From 7c8beda5eb0d3ca0f6f7de40759ecead40be3579 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 1 May 2018 15:32:42 -0700 Subject: [PATCH] 4.16-stable patches added patches: acpi-acpi_pad-fix-memory-leak-in-power-saving-threads.patch acpica-acpi-acpica-fix-acpi-operand-cache-leak-in-nseval.c.patch acpica-events-add-a-return-on-failure-from-acpi_hw_register_read.patch acpica-fix-memory-leak-on-unusual-memory-leak.patch alsa-usb-audio-add-native-dsd-support-for-luxman-da-06.patch alsa-vmaster-propagate-slave-error.patch arm-cma-avoid-double-mapping-to-the-cma-area-if-config_highmem-y.patch arm-davinci_all_defconfig-set-config_davinci_watchdog-y.patch arm-dts-at91-nattis-use-the-correct-compatible-for-the-eeprom.patch arm-dts-at91-tse850-use-the-correct-compatible-for-the-eeprom.patch arm-dts-bcm283x-fix-pin-function-of-jtag-pins.patch arm-dts-bcm283x-fix-probing-of-bcm2835-i2s.patch arm-dts-dra71-evm-correct-evm_sd-regulator-max-voltage.patch arm-dts-imx7d-cl-som-imx7-fix-pinctrl_enet.patch arm-dts-keystone-k2e-clocks-fix-missing-unit-address-separator.patch arm-dts-ls1021a-specify-tbipa-register-address.patch arm-dts-porter-fix-hdmi-output-routing.patch arm-dts-socfpga-fix-gic-ppi-warning.patch arm64-dts-qcom-fix-spi5-config-on-msm8996.patch arm64-insn-allow-add-sub-immediate-with-lsl-12.patch asoc-fsl_ssi-maintain-a-mask-of-active-streams.patch asoc-rockchip-rk3288-hdmi-analog-select-needed-codecs.patch asoc-samsung-i2s-ensure-the-rclk-rate-is-properly-determined.patch asoc-samsung-odroid-fix-32000-sample-rate-handling.patch asoc-topology-create-tlv-data-for-dapm-widgets.patch ath10k-advertize-beacon_int_min_gcd.patch ath10k-fix-kernel-panic-while-using-worker-ath10k_sta_rc_update_wk.patch ath9k-fix-crash-in-spectral-scan.patch audit-return-on-memory-error-to-avoid-null-pointer-dereference.patch bcache-fix-cached_dev-count-usage-for-bch_cache_set_error.patch bcache-quit-dc-writeback_thread-when-bcache_dev_detaching-is-set.patch bcache-stop-dc-writeback_rate_update-properly.patch block-fix-a-race-between-request-queue-removal-and-the-block-cgroup-controller.patch block-null_blk-fix-invalid-parameters-when-loading-module.patch bluetooth-btusb-add-device-id-for-rtl8822be.patch bluetooth-btusb-add-support-for-intel-bluetooth-device-22560.patch bluetooth-btusb-add-usb-id-7392-a611-for-edimax-ew-7611ulb.patch bnxt_en-fix-clear-flags-in-ethtool-reset-handling.patch bnxt_en-ignore-src-port-field-in-decap-filter-nodes.patch btrfs-bail-out-on-error-during-replay_dir_deletes.patch btrfs-clean-up-resources-during-umount-after-trans-is-aborted.patch btrfs-fix-copy_items-return-value-when-logging-an-inode.patch btrfs-fix-lockdep-splat-in-btrfs_alloc_subvolume_writers.patch btrfs-fix-loss-of-prealloc-extents-past-i_size-after-fsync-log-replay.patch btrfs-fix-null-pointer-deref-when-target-device-is-missing.patch btrfs-fix-null-pointer-dereference-in-log_dir_items.patch btrfs-fix-possible-softlock-on-single-core-machines.patch btrfs-qgroup-fix-root-item-corruption-when-multiple-same-source-snapshots-are-created-with-quota-enabled.patch btrfs-tests-qgroup-fix-wrong-tree-backref-level.patch cdrom-do-not-call-check_disk_change-inside-cdrom_open.patch clk-don-t-show-the-incorrect-clock-phase.patch clk-hisilicon-mark-wdt_mux_p-as-const.patch clk-meson-axg-add-the-fractional-part-of-the-fixed_pll.patch clk-meson-axg-fix-the-od-shift-of-the-sys_pll.patch clk-rockchip-fix-wrong-parent-for-sdmmc-phase-clock-for-rk3228.patch clk-rockchip-prevent-calculating-mmc-phase-if-clock-rate-is-zero.patch clk-samsung-exynos3250-fix-pll-rates.patch clk-samsung-exynos5250-fix-pll-rates.patch clk-samsung-exynos5260-fix-pll-rates.patch clk-samsung-exynos5433-fix-pll-rates.patch clk-samsung-exynos7-fix-pll-rates.patch clk-samsung-s3c2410-fix-pll-rates.patch clk-tegra-fix-pll_u-rate-configuration.patch clk-ti-fix-flag-space-conflict-with-clkctrl-clocks.patch coresight-use-px-to-print-pcsr-instead-of-p.patch cpufreq-cppc-initialize-shared-perf-capabilities-of-cpus.patch cpufreq-cppc_cpufreq-fix-cppc_cpufreq_init-failure-path.patch cpufreq-reorder-cpufreq_online-error-code-path.patch crypto-af_alg-fix-possible-uninit-value-in-alg_bind.patch crypto-atmel-aes-fix-the-keys-zeroing-on-errors.patch crypto-ccp-don-t-disable-interrupts-while-setting-up-debugfs.patch crypto-inside-secure-do-not-overwrite-the-threshold-value.patch crypto-inside-secure-do-not-process-request-if-no-command-was-issued.patch crypto-inside-secure-fix-the-cache_len-computation.patch crypto-inside-secure-fix-the-extra-cache-computation.patch crypto-inside-secure-fix-the-invalidation-step-during-cra_exit.patch crypto-inside-secure-move-the-digest-to-the-request-context.patch crypto-inside-secure-wait-for-the-request-to-complete-if-in-the-backlog.patch crypto-sunxi-ss-add-module_alias-to-sun4i-ss.patch cxgb4-fix-queue-free-path-of-uld-drivers.patch cxgb4-setup-fw-queues-before-registering-netdev.patch cxl-check-if-psl-data-cache-is-available-before-issue-flush-request.patch dccp-initialize-ireq-ir_mark.patch dmaengine-pl330-fix-a-race-condition-in-case-of-threaded-irqs.patch dmaengine-qcom-bam_dma-get-num-channels-and-num-ees-from-dt.patch dmaengine-rcar-dmac-check-the-done-lists-in-rcar_dmac_chan_get_residue.patch dmaengine-rcar-dmac-fix-too-early-late-system-suspend-resume-callbacks.patch dp83640-ensure-against-premature-access-to-phy-registers-after-reset.patch dpaa_eth-fix-pause-capability-advertisement-logic.patch dpaa_eth-fix-sg-mapping.patch drivers-macintosh-rack-meter-really-fix-bogus-memsets.patch drm-amd-display-set-vsc-pack-revision-when-dpcd-revision-is-1.2.patch drm-amdgpu-adjust-timeout-for-ib_ring_tests-v2.patch drm-amdgpu-clean-sdma-wptr-register-when-only-enable-wptr-polling.patch drm-amdgpu-disable-gfx-ring-and-disable-pq-wptr-in-hw_fini.patch drm-amdkfd-add-missing-include-of-mm.h.patch drm-bridge-sii902x-retry-status-read-after-ddi-i2c.patch drm-meson-fix-an-un-handled-error-path-in-meson_drv_bind_master.patch drm-meson-fix-some-error-handling-paths-in-meson_drv_bind_master.patch drm-omap-add-pclk-setting-case-when-channel-is-dss_wb.patch drm-omapdrm-dss-move-initialization-code-from-component-bind-to-probe.patch drm-panel-simple-fix-the-bus-format-for-the-ontat-panel.patch drm-rcar-du-lvds-fix-lvds-startup-on-r-car-gen2.patch drm-rcar-du-lvds-fix-lvds-startup-on-r-car-gen3.patch drm-rockchip-respect-page-offset-for-prime-mmap-calls.patch drm-vblank-data-type-fixes-for-64-bit-vblank-sequences.patch drm-vmwgfx-unpin-the-screen-object-backup-buffer-when-not-used.patch dt-bindings-add-device-tree-binding-for-allwinner-h6-main-ccu.patch dt-bindings-display-msm-dsi-fix-the-phy-regulator-supply-props.patch efi-arm-only-register-page-tables-when-they-exist.patch enic-enable-rq-before-updating-rq-descriptors.patch ext4-don-t-complain-about-incorrect-features-when-probing.patch f2fs-fix-to-check-extent-cache-in-f2fs_drop_extent_tree.patch f2fs-fix-to-clear-cp_trimmed_flag.patch f2fs-fix-to-set-keep_size-bit-in-f2fs_zero_range.patch f2fs-flush-cp-pack-except-cp-pack-2-page-at-first.patch fanotify-avoid-lost-events-due-to-enomem-for-unlimited-queues.patch firmware-dmi_scan-fix-uuid-length-safety-check.patch firmware-fix-checking-for-return-values-for-fw_add_devm_name.patch force-log-to-disk-before-reading-the-agf-during-a-fstrim.patch fs-proc-proc_sysctl.c-fix-potential-page-fault-while-unregistering-sysctl-table.patch fscache-fix-hanging-wait-on-page-discarded-by-writeback.patch genirq-affinity-don-t-return-with-empty-affinity-masks-on-error.patch gfs2-check-for-the-end-of-metadata-in-punch_hole.patch gfs2-fix-fallocate-chunk-size.patch hv_netvsc-fix-the-return-status-in-rx-path.patch hwmon-nct6775-fix-writing-pwmx_mode.patch hwmon-pmbus-adm1275-accept-negative-page-register-values.patch hwmon-pmbus-max8688-accept-negative-page-register-values.patch hwrng-bcm2835-handle-deferred-clock-properly.patch hwrng-stm32-add-reset-during-probe.patch i2c-core-report-of-style-module-alias-for-devices-registered-via-of.patch i2c-mv64xxx-apply-errata-delay-only-in-standard-mode.patch i40e-add-delay-after-emp-reset-for-firmware-to-recover.patch i40e-hold-the-rtnl-lock-while-changing-interrupt-schemes.patch ib-core-honor-port_num-while-resolving-gid-for-ib-link-layer.patch ib-mlx5-set-the-default-active-rate-and-width-to-qdr-and-4x.patch ib-rxe-fix-for-oops-in-rxe_register_device-on-ppc64le-arch.patch ibmvnic-allocate-statistics-buffers-during-probe.patch ibmvnic-fix-reset-return-from-closed-state.patch ibmvnic-fix-tx-descriptor-tracking-again.patch ibmvnic-zero-used-tx-descriptor-counter-on-reset.patch ieee802154-ca8210-fix-uninitialised-data-read.patch ima-clear-ima_hash.patch ima-fallback-to-the-builtin-hash-algorithm.patch ima-fix-kconfig-to-select-tpm-2.0-crb-interface.patch intel_th-use-correct-method-of-finding-hub.patch iommu-amd-take-into-account-that-alloc_dev_data-may-return-null.patch iommu-mediatek-fix-protect-memory-setting.patch ipc-msg-introduce-msgctl-msg_stat_any.patch ipmi_ssif-fix-kernel-panic-at-msg_done_handler.patch iwlwifi-mvm-check-if-mac80211_queue-is-valid-in-iwl_mvm_disable_txq.patch iwlwifi-mvm-take-rcu-lock-before-dereferencing.patch ixgbe-prevent-ptp_rx_hang-from-running-when-in-filter_all-mode.patch kasan-fix-invalid-free-test-crashing-the-kernel.patch kasan-slub-fix-handling-of-kasan_slab_free-hook.patch kdb-make-mdr-command-repeat.patch kvm-lapic-stop-advertising-directed_eoi-when-in-kernel-ioapic-is-in-use.patch kvm-vmx-raise-internal-error-for-exception-during-invalid-protected-mode-state.patch lan78xx-connect-phy-early.patch loop-don-t-call-into-filesystem-while-holding-lo_ctl_mutex.patch m68k-set-dma-and-coherent-masks-for-platform-fec-ethernets.patch mac80211-don-t-warn-on-bad-wmm-parameters-from-buggy-aps.patch max17042-propagate-of_node-to-power-supply-device.patch media-cx23885-override-888-impactvcbe-crystal-frequency.patch media-cx23885-set-subdev-host-data-to-clk_freq-pointer.patch media-cx25821-prevent-out-of-bounds-read-on-array-card.patch media-em28xx-add-hauppauge-solohd-dualhd-bulk-models.patch media-em28xx-usb-bulk-packet-size-fix.patch media-i2c-adv748x-fix-hdmi-field-heights.patch media-lgdt3306a-fix-a-double-kfree-on-i2c-device-remove.patch media-lgdt3306a-fix-module-count-mismatch-on-usb-unplug.patch media-ov5645-add-missing-of_node_put-in-error-path.patch media-s3c-camif-fix-out-of-bounds-array-access.patch media-v4l-vsp1-fix-display-stalls-when-requesting-too-many-inputs.patch media-vb2-fix-videobuf2-to-map-correct-area.patch media-vivid-fix-incorrect-capabilities-for-radio.patch memcg-fix-per_node_info-cleanup.patch mips-ath79-fix-ar724x_pll_reg_pcie_config-offset.patch mips-octeon-fix-logging-messages-with-spurious-periods-after-newlines.patch mm-fix-races-between-address_space-dereference-and-free-in-page_evicatable.patch mm-ksm-fix-interaction-with-thp.patch mm-thp-fix-potential-clearing-to-referenced-flag-in-page_idle_clear_pte_refs_one.patch mt76x2-fix-possible-null-pointer-dereferencing-in-mt76x2_tx.patch mt76x2-fix-warning-in-ieee80211_get_key_rx_seq.patch net-bgmac-correctly-annotate-register-space.patch net-bgmac-fix-endian-access-in-bgmac_dma_tx_ring_free.patch net-hns3-fix-for-returning-wrong-value-problem-in-hns3_get_rss_indir_size.patch net-hns3-fix-for-returning-wrong-value-problem-in-hns3_get_rss_key_size.patch net-hns3-fix-for-the-wrong-shift-problem-in-hns3_set_txbd_baseinfo.patch net-mlx5-protect-from-command-bit-overflow.patch net-mlx5e-move-all-tx-timeout-logic-to-be-under-state-lock.patch net-qlge-eliminate-duplicate-barriers-on-weakly-ordered-archs.patch net-qualcomm-rmnet-check-for-null-ep-to-avoid-null-pointer-dereference.patch net-smc-pay-attention-to-max_order-for-cq-entries.patch net-stmmac-call-correct-function-in-stmmac_mac_config_rx_queues_routing.patch net-stmmac-ensure-that-the-device-has-released-ownership-before-reading-data.patch net-stmmac-ensure-that-the-mss-desc-is-the-last-desc-to-set-the-own-bit.patch netlabel-if-pf_inet6-check-sk_buff-ip-header-version.patch nvme-don-t-send-keep-alives-to-the-discovery-controller.patch nvme-expand-nvmf_check_if_ready-checks.patch nvme-pci-disable-apst-for-samsung-nvme-ssd-960-evo-asus-prime-z370-a.patch nvme_fc-fix-abort-race-on-teardown-with-lld-reject.patch ocfs2-dlm-don-t-handle-migrate-lockres-if-already-in-shutdown.patch parisc-pci-switch-lba-pci-bus-from-hard-fail-to-soft-fail-mode.patch pci-add-function-1-dma-alias-quirk-for-marvell-88se9220.patch pci-endpoint-fix-kernel-panic-after-put_device.patch pci-restore-config-space-on-runtime-resume-despite-being-unbound.patch pcmcia-pm-avoid-noirq-suspend-aborts-during-suspend-to-idle.patch perf-clang-add-support-for-recent-clang-versions.patch perf-core-fix-installing-cgroup-events-on-cpu.patch perf-core-fix-perf_output_read_group.patch perf-mmap-fix-accessing-unmapped-mmap-in-perf_mmap__read_done.patch perf-report-fix-memory-corruption-in-branch-history-mode-branch-history.patch perf-report-fix-wrong-jump-arrow.patch perf-stat-fix-core-dump-when-flag-t-is-used.patch perf-test-fix-test-case-inet_pton-to-accept-inlines.patch perf-tests-fix-dwarf-unwind-for-stripped-binaries.patch perf-tests-use-arch__compare_symbol_names-to-compare-symbols.patch perf-tools-fix-perf-builds-with-clang-support.patch perf-top-fix-top.call-graph-config-option-reading.patch perf-x86-intel-fix-event-update-for-auto-reload.patch perf-x86-intel-fix-large-period-handling-on-broadwell-cpus.patch perf-x86-intel-properly-save-restore-the-pmu-state-in-the-nmi-handler.patch phy-qcom-qmp-fix-phy-pipe-clock-gating.patch phy-rockchip-emmc-retry-calpad-busy-trimming.patch pinctrl-artpec6-dt-add-missing-pin-group-uart5nocts.patch pinctrl-devicetree-fix-dt_to_map_one_config-handling-of-hogs.patch pinctrl-mcp23s08-spi-fix-regmap-debugfs-entries.patch pinctrl-msm-use-dynamic-gpio-numbering.patch pinctrl-sh-pfc-r8a7796-fix-mod_sel-register-pin-assignment-for-ssi-pins-group.patch platform-x86-dell-smbios-fix-memory-leaks-in-build_tokens_sysfs.patch power-supply-ltc2941-battery-gauge-fix-temperature-units.patch powerpc-64s-idle-fix-restore-of-amor-on-power9-after-deep-sleep.patch powerpc-64s-sreset-panic-if-there-is-no-debugger-or-crash-dump-handlers.patch powerpc-add-missing-prototype-for-arch_irq_work_raise.patch powerpc-fscr-enable-interrupts-earlier-before-calling-get_user.patch powerpc-mm-slice-fix-hugepage-allocation-at-hint-address-on-8xx.patch powerpc-mpic-check-if-cpu_possible-in-mpic_physmask.patch powerpc-perf-fix-kernel-address-leak-via-sampling-registers.patch powerpc-perf-prevent-kernel-address-leak-to-userspace-via-bhrb-buffer.patch powerpc-powernv-npu-fix-deadlock-in-mmio_invalidate.patch powerpc-vas-fix-cleanup-when-vas-is-not-configured.patch powerpc-xmon-setup-debugger-hooks-when-first-break-point-is-set.patch rcu-call-touch_nmi_watchdog-while-printing-stall-warnings.patch rds-tcp-must-use-spin_lock_irq-and-not-spin_lock_bh-with-rds_tcp_conn_lock.patch regmap-correct-comparison-in-regmap_cached.patch regulator-gpio-fix-some-error-handling-paths-in-gpio_regulator_probe.patch regulator-of-add-a-missing-of_node_put-in-an-error-handling-path-of-of_regulator_match.patch remoteproc-imx_rproc-fix-an-error-handling-path-in-imx_rproc_probe.patch riscv-spinlock-strengthen-implementations-with-fences.patch rsi-fix-kernel-panic-observed-on-64bit-machine.patch rtc-goldfish-add-missing-module_license.patch rtc-hctosys-ensure-system-time-doesn-t-overflow-time_t.patch rtc-m41t80-fix-race-conditions.patch rtc-rk808-fix-possible-race-condition.patch rtc-rp5c01-fix-possible-race-condition.patch rtc-snvs-fix-usage-of-snvs_rtc_enable.patch rtc-tx4939-avoid-unintended-sign-extension-on-a-24-bit-shift.patch rxrpc-don-t-treat-call-aborts-as-conn-aborts.patch rxrpc-fix-resend-event-time-calculation.patch rxrpc-fix-tx-ring-annotation-after-initial-tx-failure.patch sched-rt-fix-rq-clock_update_flags-rqcf_act_skip-warning.patch scsi-aacraid-insure-command-thread-is-not-recursively-stopped.patch scsi-core-make-scsi-status-condition-met-equivalent-to-good.patch scsi-devinfo-add-hp-disk-subsystem-device-for-hp-xp-arrays.patch scsi-lpfc-fix-frequency-of-release-wqe-cqes.patch scsi-lpfc-fix-io-failure-during-hba-reset-testing-with-nvme-io.patch scsi-lpfc-fix-issue_lip-if-link-is-disabled.patch scsi-lpfc-fix-nonrecovery-of-nvme-controller-after-cable-swap.patch scsi-lpfc-fix-nvme-initiator-firstburst.patch scsi-lpfc-fix-soft-lockup-in-lpfc-worker-thread-during-lip-testing.patch scsi-mvsas-fix-wrong-endianness-of-sgpio-api.patch selftests-add-fib-onlink-tests.patch selftests-net-fixes-psock_fanout-ebpf-test-case.patch selftests-print-the-test-we-re-running-to-dev-kmsg.patch serial-8250-don-t-service-rx-fifo-if-interrupts-are-disabled.patch serial-altera-ensure-port-regshift-is-honored-consistently.patch serial-arc_uart-fix-out-of-bounds-access-through-dt-alias.patch serial-fsl_lpuart-fix-out-of-bounds-access-through-dt-alias.patch serial-imx-fix-out-of-bounds-access-through-serial-port-index.patch serial-mvebu-uart-fix-tx-lost-characters.patch serial-mxs-auart-fix-out-of-bounds-access-through-serial-port-index.patch serial-samsung-fix-out-of-bounds-access-through-serial-port-index.patch serial-sh-sci-fix-out-of-bounds-access-through-dt-alias.patch serial-xuartps-fix-out-of-bounds-access-through-dt-alias.patch sh-fix-debug-trap-failure-to-process-signals-before-return-to-user.patch sh_eth-fix-tsu-init-on-sh7734-r8a7740.patch soc-amlogic-meson-gx-pwrc-vpu-fix-error-on-shutdown-when-domain-is-powered-off.patch soc-qcom-wcnss_ctrl-fix-increment-in-nv-upload.patch soc-renesas-r8a77970-sysc-fix-power-area-parents.patch soreuseport-initialise-timewait-reuseport-field.patch sparc64-make-atomic_xchg-an-inline-function-rather-than-a-macro.patch spi-bcm-qspi-fix-some-error-handling-paths.patch sr-get-drop-reference-to-device-in-revalidate-and-check_events.patch staging-bcm2835-audio-release-resources-on-module_exit.patch staging-fsl-dpaa2-eth-fix-incorrect-casts.patch staging-fsl-dpaa2-eth-fix-incorrect-kfree.patch staging-ks7010-use-constants-from-ieee80211_eid-instead-of-literal-ints.patch staging-lustre-fix-bug-in-osc_enter_cache_try.patch staging-lustre-lmv-correctly-iput-lmo_root.patch staging-rtl8192u-return-enomem-on-failed-allocation-of-priv-oldaddr.patch swap-divide-by-zero-when-zero-length-swap-file-on-ssd.patch tools-hv-fix-compiler-warnings-about-major-target_fname.patch tools-thermal-tmon-fix-for-segfault.patch tracing-uprobe_event-fix-strncpy-corner-case.patch udf-provide-saner-default-for-invalid-uid-gid.patch usb-dwc2-fix-interval-type-issue.patch usb-dwc2-hcd-fix-host-channel-halt-flow.patch usb-dwc2-host-fix-transaction-errors-in-host-mode.patch usb-dwc3-add-softreset-phy-synchonization-delay.patch usb-dwc3-makefile-fix-link-error-on-randconfig.patch usb-dwc3-update-dwc_usb31-gtxfifosiz-reg-fields.patch usb-gadget-composite-fix-incorrect-handling-of-os-desc-requests.patch usb-gadget-ffs-execute-copy_to_user-with-user_ds-set.patch usb-gadget-ffs-let-setup-return-usb_gadget_delayed_status.patch usb-gadget-udc-change-comparison-to-bitshift-when-dealing-with-a-mask.patch usbip-correct-maximum-value-of-config_usbip_vhci_hc_ports.patch vfio-ccw-fence-off-transport-mode.patch virtio-net-fix-operstate-for-virtio-when-no-virtio_net_f_status.patch watchdog-asm9260_wdt-fix-error-handling-in-asm9260_wdt_probe.patch watchdog-aspeed-allow-configuring-for-alternate-boot.patch watchdog-aspeed-fix-translation-of-reset-mode-to-ctrl-register.patch watchdog-davinci_wdt-fix-error-handling-in-davinci_wdt_probe.patch watchdog-dw-rmw-the-control-register.patch watchdog-sprd_wdt-fix-error-handling-in-sprd_wdt_enable.patch x86-apic-set-up-through-local-apic-mode-on-the-boot-cpu-if-noapic-specified.patch x86-devicetree-fix-device-irq-settings-in-dt.patch x86-devicetree-initialize-device-tree-before-using-it.patch x86-mce-amd-collect-error-info-even-if-valid-bits-are-not-set.patch x86-mm-do-not-forbid-_page_rw-before-init-for-__ro_after_init.patch x86-mm-fix-bogus-warning-during-efi-bootup-use-boot_cpu_has-instead-of-this_cpu_has-in-build_cr3_noflush.patch x86-pgtable-don-t-set-huge-pud-pmd-on-non-leaf-entries.patch x86-xen-add-pvh-specific-rsdp-address-retrieval-function.patch xen-acpi-off-by-one-in-read_acpi_id.patch xhci-zero-usb-device-slot_id-member-when-disabling-and-freeing-a-xhci-slot.patch z3fold-fix-memory-leak.patch zorro-set-up-z-dev.dma_mask-for-the-dma-api.patch --- ...-memory-leak-in-power-saving-threads.patch | 41 ++ ...-acpi-operand-cache-leak-in-nseval.c.patch | 91 ++++ ...n-failure-from-acpi_hw_register_read.patch | 45 ++ ...x-memory-leak-on-unusual-memory-leak.patch | 34 ++ ...-native-dsd-support-for-luxman-da-06.patch | 131 ++++++ .../alsa-vmaster-propagate-slave-error.patch | 42 ++ ...-to-the-cma-area-if-config_highmem-y.patch | 79 ++++ ...config-set-config_davinci_watchdog-y.patch | 37 ++ ...he-correct-compatible-for-the-eeprom.patch | 33 ++ ...he-correct-compatible-for-the-eeprom.patch | 33 ++ ...cm283x-fix-pin-function-of-jtag-pins.patch | 34 ++ ...s-bcm283x-fix-probing-of-bcm2835-i2s.patch | 38 ++ ...correct-evm_sd-regulator-max-voltage.patch | 40 ++ ...s-imx7d-cl-som-imx7-fix-pinctrl_enet.patch | 87 ++++ ...s-fix-missing-unit-address-separator.patch | 34 ++ ...1021a-specify-tbipa-register-address.patch | 37 ++ ...m-dts-porter-fix-hdmi-output-routing.patch | 32 ++ .../arm-dts-socfpga-fix-gic-ppi-warning.patch | 31 ++ ...-dts-qcom-fix-spi5-config-on-msm8996.patch | 34 ++ ...-allow-add-sub-immediate-with-lsl-12.patch | 66 +++ ...si-maintain-a-mask-of-active-streams.patch | 88 ++++ ...288-hdmi-analog-select-needed-codecs.patch | 33 ++ ...the-rclk-rate-is-properly-determined.patch | 53 +++ ...droid-fix-32000-sample-rate-handling.patch | 78 ++++ ...ogy-create-tlv-data-for-dapm-widgets.patch | 34 ++ .../ath10k-advertize-beacon_int_min_gcd.patch | 46 ++ ...using-worker-ath10k_sta_rc_update_wk.patch | 104 +++++ .../ath9k-fix-crash-in-spectral-scan.patch | 147 ++++++ ...or-to-avoid-null-pointer-dereference.patch | 37 ++ ...-count-usage-for-bch_cache_set_error.patch | 176 +++++++ ...ead-when-bcache_dev_detaching-is-set.patch | 132 ++++++ ...op-dc-writeback_rate_update-properly.patch | 264 +++++++++++ ...oval-and-the-block-cgroup-controller.patch | 97 ++++ ...valid-parameters-when-loading-module.patch | 167 +++++++ ...th-btusb-add-device-id-for-rtl8822be.patch | 33 ++ ...ort-for-intel-bluetooth-device-22560.patch | 88 ++++ ...b-id-7392-a611-for-edimax-ew-7611ulb.patch | 74 +++ ...lear-flags-in-ethtool-reset-handling.patch | 47 ++ ...src-port-field-in-decap-filter-nodes.patch | 38 ++ ...t-on-error-during-replay_dir_deletes.patch | 37 ++ ...during-umount-after-trans-is-aborted.patch | 47 ++ ...s-return-value-when-logging-an-inode.patch | 42 ++ ...lat-in-btrfs_alloc_subvolume_writers.patch | 436 ++++++++++++++++++ ...s-past-i_size-after-fsync-log-replay.patch | 147 ++++++ ...-deref-when-target-device-is-missing.patch | 55 +++ ...pointer-dereference-in-log_dir_items.patch | 39 ++ ...ble-softlock-on-single-core-machines.patch | 38 ++ ...shots-are-created-with-quota-enabled.patch | 59 +++ ...-qgroup-fix-wrong-tree-backref-level.patch | 52 +++ ...-check_disk_change-inside-cdrom_open.patch | 155 +++++++ ...don-t-show-the-incorrect-clock-phase.patch | 54 +++ ...lk-hisilicon-mark-wdt_mux_p-as-const.patch | 34 ++ ...the-fractional-part-of-the-fixed_pll.patch | 38 ++ ...-axg-fix-the-od-shift-of-the-sys_pll.patch | 32 ++ ...ent-for-sdmmc-phase-clock-for-rk3228.patch | 37 ++ ...ting-mmc-phase-if-clock-rate-is-zero.patch | 64 +++ ...clk-samsung-exynos3250-fix-pll-rates.patch | 55 +++ ...clk-samsung-exynos5250-fix-pll-rates.patch | 52 +++ ...clk-samsung-exynos5260-fix-pll-rates.patch | 43 ++ ...clk-samsung-exynos5433-fix-pll-rates.patch | 61 +++ .../clk-samsung-exynos7-fix-pll-rates.patch | 43 ++ .../clk-samsung-s3c2410-fix-pll-rates.patch | 69 +++ ...k-tegra-fix-pll_u-rate-configuration.patch | 57 +++ ...g-space-conflict-with-clkctrl-clocks.patch | 54 +++ ...ht-use-px-to-print-pcsr-instead-of-p.patch | 38 ++ ...ize-shared-perf-capabilities-of-cpus.patch | 53 +++ ...q-fix-cppc_cpufreq_init-failure-path.patch | 57 +++ ...order-cpufreq_online-error-code-path.patch | 49 ++ ...ix-possible-uninit-value-in-alg_bind.patch | 50 ++ ...l-aes-fix-the-keys-zeroing-on-errors.patch | 34 ++ ...-interrupts-while-setting-up-debugfs.patch | 82 ++++ ...do-not-overwrite-the-threshold-value.patch | 40 ++ ...ess-request-if-no-command-was-issued.patch | 41 ++ ...secure-fix-the-cache_len-computation.patch | 34 ++ ...cure-fix-the-extra-cache-computation.patch | 32 ++ ...he-invalidation-step-during-cra_exit.patch | 62 +++ ...ve-the-digest-to-the-request-context.patch | 161 +++++++ ...equest-to-complete-if-in-the-backlog.patch | 34 ++ ...unxi-ss-add-module_alias-to-sun4i-ss.patch | 31 ++ ...4-fix-queue-free-path-of-uld-drivers.patch | 36 ++ ...-fw-queues-before-registering-netdev.patch | 63 +++ ...available-before-issue-flush-request.patch | 127 +++++ queue-4.16/dccp-initialize-ireq-ir_mark.patch | 154 +++++++ ...e-condition-in-case-of-threaded-irqs.patch | 162 +++++++ ...get-num-channels-and-num-ees-from-dt.patch | 79 ++++ ...-lists-in-rcar_dmac_chan_get_residue.patch | 54 +++ ...late-system-suspend-resume-callbacks.patch | 47 ++ ...-access-to-phy-registers-after-reset.patch | 56 +++ ...pause-capability-advertisement-logic.patch | 33 ++ queue-4.16/dpaa_eth-fix-sg-mapping.patch | 73 +++ ...-rack-meter-really-fix-bogus-memsets.patch | 40 ++ ...k-revision-when-dpcd-revision-is-1.2.patch | 45 ++ ...-adjust-timeout-for-ib_ring_tests-v2.patch | 85 ++++ ...gister-when-only-enable-wptr-polling.patch | 48 ++ ...-ring-and-disable-pq-wptr-in-hw_fini.patch | 44 ++ ...m-amdkfd-add-missing-include-of-mm.h.patch | 28 ++ ...902x-retry-status-read-after-ddi-i2c.patch | 95 ++++ ...-error-path-in-meson_drv_bind_master.patch | 36 ++ ...dling-paths-in-meson_drv_bind_master.patch | 77 ++++ ...-setting-case-when-channel-is-dss_wb.patch | 34 ++ ...on-code-from-component-bind-to-probe.patch | 311 +++++++++++++ ...x-the-bus-format-for-the-ontat-panel.patch | 36 ++ ...-lvds-fix-lvds-startup-on-r-car-gen2.patch | 54 +++ ...-lvds-fix-lvds-startup-on-r-car-gen3.patch | 57 +++ ...ect-page-offset-for-prime-mmap-calls.patch | 56 +++ ...pe-fixes-for-64-bit-vblank-sequences.patch | 89 ++++ ...n-object-backup-buffer-when-not-used.patch | 91 ++++ ...ee-binding-for-allwinner-h6-main-ccu.patch | 42 ++ ...i-fix-the-phy-regulator-supply-props.patch | 37 ++ ...register-page-tables-when-they-exist.patch | 99 ++++ ...le-rq-before-updating-rq-descriptors.patch | 54 +++ ...bout-incorrect-features-when-probing.patch | 59 +++ ...xtent-cache-in-f2fs_drop_extent_tree.patch | 48 ++ .../f2fs-fix-to-clear-cp_trimmed_flag.patch | 33 ++ ...set-keep_size-bit-in-f2fs_zero_range.patch | 55 +++ ...-pack-except-cp-pack-2-page-at-first.patch | 127 +++++ ...s-due-to-enomem-for-unlimited-queues.patch | 96 ++++ ...mi_scan-fix-uuid-length-safety-check.patch | 37 ++ ...r-return-values-for-fw_add_devm_name.patch | 69 +++ ...fore-reading-the-agf-during-a-fstrim.patch | 69 +++ ...ult-while-unregistering-sysctl-table.patch | 44 ++ ...-wait-on-page-discarded-by-writeback.patch | 71 +++ ...n-with-empty-affinity-masks-on-error.patch | 67 +++ ...or-the-end-of-metadata-in-punch_hole.patch | 64 +++ .../gfs2-fix-fallocate-chunk-size.patch | 63 +++ ...vsc-fix-the-return-status-in-rx-path.patch | 74 +++ .../hwmon-nct6775-fix-writing-pwmx_mode.patch | 63 +++ ...accept-negative-page-register-values.patch | 42 ++ ...accept-negative-page-register-values.patch | 32 ++ ...m2835-handle-deferred-clock-properly.patch | 34 ++ .../hwrng-stm32-add-reset-during-probe.patch | 52 +++ ...-alias-for-devices-registered-via-of.patch | 71 +++ ...y-errata-delay-only-in-standard-mode.patch | 47 ++ ...er-emp-reset-for-firmware-to-recover.patch | 43 ++ ...ock-while-changing-interrupt-schemes.patch | 79 ++++ ...hile-resolving-gid-for-ib-link-layer.patch | 61 +++ ...-active-rate-and-width-to-qdr-and-4x.patch | 43 ++ ...-rxe_register_device-on-ppc64le-arch.patch | 81 ++++ ...cate-statistics-buffers-during-probe.patch | 77 ++++ ...c-fix-reset-return-from-closed-state.patch | 47 ++ ...nic-fix-tx-descriptor-tracking-again.patch | 45 ++ ...-used-tx-descriptor-counter-on-reset.patch | 35 ++ ...4-ca8210-fix-uninitialised-data-read.patch | 64 +++ queue-4.16/ima-clear-ima_hash.patch | 30 ++ ...llback-to-the-builtin-hash-algorithm.patch | 119 +++++ ...nfig-to-select-tpm-2.0-crb-interface.patch | 37 ++ ...th-use-correct-method-of-finding-hub.patch | 36 ++ ...-that-alloc_dev_data-may-return-null.patch | 36 ++ ...-mediatek-fix-protect-memory-setting.patch | 88 ++++ ...pc-msg-introduce-msgctl-msg_stat_any.patch | 132 ++++++ ...fix-kernel-panic-at-msg_done_handler.patch | 56 +++ ...ueue-is-valid-in-iwl_mvm_disable_txq.patch | 55 +++ ...m-take-rcu-lock-before-dereferencing.patch | 48 ++ ...from-running-when-in-filter_all-mode.patch | 48 ++ ...nvalid-free-test-crashing-the-kernel.patch | 59 +++ ...fix-handling-of-kasan_slab_free-hook.patch | 141 ++++++ queue-4.16/kdb-make-mdr-command-repeat.patch | 88 ++++ ..._eoi-when-in-kernel-ioapic-is-in-use.patch | 49 ++ ...-during-invalid-protected-mode-state.patch | 83 ++++ queue-4.16/lan78xx-connect-phy-early.patch | 174 +++++++ ...ilesystem-while-holding-lo_ctl_mutex.patch | 107 +++++ ...ent-masks-for-platform-fec-ethernets.patch | 72 +++ ...on-bad-wmm-parameters-from-buggy-aps.patch | 42 ++ ...agate-of_node-to-power-supply-device.patch | 34 ++ ...ide-888-impactvcbe-crystal-frequency.patch | 43 ++ ...subdev-host-data-to-clk_freq-pointer.patch | 36 ++ ...ent-out-of-bounds-read-on-array-card.patch | 53 +++ ...-hauppauge-solohd-dualhd-bulk-models.patch | 81 ++++ ...edia-em28xx-usb-bulk-packet-size-fix.patch | 46 ++ ...a-i2c-adv748x-fix-hdmi-field-heights.patch | 43 ++ ...-a-double-kfree-on-i2c-device-remove.patch | 38 ++ ...-module-count-mismatch-on-usb-unplug.patch | 44 ++ ...dd-missing-of_node_put-in-error-path.patch | 46 ++ ...camif-fix-out-of-bounds-array-access.patch | 63 +++ ...alls-when-requesting-too-many-inputs.patch | 41 ++ ...b2-fix-videobuf2-to-map-correct-area.patch | 40 ++ ...fix-incorrect-capabilities-for-radio.patch | 42 ++ .../memcg-fix-per_node_info-cleanup.patch | 47 ++ ...ix-ar724x_pll_reg_pcie_config-offset.patch | 39 ++ ...with-spurious-periods-after-newlines.patch | 70 +++ ...eference-and-free-in-page_evicatable.patch | 78 ++++ .../mm-ksm-fix-interaction-with-thp.patch | 103 +++++ ...flag-in-page_idle_clear_pte_refs_one.patch | 56 +++ ...l-pointer-dereferencing-in-mt76x2_tx.patch | 39 ++ ...-warning-in-ieee80211_get_key_rx_seq.patch | 59 +++ ...ac-correctly-annotate-register-space.patch | 38 ++ ...ian-access-in-bgmac_dma_tx_ring_free.patch | 34 ++ ...e-problem-in-hns3_get_rss_indir_size.patch | 32 ++ ...lue-problem-in-hns3_get_rss_key_size.patch | 32 ++ ...ft-problem-in-hns3_set_txbd_baseinfo.patch | 32 ++ ...x5-protect-from-command-bit-overflow.patch | 60 +++ ...timeout-logic-to-be-under-state-lock.patch | 126 +++++ ...ate-barriers-on-weakly-ordered-archs.patch | 64 +++ ...ep-to-avoid-null-pointer-dereference.patch | 35 ++ ...ttention-to-max_order-for-cq-entries.patch | 106 +++++ ...-stmmac_mac_config_rx_queues_routing.patch | 37 ++ ...leased-ownership-before-reading-data.patch | 39 ++ ...-is-the-last-desc-to-set-the-own-bit.patch | 57 +++ ...net6-check-sk_buff-ip-header-version.patch | 41 ++ ...p-alives-to-the-discovery-controller.patch | 51 ++ ...me-expand-nvmf_check_if_ready-checks.patch | 327 +++++++++++++ ...g-nvme-ssd-960-evo-asus-prime-z370-a.patch | 45 ++ ...ort-race-on-teardown-with-lld-reject.patch | 53 +++ ...grate-lockres-if-already-in-shutdown.patch | 133 ++++++ ...bus-from-hard-fail-to-soft-fail-mode.patch | 62 +++ ...dma-alias-quirk-for-marvell-88se9220.patch | 32 ++ ...nt-fix-kernel-panic-after-put_device.patch | 37 ++ ...runtime-resume-despite-being-unbound.patch | 87 ++++ ...uspend-aborts-during-suspend-to-idle.patch | 99 ++++ ...dd-support-for-recent-clang-versions.patch | 122 +++++ ...-fix-installing-cgroup-events-on-cpu.patch | 112 +++++ ...perf-core-fix-perf_output_read_group.patch | 78 ++++ ...nmapped-mmap-in-perf_mmap__read_done.patch | 44 ++ ...n-branch-history-mode-branch-history.patch | 101 ++++ .../perf-report-fix-wrong-jump-arrow.patch | 124 +++++ ...at-fix-core-dump-when-flag-t-is-used.patch | 116 +++++ ...est-case-inet_pton-to-accept-inlines.patch | 62 +++ ...x-dwarf-unwind-for-stripped-binaries.patch | 209 +++++++++ ...pare_symbol_names-to-compare-symbols.patch | 57 +++ ...s-fix-perf-builds-with-clang-support.patch | 38 ++ ...top.call-graph-config-option-reading.patch | 51 ++ ...tel-fix-event-update-for-auto-reload.patch | 238 ++++++++++ ...ge-period-handling-on-broadwell-cpus.patch | 74 +++ ...ore-the-pmu-state-in-the-nmi-handler.patch | 74 +++ ...y-qcom-qmp-fix-phy-pipe-clock-gating.patch | 72 +++ ...chip-emmc-retry-calpad-busy-trimming.patch | 74 +++ ...-dt-add-missing-pin-group-uart5nocts.patch | 43 ++ ...t_to_map_one_config-handling-of-hogs.patch | 52 +++ ...23s08-spi-fix-regmap-debugfs-entries.patch | 92 ++++ ...nctrl-msm-use-dynamic-gpio-numbering.patch | 34 ++ ...er-pin-assignment-for-ssi-pins-group.patch | 191 ++++++++ ...x-memory-leaks-in-build_tokens_sysfs.patch | 42 ++ ...-battery-gauge-fix-temperature-units.patch | 42 ++ ...e-of-amor-on-power9-after-deep-sleep.patch | 34 ++ ...s-no-debugger-or-crash-dump-handlers.patch | 67 +++ ...ng-prototype-for-arch_irq_work_raise.patch | 33 ++ ...upts-earlier-before-calling-get_user.patch | 81 ++++ ...ge-allocation-at-hint-address-on-8xx.patch | 183 ++++++++ ...eck-if-cpu_possible-in-mpic_physmask.patch | 47 ++ ...-address-leak-via-sampling-registers.patch | 72 +++ ...ss-leak-to-userspace-via-bhrb-buffer.patch | 42 ++ ...-npu-fix-deadlock-in-mmio_invalidate.patch | 370 +++++++++++++++ ...x-cleanup-when-vas-is-not-configured.patch | 73 +++ ...-hooks-when-first-break-point-is-set.patch | 81 ++++ ...tchdog-while-printing-stall-warnings.patch | 49 ++ ...-spin_lock_bh-with-rds_tcp_conn_lock.patch | 99 ++++ ...-correct-comparison-in-regmap_cached.patch | 33 ++ ...ndling-paths-in-gpio_regulator_probe.patch | 86 ++++ ...-handling-path-of-of_regulator_match.patch | 30 ++ ...ror-handling-path-in-imx_rproc_probe.patch | 36 ++ ...rengthen-implementations-with-fences.patch | 210 +++++++++ ...rnel-panic-observed-on-64bit-machine.patch | 154 +++++++ ...-goldfish-add-missing-module_license.patch | 36 ++ ...-system-time-doesn-t-overflow-time_t.patch | 45 ++ .../rtc-m41t80-fix-race-conditions.patch | 139 ++++++ ...tc-rk808-fix-possible-race-condition.patch | 77 ++++ ...c-rp5c01-fix-possible-race-condition.patch | 74 +++ ...tc-snvs-fix-usage-of-snvs_rtc_enable.patch | 91 ++++ ...ded-sign-extension-on-a-24-bit-shift.patch | 48 ++ ...n-t-treat-call-aborts-as-conn-aborts.patch | 59 +++ ...pc-fix-resend-event-time-calculation.patch | 38 ++ ...-annotation-after-initial-tx-failure.patch | 41 ++ ...k_update_flags-rqcf_act_skip-warning.patch | 74 +++ ...nd-thread-is-not-recursively-stopped.patch | 89 ++++ ...tus-condition-met-equivalent-to-good.patch | 62 +++ ...sk-subsystem-device-for-hp-xp-arrays.patch | 43 ++ ...fc-fix-frequency-of-release-wqe-cqes.patch | 41 ++ ...uring-hba-reset-testing-with-nvme-io.patch | 56 +++ ...fc-fix-issue_lip-if-link-is-disabled.patch | 37 ++ ...-of-nvme-controller-after-cable-swap.patch | 112 +++++ ...i-lpfc-fix-nvme-initiator-firstburst.patch | 66 +++ ...pfc-worker-thread-during-lip-testing.patch | 50 ++ ...as-fix-wrong-endianness-of-sgpio-api.patch | 88 ++++ .../selftests-add-fib-onlink-tests.patch | 399 ++++++++++++++++ ...et-fixes-psock_fanout-ebpf-test-case.patch | 40 ++ ...t-the-test-we-re-running-to-dev-kmsg.patch | 42 ++ ...e-rx-fifo-if-interrupts-are-disabled.patch | 40 ++ ...ort-regshift-is-honored-consistently.patch | 71 +++ ...ut-of-bounds-access-through-dt-alias.patch | 41 ++ ...ut-of-bounds-access-through-dt-alias.patch | 36 ++ ...nds-access-through-serial-port-index.patch | 40 ++ ...al-mvebu-uart-fix-tx-lost-characters.patch | 39 ++ ...nds-access-through-serial-port-index.patch | 37 ++ ...nds-access-through-serial-port-index.patch | 41 ++ ...ut-of-bounds-access-through-dt-alias.patch | 40 ++ ...ut-of-bounds-access-through-dt-alias.patch | 35 ++ queue-4.16/series | 338 ++++++++++++++ ...rocess-signals-before-return-to-user.patch | 32 ++ ...h_eth-fix-tsu-init-on-sh7734-r8a7740.patch | 81 ++++ ...-shutdown-when-domain-is-powered-off.patch | 41 ++ ...cnss_ctrl-fix-increment-in-nv-upload.patch | 37 ++ ...r8a77970-sysc-fix-power-area-parents.patch | 44 ++ ...-initialise-timewait-reuseport-field.patch | 149 ++++++ ...-inline-function-rather-than-a-macro.patch | 46 ++ ...m-qspi-fix-some-error-handling-paths.patch | 44 ++ ...evice-in-revalidate-and-check_events.patch | 119 +++++ ...dio-release-resources-on-module_exit.patch | 254 ++++++++++ ...ng-fsl-dpaa2-eth-fix-incorrect-casts.patch | 52 +++ ...ng-fsl-dpaa2-eth-fix-incorrect-kfree.patch | 64 +++ ...eee80211_eid-instead-of-literal-ints.patch | 107 +++++ ...ustre-fix-bug-in-osc_enter_cache_try.patch | 56 +++ ...g-lustre-lmv-correctly-iput-lmo_root.patch | 46 ++ ...on-failed-allocation-of-priv-oldaddr.patch | 37 ++ ...ro-when-zero-length-swap-file-on-ssd.patch | 54 +++ ...er-warnings-about-major-target_fname.patch | 59 +++ .../tools-thermal-tmon-fix-for-segfault.patch | 81 ++++ ...uprobe_event-fix-strncpy-corner-case.patch | 38 ++ ...de-saner-default-for-invalid-uid-gid.patch | 40 ++ .../usb-dwc2-fix-interval-type-issue.patch | 31 ++ ...-dwc2-hcd-fix-host-channel-halt-flow.patch | 49 ++ ...-fix-transaction-errors-in-host-mode.patch | 54 +++ ...d-softreset-phy-synchonization-delay.patch | 50 ++ ...akefile-fix-link-error-on-randconfig.patch | 32 ++ ...date-dwc_usb31-gtxfifosiz-reg-fields.patch | 40 ++ ...correct-handling-of-os-desc-requests.patch | 158 +++++++ ...xecute-copy_to_user-with-user_ds-set.patch | 68 +++ ...tup-return-usb_gadget_delayed_status.patch | 53 +++ ...to-bitshift-when-dealing-with-a-mask.patch | 32 ++ ...-value-of-config_usbip_vhci_hc_ports.patch | 35 ++ .../vfio-ccw-fence-off-transport-mode.patch | 37 ++ ...r-virtio-when-no-virtio_net_f_status.patch | 51 ++ ...-error-handling-in-asm9260_wdt_probe.patch | 46 ++ ...allow-configuring-for-alternate-boot.patch | 60 +++ ...ation-of-reset-mode-to-ctrl-register.patch | 53 +++ ...-error-handling-in-davinci_wdt_probe.patch | 54 +++ ...watchdog-dw-rmw-the-control-register.patch | 90 ++++ ...ix-error-handling-in-sprd_wdt_enable.patch | 38 ++ ...-on-the-boot-cpu-if-noapic-specified.patch | 58 +++ ...cetree-fix-device-irq-settings-in-dt.patch | 62 +++ ...itialize-device-tree-before-using-it.patch | 58 +++ ...-info-even-if-valid-bits-are-not-set.patch | 57 +++ ...e_rw-before-init-for-__ro_after_init.patch | 64 +++ ...of-this_cpu_has-in-build_cr3_noflush.patch | 86 ++++ ...set-huge-pud-pmd-on-non-leaf-entries.patch | 99 ++++ ...ific-rsdp-address-retrieval-function.patch | 83 ++++ .../xen-acpi-off-by-one-in-read_acpi_id.patch | 39 ++ ...en-disabling-and-freeing-a-xhci-slot.patch | 38 ++ queue-4.16/z3fold-fix-memory-leak.patch | 61 +++ ...et-up-z-dev.dma_mask-for-the-dma-api.patch | 55 +++ 339 files changed, 23666 insertions(+) create mode 100644 queue-4.16/acpi-acpi_pad-fix-memory-leak-in-power-saving-threads.patch create mode 100644 queue-4.16/acpica-acpi-acpica-fix-acpi-operand-cache-leak-in-nseval.c.patch create mode 100644 queue-4.16/acpica-events-add-a-return-on-failure-from-acpi_hw_register_read.patch create mode 100644 queue-4.16/acpica-fix-memory-leak-on-unusual-memory-leak.patch create mode 100644 queue-4.16/alsa-usb-audio-add-native-dsd-support-for-luxman-da-06.patch create mode 100644 queue-4.16/alsa-vmaster-propagate-slave-error.patch create mode 100644 queue-4.16/arm-cma-avoid-double-mapping-to-the-cma-area-if-config_highmem-y.patch create mode 100644 queue-4.16/arm-davinci_all_defconfig-set-config_davinci_watchdog-y.patch create mode 100644 queue-4.16/arm-dts-at91-nattis-use-the-correct-compatible-for-the-eeprom.patch create mode 100644 queue-4.16/arm-dts-at91-tse850-use-the-correct-compatible-for-the-eeprom.patch create mode 100644 queue-4.16/arm-dts-bcm283x-fix-pin-function-of-jtag-pins.patch create mode 100644 queue-4.16/arm-dts-bcm283x-fix-probing-of-bcm2835-i2s.patch create mode 100644 queue-4.16/arm-dts-dra71-evm-correct-evm_sd-regulator-max-voltage.patch create mode 100644 queue-4.16/arm-dts-imx7d-cl-som-imx7-fix-pinctrl_enet.patch create mode 100644 queue-4.16/arm-dts-keystone-k2e-clocks-fix-missing-unit-address-separator.patch create mode 100644 queue-4.16/arm-dts-ls1021a-specify-tbipa-register-address.patch create mode 100644 queue-4.16/arm-dts-porter-fix-hdmi-output-routing.patch create mode 100644 queue-4.16/arm-dts-socfpga-fix-gic-ppi-warning.patch create mode 100644 queue-4.16/arm64-dts-qcom-fix-spi5-config-on-msm8996.patch create mode 100644 queue-4.16/arm64-insn-allow-add-sub-immediate-with-lsl-12.patch create mode 100644 queue-4.16/asoc-fsl_ssi-maintain-a-mask-of-active-streams.patch create mode 100644 queue-4.16/asoc-rockchip-rk3288-hdmi-analog-select-needed-codecs.patch create mode 100644 queue-4.16/asoc-samsung-i2s-ensure-the-rclk-rate-is-properly-determined.patch create mode 100644 queue-4.16/asoc-samsung-odroid-fix-32000-sample-rate-handling.patch create mode 100644 queue-4.16/asoc-topology-create-tlv-data-for-dapm-widgets.patch create mode 100644 queue-4.16/ath10k-advertize-beacon_int_min_gcd.patch create mode 100644 queue-4.16/ath10k-fix-kernel-panic-while-using-worker-ath10k_sta_rc_update_wk.patch create mode 100644 queue-4.16/ath9k-fix-crash-in-spectral-scan.patch create mode 100644 queue-4.16/audit-return-on-memory-error-to-avoid-null-pointer-dereference.patch create mode 100644 queue-4.16/bcache-fix-cached_dev-count-usage-for-bch_cache_set_error.patch create mode 100644 queue-4.16/bcache-quit-dc-writeback_thread-when-bcache_dev_detaching-is-set.patch create mode 100644 queue-4.16/bcache-stop-dc-writeback_rate_update-properly.patch create mode 100644 queue-4.16/block-fix-a-race-between-request-queue-removal-and-the-block-cgroup-controller.patch create mode 100644 queue-4.16/block-null_blk-fix-invalid-parameters-when-loading-module.patch create mode 100644 queue-4.16/bluetooth-btusb-add-device-id-for-rtl8822be.patch create mode 100644 queue-4.16/bluetooth-btusb-add-support-for-intel-bluetooth-device-22560.patch create mode 100644 queue-4.16/bluetooth-btusb-add-usb-id-7392-a611-for-edimax-ew-7611ulb.patch create mode 100644 queue-4.16/bnxt_en-fix-clear-flags-in-ethtool-reset-handling.patch create mode 100644 queue-4.16/bnxt_en-ignore-src-port-field-in-decap-filter-nodes.patch create mode 100644 queue-4.16/btrfs-bail-out-on-error-during-replay_dir_deletes.patch create mode 100644 queue-4.16/btrfs-clean-up-resources-during-umount-after-trans-is-aborted.patch create mode 100644 queue-4.16/btrfs-fix-copy_items-return-value-when-logging-an-inode.patch create mode 100644 queue-4.16/btrfs-fix-lockdep-splat-in-btrfs_alloc_subvolume_writers.patch create mode 100644 queue-4.16/btrfs-fix-loss-of-prealloc-extents-past-i_size-after-fsync-log-replay.patch create mode 100644 queue-4.16/btrfs-fix-null-pointer-deref-when-target-device-is-missing.patch create mode 100644 queue-4.16/btrfs-fix-null-pointer-dereference-in-log_dir_items.patch create mode 100644 queue-4.16/btrfs-fix-possible-softlock-on-single-core-machines.patch create mode 100644 queue-4.16/btrfs-qgroup-fix-root-item-corruption-when-multiple-same-source-snapshots-are-created-with-quota-enabled.patch create mode 100644 queue-4.16/btrfs-tests-qgroup-fix-wrong-tree-backref-level.patch create mode 100644 queue-4.16/cdrom-do-not-call-check_disk_change-inside-cdrom_open.patch create mode 100644 queue-4.16/clk-don-t-show-the-incorrect-clock-phase.patch create mode 100644 queue-4.16/clk-hisilicon-mark-wdt_mux_p-as-const.patch create mode 100644 queue-4.16/clk-meson-axg-add-the-fractional-part-of-the-fixed_pll.patch create mode 100644 queue-4.16/clk-meson-axg-fix-the-od-shift-of-the-sys_pll.patch create mode 100644 queue-4.16/clk-rockchip-fix-wrong-parent-for-sdmmc-phase-clock-for-rk3228.patch create mode 100644 queue-4.16/clk-rockchip-prevent-calculating-mmc-phase-if-clock-rate-is-zero.patch create mode 100644 queue-4.16/clk-samsung-exynos3250-fix-pll-rates.patch create mode 100644 queue-4.16/clk-samsung-exynos5250-fix-pll-rates.patch create mode 100644 queue-4.16/clk-samsung-exynos5260-fix-pll-rates.patch create mode 100644 queue-4.16/clk-samsung-exynos5433-fix-pll-rates.patch create mode 100644 queue-4.16/clk-samsung-exynos7-fix-pll-rates.patch create mode 100644 queue-4.16/clk-samsung-s3c2410-fix-pll-rates.patch create mode 100644 queue-4.16/clk-tegra-fix-pll_u-rate-configuration.patch create mode 100644 queue-4.16/clk-ti-fix-flag-space-conflict-with-clkctrl-clocks.patch create mode 100644 queue-4.16/coresight-use-px-to-print-pcsr-instead-of-p.patch create mode 100644 queue-4.16/cpufreq-cppc-initialize-shared-perf-capabilities-of-cpus.patch create mode 100644 queue-4.16/cpufreq-cppc_cpufreq-fix-cppc_cpufreq_init-failure-path.patch create mode 100644 queue-4.16/cpufreq-reorder-cpufreq_online-error-code-path.patch create mode 100644 queue-4.16/crypto-af_alg-fix-possible-uninit-value-in-alg_bind.patch create mode 100644 queue-4.16/crypto-atmel-aes-fix-the-keys-zeroing-on-errors.patch create mode 100644 queue-4.16/crypto-ccp-don-t-disable-interrupts-while-setting-up-debugfs.patch create mode 100644 queue-4.16/crypto-inside-secure-do-not-overwrite-the-threshold-value.patch create mode 100644 queue-4.16/crypto-inside-secure-do-not-process-request-if-no-command-was-issued.patch create mode 100644 queue-4.16/crypto-inside-secure-fix-the-cache_len-computation.patch create mode 100644 queue-4.16/crypto-inside-secure-fix-the-extra-cache-computation.patch create mode 100644 queue-4.16/crypto-inside-secure-fix-the-invalidation-step-during-cra_exit.patch create mode 100644 queue-4.16/crypto-inside-secure-move-the-digest-to-the-request-context.patch create mode 100644 queue-4.16/crypto-inside-secure-wait-for-the-request-to-complete-if-in-the-backlog.patch create mode 100644 queue-4.16/crypto-sunxi-ss-add-module_alias-to-sun4i-ss.patch create mode 100644 queue-4.16/cxgb4-fix-queue-free-path-of-uld-drivers.patch create mode 100644 queue-4.16/cxgb4-setup-fw-queues-before-registering-netdev.patch create mode 100644 queue-4.16/cxl-check-if-psl-data-cache-is-available-before-issue-flush-request.patch create mode 100644 queue-4.16/dccp-initialize-ireq-ir_mark.patch create mode 100644 queue-4.16/dmaengine-pl330-fix-a-race-condition-in-case-of-threaded-irqs.patch create mode 100644 queue-4.16/dmaengine-qcom-bam_dma-get-num-channels-and-num-ees-from-dt.patch create mode 100644 queue-4.16/dmaengine-rcar-dmac-check-the-done-lists-in-rcar_dmac_chan_get_residue.patch create mode 100644 queue-4.16/dmaengine-rcar-dmac-fix-too-early-late-system-suspend-resume-callbacks.patch create mode 100644 queue-4.16/dp83640-ensure-against-premature-access-to-phy-registers-after-reset.patch create mode 100644 queue-4.16/dpaa_eth-fix-pause-capability-advertisement-logic.patch create mode 100644 queue-4.16/dpaa_eth-fix-sg-mapping.patch create mode 100644 queue-4.16/drivers-macintosh-rack-meter-really-fix-bogus-memsets.patch create mode 100644 queue-4.16/drm-amd-display-set-vsc-pack-revision-when-dpcd-revision-is-1.2.patch create mode 100644 queue-4.16/drm-amdgpu-adjust-timeout-for-ib_ring_tests-v2.patch create mode 100644 queue-4.16/drm-amdgpu-clean-sdma-wptr-register-when-only-enable-wptr-polling.patch create mode 100644 queue-4.16/drm-amdgpu-disable-gfx-ring-and-disable-pq-wptr-in-hw_fini.patch create mode 100644 queue-4.16/drm-amdkfd-add-missing-include-of-mm.h.patch create mode 100644 queue-4.16/drm-bridge-sii902x-retry-status-read-after-ddi-i2c.patch create mode 100644 queue-4.16/drm-meson-fix-an-un-handled-error-path-in-meson_drv_bind_master.patch create mode 100644 queue-4.16/drm-meson-fix-some-error-handling-paths-in-meson_drv_bind_master.patch create mode 100644 queue-4.16/drm-omap-add-pclk-setting-case-when-channel-is-dss_wb.patch create mode 100644 queue-4.16/drm-omapdrm-dss-move-initialization-code-from-component-bind-to-probe.patch create mode 100644 queue-4.16/drm-panel-simple-fix-the-bus-format-for-the-ontat-panel.patch create mode 100644 queue-4.16/drm-rcar-du-lvds-fix-lvds-startup-on-r-car-gen2.patch create mode 100644 queue-4.16/drm-rcar-du-lvds-fix-lvds-startup-on-r-car-gen3.patch create mode 100644 queue-4.16/drm-rockchip-respect-page-offset-for-prime-mmap-calls.patch create mode 100644 queue-4.16/drm-vblank-data-type-fixes-for-64-bit-vblank-sequences.patch create mode 100644 queue-4.16/drm-vmwgfx-unpin-the-screen-object-backup-buffer-when-not-used.patch create mode 100644 queue-4.16/dt-bindings-add-device-tree-binding-for-allwinner-h6-main-ccu.patch create mode 100644 queue-4.16/dt-bindings-display-msm-dsi-fix-the-phy-regulator-supply-props.patch create mode 100644 queue-4.16/efi-arm-only-register-page-tables-when-they-exist.patch create mode 100644 queue-4.16/enic-enable-rq-before-updating-rq-descriptors.patch create mode 100644 queue-4.16/ext4-don-t-complain-about-incorrect-features-when-probing.patch create mode 100644 queue-4.16/f2fs-fix-to-check-extent-cache-in-f2fs_drop_extent_tree.patch create mode 100644 queue-4.16/f2fs-fix-to-clear-cp_trimmed_flag.patch create mode 100644 queue-4.16/f2fs-fix-to-set-keep_size-bit-in-f2fs_zero_range.patch create mode 100644 queue-4.16/f2fs-flush-cp-pack-except-cp-pack-2-page-at-first.patch create mode 100644 queue-4.16/fanotify-avoid-lost-events-due-to-enomem-for-unlimited-queues.patch create mode 100644 queue-4.16/firmware-dmi_scan-fix-uuid-length-safety-check.patch create mode 100644 queue-4.16/firmware-fix-checking-for-return-values-for-fw_add_devm_name.patch create mode 100644 queue-4.16/force-log-to-disk-before-reading-the-agf-during-a-fstrim.patch create mode 100644 queue-4.16/fs-proc-proc_sysctl.c-fix-potential-page-fault-while-unregistering-sysctl-table.patch create mode 100644 queue-4.16/fscache-fix-hanging-wait-on-page-discarded-by-writeback.patch create mode 100644 queue-4.16/genirq-affinity-don-t-return-with-empty-affinity-masks-on-error.patch create mode 100644 queue-4.16/gfs2-check-for-the-end-of-metadata-in-punch_hole.patch create mode 100644 queue-4.16/gfs2-fix-fallocate-chunk-size.patch create mode 100644 queue-4.16/hv_netvsc-fix-the-return-status-in-rx-path.patch create mode 100644 queue-4.16/hwmon-nct6775-fix-writing-pwmx_mode.patch create mode 100644 queue-4.16/hwmon-pmbus-adm1275-accept-negative-page-register-values.patch create mode 100644 queue-4.16/hwmon-pmbus-max8688-accept-negative-page-register-values.patch create mode 100644 queue-4.16/hwrng-bcm2835-handle-deferred-clock-properly.patch create mode 100644 queue-4.16/hwrng-stm32-add-reset-during-probe.patch create mode 100644 queue-4.16/i2c-core-report-of-style-module-alias-for-devices-registered-via-of.patch create mode 100644 queue-4.16/i2c-mv64xxx-apply-errata-delay-only-in-standard-mode.patch create mode 100644 queue-4.16/i40e-add-delay-after-emp-reset-for-firmware-to-recover.patch create mode 100644 queue-4.16/i40e-hold-the-rtnl-lock-while-changing-interrupt-schemes.patch create mode 100644 queue-4.16/ib-core-honor-port_num-while-resolving-gid-for-ib-link-layer.patch create mode 100644 queue-4.16/ib-mlx5-set-the-default-active-rate-and-width-to-qdr-and-4x.patch create mode 100644 queue-4.16/ib-rxe-fix-for-oops-in-rxe_register_device-on-ppc64le-arch.patch create mode 100644 queue-4.16/ibmvnic-allocate-statistics-buffers-during-probe.patch create mode 100644 queue-4.16/ibmvnic-fix-reset-return-from-closed-state.patch create mode 100644 queue-4.16/ibmvnic-fix-tx-descriptor-tracking-again.patch create mode 100644 queue-4.16/ibmvnic-zero-used-tx-descriptor-counter-on-reset.patch create mode 100644 queue-4.16/ieee802154-ca8210-fix-uninitialised-data-read.patch create mode 100644 queue-4.16/ima-clear-ima_hash.patch create mode 100644 queue-4.16/ima-fallback-to-the-builtin-hash-algorithm.patch create mode 100644 queue-4.16/ima-fix-kconfig-to-select-tpm-2.0-crb-interface.patch create mode 100644 queue-4.16/intel_th-use-correct-method-of-finding-hub.patch create mode 100644 queue-4.16/iommu-amd-take-into-account-that-alloc_dev_data-may-return-null.patch create mode 100644 queue-4.16/iommu-mediatek-fix-protect-memory-setting.patch create mode 100644 queue-4.16/ipc-msg-introduce-msgctl-msg_stat_any.patch create mode 100644 queue-4.16/ipmi_ssif-fix-kernel-panic-at-msg_done_handler.patch create mode 100644 queue-4.16/iwlwifi-mvm-check-if-mac80211_queue-is-valid-in-iwl_mvm_disable_txq.patch create mode 100644 queue-4.16/iwlwifi-mvm-take-rcu-lock-before-dereferencing.patch create mode 100644 queue-4.16/ixgbe-prevent-ptp_rx_hang-from-running-when-in-filter_all-mode.patch create mode 100644 queue-4.16/kasan-fix-invalid-free-test-crashing-the-kernel.patch create mode 100644 queue-4.16/kasan-slub-fix-handling-of-kasan_slab_free-hook.patch create mode 100644 queue-4.16/kdb-make-mdr-command-repeat.patch create mode 100644 queue-4.16/kvm-lapic-stop-advertising-directed_eoi-when-in-kernel-ioapic-is-in-use.patch create mode 100644 queue-4.16/kvm-vmx-raise-internal-error-for-exception-during-invalid-protected-mode-state.patch create mode 100644 queue-4.16/lan78xx-connect-phy-early.patch create mode 100644 queue-4.16/loop-don-t-call-into-filesystem-while-holding-lo_ctl_mutex.patch create mode 100644 queue-4.16/m68k-set-dma-and-coherent-masks-for-platform-fec-ethernets.patch create mode 100644 queue-4.16/mac80211-don-t-warn-on-bad-wmm-parameters-from-buggy-aps.patch create mode 100644 queue-4.16/max17042-propagate-of_node-to-power-supply-device.patch create mode 100644 queue-4.16/media-cx23885-override-888-impactvcbe-crystal-frequency.patch create mode 100644 queue-4.16/media-cx23885-set-subdev-host-data-to-clk_freq-pointer.patch create mode 100644 queue-4.16/media-cx25821-prevent-out-of-bounds-read-on-array-card.patch create mode 100644 queue-4.16/media-em28xx-add-hauppauge-solohd-dualhd-bulk-models.patch create mode 100644 queue-4.16/media-em28xx-usb-bulk-packet-size-fix.patch create mode 100644 queue-4.16/media-i2c-adv748x-fix-hdmi-field-heights.patch create mode 100644 queue-4.16/media-lgdt3306a-fix-a-double-kfree-on-i2c-device-remove.patch create mode 100644 queue-4.16/media-lgdt3306a-fix-module-count-mismatch-on-usb-unplug.patch create mode 100644 queue-4.16/media-ov5645-add-missing-of_node_put-in-error-path.patch create mode 100644 queue-4.16/media-s3c-camif-fix-out-of-bounds-array-access.patch create mode 100644 queue-4.16/media-v4l-vsp1-fix-display-stalls-when-requesting-too-many-inputs.patch create mode 100644 queue-4.16/media-vb2-fix-videobuf2-to-map-correct-area.patch create mode 100644 queue-4.16/media-vivid-fix-incorrect-capabilities-for-radio.patch create mode 100644 queue-4.16/memcg-fix-per_node_info-cleanup.patch create mode 100644 queue-4.16/mips-ath79-fix-ar724x_pll_reg_pcie_config-offset.patch create mode 100644 queue-4.16/mips-octeon-fix-logging-messages-with-spurious-periods-after-newlines.patch create mode 100644 queue-4.16/mm-fix-races-between-address_space-dereference-and-free-in-page_evicatable.patch create mode 100644 queue-4.16/mm-ksm-fix-interaction-with-thp.patch create mode 100644 queue-4.16/mm-thp-fix-potential-clearing-to-referenced-flag-in-page_idle_clear_pte_refs_one.patch create mode 100644 queue-4.16/mt76x2-fix-possible-null-pointer-dereferencing-in-mt76x2_tx.patch create mode 100644 queue-4.16/mt76x2-fix-warning-in-ieee80211_get_key_rx_seq.patch create mode 100644 queue-4.16/net-bgmac-correctly-annotate-register-space.patch create mode 100644 queue-4.16/net-bgmac-fix-endian-access-in-bgmac_dma_tx_ring_free.patch create mode 100644 queue-4.16/net-hns3-fix-for-returning-wrong-value-problem-in-hns3_get_rss_indir_size.patch create mode 100644 queue-4.16/net-hns3-fix-for-returning-wrong-value-problem-in-hns3_get_rss_key_size.patch create mode 100644 queue-4.16/net-hns3-fix-for-the-wrong-shift-problem-in-hns3_set_txbd_baseinfo.patch create mode 100644 queue-4.16/net-mlx5-protect-from-command-bit-overflow.patch create mode 100644 queue-4.16/net-mlx5e-move-all-tx-timeout-logic-to-be-under-state-lock.patch create mode 100644 queue-4.16/net-qlge-eliminate-duplicate-barriers-on-weakly-ordered-archs.patch create mode 100644 queue-4.16/net-qualcomm-rmnet-check-for-null-ep-to-avoid-null-pointer-dereference.patch create mode 100644 queue-4.16/net-smc-pay-attention-to-max_order-for-cq-entries.patch create mode 100644 queue-4.16/net-stmmac-call-correct-function-in-stmmac_mac_config_rx_queues_routing.patch create mode 100644 queue-4.16/net-stmmac-ensure-that-the-device-has-released-ownership-before-reading-data.patch create mode 100644 queue-4.16/net-stmmac-ensure-that-the-mss-desc-is-the-last-desc-to-set-the-own-bit.patch create mode 100644 queue-4.16/netlabel-if-pf_inet6-check-sk_buff-ip-header-version.patch create mode 100644 queue-4.16/nvme-don-t-send-keep-alives-to-the-discovery-controller.patch create mode 100644 queue-4.16/nvme-expand-nvmf_check_if_ready-checks.patch create mode 100644 queue-4.16/nvme-pci-disable-apst-for-samsung-nvme-ssd-960-evo-asus-prime-z370-a.patch create mode 100644 queue-4.16/nvme_fc-fix-abort-race-on-teardown-with-lld-reject.patch create mode 100644 queue-4.16/ocfs2-dlm-don-t-handle-migrate-lockres-if-already-in-shutdown.patch create mode 100644 queue-4.16/parisc-pci-switch-lba-pci-bus-from-hard-fail-to-soft-fail-mode.patch create mode 100644 queue-4.16/pci-add-function-1-dma-alias-quirk-for-marvell-88se9220.patch create mode 100644 queue-4.16/pci-endpoint-fix-kernel-panic-after-put_device.patch create mode 100644 queue-4.16/pci-restore-config-space-on-runtime-resume-despite-being-unbound.patch create mode 100644 queue-4.16/pcmcia-pm-avoid-noirq-suspend-aborts-during-suspend-to-idle.patch create mode 100644 queue-4.16/perf-clang-add-support-for-recent-clang-versions.patch create mode 100644 queue-4.16/perf-core-fix-installing-cgroup-events-on-cpu.patch create mode 100644 queue-4.16/perf-core-fix-perf_output_read_group.patch create mode 100644 queue-4.16/perf-mmap-fix-accessing-unmapped-mmap-in-perf_mmap__read_done.patch create mode 100644 queue-4.16/perf-report-fix-memory-corruption-in-branch-history-mode-branch-history.patch create mode 100644 queue-4.16/perf-report-fix-wrong-jump-arrow.patch create mode 100644 queue-4.16/perf-stat-fix-core-dump-when-flag-t-is-used.patch create mode 100644 queue-4.16/perf-test-fix-test-case-inet_pton-to-accept-inlines.patch create mode 100644 queue-4.16/perf-tests-fix-dwarf-unwind-for-stripped-binaries.patch create mode 100644 queue-4.16/perf-tests-use-arch__compare_symbol_names-to-compare-symbols.patch create mode 100644 queue-4.16/perf-tools-fix-perf-builds-with-clang-support.patch create mode 100644 queue-4.16/perf-top-fix-top.call-graph-config-option-reading.patch create mode 100644 queue-4.16/perf-x86-intel-fix-event-update-for-auto-reload.patch create mode 100644 queue-4.16/perf-x86-intel-fix-large-period-handling-on-broadwell-cpus.patch create mode 100644 queue-4.16/perf-x86-intel-properly-save-restore-the-pmu-state-in-the-nmi-handler.patch create mode 100644 queue-4.16/phy-qcom-qmp-fix-phy-pipe-clock-gating.patch create mode 100644 queue-4.16/phy-rockchip-emmc-retry-calpad-busy-trimming.patch create mode 100644 queue-4.16/pinctrl-artpec6-dt-add-missing-pin-group-uart5nocts.patch create mode 100644 queue-4.16/pinctrl-devicetree-fix-dt_to_map_one_config-handling-of-hogs.patch create mode 100644 queue-4.16/pinctrl-mcp23s08-spi-fix-regmap-debugfs-entries.patch create mode 100644 queue-4.16/pinctrl-msm-use-dynamic-gpio-numbering.patch create mode 100644 queue-4.16/pinctrl-sh-pfc-r8a7796-fix-mod_sel-register-pin-assignment-for-ssi-pins-group.patch create mode 100644 queue-4.16/platform-x86-dell-smbios-fix-memory-leaks-in-build_tokens_sysfs.patch create mode 100644 queue-4.16/power-supply-ltc2941-battery-gauge-fix-temperature-units.patch create mode 100644 queue-4.16/powerpc-64s-idle-fix-restore-of-amor-on-power9-after-deep-sleep.patch create mode 100644 queue-4.16/powerpc-64s-sreset-panic-if-there-is-no-debugger-or-crash-dump-handlers.patch create mode 100644 queue-4.16/powerpc-add-missing-prototype-for-arch_irq_work_raise.patch create mode 100644 queue-4.16/powerpc-fscr-enable-interrupts-earlier-before-calling-get_user.patch create mode 100644 queue-4.16/powerpc-mm-slice-fix-hugepage-allocation-at-hint-address-on-8xx.patch create mode 100644 queue-4.16/powerpc-mpic-check-if-cpu_possible-in-mpic_physmask.patch create mode 100644 queue-4.16/powerpc-perf-fix-kernel-address-leak-via-sampling-registers.patch create mode 100644 queue-4.16/powerpc-perf-prevent-kernel-address-leak-to-userspace-via-bhrb-buffer.patch