From 1babb086f6dbd68f3c2d67cec7d01f82324fa662 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 17 Jun 2018 13:23:33 +0200 Subject: [PATCH] 4.16-stable patches added patches: acpi-pm-blacklist-low-power-s0-idle-_dsm-for-thinkpad-x1-tablet-2016.patch acpi-scan-initialize-watchdog-before-pnp.patch acpi-watchdog-prefer-itco_wdt-on-lenovo-z50-70.patch afs-fix-address-list-parsing.patch afs-fix-afs_find_server-search-loop.patch afs-fix-refcounting-in-callback-registration.patch afs-fix-server-record-deletion.patch afs-fix-server-rotation-s-handling-of-fileserver-probe-failure.patch afs-fix-the-handling-of-cb.initcallbackstate3-to-find-the-server-by-uuid.patch afs-fix-the-non-encryption-of-calls.patch afs-fix-vnovol-handling-in-address-rotation.patch agp-uninorth-make-two-functions-static.patch arm-8753-1-decompressor-add-a-missing-parameter-to-the-addruart-macro.patch arm-8758-1-decompressor-restore-r1-and-r2-just-before-jumping-to-the-kernel.patch arm-davinci-board-da830-evm-fix-gpio-lookup-for-mmc-sd.patch arm-davinci-board-da850-evm-fix-gpio-lookup-for-mmc-sd.patch arm-davinci-board-dm355-evm-fix-broken-networking.patch arm-davinci-board-dm646x-evm-pass-correct-i2c-adapter-id-for-vpif.patch arm-davinci-board-dm646x-evm-set-vpif-capture-card-name.patch arm-davinci-board-omapl138-hawk-fix-gpio-numbers-for-mmc-sd-lookup.patch arm-davinci-dm646x-fix-timer-interrupt-generation.patch arm-davinci-fix-gpio-lookup-for-i2c.patch arm-dts-correct-missing-compatible-entry-for-ti81xx-socs.patch arm-dts-cygnus-fix-irq-type-for-arm-global-timer.patch arm-dts-da850-fix-w-1-warnings-with-pinmux-node.patch arm-dts-fix-cm2-and-prm-sizes-for-omap4.patch arm-dts-imx51-zii-rdu1-fix-touchscreen-bindings.patch arm-dts-logicpd-som-lv-fix-audio-mute.patch arm-dts-logicpd-som-lv-fix-wl127x-startup-issues.patch arm-fix-kill-sigfpe-breakage.patch arm-kexec-fix-kdump-register-saving-on-panic.patch arm-keystone-fix-platform_domain_notifier-array-overrun.patch arm-omap1-ams-delta-fix-deferred_fiq-handler.patch arm-omap2-powerdomain-use-raw_smp_processor_id-for-trace.patch arm-replace-unnecessary-perl-with-sed-and-the-shell-operator.patch arm64-add-midr-encoding-for-nvidia-cpus.patch arm64-dts-correct-sata-addresses-for-stingray.patch arm64-dts-meson-gx-p23x-q20x-enable-the-usb-controller.patch arm64-dts-meson-gxl-add-usb-host-support.patch arm64-dts-meson-gxl-nexbox-a95x-enable-the-usb-controller.patch arm64-dts-meson-gxl-s905x-libretech-cc-enable-the-usb-controller.patch arm64-dts-meson-gxl-s905x-p212-enable-the-usb-controller.patch arm64-dts-meson-gxm-add-gxm-specific-usb-host-configuration.patch arm64-dts-meson-gxm-khadas-vim2-enable-the-usb-controller.patch arm64-dts-uniphier-fix-input-delay-value-for-legacy-mode-of-emmc.patch arm64-fix-possible-spectre-v1-in-ptrace_hbp_get_event.patch arm64-kasan-avoid-pfn_to_nid-before-page-array-is-initialized.patch arm64-only-advance-singlestep-for-user-instruction-traps.patch arm64-ptrace-remove-addr_limit-manipulation.patch arm64-tegra-make-bcm89610-phy-interrupt-as-active-low.patch asoc-intel-atom-fix-acpi-pci-kconfig.patch asoc-msm8916-wcd-analog-use-threaded-context-for-mbhc-events.patch asoc-rt5514-add-the-missing-register-in-the-readable-table.patch asoc-topology-check-widget-kcontrols-before-deref.patch asoc-topology-fix-bugs-of-freeing-soc-topology.patch ata-ahci-mvebu-override-ahci_stop_engine-for-mvebu-ahci.patch blk-mq-fix-sysfs-inflight-counter.patch blkcg-don-t-hold-blkcg-lock-when-deactivating-policy.patch blkcg-init-root-blkcg_gq-under-lock.patch bpf-fix-possible-spectre-v1-in-find_and_alloc_map.patch bpf-fix-uninitialized-variable-in-bpf-tools.patch bpf-use-array_index_nospec-in-find_prog_type.patch bpf-x64-fix-jit-emission-for-dead-code.patch bpf-x64-fix-memleak-when-not-converging-after-image.patch bpf-x64-fix-memleak-when-not-converging-on-calls.patch can-dev-increase-bus-off-message-severity.patch cifs-allocate-validate-negotiation-request-through-kmalloc.patch cifs-set-resp_buf_type-to-no_buffer-on-error.patch cifs-smb2ops-fix-listxattr-when-there-are-no-eas.patch cifs-smbd-depend-on-infiniband_addr_trans.patch clk-honor-clk_mux_round_closest-in-generic-clk-mux.patch clk-imx6ull-use-osc-clock-during-axi-rate-change.patch clocksource-drivers-imx-tpm-correct-some-registers-operation-flow.patch cpufreq-brcmstb-avs-cpufreq-remove-development-debug-support.patch cxgb4-copy-mbox-log-size-to-pf0-3-adap-instances.patch doc-add-vendor-prefix-for-kieback-peter-gmbh.patch driver-core-add-__printf-verification-to-__ata_ehi_pushv_desc.patch drm-amdgpu-switch-to-interruptable-wait-to-recover-from-ring-hang.patch drm-amdkfd-fix-clock-counter-retrieval-for-node-without-gpu.patch drm-dumb-buffers-integer-overflow-in-drm_mode_create_ioctl.patch drm-exynos-mixer-avoid-oops-in-vp_video_buffer.patch drm-exynos-mixer-fix-synchronization-check-in-interlaced-mode.patch drm-msm-don-t-deref-error-pointer-in-the-msm_fbdev_create-error-path.patch drm-msm-dsi-use-correct-enum-in-dsi_get_cmd_fmt.patch drm-msm-fix-possible-null-dereference-on-failure-of-get_pages.patch drm-omap-check-return-value-from-soc_device_match.patch drm-omap-fix-possible-null-ref-issue-in-tiler_reserve_2d.patch drm-omap-fix-uninitialized-ret-variable.patch drm-omap-handle-alloc-failures-in-omap_connector.patch drm-omap-silence-unititialized-variable-warning.patch drm-vc4-fix-oops-dereferencing-dpi-s-connector-since-panel_bridge.patch dt-bindings-dmaengine-rcar-dmac-document-r8a77965-support.patch dt-bindings-meson-uart-dt-fix-s-clocks-names-clock-names.patch dt-bindings-mvebu-uart-dt-fix-s-interrupts-names-interrupt-names.patch dt-bindings-net-ravb-add-support-for-r8a77965-soc.patch dt-bindings-panel-lvds-fix-path-to-display-timing-bindings.patch dt-bindings-pinctrl-sunxi-fix-reference-to-driver.patch dt-bindings-serial-sh-sci-add-support-for-r8a77965-h-scif.patch ecryptfs-don-t-pass-up-plaintext-names-when-using-filename-encryption.patch efi-libstub-arm64-handle-randomized-text_offset.patch fsnotify-fix-ignore-mask-logic-in-send_to_group.patch gcc-plugins-fix-build-condition-of-sancov-plugin.patch hexagon-add-memset_io-helper.patch hexagon-export-csum_partial_copy_nocheck.patch hid-i2c-hid-add-resend_report_descr-quirk-for-toshiba-click-mini-l9w-b.patch hid-intel-ish-hid-use-put_device-instead-of-kfree.patch hid-lenovo-add-support-for-ibm-lenovo-scrollpoint-mice.patch hid-wacom-release-device-resource-data-obtained-by-devres_alloc.patch i2c-pmcmsp-fix-error-return-from-master_xfer.patch i2c-pmcmsp-return-message-count-on-master_xfer-success.patch i2c-sprd-fix-the-i2c-count-issue.patch i2c-sprd-prevent-i2c-accesses-after-suspend-is-called.patch i2c-viperboard-return-message-count-on-master_xfer-success.patch ib-core-make-ib_mad_client_id-atomic.patch ib-hfi1-fix-memory-leak-in-exception-path-in-get_irq_affinity.patch ib-hfi1-rdmavt-fix-memory-leak-in-hfi1_alloc_devdata-upon-failure.patch ib-hfi1-use-correct-type-for-num_user_context.patch ib-make-infiniband_addr_trans-configurable.patch ib-mlx4-fix-integer-overflow-when-calculating-optimal-mtt-size.patch ib-rxe-add-rxe_start_mask-for-rxe_opcode-ib_opcode_rc_send_only_inv.patch ib-rxe-avoid-double-kfree_skb.patch ib-uverbs-fix-validating-mandatory-attributes.patch ib_srp-depend-on-infiniband_addr_trans.patch ib_srpt-depend-on-infiniband_addr_trans.patch ibmvnic-do-not-notify-peers-on-parameter-change-resets.patch igb-fix-the-transmission-mode-of-queue-0-for-qav-mode.patch init-fix-false-positives-in-w-x-checking.patch input-atmel_mxt_ts-fix-the-firmware-update.patch input-synaptics-rmi4-fix-an-unchecked-out-of-memory-error-path.patch iommu-vt-d-fix-shift-out-of-bounds-in-bug-checking.patch iommu-vt-d-fix-usage-of-force-parameter-in-intel_ir_reconfigure_irte.patch isofs-fix-potential-memory-leak-in-mount-option-parsing.patch ixgbe-fix-memory-leak-on-ipsec-allocation.patch ixgbe-return-error-on-unsupported-sfp-module-when-resetting.patch kexec_file-do-not-add-extra-alignment-to-efi-memmap.patch kprobes-x86-prohibit-probing-on-exception-masking-instructions.patch kthread-sched-wait-fix-kthread_parkme-completion-issue.patch kthread-sched-wait-fix-kthread_parkme-wait-loop.patch kvm-apic-flush-tlb-after-apic-mode-address-change-if-vpids-are-in-use.patch kvm-arm-arm64-vgic-fix-possible-spectre-v1-in-vgic_mmio_read_apr.patch kvm-arm-arm64-vgic-kick-new-vcpu-on-interrupt-migration.patch kvm-extend-max_irq_routes-to-4096-for-all-archs.patch kvm-x86-fix-incorrect-reference-of-trace_kvm_pi_irte_update.patch kvm-x86-lower-the-default-timer-frequency-limit-to-200us.patch kvm-x86-move-msr_ia32_tsc-handling-to-x86.c.patch lan78xx-phy-dsp-registers-initialization-to-address-eee-link-drop-issues-with-long-cables.patch lib-find_bit_benchmark.c-avoid-soft-lockup-in-test_find_first_bit.patch libahci-allow-drivers-to-override-stop_engine.patch linux-stringhash.h-fix-end_name_hash-for-64bit-long.patch livepatch-allow-to-call-a-custom-callback-when-freeing-shadow-variables.patch livepatch-initialize-shadow-variables-safely-by-a-custom-callback.patch locking-percpu-rwsem-annotate-rwsem-ownership-transfer-by-setting-rwsem_owner_unknown.patch locking-rwsem-add-a-new-rwsem_anonymously_owned-flag.patch mac80211-adjust-sae-authentication-timeout.patch mac80211-use-timeout-from-the-addba-response-instead-of-the-request.patch mips-dts-boston-fix-pci-bus-dtc-warnings.patch mips-io-add-barrier-after-register-read-in-readx.patch mips-io-prevent-compiler-reordering-writex.patch mm-memcg-add-__gfp_nowarn-in-__memcg_schedule_kmem_cache_create.patch mm-pagemap-fix-swap-offset-value-for-pmd-migration-entry.patch mtd-fix-comparison-in-map_word_andequal.patch mtd-onenand-omap2-disable-dma-for-highmem-buffers.patch mtd-rawnand-fix-return-type-of-__divide-when-called-with-32-bit.patch net-aquantia-driver-should-correctly-declare-vlan_features-bits.patch net-aquantia-limit-number-of-vectors-to-actually-allocated-irqs.patch net-ethtool-add-missing-kernel-doc-for-fec-parameters.patch net-hns-avoid-action-name-truncation.patch net-mvpp2-fix-clk-error-path-in-mvpp2_probe.patch net-phy-broadcom-add-support-for-bcm89610-phy.patch net-phy-marvell-clear-wol-event-before-setting-it.patch net-sched-actions-fix-invalid-pointer-dereferencing-if-skbedit-flags-missing.patch netfilter-nf_tables-fix-out-of-bounds-in-nft_chain_commit_update.patch netfilter-nf_tables-nat-chain-and-extensions-require-nf_tables.patch nfp-don-t-depend-on-eth_tbl-being-available.patch nfp-flower-split-and-limit-cmsg-skb-lists.patch nfp-ignore-signals-when-communicating-with-management-fw.patch nvme-depend-on-infiniband_addr_trans.patch nvme-fix-potential-memory-leak-in-option-parsing.patch nvme-fix-use-after-free-in-nvme_free_ns_head.patch nvme-multipath-disable-runtime-writable-enabling-parameter.patch nvme-multipath-fix-multipath-disabled-naming-collisions.patch nvme-set-integrity-flag-for-user-passthrough-commands.patch nvmet-rdma-depend-on-infiniband_addr_trans.patch objtool-kprobes-x86-sync-the-latest-asm-insn.h-header-with-tools-objtool-arch-x86-include-asm-insn.h.patch ocfs2-take-inode-cluster-lock-before-moving-reflinked-inode-from-orphan-dir.patch parisc-drivers.c-fix-section-mismatches.patch parisc-move-setup_profiling_timer-out-of-init-section.patch parisc-time-convert-read_persistent_clock-to-read_persistent_clock64.patch pci-kirin-fix-reset-gpio-name.patch perf-cs-etm-support-unknown_thread-in-cs_etm_auxtrace.patch perf-pmu-fix-core-pmu-alias-list-for-x86-platform.patch perf-report-fix-switching-to-another-perf.data-file.patch perf-x86-intel-don-t-enable-freeze-on-smi-for-perfmon-v1.patch pinctrl-cherryview-associate-irq-descriptors-to-irqdomain.patch pinctrl-meson-axg-fix-the-range-of-aobus-bank.patch platform-x86-dell_wmi-use-depends-on-instead-of-select-for-dell_smbios.patch powerpc-64s-default-l1d_size-to-64k-in-rfi-fallback-flush.patch powerpc-kvm-booke-fix-altivec-related-build-break.patch powerpc-powernv-memtrace-let-the-arch-hotunplug-code-flush-cache.patch powerpc-pseries-fix-config_numa-n-build.patch powerpc-trace-syscalls-update-syscall-name-matching-logic-to-account-for-ppc_-prefix.patch powerpc-trace-syscalls-update-syscall-name-matching-logic.patch proc-fix-proc-loadavg-regression.patch proc-kcore-don-t-bounds-check-against-address-0.patch proc-revalidate-kernel-thread-inodes-to-root-root.patch qed-fix-l2-initializations-over-iwarp-personality.patch qede-fix-gfp-flags-sent-to-rdma-event-node-allocation.patch rdma-cma-do-not-query-gid-during-qp-state-transition-to-rtr.patch rdma-cma-fix-use-after-destroy-access-to-net-namespace-for-ipoib.patch rdma-hns-bugfix-for-init-hem-table.patch rdma-hns-fix-the-qp-context-state-diagram.patch rdma-hns-intercept-illegal-rdma-operation-when-use-inline-data.patch rdma-hns-submit-bad-wr.patch rdma-iwpm-fix-memory-leak-on-map_info.patch rdma-mlx5-properly-check-return-value-of-mlx5_get_uars_page.patch rds-ib-fix-missing-call-to-rds_ib_dev_put-in-rds_ib_setup_qp.patch remoteproc-qcom-fix-potential-device-node-leaks.patch reset-uniphier-fix-usb-clock-line-for-ld20.patch risc-v-build-vdso-dummy.o-with-no-pie.patch riscv-select-dma_direct_ops-instead-of-redefining-it.patch rpmsg-added-module_alias-for-rpmsg_char.patch rxrpc-fix-error-reception-on-af_inet6-sockets.patch rxrpc-fix-missing-start-of-call-timeout.patch rxrpc-fix-the-min-security-level-for-kernel-calls.patch s390-qeth-fix-mac-address-update-sequence.patch s390-qeth-fix-request-side-race-during-cmd-io-timeout.patch s390-qeth-use-read-device-to-query-hypervisor-for-mac.patch s390-smsgiucv-disable-smsg-on-module-unload.patch sched-core-introduce-set_special_state.patch sched-deadline-make-the-grub_reclaim-function-static.patch sched-debug-move-the-print_rt_rq-and-print_dl_rq-declarations-to-kernel-sched-sched.h.patch scsi-isci-fix-infinite-loop-in-while-loop.patch scsi-iscsi-respond-to-netlink-with-unicast-when-appropriate.patch scsi-megaraid_sas-do-not-log-an-error-if-fw-successfully-initializes.patch scsi-storvsc-set-up-correct-queue-depth-values-for-ide-devices.patch scsi-target-fix-crash-with-iscsi-target-and-dvd.patch scsi-vmw-pvscsi-return-did_bus_busy-for-adapter-initated-aborts.patch selftests-ftrace-add-a-testcase-for-multiple-actions-on-trigger.patch sh-fix-build-failure-for-j2-cpu-with-smp-disabled.patch sh-switch-to-no_bootmem.patch smc-fix-sendpage-call.patch soc-bcm-raspberrypi-power-fix-use-of-__packed.patch soc-bcm2835-make-raspberrypi_firmware-dummies-return-failure.patch spi-bcm2835aux-ensure-interrupts-are-enabled-for-shared-handler.patch spi-cadence-add-usleep_range-for-cdns_spi_fill_tx_fifo.patch spi-sh-msiof-fix-bit-field-overflow-writes-to-tscr-rscr.patch stop_machine-sched-fix-migrate_swap-vs.-active_balance-deadlock.patch tee-check-shm-references-are-consistent-in-offset-size.patch thermal-int3403_thermal-fix-null-pointer-deref-on-module-load-probe.patch tipc-eliminate-kmsan-uninit-value-in-strcmp-complaint.patch tipc-fix-bug-in-function-tipc_nl_node_dump_monitor.patch tipc-fix-infinite-loop-when-dumping-link-monitor-summary.patch uprobes-x86-prohibit-probing-on-mov-ss-instruction.patch usb-musb-fix-remote-wakeup-racing-with-suspend.patch usb-typec-tps6598x-handle-block-reads-separately-with-plain-i2c-adapters.patch usb-typec-ucsi-fix-tracepoint-related-build-error.patch vfs-undo-an-overly-zealous-ms_rdonly-sb_rdonly-conversion.patch vti6-change-minimum-mtu-to-ipv4_min_mtu-vti6-can-carry-ipv4-too.patch x86-add-check-for-apic-access-address-for-vmentry-of-l2-guests.patch x86-cpu-intel-add-missing-tlb-cpuid-values.patch x86-delay-skip-of-emulated-hypercall-instruction.patch x86-kvm-properly-update-tsc_offset-to-represent-the-running-guest.patch x86-mpx-selftests-adjust-the-self-test-to-fresh-distros-that-export-the-mpx-abi.patch x86-pkeys-selftests-add-a-test-for-pkey-0.patch x86-pkeys-selftests-add-prot_exec-test.patch x86-pkeys-selftests-adjust-the-self-test-to-fresh-distros-that-export-the-pkeys-abi.patch x86-pkeys-selftests-allow-faults-on-unknown-keys.patch x86-pkeys-selftests-avoid-printf-in-signal-deadlocks.patch x86-pkeys-selftests-factor-out-instruction-page.patch x86-pkeys-selftests-fix-pkey-exhaustion-test-off-by-one.patch x86-pkeys-selftests-fix-pointer-math.patch x86-pkeys-selftests-give-better-unexpected-fault-error-messages.patch x86-pkeys-selftests-remove-dead-debugging-code-fix-dprint_in_signal.patch x86-pkeys-selftests-save-off-prot-for-allocations.patch x86-pkeys-selftests-stop-using-assert.patch x86-selftests-add-mov_to_ss-test.patch x86-xen-reset-vcpu0-info-pointer-after-shared_info-remap.patch xen-xenbus_dev_frontend-really-return-response-string.patch xprtrdma-fix-list-corruption-dmar-errors-during-mr-recovery.patch --- ...dle-_dsm-for-thinkpad-x1-tablet-2016.patch | 47 ++ ...-scan-initialize-watchdog-before-pnp.patch | 49 +++ ...dog-prefer-itco_wdt-on-lenovo-z50-70.patch | 118 +++++ queue-4.16/afs-fix-address-list-parsing.patch | 79 ++++ .../afs-fix-afs_find_server-search-loop.patch | 60 +++ ...refcounting-in-callback-registration.patch | 205 +++++++++ .../afs-fix-server-record-deletion.patch | 68 +++ ...handling-of-fileserver-probe-failure.patch | 41 ++ ...ackstate3-to-find-the-server-by-uuid.patch | 44 ++ .../afs-fix-the-non-encryption-of-calls.patch | 49 +++ ...-vnovol-handling-in-address-rotation.patch | 47 ++ ...p-uninorth-make-two-functions-static.patch | 48 ++ ...sing-parameter-to-the-addruart-macro.patch | 86 ++++ ...r2-just-before-jumping-to-the-kernel.patch | 41 ++ ...da830-evm-fix-gpio-lookup-for-mmc-sd.patch | 48 ++ ...da850-evm-fix-gpio-lookup-for-mmc-sd.patch | 47 ++ ...oard-dm355-evm-fix-broken-networking.patch | 52 +++ ...pass-correct-i2c-adapter-id-for-vpif.patch | 42 ++ ...m646x-evm-set-vpif-capture-card-name.patch | 46 ++ ...k-fix-gpio-numbers-for-mmc-sd-lookup.patch | 47 ++ ...m646x-fix-timer-interrupt-generation.patch | 40 ++ .../arm-davinci-fix-gpio-lookup-for-i2c.patch | 80 ++++ ...ing-compatible-entry-for-ti81xx-socs.patch | 82 ++++ ...us-fix-irq-type-for-arm-global-timer.patch | 34 ++ ...50-fix-w-1-warnings-with-pinmux-node.patch | 39 ++ ...-dts-fix-cm2-and-prm-sizes-for-omap4.patch | 52 +++ ...51-zii-rdu1-fix-touchscreen-bindings.patch | 44 ++ ...rm-dts-logicpd-som-lv-fix-audio-mute.patch | 43 ++ ...cpd-som-lv-fix-wl127x-startup-issues.patch | 59 +++ queue-4.16/arm-fix-kill-sigfpe-breakage.patch | 54 +++ ...c-fix-kdump-register-saving-on-panic.patch | 77 ++++ ...atform_domain_notifier-array-overrun.patch | 84 ++++ ...1-ams-delta-fix-deferred_fiq-handler.patch | 67 +++ ...n-use-raw_smp_processor_id-for-trace.patch | 49 +++ ...perl-with-sed-and-the-shell-operator.patch | 46 ++ ...64-add-midr-encoding-for-nvidia-cpus.patch | 49 +++ ...-correct-sata-addresses-for-stingray.patch | 243 +++++++++++ ...-p23x-q20x-enable-the-usb-controller.patch | 32 ++ ...4-dts-meson-gxl-add-usb-host-support.patch | 109 +++++ ...exbox-a95x-enable-the-usb-controller.patch | 30 ++ ...bretech-cc-enable-the-usb-controller.patch | 42 ++ ...s905x-p212-enable-the-usb-controller.patch | 34 ++ ...-gxm-specific-usb-host-configuration.patch | 56 +++ ...hadas-vim2-enable-the-usb-controller.patch | 32 ++ ...-delay-value-for-legacy-mode-of-emmc.patch | 55 +++ ...e-spectre-v1-in-ptrace_hbp_get_event.patch | 59 +++ ...nid-before-page-array-is-initialized.patch | 102 +++++ ...inglestep-for-user-instruction-traps.patch | 45 ++ ...trace-remove-addr_limit-manipulation.patch | 66 +++ ...bcm89610-phy-interrupt-as-active-low.patch | 34 ++ ...asoc-intel-atom-fix-acpi-pci-kconfig.patch | 92 ++++ ...use-threaded-context-for-mbhc-events.patch | 54 +++ ...ssing-register-in-the-readable-table.patch | 45 ++ ...-check-widget-kcontrols-before-deref.patch | 39 ++ ...ogy-fix-bugs-of-freeing-soc-topology.patch | 33 ++ ...ride-ahci_stop_engine-for-mvebu-ahci.patch | 113 +++++ .../blk-mq-fix-sysfs-inflight-counter.patch | 123 ++++++ ...-blkcg-lock-when-deactivating-policy.patch | 48 ++ .../blkcg-init-root-blkcg_gq-under-lock.patch | 65 +++ ...ble-spectre-v1-in-find_and_alloc_map.patch | 65 +++ ...-uninitialized-variable-in-bpf-tools.patch | 54 +++ ...array_index_nospec-in-find_prog_type.patch | 46 ++ ...f-x64-fix-jit-emission-for-dead-code.patch | 93 ++++ ...leak-when-not-converging-after-image.patch | 48 ++ ...memleak-when-not-converging-on-calls.patch | 48 ++ ...ev-increase-bus-off-message-severity.patch | 45 ++ ...-negotiation-request-through-kmalloc.patch | 175 ++++++++ ...-resp_buf_type-to-no_buffer-on-error.patch | 40 ++ ...-fix-listxattr-when-there-are-no-eas.patch | 52 +++ ...smbd-depend-on-infiniband_addr_trans.patch | 34 ++ ...mux_round_closest-in-generic-clk-mux.patch | 85 ++++ ...use-osc-clock-during-axi-rate-change.patch | 35 ++ ...orrect-some-registers-operation-flow.patch | 54 +++ ...req-remove-development-debug-support.patch | 407 +++++++++++++++++ ...box-log-size-to-pf0-3-adap-instances.patch | 42 ++ ...vendor-prefix-for-kieback-peter-gmbh.patch | 30 ++ ...verification-to-__ata_ehi_pushv_desc.patch | 35 ++ ...table-wait-to-recover-from-ring-hang.patch | 39 ++ ...unter-retrieval-for-node-without-gpu.patch | 48 ++ ...er-overflow-in-drm_mode_create_ioctl.patch | 51 +++ ...-mixer-avoid-oops-in-vp_video_buffer.patch | 65 +++ ...hronization-check-in-interlaced-mode.patch | 59 +++ ...r-in-the-msm_fbdev_create-error-path.patch | 55 +++ ...-use-correct-enum-in-dsi_get_cmd_fmt.patch | 39 ++ ...-dereference-on-failure-of-get_pages.patch | 62 +++ ...k-return-value-from-soc_device_match.patch | 40 ++ ...e-null-ref-issue-in-tiler_reserve_2d.patch | 43 ++ ...-omap-fix-uninitialized-ret-variable.patch | 47 ++ ...dle-alloc-failures-in-omap_connector.patch | 56 +++ ...lence-unititialized-variable-warning.patch | 36 ++ ...g-dpi-s-connector-since-panel_bridge.patch | 83 ++++ ...-rcar-dmac-document-r8a77965-support.patch | 32 ++ ...rt-dt-fix-s-clocks-names-clock-names.patch | 28 ++ ...x-s-interrupts-names-interrupt-names.patch | 28 ++ ...et-ravb-add-support-for-r8a77965-soc.patch | 33 ++ ...-fix-path-to-display-timing-bindings.patch | 31 ++ ...inctrl-sunxi-fix-reference-to-driver.patch | 35 ++ ...-sci-add-support-for-r8a77965-h-scif.patch | 32 ++ ...names-when-using-filename-encryption.patch | 154 +++++++ ...-arm64-handle-randomized-text_offset.patch | 62 +++ ...x-ignore-mask-logic-in-send_to_group.patch | 77 ++++ ...fix-build-condition-of-sancov-plugin.patch | 47 ++ queue-4.16/hexagon-add-memset_io-helper.patch | 39 ++ ...gon-export-csum_partial_copy_nocheck.patch | 27 ++ ...r-quirk-for-toshiba-click-mini-l9w-b.patch | 44 ++ ...-hid-use-put_device-instead-of-kfree.patch | 32 ++ ...port-for-ibm-lenovo-scrollpoint-mice.patch | 135 ++++++ ...source-data-obtained-by-devres_alloc.patch | 35 ++ ...sp-fix-error-return-from-master_xfer.patch | 31 ++ ...message-count-on-master_xfer-success.patch | 31 ++ .../i2c-sprd-fix-the-i2c-count-issue.patch | 54 +++ ...i2c-accesses-after-suspend-is-called.patch | 65 +++ ...message-count-on-master_xfer-success.patch | 31 ++ ...ib-core-make-ib_mad_client_id-atomic.patch | 51 +++ ...n-exception-path-in-get_irq_affinity.patch | 72 +++ ...k-in-hfi1_alloc_devdata-upon-failure.patch | 129 ++++++ ...se-correct-type-for-num_user_context.patch | 39 ++ ...e-infiniband_addr_trans-configurable.patch | 38 ++ ...ow-when-calculating-optimal-mtt-size.patch | 58 +++ ...xe_opcode-ib_opcode_rc_send_only_inv.patch | 39 ++ .../ib-rxe-avoid-double-kfree_skb.patch | 97 +++++ ...-fix-validating-mandatory-attributes.patch | 40 ++ ..._srp-depend-on-infiniband_addr_trans.patch | 33 ++ ...srpt-depend-on-infiniband_addr_trans.patch | 33 ++ ...ify-peers-on-parameter-change-resets.patch | 33 ++ ...mission-mode-of-queue-0-for-qav-mode.patch | 62 +++ ...-fix-false-positives-in-w-x-checking.patch | 80 ++++ ...atmel_mxt_ts-fix-the-firmware-update.patch | 412 ++++++++++++++++++ ...n-unchecked-out-of-memory-error-path.patch | 40 ++ ...-shift-out-of-bounds-in-bug-checking.patch | 74 ++++ ...rameter-in-intel_ir_reconfigure_irte.patch | 55 +++ ...-memory-leak-in-mount-option-parsing.patch | 36 ++ ...-fix-memory-leak-on-ipsec-allocation.patch | 39 ++ ...nsupported-sfp-module-when-resetting.patch | 33 ++ ...ot-add-extra-alignment-to-efi-memmap.patch | 64 +++ ...ng-on-exception-masking-instructions.patch | 83 ++++ ...-fix-kthread_parkme-completion-issue.patch | 202 +++++++++ ...ed-wait-fix-kthread_parkme-wait-loop.patch | 71 +++ ...e-address-change-if-vpids-are-in-use.patch | 77 ++++ ...ble-spectre-v1-in-vgic_mmio_read_apr.patch | 52 +++ ...kick-new-vcpu-on-interrupt-migration.patch | 54 +++ ...max_irq_routes-to-4096-for-all-archs.patch | 49 +++ ...eference-of-trace_kvm_pi_irte_update.patch | 46 ++ ...fault-timer-frequency-limit-to-200us.patch | 46 ++ ...-move-msr_ia32_tsc-handling-to-x86.c.patch | 111 +++++ ...ee-link-drop-issues-with-long-cables.patch | 259 +++++++++++ ...d-soft-lockup-in-test_find_first_bit.patch | 45 ++ ...llow-drivers-to-override-stop_engine.patch | 217 +++++++++ ...h.h-fix-end_name_hash-for-64bit-long.patch | 70 +++ ...llback-when-freeing-shadow-variables.patch | 274 ++++++++++++ ...ariables-safely-by-a-custom-callback.patch | 350 +++++++++++++++ ...nsfer-by-setting-rwsem_owner_unknown.patch | 108 +++++ ...d-a-new-rwsem_anonymously_owned-flag.patch | 168 +++++++ ...11-adjust-sae-authentication-timeout.patch | 77 ++++ ...ddba-response-instead-of-the-request.patch | 64 +++ ...-dts-boston-fix-pci-bus-dtc-warnings.patch | 60 +++ ...barrier-after-register-read-in-readx.patch | 39 ++ ...o-prevent-compiler-reordering-writex.patch | 39 ++ ...n-__memcg_schedule_kmem_cache_create.patch | 89 ++++ ...offset-value-for-pmd-migration-entry.patch | 66 +++ ...-fix-comparison-in-map_word_andequal.patch | 37 ++ ...map2-disable-dma-for-highmem-buffers.patch | 170 ++++++++ ...-of-__divide-when-called-with-32-bit.patch | 57 +++ ...correctly-declare-vlan_features-bits.patch | 35 ++ ...f-vectors-to-actually-allocated-irqs.patch | 89 ++++ ...issing-kernel-doc-for-fec-parameters.patch | 33 ++ ...net-hns-avoid-action-name-truncation.patch | 63 +++ ...p2-fix-clk-error-path-in-mvpp2_probe.patch | 86 ++++ ...roadcom-add-support-for-bcm89610-phy.patch | 57 +++ ...ll-clear-wol-event-before-setting-it.patch | 41 ++ ...referencing-if-skbedit-flags-missing.patch | 99 +++++ ...of-bounds-in-nft_chain_commit_update.patch | 63 +++ ...ain-and-extensions-require-nf_tables.patch | 110 +++++ ...-t-depend-on-eth_tbl-being-available.patch | 135 ++++++ ...lower-split-and-limit-cmsg-skb-lists.patch | 153 +++++++ ...hen-communicating-with-management-fw.patch | 46 ++ ...nvme-depend-on-infiniband_addr_trans.patch | 33 ++ ...ential-memory-leak-in-option-parsing.patch | 74 ++++ ...-use-after-free-in-nvme_free_ns_head.patch | 75 ++++ ...-runtime-writable-enabling-parameter.patch | 33 ++ ...multipath-disabled-naming-collisions.patch | 122 ++++++ ...y-flag-for-user-passthrough-commands.patch | 31 ++ ...rdma-depend-on-infiniband_addr_trans.patch | 33 ++ ...-objtool-arch-x86-include-asm-insn.h.patch | 66 +++ ...ving-reflinked-inode-from-orphan-dir.patch | 90 ++++ ...isc-drivers.c-fix-section-mismatches.patch | 45 ++ ..._profiling_timer-out-of-init-section.patch | 32 ++ ...ent_clock-to-read_persistent_clock64.patch | 35 ++ .../pci-kirin-fix-reset-gpio-name.patch | 36 ++ ...rt-unknown_thread-in-cs_etm_auxtrace.patch | 90 ++++ ...core-pmu-alias-list-for-x86-platform.patch | 109 +++++ ...-switching-to-another-perf.data-file.patch | 66 +++ ...-enable-freeze-on-smi-for-perfmon-v1.patch | 72 +++ ...sociate-irq-descriptors-to-irqdomain.patch | 72 +++ ...eson-axg-fix-the-range-of-aobus-bank.patch | 33 ++ ...on-instead-of-select-for-dell_smbios.patch | 35 ++ ...1d_size-to-64k-in-rfi-fallback-flush.patch | 50 +++ ...ooke-fix-altivec-related-build-break.patch | 40 ++ ...-the-arch-hotunplug-code-flush-cache.patch | 59 +++ ...erpc-pseries-fix-config_numa-n-build.patch | 58 +++ ...ing-logic-to-account-for-ppc_-prefix.patch | 58 +++ ...s-update-syscall-name-matching-logic.patch | 46 ++ .../proc-fix-proc-loadavg-regression.patch | 60 +++ ...don-t-bounds-check-against-address-0.patch | 78 ++++ ...te-kernel-thread-inodes-to-root-root.patch | 47 ++ ...itializations-over-iwarp-personality.patch | 45 ++ ...s-sent-to-rdma-event-node-allocation.patch | 35 ++ ...id-during-qp-state-transition-to-rtr.patch | 55 +++ ...oy-access-to-net-namespace-for-ipoib.patch | 152 +++++++ .../rdma-hns-bugfix-for-init-hem-table.patch | 52 +++ ...hns-fix-the-qp-context-state-diagram.patch | 33 ++ ...-rdma-operation-when-use-inline-data.patch | 35 ++ queue-4.16/rdma-hns-submit-bad-wr.patch | 39 ++ ...dma-iwpm-fix-memory-leak-on-map_info.patch | 48 ++ ...k-return-value-of-mlx5_get_uars_page.patch | 36 ++ ...to-rds_ib_dev_put-in-rds_ib_setup_qp.patch | 43 ++ ...qcom-fix-potential-device-node-leaks.patch | 40 ++ ...uniphier-fix-usb-clock-line-for-ld20.patch | 45 ++ ...isc-v-build-vdso-dummy.o-with-no-pie.patch | 48 ++ ..._direct_ops-instead-of-redefining-it.patch | 40 ++ ...sg-added-module_alias-for-rpmsg_char.patch | 29 ++ ...-error-reception-on-af_inet6-sockets.patch | 94 ++++ ...pc-fix-missing-start-of-call-timeout.patch | 99 +++++ ...-min-security-level-for-kernel-calls.patch | 31 ++ ...qeth-fix-mac-address-update-sequence.patch | 124 ++++++ ...uest-side-race-during-cmd-io-timeout.patch | 209 +++++++++ ...d-device-to-query-hypervisor-for-mac.patch | 42 ++ ...sgiucv-disable-smsg-on-module-unload.patch | 31 ++ ...hed-core-introduce-set_special_state.patch | 206 +++++++++ ...ake-the-grub_reclaim-function-static.patch | 38 ++ ...declarations-to-kernel-sched-sched.h.patch | 78 ++++ ...isci-fix-infinite-loop-in-while-loop.patch | 42 ++ ...etlink-with-unicast-when-appropriate.patch | 124 ++++++ ...error-if-fw-successfully-initializes.patch | 37 ++ ...t-queue-depth-values-for-ide-devices.patch | 40 ++ ...-fix-crash-with-iscsi-target-and-dvd.patch | 49 +++ ...bus_busy-for-adapter-initated-aborts.patch | 32 ++ ...case-for-multiple-actions-on-trigger.patch | 74 ++++ ...failure-for-j2-cpu-with-smp-disabled.patch | 34 ++ queue-4.16/sh-switch-to-no_bootmem.patch | 204 +++++++++ queue-4.16/smc-fix-sendpage-call.patch | 44 ++ ...aspberrypi-power-fix-use-of-__packed.patch | 33 ++ ...rypi_firmware-dummies-return-failure.patch | 54 +++ ...rupts-are-enabled-for-shared-handler.patch | 57 +++ ...leep_range-for-cdns_spi_fill_tx_fifo.patch | 40 ++ ...t-field-overflow-writes-to-tscr-rscr.patch | 43 ++ ...ate_swap-vs.-active_balance-deadlock.patch | 120 +++++ ...rences-are-consistent-in-offset-size.patch | 44 ++ ...l-pointer-deref-on-module-load-probe.patch | 42 ++ ...san-uninit-value-in-strcmp-complaint.patch | 117 +++++ ...n-function-tipc_nl_node_dump_monitor.patch | 38 ++ ...op-when-dumping-link-monitor-summary.patch | 76 ++++ ...ohibit-probing-on-mov-ss-instruction.patch | 50 +++ ...ix-remote-wakeup-racing-with-suspend.patch | 126 ++++++ ...s-separately-with-plain-i2c-adapters.patch | 133 ++++++ ...i-fix-tracepoint-related-build-error.patch | 47 ++ ...alous-ms_rdonly-sb_rdonly-conversion.patch | 34 ++ ...ipv4_min_mtu-vti6-can-carry-ipv4-too.patch | 47 ++ ...ess-address-for-vmentry-of-l2-guests.patch | 65 +++ ...u-intel-add-missing-tlb-cpuid-values.patch | 42 ++ ...ip-of-emulated-hypercall-instruction.patch | 85 ++++ ...ffset-to-represent-the-running-guest.patch | 230 ++++++++++ ...resh-distros-that-export-the-mpx-abi.patch | 55 +++ ...keys-selftests-add-a-test-for-pkey-0.patch | 79 ++++ ...6-pkeys-selftests-add-prot_exec-test.patch | 92 ++++ ...sh-distros-that-export-the-pkeys-abi.patch | 187 ++++++++ ...lftests-allow-faults-on-unknown-keys.patch | 56 +++ ...sts-avoid-printf-in-signal-deadlocks.patch | 73 ++++ ...elftests-factor-out-instruction-page.patch | 72 +++ ...-fix-pkey-exhaustion-test-off-by-one.patch | 60 +++ ...x86-pkeys-selftests-fix-pointer-math.patch | 67 +++ ...tter-unexpected-fault-error-messages.patch | 72 +++ ...-debugging-code-fix-dprint_in_signal.patch | 59 +++ ...ftests-save-off-prot-for-allocations.patch | 95 ++++ ...86-pkeys-selftests-stop-using-assert.patch | 64 +++ .../x86-selftests-add-mov_to_ss-test.patch | 325 ++++++++++++++ ...info-pointer-after-shared_info-remap.patch | 94 ++++ ...ontend-really-return-response-string.patch | 41 ++ ...ption-dmar-errors-during-mr-recovery.patch | 130 ++++++ 279 files changed, 19684 insertions(+) create mode 100644 queue-4.16/acpi-pm-blacklist-low-power-s0-idle-_dsm-for-thinkpad-x1-tablet-2016.patch create mode 100644 queue-4.16/acpi-scan-initialize-watchdog-before-pnp.patch create mode 100644 queue-4.16/acpi-watchdog-prefer-itco_wdt-on-lenovo-z50-70.patch create mode 100644 queue-4.16/afs-fix-address-list-parsing.patch create mode 100644 queue-4.16/afs-fix-afs_find_server-search-loop.patch create mode 100644 queue-4.16/afs-fix-refcounting-in-callback-registration.patch create mode 100644 queue-4.16/afs-fix-server-record-deletion.patch create mode 100644 queue-4.16/afs-fix-server-rotation-s-handling-of-fileserver-probe-failure.patch create mode 100644 queue-4.16/afs-fix-the-handling-of-cb.initcallbackstate3-to-find-the-server-by-uuid.patch create mode 100644 queue-4.16/afs-fix-the-non-encryption-of-calls.patch create mode 100644 queue-4.16/afs-fix-vnovol-handling-in-address-rotation.patch create mode 100644 queue-4.16/agp-uninorth-make-two-functions-static.patch create mode 100644 queue-4.16/arm-8753-1-decompressor-add-a-missing-parameter-to-the-addruart-macro.patch create mode 100644 queue-4.16/arm-8758-1-decompressor-restore-r1-and-r2-just-before-jumping-to-the-kernel.patch create mode 100644 queue-4.16/arm-davinci-board-da830-evm-fix-gpio-lookup-for-mmc-sd.patch create mode 100644 queue-4.16/arm-davinci-board-da850-evm-fix-gpio-lookup-for-mmc-sd.patch create mode 100644 queue-4.16/arm-davinci-board-dm355-evm-fix-broken-networking.patch create mode 100644 queue-4.16/arm-davinci-board-dm646x-evm-pass-correct-i2c-adapter-id-for-vpif.patch create mode 100644 queue-4.16/arm-davinci-board-dm646x-evm-set-vpif-capture-card-name.patch create mode 100644 queue-4.16/arm-davinci-board-omapl138-hawk-fix-gpio-numbers-for-mmc-sd-lookup.patch create mode 100644 queue-4.16/arm-davinci-dm646x-fix-timer-interrupt-generation.patch create mode 100644 queue-4.16/arm-davinci-fix-gpio-lookup-for-i2c.patch create mode 100644 queue-4.16/arm-dts-correct-missing-compatible-entry-for-ti81xx-socs.patch create mode 100644 queue-4.16/arm-dts-cygnus-fix-irq-type-for-arm-global-timer.patch create mode 100644 queue-4.16/arm-dts-da850-fix-w-1-warnings-with-pinmux-node.patch create mode 100644 queue-4.16/arm-dts-fix-cm2-and-prm-sizes-for-omap4.patch create mode 100644 queue-4.16/arm-dts-imx51-zii-rdu1-fix-touchscreen-bindings.patch create mode 100644 queue-4.16/arm-dts-logicpd-som-lv-fix-audio-mute.patch create mode 100644 queue-4.16/arm-dts-logicpd-som-lv-fix-wl127x-startup-issues.patch create mode 100644 queue-4.16/arm-fix-kill-sigfpe-breakage.patch create mode 100644 queue-4.16/arm-kexec-fix-kdump-register-saving-on-panic.patch create mode 100644 queue-4.16/arm-keystone-fix-platform_domain_notifier-array-overrun.patch create mode 100644 queue-4.16/arm-omap1-ams-delta-fix-deferred_fiq-handler.patch create mode 100644 queue-4.16/arm-omap2-powerdomain-use-raw_smp_processor_id-for-trace.patch create mode 100644 queue-4.16/arm-replace-unnecessary-perl-with-sed-and-the-shell-operator.patch create mode 100644 queue-4.16/arm64-add-midr-encoding-for-nvidia-cpus.patch create mode 100644 queue-4.16/arm64-dts-correct-sata-addresses-for-stingray.patch create mode 100644 queue-4.16/arm64-dts-meson-gx-p23x-q20x-enable-the-usb-controller.patch create mode 100644 queue-4.16/arm64-dts-meson-gxl-add-usb-host-support.patch create mode 100644 queue-4.16/arm64-dts-meson-gxl-nexbox-a95x-enable-the-usb-controller.patch create mode 100644 queue-4.16/arm64-dts-meson-gxl-s905x-libretech-cc-enable-the-usb-controller.patch create mode 100644 queue-4.16/arm64-dts-meson-gxl-s905x-p212-enable-the-usb-controller.patch create mode 100644 queue-4.16/arm64-dts-meson-gxm-add-gxm-specific-usb-host-configuration.patch create mode 100644 queue-4.16/arm64-dts-meson-gxm-khadas-vim2-enable-the-usb-controller.patch create mode 100644 queue-4.16/arm64-dts-uniphier-fix-input-delay-value-for-legacy-mode-of-emmc.patch create mode 100644 queue-4.16/arm64-fix-possible-spectre-v1-in-ptrace_hbp_get_event.patch create mode 100644 queue-4.16/arm64-kasan-avoid-pfn_to_nid-before-page-array-is-initialized.patch create mode 100644 queue-4.16/arm64-only-advance-singlestep-for-user-instruction-traps.patch create mode 100644 queue-4.16/arm64-ptrace-remove-addr_limit-manipulation.patch create mode 100644 queue-4.16/arm64-tegra-make-bcm89610-phy-interrupt-as-active-low.patch create mode 100644 queue-4.16/asoc-intel-atom-fix-acpi-pci-kconfig.patch create mode 100644 queue-4.16/asoc-msm8916-wcd-analog-use-threaded-context-for-mbhc-events.patch create mode 100644 queue-4.16/asoc-rt5514-add-the-missing-register-in-the-readable-table.patch create mode 100644 queue-4.16/asoc-topology-check-widget-kcontrols-before-deref.patch create mode 100644 queue-4.16/asoc-topology-fix-bugs-of-freeing-soc-topology.patch create mode 100644 queue-4.16/ata-ahci-mvebu-override-ahci_stop_engine-for-mvebu-ahci.patch create mode 100644 queue-4.16/blk-mq-fix-sysfs-inflight-counter.patch create mode 100644 queue-4.16/blkcg-don-t-hold-blkcg-lock-when-deactivating-policy.patch create mode 100644 queue-4.16/blkcg-init-root-blkcg_gq-under-lock.patch create mode 100644 queue-4.16/bpf-fix-possible-spectre-v1-in-find_and_alloc_map.patch create mode 100644 queue-4.16/bpf-fix-uninitialized-variable-in-bpf-tools.patch create mode 100644 queue-4.16/bpf-use-array_index_nospec-in-find_prog_type.patch create mode 100644 queue-4.16/bpf-x64-fix-jit-emission-for-dead-code.patch create mode 100644 queue-4.16/bpf-x64-fix-memleak-when-not-converging-after-image.patch create mode 100644 queue-4.16/bpf-x64-fix-memleak-when-not-converging-on-calls.patch create mode 100644 queue-4.16/can-dev-increase-bus-off-message-severity.patch create mode 100644 queue-4.16/cifs-allocate-validate-negotiation-request-through-kmalloc.patch create mode 100644 queue-4.16/cifs-set-resp_buf_type-to-no_buffer-on-error.patch create mode 100644 queue-4.16/cifs-smb2ops-fix-listxattr-when-there-are-no-eas.patch create mode 100644 queue-4.16/cifs-smbd-depend-on-infiniband_addr_trans.patch create mode 100644 queue-4.16/clk-honor-clk_mux_round_closest-in-generic-clk-mux.patch create mode 100644 queue-4.16/clk-imx6ull-use-osc-clock-during-axi-rate-change.patch create mode 100644 queue-4.16/clocksource-drivers-imx-tpm-correct-some-registers-operation-flow.patch create mode 100644 queue-4.16/cpufreq-brcmstb-avs-cpufreq-remove-development-debug-support.patch create mode 100644 queue-4.16/cxgb4-copy-mbox-log-size-to-pf0-3-adap-instances.patch create mode 100644 queue-4.16/doc-add-vendor-prefix-for-kieback-peter-gmbh.patch create mode 100644 queue-4.16/driver-core-add-__printf-verification-to-__ata_ehi_pushv_desc.patch create mode 100644 queue-4.16/drm-amdgpu-switch-to-interruptable-wait-to-recover-from-ring-hang.patch create mode 100644 queue-4.16/drm-amdkfd-fix-clock-counter-retrieval-for-node-without-gpu.patch create mode 100644 queue-4.16/drm-dumb-buffers-integer-overflow-in-drm_mode_create_ioctl.patch create mode 100644 queue-4.16/drm-exynos-mixer-avoid-oops-in-vp_video_buffer.patch create mode 100644 queue-4.16/drm-exynos-mixer-fix-synchronization-check-in-interlaced-mode.patch create mode 100644 queue-4.16/drm-msm-don-t-deref-error-pointer-in-the-msm_fbdev_create-error-path.patch create mode 100644 queue-4.16/drm-msm-dsi-use-correct-enum-in-dsi_get_cmd_fmt.patch create mode 100644 queue-4.16/drm-msm-fix-possible-null-dereference-on-failure-of-get_pages.patch create mode 100644 queue-4.16/drm-omap-check-return-value-from-soc_device_match.patch create mode 100644 queue-4.16/drm-omap-fix-possible-null-ref-issue-in-tiler_reserve_2d.patch create mode 100644 queue-4.16/drm-omap-fix-uninitialized-ret-variable.patch create mode 100644 queue-4.16/drm-omap-handle-alloc-failures-in-omap_connector.patch create mode 100644 queue-4.16/drm-omap-silence-unititialized-variable-warning.patch create mode 100644 queue-4.16/drm-vc4-fix-oops-dereferencing-dpi-s-connector-since-panel_bridge.patch create mode 100644 queue-4.16/dt-bindings-dmaengine-rcar-dmac-document-r8a77965-support.patch create mode 100644 queue-4.16/dt-bindings-meson-uart-dt-fix-s-clocks-names-clock-names.patch create mode 100644 queue-4.16/dt-bindings-mvebu-uart-dt-fix-s-interrupts-names-interrupt-names.patch create mode 100644 queue-4.16/dt-bindings-net-ravb-add-support-for-r8a77965-soc.patch create mode 100644 queue-4.16/dt-bindings-panel-lvds-fix-path-to-display-timing-bindings.patch create mode 100644 queue-4.16/dt-bindings-pinctrl-sunxi-fix-reference-to-driver.patch create mode 100644 queue-4.16/dt-bindings-serial-sh-sci-add-support-for-r8a77965-h-scif.patch create mode 100644 queue-4.16/ecryptfs-don-t-pass-up-plaintext-names-when-using-filename-encryption.patch create mode 100644 queue-4.16/efi-libstub-arm64-handle-randomized-text_offset.patch create mode 100644 queue-4.16/fsnotify-fix-ignore-mask-logic-in-send_to_group.patch create mode 100644 queue-4.16/gcc-plugins-fix-build-condition-of-sancov-plugin.patch create mode 100644 queue-4.16/hexagon-add-memset_io-helper.patch create mode 100644 queue-4.16/hexagon-export-csum_partial_copy_nocheck.patch create mode 100644 queue-4.16/hid-i2c-hid-add-resend_report_descr-quirk-for-toshiba-click-mini-l9w-b.patch create mode 100644 queue-4.16/hid-intel-ish-hid-use-put_device-instead-of-kfree.patch create mode 100644 queue-4.16/hid-lenovo-add-support-for-ibm-lenovo-scrollpoint-mice.patch create mode 100644 queue-4.16/hid-wacom-release-device-resource-data-obtained-by-devres_alloc.patch create mode 100644 queue-4.16/i2c-pmcmsp-fix-error-return-from-master_xfer.patch create mode 100644 queue-4.16/i2c-pmcmsp-return-message-count-on-master_xfer-success.patch create mode 100644 queue-4.16/i2c-sprd-fix-the-i2c-count-issue.patch create mode 100644 queue-4.16/i2c-sprd-prevent-i2c-accesses-after-suspend-is-called.patch create mode 100644 queue-4.16/i2c-viperboard-return-message-count-on-master_xfer-success.patch create mode 100644 queue-4.16/ib-core-make-ib_mad_client_id-atomic.patch create mode 100644 queue-4.16/ib-hfi1-fix-memory-leak-in-exception-path-in-get_irq_affinity.patch create mode 100644 queue-4.16/ib-hfi1-rdmavt-fix-memory-leak-in-hfi1_alloc_devdata-upon-failure.patch create mode 100644 queue-4.16/ib-hfi1-use-correct-type-for-num_user_context.patch create mode 100644 queue-4.16/ib-make-infiniband_addr_trans-configurable.patch create mode 100644 queue-4.16/ib-mlx4-fix-integer-overflow-when-calculating-optimal-mtt-size.patch create mode 100644 queue-4.16/ib-rxe-add-rxe_start_mask-for-rxe_opcode-ib_opcode_rc_send_only_inv.patch create mode 100644 queue-4.16/ib-rxe-avoid-double-kfree_skb.patch create mode 100644 queue-4.16/ib-uverbs-fix-validating-mandatory-attributes.patch create mode 100644 queue-4.16/ib_srp-depend-on-infiniband_addr_trans.patch create mode 100644 queue-4.16/ib_srpt-depend-on-infiniband_addr_trans.patch create mode 100644 queue-4.16/ibmvnic-do-not-notify-peers-on-parameter-change-resets.patch create mode 100644 queue-4.16/igb-fix-the-transmission-mode-of-queue-0-for-qav-mode.patch create mode 100644 queue-4.16/init-fix-false-positives-in-w-x-checking.patch create mode 100644 queue-4.16/input-atmel_mxt_ts-fix-the-firmware-update.patch create mode 100644 queue-4.16/input-synaptics-rmi4-fix-an-unchecked-out-of-memory-error-path.patch create mode 100644 queue-4.16/iommu-vt-d-fix-shift-out-of-bounds-in-bug-checking.patch create mode 100644 queue-4.16/iommu-vt-d-fix-usage-of-force-parameter-in-intel_ir_reconfigure_irte.patch create mode 100644 queue-4.16/isofs-fix-potential-memory-leak-in-mount-option-parsing.patch create mode 100644 queue-4.16/ixgbe-fix-memory-leak-on-ipsec-allocation.patch create mode 100644 queue-4.16/ixgbe-return-error-on-unsupported-sfp-module-when-resetting.patch create mode 100644 queue-4.16/kexec_file-do-not-add-extra-alignment-to-efi-memmap.patch create mode 100644 queue-4.16/kprobes-x86-prohibit-probing-on-exception-masking-instructions.patch create mode 100644 queue-4.16/kthread-sched-wait-fix-kthread_parkme-completion-issue.patch create mode 100644 queue-4.16/kthread-sched-wait-fix-kthread_parkme-wait-loop.patch create mode 100644 queue-4.16/kvm-apic-flush-tlb-after-apic-mode-address-change-if-vpids-are-in-use.patch create mode 100644 queue-4.16/kvm-arm-arm64-vgic-fix-possible-spectre-v1-in-vgic_mmio_read_apr.patch create mode 100644 queue-4.16/kvm-arm-arm64-vgic-kick-new-vcpu-on-interrupt-migration.patch create mode 100644 queue-4.16/kvm-extend-max_irq_routes-to-4096-for-all-archs.patch create mode 100644 queue-4.16/kvm-x86-fix-incorrect-reference-of-trace_kvm_pi_irte_update.patch create mode 100644 queue-4.16/kvm-x86-lower-the-default-timer-frequency-limit-to-200us.patch create mode 100644 queue-4.16/kvm-x86-move-msr_ia32_tsc-handling-to-x86.c.patch create mode 100644 queue-4.16/lan78xx-phy-dsp-registers-initialization-to-address-eee-link-drop-issues-with-long-cables.patch create mode 100644 queue-4.16/lib-find_bit_benchmark.c-avoid-soft-lockup-in-test_find_first_bit.patch create mode 100644 queue-4.16/libahci-allow-drivers-to-override-stop_engine.patch create mode 100644 queue-4.16/linux-stringhash.h-fix-end_name_hash-for-64bit-long.patch create mode 100644 queue-4.16/livepatch-allow-to-call-a-custom-callback-when-freeing-shadow-variables.patch create mode 100644 queue-4.16/livepatch-initialize-shadow-variables-safely-by-a-custom-callback.patch create mode 100644 queue-4.16/locking-percpu-rwsem-annotate-rwsem-ownership-transfer-by-setting-rwsem_owner_unknown.patch create mode 100644 queue-4.16/locking-rwsem-add-a-new-rwsem_anonymously_owned-flag.patch create mode 100644 queue-4.16/mac80211-adjust-sae-authentication-timeout.patch create mode 100644 queue-4.16/mac80211-use-timeout-from-the-addba-response-instead-of-the-request.patch create mode 100644 queue-4.16/mips-dts-boston-fix-pci-bus-dtc-warnings.patch create mode 100644 queue-4.16/mips-io-add-barrier-after-register-read-in-readx.patch create mode 100644 queue-4.16/mips-io-prevent-compiler-reordering-writex.patch create mode 100644 queue-4.16/mm-memcg-add-__gfp_nowarn-in-__memcg_schedule_kmem_cache_create.patch create mode 100644 queue-4.16/mm-pagemap-fix-swap-offset-value-for-pmd-migration-entry.patch create mode 100644 queue-4.16/mtd-fix-comparison-in-map_word_andequal.patch create mode 100644 queue-4.16/mtd-onenand-omap2-disable-dma-for-highmem-buffers.patch create mode 100644 queue-4.16/mtd-rawnand-fix-return-type-of-__divide-when-called-with-32-bit.patch create mode 100644 queue-4.16/net-aquantia-driver-should-correctly-declare-vlan_features-bits.patch create mode 100644 queue-4.16/net-aquantia-limit-number-of-vectors-to-actually-allocated-irqs.patch create mode 100644 queue-4.16/net-ethtool-add-missing-kernel-doc-for-fec-parameters.patch create mode 100644 queue-4.16/net-hns-avoid-action-name-truncation.patch create mode 100644 queue-4.16/net-mvpp2-fix-clk-error-path-in-mvpp2_probe.patch create mode 100644 queue-4.16/net-phy-broadcom-add-support-for-bcm89610-phy.patch create mode 100644 queue-4.16/net-phy-marvell-clear-wol-event-before-setting-it.patch create mode 100644 queue-4.16/net-sched-actions-fix-invalid-pointer-dereferencing-if-skbedit-flags-missing.patch create mode 100644 queue-4.16/netfilter-nf_tables-fix-out-of-bounds-in-nft_chain_commit_update.patch create mode 100644 queue-4.16/netfilter-nf_tables-nat-chain-and-extensions-require-nf_tables.patch create mode 100644 queue-4.16/nfp-don-t-depend-on-eth_tbl-being-available.patch create mode 100644 queue-4.16/nfp-flower-split-and-limit-cmsg-skb-lists.patch create mode 100644 queue-4.16/nfp-ignore-signals-when-communicating-with-management-fw.patch create mode 100644 queue-4.16/nvme-depend-on-infiniband_addr_trans.patch create mode 100644 queue-4.16/nvme-fix-potential-memory-leak-in-option-parsing.patch create mode 100644 queue-4.16/nvme-fix-use-after-free-in-nvme_free_ns_head.patch create mode 100644 queue-4.16/nvme-multipath-disable-runtime-writable-enabling-parameter.patch create mode 100644 queue-4.16/nvme-multipath-fix-multipath-disabled-naming-collisions.patch create mode 100644 queue-4.16/nvme-set-integrity-flag-for-user-passthrough-commands.patch create mode 100644 queue-4.16/nvmet-rdma-depend-on-infiniband_addr_trans.patch create mode 100644 queue-4.16/objtool-kprobes-x86-sync-the-latest-asm-insn.h-header-with-tools-objtool-arch-x86-include-asm-insn.h.patch create mode 100644 queue-4.16/ocfs2-take-inode-cluster-lock-before-moving-reflinked-inode-from-orphan-dir.patch create mode 100644 queue-4.16/parisc-drivers.c-fix-section-mismatches.patch create mode 100644 queue-4.16/parisc-move-setup_profiling_timer-out-of-init-section.patch create mode 100644 queue-4.16/parisc-time-convert-read_persistent_clock-to-read_persistent_clock64.patch create mode 100644 queue-4.16/pci-kirin-fix-reset-gpio-name.patch create mode 100644 queue-4.16/perf-cs-etm-support-unknown_thread-in-cs_etm_auxtrace.patch create mode 100644 queue-4.16/perf-pmu-fix-core-pmu-alias-list-for-x86-platform.patch create mode 100644 queue-4.16/perf-report-fix-switching-to-another-perf.data-file.patch create mode 100644 queue-4.16/perf-x86-intel-don-t-enable-freeze-on-smi-for-perfmon-v1.patch create mode 100644 queue-4.16/pinctrl-cherryview-associate-irq-descriptors-to-irqdomain.patch create mode 100644 queue-4.16/pinctrl-meson-axg-fix-the-range-of-aobus-bank.patch create mode 100644 queue-4.16/platform-x86-dell_wmi-use-depends-on-instead-of-select-for-dell_smbios.patch create mode 100644 queue-4.16/powerpc-64s-default-l1d_size-to-64k-in-rfi-fallback-flush.patch create mode 100644 queue-4.16/powerpc-kvm-booke-fix-altivec-related-build-break.patch create mode 100644 queue-4.16/powerpc-powernv-memtrace-let-the-arch-hotunplug-code-flush-cache.patch create mode 100644 queue-4.16/powerpc-pseries-fix-config_numa-n-build.patch create mode 100644 queue-4.16/powerpc-trace-syscalls-update-syscall-name-matching-logic-to-account-for-ppc_-prefix.patch create mode 100644 queue-4.16/powerpc-trace-syscalls-update-syscall-name-matching-logic.patch create mode 100644 queue-4.16/proc-fix-proc-loadavg-regression.patch create mode 100644 queue-4.16/proc-kcore-don-t-bounds-check-against-address-0.patch create mode 100644 queue-4.16/proc-revalidate-kernel-thread-inodes-to-root-root.patch create mode 100644 queue-4.16/qed-fix-l2-initializations-over-iwarp-personality.patch create mode 100644 queue-4.16/qede-fix-gfp-flags-sent-to-rdma-event-node-allocation.patch create mode 100644 queue-4.16/rdma-cma-do-not-query-gid-during-qp-state-transition-to-rtr.patch create mode 100644 queue-4.16/rdma-cma-fix-use-after-destroy-access-to-net-namespace-for-ipoib.patch create mode 100644 queue-4.16/rdma-hns-bugfix-for-init-hem-table.patch create mode 100644 queue-4.16/rdma-hns-fix-the-qp-context-state-diagram.patch create mode 100644 queue-4.16/rdma-hns-intercept-illegal-rdma-operation-when-use-inline-data.patch create mode 100644 queue-4.16/rdma-hns-submit-bad-wr.patch create mode 100644 queue-4.16/rdma-iwpm-fix-memory-leak-on-map_info.patch create mode 100644 queue-4.16/rdma-mlx5-properly-check-return-value-of-mlx5_get_uars_page.patch create mode 100644 queue-4.16/rds-ib-fix-missing-call-to-rds_ib_dev_put-in-rds_ib_setup_qp.patch create mode 100644 queue-4.16/remoteproc-qcom-fix-potential-device-node-leaks.patch create mode 100644 queue-4.16/reset-uniphier-fix-usb-clock-line-for-ld20.patch create mode 100644 queue-4.16/risc-v-build-vdso-dummy.o-with-no-pie.patch create mode 100644 queue-4.16/riscv-select-dma_direct_ops-instead-of-redefining-it.patch create mode 100644 queue-4.16/rpmsg-added-module_alias-for-rpmsg_char.patch create mode 100644 queue-4.16/rxrpc-fix-error-reception-on-af_inet6-sockets.patch create mode 100644 queue-4.16/rxrpc-fix-missing-start-of-call-timeout.patch create mode 100644 queue-4.16/rxrpc-fix-the-min-security-level-for-kernel-calls.patch create mode 100644 queue-4.16/s390-qeth-fix-mac-address-update-sequence.patch create mode 100644 queue-4.16/s390-qeth-fix-request-side-race-during-cmd-io-timeout.patch create mode 100644 queue-4.16/s390-qeth-use-read-device-to-query-hypervisor-for-mac.patch create mode 100644 queue-4.16/s390-smsgiucv-disable-smsg-on-module-unload.patch create mode 100644 queue-4.16/sched-core-introduce-set_special_state.patch create mode 100644 queue-4.16/sched-deadline-make-the-grub_reclaim-function-static.patch create mode 100644 queue-4.16/sched-debug-move-the-print_rt_rq-and-print_dl_rq-declarations-to-kernel-sched-sched.h.patch create mode 100644 queue-4.16/scsi-isci-fix-infinite-loop-in-while-loop.patch create mode 100644 queue-4.16/scsi-iscsi-respond-to-netlink-with-unicast-when-appropriate.patch create mode 100644 queue-4.16/scsi-megaraid_sas-do-not-log-an-error-if-fw-successfully-initializes.patch create mode 100644 queue-4.16/scsi-storvsc-set-up-correct-queue-depth-values-for-ide-devices.patch create mode 100644 queue-4.16/scsi-target-fix-crash-with-iscsi-target-and-dvd.patch create mode 100644 queue-4.16/scsi-vmw-pvscsi-return-did_bus_busy-for-adapter-initated-aborts.patch create mode 100644 queue-4.16/selftests-ftrace-add-a-testcase-for-multiple-actions-on-trigger.patch create mode 100644 queue-4.16/sh-fix-build-failure-for-j2-cpu-with-smp-disabled.patch create mode 100644 queue-4.16/sh-switch-to-no_bootmem.patch create mode 100644 queue-4.16/smc-fix-sendpage-call.patch create mode 100644 queue-4.16/soc-bcm-raspberrypi-power-fix-use-of-__packed.patch create mode 100644 queue-4.16/soc-bcm2835-make-raspberrypi_firmware-dummies-return-failure.patch create mode 100644 queue-4.16/spi-bcm2835aux-ensure-interrupts-are-enabled-for-shared-handler.patch create mode 100644 queue-4.16/spi-cadence-add-usleep_range-for-cdns_spi_fill_tx_fifo.patch create mode 100644 queue-4.16/spi-sh-msiof-fix-bit-field-overflow-writes-to-tscr-rscr.patch create mode 100644 queue-4.16/stop_machine-sched-fix-migrate_swap-vs.-active_balance-deadlock.patch create mode 100644 queue-4.16/tee-check-shm-references-are-consistent-in-offset-size.patch create mode 100644 queue-4.16/thermal-int3403_thermal-fix-null-pointer-deref-on-module-load-probe.patch create mode 100644 queue-4.16/tipc-eliminate-kmsan-uninit-value-in-strcmp-complaint.patch create mode 100644 queue-4.16/tipc-fix-bug-in-function-tipc_nl_node_dump_monitor.patch create mode 100644 queue-4.16/tipc-fix-infinite-loop-when-dumping-link-monitor-summary.patch create mode 100644 queue-4.16/uprobes-x86-prohibit-probing-on-mov-ss-instruction.patch create mode 100644 queue-4.16/usb-musb-fix-remote-wakeup-racing-with-suspend.patch create mode 100644 queue-4.16/usb-typec-tps6598x-handle-block-reads-separately-with-plain-i2c-adapters.patch create mode 100644 queue-4.16/usb-typec-ucsi-fix-tracepoint-related-build-error.patch create mode 100644 queue-4.16/vfs-undo-an-overly-zealous-ms_rdonly-sb_rdonly-conversion.patch create mode 100644 queue-4.16/vti6-change-minimum-mtu-to-ipv4_min_mtu-vti6-can-carry-ipv4-too.patch create mode 100644 queue-4.16/x86-add-check-for-apic-access-address-for-vmentry-of-l2-guests.patch create mode 100644 queue-4.16/x86-cpu-intel-add-missing-tlb-cpuid-values.patch create mode 100644 queue-4.16/x86-delay-skip-of-emulated-hypercall-instruction.patch create mode 100644 queue-4.16/x86-kvm-properly-update-tsc_offset-to-represent-the-running-guest.patch create mode 100644 queue-4.16/x86-mpx-selftests-adjust-the-self-test-to-fresh-distros-that-export-the-mpx-abi.patch create mode 100644 queue-4.16/x86-pkeys-selftests-add-a-test-for-pkey-0.patch create mode 100644 queue-4.16/x86-pkeys-selftests-add-prot_exec-test.patch create mode 100644 queue-4.16/x86-pkeys-selftests-adjust-the-self-test-to-fresh-distros-that-export-the-pkeys-abi.patch create mode 100644 queue-4.16/x86-pkeys-selftests-allow-faults-on-unknown-keys.patch create mode 100644 queue-4.16/x86-pkeys-selftests-avoid-printf-in-signal-deadlocks.patch create mode 100644 queue-4.16/x86-pkeys-selftests-factor-out-instruction-page.patch create mode 100644 queue-4.16/x86-pkeys-selftests-fix-pkey-exhaustion-test-off-by-one.patch create mode 100644 queue-4.16/x86-pkeys-selftests-fix-pointer-math.patch create mode 100644 queue-4.16/x86-pkeys-selftests-give-better-unexpected-fault-error-messages.patch create mode 100644 queue-4.16/x86-pkeys-selftests-remove-dead-debugging-code-fix-dprint_in_signal.patch create mode 100644 queue-4.16/x86-pkeys-selftests-save-off-prot-for-allocations.patch create mode 100644 queue-4.16/x86-pkeys-selftests-stop-using-assert.patch create mode 100644 queue-4.16/x86-selftests-add-mov_to_ss-test.patch create mode 100644 queue-4.16/x86-xen-reset-vcpu0-info-pointer-after-shared_info-remap.patch create mode 100644 queue-4.16/xen-xenbus_dev_frontend-really-return-response-string.patch create mode 100644 queue-4.16/xprtrdma-fix-list-corruption-dmar-errors-during-mr-recovery.patch diff --git a/queue-4.16/acpi-pm-blacklist-low-power-s0-idle-_dsm-for-thinkpad-x1-tablet-2016.patch b/queue-4.16/acpi-pm-blacklist-low-power-s0-idle-_dsm-for-thinkpad-x1-tablet-2016.patch new file mode 100644 index 00000000000..4ffcb0daf82 --- /dev/null +++ b/queue-4.16/acpi-pm-blacklist-low-power-s0-idle-_dsm-for-thinkpad-x1-tablet-2016.patch @@ -0,0 +1,47 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Chen Yu +Date: Tue, 10 Apr 2018 23:07:51 +0800 +Subject: ACPI / PM: Blacklist Low Power S0 Idle _DSM for ThinkPad X1 Tablet(2016) + +From: Chen Yu + +[ Upstream commit 855c1c2fce8bdbd796cba1d1456ca8f0e876c2f1 ] + +ThinkPad X1 Tablet(2016) is reported to have issues with +the Low Power S0 Idle _DSM interface and since this machine +model generally can do ACPI S3 just fine, and user would +like to use S3 as default sleep model, add a blacklist +entry to disable that interface for ThinkPad X1 Tablet(2016). + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=199057 +Reported-and-tested-by: Robin Lee +Signed-off-by: Chen Yu +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/sleep.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/drivers/acpi/sleep.c ++++ b/drivers/acpi/sleep.c +@@ -364,6 +364,19 @@ static const struct dmi_system_id acpisl + DMI_MATCH(DMI_PRODUCT_NAME, "XPS 13 9360"), + }, + }, ++ /* ++ * ThinkPad X1 Tablet(2016) cannot do suspend-to-idle using ++ * the Low Power S0 Idle firmware interface (see ++ * https://bugzilla.kernel.org/show_bug.cgi?id=199057). ++ */ ++ { ++ .callback = init_no_lps0, ++ .ident = "ThinkPad X1 Tablet(2016)", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "20GGA00L00"), ++ }, ++ }, + {}, + }; + diff --git a/queue-4.16/acpi-scan-initialize-watchdog-before-pnp.patch b/queue-4.16/acpi-scan-initialize-watchdog-before-pnp.patch new file mode 100644 index 00000000000..9bd43706049 --- /dev/null +++ b/queue-4.16/acpi-scan-initialize-watchdog-before-pnp.patch @@ -0,0 +1,49 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Mika Westerberg +Date: Thu, 19 Apr 2018 13:08:37 +0300 +Subject: ACPI / scan: Initialize watchdog before PNP + +From: Mika Westerberg + +[ Upstream commit cc6a0e315a68e5db85bea347b0c5b0fe4a9a5904 ] + +At least on one Dell system the PNP motherboard resources device +includes resources used by WDAT table. Since PNP gets initialized before +WDAT it results following error and no watchdog: + + platform wdat_wdt: failed to claim resource 3: [io 0x046a-0x046c] + ACPI: watchdog: Device creation failed: -16 + +Now, the PNP system driver is already accustomed with the situation that +it cannot reserve all those motherboard resources because drivers using +those might have reserved them already. In addition putting WDAT table +resources under motherboard resources device makes sense in general. + +Fix this by initializing WDAT right before PNP. This allows WDAT to +reserve all its resources and still keeps PNP system driver happy. + +Reported-by: Shubhrata.Priyadarsh@dell.com +Reported-by: Takashi Iwai +Signed-off-by: Mika Westerberg +Acked-by: Guenter Roeck +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/scan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/acpi/scan.c ++++ b/drivers/acpi/scan.c +@@ -2150,10 +2150,10 @@ int __init acpi_scan_init(void) + acpi_cmos_rtc_init(); + acpi_container_init(); + acpi_memory_hotplug_init(); ++ acpi_watchdog_init(); + acpi_pnp_init(); + acpi_int340x_thermal_init(); + acpi_amba_init(); +- acpi_watchdog_init(); + acpi_init_lpit(); + + acpi_scan_add_handler(&generic_device_handler); diff --git a/queue-4.16/acpi-watchdog-prefer-itco_wdt-on-lenovo-z50-70.patch b/queue-4.16/acpi-watchdog-prefer-itco_wdt-on-lenovo-z50-70.patch new file mode 100644 index 00000000000..8d42365e35b --- /dev/null +++ b/queue-4.16/acpi-watchdog-prefer-itco_wdt-on-lenovo-z50-70.patch @@ -0,0 +1,118 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Mika Westerberg +Date: Mon, 23 Apr 2018 14:16:03 +0300 +Subject: ACPI / watchdog: Prefer iTCO_wdt on Lenovo Z50-70 + +From: Mika Westerberg + +[ Upstream commit a0a37862a4e1844793d39aca9ccb8fecbdcb8659 ] + +WDAT table on Lenovo Z50-70 is using RTC SRAM (ports 0x70 and 0x71) to +store state of the timer. This conflicts with Linux RTC driver +(rtc-cmos.c) who fails to reserve those ports for itself preventing RTC +from functioning. In addition the WDAT table seems not to be fully +functional because it does not reset the system when the watchdog times +out. + +On this system iTCO_wdt works just fine so we simply prefer to use it +instead of WDAT. This makes RTC working again and also results working +watchdog via iTCO_wdt. + +Reported-by: Peter Milley +Link: https://bugzilla.kernel.org/show_bug.cgi?id=199033 +Signed-off-by: Mika Westerberg +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/acpi_watchdog.c | 59 +++++++++++++++++++++++++++++++++++-------- + 1 file changed, 49 insertions(+), 10 deletions(-) + +--- a/drivers/acpi/acpi_watchdog.c ++++ b/drivers/acpi/acpi_watchdog.c +@@ -12,23 +12,64 @@ + #define pr_fmt(fmt) "ACPI: watchdog: " fmt + + #include ++#include + #include + #include + + #include "internal.h" + ++static const struct dmi_system_id acpi_watchdog_skip[] = { ++ { ++ /* ++ * On Lenovo Z50-70 there are two issues with the WDAT ++ * table. First some of the instructions use RTC SRAM ++ * to store persistent information. This does not work well ++ * with Linux RTC driver. Second, more important thing is ++ * that the instructions do not actually reset the system. ++ * ++ * On this particular system iTCO_wdt seems to work just ++ * fine so we prefer that over WDAT for now. ++ * ++ * See also https://bugzilla.kernel.org/show_bug.cgi?id=199033. ++ */ ++ .ident = "Lenovo Z50-70", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "20354"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Z50-70"), ++ }, ++ }, ++ {} ++}; ++ ++static const struct acpi_table_wdat *acpi_watchdog_get_wdat(void) ++{ ++ const struct acpi_table_wdat *wdat = NULL; ++ acpi_status status; ++ ++ if (acpi_disabled) ++ return NULL; ++ ++ if (dmi_check_system(acpi_watchdog_skip)) ++ return NULL; ++ ++ status = acpi_get_table(ACPI_SIG_WDAT, 0, ++ (struct acpi_table_header **)&wdat); ++ if (ACPI_FAILURE(status)) { ++ /* It is fine if there is no WDAT */ ++ return NULL; ++ } ++ ++ return wdat; ++} ++ + /** + * Returns true if this system should prefer ACPI based watchdog instead of + * the native one (which are typically the same hardware). + */ + bool acpi_has_watchdog(void) + { +- struct acpi_table_header hdr; +- +- if (acpi_disabled) +- return false; +- +- return ACPI_SUCCESS(acpi_get_table_header(ACPI_SIG_WDAT, 0, &hdr)); ++ return !!acpi_watchdog_get_wdat(); + } + EXPORT_SYMBOL_GPL(acpi_has_watchdog); + +@@ -41,12 +82,10 @@ void __init acpi_watchdog_init(void) + struct platform_device *pdev; + struct resource *resources; + size_t nresources = 0; +- acpi_status status; + int i; + +- status = acpi_get_table(ACPI_SIG_WDAT, 0, +- (struct acpi_table_header **)&wdat); +- if (ACPI_FAILURE(status)) { ++ wdat = acpi_watchdog_get_wdat(); ++ if (!wdat) { + /* It is fine if there is no WDAT */ + return; + } diff --git a/queue-4.16/afs-fix-address-list-parsing.patch b/queue-4.16/afs-fix-address-list-parsing.patch new file mode 100644 index 00000000000..169ca8dc5e0 --- /dev/null +++ b/queue-4.16/afs-fix-address-list-parsing.patch @@ -0,0 +1,79 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: David Howells +Date: Wed, 9 May 2018 22:03:18 +0100 +Subject: afs: Fix address list parsing + +From: David Howells + +[ Upstream commit 01fd79e6de74a447c5657913a335d9ce6508cdb1 ] + +The parsing of port specifiers in the address list obtained from the DNS +resolution upcall doesn't work as in4_pton() and in6_pton() will fail on +encountering an unexpected delimiter (in this case, the '+' marking the +port number). However, in*_pton() can't be given multiple specifiers. + +Fix this by finding the delimiter in advance and not relying on in*_pton() +to find the end of the address for us. + +Fixes: 8b2a464ced77 ("afs: Add an address list concept") +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/afs/addr_list.c | 25 +++++++++++++++---------- + 1 file changed, 15 insertions(+), 10 deletions(-) + +--- a/fs/afs/addr_list.c ++++ b/fs/afs/addr_list.c +@@ -121,7 +121,7 @@ struct afs_addr_list *afs_parse_text_add + p = text; + do { + struct sockaddr_rxrpc *srx = &alist->addrs[alist->nr_addrs]; +- char tdelim = delim; ++ const char *q, *stop; + + if (*p == delim) { + p++; +@@ -130,28 +130,33 @@ struct afs_addr_list *afs_parse_text_add + + if (*p == '[') { + p++; +- tdelim = ']'; ++ q = memchr(p, ']', end - p); ++ } else { ++ for (q = p; q < end; q++) ++ if (*q == '+' || *q == delim) ++ break; + } + +- if (in4_pton(p, end - p, ++ if (in4_pton(p, q - p, + (u8 *)&srx->transport.sin6.sin6_addr.s6_addr32[3], +- tdelim, &p)) { ++ -1, &stop)) { + srx->transport.sin6.sin6_addr.s6_addr32[0] = 0; + srx->transport.sin6.sin6_addr.s6_addr32[1] = 0; + srx->transport.sin6.sin6_addr.s6_addr32[2] = htonl(0xffff); +- } else if (in6_pton(p, end - p, ++ } else if (in6_pton(p, q - p, + srx->transport.sin6.sin6_addr.s6_addr, +- tdelim, &p)) { ++ -1, &stop)) { + /* Nothing to do */ + } else { + goto bad_address; + } + +- if (tdelim == ']') { +- if (p == end || *p != ']') +- goto bad_address; ++ if (stop != q) ++ goto bad_address; ++ ++ p = q; ++ if (q < end && *q == ']') + p++; +- } + + if (p < end) { + if (*p == '+') { diff --git a/queue-4.16/afs-fix-afs_find_server-search-loop.patch b/queue-4.16/afs-fix-afs_find_server-search-loop.patch new file mode 100644 index 00000000000..c75274677d4 --- /dev/null +++ b/queue-4.16/afs-fix-afs_find_server-search-loop.patch @@ -0,0 +1,60 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Marc Dionne +Date: Fri, 11 May 2018 21:35:06 -0300 +Subject: afs: Fix afs_find_server search loop + +From: Marc Dionne + +[ Upstream commit f9c1bba3d392843f046d2ee27b4dfcec989d8a4b ] + +The code that looks up servers by addresses makes the assumption +that the list of addresses for a server is sorted. It exits the +loop if it finds that the target address is larger than the +current candidate. As the list is not currently sorted, this +can lead to a failure to find a matching server, which can cause +callbacks from that server to be ignored. + +Remove the early exit case so that the complete list is searched. + +Fixes: d2ddc776a458 ("afs: Overhaul volume and server record caching and fileserver rotation") +Signed-off-by: Marc Dionne +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/afs/server.c | 13 ------------- + 1 file changed, 13 deletions(-) + +--- a/fs/afs/server.c ++++ b/fs/afs/server.c +@@ -66,12 +66,6 @@ struct afs_server *afs_find_server(struc + sizeof(struct in6_addr)); + if (diff == 0) + goto found; +- if (diff < 0) { +- // TODO: Sort the list +- //if (i == alist->nr_ipv4) +- // goto not_found; +- break; +- } + } + } + } else { +@@ -85,17 +79,10 @@ struct afs_server *afs_find_server(struc + (u32)b->sin6_addr.s6_addr32[3]); + if (diff == 0) + goto found; +- if (diff < 0) { +- // TODO: Sort the list +- //if (i == 0) +- // goto not_found; +- break; +- } + } + } + } + +- //not_found: + server = NULL; + found: + if (server && !atomic_inc_not_zero(&server->usage)) diff --git a/queue-4.16/afs-fix-refcounting-in-callback-registration.patch b/queue-4.16/afs-fix-refcounting-in-callback-registration.patch new file mode 100644 index 00000000000..01378ec55c3 --- /dev/null +++ b/queue-4.16/afs-fix-refcounting-in-callback-registration.patch @@ -0,0 +1,205 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: David Howells +Date: Thu, 10 May 2018 08:43:04 +0100 +Subject: afs: Fix refcounting in callback registration + +From: David Howells + +[ Upstream commit d4a96bec7a7362834ef5c31d7b2cc9bf36eb0570 ] + +The refcounting on afs_cb_interest struct objects in +afs_register_server_cb_interest() is wrong as it uses the server list +entry's call back interest pointer without regard for the fact that it +might be replaced at any time and the object thrown away. + +Fix this by: + + (1) Put a lock on the afs_server_list struct that can be used to + mediate access to the callback interest pointers in the servers array. + + (2) Keep a ref on the callback interest that we get from the entry. + + (3) Dropping the old reference held by vnode->cb_interest if we replace + the pointer. + +Fixes: c435ee34551e ("afs: Overhaul the callback handling") +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/afs/callback.c | 56 ++++++++++++++++++++++++++++++++++++--------------- + fs/afs/internal.h | 7 ++++-- + fs/afs/rotate.c | 4 +-- + fs/afs/server_list.c | 7 ++++-- + 4 files changed, 52 insertions(+), 22 deletions(-) + +--- a/fs/afs/callback.c ++++ b/fs/afs/callback.c +@@ -23,36 +23,55 @@ + /* + * Set up an interest-in-callbacks record for a volume on a server and + * register it with the server. +- * - Called with volume->server_sem held. ++ * - Called with vnode->io_lock held. + */ + int afs_register_server_cb_interest(struct afs_vnode *vnode, +- struct afs_server_entry *entry) ++ struct afs_server_list *slist, ++ unsigned int index) + { +- struct afs_cb_interest *cbi = entry->cb_interest, *vcbi, *new, *x; ++ struct afs_server_entry *entry = &slist->servers[index]; ++ struct afs_cb_interest *cbi, *vcbi, *new, *old; + struct afs_server *server = entry->server; + + again: ++ if (vnode->cb_interest && ++ likely(vnode->cb_interest == entry->cb_interest)) ++ return 0; ++ ++ read_lock(&slist->lock); ++ cbi = afs_get_cb_interest(entry->cb_interest); ++ read_unlock(&slist->lock); ++ + vcbi = vnode->cb_interest; + if (vcbi) { +- if (vcbi == cbi) ++ if (vcbi == cbi) { ++ afs_put_cb_interest(afs_v2net(vnode), cbi); + return 0; ++ } + ++ /* Use a new interest in the server list for the same server ++ * rather than an old one that's still attached to a vnode. ++ */ + if (cbi && vcbi->server == cbi->server) { + write_seqlock(&vnode->cb_lock); +- vnode->cb_interest = afs_get_cb_interest(cbi); ++ old = vnode->cb_interest; ++ vnode->cb_interest = cbi; + write_sequnlock(&vnode->cb_lock); +- afs_put_cb_interest(afs_v2net(vnode), cbi); ++ afs_put_cb_interest(afs_v2net(vnode), old); + return 0; + } + ++ /* Re-use the one attached to the vnode. */ + if (!cbi && vcbi->server == server) { +- afs_get_cb_interest(vcbi); +- x = cmpxchg(&entry->cb_interest, cbi, vcbi); +- if (x != cbi) { +- cbi = x; +- afs_put_cb_interest(afs_v2net(vnode), vcbi); ++ write_lock(&slist->lock); ++ if (entry->cb_interest) { ++ write_unlock(&slist->lock); ++ afs_put_cb_interest(afs_v2net(vnode), cbi); + goto again; + } ++ ++ entry->cb_interest = cbi; ++ write_unlock(&slist->lock); + return 0; + } + } +@@ -72,13 +91,16 @@ again: + list_add_tail(&new->cb_link, &server->cb_interests); + write_unlock(&server->cb_break_lock); + +- x = cmpxchg(&entry->cb_interest, cbi, new); +- if (x == cbi) { ++ write_lock(&slist->lock); ++ if (!entry->cb_interest) { ++ entry->cb_interest = afs_get_cb_interest(new); + cbi = new; ++ new = NULL; + } else { +- cbi = x; +- afs_put_cb_interest(afs_v2net(vnode), new); ++ cbi = afs_get_cb_interest(entry->cb_interest); + } ++ write_unlock(&slist->lock); ++ afs_put_cb_interest(afs_v2net(vnode), new); + } + + ASSERT(cbi); +@@ -88,11 +110,13 @@ again: + */ + write_seqlock(&vnode->cb_lock); + +- vnode->cb_interest = afs_get_cb_interest(cbi); ++ old = vnode->cb_interest; ++ vnode->cb_interest = cbi; + vnode->cb_s_break = cbi->server->cb_s_break; + clear_bit(AFS_VNODE_CB_PROMISED, &vnode->flags); + + write_sequnlock(&vnode->cb_lock); ++ afs_put_cb_interest(afs_v2net(vnode), old); + return 0; + } + +--- a/fs/afs/internal.h ++++ b/fs/afs/internal.h +@@ -399,6 +399,7 @@ struct afs_server_list { + unsigned short index; /* Server currently in use */ + unsigned short vnovol_mask; /* Servers to be skipped due to VNOVOL */ + unsigned int seq; /* Set to ->servers_seq when installed */ ++ rwlock_t lock; + struct afs_server_entry servers[]; + }; + +@@ -605,13 +606,15 @@ extern void afs_init_callback_state(stru + extern void afs_break_callback(struct afs_vnode *); + extern void afs_break_callbacks(struct afs_server *, size_t,struct afs_callback[]); + +-extern int afs_register_server_cb_interest(struct afs_vnode *, struct afs_server_entry *); ++extern int afs_register_server_cb_interest(struct afs_vnode *, ++ struct afs_server_list *, unsigned int); + extern void afs_put_cb_interest(struct afs_net *, struct afs_cb_interest *); + extern void afs_clear_callback_interests(struct afs_net *, struct afs_server_list *); + + static inline struct afs_cb_interest *afs_get_cb_interest(struct afs_cb_interest *cbi) + { +- refcount_inc(&cbi->usage); ++ if (cbi) ++ refcount_inc(&cbi->usage); + return cbi; + } + +--- a/fs/afs/rotate.c ++++ b/fs/afs/rotate.c +@@ -350,8 +350,8 @@ use_server: + * break request before we've finished decoding the reply and + * installing the vnode. + */ +- fc->ac.error = afs_register_server_cb_interest( +- vnode, &fc->server_list->servers[fc->index]); ++ fc->ac.error = afs_register_server_cb_interest(vnode, fc->server_list, ++ fc->index); + if (fc->ac.error < 0) + goto failed; + +--- a/fs/afs/server_list.c ++++ b/fs/afs/server_list.c +@@ -49,6 +49,7 @@ struct afs_server_list *afs_alloc_server + goto error; + + refcount_set(&slist->usage, 1); ++ rwlock_init(&slist->lock); + + /* Make sure a records exists for each server in the list. */ + for (i = 0; i < vldb->nr_servers; i++) { +@@ -64,9 +65,11 @@ struct afs_server_list *afs_alloc_server + goto error_2; + } + +- /* Insertion-sort by server pointer */ ++ /* Insertion-sort by UUID */ + for (j = 0; j < slist->nr_servers; j++) +- if (slist->servers[j].server >= server) ++ if (memcmp(&slist->servers[j].server->uuid, ++ &server->uuid, ++ sizeof(server->uuid)) >= 0) + break; + if (j < slist->nr_servers) { + if (slist->servers[j].server == server) { diff --git a/queue-4.16/afs-fix-server-record-deletion.patch b/queue-4.16/afs-fix-server-record-deletion.patch new file mode 100644 index 00000000000..8fd81afb48a --- /dev/null +++ b/queue-4.16/afs-fix-server-record-deletion.patch @@ -0,0 +1,68 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: David Howells +Date: Wed, 18 Apr 2018 09:38:34 +0100 +Subject: afs: Fix server record deletion + +From: David Howells + +[ Upstream commit 660625922b3d9fcb376e5870299bc5c1086e1d32 ] + +AFS server records get removed from the net->fs_servers tree when +they're deleted, but not from the net->fs_addresses{4,6} lists, which +can lead to an oops in afs_find_server() when a server record has been +removed, for instance during rmmod. + +Fix this by deleting the record from the by-address lists before posting +it for RCU destruction. + +The reason this hasn't been noticed before is that the fileserver keeps +probing the local cache manager, thereby keeping the service record +alive, so the oops would only happen when a fileserver eventually gets +bored and stops pinging or if the module gets rmmod'd and a call comes +in from the fileserver during the window between the server records +being destroyed and the socket being closed. + +The oops looks something like: + + BUG: unable to handle kernel NULL pointer dereference at 000000000000001c + ... + Workqueue: kafsd afs_process_async_call [kafs] + RIP: 0010:afs_find_server+0x271/0x36f [kafs] + ... + Call Trace: + afs_deliver_cb_init_call_back_state3+0x1f2/0x21f [kafs] + afs_deliver_to_call+0x1ee/0x5e8 [kafs] + afs_process_async_call+0x5b/0xd0 [kafs] + process_one_work+0x2c2/0x504 + worker_thread+0x1d4/0x2ac + kthread+0x11f/0x127 + ret_from_fork+0x24/0x30 + +Fixes: d2ddc776a458 ("afs: Overhaul volume and server record caching and fileserver rotation") +Signed-off-by: David Howells +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/afs/server.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/fs/afs/server.c ++++ b/fs/afs/server.c +@@ -426,8 +426,15 @@ static void afs_gc_servers(struct afs_ne + } + write_sequnlock(&net->fs_lock); + +- if (deleted) ++ if (deleted) { ++ write_seqlock(&net->fs_addr_lock); ++ if (!hlist_unhashed(&server->addr4_link)) ++ hlist_del_rcu(&server->addr4_link); ++ if (!hlist_unhashed(&server->addr6_link)) ++ hlist_del_rcu(&server->addr6_link); ++ write_sequnlock(&net->fs_addr_lock); + afs_destroy_server(net, server); ++ } + } + } + diff --git a/queue-4.16/afs-fix-server-rotation-s-handling-of-fileserver-probe-failure.patch b/queue-4.16/afs-fix-server-rotation-s-handling-of-fileserver-probe-failure.patch new file mode 100644 index 00000000000..4e23ca3bfa7 --- /dev/null +++ b/queue-4.16/afs-fix-server-rotation-s-handling-of-fileserver-probe-failure.patch @@ -0,0 +1,41 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: David Howells +Date: Thu, 10 May 2018 14:22:38 +0100 +Subject: afs: Fix server rotation's handling of fileserver probe failure + +From: David Howells + +[ Upstream commit ec5a3b4b507efca903d848518dcf2ebf7b04b466 ] + +The server rotation algorithm just gives up if it fails to probe a +fileserver. Fix this by rotating to the next fileserver instead. + +Fixes: d2ddc776a458 ("afs: Overhaul volume and server record caching and fileserver rotation") +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/afs/rotate.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/fs/afs/rotate.c ++++ b/fs/afs/rotate.c +@@ -369,8 +369,16 @@ use_server: + if (!test_bit(AFS_SERVER_FL_PROBED, &server->flags)) { + fc->ac.alist = afs_get_addrlist(alist); + +- if (!afs_probe_fileserver(fc)) +- goto failed; ++ if (!afs_probe_fileserver(fc)) { ++ switch (fc->ac.error) { ++ case -ENOMEM: ++ case -ERESTARTSYS: ++ case -EINTR: ++ goto failed; ++ default: ++ goto next_server; ++ } ++ } + } + + if (!fc->ac.alist) diff --git a/queue-4.16/afs-fix-the-handling-of-cb.initcallbackstate3-to-find-the-server-by-uuid.patch b/queue-4.16/afs-fix-the-handling-of-cb.initcallbackstate3-to-find-the-server-by-uuid.patch new file mode 100644 index 00000000000..044ebd1c522 --- /dev/null +++ b/queue-4.16/afs-fix-the-handling-of-cb.initcallbackstate3-to-find-the-server-by-uuid.patch @@ -0,0 +1,44 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: David Howells +Date: Fri, 11 May 2018 23:21:35 +0100 +Subject: afs: Fix the handling of CB.InitCallBackState3 to find the server by UUID + +From: David Howells + +[ Upstream commit 001ab5a67ee5d191c64aebf4b4ef8c7a0dcfd2bc ] + +Fix the handling of the CB.InitCallBackState3 service call to find the +record of a server that we're using by looking it up by the UUID passed as +the parameter rather than by its address (of which it might have many, and +which may change). + +Fixes: c35eccb1f614 ("[AFS]: Implement the CB.InitCallBackState3 operation.") +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/afs/cmservice.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/fs/afs/cmservice.c ++++ b/fs/afs/cmservice.c +@@ -341,7 +341,6 @@ static int afs_deliver_cb_init_call_back + */ + static int afs_deliver_cb_init_call_back_state3(struct afs_call *call) + { +- struct sockaddr_rxrpc srx; + struct afs_server *server; + struct afs_uuid *r; + unsigned loop; +@@ -398,8 +397,9 @@ static int afs_deliver_cb_init_call_back + + /* we'll need the file server record as that tells us which set of + * vnodes to operate upon */ +- rxrpc_kernel_get_peer(call->net->socket, call->rxcall, &srx); +- server = afs_find_server(call->net, &srx); ++ rcu_read_lock(); ++ server = afs_find_server_by_uuid(call->net, call->request); ++ rcu_read_unlock(); + if (!server) + return -ENOTCONN; + call->cm_server = server; diff --git a/queue-4.16/afs-fix-the-non-encryption-of-calls.patch b/queue-4.16/afs-fix-the-non-encryption-of-calls.patch new file mode 100644 index 00000000000..2d63540d514 --- /dev/null +++ b/queue-4.16/afs-fix-the-non-encryption-of-calls.patch @@ -0,0 +1,49 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: David Howells +Date: Thu, 10 May 2018 23:10:40 +0100 +Subject: afs: Fix the non-encryption of calls + +From: David Howells + +[ Upstream commit 4776cab43fd3111618112737a257dc3ef368eddd ] + +Some AFS servers refuse to accept unencrypted traffic, so can't be accessed +with kAFS. Set the AF_RXRPC security level to encrypt client calls to deal +with this. + +Note that incoming service calls are set by the remote client and so aren't +affected by this. + +This requires an AF_RXRPC patch to pass the value set by setsockopt to calls +begun by the kernel. + +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/afs/rxrpc.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/fs/afs/rxrpc.c ++++ b/fs/afs/rxrpc.c +@@ -41,6 +41,7 @@ int afs_open_socket(struct afs_net *net) + { + struct sockaddr_rxrpc srx; + struct socket *socket; ++ unsigned int min_level; + int ret; + + _enter(""); +@@ -60,6 +61,12 @@ int afs_open_socket(struct afs_net *net) + srx.transport.sin6.sin6_family = AF_INET6; + srx.transport.sin6.sin6_port = htons(AFS_CM_PORT); + ++ min_level = RXRPC_SECURITY_ENCRYPT; ++ ret = kernel_setsockopt(socket, SOL_RXRPC, RXRPC_MIN_SECURITY_LEVEL, ++ (void *)&min_level, sizeof(min_level)); ++ if (ret < 0) ++ goto error_2; ++ + ret = kernel_bind(socket, (struct sockaddr *) &srx, sizeof(srx)); + if (ret == -EADDRINUSE) { + srx.transport.sin6.sin6_port = 0; diff --git a/queue-4.16/afs-fix-vnovol-handling-in-address-rotation.patch b/queue-4.16/afs-fix-vnovol-handling-in-address-rotation.patch new file mode 100644 index 00000000000..3a5f181c03b --- /dev/null +++ b/queue-4.16/afs-fix-vnovol-handling-in-address-rotation.patch @@ -0,0 +1,47 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: David Howells +Date: Fri, 11 May 2018 22:55:59 +0100 +Subject: afs: Fix VNOVOL handling in address rotation + +From: David Howells + +[ Upstream commit 3d9fa91161387ee629e7a07c47934d119910c8ae ] + +If a volume location record lists multiple file servers for a volume, then +it's possible that due to a misconfiguration or a changing configuration +that one of the file servers doesn't know about it yet and will abort +VNOVOL. Currently, the rotation algorithm will stop with EREMOTEIO. + +Fix this by moving on to try the next server if VNOVOL is returned. Once +all the servers have been tried and the record rechecked, the algorithm +will stop with EREMOTEIO or ENOMEDIUM. + +Fixes: d2ddc776a458 ("afs: Overhaul volume and server record caching and fileserver rotation") +Reported-by: Marc Dionne +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/afs/rotate.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/afs/rotate.c ++++ b/fs/afs/rotate.c +@@ -179,7 +179,7 @@ bool afs_select_fileserver(struct afs_fs + */ + if (fc->flags & AFS_FS_CURSOR_VNOVOL) { + fc->ac.error = -EREMOTEIO; +- goto failed; ++ goto next_server; + } + + write_lock(&vnode->volume->servers_lock); +@@ -201,7 +201,7 @@ bool afs_select_fileserver(struct afs_fs + */ + if (vnode->volume->servers == fc->server_list) { + fc->ac.error = -EREMOTEIO; +- goto failed; ++ goto next_server; + } + + /* Try again */ diff --git a/queue-4.16/agp-uninorth-make-two-functions-static.patch b/queue-4.16/agp-uninorth-make-two-functions-static.patch new file mode 100644 index 00000000000..3988d14965a --- /dev/null +++ b/queue-4.16/agp-uninorth-make-two-functions-static.patch @@ -0,0 +1,48 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Mathieu Malaterre +Date: Sat, 5 May 2018 21:54:05 +0200 +Subject: agp: uninorth: make two functions static + +From: Mathieu Malaterre + +[ Upstream commit dec60f3a9b7251f2657d743d96ba9a83dca02351 ] + +Both ‘uninorth_remove_memory’ and ‘null_cache_flush’ can be made +static. So make them. + +Silence the following gcc warning (W=1): + + drivers/char/agp/uninorth-agp.c:198:5: warning: no previous prototype for ‘uninorth_remove_memory’ [-Wmissing-prototypes] + +and + + drivers/char/agp/uninorth-agp.c:473:6: warning: no previous prototype for ‘null_cache_flush’ [-Wmissing-prototypes] + +Signed-off-by: Mathieu Malaterre +Signed-off-by: Dave Airlie +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/agp/uninorth-agp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/char/agp/uninorth-agp.c ++++ b/drivers/char/agp/uninorth-agp.c +@@ -195,7 +195,7 @@ static int uninorth_insert_memory(struct + return 0; + } + +-int uninorth_remove_memory(struct agp_memory *mem, off_t pg_start, int type) ++static int uninorth_remove_memory(struct agp_memory *mem, off_t pg_start, int type) + { + size_t i; + u32 *gp; +@@ -470,7 +470,7 @@ static int uninorth_free_gatt_table(stru + return 0; + } + +-void null_cache_flush(void) ++static void null_cache_flush(void) + { + mb(); + } diff --git a/queue-4.16/arm-8753-1-decompressor-add-a-missing-parameter-to-the-addruart-macro.patch b/queue-4.16/arm-8753-1-decompressor-add-a-missing-parameter-to-the-addruart-macro.patch new file mode 100644 index 00000000000..1397effa970 --- /dev/null +++ b/queue-4.16/arm-8753-1-decompressor-add-a-missing-parameter-to-the-addruart-macro.patch @@ -0,0 +1,86 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: "Łukasz Stelmach" +Date: Tue, 3 Apr 2018 09:04:57 +0100 +Subject: ARM: 8753/1: decompressor: add a missing parameter to the addruart macro + +From: "Łukasz Stelmach" + +[ Upstream commit e07e3c33b9c0b5751ade624f44325c9bf2487ea6 ] + +In commit 639da5ee374b ("ARM: add an extra temp register to the low +level debugging addruart macro") an additional temporary register was +added to the addruart macro, but the decompressor code wasn't updated. + +Fixes: 639da5ee374b ("ARM: add an extra temp register to the low level debugging addruart macro") +Signed-off-by: Łukasz Stelmach +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/compressed/head.S | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/arch/arm/boot/compressed/head.S ++++ b/arch/arm/boot/compressed/head.S +@@ -29,19 +29,19 @@ + #if defined(CONFIG_DEBUG_ICEDCC) + + #if defined(CONFIG_CPU_V6) || defined(CONFIG_CPU_V6K) || defined(CONFIG_CPU_V7) +- .macro loadsp, rb, tmp ++ .macro loadsp, rb, tmp1, tmp2 + .endm + .macro writeb, ch, rb + mcr p14, 0, \ch, c0, c5, 0 + .endm + #elif defined(CONFIG_CPU_XSCALE) +- .macro loadsp, rb, tmp ++ .macro loadsp, rb, tmp1, tmp2 + .endm + .macro writeb, ch, rb + mcr p14, 0, \ch, c8, c0, 0 + .endm + #else +- .macro loadsp, rb, tmp ++ .macro loadsp, rb, tmp1, tmp2 + .endm + .macro writeb, ch, rb + mcr p14, 0, \ch, c1, c0, 0 +@@ -57,7 +57,7 @@ + .endm + + #if defined(CONFIG_ARCH_SA1100) +- .macro loadsp, rb, tmp ++ .macro loadsp, rb, tmp1, tmp2 + mov \rb, #0x80000000 @ physical base address + #ifdef CONFIG_DEBUG_LL_SER3 + add \rb, \rb, #0x00050000 @ Ser3 +@@ -66,8 +66,8 @@ + #endif + .endm + #else +- .macro loadsp, rb, tmp +- addruart \rb, \tmp ++ .macro loadsp, rb, tmp1, tmp2 ++ addruart \rb, \tmp1, \tmp2 + .endm + #endif + #endif +@@ -1297,7 +1297,7 @@ phex: adr r3, phexbuf + b 1b + + @ puts corrupts {r0, r1, r2, r3} +-puts: loadsp r3, r1 ++puts: loadsp r3, r2, r1 + 1: ldrb r2, [r0], #1 + teq r2, #0 + moveq pc, lr +@@ -1314,8 +1314,8 @@ puts: loadsp r3, r1 + @ putc corrupts {r0, r1, r2, r3} + putc: + mov r2, r0 ++ loadsp r3, r1, r0 + mov r0, #0 +- loadsp r3, r1 + b 2b + + @ memdump corrupts {r0, r1, r2, r3, r10, r11, r12, lr} diff --git a/queue-4.16/arm-8758-1-decompressor-restore-r1-and-r2-just-before-jumping-to-the-kernel.patch b/queue-4.16/arm-8758-1-decompressor-restore-r1-and-r2-just-before-jumping-to-the-kernel.patch new file mode 100644 index 00000000000..69d304a8fc1 --- /dev/null +++ b/queue-4.16/arm-8758-1-decompressor-restore-r1-and-r2-just-before-jumping-to-the-kernel.patch @@ -0,0 +1,41 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: "Łukasz Stelmach" +Date: Wed, 4 Apr 2018 08:46:58 +0100 +Subject: ARM: 8758/1: decompressor: restore r1 and r2 just before jumping to the kernel + +From: "Łukasz Stelmach" + +[ Upstream commit f2ae9de019e4e2807d812ec4fe1df7c34788a0a0 ] + +The hypervisor setup before __enter_kernel destroys the value +sotred in r1. The value needs to be restored just before the jump. + +Fixes: 6b52f7bdb888 ("ARM: hyp-stub: Use r1 for the soft-restart address") +Signed-off-by: Łukasz Stelmach +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/compressed/head.S | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/boot/compressed/head.S ++++ b/arch/arm/boot/compressed/head.S +@@ -561,8 +561,6 @@ not_relocated: mov r0, #0 + bl decompress_kernel + bl cache_clean_flush + bl cache_off +- mov r1, r7 @ restore architecture number +- mov r2, r8 @ restore atags pointer + + #ifdef CONFIG_ARM_VIRT_EXT + mrs r0, spsr @ Get saved CPU boot mode +@@ -1365,6 +1363,8 @@ __hyp_reentry_vectors: + + __enter_kernel: + mov r0, #0 @ must be 0 ++ mov r1, r7 @ restore architecture number ++ mov r2, r8 @ restore atags pointer + ARM( mov pc, r4 ) @ call kernel + M_CLASS( add r4, r4, #1 ) @ enter in Thumb mode for M class + THUMB( bx r4 ) @ entry point is always ARM for A/R classes diff --git a/queue-4.16/arm-davinci-board-da830-evm-fix-gpio-lookup-for-mmc-sd.patch b/queue-4.16/arm-davinci-board-da830-evm-fix-gpio-lookup-for-mmc-sd.patch new file mode 100644 index 00000000000..0b824303432 --- /dev/null +++ b/queue-4.16/arm-davinci-board-da830-evm-fix-gpio-lookup-for-mmc-sd.patch @@ -0,0 +1,48 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Sekhar Nori +Date: Tue, 24 Apr 2018 20:05:03 +0530 +Subject: ARM: davinci: board-da830-evm: fix GPIO lookup for MMC/SD + +From: Sekhar Nori + +[ Upstream commit 51e9f12163223546bd3aa9f7af6817931f980da8 ] + +The GPIO chip is called davinci_gpio.0 in legacy mode. Fix it, so that +mmc can correctly lookup the wp and cp gpios. Also fix the GPIO numbers +as they are not offsets within a bank. + +Note that it is the gpio-davinci driver that sets the gpiochip label to +davinci_gpio.0. + +Fixes: b5e1438cf98a ("ARM: davinci: da830-evm: use gpio descriptor for mmc pins") +Reported-by: David Lechner +Reviewed-by: David Lechner +Signed-off-by: Sekhar Nori +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-davinci/board-da830-evm.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/arch/arm/mach-davinci/board-da830-evm.c ++++ b/arch/arm/mach-davinci/board-da830-evm.c +@@ -205,12 +205,17 @@ static const short da830_evm_mmc_sd_pins + -1 + }; + ++#define DA830_MMCSD_WP_PIN GPIO_TO_PIN(2, 1) ++#define DA830_MMCSD_CD_PIN GPIO_TO_PIN(2, 2) ++ + static struct gpiod_lookup_table mmc_gpios_table = { + .dev_id = "da830-mmc.0", + .table = { + /* gpio chip 1 contains gpio range 32-63 */ +- GPIO_LOOKUP("davinci_gpio.1", 2, "cd", GPIO_ACTIVE_LOW), +- GPIO_LOOKUP("davinci_gpio.1", 1, "wp", GPIO_ACTIVE_LOW), ++ GPIO_LOOKUP("davinci_gpio.0", DA830_MMCSD_CD_PIN, "cd", ++ GPIO_ACTIVE_LOW), ++ GPIO_LOOKUP("davinci_gpio.0", DA830_MMCSD_WP_PIN, "wp", ++ GPIO_ACTIVE_LOW), + }, + }; + diff --git a/queue-4.16/arm-davinci-board-da850-evm-fix-gpio-lookup-for-mmc-sd.patch b/queue-4.16/arm-davinci-board-da850-evm-fix-gpio-lookup-for-mmc-sd.patch new file mode 100644 index 00000000000..7de2912daa1 --- /dev/null +++ b/queue-4.16/arm-davinci-board-da850-evm-fix-gpio-lookup-for-mmc-sd.patch @@ -0,0 +1,47 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Sekhar Nori +Date: Tue, 24 Apr 2018 20:05:04 +0530 +Subject: ARM: davinci: board-da850-evm: fix GPIO lookup for MMC/SD + +From: Sekhar Nori + +[ Upstream commit 67c6b6ff221f807180aea6dd597246f87e1dd98a ] + +The GPIO chip is called davinci_gpio.0 in legacy mode. Fix it, so that +mmc can correctly lookup the wp and cp gpios. Also fix the GPIO numbers +as they are not offsets within a bank. + +Note that it is the gpio-davinci driver that sets the gpiochip label to +davinci_gpio.0. + +Fixes: bdf0e8364fd3 ("ARM: davinci: da850-evm: use gpio descriptor for mmc pins") +Reviewed-by: David Lechner +Signed-off-by: Sekhar Nori +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-davinci/board-da850-evm.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/arch/arm/mach-davinci/board-da850-evm.c ++++ b/arch/arm/mach-davinci/board-da850-evm.c +@@ -763,12 +763,17 @@ static const short da850_evm_mcasp_pins[ + -1 + }; + ++#define DA850_MMCSD_CD_PIN GPIO_TO_PIN(4, 0) ++#define DA850_MMCSD_WP_PIN GPIO_TO_PIN(4, 1) ++ + static struct gpiod_lookup_table mmc_gpios_table = { + .dev_id = "da830-mmc.0", + .table = { + /* gpio chip 2 contains gpio range 64-95 */ +- GPIO_LOOKUP("davinci_gpio.2", 0, "cd", GPIO_ACTIVE_LOW), +- GPIO_LOOKUP("davinci_gpio.2", 1, "wp", GPIO_ACTIVE_LOW), ++ GPIO_LOOKUP("davinci_gpio.0", DA850_MMCSD_CD_PIN, "cd", ++ GPIO_ACTIVE_LOW), ++ GPIO_LOOKUP("davinci_gpio.0", DA850_MMCSD_WP_PIN, "wp", ++ GPIO_ACTIVE_LOW), + }, + }; + diff --git a/queue-4.16/arm-davinci-board-dm355-evm-fix-broken-networking.patch b/queue-4.16/arm-davinci-board-dm355-evm-fix-broken-networking.patch new file mode 100644 index 00000000000..3e2017d5bfb --- /dev/null +++ b/queue-4.16/arm-davinci-board-dm355-evm-fix-broken-networking.patch @@ -0,0 +1,52 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Sekhar Nori +Date: Wed, 25 Apr 2018 14:53:23 +0530 +Subject: ARM: davinci: board-dm355-evm: fix broken networking + +From: Sekhar Nori + +[ Upstream commit 5c054de228dd6d97bf8e38962bd118953b66e5a0 ] + +Since commit 09f3756bb9a8 ("dm9000: Return an ERR_PTR() in all +error conditions of dm9000_parse_dt()"), passing either non-NULL +platform data or device-tree for dm9000 driver to probe is +mandatory. + +DM335 board was using none, so networking failed to initialize. +Fix it by passing non-NULL (but empty) platform data. + +Fixes: 09f3756bb9a8 ("dm9000: Return an ERR_PTR() in all error conditions of dm9000_parse_dt()") +Signed-off-by: Sekhar Nori +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-davinci/board-dm355-evm.