From 6ff88d2db5bf92a231edc54b72ceffe440c23707 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 28 Aug 2017 06:50:49 +0200 Subject: [PATCH] 4.12-stable patches added patches: android-binder-fix-proc-tsk-check.patch binder-use-group-leader-instead-of-open-thread.patch binder-use-wake-up-hint-for-synchronous-transactions.patch clarify-and-fix-max_lfs_filesize-macros.patch iio-hid-sensor-trigger-fix-the-race-with-user-space-powering-up-sensors.patch iio-imu-adis16480-fix-acceleration-scale-factor-for-adis16480.patch iio-magnetometer-st_magn-fix-status-register-address-for-lsm303agr.patch iio-magnetometer-st_magn-remove-ihl-property-for-lsm303agr.patch iommu-fix-wrong-freeing-of-iommu_device-dev.patch revert-android-binder-sanity-check-at-binder-ioctl.patch staging-rtl8188eu-add-rnx-n150nub-support.patch --- .../android-binder-fix-proc-tsk-check.patch | 32 ++++ ...-group-leader-instead-of-open-thread.patch | 35 ++++ ...up-hint-for-synchronous-transactions.patch | 38 ++++ ...rify-and-fix-max_lfs_filesize-macros.patch | 81 ++++++++ ...-with-user-space-powering-up-sensors.patch | 82 +++++++++ ...eleration-scale-factor-for-adis16480.patch | 32 ++++ ...tatus-register-address-for-lsm303agr.patch | 30 +++ ...gn-remove-ihl-property-for-lsm303agr.patch | 33 ++++ ...ix-wrong-freeing-of-iommu_device-dev.patch | 173 ++++++++++++++++++ ...-binder-sanity-check-at-binder-ioctl.patch | 49 +++++ queue-4.12/series | 11 ++ ...ng-rtl8188eu-add-rnx-n150nub-support.patch | 29 +++ 12 files changed, 625 insertions(+) create mode 100644 queue-4.12/android-binder-fix-proc-tsk-check.patch create mode 100644 queue-4.12/binder-use-group-leader-instead-of-open-thread.patch create mode 100644 queue-4.12/binder-use-wake-up-hint-for-synchronous-transactions.patch create mode 100644 queue-4.12/clarify-and-fix-max_lfs_filesize-macros.patch create mode 100644 queue-4.12/iio-hid-sensor-trigger-fix-the-race-with-user-space-powering-up-sensors.patch create mode 100644 queue-4.12/iio-imu-adis16480-fix-acceleration-scale-factor-for-adis16480.patch create mode 100644 queue-4.12/iio-magnetometer-st_magn-fix-status-register-address-for-lsm303agr.patch create mode 100644 queue-4.12/iio-magnetometer-st_magn-remove-ihl-property-for-lsm303agr.patch create mode 100644 queue-4.12/iommu-fix-wrong-freeing-of-iommu_device-dev.patch create mode 100644 queue-4.12/revert-android-binder-sanity-check-at-binder-ioctl.patch create mode 100644 queue-4.12/staging-rtl8188eu-add-rnx-n150nub-support.patch diff --git a/queue-4.12/android-binder-fix-proc-tsk-check.patch b/queue-4.12/android-binder-fix-proc-tsk-check.patch new file mode 100644 index 00000000000..8382e4feb9a --- /dev/null +++ b/queue-4.12/android-binder-fix-proc-tsk-check.patch @@ -0,0 +1,32 @@ +From b2a6d1b999a4c13e5997bb864694e77172d45250 Mon Sep 17 00:00:00 2001 +From: Martijn Coenen +Date: Fri, 28 Jul 2017 13:56:08 +0200 +Subject: ANDROID: binder: fix proc->tsk check. + +From: Martijn Coenen + +commit b2a6d1b999a4c13e5997bb864694e77172d45250 upstream. + +Commit c4ea41ba195d ("binder: use group leader instead of open thread")' +was incomplete and didn't update a check in binder_mmap(), causing all +mmap() calls into the binder driver to fail. + +Signed-off-by: Martijn Coenen +Tested-by: John Stultz +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/android/binder.