create mode 100644 queue-4.16/powerpc-powernv-npu-fix-deadlock-in-mmio_invalidate.patch create mode 100644 queue-4.16/powerpc-vas-fix-cleanup-when-vas-is-not-configured.patch create mode 100644 queue-4.16/powerpc-xmon-setup-debugger-hooks-when-first-break-point-is-set.patch create mode 100644 queue-4.16/rcu-call-touch_nmi_watchdog-while-printing-stall-warnings.patch create mode 100644 queue-4.16/rds-tcp-must-use-spin_lock_irq-and-not-spin_lock_bh-with-rds_tcp_conn_lock.patch create mode 100644 queue-4.16/regmap-correct-comparison-in-regmap_cached.patch create mode 100644 queue-4.16/regulator-gpio-fix-some-error-handling-paths-in-gpio_regulator_probe.patch create mode 100644 queue-4.16/regulator-of-add-a-missing-of_node_put-in-an-error-handling-path-of-of_regulator_match.patch create mode 100644 queue-4.16/remoteproc-imx_rproc-fix-an-error-handling-path-in-imx_rproc_probe.patch create mode 100644 queue-4.16/riscv-spinlock-strengthen-implementations-with-fences.patch create mode 100644 queue-4.16/rsi-fix-kernel-panic-observed-on-64bit-machine.patch create mode 100644 queue-4.16/rtc-goldfish-add-missing-module_license.patch create mode 100644 queue-4.16/rtc-hctosys-ensure-system-time-doesn-t-overflow-time_t.patch create mode 100644 queue-4.16/rtc-m41t80-fix-race-conditions.patch create mode 100644 queue-4.16/rtc-rk808-fix-possible-race-condition.patch create mode 100644 queue-4.16/rtc-rp5c01-fix-possible-race-condition.patch create mode 100644 queue-4.16/rtc-snvs-fix-usage-of-snvs_rtc_enable.patch create mode 100644 queue-4.16/rtc-tx4939-avoid-unintended-sign-extension-on-a-24-bit-shift.patch create mode 100644 queue-4.16/rxrpc-don-t-treat-call-aborts-as-conn-aborts.patch create mode 100644 queue-4.16/rxrpc-fix-resend-event-time-calculation.patch create mode 100644 queue-4.16/rxrpc-fix-tx-ring-annotation-after-initial-tx-failure.patch create mode 100644 queue-4.16/sched-rt-fix-rq-clock_update_flags-rqcf_act_skip-warning.patch create mode 100644 queue-4.16/scsi-aacraid-insure-command-thread-is-not-recursively-stopped.patch create mode 100644 queue-4.16/scsi-core-make-scsi-status-condition-met-equivalent-to-good.patch create mode 100644 queue-4.16/scsi-devinfo-add-hp-disk-subsystem-device-for-hp-xp-arrays.patch create mode 100644 queue-4.16/scsi-lpfc-fix-frequency-of-release-wqe-cqes.patch create mode 100644 queue-4.16/scsi-lpfc-fix-io-failure-during-hba-reset-testing-with-nvme-io.patch create mode 100644 queue-4.16/scsi-lpfc-fix-issue_lip-if-link-is-disabled.patch create mode 100644 queue-4.16/scsi-lpfc-fix-nonrecovery-of-nvme-controller-after-cable-swap.patch create mode 100644 queue-4.16/scsi-lpfc-fix-nvme-initiator-firstburst.patch create mode 100644 queue-4.16/scsi-lpfc-fix-soft-lockup-in-lpfc-worker-thread-during-lip-testing.patch create mode 100644 queue-4.16/scsi-mvsas-fix-wrong-endianness-of-sgpio-api.patch create mode 100644 queue-4.16/selftests-add-fib-onlink-tests.patch create mode 100644 queue-4.16/selftests-net-fixes-psock_fanout-ebpf-test-case.patch create mode 100644 queue-4.16/selftests-print-the-test-we-re-running-to-dev-kmsg.patch create mode 100644 queue-4.16/serial-8250-don-t-service-rx-fifo-if-interrupts-are-disabled.patch create mode 100644 queue-4.16/serial-altera-ensure-port-regshift-is-honored-consistently.patch create mode 100644 queue-4.16/serial-arc_uart-fix-out-of-bounds-access-through-dt-alias.patch create mode 100644 queue-4.16/serial-fsl_lpuart-fix-out-of-bounds-access-through-dt-alias.patch create mode 100644 queue-4.16/serial-imx-fix-out-of-bounds-access-through-serial-port-index.patch create mode 100644 queue-4.16/serial-mvebu-uart-fix-tx-lost-characters.patch create mode 100644 queue-4.16/serial-mxs-auart-fix-out-of-bounds-access-through-serial-port-index.patch create mode 100644 queue-4.16/serial-samsung-fix-out-of-bounds-access-through-serial-port-index.patch create mode 100644 queue-4.16/serial-sh-sci-fix-out-of-bounds-access-through-dt-alias.patch create mode 100644 queue-4.16/serial-xuartps-fix-out-of-bounds-access-through-dt-alias.patch create mode 100644 queue-4.16/series create mode 100644 queue-4.16/sh-fix-debug-trap-failure-to-process-signals-before-return-to-user.patch create mode 100644 queue-4.16/sh_eth-fix-tsu-init-on-sh7734-r8a7740.patch create mode 100644 queue-4.16/soc-amlogic-meson-gx-pwrc-vpu-fix-error-on-shutdown-when-domain-is-powered-off.patch create mode 100644 queue-4.16/soc-qcom-wcnss_ctrl-fix-increment-in-nv-upload.patch create mode 100644 queue-4.16/soc-renesas-r8a77970-sysc-fix-power-area-parents.patch create mode 100644 queue-4.16/soreuseport-initialise-timewait-reuseport-field.patch create mode 100644 queue-4.16/sparc64-make-atomic_xchg-an-inline-function-rather-than-a-macro.patch create mode 100644 queue-4.16/spi-bcm-qspi-fix-some-error-handling-paths.patch create mode 100644 queue-4.16/sr-get-drop-reference-to-device-in-revalidate-and-check_events.patch create mode 100644 queue-4.16/staging-bcm2835-audio-release-resources-on-module_exit.patch create mode 100644 queue-4.16/staging-fsl-dpaa2-eth-fix-incorrect-casts.patch create mode 100644 queue-4.16/staging-fsl-dpaa2-eth-fix-incorrect-kfree.patch create mode 100644 queue-4.16/staging-ks7010-use-constants-from-ieee80211_eid-instead-of-literal-ints.patch create mode 100644 queue-4.16/staging-lustre-fix-bug-in-osc_enter_cache_try.patch create mode 100644 queue-4.16/staging-lustre-lmv-correctly-iput-lmo_root.patch create mode 100644 queue-4.16/staging-rtl8192u-return-enomem-on-failed-allocation-of-priv-oldaddr.patch create mode 100644 queue-4.16/swap-divide-by-zero-when-zero-length-swap-file-on-ssd.patch create mode 100644 queue-4.16/tools-hv-fix-compiler-warnings-about-major-target_fname.patch create mode 100644 queue-4.16/tools-thermal-tmon-fix-for-segfault.patch create mode 100644 queue-4.16/tracing-uprobe_event-fix-strncpy-corner-case.patch create mode 100644 queue-4.16/udf-provide-saner-default-for-invalid-uid-gid.patch create mode 100644 queue-4.16/usb-dwc2-fix-interval-type-issue.patch create mode 100644 queue-4.16/usb-dwc2-hcd-fix-host-channel-halt-flow.patch create mode 100644 queue-4.16/usb-dwc2-host-fix-transaction-errors-in-host-mode.patch create mode 100644 queue-4.16/usb-dwc3-add-softreset-phy-synchonization-delay.patch create mode 100644 queue-4.16/usb-dwc3-makefile-fix-link-error-on-randconfig.patch create mode 100644 queue-4.16/usb-dwc3-update-dwc_usb31-gtxfifosiz-reg-fields.patch create mode 100644 queue-4.16/usb-gadget-composite-fix-incorrect-handling-of-os-desc-requests.patch create mode 100644 queue-4.16/usb-gadget-ffs-execute-copy_to_user-with-user_ds-set.patch create mode 100644 queue-4.16/usb-gadget-ffs-let-setup-return-usb_gadget_delayed_status.patch create mode 100644 queue-4.16/usb-gadget-udc-change-comparison-to-bitshift-when-dealing-with-a-mask.patch create mode 100644 queue-4.16/usbip-correct-maximum-value-of-config_usbip_vhci_hc_ports.patch create mode 100644 queue-4.16/vfio-ccw-fence-off-transport-mode.patch create mode 100644 queue-4.16/virtio-net-fix-operstate-for-virtio-when-no-virtio_net_f_status.patch create mode 100644 queue-4.16/watchdog-asm9260_wdt-fix-error-handling-in-asm9260_wdt_probe.patch create mode 100644 queue-4.16/watchdog-aspeed-allow-configuring-for-alternate-boot.patch create mode 100644 queue-4.16/watchdog-aspeed-fix-translation-of-reset-mode-to-ctrl-register.patch create mode 100644 queue-4.16/watchdog-davinci_wdt-fix-error-handling-in-davinci_wdt_probe.patch create mode 100644 queue-4.16/watchdog-dw-rmw-the-control-register.patch create mode 100644 queue-4.16/watchdog-sprd_wdt-fix-error-handling-in-sprd_wdt_enable.patch create mode 100644 queue-4.16/x86-apic-set-up-through-local-apic-mode-on-the-boot-cpu-if-noapic-specified.patch create mode 100644 queue-4.16/x86-devicetree-fix-device-irq-settings-in-dt.patch create mode 100644 queue-4.16/x86-devicetree-initialize-device-tree-before-using-it.patch create mode 100644 queue-4.16/x86-mce-amd-collect-error-info-even-if-valid-bits-are-not-set.patch create mode 100644 queue-4.16/x86-mm-do-not-forbid-_page_rw-before-init-for-__ro_after_init.patch create mode 100644 queue-4.16/x86-mm-fix-bogus-warning-during-efi-bootup-use-boot_cpu_has-instead-of-this_cpu_has-in-build_cr3_noflush.patch create mode 100644 queue-4.16/x86-pgtable-don-t-set-huge-pud-pmd-on-non-leaf-entries.patch create mode 100644 queue-4.16/x86-xen-add-pvh-specific-rsdp-address-retrieval-function.patch create mode 100644 queue-4.16/xen-acpi-off-by-one-in-read_acpi_id.patch create mode 100644 queue-4.16/xhci-zero-usb-device-slot_id-member-when-disabling-and-freeing-a-xhci-slot.patch create mode 100644 queue-4.16/z3fold-fix-memory-leak.patch create mode 100644 queue-4.16/zorro-set-up-z-dev.dma_mask-for-the-dma-api.patch diff --git a/queue-4.16/acpi-acpi_pad-fix-memory-leak-in-power-saving-threads.patch b/queue-4.16/acpi-acpi_pad-fix-memory-leak-in-power-saving-threads.patch new file mode 100644 index 00000000000..249da5cf152 --- /dev/null +++ b/queue-4.16/acpi-acpi_pad-fix-memory-leak-in-power-saving-threads.patch @@ -0,0 +1,41 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Lenny Szubowicz +Date: Tue, 27 Mar 2018 09:56:40 -0400 +Subject: ACPI: acpi_pad: Fix memory leak in power saving threads + +From: Lenny Szubowicz + +[ Upstream commit 8b29d29abc484d638213dd79a18a95ae7e5bb402 ] + +Fix once per second (round_robin_time) memory leak of about 1 KB in +each acpi_pad kernel idling thread that is activated. + +Found by testing with kmemleak. + +Signed-off-by: Lenny Szubowicz +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/acpi_pad.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/acpi/acpi_pad.c ++++ b/drivers/acpi/acpi_pad.c +@@ -110,6 +110,7 @@ static void round_robin_cpu(unsigned int + cpumask_andnot(tmp, cpu_online_mask, pad_busy_cpus); + if (cpumask_empty(tmp)) { + mutex_unlock(&round_robin_lock); ++ free_cpumask_var(tmp); + return; + } + for_each_cpu(cpu, tmp) { +@@ -127,6 +128,8 @@ static void round_robin_cpu(unsigned int + mutex_unlock(&round_robin_lock); + + set_cpus_allowed_ptr(current, cpumask_of(preferred_cpu)); ++ ++ free_cpumask_var(tmp); + } + + static void exit_round_robin(unsigned int tsk_index) diff --git a/queue-4.16/acpica-acpi-acpica-fix-acpi-operand-cache-leak-in-nseval.c.patch b/queue-4.16/acpica-acpi-acpica-fix-acpi-operand-cache-leak-in-nseval.c.patch new file mode 100644 index 00000000000..56d8736a205 --- /dev/null +++ b/queue-4.16/acpica-acpi-acpica-fix-acpi-operand-cache-leak-in-nseval.c.patch @@ -0,0 +1,91 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Seunghun Han +Date: Wed, 14 Mar 2018 16:12:56 -0700 +Subject: ACPICA: acpi: acpica: fix acpi operand cache leak in nseval.c + +From: Seunghun Han + +[ Upstream commit 97f3c0a4b0579b646b6b10ae5a3d59f0441cc12c ] + +I found an ACPI cache leak in ACPI early termination and boot continuing case. + +When early termination occurs due to malicious ACPI table, Linux kernel +terminates ACPI function and continues to boot process. While kernel terminates +ACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak. + +Boot log of ACPI operand cache leak is as follows: +>[ 0.464168] ACPI: Added _OSI(Module Device) +>[ 0.467022] ACPI: Added _OSI(Processor Device) +>[ 0.469376] ACPI: Added _OSI(3.0 _SCP Extensions) +>[ 0.471647] ACPI: Added _OSI(Processor Aggregator Device) +>[ 0.477997] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174) +>[ 0.482706] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [opcode_name unavailable] (20170303/dswexec-461) +>[ 0.487503] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543) +>[ 0.492136] ACPI Error: Method parse/execution failed [\_SB._INI] (Node ffff88021710a618), AE_AML_INTERNAL (20170303/psparse-543) +>[ 0.497683] ACPI: Interpreter enabled +>[ 0.499385] ACPI: (supports S0) +>[ 0.501151] ACPI: Using IOAPIC for interrupt routing +>[ 0.503342] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174) +>[ 0.506522] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [opcode_name unavailable] (20170303/dswexec-461) +>[ 0.510463] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543) +>[ 0.514477] ACPI Error: Method parse/execution failed [\_PIC] (Node ffff88021710ab18), AE_AML_INTERNAL (20170303/psparse-543) +>[ 0.518867] ACPI Exception: AE_AML_INTERNAL, Evaluating _PIC (20170303/bus-991) +>[ 0.522384] kmem_cache_destroy Acpi-Operand: Slab cache still has objects +>[ 0.524597] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26 +>[ 0.526795] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006 +>[ 0.529668] Call Trace: +>[ 0.530811] ? dump_stack+0x5c/0x81 +>[ 0.532240] ? kmem_cache_destroy+0x1aa/0x1c0 +>[ 0.533905] ? acpi_os_delete_cache+0xa/0x10 +>[ 0.535497] ? acpi_ut_delete_caches+0x3f/0x7b +>[ 0.537237] ? acpi_terminate+0xa/0x14 +>[ 0.538701] ? acpi_init+0x2af/0x34f +>[ 0.540008] ? acpi_sleep_proc_init+0x27/0x27 +>[ 0.541593] ? do_one_initcall+0x4e/0x1a0 +>[ 0.543008] ? kernel_init_freeable+0x19e/0x21f +>[ 0.546202] ? rest_init+0x80/0x80 +>[ 0.547513] ? kernel_init+0xa/0x100 +>[ 0.548817] ? ret_from_fork+0x25/0x30 +>[ 0.550587] vgaarb: loaded +>[ 0.551716] EDAC MC: Ver: 3.0.0 +>[ 0.553744] PCI: Probing PCI hardware +>[ 0.555038] PCI host bridge to bus 0000:00 +> ... Continue to boot and log is omitted ... + +I analyzed this memory leak in detail and found acpi_ns_evaluate() function +only removes Info->return_object in AE_CTRL_RETURN_VALUE case. But, when errors +occur, the status value is not AE_CTRL_RETURN_VALUE, and Info->return_object is +also not null. Therefore, this causes acpi operand memory leak. + +This cache leak causes a security threat because an old kernel (<= 4.9) shows +memory locations of kernel functions in stack dump. Some malicious users +could use this information to neutralize kernel ASLR. + +I made a patch to fix ACPI operand cache leak. + +Signed-off-by: Seunghun Han +Signed-off-by: Erik Schmauss +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/acpica/nseval.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/acpi/acpica/nseval.c ++++ b/drivers/acpi/acpica/nseval.c +@@ -308,6 +308,14 @@ acpi_status acpi_ns_evaluate(struct acpi + /* Map AE_CTRL_RETURN_VALUE to AE_OK, we are done with it */ + + status = AE_OK; ++ } else if (ACPI_FAILURE(status)) { ++ ++ /* If return_object exists, delete it */ ++ ++ if (info->return_object) { ++ acpi_ut_remove_reference(info->return_object); ++ info->return_object = NULL; ++ } + } + + ACPI_DEBUG_PRINT((ACPI_DB_NAMES, diff --git a/queue-4.16/acpica-events-add-a-return-on-failure-from-acpi_hw_register_read.patch b/queue-4.16/acpica-events-add-a-return-on-failure-from-acpi_hw_register_read.patch new file mode 100644 index 00000000000..beb1cf61c8d --- /dev/null +++ b/queue-4.16/acpica-events-add-a-return-on-failure-from-acpi_hw_register_read.patch @@ -0,0 +1,45 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Erik Schmauss +Date: Wed, 14 Mar 2018 16:13:08 -0700 +Subject: ACPICA: Events: add a return on failure from acpi_hw_register_read + +From: Erik Schmauss + +[ Upstream commit b4c0de312613ca676db5bd7e696a44b56795612a ] + +This ensures that acpi_ev_fixed_event_detect() does not use fixed_status +and and fixed_enable as uninitialized variables. + +Signed-off-by: Erik Schmauss +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/acpica/evevent.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/acpi/acpica/evevent.c ++++ b/drivers/acpi/acpica/evevent.c +@@ -204,6 +204,7 @@ u32 acpi_ev_fixed_event_detect(void) + u32 fixed_status; + u32 fixed_enable; + u32 i; ++ acpi_status status; + + ACPI_FUNCTION_NAME(ev_fixed_event_detect); + +@@ -211,8 +212,12 @@ u32 acpi_ev_fixed_event_detect(void) + * Read the fixed feature status and enable registers, as all the cases + * depend on their values. Ignore errors here. + */ +- (void)acpi_hw_register_read(ACPI_REGISTER_PM1_STATUS, &fixed_status); +- (void)acpi_hw_register_read(ACPI_REGISTER_PM1_ENABLE, &fixed_enable); ++ status = acpi_hw_register_read(ACPI_REGISTER_PM1_STATUS, &fixed_status); ++ status |= ++ acpi_hw_register_read(ACPI_REGISTER_PM1_ENABLE, &fixed_enable); ++ if (ACPI_FAILURE(status)) { ++ return (int_status); ++ } + + ACPI_DEBUG_PRINT((ACPI_DB_INTERRUPTS, + "Fixed Event Block: Enable %08X Status %08X\n", diff --git a/queue-4.16/acpica-fix-memory-leak-on-unusual-memory-leak.patch b/queue-4.16/acpica-fix-memory-leak-on-unusual-memory-leak.patch new file mode 100644 index 00000000000..50518c1b897 --- /dev/null +++ b/queue-4.16/acpica-fix-memory-leak-on-unusual-memory-leak.patch @@ -0,0 +1,34 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Bob Moore +Date: Wed, 14 Mar 2018 16:13:01 -0700 +Subject: ACPICA: Fix memory leak on unusual memory leak + +From: Bob Moore + +[ Upstream commit 1c29c372b2d1d2415601041532745ce859f24126 ] + +Fixes a single-object memory leak on a store-to-reference method +invocation. ACPICA BZ 1439. + +Signed-off-by: Bob Moore +Signed-off-by: Erik Schmauss +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/acpica/psargs.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/acpi/acpica/psargs.c ++++ b/drivers/acpi/acpica/psargs.c +@@ -890,6 +890,10 @@ acpi_ps_get_next_arg(struct acpi_walk_st + ACPI_POSSIBLE_METHOD_CALL); + + if (arg->common.aml_opcode == AML_INT_METHODCALL_OP) { ++ ++ /* Free method call op and corresponding namestring sub-ob */ ++ ++ acpi_ps_free_op(arg->common.value.arg); + acpi_ps_free_op(arg); + arg = NULL; + walk_state->arg_count = 1; diff --git a/queue-4.16/alsa-usb-audio-add-native-dsd-support-for-luxman-da-06.patch b/queue-4.16/alsa-usb-audio-add-native-dsd-support-for-luxman-da-06.patch new file mode 100644 index 00000000000..ddaa20585dc --- /dev/null +++ b/queue-4.16/alsa-usb-audio-add-native-dsd-support-for-luxman-da-06.patch @@ -0,0 +1,131 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Nobutaka Okabe +Date: Fri, 23 Mar 2018 19:18:22 +0900 +Subject: ALSA: usb-audio: Add native DSD support for Luxman DA-06 + +From: Nobutaka Okabe + +[ Upstream commit 71426535f49fe6034d0e0db77608b91a0c1a022d ] + +Add native DSD support quirk for Luxman DA-06 DAC, by adding the +PID/VID 1852:5065. + +Rename "is_marantz_denon_dac()" function to "is_itf_usb_dsd_2alts_dac()" +to cover broader device family sharing the same USB audio +implementation(*). +For the same reason, rename "is_teac_dsd_dac()" function to +"is_itf_usb_dsd_3alts_dac()". + +(*) +These devices have the same USB controller "ITF-USB DSD", supplied by +INTERFACE Co., Ltd. +"ITF-USB DSD" USB controller has two patterns, + +Pattern 1. (2 altsets version) +- Altset 0: for control +- Altset 1: for stream (S32) +- Altset 2: for stream (S32, DSD_U32) + +Pattern 2. (3 altsets version) +- Altset 0: for control +- Altset 1: for stream (S16) +- Altset 2: for stream (S32) +- Altset 3: for stream (S32, DSD_U32) + +"is_itf_usb_dsd_2alts_dac()" returns true, if the DAC has "Pattern 1" +USB controller, and "is_itf_usb_dsd_3alts_dac()" returns true, if +"Pattern2". + +Signed-off-by: Nobutaka Okabe +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/quirks.c | 29 ++++++++++++++++------------- + 1 file changed, 16 insertions(+), 13 deletions(-) + +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -1149,24 +1149,27 @@ bool snd_usb_get_sample_rate_quirk(struc + return false; + } + +-/* Marantz/Denon USB DACs need a vendor cmd to switch ++/* ITF-USB DSD based DACs need a vendor cmd to switch + * between PCM and native DSD mode ++ * (2 altsets version) + */ +-static bool is_marantz_denon_dac(unsigned int id) ++static bool is_itf_usb_dsd_2alts_dac(unsigned int id) + { + switch (id) { + case USB_ID(0x154e, 0x1003): /* Denon DA-300USB */ + case USB_ID(0x154e, 0x3005): /* Marantz HD-DAC1 */ + case USB_ID(0x154e, 0x3006): /* Marantz SA-14S1 */ ++ case USB_ID(0x1852, 0x5065): /* Luxman DA-06 */ + return true; + } + return false; + } + +-/* TEAC UD-501/UD-503/NT-503 USB DACs need a vendor cmd to switch +- * between PCM/DOP and native DSD mode ++/* ITF-USB DSD based DACs need a vendor cmd to switch ++ * between PCM and native DSD mode ++ * (3 altsets version) + */ +-static bool is_teac_dsd_dac(unsigned int id) ++static bool is_itf_usb_dsd_3alts_dac(unsigned int id) + { + switch (id) { + case USB_ID(0x0644, 0x8043): /* TEAC UD-501/UD-503/NT-503 */ +@@ -1183,7 +1186,7 @@ int snd_usb_select_mode_quirk(struct snd + struct usb_device *dev = subs->dev; + int err; + +- if (is_marantz_denon_dac(subs->stream->chip->usb_id)) { ++ if (is_itf_usb_dsd_2alts_dac(subs->stream->chip->usb_id)) { + /* First switch to alt set 0, otherwise the mode switch cmd + * will not be accepted by the DAC + */ +@@ -1204,7 +1207,7 @@ int snd_usb_select_mode_quirk(struct snd + break; + } + mdelay(20); +- } else if (is_teac_dsd_dac(subs->stream->chip->usb_id)) { ++ } else if (is_itf_usb_dsd_3alts_dac(subs->stream->chip->usb_id)) { + /* Vendor mode switch cmd is required. */ + switch (fmt->altsetting) { + case 3: /* DSD mode (DSD_U32) requested */ +@@ -1300,10 +1303,10 @@ void snd_usb_ctl_msg_quirk(struct usb_de + (requesttype & USB_TYPE_MASK) == USB_TYPE_CLASS) + mdelay(20); + +- /* Marantz/Denon devices with USB DAC functionality need a delay ++ /* ITF-USB DSD based DACs functionality need a delay + * after each class compliant request + */ +- if (is_marantz_denon_dac(chip->usb_id) ++ if (is_itf_usb_dsd_2alts_dac(chip->usb_id) + && (requesttype & USB_TYPE_MASK) == USB_TYPE_CLASS) + mdelay(20); + +@@ -1390,14 +1393,14 @@ u64 snd_usb_interface_dsd_format_quirks( + break; + } + +- /* Denon/Marantz devices with USB DAC functionality */ +- if (is_marantz_denon_dac(chip->usb_id)) { ++ /* ITF-USB DSD based DACs (2 altsets version) */ ++ if (is_itf_usb_dsd_2alts_dac(chip->usb_id)) { + if (fp->altsetting == 2) + return SNDRV_PCM_FMTBIT_DSD_U32_BE; + } + +- /* TEAC devices with USB DAC functionality */ +- if (is_teac_dsd_dac(chip->usb_id)) { ++ /* ITF-USB DSD based DACs (3 altsets version) */ ++ if (is_itf_usb_dsd_3alts_dac(chip->usb_id)) { + if (fp->altsetting == 3) + return SNDRV_PCM_FMTBIT_DSD_U32_BE; + } diff --git a/queue-4.16/alsa-vmaster-propagate-slave-error.patch b/queue-4.16/alsa-vmaster-propagate-slave-error.patch new file mode 100644 index 00000000000..19628fa8559 --- /dev/null +++ b/queue-4.16/alsa-vmaster-propagate-slave-error.patch @@ -0,0 +1,42 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Takashi Iwai +Date: Thu, 8 Mar 2018 08:26:48 +0100 +Subject: ALSA: vmaster: Propagate slave error + +From: Takashi Iwai + +[ Upstream commit 2e2c177ca84aff092c3c96714b0f6a12900f3946 ] + +In slave_update() of vmaster code ignores the error from the slave +get() callback and copies the values. It's not only about the missing +error code but also that this may potentially lead to a leak of +uninitialized variables when the slave get() don't clear them. + +This patch fixes slave_update() not to copy the potentially +uninitialized values when an error is returned from the slave get() +callback, and to propagate the error value properly. + +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/vmaster.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/sound/core/vmaster.c ++++ b/sound/core/vmaster.c +@@ -68,10 +68,13 @@ static int slave_update(struct link_slav + return -ENOMEM; + uctl->id = slave->slave.id; + err = slave->slave.get(&slave->slave, uctl); ++ if (err < 0) ++ goto error; + for (ch = 0; ch < slave->info.count; ch++) + slave->vals[ch] = uctl->value.integer.value[ch]; ++ error: + kfree(uctl); +- return 0; ++ return err < 0 ? err : 0; + } + + /* get the slave ctl info and save the initial values */ diff --git a/queue-4.16/arm-cma-avoid-double-mapping-to-the-cma-area-if-config_highmem-y.patch b/queue-4.16/arm-cma-avoid-double-mapping-to-the-cma-area-if-config_highmem-y.patch new file mode 100644 index 00000000000..0bd7e56b535 --- /dev/null +++ b/queue-4.16/arm-cma-avoid-double-mapping-to-the-cma-area-if-config_highmem-y.patch @@ -0,0 +1,79 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Joonsoo Kim +Date: Tue, 10 Apr 2018 16:30:23 -0700 +Subject: ARM: CMA: avoid double mapping to the CMA area if CONFIG_HIGHMEM=y + +From: Joonsoo Kim + +[ Upstream commit 3d2054ad8c2d5100b68b0c0405f89fd90bf4107b ] + +CMA area is now managed by the separate zone, ZONE_MOVABLE, to fix many +MM related problems. In this implementation, if CONFIG_HIGHMEM = y, +then ZONE_MOVABLE is considered as HIGHMEM and the memory of the CMA +area is also considered as HIGHMEM. That means that they are considered +as the page without direct mapping. However, CMA area could be in a +lowmem and the memory could have direct mapping. + +In ARM, when establishing a new mapping for DMA, direct mapping should +be cleared since two mapping with different cache policy could cause +unknown problem. With this patch, PageHighmem() for the CMA memory +located in lowmem returns true so that the function for DMA mapping +cannot notice whether it needs to clear direct mapping or not, +correctly. To handle this situation, this patch always clears direct +mapping for such CMA memory. + +Link: http://lkml.kernel.org/r/1512114786-5085-4-git-send-email-iamjoonsoo.kim@lge.com +Signed-off-by: Joonsoo Kim +Tested-by: Tony Lindgren +Cc: "Aneesh Kumar K . V" +Cc: Johannes Weiner +Cc: Laura Abbott +Cc: Marek Szyprowski +Cc: Mel Gorman +Cc: Michal Hocko +Cc: Michal Nazarewicz +Cc: Minchan Kim +Cc: Rik van Riel +Cc: Russell King +Cc: Vlastimil Babka +Cc: Will Deacon +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mm/dma-mapping.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +--- a/arch/arm/mm/dma-mapping.c ++++ b/arch/arm/mm/dma-mapping.c +@@ -466,6 +466,12 @@ void __init dma_contiguous_early_fixup(p + void __init dma_contiguous_remap(void) + { + int i; ++ ++ if (!dma_mmu_remap_num) ++ return; ++ ++ /* call flush_cache_all() since CMA area would be large enough */ ++ flush_cache_all(); + for (i = 0; i < dma_mmu_remap_num; i++) { + phys_addr_t start = dma_mmu_remap[i].base; + phys_addr_t end = start + dma_mmu_remap[i].size; +@@ -498,7 +504,15 @@ void __init dma_contiguous_remap(void) + flush_tlb_kernel_range(__phys_to_virt(start), + __phys_to_virt(end)); + +- iotable_init(&map, 1); ++ /* ++ * All the memory in CMA region will be on ZONE_MOVABLE. ++ * If that zone is considered as highmem, the memory in CMA ++ * region is also considered as highmem even if it's ++ * physical address belong to lowmem. In this case, ++ * re-mapping isn't required. ++ */ ++ if (!is_highmem_idx(ZONE_MOVABLE)) ++ iotable_init(&map, 1); + } + } + diff --git a/queue-4.16/arm-davinci_all_defconfig-set-config_davinci_watchdog-y.patch b/queue-4.16/arm-davinci_all_defconfig-set-config_davinci_watchdog-y.patch new file mode 100644 index 00000000000..f3d73e231a2 --- /dev/null +++ b/queue-4.16/arm-davinci_all_defconfig-set-config_davinci_watchdog-y.patch @@ -0,0 +1,37 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: David Lechner +Date: Mon, 15 Jan 2018 11:29:31 -0600 +Subject: ARM: davinci_all_defconfig: set CONFIG_DAVINCI_WATCHDOG=y + +From: David Lechner + +[ Upstream commit 35ba26772c827dbfc03be8adc3af8ff0d294b38f ] + +This changes CONFIG_DAVINCI_WATCHDOG from a module to a compiled-in +option. Since the reset function has been moved out of the mach code in +commit 94f2e94514e5 ("ARM: davinci: remove watchdog reset") and into the +watchdog driver, devices cannot reboot unless the watchdog driver is +loaded, so make it a compiled-in option so that we can always reboot, even +when modules are not loaded. + +Cc: Sekhar Nori +Suggested-by: Adam Ford +Signed-off-by: David Lechner +Signed-off-by: Sekhar Nori +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/configs/davinci_all_defconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/configs/davinci_all_defconfig ++++ b/arch/arm/configs/davinci_all_defconfig +@@ -128,7 +128,7 @@ CONFIG_POWER_RESET=y + CONFIG_POWER_RESET_GPIO=y + CONFIG_BATTERY_LEGO_EV3=m + CONFIG_WATCHDOG=y +-CONFIG_DAVINCI_WATCHDOG=m ++CONFIG_DAVINCI_WATCHDOG=y + CONFIG_MFD_DM355EVM_MSP=y + CONFIG_TPS6507X=y + CONFIG_REGULATOR=y diff --git a/queue-4.16/arm-dts-at91-nattis-use-the-correct-compatible-for-the-eeprom.patch b/queue-4.16/arm-dts-at91-nattis-use-the-correct-compatible-for-the-eeprom.patch new file mode 100644 index 00000000000..7dbb39b7cda --- /dev/null +++ b/queue-4.16/arm-dts-at91-nattis-use-the-correct-compatible-for-the-eeprom.patch @@ -0,0 +1,33 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Peter Rosin +Date: Tue, 16 Jan 2018 17:06:17 +0100 +Subject: ARM: dts: at91: nattis: use the correct compatible for the eeprom + +From: Peter Rosin + +[ Upstream commit 6b65933008a6bbe5ff79a344b41175826848682d ] + +The used part does contain an eeprom compatible with an Atmel 24c02 +chip and it is from NXP, but it is not called 24c02. It's actually a +se97b chip. Adjust the compatible accordingly. + +Fixes: 0e4323899973 ("ARM: dts: at91: add devicetree for the Axentia Nattis with Natte power") +Signed-off-by: Peter Rosin +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/at91-nattis-2-natte-2.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/at91-nattis-2-natte-2.dts ++++ b/arch/arm/boot/dts/at91-nattis-2-natte-2.dts +@@ -146,7 +146,7 @@ + }; + + eeprom@50 { +- compatible = "nxp,24c02"; ++ compatible = "nxp,se97b", "atmel,24c02"; + reg = <0x50>; + pagesize = <16>; + }; diff --git a/queue-4.16/arm-dts-at91-tse850-use-the-correct-compatible-for-the-eeprom.patch b/queue-4.16/arm-dts-at91-tse850-use-the-correct-compatible-for-the-eeprom.patch new file mode 100644 index 00000000000..3391d5ade54 --- /dev/null +++ b/queue-4.16/arm-dts-at91-tse850-use-the-correct-compatible-for-the-eeprom.patch @@ -0,0 +1,33 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Peter Rosin +Date: Tue, 16 Jan 2018 17:06:18 +0100 +Subject: ARM: dts: at91: tse850: use the correct compatible for the eeprom + +From: Peter Rosin + +[ Upstream commit 7981190fb5dd710dea08c2613cee3d05e795ca5e ] + +The used part does contain an eeprom compatible with an Atmel 24c02 +chip and it is from NXP, but it is not called 24c02. It's actually a +se97b chip. Adjust the compatible accordingly. + +Fixes: 21dd0ece34c2 ("ARM: dts: at91: add devicetree for the Axentia TSE-850") +Signed-off-by: Peter Rosin +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/at91-tse850-3.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/at91-tse850-3.dts ++++ b/arch/arm/boot/dts/at91-tse850-3.dts +@@ -246,7 +246,7 @@ + }; + + eeprom@50 { +- compatible = "nxp,24c02", "atmel,24c02"; ++ compatible = "nxp,se97b", "atmel,24c02"; + reg = <0x50>; + pagesize = <16>; + }; diff --git a/queue-4.16/arm-dts-bcm283x-fix-pin-function-of-jtag-pins.patch b/queue-4.16/arm-dts-bcm283x-fix-pin-function-of-jtag-pins.patch new file mode 100644 index 00000000000..7ebb5237d14 --- /dev/null +++ b/queue-4.16/arm-dts-bcm283x-fix-pin-function-of-jtag-pins.patch @@ -0,0 +1,34 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Henry Zhang +Date: Wed, 17 Jan 2018 18:41:33 -0800 +Subject: ARM: dts: bcm283x: Fix pin function of JTAG pins + +From: Henry Zhang + +[ Upstream commit 1a012cb2569f2031b3636232c3ab21c20c92d281 ] + +BCM2835 ARM Peripherals doc shows gpio pins 4, 5, 6, 12 and 13 +carry altenate function, ALT5 for ARM JTAG + +Fixes: 21ff843931b2 ("ARM: dts: bcm283x: Define standard pinctrl groups in the gpio node.") + +Signed-off-by: Henry Zhang +Acked-by: Stefan Wahren +Signed-off-by: Eric Anholt +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/bcm283x.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/bcm283x.dtsi ++++ b/arch/arm/boot/dts/bcm283x.dtsi +@@ -252,7 +252,7 @@ + + jtag_gpio4: jtag_gpio4 { + brcm,pins = <4 5 6 12 13>; +- brcm,function = ; ++ brcm,function = ; + }; + jtag_gpio22: jtag_gpio22 { + brcm,pins = <22 23 24 25 26 27>; diff --git a/queue-4.16/arm-dts-bcm283x-fix-probing-of-bcm2835-i2s.patch b/queue-4.16/arm-dts-bcm283x-fix-probing-of-bcm2835-i2s.patch new file mode 100644 index 00000000000..1fc4fb1a9e0 --- /dev/null +++ b/queue-4.16/arm-dts-bcm283x-fix-probing-of-bcm2835-i2s.patch @@ -0,0 +1,38 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Stefan Wahren +Date: Fri, 16 Feb 2018 11:55:34 +0100 +Subject: ARM: dts: bcm283x: Fix probing of bcm2835-i2s + +From: Stefan Wahren + +[ Upstream commit 79c81facdc0b43b1cef37b8d5689a8c8b78f8be0 ] + +Since 517e7a1537a ("ASoC: bcm2835: move to use the clock framework") +the bcm2835-i2s requires a clock as DT property. Unfortunately +the necessary DT change has never been applied. While we are at it +also fix the first PCM register range to cover the PCM_GRAY register. + +Fixes: 517e7a1537a ("ASoC: bcm2835: move to use the clock framework") +Signed-off-by: Stefan Wahren +Reviewed-by: Eric Anholt +Tested-by: Matthias Reichl +Signed-off-by: Eric Anholt +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/bcm283x.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/boot/dts/bcm283x.dtsi ++++ b/arch/arm/boot/dts/bcm283x.dtsi +@@ -397,8 +397,8 @@ + + i2s: i2s@7e203000 { + compatible = "brcm,bcm2835-i2s"; +- reg = <0x7e203000 0x20>, +- <0x7e101098 0x02>; ++ reg = <0x7e203000 0x24>; ++ clocks = <&clocks BCM2835_CLOCK_PCM>; + + dmas = <&dma 2>, + <&dma 3>; diff --git a/queue-4.16/arm-dts-dra71-evm-correct-evm_sd-regulator-max-voltage.patch b/queue-4.16/arm-dts-dra71-evm-correct-evm_sd-regulator-max-voltage.patch new file mode 100644 index 00000000000..8c7f2d3195f --- /dev/null +++ b/queue-4.16/arm-dts-dra71-evm-correct-evm_sd-regulator-max-voltage.patch @@ -0,0 +1,40 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Ravikumar Kattekola +Date: Tue, 6 Feb 2018 18:28:02 +0530 +Subject: ARM: dts: dra71-evm: Correct evm_sd regulator max voltage + +From: Ravikumar Kattekola + +[ Upstream commit f4aa1bd5b4fc80f5f4ecd184caad832fd62c25f7 ] + +Correct vpo_sd_1v8_3v3 regulator max voltage to 3.3V + +Fixes: 9868bc585ae2 ("ARM: dts: Add support for dra718-evm") +Signed-off-by: Ravikumar Kattekola +Signed-off-by: Sekhar Nori +Signed-off-by: Kishon Vijay Abraham I +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/dra71-evm.dts | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/boot/dts/dra71-evm.dts ++++ b/arch/arm/boot/dts/dra71-evm.dts +@@ -24,13 +24,13 @@ + + regulator-name = "vddshv8"; + regulator-min-microvolt = <1800000>; +- regulator-max-microvolt = <3000000>; ++ regulator-max-microvolt = <3300000>; + regulator-boot-on; + vin-supply = <&evm_5v0>; + + gpios = <&gpio7 11 GPIO_ACTIVE_HIGH>; + states = <1800000 0x0 +- 3000000 0x1>; ++ 3300000 0x1>; + }; + + evm_1v8_sw: fixedregulator-evm_1v8 { diff --git a/queue-4.16/arm-dts-imx7d-cl-som-imx7-fix-pinctrl_enet.patch b/queue-4.16/arm-dts-imx7d-cl-som-imx7-fix-pinctrl_enet.patch new file mode 100644 index 00000000000..3bf222b74ee --- /dev/null +++ b/queue-4.16/arm-dts-imx7d-cl-som-imx7-fix-pinctrl_enet.patch @@ -0,0 +1,87 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Aapo Vienamo +Date: Wed, 31 Jan 2018 14:34:07 +0000 +Subject: ARM: dts: imx7d: cl-som-imx7: fix pinctrl_enet + +From: Aapo Vienamo + +[ Upstream commit 2bada7ac1fdcbf79a9689bd2ff65fa515ca7a31f ] + +The missing last digit of the CONFIG values is added. Looks like a typo +of some sort when comparing to the downstream dt. This fixes +intermittent behavior behaviour of the ethernet controllers. + +Signed-off-by: Aapo Vienamo +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/imx7d-cl-som-imx7.dts | 52 ++++++++++++++++---------------- + 1 file changed, 26 insertions(+), 26 deletions(-) + +--- a/arch/arm/boot/dts/imx7d-cl-som-imx7.dts ++++ b/arch/arm/boot/dts/imx7d-cl-som-imx7.dts +@@ -213,37 +213,37 @@ + &iomuxc { + pinctrl_enet1: enet1grp { + fsl,pins = < +- MX7D_PAD_SD2_CD_B__ENET1_MDIO 0x3 +- MX7D_PAD_SD2_WP__ENET1_MDC 0x3 +- MX7D_PAD_ENET1_RGMII_TXC__ENET1_RGMII_TXC 0x1 +- MX7D_PAD_ENET1_RGMII_TD0__ENET1_RGMII_TD0 0x1 +- MX7D_PAD_ENET1_RGMII_TD1__ENET1_RGMII_TD1 0x1 +- MX7D_PAD_ENET1_RGMII_TD2__ENET1_RGMII_TD2 0x1 +- MX7D_PAD_ENET1_RGMII_TD3__ENET1_RGMII_TD3 0x1 +- MX7D_PAD_ENET1_RGMII_TX_CTL__ENET1_RGMII_TX_CTL 0x1 +- MX7D_PAD_ENET1_RGMII_RXC__ENET1_RGMII_RXC 0x1 +- MX7D_PAD_ENET1_RGMII_RD0__ENET1_RGMII_RD0 0x1 +- MX7D_PAD_ENET1_RGMII_RD1__ENET1_RGMII_RD1 0x1 +- MX7D_PAD_ENET1_RGMII_RD2__ENET1_RGMII_RD2 0x1 +- MX7D_PAD_ENET1_RGMII_RD3__ENET1_RGMII_RD3 0x1 +- MX7D_PAD_ENET1_RGMII_RX_CTL__ENET1_RGMII_RX_CTL 0x1 ++ MX7D_PAD_SD2_CD_B__ENET1_MDIO 0x30 ++ MX7D_PAD_SD2_WP__ENET1_MDC 0x30 ++ MX7D_PAD_ENET1_RGMII_TXC__ENET1_RGMII_TXC 0x11 ++ MX7D_PAD_ENET1_RGMII_TD0__ENET1_RGMII_TD0 0x11 ++ MX7D_PAD_ENET1_RGMII_TD1__ENET1_RGMII_TD1 0x11 ++ MX7D_PAD_ENET1_RGMII_TD2__ENET1_RGMII_TD2 0x11 ++ MX7D_PAD_ENET1_RGMII_TD3__ENET1_RGMII_TD3 0x11 ++ MX7D_PAD_ENET1_RGMII_TX_CTL__ENET1_RGMII_TX_CTL 0x11 ++ MX7D_PAD_ENET1_RGMII_RXC__ENET1_RGMII_RXC 0x11 ++ MX7D_PAD_ENET1_RGMII_RD0__ENET1_RGMII_RD0 0x11 ++ MX7D_PAD_ENET1_RGMII_RD1__ENET1_RGMII_RD1 0x11 ++ MX7D_PAD_ENET1_RGMII_RD2__ENET1_RGMII_RD2 0x11 ++ MX7D_PAD_ENET1_RGMII_RD3__ENET1_RGMII_RD3 0x11 ++ MX7D_PAD_ENET1_RGMII_RX_CTL__ENET1_RGMII_RX_CTL 0x11 + >; + }; + + pinctrl_enet2: enet2grp { + fsl,pins = < +- MX7D_PAD_EPDC_GDSP__ENET2_RGMII_TXC 0x1 +- MX7D_PAD_EPDC_SDCE2__ENET2_RGMII_TD0 0x1 +- MX7D_PAD_EPDC_SDCE3__ENET2_RGMII_TD1 0x1 +- MX7D_PAD_EPDC_GDCLK__ENET2_RGMII_TD2 0x1 +- MX7D_PAD_EPDC_GDOE__ENET2_RGMII_TD3 0x1 +- MX7D_PAD_EPDC_GDRL__ENET2_RGMII_TX_CTL 0x1 +- MX7D_PAD_EPDC_SDCE1__ENET2_RGMII_RXC 0x1 +- MX7D_PAD_EPDC_SDCLK__ENET2_RGMII_RD0 0x1 +- MX7D_PAD_EPDC_SDLE__ENET2_RGMII_RD1 0x1 +- MX7D_PAD_EPDC_SDOE__ENET2_RGMII_RD2 0x1 +- MX7D_PAD_EPDC_SDSHR__ENET2_RGMII_RD3 0x1 +- MX7D_PAD_EPDC_SDCE0__ENET2_RGMII_RX_CTL 0x1 ++ MX7D_PAD_EPDC_GDSP__ENET2_RGMII_TXC 0x11 ++ MX7D_PAD_EPDC_SDCE2__ENET2_RGMII_TD0 0x11 ++ MX7D_PAD_EPDC_SDCE3__ENET2_RGMII_TD1 0x11 ++ MX7D_PAD_EPDC_GDCLK__ENET2_RGMII_TD2 0x11 ++ MX7D_PAD_EPDC_GDOE__ENET2_RGMII_TD3 0x11 ++ MX7D_PAD_EPDC_GDRL__ENET2_RGMII_TX_CTL 0x11 ++ MX7D_PAD_EPDC_SDCE1__ENET2_RGMII_RXC 0x11 ++ MX7D_PAD_EPDC_SDCLK__ENET2_RGMII_RD0 0x11 ++ MX7D_PAD_EPDC_SDLE__ENET2_RGMII_RD1 0x11 ++ MX7D_PAD_EPDC_SDOE__ENET2_RGMII_RD2 0x11 ++ MX7D_PAD_EPDC_SDSHR__ENET2_RGMII_RD3 0x11 ++ MX7D_PAD_EPDC_SDCE0__ENET2_RGMII_RX_CTL 0x11 + >; + }; + diff --git a/queue-4.16/arm-dts-keystone-k2e-clocks-fix-missing-unit-address-separator.patch b/queue-4.16/arm-dts-keystone-k2e-clocks-fix-missing-unit-address-separator.patch new file mode 100644 index 00000000000..5afaad660f0 --- /dev/null +++ b/queue-4.16/arm-dts-keystone-k2e-clocks-fix-missing-unit-address-separator.patch @@ -0,0 +1,34 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Suman Anna +Date: Mon, 5 Mar 2018 16:18:49 -0800 +Subject: ARM: dts: keystone-k2e-clocks: Fix missing unit address separator + +From: Suman Anna + +[ Upstream commit 5a3a03905a433216f517babd0a343ae7265e9ca1 ] + +Commit 95d8b41c765b ("ARM: dts: keystone-k2e-clocks: Add missing unit +name to clock nodes that have regs") fixed the unit names on various +clock nodes but missed out adding the unit address separator on the +clkhyperlink0 clock node. Fix the same. + +Fixes: 95d8b41c765b ("ARM: dts: keystone-k2e-clocks: Add missing unit name to clock nodes that have regs") +Signed-off-by: Suman Anna +Signed-off-by: Santosh Shilimkar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/keystone-k2e-clocks.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/keystone-k2e-clocks.dtsi ++++ b/arch/arm/boot/dts/keystone-k2e-clocks.dtsi +@@ -42,7 +42,7 @@ clocks { + domain-id = <0>; + }; + +- clkhyperlink0: clkhyperlink02350030 { ++ clkhyperlink0: clkhyperlink0@2350030 { + #clock-cells = <0>; + compatible = "ti,keystone,psc-clock"; + clocks = <&chipclk12>; diff --git a/queue-4.16/arm-dts-ls1021a-specify-tbipa-register-address.patch b/queue-4.16/arm-dts-ls1021a-specify-tbipa-register-address.patch new file mode 100644 index 00000000000..09b8e40a0fa --- /dev/null +++ b/queue-4.16/arm-dts-ls1021a-specify-tbipa-register-address.patch @@ -0,0 +1,37 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Esben Haabendal +Date: Fri, 6 Apr 2018 14:46:35 +0200 +Subject: ARM: dts: ls1021a: Specify TBIPA register address + +From: Esben Haabendal + +[ Upstream commit 5571196135abb6d51e01592812997403c136067c ] + +The current (mildly evil) fsl_pq_mdio code uses an undocumented shadow of +the TBIPA register on LS1021A, which happens to be read-only. +Changing TBI PHY address therefore does not work on LS1021A. + +The real (and documented) address of the TBIPA registere lies in the eTSEC +block and not in MDIO/MII, which is read/write, so using that fixes +the problem. + +Signed-off-by: Esben Haabendal +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/ls1021a.dtsi | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/ls1021a.dtsi ++++ b/arch/arm/boot/dts/ls1021a.dtsi +@@ -587,7 +587,8 @@ + device_type = "mdio"; + #address-cells = <1>; + #size-cells = <0>; +- reg = <0x0 0x2d24000 0x0 0x4000>; ++ reg = <0x0 0x2d24000 0x0 0x4000>, ++ <0x0 0x2d10030 0x0 0x4>; + }; + + ptp_clock@2d10e00 { diff --git a/queue-4.16/arm-dts-porter-fix-hdmi-output-routing.patch b/queue-4.16/arm-dts-porter-fix-hdmi-output-routing.patch new file mode 100644 index 00000000000..c01f5a391b8 --- /dev/null +++ b/queue-4.16/arm-dts-porter-fix-hdmi-output-routing.patch @@ -0,0 +1,32 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Laurent Pinchart +Date: Sat, 13 Jan 2018 01:14:23 +0200 +Subject: ARM: dts: porter: Fix HDMI output routing + +From: Laurent Pinchart + +[ Upstream commit d4b78db6ac3e084e2bdc57d5518bd247c727f396 ] + +The HDMI encoder is connected to the RGB output of the DU, which is +port@0, not port@1. Fix the incorrect DT description. + +Fixes: c5af8a4248d3 ("ARM: dts: porter: add DU DT support") +Signed-off-by: Laurent Pinchart +Signed-off-by: Simon Horman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/r8a7791-porter.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/r8a7791-porter.dts ++++ b/arch/arm/boot/dts/r8a7791-porter.dts +@@ -425,7 +425,7 @@ + "dclkin.0", "dclkin.1"; + + ports { +- port@1 { ++ port@0 { + endpoint { + remote-endpoint = <&adv7511_in>; + }; diff --git a/queue-4.16/arm-dts-socfpga-fix-gic-ppi-warning.patch b/queue-4.16/arm-dts-socfpga-fix-gic-ppi-warning.patch new file mode 100644 index 00000000000..d11ed627c23 --- /dev/null +++ b/queue-4.16/arm-dts-socfpga-fix-gic-ppi-warning.patch @@ -0,0 +1,31 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Philipp Puschmann +Date: Fri, 23 Mar 2018 10:22:15 +0100 +Subject: arm: dts: socfpga: fix GIC PPI warning + +From: Philipp Puschmann + +[ Upstream commit 6d97d5aba08b26108f95dc9fb7bbe4d9436c769c ] + +Fixes the warning "GIC: PPI13 is secure or misconfigured" by +changing the interrupt type from level_low to edge_raising + +Signed-off-by: Philipp Puschmann +Signed-off-by: Dinh Nguyen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/socfpga.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/socfpga.dtsi ++++ b/arch/arm/boot/dts/socfpga.dtsi +@@ -831,7 +831,7 @@ + timer@fffec600 { + compatible = "arm,cortex-a9-twd-timer"; + reg = <0xfffec600 0x100>; +- interrupts = <1 13 0xf04>; ++ interrupts = <1 13 0xf01>; + clocks = <&mpu_periph_clk>; + }; + diff --git a/queue-4.16/arm64-dts-qcom-fix-spi5-config-on-msm8996.patch b/queue-4.16/arm64-dts-qcom-fix-spi5-config-on-msm8996.patch new file mode 100644 index 00000000000..1fdaf327079 --- /dev/null +++ b/queue-4.16/arm64-dts-qcom-fix-spi5-config-on-msm8996.patch @@ -0,0 +1,34 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Ilia Lin +Date: Tue, 23 Jan 2018 09:36:18 +0200 +Subject: arm64: dts: qcom: Fix SPI5 config on MSM8996 + +From: Ilia Lin + +[ Upstream commit e723795c702b52cfceb3bb3faa63059eb4658313 ] + +Set correct clocks and interrupt values. +Fixes the incorrect SPI master configuration. This is +mandatory to make the SPI5 interface functional. + +Signed-off-by: Ilia Lin +Signed-off-by: Andy Gross +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/qcom/msm8996.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm64/boot/dts/qcom/msm8996.dtsi ++++ b/arch/arm64/boot/dts/qcom/msm8996.dtsi +@@ -497,8 +497,8 @@ + blsp2_spi5: spi@75ba000{ + compatible = "qcom,spi-qup-v2.2.1"; + reg = <0x075ba000 0x600>; +- interrupts = ; +- clocks = <&gcc GCC_BLSP2_QUP5_SPI_APPS_CLK>, ++ interrupts = ; ++ clocks = <&gcc GCC_BLSP2_QUP6_SPI_APPS_CLK>, + <&gcc GCC_BLSP2_AHB_CLK>; + clock-names = "core", "iface"; + pinctrl-names = "default", "sleep"; diff --git a/queue-4.16/arm64-insn-allow-add-sub-immediate-with-lsl-12.patch b/queue-4.16/arm64-insn-allow-add-sub-immediate-with-lsl-12.patch new file mode 100644 index 00000000000..6ce493fcd84 --- /dev/null +++ b/queue-4.16/arm64-insn-allow-add-sub-immediate-with-lsl-12.patch @@ -0,0 +1,66 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Marc Zyngier +Date: Sun, 3 Dec 2017 17:50:00 +0000 +Subject: arm64: insn: Allow ADD/SUB (immediate) with LSL #12 + +From: Marc Zyngier + +[ Upstream commit 11d764079c9f25d1da8e10906d54da7fefec5844 ] + +The encoder for ADD/SUB (immediate) can only cope with 12bit +immediates, while there is an encoding for a 12bit immediate shifted +by 12 bits to the left. + +Let's fix this small oversight by allowing the LSL_12 bit to be set. + +Reviewed-by: Christoffer Dall +Acked-by: Catalin Marinas +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/insn.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +--- a/arch/arm64/kernel/insn.c ++++ b/arch/arm64/kernel/insn.c +@@ -35,6 +35,7 @@ + + #define AARCH64_INSN_SF_BIT BIT(31) + #define AARCH64_INSN_N_BIT BIT(22) ++#define AARCH64_INSN_LSL_12 BIT(22) + + static int aarch64_insn_encoding_class[] = { + AARCH64_INSN_CLS_UNKNOWN, +@@ -899,9 +900,18 @@ u32 aarch64_insn_gen_add_sub_imm(enum aa + return AARCH64_BREAK_FAULT; + } + ++ /* We can't encode more than a 24bit value (12bit + 12bit shift) */ ++ if (imm & ~(BIT(24) - 1)) ++ goto out; ++ ++ /* If we have something in the top 12 bits... */ + if (imm & ~(SZ_4K - 1)) { +- pr_err("%s: invalid immediate encoding %d\n", __func__, imm); +- return AARCH64_BREAK_FAULT; ++ /* ... and in the low 12 bits -> error */ ++ if (imm & (SZ_4K - 1)) ++ goto out; ++ ++ imm >>= 12; ++ insn |= AARCH64_INSN_LSL_12; + } + + insn = aarch64_insn_encode_register(AARCH64_INSN_REGTYPE_RD, insn, dst); +@@ -909,6 +919,10 @@ u32 aarch64_insn_gen_add_sub_imm(enum aa + insn = aarch64_insn_encode_register(AARCH64_INSN_REGTYPE_RN, insn, src); + + return aarch64_insn_encode_immediate(AARCH64_INSN_IMM_12, insn, imm); ++ ++out: ++ pr_err("%s: invalid immediate encoding %d\n", __func__, imm); ++ return AARCH64_BREAK_FAULT; + } + + u32 aarch64_insn_gen_bitfield(enum aarch64_insn_register dst, diff --git a/queue-4.16/asoc-fsl_ssi-maintain-a-mask-of-active-streams.patch b/queue-4.16/asoc-fsl_ssi-maintain-a-mask-of-active-streams.patch new file mode 100644 index 00000000000..b6fc34f2d6a --- /dev/null +++ b/queue-4.16/asoc-fsl_ssi-maintain-a-mask-of-active-streams.patch @@ -0,0 +1,88 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Nicolin Chen +Date: Mon, 12 Feb 2018 14:03:12 -0800 +Subject: ASoC: fsl_ssi: Maintain a mask of active streams + +From: Nicolin Chen + +[ Upstream commit e0582731abe004163e78ad2dac4cd1196db0908f ] + +Checking TE and RE bits in SCR register doesn't work for AC97 mode +which enables SSIEN, TE and RE in the fsl_ssi_setup_ac97() that's +called during probe(). + +So when running into the trigger(), it will always get the result +of both TE and RE being enabled already, even if actually there is +no active stream. + +This patch fixes this issue by adding a variable to log the active +streams manually. + +Signed-off-by: Nicolin Chen +Tested-by: Caleb Crome +Tested-by: Maciej S. Szmigiero +Reviewed-by: Maciej S. Szmigiero +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/fsl/fsl_ssi.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +--- a/sound/soc/fsl/fsl_ssi.c ++++ b/sound/soc/fsl/fsl_ssi.c +@@ -201,6 +201,7 @@ struct fsl_ssi_soc_data { + * @cpu_dai_drv: CPU DAI driver for this device + * + * @dai_fmt: DAI configuration this device is currently used with ++ * @streams: Mask of current active streams: BIT(TX) and BIT(RX) + * @i2s_net: I2S and Network mode configurations of SCR register + * @use_dma: DMA is used or FIQ with stream filter + * @use_dual_fifo: DMA with support for dual FIFO mode +@@ -245,6 +246,7 @@ struct fsl_ssi { + struct snd_soc_dai_driver cpu_dai_drv; + + unsigned int dai_fmt; ++ u8 streams; + u8 i2s_net; + bool use_dma; + bool use_dual_fifo; +@@ -440,15 +442,14 @@ static void fsl_ssi_fifo_clear(struct fs + static void fsl_ssi_config(struct fsl_ssi *ssi, bool enable, + struct fsl_ssi_regvals *vals) + { ++ int dir = (&ssi->regvals[TX] == vals) ? TX : RX; + struct regmap *regs = ssi->regs; + struct fsl_ssi_regvals *avals; + int nr_active_streams; +- u32 scr; + int keep_active; + +- regmap_read(regs, REG_SSI_SCR, &scr); +- +- nr_active_streams = !!(scr & SSI_SCR_TE) + !!(scr & SSI_SCR_RE); ++ nr_active_streams = !!(ssi->streams & BIT(TX)) + ++ !!(ssi->streams & BIT(RX)); + + if (nr_active_streams - 1 > 0) + keep_active = 1; +@@ -470,6 +471,9 @@ static void fsl_ssi_config(struct fsl_ss + keep_active); + /* Safely disable SCR register for the stream */ + regmap_update_bits(regs, REG_SSI_SCR, scr, 0); ++ ++ /* Log the disabled stream to the mask */ ++ ssi->streams &= ~BIT(dir); + } + + /* +@@ -545,6 +549,9 @@ config_done: + } + /* Enable all remaining bits */ + regmap_update_bits(regs, REG_SSI_SCR, vals->scr, vals->scr); ++ ++ /* Log the enabled stream to the mask */ ++ ssi->streams |= BIT(dir); + } + } + diff --git a/queue-4.16/asoc-rockchip-rk3288-hdmi-analog-select-needed-codecs.patch b/queue-4.16/asoc-rockchip-rk3288-hdmi-analog-select-needed-codecs.patch new file mode 100644 index 00000000000..befdf8efa35 --- /dev/null +++ b/queue-4.16/asoc-rockchip-rk3288-hdmi-analog-select-needed-codecs.patch @@ -0,0 +1,33 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Ezequiel Garcia +Date: Tue, 20 Mar 2018 13:03:31 -0300 +Subject: ASoC: rockchip: rk3288-hdmi-analog: Select needed codecs + +From: Ezequiel Garcia + +[ Upstream commit b1d0db067fbe2598d62b248beea5d705a0ea7642 ] + +The driver does not select all the codec drivers that needs. +Fix it by selecting the analog and HDMI codecs. + +Cc: Sjoerd Simons +Signed-off-by: Ezequiel Garcia +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/rockchip/Kconfig | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/sound/soc/rockchip/Kconfig ++++ b/sound/soc/rockchip/Kconfig +@@ -56,6 +56,9 @@ config SND_SOC_RK3288_HDMI_ANALOG + depends on SND_SOC_ROCKCHIP && I2C && GPIOLIB && CLKDEV_LOOKUP + select SND_SOC_ROCKCHIP_I2S + select SND_SOC_HDMI_CODEC ++ select SND_SOC_ES8328_I2C ++ select SND_SOC_ES8328_SPI if SPI_MASTER ++ select DRM_DW_HDMI_I2S_AUDIO if DRM_DW_HDMI + help + Say Y or M here if you want to add support for SoC audio on Rockchip + RK3288 boards using an analog output and the built-in HDMI audio. diff --git a/queue-4.16/asoc-samsung-i2s-ensure-the-rclk-rate-is-properly-determined.patch b/queue-4.16/asoc-samsung-i2s-ensure-the-rclk-rate-is-properly-determined.patch new file mode 100644 index 00000000000..89a376831b2 --- /dev/null +++ b/queue-4.16/asoc-samsung-i2s-ensure-the-rclk-rate-is-properly-determined.patch @@ -0,0 +1,53 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Sylwester Nawrocki +Date: Mon, 5 Feb 2018 16:43:56 +0100 +Subject: ASoC: samsung: i2s: Ensure the RCLK rate is properly determined + +From: Sylwester Nawrocki + +[ Upstream commit 647d04f8e07afc7c3b7a42b3ee01a8b28db29631 ] + +If the RCLK mux clock configuration is specified in DT and no set_sysclk() +callback is used in the sound card driver the sclk_srcrate field will remain +set to 0, leading to an incorrect PSR divider setting. +To fix this the frequency value is retrieved from the CLK_I2S_RCLK_SRC clock, +so the actual RCLK mux selection is taken into account. + +Signed-off-by: Sylwester Nawrocki +Acked-by: Krzysztof Kozlowski +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/samsung/i2s.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/sound/soc/samsung/i2s.c ++++ b/sound/soc/samsung/i2s.c +@@ -656,8 +656,12 @@ static int i2s_set_fmt(struct snd_soc_da + tmp |= mod_slave; + break; + case SND_SOC_DAIFMT_CBS_CFS: +- /* Set default source clock in Master mode */ +- if (i2s->rclk_srcrate == 0) ++ /* ++ * Set default source clock in Master mode, only when the ++ * CLK_I2S_RCLK_SRC clock is not exposed so we ensure any ++ * clock configuration assigned in DT is not overwritten. ++ */ ++ if (i2s->rclk_srcrate == 0 && i2s->clk_data.clks == NULL) + i2s_set_sysclk(dai, SAMSUNG_I2S_RCLKSRC_0, + 0, SND_SOC_CLOCK_IN); + break; +@@ -881,6 +885,11 @@ static int config_setup(struct i2s_dai * + return 0; + + if (!(i2s->quirks & QUIRK_NO_MUXPSR)) { ++ struct clk *rclksrc = i2s->clk_table[CLK_I2S_RCLK_SRC]; ++ ++ if (i2s->rclk_srcrate == 0 && rclksrc && !IS_ERR(rclksrc)) ++ i2s->rclk_srcrate = clk_get_rate(rclksrc); ++ + psr = i2s->rclk_srcrate / i2s->frmclk / rfs; + writel(((psr - 1) << 8) | PSR_PSREN, i2s->addr + I2SPSR); + dev_dbg(&i2s->pdev->dev, diff --git a/queue-4.16/asoc-samsung-odroid-fix-32000-sample-rate-handling.patch b/queue-4.16/asoc-samsung-odroid-fix-32000-sample-rate-handling.patch new file mode 100644 index 00000000000..76c399d96de --- /dev/null +++ b/queue-4.16/asoc-samsung-odroid-fix-32000-sample-rate-handling.patch @@ -0,0 +1,78 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Sylwester Nawrocki +Date: Wed, 14 Mar 2018 17:41:13 +0100 +Subject: ASoC: samsung: odroid: Fix 32000 sample rate handling + +From: Sylwester Nawrocki + +[ Upstream commit 1d22c337dc8f3a25638f7262e7bcb5729a34d140 ] + +In case of sample rates lower than 44100 currently there is too low MCLK +frequency set for the CODEC. Playback fails with following errors: + +$ speaker-test -c2 -t sine -f 1500 -l2 -r 32000 + +Sine wave rate is 1500.0000Hz +Rate set to 32000Hz (requested 32000Hz) +Buffer size range from 128 to 131072 +Period size range from 64 to 65536 +Using max buffer size 131072 +Periods = 4 +Unable to set hw params for playback: Invalid argument +Setting of hwparams failed: Invalid argument + +[ 497.883700] max98090 1-0010: Invalid master clock frequency + +To fix this the I2S root clock's frequency is increased, depending +on sampling rate. + +Signed-off-by: Sylwester Nawrocki +Acked-by: Krzysztof Kozlowski +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/samsung/odroid.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/sound/soc/samsung/odroid.c ++++ b/sound/soc/samsung/odroid.c +@@ -36,23 +36,26 @@ static int odroid_card_hw_params(struct + { + struct snd_soc_pcm_runtime *rtd = substream->private_data; + struct odroid_priv *priv = snd_soc_card_get_drvdata(rtd->card); +- unsigned int pll_freq, rclk_freq; ++ unsigned int pll_freq, rclk_freq, rfs; + int ret; + + switch (params_rate(params)) { +- case 32000: + case 64000: +- pll_freq = 131072006U; ++ pll_freq = 196608001U; ++ rfs = 384; + break; + case 44100: + case 88200: + case 176400: + pll_freq = 180633609U; ++ rfs = 512; + break; ++ case 32000: + case 48000: + case 96000: + case 192000: + pll_freq = 196608001U; ++ rfs = 512; + break; + default: + return -EINVAL; +@@ -67,7 +70,7 @@ static int odroid_card_hw_params(struct + * frequency values due to the EPLL output frequency not being exact + * multiple of the audio sampling rate. + */ +- rclk_freq = params_rate(params) * 256 + 1; ++ rclk_freq = params_rate(params) * rfs + 1; + + ret = clk_set_rate(priv->sclk_i2s, rclk_freq); + if (ret < 0) diff --git a/queue-4.16/asoc-topology-create-tlv-data-for-dapm-widgets.patch b/queue-4.16/asoc-topology-create-tlv-data-for-dapm-widgets.patch new file mode 100644 index 00000000000..c853ab94d77 --- /dev/null +++ b/queue-4.16/asoc-topology-create-tlv-data-for-dapm-widgets.patch @@ -0,0 +1,34 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Ranjani Sridharan +Date: Fri, 9 Mar 2018 11:11:17 -0800 +Subject: ASoC: topology: create TLV data for dapm widgets + +From: Ranjani Sridharan + +[ Upstream commit bde8b3887add8368ecf0ca71117baf2fd56a6fc9 ] + +This patch adds the change required to create the TLV data +for dapm widget kcontrols from topology. This also fixes the following +TLV read error shown in amixer while showing the card control contents. +"amixer: Control hw:1 element TLV read error: No such device or address" + +Signed-off-by: Ranjani Sridharan +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/soc-topology.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/sound/soc/soc-topology.c ++++ b/sound/soc/soc-topology.c +@@ -1276,6 +1276,9 @@ static struct snd_kcontrol_new *soc_tplg + kfree(sm); + continue; + } ++ ++ /* create any TLV data */ ++ soc_tplg_create_tlv(tplg, &kc[i], &mc->hdr); + } + return kc; + diff --git a/queue-4.16/ath10k-advertize-beacon_int_min_gcd.patch b/queue-4.16/ath10k-advertize-beacon_int_min_gcd.patch new file mode 100644 index 00000000000..5259cf12eef --- /dev/null +++ b/queue-4.16/ath10k-advertize-beacon_int_min_gcd.patch @@ -0,0 +1,46 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Anilkumar Kolli +Date: Wed, 28 Mar 2018 12:19:40 +0300 +Subject: ath10k: advertize beacon_int_min_gcd + +From: Anilkumar Kolli + +[ Upstream commit 8ebee73b574ad3dd1f14d461f65ceaffbd637650 ] + +This patch fixes regression caused by 0c317a02ca98 +("cfg80211: support virtual interfaces with different beacon intervals"), +with this change cfg80211 expects the driver to advertize +'beacon_int_min_gcd' to support different beacon intervals in multivap +scenario. This support is added for, QCA988X/QCA99X0/QCA9984/QCA4019. + +Verifed AP + mesh bring up on QCA9984 with beacon interval 100msec and +1000msec respectively. +Frimware: firmware-5.bin_10.4-3.5.3-00053 + +Fixes: 0c317a02ca98 ("cfg80211: support virtual interfaces with different beacon intervals") +Signed-off-by: Anilkumar Kolli +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath10k/mac.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/wireless/ath/ath10k/mac.c ++++ b/drivers/net/wireless/ath/ath10k/mac.c +@@ -7873,6 +7873,7 @@ static const struct ieee80211_iface_comb + .max_interfaces = 8, + .num_different_channels = 1, + .beacon_int_infra_match = true, ++ .beacon_int_min_gcd = 1, + #ifdef CONFIG_ATH10K_DFS_CERTIFIED + .radar_detect_widths = BIT(NL80211_CHAN_WIDTH_20_NOHT) | + BIT(NL80211_CHAN_WIDTH_20) | +@@ -7996,6 +7997,7 @@ static const struct ieee80211_iface_comb + .max_interfaces = 16, + .num_different_channels = 1, + .beacon_int_infra_match = true, ++ .beacon_int_min_gcd = 1, + #ifdef CONFIG_ATH10K_DFS_CERTIFIED + .radar_detect_widths = BIT(NL80211_CHAN_WIDTH_20_NOHT) | + BIT(NL80211_CHAN_WIDTH_20) | diff --git a/queue-4.16/ath10k-fix-kernel-panic-while-using-worker-ath10k_sta_rc_update_wk.patch b/queue-4.16/ath10k-fix-kernel-panic-while-using-worker-ath10k_sta_rc_update_wk.patch new file mode 100644 index 00000000000..726880f4a5b --- /dev/null +++ b/queue-4.16/ath10k-fix-kernel-panic-while-using-worker-ath10k_sta_rc_update_wk.patch @@ -0,0 +1,104 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Karthikeyan Periyasamy +Date: Mon, 12 Mar 2018 17:09:40 +0530 +Subject: ath10k: Fix kernel panic while using worker (ath10k_sta_rc_update_wk) + +From: Karthikeyan Periyasamy + +[ Upstream commit 8b2d93dd22615cb7f3046a5a2083a6f8bb8052ed ] + +When attempt to run worker (ath10k_sta_rc_update_wk) after the station object +(ieee80211_sta) delete will trigger the kernel panic. + +This problem arise in AP + Mesh configuration, Where the current node AP VAP +and neighbor node mesh VAP MAC address are same. When the current mesh node +try to establish the mesh link with neighbor node, driver peer creation for +the neighbor mesh node fails due to duplication MAC address. Already the AP +VAP created with same MAC address. + +It is caused by the following scenario steps. + +Steps: +1. In above condition, ath10k driver sta_state callback (ath10k_sta_state) + fails to do the state change for a station from IEEE80211_STA_NOTEXIST + to IEEE80211_STA_NONE due to peer creation fails. Sta_state callback is + called from ieee80211_add_station() to handle the new station + (neighbor mesh node) request from the wpa_supplicant. +2. Concurrently ath10k receive the sta_rc_update callback notification from + the mesh_neighbour_update() to handle the beacon frames of the above + neighbor mesh node. since its atomic callback, ath10k driver queue the + work (ath10k_sta_rc_update_wk) to handle rc update. +3. Due to driver sta_state callback fails (step 1), mac80211 free the station + object. +4. When the worker (ath10k_sta_rc_update_wk) scheduled to run, it will access + the station object which is already deleted. so it will trigger kernel + panic. + +Added the peer exist check in sta_rc_update callback before queue the work. + +Kernel Panic log: + +Unable to handle kernel NULL pointer dereference at virtual address 00000000 +pgd = c0204000 +[00000000] *pgd=00000000 +Internal error: Oops: 17 [#1] PREEMPT SMP ARM +CPU: 1 PID: 1833 Comm: kworker/u4:2 Not tainted 3.14.77 #1 +task: dcef0000 ti: d72b6000 task.ti: d72b6000 +PC is at pwq_activate_delayed_work+0x10/0x40 +LR is at pwq_activate_delayed_work+0xc/0x40 +pc : [] lr : [] psr: 40000193 +sp : d72b7f18 ip : 0000007a fp : d72b6000 +r10: 00000000 r9 : dd404414 r8 : d8c31998 +r7 : d72b6038 r6 : 00000004 r5 : d4907ec8 r4 : dcee1300 +r3 : ffffffe0 r2 : 00000000 r1 : 00000001 r0 : 00000000 +Flags: nZcv IRQs off FIQs on Mode SVC_32 ISA ARM Segment kernel +Control: 10c5787d Table: 595bc06a DAC: 00000015 +... +Process kworker/u4:2 (pid: 1833, stack limit = 0xd72b6238) +Stack: (0xd72b7f18 to 0xd72b8000) +7f00: 00000001 dcee1300 +7f20: 00000001 c02410dc d8c31980 dd404400 dd404400 c0242790 d8c31980 00000089 +7f40: 00000000 d93e1340 00000000 d8c31980 c0242568 00000000 00000000 00000000 +7f60: 00000000 c02474dc 00000000 00000000 000000f8 d8c31980 00000000 00000000 +7f80: d72b7f80 d72b7f80 00000000 00000000 d72b7f90 d72b7f90 d72b7fac d93e1340 +7fa0: c0247404 00000000 00000000 c0208d20 00000000 00000000 00000000 00000000 +7fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +7fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000 +[] (pwq_activate_delayed_work) from [] (pwq_dec_nr_in_flight+0x58/0xc4) +[] (pwq_dec_nr_in_flight) from [] (worker_thread+0x228/0x360) +[] (worker_thread) from [] (kthread+0xd8/0xec) +[] (kthread) from [] (ret_from_fork+0x14/0x34) +Code: e92d4038 e1a05000 ebffffbc[69210.619376] SMP: failed to stop secondary CPUs +Rebooting in 3 seconds.. + +Signed-off-by: Karthikeyan Periyasamy +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath10k/mac.