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/arch/arm/mach-davinci/board-dm355-evm.c ++++ b/arch/arm/mach-davinci/board-dm355-evm.c +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -179,11 +180,16 @@ static struct resource dm355evm_dm9000_r + }, + }; + ++static struct dm9000_plat_data dm335evm_dm9000_platdata; ++ + static struct platform_device dm355evm_dm9000 = { + .name = "dm9000", + .id = -1, + .resource = dm355evm_dm9000_rsrc, + .num_resources = ARRAY_SIZE(dm355evm_dm9000_rsrc), ++ .dev = { ++ .platform_data = &dm335evm_dm9000_platdata, ++ }, + }; + + static struct tvp514x_platform_data tvp5146_pdata = { diff --git a/queue-4.16/arm-davinci-board-dm646x-evm-pass-correct-i2c-adapter-id-for-vpif.patch b/queue-4.16/arm-davinci-board-dm646x-evm-pass-correct-i2c-adapter-id-for-vpif.patch new file mode 100644 index 00000000000..9dd0f8d0bb0 --- /dev/null +++ b/queue-4.16/arm-davinci-board-dm646x-evm-pass-correct-i2c-adapter-id-for-vpif.patch @@ -0,0 +1,42 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Sekhar Nori +Date: Fri, 11 May 2018 20:51:35 +0530 +Subject: ARM: davinci: board-dm646x-evm: pass correct I2C adapter id for VPIF + +From: Sekhar Nori + +[ Upstream commit 7d46899d57f8b61eb28701d9a4043b71e3392c26 ] + +commit a16cb91ad9c4 ("[media] media: vpif: use a configurable +i2c_adapter_id for vpif display") removed hardcoded I2C adaptor +setting in VPIF driver, but missed updating platform data passed +from DM646x board. + +Fix it. + +Fixes: a16cb91ad9c4 ("[media] media: vpif: use a configurable i2c_adapter_id for vpif display") +Signed-off-by: Sekhar Nori +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-davinci/board-dm646x-evm.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm/mach-davinci/board-dm646x-evm.c ++++ b/arch/arm/mach-davinci/board-dm646x-evm.c +@@ -534,6 +534,7 @@ static struct vpif_display_config dm646x + .set_clock = set_vpif_clock, + .subdevinfo = dm646x_vpif_subdev, + .subdev_count = ARRAY_SIZE(dm646x_vpif_subdev), ++ .i2c_adapter_id = 1, + .chan_config[0] = { + .outputs = dm6467_ch0_outputs, + .output_count = ARRAY_SIZE(dm6467_ch0_outputs), +@@ -676,6 +677,7 @@ static struct vpif_capture_config dm646x + .setup_input_channel_mode = setup_vpif_input_channel_mode, + .subdev_info = vpif_capture_sdev_info, + .subdev_count = ARRAY_SIZE(vpif_capture_sdev_info), ++ .i2c_adapter_id = 1, + .chan_config[0] = { + .inputs = dm6467_ch0_inputs, + .input_count = ARRAY_SIZE(dm6467_ch0_inputs), diff --git a/queue-4.16/arm-davinci-board-dm646x-evm-set-vpif-capture-card-name.patch b/queue-4.16/arm-davinci-board-dm646x-evm-set-vpif-capture-card-name.patch new file mode 100644 index 00000000000..1a311d1811f --- /dev/null +++ b/queue-4.16/arm-davinci-board-dm646x-evm-set-vpif-capture-card-name.patch @@ -0,0 +1,46 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Sekhar Nori +Date: Fri, 11 May 2018 20:51:36 +0530 +Subject: ARM: davinci: board-dm646x-evm: set VPIF capture card name + +From: Sekhar Nori + +[ Upstream commit bb7298a7e87cf3430eb62be8746e5d7a07ca9d7c ] + +VPIF capture driver expects card name to be set since it +uses it without checking for NULL. The commit which +introduced VPIF display and capture support added card +name only for display, not for capture. + +Set it in platform data to probe driver successfully. + +While at it, also fix the display card name to something more +appropriate. + +Fixes: 85609c1ccda6 ("DaVinci: DM646x - platform changes for vpif capture and display drivers") +Signed-off-by: Sekhar Nori +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-davinci/board-dm646x-evm.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/arm/mach-davinci/board-dm646x-evm.c ++++ b/arch/arm/mach-davinci/board-dm646x-evm.c +@@ -539,7 +539,7 @@ static struct vpif_display_config dm646x + .outputs = dm6467_ch0_outputs, + .output_count = ARRAY_SIZE(dm6467_ch0_outputs), + }, +- .card_name = "DM646x EVM", ++ .card_name = "DM646x EVM Video Display", + }; + + /** +@@ -698,6 +698,7 @@ static struct vpif_capture_config dm646x + .fid_pol = 0, + }, + }, ++ .card_name = "DM646x EVM Video Capture", + }; + + static void __init evm_init_video(void) diff --git a/queue-4.16/arm-davinci-board-omapl138-hawk-fix-gpio-numbers-for-mmc-sd-lookup.patch b/queue-4.16/arm-davinci-board-omapl138-hawk-fix-gpio-numbers-for-mmc-sd-lookup.patch new file mode 100644 index 00000000000..e9bc172fa3b --- /dev/null +++ b/queue-4.16/arm-davinci-board-omapl138-hawk-fix-gpio-numbers-for-mmc-sd-lookup.patch @@ -0,0 +1,47 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Sekhar Nori +Date: Tue, 24 Apr 2018 20:05:06 +0530 +Subject: ARM: davinci: board-omapl138-hawk: fix GPIO numbers for MMC/SD lookup + +From: Sekhar Nori + +[ Upstream commit d45622c0eaa5992a1a2248cbe93e1ff7a2da7be4 ] + +commit c4dc56be7e26 ("ARM: davinci: fix the GPIO lookup for omapl138-hawk") +fixed the GPIO chip name for look-up of MMC/SD CD and WP pins, but forgot +to change the GPIO numbers passed. + +The GPIO numbers are not offsets from within a 32 GPIO bank. Fix the +GPIO numbers as well as remove the misleading comment. + +Fixes: c4dc56be7e26 ("ARM: davinci: fix the GPIO lookup for omapl138-hawk") +Reviewed-by: David Lechner +Signed-off-by: Sekhar Nori +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-davinci/board-omapl138-hawk.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/arch/arm/mach-davinci/board-omapl138-hawk.c ++++ b/arch/arm/mach-davinci/board-omapl138-hawk.c +@@ -123,12 +123,16 @@ static const short hawk_mmcsd0_pins[] = + -1 + }; + ++#define DA850_HAWK_MMCSD_CD_PIN GPIO_TO_PIN(3, 12) ++#define DA850_HAWK_MMCSD_WP_PIN GPIO_TO_PIN(3, 13) ++ + static struct gpiod_lookup_table mmc_gpios_table = { + .dev_id = "da830-mmc.0", + .table = { +- /* CD: gpio3_12: gpio60: chip 1 contains gpio range 32-63*/ +- GPIO_LOOKUP("davinci_gpio.0", 28, "cd", GPIO_ACTIVE_LOW), +- GPIO_LOOKUP("davinci_gpio.0", 29, "wp", GPIO_ACTIVE_LOW), ++ GPIO_LOOKUP("davinci_gpio.0", DA850_HAWK_MMCSD_CD_PIN, "cd", ++ GPIO_ACTIVE_LOW), ++ GPIO_LOOKUP("davinci_gpio.0", DA850_HAWK_MMCSD_WP_PIN, "wp", ++ GPIO_ACTIVE_LOW), + }, + }; + diff --git a/queue-4.16/arm-davinci-dm646x-fix-timer-interrupt-generation.patch b/queue-4.16/arm-davinci-dm646x-fix-timer-interrupt-generation.patch new file mode 100644 index 00000000000..b03910eabf1 --- /dev/null +++ b/queue-4.16/arm-davinci-dm646x-fix-timer-interrupt-generation.patch @@ -0,0 +1,40 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Sekhar Nori +Date: Fri, 11 May 2018 20:51:34 +0530 +Subject: ARM: davinci: dm646x: fix timer interrupt generation + +From: Sekhar Nori + +[ Upstream commit 73d4337ed9ceddef4b2f0e226634d5f985aa2d1c ] + +commit b38434145b34 ("ARM: davinci: irqs: Correct McASP1 TX interrupt +definition for DM646x") inadvertently removed priority setting for +timer0_12 (bottom half of timer0). This timer is used as clockevent. + +When INTPRIn register setting for an interrupt is left at 0, it is +mapped to FIQ by the AINTC causing the timer interrupt to not get +generated. + +Fix it by including an entry for timer0_12 in interrupt priority map +array. While at it, move the clockevent comment to the right place. + +Fixes: b38434145b34 ("ARM: davinci: irqs: Correct McASP1 TX interrupt definition for DM646x") +Signed-off-by: Sekhar Nori +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-davinci/dm646x.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/arm/mach-davinci/dm646x.c ++++ b/arch/arm/mach-davinci/dm646x.c +@@ -495,7 +495,8 @@ static u8 dm646x_default_priorities[DAVI + [IRQ_DM646X_MCASP0TXINT] = 7, + [IRQ_DM646X_MCASP0RXINT] = 7, + [IRQ_DM646X_RESERVED_3] = 7, +- [IRQ_DM646X_MCASP1TXINT] = 7, /* clockevent */ ++ [IRQ_DM646X_MCASP1TXINT] = 7, ++ [IRQ_TINT0_TINT12] = 7, /* clockevent */ + [IRQ_TINT0_TINT34] = 7, /* clocksource */ + [IRQ_TINT1_TINT12] = 7, /* DSP timer */ + [IRQ_TINT1_TINT34] = 7, /* system tick */ diff --git a/queue-4.16/arm-davinci-fix-gpio-lookup-for-i2c.patch b/queue-4.16/arm-davinci-fix-gpio-lookup-for-i2c.patch new file mode 100644 index 00000000000..4ecd6a11b3d --- /dev/null +++ b/queue-4.16/arm-davinci-fix-gpio-lookup-for-i2c.patch @@ -0,0 +1,80 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Sekhar Nori +Date: Wed, 18 Apr 2018 15:02:46 +0530 +Subject: ARM: davinci: fix GPIO lookup for I2C + +From: Sekhar Nori + +[ Upstream commit 9411ac07cd764be34bbd7ff09125a6b7b9175d4c ] + +The GPIO chip is called davinci_gpio.0 in legacy mode. Fix it, so that +I2C can correctly lookup the recovery gpios. + +Note that it is the gpio-davinci driver that sets the gpiochip label to +davinci_gpio.0. + +Also, the I2C device uses an id of 1 on DM644x and DM355. + +While at it, convert to using GPIO_TO_PIN() for referring to GPIO pin +numbers, like it is done in rest of the board support files. + +Fixes: e53537653791 ("i2c/ARM: davinci: Deep refactoring of I2C recovery") +Reviewed-by: David Lechner +Signed-off-by: Sekhar Nori +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-davinci/board-dm355-evm.c | 9 ++++++--- + arch/arm/mach-davinci/board-dm644x-evm.c | 10 +++++++--- + 2 files changed, 13 insertions(+), 6 deletions(-) + +--- a/arch/arm/mach-davinci/board-dm355-evm.c ++++ b/arch/arm/mach-davinci/board-dm355-evm.c +@@ -110,12 +110,15 @@ static struct platform_device davinci_na + }, + }; + ++#define DM355_I2C_SDA_PIN GPIO_TO_PIN(0, 15) ++#define DM355_I2C_SCL_PIN GPIO_TO_PIN(0, 14) ++ + static struct gpiod_lookup_table i2c_recovery_gpiod_table = { +- .dev_id = "i2c_davinci", ++ .dev_id = "i2c_davinci.1", + .table = { +- GPIO_LOOKUP("davinci_gpio", 15, "sda", ++ GPIO_LOOKUP("davinci_gpio.0", DM355_I2C_SDA_PIN, "sda", + GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN), +- GPIO_LOOKUP("davinci_gpio", 14, "scl", ++ GPIO_LOOKUP("davinci_gpio.0", DM355_I2C_SCL_PIN, "scl", + GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN), + }, + }; +--- a/arch/arm/mach-davinci/board-dm644x-evm.c ++++ b/arch/arm/mach-davinci/board-dm644x-evm.c +@@ -17,6 +17,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -596,12 +597,15 @@ static struct i2c_board_info __initdata + }, + }; + ++#define DM644X_I2C_SDA_PIN GPIO_TO_PIN(2, 12) ++#define DM644X_I2C_SCL_PIN GPIO_TO_PIN(2, 11) ++ + static struct gpiod_lookup_table i2c_recovery_gpiod_table = { +- .dev_id = "i2c_davinci", ++ .dev_id = "i2c_davinci.1", + .table = { +- GPIO_LOOKUP("davinci_gpio", 44, "sda", ++ GPIO_LOOKUP("davinci_gpio.0", DM644X_I2C_SDA_PIN, "sda", + GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN), +- GPIO_LOOKUP("davinci_gpio", 43, "scl", ++ GPIO_LOOKUP("davinci_gpio.0", DM644X_I2C_SCL_PIN, "scl", + GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN), + }, + }; diff --git a/queue-4.16/arm-dts-correct-missing-compatible-entry-for-ti81xx-socs.patch b/queue-4.16/arm-dts-correct-missing-compatible-entry-for-ti81xx-socs.patch new file mode 100644 index 00000000000..f1be9b4d3fc --- /dev/null +++ b/queue-4.16/arm-dts-correct-missing-compatible-entry-for-ti81xx-socs.patch @@ -0,0 +1,82 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Graeme Smecher +Date: Wed, 2 May 2018 17:32:36 -0700 +Subject: ARM: dts: correct missing "compatible" entry for ti81xx SoCs + +From: Graeme Smecher + +[ Upstream commit 647efef69de483f1dd7944ede31b4cae16acb124 ] + +The missing "compatible" entries are needed by drivers/clk/ti/clkctrl.c, +and without them the structures initialized in drivers/clk/ti/clk-814x.c +are not passed to configuration code. The result is a "not found from +clkctrl data" error message, although boot proceeds anyway. + +The reason why the compatible is not found is because the board specific +files override the SoC compatible without including it. This did not +cause any issues until with the clkctrl nodes got introduced. + +Very lightly tested on a (lurching) AM3874 design that's in the middle +of a kernel upgrade from TI's abandoned 2.6.37 tree. + +Also tested on j5eco-evm and hp-t410 to verify the clkctrl clocks are +found. + +Fixes: bb30465b5902 ("ARM: dts: dm814x: add clkctrl nodes") +Fixes: 80a06c0d8357 ("ARM: dts: dm816x: add clkctrl nodes") +Signed-off-by: Graeme Smecher +[tony: updated to fix for 8168-evm, updated comments] +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/dm8148-evm.dts | 2 +- + arch/arm/boot/dts/dm8148-t410.dts | 2 +- + arch/arm/boot/dts/dm8168-evm.dts | 2 +- + arch/arm/boot/dts/dra62x-j5eco-evm.dts | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/arm/boot/dts/dm8148-evm.dts ++++ b/arch/arm/boot/dts/dm8148-evm.dts +@@ -10,7 +10,7 @@ + + / { + model = "DM8148 EVM"; +- compatible = "ti,dm8148-evm", "ti,dm8148"; ++ compatible = "ti,dm8148-evm", "ti,dm8148", "ti,dm814"; + + memory@80000000 { + device_type = "memory"; +--- a/arch/arm/boot/dts/dm8148-t410.dts ++++ b/arch/arm/boot/dts/dm8148-t410.dts +@@ -9,7 +9,7 @@ + + / { + model = "HP t410 Smart Zero Client"; +- compatible = "hp,t410", "ti,dm8148"; ++ compatible = "hp,t410", "ti,dm8148", "ti,dm814"; + + memory@80000000 { + device_type = "memory"; +--- a/arch/arm/boot/dts/dm8168-evm.dts ++++ b/arch/arm/boot/dts/dm8168-evm.dts +@@ -10,7 +10,7 @@ + + / { + model = "DM8168 EVM"; +- compatible = "ti,dm8168-evm", "ti,dm8168"; ++ compatible = "ti,dm8168-evm", "ti,dm8168", "ti,dm816"; + + memory@80000000 { + device_type = "memory"; +--- a/arch/arm/boot/dts/dra62x-j5eco-evm.dts ++++ b/arch/arm/boot/dts/dra62x-j5eco-evm.dts +@@ -10,7 +10,7 @@ + + / { + model = "DRA62x J5 Eco EVM"; +- compatible = "ti,dra62x-j5eco-evm", "ti,dra62x", "ti,dm8148"; ++ compatible = "ti,dra62x-j5eco-evm", "ti,dra62x", "ti,dm8148", "ti,dm814"; + + memory@80000000 { + device_type = "memory"; diff --git a/queue-4.16/arm-dts-cygnus-fix-irq-type-for-arm-global-timer.patch b/queue-4.16/arm-dts-cygnus-fix-irq-type-for-arm-global-timer.patch new file mode 100644 index 00000000000..7feac78a0c5 --- /dev/null +++ b/queue-4.16/arm-dts-cygnus-fix-irq-type-for-arm-global-timer.patch @@ -0,0 +1,34 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: "Clément Péron" +Date: Thu, 3 May 2018 17:32:07 +0200 +Subject: ARM: dts: cygnus: fix irq type for arm global timer + +From: "Clément Péron" + +[ Upstream commit 675c7215aacf54242b2e8bc64bab698abbe764db ] + +As per ARM documentation +PPI(0) ID27 - global timer interrupt is rising-edge sensitive. + +set IRQ triggering type to IRQ_TYPE_EDGE_RISING for ARM Global timers. + +Fixes: c9ad7bc5fe3 ("ARM: dts: Enable Broadcom Cygnus SoC") +Signed-off-by: Clément Péron +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/bcm-cygnus.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/bcm-cygnus.dtsi ++++ b/arch/arm/boot/dts/bcm-cygnus.dtsi +@@ -69,7 +69,7 @@ + timer@20200 { + compatible = "arm,cortex-a9-global-timer"; + reg = <0x20200 0x100>; +- interrupts = ; ++ interrupts = ; + clocks = <&periph_clk>; + }; + diff --git a/queue-4.16/arm-dts-da850-fix-w-1-warnings-with-pinmux-node.patch b/queue-4.16/arm-dts-da850-fix-w-1-warnings-with-pinmux-node.patch new file mode 100644 index 00000000000..3773c5500fa --- /dev/null +++ b/queue-4.16/arm-dts-da850-fix-w-1-warnings-with-pinmux-node.patch @@ -0,0 +1,39 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Sekhar Nori +Date: Tue, 17 Apr 2018 18:06:00 +0530 +Subject: ARM: dts: da850: fix W=1 warnings with pinmux node + +From: Sekhar Nori + +[ Upstream commit 94a82284ad4711b7f9fd78981fdc7a1cb645030b ] + +Remove unused #address-cells and #size-cells from pinmux +node. This fixes W=1 warnings of the type: + +arch/arm/boot/dts/da850-lcdk.dtb: Warning (avoid_unnecessary_addr_size): /soc@1c00000/pinmux@14120: unnecessary #address-cells/#size-cells without "ranges" or child "reg" property + +Tested on DA850 LCDK by checking output of: + +/sys/kernel/debug/pinctrl/1c14120.pinmux-pinctrl-single/pins + +before and after the change. + +Reviewed-by: David Lechner +Signed-off-by: Sekhar Nori +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/da850.dtsi | 2 -- + 1 file changed, 2 deletions(-) + +--- a/arch/arm/boot/dts/da850.dtsi ++++ b/arch/arm/boot/dts/da850.dtsi +@@ -46,8 +46,6 @@ + pmx_core: pinmux@14120 { + compatible = "pinctrl-single"; + reg = <0x14120 0x50>; +- #address-cells = <1>; +- #size-cells = <0>; + #pinctrl-cells = <2>; + pinctrl-single,bit-per-mux; + pinctrl-single,register-width = <32>; diff --git a/queue-4.16/arm-dts-fix-cm2-and-prm-sizes-for-omap4.patch b/queue-4.16/arm-dts-fix-cm2-and-prm-sizes-for-omap4.patch new file mode 100644 index 00000000000..0fab13d8023 --- /dev/null +++ b/queue-4.16/arm-dts-fix-cm2-and-prm-sizes-for-omap4.patch @@ -0,0 +1,52 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Tony Lindgren +Date: Mon, 16 Apr 2018 10:01:04 -0700 +Subject: ARM: dts: Fix cm2 and prm sizes for omap4 + +From: Tony Lindgren + +[ Upstream commit bc8a3ef1940c9a6dfa316b31e063fdd4fbab0add ] + +The size of these modules is 0x2000, not 0x3000. The extra 0x1000 +after 0x2000 is for the interconnect target agent which is a separate +device. + +Fixes: 7415b0b4c645 ("ARM: dts: omap4: add minimal l4 bus layout with +control module support") +Cc: Tero Kristo +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/omap4.dtsi | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/arm/boot/dts/omap4.dtsi ++++ b/arch/arm/boot/dts/omap4.dtsi +@@ -163,10 +163,10 @@ + + cm2: cm2@8000 { + compatible = "ti,omap4-cm2", "simple-bus"; +- reg = <0x8000 0x3000>; ++ reg = <0x8000 0x2000>; + #address-cells = <1>; + #size-cells = <1>; +- ranges = <0 0x8000 0x3000>; ++ ranges = <0 0x8000 0x2000>; + + cm2_clocks: clocks { + #address-cells = <1>; +@@ -250,11 +250,11 @@ + + prm: prm@6000 { + compatible = "ti,omap4-prm"; +- reg = <0x6000 0x3000>; ++ reg = <0x6000 0x2000>; + interrupts = ; + #address-cells = <1>; + #size-cells = <1>; +- ranges = <0 0x6000 0x3000>; ++ ranges = <0 0x6000 0x2000>; + + prm_clocks: clocks { + #address-cells = <1>; diff --git a/queue-4.16/arm-dts-imx51-zii-rdu1-fix-touchscreen-bindings.patch b/queue-4.16/arm-dts-imx51-zii-rdu1-fix-touchscreen-bindings.patch new file mode 100644 index 00000000000..fef217743ca --- /dev/null +++ b/queue-4.16/arm-dts-imx51-zii-rdu1-fix-touchscreen-bindings.patch @@ -0,0 +1,44 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Nikita Yushchenko +Date: Mon, 7 May 2018 16:53:09 +0300 +Subject: ARM: dts: imx51-zii-rdu1: fix touchscreen bindings + +From: Nikita Yushchenko + +[ Upstream commit 6d3299aef7df7225ecff653feedafb5d1646998b ] + +This fixes errors in RDU1 device tree that cause touch screens not +working. + +Fixes: ceef0396f367 ("ARM: dts: imx: add ZII RDU1 board") +Signed-off-by: Nikita Yushchenko +Reviewed-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/imx51-zii-rdu1.dts | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/arm/boot/dts/imx51-zii-rdu1.dts ++++ b/arch/arm/boot/dts/imx51-zii-rdu1.dts +@@ -518,7 +518,7 @@ + }; + + touchscreen@20 { +- compatible = "syna,rmi4_i2c"; ++ compatible = "syna,rmi4-i2c"; + reg = <0x20>; + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_ts>; +@@ -536,8 +536,8 @@ + + rmi4-f11@11 { + reg = <0x11>; +- touch-inverted-y; +- touch-swapped-x-y; ++ touchscreen-inverted-y; ++ touchscreen-swapped-x-y; + syna,sensor-type = <1>; + }; + }; diff --git a/queue-4.16/arm-dts-logicpd-som-lv-fix-audio-mute.patch b/queue-4.16/arm-dts-logicpd-som-lv-fix-audio-mute.patch new file mode 100644 index 00000000000..31b26025b2f --- /dev/null +++ b/queue-4.16/arm-dts-logicpd-som-lv-fix-audio-mute.patch @@ -0,0 +1,43 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Adam Ford +Date: Tue, 1 May 2018 08:58:53 -0500 +Subject: ARM: dts: logicpd-som-lv: Fix Audio Mute + +From: Adam Ford + +[ Upstream commit 95e59fc3c3fa3187a07a75f40b21637deb4bd12d ] + +The Audio has worked, but the mute pin has a weak pulldown which alows +some of the audio signal to pass very quietly. This patch fixes +that so the mute pin is actively driven high for mute or low for normal +operation. + +Fixes: ab8dd3aed011 ("ARM: DTS: Add minimal Support for Logic +PD DM3730 SOM-LV") + +Signed-off-by: Adam Ford +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/logicpd-som-lv.dtsi | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm/boot/dts/logicpd-som-lv.dtsi ++++ b/arch/arm/boot/dts/logicpd-som-lv.dtsi +@@ -82,6 +82,7 @@ + twl_audio: audio { + compatible = "ti,twl4030-audio"; + codec { ++ ti,hs_extmute_gpio = <&gpio2 25 GPIO_ACTIVE_HIGH>; + }; + }; + }; +@@ -195,6 +196,7 @@ + pinctrl-single,pins = < + OMAP3_CORE1_IOPAD(0x21ba, PIN_INPUT | MUX_MODE0) /* i2c1_scl.i2c1_scl */ + OMAP3_CORE1_IOPAD(0x21bc, PIN_INPUT | MUX_MODE0) /* i2c1_sda.i2c1_sda */ ++ OMAP3_CORE1_IOPAD(0x20ba, PIN_OUTPUT | MUX_MODE4) /* gpmc_ncs6.gpio_57 */ + >; + }; + }; diff --git a/queue-4.16/arm-dts-logicpd-som-lv-fix-wl127x-startup-issues.patch b/queue-4.16/arm-dts-logicpd-som-lv-fix-wl127x-startup-issues.patch new file mode 100644 index 00000000000..e0ec2d714ee --- /dev/null +++ b/queue-4.16/arm-dts-logicpd-som-lv-fix-wl127x-startup-issues.patch @@ -0,0 +1,59 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Adam Ford +Date: Mon, 30 Apr 2018 18:24:34 -0500 +Subject: ARM: dts: logicpd-som-lv: Fix WL127x Startup Issues + +From: Adam Ford + +[ Upstream commit 189822cbcbf3ea37c26a15612d8f922c440bc0e0 ] + +The VAUX3 rail from the PMIC powers a clock driver which clocks +the WL127x. This corrects a bug which did not correctly associate +the vin-supply with the proper power rail. + +This also fixes a typo in the pinmuxing to properly configure the +interrupt pin. + +Fixes: ab8dd3aed011 ("ARM: DTS: Add minimal Support for Logic PD +DM3730 SOM-LV") + +Signed-off-by: Adam Ford +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/logicpd-som-lv.dtsi | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/arch/arm/boot/dts/logicpd-som-lv.dtsi ++++ b/arch/arm/boot/dts/logicpd-som-lv.dtsi +@@ -26,7 +26,7 @@ + gpio = <&gpio1 3 0>; /* gpio_3 */ + startup-delay-us = <70000>; + enable-active-high; +- vin-supply = <&vmmc2>; ++ vin-supply = <&vaux3>; + }; + + /* HS USB Host PHY on PORT 1 */ +@@ -209,7 +209,7 @@ + }; + wl127x_gpio: pinmux_wl127x_gpio_pin { + pinctrl-single,pins = < +- OMAP3_WKUP_IOPAD(0x2a0c, PIN_INPUT | MUX_MODE4) /* sys_boot0.gpio_2 */ ++ OMAP3_WKUP_IOPAD(0x2a0a, PIN_INPUT | MUX_MODE4) /* sys_boot0.gpio_2 */ + OMAP3_WKUP_IOPAD(0x2a0c, PIN_OUTPUT | MUX_MODE4) /* sys_boot1.gpio_3 */ + >; + }; +@@ -244,6 +244,11 @@ + #include "twl4030.dtsi" + #include "twl4030_omap3.dtsi" + ++&vaux3 { ++ regulator-min-microvolt = <2800000>; ++ regulator-max-microvolt = <2800000>; ++}; ++ + &twl { + twl_power: power { + compatible = "ti,twl4030-power-idle-osc-off", "ti,twl4030-power-idle"; diff --git a/queue-4.16/arm-fix-kill-sigfpe-breakage.patch b/queue-4.16/arm-fix-kill-sigfpe-breakage.patch new file mode 100644 index 00000000000..e36892a64e1 --- /dev/null +++ b/queue-4.16/arm-fix-kill-sigfpe-breakage.patch @@ -0,0 +1,54 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Russell King +Date: Fri, 13 Apr 2018 00:22:47 +0100 +Subject: ARM: fix kill( ,SIGFPE) breakage + +From: Russell King + +[ Upstream commit 92d44a42af81e850a038c38278ff4f434b2871df ] + +Commit 7771c6645700 ("signal/arm: Document conflicts with SI_USER and +SIGFPE") broke the siginfo structure for userspace triggered signals, +causing the strace testsuite to regress. Fix this by eliminating +the FPE_FIXME definition (which is at the root of the breakage) and +use FPE_FLTINV instead for the case where the hardware appears to be +reporting nonsense. + +Fixes: 7771c6645700 ("signal/arm: Document conflicts with SI_USER and SIGFPE") +Suggested-by: Linus Torvalds +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/include/uapi/asm/siginfo.h | 13 ------------- + arch/arm/vfp/vfpmodule.c | 2 +- + 2 files changed, 1 insertion(+), 14 deletions(-) + delete mode 100644 arch/arm/include/uapi/asm/siginfo.h + +--- a/arch/arm/include/uapi/asm/siginfo.h ++++ /dev/null +@@ -1,13 +0,0 @@ +-#ifndef __ASM_SIGINFO_H +-#define __ASM_SIGINFO_H +- +-#include +- +-/* +- * SIGFPE si_codes +- */ +-#ifdef __KERNEL__ +-#define FPE_FIXME 0 /* Broken dup of SI_USER */ +-#endif /* __KERNEL__ */ +- +-#endif +--- a/arch/arm/vfp/vfpmodule.c ++++ b/arch/arm/vfp/vfpmodule.c +@@ -257,7 +257,7 @@ static void vfp_raise_exceptions(u32 exc + + if (exceptions == VFP_EXCEPTION_ERROR) { + vfp_panic("unhandled bounce", inst); +- vfp_raise_sigfpe(FPE_FIXME, regs); ++ vfp_raise_sigfpe(FPE_FLTINV, regs); + return; + } + diff --git a/queue-4.16/arm-kexec-fix-kdump-register-saving-on-panic.patch b/queue-4.16/arm-kexec-fix-kdump-register-saving-on-panic.patch new file mode 100644 index 00000000000..92a0a25621a --- /dev/null +++ b/queue-4.16/arm-kexec-fix-kdump-register-saving-on-panic.patch @@ -0,0 +1,77 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Russell King +Date: Wed, 11 Apr 2018 18:24:01 +0100 +Subject: ARM: kexec: fix kdump register saving on panic() + +From: Russell King + +[ Upstream commit 2d7b3c64431245c95b05a441669c074da10db943 ] + +When a panic() occurs, the kexec code uses smp_send_stop() to stop +the other CPUs, but this results in the CPU register state not being +saved, and gdb is unable to inspect the state of other CPUs. + +Commit 0ee59413c967 ("x86/panic: replace smp_send_stop() with kdump +friendly version in panic path") addressed the issue on x86, but +ignored other architectures. Address the issue on ARM by splitting +out the crash stop implementation to crash_smp_send_stop() and +adding the necessary protection. + +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/kernel/machine_kexec.c | 34 ++++++++++++++++++++++------------ + 1 file changed, 22 insertions(+), 12 deletions(-) + +--- a/arch/arm/kernel/machine_kexec.c ++++ b/arch/arm/kernel/machine_kexec.c +@@ -95,6 +95,27 @@ void machine_crash_nonpanic_core(void *u + cpu_relax(); + } + ++void crash_smp_send_stop(void) ++{ ++ static int cpus_stopped; ++ unsigned long msecs; ++ ++ if (cpus_stopped) ++ return; ++ ++ atomic_set(&waiting_for_crash_ipi, num_online_cpus() - 1); ++ smp_call_function(machine_crash_nonpanic_core, NULL, false); ++ msecs = 1000; /* Wait at most a second for the other cpus to stop */ ++ while ((atomic_read(&waiting_for_crash_ipi) > 0) && msecs) { ++ mdelay(1); ++ msecs--; ++ } ++ if (atomic_read(&waiting_for_crash_ipi) > 0) ++ pr_warn("Non-crashing CPUs did not react to IPI\n"); ++ ++ cpus_stopped = 1; ++} ++ + static void machine_kexec_mask_interrupts(void) + { + unsigned int i; +@@ -120,19 +141,8 @@ static void machine_kexec_mask_interrupt + + void machine_crash_shutdown(struct pt_regs *regs) + { +- unsigned long msecs; +- + local_irq_disable(); +- +- atomic_set(&waiting_for_crash_ipi, num_online_cpus() - 1); +- smp_call_function(machine_crash_nonpanic_core, NULL, false); +- msecs = 1000; /* Wait at most a second for the other cpus to stop */ +- while ((atomic_read(&waiting_for_crash_ipi) > 0) && msecs) { +- mdelay(1); +- msecs--; +- } +- if (atomic_read(&waiting_for_crash_ipi) > 0) +- pr_warn("Non-crashing CPUs did not react to IPI\n"); ++ crash_smp_send_stop(); + + crash_save_cpu(regs, smp_processor_id()); + machine_kexec_mask_interrupts(); diff --git a/queue-4.16/arm-keystone-fix-platform_domain_notifier-array-overrun.patch b/queue-4.16/arm-keystone-fix-platform_domain_notifier-array-overrun.patch new file mode 100644 index 00000000000..05a37d6122e --- /dev/null +++ b/queue-4.16/arm-keystone-fix-platform_domain_notifier-array-overrun.patch @@ -0,0 +1,84 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Russell King +Date: Thu, 10 May 2018 14:24:20 +0100 +Subject: ARM: keystone: fix platform_domain_notifier array overrun + +From: Russell King + +[ Upstream commit 9954b80b8c0e8abc98e17bba0fccd9876211ceaa ] + +platform_domain_notifier contains a variable sized array, which the +pm_clk_notify() notifier treats as a NULL terminated array: + + for (con_id = clknb->con_ids; *con_id; con_id++) + pm_clk_add(dev, *con_id); + +Omitting the initialiser for con_ids means that the array is zero +sized, and there is no NULL terminator. This leads to pm_clk_notify() +overrunning into what ever structure follows, which may not be NULL. +This leads to an oops: + +Unable to handle kernel NULL pointer dereference at virtual address 0000008c +pgd = c0003000 +[0000008c] *pgd=80000800004003c, *pmd=00000000c +Internal error: Oops: 206 [#1] PREEMPT SMP ARM +Modules linked in:c +CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.16.0+ #9 +Hardware name: Keystone +PC is at strlen+0x0/0x34 +LR is at kstrdup+0x18/0x54 +pc : [] lr : [] psr: 20000013 +sp : eec73dc0 ip : eed780c0 fp : 00000001 +r10: 00000000 r9 : 00000000 r8 : eed71e10 +r7 : 0000008c r6 : 0000008c r5 : 014000c0 r4 : c03a6ff4 +r3 : c09445d0 r2 : 00000000 r1 : 014000c0 r0 : 0000008c +Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user +Control: 30c5387d Table: 00003000 DAC: fffffffd +Process swapper/0 (pid: 1, stack limit = 0xeec72210) +Stack: (0xeec73dc0 to 0xeec74000) +... +[] (strlen) from [] (kstrdup+0x18/0x54) +[] (kstrdup) from [] (__pm_clk_add+0x58/0x120) +[] (__pm_clk_add) from [] (pm_clk_notify+0x64/0xa8) +[] (pm_clk_notify) from [] (notifier_call_chain+0x44/0x84) +[] (notifier_call_chain) from [] (__blocking_notifier_call_chain+0x48/0x60) +[] (__blocking_notifier_call_chain) from [] (blocking_notifier_call_chain+0x18/0x20) +[] (blocking_notifier_call_chain) from [] (device_add+0x36c/0x534) +[] (device_add) from [] (of_platform_device_create_pdata+0x70/0xa4) +[] (of_platform_device_create_pdata) from [] (of_platform_bus_create+0xf0/0x1ec) +[] (of_platform_bus_create) from [] (of_platform_populate+0x5c/0xac) +[] (of_platform_populate) from [] (of_platform_default_populate_init+0x8c/0xa8) +[] (of_platform_default_populate_init) from [] (do_one_initcall+0x3c/0x164) +[] (do_one_initcall) from [] (kernel_init_freeable+0x10c/0x1d0) +[] (kernel_init_freeable) from [] (kernel_init+0x8/0xf0) +[] (kernel_init) from [] (ret_from_fork+0x14/0x3c) +Exception stack(0xeec73fb0 to 0xeec73ff8) +3fa0: 00000000 00000000 00000000 00000000 +3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +3fe0: 00000000 00000000 00000000 00000000 00000013 00000000 +Code: e3520000 1afffff7 e12fff1e c0801730 (e5d02000) +---[ end trace cafa8f148e262e80 ]--- + +Fix this by adding the necessary initialiser. + +Fixes: fc20ffe1213b ("ARM: keystone: add PM domain support for clock management") +Signed-off-by: Russell King +Acked-by: Santosh Shilimkar +Signed-off-by: Olof Johansson + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-keystone/pm_domain.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm/mach-keystone/pm_domain.c ++++ b/arch/arm/mach-keystone/pm_domain.c +@@ -29,6 +29,7 @@ static struct dev_pm_domain keystone_pm_ + + static struct pm_clk_notifier_block platform_domain_notifier = { + .pm_domain = &keystone_pm_domain, ++ .con_ids = { NULL }, + }; + + static const struct of_device_id of_keystone_table[] = { diff --git a/queue-4.16/arm-omap1-ams-delta-fix-deferred_fiq-handler.patch b/queue-4.16/arm-omap1-ams-delta-fix-deferred_fiq-handler.patch new file mode 100644 index 00000000000..f0460144619 --- /dev/null +++ b/queue-4.16/arm-omap1-ams-delta-fix-deferred_fiq-handler.patch @@ -0,0 +1,67 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Janusz Krzysztofik +Date: Wed, 2 May 2018 20:32:03 +0200 +Subject: ARM: OMAP1: ams-delta: fix deferred_fiq handler + +From: Janusz Krzysztofik + +[ Upstream commit baf64250b4a513bf4ac226fd938692dc1836f4f6 ] + +The deferred_fiq handler used to limit hardware operations to IRQ +unmask only, relying on gpio-omap assigned handler performing the ACKs. +Since commit 80ac93c27441 ("gpio: omap: Fix lost edge interrupts") this +is no longer the case as handle_edge_irq() has been replaced with +handle_simmple_irq() which doesn't touch the hardware. + +Add single ACK operation per each active IRQ pin to the handler. While +being at it, move unmask operation out of irq_counter loop so it is +also called only once for each active IRQ pin. + +Fixes: 80ac93c27441 ("gpio: omap: Fix lost edge interrupts") +Signed-off-by: Janusz Krzysztofik +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-omap1/ams-delta-fiq.c | 26 ++++++++++++++------------ + 1 file changed, 14 insertions(+), 12 deletions(-) + +--- a/arch/arm/mach-omap1/ams-delta-fiq.c ++++ b/arch/arm/mach-omap1/ams-delta-fiq.c +@@ -58,22 +58,24 @@ static irqreturn_t deferred_fiq(int irq, + irq_num = gpio_to_irq(gpio); + fiq_count = fiq_buffer[FIQ_CNT_INT_00 + gpio]; + +- while (irq_counter[gpio] < fiq_count) { +- if (gpio != AMS_DELTA_GPIO_PIN_KEYBRD_CLK) { +- struct irq_data *d = irq_get_irq_data(irq_num); ++ if (irq_counter[gpio] < fiq_count && ++ gpio != AMS_DELTA_GPIO_PIN_KEYBRD_CLK) { ++ struct irq_data *d = irq_get_irq_data(irq_num); + +- /* +- * It looks like handle_edge_irq() that +- * OMAP GPIO edge interrupts default to, +- * expects interrupt already unmasked. +- */ +- if (irq_chip && irq_chip->irq_unmask) ++ /* ++ * handle_simple_irq() that OMAP GPIO edge ++ * interrupts default to since commit 80ac93c27441 ++ * requires interrupt already acked and unmasked. ++ */ ++ if (irq_chip) { ++ if (irq_chip->irq_ack) ++ irq_chip->irq_ack(d); ++ if (irq_chip->irq_unmask) + irq_chip->irq_unmask(d); + } +- generic_handle_irq(irq_num); +- +- irq_counter[gpio]++; + } ++ for (; irq_counter[gpio] < fiq_count; irq_counter[gpio]++) ++ generic_handle_irq(irq_num); + } + return IRQ_HANDLED; + } diff --git a/queue-4.16/arm-omap2-powerdomain-use-raw_smp_processor_id-for-trace.patch b/queue-4.16/arm-omap2-powerdomain-use-raw_smp_processor_id-for-trace.patch new file mode 100644 index 00000000000..886342b9268 --- /dev/null +++ b/queue-4.16/arm-omap2-powerdomain-use-raw_smp_processor_id-for-trace.patch @@ -0,0 +1,49 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Tero Kristo +Date: Fri, 9 Mar 2018 11:50:20 +0200 +Subject: ARM: OMAP2+: powerdomain: use raw_smp_processor_id() for trace + +From: Tero Kristo + +[ Upstream commit 33e9572483031a79ad0a4468064675144d9269ec ] + +smp_processor_id() checks preemption if CONFIG_DEBUG_PREEMPT is enabled, +causing a warning dump during boot: + +[ 5.042377] BUG: using smp_processor_id() in preemptible [00000000] code: swapper/0/1 +[ 5.050281] caller is pwrdm_set_next_pwrst+0x48/0x88 +[ 5.055330] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.14.24-g57341df0b4 #1 + +Use the raw_smp_processor_id() for the trace instead, this value does +not need to be perfectly correct. The alternative of disabling preempt +is too heavy weight operation to be applied in PM hot path for just +tracing purposes. + +Signed-off-by: Tero Kristo +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-omap2/powerdomain.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/mach-omap2/powerdomain.c ++++ b/arch/arm/mach-omap2/powerdomain.c +@@ -188,7 +188,7 @@ static int _pwrdm_state_switch(struct po + ((prev & OMAP_POWERSTATE_MASK) << 0)); + trace_power_domain_target_rcuidle(pwrdm->name, + trace_state, +- smp_processor_id()); ++ raw_smp_processor_id()); + } + break; + default: +@@ -518,7 +518,7 @@ int pwrdm_set_next_pwrst(struct powerdom + if (arch_pwrdm && arch_pwrdm->pwrdm_set_next_pwrst) { + /* Trace the pwrdm desired target state */ + trace_power_domain_target_rcuidle(pwrdm->name, pwrst, +- smp_processor_id()); ++ raw_smp_processor_id()); + /* Program the pwrdm desired target state */ + ret = arch_pwrdm->pwrdm_set_next_pwrst(pwrdm, pwrst); + } diff --git a/queue-4.16/arm-replace-unnecessary-perl-with-sed-and-the-shell-operator.patch b/queue-4.16/arm-replace-unnecessary-perl-with-sed-and-the-shell-operator.patch new file mode 100644 index 00000000000..698799506d7 --- /dev/null +++ b/queue-4.16/arm-replace-unnecessary-perl-with-sed-and-the-shell-operator.patch @@ -0,0 +1,46 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Russell King +Date: Mon, 16 Apr 2018 13:21:54 +0100 +Subject: ARM: replace unnecessary perl with sed and the shell $(( )) operator + +From: Russell King + +[ Upstream commit 6cea14f55474ec71f1098228e0ae5dd2a8f22c0a ] + +You can build a kernel in a cross compiling environment that doesn't +have perl in the $PATH. Commit 429f7a062e3b broke that for 32 bit +ARM. Fix it. + +As reported by Stephen Rothwell, it appears that the symbols can be +either part of the BSS section or absolute symbols depending on the +binutils version. When they're an absolute symbol, the $(( )) +operator errors out and the build fails. Fix this as well. + +Fixes: 429f7a062e3b ("ARM: decompressor: fix BSS size calculation") +Reported-by: Rob Landley +Reported-by: Stephen Rothwell +Acked-by: Rob Landley +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/compressed/Makefile | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/arch/arm/boot/compressed/Makefile ++++ b/arch/arm/boot/compressed/Makefile +@@ -117,11 +117,9 @@ ccflags-y := -fpic -mno-single-pic-base + asflags-y := -DZIMAGE + + # Supply kernel BSS size to the decompressor via a linker symbol. +-KBSS_SZ = $(shell $(CROSS_COMPILE)nm $(obj)/../../../../vmlinux | \ +- perl -e 'while (<>) { \ +- $$bss_start=hex($$1) if /^([[:xdigit:]]+) B __bss_start$$/; \ +- $$bss_end=hex($$1) if /^([[:xdigit:]]+) B __bss_stop$$/; \ +- }; printf "%d\n", $$bss_end - $$bss_start;') ++KBSS_SZ = $(shell echo $$(($$($(CROSS_COMPILE)nm $(obj)/../../../../vmlinux | \ ++ sed -n -e 's/^\([^ ]*\) [AB] __bss_start$$/-0x\1/p' \ ++ -e 's/^\([^ ]*\) [AB] __bss_stop$$/+0x\1/p') )) ) + LDFLAGS_vmlinux = --defsym _kernel_bss_size=$(KBSS_SZ) + # Supply ZRELADDR to the decompressor via a linker symbol. + ifneq ($(CONFIG_AUTO_ZRELADDR),y) diff --git a/queue-4.16/arm64-add-midr-encoding-for-nvidia-cpus.patch b/queue-4.16/arm64-add-midr-encoding-for-nvidia-cpus.patch new file mode 100644 index 00000000000..25c8f19d7cc --- /dev/null +++ b/queue-4.16/arm64-add-midr-encoding-for-nvidia-cpus.patch @@ -0,0 +1,49 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: David Gilhooley +Date: Tue, 8 May 2018 15:49:42 -0700 +Subject: arm64: Add MIDR encoding for NVIDIA CPUs + +From: David Gilhooley + +[ Upstream commit 1b06bd8dd95f7a19ab33fdf0f477c94950822ab3 ] + +This patch adds the MIDR encodings for NVIDIA as well as +the Denver and Carmel CPUs used in Tegra SoCs. + +Signed-off-by: David Gilhooley +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/cputype.h | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/arch/arm64/include/asm/cputype.h ++++ b/arch/arm64/include/asm/cputype.h +@@ -75,6 +75,7 @@ + #define ARM_CPU_IMP_CAVIUM 0x43 + #define ARM_CPU_IMP_BRCM 0x42 + #define ARM_CPU_IMP_QCOM 0x51 ++#define ARM_CPU_IMP_NVIDIA 0x4E + + #define ARM_CPU_PART_AEM_V8 0xD0F + #define ARM_CPU_PART_FOUNDATION 0xD00 +@@ -98,6 +99,9 @@ + #define QCOM_CPU_PART_FALKOR 0xC00 + #define QCOM_CPU_PART_KRYO 0x200 + ++#define NVIDIA_CPU_PART_DENVER 0x003 ++#define NVIDIA_CPU_PART_CARMEL 0x004 ++ + #define MIDR_CORTEX_A53 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A53) + #define MIDR_CORTEX_A57 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A57) + #define MIDR_CORTEX_A72 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A72) +@@ -112,6 +116,8 @@ + #define MIDR_QCOM_FALKOR_V1 MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_FALKOR_V1) + #define MIDR_QCOM_FALKOR MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_FALKOR) + #define MIDR_QCOM_KRYO MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_KRYO) ++#define MIDR_NVIDIA_DENVER MIDR_CPU_MODEL(ARM_CPU_IMP_NVIDIA, NVIDIA_CPU_PART_DENVER) ++#define MIDR_NVIDIA_CARMEL MIDR_CPU_MODEL(ARM_CPU_IMP_NVIDIA, NVIDIA_CPU_PART_CARMEL) + + #ifndef __ASSEMBLY__ + diff --git a/queue-4.16/arm64-dts-correct-sata-addresses-for-stingray.patch b/queue-4.16/arm64-dts-correct-sata-addresses-for-stingray.patch new file mode 100644 index 00000000000..5604b0c725c --- /dev/null +++ b/queue-4.16/arm64-dts-correct-sata-addresses-for-stingray.patch @@ -0,0 +1,243 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Srinath Mannam +Date: Wed, 18 Apr 2018 14:11:29 +0530 +Subject: arm64: dts: correct SATA addresses for Stingray + +From: Srinath Mannam + +[ Upstream commit 4555a5021fe88fc4f19ff53d1e58b410cf30a49a ] + +Correct all SATA ahci and phy controller register +addresses and interrupt lines to proper values. + +Fixes: 344a2e514182 ("arm64: dts: Add SATA DT nodes for Stingray SoC") + +Signed-off-by: Srinath Mannam +Reviewed-by: Ray Jui +Reviewed-by: Scott Branden +Reviewed-by: Andrew Gospodarek +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/broadcom/stingray/stingray-sata.dtsi | 80 +++++++-------- + 1 file changed, 40 insertions(+), 40 deletions(-) + +--- a/arch/arm64/boot/dts/broadcom/stingray/stingray-sata.dtsi ++++ b/arch/arm64/boot/dts/broadcom/stingray/stingray-sata.dtsi +@@ -36,11 +36,11 @@ + #size-cells = <1>; + ranges = <0x0 0x0 0x67d00000 0x00800000>; + +- sata0: ahci@210000 { ++ sata0: ahci@0 { + compatible = "brcm,iproc-ahci", "generic-ahci"; +- reg = <0x00210000 0x1000>; ++ reg = <0x00000000 0x1000>; + reg-names = "ahci"; +- interrupts = ; ++ interrupts = ; + #address-cells = <1>; + #size-cells = <0>; + status = "disabled"; +@@ -52,9 +52,9 @@ + }; + }; + +- sata_phy0: sata_phy@212100 { ++ sata_phy0: sata_phy@2100 { + compatible = "brcm,iproc-sr-sata-phy"; +- reg = <0x00212100 0x1000>; ++ reg = <0x00002100 0x1000>; + reg-names = "phy"; + #address-cells = <1>; + #size-cells = <0>; +@@ -66,11 +66,11 @@ + }; + }; + +- sata1: ahci@310000 { ++ sata1: ahci@10000 { + compatible = "brcm,iproc-ahci", "generic-ahci"; +- reg = <0x00310000 0x1000>; ++ reg = <0x00010000 0x1000>; + reg-names = "ahci"; +- interrupts = ; ++ interrupts = ; + #address-cells = <1>; + #size-cells = <0>; + status = "disabled"; +@@ -82,9 +82,9 @@ + }; + }; + +- sata_phy1: sata_phy@312100 { ++ sata_phy1: sata_phy@12100 { + compatible = "brcm,iproc-sr-sata-phy"; +- reg = <0x00312100 0x1000>; ++ reg = <0x00012100 0x1000>; + reg-names = "phy"; + #address-cells = <1>; + #size-cells = <0>; +@@ -96,11 +96,11 @@ + }; + }; + +- sata2: ahci@120000 { ++ sata2: ahci@20000 { + compatible = "brcm,iproc-ahci", "generic-ahci"; +- reg = <0x00120000 0x1000>; ++ reg = <0x00020000 0x1000>; + reg-names = "ahci"; +- interrupts = ; ++ interrupts = ; + #address-cells = <1>; + #size-cells = <0>; + status = "disabled"; +@@ -112,9 +112,9 @@ + }; + }; + +- sata_phy2: sata_phy@122100 { ++ sata_phy2: sata_phy@22100 { + compatible = "brcm,iproc-sr-sata-phy"; +- reg = <0x00122100 0x1000>; ++ reg = <0x00022100 0x1000>; + reg-names = "phy"; + #address-cells = <1>; + #size-cells = <0>; +@@ -126,11 +126,11 @@ + }; + }; + +- sata3: ahci@130000 { ++ sata3: ahci@30000 { + compatible = "brcm,iproc-ahci", "generic-ahci"; +- reg = <0x00130000 0x1000>; ++ reg = <0x00030000 0x1000>; + reg-names = "ahci"; +- interrupts = ; ++ interrupts = ; + #address-cells = <1>; + #size-cells = <0>; + status = "disabled"; +@@ -142,9 +142,9 @@ + }; + }; + +- sata_phy3: sata_phy@132100 { ++ sata_phy3: sata_phy@32100 { + compatible = "brcm,iproc-sr-sata-phy"; +- reg = <0x00132100 0x1000>; ++ reg = <0x00032100 0x1000>; + reg-names = "phy"; + #address-cells = <1>; + #size-cells = <0>; +@@ -156,11 +156,11 @@ + }; + }; + +- sata4: ahci@330000 { ++ sata4: ahci@100000 { + compatible = "brcm,iproc-ahci", "generic-ahci"; +- reg = <0x00330000 0x1000>; ++ reg = <0x00100000 0x1000>; + reg-names = "ahci"; +- interrupts = ; ++ interrupts = ; + #address-cells = <1>; + #size-cells = <0>; + status = "disabled"; +@@ -172,9 +172,9 @@ + }; + }; + +- sata_phy4: sata_phy@332100 { ++ sata_phy4: sata_phy@102100 { + compatible = "brcm,iproc-sr-sata-phy"; +- reg = <0x00332100 0x1000>; ++ reg = <0x00102100 0x1000>; + reg-names = "phy"; + #address-cells = <1>; + #size-cells = <0>; +@@ -186,11 +186,11 @@ + }; + }; + +- sata5: ahci@400000 { ++ sata5: ahci@110000 { + compatible = "brcm,iproc-ahci", "generic-ahci"; +- reg = <0x00400000 0x1000>; ++ reg = <0x00110000 0x1000>; + reg-names = "ahci"; +- interrupts = ; ++ interrupts = ; + #address-cells = <1>; + #size-cells = <0>; + status = "disabled"; +@@ -202,9 +202,9 @@ + }; + }; + +- sata_phy5: sata_phy@402100 { ++ sata_phy5: sata_phy@112100 { + compatible = "brcm,iproc-sr-sata-phy"; +- reg = <0x00402100 0x1000>; ++ reg = <0x00112100 0x1000>; + reg-names = "phy"; + #address-cells = <1>; + #size-cells = <0>; +@@ -216,11 +216,11 @@ + }; + }; + +- sata6: ahci@410000 { ++ sata6: ahci@120000 { + compatible = "brcm,iproc-ahci", "generic-ahci"; +- reg = <0x00410000 0x1000>; ++ reg = <0x00120000 0x1000>; + reg-names = "ahci"; +- interrupts = ; ++ interrupts = ; + #address-cells = <1>; + #size-cells = <0>; + status = "disabled"; +@@ -232,9 +232,9 @@ + }; + }; + +- sata_phy6: sata_phy@412100 { ++ sata_phy6: sata_phy@122100 { + compatible = "brcm,iproc-sr-sata-phy"; +- reg = <0x00412100 0x1000>; ++ reg = <0x00122100 0x1000>; + reg-names = "phy"; + #address-cells = <1>; + #size-cells = <0>; +@@ -246,11 +246,11 @@ + }; + }; + +- sata7: ahci@420000 { ++ sata7: ahci@130000 { + compatible = "brcm,iproc-ahci", "generic-ahci"; +- reg = <0x00420000 0x1000>; ++ reg = <0x00130000 0x1000>; + reg-names = "ahci"; +- interrupts = ; ++ interrupts = ; + #address-cells = <1>; + #size-cells = <0>; + status = "disabled"; +@@ -262,9 +262,9 @@ + }; + }; + +- sata_phy7: sata_phy@422100 { ++ sata_phy7: sata_phy@132100 { + compatible = "brcm,iproc-sr-sata-phy"; +- reg = <0x00422100 0x1000>; ++ reg = <0x00132100 0x1000>; + reg-names = "phy"; + #address-cells = <1>; + #size-cells = <0>; diff --git a/queue-4.16/arm64-dts-meson-gx-p23x-q20x-enable-the-usb-controller.patch b/queue-4.16/arm64-dts-meson-gx-p23x-q20x-enable-the-usb-controller.patch new file mode 100644 index 00000000000..0101b5b4269 --- /dev/null +++ b/queue-4.16/arm64-dts-meson-gx-p23x-q20x-enable-the-usb-controller.patch @@ -0,0 +1,32 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Martin Blumenstingl +Date: Mon, 26 Mar 2018 23:17:45 +0200 +Subject: ARM64: dts: meson-gx-p23x-q20x: enable the USB controller + +From: Martin Blumenstingl + +[ Upstream commit 972cd12a027256061c19c164021f2a771e860438 ] + +All S905D (GXL) and S912 (GXM) reference boards (namely these are +P230, P231, Q200 and Q201) provide USB connectors. +This enables the USB controller on these boards to make the USB ports +actually usable. + +Signed-off-by: Martin Blumenstingl +Signed-off-by: Kevin Hilman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/amlogic/meson-gx-p23x-q20x.dtsi | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/arm64/boot/dts/amlogic/meson-gx-p23x-q20x.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-gx-p23x-q20x.dtsi +@@ -248,3 +248,7 @@ + pinctrl-0 = <&uart_ao_a_pins>; + pinctrl-names = "default"; + }; ++ ++&usb0 { ++ status = "okay"; ++}; diff --git a/queue-4.16/arm64-dts-meson-gxl-add-usb-host-support.patch b/queue-4.16/arm64-dts-meson-gxl-add-usb-host-support.patch new file mode 100644 index 00000000000..fa6c3d20e13 --- /dev/null +++ b/queue-4.16/arm64-dts-meson-gxl-add-usb-host-support.patch @@ -0,0 +1,109 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Martin Blumenstingl +Date: Mon, 26 Mar 2018 23:17:42 +0200 +Subject: ARM64: dts: meson-gxl: add USB host support + +From: Martin Blumenstingl + +[ Upstream commit 8aec5fc1d4d881fe446addb94309efb39d4e5b23 ] + +This adds USB host support to the Meson GXL SoC. A dwc3 controller is +used for host-mode, while a dwc2 controller (not added in this patch +because I could not get it working) is used for device-mode only. + +The dwc3 controller's internal roothub has two USB2 ports enabled but no +USB3 port. Each of the ports is supplied by a separate PHY. The USB pins +are connected to the SoC's USBHOST_A and USBOTG_B pins. +Due to the way the roothub works internally the USB PHYs are left +enabled. When the dwc3 controller is disabled the PHY is never powered on +so it does not draw any extra power. However, when the dwc3 host +controller is enabled then all PHYs also have to be enabled, otherwise +USB devices will not be detected (regardless of whether they are plugged +into an enabled port or not). This means that only the dwc3 controller +has to be enabled on boards with USB support (instead of requiring all +boards to enable the PHYs additionally with the chance of forgetting to +enable one and breaking all other ports with that as well). + +This also adds the USB3 PHY which currently only does some basic +initialization. That however is required because without it high-speed +devices (like USB thumb drives) do not work on some devices (probably +because the bootloader does not configure the USB3 PHY registers). + +Signed-off-by: Martin Blumenstingl +Signed-off-by: Kevin Hilman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/amlogic/meson-gxl.dtsi | 61 +++++++++++++++++++++++++++++ + 1 file changed, 61 insertions(+) + +--- a/arch/arm64/boot/dts/amlogic/meson-gxl.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-gxl.dtsi +@@ -57,6 +57,67 @@ + no-map; + }; + }; ++ ++ soc { ++ usb0: usb@c9000000 { ++ status = "disabled"; ++ compatible = "amlogic,meson-gxl-dwc3"; ++ #address-cells = <2>; ++ #size-cells = <2>; ++ ranges; ++ ++ clocks = <&clkc CLKID_USB>; ++ clock-names = "usb_general"; ++ resets = <&reset RESET_USB_OTG>; ++ reset-names = "usb_otg"; ++ ++ dwc3: dwc3@c9000000 { ++ compatible = "snps,dwc3"; ++ reg = <0x0 0xc9000000 0x0 0x100000>; ++ interrupts = ; ++ dr_mode = "host"; ++ maximum-speed = "high-speed"; ++ snps,dis_u2_susphy_quirk; ++ phys = <&usb3_phy>, <&usb2_phy0>, <&usb2_phy1>; ++ }; ++ }; ++ }; ++}; ++ ++&apb { ++ usb2_phy0: phy@78000 { ++ compatible = "amlogic,meson-gxl-usb2-phy"; ++ #phy-cells = <0>; ++ reg = <0x0 0x78000 0x0 0x20>; ++ clocks = <&clkc CLKID_USB>; ++ clock-names = "phy"; ++ resets = <&reset RESET_USB_OTG>; ++ reset-names = "phy"; ++ status = "okay"; ++ }; ++ ++ usb2_phy1: phy@78020 { ++ compatible = "amlogic,meson-gxl-usb2-phy"; ++ #phy-cells = <0>; ++ reg = <0x0 0x78020 0x0 0x20>; ++ clocks = <&clkc CLKID_USB>; ++ clock-names = "phy"; ++ resets = <&reset RESET_USB_OTG>; ++ reset-names = "phy"; ++ status = "okay"; ++ }; ++ ++ usb3_phy: phy@78080 { ++ compatible = "amlogic,meson-gxl-usb3-phy"; ++ #phy-cells = <0>; ++ reg = <0x0 0x78080 0x0 0x20>; ++ interrupts = ; ++ clocks = <&clkc CLKID_USB>, <&clkc_AO CLKID_AO_CEC_32K>; ++ clock-names = "phy", "peripheral"; ++ resets = <&reset RESET_USB_OTG>, <&reset RESET_USB_OTG>; ++ reset-names = "phy", "peripheral"; ++ status = "okay"; ++ }; + }; + + ðmac { diff --git a/queue-4.16/arm64-dts-meson-gxl-nexbox-a95x-enable-the-usb-controller.patch b/queue-4.16/arm64-dts-meson-gxl-nexbox-a95x-enable-the-usb-controller.patch new file mode 100644 index 00000000000..c25a5739efc --- /dev/null +++ b/queue-4.16/arm64-dts-meson-gxl-nexbox-a95x-enable-the-usb-controller.patch @@ -0,0 +1,30 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Martin Blumenstingl +Date: Mon, 26 Mar 2018 23:17:47 +0200 +Subject: ARM64: dts: meson-gxl-nexbox-a95x: enable the USB controller + +From: Martin Blumenstingl + +[ Upstream commit 55ef32249bb647c6b64adcf943918d302a0020a7 ] + +The Nexbox A95X provides two USB ports. Enable the SoC's USB controller +on this board to make these USB ports usable. + +Signed-off-by: Martin Blumenstingl +Signed-off-by: Kevin Hilman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/amlogic/meson-gxl-s905x-nexbox-a95x.dts | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/arm64/boot/dts/amlogic/meson-gxl-s905x-nexbox-a95x.dts ++++ b/arch/arm64/boot/dts/amlogic/meson-gxl-s905x-nexbox-a95x.dts +@@ -251,3 +251,7 @@ + pinctrl-0 = <&uart_ao_a_pins>; + pinctrl-names = "default"; + }; ++ ++&usb0 { ++ status = "okay"; ++}; diff --git a/queue-4.16/arm64-dts-meson-gxl-s905x-libretech-cc-enable-the-usb-controller.patch b/queue-4.16/arm64-dts-meson-gxl-s905x-libretech-cc-enable-the-usb-controller.patch new file mode 100644 index 00000000000..90d2684fe0f --- /dev/null +++ b/queue-4.16/arm64-dts-meson-gxl-s905x-libretech-cc-enable-the-usb-controller.patch @@ -0,0 +1,42 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Martin Blumenstingl +Date: Mon, 26 Mar 2018 23:17:46 +0200 +Subject: ARM64: dts: meson-gxl-s905x-libretech-cc: enable the USB controller + +From: Martin Blumenstingl + +[ Upstream commit b83687f359d9b4128073f06ab7a06489eb04aa7c ] + +The LibreTech CC ("Le Potato") board provides four USB connectors. +These are provided by a hub which is connected to the SoC's USB +controller. +Enable the SoC's USB controller to make the USB ports usable. Also turn +on the HDMI_5V regulator when powering on the PHY because (even though +it's not shown in the schematics) HDMI_5V also supplies the USB VBUS. + +Signed-off-by: Martin Blumenstingl +Signed-off-by: Kevin Hilman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/amlogic/meson-gxl-s905x-libretech-cc.dts | 12 +++++++++++ + 1 file changed, 12 insertions(+) + +--- a/arch/arm64/boot/dts/amlogic/meson-gxl-s905x-libretech-cc.dts ++++ b/arch/arm64/boot/dts/amlogic/meson-gxl-s905x-libretech-cc.dts +@@ -271,3 +271,15 @@ + pinctrl-0 = <&uart_ao_a_pins>; + pinctrl-names = "default"; + }; ++ ++&usb0 { ++ status = "okay"; ++}; ++ ++&usb2_phy0 { ++ /* ++ * even though the schematics don't show it: ++ * HDMI_5V is also used as supply for the USB VBUS. ++ */ ++ phy-supply = <&hdmi_5v>; ++}; diff --git a/queue-4.16/arm64-dts-meson-gxl-s905x-p212-enable-the-usb-controller.patch b/queue-4.16/arm64-dts-meson-gxl-s905x-p212-enable-the-usb-controller.patch new file mode 100644 index 00000000000..22d14f4fd29 --- /dev/null +++ b/queue-4.16/arm64-dts-meson-gxl-s905x-p212-enable-the-usb-controller.patch @@ -0,0 +1,34 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Martin Blumenstingl +Date: Mon, 26 Mar 2018 23:17:44 +0200 +Subject: ARM64: dts: meson-gxl-s905x-p212: enable the USB controller + +From: Martin Blumenstingl + +[ Upstream commit b9f07cb4f41fccbe7616482015d28e6e26aec3a3 ] + +All boards based on the P212 reference design (the P212 reference board +itself and the Khadas VIM) have USB connectors (in case of the Khadas +VIM the first port is exposed through the USB Type-C connector, the +second port is connected to a 4-port USB hub). +This enables the USB controller on these boards to make the USB ports +actually usable. + +Signed-off-by: Martin Blumenstingl +Signed-off-by: Kevin Hilman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/amlogic/meson-gxl-s905x-p212.dtsi | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/arm64/boot/dts/amlogic/meson-gxl-s905x-p212.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-gxl-s905x-p212.dtsi +@@ -185,3 +185,7 @@ + pinctrl-0 = <&uart_ao_a_pins>; + pinctrl-names = "default"; + }; ++ ++&usb0 { ++ status = "okay"; ++}; diff --git a/queue-4.16/arm64-dts-meson-gxm-add-gxm-specific-usb-host-configuration.patch b/queue-4.16/arm64-dts-meson-gxm-add-gxm-specific-usb-host-configuration.patch new file mode 100644 index 00000000000..9625b508d28 --- /dev/null +++ b/queue-4.16/arm64-dts-meson-gxm-add-gxm-specific-usb-host-configuration.patch @@ -0,0 +1,56 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Martin Blumenstingl +Date: Mon, 26 Mar 2018 23:17:43 +0200 +Subject: ARM64: dts: meson-gxm: add GXM specific USB host configuration + +From: Martin Blumenstingl + +[ Upstream commit 458baa95c86406c81c6ebac0a98d1689075a3ec4 ] + +The USB configuration on GXM is slightly different than on GXL. The dwc3 +controller's internal hub has three USB2 ports (instead of 2 on GXL) +along with a dedicated USB2 PHY for this port. However, it seems that +there are no pins on GXM which would allow connecting the third port to +a physical USB port. +Passing the third PHY is required though, because without it none of the +other USB ports is working (this seems to be a limitation of how the +internal USB hub works, if one PHY is disabled then no USB port works). + +Signed-off-by: Martin Blumenstingl +Signed-off-by: Kevin Hilman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/amlogic/meson-gxm.dtsi | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +--- a/arch/arm64/boot/dts/amlogic/meson-gxm.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-gxm.dtsi +@@ -117,6 +117,19 @@ + }; + }; + ++&apb { ++ usb2_phy2: phy@78040 { ++ compatible = "amlogic,meson-gxl-usb2-phy"; ++ #phy-cells = <0>; ++ reg = <0x0 0x78040 0x0 0x20>; ++ clocks = <&clkc CLKID_USB>; ++ clock-names = "phy"; ++ resets = <&reset RESET_USB_OTG>; ++ reset-names = "phy"; ++ status = "okay"; ++ }; ++}; ++ + &clkc_AO { + compatible = "amlogic,meson-gxm-aoclkc", "amlogic,meson-gx-aoclkc"; + }; +@@ -137,3 +150,7 @@ + &hdmi_tx { + compatible = "amlogic,meson-gxm-dw-hdmi", "amlogic,meson-gx-dw-hdmi"; + }; ++ ++&dwc3 { ++ phys = <&usb3_phy>, <&usb2_phy0>, <&usb2_phy1>, <&usb2_phy2>; ++}; diff --git a/queue-4.16/arm64-dts-meson-gxm-khadas-vim2-enable-the-usb-controller.patch b/queue-4.16/arm64-dts-meson-gxm-khadas-vim2-enable-the-usb-controller.patch new file mode 100644 index 00000000000..69a704857dc --- /dev/null +++ b/queue-4.16/arm64-dts-meson-gxm-khadas-vim2-enable-the-usb-controller.patch @@ -0,0 +1,32 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Martin Blumenstingl +Date: Mon, 26 Mar 2018 23:17:48 +0200 +Subject: ARM64: dts: meson-gxm-khadas-vim2: enable the USB controller + +From: Martin Blumenstingl + +[ Upstream commit 4b7b0d7b25538d2ad421a1041267d5208d3425bc ] + +The Khadas VIM2 board connects the dwc3 controller to an internal 4-port +USB hub which. Two of these ports are accessible directly soldered to +the board, while the other two are accessible through the 40-pin "GPIO" +header. + +Signed-off-by: Martin Blumenstingl +Signed-off-by: Kevin Hilman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/amlogic/meson-gxm-khadas-vim2.dts | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/arm64/boot/dts/amlogic/meson-gxm-khadas-vim2.dts ++++ b/arch/arm64/boot/dts/amlogic/meson-gxm-khadas-vim2.dts +@@ -413,3 +413,7 @@ + status = "okay"; + vref-supply = <&vddio_ao18>; + }; ++ ++&usb0 { ++ status = "okay"; ++}; diff --git a/queue-4.16/arm64-dts-uniphier-fix-input-delay-value-for-legacy-mode-of-emmc.patch b/queue-4.16/arm64-dts-uniphier-fix-input-delay-value-for-legacy-mode-of-emmc.patch new file mode 100644 index 00000000000..a80baec9316 --- /dev/null +++ b/queue-4.16/arm64-dts-uniphier-fix-input-delay-value-for-legacy-mode-of-emmc.patch @@ -0,0 +1,55 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Masahiro Yamada +Date: Thu, 12 Apr 2018 11:31:31 +0900 +Subject: arm64: dts: uniphier: fix input delay value for legacy mode of eMMC + +From: Masahiro Yamada + +[ Upstream commit f4e5200fc0d7dad75c688e7ccc0652481a916df5 ] + +The property of the legacy mode for the eMMC PHY turned out to +be wrong. Some eMMC devices are unstable due to the set-up/hold +timing violation. Correct the delay value. + +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/socionext/uniphier-ld11.dtsi | 2 +- + arch/arm64/boot/dts/socionext/uniphier-ld20.dtsi | 2 +- + arch/arm64/boot/dts/socionext/uniphier-pxs3.dtsi | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/arm64/boot/dts/socionext/uniphier-ld11.dtsi ++++ b/arch/arm64/boot/dts/socionext/uniphier-ld11.dtsi +@@ -330,7 +330,7 @@ + mmc-ddr-1_8v; + mmc-hs200-1_8v; + mmc-pwrseq = <&emmc_pwrseq>; +- cdns,phy-input-delay-legacy = <4>; ++ cdns,phy-input-delay-legacy = <9>; + cdns,phy-input-delay-mmc-highspeed = <2>; + cdns,phy-input-delay-mmc-ddr = <3>; + cdns,phy-dll-delay-sdclk = <21>; +--- a/arch/arm64/boot/dts/socionext/uniphier-ld20.dtsi ++++ b/arch/arm64/boot/dts/socionext/uniphier-ld20.dtsi +@@ -435,7 +435,7 @@ + mmc-ddr-1_8v; + mmc-hs200-1_8v; + mmc-pwrseq = <&emmc_pwrseq>; +- cdns,phy-input-delay-legacy = <4>; ++ cdns,phy-input-delay-legacy = <9>; + cdns,phy-input-delay-mmc-highspeed = <2>; + cdns,phy-input-delay-mmc-ddr = <3>; + cdns,phy-dll-delay-sdclk = <21>; +--- a/arch/arm64/boot/dts/socionext/uniphier-pxs3.dtsi ++++ b/arch/arm64/boot/dts/socionext/uniphier-pxs3.dtsi +@@ -336,7 +336,7 @@ + mmc-ddr-1_8v; + mmc-hs200-1_8v; + mmc-pwrseq = <&emmc_pwrseq>; +- cdns,phy-input-delay-legacy = <4>; ++ cdns,phy-input-delay-legacy = <9>; + cdns,phy-input-delay-mmc-highspeed = <2>; + cdns,phy-input-delay-mmc-ddr = <3>; + cdns,phy-dll-delay-sdclk = <21>; diff --git a/queue-4.16/arm64-fix-possible-spectre-v1-in-ptrace_hbp_get_event.patch b/queue-4.16/arm64-fix-possible-spectre-v1-in-ptrace_hbp_get_event.patch new file mode 100644 index 00000000000..c6ff3f9b604 --- /dev/null +++ b/queue-4.16/arm64-fix-possible-spectre-v1-in-ptrace_hbp_get_event.patch @@ -0,0 +1,59 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Mark Rutland +Date: Wed, 25 Apr 2018 17:13:40 +0100 +Subject: arm64: fix possible spectre-v1 in ptrace_hbp_get_event() + +From: Mark Rutland + +[ Upstream commit 19791a7ca674fb3009bb068260e852a2f05b605c ] + +It's possible for userspace to control idx. Sanitize idx when using it +as an array index. + +Found by smatch. + +Signed-off-by: Mark Rutland +Cc: Catalin Marinas +Cc: Will Deacon +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/ptrace.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/arch/arm64/kernel/ptrace.c ++++ b/arch/arm64/kernel/ptrace.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -249,15 +250,20 @@ static struct perf_event *ptrace_hbp_get + + switch (note_type) { + case NT_ARM_HW_BREAK: +- if (idx < ARM_MAX_BRP) +- bp = tsk->thread.debug.hbp_break[idx]; ++ if (idx >= ARM_MAX_BRP) ++ goto out; ++ idx = array_index_nospec(idx, ARM_MAX_BRP); ++ bp = tsk->thread.debug.hbp_break[idx]; + break; + case NT_ARM_HW_WATCH: +- if (idx < ARM_MAX_WRP) +- bp = tsk->thread.debug.hbp_watch[idx]; ++ if (idx >= ARM_MAX_WRP) ++ goto out; ++ idx = array_index_nospec(idx, ARM_MAX_WRP); ++ bp = tsk->thread.debug.hbp_watch[idx]; + break; + } + ++out: + return bp; + } + diff --git a/queue-4.16/arm64-kasan-avoid-pfn_to_nid-before-page-array-is-initialized.patch b/queue-4.16/arm64-kasan-avoid-pfn_to_nid-before-page-array-is-initialized.patch new file mode 100644 index 00000000000..31ce537794f --- /dev/null +++ b/queue-4.16/arm64-kasan-avoid-pfn_to_nid-before-page-array-is-initialized.patch @@ -0,0 +1,102 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Mark Rutland +Date: Mon, 16 Apr 2018 14:44:41 +0100 +Subject: arm64: kasan: avoid pfn_to_nid() before page array is initialized + +From: Mark Rutland + +[ Upstream commit 800cb2e553d44541b83aa3ec45d9839385fe8ab6 ] + +In arm64's kasan_init(), we use pfn_to_nid() to find the NUMA node a +span of memory is in, hoping to allocate shadow from the same NUMA node. +However, at this point, the page array has not been initialized, and +thus this is bogus. + +Since commit: + + f165b378bbdf6c8a ("mm: uninitialized struct page poisoning sanity") + +... accessing fields of the page array results in a boot time Oops(), +highlighting this problem: + +[ 0.000000] Unable to handle kernel paging request at virtual address dfff200000000000 +[ 0.000000] Mem abort info: +[ 0.000000] ESR = 0x96000004 +[ 0.000000] Exception class = DABT (current EL), IL = 32 bits +[ 0.000000] SET = 0, FnV = 0 +[ 0.000000] EA = 0, S1PTW = 0 +[ 0.000000] Data abort info: +[ 0.000000] ISV = 0, ISS = 0x00000004 +[ 0.000000] CM = 0, WnR = 0 +[ 0.000000] [dfff200000000000] address between user and kernel address ranges +[ 0.000000] Internal error: Oops: 96000004 [#1] PREEMPT SMP +[ 0.000000] Modules linked in: +[ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.16.0-07317-gf165b378bbdf #42 +[ 0.000000] Hardware name: ARM Juno development board (r1) (DT) +[ 0.000000] pstate: 80000085 (Nzcv daIf -PAN -UAO) +[ 0.000000] pc : __asan_load8+0x8c/0xa8 +[ 0.000000] lr : __dump_page+0x3c/0x3b8 +[ 0.000000] sp : ffff2000099b7ca0 +[ 0.000000] x29: ffff2000099b7ca0 x28: ffff20000a1762c0 +[ 0.000000] x27: ffff7e0000000000 x26: ffff2000099dd000 +[ 0.000000] x25: ffff200009a3f960 x24: ffff200008f9c38c +[ 0.000000] x23: ffff20000a9d3000 x22: ffff200009735430 +[ 0.000000] x21: fffffffffffffffe x20: ffff7e0001e50420 +[ 0.000000] x19: ffff7e0001e50400 x18: 0000000000001840 +[ 0.000000] x17: ffffffffffff8270 x16: 0000000000001840 +[ 0.000000] x15: 0000000000001920 x14: 0000000000000004 +[ 0.000000] x13: 0000000000000000 x12: 0000000000000800 +[ 0.000000] x11: 1ffff0012d0f89ff x10: ffff10012d0f89ff +[ 0.000000] x9 : 0000000000000000 x8 : ffff8009687c5000 +[ 0.000000] x7 : 0000000000000000 x6 : ffff10000f282000 +[ 0.000000] x5 : 0000000000000040 x4 : fffffffffffffffe +[ 0.000000] x3 : 0000000000000000 x2 : dfff200000000000 +[ 0.000000] x1 : 0000000000000005 x0 : 0000000000000000 +[ 0.000000] Process swapper (pid: 0, stack limit = 0x (ptrval)) +[ 0.000000] Call trace: +[ 0.000000] __asan_load8+0x8c/0xa8 +[ 0.000000] __dump_page+0x3c/0x3b8 +[ 0.000000] dump_page+0xc/0x18 +[ 0.000000] kasan_init+0x2e8/0x5a8 +[ 0.000000] setup_arch+0x294/0x71c +[ 0.000000] start_kernel+0xdc/0x500 +[ 0.000000] Code: aa0403e0 9400063c 17ffffee d343fc00 (38e26800) +[ 0.000000] ---[ end trace 67064f0e9c0cc338 ]--- +[ 0.000000] Kernel panic - not syncing: Attempted to kill the idle task! +[ 0.000000] ---[ end Kernel panic - not syncing: Attempted to kill the idle task! ]--- + +Let's fix this by using early_pfn_to_nid(), as other architectures do in +their kasan init code. Note that early_pfn_to_nid acquires the nid from +the memblock array, which we iterate over in kasan_init(), so this +should be fine. + +Signed-off-by: Mark Rutland +Fixes: 39d114ddc6822302 ("arm64: add KASAN support") +Cc: Will Deacon +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/mm/kasan_init.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm64/mm/kasan_init.c ++++ b/arch/arm64/mm/kasan_init.c +@@ -204,7 +204,7 @@ void __init kasan_init(void) + clear_pgds(KASAN_SHADOW_START, KASAN_SHADOW_END); + + kasan_map_populate(kimg_shadow_start, kimg_shadow_end, +- pfn_to_nid(virt_to_pfn(lm_alias(_text)))); ++ early_pfn_to_nid(virt_to_pfn(lm_alias(_text)))); + + kasan_populate_zero_shadow((void *)KASAN_SHADOW_START, + (void *)mod_shadow_start); +@@ -224,7 +224,7 @@ void __init kasan_init(void) + + kasan_map_populate((unsigned long)kasan_mem_to_shadow(start), + (unsigned long)kasan_mem_to_shadow(end), +- pfn_to_nid(virt_to_pfn(start))); ++ early_pfn_to_nid(virt_to_pfn(start))); + } + + /* diff --git a/queue-4.16/arm64-only-advance-singlestep-for-user-instruction-traps.patch b/queue-4.16/arm64-only-advance-singlestep-for-user-instruction-traps.patch new file mode 100644 index 00000000000..bb4c6250d06 --- /dev/null +++ b/queue-4.16/arm64-only-advance-singlestep-for-user-instruction-traps.patch @@ -0,0 +1,45 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Mark Rutland +Date: Tue, 3 Apr 2018 11:22:51 +0100 +Subject: arm64: only advance singlestep for user instruction traps + +From: Mark Rutland + +[ Upstream commit 9478f1927e6ef9ef5e1ad761af1c98aa8e40b7f5 ] + +Our arm64_skip_faulting_instruction() helper advances the userspace +singlestep state machine, but this is also called by the kernel BRK +handler, as used for WARN*(). + +Thus, if we happen to hit a WARN*() while the user singlestep state +machine is in the active-no-pending state, we'll advance to the +active-pending state without having executed a user instruction, and +will take a step exception earlier than expected when we return to +userspace. + +Let's fix this by only advancing the state machine when skipping a user +instruction. + +Signed-off-by: Mark Rutland +Cc: Andrey Konovalov +Cc: Catalin Marinas +Cc: Will Deacon +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/traps.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/arm64/kernel/traps.c ++++ b/arch/arm64/kernel/traps.c +@@ -243,7 +243,8 @@ void arm64_skip_faulting_instruction(str + * If we were single stepping, we want to get the step exception after + * we return from the trap. + */ +- user_fastforward_single_step(current); ++ if (user_mode(regs)) ++ user_fastforward_single_step(current); + } + + static LIST_HEAD(undef_hook); diff --git a/queue-4.16/arm64-ptrace-remove-addr_limit-manipulation.patch b/queue-4.16/arm64-ptrace-remove-addr_limit-manipulation.patch new file mode 100644 index 00000000000..addecaf2f97 --- /dev/null +++ b/queue-4.16/arm64-ptrace-remove-addr_limit-manipulation.patch @@ -0,0 +1,66 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Mark Rutland +Date: Tue, 24 Apr 2018 13:11:22 +0100 +Subject: arm64: ptrace: remove addr_limit manipulation + +From: Mark Rutland + +[ Upstream commit 59275a0c037ed6fabd6354730f1e3104264ab719 ] + +We transiently switch to KERNEL_DS in compat_ptrace_gethbpregs() and +compat_ptrace_sethbpregs(), but in either case this is pointless as we +don't perform any uaccess during this window. + +let's rip out the redundant addr_limit manipulation. + +Acked-by: Catalin Marinas +Signed-off-by: Mark Rutland +Cc: Will Deacon +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/ptrace.c | 6 ------ + 1 file changed, 6 deletions(-) + +--- a/arch/arm64/kernel/ptrace.c ++++ b/arch/arm64/kernel/ptrace.c +@@ -1458,9 +1458,7 @@ static int compat_ptrace_gethbpregs(stru + { + int ret; + u32 kdata; +- mm_segment_t old_fs = get_fs(); + +- set_fs(KERNEL_DS); + /* Watchpoint */ + if (num < 0) { + ret = compat_ptrace_hbp_get(NT_ARM_HW_WATCH, tsk, num, &kdata); +@@ -1471,7 +1469,6 @@ static int compat_ptrace_gethbpregs(stru + } else { + ret = compat_ptrace_hbp_get(NT_ARM_HW_BREAK, tsk, num, &kdata); + } +- set_fs(old_fs); + + if (!ret) + ret = put_user(kdata, data); +@@ -1484,7 +1481,6 @@ static int compat_ptrace_sethbpregs(stru + { + int ret; + u32 kdata = 0; +- mm_segment_t old_fs = get_fs(); + + if (num == 0) + return 0; +@@ -1493,12 +1489,10 @@ static int compat_ptrace_sethbpregs(stru + if (ret) + return ret; + +- set_fs(KERNEL_DS); + if (num < 0) + ret = compat_ptrace_hbp_set(NT_ARM_HW_WATCH, tsk, num, &kdata); + else + ret = compat_ptrace_hbp_set(NT_ARM_HW_BREAK, tsk, num, &kdata); +- set_fs(old_fs); + + return ret; + } diff --git a/queue-4.16/arm64-tegra-make-bcm89610-phy-interrupt-as-active-low.patch b/queue-4.16/arm64-tegra-make-bcm89610-phy-interrupt-as-active-low.patch new file mode 100644 index 00000000000..0eec4c2258a --- /dev/null +++ b/queue-4.16/arm64-tegra-make-bcm89610-phy-interrupt-as-active-low.patch @@ -0,0 +1,34 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Bhadram Varka +Date: Wed, 2 May 2018 20:44:40 +0530 +Subject: arm64: tegra: Make BCM89610 PHY interrupt as active low + +From: Bhadram Varka + +[ Upstream commit 9df50ba76ac1485b844beffa1f3f5d9659d9cdaf ] + +Need to configure PHY interrupt as active low for P3310 Tegra186 +platform otherwise it results in spurious interrupts. + +This issue wasn't seen before because the generic PHY driver without +interrupt support was used. + +Signed-off-by: Bhadram Varka +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/nvidia/tegra186-p3310.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/nvidia/tegra186-p3310.dtsi ++++ b/arch/arm64/boot/dts/nvidia/tegra186-p3310.dtsi +@@ -46,7 +46,7 @@ + compatible = "ethernet-phy-ieee802.3-c22"; + reg = <0x0>; + interrupt-parent = <&gpio>; +- interrupts = ; ++ interrupts = ; + }; + }; + }; diff --git a/queue-4.16/asoc-intel-atom-fix-acpi-pci-kconfig.patch b/queue-4.16/asoc-intel-atom-fix-acpi-pci-kconfig.patch new file mode 100644 index 00000000000..2bc0a920fea --- /dev/null +++ b/queue-4.16/asoc-intel-atom-fix-acpi-pci-kconfig.patch @@ -0,0 +1,92 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Pierre-Louis Bossart +Date: Mon, 2 Apr 2018 12:06:14 -0500 +Subject: ASoC: Intel: atom: fix ACPI/PCI Kconfig + +From: Pierre-Louis Bossart + +[ Upstream commit 90619eb1dc4f19357fef5e9c13c6c9beead0fd80 ] + +The split between ACPI and PCI platforms generated issues with randconfig: + +with SND_SST_ATOM_HIFI2_PLATFORM_PCI=y and +SND_SST_ATOM_HIFI2_PLATFORM=m, we get this module link failure: + +ERROR: "sst_context_init" +[sound/soc/intel/atom/sst/snd-intel-sst-acpi.ko] undefined! + +ERROR: "sst_context_cleanup" +[sound/soc/intel/atom/sst/snd-intel-sst-acpi.ko] undefined! + +ERROR: "sst_alloc_drv_context" +[sound/soc/intel/atom/sst/snd-intel-sst-acpi.ko] undefined! + +ERROR: "intel_sst_pm" [sound/soc/intel/atom/sst/snd-intel-sst-acpi.ko] +undefined! + +ERROR: "sst_configure_runtime_pm" +[sound/soc/intel/atom/sst/snd-intel-sst-acpi.ko] undefined! + +To keep things simple, let's expose two configs for +SND_SST_ATOM_HIFI2_PLATFORM_PCI and SND_SST_ATOM_HIFI2_PLATFORM_ACPI, +which select a common SND_SST_ATOM_HIFI2_PLATFORM option. To avoid +breaking existing solutions with the semantics change, +SND_SST_ATOM_HIFI2_PLATFORM_ACPI uses "default ACPI" so that "make +oldnoconfig" and "make olddefconfig" still work as expected. + +Also remove mentions of Medfield while we are at it since it was +removed recently. + +Reported-by: Arnd Bergmann +Fixes: 4772c16ede52 ("ASoC: Intel: Kconfig: Simplify-clarify ACPI/PCI +dependencies") +Signed-off-by: Pierre-Louis Bossart +Reviewed-by: Andy Shevchenko +Acked-By: Vinod Koul +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/intel/Kconfig | 22 +++++++++++++--------- + 1 file changed, 13 insertions(+), 9 deletions(-) + +--- a/sound/soc/intel/Kconfig ++++ b/sound/soc/intel/Kconfig +@@ -72,24 +72,28 @@ config SND_SOC_INTEL_BAYTRAIL + for Baytrail Chromebooks but this option is now deprecated and is + not recommended, use SND_SST_ATOM_HIFI2_PLATFORM instead. + ++config SND_SST_ATOM_HIFI2_PLATFORM ++ tristate ++ select SND_SOC_COMPRESS ++ + config SND_SST_ATOM_HIFI2_PLATFORM_PCI +- tristate "PCI HiFi2 (Medfield, Merrifield) Platforms" ++ tristate "PCI HiFi2 (Merrifield) Platforms" + depends on X86 && PCI + select SND_SST_IPC_PCI +- select SND_SOC_COMPRESS ++ select SND_SST_ATOM_HIFI2_PLATFORM + help +- If you have a Intel Medfield or Merrifield/Edison platform, then ++ If you have a Intel Merrifield/Edison platform, then + enable this option by saying Y or m. Distros will typically not +- enable this option: Medfield devices are not available to +- developers and while Merrifield/Edison can run a mainline kernel with +- limited functionality it will require a firmware file which +- is not in the standard firmware tree ++ enable this option: while Merrifield/Edison can run a mainline ++ kernel with limited functionality it will require a firmware file ++ which is not in the standard firmware tree + +-config SND_SST_ATOM_HIFI2_PLATFORM ++config SND_SST_ATOM_HIFI2_PLATFORM_ACPI + tristate "ACPI HiFi2 (Baytrail, Cherrytrail) Platforms" ++ default ACPI + depends on X86 && ACPI + select SND_SST_IPC_ACPI +- select SND_SOC_COMPRESS ++ select SND_SST_ATOM_HIFI2_PLATFORM + select SND_SOC_ACPI_INTEL_MATCH + select IOSF_MBI + help diff --git a/queue-4.16/asoc-msm8916-wcd-analog-use-threaded-context-for-mbhc-events.patch b/queue-4.16/asoc-msm8916-wcd-analog-use-threaded-context-for-mbhc-events.patch new file mode 100644 index 00000000000..223d7a3ba57 --- /dev/null +++ b/queue-4.16/asoc-msm8916-wcd-analog-use-threaded-context-for-mbhc-events.patch @@ -0,0 +1,54 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Srinivas Kandagatla +Date: Wed, 18 Apr 2018 18:46:37 +0100 +Subject: ASoC: msm8916-wcd-analog: use threaded context for mbhc events + +From: Srinivas Kandagatla + +[ Upstream commit a8419a0cd98ddf628a9e38a92110af7cc650dde7 ] + +As snd_soc_jack_report() can sleep, move handling of mbhc events to a +thread context rather than in interrupt context. + +Fixes: de66b3455023 ('ASoC: codecs: msm8916-wcd-analog: add MBHC support') +Reported-by: Bjorn Andersson +Signed-off-by: Srinivas Kandagatla +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/msm8916-wcd-analog.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/sound/soc/codecs/msm8916-wcd-analog.c ++++ b/sound/soc/codecs/msm8916-wcd-analog.c +@@ -1185,7 +1185,8 @@ static int pm8916_wcd_analog_spmi_probe( + return irq; + } + +- ret = devm_request_irq(dev, irq, pm8916_mbhc_switch_irq_handler, ++ ret = devm_request_threaded_irq(dev, irq, NULL, ++ pm8916_mbhc_switch_irq_handler, + IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING | + IRQF_ONESHOT, + "mbhc switch irq", priv); +@@ -1199,7 +1200,8 @@ static int pm8916_wcd_analog_spmi_probe( + return irq; + } + +- ret = devm_request_irq(dev, irq, mbhc_btn_press_irq_handler, ++ ret = devm_request_threaded_irq(dev, irq, NULL, ++ mbhc_btn_press_irq_handler, + IRQF_TRIGGER_RISING | + IRQF_TRIGGER_FALLING | IRQF_ONESHOT, + "mbhc btn press irq", priv); +@@ -1212,7 +1214,8 @@ static int pm8916_wcd_analog_spmi_probe( + return irq; + } + +- ret = devm_request_irq(dev, irq, mbhc_btn_release_irq_handler, ++ ret = devm_request_threaded_irq(dev, irq, NULL, ++ mbhc_btn_release_irq_handler, + IRQF_TRIGGER_RISING | + IRQF_TRIGGER_FALLING | IRQF_ONESHOT, + "mbhc btn release irq", priv); diff --git a/queue-4.16/asoc-rt5514-add-the-missing-register-in-the-readable-table.patch b/queue-4.16/asoc-rt5514-add-the-missing-register-in-the-readable-table.patch new file mode 100644 index 00000000000..854b0eb2886 --- /dev/null +++ b/queue-4.16/asoc-rt5514-add-the-missing-register-in-the-readable-table.patch @@ -0,0 +1,45 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: "oder_chiou@realtek.com" +Date: Fri, 30 Mar 2018 15:41:55 +0800 +Subject: ASoC: rt5514: Add the missing register in the readable table + +From: "oder_chiou@realtek.com" + +[ Upstream commit 5ef5ac8de125fe6b4b23293bee026ca7ea1529b9 ] + +The patch adds the missing register in the readable table. + +Signed-off-by: Oder Chiou +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/rt5514.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/sound/soc/codecs/rt5514.c ++++ b/sound/soc/codecs/rt5514.c +@@ -89,6 +89,7 @@ static const struct reg_default rt5514_r + {RT5514_PLL3_CALIB_CTRL5, 0x40220012}, + {RT5514_DELAY_BUF_CTRL1, 0x7fff006a}, + {RT5514_DELAY_BUF_CTRL3, 0x00000000}, ++ {RT5514_ASRC_IN_CTRL1, 0x00000003}, + {RT5514_DOWNFILTER0_CTRL1, 0x00020c2f}, + {RT5514_DOWNFILTER0_CTRL2, 0x00020c2f}, + {RT5514_DOWNFILTER0_CTRL3, 0x10000362}, +@@ -181,6 +182,7 @@ static bool rt5514_readable_register(str + case RT5514_PLL3_CALIB_CTRL5: + case RT5514_DELAY_BUF_CTRL1: + case RT5514_DELAY_BUF_CTRL3: ++ case RT5514_ASRC_IN_CTRL1: + case RT5514_DOWNFILTER0_CTRL1: + case RT5514_DOWNFILTER0_CTRL2: + case RT5514_DOWNFILTER0_CTRL3: +@@ -238,6 +240,7 @@ static bool rt5514_i2c_readable_register + case RT5514_DSP_MAPPING | RT5514_PLL3_CALIB_CTRL5: + case RT5514_DSP_MAPPING | RT5514_DELAY_BUF_CTRL1: + case RT5514_DSP_MAPPING | RT5514_DELAY_BUF_CTRL3: ++ case RT5514_DSP_MAPPING | RT5514_ASRC_IN_CTRL1: + case RT5514_DSP_MAPPING | RT5514_DOWNFILTER0_CTRL1: + case RT5514_DSP_MAPPING | RT5514_DOWNFILTER0_CTRL2: + case RT5514_DSP_MAPPING | RT5514_DOWNFILTER0_CTRL3: diff --git a/queue-4.16/asoc-topology-check-widget-kcontrols-before-deref.patch b/queue-4.16/asoc-topology-check-widget-kcontrols-before-deref.patch new file mode 100644 index 00000000000..0dcc3d45d91 --- /dev/null +++ b/queue-4.16/asoc-topology-check-widget-kcontrols-before-deref.patch @@ -0,0 +1,39 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Liam Girdwood +Date: Tue, 27 Mar 2018 14:30:44 +0100 +Subject: ASoC: topology: Check widget kcontrols before deref. + +From: Liam Girdwood + +[ Upstream commit 05bdcf12905533b8628627b6634608cd3b57c607 ] + +Validate the topology input before we dereference the pointer. + +Signed-off-by: Liam Girdwood +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/soc-topology.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/soc/soc-topology.c ++++ b/sound/soc/soc-topology.c +@@ -510,7 +510,7 @@ static void remove_widget(struct snd_soc + */ + if (dobj->widget.kcontrol_type == SND_SOC_TPLG_TYPE_ENUM) { + /* enumerated widget mixer */ +- for (i = 0; i < w->num_kcontrols; i++) { ++ for (i = 0; w->kcontrols != NULL && i < w->num_kcontrols; i++) { + struct snd_kcontrol *kcontrol = w->kcontrols[i]; + struct soc_enum *se = + (struct soc_enum *)kcontrol->private_value; +@@ -528,7 +528,7 @@ static void remove_widget(struct snd_soc + kfree(w->kcontrol_news); + } else { + /* volume mixer or bytes controls */ +- for (i = 0; i < w->num_kcontrols; i++) { ++ for (i = 0; w->kcontrols != NULL && i < w->num_kcontrols; i++) { + struct snd_kcontrol *kcontrol = w->kcontrols[i]; + + if (dobj->widget.kcontrol_type diff --git a/queue-4.16/asoc-topology-fix-bugs-of-freeing-soc-topology.patch b/queue-4.16/asoc-topology-fix-bugs-of-freeing-soc-topology.patch new file mode 100644 index 00000000000..ae250450064 --- /dev/null +++ b/queue-4.16/asoc-topology-fix-bugs-of-freeing-soc-topology.patch @@ -0,0 +1,33 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Yan Wang +Date: Mon, 26 Mar 2018 16:48:00 +0100 +Subject: ASoC: topology: Fix bugs of freeing soc topology + +From: Yan Wang + +[ Upstream commit feb12f0cd8d7b1e8df2e6fce19fc9a026a468cc2 ] + +In snd_soc_tplg_component_remove(), it should compare index and +not dobj->index with SND_SOC_TPLG_INDEX_ALL for removing all +topology objects. + +Signed-off-by: Yan Wang +Signed-off-by: Liam Girdwood +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/soc-topology.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/soc-topology.c ++++ b/sound/soc/soc-topology.c +@@ -2571,7 +2571,7 @@ int snd_soc_tplg_component_remove(struct + + /* match index */ + if (dobj->index != index && +- dobj->index != SND_SOC_TPLG_INDEX_ALL) ++ index != SND_SOC_TPLG_INDEX_ALL) + continue; + + switch (dobj->type) { diff --git a/queue-4.16/ata-ahci-mvebu-override-ahci_stop_engine-for-mvebu-ahci.patch b/queue-4.16/ata-ahci-mvebu-override-ahci_stop_engine-for-mvebu-ahci.patch new file mode 100644 index 00000000000..09b3a31c8bd --- /dev/null +++ b/queue-4.16/ata-ahci-mvebu-override-ahci_stop_engine-for-mvebu-ahci.patch @@ -0,0 +1,113 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Evan Wang +Date: Fri, 13 Apr 2018 12:32:31 +0800 +Subject: ata: ahci: mvebu: override ahci_stop_engine for mvebu AHCI + +From: Evan Wang + +[ Upstream commit daa2e3bdbb0b3e691cf20a042350817310cb8cb5 ] + +There is an issue(Errata Ref#226) that the SATA can not be +detected via SATA Port-MultiPlayer(PMP) with following +error log: + ata1.15: PMP product ID mismatch + ata1.15: SATA link up 6.0 Gbps (SStatus 133 SControl 300) + ata1.15: Port Multiplier vendor mismatch '0x1b4b'!='0x0' + ata1.15: PMP revalidation failed (errno=-19) + +After debugging, the reason is found that the value Port-x +FIS-based Switching Control(PxFBS@0x40) become wrong. +According to design, the bits[11:8, 0] of register PxFBS +are cleared when Port Command and Status (0x18) bit[0] +changes its value from 1 to 0, i.e. falling edge of Port +Command and Status bit[0] sends PULSE that resets PxFBS +bits[11:8; 0]. +So it needs a mvebu SATA WA to save the port PxFBS register +before PxCMD ST write and restore it afterwards. + +This patch implements the WA in a separate function of +ahci_mvebu_stop_engine to override ahci_stop_gngine. + +Signed-off-by: Evan Wang +Cc: Ofer Heifetz +Cc: Tejun Heo +Cc: Thomas Petazzoni +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/ahci_mvebu.c | 56 +++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 56 insertions(+) + +--- a/drivers/ata/ahci_mvebu.c ++++ b/drivers/ata/ahci_mvebu.c +@@ -62,6 +62,60 @@ static void ahci_mvebu_regret_option(str + writel(0x80, hpriv->mmio + AHCI_VENDOR_SPECIFIC_0_DATA); + } + ++/** ++ * ahci_mvebu_stop_engine ++ * ++ * @ap: Target ata port ++ * ++ * Errata Ref#226 - SATA Disk HOT swap issue when connected through ++ * Port Multiplier in FIS-based Switching mode. ++ * ++ * To avoid the issue, according to design, the bits[11:8, 0] of ++ * register PxFBS are cleared when Port Command and Status (0x18) bit[0] ++ * changes its value from 1 to 0, i.e. falling edge of Port ++ * Command and Status bit[0] sends PULSE that resets PxFBS ++ * bits[11:8; 0]. ++ * ++ * This function is used to override function of "ahci_stop_engine" ++ * from libahci.c by adding the mvebu work around(WA) to save PxFBS ++ * value before the PxCMD ST write of 0, then restore PxFBS value. ++ * ++ * Return: 0 on success; Error code otherwise. ++ */ ++int ahci_mvebu_stop_engine(struct ata_port *ap) ++{ ++ void __iomem *port_mmio = ahci_port_base(ap); ++ u32 tmp, port_fbs; ++ ++ tmp = readl(port_mmio + PORT_CMD); ++ ++ /* check if the HBA is idle */ ++ if ((tmp & (PORT_CMD_START | PORT_CMD_LIST_ON)) == 0) ++ return 0; ++ ++ /* save the port PxFBS register for later restore */ ++ port_fbs = readl(port_mmio + PORT_FBS); ++ ++ /* setting HBA to idle */ ++ tmp &= ~PORT_CMD_START; ++ writel(tmp, port_mmio + PORT_CMD); ++ ++ /* ++ * bit #15 PxCMD signal doesn't clear PxFBS, ++ * restore the PxFBS register right after clearing the PxCMD ST, ++ * no need to wait for the PxCMD bit #15. ++ */ ++ writel(port_fbs, port_mmio + PORT_FBS); ++ ++ /* wait for engine to stop. This could be as long as 500 msec */ ++ tmp = ata_wait_register(ap, port_mmio + PORT_CMD, ++ PORT_CMD_LIST_ON, PORT_CMD_LIST_ON, 1, 500); ++ if (tmp & PORT_CMD_LIST_ON) ++ return -EIO; ++ ++ return 0; ++} ++ + #ifdef CONFIG_PM_SLEEP + static int ahci_mvebu_suspend(struct platform_device *pdev, pm_message_t state) + { +@@ -112,6 +166,8 @@ static int ahci_mvebu_probe(struct platf + if (rc) + return rc; + ++ hpriv->stop_engine = ahci_mvebu_stop_engine; ++ + if (of_device_is_compatible(pdev->dev.of_node, + "marvell,armada-380-ahci")) { + dram = mv_mbus_dram_info(); diff --git a/queue-4.16/blk-mq-fix-sysfs-inflight-counter.patch b/queue-4.16/blk-mq-fix-sysfs-inflight-counter.patch new file mode 100644 index 00000000000..d86357370e0 --- /dev/null +++ b/queue-4.16/blk-mq-fix-sysfs-inflight-counter.patch @@ -0,0 +1,123 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Omar Sandoval +Date: Thu, 26 Apr 2018 00:21:59 -0700 +Subject: blk-mq: fix sysfs inflight counter + +From: Omar Sandoval + +[ Upstream commit bf0ddaba65ddbb2715af97041da8e7a45b2d8628 ] + +When the blk-mq inflight implementation was added, /proc/diskstats was +converted to use it, but /sys/block/$dev/inflight was not. Fix it by +adding another helper to count in-flight requests by data direction. + +Fixes: f299b7c7a9de ("blk-mq: provide internal in-flight variant") +Signed-off-by: Omar Sandoval +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-mq.c | 19 +++++++++++++++++++ + block/blk-mq.h | 4 +++- + block/genhd.c | 12 ++++++++++++ + block/partition-generic.c | 10 ++++++---- + include/linux/genhd.h | 4 +++- + 5 files changed, 43 insertions(+), 6 deletions(-) + +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -118,6 +118,25 @@ void blk_mq_in_flight(struct request_que + blk_mq_queue_tag_busy_iter(q, blk_mq_check_inflight, &mi); + } + ++static void blk_mq_check_inflight_rw(struct blk_mq_hw_ctx *hctx, ++ struct request *rq, void *priv, ++ bool reserved) ++{ ++ struct mq_inflight *mi = priv; ++ ++ if (rq->part == mi->part) ++ mi->inflight[rq_data_dir(rq)]++; ++} ++ ++void blk_mq_in_flight_rw(struct request_queue *q, struct hd_struct *part, ++ unsigned int inflight[2]) ++{ ++ struct mq_inflight mi = { .part = part, .inflight = inflight, }; ++ ++ inflight[0] = inflight[1] = 0; ++ blk_mq_queue_tag_busy_iter(q, blk_mq_check_inflight_rw, &mi); ++} ++ + void blk_freeze_queue_start(struct request_queue *q) + { + int freeze_depth; +--- a/block/blk-mq.h ++++ b/block/blk-mq.h +@@ -185,7 +185,9 @@ static inline bool blk_mq_hw_queue_mappe + } + + void blk_mq_in_flight(struct request_queue *q, struct hd_struct *part, +- unsigned int inflight[2]); ++ unsigned int inflight[2]); ++void blk_mq_in_flight_rw(struct request_queue *q, struct hd_struct *part, ++ unsigned int inflight[2]); + + static inline void blk_mq_put_dispatch_budget(struct blk_mq_hw_ctx *hctx) + { +--- a/block/genhd.c ++++ b/block/genhd.c +@@ -82,6 +82,18 @@ void part_in_flight(struct request_queue + } + } + ++void part_in_flight_rw(struct request_queue *q, struct hd_struct *part, ++ unsigned int inflight[2]) ++{ ++ if (q->mq_ops) { ++ blk_mq_in_flight_rw(q, part, inflight); ++ return; ++ } ++ ++ inflight[0] = atomic_read(&part->in_flight[0]); ++ inflight[1] = atomic_read(&part->in_flight[1]); ++} ++ + struct hd_struct *__disk_get_part(struct gendisk *disk, int partno) + { + struct disk_part_tbl *ptbl = rcu_dereference(disk->part_tbl); +--- a/block/partition-generic.c ++++ b/block/partition-generic.c +@@ -145,13 +145,15 @@ ssize_t part_stat_show(struct device *de + jiffies_to_msecs(part_stat_read(p, time_in_queue))); + } + +-ssize_t part_inflight_show(struct device *dev, +- struct device_attribute *attr, char *buf) ++ssize_t part_inflight_show(struct device *dev, struct device_attribute *attr, ++ char *buf) + { + struct hd_struct *p = dev_to_part(dev); ++ struct request_queue *q = part_to_disk(p)->queue; ++ unsigned int inflight[2]; + +- return sprintf(buf, "%8u %8u\n", atomic_read(&p->in_flight[0]), +- atomic_read(&p->in_flight[1])); ++ part_in_flight_rw(q, p, inflight); ++ return sprintf(buf, "%8u %8u\n", inflight[0], inflight[1]); + } + + #ifdef CONFIG_FAIL_MAKE_REQUEST +--- a/include/linux/genhd.h ++++ b/include/linux/genhd.h +@@ -368,7 +368,9 @@ static inline void free_part_stats(struc + part_stat_add(cpu, gendiskp, field, -subnd) + + void part_in_flight(struct request_queue *q, struct hd_struct *part, +- unsigned int inflight[2]); ++ unsigned int inflight[2]); ++void part_in_flight_rw(struct request_queue *q, struct hd_struct *part, ++ unsigned int inflight[2]); + void part_dec_in_flight(struct request_queue *q, struct hd_struct *part, + int rw); + void part_inc_in_flight(struct request_queue *q, struct hd_struct *part, diff --git a/queue-4.16/blkcg-don-t-hold-blkcg-lock-when-deactivating-policy.patch b/queue-4.16/blkcg-don-t-hold-blkcg-lock-when-deactivating-policy.patch new file mode 100644 index 00000000000..da1bc85c30d --- /dev/null +++ b/queue-4.16/blkcg-don-t-hold-blkcg-lock-when-deactivating-policy.patch @@ -0,0 +1,48 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Jiang Biao +Date: Wed, 18 Apr 2018 08:37:18 -0600 +Subject: blkcg: don't hold blkcg lock when deactivating policy + +From: Jiang Biao + +[ Upstream commit 946b81da114b8ba5c74bb01e57c0c6eca2bdc801 ] + +As described in the comment of blkcg_activate_policy(), +*Update of each blkg is protected by both queue and blkcg locks so +that holding either lock and testing blkcg_policy_enabled() is +always enough for dereferencing policy data.* +with queue lock held, there is no need to hold blkcg lock in +blkcg_deactivate_policy(). Similar case is in +blkcg_activate_policy(), which has removed holding of blkcg lock in +commit 4c55f4f9ad3001ac1fefdd8d8ca7641d18558e23. + +Signed-off-by: Jiang Biao +Signed-off-by: Wen Yang +CC: Tejun Heo +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-cgroup.c | 5 ----- + 1 file changed, 5 deletions(-) + +--- a/block/blk-cgroup.c ++++ b/block/blk-cgroup.c +@@ -1367,17 +1367,12 @@ void blkcg_deactivate_policy(struct requ + __clear_bit(pol->plid, q->blkcg_pols); + + list_for_each_entry(blkg, &q->blkg_list, q_node) { +- /* grab blkcg lock too while removing @pd from @blkg */ +- spin_lock(&blkg->blkcg->lock); +- + if (blkg->pd[pol->plid]) { + if (pol->pd_offline_fn) + pol->pd_offline_fn(blkg->pd[pol->plid]); + pol->pd_free_fn(blkg->pd[pol->plid]); + blkg->pd[pol->plid] = NULL; + } +- +- spin_unlock(&blkg->blkcg->lock); + } + + spin_unlock_irq(q->queue_lock); diff --git a/queue-4.16/blkcg-init-root-blkcg_gq-under-lock.patch b/queue-4.16/blkcg-init-root-blkcg_gq-under-lock.patch new file mode 100644 index 00000000000..1e3c2635be9 --- /dev/null +++ b/queue-4.16/blkcg-init-root-blkcg_gq-under-lock.patch @@ -0,0 +1,65 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Jiang Biao +Date: Thu, 19 Apr 2018 12:06:09 +0800 +Subject: blkcg: init root blkcg_gq under lock + +From: Jiang Biao + +[ Upstream commit 901932a3f9b2b80352896be946c6d577c0a9652c ] + +The initializing of q->root_blkg is currently outside of queue lock +and rcu, so the blkg may be destroied before the initializing, which +may cause dangling/null references. On the other side, the destroys +of blkg are protected by queue lock or rcu. Put the initializing +inside the queue lock and rcu to make it safer. + +Signed-off-by: Jiang Biao +Signed-off-by: Wen Yang +CC: Tejun Heo +CC: Jens Axboe +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-cgroup.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +--- a/block/blk-cgroup.c ++++ b/block/blk-cgroup.c +@@ -1142,18 +1142,16 @@ int blkcg_init_queue(struct request_queu + rcu_read_lock(); + spin_lock_irq(q->queue_lock); + blkg = blkg_create(&blkcg_root, q, new_blkg); ++ if (IS_ERR(blkg)) ++ goto err_unlock; ++ q->root_blkg = blkg; ++ q->root_rl.blkg = blkg; + spin_unlock_irq(q->queue_lock); + rcu_read_unlock(); + + if (preloaded) + radix_tree_preload_end(); + +- if (IS_ERR(blkg)) +- return PTR_ERR(blkg); +- +- q->root_blkg = blkg; +- q->root_rl.blkg = blkg; +- + ret = blk_throtl_init(q); + if (ret) { + spin_lock_irq(q->queue_lock); +@@ -1161,6 +1159,13 @@ int blkcg_init_queue(struct request_queu + spin_unlock_irq(q->queue_lock); + } + return ret; ++ ++err_unlock: ++ spin_unlock_irq(q->queue_lock); ++ rcu_read_unlock(); ++ if (preloaded) ++ radix_tree_preload_end(); ++ return PTR_ERR(blkg); + } + + /** diff --git a/queue-4.16/bpf-fix-possible-spectre-v1-in-find_and_alloc_map.patch b/queue-4.16/bpf-fix-possible-spectre-v1-in-find_and_alloc_map.patch new file mode 100644 index 00000000000..563d481f7fb --- /dev/null +++ b/queue-4.16/bpf-fix-possible-spectre-v1-in-find_and_alloc_map.patch @@ -0,0 +1,65 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Mark Rutland +Date: Thu, 3 May 2018 17:04:59 +0100 +Subject: bpf: fix possible spectre-v1 in find_and_alloc_map() + +From: Mark Rutland + +[ Upstream commit 9ef09e35e521bf0df5325cc9cffa726a8f5f3c1b ] + +It's possible for userspace to control attr->map_type. Sanitize it when +using it as an array index to prevent an out-of-bounds value being used +under speculation. + +Found by smatch. + +Signed-off-by: Mark Rutland +Cc: Alexei Starovoitov +Cc: Dan Carpenter +Cc: Daniel Borkmann +Cc: Peter Zijlstra +Cc: netdev@vger.kernel.org +Acked-by: David S. Miller +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/syscall.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/kernel/bpf/syscall.c ++++ b/kernel/bpf/syscall.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + + #define IS_FD_ARRAY(map) ((map)->map_type == BPF_MAP_TYPE_PROG_ARRAY || \ + (map)->map_type == BPF_MAP_TYPE_PERF_EVENT_ARRAY || \ +@@ -102,12 +103,14 @@ const struct bpf_map_ops bpf_map_offload + static struct bpf_map *find_and_alloc_map(union bpf_attr *attr) + { + const struct bpf_map_ops *ops; ++ u32 type = attr->map_type; + struct bpf_map *map; + int err; + +- if (attr->map_type >= ARRAY_SIZE(bpf_map_types)) ++ if (type >= ARRAY_SIZE(bpf_map_types)) + return ERR_PTR(-EINVAL); +- ops = bpf_map_types[attr->map_type]; ++ type = array_index_nospec(type, ARRAY_SIZE(bpf_map_types)); ++ ops = bpf_map_types[type]; + if (!ops) + return ERR_PTR(-EINVAL); + +@@ -122,7 +125,7 @@ static struct bpf_map *find_and_alloc_ma + if (IS_ERR(map)) + return map; + map->ops = ops; +- map->map_type = attr->map_type; ++ map->map_type = type; + return map; + } + diff --git a/queue-4.16/bpf-fix-uninitialized-variable-in-bpf-tools.patch b/queue-4.16/bpf-fix-uninitialized-variable-in-bpf-tools.patch new file mode 100644 index 00000000000..f09ebc2d1ef --- /dev/null +++ b/queue-4.16/bpf-fix-uninitialized-variable-in-bpf-tools.patch @@ -0,0 +1,54 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: John Fastabend +Date: Wed, 25 Apr 2018 15:08:53 -0700 +Subject: bpf: fix uninitialized variable in bpf tools + +From: John Fastabend + +[ Upstream commit 815425567dea6c54494e85050631d6bdda907c5d ] + +Here the variable cont is used as the saved_pointer for a call to +strtok_r(). It is safe to use the value uninitialized in this +context however and the later reference is only ever used if +the strtok_r is successful. But, 'gcc-5' at least doesn't have all +this knowledge so initialize cont to NULL. Additionally, do the +natural NULL check before accessing just for completness. + +The warning is the following: + +./bpf/tools/bpf/bpf_dbg.c: In function ‘cmd_load’: +./bpf/tools/bpf/bpf_dbg.c:1077:13: warning: ‘cont’ may be used uninitialized in this function [-Wmaybe-uninitialized] + } else if (matches(subcmd, "pcap") == 0) { + +Fixes: fd981e3c321a "filter: bpf_dbg: add minimal bpf debugger" +Signed-off-by: John Fastabend +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/bpf/bpf_dbg.