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/android/binder.c ++++ b/drivers/android/binder.c +@@ -3362,7 +3362,7 @@ static int binder_mmap(struct file *filp + const char *failure_string; + struct binder_buffer *buffer; + +- if (proc->tsk != current) ++ if (proc->tsk != current->group_leader) + return -EINVAL; + + if ((vma->vm_end - vma->vm_start) > SZ_4M) diff --git a/queue-4.12/binder-use-group-leader-instead-of-open-thread.patch b/queue-4.12/binder-use-group-leader-instead-of-open-thread.patch new file mode 100644 index 00000000000..cbed162b620 --- /dev/null +++ b/queue-4.12/binder-use-group-leader-instead-of-open-thread.patch @@ -0,0 +1,35 @@ +From c4ea41ba195d01c9af66fb28711a16cc97caa9c5 Mon Sep 17 00:00:00 2001 +From: Todd Kjos +Date: Thu, 29 Jun 2017 12:01:36 -0700 +Subject: binder: use group leader instead of open thread + +From: Todd Kjos + +commit c4ea41ba195d01c9af66fb28711a16cc97caa9c5 upstream. + +The binder allocator assumes that the thread that +called binder_open will never die for the lifetime of +that proc. That thread is normally the group_leader, +however it may not be. Use the group_leader instead +of current. + +Signed-off-by: Todd Kjos +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/android/binder.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/android/binder.c ++++ b/drivers/android/binder.c +@@ -3460,8 +3460,8 @@ static int binder_open(struct inode *nod + proc = kzalloc(sizeof(*proc), GFP_KERNEL); + if (proc == NULL) + return -ENOMEM; +- get_task_struct(current); +- proc->tsk = current; ++ get_task_struct(current->group_leader); ++ proc->tsk = current->group_leader; + INIT_LIST_HEAD(&proc->todo); + init_waitqueue_head(&proc->wait); + proc->default_priority = task_nice(current); diff --git a/queue-4.12/binder-use-wake-up-hint-for-synchronous-transactions.patch b/queue-4.12/binder-use-wake-up-hint-for-synchronous-transactions.patch new file mode 100644 index 00000000000..ac0c354eaca --- /dev/null +++ b/queue-4.12/binder-use-wake-up-hint-for-synchronous-transactions.patch @@ -0,0 +1,38 @@ +From 00b40d613352c623aaae88a44e5ded7c912909d7 Mon Sep 17 00:00:00 2001 +From: Riley Andrews +Date: Thu, 29 Jun 2017 12:01:37 -0700 +Subject: binder: Use wake up hint for synchronous transactions. + +From: Riley Andrews + +commit 00b40d613352c623aaae88a44e5ded7c912909d7 upstream. + +Use wake_up_interruptible_sync() to hint to the scheduler binder +transactions are synchronous wakeups. Disable preemption while waking +to avoid ping-ponging on the binder lock. + +Signed-off-by: Todd Kjos +Signed-off-by: Omprakash Dhyade +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/android/binder.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/android/binder.c ++++ b/drivers/android/binder.c +@@ -2200,8 +2200,12 @@ static void binder_transaction(struct bi + list_add_tail(&t->work.entry, target_list); + tcomplete->type = BINDER_WORK_TRANSACTION_COMPLETE; + list_add_tail(&tcomplete->entry, &thread->todo); +- if (target_wait) +- wake_up_interruptible(target_wait); ++ if (target_wait) { ++ if (reply || !