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/net/wireless/ath/ath10k/mac.c ++++ b/drivers/net/wireless/ath/ath10k/mac.c +@@ -7084,10 +7084,20 @@ static void ath10k_sta_rc_update(struct + { + struct ath10k *ar = hw->priv; + struct ath10k_sta *arsta = (struct ath10k_sta *)sta->drv_priv; ++ struct ath10k_vif *arvif = (void *)vif->drv_priv; ++ struct ath10k_peer *peer; + u32 bw, smps; + + spin_lock_bh(&ar->data_lock); + ++ peer = ath10k_peer_find(ar, arvif->vdev_id, sta->addr); ++ if (!peer) { ++ spin_unlock_bh(&ar->data_lock); ++ ath10k_warn(ar, "mac sta rc update failed to find peer %pM on vdev %i\n", ++ sta->addr, arvif->vdev_id); ++ return; ++ } ++ + ath10k_dbg(ar, ATH10K_DBG_MAC, + "mac sta rc update for %pM changed %08x bw %d nss %d smps %d\n", + sta->addr, changed, sta->bandwidth, sta->rx_nss, diff --git a/queue-4.16/ath9k-fix-crash-in-spectral-scan.patch b/queue-4.16/ath9k-fix-crash-in-spectral-scan.patch new file mode 100644 index 00000000000..5219b867e33 --- /dev/null +++ b/queue-4.16/ath9k-fix-crash-in-spectral-scan.patch @@ -0,0 +1,147 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Sebastian Gottschall +Date: Sat, 3 Mar 2018 05:10:44 +0100 +Subject: ath9k: fix crash in spectral scan + +From: Sebastian Gottschall + +[ Upstream commit 221b6ec69ed9c56b6cd9a124a387a9472f14284e ] + +Fixes crash seen on arm smp systems (gateworks ventana imx6): + +Unable to handle kernel NULL pointer dereference at virtual address 00000014 +pgd = 80004000 +[00000014] *pgd=00000000 +Internal error: Oops - BUG: 17 [#1] PREEMPT SMP ARM +Modules linked in: ip6table_filter nf_conntrack_ipv6 ip6_tables nf_log_ipv6 nf_defrag_ipv6 shortcut_fe ipcomp6 xfrm_ipcomp xfrm6_tunnel xfrm6_mode_tunnel xfrm6_mode_transport xfrm6_mode_ro xfrm6_mode_beet ip6_tunnel tunnel6 mip6 ah6 esp6 xfrm_algo sit ip_tunnel tunnel4 ipv6 ath10k_pci ath10k_core ath9k ath mac80211 cfg80211 compat ath_pci ath_hal(P) caamalg authencesn authenc caamrng caamhash caam_jr caam cdc_ncm usbnet usbcore sky2 imx2_wdt +CPU: 0 PID: 3 Comm: ksoftirqd/0 Tainted: P 4.9.85 #19 +Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) +task: bf064980 task.stack: bf07c000 +PC is at relay_buf_full+0xc/0x30 +LR is at _674+0x740/0xf10 [ath9k] +pc : [<8018bce0>] lr : [<7f1aa604>] psr: 80000013 +sp : bf07dbf0 ip : bf07dc00 fp : bf07dbfc +r10: 0000003f r9 : bf130e00 r8 : 809044b0 +r7 : 00000000 r6 : be67a9f0 r5 : 00000000 r4 : 809043e4 +r3 : c0864c24 r2 : 00000000 r1 : 00000004 r0 : 00000000 +Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user +Control: 10c5387d Table: 4e6a004a DAC: 00000055 +Process ksoftirqd/0 (pid: 3, stack limit = 0xbf07c210) +Stack: (0xbf07dbf0 to 0xbf07e000) +dbe0: bf07dd04 bf07dc00 7f1aa604 8018bce0 +dc00: 00004014 be59e010 bf07dc34 bf07dc18 7f1a7084 7f19c07c be59c010 be6470a0 +dc20: 0000096c be648954 bf07dc6c bf07dc38 7f1c286c bf07dd90 bf07dc5c bf07dc48 +dc40: 8029ea4c 0000003c 00000001 be59c010 00000094 00000000 00000000 00000000 +dc60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +dc80: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +dca0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +dcc0: 00000000 00000000 00000000 00000000 00000000 00000000 8010ef24 00000030 +dce0: be94f5e8 be6485a0 bddf0200 be59c010 be6465a0 be6415a0 bf07ddf4 bf07dd08 +dd00: 7f1cf800 7f1aa55c 1fc38c4c 00000000 bf07dd58 cccccccd 66666667 be640bc0 +dd20: bf07dd54 be6415a0 1fc38c4c 00000000 00000000 be59c038 be67a9c0 be59e010 +dd40: be67a9f0 be647170 8090c904 be59c010 00000000 00000001 1fc38e84 00000000 +dd60: be640bc0 bddf0200 00000200 00000010 0000003f 00000002 20000013 be59c010 +dd80: 8092d940 bf7ca2c0 bf07ddb4 bf07dd98 1fc38c4c 2602003f 0100ff1b 80ff1b00 +dda0: 00808080 00000000 00000000 80808080 80808080 80808080 80808080 00008080 +ddc0: 00000000 00000000 7f1b62b8 00000002 be6470ec be6470f0 00000000 bf07de98 +dde0: 8092d940 be6415a0 bf07de94 bf07ddf8 7f1d1ed8 7f1cf1fc 00000000 00000000 +de00: bf7cc4c0 00000400 be6470f0 bf07de18 8015165c be59c010 8090453c 8090453c +de20: bf07dec4 be6465a0 8014f614 80148884 0000619a 00000001 bf07c000 00000100 +de40: bf07de78 00000001 7f327850 00000002 afb50401 bf064980 bf07de9c bf07de68 +de60: bf064a00 803cc668 bf064a00 be6470b4 be6470b8 80844180 00000000 bf07de98 +de80: 8092d940 bf07c000 bf07dec4 bf07de98 80124d18 7f1d1c44 80124c94 00000000 +dea0: 00000006 80902098 80902080 40000006 00000100 bf07c000 bf07df24 bf07dec8 +dec0: 8012501c 80124ca0 bf7cc4c0 bf064980 be95e1c0 04208040 80902d00 000061c7 +dee0: 0000000a 80600b54 8092d940 808441f8 80902080 bf07dec8 bf03b200 bf07c000 +df00: bf03b200 8090fe54 00000000 00000000 00000000 00000000 bf07df34 bf07df28 +df20: 80125148 80124f28 bf07df5c bf07df38 8013deb4 8012511c 00000000 bf03b240 +df40: bf03b200 8013dc90 00000000 00000000 bf07dfac bf07df60 8013ad40 8013dc9c +df60: 70448040 00000001 00000000 bf03b200 00000000 00030003 bf07df78 bf07df78 +df80: 00000000 00000000 bf07df88 bf07df88 bf03b240 8013ac48 00000000 00000000 +dfa0: 00000000 bf07dfb0 80107760 8013ac54 00000000 00000000 00000000 00000000 +dfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +dfe0: 00000000 00000000 00000000 00000000 00000013 00000000 8c120004 1190ad04 +Backtrace: +[<8018bcd4>] (relay_buf_full) from [<7f1aa604>] (_674+0x740/0xf10 [ath9k]) +[<7f1aa550>] (_674 [ath9k]) from [<7f1cf800>] (_582+0x14b4/0x3708 [ath9k]) + r10:be6415a0 r9:be6465a0 r8:be59c010 r7:bddf0200 r6:be6485a0 r5:be94f5e8 + r4:00000030 +[<7f1cf1f0>] (_582 [ath9k]) from [<7f1d1ed8>] (_735+0x2a0/0xec4 [ath9k]) + r10:be6415a0 r9:8092d940 r8:bf07de98 r7:00000000 r6:be6470f0 r5:be6470ec + r4:00000002 +[<7f1d1c38>] (_735 [ath9k]) from [<80124d18>] (tasklet_action+0x84/0xf8) + r10:bf07c000 r9:8092d940 r8:bf07de98 r7:00000000 r6:80844180 r5:be6470b8 + r4:be6470b4 +[<80124c94>] (tasklet_action) from [<8012501c>] (__do_softirq+0x100/0x1f4) + r10:bf07c000 r9:00000100 r8:40000006 r7:80902080 r6:80902098 r5:00000006 + r4:00000000 r3:80124c94 +[<80124f1c>] (__do_softirq) from [<80125148>] (run_ksoftirqd+0x38/0x4c) + r10:00000000 r9:00000000 r8:00000000 r7:00000000 r6:8090fe54 r5:bf03b200 + r4:bf07c000 +[<80125110>] (run_ksoftirqd) from [<8013deb4>] (smpboot_thread_fn+0x224/0x260) +[<8013dc90>] (smpboot_thread_fn) from [<8013ad40>] (kthread+0xf8/0x100) + r9:00000000 r8:00000000 r7:8013dc90 r6:bf03b200 r5:bf03b240 r4:00000000 +[<8013ac48>] (kthread) from [<80107760>] (ret_from_fork+0x14/0x34) + r7:00000000 r6:00000000 r5:8013ac48 r4:bf03b240 +Code: e89da800 e1a0c00d e92dd800 e24cb004 (e5901014) +---[ end trace dddf11ac9111b272 ]--- +Kernel panic - not syncing: Fatal exception in interrupt +CPU1: stopping +CPU: 1 PID: 0 Comm: swapper/1 Tainted: P D 4.9.85 #19 +Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) +Backtrace: +[<8010a708>] (dump_backtrace) from [<8010a99c>] (show_stack+0x18/0x1c) + r7:bf093f58 r6:20000193 r5:809168e8 r4:00000000 +[<8010a984>] (show_stack) from [<802a09c4>] (dump_stack+0x94/0xa8) +[<802a0930>] (dump_stack) from [<8010d184>] (handle_IPI+0xe8/0x180) + r7:bf093f58 r6:00000000 r5:00000001 r4:808478c4 +[<8010d09c>] (handle_IPI) from [<801013e8>] (gic_handle_irq+0x78/0x7c) + r7:f4000100 r6:bf093f58 r5:f400010c r4:8090467c +[<80101370>] (gic_handle_irq) from [<8010b378>] (__irq_svc+0x58/0x8c) +Exception stack(0xbf093f58 to 0xbf093fa0) +3f40: bf7d62a0 00000000 +3f60: 0010a5f4 80113460 bf092000 809043e4 00000002 80904434 bf092008 412fc09a +3f80: 00000000 bf093fb4 bf093fb8 bf093fa8 8010804c 80108050 60000013 ffffffff + r9:bf092000 r8:bf092008 r7:bf093f8c r6:ffffffff r5:60000013 r4:80108050 +[<80108014>] (arch_cpu_idle) from [<80553c2c>] (default_idle_call+0x30/0x34) +[<80553bfc>] (default_idle_call) from [<80158394>] (cpu_startup_entry+0xc4/0xfc) +[<801582d0>] (cpu_startup_entry) from [<8010ce40>] (secondary_start_kernel+0x168/0x174) + r7:8092d2f8 r4:80913568 +[<8010ccd8>] (secondary_start_kernel) from [<10101488>] (0x10101488) + r5:00000055 r4:4f07806a +Rebooting in 10 seconds.. +Reboot failed -- System halted + +Signed-off-by: Sebastian Gottschall +Signed-off-by: Kalle Valo + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath9k/common-spectral.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/drivers/net/wireless/ath/ath9k/common-spectral.c ++++ b/drivers/net/wireless/ath/ath9k/common-spectral.c +@@ -479,14 +479,16 @@ ath_cmn_is_fft_buf_full(struct ath_spec_ + { + int i = 0; + int ret = 0; ++ struct rchan_buf *buf; + struct rchan *rc = spec_priv->rfs_chan_spec_scan; + +- for_each_online_cpu(i) +- ret += relay_buf_full(*per_cpu_ptr(rc->buf, i)); ++ for_each_possible_cpu(i) { ++ if ((buf = *per_cpu_ptr(rc->buf, i))) { ++ ret += relay_buf_full(buf); ++ } ++ } + +- i = num_online_cpus(); +- +- if (ret == i) ++ if (ret) + return 1; + else + return 0; diff --git a/queue-4.16/audit-return-on-memory-error-to-avoid-null-pointer-dereference.patch b/queue-4.16/audit-return-on-memory-error-to-avoid-null-pointer-dereference.patch new file mode 100644 index 00000000000..b5a7cc9fadc --- /dev/null +++ b/queue-4.16/audit-return-on-memory-error-to-avoid-null-pointer-dereference.patch @@ -0,0 +1,37 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Richard Guy Briggs +Date: Wed, 21 Feb 2018 04:30:07 -0500 +Subject: audit: return on memory error to avoid null pointer dereference + +From: Richard Guy Briggs + +[ Upstream commit 23138ead270045f1b3e912e667967b6094244999 ] + +If there is a memory allocation error when trying to change an audit +kernel feature value, the ignored allocation error will trigger a NULL +pointer dereference oops on subsequent use of that pointer. Return +instead. + +Passes audit-testsuite. +See: https://github.com/linux-audit/audit-kernel/issues/76 + +Signed-off-by: Richard Guy Briggs +[PM: not necessary (other funcs check for NULL), but a good practice] +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/audit.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/audit.c ++++ b/kernel/audit.c +@@ -1058,6 +1058,8 @@ static void audit_log_feature_change(int + return; + + ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_FEATURE_CHANGE); ++ if (!ab) ++ return; + audit_log_task_info(ab, current); + audit_log_format(ab, " feature=%s old=%u new=%u old_lock=%u new_lock=%u res=%d", + audit_feature_names[which], !!old_feature, !!new_feature, diff --git a/queue-4.16/bcache-fix-cached_dev-count-usage-for-bch_cache_set_error.patch b/queue-4.16/bcache-fix-cached_dev-count-usage-for-bch_cache_set_error.patch new file mode 100644 index 00000000000..f1108da8210 --- /dev/null +++ b/queue-4.16/bcache-fix-cached_dev-count-usage-for-bch_cache_set_error.patch @@ -0,0 +1,176 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Coly Li +Date: Sun, 18 Mar 2018 17:36:14 -0700 +Subject: bcache: fix cached_dev->count usage for bch_cache_set_error() + +From: Coly Li + +[ Upstream commit 804f3c6981f5e4a506a8f14dc284cb218d0659ae ] + +When bcache metadata I/O fails, bcache will call bch_cache_set_error() +to retire the whole cache set. The expected behavior to retire a cache +set is to unregister the cache set, and unregister all backing device +attached to this cache set, then remove sysfs entries of the cache set +and all attached backing devices, finally release memory of structs +cache_set, cache, cached_dev and bcache_device. + +In my testing when journal I/O failure triggered by disconnected cache +device, sometimes the cache set cannot be retired, and its sysfs +entry /sys/fs/bcache/ still exits and the backing device also +references it. This is not expected behavior. + +When metadata I/O failes, the call senquence to retire whole cache set is, + bch_cache_set_error() + bch_cache_set_unregister() + bch_cache_set_stop() + __cache_set_unregister() <- called as callback by calling + clousre_queue(&c->caching) + cache_set_flush() <- called as a callback when refcount + of cache_set->caching is 0 + cache_set_free() <- called as a callback when refcount + of catch_set->cl is 0 + bch_cache_set_release() <- called as a callback when refcount + of catch_set->kobj is 0 + +I find if kernel thread bch_writeback_thread() quits while-loop when +kthread_should_stop() is true and searched_full_index is false, clousre +callback cache_set_flush() set by continue_at() will never be called. The +result is, bcache fails to retire whole cache set. + +cache_set_flush() will be called when refcount of closure c->caching is 0, +and in function bcache_device_detach() refcount of closure c->caching is +released to 0 by clousre_put(). In metadata error code path, function +bcache_device_detach() is called by cached_dev_detach_finish(). This is a +callback routine being called when cached_dev->count is 0. This refcount +is decreased by cached_dev_put(). + +The above dependence indicates, cache_set_flush() will be called when +refcount of cache_set->cl is 0, and refcount of cache_set->cl to be 0 +when refcount of cache_dev->count is 0. + +The reason why sometimes cache_dev->count is not 0 (when metadata I/O fails +and bch_cache_set_error() called) is, in bch_writeback_thread(), refcount +of cache_dev is not decreased properly. + +In bch_writeback_thread(), cached_dev_put() is called only when +searched_full_index is true and cached_dev->writeback_keys is empty, a.k.a +there is no dirty data on cache. In most of run time it is correct, but +when bch_writeback_thread() quits the while-loop while cache is still +dirty, current code forget to call cached_dev_put() before this kernel +thread exits. This is why sometimes cache_set_flush() is not executed and +cache set fails to be retired. + +The reason to call cached_dev_put() in bch_writeback_rate() is, when the +cache device changes from clean to dirty, cached_dev_get() is called, to +make sure during writeback operatiions both backing and cache devices +won't be released. + +Adding following code in bch_writeback_thread() does not work, + static int bch_writeback_thread(void *arg) + } + ++ if (atomic_read(&dc->has_dirty)) ++ cached_dev_put() ++ + return 0; + } +because writeback kernel thread can be waken up and start via sysfs entry: + echo 1 > /sys/block/bcache/bcache/writeback_running +It is difficult to check whether backing device is dirty without race and +extra lock. So the above modification will introduce potential refcount +underflow in some conditions. + +The correct fix is, to take cached dev refcount when creating the kernel +thread, and put it before the kernel thread exits. Then bcache does not +need to take a cached dev refcount when cache turns from clean to dirty, +or to put a cached dev refcount when cache turns from ditry to clean. The +writeback kernel thread is alwasy safe to reference data structure from +cache set, cache and cached device (because a refcount of cache device is +taken for it already), and no matter the kernel thread is stopped by I/O +errors or system reboot, cached_dev->count can always be used correctly. + +The patch is simple, but understanding how it works is quite complicated. + +Changelog: +v2: set dc->writeback_thread to NULL in this patch, as suggested by Hannes. +v1: initial version for review. + +Signed-off-by: Coly Li +Reviewed-by: Hannes Reinecke +Reviewed-by: Michael Lyle +Cc: Michael Lyle +Cc: Junhui Tang +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/bcache/super.c | 1 - + drivers/md/bcache/writeback.c | 11 ++++++++--- + drivers/md/bcache/writeback.h | 2 -- + 3 files changed, 8 insertions(+), 6 deletions(-) + +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -1065,7 +1065,6 @@ int bch_cached_dev_attach(struct cached_ + if (BDEV_STATE(&dc->sb) == BDEV_STATE_DIRTY) { + bch_sectors_dirty_init(&dc->disk); + atomic_set(&dc->has_dirty, 1); +- refcount_inc(&dc->count); + bch_writeback_queue(dc); + } + +--- a/drivers/md/bcache/writeback.c ++++ b/drivers/md/bcache/writeback.c +@@ -578,7 +578,7 @@ static int bch_writeback_thread(void *ar + + if (kthread_should_stop()) { + set_current_state(TASK_RUNNING); +- return 0; ++ break; + } + + schedule(); +@@ -591,7 +591,6 @@ static int bch_writeback_thread(void *ar + if (searched_full_index && + RB_EMPTY_ROOT(&dc->writeback_keys.keys)) { + atomic_set(&dc->has_dirty, 0); +- cached_dev_put(dc); + SET_BDEV_STATE(&dc->sb, BDEV_STATE_CLEAN); + bch_write_bdev_super(dc, NULL); + /* +@@ -620,6 +619,9 @@ static int bch_writeback_thread(void *ar + } + } + ++ dc->writeback_thread = NULL; ++ cached_dev_put(dc); ++ + return 0; + } + +@@ -683,10 +685,13 @@ int bch_cached_dev_writeback_start(struc + if (!dc->writeback_write_wq) + return -ENOMEM; + ++ cached_dev_get(dc); + dc->writeback_thread = kthread_create(bch_writeback_thread, dc, + "bcache_writeback"); +- if (IS_ERR(dc->writeback_thread)) ++ if (IS_ERR(dc->writeback_thread)) { ++ cached_dev_put(dc); + return PTR_ERR(dc->writeback_thread); ++ } + + schedule_delayed_work(&dc->writeback_rate_update, + dc->writeback_rate_update_seconds * HZ); +--- a/drivers/md/bcache/writeback.h ++++ b/drivers/md/bcache/writeback.h +@@ -105,8 +105,6 @@ static inline void bch_writeback_add(str + { + if (!atomic_read(&dc->has_dirty) && + !atomic_xchg(&dc->has_dirty, 1)) { +- refcount_inc(&dc->count); +- + if (BDEV_STATE(&dc->sb) != BDEV_STATE_DIRTY) { + SET_BDEV_STATE(&dc->sb, BDEV_STATE_DIRTY); + /* XXX: should do this synchronously */ diff --git a/queue-4.16/bcache-quit-dc-writeback_thread-when-bcache_dev_detaching-is-set.patch b/queue-4.16/bcache-quit-dc-writeback_thread-when-bcache_dev_detaching-is-set.patch new file mode 100644 index 00000000000..ea6ddb29880 --- /dev/null +++ b/queue-4.16/bcache-quit-dc-writeback_thread-when-bcache_dev_detaching-is-set.patch @@ -0,0 +1,132 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Coly Li +Date: Sun, 18 Mar 2018 17:36:15 -0700 +Subject: bcache: quit dc->writeback_thread when BCACHE_DEV_DETACHING is set + +From: Coly Li + +[ Upstream commit fadd94e05c02afec7b70b0b14915624f1782f578 ] + +In patch "bcache: fix cached_dev->count usage for bch_cache_set_error()", +cached_dev_get() is called when creating dc->writeback_thread, and +cached_dev_put() is called when exiting dc->writeback_thread. This +modification works well unless people detach the bcache device manually by + 'echo 1 > /sys/block/bcache/bcache/detach' +Because this sysfs interface only calls bch_cached_dev_detach() which wakes +up dc->writeback_thread but does not stop it. The reason is, before patch +"bcache: fix cached_dev->count usage for bch_cache_set_error()", inside +bch_writeback_thread(), if cache is not dirty after writeback, +cached_dev_put() will be called here. And in cached_dev_make_request() when +a new write request makes cache from clean to dirty, cached_dev_get() will +be called there. Since we don't operate dc->count in these locations, +refcount d->count cannot be dropped after cache becomes clean, and +cached_dev_detach_finish() won't be called to detach bcache device. + +This patch fixes the issue by checking whether BCACHE_DEV_DETACHING is +set inside bch_writeback_thread(). If this bit is set and cache is clean +(no existing writeback_keys), break the while-loop, call cached_dev_put() +and quit the writeback thread. + +Please note if cache is still dirty, even BCACHE_DEV_DETACHING is set the +writeback thread should continue to perform writeback, this is the original +design of manually detach. + +It is safe to do the following check without locking, let me explain why, ++ if (!test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags) && ++ (!atomic_read(&dc->has_dirty) || !dc->writeback_running)) { + +If the kenrel thread does not sleep and continue to run due to conditions +are not updated in time on the running CPU core, it just consumes more CPU +cycles and has no hurt. This should-sleep-but-run is safe here. We just +focus on the should-run-but-sleep condition, which means the writeback +thread goes to sleep in mistake while it should continue to run. +1, First of all, no matter the writeback thread is hung or not, + kthread_stop() from cached_dev_detach_finish() will wake up it and + terminate by making kthread_should_stop() return true. And in normal + run time, bit on index BCACHE_DEV_DETACHING is always cleared, the + condition + !test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags) + is always true and can be ignored as constant value. +2, If one of the following conditions is true, the writeback thread should + go to sleep, + "!atomic_read(&dc->has_dirty)" or "!dc->writeback_running)" + each of them independently controls the writeback thread should sleep or + not, let's analyse them one by one. +2.1 condition "!atomic_read(&dc->has_dirty)" + If dc->has_dirty is set from 0 to 1 on another CPU core, bcache will + call bch_writeback_queue() immediately or call bch_writeback_add() which + indirectly calls bch_writeback_queue() too. In bch_writeback_queue(), + wake_up_process(dc->writeback_thread) is called. It sets writeback + thread's task state to TASK_RUNNING and following an implicit memory + barrier, then tries to wake up the writeback thread. + In writeback thread, its task state is set to TASK_INTERRUPTIBLE before + doing the condition check. If other CPU core sets the TASK_RUNNING state + after writeback thread setting TASK_INTERRUPTIBLE, the writeback thread + will be scheduled to run very soon because its state is not + TASK_INTERRUPTIBLE. If other CPU core sets the TASK_RUNNING state before + writeback thread setting TASK_INTERRUPTIBLE, the implict memory barrier + of wake_up_process() will make sure modification of dc->has_dirty on + other CPU core is updated and observed on the CPU core of writeback + thread. Therefore the condition check will correctly be false, and + continue writeback code without sleeping. +2.2 condition "!dc->writeback_running)" + dc->writeback_running can be changed via sysfs file, every time it is + modified, a following bch_writeback_queue() is alwasy called. So the + change is always observed on the CPU core of writeback thread. If + dc->writeback_running is changed from 0 to 1 on other CPU core, this + condition check will observe the modification and allow writeback + thread to continue to run without sleeping. +Now we can see, even without a locking protection, multiple conditions +check is safe here, no deadlock or process hang up will happen. + +I compose a separte patch because that patch "bcache: fix cached_dev->count +usage for bch_cache_set_error()" already gets a "Reviewed-by:" from Hannes +Reinecke. Also this fix is not trivial and good for a separate patch. + +Signed-off-by: Coly Li +Reviewed-by: Michael Lyle +Cc: Hannes Reinecke +Cc: Huijun Tang +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/bcache/writeback.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +--- a/drivers/md/bcache/writeback.c ++++ b/drivers/md/bcache/writeback.c +@@ -565,9 +565,15 @@ static int bch_writeback_thread(void *ar + while (!kthread_should_stop()) { + down_write(&dc->writeback_lock); + set_current_state(TASK_INTERRUPTIBLE); +- if (!atomic_read(&dc->has_dirty) || +- (!test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags) && +- !dc->writeback_running)) { ++ /* ++ * If the bache device is detaching, skip here and continue ++ * to perform writeback. Otherwise, if no dirty data on cache, ++ * or there is dirty data on cache but writeback is disabled, ++ * the writeback thread should sleep here and wait for others ++ * to wake up it. ++ */ ++ if (!test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags) && ++ (!atomic_read(&dc->has_dirty) || !dc->writeback_running)) { + up_write(&dc->writeback_lock); + + if (kthread_should_stop()) { +@@ -588,6 +594,14 @@ static int bch_writeback_thread(void *ar + cached_dev_put(dc); + SET_BDEV_STATE(&dc->sb, BDEV_STATE_CLEAN); + bch_write_bdev_super(dc, NULL); ++ /* ++ * If bcache device is detaching via sysfs interface, ++ * writeback thread should stop after there is no dirty ++ * data on cache. BCACHE_DEV_DETACHING flag is set in ++ * bch_cached_dev_detach(). ++ */ ++ if (test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags)) ++ break; + } + + up_write(&dc->writeback_lock); diff --git a/queue-4.16/bcache-stop-dc-writeback_rate_update-properly.patch b/queue-4.16/bcache-stop-dc-writeback_rate_update-properly.patch new file mode 100644 index 00000000000..bd7abbdfd50 --- /dev/null +++ b/queue-4.16/bcache-stop-dc-writeback_rate_update-properly.patch @@ -0,0 +1,264 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Coly Li +Date: Sun, 18 Mar 2018 17:36:16 -0700 +Subject: bcache: stop dc->writeback_rate_update properly + +From: Coly Li + +[ Upstream commit 3fd47bfe55b00d5ac7b0a44c9301c07be39b1082 ] + +struct delayed_work writeback_rate_update in struct cache_dev is a delayed +worker to call function update_writeback_rate() in period (the interval is +defined by dc->writeback_rate_update_seconds). + +When a metadate I/O error happens on cache device, bcache error handling +routine bch_cache_set_error() will call bch_cache_set_unregister() to +retire whole cache set. On the unregister code path, this delayed work is +stopped by calling cancel_delayed_work_sync(&dc->writeback_rate_update). + +dc->writeback_rate_update is a special delayed work from others in bcache. +In its routine update_writeback_rate(), this delayed work is re-armed +itself. That means when cancel_delayed_work_sync() returns, this delayed +work can still be executed after several seconds defined by +dc->writeback_rate_update_seconds. + +The problem is, after cancel_delayed_work_sync() returns, the cache set +unregister code path will continue and release memory of struct cache set. +Then the delayed work is scheduled to run, __update_writeback_rate() +will reference the already released cache_set memory, and trigger a NULL +pointer deference fault. + +This patch introduces two more bcache device flags, +- BCACHE_DEV_WB_RUNNING + bit set: bcache device is in writeback mode and running, it is OK for + dc->writeback_rate_update to re-arm itself. + bit clear:bcache device is trying to stop dc->writeback_rate_update, + this delayed work should not re-arm itself and quit. +- BCACHE_DEV_RATE_DW_RUNNING + bit set: routine update_writeback_rate() is executing. + bit clear: routine update_writeback_rate() quits. + +This patch also adds a function cancel_writeback_rate_update_dwork() to +wait for dc->writeback_rate_update quits before cancel it by calling +cancel_delayed_work_sync(). In order to avoid a deadlock by unexpected +quit dc->writeback_rate_update, after time_out seconds this function will +give up and continue to call cancel_delayed_work_sync(). + +And here I explain how this patch stops self re-armed delayed work properly +with the above stuffs. + +update_writeback_rate() sets BCACHE_DEV_RATE_DW_RUNNING at its beginning +and clears BCACHE_DEV_RATE_DW_RUNNING at its end. Before calling +cancel_writeback_rate_update_dwork() clear flag BCACHE_DEV_WB_RUNNING. + +Before calling cancel_delayed_work_sync() wait utill flag +BCACHE_DEV_RATE_DW_RUNNING is clear. So when calling +cancel_delayed_work_sync(), dc->writeback_rate_update must be already re- +armed, or quite by seeing BCACHE_DEV_WB_RUNNING cleared. In both cases +delayed work routine update_writeback_rate() won't be executed after +cancel_delayed_work_sync() returns. + +Inside update_writeback_rate() before calling schedule_delayed_work(), flag +BCACHE_DEV_WB_RUNNING is checked before. If this flag is cleared, it means +someone is about to stop the delayed work. Because flag +BCACHE_DEV_RATE_DW_RUNNING is set already and cancel_delayed_work_sync() +has to wait for this flag to be cleared, we don't need to worry about race +condition here. + +If update_writeback_rate() is scheduled to run after checking +BCACHE_DEV_RATE_DW_RUNNING and before calling cancel_delayed_work_sync() +in cancel_writeback_rate_update_dwork(), it is also safe. Because at this +moment BCACHE_DEV_WB_RUNNING is cleared with memory barrier. As I mentioned +previously, update_writeback_rate() will see BCACHE_DEV_WB_RUNNING is clear +and quit immediately. + +Because there are more dependences inside update_writeback_rate() to struct +cache_set memory, dc->writeback_rate_update is not a simple self re-arm +delayed work. After trying many different methods (e.g. hold dc->count, or +use locks), this is the only way I can find which works to properly stop +dc->writeback_rate_update delayed work. + +Changelog: +v3: change values of BCACHE_DEV_WB_RUNNING and BCACHE_DEV_RATE_DW_RUNNING + to bit index, for test_bit(). +v2: Try to fix the race issue which is pointed out by Junhui. +v1: The initial version for review + +Signed-off-by: Coly Li +Reviewed-by: Junhui Tang +Reviewed-by: Michael Lyle +Cc: Michael Lyle +Cc: Hannes Reinecke +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/bcache/bcache.h | 9 +++++---- + drivers/md/bcache/super.c | 38 ++++++++++++++++++++++++++++++++++---- + drivers/md/bcache/sysfs.c | 3 ++- + drivers/md/bcache/writeback.c | 29 ++++++++++++++++++++++++++++- + 4 files changed, 69 insertions(+), 10 deletions(-) + +--- a/drivers/md/bcache/bcache.h ++++ b/drivers/md/bcache/bcache.h +@@ -258,10 +258,11 @@ struct bcache_device { + struct gendisk *disk; + + unsigned long flags; +-#define BCACHE_DEV_CLOSING 0 +-#define BCACHE_DEV_DETACHING 1 +-#define BCACHE_DEV_UNLINK_DONE 2 +- ++#define BCACHE_DEV_CLOSING 0 ++#define BCACHE_DEV_DETACHING 1 ++#define BCACHE_DEV_UNLINK_DONE 2 ++#define BCACHE_DEV_WB_RUNNING 3 ++#define BCACHE_DEV_RATE_DW_RUNNING 4 + unsigned nr_stripes; + unsigned stripe_size; + atomic_t *stripe_sectors_dirty; +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -899,6 +899,31 @@ void bch_cached_dev_run(struct cached_de + pr_debug("error creating sysfs link"); + } + ++/* ++ * If BCACHE_DEV_RATE_DW_RUNNING is set, it means routine of the delayed ++ * work dc->writeback_rate_update is running. Wait until the routine ++ * quits (BCACHE_DEV_RATE_DW_RUNNING is clear), then continue to ++ * cancel it. If BCACHE_DEV_RATE_DW_RUNNING is not clear after time_out ++ * seconds, give up waiting here and continue to cancel it too. ++ */ ++static void cancel_writeback_rate_update_dwork(struct cached_dev *dc) ++{ ++ int time_out = WRITEBACK_RATE_UPDATE_SECS_MAX * HZ; ++ ++ do { ++ if (!test_bit(BCACHE_DEV_RATE_DW_RUNNING, ++ &dc->disk.flags)) ++ break; ++ time_out--; ++ schedule_timeout_interruptible(1); ++ } while (time_out > 0); ++ ++ if (time_out == 0) ++ pr_warn("give up waiting for dc->writeback_write_update to quit"); ++ ++ cancel_delayed_work_sync(&dc->writeback_rate_update); ++} ++ + static void cached_dev_detach_finish(struct work_struct *w) + { + struct cached_dev *dc = container_of(w, struct cached_dev, detach); +@@ -911,7 +936,9 @@ static void cached_dev_detach_finish(str + + mutex_lock(&bch_register_lock); + +- cancel_delayed_work_sync(&dc->writeback_rate_update); ++ if (test_and_clear_bit(BCACHE_DEV_WB_RUNNING, &dc->disk.flags)) ++ cancel_writeback_rate_update_dwork(dc); ++ + if (!IS_ERR_OR_NULL(dc->writeback_thread)) { + kthread_stop(dc->writeback_thread); + dc->writeback_thread = NULL; +@@ -954,6 +981,7 @@ void bch_cached_dev_detach(struct cached + closure_get(&dc->disk.cl); + + bch_writeback_queue(dc); ++ + cached_dev_put(dc); + } + +@@ -1092,14 +1120,16 @@ static void cached_dev_free(struct closu + { + struct cached_dev *dc = container_of(cl, struct cached_dev, disk.cl); + +- cancel_delayed_work_sync(&dc->writeback_rate_update); ++ mutex_lock(&bch_register_lock); ++ ++ if (test_and_clear_bit(BCACHE_DEV_WB_RUNNING, &dc->disk.flags)) ++ cancel_writeback_rate_update_dwork(dc); ++ + if (!IS_ERR_OR_NULL(dc->writeback_thread)) + kthread_stop(dc->writeback_thread); + if (dc->writeback_write_wq) + destroy_workqueue(dc->writeback_write_wq); + +- mutex_lock(&bch_register_lock); +- + if (atomic_read(&dc->running)) + bd_unlink_disk_holder(dc->bdev, dc->disk.disk); + bcache_device_free(&dc->disk); +--- a/drivers/md/bcache/sysfs.c ++++ b/drivers/md/bcache/sysfs.c +@@ -309,7 +309,8 @@ STORE(bch_cached_dev) + bch_writeback_queue(dc); + + if (attr == &sysfs_writeback_percent) +- schedule_delayed_work(&dc->writeback_rate_update, ++ if (!test_and_set_bit(BCACHE_DEV_WB_RUNNING, &dc->disk.flags)) ++ schedule_delayed_work(&dc->writeback_rate_update, + dc->writeback_rate_update_seconds * HZ); + + mutex_unlock(&bch_register_lock); +--- a/drivers/md/bcache/writeback.c ++++ b/drivers/md/bcache/writeback.c +@@ -115,6 +115,21 @@ static void update_writeback_rate(struct + struct cached_dev, + writeback_rate_update); + ++ /* ++ * should check BCACHE_DEV_RATE_DW_RUNNING before calling ++ * cancel_delayed_work_sync(). ++ */ ++ set_bit(BCACHE_DEV_RATE_DW_RUNNING, &dc->disk.flags); ++ /* paired with where BCACHE_DEV_RATE_DW_RUNNING is tested */ ++ smp_mb(); ++ ++ if (!test_bit(BCACHE_DEV_WB_RUNNING, &dc->disk.flags)) { ++ clear_bit(BCACHE_DEV_RATE_DW_RUNNING, &dc->disk.flags); ++ /* paired with where BCACHE_DEV_RATE_DW_RUNNING is tested */ ++ smp_mb(); ++ return; ++ } ++ + down_read(&dc->writeback_lock); + + if (atomic_read(&dc->has_dirty) && +@@ -123,8 +138,18 @@ static void update_writeback_rate(struct + + up_read(&dc->writeback_lock); + +- schedule_delayed_work(&dc->writeback_rate_update, ++ if (test_bit(BCACHE_DEV_WB_RUNNING, &dc->disk.flags)) { ++ schedule_delayed_work(&dc->writeback_rate_update, + dc->writeback_rate_update_seconds * HZ); ++ } ++ ++ /* ++ * should check BCACHE_DEV_RATE_DW_RUNNING before calling ++ * cancel_delayed_work_sync(). ++ */ ++ clear_bit(BCACHE_DEV_RATE_DW_RUNNING, &dc->disk.flags); ++ /* paired with where BCACHE_DEV_RATE_DW_RUNNING is tested */ ++ smp_mb(); + } + + static unsigned writeback_delay(struct cached_dev *dc, unsigned sectors) +@@ -675,6 +700,7 @@ void bch_cached_dev_writeback_init(struc + dc->writeback_rate_p_term_inverse = 40; + dc->writeback_rate_i_term_inverse = 10000; + ++ WARN_ON(test_and_clear_bit(BCACHE_DEV_WB_RUNNING, &dc->disk.flags)); + INIT_DELAYED_WORK(&dc->writeback_rate_update, update_writeback_rate); + } + +@@ -693,6 +719,7 @@ int bch_cached_dev_writeback_start(struc + return PTR_ERR(dc->writeback_thread); + } + ++ WARN_ON(test_and_set_bit(BCACHE_DEV_WB_RUNNING, &dc->disk.flags)); + schedule_delayed_work(&dc->writeback_rate_update, + dc->writeback_rate_update_seconds * HZ); + diff --git a/queue-4.16/block-fix-a-race-between-request-queue-removal-and-the-block-cgroup-controller.patch b/queue-4.16/block-fix-a-race-between-request-queue-removal-and-the-block-cgroup-controller.patch new file mode 100644 index 00000000000..d93fc2200fb --- /dev/null +++ b/queue-4.16/block-fix-a-race-between-request-queue-removal-and-the-block-cgroup-controller.patch @@ -0,0 +1,97 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Bart Van Assche +Date: Wed, 28 Feb 2018 10:15:33 -0800 +Subject: block: Fix a race between request queue removal and the block cgroup controller + +From: Bart Van Assche + +[ Upstream commit a063057d7c731cffa7d10740e8ebc2970df8dbb3 ] + +Avoid that the following race can occur: + +blk_cleanup_queue() blkcg_print_blkgs() + spin_lock_irq(lock) (1) spin_lock_irq(blkg->q->queue_lock) (2,5) + q->queue_lock = &q->__queue_lock (3) + spin_unlock_irq(lock) (4) + spin_unlock_irq(blkg->q->queue_lock) (6) + +(1) take driver lock; +(2) busy loop for driver lock; +(3) override driver lock with internal lock; +(4) unlock driver lock; +(5) can take driver lock now; +(6) but unlock internal lock. + +This change is safe because only the SCSI core and the NVME core keep +a reference on a request queue after having called blk_cleanup_queue(). +Neither driver accesses any of the removed data structures between its +blk_cleanup_queue() and blk_put_queue() calls. + +Reported-by: Joseph Qi +Signed-off-by: Bart Van Assche +Reviewed-by: Joseph Qi +Cc: Jan Kara +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-core.c | 31 +++++++++++++++++++++++++++++++ + block/blk-sysfs.c | 7 ------- + 2 files changed, 31 insertions(+), 7 deletions(-) + +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -723,6 +723,37 @@ void blk_cleanup_queue(struct request_qu + del_timer_sync(&q->backing_dev_info->laptop_mode_wb_timer); + blk_sync_queue(q); + ++ /* ++ * I/O scheduler exit is only safe after the sysfs scheduler attribute ++ * has been removed. ++ */ ++ WARN_ON_ONCE(q->kobj.state_in_sysfs); ++ ++ /* ++ * Since the I/O scheduler exit code may access cgroup information, ++ * perform I/O scheduler exit before disassociating from the block ++ * cgroup controller. ++ */ ++ if (q->elevator) { ++ ioc_clear_queue(q); ++ elevator_exit(q, q->elevator); ++ q->elevator = NULL; ++ } ++ ++ /* ++ * Remove all references to @q from the block cgroup controller before ++ * restoring @q->queue_lock to avoid that restoring this pointer causes ++ * e.g. blkcg_print_blkgs() to crash. ++ */ ++ blkcg_exit_queue(q); ++ ++ /* ++ * Since the cgroup code may dereference the @q->backing_dev_info ++ * pointer, only decrease its reference count after having removed the ++ * association with the block cgroup controller. ++ */ ++ bdi_put(q->backing_dev_info); ++ + if (q->mq_ops) + blk_mq_free_queue(q); + percpu_ref_exit(&q->q_usage_counter); +--- a/block/blk-sysfs.c ++++ b/block/blk-sysfs.c +@@ -798,13 +798,6 @@ static void __blk_release_queue(struct w + if (test_bit(QUEUE_FLAG_POLL_STATS, &q->queue_flags)) + blk_stat_remove_callback(q, q->poll_cb); + blk_stat_free_callback(q->poll_cb); +- bdi_put(q->backing_dev_info); +- blkcg_exit_queue(q); +- +- if (q->elevator) { +- ioc_clear_queue(q); +- elevator_exit(q, q->elevator); +- } + + blk_free_queue_stats(q->stats); + diff --git a/queue-4.16/block-null_blk-fix-invalid-parameters-when-loading-module.patch b/queue-4.16/block-null_blk-fix-invalid-parameters-when-loading-module.patch new file mode 100644 index 00000000000..242aa517abd --- /dev/null +++ b/queue-4.16/block-null_blk-fix-invalid-parameters-when-loading-module.patch @@ -0,0 +1,167 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Ming Lei +Date: Tue, 6 Mar 2018 12:07:13 +0800 +Subject: block: null_blk: fix 'Invalid parameters' when loading module + +From: Ming Lei + +[ Upstream commit 66231ad3e2886ba99fbf440cea44cab547e5163f ] + +On ARM64, the default page size has been 64K on some distributions, and +we should allow ARM64 people to play null_blk. + +This patch fixes the issue by extend page bitmap size for supporting +other non-4KB PAGE_SIZE. + +Cc: Bart Van Assche +Cc: Shaohua Li +Cc: Kyungchan Koh , +Cc: weiping zhang +Cc: Yi Zhang +Reported-by: Yi Zhang +Signed-off-by: Ming Lei +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/null_blk.c | 46 +++++++++++++++++++++++++--------------------- + 1 file changed, 25 insertions(+), 21 deletions(-) + +--- a/drivers/block/null_blk.c ++++ b/drivers/block/null_blk.c +@@ -72,6 +72,7 @@ enum nullb_device_flags { + NULLB_DEV_FL_CACHE = 3, + }; + ++#define MAP_SZ ((PAGE_SIZE >> SECTOR_SHIFT) + 2) + /* + * nullb_page is a page in memory for nullb devices. + * +@@ -86,10 +87,10 @@ enum nullb_device_flags { + */ + struct nullb_page { + struct page *page; +- unsigned long bitmap; ++ DECLARE_BITMAP(bitmap, MAP_SZ); + }; +-#define NULLB_PAGE_LOCK (sizeof(unsigned long) * 8 - 1) +-#define NULLB_PAGE_FREE (sizeof(unsigned long) * 8 - 2) ++#define NULLB_PAGE_LOCK (MAP_SZ - 1) ++#define NULLB_PAGE_FREE (MAP_SZ - 2) + + struct nullb_device { + struct nullb *nullb; +@@ -728,7 +729,7 @@ static struct nullb_page *null_alloc_pag + if (!t_page->page) + goto out_freepage; + +- t_page->bitmap = 0; ++ memset(t_page->bitmap, 0, sizeof(t_page->bitmap)); + return t_page; + out_freepage: + kfree(t_page); +@@ -738,13 +739,20 @@ out: + + static void null_free_page(struct nullb_page *t_page) + { +- __set_bit(NULLB_PAGE_FREE, &t_page->bitmap); +- if (test_bit(NULLB_PAGE_LOCK, &t_page->bitmap)) ++ __set_bit(NULLB_PAGE_FREE, t_page->bitmap); ++ if (test_bit(NULLB_PAGE_LOCK, t_page->bitmap)) + return; + __free_page(t_page->page); + kfree(t_page); + } + ++static bool null_page_empty(struct nullb_page *page) ++{ ++ int size = MAP_SZ - 2; ++ ++ return find_first_bit(page->bitmap, size) == size; ++} ++ + static void null_free_sector(struct nullb *nullb, sector_t sector, + bool is_cache) + { +@@ -759,9 +767,9 @@ static void null_free_sector(struct null + + t_page = radix_tree_lookup(root, idx); + if (t_page) { +- __clear_bit(sector_bit, &t_page->bitmap); ++ __clear_bit(sector_bit, t_page->bitmap); + +- if (!t_page->bitmap) { ++ if (null_page_empty(t_page)) { + ret = radix_tree_delete_item(root, idx, t_page); + WARN_ON(ret != t_page); + null_free_page(ret); +@@ -832,7 +840,7 @@ static struct nullb_page *__null_lookup_ + t_page = radix_tree_lookup(root, idx); + WARN_ON(t_page && t_page->page->index != idx); + +- if (t_page && (for_write || test_bit(sector_bit, &t_page->bitmap))) ++ if (t_page && (for_write || test_bit(sector_bit, t_page->bitmap))) + return t_page; + + return NULL; +@@ -895,10 +903,10 @@ static int null_flush_cache_page(struct + + t_page = null_insert_page(nullb, idx << PAGE_SECTORS_SHIFT, true); + +- __clear_bit(NULLB_PAGE_LOCK, &c_page->bitmap); +- if (test_bit(NULLB_PAGE_FREE, &c_page->bitmap)) { ++ __clear_bit(NULLB_PAGE_LOCK, c_page->bitmap); ++ if (test_bit(NULLB_PAGE_FREE, c_page->bitmap)) { + null_free_page(c_page); +- if (t_page && t_page->bitmap == 0) { ++ if (t_page && null_page_empty(t_page)) { + ret = radix_tree_delete_item(&nullb->dev->data, + idx, t_page); + null_free_page(t_page); +@@ -914,11 +922,11 @@ static int null_flush_cache_page(struct + + for (i = 0; i < PAGE_SECTORS; + i += (nullb->dev->blocksize >> SECTOR_SHIFT)) { +- if (test_bit(i, &c_page->bitmap)) { ++ if (test_bit(i, c_page->bitmap)) { + offset = (i << SECTOR_SHIFT); + memcpy(dst + offset, src + offset, + nullb->dev->blocksize); +- __set_bit(i, &t_page->bitmap); ++ __set_bit(i, t_page->bitmap); + } + } + +@@ -955,10 +963,10 @@ again: + * We found the page which is being flushed to disk by other + * threads + */ +- if (test_bit(NULLB_PAGE_LOCK, &c_pages[i]->bitmap)) ++ if (test_bit(NULLB_PAGE_LOCK, c_pages[i]->bitmap)) + c_pages[i] = NULL; + else +- __set_bit(NULLB_PAGE_LOCK, &c_pages[i]->bitmap); ++ __set_bit(NULLB_PAGE_LOCK, c_pages[i]->bitmap); + } + + one_round = 0; +@@ -1011,7 +1019,7 @@ static int copy_to_nullb(struct nullb *n + kunmap_atomic(dst); + kunmap_atomic(src); + +- __set_bit(sector & SECTOR_MASK, &t_page->bitmap); ++ __set_bit(sector & SECTOR_MASK, t_page->bitmap); + + if (is_fua) + null_free_sector(nullb, sector, true); +@@ -1802,10 +1810,6 @@ static int __init null_init(void) + struct nullb *nullb; + struct nullb_device *dev; + +- /* check for nullb_page.bitmap */ +- if (sizeof(unsigned long) * 8 - 2 < (PAGE_SIZE >> SECTOR_SHIFT)) +- return -EINVAL; +- + if (g_bs > PAGE_SIZE) { + pr_warn("null_blk: invalid block size\n"); + pr_warn("null_blk: defaults block size to %lu\n", PAGE_SIZE); diff --git a/queue-4.16/bluetooth-btusb-add-device-id-for-rtl8822be.patch b/queue-4.16/bluetooth-btusb-add-device-id-for-rtl8822be.patch new file mode 100644 index 00000000000..a6b3c2166c0 --- /dev/null +++ b/queue-4.16/bluetooth-btusb-add-device-id-for-rtl8822be.patch @@ -0,0 +1,33 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Larry Finger +Date: Sun, 11 Feb 2018 12:24:32 -0600 +Subject: Bluetooth: btusb: Add device ID for RTL8822BE + +From: Larry Finger + +[ Upstream commit fed03fe7e55b7dc16077f672bd9d7bbe92b3a691 ] + +The Asus Z370-I contains a Realtek RTL8822BE device with an associated +BT chip using a USB ID of 0b05:185c. This device is added to the driver. + +Signed-off-by: Hon Weng Chong +Signed-off-by: Larry Finger +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btusb.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -377,6 +377,9 @@ static const struct usb_device_id blackl + { USB_DEVICE(0x13d3, 0x3461), .driver_info = BTUSB_REALTEK }, + { USB_DEVICE(0x13d3, 0x3462), .driver_info = BTUSB_REALTEK }, + ++ /* Additional Realtek 8822BE Bluetooth devices */ ++ { USB_DEVICE(0x0b05, 0x185c), .driver_info = BTUSB_REALTEK }, ++ + /* Silicon Wave based devices */ + { USB_DEVICE(0x0c10, 0x0000), .driver_info = BTUSB_SWAVE }, + diff --git a/queue-4.16/bluetooth-btusb-add-support-for-intel-bluetooth-device-22560.patch b/queue-4.16/bluetooth-btusb-add-support-for-intel-bluetooth-device-22560.patch new file mode 100644 index 00000000000..0cc1ee28ab9 --- /dev/null +++ b/queue-4.16/bluetooth-btusb-add-support-for-intel-bluetooth-device-22560.patch @@ -0,0 +1,88 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Tedd Ho-Jeong An +Date: Mon, 5 Feb 2018 14:20:36 -0800 +Subject: Bluetooth: btusb: Add support for Intel Bluetooth device 22560 [8087:0026] + +From: Tedd Ho-Jeong An + +[ Upstream commit 1ce0cec1c14cda7e514fa21b36c0f035203b447d ] + +The Intel Bluetooth device 22560 family (HarrisonPeak, QnJ, and IcyPeak) +use the same firmware loading mechanism as previous generation, +so include new USB product ID and whitelist the hardware variant. + +T: Bus=02 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 16 Spd=12 MxCh= 0 +D: Ver= 2.01 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=8087 ProdID=0026 Rev= 0.01 +C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA +I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=1ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms +I: If#= 1 Alt= 6 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 63 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 63 Ivl=1ms + +Signed-off-by: Tedd Ho-Jeong An +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btusb.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -340,6 +340,7 @@ static const struct usb_device_id blackl + + /* Intel Bluetooth devices */ + { USB_DEVICE(0x8087, 0x0025), .driver_info = BTUSB_INTEL_NEW }, ++ { USB_DEVICE(0x8087, 0x0026), .driver_info = BTUSB_INTEL_NEW }, + { USB_DEVICE(0x8087, 0x07da), .driver_info = BTUSB_CSR }, + { USB_DEVICE(0x8087, 0x07dc), .driver_info = BTUSB_INTEL }, + { USB_DEVICE(0x8087, 0x0a2a), .driver_info = BTUSB_INTEL }, +@@ -2079,6 +2080,8 @@ static int btusb_setup_intel_new(struct + case 0x0c: /* WsP */ + case 0x11: /* JfP */ + case 0x12: /* ThP */ ++ case 0x13: /* HrP */ ++ case 0x14: /* QnJ, IcP */ + break; + default: + BT_ERR("%s: Unsupported Intel hardware variant (%u)", +@@ -2171,6 +2174,8 @@ static int btusb_setup_intel_new(struct + break; + case 0x11: /* JfP */ + case 0x12: /* ThP */ ++ case 0x13: /* HrP */ ++ case 0x14: /* QnJ, IcP */ + snprintf(fwname, sizeof(fwname), "intel/ibt-%u-%u-%u.sfi", + le16_to_cpu(ver.hw_variant), + le16_to_cpu(ver.hw_revision), +@@ -2202,6 +2207,8 @@ static int btusb_setup_intel_new(struct + break; + case 0x11: /* JfP */ + case 0x12: /* ThP */ ++ case 0x13: /* HrP */ ++ case 0x14: /* QnJ, IcP */ + snprintf(fwname, sizeof(fwname), "intel/ibt-%u-%u-%u.ddc", + le16_to_cpu(ver.hw_variant), + le16_to_cpu(ver.hw_revision), diff --git a/queue-4.16/bluetooth-btusb-add-usb-id-7392-a611-for-edimax-ew-7611ulb.patch b/queue-4.16/bluetooth-btusb-add-usb-id-7392-a611-for-edimax-ew-7611ulb.patch new file mode 100644 index 00000000000..06da9272ca5 --- /dev/null +++ b/queue-4.16/bluetooth-btusb-add-usb-id-7392-a611-for-edimax-ew-7611ulb.patch @@ -0,0 +1,74 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Vicente Bergas +Date: Tue, 20 Mar 2018 19:41:10 +0100 +Subject: Bluetooth: btusb: Add USB ID 7392:a611 for Edimax EW-7611ULB + +From: Vicente Bergas + +[ Upstream commit a41e0796396eeceff673af4a38feaee149c6ff86 ] + +This WiFi/Bluetooth USB dongle uses a Realtek chipset, so, use btrtl for it. + +Product information: +https://wikidevi.com/wiki/Edimax_EW-7611ULB + +>From /sys/kernel/debug/usb/devices +T: Bus=02 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#= 3 Spd=480 MxCh= 0 +D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=7392 ProdID=a611 Rev= 2.00 +S: Manufacturer=Realtek +S: Product=Edimax Wi-Fi N150 Bluetooth4.0 USB Adapter +S: SerialNumber=00e04c000001 +C:* #Ifs= 3 Cfg#= 1 Atr=e0 MxPwr=500mA +A: FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=01 +I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms +I:* If#= 2 Alt= 0 #EPs= 6 Cls=ff(vend.) Sub=ff Prot=ff Driver=rtl8723bu +E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=03(Int.) MxPS= 64 Ivl=500us +E: Ad=08(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=09(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +Tested-by: Vicente Bergas +Signed-off-by: Vicente Bergas +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btusb.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -367,6 +367,9 @@ static const struct usb_device_id blackl + { USB_DEVICE(0x13d3, 0x3459), .driver_info = BTUSB_REALTEK }, + { USB_DEVICE(0x13d3, 0x3494), .driver_info = BTUSB_REALTEK }, + ++ /* Additional Realtek 8723BU Bluetooth devices */ ++ { USB_DEVICE(0x7392, 0xa611), .driver_info = BTUSB_REALTEK }, ++ + /* Additional Realtek 8821AE Bluetooth devices */ + { USB_DEVICE(0x0b05, 0x17dc), .driver_info = BTUSB_REALTEK }, + { USB_DEVICE(0x13d3, 0x3414), .driver_info = BTUSB_REALTEK }, diff --git a/queue-4.16/bnxt_en-fix-clear-flags-in-ethtool-reset-handling.patch b/queue-4.16/bnxt_en-fix-clear-flags-in-ethtool-reset-handling.patch new file mode 100644 index 00000000000..62b961aafbb --- /dev/null +++ b/queue-4.16/bnxt_en-fix-clear-flags-in-ethtool-reset-handling.patch @@ -0,0 +1,47 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Scott Branden +Date: Sat, 31 Mar 2018 13:54:09 -0400 +Subject: bnxt_en: fix clear flags in ethtool reset handling + +From: Scott Branden + +[ Upstream commit 2373d8d6a7932d28b8e31ea2a70bf6c002d97ac8 ] + +Clear flags when reset command processed successfully for components +specified. + +Fixes: 6502ad5963a5 ("bnxt_en: Add ETH_RESET_AP support") +Signed-off-by: Scott Branden +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c +@@ -2552,16 +2552,20 @@ static int bnxt_reset(struct net_device + return -EOPNOTSUPP; + + rc = bnxt_firmware_reset(dev, BNXT_FW_RESET_CHIP); +- if (!rc) ++ if (!rc) { + netdev_info(dev, "Reset request successful. Reload driver to complete reset\n"); ++ *flags = 0; ++ } + } else if (*flags == ETH_RESET_AP) { + /* This feature is not supported in older firmware versions */ + if (bp->hwrm_spec_code < 0x10803) + return -EOPNOTSUPP; + + rc = bnxt_firmware_reset(dev, BNXT_FW_RESET_AP); +- if (!rc) ++ if (!rc) { + netdev_info(dev, "Reset Application Processor request successful.\n"); ++ *flags = 0; ++ } + } else { + rc = -EINVAL; + } diff --git a/queue-4.16/bnxt_en-ignore-src-port-field-in-decap-filter-nodes.patch b/queue-4.16/bnxt_en-ignore-src-port-field-in-decap-filter-nodes.patch new file mode 100644 index 00000000000..ca723bde3fe --- /dev/null +++ b/queue-4.16/bnxt_en-ignore-src-port-field-in-decap-filter-nodes.patch @@ -0,0 +1,38 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Sriharsha Basavapatna +Date: Wed, 11 Apr 2018 11:50:15 -0400 +Subject: bnxt_en: Ignore src port field in decap filter nodes + +From: Sriharsha Basavapatna + +[ Upstream commit 479ca3bf91da971fcefc003cf5773e8d7db24794 ] + +The driver currently uses src port field (along with other fields) in the +decap tunnel key, while looking up and adding tunnel nodes. This leads to +redundant cfa_decap_filter_alloc() requests to the FW and flow-miss in the +flow engine. Fix this by ignoring the src port field in decap tunnel nodes. + +Fixes: f484f6782e01 ("bnxt_en: add hwrm FW cmds for cfa_encap_record and decap_filter") +Signed-off-by: Sriharsha Basavapatna +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c +@@ -992,8 +992,10 @@ static int bnxt_tc_get_decap_handle(stru + + /* Check if there's another flow using the same tunnel decap. + * If not, add this tunnel to the table and resolve the other +- * tunnel header fileds ++ * tunnel header fileds. Ignore src_port in the tunnel_key, ++ * since it is not required for decap filters. + */ ++ decap_key->tp_src = 0; + decap_node = bnxt_tc_get_tunnel_node(bp, &tc_info->decap_table, + &tc_info->decap_ht_params, + decap_key); diff --git a/queue-4.16/btrfs-bail-out-on-error-during-replay_dir_deletes.patch b/queue-4.16/btrfs-bail-out-on-error-during-replay_dir_deletes.patch new file mode 100644 index 00000000000..59798dbb417 --- /dev/null +++ b/queue-4.16/btrfs-bail-out-on-error-during-replay_dir_deletes.patch @@ -0,0 +1,37 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Liu Bo +Date: Tue, 3 Apr 2018 01:59:48 +0800 +Subject: Btrfs: bail out on error during replay_dir_deletes + +From: Liu Bo + +[ Upstream commit b98def7ca6e152ee55e36863dddf6f41f12d1dc6 ] + +If errors were returned by btrfs_next_leaf(), replay_dir_deletes needs +to bail out, otherwise @ret would be forced to be 0 after 'break;' and +the caller won't be aware of it. + +Fixes: e02119d5a7b4 ("Btrfs: Add a write ahead tree log to optimize synchronous operations") +Reviewed-by: Nikolay Borisov +Signed-off-by: Liu Bo +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tree-log.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -2356,8 +2356,10 @@ again: + nritems = btrfs_header_nritems(path->nodes[0]); + if (path->slots[0] >= nritems) { + ret = btrfs_next_leaf(root, path); +- if (ret) ++ if (ret == 1) + break; ++ else if (ret < 0) ++ goto out; + } + btrfs_item_key_to_cpu(path->nodes[0], &found_key, + path->slots[0]); diff --git a/queue-4.16/btrfs-clean-up-resources-during-umount-after-trans-is-aborted.patch b/queue-4.16/btrfs-clean-up-resources-during-umount-after-trans-is-aborted.patch new file mode 100644 index 00000000000..a654ba325d1 --- /dev/null +++ b/queue-4.16/btrfs-clean-up-resources-during-umount-after-trans-is-aborted.patch @@ -0,0 +1,47 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Liu Bo +Date: Sat, 31 Mar 2018 06:11:56 +0800 +Subject: Btrfs: clean up resources during umount after trans is aborted + +From: Liu Bo + +[ Upstream commit af7227338135d2f1b1552bf9a6d43e02dcba10b9 ] + +Currently if some fatal errors occur, like all IO get -EIO, resources +would be cleaned up when +a) transaction is being committed or +b) BTRFS_FS_STATE_ERROR is set + +However, in some rare cases, resources may be left alone after transaction +gets aborted and umount may run into some ASSERT(), e.g. +ASSERT(list_empty(&block_group->dirty_list)); + +For case a), in btrfs_commit_transaciton(), there're several places at the +beginning where we just call btrfs_end_transaction() without cleaning up +resources. For case b), it is possible that the trans handle doesn't have +any dirty stuff, then only trans hanlde is marked as aborted while +BTRFS_FS_STATE_ERROR is not set, so resources remain in memory. + +This makes btrfs also check BTRFS_FS_STATE_TRANS_ABORTED to make sure that +all resources won't stay in memory after umount. + +Signed-off-by: Liu Bo +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/disk-io.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -3735,7 +3735,8 @@ void close_ctree(struct btrfs_fs_info *f + btrfs_err(fs_info, "commit super ret %d", ret); + } + +- if (test_bit(BTRFS_FS_STATE_ERROR, &fs_info->fs_state)) ++ if (test_bit(BTRFS_FS_STATE_ERROR, &fs_info->fs_state) || ++ test_bit(BTRFS_FS_STATE_TRANS_ABORTED, &fs_info->fs_state)) + btrfs_error_commit_super(fs_info); + + kthread_stop(fs_info->transaction_kthread); diff --git a/queue-4.16/btrfs-fix-copy_items-return-value-when-logging-an-inode.patch b/queue-4.16/btrfs-fix-copy_items-return-value-when-logging-an-inode.patch new file mode 100644 index 00000000000..3498385f0c9 --- /dev/null +++ b/queue-4.16/btrfs-fix-copy_items-return-value-when-logging-an-inode.patch @@ -0,0 +1,42 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Filipe Manana +Date: Mon, 26 Mar 2018 23:59:12 +0100 +Subject: Btrfs: fix copy_items() return value when logging an inode + +From: Filipe Manana + +[ Upstream commit 8434ec46c6e3232cebc25a910363b29f5c617820 ] + +When logging an inode, at tree-log.c:copy_items(), if we call +btrfs_next_leaf() at the loop which checks for the need to log holes, we +need to make sure copy_items() returns the value 1 to its caller and +not 0 (on success). This is because the path the caller passed was +released and is now different from what is was before, and the caller +expects a return value of 0 to mean both success and that the path +has not changed, while a return value of 1 means both success and +signals the caller that it can not reuse the path, it has to perform +another tree search. + +Even though this is a case that should not be triggered on normal +circumstances or very rare at least, its consequences can be very +unpredictable (especially when replaying a log tree). + +Fixes: 16e7549f045d ("Btrfs: incompatible format change to remove hole extents") +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tree-log.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -4005,6 +4005,7 @@ fill_holes: + ASSERT(ret == 0); + src = src_path->nodes[0]; + i = 0; ++ need_find_last_extent = true; + } + + btrfs_item_key_to_cpu(src, &key, i); diff --git a/queue-4.16/btrfs-fix-lockdep-splat-in-btrfs_alloc_subvolume_writers.patch b/queue-4.16/btrfs-fix-lockdep-splat-in-btrfs_alloc_subvolume_writers.patch new file mode 100644 index 00000000000..8ccc4b5d1df --- /dev/null +++ b/queue-4.16/btrfs-fix-lockdep-splat-in-btrfs_alloc_subvolume_writers.patch @@ -0,0 +1,436 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Jeff Mahoney +Date: Fri, 16 Mar 2018 14:36:27 -0400 +Subject: btrfs: fix lockdep splat in btrfs_alloc_subvolume_writers + +From: Jeff Mahoney + +[ Upstream commit 8a5a916d9a35e13576d79cc16e24611821b13e34 ] + +While running btrfs/011, I hit the following lockdep splat. + +This is the important bit: + pcpu_alloc+0x1ac/0x5e0 + __percpu_counter_init+0x4e/0xb0 + btrfs_init_fs_root+0x99/0x1c0 [btrfs] + btrfs_get_fs_root.part.54+0x5b/0x150 [btrfs] + resolve_indirect_refs+0x130/0x830 [btrfs] + find_parent_nodes+0x69e/0xff0 [btrfs] + btrfs_find_all_roots_safe+0xa0/0x110 [btrfs] + btrfs_find_all_roots+0x50/0x70 [btrfs] + btrfs_qgroup_prepare_account_extents+0x53/0x90 [btrfs] + btrfs_commit_transaction+0x3ce/0x9b0 [btrfs] + +The percpu_counter_init call in btrfs_alloc_subvolume_writers +uses GFP_KERNEL, which we can't do during transaction commit. + +This switches it to GFP_NOFS. + +======================================================== +WARNING: possible irq lock inversion dependency detected +4.12.14-kvmsmall #8 Tainted: G W +-------------------------------------------------------- +kswapd0/50 just changed the state of lock: + (&delayed_node->mutex){+.+.-.}, at: [] __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs] +but this lock took another, RECLAIM_FS-unsafe lock in the past: + (pcpu_alloc_mutex){+.+.+.} + +and interrupts could create inverse lock ordering between them. + +other info that might help us debug this: +Chain exists of: + &delayed_node->mutex --> &found->groups_sem --> pcpu_alloc_mutex + + Possible interrupt unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(pcpu_alloc_mutex); + local_irq_disable(); + lock(&delayed_node->mutex); + lock(&found->groups_sem); + + lock(&delayed_node->mutex); + + *** DEADLOCK *** + +2 locks held by kswapd0/50: + #0: (shrinker_rwsem){++++..}, at: [] shrink_slab+0x7f/0x5b0 + #1: (&type->s_umount_key#30){+++++.