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/tools/bpf/bpf_dbg.c ++++ b/tools/bpf/bpf_dbg.c +@@ -1063,7 +1063,7 @@ static int cmd_load_pcap(char *file) + + static int cmd_load(char *arg) + { +- char *subcmd, *cont, *tmp = strdup(arg); ++ char *subcmd, *cont = NULL, *tmp = strdup(arg); + int ret = CMD_OK; + + subcmd = strtok_r(tmp, " ", &cont); +@@ -1073,7 +1073,10 @@ static int cmd_load(char *arg) + bpf_reset(); + bpf_reset_breakpoints(); + +- ret = cmd_load_bpf(cont); ++ if (!cont) ++ ret = CMD_ERR; ++ else ++ ret = cmd_load_bpf(cont); + } else if (matches(subcmd, "pcap") == 0) { + ret = cmd_load_pcap(cont); + } else { diff --git a/queue-4.16/bpf-use-array_index_nospec-in-find_prog_type.patch b/queue-4.16/bpf-use-array_index_nospec-in-find_prog_type.patch new file mode 100644 index 00000000000..c2916863f1c --- /dev/null +++ b/queue-4.16/bpf-use-array_index_nospec-in-find_prog_type.patch @@ -0,0 +1,46 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Daniel Borkmann +Date: Fri, 4 May 2018 02:13:57 +0200 +Subject: bpf: use array_index_nospec in find_prog_type + +From: Daniel Borkmann + +[ Upstream commit d0f1a451e33d9ca834422622da30aa68daade56b ] + +Commit 9ef09e35e521 ("bpf: fix possible spectre-v1 in find_and_alloc_map()") +converted find_and_alloc_map() over to use array_index_nospec() to sanitize +map type that user space passes on map creation, and this patch does an +analogous conversion for progs in find_prog_type() as it's also passed from +user space when loading progs as attr->prog_type. + +Signed-off-by: Daniel Borkmann +Cc: Mark Rutland +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/syscall.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/kernel/bpf/syscall.c ++++ b/kernel/bpf/syscall.c +@@ -872,11 +872,17 @@ static const struct bpf_prog_ops * const + + static int find_prog_type(enum bpf_prog_type type, struct bpf_prog *prog) + { +- if (type >= ARRAY_SIZE(bpf_prog_types) || !bpf_prog_types[type]) ++ const struct bpf_prog_ops *ops; ++ ++ if (type >= ARRAY_SIZE(bpf_prog_types)) ++ return -EINVAL; ++ type = array_index_nospec(type, ARRAY_SIZE(bpf_prog_types)); ++ ops = bpf_prog_types[type]; ++ if (!ops) + return -EINVAL; + + if (!bpf_prog_is_dev_bound(prog->aux)) +- prog->aux->ops = bpf_prog_types[type]; ++ prog->aux->ops = ops; + else + prog->aux->ops = &bpf_offload_prog_ops; + prog->type = type; diff --git a/queue-4.16/bpf-x64-fix-jit-emission-for-dead-code.patch b/queue-4.16/bpf-x64-fix-jit-emission-for-dead-code.patch new file mode 100644 index 00000000000..0ba8c95a304 --- /dev/null +++ b/queue-4.16/bpf-x64-fix-jit-emission-for-dead-code.patch @@ -0,0 +1,93 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Gianluca Borello +Date: Wed, 25 Apr 2018 05:42:16 +0000 +Subject: bpf, x64: fix JIT emission for dead code + +From: Gianluca Borello + +[ Upstream commit 1612a981b76688c598dc944bbfbe29a2b33e3973 ] + +Commit 2a5418a13fcf ("bpf: improve dead code sanitizing") replaced dead +code with a series of ja-1 instructions, for safety. That made JIT +compilation much more complex for some BPF programs. One instance of such +programs is, for example: + +bool flag = false +... +/* A bunch of other code */ +... +if (flag) + do_something() + +In some cases llvm is not able to remove at compile time the code for +do_something(), so the generated BPF program ends up with a large amount +of dead instructions. In one specific real life example, there are two +series of ~500 and ~1000 dead instructions in the program. When the +verifier replaces them with a series of ja-1 instructions, it causes an +interesting behavior at JIT time. + +During the first pass, since all the instructions are estimated at 64 +bytes, the ja-1 instructions end up being translated as 5 bytes JMP +instructions (0xE9), since the jump offsets become increasingly large (> +127) as each instruction gets discovered to be 5 bytes instead of the +estimated 64. + +Starting from the second pass, the first N instructions of the ja-1 +sequence get translated into 2 bytes JMPs (0xEB) because the jump offsets +become <= 127 this time. In particular, N is defined as roughly 127 / (5 +- 2) ~= 42. So, each further pass will make the subsequent N JMP +instructions shrink from 5 to 2 bytes, making the image shrink every time. +This means that in order to have the entire program converge, there need +to be, in the real example above, at least ~1000 / 42 ~= 24 passes just +for translating the dead code. If we add this number to the passes needed +to translate the other non dead code, it brings such program to 40+ +passes, and JIT doesn't complete. Ultimately the userspace loader fails +because such BPF program was supposed to be part of a prog array owner +being JITed. + +While it is certainly possible to try to refactor such programs to help +the compiler remove dead code, the behavior is not really intuitive and it +puts further burden on the BPF developer who is not expecting such +behavior. To make things worse, such programs are working just fine in all +the kernel releases prior to the ja-1 fix. + +A possible approach to mitigate this behavior consists into noticing that +for ja-1 instructions we don't really need to rely on the estimated size +of the previous and current instructions, we know that a -1 BPF jump +offset can be safely translated into a 0xEB instruction with a jump offset +of -2. + +Such fix brings the BPF program in the previous example to complete again +in ~9 passes. + +Fixes: 2a5418a13fcf ("bpf: improve dead code sanitizing") +Signed-off-by: Gianluca Borello +Acked-by: Alexei Starovoitov +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/net/bpf_jit_comp.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/arch/x86/net/bpf_jit_comp.c ++++ b/arch/x86/net/bpf_jit_comp.c +@@ -992,7 +992,17 @@ emit_cond_jmp: /* convert BPF opcode to + break; + + case BPF_JMP | BPF_JA: +- jmp_offset = addrs[i + insn->off] - addrs[i]; ++ if (insn->off == -1) ++ /* -1 jmp instructions will always jump ++ * backwards two bytes. Explicitly handling ++ * this case avoids wasting too many passes ++ * when there are long sequences of replaced ++ * dead code. ++ */ ++ jmp_offset = -2; ++ else ++ jmp_offset = addrs[i + insn->off] - addrs[i]; ++ + if (!jmp_offset) + /* optimize out nop jumps */ + break; diff --git a/queue-4.16/bpf-x64-fix-memleak-when-not-converging-after-image.patch b/queue-4.16/bpf-x64-fix-memleak-when-not-converging-after-image.patch new file mode 100644 index 00000000000..45b9c73cca8 --- /dev/null +++ b/queue-4.16/bpf-x64-fix-memleak-when-not-converging-after-image.patch @@ -0,0 +1,48 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Daniel Borkmann +Date: Wed, 2 May 2018 20:12:22 +0200 +Subject: bpf, x64: fix memleak when not converging after image + +From: Daniel Borkmann + +[ Upstream commit 3aab8884c9eb99189a3569ac4e6b205371c9ac0b ] + +While reviewing x64 JIT code, I noticed that we leak the prior allocated +JIT image in the case where proglen != oldproglen during the JIT passes. +Prior to the commit e0ee9c12157d ("x86: bpf_jit: fix two bugs in eBPF JIT +compiler") we would just break out of the loop, and using the image as the +JITed prog since it could only shrink in size anyway. After e0ee9c12157d, +we would bail out to out_addrs label where we free addrs and jit_data but +not the image coming from bpf_jit_binary_alloc(). + +Fixes: e0ee9c12157d ("x86: bpf_jit: fix two bugs in eBPF JIT compiler") +Signed-off-by: Daniel Borkmann +Acked-by: Alexei Starovoitov +Acked-by: David S. Miller +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/net/bpf_jit_comp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/net/bpf_jit_comp.c ++++ b/arch/x86/net/bpf_jit_comp.c +@@ -1201,6 +1201,7 @@ skip_init_addrs: + for (pass = 0; pass < 20 || image; pass++) { + proglen = do_jit(prog, addrs, image, oldproglen, &ctx); + if (proglen <= 0) { ++out_image: + image = NULL; + if (header) + bpf_jit_binary_free(header); +@@ -1211,8 +1212,7 @@ skip_init_addrs: + if (proglen != oldproglen) { + pr_err("bpf_jit: proglen=%d != oldproglen=%d\n", + proglen, oldproglen); +- prog = orig_prog; +- goto out_addrs; ++ goto out_image; + } + break; + } diff --git a/queue-4.16/bpf-x64-fix-memleak-when-not-converging-on-calls.patch b/queue-4.16/bpf-x64-fix-memleak-when-not-converging-on-calls.patch new file mode 100644 index 00000000000..1ecab31bc04 --- /dev/null +++ b/queue-4.16/bpf-x64-fix-memleak-when-not-converging-on-calls.patch @@ -0,0 +1,48 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Daniel Borkmann +Date: Wed, 2 May 2018 20:12:23 +0200 +Subject: bpf, x64: fix memleak when not converging on calls + +From: Daniel Borkmann + +[ Upstream commit 39f56ca945af86112753646316c4c92dcd4acd82 ] + +The JIT logic in jit_subprogs() is as follows: for all subprogs we +allocate a bpf_prog_alloc(), populate it (prog->is_func = 1 here), +and pass it to bpf_int_jit_compile(). If a failure occurred during +JIT and prog->jited is not set, then we bail out from attempting to +JIT the whole program, and punt to the interpreter instead. In case +JITing went successful, we fixup BPF call offsets and do another +pass to bpf_int_jit_compile() (extra_pass is true at that point) to +complete JITing calls. Given that requires to pass JIT context around +addrs and jit_data from x86 JIT are freed in the extra_pass in +bpf_int_jit_compile() when calls are involved (if not, they can +be freed immediately). However, if in the original pass, the JIT +image didn't converge then we leak addrs and jit_data since image +itself is NULL, the prog->is_func is set and extra_pass is false +in that case, meaning both will become unreachable and are never +cleaned up, therefore we need to free as well on !image. Only x64 +JIT is affected. + +Fixes: 1c2a088a6626 ("bpf: x64: add JIT support for multi-function programs") +Signed-off-by: Daniel Borkmann +Acked-by: Alexei Starovoitov +Acked-by: David S. Miller +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/net/bpf_jit_comp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/net/bpf_jit_comp.c ++++ b/arch/x86/net/bpf_jit_comp.c +@@ -1249,7 +1249,7 @@ out_image: + prog = orig_prog; + } + +- if (!prog->is_func || extra_pass) { ++ if (!image || !prog->is_func || extra_pass) { + out_addrs: + kfree(addrs); + kfree(jit_data); diff --git a/queue-4.16/can-dev-increase-bus-off-message-severity.patch b/queue-4.16/can-dev-increase-bus-off-message-severity.patch new file mode 100644 index 00000000000..4ec221f7051 --- /dev/null +++ b/queue-4.16/can-dev-increase-bus-off-message-severity.patch @@ -0,0 +1,45 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Jakob Unterwurzacher +Date: Wed, 18 Apr 2018 16:10:03 +0200 +Subject: can: dev: increase bus-off message severity + +From: Jakob Unterwurzacher + +[ Upstream commit 71c23a821c6bcacba71a094efe49ee689605906b ] + +bus-off is usually caused by hardware malfunction or configuration error +(baud rate mismatch) and causes a complete loss of communication. + +Increase the "bus-off" message's severity from netdev_dbg() to +netdev_info() to make it visible to the user. + +A can interface going into bus-off is similar in severity to ethernet's +"Link is Down" message, which is also printed at info level. + +It is debatable whether the the "restarted" message should also be +changed to netdev_info() to make the interface state changes +comprehensible from the kernel log. I have chosen to keep the +"restarted" message at dbg for now as the "bus-off" message should be +enough for the user to notice and investigate the problem. + +Signed-off-by: Jakob Unterwurzacher +Cc: linux-can@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/can/dev.c ++++ b/drivers/net/can/dev.c +@@ -605,7 +605,7 @@ void can_bus_off(struct net_device *dev) + { + struct can_priv *priv = netdev_priv(dev); + +- netdev_dbg(dev, "bus-off\n"); ++ netdev_info(dev, "bus-off\n"); + + netif_carrier_off(dev); + diff --git a/queue-4.16/cifs-allocate-validate-negotiation-request-through-kmalloc.patch b/queue-4.16/cifs-allocate-validate-negotiation-request-through-kmalloc.patch new file mode 100644 index 00000000000..270b98f2a8b --- /dev/null +++ b/queue-4.16/cifs-allocate-validate-negotiation-request-through-kmalloc.patch @@ -0,0 +1,175 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Long Li +Date: Wed, 25 Apr 2018 11:30:04 -0700 +Subject: cifs: Allocate validate negotiation request through kmalloc + +From: Long Li + +[ Upstream commit 2796d303e3c5ec213c578ed3a66872205c126eb8 ] + +The data buffer allocated on the stack can't be DMA'ed, ib_dma_map_page will +return an invalid DMA address for a buffer on stack. Even worse, this +incorrect address can't be detected by ib_dma_mapping_error. Sending data +from this address to hardware will not fail, but the remote peer will get +junk data. + +Fix this by allocating the request on the heap in smb3_validate_negotiate. + +Changes in v2: +Removed duplicated code on freeing buffers on function exit. +(Thanks to Parav Pandit ) +Fixed typo in the patch title. + +Changes in v3: +Added "Fixes" to the patch. +Changed several sizeof() to use *pointer in place of struct. + +Changes in v4: +Added detailed comments on the failure through RDMA. +Allocate request buffer using GPF_NOFS. +Fixed possible memory leak. + +Changes in v5: +Removed variable ret for checking return value. +Changed to use pneg_inbuf->Dialects[0] to calculate unused space in pneg_inbuf. + +Fixes: ff1c038addc4 ("Check SMB3 dialects against downgrade attacks") +Signed-off-by: Long Li +Signed-off-by: Steve French +Reviewed-by: Ronnie Sahlberg +Reviewed-by: Tom Talpey +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/smb2pdu.c | 68 ++++++++++++++++++++++++++++++------------------------ + 1 file changed, 38 insertions(+), 30 deletions(-) + +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -621,8 +621,8 @@ neg_exit: + + int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon) + { +- int rc = 0; +- struct validate_negotiate_info_req vneg_inbuf; ++ int rc; ++ struct validate_negotiate_info_req *pneg_inbuf; + struct validate_negotiate_info_rsp *pneg_rsp = NULL; + u32 rsplen; + u32 inbuflen; /* max of 4 dialects */ +@@ -656,63 +656,69 @@ int smb3_validate_negotiate(const unsign + if (tcon->ses->session_flags & SMB2_SESSION_FLAG_IS_NULL) + cifs_dbg(VFS, "Unexpected null user (anonymous) auth flag sent by server\n"); + +- vneg_inbuf.Capabilities = ++ pneg_inbuf = kmalloc(sizeof(*pneg_inbuf), GFP_NOFS); ++ if (!pneg_inbuf) ++ return -ENOMEM; ++ ++ pneg_inbuf->Capabilities = + cpu_to_le32(tcon->ses->server->vals->req_capabilities); +- memcpy(vneg_inbuf.Guid, tcon->ses->server->client_guid, ++ memcpy(pneg_inbuf->Guid, tcon->ses->server->client_guid, + SMB2_CLIENT_GUID_SIZE); + + if (tcon->ses->sign) +- vneg_inbuf.SecurityMode = ++ pneg_inbuf->SecurityMode = + cpu_to_le16(SMB2_NEGOTIATE_SIGNING_REQUIRED); + else if (global_secflags & CIFSSEC_MAY_SIGN) +- vneg_inbuf.SecurityMode = ++ pneg_inbuf->SecurityMode = + cpu_to_le16(SMB2_NEGOTIATE_SIGNING_ENABLED); + else +- vneg_inbuf.SecurityMode = 0; ++ pneg_inbuf->SecurityMode = 0; + + + if (strcmp(tcon->ses->server->vals->version_string, + SMB3ANY_VERSION_STRING) == 0) { +- vneg_inbuf.Dialects[0] = cpu_to_le16(SMB30_PROT_ID); +- vneg_inbuf.Dialects[1] = cpu_to_le16(SMB302_PROT_ID); +- vneg_inbuf.DialectCount = cpu_to_le16(2); ++ pneg_inbuf->Dialects[0] = cpu_to_le16(SMB30_PROT_ID); ++ pneg_inbuf->Dialects[1] = cpu_to_le16(SMB302_PROT_ID); ++ pneg_inbuf->DialectCount = cpu_to_le16(2); + /* structure is big enough for 3 dialects, sending only 2 */ +- inbuflen = sizeof(struct validate_negotiate_info_req) - 2; ++ inbuflen = sizeof(*pneg_inbuf) - ++ sizeof(pneg_inbuf->Dialects[0]); + } else if (strcmp(tcon->ses->server->vals->version_string, + SMBDEFAULT_VERSION_STRING) == 0) { +- vneg_inbuf.Dialects[0] = cpu_to_le16(SMB21_PROT_ID); +- vneg_inbuf.Dialects[1] = cpu_to_le16(SMB30_PROT_ID); +- vneg_inbuf.Dialects[2] = cpu_to_le16(SMB302_PROT_ID); +- vneg_inbuf.DialectCount = cpu_to_le16(3); ++ pneg_inbuf->Dialects[0] = cpu_to_le16(SMB21_PROT_ID); ++ pneg_inbuf->Dialects[1] = cpu_to_le16(SMB30_PROT_ID); ++ pneg_inbuf->Dialects[2] = cpu_to_le16(SMB302_PROT_ID); ++ pneg_inbuf->DialectCount = cpu_to_le16(3); + /* structure is big enough for 3 dialects */ +- inbuflen = sizeof(struct validate_negotiate_info_req); ++ inbuflen = sizeof(*pneg_inbuf); + } else { + /* otherwise specific dialect was requested */ +- vneg_inbuf.Dialects[0] = ++ pneg_inbuf->Dialects[0] = + cpu_to_le16(tcon->ses->server->vals->protocol_id); +- vneg_inbuf.DialectCount = cpu_to_le16(1); ++ pneg_inbuf->DialectCount = cpu_to_le16(1); + /* structure is big enough for 3 dialects, sending only 1 */ +- inbuflen = sizeof(struct validate_negotiate_info_req) - 4; ++ inbuflen = sizeof(*pneg_inbuf) - ++ sizeof(pneg_inbuf->Dialects[0]) * 2; + } + + rc = SMB2_ioctl(xid, tcon, NO_FILE_ID, NO_FILE_ID, + FSCTL_VALIDATE_NEGOTIATE_INFO, true /* is_fsctl */, +- (char *)&vneg_inbuf, sizeof(struct validate_negotiate_info_req), +- (char **)&pneg_rsp, &rsplen); ++ (char *)pneg_inbuf, inbuflen, (char **)&pneg_rsp, &rsplen); + + if (rc != 0) { + cifs_dbg(VFS, "validate protocol negotiate failed: %d\n", rc); +- return -EIO; ++ rc = -EIO; ++ goto out_free_inbuf; + } + +- if (rsplen != sizeof(struct validate_negotiate_info_rsp)) { ++ rc = -EIO; ++ if (rsplen != sizeof(*pneg_rsp)) { + cifs_dbg(VFS, "invalid protocol negotiate response size: %d\n", + rsplen); + + /* relax check since Mac returns max bufsize allowed on ioctl */ +- if ((rsplen > CIFSMaxBufSize) +- || (rsplen < sizeof(struct validate_negotiate_info_rsp))) +- goto err_rsp_free; ++ if (rsplen > CIFSMaxBufSize || rsplen < sizeof(*pneg_rsp)) ++ goto out_free_rsp; + } + + /* check validate negotiate info response matches what we got earlier */ +@@ -729,15 +735,17 @@ int smb3_validate_negotiate(const unsign + goto vneg_out; + + /* validate negotiate successful */ ++ rc = 0; + cifs_dbg(FYI, "validate negotiate info successful\n"); +- kfree(pneg_rsp); +- return 0; ++ goto out_free_rsp; + + vneg_out: + cifs_dbg(VFS, "protocol revalidation - security settings mismatch\n"); +-err_rsp_free: ++out_free_rsp: + kfree(pneg_rsp); +- return -EIO; ++out_free_inbuf: ++ kfree(pneg_inbuf); ++ return rc; + } + + enum securityEnum diff --git a/queue-4.16/cifs-set-resp_buf_type-to-no_buffer-on-error.patch b/queue-4.16/cifs-set-resp_buf_type-to-no_buffer-on-error.patch new file mode 100644 index 00000000000..a3ff799f536 --- /dev/null +++ b/queue-4.16/cifs-set-resp_buf_type-to-no_buffer-on-error.patch @@ -0,0 +1,40 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Steve French +Date: Sun, 22 Apr 2018 10:24:19 -0500 +Subject: CIFS: set *resp_buf_type to NO_BUFFER on error + +From: Steve French + +[ Upstream commit 117e3b7fed552eba96ae0b3b92312fe8c5b0bfdd ] + +Dan Carpenter had pointed this out a while ago, but the code around +this had changed so wasn't causing any problems since that field +was not used in this error path. + +Still, it is cleaner to always initialize this field, so changing +the error path to set it. + +Reviewed-by: Ronnie Sahlberg +CC: Dan Carpenter +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/transport.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/fs/cifs/transport.c ++++ b/fs/cifs/transport.c +@@ -833,8 +833,11 @@ SendReceive2(const unsigned int xid, str + if (n_vec + 1 > CIFS_MAX_IOV_SIZE) { + new_iov = kmalloc(sizeof(struct kvec) * (n_vec + 1), + GFP_KERNEL); +- if (!new_iov) ++ if (!new_iov) { ++ /* otherwise cifs_send_recv below sets resp_buf_type */ ++ *resp_buf_type = CIFS_NO_BUFFER; + return -ENOMEM; ++ } + } else + new_iov = s_iov; + diff --git a/queue-4.16/cifs-smb2ops-fix-listxattr-when-there-are-no-eas.patch b/queue-4.16/cifs-smb2ops-fix-listxattr-when-there-are-no-eas.patch new file mode 100644 index 00000000000..30c02ae1a04 --- /dev/null +++ b/queue-4.16/cifs-smb2ops-fix-listxattr-when-there-are-no-eas.patch @@ -0,0 +1,52 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Paulo Alcantara +Date: Fri, 4 May 2018 11:25:26 -0300 +Subject: cifs: smb2ops: Fix listxattr() when there are no EAs + +From: Paulo Alcantara + +[ Upstream commit ae2cd7fb478b8da707906ee1706ae1379968a8f9 ] + +As per listxattr(2): + + On success, a nonnegative number is returned indicating the size + of the extended attribute name list. On failure, -1 is returned + and errno is set appropriately. + +In SMB1, when the server returns an empty EA list through a listxattr(), +it will correctly return 0 as there are no EAs for the given file. + +However, in SMB2+, it returns -ENODATA in listxattr() which is wrong since +the request and response were sent successfully, although there's no actual +EA for the given file. + +This patch fixes listxattr() for SMB2+ by returning 0 in cifs_listxattr() +when the server returns an empty list of EAs. + +Signed-off-by: Paulo Alcantara +Reviewed-by: Aurelien Aptel +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/smb2ops.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -589,9 +589,15 @@ smb2_query_eas(const unsigned int xid, s + + SMB2_close(xid, tcon, fid.persistent_fid, fid.volatile_fid); + ++ /* ++ * If ea_name is NULL (listxattr) and there are no EAs, return 0 as it's ++ * not an error. Otherwise, the specified ea_name was not found. ++ */ + if (!rc) + rc = move_smb2_ea_to_cifs(ea_data, buf_size, smb2_data, + SMB2_MAX_EA_BUF, ea_name); ++ else if (!ea_name && rc == -ENODATA) ++ rc = 0; + + kfree(smb2_data); + return rc; diff --git a/queue-4.16/cifs-smbd-depend-on-infiniband_addr_trans.patch b/queue-4.16/cifs-smbd-depend-on-infiniband_addr_trans.patch new file mode 100644 index 00000000000..e849765e266 --- /dev/null +++ b/queue-4.16/cifs-smbd-depend-on-infiniband_addr_trans.patch @@ -0,0 +1,34 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Greg Thelen +Date: Thu, 26 Apr 2018 11:19:33 -0700 +Subject: cifs: smbd: depend on INFINIBAND_ADDR_TRANS + +From: Greg Thelen + +[ Upstream commit 3c6b03d18df657d677808d7090b4d03bc6026efd ] + +CIFS_SMB_DIRECT code depends on INFINIBAND_ADDR_TRANS provided symbols. +So declare the kconfig dependency. This is necessary to allow for +enabling INFINIBAND without INFINIBAND_ADDR_TRANS. + +Signed-off-by: Greg Thelen +Cc: Tarick Bedeir +Reviewed-by: Long Li +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/cifs/Kconfig ++++ b/fs/cifs/Kconfig +@@ -198,7 +198,7 @@ config CIFS_SMB311 + + config CIFS_SMB_DIRECT + bool "SMB Direct support (Experimental)" +- depends on CIFS=m && INFINIBAND || CIFS=y && INFINIBAND=y ++ depends on CIFS=m && INFINIBAND && INFINIBAND_ADDR_TRANS || CIFS=y && INFINIBAND=y && INFINIBAND_ADDR_TRANS=y + help + Enables SMB Direct experimental support for SMB 3.0, 3.02 and 3.1.1. + SMB Direct allows transferring SMB packets over RDMA. If unsure, diff --git a/queue-4.16/clk-honor-clk_mux_round_closest-in-generic-clk-mux.patch b/queue-4.16/clk-honor-clk_mux_round_closest-in-generic-clk-mux.patch new file mode 100644 index 00000000000..c016b4f0d96 --- /dev/null +++ b/queue-4.16/clk-honor-clk_mux_round_closest-in-generic-clk-mux.patch @@ -0,0 +1,85 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Jerome Brunet +Date: Mon, 9 Apr 2018 15:59:20 +0200 +Subject: clk: honor CLK_MUX_ROUND_CLOSEST in generic clk mux + +From: Jerome Brunet + +[ Upstream commit 4ad69b80e886a845f56ce0a3d10211208693d92b ] + +CLK_MUX_ROUND_CLOSEST is part of the clk_mux documentation but clk_mux +directly calls __clk_mux_determine_rate(), which overrides the flag. +As result, if clk_mux is instantiated with CLK_MUX_ROUND_CLOSEST, the +flag will be ignored and the clock rounded down. + +To solve this, this patch expose clk_mux_determine_rate_flags() in the +clk-provider API and uses it in the determine_rate() callback of clk_mux. + +Fixes: 15a02c1f6dd7 ("clk: Add __clk_mux_determine_rate_closest") +Signed-off-by: Jerome Brunet +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/clk-mux.c | 10 +++++++++- + drivers/clk/clk.c | 7 ++++--- + include/linux/clk-provider.h | 3 +++ + 3 files changed, 16 insertions(+), 4 deletions(-) + +--- a/drivers/clk/clk-mux.c ++++ b/drivers/clk/clk-mux.c +@@ -101,10 +101,18 @@ static int clk_mux_set_parent(struct clk + return 0; + } + ++static int clk_mux_determine_rate(struct clk_hw *hw, ++ struct clk_rate_request *req) ++{ ++ struct clk_mux *mux = to_clk_mux(hw); ++ ++ return clk_mux_determine_rate_flags(hw, req, mux->flags); ++} ++ + const struct clk_ops clk_mux_ops = { + .get_parent = clk_mux_get_parent, + .set_parent = clk_mux_set_parent, +- .determine_rate = __clk_mux_determine_rate, ++ .determine_rate = clk_mux_determine_rate, + }; + EXPORT_SYMBOL_GPL(clk_mux_ops); + +--- a/drivers/clk/clk.c ++++ b/drivers/clk/clk.c +@@ -426,9 +426,9 @@ static bool mux_is_better_rate(unsigned + return now <= rate && now > best; + } + +-static int +-clk_mux_determine_rate_flags(struct clk_hw *hw, struct clk_rate_request *req, +- unsigned long flags) ++int clk_mux_determine_rate_flags(struct clk_hw *hw, ++ struct clk_rate_request *req, ++ unsigned long flags) + { + struct clk_core *core = hw->core, *parent, *best_parent = NULL; + int i, num_parents, ret; +@@ -488,6 +488,7 @@ out: + + return 0; + } ++EXPORT_SYMBOL_GPL(clk_mux_determine_rate_flags); + + struct clk *__clk_lookup(const char *name) + { +--- a/include/linux/clk-provider.h ++++ b/include/linux/clk-provider.h +@@ -755,6 +755,9 @@ int __clk_mux_determine_rate(struct clk_ + int __clk_determine_rate(struct clk_hw *core, struct clk_rate_request *req); + int __clk_mux_determine_rate_closest(struct clk_hw *hw, + struct clk_rate_request *req); ++int clk_mux_determine_rate_flags(struct clk_hw *hw, ++ struct clk_rate_request *req, ++ unsigned long flags); + void clk_hw_reparent(struct clk_hw *hw, struct clk_hw *new_parent); + void clk_hw_set_rate_range(struct clk_hw *hw, unsigned long min_rate, + unsigned long max_rate); diff --git a/queue-4.16/clk-imx6ull-use-osc-clock-during-axi-rate-change.patch b/queue-4.16/clk-imx6ull-use-osc-clock-during-axi-rate-change.patch new file mode 100644 index 00000000000..18c26e76f28 --- /dev/null +++ b/queue-4.16/clk-imx6ull-use-osc-clock-during-axi-rate-change.patch @@ -0,0 +1,35 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Stefan Agner +Date: Wed, 18 Apr 2018 14:49:08 +0200 +Subject: clk: imx6ull: use OSC clock during AXI rate change + +From: Stefan Agner + +[ Upstream commit 2e5be528ab0182ad4b42b9feea3b80f85f37179b ] + +On i.MX6 ULL using PLL3 seems to cause a freeze when setting +the parent to IMX6UL_CLK_PLL3_USB_OTG. This only seems to appear +since commit 6f9575e55632 ("clk: imx: Add CLK_IS_CRITICAL flag +for busy divider and busy mux"), probably because the clock is +now forced to be on. + +Fixes: 6f9575e55632("clk: imx: Add CLK_IS_CRITICAL flag for busy divider and busy mux") +Signed-off-by: Stefan Agner +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/imx/clk-imx6ul.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/clk/imx/clk-imx6ul.c ++++ b/drivers/clk/imx/clk-imx6ul.c +@@ -461,7 +461,7 @@ static void __init imx6ul_clocks_init(st + clk_set_rate(clks[IMX6UL_CLK_AHB], 99000000); + + /* Change periph_pre clock to pll2_bus to adjust AXI rate to 264MHz */ +- clk_set_parent(clks[IMX6UL_CLK_PERIPH_CLK2_SEL], clks[IMX6UL_CLK_PLL3_USB_OTG]); ++ clk_set_parent(clks[IMX6UL_CLK_PERIPH_CLK2_SEL], clks[IMX6UL_CLK_OSC]); + clk_set_parent(clks[IMX6UL_CLK_PERIPH], clks[IMX6UL_CLK_PERIPH_CLK2]); + clk_set_parent(clks[IMX6UL_CLK_PERIPH_PRE], clks[IMX6UL_CLK_PLL2_BUS]); + clk_set_parent(clks[IMX6UL_CLK_PERIPH], clks[IMX6UL_CLK_PERIPH_PRE]); diff --git a/queue-4.16/clocksource-drivers-imx-tpm-correct-some-registers-operation-flow.patch b/queue-4.16/clocksource-drivers-imx-tpm-correct-some-registers-operation-flow.patch new file mode 100644 index 00000000000..cc68baa502e --- /dev/null +++ b/queue-4.16/clocksource-drivers-imx-tpm-correct-some-registers-operation-flow.patch @@ -0,0 +1,54 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Anson Huang +Date: Wed, 28 Mar 2018 11:22:37 +0800 +Subject: clocksource/drivers/imx-tpm: Correct some registers operation flow + +From: Anson Huang + +[ Upstream commit 506a7be93ff773d5d4cf75a59f342865605b4910 ] + +According to i.MX7ULP reference manual, TPM_SC_CPWMS can ONLY be written when +counter is disabled, TPM_SC_TOF is write-1-clear, TPM_C0SC_CHF is also +write-1-clear, correct these registers initialization flow; + +Signed-off-by: Anson Huang +Signed-off-by: Daniel Lezcano +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clocksource/timer-imx-tpm.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/clocksource/timer-imx-tpm.c ++++ b/drivers/clocksource/timer-imx-tpm.c +@@ -20,6 +20,7 @@ + #define TPM_SC 0x10 + #define TPM_SC_CMOD_INC_PER_CNT (0x1 << 3) + #define TPM_SC_CMOD_DIV_DEFAULT 0x3 ++#define TPM_SC_TOF_MASK (0x1 << 7) + #define TPM_CNT 0x14 + #define TPM_MOD 0x18 + #define TPM_STATUS 0x1c +@@ -29,6 +30,7 @@ + #define TPM_C0SC_MODE_SHIFT 2 + #define TPM_C0SC_MODE_MASK 0x3c + #define TPM_C0SC_MODE_SW_COMPARE 0x4 ++#define TPM_C0SC_CHF_MASK (0x1 << 7) + #define TPM_C0V 0x24 + + static void __iomem *timer_base; +@@ -205,9 +207,13 @@ static int __init tpm_timer_init(struct + * 4) Channel0 disabled + * 5) DMA transfers disabled + */ ++ /* make sure counter is disabled */ + writel(0, timer_base + TPM_SC); ++ /* TOF is W1C */ ++ writel(TPM_SC_TOF_MASK, timer_base + TPM_SC); + writel(0, timer_base + TPM_CNT); +- writel(0, timer_base + TPM_C0SC); ++ /* CHF is W1C */ ++ writel(TPM_C0SC_CHF_MASK, timer_base + TPM_C0SC); + + /* increase per cnt, div 8 by default */ + writel(TPM_SC_CMOD_INC_PER_CNT | TPM_SC_CMOD_DIV_DEFAULT, diff --git a/queue-4.16/cpufreq-brcmstb-avs-cpufreq-remove-development-debug-support.patch b/queue-4.16/cpufreq-brcmstb-avs-cpufreq-remove-development-debug-support.patch new file mode 100644 index 00000000000..a4d4beea5fc --- /dev/null +++ b/queue-4.16/cpufreq-brcmstb-avs-cpufreq-remove-development-debug-support.patch @@ -0,0 +1,407 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Markus Mayer +Date: Wed, 18 Apr 2018 08:56:42 -0700 +Subject: cpufreq: brcmstb-avs-cpufreq: remove development debug support + +From: Markus Mayer + +[ Upstream commit ee53a65dc766384aaf1a26e3c43dd13456170b69 ] + +This debug code was helpful while developing the driver, but it isn't +being used for anything anymore. + +Signed-off-by: Markus Mayer +Acked-by: Viresh Kumar +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpufreq/Kconfig.arm | 10 - + drivers/cpufreq/brcmstb-avs-cpufreq.c | 323 ---------------------------------- + 2 files changed, 1 insertion(+), 332 deletions(-) + +--- a/drivers/cpufreq/Kconfig.arm ++++ b/drivers/cpufreq/Kconfig.arm +@@ -70,16 +70,6 @@ config ARM_BRCMSTB_AVS_CPUFREQ + + Say Y, if you have a Broadcom SoC with AVS support for DFS or DVFS. + +-config ARM_BRCMSTB_AVS_CPUFREQ_DEBUG +- bool "Broadcom STB AVS CPUfreq driver sysfs debug capability" +- depends on ARM_BRCMSTB_AVS_CPUFREQ +- help +- Enabling this option turns on debug support via sysfs under +- /sys/kernel/debug/brcmstb-avs-cpufreq. It is possible to read all and +- write some AVS mailbox registers through sysfs entries. +- +- If in doubt, say N. +- + config ARM_EXYNOS5440_CPUFREQ + tristate "SAMSUNG EXYNOS5440" + depends on SOC_EXYNOS5440 +--- a/drivers/cpufreq/brcmstb-avs-cpufreq.c ++++ b/drivers/cpufreq/brcmstb-avs-cpufreq.c +@@ -49,13 +49,6 @@ + #include + #include + +-#ifdef CONFIG_ARM_BRCMSTB_AVS_CPUFREQ_DEBUG +-#include +-#include +-#include +-#include +-#endif +- + /* Max number of arguments AVS calls take */ + #define AVS_MAX_CMD_ARGS 4 + /* +@@ -182,88 +175,11 @@ struct private_data { + void __iomem *base; + void __iomem *avs_intr_base; + struct device *dev; +-#ifdef CONFIG_ARM_BRCMSTB_AVS_CPUFREQ_DEBUG +- struct dentry *debugfs; +-#endif + struct completion done; + struct semaphore sem; + struct pmap pmap; + }; + +-#ifdef CONFIG_ARM_BRCMSTB_AVS_CPUFREQ_DEBUG +- +-enum debugfs_format { +- DEBUGFS_NORMAL, +- DEBUGFS_FLOAT, +- DEBUGFS_REV, +-}; +- +-struct debugfs_data { +- struct debugfs_entry *entry; +- struct private_data *priv; +-}; +- +-struct debugfs_entry { +- char *name; +- u32 offset; +- fmode_t mode; +- enum debugfs_format format; +-}; +- +-#define DEBUGFS_ENTRY(name, mode, format) { \ +- #name, AVS_MBOX_##name, mode, format \ +-} +- +-/* +- * These are used for debugfs only. Otherwise we use AVS_MBOX_PARAM() directly. +- */ +-#define AVS_MBOX_PARAM1 AVS_MBOX_PARAM(0) +-#define AVS_MBOX_PARAM2 AVS_MBOX_PARAM(1) +-#define AVS_MBOX_PARAM3 AVS_MBOX_PARAM(2) +-#define AVS_MBOX_PARAM4 AVS_MBOX_PARAM(3) +- +-/* +- * This table stores the name, access permissions and offset for each hardware +- * register and is used to generate debugfs entries. +- */ +-static struct debugfs_entry debugfs_entries[] = { +- DEBUGFS_ENTRY(COMMAND, S_IWUSR, DEBUGFS_NORMAL), +- DEBUGFS_ENTRY(STATUS, S_IWUSR, DEBUGFS_NORMAL), +- DEBUGFS_ENTRY(VOLTAGE0, 0, DEBUGFS_FLOAT), +- DEBUGFS_ENTRY(TEMP0, 0, DEBUGFS_FLOAT), +- DEBUGFS_ENTRY(PV0, 0, DEBUGFS_FLOAT), +- DEBUGFS_ENTRY(MV0, 0, DEBUGFS_FLOAT), +- DEBUGFS_ENTRY(PARAM1, S_IWUSR, DEBUGFS_NORMAL), +- DEBUGFS_ENTRY(PARAM2, S_IWUSR, DEBUGFS_NORMAL), +- DEBUGFS_ENTRY(PARAM3, S_IWUSR, DEBUGFS_NORMAL), +- DEBUGFS_ENTRY(PARAM4, S_IWUSR, DEBUGFS_NORMAL), +- DEBUGFS_ENTRY(REVISION, 0, DEBUGFS_REV), +- DEBUGFS_ENTRY(PSTATE, 0, DEBUGFS_NORMAL), +- DEBUGFS_ENTRY(HEARTBEAT, 0, DEBUGFS_NORMAL), +- DEBUGFS_ENTRY(MAGIC, S_IWUSR, DEBUGFS_NORMAL), +- DEBUGFS_ENTRY(SIGMA_HVT, 0, DEBUGFS_NORMAL), +- DEBUGFS_ENTRY(SIGMA_SVT, 0, DEBUGFS_NORMAL), +- DEBUGFS_ENTRY(VOLTAGE1, 0, DEBUGFS_FLOAT), +- DEBUGFS_ENTRY(TEMP1, 0, DEBUGFS_FLOAT), +- DEBUGFS_ENTRY(PV1, 0, DEBUGFS_FLOAT), +- DEBUGFS_ENTRY(MV1, 0, DEBUGFS_FLOAT), +- DEBUGFS_ENTRY(FREQUENCY, 0, DEBUGFS_NORMAL), +-}; +- +-static int brcm_avs_target_index(struct cpufreq_policy *, unsigned int); +- +-static char *__strtolower(char *s) +-{ +- char *p; +- +- for (p = s; *p; p++) +- *p = tolower(*p); +- +- return s; +-} +- +-#endif /* CONFIG_ARM_BRCMSTB_AVS_CPUFREQ_DEBUG */ +- + static void __iomem *__map_region(const char *name) + { + struct device_node *np; +@@ -516,238 +432,6 @@ brcm_avs_get_freq_table(struct device *d + return table; + } + +-#ifdef CONFIG_ARM_BRCMSTB_AVS_CPUFREQ_DEBUG +- +-#define MANT(x) (unsigned int)(abs((x)) / 1000) +-#define FRAC(x) (unsigned int)(abs((x)) - abs((x)) / 1000 * 1000) +- +-static int brcm_avs_debug_show(struct seq_file *s, void *data) +-{ +- struct debugfs_data *dbgfs = s->private; +- void __iomem *base; +- u32 val, offset; +- +- if (!dbgfs) { +- seq_puts(s, "No device pointer\n"); +- return 0; +- } +- +- base = dbgfs->priv->base; +- offset = dbgfs->entry->offset; +- val = readl(base + offset); +- switch (dbgfs->entry->format) { +- case DEBUGFS_NORMAL: +- seq_printf(s, "%u\n", val); +- break; +- case DEBUGFS_FLOAT: +- seq_printf(s, "%d.%03d\n", MANT(val), FRAC(val)); +- break; +- case DEBUGFS_REV: +- seq_printf(s, "%c.%c.%c.%c\n", (val >> 24 & 0xff), +- (val >> 16 & 0xff), (val >> 8 & 0xff), +- val & 0xff); +- break; +- } +- seq_printf(s, "0x%08x\n", val); +- +- return 0; +-} +- +-#undef MANT +-#undef FRAC +- +-static ssize_t brcm_avs_seq_write(struct file *file, const char __user *buf, +- size_t size, loff_t *ppos) +-{ +- struct seq_file *s = file->private_data; +- struct debugfs_data *dbgfs = s->private; +- struct private_data *priv = dbgfs->priv; +- void __iomem *base, *avs_intr_base; +- bool use_issue_command = false; +- unsigned long val, offset; +- char str[128]; +- int ret; +- char *str_ptr = str; +- +- if (size >= sizeof(str)) +- return -E2BIG; +- +- memset(str, 0, sizeof(str)); +- ret = copy_from_user(str, buf, size); +- if (ret) +- return ret; +- +- base = priv->base; +- avs_intr_base = priv->avs_intr_base; +- offset = dbgfs->entry->offset; +- /* +- * Special case writing to "command" entry only: if the string starts +- * with a 'c', we use the driver's __issue_avs_command() function. +- * Otherwise, we perform a raw write. This should allow testing of raw +- * access as well as using the higher level function. (Raw access +- * doesn't clear the firmware return status after issuing the command.) +- */ +- if (str_ptr[0] == 'c' && offset == AVS_MBOX_COMMAND) { +- use_issue_command = true; +- str_ptr++; +- } +- if (kstrtoul(str_ptr, 0, &val) != 0) +- return -EINVAL; +- +- /* +- * Setting the P-state is a special case. We need to update the CPU +- * frequency we report. +- */ +- if (val == AVS_CMD_SET_PSTATE) { +- struct cpufreq_policy *policy; +- unsigned int pstate; +- +- policy = cpufreq_cpu_get(smp_processor_id()); +- /* Read back the P-state we are about to set */ +- pstate = readl(base + AVS_MBOX_PARAM(0)); +- if (use_issue_command) { +- ret = brcm_avs_target_index(policy, pstate); +- return ret ? ret : size; +- } +- policy->cur = policy->freq_table[pstate].frequency; +- } +- +- if (use_issue_command) { +- ret = __issue_avs_command(priv, val, false, NULL); +- } else { +- /* Locking here is not perfect, but is only for debug. */ +- ret = down_interruptible(&priv->sem); +- if (ret) +- return ret; +- +- writel(val, base + offset); +- /* We have to wake up the firmware to process a command. */ +- if (offset == AVS_MBOX_COMMAND) +- writel(AVS_CPU_L2_INT_MASK, +- avs_intr_base + AVS_CPU_L2_SET0); +- up(&priv->sem); +- } +- +- return ret ? ret : size; +-} +- +-static struct debugfs_entry *__find_debugfs_entry(const char *name) +-{ +- int i; +- +- for (i = 0; i < ARRAY_SIZE(debugfs_entries); i++) +- if (strcasecmp(debugfs_entries[i].name, name) == 0) +- return &debugfs_entries[i]; +- +- return NULL; +-} +- +-static int brcm_avs_debug_open(struct inode *inode, struct file *file) +-{ +- struct debugfs_data *data; +- fmode_t fmode; +- int ret; +- +- /* +- * seq_open(), which is called by single_open(), clears "write" access. +- * We need write access to some files, so we preserve our access mode +- * and restore it. +- */ +- fmode = file->f_mode; +- /* +- * Check access permissions even for root. We don't want to be writing +- * to read-only registers. Access for regular users has already been +- * checked by the VFS layer. +- */ +- if ((fmode & FMODE_WRITER) && !(inode->i_mode & S_IWUSR)) +- return -EACCES; +- +- data = kmalloc(sizeof(*data), GFP_KERNEL); +- if (!data) +- return -ENOMEM; +- /* +- * We use the same file system operations for all our debug files. To +- * produce specific output, we look up the file name upon opening a +- * debugfs entry and map it to a memory offset. This offset is then used +- * in the generic "show" function to read a specific register. +- */ +- data->entry = __find_debugfs_entry(file->f_path.dentry->d_iname); +- data->priv = inode->i_private; +- +- ret = single_open(file, brcm_avs_debug_show, data); +- if (ret) +- kfree(data); +- file->f_mode = fmode; +- +- return ret; +-} +- +-static int brcm_avs_debug_release(struct inode *inode, struct file *file) +-{ +- struct seq_file *seq_priv = file->private_data; +- struct debugfs_data *data = seq_priv->private; +- +- kfree(data); +- return single_release(inode, file); +-} +- +-static const struct file_operations brcm_avs_debug_ops = { +- .open = brcm_avs_debug_open, +- .read = seq_read, +- .write = brcm_avs_seq_write, +- .llseek = seq_lseek, +- .release = brcm_avs_debug_release, +-}; +- +-static void brcm_avs_cpufreq_debug_init(struct platform_device *pdev) +-{ +- struct private_data *priv = platform_get_drvdata(pdev); +- struct dentry *dir; +- int i; +- +- if (!priv) +- return; +- +- dir = debugfs_create_dir(BRCM_AVS_CPUFREQ_NAME, NULL); +- if (IS_ERR_OR_NULL(dir)) +- return; +- priv->debugfs = dir; +- +- for (i = 0; i < ARRAY_SIZE(debugfs_entries); i++) { +- /* +- * The DEBUGFS_ENTRY macro generates uppercase strings. We +- * convert them to lowercase before creating the debugfs +- * entries. +- */ +- char *entry = __strtolower(debugfs_entries[i].name); +- fmode_t mode = debugfs_entries[i].mode; +- +- if (!debugfs_create_file(entry, S_IFREG | S_IRUGO | mode, +- dir, priv, &brcm_avs_debug_ops)) { +- priv->debugfs = NULL; +- debugfs_remove_recursive(dir); +- break; +- } +- } +-} +- +-static void brcm_avs_cpufreq_debug_exit(struct platform_device *pdev) +-{ +- struct private_data *priv = platform_get_drvdata(pdev); +- +- if (priv && priv->debugfs) { +- debugfs_remove_recursive(priv->debugfs); +- priv->debugfs = NULL; +- } +-} +- +-#else +- +-static void brcm_avs_cpufreq_debug_init(struct platform_device *pdev) {} +-static void brcm_avs_cpufreq_debug_exit(struct platform_device *pdev) {} +- +-#endif /* CONFIG_ARM_BRCMSTB_AVS_CPUFREQ_DEBUG */ +- + /* + * To ensure the right firmware is running we need to + * - check the MAGIC matches what we expect +@@ -1020,11 +704,8 @@ static int brcm_avs_cpufreq_probe(struct + return ret; + + brcm_avs_driver.driver_data = pdev; +- ret = cpufreq_register_driver(&brcm_avs_driver); +- if (!ret) +- brcm_avs_cpufreq_debug_init(pdev); + +- return ret; ++ return cpufreq_register_driver(&brcm_avs_driver); + } + + static int brcm_avs_cpufreq_remove(struct platform_device *pdev) +@@ -1036,8 +717,6 @@ static int brcm_avs_cpufreq_remove(struc + if (ret) + return ret; + +- brcm_avs_cpufreq_debug_exit(pdev); +- + priv = platform_get_drvdata(pdev); + iounmap(priv->base); + iounmap(priv->avs_intr_base); diff --git a/queue-4.16/cxgb4-copy-mbox-log-size-to-pf0-3-adap-instances.patch b/queue-4.16/cxgb4-copy-mbox-log-size-to-pf0-3-adap-instances.patch new file mode 100644 index 00000000000..87cda653f4d --- /dev/null +++ b/queue-4.16/cxgb4-copy-mbox-log-size-to-pf0-3-adap-instances.patch @@ -0,0 +1,42 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Ganesh Goudar +Date: Wed, 9 May 2018 19:00:35 +0530 +Subject: cxgb4: copy mbox log size to PF0-3 adap instances + +From: Ganesh Goudar + +[ Upstream commit aca06eafd09f48ca4d97f3c0b2a12c8d631116f0 ] + +copy mbox size to adapter instances of PF0-3 to avoid +mbox log overflow. This fixes the possible protection +fault. + +Fixes: baf5086840ab ("cxgb4: restructure VF mgmt code") +Signed-off-by: Casey Leedom +Signed-off-by: Ganesh Goudar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c +@@ -5191,6 +5191,7 @@ static int init_one(struct pci_dev *pdev + } + spin_lock_init(&adapter->mbox_lock); + INIT_LIST_HEAD(&adapter->mlist.list); ++ adapter->mbox_log->size = T4_OS_LOG_MBOX_CMDS; + pci_set_drvdata(pdev, adapter); + + if (func != ent->driver_data) { +@@ -5225,8 +5226,6 @@ static int init_one(struct pci_dev *pdev + goto out_free_adapter; + } + +- adapter->mbox_log->size = T4_OS_LOG_MBOX_CMDS; +- + /* PCI device has been enabled */ + adapter->flags |= DEV_ENABLED; + memset(adapter->chan_map, 0xff, sizeof(adapter->chan_map)); diff --git a/queue-4.16/doc-add-vendor-prefix-for-kieback-peter-gmbh.patch b/queue-4.16/doc-add-vendor-prefix-for-kieback-peter-gmbh.patch new file mode 100644 index 00000000000..647e0cfe582 --- /dev/null +++ b/queue-4.16/doc-add-vendor-prefix-for-kieback-peter-gmbh.patch @@ -0,0 +1,30 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Lukasz Majewski +Date: Wed, 4 Apr 2018 09:52:04 +0200 +Subject: doc: Add vendor prefix for Kieback & Peter GmbH + +From: Lukasz Majewski + +[ Upstream commit 99bf8f27f3f94d2a37291354b8dc83f13728f75f ] + +The 'kiebackpeter' entry has been added to vendor-prefixes.txt to indicate +products from Kieback & Peter GmbH. + +Signed-off-by: Lukasz Majewski +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/vendor-prefixes.txt | 1 + + 1 file changed, 1 insertion(+) + +--- a/Documentation/devicetree/bindings/vendor-prefixes.txt ++++ b/Documentation/devicetree/bindings/vendor-prefixes.txt +@@ -181,6 +181,7 @@ karo Ka-Ro electronics GmbH + keithkoep Keith & Koep GmbH + keymile Keymile GmbH + khadas Khadas ++kiebackpeter Kieback & Peter GmbH + kinetic Kinetic Technologies + kingnovel Kingnovel Technology Co., Ltd. + kosagi Sutajio Ko-Usagi PTE Ltd. diff --git a/queue-4.16/driver-core-add-__printf-verification-to-__ata_ehi_pushv_desc.patch b/queue-4.16/driver-core-add-__printf-verification-to-__ata_ehi_pushv_desc.patch new file mode 100644 index 00000000000..eeab497dead --- /dev/null +++ b/queue-4.16/driver-core-add-__printf-verification-to-__ata_ehi_pushv_desc.patch @@ -0,0 +1,35 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Mathieu Malaterre +Date: Sat, 5 May 2018 22:00:37 +0200 +Subject: driver core: add __printf verification to __ata_ehi_pushv_desc + +From: Mathieu Malaterre + +[ Upstream commit 0d74d872c3f8b9cb3d096fb932a063b43b37f188 ] + +__printf is useful to verify format and arguments. Remove the following +warning (with W=1): + + drivers/ata/libata-eh.c:183:10: warning: function might be possible candidate for ‘gnu_printf’ format attribute [-Wsuggest-attribute=format] + +Signed-off-by: Mathieu Malaterre +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/libata-eh.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/ata/libata-eh.c ++++ b/drivers/ata/libata-eh.c +@@ -175,8 +175,8 @@ static void ata_eh_handle_port_resume(st + { } + #endif /* CONFIG_PM */ + +-static void __ata_ehi_pushv_desc(struct ata_eh_info *ehi, const char *fmt, +- va_list args) ++static __printf(2, 0) void __ata_ehi_pushv_desc(struct ata_eh_info *ehi, ++ const char *fmt, va_list args) + { + ehi->desc_len += vscnprintf(ehi->desc + ehi->desc_len, + ATA_EH_DESC_LEN - ehi->desc_len, diff --git a/queue-4.16/drm-amdgpu-switch-to-interruptable-wait-to-recover-from-ring-hang.patch b/queue-4.16/drm-amdgpu-switch-to-interruptable-wait-to-recover-from-ring-hang.patch new file mode 100644 index 00000000000..911205c8f75 --- /dev/null +++ b/queue-4.16/drm-amdgpu-switch-to-interruptable-wait-to-recover-from-ring-hang.patch @@ -0,0 +1,39 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Andrey Grodzovsky +Date: Mon, 30 Apr 2018 10:04:42 -0400 +Subject: drm/amdgpu: Switch to interruptable wait to recover from ring hang. + +From: Andrey Grodzovsky + +[ Upstream commit e6a5b9f9aee145c2f2c24431d84edfbb0d49eea5 ] + +v2: +Use dma_fence_wait instead of dma_fence_wait_timeout(...,MAX_SCHEDULE_TIMEOUT) +Avoid printing error message for ERESTARTSYS + +Originally-by: David Panariti +Signed-off-by: Andrey Grodzovsky +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c +@@ -419,9 +419,11 @@ int amdgpu_ctx_wait_prev_fence(struct am + + if (other) { + signed long r; +- r = dma_fence_wait_timeout(other, false, MAX_SCHEDULE_TIMEOUT); ++ r = dma_fence_wait(other, true); + if (r < 0) { +- DRM_ERROR("Error (%ld) waiting for fence!\n", r); ++ if (r != -ERESTARTSYS) ++ DRM_ERROR("Error (%ld) waiting for fence!\n", r); ++ + return r; + } + } diff --git a/queue-4.16/drm-amdkfd-fix-clock-counter-retrieval-for-node-without-gpu.patch b/queue-4.16/drm-amdkfd-fix-clock-counter-retrieval-for-node-without-gpu.patch new file mode 100644 index 00000000000..de22b446693 --- /dev/null +++ b/queue-4.16/drm-amdkfd-fix-clock-counter-retrieval-for-node-without-gpu.patch @@ -0,0 +1,48 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Andres Rodriguez +Date: Tue, 10 Apr 2018 17:32:33 -0400 +Subject: drm/amdkfd: fix clock counter retrieval for node without GPU + +From: Andres Rodriguez + +[ Upstream commit 1cf6cc74bbeb85bb87c3ca3f3df97a283c3aa737 ] + +Currently if a user requests clock counters for a node without a GPU +resource we will always return EINVAL. + +Instead if no GPU resource is attached, fill the gpu_clock_counter +argument with zeroes so that we may proceed and return valid CPU +counters. + +Signed-off-by: Andres Rodriguez +Signed-off-by: Felix Kuehling +Reviewed-by: Oded Gabbay +Signed-off-by: Oded Gabbay +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c +@@ -748,12 +748,13 @@ static int kfd_ioctl_get_clock_counters( + struct timespec64 time; + + dev = kfd_device_by_id(args->gpu_id); +- if (dev == NULL) +- return -EINVAL; +- +- /* Reading GPU clock counter from KGD */ +- args->gpu_clock_counter = +- dev->kfd2kgd->get_gpu_clock_counter(dev->kgd); ++ if (dev) ++ /* Reading GPU clock counter from KGD */ ++ args->gpu_clock_counter = ++ dev->kfd2kgd->get_gpu_clock_counter(dev->kgd); ++ else ++ /* Node without GPU resource */ ++ args->gpu_clock_counter = 0; + + /* No access to rdtsc. Using raw monotonic time */ + getrawmonotonic64(&time); diff --git a/queue-4.16/drm-dumb-buffers-integer-overflow-in-drm_mode_create_ioctl.patch b/queue-4.16/drm-dumb-buffers-integer-overflow-in-drm_mode_create_ioctl.patch new file mode 100644 index 00000000000..dcdc5fee9f7 --- /dev/null +++ b/queue-4.16/drm-dumb-buffers-integer-overflow-in-drm_mode_create_ioctl.patch @@ -0,0 +1,51 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Dan Carpenter +Date: Wed, 16 May 2018 17:00:26 +0300 +Subject: drm/dumb-buffers: Integer overflow in drm_mode_create_ioctl() + +From: Dan Carpenter + +[ Upstream commit 2b6207291b7b277a5df9d1aab44b56815a292dba ] + +There is a comment here which says that DIV_ROUND_UP() and that's where +the problem comes from. Say you pick: + + args->bpp = UINT_MAX - 7; + args->width = 4; + args->height = 1; + +The integer overflow in DIV_ROUND_UP() means "cpp" is UINT_MAX / 8 and +because of how we picked args->width that means cpp < UINT_MAX / 4. + +I've fixed it by preventing the integer overflow in DIV_ROUND_UP(). I +removed the check for !cpp because it's not possible after this change. +I also changed all the 0xffffffffU references to U32_MAX. + +Signed-off-by: Dan Carpenter +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20180516140026.GA19340@mwanda +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_dumb_buffers.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/drm_dumb_buffers.c ++++ b/drivers/gpu/drm/drm_dumb_buffers.c +@@ -65,12 +65,13 @@ int drm_mode_create_dumb_ioctl(struct dr + return -EINVAL; + + /* overflow checks for 32bit size calculations */ +- /* NOTE: DIV_ROUND_UP() can overflow */ ++ if (args->bpp > U32_MAX - 8) ++ return -EINVAL; + cpp = DIV_ROUND_UP(args->bpp, 8); +- if (!cpp || cpp > 0xffffffffU / args->width) ++ if (cpp > U32_MAX / args->width) + return -EINVAL; + stride = cpp * args->width; +- if (args->height > 0xffffffffU / stride) ++ if (args->height > U32_MAX / stride) + return -EINVAL; + + /* test for wrap-around */ diff --git a/queue-4.16/drm-exynos-mixer-avoid-oops-in-vp_video_buffer.patch b/queue-4.16/drm-exynos-mixer-avoid-oops-in-vp_video_buffer.patch new file mode 100644 index 00000000000..cdacc882655 --- /dev/null +++ b/queue-4.16/drm-exynos-mixer-avoid-oops-in-vp_video_buffer.patch @@ -0,0 +1,65 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Tobias Jakobi +Date: Fri, 2 Feb 2018 16:11:23 +0100 +Subject: drm/exynos: mixer: avoid Oops in vp_video_buffer() + +From: Tobias Jakobi + +[ Upstream commit 0ccc1c8f0282e237a0bd6dca7cdac4ed5e318ee7 ] + +If an interlaced video mode is selected, a IOMMU pagefault is +triggered by vp_video_buffer(). + +Fix the most apparent bugs: +- pitch value for chroma plane +- divide by two of height and vpos of source and destination + +Signed-off-by: Tobias Jakobi +[ a.hajda: Halved also destination height and vpos, updated commit message ] +Signed-off-by: Andrzej Hajda +Signed-off-by: Inki Dae +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/exynos/exynos_mixer.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/drivers/gpu/drm/exynos/exynos_mixer.c ++++ b/drivers/gpu/drm/exynos/exynos_mixer.c +@@ -485,7 +485,7 @@ static void vp_video_buffer(struct mixer + chroma_addr[1] = chroma_addr[0] + 0x40; + } else { + luma_addr[1] = luma_addr[0] + fb->pitches[0]; +- chroma_addr[1] = chroma_addr[0] + fb->pitches[0]; ++ chroma_addr[1] = chroma_addr[0] + fb->pitches[1]; + } + } else { + luma_addr[1] = 0; +@@ -508,21 +508,23 @@ static void vp_video_buffer(struct mixer + vp_reg_write(ctx, VP_IMG_SIZE_Y, VP_IMG_HSIZE(fb->pitches[0]) | + VP_IMG_VSIZE(fb->height)); + /* chroma plane for NV12/NV21 is half the height of the luma plane */ +- vp_reg_write(ctx, VP_IMG_SIZE_C, VP_IMG_HSIZE(fb->pitches[0]) | ++ vp_reg_write(ctx, VP_IMG_SIZE_C, VP_IMG_HSIZE(fb->pitches[1]) | + VP_IMG_VSIZE(fb->height / 2)); + + vp_reg_write(ctx, VP_SRC_WIDTH, state->src.w); +- vp_reg_write(ctx, VP_SRC_HEIGHT, state->src.h); + vp_reg_write(ctx, VP_SRC_H_POSITION, + VP_SRC_H_POSITION_VAL(state->src.x)); +- vp_reg_write(ctx, VP_SRC_V_POSITION, state->src.y); +- + vp_reg_write(ctx, VP_DST_WIDTH, state->crtc.w); + vp_reg_write(ctx, VP_DST_H_POSITION, state->crtc.x); ++ + if (test_bit(MXR_BIT_INTERLACE, &ctx->flags)) { ++ vp_reg_write(ctx, VP_SRC_HEIGHT, state->src.h / 2); ++ vp_reg_write(ctx, VP_SRC_V_POSITION, state->src.y / 2); + vp_reg_write(ctx, VP_DST_HEIGHT, state->crtc.h / 2); + vp_reg_write(ctx, VP_DST_V_POSITION, state->crtc.y / 2); + } else { ++ vp_reg_write(ctx, VP_SRC_HEIGHT, state->src.h); ++ vp_reg_write(ctx, VP_SRC_V_POSITION, state->src.y); + vp_reg_write(ctx, VP_DST_HEIGHT, state->crtc.h); + vp_reg_write(ctx, VP_DST_V_POSITION, state->crtc.y); + } diff --git a/queue-4.16/drm-exynos-mixer-fix-synchronization-check-in-interlaced-mode.patch b/queue-4.16/drm-exynos-mixer-fix-synchronization-check-in-interlaced-mode.patch new file mode 100644 index 00000000000..bab33eff07e --- /dev/null +++ b/queue-4.16/drm-exynos-mixer-fix-synchronization-check-in-interlaced-mode.patch @@ -0,0 +1,59 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Andrzej Hajda +Date: Fri, 2 Feb 2018 16:11:22 +0100 +Subject: drm/exynos/mixer: fix synchronization check in interlaced mode + +From: Andrzej Hajda + +[ Upstream commit 2eced8e917b060587fc8ed46df41c364957a5050 ] + +In case of interlace mode video processor registers and mixer config +register must be check to ensure internal state is in sync with shadow +registers. +This patch fixes page-faults in interlaced mode. + +Signed-off-by: Andrzej Hajda +Signed-off-by: Inki Dae +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/exynos/exynos_mixer.c | 10 ++++++++++ + drivers/gpu/drm/exynos/regs-mixer.h | 1 + + 2 files changed, 11 insertions(+) + +--- a/drivers/gpu/drm/exynos/exynos_mixer.c ++++ b/drivers/gpu/drm/exynos/exynos_mixer.c +@@ -494,6 +494,7 @@ static void vp_video_buffer(struct mixer + + spin_lock_irqsave(&ctx->reg_slock, flags); + ++ vp_reg_write(ctx, VP_SHADOW_UPDATE, 1); + /* interlace or progressive scan mode */ + val = (test_bit(MXR_BIT_INTERLACE, &ctx->flags) ? ~0 : 0); + vp_reg_writemask(ctx, VP_MODE, val, VP_MODE_LINE_SKIP); +@@ -711,6 +712,15 @@ static irqreturn_t mixer_irq_handler(int + + /* interlace scan need to check shadow register */ + if (test_bit(MXR_BIT_INTERLACE, &ctx->flags)) { ++ if (test_bit(MXR_BIT_VP_ENABLED, &ctx->flags) && ++ vp_reg_read(ctx, VP_SHADOW_UPDATE)) ++ goto out; ++ ++ base = mixer_reg_read(ctx, MXR_CFG); ++ shadow = mixer_reg_read(ctx, MXR_CFG_S); ++ if (base != shadow) ++ goto out; ++ + base = mixer_reg_read(ctx, MXR_GRAPHIC_BASE(0)); + shadow = mixer_reg_read(ctx, MXR_GRAPHIC_BASE_S(0)); + if (base != shadow) +--- a/drivers/gpu/drm/exynos/regs-mixer.h ++++ b/drivers/gpu/drm/exynos/regs-mixer.h +@@ -47,6 +47,7 @@ + #define MXR_MO 0x0304 + #define MXR_RESOLUTION 0x0310 + ++#define MXR_CFG_S 0x2004 + #define MXR_GRAPHIC0_BASE_S 0x2024 + #define MXR_GRAPHIC1_BASE_S 0x2044 + diff --git a/queue-4.16/drm-msm-don-t-deref-error-pointer-in-the-msm_fbdev_create-error-path.patch b/queue-4.16/drm-msm-don-t-deref-error-pointer-in-the-msm_fbdev_create-error-path.patch new file mode 100644 index 00000000000..bcd72eebfc6 --- /dev/null +++ b/queue-4.16/drm-msm-don-t-deref-error-pointer-in-the-msm_fbdev_create-error-path.patch @@ -0,0 +1,55 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Emil Velikov +Date: Wed, 28 Mar 2018 17:22:16 +0100 +Subject: drm/msm: don't deref error pointer in the msm_fbdev_create error path + +From: Emil Velikov + +[ Upstream commit 789d4c300e10eb2096ee83c3497118e67ccc951e ] + +Currently the error pointer returned by msm_alloc_stolen_fb gets passed +to drm_framebuffer_remove. The latter handles only NULL pointers, thus +a nasty crash will occur. + +Drop the unnecessary fail label and the associated checks - both err and +fb will be set at this stage. + +Cc: Rob Clark +Cc: linux-arm-msm@vger.kernel.org +Cc: dri-devel@lists.freedesktop.org +Cc: freedreno@lists.freedesktop.org +Signed-off-by: Emil Velikov +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/msm/msm_fbdev.c | 11 ++--------- + 1 file changed, 2 insertions(+), 9 deletions(-) + +--- a/drivers/gpu/drm/msm/msm_fbdev.c ++++ b/drivers/gpu/drm/msm/msm_fbdev.c +@@ -92,8 +92,7 @@ static int msm_fbdev_create(struct drm_f + + if (IS_ERR(fb)) { + dev_err(dev->dev, "failed to allocate fb\n"); +- ret = PTR_ERR(fb); +- goto fail; ++ return PTR_ERR(fb); + } + + bo = msm_framebuffer_bo(fb, 0); +@@ -151,13 +150,7 @@ static int msm_fbdev_create(struct drm_f + + fail_unlock: + mutex_unlock(&dev->struct_mutex); +-fail: +- +- if (ret) { +- if (fb) +- drm_framebuffer_remove(fb); +- } +- ++ drm_framebuffer_remove(fb); + return ret; + } + diff --git a/queue-4.16/drm-msm-dsi-use-correct-enum-in-dsi_get_cmd_fmt.patch b/queue-4.16/drm-msm-dsi-use-correct-enum-in-dsi_get_cmd_fmt.patch new file mode 100644 index 00000000000..43ba602108f --- /dev/null +++ b/queue-4.16/drm-msm-dsi-use-correct-enum-in-dsi_get_cmd_fmt.patch @@ -0,0 +1,39 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Stefan Agner +Date: Mon, 19 Mar 2018 22:26:32 +0100 +Subject: drm/msm/dsi: use correct enum in dsi_get_cmd_fmt + +From: Stefan Agner + +[ Upstream commit a4af89286f8fc382459308764ea05935dc477cdc ] + +The function dsi_get_cmd_fmt returns enum dsi_cmd_dst_format, +use the correct enum value also for MIPI_DSI_FMT_RGB666/_PACKED. + +This has been discovered using clang: + drivers/gpu/drm/msm/dsi/dsi_host.c:743:35: warning: implicit conversion + from enumeration type 'enum dsi_vid_dst_format' to different + enumeration type 'enum dsi_cmd_dst_format' [-Wenum-conversion] + case MIPI_DSI_FMT_RGB666: return VID_DST_FORMAT_RGB666; + ~~~~~~ ^~~~~~~~~~~~~~~~~~~~~ + +Signed-off-by: Stefan Agner +Reviewed-by: Archit Taneja +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/msm/dsi/dsi_host.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/msm/dsi/dsi_host.c ++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c +@@ -740,7 +740,7 @@ static inline enum dsi_cmd_dst_format ds + switch (mipi_fmt) { + case MIPI_DSI_FMT_RGB888: return CMD_DST_FORMAT_RGB888; + case MIPI_DSI_FMT_RGB666_PACKED: +- case MIPI_DSI_FMT_RGB666: return VID_DST_FORMAT_RGB666; ++ case MIPI_DSI_FMT_RGB666: return CMD_DST_FORMAT_RGB666; + case MIPI_DSI_FMT_RGB565: return CMD_DST_FORMAT_RGB565; + default: return CMD_DST_FORMAT_RGB888; + } diff --git a/queue-4.16/drm-msm-fix-possible-null-dereference-on-failure-of-get_pages.patch b/queue-4.16/drm-msm-fix-possible-null-dereference-on-failure-of-get_pages.patch new file mode 100644 index 00000000000..7b3f0dad5ef --- /dev/null +++ b/queue-4.16/drm-msm-fix-possible-null-dereference-on-failure-of-get_pages.patch @@ -0,0 +1,62 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Ben Hutchings +Date: Tue, 3 Apr 2018 23:38:45 +0100 +Subject: drm/msm: Fix possible null dereference on failure of get_pages() + +From: Ben Hutchings + +[ Upstream commit 3976626ea3d2011f8fd3f3a47070a8b792018253 ] + +Commit 62e3a3e342af changed get_pages() to initialise +msm_gem_object::pages before trying to initialise msm_gem_object::sgt, +so that put_pages() would properly clean up pages in the failure +case. + +However, this means that put_pages() now needs to check that +msm_gem_object::sgt is not null before trying to clean it up, and +this check was only applied to part of the cleanup code. Move +it all into the conditional block. (Strictly speaking we don't +need to make the kfree() conditional, but since we can't avoid +checking for null ourselves we may as well do so.) + +Fixes: 62e3a3e342af ("drm/msm: fix leak in failed get_pages") +Signed-off-by: Ben Hutchings +Reviewed-by: Jordan Crouse +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/msm/msm_gem.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +--- a/drivers/gpu/drm/msm/msm_gem.c ++++ b/drivers/gpu/drm/msm/msm_gem.c +@@ -132,17 +132,19 @@ static void put_pages(struct drm_gem_obj + struct msm_gem_object *msm_obj = to_msm_bo(obj); + + if (msm_obj->pages) { +- /* For non-cached buffers, ensure the new pages are clean +- * because display controller, GPU, etc. are not coherent: +- */ +- if (msm_obj->flags & (MSM_BO_WC|MSM_BO_UNCACHED)) +- dma_unmap_sg(obj->dev->dev, msm_obj->sgt->sgl, +- msm_obj->sgt->nents, DMA_BIDIRECTIONAL); ++ if (msm_obj->sgt) { ++ /* For non-cached buffers, ensure the new ++ * pages are clean because display controller, ++ * GPU, etc. are not coherent: ++ */ ++ if (msm_obj->flags & (MSM_BO_WC|MSM_BO_UNCACHED)) ++ dma_unmap_sg(obj->dev->dev, msm_obj->sgt->sgl, ++ msm_obj->sgt->nents, ++ DMA_BIDIRECTIONAL); + +- if (msm_obj->sgt) + sg_free_table(msm_obj->sgt); +- +- kfree(msm_obj->sgt); ++ kfree(msm_obj->sgt); ++ } + + if (use_pages(obj)) + drm_gem_put_pages(obj, msm_obj->pages, true, false); diff --git a/queue-4.16/drm-omap-check-return-value-from-soc_device_match.patch b/queue-4.16/drm-omap-check-return-value-from-soc_device_match.patch new file mode 100644 index 00000000000..430b43aacc9 --- /dev/null +++ b/queue-4.16/drm-omap-check-return-value-from-soc_device_match.patch @@ -0,0 +1,40 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Tomi Valkeinen +Date: Wed, 2 May 2018 12:11:56 +0300 +Subject: drm/omap: check return value from soc_device_match + +From: Tomi Valkeinen + +[ Upstream commit 4d6cb5e2fee52af17001e92950f0894304706ee4 ] + +soc_device_match() can return NULL, so add a check and fail if +soc_device_match() fails. + +Signed-off-by: Tomi Valkeinen +Link: https://patchwork.freedesktop.org/patch/msgid/20180502091159.7071-2-tomi.valkeinen@ti.com +Reviewed-by: Benoit Parrot +Reviewed-by: Peter Ujfalusi +Signed-off-by: Sean Paul +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/omapdrm/dss/hdmi4_core.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/omapdrm/dss/hdmi4_core.c ++++ b/drivers/gpu/drm/omapdrm/dss/hdmi4_core.c +@@ -922,8 +922,13 @@ int hdmi4_core_init(struct platform_devi + { + const struct hdmi4_features *features; + struct resource *res; ++ const struct soc_device_attribute *soc; + +- features = soc_device_match(hdmi4_soc_devices)->data; ++ soc = soc_device_match(hdmi4_soc_devices); ++ if (!soc) ++ return -ENODEV; ++ ++ features = soc->data; + core->cts_swmode = features->cts_swmode; + core->audio_use_mclk = features->audio_use_mclk; + diff --git a/queue-4.16/drm-omap-fix-possible-null-ref-issue-in-tiler_reserve_2d.patch b/queue-4.16/drm-omap-fix-possible-null-ref-issue-in-tiler_reserve_2d.patch new file mode 100644 index 00000000000..31e4bde6e7a --- /dev/null +++ b/queue-4.16/drm-omap-fix-possible-null-ref-issue-in-tiler_reserve_2d.patch @@ -0,0 +1,43 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Tomi Valkeinen +Date: Thu, 29 Mar 2018 13:40:37 +0300 +Subject: drm/omap: fix possible NULL ref issue in tiler_reserve_2d + +From: Tomi Valkeinen + +[ Upstream commit 6a0f0c55619f0b82a677cab72e77c3444a5eee58 ] + +tiler_reserve_2d allocates memory but does not check if it got the +memory. Add the check and return ENOMEM on failure. + +Signed-off-by: Tomi Valkeinen +Link: https://patchwork.freedesktop.org/patch/msgid/20180329104038.29154-2-tomi.valkeinen@ti.com +Reviewed-by: Emil Velikov +Reviewed-by: Laurent Pinchart +Signed-off-by: Sean Paul +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/omapdrm/omap_dmm_tiler.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c ++++ b/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c +@@ -401,12 +401,16 @@ int tiler_unpin(struct tiler_block *bloc + struct tiler_block *tiler_reserve_2d(enum tiler_fmt fmt, uint16_t w, + uint16_t h, uint16_t align) + { +- struct tiler_block *block = kzalloc(sizeof(*block), GFP_KERNEL); ++ struct tiler_block *block; + u32 min_align = 128; + int ret; + unsigned long flags; + u32 slot_bytes; + ++ block = kzalloc(sizeof(*block), GFP_KERNEL); ++ if (!block) ++ return ERR_PTR(-ENOMEM); ++ + BUG_ON(!validfmt(fmt)); + + /* convert width/height to slots */ diff --git a/queue-4.16/drm-omap-fix-uninitialized-ret-variable.patch b/queue-4.16/drm-omap-fix-uninitialized-ret-variable.patch new file mode 100644 index 00000000000..791215760c8 --- /dev/null +++ b/queue-4.16/drm-omap-fix-uninitialized-ret-variable.patch @@ -0,0 +1,47 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Tomi Valkeinen +Date: Thu, 29 Mar 2018 13:40:36 +0300 +Subject: drm/omap: fix uninitialized ret variable + +From: Tomi Valkeinen + +[ Upstream commit 77eeac24b10fc84d3ffd5b11a897dff88dde244d ] + +audio_config function for both HDMI4 and HDMI5 return uninitialized +value as the error code if the display is not currently enabled. For +some reason this has not caused any issues. + +Signed-off-by: Tomi Valkeinen +Link: https://patchwork.freedesktop.org/patch/msgid/20180329104038.29154-1-tomi.valkeinen@ti.com +Reviewed-by: Emil Velikov +Reviewed-by: Laurent Pinchart +Signed-off-by: Sean Paul +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/omapdrm/dss/hdmi4.c | 2 +- + drivers/gpu/drm/omapdrm/dss/hdmi5.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/omapdrm/dss/hdmi4.c ++++ b/drivers/gpu/drm/omapdrm/dss/hdmi4.c +@@ -665,7 +665,7 @@ static int hdmi_audio_config(struct devi + struct omap_dss_audio *dss_audio) + { + struct omap_hdmi *hd = dev_get_drvdata(dev); +- int ret; ++ int ret = 0; + + mutex_lock(&hd->lock); + +--- a/drivers/gpu/drm/omapdrm/dss/hdmi5.c ++++ b/drivers/gpu/drm/omapdrm/dss/hdmi5.c +@@ -660,7 +660,7 @@ static int hdmi_audio_config(struct devi + struct omap_dss_audio *dss_audio) + { + struct omap_hdmi *hd = dev_get_drvdata(dev); +- int ret; ++ int ret = 0; + + mutex_lock(&hd->lock); + diff --git a/queue-4.16/drm-omap-handle-alloc-failures-in-omap_connector.patch b/queue-4.16/drm-omap-handle-alloc-failures-in-omap_connector.patch new file mode 100644 index 00000000000..a26409c16a2 --- /dev/null +++ b/queue-4.16/drm-omap-handle-alloc-failures-in-omap_connector.patch @@ -0,0 +1,56 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Tomi Valkeinen +Date: Wed, 2 May 2018 12:11:59 +0300 +Subject: drm/omap: handle alloc failures in omap_connector + +From: Tomi Valkeinen + +[ Upstream commit 47aaaec818dfd1009d1358974a2931f05dd57203 ] + +Handle memory allocation failures in omap_connector to avoid NULL +derefs. + +Signed-off-by: Tomi Valkeinen +Link: https://patchwork.freedesktop.org/patch/msgid/20180502091159.7071-5-tomi.valkeinen@ti.com +Reviewed-by: Benoit Parrot +Reviewed-by: Peter Ujfalusi +Signed-off-by: Sean Paul +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/omapdrm/omap_connector.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/gpu/drm/omapdrm/omap_connector.c ++++ b/drivers/gpu/drm/omapdrm/omap_connector.c +@@ -121,6 +121,9 @@ static int omap_connector_get_modes(stru + if (dssdrv->read_edid) { + void *edid = kzalloc(MAX_EDID, GFP_KERNEL); + ++ if (!edid) ++ return 0; ++ + if ((dssdrv->read_edid(dssdev, edid, MAX_EDID) > 0) && + drm_edid_is_valid(edid)) { + drm_mode_connector_update_edid_property( +@@ -139,6 +142,9 @@ static int omap_connector_get_modes(stru + struct drm_display_mode *mode = drm_mode_create(dev); + struct videomode vm = {0}; + ++ if (!mode) ++ return 0; ++ + dssdrv->get_timings(dssdev, &vm); + + drm_display_mode_from_videomode(&vm, mode); +@@ -200,6 +206,10 @@ static int omap_connector_mode_valid(str + if (!r) { + /* check if vrefresh is still valid */ + new_mode = drm_mode_duplicate(dev, mode); ++ ++ if (!new_mode) ++ return MODE_BAD; ++ + new_mode->clock = vm.pixelclock / 1000; + new_mode->vrefresh = 0; + if (mode->vrefresh == drm_mode_vrefresh(new_mode)) diff --git a/queue-4.16/drm-omap-silence-unititialized-variable-warning.patch b/queue-4.16/drm-omap-silence-unititialized-variable-warning.patch new file mode 100644 index 00000000000..3b26401ea54 --- /dev/null +++ b/queue-4.16/drm-omap-silence-unititialized-variable-warning.patch @@ -0,0 +1,36 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Dan Carpenter +Date: Wed, 18 Apr 2018 17:29:37 +0300 +Subject: drm/omap: silence unititialized variable warning + +From: Dan Carpenter + +[ Upstream commit 4a9fbfcab19d3f71ad2bf0bcb653c4ee84e69c7f ] + +Smatch complains that "area_free" could be used without being +initialized. This code is several years old and premusably works fine +so this can't be a very serious bug. But it's easy enough to silence +the warning. If "area_free" is false at the end of the function then +we return -ENOMEM. + +Signed-off-by: Dan Carpenter +Signed-off-by: Tomi Valkeinen +Link: https://patchwork.freedesktop.org/patch/msgid/20180418142937.GA13828@mwanda +Signed-off-by: Sean Paul +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/omapdrm/tcm-sita.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/omapdrm/tcm-sita.c ++++ b/drivers/gpu/drm/omapdrm/tcm-sita.c +@@ -90,7 +90,7 @@ static int l2r_t2b(uint16_t w, uint16_t + { + int i; + unsigned long index; +- bool area_free; ++ bool area_free = false; + unsigned long slots_per_band = PAGE_SIZE / slot_bytes; + unsigned long bit_offset = (offset > 0) ? offset / slot_bytes : 0; + unsigned long curr_bit = bit_offset; diff --git a/queue-4.16/drm-vc4-fix-oops-dereferencing-dpi-s-connector-since-panel_bridge.patch b/queue-4.16/drm-vc4-fix-oops-dereferencing-dpi-s-connector-since-panel_bridge.patch new file mode 100644 index 00000000000..c02c9dc378b --- /dev/null +++ b/queue-4.16/drm-vc4-fix-oops-dereferencing-dpi-s-connector-since-panel_bridge.patch @@ -0,0 +1,83 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Eric Anholt +Date: Fri, 9 Mar 2018 15:32:56 -0800 +Subject: drm/vc4: Fix oops dereferencing DPI's connector since panel_bridge. + +From: Eric Anholt + +[ Upstream commit 164c2416dd40770aba5814f93da835e8a9f7196d ] + +In the cleanup, I didn't notice that we needed to dereference the +connector for the bus_format. Fix the regression by looking up the +first (and only) connector attached to us, and assume that its +bus_format is what we want. Some day it would be good to have that +part of display_info attached to the bridge, instead. + +v2: Fix stray whitespace change + +Signed-off-by: Eric Anholt +Fixes: 7b1298e05310 ("drm/vc4: Switch DPI to using the panel-bridge helper.") +Link: https://patchwork.freedesktop.org/patch/msgid/20180309233256.1667-1-eric@anholt.net +Reviewed-by: Sean Paul +Reviewed-by: Boris Brezillon +Signed-off-by: Sean Paul +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/vc4/vc4_dpi.c | 25 ++++++++++++++++++++++--- + 1 file changed, 22 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/vc4/vc4_dpi.c ++++ b/drivers/gpu/drm/vc4/vc4_dpi.c +@@ -96,7 +96,6 @@ struct vc4_dpi { + struct platform_device *pdev; + + struct drm_encoder *encoder; +- struct drm_connector *connector; + + void __iomem *regs; + +@@ -164,14 +163,31 @@ static void vc4_dpi_encoder_disable(stru + + static void vc4_dpi_encoder_enable(struct drm_encoder *encoder) + { ++ struct drm_device *dev = encoder->dev; + struct drm_display_mode *mode = &encoder->crtc->mode; + struct vc4_dpi_encoder *vc4_encoder = to_vc4_dpi_encoder(encoder); + struct vc4_dpi *dpi = vc4_encoder->dpi; ++ struct drm_connector_list_iter conn_iter; ++ struct drm_connector *connector = NULL, *connector_scan; + u32 dpi_c = DPI_ENABLE | DPI_OUTPUT_ENABLE_MODE; + int ret; + +- if (dpi->connector->display_info.num_bus_formats) { +- u32 bus_format = dpi->connector->display_info.bus_formats[0]; ++ /* Look up the connector attached to DPI so we can get the ++ * bus_format. Ideally the bridge would tell us the ++ * bus_format we want, but it doesn't yet, so assume that it's ++ * uniform throughout the bridge chain. ++ */ ++ drm_connector_list_iter_begin(dev, &conn_iter); ++ drm_for_each_connector_iter(connector_scan, &conn_iter) { ++ if (connector_scan->encoder == encoder) { ++ connector = connector_scan; ++ break; ++ } ++ } ++ drm_connector_list_iter_end(&conn_iter); ++ ++ if (connector && connector->display_info.num_bus_formats) { ++ u32 bus_format = connector->display_info.bus_formats[0]; + + switch (bus_format) { + case MEDIA_BUS_FMT_RGB888_1X24: +@@ -199,6 +215,9 @@ static void vc4_dpi_encoder_enable(struc + DRM_ERROR("Unknown media bus format %d\n", bus_format); + break; + } ++ } else { ++ /* Default to 24bit if no connector found. */ ++ dpi_c |= VC4_SET_FIELD(DPI_FORMAT_24BIT_888_RGB, DPI_FORMAT); + } + + if (mode->flags & DRM_MODE_FLAG_NHSYNC) diff --git a/queue-4.16/dt-bindings-dmaengine-rcar-dmac-document-r8a77965-support.patch b/queue-4.16/dt-bindings-dmaengine-rcar-dmac-document-r8a77965-support.patch new file mode 100644 index 00000000000..fd91ecb248a --- /dev/null +++ b/queue-4.16/dt-bindings-dmaengine-rcar-dmac-document-r8a77965-support.patch @@ -0,0 +1,32 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Jacopo Mondi +Date: Mon, 16 Apr 2018 15:56:08 +0200 +Subject: dt-bindings: dmaengine: rcar-dmac: document R8A77965 support + +From: Jacopo Mondi + +[ Upstream commit b89bc283286b105e50aab9ab35992c0237ac77d8 ] + +Add documentation for r8a77965 compatible string to rcar-dmac device +tree bindings documentation. + +Signed-off-by: Jacopo Mondi +Reviewed-by: Geert Uytterhoeven +Reviewed-by: Simon Horman +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/dma/renesas,rcar-dmac.txt | 1 + + 1 file changed, 1 insertion(+) + +--- a/Documentation/devicetree/bindings/dma/renesas,rcar-dmac.txt ++++ b/Documentation/devicetree/bindings/dma/renesas,rcar-dmac.txt +@@ -25,6 +25,7 @@ Required Properties: + - "renesas,dmac-r8a7794" (R-Car E2) + - "renesas,dmac-r8a7795" (R-Car H3) + - "renesas,dmac-r8a7796" (R-Car M3-W) ++ - "renesas,dmac-r8a77965" (R-Car M3-N) + - "renesas,dmac-r8a77970" (R-Car V3M) + + - reg: base address and length of the registers block for the DMAC diff --git a/queue-4.16/dt-bindings-meson-uart-dt-fix-s-clocks-names-clock-names.patch b/queue-4.16/dt-bindings-meson-uart-dt-fix-s-clocks-names-clock-names.patch new file mode 100644 index 00000000000..515835918e2 --- /dev/null +++ b/queue-4.16/dt-bindings-meson-uart-dt-fix-s-clocks-names-clock-names.patch @@ -0,0 +1,28 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Geert Uytterhoeven +Date: Mon, 23 Apr 2018 09:32:40 +0200 +Subject: dt-bindings: meson-uart: DT fix s/clocks-names/clock-names/ + +From: Geert Uytterhoeven + +[ Upstream commit 34df2466b48dfe258e14fe2a7bc4641416575ade ] + +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/serial/amlogic,meson-uart.txt | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/Documentation/devicetree/bindings/serial/amlogic,meson-uart.txt ++++ b/Documentation/devicetree/bindings/serial/amlogic,meson-uart.txt +@@ -21,7 +21,7 @@ Required properties: + - interrupts : identifier to the device interrupt + - clocks : a list of phandle + clock-specifier pairs, one for each + entry in clock names. +-- clocks-names : ++- clock-names : + * "xtal" for external xtal clock identifier + * "pclk" for the bus core clock, either the clk81 clock or the gate clock + * "baud" for the source of the baudrate generator, can be either the xtal diff --git a/queue-4.16/dt-bindings-mvebu-uart-dt-fix-s-interrupts-names-interrupt-names.patch b/queue-4.16/dt-bindings-mvebu-uart-dt-fix-s-interrupts-names-interrupt-names.patch new file mode 100644 index 00000000000..6c2ebdc4de8 --- /dev/null +++ b/queue-4.16/dt-bindings-mvebu-uart-dt-fix-s-interrupts-names-interrupt-names.patch @@ -0,0 +1,28 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Geert Uytterhoeven +Date: Mon, 23 Apr 2018 09:35:16 +0200 +Subject: dt-bindings: mvebu-uart: DT fix s/interrupts-names/interrupt-names/ + +From: Geert Uytterhoeven + +[ Upstream commit 17a16542b88e753cc3bd54cf30b74df3d547421e ] + +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/serial/mvebu-uart.txt | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/Documentation/devicetree/bindings/serial/mvebu-uart.txt ++++ b/Documentation/devicetree/bindings/serial/mvebu-uart.txt +@@ -24,7 +24,7 @@ Required properties: + - Must contain two elements for the extended variant of the IP + (marvell,armada-3700-uart-ext): "uart-tx" and "uart-rx", + respectively the UART TX interrupt and the UART RX interrupt. A +- corresponding interrupts-names property must be defined. ++ corresponding interrupt-names property must be defined. + - For backward compatibility reasons, a single element interrupts + property is also supported for the standard variant of the IP, + containing only the UART sum interrupt. This form is deprecated diff --git a/queue-4.16/dt-bindings-net-ravb-add-support-for-r8a77965-soc.patch b/queue-4.16/dt-bindings-net-ravb-add-support-for-r8a77965-soc.patch new file mode 100644 index 00000000000..8a750ac9556 --- /dev/null +++ b/queue-4.16/dt-bindings-net-ravb-add-support-for-r8a77965-soc.patch @@ -0,0 +1,33 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Jacopo Mondi +Date: Mon, 16 Apr 2018 15:55:17 +0200 +Subject: dt-bindings: net: ravb: Add support for r8a77965 SoC + +From: Jacopo Mondi + +[ Upstream commit 1a862488729a6ea9cfd285d2c90f8738949ae7d2 ] + +Add documentation for r8a77965 compatible string to renesas ravb device +tree bindings documentation. + +Signed-off-by: Jacopo Mondi +Reviewed-by: Geert Uytterhoeven +Reviewed-by: Simon Horman +Acked-by: Sergei Shtylyov +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/net/renesas,ravb.txt | 1 + + 1 file changed, 1 insertion(+) + +--- a/Documentation/devicetree/bindings/net/renesas,ravb.txt ++++ b/Documentation/devicetree/bindings/net/renesas,ravb.txt +@@ -17,6 +17,7 @@ Required properties: + + - "renesas,etheravb-r8a7795" for the R8A7795 SoC. + - "renesas,etheravb-r8a7796" for the R8A7796 SoC. ++ - "renesas,etheravb-r8a77965" for the R8A77965 SoC. + - "renesas,etheravb-r8a77970" for the R8A77970 SoC. + - "renesas,etheravb-r8a77980" for the R8A77980 SoC. + - "renesas,etheravb-r8a77995" for the R8A77995 SoC. diff --git a/queue-4.16/dt-bindings-panel-lvds-fix-path-to-display-timing-bindings.patch b/queue-4.16/dt-bindings-panel-lvds-fix-path-to-display-timing-bindings.patch new file mode 100644 index 00000000000..b0236db2be6 --- /dev/null +++ b/queue-4.16/dt-bindings-panel-lvds-fix-path-to-display-timing-bindings.patch @@ -0,0 +1,31 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Geert Uytterhoeven +Date: Wed, 25 Apr 2018 09:49:38 +0200 +Subject: dt-bindings: panel: lvds: Fix path to display timing bindings + +From: Geert Uytterhoeven + +[ Upstream commit f130307054a59ca21d2396f386be77ebd2e8ca96 ] + +Fixes: 14da3ed8dd08c581 ("devicetree/bindings: display: Document common +panel properties") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Laurent Pinchart +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/display/panel/panel-common.txt | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/Documentation/devicetree/bindings/display/panel/panel-common.txt ++++ b/Documentation/devicetree/bindings/display/panel/panel-common.txt +@@ -38,7 +38,7 @@ Display Timings + require specific display timings. The panel-timing subnode expresses those + timings as specified in the timing subnode section of the display timing + bindings defined in +- Documentation/devicetree/bindings/display/display-timing.txt. ++ Documentation/devicetree/bindings/display/panel/display-timing.txt. + + + Connectivity diff --git a/queue-4.16/dt-bindings-pinctrl-sunxi-fix-reference-to-driver.patch b/queue-4.16/dt-bindings-pinctrl-sunxi-fix-reference-to-driver.patch new file mode 100644 index 00000000000..a6927cca6bf --- /dev/null +++ b/queue-4.16/dt-bindings-pinctrl-sunxi-fix-reference-to-driver.patch @@ -0,0 +1,35 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Matheus Castello +Date: Wed, 11 Apr 2018 01:17:03 -0400 +Subject: dt-bindings: pinctrl: sunxi: Fix reference to driver + +From: Matheus Castello + +[ Upstream commit b614e905a0bc8fc5d4fa72665ac26ae00c874a4e ] + +Bindings describe hardware, not drivers. +Use reference to hardware Allwinner A1X Pin Controller instead driver. + +Signed-off-by: Matheus Castello +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/pinctrl/allwinner,sunxi-pinctrl.txt | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/Documentation/devicetree/bindings/pinctrl/allwinner,sunxi-pinctrl.txt ++++ b/Documentation/devicetree/bindings/pinctrl/allwinner,sunxi-pinctrl.txt +@@ -55,9 +55,9 @@ pins it needs, and how they should be co + configuration, drive strength and pullups. If one of these options is + not set, its actual value will be unspecified. + +-This driver supports the generic pin multiplexing and configuration +-bindings. For details on each properties, you can refer to +-./pinctrl-bindings.txt. ++Allwinner A1X Pin Controller supports the generic pin multiplexing and ++configuration bindings. For details on each properties, you can refer to ++ ./pinctrl-bindings.txt. + + Required sub-node properties: + - pins diff --git a/queue-4.16/dt-bindings-serial-sh-sci-add-support-for-r8a77965-h-scif.patch b/queue-4.16/dt-bindings-serial-sh-sci-add-support-for-r8a77965-h-scif.patch new file mode 100644 index 00000000000..f70b598498a --- /dev/null +++ b/queue-4.16/dt-bindings-serial-sh-sci-add-support-for-r8a77965-h-scif.patch @@ -0,0 +1,32 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Jacopo Mondi +Date: Mon, 16 Apr 2018 15:55:28 +0200 +Subject: dt-bindings: serial: sh-sci: Add support for r8a77965 (H)SCIF + +From: Jacopo Mondi + +[ Upstream commit 7de5b7e5f6a67c285b86d1478e8e150929c93482 ] + +Add documentation for r8a77965 compatible string to Renesas sci-serial +device tree bindings documentation. + +Signed-off-by: Jacopo Mondi +Reviewed-by: Geert Uytterhoeven +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/serial/renesas,sci-serial.txt | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/Documentation/devicetree/bindings/serial/renesas,sci-serial.txt ++++ b/Documentation/devicetree/bindings/serial/renesas,sci-serial.txt +@@ -41,6 +41,8 @@ Required properties: + - "renesas,hscif-r8a7795" for R8A7795 (R-Car H3) HSCIF compatible UART. + - "renesas,scif-r8a7796" for R8A7796 (R-Car M3-W) SCIF compatible UART. + - "renesas,hscif-r8a7796" for R8A7796 (R-Car M3-W) HSCIF compatible UART. ++ - "renesas,scif-r8a77965" for R8A77965 (R-Car M3-N) SCIF compatible UART. ++ - "renesas,hscif-r8a77965" for R8A77965 (R-Car M3-N) HSCIF compatible UART. + - "renesas,scif-r8a77970" for R8A77970 (R-Car V3M) SCIF compatible UART. + - "renesas,hscif-r8a77970" for R8A77970 (R-Car V3M) HSCIF compatible UART. + - "renesas,scif-r8a77995" for R8A77995 (R-Car D3) SCIF compatible UART. diff --git a/queue-4.16/ecryptfs-don-t-pass-up-plaintext-names-when-using-filename-encryption.patch b/queue-4.16/ecryptfs-don-t-pass-up-plaintext-names-when-using-filename-encryption.patch new file mode 100644 index 00000000000..7648485b34d --- /dev/null +++ b/queue-4.16/ecryptfs-don-t-pass-up-plaintext-names-when-using-filename-encryption.patch @@ -0,0 +1,154 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Tyler Hicks +Date: Wed, 28 Mar 2018 23:41:52 +0000 +Subject: eCryptfs: don't pass up plaintext names when using filename encryption + +From: Tyler Hicks + +[ Upstream commit e86281e700cca8a773f9a572fa406adf2784ba5c ] + +Both ecryptfs_filldir() and ecryptfs_readlink_lower() use +ecryptfs_decode_and_decrypt_filename() to translate lower filenames to +upper filenames. The function correctly passes up lower filenames, +unchanged, when filename encryption isn't in use. However, it was also +passing up lower filenames when the filename wasn't encrypted or +when decryption failed. Since 88ae4ab9802e, eCryptfs refuses to lookup +lower plaintext names when filename encryption is enabled so this +resulted in a situation where userspace would see lower plaintext +filenames in calls to getdents(2) but then not be able to lookup those +filenames. + +An example of this can be seen when enabling filename encryption on an +eCryptfs mount at the root directory of an Ext4 filesystem: + +$ ls -1i /lower +12 ECRYPTFS_FNEK_ENCRYPTED.FWYZD8TcW.5FV-TKTEYOHsheiHX9a-w.NURCCYIMjI8pn5BDB9-h3fXwrE-- +11 lost+found +$ ls -1i /upper +ls: cannot access '/upper/lost+found': No such file or directory + ? lost+found +12 test + +With this change, the lower lost+found dentry is ignored: + +$ ls -1i /lower +12 ECRYPTFS_FNEK_ENCRYPTED.FWYZD8TcW.5FV-TKTEYOHsheiHX9a-w.NURCCYIMjI8pn5BDB9-h3fXwrE-- +11 lost+found +$ ls -1i /upper +12 test + +Additionally, some potentially noisy error/info messages in the related +code paths are turned into debug messages so that the logs can't be +easily filled. + +Fixes: 88ae4ab9802e ("ecryptfs_lookup(): try either only encrypted or plaintext name") +Reported-by: Guenter Roeck +Cc: Al Viro +Signed-off-by: Tyler Hicks +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/ecryptfs/crypto.c | 41 ++++++++++++++++++++++++++++------------- + fs/ecryptfs/file.c | 21 ++++++++++++++++----- + 2 files changed, 44 insertions(+), 18 deletions(-) + +--- a/fs/ecryptfs/crypto.c ++++ b/fs/ecryptfs/crypto.c +@@ -1997,6 +1997,16 @@ out: + return rc; + } + ++static bool is_dot_dotdot(const char *name, size_t name_size) ++{ ++ if (name_size == 1 && name[0] == '.') ++ return true; ++ else if (name_size == 2 && name[0] == '.' && name[1] == '.') ++ return true; ++ ++ return false; ++} ++ + /** + * ecryptfs_decode_and_decrypt_filename - converts the encoded cipher text name to decoded plaintext + * @plaintext_name: The plaintext name +@@ -2021,13 +2031,21 @@ int ecryptfs_decode_and_decrypt_filename + size_t packet_size; + int rc = 0; + +- if ((mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES) +- && !(mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED) +- && (name_size > ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE) +- && (strncmp(name, ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX, +- ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE) == 0)) { +- const char *orig_name = name; +- size_t orig_name_size = name_size; ++ if ((mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES) && ++ !(mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)) { ++ if (is_dot_dotdot(name, name_size)) { ++ rc = ecryptfs_copy_filename(plaintext_name, ++ plaintext_name_size, ++ name, name_size); ++ goto out; ++ } ++ ++ if (name_size <= ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE || ++ strncmp(name, ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX, ++ ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE)) { ++ rc = -EINVAL; ++ goto out; ++ } + + name += ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE; + name_size -= ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE; +@@ -2047,12 +2065,9 @@ int ecryptfs_decode_and_decrypt_filename + decoded_name, + decoded_name_size); + if (rc) { +- printk(KERN_INFO "%s: Could not parse tag 70 packet " +- "from filename; copying through filename " +- "as-is\n", __func__); +- rc = ecryptfs_copy_filename(plaintext_name, +- plaintext_name_size, +- orig_name, orig_name_size); ++ ecryptfs_printk(KERN_DEBUG, ++ "%s: Could not parse tag 70 packet from filename\n", ++ __func__); + goto out_free; + } + } else { +--- a/fs/ecryptfs/file.c ++++ b/fs/ecryptfs/file.c +@@ -82,17 +82,28 @@ ecryptfs_filldir(struct dir_context *ctx + buf->sb, lower_name, + lower_namelen); + if (rc) { +- printk(KERN_ERR "%s: Error attempting to decode and decrypt " +- "filename [%s]; rc = [%d]\n", __func__, lower_name, +- rc); +- goto out; ++ if (rc != -EINVAL) { ++ ecryptfs_printk(KERN_DEBUG, ++ "%s: Error attempting to decode and decrypt filename [%s]; rc = [%d]\n", ++ __func__, lower_name, rc); ++ return rc; ++ } ++ ++ /* Mask -EINVAL errors as these are most likely due a plaintext ++ * filename present in the lower filesystem despite filename ++ * encryption being enabled. One unavoidable example would be ++ * the "lost+found" dentry in the root directory of an Ext4 ++ * filesystem. ++ */ ++ return 0; + } ++ + buf->caller->pos = buf->ctx.pos; + rc = !dir_emit(buf->caller, name, name_size, ino, d_type); + kfree(name); + if (!rc) + buf->entries_written++; +-out: ++ + return rc; + } + diff --git a/queue-4.16/efi-libstub-arm64-handle-randomized-text_offset.patch b/queue-4.16/efi-libstub-arm64-handle-randomized-text_offset.patch new file mode 100644 index 00000000000..7c0ae36f056 --- /dev/null +++ b/queue-4.16/efi-libstub-arm64-handle-randomized-text_offset.patch @@ -0,0 +1,62 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Mark Rutland +Date: Fri, 18 May 2018 16:08:41 +0200 +Subject: efi/libstub/arm64: Handle randomized TEXT_OFFSET + +From: Mark Rutland + +[ Upstream commit 4f74d72aa7067e75af92fbab077e6d7d0210be66 ] + +When CONFIG_RANDOMIZE_TEXT_OFFSET=y, TEXT_OFFSET is an arbitrary +multiple of PAGE_SIZE in the interval [0, 2MB). + +The EFI stub does not account for the potential misalignment of +TEXT_OFFSET relative to EFI_KIMG_ALIGN, and produces a randomized +physical offset which is always a round multiple of EFI_KIMG_ALIGN. +This may result in statically allocated objects whose alignment exceeds +PAGE_SIZE to appear misaligned in memory. This has been observed to +result in spurious stack overflow reports and failure to make use of +the IRQ stacks, and theoretically could result in a number of other +issues. + +We can OR in the low bits of TEXT_OFFSET to ensure that we have the +necessary offset (and hence preserve the misalignment of TEXT_OFFSET +relative to EFI_KIMG_ALIGN), so let's do that. + +Reported-by: Kim Phillips +Tested-by: Kim Phillips +[ardb: clarify comment and commit log, drop unneeded parens] +Signed-off-by: Mark Rutland +Signed-off-by: Ard Biesheuvel +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux-efi@vger.kernel.org +Fixes: 6f26b3671184c36d ("arm64: kaslr: increase randomization granularity") +Link: http://lkml.kernel.org/r/20180518140841.9731-2-ard.biesheuvel@linaro.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/efi/libstub/arm64-stub.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/firmware/efi/libstub/arm64-stub.c ++++ b/drivers/firmware/efi/libstub/arm64-stub.c +@@ -98,6 +98,16 @@ efi_status_t handle_kernel_image(efi_sys + (phys_seed >> 32) & mask : TEXT_OFFSET; + + /* ++ * With CONFIG_RANDOMIZE_TEXT_OFFSET=y, TEXT_OFFSET may not ++ * be a multiple of EFI_KIMG_ALIGN, and we must ensure that ++ * we preserve the misalignment of 'offset' relative to ++ * EFI_KIMG_ALIGN so that statically allocated objects whose ++ * alignment exceeds PAGE_SIZE appear correctly aligned in ++ * memory. ++ */ ++ offset |= TEXT_OFFSET % EFI_KIMG_ALIGN; ++ ++ /* + * If KASLR is enabled, and we have some randomness available, + * locate the kernel at a randomized offset in physical memory. + */ diff --git a/queue-4.16/fsnotify-fix-ignore-mask-logic-in-send_to_group.patch b/queue-4.16/fsnotify-fix-ignore-mask-logic-in-send_to_group.patch new file mode 100644 index 00000000000..305d00d1b9d --- /dev/null +++ b/queue-4.16/fsnotify-fix-ignore-mask-logic-in-send_to_group.patch @@ -0,0 +1,77 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Amir Goldstein +Date: Thu, 5 Apr 2018 16:18:03 +0300 +Subject: fsnotify: fix ignore mask logic in send_to_group() + +From: Amir Goldstein + +[ Upstream commit 92183a42898dc400b89da35685d1814ac6acd3d8 ] + +The ignore mask logic in send_to_group() does not match the logic +in fanotify_should_send_event(). In the latter, a vfsmount mark ignore +mask precedes an inode mark mask and in the former, it does not. + +That difference may cause events to be sent to fanotify backend for no +reason. Fix the logic in send_to_group() to match that of +fanotify_should_send_event(). + +Signed-off-by: Amir Goldstein +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/notify/fsnotify.c | 25 +++++++++++-------------- + 1 file changed, 11 insertions(+), 14 deletions(-) + +--- a/fs/notify/fsnotify.c ++++ b/fs/notify/fsnotify.c +@@ -192,8 +192,9 @@ static int send_to_group(struct inode *t + struct fsnotify_iter_info *iter_info) + { + struct fsnotify_group *group = NULL; +- __u32 inode_test_mask = 0; +- __u32 vfsmount_test_mask = 0; ++ __u32 test_mask = (mask & ~FS_EVENT_ON_CHILD); ++ __u32 marks_mask = 0; ++ __u32 marks_ignored_mask = 0; + + if (unlikely(!inode_mark && !vfsmount_mark)) { + BUG(); +@@ -213,29 +214,25 @@ static int send_to_group(struct inode *t + /* does the inode mark tell us to do something? */ + if (inode_mark) { + group = inode_mark->group; +- inode_test_mask = (mask & ~FS_EVENT_ON_CHILD); +- inode_test_mask &= inode_mark->mask; +- inode_test_mask &= ~inode_mark->ignored_mask; ++ marks_mask |= inode_mark->mask; ++ marks_ignored_mask |= inode_mark->ignored_mask; + } + + /* does the vfsmount_mark tell us to do something? */ + if (vfsmount_mark) { +- vfsmount_test_mask = (mask & ~FS_EVENT_ON_CHILD); + group = vfsmount_mark->group; +- vfsmount_test_mask &= vfsmount_mark->mask; +- vfsmount_test_mask &= ~vfsmount_mark->ignored_mask; +- if (inode_mark) +- vfsmount_test_mask &= ~inode_mark->ignored_mask; ++ marks_mask |= vfsmount_mark->mask; ++ marks_ignored_mask |= vfsmount_mark->ignored_mask; + } + + pr_debug("%s: group=%p to_tell=%p mask=%x inode_mark=%p" +- " inode_test_mask=%x vfsmount_mark=%p vfsmount_test_mask=%x" ++ " vfsmount_mark=%p marks_mask=%x marks_ignored_mask=%x" + " data=%p data_is=%d cookie=%d\n", +- __func__, group, to_tell, mask, inode_mark, +- inode_test_mask, vfsmount_mark, vfsmount_test_mask, data, ++ __func__, group, to_tell, mask, inode_mark, vfsmount_mark, ++ marks_mask, marks_ignored_mask, data, + data_is, cookie); + +- if (!inode_test_mask && !vfsmount_test_mask) ++ if (!