(t->flags & TF_ONE_WAY)) ++ wake_up_interruptible_sync(target_wait); ++ else ++ wake_up_interruptible(target_wait); ++ } + return; + + err_translate_failed: diff --git a/queue-4.12/clarify-and-fix-max_lfs_filesize-macros.patch b/queue-4.12/clarify-and-fix-max_lfs_filesize-macros.patch new file mode 100644 index 00000000000..1f61cf3807b --- /dev/null +++ b/queue-4.12/clarify-and-fix-max_lfs_filesize-macros.patch @@ -0,0 +1,81 @@ +From 0cc3b0ec23ce4c69e1e890ed2b8d2fa932b14aad Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Sun, 27 Aug 2017 12:12:25 -0700 +Subject: Clarify (and fix) MAX_LFS_FILESIZE macros + +From: Linus Torvalds + +commit 0cc3b0ec23ce4c69e1e890ed2b8d2fa932b14aad upstream. + +We have a MAX_LFS_FILESIZE macro that is meant to be filled in by +filesystems (and other IO targets) that know they are 64-bit clean and +don't have any 32-bit limits in their IO path. + +It turns out that our 32-bit value for that limit was bogus. On 32-bit, +the VM layer is limited by the page cache to only 32-bit index values, +but our logic for that was confusing and actually wrong. We used to +define that value to + + (((loff_t)PAGE_SIZE << (BITS_PER_LONG-1))-1) + +which is actually odd in several ways: it limits the index to 31 bits, +and then it limits files so that they can't have data in that last byte +of a page that has the highest 31-bit index (ie page index 0x7fffffff). + +Neither of those limitations make sense. The index is actually the full +32 bit unsigned value, and we can use that whole full page. So the +maximum size of the file would logically be "PAGE_SIZE << BITS_PER_LONG". + +However, we do wan tto avoid the maximum index, because we have code +that iterates over the page indexes, and we don't want that code to +overflow. So the maximum size of a file on a 32-bit host should +actually be one page less than the full 32-bit index. + +So the actual limit is ULONG_MAX << PAGE_SHIFT. That means that we will +not actually be using the page of that last index (ULONG_MAX), but we +can grow a file up to that limit. + +The wrong value of MAX_LFS_FILESIZE actually caused problems for Doug +Nazar, who was still using a 32-bit host, but with a 9.7TB 2 x RAID5 +volume. It turns out that our old MAX_LFS_FILESIZE was 8TiB (well, one +byte less), but the actual true VM limit is one page less than 16TiB. + +This was invisible until commit c2a9737f45e2 ("vfs,mm: fix a dead loop +in truncate_inode_pages_range()"), which started applying that +MAX_LFS_FILESIZE limit to block devices too. + +NOTE! On 64-bit, the page index isn't a limiter at all, and the limit is +actually just the offset type itself (loff_t), which is signed. But for +clarity, on 64-bit, just use the maximum signed value, and don't make +people have to count the number of 'f' characters in the hex constant. + +So just use LLONG_MAX for the 64-bit case. That was what the value had +been before too, just written out as a hex constant. + +Fixes: c2a9737f45e2 ("vfs,mm: fix a dead loop in truncate_inode_pages_range()") +Reported-and-tested-by: Doug Nazar +Cc: Andreas Dilger +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Dave Kleikamp +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/fs.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -891,9 +891,9 @@ static inline struct file *get_file(stru + /* Page cache limit. The filesystems should put that into their s_maxbytes + limits, otherwise bad things can happen in VM. */ + #if BITS_PER_LONG==32 +-#define MAX_LFS_FILESIZE (((loff_t)PAGE_SIZE << (BITS_PER_LONG-1))-1) ++#define MAX_LFS_FILESIZE ((loff_t)ULONG_MAX << PAGE_SHIFT) + #elif BITS_PER_LONG==64 +-#define MAX_LFS_FILESIZE ((loff_t)0x7fffffffffffffffLL) ++#define MAX_LFS_FILESIZE ((loff_t)LLONG_MAX) + #endif + + #define FL_POSIX 1 diff --git