}, at: [] trylock_super+0x16/0x50 + +the shortest dependencies between 2nd lock and 1st lock: + -> (pcpu_alloc_mutex){+.+.+.} ops: 4904 { + HARDIRQ-ON-W at: + __mutex_lock+0x4e/0x8c0 + pcpu_alloc+0x1ac/0x5e0 + alloc_kmem_cache_cpus.isra.70+0x25/0xa0 + __do_tune_cpucache+0x2c/0x220 + do_tune_cpucache+0x26/0xc0 + enable_cpucache+0x6d/0xf0 + kmem_cache_init_late+0x42/0x75 + start_kernel+0x343/0x4cb + x86_64_start_kernel+0x127/0x134 + secondary_startup_64+0xa5/0xb0 + SOFTIRQ-ON-W at: + __mutex_lock+0x4e/0x8c0 + pcpu_alloc+0x1ac/0x5e0 + alloc_kmem_cache_cpus.isra.70+0x25/0xa0 + __do_tune_cpucache+0x2c/0x220 + do_tune_cpucache+0x26/0xc0 + enable_cpucache+0x6d/0xf0 + kmem_cache_init_late+0x42/0x75 + start_kernel+0x343/0x4cb + x86_64_start_kernel+0x127/0x134 + secondary_startup_64+0xa5/0xb0 + RECLAIM_FS-ON-W at: + __kmalloc+0x47/0x310 + pcpu_extend_area_map+0x2b/0xc0 + pcpu_alloc+0x3ec/0x5e0 + alloc_kmem_cache_cpus.isra.70+0x25/0xa0 + __do_tune_cpucache+0x2c/0x220 + do_tune_cpucache+0x26/0xc0 + enable_cpucache+0x6d/0xf0 + __kmem_cache_create+0x1bf/0x390 + create_cache+0xba/0x1b0 + kmem_cache_create+0x1f8/0x2b0 + ksm_init+0x6f/0x19d + do_one_initcall+0x50/0x1b0 + kernel_init_freeable+0x201/0x289 + kernel_init+0xa/0x100 + ret_from_fork+0x3a/0x50 + INITIAL USE at: + __mutex_lock+0x4e/0x8c0 + pcpu_alloc+0x1ac/0x5e0 + alloc_kmem_cache_cpus.isra.70+0x25/0xa0 + setup_cpu_cache+0x2f/0x1f0 + __kmem_cache_create+0x1bf/0x390 + create_boot_cache+0x8b/0xb1 + kmem_cache_init+0xa1/0x19e + start_kernel+0x270/0x4cb + x86_64_start_kernel+0x127/0x134 + secondary_startup_64+0xa5/0xb0 + } + ... key at: [] pcpu_alloc_mutex+0x70/0xa0 + ... acquired at: + pcpu_alloc+0x1ac/0x5e0 + __percpu_counter_init+0x4e/0xb0 + btrfs_init_fs_root+0x99/0x1c0 [btrfs] + btrfs_get_fs_root.part.54+0x5b/0x150 [btrfs] + resolve_indirect_refs+0x130/0x830 [btrfs] + find_parent_nodes+0x69e/0xff0 [btrfs] + btrfs_find_all_roots_safe+0xa0/0x110 [btrfs] + btrfs_find_all_roots+0x50/0x70 [btrfs] + btrfs_qgroup_prepare_account_extents+0x53/0x90 [btrfs] + btrfs_commit_transaction+0x3ce/0x9b0 [btrfs] + transaction_kthread+0x176/0x1b0 [btrfs] + kthread+0x102/0x140 + ret_from_fork+0x3a/0x50 + + -> (&fs_info->commit_root_sem){++++..} ops: 1566382 { + HARDIRQ-ON-W at: + down_write+0x3e/0xa0 + cache_block_group+0x287/0x420 [btrfs] + find_free_extent+0x106c/0x12d0 [btrfs] + btrfs_reserve_extent+0xd8/0x170 [btrfs] + cow_file_range.isra.66+0x133/0x470 [btrfs] + run_delalloc_range+0x121/0x410 [btrfs] + writepage_delalloc.isra.50+0xfe/0x180 [btrfs] + __extent_writepage+0x19a/0x360 [btrfs] + extent_write_cache_pages.constprop.56+0x249/0x3e0 [btrfs] + extent_writepages+0x4d/0x60 [btrfs] + do_writepages+0x1a/0x70 + __filemap_fdatawrite_range+0xa7/0xe0 + btrfs_rename+0x5ee/0xdb0 [btrfs] + vfs_rename+0x52a/0x7e0 + SyS_rename+0x351/0x3b0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + HARDIRQ-ON-R at: + down_read+0x35/0x90 + caching_thread+0x57/0x560 [btrfs] + normal_work_helper+0x1c0/0x5e0 [btrfs] + process_one_work+0x1e0/0x5c0 + worker_thread+0x44/0x390 + kthread+0x102/0x140 + ret_from_fork+0x3a/0x50 + SOFTIRQ-ON-W at: + down_write+0x3e/0xa0 + cache_block_group+0x287/0x420 [btrfs] + find_free_extent+0x106c/0x12d0 [btrfs] + btrfs_reserve_extent+0xd8/0x170 [btrfs] + cow_file_range.isra.66+0x133/0x470 [btrfs] + run_delalloc_range+0x121/0x410 [btrfs] + writepage_delalloc.isra.50+0xfe/0x180 [btrfs] + __extent_writepage+0x19a/0x360 [btrfs] + extent_write_cache_pages.constprop.56+0x249/0x3e0 [btrfs] + extent_writepages+0x4d/0x60 [btrfs] + do_writepages+0x1a/0x70 + __filemap_fdatawrite_range+0xa7/0xe0 + btrfs_rename+0x5ee/0xdb0 [btrfs] + vfs_rename+0x52a/0x7e0 + SyS_rename+0x351/0x3b0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + SOFTIRQ-ON-R at: + down_read+0x35/0x90 + caching_thread+0x57/0x560 [btrfs] + normal_work_helper+0x1c0/0x5e0 [btrfs] + process_one_work+0x1e0/0x5c0 + worker_thread+0x44/0x390 + kthread+0x102/0x140 + ret_from_fork+0x3a/0x50 + INITIAL USE at: + down_write+0x3e/0xa0 + cache_block_group+0x287/0x420 [btrfs] + find_free_extent+0x106c/0x12d0 [btrfs] + btrfs_reserve_extent+0xd8/0x170 [btrfs] + cow_file_range.isra.66+0x133/0x470 [btrfs] + run_delalloc_range+0x121/0x410 [btrfs] + writepage_delalloc.isra.50+0xfe/0x180 [btrfs] + __extent_writepage+0x19a/0x360 [btrfs] + extent_write_cache_pages.constprop.56+0x249/0x3e0 [btrfs] + extent_writepages+0x4d/0x60 [btrfs] + do_writepages+0x1a/0x70 + __filemap_fdatawrite_range+0xa7/0xe0 + btrfs_rename+0x5ee/0xdb0 [btrfs] + vfs_rename+0x52a/0x7e0 + SyS_rename+0x351/0x3b0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + } + ... key at: [] __key.61970+0x0/0xfffffffffff9aa88 [btrfs] + ... acquired at: + cache_block_group+0x287/0x420 [btrfs] + find_free_extent+0x106c/0x12d0 [btrfs] + btrfs_reserve_extent+0xd8/0x170 [btrfs] + btrfs_alloc_tree_block+0x12f/0x4c0 [btrfs] + btrfs_create_tree+0xbb/0x2a0 [btrfs] + btrfs_create_uuid_tree+0x37/0x140 [btrfs] + open_ctree+0x23c0/0x2660 [btrfs] + btrfs_mount+0xd36/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + btrfs_mount+0x18c/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + do_mount+0x1c1/0xcc0 + SyS_mount+0x7e/0xd0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + + -> (&found->groups_sem){++++..} ops: 2134587 { + HARDIRQ-ON-W at: + down_write+0x3e/0xa0 + __link_block_group+0x34/0x130 [btrfs] + btrfs_read_block_groups+0x33d/0x7b0 [btrfs] + open_ctree+0x2054/0x2660 [btrfs] + btrfs_mount+0xd36/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + btrfs_mount+0x18c/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + do_mount+0x1c1/0xcc0 + SyS_mount+0x7e/0xd0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + HARDIRQ-ON-R at: + down_read+0x35/0x90 + btrfs_calc_num_tolerated_disk_barrier_failures+0x113/0x1f0 [btrfs] + open_ctree+0x207b/0x2660 [btrfs] + btrfs_mount+0xd36/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + btrfs_mount+0x18c/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + do_mount+0x1c1/0xcc0 + SyS_mount+0x7e/0xd0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + SOFTIRQ-ON-W at: + down_write+0x3e/0xa0 + __link_block_group+0x34/0x130 [btrfs] + btrfs_read_block_groups+0x33d/0x7b0 [btrfs] + open_ctree+0x2054/0x2660 [btrfs] + btrfs_mount+0xd36/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + btrfs_mount+0x18c/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + do_mount+0x1c1/0xcc0 + SyS_mount+0x7e/0xd0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + SOFTIRQ-ON-R at: + down_read+0x35/0x90 + btrfs_calc_num_tolerated_disk_barrier_failures+0x113/0x1f0 [btrfs] + open_ctree+0x207b/0x2660 [btrfs] + btrfs_mount+0xd36/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + btrfs_mount+0x18c/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + do_mount+0x1c1/0xcc0 + SyS_mount+0x7e/0xd0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + INITIAL USE at: + down_write+0x3e/0xa0 + __link_block_group+0x34/0x130 [btrfs] + btrfs_read_block_groups+0x33d/0x7b0 [btrfs] + open_ctree+0x2054/0x2660 [btrfs] + btrfs_mount+0xd36/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + btrfs_mount+0x18c/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + do_mount+0x1c1/0xcc0 + SyS_mount+0x7e/0xd0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + } + ... key at: [] __key.59101+0x0/0xfffffffffff9ab78 [btrfs] + ... acquired at: + find_free_extent+0xcb4/0x12d0 [btrfs] + btrfs_reserve_extent+0xd8/0x170 [btrfs] + btrfs_alloc_tree_block+0x12f/0x4c0 [btrfs] + __btrfs_cow_block+0x110/0x5b0 [btrfs] + btrfs_cow_block+0xd7/0x290 [btrfs] + btrfs_search_slot+0x1f6/0x960 [btrfs] + btrfs_lookup_inode+0x2a/0x90 [btrfs] + __btrfs_update_delayed_inode+0x65/0x210 [btrfs] + btrfs_commit_inode_delayed_inode+0x121/0x130 [btrfs] + btrfs_evict_inode+0x3fe/0x6a0 [btrfs] + evict+0xc4/0x190 + __dentry_kill+0xbf/0x170 + dput+0x2ae/0x2f0 + SyS_rename+0x2a6/0x3b0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + +-> (&delayed_node->mutex){+.+.-.} ops: 5580204 { + HARDIRQ-ON-W at: + __mutex_lock+0x4e/0x8c0 + btrfs_delayed_update_inode+0x46/0x6e0 [btrfs] + btrfs_update_inode+0x83/0x110 [btrfs] + btrfs_dirty_inode+0x62/0xe0 [btrfs] + touch_atime+0x8c/0xb0 + do_generic_file_read+0x818/0xb10 + __vfs_read+0xdc/0x150 + vfs_read+0x8a/0x130 + SyS_read+0x45/0xa0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + SOFTIRQ-ON-W at: + __mutex_lock+0x4e/0x8c0 + btrfs_delayed_update_inode+0x46/0x6e0 [btrfs] + btrfs_update_inode+0x83/0x110 [btrfs] + btrfs_dirty_inode+0x62/0xe0 [btrfs] + touch_atime+0x8c/0xb0 + do_generic_file_read+0x818/0xb10 + __vfs_read+0xdc/0x150 + vfs_read+0x8a/0x130 + SyS_read+0x45/0xa0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + IN-RECLAIM_FS-W at: + __mutex_lock+0x4e/0x8c0 + __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs] + btrfs_evict_inode+0x22c/0x6a0 [btrfs] + evict+0xc4/0x190 + dispose_list+0x35/0x50 + prune_icache_sb+0x42/0x50 + super_cache_scan+0x139/0x190 + shrink_slab+0x262/0x5b0 + shrink_node+0x2eb/0x2f0 + kswapd+0x2eb/0x890 + kthread+0x102/0x140 + ret_from_fork+0x3a/0x50 + INITIAL USE at: + __mutex_lock+0x4e/0x8c0 + btrfs_delayed_update_inode+0x46/0x6e0 [btrfs] + btrfs_update_inode+0x83/0x110 [btrfs] + btrfs_dirty_inode+0x62/0xe0 [btrfs] + touch_atime+0x8c/0xb0 + do_generic_file_read+0x818/0xb10 + __vfs_read+0xdc/0x150 + vfs_read+0x8a/0x130 + SyS_read+0x45/0xa0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + } + ... key at: [] __key.56935+0x0/0xfffffffffff96b78 [btrfs] + ... acquired at: + __lock_acquire+0x264/0x11c0 + lock_acquire+0xbd/0x1e0 + __mutex_lock+0x4e/0x8c0 + __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs] + btrfs_evict_inode+0x22c/0x6a0 [btrfs] + evict+0xc4/0x190 + dispose_list+0x35/0x50 + prune_icache_sb+0x42/0x50 + super_cache_scan+0x139/0x190 + shrink_slab+0x262/0x5b0 + shrink_node+0x2eb/0x2f0 + kswapd+0x2eb/0x890 + kthread+0x102/0x140 + ret_from_fork+0x3a/0x50 + +stack backtrace: +CPU: 1 PID: 50 Comm: kswapd0 Tainted: G W 4.12.14-kvmsmall #8 SLE15 (unreleased) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014 +Call Trace: + dump_stack+0x78/0xb7 + print_irq_inversion_bug.part.38+0x19f/0x1aa + check_usage_forwards+0x102/0x120 + ? ret_from_fork+0x3a/0x50 + ? check_usage_backwards+0x110/0x110 + mark_lock+0x16c/0x270 + __lock_acquire+0x264/0x11c0 + ? pagevec_lookup_entries+0x1a/0x30 + ? truncate_inode_pages_range+0x2b3/0x7f0 + lock_acquire+0xbd/0x1e0 + ? __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs] + __mutex_lock+0x4e/0x8c0 + ? __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs] + ? __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs] + ? btrfs_evict_inode+0x1f6/0x6a0 [btrfs] + __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs] + btrfs_evict_inode+0x22c/0x6a0 [btrfs] + evict+0xc4/0x190 + dispose_list+0x35/0x50 + prune_icache_sb+0x42/0x50 + super_cache_scan+0x139/0x190 + shrink_slab+0x262/0x5b0 + shrink_node+0x2eb/0x2f0 + kswapd+0x2eb/0x890 + kthread+0x102/0x140 + ? mem_cgroup_shrink_node+0x2c0/0x2c0 + ? kthread_create_on_node+0x40/0x40 + ret_from_fork+0x3a/0x50 + +Signed-off-by: Jeff Mahoney +Reviewed-by: Liu Bo +Signed-off-by: David Sterba + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/disk-io.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -1108,7 +1108,7 @@ static struct btrfs_subvolume_writers *b + if (!writers) + return ERR_PTR(-ENOMEM); + +- ret = percpu_counter_init(&writers->counter, 0, GFP_KERNEL); ++ ret = percpu_counter_init(&writers->counter, 0, GFP_NOFS); + if (ret < 0) { + kfree(writers); + return ERR_PTR(ret); diff --git a/queue-4.16/btrfs-fix-loss-of-prealloc-extents-past-i_size-after-fsync-log-replay.patch b/queue-4.16/btrfs-fix-loss-of-prealloc-extents-past-i_size-after-fsync-log-replay.patch new file mode 100644 index 00000000000..ab70114c4c8 --- /dev/null +++ b/queue-4.16/btrfs-fix-loss-of-prealloc-extents-past-i_size-after-fsync-log-replay.patch @@ -0,0 +1,147 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Filipe Manana +Date: Thu, 5 Apr 2018 22:55:12 +0100 +Subject: Btrfs: fix loss of prealloc extents past i_size after fsync log replay + +From: Filipe Manana + +[ Upstream commit 471d557afed155b85da237ec46c549f443eeb5de ] + +Currently if we allocate extents beyond an inode's i_size (through the +fallocate system call) and then fsync the file, we log the extents but +after a power failure we replay them and then immediately drop them. +This behaviour happens since about 2009, commit c71bf099abdd ("Btrfs: +Avoid orphan inodes cleanup while replaying log"), because it marks +the inode as an orphan instead of dropping any extents beyond i_size +before replaying logged extents, so after the log replay, and while +the mount operation is still ongoing, we find the inode marked as an +orphan and then perform a truncation (drop extents beyond the inode's +i_size). Because the processing of orphan inodes is still done +right after replaying the log and before the mount operation finishes, +the intention of that commit does not make any sense (at least as +of today). However reverting that behaviour is not enough, because +we can not simply discard all extents beyond i_size and then replay +logged extents, because we risk dropping extents beyond i_size created +in past transactions, for example: + + add prealloc extent beyond i_size + fsync - clears the flag BTRFS_INODE_NEEDS_FULL_SYNC from the inode + transaction commit + add another prealloc extent beyond i_size + fsync - triggers the fast fsync path + power failure + +In that scenario, we would drop the first extent and then replay the +second one. To fix this just make sure that all prealloc extents +beyond i_size are logged, and if we find too many (which is far from +a common case), fallback to a full transaction commit (like we do when +logging regular extents in the fast fsync path). + +Trivial reproducer: + + $ mkfs.btrfs -f /dev/sdb + $ mount /dev/sdb /mnt + $ xfs_io -f -c "pwrite -S 0xab 0 256K" /mnt/foo + $ sync + $ xfs_io -c "falloc -k 256K 1M" /mnt/foo + $ xfs_io -c "fsync" /mnt/foo + + + # mount to replay log + $ mount /dev/sdb /mnt + # at this point the file only has one extent, at offset 0, size 256K + +A test case for fstests follows soon, covering multiple scenarios that +involve adding prealloc extents with previous shrinking truncates and +without such truncates. + +Fixes: c71bf099abdd ("Btrfs: Avoid orphan inodes cleanup while replaying log") +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tree-log.c | 63 +++++++++++++++++++++++++++++++++++++++++++++++----- + 1 file changed, 58 insertions(+), 5 deletions(-) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -2461,13 +2461,41 @@ static int replay_one_buffer(struct btrf + if (ret) + break; + +- /* for regular files, make sure corresponding +- * orphan item exist. extents past the new EOF +- * will be truncated later by orphan cleanup. ++ /* ++ * Before replaying extents, truncate the inode to its ++ * size. We need to do it now and not after log replay ++ * because before an fsync we can have prealloc extents ++ * added beyond the inode's i_size. If we did it after, ++ * through orphan cleanup for example, we would drop ++ * those prealloc extents just after replaying them. + */ + if (S_ISREG(mode)) { +- ret = insert_orphan_item(wc->trans, root, +- key.objectid); ++ struct inode *inode; ++ u64 from; ++ ++ inode = read_one_inode(root, key.objectid); ++ if (!inode) { ++ ret = -EIO; ++ break; ++ } ++ from = ALIGN(i_size_read(inode), ++ root->fs_info->sectorsize); ++ ret = btrfs_drop_extents(wc->trans, root, inode, ++ from, (u64)-1, 1); ++ /* ++ * If the nlink count is zero here, the iput ++ * will free the inode. We bump it to make ++ * sure it doesn't get freed until the link ++ * count fixup is done. ++ */ ++ if (!ret) { ++ if (inode->i_nlink == 0) ++ inc_nlink(inode); ++ /* Update link count and nbytes. */ ++ ret = btrfs_update_inode(wc->trans, ++ root, inode); ++ } ++ iput(inode); + if (ret) + break; + } +@@ -4321,6 +4349,31 @@ static int btrfs_log_changed_extents(str + num++; + } + ++ /* ++ * Add all prealloc extents beyond the inode's i_size to make sure we ++ * don't lose them after doing a fast fsync and replaying the log. ++ */ ++ if (inode->flags & BTRFS_INODE_PREALLOC) { ++ struct rb_node *node; ++ ++ for (node = rb_last(&tree->map); node; node = rb_prev(node)) { ++ em = rb_entry(node, struct extent_map, rb_node); ++ if (em->start < i_size_read(&inode->vfs_inode)) ++ break; ++ if (!list_empty(&em->list)) ++ continue; ++ /* Same as above loop. */ ++ if (++num > 32768) { ++ list_del_init(&tree->modified_extents); ++ ret = -EFBIG; ++ goto process; ++ } ++ refcount_inc(&em->refs); ++ set_bit(EXTENT_FLAG_LOGGING, &em->flags); ++ list_add_tail(&em->list, &extents); ++ } ++ } ++ + list_sort(NULL, &extents, extent_cmp); + btrfs_get_logged_extents(inode, logged_list, logged_start, logged_end); + /* diff --git a/queue-4.16/btrfs-fix-null-pointer-deref-when-target-device-is-missing.patch b/queue-4.16/btrfs-fix-null-pointer-deref-when-target-device-is-missing.patch new file mode 100644 index 00000000000..650b41d2fcd --- /dev/null +++ b/queue-4.16/btrfs-fix-null-pointer-deref-when-target-device-is-missing.patch @@ -0,0 +1,55 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Anand Jain +Date: Sat, 24 Feb 2018 19:43:56 +0800 +Subject: btrfs: fix null pointer deref when target device is missing + +From: Anand Jain + +[ Upstream commit acf18c56fdcb952a06650282192e3b4ca1855c5e ] + +The replace target device can be missing when mounted with -o degraded, +but we wont allocate a missing btrfs_device to it. So check the device +before accessing. + +BUG: unable to handle kernel NULL pointer dereference at 00000000000000b0 +IP: btrfs_destroy_dev_replace_tgtdev+0x43/0xf0 [btrfs] +Call Trace: +btrfs_dev_replace_cancel+0x15f/0x180 [btrfs] +btrfs_ioctl+0x2216/0x2590 [btrfs] +do_vfs_ioctl+0x625/0x650 +SyS_ioctl+0x4e/0x80 +do_syscall_64+0x5d/0x160 +entry_SYSCALL64_slow_path+0x25/0x25 + +This patch has been moved in front of patch "btrfs: log, when replace, +is canceled by the user" that could reproduce the crash if the system +reboots inside btrfs_dev_replace_start before the +btrfs_dev_replace_finishing call. + + $ mkfs /dev/sda + $ mount /dev/sda mnt + $ btrfs replace start /dev/sda /dev/sdb + + $ mount po degraded /dev/sdb mnt + + +Signed-off-by: Anand Jain +[ added reproducer description from mail ] +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/dev-replace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/dev-replace.c ++++ b/fs/btrfs/dev-replace.c +@@ -307,7 +307,7 @@ void btrfs_after_dev_replace_commit(stru + + static char* btrfs_dev_name(struct btrfs_device *device) + { +- if (test_bit(BTRFS_DEV_STATE_MISSING, &device->dev_state)) ++ if (!device || test_bit(BTRFS_DEV_STATE_MISSING, &device->dev_state)) + return ""; + else + return rcu_str_deref(device->name); diff --git a/queue-4.16/btrfs-fix-null-pointer-dereference-in-log_dir_items.patch b/queue-4.16/btrfs-fix-null-pointer-dereference-in-log_dir_items.patch new file mode 100644 index 00000000000..6bb3d708393 --- /dev/null +++ b/queue-4.16/btrfs-fix-null-pointer-dereference-in-log_dir_items.patch @@ -0,0 +1,39 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Liu Bo +Date: Tue, 3 Apr 2018 01:59:47 +0800 +Subject: Btrfs: fix NULL pointer dereference in log_dir_items + +From: Liu Bo + +[ Upstream commit 80c0b4210a963e31529e15bf90519708ec947596 ] + +0, 1 and <0 can be returned by btrfs_next_leaf(), and when <0 is +returned, path->nodes[0] could be NULL, log_dir_items lacks such a +check for <0 and we may run into a null pointer dereference panic. + +Fixes: e02119d5a7b4 ("Btrfs: Add a write ahead tree log to optimize synchronous operations") +Reviewed-by: Nikolay Borisov +Signed-off-by: Liu Bo +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tree-log.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -3548,8 +3548,11 @@ static noinline int log_dir_items(struct + * from this directory and from this transaction + */ + ret = btrfs_next_leaf(root, path); +- if (ret == 1) { +- last_offset = (u64)-1; ++ if (ret) { ++ if (ret == 1) ++ last_offset = (u64)-1; ++ else ++ err = ret; + goto done; + } + btrfs_item_key_to_cpu(path->nodes[0], &tmp, path->slots[0]); diff --git a/queue-4.16/btrfs-fix-possible-softlock-on-single-core-machines.patch b/queue-4.16/btrfs-fix-possible-softlock-on-single-core-machines.patch new file mode 100644 index 00000000000..1bb5900c411 --- /dev/null +++ b/queue-4.16/btrfs-fix-possible-softlock-on-single-core-machines.patch @@ -0,0 +1,38 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Nikolay Borisov +Date: Thu, 5 Apr 2018 10:40:15 +0300 +Subject: btrfs: Fix possible softlock on single core machines + +From: Nikolay Borisov + +[ Upstream commit 1e1c50a929bc9e49bc3f9935b92450d9e69f8158 ] + +do_chunk_alloc implements a loop checking whether there is a pending +chunk allocation and if so causes the caller do loop. Generally this +loop is executed only once, however testing with btrfs/072 on a single +core vm machines uncovered an extreme case where the system could loop +indefinitely. This is due to a missing cond_resched when loop which +doesn't give a chance to the previous chunk allocator finish its job. + +The fix is to simply add the missing cond_resched. + +Fixes: 6d74119f1a3e ("Btrfs: avoid taking the chunk_mutex in do_chunk_alloc") +Signed-off-by: Nikolay Borisov +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/extent-tree.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -4650,6 +4650,7 @@ again: + if (wait_for_alloc) { + mutex_unlock(&fs_info->chunk_mutex); + wait_for_alloc = 0; ++ cond_resched(); + goto again; + } + diff --git a/queue-4.16/btrfs-qgroup-fix-root-item-corruption-when-multiple-same-source-snapshots-are-created-with-quota-enabled.patch b/queue-4.16/btrfs-qgroup-fix-root-item-corruption-when-multiple-same-source-snapshots-are-created-with-quota-enabled.patch new file mode 100644 index 00000000000..6a32d41cd73 --- /dev/null +++ b/queue-4.16/btrfs-qgroup-fix-root-item-corruption-when-multiple-same-source-snapshots-are-created-with-quota-enabled.patch @@ -0,0 +1,59 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Qu Wenruo +Date: Tue, 19 Dec 2017 15:44:54 +0800 +Subject: btrfs: qgroup: Fix root item corruption when multiple same source snapshots are created with quota enabled + +From: Qu Wenruo + +[ Upstream commit 4d31778aa2fa342f5f92ca4025b293a1729161d1 ] + +When multiple pending snapshots referring to the same source subvolume +are executed, enabled quota will cause root item corruption, where root +items are using old bytenr (no backref in extent tree). + +This can be triggered by fstests btrfs/152. + +The cause is when source subvolume is still dirty, extra commit +(simplied transaction commit) of qgroup_account_snapshot() can skip +dirty roots not recorded in current transaction, making root item of +source subvolume not updated. + +Fix it by forcing recording source subvolume in current transaction +before qgroup sub-transaction commit. + +Reported-by: Justin Maggard +Signed-off-by: Qu Wenruo +Reviewed-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/transaction.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/transaction.c ++++ b/fs/btrfs/transaction.c +@@ -319,7 +319,7 @@ static int record_root_in_trans(struct b + if ((test_bit(BTRFS_ROOT_REF_COWS, &root->state) && + root->last_trans < trans->transid) || force) { + WARN_ON(root == fs_info->extent_root); +- WARN_ON(root->commit_root != root->node); ++ WARN_ON(!force && root->commit_root != root->node); + + /* + * see below for IN_TRANS_SETUP usage rules +@@ -1366,6 +1366,14 @@ static int qgroup_account_snapshot(struc + return 0; + + /* ++ * Ensure dirty @src will be commited. Or, after comming ++ * commit_fs_roots() and switch_commit_roots(), any dirty but not ++ * recorded root will never be updated again, causing an outdated root ++ * item. ++ */ ++ record_root_in_trans(trans, src, 1); ++ ++ /* + * We are going to commit transaction, see btrfs_commit_transaction() + * comment for reason locking tree_log_mutex + */ diff --git a/queue-4.16/btrfs-tests-qgroup-fix-wrong-tree-backref-level.patch b/queue-4.16/btrfs-tests-qgroup-fix-wrong-tree-backref-level.patch new file mode 100644 index 00000000000..68fe662a02c --- /dev/null +++ b/queue-4.16/btrfs-tests-qgroup-fix-wrong-tree-backref-level.patch @@ -0,0 +1,52 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Qu Wenruo +Date: Tue, 27 Mar 2018 20:44:18 +0800 +Subject: btrfs: tests/qgroup: Fix wrong tree backref level + +From: Qu Wenruo + +[ Upstream commit 3c0efdf03b2d127f0e40e30db4e7aa0429b1b79a ] + +The extent tree of the test fs is like the following: + + BTRFS info (device (null)): leaf 16327509003777336587 total ptrs 1 free space 3919 + item 0 key (4096 168 4096) itemoff 3944 itemsize 51 + extent refs 1 gen 1 flags 2 + tree block key (68719476736 0 0) level 1 + ^^^^^^^ + ref#0: tree block backref root 5 + +And it's using an empty tree for fs tree, so there is no way that its +level can be 1. + +For REAL (created by mkfs) fs tree backref with no skinny metadata, the +result should look like: + + item 3 key (30408704 EXTENT_ITEM 4096) itemoff 3845 itemsize 51 + refs 1 gen 4 flags TREE_BLOCK + tree block key (256 INODE_ITEM 0) level 0 + ^^^^^^^ + tree block backref root 5 + +Fix the level to 0, so it won't break later tree level checker. + +Fixes: faa2dbf004e8 ("Btrfs: add sanity tests for new qgroup accounting code") +Signed-off-by: Qu Wenruo +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tests/qgroup-tests.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/tests/qgroup-tests.c ++++ b/fs/btrfs/tests/qgroup-tests.c +@@ -63,7 +63,7 @@ static int insert_normal_tree_ref(struct + btrfs_set_extent_generation(leaf, item, 1); + btrfs_set_extent_flags(leaf, item, BTRFS_EXTENT_FLAG_TREE_BLOCK); + block_info = (struct btrfs_tree_block_info *)(item + 1); +- btrfs_set_tree_block_level(leaf, block_info, 1); ++ btrfs_set_tree_block_level(leaf, block_info, 0); + iref = (struct btrfs_extent_inline_ref *)(block_info + 1); + if (parent > 0) { + btrfs_set_extent_inline_ref_type(leaf, iref, diff --git a/queue-4.16/cdrom-do-not-call-check_disk_change-inside-cdrom_open.patch b/queue-4.16/cdrom-do-not-call-check_disk_change-inside-cdrom_open.patch new file mode 100644 index 00000000000..3d848956a7b --- /dev/null +++ b/queue-4.16/cdrom-do-not-call-check_disk_change-inside-cdrom_open.patch @@ -0,0 +1,155 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Maurizio Lombardi +Date: Fri, 9 Mar 2018 13:59:06 +0100 +Subject: cdrom: do not call check_disk_change() inside cdrom_open() + +From: Maurizio Lombardi + +[ Upstream commit 2bbea6e117357d17842114c65e9a9cf2d13ae8a3 ] + +when mounting an ISO filesystem sometimes (very rarely) +the system hangs because of a race condition between two tasks. + +PID: 6766 TASK: ffff88007b2a6dd0 CPU: 0 COMMAND: "mount" + #0 [ffff880078447ae0] __schedule at ffffffff8168d605 + #1 [ffff880078447b48] schedule_preempt_disabled at ffffffff8168ed49 + #2 [ffff880078447b58] __mutex_lock_slowpath at ffffffff8168c995 + #3 [ffff880078447bb8] mutex_lock at ffffffff8168bdef + #4 [ffff880078447bd0] sr_block_ioctl at ffffffffa00b6818 [sr_mod] + #5 [ffff880078447c10] blkdev_ioctl at ffffffff812fea50 + #6 [ffff880078447c70] ioctl_by_bdev at ffffffff8123a8b3 + #7 [ffff880078447c90] isofs_fill_super at ffffffffa04fb1e1 [isofs] + #8 [ffff880078447da8] mount_bdev at ffffffff81202570 + #9 [ffff880078447e18] isofs_mount at ffffffffa04f9828 [isofs] +#10 [ffff880078447e28] mount_fs at ffffffff81202d09 +#11 [ffff880078447e70] vfs_kern_mount at ffffffff8121ea8f +#12 [ffff880078447ea8] do_mount at ffffffff81220fee +#13 [ffff880078447f28] sys_mount at ffffffff812218d6 +#14 [ffff880078447f80] system_call_fastpath at ffffffff81698c49 + RIP: 00007fd9ea914e9a RSP: 00007ffd5d9bf648 RFLAGS: 00010246 + RAX: 00000000000000a5 RBX: ffffffff81698c49 RCX: 0000000000000010 + RDX: 00007fd9ec2bc210 RSI: 00007fd9ec2bc290 RDI: 00007fd9ec2bcf30 + RBP: 0000000000000000 R8: 0000000000000000 R9: 0000000000000010 + R10: 00000000c0ed0001 R11: 0000000000000206 R12: 00007fd9ec2bc040 + R13: 00007fd9eb6b2380 R14: 00007fd9ec2bc210 R15: 00007fd9ec2bcf30 + ORIG_RAX: 00000000000000a5 CS: 0033 SS: 002b + +This task was trying to mount the cdrom. It allocated and configured a +super_block struct and owned the write-lock for the super_block->s_umount +rwsem. While exclusively owning the s_umount lock, it called +sr_block_ioctl and waited to acquire the global sr_mutex lock. + +PID: 6785 TASK: ffff880078720fb0 CPU: 0 COMMAND: "systemd-udevd" + #0 [ffff880078417898] __schedule at ffffffff8168d605 + #1 [ffff880078417900] schedule at ffffffff8168dc59 + #2 [ffff880078417910] rwsem_down_read_failed at ffffffff8168f605 + #3 [ffff880078417980] call_rwsem_down_read_failed at ffffffff81328838 + #4 [ffff8800784179d0] down_read at ffffffff8168cde0 + #5 [ffff8800784179e8] get_super at ffffffff81201cc7 + #6 [ffff880078417a10] __invalidate_device at ffffffff8123a8de + #7 [ffff880078417a40] flush_disk at ffffffff8123a94b + #8 [ffff880078417a88] check_disk_change at ffffffff8123ab50 + #9 [ffff880078417ab0] cdrom_open at ffffffffa00a29e1 [cdrom] +#10 [ffff880078417b68] sr_block_open at ffffffffa00b6f9b [sr_mod] +#11 [ffff880078417b98] __blkdev_get at ffffffff8123ba86 +#12 [ffff880078417bf0] blkdev_get at ffffffff8123bd65 +#13 [ffff880078417c78] blkdev_open at ffffffff8123bf9b +#14 [ffff880078417c90] do_dentry_open at ffffffff811fc7f7 +#15 [ffff880078417cd8] vfs_open at ffffffff811fc9cf +#16 [ffff880078417d00] do_last at ffffffff8120d53d +#17 [ffff880078417db0] path_openat at ffffffff8120e6b2 +#18 [ffff880078417e48] do_filp_open at ffffffff8121082b +#19 [ffff880078417f18] do_sys_open at ffffffff811fdd33 +#20 [ffff880078417f70] sys_open at ffffffff811fde4e +#21 [ffff880078417f80] system_call_fastpath at ffffffff81698c49 + RIP: 00007f29438b0c20 RSP: 00007ffc76624b78 RFLAGS: 00010246 + RAX: 0000000000000002 RBX: ffffffff81698c49 RCX: 0000000000000000 + RDX: 00007f2944a5fa70 RSI: 00000000000a0800 RDI: 00007f2944a5fa70 + RBP: 00007f2944a5f540 R8: 0000000000000000 R9: 0000000000000020 + R10: 00007f2943614c40 R11: 0000000000000246 R12: ffffffff811fde4e + R13: ffff880078417f78 R14: 000000000000000c R15: 00007f2944a4b010 + ORIG_RAX: 0000000000000002 CS: 0033 SS: 002b + +This task tried to open the cdrom device, the sr_block_open function +acquired the global sr_mutex lock. The call to check_disk_change() +then saw an event flag indicating a possible media change and tried +to flush any cached data for the device. +As part of the flush, it tried to acquire the super_block->s_umount +lock associated with the cdrom device. +This was the same super_block as created and locked by the previous task. + +The first task acquires the s_umount lock and then the sr_mutex_lock; +the second task acquires the sr_mutex_lock and then the s_umount lock. + +This patch fixes the issue by moving check_disk_change() out of +cdrom_open() and let the caller take care of it. + +Signed-off-by: Maurizio Lombardi +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/paride/pcd.c | 2 ++ + drivers/cdrom/cdrom.c | 3 --- + drivers/cdrom/gdrom.c | 3 +++ + drivers/ide/ide-cd.c | 2 ++ + drivers/scsi/sr.c | 2 ++ + 5 files changed, 9 insertions(+), 3 deletions(-) + +--- a/drivers/block/paride/pcd.c ++++ b/drivers/block/paride/pcd.c +@@ -230,6 +230,8 @@ static int pcd_block_open(struct block_d + struct pcd_unit *cd = bdev->bd_disk->private_data; + int ret; + ++ check_disk_change(bdev); ++ + mutex_lock(&pcd_mutex); + ret = cdrom_open(&cd->info, bdev, mode); + mutex_unlock(&pcd_mutex); +--- a/drivers/cdrom/cdrom.c ++++ b/drivers/cdrom/cdrom.c +@@ -1152,9 +1152,6 @@ int cdrom_open(struct cdrom_device_info + + cd_dbg(CD_OPEN, "entering cdrom_open\n"); + +- /* open is event synchronization point, check events first */ +- check_disk_change(bdev); +- + /* if this was a O_NONBLOCK open and we should honor the flags, + * do a quick open without drive/disc integrity checks. */ + cdi->use_count++; +--- a/drivers/cdrom/gdrom.c ++++ b/drivers/cdrom/gdrom.c +@@ -497,6 +497,9 @@ static const struct cdrom_device_ops gdr + static int gdrom_bdops_open(struct block_device *bdev, fmode_t mode) + { + int ret; ++ ++ check_disk_change(bdev); ++ + mutex_lock(&gdrom_mutex); + ret = cdrom_open(gd.cd_info, bdev, mode); + mutex_unlock(&gdrom_mutex); +--- a/drivers/ide/ide-cd.c ++++ b/drivers/ide/ide-cd.c +@@ -1613,6 +1613,8 @@ static int idecd_open(struct block_devic + struct cdrom_info *info; + int rc = -ENXIO; + ++ check_disk_change(bdev); ++ + mutex_lock(&ide_cd_mutex); + info = ide_cd_get(bdev->bd_disk); + if (!info) +--- a/drivers/scsi/sr.c ++++ b/drivers/scsi/sr.c +@@ -525,6 +525,8 @@ static int sr_block_open(struct block_de + struct scsi_cd *cd; + int ret = -ENXIO; + ++ check_disk_change(bdev); ++ + mutex_lock(&sr_mutex); + cd = scsi_cd_get(bdev->bd_disk); + if (cd) { diff --git a/queue-4.16/clk-don-t-show-the-incorrect-clock-phase.patch b/queue-4.16/clk-don-t-show-the-incorrect-clock-phase.patch new file mode 100644 index 00000000000..21d16ad7828 --- /dev/null +++ b/queue-4.16/clk-don-t-show-the-incorrect-clock-phase.patch @@ -0,0 +1,54 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Shawn Lin +Date: Wed, 14 Mar 2018 08:28:31 +0800 +Subject: clk: Don't show the incorrect clock phase + +From: Shawn Lin + +[ Upstream commit 1f9c63e8de3d7b377c9d74e4a17524cfb60e6384 ] + +It's found that the clock phase output from clk_summary is +wrong compared to the actual phase reading from the register. + +cat /sys/kernel/debug/clk/clk_summary | grep sdio_sample +sdio_sample 0 1 0 50000000 0 -22 + +It exposes an issue that clk core, clk_core_get_phase, always +returns the cached core->phase which should be either updated +by calling clk_set_phase or directly from the first place the +clk was registered. + +When registering the clk, the core->phase geting from ->get_phase() +may return negative value indicating error. This is quite common +since the clk's phase may be highly related to its parent chain, +but it was temporarily orphan when registered, since its parent +chains hadn't be ready at that time, so the clk drivers decide to +return error in this case. However, if no clk_set_phase is called or +maybe the ->set_phase() isn't even implemented, the core->phase would +never be updated. This is wrong, and we should try to update it when +all its parent chains are settled down, like the way of updating clock +rate for that. But it's not deserved to complicate the code now and +just update it anyway when calling clk_core_get_phase, which would be +much simple and enough. + +Signed-off-by: Shawn Lin +Acked-by: Jerome Brunet +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/clk.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/clk/clk.c ++++ b/drivers/clk/clk.c +@@ -2375,6 +2375,9 @@ static int clk_core_get_phase(struct clk + int ret; + + clk_prepare_lock(); ++ /* Always try to update cached phase if possible */ ++ if (core->ops->get_phase) ++ core->phase = core->ops->get_phase(core->hw); + ret = core->phase; + clk_prepare_unlock(); + diff --git a/queue-4.16/clk-hisilicon-mark-wdt_mux_p-as-const.patch b/queue-4.16/clk-hisilicon-mark-wdt_mux_p-as-const.patch new file mode 100644 index 00000000000..f5911f08be3 --- /dev/null +++ b/queue-4.16/clk-hisilicon-mark-wdt_mux_p-as-const.patch @@ -0,0 +1,34 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Arnd Bergmann +Date: Tue, 20 Feb 2018 16:15:21 +0100 +Subject: clk: hisilicon: mark wdt_mux_p[] as const + +From: Arnd Bergmann + +[ Upstream commit df934cbcbff7afbc024bf05f02615917c61f6470 ] + +The symbol is in the __initconst section but not marked init, which +caused a warning when building with LTO. + +This makes it 'const' as was obviously intended. + +Signed-off-by: Arnd Bergmann +Fixes: c80dfd9bf54e ("clk: hisilicon: add CRG driver for Hi3516CV300 SoC") +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/hisilicon/crg-hi3516cv300.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/clk/hisilicon/crg-hi3516cv300.c ++++ b/drivers/clk/hisilicon/crg-hi3516cv300.c +@@ -204,7 +204,7 @@ static const struct hisi_crg_funcs hi351 + /* hi3516CV300 sysctrl CRG */ + #define HI3516CV300_SYSCTRL_NR_CLKS 16 + +-static const char *wdt_mux_p[] __initconst = { "3m", "apb" }; ++static const char *const wdt_mux_p[] __initconst = { "3m", "apb" }; + static u32 wdt_mux_table[] = {0, 1}; + + static const struct hisi_mux_clock hi3516cv300_sysctrl_mux_clks[] = { diff --git a/queue-4.16/clk-meson-axg-add-the-fractional-part-of-the-fixed_pll.patch b/queue-4.16/clk-meson-axg-add-the-fractional-part-of-the-fixed_pll.patch new file mode 100644 index 00000000000..1007a023724 --- /dev/null +++ b/queue-4.16/clk-meson-axg-add-the-fractional-part-of-the-fixed_pll.patch @@ -0,0 +1,38 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Jerome Brunet +Date: Fri, 19 Jan 2018 16:55:29 +0100 +Subject: clk: meson: axg: add the fractional part of the fixed_pll + +From: Jerome Brunet + +[ Upstream commit 6b71aceceb09918daf37a40a1221077599040be3 ] + +The fixed_pll also has a fractional part. On axg s400 board, without +this parameter, the calculated rate is off by ~8Mhz (0,4%). The fixed_pll +being the root of the peripheral clock tree, this error is propagated to +the rest of the clocks + +Adding the definition of the parameter fixes the problem + +Fixes: 78b4af312f91 ("clk: meson-axg: add clock controller drivers") +Signed-off-by: Jerome Brunet +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/meson/axg.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/clk/meson/axg.c ++++ b/drivers/clk/meson/axg.c +@@ -129,6 +129,11 @@ static struct meson_clk_pll axg_fixed_pl + .shift = 16, + .width = 2, + }, ++ .frac = { ++ .reg_off = HHI_MPLL_CNTL2, ++ .shift = 0, ++ .width = 12, ++ }, + .lock = &meson_clk_lock, + .hw.init = &(struct clk_init_data){ + .name = "fixed_pll", diff --git a/queue-4.16/clk-meson-axg-fix-the-od-shift-of-the-sys_pll.patch b/queue-4.16/clk-meson-axg-fix-the-od-shift-of-the-sys_pll.patch new file mode 100644 index 00000000000..ba0c61d5f68 --- /dev/null +++ b/queue-4.16/clk-meson-axg-fix-the-od-shift-of-the-sys_pll.patch @@ -0,0 +1,32 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Yixun Lan +Date: Fri, 19 Jan 2018 10:09:26 +0800 +Subject: clk: meson: axg: fix the od shift of the sys_pll + +From: Yixun Lan + +[ Upstream commit 2fa9b361e500a0e092a9525afbd6a3a363ffa5f0 ] + +According to the datasheet, the od shift of sys_pll is actually 16. + +Fixes: 78b4af312f91 ('clk: meson-axg: add clock controller drivers') +Signed-off-by: Yixun Lan +[fixed commit message] +Signed-off-by: Jerome Brunet +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/meson/axg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/clk/meson/axg.c ++++ b/drivers/clk/meson/axg.c +@@ -151,7 +151,7 @@ static struct meson_clk_pll axg_sys_pll + }, + .od = { + .reg_off = HHI_SYS_PLL_CNTL, +- .shift = 10, ++ .shift = 16, + .width = 2, + }, + .rate_table = sys_pll_rate_table, diff --git a/queue-4.16/clk-rockchip-fix-wrong-parent-for-sdmmc-phase-clock-for-rk3228.patch b/queue-4.16/clk-rockchip-fix-wrong-parent-for-sdmmc-phase-clock-for-rk3228.patch new file mode 100644 index 00000000000..96890af644f --- /dev/null +++ b/queue-4.16/clk-rockchip-fix-wrong-parent-for-sdmmc-phase-clock-for-rk3228.patch @@ -0,0 +1,37 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Shawn Lin +Date: Wed, 21 Mar 2018 10:39:19 +0800 +Subject: clk: rockchip: Fix wrong parent for SDMMC phase clock for rk3228 + +From: Shawn Lin + +[ Upstream commit 4b0556a441dd37e598887215bc89b49a6ef525b3 ] + +commit c420c1e4db22 ("clk: rockchip: Prevent calculating mmc phase +if clock rate is zero") catches one gremlin again for clk-rk3228.c +that the parent of SDMMC phase clock should be sclk_sdmmc0, but not +sclk_sdmmc. However, the naming of the sdmmc clocks varies in the +manual with the card clock having the 0 while the hclk is named +without appended 0. So standardize one one format to prevent +confusion, as there also is only one (non-sdio) mmc controller on +the soc. + +Signed-off-by: Shawn Lin +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/rockchip/clk-rk3228.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/clk/rockchip/clk-rk3228.c ++++ b/drivers/clk/rockchip/clk-rk3228.c +@@ -387,7 +387,7 @@ static struct rockchip_clk_branch rk3228 + RK2928_CLKSEL_CON(23), 5, 2, MFLAGS, 0, 6, DFLAGS, + RK2928_CLKGATE_CON(2), 15, GFLAGS), + +- COMPOSITE(SCLK_SDMMC, "sclk_sdmmc0", mux_mmc_src_p, 0, ++ COMPOSITE(SCLK_SDMMC, "sclk_sdmmc", mux_mmc_src_p, 0, + RK2928_CLKSEL_CON(11), 8, 2, MFLAGS, 0, 8, DFLAGS, + RK2928_CLKGATE_CON(2), 11, GFLAGS), + diff --git a/queue-4.16/clk-rockchip-prevent-calculating-mmc-phase-if-clock-rate-is-zero.patch b/queue-4.16/clk-rockchip-prevent-calculating-mmc-phase-if-clock-rate-is-zero.patch new file mode 100644 index 00000000000..0d2ca57792b --- /dev/null +++ b/queue-4.16/clk-rockchip-prevent-calculating-mmc-phase-if-clock-rate-is-zero.patch @@ -0,0 +1,64 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Shawn Lin +Date: Mon, 5 Mar 2018 11:25:58 +0800 +Subject: clk: rockchip: Prevent calculating mmc phase if clock rate is zero + +From: Shawn Lin + +[ Upstream commit 4bf59902b50012b1dddeeaa23b217d9c4956cdda ] + +The MMC sample and drv clock for rockchip platforms are derived from +the bus clock output to the MMC/SDIO card. So it should never happens +that the clk rate is zero given it should inherits the clock rate from +its parent. If something goes wrong and makes the clock rate to be zero, +the calculation would be wrong but may still make the mmc tuning process +work luckily. However it makes people harder to debug when the following +data transfer is unstable. + +Signed-off-by: Shawn Lin +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/rockchip/clk-mmc-phase.c | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +--- a/drivers/clk/rockchip/clk-mmc-phase.c ++++ b/drivers/clk/rockchip/clk-mmc-phase.c +@@ -58,6 +58,12 @@ static int rockchip_mmc_get_phase(struct + u16 degrees; + u32 delay_num = 0; + ++ /* See the comment for rockchip_mmc_set_phase below */ ++ if (!rate) { ++ pr_err("%s: invalid clk rate\n", __func__); ++ return -EINVAL; ++ } ++ + raw_value = readl(mmc_clock->reg) >> (mmc_clock->shift); + + degrees = (raw_value & ROCKCHIP_MMC_DEGREE_MASK) * 90; +@@ -84,6 +90,23 @@ static int rockchip_mmc_set_phase(struct + u32 raw_value; + u32 delay; + ++ /* ++ * The below calculation is based on the output clock from ++ * MMC host to the card, which expects the phase clock inherits ++ * the clock rate from its parent, namely the output clock ++ * provider of MMC host. However, things may go wrong if ++ * (1) It is orphan. ++ * (2) It is assigned to the wrong parent. ++ * ++ * This check help debug the case (1), which seems to be the ++ * most likely problem we often face and which makes it difficult ++ * for people to debug unstable mmc tuning results. ++ */ ++ if (!rate) { ++ pr_err("%s: invalid clk rate\n", __func__); ++ return -EINVAL; ++ } ++ + nineties = degrees / 90; + remainder = (degrees % 90); + diff --git a/queue-4.16/clk-samsung-exynos3250-fix-pll-rates.patch b/queue-4.16/clk-samsung-exynos3250-fix-pll-rates.patch new file mode 100644 index 00000000000..3e8b9f944a6 --- /dev/null +++ b/queue-4.16/clk-samsung-exynos3250-fix-pll-rates.patch @@ -0,0 +1,55 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Andrzej Hajda +Date: Fri, 16 Feb 2018 15:57:48 +0100 +Subject: clk: samsung: exynos3250: Fix PLL rates + +From: Andrzej Hajda + +[ Upstream commit a8321e7887410a2b2e80ab89d1ef7b30562658ea ] + +Rates declared in PLL rate tables should match exactly rates calculated +from PLL coefficients. If that is not the case, rate of the PLL's child clock +might be set not as expected. For instance, if in the PLL rates table we have +a 393216000 Hz entry and the real value as returned by the PLL's recalc_rate +callback is 393216003, after setting PLL's clk rate to 393216000 clk_get_rate +will return 393216003. If we now attempt to set rate of a PLL's child divider +clock to 393216000/2 its rate will be 131072001, rather than 196608000. +That is, the divider will be set to 3 instead of 2, because 393216003/2 is +greater than 196608000. + +To fix this issue declared rates are changed to exactly match rates generated +by the PLL, as calculated from the P, M, S, K coefficients. + +In this patch an erroneous P value for 74176002 output frequency is also +corrected. + +Signed-off-by: Andrzej Hajda +Acked-by: Chanwoo Choi +Acked-by: Tomasz Figa +Signed-off-by: Sylwester Nawrocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/samsung/clk-exynos3250.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/clk/samsung/clk-exynos3250.c ++++ b/drivers/clk/samsung/clk-exynos3250.c +@@ -698,7 +698,7 @@ static const struct samsung_pll_rate_tab + PLL_36XX_RATE(144000000, 96, 2, 3, 0), + PLL_36XX_RATE( 96000000, 128, 2, 4, 0), + PLL_36XX_RATE( 84000000, 112, 2, 4, 0), +- PLL_36XX_RATE( 80000004, 106, 2, 4, 43691), ++ PLL_36XX_RATE( 80000003, 106, 2, 4, 43691), + PLL_36XX_RATE( 73728000, 98, 2, 4, 19923), + PLL_36XX_RATE( 67737598, 270, 3, 5, 62285), + PLL_36XX_RATE( 65535999, 174, 2, 5, 49982), +@@ -734,7 +734,7 @@ static const struct samsung_pll_rate_tab + PLL_36XX_RATE(148352005, 98, 2, 3, 59070), + PLL_36XX_RATE(108000000, 144, 2, 4, 0), + PLL_36XX_RATE( 74250000, 99, 2, 4, 0), +- PLL_36XX_RATE( 74176002, 98, 3, 4, 59070), ++ PLL_36XX_RATE( 74176002, 98, 2, 4, 59070), + PLL_36XX_RATE( 54054000, 216, 3, 5, 14156), + PLL_36XX_RATE( 54000000, 144, 2, 5, 0), + { /* sentinel */ } diff --git a/queue-4.16/clk-samsung-exynos5250-fix-pll-rates.patch b/queue-4.16/clk-samsung-exynos5250-fix-pll-rates.patch new file mode 100644 index 00000000000..7bd2f17cee9 --- /dev/null +++ b/queue-4.16/clk-samsung-exynos5250-fix-pll-rates.patch @@ -0,0 +1,52 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Andrzej Hajda +Date: Fri, 16 Feb 2018 15:57:49 +0100 +Subject: clk: samsung: exynos5250: Fix PLL rates + +From: Andrzej Hajda + +[ Upstream commit 2ac051eeabaa411ef89ae7cd5bb8e60cb41ad780 ] + +Rates declared in PLL rate tables should match exactly rates calculated +from PLL coefficients. If that is not the case, rate of the PLL's child clock +might be set not as expected. For instance, if in the PLL rates table we have +a 393216000 Hz entry and the real value as returned by the PLL's recalc_rate +callback is 393216003, after setting PLL's clk rate to 393216000 clk_get_rate +will return 393216003. If we now attempt to set rate of a PLL's child divider +clock to 393216000/2 its rate will be 131072001, rather than 196608000. +That is, the divider will be set to 3 instead of 2, because 393216003/2 is +greater than 196608000. + +To fix this issue declared rates are changed to exactly match rates generated +by the PLL, as calculated from the P, M, S, K coefficients. + +Signed-off-by: Andrzej Hajda +Acked-by: Chanwoo Choi +Acked-by: Tomasz Figa +Signed-off-by: Sylwester Nawrocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/samsung/clk-exynos5250.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/clk/samsung/clk-exynos5250.c ++++ b/drivers/clk/samsung/clk-exynos5250.c +@@ -711,13 +711,13 @@ static const struct samsung_pll_rate_tab + /* sorted in descending order */ + /* PLL_36XX_RATE(rate, m, p, s, k) */ + PLL_36XX_RATE(192000000, 64, 2, 2, 0), +- PLL_36XX_RATE(180633600, 90, 3, 2, 20762), ++ PLL_36XX_RATE(180633605, 90, 3, 2, 20762), + PLL_36XX_RATE(180000000, 90, 3, 2, 0), + PLL_36XX_RATE(73728000, 98, 2, 4, 19923), +- PLL_36XX_RATE(67737600, 90, 2, 4, 20762), ++ PLL_36XX_RATE(67737602, 90, 2, 4, 20762), + PLL_36XX_RATE(49152000, 98, 3, 4, 19923), +- PLL_36XX_RATE(45158400, 90, 3, 4, 20762), +- PLL_36XX_RATE(32768000, 131, 3, 5, 4719), ++ PLL_36XX_RATE(45158401, 90, 3, 4, 20762), ++ PLL_36XX_RATE(32768001, 131, 3, 5, 4719), + { }, + }; + diff --git a/queue-4.16/clk-samsung-exynos5260-fix-pll-rates.patch b/queue-4.16/clk-samsung-exynos5260-fix-pll-rates.patch new file mode 100644 index 00000000000..f25bc4acee5 --- /dev/null +++ b/queue-4.16/clk-samsung-exynos5260-fix-pll-rates.patch @@ -0,0 +1,43 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Andrzej Hajda +Date: Fri, 16 Feb 2018 15:57:50 +0100 +Subject: clk: samsung: exynos5260: Fix PLL rates + +From: Andrzej Hajda + +[ Upstream commit cdb68fbd4e7962be742c4f29475220c5bf28d8a5 ] + +Rates declared in PLL rate tables should match exactly rates calculated from +the PLL coefficients. If that is not the case, rate of the PLL's child clock +might be set not as expected. For instance, if in the PLL rates table we have +a 393216000 Hz entry and the real value as returned by the PLL's recalc_rate +callback is 393216003, after setting PLL's clk rate to 393216000 clk_get_rate +will return 393216003. If we now attempt to set rate of a PLL's child divider +clock to 393216000/2 its rate will be 131072001, rather than 196608000. +That is, the divider will be set to 3 instead of 2, because 393216003/2 is +greater than 196608000. + +To fix this issue declared rates are changed to exactly match rates generated +by the PLL, as calculated from the P, M, S, K coefficients. + +Signed-off-by: Andrzej Hajda +Acked-by: Tomasz Figa +Acked-by: Chanwoo Choi +Signed-off-by: Sylwester Nawrocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/samsung/clk-exynos5260.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/clk/samsung/clk-exynos5260.c ++++ b/drivers/clk/samsung/clk-exynos5260.c +@@ -65,7 +65,7 @@ static const struct samsung_pll_rate_tab + PLL_36XX_RATE(480000000, 160, 2, 2, 0), + PLL_36XX_RATE(432000000, 144, 2, 2, 0), + PLL_36XX_RATE(400000000, 200, 3, 2, 0), +- PLL_36XX_RATE(394073130, 459, 7, 2, 49282), ++ PLL_36XX_RATE(394073128, 459, 7, 2, 49282), + PLL_36XX_RATE(333000000, 111, 2, 2, 0), + PLL_36XX_RATE(300000000, 100, 2, 2, 0), + PLL_36XX_RATE(266000000, 266, 3, 3, 0), diff --git a/queue-4.16/clk-samsung-exynos5433-fix-pll-rates.patch b/queue-4.16/clk-samsung-exynos5433-fix-pll-rates.patch new file mode 100644 index 00000000000..bb31b677a73 --- /dev/null +++ b/queue-4.16/clk-samsung-exynos5433-fix-pll-rates.patch @@ -0,0 +1,61 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Andrzej Hajda +Date: Fri, 16 Feb 2018 15:57:51 +0100 +Subject: clk: samsung: exynos5433: Fix PLL rates + +From: Andrzej Hajda + +[ Upstream commit ab0447845cffc0fd752df2ccd6b4e34006000ce4 ] + +Rates declared in PLL rate tables should match exactly rates calculated from +the PLL coefficients. If that is not the case, rate of the PLL's child clock +might be set not as expected. For instance, if in the PLL rates table we have +a 393216000 Hz entry and the real value as returned by the PLL's recalc_rate +callback is 393216003, after setting PLL's clk rate to 393216000 clk_get_rate +will return 393216003. If we now attempt to set rate of a PLL's child divider +clock to 393216000/2 its rate will be 131072001, rather than 196608000. +That is, the divider will be set to 3 instead of 2, because 393216003/2 is +greater than 196608000. + +To fix this issue declared rates are changed to exactly match rates generated +by the PLL, as calculated from the P, M, S, K coefficients. + +Signed-off-by: Andrzej Hajda +Acked-by: Tomasz Figa +Acked-by: Chanwoo Choi +Signed-off-by: Sylwester Nawrocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/samsung/clk-exynos5433.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/clk/samsung/clk-exynos5433.c ++++ b/drivers/clk/samsung/clk-exynos5433.c +@@ -729,7 +729,7 @@ static const struct samsung_pll_rate_tab + PLL_35XX_RATE(800000000U, 400, 6, 1), + PLL_35XX_RATE(733000000U, 733, 12, 1), + PLL_35XX_RATE(700000000U, 175, 3, 1), +- PLL_35XX_RATE(667000000U, 222, 4, 1), ++ PLL_35XX_RATE(666000000U, 222, 4, 1), + PLL_35XX_RATE(633000000U, 211, 4, 1), + PLL_35XX_RATE(600000000U, 500, 5, 2), + PLL_35XX_RATE(552000000U, 460, 5, 2), +@@ -757,12 +757,12 @@ static const struct samsung_pll_rate_tab + /* AUD_PLL */ + static const struct samsung_pll_rate_table exynos5433_aud_pll_rates[] __initconst = { + PLL_36XX_RATE(400000000U, 200, 3, 2, 0), +- PLL_36XX_RATE(393216000U, 197, 3, 2, -25690), ++ PLL_36XX_RATE(393216003U, 197, 3, 2, -25690), + PLL_36XX_RATE(384000000U, 128, 2, 2, 0), +- PLL_36XX_RATE(368640000U, 246, 4, 2, -15729), +- PLL_36XX_RATE(361507200U, 181, 3, 2, -16148), +- PLL_36XX_RATE(338688000U, 113, 2, 2, -6816), +- PLL_36XX_RATE(294912000U, 98, 1, 3, 19923), ++ PLL_36XX_RATE(368639991U, 246, 4, 2, -15729), ++ PLL_36XX_RATE(361507202U, 181, 3, 2, -16148), ++ PLL_36XX_RATE(338687988U, 113, 2, 2, -6816), ++ PLL_36XX_RATE(294912002U, 98, 1, 3, 19923), + PLL_36XX_RATE(288000000U, 96, 1, 3, 0), + PLL_36XX_RATE(252000000U, 84, 1, 3, 0), + { /* sentinel */ } diff --git a/queue-4.16/clk-samsung-exynos7-fix-pll-rates.patch b/queue-4.16/clk-samsung-exynos7-fix-pll-rates.patch new file mode 100644 index 00000000000..956a33ade85 --- /dev/null +++ b/queue-4.16/clk-samsung-exynos7-fix-pll-rates.patch @@ -0,0 +1,43 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Andrzej Hajda +Date: Fri, 16 Feb 2018 15:57:52 +0100 +Subject: clk: samsung: exynos7: Fix PLL rates + +From: Andrzej Hajda + +[ Upstream commit 7e4db0c2836e892766565965207eee051c8037b9 ] + +Rates declared in PLL rate tables should match exactly rates calculated from +the PLL coefficients. If that is not the case, rate of the PLL's child clock +might be set not as expected. For instance, if in the PLL rates table we have +a 393216000 Hz entry and the real value as returned by the PLL's recalc_rate +callback is 393216003, after setting PLL's clk rate to 393216000 clk_get_rate +will return 393216003. If we now attempt to set rate of a PLL's child divider +clock to 393216000/2 its rate will be 131072001, rather than 196608000. +That is, the divider will be set to 3 instead of 2, because 393216003/2 is +greater than 196608000. + +To fix this issue declared rates are changed to exactly match rates generated +by the PLL, as calculated from the P, M, S, K coefficients. + +Signed-off-by: Andrzej Hajda +Acked-by: Tomasz Figa +Acked-by: Chanwoo Choi +Signed-off-by: Sylwester Nawrocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/samsung/clk-exynos7.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/clk/samsung/clk-exynos7.c ++++ b/drivers/clk/samsung/clk-exynos7.c +@@ -140,7 +140,7 @@ static const struct samsung_div_clock to + }; + + static const struct samsung_pll_rate_table pll1460x_24mhz_tbl[] __initconst = { +- PLL_36XX_RATE(491520000, 20, 1, 0, 31457), ++ PLL_36XX_RATE(491519897, 20, 1, 0, 31457), + {}, + }; + diff --git a/queue-4.16/clk-samsung-s3c2410-fix-pll-rates.patch b/queue-4.16/clk-samsung-s3c2410-fix-pll-rates.patch new file mode 100644 index 00000000000..02c1d625d55 --- /dev/null +++ b/queue-4.16/clk-samsung-s3c2410-fix-pll-rates.patch @@ -0,0 +1,69 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Andrzej Hajda +Date: Fri, 16 Feb 2018 15:57:53 +0100 +Subject: clk: samsung: s3c2410: Fix PLL rates + +From: Andrzej Hajda + +[ Upstream commit 179db533c08431f509a3823077549773d519358b ] + +Rates declared in PLL rate tables should match exactly rates calculated from +the PLL coefficients. If that is not the case, rate of the PLL's child clock +might be set not as expected. For instance, if in the PLL rates table we have +a 393216000 Hz entry and the real value as returned by the PLL's recalc_rate +callback is 393216003, after setting PLL's clk rate to 393216000 clk_get_rate +will return 393216003. If we now attempt to set rate of a PLL's child divider +clock to 393216000/2 its rate will be 131072001, rather than 196608000. +That is, the divider will be set to 3 instead of 2, because 393216003/2 is +greater than 196608000. + +To fix this issue declared rates are changed to exactly match rates generated +by the PLL, as calculated from the P, M, S, K coefficients. + +Signed-off-by: Andrzej Hajda +Acked-by: Tomasz Figa +Acked-by: Chanwoo Choi +Signed-off-by: Sylwester Nawrocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/samsung/clk-s3c2410.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/drivers/clk/samsung/clk-s3c2410.c ++++ b/drivers/clk/samsung/clk-s3c2410.c +@@ -168,7 +168,7 @@ static struct samsung_pll_rate_table pll + PLL_35XX_RATE(226000000, 105, 1, 1), + PLL_35XX_RATE(210000000, 132, 2, 1), + /* 2410 common */ +- PLL_35XX_RATE(203000000, 161, 3, 1), ++ PLL_35XX_RATE(202800000, 161, 3, 1), + PLL_35XX_RATE(192000000, 88, 1, 1), + PLL_35XX_RATE(186000000, 85, 1, 1), + PLL_35XX_RATE(180000000, 82, 1, 1), +@@ -178,18 +178,18 @@ static struct samsung_pll_rate_table pll + PLL_35XX_RATE(147000000, 90, 2, 1), + PLL_35XX_RATE(135000000, 82, 2, 1), + PLL_35XX_RATE(124000000, 116, 1, 2), +- PLL_35XX_RATE(118000000, 150, 2, 2), ++ PLL_35XX_RATE(118500000, 150, 2, 2), + PLL_35XX_RATE(113000000, 105, 1, 2), +- PLL_35XX_RATE(101000000, 127, 2, 2), ++ PLL_35XX_RATE(101250000, 127, 2, 2), + PLL_35XX_RATE(90000000, 112, 2, 2), +- PLL_35XX_RATE(85000000, 105, 2, 2), ++ PLL_35XX_RATE(84750000, 105, 2, 2), + PLL_35XX_RATE(79000000, 71, 1, 2), +- PLL_35XX_RATE(68000000, 82, 2, 2), +- PLL_35XX_RATE(56000000, 142, 2, 3), ++ PLL_35XX_RATE(67500000, 82, 2, 2), ++ PLL_35XX_RATE(56250000, 142, 2, 3), + PLL_35XX_RATE(48000000, 120, 2, 3), +- PLL_35XX_RATE(51000000, 161, 3, 3), ++ PLL_35XX_RATE(50700000, 161, 3, 3), + PLL_35XX_RATE(45000000, 82, 1, 3), +- PLL_35XX_RATE(34000000, 82, 2, 3), ++ PLL_35XX_RATE(33750000, 82, 2, 3), + { /* sentinel */ }, + }; + diff --git a/queue-4.16/clk-tegra-fix-pll_u-rate-configuration.patch b/queue-4.16/clk-tegra-fix-pll_u-rate-configuration.patch new file mode 100644 index 00000000000..885d0525992 --- /dev/null +++ b/queue-4.16/clk-tegra-fix-pll_u-rate-configuration.patch @@ -0,0 +1,57 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Marcel Ziswiler +Date: Fri, 23 Feb 2018 00:04:51 +0100 +Subject: clk: tegra: Fix pll_u rate configuration + +From: Marcel Ziswiler + +[ Upstream commit c35b518f9ba06c9de79fb3ff62eed7462d804995 ] + +Turns out latest upstream U-Boot does not configure/enable pll_u which +leaves it at some default rate of 500 kHz: + +root@apalis-t30:~# cat /sys/kernel/debug/clk/clk_summary | grep pll_u + pll_u 3 3 0 500000 0 + +Of course this won't quite work leading to the following messages: + +[ 6.559593] usb 2-1: new full-speed USB device number 2 using tegra- +ehci +[ 11.759173] usb 2-1: device descriptor read/64, error -110 +[ 27.119453] usb 2-1: device descriptor read/64, error -110 +[ 27.389217] usb 2-1: new full-speed USB device number 3 using tegra- +ehci +[ 32.559454] usb 2-1: device descriptor read/64, error -110 +[ 47.929777] usb 2-1: device descriptor read/64, error -110 +[ 48.049658] usb usb2-port1: attempt power cycle +[ 48.759475] usb 2-1: new full-speed USB device number 4 using tegra- +ehci +[ 59.349457] usb 2-1: device not accepting address 4, error -110 +[ 59.509449] usb 2-1: new full-speed USB device number 5 using tegra- +ehci +[ 70.069457] usb 2-1: device not accepting address 5, error -110 +[ 70.079721] usb usb2-port1: unable to enumerate USB device + +Fix this by actually allowing the rate also being set from within +the Linux kernel. + +Signed-off-by: Marcel Ziswiler +Tested-by: Jon Hunter +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/tegra/clk-pll.