(test_mask & marks_mask & ~marks_ignored_mask)) + return 0; + + return group->ops->handle_event(group, to_tell, inode_mark, diff --git a/queue-4.16/gcc-plugins-fix-build-condition-of-sancov-plugin.patch b/queue-4.16/gcc-plugins-fix-build-condition-of-sancov-plugin.patch new file mode 100644 index 00000000000..56a0cac0e22 --- /dev/null +++ b/queue-4.16/gcc-plugins-fix-build-condition-of-sancov-plugin.patch @@ -0,0 +1,47 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Masahiro Yamada +Date: Fri, 13 Apr 2018 14:06:10 +0900 +Subject: gcc-plugins: fix build condition of SANCOV plugin + +From: Masahiro Yamada + +[ Upstream commit 642ef99be932c4071274b28eaf3d3d85bbb6e78c ] + +Since commit d677a4d60193 ("Makefile: support flag +-fsanitizer-coverage=trace-cmp"), you miss to build the SANCOV +plugin under some circumstances. + + CONFIG_KCOV=y + CONFIG_KCOV_ENABLE_COMPARISONS=y + Your compiler does not support -fsanitize-coverage=trace-pc + Your compiler does not support -fsanitize-coverage=trace-cmp + +Under this condition, $(CFLAGS_KCOV) is not empty but contains a +space, so the following ifeq-conditional is false. + + ifeq ($(CFLAGS_KCOV),) + +Then, scripts/Makefile.gcc-plugins misses to add sancov_plugin.so to +gcc-plugin-y while the SANCOV plugin is necessary as an alternative +means. + +Fixes: d677a4d60193 ("Makefile: support flag -fsanitizer-coverage=trace-cmp") +Signed-off-by: Masahiro Yamada +Acked-by: Kees Cook +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + scripts/Makefile.gcc-plugins | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/scripts/Makefile.gcc-plugins ++++ b/scripts/Makefile.gcc-plugins +@@ -14,7 +14,7 @@ ifdef CONFIG_GCC_PLUGINS + endif + + ifdef CONFIG_GCC_PLUGIN_SANCOV +- ifeq ($(CFLAGS_KCOV),) ++ ifeq ($(strip $(CFLAGS_KCOV)),) + # It is needed because of the gcc-plugin.sh and gcc version checks. + gcc-plugin-$(CONFIG_GCC_PLUGIN_SANCOV) += sancov_plugin.so + diff --git a/queue-4.16/hexagon-add-memset_io-helper.patch b/queue-4.16/hexagon-add-memset_io-helper.patch new file mode 100644 index 00000000000..896091ac7ed --- /dev/null +++ b/queue-4.16/hexagon-add-memset_io-helper.patch @@ -0,0 +1,39 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Arnd Bergmann +Date: Fri, 6 Apr 2018 16:28:22 +0200 +Subject: hexagon: add memset_io() helper + +From: Arnd Bergmann + +[ Upstream commit a57ab96ef9dde231d4d46edba4d5f73720edc16a ] + +We already have memcpy_toio(), but not memset_io(), so let's +add the obvious version to allow building an allmodconfig kernel +without errors like + +drivers/gpu/drm/ttm/ttm_bo_util.c: In function 'ttm_bo_move_memcpy': +drivers/gpu/drm/ttm/ttm_bo_util.c:390:3: error: implicit declaration of function 'memset_io' [-Werror=implicit-function-declaration] + +Signed-off-by: Arnd Bergmann +Signed-off-by: Richard Kuo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/hexagon/include/asm/io.h | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/arch/hexagon/include/asm/io.h ++++ b/arch/hexagon/include/asm/io.h +@@ -216,6 +216,12 @@ static inline void memcpy_toio(volatile + memcpy((void *) dst, src, count); + } + ++static inline void memset_io(volatile void __iomem *addr, int value, ++ size_t size) ++{ ++ memset((void __force *)addr, value, size); ++} ++ + #define PCI_IO_ADDR (volatile void __iomem *) + + /* diff --git a/queue-4.16/hexagon-export-csum_partial_copy_nocheck.patch b/queue-4.16/hexagon-export-csum_partial_copy_nocheck.patch new file mode 100644 index 00000000000..903f71c6db6 --- /dev/null +++ b/queue-4.16/hexagon-export-csum_partial_copy_nocheck.patch @@ -0,0 +1,27 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Arnd Bergmann +Date: Fri, 6 Apr 2018 16:28:23 +0200 +Subject: hexagon: export csum_partial_copy_nocheck + +From: Arnd Bergmann + +[ Upstream commit 330e261c35dfb969c48f996dbbc8b334b5ee8d9d ] + +This is needed to link ipv6 as a loadable module, which in turn happens +in allmodconfig. + +Signed-off-by: Arnd Bergmann +Signed-off-by: Richard Kuo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/hexagon/lib/checksum.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/hexagon/lib/checksum.c ++++ b/arch/hexagon/lib/checksum.c +@@ -199,3 +199,4 @@ csum_partial_copy_nocheck(const void *sr + memcpy(dst, src, len); + return csum_partial(dst, len, sum); + } ++EXPORT_SYMBOL(csum_partial_copy_nocheck); diff --git a/queue-4.16/hid-i2c-hid-add-resend_report_descr-quirk-for-toshiba-click-mini-l9w-b.patch b/queue-4.16/hid-i2c-hid-add-resend_report_descr-quirk-for-toshiba-click-mini-l9w-b.patch new file mode 100644 index 00000000000..2312d229aba --- /dev/null +++ b/queue-4.16/hid-i2c-hid-add-resend_report_descr-quirk-for-toshiba-click-mini-l9w-b.patch @@ -0,0 +1,44 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Hans de Goede +Date: Thu, 3 May 2018 11:32:33 +0200 +Subject: HID: i2c-hid: Add RESEND_REPORT_DESCR quirk for Toshiba Click Mini L9W-B + +From: Hans de Goede + +[ Upstream commit 070b9637dd8fa85c3ba7ecc60fe57fa4da9c2d1d ] + +The 0457:10fb touchscreen found on the Toshiba Click Mini L9W-B needs +to have a report-decriptors command send to it on resume in order for +the touchscreen to start generating events again on resume. + +Signed-off-by: Hans de Goede +Acked-by: Benjamin Tissoires +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/i2c-hid/i2c-hid.c | 2 ++ + 2 files changed, 3 insertions(+) + +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -966,6 +966,7 @@ + #define USB_DEVICE_ID_SIS817_TOUCH 0x0817 + #define USB_DEVICE_ID_SIS_TS 0x1013 + #define USB_DEVICE_ID_SIS1030_TOUCH 0x1030 ++#define USB_DEVICE_ID_SIS10FB_TOUCH 0x10fb + + #define USB_VENDOR_ID_SKYCABLE 0x1223 + #define USB_DEVICE_ID_SKYCABLE_WIRELESS_PRESENTER 0x3F07 +--- a/drivers/hid/i2c-hid/i2c-hid.c ++++ b/drivers/hid/i2c-hid/i2c-hid.c +@@ -174,6 +174,8 @@ static const struct i2c_hid_quirks { + I2C_HID_QUIRK_NO_IRQ_AFTER_RESET }, + { I2C_VENDOR_ID_RAYD, I2C_PRODUCT_ID_RAYD_3118, + I2C_HID_QUIRK_RESEND_REPORT_DESCR }, ++ { USB_VENDOR_ID_SIS_TOUCH, USB_DEVICE_ID_SIS10FB_TOUCH, ++ I2C_HID_QUIRK_RESEND_REPORT_DESCR }, + { 0, 0 } + }; + diff --git a/queue-4.16/hid-intel-ish-hid-use-put_device-instead-of-kfree.patch b/queue-4.16/hid-intel-ish-hid-use-put_device-instead-of-kfree.patch new file mode 100644 index 00000000000..7e3a3980560 --- /dev/null +++ b/queue-4.16/hid-intel-ish-hid-use-put_device-instead-of-kfree.patch @@ -0,0 +1,32 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Arvind Yadav +Date: Fri, 30 Mar 2018 16:56:10 +0530 +Subject: HID: intel-ish-hid: use put_device() instead of kfree() + +From: Arvind Yadav + +[ Upstream commit a4eb490a41a0da3b1275fc7427084cf9ae2c3c1c ] + +Never directly free @dev after calling device_register(), even +if it returned an error. Always use put_device() to give up the +reference initialized. + +Signed-off-by: Arvind Yadav +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/intel-ish-hid/ishtp/bus.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hid/intel-ish-hid/ishtp/bus.c ++++ b/drivers/hid/intel-ish-hid/ishtp/bus.c +@@ -418,7 +418,7 @@ static struct ishtp_cl_device *ishtp_bus + list_del(&device->device_link); + spin_unlock_irqrestore(&dev->device_list_lock, flags); + dev_err(dev->devc, "Failed to register ISHTP client device\n"); +- kfree(device); ++ put_device(&device->dev); + return NULL; + } + diff --git a/queue-4.16/hid-lenovo-add-support-for-ibm-lenovo-scrollpoint-mice.patch b/queue-4.16/hid-lenovo-add-support-for-ibm-lenovo-scrollpoint-mice.patch new file mode 100644 index 00000000000..54df605b6e2 --- /dev/null +++ b/queue-4.16/hid-lenovo-add-support-for-ibm-lenovo-scrollpoint-mice.patch @@ -0,0 +1,135 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: pgzh +Date: Thu, 12 Apr 2018 19:36:47 +0200 +Subject: HID: lenovo: Add support for IBM/Lenovo Scrollpoint mice + +From: pgzh + +[ Upstream commit a230cd52b8a2be39cd6e9a13b3e62af57f21372a ] + +The IBM/Lenovo Scrollpoint mice feature a trackpoint-like stick instead of a +scrolling wheel capable of 2-D (vertical+horizontal) scrolling. hid-generic +does only expose 1-D (vertical) scrolling functionality for these mice. This +patch adds support for horizontal scrolling for the IBM/Lenovo Scrollpoint mice +to hid-lenovo. + +[jkosina@suse.cz: remove change versioning from git changelog] +Signed-off-by: Peter Ganzhorn +Reviewed-by: Benjamin Tissoires +Signed-off-by: Peter De Wachter +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/Kconfig | 7 ++++--- + drivers/hid/hid-ids.h | 8 ++++++++ + drivers/hid/hid-lenovo.c | 36 ++++++++++++++++++++++++++++++++++++ + 3 files changed, 48 insertions(+), 3 deletions(-) + +--- a/drivers/hid/Kconfig ++++ b/drivers/hid/Kconfig +@@ -448,10 +448,11 @@ config HID_LENOVO + select NEW_LEDS + select LEDS_CLASS + ---help--- +- Support for Lenovo devices that are not fully compliant with HID standard. ++ Support for IBM/Lenovo devices that are not fully compliant with HID standard. + +- Say Y if you want support for the non-compliant features of the Lenovo +- Thinkpad standalone keyboards, e.g: ++ Say Y if you want support for horizontal scrolling of the IBM/Lenovo ++ Scrollpoint mice or the non-compliant features of the Lenovo Thinkpad ++ standalone keyboards, e.g: + - ThinkPad USB Keyboard with TrackPoint (supports extra LEDs and trackpoint + configuration) + - ThinkPad Compact Bluetooth Keyboard with TrackPoint (supports Fn keys) +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -546,6 +546,13 @@ + #define USB_VENDOR_ID_HUION 0x256c + #define USB_DEVICE_ID_HUION_TABLET 0x006e + ++#define USB_VENDOR_ID_IBM 0x04b3 ++#define USB_DEVICE_ID_IBM_SCROLLPOINT_III 0x3100 ++#define USB_DEVICE_ID_IBM_SCROLLPOINT_PRO 0x3103 ++#define USB_DEVICE_ID_IBM_SCROLLPOINT_OPTICAL 0x3105 ++#define USB_DEVICE_ID_IBM_SCROLLPOINT_800DPI_OPTICAL 0x3108 ++#define USB_DEVICE_ID_IBM_SCROLLPOINT_800DPI_OPTICAL_PRO 0x3109 ++ + #define USB_VENDOR_ID_IDEACOM 0x1cb6 + #define USB_DEVICE_ID_IDEACOM_IDC6650 0x6650 + #define USB_DEVICE_ID_IDEACOM_IDC6651 0x6651 +@@ -678,6 +685,7 @@ + #define USB_DEVICE_ID_LENOVO_TPKBD 0x6009 + #define USB_DEVICE_ID_LENOVO_CUSBKBD 0x6047 + #define USB_DEVICE_ID_LENOVO_CBTKBD 0x6048 ++#define USB_DEVICE_ID_LENOVO_SCROLLPOINT_OPTICAL 0x6049 + #define USB_DEVICE_ID_LENOVO_TPPRODOCK 0x6067 + #define USB_DEVICE_ID_LENOVO_X1_COVER 0x6085 + #define USB_DEVICE_ID_LENOVO_X1_TAB 0x60a3 +--- a/drivers/hid/hid-lenovo.c ++++ b/drivers/hid/hid-lenovo.c +@@ -6,6 +6,17 @@ + * + * Copyright (c) 2012 Bernhard Seibold + * Copyright (c) 2014 Jamie Lentin ++ * ++ * Linux IBM/Lenovo Scrollpoint mouse driver: ++ * - IBM Scrollpoint III ++ * - IBM Scrollpoint Pro ++ * - IBM Scrollpoint Optical ++ * - IBM Scrollpoint Optical 800dpi ++ * - IBM Scrollpoint Optical 800dpi Pro ++ * - Lenovo Scrollpoint Optical ++ * ++ * Copyright (c) 2012 Peter De Wachter ++ * Copyright (c) 2018 Peter Ganzhorn + */ + + /* +@@ -160,6 +171,17 @@ static int lenovo_input_mapping_cptkbd(s + return 0; + } + ++static int lenovo_input_mapping_scrollpoint(struct hid_device *hdev, ++ struct hid_input *hi, struct hid_field *field, ++ struct hid_usage *usage, unsigned long **bit, int *max) ++{ ++ if (usage->hid == HID_GD_Z) { ++ hid_map_usage(hi, usage, bit, max, EV_REL, REL_HWHEEL); ++ return 1; ++ } ++ return 0; ++} ++ + static int lenovo_input_mapping(struct hid_device *hdev, + struct hid_input *hi, struct hid_field *field, + struct hid_usage *usage, unsigned long **bit, int *max) +@@ -172,6 +194,14 @@ static int lenovo_input_mapping(struct h + case USB_DEVICE_ID_LENOVO_CBTKBD: + return lenovo_input_mapping_cptkbd(hdev, hi, field, + usage, bit, max); ++ case USB_DEVICE_ID_IBM_SCROLLPOINT_III: ++ case USB_DEVICE_ID_IBM_SCROLLPOINT_PRO: ++ case USB_DEVICE_ID_IBM_SCROLLPOINT_OPTICAL: ++ case USB_DEVICE_ID_IBM_SCROLLPOINT_800DPI_OPTICAL: ++ case USB_DEVICE_ID_IBM_SCROLLPOINT_800DPI_OPTICAL_PRO: ++ case USB_DEVICE_ID_LENOVO_SCROLLPOINT_OPTICAL: ++ return lenovo_input_mapping_scrollpoint(hdev, hi, field, ++ usage, bit, max); + default: + return 0; + } +@@ -883,6 +913,12 @@ static const struct hid_device_id lenovo + { HID_USB_DEVICE(USB_VENDOR_ID_LENOVO, USB_DEVICE_ID_LENOVO_CUSBKBD) }, + { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_LENOVO, USB_DEVICE_ID_LENOVO_CBTKBD) }, + { HID_USB_DEVICE(USB_VENDOR_ID_LENOVO, USB_DEVICE_ID_LENOVO_TPPRODOCK) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_IBM, USB_DEVICE_ID_IBM_SCROLLPOINT_III) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_IBM, USB_DEVICE_ID_IBM_SCROLLPOINT_PRO) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_IBM, USB_DEVICE_ID_IBM_SCROLLPOINT_OPTICAL) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_IBM, USB_DEVICE_ID_IBM_SCROLLPOINT_800DPI_OPTICAL) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_IBM, USB_DEVICE_ID_IBM_SCROLLPOINT_800DPI_OPTICAL_PRO) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_LENOVO, USB_DEVICE_ID_LENOVO_SCROLLPOINT_OPTICAL) }, + { } + }; + diff --git a/queue-4.16/hid-wacom-release-device-resource-data-obtained-by-devres_alloc.patch b/queue-4.16/hid-wacom-release-device-resource-data-obtained-by-devres_alloc.patch new file mode 100644 index 00000000000..5af7d3e96cd --- /dev/null +++ b/queue-4.16/hid-wacom-release-device-resource-data-obtained-by-devres_alloc.patch @@ -0,0 +1,35 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Arvind Yadav +Date: Tue, 24 Apr 2018 13:33:03 +0530 +Subject: HID: wacom: Release device resource data obtained by devres_alloc() + +From: Arvind Yadav + +[ Upstream commit 097b8f62dd793e08f1732fc74dbb64596c7fbff9 ] + +Free device resource data, if __wacom_devm_sysfs_create_group +is not successful. + +Signed-off-by: Arvind Yadav +Reviewed-by: Benjamin Tissoires +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/wacom_sys.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/hid/wacom_sys.c ++++ b/drivers/hid/wacom_sys.c +@@ -1213,8 +1213,10 @@ static int __wacom_devm_sysfs_create_gro + devres->root = root; + + error = sysfs_create_group(devres->root, group); +- if (error) ++ if (error) { ++ devres_free(devres); + return error; ++ } + + devres_add(&wacom->hdev->dev, devres); + diff --git a/queue-4.16/i2c-pmcmsp-fix-error-return-from-master_xfer.patch b/queue-4.16/i2c-pmcmsp-fix-error-return-from-master_xfer.patch new file mode 100644 index 00000000000..ed5932e65f7 --- /dev/null +++ b/queue-4.16/i2c-pmcmsp-fix-error-return-from-master_xfer.patch @@ -0,0 +1,31 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Peter Rosin +Date: Wed, 9 May 2018 21:46:30 +0200 +Subject: i2c: pmcmsp: fix error return from master_xfer + +From: Peter Rosin + +[ Upstream commit 12d9bbc5a7f347eaa65ff2a9d34995cadc05eb1b ] + +Returning -1 (-EPERM) is not appropriate here, go with -EIO. + +Signed-off-by: Peter Rosin +Signed-off-by: Wolfram Sang +Fixes: 1b144df1d7d6 ("i2c: New PMC MSP71xx TWI bus driver") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-pmcmsp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/i2c/busses/i2c-pmcmsp.c ++++ b/drivers/i2c/busses/i2c-pmcmsp.c +@@ -564,7 +564,7 @@ static int pmcmsptwi_master_xfer(struct + * TODO: We could potentially loop and retry in the case + * of MSP_TWI_XFER_TIMEOUT. + */ +- return -1; ++ return -EIO; + } + + return num; diff --git a/queue-4.16/i2c-pmcmsp-return-message-count-on-master_xfer-success.patch b/queue-4.16/i2c-pmcmsp-return-message-count-on-master_xfer-success.patch new file mode 100644 index 00000000000..530f094806e --- /dev/null +++ b/queue-4.16/i2c-pmcmsp-return-message-count-on-master_xfer-success.patch @@ -0,0 +1,31 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Peter Rosin +Date: Wed, 9 May 2018 21:46:29 +0200 +Subject: i2c: pmcmsp: return message count on master_xfer success + +From: Peter Rosin + +[ Upstream commit de9a8634f1cb4560a35696d472cc7f1383d9b866 ] + +Returning zero is wrong in this case. + +Signed-off-by: Peter Rosin +Signed-off-by: Wolfram Sang +Fixes: 1b144df1d7d6 ("i2c: New PMC MSP71xx TWI bus driver") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-pmcmsp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/i2c/busses/i2c-pmcmsp.c ++++ b/drivers/i2c/busses/i2c-pmcmsp.c +@@ -567,7 +567,7 @@ static int pmcmsptwi_master_xfer(struct + return -1; + } + +- return 0; ++ return num; + } + + static u32 pmcmsptwi_i2c_func(struct i2c_adapter *adapter) diff --git a/queue-4.16/i2c-sprd-fix-the-i2c-count-issue.patch b/queue-4.16/i2c-sprd-fix-the-i2c-count-issue.patch new file mode 100644 index 00000000000..e4b66173919 --- /dev/null +++ b/queue-4.16/i2c-sprd-fix-the-i2c-count-issue.patch @@ -0,0 +1,54 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Baolin Wang +Date: Mon, 9 Apr 2018 14:40:55 +0800 +Subject: i2c: sprd: Fix the i2c count issue + +From: Baolin Wang + +[ Upstream commit 2a010461207cc96bee5ab81748325dec1972976f ] + +We found the I2C controller count register is unreliable sometimes, +that will cause I2C to lose data. Thus we can read the data count +from 'i2c_dev->count' instead of the I2C controller count register. + +Signed-off-by: Baolin Wang +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-sprd.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/i2c/busses/i2c-sprd.c ++++ b/drivers/i2c/busses/i2c-sprd.c +@@ -368,13 +368,12 @@ static irqreturn_t sprd_i2c_isr_thread(i + struct sprd_i2c *i2c_dev = dev_id; + struct i2c_msg *msg = i2c_dev->msg; + bool ack = !(readl(i2c_dev->base + I2C_STATUS) & I2C_RX_ACK); +- u32 i2c_count = readl(i2c_dev->base + I2C_COUNT); + u32 i2c_tran; + + if (msg->flags & I2C_M_RD) + i2c_tran = i2c_dev->count >= I2C_FIFO_FULL_THLD; + else +- i2c_tran = i2c_count; ++ i2c_tran = i2c_dev->count; + + /* + * If we got one ACK from slave when writing data, and we did not +@@ -412,14 +411,13 @@ static irqreturn_t sprd_i2c_isr(int irq, + { + struct sprd_i2c *i2c_dev = dev_id; + struct i2c_msg *msg = i2c_dev->msg; +- u32 i2c_count = readl(i2c_dev->base + I2C_COUNT); + bool ack = !(readl(i2c_dev->base + I2C_STATUS) & I2C_RX_ACK); + u32 i2c_tran; + + if (msg->flags & I2C_M_RD) + i2c_tran = i2c_dev->count >= I2C_FIFO_FULL_THLD; + else +- i2c_tran = i2c_count; ++ i2c_tran = i2c_dev->count; + + /* + * If we did not get one ACK from slave when writing data, then we diff --git a/queue-4.16/i2c-sprd-prevent-i2c-accesses-after-suspend-is-called.patch b/queue-4.16/i2c-sprd-prevent-i2c-accesses-after-suspend-is-called.patch new file mode 100644 index 00000000000..1b2d980dd93 --- /dev/null +++ b/queue-4.16/i2c-sprd-prevent-i2c-accesses-after-suspend-is-called.patch @@ -0,0 +1,65 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Baolin Wang +Date: Mon, 9 Apr 2018 14:40:54 +0800 +Subject: i2c: sprd: Prevent i2c accesses after suspend is called + +From: Baolin Wang + +[ Upstream commit da33aa03fa34c918faf2c371ebda0dd961d7ccb2 ] + +Add one flag to indicate if the i2c controller has been in suspend state, +which can prevent i2c accesses after i2c controller is suspended following +system suspend. + +Signed-off-by: Baolin Wang +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-sprd.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/drivers/i2c/busses/i2c-sprd.c ++++ b/drivers/i2c/busses/i2c-sprd.c +@@ -86,6 +86,7 @@ struct sprd_i2c { + u32 count; + int irq; + int err; ++ bool is_suspended; + }; + + static void sprd_i2c_set_count(struct sprd_i2c *i2c_dev, u32 count) +@@ -283,6 +284,9 @@ static int sprd_i2c_master_xfer(struct i + struct sprd_i2c *i2c_dev = i2c_adap->algo_data; + int im, ret; + ++ if (i2c_dev->is_suspended) ++ return -EBUSY; ++ + ret = pm_runtime_get_sync(i2c_dev->dev); + if (ret < 0) + return ret; +@@ -586,11 +590,23 @@ static int sprd_i2c_remove(struct platfo + + static int __maybe_unused sprd_i2c_suspend_noirq(struct device *pdev) + { ++ struct sprd_i2c *i2c_dev = dev_get_drvdata(pdev); ++ ++ i2c_lock_adapter(&i2c_dev->adap); ++ i2c_dev->is_suspended = true; ++ i2c_unlock_adapter(&i2c_dev->adap); ++ + return pm_runtime_force_suspend(pdev); + } + + static int __maybe_unused sprd_i2c_resume_noirq(struct device *pdev) + { ++ struct sprd_i2c *i2c_dev = dev_get_drvdata(pdev); ++ ++ i2c_lock_adapter(&i2c_dev->adap); ++ i2c_dev->is_suspended = false; ++ i2c_unlock_adapter(&i2c_dev->adap); ++ + return pm_runtime_force_resume(pdev); + } + diff --git a/queue-4.16/i2c-viperboard-return-message-count-on-master_xfer-success.patch b/queue-4.16/i2c-viperboard-return-message-count-on-master_xfer-success.patch new file mode 100644 index 00000000000..3534504507c --- /dev/null +++ b/queue-4.16/i2c-viperboard-return-message-count-on-master_xfer-success.patch @@ -0,0 +1,31 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Peter Rosin +Date: Wed, 9 May 2018 21:47:48 +0200 +Subject: i2c: viperboard: return message count on master_xfer success + +From: Peter Rosin + +[ Upstream commit 35cd67a0caf767aba472452865dcb4471fcce2b1 ] + +Returning zero is wrong in this case. + +Signed-off-by: Peter Rosin +Signed-off-by: Wolfram Sang +Fixes: 174a13aa8669 ("i2c: Add viperboard i2c master driver") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-viperboard.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/i2c/busses/i2c-viperboard.c ++++ b/drivers/i2c/busses/i2c-viperboard.c +@@ -337,7 +337,7 @@ static int vprbrd_i2c_xfer(struct i2c_ad + } + mutex_unlock(&vb->lock); + } +- return 0; ++ return num; + error: + mutex_unlock(&vb->lock); + return error; diff --git a/queue-4.16/ib-core-make-ib_mad_client_id-atomic.patch b/queue-4.16/ib-core-make-ib_mad_client_id-atomic.patch new file mode 100644 index 00000000000..3343d912201 --- /dev/null +++ b/queue-4.16/ib-core-make-ib_mad_client_id-atomic.patch @@ -0,0 +1,51 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: "Håkon Bugge" +Date: Wed, 18 Apr 2018 16:24:50 +0200 +Subject: IB/core: Make ib_mad_client_id atomic + +From: "Håkon Bugge" + +[ Upstream commit db82476f37413eaeff5f836a9d8b022d6544accf ] + +Currently, the kernel protects access to the agent ID allocator on a per +port basis using a spinlock, so it is impossible for two apps/threads on +the same port to get the same TID, but it is entirely possible for two +threads on different ports to end up with the same TID. + +As this can be confusing (regardless of it being legal according to the +IB Spec 1.3, C13-18.1.1, in section 13.4.6.4 - TransactionID usage), +and as the rdma-core user space API for /dev/umad devices implies unique +TIDs even across ports, make the TID an atomic type so that no two +allocations, regardless of port number, will be the same. + +Signed-off-by: HÃ¥kon Bugge +Reviewed-by: Jack Morgenstein +Reviewed-by: Ira Weiny +Reviewed-by: Zhu Yanjun +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/mad.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/infiniband/core/mad.c ++++ b/drivers/infiniband/core/mad.c +@@ -59,7 +59,7 @@ module_param_named(recv_queue_size, mad_ + MODULE_PARM_DESC(recv_queue_size, "Size of receive queue in number of work requests"); + + static struct list_head ib_mad_port_list; +-static u32 ib_mad_client_id = 0; ++static atomic_t ib_mad_client_id = ATOMIC_INIT(0); + + /* Port list lock */ + static DEFINE_SPINLOCK(ib_mad_port_list_lock); +@@ -377,7 +377,7 @@ struct ib_mad_agent *ib_register_mad_age + } + + spin_lock_irqsave(&port_priv->reg_lock, flags); +- mad_agent_priv->agent.hi_tid = ++ib_mad_client_id; ++ mad_agent_priv->agent.hi_tid = atomic_inc_return(&ib_mad_client_id); + + /* + * Make sure MAD registration (if supplied) diff --git a/queue-4.16/ib-hfi1-fix-memory-leak-in-exception-path-in-get_irq_affinity.patch b/queue-4.16/ib-hfi1-fix-memory-leak-in-exception-path-in-get_irq_affinity.patch new file mode 100644 index 00000000000..04d22961fdf --- /dev/null +++ b/queue-4.16/ib-hfi1-fix-memory-leak-in-exception-path-in-get_irq_affinity.patch @@ -0,0 +1,72 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Sebastian Sanchez +Date: Tue, 1 May 2018 05:36:13 -0700 +Subject: IB/hfi1: Fix memory leak in exception path in get_irq_affinity() + +From: Sebastian Sanchez + +[ Upstream commit 59482a14918b282ca2a98f38c69da5ebeb1107d2 ] + +When IRQ affinity is set and the interrupt type is unknown, a cpu +mask allocated within the function is never freed. Fix this memory +leak by allocating memory within the scope where it is used. + +Reviewed-by: Mike Marciniszyn +Reviewed-by: Michael J. Ruhl +Signed-off-by: Sebastian Sanchez +Signed-off-by: Dennis Dalessandro +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/hfi1/affinity.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +--- a/drivers/infiniband/hw/hfi1/affinity.c ++++ b/drivers/infiniband/hw/hfi1/affinity.c +@@ -412,7 +412,6 @@ static void hfi1_cleanup_sdma_notifier(s + static int get_irq_affinity(struct hfi1_devdata *dd, + struct hfi1_msix_entry *msix) + { +- int ret; + cpumask_var_t diff; + struct hfi1_affinity_node *entry; + struct cpu_mask_set *set = NULL; +@@ -424,10 +423,6 @@ static int get_irq_affinity(struct hfi1_ + extra[0] = '\0'; + cpumask_clear(&msix->mask); + +- ret = zalloc_cpumask_var(&diff, GFP_KERNEL); +- if (!ret) +- return -ENOMEM; +- + entry = node_affinity_lookup(dd->node); + + switch (msix->type) { +@@ -458,6 +453,9 @@ static int get_irq_affinity(struct hfi1_ + * finds its CPU here. + */ + if (cpu == -1 && set) { ++ if (!zalloc_cpumask_var(&diff, GFP_KERNEL)) ++ return -ENOMEM; ++ + if (cpumask_equal(&set->mask, &set->used)) { + /* + * We've used up all the CPUs, bump up the generation +@@ -469,6 +467,8 @@ static int get_irq_affinity(struct hfi1_ + cpumask_andnot(diff, &set->mask, &set->used); + cpu = cpumask_first(diff); + cpumask_set_cpu(cpu, &set->used); ++ ++ free_cpumask_var(diff); + } + + cpumask_set_cpu(cpu, &msix->mask); +@@ -482,7 +482,6 @@ static int get_irq_affinity(struct hfi1_ + hfi1_setup_sdma_notifier(msix); + } + +- free_cpumask_var(diff); + return 0; + } + diff --git a/queue-4.16/ib-hfi1-rdmavt-fix-memory-leak-in-hfi1_alloc_devdata-upon-failure.patch b/queue-4.16/ib-hfi1-rdmavt-fix-memory-leak-in-hfi1_alloc_devdata-upon-failure.patch new file mode 100644 index 00000000000..143cbb1a7e3 --- /dev/null +++ b/queue-4.16/ib-hfi1-rdmavt-fix-memory-leak-in-hfi1_alloc_devdata-upon-failure.patch @@ -0,0 +1,129 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Sebastian Sanchez +Date: Tue, 1 May 2018 05:36:06 -0700 +Subject: IB/{hfi1, rdmavt}: Fix memory leak in hfi1_alloc_devdata() upon failure + +From: Sebastian Sanchez + +[ Upstream commit e9777ad4399c26c70318c4945f94efac2ed95391 ] + +When allocating device data, if there's an allocation failure, the +already allocated memory won't be freed such as per-cpu counters. + +Fix memory leaks in exception path by creating a common reentrant +clean up function hfi1_clean_devdata() to be used at driver unload +time and device data allocation failure. + +To accomplish this, free_platform_config() and clean_up_i2c() are +changed to be reentrant to remove dependencies when they are called +in different order. This helps avoid NULL pointer dereferences +introduced by this patch if those two functions weren't reentrant. + +In addition, set dd->int_counter, dd->rcv_limit, +dd->send_schedule and dd->tx_opstats to NULL after they're freed in +hfi1_clean_devdata(), so that hfi1_clean_devdata() is fully reentrant. + +Reviewed-by: Mike Marciniszyn +Reviewed-by: Michael J. Ruhl +Signed-off-by: Sebastian Sanchez +Signed-off-by: Dennis Dalessandro +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/hfi1/init.c | 37 ++++++++++++++++++++++++---------- + drivers/infiniband/hw/hfi1/platform.c | 1 + drivers/infiniband/hw/hfi1/qsfp.c | 2 + + 3 files changed, 30 insertions(+), 10 deletions(-) + +--- a/drivers/infiniband/hw/hfi1/init.c ++++ b/drivers/infiniband/hw/hfi1/init.c +@@ -1209,30 +1209,49 @@ static void finalize_asic_data(struct hf + kfree(ad); + } + +-static void __hfi1_free_devdata(struct kobject *kobj) ++/** ++ * hfi1_clean_devdata - cleans up per-unit data structure ++ * @dd: pointer to a valid devdata structure ++ * ++ * It cleans up all data structures set up by ++ * by hfi1_alloc_devdata(). ++ */ ++static void hfi1_clean_devdata(struct hfi1_devdata *dd) + { +- struct hfi1_devdata *dd = +- container_of(kobj, struct hfi1_devdata, kobj); + struct hfi1_asic_data *ad; + unsigned long flags; + + spin_lock_irqsave(&hfi1_devs_lock, flags); +- idr_remove(&hfi1_unit_table, dd->unit); +- list_del(&dd->list); ++ if (!list_empty(&dd->list)) { ++ idr_remove(&hfi1_unit_table, dd->unit); ++ list_del_init(&dd->list); ++ } + ad = release_asic_data(dd); + spin_unlock_irqrestore(&hfi1_devs_lock, flags); +- if (ad) +- finalize_asic_data(dd, ad); ++ ++ finalize_asic_data(dd, ad); + free_platform_config(dd); + rcu_barrier(); /* wait for rcu callbacks to complete */ + free_percpu(dd->int_counter); + free_percpu(dd->rcv_limit); + free_percpu(dd->send_schedule); + free_percpu(dd->tx_opstats); ++ dd->int_counter = NULL; ++ dd->rcv_limit = NULL; ++ dd->send_schedule = NULL; ++ dd->tx_opstats = NULL; + sdma_clean(dd, dd->num_sdma); + rvt_dealloc_device(&dd->verbs_dev.rdi); + } + ++static void __hfi1_free_devdata(struct kobject *kobj) ++{ ++ struct hfi1_devdata *dd = ++ container_of(kobj, struct hfi1_devdata, kobj); ++ ++ hfi1_clean_devdata(dd); ++} ++ + static struct kobj_type hfi1_devdata_type = { + .release = __hfi1_free_devdata, + }; +@@ -1333,9 +1352,7 @@ struct hfi1_devdata *hfi1_alloc_devdata( + return dd; + + bail: +- if (!list_empty(&dd->list)) +- list_del_init(&dd->list); +- rvt_dealloc_device(&dd->verbs_dev.rdi); ++ hfi1_clean_devdata(dd); + return ERR_PTR(ret); + } + +--- a/drivers/infiniband/hw/hfi1/platform.c ++++ b/drivers/infiniband/hw/hfi1/platform.c +@@ -199,6 +199,7 @@ void free_platform_config(struct hfi1_de + { + /* Release memory allocated for eprom or fallback file read. */ + kfree(dd->platform_config.data); ++ dd->platform_config.data = NULL; + } + + void get_port_type(struct hfi1_pportdata *ppd) +--- a/drivers/infiniband/hw/hfi1/qsfp.c ++++ b/drivers/infiniband/hw/hfi1/qsfp.c +@@ -204,6 +204,8 @@ static void clean_i2c_bus(struct hfi1_i2 + + void clean_up_i2c(struct hfi1_devdata *dd, struct hfi1_asic_data *ad) + { ++ if (!ad) ++ return; + clean_i2c_bus(ad->i2c_bus0); + ad->i2c_bus0 = NULL; + clean_i2c_bus(ad->i2c_bus1); diff --git a/queue-4.16/ib-hfi1-use-correct-type-for-num_user_context.patch b/queue-4.16/ib-hfi1-use-correct-type-for-num_user_context.patch new file mode 100644 index 00000000000..8667bdbcc8f --- /dev/null +++ b/queue-4.16/ib-hfi1-use-correct-type-for-num_user_context.patch @@ -0,0 +1,39 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: "Michael J. Ruhl" +Date: Tue, 1 May 2018 05:35:43 -0700 +Subject: IB/hfi1 Use correct type for num_user_context + +From: "Michael J. Ruhl" + +[ Upstream commit 5da9e742be44d9b7c68b1bf6e1aaf46a1aa7a52b ] + +The module parameter num_user_context is defined as 'int' and +defaults to -1. The module_param_named() says that it is uint. + +Correct module_param_named() type information and update the modinfo +text to reflect the default value. + +Reviewed-by: Dennis Dalessandro +Signed-off-by: Michael J. Ruhl +Signed-off-by: Dennis Dalessandro +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/hfi1/init.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/infiniband/hw/hfi1/init.c ++++ b/drivers/infiniband/hw/hfi1/init.c +@@ -88,9 +88,9 @@ + * pio buffers per ctxt, etc.) Zero means use one user context per CPU. + */ + int num_user_contexts = -1; +-module_param_named(num_user_contexts, num_user_contexts, uint, S_IRUGO); ++module_param_named(num_user_contexts, num_user_contexts, int, 0444); + MODULE_PARM_DESC( +- num_user_contexts, "Set max number of user contexts to use"); ++ num_user_contexts, "Set max number of user contexts to use (default: -1 will use the real (non-HT) CPU count)"); + + uint krcvqs[RXE_NUM_DATA_VL]; + int krcvqsset; diff --git a/queue-4.16/ib-make-infiniband_addr_trans-configurable.patch b/queue-4.16/ib-make-infiniband_addr_trans-configurable.patch new file mode 100644 index 00000000000..1384d57d1da --- /dev/null +++ b/queue-4.16/ib-make-infiniband_addr_trans-configurable.patch @@ -0,0 +1,38 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Greg Thelen +Date: Thu, 26 Apr 2018 11:19:35 -0700 +Subject: IB: make INFINIBAND_ADDR_TRANS configurable + +From: Greg Thelen + +[ Upstream commit f7cb7b85be55a4906b4b4b30596db1043dae6335 ] + +Allow INFINIBAND without INFINIBAND_ADDR_TRANS because fuzzing has been +finding fair number of CM bugs. So provide option to disable it. + +Signed-off-by: Greg Thelen +Cc: Tarick Bedeir +Reviewed-by: Bart Van Assche +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/Kconfig | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/Kconfig ++++ b/drivers/infiniband/Kconfig +@@ -62,9 +62,12 @@ config INFINIBAND_ON_DEMAND_PAGING + pages on demand instead. + + config INFINIBAND_ADDR_TRANS +- bool ++ bool "RDMA/CM" + depends on INFINIBAND + default y ++ ---help--- ++ Support for RDMA communication manager (CM). ++ This allows for a generic connection abstraction over RDMA. + + config INFINIBAND_ADDR_TRANS_CONFIGFS + bool diff --git a/queue-4.16/ib-mlx4-fix-integer-overflow-when-calculating-optimal-mtt-size.patch b/queue-4.16/ib-mlx4-fix-integer-overflow-when-calculating-optimal-mtt-size.patch new file mode 100644 index 00000000000..927e94a9a0d --- /dev/null +++ b/queue-4.16/ib-mlx4-fix-integer-overflow-when-calculating-optimal-mtt-size.patch @@ -0,0 +1,58 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Jack Morgenstein +Date: Wed, 2 May 2018 13:04:25 +0300 +Subject: IB/mlx4: Fix integer overflow when calculating optimal MTT size + +From: Jack Morgenstein + +[ Upstream commit b03bcde962606d2ee59a4e9dd470db9ad53c5418 ] + +When the kernel was compiled using the UBSAN option, +we saw the following stack trace: + +[ 1184.827917] UBSAN: Undefined behaviour in drivers/infiniband/hw/mlx4/mr.c:349:27 +[ 1184.828114] signed integer overflow: +[ 1184.828247] -2147483648 - 1 cannot be represented in type 'int' + +The problem was caused by calling round_up in procedure +mlx4_ib_umem_calc_optimal_mtt_size (on line 349, as noted in the stack +trace) with the second parameter (1 << block_shift) (which is an int). +The second parameter should have been (1ULL << block_shift) (which +is an unsigned long long). + +(1 << block_shift) is treated by the compiler as an int (because 1 is +an integer). + +Now, local variable block_shift is initialized to 31. +If block_shift is 31, 1 << block_shift is 1 << 31 = 0x80000000=-214748368. +This is the most negative int value. + +Inside the round_up macro, there is a cast applied to ((1 << 31) - 1). +However, this cast is applied AFTER ((1 << 31) - 1) is calculated. +Since (1 << 31) is treated as an int, we get the negative overflow +identified by UBSAN in the process of calculating ((1 << 31) - 1). + +The fix is to change (1 << block_shift) to (1ULL << block_shift) on +line 349. + +Fixes: 9901abf58368 ("IB/mlx4: Use optimal numbers of MTT entries") +Signed-off-by: Jack Morgenstein +Signed-off-by: Leon Romanovsky +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/mlx4/mr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/mlx4/mr.c ++++ b/drivers/infiniband/hw/mlx4/mr.c +@@ -346,7 +346,7 @@ int mlx4_ib_umem_calc_optimal_mtt_size(s + /* Add to the first block the misalignment that it suffers from. */ + total_len += (first_block_start & ((1ULL << block_shift) - 1ULL)); + last_block_end = current_block_start + current_block_len; +- last_block_aligned_end = round_up(last_block_end, 1 << block_shift); ++ last_block_aligned_end = round_up(last_block_end, 1ULL << block_shift); + total_len += (last_block_aligned_end - last_block_end); + + if (total_len & ((1ULL << block_shift) - 1ULL)) diff --git a/queue-4.16/ib-rxe-add-rxe_start_mask-for-rxe_opcode-ib_opcode_rc_send_only_inv.patch b/queue-4.16/ib-rxe-add-rxe_start_mask-for-rxe_opcode-ib_opcode_rc_send_only_inv.patch new file mode 100644 index 00000000000..0c142588d35 --- /dev/null +++ b/queue-4.16/ib-rxe-add-rxe_start_mask-for-rxe_opcode-ib_opcode_rc_send_only_inv.patch @@ -0,0 +1,39 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Jianchao Wang +Date: Thu, 26 Apr 2018 11:52:39 +0800 +Subject: IB/rxe: add RXE_START_MASK for rxe_opcode IB_OPCODE_RC_SEND_ONLY_INV + +From: Jianchao Wang + +[ Upstream commit 2da36d44a9d54a2c6e1f8da1f7ccc26b0bc6cfec ] + +w/o RXE_START_MASK, the last_psn of IB_OPCODE_RC_SEND_ONLY_INV +will not be updated in update_wqe_psn, and the corresponding +wqe will not be acked in rxe_completer due to its last_psn is +zero. Finally, the other wqe will also not be able to be acked, +because the wqe of IB_OPCODE_RC_SEND_ONLY_INV with last_psn 0 +is still there. This causes large amount of io timeout when +nvmeof is over rxe. + +Add RXE_START_MASK for IB_OPCODE_RC_SEND_ONLY_INV to fix this. + +Signed-off-by: Jianchao Wang +Reviewed-by: Zhu Yanjun +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/sw/rxe/rxe_opcode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/sw/rxe/rxe_opcode.c ++++ b/drivers/infiniband/sw/rxe/rxe_opcode.c +@@ -390,7 +390,7 @@ struct rxe_opcode_info rxe_opcode[RXE_NU + .name = "IB_OPCODE_RC_SEND_ONLY_INV", + .mask = RXE_IETH_MASK | RXE_PAYLOAD_MASK | RXE_REQ_MASK + | RXE_COMP_MASK | RXE_RWR_MASK | RXE_SEND_MASK +- | RXE_END_MASK, ++ | RXE_END_MASK | RXE_START_MASK, + .length = RXE_BTH_BYTES + RXE_IETH_BYTES, + .offset = { + [RXE_BTH] = 0, diff --git a/queue-4.16/ib-rxe-avoid-double-kfree_skb.patch b/queue-4.16/ib-rxe-avoid-double-kfree_skb.patch new file mode 100644 index 00000000000..9122000330c --- /dev/null +++ b/queue-4.16/ib-rxe-avoid-double-kfree_skb.patch @@ -0,0 +1,97 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Zhu Yanjun +Date: Thu, 26 Apr 2018 00:41:10 -0400 +Subject: IB/rxe: avoid double kfree_skb + +From: Zhu Yanjun + +[ Upstream commit 9fd4350ba8953804f05215999e11a6cfb7b41f2b ] + +When skb is sent, it will pass the following functions in soft roce. + +rxe_send [rdma_rxe] + ip_local_out + __ip_local_out + ip_output + ip_finish_output + ip_finish_output2 + dev_queue_xmit + __dev_queue_xmit + dev_hard_start_xmit + +In the above functions, if error occurs in the above functions or +iptables rules drop skb after ip_local_out, kfree_skb will be called. +So it is not necessary to call kfree_skb in soft roce module again. +Or else crash will occur. + +The steps to reproduce: + + server client + --------- --------- + |1.1.1.1|<----rxe-channel--->|1.1.1.2| + --------- --------- + +On server: rping -s -a 1.1.1.1 -v -C 10000 -S 512 +On client: rping -c -a 1.1.1.1 -v -C 10000 -S 512 + +The kernel configs CONFIG_DEBUG_KMEMLEAK and +CONFIG_DEBUG_OBJECTS are enabled on both server and client. + +When rping runs, run the following command in server: + +iptables -I OUTPUT -p udp --dport 4791 -j DROP + +Without this patch, crash will occur. + +CC: Srinivas Eeda +CC: Junxiao Bi +Signed-off-by: Zhu Yanjun +Reviewed-by: Yuval Shaia +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/sw/rxe/rxe_req.c | 1 - + drivers/infiniband/sw/rxe/rxe_resp.c | 6 +----- + 2 files changed, 1 insertion(+), 6 deletions(-) + +--- a/drivers/infiniband/sw/rxe/rxe_req.c ++++ b/drivers/infiniband/sw/rxe/rxe_req.c +@@ -728,7 +728,6 @@ next_wqe: + rollback_state(wqe, qp, &rollback_wqe, rollback_psn); + + if (ret == -EAGAIN) { +- kfree_skb(skb); + rxe_run_task(&qp->req.task, 1); + goto exit; + } +--- a/drivers/infiniband/sw/rxe/rxe_resp.c ++++ b/drivers/infiniband/sw/rxe/rxe_resp.c +@@ -742,7 +742,6 @@ static enum resp_states read_reply(struc + err = rxe_xmit_packet(rxe, qp, &ack_pkt, skb); + if (err) { + pr_err("Failed sending RDMA reply.\n"); +- kfree_skb(skb); + return RESPST_ERR_RNR; + } + +@@ -954,10 +953,8 @@ static int send_ack(struct rxe_qp *qp, s + } + + err = rxe_xmit_packet(rxe, qp, &ack_pkt, skb); +- if (err) { ++ if (err) + pr_err_ratelimited("Failed sending ack\n"); +- kfree_skb(skb); +- } + + err1: + return err; +@@ -1150,7 +1147,6 @@ static enum resp_states duplicate_reques + if (rc) { + pr_err("Failed resending result. This flow is not handled - skb ignored\n"); + rxe_drop_ref(qp); +- kfree_skb(skb_copy); + rc = RESPST_CLEANUP; + goto out; + } diff --git a/queue-4.16/ib-uverbs-fix-validating-mandatory-attributes.patch b/queue-4.16/ib-uverbs-fix-validating-mandatory-attributes.patch new file mode 100644 index 00000000000..4eb398956ba --- /dev/null +++ b/queue-4.16/ib-uverbs-fix-validating-mandatory-attributes.patch @@ -0,0 +1,40 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Matan Barak +Date: Tue, 24 Apr 2018 08:15:20 +0000 +Subject: IB/uverbs: Fix validating mandatory attributes + +From: Matan Barak + +[ Upstream commit f604db645a66b7ba4f21c426fe73253928dada41 ] + +Previously, if a method contained mandatory attributes in a namespace +that wasn't given by the user, these attributes weren't validated. +Fixing this by iterating over all specification namespaces. + +Fixes: fac9658cabb9 ("IB/core: Add new ioctl interface") +Signed-off-by: Matan Barak +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/uverbs_ioctl.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/infiniband/core/uverbs_ioctl.c ++++ b/drivers/infiniband/core/uverbs_ioctl.c +@@ -191,6 +191,15 @@ static int uverbs_validate_kernel_mandat + return -EINVAL; + } + ++ for (; i < method_spec->num_buckets; i++) { ++ struct uverbs_attr_spec_hash *attr_spec_bucket = ++ method_spec->attr_buckets[i]; ++ ++ if (!bitmap_empty(attr_spec_bucket->mandatory_attrs_bitmask, ++ attr_spec_bucket->num_attrs)) ++ return -EINVAL; ++ } ++ + return 0; + } + diff --git a/queue-4.16/ib_srp-depend-on-infiniband_addr_trans.patch b/queue-4.16/ib_srp-depend-on-infiniband_addr_trans.patch new file mode 100644 index 00000000000..a397b4b7377 --- /dev/null +++ b/queue-4.16/ib_srp-depend-on-infiniband_addr_trans.patch @@ -0,0 +1,33 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Greg Thelen +Date: Thu, 26 Apr 2018 11:19:34 -0700 +Subject: ib_srp: depend on INFINIBAND_ADDR_TRANS + +From: Greg Thelen + +[ Upstream commit 5a3bc8a4abbd2d553430218d3a320400dce811b7 ] + +INFINIBAND_SRP code depends on INFINIBAND_ADDR_TRANS provided symbols. +So declare the kconfig dependency. This is necessary to allow for +enabling INFINIBAND without INFINIBAND_ADDR_TRANS. + +Signed-off-by: Greg Thelen +Cc: Tarick Bedeir +Reviewed-by: Bart Van Assche +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/ulp/srp/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/ulp/srp/Kconfig ++++ b/drivers/infiniband/ulp/srp/Kconfig +@@ -1,6 +1,6 @@ + config INFINIBAND_SRP + tristate "InfiniBand SCSI RDMA Protocol" +- depends on SCSI ++ depends on SCSI && INFINIBAND_ADDR_TRANS + select SCSI_SRP_ATTRS + ---help--- + Support for the SCSI RDMA Protocol over InfiniBand. This diff --git a/queue-4.16/ib_srpt-depend-on-infiniband_addr_trans.patch b/queue-4.16/ib_srpt-depend-on-infiniband_addr_trans.patch new file mode 100644 index 00000000000..4a98f4513cb --- /dev/null +++ b/queue-4.16/ib_srpt-depend-on-infiniband_addr_trans.patch @@ -0,0 +1,33 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Greg Thelen +Date: Thu, 26 Apr 2018 11:19:32 -0700 +Subject: ib_srpt: depend on INFINIBAND_ADDR_TRANS + +From: Greg Thelen + +[ Upstream commit 346a47b65d10e450778ec0d21e4a9409f25daaa8 ] + +INFINIBAND_SRPT code depends on INFINIBAND_ADDR_TRANS provided symbols. +So declare the kconfig dependency. This is necessary to allow for +enabling INFINIBAND without INFINIBAND_ADDR_TRANS. + +Signed-off-by: Greg Thelen +Cc: Tarick Bedeir +Reviewed-by: Bart Van Assche +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/ulp/srpt/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/ulp/srpt/Kconfig ++++ b/drivers/infiniband/ulp/srpt/Kconfig +@@ -1,6 +1,6 @@ + config INFINIBAND_SRPT + tristate "InfiniBand SCSI RDMA Protocol target support" +- depends on INFINIBAND && TARGET_CORE ++ depends on INFINIBAND && INFINIBAND_ADDR_TRANS && TARGET_CORE + ---help--- + + Support for the SCSI RDMA Protocol (SRP) Target driver. The diff --git a/queue-4.16/ibmvnic-do-not-notify-peers-on-parameter-change-resets.patch b/queue-4.16/ibmvnic-do-not-notify-peers-on-parameter-change-resets.patch new file mode 100644 index 00000000000..050a2ef1872 --- /dev/null +++ b/queue-4.16/ibmvnic-do-not-notify-peers-on-parameter-change-resets.patch @@ -0,0 +1,33 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Nathan Fontenot +Date: Wed, 11 Apr 2018 10:09:38 -0500 +Subject: ibmvnic: Do not notify peers on parameter change resets + +From: Nathan Fontenot + +[ Upstream commit ebc701b796a67a5785399dcbc83d90e3b5f1e02f ] + +When attempting to change the driver parameters, such as the MTU +value or number of queues, do not call netdev_notify_peers(). +Doing so will deadlock on the rtnl_lock. + +Signed-off-by: Nathan Fontenot +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ibm/ibmvnic.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -1711,7 +1711,8 @@ static int do_reset(struct ibmvnic_adapt + for (i = 0; i < adapter->req_rx_queues; i++) + napi_schedule(&adapter->napi[i]); + +- if (adapter->reset_reason != VNIC_RESET_FAILOVER) ++ if (adapter->reset_reason != VNIC_RESET_FAILOVER && ++ adapter->reset_reason != VNIC_RESET_CHANGE_PARAM) + netdev_notify_peers(netdev); + + netif_carrier_on(netdev); diff --git a/queue-4.16/igb-fix-the-transmission-mode-of-queue-0-for-qav-mode.patch b/queue-4.16/igb-fix-the-transmission-mode-of-queue-0-for-qav-mode.patch new file mode 100644 index 00000000000..374d4106d51 --- /dev/null +++ b/queue-4.16/igb-fix-the-transmission-mode-of-queue-0-for-qav-mode.patch @@ -0,0 +1,62 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Vinicius Costa Gomes +Date: Fri, 30 Mar 2018 17:06:52 -0700 +Subject: igb: Fix the transmission mode of queue 0 for Qav mode + +From: Vinicius Costa Gomes + +[ Upstream commit 2707df9773cd2cb8b0f35b8592431b301da9d352 ] + +When Qav mode is enabled, queue 0 should be kept on Stream Reservation +mode. From the i210 datasheet, section 8.12.19: + +"Note: Queue0 QueueMode must be set to 1b when TransmitMode is set to +Qav." ("QueueMode 1b" represents the Stream Reservation mode) + +The solution is to give queue 0 the all the credits it might need, so +it has priority over queue 1. + +A situation where this can happen is when cbs is "installed" only on +queue 1, leaving queue 0 alone. For example: + +$ tc qdisc replace dev enp2s0 handle 100: parent root mqprio num_tc 3 \ + map 2 2 1 0 2 2 2 2 2 2 2 2 2 2 2 2 queues 1@0 1@1 2@2 hw 0 + +$ tc qdisc replace dev enp2s0 parent 100:2 cbs locredit -1470 \ + hicredit 30 sendslope -980000 idleslope 20000 offload 1 + +Signed-off-by: Vinicius Costa Gomes +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/igb/igb_main.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -1698,7 +1698,22 @@ static void igb_configure_cbs(struct igb + WARN_ON(hw->mac.type != e1000_i210); + WARN_ON(queue < 0 || queue > 1); + +- if (enable) { ++ if (enable || queue == 0) { ++ /* i210 does not allow the queue 0 to be in the Strict ++ * Priority mode while the Qav mode is enabled, so, ++ * instead of disabling strict priority mode, we give ++ * queue 0 the maximum of credits possible. ++ * ++ * See section 8.12.19 of the i210 datasheet, "Note: ++ * Queue0 QueueMode must be set to 1b when ++ * TransmitMode is set to Qav." ++ */ ++ if (queue == 0 && !enable) { ++ /* max "linkspeed" idleslope in kbps */ ++ idleslope = 1000000; ++ hicredit = ETH_FRAME_LEN; ++ } ++ + set_tx_desc_fetch_prio(hw, queue, TX_QUEUE_PRIO_HIGH); + set_queue_mode(hw, queue, QUEUE_MODE_STREAM_RESERVATION); + diff --git a/queue-4.16/init-fix-false-positives-in-w-x-checking.patch b/queue-4.16/init-fix-false-positives-in-w-x-checking.patch new file mode 100644 index 00000000000..9a4bcd22ed3 --- /dev/null +++ b/queue-4.16/init-fix-false-positives-in-w-x-checking.patch @@ -0,0 +1,80 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Jeffrey Hugo +Date: Fri, 11 May 2018 16:01:42 -0700 +Subject: init: fix false positives in W+X checking + +From: Jeffrey Hugo + +[ Upstream commit ae646f0b9ca135b87bc73ff606ef996c3029780a ] + +load_module() creates W+X mappings via __vmalloc_node_range() (from +layout_and_allocate()->move_module()->module_alloc()) by using +PAGE_KERNEL_EXEC. These mappings are later cleaned up via +"call_rcu_sched(&freeinit->rcu, do_free_init)" from do_init_module(). + +This is a problem because call_rcu_sched() queues work, which can be run +after debug_checkwx() is run, resulting in a race condition. If hit, +the race results in a nasty splat about insecure W+X mappings, which +results in a poor user experience as these are not the mappings that +debug_checkwx() is intended to catch. + +This issue is observed on multiple arm64 platforms, and has been +artificially triggered on an x86 platform. + +Address the race by flushing the queued work before running the +arch-defined mark_rodata_ro() which then calls debug_checkwx(). + +Link: http://lkml.kernel.org/r/1525103946-29526-1-git-send-email-jhugo@codeaurora.org +Fixes: e1a58320a38d ("x86/mm: Warn on W^X mappings") +Signed-off-by: Jeffrey Hugo +Reported-by: Timur Tabi +Reported-by: Jan Glauber +Acked-by: Kees Cook +Acked-by: Ingo Molnar +Acked-by: Will Deacon +Acked-by: Laura Abbott +Cc: Mark Rutland +Cc: Ard Biesheuvel +Cc: Catalin Marinas +Cc: Stephen Smalley +Cc: Thomas Gleixner +Cc: Peter Zijlstra +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + init/main.c | 7 +++++++ + kernel/module.c | 5 +++++ + 2 files changed, 12 insertions(+) + +--- a/init/main.c ++++ b/init/main.c +@@ -981,6 +981,13 @@ __setup("rodata=", set_debug_rodata); + static void mark_readonly(void) + { + if (rodata_enabled) { ++ /* ++ * load_module() results in W+X mappings, which are cleaned up ++ * with call_rcu_sched(). Let's make sure that queued work is ++ * flushed so that we don't hit false positives looking for ++ * insecure pages which are W+X. ++ */ ++ rcu_barrier_sched(); + mark_rodata_ro(); + rodata_test(); + } else +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -3521,6 +3521,11 @@ static noinline int do_init_module(struc + * walking this with preempt disabled. In all the failure paths, we + * call synchronize_sched(), but we don't want to slow down the success + * path, so use actual RCU here. ++ * Note that module_alloc() on most architectures creates W+X page ++ * mappings which won't be cleaned up until do_free_init() runs. Any ++ * code such as mark_rodata_ro() which depends on those mappings to ++ * be cleaned up needs to sync with the queued work - ie ++ * rcu_barrier_sched() + */ + call_rcu_sched(&freeinit->rcu, do_free_init); + mutex_unlock(&module_mutex); diff --git a/queue-4.16/input-atmel_mxt_ts-fix-the-firmware-update.patch b/queue-4.16/input-atmel_mxt_ts-fix-the-firmware-update.patch new file mode 100644 index 00000000000..1c9c7c4f622 --- /dev/null +++ b/queue-4.16/input-atmel_mxt_ts-fix-the-firmware-update.patch @@ -0,0 +1,412 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Nick Dyer +Date: Tue, 1 May 2018 11:40:18 -0700 +Subject: Input: atmel_mxt_ts - fix the firmware update + +From: Nick Dyer + +[ Upstream commit 068bdb67ef74df0ad1627b7247a163e3e252ac11 ] + +The automatic update mechanism will trigger an update if the +info block CRCs are different between maxtouch configuration +file (maxtouch.cfg) and chip. + +The driver compared the CRCs without retrieving the chip CRC, +resulting always in a failure and firmware flashing action +triggered. Fix this issue by retrieving the chip info block +CRC before the check. + +Note that this solution has the benefit that by reading the +information block and the object table into a contiguous region +of memory, we can verify the checksum at probe time. This means +we make sure that we are indeed talking to a chip that supports +object protocol correctly. + +Using this patch on a kevin chromebook, the touchscreen and +touchpad drivers are able to match the CRC: + + atmel_mxt_ts 3-004b: Family: 164 Variant: 14 Firmware V2.3.AA Objects: 40 + atmel_mxt_ts 5-004a: Family: 164 Variant: 17 Firmware V2.0.AA Objects: 31 + atmel_mxt_ts 3-004b: Resetting device + atmel_mxt_ts 5-004a: Resetting device + atmel_mxt_ts 3-004b: Config CRC 0x573E89: OK + atmel_mxt_ts 3-004b: Touchscreen size X4095Y2729 + input: Atmel maXTouch Touchscreen as /devices/platform/ff130000.i2c/i2c-3/3-004b/input/input5 + atmel_mxt_ts 5-004a: Config CRC 0x0AF6BA: OK + atmel_mxt_ts 5-004a: Touchscreen size X1920Y1080 + input: Atmel maXTouch Touchpad as /devices/platform/ff140000.i2c/i2c-5/5-004a/input/input6 + +Signed-off-by: Nick Dyer +Acked-by: Benson Leung +[Ezequiel: minor patch massage] +Signed-off-by: Ezequiel Garcia +Tested-by: Sebastian Reichel +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/touchscreen/atmel_mxt_ts.c | 186 ++++++++++++++++++------------- + 1 file changed, 110 insertions(+), 76 deletions(-) + +--- a/drivers/input/touchscreen/atmel_mxt_ts.c ++++ b/drivers/input/touchscreen/atmel_mxt_ts.c +@@ -275,7 +275,8 @@ struct mxt_data { + char phys[64]; /* device physical location */ + const struct mxt_platform_data *pdata; + struct mxt_object *object_table; +- struct mxt_info info; ++ struct mxt_info *info; ++ void *raw_info_block; + unsigned int irq; + unsigned int max_x; + unsigned int max_y; +@@ -450,12 +451,13 @@ static int mxt_lookup_bootloader_address + { + u8 appmode = data->client->addr; + u8 bootloader; ++ u8 family_id = data->info ? data->info->family_id : 0; + + switch (appmode) { + case 0x4a: + case 0x4b: + /* Chips after 1664S use different scheme */ +- if (retry || data->info.family_id >= 0xa2) { ++ if (retry || family_id >= 0xa2) { + bootloader = appmode - 0x24; + break; + } +@@ -682,7 +684,7 @@ mxt_get_object(struct mxt_data *data, u8 + struct mxt_object *object; + int i; + +- for (i = 0; i < data->info.object_num; i++) { ++ for (i = 0; i < data->info->object_num; i++) { + object = data->object_table + i; + if (object->type == type) + return object; +@@ -1453,12 +1455,12 @@ static int mxt_update_cfg(struct mxt_dat + data_pos += offset; + } + +- if (cfg_info.family_id != data->info.family_id) { ++ if (cfg_info.family_id != data->info->family_id) { + dev_err(dev, "Family ID mismatch!\n"); + return -EINVAL; + } + +- if (cfg_info.variant_id != data->info.variant_id) { ++ if (cfg_info.variant_id != data->info->variant_id) { + dev_err(dev, "Variant ID mismatch!\n"); + return -EINVAL; + } +@@ -1503,7 +1505,7 @@ static int mxt_update_cfg(struct mxt_dat + + /* Malloc memory to store configuration */ + cfg_start_ofs = MXT_OBJECT_START + +- data->info.object_num * sizeof(struct mxt_object) + ++ data->info->object_num * sizeof(struct mxt_object) + + MXT_INFO_CHECKSUM_SIZE; + config_mem_size = data->mem_size - cfg_start_ofs; + config_mem = kzalloc(config_mem_size, GFP_KERNEL); +@@ -1554,20 +1556,6 @@ release_mem: + return ret; + } + +-static int mxt_get_info(struct mxt_data *data) +-{ +- struct i2c_client *client = data->client; +- struct mxt_info *info = &data->info; +- int error; +- +- /* Read 7-byte info block starting at address 0 */ +- error = __mxt_read_reg(client, 0, sizeof(*info), info); +- if (error) +- return error; +- +- return 0; +-} +- + static void mxt_free_input_device(struct mxt_data *data) + { + if (data->input_dev) { +@@ -1582,9 +1570,10 @@ static void mxt_free_object_table(struct + video_unregister_device(&data->dbg.vdev); + v4l2_device_unregister(&data->dbg.v4l2); + #endif +- +- kfree(data->object_table); + data->object_table = NULL; ++ data->info = NULL; ++ kfree(data->raw_info_block); ++ data->raw_info_block = NULL; + kfree(data->msg_buf); + data->msg_buf = NULL; + data->T5_address = 0; +@@ -1600,34 +1589,18 @@ static void mxt_free_object_table(struct + data->max_reportid = 0; + } + +-static int mxt_get_object_table(struct mxt_data *data) ++static int mxt_parse_object_table(struct mxt_data *data, ++ struct mxt_object *object_table) + { + struct i2c_client *client = data->client; +- size_t table_size; +- struct mxt_object *object_table; +- int error; + int i; + u8 reportid; + u16 end_address; + +- table_size = data->info.object_num * sizeof(struct mxt_object); +- object_table = kzalloc(table_size, GFP_KERNEL); +- if (!object_table) { +- dev_err(&data->client->dev, "Failed to allocate memory\n"); +- return -ENOMEM; +- } +- +- error = __mxt_read_reg(client, MXT_OBJECT_START, table_size, +- object_table); +- if (error) { +- kfree(object_table); +- return error; +- } +- + /* Valid Report IDs start counting from 1 */ + reportid = 1; + data->mem_size = 0; +- for (i = 0; i < data->info.object_num; i++) { ++ for (i = 0; i < data->info->object_num; i++) { + struct mxt_object *object = object_table + i; + u8 min_id, max_id; + +@@ -1651,8 +1624,8 @@ static int mxt_get_object_table(struct m + + switch (object->type) { + case MXT_GEN_MESSAGE_T5: +- if (data->info.family_id == 0x80 && +- data->info.version < 0x20) { ++ if (data->info->family_id == 0x80 && ++ data->info->version < 0x20) { + /* + * On mXT224 firmware versions prior to V2.0 + * read and discard unused CRC byte otherwise +@@ -1707,24 +1680,102 @@ static int mxt_get_object_table(struct m + /* If T44 exists, T5 position has to be directly after */ + if (data->T44_address && (data->T5_address != data->T44_address + 1)) { + dev_err(&client->dev, "Invalid T44 position\n"); +- error = -EINVAL; +- goto free_object_table; ++ return -EINVAL; + } + + data->msg_buf = kcalloc(data->max_reportid, + data->T5_msg_size, GFP_KERNEL); +- if (!data->msg_buf) { +- dev_err(&client->dev, "Failed to allocate message buffer\n"); ++ if (!data->msg_buf) ++ return -ENOMEM; ++ ++ return 0; ++} ++ ++static int mxt_read_info_block(struct mxt_data *data) ++{ ++ struct i2c_client *client = data->client; ++ int error; ++ size_t size; ++ void *id_buf, *buf; ++ uint8_t num_objects; ++ u32 calculated_crc; ++ u8 *crc_ptr; ++ ++ /* If info block already allocated, free it */ ++ if (data->raw_info_block) ++ mxt_free_object_table(data); ++ ++ /* Read 7-byte ID information block starting at address 0 */ ++ size = sizeof(struct mxt_info); ++ id_buf = kzalloc(size, GFP_KERNEL); ++ if (!id_buf) ++ return -ENOMEM; ++ ++ error = __mxt_read_reg(client, 0, size, id_buf); ++ if (error) ++ goto err_free_mem; ++ ++ /* Resize buffer to give space for rest of info block */ ++ num_objects = ((struct mxt_info *)id_buf)->object_num; ++ size += (num_objects * sizeof(struct mxt_object)) ++ + MXT_INFO_CHECKSUM_SIZE; ++ ++ buf = krealloc(id_buf, size, GFP_KERNEL); ++ if (!buf) { + error = -ENOMEM; +- goto free_object_table; ++ goto err_free_mem; ++ } ++ id_buf = buf; ++ ++ /* Read rest of info block */ ++ error = __mxt_read_reg(client, MXT_OBJECT_START, ++ size - MXT_OBJECT_START, ++ id_buf + MXT_OBJECT_START); ++ if (error) ++ goto err_free_mem; ++ ++ /* Extract & calculate checksum */ ++ crc_ptr = id_buf + size - MXT_INFO_CHECKSUM_SIZE; ++ data->info_crc = crc_ptr[0] | (crc_ptr[1] << 8) | (crc_ptr[2] << 16); ++ ++ calculated_crc = mxt_calculate_crc(id_buf, 0, ++ size - MXT_INFO_CHECKSUM_SIZE); ++ ++ /* ++ * CRC mismatch can be caused by data corruption due to I2C comms ++ * issue or else device is not using Object Based Protocol (eg i2c-hid) ++ */ ++ if ((data->info_crc == 0) || (data->info_crc != calculated_crc)) { ++ dev_err(&client->dev, ++ "Info Block CRC error calculated=0x%06X read=0x%06X\n", ++ calculated_crc, data->info_crc); ++ error = -EIO; ++ goto err_free_mem; ++ } ++ ++ data->raw_info_block = id_buf; ++ data->info = (struct mxt_info *)id_buf; ++ ++ dev_info(&client->dev, ++ "Family: %u Variant: %u Firmware V%u.%u.%02X Objects: %u\n", ++ data->info->family_id, data->info->variant_id, ++ data->info->version >> 4, data->info->version & 0xf, ++ data->info->build, data->info->object_num); ++ ++ /* Parse object table information */ ++ error = mxt_parse_object_table(data, id_buf + MXT_OBJECT_START); ++ if (error) { ++ dev_err(&client->dev, "Error %d parsing object table\n", error); ++ mxt_free_object_table(data); ++ goto err_free_mem; + } + +- data->object_table = object_table; ++ data->object_table = (struct mxt_object *)(id_buf + MXT_OBJECT_START); + + return 0; + +-free_object_table: +- mxt_free_object_table(data); ++err_free_mem: ++ kfree(id_buf); + return error; + } + +@@ -2039,7 +2090,7 @@ static int mxt_initialize(struct mxt_dat + int error; + + while (1) { +- error = mxt_get_info(data); ++ error = mxt_read_info_block(data); + if (!error) + break; + +@@ -2070,16 +2121,9 @@ static int mxt_initialize(struct mxt_dat + msleep(MXT_FW_RESET_TIME); + } + +- /* Get object table information */ +- error = mxt_get_object_table(data); +- if (error) { +- dev_err(&client->dev, "Error %d reading object table\n", error); +- return error; +- } +- + error = mxt_acquire_irq(data); + if (error) +- goto err_free_object_table; ++ return error; + + error = request_firmware_nowait(THIS_MODULE, true, MXT_CFG_NAME, + &client->dev, GFP_KERNEL, data, +@@ -2087,14 +2131,10 @@ static int mxt_initialize(struct mxt_dat + if (error) { + dev_err(&client->dev, "Failed to invoke firmware loader: %d\n", + error); +- goto err_free_object_table; ++ return error; + } + + return 0; +- +-err_free_object_table: +- mxt_free_object_table(data); +- return error; + } + + static int mxt_set_t7_power_cfg(struct mxt_data *data, u8 sleep) +@@ -2155,7 +2195,7 @@ recheck: + static u16 mxt_get_debug_value(struct mxt_data *data, unsigned int x, + unsigned int y) + { +- struct mxt_info *info = &data->info; ++ struct mxt_info *info = data->info; + struct mxt_dbg *dbg = &data->dbg; + unsigned int ofs, page; + unsigned int col = 0; +@@ -2483,7 +2523,7 @@ static const struct video_device mxt_vid + + static void mxt_debug_init(struct mxt_data *data) + { +- struct mxt_info *info = &data->info; ++ struct mxt_info *info = data->info; + struct mxt_dbg *dbg = &data->dbg; + struct mxt_object *object; + int error; +@@ -2569,7 +2609,6 @@ static int mxt_configure_objects(struct + const struct firmware *cfg) + { + struct device *dev = &data->client->dev; +- struct mxt_info *info = &data->info; + int error; + + error = mxt_init_t7_power_cfg(data); +@@ -2594,11 +2633,6 @@ static int mxt_configure_objects(struct + + mxt_debug_init(data); + +- dev_info(dev, +- "Family: %u Variant: %u Firmware V%u.%u.%02X Objects: %u\n", +- info->family_id, info->variant_id, info->version >> 4, +- info->version & 0xf, info->build, info->object_num); +- + return 0; + } + +@@ -2607,7 +2641,7 @@ static ssize_t mxt_fw_version_show(struc + struct device_attribute *attr, char *buf) + { + struct mxt_data *data = dev_get_drvdata(dev); +- struct mxt_info *info = &data->info; ++ struct mxt_info *info = data->info; + return scnprintf(buf, PAGE_SIZE, "%u.%u.%02X\n", + info->version >> 4, info->version & 0xf, info->build); + } +@@ -2617,7 +2651,7 @@ static ssize_t mxt_hw_version_show(struc + struct device_attribute *attr, char *buf) + { + struct mxt_data *data = dev_get_drvdata(dev); +- struct mxt_info *info = &data->info; ++ struct mxt_info *info = data->info; + return scnprintf(buf, PAGE_SIZE, "%u.%u\n", + info->family_id, info->variant_id); + } +@@ -2656,7 +2690,7 @@ static ssize_t mxt_object_show(struct de + return -ENOMEM; + + error = 0; +- for (i = 0; i < data->info.object_num; i++) { ++ for (i = 0; i < data->info->object_num; i++) { + object = data->object_table + i; + + if (!mxt_object_readable(object->type)) diff --git a/queue-4.16/input-synaptics-rmi4-fix-an-unchecked-out-of-memory-error-path.patch b/queue-4.16/input-synaptics-rmi4-fix-an-unchecked-out-of-memory-error-path.patch new file mode 100644 index 00000000000..9fd0986d0ba --- /dev/null +++ b/queue-4.16/input-synaptics-rmi4-fix-an-unchecked-out-of-memory-error-path.patch @@ -0,0 +1,40 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Christophe JAILLET +Date: Fri, 6 Apr 2018 15:36:11 -0700 +Subject: Input: synaptics-rmi4 - fix an unchecked out of memory error path + +From: Christophe JAILLET + +[ Upstream commit 839c42273617787318da7baf6151d553108f5e17 ] + +When extending the rmi_spi buffers, we must check that no out of memory +error occurs, otherwise we may access data above the currently allocated +memory. + +Propagate the error code returned by 'rmi_spi_manage_pools()' instead. + +Signed-off-by: Christophe JAILLET +Reviewed-by: Andrew Duggan +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/rmi4/rmi_spi.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/input/rmi4/rmi_spi.c ++++ b/drivers/input/rmi4/rmi_spi.c +@@ -147,8 +147,11 @@ static int rmi_spi_xfer(struct rmi_spi_x + if (len > RMI_SPI_XFER_SIZE_LIMIT) + return -EINVAL; + +- if (rmi_spi->xfer_buf_size < len) +- rmi_spi_manage_pools(rmi_spi, len); ++ if (rmi_spi->xfer_buf_size < len) { ++ ret = rmi_spi_manage_pools(rmi_spi, len); ++ if (ret < 0) ++ return ret; ++ } + + if (addr == 0) + /* diff --git a/queue-4.16/iommu-vt-d-fix-shift-out-of-bounds-in-bug-checking.patch b/queue-4.16/iommu-vt-d-fix-shift-out-of-bounds-in-bug-checking.patch new file mode 100644 index 00000000000..bec0a98e1bd --- /dev/null +++ b/queue-4.16/iommu-vt-d-fix-shift-out-of-bounds-in-bug-checking.patch @@ -0,0 +1,74 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Changbin Du +Date: Fri, 20 Apr 2018 13:29:55 +0800 +Subject: iommu/vt-d: fix shift-out-of-bounds in bug checking + +From: Changbin Du + +[ Upstream commit 0dfc0c792d691f8056f38b5c30789f504be0e467 ] + +It allows to flush more than 4GB of device TLBs. So the mask should be +64bit wide. UBSAN captured this fault as below. + +[ 3.760024] ================================================================================ +[ 3.768440] UBSAN: Undefined behaviour in drivers/iommu/dmar.c:1348:3 +[ 3.774864] shift exponent 64 is too large for 32-bit type 'int' +[ 3.780853] CPU: 2 PID: 0 Comm: swapper/2 Tainted: G U 4.17.0-rc1+ #89 +[ 3.788661] Hardware name: Dell Inc. OptiPlex 7040/0Y7WYT, BIOS 1.2.8 01/26/2016 +[ 3.796034] Call Trace: +[ 3.798472] +[ 3.800479] dump_stack+0x90/0xfb +[ 3.803787] ubsan_epilogue+0x9/0x40 +[ 3.807353] __ubsan_handle_shift_out_of_bounds+0x10e/0x170 +[ 3.812916] ? qi_flush_dev_iotlb+0x124/0x180 +[ 3.817261] qi_flush_dev_iotlb+0x124/0x180 +[ 3.821437] iommu_flush_dev_iotlb+0x94/0xf0 +[ 3.825698] iommu_flush_iova+0x10b/0x1c0 +[ 3.829699] ? fq_ring_free+0x1d0/0x1d0 +[ 3.833527] iova_domain_flush+0x25/0x40 +[ 3.837448] fq_flush_timeout+0x55/0x160 +[ 3.841368] ? fq_ring_free+0x1d0/0x1d0 +[ 3.845200] ? fq_ring_free+0x1d0/0x1d0 +[ 3.849034] call_timer_fn+0xbe/0x310 +[ 3.852696] ? fq_ring_free+0x1d0/0x1d0 +[ 3.856530] run_timer_softirq+0x223/0x6e0 +[ 3.860625] ? sched_clock+0x5/0x10 +[ 3.864108] ? sched_clock+0x5/0x10 +[ 3.867594] __do_softirq+0x1b5/0x6f5 +[ 3.871250] irq_exit+0xd4/0x130 +[ 3.874470] smp_apic_timer_interrupt+0xb8/0x2f0 +[ 3.879075] apic_timer_interrupt+0xf/0x20 +[ 3.883159] +[ 3.885255] RIP: 0010:poll_idle+0x60/0xe7 +[ 3.889252] RSP: 0018:ffffb1b201943e30 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13 +[ 3.896802] RAX: 0000000080200000 RBX: 000000000000008e RCX: 000000000000001f +[ 3.903918] RDX: 0000000000000000 RSI: 000000002819aa06 RDI: 0000000000000000 +[ 3.911031] RBP: ffff9e93c6b33280 R08: 00000010f717d567 R09: 000000000010d205 +[ 3.918146] R10: ffffb1b201943df8 R11: 0000000000000001 R12: 00000000e01b169d +[ 3.925260] R13: 0000000000000000 R14: ffffffffb12aa400 R15: 0000000000000000 +[ 3.932382] cpuidle_enter_state+0xb4/0x470 +[ 3.936558] do_idle+0x222/0x310 +[ 3.939779] cpu_startup_entry+0x78/0x90 +[ 3.943693] start_secondary+0x205/0x2e0 +[ 3.947607] secondary_startup_64+0xa5/0xb0 +[ 3.951783] ================================================================================ + +Signed-off-by: Changbin Du +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/dmar.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iommu/dmar.c ++++ b/drivers/iommu/dmar.c +@@ -1345,7 +1345,7 @@ void qi_flush_dev_iotlb(struct intel_iom + struct qi_desc desc; + + if (mask) { +- BUG_ON(addr & ((1 << (VTD_PAGE_SHIFT + mask)) - 1)); ++ BUG_ON(addr & ((1ULL << (VTD_PAGE_SHIFT + mask)) - 1)); + addr |= (1ULL << (VTD_PAGE_SHIFT + mask - 1)) - 1; + desc.high = QI_DEV_IOTLB_ADDR(addr) | QI_DEV_IOTLB_SIZE; + } else diff --git a/queue-4.16/iommu-vt-d-fix-usage-of-force-parameter-in-intel_ir_reconfigure_irte.patch b/queue-4.16/iommu-vt-d-fix-usage-of-force-parameter-in-intel_ir_reconfigure_irte.patch new file mode 100644 index 00000000000..1ae95b7a524 --- /dev/null +++ b/queue-4.16/iommu-vt-d-fix-usage-of-force-parameter-in-intel_ir_reconfigure_irte.patch @@ -0,0 +1,55 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Jagannathan Raman +Date: Tue, 6 Mar 2018 17:39:41 -0500 +Subject: iommu/vt-d: Fix usage of force parameter in intel_ir_reconfigure_irte() + +From: Jagannathan Raman + +[ Upstream commit aa7528fe3576d11f4a10237178a723a1f080a547 ] + +It was noticed that the IRTE configured for guest OS kernel +was over-written while the guest was running. As a result, +vt-d Posted Interrupts configured for the guest are not being +delivered directly, and instead bounces off the host. Every +interrupt delivery takes a VM Exit. + +It was noticed that the following stack is doing the over-write: +[ 147.463177] modify_irte+0x171/0x1f0 +[ 147.463405] intel_ir_set_affinity+0x5c/0x80 +[ 147.463641] msi_domain_set_affinity+0x32/0x90 +[ 147.463881] irq_do_set_affinity+0x37/0xd0 +[ 147.464125] irq_set_affinity_locked+0x9d/0xb0 +[ 147.464374] __irq_set_affinity+0x42/0x70 +[ 147.464627] write_irq_affinity.isra.5+0xe1/0x110 +[ 147.464895] proc_reg_write+0x38/0x70 +[ 147.465150] __vfs_write+0x36/0x180 +[ 147.465408] ? handle_mm_fault+0xdf/0x200 +[ 147.465671] ? _cond_resched+0x15/0x30 +[ 147.465936] vfs_write+0xad/0x1a0 +[ 147.466204] SyS_write+0x52/0xc0 +[ 147.466472] do_syscall_64+0x74/0x1a0 +[ 147.466744] entry_SYSCALL_64_after_hwframe+0x3d/0xa2 + +reversing the sense of force check in intel_ir_reconfigure_irte() +restores proper posted interrupt functionality + +Signed-off-by: Jagannathan Raman +Fixes: d491bdff888e ('iommu/vt-d: Reevaluate vector configuration on activate()') +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/intel_irq_remapping.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iommu/intel_irq_remapping.c ++++ b/drivers/iommu/intel_irq_remapping.c +@@ -1136,7 +1136,7 @@ static void intel_ir_reconfigure_irte(st + irte->dest_id = IRTE_DEST(cfg->dest_apicid); + + /* Update the hardware only if the interrupt is in remapped mode. */ +- if (!force || ir_data->irq_2_iommu.mode == IRQ_REMAPPING) ++ if (force || ir_data->irq_2_iommu.mode == IRQ_REMAPPING) + modify_irte(&ir_data->irq_2_iommu, irte); + } + diff --git a/queue-4.16/isofs-fix-potential-memory-leak-in-mount-option-parsing.patch b/queue-4.16/isofs-fix-potential-memory-leak-in-mount-option-parsing.patch new file mode 100644 index 00000000000..5dae34e944c --- /dev/null +++ b/queue-4.16/isofs-fix-potential-memory-leak-in-mount-option-parsing.patch @@ -0,0 +1,36 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Chengguang Xu +Date: Sat, 14 Apr 2018 20:16:06 +0800 +Subject: isofs: fix potential memory leak in mount option parsing + +From: Chengguang Xu + +[ Upstream commit 4f34a5130a471f32f2fe7750769ab4057dc3eaa0 ] + +When specifying string type mount option (e.g., iocharset) +several times in a mount, current option parsing may +cause memory leak. Hence, call kfree for previous one +in this case. Meanwhile, check memory allocation result +for it. + +Signed-off-by: Chengguang Xu +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/isofs/inode.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/isofs/inode.c ++++ b/fs/isofs/inode.c +@@ -394,7 +394,10 @@ static int parse_options(char *options, + break; + #ifdef CONFIG_JOLIET + case Opt_iocharset: ++ kfree(popt->iocharset); + popt->iocharset = match_strdup(&args[0]); ++ if (!popt->iocharset) ++ return 0; + break; + #endif + case Opt_map_a: diff --git a/queue-4.16/ixgbe-fix-memory-leak-on-ipsec-allocation.patch b/queue-4.16/ixgbe-fix-memory-leak-on-ipsec-allocation.patch new file mode 100644 index 00000000000..6431670b9e6 --- /dev/null +++ b/queue-4.16/ixgbe-fix-memory-leak-on-ipsec-allocation.patch @@ -0,0 +1,39 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Colin Ian King +Date: Wed, 9 May 2018 14:58:48 +0100 +Subject: ixgbe: fix memory leak on ipsec allocation + +From: Colin Ian King + +[ Upstream commit c89ebb968f04c71e16e86c91caeacb045dc8f908 ] + +The error clean up path kfree's adapter->ipsec and should be +instead kfree'ing ipsec. Fix this. Also, the err1 error exit path +does not need to kfree ipsec because this failure path was for +the failed allocation of ipsec. + +Detected by CoverityScan, CID#146424 ("Resource Leak") + +Fixes: 63a67fe229ea ("ixgbe: add ipsec offload add and remove SA") +Signed-off-by: Colin Ian King +Acked-by: Shannon Nelson +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c +@@ -918,8 +918,8 @@ err2: + kfree(ipsec->ip_tbl); + kfree(ipsec->rx_tbl); + kfree(ipsec->tx_tbl); ++ kfree(ipsec); + err1: +- kfree(adapter->ipsec); + netdev_err(adapter->netdev, "Unable to allocate memory for SA tables"); + } + diff --git a/queue-4.16/ixgbe-return-error-on-unsupported-sfp-module-when-resetting.patch b/queue-4.16/ixgbe-return-error-on-unsupported-sfp-module-when-resetting.patch new file mode 100644 index 00000000000..656b4bb227c --- /dev/null +++ b/queue-4.16/ixgbe-return-error-on-unsupported-sfp-module-when-resetting.patch @@ -0,0 +1,33 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Emil Tantilov +Date: Thu, 19 Apr 2018 17:06:57 -0700 +Subject: ixgbe: return error on unsupported SFP module when resetting + +From: Emil Tantilov + +[ Upstream commit bbb2707623f3ccc48695da2433f06d7c38193451 ] + +Add check for unsupported module and return the error code. +This fixes a Coverity hit due to unused return status from setup_sfp. + +Signed-off-by: Emil Tantilov +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c +@@ -3427,6 +3427,9 @@ static s32 ixgbe_reset_hw_X550em(struct + hw->phy.sfp_setup_needed = false; + } + ++ if (status == IXGBE_ERR_SFP_NOT_SUPPORTED) ++ return status; ++ + /* Reset PHY */ + if (!hw->phy.reset_disable && hw->phy.ops.reset) + hw->phy.ops.reset(hw); diff --git a/queue-4.16/kexec_file-do-not-add-extra-alignment-to-efi-memmap.patch b/queue-4.16/kexec_file-do-not-add-extra-alignment-to-efi-memmap.patch new file mode 100644 index 00000000000..cacb5b24502 --- /dev/null +++ b/queue-4.16/kexec_file-do-not-add-extra-alignment-to-efi-memmap.patch @@ -0,0 +1,64 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Dave Young +Date: Fri, 20 Apr 2018 14:56:10 -0700 +Subject: kexec_file: do not add extra alignment to efi memmap + +From: Dave Young + +[ Upstream commit a841aa83dff0af75c88aa846ba610a8af4c5ee21 ] + +Chun-Yi reported a kernel warning message below: + + WARNING: CPU: 0 PID: 0 at ../mm/early_ioremap.c:182 early_iounmap+0x4f/0x12c() + early_iounmap(ffffffffff200180, 00000118) [0] size not consistent 00000120 + +The problem is x86 kexec_file_load adds extra alignment to the efi +memmap: in bzImage64_load(): + + efi_map_sz = efi_get_runtime_map_size(); + efi_map_sz = ALIGN(efi_map_sz, 16); + +And __efi_memmap_init maps with the size including the alignment bytes +but efi_memmap_unmap use nr_maps * desc_size which does not include the +extra bytes. + +The alignment in kexec code is only needed for the kexec buffer internal +use Actually kexec should pass exact size of the efi memmap to 2nd +kernel. + +Link: http://lkml.kernel.org/r/20180417083600.GA1972@dhcp-128-65.nay.redhat.com +Signed-off-by: Dave Young +Reported-by: joeyli +Tested-by: Randy Wright +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/kexec-bzimage64.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/arch/x86/kernel/kexec-bzimage64.c ++++ b/arch/x86/kernel/kexec-bzimage64.c +@@ -398,11 +398,10 @@ static void *bzImage64_load(struct kimag + * little bit simple + */ + efi_map_sz = efi_get_runtime_map_size(); +- efi_map_sz = ALIGN(efi_map_sz, 16); + params_cmdline_sz = sizeof(struct boot_params) + cmdline_len + + MAX_ELFCOREHDR_STR_LEN; + params_cmdline_sz = ALIGN(params_cmdline_sz, 16); +- kbuf.bufsz = params_cmdline_sz + efi_map_sz + ++ kbuf.bufsz = params_cmdline_sz + ALIGN(efi_map_sz, 16) + + sizeof(struct setup_data) + + sizeof(struct efi_setup_data); + +@@ -410,7 +409,7 @@ static void *bzImage64_load(struct kimag + if (!params) + return ERR_PTR(-ENOMEM); + efi_map_offset = params_cmdline_sz; +- efi_setup_data_offset = efi_map_offset + efi_map_sz; ++ efi_setup_data_offset = efi_map_offset + ALIGN(efi_map_sz, 16); + + /* Copy setup header onto bootparams. Documentation/x86/boot.txt */ + setup_header_size = 0x0202 + kernel[0x0201] - setup_hdr_offset; diff --git a/queue-4.16/kprobes-x86-prohibit-probing-on-exception-masking-instructions.patch b/queue-4.16/kprobes-x86-prohibit-probing-on-exception-masking-instructions.patch new file mode 100644 index 00000000000..714306e28d5 --- /dev/null +++ b/queue-4.16/kprobes-x86-prohibit-probing-on-exception-masking-instructions.patch @@ -0,0 +1,83 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Masami Hiramatsu +Date: Wed, 9 May 2018 21:58:15 +0900 +Subject: kprobes/x86: Prohibit probing on exception masking instructions + +From: Masami Hiramatsu + +[ Upstream commit ee6a7354a3629f9b65bc18dbe393503e9440d6f5 ] + +Since MOV SS and POP SS instructions will delay the exceptions until the +next instruction is executed, single-stepping on it by kprobes must be +prohibited. + +However, kprobes usually executes those instructions directly on trampoline +buffer (a.k.a. kprobe-booster), except for the kprobes which has +post_handler. Thus if kprobe user probes MOV SS with post_handler, it will +do single-stepping on the MOV SS. + +This means it is safe that if it is used via ftrace or perf/bpf since those +don't use the post_handler. + +Anyway, since the stack switching is a rare case, it is safer just +rejecting kprobes on such instructions. + +Signed-off-by: Masami Hiramatsu +Signed-off-by: Thomas Gleixner +Cc: Ricardo Neri +Cc: Francis Deslauriers +Cc: Oleg Nesterov +Cc: Alexei Starovoitov +Cc: Steven Rostedt +Cc: Andy Lutomirski +Cc: "H . Peter Anvin" +Cc: Yonghong Song +Cc: Borislav Petkov +Cc: Linus Torvalds +Cc: "David S . Miller" +Link: https://lkml.kernel.org/r/152587069574.17316.3311695234863248641.stgit@devbox +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/insn.h | 18 ++++++++++++++++++ + arch/x86/kernel/kprobes/core.c | 4 ++++ + 2 files changed, 22 insertions(+) + +--- a/arch/x86/include/asm/insn.h ++++ b/arch/x86/include/asm/insn.h +@@ -208,4 +208,22 @@ static inline int insn_offset_immediate( + return insn_offset_displacement(insn) + insn->displacement.nbytes; + } + ++#define POP_SS_OPCODE 0x1f ++#define MOV_SREG_OPCODE 0x8e ++ ++/* ++ * Intel SDM Vol.3A 6.8.3 states; ++ * "Any single-step trap that would be delivered following the MOV to SS ++ * instruction or POP to SS instruction (because EFLAGS.TF is 1) is ++ * suppressed." ++ * This function returns true if @insn is MOV SS or POP SS. On these ++ * instructions, single stepping is suppressed. ++ */ ++static inline int insn_masking_exception(struct insn *insn) ++{ ++ return insn->opcode.bytes[0] == POP_SS_OPCODE || ++ (insn->opcode.bytes[0] == MOV_SREG_OPCODE && ++ X86_MODRM_REG(insn->modrm.bytes[0]) == 2); ++} ++ + #endif /* _ASM_X86_INSN_H */ +--- a/arch/x86/kernel/kprobes/core.c ++++ b/arch/x86/kernel/kprobes/core.c +@@ -370,6 +370,10 @@ int __copy_instruction(u8 *dest, u8 *src + if (insn->opcode.bytes[0] == BREAKPOINT_INSTRUCTION) + return 0; + ++ /* We should not singlestep on the exception masking instructions */ ++ if (insn_masking_exception(insn)) ++ return 0; ++ + #ifdef CONFIG_X86_64 + /* Only x86_64 has RIP relative instructions */ + if (insn_rip_relative(insn)) { diff --git a/queue-4.16/kthread-sched-wait-fix-kthread_parkme-completion-issue.patch b/queue-4.16/kthread-sched-wait-fix-kthread_parkme-completion-issue.patch new file mode 100644 index 00000000000..1917ade9181 --- /dev/null +++ b/queue-4.16/kthread-sched-wait-fix-kthread_parkme-completion-issue.patch @@ -0,0 +1,202 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Peter Zijlstra +Date: Tue, 1 May 2018 18:14:45 +0200 +Subject: kthread, sched/wait: Fix kthread_parkme() completion issue + +From: Peter Zijlstra + +[ Upstream commit 85f1abe0019fcb3ea10df7029056cf42702283a8 ] + +Even with the wait-loop fixed, there is a further issue with +kthread_parkme(). Upon hotplug, when we do takedown_cpu(), +smpboot_park_threads() can return before all those threads are in fact +blocked, due to the placement of the complete() in __kthread_parkme(). + +When that happens, sched_cpu_dying() -> migrate_tasks() can end up +migrating such a still runnable task onto another CPU. + +Normally the task will have hit schedule() and gone to sleep by the +time we do kthread_unpark(), which will then do __kthread_bind() to +re-bind the task to the correct CPU. + +However, when we loose the initial TASK_PARKED store to the concurrent +wakeup issue described previously, do the complete(), get migrated, it +is possible to either: + + - observe kthread_unpark()'s clearing of SHOULD_PARK and terminate + the park and set TASK_RUNNING, or + + - __kthread_bind()'s wait_task_inactive() to observe the competing + TASK_RUNNING store. + +Either way the WARN() in __kthread_bind() will trigger and fail to +correctly set the CPU affinity. + +Fix this by only issuing the complete() when the kthread has scheduled +out. This does away with all the icky 'still running' nonsense. + +The alternative is to promote TASK_PARKED to a special state, this +guarantees wait_task_inactive() cannot observe a 'stale' TASK_RUNNING +and we'll end up doing the right thing, but this preserves the whole +icky business of potentially migating the still runnable thing. + +Reported-by: Gaurav Kohli +Signed-off-by: Peter Zijlstra (Intel) +Cc: Linus Torvalds +Cc: Oleg Nesterov +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/kthread.h | 1 + + kernel/kthread.c | 43 +++++++++++++++++++------------------------ + kernel/sched/core.c | 32 +++++++++++++++++++++----------- + 3 files changed, 41 insertions(+), 35 deletions(-) + +--- a/include/linux/kthread.h ++++ b/include/linux/kthread.h +@@ -62,6 +62,7 @@ void *kthread_probe_data(struct task_str + int kthread_park(struct task_struct *k); + void kthread_unpark(struct task_struct *k); + void kthread_parkme(void); ++void kthread_park_complete(struct task_struct *k); + + int kthreadd(void *unused); + extern struct task_struct *kthreadd_task; +--- a/kernel/kthread.c ++++ b/kernel/kthread.c +@@ -55,7 +55,6 @@ enum KTHREAD_BITS { + KTHREAD_IS_PER_CPU = 0, + KTHREAD_SHOULD_STOP, + KTHREAD_SHOULD_PARK, +- KTHREAD_IS_PARKED, + }; + + static inline void set_kthread_struct(void *kthread) +@@ -181,11 +180,8 @@ static void __kthread_parkme(struct kthr + set_current_state(TASK_PARKED); + if (!test_bit(KTHREAD_SHOULD_PARK, &self->flags)) + break; +- if (!test_and_set_bit(KTHREAD_IS_PARKED, &self->flags)) +- complete(&self->parked); + schedule(); + } +- clear_bit(KTHREAD_IS_PARKED, &self->flags); + __set_current_state(TASK_RUNNING); + } + +@@ -195,6 +191,11 @@ void kthread_parkme(void) + } + EXPORT_SYMBOL_GPL(kthread_parkme); + ++void kthread_park_complete(struct task_struct *k) ++{ ++ complete(&to_kthread(k)->parked); ++} ++ + static int kthread(void *_create) + { + /* Copy data: it's on kthread's stack */ +@@ -451,22 +452,15 @@ void kthread_unpark(struct task_struct * + { + struct kthread *kthread = to_kthread(k); + +- clear_bit(KTHREAD_SHOULD_PARK, &kthread->flags); + /* +- * We clear the IS_PARKED bit here as we don't wait +- * until the task has left the park code. So if we'd +- * park before that happens we'd see the IS_PARKED bit +- * which might be about to be cleared. ++ * Newly created kthread was parked when the CPU was offline. ++ * The binding was lost and we need to set it again. + */ +- if (test_and_clear_bit(KTHREAD_IS_PARKED, &kthread->flags)) { +- /* +- * Newly created kthread was parked when the CPU was offline. +- * The binding was lost and we need to set it again. +- */ +- if (test_bit(KTHREAD_IS_PER_CPU, &kthread->flags)) +- __kthread_bind(k, kthread->cpu, TASK_PARKED); +- wake_up_state(k, TASK_PARKED); +- } ++ if (test_bit(KTHREAD_IS_PER_CPU, &kthread->flags)) ++ __kthread_bind(k, kthread->cpu, TASK_PARKED); ++ ++ clear_bit(KTHREAD_SHOULD_PARK, &kthread->flags); ++ wake_up_state(k, TASK_PARKED); + } + EXPORT_SYMBOL_GPL(kthread_unpark); + +@@ -489,12 +483,13 @@ int kthread_park(struct task_struct *k) + if (WARN_ON(k->flags & PF_EXITING)) + return -ENOSYS; + +- if (!test_bit(KTHREAD_IS_PARKED, &kthread->flags)) { +- set_bit(KTHREAD_SHOULD_PARK, &kthread->flags); +- if (k != current) { +- wake_up_process(k); +- wait_for_completion(&kthread->parked); +- } ++ if (WARN_ON_ONCE(test_bit(KTHREAD_SHOULD_PARK, &kthread->flags))) ++ return -EBUSY; ++ ++ set_bit(KTHREAD_SHOULD_PARK, &kthread->flags); ++ if (k != current) { ++ wake_up_process(k); ++ wait_for_completion(&kthread->parked); + } + + return 0; +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -30,6 +30,8 @@ + #include + #include + ++#include ++ + #include + #include + #ifdef CONFIG_PARAVIRT +@@ -2733,20 +2735,28 @@ static struct rq *finish_task_switch(str + membarrier_mm_sync_core_before_usermode(mm); + mmdrop(mm); + } +- if (unlikely(prev_state == TASK_DEAD)) { +- if (prev->sched_class->task_dead) +- prev->sched_class->task_dead(prev); ++ if (unlikely(prev_state & (TASK_DEAD|TASK_PARKED))) { ++ switch (prev_state) { ++ case TASK_DEAD: ++ if (prev->sched_class->task_dead) ++ prev->sched_class->task_dead(prev); ++ ++ /* ++ * Remove function-return probe instances associated with this ++ * task and put them back on the free list. ++ */ ++ kprobe_flush_task(prev); + +- /* +- * Remove function-return probe instances associated with this +- * task and put them back on the free list. +- */ +- kprobe_flush_task(prev); ++ /* Task is done with its stack. */ ++ put_task_stack(prev); + +- /* Task is done with its stack. */ +- put_task_stack(prev); ++ put_task_struct(prev); ++ break; + +- put_task_struct(prev); ++ case TASK_PARKED: ++ kthread_park_complete(prev); ++ break; ++ } + } + + tick_nohz_task_switch(); diff --git a/queue-4.16/kthread-sched-wait-fix-kthread_parkme-wait-loop.patch b/queue-4.16/kthread-sched-wait-fix-kthread_parkme-wait-loop.patch new file mode 100644 index 00000000000..17fb2a35aef --- /dev/null +++ b/queue-4.16/kthread-sched-wait-fix-kthread_parkme-wait-loop.patch @@ -0,0 +1,71 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Peter Zijlstra +Date: Mon, 30 Apr 2018 14:50:22 +0200 +Subject: kthread, sched/wait: Fix kthread_parkme() wait-loop + +From: Peter Zijlstra + +[ Upstream commit 741a76b350897604c48fb12beff1c9b77724dc96 ] + +Gaurav reported a problem with __kthread_parkme() where a concurrent +try_to_wake_up() could result in competing stores to ->state which, +when the TASK_PARKED store got lost bad things would happen. + +The comment near set_current_state() actually mentions this competing +store, but only mentions the case against TASK_RUNNING. This same +store, with different timing, can happen against a subsequent !RUNNING +store. + +This normally is not a problem, because as per that same comment, the +!RUNNING state store is inside a condition based wait-loop: + + for (;;) { + set_current_state(TASK_UNINTERRUPTIBLE); + if (!need_sleep) + break; + schedule(); + } + __set_current_state(TASK_RUNNING); + +If we loose the (first) TASK_UNINTERRUPTIBLE store to a previous +(concurrent) wakeup, the schedule() will NO-OP and we'll go around the +loop once more. + +The problem here is that the TASK_PARKED store is not inside the +KTHREAD_SHOULD_PARK condition wait-loop. + +There is a genuine issue with sleeps that do not have a condition; +this is addressed in a subsequent patch. + +Reported-by: Gaurav Kohli +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Oleg Nesterov +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/kthread.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/kernel/kthread.c ++++ b/kernel/kthread.c +@@ -177,12 +177,13 @@ void *kthread_probe_data(struct task_str + + static void __kthread_parkme(struct kthread *self) + { +- __set_current_state(TASK_PARKED); +- while (test_bit(KTHREAD_SHOULD_PARK, &self->flags)) { ++ for (;;) { ++ set_current_state(TASK_PARKED); ++ if (!test_bit(KTHREAD_SHOULD_PARK, &self->flags)) ++ break; + if (!test_and_set_bit(KTHREAD_IS_PARKED, &self->flags)) + complete(&self->parked); + schedule(); +- __set_current_state(TASK_PARKED); + } + clear_bit(KTHREAD_IS_PARKED, &self->flags); + __set_current_state(TASK_RUNNING); diff --git a/queue-4.16/kvm-apic-flush-tlb-after-apic-mode-address-change-if-vpids-are-in-use.patch b/queue-4.16/kvm-apic-flush-tlb-after-apic-mode-address-change-if-vpids-are-in-use.patch new file mode 100644 index 00000000000..fb091e14af1 --- /dev/null +++ b/queue-4.16/kvm-apic-flush-tlb-after-apic-mode-address-change-if-vpids-are-in-use.patch @@ -0,0 +1,77 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Junaid Shahid +Date: Thu, 26 Apr 2018 13:09:50 -0700 +Subject: kvm: apic: Flush TLB after APIC mode/address change if VPIDs are in use + +From: Junaid Shahid + +[ Upstream commit a468f2dbf921d02f5107378501693137a812999b ] + +Currently, KVM flushes the TLB after a change to the APIC access page +address or the APIC mode when EPT mode is enabled. However, even in +shadow paging mode, a TLB flush is needed if VPIDs are being used, as +specified in the Intel SDM Section 29.4.5. + +So replace vmx_flush_tlb_ept_only() with vmx_flush_tlb(), which will +flush if either EPT or VPIDs are in use. + +Signed-off-by: Junaid Shahid +Reviewed-by: Jim Mattson +Signed-off-by: Radim Krčmář +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/vmx.c | 14 ++++---------- + 1 file changed, 4 insertions(+), 10 deletions(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -4272,12 +4272,6 @@ static void vmx_flush_tlb(struct kvm_vcp + __vmx_flush_tlb(vcpu, to_vmx(vcpu)->vpid, invalidate_gpa); + } + +-static void vmx_flush_tlb_ept_only(struct kvm_vcpu *vcpu) +-{ +- if (enable_ept) +- vmx_flush_tlb(vcpu, true); +-} +- + static void vmx_decache_cr0_guest_bits(struct kvm_vcpu *vcpu) + { + ulong cr0_guest_owned_bits = vcpu->arch.cr0_guest_owned_bits; +@@ -9030,7 +9024,7 @@ static void vmx_set_virtual_x2apic_mode( + } else { + sec_exec_control &= ~SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE; + sec_exec_control |= SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES; +- vmx_flush_tlb_ept_only(vcpu); ++ vmx_flush_tlb(vcpu, true); + } + vmcs_write32(SECONDARY_VM_EXEC_CONTROL, sec_exec_control); + +@@ -9058,7 +9052,7 @@ static void vmx_set_apic_access_page_add + !nested_cpu_has2(get_vmcs12(&vmx->vcpu), + SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES)) { + vmcs_write64(APIC_ACCESS_ADDR, hpa); +- vmx_flush_tlb_ept_only(vcpu); ++ vmx_flush_tlb(vcpu, true); + } + } + +@@ -10950,7 +10944,7 @@ static int prepare_vmcs02(struct kvm_vcp + } + } else if (nested_cpu_has2(vmcs12, + SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES)) { +- vmx_flush_tlb_ept_only(vcpu); ++ vmx_flush_tlb(vcpu, true); + } + + /* +@@ -11777,7 +11771,7 @@ static void nested_vmx_vmexit(struct kvm + } else if (!nested_cpu_has_ept(vmcs12) && + nested_cpu_has2(vmcs12, + SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES)) { +- vmx_flush_tlb_ept_only(vcpu); ++ vmx_flush_tlb(vcpu, true); + } + + /* This is needed for same reason as it was needed in prepare_vmcs02 */ diff --git a/queue-4.16/kvm-arm-arm64-vgic-fix-possible-spectre-v1-in-vgic_mmio_read_apr.patch b/queue-4.16/kvm-arm-arm64-vgic-fix-possible-spectre-v1-in-vgic_mmio_read_apr.patch new file mode 100644 index 00000000000..8b64826de06 --- /dev/null +++ b/queue-4.16/kvm-arm-arm64-vgic-fix-possible-spectre-v1-in-vgic_mmio_read_apr.patch @@ -0,0 +1,52 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Mark Rutland +Date: Wed, 25 Apr 2018 17:13:42 +0100 +Subject: KVM: arm/arm64: vgic: fix possible spectre-v1 in vgic_mmio_read_apr() + +From: Mark Rutland + +[ Upstream commit 5e1ca5e23b167987d5b6d8b08f2d5b7dd2d13f49 ] + +It's possible for userspace to control n. Sanitize n when using it as an +array index. + +Note that while it appears that n must be bound to the interval [0,3] +due to the way it is extracted from addr, we cannot guarantee that +compiler transformations (and/or future refactoring) will ensure this is +the case, and given this is a slow path it's better to always perform +the masking. + +Found by smatch. + +Signed-off-by: Mark Rutland +Acked-by: Christoffer Dall +Acked-by: Marc Zyngier +Cc: kvmarm@lists.cs.columbia.edu +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + virt/kvm/arm/vgic/vgic-mmio-v2.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/virt/kvm/arm/vgic/vgic-mmio-v2.c ++++ b/virt/kvm/arm/vgic/vgic-mmio-v2.c +@@ -14,6 +14,8 @@ + #include + #include + #include ++#include ++ + #include + #include + +@@ -324,6 +326,9 @@ static unsigned long vgic_mmio_read_apr( + + if (n > vgic_v3_max_apr_idx(vcpu)) + return 0; ++ ++ n = array_index_nospec(n, 4); ++ + /* GICv3 only uses ICH_AP1Rn for memory mapped (GICv2) guests */ + return vgicv3->vgic_ap1r[n]; + } diff --git a/queue-4.16/kvm-arm-arm64-vgic-kick-new-vcpu-on-interrupt-migration.patch b/queue-4.16/kvm-arm-arm64-vgic-kick-new-vcpu-on-interrupt-migration.patch new file mode 100644 index 00000000000..3581bed8c76 --- /dev/null +++ b/queue-4.16/kvm-arm-arm64-vgic-kick-new-vcpu-on-interrupt-migration.patch @@ -0,0 +1,54 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Andre Przywara +Date: Tue, 17 Apr 2018 11:23:49 +0100 +Subject: KVM: arm/arm64: vgic: Kick new VCPU on interrupt migration + +From: Andre Przywara + +[ Upstream commit bf9a41377d14f565764022470e14aae72559589a ] + +When vgic_prune_ap_list() finds an interrupt that needs to be migrated +to a new VCPU, we should notify this VCPU of the pending interrupt, +since it requires immediate action. +Kick this VCPU once we have added the new IRQ to the list, but only +after dropping the locks. + +Reported-by: Stefano Stabellini +Reviewed-by: Christoffer Dall +Signed-off-by: Andre Przywara +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + virt/kvm/arm/vgic/vgic.