a/queue-4.12/iio-hid-sensor-trigger-fix-the-race-with-user-space-powering-up-sensors.patch b/queue-4.12/iio-hid-sensor-trigger-fix-the-race-with-user-space-powering-up-sensors.patch new file mode 100644 index 00000000000..2ec127460ce --- /dev/null +++ b/queue-4.12/iio-hid-sensor-trigger-fix-the-race-with-user-space-powering-up-sensors.patch @@ -0,0 +1,82 @@ +From f1664eaacec31035450132c46ed2915fd2b2049a Mon Sep 17 00:00:00 2001 +From: Srinivas Pandruvada +Date: Sat, 12 Aug 2017 09:09:21 -0700 +Subject: iio: hid-sensor-trigger: Fix the race with user space powering up sensors + +From: Srinivas Pandruvada + +commit f1664eaacec31035450132c46ed2915fd2b2049a upstream. + +It has been reported for a while that with iio-sensor-proxy service the +rotation only works after one suspend/resume cycle. This required a wait +in the systemd unit file to avoid race. I found a Yoga 900 where I could +reproduce this. + +The problem scenerio is: +- During sensor driver init, enable run time PM and also set a + auto-suspend for 3 seconds. + This result in one runtime resume. But there is a check to avoid +a powerup in this sequence, but rpm is active +- User space iio-sensor-proxy tries to power up the sensor. Since rpm is + active it will simply return. But sensors were not actually +powered up in the prior sequence, so actaully the sensors will not work +- After 3 seconds the auto suspend kicks + +If we add a wait in systemd service file to fire iio-sensor-proxy after +3 seconds, then now everything will work as the runtime resume will +actually powerup the sensor as this is a user request. + +To avoid this: +- Remove the check to match user requested state, this will cause a + brief powerup, but if the iio-sensor-proxy starts immediately it will +still work as the sensors are ON. +- Also move the autosuspend delay to place when user requested turn off + of sensors, like after user finished raw read or buffer disable + +Signed-off-by: Srinivas Pandruvada +Tested-by: Bastien Nocera +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/common/hid-sensors/hid-sensor-trigger.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/iio/common/hid-sensors/hid-sensor-trigger.c ++++ b/drivers/iio/common/hid-sensors/hid-sensor-trigger.c +@@ -36,8 +36,6 @@ static int _hid_sensor_power_state(struc + s32 poll_value = 0; + + if (state) { +- if (!atomic_read(&st->user_requested_state)) +- return 0; + if (sensor_hub_device_open(st->hsdev)) + return -EIO; + +@@ -86,6 +84,9 @@ static int _hid_sensor_power_state(struc + &report_val); + } + ++ pr_debug("HID_SENSOR %s set power_state %d report_state %d\n", ++ st->pdev->name, state_val, report_val); ++ + sensor_hub_get_feature(st->hsdev, st->power_state.report_id, + st->power_state.index, + sizeof(state_val), &state_val); +@@ -107,6 +108,7 @@ int hid_sensor_power_state(struct hid_se + ret = pm_runtime_get_sync(&st->pdev->dev); + else { + pm_runtime_mark_last_busy(&st->pdev->dev); ++ pm_runtime_use_autosuspend(&st->pdev->dev); + ret = pm_runtime_put_autosuspend(&st->pdev->dev); + } + if (ret < 0) { +@@ -205,8 +207,6 @@ int hid_sensor_setup_trigger(struct iio_ + /* Default to 3 seconds, but can be changed from sysfs */ + pm_runtime_set_autosuspend_delay(&attrb->pdev->dev, + 3000); +- pm_runtime_use_autosuspend(&attrb->pdev->dev); +- + return ret; + error_unreg_trigger: + iio_trigger_unregister(trig); diff --git