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/clk/tegra/clk-pll.c ++++ b/drivers/clk/tegra/clk-pll.c +@@ -1151,6 +1151,8 @@ static const struct clk_ops tegra_clk_pl + .enable = clk_pllu_enable, + .disable = clk_pll_disable, + .recalc_rate = clk_pll_recalc_rate, ++ .round_rate = clk_pll_round_rate, ++ .set_rate = clk_pll_set_rate, + }; + + static int _pll_fixed_mdiv(struct tegra_clk_pll_params *pll_params, diff --git a/queue-4.16/clk-ti-fix-flag-space-conflict-with-clkctrl-clocks.patch b/queue-4.16/clk-ti-fix-flag-space-conflict-with-clkctrl-clocks.patch new file mode 100644 index 00000000000..025bf75cbaa --- /dev/null +++ b/queue-4.16/clk-ti-fix-flag-space-conflict-with-clkctrl-clocks.patch @@ -0,0 +1,54 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Tero Kristo +Date: Tue, 27 Mar 2018 20:47:04 +0300 +Subject: clk: ti: fix flag space conflict with clkctrl clocks + +From: Tero Kristo + +[ Upstream commit 269bd202bc0fd04e841cb123867fd3f49e04ace9 ] + +The introduction of support for CLK_SET_RATE_PARENT flag for clkctrl +clocks used a generic clock flag, which causes a conflict with the +rest of the clkctrl flags, namely the NO_IDLEST flag. This can cause +boot failures on certain platforms where this flag is introduced, by +omitting the wait for the clockctrl module to be fully enabled before +proceeding with rest of the code. + +Fix this by moving all the clkctrl specific flags to their own bit-range. + +Signed-off-by: Tero Kristo +Fixes: 49159a9dc3da ("clk: ti: add support for CLK_SET_RATE_PARENT flag") +Reported-by: Christophe Lyon +Tested-by: Tony Lindgren +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/ti/clock.h | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/clk/ti/clock.h ++++ b/drivers/clk/ti/clock.h +@@ -74,6 +74,11 @@ enum { + #define CLKF_CORE (1 << 9) + #define CLKF_J_TYPE (1 << 10) + ++/* CLKCTRL flags */ ++#define CLKF_SW_SUP BIT(5) ++#define CLKF_HW_SUP BIT(6) ++#define CLKF_NO_IDLEST BIT(7) ++ + #define CLK(dev, con, ck) \ + { \ + .lk = { \ +@@ -183,10 +188,6 @@ extern const struct omap_clkctrl_data am + extern const struct omap_clkctrl_data dm814_clkctrl_data[]; + extern const struct omap_clkctrl_data dm816_clkctrl_data[]; + +-#define CLKF_SW_SUP BIT(0) +-#define CLKF_HW_SUP BIT(1) +-#define CLKF_NO_IDLEST BIT(2) +- + typedef void (*ti_of_clk_init_cb_t)(void *, struct device_node *); + + struct clk *ti_clk_register(struct device *dev, struct clk_hw *hw, diff --git a/queue-4.16/coresight-use-px-to-print-pcsr-instead-of-p.patch b/queue-4.16/coresight-use-px-to-print-pcsr-instead-of-p.patch new file mode 100644 index 00000000000..ea3f4e93c44 --- /dev/null +++ b/queue-4.16/coresight-use-px-to-print-pcsr-instead-of-p.patch @@ -0,0 +1,38 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Leo Yan +Date: Tue, 13 Mar 2018 11:24:30 -0600 +Subject: coresight: Use %px to print pcsr instead of %p + +From: Leo Yan + +[ Upstream commit 831c326fcd0e8e2a6ece952f898a1ec9b1dc1004 ] + +Commit ad67b74d2469 ("printk: hash addresses printed with %p") lets +printk specifier %p to hash all addresses before printing, this was +resulting in the high 32 bits of pcsr can only output zeros. So +module cannot completely print pc value and it's pointless for debugging +purpose. + +This patch fixes this by using %px to print pcsr instead. + +Cc: Mathieu Poirier +Signed-off-by: Leo Yan +Signed-off-by: Mathieu Poirier +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwtracing/coresight/coresight-cpu-debug.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hwtracing/coresight/coresight-cpu-debug.c ++++ b/drivers/hwtracing/coresight/coresight-cpu-debug.c +@@ -315,7 +315,7 @@ static void debug_dump_regs(struct debug + } + + pc = debug_adjust_pc(drvdata); +- dev_emerg(dev, " EDPCSR: [<%p>] %pS\n", (void *)pc, (void *)pc); ++ dev_emerg(dev, " EDPCSR: [<%px>] %pS\n", (void *)pc, (void *)pc); + + if (drvdata->edcidsr_present) + dev_emerg(dev, " EDCIDSR: %08x\n", drvdata->edcidsr); diff --git a/queue-4.16/cpufreq-cppc-initialize-shared-perf-capabilities-of-cpus.patch b/queue-4.16/cpufreq-cppc-initialize-shared-perf-capabilities-of-cpus.patch new file mode 100644 index 00000000000..96dfa723700 --- /dev/null +++ b/queue-4.16/cpufreq-cppc-initialize-shared-perf-capabilities-of-cpus.patch @@ -0,0 +1,53 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Shunyong Yang +Date: Fri, 6 Apr 2018 10:43:49 +0800 +Subject: cpufreq: CPPC: Initialize shared perf capabilities of CPUs + +From: Shunyong Yang + +[ Upstream commit 8913315e9459b146e5888ab5138e10daa061b885 ] + +When multiple CPUs are related in one cpufreq policy, the first online +CPU will be chosen by default to handle cpufreq operations. Let's take +cpu0 and cpu1 as an example. + +When cpu0 is offline, policy->cpu will be shifted to cpu1. cpu1's perf +capabilities should be initialized. Otherwise, perf capabilities are 0s +and speed change can not take effect. + +This patch copies perf capabilities of the first online CPU to other +shared CPUs when policy shared type is CPUFREQ_SHARED_TYPE_ANY. + +Acked-by: Viresh Kumar +Signed-off-by: Shunyong Yang +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpufreq/cppc_cpufreq.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/drivers/cpufreq/cppc_cpufreq.c ++++ b/drivers/cpufreq/cppc_cpufreq.c +@@ -167,9 +167,19 @@ static int cppc_cpufreq_cpu_init(struct + NSEC_PER_USEC; + policy->shared_type = cpu->shared_type; + +- if (policy->shared_type == CPUFREQ_SHARED_TYPE_ANY) ++ if (policy->shared_type == CPUFREQ_SHARED_TYPE_ANY) { ++ int i; ++ + cpumask_copy(policy->cpus, cpu->shared_cpu_map); +- else if (policy->shared_type == CPUFREQ_SHARED_TYPE_ALL) { ++ ++ for_each_cpu(i, policy->cpus) { ++ if (unlikely(i == policy->cpu)) ++ continue; ++ ++ memcpy(&all_cpu_data[i]->perf_caps, &cpu->perf_caps, ++ sizeof(cpu->perf_caps)); ++ } ++ } else if (policy->shared_type == CPUFREQ_SHARED_TYPE_ALL) { + /* Support only SW_ANY for now. */ + pr_debug("Unsupported CPU co-ord type\n"); + return -EFAULT; diff --git a/queue-4.16/cpufreq-cppc_cpufreq-fix-cppc_cpufreq_init-failure-path.patch b/queue-4.16/cpufreq-cppc_cpufreq-fix-cppc_cpufreq_init-failure-path.patch new file mode 100644 index 00000000000..7ae32237b3c --- /dev/null +++ b/queue-4.16/cpufreq-cppc_cpufreq-fix-cppc_cpufreq_init-failure-path.patch @@ -0,0 +1,57 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Chunyu Hu +Date: Mon, 5 Mar 2018 13:40:38 +0800 +Subject: cpufreq: cppc_cpufreq: Fix cppc_cpufreq_init() failure path + +From: Chunyu Hu + +[ Upstream commit 55b55abc17f238c61921360e61dde90dd9a326d1 ] + +Kmemleak reported the below leak. When cppc_cpufreq_init went into +failure path, the cpu mask is not freed. After fix, this report is +gone. And to avaoid potential NULL pointer reference, check the cpu +value first. + +unreferenced object 0xffff800fd5ea4880 (size 128): + comm "swapper/0", pid 1, jiffies 4294939510 (age 668.680s) + hex dump (first 32 bytes): + 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 .... ........... + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] __kmalloc_node+0x278/0x634 + [] alloc_cpumask_var_node+0x28/0x60 + [] zalloc_cpumask_var+0x14/0x1c + [] cppc_cpufreq_init+0xd0/0x19c + [] do_one_initcall+0xec/0x15c + [] kernel_init_freeable+0x1f4/0x2a4 + [] kernel_init+0x18/0x10c + [] ret_from_fork+0x10/0x18 + [] 0xffffffffffffffff + +Signed-off-by: Chunyu Hu +Acked-by: Viresh Kumar +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpufreq/cppc_cpufreq.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/cpufreq/cppc_cpufreq.c ++++ b/drivers/cpufreq/cppc_cpufreq.c +@@ -243,8 +243,13 @@ static int __init cppc_cpufreq_init(void + return ret; + + out: +- for_each_possible_cpu(i) +- kfree(all_cpu_data[i]); ++ for_each_possible_cpu(i) { ++ cpu = all_cpu_data[i]; ++ if (!cpu) ++ break; ++ free_cpumask_var(cpu->shared_cpu_map); ++ kfree(cpu); ++ } + + kfree(all_cpu_data); + return -ENODEV; diff --git a/queue-4.16/cpufreq-reorder-cpufreq_online-error-code-path.patch b/queue-4.16/cpufreq-reorder-cpufreq_online-error-code-path.patch new file mode 100644 index 00000000000..aca2e6dd0b9 --- /dev/null +++ b/queue-4.16/cpufreq-reorder-cpufreq_online-error-code-path.patch @@ -0,0 +1,49 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Viresh Kumar +Date: Thu, 22 Feb 2018 11:29:43 +0530 +Subject: cpufreq: Reorder cpufreq_online() error code path + +From: Viresh Kumar + +[ Upstream commit b24b6478e65f140610ab1ffaadc7bc6bf0be8aad ] + +Ideally the de-allocation of resources should happen in the exact +opposite order in which they were allocated. It helps maintain the code +in long term, even if nothing really breaks with incorrect ordering. + +That wasn't followed in cpufreq_online() and it has some +inconsistencies. For example, the symlinks were created from within +the locked region while they are removed only after putting the locks. +Also ->exit() should have been called only after the symlinks are +removed and the lock is dropped, as that was the case when ->init() +was first called. + +Signed-off-by: Viresh Kumar +[ rjw: Subject ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpufreq/cpufreq.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/cpufreq/cpufreq.c ++++ b/drivers/cpufreq/cpufreq.c +@@ -1327,14 +1327,14 @@ static int cpufreq_online(unsigned int c + return 0; + + out_exit_policy: ++ for_each_cpu(j, policy->real_cpus) ++ remove_cpu_dev_symlink(policy, get_cpu_device(j)); ++ + up_write(&policy->rwsem); + + if (cpufreq_driver->exit) + cpufreq_driver->exit(policy); + +- for_each_cpu(j, policy->real_cpus) +- remove_cpu_dev_symlink(policy, get_cpu_device(j)); +- + out_free_policy: + cpufreq_policy_free(policy); + return ret; diff --git a/queue-4.16/crypto-af_alg-fix-possible-uninit-value-in-alg_bind.patch b/queue-4.16/crypto-af_alg-fix-possible-uninit-value-in-alg_bind.patch new file mode 100644 index 00000000000..dc1344c097a --- /dev/null +++ b/queue-4.16/crypto-af_alg-fix-possible-uninit-value-in-alg_bind.patch @@ -0,0 +1,50 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Eric Dumazet +Date: Sat, 7 Apr 2018 13:42:36 -0700 +Subject: crypto: af_alg - fix possible uninit-value in alg_bind() + +From: Eric Dumazet + +[ Upstream commit a466856e0b7ab269cdf9461886d007e88ff575b0 ] + +syzbot reported : + +BUG: KMSAN: uninit-value in alg_bind+0xe3/0xd90 crypto/af_alg.c:162 + +We need to check addr_len before dereferencing sa (or uaddr) + +Fixes: bb30b8848c85 ("crypto: af_alg - whitelist mask and type") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Cc: Stephan Mueller +Cc: Herbert Xu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + crypto/af_alg.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/crypto/af_alg.c ++++ b/crypto/af_alg.c +@@ -158,16 +158,16 @@ static int alg_bind(struct socket *sock, + void *private; + int err; + +- /* If caller uses non-allowed flag, return error. */ +- if ((sa->salg_feat & ~allowed) || (sa->salg_mask & ~allowed)) +- return -EINVAL; +- + if (sock->state == SS_CONNECTED) + return -EINVAL; + + if (addr_len < sizeof(*sa)) + return -EINVAL; + ++ /* If caller uses non-allowed flag, return error. */ ++ if ((sa->salg_feat & ~allowed) || (sa->salg_mask & ~allowed)) ++ return -EINVAL; ++ + sa->salg_type[sizeof(sa->salg_type) - 1] = 0; + sa->salg_name[sizeof(sa->salg_name) + addr_len - sizeof(*sa) - 1] = 0; + diff --git a/queue-4.16/crypto-atmel-aes-fix-the-keys-zeroing-on-errors.patch b/queue-4.16/crypto-atmel-aes-fix-the-keys-zeroing-on-errors.patch new file mode 100644 index 00000000000..ab9b740a436 --- /dev/null +++ b/queue-4.16/crypto-atmel-aes-fix-the-keys-zeroing-on-errors.patch @@ -0,0 +1,34 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Antoine Tenart +Date: Fri, 23 Feb 2018 10:01:40 +0100 +Subject: crypto: atmel-aes - fix the keys zeroing on errors + +From: Antoine Tenart + +[ Upstream commit 5d804a5157dbaa64872a675923ae87161165c66b ] + +The Atmel AES driver uses memzero_explicit on the keys on error, but the +variable zeroed isn't the right one because of a typo. Fix this by using +the right variable. + +Fixes: 89a82ef87e01 ("crypto: atmel-authenc - add support to authenc(hmac(shaX), Y(aes)) modes") +Signed-off-by: Antoine Tenart +Reviewed-by: Tudor Ambarus +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/atmel-aes.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/crypto/atmel-aes.c ++++ b/drivers/crypto/atmel-aes.c +@@ -2155,7 +2155,7 @@ static int atmel_aes_authenc_setkey(stru + + badkey: + crypto_aead_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN); +- memzero_explicit(&key, sizeof(keys)); ++ memzero_explicit(&keys, sizeof(keys)); + return -EINVAL; + } + diff --git a/queue-4.16/crypto-ccp-don-t-disable-interrupts-while-setting-up-debugfs.patch b/queue-4.16/crypto-ccp-don-t-disable-interrupts-while-setting-up-debugfs.patch new file mode 100644 index 00000000000..100670a6b2e --- /dev/null +++ b/queue-4.16/crypto-ccp-don-t-disable-interrupts-while-setting-up-debugfs.patch @@ -0,0 +1,82 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Sebastian Andrzej Siewior +Date: Fri, 23 Feb 2018 23:33:07 +0100 +Subject: crypto: ccp - don't disable interrupts while setting up debugfs + +From: Sebastian Andrzej Siewior + +[ Upstream commit 79eb382b5e06a6dca5806465d7195d686a463ab0 ] + +I don't why we need take a single write lock and disable interrupts +while setting up debugfs. This is what what happens when we try anyway: + +|ccp 0000:03:00.2: enabling device (0000 -> 0002) +|BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:69 +|in_atomic(): 1, irqs_disabled(): 1, pid: 3, name: kworker/0:0 +|irq event stamp: 17150 +|hardirqs last enabled at (17149): [<0000000097a18c49>] restore_regs_and_return_to_kernel+0x0/0x23 +|hardirqs last disabled at (17150): [<000000000773b3a9>] _raw_write_lock_irqsave+0x1b/0x50 +|softirqs last enabled at (17148): [<0000000064d56155>] __do_softirq+0x3b8/0x4c1 +|softirqs last disabled at (17125): [<0000000092633c18>] irq_exit+0xb1/0xc0 +|CPU: 0 PID: 3 Comm: kworker/0:0 Not tainted 4.16.0-rc2+ #30 +|Workqueue: events work_for_cpu_fn +|Call Trace: +| dump_stack+0x7d/0xb6 +| ___might_sleep+0x1eb/0x250 +| down_write+0x17/0x60 +| start_creating+0x4c/0xe0 +| debugfs_create_dir+0x9/0x100 +| ccp5_debugfs_setup+0x191/0x1b0 +| ccp5_init+0x8a7/0x8c0 +| ccp_dev_init+0xb8/0xe0 +| sp_init+0x6c/0x90 +| sp_pci_probe+0x26e/0x590 +| local_pci_probe+0x3f/0x90 +| work_for_cpu_fn+0x11/0x20 +| process_one_work+0x1ff/0x650 +| worker_thread+0x1d4/0x3a0 +| kthread+0xfe/0x130 +| ret_from_fork+0x27/0x50 + +If any locking is required, a simple mutex will do it. + +Cc: Gary R Hook +Signed-off-by: Sebastian Andrzej Siewior +Acked-by: Gary R Hook +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/ccp/ccp-debugfs.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/crypto/ccp/ccp-debugfs.c ++++ b/drivers/crypto/ccp/ccp-debugfs.c +@@ -278,7 +278,7 @@ static const struct file_operations ccp_ + }; + + static struct dentry *ccp_debugfs_dir; +-static DEFINE_RWLOCK(ccp_debugfs_lock); ++static DEFINE_MUTEX(ccp_debugfs_lock); + + #define MAX_NAME_LEN 20 + +@@ -290,16 +290,15 @@ void ccp5_debugfs_setup(struct ccp_devic + struct dentry *debugfs_stats; + struct dentry *debugfs_q_instance; + struct dentry *debugfs_q_stats; +- unsigned long flags; + int i; + + if (!debugfs_initialized()) + return; + +- write_lock_irqsave(&ccp_debugfs_lock, flags); ++ mutex_lock(&ccp_debugfs_lock); + if (!ccp_debugfs_dir) + ccp_debugfs_dir = debugfs_create_dir(KBUILD_MODNAME, NULL); +- write_unlock_irqrestore(&ccp_debugfs_lock, flags); ++ mutex_unlock(&ccp_debugfs_lock); + if (!ccp_debugfs_dir) + return; + diff --git a/queue-4.16/crypto-inside-secure-do-not-overwrite-the-threshold-value.patch b/queue-4.16/crypto-inside-secure-do-not-overwrite-the-threshold-value.patch new file mode 100644 index 00000000000..c56e76b33a5 --- /dev/null +++ b/queue-4.16/crypto-inside-secure-do-not-overwrite-the-threshold-value.patch @@ -0,0 +1,40 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Antoine Tenart +Date: Tue, 13 Feb 2018 09:26:51 +0100 +Subject: crypto: inside-secure - do not overwrite the threshold value + +From: Antoine Tenart + +[ Upstream commit e1d24c0bb76648cdf789b168defb6e31adb0b1b1 ] + +This patch fixes the Inside Secure SafeXcel driver not to overwrite the +interrupt threshold value. In certain cases the value of this register, +which controls when to fire an interrupt, was overwritten. This lead to +packet not being processed or acked as the driver never was aware of +their completion. + +This patch fixes this behaviour by not setting the threshold when +requests are being processed by the engine. + +Fixes: dc7e28a3286e ("crypto: inside-secure - dequeue all requests at once") +Suggested-by: Ofer Heifetz +Signed-off-by: Antoine Tenart +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/inside-secure/safexcel.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/crypto/inside-secure/safexcel.c ++++ b/drivers/crypto/inside-secure/safexcel.c +@@ -523,8 +523,7 @@ finalize: + + if (!priv->ring[ring].busy) { + nreq -= safexcel_try_push_requests(priv, ring, nreq); +- if (nreq) +- priv->ring[ring].busy = true; ++ priv->ring[ring].busy = true; + } + + priv->ring[ring].requests_left += nreq; diff --git a/queue-4.16/crypto-inside-secure-do-not-process-request-if-no-command-was-issued.patch b/queue-4.16/crypto-inside-secure-do-not-process-request-if-no-command-was-issued.patch new file mode 100644 index 00000000000..88723230eb8 --- /dev/null +++ b/queue-4.16/crypto-inside-secure-do-not-process-request-if-no-command-was-issued.patch @@ -0,0 +1,41 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Antoine Tenart +Date: Tue, 13 Feb 2018 09:26:54 +0100 +Subject: crypto: inside-secure - do not process request if no command was issued + +From: Antoine Tenart + +[ Upstream commit 95831ceafc0de7d94a5fe86ebb1c2042317cc2cd ] + +This patch adds a check in the SafeXcel dequeue function, to avoid +processing request further if no hardware command was issued. This can +happen in certain cases where the ->send() function caches all the data +that would have been send. + +Fixes: 809778e02cd4 ("crypto: inside-secure - fix hash when length is a multiple of a block") +Signed-off-by: Antoine Tenart +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/inside-secure/safexcel.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/crypto/inside-secure/safexcel.c ++++ b/drivers/crypto/inside-secure/safexcel.c +@@ -490,6 +490,15 @@ handle_req: + if (backlog) + backlog->complete(backlog, -EINPROGRESS); + ++ /* In case the send() helper did not issue any command to push ++ * to the engine because the input data was cached, continue to ++ * dequeue other requests as this is valid and not an error. ++ */ ++ if (!commands && !results) { ++ kfree(request); ++ continue; ++ } ++ + spin_lock_bh(&priv->ring[ring].egress_lock); + list_add_tail(&request->list, &priv->ring[ring].list); + spin_unlock_bh(&priv->ring[ring].egress_lock); diff --git a/queue-4.16/crypto-inside-secure-fix-the-cache_len-computation.patch b/queue-4.16/crypto-inside-secure-fix-the-cache_len-computation.patch new file mode 100644 index 00000000000..a447b69a6a7 --- /dev/null +++ b/queue-4.16/crypto-inside-secure-fix-the-cache_len-computation.patch @@ -0,0 +1,34 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Antoine Tenart +Date: Tue, 13 Feb 2018 09:26:53 +0100 +Subject: crypto: inside-secure - fix the cache_len computation + +From: Antoine Tenart + +[ Upstream commit 666a9c70b04fccabde5cea5e680ae1ae92460a62 ] + +This patch fixes the cache length computation as cache_len could end up +being a negative value. The check between the queued size and the +block size is updated to reflect the caching mechanism which can cache +up to a full block size (included!). + +Fixes: 809778e02cd4 ("crypto: inside-secure - fix hash when length is a multiple of a block") +Signed-off-by: Antoine Tenart +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/inside-secure/safexcel_hash.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/crypto/inside-secure/safexcel_hash.c ++++ b/drivers/crypto/inside-secure/safexcel_hash.c +@@ -187,7 +187,7 @@ static int safexcel_ahash_send_req(struc + int i, queued, len, cache_len, extra, n_cdesc = 0, ret = 0; + + queued = len = req->len - req->processed; +- if (queued < crypto_ahash_blocksize(ahash)) ++ if (queued <= crypto_ahash_blocksize(ahash)) + cache_len = queued; + else + cache_len = queued - areq->nbytes; diff --git a/queue-4.16/crypto-inside-secure-fix-the-extra-cache-computation.patch b/queue-4.16/crypto-inside-secure-fix-the-extra-cache-computation.patch new file mode 100644 index 00000000000..27f19f06d6e --- /dev/null +++ b/queue-4.16/crypto-inside-secure-fix-the-extra-cache-computation.patch @@ -0,0 +1,32 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Antoine Tenart +Date: Tue, 13 Feb 2018 09:26:52 +0100 +Subject: crypto: inside-secure - fix the extra cache computation + +From: Antoine Tenart + +[ Upstream commit c1a8fa6e240ed4b99778d48ab790743565cb61c8 ] + +This patch fixes the extra cache computation when the queued data is a +multiple of a block size. This fixes the hash support in some cases. + +Fixes: 809778e02cd4 ("crypto: inside-secure - fix hash when length is a multiple of a block") +Signed-off-by: Antoine Tenart +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/inside-secure/safexcel_hash.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/crypto/inside-secure/safexcel_hash.c ++++ b/drivers/crypto/inside-secure/safexcel_hash.c +@@ -201,7 +201,7 @@ static int safexcel_ahash_send_req(struc + /* If this is not the last request and the queued data + * is a multiple of a block, cache the last one for now. + */ +- extra = queued - crypto_ahash_blocksize(ahash); ++ extra = crypto_ahash_blocksize(ahash); + + if (extra) { + sg_pcopy_to_buffer(areq->src, sg_nents(areq->src), diff --git a/queue-4.16/crypto-inside-secure-fix-the-invalidation-step-during-cra_exit.patch b/queue-4.16/crypto-inside-secure-fix-the-invalidation-step-during-cra_exit.patch new file mode 100644 index 00000000000..9aa0beacfa5 --- /dev/null +++ b/queue-4.16/crypto-inside-secure-fix-the-invalidation-step-during-cra_exit.patch @@ -0,0 +1,62 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Antoine Tenart +Date: Tue, 13 Feb 2018 09:26:55 +0100 +Subject: crypto: inside-secure - fix the invalidation step during cra_exit + +From: Antoine Tenart + +[ Upstream commit b7007dbccd92f7b8c00e590020bee542a48c6a2c ] + +When exiting a transformation, the cra_exit() helper is called in each +driver providing one. The Inside Secure SafeXcel driver has one, which +is responsible of freeing some areas and of sending one invalidation +request to the crypto engine, to invalidate the context that was used +during the transformation. + +We could see in some setups (when lots of transformations were being +used with a short lifetime, and hence lots of cra_exit() calls) NULL +pointer dereferences and other weird issues. All these issues were +coming from accessing the tfm context. + +The issue is the invalidation request completion is checked using a +wait_for_completion_interruptible() call in both the cipher and hash +cra_exit() helpers. In some cases this was interrupted while the +invalidation request wasn't processed yet. And then cra_exit() returned, +and its caller was freeing the tfm instance. Only then the request was +being handled by the SafeXcel driver, which lead to the said issues. + +This patch fixes this by using wait_for_completion() calls in these +specific cases. + +Fixes: 1b44c5a60c13 ("crypto: inside-secure - add SafeXcel EIP197 crypto engine driver") +Signed-off-by: Antoine Tenart +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/inside-secure/safexcel_cipher.c | 2 +- + drivers/crypto/inside-secure/safexcel_hash.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/crypto/inside-secure/safexcel_cipher.c ++++ b/drivers/crypto/inside-secure/safexcel_cipher.c +@@ -456,7 +456,7 @@ static int safexcel_cipher_exit_inv(stru + queue_work(priv->ring[ring].workqueue, + &priv->ring[ring].work_data.work); + +- wait_for_completion_interruptible(&result.completion); ++ wait_for_completion(&result.completion); + + if (result.error) { + dev_warn(priv->dev, +--- a/drivers/crypto/inside-secure/safexcel_hash.c ++++ b/drivers/crypto/inside-secure/safexcel_hash.c +@@ -496,7 +496,7 @@ static int safexcel_ahash_exit_inv(struc + queue_work(priv->ring[ring].workqueue, + &priv->ring[ring].work_data.work); + +- wait_for_completion_interruptible(&result.completion); ++ wait_for_completion(&result.completion); + + if (result.error) { + dev_warn(priv->dev, "hash: completion error (%d)\n", diff --git a/queue-4.16/crypto-inside-secure-move-the-digest-to-the-request-context.patch b/queue-4.16/crypto-inside-secure-move-the-digest-to-the-request-context.patch new file mode 100644 index 00000000000..04e152dbe3f --- /dev/null +++ b/queue-4.16/crypto-inside-secure-move-the-digest-to-the-request-context.patch @@ -0,0 +1,161 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Antoine Tenart +Date: Mon, 19 Mar 2018 09:21:13 +0100 +Subject: crypto: inside-secure - move the digest to the request context + +From: Antoine Tenart + +[ Upstream commit b869648c060fbb00bf6578d13cbe83e6f85914bc ] + +This patches moves the digest information from the transformation +context to the request context. This fixes cases where HMAC init +functions were called and override the digest value for a short period +of time, as the HMAC init functions call the SHA init one which reset +the value. This lead to a small percentage of HMAC being incorrectly +computed under heavy load. + +Fixes: 1b44c5a60c13 ("crypto: inside-secure - add SafeXcel EIP197 crypto engine driver") +Suggested-by: Ofer Heifetz +Signed-off-by: Antoine Tenart +[Ofer here did all the work, from seeing the issue to understanding the +root cause. I only made the patch.] +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/inside-secure/safexcel_hash.c | 30 ++++++++++++++++----------- + 1 file changed, 18 insertions(+), 12 deletions(-) + +--- a/drivers/crypto/inside-secure/safexcel_hash.c ++++ b/drivers/crypto/inside-secure/safexcel_hash.c +@@ -21,7 +21,6 @@ struct safexcel_ahash_ctx { + struct safexcel_crypto_priv *priv; + + u32 alg; +- u32 digest; + + u32 ipad[SHA1_DIGEST_SIZE / sizeof(u32)]; + u32 opad[SHA1_DIGEST_SIZE / sizeof(u32)]; +@@ -35,6 +34,8 @@ struct safexcel_ahash_req { + + int nents; + ++ u32 digest; ++ + u8 state_sz; /* expected sate size, only set once */ + u32 state[SHA256_DIGEST_SIZE / sizeof(u32)] __aligned(sizeof(u32)); + +@@ -49,6 +50,8 @@ struct safexcel_ahash_export_state { + u64 len; + u64 processed; + ++ u32 digest; ++ + u32 state[SHA256_DIGEST_SIZE / sizeof(u32)]; + u8 cache[SHA256_BLOCK_SIZE]; + }; +@@ -82,9 +85,9 @@ static void safexcel_context_control(str + + cdesc->control_data.control0 |= CONTEXT_CONTROL_TYPE_HASH_OUT; + cdesc->control_data.control0 |= ctx->alg; +- cdesc->control_data.control0 |= ctx->digest; ++ cdesc->control_data.control0 |= req->digest; + +- if (ctx->digest == CONTEXT_CONTROL_DIGEST_PRECOMPUTED) { ++ if (req->digest == CONTEXT_CONTROL_DIGEST_PRECOMPUTED) { + if (req->processed) { + if (ctx->alg == CONTEXT_CONTROL_CRYPTO_ALG_SHA1) + cdesc->control_data.control0 |= CONTEXT_CONTROL_SIZE(6); +@@ -112,7 +115,7 @@ static void safexcel_context_control(str + if (req->finish) + ctx->base.ctxr->data[i] = cpu_to_le32(req->processed / blocksize); + } +- } else if (ctx->digest == CONTEXT_CONTROL_DIGEST_HMAC) { ++ } else if (req->digest == CONTEXT_CONTROL_DIGEST_HMAC) { + cdesc->control_data.control0 |= CONTEXT_CONTROL_SIZE(10); + + memcpy(ctx->base.ctxr->data, ctx->ipad, digestsize); +@@ -550,7 +553,7 @@ static int safexcel_ahash_enqueue(struct + if (ctx->base.ctxr) { + if (priv->version == EIP197 && + !ctx->base.needs_inv && req->processed && +- ctx->digest == CONTEXT_CONTROL_DIGEST_PRECOMPUTED) ++ req->digest == CONTEXT_CONTROL_DIGEST_PRECOMPUTED) + /* We're still setting needs_inv here, even though it is + * cleared right away, because the needs_inv flag can be + * set in other functions and we want to keep the same +@@ -585,7 +588,6 @@ static int safexcel_ahash_enqueue(struct + + static int safexcel_ahash_update(struct ahash_request *areq) + { +- struct safexcel_ahash_ctx *ctx = crypto_ahash_ctx(crypto_ahash_reqtfm(areq)); + struct safexcel_ahash_req *req = ahash_request_ctx(areq); + struct crypto_ahash *ahash = crypto_ahash_reqtfm(areq); + +@@ -601,7 +603,7 @@ static int safexcel_ahash_update(struct + * We're not doing partial updates when performing an hmac request. + * Everything will be handled by the final() call. + */ +- if (ctx->digest == CONTEXT_CONTROL_DIGEST_HMAC) ++ if (req->digest == CONTEXT_CONTROL_DIGEST_HMAC) + return 0; + + if (req->hmac) +@@ -660,6 +662,8 @@ static int safexcel_ahash_export(struct + export->len = req->len; + export->processed = req->processed; + ++ export->digest = req->digest; ++ + memcpy(export->state, req->state, req->state_sz); + memcpy(export->cache, req->cache, crypto_ahash_blocksize(ahash)); + +@@ -680,6 +684,8 @@ static int safexcel_ahash_import(struct + req->len = export->len; + req->processed = export->processed; + ++ req->digest = export->digest; ++ + memcpy(req->cache, export->cache, crypto_ahash_blocksize(ahash)); + memcpy(req->state, export->state, req->state_sz); + +@@ -716,7 +722,7 @@ static int safexcel_sha1_init(struct aha + req->state[4] = SHA1_H4; + + ctx->alg = CONTEXT_CONTROL_CRYPTO_ALG_SHA1; +- ctx->digest = CONTEXT_CONTROL_DIGEST_PRECOMPUTED; ++ req->digest = CONTEXT_CONTROL_DIGEST_PRECOMPUTED; + req->state_sz = SHA1_DIGEST_SIZE; + + return 0; +@@ -783,10 +789,10 @@ struct safexcel_alg_template safexcel_al + + static int safexcel_hmac_sha1_init(struct ahash_request *areq) + { +- struct safexcel_ahash_ctx *ctx = crypto_ahash_ctx(crypto_ahash_reqtfm(areq)); ++ struct safexcel_ahash_req *req = ahash_request_ctx(areq); + + safexcel_sha1_init(areq); +- ctx->digest = CONTEXT_CONTROL_DIGEST_HMAC; ++ req->digest = CONTEXT_CONTROL_DIGEST_HMAC; + return 0; + } + +@@ -1024,7 +1030,7 @@ static int safexcel_sha256_init(struct a + req->state[7] = SHA256_H7; + + ctx->alg = CONTEXT_CONTROL_CRYPTO_ALG_SHA256; +- ctx->digest = CONTEXT_CONTROL_DIGEST_PRECOMPUTED; ++ req->digest = CONTEXT_CONTROL_DIGEST_PRECOMPUTED; + req->state_sz = SHA256_DIGEST_SIZE; + + return 0; +@@ -1086,7 +1092,7 @@ static int safexcel_sha224_init(struct a + req->state[7] = SHA224_H7; + + ctx->alg = CONTEXT_CONTROL_CRYPTO_ALG_SHA224; +- ctx->digest = CONTEXT_CONTROL_DIGEST_PRECOMPUTED; ++ req->digest = CONTEXT_CONTROL_DIGEST_PRECOMPUTED; + req->state_sz = SHA256_DIGEST_SIZE; + + return 0; diff --git a/queue-4.16/crypto-inside-secure-wait-for-the-request-to-complete-if-in-the-backlog.patch b/queue-4.16/crypto-inside-secure-wait-for-the-request-to-complete-if-in-the-backlog.patch new file mode 100644 index 00000000000..3f0ae525596 --- /dev/null +++ b/queue-4.16/crypto-inside-secure-wait-for-the-request-to-complete-if-in-the-backlog.patch @@ -0,0 +1,34 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Antoine Tenart +Date: Mon, 26 Feb 2018 14:45:12 +0100 +Subject: crypto: inside-secure - wait for the request to complete if in the backlog + +From: Antoine Tenart + +[ Upstream commit 4dc5475ae0375ea4f9283dfd9b2ddc91b20d4c4b ] + +This patch updates the safexcel_hmac_init_pad() function to also wait +for completion when the digest return code is -EBUSY, as it would mean +the request is in the backlog to be processed later. + +Fixes: 1b44c5a60c13 ("crypto: inside-secure - add SafeXcel EIP197 crypto engine driver") +Suggested-by: Ofer Heifetz +Signed-off-by: Antoine Tenart +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/inside-secure/safexcel_hash.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/crypto/inside-secure/safexcel_hash.c ++++ b/drivers/crypto/inside-secure/safexcel_hash.c +@@ -845,7 +845,7 @@ static int safexcel_hmac_init_pad(struct + init_completion(&result.completion); + + ret = crypto_ahash_digest(areq); +- if (ret == -EINPROGRESS) { ++ if (ret == -EINPROGRESS || ret == -EBUSY) { + wait_for_completion_interruptible(&result.completion); + ret = result.error; + } diff --git a/queue-4.16/crypto-sunxi-ss-add-module_alias-to-sun4i-ss.patch b/queue-4.16/crypto-sunxi-ss-add-module_alias-to-sun4i-ss.patch new file mode 100644 index 00000000000..141e5ae78a5 --- /dev/null +++ b/queue-4.16/crypto-sunxi-ss-add-module_alias-to-sun4i-ss.patch @@ -0,0 +1,31 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Peter Robinson +Date: Sun, 11 Feb 2018 23:15:37 +0000 +Subject: crypto: sunxi-ss - Add MODULE_ALIAS to sun4i-ss + +From: Peter Robinson + +[ Upstream commit 7c73cf4cc2ac16465f5102437dc0a12d66671bd6 ] + +The MODULE_ALIAS is required to enable the sun4i-ss driver to load +automatically when built at a module. Tested on a Cubietruck. + +Fixes: 6298e948215f ("crypto: sunxi-ss - Add Allwinner Security System crypto accelerator") +Signed-off-by: Peter Robinson +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/sunxi-ss/sun4i-ss-core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/crypto/sunxi-ss/sun4i-ss-core.c ++++ b/drivers/crypto/sunxi-ss/sun4i-ss-core.c +@@ -451,6 +451,7 @@ static struct platform_driver sun4i_ss_d + + module_platform_driver(sun4i_ss_driver); + ++MODULE_ALIAS("platform:sun4i-ss"); + MODULE_DESCRIPTION("Allwinner Security System cryptographic accelerator"); + MODULE_LICENSE("GPL"); + MODULE_AUTHOR("Corentin LABBE "); diff --git a/queue-4.16/cxgb4-fix-queue-free-path-of-uld-drivers.patch b/queue-4.16/cxgb4-fix-queue-free-path-of-uld-drivers.patch new file mode 100644 index 00000000000..6a83daf1269 --- /dev/null +++ b/queue-4.16/cxgb4-fix-queue-free-path-of-uld-drivers.patch @@ -0,0 +1,36 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Arjun Vynipadath +Date: Thu, 15 Mar 2018 17:34:14 +0530 +Subject: cxgb4: Fix queue free path of ULD drivers + +From: Arjun Vynipadath + +[ Upstream commit d7cb44496a9bb458632cb3c18acb08949c210448 ] + +Setting sge_uld_rxq_info to NULL in free_queues_uld(). +We are referencing sge_uld_rxq_info in cxgb_up(). This +will fix a panic when interface is brought up after a +ULDq creation failure. + +Fixes: 94cdb8bb993a (cxgb4: Add support for dynamic allocation + of resources for ULD) +Signed-off-by: Arjun Vynipadath +Signed-off-by: Casey Leedom +Signed-off-by: Ganesh Goudhar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c +@@ -342,6 +342,7 @@ static void free_queues_uld(struct adapt + { + struct sge_uld_rxq_info *rxq_info = adap->sge.uld_rxq_info[uld_type]; + ++ adap->sge.uld_rxq_info[uld_type] = NULL; + kfree(rxq_info->rspq_id); + kfree(rxq_info->uldrxq); + kfree(rxq_info); diff --git a/queue-4.16/cxgb4-setup-fw-queues-before-registering-netdev.patch b/queue-4.16/cxgb4-setup-fw-queues-before-registering-netdev.patch new file mode 100644 index 00000000000..14268b34f6d --- /dev/null +++ b/queue-4.16/cxgb4-setup-fw-queues-before-registering-netdev.patch @@ -0,0 +1,63 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Arjun Vynipadath +Date: Fri, 23 Mar 2018 15:25:10 +0530 +Subject: cxgb4: Setup FW queues before registering netdev + +From: Arjun Vynipadath + +[ Upstream commit 843bd7db79c861b49e2912d723625f5fa8e94502 ] + +When NetworkManager is enabled, there are chances that interface up +is called even before probe completes. This means we have not yet +allocated the FW sge queues, hence rest of ingress queue allocation +wont be proper. Fix this by calling setup_fw_sge_queues() before +register_netdev(). + +Fixes: 0fbc81b3ad51 ('chcr/cxgb4i/cxgbit/RDMA/cxgb4: Allocate resources dynamically for all cxgb4 ULD's') +Signed-off-by: Arjun Vynipadath +Signed-off-by: Casey Leedom +Signed-off-by: Ganesh Goudar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c +@@ -833,8 +833,6 @@ static int setup_fw_sge_queues(struct ad + + err = t4_sge_alloc_rxq(adap, &s->fw_evtq, true, adap->port[0], + adap->msi_idx, NULL, fwevtq_handler, NULL, -1); +- if (err) +- t4_free_sge_resources(adap); + return err; + } + +@@ -5474,6 +5472,13 @@ static int init_one(struct pci_dev *pdev + if (err) + goto out_free_dev; + ++ err = setup_fw_sge_queues(adapter); ++ if (err) { ++ dev_err(adapter->pdev_dev, ++ "FW sge queue allocation failed, err %d", err); ++ goto out_free_dev; ++ } ++ + /* + * The card is now ready to go. If any errors occur during device + * registration we do not fail the whole card but rather proceed only +@@ -5522,10 +5527,10 @@ static int init_one(struct pci_dev *pdev + cxgb4_ptp_init(adapter); + + print_adapter_info(adapter); +- setup_fw_sge_queues(adapter); + return 0; + + out_free_dev: ++ t4_free_sge_resources(adapter); + free_some_resources(adapter); + if (adapter->flags & USING_MSIX) + free_msix_info(adapter); diff --git a/queue-4.16/cxl-check-if-psl-data-cache-is-available-before-issue-flush-request.patch b/queue-4.16/cxl-check-if-psl-data-cache-is-available-before-issue-flush-request.patch new file mode 100644 index 00000000000..f1dea7cf98b --- /dev/null +++ b/queue-4.16/cxl-check-if-psl-data-cache-is-available-before-issue-flush-request.patch @@ -0,0 +1,127 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Vaibhav Jain +Date: Thu, 15 Feb 2018 21:19:24 +0530 +Subject: cxl: Check if PSL data-cache is available before issue flush request + +From: Vaibhav Jain + +[ Upstream commit 94322ed8e857e3b2a33cf75118051af9baaa110f ] + +PSL9D doesn't have a data-cache that needs to be flushed before +resetting the card. However when cxl tries to flush data-cache on such +a card, it times-out as PSL_Control register never indicates flush +operation complete due to missing data-cache. This is usually +indicated in the kernel logs with this message: + +"WARNING: cache flush timed out" + +To fix this the patch checks PSL_Debug register CDC-Field(BIT:27) +which indicates the absence of a data-cache and sets a flag +'no_data_cache' in 'struct cxl_native' to indicate this. When +cxl_data_cache_flush() is called it checks the flag and if set bails +out early without requesting a data-cache flush operation to the PSL. + +Signed-off-by: Vaibhav Jain +Acked-by: Andrew Donnellan +Acked-by: Frederic Barrat +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/cxl/cxl.h | 4 ++++ + drivers/misc/cxl/native.c | 11 ++++++++++- + drivers/misc/cxl/pci.c | 19 +++++++++++++------ + 3 files changed, 27 insertions(+), 7 deletions(-) + +--- a/drivers/misc/cxl/cxl.h ++++ b/drivers/misc/cxl/cxl.h +@@ -369,6 +369,9 @@ static const cxl_p2n_reg_t CXL_PSL_WED_A + #define CXL_PSL_TFC_An_AE (1ull << (63-30)) /* Restart PSL with address error */ + #define CXL_PSL_TFC_An_R (1ull << (63-31)) /* Restart PSL transaction */ + ++/****** CXL_PSL_DEBUG *****************************************************/ ++#define CXL_PSL_DEBUG_CDC (1ull << (63-27)) /* Coherent Data cache support */ ++ + /****** CXL_XSL9_IERAT_ERAT - CAIA 2 **********************************/ + #define CXL_XSL9_IERAT_MLPID (1ull << (63-0)) /* Match LPID */ + #define CXL_XSL9_IERAT_MPID (1ull << (63-1)) /* Match PID */ +@@ -669,6 +672,7 @@ struct cxl_native { + irq_hw_number_t err_hwirq; + unsigned int err_virq; + u64 ps_off; ++ bool no_data_cache; /* set if no data cache on the card */ + const struct cxl_service_layer_ops *sl_ops; + }; + +--- a/drivers/misc/cxl/native.c ++++ b/drivers/misc/cxl/native.c +@@ -353,8 +353,17 @@ int cxl_data_cache_flush(struct cxl *ada + u64 reg; + unsigned long timeout = jiffies + (HZ * CXL_TIMEOUT); + +- pr_devel("Flushing data cache\n"); ++ /* ++ * Do a datacache flush only if datacache is available. ++ * In case of PSL9D datacache absent hence flush operation. ++ * would timeout. ++ */ ++ if (adapter->native->no_data_cache) { ++ pr_devel("No PSL data cache. Ignoring cache flush req.\n"); ++ return 0; ++ } + ++ pr_devel("Flushing data cache\n"); + reg = cxl_p1_read(adapter, CXL_PSL_Control); + reg |= CXL_PSL_Control_Fr; + cxl_p1_write(adapter, CXL_PSL_Control, reg); +--- a/drivers/misc/cxl/pci.c ++++ b/drivers/misc/cxl/pci.c +@@ -456,6 +456,7 @@ static int init_implementation_adapter_r + u64 chipid; + u32 phb_index; + u64 capp_unit_id; ++ u64 psl_debug; + int rc; + + rc = cxl_calc_capp_routing(dev, &chipid, &phb_index, &capp_unit_id); +@@ -506,6 +507,16 @@ static int init_implementation_adapter_r + } else + cxl_p1_write(adapter, CXL_PSL9_DEBUG, 0x4000000000000000ULL); + ++ /* ++ * Check if PSL has data-cache. We need to flush adapter datacache ++ * when as its about to be removed. ++ */ ++ psl_debug = cxl_p1_read(adapter, CXL_PSL9_DEBUG); ++ if (psl_debug & CXL_PSL_DEBUG_CDC) { ++ dev_dbg(&dev->dev, "No data-cache present\n"); ++ adapter->native->no_data_cache = true; ++ } ++ + return 0; + } + +@@ -1449,10 +1460,8 @@ int cxl_pci_reset(struct cxl *adapter) + + /* + * The adapter is about to be reset, so ignore errors. +- * Not supported on P9 DD1 + */ +- if ((cxl_is_power8()) || (!(cxl_is_power9_dd1()))) +- cxl_data_cache_flush(adapter); ++ cxl_data_cache_flush(adapter); + + /* pcie_warm_reset requests a fundamental pci reset which includes a + * PERST assert/deassert. PERST triggers a loading of the image +@@ -1936,10 +1945,8 @@ static void cxl_pci_remove_adapter(struc + + /* + * Flush adapter datacache as its about to be removed. +- * Not supported on P9 DD1. + */ +- if ((cxl_is_power8()) || (!(cxl_is_power9_dd1()))) +- cxl_data_cache_flush(adapter); ++ cxl_data_cache_flush(adapter); + + cxl_deconfigure_adapter(adapter); + diff --git a/queue-4.16/dccp-initialize-ireq-ir_mark.patch b/queue-4.16/dccp-initialize-ireq-ir_mark.patch new file mode 100644 index 00000000000..9734fc3160f --- /dev/null +++ b/queue-4.16/dccp-initialize-ireq-ir_mark.patch @@ -0,0 +1,154 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Eric Dumazet +Date: Sat, 7 Apr 2018 13:42:41 -0700 +Subject: dccp: initialize ireq->ir_mark + +From: Eric Dumazet + +[ Upstream commit b855ff827476adbdc2259e9895681d82b7b26065 ] + +syzbot reported an uninit-value read of skb->mark in iptable_mangle_hook() + +Thanks to the nice report, I tracked the problem to dccp not caring +of ireq->ir_mark for passive sessions. + +BUG: KMSAN: uninit-value in ipt_mangle_out net/ipv4/netfilter/iptable_mangle.c:66 [inline] +BUG: KMSAN: uninit-value in iptable_mangle_hook+0x5e5/0x720 net/ipv4/netfilter/iptable_mangle.c:84 +CPU: 0 PID: 5300 Comm: syz-executor3 Not tainted 4.16.0+ #81 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:17 [inline] + dump_stack+0x185/0x1d0 lib/dump_stack.c:53 + kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067 + __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676 + ipt_mangle_out net/ipv4/netfilter/iptable_mangle.c:66 [inline] + iptable_mangle_hook+0x5e5/0x720 net/ipv4/netfilter/iptable_mangle.c:84 + nf_hook_entry_hookfn include/linux/netfilter.h:120 [inline] + nf_hook_slow+0x158/0x3d0 net/netfilter/core.c:483 + nf_hook include/linux/netfilter.h:243 [inline] + __ip_local_out net/ipv4/ip_output.c:113 [inline] + ip_local_out net/ipv4/ip_output.c:122 [inline] + ip_queue_xmit+0x1d21/0x21c0 net/ipv4/ip_output.c:504 + dccp_transmit_skb+0x15eb/0x1900 net/dccp/output.c:142 + dccp_xmit_packet+0x814/0x9e0 net/dccp/output.c:281 + dccp_write_xmit+0x20f/0x480 net/dccp/output.c:363 + dccp_sendmsg+0x12ca/0x12d0 net/dccp/proto.c:818 + inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764 + sock_sendmsg_nosec net/socket.c:630 [inline] + sock_sendmsg net/socket.c:640 [inline] + ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046 + __sys_sendmsg net/socket.c:2080 [inline] + SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091 + SyS_sendmsg+0x54/0x80 net/socket.c:2087 + do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 +RIP: 0033:0x455259 +RSP: 002b:00007f1a4473dc68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 00007f1a4473e6d4 RCX: 0000000000455259 +RDX: 0000000000000000 RSI: 0000000020b76fc8 RDI: 0000000000000015 +RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff +R13: 00000000000004f0 R14: 00000000006fa720 R15: 0000000000000000 + +Uninit was stored to memory at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline] + kmsan_save_stack mm/kmsan/kmsan.c:293 [inline] + kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684 + __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521 + ip_queue_xmit+0x1e35/0x21c0 net/ipv4/ip_output.c:502 + dccp_transmit_skb+0x15eb/0x1900 net/dccp/output.c:142 + dccp_xmit_packet+0x814/0x9e0 net/dccp/output.c:281 + dccp_write_xmit+0x20f/0x480 net/dccp/output.c:363 + dccp_sendmsg+0x12ca/0x12d0 net/dccp/proto.c:818 + inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764 + sock_sendmsg_nosec net/socket.c:630 [inline] + sock_sendmsg net/socket.c:640 [inline] + ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046 + __sys_sendmsg net/socket.c:2080 [inline] + SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091 + SyS_sendmsg+0x54/0x80 net/socket.c:2087 + do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 +Uninit was stored to memory at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline] + kmsan_save_stack mm/kmsan/kmsan.c:293 [inline] + kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684 + __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521 + inet_csk_clone_lock+0x503/0x580 net/ipv4/inet_connection_sock.c:797 + dccp_create_openreq_child+0x7f/0x890 net/dccp/minisocks.c:92 + dccp_v4_request_recv_sock+0x22c/0xe90 net/dccp/ipv4.c:408 + dccp_v6_request_recv_sock+0x290/0x2000 net/dccp/ipv6.c:414 + dccp_check_req+0x7b9/0x8f0 net/dccp/minisocks.c:197 + dccp_v4_rcv+0x12e4/0x2630 net/dccp/ipv4.c:840 + ip_local_deliver_finish+0x6ed/0xd40 net/ipv4/ip_input.c:216 + NF_HOOK include/linux/netfilter.h:288 [inline] + ip_local_deliver+0x43c/0x4e0 net/ipv4/ip_input.c:257 + dst_input include/net/dst.h:449 [inline] + ip_rcv_finish+0x1253/0x16d0 net/ipv4/ip_input.c:397 + NF_HOOK include/linux/netfilter.h:288 [inline] + ip_rcv+0x119d/0x16f0 net/ipv4/ip_input.c:493 + __netif_receive_skb_core+0x47cf/0x4a80 net/core/dev.c:4562 + __netif_receive_skb net/core/dev.c:4627 [inline] + process_backlog+0x62d/0xe20 net/core/dev.c:5307 + napi_poll net/core/dev.c:5705 [inline] + net_rx_action+0x7c1/0x1a70 net/core/dev.c:5771 + __do_softirq+0x56d/0x93d kernel/softirq.c:285 +Uninit was created at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline] + kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188 + kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314 + kmem_cache_alloc+0xaab/0xb90 mm/slub.c:2756 + reqsk_alloc include/net/request_sock.h:88 [inline] + inet_reqsk_alloc+0xc4/0x7f0 net/ipv4/tcp_input.c:6145 + dccp_v4_conn_request+0x5cc/0x1770 net/dccp/ipv4.c:600 + dccp_v6_conn_request+0x299/0x1880 net/dccp/ipv6.c:317 + dccp_rcv_state_process+0x2ea/0x2410 net/dccp/input.c:612 + dccp_v4_do_rcv+0x229/0x340 net/dccp/ipv4.c:682 + dccp_v6_do_rcv+0x16d/0x1220 net/dccp/ipv6.c:578 + sk_backlog_rcv include/net/sock.h:908 [inline] + __sk_receive_skb+0x60e/0xf20 net/core/sock.c:513 + dccp_v4_rcv+0x24d4/0x2630 net/dccp/ipv4.c:874 + ip_local_deliver_finish+0x6ed/0xd40 net/ipv4/ip_input.c:216 + NF_HOOK include/linux/netfilter.h:288 [inline] + ip_local_deliver+0x43c/0x4e0 net/ipv4/ip_input.c:257 + dst_input include/net/dst.h:449 [inline] + ip_rcv_finish+0x1253/0x16d0 net/ipv4/ip_input.c:397 + NF_HOOK include/linux/netfilter.h:288 [inline] + ip_rcv+0x119d/0x16f0 net/ipv4/ip_input.c:493 + __netif_receive_skb_core+0x47cf/0x4a80 net/core/dev.c:4562 + __netif_receive_skb net/core/dev.c:4627 [inline] + process_backlog+0x62d/0xe20 net/core/dev.c:5307 + napi_poll net/core/dev.c:5705 [inline] + net_rx_action+0x7c1/0x1a70 net/core/dev.c:5771 + __do_softirq+0x56d/0x93d kernel/softirq.c:285 + +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/dccp/ipv4.c | 1 + + net/dccp/ipv6.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/net/dccp/ipv4.c ++++ b/net/dccp/ipv4.c +@@ -614,6 +614,7 @@ int dccp_v4_conn_request(struct sock *sk + ireq = inet_rsk(req); + sk_rcv_saddr_set(req_to_sk(req), ip_hdr(skb)->daddr); + sk_daddr_set(req_to_sk(req), ip_hdr(skb)->saddr); ++ ireq->ir_mark = inet_request_mark(sk, skb); + ireq->ireq_family = AF_INET; + ireq->ir_iif = sk->sk_bound_dev_if; + +--- a/net/dccp/ipv6.c ++++ b/net/dccp/ipv6.c +@@ -351,6 +351,7 @@ static int dccp_v6_conn_request(struct s + ireq->ir_v6_rmt_addr = ipv6_hdr(skb)->saddr; + ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr; + ireq->ireq_family = AF_INET6; ++ ireq->ir_mark = inet_request_mark(sk, skb); + + if (ipv6_opt_accepted(sk, skb, IP6CB(skb)) || + np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo || diff --git a/queue-4.16/dmaengine-pl330-fix-a-race-condition-in-case-of-threaded-irqs.patch b/queue-4.16/dmaengine-pl330-fix-a-race-condition-in-case-of-threaded-irqs.patch new file mode 100644 index 00000000000..b3363b6f111 --- /dev/null +++ b/queue-4.16/dmaengine-pl330-fix-a-race-condition-in-case-of-threaded-irqs.patch @@ -0,0 +1,162 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Qi Hou +Date: Tue, 6 Mar 2018 09:13:37 +0800 +Subject: dmaengine: pl330: fix a race condition in case of threaded irqs + +From: Qi Hou + +[ Upstream commit a3ca831249ca8c4c226e4ceafee04e280152e59d ] + +When booting up with "threadirqs" in command line, all irq handlers of the DMA +controller pl330 will be threaded forcedly. These threads will race for the same +list, pl330->req_done. + +Before the callback, the spinlock was released. And after it, the spinlock was +taken. This opened an race window where another threaded irq handler could steal +the spinlock and be permitted to delete entries of the list, pl330->req_done. + +If the later deleted an entry that was still referred to by the former, there would +be a kernel panic when the former was scheduled and tried to get the next sibling +of the deleted entry. + +The scenario could be depicted as below: + + Thread: T1 pl330->req_done Thread: T2 + | | | + | -A-B-C-D- | + Locked | | + | | Waiting + Del A | | + | -B-C-D- | + Unlocked | | + | | Locked + Waiting | | + | | Del B + | | | + | -C-D- Unlocked + Waiting | | + | + Locked + | + get C via B + \ + - Kernel panic + +The kernel panic looked like as below: + +Unable to handle kernel paging request at virtual address dead000000000108 +pgd = ffffff8008c9e000 +[dead000000000108] *pgd=000000027fffe003, *pud=000000027fffe003, *pmd=0000000000000000 +Internal error: Oops: 96000044 [#1] PREEMPT SMP +Modules linked in: +CPU: 0 PID: 85 Comm: irq/59-66330000 Not tainted 4.8.24-WR9.0.0.12_standard #2 +Hardware name: Broadcom NS2 SVK (DT) +task: ffffffc1f5cc3c00 task.stack: ffffffc1f5ce0000 +PC is at pl330_irq_handler+0x27c/0x390 +LR is at pl330_irq_handler+0x2a8/0x390 +pc : [] lr : [] pstate: 800001c5 +sp : ffffffc1f5ce3d00 +x29: ffffffc1f5ce3d00 x28: 0000000000000140 +x27: ffffffc1f5c530b0 x26: dead000000000100 +x25: dead000000000200 x24: 0000000000418958 +x23: 0000000000000001 x22: ffffffc1f5ccd668 +x21: ffffffc1f5ccd590 x20: ffffffc1f5ccd418 +x19: dead000000000060 x18: 0000000000000001 +x17: 0000000000000007 x16: 0000000000000001 +x15: ffffffffffffffff x14: ffffffffffffffff +x13: ffffffffffffffff x12: 0000000000000000 +x11: 0000000000000001 x10: 0000000000000840 +x9 : ffffffc1f5ce0000 x8 : ffffffc1f5cc3338 +x7 : ffffff8008ce2020 x6 : 0000000000000000 +x5 : 0000000000000000 x4 : 0000000000000001 +x3 : dead000000000200 x2 : dead000000000100 +x1 : 0000000000000140 x0 : ffffffc1f5ccd590 + +Process irq/59-66330000 (pid: 85, stack limit = 0xffffffc1f5ce0020) +Stack: (0xffffffc1f5ce3d00 to 0xffffffc1f5ce4000) +3d00: ffffffc1f5ce3d80 ffffff80080f09d0 ffffffc1f5ca0c00 ffffffc1f6f7c600 +3d20: ffffffc1f5ce0000 ffffffc1f6f7c600 ffffffc1f5ca0c00 ffffff80080f0998 +3d40: ffffffc1f5ce0000 ffffff80080f0000 0000000000000000 0000000000000000 +3d60: ffffff8008ce202c ffffff8008ce2020 ffffffc1f5ccd668 ffffffc1f5c530b0 +3d80: ffffffc1f5ce3db0 ffffff80080f0d70 ffffffc1f5ca0c40 0000000000000001 +3da0: ffffffc1f5ce0000 ffffff80080f0cfc ffffffc1f5ce3e20 ffffff80080bf4f8 +3dc0: ffffffc1f5ca0c80 ffffff8008bf3798 ffffff8008955528 ffffffc1f5ca0c00 +3de0: ffffff80080f0c30 0000000000000000 0000000000000000 0000000000000000 +3e00: 0000000000000000 0000000000000000 0000000000000000 ffffff80080f0b68 +3e20: 0000000000000000 ffffff8008083690 ffffff80080bf420 ffffffc1f5ca0c80 +3e40: 0000000000000000 0000000000000000 0000000000000000 ffffff80080cb648 +3e60: ffffff8008b1c780 0000000000000000 0000000000000000 ffffffc1f5ca0c00 +3e80: ffffffc100000000 ffffff8000000000 ffffffc1f5ce3e90 ffffffc1f5ce3e90 +3ea0: 0000000000000000 ffffff8000000000 ffffffc1f5ce3eb0 ffffffc1f5ce3eb0 +3ec0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +3ee0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +3f00: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +3f20: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +3f40: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +3f60: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +3f80: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +3fa0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +3fc0: 0000000000000000 0000000000000005 0000000000000000 0000000000000000 +3fe0: 0000000000000000 0000000000000000 0000000275ce3ff0 0000000275ce3ff8 +Call trace: +Exception stack(0xffffffc1f5ce3b30 to 0xffffffc1f5ce3c60) +3b20: dead000000000060 0000008000000000 +3b40: ffffffc1f5ce3d00 ffffff80084cb694 0000000000000008 0000000000000e88 +3b60: ffffffc1f5ce3bb0 ffffff80080dac68 ffffffc1f5ce3b90 ffffff8008826fe4 +3b80: 00000000000001c0 00000000000001c0 ffffffc1f5ce3bb0 ffffff800848dfcc +3ba0: 0000000000020000 ffffff8008b15ae4 ffffffc1f5ce3c00 ffffff800808f000 +3bc0: 0000000000000010 ffffff80088377f0 ffffffc1f5ccd590 0000000000000140 +3be0: dead000000000100 dead000000000200 0000000000000001 0000000000000000 +3c00: 0000000000000000 ffffff8008ce2020 ffffffc1f5cc3338 ffffffc1f5ce0000 +3c20: 0000000000000840 0000000000000001 0000000000000000 ffffffffffffffff +3c40: ffffffffffffffff ffffffffffffffff 0000000000000001 0000000000000007 +[] pl330_irq_handler+0x27c/0x390 +[] irq_forced_thread_fn+0x38/0x88 +[] irq_thread+0x140/0x200 +[] kthread+0xd8/0xf0 +[] ret_from_fork+0x10/0x40 +Code: f2a00838 f9405763 aa1c03e1 aa1503e0 (f9000443) +---[ end trace f50005726d31199c ]--- +Kernel panic - not syncing: Fatal exception in interrupt +SMP: stopping secondary CPUs +SMP: failed to stop secondary CPUs 0-1 +Kernel Offset: disabled +Memory Limit: none +---[ end Kernel panic - not syncing: Fatal exception in interrupt + +To fix this, re-start with the list-head after dropping the lock then +re-takeing it. + +Reviewed-by: Frank Mori Hess +Tested-by: Frank Mori Hess +Signed-off-by: Qi Hou +Signed-off-by: Vinod Koul + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/pl330.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/dma/pl330.c ++++ b/drivers/dma/pl330.c +@@ -1510,7 +1510,7 @@ static void pl330_dotask(unsigned long d + /* Returns 1 if state was updated, 0 otherwise */ + static int pl330_update(struct pl330_dmac *pl330) + { +- struct dma_pl330_desc *descdone, *tmp; ++ struct dma_pl330_desc *descdone; + unsigned long flags; + void __iomem *regs; + u32 val; +@@ -1588,7 +1588,9 @@ static int pl330_update(struct pl330_dma + } + + /* Now that we are in no hurry, do the callbacks */ +- list_for_each_entry_safe(descdone, tmp, &pl330->req_done, rqd) { ++ while (!list_empty(&pl330->req_done)) { ++ descdone = list_first_entry(&pl330->req_done, ++ struct dma_pl330_desc, rqd); + list_del(&descdone->rqd); + spin_unlock_irqrestore(&pl330->lock, flags); + dma_pl330_rqcb(descdone, PL330_ERR_NONE); diff --git a/queue-4.16/dmaengine-qcom-bam_dma-get-num-channels-and-num-ees-from-dt.patch b/queue-4.16/dmaengine-qcom-bam_dma-get-num-channels-and-num-ees-from-dt.patch new file mode 100644 index 00000000000..b6ae5367904 --- /dev/null +++ b/queue-4.16/dmaengine-qcom-bam_dma-get-num-channels-and-num-ees-from-dt.patch @@ -0,0 +1,79 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Srinivas Kandagatla +Date: Thu, 15 Feb 2018 12:25:09 +0000 +Subject: dmaengine: qcom: bam_dma: get num-channels and num-ees from dt + +From: Srinivas Kandagatla + +[ Upstream commit 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 ] + +When Linux is master of BAM, it can directly read registers to know number +of supported channels, however when its remotely controlled reading these +registers would trigger a crash if the BAM is not yet initialized or +powered up on the remote side. + +This patch allows driver to read num-channels and num-ees from Device Tree +for remotely controlled BAM. + +Signed-off-by: Srinivas Kandagatla +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/qcom/bam_dma.c | 27 ++++++++++++++++++++++----- + 1 file changed, 22 insertions(+), 5 deletions(-) + +--- a/drivers/dma/qcom/bam_dma.c ++++ b/drivers/dma/qcom/bam_dma.c +@@ -393,6 +393,7 @@ struct bam_device { + struct device_dma_parameters dma_parms; + struct bam_chan *channels; + u32 num_channels; ++ u32 num_ees; + + /* execution environment ID, from DT */ + u32 ee; +@@ -1128,15 +1129,19 @@ static int bam_init(struct bam_device *b + u32 val; + + /* read revision and configuration information */ +- val = readl_relaxed(bam_addr(bdev, 0, BAM_REVISION)) >> NUM_EES_SHIFT; +- val &= NUM_EES_MASK; ++ if (!bdev->num_ees) { ++ val = readl_relaxed(bam_addr(bdev, 0, BAM_REVISION)); ++ bdev->num_ees = (val >> NUM_EES_SHIFT) & NUM_EES_MASK; ++ } + + /* check that configured EE is within range */ +- if (bdev->ee >= val) ++ if (bdev->ee >= bdev->num_ees) + return -EINVAL; + +- val = readl_relaxed(bam_addr(bdev, 0, BAM_NUM_PIPES)); +- bdev->num_channels = val & BAM_NUM_PIPES_MASK; ++ if (!bdev->num_channels) { ++ val = readl_relaxed(bam_addr(bdev, 0, BAM_NUM_PIPES)); ++ bdev->num_channels = val & BAM_NUM_PIPES_MASK; ++ } + + if (bdev->controlled_remotely) + return 0; +@@ -1232,6 +1237,18 @@ static int bam_dma_probe(struct platform + bdev->controlled_remotely = of_property_read_bool(pdev->dev.of_node, + "qcom,controlled-remotely"); + ++ if (bdev->controlled_remotely) { ++ ret = of_property_read_u32(pdev->dev.of_node, "num-channels", ++ &bdev->num_channels); ++ if (ret) ++ dev_err(bdev->dev, "num-channels unspecified in dt\n"); ++ ++ ret = of_property_read_u32(pdev->dev.of_node, "qcom,num-ees", ++ &bdev->num_ees); ++ if (ret) ++ dev_err(bdev->dev, "num-ees unspecified in dt\n"); ++ } ++ + bdev->bamclk = devm_clk_get(bdev->dev, "bam_clk"); + if (IS_ERR(bdev->bamclk)) + return PTR_ERR(bdev->bamclk); diff --git a/queue-4.16/dmaengine-rcar-dmac-check-the-done-lists-in-rcar_dmac_chan_get_residue.patch b/queue-4.16/dmaengine-rcar-dmac-check-the-done-lists-in-rcar_dmac_chan_get_residue.patch new file mode 100644 index 00000000000..659c1d3c5b9 --- /dev/null +++ b/queue-4.16/dmaengine-rcar-dmac-check-the-done-lists-in-rcar_dmac_chan_get_residue.patch @@ -0,0 +1,54 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Yoshihiro Shimoda +Date: Fri, 2 Feb 2018 19:05:15 +0900 +Subject: dmaengine: rcar-dmac: Check the done lists in rcar_dmac_chan_get_residue() + +From: Yoshihiro Shimoda + +[ Upstream commit 3e081628d510b2ddbe493371d9c574d9275da17e ] + +This patch fixes an issue that a race condition happens between a client +driver and the rcar-dmac driver: + +- The rcar_dmac_isr_transfer_end() is called. + - The done list appears, and desc.running is the next active list. +- rcar_dmac_chan_get_residue() is called by a client driver before + rcar_dmac_isr_channel_thread() is called. + - The rcar_dmac_chan_get_residue() will not find any descriptors. + - And, the following WARNING happens: + WARN(1, "No descriptor for cookie!"); + +The sh-sci driver with HSCIF (921,600bps) on R-Car H3 can cause this +situation. +So, this patch checks the done lists in rcar_dmac_chan_get_residue() +and returns zero if the done lists has the argument cookie. + +Tested-by: Nguyen Viet Dung +Signed-off-by: Yoshihiro Shimoda +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/sh/rcar-dmac.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/dma/sh/rcar-dmac.c ++++ b/drivers/dma/sh/rcar-dmac.c +@@ -1301,8 +1301,17 @@ static unsigned int rcar_dmac_chan_get_r + * If the cookie doesn't correspond to the currently running transfer + * then the descriptor hasn't been processed yet, and the residue is + * equal to the full descriptor size. ++ * Also, a client driver is possible to call this function before ++ * rcar_dmac_isr_channel_thread() runs. In this case, the "desc.running" ++ * will be the next descriptor, and the done list will appear. So, if ++ * the argument cookie matches the done list's cookie, we can assume ++ * the residue is zero. + */ + if (cookie != desc->async_tx.cookie) { ++ list_for_each_entry(desc, &chan->desc.done, node) { ++ if (cookie == desc->async_tx.cookie) ++ return 0; ++ } + list_for_each_entry(desc, &chan->desc.pending, node) { + if (cookie == desc->async_tx.cookie) + return desc->size; diff --git a/queue-4.16/dmaengine-rcar-dmac-fix-too-early-late-system-suspend-resume-callbacks.patch b/queue-4.16/dmaengine-rcar-dmac-fix-too-early-late-system-suspend-resume-callbacks.patch new file mode 100644 index 00000000000..495b75aa1a4 --- /dev/null +++ b/queue-4.16/dmaengine-rcar-dmac-fix-too-early-late-system-suspend-resume-callbacks.patch @@ -0,0 +1,47 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Geert Uytterhoeven +Date: Thu, 29 Mar 2018 18:53:32 +0200 +Subject: dmaengine: rcar-dmac: Fix too early/late system suspend/resume callbacks + +From: Geert Uytterhoeven + +[ Upstream commit 73dcc666d6bd0db56cd556010f93d8f04c1cc70c ] + +If serial console wake-up is enabled ("echo enabled > +/sys/.../ttySC0/power/wakeup"), and any serial input is received while +the system is suspended, serial port input no longer works after system +resume. + +Note that: + 1) The system can still be woken up using the serial console, + 2) Serial port input keeps working if the system is woken up in some + other way (e.g. Wake-on-LAN or gpio-keys), and no serial input was + received while suspended. + +To fix this, replace SET_LATE_SYSTEM_SLEEP_PM_OPS() by +SET_NOIRQ_SYSTEM_SLEEP_PM_OPS(), as the callbacks installed by the +former happen too early resp. late in the suspend resp. resume process. + +Reported-by: RVC test team via Yoshihiro Shimoda +Fixes: 1131b0a4af911de5 ("dmaengine: rcar-dmac: Make DMAC reinit during system resume explicit") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/sh/rcar-dmac.