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/virt/kvm/arm/vgic/vgic.c ++++ b/virt/kvm/arm/vgic/vgic.c +@@ -599,6 +599,7 @@ retry: + + list_for_each_entry_safe(irq, tmp, &vgic_cpu->ap_list_head, ap_list) { + struct kvm_vcpu *target_vcpu, *vcpuA, *vcpuB; ++ bool target_vcpu_needs_kick = false; + + spin_lock(&irq->irq_lock); + +@@ -669,11 +670,18 @@ retry: + list_del(&irq->ap_list); + irq->vcpu = target_vcpu; + list_add_tail(&irq->ap_list, &new_cpu->ap_list_head); ++ target_vcpu_needs_kick = true; + } + + spin_unlock(&irq->irq_lock); + spin_unlock(&vcpuB->arch.vgic_cpu.ap_list_lock); + spin_unlock_irqrestore(&vcpuA->arch.vgic_cpu.ap_list_lock, flags); ++ ++ if (target_vcpu_needs_kick) { ++ kvm_make_request(KVM_REQ_IRQ_PENDING, target_vcpu); ++ kvm_vcpu_kick(target_vcpu); ++ } ++ + goto retry; + } + diff --git a/queue-4.16/kvm-extend-max_irq_routes-to-4096-for-all-archs.patch b/queue-4.16/kvm-extend-max_irq_routes-to-4096-for-all-archs.patch new file mode 100644 index 00000000000..2f0f91c0425 --- /dev/null +++ b/queue-4.16/kvm-extend-max_irq_routes-to-4096-for-all-archs.patch @@ -0,0 +1,49 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Wanpeng Li +Date: Thu, 26 Apr 2018 17:55:03 -0700 +Subject: KVM: Extend MAX_IRQ_ROUTES to 4096 for all archs + +From: Wanpeng Li + +[ Upstream commit ddc9cfb79c1096a0855839631c091aa7e9602052 ] + +Our virtual machines make use of device assignment by configuring +12 NVMe disks for high I/O performance. Each NVMe device has 129 +MSI-X Table entries: +Capabilities: [50] MSI-X: Enable+ Count=129 Masked-Vector table: BAR=0 offset=00002000 +The windows virtual machines fail to boot since they will map the number of +MSI-table entries that the NVMe hardware reported to the bus to msi routing +table, this will exceed the 1024. This patch extends MAX_IRQ_ROUTES to 4096 +for all archs, in the future this might be extended again if needed. + +Reviewed-by: Cornelia Huck +Cc: Paolo Bonzini +Cc: Radim KrÄmář +Cc: Cornelia Huck +Cc: Christian Borntraeger +Signed-off-by: Wanpeng Li +Signed-off-by: Tonny Lu +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/kvm_host.h | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +--- a/include/linux/kvm_host.h ++++ b/include/linux/kvm_host.h +@@ -1045,13 +1045,7 @@ static inline int mmu_notifier_retry(str + + #ifdef CONFIG_HAVE_KVM_IRQ_ROUTING + +-#ifdef CONFIG_S390 +-#define KVM_MAX_IRQ_ROUTES 4096 //FIXME: we can have more than that... +-#elif defined(CONFIG_ARM64) +-#define KVM_MAX_IRQ_ROUTES 4096 +-#else +-#define KVM_MAX_IRQ_ROUTES 1024 +-#endif ++#define KVM_MAX_IRQ_ROUTES 4096 /* might need extension/rework in the future */ + + bool kvm_arch_can_set_irq_routing(struct kvm *kvm); + int kvm_set_irq_routing(struct kvm *kvm, diff --git a/queue-4.16/kvm-x86-fix-incorrect-reference-of-trace_kvm_pi_irte_update.patch b/queue-4.16/kvm-x86-fix-incorrect-reference-of-trace_kvm_pi_irte_update.patch new file mode 100644 index 00000000000..b2e80907a79 --- /dev/null +++ b/queue-4.16/kvm-x86-fix-incorrect-reference-of-trace_kvm_pi_irte_update.patch @@ -0,0 +1,46 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: hu huajun +Date: Wed, 11 Apr 2018 15:16:40 +0800 +Subject: KVM: X86: fix incorrect reference of trace_kvm_pi_irte_update + +From: hu huajun + +[ Upstream commit 2698d82e519413c6ad287e6f14b29e0373ed37f8 ] + +In arch/x86/kvm/trace.h, this function is declared as host_irq the +first input, and vcpu_id the second, instead of otherwise. + +Signed-off-by: hu huajun +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/svm.c | 5 ++--- + arch/x86/kvm/vmx.c | 2 +- + 2 files changed, 3 insertions(+), 4 deletions(-) + +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -5142,9 +5142,8 @@ static int svm_update_pi_irte(struct kvm + } + + if (!ret && svm) { +- trace_kvm_pi_irte_update(svm->vcpu.vcpu_id, +- host_irq, e->gsi, +- vcpu_info.vector, ++ trace_kvm_pi_irte_update(host_irq, svm->vcpu.vcpu_id, ++ e->gsi, vcpu_info.vector, + vcpu_info.pi_desc_addr, set); + } + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -12237,7 +12237,7 @@ static int vmx_update_pi_irte(struct kvm + vcpu_info.pi_desc_addr = __pa(vcpu_to_pi_desc(vcpu)); + vcpu_info.vector = irq.vector; + +- trace_kvm_pi_irte_update(vcpu->vcpu_id, host_irq, e->gsi, ++ trace_kvm_pi_irte_update(host_irq, vcpu->vcpu_id, e->gsi, + vcpu_info.vector, vcpu_info.pi_desc_addr, set); + + if (set) diff --git a/queue-4.16/kvm-x86-lower-the-default-timer-frequency-limit-to-200us.patch b/queue-4.16/kvm-x86-lower-the-default-timer-frequency-limit-to-200us.patch new file mode 100644 index 00000000000..2ab1316cf2d --- /dev/null +++ b/queue-4.16/kvm-x86-lower-the-default-timer-frequency-limit-to-200us.patch @@ -0,0 +1,46 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Wanpeng Li +Date: Sat, 5 May 2018 04:02:32 -0700 +Subject: KVM: X86: Lower the default timer frequency limit to 200us + +From: Wanpeng Li + +[ Upstream commit 4c27625b7a67eb9006963ed2bcf8e53b259b43af ] + +Anthoine reported: + The period used by Windows change over time but it can be 1 + milliseconds or less. I saw the limit_periodic_timer_frequency + print so 500 microseconds is sometimes reached. + +As suggested by Paolo, lower the default timer frequency limit to a +smaller interval of 200 us (5000 Hz) to leave some headroom. This +is required due to Windows 10 changing the scheduler tick limit +from 1024 Hz to 2048 Hz. + +Reported-by: Anthoine Bourgeois +Suggested-by: Paolo Bonzini +Reviewed-by: Darren Kenny +Cc: Paolo Bonzini +Cc: Radim Krčmář +Cc: Anthoine Bourgeois +Cc: Darren Kenny +Cc: Jan Kiszka +Signed-off-by: Wanpeng Li +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/x86.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -112,7 +112,7 @@ module_param(ignore_msrs, bool, S_IRUGO + static bool __read_mostly report_ignored_msrs = true; + module_param(report_ignored_msrs, bool, S_IRUGO | S_IWUSR); + +-unsigned int min_timer_period_us = 500; ++unsigned int min_timer_period_us = 200; + module_param(min_timer_period_us, uint, S_IRUGO | S_IWUSR); + + static bool __read_mostly kvmclock_periodic_sync = true; diff --git a/queue-4.16/kvm-x86-move-msr_ia32_tsc-handling-to-x86.c.patch b/queue-4.16/kvm-x86-move-msr_ia32_tsc-handling-to-x86.c.patch new file mode 100644 index 00000000000..7ad80551377 --- /dev/null +++ b/queue-4.16/kvm-x86-move-msr_ia32_tsc-handling-to-x86.c.patch @@ -0,0 +1,111 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Paolo Bonzini +Date: Fri, 13 Apr 2018 11:38:35 +0200 +Subject: kvm: x86: move MSR_IA32_TSC handling to x86.c + +From: Paolo Bonzini + +[ Upstream commit dd259935e4eec844dc3e5b8a7cd951cd658b4fb6 ] + +This is not specific to Intel/AMD anymore. The TSC offset is available +in vcpu->arch.tsc_offset. + +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/svm.c | 9 --------- + arch/x86/kvm/vmx.c | 20 -------------------- + arch/x86/kvm/x86.c | 6 ++++++ + 3 files changed, 6 insertions(+), 29 deletions(-) + +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -3915,12 +3915,6 @@ static int svm_get_msr(struct kvm_vcpu * + struct vcpu_svm *svm = to_svm(vcpu); + + switch (msr_info->index) { +- case MSR_IA32_TSC: { +- msr_info->data = svm->vmcb->control.tsc_offset + +- kvm_scale_tsc(vcpu, rdtsc()); +- +- break; +- } + case MSR_STAR: + msr_info->data = svm->vmcb->save.star; + break; +@@ -4080,9 +4074,6 @@ static int svm_set_msr(struct kvm_vcpu * + svm->vmcb->save.g_pat = data; + mark_dirty(svm->vmcb, VMCB_NPT); + break; +- case MSR_IA32_TSC: +- kvm_write_tsc(vcpu, msr); +- break; + case MSR_IA32_SPEC_CTRL: + if (!msr->host_initiated && + !guest_cpuid_has(vcpu, X86_FEATURE_AMD_IBRS)) +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -2650,20 +2650,6 @@ static u64 vmx_read_l1_tsc_offset(struct + } + + /* +- * reads and returns guest's timestamp counter "register" +- * guest_tsc = (host_tsc * tsc multiplier) >> 48 + tsc_offset +- * -- Intel TSC Scaling for Virtualization White Paper, sec 1.3 +- */ +-static u64 guest_read_tsc(struct kvm_vcpu *vcpu) +-{ +- u64 host_tsc, tsc_offset; +- +- host_tsc = rdtsc(); +- tsc_offset = vmcs_read64(TSC_OFFSET); +- return kvm_scale_tsc(vcpu, host_tsc) + tsc_offset; +-} +- +-/* + * writes 'offset' into guest's timestamp counter offset register + */ + static void vmx_write_tsc_offset(struct kvm_vcpu *vcpu, u64 offset) +@@ -3283,9 +3269,6 @@ static int vmx_get_msr(struct kvm_vcpu * + #endif + case MSR_EFER: + return kvm_get_msr_common(vcpu, msr_info); +- case MSR_IA32_TSC: +- msr_info->data = guest_read_tsc(vcpu); +- break; + case MSR_IA32_SPEC_CTRL: + if (!msr_info->host_initiated && + !guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL)) +@@ -3403,9 +3386,6 @@ static int vmx_set_msr(struct kvm_vcpu * + return 1; + vmcs_write64(GUEST_BNDCFGS, data); + break; +- case MSR_IA32_TSC: +- kvm_write_tsc(vcpu, msr_info); +- break; + case MSR_IA32_SPEC_CTRL: + if (!msr_info->host_initiated && + !guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL)) +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -2333,6 +2333,9 @@ int kvm_set_msr_common(struct kvm_vcpu * + return 1; + vcpu->arch.smbase = data; + break; ++ case MSR_IA32_TSC: ++ kvm_write_tsc(vcpu, msr_info); ++ break; + case MSR_SMI_COUNT: + if (!msr_info->host_initiated) + return 1; +@@ -2572,6 +2575,9 @@ int kvm_get_msr_common(struct kvm_vcpu * + case MSR_IA32_UCODE_REV: + msr_info->data = vcpu->arch.microcode_version; + break; ++ case MSR_IA32_TSC: ++ msr_info->data = kvm_scale_tsc(vcpu, rdtsc()) + vcpu->arch.tsc_offset; ++ break; + case MSR_MTRRcap: + case 0x200 ... 0x2ff: + return kvm_mtrr_get_msr(vcpu, msr_info->index, &msr_info->data); diff --git a/queue-4.16/lan78xx-phy-dsp-registers-initialization-to-address-eee-link-drop-issues-with-long-cables.patch b/queue-4.16/lan78xx-phy-dsp-registers-initialization-to-address-eee-link-drop-issues-with-long-cables.patch new file mode 100644 index 00000000000..7796ead35c3 --- /dev/null +++ b/queue-4.16/lan78xx-phy-dsp-registers-initialization-to-address-eee-link-drop-issues-with-long-cables.patch @@ -0,0 +1,259 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Raghuram Chary J +Date: Wed, 11 Apr 2018 20:36:36 +0530 +Subject: lan78xx: PHY DSP registers initialization to address EEE link drop issues with long cables + +From: Raghuram Chary J + +[ Upstream commit 1c2734b31d72316e3faaad88c0c9c46fa92a4b20 ] + +The patch is to configure DSP registers of PHY device +to handle Gbe-EEE failures with >40m cable length. + +Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver") +Signed-off-by: Raghuram Chary J +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/microchip.c | 178 ++++++++++++++++++++++++++++++++++++++++++- + include/linux/microchipphy.h | 8 + + 2 files changed, 185 insertions(+), 1 deletion(-) + +--- a/drivers/net/phy/microchip.c ++++ b/drivers/net/phy/microchip.c +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include + + #define DRIVER_AUTHOR "WOOJUNG HUH " + #define DRIVER_DESC "Microchip LAN88XX PHY driver" +@@ -30,6 +31,16 @@ struct lan88xx_priv { + __u32 wolopts; + }; + ++static int lan88xx_read_page(struct phy_device *phydev) ++{ ++ return __phy_read(phydev, LAN88XX_EXT_PAGE_ACCESS); ++} ++ ++static int lan88xx_write_page(struct phy_device *phydev, int page) ++{ ++ return __phy_write(phydev, LAN88XX_EXT_PAGE_ACCESS, page); ++} ++ + static int lan88xx_phy_config_intr(struct phy_device *phydev) + { + int rc; +@@ -66,6 +77,150 @@ static int lan88xx_suspend(struct phy_de + return 0; + } + ++static int lan88xx_TR_reg_set(struct phy_device *phydev, u16 regaddr, ++ u32 data) ++{ ++ int val, save_page, ret = 0; ++ u16 buf; ++ ++ /* Save current page */ ++ save_page = phy_save_page(phydev); ++ if (save_page < 0) { ++ pr_warn("Failed to get current page\n"); ++ goto err; ++ } ++ ++ /* Switch to TR page */ ++ lan88xx_write_page(phydev, LAN88XX_EXT_PAGE_ACCESS_TR); ++ ++ ret = __phy_write(phydev, LAN88XX_EXT_PAGE_TR_LOW_DATA, ++ (data & 0xFFFF)); ++ if (ret < 0) { ++ pr_warn("Failed to write TR low data\n"); ++ goto err; ++ } ++ ++ ret = __phy_write(phydev, LAN88XX_EXT_PAGE_TR_HIGH_DATA, ++ (data & 0x00FF0000) >> 16); ++ if (ret < 0) { ++ pr_warn("Failed to write TR high data\n"); ++ goto err; ++ } ++ ++ /* Config control bits [15:13] of register */ ++ buf = (regaddr & ~(0x3 << 13));/* Clr [14:13] to write data in reg */ ++ buf |= 0x8000; /* Set [15] to Packet transmit */ ++ ++ ret = __phy_write(phydev, LAN88XX_EXT_PAGE_TR_CR, buf); ++ if (ret < 0) { ++ pr_warn("Failed to write data in reg\n"); ++ goto err; ++ } ++ ++ usleep_range(1000, 2000);/* Wait for Data to be written */ ++ val = __phy_read(phydev, LAN88XX_EXT_PAGE_TR_CR); ++ if (!(val & 0x8000)) ++ pr_warn("TR Register[0x%X] configuration failed\n", regaddr); ++err: ++ return phy_restore_page(phydev, save_page, ret); ++} ++ ++static void lan88xx_config_TR_regs(struct phy_device *phydev) ++{ ++ int err; ++ ++ /* Get access to Channel 0x1, Node 0xF , Register 0x01. ++ * Write 24-bit value 0x12B00A to register. Setting MrvlTrFix1000Kf, ++ * MrvlTrFix1000Kp, MasterEnableTR bits. ++ */ ++ err = lan88xx_TR_reg_set(phydev, 0x0F82, 0x12B00A); ++ if (err < 0) ++ pr_warn("Failed to Set Register[0x0F82]\n"); ++ ++ /* Get access to Channel b'10, Node b'1101, Register 0x06. ++ * Write 24-bit value 0xD2C46F to register. Setting SSTrKf1000Slv, ++ * SSTrKp1000Mas bits. ++ */ ++ err = lan88xx_TR_reg_set(phydev, 0x168C, 0xD2C46F); ++ if (err < 0) ++ pr_warn("Failed to Set Register[0x168C]\n"); ++ ++ /* Get access to Channel b'10, Node b'1111, Register 0x11. ++ * Write 24-bit value 0x620 to register. Setting rem_upd_done_thresh ++ * bits ++ */ ++ err = lan88xx_TR_reg_set(phydev, 0x17A2, 0x620); ++ if (err < 0) ++ pr_warn("Failed to Set Register[0x17A2]\n"); ++ ++ /* Get access to Channel b'10, Node b'1101, Register 0x10. ++ * Write 24-bit value 0xEEFFDD to register. Setting ++ * eee_TrKp1Long_1000, eee_TrKp2Long_1000, eee_TrKp3Long_1000, ++ * eee_TrKp1Short_1000,eee_TrKp2Short_1000, eee_TrKp3Short_1000 bits. ++ */ ++ err = lan88xx_TR_reg_set(phydev, 0x16A0, 0xEEFFDD); ++ if (err < 0) ++ pr_warn("Failed to Set Register[0x16A0]\n"); ++ ++ /* Get access to Channel b'10, Node b'1101, Register 0x13. ++ * Write 24-bit value 0x071448 to register. Setting ++ * slv_lpi_tr_tmr_val1, slv_lpi_tr_tmr_val2 bits. ++ */ ++ err = lan88xx_TR_reg_set(phydev, 0x16A6, 0x071448); ++ if (err < 0) ++ pr_warn("Failed to Set Register[0x16A6]\n"); ++ ++ /* Get access to Channel b'10, Node b'1101, Register 0x12. ++ * Write 24-bit value 0x13132F to register. Setting ++ * slv_sigdet_timer_val1, slv_sigdet_timer_val2 bits. ++ */ ++ err = lan88xx_TR_reg_set(phydev, 0x16A4, 0x13132F); ++ if (err < 0) ++ pr_warn("Failed to Set Register[0x16A4]\n"); ++ ++ /* Get access to Channel b'10, Node b'1101, Register 0x14. ++ * Write 24-bit value 0x0 to register. Setting eee_3level_delay, ++ * eee_TrKf_freeze_delay bits. ++ */ ++ err = lan88xx_TR_reg_set(phydev, 0x16A8, 0x0); ++ if (err < 0) ++ pr_warn("Failed to Set Register[0x16A8]\n"); ++ ++ /* Get access to Channel b'01, Node b'1111, Register 0x34. ++ * Write 24-bit value 0x91B06C to register. Setting ++ * FastMseSearchThreshLong1000, FastMseSearchThreshShort1000, ++ * FastMseSearchUpdGain1000 bits. ++ */ ++ err = lan88xx_TR_reg_set(phydev, 0x0FE8, 0x91B06C); ++ if (err < 0) ++ pr_warn("Failed to Set Register[0x0FE8]\n"); ++ ++ /* Get access to Channel b'01, Node b'1111, Register 0x3E. ++ * Write 24-bit value 0xC0A028 to register. Setting ++ * FastMseKp2ThreshLong1000, FastMseKp2ThreshShort1000, ++ * FastMseKp2UpdGain1000, FastMseKp2ExitEn1000 bits. ++ */ ++ err = lan88xx_TR_reg_set(phydev, 0x0FFC, 0xC0A028); ++ if (err < 0) ++ pr_warn("Failed to Set Register[0x0FFC]\n"); ++ ++ /* Get access to Channel b'01, Node b'1111, Register 0x35. ++ * Write 24-bit value 0x041600 to register. Setting ++ * FastMseSearchPhShNum1000, FastMseSearchClksPerPh1000, ++ * FastMsePhChangeDelay1000 bits. ++ */ ++ err = lan88xx_TR_reg_set(phydev, 0x0FEA, 0x041600); ++ if (err < 0) ++ pr_warn("Failed to Set Register[0x0FEA]\n"); ++ ++ /* Get access to Channel b'10, Node b'1101, Register 0x03. ++ * Write 24-bit value 0x000004 to register. Setting TrFreeze bits. ++ */ ++ err = lan88xx_TR_reg_set(phydev, 0x1686, 0x000004); ++ if (err < 0) ++ pr_warn("Failed to Set Register[0x1686]\n"); ++} ++ + static int lan88xx_probe(struct phy_device *phydev) + { + struct device *dev = &phydev->mdio.dev; +@@ -132,6 +287,25 @@ static void lan88xx_set_mdix(struct phy_ + phy_write(phydev, LAN88XX_EXT_PAGE_ACCESS, LAN88XX_EXT_PAGE_SPACE_0); + } + ++static int lan88xx_config_init(struct phy_device *phydev) ++{ ++ int val; ++ ++ genphy_config_init(phydev); ++ /*Zerodetect delay enable */ ++ val = phy_read_mmd(phydev, MDIO_MMD_PCS, ++ PHY_ARDENNES_MMD_DEV_3_PHY_CFG); ++ val |= PHY_ARDENNES_MMD_DEV_3_PHY_CFG_ZD_DLY_EN_; ++ ++ phy_write_mmd(phydev, MDIO_MMD_PCS, PHY_ARDENNES_MMD_DEV_3_PHY_CFG, ++ val); ++ ++ /* Config DSP registers */ ++ lan88xx_config_TR_regs(phydev); ++ ++ return 0; ++} ++ + static int lan88xx_config_aneg(struct phy_device *phydev) + { + lan88xx_set_mdix(phydev); +@@ -151,7 +325,7 @@ static struct phy_driver microchip_phy_d + .probe = lan88xx_probe, + .remove = lan88xx_remove, + +- .config_init = genphy_config_init, ++ .config_init = lan88xx_config_init, + .config_aneg = lan88xx_config_aneg, + + .ack_interrupt = lan88xx_phy_ack_interrupt, +@@ -160,6 +334,8 @@ static struct phy_driver microchip_phy_d + .suspend = lan88xx_suspend, + .resume = genphy_resume, + .set_wol = lan88xx_set_wol, ++ .read_page = lan88xx_read_page, ++ .write_page = lan88xx_write_page, + } }; + + module_phy_driver(microchip_phy_driver); +--- a/include/linux/microchipphy.h ++++ b/include/linux/microchipphy.h +@@ -70,4 +70,12 @@ + #define LAN88XX_MMD3_CHIP_ID (32877) + #define LAN88XX_MMD3_CHIP_REV (32878) + ++/* DSP registers */ ++#define PHY_ARDENNES_MMD_DEV_3_PHY_CFG (0x806A) ++#define PHY_ARDENNES_MMD_DEV_3_PHY_CFG_ZD_DLY_EN_ (0x2000) ++#define LAN88XX_EXT_PAGE_ACCESS_TR (0x52B5) ++#define LAN88XX_EXT_PAGE_TR_CR 16 ++#define LAN88XX_EXT_PAGE_TR_LOW_DATA 17 ++#define LAN88XX_EXT_PAGE_TR_HIGH_DATA 18 ++ + #endif /* _MICROCHIPPHY_H */ diff --git a/queue-4.16/lib-find_bit_benchmark.c-avoid-soft-lockup-in-test_find_first_bit.patch b/queue-4.16/lib-find_bit_benchmark.c-avoid-soft-lockup-in-test_find_first_bit.patch new file mode 100644 index 00000000000..3aaf71baa42 --- /dev/null +++ b/queue-4.16/lib-find_bit_benchmark.c-avoid-soft-lockup-in-test_find_first_bit.patch @@ -0,0 +1,45 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Yury Norov +Date: Fri, 11 May 2018 16:01:39 -0700 +Subject: lib/find_bit_benchmark.c: avoid soft lockup in test_find_first_bit() + +From: Yury Norov + +[ Upstream commit 4ba281d5bd9907355e6b79fb72049c9ed50cc670 ] + +test_find_first_bit() is intentionally sub-optimal, and may cause soft +lockup due to long time of run on some systems. So decrease length of +bitmap to traverse to avoid lockup. + +With the change below, time of test execution doesn't exceed 0.2 seconds +on my testing system. + +Link: http://lkml.kernel.org/r/20180420171949.15710-1-ynorov@caviumnetworks.com +Fixes: 4441fca0a27f5 ("lib: test module for find_*_bit() functions") +Signed-off-by: Yury Norov +Reviewed-by: Andrew Morton +Reported-by: Fengguang Wu +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + lib/find_bit_benchmark.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/lib/find_bit_benchmark.c ++++ b/lib/find_bit_benchmark.c +@@ -132,7 +132,12 @@ static int __init find_bit_test(void) + test_find_next_bit(bitmap, BITMAP_LEN); + test_find_next_zero_bit(bitmap, BITMAP_LEN); + test_find_last_bit(bitmap, BITMAP_LEN); +- test_find_first_bit(bitmap, BITMAP_LEN); ++ ++ /* ++ * test_find_first_bit() may take some time, so ++ * traverse only part of bitmap to avoid soft lockup. ++ */ ++ test_find_first_bit(bitmap, BITMAP_LEN / 10); + test_find_next_and_bit(bitmap, bitmap2, BITMAP_LEN); + + pr_err("\nStart testing find_bit() with sparse bitmap\n"); diff --git a/queue-4.16/libahci-allow-drivers-to-override-stop_engine.patch b/queue-4.16/libahci-allow-drivers-to-override-stop_engine.patch new file mode 100644 index 00000000000..132784277cb --- /dev/null +++ b/queue-4.16/libahci-allow-drivers-to-override-stop_engine.patch @@ -0,0 +1,217 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Evan Wang +Date: Fri, 13 Apr 2018 12:32:30 +0800 +Subject: libahci: Allow drivers to override stop_engine + +From: Evan Wang + +[ Upstream commit fa89f53bd7288d6aa7a982841119e7123faf5a53 ] + +Marvell armada37xx, armada7k and armada8k share the same +AHCI sata controller IP, and currently there is an issue +(Errata Ref#226)that the SATA can not be detected via SATA +Port-MultiPlayer(PMP). After debugging, the reason is +found that the value of Port-x FIS-based Switching Control +(PxFBS@0x40) became wrong. +According to design, the bits[11:8, 0] of register PxFBS +are cleared when Port Command and Status (0x18) bit[0] +changes its value from 1 to 0, i.e. falling edge of Port +Command and Status bit[0] sends PULSE that resets PxFBS +bits[11:8; 0]. +So it needs save the port PxFBS register before PxCMD +ST write and restore the port PxFBS register afterwards +in ahci_stop_engine(). + +This commit allows drivers to override ahci_stop_engine +behavior for use by the Marvell AHCI driver(and potentially +other drivers in the future). + +Signed-off-by: Evan Wang +Cc: Ofer Heifetz +Cc: Tejun Heo +Cc: Thomas Petazzoni +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/ahci.c | 6 +++--- + drivers/ata/ahci.h | 7 +++++++ + drivers/ata/ahci_qoriq.c | 2 +- + drivers/ata/ahci_xgene.c | 4 ++-- + drivers/ata/libahci.c | 20 ++++++++++++-------- + drivers/ata/sata_highbank.c | 2 +- + 6 files changed, 26 insertions(+), 15 deletions(-) + +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -699,7 +699,7 @@ static int ahci_vt8251_hardreset(struct + + DPRINTK("ENTER\n"); + +- ahci_stop_engine(ap); ++ hpriv->stop_engine(ap); + + rc = sata_link_hardreset(link, sata_ehc_deb_timing(&link->eh_context), + deadline, &online, NULL); +@@ -725,7 +725,7 @@ static int ahci_p5wdh_hardreset(struct a + bool online; + int rc; + +- ahci_stop_engine(ap); ++ hpriv->stop_engine(ap); + + /* clear D2H reception area to properly wait for D2H FIS */ + ata_tf_init(link->device, &tf); +@@ -789,7 +789,7 @@ static int ahci_avn_hardreset(struct ata + + DPRINTK("ENTER\n"); + +- ahci_stop_engine(ap); ++ hpriv->stop_engine(ap); + + for (i = 0; i < 2; i++) { + u16 val; +--- a/drivers/ata/ahci.h ++++ b/drivers/ata/ahci.h +@@ -365,6 +365,13 @@ struct ahci_host_priv { + * be overridden anytime before the host is activated. + */ + void (*start_engine)(struct ata_port *ap); ++ /* ++ * Optional ahci_stop_engine override, if not set this gets set to the ++ * default ahci_stop_engine during ahci_save_initial_config, this can ++ * be overridden anytime before the host is activated. ++ */ ++ int (*stop_engine)(struct ata_port *ap); ++ + irqreturn_t (*irq_handler)(int irq, void *dev_instance); + + /* only required for per-port MSI(-X) support */ +--- a/drivers/ata/ahci_qoriq.c ++++ b/drivers/ata/ahci_qoriq.c +@@ -96,7 +96,7 @@ static int ahci_qoriq_hardreset(struct a + + DPRINTK("ENTER\n"); + +- ahci_stop_engine(ap); ++ hpriv->stop_engine(ap); + + /* + * There is a errata on ls1021a Rev1.0 and Rev2.0 which is: +--- a/drivers/ata/ahci_xgene.c ++++ b/drivers/ata/ahci_xgene.c +@@ -165,7 +165,7 @@ static int xgene_ahci_restart_engine(str + PORT_CMD_ISSUE, 0x0, 1, 100)) + return -EBUSY; + +- ahci_stop_engine(ap); ++ hpriv->stop_engine(ap); + ahci_start_fis_rx(ap); + + /* +@@ -421,7 +421,7 @@ static int xgene_ahci_hardreset(struct a + portrxfis_saved = readl(port_mmio + PORT_FIS_ADDR); + portrxfishi_saved = readl(port_mmio + PORT_FIS_ADDR_HI); + +- ahci_stop_engine(ap); ++ hpriv->stop_engine(ap); + + rc = xgene_ahci_do_hardreset(link, deadline, &online); + +--- a/drivers/ata/libahci.c ++++ b/drivers/ata/libahci.c +@@ -560,6 +560,9 @@ void ahci_save_initial_config(struct dev + if (!hpriv->start_engine) + hpriv->start_engine = ahci_start_engine; + ++ if (!hpriv->stop_engine) ++ hpriv->stop_engine = ahci_stop_engine; ++ + if (!hpriv->irq_handler) + hpriv->irq_handler = ahci_single_level_irq_intr; + } +@@ -897,9 +900,10 @@ static void ahci_start_port(struct ata_p + static int ahci_deinit_port(struct ata_port *ap, const char **emsg) + { + int rc; ++ struct ahci_host_priv *hpriv = ap->host->private_data; + + /* disable DMA */ +- rc = ahci_stop_engine(ap); ++ rc = hpriv->stop_engine(ap); + if (rc) { + *emsg = "failed to stop engine"; + return rc; +@@ -1310,7 +1314,7 @@ int ahci_kick_engine(struct ata_port *ap + int busy, rc; + + /* stop engine */ +- rc = ahci_stop_engine(ap); ++ rc = hpriv->stop_engine(ap); + if (rc) + goto out_restart; + +@@ -1549,7 +1553,7 @@ int ahci_do_hardreset(struct ata_link *l + + DPRINTK("ENTER\n"); + +- ahci_stop_engine(ap); ++ hpriv->stop_engine(ap); + + /* clear D2H reception area to properly wait for D2H FIS */ + ata_tf_init(link->device, &tf); +@@ -2075,14 +2079,14 @@ void ahci_error_handler(struct ata_port + + if (!(ap->pflags & ATA_PFLAG_FROZEN)) { + /* restart engine */ +- ahci_stop_engine(ap); ++ hpriv->stop_engine(ap); + hpriv->start_engine(ap); + } + + sata_pmp_error_handler(ap); + + if (!ata_dev_enabled(ap->link.device)) +- ahci_stop_engine(ap); ++ hpriv->stop_engine(ap); + } + EXPORT_SYMBOL_GPL(ahci_error_handler); + +@@ -2129,7 +2133,7 @@ static void ahci_set_aggressive_devslp(s + return; + + /* set DITO, MDAT, DETO and enable DevSlp, need to stop engine first */ +- rc = ahci_stop_engine(ap); ++ rc = hpriv->stop_engine(ap); + if (rc) + return; + +@@ -2189,7 +2193,7 @@ static void ahci_enable_fbs(struct ata_p + return; + } + +- rc = ahci_stop_engine(ap); ++ rc = hpriv->stop_engine(ap); + if (rc) + return; + +@@ -2222,7 +2226,7 @@ static void ahci_disable_fbs(struct ata_ + return; + } + +- rc = ahci_stop_engine(ap); ++ rc = hpriv->stop_engine(ap); + if (rc) + return; + +--- a/drivers/ata/sata_highbank.c ++++ b/drivers/ata/sata_highbank.c +@@ -410,7 +410,7 @@ static int ahci_highbank_hardreset(struc + int rc; + int retry = 100; + +- ahci_stop_engine(ap); ++ hpriv->stop_engine(ap); + + /* clear D2H reception area to properly wait for D2H FIS */ + ata_tf_init(link->device, &tf); diff --git a/queue-4.16/linux-stringhash.h-fix-end_name_hash-for-64bit-long.patch b/queue-4.16/linux-stringhash.h-fix-end_name_hash-for-64bit-long.patch new file mode 100644 index 00000000000..04b38d194a9 --- /dev/null +++ b/queue-4.16/linux-stringhash.h-fix-end_name_hash-for-64bit-long.patch @@ -0,0 +1,70 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Amir Goldstein +Date: Mon, 5 Feb 2018 19:32:18 +0200 +Subject: : fix end_name_hash() for 64bit long + +From: Amir Goldstein + +[ Upstream commit 19b9ad67310ed2f685062a00aec602bec33835f0 ] + +The comment claims that this helper will try not to loose bits, but for +64bit long it looses the high bits before hashing 64bit long into 32bit +int. Use the helper hash_long() to do the right thing for 64bit long. +For 32bit long, there is no change. + +All the callers of end_name_hash() either assign the result to +qstr->hash, which is u32 or return the result as an int value (e.g. +full_name_hash()). Change the helper return type to int to conform to +its users. + +[ It took me a while to apply this, because my initial reaction to it + was - incorrectly - that it could make for slower code. + + After having looked more at it, I take back all my complaints about + the patch, Amir was right and I was mis-reading things or just being + stupid. + + I also don't worry too much about the possible performance impact of + this on 64-bit, since most architectures that actually care about + performance end up not using this very much (the dcache code is the + most performance-critical, but the word-at-a-time case uses its own + hashing anyway). + + So this ends up being mostly used for filesystems that do their own + degraded hashing (usually because they want a case-insensitive + comparison function). + + A _tiny_ worry remains, in that not everybody uses DCACHE_WORD_ACCESS, + and then this potentially makes things more expensive on 64-bit + architectures with slow or lacking multipliers even for the normal + case. + + That said, realistically the only such architecture I can think of is + PA-RISC. Nobody really cares about performance on that, it's more of a + "look ma, I've got warts^W an odd machine" platform. + + So the patch is fine, and all my initial worries were just misplaced + from not looking at this properly. - Linus ] + +Signed-off-by: Amir Goldstein +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/stringhash.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/include/linux/stringhash.h ++++ b/include/linux/stringhash.h +@@ -50,9 +50,9 @@ partial_name_hash(unsigned long c, unsig + * losing bits). This also has the property (wanted by the dcache) + * that the msbits make a good hash table index. + */ +-static inline unsigned long end_name_hash(unsigned long hash) ++static inline unsigned int end_name_hash(unsigned long hash) + { +- return __hash_32((unsigned int)hash); ++ return hash_long(hash, 32); + } + + /* diff --git a/queue-4.16/livepatch-allow-to-call-a-custom-callback-when-freeing-shadow-variables.patch b/queue-4.16/livepatch-allow-to-call-a-custom-callback-when-freeing-shadow-variables.patch new file mode 100644 index 00000000000..abf290e103e --- /dev/null +++ b/queue-4.16/livepatch-allow-to-call-a-custom-callback-when-freeing-shadow-variables.patch @@ -0,0 +1,274 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Petr Mladek +Date: Mon, 16 Apr 2018 13:36:47 +0200 +Subject: livepatch: Allow to call a custom callback when freeing shadow variables + +From: Petr Mladek + +[ Upstream commit 3b2c77d000fe9f7d02e9e726e00dccf9f92b256f ] + +We might need to do some actions before the shadow variable is freed. +For example, we might need to remove it from a list or free some data +that it points to. + +This is already possible now. The user can get the shadow variable +by klp_shadow_get(), do the necessary actions, and then call +klp_shadow_free(). + +This patch allows to do it a more elegant way. The user could implement +the needed actions in a callback that is passed to klp_shadow_free() +as a parameter. The callback usually does reverse operations to +the constructor callback that can be called by klp_shadow_*alloc(). + +It is especially useful for klp_shadow_free_all(). There we need to do +these extra actions for each found shadow variable with the given ID. + +Note that the memory used by the shadow variable itself is still released +later by rcu callback. It is needed to protect internal structures that +keep all shadow variables. But the destructor is called immediately. +The shadow variable must not be access anyway after klp_shadow_free() +is called. The user is responsible to protect this any suitable way. + +Be aware that the destructor is called under klp_shadow_lock. It is +the same as for the contructor in klp_shadow_alloc(). + +Signed-off-by: Petr Mladek +Acked-by: Josh Poimboeuf +Acked-by: Miroslav Benes +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/livepatch/shadow-vars.txt | 10 +++++++--- + include/linux/livepatch.h | 5 +++-- + kernel/livepatch/shadow.c | 26 ++++++++++++++++++-------- + samples/livepatch/livepatch-shadow-fix1.c | 25 +++++++++++++++---------- + samples/livepatch/livepatch-shadow-fix2.c | 27 ++++++++++++++++----------- + 5 files changed, 59 insertions(+), 34 deletions(-) + +--- a/Documentation/livepatch/shadow-vars.txt ++++ b/Documentation/livepatch/shadow-vars.txt +@@ -65,11 +65,15 @@ to do actions that can be done only once + + * klp_shadow_free() - detach and free a shadow variable + - find and remove a reference from global hashtable +- - if found, free shadow variable ++ - if found ++ - call destructor function if defined ++ - free shadow variable + + * klp_shadow_free_all() - detach and free all <*, id> shadow variables + - find and remove any <*, id> references from global hashtable +- - if found, free shadow variable ++ - if found ++ - call destructor function if defined ++ - free shadow variable + + + 2. Use cases +@@ -136,7 +140,7 @@ variable: + + void sta_info_free(struct ieee80211_local *local, struct sta_info *sta) + { +- klp_shadow_free(sta, PS_LOCK); ++ klp_shadow_free(sta, PS_LOCK, NULL); + kfree(sta); + ... + +--- a/include/linux/livepatch.h ++++ b/include/linux/livepatch.h +@@ -189,6 +189,7 @@ static inline bool klp_have_reliable_sta + typedef int (*klp_shadow_ctor_t)(void *obj, + void *shadow_data, + void *ctor_data); ++typedef void (*klp_shadow_dtor_t)(void *obj, void *shadow_data); + + void *klp_shadow_get(void *obj, unsigned long id); + void *klp_shadow_alloc(void *obj, unsigned long id, +@@ -197,8 +198,8 @@ void *klp_shadow_alloc(void *obj, unsign + void *klp_shadow_get_or_alloc(void *obj, unsigned long id, + size_t size, gfp_t gfp_flags, + klp_shadow_ctor_t ctor, void *ctor_data); +-void klp_shadow_free(void *obj, unsigned long id); +-void klp_shadow_free_all(unsigned long id); ++void klp_shadow_free(void *obj, unsigned long id, klp_shadow_dtor_t dtor); ++void klp_shadow_free_all(unsigned long id, klp_shadow_dtor_t dtor); + + #else /* !CONFIG_LIVEPATCH */ + +--- a/kernel/livepatch/shadow.c ++++ b/kernel/livepatch/shadow.c +@@ -243,15 +243,26 @@ void *klp_shadow_get_or_alloc(void *obj, + } + EXPORT_SYMBOL_GPL(klp_shadow_get_or_alloc); + ++static void klp_shadow_free_struct(struct klp_shadow *shadow, ++ klp_shadow_dtor_t dtor) ++{ ++ hash_del_rcu(&shadow->node); ++ if (dtor) ++ dtor(shadow->obj, shadow->data); ++ kfree_rcu(shadow, rcu_head); ++} ++ + /** + * klp_shadow_free() - detach and free a shadow variable + * @obj: pointer to parent object + * @id: data identifier ++ * @dtor: custom callback that can be used to unregister the variable ++ * and/or free data that the shadow variable points to (optional) + * + * This function releases the memory for this shadow variable + * instance, callers should stop referencing it accordingly. + */ +-void klp_shadow_free(void *obj, unsigned long id) ++void klp_shadow_free(void *obj, unsigned long id, klp_shadow_dtor_t dtor) + { + struct klp_shadow *shadow; + unsigned long flags; +@@ -263,8 +274,7 @@ void klp_shadow_free(void *obj, unsigned + (unsigned long)obj) { + + if (klp_shadow_match(shadow, obj, id)) { +- hash_del_rcu(&shadow->node); +- kfree_rcu(shadow, rcu_head); ++ klp_shadow_free_struct(shadow, dtor); + break; + } + } +@@ -276,11 +286,13 @@ EXPORT_SYMBOL_GPL(klp_shadow_free); + /** + * klp_shadow_free_all() - detach and free all <*, id> shadow variables + * @id: data identifier ++ * @dtor: custom callback that can be used to unregister the variable ++ * and/or free data that the shadow variable points to (optional) + * + * This function releases the memory for all <*, id> shadow variable + * instances, callers should stop referencing them accordingly. + */ +-void klp_shadow_free_all(unsigned long id) ++void klp_shadow_free_all(unsigned long id, klp_shadow_dtor_t dtor) + { + struct klp_shadow *shadow; + unsigned long flags; +@@ -290,10 +302,8 @@ void klp_shadow_free_all(unsigned long i + + /* Delete all <*, id> from hash */ + hash_for_each(klp_shadow_hash, i, shadow, node) { +- if (klp_shadow_match(shadow, shadow->obj, id)) { +- hash_del_rcu(&shadow->node); +- kfree_rcu(shadow, rcu_head); +- } ++ if (klp_shadow_match(shadow, shadow->obj, id)) ++ klp_shadow_free_struct(shadow, dtor); + } + + spin_unlock_irqrestore(&klp_shadow_lock, flags); +--- a/samples/livepatch/livepatch-shadow-fix1.c ++++ b/samples/livepatch/livepatch-shadow-fix1.c +@@ -98,9 +98,19 @@ struct dummy *livepatch_fix1_dummy_alloc + return d; + } + ++static void livepatch_fix1_dummy_leak_dtor(void *obj, void *shadow_data) ++{ ++ void *d = obj; ++ void **shadow_leak = shadow_data; ++ ++ kfree(*shadow_leak); ++ pr_info("%s: dummy @ %p, prevented leak @ %p\n", ++ __func__, d, *shadow_leak); ++} ++ + void livepatch_fix1_dummy_free(struct dummy *d) + { +- void **shadow_leak, *leak; ++ void **shadow_leak; + + /* + * Patch: fetch the saved SV_LEAK shadow variable, detach and +@@ -109,15 +119,10 @@ void livepatch_fix1_dummy_free(struct du + * was loaded.) + */ + shadow_leak = klp_shadow_get(d, SV_LEAK); +- if (shadow_leak) { +- leak = *shadow_leak; +- klp_shadow_free(d, SV_LEAK); +- kfree(leak); +- pr_info("%s: dummy @ %p, prevented leak @ %p\n", +- __func__, d, leak); +- } else { ++ if (shadow_leak) ++ klp_shadow_free(d, SV_LEAK, livepatch_fix1_dummy_leak_dtor); ++ else + pr_info("%s: dummy @ %p leaked!\n", __func__, d); +- } + + kfree(d); + } +@@ -163,7 +168,7 @@ static int livepatch_shadow_fix1_init(vo + static void livepatch_shadow_fix1_exit(void) + { + /* Cleanup any existing SV_LEAK shadow variables */ +- klp_shadow_free_all(SV_LEAK); ++ klp_shadow_free_all(SV_LEAK, livepatch_fix1_dummy_leak_dtor); + + WARN_ON(klp_unregister_patch(&patch)); + } +--- a/samples/livepatch/livepatch-shadow-fix2.c ++++ b/samples/livepatch/livepatch-shadow-fix2.c +@@ -68,22 +68,27 @@ bool livepatch_fix2_dummy_check(struct d + return time_after(jiffies, d->jiffies_expire); + } + ++static void livepatch_fix2_dummy_leak_dtor(void *obj, void *shadow_data) ++{ ++ void *d = obj; ++ void **shadow_leak = shadow_data; ++ ++ kfree(*shadow_leak); ++ pr_info("%s: dummy @ %p, prevented leak @ %p\n", ++ __func__, d, *shadow_leak); ++} ++ + void livepatch_fix2_dummy_free(struct dummy *d) + { +- void **shadow_leak, *leak; ++ void **shadow_leak; + int *shadow_count; + + /* Patch: copy the memory leak patch from the fix1 module. */ + shadow_leak = klp_shadow_get(d, SV_LEAK); +- if (shadow_leak) { +- leak = *shadow_leak; +- klp_shadow_free(d, SV_LEAK); +- kfree(leak); +- pr_info("%s: dummy @ %p, prevented leak @ %p\n", +- __func__, d, leak); +- } else { ++ if (shadow_leak) ++ klp_shadow_free(d, SV_LEAK, livepatch_fix2_dummy_leak_dtor); ++ else + pr_info("%s: dummy @ %p leaked!\n", __func__, d); +- } + + /* + * Patch: fetch the SV_COUNTER shadow variable and display +@@ -93,7 +98,7 @@ void livepatch_fix2_dummy_free(struct du + if (shadow_count) { + pr_info("%s: dummy @ %p, check counter = %d\n", + __func__, d, *shadow_count); +- klp_shadow_free(d, SV_COUNTER); ++ klp_shadow_free(d, SV_COUNTER, NULL); + } + + kfree(d); +@@ -140,7 +145,7 @@ static int livepatch_shadow_fix2_init(vo + static void livepatch_shadow_fix2_exit(void) + { + /* Cleanup any existing SV_COUNTER shadow variables */ +- klp_shadow_free_all(SV_COUNTER); ++ klp_shadow_free_all(SV_COUNTER, NULL); + + WARN_ON(klp_unregister_patch(&patch)); + } diff --git a/queue-4.16/livepatch-initialize-shadow-variables-safely-by-a-custom-callback.patch b/queue-4.16/livepatch-initialize-shadow-variables-safely-by-a-custom-callback.patch new file mode 100644 index 00000000000..33e559305cc --- /dev/null +++ b/queue-4.16/livepatch-initialize-shadow-variables-safely-by-a-custom-callback.patch @@ -0,0 +1,350 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Petr Mladek +Date: Mon, 16 Apr 2018 13:36:46 +0200 +Subject: livepatch: Initialize shadow variables safely by a custom callback + +From: Petr Mladek + +[ Upstream commit e91c2518a5d22a07642f35d85f39001ad379dae4 ] + +The existing API allows to pass a sample data to initialize the shadow +data. It works well when the data are position independent. But it fails +miserably when we need to set a pointer to the shadow structure itself. + +Unfortunately, we might need to initialize the pointer surprisingly +often because of struct list_head. It is even worse because the list +might be hidden in other common structures, for example, struct mutex, +struct wait_queue_head. + +For example, this was needed to fix races in ALSA sequencer. It required +to add mutex into struct snd_seq_client. See commit b3defb791b26ea06 +("ALSA: seq: Make ioctls race-free") and commit d15d662e89fc667b9 +("ALSA: seq: Fix racy pool initializations") + +This patch makes the API more safe. A custom constructor function and data +are passed to klp_shadow_*alloc() functions instead of the sample data. + +Note that ctor_data are no longer a template for shadow->data. It might +point to any data that might be necessary when the constructor is called. + +Also note that the constructor is called under klp_shadow_lock. It is +an internal spin_lock that synchronizes alloc() vs. get() operations, +see klp_shadow_get_or_alloc(). On one hand, this adds a risk of ABBA +deadlocks. On the other hand, it allows to do some operations safely. +For example, we could add the new structure into an existing list. +This must be done only once when the structure is allocated. + +Reported-by: Nicolai Stange +Signed-off-by: Petr Mladek +Acked-by: Josh Poimboeuf +Acked-by: Miroslav Benes +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/livepatch/shadow-vars.txt | 31 +++++++---- + include/linux/livepatch.h | 14 +++-- + kernel/livepatch/shadow.c | 84 +++++++++++++++++++----------- + samples/livepatch/livepatch-shadow-fix1.c | 18 ++++++ + samples/livepatch/livepatch-shadow-fix2.c | 6 -- + 5 files changed, 105 insertions(+), 48 deletions(-) + +--- a/Documentation/livepatch/shadow-vars.txt ++++ b/Documentation/livepatch/shadow-vars.txt +@@ -34,9 +34,13 @@ meta-data and shadow-data: + - data[] - storage for shadow data + + It is important to note that the klp_shadow_alloc() and +-klp_shadow_get_or_alloc() calls, described below, store a *copy* of the +-data that the functions are provided. Callers should provide whatever +-mutual exclusion is required of the shadow data. ++klp_shadow_get_or_alloc() are zeroing the variable by default. ++They also allow to call a custom constructor function when a non-zero ++value is needed. Callers should provide whatever mutual exclusion ++is required. ++ ++Note that the constructor is called under klp_shadow_lock spinlock. It allows ++to do actions that can be done only once when a new variable is allocated. + + * klp_shadow_get() - retrieve a shadow variable data pointer + - search hashtable for pair +@@ -47,7 +51,7 @@ mutual exclusion is required of the shad + - WARN and return NULL + - if doesn't already exist + - allocate a new shadow variable +- - copy data into the new shadow variable ++ - initialize the variable using a custom constructor and data when provided + - add to the global hashtable + + * klp_shadow_get_or_alloc() - get existing or alloc a new shadow variable +@@ -56,7 +60,7 @@ mutual exclusion is required of the shad + - return existing shadow variable + - if doesn't already exist + - allocate a new shadow variable +- - copy data into the new shadow variable ++ - initialize the variable using a custom constructor and data when provided + - add pair to the global hashtable + + * klp_shadow_free() - detach and free a shadow variable +@@ -107,7 +111,8 @@ struct sta_info *sta_info_alloc(struct i + sta = kzalloc(sizeof(*sta) + hw->sta_data_size, gfp); + + /* Attach a corresponding shadow variable, then initialize it */ +- ps_lock = klp_shadow_alloc(sta, PS_LOCK, NULL, sizeof(*ps_lock), gfp); ++ ps_lock = klp_shadow_alloc(sta, PS_LOCK, sizeof(*ps_lock), gfp, ++ NULL, NULL); + if (!ps_lock) + goto shadow_fail; + spin_lock_init(ps_lock); +@@ -148,16 +153,24 @@ shadow variables to parents already in-f + For commit 1d147bfa6429, a good spot to allocate a shadow spinlock is + inside ieee80211_sta_ps_deliver_wakeup(): + ++int ps_lock_shadow_ctor(void *obj, void *shadow_data, void *ctor_data) ++{ ++ spinlock_t *lock = shadow_data; ++ ++ spin_lock_init(lock); ++ return 0; ++} ++ + #define PS_LOCK 1 + void ieee80211_sta_ps_deliver_wakeup(struct sta_info *sta) + { +- DEFINE_SPINLOCK(ps_lock_fallback); + spinlock_t *ps_lock; + + /* sync with ieee80211_tx_h_unicast_ps_buf */ + ps_lock = klp_shadow_get_or_alloc(sta, PS_LOCK, +- &ps_lock_fallback, sizeof(ps_lock_fallback), +- GFP_ATOMIC); ++ sizeof(*ps_lock), GFP_ATOMIC, ++ ps_lock_shadow_ctor, NULL); ++ + if (ps_lock) + spin_lock(ps_lock); + ... +--- a/include/linux/livepatch.h ++++ b/include/linux/livepatch.h +@@ -186,11 +186,17 @@ static inline bool klp_have_reliable_sta + IS_ENABLED(CONFIG_HAVE_RELIABLE_STACKTRACE); + } + ++typedef int (*klp_shadow_ctor_t)(void *obj, ++ void *shadow_data, ++ void *ctor_data); ++ + void *klp_shadow_get(void *obj, unsigned long id); +-void *klp_shadow_alloc(void *obj, unsigned long id, void *data, +- size_t size, gfp_t gfp_flags); +-void *klp_shadow_get_or_alloc(void *obj, unsigned long id, void *data, +- size_t size, gfp_t gfp_flags); ++void *klp_shadow_alloc(void *obj, unsigned long id, ++ size_t size, gfp_t gfp_flags, ++ klp_shadow_ctor_t ctor, void *ctor_data); ++void *klp_shadow_get_or_alloc(void *obj, unsigned long id, ++ size_t size, gfp_t gfp_flags, ++ klp_shadow_ctor_t ctor, void *ctor_data); + void klp_shadow_free(void *obj, unsigned long id); + void klp_shadow_free_all(unsigned long id); + +--- a/kernel/livepatch/shadow.c ++++ b/kernel/livepatch/shadow.c +@@ -113,8 +113,10 @@ void *klp_shadow_get(void *obj, unsigned + } + EXPORT_SYMBOL_GPL(klp_shadow_get); + +-static void *__klp_shadow_get_or_alloc(void *obj, unsigned long id, void *data, +- size_t size, gfp_t gfp_flags, bool warn_on_exist) ++static void *__klp_shadow_get_or_alloc(void *obj, unsigned long id, ++ size_t size, gfp_t gfp_flags, ++ klp_shadow_ctor_t ctor, void *ctor_data, ++ bool warn_on_exist) + { + struct klp_shadow *new_shadow; + void *shadow_data; +@@ -125,18 +127,15 @@ static void *__klp_shadow_get_or_alloc(v + if (shadow_data) + goto exists; + +- /* Allocate a new shadow variable for use inside the lock below */ ++ /* ++ * Allocate a new shadow variable. Fill it with zeroes by default. ++ * More complex setting can be done by @ctor function. But it is ++ * called only when the buffer is really used (under klp_shadow_lock). ++ */ + new_shadow = kzalloc(size + sizeof(*new_shadow), gfp_flags); + if (!new_shadow) + return NULL; + +- new_shadow->obj = obj; +- new_shadow->id = id; +- +- /* Initialize the shadow variable if data provided */ +- if (data) +- memcpy(new_shadow->data, data, size); +- + /* Look for again under the lock */ + spin_lock_irqsave(&klp_shadow_lock, flags); + shadow_data = klp_shadow_get(obj, id); +@@ -150,6 +149,22 @@ static void *__klp_shadow_get_or_alloc(v + goto exists; + } + ++ new_shadow->obj = obj; ++ new_shadow->id = id; ++ ++ if (ctor) { ++ int err; ++ ++ err = ctor(obj, new_shadow->data, ctor_data); ++ if (err) { ++ spin_unlock_irqrestore(&klp_shadow_lock, flags); ++ kfree(new_shadow); ++ pr_err("Failed to construct shadow variable <%p, %lx> (%d)\n", ++ obj, id, err); ++ return NULL; ++ } ++ } ++ + /* No found, so attach the newly allocated one */ + hash_add_rcu(klp_shadow_hash, &new_shadow->node, + (unsigned long)new_shadow->obj); +@@ -170,26 +185,32 @@ exists: + * klp_shadow_alloc() - allocate and add a new shadow variable + * @obj: pointer to parent object + * @id: data identifier +- * @data: pointer to data to attach to parent + * @size: size of attached data + * @gfp_flags: GFP mask for allocation ++ * @ctor: custom constructor to initialize the shadow data (optional) ++ * @ctor_data: pointer to any data needed by @ctor (optional) + * +- * Allocates @size bytes for new shadow variable data using @gfp_flags +- * and copies @size bytes from @data into the new shadow variable's own +- * data space. If @data is NULL, @size bytes are still allocated, but +- * no copy is performed. The new shadow variable is then added to the +- * global hashtable. +- * +- * If an existing shadow variable can be found, this routine +- * will issue a WARN, exit early and return NULL. ++ * Allocates @size bytes for new shadow variable data using @gfp_flags. ++ * The data are zeroed by default. They are further initialized by @ctor ++ * function if it is not NULL. The new shadow variable is then added ++ * to the global hashtable. ++ * ++ * If an existing shadow variable can be found, this routine will ++ * issue a WARN, exit early and return NULL. ++ * ++ * This function guarantees that the constructor function is called only when ++ * the variable did not exist before. The cost is that @ctor is called ++ * in atomic context under a spin lock. + * + * Return: the shadow variable data element, NULL on duplicate or + * failure. + */ +-void *klp_shadow_alloc(void *obj, unsigned long id, void *data, +- size_t size, gfp_t gfp_flags) ++void *klp_shadow_alloc(void *obj, unsigned long id, ++ size_t size, gfp_t gfp_flags, ++ klp_shadow_ctor_t ctor, void *ctor_data) + { +- return __klp_shadow_get_or_alloc(obj, id, data, size, gfp_flags, true); ++ return __klp_shadow_get_or_alloc(obj, id, size, gfp_flags, ++ ctor, ctor_data, true); + } + EXPORT_SYMBOL_GPL(klp_shadow_alloc); + +@@ -197,25 +218,28 @@ EXPORT_SYMBOL_GPL(klp_shadow_alloc); + * klp_shadow_get_or_alloc() - get existing or allocate a new shadow variable + * @obj: pointer to parent object + * @id: data identifier +- * @data: pointer to data to attach to parent + * @size: size of attached data + * @gfp_flags: GFP mask for allocation ++ * @ctor: custom constructor to initialize the shadow data (optional) ++ * @ctor_data: pointer to any data needed by @ctor (optional) + * + * Returns a pointer to existing shadow data if an shadow + * variable is already present. Otherwise, it creates a new shadow + * variable like klp_shadow_alloc(). + * +- * This function guarantees that only one shadow variable exists with +- * the given @id for the given @obj. It also guarantees that the shadow +- * variable will be initialized by the given @data only when it did not +- * exist before. ++ * This function guarantees that only one shadow variable exists with the given ++ * @id for the given @obj. It also guarantees that the constructor function ++ * will be called only when the variable did not exist before. The cost is ++ * that @ctor is called in atomic context under a spin lock. + * + * Return: the shadow variable data element, NULL on failure. + */ +-void *klp_shadow_get_or_alloc(void *obj, unsigned long id, void *data, +- size_t size, gfp_t gfp_flags) ++void *klp_shadow_get_or_alloc(void *obj, unsigned long id, ++ size_t size, gfp_t gfp_flags, ++ klp_shadow_ctor_t ctor, void *ctor_data) + { +- return __klp_shadow_get_or_alloc(obj, id, data, size, gfp_flags, false); ++ return __klp_shadow_get_or_alloc(obj, id, size, gfp_flags, ++ ctor, ctor_data, false); + } + EXPORT_SYMBOL_GPL(klp_shadow_get_or_alloc); + +--- a/samples/livepatch/livepatch-shadow-fix1.c ++++ b/samples/livepatch/livepatch-shadow-fix1.c +@@ -56,6 +56,21 @@ struct dummy { + unsigned long jiffies_expire; + }; + ++/* ++ * The constructor makes more sense together with klp_shadow_get_or_alloc(). ++ * In this example, it would be safe to assign the pointer also to the shadow ++ * variable returned by klp_shadow_alloc(). But we wanted to show the more ++ * complicated use of the API. ++ */ ++static int shadow_leak_ctor(void *obj, void *shadow_data, void *ctor_data) ++{ ++ void **shadow_leak = shadow_data; ++ void *leak = ctor_data; ++ ++ *shadow_leak = leak; ++ return 0; ++} ++ + struct dummy *livepatch_fix1_dummy_alloc(void) + { + struct dummy *d; +@@ -74,7 +89,8 @@ struct dummy *livepatch_fix1_dummy_alloc + * pointer to handle resource release. + */ + leak = kzalloc(sizeof(int), GFP_KERNEL); +- klp_shadow_alloc(d, SV_LEAK, &leak, sizeof(leak), GFP_KERNEL); ++ klp_shadow_alloc(d, SV_LEAK, sizeof(leak), GFP_KERNEL, ++ shadow_leak_ctor, leak); + + pr_info("%s: dummy @ %p, expires @ %lx\n", + __func__, d, d->jiffies_expire); +--- a/samples/livepatch/livepatch-shadow-fix2.c ++++ b/samples/livepatch/livepatch-shadow-fix2.c +@@ -53,17 +53,15 @@ struct dummy { + bool livepatch_fix2_dummy_check(struct dummy *d, unsigned long jiffies) + { + int *shadow_count; +- int count; + + /* + * Patch: handle in-flight dummy structures, if they do not + * already have a SV_COUNTER shadow variable, then attach a + * new one. + */ +- count = 0; + shadow_count = klp_shadow_get_or_alloc(d, SV_COUNTER, +- &count, sizeof(count), +- GFP_NOWAIT); ++ sizeof(*shadow_count), GFP_NOWAIT, ++ NULL, NULL); + if (shadow_count) + *shadow_count += 1; + diff --git a/queue-4.16/locking-percpu-rwsem-annotate-rwsem-ownership-transfer-by-setting-rwsem_owner_unknown.patch b/queue-4.16/locking-percpu-rwsem-annotate-rwsem-ownership-transfer-by-setting-rwsem_owner_unknown.patch new file mode 100644 index 00000000000..b930d32c07f --- /dev/null +++ b/queue-4.16/locking-percpu-rwsem-annotate-rwsem-ownership-transfer-by-setting-rwsem_owner_unknown.patch @@ -0,0 +1,108 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Waiman Long +Date: Tue, 15 May 2018 17:49:51 -0400 +Subject: locking/percpu-rwsem: Annotate rwsem ownership transfer by setting RWSEM_OWNER_UNKNOWN + +From: Waiman Long + +[ Upstream commit 5a817641f68a6399a5fac8b7d2da67a73698ffed ] + +The filesystem freezing code needs to transfer ownership of a rwsem +embedded in a percpu-rwsem from the task that does the freezing to +another one that does the thawing by calling percpu_rwsem_release() +after freezing and percpu_rwsem_acquire() before thawing. + +However, the new rwsem debug code runs afoul with this scheme by warning +that the task that releases the rwsem isn't the one that acquires it, +as reported by Amir Goldstein: + + DEBUG_LOCKS_WARN_ON(sem->owner != get_current()) + WARNING: CPU: 1 PID: 1401 at /home/amir/build/src/linux/kernel/locking/rwsem.c:133 up_write+0x59/0x79 + + Call Trace: + percpu_up_write+0x1f/0x28 + thaw_super_locked+0xdf/0x120 + do_vfs_ioctl+0x270/0x5f1 + ksys_ioctl+0x52/0x71 + __x64_sys_ioctl+0x16/0x19 + do_syscall_64+0x5d/0x167 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +To work properly with the rwsem debug code, we need to annotate that the +rwsem ownership is unknown during the tranfer period until a brave soul +comes forward to acquire the ownership. During that period, optimistic +spinning will be disabled. + +Reported-by: Amir Goldstein +Tested-by: Amir Goldstein +Signed-off-by: Waiman Long +Acked-by: Peter Zijlstra +Cc: Andrew Morton +Cc: Davidlohr Bueso +Cc: Jan Kara +Cc: Linus Torvalds +Cc: Matthew Wilcox +Cc: Oleg Nesterov +Cc: Paul E. McKenney +Cc: Theodore Y. Ts'o +Cc: Thomas Gleixner +Cc: Will Deacon +Cc: linux-fsdevel@vger.kernel.org +Link: http://lkml.kernel.org/r/1526420991-21213-3-git-send-email-longman@redhat.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/percpu-rwsem.h | 6 +++++- + include/linux/rwsem.h | 6 ++++++ + kernel/locking/rwsem-xadd.c | 2 ++ + 3 files changed, 13 insertions(+), 1 deletion(-) + +--- a/include/linux/percpu-rwsem.h ++++ b/include/linux/percpu-rwsem.h +@@ -133,7 +133,7 @@ static inline void percpu_rwsem_release( + lock_release(&sem->rw_sem.dep_map, 1, ip); + #ifdef CONFIG_RWSEM_SPIN_ON_OWNER + if (!read) +- sem->rw_sem.owner = NULL; ++ sem->rw_sem.owner = RWSEM_OWNER_UNKNOWN; + #endif + } + +@@ -141,6 +141,10 @@ static inline void percpu_rwsem_acquire( + bool read, unsigned long ip) + { + lock_acquire(&sem->rw_sem.dep_map, 0, 1, read, 1, NULL, ip); ++#ifdef CONFIG_RWSEM_SPIN_ON_OWNER ++ if (!read) ++ sem->rw_sem.owner = current; ++#endif + } + + #endif +--- a/include/linux/rwsem.h ++++ b/include/linux/rwsem.h +@@ -44,6 +44,12 @@ struct rw_semaphore { + #endif + }; + ++/* ++ * Setting bit 0 of the owner field with other non-zero bits will indicate ++ * that the rwsem is writer-owned with an unknown owner. ++ */ ++#define RWSEM_OWNER_UNKNOWN ((struct task_struct *)-1L) ++ + extern struct rw_semaphore *rwsem_down_read_failed(struct rw_semaphore *sem); + extern struct rw_semaphore *rwsem_down_read_failed_killable(struct rw_semaphore *sem); + extern struct rw_semaphore *rwsem_down_write_failed(struct rw_semaphore *sem); +--- a/kernel/locking/rwsem-xadd.c ++++ b/kernel/locking/rwsem-xadd.c +@@ -352,6 +352,8 @@ static inline bool rwsem_can_spin_on_own + struct task_struct *owner; + bool ret = true; + ++ BUILD_BUG_ON(!rwsem_has_anonymous_owner(RWSEM_OWNER_UNKNOWN)); ++ + if (need_resched()) + return false; + diff --git a/queue-4.16/locking-rwsem-add-a-new-rwsem_anonymously_owned-flag.patch b/queue-4.16/locking-rwsem-add-a-new-rwsem_anonymously_owned-flag.patch new file mode 100644 index 00000000000..76720fd2750 --- /dev/null +++ b/queue-4.16/locking-rwsem-add-a-new-rwsem_anonymously_owned-flag.patch @@ -0,0 +1,168 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Waiman Long +Date: Tue, 15 May 2018 17:49:50 -0400 +Subject: locking/rwsem: Add a new RWSEM_ANONYMOUSLY_OWNED flag + +From: Waiman Long + +[ Upstream commit d7d760efad70c7a030725499bf9f342f04af24dd ] + +There are use cases where a rwsem can be acquired by one task, but +released by another task. In thess cases, optimistic spinning may need +to be disabled. One example will be the filesystem freeze/thaw code +where the task that freezes the filesystem will acquire a write lock +on a rwsem and then un-owns it before returning to userspace. Later on, +another task will come along, acquire the ownership, thaw the filesystem +and release the rwsem. + +Bit 0 of the owner field was used to designate that it is a reader +owned rwsem. It is now repurposed to mean that the owner of the rwsem +is not known. If only bit 0 is set, the rwsem is reader owned. If bit +0 and other bits are set, it is writer owned with an unknown owner. +One such value for the latter case is (-1L). So we can set owner to 1 for +reader-owned, -1 for writer-owned. The owner is unknown in both cases. + +To handle transfer of rwsem ownership, the higher level code should +set the owner field to -1 to indicate a write-locked rwsem with unknown +owner. Optimistic spinning will be disabled in this case. + +Once the higher level code figures who the new owner is, it can then +set the owner field accordingly. + +Tested-by: Amir Goldstein +Signed-off-by: Waiman Long +Acked-by: Peter Zijlstra +Cc: Andrew Morton +Cc: Davidlohr Bueso +Cc: Jan Kara +Cc: Linus Torvalds +Cc: Matthew Wilcox +Cc: Oleg Nesterov +Cc: Paul E. McKenney +Cc: Theodore Y. Ts'o +Cc: Thomas Gleixner +Cc: Will Deacon +Cc: linux-fsdevel@vger.kernel.org +Link: http://lkml.kernel.org/r/1526420991-21213-2-git-send-email-longman@redhat.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/locking/rwsem-xadd.c | 17 +++++++---------- + kernel/locking/rwsem.c | 2 -- + kernel/locking/rwsem.h | 30 +++++++++++++++++++++--------- + 3 files changed, 28 insertions(+), 21 deletions(-) + +--- a/kernel/locking/rwsem-xadd.c ++++ b/kernel/locking/rwsem-xadd.c +@@ -357,11 +357,8 @@ static inline bool rwsem_can_spin_on_own + + rcu_read_lock(); + owner = READ_ONCE(sem->owner); +- if (!rwsem_owner_is_writer(owner)) { +- /* +- * Don't spin if the rwsem is readers owned. +- */ +- ret = !rwsem_owner_is_reader(owner); ++ if (!owner || !is_rwsem_owner_spinnable(owner)) { ++ ret = !owner; /* !owner is spinnable */ + goto done; + } + +@@ -382,11 +379,11 @@ static noinline bool rwsem_spin_on_owner + { + struct task_struct *owner = READ_ONCE(sem->owner); + +- if (!rwsem_owner_is_writer(owner)) +- goto out; ++ if (!is_rwsem_owner_spinnable(owner)) ++ return false; + + rcu_read_lock(); +- while (sem->owner == owner) { ++ while (owner && (READ_ONCE(sem->owner) == owner)) { + /* + * Ensure we emit the owner->on_cpu, dereference _after_ + * checking sem->owner still matches owner, if that fails, +@@ -408,12 +405,12 @@ static noinline bool rwsem_spin_on_owner + cpu_relax(); + } + rcu_read_unlock(); +-out: ++ + /* + * If there is a new owner or the owner is not set, we continue + * spinning. + */ +- return !rwsem_owner_is_reader(READ_ONCE(sem->owner)); ++ return is_rwsem_owner_spinnable(READ_ONCE(sem->owner)); + } + + static bool rwsem_optimistic_spin(struct rw_semaphore *sem) +--- a/kernel/locking/rwsem.c ++++ b/kernel/locking/rwsem.c +@@ -217,5 +217,3 @@ void up_read_non_owner(struct rw_semapho + EXPORT_SYMBOL(up_read_non_owner); + + #endif +- +- +--- a/kernel/locking/rwsem.h ++++ b/kernel/locking/rwsem.h +@@ -1,20 +1,24 @@ + /* SPDX-License-Identifier: GPL-2.0 */ + /* + * The owner field of the rw_semaphore structure will be set to +- * RWSEM_READ_OWNED when a reader grabs the lock. A writer will clear ++ * RWSEM_READER_OWNED when a reader grabs the lock. A writer will clear + * the owner field when it unlocks. A reader, on the other hand, will + * not touch the owner field when it unlocks. + * +- * In essence, the owner field now has the following 3 states: ++ * In essence, the owner field now has the following 4 states: + * 1) 0 + * - lock is free or the owner hasn't set the field yet + * 2) RWSEM_READER_OWNED + * - lock is currently or previously owned by readers (lock is free + * or not set by owner yet) +- * 3) Other non-zero value +- * - a writer owns the lock ++ * 3) RWSEM_ANONYMOUSLY_OWNED bit set with some other bits set as well ++ * - lock is owned by an anonymous writer, so spinning on the lock ++ * owner should be disabled. ++ * 4) Other non-zero value ++ * - a writer owns the lock and other writers can spin on the lock owner. + */ +-#define RWSEM_READER_OWNED ((struct task_struct *)1UL) ++#define RWSEM_ANONYMOUSLY_OWNED (1UL << 0) ++#define RWSEM_READER_OWNED ((struct task_struct *)RWSEM_ANONYMOUSLY_OWNED) + + #ifdef CONFIG_RWSEM_SPIN_ON_OWNER + /* +@@ -45,14 +49,22 @@ static inline void rwsem_set_reader_owne + WRITE_ONCE(sem->owner, RWSEM_READER_OWNED); + } + +-static inline bool rwsem_owner_is_writer(struct task_struct *owner) ++/* ++ * Return true if the a rwsem waiter can spin on the rwsem's owner ++ * and steal the lock, i.e. the lock is not anonymously owned. ++ * N.B. !owner is considered spinnable. ++ */ ++static inline bool is_rwsem_owner_spinnable(struct task_struct *owner) + { +- return owner && owner != RWSEM_READER_OWNED; ++ return !((unsigned long)owner & RWSEM_ANONYMOUSLY_OWNED); + } + +-static inline bool rwsem_owner_is_reader(struct task_struct *owner) ++/* ++ * Return true if rwsem is owned by an anonymous writer or readers. ++ */ ++static inline bool rwsem_has_anonymous_owner(struct task_struct *owner) + { +- return owner == RWSEM_READER_OWNED; ++ return (unsigned long)owner & RWSEM_ANONYMOUSLY_OWNED; + } + #else + static inline void rwsem_set_owner(struct rw_semaphore *sem) diff --git a/queue-4.16/mac80211-adjust-sae-authentication-timeout.patch b/queue-4.16/mac80211-adjust-sae-authentication-timeout.patch new file mode 100644 index 00000000000..96fd753f2fd --- /dev/null +++ b/queue-4.16/mac80211-adjust-sae-authentication-timeout.patch @@ -0,0 +1,77 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Ilan Peer +Date: Fri, 20 Apr 2018 13:49:20 +0300 +Subject: mac80211: Adjust SAE authentication timeout + +From: Ilan Peer + +[ Upstream commit 407879b690ba3a6bf29be896d02dad63463bd1c0 ] + +The IEEE P802.11-REVmd D1.0 specification updated the SAE authentication +timeout to be 2000 milliseconds (see dot11RSNASAERetransPeriod). Update +the SAE timeout setting accordingly. + +While at it, reduce some code duplication in the timeout configuration. + +Signed-off-by: Ilan Peer +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/mlme.c | 25 ++++++++++++++++++------- + 1 file changed, 18 insertions(+), 7 deletions(-) + +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -35,6 +35,7 @@ + #define IEEE80211_AUTH_TIMEOUT (HZ / 5) + #define IEEE80211_AUTH_TIMEOUT_LONG (HZ / 2) + #define IEEE80211_AUTH_TIMEOUT_SHORT (HZ / 10) ++#define IEEE80211_AUTH_TIMEOUT_SAE (HZ * 2) + #define IEEE80211_AUTH_MAX_TRIES 3 + #define IEEE80211_AUTH_WAIT_ASSOC (HZ * 5) + #define IEEE80211_ASSOC_TIMEOUT (HZ / 5) +@@ -3788,16 +3789,19 @@ static int ieee80211_auth(struct ieee802 + tx_flags); + + if (tx_flags == 0) { +- auth_data->timeout = jiffies + IEEE80211_AUTH_TIMEOUT; +- auth_data->timeout_started = true; +- run_again(sdata, auth_data->timeout); ++ if (auth_data->algorithm == WLAN_AUTH_SAE) ++ auth_data->timeout = jiffies + ++ IEEE80211_AUTH_TIMEOUT_SAE; ++ else ++ auth_data->timeout = jiffies + IEEE80211_AUTH_TIMEOUT; + } else { + auth_data->timeout = + round_jiffies_up(jiffies + IEEE80211_AUTH_TIMEOUT_LONG); +- auth_data->timeout_started = true; +- run_again(sdata, auth_data->timeout); + } + ++ auth_data->timeout_started = true; ++ run_again(sdata, auth_data->timeout); ++ + return 0; + } + +@@ -3868,8 +3872,15 @@ void ieee80211_sta_work(struct ieee80211 + ifmgd->status_received = false; + if (ifmgd->auth_data && ieee80211_is_auth(fc)) { + if (status_acked) { +- ifmgd->auth_data->timeout = +- jiffies + IEEE80211_AUTH_TIMEOUT_SHORT; ++ if (ifmgd->auth_data->algorithm == ++ WLAN_AUTH_SAE) ++ ifmgd->auth_data->timeout = ++ jiffies + ++ IEEE80211_AUTH_TIMEOUT_SAE; ++ else ++ ifmgd->auth_data->timeout = ++ jiffies + ++ IEEE80211_AUTH_TIMEOUT_SHORT; + run_again(sdata, ifmgd->auth_data->timeout); + } else { + ifmgd->auth_data->timeout = jiffies - 1; diff --git a/queue-4.16/mac80211-use-timeout-from-the-addba-response-instead-of-the-request.patch b/queue-4.16/mac80211-use-timeout-from-the-addba-response-instead-of-the-request.patch new file mode 100644 index 00000000000..d7c181a4d91 --- /dev/null +++ b/queue-4.16/mac80211-use-timeout-from-the-addba-response-instead-of-the-request.patch @@ -0,0 +1,64 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Sara Sharon +Date: Fri, 20 Apr 2018 13:49:19 +0300 +Subject: mac80211: use timeout from the AddBA response instead of the request + +From: Sara Sharon + +[ Upstream commit 914eac248d876f9c00cd1792ffec3d182c863f13 ] + +2016 spec, section 10.24.2 specifies that the block ack +timeout in the ADD BA request is advisory. + +That means we should check the value in the response and +act upon it (same as buffer size). + +Signed-off-by: Sara Sharon +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/agg-tx.c | 4 ++++ + net/mac80211/tx.c | 3 ++- + 2 files changed, 6 insertions(+), 1 deletion(-) + +--- a/net/mac80211/agg-tx.c ++++ b/net/mac80211/agg-tx.c +@@ -8,6 +8,7 @@ + * Copyright 2007, Michael Wu + * Copyright 2007-2010, Intel Corporation + * Copyright(c) 2015-2017 Intel Deutschland GmbH ++ * Copyright (C) 2018 Intel Corporation + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as +@@ -970,6 +971,9 @@ void ieee80211_process_addba_resp(struct + + sta->ampdu_mlme.addba_req_num[tid] = 0; + ++ tid_tx->timeout = ++ le16_to_cpu(mgmt->u.action.u.addba_resp.timeout); ++ + if (tid_tx->timeout) { + mod_timer(&tid_tx->session_timer, + TU_TO_EXP_TIME(tid_tx->timeout)); +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -4,6 +4,7 @@ + * Copyright 2006-2007 Jiri Benc + * Copyright 2007 Johannes Berg + * Copyright 2013-2014 Intel Mobile Communications GmbH ++ * Copyright (C) 2018 Intel Corporation + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as +@@ -1138,7 +1139,7 @@ static bool ieee80211_tx_prep_agg(struct + } + + /* reset session timer */ +- if (reset_agg_timer && tid_tx->timeout) ++ if (reset_agg_timer) + tid_tx->last_tx = jiffies; + + return queued; diff --git a/queue-4.16/mips-dts-boston-fix-pci-bus-dtc-warnings.patch b/queue-4.16/mips-dts-boston-fix-pci-bus-dtc-warnings.patch new file mode 100644 index 00000000000..91911910ba1 --- /dev/null +++ b/queue-4.16/mips-dts-boston-fix-pci-bus-dtc-warnings.patch @@ -0,0 +1,60 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Matt Redfearn +Date: Fri, 13 Apr 2018 09:50:44 +0100 +Subject: MIPS: dts: Boston: Fix PCI bus dtc warnings: + +From: Matt Redfearn + +[ Upstream commit 2c2bf522ed8cbfaac666f7dc65cfd38de2b89f0f ] + +dtc recently (v1.4.4-8-g756ffc4f52f6) added PCI bus checks. Fix the +warnings now emitted: + +arch/mips/boot/dts/img/boston.dtb: Warning (pci_bridge): /pci@10000000: missing bus-range for PCI bridge +arch/mips/boot/dts/img/boston.dtb: Warning (pci_bridge): /pci@12000000: missing bus-range for PCI bridge +arch/mips/boot/dts/img/boston.dtb: Warning (pci_bridge): /pci@14000000: missing bus-range for PCI bridge + +Signed-off-by: Matt Redfearn +Cc: Ralf Baechle +Cc: Paul Burton +Cc: Rob Herring +Cc: Mark Rutland +Cc: linux-mips@linux-mips.org +Cc: devicetree@vger.kernel.org +Patchwork: https://patchwork.linux-mips.org/patch/19070/ +Signed-off-by: James Hogan +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/boot/dts/img/boston.dts | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/arch/mips/boot/dts/img/boston.dts ++++ b/arch/mips/boot/dts/img/boston.dts +@@ -51,6 +51,8 @@ + ranges = <0x02000000 0 0x40000000 + 0x40000000 0 0x40000000>; + ++ bus-range = <0x00 0xff>; ++ + interrupt-map-mask = <0 0 0 7>; + interrupt-map = <0 0 0 1 &pci0_intc 1>, + <0 0 0 2 &pci0_intc 2>, +@@ -79,6 +81,8 @@ + ranges = <0x02000000 0 0x20000000 + 0x20000000 0 0x20000000>; + ++ bus-range = <0x00 0xff>; ++ + interrupt-map-mask = <0 0 0 7>; + interrupt-map = <0 0 0 1 &pci1_intc 1>, + <0 0 0 2 &pci1_intc 2>, +@@ -107,6 +111,8 @@ + ranges = <0x02000000 0 0x16000000 + 0x16000000 0 0x100000>; + ++ bus-range = <0x00 0xff>; ++ + interrupt-map-mask = <0 0 0 7>; + interrupt-map = <0 0 0 1 &pci2_intc 1>, + <0 0 0 2 &pci2_intc 2>, diff --git a/queue-4.16/mips-io-add-barrier-after-register-read-in-readx.patch b/queue-4.16/mips-io-add-barrier-after-register-read-in-readx.patch new file mode 100644 index 00000000000..a7b537a0034 --- /dev/null +++ b/queue-4.16/mips-io-add-barrier-after-register-read-in-readx.patch @@ -0,0 +1,39 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Sinan Kaya +Date: Thu, 12 Apr 2018 22:30:44 -0400 +Subject: MIPS: io: Add barrier after register read in readX() + +From: Sinan Kaya + +[ Upstream commit a1cc7034e33d12dc17d13fbcd7d597d552889097 ] + +While a barrier is present in the writeX() functions before the register +write, a similar barrier is missing in the readX() functions after the +register read. This could allow memory accesses following readX() to +observe stale data. + +Signed-off-by: Sinan Kaya +Reported-by: Arnd Bergmann +Cc: Ralf Baechle +Cc: Paul Burton +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/19069/ +[jhogan@kernel.org: Tidy commit message] +Signed-off-by: James Hogan +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/include/asm/io.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/mips/include/asm/io.h ++++ b/arch/mips/include/asm/io.h +@@ -377,6 +377,8 @@ static inline type pfx##read##bwlq(const + BUG(); \ + } \ + \ ++ /* prevent prefetching of coherent DMA data prematurely */ \ ++ rmb(); \ + return pfx##ioswab##bwlq(__mem, __val); \ + } + diff --git a/queue-4.16/mips-io-prevent-compiler-reordering-writex.patch b/queue-4.16/mips-io-prevent-compiler-reordering-writex.patch new file mode 100644 index 00000000000..8d6419715c5 --- /dev/null +++ b/queue-4.16/mips-io-prevent-compiler-reordering-writex.patch @@ -0,0 +1,39 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Sinan Kaya +Date: Tue, 3 Apr 2018 08:55:03 -0400 +Subject: MIPS: io: Prevent compiler reordering writeX() + +From: Sinan Kaya + +[ Upstream commit f6b7aeee8f167409195fbf1364d02988fecad1d0 ] + +writeX() has strong ordering semantics with respect to memory updates. +In the absence of a write barrier or a compiler barrier, the compiler +can reorder register and memory update instructions. This breaks the +writeX() API. + +Signed-off-by: Sinan Kaya +Cc: Arnd Bergmann +Cc: Ralf Baechle +Cc: Paul Burton +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/18997/ +[jhogan@kernel.org: Tidy commit message] +Signed-off-by: James Hogan +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/include/asm/io.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/include/asm/io.h ++++ b/arch/mips/include/asm/io.h +@@ -307,7 +307,7 @@ static inline void iounmap(const volatil + #if defined(CONFIG_CPU_CAVIUM_OCTEON) || defined(CONFIG_LOONGSON3_ENHANCEMENT) + #define war_io_reorder_wmb() wmb() + #else +-#define war_io_reorder_wmb() do { } while (0) ++#define war_io_reorder_wmb() barrier() + #endif + + #define __BUILD_MEMORY_SINGLE(pfx, bwlq, type, irq) \ diff --git a/queue-4.16/mm-memcg-add-__gfp_nowarn-in-__memcg_schedule_kmem_cache_create.patch b/queue-4.16/mm-memcg-add-__gfp_nowarn-in-__memcg_schedule_kmem_cache_create.patch new file mode 100644 index 00000000000..cf01409fcb5 --- /dev/null +++ b/queue-4.16/mm-memcg-add-__gfp_nowarn-in-__memcg_schedule_kmem_cache_create.patch @@ -0,0 +1,89 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Minchan Kim +Date: Fri, 20 Apr 2018 14:56:17 -0700 +Subject: mm: memcg: add __GFP_NOWARN in __memcg_schedule_kmem_cache_create() + +From: Minchan Kim + +[ Upstream commit c892fd82cc0632d425ae011a4dd75eb59e9f84ee ] + +If there is heavy memory pressure, page allocation with __GFP_NOWAIT +fails easily although it's order-0 request. I got below warning 9 times +for normal boot. + + : page allocation failure: order:0, mode:0x2200000(GFP_NOWAIT|__GFP_NOTRACK) + .. snip .. + Call trace: + dump_backtrace+0x0/0x4 + dump_stack+0xa4/0xc0 + warn_alloc+0xd4/0x15c + __alloc_pages_nodemask+0xf88/0x10fc + alloc_slab_page+0x40/0x18c + new_slab+0x2b8/0x2e0 + ___slab_alloc+0x25c/0x464 + __kmalloc+0x394/0x498 + memcg_kmem_get_cache+0x114/0x2b8 + kmem_cache_alloc+0x98/0x3e8 + mmap_region+0x3bc/0x8c0 + do_mmap+0x40c/0x43c + vm_mmap_pgoff+0x15c/0x1e4 + sys_mmap+0xb0/0xc8 + el0_svc_naked+0x24/0x28 + Mem-Info: + active_anon:17124 inactive_anon:193 isolated_anon:0 + active_file:7898 inactive_file:712955 isolated_file:55 + unevictable:0 dirty:27 writeback:18 unstable:0 + slab_reclaimable:12250 slab_unreclaimable:23334 + mapped:19310 shmem:212 pagetables:816 bounce:0 + free:36561 free_pcp:1205 free_cma:35615 + Node 0 active_anon:68496kB inactive_anon:772kB active_file:31592kB inactive_file:2851820kB unevictable:0kB isolated(anon):0kB isolated(file):220kB mapped:77240kB dirty:108kB writeback:72kB shmem:848kB writeback_tmp:0kB unstable:0kB all_unreclaimable? no + DMA free:142188kB min:3056kB low:3820kB high:4584kB active_anon:10052kB inactive_anon:12kB active_file:312kB inactive_file:1412620kB unevictable:0kB writepending:0kB present:1781412kB managed:1604728kB mlocked:0kB slab_reclaimable:3592kB slab_unreclaimable:876kB kernel_stack:400kB pagetables:52kB bounce:0kB free_pcp:1436kB local_pcp:124kB free_cma:142492kB + lowmem_reserve[]: 0 1842 1842 + Normal free:4056kB min:4172kB low:5212kB high:6252kB active_anon:58376kB inactive_anon:760kB active_file:31348kB inactive_file:1439040kB unevictable:0kB writepending:180kB present:2000636kB managed:1923688kB mlocked:0kB slab_reclaimable:45408kB slab_unreclaimable:92460kB kernel_stack:9680kB pagetables:3212kB bounce:0kB free_pcp:3392kB local_pcp:688kB free_cma:0kB + lowmem_reserve[]: 0 0 0 + DMA: 0*4kB 0*8kB 1*16kB (C) 0*32kB 0*64kB 0*128kB 1*256kB (C) 1*512kB (C) 0*1024kB 1*2048kB (C) 34*4096kB (C) = 142096kB + Normal: 228*4kB (UMEH) 172*8kB (UMH) 23*16kB (UH) 24*32kB (H) 5*64kB (H) 1*128kB (H) 0*256kB 0*512kB 0*1024kB 0*2048kB 0*4096kB = 3872kB + 721350 total pagecache pages + 0 pages in swap cache + Swap cache stats: add 0, delete 0, find 0/0 + Free swap = 0kB + Total swap = 0kB + 945512 pages RAM + 0 pages HighMem/MovableOnly + 63408 pages reserved + 51200 pages cma reserved + +__memcg_schedule_kmem_cache_create() tries to create a shadow slab cache +and the worker allocation failure is not really critical because we will +retry on the next kmem charge. We might miss some charges but that +shouldn't be critical. The excessive allocation failure report is not +very helpful. + +[mhocko@kernel.org: changelog update] +Link: http://lkml.kernel.org/r/20180418022912.248417-1-minchan@kernel.org +Signed-off-by: Minchan Kim +Acked-by: Johannes Weiner +Reviewed-by: Andrew Morton +Cc: Michal Hocko +Cc: Vladimir Davydov +Cc: Minchan Kim +Cc: Matthew Wilcox +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/memcontrol.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -2192,7 +2192,7 @@ static void __memcg_schedule_kmem_cache_ + { + struct memcg_kmem_cache_create_work *cw; + +- cw = kmalloc(sizeof(*cw), GFP_NOWAIT); ++ cw = kmalloc(sizeof(*cw), GFP_NOWAIT | __GFP_NOWARN); + if (!cw) + return; + diff --git a/queue-4.16/mm-pagemap-fix-swap-offset-value-for-pmd-migration-entry.patch b/queue-4.16/mm-pagemap-fix-swap-offset-value-for-pmd-migration-entry.patch new file mode 100644 index 00000000000..9dbae1b431d --- /dev/null +++ b/queue-4.16/mm-pagemap-fix-swap-offset-value-for-pmd-migration-entry.patch @@ -0,0 +1,66 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Huang Ying +Date: Fri, 20 Apr 2018 14:55:38 -0700 +Subject: mm, pagemap: fix swap offset value for PMD migration entry + +From: Huang Ying + +[ Upstream commit 88c28f2469151b031f8cea9b28ed5be1b74a4172 ] + +The swap offset reported by /proc//pagemap may be not correct for +PMD migration entries. If addr passed into pagemap_pmd_range() isn't +aligned with PMD start address, the swap offset reported doesn't +reflect this. And in the loop to report information of each sub-page, +the swap offset isn't increased accordingly as that for PFN. + +This may happen after opening /proc//pagemap and seeking to a page +whose address doesn't align with a PMD start address. I have verified +this with a simple test program. + +BTW: migration swap entries have PFN information, do we need to restrict +whether to show them? + +[akpm@linux-foundation.org: fix typo, per Huang, Ying] +Link: http://lkml.kernel.org/r/20180408033737.10897-1-ying.huang@intel.com +Signed-off-by: "Huang, Ying" +Cc: Michal Hocko +Cc: "Kirill A. Shutemov" +Cc: Andrei Vagin +Cc: Dan Williams +Cc: "Jerome Glisse" +Cc: Daniel Colascione +Cc: Zi Yan +Cc: Naoya Horiguchi +Cc: Alexey Dobriyan +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/proc/task_mmu.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/fs/proc/task_mmu.c ++++ b/fs/proc/task_mmu.c +@@ -1329,9 +1329,11 @@ static int pagemap_pmd_range(pmd_t *pmdp + #ifdef CONFIG_ARCH_ENABLE_THP_MIGRATION + else if (is_swap_pmd(pmd)) { + swp_entry_t entry = pmd_to_swp_entry(pmd); ++ unsigned long offset = swp_offset(entry); + ++ offset += (addr & ~PMD_MASK) >> PAGE_SHIFT; + frame = swp_type(entry) | +- (swp_offset(entry) << MAX_SWAPFILES_SHIFT); ++ (offset << MAX_SWAPFILES_SHIFT); + flags |= PM_SWAP; + if (pmd_swp_soft_dirty(pmd)) + flags |= PM_SOFT_DIRTY; +@@ -1351,6 +1353,8 @@ static int pagemap_pmd_range(pmd_t *pmdp + break; + if (pm->show_pfn && (flags & PM_PRESENT)) + frame++; ++ else if (flags & PM_SWAP) ++ frame += (1 << MAX_SWAPFILES_SHIFT); + } + spin_unlock(ptl); + return err; diff --git a/queue-4.16/mtd-fix-comparison-in-map_word_andequal.patch b/queue-4.16/mtd-fix-comparison-in-map_word_andequal.patch new file mode 100644 index 00000000000..e63672ae3dc --- /dev/null +++ b/queue-4.16/mtd-fix-comparison-in-map_word_andequal.patch @@ -0,0 +1,37 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Ben Hutchings +Date: Thu, 10 May 2018 19:20:54 +0100 +Subject: mtd: Fix comparison in map_word_andequal() + +From: Ben Hutchings + +[ Upstream commit ea739a287f4f16d6250bea779a1026ead79695f2 ] + +Commit 9e343e87d2c4 ("mtd: cfi: convert inline functions to macros") +changed map_word_andequal() into a macro, but also changed the right +hand side of the comparison from val3 to val2. Change it back to use +val3 on the right hand side. + +Thankfully this did not cause a regression because all callers +currently pass the same argument for val2 and val3. + +Fixes: 9e343e87d2c4 ("mtd: cfi: convert inline functions to macros") +Signed-off-by: Ben Hutchings +Signed-off-by: Boris Brezillon +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/mtd/map.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/mtd/map.h ++++ b/include/linux/mtd/map.h +@@ -312,7 +312,7 @@ void map_destroy(struct mtd_info *mtd); + ({ \ + int i, ret = 1; \ + for (i = 0; i < map_words(map); i++) { \ +- if (((val1).x[i] & (val2).x[i]) != (val2).x[i]) { \ ++ if (((val1).x[i] & (val2).x[i]) != (val3).x[i]) { \ + ret = 0; \ + break; \ + } \ diff --git a/queue-4.16/mtd-onenand-omap2-disable-dma-for-highmem-buffers.patch b/queue-4.16/mtd-onenand-omap2-disable-dma-for-highmem-buffers.patch new file mode 100644 index 00000000000..5815c29f8fb --- /dev/null +++ b/queue-4.16/mtd-onenand-omap2-disable-dma-for-highmem-buffers.patch @@ -0,0 +1,170 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Ladislav Michl +Date: Wed, 2 May 2018 12:41:32 +0200 +Subject: mtd: onenand: omap2: Disable DMA for HIGHMEM buffers + +From: Ladislav Michl + +[ Upstream commit 6732cfd4cac514b556f36b518670af91c8bdf19a ] + +dma_map_single does not work for vmalloc-ed buffers, +so disable DMA in this case. + +Signed-off-by: Ladislav Michl +Reported-by: "H. Nikolaus Schaller" +Tested-by: "H. Nikolaus Schaller" +Reviewed-by: Peter Ujfalusi +Signed-off-by: Boris Brezillon +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/onenand/omap2.c | 105 +++++++++++++++----------------------------- + 1 file changed, 38 insertions(+), 67 deletions(-) + +--- a/drivers/mtd/onenand/omap2.c ++++ b/drivers/mtd/onenand/omap2.c +@@ -377,56 +377,42 @@ static int omap2_onenand_read_bufferram( + { + struct omap2_onenand *c = container_of(mtd, struct omap2_onenand, mtd); + struct onenand_chip *this = mtd->priv; +- dma_addr_t dma_src, dma_dst; +- int bram_offset; ++ struct device *dev = &c->pdev->dev; + void *buf = (void *)buffer; ++ dma_addr_t dma_src, dma_dst; ++ int bram_offset, err; + size_t xtra; +- int ret; + + bram_offset = omap2_onenand_bufferram_offset(mtd, area) + area + offset; +- if (bram_offset & 3 || (size_t)buf & 3 || count < 384) +- goto out_copy; +- +- /* panic_write() may be in an interrupt context */ +- if (in_interrupt() || oops_in_progress) ++ /* ++ * If the buffer address is not DMA-able, len is not long enough to make ++ * DMA transfers profitable or panic_write() may be in an interrupt ++ * context fallback to PIO mode. ++ */ ++ if (!virt_addr_valid(buf) || bram_offset & 3 || (size_t)buf & 3 || ++ count < 384 || in_interrupt() || oops_in_progress ) + goto out_copy; + +- if (buf >= high_memory) { +- struct page *p1; +- +- if (((size_t)buf & PAGE_MASK) != +- ((size_t)(buf + count - 1) & PAGE_MASK)) +- goto out_copy; +- p1 = vmalloc_to_page(buf); +- if (!p1) +- goto out_copy; +- buf = page_address(p1) + ((size_t)buf & ~PAGE_MASK); +- } +- + xtra = count & 3; + if (xtra) { + count -= xtra; + memcpy(buf + count, this->base + bram_offset + count, xtra); + } + ++ dma_dst = dma_map_single(dev, buf, count, DMA_FROM_DEVICE); + dma_src = c->phys_base + bram_offset; +- dma_dst = dma_map_single(&c->pdev->dev, buf, count, DMA_FROM_DEVICE); +- if (dma_mapping_error(&c->pdev->dev, dma_dst)) { +- dev_err(&c->pdev->dev, +- "Couldn't DMA map a %d byte buffer\n", +- count); +- goto out_copy; +- } + +- ret = omap2_onenand_dma_transfer(c, dma_src, dma_dst, count); +- dma_unmap_single(&c->pdev->dev, dma_dst, count, DMA_FROM_DEVICE); +- +- if (ret) { +- dev_err(&c->pdev->dev, "timeout waiting for DMA\n"); ++ if (dma_mapping_error(dev, dma_dst)) { ++ dev_err(dev, "Couldn't DMA map a %d byte buffer\n", count); + goto out_copy; + } + +- return 0; ++ err = omap2_onenand_dma_transfer(c, dma_src, dma_dst, count); ++ dma_unmap_single(dev, dma_dst, count, DMA_FROM_DEVICE); ++ if (!err) ++ return 0; ++ ++ dev_err(dev, "timeout waiting for DMA\n"); + + out_copy: + memcpy(buf, this->base + bram_offset, count); +@@ -439,49 +425,34 @@ static int omap2_onenand_write_bufferram + { + struct omap2_onenand *c = container_of(mtd, struct omap2_onenand, mtd); + struct onenand_chip *this = mtd->priv; +- dma_addr_t dma_src, dma_dst; +- int bram_offset; ++ struct device *dev = &c->pdev->dev; + void *buf = (void *)buffer; +- int ret; ++ dma_addr_t dma_src, dma_dst; ++ int bram_offset, err; + + bram_offset = omap2_onenand_bufferram_offset(mtd, area) + area + offset; +- if (bram_offset & 3 || (size_t)buf & 3 || count < 384) +- goto out_copy; +- +- /* panic_write() may be in an interrupt context */ +- if (in_interrupt() || oops_in_progress) ++ /* ++ * If the buffer address is not DMA-able, len is not long enough to make ++ * DMA transfers profitable or panic_write() may be in an interrupt ++ * context fallback to PIO mode. ++ */ ++ if (!virt_addr_valid(buf) || bram_offset & 3 || (size_t)buf & 3 || ++ count < 384 || in_interrupt() || oops_in_progress ) + goto out_copy; + +- if (buf >= high_memory) { +- struct page *p1; +- +- if (((size_t)buf & PAGE_MASK) != +- ((size_t)(buf + count - 1) & PAGE_MASK)) +- goto out_copy; +- p1 = vmalloc_to_page(buf); +- if (!p1) +- goto out_copy; +- buf = page_address(p1) + ((size_t)buf & ~PAGE_MASK); +- } +- +- dma_src = dma_map_single(&c->pdev->dev, buf, count, DMA_TO_DEVICE); ++ dma_src = dma_map_single(dev, buf, count, DMA_TO_DEVICE); + dma_dst = c->phys_base + bram_offset; +- if (dma_mapping_error(&c->pdev->dev, dma_src)) { +- dev_err(&c->pdev->dev, +- "Couldn't DMA map a %d byte buffer\n", +- count); +- return -1; +- } +- +- ret = omap2_onenand_dma_transfer(c, dma_src, dma_dst, count); +- dma_unmap_single(&c->pdev->dev, dma_src, count, DMA_TO_DEVICE); +- +- if (ret) { +- dev_err(&c->pdev->dev, "timeout waiting for DMA\n"); ++ if (dma_mapping_error(dev, dma_src)) { ++ dev_err(dev, "Couldn't DMA map a %d byte buffer\n", count); + goto out_copy; + } + +- return 0; ++ err = omap2_onenand_dma_transfer(c, dma_src, dma_dst, count); ++ dma_unmap_page(dev, dma_src, count, DMA_TO_DEVICE); ++ if (!err) ++ return 0; ++ ++ dev_err(dev, "timeout waiting for DMA\n"); + + out_copy: + memcpy(this->base + bram_offset, buf, count); diff --git a/queue-4.16/mtd-rawnand-fix-return-type-of-__divide-when-called-with-32-bit.patch b/queue-4.16/mtd-rawnand-fix-return-type-of-__divide-when-called-with-32-bit.patch new file mode 100644 index 00000000000..91e727c8ed9 --- /dev/null +++ b/queue-4.16/mtd-rawnand-fix-return-type-of-__divide-when-called-with-32-bit.patch @@ -0,0 +1,57 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Geert Uytterhoeven +Date: Mon, 14 May 2018 12:49:37 +0200 +Subject: mtd: rawnand: Fix return type of __DIVIDE() when called with 32-bit + +From: Geert Uytterhoeven + +[ Upstream commit 9f825e74d761c13b0cfaa5f65344d64ff970e252 ] + +The __DIVIDE() macro checks whether it is called with a 32-bit or 64-bit +dividend, to select the appropriate divide-and-round-up routine. +As the check uses the ternary operator, the result will always be +promoted to a type that can hold both results, i.e. unsigned long long. + +When using this result in a division on a 32-bit system, this may lead +to link errors like: + + ERROR: "__udivdi3" [drivers/mtd/nand/raw/nand.ko] undefined! + +Fix this by casting the result of the division to the type of the +dividend. + +Fixes: 8878b126df769831 ("mtd: nand: add ->exec_op() implementation") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Boris Brezillon +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/mtd/rawnand.h | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +--- a/include/linux/mtd/rawnand.h ++++ b/include/linux/mtd/rawnand.h +@@ -824,12 +824,18 @@ struct nand_op_instr { + * tBERS (during an erase) which all of them are u64 values that cannot be + * divided by usual kernel macros and must be handled with the special + * DIV_ROUND_UP_ULL() macro. ++ * ++ * Cast to type of dividend is needed here to guarantee that the result won't ++ * be an unsigned long long when the dividend is an unsigned long (or smaller), ++ * which is what the compiler does when it sees ternary operator with 2 ++ * different return types (picks the largest type to make sure there's no ++ * loss). + */ +-#define __DIVIDE(dividend, divisor) ({ \ +- sizeof(dividend) == sizeof(u32) ? \ +- DIV_ROUND_UP(dividend, divisor) : \ +- DIV_ROUND_UP_ULL(dividend, divisor); \ +- }) ++#define __DIVIDE(dividend, divisor) ({ \ ++ (__typeof__(dividend))(sizeof(dividend) <= sizeof(unsigned long) ? \ ++ DIV_ROUND_UP(dividend, divisor) : \ ++ DIV_ROUND_UP_ULL(dividend, divisor)); \ ++ }) + #define PSEC_TO_NSEC(x) __DIVIDE(x, 1000) + #define PSEC_TO_MSEC(x) __DIVIDE(x, 1000000000) + diff --git a/queue-4.16/net-aquantia-driver-should-correctly-declare-vlan_features-bits.patch b/queue-4.16/net-aquantia-driver-should-correctly-declare-vlan_features-bits.patch new file mode 100644 index 00000000000..be1e1917e65 --- /dev/null +++ b/queue-4.16/net-aquantia-driver-should-correctly-declare-vlan_features-bits.patch @@ -0,0 +1,35 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Igor Russkikh +Date: Mon, 7 May 2018 16:10:38 +0300 +Subject: net: aquantia: driver should correctly declare vlan_features bits + +From: Igor Russkikh + +[ Upstream commit 8c61ab7f111a2b29d051348b9cb9a39804ebf1f8 ] + +In particular, not reporting SG forced skbs to be linear for vlan +interfaces over atlantic NIC. + +With this fix it is possible to enable SG feature on device and +therefore optimize performance. + +Reported-by: Ma Yuying +Signed-off-by: Igor Russkikh +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c +@@ -246,6 +246,8 @@ void aq_nic_ndev_init(struct aq_nic_s *s + + self->ndev->hw_features |= aq_hw_caps->hw_features; + self->ndev->features = aq_hw_caps->hw_features; ++ self->ndev->vlan_features |= NETIF_F_HW_CSUM | NETIF_F_RXCSUM | ++ NETIF_F_RXHASH | NETIF_F_SG | NETIF_F_LRO; + self->ndev->priv_flags = aq_hw_caps->hw_priv_flags; + self->ndev->priv_flags |= IFF_LIVE_ADDR_CHANGE; + diff --git a/queue-4.16/net-aquantia-limit-number-of-vectors-to-actually-allocated-irqs.patch b/queue-4.16/net-aquantia-limit-number-of-vectors-to-actually-allocated-irqs.patch new file mode 100644 index 00000000000..a4e4fe6d7a6 --- /dev/null +++ b/queue-4.16/net-aquantia-limit-number-of-vectors-to-actually-allocated-irqs.patch @@ -0,0 +1,89 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Igor Russkikh +Date: Mon, 7 May 2018 16:10:39 +0300 +Subject: net: aquantia: Limit number of vectors to actually allocated irqs + +From: Igor Russkikh + +[ Upstream commit a09bd81b5413d1b4d705c6c5303b5d311069da22 ] + +Driver should use pci_alloc_irq_vectors return value to correct number +of allocated vectors and napi instances. Otherwise it'll panic later +in pci_irq_vector. + +Driver also should allow more than one MSI vectors to be allocated. + +Error return path from pci_alloc_irq_vectors is also fixed to revert +resources in a correct sequence when error happens. + +Reported-by: Long, Nicholas +Fixes: 23ee07a ("net: aquantia: Cleanup pci functions module") +Signed-off-by: Igor Russkikh +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 1 + drivers/net/ethernet/aquantia/atlantic/aq_nic.h | 1 + drivers/net/ethernet/aquantia/atlantic/aq_pci_func.c | 20 +++++++++---------- + 3 files changed, 12 insertions(+), 10 deletions(-) + +--- a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c +@@ -95,6 +95,7 @@ void aq_nic_cfg_start(struct aq_nic_s *s + /*rss rings */ + cfg->vecs = min(cfg->aq_hw_caps->vecs, AQ_CFG_VECS_DEF); + cfg->vecs = min(cfg->vecs, num_online_cpus()); ++ cfg->vecs = min(cfg->vecs, self->irqvecs); + /* cfg->vecs should be power of 2 for RSS */ + if (cfg->vecs >= 8U) + cfg->vecs = 8U; +--- a/drivers/net/ethernet/aquantia/atlantic/aq_nic.h ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_nic.h +@@ -80,6 +80,7 @@ struct aq_nic_s { + + struct pci_dev *pdev; + unsigned int msix_entry_mask; ++ u32 irqvecs; + }; + + static inline struct device *aq_nic_get_dev(struct aq_nic_s *self) +--- a/drivers/net/ethernet/aquantia/atlantic/aq_pci_func.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_pci_func.c +@@ -267,16 +267,16 @@ static int aq_pci_probe(struct pci_dev * + numvecs = min(numvecs, num_online_cpus()); + /*enable interrupts */ + #if !AQ_CFG_FORCE_LEGACY_INT +- err = pci_alloc_irq_vectors(self->pdev, numvecs, numvecs, +- PCI_IRQ_MSIX); +- +- if (err < 0) { +- err = pci_alloc_irq_vectors(self->pdev, 1, 1, +- PCI_IRQ_MSI | PCI_IRQ_LEGACY); +- if (err < 0) +- goto err_hwinit; ++ numvecs = pci_alloc_irq_vectors(self->pdev, 1, numvecs, ++ PCI_IRQ_MSIX | PCI_IRQ_MSI | ++ PCI_IRQ_LEGACY); ++ ++ if (numvecs < 0) { ++ err = numvecs; ++ goto err_hwinit; + } + #endif ++ self->irqvecs = numvecs; + + /* net device init */ + aq_nic_cfg_start(self); +@@ -298,9 +298,9 @@ err_free_aq_hw: + kfree(self->aq_hw); + err_ioremap: + free_netdev(ndev); +-err_pci_func: +- pci_release_regions(pdev); + err_ndev: ++ pci_release_regions(pdev); ++err_pci_func: + pci_disable_device(pdev); + return err; + } diff --git a/queue-4.16/net-ethtool-add-missing-kernel-doc-for-fec-parameters.patch b/queue-4.16/net-ethtool-add-missing-kernel-doc-for-fec-parameters.patch new file mode 100644 index 00000000000..6240fe7b7a0 --- /dev/null +++ b/queue-4.16/net-ethtool-add-missing-kernel-doc-for-fec-parameters.patch @@ -0,0 +1,33 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Florian Fainelli +Date: Mon, 23 Apr 2018 15:51:38 -0700 +Subject: net: ethtool: Add missing kernel doc for FEC parameters + +From: Florian Fainelli + +[ Upstream commit d805c5209350ae725e3a1ee0204ba27d9e75ce3e ] + +While adding support for ethtool::get_fecparam and set_fecparam, kernel +doc for these functions was missed, add those. + +Fixes: 1a5f3da20bd9 ("net: ethtool: add support for forward error correction modes") +Signed-off-by: Florian Fainelli +Acked-by: Roopa Prabhu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/ethtool.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/include/linux/ethtool.h ++++ b/include/linux/ethtool.h +@@ -310,6 +310,8 @@ bool ethtool_convert_link_mode_to_legacy + * fields should be ignored (use %__ETHTOOL_LINK_MODE_MASK_NBITS + * instead of the latter), any change to them will be overwritten + * by kernel. Returns a negative error code or zero. ++ * @get_fecparam: Get the network device Forward Error Correction parameters. ++ * @set_fecparam: Set the network device Forward Error Correction parameters. + * + * All operations are optional (i.e. the function pointer may be set + * to %NULL) and callers must take this into account. Callers must diff --git a/queue-4.16/net-hns-avoid-action-name-truncation.patch b/queue-4.16/net-hns-avoid-action-name-truncation.patch new file mode 100644 index 00000000000..1d61c7fc0ca --- /dev/null +++ b/queue-4.16/net-hns-avoid-action-name-truncation.patch @@ -0,0 +1,63 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: dann frazier +Date: Wed, 18 Apr 2018 21:55:41 -0600 +Subject: net: hns: Avoid action name truncation + +From: dann frazier + +[ Upstream commit f4ea89110df237da6fbcaab76af431e85f07d904 ] + +When longer interface names are used, the action names exposed in +/proc/interrupts and /proc/irq/* maybe truncated. For example, when +using the predictable name algorithm in systemd on a HiSilicon D05, +I see: + + ubuntu@d05-3:~$ grep enahisic2i0-tx /proc/interrupts | sed 's/.* //' + enahisic2i0-tx0 + enahisic2i0-tx1 + [...] + enahisic2i0-tx8 + enahisic2i0-tx9 + enahisic2i0-tx1 + enahisic2i0-tx1 + enahisic2i0-tx1 + enahisic2i0-tx1 + enahisic2i0-tx1 + enahisic2i0-tx1 + +Increase the max ring name length to allow for an interface name +of IFNAMSIZE. After this change, I now see: + + $ grep enahisic2i0-tx /proc/interrupts | sed 's/.* //' + enahisic2i0-tx0 + enahisic2i0-tx1 + enahisic2i0-tx2 + [...] + enahisic2i0-tx8 + enahisic2i0-tx9 + enahisic2i0-tx10 + enahisic2i0-tx11 + enahisic2i0-tx12 + enahisic2i0-tx13 + enahisic2i0-tx14 + enahisic2i0-tx15 + +Signed-off-by: dann frazier +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/hisilicon/hns/hnae.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/hisilicon/hns/hnae.h ++++ b/drivers/net/ethernet/hisilicon/hns/hnae.h +@@ -87,7 +87,7 @@ do { \ + + #define HNAE_AE_REGISTER 0x1 + +-#define RCB_RING_NAME_LEN 16 ++#define RCB_RING_NAME_LEN (IFNAMSIZ + 4) + + #define HNAE_LOWEST_LATENCY_COAL_PARAM 30 + #define HNAE_LOW_LATENCY_COAL_PARAM 80 diff --git a/queue-4.16/net-mvpp2-fix-clk-error-path-in-mvpp2_probe.patch b/queue-4.16/net-mvpp2-fix-clk-error-path-in-mvpp2_probe.patch new file mode 100644 index 00000000000..9809f712541 --- /dev/null +++ b/queue-4.16/net-mvpp2-fix-clk-error-path-in-mvpp2_probe.patch @@ -0,0 +1,86 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Maxime Chevallier +Date: Wed, 25 Apr 2018 20:21:16 +0200 +Subject: net: mvpp2: Fix clk error path in mvpp2_probe + +From: Maxime Chevallier + +[ Upstream commit 45f972adb7f4db2d7f02af728ccd104113336074 ] + +When clk_prepare_enable fails for the axi_clk, the mg_clk isn't properly +cleaned up. Add another jump label to handle that case, and make sure we +jump to it in the later error cases. + +Fixes: 4792ea04bcd0 ("net: mvpp2: Fix clock resource by adding an optional bus clock") +Signed-off-by: Maxime Chevallier +Acked-by: Gregory CLEMENT +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/mvpp2.