a/queue-4.12/iio-imu-adis16480-fix-acceleration-scale-factor-for-adis16480.patch b/queue-4.12/iio-imu-adis16480-fix-acceleration-scale-factor-for-adis16480.patch new file mode 100644 index 00000000000..bd8d28e001a --- /dev/null +++ b/queue-4.12/iio-imu-adis16480-fix-acceleration-scale-factor-for-adis16480.patch @@ -0,0 +1,32 @@ +From fdd0d32eb95f135041236a6885d9006315aa9a1d Mon Sep 17 00:00:00 2001 +From: Dragos Bogdan +Date: Fri, 4 Aug 2017 01:37:27 +0300 +Subject: iio: imu: adis16480: Fix acceleration scale factor for adis16480 + +From: Dragos Bogdan + +commit fdd0d32eb95f135041236a6885d9006315aa9a1d upstream. + +According to the datasheet, the range of the acceleration is [-10 g, + 10 g], +so the scale factor should be 10 instead of 5. + +Signed-off-by: Dragos Bogdan +Acked-by: Lars-Peter Clausen +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/imu/adis16480.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/imu/adis16480.c ++++ b/drivers/iio/imu/adis16480.c +@@ -696,7 +696,7 @@ static const struct adis16480_chip_info + .gyro_max_val = IIO_RAD_TO_DEGREE(22500), + .gyro_max_scale = 450, + .accel_max_val = IIO_M_S_2_TO_G(12500), +- .accel_max_scale = 5, ++ .accel_max_scale = 10, + }, + [ADIS16485] = { + .channels = adis16485_channels, diff --git a/queue-4.12/iio-magnetometer-st_magn-fix-status-register-address-for-lsm303agr.patch b/queue-4.12/iio-magnetometer-st_magn-fix-status-register-address-for-lsm303agr.patch new file mode 100644 index 00000000000..e1207dff139 --- /dev/null +++ b/queue-4.12/iio-magnetometer-st_magn-fix-status-register-address-for-lsm303agr.patch @@ -0,0 +1,30 @@ +From 541ee9b24fca587f510fe1bc58508d5cf40707af Mon Sep 17 00:00:00 2001 +From: Lorenzo Bianconi +Date: Wed, 16 Aug 2017 19:02:50 +0200 +Subject: iio: magnetometer: st_magn: fix status register address for LSM303AGR + +From: Lorenzo Bianconi + +commit 541ee9b24fca587f510fe1bc58508d5cf40707af upstream. + +Fixes: 97865fe41322 (iio: st_sensors: verify interrupt event to status) +Signed-off-by: Lorenzo Bianconi +Reviewed-by: Linus Walleij +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/magnetometer/st_magn_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/magnetometer/st_magn_core.c ++++ b/drivers/iio/magnetometer/st_magn_core.c +@@ -358,7 +358,7 @@ static const struct st_sensor_settings s + .mask_int1 = 0x01, + .addr_ihl = 0x63, + .mask_ihl = 0x04, +- .addr_stat_drdy = ST_SENSORS_DEFAULT_STAT_ADDR, ++ .addr_stat_drdy = 0x67, + }, + .multi_read_bit = false, + .bootime = 2, diff --git a/queue-4.12/iio-magnetometer-st_magn-remove-ihl-property-for-lsm303agr.patch b/queue-4.12/iio-magnetometer-st_magn-remove-ihl-property-for-lsm303agr.patch new file mode 100644 index 00000000000..27803e4f70d --- /dev/null +++ b/queue-4.12/iio-magnetometer-st_magn-remove-ihl-property-for-lsm303agr.patch @@ -0,0 +1,33 @@ +From 8b35a5f87a73842601cd376e0f5b9b25831390f4 Mon Sep 17 00:00:00 2001 +From: Lorenzo Bianconi +Date: Wed, 16 Aug 2017 19:02:51 +0200 +Subject: iio: magnetometer: st_magn: remove ihl property for LSM303AGR + +From: Lorenzo Bianconi + +commit 8b35a5f87a73842601cd376e0f5b9b25831390f4 upstream. + +Remove IRQ active low support for LSM303AGR since the sensor does not +support that capability for data-ready line + +Fixes: a9fd053b56c6 (iio: st_sensors: support active-low interrupts) +Signed-off-by: Lorenzo Bianconi +Reviewed-by: Linus Walleij +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/magnetometer/st_magn_core.