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/dma/sh/rcar-dmac.c ++++ b/drivers/dma/sh/rcar-dmac.c +@@ -1677,8 +1677,8 @@ static const struct dev_pm_ops rcar_dmac + * - Wait for the current transfer to complete and stop the device, + * - Resume transfers, if any. + */ +- SET_LATE_SYSTEM_SLEEP_PM_OPS(pm_runtime_force_suspend, +- pm_runtime_force_resume) ++ SET_NOIRQ_SYSTEM_SLEEP_PM_OPS(pm_runtime_force_suspend, ++ pm_runtime_force_resume) + SET_RUNTIME_PM_OPS(rcar_dmac_runtime_suspend, rcar_dmac_runtime_resume, + NULL) + }; diff --git a/queue-4.16/dp83640-ensure-against-premature-access-to-phy-registers-after-reset.patch b/queue-4.16/dp83640-ensure-against-premature-access-to-phy-registers-after-reset.patch new file mode 100644 index 00000000000..f084eac2bda --- /dev/null +++ b/queue-4.16/dp83640-ensure-against-premature-access-to-phy-registers-after-reset.patch @@ -0,0 +1,56 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Esben Haabendal +Date: Sun, 8 Apr 2018 22:17:01 +0200 +Subject: dp83640: Ensure against premature access to PHY registers after reset + +From: Esben Haabendal + +[ Upstream commit 76327a35caabd1a932e83d6a42b967aa08584e5d ] + +The datasheet specifies a 3uS pause after performing a software +reset. The default implementation of genphy_soft_reset() does not +provide this, so implement soft_reset with the needed pause. + +Signed-off-by: Esben Haabendal +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/dp83640.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +--- a/drivers/net/phy/dp83640.c ++++ b/drivers/net/phy/dp83640.c +@@ -1207,6 +1207,23 @@ static void dp83640_remove(struct phy_de + kfree(dp83640); + } + ++static int dp83640_soft_reset(struct phy_device *phydev) ++{ ++ int ret; ++ ++ ret = genphy_soft_reset(phydev); ++ if (ret < 0) ++ return ret; ++ ++ /* From DP83640 datasheet: "Software driver code must wait 3 us ++ * following a software reset before allowing further serial MII ++ * operations with the DP83640." ++ */ ++ udelay(10); /* Taking udelay inaccuracy into account */ ++ ++ return 0; ++} ++ + static int dp83640_config_init(struct phy_device *phydev) + { + struct dp83640_private *dp83640 = phydev->priv; +@@ -1501,6 +1518,7 @@ static struct phy_driver dp83640_driver + .flags = PHY_HAS_INTERRUPT, + .probe = dp83640_probe, + .remove = dp83640_remove, ++ .soft_reset = dp83640_soft_reset, + .config_init = dp83640_config_init, + .ack_interrupt = dp83640_ack_interrupt, + .config_intr = dp83640_config_intr, diff --git a/queue-4.16/dpaa_eth-fix-pause-capability-advertisement-logic.patch b/queue-4.16/dpaa_eth-fix-pause-capability-advertisement-logic.patch new file mode 100644 index 00000000000..6dbd4c54a21 --- /dev/null +++ b/queue-4.16/dpaa_eth-fix-pause-capability-advertisement-logic.patch @@ -0,0 +1,33 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Jake Moroni +Date: Sun, 18 Feb 2018 15:26:04 -0500 +Subject: dpaa_eth: fix pause capability advertisement logic + +From: Jake Moroni + +[ Upstream commit 3021efb440d02bf5b952b6d151c7ffee9bdd49fe ] + +The ADVERTISED_Asym_Pause bit was being improperly set when both +rx and tx pause were enabled. When rx and tx are both enabled, only +the ADVERTISED_Pause bit is supposed to be set. + +Signed-off-by: Jake Moroni +Acked-by: Madalin Bucur +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c ++++ b/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c +@@ -211,7 +211,7 @@ static int dpaa_set_pauseparam(struct ne + if (epause->rx_pause) + newadv = ADVERTISED_Pause | ADVERTISED_Asym_Pause; + if (epause->tx_pause) +- newadv |= ADVERTISED_Asym_Pause; ++ newadv ^= ADVERTISED_Asym_Pause; + + oldadv = phydev->advertising & + (ADVERTISED_Pause | ADVERTISED_Asym_Pause); diff --git a/queue-4.16/dpaa_eth-fix-sg-mapping.patch b/queue-4.16/dpaa_eth-fix-sg-mapping.patch new file mode 100644 index 00000000000..19f471cbfca --- /dev/null +++ b/queue-4.16/dpaa_eth-fix-sg-mapping.patch @@ -0,0 +1,73 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Madalin Bucur +Date: Mon, 26 Feb 2018 11:24:01 -0600 +Subject: dpaa_eth: fix SG mapping + +From: Madalin Bucur + +[ Upstream commit 120d75ecf043044554abbba8507f6d22e4715beb ] + +An issue in the code mapping the skb fragments into +scatter-gather frames was evidentiated by netperf +TCP_SENDFILE tests. The size was set wrong for all +fragments but the first, affecting the transmission +of any skb with more than one fragment. + +Signed-off-by: Madalin Bucur +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 23 +++++++++++++---------- + 1 file changed, 13 insertions(+), 10 deletions(-) + +--- a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c ++++ b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c +@@ -1916,8 +1916,10 @@ static int skb_to_sg_fd(struct dpaa_priv + goto csum_failed; + } + ++ /* SGT[0] is used by the linear part */ + sgt = (struct qm_sg_entry *)(sgt_buf + priv->tx_headroom); +- qm_sg_entry_set_len(&sgt[0], skb_headlen(skb)); ++ frag_len = skb_headlen(skb); ++ qm_sg_entry_set_len(&sgt[0], frag_len); + sgt[0].bpid = FSL_DPAA_BPID_INV; + sgt[0].offset = 0; + addr = dma_map_single(dev, skb->data, +@@ -1930,9 +1932,9 @@ static int skb_to_sg_fd(struct dpaa_priv + qm_sg_entry_set64(&sgt[0], addr); + + /* populate the rest of SGT entries */ +- frag = &skb_shinfo(skb)->frags[0]; +- frag_len = frag->size; +- for (i = 1; i <= nr_frags; i++, frag++) { ++ for (i = 0; i < nr_frags; i++) { ++ frag = &skb_shinfo(skb)->frags[i]; ++ frag_len = frag->size; + WARN_ON(!skb_frag_page(frag)); + addr = skb_frag_dma_map(dev, frag, 0, + frag_len, dma_dir); +@@ -1942,15 +1944,16 @@ static int skb_to_sg_fd(struct dpaa_priv + goto sg_map_failed; + } + +- qm_sg_entry_set_len(&sgt[i], frag_len); +- sgt[i].bpid = FSL_DPAA_BPID_INV; +- sgt[i].offset = 0; ++ qm_sg_entry_set_len(&sgt[i + 1], frag_len); ++ sgt[i + 1].bpid = FSL_DPAA_BPID_INV; ++ sgt[i + 1].offset = 0; + + /* keep the offset in the address */ +- qm_sg_entry_set64(&sgt[i], addr); +- frag_len = frag->size; ++ qm_sg_entry_set64(&sgt[i + 1], addr); + } +- qm_sg_entry_set_f(&sgt[i - 1], frag_len); ++ ++ /* Set the final bit in the last used entry of the SGT */ ++ qm_sg_entry_set_f(&sgt[nr_frags], frag_len); + + qm_fd_set_sg(fd, priv->tx_headroom, skb->len); + diff --git a/queue-4.16/drivers-macintosh-rack-meter-really-fix-bogus-memsets.patch b/queue-4.16/drivers-macintosh-rack-meter-really-fix-bogus-memsets.patch new file mode 100644 index 00000000000..8169a68f076 --- /dev/null +++ b/queue-4.16/drivers-macintosh-rack-meter-really-fix-bogus-memsets.patch @@ -0,0 +1,40 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Aaro Koskinen +Date: Fri, 16 Mar 2018 22:17:28 +0200 +Subject: drivers: macintosh: rack-meter: really fix bogus memsets + +From: Aaro Koskinen + +[ Upstream commit e283655b5abe26462d53d5196f186c5e8863af3b ] + +We should zero an array using sizeof instead of number of elements. + +Fixes the following compiler (GCC 7.3.0) warnings: + +drivers/macintosh/rack-meter.c: In function 'rackmeter_do_pause': +drivers/macintosh/rack-meter.c:157:2: warning: 'memset' used with length equal to number of elements without multiplication by element size [-Wmemset-elt-size] +drivers/macintosh/rack-meter.c:158:2: warning: 'memset' used with length equal to number of elements without multiplication by element size [-Wmemset-elt-size] + +Fixes: 4f7bef7a9f69 ("drivers: macintosh: rack-meter: fix bogus memsets") +Reported-by: Stephen Rothwell +Signed-off-by: Aaro Koskinen +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/macintosh/rack-meter.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/macintosh/rack-meter.c ++++ b/drivers/macintosh/rack-meter.c +@@ -154,8 +154,8 @@ static void rackmeter_do_pause(struct ra + DBDMA_DO_STOP(rm->dma_regs); + return; + } +- memset(rdma->buf1, 0, ARRAY_SIZE(rdma->buf1)); +- memset(rdma->buf2, 0, ARRAY_SIZE(rdma->buf2)); ++ memset(rdma->buf1, 0, sizeof(rdma->buf1)); ++ memset(rdma->buf2, 0, sizeof(rdma->buf2)); + + rm->dma_buf_v->mark = 0; + diff --git a/queue-4.16/drm-amd-display-set-vsc-pack-revision-when-dpcd-revision-is-1.2.patch b/queue-4.16/drm-amd-display-set-vsc-pack-revision-when-dpcd-revision-is-1.2.patch new file mode 100644 index 00000000000..5271dd85c7d --- /dev/null +++ b/queue-4.16/drm-amd-display-set-vsc-pack-revision-when-dpcd-revision-is-1.2.patch @@ -0,0 +1,45 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Tao +Date: Thu, 8 Feb 2018 16:04:25 -0500 +Subject: drm/amd/display: Set vsc pack revision when DPCD revision is >= 1.2 + +From: Tao + +[ Upstream commit 3b94a4007dcfd4ac5780cd3d8a2d99979c966073 ] + +Brightness couldn't change when booting up in DC mode. +It was because "psr_enabled" flag was not set to true before +setting vsc packet revision, causing packet rev setup was skipped. +Now instead of checking the psr flag, it checks if the DPCD_REV >= 1.2 +and set the vsc packet revision. + +Signed-off-by: Tao +Reviewed-by: Tony Cheng +Acked-by: Harry Wentland +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c +@@ -35,6 +35,7 @@ + #include "core_types.h" + #include "set_mode_types.h" + #include "virtual/virtual_stream_encoder.h" ++#include "dpcd_defs.h" + + #include "dce80/dce80_resource.h" + #include "dce100/dce100_resource.h" +@@ -2428,7 +2429,8 @@ static void set_vsc_info_packet( + unsigned int vscPacketRevision = 0; + unsigned int i; + +- if (stream->sink->link->psr_enabled) { ++ /*VSC packet set to 2 when DP revision >= 1.2*/ ++ if (stream->sink->link->dpcd_caps.dpcd_rev.raw >= DPCD_REV_12) { + vscPacketRevision = 2; + } + diff --git a/queue-4.16/drm-amdgpu-adjust-timeout-for-ib_ring_tests-v2.patch b/queue-4.16/drm-amdgpu-adjust-timeout-for-ib_ring_tests-v2.patch new file mode 100644 index 00000000000..53d47aeebba --- /dev/null +++ b/queue-4.16/drm-amdgpu-adjust-timeout-for-ib_ring_tests-v2.patch @@ -0,0 +1,85 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Monk Liu +Date: Tue, 23 Jan 2018 18:26:20 +0800 +Subject: drm/amdgpu: adjust timeout for ib_ring_tests(v2) + +From: Monk Liu + +[ Upstream commit dbf797655a43c6318ebb90b899e6583fcadc6472 ] + +issue: +sometime GFX/MM ib test hit timeout under SRIOV env, root cause +is that engine doesn't come back soon enough so the current +IB test considered as timed out. + +fix: +for SRIOV GFX IB test wait time need to be expanded a lot during +SRIOV runtimei mode since it couldn't really begin before GFX engine +come back. + +for SRIOV MM IB test it always need more time since MM scheduling +is not go together with GFX engine, it is controled by h/w MM +scheduler so no matter runtime or exclusive mode MM IB test +always need more time. + +v2: +use ring type instead of idx to judge + +Signed-off-by: Monk Liu +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c | 33 ++++++++++++++++++++++++++++++++- + 1 file changed, 32 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c +@@ -321,14 +321,45 @@ int amdgpu_ib_ring_tests(struct amdgpu_d + { + unsigned i; + int r, ret = 0; ++ long tmo_gfx, tmo_mm; ++ ++ tmo_mm = tmo_gfx = AMDGPU_IB_TEST_TIMEOUT; ++ if (amdgpu_sriov_vf(adev)) { ++ /* for MM engines in hypervisor side they are not scheduled together ++ * with CP and SDMA engines, so even in exclusive mode MM engine could ++ * still running on other VF thus the IB TEST TIMEOUT for MM engines ++ * under SR-IOV should be set to a long time. 8 sec should be enough ++ * for the MM comes back to this VF. ++ */ ++ tmo_mm = 8 * AMDGPU_IB_TEST_TIMEOUT; ++ } ++ ++ if (amdgpu_sriov_runtime(adev)) { ++ /* for CP & SDMA engines since they are scheduled together so ++ * need to make the timeout width enough to cover the time ++ * cost waiting for it coming back under RUNTIME only ++ */ ++ tmo_gfx = 8 * AMDGPU_IB_TEST_TIMEOUT; ++ } + + for (i = 0; i < AMDGPU_MAX_RINGS; ++i) { + struct amdgpu_ring *ring = adev->rings[i]; ++ long tmo; + + if (!ring || !ring->ready) + continue; + +- r = amdgpu_ring_test_ib(ring, AMDGPU_IB_TEST_TIMEOUT); ++ /* MM engine need more time */ ++ if (ring->funcs->type == AMDGPU_RING_TYPE_UVD || ++ ring->funcs->type == AMDGPU_RING_TYPE_VCE || ++ ring->funcs->type == AMDGPU_RING_TYPE_UVD_ENC || ++ ring->funcs->type == AMDGPU_RING_TYPE_VCN_DEC || ++ ring->funcs->type == AMDGPU_RING_TYPE_VCN_ENC) ++ tmo = tmo_mm; ++ else ++ tmo = tmo_gfx; ++ ++ r = amdgpu_ring_test_ib(ring, tmo); + if (r) { + ring->ready = false; + diff --git a/queue-4.16/drm-amdgpu-clean-sdma-wptr-register-when-only-enable-wptr-polling.patch b/queue-4.16/drm-amdgpu-clean-sdma-wptr-register-when-only-enable-wptr-polling.patch new file mode 100644 index 00000000000..de9a7c54447 --- /dev/null +++ b/queue-4.16/drm-amdgpu-clean-sdma-wptr-register-when-only-enable-wptr-polling.patch @@ -0,0 +1,48 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Emily Deng +Date: Wed, 7 Mar 2018 09:47:43 +0800 +Subject: drm/amdgpu: Clean sdma wptr register when only enable wptr polling + +From: Emily Deng + +[ Upstream commit 4062119b9d958df33bcda703dc3ac646908fa861 ] + +The sdma wptr polling memory is not fast enough, then the sdma +wptr register will be random, and not equal to sdma rptr, which +will cause sdma engine hang when load driver, so clean up the sdma +wptr directly to fix this issue. + +v2:add comment above the code and correct coding style + +Reviewed-by: Xiangliang Yu +Reviewed-by: Christian König +Signed-off-by: Emily Deng +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/sdma_v3_0.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/sdma_v3_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v3_0.c +@@ -719,14 +719,17 @@ static int sdma_v3_0_gfx_resume(struct a + WREG32(mmSDMA0_GFX_RB_WPTR_POLL_ADDR_HI + sdma_offsets[i], + upper_32_bits(wptr_gpu_addr)); + wptr_poll_cntl = RREG32(mmSDMA0_GFX_RB_WPTR_POLL_CNTL + sdma_offsets[i]); +- if (ring->use_pollmem) ++ if (ring->use_pollmem) { ++ /*wptr polling is not enogh fast, directly clean the wptr register */ ++ WREG32(mmSDMA0_GFX_RB_WPTR + sdma_offsets[i], 0); + wptr_poll_cntl = REG_SET_FIELD(wptr_poll_cntl, + SDMA0_GFX_RB_WPTR_POLL_CNTL, + ENABLE, 1); +- else ++ } else { + wptr_poll_cntl = REG_SET_FIELD(wptr_poll_cntl, + SDMA0_GFX_RB_WPTR_POLL_CNTL, + ENABLE, 0); ++ } + WREG32(mmSDMA0_GFX_RB_WPTR_POLL_CNTL + sdma_offsets[i], wptr_poll_cntl); + + /* enable DMA RB */ diff --git a/queue-4.16/drm-amdgpu-disable-gfx-ring-and-disable-pq-wptr-in-hw_fini.patch b/queue-4.16/drm-amdgpu-disable-gfx-ring-and-disable-pq-wptr-in-hw_fini.patch new file mode 100644 index 00000000000..3edd6be9df2 --- /dev/null +++ b/queue-4.16/drm-amdgpu-disable-gfx-ring-and-disable-pq-wptr-in-hw_fini.patch @@ -0,0 +1,44 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Monk Liu +Date: Mon, 29 Jan 2018 19:24:32 +0800 +Subject: drm/amdgpu: disable GFX ring and disable PQ wptr in hw_fini + +From: Monk Liu + +[ Upstream commit 9f0178fb67699992d38601cb923b434f9986dd68 ] + +otherwise there will be DMAR reading error comes out from CP since +GFX is still alive and CPC's WPTR_POLL is still enabled, which would +lead to DMAR read error. + +fix: +we can hault CPG after hw_fini, but cannot halt CPC becaues KIQ +stil need to be alive to let RLCV invoke, but its WPTR_POLL could +be disabled. + +Signed-off-by: Monk Liu +Acked-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c +@@ -2954,7 +2954,13 @@ static int gfx_v9_0_hw_fini(void *handle + gfx_v9_0_kcq_disable(&adev->gfx.kiq.ring, &adev->gfx.compute_ring[i]); + + if (amdgpu_sriov_vf(adev)) { +- pr_debug("For SRIOV client, shouldn't do anything.\n"); ++ gfx_v9_0_cp_gfx_enable(adev, false); ++ /* must disable polling for SRIOV when hw finished, otherwise ++ * CPC engine may still keep fetching WB address which is already ++ * invalid after sw finished and trigger DMAR reading error in ++ * hypervisor side. ++ */ ++ WREG32_FIELD15(GC, 0, CP_PQ_WPTR_POLL_CNTL, EN, 0); + return 0; + } + gfx_v9_0_cp_enable(adev, false); diff --git a/queue-4.16/drm-amdkfd-add-missing-include-of-mm.h.patch b/queue-4.16/drm-amdkfd-add-missing-include-of-mm.h.patch new file mode 100644 index 00000000000..e8697d94c2d --- /dev/null +++ b/queue-4.16/drm-amdkfd-add-missing-include-of-mm.h.patch @@ -0,0 +1,28 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Oded Gabbay +Date: Thu, 15 Mar 2018 10:08:35 +0200 +Subject: drm/amdkfd: add missing include of mm.h + +From: Oded Gabbay + +[ Upstream commit 7420f482ea5163bf6dae39a5c7628d5397cd6307 ] + +This patch fixes kernel build in ARCH=frv + +Signed-off-by: Oded Gabbay +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h +@@ -26,6 +26,7 @@ + #define AMDGPU_AMDKFD_H_INCLUDED + + #include ++#include + #include + #include + diff --git a/queue-4.16/drm-bridge-sii902x-retry-status-read-after-ddi-i2c.patch b/queue-4.16/drm-bridge-sii902x-retry-status-read-after-ddi-i2c.patch new file mode 100644 index 00000000000..d0492c313fd --- /dev/null +++ b/queue-4.16/drm-bridge-sii902x-retry-status-read-after-ddi-i2c.patch @@ -0,0 +1,95 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Linus Walleij +Date: Mon, 5 Mar 2018 11:17:02 +0100 +Subject: drm/bridge: sii902x: Retry status read after DDI I2C + +From: Linus Walleij + +[ Upstream commit 2e7a66a8b5ebf1b04a866e5d7c981640f7f62934 ] + +The following happens when connection a DVI output driven +from the SiI9022 using a DVI-to-VGA adapter plug: + +i2c i2c-0: sendbytes: NAK bailout. +i2c i2c-0: sendbytes: NAK bailout. + +Then no picture. Apparently the I2C engine inside the SiI9022 +is not smart enough to try to fall back to DDC I2C. Or the +vendor have not integrated the electronics properly. I don't +know which one it is. + +After this, the I2C bus seems stalled and the first attempt to +read the status register fails, and the code returns with +negative return value, and the display fails to initialized. + +Instead, retry status readout five times and continue even +if this fails. + +Tested on the ARM Versatile Express with a DVI-to-VGA +connector, it now gives picture. + +Introduce a helper struct device *dev variable to make +the code more readable. + +Cc: Ville Syrjälä +Reviewed-by: Liviu Dudau +Signed-off-by: Linus Walleij +Link: https://patchwork.freedesktop.org/patch/msgid/20180305101702.13441-1-linus.walleij@linaro.org +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/bridge/sii902x.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/bridge/sii902x.c ++++ b/drivers/gpu/drm/bridge/sii902x.c +@@ -137,7 +137,9 @@ static int sii902x_get_modes(struct drm_ + struct sii902x *sii902x = connector_to_sii902x(connector); + struct regmap *regmap = sii902x->regmap; + u32 bus_format = MEDIA_BUS_FMT_RGB888_1X24; ++ struct device *dev = &sii902x->i2c->dev; + unsigned long timeout; ++ unsigned int retries; + unsigned int status; + struct edid *edid; + int num = 0; +@@ -159,7 +161,7 @@ static int sii902x_get_modes(struct drm_ + time_before(jiffies, timeout)); + + if (!(status & SII902X_SYS_CTRL_DDC_BUS_GRTD)) { +- dev_err(&sii902x->i2c->dev, "failed to acquire the i2c bus\n"); ++ dev_err(dev, "failed to acquire the i2c bus\n"); + return -ETIMEDOUT; + } + +@@ -179,9 +181,19 @@ static int sii902x_get_modes(struct drm_ + if (ret) + return ret; + +- ret = regmap_read(regmap, SII902X_SYS_CTRL_DATA, &status); ++ /* ++ * Sometimes the I2C bus can stall after failure to use the ++ * EDID channel. Retry a few times to see if things clear ++ * up, else continue anyway. ++ */ ++ retries = 5; ++ do { ++ ret = regmap_read(regmap, SII902X_SYS_CTRL_DATA, ++ &status); ++ retries--; ++ } while (ret && retries); + if (ret) +- return ret; ++ dev_err(dev, "failed to read status (%d)\n", ret); + + ret = regmap_update_bits(regmap, SII902X_SYS_CTRL_DATA, + SII902X_SYS_CTRL_DDC_BUS_REQ | +@@ -201,7 +213,7 @@ static int sii902x_get_modes(struct drm_ + + if (status & (SII902X_SYS_CTRL_DDC_BUS_REQ | + SII902X_SYS_CTRL_DDC_BUS_GRTD)) { +- dev_err(&sii902x->i2c->dev, "failed to release the i2c bus\n"); ++ dev_err(dev, "failed to release the i2c bus\n"); + return -ETIMEDOUT; + } + diff --git a/queue-4.16/drm-meson-fix-an-un-handled-error-path-in-meson_drv_bind_master.patch b/queue-4.16/drm-meson-fix-an-un-handled-error-path-in-meson_drv_bind_master.patch new file mode 100644 index 00000000000..b9327f130d4 --- /dev/null +++ b/queue-4.16/drm-meson-fix-an-un-handled-error-path-in-meson_drv_bind_master.patch @@ -0,0 +1,36 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Christophe JAILLET +Date: Mon, 12 Mar 2018 21:15:08 +0100 +Subject: drm/meson: Fix an un-handled error path in 'meson_drv_bind_master()' + +From: Christophe JAILLET + +[ Upstream commit e770f6bf18182bc3af6ceec30189b6c323cbc157 ] + +'drm_vblank_init()' can fail. So handle this (unlikely) error. + +Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller") +Signed-off-by: Christophe JAILLET +Acked-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/6cbf3d70ac3904489c7194c895225c4103aebb96.1520885192.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/meson/meson_drv.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/meson/meson_drv.c ++++ b/drivers/gpu/drm/meson/meson_drv.c +@@ -230,7 +230,10 @@ static int meson_drv_bind_master(struct + + priv->vsync_irq = platform_get_irq(pdev, 0); + +- drm_vblank_init(drm, 1); ++ ret = drm_vblank_init(drm, 1); ++ if (ret) ++ goto free_drm; ++ + drm_mode_config_init(drm); + drm->mode_config.max_width = 3840; + drm->mode_config.max_height = 2160; diff --git a/queue-4.16/drm-meson-fix-some-error-handling-paths-in-meson_drv_bind_master.patch b/queue-4.16/drm-meson-fix-some-error-handling-paths-in-meson_drv_bind_master.patch new file mode 100644 index 00000000000..b94909dbba7 --- /dev/null +++ b/queue-4.16/drm-meson-fix-some-error-handling-paths-in-meson_drv_bind_master.patch @@ -0,0 +1,77 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Christophe JAILLET +Date: Mon, 12 Mar 2018 21:15:10 +0100 +Subject: drm/meson: Fix some error handling paths in 'meson_drv_bind_master()' + +From: Christophe JAILLET + +[ Upstream commit 2c18107b9d58972588cd45d89b8f58d0f033c110 ] + +If one of these functions fail, we whould free 'drm', as alreadry done in +the other error handling paths, below and above. + +Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller") +Signed-off-by: Christophe JAILLET +Acked-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/df47e03d36c2cf7bc37ec3105fc47c16555bd946.1520885192.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/meson/meson_drv.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +--- a/drivers/gpu/drm/meson/meson_drv.c ++++ b/drivers/gpu/drm/meson/meson_drv.c +@@ -189,35 +189,43 @@ static int meson_drv_bind_master(struct + + res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "vpu"); + regs = devm_ioremap_resource(dev, res); +- if (IS_ERR(regs)) +- return PTR_ERR(regs); ++ if (IS_ERR(regs)) { ++ ret = PTR_ERR(regs); ++ goto free_drm; ++ } + + priv->io_base = regs; + + res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "hhi"); + /* Simply ioremap since it may be a shared register zone */ + regs = devm_ioremap(dev, res->start, resource_size(res)); +- if (!regs) +- return -EADDRNOTAVAIL; ++ if (!regs) { ++ ret = -EADDRNOTAVAIL; ++ goto free_drm; ++ } + + priv->hhi = devm_regmap_init_mmio(dev, regs, + &meson_regmap_config); + if (IS_ERR(priv->hhi)) { + dev_err(&pdev->dev, "Couldn't create the HHI regmap\n"); +- return PTR_ERR(priv->hhi); ++ ret = PTR_ERR(priv->hhi); ++ goto free_drm; + } + + res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "dmc"); + /* Simply ioremap since it may be a shared register zone */ + regs = devm_ioremap(dev, res->start, resource_size(res)); +- if (!regs) +- return -EADDRNOTAVAIL; ++ if (!regs) { ++ ret = -EADDRNOTAVAIL; ++ goto free_drm; ++ } + + priv->dmc = devm_regmap_init_mmio(dev, regs, + &meson_regmap_config); + if (IS_ERR(priv->dmc)) { + dev_err(&pdev->dev, "Couldn't create the DMC regmap\n"); +- return PTR_ERR(priv->dmc); ++ ret = PTR_ERR(priv->dmc); ++ goto free_drm; + } + + priv->vsync_irq = platform_get_irq(pdev, 0); diff --git a/queue-4.16/drm-omap-add-pclk-setting-case-when-channel-is-dss_wb.patch b/queue-4.16/drm-omap-add-pclk-setting-case-when-channel-is-dss_wb.patch new file mode 100644 index 00000000000..9c3fcc18257 --- /dev/null +++ b/queue-4.16/drm-omap-add-pclk-setting-case-when-channel-is-dss_wb.patch @@ -0,0 +1,34 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Benoit Parrot +Date: Mon, 16 May 2016 16:42:50 -0500 +Subject: drm/omap: Add pclk setting case when channel is DSS_WB + +From: Benoit Parrot + +[ Upstream commit 9deb5ad3c47ead2b3c63e44435e9eff0f6f38835 ] + +In dispc_set_ovl_common() we need to initialize pclk to a valid +value when we use WB in capture mode (i.e. mem_2_mem is false). +Otherwise dispc_ovl_calc_scaling() fails. + +Signed-off-by: Benoit Parrot +Signed-off-by: Tomi Valkeinen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/omapdrm/dss/dispc.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/gpu/drm/omapdrm/dss/dispc.c ++++ b/drivers/gpu/drm/omapdrm/dss/dispc.c +@@ -2489,6 +2489,10 @@ static int dispc_ovl_setup_common(enum o + unsigned long pclk = dispc_plane_pclk_rate(plane); + unsigned long lclk = dispc_plane_lclk_rate(plane); + ++ /* when setting up WB, dispc_plane_pclk_rate() returns 0 */ ++ if (plane == OMAP_DSS_WB) ++ pclk = vm->pixelclock; ++ + if (paddr == 0 && rotation_type != OMAP_DSS_ROT_TILER) + return -EINVAL; + diff --git a/queue-4.16/drm-omapdrm-dss-move-initialization-code-from-component-bind-to-probe.patch b/queue-4.16/drm-omapdrm-dss-move-initialization-code-from-component-bind-to-probe.patch new file mode 100644 index 00000000000..d5777cdb38b --- /dev/null +++ b/queue-4.16/drm-omapdrm-dss-move-initialization-code-from-component-bind-to-probe.patch @@ -0,0 +1,311 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Laurent Pinchart +Date: Sun, 11 Feb 2018 15:07:44 +0200 +Subject: drm: omapdrm: dss: Move initialization code from component bind to probe + +From: Laurent Pinchart + +[ Upstream commit 215003b4ae1d47035092fef73b6a22aa82037091 ] + +There's no reason to delay initialization of most of the driver (such as +mapping memory I/O, getting clocks or enabling runtime PM) to the +component master bind handler. + +This additionally fixes a real PM issue caused enabling runtime PM in +the bind handler. + +The bind handler performs the following sequence of PM operations: + + pm_runtime_enable(dev); + pm_runtime_get_sync(dev); + + ... (access the hardware to read the device revision) ... + + pm_runtime_put_sync(dev); + +If a failure occurs at this point, the error path calls +pm_runtime_disable() to balance the pm_runtime_enable() call. + +To understand the problem, it should be noted that the bind handler is +called when one of the component registers itself, which happens in the +component's probe handler. Furthermore, as the components are children +of the DSS, the device core calls pm_runtime_get_sync() on the DSS +platform device before calling the component's probe handler. This +increases the DSS power usage count but doesn't runtime resume the +device, as runtime PM is disabled at that point. + +The bind handler is thus called with runtime PM disabled, with the +device runtime suspended, but with the power usage count larger than 0. +The pm_runtime_get_sync() call will thus further increase the power +usage count and runtime resume the device. The pm_runtime_put_sync() +handler will decrease the power usage count to a non-zero value and will +thus not suspend the device. Finally, the pm_runtime_disable() call will +disable runtime PM, preventing the pm_runtime_put() call in the device +core from runtime suspending the device. The DSS device is thus left +powered on. + +To fix this, move the initialization code from the bind handler to the +probe handler. + +Signed-off-by: Laurent Pinchart +Reviewed-by: Sebastian Reichel +Signed-off-by: Tomi Valkeinen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/omapdrm/dss/dss.c | 193 ++++++++++++++++++++------------------ + 1 file changed, 104 insertions(+), 89 deletions(-) + +--- a/drivers/gpu/drm/omapdrm/dss/dss.c ++++ b/drivers/gpu/drm/omapdrm/dss/dss.c +@@ -1300,88 +1300,18 @@ static const struct soc_device_attribute + + static int dss_bind(struct device *dev) + { +- struct platform_device *pdev = to_platform_device(dev); +- struct resource *dss_mem; +- u32 rev; + int r; + +- dss_mem = platform_get_resource(dss.pdev, IORESOURCE_MEM, 0); +- dss.base = devm_ioremap_resource(&pdev->dev, dss_mem); +- if (IS_ERR(dss.base)) +- return PTR_ERR(dss.base); +- +- r = dss_get_clocks(); ++ r = component_bind_all(dev, NULL); + if (r) + return r; + +- r = dss_setup_default_clock(); +- if (r) +- goto err_setup_clocks; +- +- r = dss_video_pll_probe(pdev); +- if (r) +- goto err_pll_init; +- +- r = dss_init_ports(pdev); +- if (r) +- goto err_init_ports; +- +- pm_runtime_enable(&pdev->dev); +- +- r = dss_runtime_get(); +- if (r) +- goto err_runtime_get; +- +- dss.dss_clk_rate = clk_get_rate(dss.dss_clk); +- +- /* Select DPLL */ +- REG_FLD_MOD(DSS_CONTROL, 0, 0, 0); +- +- dss_select_dispc_clk_source(DSS_CLK_SRC_FCK); +- +-#ifdef CONFIG_OMAP2_DSS_VENC +- REG_FLD_MOD(DSS_CONTROL, 1, 4, 4); /* venc dac demen */ +- REG_FLD_MOD(DSS_CONTROL, 1, 3, 3); /* venc clock 4x enable */ +- REG_FLD_MOD(DSS_CONTROL, 0, 2, 2); /* venc clock mode = normal */ +-#endif +- dss.dsi_clk_source[0] = DSS_CLK_SRC_FCK; +- dss.dsi_clk_source[1] = DSS_CLK_SRC_FCK; +- dss.dispc_clk_source = DSS_CLK_SRC_FCK; +- dss.lcd_clk_source[0] = DSS_CLK_SRC_FCK; +- dss.lcd_clk_source[1] = DSS_CLK_SRC_FCK; +- +- rev = dss_read_reg(DSS_REVISION); +- pr_info("OMAP DSS rev %d.%d\n", FLD_GET(rev, 7, 4), FLD_GET(rev, 3, 0)); +- +- dss_runtime_put(); +- +- r = component_bind_all(&pdev->dev, NULL); +- if (r) +- goto err_component; +- +- dss_debugfs_create_file("dss", dss_dump_regs); +- + pm_set_vt_switch(0); + + omapdss_gather_components(dev); + omapdss_set_is_initialized(true); + + return 0; +- +-err_component: +-err_runtime_get: +- pm_runtime_disable(&pdev->dev); +- dss_uninit_ports(pdev); +-err_init_ports: +- if (dss.video1_pll) +- dss_video_pll_uninit(dss.video1_pll); +- +- if (dss.video2_pll) +- dss_video_pll_uninit(dss.video2_pll); +-err_pll_init: +-err_setup_clocks: +- dss_put_clocks(); +- return r; + } + + static void dss_unbind(struct device *dev) +@@ -1391,18 +1321,6 @@ static void dss_unbind(struct device *de + omapdss_set_is_initialized(false); + + component_unbind_all(&pdev->dev, NULL); +- +- if (dss.video1_pll) +- dss_video_pll_uninit(dss.video1_pll); +- +- if (dss.video2_pll) +- dss_video_pll_uninit(dss.video2_pll); +- +- dss_uninit_ports(pdev); +- +- pm_runtime_disable(&pdev->dev); +- +- dss_put_clocks(); + } + + static const struct component_master_ops dss_component_ops = { +@@ -1434,10 +1352,46 @@ static int dss_add_child_component(struc + return 0; + } + ++static int dss_probe_hardware(void) ++{ ++ u32 rev; ++ int r; ++ ++ r = dss_runtime_get(); ++ if (r) ++ return r; ++ ++ dss.dss_clk_rate = clk_get_rate(dss.dss_clk); ++ ++ /* Select DPLL */ ++ REG_FLD_MOD(DSS_CONTROL, 0, 0, 0); ++ ++ dss_select_dispc_clk_source(DSS_CLK_SRC_FCK); ++ ++#ifdef CONFIG_OMAP2_DSS_VENC ++ REG_FLD_MOD(DSS_CONTROL, 1, 4, 4); /* venc dac demen */ ++ REG_FLD_MOD(DSS_CONTROL, 1, 3, 3); /* venc clock 4x enable */ ++ REG_FLD_MOD(DSS_CONTROL, 0, 2, 2); /* venc clock mode = normal */ ++#endif ++ dss.dsi_clk_source[0] = DSS_CLK_SRC_FCK; ++ dss.dsi_clk_source[1] = DSS_CLK_SRC_FCK; ++ dss.dispc_clk_source = DSS_CLK_SRC_FCK; ++ dss.lcd_clk_source[0] = DSS_CLK_SRC_FCK; ++ dss.lcd_clk_source[1] = DSS_CLK_SRC_FCK; ++ ++ rev = dss_read_reg(DSS_REVISION); ++ pr_info("OMAP DSS rev %d.%d\n", FLD_GET(rev, 7, 4), FLD_GET(rev, 3, 0)); ++ ++ dss_runtime_put(); ++ ++ return 0; ++} ++ + static int dss_probe(struct platform_device *pdev) + { + const struct soc_device_attribute *soc; + struct component_match *match = NULL; ++ struct resource *dss_mem; + int r; + + dss.pdev = pdev; +@@ -1458,20 +1412,69 @@ static int dss_probe(struct platform_dev + else + dss.feat = of_match_device(dss_of_match, &pdev->dev)->data; + +- r = dss_initialize_debugfs(); ++ /* Map I/O registers, get and setup clocks. */ ++ dss_mem = platform_get_resource(pdev, IORESOURCE_MEM, 0); ++ dss.base = devm_ioremap_resource(&pdev->dev, dss_mem); ++ if (IS_ERR(dss.base)) ++ return PTR_ERR(dss.base); ++ ++ r = dss_get_clocks(); + if (r) + return r; + +- /* add all the child devices as components */ ++ r = dss_setup_default_clock(); ++ if (r) ++ goto err_put_clocks; ++ ++ /* Setup the video PLLs and the DPI and SDI ports. */ ++ r = dss_video_pll_probe(pdev); ++ if (r) ++ goto err_put_clocks; ++ ++ r = dss_init_ports(pdev); ++ if (r) ++ goto err_uninit_plls; ++ ++ /* Enable runtime PM and probe the hardware. */ ++ pm_runtime_enable(&pdev->dev); ++ ++ r = dss_probe_hardware(); ++ if (r) ++ goto err_pm_runtime_disable; ++ ++ /* Initialize debugfs. */ ++ r = dss_initialize_debugfs(); ++ if (r) ++ goto err_pm_runtime_disable; ++ ++ dss_debugfs_create_file("dss", dss_dump_regs); ++ ++ /* Add all the child devices as components. */ + device_for_each_child(&pdev->dev, &match, dss_add_child_component); + + r = component_master_add_with_match(&pdev->dev, &dss_component_ops, match); +- if (r) { +- dss_uninitialize_debugfs(); +- return r; +- } ++ if (r) ++ goto err_uninit_debugfs; + + return 0; ++ ++err_uninit_debugfs: ++ dss_uninitialize_debugfs(); ++ ++err_pm_runtime_disable: ++ pm_runtime_disable(&pdev->dev); ++ dss_uninit_ports(pdev); ++ ++err_uninit_plls: ++ if (dss.video1_pll) ++ dss_video_pll_uninit(dss.video1_pll); ++ if (dss.video2_pll) ++ dss_video_pll_uninit(dss.video2_pll); ++ ++err_put_clocks: ++ dss_put_clocks(); ++ ++ return r; + } + + static int dss_remove(struct platform_device *pdev) +@@ -1480,6 +1483,18 @@ static int dss_remove(struct platform_de + + dss_uninitialize_debugfs(); + ++ pm_runtime_disable(&pdev->dev); ++ ++ dss_uninit_ports(pdev); ++ ++ if (dss.video1_pll) ++ dss_video_pll_uninit(dss.video1_pll); ++ ++ if (dss.video2_pll) ++ dss_video_pll_uninit(dss.video2_pll); ++ ++ dss_put_clocks(); ++ + return 0; + } + diff --git a/queue-4.16/drm-panel-simple-fix-the-bus-format-for-the-ontat-panel.patch b/queue-4.16/drm-panel-simple-fix-the-bus-format-for-the-ontat-panel.patch new file mode 100644 index 00000000000..3a6c58e2a43 --- /dev/null +++ b/queue-4.16/drm-panel-simple-fix-the-bus-format-for-the-ontat-panel.patch @@ -0,0 +1,36 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Eric Anholt +Date: Fri, 9 Mar 2018 15:33:32 -0800 +Subject: drm/panel: simple: Fix the bus format for the Ontat panel + +From: Eric Anholt + +[ Upstream commit 5651e5e094591f479adad5830ac1bc45196a39b3 ] + +This fixes bad color output. When I was first testing the device I +had the DPI hardware set to 666 mode, but apparently in the refactor +to use the bus_format information from the panel driver, I failed to +actually update the panel. + +Signed-off-by: Eric Anholt +Fixes: e8b6f561b2ee ("drm/panel: simple: Add the 7" DPI panel from Adafruit") +Cc: Thierry Reding +Signed-off-by: Thierry Reding +Link: https://patchwork.freedesktop.org/patch/msgid/20180309233332.1769-1-eric@anholt.net +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/panel/panel-simple.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/panel/panel-simple.c ++++ b/drivers/gpu/drm/panel/panel-simple.c +@@ -1597,7 +1597,7 @@ static const struct panel_desc ontat_yx7 + .width = 154, + .height = 83, + }, +- .bus_format = MEDIA_BUS_FMT_RGB888_1X24, ++ .bus_format = MEDIA_BUS_FMT_RGB666_1X18, + }; + + static const struct drm_display_mode ortustech_com43h4m85ulc_mode = { diff --git a/queue-4.16/drm-rcar-du-lvds-fix-lvds-startup-on-r-car-gen2.patch b/queue-4.16/drm-rcar-du-lvds-fix-lvds-startup-on-r-car-gen2.patch new file mode 100644 index 00000000000..c1a8769ad32 --- /dev/null +++ b/queue-4.16/drm-rcar-du-lvds-fix-lvds-startup-on-r-car-gen2.patch @@ -0,0 +1,54 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Sergei Shtylyov +Date: Fri, 12 Jan 2018 23:12:05 +0300 +Subject: drm: rcar-du: lvds: Fix LVDS startup on R-Car Gen2 + +From: Sergei Shtylyov + +[ Upstream commit 8525d04ba8a6a9ecfa4bd619c988ca873a5fc2a4 ] + +According to the latest revision 2.00 of the R-Car Gen2 manual, the LVDS +and the bias circuit must be enabled after the LVDS I/O pins are +enabled, not before. Fix the Gen2 LVDS startup sequence accordingly. + +While at it, also fix the comment preceding the first LVDCR0 write that +still talks about hardcoding the LVDS mode 0. + +Fixes: 90374b5c25c9 ("drm/rcar-du: Add internal LVDS encoder support") +Signed-off-by: Sergei Shtylyov +Reviewed-by: Laurent Pinchart +Tested-by: Laurent Pinchart +Signed-off-by: Laurent Pinchart +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c ++++ b/drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c +@@ -59,11 +59,8 @@ static void rcar_du_lvdsenc_start_gen2(s + + rcar_lvds_write(lvds, LVDPLLCR, pllcr); + +- /* +- * Select the input, hardcode mode 0, enable LVDS operation and turn +- * bias circuitry on. +- */ +- lvdcr0 = (lvds->mode << LVDCR0_LVMD_SHIFT) | LVDCR0_BEN | LVDCR0_LVEN; ++ /* Select the input and set the LVDS mode. */ ++ lvdcr0 = lvds->mode << LVDCR0_LVMD_SHIFT; + if (rcrtc->index == 2) + lvdcr0 |= LVDCR0_DUSEL; + rcar_lvds_write(lvds, LVDCR0, lvdcr0); +@@ -74,6 +71,10 @@ static void rcar_du_lvdsenc_start_gen2(s + LVDCR1_CHSTBY_GEN2(1) | LVDCR1_CHSTBY_GEN2(0) | + LVDCR1_CLKSTBY_GEN2); + ++ /* Enable LVDS operation and turn bias circuitry on. */ ++ lvdcr0 |= LVDCR0_BEN | LVDCR0_LVEN; ++ rcar_lvds_write(lvds, LVDCR0, lvdcr0); ++ + /* + * Turn the PLL on, wait for the startup delay, and turn the output + * on. diff --git a/queue-4.16/drm-rcar-du-lvds-fix-lvds-startup-on-r-car-gen3.patch b/queue-4.16/drm-rcar-du-lvds-fix-lvds-startup-on-r-car-gen3.patch new file mode 100644 index 00000000000..9d9d5e0d6cb --- /dev/null +++ b/queue-4.16/drm-rcar-du-lvds-fix-lvds-startup-on-r-car-gen3.patch @@ -0,0 +1,57 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Sergei Shtylyov +Date: Fri, 12 Jan 2018 23:12:04 +0300 +Subject: drm: rcar-du: lvds: Fix LVDS startup on R-Car Gen3 + +From: Sergei Shtylyov + +[ Upstream commit 796ceb9269626afaed3b4955c40d2c3d7a8c5d01 ] + +According to the latest revisions of the R-Car Gen3 manual, the LVDS mode +must be set before the LVDS I/O pins are enabled, not after -- fix the +Gen3 LVDS startup sequence accordingly. + +Fixes: e947eccbeba4 ("drm: rcar-du: Add support for LVDS mode selection") +Signed-off-by: Sergei Shtylyov +Reviewed-by: Laurent Pinchart +[Updated comment in rcar_du_lvdsenc_start_gen3()] +[Moved Gen2 startup comment update to separate commit] +[Fixed =| typo] +Tested-by: Laurent Pinchart +Signed-off-by: Laurent Pinchart +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c ++++ b/drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c +@@ -95,7 +95,7 @@ static void rcar_du_lvdsenc_start_gen3(s + u32 lvdcr0; + u32 pllcr; + +- /* PLL clock configuration */ ++ /* Set the PLL clock configuration and LVDS mode. */ + if (freq < 42000) + pllcr = LVDPLLCR_PLLDIVCNT_42M; + else if (freq < 85000) +@@ -107,6 +107,9 @@ static void rcar_du_lvdsenc_start_gen3(s + + rcar_lvds_write(lvds, LVDPLLCR, pllcr); + ++ lvdcr0 = lvds->mode << LVDCR0_LVMD_SHIFT; ++ rcar_lvds_write(lvds, LVDCR0, lvdcr0); ++ + /* Turn all the channels on. */ + rcar_lvds_write(lvds, LVDCR1, + LVDCR1_CHSTBY_GEN3(3) | LVDCR1_CHSTBY_GEN3(2) | +@@ -117,7 +120,7 @@ static void rcar_du_lvdsenc_start_gen3(s + * Turn the PLL on, set it to LVDS normal mode, wait for the startup + * delay and turn the output on. + */ +- lvdcr0 = (lvds->mode << LVDCR0_LVMD_SHIFT) | LVDCR0_PLLON; ++ lvdcr0 |= LVDCR0_PLLON; + rcar_lvds_write(lvds, LVDCR0, lvdcr0); + + lvdcr0 |= LVDCR0_PWD; diff --git a/queue-4.16/drm-rockchip-respect-page-offset-for-prime-mmap-calls.patch b/queue-4.16/drm-rockchip-respect-page-offset-for-prime-mmap-calls.patch new file mode 100644 index 00000000000..37143ebd08e --- /dev/null +++ b/queue-4.16/drm-rockchip-respect-page-offset-for-prime-mmap-calls.patch @@ -0,0 +1,56 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: "Ørjan Eide" +Date: Tue, 30 Jan 2018 21:28:33 +0100 +Subject: drm/rockchip: Respect page offset for PRIME mmap calls + +From: "Ørjan Eide" + +[ Upstream commit 57de50af162b67612da99207b061ade3239e57db ] + +When mapping external DMA-bufs through the PRIME mmap call, we might be +given an offset which has to be respected. However for the internal DRM +GEM mmap path, we have to ignore the fake mmap offset used to identify +the buffer only. Currently the code always zeroes out vma->vm_pgoff, +which breaks the former. + +This patch fixes the problem by moving the vm_pgoff assignment to a +function that is used only for GEM mmap path, so that the PRIME path +retains the original offset. + +Cc: Daniel Kurtz +Signed-off-by: Ørjan Eide +Signed-off-by: Tomasz Figa +Signed-off-by: Sean Paul +Signed-off-by: Thierry Escande +Tested-by: Heiko Stuebner +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/20180130202913.28724-4-thierry.escande@collabora.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/rockchip/rockchip_drm_gem.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/rockchip/rockchip_drm_gem.c ++++ b/drivers/gpu/drm/rockchip/rockchip_drm_gem.c +@@ -262,7 +262,6 @@ static int rockchip_drm_gem_object_mmap( + * VM_PFNMAP flag that was set by drm_gem_mmap_obj()/drm_gem_mmap(). + */ + vma->vm_flags &= ~VM_PFNMAP; +- vma->vm_pgoff = 0; + + if (rk_obj->pages) + ret = rockchip_drm_gem_object_mmap_iommu(obj, vma); +@@ -297,6 +296,12 @@ int rockchip_gem_mmap(struct file *filp, + if (ret) + return ret; + ++ /* ++ * Set vm_pgoff (used as a fake buffer offset by DRM) to 0 and map the ++ * whole buffer from the start. ++ */ ++ vma->vm_pgoff = 0; ++ + obj = vma->vm_private_data; + + return rockchip_drm_gem_object_mmap(obj, vma); diff --git a/queue-4.16/drm-vblank-data-type-fixes-for-64-bit-vblank-sequences.patch b/queue-4.16/drm-vblank-data-type-fixes-for-64-bit-vblank-sequences.patch new file mode 100644 index 00000000000..06915a5325b --- /dev/null +++ b/queue-4.16/drm-vblank-data-type-fixes-for-64-bit-vblank-sequences.patch @@ -0,0 +1,89 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Dhinakaran Pandiyan +Date: Fri, 2 Feb 2018 21:12:53 -0800 +Subject: drm/vblank: Data type fixes for 64-bit vblank sequences. + +From: Dhinakaran Pandiyan + +[ Upstream commit 3b765c0b765d2cc03ef02276f1af2658a03b3ced ] + +drm_vblank_count() has an u32 type returning what is a 64-bit vblank count. +The effect of this is when drm_wait_vblank_ioctl() tries to widen the user +space requested vblank sequence using this clipped 32-bit count(when the +value is >= 2^32) as reference, the requested sequence remains a 32-bit +value and gets queued like that. However, the code that checks if the +requested sequence has passed compares this against the 64-bit vblank +count. + +With drm_vblank_count() returning all bits of the vblank count, update +drm_crtc_accurate_vblank_count() so that drm_crtc_arm_vblank_event() queues +the correct sequence. Otherwise, this leads to prolonged waits for a vblank +sequence when the current count is >=2^32. + +Finally, fix drm_wait_one_vblank() too. + +v2: Commit message fix (Keith) + Squash commits (Rodrigo) + +Fixes: 570e86963a51 ("drm: Widen vblank count to 64-bits [v3]") +Cc: Keith Packard +Cc: Michel Dänzer +Cc: Daniel Vetter +Cc: Rodrigo Vivi +Signed-off-by: Dhinakaran Pandiyan +Acked-by: Daniel Vetter +Reviewed-by: Keith Packard +Signed-off-by: Rodrigo Vivi +Link: https://patchwork.freedesktop.org/patch/msgid/20180203051302.9974-1-dhinakaran.pandiyan@intel.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_vblank.c | 8 ++++---- + include/drm/drm_vblank.h | 2 +- + 2 files changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/gpu/drm/drm_vblank.c ++++ b/drivers/gpu/drm/drm_vblank.c +@@ -271,7 +271,7 @@ static void drm_update_vblank_count(stru + store_vblank(dev, pipe, diff, t_vblank, cur_vblank); + } + +-static u32 drm_vblank_count(struct drm_device *dev, unsigned int pipe) ++static u64 drm_vblank_count(struct drm_device *dev, unsigned int pipe) + { + struct drm_vblank_crtc *vblank = &dev->vblank[pipe]; + +@@ -292,11 +292,11 @@ static u32 drm_vblank_count(struct drm_d + * This is mostly useful for hardware that can obtain the scanout position, but + * doesn't have a hardware frame counter. + */ +-u32 drm_crtc_accurate_vblank_count(struct drm_crtc *crtc) ++u64 drm_crtc_accurate_vblank_count(struct drm_crtc *crtc) + { + struct drm_device *dev = crtc->dev; + unsigned int pipe = drm_crtc_index(crtc); +- u32 vblank; ++ u64 vblank; + unsigned long flags; + + WARN_ONCE(drm_debug & DRM_UT_VBL && !dev->driver->get_vblank_timestamp, +@@ -1055,7 +1055,7 @@ void drm_wait_one_vblank(struct drm_devi + { + struct drm_vblank_crtc *vblank = &dev->vblank[pipe]; + int ret; +- u32 last; ++ u64 last; + + if (WARN_ON(pipe >= dev->num_crtcs)) + return; +--- a/include/drm/drm_vblank.h ++++ b/include/drm/drm_vblank.h +@@ -179,7 +179,7 @@ void drm_crtc_wait_one_vblank(struct drm + void drm_crtc_vblank_off(struct drm_crtc *crtc); + void drm_crtc_vblank_reset(struct drm_crtc *crtc); + void drm_crtc_vblank_on(struct drm_crtc *crtc); +-u32 drm_crtc_accurate_vblank_count(struct drm_crtc *crtc); ++u64 drm_crtc_accurate_vblank_count(struct drm_crtc *crtc); + + bool drm_calc_vbltimestamp_from_scanoutpos(struct drm_device *dev, + unsigned int pipe, int *max_error, diff --git a/queue-4.16/drm-vmwgfx-unpin-the-screen-object-backup-buffer-when-not-used.patch b/queue-4.16/drm-vmwgfx-unpin-the-screen-object-backup-buffer-when-not-used.patch new file mode 100644 index 00000000000..4b022ce5dc4 --- /dev/null +++ b/queue-4.16/drm-vmwgfx-unpin-the-screen-object-backup-buffer-when-not-used.patch @@ -0,0 +1,91 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Thomas Hellstrom +Date: Thu, 22 Mar 2018 10:35:18 +0100 +Subject: drm/vmwgfx: Unpin the screen object backup buffer when not used + +From: Thomas Hellstrom + +[ Upstream commit 20fb5a635a0c8478ac98f15cfafc2ea83df29565 ] + +We were relying on the pinned screen object backup buffer to be destroyed +when not used. But if we hold a copy of the atomic state, like when +hibernating, the backup buffer might not be destroyed since it's +refcounted by the atomic state. This causes us to hibernate with a +buffer pinned in VRAM. + +Fix this by only having the buffer pinned when it is actually used by a +screen object. + +Signed-off-by: Thomas Hellstrom +Reviewed-by: Brian Paul +Reviewed-by: Sinclair Yeh +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c | 29 +++++++++++++++++++++-------- + 1 file changed, 21 insertions(+), 8 deletions(-) + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c +@@ -453,7 +453,11 @@ vmw_sou_primary_plane_cleanup_fb(struct + struct drm_plane_state *old_state) + { + struct vmw_plane_state *vps = vmw_plane_state_to_vps(old_state); ++ struct drm_crtc *crtc = plane->state->crtc ? ++ plane->state->crtc : old_state->crtc; + ++ if (vps->dmabuf) ++ vmw_dmabuf_unpin(vmw_priv(crtc->dev), vps->dmabuf, false); + vmw_dmabuf_unreference(&vps->dmabuf); + vps->dmabuf_size = 0; + +@@ -491,10 +495,17 @@ vmw_sou_primary_plane_prepare_fb(struct + } + + size = new_state->crtc_w * new_state->crtc_h * 4; ++ dev_priv = vmw_priv(crtc->dev); + + if (vps->dmabuf) { +- if (vps->dmabuf_size == size) +- return 0; ++ if (vps->dmabuf_size == size) { ++ /* ++ * Note that this might temporarily up the pin-count ++ * to 2, until cleanup_fb() is called. ++ */ ++ return vmw_dmabuf_pin_in_vram(dev_priv, vps->dmabuf, ++ true); ++ } + + vmw_dmabuf_unreference(&vps->dmabuf); + vps->dmabuf_size = 0; +@@ -504,7 +515,6 @@ vmw_sou_primary_plane_prepare_fb(struct + if (!vps->dmabuf) + return -ENOMEM; + +- dev_priv = vmw_priv(crtc->dev); + vmw_svga_enable(dev_priv); + + /* After we have alloced the backing store might not be able to +@@ -515,13 +525,16 @@ vmw_sou_primary_plane_prepare_fb(struct + &vmw_vram_ne_placement, + false, &vmw_dmabuf_bo_free); + vmw_overlay_resume_all(dev_priv); +- +- if (ret != 0) ++ if (ret) { + vps->dmabuf = NULL; /* vmw_dmabuf_init frees on error */ +- else +- vps->dmabuf_size = size; ++ return ret; ++ } + +- return ret; ++ /* ++ * TTM already thinks the buffer is pinned, but make sure the ++ * pin_count is upped. ++ */ ++ return vmw_dmabuf_pin_in_vram(dev_priv, vps->dmabuf, true); + } + + diff --git a/queue-4.16/dt-bindings-add-device-tree-binding-for-allwinner-h6-main-ccu.patch b/queue-4.16/dt-bindings-add-device-tree-binding-for-allwinner-h6-main-ccu.patch new file mode 100644 index 00000000000..af4f28488db --- /dev/null +++ b/queue-4.16/dt-bindings-add-device-tree-binding-for-allwinner-h6-main-ccu.patch @@ -0,0 +1,42 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Icenowy Zheng +Date: Fri, 16 Mar 2018 22:02:12 +0800 +Subject: dt-bindings: add device tree binding for Allwinner H6 main CCU + +From: Icenowy Zheng + +[ Upstream commit 2e08e4d2ff488424919d69dd211ac860a019ac1d ] + +The Allwinner H6 main CCU uses the internal oscillator of the SoC, which +is different with old SoCs' main CCU. + +Add device tree binding for the Allwinner H6 main CCU. + +Signed-off-by: Icenowy Zheng +Signed-off-by: Maxime Ripard +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/clock/sunxi-ccu.txt | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/Documentation/devicetree/bindings/clock/sunxi-ccu.txt ++++ b/Documentation/devicetree/bindings/clock/sunxi-ccu.txt +@@ -20,6 +20,7 @@ Required properties : + - "allwinner,sun50i-a64-ccu" + - "allwinner,sun50i-a64-r-ccu" + - "allwinner,sun50i-h5-ccu" ++ - "allwinner,sun50i-h6-ccu" + - "nextthing,gr8-ccu" + + - reg: Must contain the registers base address and length +@@ -31,6 +32,9 @@ Required properties : + - #clock-cells : must contain 1 + - #reset-cells : must contain 1 + ++For the main CCU on H6, one more clock is needed: ++- "iosc": the SoC's internal frequency oscillator ++ + For the PRCM CCUs on A83T/H3/A64, two more clocks are needed: + - "pll-periph": the SoC's peripheral PLL from the main CCU + - "iosc": the SoC's internal frequency oscillator diff --git a/queue-4.16/dt-bindings-display-msm-dsi-fix-the-phy-regulator-supply-props.patch b/queue-4.16/dt-bindings-display-msm-dsi-fix-the-phy-regulator-supply-props.patch new file mode 100644 index 00000000000..27189af7332 --- /dev/null +++ b/queue-4.16/dt-bindings-display-msm-dsi-fix-the-phy-regulator-supply-props.patch @@ -0,0 +1,37 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Archit Taneja +Date: Wed, 17 Jan 2018 15:04:46 +0530 +Subject: dt-bindings: display: msm/dsi: Fix the PHY regulator supply props + +From: Archit Taneja + +[ Upstream commit 8c4905fd4939c59e0f7993ba34883e328eef4b59 ] + +The PHY regulator supply names vary across different PHY versions. +Mention explicitly which PHYs require which supplies. + +Cc: Rob Herring +Cc: devicetree@vger.kernel.org +Signed-off-by: Archit Taneja +Reviewed-by: Rob Herring +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/display/msm/dsi.txt | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/Documentation/devicetree/bindings/display/msm/dsi.txt ++++ b/Documentation/devicetree/bindings/display/msm/dsi.txt +@@ -102,7 +102,11 @@ Required properties: + - clocks: Phandles to device clocks. See [1] for details on clock bindings. + - clock-names: the following clocks are required: + * "iface" ++ For 28nm HPM/LP, 28nm 8960 PHYs: + - vddio-supply: phandle to vdd-io regulator device node ++ For 20nm PHY: ++- vddio-supply: phandle to vdd-io regulator device node ++- vcca-supply: phandle to vcca regulator device node + + Optional properties: + - qcom,dsi-phy-regulator-ldo-mode: Boolean value indicating if the LDO mode PHY diff --git a/queue-4.16/efi-arm-only-register-page-tables-when-they-exist.patch b/queue-4.16/efi-arm-only-register-page-tables-when-they-exist.patch new file mode 100644 index 00000000000..1715e28ad7f --- /dev/null +++ b/queue-4.16/efi-arm-only-register-page-tables-when-they-exist.patch @@ -0,0 +1,99 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Mark Rutland +Date: Thu, 8 Mar 2018 08:00:09 +0000 +Subject: efi/arm*: Only register page tables when they exist + +From: Mark Rutland + +[ Upstream commit 6b31a2fa1e8f7bc6c2a474b4a12dad7a145cf83d ] + +Currently the arm/arm64 runtime code registers the runtime servies +pagetables with ptdump regardless of whether runtime services page +tables have been created. + +As efi_mm.pgd is NULL in these cases, attempting to dump the efi page +tables results in a NULL pointer dereference in the ptdump code: + +/sys/kernel/debug# cat efi_page_tables +[ 479.522600] Unable to handle kernel NULL pointer dereference at virtual address 00000000 +[ 479.522715] Mem abort info: +[ 479.522764] ESR = 0x96000006 +[ 479.522850] Exception class = DABT (current EL), IL = 32 bits +[ 479.522899] SET = 0, FnV = 0 +[ 479.522937] EA = 0, S1PTW = 0 +[ 479.528200] Data abort info: +[ 479.528230] ISV = 0, ISS = 0x00000006 +[ 479.528317] CM = 0, WnR = 0 +[ 479.528317] user pgtable: 4k pages, 48-bit VAs, pgd = 0000000064ab0cb0 +[ 479.528449] [0000000000000000] *pgd=00000000fbbe4003, *pud=00000000fb66e003, *pmd=0000000000000000 +[ 479.528600] Internal error: Oops: 96000006 [#1] PREEMPT SMP +[ 479.528664] Modules linked in: +[ 479.528699] CPU: 0 PID: 2457 Comm: cat Not tainted 4.15.0-rc3-00065-g2ad2ee7ecb5c-dirty #7 +[ 479.528799] Hardware name: FVP Base (DT) +[ 479.528899] pstate: 00400009 (nzcv daif +PAN -UAO) +[ 479.528941] pc : walk_pgd.isra.1+0x20/0x1d0 +[ 479.529011] lr : ptdump_walk_pgd+0x30/0x50 +[ 479.529105] sp : ffff00000bf4bc20 +[ 479.529185] x29: ffff00000bf4bc20 x28: 0000ffff9d22e000 +[ 479.529271] x27: 0000000000020000 x26: ffff80007b4c63c0 +[ 479.529358] x25: 00000000014000c0 x24: ffff80007c098900 +[ 479.529445] x23: ffff00000bf4beb8 x22: 0000000000000000 +[ 479.529532] x21: ffff00000bf4bd70 x20: 0000000000000001 +[ 479.529618] x19: ffff00000bf4bcb0 x18: 0000000000000000 +[ 479.529760] x17: 000000000041a1c8 x16: ffff0000082139d8 +[ 479.529800] x15: 0000ffff9d3c6030 x14: 0000ffff9d2527f4 +[ 479.529924] x13: 00000000000003f3 x12: 0000000000000038 +[ 479.530000] x11: 0000000000000003 x10: 0101010101010101 +[ 479.530099] x9 : 0000000017e94050 x8 : 000000000000003f +[ 479.530226] x7 : 0000000000000000 x6 : 0000000000000000 +[ 479.530313] x5 : 0000000000000001 x4 : 0000000000000000 +[ 479.530416] x3 : ffff000009069fd8 x2 : 0000000000000000 +[ 479.530500] x1 : 0000000000000000 x0 : 0000000000000000 +[ 479.530599] Process cat (pid: 2457, stack limit = 0x000000005d1b0e6f) +[ 479.530660] Call trace: +[ 479.530746] walk_pgd.isra.1+0x20/0x1d0 +[ 479.530833] ptdump_walk_pgd+0x30/0x50 +[ 479.530907] ptdump_show+0x10/0x20 +[ 479.530920] seq_read+0xc8/0x470 +[ 479.531023] full_proxy_read+0x60/0x90 +[ 479.531100] __vfs_read+0x18/0x100 +[ 479.531180] vfs_read+0x88/0x160 +[ 479.531267] SyS_read+0x48/0xb0 +[ 479.531299] el0_svc_naked+0x20/0x24 +[ 479.531400] Code: 91400420 f90033a0 a90707a2 f9403fa0 (f9400000) +[ 479.531499] ---[ end trace bfe8e28d8acb2b67 ]--- +Segmentation fault + +Let's avoid this problem by only registering the tables after their +successful creation, which is also less confusing when EFI runtime +services are not in use. + +Reported-by: Will Deacon +Signed-off-by: Mark Rutland +Signed-off-by: Ard Biesheuvel +Acked-by: Will Deacon +Cc: Linus Torvalds +Cc: Matt Fleming +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux-efi@vger.kernel.org +Link: http://lkml.kernel.org/r/20180308080020.22828-2-ard.biesheuvel@linaro.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/efi/arm-runtime.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/firmware/efi/arm-runtime.c ++++ b/drivers/firmware/efi/arm-runtime.c +@@ -54,6 +54,9 @@ static struct ptdump_info efi_ptdump_inf + + static int __init ptdump_init(void) + { ++ if (!efi_enabled(EFI_RUNTIME_SERVICES)) ++ return 0; ++ + return ptdump_debugfs_register(&efi_ptdump_info, "efi_page_tables"); + } + device_initcall(ptdump_init); diff --git a/queue-4.16/enic-enable-rq-before-updating-rq-descriptors.patch b/queue-4.16/enic-enable-rq-before-updating-rq-descriptors.patch new file mode 100644 index 00000000000..91ac07d54cc --- /dev/null +++ b/queue-4.16/enic-enable-rq-before-updating-rq-descriptors.patch @@ -0,0 +1,54 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Govindarajulu Varadarajan +Date: Thu, 1 Mar 2018 11:07:23 -0800 +Subject: enic: enable rq before updating rq descriptors + +From: Govindarajulu Varadarajan + +[ Upstream commit e8588e268509292550634d9a35f2723a207683b2 ] + +rq should be enabled before posting the buffers to rq desc. If not hw sees +stale value and casuses DMAR errors. + +Signed-off-by: Govindarajulu Varadarajan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/cisco/enic/enic_main.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/cisco/enic/enic_main.c ++++ b/drivers/net/ethernet/cisco/enic/enic_main.c +@@ -1898,6 +1898,8 @@ static int enic_open(struct net_device * + } + + for (i = 0; i < enic->rq_count; i++) { ++ /* enable rq before updating rq desc */ ++ vnic_rq_enable(&enic->rq[i]); + vnic_rq_fill(&enic->rq[i], enic_rq_alloc_buf); + /* Need at least one buffer on ring to get going */ + if (vnic_rq_desc_used(&enic->rq[i]) == 0) { +@@ -1909,8 +1911,6 @@ static int enic_open(struct net_device * + + for (i = 0; i < enic->wq_count; i++) + vnic_wq_enable(&enic->wq[i]); +- for (i = 0; i < enic->rq_count; i++) +- vnic_rq_enable(&enic->rq[i]); + + if (!enic_is_dynamic(enic) && !enic_is_sriov_vf(enic)) + enic_dev_add_station_addr(enic); +@@ -1936,8 +1936,12 @@ static int enic_open(struct net_device * + return 0; + + err_out_free_rq: +- for (i = 0; i < enic->rq_count; i++) ++ for (i = 0; i < enic->rq_count; i++) { ++ err = vnic_rq_disable(&enic->rq[i]); ++ if (err) ++ return err; + vnic_rq_clean(&enic->rq[i], enic_free_rq_buf); ++ } + enic_dev_notify_unset(enic); + err_out_free_intr: + enic_unset_affinity_hint(enic); diff --git a/queue-4.16/ext4-don-t-complain-about-incorrect-features-when-probing.patch b/queue-4.16/ext4-don-t-complain-about-incorrect-features-when-probing.patch new file mode 100644 index 00000000000..a6c05f8a414 --- /dev/null +++ b/queue-4.16/ext4-don-t-complain-about-incorrect-features-when-probing.patch @@ -0,0 +1,59 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Eric Sandeen +Date: Thu, 22 Mar 2018 11:59:00 -0400 +Subject: ext4: don't complain about incorrect features when probing + +From: Eric Sandeen + +[ Upstream commit 0d9366d67bcf066b028e57d09c9a86ce879bcc28 ] + +If mount is auto-probing for filesystem type, it will try various +filesystems in order, with the MS_SILENT flag set. We get +that flag as the silent arg to ext4_fill_super. + +If we're probing (silent==1) then don't complain about feature +incompatibilities that are found if it looks like it's actually +a different valid extN type - failed probes should be silent +in this case. + +If the on-disk features are unknown even to ext4, then complain. + +Reported-by: Joakim Tjernlund +Tested-by: Joakim Tjernlund +Signed-off-by: Eric Sandeen +Signed-off-by: Theodore Ts'o +Reviewed-by: Jan Kara +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/super.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -3663,6 +3663,12 @@ static int ext4_fill_super(struct super_ + ext4_msg(sb, KERN_INFO, "mounting ext2 file system " + "using the ext4 subsystem"); + else { ++ /* ++ * If we're probing be silent, if this looks like ++ * it's actually an ext[34] filesystem. ++ */ ++ if (silent && ext4_feature_set_ok(sb, sb_rdonly(sb))) ++ goto failed_mount; + ext4_msg(sb, KERN_ERR, "couldn't mount as ext2 due " + "to feature incompatibilities"); + goto failed_mount; +@@ -3674,6 +3680,12 @@ static int ext4_fill_super(struct super_ + ext4_msg(sb, KERN_INFO, "mounting ext3 file system " + "using the ext4 subsystem"); + else { ++ /* ++ * If we're probing be silent, if this looks like ++ * it's actually an ext4 filesystem. ++ */ ++ if (silent && ext4_feature_set_ok(sb, sb_rdonly(sb))) ++ goto failed_mount; + ext4_msg(sb, KERN_ERR, "couldn't mount as ext3 due " + "to feature incompatibilities"); + goto failed_mount; diff --git a/queue-4.16/f2fs-fix-to-check-extent-cache-in-f2fs_drop_extent_tree.patch b/queue-4.16/f2fs-fix-to-check-extent-cache-in-f2fs_drop_extent_tree.patch new file mode 100644 index 00000000000..5d340735d49 --- /dev/null +++ b/queue-4.16/f2fs-fix-to-check-extent-cache-in-f2fs_drop_extent_tree.patch @@ -0,0 +1,48 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Chao Yu +Date: Sat, 27 Jan 2018 17:29:49 +0800 +Subject: f2fs: fix to check extent cache in f2fs_drop_extent_tree + +From: Chao Yu + +[ Upstream commit bf617f7a92edc6bb2909db2bfa4576f50b280ee5 ] + +If noextent_cache mount option is on, we will never initialize extent tree +in inode, but still we're going to access it in f2fs_drop_extent_tree, +result in kernel panic as below: + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000038 + IP: _raw_write_lock+0xc/0x30 + Call Trace: + ? f2fs_drop_extent_tree+0x41/0x70 [f2fs] + f2fs_fallocate+0x5a0/0xdd0 [f2fs] + ? common_file_perm+0x47/0xc0 + ? apparmor_file_permission+0x1a/0x20 + vfs_fallocate+0x15b/0x290 + SyS_fallocate+0x44/0x70 + do_syscall_64+0x6e/0x160 + entry_SYSCALL64_slow_path+0x25/0x25 + +This patch fixes to check extent cache status before using in +f2fs_drop_extent_tree. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/extent_cache.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/f2fs/extent_cache.c ++++ b/fs/f2fs/extent_cache.c +@@ -706,6 +706,9 @@ void f2fs_drop_extent_tree(struct inode + struct f2fs_sb_info *sbi = F2FS_I_SB(inode); + struct extent_tree *et = F2FS_I(inode)->extent_tree; + ++ if (!f2fs_may_extent_tree(inode)) ++ return; ++ + set_inode_flag(inode, FI_NO_EXTENT); + + write_lock(&et->lock); diff --git a/queue-4.16/f2fs-fix-to-clear-cp_trimmed_flag.patch b/queue-4.16/f2fs-fix-to-clear-cp_trimmed_flag.patch new file mode 100644 index 00000000000..9da87f4e79a --- /dev/null +++ b/queue-4.16/f2fs-fix-to-clear-cp_trimmed_flag.patch @@ -0,0 +1,33 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Chao Yu +Date: Wed, 31 Jan 2018 09:30:34 +0800 +Subject: f2fs: fix to clear CP_TRIMMED_FLAG + +From: Chao Yu + +[ Upstream commit cd36d7a17f9da68be9aa67185ba3ad7969934a19 ] + +Once CP_TRIMMED_FLAG is set, after a reboot, we will never issue discard +before LBA becomes invalid again, fix it by clearing the flag in +checkpoint without CP_TRIMMED reason. + +Fixes: 1f43e2ad7bff ("f2fs: introduce CP_TRIMMED_FLAG to avoid unneeded discard") +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/checkpoint.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/f2fs/checkpoint.c ++++ b/fs/f2fs/checkpoint.c +@@ -1136,6 +1136,8 @@ static void update_ckpt_flags(struct f2f + + if (cpc->reason & CP_TRIMMED) + __set_ckpt_flags(ckpt, CP_TRIMMED_FLAG); ++ else ++ __clear_ckpt_flags(ckpt, CP_TRIMMED_FLAG); + + if (cpc->reason & CP_UMOUNT) + __set_ckpt_flags(ckpt, CP_UMOUNT_FLAG); diff --git a/queue-4.16/f2fs-fix-to-set-keep_size-bit-in-f2fs_zero_range.patch b/queue-4.16/f2fs-fix-to-set-keep_size-bit-in-f2fs_zero_range.patch new file mode 100644 index 00000000000..830b4ed751a --- /dev/null +++ b/queue-4.16/f2fs-fix-to-set-keep_size-bit-in-f2fs_zero_range.patch @@ -0,0 +1,55 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Chao Yu +Date: Sun, 25 Feb 2018 23:38:21 +0800 +Subject: f2fs: fix to set KEEP_SIZE bit in f2fs_zero_range + +From: Chao Yu + +[ Upstream commit 17cd07ae95073c298af92c1ba14ac58ce84de33b ] + +As Jayashree Mohan reported: + +A simple workload to reproduce this would be : +1. create foo +2. Write (8K - 16K) // foo size = 16K now +3. fsync() +4. falloc zero_range , keep_size (4202496 - 4210688) // foo size must be 16K +5. fdatasync() +Crash now + +On recovery, we see that the file size is 4210688 and not 16K, which +violates the semantics of keep_size flag. We have a test case to +reproduce this using CrashMonkey on 4.15 kernel. Try this out by +simply running : + ./c_harness -f /dev/sda -d /dev/cow_ram0 -t f2fs -e 102400 -P -v + tests/generic_468_zero.so + +The root cause is that we miss to set KEEP_SIZE bit correctly in zero_range +when zeroing block cross EOF with FALLOC_FL_KEEP_SIZE, let's fix this +missing case. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/file.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -1348,8 +1348,12 @@ static int f2fs_zero_range(struct inode + } + + out: +- if (!(mode & FALLOC_FL_KEEP_SIZE) && i_size_read(inode) < new_size) +- f2fs_i_size_write(inode, new_size); ++ if (new_size > i_size_read(inode)) { ++ if (mode & FALLOC_FL_KEEP_SIZE) ++ file_set_keep_isize(inode); ++ else ++ f2fs_i_size_write(inode, new_size); ++ } + out_sem: + up_write(&F2FS_I(inode)->i_mmap_sem); + diff --git a/queue-4.16/f2fs-flush-cp-pack-except-cp-pack-2-page-at-first.patch b/queue-4.16/f2fs-flush-cp-pack-except-cp-pack-2-page-at-first.patch new file mode 100644 index 00000000000..8a1d74937c1 --- /dev/null +++ b/queue-4.16/f2fs-flush-cp-pack-except-cp-pack-2-page-at-first.patch @@ -0,0 +1,127 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Gao Xiang +Date: Sat, 10 Feb 2018 12:12:51 +0800 +Subject: f2fs: flush cp pack except cp pack 2 page at first + +From: Gao Xiang + +[ Upstream commit 46706d5917f4457a6befe7a39a15c89dbb1ce9ca ] + +Previously, we attempt to flush the whole cp pack in a single bio, +however, when suddenly powering off at this time, we could get into +an extreme scenario that cp pack 1 page and cp pack 2 page are updated +and latest, but payload or current summaries are still partially +outdated. (see reliable write in the UFS specification) + +This patch submits the whole cp pack except cp pack 2 page at first, +and then writes the cp pack 2 page with an extra independent +bio with pre-io barrier. + +Signed-off-by: Gao Xiang +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/checkpoint.c | 69 ++++++++++++++++++++++++++++++++++----------------- + 1 file changed, 46 insertions(+), 23 deletions(-) + +--- a/fs/f2fs/checkpoint.c ++++ b/fs/f2fs/checkpoint.c +@@ -1162,6 +1162,39 @@ static void update_ckpt_flags(struct f2f + spin_unlock_irqrestore(&sbi->cp_lock, flags); + } + ++static void commit_checkpoint(struct f2fs_sb_info *sbi, ++ void *src, block_t blk_addr) ++{ ++ struct writeback_control wbc = { ++ .for_reclaim = 0, ++ }; ++ ++ /* ++ * pagevec_lookup_tag and lock_page again will take ++ * some extra time. Therefore, update_meta_pages and ++ * sync_meta_pages are combined in this function. ++ */ ++ struct page *page = grab_meta_page(sbi, blk_addr); ++ int err; ++ ++ memcpy(page_address(page), src, PAGE_SIZE); ++ set_page_dirty(page); ++ ++ f2fs_wait_on_page_writeback(page, META, true); ++ f2fs_bug_on(sbi, PageWriteback(page)); ++ if (unlikely(!clear_page_dirty_for_io(page))) ++ f2fs_bug_on(sbi, 1); ++ ++ /* writeout cp pack 2 page */ ++ err = __f2fs_write_meta_page(page, &wbc, FS_CP_META_IO); ++ f2fs_bug_on(sbi, err); ++ ++ f2fs_put_page(page, 0); ++ ++ /* submit checkpoint (with barrier if NOBARRIER is not set) */ ++ f2fs_submit_merged_write(sbi, META_FLUSH); ++} ++ + static int do_checkpoint(struct f2fs_sb_info *sbi, struct cp_control *cpc) + { + struct f2fs_checkpoint *ckpt = F2FS_CKPT(sbi); +@@ -1264,16 +1297,6 @@ static int do_checkpoint(struct f2fs_sb_ + } + } + +- /* need to wait for end_io results */ +- wait_on_all_pages_writeback(sbi); +- if (unlikely(f2fs_cp_error(sbi))) +- return -EIO; +- +- /* flush all device cache */ +- err = f2fs_flush_device_cache(sbi); +- if (err) +- return err; +- + /* write out checkpoint buffer at block 0 */ + update_meta_page(sbi, ckpt, start_blk++); + +@@ -1301,26 +1324,26 @@ static int do_checkpoint(struct f2fs_sb_ + start_blk += NR_CURSEG_NODE_TYPE; + } + +- /* writeout checkpoint block */ +- update_meta_page(sbi, ckpt, start_blk); ++ /* update user_block_counts */ ++ sbi->last_valid_block_count = sbi->total_valid_block_count; ++ percpu_counter_set(&sbi->alloc_valid_block_count, 0); + +- /* wait for previous submitted node/meta pages writeback */ ++ /* Here, we have one bio having CP pack except cp pack 2 page */ ++ sync_meta_pages(sbi, META, LONG_MAX, FS_CP_META_IO); ++ ++ /* wait for previous submitted meta pages writeback */ + wait_on_all_pages_writeback(sbi); + + if (unlikely(f2fs_cp_error(sbi))) + return -EIO; + +- filemap_fdatawait_range(NODE_MAPPING(sbi), 0, LLONG_MAX); +- filemap_fdatawait_range(META_MAPPING(sbi), 0, LLONG_MAX); +- +- /* update user_block_counts */ +- sbi->last_valid_block_count = sbi->total_valid_block_count; +- percpu_counter_set(&sbi->alloc_valid_block_count, 0); +- +- /* Here, we only have one bio having CP pack */ +- sync_meta_pages(sbi, META_FLUSH, LONG_MAX, FS_CP_META_IO); ++ /* flush all device cache */ ++ err = f2fs_flush_device_cache(sbi); ++ if (err) ++ return err; + +- /* wait for previous submitted meta pages writeback */ ++ /* barrier and flush checkpoint cp pack 2 page if it can */ ++ commit_checkpoint(sbi, ckpt, start_blk); + wait_on_all_pages_writeback(sbi); + + release_ino_entry(sbi, false); diff --git a/queue-4.16/fanotify-avoid-lost-events-due-to-enomem-for-unlimited-queues.patch b/queue-4.16/fanotify-avoid-lost-events-due-to-enomem-for-unlimited-queues.patch new file mode 100644 index 00000000000..d32f90f1a23 --- /dev/null +++ b/queue-4.16/fanotify-avoid-lost-events-due-to-enomem-for-unlimited-queues.patch @@ -0,0 +1,96 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Jan Kara +Date: Wed, 21 Feb 2018 14:10:59 +0100 +Subject: fanotify: Avoid lost events due to ENOMEM for unlimited queues + +From: Jan Kara + +[ Upstream commit 1f5eaa90010ed7cf0ae90a526c48657d02c6086f ] + +Fanotify queues of unlimited length do not expect events can be lost. +Since these queues are used for system auditing and other security +related tasks, loosing events can even have security implications. +Currently, since the allocation is small (32-bytes), it cannot fail +however when we start accounting events in memcgs, allocation can start +failing. So avoid loosing events due to failure to allocate memory by +making event allocation use __GFP_NOFAIL. + +Reviewed-by: Amir Goldstein +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/notify/fanotify/fanotify.c | 19 ++++++++++++++----- + fs/notify/fanotify/fanotify.h | 3 ++- + fs/notify/fanotify/fanotify_user.c | 2 +- + 3 files changed, 17 insertions(+), 7 deletions(-) + +--- a/fs/notify/fanotify/fanotify.c ++++ b/fs/notify/fanotify/fanotify.c +@@ -135,23 +135,32 @@ static bool fanotify_should_send_event(s + return false; + } + +-struct fanotify_event_info *fanotify_alloc_event(struct inode *inode, u32 mask, ++struct fanotify_event_info *fanotify_alloc_event(struct fsnotify_group *group, ++ struct inode *inode, u32 mask, + const struct path *path) + { + struct fanotify_event_info *event; ++ gfp_t gfp = GFP_KERNEL; ++ ++ /* ++ * For queues with unlimited length lost events are not expected and ++ * can possibly have security implications. Avoid losing events when ++ * memory is short. ++ */ ++ if (group->max_events == UINT_MAX) ++ gfp |= __GFP_NOFAIL; + + if (fanotify_is_perm_event(mask)) { + struct fanotify_perm_event_info *pevent; + +- pevent = kmem_cache_alloc(fanotify_perm_event_cachep, +- GFP_KERNEL); ++ pevent = kmem_cache_alloc(fanotify_perm_event_cachep, gfp); + if (!pevent) + return NULL; + event = &pevent->fae; + pevent->response = 0; + goto init; + } +- event = kmem_cache_alloc(fanotify_event_cachep, GFP_KERNEL); ++ event = kmem_cache_alloc(fanotify_event_cachep, gfp); + if (!event) + return NULL; + init: __maybe_unused +@@ -206,7 +215,7 @@ static int fanotify_handle_event(struct + return 0; + } + +- event = fanotify_alloc_event(inode, mask, data); ++ event = fanotify_alloc_event(group, inode, mask, data); + ret = -ENOMEM; + if (unlikely(!event)) + goto finish; +--- a/fs/notify/fanotify/fanotify.h ++++ b/fs/notify/fanotify/fanotify.h +@@ -52,5 +52,6 @@ static inline struct fanotify_event_info + return container_of(fse, struct fanotify_event_info, fse); + } + +-struct fanotify_event_info *fanotify_alloc_event(struct inode *inode, u32 mask, ++struct fanotify_event_info *fanotify_alloc_event(struct fsnotify_group *group, ++ struct inode *inode, u32 mask, + const struct path *path); +--- a/fs/notify/fanotify/fanotify_user.c ++++ b/fs/notify/fanotify/fanotify_user.c +@@ -757,7 +757,7 @@ SYSCALL_DEFINE2(fanotify_init, unsigned + group->fanotify_data.user = user; + atomic_inc(&user->fanotify_listeners); + +- oevent = fanotify_alloc_event(NULL, FS_Q_OVERFLOW, NULL); ++ oevent = fanotify_alloc_event(group, NULL, FS_Q_OVERFLOW, NULL); + if (unlikely(!oevent)) { + fd = -ENOMEM; + goto out_destroy_group; diff --git a/queue-4.16/firmware-dmi_scan-fix-uuid-length-safety-check.patch b/queue-4.16/firmware-dmi_scan-fix-uuid-length-safety-check.patch new file mode 100644 index 00000000000..2f8e41d9a27 --- /dev/null +++ b/queue-4.16/firmware-dmi_scan-fix-uuid-length-safety-check.patch @@ -0,0 +1,37 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Jean Delvare +Date: Fri, 13 Apr 2018 15:37:59 +0200 +Subject: firmware: dmi_scan: Fix UUID length safety check + +From: Jean Delvare + +[ Upstream commit 90fe6f8ff00a07641ca893d64f75ca22ce77cca2 ] + +The test which ensures that the DMI type 1 structure is long enough +to hold the UUID is off by one. It would fail if the structure is +exactly 24 bytes long, while that's sufficient to hold the UUID. + +I don't expect this bug to cause problem in practice because all +implementations I have seen had length 8, 25 or 27 bytes, in line +with the SMBIOS specifications. But let's fix it still. + +Signed-off-by: Jean Delvare +Fixes: a814c3597a6b ("firmware: dmi_scan: Check DMI structure length") +Reviewed-by: Mika Westerberg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/dmi_scan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/firmware/dmi_scan.c ++++ b/drivers/firmware/dmi_scan.c +@@ -186,7 +186,7 @@ static void __init dmi_save_uuid(const s + char *s; + int is_ff = 1, is_00 = 1, i; + +- if (dmi_ident[slot] || dm->length <= index + 16) ++ if (dmi_ident[slot] || dm->length < index + 16) + return; + + d = (u8 *) dm + index; diff --git a/queue-4.16/firmware-fix-checking-for-return-values-for-fw_add_devm_name.patch b/queue-4.16/firmware-fix-checking-for-return-values-for-fw_add_devm_name.patch new file mode 100644 index 00000000000..6f806aecee1 --- /dev/null +++ b/queue-4.16/firmware-fix-checking-for-return-values-for-fw_add_devm_name.patch @@ -0,0 +1,69 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: "Luis R. Rodriguez" +Date: Sat, 10 Mar 2018 06:14:56 -0800 +Subject: firmware: fix checking for return values for fw_add_devm_name() + +From: "Luis R. Rodriguez" + +[ Upstream commit d15d7311550983be97dca44ad68cbc2ca001297b ] + +Currently fw_add_devm_name() returns 1 if the firmware cache +was already set. This makes it complicated for us to check for +correctness. It is actually non-fatal if the firmware cache +is already setup, so just return 0, and simplify the checkers. + +fw_add_devm_name() adds device's name onto the devres for the +device so that prior to suspend we cache the firmware onto memory, +so that on resume the firmware is reliably available. We never +were checking for success for this call though, meaning in some +really rare cases we my have never setup the firmware cache for +a device, which could in turn make resume fail. + +This is all theoretical, no known issues have been reported. +This small issue has been present way since the addition of the +devres firmware cache names on v3.7. + +Fixes: f531f05ae9437 ("firmware loader: store firmware name into devres list") +Signed-off-by: Luis R. Rodriguez +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/firmware_class.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/drivers/base/firmware_class.c ++++ b/drivers/base/firmware_class.c +@@ -524,7 +524,7 @@ static int fw_add_devm_name(struct devic + + fwn = fw_find_devm_name(dev, name); + if (fwn) +- return 1; ++ return 0; + + fwn = devres_alloc(fw_name_devm_release, sizeof(struct fw_name_devm), + GFP_KERNEL); +@@ -552,6 +552,7 @@ static int assign_fw(struct firmware *fw + unsigned int opt_flags) + { + struct fw_priv *fw_priv = fw->priv; ++ int ret; + + mutex_lock(&fw_lock); + if (!fw_priv->size || fw_state_is_aborted(fw_priv)) { +@@ -568,8 +569,13 @@ static int assign_fw(struct firmware *fw + */ + /* don't cache firmware handled without uevent */ + if (device && (opt_flags & FW_OPT_UEVENT) && +- !(opt_flags & FW_OPT_NOCACHE)) +- fw_add_devm_name(device, fw_priv->fw_name); ++ !(opt_flags & FW_OPT_NOCACHE)) { ++ ret = fw_add_devm_name(device, fw_priv->fw_name); ++ if (ret) { ++ mutex_unlock(&fw_lock); ++ return ret; ++ } ++ } + + /* + * After caching firmware image is started, let it piggyback diff --git a/queue-4.16/force-log-to-disk-before-reading-the-agf-during-a-fstrim.patch b/queue-4.16/force-log-to-disk-before-reading-the-agf-during-a-fstrim.patch new file mode 100644 index 00000000000..1d61ce77a14 --- /dev/null +++ b/queue-4.16/force-log-to-disk-before-reading-the-agf-during-a-fstrim.patch @@ -0,0 +1,69 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Carlos Maiolino +Date: Tue, 10 Apr 2018 22:39:04 -0700 +Subject: Force log to disk before reading the AGF during a fstrim + +From: Carlos Maiolino + +[ Upstream commit 8c81dd46ef3c416b3b95e3020fb90dbd44e6140b ] + +Forcing the log to disk after reading the agf is wrong, we might be +calling xfs_log_force with XFS_LOG_SYNC with a metadata lock held. + +This can cause a deadlock when racing a fstrim with a filesystem +shutdown. + +The deadlock has been identified due a miscalculation bug in device-mapper +dm-thin, which returns lack of space to its users earlier than the device itself +really runs out of space, changing the device-mapper volume into an error state. + +The problem happened while filling the filesystem with a single file, +triggering the bug in device-mapper, consequently causing an IO error +and shutting down the filesystem. + +If such file is removed, and fstrim executed before the XFS finishes the +shut down process, the fstrim process will end up holding the buffer +lock, and going to sleep on the cil wait queue. + +At this point, the shut down process will try to wake up all the threads +waiting on the cil wait queue, but for this, it will try to hold the +same buffer log already held my the fstrim, locking up the filesystem. + +Signed-off-by: Carlos Maiolino +Reviewed-by: Darrick J. Wong +Signed-off-by: Darrick J. Wong +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/xfs/xfs_discard.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/fs/xfs/xfs_discard.c ++++ b/fs/xfs/xfs_discard.c +@@ -50,19 +50,19 @@ xfs_trim_extents( + + pag = xfs_perag_get(mp, agno); + +- error = xfs_alloc_read_agf(mp, NULL, agno, 0, &agbp); +- if (error || !agbp) +- goto out_put_perag; +- +- cur = xfs_allocbt_init_cursor(mp, NULL, agbp, agno, XFS_BTNUM_CNT); +- + /* + * Force out the log. This means any transactions that might have freed +- * space before we took the AGF buffer lock are now on disk, and the ++ * space before we take the AGF buffer lock are now on disk, and the + * volatile disk cache is flushed. + */ + xfs_log_force(mp, XFS_LOG_SYNC); + ++ error = xfs_alloc_read_agf(mp, NULL, agno, 0, &agbp); ++ if (error || !agbp) ++ goto out_put_perag; ++ ++ cur = xfs_allocbt_init_cursor(mp, NULL, agbp, agno, XFS_BTNUM_CNT); ++ + /* + * Look up the longest btree in the AGF and start with it. + */ diff --git a/queue-4.16/fs-proc-proc_sysctl.c-fix-potential-page-fault-while-unregistering-sysctl-table.patch b/queue-4.16/fs-proc-proc_sysctl.c-fix-potential-page-fault-while-unregistering-sysctl-table.patch new file mode 100644 index 00000000000..e32617b6e62 --- /dev/null +++ b/queue-4.16/fs-proc-proc_sysctl.c-fix-potential-page-fault-while-unregistering-sysctl-table.patch @@ -0,0 +1,44 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Danilo Krummrich +Date: Tue, 10 Apr 2018 16:31:38 -0700 +Subject: fs/proc/proc_sysctl.c: fix potential page fault while unregistering sysctl table + +From: Danilo Krummrich + +[ Upstream commit a0b0d1c345d0317efe594df268feb5ccc99f651e ] + +proc_sys_link_fill_cache() does not take currently unregistering sysctl +tables into account, which might result into a page fault in +sysctl_follow_link() - add a check to fix it. + +This bug has been present since v3.4. + +Link: http://lkml.kernel.org/r/20180228013506.4915-1-danilokrummrich@dk-develop.de +Fixes: 0e47c99d7fe25 ("sysctl: Replace root_list with links between sysctl_table_sets") +Signed-off-by: Danilo Krummrich +Acked-by: Kees Cook +Reviewed-by: Andrew Morton +Cc: "Luis R . Rodriguez" +Cc: "Eric W. Biederman" +Cc: Alexey Dobriyan +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/proc/proc_sysctl.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/proc/proc_sysctl.c ++++ b/fs/proc/proc_sysctl.c +@@ -707,7 +707,10 @@ static bool proc_sys_link_fill_cache(str + struct ctl_table *table) + { + bool ret = true; ++ + head = sysctl_head_grab(head); ++ if (IS_ERR(head)) ++ return false; + + if (S_ISLNK(table->mode)) { + /* It is not an error if we can not follow the link ignore it */ diff --git a/queue-4.16/fscache-fix-hanging-wait-on-page-discarded-by-writeback.patch b/queue-4.16/fscache-fix-hanging-wait-on-page-discarded-by-writeback.patch new file mode 100644 index 00000000000..e895e6843e4 --- /dev/null +++ b/queue-4.16/fscache-fix-hanging-wait-on-page-discarded-by-writeback.patch @@ -0,0 +1,71 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: David Howells +Date: Wed, 4 Apr 2018 13:41:26 +0100 +Subject: fscache: Fix hanging wait on page discarded by writeback + +From: David Howells + +[ Upstream commit 2c98425720233ae3e135add0c7e869b32913502f ] + +If the fscache asynchronous write operation elects to discard a page that's +pending storage to the cache because the page would be over the store limit +then it needs to wake the page as someone may be waiting on completion of +the write. + +The problem is that the store limit may be updated by a different +asynchronous operation - and so may miss the write - and that the store +limit may not even get updated until later by the netfs. + +Fix the kernel hang by making fscache_write_op() mark as written any pages +that are over the limit. + +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/fscache/page.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/fs/fscache/page.c ++++ b/fs/fscache/page.c +@@ -776,6 +776,7 @@ static void fscache_write_op(struct fsca + + _enter("{OP%x,%d}", op->op.debug_id, atomic_read(&op->op.usage)); + ++again: + spin_lock(&object->lock); + cookie = object->cookie; + +@@ -816,10 +817,6 @@ static void fscache_write_op(struct fsca + goto superseded; + page = results[0]; + _debug("gang %d [%lx]", n, page->index); +- if (page->index >= op->store_limit) { +- fscache_stat(&fscache_n_store_pages_over_limit); +- goto superseded; +- } + + radix_tree_tag_set(&cookie->stores, page->index, + FSCACHE_COOKIE_STORING_TAG); +@@ -829,6 +826,9 @@ static void fscache_write_op(struct fsca + spin_unlock(&cookie->stores_lock); + spin_unlock(&object->lock); + ++ if (page->index >= op->store_limit) ++ goto discard_page; ++ + fscache_stat(&fscache_n_store_pages); + fscache_stat(&fscache_n_cop_write_page); + ret = object->cache->ops->write_page(op, page); +@@ -844,6 +844,11 @@ static void fscache_write_op(struct fsca + _leave(""); + return; + ++discard_page: ++ fscache_stat(&fscache_n_store_pages_over_limit); ++ fscache_end_page_write(object, page); ++ goto again; ++ + superseded: + /* this writer is going away and there aren't any more things to + * write */ diff --git a/queue-4.16/genirq-affinity-don-t-return-with-empty-affinity-masks-on-error.patch b/queue-4.16/genirq-affinity-don-t-return-with-empty-affinity-masks-on-error.patch new file mode 100644 index 00000000000..1da5af6c8ec --- /dev/null +++ b/queue-4.16/genirq-affinity-don-t-return-with-empty-affinity-masks-on-error.patch @@ -0,0 +1,67 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Thomas Gleixner +Date: Wed, 4 Apr 2018 12:40:07 +0200 +Subject: genirq/affinity: Don't return with empty affinity masks on error + +From: Thomas Gleixner + +[ Upstream commit 0211e12dd0a5385ecffd3557bc570dbad7fcf245 ] + +When the allocation of node_to_possible_cpumask fails, then +irq_create_affinity_masks() returns with a pointer to the empty affinity +masks array, which will cause malfunction. + +Reorder the allocations so the masks array allocation comes last and every +failure path returns NULL. + +Fixes: 9a0ef98e186d ("genirq/affinity: Assign vectors to all present CPUs") +Signed-off-by: Thomas Gleixner +Cc: Christoph Hellwig +Cc: Ming Lei +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/irq/affinity.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +--- a/kernel/irq/affinity.c ++++ b/kernel/irq/affinity.c +@@ -108,7 +108,7 @@ irq_create_affinity_masks(int nvecs, con + int affv = nvecs - affd->pre_vectors - affd->post_vectors; + int last_affv = affv + affd->pre_vectors; + nodemask_t nodemsk = NODE_MASK_NONE; +- struct cpumask *masks; ++ struct cpumask *masks = NULL; + cpumask_var_t nmsk, *node_to_possible_cpumask; + + /* +@@ -121,13 +121,13 @@ irq_create_affinity_masks(int nvecs, con + if (!zalloc_cpumask_var(&nmsk, GFP_KERNEL)) + return NULL; + +- masks = kcalloc(nvecs, sizeof(*masks), GFP_KERNEL); +- if (!masks) +- goto out; +- + node_to_possible_cpumask = alloc_node_to_possible_cpumask(); + if (!node_to_possible_cpumask) +- goto out; ++ goto outcpumsk; ++ ++ masks = kcalloc(nvecs, sizeof(*masks), GFP_KERNEL); ++ if (!masks) ++ goto outnodemsk; + + /* Fill out vectors at the beginning that don't need affinity */ + for (curvec = 0; curvec < affd->pre_vectors; curvec++) +@@ -192,8 +192,9 @@ done: + /* Fill out vectors at the end that don't need affinity */ + for (; curvec < nvecs; curvec++) + cpumask_copy(masks + curvec, irq_default_affinity); ++outnodemsk: + free_node_to_possible_cpumask(node_to_possible_cpumask); +-out: ++outcpumsk: + free_cpumask_var(nmsk); + return masks; + } diff --git a/queue-4.16/gfs2-check-for-the-end-of-metadata-in-punch_hole.patch b/queue-4.16/gfs2-check-for-the-end-of-metadata-in-punch_hole.patch new file mode 100644 index 00000000000..66679b5c9ce --- /dev/null +++ b/queue-4.16/gfs2-check-for-the-end-of-metadata-in-punch_hole.patch @@ -0,0 +1,64 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Andreas Gruenbacher +Date: Fri, 23 Mar 2018 07:33:25 -0700 +Subject: gfs2: Check for the end of metadata in punch_hole + +From: Andreas Gruenbacher + +[ Upstream commit bb491ce67aa7c1635e5ae4f2f304a7d13d3dbe71 ] + +When punching a hole or truncating an inode down to a given size, also +check if the truncate point / start of the hole is within the range we +have metadata for. Otherwise, we can end up freeing blocks that +shouldn't be freed, corrupting the inode, or crashing the machine when +trying to punch a hole into the void. + +When growing an inode via truncate, we set the new size but we don't +allocate additional levels of indirect blocks and grow the inode height. +When shrinking that inode again, the new size may still point beyond the +end of the inode's metadata. + +Fixes xfstest generic/476. + +Debugged-by: Bob Peterson +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Bob Peterson +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/gfs2/bmap.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/fs/gfs2/bmap.c ++++ b/fs/gfs2/bmap.c +@@ -1344,6 +1344,7 @@ static inline bool walk_done(struct gfs2 + static int punch_hole(struct gfs2_inode *ip, u64 offset, u64 length) + { + struct gfs2_sbd *sdp = GFS2_SB(&ip->i_inode); ++ u64 maxsize = sdp->sd_heightsize[ip->i_height]; + struct metapath mp = {}; + struct buffer_head *dibh, *bh; + struct gfs2_holder rd_gh; +@@ -1359,6 +1360,14 @@ static int punch_hole(struct gfs2_inode + u64 prev_bnr = 0; + __be64 *start, *end; + ++ if (offset >= maxsize) { ++ /* ++ * The starting point lies beyond the allocated meta-data; ++ * there are no blocks do deallocate. ++ */ ++ return 0; ++ } ++ + /* + * The start position of the hole is defined by lblock, start_list, and + * start_aligned. The end position of the hole is defined by lend, +@@ -1372,7 +1381,6 @@ static int punch_hole(struct gfs2_inode + */ + + if (length) { +- u64 maxsize = sdp->sd_heightsize[ip->i_height]; + u64 end_offset = offset + length; + u64 lend; + diff --git a/queue-4.16/gfs2-fix-fallocate-chunk-size.patch b/queue-4.16/gfs2-fix-fallocate-chunk-size.patch new file mode 100644 index 00000000000..f2b01d6f716 --- /dev/null +++ b/queue-4.16/gfs2-fix-fallocate-chunk-size.patch @@ -0,0 +1,63 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Andreas Gruenbacher +Date: Tue, 20 Feb 2018 08:03:24 -0700 +Subject: gfs2: Fix fallocate chunk size + +From: Andreas Gruenbacher + +[ Upstream commit 174d1232ebc84fcde8f5889d1171c9c7e74a10a7 ] + +The chunk size of allocations in __gfs2_fallocate is calculated +incorrectly. The size can collapse, causing __gfs2_fallocate to +allocate one block at a time, which is very inefficient. This needs +fixing in two places: + +In gfs2_quota_lock_check, always set ap->allowed to UINT_MAX to indicate +that there is no quota limit. This fixes callers that rely on +ap->allowed to be set even when quotas are off. + +In __gfs2_fallocate, reset max_blks to UINT_MAX in each iteration of the +loop to make sure that allocation limits from one resource group won't +spill over into another resource group. + +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Bob Peterson +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/gfs2/file.c | 5 +++-- + fs/gfs2/quota.h | 2 ++ + 2 files changed, 5 insertions(+), 2 deletions(-) + +--- a/fs/gfs2/file.c ++++ b/fs/gfs2/file.c +@@ -809,7 +809,7 @@ static long __gfs2_fallocate(struct file + struct gfs2_inode *ip = GFS2_I(inode); + struct gfs2_alloc_parms ap = { .aflags = 0, }; + unsigned int data_blocks = 0, ind_blocks = 0, rblocks; +- loff_t bytes, max_bytes, max_blks = UINT_MAX; ++ loff_t bytes, max_bytes, max_blks; + int error; + const loff_t pos = offset; + const loff_t count = len; +@@ -861,7 +861,8 @@ static long __gfs2_fallocate(struct file + return error; + /* ap.allowed tells us how many blocks quota will allow + * us to write. Check if this reduces max_blks */ +- if (ap.allowed && ap.allowed < max_blks) ++ max_blks = UINT_MAX; ++ if (ap.allowed) + max_blks = ap.allowed; + + error = gfs2_inplace_reserve(ip, &ap); +--- a/fs/gfs2/quota.h ++++ b/fs/gfs2/quota.h +@@ -45,6 +45,8 @@ static inline int gfs2_quota_lock_check( + { + struct gfs2_sbd *sdp = GFS2_SB(&ip->i_inode); + int ret; ++ ++ ap->allowed = UINT_MAX; /* Assume we are permitted a whole lot */ + if (sdp->sd_args.ar_quota == GFS2_QUOTA_OFF) + return 0; + ret = gfs2_quota_lock(ip, NO_UID_QUOTA_CHANGE, NO_GID_QUOTA_CHANGE); diff --git a/queue-4.16/hv_netvsc-fix-the-return-status-in-rx-path.patch b/queue-4.16/hv_netvsc-fix-the-return-status-in-rx-path.patch new file mode 100644 index 00000000000..177560b9156 --- /dev/null +++ b/queue-4.16/hv_netvsc-fix-the-return-status-in-rx-path.patch @@ -0,0 +1,74 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Haiyang Zhang +Date: Thu, 22 Mar 2018 12:01:13 -0700 +Subject: hv_netvsc: Fix the return status in RX path + +From: Haiyang Zhang + +[ Upstream commit 5c71dadbb45970a8f0544a27ae8f1cbd9750e516 ] + +As defined in hyperv_net.h, the NVSP_STAT_SUCCESS is one not zero. +Some functions returns 0 when it actually means NVSP_STAT_SUCCESS. +This patch fixes them. + +In netvsc_receive(), it puts the last RNDIS packet's receive status +for all packets in a vmxferpage which may contain multiple RNDIS +packets. +This patch puts NVSP_STAT_FAIL in the receive completion if one of +the packets in a vmxferpage fails. + +Signed-off-by: Haiyang Zhang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/hyperv/netvsc.c | 8 ++++++-- + drivers/net/hyperv/netvsc_drv.c | 2 +- + drivers/net/hyperv/rndis_filter.c | 4 ++-- + 3 files changed, 9 insertions(+), 5 deletions(-) + +--- a/drivers/net/hyperv/netvsc.c ++++ b/drivers/net/hyperv/netvsc.c +@@ -1078,10 +1078,14 @@ static int netvsc_receive(struct net_dev + void *data = recv_buf + + vmxferpage_packet->ranges[i].byte_offset; + u32 buflen = vmxferpage_packet->ranges[i].byte_count; ++ int ret; + + /* Pass it to the upper layer */ +- status = rndis_filter_receive(ndev, net_device, +- channel, data, buflen); ++ ret = rndis_filter_receive(ndev, net_device, ++ channel, data, buflen); ++ ++ if (unlikely(ret != NVSP_STAT_SUCCESS)) ++ status = NVSP_STAT_FAIL; + } + + enq_receive_complete(ndev, net_device, q_idx, +--- a/drivers/net/hyperv/netvsc_drv.c ++++ b/drivers/net/hyperv/netvsc_drv.c +@@ -831,7 +831,7 @@ int netvsc_recv_callback(struct net_devi + u64_stats_update_end(&rx_stats->syncp); + + napi_gro_receive(&nvchan->napi, skb); +- return 0; ++ return NVSP_STAT_SUCCESS; + } + + static void netvsc_get_drvinfo(struct net_device *net, +--- a/drivers/net/hyperv/rndis_filter.c ++++ b/drivers/net/hyperv/rndis_filter.c +@@ -434,10 +434,10 @@ int rndis_filter_receive(struct net_devi + "unhandled rndis message (type %u len %u)\n", + rndis_msg->ndis_msg_type, + rndis_msg->msg_len); +- break; ++ return NVSP_STAT_FAIL; + } + +- return 0; ++ return NVSP_STAT_SUCCESS; + } + + static int rndis_filter_query_device(struct rndis_device *dev, diff --git a/queue-4.16/hwmon-nct6775-fix-writing-pwmx_mode.patch b/queue-4.16/hwmon-nct6775-fix-writing-pwmx_mode.patch new file mode 100644 index 00000000000..ba4f2efd802 --- /dev/null +++ b/queue-4.16/hwmon-nct6775-fix-writing-pwmx_mode.patch @@ -0,0 +1,63 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Guenter Roeck +Date: Mon, 26 Mar 2018 19:50:31 -0700 +Subject: hwmon: (nct6775) Fix writing pwmX_mode + +From: Guenter Roeck + +[ Upstream commit 415eb2a1aaa4881cf85bd86c683356fdd8094a23 ] + +pwmX_mode is defined in the ABI as 0=DC mode, 1=pwm mode. The chip +register bit is set to 1 for DC mode. This got mixed up, and writing +1 into pwmX_mode resulted in DC mode enabled. Fix it up by using +the ABI definition throughout the driver for consistency. + +Fixes: 77eb5b3703d99 ("hwmon: (nct6775) Add support for pwm, pwm_mode, ... ") +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/nct6775.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/hwmon/nct6775.c ++++ b/drivers/hwmon/nct6775.c +@@ -1469,7 +1469,7 @@ static void nct6775_update_pwm(struct de + duty_is_dc = data->REG_PWM_MODE[i] && + (nct6775_read_value(data, data->REG_PWM_MODE[i]) + & data->PWM_MODE_MASK[i]); +- data->pwm_mode[i] = duty_is_dc; ++ data->pwm_mode[i] = !duty_is_dc; + + fanmodecfg = nct6775_read_value(data, data->REG_FAN_MODE[i]); + for (j = 0; j < ARRAY_SIZE(data->REG_PWM); j++) { +@@ -2350,7 +2350,7 @@ show_pwm_mode(struct device *dev, struct + struct nct6775_data *data = nct6775_update_device(dev); + struct sensor_device_attribute *sattr = to_sensor_dev_attr(attr); + +- return sprintf(buf, "%d\n", !data->pwm_mode[sattr->index]); ++ return sprintf(buf, "%d\n", data->pwm_mode[sattr->index]); + } + + static ssize_t +@@ -2371,9 +2371,9 @@ store_pwm_mode(struct device *dev, struc + if (val > 1) + return -EINVAL; + +- /* Setting DC mode is not supported for all chips/channels */ ++ /* Setting DC mode (0) is not supported for all chips/channels */ + if (data->REG_PWM_MODE[nr] == 0) { +- if (val) ++ if (!val) + return -EINVAL; + return count; + } +@@ -2382,7 +2382,7 @@ store_pwm_mode(struct device *dev, struc + data->pwm_mode[nr] = val; + reg = nct6775_read_value(data, data->REG_PWM_MODE[nr]); + reg &= ~data->PWM_MODE_MASK[nr]; +- if (val) ++ if (!val) + reg |= data->PWM_MODE_MASK[nr]; + nct6775_write_value(data, data->REG_PWM_MODE[nr], reg); + mutex_unlock(&data->update_lock); diff --git a/queue-4.16/hwmon-pmbus-adm1275-accept-negative-page-register-values.patch b/queue-4.16/hwmon-pmbus-adm1275-accept-negative-page-register-values.patch new file mode 100644 index 00000000000..54e803d5485 --- /dev/null +++ b/queue-4.16/hwmon-pmbus-adm1275-accept-negative-page-register-values.patch @@ -0,0 +1,42 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Guenter Roeck +Date: Sat, 10 Mar 2018 17:55:47 -0800 +Subject: hwmon: (pmbus/adm1275) Accept negative page register values + +From: Guenter Roeck + +[ Upstream commit ecb29abd4cb0670c616fb563a078f25d777ce530 ] + +A negative page register value means that no page needs to be +selected. This is used by status register read operations and needs +to be accepted. The failure to do so so results in missed status +and limit registers. + +Fixes: da8e48ab483e1 ("hwmon: (pmbus) Always call _pmbus_read_byte in core driver") +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/pmbus/adm1275.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/hwmon/pmbus/adm1275.c ++++ b/drivers/hwmon/pmbus/adm1275.c +@@ -154,7 +154,7 @@ static int adm1275_read_word_data(struct + const struct adm1275_data *data = to_adm1275_data(info); + int ret = 0; + +- if (page) ++ if (page > 0) + return -ENXIO; + + switch (reg) { +@@ -240,7 +240,7 @@ static int adm1275_write_word_data(struc + const struct adm1275_data *data = to_adm1275_data(info); + int ret; + +- if (page) ++ if (page > 0) + return -ENXIO; + + switch (reg) { diff --git a/queue-4.16/hwmon-pmbus-max8688-accept-negative-page-register-values.patch b/queue-4.16/hwmon-pmbus-max8688-accept-negative-page-register-values.patch new file mode 100644 index 00000000000..b5c64421c5e --- /dev/null +++ b/queue-4.16/hwmon-pmbus-max8688-accept-negative-page-register-values.patch @@ -0,0 +1,32 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Guenter Roeck +Date: Sat, 10 Mar 2018 17:49:47 -0800 +Subject: hwmon: (pmbus/max8688) Accept negative page register values + +From: Guenter Roeck + +[ Upstream commit a46f8cd696624ef757be0311eb28f119c36778e8 ] + +A negative page register value means that no page needs to be +selected. This is used by status register evaluations and needs +to be accepted. + +Fixes: da8e48ab483e1 ("hwmon: (pmbus) Always call _pmbus_read_byte in core driver") +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/pmbus/max8688.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hwmon/pmbus/max8688.c ++++ b/drivers/hwmon/pmbus/max8688.c +@@ -45,7 +45,7 @@ static int max8688_read_word_data(struct + { + int ret; + +- if (page) ++ if (page > 0) + return -ENXIO; + + switch (reg) { diff --git a/queue-4.16/hwrng-bcm2835-handle-deferred-clock-properly.patch b/queue-4.16/hwrng-bcm2835-handle-deferred-clock-properly.patch new file mode 100644 index 00000000000..0cb74795008 --- /dev/null +++ b/queue-4.16/hwrng-bcm2835-handle-deferred-clock-properly.patch @@ -0,0 +1,34 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Stefan Wahren +Date: Mon, 12 Feb 2018 21:11:36 +0100 +Subject: hwrng: bcm2835 - Handle deferred clock properly + +From: Stefan Wahren + +[ Upstream commit 7b4c5d30d0bd2b22c09d4d993a76e0973a873891 ] + +In case the probe of the clock is deferred, we would assume it is +optional. This is wrong, so defer the probe of this driver until +the clock is available. + +Fixes: 791af4f4907a ("hwrng: bcm2835 - Manage an optional clock") +Signed-off-by: Stefan Wahren +Acked-by: Florian Fainelli +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/hw_random/bcm2835-rng.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/char/hw_random/bcm2835-rng.c ++++ b/drivers/char/hw_random/bcm2835-rng.c +@@ -163,6 +163,8 @@ static int bcm2835_rng_probe(struct plat + + /* Clock is optional on most platforms */ + priv->clk = devm_clk_get(dev, NULL); ++ if (IS_ERR(priv->clk) && PTR_ERR(priv->clk) == -EPROBE_DEFER) ++ return -EPROBE_DEFER; + + priv->rng.name = pdev->name; + priv->rng.init = bcm2835_rng_init; diff --git a/queue-4.16/hwrng-stm32-add-reset-during-probe.patch b/queue-4.16/hwrng-stm32-add-reset-during-probe.patch new file mode 100644 index 00000000000..93c0a39d794 --- /dev/null +++ b/queue-4.16/hwrng-stm32-add-reset-during-probe.patch @@ -0,0 +1,52 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: "lionel.debieve@st.com" +Date: Thu, 15 Feb 2018 14:03:08 +0100 +Subject: hwrng: stm32 - add reset during probe + +From: "lionel.debieve@st.com" + +[ Upstream commit 326ed382256475aa4b8b7eae8a2f60689fd25e78 ] + +Avoid issue when probing the RNG without +reset if bad status has been detected previously + +Signed-off-by: Lionel Debieve +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/hw_random/stm32-rng.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/char/hw_random/stm32-rng.c ++++ b/drivers/char/hw_random/stm32-rng.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + #include + + #define RNG_CR 0x00 +@@ -46,6 +47,7 @@ struct stm32_rng_private { + struct hwrng rng; + void __iomem *base; + struct clk *clk; ++ struct reset_control *rst; + }; + + static int stm32_rng_read(struct hwrng *rng, void *data, size_t max, bool wait) +@@ -140,6 +142,13 @@ static int stm32_rng_probe(struct platfo + if (IS_ERR(priv->clk)) + return PTR_ERR(priv->clk); + ++ priv->rst = devm_reset_control_get(&ofdev->dev, NULL); ++ if (!IS_ERR(priv->rst)) { ++ reset_control_assert(priv->rst); ++ udelay(2); ++ reset_control_deassert(priv->rst); ++ } ++ + dev_set_drvdata(dev, priv); + + priv->rng.name = dev_driver_string(dev), diff --git a/queue-4.16/i2c-core-report-of-style-module-alias-for-devices-registered-via-of.patch b/queue-4.16/i2c-core-report-of-style-module-alias-for-devices-registered-via-of.patch new file mode 100644 index 00000000000..ad58e7aca2f --- /dev/null +++ b/queue-4.16/i2c-core-report-of-style-module-alias-for-devices-registered-via-of.patch @@ -0,0 +1,71 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Javier Martinez Canillas +Date: Sun, 3 Dec 2017 22:40:50 +0100 +Subject: i2c: core: report OF style module alias for devices registered via OF + +From: Javier Martinez Canillas + +[ Upstream commit af503716ac1444db61d80cb6d17cfe62929c21df ] + +The buses should honor the firmware interface used to register the device, +but the I2C core reports a MODALIAS of the form i2c: even for I2C +devices registered via OF. + +This means that user-space will never get an OF stype uevent MODALIAS even +when the drivers modules contain aliases exported from both the I2C and OF +device ID tables. For example, an Atmel maXTouch Touchscreen registered by +a DT node with compatible "atmel,maxtouch" has the following module alias: + +$ cat /sys/class/i2c-adapter/i2c-8/8-004b/modalias +i2c:maxtouch + +So udev won't be able to auto-load a module for an OF-only device driver. +Many OF-only drivers duplicate the OF device ID table entries in an I2C ID +table only has a workaround for how the I2C core reports the module alias. + +This patch changes the I2C core to report an OF related MODALIAS uevent if +the device was registered via OF. So for the previous example, after this +patch, the reported MODALIAS for the Atmel maXTouch will be the following: + +$ cat /sys/class/i2c-adapter/i2c-8/8-004b/modalias +of:NtrackpadTCatmel,maxtouch + +NOTE: This patch may break out-of-tree drivers that were relying on this + behavior, and only had an I2C device ID table even when the device + was registered via OF. There are no remaining drivers in mainline + that do this, but out-of-tree drivers have to be fixed and define + a proper OF device ID table to have module auto-loading working. + +Signed-off-by: Javier Martinez Canillas +Tested-by: Dmitry Mastykin +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/i2c-core-base.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/i2c/i2c-core-base.c ++++ b/drivers/i2c/i2c-core-base.c +@@ -124,6 +124,10 @@ static int i2c_device_uevent(struct devi + struct i2c_client *client = to_i2c_client(dev); + int rc; + ++ rc = of_device_uevent_modalias(dev, env); ++ if (rc != -ENODEV) ++ return rc; ++ + rc = acpi_device_uevent_modalias(dev, env); + if (rc != -ENODEV) + return rc; +@@ -439,6 +443,10 @@ show_modalias(struct device *dev, struct + struct i2c_client *client = to_i2c_client(dev); + int len; + ++ len = of_device_modalias(dev, buf, PAGE_SIZE); ++ if (len != -ENODEV) ++ return len; ++ + len = acpi_device_modalias(dev, buf, PAGE_SIZE -1); + if (len != -ENODEV) + return len; diff --git a/queue-4.16/i2c-mv64xxx-apply-errata-delay-only-in-standard-mode.patch b/queue-4.16/i2c-mv64xxx-apply-errata-delay-only-in-standard-mode.patch new file mode 100644 index 00000000000..d424510fa1a --- /dev/null +++ b/queue-4.16/i2c-mv64xxx-apply-errata-delay-only-in-standard-mode.patch @@ -0,0 +1,47 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Gregory CLEMENT +Date: Wed, 14 Mar 2018 18:03:40 +0100 +Subject: i2c: mv64xxx: Apply errata delay only in standard mode + +From: Gregory CLEMENT + +[ Upstream commit 31184d8c6ea49ea0676d100cdd7e1f102ad025b5 ] + +The errata FE-8471889 description has been updated. There is still a +timing violation for repeated start. But the errata now states that it +was only the case for the Standard mode (100 kHz), in Fast mode (400 kHz) +there is no issue. + +This patch limit the errata fix to the Standard mode. + +It has been tesed successfully on the clearfog (Aramda 388 based board). + +Signed-off-by: Gregory CLEMENT +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-mv64xxx.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/i2c/busses/i2c-mv64xxx.c ++++ b/drivers/i2c/busses/i2c-mv64xxx.c +@@ -845,12 +845,16 @@ mv64xxx_of_config(struct mv64xxx_i2c_dat + */ + if (of_device_is_compatible(np, "marvell,mv78230-i2c")) { + drv_data->offload_enabled = true; +- drv_data->errata_delay = true; ++ /* The delay is only needed in standard mode (100kHz) */ ++ if (bus_freq <= 100000) ++ drv_data->errata_delay = true; + } + + if (of_device_is_compatible(np, "marvell,mv78230-a0-i2c")) { + drv_data->offload_enabled = false; +- drv_data->errata_delay = true; ++ /* The delay is only needed in standard mode (100kHz) */ ++ if (bus_freq <= 100000) ++ drv_data->errata_delay = true; + } + + if (of_device_is_compatible(np, "allwinner,sun6i-a31-i2c")) diff --git a/queue-4.16/i40e-add-delay-after-emp-reset-for-firmware-to-recover.patch b/queue-4.16/i40e-add-delay-after-emp-reset-for-firmware-to-recover.patch new file mode 100644 index 00000000000..d22dd99420e --- /dev/null +++ b/queue-4.16/i40e-add-delay-after-emp-reset-for-firmware-to-recover.patch @@ -0,0 +1,43 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Filip Sadowski +Date: Fri, 29 Dec 2017 08:50:05 -0500 +Subject: i40e: Add delay after EMP reset for firmware to recover + +From: Filip Sadowski + +[ Upstream commit 1fa51a650e1deb50410677f1bd6c0ce17aa48a49 ] + +This patch adds necessary delay for 4.33 firmware to recover after +EMP reset. Without this patch driver occasionally reinitializes +structures too quickly to communicate with firmware after EMP reset +causing AdminQ to timeout. + +Signed-off-by: Filip Sadowski +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -9215,6 +9215,17 @@ static void i40e_rebuild(struct i40e_pf + } + i40e_get_oem_version(&pf->hw); + ++ if (test_bit(__I40E_EMP_RESET_INTR_RECEIVED, pf->state) && ++ ((hw->aq.fw_maj_ver == 4 && hw->aq.fw_min_ver <= 33) || ++ hw->aq.fw_maj_ver < 4) && hw->mac.type == I40E_MAC_XL710) { ++ /* The following delay is necessary for 4.33 firmware and older ++ * to recover after EMP reset. 200 ms should suffice but we ++ * put here 300 ms to be sure that FW is ready to operate ++ * after reset. ++ */ ++ mdelay(300); ++ } ++ + /* re-verify the eeprom if we just had an EMP reset */ + if (test_and_clear_bit(__I40E_EMP_RESET_INTR_RECEIVED, pf->state)) + i40e_verify_eeprom(pf); diff --git a/queue-4.16/i40e-hold-the-rtnl-lock-while-changing-interrupt-schemes.patch b/queue-4.16/i40e-hold-the-rtnl-lock-while-changing-interrupt-schemes.patch new file mode 100644 index 00000000000..19a7d3e750f --- /dev/null +++ b/queue-4.16/i40e-hold-the-rtnl-lock-while-changing-interrupt-schemes.patch @@ -0,0 +1,79 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Jacob Keller +Date: Fri, 16 Mar 2018 01:26:35 -0700 +Subject: i40e: hold the RTNL lock while changing interrupt schemes + +From: Jacob Keller + +[ Upstream commit f0ee70a042e267a517e943220e18ae62d3c1995a ] + +When we suspend and resume, we need to clear and re-enable the interrupt +scheme. This was previously not done while holding the RTNL lock, which +could be problematic, because we are actually destroying and re-creating +queues. + +Hold the RTNL lock for the entire sequence of preparing for reset, and +when resuming. This additionally protects the flags related to interrupt +scheme under RTNL lock so that their modification is properly threaded. + +This is part of a larger effort to remove the need for cmpxchg64 in +i40e_set_priv_flags(). + +Signed-off-by: Jacob Keller +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -14216,7 +14216,13 @@ static int __maybe_unused i40e_suspend(s + if (pf->wol_en && (pf->hw_features & I40E_HW_WOL_MC_MAGIC_PKT_WAKE)) + i40e_enable_mc_magic_wake(pf); + +- i40e_prep_for_reset(pf, false); ++ /* Since we're going to destroy queues during the ++ * i40e_clear_interrupt_scheme() we should hold the RTNL lock for this ++ * whole section ++ */ ++ rtnl_lock(); ++ ++ i40e_prep_for_reset(pf, true); + + wr32(hw, I40E_PFPM_APM, (pf->wol_en ? I40E_PFPM_APM_APME_MASK : 0)); + wr32(hw, I40E_PFPM_WUFC, (pf->wol_en ? I40E_PFPM_WUFC_MAG_MASK : 0)); +@@ -14228,6 +14234,8 @@ static int __maybe_unused i40e_suspend(s + */ + i40e_clear_interrupt_scheme(pf); + ++ rtnl_unlock(); ++ + return 0; + } + +@@ -14245,6 +14253,11 @@ static int __maybe_unused i40e_resume(st + if (!test_bit(__I40E_SUSPENDED, pf->state)) + return 0; + ++ /* We need to hold the RTNL lock prior to restoring interrupt schemes, ++ * since we're going to be restoring queues ++ */ ++ rtnl_lock(); ++ + /* We cleared the interrupt scheme when we suspended, so we need to + * restore it now to resume device functionality. + */ +@@ -14255,7 +14268,9 @@ static int __maybe_unused i40e_resume(st + } + + clear_bit(__I40E_DOWN, pf->state); +- i40e_reset_and_rebuild(pf, false, false); ++ i40e_reset_and_rebuild(pf, false, true); ++ ++ rtnl_unlock(); + + /* Clear suspended state last after everything is recovered */ + clear_bit(__I40E_SUSPENDED, pf->state); diff --git a/queue-4.16/ib-core-honor-port_num-while-resolving-gid-for-ib-link-layer.patch b/queue-4.16/ib-core-honor-port_num-while-resolving-gid-for-ib-link-layer.patch new file mode 100644 index 00000000000..5b86cae4e00 --- /dev/null +++ b/queue-4.16/ib-core-honor-port_num-while-resolving-gid-for-ib-link-layer.patch @@ -0,0 +1,61 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Parav Pandit +Date: Tue, 13 Mar 2018 16:06:14 +0200 +Subject: IB/core: Honor port_num while resolving GID for IB link layer + +From: Parav Pandit + +[ Upstream commit 563c4ba3bd2b8b0b21c65669ec2226b1cfa1138b ] + +ah_attr contains the port number to which cm_id is bound. However, while +searching for GID table for matching GID entry, the port number is +ignored. + +This could cause the wrong GID to be used when the ah_attr is converted to +an AH. + +Reviewed-by: Daniel Jurgens +Signed-off-by: Parav Pandit +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/multicast.c | 24 +++++++++++------------- + 1 file changed, 11 insertions(+), 13 deletions(-) + +--- a/drivers/infiniband/core/multicast.c ++++ b/drivers/infiniband/core/multicast.c +@@ -724,21 +724,19 @@ int ib_init_ah_from_mcmember(struct ib_d + { + int ret; + u16 gid_index; +- u8 p; + +- if (rdma_protocol_roce(device, port_num)) { +- ret = ib_find_cached_gid_by_port(device, &rec->port_gid, +- gid_type, port_num, +- ndev, +- &gid_index); +- } else if (rdma_protocol_ib(device, port_num)) { +- ret = ib_find_cached_gid(device, &rec->port_gid, +- IB_GID_TYPE_IB, NULL, &p, +- &gid_index); +- } else { +- ret = -EINVAL; +- } ++ /* GID table is not based on the netdevice for IB link layer, ++ * so ignore ndev during search. ++ */ ++ if (rdma_protocol_ib(device, port_num)) ++ ndev = NULL; ++ else if (!rdma_protocol_roce(device, port_num)) ++ return -EINVAL; + ++ ret = ib_find_cached_gid_by_port(device, &rec->port_gid, ++ gid_type, port_num, ++ ndev, ++ &gid_index); + if (ret) + return ret; + diff --git a/queue-4.16/ib-mlx5-set-the-default-active-rate-and-width-to-qdr-and-4x.patch b/queue-4.16/ib-mlx5-set-the-default-active-rate-and-width-to-qdr-and-4x.patch new file mode 100644 index 00000000000..9559ecff5af --- /dev/null +++ b/queue-4.16/ib-mlx5-set-the-default-active-rate-and-width-to-qdr-and-4x.patch @@ -0,0 +1,43 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Honggang Li +Date: Fri, 16 Mar 2018 10:37:13 +0800 +Subject: IB/mlx5: Set the default active rate and width to QDR and 4X + +From: Honggang Li + +[ Upstream commit 7672ed33c4c15dbe9d56880683baaba4227cf940 ] + +Before commit f1b65df5a232 ("IB/mlx5: Add support for active_width and +active_speed in RoCE"), the mlx5_ib driver set the default active_width +and active_speed to IB_WIDTH_4X and IB_SPEED_QDR. + +When the RoCE port is down, the RoCE port does not negotiate the active +width with the remote side, causing the active width to be zero. When +running userspace ibstat to view the port status, ibstat will panic as it +reads an invalid width from sys file. + +This patch restores the original behavior. + +Fixes: f1b65df5a232 ("IB/mlx5: Add support for active_width and active_speed in RoCE"). +Signed-off-by: Honggang Li +Reviewed-by: Hal Rosenstock +Reviewed-by: Noa Osherovich +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/mlx5/main.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/infiniband/hw/mlx5/main.c ++++ b/drivers/infiniband/hw/mlx5/main.c +@@ -388,6 +388,9 @@ static int mlx5_query_port_roce(struct i + if (err) + goto out; + ++ props->active_width = IB_WIDTH_4X; ++ props->active_speed = IB_SPEED_QDR; ++ + translate_eth_proto_oper(eth_prot_oper, &props->active_speed, + &props->active_width); + diff --git a/queue-4.16/ib-rxe-fix-for-oops-in-rxe_register_device-on-ppc64le-arch.patch b/queue-4.16/ib-rxe-fix-for-oops-in-rxe_register_device-on-ppc64le-arch.patch new file mode 100644 index 00000000000..39604a99d5c --- /dev/null +++ b/queue-4.16/ib-rxe-fix-for-oops-in-rxe_register_device-on-ppc64le-arch.patch @@ -0,0 +1,81 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Mikhail Malygin +Date: Mon, 2 Apr 2018 12:26:59 +0300 +Subject: IB/rxe: Fix for oops in rxe_register_device on ppc64le arch + +From: Mikhail Malygin + +[ Upstream commit efc365e7290d040fbd43f60b0e97653489a739d4 ] + +On ppc64le arch rxe_add command causes oops in kernel log: + +[ 92.495140] Oops: Kernel access of bad area, sig: 11 [#1] +[ 92.499710] SMP NR_CPUS=2048 NUMA pSeries +[ 92.499792] Modules linked in: ipt_MASQUERADE(E) nf_nat_masquerade_ipv4(E) nf_conntrack_netlink(E) nfnetlink(E) xfrm_user(E) iptable +_nat(E) nf_conntrack_ipv4(E) nf_defrag_ipv4(E) nf_nat_ipv4(E) xt_addrtype(E) iptable_filter(E) ip_tables(E) xt_conntrack(E) x_tables(E) + nf_nat(E) nf_conntrack(E) br_netfilter(E) bridge(E) stp(E) llc(E) overlay(E) af_packet(E) rpcrdma(E) ib_isert(E) iscsi_target_mod(E) i +b_iser(E) libiscsi(E) ib_srpt(E) target_core_mod(E) ib_srp(E) ib_ipoib(E) rdma_ucm(E) ib_ucm(E) ib_uverbs(E) ib_umad(E) bochs_drm(E) tt +m(E) drm_kms_helper(E) syscopyarea(E) sysfillrect(E) sysimgblt(E) fb_sys_fops(E) drm(E) agpgart(E) virtio_rng(E) virtio_console(E) rtc_ +generic(E) dm_ec(OEN) ttln_rdma(OEN) rdma_cm(E) configfs(E) iw_cm(E) ib_cm(E) rdma_rxe(E) ip6_udp_tunnel(E) udp_tunnel(E) ib_core(E) ql +a2xxx(E) +[ 92.499832] scsi_transport_fc(E) nvme_fc(E) nvme_fabrics(E) nvme_core(E) ipmi_watchdog(E) ipmi_ssif(E) ipmi_poweroff(E) ipmi_powernv(EX) ipmi_devintf(E) ipmi_msghandler(E) dummy(E) ext4(E) crc16(E) jbd2(E) mbcache(E) dm_service_time(E) scsi_transport_iscsi(E) sd_mod(E) sr_mod(E) cdrom(E) hid_generic(E) usbhid(E) virtio_blk(E) virtio_scsi(E) virtio_net(E) ibmvscsi(EX) scsi_transport_srp(E) xhci_pci(E) xhci_hcd(E) usbcore(E) usb_common(E) virtio_pci(E) virtio_ring(E) virtio(E) sunrpc(E) dm_mirror(E) dm_region_hash(E) dm_log(E) sg(E) dm_multipath(E) dm_mod(E) scsi_dh_rdac(E) scsi_dh_emc(E) scsi_dh_alua(E) scsi_mod(E) autofs4(E) +[ 92.499834] Supported: No, Unsupported modules are loaded +[ 92.499839] CPU: 3 PID: 5576 Comm: sh Tainted: G OE NX 4.4.120-ttln.17-default #1 +[ 92.499841] task: c0000000afe8a490 ti: c0000000beba8000 task.ti: c0000000beba8000 +[ 92.499842] NIP: c00000000008ba3c LR: c000000000027644 CTR: c00000000008ba10 +[ 92.499844] REGS: c0000000bebab750 TRAP: 0300 Tainted: G OE NX (4.4.120-ttln.17-default) +[ 92.499850] MSR: 8000000000009033 CR: 28424428 XER: 20000000 +[ 92.499871] CFAR: 0000000000002424 DAR: 0000000000000208 DSISR: 40000000 SOFTE: 1 + GPR00: c000000000027644 c0000000bebab9d0 c000000000f09700 0000000000000000 + GPR04: d0000000043d7192 0000000000000002 000000000000001a fffffffffffffffe + GPR08: 000000000000009c c00000000008ba10 d0000000043e5848 d0000000043d3828 + GPR12: c00000000008ba10 c000000007a02400 0000000010062e38 0000010020388860 + GPR16: 0000000000000000 0000000000000000 00000100203885f0 00000000100f6c98 + GPR20: c0000000b3f1fcc0 c0000000b3f1fc48 c0000000b3f1fbd0 c0000000b3f1fb58 + GPR24: c0000000b3f1fae0 c0000000b3f1fa68 00000000000005dc c0000000b3f1f9f0 + GPR28: d0000000043e5848 c0000000b3f1f900 c0000000b3f1f320 c0000000b3f1f000 +[ 92.499881] NIP [c00000000008ba3c] dma_get_required_mask_pSeriesLP+0x2c/0x1a0 +[ 92.499885] LR [c000000000027644] dma_get_required_mask+0x44/0xac +[ 92.499886] Call Trace: +[ 92.499891] [c0000000bebab9d0] [c0000000bebaba30] 0xc0000000bebaba30 (unreliable) +[ 92.499894] [c0000000bebaba10] [c000000000027644] dma_get_required_mask+0x44/0xac +[ 92.499904] [c0000000bebaba30] [d0000000043cb4b4] rxe_register_device+0xc4/0x430 [rdma_rxe] +[ 92.499910] [c0000000bebabab0] [d0000000043c06c8] rxe_add+0x448/0x4e0 [rdma_rxe] +[ 92.499915] [c0000000bebabb30] [d0000000043d28dc] rxe_net_add+0x4c/0xf0 [rdma_rxe] +[ 92.499921] [c0000000bebabb60] [d0000000043d305c] rxe_param_set_add+0x6c/0x1ac [rdma_rxe] +[ 92.499924] [c0000000bebabbf0] [c0000000000e78c0] param_attr_store+0xa0/0x180 +[ 92.499927] [c0000000bebabc70] [c0000000000e6448] module_attr_store+0x48/0x70 +[ 92.499932] [c0000000bebabc90] [c000000000391f60] sysfs_kf_write+0x70/0xb0 +[ 92.499935] [c0000000bebabcb0] [c000000000390f1c] kernfs_fop_write+0x18c/0x1e0 +[ 92.499939] [c0000000bebabd00] [c0000000002e22ac] __vfs_write+0x4c/0x1d0 +[ 92.499942] [c0000000bebabd90] [c0000000002e2f94] vfs_write+0xc4/0x200 +[ 92.499945] [c0000000bebabde0] [c0000000002e488c] SyS_write+0x6c/0x110 +[ 92.499948] [c0000000bebabe30] [c000000000009384] system_call+0x38/0xe4 +[ 92.499949] Instruction dump: +[ 92.499954] 4e800020 3c4c00e8 3842dcf0 7c0802a6 f8010010 60000000 7c0802a6 fba1ffe8 +[ 92.499958] fbc1fff0 fbe1fff8 f8010010 f821ffc1 7c7e1b78 2fa90000 419e0078 +[ 92.499962] ---[ end trace bed077e15eb420cf ]--- + +It fails in dma_get_required_mask, that has ppc-specific implementation, +and fail if provided device argument is NULL + +Signed-off-by: Mikhail Malygin +Reviewed-by: Yonatan Cohen +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/sw/rxe/rxe_verbs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/sw/rxe/rxe_verbs.c ++++ b/drivers/infiniband/sw/rxe/rxe_verbs.c +@@ -1206,7 +1206,7 @@ int rxe_register_device(struct rxe_dev * + rxe->ndev->dev_addr); + dev->dev.dma_ops = &dma_virt_ops; + dma_coerce_mask_and_coherent(&dev->dev, +- dma_get_required_mask(dev->dev.parent)); ++ dma_get_required_mask(&dev->dev)); + + dev->uverbs_abi_ver = RXE_UVERBS_ABI_VERSION; + dev->uverbs_cmd_mask = BIT_ULL(IB_USER_VERBS_CMD_GET_CONTEXT) diff --git a/queue-4.16/ibmvnic-allocate-statistics-buffers-during-probe.patch b/queue-4.16/ibmvnic-allocate-statistics-buffers-during-probe.patch new file mode 100644 index 00000000000..97ac11fb1ee --- /dev/null +++ b/queue-4.16/ibmvnic-allocate-statistics-buffers-during-probe.patch @@ -0,0 +1,77 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Thomas Falcon +Date: Mon, 26 Feb 2018 18:10:56 -0600 +Subject: ibmvnic: Allocate statistics buffers during probe + +From: Thomas Falcon + +[ Upstream commit 53cc7721fdf12e649994cfb7d8f562acb0e4510b ] + +Currently, buffers holding individual queue statistics are allocated +when the device is opened. If an ibmvnic interface is hotplugged or +initialized but never opened, an attempt to get statistics with +ethtool will result in a kernel panic. + +Since the driver allocates a constant number, the maximum supported +queues, of buffers, these can be allocated during device probe and +freed when the device is hot-unplugged or the module is removed. + +Signed-off-by: Thomas Falcon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ibm/ibmvnic.c | 21 +++++++++++---------- + 1 file changed, 11 insertions(+), 10 deletions(-) + +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -812,8 +812,6 @@ static void release_resources(struct ibm + release_tx_pools(adapter); + release_rx_pools(adapter); + +- release_stats_token(adapter); +- release_stats_buffers(adapter); + release_error_buffers(adapter); + + if (adapter->napi) { +@@ -953,14 +951,6 @@ static int init_resources(struct ibmvnic + if (rc) + return rc; + +- rc = init_stats_buffers(adapter); +- if (rc) +- return rc; +- +- rc = init_stats_token(adapter); +- if (rc) +- return rc; +- + adapter->vpd = kzalloc(sizeof(*adapter->vpd), GFP_KERNEL); + if (!adapter->vpd) + return -ENOMEM; +@@ -4390,6 +4380,14 @@ static int ibmvnic_init(struct ibmvnic_a + release_crq_queue(adapter); + } + ++ rc = init_stats_buffers(adapter); ++ if (rc) ++ return rc; ++ ++ rc = init_stats_token(adapter); ++ if (rc) ++ return rc; ++ + return rc; + } + +@@ -4497,6 +4495,9 @@ static int ibmvnic_remove(struct vio_dev + release_sub_crqs(adapter); + release_crq_queue(adapter); + ++ release_stats_token(adapter); ++ release_stats_buffers(adapter); ++ + adapter->state = VNIC_REMOVED; + + mutex_unlock(&adapter->reset_lock); diff --git a/queue-4.16/ibmvnic-fix-reset-return-from-closed-state.patch b/queue-4.16/ibmvnic-fix-reset-return-from-closed-state.patch new file mode 100644 index 00000000000..86f1d779e69 --- /dev/null +++ b/queue-4.16/ibmvnic-fix-reset-return-from-closed-state.patch @@ -0,0 +1,47 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: John Allen +Date: Wed, 14 Mar 2018 10:41:29 -0500 +Subject: ibmvnic: Fix reset return from closed state + +From: John Allen + +[ Upstream commit e676d81c8990f511d60698a1a8abaa438b3f9d3d ] + +The case in which we handle a reset from the state where the device is +closed seems to be bugged for all types of reset. For most types of reset +we currently exit the reset routine correctly, but don't set the state to +indicate that we are back in the "closed" state. For some specific cases, +we don't exit the reset routine at all and resetting will cause a closed +device to be opened. + +This patch fixes the problem by unconditionally checking the reset_state +and correctly setting the adapter state before returning. + +Signed-off-by: John Allen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ibm/ibmvnic.