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +--- a/drivers/net/ethernet/marvell/mvpp2.c ++++ b/drivers/net/ethernet/marvell/mvpp2.c +@@ -8332,12 +8332,12 @@ static int mvpp2_probe(struct platform_d + if (IS_ERR(priv->axi_clk)) { + err = PTR_ERR(priv->axi_clk); + if (err == -EPROBE_DEFER) +- goto err_gop_clk; ++ goto err_mg_clk; + priv->axi_clk = NULL; + } else { + err = clk_prepare_enable(priv->axi_clk); + if (err < 0) +- goto err_gop_clk; ++ goto err_mg_clk; + } + + /* Get system's tclk rate */ +@@ -8351,7 +8351,7 @@ static int mvpp2_probe(struct platform_d + if (priv->hw_version == MVPP22) { + err = dma_set_mask(&pdev->dev, MVPP2_DESC_DMA_MASK); + if (err) +- goto err_mg_clk; ++ goto err_axi_clk; + /* Sadly, the BM pools all share the same register to + * store the high 32 bits of their address. So they + * must all have the same high 32 bits, which forces +@@ -8359,14 +8359,14 @@ static int mvpp2_probe(struct platform_d + */ + err = dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(32)); + if (err) +- goto err_mg_clk; ++ goto err_axi_clk; + } + + /* Initialize network controller */ + err = mvpp2_init(pdev, priv); + if (err < 0) { + dev_err(&pdev->dev, "failed to initialize controller\n"); +- goto err_mg_clk; ++ goto err_axi_clk; + } + + /* Initialize ports */ +@@ -8379,7 +8379,7 @@ static int mvpp2_probe(struct platform_d + if (priv->port_count == 0) { + dev_err(&pdev->dev, "no ports enabled\n"); + err = -ENODEV; +- goto err_mg_clk; ++ goto err_axi_clk; + } + + /* Statistics must be gathered regularly because some of them (like +@@ -8407,8 +8407,9 @@ err_port_probe: + mvpp2_port_remove(priv->port_list[i]); + i++; + } +-err_mg_clk: ++err_axi_clk: + clk_disable_unprepare(priv->axi_clk); ++err_mg_clk: + if (priv->hw_version == MVPP22) + clk_disable_unprepare(priv->mg_clk); + err_gop_clk: diff --git a/queue-4.16/net-phy-broadcom-add-support-for-bcm89610-phy.patch b/queue-4.16/net-phy-broadcom-add-support-for-bcm89610-phy.patch new file mode 100644 index 00000000000..9547411cea7 --- /dev/null +++ b/queue-4.16/net-phy-broadcom-add-support-for-bcm89610-phy.patch @@ -0,0 +1,57 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Bhadram Varka +Date: Wed, 2 May 2018 20:43:58 +0530 +Subject: net: phy: broadcom: add support for BCM89610 PHY + +From: Bhadram Varka + +[ Upstream commit 23b8392201e0681b76630c4cea68e1a2e1821ec6 ] + +It adds support for BCM89610 (Single-Port 10/100/1000BASE-T) +transceiver which is used in P3310 Tegra186 platform. + +Signed-off-by: Bhadram Varka +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/broadcom.c | 10 ++++++++++ + include/linux/brcmphy.h | 1 + + 2 files changed, 11 insertions(+) + +--- a/drivers/net/phy/broadcom.c ++++ b/drivers/net/phy/broadcom.c +@@ -720,6 +720,15 @@ static struct phy_driver broadcom_driver + .get_strings = bcm_phy_get_strings, + .get_stats = bcm53xx_phy_get_stats, + .probe = bcm53xx_phy_probe, ++}, { ++ .phy_id = PHY_ID_BCM89610, ++ .phy_id_mask = 0xfffffff0, ++ .name = "Broadcom BCM89610", ++ .features = PHY_GBIT_FEATURES, ++ .flags = PHY_HAS_INTERRUPT, ++ .config_init = bcm54xx_config_init, ++ .ack_interrupt = bcm_phy_ack_intr, ++ .config_intr = bcm_phy_config_intr, + } }; + + module_phy_driver(broadcom_drivers); +@@ -741,6 +750,7 @@ static struct mdio_device_id __maybe_unu + { PHY_ID_BCMAC131, 0xfffffff0 }, + { PHY_ID_BCM5241, 0xfffffff0 }, + { PHY_ID_BCM5395, 0xfffffff0 }, ++ { PHY_ID_BCM89610, 0xfffffff0 }, + { } + }; + +--- a/include/linux/brcmphy.h ++++ b/include/linux/brcmphy.h +@@ -25,6 +25,7 @@ + #define PHY_ID_BCM54612E 0x03625e60 + #define PHY_ID_BCM54616S 0x03625d10 + #define PHY_ID_BCM57780 0x03625d90 ++#define PHY_ID_BCM89610 0x03625cd0 + + #define PHY_ID_BCM7250 0xae025280 + #define PHY_ID_BCM7260 0xae025190 diff --git a/queue-4.16/net-phy-marvell-clear-wol-event-before-setting-it.patch b/queue-4.16/net-phy-marvell-clear-wol-event-before-setting-it.patch new file mode 100644 index 00000000000..b213835da1a --- /dev/null +++ b/queue-4.16/net-phy-marvell-clear-wol-event-before-setting-it.patch @@ -0,0 +1,41 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Jingju Hou +Date: Mon, 23 Apr 2018 15:22:49 +0800 +Subject: net: phy: marvell: clear wol event before setting it + +From: Jingju Hou + +[ Upstream commit b6a930fa88083b41d26ddf1cab95cbd740936c22 ] + +If WOL event happened once, the LED[2] interrupt pin will not be +cleared unless we read the CSISR register. If interrupts are in use, +the normal interrupt handling will clear the WOL event. Let's clear the +WOL event before enabling it if !phy_interrupt_is_valid(). + +Signed-off-by: Jingju Hou +Signed-off-by: Jisheng Zhang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/marvell.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/net/phy/marvell.c ++++ b/drivers/net/phy/marvell.c +@@ -1377,6 +1377,15 @@ static int m88e1318_set_wol(struct phy_d + if (err < 0) + goto error; + ++ /* If WOL event happened once, the LED[2] interrupt pin ++ * will not be cleared unless we reading the interrupt status ++ * register. If interrupts are in use, the normal interrupt ++ * handling will clear the WOL event. Clear the WOL event ++ * before enabling it if !phy_interrupt_is_valid() ++ */ ++ if (!phy_interrupt_is_valid(phydev)) ++ phy_read(phydev, MII_M1011_IEVENT); ++ + /* Enable the WOL interrupt */ + err = __phy_modify(phydev, MII_88E1318S_PHY_CSIER, 0, + MII_88E1318S_PHY_CSIER_WOL_EIE); diff --git a/queue-4.16/net-sched-actions-fix-invalid-pointer-dereferencing-if-skbedit-flags-missing.patch b/queue-4.16/net-sched-actions-fix-invalid-pointer-dereferencing-if-skbedit-flags-missing.patch new file mode 100644 index 00000000000..fe0b80e7e0f --- /dev/null +++ b/queue-4.16/net-sched-actions-fix-invalid-pointer-dereferencing-if-skbedit-flags-missing.patch @@ -0,0 +1,99 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Roman Mashak +Date: Fri, 11 May 2018 10:55:09 -0400 +Subject: net sched actions: fix invalid pointer dereferencing if skbedit flags missing + +From: Roman Mashak + +[ Upstream commit af5d01842fe1fbfb9f5e1c1d957ba02ab6f4569a ] + +When application fails to pass flags in netlink TLV for a new skbedit action, +the kernel results in the following oops: + +[ 8.307732] BUG: unable to handle kernel paging request at 0000000000021130 +[ 8.309167] PGD 80000000193d1067 P4D 80000000193d1067 PUD 180e0067 PMD 0 +[ 8.310595] Oops: 0000 [#1] SMP PTI +[ 8.311334] Modules linked in: kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd cryptd glue_helper serio_raw +[ 8.314190] CPU: 1 PID: 397 Comm: tc Not tainted 4.17.0-rc3+ #357 +[ 8.315252] RIP: 0010:__tcf_idr_release+0x33/0x140 +[ 8.316203] RSP: 0018:ffffa0718038f840 EFLAGS: 00010246 +[ 8.317123] RAX: 0000000000000001 RBX: 0000000000021100 RCX: 0000000000000000 +[ 8.319831] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000021100 +[ 8.321181] RBP: 0000000000000000 R08: 000000000004adf8 R09: 0000000000000122 +[ 8.322645] R10: 0000000000000000 R11: ffffffff9e5b01ed R12: 0000000000000000 +[ 8.324157] R13: ffffffff9e0d3cc0 R14: 0000000000000000 R15: 0000000000000000 +[ 8.325590] FS: 00007f591292e700(0000) GS:ffff8fcf5bc40000(0000) knlGS:0000000000000000 +[ 8.327001] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 8.327987] CR2: 0000000000021130 CR3: 00000000180e6004 CR4: 00000000001606a0 +[ 8.329289] Call Trace: +[ 8.329735] tcf_skbedit_init+0xa7/0xb0 +[ 8.330423] tcf_action_init_1+0x362/0x410 +[ 8.331139] ? try_to_wake_up+0x44/0x430 +[ 8.331817] tcf_action_init+0x103/0x190 +[ 8.332511] tc_ctl_action+0x11a/0x220 +[ 8.333174] rtnetlink_rcv_msg+0x23d/0x2e0 +[ 8.333902] ? _cond_resched+0x16/0x40 +[ 8.334569] ? __kmalloc_node_track_caller+0x5b/0x2c0 +[ 8.335440] ? rtnl_calcit.isra.31+0xf0/0xf0 +[ 8.336178] netlink_rcv_skb+0xdb/0x110 +[ 8.336855] netlink_unicast+0x167/0x220 +[ 8.337550] netlink_sendmsg+0x2a7/0x390 +[ 8.338258] sock_sendmsg+0x30/0x40 +[ 8.338865] ___sys_sendmsg+0x2c5/0x2e0 +[ 8.339531] ? pagecache_get_page+0x27/0x210 +[ 8.340271] ? filemap_fault+0xa2/0x630 +[ 8.340943] ? page_add_file_rmap+0x108/0x200 +[ 8.341732] ? alloc_set_pte+0x2aa/0x530 +[ 8.342573] ? finish_fault+0x4e/0x70 +[ 8.343332] ? __handle_mm_fault+0xbc1/0x10d0 +[ 8.344337] ? __sys_sendmsg+0x53/0x80 +[ 8.345040] __sys_sendmsg+0x53/0x80 +[ 8.345678] do_syscall_64+0x4f/0x100 +[ 8.346339] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 8.347206] RIP: 0033:0x7f591191da67 +[ 8.347831] RSP: 002b:00007fff745abd48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +[ 8.349179] RAX: ffffffffffffffda RBX: 00007fff745abe70 RCX: 00007f591191da67 +[ 8.350431] RDX: 0000000000000000 RSI: 00007fff745abdc0 RDI: 0000000000000003 +[ 8.351659] RBP: 000000005af35251 R08: 0000000000000001 R09: 0000000000000000 +[ 8.352922] R10: 00000000000005f1 R11: 0000000000000246 R12: 0000000000000000 +[ 8.354183] R13: 00007fff745afed0 R14: 0000000000000001 R15: 00000000006767c0 +[ 8.355400] Code: 41 89 d4 53 89 f5 48 89 fb e8 aa 20 fd ff 85 c0 0f 84 ed 00 +00 00 48 85 db 0f 84 cf 00 00 00 40 84 ed 0f 85 cd 00 00 00 45 84 e4 <8b> 53 30 +74 0d 85 d2 b8 ff ff ff ff 0f 8f b3 00 00 00 8b 43 2c +[ 8.358699] RIP: __tcf_idr_release+0x33/0x140 RSP: ffffa0718038f840 +[ 8.359770] CR2: 0000000000021130 +[ 8.360438] ---[ end trace 60c66be45dfc14f0 ]--- + +The caller calls action's ->init() and passes pointer to "struct tc_action *a", +which later may be initialized to point at the existing action, otherwise +"struct tc_action *a" is still invalid, and therefore dereferencing it is an +error as happens in tcf_idr_release, where refcnt is decremented. + +So in case of missing flags tcf_idr_release must be called only for +existing actions. + +v2: + - prepare patch for net tree + +Fixes: 5e1567aeb7fe ("net sched: skbedit action fix late binding") +Signed-off-by: Roman Mashak +Acked-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_skbedit.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/sched/act_skbedit.c ++++ b/net/sched/act_skbedit.c +@@ -121,7 +121,8 @@ static int tcf_skbedit_init(struct net * + return 0; + + if (!flags) { +- tcf_idr_release(*a, bind); ++ if (exists) ++ tcf_idr_release(*a, bind); + return -EINVAL; + } + diff --git a/queue-4.16/netfilter-nf_tables-fix-out-of-bounds-in-nft_chain_commit_update.patch b/queue-4.16/netfilter-nf_tables-fix-out-of-bounds-in-nft_chain_commit_update.patch new file mode 100644 index 00000000000..6008776ef11 --- /dev/null +++ b/queue-4.16/netfilter-nf_tables-fix-out-of-bounds-in-nft_chain_commit_update.patch @@ -0,0 +1,63 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Taehee Yoo +Date: Wed, 18 Apr 2018 23:35:34 +0900 +Subject: netfilter: nf_tables: fix out-of-bounds in nft_chain_commit_update + +From: Taehee Yoo + +[ Upstream commit d71efb599ad42ef1e564c652d8084252bdc85edf ] + +When chain name is changed, nft_chain_commit_update is called. +In the nft_chain_commit_update, trans->ctx.chain->name has old chain name +and nft_trans_chain_name(trans) has new chain name. +If new chain name is longer than old chain name, KASAN warns +slab-out-of-bounds. + +[ 175.015012] BUG: KASAN: slab-out-of-bounds in strcpy+0x9e/0xb0 +[ 175.022735] Write of size 1 at addr ffff880114e022da by task iptables-compat/1458 + +[ 175.031353] CPU: 0 PID: 1458 Comm: iptables-compat Not tainted 4.16.0-rc7+ #146 +[ 175.031353] Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 07/08/2015 +[ 175.031353] Call Trace: +[ 175.031353] dump_stack+0x68/0xa0 +[ 175.031353] print_address_description+0xd0/0x260 +[ 175.031353] ? strcpy+0x9e/0xb0 +[ 175.031353] kasan_report+0x234/0x350 +[ 175.031353] __asan_report_store1_noabort+0x1c/0x20 +[ 175.031353] strcpy+0x9e/0xb0 +[ 175.031353] nf_tables_commit+0x1ccc/0x2990 +[ 175.031353] nfnetlink_rcv+0x141e/0x16c0 +[ 175.031353] ? nfnetlink_net_init+0x150/0x150 +[ 175.031353] ? lock_acquire+0x370/0x370 +[ 175.031353] ? lock_acquire+0x370/0x370 +[ 175.031353] netlink_unicast+0x444/0x640 +[ 175.031353] ? netlink_attachskb+0x700/0x700 +[ 175.031353] ? _copy_from_iter_full+0x180/0x740 +[ 175.031353] ? kasan_check_write+0x14/0x20 +[ 175.031353] ? _copy_from_user+0x9b/0xd0 +[ 175.031353] netlink_sendmsg+0x845/0xc70 +[ ... ] + +Steps to reproduce: + iptables-compat -N 1 + iptables-compat -E 1 aaaaaaaaa + +Signed-off-by: Taehee Yoo +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_tables_api.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -5741,7 +5741,7 @@ static void nft_chain_commit_update(stru + struct nft_base_chain *basechain; + + if (nft_trans_chain_name(trans)) +- strcpy(trans->ctx.chain->name, nft_trans_chain_name(trans)); ++ swap(trans->ctx.chain->name, nft_trans_chain_name(trans)); + + if (!nft_is_base_chain(trans->ctx.chain)) + return; diff --git a/queue-4.16/netfilter-nf_tables-nat-chain-and-extensions-require-nf_tables.patch b/queue-4.16/netfilter-nf_tables-nat-chain-and-extensions-require-nf_tables.patch new file mode 100644 index 00000000000..ec17899f70e --- /dev/null +++ b/queue-4.16/netfilter-nf_tables-nat-chain-and-extensions-require-nf_tables.patch @@ -0,0 +1,110 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Pablo Neira Ayuso +Date: Wed, 18 Apr 2018 12:23:39 +0200 +Subject: netfilter: nf_tables: NAT chain and extensions require NF_TABLES + +From: Pablo Neira Ayuso + +[ Upstream commit 39f2ff0816e5421476c2bc538b68b4bb0708a78e ] + +Move these options inside the scope of the 'if' NF_TABLES and +NF_TABLES_IPV6 dependencies. This patch fixes: + + net/ipv6/netfilter/nft_chain_nat_ipv6.o: In function `nft_nat_do_chain': +>> net/ipv6/netfilter/nft_chain_nat_ipv6.c:37: undefined reference to `nft_do_chain' + net/ipv6/netfilter/nft_chain_nat_ipv6.o: In function `nft_chain_nat_ipv6_exit': +>> net/ipv6/netfilter/nft_chain_nat_ipv6.c:94: undefined reference to `nft_unregister_chain_type' + net/ipv6/netfilter/nft_chain_nat_ipv6.o: In function `nft_chain_nat_ipv6_init': +>> net/ipv6/netfilter/nft_chain_nat_ipv6.c:87: undefined reference to `nft_register_chain_type' + +that happens with: + +CONFIG_NF_TABLES=m +CONFIG_NFT_CHAIN_NAT_IPV6=y + +Fixes: 02c7b25e5f54 ("netfilter: nf_tables: build-in filter chain type") +Reported-by: kbuild test robot +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/netfilter/Kconfig | 55 ++++++++++++++++++++++----------------------- + 1 file changed, 28 insertions(+), 27 deletions(-) + +--- a/net/ipv6/netfilter/Kconfig ++++ b/net/ipv6/netfilter/Kconfig +@@ -48,6 +48,34 @@ config NFT_CHAIN_ROUTE_IPV6 + fields such as the source, destination, flowlabel, hop-limit and + the packet mark. + ++if NF_NAT_IPV6 ++ ++config NFT_CHAIN_NAT_IPV6 ++ tristate "IPv6 nf_tables nat chain support" ++ help ++ This option enables the "nat" chain for IPv6 in nf_tables. This ++ chain type is used to perform Network Address Translation (NAT) ++ packet transformations such as the source, destination address and ++ source and destination ports. ++ ++config NFT_MASQ_IPV6 ++ tristate "IPv6 masquerade support for nf_tables" ++ depends on NFT_MASQ ++ select NF_NAT_MASQUERADE_IPV6 ++ help ++ This is the expression that provides IPv4 masquerading support for ++ nf_tables. ++ ++config NFT_REDIR_IPV6 ++ tristate "IPv6 redirect support for nf_tables" ++ depends on NFT_REDIR ++ select NF_NAT_REDIRECT ++ help ++ This is the expression that provides IPv4 redirect support for ++ nf_tables. ++ ++endif # NF_NAT_IPV6 ++ + config NFT_REJECT_IPV6 + select NF_REJECT_IPV6 + default NFT_REJECT +@@ -107,39 +135,12 @@ config NF_NAT_IPV6 + + if NF_NAT_IPV6 + +-config NFT_CHAIN_NAT_IPV6 +- depends on NF_TABLES_IPV6 +- tristate "IPv6 nf_tables nat chain support" +- help +- This option enables the "nat" chain for IPv6 in nf_tables. This +- chain type is used to perform Network Address Translation (NAT) +- packet transformations such as the source, destination address and +- source and destination ports. +- + config NF_NAT_MASQUERADE_IPV6 + tristate "IPv6 masquerade support" + help + This is the kernel functionality to provide NAT in the masquerade + flavour (automatic source address selection) for IPv6. + +-config NFT_MASQ_IPV6 +- tristate "IPv6 masquerade support for nf_tables" +- depends on NF_TABLES_IPV6 +- depends on NFT_MASQ +- select NF_NAT_MASQUERADE_IPV6 +- help +- This is the expression that provides IPv4 masquerading support for +- nf_tables. +- +-config NFT_REDIR_IPV6 +- tristate "IPv6 redirect support for nf_tables" +- depends on NF_TABLES_IPV6 +- depends on NFT_REDIR +- select NF_NAT_REDIRECT +- help +- This is the expression that provides IPv4 redirect support for +- nf_tables. +- + endif # NF_NAT_IPV6 + + config IP6_NF_IPTABLES diff --git a/queue-4.16/nfp-don-t-depend-on-eth_tbl-being-available.patch b/queue-4.16/nfp-don-t-depend-on-eth_tbl-being-available.patch new file mode 100644 index 00000000000..6c45a99fa9a --- /dev/null +++ b/queue-4.16/nfp-don-t-depend-on-eth_tbl-being-available.patch @@ -0,0 +1,135 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Jakub Kicinski +Date: Wed, 25 Apr 2018 11:21:08 -0700 +Subject: nfp: don't depend on eth_tbl being available + +From: Jakub Kicinski + +[ Upstream commit c55ca688ed99a9cb79367aee2ed2ff6cb80fc039 ] + +For very very old generation of the management FW Ethernet port +information table may theoretically not be available. This in +turn will cause the nfp_port structures to not be allocated. + +Make sure we don't crash the kernel when there is no eth_tbl: + +RIP: 0010:nfp_net_pci_probe+0xf2/0xb40 [nfp] +... +Call Trace: + nfp_pci_probe+0x6de/0xab0 [nfp] + local_pci_probe+0x47/0xa0 + work_for_cpu_fn+0x1a/0x30 + process_one_work+0x1de/0x3e0 + +Found while working with broken/development version of management FW. + +Fixes: a5950182c00e ("nfp: map mac_stats and vf_cfg BARs") +Fixes: 93da7d9660ee ("nfp: provide nfp_port to of nfp_net_get_mac_addr()") +Signed-off-by: Jakub Kicinski +Reviewed-by: Dirk van der Merwe +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/netronome/nfp/flower/main.c | 2 - + drivers/net/ethernet/netronome/nfp/nfp_app_nic.c | 2 - + drivers/net/ethernet/netronome/nfp/nfp_main.h | 4 ++ + drivers/net/ethernet/netronome/nfp/nfp_net_main.c | 31 ++++++++++++---------- + 4 files changed, 23 insertions(+), 16 deletions(-) + +--- a/drivers/net/ethernet/netronome/nfp/flower/main.c ++++ b/drivers/net/ethernet/netronome/nfp/flower/main.c +@@ -358,7 +358,7 @@ nfp_flower_spawn_phy_reprs(struct nfp_ap + } + + SET_NETDEV_DEV(repr, &priv->nn->pdev->dev); +- nfp_net_get_mac_addr(app->pf, port); ++ nfp_net_get_mac_addr(app->pf, repr, port); + + cmsg_port_id = nfp_flower_cmsg_phys_port(phys_port); + err = nfp_repr_init(app, repr, +--- a/drivers/net/ethernet/netronome/nfp/nfp_app_nic.c ++++ b/drivers/net/ethernet/netronome/nfp/nfp_app_nic.c +@@ -69,7 +69,7 @@ int nfp_app_nic_vnic_alloc(struct nfp_ap + if (err) + return err < 0 ? err : 0; + +- nfp_net_get_mac_addr(app->pf, nn->port); ++ nfp_net_get_mac_addr(app->pf, nn->dp.netdev, nn->port); + + return 0; + } +--- a/drivers/net/ethernet/netronome/nfp/nfp_main.h ++++ b/drivers/net/ethernet/netronome/nfp/nfp_main.h +@@ -171,7 +171,9 @@ void nfp_net_pci_remove(struct nfp_pf *p + int nfp_hwmon_register(struct nfp_pf *pf); + void nfp_hwmon_unregister(struct nfp_pf *pf); + +-void nfp_net_get_mac_addr(struct nfp_pf *pf, struct nfp_port *port); ++void ++nfp_net_get_mac_addr(struct nfp_pf *pf, struct net_device *netdev, ++ struct nfp_port *port); + + bool nfp_ctrl_tx(struct nfp_net *nn, struct sk_buff *skb); + +--- a/drivers/net/ethernet/netronome/nfp/nfp_net_main.c ++++ b/drivers/net/ethernet/netronome/nfp/nfp_net_main.c +@@ -67,23 +67,26 @@ + /** + * nfp_net_get_mac_addr() - Get the MAC address. + * @pf: NFP PF handle ++ * @netdev: net_device to set MAC address on + * @port: NFP port structure + * + * First try to get the MAC address from NSP ETH table. If that + * fails generate a random address. + */ +-void nfp_net_get_mac_addr(struct nfp_pf *pf, struct nfp_port *port) ++void ++nfp_net_get_mac_addr(struct nfp_pf *pf, struct net_device *netdev, ++ struct nfp_port *port) + { + struct nfp_eth_table_port *eth_port; + + eth_port = __nfp_port_get_eth_port(port); + if (!eth_port) { +- eth_hw_addr_random(port->netdev); ++ eth_hw_addr_random(netdev); + return; + } + +- ether_addr_copy(port->netdev->dev_addr, eth_port->mac_addr); +- ether_addr_copy(port->netdev->perm_addr, eth_port->mac_addr); ++ ether_addr_copy(netdev->dev_addr, eth_port->mac_addr); ++ ether_addr_copy(netdev->perm_addr, eth_port->mac_addr); + } + + static struct nfp_eth_table_port * +@@ -511,16 +514,18 @@ static int nfp_net_pci_map_mem(struct nf + return PTR_ERR(mem); + } + +- min_size = NFP_MAC_STATS_SIZE * (pf->eth_tbl->max_index + 1); +- pf->mac_stats_mem = nfp_rtsym_map(pf->rtbl, "_mac_stats", +- "net.macstats", min_size, +- &pf->mac_stats_bar); +- if (IS_ERR(pf->mac_stats_mem)) { +- if (PTR_ERR(pf->mac_stats_mem) != -ENOENT) { +- err = PTR_ERR(pf->mac_stats_mem); +- goto err_unmap_ctrl; ++ if (pf->eth_tbl) { ++ min_size = NFP_MAC_STATS_SIZE * (pf->eth_tbl->max_index + 1); ++ pf->mac_stats_mem = nfp_rtsym_map(pf->rtbl, "_mac_stats", ++ "net.macstats", min_size, ++ &pf->mac_stats_bar); ++ if (IS_ERR(pf->mac_stats_mem)) { ++ if (PTR_ERR(pf->mac_stats_mem) != -ENOENT) { ++ err = PTR_ERR(pf->mac_stats_mem); ++ goto err_unmap_ctrl; ++ } ++ pf->mac_stats_mem = NULL; + } +- pf->mac_stats_mem = NULL; + } + + pf->vf_cfg_mem = nfp_net_pf_map_rtsym(pf, "net.vfcfg", diff --git a/queue-4.16/nfp-flower-split-and-limit-cmsg-skb-lists.patch b/queue-4.16/nfp-flower-split-and-limit-cmsg-skb-lists.patch new file mode 100644 index 00000000000..e207f0b54d0 --- /dev/null +++ b/queue-4.16/nfp-flower-split-and-limit-cmsg-skb-lists.patch @@ -0,0 +1,153 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Pieter Jansen van Vuuren +Date: Wed, 11 Apr 2018 16:47:38 -0700 +Subject: nfp: flower: split and limit cmsg skb lists + +From: Pieter Jansen van Vuuren + +[ Upstream commit cf2cbadc20f5651c3dde9f5ac2ee52fb43aa4ddd ] + +Introduce a second skb list for handling control messages and limit the +number of allowed messages. Some control messages are considered more +crucial than others, resulting in the need for a second skb list. By +splitting the list into a separate high and low priority list we can +ensure that messages on the high list get added to the head of the list +that gets processed, this however has no functional impact. Previously +there was no limit on the number of messages allowed on the queue, this +could result in the queue growing boundlessly and eventually the host +running out of memory. + +Fixes: b985f870a5f0 ("nfp: process control messages in workqueue in flower app") +Signed-off-by: Pieter Jansen van Vuuren +Reviewed-by: Jakub Kicinski +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/netronome/nfp/flower/cmsg.c | 38 ++++++++++++++++++++--- + drivers/net/ethernet/netronome/nfp/flower/cmsg.h | 2 + + drivers/net/ethernet/netronome/nfp/flower/main.c | 6 ++- + drivers/net/ethernet/netronome/nfp/flower/main.h | 8 +++- + 4 files changed, 46 insertions(+), 8 deletions(-) + +--- a/drivers/net/ethernet/netronome/nfp/flower/cmsg.c ++++ b/drivers/net/ethernet/netronome/nfp/flower/cmsg.c +@@ -242,18 +242,49 @@ out: + + void nfp_flower_cmsg_process_rx(struct work_struct *work) + { ++ struct sk_buff_head cmsg_joined; + struct nfp_flower_priv *priv; + struct sk_buff *skb; + + priv = container_of(work, struct nfp_flower_priv, cmsg_work); ++ skb_queue_head_init(&cmsg_joined); + +- while ((skb = skb_dequeue(&priv->cmsg_skbs))) ++ spin_lock_bh(&priv->cmsg_skbs_high.lock); ++ skb_queue_splice_tail_init(&priv->cmsg_skbs_high, &cmsg_joined); ++ spin_unlock_bh(&priv->cmsg_skbs_high.lock); ++ ++ spin_lock_bh(&priv->cmsg_skbs_low.lock); ++ skb_queue_splice_tail_init(&priv->cmsg_skbs_low, &cmsg_joined); ++ spin_unlock_bh(&priv->cmsg_skbs_low.lock); ++ ++ while ((skb = __skb_dequeue(&cmsg_joined))) + nfp_flower_cmsg_process_one_rx(priv->app, skb); + } + +-void nfp_flower_cmsg_rx(struct nfp_app *app, struct sk_buff *skb) ++static void ++nfp_flower_queue_ctl_msg(struct nfp_app *app, struct sk_buff *skb, int type) + { + struct nfp_flower_priv *priv = app->priv; ++ struct sk_buff_head *skb_head; ++ ++ if (type == NFP_FLOWER_CMSG_TYPE_PORT_REIFY || ++ type == NFP_FLOWER_CMSG_TYPE_PORT_MOD) ++ skb_head = &priv->cmsg_skbs_high; ++ else ++ skb_head = &priv->cmsg_skbs_low; ++ ++ if (skb_queue_len(skb_head) >= NFP_FLOWER_WORKQ_MAX_SKBS) { ++ nfp_flower_cmsg_warn(app, "Dropping queued control messages\n"); ++ dev_kfree_skb_any(skb); ++ return; ++ } ++ ++ skb_queue_tail(skb_head, skb); ++ schedule_work(&priv->cmsg_work); ++} ++ ++void nfp_flower_cmsg_rx(struct nfp_app *app, struct sk_buff *skb) ++{ + struct nfp_flower_cmsg_hdr *cmsg_hdr; + + cmsg_hdr = nfp_flower_cmsg_get_hdr(skb); +@@ -270,7 +301,6 @@ void nfp_flower_cmsg_rx(struct nfp_app * + nfp_flower_rx_flow_stats(app, skb); + dev_consume_skb_any(skb); + } else { +- skb_queue_tail(&priv->cmsg_skbs, skb); +- schedule_work(&priv->cmsg_work); ++ nfp_flower_queue_ctl_msg(app, skb, cmsg_hdr->type); + } + } +--- a/drivers/net/ethernet/netronome/nfp/flower/cmsg.h ++++ b/drivers/net/ethernet/netronome/nfp/flower/cmsg.h +@@ -98,6 +98,8 @@ + #define NFP_FL_IPV4_TUNNEL_TYPE GENMASK(7, 4) + #define NFP_FL_IPV4_PRE_TUN_INDEX GENMASK(2, 0) + ++#define NFP_FLOWER_WORKQ_MAX_SKBS 30000 ++ + #define nfp_flower_cmsg_warn(app, fmt, args...) \ + do { \ + if (net_ratelimit()) \ +--- a/drivers/net/ethernet/netronome/nfp/flower/main.c ++++ b/drivers/net/ethernet/netronome/nfp/flower/main.c +@@ -517,7 +517,8 @@ static int nfp_flower_init(struct nfp_ap + + app->priv = app_priv; + app_priv->app = app; +- skb_queue_head_init(&app_priv->cmsg_skbs); ++ skb_queue_head_init(&app_priv->cmsg_skbs_high); ++ skb_queue_head_init(&app_priv->cmsg_skbs_low); + INIT_WORK(&app_priv->cmsg_work, nfp_flower_cmsg_process_rx); + init_waitqueue_head(&app_priv->reify_wait_queue); + +@@ -544,7 +545,8 @@ static void nfp_flower_clean(struct nfp_ + { + struct nfp_flower_priv *app_priv = app->priv; + +- skb_queue_purge(&app_priv->cmsg_skbs); ++ skb_queue_purge(&app_priv->cmsg_skbs_high); ++ skb_queue_purge(&app_priv->cmsg_skbs_low); + flush_work(&app_priv->cmsg_work); + + nfp_flower_metadata_cleanup(app); +--- a/drivers/net/ethernet/netronome/nfp/flower/main.h ++++ b/drivers/net/ethernet/netronome/nfp/flower/main.h +@@ -89,7 +89,10 @@ struct nfp_fl_stats_id { + * @mask_table: Hash table used to store masks + * @flow_table: Hash table used to store flower rules + * @cmsg_work: Workqueue for control messages processing +- * @cmsg_skbs: List of skbs for control message processing ++ * @cmsg_skbs_high: List of higher priority skbs for control message ++ * processing ++ * @cmsg_skbs_low: List of lower priority skbs for control message ++ * processing + * @nfp_mac_off_list: List of MAC addresses to offload + * @nfp_mac_index_list: List of unique 8-bit indexes for non NFP netdevs + * @nfp_ipv4_off_list: List of IPv4 addresses to offload +@@ -117,7 +120,8 @@ struct nfp_flower_priv { + DECLARE_HASHTABLE(mask_table, NFP_FLOWER_MASK_HASH_BITS); + DECLARE_HASHTABLE(flow_table, NFP_FLOWER_HASH_BITS); + struct work_struct cmsg_work; +- struct sk_buff_head cmsg_skbs; ++ struct sk_buff_head cmsg_skbs_high; ++ struct sk_buff_head cmsg_skbs_low; + struct list_head nfp_mac_off_list; + struct list_head nfp_mac_index_list; + struct list_head nfp_ipv4_off_list; diff --git a/queue-4.16/nfp-ignore-signals-when-communicating-with-management-fw.patch b/queue-4.16/nfp-ignore-signals-when-communicating-with-management-fw.patch new file mode 100644 index 00000000000..488e3f511d7 --- /dev/null +++ b/queue-4.16/nfp-ignore-signals-when-communicating-with-management-fw.patch @@ -0,0 +1,46 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Jakub Kicinski +Date: Wed, 11 Apr 2018 16:47:35 -0700 +Subject: nfp: ignore signals when communicating with management FW + +From: Jakub Kicinski + +[ Upstream commit 5496295aefe86995e41398b0f76de601308fc3f5 ] + +We currently allow signals to interrupt the wait for management FW +commands. Exiting the wait should not cause trouble, the FW will +just finish executing the command in the background and new commands +will wait for the old one to finish. + +However, this may not be what users expect (Ctrl-C not actually stopping +the command). Moreover some systems routinely request link information +with signals pending (Ubuntu 14.04 runs a landscape-sysinfo python tool +from MOTD) worrying users with errors like these: + +nfp 0000:04:00.0: nfp_nsp: Error -512 waiting for code 0x0007 to start +nfp 0000:04:00.0: nfp: reading port table failed -512 + +Make the wait for management FW responses non-interruptible. + +Fixes: 1a64821c6af7 ("nfp: add support for service processor access") +Signed-off-by: Jakub Kicinski +Reviewed-by: Dirk van der Merwe +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/netronome/nfp/nfpcore/nfp_nsp.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_nsp.c ++++ b/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_nsp.c +@@ -281,8 +281,7 @@ nfp_nsp_wait_reg(struct nfp_cpp *cpp, u6 + if ((*reg & mask) == val) + return 0; + +- if (msleep_interruptible(25)) +- return -ERESTARTSYS; ++ msleep(25); + + if (time_after(start_time, wait_until)) + return -ETIMEDOUT; diff --git a/queue-4.16/nvme-depend-on-infiniband_addr_trans.patch b/queue-4.16/nvme-depend-on-infiniband_addr_trans.patch new file mode 100644 index 00000000000..733b36f426e --- /dev/null +++ b/queue-4.16/nvme-depend-on-infiniband_addr_trans.patch @@ -0,0 +1,33 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Greg Thelen +Date: Thu, 26 Apr 2018 11:19:30 -0700 +Subject: nvme: depend on INFINIBAND_ADDR_TRANS + +From: Greg Thelen + +[ Upstream commit 3af7a156bdc356946098e13180be66b6420619bf ] + +NVME_RDMA code depends on INFINIBAND_ADDR_TRANS provided symbols. So +declare the kconfig dependency. This is necessary to allow for enabling +INFINIBAND without INFINIBAND_ADDR_TRANS. + +Signed-off-by: Greg Thelen +Cc: Tarick Bedeir +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/nvme/host/Kconfig ++++ b/drivers/nvme/host/Kconfig +@@ -27,7 +27,7 @@ config NVME_FABRICS + + config NVME_RDMA + tristate "NVM Express over Fabrics RDMA host driver" +- depends on INFINIBAND && BLOCK ++ depends on INFINIBAND && INFINIBAND_ADDR_TRANS && BLOCK + select NVME_CORE + select NVME_FABRICS + select SG_POOL diff --git a/queue-4.16/nvme-fix-potential-memory-leak-in-option-parsing.patch b/queue-4.16/nvme-fix-potential-memory-leak-in-option-parsing.patch new file mode 100644 index 00000000000..64878a13a8b --- /dev/null +++ b/queue-4.16/nvme-fix-potential-memory-leak-in-option-parsing.patch @@ -0,0 +1,74 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Chengguang Xu +Date: Sat, 14 Apr 2018 20:06:19 +0800 +Subject: nvme: fix potential memory leak in option parsing + +From: Chengguang Xu + +[ Upstream commit 59a2f3f00fd744dbad22593f47552037d3154ca6 ] + +When specifying same string type option several times, +current option parsing may cause memory leak. Hence, +call kfree for previous one in this case. + +Signed-off-by: Chengguang Xu +Reviewed-by: Christoph Hellwig +Reviewed-by: Sagi Grimberg +Signed-off-by: Keith Busch +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/fabrics.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/nvme/host/fabrics.c ++++ b/drivers/nvme/host/fabrics.c +@@ -668,6 +668,7 @@ static int nvmf_parse_options(struct nvm + ret = -ENOMEM; + goto out; + } ++ kfree(opts->transport); + opts->transport = p; + break; + case NVMF_OPT_NQN: +@@ -676,6 +677,7 @@ static int nvmf_parse_options(struct nvm + ret = -ENOMEM; + goto out; + } ++ kfree(opts->subsysnqn); + opts->subsysnqn = p; + nqnlen = strlen(opts->subsysnqn); + if (nqnlen >= NVMF_NQN_SIZE) { +@@ -698,6 +700,7 @@ static int nvmf_parse_options(struct nvm + ret = -ENOMEM; + goto out; + } ++ kfree(opts->traddr); + opts->traddr = p; + break; + case NVMF_OPT_TRSVCID: +@@ -706,6 +709,7 @@ static int nvmf_parse_options(struct nvm + ret = -ENOMEM; + goto out; + } ++ kfree(opts->trsvcid); + opts->trsvcid = p; + break; + case NVMF_OPT_QUEUE_SIZE: +@@ -792,6 +796,7 @@ static int nvmf_parse_options(struct nvm + ret = -EINVAL; + goto out; + } ++ nvmf_host_put(opts->host); + opts->host = nvmf_host_add(p); + kfree(p); + if (!opts->host) { +@@ -817,6 +822,7 @@ static int nvmf_parse_options(struct nvm + ret = -ENOMEM; + goto out; + } ++ kfree(opts->host_traddr); + opts->host_traddr = p; + break; + case NVMF_OPT_HOST_ID: diff --git a/queue-4.16/nvme-fix-use-after-free-in-nvme_free_ns_head.patch b/queue-4.16/nvme-fix-use-after-free-in-nvme_free_ns_head.patch new file mode 100644 index 00000000000..b0d19f5f455 --- /dev/null +++ b/queue-4.16/nvme-fix-use-after-free-in-nvme_free_ns_head.patch @@ -0,0 +1,75 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Jianchao Wang +Date: Fri, 4 May 2018 16:01:57 +0800 +Subject: nvme: fix use-after-free in nvme_free_ns_head + +From: Jianchao Wang + +[ Upstream commit 12d9f07022dcde261ad16e9a11f45096dc68b03c ] + +Currently only nvme_ctrl will take a reference counter of +nvme_subsystem, nvme_ns_head also needs it. Otherwise +nvme_free_ns_head will access the nvme_subsystem.ns_ida +which has been freed by __nvme_release_subsystem after all the +reference of nvme_subsystem have been released by nvme_free_ctrl. +This could cause memory corruption. + + BUG: KASAN: use-after-free in radix_tree_next_chunk+0x9f/0x4b0 + Read of size 8 at addr ffff88036494d2e8 by task fio/1815 + + CPU: 1 PID: 1815 Comm: fio Kdump: loaded Tainted: G W 4.17.0-rc1+ #18 + Hardware name: LENOVO 10MLS0E339/3106, BIOS M1AKT22A 06/27/2017 + Call Trace: + dump_stack+0x91/0xeb + print_address_description+0x6b/0x290 + kasan_report+0x261/0x360 + radix_tree_next_chunk+0x9f/0x4b0 + ida_remove+0x8b/0x180 + ida_simple_remove+0x26/0x40 + nvme_free_ns_head+0x58/0xc0 + __blkdev_put+0x30a/0x3a0 + blkdev_close+0x44/0x50 + __fput+0x184/0x380 + task_work_run+0xaf/0xe0 + do_exit+0x501/0x1440 + do_group_exit+0x89/0x140 + __x64_sys_exit_group+0x28/0x30 + do_syscall_64+0x72/0x230 + +Signed-off-by: Jianchao Wang +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/core.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -99,6 +99,7 @@ static struct class *nvme_subsys_class; + + static void nvme_ns_remove(struct nvme_ns *ns); + static int nvme_revalidate_disk(struct gendisk *disk); ++static void nvme_put_subsystem(struct nvme_subsystem *subsys); + + static __le32 nvme_get_log_dw10(u8 lid, size_t size) + { +@@ -353,6 +354,7 @@ static void nvme_free_ns_head(struct kre + ida_simple_remove(&head->subsys->ns_ida, head->instance); + list_del_init(&head->entry); + cleanup_srcu_struct(&head->srcu); ++ nvme_put_subsystem(head->subsys); + kfree(head); + } + +@@ -2843,6 +2845,9 @@ static struct nvme_ns_head *nvme_alloc_n + goto out_cleanup_srcu; + + list_add_tail(&head->entry, &ctrl->subsys->nsheads); ++ ++ kref_get(&ctrl->subsys->ref); ++ + return head; + out_cleanup_srcu: + cleanup_srcu_struct(&head->srcu); diff --git a/queue-4.16/nvme-multipath-disable-runtime-writable-enabling-parameter.patch b/queue-4.16/nvme-multipath-disable-runtime-writable-enabling-parameter.patch new file mode 100644 index 00000000000..0f792cdce0e --- /dev/null +++ b/queue-4.16/nvme-multipath-disable-runtime-writable-enabling-parameter.patch @@ -0,0 +1,33 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Keith Busch +Date: Thu, 26 Apr 2018 14:24:29 -0600 +Subject: nvme/multipath: Disable runtime writable enabling parameter + +From: Keith Busch + +[ Upstream commit 5cadde8019a6a80550fdde92d5a3327565974eab ] + +We can't allow the user to change multipath settings at runtime, as this +will create naming conflicts due to the different naming schemes used +for each mode. + +Signed-off-by: Keith Busch +Reviewed-by: Christoph Hellwig +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/multipath.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/nvme/host/multipath.c ++++ b/drivers/nvme/host/multipath.c +@@ -15,7 +15,7 @@ + #include "nvme.h" + + static bool multipath = true; +-module_param(multipath, bool, 0644); ++module_param(multipath, bool, 0444); + MODULE_PARM_DESC(multipath, + "turn on native support for multiple controllers per subsystem"); + diff --git a/queue-4.16/nvme-multipath-fix-multipath-disabled-naming-collisions.patch b/queue-4.16/nvme-multipath-fix-multipath-disabled-naming-collisions.patch new file mode 100644 index 00000000000..7bdd47496d3 --- /dev/null +++ b/queue-4.16/nvme-multipath-fix-multipath-disabled-naming-collisions.patch @@ -0,0 +1,122 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Keith Busch +Date: Thu, 26 Apr 2018 14:22:41 -0600 +Subject: nvme/multipath: Fix multipath disabled naming collisions + +From: Keith Busch + +[ Upstream commit a785dbccd95c37606c720580714f5a7a8b3255f1 ] + +When CONFIG_NVME_MULTIPATH is set, but we're not using nvme to multipath, +namespaces with multiple paths were not creating unique names due to +reusing the same instance number from the namespace's head. + +This patch fixes this by falling back to the non-multipath naming method +when the parameter disabled using multipath. + +Reported-by: Mike Snitzer +Signed-off-by: Keith Busch +Reviewed-by: Christoph Hellwig +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/core.c | 26 +------------------------- + drivers/nvme/host/multipath.c | 22 ++++++++++++++++++++++ + drivers/nvme/host/nvme.h | 12 ++++++++++++ + 3 files changed, 35 insertions(+), 25 deletions(-) + +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -2979,31 +2979,7 @@ static void nvme_alloc_ns(struct nvme_ct + if (nvme_init_ns_head(ns, nsid, id)) + goto out_free_id; + nvme_setup_streams_ns(ctrl, ns); +- +-#ifdef CONFIG_NVME_MULTIPATH +- /* +- * If multipathing is enabled we need to always use the subsystem +- * instance number for numbering our devices to avoid conflicts +- * between subsystems that have multiple controllers and thus use +- * the multipath-aware subsystem node and those that have a single +- * controller and use the controller node directly. +- */ +- if (ns->head->disk) { +- sprintf(disk_name, "nvme%dc%dn%d", ctrl->subsys->instance, +- ctrl->cntlid, ns->head->instance); +- flags = GENHD_FL_HIDDEN; +- } else { +- sprintf(disk_name, "nvme%dn%d", ctrl->subsys->instance, +- ns->head->instance); +- } +-#else +- /* +- * But without the multipath code enabled, multiple controller per +- * subsystems are visible as devices and thus we cannot use the +- * subsystem instance. +- */ +- sprintf(disk_name, "nvme%dn%d", ctrl->instance, ns->head->instance); +-#endif ++ nvme_set_disk_name(disk_name, ns, ctrl, &flags); + + if ((ctrl->quirks & NVME_QUIRK_LIGHTNVM) && id->vs[0] == 0x1) { + if (nvme_nvm_register(ns, disk_name, node)) { +--- a/drivers/nvme/host/multipath.c ++++ b/drivers/nvme/host/multipath.c +@@ -19,6 +19,28 @@ module_param(multipath, bool, 0444); + MODULE_PARM_DESC(multipath, + "turn on native support for multiple controllers per subsystem"); + ++/* ++ * If multipathing is enabled we need to always use the subsystem instance ++ * number for numbering our devices to avoid conflicts between subsystems that ++ * have multiple controllers and thus use the multipath-aware subsystem node ++ * and those that have a single controller and use the controller node ++ * directly. ++ */ ++void nvme_set_disk_name(char *disk_name, struct nvme_ns *ns, ++ struct nvme_ctrl *ctrl, int *flags) ++{ ++ if (!multipath) { ++ sprintf(disk_name, "nvme%dn%d", ctrl->instance, ns->head->instance); ++ } else if (ns->head->disk) { ++ sprintf(disk_name, "nvme%dc%dn%d", ctrl->subsys->instance, ++ ctrl->cntlid, ns->head->instance); ++ *flags = GENHD_FL_HIDDEN; ++ } else { ++ sprintf(disk_name, "nvme%dn%d", ctrl->subsys->instance, ++ ns->head->instance); ++ } ++} ++ + void nvme_failover_req(struct request *req) + { + struct nvme_ns *ns = req->q->queuedata; +--- a/drivers/nvme/host/nvme.h ++++ b/drivers/nvme/host/nvme.h +@@ -411,6 +411,8 @@ extern const struct attribute_group nvme + extern const struct block_device_operations nvme_ns_head_ops; + + #ifdef CONFIG_NVME_MULTIPATH ++void nvme_set_disk_name(char *disk_name, struct nvme_ns *ns, ++ struct nvme_ctrl *ctrl, int *flags); + void nvme_failover_req(struct request *req); + bool nvme_req_needs_failover(struct request *req, blk_status_t error); + void nvme_kick_requeue_lists(struct nvme_ctrl *ctrl); +@@ -436,6 +438,16 @@ static inline void nvme_mpath_check_last + } + + #else ++/* ++ * Without the multipath code enabled, multiple controller per subsystems are ++ * visible as devices and thus we cannot use the subsystem instance. ++ */ ++static inline void nvme_set_disk_name(char *disk_name, struct nvme_ns *ns, ++ struct nvme_ctrl *ctrl, int *flags) ++{ ++ sprintf(disk_name, "nvme%dn%d", ctrl->instance, ns->head->instance); ++} ++ + static inline void nvme_failover_req(struct request *req) + { + } diff --git a/queue-4.16/nvme-set-integrity-flag-for-user-passthrough-commands.patch b/queue-4.16/nvme-set-integrity-flag-for-user-passthrough-commands.patch new file mode 100644 index 00000000000..6c8c0793573 --- /dev/null +++ b/queue-4.16/nvme-set-integrity-flag-for-user-passthrough-commands.patch @@ -0,0 +1,31 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Keith Busch +Date: Tue, 17 Apr 2018 14:42:44 -0600 +Subject: nvme: Set integrity flag for user passthrough commands + +From: Keith Busch + +[ Upstream commit f31a21103c03bb62846409fdc60cc9faf2398cfb ] + +If the command a separate metadata buffer attached, the request needs +to have the integrity flag set so the driver knows to map it. + +Signed-off-by: Keith Busch +Reviewed-by: Martin K. Petersen +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -767,6 +767,7 @@ static int nvme_submit_user_cmd(struct r + ret = PTR_ERR(meta); + goto out_unmap; + } ++ req->cmd_flags |= REQ_INTEGRITY; + } + } + diff --git a/queue-4.16/nvmet-rdma-depend-on-infiniband_addr_trans.patch b/queue-4.16/nvmet-rdma-depend-on-infiniband_addr_trans.patch new file mode 100644 index 00000000000..24f3b358249 --- /dev/null +++ b/queue-4.16/nvmet-rdma-depend-on-infiniband_addr_trans.patch @@ -0,0 +1,33 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Greg Thelen +Date: Thu, 26 Apr 2018 11:19:31 -0700 +Subject: nvmet-rdma: depend on INFINIBAND_ADDR_TRANS + +From: Greg Thelen + +[ Upstream commit d6fc6a22fc7d3df987666725496ed5dd2dd30f23 ] + +NVME_TARGET_RDMA code depends on INFINIBAND_ADDR_TRANS provided symbols. +So declare the kconfig dependency. This is necessary to allow for +enabling INFINIBAND without INFINIBAND_ADDR_TRANS. + +Signed-off-by: Greg Thelen +Cc: Tarick Bedeir +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/target/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/nvme/target/Kconfig ++++ b/drivers/nvme/target/Kconfig +@@ -27,7 +27,7 @@ config NVME_TARGET_LOOP + + config NVME_TARGET_RDMA + tristate "NVMe over Fabrics RDMA target support" +- depends on INFINIBAND ++ depends on INFINIBAND && INFINIBAND_ADDR_TRANS + depends on NVME_TARGET + select SGL_ALLOC + help diff --git a/queue-4.16/objtool-kprobes-x86-sync-the-latest-asm-insn.h-header-with-tools-objtool-arch-x86-include-asm-insn.h.patch b/queue-4.16/objtool-kprobes-x86-sync-the-latest-asm-insn.h-header-with-tools-objtool-arch-x86-include-asm-insn.h.patch new file mode 100644 index 00000000000..94f8bc948cd --- /dev/null +++ b/queue-4.16/objtool-kprobes-x86-sync-the-latest-asm-insn.h-header-with-tools-objtool-arch-x86-include-asm-insn.h.patch @@ -0,0 +1,66 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Ingo Molnar +Date: Mon, 14 May 2018 10:15:54 +0200 +Subject: objtool, kprobes/x86: Sync the latest header with tools/objtool/arch/x86/include/asm/insn.h + +From: Ingo Molnar + +[ Upstream commit 4fe875e4bd3cae85ae6f6eaf77f63fabe613b66e ] + +The following commit: + + ee6a7354a362: kprobes/x86: Prohibit probing on exception masking instructions + +Modified , adding the insn_masking_exception() function. + +Sync the tooling version of the header to it, to fix this warning: + + Warning: synced file at 'tools/objtool/arch/x86/include/asm/insn.h' differs from latest kernel version at 'arch/x86/include/asm/insn.h' + +Cc: Peter Zijlstra +Cc: Josh Poimboeuf +Cc: Masami Hiramatsu +Cc: Thomas Gleixner +Cc: Ricardo Neri +Cc: Francis Deslauriers +Cc: Oleg Nesterov +Cc: Alexei Starovoitov +Cc: Steven Rostedt +Cc: Andy Lutomirski +Cc: "H . Peter Anvin" +Cc: Yonghong Song +Cc: Borislav Petkov +Cc: Linus Torvalds +Cc: "David S . Miller" +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/objtool/arch/x86/include/asm/insn.h | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +--- a/tools/objtool/arch/x86/include/asm/insn.h ++++ b/tools/objtool/arch/x86/include/asm/insn.h +@@ -208,4 +208,22 @@ static inline int insn_offset_immediate( + return insn_offset_displacement(insn) + insn->displacement.nbytes; + } + ++#define POP_SS_OPCODE 0x1f ++#define MOV_SREG_OPCODE 0x8e ++ ++/* ++ * Intel SDM Vol.3A 6.8.3 states; ++ * "Any single-step trap that would be delivered following the MOV to SS ++ * instruction or POP to SS instruction (because EFLAGS.TF is 1) is ++ * suppressed." ++ * This function returns true if @insn is MOV SS or POP SS. On these ++ * instructions, single stepping is suppressed. ++ */ ++static inline int insn_masking_exception(struct insn *insn) ++{ ++ return insn->opcode.bytes[0] == POP_SS_OPCODE || ++ (insn->opcode.bytes[0] == MOV_SREG_OPCODE && ++ X86_MODRM_REG(insn->modrm.bytes[0]) == 2); ++} ++ + #endif /* _ASM_X86_INSN_H */ diff --git a/queue-4.16/ocfs2-take-inode-cluster-lock-before-moving-reflinked-inode-from-orphan-dir.patch b/queue-4.16/ocfs2-take-inode-cluster-lock-before-moving-reflinked-inode-from-orphan-dir.patch new file mode 100644 index 00000000000..abe6702b5c5 --- /dev/null +++ b/queue-4.16/ocfs2-take-inode-cluster-lock-before-moving-reflinked-inode-from-orphan-dir.patch @@ -0,0 +1,90 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Ashish Samant +Date: Fri, 11 May 2018 16:02:07 -0700 +Subject: ocfs2: take inode cluster lock before moving reflinked inode from orphan dir + +From: Ashish Samant + +[ Upstream commit e4383029201470523c3ffe339bd7d57e9b4a7d65 ] + +While reflinking an inode, we create a new inode in orphan directory, +then take EX lock on it, reflink the original inode to orphan inode and +release EX lock. Once the lock is released another node could request +it in EX mode from ocfs2_recover_orphans() which causes downconvert of +the lock, on this node, to NL mode. + +Later we attempt to initialize security acl for the orphan inode and +move it to the reflink destination. However, while doing this we dont +take EX lock on the inode. This could potentially cause problems +because we could be starting transaction, accessing journal and +modifying metadata of the inode while holding NL lock and with another +node holding EX lock on the inode. + +Fix this by taking orphan inode cluster lock in EX mode before +initializing security and moving orphan inode to reflink destination. +Use the __tracker variant while taking inode lock to avoid recursive +locking in the ocfs2_init_security_and_acl() call chain. + +Link: http://lkml.kernel.org/r/1523475107-7639-1-git-send-email-ashish.samant@oracle.com +Signed-off-by: Ashish Samant +Reviewed-by: Joseph Qi +Reviewed-by: Junxiao Bi +Acked-by: Jun Piao +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Changwei Ge +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/refcounttree.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/fs/ocfs2/refcounttree.c ++++ b/fs/ocfs2/refcounttree.c +@@ -4250,10 +4250,11 @@ out: + static int ocfs2_reflink(struct dentry *old_dentry, struct inode *dir, + struct dentry *new_dentry, bool preserve) + { +- int error; ++ int error, had_lock; + struct inode *inode = d_inode(old_dentry); + struct buffer_head *old_bh = NULL; + struct inode *new_orphan_inode = NULL; ++ struct ocfs2_lock_holder oh; + + if (!ocfs2_refcount_tree(OCFS2_SB(inode->i_sb))) + return -EOPNOTSUPP; +@@ -4295,6 +4296,14 @@ static int ocfs2_reflink(struct dentry * + goto out; + } + ++ had_lock = ocfs2_inode_lock_tracker(new_orphan_inode, NULL, 1, ++ &oh); ++ if (had_lock < 0) { ++ error = had_lock; ++ mlog_errno(error); ++ goto out; ++ } ++ + /* If the security isn't preserved, we need to re-initialize them. */ + if (!preserve) { + error = ocfs2_init_security_and_acl(dir, new_orphan_inode, +@@ -4302,14 +4311,15 @@ static int ocfs2_reflink(struct dentry * + if (error) + mlog_errno(error); + } +-out: + if (!error) { + error = ocfs2_mv_orphaned_inode_to_new(dir, new_orphan_inode, + new_dentry); + if (error) + mlog_errno(error); + } ++ ocfs2_inode_unlock_tracker(new_orphan_inode, 1, &oh, had_lock); + ++out: + if (new_orphan_inode) { + /* + * We need to open_unlock the inode no matter whether we diff --git a/queue-4.16/parisc-drivers.c-fix-section-mismatches.patch b/queue-4.16/parisc-drivers.c-fix-section-mismatches.patch new file mode 100644 index 00000000000..db007c833df --- /dev/null +++ b/queue-4.16/parisc-drivers.c-fix-section-mismatches.patch @@ -0,0 +1,45 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Helge Deller +Date: Fri, 20 Apr 2018 23:19:17 +0200 +Subject: parisc: drivers.c: Fix section mismatches + +From: Helge Deller + +[ Upstream commit b819439fea305a0bfd6ca23a7994fd1a8847c0d8 ] + +Fix two section mismatches in drivers.c: +1) Section mismatch in reference from the function alloc_tree_node() to + the function .init.text:create_tree_node(). +2) Section mismatch in reference from the function walk_native_bus() to + the function .init.text:alloc_pa_dev(). + +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/drivers.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/arch/parisc/kernel/drivers.c ++++ b/arch/parisc/kernel/drivers.c +@@ -448,7 +448,8 @@ static int match_by_id(struct device * d + * Checks all the children of @parent for a matching @id. If none + * found, it allocates a new device and returns it. + */ +-static struct parisc_device * alloc_tree_node(struct device *parent, char id) ++static struct parisc_device * __init alloc_tree_node( ++ struct device *parent, char id) + { + struct match_id_data d = { + .id = id, +@@ -825,8 +826,8 @@ void walk_lower_bus(struct parisc_device + * devices which are not physically connected (such as extra serial & + * keyboard ports). This problem is not yet solved. + */ +-static void walk_native_bus(unsigned long io_io_low, unsigned long io_io_high, +- struct device *parent) ++static void __init walk_native_bus(unsigned long io_io_low, ++ unsigned long io_io_high, struct device *parent) + { + int i, devices_found = 0; + unsigned long hpa = io_io_low; diff --git a/queue-4.16/parisc-move-setup_profiling_timer-out-of-init-section.patch b/queue-4.16/parisc-move-setup_profiling_timer-out-of-init-section.patch new file mode 100644 index 00000000000..ce97d09e9d5 --- /dev/null +++ b/queue-4.16/parisc-move-setup_profiling_timer-out-of-init-section.patch @@ -0,0 +1,32 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Helge Deller +Date: Fri, 18 May 2018 16:12:12 +0200 +Subject: parisc: Move setup_profiling_timer() out of init section + +From: Helge Deller + +[ Upstream commit 01f56832cfb6fcc204e7203f46841b6185ebd574 ] + +No other architecture has setup_profiling_timer() in the init section, +thus on parisc we face this section mismatch warning: + Reference from the function devm_device_add_group() to the function .init.text:setup_profiling_timer() + +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/smp.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/arch/parisc/kernel/smp.c ++++ b/arch/parisc/kernel/smp.c +@@ -423,8 +423,7 @@ int __cpu_up(unsigned int cpu, struct ta + } + + #ifdef CONFIG_PROC_FS +-int __init +-setup_profiling_timer(unsigned int multiplier) ++int setup_profiling_timer(unsigned int multiplier) + { + return -EINVAL; + } diff --git a/queue-4.16/parisc-time-convert-read_persistent_clock-to-read_persistent_clock64.patch b/queue-4.16/parisc-time-convert-read_persistent_clock-to-read_persistent_clock64.patch new file mode 100644 index 00000000000..c75766a27df --- /dev/null +++ b/queue-4.16/parisc-time-convert-read_persistent_clock-to-read_persistent_clock64.patch @@ -0,0 +1,35 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Baolin Wang +Date: Thu, 19 Apr 2018 14:51:03 +0800 +Subject: parisc: time: Convert read_persistent_clock() to read_persistent_clock64() + +From: Baolin Wang + +[ Upstream commit f76cdd00ef0e39d880139b074e3b247594dff95a ] + +The read_persistent_clock() uses a timespec, which is not year 2038 safe +on 32bit systems. On parisc architecture, we have implemented generic +RTC drivers that can be used to compensate the system suspend time, but +the RTC time can not represent the nanosecond resolution, so this patch +just converts to read_persistent_clock64() with timespec64. + +Signed-off-by: Baolin Wang +Acked-by: Arnd Bergmann +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/time.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/parisc/kernel/time.c ++++ b/arch/parisc/kernel/time.c +@@ -205,7 +205,7 @@ static int __init rtc_init(void) + device_initcall(rtc_init); + #endif + +-void read_persistent_clock(struct timespec *ts) ++void read_persistent_clock64(struct timespec64 *ts) + { + static struct pdc_tod tod_data; + if (pdc_tod_read(&tod_data) == 0) { diff --git a/queue-4.16/pci-kirin-fix-reset-gpio-name.patch b/queue-4.16/pci-kirin-fix-reset-gpio-name.patch new file mode 100644 index 00000000000..cc73203b17b --- /dev/null +++ b/queue-4.16/pci-kirin-fix-reset-gpio-name.patch @@ -0,0 +1,36 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Loic Poulain +Date: Tue, 3 Apr 2018 11:19:01 +0200 +Subject: PCI: kirin: Fix reset gpio name + +From: Loic Poulain + +[ Upstream commit 5db8f8d1099bd93a64a80b609dbcce887327ffc8 ] + +As documented in the devicetree bindings (pci/kirin-pcie.txt) and the +reset gpio name must be 'reset-gpios'. However, current driver +erroneously looks for a 'reset-gpio' resource which makes the driver +probe fail. Fix it. + +Fixes: fc5165db245a ("PCI: kirin: Add HiSilicon Kirin SoC PCIe controller driver") +Signed-off-by: Loic Poulain +[lorenzo.pieralisi@arm.com: updated the commit log] +Signed-off-by: Lorenzo Pieralisi +Acked-by: Xiaowei Song +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/dwc/pcie-kirin.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pci/dwc/pcie-kirin.c ++++ b/drivers/pci/dwc/pcie-kirin.c +@@ -487,7 +487,7 @@ static int kirin_pcie_probe(struct platf + return ret; + + kirin_pcie->gpio_id_reset = of_get_named_gpio(dev->of_node, +- "reset-gpio", 0); ++ "reset-gpios", 0); + if (kirin_pcie->gpio_id_reset < 0) + return -ENODEV; + diff --git a/queue-4.16/perf-cs-etm-support-unknown_thread-in-cs_etm_auxtrace.patch b/queue-4.16/perf-cs-etm-support-unknown_thread-in-cs_etm_auxtrace.patch new file mode 100644 index 00000000000..2c05fa13b61 --- /dev/null +++ b/queue-4.16/perf-cs-etm-support-unknown_thread-in-cs_etm_auxtrace.patch @@ -0,0 +1,90 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Leo Yan +Date: Thu, 10 May 2018 12:01:59 +0800 +Subject: perf cs-etm: Support unknown_thread in cs_etm_auxtrace + +From: Leo Yan + +[ Upstream commit 46d53620044f7b574c0f3216f8b4f2ce3559ce31 ] + +CoreSight doesn't allocate thread structure for unknown_thread in ETM +auxtrace, so unknown_thread is NULL pointer. If the perf data doesn't +contain valid tid and then cs_etm__mem_access() uses unknown_thread +instead as thread handler, this results in a segmentation fault when +thread__find_addr_map() accesses the thread handler. + +This commit creates a new thread data which is used by unknown_thread, so +CoreSight tracing can roll back to use unknown_thread if perf data +doesn't include valid thread info. This commit also releases thread +data for initialization failure case and for normal auxtrace free flow. + +Signed-off-by: Leo Yan +Acked-by: Mathieu Poirier +Cc: Alexander Shishkin +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: linux-arm-kernel@lists.infradead.org +Link: http://lkml.kernel.org/r/1525924920-4381-1-git-send-email-leo.yan@linaro.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/cs-etm.c | 24 ++++++++++++++++++++++-- + 1 file changed, 22 insertions(+), 2 deletions(-) + +--- a/tools/perf/util/cs-etm.c ++++ b/tools/perf/util/cs-etm.c +@@ -212,6 +212,7 @@ static void cs_etm__free(struct perf_ses + for (i = 0; i < aux->num_cpu; i++) + zfree(&aux->metadata[i]); + ++ thread__zput(aux->unknown_thread); + zfree(&aux->metadata); + zfree(&aux); + } +@@ -980,6 +981,23 @@ int cs_etm__process_auxtrace_info(union + etm->auxtrace.free = cs_etm__free; + session->auxtrace = &etm->auxtrace; + ++ etm->unknown_thread = thread__new(999999999, 999999999); ++ if (!etm->unknown_thread) ++ goto err_free_queues; ++ ++ /* ++ * Initialize list node so that at thread__zput() we can avoid ++ * segmentation fault at list_del_init(). ++ */ ++ INIT_LIST_HEAD(&etm->unknown_thread->node); ++ ++ err = thread__set_comm(etm->unknown_thread, "unknown", 0); ++ if (err) ++ goto err_delete_thread; ++ ++ if (thread__init_map_groups(etm->unknown_thread, etm->machine)) ++ goto err_delete_thread; ++ + if (dump_trace) { + cs_etm__print_auxtrace_info(auxtrace_info->priv, num_cpu); + return 0; +@@ -994,16 +1012,18 @@ int cs_etm__process_auxtrace_info(union + + err = cs_etm__synth_events(etm, session); + if (err) +- goto err_free_queues; ++ goto err_delete_thread; + + err = auxtrace_queues__process_index(&etm->queues, session); + if (err) +- goto err_free_queues; ++ goto err_delete_thread; + + etm->data_queued = etm->queues.populated; + + return 0; + ++err_delete_thread: ++ thread__zput(etm->unknown_thread); + err_free_queues: + auxtrace_queues__free(&etm->queues); + session->auxtrace = NULL; diff --git a/queue-4.16/perf-pmu-fix-core-pmu-alias-list-for-x86-platform.patch b/queue-4.16/perf-pmu-fix-core-pmu-alias-list-for-x86-platform.patch new file mode 100644 index 00000000000..a0d217b687c --- /dev/null +++ b/queue-4.16/perf-pmu-fix-core-pmu-alias-list-for-x86-platform.patch @@ -0,0 +1,109 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Kan Liang +Date: Tue, 24 Apr 2018 11:20:10 -0700 +Subject: perf pmu: Fix core PMU alias list for X86 platform + +From: Kan Liang + +[ Upstream commit 292c34c10249c64a70def442f0d977bf9d466ed7 ] + +When counting uncore event with alias, core event is mistakenly +involved, for example: + + perf stat --no-merge -e "unc_m_cas_count.all" -C0 sleep 1 + + Performance counter stats for 'CPU(s) 0': + + 0 unc_m_cas_count.all [uncore_imc_4] + 0 unc_m_cas_count.all [uncore_imc_2] + 0 unc_m_cas_count.all [uncore_imc_0] + 153,640 unc_m_cas_count.all [cpu] + 0 unc_m_cas_count.all [uncore_imc_5] + 25,026 unc_m_cas_count.all [uncore_imc_3] + 0 unc_m_cas_count.all [uncore_imc_1] + + 1.001447890 seconds time elapsed + +The reason is that current implementation doesn't check PMU name of a +event when adding its alias into the alias list for core PMU. The +uncore event aliases are mistakenly added. + +This bug was introduced in: + commit 14b22ae028de ("perf pmu: Add helper function is_pmu_core to + detect PMU CORE devices") + +Checking the PMU name for all PMUs on X86 and other architectures except +ARM. +There is no behavior change for ARM. + +Signed-off-by: Kan Liang +Tested-by: Arnaldo Carvalho de Melo +Cc: Agustin Vega-Frias +Cc: Andi Kleen +Cc: Ganapatrao Kulkarni +Cc: Jin Yao +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Shaokun Zhang +Cc: Will Deacon +Fixes: 14b22ae028de ("perf pmu: Add helper function is_pmu_core to detect PMU CORE devices") +Link: http://lkml.kernel.org/r/1524594014-79243-1-git-send-email-kan.liang@linux.intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/pmu.c | 20 +++++++------------- + 1 file changed, 7 insertions(+), 13 deletions(-) + +--- a/tools/perf/util/pmu.c ++++ b/tools/perf/util/pmu.c +@@ -539,9 +539,10 @@ static bool pmu_is_uncore(const char *na + + /* + * PMU CORE devices have different name other than cpu in sysfs on some +- * platforms. looking for possible sysfs files to identify as core device. ++ * platforms. ++ * Looking for possible sysfs files to identify the arm core device. + */ +-static int is_pmu_core(const char *name) ++static int is_arm_pmu_core(const char *name) + { + struct stat st; + char path[PATH_MAX]; +@@ -550,12 +551,6 @@ static int is_pmu_core(const char *name) + if (!sysfs) + return 0; + +- /* Look for cpu sysfs (x86 and others) */ +- scnprintf(path, PATH_MAX, "%s/bus/event_source/devices/cpu", sysfs); +- if ((stat(path, &st) == 0) && +- (strncmp(name, "cpu", strlen("cpu")) == 0)) +- return 1; +- + /* Look for cpu sysfs (specific to arm) */ + scnprintf(path, PATH_MAX, "%s/bus/event_source/devices/%s/cpus", + sysfs, name); +@@ -651,6 +646,7 @@ static void pmu_add_cpu_aliases(struct l + struct pmu_events_map *map; + struct pmu_event *pe; + const char *name = pmu->name; ++ const char *pname; + + map = perf_pmu__find_map(pmu); + if (!map) +@@ -669,11 +665,9 @@ static void pmu_add_cpu_aliases(struct l + break; + } + +- if (!is_pmu_core(name)) { +- /* check for uncore devices */ +- if (pe->pmu == NULL) +- continue; +- if (strncmp(pe->pmu, name, strlen(pe->pmu))) ++ if (!is_arm_pmu_core(name)) { ++ pname = pe->pmu ? pe->pmu : "cpu"; ++ if (strncmp(pname, name, strlen(pname))) + continue; + } + diff --git a/queue-4.16/perf-report-fix-switching-to-another-perf.data-file.patch b/queue-4.16/perf-report-fix-switching-to-another-perf.data-file.patch new file mode 100644 index 00000000000..23b27b8fa5e --- /dev/null +++ b/queue-4.16/perf-report-fix-switching-to-another-perf.data-file.patch @@ -0,0 +1,66 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Arnaldo Carvalho de Melo +Date: Thu, 12 Apr 2018 14:58:24 -0300 +Subject: perf report: Fix switching to another perf.data file + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 7b366142a50ad79e48de8e67c5b3e8cfb9fa82dd ] + +In the TUI the 's' hotkey can be used to switch to another perf.data +file in the current directory, but that got broken in Fixes: +b01141f4f59c ("perf annotate: Initialize the priv are in symbol__new()"), +that would show this once another file was chosen: + + ┌─Fatal Error─────────────────────────────────────┐ + │Annotation needs to be init before symbol__init()│ + │ │ + │ │ + │Press any key... │ + └─────────────────────────────────────────────────┘ + +Fix it by just silently bailing out if symbol__annotation_init() was already +called, just like is done with symbol__init(), i.e. they are done just once at +session start, not when switching to a new perf.data file. + +Cc: Adrian Hunter +Cc: Andi Kleen +Cc: David Ahern +Cc: Jin Yao +Cc: Jiri Olsa +Cc: Martin LiÅ¡ka +Cc: Namhyung Kim +Cc: Ravi Bangoria +Cc: Thomas Richter +Cc: Wang Nan +Fixes: b01141f4f59c ("perf annotate: Initialize the priv are in symbol__new()") +Link: https://lkml.kernel.org/n/tip-ogppdtpzfax7y1h6gjdv5s6u@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/symbol.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/tools/perf/util/symbol.c ++++ b/tools/perf/util/symbol.c +@@ -2094,16 +2094,14 @@ static bool symbol__read_kptr_restrict(v + + int symbol__annotation_init(void) + { ++ if (symbol_conf.init_annotation) ++ return 0; ++ + if (symbol_conf.initialized) { + pr_err("Annotation needs to be init before symbol__init()\n"); + return -1; + } + +- if (symbol_conf.init_annotation) { +- pr_warning("Annotation being initialized multiple times\n"); +- return 0; +- } +- + symbol_conf.priv_size += sizeof(struct annotation); + symbol_conf.init_annotation = true; + return 0; diff --git a/queue-4.16/perf-x86-intel-don-t-enable-freeze-on-smi-for-perfmon-v1.patch b/queue-4.16/perf-x86-intel-don-t-enable-freeze-on-smi-for-perfmon-v1.patch new file mode 100644 index 00000000000..56e69926d43 --- /dev/null +++ b/queue-4.16/perf-x86-intel-don-t-enable-freeze-on-smi-for-perfmon-v1.patch @@ -0,0 +1,72 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Kan Liang +Date: Wed, 25 Apr 2018 14:57:17 -0400 +Subject: perf/x86/intel: Don't enable freeze-on-smi for PerfMon V1 + +From: Kan Liang + +[ Upstream commit 4e949e9b9d1e3edcdab3b54656c5851bd9e49c67 ] + +The SMM freeze feature was introduced since PerfMon V2. But the current +code unconditionally enables the feature for all platforms. It can +generate #GP exception, if the related FREEZE_WHILE_SMM bit is set for +the machine with PerfMon V1. + +To disable the feature for PerfMon V1, perf needs to +- Remove the freeze_on_smi sysfs entry by moving intel_pmu_attrs to + intel_pmu, which is only applied to PerfMon V2 and later. +- Check the PerfMon version before flipping the SMM bit when starting CPU + +Fixes: 6089327f5424 ("perf/x86: Add sysfs entry to freeze counters on SMI") +Signed-off-by: Kan Liang +Signed-off-by: Thomas Gleixner +Acked-by: Peter Zijlstra (Intel) +Cc: ak@linux.intel.com +Cc: eranian@google.com +Cc: acme@redhat.com +Link: https://lkml.kernel.org/r/1524682637-63219-1-git-send-email-kan.liang@linux.intel.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/intel/core.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/arch/x86/events/intel/core.c ++++ b/arch/x86/events/intel/core.c +@@ -3331,7 +3331,8 @@ static void intel_pmu_cpu_starting(int c + + cpuc->lbr_sel = NULL; + +- flip_smm_bit(&x86_pmu.attr_freeze_on_smi); ++ if (x86_pmu.version > 1) ++ flip_smm_bit(&x86_pmu.attr_freeze_on_smi); + + if (!cpuc->shared_regs) + return; +@@ -3494,6 +3495,8 @@ static __initconst const struct x86_pmu + .cpu_dying = intel_pmu_cpu_dying, + }; + ++static struct attribute *intel_pmu_attrs[]; ++ + static __initconst const struct x86_pmu intel_pmu = { + .name = "Intel", + .handle_irq = intel_pmu_handle_irq, +@@ -3524,6 +3527,8 @@ static __initconst const struct x86_pmu + .format_attrs = intel_arch3_formats_attr, + .events_sysfs_show = intel_event_sysfs_show, + ++ .attrs = intel_pmu_attrs, ++ + .cpu_prepare = intel_pmu_cpu_prepare, + .cpu_starting = intel_pmu_cpu_starting, + .cpu_dying = intel_pmu_cpu_dying, +@@ -3902,8 +3907,6 @@ __init int intel_pmu_init(void) + + x86_pmu.max_pebs_events = min_t(unsigned, MAX_PEBS_EVENTS, x86_pmu.num_counters); + +- +- x86_pmu.attrs = intel_pmu_attrs; + /* + * Quirk: v2 perfmon does not report fixed-purpose events, so + * assume at least 3 events, when not running in a hypervisor: diff --git a/queue-4.16/pinctrl-cherryview-associate-irq-descriptors-to-irqdomain.patch b/queue-4.16/pinctrl-cherryview-associate-irq-descriptors-to-irqdomain.patch new file mode 100644 index 00000000000..bab8e8e32e9 --- /dev/null +++ b/queue-4.16/pinctrl-cherryview-associate-irq-descriptors-to-irqdomain.patch @@ -0,0 +1,72 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Mika Westerberg +Date: Wed, 25 Apr 2018 13:32:11 +0300 +Subject: pinctrl: cherryview: Associate IRQ descriptors to irqdomain + +From: Mika Westerberg + +[ Upstream commit 83b9dc11312f48a561594a895672abb6cb2a2250 ] + +When we dropped the custom Linux GPIO translation it resulted that the +IRQ numbers changed slightly as well. Normally this would be fine +because everyone is expected to use controller relative GPIO numbers and +ACPI GpioIo/GpioInt resources. However, there is a certain set of +Intel_Strago based Chromebooks where i8042 keyboard controller IRQ +number is hardcoded be 182 (this is corrected with newer coreboot but +the older ones still have the hardcoded Linux IRQ number). Because of +this hardcoded IRQ number keyboard on those systems accidentally broke +again. + +Fix this by iteratively associating IRQ descriptors to the chip irqdomain +so that there are no gaps on those systems. Other systems are not +affected. + +Fixes: 03c4749dd6c7 ("gpio / ACPI: Drop unnecessary ACPI GPIO to Linux GPIO translation") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=199463 +Reported-by: Sultan Alsawaf +Signed-off-by: Mika Westerberg +Reviewed-by: Andy Shevchenko +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/intel/pinctrl-cherryview.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/drivers/pinctrl/intel/pinctrl-cherryview.c ++++ b/drivers/pinctrl/intel/pinctrl-cherryview.c +@@ -1622,22 +1622,30 @@ static int chv_gpio_probe(struct chv_pin + + if (!need_valid_mask) { + irq_base = devm_irq_alloc_descs(pctrl->dev, -1, 0, +- chip->ngpio, NUMA_NO_NODE); ++ community->npins, NUMA_NO_NODE); + if (irq_base < 0) { + dev_err(pctrl->dev, "Failed to allocate IRQ numbers\n"); + return irq_base; + } +- } else { +- irq_base = 0; + } + +- ret = gpiochip_irqchip_add(chip, &chv_gpio_irqchip, irq_base, ++ ret = gpiochip_irqchip_add(chip, &chv_gpio_irqchip, 0, + handle_bad_irq, IRQ_TYPE_NONE); + if (ret) { + dev_err(pctrl->dev, "failed to add IRQ chip\n"); + return ret; + } + ++ if (!need_valid_mask) { ++ for (i = 0; i < community->ngpio_ranges; i++) { ++ range = &community->gpio_ranges[i]; ++ ++ irq_domain_associate_many(chip->irq.domain, irq_base, ++ range->base, range->npins); ++ irq_base += range->npins; ++ } ++ } ++ + gpiochip_set_chained_irqchip(chip, &chv_gpio_irqchip, irq, + chv_gpio_irq_handler); + return 0; diff --git a/queue-4.16/pinctrl-meson-axg-fix-the-range-of-aobus-bank.patch b/queue-4.16/pinctrl-meson-axg-fix-the-range-of-aobus-bank.patch new file mode 100644 index 00000000000..781792d2baf --- /dev/null +++ b/queue-4.16/pinctrl-meson-axg-fix-the-range-of-aobus-bank.patch @@ -0,0 +1,33 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Yixun Lan +Date: Tue, 17 Apr 2018 17:08:24 +0000 +Subject: pinctrl: meson-axg: fix the range of aobus bank + +From: Yixun Lan + +[ Upstream commit b84e54616a946f24eeeca8762cb70a9074b045e7 ] + +The GPIOAO bank is range from GPIOAO_0 to GPIOAO_13. + +Fixes: 83c566806a68 ("pinctrl: meson-axg: Add new pinctrl driver for Meson AXG SoC") +Reported-by: Xingyu Chen +Signed-off-by: Yixun Lan +Acked-by: Kevin Hilman +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/meson/pinctrl-meson-axg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pinctrl/meson/pinctrl-meson-axg.c ++++ b/drivers/pinctrl/meson/pinctrl-meson-axg.c +@@ -898,7 +898,7 @@ static struct meson_bank meson_axg_perip + + static struct meson_bank meson_axg_aobus_banks[] = { + /* name first last irq pullen pull dir out in */ +- BANK("AO", GPIOAO_0, GPIOAO_9, 0, 13, 0, 16, 0, 0, 0, 0, 0, 16, 1, 0), ++ BANK("AO", GPIOAO_0, GPIOAO_13, 0, 13, 0, 16, 0, 0, 0, 0, 0, 16, 1, 0), + }; + + static struct meson_pmx_bank meson_axg_periphs_pmx_banks[] = { diff --git a/queue-4.16/platform-x86-dell_wmi-use-depends-on-instead-of-select-for-dell_smbios.patch b/queue-4.16/platform-x86-dell_wmi-use-depends-on-instead-of-select-for-dell_smbios.patch new file mode 100644 index 00000000000..74ed247874e --- /dev/null +++ b/queue-4.16/platform-x86-dell_wmi-use-depends-on-instead-of-select-for-dell_smbios.patch @@ -0,0 +1,35 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Darren Hart +Date: Sat, 12 May 2018 12:10:07 -0700 +Subject: platform/x86: DELL_WMI use depends on instead of select for DELL_SMBIOS + +From: Darren Hart + +[ Upstream commit 54940fa60ad3728c592f62dadb558165495a6938 ] + +If DELL_WMI "select"s DELL_SMBIOS, the DELL_SMBIOS dependencies are +ignored and it is still possible to end up with unmet direct +dependencies. + +Change the select to a depends on. + +Tested-by: Randy Dunlap +Signed-off-by: Darren Hart (VMware) +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/platform/x86/Kconfig ++++ b/drivers/platform/x86/Kconfig +@@ -168,8 +168,8 @@ config DELL_WMI + depends on DMI + depends on INPUT + depends on ACPI_VIDEO || ACPI_VIDEO = n ++ depends on DELL_SMBIOS + select DELL_WMI_DESCRIPTOR +- select DELL_SMBIOS + select INPUT_SPARSEKMAP + ---help--- + Say Y here if you want to support WMI-based hotkeys on Dell laptops. diff --git a/queue-4.16/powerpc-64s-default-l1d_size-to-64k-in-rfi-fallback-flush.patch b/queue-4.16/powerpc-64s-default-l1d_size-to-64k-in-rfi-fallback-flush.patch new file mode 100644 index 00000000000..4e8f94d759f --- /dev/null +++ b/queue-4.16/powerpc-64s-default-l1d_size-to-64k-in-rfi-fallback-flush.patch @@ -0,0 +1,50 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Madhavan Srinivasan +Date: Thu, 18 Jan 2018 00:33:36 +0530 +Subject: powerpc/64s: Default l1d_size to 64K in RFI fallback flush + +From: Madhavan Srinivasan + +[ Upstream commit 9dfbf78e4114fcaf4ef61c49885c3ab5bad40d0b ] + +If there is no d-cache-size property in the device tree, l1d_size could +be zero. We don't actually expect that to happen, it's only been seen +on mambo (simulator) in some configurations. + +A zero-size l1d_size leads to the loop in the asm wrapping around to +2^64-1, and then walking off the end of the fallback area and +eventually causing a page fault which is fatal. + +Just default to 64K which is correct on some CPUs, and sane enough to +not cause a crash on others. + +Fixes: aa8a5e0062ac9 ('powerpc/64s: Add support for RFI flush of L1-D cache') +Signed-off-by: Madhavan Srinivasan +[mpe: Rewrite comment and change log] +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/setup_64.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/arch/powerpc/kernel/setup_64.c ++++ b/arch/powerpc/kernel/setup_64.c +@@ -864,6 +864,17 @@ static void init_fallback_flush(void) + int cpu; + + l1d_size = ppc64_caches.l1d.size; ++ ++ /* ++ * If there is no d-cache-size property in the device tree, l1d_size ++ * could be zero. That leads to the loop in the asm wrapping around to ++ * 2^64-1, and then walking off the end of the fallback area and ++ * eventually causing a page fault which is fatal. Just default to ++ * something vaguely sane. ++ */ ++ if (!l1d_size) ++ l1d_size = (64 * 1024); ++ + limit = min(ppc64_bolted_size(), ppc64_rma_size); + + /* diff --git a/queue-4.16/powerpc-kvm-booke-fix-altivec-related-build-break.patch b/queue-4.16/powerpc-kvm-booke-fix-altivec-related-build-break.patch new file mode 100644 index 00000000000..97563eb8ab4 --- /dev/null +++ b/queue-4.16/powerpc-kvm-booke-fix-altivec-related-build-break.patch @@ -0,0 +1,40 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Laurentiu Tudor +Date: Thu, 26 Apr 2018 15:33:19 +0300 +Subject: powerpc/kvm/booke: Fix altivec related build break + +From: Laurentiu Tudor + +[ Upstream commit b2d7ecbe355698010a6b7a15eb179e09eb3d6a34 ] + +Add missing "altivec unavailable" interrupt injection helper +thus fixing the linker error below: + + arch/powerpc/kvm/emulate_loadstore.o: In function `kvmppc_check_altivec_disabled': + arch/powerpc/kvm/emulate_loadstore.c: undefined reference to `.kvmppc_core_queue_vec_unavail' + +Fixes: 09f984961c137c4b ("KVM: PPC: Book3S: Add MMIO emulation for VMX instructions") +Signed-off-by: Laurentiu Tudor +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kvm/booke.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/arch/powerpc/kvm/booke.c ++++ b/arch/powerpc/kvm/booke.c +@@ -305,6 +305,13 @@ void kvmppc_core_queue_fpunavail(struct + kvmppc_booke_queue_irqprio(vcpu, BOOKE_IRQPRIO_FP_UNAVAIL); + } + ++#ifdef CONFIG_ALTIVEC ++void kvmppc_core_queue_vec_unavail(struct kvm_vcpu *vcpu) ++{ ++ kvmppc_booke_queue_irqprio(vcpu, BOOKE_IRQPRIO_ALTIVEC_UNAVAIL); ++} ++#endif ++ + void kvmppc_core_queue_dec(struct kvm_vcpu *vcpu) + { + kvmppc_booke_queue_irqprio(vcpu, BOOKE_IRQPRIO_DECREMENTER); diff --git a/queue-4.16/powerpc-powernv-memtrace-let-the-arch-hotunplug-code-flush-cache.patch b/queue-4.16/powerpc-powernv-memtrace-let-the-arch-hotunplug-code-flush-cache.patch new file mode 100644 index 00000000000..80b0cf10647 --- /dev/null +++ b/queue-4.16/powerpc-powernv-memtrace-let-the-arch-hotunplug-code-flush-cache.patch @@ -0,0 +1,59 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Balbir Singh +Date: Fri, 6 Apr 2018 15:24:24 +1000 +Subject: powerpc/powernv/memtrace: Let the arch hotunplug code flush cache + +From: Balbir Singh + +[ Upstream commit 7fd6641de28fe9b5bce0c38d2adee0a72a72619e ] + +Don't do this via custom code, instead now that we have support in the +arch hotplug/hotunplug code, rely on those routines to do the right +thing. + +The existing flush doesn't work because it uses ppc64_caches.l1d.size +instead of ppc64_caches.l1d.line_size. + +Fixes: 9d5171a8f248 ("powerpc/powernv: Enable removal of memory for in memory tracing") +Signed-off-by: Balbir Singh +Reviewed-by: Rashmica Gupta +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/platforms/powernv/memtrace.c | 17 ----------------- + 1 file changed, 17 deletions(-) + +--- a/arch/powerpc/platforms/powernv/memtrace.c ++++ b/arch/powerpc/platforms/powernv/memtrace.c +@@ -82,19 +82,6 @@ static const struct file_operations memt + .open = simple_open, + }; + +-static void flush_memory_region(u64 base, u64 size) +-{ +- unsigned long line_size = ppc64_caches.l1d.size; +- u64 end = base + size; +- u64 addr; +- +- base = round_down(base, line_size); +- end = round_up(end, line_size); +- +- for (addr = base; addr < end; addr += line_size) +- asm volatile("dcbf 0,%0" : "=r" (addr) :: "memory"); +-} +- + static int check_memblock_online(struct memory_block *mem, void *arg) + { + if (mem->state != MEM_ONLINE) +@@ -132,10 +119,6 @@ static bool memtrace_offline_pages(u32 n + walk_memory_range(start_pfn, end_pfn, (void *)MEM_OFFLINE, + change_memblock_state); + +- /* RCU grace period? */ +- flush_memory_region((u64)__va(start_pfn << PAGE_SHIFT), +- nr_pages << PAGE_SHIFT); +- + lock_device_hotplug(); + remove_memory(nid, start_pfn << PAGE_SHIFT, nr_pages << PAGE_SHIFT); + unlock_device_hotplug(); diff --git a/queue-4.16/powerpc-pseries-fix-config_numa-n-build.patch b/queue-4.16/powerpc-pseries-fix-config_numa-n-build.patch new file mode 100644 index 00000000000..0bd6faaea29 --- /dev/null +++ b/queue-4.16/powerpc-pseries-fix-config_numa-n-build.patch @@ -0,0 +1,58 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Michael Ellerman +Date: Tue, 8 May 2018 14:59:56 +1000 +Subject: powerpc/pseries: Fix CONFIG_NUMA=n build + +From: Michael Ellerman + +[ Upstream commit 6c0a8f6b5a45ac892a763b6299bd3c5324fc5e02 ] + +The build is failing with CONFIG_NUMA=n and some compiler versions: + + arch/powerpc/platforms/pseries/hotplug-cpu.o: In function `dlpar_online_cpu': + hotplug-cpu.c:(.text+0x12c): undefined reference to `timed_topology_update' + arch/powerpc/platforms/pseries/hotplug-cpu.o: In function `dlpar_cpu_remove': + hotplug-cpu.c:(.text+0x400): undefined reference to `timed_topology_update' + +Fix it by moving the empty version of timed_topology_update() into the +existing #ifdef block, which has the right guard of SPLPAR && NUMA. + +Fixes: cee5405da402 ("powerpc/hotplug: Improve responsiveness of hotplug change") +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/include/asm/topology.h | 13 +++++-------- + 1 file changed, 5 insertions(+), 8 deletions(-) + +--- a/arch/powerpc/include/asm/topology.h ++++ b/arch/powerpc/include/asm/topology.h +@@ -91,6 +91,7 @@ extern int start_topology_update(void); + extern int stop_topology_update(void); + extern int prrn_is_enabled(void); + extern int find_and_online_cpu_nid(int cpu); ++extern int timed_topology_update(int nsecs); + #else + static inline int start_topology_update(void) + { +@@ -108,16 +109,12 @@ static inline int find_and_online_cpu_ni + { + return 0; + } ++static inline int timed_topology_update(int nsecs) ++{ ++ return 0; ++} + #endif /* CONFIG_NUMA && CONFIG_PPC_SPLPAR */ + +-#if defined(CONFIG_HOTPLUG_CPU) || defined(CONFIG_NEED_MULTIPLE_NODES) +-#if defined(CONFIG_PPC_SPLPAR) +-extern int timed_topology_update(int nsecs); +-#else +-#define timed_topology_update(nsecs) +-#endif /* CONFIG_PPC_SPLPAR */ +-#endif /* CONFIG_HOTPLUG_CPU || CONFIG_NEED_MULTIPLE_NODES */ +- + #include + + #ifdef CONFIG_SMP diff --git a/queue-4.16/powerpc-trace-syscalls-update-syscall-name-matching-logic-to-account-for-ppc_-prefix.patch b/queue-4.16/powerpc-trace-syscalls-update-syscall-name-matching-logic-to-account-for-ppc_-prefix.patch new file mode 100644 index 00000000000..174ddf1bef0 --- /dev/null +++ b/queue-4.16/powerpc-trace-syscalls-update-syscall-name-matching-logic-to-account-for-ppc_-prefix.patch @@ -0,0 +1,58 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: "Naveen N. Rao" +Date: Fri, 4 May 2018 18:44:25 +0530 +Subject: powerpc/trace/syscalls: Update syscall name matching logic to account for ppc_ prefix + +From: "Naveen N. Rao" + +[ Upstream commit edf6a2dfe3889daf97e7c164891a87832169e3e4 ] + +Some syscall entry functions on powerpc are prefixed with +ppc_/ppc32_/ppc64_ rather than the usual sys_/__se_sys prefix. fork(), +clone(), swapcontext() are some examples of syscalls with such entry +points. We need to match against these names when initializing ftrace +syscall tracing. + +Signed-off-by: Naveen N. Rao +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/include/asm/ftrace.h | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/include/asm/ftrace.h ++++ b/arch/powerpc/include/asm/ftrace.h +@@ -69,13 +69,30 @@ struct dyn_arch_ftrace { + #endif + + #if defined(CONFIG_FTRACE_SYSCALLS) && !defined(__ASSEMBLY__) +-#ifdef PPC64_ELF_ABI_v1 ++/* ++ * Some syscall entry functions on powerpc start with "ppc_" (fork and clone, ++ * for instance) or ppc32_/ppc64_. We should also match the sys_ variant with ++ * those. ++ */ + #define ARCH_HAS_SYSCALL_MATCH_SYM_NAME ++#ifdef PPC64_ELF_ABI_v1 + static inline bool arch_syscall_match_sym_name(const char *sym, const char *name) + { + /* We need to skip past the initial dot, and the __se_sys alias */ + return !strcmp(sym + 1, name) || +- (!strncmp(sym, ".__se_sys", 9) && !strcmp(sym + 6, name)); ++ (!strncmp(sym, ".__se_sys", 9) && !strcmp(sym + 6, name)) || ++ (!strncmp(sym, ".ppc_", 5) && !strcmp(sym + 5, name + 4)) || ++ (!strncmp(sym, ".ppc32_", 7) && !strcmp(sym + 7, name + 4)) || ++ (!strncmp(sym, ".ppc64_", 7) && !strcmp(sym + 7, name + 4)); ++} ++#else ++static inline bool arch_syscall_match_sym_name(const char *sym, const char *name) ++{ ++ return !strcmp(sym, name) || ++ (!strncmp(sym, "__se_sys", 8) && !strcmp(sym + 5, name)) || ++ (!strncmp(sym, "ppc_", 4) && !strcmp(sym + 4, name + 4)) || ++ (!strncmp(sym, "ppc32_", 6) && !strcmp(sym + 6, name + 4)) || ++ (!strncmp(sym, "ppc64_", 6) && !strcmp(sym + 6, name + 4)); + } + #endif + #endif /* CONFIG_FTRACE_SYSCALLS && !__ASSEMBLY__ */ diff --git a/queue-4.16/powerpc-trace-syscalls-update-syscall-name-matching-logic.patch b/queue-4.16/powerpc-trace-syscalls-update-syscall-name-matching-logic.patch new file mode 100644 index 00000000000..084fd43822a --- /dev/null +++ b/queue-4.16/powerpc-trace-syscalls-update-syscall-name-matching-logic.patch @@ -0,0 +1,46 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: "Naveen N. Rao" +Date: Fri, 4 May 2018 18:44:24 +0530 +Subject: powerpc/trace/syscalls: Update syscall name matching logic + +From: "Naveen N. Rao" + +[ Upstream commit 0b7758aaf6543b9a10c8671db559e9d374a3fd95 ] + +On powerpc64 ABIv1, we are enabling syscall tracing for only ~20 +syscalls. This is due to commit e145242ea0df6 ("syscalls/core, +syscalls/x86: Clean up syscall stub naming convention") which has +changed the syscall entry wrapper prefix from "SyS" to "__se_sys". + +Update the logic for ABIv1 to not just skip the initial dot, but also +the "__se_sys" prefix. + +Fixes: commit e145242ea0df6 ("syscalls/core, syscalls/x86: Clean up syscall stub naming convention") +Reported-by: Michael Ellerman +Signed-off-by: Naveen N. Rao +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/include/asm/ftrace.h | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +--- a/arch/powerpc/include/asm/ftrace.h ++++ b/arch/powerpc/include/asm/ftrace.h +@@ -73,13 +73,9 @@ struct dyn_arch_ftrace { + #define ARCH_HAS_SYSCALL_MATCH_SYM_NAME + static inline bool arch_syscall_match_sym_name(const char *sym, const char *name) + { +- /* +- * Compare the symbol name with the system call name. Skip the .sys or .SyS +- * prefix from the symbol name and the sys prefix from the system call name and +- * just match the rest. This is only needed on ppc64 since symbol names on +- * 32bit do not start with a period so the generic function will work. +- */ +- return !strcmp(sym + 4, name + 3); ++ /* We need to skip past the initial dot, and the __se_sys alias */ ++ return !strcmp(sym + 1, name) || ++ (!strncmp(sym, ".__se_sys", 9) && !strcmp(sym + 6, name)); + } + #endif + #endif /* CONFIG_FTRACE_SYSCALLS && !__ASSEMBLY__ */ diff --git a/queue-4.16/proc-fix-proc-loadavg-regression.patch b/queue-4.16/proc-fix-proc-loadavg-regression.patch new file mode 100644 index 00000000000..9d4bf42a44f --- /dev/null +++ b/queue-4.16/proc-fix-proc-loadavg-regression.patch @@ -0,0 +1,60 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Alexey Dobriyan +Date: Fri, 20 Apr 2018 14:56:06 -0700 +Subject: proc: fix /proc/loadavg regression + +From: Alexey Dobriyan + +[ Upstream commit 9a1015b32faa7cebfe19663c886b0cfe90be1d49 ] + +Commit 95846ecf9dac ("pid: replace pid bitmap implementation with IDR +API") changed last field of /proc/loadavg (last pid allocated) to be off +by one: + + # unshare -p -f --mount-proc cat /proc/loadavg + 0.00 0.00 0.00 1/60 2 <=== + +It should be 1 after first fork into pid namespace. + +This is formally a regression but given how useless this field is I +don't think anyone is affected. + +Bug was found by /proc testsuite! + +Link: http://lkml.kernel.org/r/20180413175408.GA27246@avx2 +Fixes: 95846ecf9dac508 ("pid: replace pid bitmap implementation with IDR API") +Signed-off-by: Alexey Dobriyan +Cc: "Eric W. Biederman" +Cc: Gargi Sharma +Cc: Oleg Nesterov +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/platforms/cell/spufs/sched.c | 2 +- + fs/proc/loadavg.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/platforms/cell/spufs/sched.c ++++ b/arch/powerpc/platforms/cell/spufs/sched.c +@@ -1093,7 +1093,7 @@ static int show_spu_loadavg(struct seq_f + LOAD_INT(c), LOAD_FRAC(c), + count_active_contexts(), + atomic_read(&nr_spu_contexts), +- idr_get_cursor(&task_active_pid_ns(current)->idr)); ++ idr_get_cursor(&task_active_pid_ns(current)->idr) - 1); + return 0; + } + +--- a/fs/proc/loadavg.c ++++ b/fs/proc/loadavg.c +@@ -24,7 +24,7 @@ static int loadavg_proc_show(struct seq_ + LOAD_INT(avnrun[1]), LOAD_FRAC(avnrun[1]), + LOAD_INT(avnrun[2]), LOAD_FRAC(avnrun[2]), + nr_running(), nr_threads, +- idr_get_cursor(&task_active_pid_ns(current)->idr)); ++ idr_get_cursor(&task_active_pid_ns(current)->idr) - 1); + return 0; + } + diff --git a/queue-4.16/proc-kcore-don-t-bounds-check-against-address-0.patch b/queue-4.16/proc-kcore-don-t-bounds-check-against-address-0.patch new file mode 100644 index 00000000000..24488994886 --- /dev/null +++ b/queue-4.16/proc-kcore-don-t-bounds-check-against-address-0.patch @@ -0,0 +1,78 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Laura Abbott +Date: Fri, 11 May 2018 16:01:57 -0700 +Subject: proc/kcore: don't bounds check against address 0 + +From: Laura Abbott + +[ Upstream commit 3955333df9a50e8783d115613a397ae55d905080 ] + +The existing kcore code checks for bad addresses against __va(0) with +the assumption that this is the lowest address on the system. This may +not hold true on some systems (e.g. arm64) and produce overflows and +crashes. Switch to using other functions to validate the address range. + +It's currently only seen on arm64 and it's not clear if anyone wants to +use that particular combination on a stable release. So this is not +urgent for stable. + +Link: http://lkml.kernel.org/r/20180501201143.15121-1-labbott@redhat.com +Signed-off-by: Laura Abbott +Tested-by: Dave Anderson +Cc: Kees Cook +Cc: Ard Biesheuvel +Cc: Ingo Molnar +Cc: Andi Kleen +Cc: Alexey Dobriyan a +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/proc/kcore.c | 23 ++++++++++++++++------- + 1 file changed, 16 insertions(+), 7 deletions(-) + +--- a/fs/proc/kcore.c ++++ b/fs/proc/kcore.c +@@ -209,25 +209,34 @@ kclist_add_private(unsigned long pfn, un + { + struct list_head *head = (struct list_head *)arg; + struct kcore_list *ent; ++ struct page *p; ++ ++ if (!pfn_valid(pfn)) ++ return 1; ++ ++ p = pfn_to_page(pfn); ++ if (!memmap_valid_within(pfn, p, page_zone(p))) ++ return 1; + + ent = kmalloc(sizeof(*ent), GFP_KERNEL); + if (!ent) + return -ENOMEM; +- ent->addr = (unsigned long)__va((pfn << PAGE_SHIFT)); ++ ent->addr = (unsigned long)page_to_virt(p); + ent->size = nr_pages << PAGE_SHIFT; + +- /* Sanity check: Can happen in 32bit arch...maybe */ +- if (ent->addr < (unsigned long) __va(0)) ++ if (!virt_addr_valid(ent->addr)) + goto free_out; + + /* cut not-mapped area. ....from ppc-32 code. */ + if (ULONG_MAX - ent->addr < ent->size) + ent->size = ULONG_MAX - ent->addr; + +- /* cut when vmalloc() area is higher than direct-map area */ +- if (VMALLOC_START > (unsigned long)__va(0)) { +- if (ent->addr > VMALLOC_START) +- goto free_out; ++ /* ++ * We've already checked virt_addr_valid so we know this address ++ * is a valid pointer, therefore we can check against it to determine ++ * if we need to trim ++ */ ++ if (VMALLOC_START > ent->addr) { + if (VMALLOC_START - ent->addr < ent->size) + ent->size = VMALLOC_START - ent->addr; + } diff --git a/queue-4.16/proc-revalidate-kernel-thread-inodes-to-root-root.patch b/queue-4.16/proc-revalidate-kernel-thread-inodes-to-root-root.patch new file mode 100644 index 00000000000..3b91c932ee2 --- /dev/null +++ b/queue-4.16/proc-revalidate-kernel-thread-inodes-to-root-root.patch @@ -0,0 +1,47 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Alexey Dobriyan +Date: Fri, 20 Apr 2018 14:56:03 -0700 +Subject: proc: revalidate kernel thread inodes to root:root + +From: Alexey Dobriyan + +[ Upstream commit 2e0ad552f5f8cd0fda02bc45fcd2b89821c62fd1 ] + +task_dump_owner() has the following code: + + mm = task->mm; + if (mm) { + if (get_dumpable(mm) != SUID_DUMP_USER) { + uid = ... + } + } + +Check for ->mm is buggy -- kernel thread might be borrowing mm +and inode will go to some random uid:gid pair. + +Link: http://lkml.kernel.org/r/20180412220109.GA20978@avx2 +Signed-off-by: Alexey Dobriyan +Cc: "Eric W. Biederman" +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/proc/base.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -1693,6 +1693,12 @@ void task_dump_owner(struct task_struct + kuid_t uid; + kgid_t gid; + ++ if (unlikely(task->flags & PF_KTHREAD)) { ++ *ruid = GLOBAL_ROOT_UID; ++ *rgid = GLOBAL_ROOT_GID; ++ return; ++ } ++ + /* Default to the tasks effective ownership */ + rcu_read_lock(); + cred = __task_cred(task); diff --git a/queue-4.16/qed-fix-l2-initializations-over-iwarp-personality.patch b/queue-4.16/qed-fix-l2-initializations-over-iwarp-personality.patch new file mode 100644 index 00000000000..d6783300737 --- /dev/null +++ b/queue-4.16/qed-fix-l2-initializations-over-iwarp-personality.patch @@ -0,0 +1,45 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Michal Kalderon +Date: Tue, 8 May 2018 21:29:18 +0300 +Subject: qed: Fix l2 initializations over iWARP personality + +From: Michal Kalderon + +[ Upstream commit af6858ee423a309d93054c361c61099b8eb12bbf ] + +If qede driver was loaded on a device configured for iWARP +the l2 mutex wouldn't be allocated, and some l2 related +resources wouldn't be freed. + +fixes: c851a9dc4359 ("qed: Introduce iWARP personality") +Signed-off-by: Michal Kalderon +Signed-off-by: Sudarsana Kalluru +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qed/qed_l2.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/qlogic/qed/qed_l2.