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/iio/magnetometer/st_magn_core.c ++++ b/drivers/iio/magnetometer/st_magn_core.c +@@ -356,8 +356,6 @@ static const struct st_sensor_settings s + .drdy_irq = { + .addr = 0x62, + .mask_int1 = 0x01, +- .addr_ihl = 0x63, +- .mask_ihl = 0x04, + .addr_stat_drdy = 0x67, + }, + .multi_read_bit = false, diff --git a/queue-4.12/iommu-fix-wrong-freeing-of-iommu_device-dev.patch b/queue-4.12/iommu-fix-wrong-freeing-of-iommu_device-dev.patch new file mode 100644 index 00000000000..370aa8bbd66 --- /dev/null +++ b/queue-4.12/iommu-fix-wrong-freeing-of-iommu_device-dev.patch @@ -0,0 +1,173 @@ +From 2926a2aa5c14fb2add75e6584845b1c03022235f Mon Sep 17 00:00:00 2001 +From: Joerg Roedel +Date: Mon, 14 Aug 2017 17:19:26 +0200 +Subject: iommu: Fix wrong freeing of iommu_device->dev + +From: Joerg Roedel + +commit 2926a2aa5c14fb2add75e6584845b1c03022235f upstream. + +The struct iommu_device has a 'struct device' embedded into +it, not as a pointer, but the whole struct. In the +conversion of the iommu drivers to use struct iommu_device +it was forgotten that the relase function for that struct +device simply calls kfree() on the pointer. + +This frees memory that was never allocated and causes memory +corruption. + +To fix this issue, use a pointer to struct device instead of +embedding the whole struct. This needs some updates in the +iommu sysfs code as well as the Intel VT-d and AMD IOMMU +driver. + +Reported-by: Sebastian Ott +Fixes: 39ab9555c241 ('iommu: Add sysfs bindings for struct iommu_device') +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/amd_iommu_types.h | 4 +++- + drivers/iommu/intel-iommu.c | 4 +++- + drivers/iommu/iommu-sysfs.c | 34 +++++++++++++++++++++------------- + include/linux/iommu.h | 12 +++++++++++- + 4 files changed, 38 insertions(+), 16 deletions(-) + +--- a/drivers/iommu/amd_iommu_types.h ++++ b/drivers/iommu/amd_iommu_types.h +@@ -571,7 +571,9 @@ struct amd_iommu { + + static inline struct amd_iommu *dev_to_amd_iommu(struct device *dev) + { +- return container_of(dev, struct amd_iommu, iommu.dev); ++ struct iommu_device *iommu = dev_to_iommu_device(dev); ++ ++ return container_of(iommu, struct amd_iommu, iommu); + } + + #define ACPIHID_UID_LEN 256 +--- a/drivers/iommu/intel-iommu.c ++++ b/drivers/iommu/intel-iommu.c +@@ -4749,7 +4749,9 @@ static void intel_disable_iommus(void) + + static inline struct intel_iommu *dev_to_intel_iommu(struct device *dev) + { +- return container_of(dev, struct intel_iommu, iommu.dev); ++ struct iommu_device *iommu_dev = dev_to_iommu_device(dev); ++ ++ return container_of(iommu_dev, struct intel_iommu, iommu); + } + + static ssize_t intel_iommu_show_version(struct device *dev, +--- a/drivers/iommu/iommu-sysfs.c ++++ b/drivers/iommu/iommu-sysfs.c +@@ -62,32 +62,40 @@ int iommu_device_sysfs_add(struct iommu_ + va_list vargs; + int ret; + +- device_initialize(&iommu->dev); +- +- iommu->dev.class = &iommu_class; +- iommu->dev.parent = parent; +- iommu->dev.groups = groups; ++ iommu->dev = kzalloc(sizeof(*iommu->dev), GFP_KERNEL); ++ if (!iommu->dev) ++ return -ENOMEM; ++ ++ device_initialize(iommu->dev); ++ ++ iommu->dev->class = &iommu_class; ++ iommu->dev->parent = parent; ++ iommu->dev->groups = groups; + + va_start(vargs, fmt); +- ret = kobject_set_name_vargs(&iommu->dev.kobj, fmt, vargs); ++ ret = kobject_set_name_vargs(&iommu->dev->kobj, fmt, vargs); + va_end(vargs); + if (ret) + goto error; + +- ret = device_add(&iommu->dev); ++ ret = device_add(iommu->dev); + if (ret) + goto error; + ++ dev_set_drvdata(iommu->dev, iommu); ++ + return 0; + + error: +- put_device(&iommu->dev); ++ put_device(iommu->dev); + return ret; + } + + void iommu_device_sysfs_remove(struct iommu_device *iommu) + { +- device_unregister(&iommu->dev); ++ dev_set_drvdata(iommu->dev, NULL); ++ device_unregister(iommu->dev); ++ iommu->dev = NULL; + } + /* + * IOMMU drivers can indicate a device is managed by a given IOMMU using +@@ -102,14 +110,14 @@ int iommu_device_link(struct iommu_devic + if (!iommu || IS_ERR(iommu)) + return -ENODEV; + +- ret = sysfs_add_link_to_group(&iommu->dev.kobj, "devices", ++ ret = sysfs_add_link_to_group(&iommu->dev->kobj, "devices", + &link->kobj, dev_name(link)); + if (ret) + return ret; + +- ret = sysfs_create_link_nowarn(&link->kobj, &iommu->dev.kobj, "iommu"); ++ ret = sysfs_create_link_nowarn(&link->kobj, &iommu->dev->kobj, "iommu"); + if (ret) +- sysfs_remove_link_from_group(&iommu->dev.kobj, "devices", ++ sysfs_remove_link_from_group(&iommu->dev->kobj, "devices", + dev_name(link)); + + return ret; +@@ -121,5 +129,5 @@ void iommu_device_unlink(struct iommu_de + return; + + sysfs_remove_link(&link->kobj, "iommu"); +- sysfs_remove_link_from_group(&iommu->dev.kobj, "devices", dev_name(link)); ++ sysfs_remove_link_from_group(&iommu->dev->kobj, "devices", dev_name(link)); + } +--- a/include/linux/iommu.h ++++ b/include/linux/iommu.h +@@ -240,7 +240,7 @@ struct iommu_device { + struct list_head list; + const struct iommu_ops *ops; + struct fwnode_handle *fwnode; +- struct device dev; ++ struct device *dev; + }; + + int iommu_device_register(struct iommu_device *iommu); +@@ -265,6 +265,11 @@ static inline void iommu_device_set_fwno + iommu->fwnode = fwnode; + } + ++static inline struct iommu_device *dev_to_iommu_device(struct device *dev) ++{ ++ return (struct iommu_device *)dev_get_drvdata(dev); ++} ++ + #define IOMMU_GROUP_NOTIFY_ADD_DEVICE 1 /* Device added */ + #define IOMMU_GROUP_NOTIFY_DEL_DEVICE 2 /* Pre Device removed */ + #define IOMMU_GROUP_NOTIFY_BIND_DRIVER 3 /* Pre Driver bind */ +@@ -589,6 +594,11 @@ static inline void iommu_device_set_fwno + { + } + ++static inline struct iommu_device *dev_to_iommu_device(struct device *dev) ++{ ++ return NULL; ++} ++ + static inline void iommu_device_unregister(struct iommu_device *iommu) + { + } diff --git a/queue-4.12/revert-android-binder-sanity-check-at-binder-ioctl.patch b/queue-4.12/revert-android-binder-sanity-check-at-binder-ioctl.patch new file mode 100644 index 00000000000..73a39be75aa --- /dev/null +++ b/queue-4.12/revert-android-binder-sanity-check-at-binder-ioctl.patch @@ -0,0 +1,49 @@ +From a2b18708ee14baec4ef9c0fba96070bba14d0081 Mon Sep 17 00:00:00 2001 +From: Todd Kjos +Date: Wed, 5 Jul 2017 13:46:01 -0700 +Subject: Revert "android: binder: Sanity check at binder ioctl" + +From: Todd Kjos + +commit a2b18708ee14baec4ef9c0fba96070bba14d0081 upstream. + +This reverts commit a906d6931f3ccaf7de805643190765ddd7378e27. + +The patch introduced a race in the binder driver. An attempt to fix the +race was submitted in "[PATCH v2] android: binder: fix dangling pointer +comparison", however the conclusion in the discussion for that patch +was that the original patch should be reverted. + +The reversion