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_l2.c +@@ -115,8 +115,7 @@ int qed_l2_alloc(struct qed_hwfn *p_hwfn + + void qed_l2_setup(struct qed_hwfn *p_hwfn) + { +- if (p_hwfn->hw_info.personality != QED_PCI_ETH && +- p_hwfn->hw_info.personality != QED_PCI_ETH_ROCE) ++ if (!QED_IS_L2_PERSONALITY(p_hwfn)) + return; + + mutex_init(&p_hwfn->p_l2_info->lock); +@@ -126,8 +125,7 @@ void qed_l2_free(struct qed_hwfn *p_hwfn + { + u32 i; + +- if (p_hwfn->hw_info.personality != QED_PCI_ETH && +- p_hwfn->hw_info.personality != QED_PCI_ETH_ROCE) ++ if (!QED_IS_L2_PERSONALITY(p_hwfn)) + return; + + if (!p_hwfn->p_l2_info) diff --git a/queue-4.16/qede-fix-gfp-flags-sent-to-rdma-event-node-allocation.patch b/queue-4.16/qede-fix-gfp-flags-sent-to-rdma-event-node-allocation.patch new file mode 100644 index 00000000000..cd852511d43 --- /dev/null +++ b/queue-4.16/qede-fix-gfp-flags-sent-to-rdma-event-node-allocation.patch @@ -0,0 +1,35 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Michal Kalderon +Date: Tue, 8 May 2018 21:29:19 +0300 +Subject: qede: Fix gfp flags sent to rdma event node allocation + +From: Michal Kalderon + +[ Upstream commit 090477e4acb31c5dd674940c7c01d4f16bd1ac41 ] + +A previous commit 4609adc27175 ("qede: Fix qedr link update") +added a flow that could allocate rdma event objects from an +interrupt path (link notification). Therefore the kzalloc call +should be done with GFP_ATOMIC. + +fixes: 4609adc27175 ("qede: Fix qedr link update") +Signed-off-by: Michal Kalderon +Signed-off-by: Sudarsana Kalluru +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qede/qede_rdma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/qlogic/qede/qede_rdma.c ++++ b/drivers/net/ethernet/qlogic/qede/qede_rdma.c +@@ -238,7 +238,7 @@ qede_rdma_get_free_event_node(struct qed + } + + if (!found) { +- event_node = kzalloc(sizeof(*event_node), GFP_KERNEL); ++ event_node = kzalloc(sizeof(*event_node), GFP_ATOMIC); + if (!event_node) { + DP_NOTICE(edev, + "qedr: Could not allocate memory for rdma work\n"); diff --git a/queue-4.16/rdma-cma-do-not-query-gid-during-qp-state-transition-to-rtr.patch b/queue-4.16/rdma-cma-do-not-query-gid-during-qp-state-transition-to-rtr.patch new file mode 100644 index 00000000000..d0cfb29c9d7 --- /dev/null +++ b/queue-4.16/rdma-cma-do-not-query-gid-during-qp-state-transition-to-rtr.patch @@ -0,0 +1,55 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Parav Pandit +Date: Wed, 2 May 2018 13:18:59 +0300 +Subject: RDMA/cma: Do not query GID during QP state transition to RTR + +From: Parav Pandit + +[ Upstream commit 9aa169213d1166d30ae357a44abbeae93459339d ] + +When commit [1] was added, SGID was queried to derive the SMAC address. +Then, later on during a refactor [2], SMAC was no longer needed. However, +the now useless GID query remained. Then during additional code changes +later on, the GID query was being done in such a way that it caused iWARP +queries to start breaking. Remove the useless GID query and resolve the +iWARP breakage at the same time. + +This is discussed in [3]. + +[1] commit dd5f03beb4f7 ("IB/core: Ethernet L2 attributes in verbs/cm structures") +[2] commit 5c266b2304fb ("IB/cm: Remove the usage of smac and vid of qp_attr and cm_av") +[3] https://www.spinics.net/lists/linux-rdma/msg63951.html + +Suggested-by: Shiraz Saleem +Signed-off-by: Parav Pandit +Signed-off-by: Leon Romanovsky +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/cma.c | 7 ------- + 1 file changed, 7 deletions(-) + +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -901,7 +901,6 @@ static int cma_modify_qp_rtr(struct rdma + { + struct ib_qp_attr qp_attr; + int qp_attr_mask, ret; +- union ib_gid sgid; + + mutex_lock(&id_priv->qp_mutex); + if (!id_priv->id.qp) { +@@ -924,12 +923,6 @@ static int cma_modify_qp_rtr(struct rdma + if (ret) + goto out; + +- ret = ib_query_gid(id_priv->id.device, id_priv->id.port_num, +- rdma_ah_read_grh(&qp_attr.ah_attr)->sgid_index, +- &sgid, NULL); +- if (ret) +- goto out; +- + BUG_ON(id_priv->cma_dev->device != id_priv->id.device); + + if (conn_param) diff --git a/queue-4.16/rdma-cma-fix-use-after-destroy-access-to-net-namespace-for-ipoib.patch b/queue-4.16/rdma-cma-fix-use-after-destroy-access-to-net-namespace-for-ipoib.patch new file mode 100644 index 00000000000..9f1c5643a4e --- /dev/null +++ b/queue-4.16/rdma-cma-fix-use-after-destroy-access-to-net-namespace-for-ipoib.patch @@ -0,0 +1,152 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Parav Pandit +Date: Tue, 24 Apr 2018 20:13:45 +0300 +Subject: RDMA/cma: Fix use after destroy access to net namespace for IPoIB + +From: Parav Pandit + +[ Upstream commit 2918c1a900252b4a0c730715ec205437c7daf79d ] + +There are few issues with validation of netdevice and listen id lookup +for IB (IPoIB) while processing incoming CM request as below. + +1. While performing lookup of bind_list in cma_ps_find(), net namespace +of the netdevice can get deleted in cma_exit_net(), resulting in use +after free access of idr and/or net namespace structures. +This lookup occurs from the workqueue context (and not userspace +context where net namespace is always valid). + + CPU0 CPU1 + ==== ==== + + bind_list = cma_ps_find(); + move netdevice to new namespace + delete net namespace + cma_exit_net() + idr_destroy(idr); + + [..] + cma_find_listener(bind_list, ..); + +2. While netdevice is validated for IP address in given net namespace, +netdevice's net namespace and/or ifindex can change in +cma_get_net_dev() and cma_match_net_dev(). + +Above issues are overcome by using rcu lock along with netdevice +UP/DOWN state as described below. +When a net namespace is getting deleted, netdevice is closed and +shutdown before moving it back to init_net namespace. +change_net_namespace() synchronizes with any existing use of netdevice +before changing the netdev properties such as net or ifindex. +Once netdevice IFF_UP flags is cleared, such fields are not guaranteed +to be valid. +Therefore, rcu lock along with netdevice state check ensures that, +while route lookup and cm_id lookup is in progress, netdevice of +interest won't migrate to any other net namespace. +This ensures that associated net namespace of netdevice won't get +deleted while rcu lock is held for netdevice which is in IFF_UP state. + +Fixes: fa20105e09e9 ("IB/cma: Add support for network namespaces") +Fixes: 4be74b42a6d0 ("IB/cma: Separate port allocation to network namespaces") +Fixes: f887f2ac87c2 ("IB/cma: Validate routing of incoming requests") +Signed-off-by: Parav Pandit +Signed-off-by: Leon Romanovsky +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/cma.c | 53 ++++++++++++++++++++++++++++++++++-------- + 1 file changed, 43 insertions(+), 10 deletions(-) + +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -420,6 +420,8 @@ struct cma_hdr { + #define CMA_VERSION 0x00 + + struct cma_req_info { ++ struct sockaddr_storage listen_addr_storage; ++ struct sockaddr_storage src_addr_storage; + struct ib_device *device; + int port; + union ib_gid local_gid; +@@ -1373,11 +1375,11 @@ static bool validate_net_dev(struct net_ + } + + static struct net_device *cma_get_net_dev(struct ib_cm_event *ib_event, +- const struct cma_req_info *req) ++ struct cma_req_info *req) + { +- struct sockaddr_storage listen_addr_storage, src_addr_storage; +- struct sockaddr *listen_addr = (struct sockaddr *)&listen_addr_storage, +- *src_addr = (struct sockaddr *)&src_addr_storage; ++ struct sockaddr *listen_addr = ++ (struct sockaddr *)&req->listen_addr_storage; ++ struct sockaddr *src_addr = (struct sockaddr *)&req->src_addr_storage; + struct net_device *net_dev; + const union ib_gid *gid = req->has_gid ? &req->local_gid : NULL; + int err; +@@ -1392,11 +1394,6 @@ static struct net_device *cma_get_net_de + if (!net_dev) + return ERR_PTR(-ENODEV); + +- if (!validate_net_dev(net_dev, listen_addr, src_addr)) { +- dev_put(net_dev); +- return ERR_PTR(-EHOSTUNREACH); +- } +- + return net_dev; + } + +@@ -1532,15 +1529,51 @@ static struct rdma_id_private *cma_id_fr + } + } + ++ /* ++ * Net namespace might be getting deleted while route lookup, ++ * cm_id lookup is in progress. Therefore, perform netdevice ++ * validation, cm_id lookup under rcu lock. ++ * RCU lock along with netdevice state check, synchronizes with ++ * netdevice migrating to different net namespace and also avoids ++ * case where net namespace doesn't get deleted while lookup is in ++ * progress. ++ * If the device state is not IFF_UP, its properties such as ifindex ++ * and nd_net cannot be trusted to remain valid without rcu lock. ++ * net/core/dev.c change_net_namespace() ensures to synchronize with ++ * ongoing operations on net device after device is closed using ++ * synchronize_net(). ++ */ ++ rcu_read_lock(); ++ if (*net_dev) { ++ /* ++ * If netdevice is down, it is likely that it is administratively ++ * down or it might be migrating to different namespace. ++ * In that case avoid further processing, as the net namespace ++ * or ifindex may change. ++ */ ++ if (((*net_dev)->flags & IFF_UP) == 0) { ++ id_priv = ERR_PTR(-EHOSTUNREACH); ++ goto err; ++ } ++ ++ if (!validate_net_dev(*net_dev, ++ (struct sockaddr *)&req.listen_addr_storage, ++ (struct sockaddr *)&req.src_addr_storage)) { ++ id_priv = ERR_PTR(-EHOSTUNREACH); ++ goto err; ++ } ++ } ++ + bind_list = cma_ps_find(*net_dev ? dev_net(*net_dev) : &init_net, + rdma_ps_from_service_id(req.service_id), + cma_port_from_service_id(req.service_id)); + id_priv = cma_find_listener(bind_list, cm_id, ib_event, &req, *net_dev); ++err: ++ rcu_read_unlock(); + if (IS_ERR(id_priv) && *net_dev) { + dev_put(*net_dev); + *net_dev = NULL; + } +- + return id_priv; + } + diff --git a/queue-4.16/rdma-hns-bugfix-for-init-hem-table.patch b/queue-4.16/rdma-hns-bugfix-for-init-hem-table.patch new file mode 100644 index 00000000000..014f3188bfa --- /dev/null +++ b/queue-4.16/rdma-hns-bugfix-for-init-hem-table.patch @@ -0,0 +1,52 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: oulijun +Date: Thu, 26 Apr 2018 14:46:15 +0800 +Subject: RDMA/hns: Bugfix for init hem table + +From: oulijun + +[ Upstream commit 215a8c09e5e2aa6ae1fbcef87f8f27d65d5d1ca4 ] + +During init hem table, type should be used instead of +table->type which is finally initializaed with type. + +Signed-off-by: Lijun Ou +Signed-off-by: Yixian Liu +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/hns/hns_roce_hem.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/infiniband/hw/hns/hns_roce_hem.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hem.c +@@ -912,7 +912,7 @@ int hns_roce_init_hem_table(struct hns_r + obj_per_chunk = buf_chunk_size / obj_size; + num_hem = (nobj + obj_per_chunk - 1) / obj_per_chunk; + bt_chunk_num = bt_chunk_size / 8; +- if (table->type >= HEM_TYPE_MTT) ++ if (type >= HEM_TYPE_MTT) + num_bt_l0 = bt_chunk_num; + + table->hem = kcalloc(num_hem, sizeof(*table->hem), +@@ -920,7 +920,7 @@ int hns_roce_init_hem_table(struct hns_r + if (!table->hem) + goto err_kcalloc_hem_buf; + +- if (check_whether_bt_num_3(table->type, hop_num)) { ++ if (check_whether_bt_num_3(type, hop_num)) { + unsigned long num_bt_l1; + + num_bt_l1 = (num_hem + bt_chunk_num - 1) / +@@ -939,8 +939,8 @@ int hns_roce_init_hem_table(struct hns_r + goto err_kcalloc_l1_dma; + } + +- if (check_whether_bt_num_2(table->type, hop_num) || +- check_whether_bt_num_3(table->type, hop_num)) { ++ if (check_whether_bt_num_2(type, hop_num) || ++ check_whether_bt_num_3(type, hop_num)) { + table->bt_l0 = kcalloc(num_bt_l0, sizeof(*table->bt_l0), + GFP_KERNEL); + if (!table->bt_l0) diff --git a/queue-4.16/rdma-hns-fix-the-qp-context-state-diagram.patch b/queue-4.16/rdma-hns-fix-the-qp-context-state-diagram.patch new file mode 100644 index 00000000000..2f619a0defc --- /dev/null +++ b/queue-4.16/rdma-hns-fix-the-qp-context-state-diagram.patch @@ -0,0 +1,33 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: oulijun +Date: Thu, 26 Apr 2018 14:46:17 +0800 +Subject: RDMA/hns: Fix the qp context state diagram + +From: oulijun + +[ Upstream commit 6e1a70943cecdca9bb13b601b1a9772a7bdcc2c3 ] + +According to RoCE protocol, it is possible to +transition from error to error state for modifying +qp in hip08. This patch fix it. + +Signed-off-by: Lijun Ou +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -3166,7 +3166,8 @@ static int hns_roce_v2_modify_qp(struct + (cur_state == IB_QPS_RTR && new_state == IB_QPS_ERR) || + (cur_state == IB_QPS_RTS && new_state == IB_QPS_ERR) || + (cur_state == IB_QPS_SQD && new_state == IB_QPS_ERR) || +- (cur_state == IB_QPS_SQE && new_state == IB_QPS_ERR)) { ++ (cur_state == IB_QPS_SQE && new_state == IB_QPS_ERR) || ++ (cur_state == IB_QPS_ERR && new_state == IB_QPS_ERR)) { + /* Nothing */ + ; + } else { diff --git a/queue-4.16/rdma-hns-intercept-illegal-rdma-operation-when-use-inline-data.patch b/queue-4.16/rdma-hns-intercept-illegal-rdma-operation-when-use-inline-data.patch new file mode 100644 index 00000000000..3139429e3fb --- /dev/null +++ b/queue-4.16/rdma-hns-intercept-illegal-rdma-operation-when-use-inline-data.patch @@ -0,0 +1,35 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: oulijun +Date: Thu, 26 Apr 2018 14:46:16 +0800 +Subject: RDMA/hns: Intercept illegal RDMA operation when use inline data + +From: oulijun + +[ Upstream commit 328d405b3d4c8dd1f06bfd77f498e23281ae348c ] + +RDMA read operation is not supported inline data. If user cofigures +issue a RDMA read and use inline data, it will happen a hardware +error. + +Signed-off-by: Lijun Ou +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -71,6 +71,11 @@ static int set_rwqe_data_seg(struct ib_q + return -EINVAL; + } + ++ if (wr->opcode == IB_WR_RDMA_READ) { ++ dev_err(hr_dev->dev, "Not support inline data!\n"); ++ return -EINVAL; ++ } ++ + for (i = 0; i < wr->num_sge; i++) { + memcpy(wqe, ((void *)wr->sg_list[i].addr), + wr->sg_list[i].length); diff --git a/queue-4.16/rdma-hns-submit-bad-wr.patch b/queue-4.16/rdma-hns-submit-bad-wr.patch new file mode 100644 index 00000000000..cc6581f4063 --- /dev/null +++ b/queue-4.16/rdma-hns-submit-bad-wr.patch @@ -0,0 +1,39 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: oulijun +Date: Thu, 26 Apr 2018 14:46:23 +0800 +Subject: RDMA/hns: Submit bad wr + +From: oulijun + +[ Upstream commit 137ae3208416278aabef3b71e0ea1052940ca362 ] + +When generated bad work reqeust, it needs to +report to user. This patch mainly fixes it. + +Signed-off-by: Lijun Ou +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -153,7 +153,7 @@ static int hns_roce_v2_post_send(struct + ibqp->qp_type != IB_QPT_GSI && + ibqp->qp_type != IB_QPT_UD)) { + dev_err(dev, "Not supported QP(0x%x)type!\n", ibqp->qp_type); +- *bad_wr = NULL; ++ *bad_wr = wr; + return -EOPNOTSUPP; + } + +@@ -461,6 +461,7 @@ static int hns_roce_v2_post_send(struct + } else { + dev_err(dev, "Illegal qp_type(0x%x)\n", ibqp->qp_type); + spin_unlock_irqrestore(&qp->sq.lock, flags); ++ *bad_wr = wr; + return -EOPNOTSUPP; + } + } diff --git a/queue-4.16/rdma-iwpm-fix-memory-leak-on-map_info.patch b/queue-4.16/rdma-iwpm-fix-memory-leak-on-map_info.patch new file mode 100644 index 00000000000..5947d1bdbda --- /dev/null +++ b/queue-4.16/rdma-iwpm-fix-memory-leak-on-map_info.patch @@ -0,0 +1,48 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Colin Ian King +Date: Wed, 25 Apr 2018 17:24:04 +0100 +Subject: RDMA/iwpm: fix memory leak on map_info + +From: Colin Ian King + +[ Upstream commit f96416cea7bce9afe619c15e87fced70f93f9098 ] + +In the cases where iwpm_hash_bucket is NULL and where function +get_mapinfo_hash_bucket returns NULL then the map_info is never added +to hash_bucket_head and hence there is a leak of map_info. Fix this +by nullifying hash_bucket_head and if that is null we know that +that map_info was not added to hash_bucket_head and hence map_info +should be free'd. + +Detected by CoverityScan, CID#1222481 ("Resource Leak") + +Fixes: 30dc5e63d6a5 ("RDMA/core: Add support for iWARP Port Mapper user space service") +Signed-off-by: Colin Ian King +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/iwpm_util.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/core/iwpm_util.c ++++ b/drivers/infiniband/core/iwpm_util.c +@@ -114,7 +114,7 @@ int iwpm_create_mapinfo(struct sockaddr_ + struct sockaddr_storage *mapped_sockaddr, + u8 nl_client) + { +- struct hlist_head *hash_bucket_head; ++ struct hlist_head *hash_bucket_head = NULL; + struct iwpm_mapping_info *map_info; + unsigned long flags; + int ret = -EINVAL; +@@ -142,6 +142,9 @@ int iwpm_create_mapinfo(struct sockaddr_ + } + } + spin_unlock_irqrestore(&iwpm_mapinfo_lock, flags); ++ ++ if (!hash_bucket_head) ++ kfree(map_info); + return ret; + } + diff --git a/queue-4.16/rdma-mlx5-properly-check-return-value-of-mlx5_get_uars_page.patch b/queue-4.16/rdma-mlx5-properly-check-return-value-of-mlx5_get_uars_page.patch new file mode 100644 index 00000000000..6fa4b4b3639 --- /dev/null +++ b/queue-4.16/rdma-mlx5-properly-check-return-value-of-mlx5_get_uars_page.patch @@ -0,0 +1,36 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Leon Romanovsky +Date: Mon, 23 Apr 2018 17:01:56 +0300 +Subject: RDMA/mlx5: Properly check return value of mlx5_get_uars_page + +From: Leon Romanovsky + +[ Upstream commit 444261ca6ff201fa03de97a5041237e67a9d8d31 ] + +Starting from commit 72f36be06138 ("net/mlx5: Fix mlx5_get_uars_page to +return error code") the mlx5_get_uars_page() call returns error in case +of failure, but it was mistakenly overlooked in the merge commit. + +Fixes: e7996a9a77fc ("Merge tag v4.15 of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux-2.6.git") +Reported-by: Alaa Hleihel +Signed-off-by: Leon Romanovsky +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/mlx5/main.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/infiniband/hw/mlx5/main.c ++++ b/drivers/infiniband/hw/mlx5/main.c +@@ -4833,9 +4833,7 @@ static void mlx5_ib_stage_cong_debugfs_c + static int mlx5_ib_stage_uar_init(struct mlx5_ib_dev *dev) + { + dev->mdev->priv.uar = mlx5_get_uars_page(dev->mdev); +- if (!dev->mdev->priv.uar) +- return -ENOMEM; +- return 0; ++ return PTR_ERR_OR_ZERO(dev->mdev->priv.uar); + } + + static void mlx5_ib_stage_uar_cleanup(struct mlx5_ib_dev *dev) diff --git a/queue-4.16/rds-ib-fix-missing-call-to-rds_ib_dev_put-in-rds_ib_setup_qp.patch b/queue-4.16/rds-ib-fix-missing-call-to-rds_ib_dev_put-in-rds_ib_setup_qp.patch new file mode 100644 index 00000000000..4bd0549d67a --- /dev/null +++ b/queue-4.16/rds-ib-fix-missing-call-to-rds_ib_dev_put-in-rds_ib_setup_qp.patch @@ -0,0 +1,43 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Dag Moxnes +Date: Wed, 25 Apr 2018 13:22:01 +0200 +Subject: rds: ib: Fix missing call to rds_ib_dev_put in rds_ib_setup_qp + +From: Dag Moxnes + +[ Upstream commit 91a825290ca4eae88603bc811bf74a45f94a3f46 ] + +The function rds_ib_setup_qp is calling rds_ib_get_client_data and +should correspondingly call rds_ib_dev_put. This call was lost in +the non-error path with the introduction of error handling done in +commit 3b12f73a5c29 ("rds: ib: add error handle") + +Signed-off-by: Dag Moxnes +Reviewed-by: HÃ¥kon Bugge +Acked-by: Santosh Shilimkar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/rds/ib_cm.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/rds/ib_cm.c ++++ b/net/rds/ib_cm.c +@@ -547,7 +547,7 @@ static int rds_ib_setup_qp(struct rds_co + rdsdebug("conn %p pd %p cq %p %p\n", conn, ic->i_pd, + ic->i_send_cq, ic->i_recv_cq); + +- return ret; ++ goto out; + + sends_out: + vfree(ic->i_sends); +@@ -572,6 +572,7 @@ send_cq_out: + ic->i_send_cq = NULL; + rds_ibdev_out: + rds_ib_remove_conn(rds_ibdev, conn); ++out: + rds_ib_dev_put(rds_ibdev); + + return ret; diff --git a/queue-4.16/remoteproc-qcom-fix-potential-device-node-leaks.patch b/queue-4.16/remoteproc-qcom-fix-potential-device-node-leaks.patch new file mode 100644 index 00000000000..1c5d25fcb29 --- /dev/null +++ b/queue-4.16/remoteproc-qcom-fix-potential-device-node-leaks.patch @@ -0,0 +1,40 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Tobias Jordan +Date: Thu, 15 Feb 2018 16:12:55 +0100 +Subject: remoteproc: qcom: Fix potential device node leaks + +From: Tobias Jordan + +[ Upstream commit 278d744c46fd4f1925aec77752d18a0e4a9cbec3 ] + +Add missing of_node_put()s at two places for device nodes returned by +of_parse_phandle(). + +Fixes: 051fb70fd4ea ("remoteproc: qcom: Driver for the self-authenticating + Hexagon v5") +Signed-off-by: Tobias Jordan +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/remoteproc/qcom_q6v5_pil.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/remoteproc/qcom_q6v5_pil.c ++++ b/drivers/remoteproc/qcom_q6v5_pil.c +@@ -1088,6 +1088,7 @@ static int q6v5_alloc_memory_region(stru + dev_err(qproc->dev, "unable to resolve mba region\n"); + return ret; + } ++ of_node_put(node); + + qproc->mba_phys = r.start; + qproc->mba_size = resource_size(&r); +@@ -1105,6 +1106,7 @@ static int q6v5_alloc_memory_region(stru + dev_err(qproc->dev, "unable to resolve mpss region\n"); + return ret; + } ++ of_node_put(node); + + qproc->mpss_phys = qproc->mpss_reloc = r.start; + qproc->mpss_size = resource_size(&r); diff --git a/queue-4.16/reset-uniphier-fix-usb-clock-line-for-ld20.patch b/queue-4.16/reset-uniphier-fix-usb-clock-line-for-ld20.patch new file mode 100644 index 00000000000..3e64278184d --- /dev/null +++ b/queue-4.16/reset-uniphier-fix-usb-clock-line-for-ld20.patch @@ -0,0 +1,45 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Masahiro Yamada +Date: Thu, 12 Apr 2018 11:16:10 +0900 +Subject: reset: uniphier: fix USB clock line for LD20 + +From: Masahiro Yamada + +[ Upstream commit e6914365fd280fce303a89b8a8d4529af5a2e0f9 ] + +For LD20, the bit 5 of the offset 0x200c turned out to be a USB3 +reset. The hardware document says it is the GIO reset despite LD20 +has no GIO bus, confusingly. + +Also, fix confusing comments for PXs3. + +Signed-off-by: Masahiro Yamada +Signed-off-by: Philipp Zabel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/reset/reset-uniphier.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/reset/reset-uniphier.c ++++ b/drivers/reset/reset-uniphier.c +@@ -107,7 +107,7 @@ static const struct uniphier_reset_data + UNIPHIER_RESETX(4, 0x200c, 2), /* eMMC */ + UNIPHIER_RESETX(6, 0x200c, 6), /* Ether */ + UNIPHIER_RESETX(8, 0x200c, 8), /* STDMAC (HSC) */ +- UNIPHIER_RESETX(12, 0x200c, 5), /* GIO (PCIe, USB3) */ ++ UNIPHIER_RESETX(14, 0x200c, 5), /* USB30 */ + UNIPHIER_RESETX(16, 0x200c, 12), /* USB30-PHY0 */ + UNIPHIER_RESETX(17, 0x200c, 13), /* USB30-PHY1 */ + UNIPHIER_RESETX(18, 0x200c, 14), /* USB30-PHY2 */ +@@ -122,8 +122,8 @@ static const struct uniphier_reset_data + UNIPHIER_RESETX(2, 0x200c, 0), /* NAND */ + UNIPHIER_RESETX(4, 0x200c, 2), /* eMMC */ + UNIPHIER_RESETX(8, 0x200c, 12), /* STDMAC */ +- UNIPHIER_RESETX(12, 0x200c, 4), /* USB30 link (GIO0) */ +- UNIPHIER_RESETX(13, 0x200c, 5), /* USB31 link (GIO1) */ ++ UNIPHIER_RESETX(12, 0x200c, 4), /* USB30 link */ ++ UNIPHIER_RESETX(13, 0x200c, 5), /* USB31 link */ + UNIPHIER_RESETX(16, 0x200c, 16), /* USB30-PHY0 */ + UNIPHIER_RESETX(17, 0x200c, 18), /* USB30-PHY1 */ + UNIPHIER_RESETX(18, 0x200c, 20), /* USB30-PHY2 */ diff --git a/queue-4.16/risc-v-build-vdso-dummy.o-with-no-pie.patch b/queue-4.16/risc-v-build-vdso-dummy.o-with-no-pie.patch new file mode 100644 index 00000000000..9980ec2e9eb --- /dev/null +++ b/queue-4.16/risc-v-build-vdso-dummy.o-with-no-pie.patch @@ -0,0 +1,48 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Aurelien Jarno +Date: Wed, 21 Mar 2018 22:26:31 +0100 +Subject: RISC-V: build vdso-dummy.o with -no-pie + +From: Aurelien Jarno + +[ Upstream commit 85602bea297fc4e5223adbf7006dcce9aa694f17 ] + +Debian toolcahin defaults to PIE, and I guess that will also be the case +of most distributions. This causes the following build failure: + + AS arch/riscv/kernel/vdso/getcpu.o + AS arch/riscv/kernel/vdso/flush_icache.o + VDSOLD arch/riscv/kernel/vdso/vdso.so.dbg + OBJCOPY arch/riscv/kernel/vdso/vdso.so + AS arch/riscv/kernel/vdso/vdso.o + VDSOLD arch/riscv/kernel/vdso/vdso-dummy.o + LD arch/riscv/kernel/vdso/vdso-syms.o +riscv64-linux-gnu-ld: attempted static link of dynamic object `arch/riscv/kernel/vdso/vdso-dummy.o' +make[2]: *** [arch/riscv/kernel/vdso/Makefile:43: arch/riscv/kernel/vdso/vdso-syms.o] Error 1 +make[1]: *** [scripts/Makefile.build:575: arch/riscv/kernel/vdso] Error 2 +make: *** [Makefile:1018: arch/riscv/kernel] Error 2 + +While the root Makefile correctly passes "-fno-PIE" to build individual +object files, the RISC-V kernel also builds vdso-dummy.o as an +executable, which is therefore linked as PIE. Fix that by updating this +specific link rule to also include "-no-pie". + +Signed-off-by: Aurelien Jarno +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/kernel/vdso/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/riscv/kernel/vdso/Makefile ++++ b/arch/riscv/kernel/vdso/Makefile +@@ -52,7 +52,7 @@ $(obj)/%.so: $(obj)/%.so.dbg FORCE + # Add -lgcc so rv32 gets static muldi3 and lshrdi3 definitions. + # Make sure only to export the intended __vdso_xxx symbol offsets. + quiet_cmd_vdsold = VDSOLD $@ +- cmd_vdsold = $(CC) $(KCFLAGS) -nostdlib $(SYSCFLAGS_$(@F)) \ ++ cmd_vdsold = $(CC) $(KCFLAGS) $(call cc-option, -no-pie) -nostdlib $(SYSCFLAGS_$(@F)) \ + -Wl,-T,$(filter-out FORCE,$^) -o $@.tmp -lgcc && \ + $(CROSS_COMPILE)objcopy \ + $(patsubst %, -G __vdso_%, $(vdso-syms)) $@.tmp $@ diff --git a/queue-4.16/riscv-select-dma_direct_ops-instead-of-redefining-it.patch b/queue-4.16/riscv-select-dma_direct_ops-instead-of-redefining-it.patch new file mode 100644 index 00000000000..6bdf9139377 --- /dev/null +++ b/queue-4.16/riscv-select-dma_direct_ops-instead-of-redefining-it.patch @@ -0,0 +1,40 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Christoph Hellwig +Date: Mon, 16 Apr 2018 14:53:51 +0200 +Subject: riscv: select DMA_DIRECT_OPS instead of redefining it + +From: Christoph Hellwig + +[ Upstream commit 86e11757d8b28d8266065beaa9d391d49426797b ] + +DMA_DIRECT_OPS is defined in lib/Kconfig, so don't duplicate it in +arch/riscv/Kconfig. + +Signed-off-by: Christoph Hellwig +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/Kconfig | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/arch/riscv/Kconfig ++++ b/arch/riscv/Kconfig +@@ -11,6 +11,7 @@ config RISCV + select ARCH_WANT_FRAME_POINTERS + select CLONE_BACKWARDS + select COMMON_CLK ++ select DMA_DIRECT_OPS + select GENERIC_CLOCKEVENTS + select GENERIC_CPU_DEVICES + select GENERIC_IRQ_SHOW +@@ -88,9 +89,6 @@ config PGTABLE_LEVELS + config HAVE_KPROBES + def_bool n + +-config DMA_DIRECT_OPS +- def_bool y +- + menu "Platform type" + + choice diff --git a/queue-4.16/rpmsg-added-module_alias-for-rpmsg_char.patch b/queue-4.16/rpmsg-added-module_alias-for-rpmsg_char.patch new file mode 100644 index 00000000000..fe4df58e0ed --- /dev/null +++ b/queue-4.16/rpmsg-added-module_alias-for-rpmsg_char.patch @@ -0,0 +1,29 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Ramon Fried +Date: Fri, 23 Mar 2018 00:09:12 -0400 +Subject: rpmsg: added MODULE_ALIAS for rpmsg_char + +From: Ramon Fried + +[ Upstream commit 93dd4e73c0d9cc32f835d76a54257020b0bfc75a ] + +Added "rpmsg:rpmsg_chrdev" MODULE_ALIAS to autoload +rpmg_chrdev module automatically. + +Signed-off-by: Ramon Fried +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rpmsg/rpmsg_char.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/rpmsg/rpmsg_char.c ++++ b/drivers/rpmsg/rpmsg_char.c +@@ -581,4 +581,6 @@ static void rpmsg_chrdev_exit(void) + unregister_chrdev_region(rpmsg_major, RPMSG_DEV_MAX); + } + module_exit(rpmsg_chrdev_exit); ++ ++MODULE_ALIAS("rpmsg:rpmsg_chrdev"); + MODULE_LICENSE("GPL v2"); diff --git a/queue-4.16/rxrpc-fix-error-reception-on-af_inet6-sockets.patch b/queue-4.16/rxrpc-fix-error-reception-on-af_inet6-sockets.patch new file mode 100644 index 00000000000..bbee11c63a6 --- /dev/null +++ b/queue-4.16/rxrpc-fix-error-reception-on-af_inet6-sockets.patch @@ -0,0 +1,94 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: David Howells +Date: Thu, 10 May 2018 23:26:00 +0100 +Subject: rxrpc: Fix error reception on AF_INET6 sockets + +From: David Howells + +[ Upstream commit f2aeed3a591ff29a82495eeaa92ac4780bad7487 ] + +AF_RXRPC tries to turn on IP_RECVERR and IP_MTU_DISCOVER on the UDP socket +it just opened for communications with the outside world, regardless of the +type of socket. Unfortunately, this doesn't work with an AF_INET6 socket. + +Fix this by turning on IPV6_RECVERR and IPV6_MTU_DISCOVER instead if the +socket is of the AF_INET6 family. + +Without this, kAFS server and address rotation doesn't work correctly +because the algorithm doesn't detect received network errors. + +Fixes: 75b54cb57ca3 ("rxrpc: Add IPv6 support") +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/local_object.c | 57 ++++++++++++++++++++++++++++++++++------------- + 1 file changed, 42 insertions(+), 15 deletions(-) + +--- a/net/rxrpc/local_object.c ++++ b/net/rxrpc/local_object.c +@@ -133,22 +133,49 @@ static int rxrpc_open_socket(struct rxrp + } + } + +- /* we want to receive ICMP errors */ +- opt = 1; +- ret = kernel_setsockopt(local->socket, SOL_IP, IP_RECVERR, +- (char *) &opt, sizeof(opt)); +- if (ret < 0) { +- _debug("setsockopt failed"); +- goto error; +- } ++ switch (local->srx.transport.family) { ++ case AF_INET: ++ /* we want to receive ICMP errors */ ++ opt = 1; ++ ret = kernel_setsockopt(local->socket, SOL_IP, IP_RECVERR, ++ (char *) &opt, sizeof(opt)); ++ if (ret < 0) { ++ _debug("setsockopt failed"); ++ goto error; ++ } ++ ++ /* we want to set the don't fragment bit */ ++ opt = IP_PMTUDISC_DO; ++ ret = kernel_setsockopt(local->socket, SOL_IP, IP_MTU_DISCOVER, ++ (char *) &opt, sizeof(opt)); ++ if (ret < 0) { ++ _debug("setsockopt failed"); ++ goto error; ++ } ++ break; ++ ++ case AF_INET6: ++ /* we want to receive ICMP errors */ ++ opt = 1; ++ ret = kernel_setsockopt(local->socket, SOL_IPV6, IPV6_RECVERR, ++ (char *) &opt, sizeof(opt)); ++ if (ret < 0) { ++ _debug("setsockopt failed"); ++ goto error; ++ } ++ ++ /* we want to set the don't fragment bit */ ++ opt = IPV6_PMTUDISC_DO; ++ ret = kernel_setsockopt(local->socket, SOL_IPV6, IPV6_MTU_DISCOVER, ++ (char *) &opt, sizeof(opt)); ++ if (ret < 0) { ++ _debug("setsockopt failed"); ++ goto error; ++ } ++ break; + +- /* we want to set the don't fragment bit */ +- opt = IP_PMTUDISC_DO; +- ret = kernel_setsockopt(local->socket, SOL_IP, IP_MTU_DISCOVER, +- (char *) &opt, sizeof(opt)); +- if (ret < 0) { +- _debug("setsockopt failed"); +- goto error; ++ default: ++ BUG(); + } + + /* set the socket up */ diff --git a/queue-4.16/rxrpc-fix-missing-start-of-call-timeout.patch b/queue-4.16/rxrpc-fix-missing-start-of-call-timeout.patch new file mode 100644 index 00000000000..a9063d43009 --- /dev/null +++ b/queue-4.16/rxrpc-fix-missing-start-of-call-timeout.patch @@ -0,0 +1,99 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: David Howells +Date: Thu, 10 May 2018 23:26:00 +0100 +Subject: rxrpc: Fix missing start of call timeout + +From: David Howells + +[ Upstream commit c54e43d752c7187595c8c62a231e0b0d53c7fded ] + +The expect_rx_by call timeout is supposed to be set when a call is started +to indicate that we need to receive a packet by that point. This is +currently put back every time we receive a packet, but it isn't started +when we first send a packet. Without this, the call may wait forever if +the server doesn't deign to reply. + +Fix this by setting the timeout upon a successful UDP sendmsg call for the +first DATA packet. The timeout is initiated only for initial transmission +and not for subsequent retries as we don't want the retry mechanism to +extend the timeout indefinitely. + +Fixes: a158bdd3247b ("rxrpc: Fix call timeouts") +Reported-by: Marc Dionne +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/ar-internal.h | 1 + + net/rxrpc/input.c | 2 +- + net/rxrpc/output.c | 11 +++++++++++ + net/rxrpc/sendmsg.c | 10 ++++++++++ + 4 files changed, 23 insertions(+), 1 deletion(-) + +--- a/net/rxrpc/ar-internal.h ++++ b/net/rxrpc/ar-internal.h +@@ -464,6 +464,7 @@ enum rxrpc_call_flag { + RXRPC_CALL_SEND_PING, /* A ping will need to be sent */ + RXRPC_CALL_PINGING, /* Ping in process */ + RXRPC_CALL_RETRANS_TIMEOUT, /* Retransmission due to timeout occurred */ ++ RXRPC_CALL_BEGAN_RX_TIMER, /* We began the expect_rx_by timer */ + }; + + /* +--- a/net/rxrpc/input.c ++++ b/net/rxrpc/input.c +@@ -971,7 +971,7 @@ static void rxrpc_input_call_packet(stru + if (timo) { + unsigned long now = jiffies, expect_rx_by; + +- expect_rx_by = jiffies + timo; ++ expect_rx_by = now + timo; + WRITE_ONCE(call->expect_rx_by, expect_rx_by); + rxrpc_reduce_call_timer(call, expect_rx_by, now, + rxrpc_timer_set_for_normal); +--- a/net/rxrpc/output.c ++++ b/net/rxrpc/output.c +@@ -407,6 +407,17 @@ done: + rxrpc_timer_set_for_lost_ack); + } + } ++ ++ if (sp->hdr.seq == 1 && ++ !test_and_set_bit(RXRPC_CALL_BEGAN_RX_TIMER, ++ &call->flags)) { ++ unsigned long nowj = jiffies, expect_rx_by; ++ ++ expect_rx_by = nowj + call->next_rx_timo; ++ WRITE_ONCE(call->expect_rx_by, expect_rx_by); ++ rxrpc_reduce_call_timer(call, expect_rx_by, nowj, ++ rxrpc_timer_set_for_normal); ++ } + } + + rxrpc_set_keepalive(call); +--- a/net/rxrpc/sendmsg.c ++++ b/net/rxrpc/sendmsg.c +@@ -223,6 +223,15 @@ static void rxrpc_queue_packet(struct rx + + ret = rxrpc_send_data_packet(call, skb, false); + if (ret < 0) { ++ switch (ret) { ++ case -ENETUNREACH: ++ case -EHOSTUNREACH: ++ case -ECONNREFUSED: ++ rxrpc_set_call_completion(call, ++ RXRPC_CALL_LOCAL_ERROR, ++ 0, ret); ++ goto out; ++ } + _debug("need instant resend %d", ret); + rxrpc_instant_resend(call, ix); + } else { +@@ -241,6 +250,7 @@ static void rxrpc_queue_packet(struct rx + rxrpc_timer_set_for_send); + } + ++out: + rxrpc_free_skb(skb, rxrpc_skb_tx_freed); + _leave(""); + } diff --git a/queue-4.16/rxrpc-fix-the-min-security-level-for-kernel-calls.patch b/queue-4.16/rxrpc-fix-the-min-security-level-for-kernel-calls.patch new file mode 100644 index 00000000000..588a8938ff0 --- /dev/null +++ b/queue-4.16/rxrpc-fix-the-min-security-level-for-kernel-calls.patch @@ -0,0 +1,31 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: David Howells +Date: Thu, 10 May 2018 23:26:01 +0100 +Subject: rxrpc: Fix the min security level for kernel calls + +From: David Howells + +[ Upstream commit 93864fc3ffcc4bf70e96cfb5cc6e941630419ad0 ] + +Fix the kernel call initiation to set the minimum security level for kernel +initiated calls (such as from kAFS) from the sockopt value. + +Fixes: 19ffa01c9c45 ("rxrpc: Use structs to hold connection params and protocol info") +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/af_rxrpc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/rxrpc/af_rxrpc.c ++++ b/net/rxrpc/af_rxrpc.c +@@ -310,7 +310,7 @@ struct rxrpc_call *rxrpc_kernel_begin_ca + memset(&cp, 0, sizeof(cp)); + cp.local = rx->local; + cp.key = key; +- cp.security_level = 0; ++ cp.security_level = rx->min_sec_level; + cp.exclusive = false; + cp.upgrade = upgrade; + cp.service_id = srx->srx_service; diff --git a/queue-4.16/s390-qeth-fix-mac-address-update-sequence.patch b/queue-4.16/s390-qeth-fix-mac-address-update-sequence.patch new file mode 100644 index 00000000000..8aaa6aa6b2c --- /dev/null +++ b/queue-4.16/s390-qeth-fix-mac-address-update-sequence.patch @@ -0,0 +1,124 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Julian Wiedmann +Date: Thu, 19 Apr 2018 12:52:09 +0200 +Subject: s390/qeth: fix MAC address update sequence + +From: Julian Wiedmann + +[ Upstream commit bcacfcbc82b4235d280ed9b067aa4567f4a0c756 ] + +When changing the MAC address on a L2 qeth device, current code first +unregisters the old address, then registers the new one. +If HW rejects the new address (or the IO fails), the device ends up with +no operable address at all. + +Re-order the code flow so that the old address only gets dropped if the +new address was registered successfully. While at it, add logic to catch +some corner-cases. + +Signed-off-by: Julian Wiedmann +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/net/qeth_l2_main.c | 55 ++++++++++++++++++++++------------------ + 1 file changed, 31 insertions(+), 24 deletions(-) + +--- a/drivers/s390/net/qeth_l2_main.c ++++ b/drivers/s390/net/qeth_l2_main.c +@@ -122,13 +122,10 @@ static int qeth_l2_send_setmac(struct qe + QETH_CARD_TEXT(card, 2, "L2Setmac"); + rc = qeth_l2_send_setdelmac(card, mac, IPA_CMD_SETVMAC); + if (rc == 0) { +- card->info.mac_bits |= QETH_LAYER2_MAC_REGISTERED; +- ether_addr_copy(card->dev->dev_addr, mac); + dev_info(&card->gdev->dev, +- "MAC address %pM successfully registered on device %s\n", +- card->dev->dev_addr, card->dev->name); ++ "MAC address %pM successfully registered on device %s\n", ++ mac, card->dev->name); + } else { +- card->info.mac_bits &= ~QETH_LAYER2_MAC_REGISTERED; + switch (rc) { + case -EEXIST: + dev_warn(&card->gdev->dev, +@@ -143,19 +140,6 @@ static int qeth_l2_send_setmac(struct qe + return rc; + } + +-static int qeth_l2_send_delmac(struct qeth_card *card, __u8 *mac) +-{ +- int rc; +- +- QETH_CARD_TEXT(card, 2, "L2Delmac"); +- if (!(card->info.mac_bits & QETH_LAYER2_MAC_REGISTERED)) +- return 0; +- rc = qeth_l2_send_setdelmac(card, mac, IPA_CMD_DELVMAC); +- if (rc == 0) +- card->info.mac_bits &= ~QETH_LAYER2_MAC_REGISTERED; +- return rc; +-} +- + static int qeth_l2_write_mac(struct qeth_card *card, u8 *mac) + { + enum qeth_ipa_cmds cmd = is_multicast_ether_addr_64bits(mac) ? +@@ -522,6 +506,7 @@ static int qeth_l2_set_mac_address(struc + { + struct sockaddr *addr = p; + struct qeth_card *card = dev->ml_priv; ++ u8 old_addr[ETH_ALEN]; + int rc = 0; + + QETH_CARD_TEXT(card, 3, "setmac"); +@@ -533,14 +518,35 @@ static int qeth_l2_set_mac_address(struc + return -EOPNOTSUPP; + } + QETH_CARD_HEX(card, 3, addr->sa_data, ETH_ALEN); ++ if (!is_valid_ether_addr(addr->sa_data)) ++ return -EADDRNOTAVAIL; ++ + if (qeth_wait_for_threads(card, QETH_RECOVER_THREAD)) { + QETH_CARD_TEXT(card, 3, "setmcREC"); + return -ERESTARTSYS; + } +- rc = qeth_l2_send_delmac(card, &card->dev->dev_addr[0]); +- if (!rc || (rc == -ENOENT)) +- rc = qeth_l2_send_setmac(card, addr->sa_data); +- return rc ? -EINVAL : 0; ++ ++ if (!qeth_card_hw_is_reachable(card)) { ++ ether_addr_copy(dev->dev_addr, addr->sa_data); ++ return 0; ++ } ++ ++ /* don't register the same address twice */ ++ if (ether_addr_equal_64bits(dev->dev_addr, addr->sa_data) && ++ (card->info.mac_bits & QETH_LAYER2_MAC_REGISTERED)) ++ return 0; ++ ++ /* add the new address, switch over, drop the old */ ++ rc = qeth_l2_send_setmac(card, addr->sa_data); ++ if (rc) ++ return rc; ++ ether_addr_copy(old_addr, dev->dev_addr); ++ ether_addr_copy(dev->dev_addr, addr->sa_data); ++ ++ if (card->info.mac_bits & QETH_LAYER2_MAC_REGISTERED) ++ qeth_l2_remove_mac(card, old_addr); ++ card->info.mac_bits |= QETH_LAYER2_MAC_REGISTERED; ++ return 0; + } + + static void qeth_promisc_to_bridge(struct qeth_card *card) +@@ -1067,8 +1073,9 @@ static int __qeth_l2_set_online(struct c + goto out_remove; + } + +- if (card->info.type != QETH_CARD_TYPE_OSN) +- qeth_l2_send_setmac(card, &card->dev->dev_addr[0]); ++ if (card->info.type != QETH_CARD_TYPE_OSN && ++ !qeth_l2_send_setmac(card, card->dev->dev_addr)) ++ card->info.mac_bits |= QETH_LAYER2_MAC_REGISTERED; + + if (qeth_is_diagass_supported(card, QETH_DIAGS_CMD_TRAP)) { + if (card->info.hwtrap && diff --git a/queue-4.16/s390-qeth-fix-request-side-race-during-cmd-io-timeout.patch b/queue-4.16/s390-qeth-fix-request-side-race-during-cmd-io-timeout.patch new file mode 100644 index 00000000000..2acf345701a --- /dev/null +++ b/queue-4.16/s390-qeth-fix-request-side-race-during-cmd-io-timeout.patch @@ -0,0 +1,209 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Julian Wiedmann +Date: Thu, 19 Apr 2018 12:52:10 +0200 +Subject: s390/qeth: fix request-side race during cmd IO timeout + +From: Julian Wiedmann + +[ Upstream commit db71bbbd11a4d314f0fa3fbf3369b71cf33ce33c ] + +Submitting a cmd IO request (usually on the WRITE device, but for IDX +also on the READ device) is currently done with ccw_device_start() +and a manual timeout in the caller. +On timeout, the caller cleans up the related resources (eg. IO buffer). +But 1) the IO might still be active and utilize those resources, and + 2) when the IO completes, qeth_irq() will attempt to clean up the + same resources again. + +Instead of introducing additional resource locking, switch to +ccw_device_start_timeout() to ensure IO termination after timeout, and +let the IRQ handler alone deal with cleaning up after a request. + +This also removes a stray write->irq_pending reset from +clear_ipacmd_list(). The routine doesn't terminate any pending IO on +the WRITE device, so this should be handled properly via IO timeout +in the IRQ handler. + +Signed-off-by: Julian Wiedmann +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/net/qeth_core_main.c | 51 +++++++++++++++++++------------------- + drivers/s390/net/qeth_core_mpc.h | 12 ++++++++ + drivers/s390/net/qeth_l2_main.c | 4 +- + 3 files changed, 40 insertions(+), 27 deletions(-) + +--- a/drivers/s390/net/qeth_core_main.c ++++ b/drivers/s390/net/qeth_core_main.c +@@ -706,7 +706,6 @@ void qeth_clear_ipacmd_list(struct qeth_ + qeth_put_reply(reply); + } + spin_unlock_irqrestore(&card->lock, flags); +- atomic_set(&card->write.irq_pending, 0); + } + EXPORT_SYMBOL_GPL(qeth_clear_ipacmd_list); + +@@ -1101,14 +1100,9 @@ static void qeth_irq(struct ccw_device * + { + int rc; + int cstat, dstat; ++ struct qeth_cmd_buffer *iob = NULL; + struct qeth_channel *channel; + struct qeth_card *card; +- struct qeth_cmd_buffer *iob; +- +- if (__qeth_check_irb_error(cdev, intparm, irb)) +- return; +- cstat = irb->scsw.cmd.cstat; +- dstat = irb->scsw.cmd.dstat; + + card = CARD_FROM_CDEV(cdev); + if (!card) +@@ -1126,6 +1120,19 @@ static void qeth_irq(struct ccw_device * + channel = &card->data; + QETH_CARD_TEXT(card, 5, "data"); + } ++ ++ if (qeth_intparm_is_iob(intparm)) ++ iob = (struct qeth_cmd_buffer *) __va((addr_t)intparm); ++ ++ if (__qeth_check_irb_error(cdev, intparm, irb)) { ++ /* IO was terminated, free its resources. */ ++ if (iob) ++ qeth_release_buffer(iob->channel, iob); ++ atomic_set(&channel->irq_pending, 0); ++ wake_up(&card->wait_q); ++ return; ++ } ++ + atomic_set(&channel->irq_pending, 0); + + if (irb->scsw.cmd.fctl & (SCSW_FCTL_CLEAR_FUNC)) +@@ -1149,6 +1156,10 @@ static void qeth_irq(struct ccw_device * + /* we don't have to handle this further */ + intparm = 0; + } ++ ++ cstat = irb->scsw.cmd.cstat; ++ dstat = irb->scsw.cmd.dstat; ++ + if ((dstat & DEV_STAT_UNIT_EXCEP) || + (dstat & DEV_STAT_UNIT_CHECK) || + (cstat)) { +@@ -1187,11 +1198,8 @@ static void qeth_irq(struct ccw_device * + channel->state == CH_STATE_UP) + __qeth_issue_next_read(card); + +- if (intparm) { +- iob = (struct qeth_cmd_buffer *) __va((addr_t)intparm); +- if (iob->callback) +- iob->callback(iob->channel, iob); +- } ++ if (iob && iob->callback) ++ iob->callback(iob->channel, iob); + + out: + wake_up(&card->wait_q); +@@ -1862,8 +1870,8 @@ static int qeth_idx_activate_get_answer( + atomic_cmpxchg(&channel->irq_pending, 0, 1) == 0); + QETH_DBF_TEXT(SETUP, 6, "noirqpnd"); + spin_lock_irqsave(get_ccwdev_lock(channel->ccwdev), flags); +- rc = ccw_device_start(channel->ccwdev, +- &channel->ccw, (addr_t) iob, 0, 0); ++ rc = ccw_device_start_timeout(channel->ccwdev, &channel->ccw, ++ (addr_t) iob, 0, 0, QETH_TIMEOUT); + spin_unlock_irqrestore(get_ccwdev_lock(channel->ccwdev), flags); + + if (rc) { +@@ -1880,7 +1888,6 @@ static int qeth_idx_activate_get_answer( + if (channel->state != CH_STATE_UP) { + rc = -ETIME; + QETH_DBF_TEXT_(SETUP, 2, "3err%d", rc); +- qeth_clear_cmd_buffers(channel); + } else + rc = 0; + return rc; +@@ -1934,8 +1941,8 @@ static int qeth_idx_activate_channel(str + atomic_cmpxchg(&channel->irq_pending, 0, 1) == 0); + QETH_DBF_TEXT(SETUP, 6, "noirqpnd"); + spin_lock_irqsave(get_ccwdev_lock(channel->ccwdev), flags); +- rc = ccw_device_start(channel->ccwdev, +- &channel->ccw, (addr_t) iob, 0, 0); ++ rc = ccw_device_start_timeout(channel->ccwdev, &channel->ccw, ++ (addr_t) iob, 0, 0, QETH_TIMEOUT); + spin_unlock_irqrestore(get_ccwdev_lock(channel->ccwdev), flags); + + if (rc) { +@@ -1956,7 +1963,6 @@ static int qeth_idx_activate_channel(str + QETH_DBF_MESSAGE(2, "%s IDX activate timed out\n", + dev_name(&channel->ccwdev->dev)); + QETH_DBF_TEXT_(SETUP, 2, "2err%d", -ETIME); +- qeth_clear_cmd_buffers(channel); + return -ETIME; + } + return qeth_idx_activate_get_answer(channel, idx_reply_cb); +@@ -2158,8 +2164,8 @@ int qeth_send_control_data(struct qeth_c + + QETH_CARD_TEXT(card, 6, "noirqpnd"); + spin_lock_irqsave(get_ccwdev_lock(card->write.ccwdev), flags); +- rc = ccw_device_start(card->write.ccwdev, &card->write.ccw, +- (addr_t) iob, 0, 0); ++ rc = ccw_device_start_timeout(CARD_WDEV(card), &card->write.ccw, ++ (addr_t) iob, 0, 0, event_timeout); + spin_unlock_irqrestore(get_ccwdev_lock(card->write.ccwdev), flags); + if (rc) { + QETH_DBF_MESSAGE(2, "%s qeth_send_control_data: " +@@ -2191,8 +2197,6 @@ int qeth_send_control_data(struct qeth_c + } + } + +- if (reply->rc == -EIO) +- goto error; + rc = reply->rc; + qeth_put_reply(reply); + return rc; +@@ -2203,9 +2207,6 @@ time_err: + list_del_init(&reply->list); + spin_unlock_irqrestore(&reply->card->lock, flags); + atomic_inc(&reply->received); +-error: +- atomic_set(&card->write.irq_pending, 0); +- qeth_release_buffer(iob->channel, iob); + rc = reply->rc; + qeth_put_reply(reply); + return rc; +--- a/drivers/s390/net/qeth_core_mpc.h ++++ b/drivers/s390/net/qeth_core_mpc.h +@@ -35,6 +35,18 @@ extern unsigned char IPA_PDU_HEADER[]; + #define QETH_HALT_CHANNEL_PARM -11 + #define QETH_RCD_PARM -12 + ++static inline bool qeth_intparm_is_iob(unsigned long intparm) ++{ ++ switch (intparm) { ++ case QETH_CLEAR_CHANNEL_PARM: ++ case QETH_HALT_CHANNEL_PARM: ++ case QETH_RCD_PARM: ++ case 0: ++ return false; ++ } ++ return true; ++} ++ + /*****************************************************************************/ + /* IP Assist related definitions */ + /*****************************************************************************/ +--- a/drivers/s390/net/qeth_l2_main.c ++++ b/drivers/s390/net/qeth_l2_main.c +@@ -1346,8 +1346,8 @@ static int qeth_osn_send_control_data(st + qeth_prepare_control_data(card, len, iob); + QETH_CARD_TEXT(card, 6, "osnoirqp"); + spin_lock_irqsave(get_ccwdev_lock(card->write.ccwdev), flags); +- rc = ccw_device_start(card->write.ccwdev, &card->write.ccw, +- (addr_t) iob, 0, 0); ++ rc = ccw_device_start_timeout(CARD_WDEV(card), &card->write.ccw, ++ (addr_t) iob, 0, 0, QETH_IPA_TIMEOUT); + spin_unlock_irqrestore(get_ccwdev_lock(card->write.ccwdev), flags); + if (rc) { + QETH_DBF_MESSAGE(2, "qeth_osn_send_control_data: " diff --git a/queue-4.16/s390-qeth-use-read-device-to-query-hypervisor-for-mac.patch b/queue-4.16/s390-qeth-use-read-device-to-query-hypervisor-for-mac.patch new file mode 100644 index 00000000000..86b4d1a916f --- /dev/null +++ b/queue-4.16/s390-qeth-use-read-device-to-query-hypervisor-for-mac.patch @@ -0,0 +1,42 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Julian Wiedmann +Date: Thu, 19 Apr 2018 12:52:11 +0200 +Subject: s390/qeth: use Read device to query hypervisor for MAC + +From: Julian Wiedmann + +[ Upstream commit b7493e91c11a757cf0f8ab26989642ee4bb2c642 ] + +For z/VM NICs, qeth needs to consider which of the three CCW devices in +an MPC group it uses for requesting a managed MAC address. + +On the Base device, the hypervisor returns a default MAC which is +pre-assigned when creating the NIC (this MAC is also returned by the +READ MAC primitive). Querying any other device results in the allocation +of an additional MAC address. + +For consistency with READ MAC and to avoid using up more addresses than +necessary, it is preferable to use the NIC's default MAC. So switch the +the diag26c over to using a NIC's Read device, which should always be +identical to the Base device. + +Fixes: ec61bd2fd2a2 ("s390/qeth: use diag26c to get MAC address on L2") +Signed-off-by: Julian Wiedmann +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/net/qeth_core_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/s390/net/qeth_core_main.c ++++ b/drivers/s390/net/qeth_core_main.c +@@ -4839,7 +4839,7 @@ int qeth_vm_request_mac(struct qeth_card + goto out; + } + +- ccw_device_get_id(CARD_DDEV(card), &id); ++ ccw_device_get_id(CARD_RDEV(card), &id); + request->resp_buf_len = sizeof(*response); + request->resp_version = DIAG26C_VERSION2; + request->op_code = DIAG26C_GET_MAC; diff --git a/queue-4.16/s390-smsgiucv-disable-smsg-on-module-unload.patch b/queue-4.16/s390-smsgiucv-disable-smsg-on-module-unload.patch new file mode 100644 index 00000000000..85a9de307f5 --- /dev/null +++ b/queue-4.16/s390-smsgiucv-disable-smsg-on-module-unload.patch @@ -0,0 +1,31 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Martin Schwidefsky +Date: Tue, 3 Apr 2018 11:08:52 +0200 +Subject: s390/smsgiucv: disable SMSG on module unload + +From: Martin Schwidefsky + +[ Upstream commit 760dd0eeaec1689430243ead14e5a429613d8c52 ] + +The module exit function of the smsgiucv module uses the incorrect CP +command to disable SMSG messages. The correct command is "SET SMSG OFF". +Use it. + +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/net/smsgiucv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/s390/net/smsgiucv.c ++++ b/drivers/s390/net/smsgiucv.c +@@ -176,7 +176,7 @@ static struct device_driver smsg_driver + + static void __exit smsg_exit(void) + { +- cpcmd("SET SMSG IUCV", NULL, 0, NULL); ++ cpcmd("SET SMSG OFF", NULL, 0, NULL); + device_unregister(smsg_dev); + iucv_unregister(&smsg_handler, 1); + driver_unregister(&smsg_driver); diff --git a/queue-4.16/sched-core-introduce-set_special_state.patch b/queue-4.16/sched-core-introduce-set_special_state.patch new file mode 100644 index 00000000000..c257acbaa73 --- /dev/null +++ b/queue-4.16/sched-core-introduce-set_special_state.patch @@ -0,0 +1,206 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Peter Zijlstra +Date: Mon, 30 Apr 2018 14:51:01 +0200 +Subject: sched/core: Introduce set_special_state() + +From: Peter Zijlstra + +[ Upstream commit b5bf9a90bbebffba888c9144c5a8a10317b04064 ] + +Gaurav reported a perceived problem with TASK_PARKED, which turned out +to be a broken wait-loop pattern in __kthread_parkme(), but the +reported issue can (and does) in fact happen for states that do not do +condition based sleeps. + +When the 'current->state = TASK_RUNNING' store of a previous +(concurrent) try_to_wake_up() collides with the setting of a 'special' +sleep state, we can loose the sleep state. + +Normal condition based wait-loops are immune to this problem, but for +sleep states that are not condition based are subject to this problem. + +There already is a fix for TASK_DEAD. Abstract that and also apply it +to TASK_STOPPED and TASK_TRACED, both of which are also without +condition based wait-loop. + +Reported-by: Gaurav Kohli +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Oleg Nesterov +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/sched.h | 50 ++++++++++++++++++++++++++++++++++++++----- + include/linux/sched/signal.h | 2 - + kernel/sched/core.c | 17 -------------- + kernel/signal.c | 17 ++++++++++++-- + 4 files changed, 62 insertions(+), 24 deletions(-) + +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -113,17 +113,36 @@ struct task_group; + + #ifdef CONFIG_DEBUG_ATOMIC_SLEEP + ++/* ++ * Special states are those that do not use the normal wait-loop pattern. See ++ * the comment with set_special_state(). ++ */ ++#define is_special_task_state(state) \ ++ ((state) & (__TASK_STOPPED | __TASK_TRACED | TASK_DEAD)) ++ + #define __set_current_state(state_value) \ + do { \ ++ WARN_ON_ONCE(is_special_task_state(state_value));\ + current->task_state_change = _THIS_IP_; \ + current->state = (state_value); \ + } while (0) ++ + #define set_current_state(state_value) \ + do { \ ++ WARN_ON_ONCE(is_special_task_state(state_value));\ + current->task_state_change = _THIS_IP_; \ + smp_store_mb(current->state, (state_value)); \ + } while (0) + ++#define set_special_state(state_value) \ ++ do { \ ++ unsigned long flags; /* may shadow */ \ ++ WARN_ON_ONCE(!is_special_task_state(state_value)); \ ++ raw_spin_lock_irqsave(¤t->pi_lock, flags); \ ++ current->task_state_change = _THIS_IP_; \ ++ current->state = (state_value); \ ++ raw_spin_unlock_irqrestore(¤t->pi_lock, flags); \ ++ } while (0) + #else + /* + * set_current_state() includes a barrier so that the write of current->state +@@ -145,8 +164,8 @@ struct task_group; + * + * The above is typically ordered against the wakeup, which does: + * +- * need_sleep = false; +- * wake_up_state(p, TASK_UNINTERRUPTIBLE); ++ * need_sleep = false; ++ * wake_up_state(p, TASK_UNINTERRUPTIBLE); + * + * Where wake_up_state() (and all other wakeup primitives) imply enough + * barriers to order the store of the variable against wakeup. +@@ -155,12 +174,33 @@ struct task_group; + * once it observes the TASK_UNINTERRUPTIBLE store the waking CPU can issue a + * TASK_RUNNING store which can collide with __set_current_state(TASK_RUNNING). + * +- * This is obviously fine, since they both store the exact same value. ++ * However, with slightly different timing the wakeup TASK_RUNNING store can ++ * also collide with the TASK_UNINTERRUPTIBLE store. Loosing that store is not ++ * a problem either because that will result in one extra go around the loop ++ * and our @cond test will save the day. + * + * Also see the comments of try_to_wake_up(). + */ +-#define __set_current_state(state_value) do { current->state = (state_value); } while (0) +-#define set_current_state(state_value) smp_store_mb(current->state, (state_value)) ++#define __set_current_state(state_value) \ ++ current->state = (state_value) ++ ++#define set_current_state(state_value) \ ++ smp_store_mb(current->state, (state_value)) ++ ++/* ++ * set_special_state() should be used for those states when the blocking task ++ * can not use the regular condition based wait-loop. In that case we must ++ * serialize against wakeups such that any possible in-flight TASK_RUNNING stores ++ * will not collide with our state change. ++ */ ++#define set_special_state(state_value) \ ++ do { \ ++ unsigned long flags; /* may shadow */ \ ++ raw_spin_lock_irqsave(¤t->pi_lock, flags); \ ++ current->state = (state_value); \ ++ raw_spin_unlock_irqrestore(¤t->pi_lock, flags); \ ++ } while (0) ++ + #endif + + /* Task command name length: */ +--- a/include/linux/sched/signal.h ++++ b/include/linux/sched/signal.h +@@ -280,7 +280,7 @@ static inline void kernel_signal_stop(vo + { + spin_lock_irq(¤t->sighand->siglock); + if (current->jobctl & JOBCTL_STOP_DEQUEUED) +- __set_current_state(TASK_STOPPED); ++ set_special_state(TASK_STOPPED); + spin_unlock_irq(¤t->sighand->siglock); + + schedule(); +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -3459,23 +3459,8 @@ static void __sched notrace __schedule(b + + void __noreturn do_task_dead(void) + { +- /* +- * The setting of TASK_RUNNING by try_to_wake_up() may be delayed +- * when the following two conditions become true. +- * - There is race condition of mmap_sem (It is acquired by +- * exit_mm()), and +- * - SMI occurs before setting TASK_RUNINNG. +- * (or hypervisor of virtual machine switches to other guest) +- * As a result, we may become TASK_RUNNING after becoming TASK_DEAD +- * +- * To avoid it, we have to wait for releasing tsk->pi_lock which +- * is held by try_to_wake_up() +- */ +- raw_spin_lock_irq(¤t->pi_lock); +- raw_spin_unlock_irq(¤t->pi_lock); +- + /* Causes final put_task_struct in finish_task_switch(): */ +- __set_current_state(TASK_DEAD); ++ set_special_state(TASK_DEAD); + + /* Tell freezer to ignore us: */ + current->flags |= PF_NOFREEZE; +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -1961,14 +1961,27 @@ static void ptrace_stop(int exit_code, i + return; + } + ++ set_special_state(TASK_TRACED); ++ + /* + * We're committing to trapping. TRACED should be visible before + * TRAPPING is cleared; otherwise, the tracer might fail do_wait(). + * Also, transition to TRACED and updates to ->jobctl should be + * atomic with respect to siglock and should be done after the arch + * hook as siglock is released and regrabbed across it. ++ * ++ * TRACER TRACEE ++ * ++ * ptrace_attach() ++ * [L] wait_on_bit(JOBCTL_TRAPPING) [S] set_special_state(TRACED) ++ * do_wait() ++ * set_current_state() smp_wmb(); ++ * ptrace_do_wait() ++ * wait_task_stopped() ++ * task_stopped_code() ++ * [L] task_is_traced() [S] task_clear_jobctl_trapping(); + */ +- set_current_state(TASK_TRACED); ++ smp_wmb(); + + current->last_siginfo = info; + current->exit_code = exit_code; +@@ -2176,7 +2189,7 @@ static bool do_signal_stop(int signr) + if (task_participate_group_stop(current)) + notify = CLD_STOPPED; + +- __set_current_state(TASK_STOPPED); ++ set_special_state(TASK_STOPPED); + spin_unlock_irq(¤t->sighand->siglock); + + /* diff --git a/queue-4.16/sched-deadline-make-the-grub_reclaim-function-static.patch b/queue-4.16/sched-deadline-make-the-grub_reclaim-function-static.patch new file mode 100644 index 00000000000..49e4d5c26cb --- /dev/null +++ b/queue-4.16/sched-deadline-make-the-grub_reclaim-function-static.patch @@ -0,0 +1,38 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Mathieu Malaterre +Date: Wed, 16 May 2018 22:09:02 +0200 +Subject: sched/deadline: Make the grub_reclaim() function static + +From: Mathieu Malaterre + +[ Upstream commit 3febfc8a219a036633b57a34c6678e21b6a0580d ] + +Since the grub_reclaim() function can be made static, make it so. + +Silences the following GCC warning (W=1): + + kernel/sched/deadline.c:1120:5: warning: no previous prototype for ‘grub_reclaim’ [-Wmissing-prototypes] + +Signed-off-by: Mathieu Malaterre +Acked-by: Peter Zijlstra +Cc: Linus Torvalds +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/20180516200902.959-1-malat@debian.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sched/deadline.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/sched/deadline.c ++++ b/kernel/sched/deadline.c +@@ -1121,7 +1121,7 @@ extern bool sched_rt_bandwidth_account(s + * should be larger than 2^(64 - 20 - 8), which is more than 64 seconds. + * So, overflow is not an issue here. + */ +-u64 grub_reclaim(u64 delta, struct rq *rq, struct sched_dl_entity *dl_se) ++static u64 grub_reclaim(u64 delta, struct rq *rq, struct sched_dl_entity *dl_se) + { + u64 u_inact = rq->dl.this_bw - rq->dl.running_bw; /* Utot - Uact */ + u64 u_act; diff --git a/queue-4.16/sched-debug-move-the-print_rt_rq-and-print_dl_rq-declarations-to-kernel-sched-sched.h.patch b/queue-4.16/sched-debug-move-the-print_rt_rq-and-print_dl_rq-declarations-to-kernel-sched-sched.h.patch new file mode 100644 index 00000000000..0ea7c81d518 --- /dev/null +++ b/queue-4.16/sched-debug-move-the-print_rt_rq-and-print_dl_rq-declarations-to-kernel-sched-sched.h.patch @@ -0,0 +1,78 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Mathieu Malaterre +Date: Wed, 16 May 2018 21:53:47 +0200 +Subject: sched/debug: Move the print_rt_rq() and print_dl_rq() declarations to kernel/sched/sched.h + +From: Mathieu Malaterre + +[ Upstream commit f6a3463063f42d9fb2c78f386437a822e0ad1792 ] + +In the following commit: + + 6b55c9654fcc ("sched/debug: Move print_cfs_rq() declaration to kernel/sched/sched.h") + +the print_cfs_rq() prototype was added to , +right next to the prototypes for print_cfs_stats(), print_rt_stats() +and print_dl_stats(). + +Finish this previous commit and also move related prototypes for +print_rt_rq() and print_dl_rq(). + +Remove existing extern declarations now that they not needed anymore. + +Silences the following GCC warning, triggered by W=1: + + kernel/sched/debug.c:573:6: warning: no previous prototype for ‘print_rt_rq’ [-Wmissing-prototypes] + kernel/sched/debug.c:603:6: warning: no previous prototype for ‘print_dl_rq’ [-Wmissing-prototypes] + +Signed-off-by: Mathieu Malaterre +Acked-by: Peter Zijlstra +Cc: Linus Torvalds +Cc: Srikar Dronamraju +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/20180516195348.30426-1-malat@debian.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sched/deadline.c | 2 -- + kernel/sched/rt.c | 2 -- + kernel/sched/sched.h | 5 +++-- + 3 files changed, 3 insertions(+), 6 deletions(-) + +--- a/kernel/sched/deadline.c ++++ b/kernel/sched/deadline.c +@@ -2723,8 +2723,6 @@ bool dl_cpu_busy(unsigned int cpu) + #endif + + #ifdef CONFIG_SCHED_DEBUG +-extern void print_dl_rq(struct seq_file *m, int cpu, struct dl_rq *dl_rq); +- + void print_dl_stats(struct seq_file *m, int cpu) + { + print_dl_rq(m, cpu, &cpu_rq(cpu)->dl); +--- a/kernel/sched/rt.c ++++ b/kernel/sched/rt.c +@@ -2691,8 +2691,6 @@ int sched_rr_handler(struct ctl_table *t + } + + #ifdef CONFIG_SCHED_DEBUG +-extern void print_rt_rq(struct seq_file *m, int cpu, struct rt_rq *rt_rq); +- + void print_rt_stats(struct seq_file *m, int cpu) + { + rt_rq_iter_t iter; +--- a/kernel/sched/sched.h ++++ b/kernel/sched/sched.h +@@ -1986,8 +1986,9 @@ extern bool sched_debug_enabled; + extern void print_cfs_stats(struct seq_file *m, int cpu); + extern void print_rt_stats(struct seq_file *m, int cpu); + extern void print_dl_stats(struct seq_file *m, int cpu); +-extern void +-print_cfs_rq(struct seq_file *m, int cpu, struct cfs_rq *cfs_rq); ++extern void print_cfs_rq(struct seq_file *m, int cpu, struct cfs_rq *cfs_rq); ++extern void print_rt_rq(struct seq_file *m, int cpu, struct rt_rq *rt_rq); ++extern void print_dl_rq(struct seq_file *m, int cpu, struct dl_rq *dl_rq); + #ifdef CONFIG_NUMA_BALANCING + extern void + show_numa_stats(struct task_struct *p, struct seq_file *m); diff --git a/queue-4.16/scsi-isci-fix-infinite-loop-in-while-loop.patch b/queue-4.16/scsi-isci-fix-infinite-loop-in-while-loop.patch new file mode 100644 index 00000000000..d7b0cea348a --- /dev/null +++ b/queue-4.16/scsi-isci-fix-infinite-loop-in-while-loop.patch @@ -0,0 +1,42 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Colin Ian King +Date: Fri, 20 Apr 2018 10:57:16 +0100 +Subject: scsi: isci: Fix infinite loop in while loop + +From: Colin Ian King + +[ Upstream commit 4bc83b3f272fe8f36450f9c003df49cf07ffe5fd ] + +In the case when the phy_mask is bitwise anded with the phy_index bit is +zero the continue statement currently jumps to the next iteration of the +while loop and phy_index is never actually incremented, potentially +causing an infinite loop if phy_index is less than SCI_MAX_PHS. Fix this +by turning the while loop into a for loop. + +Signed-off-by: Colin Ian King +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/isci/port_config.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/scsi/isci/port_config.c ++++ b/drivers/scsi/isci/port_config.c +@@ -291,7 +291,7 @@ sci_mpc_agent_validate_phy_configuration + * Note: We have not moved the current phy_index so we will actually + * compare the startting phy with itself. + * This is expected and required to add the phy to the port. */ +- while (phy_index < SCI_MAX_PHYS) { ++ for (; phy_index < SCI_MAX_PHYS; phy_index++) { + if ((phy_mask & (1 << phy_index)) == 0) + continue; + sci_phy_get_sas_address(&ihost->phys[phy_index], +@@ -311,7 +311,6 @@ sci_mpc_agent_validate_phy_configuration + &ihost->phys[phy_index]); + + assigned_phy_mask |= (1 << phy_index); +- phy_index++; + } + + } diff --git a/queue-4.16/scsi-iscsi-respond-to-netlink-with-unicast-when-appropriate.patch b/queue-4.16/scsi-iscsi-respond-to-netlink-with-unicast-when-appropriate.patch new file mode 100644 index 00000000000..d15925ab5b3 --- /dev/null +++ b/queue-4.16/scsi-iscsi-respond-to-netlink-with-unicast-when-appropriate.patch @@ -0,0 +1,124 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Chris Leech +Date: Mon, 9 Apr 2018 15:15:28 -0700 +Subject: scsi: iscsi: respond to netlink with unicast when appropriate + +From: Chris Leech + +[ Upstream commit af17092810a887178195276255b7b31f8fbe7dbe ] + +Instead of always multicasting responses, send a unicast netlink message +directed at the correct pid. This will be needed if we ever want to +support multiple userspace processes interacting with the kernel over +iSCSI netlink simultaneously. Limitations can currently be seen if you +attempt to run multiple iscsistart commands in parallel. + +We've fixed up the userspace issues in iscsistart that prevented +multiple instances from running, so now attempts to speed up booting by +bringing up multiple iscsi sessions at once in the initramfs are just +running into misrouted responses that this fixes. + +Signed-off-by: Chris Leech +Reviewed-by: Lee Duncan +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/scsi_transport_iscsi.c | 29 ++++++++++++++++++----------- + 1 file changed, 18 insertions(+), 11 deletions(-) + +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -2322,6 +2322,12 @@ iscsi_multicast_skb(struct sk_buff *skb, + return nlmsg_multicast(nls, skb, 0, group, gfp); + } + ++static int ++iscsi_unicast_skb(struct sk_buff *skb, u32 portid) ++{ ++ return nlmsg_unicast(nls, skb, portid); ++} ++ + int iscsi_recv_pdu(struct iscsi_cls_conn *conn, struct iscsi_hdr *hdr, + char *data, uint32_t data_size) + { +@@ -2524,14 +2530,11 @@ void iscsi_ping_comp_event(uint32_t host + EXPORT_SYMBOL_GPL(iscsi_ping_comp_event); + + static int +-iscsi_if_send_reply(uint32_t group, int seq, int type, int done, int multi, +- void *payload, int size) ++iscsi_if_send_reply(u32 portid, int type, void *payload, int size) + { + struct sk_buff *skb; + struct nlmsghdr *nlh; + int len = nlmsg_total_size(size); +- int flags = multi ? NLM_F_MULTI : 0; +- int t = done ? NLMSG_DONE : type; + + skb = alloc_skb(len, GFP_ATOMIC); + if (!skb) { +@@ -2539,10 +2542,9 @@ iscsi_if_send_reply(uint32_t group, int + return -ENOMEM; + } + +- nlh = __nlmsg_put(skb, 0, 0, t, (len - sizeof(*nlh)), 0); +- nlh->nlmsg_flags = flags; ++ nlh = __nlmsg_put(skb, 0, 0, type, (len - sizeof(*nlh)), 0); + memcpy(nlmsg_data(nlh), payload, size); +- return iscsi_multicast_skb(skb, group, GFP_ATOMIC); ++ return iscsi_unicast_skb(skb, portid); + } + + static int +@@ -3470,6 +3472,7 @@ static int + iscsi_if_recv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, uint32_t *group) + { + int err = 0; ++ u32 portid; + struct iscsi_uevent *ev = nlmsg_data(nlh); + struct iscsi_transport *transport = NULL; + struct iscsi_internal *priv; +@@ -3490,10 +3493,12 @@ iscsi_if_recv_msg(struct sk_buff *skb, s + if (!try_module_get(transport->owner)) + return -EINVAL; + ++ portid = NETLINK_CB(skb).portid; ++ + switch (nlh->nlmsg_type) { + case ISCSI_UEVENT_CREATE_SESSION: + err = iscsi_if_create_session(priv, ep, ev, +- NETLINK_CB(skb).portid, ++ portid, + ev->u.c_session.initial_cmdsn, + ev->u.c_session.cmds_max, + ev->u.c_session.queue_depth); +@@ -3506,7 +3511,7 @@ iscsi_if_recv_msg(struct sk_buff *skb, s + } + + err = iscsi_if_create_session(priv, ep, ev, +- NETLINK_CB(skb).portid, ++ portid, + ev->u.c_bound_session.initial_cmdsn, + ev->u.c_bound_session.cmds_max, + ev->u.c_bound_session.queue_depth); +@@ -3664,6 +3669,8 @@ iscsi_if_recv_msg(struct sk_buff *skb, s + static void + iscsi_if_rx(struct sk_buff *skb) + { ++ u32 portid = NETLINK_CB(skb).portid; ++ + mutex_lock(&rx_queue_mutex); + while (skb->len >= NLMSG_HDRLEN) { + int err; +@@ -3699,8 +3706,8 @@ iscsi_if_rx(struct sk_buff *skb) + break; + if (ev->type == ISCSI_UEVENT_GET_CHAP && !err) + break; +- err = iscsi_if_send_reply(group, nlh->nlmsg_seq, +- nlh->nlmsg_type, 0, 0, ev, sizeof(*ev)); ++ err = iscsi_if_send_reply(portid, nlh->nlmsg_type, ++ ev, sizeof(*ev)); + } while (err < 0 && err != -ECONNREFUSED && err != -ESRCH); + skb_pull(skb, rlen); + } diff --git a/queue-4.16/scsi-megaraid_sas-do-not-log-an-error-if-fw-successfully-initializes.patch b/queue-4.16/scsi-megaraid_sas-do-not-log-an-error-if-fw-successfully-initializes.patch new file mode 100644 index 00000000000..8db6c94af58 --- /dev/null +++ b/queue-4.16/scsi-megaraid_sas-do-not-log-an-error-if-fw-successfully-initializes.patch @@ -0,0 +1,37 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Vinson Lee +Date: Wed, 21 Mar 2018 21:04:12 +0000 +Subject: scsi: megaraid_sas: Do not log an error if FW successfully initializes. + +From: Vinson Lee + +[ Upstream commit fb1633d56b0025233ed3dc49b44544748d509d9d ] + +Fixes: 2d2c2331673c ("scsi: megaraid_sas: modified few prints in OCR and IOC INIT path") +Signed-off-by: Vinson Lee +Acked-by: Shivasharan S +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/megaraid/megaraid_sas_fusion.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c ++++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c +@@ -1124,12 +1124,12 @@ megasas_ioc_init_fusion(struct megasas_i + goto fail_fw_init; + } + +- ret = 0; ++ return 0; + + fail_fw_init: + dev_err(&instance->pdev->dev, +- "Init cmd return status %s for SCSI host %d\n", +- ret ? "FAILED" : "SUCCESS", instance->host->host_no); ++ "Init cmd return status FAILED for SCSI host %d\n", ++ instance->host->host_no); + + return ret; + } diff --git a/queue-4.16/scsi-storvsc-set-up-correct-queue-depth-values-for-ide-devices.patch b/queue-4.16/scsi-storvsc-set-up-correct-queue-depth-values-for-ide-devices.patch new file mode 100644 index 00000000000..4c35d798c8a --- /dev/null +++ b/queue-4.16/scsi-storvsc-set-up-correct-queue-depth-values-for-ide-devices.patch @@ -0,0 +1,40 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Long Li +Date: Thu, 22 Mar 2018 14:47:18 -0700 +Subject: scsi: storvsc: Set up correct queue depth values for IDE devices + +From: Long Li + +[ Upstream commit f286299c1d0ba5e2ca0377610307b370fe178767 ] + +Unlike SCSI and FC, we don't use multiple channels for IDE. Also fix +the calculation for sub-channels. + +Signed-off-by: Long Li +Reviewed-by: Michael Kelley +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/storvsc_drv.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/storvsc_drv.c ++++ b/drivers/scsi/storvsc_drv.c +@@ -1722,11 +1722,14 @@ static int storvsc_probe(struct hv_devic + max_targets = STORVSC_MAX_TARGETS; + max_channels = STORVSC_MAX_CHANNELS; + /* +- * On Windows8 and above, we support sub-channels for storage. ++ * On Windows8 and above, we support sub-channels for storage ++ * on SCSI and FC controllers. + * The number of sub-channels offerred is based on the number of + * VCPUs in the guest. + */ +- max_sub_channels = (num_cpus / storvsc_vcpus_per_sub_channel); ++ if (!dev_is_ide) ++ max_sub_channels = ++ (num_cpus - 1) / storvsc_vcpus_per_sub_channel; + } + + scsi_driver.can_queue = (max_outstanding_req_per_channel * diff --git a/queue-4.16/scsi-target-fix-crash-with-iscsi-target-and-dvd.patch b/queue-4.16/scsi-target-fix-crash-with-iscsi-target-and-dvd.patch new file mode 100644 index 00000000000..0b6b125954a --- /dev/null +++ b/queue-4.16/scsi-target-fix-crash-with-iscsi-target-and-dvd.patch @@ -0,0 +1,49 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Ming Lei +Date: Mon, 16 Apr 2018 17:48:41 +0800 +Subject: scsi: target: fix crash with iscsi target and dvd + +From: Ming Lei + +[ Upstream commit 8e1ceafe50ec4d1bcfae154dd70e7cb6946a6177 ] + +When the current page can't be added to bio, one new bio should be +created for adding this page again, instead of ignoring this page. + +This patch fixes kernel crash with iscsi target and dvd, as reported by +Wakko. + +Cc: Wakko Warner +Cc: Bart Van Assche +Cc: target-devel@vger.kernel.org +Cc: linux-scsi@vger.kernel.org +Cc: "Nicholas A. Bellinger" +Cc: Christoph Hellwig +Fixes: 84c8590646d5b35804 ("target: avoid accessing .bi_vcnt directly") +Signed-off-by: Ming Lei +Reviewed-by: Christoph Hellwig +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/target/target_core_pscsi.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/target/target_core_pscsi.c ++++ b/drivers/target/target_core_pscsi.c +@@ -890,6 +890,7 @@ pscsi_map_sg(struct se_cmd *cmd, struct + bytes = min(bytes, data_len); + + if (!bio) { ++new_bio: + nr_vecs = min_t(int, BIO_MAX_PAGES, nr_pages); + nr_pages -= nr_vecs; + /* +@@ -931,6 +932,7 @@ pscsi_map_sg(struct se_cmd *cmd, struct + * be allocated with pscsi_get_bio() above. + */ + bio = NULL; ++ goto new_bio; + } + + data_len -= bytes; diff --git a/queue-4.16/scsi-vmw-pvscsi-return-did_bus_busy-for-adapter-initated-aborts.patch b/queue-4.16/scsi-vmw-pvscsi-return-did_bus_busy-for-adapter-initated-aborts.patch new file mode 100644 index 00000000000..e02a2424fbc --- /dev/null +++ b/queue-4.16/scsi-vmw-pvscsi-return-did_bus_busy-for-adapter-initated-aborts.patch @@ -0,0 +1,32 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Jim Gill +Date: Fri, 20 Apr 2018 19:04:47 -0700 +Subject: scsi: vmw-pvscsi: return DID_BUS_BUSY for adapter-initated aborts + +From: Jim Gill + +[ Upstream commit f4b024271ae3e9786e5d6f1c05b01b57a74e1d6d ] + +The vmw_pvscsi driver returns DID_ABORT for commands aborted internally +by the adapter, leading to the filesystem going read-only. Change the +result to DID_BUS_BUSY, causing the kernel to retry the command. + +Signed-off-by: Jim Gill +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/vmw_pvscsi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/vmw_pvscsi.c ++++ b/drivers/scsi/vmw_pvscsi.c +@@ -609,7 +609,7 @@ static void pvscsi_complete_request(stru + break; + + case BTSTAT_ABORTQUEUE: +- cmd->result = (DID_ABORT << 16); ++ cmd->result = (DID_BUS_BUSY << 16); + break; + + case BTSTAT_SCSIPARITY: diff --git a/queue-4.16/selftests-ftrace-add-a-testcase-for-multiple-actions-on-trigger.patch b/queue-4.16/selftests-ftrace-add-a-testcase-for-multiple-actions-on-trigger.patch new file mode 100644 index 00000000000..9773d2a93b3 --- /dev/null +++ b/queue-4.16/selftests-ftrace-add-a-testcase-for-multiple-actions-on-trigger.patch @@ -0,0 +1,74 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Masami Hiramatsu +Date: Thu, 5 Apr 2018 18:29:12 +0900 +Subject: selftests: ftrace: Add a testcase for multiple actions on trigger + +From: Masami Hiramatsu + +[ Upstream commit 25aa50e0ca397a5e5d4d6fcecefa8107877d1dd0 ] + +Add a testcase for multiple actions with different +parameters on an event trigger, which has been fixed +by commit 192c283e93bd ("tracing: Add action comparisons + when testing matching hist triggers"). + +Link: http://lkml.kernel.org/r/152292055227.15769.6327959816123227152.stgit@devbox + +Reviewed-by: Tom Zanussi +Tested-by: Tom Zanussi +Signed-off-by: Masami Hiramatsu +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-multi-actions-accept.tc | 44 ++++++++++ + 1 file changed, 44 insertions(+) + create mode 100644 tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-multi-actions-accept.tc + +--- /dev/null ++++ b/tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-multi-actions-accept.tc +@@ -0,0 +1,44 @@ ++#!/bin/sh ++# description: event trigger - test multiple actions on hist trigger ++ ++ ++do_reset() { ++ reset_trigger ++ echo > set_event ++ clear_trace ++} ++ ++fail() { #msg ++ do_reset ++ echo $1 ++ exit_fail ++} ++ ++if [ ! -f set_event ]; then ++ echo "event tracing is not supported" ++ exit_unsupported ++fi ++ ++if [ ! -f synthetic_events ]; then ++ echo "synthetic event is not supported" ++ exit_unsupported ++fi ++ ++clear_synthetic_events ++reset_tracer ++do_reset ++ ++echo "Test multiple actions on hist trigger" ++echo 'wakeup_latency u64 lat; pid_t pid' >> synthetic_events ++TRIGGER1=events/sched/sched_wakeup/trigger ++TRIGGER2=events/sched/sched_switch/trigger ++ ++echo 'hist:keys=pid:ts0=common_timestamp.usecs if comm=="cyclictest"' > $TRIGGER1 ++echo 'hist:keys=next_pid:wakeup_lat=common_timestamp.usecs-$ts0 if next_comm=="cyclictest"' >> $TRIGGER2 ++echo 'hist:keys=next_pid:onmatch(sched.sched_wakeup).wakeup_latency(sched.sched_switch.$wakeup_lat,next_pid) if next_comm=="cyclictest"' >> $TRIGGER2 ++echo 'hist:keys=next_pid:onmatch(sched.sched_wakeup).wakeup_latency(sched.sched_switch.$wakeup_lat,prev_pid) if next_comm=="cyclictest"' >> $TRIGGER2 ++echo 'hist:keys=next_pid if next_comm=="cyclictest"' >> $TRIGGER2 ++ ++do_reset ++ ++exit 0 diff --git a/queue-4.16/sh-fix-build-failure-for-j2-cpu-with-smp-disabled.patch b/queue-4.16/sh-fix-build-failure-for-j2-cpu-with-smp-disabled.patch new file mode 100644 index 00000000000..075061c21ea --- /dev/null +++ b/queue-4.16/sh-fix-build-failure-for-j2-cpu-with-smp-disabled.patch @@ -0,0 +1,34 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Rich Felker +Date: Sat, 5 May 2018 16:40:23 -0400 +Subject: sh: fix build failure for J2 cpu with SMP disabled + +From: Rich Felker + +[ Upstream commit 6cb465972c4eb6741b3094a58a65e527fc63c100 ] + +The sh asm/smp.h defines a fallback hard_smp_processor_id macro for +the !SMP case, but linux/smp.h never includes asm/smp.h in the !SMP +case. + +Signed-off-by: Rich Felker +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/sh/kernel/cpu/sh2/probe.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/sh/kernel/cpu/sh2/probe.c ++++ b/arch/sh/kernel/cpu/sh2/probe.c +@@ -43,7 +43,11 @@ void __ref cpu_probe(void) + #endif + + #if defined(CONFIG_CPU_J2) ++#if defined(CONFIG_SMP) + unsigned cpu = hard_smp_processor_id(); ++#else ++ unsigned cpu = 0; ++#endif + if (cpu == 0) of_scan_flat_dt(scan_cache, NULL); + if (j2_ccr_base) __raw_writel(0x80000303, j2_ccr_base + 4*cpu); + if (cpu != 0) return; diff --git a/queue-4.16/sh-switch-to-no_bootmem.patch b/queue-4.16/sh-switch-to-no_bootmem.patch new file mode 100644 index 00000000000..9de0e960182 --- /dev/null +++ b/queue-4.16/sh-switch-to-no_bootmem.patch @@ -0,0 +1,204 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Rob Herring +Date: Fri, 11 May 2018 08:45:59 -0500 +Subject: sh: switch to NO_BOOTMEM + +From: Rob Herring + +[ Upstream commit ac21fc2dcb405cf250ad3f1228f64f64930d9211 ] + +Commit 0fa1c579349f ("of/fdt: use memblock_virt_alloc for early alloc") +inadvertently switched the DT unflattening allocations from memblock to +bootmem which doesn't work because the unflattening happens before +bootmem is initialized. Swapping the order of bootmem init and +unflattening could also fix this, but removing bootmem is desired. So +enable NO_BOOTMEM on SH like other architectures have done. + +Fixes: 0fa1c579349f ("of/fdt: use memblock_virt_alloc for early alloc") +Reported-by: Rich Felker +Cc: Yoshinori Sato +Signed-off-by: Rob Herring +Signed-off-by: Rich Felker +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/sh/Kconfig | 1 + arch/sh/kernel/setup.c | 1 + arch/sh/mm/init.c | 68 ++++--------------------------------------------- + arch/sh/mm/numa.c | 19 ------------- + 4 files changed, 7 insertions(+), 82 deletions(-) + +--- a/arch/sh/Kconfig ++++ b/arch/sh/Kconfig +@@ -9,6 +9,7 @@ config SUPERH + select HAVE_IDE if HAS_IOPORT_MAP + select HAVE_MEMBLOCK + select HAVE_MEMBLOCK_NODE_MAP ++ select NO_BOOTMEM + select ARCH_DISCARD_MEMBLOCK + select HAVE_OPROFILE + select HAVE_GENERIC_DMA_COHERENT +--- a/arch/sh/kernel/setup.c ++++ b/arch/sh/kernel/setup.c +@@ -11,7 +11,6 @@ + #include + #include + #include +-#include + #include + #include + #include +--- a/arch/sh/mm/init.c ++++ b/arch/sh/mm/init.c +@@ -211,59 +211,15 @@ void __init allocate_pgdat(unsigned int + + NODE_DATA(nid) = __va(phys); + memset(NODE_DATA(nid), 0, sizeof(struct pglist_data)); +- +- NODE_DATA(nid)->bdata = &bootmem_node_data[nid]; + #endif + + NODE_DATA(nid)->node_start_pfn = start_pfn; + NODE_DATA(nid)->node_spanned_pages = end_pfn - start_pfn; + } + +-static void __init bootmem_init_one_node(unsigned int nid) +-{ +- unsigned long total_pages, paddr; +- unsigned long end_pfn; +- struct pglist_data *p; +- +- p = NODE_DATA(nid); +- +- /* Nothing to do.. */ +- if (!p->node_spanned_pages) +- return; +- +- end_pfn = pgdat_end_pfn(p); +- +- total_pages = bootmem_bootmap_pages(p->node_spanned_pages); +- +- paddr = memblock_alloc(total_pages << PAGE_SHIFT, PAGE_SIZE); +- if (!paddr) +- panic("Can't allocate bootmap for nid[%d]\n", nid); +- +- init_bootmem_node(p, paddr >> PAGE_SHIFT, p->node_start_pfn, end_pfn); +- +- free_bootmem_with_active_regions(nid, end_pfn); +- +- /* +- * XXX Handle initial reservations for the system memory node +- * only for the moment, we'll refactor this later for handling +- * reservations in other nodes. +- */ +- if (nid == 0) { +- struct memblock_region *reg; +- +- /* Reserve the sections we're already using. */ +- for_each_memblock(reserved, reg) { +- reserve_bootmem(reg->base, reg->size, BOOTMEM_DEFAULT); +- } +- } +- +- sparse_memory_present_with_active_regions(nid); +-} +- + static void __init do_init_bootmem(void) + { + struct memblock_region *reg; +- int i; + + /* Add active regions with valid PFNs. */ + for_each_memblock(memory, reg) { +@@ -279,9 +235,12 @@ static void __init do_init_bootmem(void) + + plat_mem_setup(); + +- for_each_online_node(i) +- bootmem_init_one_node(i); ++ for_each_memblock(memory, reg) { ++ int nid = memblock_get_region_node(reg); + ++ memory_present(nid, memblock_region_memory_base_pfn(reg), ++ memblock_region_memory_end_pfn(reg)); ++ } + sparse_init(); + } + +@@ -322,7 +281,6 @@ void __init paging_init(void) + { + unsigned long max_zone_pfns[MAX_NR_ZONES]; + unsigned long vaddr, end; +- int nid; + + sh_mv.mv_mem_init(); + +@@ -377,21 +335,7 @@ void __init paging_init(void) + kmap_coherent_init(); + + memset(max_zone_pfns, 0, sizeof(max_zone_pfns)); +- +- for_each_online_node(nid) { +- pg_data_t *pgdat = NODE_DATA(nid); +- unsigned long low, start_pfn; +- +- start_pfn = pgdat->bdata->node_min_pfn; +- low = pgdat->bdata->node_low_pfn; +- +- if (max_zone_pfns[ZONE_NORMAL] < low) +- max_zone_pfns[ZONE_NORMAL] = low; +- +- printk("Node %u: start_pfn = 0x%lx, low = 0x%lx\n", +- nid, start_pfn, low); +- } +- ++ max_zone_pfns[ZONE_NORMAL] = max_low_pfn; + free_area_init_nodes(max_zone_pfns); + } + +--- a/arch/sh/mm/numa.c ++++ b/arch/sh/mm/numa.c +@@ -8,7 +8,6 @@ + * for more details. + */ + #include +-#include + #include + #include + #include +@@ -26,9 +25,7 @@ EXPORT_SYMBOL_GPL(node_data); + */ + void __init setup_bootmem_node(int nid, unsigned long start, unsigned long end) + { +- unsigned long bootmap_pages; + unsigned long start_pfn, end_pfn; +- unsigned long bootmem_paddr; + + /* Don't allow bogus node assignment */ + BUG_ON(nid >= MAX_NUMNODES || nid <= 0); +@@ -48,25 +45,9 @@ void __init setup_bootmem_node(int nid, + SMP_CACHE_BYTES, end)); + memset(NODE_DATA(nid), 0, sizeof(struct pglist_data)); + +- NODE_DATA(nid)->bdata = &bootmem_node_data[nid]; + NODE_DATA(nid)->node_start_pfn = start_pfn; + NODE_DATA(nid)->node_spanned_pages = end_pfn - start_pfn; + +- /* Node-local bootmap */ +- bootmap_pages = bootmem_bootmap_pages(end_pfn - start_pfn); +- bootmem_paddr = memblock_alloc_base(bootmap_pages << PAGE_SHIFT, +- PAGE_SIZE, end); +- init_bootmem_node(NODE_DATA(nid), bootmem_paddr >> PAGE_SHIFT, +- start_pfn, end_pfn); +- +- free_bootmem_with_active_regions(nid, end_pfn); +- +- /* Reserve the pgdat and bootmap space with the bootmem allocator */ +- reserve_bootmem_node(NODE_DATA(nid), start_pfn << PAGE_SHIFT, +- sizeof(struct pglist_data), BOOTMEM_DEFAULT); +- reserve_bootmem_node(NODE_DATA(nid), bootmem_paddr, +- bootmap_pages << PAGE_SHIFT, BOOTMEM_DEFAULT); +- + /* It's up */ + node_set_online(nid); + diff --git a/queue-4.16/smc-fix-sendpage-call.patch b/queue-4.16/smc-fix-sendpage-call.patch new file mode 100644 index 00000000000..396d76797d9 --- /dev/null +++ b/queue-4.16/smc-fix-sendpage-call.patch @@ -0,0 +1,44 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Stefan Raspl +Date: Thu, 3 May 2018 17:57:39 +0200 +Subject: smc: fix sendpage() call + +From: Stefan Raspl + +[ Upstream commit bda27ff5c4526f80a7620a94ecfe8dca153e3696 ] + +The sendpage() call grabs the sock lock before calling the default +implementation - which tries to grab it once again. + +Signed-off-by: Stefan Raspl +Signed-off-by: Ursula Braun < +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/smc/af_smc.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -1313,8 +1313,11 @@ static ssize_t smc_sendpage(struct socke + + smc = smc_sk(sk); + lock_sock(sk); +- if (sk->sk_state != SMC_ACTIVE) ++ if (sk->sk_state != SMC_ACTIVE) { ++ release_sock(sk); + goto out; ++ } ++ release_sock(sk); + if (smc->use_fallback) + rc = kernel_sendpage(smc->clcsock, page, offset, + size, flags); +@@ -1322,7 +1325,6 @@ static ssize_t smc_sendpage(struct socke + rc = sock_no_sendpage(sock, page, offset, size, flags); + + out: +- release_sock(sk); + return rc; + } + diff --git a/queue-4.16/soc-bcm-raspberrypi-power-fix-use-of-__packed.patch b/queue-4.16/soc-bcm-raspberrypi-power-fix-use-of-__packed.patch new file mode 100644 index 00000000000..c7c0ea037aa --- /dev/null +++ b/queue-4.16/soc-bcm-raspberrypi-power-fix-use-of-__packed.patch @@ -0,0 +1,33 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Florian Fainelli +Date: Sun, 1 Apr 2018 09:42:25 -0700 +Subject: soc: bcm: raspberrypi-power: Fix use of __packed + +From: Florian Fainelli + +[ Upstream commit 0a12e80ce4230434c2ed66ad0d65af0b7ccecea8 ] + +Commit a09cd356586d ("ARM: bcm2835: add rpi power domain driver") +attempted to annotate the structure rpi_power_domain_packet with +__packed but introduced a typo and made it named __packet instead. Just +drop the annotation since the structure is naturally aligned already. + +Fixes: a09cd356586d ("ARM: bcm2835: add rpi power domain driver") +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/bcm/raspberrypi-power.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/soc/bcm/raspberrypi-power.c ++++ b/drivers/soc/bcm/raspberrypi-power.c +@@ -45,7 +45,7 @@ struct rpi_power_domains { + struct rpi_power_domain_packet { + u32 domain; + u32 on; +-} __packet; ++}; + + /* + * Asks the firmware to enable or disable power on a specific power diff --git a/queue-4.16/soc-bcm2835-make-raspberrypi_firmware-dummies-return-failure.patch b/queue-4.16/soc-bcm2835-make-raspberrypi_firmware-dummies-return-failure.patch new file mode 100644 index 00000000000..1b595815aa1 --- /dev/null +++ b/queue-4.16/soc-bcm2835-make-raspberrypi_firmware-dummies-return-failure.patch @@ -0,0 +1,54 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Geert Uytterhoeven +Date: Sun, 8 Apr 2018 11:05:15 +0200 +Subject: soc: bcm2835: Make !RASPBERRYPI_FIRMWARE dummies return failure + +From: Geert Uytterhoeven + +[ Upstream commit 144345a4a8c3b497a3f60d3af9d6071a37660186 ] + +If CONFIG_RASPBERRYPI_FIRMWARE=n: + + drivers/gpio/gpio-raspberrypi-exp.c: In function ‘rpi_exp_gpio_get_polarity’: + drivers/gpio/gpio-raspberrypi-exp.c:71: warning: ‘get.polarity’ is used uninitialized in this function + drivers/gpio/gpio-raspberrypi-exp.c: In function ‘rpi_exp_gpio_get_direction’: + drivers/gpio/gpio-raspberrypi-exp.c:150: warning: ‘get.direction’ is used uninitialized in this function + +The dummy firmware interface functions return 0, which means success, +causing subsequent code to make use of the never initialized output +parameter. + +Fix this by making the dummy functions return an error code (-ENOSYS) +instead. + +Note that this assumes the firmware always fills in the requested data +in the CONFIG_RASPBERRYPI_FIRMWARE=y case. + +Fixes: d45f1a563b92dac7 ("staging: vc04_services: fix up rpi firmware functions") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Eric Anholt +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/soc/bcm2835/raspberrypi-firmware.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/include/soc/bcm2835/raspberrypi-firmware.h ++++ b/include/soc/bcm2835/raspberrypi-firmware.h +@@ -125,13 +125,13 @@ struct rpi_firmware *rpi_firmware_get(st + static inline int rpi_firmware_property(struct rpi_firmware *fw, u32 tag, + void *data, size_t len) + { +- return 0; ++ return -ENOSYS; + } + + static inline int rpi_firmware_property_list(struct rpi_firmware *fw, + void *data, size_t tag_size) + { +- return 0; ++ return -ENOSYS; + } + + static inline struct rpi_firmware *rpi_firmware_get(struct device_node *firmware_node) diff --git a/queue-4.16/spi-bcm2835aux-ensure-interrupts-are-enabled-for-shared-handler.patch b/queue-4.16/spi-bcm2835aux-ensure-interrupts-are-enabled-for-shared-handler.patch new file mode 100644 index 00000000000..3b364d0dbc6 --- /dev/null +++ b/queue-4.16/spi-bcm2835aux-ensure-interrupts-are-enabled-for-shared-handler.patch @@ -0,0 +1,57 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Rob Herring +Date: Thu, 3 May 2018 13:09:44 -0500 +Subject: spi: bcm2835aux: ensure interrupts are enabled for shared handler + +From: Rob Herring + +[ Upstream commit bc519d9574618e47a0c788000fb78da95e18d953 ] + +The BCM2835 AUX SPI has a shared interrupt line (with AUX UART). +Downstream fixes this with an AUX irqchip to demux the IRQ sources and a +DT change which breaks compatibility with older kernels. The AUX irqchip +was already rejected for upstream[1] and the DT change would break +working systems if the DTB is updated to a newer one. The latter issue +was brought to my attention by Alex Graf. + +The root cause however is a bug in the shared handler. Shared handlers +must check that interrupts are actually enabled before servicing the +interrupt. Add a check that the TXEMPTY or IDLE interrupts are enabled. + +[1] https://patchwork.kernel.org/patch/9781221/ + +Cc: Alexander Graf +Cc: Marc Zyngier +Cc: Mark Brown +Cc: Eric Anholt +Cc: Stefan Wahren +Cc: Florian Fainelli +Cc: Ray Jui +Cc: Scott Branden +Cc: bcm-kernel-feedback-list@broadcom.com +Cc: linux-spi@vger.kernel.org +Cc: linux-rpi-kernel@lists.infradead.org +Cc: linux-arm-kernel@lists.infradead.org +Signed-off-by: Rob Herring +Reviewed-by: Eric Anholt +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-bcm2835aux.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/spi/spi-bcm2835aux.c ++++ b/drivers/spi/spi-bcm2835aux.c +@@ -184,6 +184,11 @@ static irqreturn_t bcm2835aux_spi_interr + struct bcm2835aux_spi *bs = spi_master_get_devdata(master); + irqreturn_t ret = IRQ_NONE; + ++ /* IRQ may be shared, so return if our interrupts are disabled */ ++ if (!(bcm2835aux_rd(bs, BCM2835_AUX_SPI_CNTL1) & ++ (BCM2835_AUX_SPI_CNTL1_TXEMPTY | BCM2835_AUX_SPI_CNTL1_IDLE))) ++ return ret; ++ + /* check if we have data to read */ + while (bs->rx_len && + (!(bcm2835aux_rd(bs, BCM2835_AUX_SPI_STAT) & diff --git a/queue-4.16/spi-cadence-add-usleep_range-for-cdns_spi_fill_tx_fifo.patch b/queue-4.16/spi-cadence-add-usleep_range-for-cdns_spi_fill_tx_fifo.patch new file mode 100644 index 00000000000..b73bfbd3706 --- /dev/null +++ b/queue-4.16/spi-cadence-add-usleep_range-for-cdns_spi_fill_tx_fifo.patch @@ -0,0 +1,40 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: sxauwsk +Date: Tue, 17 Apr 2018 04:01:27 +0800 +Subject: spi: cadence: Add usleep_range() for cdns_spi_fill_tx_fifo() + +From: sxauwsk + +[ Upstream commit 49530e6411789c1b9ea3ebc58e520c19d1c3752f ] + +In case of xspi work in busy condition, may send bytes failed. +once something wrong, spi controller did't work any more + +My test found this situation appear in both of read/write process. +so when TX FIFO is full, add one byte delay before send data; + +Signed-off-by: sxauwsk +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-cadence.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/spi/spi-cadence.c ++++ b/drivers/spi/spi-cadence.c +@@ -313,6 +313,14 @@ static void cdns_spi_fill_tx_fifo(struct + + while ((trans_cnt < CDNS_SPI_FIFO_DEPTH) && + (xspi->tx_bytes > 0)) { ++ ++ /* When xspi in busy condition, bytes may send failed, ++ * then spi control did't work thoroughly, add one byte delay ++ */ ++ if (cdns_spi_read(xspi, CDNS_SPI_ISR) & ++ CDNS_SPI_IXR_TXFULL) ++ usleep_range(10, 20); ++ + if (xspi->txbuf) + cdns_spi_write(xspi, CDNS_SPI_TXD, *xspi->txbuf++); + else diff --git a/queue-4.16/spi-sh-msiof-fix-bit-field-overflow-writes-to-tscr-rscr.patch b/queue-4.16/spi-sh-msiof-fix-bit-field-overflow-writes-to-tscr-rscr.patch new file mode 100644 index 00000000000..2454ccdcc70 --- /dev/null +++ b/queue-4.16/spi-sh-msiof-fix-bit-field-overflow-writes-to-tscr-rscr.patch @@ -0,0 +1,43 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Vladimir Zapolskiy +Date: Fri, 13 Apr 2018 15:44:16 +0300 +Subject: spi: sh-msiof: Fix bit field overflow writes to TSCR/RSCR + +From: Vladimir Zapolskiy + +[ Upstream commit 10b4640833e95eeacaef8060bc1b35e636df3218 ] + +The change fixes a bit field overflow which allows to write to higher +bits while calculating SPI transfer clock and setting BRPS and BRDV +bit fields, the problem is reproduced if 'parent_rate' to 'spi_hz' +ratio is greater than 1024, for instance + + p->min_div = 2, + MSO rate = 33333333, + SPI device rate = 10000 + +results in + + k = 5, i.e. BRDV = 0b100 or 1/32 prescaler output, + BRPS = 105, + TSCR value = 0x6804, thus MSSEL and MSIMM bit fields are non-zero. + +Fixes: 65d5665bb260 ("spi: sh-msiof: Update calculation of frequency dividing") +Signed-off-by: Vladimir Zapolskiy +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-sh-msiof.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/spi/spi-sh-msiof.c ++++ b/drivers/spi/spi-sh-msiof.c +@@ -283,6 +283,7 @@ static void sh_msiof_spi_set_clk_regs(st + } + + k = min_t(int, k, ARRAY_SIZE(sh_msiof_spi_div_table) - 1); ++ brps = min_t(int, brps, 32); + + scr = sh_msiof_spi_div_table[k].brdv | SCR_BRPS(brps); + sh_msiof_write(p, TSCR, scr); diff --git a/queue-4.16/stop_machine-sched-fix-migrate_swap-vs.-active_balance-deadlock.patch b/queue-4.16/stop_machine-sched-fix-migrate_swap-vs.-active_balance-deadlock.patch new file mode 100644 index 00000000000..726aaf01418 --- /dev/null +++ b/queue-4.16/stop_machine-sched-fix-migrate_swap-vs.-active_balance-deadlock.patch @@ -0,0 +1,120 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Peter Zijlstra +Date: Fri, 20 Apr 2018 11:50:05 +0200 +Subject: stop_machine, sched: Fix migrate_swap() vs. active_balance() deadlock + +From: Peter Zijlstra + +[ Upstream commit 0b26351b910fb8fe6a056f8a1bbccabe50c0e19f ] + +Matt reported the following deadlock: + +CPU0 CPU1 + +schedule(.prev=migrate/0) + pick_next_task() ... + idle_balance() migrate_swap() + active_balance() stop_two_cpus() + spin_lock(stopper0->lock) + spin_lock(stopper1->lock) + ttwu(migrate/0) + smp_cond_load_acquire() -- waits for schedule() + stop_one_cpu(1) + spin_lock(stopper1->lock) -- waits for stopper lock + +Fix this deadlock by taking the wakeups out from under stopper->lock. +This allows the active_balance() to queue the stop work and finish the +context switch, which in turn allows the wakeup from migrate_swap() to +observe the context and complete the wakeup. + +Signed-off-by: Peter Zijlstra (Intel) +Reported-by: Matt Fleming +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Matt Fleming +Cc: Linus Torvalds +Cc: Michal Hocko +Cc: Mike Galbraith +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/20180420095005.GH4064@hirez.programming.kicks-ass.net +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/stop_machine.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +--- a/kernel/stop_machine.c ++++ b/kernel/stop_machine.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + + /* + * Structure to determine completion condition and record errors. May +@@ -65,27 +66,31 @@ static void cpu_stop_signal_done(struct + } + + static void __cpu_stop_queue_work(struct cpu_stopper *stopper, +- struct cpu_stop_work *work) ++ struct cpu_stop_work *work, ++ struct wake_q_head *wakeq) + { + list_add_tail(&work->list, &stopper->works); +- wake_up_process(stopper->thread); ++ wake_q_add(wakeq, stopper->thread); + } + + /* queue @work to @stopper. if offline, @work is completed immediately */ + static bool cpu_stop_queue_work(unsigned int cpu, struct cpu_stop_work *work) + { + struct cpu_stopper *stopper = &per_cpu(cpu_stopper, cpu); ++ DEFINE_WAKE_Q(wakeq); + unsigned long flags; + bool enabled; + + spin_lock_irqsave(&stopper->lock, flags); + enabled = stopper->enabled; + if (enabled) +- __cpu_stop_queue_work(stopper, work); ++ __cpu_stop_queue_work(stopper, work, &wakeq); + else if (work->done) + cpu_stop_signal_done(work->done); + spin_unlock_irqrestore(&stopper->lock, flags); + ++ wake_up_q(&wakeq); ++ + return enabled; + } + +@@ -229,6 +234,7 @@ static int cpu_stop_queue_two_works(int + { + struct cpu_stopper *stopper1 = per_cpu_ptr(&cpu_stopper, cpu1); + struct cpu_stopper *stopper2 = per_cpu_ptr(&cpu_stopper, cpu2); ++ DEFINE_WAKE_Q(wakeq); + int err; + retry: + spin_lock_irq(&stopper1->lock); +@@ -252,8 +258,8 @@ retry: + goto unlock; + + err = 0; +- __cpu_stop_queue_work(stopper1, work1); +- __cpu_stop_queue_work(stopper2, work2); ++ __cpu_stop_queue_work(stopper1, work1, &wakeq); ++ __cpu_stop_queue_work(stopper2, work2, &wakeq); + unlock: + spin_unlock(&stopper2->lock); + spin_unlock_irq(&stopper1->lock); +@@ -263,6 +269,9 @@ unlock: + cpu_relax(); + goto retry; + } ++ ++ wake_up_q(&wakeq); ++ + return err; + } + /** diff --git a/queue-4.16/tee-check-shm-references-are-consistent-in-offset-size.patch b/queue-4.16/tee-check-shm-references-are-consistent-in-offset-size.patch new file mode 100644 index 00000000000..4b09d0ee022 --- /dev/null +++ b/queue-4.16/tee-check-shm-references-are-consistent-in-offset-size.patch @@ -0,0 +1,44 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Etienne Carriere +Date: Sun, 29 Apr 2018 14:22:29 +0200 +Subject: tee: check shm references are consistent in offset/size + +From: Etienne Carriere + +[ Upstream commit ab9d3db5b320a052452b9cd035599ee3c84bbee9 ] + +This change prevents userland from referencing TEE shared memory +outside the area initially allocated by its owner. Prior this change an +application could not reference or access memory it did not own but +it could reference memory not explicitly allocated by owner but still +allocated to the owner due to the memory allocation granule. + +Reported-by: Alexandre Jutras +Signed-off-by: Etienne Carriere +Signed-off-by: Jens Wiklander +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tee/tee_core.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/tee/tee_core.c ++++ b/drivers/tee/tee_core.c +@@ -238,6 +238,17 @@ static int params_from_user(struct tee_c + if (IS_ERR(shm)) + return PTR_ERR(shm); + ++ /* ++ * Ensure offset + size does not overflow offset ++ * and does not overflow the size of the referred ++ * shared memory object. ++ */ ++ if ((ip.a + ip.b) < ip.a || ++ (ip.a + ip.b) > shm->size) { ++ tee_shm_put(shm); ++ return -EINVAL; ++ } ++ + params[n].u.memref.shm_offs = ip.a; + params[n].u.memref.size = ip.b; + params[n].u.memref.shm = shm; diff --git a/queue-4.16/thermal-int3403_thermal-fix-null-pointer-deref-on-module-load-probe.patch b/queue-4.16/thermal-int3403_thermal-fix-null-pointer-deref-on-module-load-probe.patch new file mode 100644 index 00000000000..9c28cdffb51 --- /dev/null +++ b/queue-4.16/thermal-int3403_thermal-fix-null-pointer-deref-on-module-load-probe.patch @@ -0,0 +1,42 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Hans de Goede +Date: Sun, 22 Apr 2018 19:56:17 +0200 +Subject: thermal: int3403_thermal: Fix NULL pointer deref on module load / probe + +From: Hans de Goede + +[ Upstream commit 13b86f50eaaddaea4bdd2fe476fd12e6a0951add ] + +Starting with kernel 4.17 thermal_cooling_device_register() will call the +get_max_state() op during register. + +Since we deref priv->priv in int3403_get_max_state() this means we must +set priv->priv before calling thermal_cooling_device_register(). + +Signed-off-by: Hans de Goede +Signed-off-by: Zhang Rui +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/int340x_thermal/int3403_thermal.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/thermal/int340x_thermal/int3403_thermal.c ++++ b/drivers/thermal/int340x_thermal/int3403_thermal.c +@@ -194,6 +194,7 @@ static int int3403_cdev_add(struct int34 + return -EFAULT; + } + ++ priv->priv = obj; + obj->max_state = p->package.count - 1; + obj->cdev = + thermal_cooling_device_register(acpi_device_bid(priv->adev), +@@ -201,8 +202,6 @@ static int int3403_cdev_add(struct int34 + if (IS_ERR(obj->cdev)) + result = PTR_ERR(obj->cdev); + +- priv->priv = obj; +- + kfree(buf.pointer); + /* TODO: add ACPI notification support */ + diff --git a/queue-4.16/tipc-eliminate-kmsan-uninit-value-in-strcmp-complaint.patch b/queue-4.16/tipc-eliminate-kmsan-uninit-value-in-strcmp-complaint.patch new file mode 100644 index 00000000000..57b19d4fb32 --- /dev/null +++ b/queue-4.16/tipc-eliminate-kmsan-uninit-value-in-strcmp-complaint.patch @@ -0,0 +1,117 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Ying Xue +Date: Tue, 8 May 2018 21:44:06 +0800 +Subject: tipc: eliminate KMSAN uninit-value in strcmp complaint + +From: Ying Xue + +[ Upstream commit 94f6a80c0c11828cb7b3d79294459dd8d761ca89 ] + +When we get link properties through netlink interface with +tipc_nl_node_get_link(), we don't validate TIPC_NLA_LINK_NAME +attribute at all, instead we directly use it. As a consequence, +KMSAN detected the TIPC_NLA_LINK_NAME attribute was an uninitialized +value, and then posted the following complaint: + +================================================================== +BUG: KMSAN: uninit-value in strcmp+0xf7/0x160 lib/string.c:329 +CPU: 1 PID: 4527 Comm: syz-executor655 Not tainted 4.16.0+ #87 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS +Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:17 [inline] + dump_stack+0x185/0x1d0 lib/dump_stack.c:53 + kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067 + __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683 + strcmp+0xf7/0x160 lib/string.c:329 + tipc_nl_node_get_link+0x220/0x6f0 net/tipc/node.c:1881 + genl_family_rcv_msg net/netlink/genetlink.c:599 [inline] + genl_rcv_msg+0x1686/0x1810 net/netlink/genetlink.c:624 + netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2447 + genl_rcv+0x63/0x80 net/netlink/genetlink.c:635 + netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline] + netlink_unicast+0x166b/0x1740 net/netlink/af_netlink.c:1337 + netlink_sendmsg+0x1048/0x1310 net/netlink/af_netlink.c:1900 + sock_sendmsg_nosec net/socket.c:630 [inline] + sock_sendmsg net/socket.c:640 [inline] + ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046 + __sys_sendmsg net/socket.c:2080 [inline] + SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091 + SyS_sendmsg+0x54/0x80 net/socket.c:2087 + do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 +RIP: 0033:0x445589 +RSP: 002b:00007fb7ee66cdb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 00000000006dac24 RCX: 0000000000445589 +RDX: 0000000000000000 RSI: 0000000020023000 RDI: 0000000000000003 +RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007fffa2bf3f3f R14: 00007fb7ee66d9c0 R15: 0000000000000001 + +Uninit was created at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline] + kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188 + kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314 + kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321 + slab_post_alloc_hook mm/slab.h:445 [inline] + slab_alloc_node mm/slub.c:2737 [inline] + __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369 + __kmalloc_reserve net/core/skbuff.c:138 [inline] + __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206 + alloc_skb include/linux/skbuff.h:984 [inline] + netlink_alloc_large_skb net/netlink/af_netlink.c:1183 [inline] + netlink_sendmsg+0x9a6/0x1310 net/netlink/af_netlink.c:1875 + sock_sendmsg_nosec net/socket.c:630 [inline] + sock_sendmsg net/socket.c:640 [inline] + ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046 + __sys_sendmsg net/socket.c:2080 [inline] + SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091 + SyS_sendmsg+0x54/0x80 net/socket.c:2087 + do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 +================================================================== + +To quiet the complaint, TIPC_NLA_LINK_NAME attribute has been +validated in tipc_nl_node_get_link() before it's used. + +Reported-by: syzbot+df0257c92ffd4fcc58cd@syzkaller.appspotmail.com +Signed-off-by: Ying Xue +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/node.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/net/tipc/node.c ++++ b/net/tipc/node.c +@@ -1863,6 +1863,7 @@ out: + int tipc_nl_node_get_link(struct sk_buff *skb, struct genl_info *info) + { + struct net *net = genl_info_net(info); ++ struct nlattr *attrs[TIPC_NLA_LINK_MAX + 1]; + struct tipc_nl_msg msg; + char *name; + int err; +@@ -1870,9 +1871,19 @@ int tipc_nl_node_get_link(struct sk_buff + msg.portid = info->snd_portid; + msg.seq = info->snd_seq; + +- if (!info->attrs[TIPC_NLA_LINK_NAME]) ++ if (!info->attrs[TIPC_NLA_LINK]) + return -EINVAL; +- name = nla_data(info->attrs[TIPC_NLA_LINK_NAME]); ++ ++ err = nla_parse_nested(attrs, TIPC_NLA_LINK_MAX, ++ info->attrs[TIPC_NLA_LINK], ++ tipc_nl_link_policy, info->extack); ++ if (err) ++ return err; ++ ++ if (!attrs[TIPC_NLA_LINK_NAME]) ++ return -EINVAL; ++ ++ name = nla_data(attrs[TIPC_NLA_LINK_NAME]); + + msg.skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); + if (!msg.skb) diff --git a/queue-4.16/tipc-fix-bug-in-function-tipc_nl_node_dump_monitor.patch b/queue-4.16/tipc-fix-bug-in-function-tipc_nl_node_dump_monitor.patch new file mode 100644 index 00000000000..4b8bdfefe57 --- /dev/null +++ b/queue-4.16/tipc-fix-bug-in-function-tipc_nl_node_dump_monitor.patch @@ -0,0 +1,38 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Jon Maloy +Date: Wed, 25 Apr 2018 18:29:25 +0200 +Subject: tipc: fix bug in function tipc_nl_node_dump_monitor + +From: Jon Maloy + +[ Upstream commit 7dbc73e6124ce4d0cfbdd6166de388e9367c47ad ] + +Commit 36a50a989ee8 ("tipc: fix infinite loop when dumping link monitor +summary") intended to fix a problem with user tool looping when max +number of bearers are enabled. + +Unfortunately, the wrong version of the commit was posted, so the +problem was not solved at all. + +This commit adds the missing part. + +Fixes: 36a50a989ee8 ("tipc: fix infinite loop when dumping link monitor summary") +Signed-off-by: Jon Maloy +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/node.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/tipc/node.c ++++ b/net/tipc/node.c +@@ -2157,7 +2157,7 @@ int tipc_nl_node_dump_monitor(struct sk_ + + rtnl_lock(); + for (bearer_id = prev_bearer; bearer_id < MAX_BEARERS; bearer_id++) { +- err = __tipc_nl_add_monitor(net, &msg, prev_bearer); ++ err = __tipc_nl_add_monitor(net, &msg, bearer_id); + if (err) + break; + } diff --git a/queue-4.16/tipc-fix-infinite-loop-when-dumping-link-monitor-summary.patch b/queue-4.16/tipc-fix-infinite-loop-when-dumping-link-monitor-summary.patch new file mode 100644 index 00000000000..5be7875f37b --- /dev/null +++ b/queue-4.16/tipc-fix-infinite-loop-when-dumping-link-monitor-summary.patch @@ -0,0 +1,76 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Tung Nguyen +Date: Tue, 17 Apr 2018 21:58:27 +0200 +Subject: tipc: fix infinite loop when dumping link monitor summary + +From: Tung Nguyen + +[ Upstream commit 36a50a989ee8267588de520b8704b85f045a3220 ] + +When configuring the number of used bearers to MAX_BEARER and issuing +command "tipc link monitor summary", the command enters infinite loop +in user space. + +This issue happens because function tipc_nl_node_dump_monitor() returns +the wrong 'prev_bearer' value when all potential monitors have been +scanned. + +The correct behavior is to always try to scan all monitors until either +the netlink message is full, in which case we return the bearer identity +of the affected monitor, or we continue through the whole bearer array +until we can return MAX_BEARERS. This solution also caters for the case +where there may be gaps in the bearer array. + +Signed-off-by: Tung Nguyen +Signed-off-by: Jon Maloy +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/monitor.c | 2 +- + net/tipc/node.c | 11 ++++------- + 2 files changed, 5 insertions(+), 8 deletions(-) + +--- a/net/tipc/monitor.c ++++ b/net/tipc/monitor.c +@@ -777,7 +777,7 @@ int __tipc_nl_add_monitor(struct net *ne + + ret = tipc_bearer_get_name(net, bearer_name, bearer_id); + if (ret || !mon) +- return -EINVAL; ++ return 0; + + hdr = genlmsg_put(msg->skb, msg->portid, msg->seq, &tipc_genl_family, + NLM_F_MULTI, TIPC_NL_MON_GET); +--- a/net/tipc/node.c ++++ b/net/tipc/node.c +@@ -2145,8 +2145,8 @@ int tipc_nl_node_dump_monitor(struct sk_ + struct net *net = sock_net(skb->sk); + u32 prev_bearer = cb->args[0]; + struct tipc_nl_msg msg; ++ int bearer_id; + int err; +- int i; + + if (prev_bearer == MAX_BEARERS) + return 0; +@@ -2156,16 +2156,13 @@ int tipc_nl_node_dump_monitor(struct sk_ + msg.seq = cb->nlh->nlmsg_seq; + + rtnl_lock(); +- for (i = prev_bearer; i < MAX_BEARERS; i++) { +- prev_bearer = i; ++ for (bearer_id = prev_bearer; bearer_id < MAX_BEARERS; bearer_id++) { + err = __tipc_nl_add_monitor(net, &msg, prev_bearer); + if (err) +- goto out; ++ break; + } +- +-out: + rtnl_unlock(); +- cb->args[0] = prev_bearer; ++ cb->args[0] = bearer_id; + + return skb->len; + } diff --git a/queue-4.16/uprobes-x86-prohibit-probing-on-mov-ss-instruction.patch b/queue-4.16/uprobes-x86-prohibit-probing-on-mov-ss-instruction.patch new file mode 100644 index 00000000000..9eafad4b5c5 --- /dev/null +++ b/queue-4.16/uprobes-x86-prohibit-probing-on-mov-ss-instruction.patch @@ -0,0 +1,50 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Masami Hiramatsu +Date: Wed, 9 May 2018 21:58:45 +0900 +Subject: uprobes/x86: Prohibit probing on MOV SS instruction + +From: Masami Hiramatsu + +[ Upstream commit 13ebe18c94f5b0665c01ae7fad2717ae959f4212 ] + +Since MOV SS and POP SS instructions will delay the exceptions until the +next instruction is executed, single-stepping on it by uprobes must be +prohibited. + +uprobe already rejects probing on POP SS (0x1f), but allows probing on MOV +SS (0x8e and reg == 2). This checks the target instruction and if it is +MOV SS or POP SS, returns -ENOTSUPP to reject probing. + +Signed-off-by: Masami Hiramatsu +Signed-off-by: Thomas Gleixner +Acked-by: Oleg Nesterov +Cc: Ricardo Neri +Cc: Francis Deslauriers +Cc: Alexei Starovoitov +Cc: Steven Rostedt +Cc: Andy Lutomirski +Cc: "H . Peter Anvin" +Cc: Yonghong Song +Cc: Borislav Petkov +Cc: Linus Torvalds +Cc: "David S . Miller" +Link: https://lkml.kernel.org/r/152587072544.17316.5950935243917346341.stgit@devbox +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/uprobes.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/x86/kernel/uprobes.c ++++ b/arch/x86/kernel/uprobes.c +@@ -299,6 +299,10 @@ static int uprobe_init_insn(struct arch_ + if (is_prefix_bad(insn)) + return -ENOTSUPP; + ++ /* We should not singlestep on the exception masking instructions */ ++ if (insn_masking_exception(insn)) ++ return -ENOTSUPP; ++ + if (x86_64) + good_insns = good_insns_64; + else diff --git a/queue-4.16/usb-musb-fix-remote-wakeup-racing-with-suspend.patch b/queue-4.16/usb-musb-fix-remote-wakeup-racing-with-suspend.patch new file mode 100644 index 00000000000..4d03b17e53e --- /dev/null +++ b/queue-4.16/usb-musb-fix-remote-wakeup-racing-with-suspend.patch @@ -0,0 +1,126 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: "Daniel Glöckner" +Date: Mon, 14 May 2018 09:40:05 -0500 +Subject: usb: musb: fix remote wakeup racing with suspend + +From: "Daniel Glöckner" + +[ Upstream commit ebc3dd688cd988754a304147753b13e58de1b5a1 ] + +It has been observed that writing 0xF2 to the power register while it +reads as 0xF4 results in the register having the value 0xF0, i.e. clearing +RESUME and setting SUSPENDM in one go does not work. It might also violate +the USB spec to transition directly from resume to suspend, especially +when not taking T_DRSMDN into account. But this is what happens when a +remote wakeup occurs between SetPortFeature USB_PORT_FEAT_SUSPEND on the +root hub and musb_bus_suspend being called. + +This commit returns -EBUSY when musb_bus_suspend is called while remote +wakeup is signalled and thus avoids to reset the RESUME bit. Ignoring +this error when musb_port_suspend is called from musb_hub_control is ok. + +Signed-off-by: Daniel Glöckner +Signed-off-by: Bin Liu +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/musb/musb_host.c | 5 ++++- + drivers/usb/musb/musb_host.h | 7 +++++-- + drivers/usb/musb/musb_virthub.c | 25 +++++++++++++++---------- + 3 files changed, 24 insertions(+), 13 deletions(-) + +--- a/drivers/usb/musb/musb_host.c ++++ b/drivers/usb/musb/musb_host.c +@@ -2530,8 +2530,11 @@ static int musb_bus_suspend(struct usb_h + { + struct musb *musb = hcd_to_musb(hcd); + u8 devctl; ++ int ret; + +- musb_port_suspend(musb, true); ++ ret = musb_port_suspend(musb, true); ++ if (ret) ++ return ret; + + if (!is_host_active(musb)) + return 0; +--- a/drivers/usb/musb/musb_host.h ++++ b/drivers/usb/musb/musb_host.h +@@ -67,7 +67,7 @@ extern void musb_host_rx(struct musb *, + extern void musb_root_disconnect(struct musb *musb); + extern void musb_host_resume_root_hub(struct musb *musb); + extern void musb_host_poke_root_hub(struct musb *musb); +-extern void musb_port_suspend(struct musb *musb, bool do_suspend); ++extern int musb_port_suspend(struct musb *musb, bool do_suspend); + extern void musb_port_reset(struct musb *musb, bool do_reset); + extern void musb_host_finish_resume(struct work_struct *work); + #else +@@ -99,7 +99,10 @@ static inline void musb_root_disconnect( + static inline void musb_host_resume_root_hub(struct musb *musb) {} + static inline void musb_host_poll_rh_status(struct musb *musb) {} + static inline void musb_host_poke_root_hub(struct musb *musb) {} +-static inline void musb_port_suspend(struct musb *musb, bool do_suspend) {} ++static inline int musb_port_suspend(struct musb *musb, bool do_suspend) ++{ ++ return 0; ++} + static inline void musb_port_reset(struct musb *musb, bool do_reset) {} + static inline void musb_host_finish_resume(struct work_struct *work) {} + #endif +--- a/drivers/usb/musb/musb_virthub.c ++++ b/drivers/usb/musb/musb_virthub.c +@@ -48,14 +48,14 @@ void musb_host_finish_resume(struct work + spin_unlock_irqrestore(&musb->lock, flags); + } + +-void musb_port_suspend(struct musb *musb, bool do_suspend) ++int musb_port_suspend(struct musb *musb, bool do_suspend) + { + struct usb_otg *otg = musb->xceiv->otg; + u8 power; + void __iomem *mbase = musb->mregs; + + if (!is_host_active(musb)) +- return; ++ return 0; + + /* NOTE: this doesn't necessarily put PHY into low power mode, + * turning off its clock; that's a function of PHY integration and +@@ -66,16 +66,20 @@ void musb_port_suspend(struct musb *musb + if (do_suspend) { + int retries = 10000; + +- power &= ~MUSB_POWER_RESUME; +- power |= MUSB_POWER_SUSPENDM; +- musb_writeb(mbase, MUSB_POWER, power); ++ if (power & MUSB_POWER_RESUME) ++ return -EBUSY; ++ ++ if (!(power & MUSB_POWER_SUSPENDM)) { ++ power |= MUSB_POWER_SUSPENDM; ++ musb_writeb(mbase, MUSB_POWER, power); + +- /* Needed for OPT A tests */ +- power = musb_readb(mbase, MUSB_POWER); +- while (power & MUSB_POWER_SUSPENDM) { ++ /* Needed for OPT A tests */ + power = musb_readb(mbase, MUSB_POWER); +- if (retries-- < 1) +- break; ++ while (power & MUSB_POWER_SUSPENDM) { ++ power = musb_readb(mbase, MUSB_POWER); ++ if (retries-- < 1) ++ break; ++ } + } + + musb_dbg(musb, "Root port suspended, power %02x", power); +@@ -111,6 +115,7 @@ void musb_port_suspend(struct musb *musb + schedule_delayed_work(&musb->finish_resume_work, + msecs_to_jiffies(USB_RESUME_TIMEOUT)); + } ++ return 0; + } + + void musb_port_reset(struct musb *musb, bool do_reset) diff --git a/queue-4.16/usb-typec-tps6598x-handle-block-reads-separately-with-plain-i2c-adapters.patch b/queue-4.16/usb-typec-tps6598x-handle-block-reads-separately-with-plain-i2c-adapters.patch new file mode 100644 index 00000000000..6abd2eb735a --- /dev/null +++ b/queue-4.16/usb-typec-tps6598x-handle-block-reads-separately-with-plain-i2c-adapters.patch @@ -0,0 +1,133 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Heikki Krogerus +Date: Wed, 25 Apr 2018 17:22:09 +0300 +Subject: usb: typec: tps6598x: handle block reads separately with plain-I2C adapters + +From: Heikki Krogerus + +[ Upstream commit 1a2f474d328f292ee706414824ec4ca690cdf5ba ] + +If the I2C adapter that the PD controller is attached to +does not support SMBus protocol, the driver needs to handle +block reads separately. The first byte returned in block +read protocol will show the total number of bytes. It needs +to be stripped away. + +This is handled separately in the driver only because right +now we have no way of requesting the used protocol with +regmap-i2c. This is in practice a workaround for what is +really a problem in regmap-i2c. The other option would have +been to register custom regmap, or not use regmap at all, +however, since the solution is very simple, I choose to use +it in this case for convenience. It is easy to remove once +we figure out how to handle this kind of cases in +regmap-i2c. + +Fixes: 0a4c005bd171 ("usb: typec: driver for TI TPS6598x USB Power Delivery controllers") +Reviewed-by: Guenter Roeck +Signed-off-by: Heikki Krogerus +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/tps6598x.c | 47 +++++++++++++++++++++++++++++++++++-------- + 1 file changed, 39 insertions(+), 8 deletions(-) + +--- a/drivers/usb/typec/tps6598x.c ++++ b/drivers/usb/typec/tps6598x.c +@@ -73,6 +73,7 @@ struct tps6598x { + struct device *dev; + struct regmap *regmap; + struct mutex lock; /* device lock */ ++ u8 i2c_protocol:1; + + struct typec_port *port; + struct typec_partner *partner; +@@ -80,19 +81,39 @@ struct tps6598x { + struct typec_capability typec_cap; + }; + ++static int ++tps6598x_block_read(struct tps6598x *tps, u8 reg, void *val, size_t len) ++{ ++ u8 data[len + 1]; ++ int ret; ++ ++ if (!tps->i2c_protocol) ++ return regmap_raw_read(tps->regmap, reg, val, len); ++ ++ ret = regmap_raw_read(tps->regmap, reg, data, sizeof(data)); ++ if (ret) ++ return ret; ++ ++ if (data[0] < len) ++ return -EIO; ++ ++ memcpy(val, &data[1], len); ++ return 0; ++} ++ + static inline int tps6598x_read16(struct tps6598x *tps, u8 reg, u16 *val) + { +- return regmap_raw_read(tps->regmap, reg, val, sizeof(u16)); ++ return tps6598x_block_read(tps, reg, val, sizeof(u16)); + } + + static inline int tps6598x_read32(struct tps6598x *tps, u8 reg, u32 *val) + { +- return regmap_raw_read(tps->regmap, reg, val, sizeof(u32)); ++ return tps6598x_block_read(tps, reg, val, sizeof(u32)); + } + + static inline int tps6598x_read64(struct tps6598x *tps, u8 reg, u64 *val) + { +- return regmap_raw_read(tps->regmap, reg, val, sizeof(u64)); ++ return tps6598x_block_read(tps, reg, val, sizeof(u64)); + } + + static inline int tps6598x_write16(struct tps6598x *tps, u8 reg, u16 val) +@@ -121,8 +142,8 @@ static int tps6598x_read_partner_identit + struct tps6598x_rx_identity_reg id; + int ret; + +- ret = regmap_raw_read(tps->regmap, TPS_REG_RX_IDENTITY_SOP, +- &id, sizeof(id)); ++ ret = tps6598x_block_read(tps, TPS_REG_RX_IDENTITY_SOP, ++ &id, sizeof(id)); + if (ret) + return ret; + +@@ -223,13 +244,13 @@ static int tps6598x_exec_cmd(struct tps6 + } while (val); + + if (out_len) { +- ret = regmap_raw_read(tps->regmap, TPS_REG_DATA1, +- out_data, out_len); ++ ret = tps6598x_block_read(tps, TPS_REG_DATA1, ++ out_data, out_len); + if (ret) + return ret; + val = out_data[0]; + } else { +- ret = regmap_read(tps->regmap, TPS_REG_DATA1, &val); ++ ret = tps6598x_block_read(tps, TPS_REG_DATA1, &val, sizeof(u8)); + if (ret) + return ret; + } +@@ -384,6 +405,16 @@ static int tps6598x_probe(struct i2c_cli + if (!vid) + return -ENODEV; + ++ /* ++ * Checking can the adapter handle SMBus protocol. If it can not, the ++ * driver needs to take care of block reads separately. ++ * ++ * FIXME: Testing with I2C_FUNC_I2C. regmap-i2c uses I2C protocol ++ * unconditionally if the adapter has I2C_FUNC_I2C set. ++ */ ++ if (i2c_check_functionality(client->adapter, I2C_FUNC_I2C)) ++ tps->i2c_protocol = true; ++ + ret = tps6598x_read32(tps, TPS_REG_STATUS, &status); + if (ret < 0) + return ret; diff --git a/queue-4.16/usb-typec-ucsi-fix-tracepoint-related-build-error.patch b/queue-4.16/usb-typec-ucsi-fix-tracepoint-related-build-error.patch new file mode 100644 index 00000000000..b3f44bb3507 --- /dev/null +++ b/queue-4.16/usb-typec-ucsi-fix-tracepoint-related-build-error.patch @@ -0,0 +1,47 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Tobias Regnery +Date: Tue, 10 Apr 2018 10:38:06 +0200 +Subject: usb: typec: ucsi: fix tracepoint related build error + +From: Tobias Regnery + +[ Upstream commit 2f860691c2d2e3af1404ffeb2d22dd5c3dbca811 ] + +There is the following build error with CONFIG_TYPEC_UCSI=m, CONFIG_FTRACE=y +and CONFIG_TRACING=n: + +ERROR: "__tracepoint_ucsi_command" [drivers/usb/typec/ucsi/typec_ucsi.ko] undefined! +ERROR: "__tracepoint_ucsi_register_port" [drivers/usb/typec/ucsi/typec_ucsi.ko] undefined! +ERROR: "__tracepoint_ucsi_notify" [drivers/usb/typec/ucsi/typec_ucsi.ko] undefined! +ERROR: "__tracepoint_ucsi_reset_ppm" [drivers/usb/typec/ucsi/typec_ucsi.ko] undefined! +ERROR: "__tracepoint_ucsi_run_command" [drivers/usb/typec/ucsi/typec_ucsi.ko] undefined! +ERROR: "__tracepoint_ucsi_ack" [drivers/usb/typec/ucsi/typec_ucsi.ko] undefined! +ERROR: "__tracepoint_ucsi_connector_change" [drivers/usb/typec/ucsi/typec_ucsi.ko] undefined! + +This compination is quite hard to create because CONFIG_TRACING gets selected +only in rare cases without CONFIG_FTRACE. + +The build failure is caused by conditionally compiling trace.c depending on +the wrong option CONFIG_FTRACE. Change this to depend on CONFIG_TRACING like +other users of tracepoints do. + +Fixes: c1b0bc2dabfa ("usb: typec: Add support for UCSI interface") +Signed-off-by: Tobias Regnery +Acked-by: Heikki Krogerus +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/ucsi/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/typec/ucsi/Makefile ++++ b/drivers/usb/typec/ucsi/Makefile +@@ -5,6 +5,6 @@ obj-$(CONFIG_TYPEC_UCSI) += typec_ucsi.o + + typec_ucsi-y := ucsi.o + +-typec_ucsi-$(CONFIG_FTRACE) += trace.o ++typec_ucsi-$(CONFIG_TRACING) += trace.o + + obj-$(CONFIG_UCSI_ACPI) += ucsi_acpi.o diff --git a/queue-4.16/vfs-undo-an-overly-zealous-ms_rdonly-sb_rdonly-conversion.patch b/queue-4.16/vfs-undo-an-overly-zealous-ms_rdonly-sb_rdonly-conversion.patch new file mode 100644 index 00000000000..7850a21afd3 --- /dev/null +++ b/queue-4.16/vfs-undo-an-overly-zealous-ms_rdonly-sb_rdonly-conversion.patch @@ -0,0 +1,34 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: David Howells +Date: Fri, 20 Apr 2018 13:35:02 +0100 +Subject: vfs: Undo an overly zealous MS_RDONLY -> SB_RDONLY conversion + +From: David Howells + +[ Upstream commit a9e5b73288cf1595ac2e05cf1acd1924ceea05fa ] + +In do_mount() when the MS_* flags are being converted to MNT_* flags, +MS_RDONLY got accidentally convered to SB_RDONLY. + +Undo this change. + +Fixes: e462ec50cb5f ("VFS: Differentiate mount flags (MS_*) from internal superblock flags") +Signed-off-by: David Howells +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/namespace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -2810,7 +2810,7 @@ long do_mount(const char *dev_name, cons + mnt_flags |= MNT_NODIRATIME; + if (flags & MS_STRICTATIME) + mnt_flags &= ~(MNT_RELATIME | MNT_NOATIME); +- if (flags & SB_RDONLY) ++ if (flags & MS_RDONLY) + mnt_flags |= MNT_READONLY; + + /* The default atime for remount is preservation */ diff --git a/queue-4.16/vti6-change-minimum-mtu-to-ipv4_min_mtu-vti6-can-carry-ipv4-too.patch b/queue-4.16/vti6-change-minimum-mtu-to-ipv4_min_mtu-vti6-can-carry-ipv4-too.patch new file mode 100644 index 00000000000..2636be15d25 --- /dev/null +++ b/queue-4.16/vti6-change-minimum-mtu-to-ipv4_min_mtu-vti6-can-carry-ipv4-too.patch @@ -0,0 +1,47 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Stefano Brivio +Date: Thu, 26 Apr 2018 19:39:09 +0200 +Subject: vti6: Change minimum MTU to IPV4_MIN_MTU, vti6 can carry IPv4 too + +From: Stefano Brivio + +[ Upstream commit b4331a681822b420511b3258f1c3db35001fde48 ] + +A vti6 interface can carry IPv4 as well, so it makes no sense to +enforce a minimum MTU of IPV6_MIN_MTU. + +If the user sets an MTU below IPV6_MIN_MTU, IPv6 will be +disabled on the interface, courtesy of addrconf_notify(). + +Reported-by: Xin Long +Fixes: b96f9afee4eb ("ipv4/6: use core net MTU range checking") +Fixes: c6741fbed6dc ("vti6: Properly adjust vti6 MTU from MTU of lower device") +Fixes: 53c81e95df17 ("ip6_vti: adjust vti mtu according to mtu of lower device") +Signed-off-by: Stefano Brivio +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_vti.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/ipv6/ip6_vti.c ++++ b/net/ipv6/ip6_vti.c +@@ -669,7 +669,7 @@ static void vti6_link_config(struct ip6_ + else + mtu = ETH_DATA_LEN - LL_MAX_HEADER - sizeof(struct ipv6hdr); + +- dev->mtu = max_t(int, mtu, IPV6_MIN_MTU); ++ dev->mtu = max_t(int, mtu, IPV4_MIN_MTU); + } + + /** +@@ -881,7 +881,7 @@ static void vti6_dev_setup(struct net_de + dev->priv_destructor = vti6_dev_free; + + dev->type = ARPHRD_TUNNEL6; +- dev->min_mtu = IPV6_MIN_MTU; ++ dev->min_mtu = IPV4_MIN_MTU; + dev->max_mtu = IP_MAX_MTU - sizeof(struct ipv6hdr); + dev->flags |= IFF_NOARP; + dev->addr_len = sizeof(struct in6_addr); diff --git a/queue-4.16/x86-add-check-for-apic-access-address-for-vmentry-of-l2-guests.patch b/queue-4.16/x86-add-check-for-apic-access-address-for-vmentry-of-l2-guests.patch new file mode 100644 index 00000000000..7ff57ad4f1b --- /dev/null +++ b/queue-4.16/x86-add-check-for-apic-access-address-for-vmentry-of-l2-guests.patch @@ -0,0 +1,65 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Krish Sadhukhan +Date: Wed, 11 Apr 2018 01:10:16 -0400 +Subject: x86: Add check for APIC access address for vmentry of L2 guests + +From: Krish Sadhukhan + +[ Upstream commit f0f4cf5b306620282db0c59ff963012e1973e025 ] + +According to the sub-section titled 'VM-Execution Control Fields' in the +section titled 'Basic VM-Entry Checks' in Intel SDM vol. 3C, the following +vmentry check must be enforced: + + If the 'virtualize APIC-accesses' VM-execution control is 1, the + APIC-access address must satisfy the following checks: + + - Bits 11:0 of the address must be 0. + - The address should not set any bits beyond the processor's + physical-address width. + +This patch adds the necessary check to conform to this rule. If the check +fails, we cause the L2 VMENTRY to fail which is what the associated unit +test (following patch) expects. + +Reviewed-by: Mihai Carabas +Reviewed-by: Konrad Rzeszutek Wilk +Reviewed-by: Jim Mattson +Reviewed-by: Wanpeng Li +Signed-off-by: Krish Sadhukhan +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/vmx.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -10338,6 +10338,16 @@ static inline bool nested_vmx_prepare_ms + return true; + } + ++static int nested_vmx_check_apic_access_controls(struct kvm_vcpu *vcpu, ++ struct vmcs12 *vmcs12) ++{ ++ if (nested_cpu_has2(vmcs12, SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES) && ++ !page_address_valid(vcpu, vmcs12->apic_access_addr)) ++ return -EINVAL; ++ else ++ return 0; ++} ++ + static int nested_vmx_check_apicv_controls(struct kvm_vcpu *vcpu, + struct vmcs12 *vmcs12) + { +@@ -11006,6 +11016,9 @@ static int check_vmentry_prereqs(struct + if (nested_vmx_check_msr_bitmap_controls(vcpu, vmcs12)) + return VMXERR_ENTRY_INVALID_CONTROL_FIELD; + ++ if (nested_vmx_check_apic_access_controls(vcpu, vmcs12)) ++ return VMXERR_ENTRY_INVALID_CONTROL_FIELD; ++ + if (nested_vmx_check_tpr_shadow_controls(vcpu, vmcs12)) + return VMXERR_ENTRY_INVALID_CONTROL_FIELD; + diff --git a/queue-4.16/x86-cpu-intel-add-missing-tlb-cpuid-values.patch b/queue-4.16/x86-cpu-intel-add-missing-tlb-cpuid-values.patch new file mode 100644 index 00000000000..6d634e13f26 --- /dev/null +++ b/queue-4.16/x86-cpu-intel-add-missing-tlb-cpuid-values.patch @@ -0,0 +1,42 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: "jacek.tomaka@poczta.fm" +Date: Tue, 24 Apr 2018 00:14:25 +0800 +Subject: x86/cpu/intel: Add missing TLB cpuid values + +From: "jacek.tomaka@poczta.fm" + +[ Upstream commit b837913fc2d9061bf9b8c0dd6bf2d24e2f98b84a ] + +Make kernel print the correct number of TLB entries on Intel Xeon Phi 7210 +(and others) + +Before: +[ 0.320005] Last level dTLB entries: 4KB 0, 2MB 0, 4MB 0, 1GB 0 +After: +[ 0.320005] Last level dTLB entries: 4KB 256, 2MB 128, 4MB 128, 1GB 16 + +The entries do exist in the official Intel SMD but the type column there is +incorrect (states "Cache" where it should read "TLB"), but the entries for +the values 0x6B, 0x6C and 0x6D are correctly described as 'Data TLB'. + +Signed-off-by: Jacek Tomaka +Signed-off-by: Thomas Gleixner +Link: https://lkml.kernel.org/r/20180423161425.24366-1-jacekt@dugeo.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/intel.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/x86/kernel/cpu/intel.c ++++ b/arch/x86/kernel/cpu/intel.c +@@ -751,6 +751,9 @@ static const struct _tlb_table intel_tlb + { 0x5d, TLB_DATA_4K_4M, 256, " TLB_DATA 4 KByte and 4 MByte pages" }, + { 0x61, TLB_INST_4K, 48, " TLB_INST 4 KByte pages, full associative" }, + { 0x63, TLB_DATA_1G, 4, " TLB_DATA 1 GByte pages, 4-way set associative" }, ++ { 0x6b, TLB_DATA_4K, 256, " TLB_DATA 4 KByte pages, 8-way associative" }, ++ { 0x6c, TLB_DATA_2M_4M, 128, " TLB_DATA 2 MByte or 4 MByte pages, 8-way associative" }, ++ { 0x6d, TLB_DATA_1G, 16, " TLB_DATA 1 GByte pages, fully associative" }, + { 0x76, TLB_INST_2M_4M, 8, " TLB_INST 2-MByte or 4-MByte pages, fully associative" }, + { 0xb0, TLB_INST_4K, 128, " TLB_INST 4 KByte pages, 4-way set associative" }, + { 0xb1, TLB_INST_2M_4M, 4, " TLB_INST 2M pages, 4-way, 8 entries or 4M pages, 4-way entries" }, diff --git a/queue-4.16/x86-delay-skip-of-emulated-hypercall-instruction.patch b/queue-4.16/x86-delay-skip-of-emulated-hypercall-instruction.patch new file mode 100644 index 00000000000..26f08fc89d9 --- /dev/null +++ b/queue-4.16/x86-delay-skip-of-emulated-hypercall-instruction.patch @@ -0,0 +1,85 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Marian Rotariu +Date: Mon, 30 Apr 2018 12:23:01 +0300 +Subject: x86: Delay skip of emulated hypercall instruction + +From: Marian Rotariu + +[ Upstream commit 6356ee0c9602004e0a3b4b2dad68ee2ee9385b17 ] + +The IP increment should be done after the hypercall emulation, after +calling the various handlers. In this way, these handlers can accurately +identify the the IP of the VMCALL if they need it. + +This patch keeps the same functionality for the Hyper-V handler which does +not use the return code of the standard kvm_skip_emulated_instruction() +call. + +Signed-off-by: Marian Rotariu +[Hyper-V hypercalls also need kvm_skip_emulated_instruction() - Paolo] +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/hyperv.c | 2 +- + arch/x86/kvm/x86.c | 19 +++++++++++-------- + 2 files changed, 12 insertions(+), 9 deletions(-) + +--- a/arch/x86/kvm/hyperv.c ++++ b/arch/x86/kvm/hyperv.c +@@ -1223,7 +1223,7 @@ static int kvm_hv_hypercall_complete_use + struct kvm_run *run = vcpu->run; + + kvm_hv_hypercall_set_result(vcpu, run->hyperv.u.hcall.result); +- return 1; ++ return kvm_skip_emulated_instruction(vcpu); + } + + int kvm_hv_hypercall(struct kvm_vcpu *vcpu) +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -6553,12 +6553,13 @@ void kvm_vcpu_deactivate_apicv(struct kv + int kvm_emulate_hypercall(struct kvm_vcpu *vcpu) + { + unsigned long nr, a0, a1, a2, a3, ret; +- int op_64_bit, r; ++ int op_64_bit; + +- r = kvm_skip_emulated_instruction(vcpu); +- +- if (kvm_hv_hypercall_enabled(vcpu->kvm)) +- return kvm_hv_hypercall(vcpu); ++ if (kvm_hv_hypercall_enabled(vcpu->kvm)) { ++ if (!kvm_hv_hypercall(vcpu)) ++ return 0; ++ goto out; ++ } + + nr = kvm_register_read(vcpu, VCPU_REGS_RAX); + a0 = kvm_register_read(vcpu, VCPU_REGS_RBX); +@@ -6579,7 +6580,7 @@ int kvm_emulate_hypercall(struct kvm_vcp + + if (kvm_x86_ops->get_cpl(vcpu) != 0) { + ret = -KVM_EPERM; +- goto out; ++ goto out_error; + } + + switch (nr) { +@@ -6599,12 +6600,14 @@ int kvm_emulate_hypercall(struct kvm_vcp + ret = -KVM_ENOSYS; + break; + } +-out: ++out_error: + if (!op_64_bit) + ret = (u32)ret; + kvm_register_write(vcpu, VCPU_REGS_RAX, ret); ++ ++out: + ++vcpu->stat.hypercalls; +- return r; ++ return kvm_skip_emulated_instruction(vcpu); + } + EXPORT_SYMBOL_GPL(kvm_emulate_hypercall); + diff --git a/queue-4.16/x86-kvm-properly-update-tsc_offset-to-represent-the-running-guest.patch b/queue-4.16/x86-kvm-properly-update-tsc_offset-to-represent-the-running-guest.patch new file mode 100644 index 00000000000..2a6276b6cf9 --- /dev/null +++ b/queue-4.16/x86-kvm-properly-update-tsc_offset-to-represent-the-running-guest.patch @@ -0,0 +1,230 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: KarimAllah Ahmed +Date: Sat, 14 Apr 2018 05:10:52 +0200 +Subject: X86/KVM: Properly update 'tsc_offset' to represent the running guest + +From: KarimAllah Ahmed + +[ Upstream commit e79f245ddec17bbd89d73cd0169dba4be46c9b55 ] + +Update 'tsc_offset' on vmentry/vmexit of L2 guests to ensure that it always +captures the TSC_OFFSET of the running guest whether it is the L1 or L2 +guest. + +Cc: Paolo Bonzini +Cc: Radim Krčmář +Cc: kvm@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Reviewed-by: Jim Mattson +Suggested-by: Paolo Bonzini +Signed-off-by: KarimAllah Ahmed +[AMD changes, fix update_ia32_tsc_adjust_msr. - Paolo] +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/kvm_host.h | 1 + arch/x86/kvm/svm.c | 17 +++++++++++- + arch/x86/kvm/vmx.c | 54 +++++++++++++++++++++++++--------------- + arch/x86/kvm/x86.c | 6 ++-- + 4 files changed, 56 insertions(+), 22 deletions(-) + +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -1019,6 +1019,7 @@ struct kvm_x86_ops { + + bool (*has_wbinvd_exit)(void); + ++ u64 (*read_l1_tsc_offset)(struct kvm_vcpu *vcpu); + void (*write_tsc_offset)(struct kvm_vcpu *vcpu, u64 offset); + + void (*get_exit_info)(struct kvm_vcpu *vcpu, u64 *info1, u64 *info2); +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -1313,12 +1313,23 @@ static void init_sys_seg(struct vmcb_seg + seg->base = 0; + } + ++static u64 svm_read_l1_tsc_offset(struct kvm_vcpu *vcpu) ++{ ++ struct vcpu_svm *svm = to_svm(vcpu); ++ ++ if (is_guest_mode(vcpu)) ++ return svm->nested.hsave->control.tsc_offset; ++ ++ return vcpu->arch.tsc_offset; ++} ++ + static void svm_write_tsc_offset(struct kvm_vcpu *vcpu, u64 offset) + { + struct vcpu_svm *svm = to_svm(vcpu); + u64 g_tsc_offset = 0; + + if (is_guest_mode(vcpu)) { ++ /* Write L1's TSC offset. */ + g_tsc_offset = svm->vmcb->control.tsc_offset - + svm->nested.hsave->control.tsc_offset; + svm->nested.hsave->control.tsc_offset = offset; +@@ -3188,6 +3199,7 @@ static int nested_svm_vmexit(struct vcpu + /* Restore the original control entries */ + copy_vmcb_control_area(vmcb, hsave); + ++ svm->vcpu.arch.tsc_offset = svm->vmcb->control.tsc_offset; + kvm_clear_exception_queue(&svm->vcpu); + kvm_clear_interrupt_queue(&svm->vcpu); + +@@ -3348,10 +3360,12 @@ static void enter_svm_guest_mode(struct + /* We don't want to see VMMCALLs from a nested guest */ + clr_intercept(svm, INTERCEPT_VMMCALL); + ++ svm->vcpu.arch.tsc_offset += nested_vmcb->control.tsc_offset; ++ svm->vmcb->control.tsc_offset = svm->vcpu.arch.tsc_offset; ++ + svm->vmcb->control.virt_ext = nested_vmcb->control.virt_ext; + svm->vmcb->control.int_vector = nested_vmcb->control.int_vector; + svm->vmcb->control.int_state = nested_vmcb->control.int_state; +- svm->vmcb->control.tsc_offset += nested_vmcb->control.tsc_offset; + svm->vmcb->control.event_inj = nested_vmcb->control.event_inj; + svm->vmcb->control.event_inj_err = nested_vmcb->control.event_inj_err; + +@@ -6966,6 +6980,7 @@ static struct kvm_x86_ops svm_x86_ops __ + + .has_wbinvd_exit = svm_has_wbinvd_exit, + ++ .read_l1_tsc_offset = svm_read_l1_tsc_offset, + .write_tsc_offset = svm_write_tsc_offset, + + .set_tdp_cr3 = set_tdp_cr3, +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -2638,6 +2638,17 @@ static void setup_msrs(struct vcpu_vmx * + vmx_update_msr_bitmap(&vmx->vcpu); + } + ++static u64 vmx_read_l1_tsc_offset(struct kvm_vcpu *vcpu) ++{ ++ struct vmcs12 *vmcs12 = get_vmcs12(vcpu); ++ ++ if (is_guest_mode(vcpu) && ++ (vmcs12->cpu_based_vm_exec_control & CPU_BASED_USE_TSC_OFFSETING)) ++ return vcpu->arch.tsc_offset - vmcs12->tsc_offset; ++ ++ return vcpu->arch.tsc_offset; ++} ++ + /* + * reads and returns guest's timestamp counter "register" + * guest_tsc = (host_tsc * tsc multiplier) >> 48 + tsc_offset +@@ -10916,11 +10927,8 @@ static int prepare_vmcs02(struct kvm_vcp + vmcs_write64(GUEST_IA32_PAT, vmx->vcpu.arch.pat); + } + +- if (vmcs12->cpu_based_vm_exec_control & CPU_BASED_USE_TSC_OFFSETING) +- vmcs_write64(TSC_OFFSET, +- vcpu->arch.tsc_offset + vmcs12->tsc_offset); +- else +- vmcs_write64(TSC_OFFSET, vcpu->arch.tsc_offset); ++ vmcs_write64(TSC_OFFSET, vcpu->arch.tsc_offset); ++ + if (kvm_has_tsc_control) + decache_tsc_multiplier(vmx); + +@@ -11137,6 +11145,7 @@ static int enter_vmx_non_root_mode(struc + struct vmcs12 *vmcs12 = get_vmcs12(vcpu); + u32 msr_entry_idx; + u32 exit_qual; ++ int r; + + enter_guest_mode(vcpu); + +@@ -11146,26 +11155,21 @@ static int enter_vmx_non_root_mode(struc + vmx_switch_vmcs(vcpu, &vmx->nested.vmcs02); + vmx_segment_cache_clear(vmx); + +- if (prepare_vmcs02(vcpu, vmcs12, from_vmentry, &exit_qual)) { +- leave_guest_mode(vcpu); +- vmx_switch_vmcs(vcpu, &vmx->vmcs01); +- nested_vmx_entry_failure(vcpu, vmcs12, +- EXIT_REASON_INVALID_STATE, exit_qual); +- return 1; +- } ++ if (vmcs12->cpu_based_vm_exec_control & CPU_BASED_USE_TSC_OFFSETING) ++ vcpu->arch.tsc_offset += vmcs12->tsc_offset; ++ ++ r = EXIT_REASON_INVALID_STATE; ++ if (prepare_vmcs02(vcpu, vmcs12, from_vmentry, &exit_qual)) ++ goto fail; + + nested_get_vmcs12_pages(vcpu, vmcs12); + ++ r = EXIT_REASON_MSR_LOAD_FAIL; + msr_entry_idx = nested_vmx_load_msr(vcpu, + vmcs12->vm_entry_msr_load_addr, + vmcs12->vm_entry_msr_load_count); +- if (msr_entry_idx) { +- leave_guest_mode(vcpu); +- vmx_switch_vmcs(vcpu, &vmx->vmcs01); +- nested_vmx_entry_failure(vcpu, vmcs12, +- EXIT_REASON_MSR_LOAD_FAIL, msr_entry_idx); +- return 1; +- } ++ if (msr_entry_idx) ++ goto fail; + + /* + * Note no nested_vmx_succeed or nested_vmx_fail here. At this point +@@ -11174,6 +11178,14 @@ static int enter_vmx_non_root_mode(struc + * the success flag) when L2 exits (see nested_vmx_vmexit()). + */ + return 0; ++ ++fail: ++ if (vmcs12->cpu_based_vm_exec_control & CPU_BASED_USE_TSC_OFFSETING) ++ vcpu->arch.tsc_offset -= vmcs12->tsc_offset; ++ leave_guest_mode(vcpu); ++ vmx_switch_vmcs(vcpu, &vmx->vmcs01); ++ nested_vmx_entry_failure(vcpu, vmcs12, r, exit_qual); ++ return 1; + } + + /* +@@ -11745,6 +11757,9 @@ static void nested_vmx_vmexit(struct kvm + + leave_guest_mode(vcpu); + ++ if (vmcs12->cpu_based_vm_exec_control & CPU_BASED_USE_TSC_OFFSETING) ++ vcpu->arch.tsc_offset -= vmcs12->tsc_offset; ++ + if (likely(!vmx->fail)) { + if (exit_reason == -1) + sync_vmcs12(vcpu, vmcs12); +@@ -12423,6 +12438,7 @@ static struct kvm_x86_ops vmx_x86_ops __ + + .has_wbinvd_exit = cpu_has_vmx_wbinvd_exit, + ++ .read_l1_tsc_offset = vmx_read_l1_tsc_offset, + .write_tsc_offset = vmx_write_tsc_offset, + + .set_tdp_cr3 = vmx_set_cr3, +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -1459,7 +1459,7 @@ static void kvm_track_tsc_matching(struc + + static void update_ia32_tsc_adjust_msr(struct kvm_vcpu *vcpu, s64 offset) + { +- u64 curr_offset = vcpu->arch.tsc_offset; ++ u64 curr_offset = kvm_x86_ops->read_l1_tsc_offset(vcpu); + vcpu->arch.ia32_tsc_adjust_msr += offset - curr_offset; + } + +@@ -1501,7 +1501,9 @@ static u64 kvm_compute_tsc_offset(struct + + u64 kvm_read_l1_tsc(struct kvm_vcpu *vcpu, u64 host_tsc) + { +- return vcpu->arch.tsc_offset + kvm_scale_tsc(vcpu, host_tsc); ++ u64 tsc_offset = kvm_x86_ops->read_l1_tsc_offset(vcpu); ++ ++ return tsc_offset + kvm_scale_tsc(vcpu, host_tsc); + } + EXPORT_SYMBOL_GPL(kvm_read_l1_tsc); + diff --git a/queue-4.16/x86-mpx-selftests-adjust-the-self-test-to-fresh-distros-that-export-the-mpx-abi.patch b/queue-4.16/x86-mpx-selftests-adjust-the-self-test-to-fresh-distros-that-export-the-mpx-abi.patch new file mode 100644 index 00000000000..5f69dc1f7d6 --- /dev/null +++ b/queue-4.16/x86-mpx-selftests-adjust-the-self-test-to-fresh-distros-that-export-the-mpx-abi.patch @@ -0,0 +1,55 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Ingo Molnar +Date: Mon, 14 May 2018 10:59:08 +0200 +Subject: x86/mpx/selftests: Adjust the self-test to fresh distros that export the MPX ABI + +From: Ingo Molnar + +[ Upstream commit 73bb4d6cd192b8629c5125aaada9892d9fc986b6 ] + +Fix this warning: + + mpx-mini-test.c:422:0: warning: "SEGV_BNDERR" redefined + +Cc: Dave Hansen +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: akpm@linux-foundation.org +Cc: dave.hansen@intel.com +Cc: linux-mm@kvack.org +Cc: linuxram@us.ibm.com +Cc: mpe@ellerman.id.au +Cc: shakeelb@google.com +Cc: shuah@kernel.org +Link: http://lkml.kernel.org/r/20180514085908.GA12798@gmail.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/x86/mpx-mini-test.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/tools/testing/selftests/x86/mpx-mini-test.c ++++ b/tools/testing/selftests/x86/mpx-mini-test.c +@@ -368,6 +368,11 @@ static int expected_bnd_index = -1; + uint64_t shadow_plb[NR_MPX_BOUNDS_REGISTERS][2]; /* shadow MPX bound registers */ + unsigned long shadow_map[NR_MPX_BOUNDS_REGISTERS]; + ++/* Failed address bound checks: */ ++#ifndef SEGV_BNDERR ++# define SEGV_BNDERR 3 ++#endif ++ + /* + * The kernel is supposed to provide some information about the bounds + * exception in the siginfo. It should match what we have in the bounds +@@ -419,8 +424,6 @@ void handler(int signum, siginfo_t *si, + br_count++; + dprintf1("#BR 0x%jx (total seen: %d)\n", status, br_count); + +-#define SEGV_BNDERR 3 /* failed address bound checks */ +- + dprintf2("Saw a #BR! status 0x%jx at %016lx br_reason: %jx\n", + status, ip, br_reason); + dprintf2("si_signo: %d\n", si->si_signo); diff --git a/queue-4.16/x86-pkeys-selftests-add-a-test-for-pkey-0.patch b/queue-4.16/x86-pkeys-selftests-add-a-test-for-pkey-0.patch new file mode 100644 index 00000000000..69a425ef7c1 --- /dev/null +++ b/queue-4.16/x86-pkeys-selftests-add-a-test-for-pkey-0.patch @@ -0,0 +1,79 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Dave Hansen +Date: Wed, 9 May 2018 10:13:56 -0700 +Subject: x86/pkeys/selftests: Add a test for pkey 0 + +From: Dave Hansen + +[ Upstream commit 3488a600d90bcaf061b104dbcfbdc8d99b398312 ] + +Protection key 0 is the default key for all memory and will +not normally come back from pkey_alloc(). But, you might +still want pass it to mprotect_pkey(). + +This check ensures that you can use pkey 0. + +Signed-off-by: Dave Hansen +Cc: Andrew Morton +Cc: Dave Hansen +Cc: Linus Torvalds +Cc: Michael Ellermen +Cc: Peter Zijlstra +Cc: Ram Pai +Cc: Shuah Khan +Cc: Thomas Gleixner +Cc: linux-mm@kvack.org +Link: http://lkml.kernel.org/r/20180509171356.9E40B254@viggo.jf.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/x86/protection_keys.c | 30 ++++++++++++++++++++++++++ + 1 file changed, 30 insertions(+) + +--- a/tools/testing/selftests/x86/protection_keys.c ++++ b/tools/testing/selftests/x86/protection_keys.c +@@ -1184,6 +1184,35 @@ void test_pkey_alloc_exhaust(int *ptr, u + } + } + ++/* ++ * pkey 0 is special. It is allocated by default, so you do not ++ * have to call pkey_alloc() to use it first. Make sure that it ++ * is usable. ++ */ ++void test_mprotect_with_pkey_0(int *ptr, u16 pkey) ++{ ++ long size; ++ int prot; ++ ++ assert(pkey_last_malloc_record); ++ size = pkey_last_malloc_record->size; ++ /* ++ * This is a bit of a hack. But mprotect() requires ++ * huge-page-aligned sizes when operating on hugetlbfs. ++ * So, make sure that we use something that's a multiple ++ * of a huge page when we can. ++ */ ++ if (size >= HPAGE_SIZE) ++ size = HPAGE_SIZE; ++ prot = pkey_last_malloc_record->prot; ++ ++ /* Use pkey 0 */ ++ mprotect_pkey(ptr, size, prot, 0); ++ ++ /* Make sure that we can set it back to the original pkey. */ ++ mprotect_pkey(ptr, size, prot, pkey); ++} ++ + void test_ptrace_of_child(int *ptr, u16 pkey) + { + __attribute__((__unused__)) int peek_result; +@@ -1378,6 +1407,7 @@ void (*pkey_tests[])(int *ptr, u16 pkey) + test_kernel_gup_write_to_write_disabled_region, + test_executing_on_unreadable_memory, + test_implicit_mprotect_exec_only_memory, ++ test_mprotect_with_pkey_0, + test_ptrace_of_child, + test_pkey_syscalls_on_non_allocated_pkey, + test_pkey_syscalls_bad_args, diff --git a/queue-4.16/x86-pkeys-selftests-add-prot_exec-test.patch b/queue-4.16/x86-pkeys-selftests-add-prot_exec-test.patch new file mode 100644 index 00000000000..707c3fa1af1 --- /dev/null +++ b/queue-4.16/x86-pkeys-selftests-add-prot_exec-test.patch @@ -0,0 +1,92 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Dave Hansen +Date: Wed, 9 May 2018 10:13:48 -0700 +Subject: x86/pkeys/selftests: Add PROT_EXEC test + +From: Dave Hansen + +[ Upstream commit 6af17cf89e99b64cf1f660bf848755442ab2f047 ] + +Under the covers, implement executable-only memory with +protection keys when userspace calls mprotect(PROT_EXEC). + +But, we did not have a selftest for that. Now we do. + +Signed-off-by: Dave Hansen +Cc: Andrew Morton +Cc: Dave Hansen +Cc: Linus Torvalds +Cc: Michael Ellermen +Cc: Peter Zijlstra +Cc: Ram Pai +Cc: Shuah Khan +Cc: Thomas Gleixner +Cc: linux-mm@kvack.org +Link: http://lkml.kernel.org/r/20180509171348.9EEE4BEF@viggo.jf.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/x86/protection_keys.c | 44 ++++++++++++++++++++++++++ + 1 file changed, 44 insertions(+) + +--- a/tools/testing/selftests/x86/protection_keys.c ++++ b/tools/testing/selftests/x86/protection_keys.c +@@ -1303,6 +1303,49 @@ void test_executing_on_unreadable_memory + expected_pk_fault(pkey); + } + ++void test_implicit_mprotect_exec_only_memory(int *ptr, u16 pkey) ++{ ++ void *p1; ++ int scratch; ++ int ptr_contents; ++ int ret; ++ ++ dprintf1("%s() start\n", __func__); ++ ++ p1 = get_pointer_to_instructions(); ++ lots_o_noops_around_write(&scratch); ++ ptr_contents = read_ptr(p1); ++ dprintf2("ptr (%p) contents@%d: %x\n", p1, __LINE__, ptr_contents); ++ ++ /* Use a *normal* mprotect(), not mprotect_pkey(): */ ++ ret = mprotect(p1, PAGE_SIZE, PROT_EXEC); ++ pkey_assert(!ret); ++ ++ dprintf2("pkru: %x\n", rdpkru()); ++ ++ /* Make sure this is an *instruction* fault */ ++ madvise(p1, PAGE_SIZE, MADV_DONTNEED); ++ lots_o_noops_around_write(&scratch); ++ do_not_expect_pk_fault("executing on PROT_EXEC memory"); ++ ptr_contents = read_ptr(p1); ++ dprintf2("ptr (%p) contents@%d: %x\n", p1, __LINE__, ptr_contents); ++ expected_pk_fault(UNKNOWN_PKEY); ++ ++ /* ++ * Put the memory back to non-PROT_EXEC. Should clear the ++ * exec-only pkey off the VMA and allow it to be readable ++ * again. Go to PROT_NONE first to check for a kernel bug ++ * that did not clear the pkey when doing PROT_NONE. ++ */ ++ ret = mprotect(p1, PAGE_SIZE, PROT_NONE); ++ pkey_assert(!ret); ++ ++ ret = mprotect(p1, PAGE_SIZE, PROT_READ|PROT_EXEC); ++ pkey_assert(!ret); ++ ptr_contents = read_ptr(p1); ++ do_not_expect_pk_fault("plain read on recently PROT_EXEC area"); ++} ++ + void test_mprotect_pkey_on_unsupported_cpu(int *ptr, u16 pkey) + { + int size = PAGE_SIZE; +@@ -1327,6 +1370,7 @@ void (*pkey_tests[])(int *ptr, u16 pkey) + test_kernel_gup_of_access_disabled_region, + test_kernel_gup_write_to_write_disabled_region, + test_executing_on_unreadable_memory, ++ test_implicit_mprotect_exec_only_memory, + test_ptrace_of_child, + test_pkey_syscalls_on_non_allocated_pkey, + test_pkey_syscalls_bad_args, diff --git a/queue-4.16/x86-pkeys-selftests-adjust-the-self-test-to-fresh-distros-that-export-the-pkeys-abi.patch b/queue-4.16/x86-pkeys-selftests-adjust-the-self-test-to-fresh-distros-that-export-the-pkeys-abi.patch new file mode 100644 index 00000000000..8f4c199c675 --- /dev/null +++ b/queue-4.16/x86-pkeys-selftests-adjust-the-self-test-to-fresh-distros-that-export-the-pkeys-abi.patch @@ -0,0 +1,187 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Ingo Molnar +Date: Mon, 14 May 2018 10:56:23 +0200 +Subject: x86/pkeys/selftests: Adjust the self-test to fresh distros that export the pkeys ABI + +From: Ingo Molnar + +[ Upstream commit 0fb96620dce351608aa82eed5942e2f58b07beda ] + +Ubuntu 18.04 started exporting pkeys details in header files, resulting +in build failures and warnings in the pkeys self-tests: + + protection_keys.c:232:0: warning: "SEGV_BNDERR" redefined + protection_keys.c:387:5: error: conflicting types for ‘pkey_get’ + protection_keys.c:409:5: error: conflicting types for ‘pkey_set’ + ... + +Fix these namespace conflicts and double definitions, plus also +clean up the ABI definitions to make it all a bit more readable ... + +Cc: Dave Hansen +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: akpm@linux-foundation.org +Cc: dave.hansen@intel.com +Cc: linux-mm@kvack.org +Cc: linuxram@us.ibm.com +Cc: mpe@ellerman.id.au +Cc: shakeelb@google.com +Cc: shuah@kernel.org +Link: http://lkml.kernel.org/r/20180514085623.GB7094@gmail.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/x86/protection_keys.c | 67 +++++++++++++++----------- + 1 file changed, 41 insertions(+), 26 deletions(-) + +--- a/tools/testing/selftests/x86/protection_keys.c ++++ b/tools/testing/selftests/x86/protection_keys.c +@@ -191,26 +191,30 @@ void lots_o_noops_around_write(int *writ + #ifdef __i386__ + + #ifndef SYS_mprotect_key +-# define SYS_mprotect_key 380 ++# define SYS_mprotect_key 380 + #endif ++ + #ifndef SYS_pkey_alloc +-# define SYS_pkey_alloc 381 +-# define SYS_pkey_free 382 ++# define SYS_pkey_alloc 381 ++# define SYS_pkey_free 382 + #endif +-#define REG_IP_IDX REG_EIP +-#define si_pkey_offset 0x14 ++ ++#define REG_IP_IDX REG_EIP ++#define si_pkey_offset 0x14 + + #else + + #ifndef SYS_mprotect_key +-# define SYS_mprotect_key 329 ++# define SYS_mprotect_key 329 + #endif ++ + #ifndef SYS_pkey_alloc +-# define SYS_pkey_alloc 330 +-# define SYS_pkey_free 331 ++# define SYS_pkey_alloc 330 ++# define SYS_pkey_free 331 + #endif +-#define REG_IP_IDX REG_RIP +-#define si_pkey_offset 0x20 ++ ++#define REG_IP_IDX REG_RIP ++#define si_pkey_offset 0x20 + + #endif + +@@ -225,8 +229,14 @@ void dump_mem(void *dumpme, int len_byte + } + } + +-#define SEGV_BNDERR 3 /* failed address bound checks */ +-#define SEGV_PKUERR 4 ++/* Failed address bound checks: */ ++#ifndef SEGV_BNDERR ++# define SEGV_BNDERR 3 ++#endif ++ ++#ifndef SEGV_PKUERR ++# define SEGV_PKUERR 4 ++#endif + + static char *si_code_str(int si_code) + { +@@ -393,10 +403,15 @@ pid_t fork_lazy_child(void) + return forkret; + } + +-#define PKEY_DISABLE_ACCESS 0x1 +-#define PKEY_DISABLE_WRITE 0x2 ++#ifndef PKEY_DISABLE_ACCESS ++# define PKEY_DISABLE_ACCESS 0x1 ++#endif ++ ++#ifndef PKEY_DISABLE_WRITE ++# define PKEY_DISABLE_WRITE 0x2 ++#endif + +-u32 pkey_get(int pkey, unsigned long flags) ++static u32 hw_pkey_get(int pkey, unsigned long flags) + { + u32 mask = (PKEY_DISABLE_ACCESS|PKEY_DISABLE_WRITE); + u32 pkru = __rdpkru(); +@@ -418,7 +433,7 @@ u32 pkey_get(int pkey, unsigned long fla + return masked_pkru; + } + +-int pkey_set(int pkey, unsigned long rights, unsigned long flags) ++static int hw_pkey_set(int pkey, unsigned long rights, unsigned long flags) + { + u32 mask = (PKEY_DISABLE_ACCESS|PKEY_DISABLE_WRITE); + u32 old_pkru = __rdpkru(); +@@ -452,15 +467,15 @@ void pkey_disable_set(int pkey, int flag + pkey, flags); + pkey_assert(flags & (PKEY_DISABLE_ACCESS | PKEY_DISABLE_WRITE)); + +- pkey_rights = pkey_get(pkey, syscall_flags); ++ pkey_rights = hw_pkey_get(pkey, syscall_flags); + +- dprintf1("%s(%d) pkey_get(%d): %x\n", __func__, ++ dprintf1("%s(%d) hw_pkey_get(%d): %x\n", __func__, + pkey, pkey, pkey_rights); + pkey_assert(pkey_rights >= 0); + + pkey_rights |= flags; + +- ret = pkey_set(pkey, pkey_rights, syscall_flags); ++ ret = hw_pkey_set(pkey, pkey_rights, syscall_flags); + assert(!ret); + /*pkru and flags have the same format */ + shadow_pkru |= flags << (pkey * 2); +@@ -468,8 +483,8 @@ void pkey_disable_set(int pkey, int flag + + pkey_assert(ret >= 0); + +- pkey_rights = pkey_get(pkey, syscall_flags); +- dprintf1("%s(%d) pkey_get(%d): %x\n", __func__, ++ pkey_rights = hw_pkey_get(pkey, syscall_flags); ++ dprintf1("%s(%d) hw_pkey_get(%d): %x\n", __func__, + pkey, pkey, pkey_rights); + + dprintf1("%s(%d) pkru: 0x%x\n", __func__, pkey, rdpkru()); +@@ -483,24 +498,24 @@ void pkey_disable_clear(int pkey, int fl + { + unsigned long syscall_flags = 0; + int ret; +- int pkey_rights = pkey_get(pkey, syscall_flags); ++ int pkey_rights = hw_pkey_get(pkey, syscall_flags); + u32 orig_pkru = rdpkru(); + + pkey_assert(flags & (PKEY_DISABLE_ACCESS | PKEY_DISABLE_WRITE)); + +- dprintf1("%s(%d) pkey_get(%d): %x\n", __func__, ++ dprintf1("%s(%d) hw_pkey_get(%d): %x\n", __func__, + pkey, pkey, pkey_rights); + pkey_assert(pkey_rights >= 0); + + pkey_rights |= flags; + +- ret = pkey_set(pkey, pkey_rights, 0); ++ ret = hw_pkey_set(pkey, pkey_rights, 0); + /* pkru and flags have the same format */ + shadow_pkru &= ~(flags << (pkey * 2)); + pkey_assert(ret >= 0); + +- pkey_rights = pkey_get(pkey, syscall_flags); +- dprintf1("%s(%d) pkey_get(%d): %x\n", __func__, ++ pkey_rights = hw_pkey_get(pkey, syscall_flags); ++ dprintf1("%s(%d) hw_pkey_get(%d): %x\n", __func__, + pkey, pkey, pkey_rights); + + dprintf1("%s(%d) pkru: 0x%x\n", __func__, pkey, rdpkru()); diff --git a/queue-4.16/x86-pkeys-selftests-allow-faults-on-unknown-keys.patch b/queue-4.16/x86-pkeys-selftests-allow-faults-on-unknown-keys.patch new file mode 100644 index 00000000000..715ca1c5c50 --- /dev/null +++ b/queue-4.16/x86-pkeys-selftests-allow-faults-on-unknown-keys.patch @@ -0,0 +1,56 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Dave Hansen +Date: Wed, 9 May 2018 10:13:46 -0700 +Subject: x86/pkeys/selftests: Allow faults on unknown keys + +From: Dave Hansen + +[ Upstream commit 7e7fd67ca39335a49619729821efb7cbdd674eb0 ] + +The exec-only pkey is allocated inside the kernel and userspace +is not told what it is. So, allow PK faults to occur that have +an unknown key. + +Signed-off-by: Dave Hansen +Cc: Andrew Morton +Cc: Dave Hansen +Cc: Linus Torvalds +Cc: Michael Ellermen +Cc: Peter Zijlstra +Cc: Ram Pai +Cc: Shuah Khan +Cc: Thomas Gleixner +Cc: linux-mm@kvack.org +Link: http://lkml.kernel.org/r/20180509171345.7FC7DA00@viggo.jf.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/x86/protection_keys.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/tools/testing/selftests/x86/protection_keys.c ++++ b/tools/testing/selftests/x86/protection_keys.c +@@ -921,13 +921,21 @@ void *malloc_pkey(long size, int prot, u + } + + int last_pkru_faults; ++#define UNKNOWN_PKEY -2 + void expected_pk_fault(int pkey) + { + dprintf2("%s(): last_pkru_faults: %d pkru_faults: %d\n", + __func__, last_pkru_faults, pkru_faults); + dprintf2("%s(%d): last_si_pkey: %d\n", __func__, pkey, last_si_pkey); + pkey_assert(last_pkru_faults + 1 == pkru_faults); +- pkey_assert(last_si_pkey == pkey); ++ ++ /* ++ * For exec-only memory, we do not know the pkey in ++ * advance, so skip this check. ++ */ ++ if (pkey != UNKNOWN_PKEY) ++ pkey_assert(last_si_pkey == pkey); ++ + /* + * The signal handler shold have cleared out PKRU to let the + * test program continue. We now have to restore it. diff --git a/queue-4.16/x86-pkeys-selftests-avoid-printf-in-signal-deadlocks.patch b/queue-4.16/x86-pkeys-selftests-avoid-printf-in-signal-deadlocks.patch new file mode 100644 index 00000000000..7a349847876 --- /dev/null +++ b/queue-4.16/x86-pkeys-selftests-avoid-printf-in-signal-deadlocks.patch @@ -0,0 +1,73 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Dave Hansen +Date: Wed, 9 May 2018 10:13:44 -0700 +Subject: x86/pkeys/selftests: Avoid printf-in-signal deadlocks + +From: Dave Hansen + +[ Upstream commit caf9eb6b4c82fc6cbd03697052ff22d97b0c377b ] + +printf() and friends are unusable in signal handlers. They deadlock. +The pkey selftest does not do any normal printing in signal handlers, +only extra debugging. So, just print the format string so we get +*some* output when debugging. + +Signed-off-by: Dave Hansen +Cc: Andrew Morton +Cc: Dave Hansen +Cc: Linus Torvalds +Cc: Michael Ellermen +Cc: Peter Zijlstra +Cc: Ram Pai +Cc: Shuah Khan +Cc: Thomas Gleixner +Cc: linux-mm@kvack.org +Link: http://lkml.kernel.org/r/20180509171344.C53FD2F3@viggo.jf.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/x86/pkey-helpers.h | 20 ++++++++------------ + 1 file changed, 8 insertions(+), 12 deletions(-) + +--- a/tools/testing/selftests/x86/pkey-helpers.h ++++ b/tools/testing/selftests/x86/pkey-helpers.h +@@ -26,30 +26,26 @@ static inline void sigsafe_printf(const + { + va_list ap; + +- va_start(ap, format); + if (!dprint_in_signal) { ++ va_start(ap, format); + vprintf(format, ap); ++ va_end(ap); + } else { + int ret; +- int len = vsnprintf(dprint_in_signal_buffer, +- DPRINT_IN_SIGNAL_BUF_SIZE, +- format, ap); + /* +- * len is amount that would have been printed, +- * but actual write is truncated at BUF_SIZE. ++ * No printf() functions are signal-safe. ++ * They deadlock easily. Write the format ++ * string to get some output, even if ++ * incomplete. + */ +- if (len > DPRINT_IN_SIGNAL_BUF_SIZE) +- len = DPRINT_IN_SIGNAL_BUF_SIZE; +- ret = write(1, dprint_in_signal_buffer, len); ++ ret = write(1, format, strlen(format)); + if (ret < 0) +- abort(); ++ exit(1); + } +- va_end(ap); + } + #define dprintf_level(level, args...) do { \ + if (level <= DEBUG_LEVEL) \ + sigsafe_printf(args); \ +- fflush(NULL); \ + } while (0) + #define dprintf0(args...) dprintf_level(0, args) + #define dprintf1(args...) dprintf_level(1, args) diff --git a/queue-4.16/x86-pkeys-selftests-factor-out-instruction-page.patch b/queue-4.16/x86-pkeys-selftests-factor-out-instruction-page.patch new file mode 100644 index 00000000000..df6e7aff597 --- /dev/null +++ b/queue-4.16/x86-pkeys-selftests-factor-out-instruction-page.patch @@ -0,0 +1,72 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Dave Hansen +Date: Wed, 9 May 2018 10:13:47 -0700 +Subject: x86/pkeys/selftests: Factor out "instruction page" + +From: Dave Hansen + +[ Upstream commit 3fcd2b2d928904cbf30b01e2c5e4f1dd2f9ab262 ] + +We currently have an execute-only test, but it is for +the explicit mprotect_pkey() interface. We will soon +add a test for the implicit mprotect(PROT_EXEC) +enterface. We need this code in both tests. + +Signed-off-by: Dave Hansen +Cc: Andrew Morton +Cc: Dave Hansen +Cc: Linus Torvalds +Cc: Michael Ellermen +Cc: Peter Zijlstra +Cc: Ram Pai +Cc: Shuah Khan +Cc: Thomas Gleixner +Cc: linux-mm@kvack.org +Link: http://lkml.kernel.org/r/20180509171347.C64AB733@viggo.jf.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/x86/protection_keys.c | 21 +++++++++++++++++---- + 1 file changed, 17 insertions(+), 4 deletions(-) + +--- a/tools/testing/selftests/x86/protection_keys.c ++++ b/tools/testing/selftests/x86/protection_keys.c +@@ -1253,12 +1253,9 @@ void test_ptrace_of_child(int *ptr, u16 + free(plain_ptr_unaligned); + } + +-void test_executing_on_unreadable_memory(int *ptr, u16 pkey) ++void *get_pointer_to_instructions(void) + { + void *p1; +- int scratch; +- int ptr_contents; +- int ret; + + p1 = ALIGN_PTR_UP(&lots_o_noops_around_write, PAGE_SIZE); + dprintf3("&lots_o_noops: %p\n", &lots_o_noops_around_write); +@@ -1268,7 +1265,23 @@ void test_executing_on_unreadable_memory + /* Point 'p1' at the *second* page of the function: */ + p1 += PAGE_SIZE; + ++ /* ++ * Try to ensure we fault this in on next touch to ensure ++ * we get an instruction fault as opposed to a data one ++ */ + madvise(p1, PAGE_SIZE, MADV_DONTNEED); ++ ++ return p1; ++} ++ ++void test_executing_on_unreadable_memory(int *ptr, u16 pkey) ++{ ++ void *p1; ++ int scratch; ++ int ptr_contents; ++ int ret; ++ ++ p1 = get_pointer_to_instructions(); + lots_o_noops_around_write(&scratch); + ptr_contents = read_ptr(p1); + dprintf2("ptr (%p) contents@%d: %x\n", p1, __LINE__, ptr_contents); diff --git a/queue-4.16/x86-pkeys-selftests-fix-pkey-exhaustion-test-off-by-one.patch b/queue-4.16/x86-pkeys-selftests-fix-pkey-exhaustion-test-off-by-one.patch new file mode 100644 index 00000000000..38eaa91d92a --- /dev/null +++ b/queue-4.16/x86-pkeys-selftests-fix-pkey-exhaustion-test-off-by-one.patch @@ -0,0 +1,60 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Dave Hansen +Date: Wed, 9 May 2018 10:13:50 -0700 +Subject: x86/pkeys/selftests: Fix pkey exhaustion test off-by-one + +From: Dave Hansen + +[ Upstream commit f50b4878329ab61d8e05796f655adeb6f5fb57c6 ] + +In our "exhaust all pkeys" test, we make sure that there +is the expected number available. Turns out that the +test did not cover the execute-only key, but discussed +it anyway. It did *not* discuss the test-allocated +key. + +Now that we have a test for the mprotect(PROT_EXEC) case, +this off-by-one issue showed itself. Correct the off-by- +one and add the explanation for the case we missed. + +Signed-off-by: Dave Hansen +Cc: Andrew Morton +Cc: Dave Hansen +Cc: Linus Torvalds +Cc: Michael Ellermen +Cc: Peter Zijlstra +Cc: Ram Pai +Cc: Shuah Khan +Cc: Thomas Gleixner +Cc: linux-mm@kvack.org +Link: http://lkml.kernel.org/r/20180509171350.E1656B95@viggo.jf.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/x86/protection_keys.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/tools/testing/selftests/x86/protection_keys.c ++++ b/tools/testing/selftests/x86/protection_keys.c +@@ -1163,12 +1163,15 @@ void test_pkey_alloc_exhaust(int *ptr, u + pkey_assert(i < NR_PKEYS*2); + + /* +- * There are 16 pkeys supported in hardware. One is taken +- * up for the default (0) and another can be taken up by +- * an execute-only mapping. Ensure that we can allocate +- * at least 14 (16-2). ++ * There are 16 pkeys supported in hardware. Three are ++ * allocated by the time we get here: ++ * 1. The default key (0) ++ * 2. One possibly consumed by an execute-only mapping. ++ * 3. One allocated by the test code and passed in via ++ * 'pkey' to this function. ++ * Ensure that we can allocate at least another 13 (16-3). + */ +- pkey_assert(i >= NR_PKEYS-2); ++ pkey_assert(i >= NR_PKEYS-3); + + for (i = 0; i < nr_allocated_pkeys; i++) { + err = sys_pkey_free(allocated_pkeys[i]); diff --git a/queue-4.16/x86-pkeys-selftests-fix-pointer-math.patch b/queue-4.16/x86-pkeys-selftests-fix-pointer-math.patch new file mode 100644 index 00000000000..127fc86c7f9 --- /dev/null +++ b/queue-4.16/x86-pkeys-selftests-fix-pointer-math.patch @@ -0,0 +1,67 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Dave Hansen +Date: Wed, 9 May 2018 10:13:52 -0700 +Subject: x86/pkeys/selftests: Fix pointer math + +From: Dave Hansen + +[ Upstream commit 3d64f4ed15c3c53dba4c514bf59c334464dee373 ] + +We dump out the entire area of the siginfo where the si_pkey_ptr is +supposed to be. But, we do some math on the poitner, which is a u32. +We intended to do byte math, not u32 math on the pointer. + +Cast it over to a u8* so it works. + +Also, move this block of code to below th si_code check. It doesn't +hurt anything, but the si_pkey field is gibberish for other signal +types. + +Signed-off-by: Dave Hansen +Cc: Andrew Morton +Cc: Dave Hansen +Cc: Linus Torvalds +Cc: Michael Ellermen +Cc: Peter Zijlstra +Cc: Ram Pai +Cc: Shuah Khan +Cc: Thomas Gleixner +Cc: linux-mm@kvack.org +Link: http://lkml.kernel.org/r/20180509171352.9BE09819@viggo.jf.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/x86/protection_keys.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/tools/testing/selftests/x86/protection_keys.c ++++ b/tools/testing/selftests/x86/protection_keys.c +@@ -303,13 +303,6 @@ void signal_handler(int signum, siginfo_ + dump_mem(pkru_ptr - 128, 256); + pkey_assert(*pkru_ptr); + +- si_pkey_ptr = (u32 *)(((u8 *)si) + si_pkey_offset); +- dprintf1("si_pkey_ptr: %p\n", si_pkey_ptr); +- dump_mem(si_pkey_ptr - 8, 24); +- siginfo_pkey = *si_pkey_ptr; +- pkey_assert(siginfo_pkey < NR_PKEYS); +- last_si_pkey = siginfo_pkey; +- + if ((si->si_code == SEGV_MAPERR) || + (si->si_code == SEGV_ACCERR) || + (si->si_code == SEGV_BNDERR)) { +@@ -317,6 +310,13 @@ void signal_handler(int signum, siginfo_ + exit(4); + } + ++ si_pkey_ptr = (u32 *)(((u8 *)si) + si_pkey_offset); ++ dprintf1("si_pkey_ptr: %p\n", si_pkey_ptr); ++ dump_mem((u8 *)si_pkey_ptr - 8, 24); ++ siginfo_pkey = *si_pkey_ptr; ++ pkey_assert(siginfo_pkey < NR_PKEYS); ++ last_si_pkey = siginfo_pkey; ++ + dprintf1("signal pkru from xsave: %08x\n", *pkru_ptr); + /* need __rdpkru() version so we do not do shadow_pkru checking */ + dprintf1("signal pkru from pkru: %08x\n", __rdpkru()); diff --git a/queue-4.16/x86-pkeys-selftests-give-better-unexpected-fault-error-messages.patch b/queue-4.16/x86-pkeys-selftests-give-better-unexpected-fault-error-messages.patch new file mode 100644 index 00000000000..f240df83db3 --- /dev/null +++ b/queue-4.16/x86-pkeys-selftests-give-better-unexpected-fault-error-messages.patch @@ -0,0 +1,72 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Dave Hansen +Date: Wed, 9 May 2018 10:13:38 -0700 +Subject: x86/pkeys/selftests: Give better unexpected fault error messages + +From: Dave Hansen + +[ Upstream commit 55556b0b2016806b2e16a20b62d143383983a34a ] + +do_not_expect_pk_fault() is a helper that we call when we do not expect +a PK fault to have occurred. But, it is a function, which means that +it obscures the line numbers from pkey_assert(). It also gives no +details. + +Replace it with an implementation that gives nice line numbers and +also lets callers pass in a more descriptive message about what +happened that caused the unexpected fault. + +Signed-off-by: Dave Hansen +Cc: Andrew Morton +Cc: Dave Hansen +Cc: Linus Torvalds +Cc: Michael Ellermen +Cc: Peter Zijlstra +Cc: Ram Pai +Cc: Shuah Khan +Cc: Thomas Gleixner +Cc: linux-mm@kvack.org +Link: http://lkml.kernel.org/r/20180509171338.55D13B64@viggo.jf.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/x86/protection_keys.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/tools/testing/selftests/x86/protection_keys.c ++++ b/tools/testing/selftests/x86/protection_keys.c +@@ -954,10 +954,11 @@ void expected_pk_fault(int pkey) + last_si_pkey = -1; + } + +-void do_not_expect_pk_fault(void) +-{ +- pkey_assert(last_pkru_faults == pkru_faults); +-} ++#define do_not_expect_pk_fault(msg) do { \ ++ if (last_pkru_faults != pkru_faults) \ ++ dprintf0("unexpected PK fault: %s\n", msg); \ ++ pkey_assert(last_pkru_faults == pkru_faults); \ ++} while (0) + + int test_fds[10] = { -1 }; + int nr_test_fds; +@@ -1243,7 +1244,7 @@ void test_ptrace_of_child(int *ptr, u16 + pkey_assert(ret != -1); + /* Now access from the current task, and expect NO exception: */ + peek_result = read_ptr(plain_ptr); +- do_not_expect_pk_fault(); ++ do_not_expect_pk_fault("read plain pointer after ptrace"); + + ret = ptrace(PTRACE_DETACH, child_pid, ignored, 0); + pkey_assert(ret != -1); +@@ -1287,7 +1288,7 @@ void test_executing_on_unreadable_memory + */ + madvise(p1, PAGE_SIZE, MADV_DONTNEED); + lots_o_noops_around_write(&scratch); +- do_not_expect_pk_fault(); ++ do_not_expect_pk_fault("executing on PROT_EXEC memory"); + ptr_contents = read_ptr(p1); + dprintf2("ptr (%p) contents@%d: %x\n", p1, __LINE__, ptr_contents); + expected_pk_fault(pkey); diff --git a/queue-4.16/x86-pkeys-selftests-remove-dead-debugging-code-fix-dprint_in_signal.patch b/queue-4.16/x86-pkeys-selftests-remove-dead-debugging-code-fix-dprint_in_signal.patch new file mode 100644 index 00000000000..4ee9b48d210 --- /dev/null +++ b/queue-4.16/x86-pkeys-selftests-remove-dead-debugging-code-fix-dprint_in_signal.patch @@ -0,0 +1,59 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Dave Hansen +Date: Wed, 9 May 2018 10:13:42 -0700 +Subject: x86/pkeys/selftests: Remove dead debugging code, fix dprint_in_signal + +From: Dave Hansen + +[ Upstream commit a50093d60464dd51d1ae0c2267b0abe9e1de77f3 ] + +There is some noisy debug code at the end of the signal handler. It was +disabled by an early, unconditional "return". However, that return also +hid a dprint_in_signal=0, which kept dprint_in_signal=1 and effectively +locked us into permanent dprint_in_signal=1 behavior. + +Remove the return and the dead code, fixing dprint_in_signal. + +Signed-off-by: Dave Hansen +Cc: Andrew Morton +Cc: Dave Hansen +Cc: Linus Torvalds +Cc: Michael Ellermen +Cc: Peter Zijlstra +Cc: Ram Pai +Cc: Shuah Khan +Cc: Thomas Gleixner +Cc: linux-mm@kvack.org +Link: http://lkml.kernel.org/r/20180509171342.846B9B2E@viggo.jf.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/x86/protection_keys.c | 16 ---------------- + 1 file changed, 16 deletions(-) + +--- a/tools/testing/selftests/x86/protection_keys.c ++++ b/tools/testing/selftests/x86/protection_keys.c +@@ -325,22 +325,6 @@ void signal_handler(int signum, siginfo_ + dprintf1("WARNING: set PRKU=0 to allow faulting instruction to continue\n"); + pkru_faults++; + dprintf1("<<<<==================================================\n"); +- return; +- if (trapno == 14) { +- fprintf(stderr, +- "ERROR: In signal handler, page fault, trapno = %d, ip = %016lx\n", +- trapno, ip); +- fprintf(stderr, "si_addr %p\n", si->si_addr); +- fprintf(stderr, "REG_ERR: %lx\n", +- (unsigned long)uctxt->uc_mcontext.gregs[REG_ERR]); +- exit(1); +- } else { +- fprintf(stderr, "unexpected trap %d! at 0x%lx\n", trapno, ip); +- fprintf(stderr, "si_addr %p\n", si->si_addr); +- fprintf(stderr, "REG_ERR: %lx\n", +- (unsigned long)uctxt->uc_mcontext.gregs[REG_ERR]); +- exit(2); +- } + dprint_in_signal = 0; + } + diff --git a/queue-4.16/x86-pkeys-selftests-save-off-prot-for-allocations.patch b/queue-4.16/x86-pkeys-selftests-save-off-prot-for-allocations.patch new file mode 100644 index 00000000000..eb2b184bf54 --- /dev/null +++ b/queue-4.16/x86-pkeys-selftests-save-off-prot-for-allocations.patch @@ -0,0 +1,95 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Dave Hansen +Date: Wed, 9 May 2018 10:13:54 -0700 +Subject: x86/pkeys/selftests: Save off 'prot' for allocations + +From: Dave Hansen + +[ Upstream commit acb25d761d6f2f64e785ccefc71e54f244f1eda4 ] + +This makes it possible to to tell what 'prot' a given allocation +is supposed to have. That way, if we want to change just the +pkey, we know what 'prot' to pass to mprotect_pkey(). + +Also, keep a record of the most recent allocation so the tests +can easily find it. + +Signed-off-by: Dave Hansen +Cc: Andrew Morton +Cc: Dave Hansen +Cc: Linus Torvalds +Cc: Michael Ellermen +Cc: Peter Zijlstra +Cc: Ram Pai +Cc: Shuah Khan +Cc: Thomas Gleixner +Cc: linux-mm@kvack.org +Link: http://lkml.kernel.org/r/20180509171354.AA23E228@viggo.jf.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/x86/protection_keys.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +--- a/tools/testing/selftests/x86/protection_keys.c ++++ b/tools/testing/selftests/x86/protection_keys.c +@@ -677,10 +677,12 @@ int mprotect_pkey(void *ptr, size_t size + struct pkey_malloc_record { + void *ptr; + long size; ++ int prot; + }; + struct pkey_malloc_record *pkey_malloc_records; ++struct pkey_malloc_record *pkey_last_malloc_record; + long nr_pkey_malloc_records; +-void record_pkey_malloc(void *ptr, long size) ++void record_pkey_malloc(void *ptr, long size, int prot) + { + long i; + struct pkey_malloc_record *rec = NULL; +@@ -712,6 +714,8 @@ void record_pkey_malloc(void *ptr, long + (int)(rec - pkey_malloc_records), rec, ptr, size); + rec->ptr = ptr; + rec->size = size; ++ rec->prot = prot; ++ pkey_last_malloc_record = rec; + nr_pkey_malloc_records++; + } + +@@ -756,7 +760,7 @@ void *malloc_pkey_with_mprotect(long siz + pkey_assert(ptr != (void *)-1); + ret = mprotect_pkey((void *)ptr, PAGE_SIZE, prot, pkey); + pkey_assert(!ret); +- record_pkey_malloc(ptr, size); ++ record_pkey_malloc(ptr, size, prot); + rdpkru(); + + dprintf1("%s() for pkey %d @ %p\n", __func__, pkey, ptr); +@@ -777,7 +781,7 @@ void *malloc_pkey_anon_huge(long size, i + size = ALIGN_UP(size, HPAGE_SIZE * 2); + ptr = mmap(NULL, size, PROT_NONE, MAP_ANONYMOUS|MAP_PRIVATE, -1, 0); + pkey_assert(ptr != (void *)-1); +- record_pkey_malloc(ptr, size); ++ record_pkey_malloc(ptr, size, prot); + mprotect_pkey(ptr, size, prot, pkey); + + dprintf1("unaligned ptr: %p\n", ptr); +@@ -850,7 +854,7 @@ void *malloc_pkey_hugetlb(long size, int + pkey_assert(ptr != (void *)-1); + mprotect_pkey(ptr, size, prot, pkey); + +- record_pkey_malloc(ptr, size); ++ record_pkey_malloc(ptr, size, prot); + + dprintf1("mmap()'d hugetlbfs for pkey %d @ %p\n", pkey, ptr); + return ptr; +@@ -872,7 +876,7 @@ void *malloc_pkey_mmap_dax(long size, in + + mprotect_pkey(ptr, size, prot, pkey); + +- record_pkey_malloc(ptr, size); ++ record_pkey_malloc(ptr, size, prot); + + dprintf1("mmap()'d for pkey %d @ %p\n", pkey, ptr); + close(fd); diff --git a/queue-4.16/x86-pkeys-selftests-stop-using-assert.patch b/queue-4.16/x86-pkeys-selftests-stop-using-assert.patch new file mode 100644 index 00000000000..d1bfa93ddd0 --- /dev/null +++ b/queue-4.16/x86-pkeys-selftests-stop-using-assert.patch @@ -0,0 +1,64 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Dave Hansen +Date: Wed, 9 May 2018 10:13:40 -0700 +Subject: x86/pkeys/selftests: Stop using assert() + +From: Dave Hansen + +[ Upstream commit 86b9eea230edf4c67d4d4a70fba9b74505867a25 ] + +If we use assert(), the program "crashes". That can be scary to users, +so stop doing it. Just exit with a >0 exit code instead. + +Signed-off-by: Dave Hansen +Cc: Andrew Morton +Cc: Dave Hansen +Cc: Linus Torvalds +Cc: Michael Ellermen +Cc: Peter Zijlstra +Cc: Ram Pai +Cc: Shuah Khan +Cc: Thomas Gleixner +Cc: linux-mm@kvack.org +Link: http://lkml.kernel.org/r/20180509171340.E63EF7DA@viggo.jf.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/x86/protection_keys.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/tools/testing/selftests/x86/protection_keys.c ++++ b/tools/testing/selftests/x86/protection_keys.c +@@ -72,10 +72,9 @@ extern void abort_hooks(void); + test_nr, iteration_nr); \ + dprintf0("errno at assert: %d", errno); \ + abort_hooks(); \ +- assert(condition); \ ++ exit(__LINE__); \ + } \ + } while (0) +-#define raw_assert(cond) assert(cond) + + void cat_into_file(char *str, char *file) + { +@@ -87,12 +86,17 @@ void cat_into_file(char *str, char *file + * these need to be raw because they are called under + * pkey_assert() + */ +- raw_assert(fd >= 0); ++ if (fd < 0) { ++ fprintf(stderr, "error opening '%s'\n", str); ++ perror("error: "); ++ exit(__LINE__); ++ } ++ + ret = write(fd, str, strlen(str)); + if (ret != strlen(str)) { + perror("write to file failed"); + fprintf(stderr, "filename: '%s' str: '%s'\n", file, str); +- raw_assert(0); ++ exit(__LINE__); + } + close(fd); + } diff --git a/queue-4.16/x86-selftests-add-mov_to_ss-test.patch b/queue-4.16/x86-selftests-add-mov_to_ss-test.patch new file mode 100644 index 00000000000..b07450cb263 --- /dev/null +++ b/queue-4.16/x86-selftests-add-mov_to_ss-test.patch @@ -0,0 +1,325 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Andy Lutomirski +Date: Tue, 8 May 2018 10:28:35 -0700 +Subject: x86/selftests: Add mov_to_ss test + +From: Andy Lutomirski + +[ Upstream commit 59c2a7226fc5130032021c99f05ad5c0a56551cd ] + +This exercises a nasty corner case of the x86 ISA. + +Signed-off-by: Andy Lutomirski +Cc: Borislav Petkov +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/67e08b69817171da8026e0eb3af0214b06b4d74f.1525800455.git.luto@kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/x86/Makefile | 2 + tools/testing/selftests/x86/mov_ss_trap.c | 285 ++++++++++++++++++++++++++++++ + 2 files changed, 286 insertions(+), 1 deletion(-) + create mode 100644 tools/testing/selftests/x86/mov_ss_trap.c + +--- a/tools/testing/selftests/x86/Makefile ++++ b/tools/testing/selftests/x86/Makefile +@@ -11,7 +11,7 @@ CAN_BUILD_X86_64 := $(shell ./check_cc.s + + TARGETS_C_BOTHBITS := single_step_syscall sysret_ss_attrs syscall_nt test_mremap_vdso \ + check_initial_reg_state sigreturn iopl mpx-mini-test ioperm \ +- protection_keys test_vdso test_vsyscall ++ protection_keys test_vdso test_vsyscall mov_ss_trap + TARGETS_C_32BIT_ONLY := entry_from_vm86 syscall_arg_fault test_syscall_vdso unwind_vdso \ + test_FCMOV test_FCOMI test_FISTTP \ + vdso_restorer +--- /dev/null ++++ b/tools/testing/selftests/x86/mov_ss_trap.c +@@ -0,0 +1,285 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++/* ++ * mov_ss_trap.c: Exercise the bizarre side effects of a watchpoint on MOV SS ++ * ++ * This does MOV SS from a watchpointed address followed by various ++ * types of kernel entries. A MOV SS that hits a watchpoint will queue ++ * up a #DB trap but will not actually deliver that trap. The trap ++ * will be delivered after the next instruction instead. The CPU's logic ++ * seems to be: ++ * ++ * - Any fault: drop the pending #DB trap. ++ * - INT $N, INT3, INTO, SYSCALL, SYSENTER: enter the kernel and then ++ * deliver #DB. ++ * - ICEBP: enter the kernel but do not deliver the watchpoint trap ++ * - breakpoint: only one #DB is delivered (phew!) ++ * ++ * There are plenty of ways for a kernel to handle this incorrectly. This ++ * test tries to exercise all the cases. ++ * ++ * This should mostly cover CVE-2018-1087 and CVE-2018-8897. ++ */ ++#define _GNU_SOURCE ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#define X86_EFLAGS_RF (1UL << 16) ++ ++#if __x86_64__ ++# define REG_IP REG_RIP ++#else ++# define REG_IP REG_EIP ++#endif ++ ++unsigned short ss; ++extern unsigned char breakpoint_insn[]; ++sigjmp_buf jmpbuf; ++static unsigned char altstack_data[SIGSTKSZ]; ++ ++static void enable_watchpoint(void) ++{ ++ pid_t parent = getpid(); ++ int status; ++ ++ pid_t child = fork(); ++ if (child < 0) ++ err(1, "fork"); ++ ++ if (child) { ++ if (waitpid(child, &status, 0) != child) ++ err(1, "waitpid for child"); ++ } else { ++ unsigned long dr0, dr1, dr7; ++ ++ dr0 = (unsigned long)&ss; ++ dr1 = (unsigned long)breakpoint_insn; ++ dr7 = ((1UL << 1) | /* G0 */ ++ (3UL << 16) | /* RW0 = read or write */ ++ (1UL << 18) | /* LEN0 = 2 bytes */ ++ (1UL << 3)); /* G1, RW1 = insn */ ++ ++ if (ptrace(PTRACE_ATTACH, parent, NULL, NULL) != 0) ++ err(1, "PTRACE_ATTACH"); ++ ++ if (waitpid(parent, &status, 0) != parent) ++ err(1, "waitpid for child"); ++ ++ if (ptrace(PTRACE_POKEUSER, parent, (void *)offsetof(struct user, u_debugreg[0]), dr0) != 0) ++ err(1, "PTRACE_POKEUSER DR0"); ++ ++ if (ptrace(PTRACE_POKEUSER, parent, (void *)offsetof(struct user, u_debugreg[1]), dr1) != 0) ++ err(1, "PTRACE_POKEUSER DR1"); ++ ++ if (ptrace(PTRACE_POKEUSER, parent, (void *)offsetof(struct user, u_debugreg[7]), dr7) != 0) ++ err(1, "PTRACE_POKEUSER DR7"); ++ ++ printf("\tDR0 = %lx, DR1 = %lx, DR7 = %lx\n", dr0, dr1, dr7); ++ ++ if (ptrace(PTRACE_DETACH, parent, NULL, NULL) != 0) ++ err(1, "PTRACE_DETACH"); ++ ++ exit(0); ++ } ++} ++ ++static void sethandler(int sig, void (*handler)(int, siginfo_t *, void *), ++ int flags) ++{ ++ struct sigaction sa; ++ memset(&sa, 0, sizeof(sa)); ++ sa.sa_sigaction = handler; ++ sa.sa_flags = SA_SIGINFO | flags; ++ sigemptyset(&sa.sa_mask); ++ if (sigaction(sig, &sa, 0)) ++ err(1, "sigaction"); ++} ++ ++static char const * const signames[] = { ++ [SIGSEGV] = "SIGSEGV", ++ [SIGBUS] = "SIBGUS", ++ [SIGTRAP] = "SIGTRAP", ++ [SIGILL] = "SIGILL", ++}; ++ ++static void sigtrap(int sig, siginfo_t *si, void *ctx_void) ++{ ++ ucontext_t *ctx = ctx_void; ++ ++ printf("\tGot SIGTRAP with RIP=%lx, EFLAGS.RF=%d\n", ++ (unsigned long)ctx->uc_mcontext.gregs[REG_IP], ++ !!(ctx->uc_mcontext.gregs[REG_EFL] & X86_EFLAGS_RF)); ++} ++ ++static void handle_and_return(int sig, siginfo_t *si, void *ctx_void) ++{ ++ ucontext_t *ctx = ctx_void; ++ ++ printf("\tGot %s with RIP=%lx\n", signames[sig], ++ (unsigned long)ctx->uc_mcontext.gregs[REG_IP]); ++} ++ ++static void handle_and_longjmp(int sig, siginfo_t *si, void *ctx_void) ++{ ++ ucontext_t *ctx = ctx_void; ++ ++ printf("\tGot %s with RIP=%lx\n", signames[sig], ++ (unsigned long)ctx->uc_mcontext.gregs[REG_IP]); ++ ++ siglongjmp(jmpbuf, 1); ++} ++ ++int main() ++{ ++ unsigned long nr; ++ ++ asm volatile ("mov %%ss, %[ss]" : [ss] "=m" (ss)); ++ printf("\tSS = 0x%hx, &SS = 0x%p\n", ss, &ss); ++ ++ if (prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY, 0, 0, 0) == 0) ++ printf("\tPR_SET_PTRACER_ANY succeeded\n"); ++ ++ printf("\tSet up a watchpoint\n"); ++ sethandler(SIGTRAP, sigtrap, 0); ++ enable_watchpoint(); ++ ++ printf("[RUN]\tRead from watched memory (should get SIGTRAP)\n"); ++ asm volatile ("mov %[ss], %[tmp]" : [tmp] "=r" (nr) : [ss] "m" (ss)); ++ ++ printf("[RUN]\tMOV SS; INT3\n"); ++ asm volatile ("mov %[ss], %%ss; int3" :: [ss] "m" (ss)); ++ ++ printf("[RUN]\tMOV SS; INT 3\n"); ++ asm volatile ("mov %[ss], %%ss; .byte 0xcd, 0x3" :: [ss] "m" (ss)); ++ ++ printf("[RUN]\tMOV SS; CS CS INT3\n"); ++ asm volatile ("mov %[ss], %%ss; .byte 0x2e, 0x2e; int3" :: [ss] "m" (ss)); ++ ++ printf("[RUN]\tMOV SS; CSx14 INT3\n"); ++ asm volatile ("mov %[ss], %%ss; .fill 14,1,0x2e; int3" :: [ss] "m" (ss)); ++ ++ printf("[RUN]\tMOV SS; INT 4\n"); ++ sethandler(SIGSEGV, handle_and_return, SA_RESETHAND); ++ asm volatile ("mov %[ss], %%ss; int $4" :: [ss] "m" (ss)); ++ ++#ifdef __i386__ ++ printf("[RUN]\tMOV SS; INTO\n"); ++ sethandler(SIGSEGV, handle_and_return, SA_RESETHAND); ++ nr = -1; ++ asm volatile ("add $1, %[tmp]; mov %[ss], %%ss; into" ++ : [tmp] "+r" (nr) : [ss] "m" (ss)); ++#endif ++ ++ if (sigsetjmp(jmpbuf, 1) == 0) { ++ printf("[RUN]\tMOV SS; ICEBP\n"); ++ ++ /* Some emulators (e.g. QEMU TCG) don't emulate ICEBP. */ ++ sethandler(SIGILL, handle_and_longjmp, SA_RESETHAND); ++ ++ asm volatile ("mov %[ss], %%ss; .byte 0xf1" :: [ss] "m" (ss)); ++ } ++ ++ if (sigsetjmp(jmpbuf, 1) == 0) { ++ printf("[RUN]\tMOV SS; CLI\n"); ++ sethandler(SIGSEGV, handle_and_longjmp, SA_RESETHAND); ++ asm volatile ("mov %[ss], %%ss; cli" :: [ss] "m" (ss)); ++ } ++ ++ if (sigsetjmp(jmpbuf, 1) == 0) { ++ printf("[RUN]\tMOV SS; #PF\n"); ++ sethandler(SIGSEGV, handle_and_longjmp, SA_RESETHAND); ++ asm volatile ("mov %[ss], %%ss; mov (-1), %[tmp]" ++ : [tmp] "=r" (nr) : [ss] "m" (ss)); ++ } ++ ++ /* ++ * INT $1: if #DB has DPL=3 and there isn't special handling, ++ * then the kernel will die. ++ */ ++ if (sigsetjmp(jmpbuf, 1) == 0) { ++ printf("[RUN]\tMOV SS; INT 1\n"); ++ sethandler(SIGSEGV, handle_and_longjmp, SA_RESETHAND); ++ asm volatile ("mov %[ss], %%ss; int $1" :: [ss] "m" (ss)); ++ } ++ ++#ifdef __x86_64__ ++ /* ++ * In principle, we should test 32-bit SYSCALL as well, but ++ * the calling convention is so unpredictable that it's ++ * not obviously worth the effort. ++ */ ++ if (sigsetjmp(jmpbuf, 1) == 0) { ++ printf("[RUN]\tMOV SS; SYSCALL\n"); ++ sethandler(SIGILL, handle_and_longjmp, SA_RESETHAND); ++ nr = SYS_getpid; ++ /* ++ * Toggle the high bit of RSP to make it noncanonical to ++ * strengthen this test on non-SMAP systems. ++ */ ++ asm volatile ("btc $63, %%rsp\n\t" ++ "mov %[ss], %%ss; syscall\n\t" ++ "btc $63, %%rsp" ++ : "+a" (nr) : [ss] "m" (ss) ++ : "rcx" ++#ifdef __x86_64__ ++ , "r11" ++#endif ++ ); ++ } ++#endif ++ ++ printf("[RUN]\tMOV SS; breakpointed NOP\n"); ++ asm volatile ("mov %[ss], %%ss; breakpoint_insn: nop" :: [ss] "m" (ss)); ++ ++ /* ++ * Invoking SYSENTER directly breaks all the rules. Just handle ++ * the SIGSEGV. ++ */ ++ if (sigsetjmp(jmpbuf, 1) == 0) { ++ printf("[RUN]\tMOV SS; SYSENTER\n"); ++ stack_t stack = { ++ .ss_sp = altstack_data, ++ .ss_size = SIGSTKSZ, ++ }; ++ if (sigaltstack(&stack, NULL) != 0) ++ err(1, "sigaltstack"); ++ sethandler(SIGSEGV, handle_and_longjmp, SA_RESETHAND | SA_ONSTACK); ++ nr = SYS_getpid; ++ asm volatile ("mov %[ss], %%ss; SYSENTER" : "+a" (nr) ++ : [ss] "m" (ss) : "flags", "rcx" ++#ifdef __x86_64__ ++ , "r11" ++#endif ++ ); ++ ++ /* We're unreachable here. SYSENTER forgets RIP. */ ++ } ++ ++ if (sigsetjmp(jmpbuf, 1) == 0) { ++ printf("[RUN]\tMOV SS; INT $0x80\n"); ++ sethandler(SIGSEGV, handle_and_longjmp, SA_RESETHAND); ++ nr = 20; /* compat getpid */ ++ asm volatile ("mov %[ss], %%ss; int $0x80" ++ : "+a" (nr) : [ss] "m" (ss) ++ : "flags" ++#ifdef __x86_64__ ++ , "r8", "r9", "r10", "r11" ++#endif ++ ); ++ } ++ ++ printf("[OK]\tI aten't dead\n"); ++ return 0; ++} diff --git a/queue-4.16/x86-xen-reset-vcpu0-info-pointer-after-shared_info-remap.patch b/queue-4.16/x86-xen-reset-vcpu0-info-pointer-after-shared_info-remap.patch new file mode 100644 index 00000000000..fa447670696 --- /dev/null +++ b/queue-4.16/x86-xen-reset-vcpu0-info-pointer-after-shared_info-remap.patch @@ -0,0 +1,94 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: "van der Linden, Frank" +Date: Fri, 4 May 2018 16:11:00 -0400 +Subject: x86/xen: Reset VCPU0 info pointer after shared_info remap + +From: "van der Linden, Frank" + +[ Upstream commit d1ecfa9d1f402366b1776fbf84e635678a51414f ] + +This patch fixes crashes during boot for HVM guests on older (pre HVM +vector callback) Xen versions. Without this, current kernels will always +fail to boot on those Xen versions. + +Sample stack trace: + + BUG: unable to handle kernel paging request at ffffffffff200000 + IP: __xen_evtchn_do_upcall+0x1e/0x80 + PGD 1e0e067 P4D 1e0e067 PUD 1e10067 PMD 235c067 PTE 0 + Oops: 0002 [#1] SMP PTI + Modules linked in: + CPU: 0 PID: 512 Comm: kworker/u2:0 Not tainted 4.14.33-52.13.amzn1.x86_64 #1 + Hardware name: Xen HVM domU, BIOS 3.4.3.amazon 11/11/2016 + task: ffff88002531d700 task.stack: ffffc90000480000 + RIP: 0010:__xen_evtchn_do_upcall+0x1e/0x80 + RSP: 0000:ffff880025403ef0 EFLAGS: 00010046 + RAX: ffffffff813cc760 RBX: ffffffffff200000 RCX: ffffc90000483ef0 + RDX: ffff880020540a00 RSI: ffff880023c78000 RDI: 000000000000001c + RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 + R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 + R13: ffff880025403f5c R14: 0000000000000000 R15: 0000000000000000 + FS: 0000000000000000(0000) GS:ffff880025400000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: ffffffffff200000 CR3: 0000000001e0a000 CR4: 00000000000006f0 + Call Trace: + + do_hvm_evtchn_intr+0xa/0x10 + __handle_irq_event_percpu+0x43/0x1a0 + handle_irq_event_percpu+0x20/0x50 + handle_irq_event+0x39/0x60 + handle_fasteoi_irq+0x80/0x140 + handle_irq+0xaf/0x120 + do_IRQ+0x41/0xd0 + common_interrupt+0x7d/0x7d + + +During boot, the HYPERVISOR_shared_info page gets remapped to make it work +with KASLR. This means that any pointer derived from it needs to be +adjusted. + +The only value that this applies to is the vcpu_info pointer for VCPU 0. +For PV and HVM with the callback vector feature, this gets done via the +smp_ops prepare_boot_cpu callback. Older Xen versions do not support the +HVM callback vector, so there is no Xen-specific smp_ops set up in that +scenario. So, the vcpu_info pointer for VCPU 0 never gets set to the proper +value, and the first reference of it will be bad. Fix this by resetting it +immediately after the remap. + +Signed-off-by: Frank van der Linden +Reviewed-by: Eduardo Valentin +Reviewed-by: Alakesh Haloi +Reviewed-by: Vallish Vaidyeshwara +Reviewed-by: Boris Ostrovsky +Cc: Juergen Gross +Cc: Boris Ostrovsky +Cc: xen-devel@lists.xenproject.org +Signed-off-by: Boris Ostrovsky +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/xen/enlighten_hvm.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/arch/x86/xen/enlighten_hvm.c ++++ b/arch/x86/xen/enlighten_hvm.c +@@ -65,6 +65,19 @@ static void __init xen_hvm_init_mem_mapp + { + early_memunmap(HYPERVISOR_shared_info, PAGE_SIZE); + HYPERVISOR_shared_info = __va(PFN_PHYS(shared_info_pfn)); ++ ++ /* ++ * The virtual address of the shared_info page has changed, so ++ * the vcpu_info pointer for VCPU 0 is now stale. ++ * ++ * The prepare_boot_cpu callback will re-initialize it via ++ * xen_vcpu_setup, but we can't rely on that to be called for ++ * old Xen versions (xen_have_vector_callback == 0). ++ * ++ * It is, in any case, bad to have a stale vcpu_info pointer ++ * so reset it now. ++ */ ++ xen_vcpu_info_reset(0); + } + + static void __init init_hvm_pv_info(void) diff --git a/queue-4.16/xen-xenbus_dev_frontend-really-return-response-string.patch b/queue-4.16/xen-xenbus_dev_frontend-really-return-response-string.patch new file mode 100644 index 00000000000..766989ef74b --- /dev/null +++ b/queue-4.16/xen-xenbus_dev_frontend-really-return-response-string.patch @@ -0,0 +1,41 @@ +From foo@baz Sun Jun 17 12:07:33 CEST 2018 +From: Simon Gaiser +Date: Thu, 15 Mar 2018 04:08:03 +0100 +Subject: xen: xenbus_dev_frontend: Really return response string + +From: Simon Gaiser + +[ Upstream commit ebf04f331fa15a966262341a7dc6b1a0efd633e4 ] + +xenbus_command_reply() did not actually copy the response string and +leaked stack content instead. + +Fixes: 9a6161fe73bd ("xen: return xenstore command failures via response instead of rc") +Signed-off-by: Simon Gaiser +Reviewed-by: Juergen Gross +Signed-off-by: Boris Ostrovsky +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/xen/xenbus/xenbus_dev_frontend.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/xen/xenbus/xenbus_dev_frontend.c ++++ b/drivers/xen/xenbus/xenbus_dev_frontend.c +@@ -403,7 +403,7 @@ static int xenbus_command_reply(struct x + { + struct { + struct xsd_sockmsg hdr; +- const char body[16]; ++ char body[16]; + } msg; + int rc; + +@@ -412,6 +412,7 @@ static int xenbus_command_reply(struct x + msg.hdr.len = strlen(reply) + 1; + if (msg.hdr.len > sizeof(msg.body)) + return -E2BIG; ++ memcpy(&msg.body, reply, msg.hdr.len); + + mutex_lock(&u->reply_mutex); + rc = queue_reply(&u->read_buffers, &msg, sizeof(msg.hdr) + msg.hdr.len); diff --git a/queue-4.16/xprtrdma-fix-list-corruption-dmar-errors-during-mr-recovery.patch b/queue-4.16/xprtrdma-fix-list-corruption-dmar-errors-during-mr-recovery.patch new file mode 100644 index 00000000000..548610ba5bf --- /dev/null +++ b/queue-4.16/xprtrdma-fix-list-corruption-dmar-errors-during-mr-recovery.patch @@ -0,0 +1,130 @@ +From foo@baz Sun Jun 17 12:07:34 CEST 2018 +From: Chuck Lever +Date: Tue, 1 May 2018 11:37:14 -0400 +Subject: xprtrdma: Fix list corruption / DMAR errors during MR recovery + +From: Chuck Lever + +[ Upstream commit 054f155721d7af1f343ed52bea246626d8450ca8 ] + +The ro_release_mr methods check whether mr->mr_list is empty. +Therefore, be sure to always use list_del_init when removing an MR +linked into a list using that field. Otherwise, when recovering from +transport failures or device removal, list corruption can result, or +MRs can get mapped or unmapped an odd number of times, resulting in +IOMMU-related failures. + +In general this fix is appropriate back to v4.8. However, code +changes since then make it impossible to apply this patch directly +to stable kernels. The fix would have to be applied by hand or +reworked for kernels earlier than v4.16. + +Backport guidance -- there are several cases: +- When creating an MR, initialize mr_list so that using list_empty + on an as-yet-unused MR is safe. +- When an MR is being handled by the remote invalidation path, + ensure that mr_list is reinitialized when it is removed from + rl_registered. +- When an MR is being handled by rpcrdma_destroy_mrs, it is removed + from mr_all, but it may still be on an rl_registered list. In + that case, the MR needs to be removed from that list before being + released. +- Other cases are covered by using list_del_init in rpcrdma_mr_pop. + +Fixes: 9d6b04097882 ('xprtrdma: Place registered MWs on a ... ') +Signed-off-by: Chuck Lever +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/sunrpc/xprtrdma/fmr_ops.c | 5 +---- + net/sunrpc/xprtrdma/frwr_ops.c | 9 +++------ + net/sunrpc/xprtrdma/verbs.c | 5 +++++ + net/sunrpc/xprtrdma/xprt_rdma.h | 2 +- + 4 files changed, 10 insertions(+), 11 deletions(-) + +--- a/net/sunrpc/xprtrdma/fmr_ops.c ++++ b/net/sunrpc/xprtrdma/fmr_ops.c +@@ -72,6 +72,7 @@ fmr_op_init_mr(struct rpcrdma_ia *ia, st + if (IS_ERR(mr->fmr.fm_mr)) + goto out_fmr_err; + ++ INIT_LIST_HEAD(&mr->mr_list); + return 0; + + out_fmr_err: +@@ -102,10 +103,6 @@ fmr_op_release_mr(struct rpcrdma_mr *mr) + LIST_HEAD(unmap_list); + int rc; + +- /* Ensure MW is not on any rl_registered list */ +- if (!list_empty(&mr->mr_list)) +- list_del(&mr->mr_list); +- + kfree(mr->fmr.fm_physaddrs); + kfree(mr->mr_sg); + +--- a/net/sunrpc/xprtrdma/frwr_ops.c ++++ b/net/sunrpc/xprtrdma/frwr_ops.c +@@ -110,6 +110,7 @@ frwr_op_init_mr(struct rpcrdma_ia *ia, s + if (!mr->mr_sg) + goto out_list_err; + ++ INIT_LIST_HEAD(&mr->mr_list); + sg_init_table(mr->mr_sg, depth); + init_completion(&frwr->fr_linv_done); + return 0; +@@ -133,10 +134,6 @@ frwr_op_release_mr(struct rpcrdma_mr *mr + { + int rc; + +- /* Ensure MR is not on any rl_registered list */ +- if (!list_empty(&mr->mr_list)) +- list_del(&mr->mr_list); +- + rc = ib_dereg_mr(mr->frwr.fr_mr); + if (rc) + pr_err("rpcrdma: final ib_dereg_mr for %p returned %i\n", +@@ -195,7 +192,7 @@ frwr_op_recover_mr(struct rpcrdma_mr *mr + return; + + out_release: +- pr_err("rpcrdma: FRWR reset failed %d, %p release\n", rc, mr); ++ pr_err("rpcrdma: FRWR reset failed %d, %p released\n", rc, mr); + r_xprt->rx_stats.mrs_orphaned++; + + spin_lock(&r_xprt->rx_buf.rb_mrlock); +@@ -458,7 +455,7 @@ frwr_op_reminv(struct rpcrdma_rep *rep, + + list_for_each_entry(mr, mrs, mr_list) + if (mr->mr_handle == rep->rr_inv_rkey) { +- list_del(&mr->mr_list); ++ list_del_init(&mr->mr_list); + trace_xprtrdma_remoteinv(mr); + mr->frwr.fr_state = FRWR_IS_INVALID; + rpcrdma_mr_unmap_and_put(mr); +--- a/net/sunrpc/xprtrdma/verbs.c ++++ b/net/sunrpc/xprtrdma/verbs.c +@@ -1244,6 +1244,11 @@ rpcrdma_mrs_destroy(struct rpcrdma_buffe + list_del(&mr->mr_all); + + spin_unlock(&buf->rb_mrlock); ++ ++ /* Ensure MW is not on any rl_registered list */ ++ if (!list_empty(&mr->mr_list)) ++ list_del(&mr->mr_list); ++ + ia->ri_ops->ro_release_mr(mr); + count++; + spin_lock(&buf->rb_mrlock); +--- a/net/sunrpc/xprtrdma/xprt_rdma.h ++++ b/net/sunrpc/xprtrdma/xprt_rdma.h +@@ -381,7 +381,7 @@ rpcrdma_mr_pop(struct list_head *list) + struct rpcrdma_mr *mr; + + mr = list_first_entry(list, struct rpcrdma_mr, mr_list); +- list_del(&mr->mr_list); ++ list_del_init(&mr->mr_list); + return mr; + } + -- 2.47.3