is being done as part of the fine-grained locking +patchset since the patch would need to be refactored when +proc->vmm_vm_mm is removed from struct binder_proc and added +in the binder allocator. + +Signed-off-by: Todd Kjos +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/android/binder.c | 5 ----- + 1 file changed, 5 deletions(-) + +--- a/drivers/android/binder.c ++++ b/drivers/android/binder.c +@@ -3247,10 +3247,6 @@ static long binder_ioctl(struct file *fi + /*pr_info("binder_ioctl: %d:%d %x %lx\n", + proc->pid, current->pid, cmd, arg);*/ + +- if (unlikely(current->mm != proc->vma_vm_mm)) { +- pr_err("current mm mismatch proc mm\n"); +- return -EINVAL; +- } + trace_binder_ioctl(cmd, arg); + + ret = wait_event_interruptible(binder_user_error_wait, binder_stop_on_user_error < 2); +@@ -3466,7 +3462,6 @@ static int binder_open(struct inode *nod + return -ENOMEM; + get_task_struct(current); + proc->tsk = current; +- proc->vma_vm_mm = current->mm; + INIT_LIST_HEAD(&proc->todo); + init_waitqueue_head(&proc->wait); + proc->default_priority = task_nice(current); diff --git a/queue-4.12/series b/queue-4.12/series index 7b39a26f75b..3ce0446fd57 100644 --- a/queue-4.12/series +++ b/queue-4.12/series @@ -81,3 +81,14 @@ netfilter-nfnetlink-improve-input-length-sanitization-in-nfnetlink_rcv.patch bluetooth-hidp-fix-possible-might-sleep-error-in-hidp_session_thread.patch bluetooth-cmtp-fix-possible-might-sleep-error-in-cmtp_session.patch bluetooth-bnep-fix-possible-might-sleep-error-in-bnep_session.patch +revert-android-binder-sanity-check-at-binder-ioctl.patch +binder-use-group-leader-instead-of-open-thread.patch +binder-use-wake-up-hint-for-synchronous-transactions.patch +android-binder-fix-proc-tsk-check.patch +iio-imu-adis16480-fix-acceleration-scale-factor-for-adis16480.patch +iio-hid-sensor-trigger-fix-the-race-with-user-space-powering-up-sensors.patch +iio-magnetometer-st_magn-fix-status-register-address-for-lsm303agr.patch +iio-magnetometer-st_magn-remove-ihl-property-for-lsm303agr.patch +staging-rtl8188eu-add-rnx-n150nub-support.patch +iommu-fix-wrong-freeing-of-iommu_device-dev.patch +clarify-and-fix-max_lfs_filesize-macros.patch diff --git a/queue-4.12/staging-rtl8188eu-add-rnx-n150nub-support.patch b/queue-4.12/staging-rtl8188eu-add-rnx-n150nub-support.patch new file mode 100644 index 00000000000..0d16bf8915f --- /dev/null +++ b/queue-4.12/staging-rtl8188eu-add-rnx-n150nub-support.patch @@ -0,0 +1,29 @@ +From f299aec6ebd747298e35934cff7709c6b119ca52 Mon Sep 17 00:00:00 2001 +From: Charles Milette +Date: Fri, 18 Aug 2017 16:30:34 -0400 +Subject: staging: rtl8188eu: add RNX-N150NUB support + +From: Charles Milette + +commit f299aec6ebd747298e35934cff7709c6b119ca52 upstream. + +Add support for USB Device Rosewill RNX-N150NUB. +VendorID: 0x0bda, ProductID: 0xffef + +Signed-off-by: Charles Milette +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/rtl8188eu/os_dep/usb_intf.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c ++++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c +@@ -45,6 +45,7 @@ static struct usb_device_id rtw_usb_id_t + {USB_DEVICE(0x2001, 0x3311)}, /* DLink GO-USB-N150 REV B1 */ + {USB_DEVICE(0x2357, 0x010c)}, /* TP-Link TL-WN722N v2 */ + {USB_DEVICE(0x0df6, 0x0076)}, /* Sitecom N150 v2 */ ++ {USB_DEVICE(USB_VENDER_ID_REALTEK, 0xffef)}, /* Rosewill RNX-N150NUB */ + {} /* Terminating entry */ + }; + -- 2.47.3