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -1699,12 +1699,14 @@ static int do_reset(struct ibmvnic_adapt + rc = reset_rx_pools(adapter); + if (rc) + return rc; +- +- if (reset_state == VNIC_CLOSED) +- return 0; + } + } + ++ adapter->state = VNIC_CLOSED; ++ ++ if (reset_state == VNIC_CLOSED) ++ return 0; ++ + rc = __ibmvnic_open(netdev); + if (rc) { + if (list_empty(&adapter->rwi_list)) diff --git a/queue-4.16/ibmvnic-fix-tx-descriptor-tracking-again.patch b/queue-4.16/ibmvnic-fix-tx-descriptor-tracking-again.patch new file mode 100644 index 00000000000..c9b7c75a12f --- /dev/null +++ b/queue-4.16/ibmvnic-fix-tx-descriptor-tracking-again.patch @@ -0,0 +1,45 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Thomas Falcon +Date: Mon, 26 Feb 2018 18:10:55 -0600 +Subject: ibmvnic: Fix TX descriptor tracking again + +From: Thomas Falcon + +[ Upstream commit ecba616e041e64840d14e294b089ca355614b7fb ] + +Sorry, the previous change introduced a race condition between +transmit completion processing and tracking TX descriptors. If a +completion is received before the number of descriptors is logged, +the number of descriptors will be add but not removed. After enough +times, this could halt the transmit queue forever. + +Log the number of descriptors used by a transmit before sending. +I stress tested the fix on two different systems running over the +weekend without any issues. + +Signed-off-by: Thomas Falcon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ibm/ibmvnic.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -1457,6 +1457,7 @@ static int ibmvnic_xmit(struct sk_buff * + if ((*hdrs >> 7) & 1) { + build_hdr_descs_arr(tx_buff, &num_entries, *hdrs); + tx_crq.v1.n_crq_elem = num_entries; ++ tx_buff->num_entries = num_entries; + tx_buff->indir_arr[0] = tx_crq; + tx_buff->indir_dma = dma_map_single(dev, tx_buff->indir_arr, + sizeof(tx_buff->indir_arr), +@@ -1475,6 +1476,7 @@ static int ibmvnic_xmit(struct sk_buff * + (u64)tx_buff->indir_dma, + (u64)num_entries); + } else { ++ tx_buff->num_entries = num_entries; + lpar_rc = send_subcrq(adapter, handle_array[queue_num], + &tx_crq); + } diff --git a/queue-4.16/ibmvnic-zero-used-tx-descriptor-counter-on-reset.patch b/queue-4.16/ibmvnic-zero-used-tx-descriptor-counter-on-reset.patch new file mode 100644 index 00000000000..ec184a8bdc2 --- /dev/null +++ b/queue-4.16/ibmvnic-zero-used-tx-descriptor-counter-on-reset.patch @@ -0,0 +1,35 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Thomas Falcon +Date: Fri, 6 Apr 2018 18:37:03 -0500 +Subject: ibmvnic: Zero used TX descriptor counter on reset + +From: Thomas Falcon + +[ Upstream commit 41f714672f93608751dbd2fa2291d476a8ff0150 ] + +The counter that tracks used TX descriptors pending completion +needs to be zeroed as part of a device reset. This change fixes +a bug causing transmit queues to be stopped unnecessarily and in +some cases a transmit queue stall and timeout reset. If the counter +is not reset, the remaining descriptors will not be "removed", +effectively reducing queue capacity. If the queue is over half full, +it will cause the queue to stall if stopped. + +Signed-off-by: Thomas Falcon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ibm/ibmvnic.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -2266,6 +2266,7 @@ static int reset_one_sub_crq_queue(struc + } + + memset(scrq->msgs, 0, 4 * PAGE_SIZE); ++ atomic_set(&scrq->used, 0); + scrq->cur = 0; + + rc = h_reg_sub_crq(adapter->vdev->unit_address, scrq->msg_token, diff --git a/queue-4.16/ieee802154-ca8210-fix-uninitialised-data-read.patch b/queue-4.16/ieee802154-ca8210-fix-uninitialised-data-read.patch new file mode 100644 index 00000000000..013f443c348 --- /dev/null +++ b/queue-4.16/ieee802154-ca8210-fix-uninitialised-data-read.patch @@ -0,0 +1,64 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Harry Morris +Date: Wed, 28 Mar 2018 11:54:27 +0100 +Subject: ieee802154: ca8210: fix uninitialised data read + +From: Harry Morris + +[ Upstream commit 86674a97f5055f4c7f406563408096e8cf9364ff ] + +In ca8210_test_int_user_write() a user can request the transfer of a +frame with a length field (command.length) that is longer than the +actual buffer provided (len). In this scenario the driver will copy +the buffer contents into the uninitialised command[] buffer, then +transfer bytes over the SPI even though only bytes +had been populated, potentially leaking sensitive kernel memory. + +Also the first 6 bytes of the command buffer must be initialised in case +a malformed, short packet is written and the uninitialised bytes are +read in ca8210_test_check_upstream. + +Reported-by: Domen Puncer Kugler +Signed-off-by: Harry Morris +Tested-by: Harry Morris +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ieee802154/ca8210.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/drivers/net/ieee802154/ca8210.c ++++ b/drivers/net/ieee802154/ca8210.c +@@ -2493,13 +2493,14 @@ static ssize_t ca8210_test_int_user_writ + struct ca8210_priv *priv = filp->private_data; + u8 command[CA8210_SPI_BUF_SIZE]; + +- if (len > CA8210_SPI_BUF_SIZE) { ++ memset(command, SPI_IDLE, 6); ++ if (len > CA8210_SPI_BUF_SIZE || len < 2) { + dev_warn( + &priv->spi->dev, +- "userspace requested erroneously long write (%zu)\n", ++ "userspace requested erroneous write length (%zu)\n", + len + ); +- return -EMSGSIZE; ++ return -EBADE; + } + + ret = copy_from_user(command, in_buf, len); +@@ -2511,6 +2512,13 @@ static ssize_t ca8210_test_int_user_writ + ); + return -EIO; + } ++ if (len != command[1] + 2) { ++ dev_err( ++ &priv->spi->dev, ++ "write len does not match packet length field\n" ++ ); ++ return -EBADE; ++ } + + ret = ca8210_test_check_upstream(command, priv->spi); + if (ret == 0) { diff --git a/queue-4.16/ima-clear-ima_hash.patch b/queue-4.16/ima-clear-ima_hash.patch new file mode 100644 index 00000000000..5b7eac31ad9 --- /dev/null +++ b/queue-4.16/ima-clear-ima_hash.patch @@ -0,0 +1,30 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Mimi Zohar +Date: Sat, 10 Mar 2018 23:07:34 -0500 +Subject: ima: clear IMA_HASH + +From: Mimi Zohar + +[ Upstream commit a9a4935d44b58c858a81393694bc232a96cdcbd4 ] + +The IMA_APPRAISE and IMA_HASH policies overlap. Clear IMA_HASH properly. + +Fixes: da1b0029f527 ("ima: support new "hash" and "dont_hash" policy actions") +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + security/integrity/ima/ima_policy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/security/integrity/ima/ima_policy.c ++++ b/security/integrity/ima/ima_policy.c +@@ -384,7 +384,7 @@ int ima_match_policy(struct inode *inode + action |= entry->action & IMA_DO_MASK; + if (entry->action & IMA_APPRAISE) { + action |= get_subaction(entry, func); +- action ^= IMA_HASH; ++ action &= ~IMA_HASH; + } + + if (entry->action & IMA_DO_MASK) diff --git a/queue-4.16/ima-fallback-to-the-builtin-hash-algorithm.patch b/queue-4.16/ima-fallback-to-the-builtin-hash-algorithm.patch new file mode 100644 index 00000000000..8162b1f65b3 --- /dev/null +++ b/queue-4.16/ima-fallback-to-the-builtin-hash-algorithm.patch @@ -0,0 +1,119 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Petr Vorel +Date: Fri, 23 Mar 2018 14:41:08 +0100 +Subject: ima: Fallback to the builtin hash algorithm + +From: Petr Vorel + +[ Upstream commit ab60368ab6a452466885ef4edf0cefd089465132 ] + +IMA requires having it's hash algorithm be compiled-in due to it's +early use. The default IMA algorithm is protected by Kconfig to be +compiled-in. + +The ima_hash kernel parameter allows to choose the hash algorithm. When +the specified algorithm is not available or available as a module, IMA +initialization fails, which leads to a kernel panic (mknodat syscall calls +ima_post_path_mknod()). Therefore as fallback we force IMA to use +the default builtin Kconfig hash algorithm. + +Fixed crash: + +$ grep CONFIG_CRYPTO_MD4 .config +CONFIG_CRYPTO_MD4=m + +[ 0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-4.12.14-2.3-default root=UUID=74ae8202-9ca7-4e39-813b-22287ec52f7a video=1024x768-16 plymouth.ignore-serial-consoles console=ttyS0 console=tty resume=/dev/disk/by-path/pci-0000:00:07.0-part3 splash=silent showopts ima_hash=md4 +... +[ 1.545190] ima: Can not allocate md4 (reason: -2) +... +[ 2.610120] BUG: unable to handle kernel NULL pointer dereference at (null) +[ 2.611903] IP: ima_match_policy+0x23/0x390 +[ 2.612967] PGD 0 P4D 0 +[ 2.613080] Oops: 0000 [#1] SMP +[ 2.613080] Modules linked in: autofs4 +[ 2.613080] Supported: Yes +[ 2.613080] CPU: 0 PID: 1 Comm: systemd Not tainted 4.12.14-2.3-default #1 +[ 2.613080] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014 +[ 2.613080] task: ffff88003e2d0040 task.stack: ffffc90000190000 +[ 2.613080] RIP: 0010:ima_match_policy+0x23/0x390 +[ 2.613080] RSP: 0018:ffffc90000193e88 EFLAGS: 00010296 +[ 2.613080] RAX: 0000000000000000 RBX: 000000000000000c RCX: 0000000000000004 +[ 2.613080] RDX: 0000000000000010 RSI: 0000000000000001 RDI: ffff880037071728 +[ 2.613080] RBP: 0000000000008000 R08: 0000000000000000 R09: 0000000000000000 +[ 2.613080] R10: 0000000000000008 R11: 61c8864680b583eb R12: 00005580ff10086f +[ 2.613080] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000008000 +[ 2.613080] FS: 00007f5c1da08940(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000 +[ 2.613080] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 2.613080] CR2: 0000000000000000 CR3: 0000000037002000 CR4: 00000000003406f0 +[ 2.613080] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 2.613080] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 2.613080] Call Trace: +[ 2.613080] ? shmem_mknod+0xbf/0xd0 +[ 2.613080] ima_post_path_mknod+0x1c/0x40 +[ 2.613080] SyS_mknod+0x210/0x220 +[ 2.613080] entry_SYSCALL_64_fastpath+0x1a/0xa5 +[ 2.613080] RIP: 0033:0x7f5c1bfde570 +[ 2.613080] RSP: 002b:00007ffde1c90dc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000085 +[ 2.613080] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5c1bfde570 +[ 2.613080] RDX: 0000000000000000 RSI: 0000000000008000 RDI: 00005580ff10086f +[ 2.613080] RBP: 00007ffde1c91040 R08: 00005580ff10086f R09: 0000000000000000 +[ 2.613080] R10: 0000000000104000 R11: 0000000000000246 R12: 00005580ffb99660 +[ 2.613080] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000002 +[ 2.613080] Code: 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 57 41 56 44 8d 14 09 41 55 41 54 55 53 44 89 d3 09 cb 48 83 ec 38 48 8b 05 c5 03 29 01 <4c> 8b 20 4c 39 e0 0f 84 d7 01 00 00 4c 89 44 24 08 89 54 24 20 +[ 2.613080] RIP: ima_match_policy+0x23/0x390 RSP: ffffc90000193e88 +[ 2.613080] CR2: 0000000000000000 +[ 2.613080] ---[ end trace 9a9f0a8a73079f6a ]--- +[ 2.673052] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009 +[ 2.673052] +[ 2.675337] Kernel Offset: disabled +[ 2.676405] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009 + +Signed-off-by: Petr Vorel +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + security/integrity/ima/ima_crypto.c | 2 ++ + security/integrity/ima/ima_main.c | 13 +++++++++++++ + 2 files changed, 15 insertions(+) + +--- a/security/integrity/ima/ima_crypto.c ++++ b/security/integrity/ima/ima_crypto.c +@@ -73,6 +73,8 @@ int __init ima_init_crypto(void) + hash_algo_name[ima_hash_algo], rc); + return rc; + } ++ pr_info("Allocated hash algorithm: %s\n", ++ hash_algo_name[ima_hash_algo]); + return 0; + } + +--- a/security/integrity/ima/ima_main.c ++++ b/security/integrity/ima/ima_main.c +@@ -16,6 +16,9 @@ + * implements the IMA hooks: ima_bprm_check, ima_file_mmap, + * and ima_file_check. + */ ++ ++#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt ++ + #include + #include + #include +@@ -472,6 +475,16 @@ static int __init init_ima(void) + ima_init_template_list(); + hash_setup(CONFIG_IMA_DEFAULT_HASH); + error = ima_init(); ++ ++ if (error && strcmp(hash_algo_name[ima_hash_algo], ++ CONFIG_IMA_DEFAULT_HASH) != 0) { ++ pr_info("Allocating %s failed, going to use default hash algorithm %s\n", ++ hash_algo_name[ima_hash_algo], CONFIG_IMA_DEFAULT_HASH); ++ hash_setup_done = 0; ++ hash_setup(CONFIG_IMA_DEFAULT_HASH); ++ error = ima_init(); ++ } ++ + if (!error) { + ima_initialized = 1; + ima_update_policy_flag(); diff --git a/queue-4.16/ima-fix-kconfig-to-select-tpm-2.0-crb-interface.patch b/queue-4.16/ima-fix-kconfig-to-select-tpm-2.0-crb-interface.patch new file mode 100644 index 00000000000..d94f9bf454a --- /dev/null +++ b/queue-4.16/ima-fix-kconfig-to-select-tpm-2.0-crb-interface.patch @@ -0,0 +1,37 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Jiandi An +Date: Tue, 6 Mar 2018 23:26:26 -0600 +Subject: ima: Fix Kconfig to select TPM 2.0 CRB interface + +From: Jiandi An + +[ Upstream commit fac37c628fd5d68fd7298d9b57ae8601ee1b4723 ] + +TPM_CRB driver provides TPM CRB 2.0 support. If it is built as a +module, the TPM chip is registered after IMA init. tpm_pcr_read() in +IMA fails and displays the following message even though eventually +there is a TPM chip on the system. + +ima: No TPM chip found, activating TPM-bypass! (rc=-19) + +Fix IMA Kconfig to select TPM_CRB so TPM_CRB driver is built in the kernel +and initializes before IMA. + +Signed-off-by: Jiandi An +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + security/integrity/ima/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/security/integrity/ima/Kconfig ++++ b/security/integrity/ima/Kconfig +@@ -10,6 +10,7 @@ config IMA + select CRYPTO_HASH_INFO + select TCG_TPM if HAS_IOMEM && !UML + select TCG_TIS if TCG_TPM && X86 ++ select TCG_CRB if TCG_TPM && ACPI + select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES + help + The Trusted Computing Group(TCG) runtime Integrity diff --git a/queue-4.16/intel_th-use-correct-method-of-finding-hub.patch b/queue-4.16/intel_th-use-correct-method-of-finding-hub.patch new file mode 100644 index 00000000000..7498be24c47 --- /dev/null +++ b/queue-4.16/intel_th-use-correct-method-of-finding-hub.patch @@ -0,0 +1,36 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Alexander Shishkin +Date: Thu, 1 Mar 2018 10:15:32 +0200 +Subject: intel_th: Use correct method of finding hub + +From: Alexander Shishkin + +[ Upstream commit 9ad577087165478c9d9be82b15ed9bf2db5835f5 ] + +Since commit 8edc514b01e9 ("intel_th: Make SOURCE devices children of the +root device") the hub is not the parent of SOURCE devices any more, so the +new helper function should be used for that instead of always using the +parent. The intel_th_set_output() path, however, still uses the old +logic, leading to the hub driver structure being aliased with something +else, like struct pci_driver or struct acpi_driver, and an incorrect call +to an address inferred from that, potentially resulting in a crash. + +Fixes: 8edc514b01e9 ("intel_th: Make SOURCE devices children of the root device") +Signed-off-by: Alexander Shishkin +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwtracing/intel_th/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hwtracing/intel_th/core.c ++++ b/drivers/hwtracing/intel_th/core.c +@@ -935,7 +935,7 @@ EXPORT_SYMBOL_GPL(intel_th_trace_disable + int intel_th_set_output(struct intel_th_device *thdev, + unsigned int master) + { +- struct intel_th_device *hub = to_intel_th_device(thdev->dev.parent); ++ struct intel_th_device *hub = to_intel_th_hub(thdev); + struct intel_th_driver *hubdrv = to_intel_th_driver(hub->dev.driver); + + if (!hubdrv->set_output) diff --git a/queue-4.16/iommu-amd-take-into-account-that-alloc_dev_data-may-return-null.patch b/queue-4.16/iommu-amd-take-into-account-that-alloc_dev_data-may-return-null.patch new file mode 100644 index 00000000000..82506e54768 --- /dev/null +++ b/queue-4.16/iommu-amd-take-into-account-that-alloc_dev_data-may-return-null.patch @@ -0,0 +1,36 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Sebastian Andrzej Siewior +Date: Thu, 22 Mar 2018 16:22:33 +0100 +Subject: iommu/amd: Take into account that alloc_dev_data() may return NULL + +From: Sebastian Andrzej Siewior + +[ Upstream commit 39ffe39545cd5cb5b8cee9f0469165cf24dc62c2 ] + +find_dev_data() does not check whether the return value alloc_dev_data() +is NULL. This was okay once because the pointer was returned once as-is. +Since commit df3f7a6e8e85 ("iommu/amd: Use is_attach_deferred +call-back") the pointer may be used within find_dev_data() so a NULL +check is required. + +Cc: Baoquan He +Fixes: df3f7a6e8e85 ("iommu/amd: Use is_attach_deferred call-back") +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/amd_iommu.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/iommu/amd_iommu.c ++++ b/drivers/iommu/amd_iommu.c +@@ -310,6 +310,8 @@ static struct iommu_dev_data *find_dev_d + + if (dev_data == NULL) { + dev_data = alloc_dev_data(devid); ++ if (!dev_data) ++ return NULL; + + if (translation_pre_enabled(iommu)) + dev_data->defer_attach = true; diff --git a/queue-4.16/iommu-mediatek-fix-protect-memory-setting.patch b/queue-4.16/iommu-mediatek-fix-protect-memory-setting.patch new file mode 100644 index 00000000000..4ad77ee1618 --- /dev/null +++ b/queue-4.16/iommu-mediatek-fix-protect-memory-setting.patch @@ -0,0 +1,88 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Yong Wu +Date: Sun, 18 Mar 2018 09:52:54 +0800 +Subject: iommu/mediatek: Fix protect memory setting + +From: Yong Wu + +[ Upstream commit 70ca608b2ec6dafa6bb1c2b0691852fc78f8f717 ] + +In MediaTek's IOMMU design, When a iommu translation fault occurs +(HW can NOT translate the destination address to a valid physical +address), the IOMMU HW output the dirty data into a special memory +to avoid corrupting the main memory, this is called "protect memory". +the register(0x114) for protect memory is a little different between +mt8173 and mt2712. + +In the mt8173, bit[30:6] in the register represents [31:7] of the +physical address. In the 4GB mode, the register bit[31] should be 1. +While in the mt2712, the bits don't shift. bit[31:7] in the register +represents [31:7] in the physical address, and bit[1:0] in the +register represents bit[33:32] of the physical address if it has. + +Fixes: e6dec9230862 ("iommu/mediatek: Add mt2712 IOMMU support") +Reported-by: Honghui Zhang +Signed-off-by: Yong Wu +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/mtk_iommu.c | 15 ++++++++++----- + drivers/iommu/mtk_iommu.h | 1 + + 2 files changed, 11 insertions(+), 5 deletions(-) + +--- a/drivers/iommu/mtk_iommu.c ++++ b/drivers/iommu/mtk_iommu.c +@@ -60,7 +60,7 @@ + (((prot) & 0x3) << F_MMU_TF_PROTECT_SEL_SHIFT(data)) + + #define REG_MMU_IVRP_PADDR 0x114 +-#define F_MMU_IVRP_PA_SET(pa, ext) (((pa) >> 1) | ((!!(ext)) << 31)) ++ + #define REG_MMU_VLD_PA_RNG 0x118 + #define F_MMU_VLD_PA_RNG(EA, SA) (((EA) << 8) | (SA)) + +@@ -539,8 +539,13 @@ static int mtk_iommu_hw_init(const struc + F_INT_PRETETCH_TRANSATION_FIFO_FAULT; + writel_relaxed(regval, data->base + REG_MMU_INT_MAIN_CONTROL); + +- writel_relaxed(F_MMU_IVRP_PA_SET(data->protect_base, data->enable_4GB), +- data->base + REG_MMU_IVRP_PADDR); ++ if (data->m4u_plat == M4U_MT8173) ++ regval = (data->protect_base >> 1) | (data->enable_4GB << 31); ++ else ++ regval = lower_32_bits(data->protect_base) | ++ upper_32_bits(data->protect_base); ++ writel_relaxed(regval, data->base + REG_MMU_IVRP_PADDR); ++ + if (data->enable_4GB && data->m4u_plat != M4U_MT8173) { + /* + * If 4GB mode is enabled, the validate PA range is from +@@ -695,6 +700,7 @@ static int __maybe_unused mtk_iommu_susp + reg->ctrl_reg = readl_relaxed(base + REG_MMU_CTRL_REG); + reg->int_control0 = readl_relaxed(base + REG_MMU_INT_CONTROL0); + reg->int_main_control = readl_relaxed(base + REG_MMU_INT_MAIN_CONTROL); ++ reg->ivrp_paddr = readl_relaxed(base + REG_MMU_IVRP_PADDR); + clk_disable_unprepare(data->bclk); + return 0; + } +@@ -717,8 +723,7 @@ static int __maybe_unused mtk_iommu_resu + writel_relaxed(reg->ctrl_reg, base + REG_MMU_CTRL_REG); + writel_relaxed(reg->int_control0, base + REG_MMU_INT_CONTROL0); + writel_relaxed(reg->int_main_control, base + REG_MMU_INT_MAIN_CONTROL); +- writel_relaxed(F_MMU_IVRP_PA_SET(data->protect_base, data->enable_4GB), +- base + REG_MMU_IVRP_PADDR); ++ writel_relaxed(reg->ivrp_paddr, base + REG_MMU_IVRP_PADDR); + if (data->m4u_dom) + writel(data->m4u_dom->cfg.arm_v7s_cfg.ttbr[0], + base + REG_MMU_PT_BASE_ADDR); +--- a/drivers/iommu/mtk_iommu.h ++++ b/drivers/iommu/mtk_iommu.h +@@ -32,6 +32,7 @@ struct mtk_iommu_suspend_reg { + u32 ctrl_reg; + u32 int_control0; + u32 int_main_control; ++ u32 ivrp_paddr; + }; + + enum mtk_iommu_plat { diff --git a/queue-4.16/ipc-msg-introduce-msgctl-msg_stat_any.patch b/queue-4.16/ipc-msg-introduce-msgctl-msg_stat_any.patch new file mode 100644 index 00000000000..4593ae25d35 --- /dev/null +++ b/queue-4.16/ipc-msg-introduce-msgctl-msg_stat_any.patch @@ -0,0 +1,132 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Davidlohr Bueso +Date: Tue, 10 Apr 2018 16:35:30 -0700 +Subject: ipc/msg: introduce msgctl(MSG_STAT_ANY) + +From: Davidlohr Bueso + +[ Upstream commit 23c8cec8cf679b10997a512abb1e86f0cedc42ba ] + +There is a permission discrepancy when consulting msq ipc object +metadata between /proc/sysvipc/msg (0444) and the MSG_STAT shmctl +command. The later does permission checks for the object vs S_IRUGO. +As such there can be cases where EACCESS is returned via syscall but the +info is displayed anyways in the procfs files. + +While this might have security implications via info leaking (albeit no +writing to the msq metadata), this behavior goes way back and showing +all the objects regardless of the permissions was most likely an +overlook - so we are stuck with it. Furthermore, modifying either the +syscall or the procfs file can cause userspace programs to break (ie +ipcs). Some applications require getting the procfs info (without root +privileges) and can be rather slow in comparison with a syscall -- up to +500x in some reported cases for shm. + +This patch introduces a new MSG_STAT_ANY command such that the msq ipc +object permissions are ignored, and only audited instead. In addition, +I've left the lsm security hook checks in place, as if some policy can +block the call, then the user has no other choice than just parsing the +procfs file. + +Link: http://lkml.kernel.org/r/20180215162458.10059-4-dave@stgolabs.net +Signed-off-by: Davidlohr Bueso +Reported-by: Robert Kettler +Cc: Eric W. Biederman +Cc: Kees Cook +Cc: Manfred Spraul +Cc: Michael Kerrisk +Cc: Michal Hocko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/uapi/linux/msg.h | 1 + + ipc/msg.c | 17 ++++++++++++----- + security/selinux/hooks.c | 1 + + security/smack/smack_lsm.c | 1 + + 4 files changed, 15 insertions(+), 5 deletions(-) + +--- a/include/uapi/linux/msg.h ++++ b/include/uapi/linux/msg.h +@@ -7,6 +7,7 @@ + /* ipcs ctl commands */ + #define MSG_STAT 11 + #define MSG_INFO 12 ++#define MSG_STAT_ANY 13 + + /* msgrcv options */ + #define MSG_NOERROR 010000 /* no error if message is too big */ +--- a/ipc/msg.c ++++ b/ipc/msg.c +@@ -483,14 +483,14 @@ static int msgctl_stat(struct ipc_namesp + memset(p, 0, sizeof(*p)); + + rcu_read_lock(); +- if (cmd == MSG_STAT) { ++ if (cmd == MSG_STAT || cmd == MSG_STAT_ANY) { + msq = msq_obtain_object(ns, msqid); + if (IS_ERR(msq)) { + err = PTR_ERR(msq); + goto out_unlock; + } + id = msq->q_perm.id; +- } else { ++ } else { /* IPC_STAT */ + msq = msq_obtain_object_check(ns, msqid); + if (IS_ERR(msq)) { + err = PTR_ERR(msq); +@@ -498,9 +498,14 @@ static int msgctl_stat(struct ipc_namesp + } + } + +- err = -EACCES; +- if (ipcperms(ns, &msq->q_perm, S_IRUGO)) +- goto out_unlock; ++ /* see comment for SHM_STAT_ANY */ ++ if (cmd == MSG_STAT_ANY) ++ audit_ipc_obj(&msq->q_perm); ++ else { ++ err = -EACCES; ++ if (ipcperms(ns, &msq->q_perm, S_IRUGO)) ++ goto out_unlock; ++ } + + err = security_msg_queue_msgctl(msq, cmd); + if (err) +@@ -558,6 +563,7 @@ SYSCALL_DEFINE3(msgctl, int, msqid, int, + return err; + } + case MSG_STAT: /* msqid is an index rather than a msg queue id */ ++ case MSG_STAT_ANY: + case IPC_STAT: + err = msgctl_stat(ns, msqid, cmd, &msqid64); + if (err < 0) +@@ -671,6 +677,7 @@ COMPAT_SYSCALL_DEFINE3(msgctl, int, msqi + } + case IPC_STAT: + case MSG_STAT: ++ case MSG_STAT_ANY: + err = msgctl_stat(ns, msqid, cmd, &msqid64); + if (err < 0) + return err; +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -5590,6 +5590,7 @@ static int selinux_msg_queue_msgctl(stru + SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); + case IPC_STAT: + case MSG_STAT: ++ case MSG_STAT_ANY: + perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; + break; + case IPC_SET: +--- a/security/smack/smack_lsm.c ++++ b/security/smack/smack_lsm.c +@@ -3294,6 +3294,7 @@ static int smack_msg_queue_msgctl(struct + switch (cmd) { + case IPC_STAT: + case MSG_STAT: ++ case MSG_STAT_ANY: + may = MAY_READ; + break; + case IPC_SET: diff --git a/queue-4.16/ipmi_ssif-fix-kernel-panic-at-msg_done_handler.patch b/queue-4.16/ipmi_ssif-fix-kernel-panic-at-msg_done_handler.patch new file mode 100644 index 00000000000..9b5eec7144d --- /dev/null +++ b/queue-4.16/ipmi_ssif-fix-kernel-panic-at-msg_done_handler.patch @@ -0,0 +1,56 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Kamlakant Patel +Date: Tue, 13 Mar 2018 16:32:27 +0530 +Subject: ipmi_ssif: Fix kernel panic at msg_done_handler + +From: Kamlakant Patel + +[ Upstream commit f002612b9d86613bc6fde0a444e0095225f6053e ] + +This happens when BMC doesn't return any data and the code is trying +to print the value of data[2]. + +Getting following crash: +[ 484.728410] Unable to handle kernel NULL pointer dereference at virtual address 00000002 +[ 484.736496] pgd = ffff0000094a2000 +[ 484.739885] [00000002] *pgd=00000047fcffe003, *pud=00000047fcffd003, *pmd=0000000000000000 +[ 484.748158] Internal error: Oops: 96000005 [#1] SMP +[...] +[ 485.101451] Call trace: +[...] +[ 485.188473] [] msg_done_handler+0x668/0x700 [ipmi_ssif] +[ 485.195249] [] ipmi_ssif_thread+0x110/0x128 [ipmi_ssif] +[ 485.202038] [] kthread+0x108/0x138 +[ 485.206994] [] ret_from_fork+0x10/0x30 +[ 485.212294] Code: aa1903e1 aa1803e0 b900227f 95fef6a5 (39400aa3) + +Adding a check to validate the data len before printing data[2] to fix this issue. + +Signed-off-by: Kamlakant Patel +Signed-off-by: Corey Minyard +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/ipmi/ipmi_ssif.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/char/ipmi/ipmi_ssif.c ++++ b/drivers/char/ipmi/ipmi_ssif.c +@@ -761,7 +761,7 @@ static void msg_done_handler(struct ssif + ssif_info->ssif_state = SSIF_NORMAL; + ipmi_ssif_unlock_cond(ssif_info, flags); + pr_warn(PFX "Error getting flags: %d %d, %x\n", +- result, len, data[2]); ++ result, len, (len >= 3) ? data[2] : 0); + } else if (data[0] != (IPMI_NETFN_APP_REQUEST | 1) << 2 + || data[1] != IPMI_GET_MSG_FLAGS_CMD) { + /* +@@ -783,7 +783,7 @@ static void msg_done_handler(struct ssif + if ((result < 0) || (len < 3) || (data[2] != 0)) { + /* Error clearing flags */ + pr_warn(PFX "Error clearing flags: %d %d, %x\n", +- result, len, data[2]); ++ result, len, (len >= 3) ? data[2] : 0); + } else if (data[0] != (IPMI_NETFN_APP_REQUEST | 1) << 2 + || data[1] != IPMI_CLEAR_MSG_FLAGS_CMD) { + pr_warn(PFX "Invalid response clearing flags: %x %x\n", diff --git a/queue-4.16/iwlwifi-mvm-check-if-mac80211_queue-is-valid-in-iwl_mvm_disable_txq.patch b/queue-4.16/iwlwifi-mvm-check-if-mac80211_queue-is-valid-in-iwl_mvm_disable_txq.patch new file mode 100644 index 00000000000..46944ba82f7 --- /dev/null +++ b/queue-4.16/iwlwifi-mvm-check-if-mac80211_queue-is-valid-in-iwl_mvm_disable_txq.patch @@ -0,0 +1,55 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Luca Coelho +Date: Mon, 18 Dec 2017 20:13:07 +0200 +Subject: iwlwifi: mvm: check if mac80211_queue is valid in iwl_mvm_disable_txq + +From: Luca Coelho + +[ Upstream commit 9a233bb8025105db9a60b5d761005cc5a6c77f3d ] + +Sometimes iwl_mvm_disable_txq() may be called with mac80211_queue == +IEEE80211_INVAL_HW_QUEUE, and this would cause us to use BIT(0xFF) +which is way too large for the u16 we used to store it in +hw_queue_to_mac820211. If this happens the following UBSAN warning +will be generated: + +[ 167.185167] UBSAN: Undefined behaviour in drivers/net/wireless/intel/iwlwifi/mvm/utils.c:838:5 +[ 167.185171] shift exponent 255 is too large for 64-bit type 'long unsigned int' + +Fix that by checking that it is not IEEE80211_INVAL_HW_QUEUE and, +while at it, add a warning if the queue number is larger than +IEEE80211_MAX_QUEUES. + +Fixes: 34e10860ae8d ("iwlwifi: mvm: remove references to queue_info in new TX path") +Reported-by: Paul Menzel +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/mvm/utils.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/utils.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/utils.c +@@ -800,12 +800,19 @@ int iwl_mvm_disable_txq(struct iwl_mvm * + .scd_queue = queue, + .action = SCD_CFG_DISABLE_QUEUE, + }; +- bool remove_mac_queue = true; ++ bool remove_mac_queue = mac80211_queue != IEEE80211_INVAL_HW_QUEUE; + int ret; + ++ if (WARN_ON(remove_mac_queue && mac80211_queue >= IEEE80211_MAX_QUEUES)) ++ return -EINVAL; ++ + if (iwl_mvm_has_new_tx_api(mvm)) { + spin_lock_bh(&mvm->queue_info_lock); +- mvm->hw_queue_to_mac80211[queue] &= ~BIT(mac80211_queue); ++ ++ if (remove_mac_queue) ++ mvm->hw_queue_to_mac80211[queue] &= ++ ~BIT(mac80211_queue); ++ + spin_unlock_bh(&mvm->queue_info_lock); + + iwl_trans_txq_free(mvm->trans, queue); diff --git a/queue-4.16/iwlwifi-mvm-take-rcu-lock-before-dereferencing.patch b/queue-4.16/iwlwifi-mvm-take-rcu-lock-before-dereferencing.patch new file mode 100644 index 00000000000..d6415573589 --- /dev/null +++ b/queue-4.16/iwlwifi-mvm-take-rcu-lock-before-dereferencing.patch @@ -0,0 +1,48 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Sara Sharon +Date: Tue, 19 Dec 2017 09:19:32 +0200 +Subject: iwlwifi: mvm: take RCU lock before dereferencing + +From: Sara Sharon + +[ Upstream commit f4f155e5ec04d381b2f0870817d93dbdc259aa63 ] + +RCU isn't properly locked. + +Fixes: 46d372af9935 ("iwlwifi: mvm: rs: new rate scale API - add FW notifications") +Signed-off-by: Sara Sharon +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/mvm/rs-fw.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/rs-fw.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rs-fw.c +@@ -234,13 +234,15 @@ void iwl_mvm_tlc_update_notif(struct iwl + struct iwl_mvm_sta *mvmsta; + struct iwl_lq_sta_rs_fw *lq_sta; + ++ rcu_read_lock(); ++ + notif = (void *)pkt->data; + mvmsta = iwl_mvm_sta_from_staid_rcu(mvm, notif->sta_id); + + if (!mvmsta) { + IWL_ERR(mvm, "Invalid sta id (%d) in FW TLC notification\n", + notif->sta_id); +- return; ++ goto out; + } + + lq_sta = &mvmsta->lq_sta.rs_fw; +@@ -251,6 +253,8 @@ void iwl_mvm_tlc_update_notif(struct iwl + IWL_DEBUG_RATE(mvm, "new rate_n_flags: 0x%X\n", + lq_sta->last_rate_n_flags); + } ++out: ++ rcu_read_unlock(); + } + + void rs_fw_rate_init(struct iwl_mvm *mvm, struct ieee80211_sta *sta, diff --git a/queue-4.16/ixgbe-prevent-ptp_rx_hang-from-running-when-in-filter_all-mode.patch b/queue-4.16/ixgbe-prevent-ptp_rx_hang-from-running-when-in-filter_all-mode.patch new file mode 100644 index 00000000000..b76c0f7db3b --- /dev/null +++ b/queue-4.16/ixgbe-prevent-ptp_rx_hang-from-running-when-in-filter_all-mode.patch @@ -0,0 +1,48 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Jacob Keller +Date: Mon, 29 Jan 2018 15:57:48 -0800 +Subject: ixgbe: prevent ptp_rx_hang from running when in FILTER_ALL mode + +From: Jacob Keller + +[ Upstream commit 6704a3abf4cf4181a1ee64f5db4969347b88ca1d ] + +On hardware which supports timestamping all packets, the timestamps are +recorded in the packet buffer, and the driver no longer uses or reads +the registers. This makes the logic for checking and clearing Rx +timestamp hangs meaningless. + +If we run the ixgbe_ptp_rx_hang() function in this case, then the driver +will continuously spam the log output with "Clearing Rx timestamp hang". +These messages are spurious, and confusing to end users. + +The original code in commit a9763f3cb54c ("ixgbe: Update PTP to support +X550EM_x devices", 2015-12-03) did have a flag PTP_RX_TIMESTAMP_IN_REGISTER +which was intended to be used to avoid the Rx timestamp hang check, +however it did not actually check the flag before calling the function. + +Do so now in order to stop the checks and prevent the spurious log +messages. + +Fixes: a9763f3cb54c ("ixgbe: Update PTP to support X550EM_x devices", 2015-12-03) +Signed-off-by: Jacob Keller +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +@@ -7711,7 +7711,8 @@ static void ixgbe_service_task(struct wo + + if (test_bit(__IXGBE_PTP_RUNNING, &adapter->state)) { + ixgbe_ptp_overflow_check(adapter); +- ixgbe_ptp_rx_hang(adapter); ++ if (adapter->flags & IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER) ++ ixgbe_ptp_rx_hang(adapter); + ixgbe_ptp_tx_hang(adapter); + } + diff --git a/queue-4.16/kasan-fix-invalid-free-test-crashing-the-kernel.patch b/queue-4.16/kasan-fix-invalid-free-test-crashing-the-kernel.patch new file mode 100644 index 00000000000..ba3ca6ab782 --- /dev/null +++ b/queue-4.16/kasan-fix-invalid-free-test-crashing-the-kernel.patch @@ -0,0 +1,59 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Andrey Konovalov +Date: Tue, 10 Apr 2018 16:30:35 -0700 +Subject: kasan: fix invalid-free test crashing the kernel + +From: Andrey Konovalov + +[ Upstream commit 91c93ed07f04f5b32a30321d522d8ca9504745bf ] + +When an invalid-free is triggered by one of the KASAN tests, the object +doesn't actually get freed. This later leads to a BUG failure in +kmem_cache_destroy that checks that there are no allocated objects in +the cache that is being destroyed. + +Fix this by calling kmem_cache_free with the proper object address after +the call that triggers invalid-free. + +Link: http://lkml.kernel.org/r/286eaefc0a6c3fa9b83b87e7d6dc0fbb5b5c9926.1519924383.git.andreyknvl@google.com +Signed-off-by: Andrey Konovalov +Acked-by: Andrey Ryabinin +Cc: Alexander Potapenko +Cc: Dmitry Vyukov +Cc: Geert Uytterhoeven +Cc: Nick Terrell +Cc: Chris Mason +Cc: Yury Norov +Cc: Al Viro +Cc: "Luis R . Rodriguez" +Cc: Palmer Dabbelt +Cc: "Paul E . McKenney" +Cc: Jeff Layton +Cc: "Jason A . Donenfeld" +Cc: Kostya Serebryany +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + lib/test_kasan.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/lib/test_kasan.c ++++ b/lib/test_kasan.c +@@ -567,7 +567,15 @@ static noinline void __init kmem_cache_i + return; + } + ++ /* Trigger invalid free, the object doesn't get freed */ + kmem_cache_free(cache, p + 1); ++ ++ /* ++ * Properly free the object to prevent the "Objects remaining in ++ * test_cache on __kmem_cache_shutdown" BUG failure. ++ */ ++ kmem_cache_free(cache, p); ++ + kmem_cache_destroy(cache); + } + diff --git a/queue-4.16/kasan-slub-fix-handling-of-kasan_slab_free-hook.patch b/queue-4.16/kasan-slub-fix-handling-of-kasan_slab_free-hook.patch new file mode 100644 index 00000000000..63a6dc96784 --- /dev/null +++ b/queue-4.16/kasan-slub-fix-handling-of-kasan_slab_free-hook.patch @@ -0,0 +1,141 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Andrey Konovalov +Date: Tue, 10 Apr 2018 16:30:31 -0700 +Subject: kasan, slub: fix handling of kasan_slab_free hook + +From: Andrey Konovalov + +[ Upstream commit c3895391df385c6628638f014c87e16f5e2efd45 ] + +The kasan_slab_free hook's return value denotes whether the reuse of a +slab object must be delayed (e.g. when the object is put into memory +qurantine). + +The current way SLUB handles this hook is by ignoring its return value +and hardcoding checks similar (but not exactly the same) to the ones +performed in kasan_slab_free, which is prone to making mistakes. + +The main difference between the hardcoded checks and the ones in +kasan_slab_free is whether we want to perform a free in case when an +invalid-free or a double-free was detected (we don't). + +This patch changes the way SLUB handles this by: +1. taking into account the return value of kasan_slab_free for each of + the objects, that are being freed; +2. reconstructing the freelist of objects to exclude the ones, whose + reuse must be delayed. + +[andreyknvl@google.com: eliminate unnecessary branch in slab_free] + Link: http://lkml.kernel.org/r/a62759a2545fddf69b0c034547212ca1eb1b3ce2.1520359686.git.andreyknvl@google.com +Link: http://lkml.kernel.org/r/083f58501e54731203801d899632d76175868e97.1519400992.git.andreyknvl@google.com +Signed-off-by: Andrey Konovalov +Acked-by: Andrey Ryabinin +Cc: Christoph Lameter +Cc: Pekka Enberg +Cc: David Rientjes +Cc: Joonsoo Kim +Cc: Alexander Potapenko +Cc: Dmitry Vyukov +Cc: Kostya Serebryany +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/slub.c | 57 ++++++++++++++++++++++++++++++++++----------------------- + 1 file changed, 34 insertions(+), 23 deletions(-) + +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -1362,10 +1362,8 @@ static __always_inline void kfree_hook(v + kasan_kfree_large(x, _RET_IP_); + } + +-static __always_inline void *slab_free_hook(struct kmem_cache *s, void *x) ++static __always_inline bool slab_free_hook(struct kmem_cache *s, void *x) + { +- void *freeptr; +- + kmemleak_free_recursive(x, s->flags); + + /* +@@ -1385,17 +1383,12 @@ static __always_inline void *slab_free_h + if (!(s->flags & SLAB_DEBUG_OBJECTS)) + debug_check_no_obj_freed(x, s->object_size); + +- freeptr = get_freepointer(s, x); +- /* +- * kasan_slab_free() may put x into memory quarantine, delaying its +- * reuse. In this case the object's freelist pointer is changed. +- */ +- kasan_slab_free(s, x, _RET_IP_); +- return freeptr; ++ /* KASAN might put x into memory quarantine, delaying its reuse */ ++ return kasan_slab_free(s, x, _RET_IP_); + } + +-static inline void slab_free_freelist_hook(struct kmem_cache *s, +- void *head, void *tail) ++static inline bool slab_free_freelist_hook(struct kmem_cache *s, ++ void **head, void **tail) + { + /* + * Compiler cannot detect this function can be removed if slab_free_hook() +@@ -1406,13 +1399,33 @@ static inline void slab_free_freelist_ho + defined(CONFIG_DEBUG_OBJECTS_FREE) || \ + defined(CONFIG_KASAN) + +- void *object = head; +- void *tail_obj = tail ? : head; +- void *freeptr; ++ void *object; ++ void *next = *head; ++ void *old_tail = *tail ? *tail : *head; ++ ++ /* Head and tail of the reconstructed freelist */ ++ *head = NULL; ++ *tail = NULL; + + do { +- freeptr = slab_free_hook(s, object); +- } while ((object != tail_obj) && (object = freeptr)); ++ object = next; ++ next = get_freepointer(s, object); ++ /* If object's reuse doesn't have to be delayed */ ++ if (!slab_free_hook(s, object)) { ++ /* Move object to the new freelist */ ++ set_freepointer(s, object, *head); ++ *head = object; ++ if (!*tail) ++ *tail = object; ++ } ++ } while (object != old_tail); ++ ++ if (*head == *tail) ++ *tail = NULL; ++ ++ return *head != NULL; ++#else ++ return true; + #endif + } + +@@ -2965,14 +2978,12 @@ static __always_inline void slab_free(st + void *head, void *tail, int cnt, + unsigned long addr) + { +- slab_free_freelist_hook(s, head, tail); + /* +- * slab_free_freelist_hook() could have put the items into quarantine. +- * If so, no need to free them. ++ * With KASAN enabled slab_free_freelist_hook modifies the freelist ++ * to remove objects, whose reuse must be delayed. + */ +- if (s->flags & SLAB_KASAN && !(s->flags & SLAB_TYPESAFE_BY_RCU)) +- return; +- do_slab_free(s, page, head, tail, cnt, addr); ++ if (slab_free_freelist_hook(s, &head, &tail)) ++ do_slab_free(s, page, head, tail, cnt, addr); + } + + #ifdef CONFIG_KASAN diff --git a/queue-4.16/kdb-make-mdr-command-repeat.patch b/queue-4.16/kdb-make-mdr-command-repeat.patch new file mode 100644 index 00000000000..a0db04d81fc --- /dev/null +++ b/queue-4.16/kdb-make-mdr-command-repeat.patch @@ -0,0 +1,88 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Randy Dunlap +Date: Fri, 8 Dec 2017 10:19:19 -0800 +Subject: kdb: make "mdr" command repeat + +From: Randy Dunlap + +[ Upstream commit 1e0ce03bf142454f38a5fc050bf4fd698d2d36d8 ] + +The "mdr" command should repeat (continue) when only Enter/Return +is pressed, so make it do so. + +Signed-off-by: Randy Dunlap +Cc: Daniel Thompson +Cc: Jason Wessel +Cc: kgdb-bugreport@lists.sourceforge.net +Signed-off-by: Jason Wessel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/debug/kdb/kdb_main.c | 27 +++++++++++++++++++++------ + 1 file changed, 21 insertions(+), 6 deletions(-) + +--- a/kernel/debug/kdb/kdb_main.c ++++ b/kernel/debug/kdb/kdb_main.c +@@ -1566,6 +1566,7 @@ static int kdb_md(int argc, const char * + int symbolic = 0; + int valid = 0; + int phys = 0; ++ int raw = 0; + + kdbgetintenv("MDCOUNT", &mdcount); + kdbgetintenv("RADIX", &radix); +@@ -1575,9 +1576,10 @@ static int kdb_md(int argc, const char * + repeat = mdcount * 16 / bytesperword; + + if (strcmp(argv[0], "mdr") == 0) { +- if (argc != 2) ++ if (argc == 2 || (argc == 0 && last_addr != 0)) ++ valid = raw = 1; ++ else + return KDB_ARGCOUNT; +- valid = 1; + } else if (isdigit(argv[0][2])) { + bytesperword = (int)(argv[0][2] - '0'); + if (bytesperword == 0) { +@@ -1613,7 +1615,10 @@ static int kdb_md(int argc, const char * + radix = last_radix; + bytesperword = last_bytesperword; + repeat = last_repeat; +- mdcount = ((repeat * bytesperword) + 15) / 16; ++ if (raw) ++ mdcount = repeat; ++ else ++ mdcount = ((repeat * bytesperword) + 15) / 16; + } + + if (argc) { +@@ -1630,7 +1635,10 @@ static int kdb_md(int argc, const char * + diag = kdbgetularg(argv[nextarg], &val); + if (!diag) { + mdcount = (int) val; +- repeat = mdcount * 16 / bytesperword; ++ if (raw) ++ repeat = mdcount; ++ else ++ repeat = mdcount * 16 / bytesperword; + } + } + if (argc >= nextarg+1) { +@@ -1640,8 +1648,15 @@ static int kdb_md(int argc, const char * + } + } + +- if (strcmp(argv[0], "mdr") == 0) +- return kdb_mdr(addr, mdcount); ++ if (strcmp(argv[0], "mdr") == 0) { ++ int ret; ++ last_addr = addr; ++ ret = kdb_mdr(addr, mdcount); ++ last_addr += mdcount; ++ last_repeat = mdcount; ++ last_bytesperword = bytesperword; // to make REPEAT happy ++ return ret; ++ } + + switch (radix) { + case 10: diff --git a/queue-4.16/kvm-lapic-stop-advertising-directed_eoi-when-in-kernel-ioapic-is-in-use.patch b/queue-4.16/kvm-lapic-stop-advertising-directed_eoi-when-in-kernel-ioapic-is-in-use.patch new file mode 100644 index 00000000000..1fffe89a6fc --- /dev/null +++ b/queue-4.16/kvm-lapic-stop-advertising-directed_eoi-when-in-kernel-ioapic-is-in-use.patch @@ -0,0 +1,49 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Vitaly Kuznetsov +Date: Fri, 9 Feb 2018 14:01:33 +0100 +Subject: KVM: lapic: stop advertising DIRECTED_EOI when in-kernel IOAPIC is in use + +From: Vitaly Kuznetsov + +[ Upstream commit 0bcc3fb95b97ac2ca223a5a870287b37f56265ac ] + +Devices which use level-triggered interrupts under Windows 2016 with +Hyper-V role enabled don't work: Windows disables EOI broadcast in SPIV +unconditionally. Our in-kernel IOAPIC implementation emulates an old IOAPIC +version which has no EOI register so EOI never happens. + +The issue was discovered and discussed a while ago: +https://www.spinics.net/lists/kvm/msg148098.html + +While this is a guest OS bug (it should check that IOAPIC has the required +capabilities before disabling EOI broadcast) we can workaround it in KVM: +advertising DIRECTED_EOI with in-kernel IOAPIC makes little sense anyway. + +Signed-off-by: Vitaly Kuznetsov +Signed-off-by: Radim Krčmář +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/lapic.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -321,8 +321,16 @@ void kvm_apic_set_version(struct kvm_vcp + if (!lapic_in_kernel(vcpu)) + return; + ++ /* ++ * KVM emulates 82093AA datasheet (with in-kernel IOAPIC implementation) ++ * which doesn't have EOI register; Some buggy OSes (e.g. Windows with ++ * Hyper-V role) disable EOI broadcast in lapic not checking for IOAPIC ++ * version first and level-triggered interrupts never get EOIed in ++ * IOAPIC. ++ */ + feat = kvm_find_cpuid_entry(apic->vcpu, 0x1, 0); +- if (feat && (feat->ecx & (1 << (X86_FEATURE_X2APIC & 31)))) ++ if (feat && (feat->ecx & (1 << (X86_FEATURE_X2APIC & 31))) && ++ !ioapic_in_kernel(vcpu->kvm)) + v |= APIC_LVR_DIRECTED_EOI; + kvm_lapic_set_reg(apic, APIC_LVR, v); + } diff --git a/queue-4.16/kvm-vmx-raise-internal-error-for-exception-during-invalid-protected-mode-state.patch b/queue-4.16/kvm-vmx-raise-internal-error-for-exception-during-invalid-protected-mode-state.patch new file mode 100644 index 00000000000..94559af7488 --- /dev/null +++ b/queue-4.16/kvm-vmx-raise-internal-error-for-exception-during-invalid-protected-mode-state.patch @@ -0,0 +1,83 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Sean Christopherson +Date: Fri, 23 Mar 2018 09:34:00 -0700 +Subject: KVM: VMX: raise internal error for exception during invalid protected mode state + +From: Sean Christopherson + +[ Upstream commit add5ff7a216ee545a214013f26d1ef2f44a9c9f8 ] + +Exit to userspace with KVM_INTERNAL_ERROR_EMULATION if we encounter +an exception in Protected Mode while emulating guest due to invalid +guest state. Unlike Big RM, KVM doesn't support emulating exceptions +in PM, i.e. PM exceptions are always injected via the VMCS. Because +we will never do VMRESUME due to emulation_required, the exception is +never realized and we'll keep emulating the faulting instruction over +and over until we receive a signal. + +Exit to userspace iff there is a pending exception, i.e. don't exit +simply on a requested event. The purpose of this check and exit is to +aid in debugging a guest that is in all likelihood already doomed. +Invalid guest state in PM is extremely limited in normal operation, +e.g. it generally only occurs for a few instructions early in BIOS, +and any exception at this time is all but guaranteed to be fatal. +Non-vectored interrupts, e.g. INIT, SIPI and SMI, can be cleanly +handled/emulated, while checking for vectored interrupts, e.g. INTR +and NMI, without hitting false positives would add a fair amount of +complexity for almost no benefit (getting hit by lightning seems +more likely than encountering this specific scenario). + +Add a WARN_ON_ONCE to vmx_queue_exception() if we try to inject an +exception via the VMCS and emulation_required is true. + +Signed-off-by: Sean Christopherson +Signed-off-by: Radim Krčmář +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/vmx.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -2555,6 +2555,8 @@ static void vmx_queue_exception(struct k + return; + } + ++ WARN_ON_ONCE(vmx->emulation_required); ++ + if (kvm_exception_is_soft(nr)) { + vmcs_write32(VM_ENTRY_INSTRUCTION_LEN, + vmx->vcpu.arch.event_exit_inst_len); +@@ -6849,12 +6851,12 @@ static int handle_invalid_guest_state(st + goto out; + } + +- if (err != EMULATE_DONE) { +- vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR; +- vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION; +- vcpu->run->internal.ndata = 0; +- return 0; +- } ++ if (err != EMULATE_DONE) ++ goto emulation_error; ++ ++ if (vmx->emulation_required && !vmx->rmode.vm86_active && ++ vcpu->arch.exception.pending) ++ goto emulation_error; + + if (vcpu->arch.halt_request) { + vcpu->arch.halt_request = 0; +@@ -6870,6 +6872,12 @@ static int handle_invalid_guest_state(st + + out: + return ret; ++ ++emulation_error: ++ vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR; ++ vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION; ++ vcpu->run->internal.ndata = 0; ++ return 0; + } + + static int __grow_ple_window(int val) diff --git a/queue-4.16/lan78xx-connect-phy-early.patch b/queue-4.16/lan78xx-connect-phy-early.patch new file mode 100644 index 00000000000..ad1ca9d8cfb --- /dev/null +++ b/queue-4.16/lan78xx-connect-phy-early.patch @@ -0,0 +1,174 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Alexander Graf +Date: Wed, 4 Apr 2018 00:19:35 +0200 +Subject: lan78xx: Connect phy early + +From: Alexander Graf + +[ Upstream commit 92571a1aae40d291158d16e7142637908220f470 ] + +When using wicked with a lan78xx device attached to the system, we +end up with ethtool commands issued on the device before an ifup +got issued. That lead to the following crash: + + Unable to handle kernel NULL pointer dereference at virtual address 0000039c + pgd = ffff800035b30000 + [0000039c] *pgd=0000000000000000 + Internal error: Oops: 96000004 [#1] SMP + Modules linked in: [...] + Supported: Yes + CPU: 3 PID: 638 Comm: wickedd Tainted: G E 4.12.14-0-default #1 + Hardware name: raspberrypi rpi/rpi, BIOS 2018.03-rc2 02/21/2018 + task: ffff800035e74180 task.stack: ffff800036718000 + PC is at phy_ethtool_ksettings_get+0x20/0x98 + LR is at lan78xx_get_link_ksettings+0x44/0x60 [lan78xx] + pc : [] lr : [] pstate: 20000005 + sp : ffff80003671bb20 + x29: ffff80003671bb20 x28: ffff800035e74180 + x27: ffff000008912000 x26: 000000000000001d + x25: 0000000000000124 x24: ffff000008f74d00 + x23: 0000004000114809 x22: 0000000000000000 + x21: ffff80003671bbd0 x20: 0000000000000000 + x19: ffff80003671bbd0 x18: 000000000000040d + x17: 0000000000000001 x16: 0000000000000000 + x15: 0000000000000000 x14: ffffffffffffffff + x13: 0000000000000000 x12: 0000000000000020 + x11: 0101010101010101 x10: fefefefefefefeff + x9 : 7f7f7f7f7f7f7f7f x8 : fefefeff31677364 + x7 : 0000000080808080 x6 : ffff80003671bc9c + x5 : ffff80003671b9f8 x4 : ffff80002c296190 + x3 : 0000000000000000 x2 : 0000000000000000 + x1 : ffff80003671bbd0 x0 : ffff80003671bc00 + Process wickedd (pid: 638, stack limit = 0xffff800036718000) + Call trace: + Exception stack(0xffff80003671b9e0 to 0xffff80003671bb20) + b9e0: ffff80003671bc00 ffff80003671bbd0 0000000000000000 0000000000000000 + ba00: ffff80002c296190 ffff80003671b9f8 ffff80003671bc9c 0000000080808080 + ba20: fefefeff31677364 7f7f7f7f7f7f7f7f fefefefefefefeff 0101010101010101 + ba40: 0000000000000020 0000000000000000 ffffffffffffffff 0000000000000000 + ba60: 0000000000000000 0000000000000001 000000000000040d ffff80003671bbd0 + ba80: 0000000000000000 ffff80003671bbd0 0000000000000000 0000004000114809 + baa0: ffff000008f74d00 0000000000000124 000000000000001d ffff000008912000 + bac0: ffff800035e74180 ffff80003671bb20 ffff000000dcca84 ffff80003671bb20 + bae0: ffff0000086f7f30 0000000020000005 ffff80002c296000 ffff800035223900 + bb00: 0000ffffffffffff 0000000000000000 ffff80003671bb20 ffff0000086f7f30 + [] phy_ethtool_ksettings_get+0x20/0x98 + [] lan78xx_get_link_ksettings+0x44/0x60 [lan78xx] + [] ethtool_get_settings+0x68/0x210 + [] dev_ethtool+0x214/0x2180 + [] dev_ioctl+0x400/0x630 + [] sock_do_ioctl+0x70/0x88 + [] sock_ioctl+0x208/0x368 + [] do_vfs_ioctl+0xb0/0x848 + [] SyS_ioctl+0x8c/0xa8 + Exception stack(0xffff80003671bec0 to 0xffff80003671c000) + bec0: 0000000000000009 0000000000008946 0000fffff4e841d0 0000aa0032687465 + bee0: 0000aaaafa2319d4 0000fffff4e841d4 0000000032687465 0000000032687465 + bf00: 000000000000001d 7f7fff7f7f7f7f7f 72606b622e71ff4c 7f7f7f7f7f7f7f7f + bf20: 0101010101010101 0000000000000020 ffffffffffffffff 0000ffff7f510c68 + bf40: 0000ffff7f6a9d18 0000ffff7f44ce30 000000000000040d 0000ffff7f6f98f0 + bf60: 0000fffff4e842c0 0000000000000001 0000aaaafa2c2e00 0000ffff7f6ab000 + bf80: 0000fffff4e842c0 0000ffff7f62a000 0000aaaafa2b9f20 0000aaaafa2c2e00 + bfa0: 0000fffff4e84818 0000fffff4e841a0 0000ffff7f5ad0cc 0000fffff4e841a0 + bfc0: 0000ffff7f44ce3c 0000000080000000 0000000000000009 000000000000001d + bfe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 + +The culprit is quite simple: The driver tries to access the phy left and right, +but only actually has a working reference to it when the device is up. + +The fix thus is quite simple too: Get a reference to the phy on probe already +and keep it even when the device is going down. + +With this patch applied, I can successfully run wicked on my system and bring +the interface up and down as many times as I want, without getting NULL pointer +dereferences in between. + +Signed-off-by: Alexander Graf +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/lan78xx.c | 34 ++++++++++++++++++---------------- + 1 file changed, 18 insertions(+), 16 deletions(-) + +--- a/drivers/net/usb/lan78xx.c ++++ b/drivers/net/usb/lan78xx.c +@@ -2083,10 +2083,6 @@ static int lan78xx_phy_init(struct lan78 + + dev->fc_autoneg = phydev->autoneg; + +- phy_start(phydev); +- +- netif_dbg(dev, ifup, dev->net, "phy initialised successfully"); +- + return 0; + + error: +@@ -2523,9 +2519,9 @@ static int lan78xx_open(struct net_devic + if (ret < 0) + goto done; + +- ret = lan78xx_phy_init(dev); +- if (ret < 0) +- goto done; ++ phy_start(net->phydev); ++ ++ netif_dbg(dev, ifup, dev->net, "phy initialised successfully"); + + /* for Link Check */ + if (dev->urb_intr) { +@@ -2586,13 +2582,8 @@ static int lan78xx_stop(struct net_devic + if (timer_pending(&dev->stat_monitor)) + del_timer_sync(&dev->stat_monitor); + +- phy_unregister_fixup_for_uid(PHY_KSZ9031RNX, 0xfffffff0); +- phy_unregister_fixup_for_uid(PHY_LAN8835, 0xfffffff0); +- +- phy_stop(net->phydev); +- phy_disconnect(net->phydev); +- +- net->phydev = NULL; ++ if (net->phydev) ++ phy_stop(net->phydev); + + clear_bit(EVENT_DEV_OPEN, &dev->flags); + netif_stop_queue(net); +@@ -3507,8 +3498,13 @@ static void lan78xx_disconnect(struct us + return; + + udev = interface_to_usbdev(intf); +- + net = dev->net; ++ ++ phy_unregister_fixup_for_uid(PHY_KSZ9031RNX, 0xfffffff0); ++ phy_unregister_fixup_for_uid(PHY_LAN8835, 0xfffffff0); ++ ++ phy_disconnect(net->phydev); ++ + unregister_netdev(net); + + cancel_delayed_work_sync(&dev->wq); +@@ -3664,8 +3660,14 @@ static int lan78xx_probe(struct usb_inte + pm_runtime_set_autosuspend_delay(&udev->dev, + DEFAULT_AUTOSUSPEND_DELAY); + ++ ret = lan78xx_phy_init(dev); ++ if (ret < 0) ++ goto out4; ++ + return 0; + ++out4: ++ unregister_netdev(netdev); + out3: + lan78xx_unbind(dev, intf); + out2: +@@ -4013,7 +4015,7 @@ static int lan78xx_reset_resume(struct u + + lan78xx_reset(dev); + +- lan78xx_phy_init(dev); ++ phy_start(dev->net->phydev); + + return lan78xx_resume(intf); + } diff --git a/queue-4.16/loop-don-t-call-into-filesystem-while-holding-lo_ctl_mutex.patch b/queue-4.16/loop-don-t-call-into-filesystem-while-holding-lo_ctl_mutex.patch new file mode 100644 index 00000000000..0c84355b743 --- /dev/null +++ b/queue-4.16/loop-don-t-call-into-filesystem-while-holding-lo_ctl_mutex.patch @@ -0,0 +1,107 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Omar Sandoval +Date: Mon, 26 Mar 2018 21:39:11 -0700 +Subject: loop: don't call into filesystem while holding lo_ctl_mutex + +From: Omar Sandoval + +[ Upstream commit 2d1d4c1e591fd40bd7dafd868a249d7d00e215d5 ] + +We hit an issue where a loop device on NFS was stuck in +loop_get_status() doing vfs_getattr() after the NFS server died, which +caused a pile-up of uninterruptible processes waiting on lo_ctl_mutex. +There's no reason to hold this lock while we wait on the filesystem; +let's drop it so that other processes can do their thing. We need to +grab a reference on lo_backing_file while we use it, and we can get rid +of the check on lo_device, which has been unnecessary since commit +a34c0ae9ebd6 ("[PATCH] loop: remove the bio remapping capability") in +the linux-history tree. + +Signed-off-by: Omar Sandoval +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/loop.c | 38 ++++++++++++++++++++++++-------------- + 1 file changed, 24 insertions(+), 14 deletions(-) + +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -1171,21 +1171,17 @@ loop_set_status(struct loop_device *lo, + static int + loop_get_status(struct loop_device *lo, struct loop_info64 *info) + { +- struct file *file = lo->lo_backing_file; ++ struct file *file; + struct kstat stat; +- int error; ++ int ret; + +- if (lo->lo_state != Lo_bound) ++ if (lo->lo_state != Lo_bound) { ++ mutex_unlock(&lo->lo_ctl_mutex); + return -ENXIO; +- error = vfs_getattr(&file->f_path, &stat, +- STATX_INO, AT_STATX_SYNC_AS_STAT); +- if (error) +- return error; ++ } ++ + memset(info, 0, sizeof(*info)); + info->lo_number = lo->lo_number; +- info->lo_device = huge_encode_dev(stat.dev); +- info->lo_inode = stat.ino; +- info->lo_rdevice = huge_encode_dev(lo->lo_device ? stat.rdev : stat.dev); + info->lo_offset = lo->lo_offset; + info->lo_sizelimit = lo->lo_sizelimit; + info->lo_flags = lo->lo_flags; +@@ -1198,7 +1194,19 @@ loop_get_status(struct loop_device *lo, + memcpy(info->lo_encrypt_key, lo->lo_encrypt_key, + lo->lo_encrypt_key_size); + } +- return 0; ++ ++ /* Drop lo_ctl_mutex while we call into the filesystem. */ ++ file = get_file(lo->lo_backing_file); ++ mutex_unlock(&lo->lo_ctl_mutex); ++ ret = vfs_getattr(&file->f_path, &stat, STATX_INO, ++ AT_STATX_SYNC_AS_STAT); ++ if (!ret) { ++ info->lo_device = huge_encode_dev(stat.dev); ++ info->lo_inode = stat.ino; ++ info->lo_rdevice = huge_encode_dev(stat.rdev); ++ } ++ fput(file); ++ return ret; + } + + static void +@@ -1378,7 +1386,8 @@ static int lo_ioctl(struct block_device + break; + case LOOP_GET_STATUS: + err = loop_get_status_old(lo, (struct loop_info __user *) arg); +- break; ++ /* loop_get_status() unlocks lo_ctl_mutex */ ++ goto out_unlocked; + case LOOP_SET_STATUS64: + err = -EPERM; + if ((mode & FMODE_WRITE) || capable(CAP_SYS_ADMIN)) +@@ -1387,7 +1396,8 @@ static int lo_ioctl(struct block_device + break; + case LOOP_GET_STATUS64: + err = loop_get_status64(lo, (struct loop_info64 __user *) arg); +- break; ++ /* loop_get_status() unlocks lo_ctl_mutex */ ++ goto out_unlocked; + case LOOP_SET_CAPACITY: + err = -EPERM; + if ((mode & FMODE_WRITE) || capable(CAP_SYS_ADMIN)) +@@ -1548,7 +1558,7 @@ static int lo_compat_ioctl(struct block_ + mutex_lock(&lo->lo_ctl_mutex); + err = loop_get_status_compat( + lo, (struct compat_loop_info __user *) arg); +- mutex_unlock(&lo->lo_ctl_mutex); ++ /* loop_get_status() unlocks lo_ctl_mutex */ + break; + case LOOP_SET_CAPACITY: + case LOOP_CLR_FD: diff --git a/queue-4.16/m68k-set-dma-and-coherent-masks-for-platform-fec-ethernets.patch b/queue-4.16/m68k-set-dma-and-coherent-masks-for-platform-fec-ethernets.patch new file mode 100644 index 00000000000..1ad91183d43 --- /dev/null +++ b/queue-4.16/m68k-set-dma-and-coherent-masks-for-platform-fec-ethernets.patch @@ -0,0 +1,72 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Greg Ungerer +Date: Wed, 28 Mar 2018 17:12:18 +1000 +Subject: m68k: set dma and coherent masks for platform FEC ethernets + +From: Greg Ungerer + +[ Upstream commit f61e64310b75733d782e930d1fb404b84699eed6 ] + +As of commit 205e1b7f51e4 ("dma-mapping: warn when there is no +coherent_dma_mask") the Freescale FEC driver is issuing the following +warning on driver initialization on ColdFire systems: + +WARNING: CPU: 0 PID: 1 at ./include/linux/dma-mapping.h:516 0x40159e20 +Modules linked in: +CPU: 0 PID: 1 Comm: swapper Not tainted 4.16.0-rc7-dirty #4 +Stack from 41833dd8: + 41833dd8 40259c53 40025534 40279e26 00000003 00000000 4004e514 41827000 + 400255de 40244e42 00000204 40159e20 00000009 00000000 00000000 4024531d + 40159e20 40244e42 00000204 00000000 00000000 00000000 00000007 00000000 + 00000000 40279e26 4028d040 40226576 4003ae88 40279e26 418273f6 41833ef8 + 7fffffff 418273f2 41867028 4003c9a2 4180ac6c 00000004 41833f8c 4013e71c + 40279e1c 40279e26 40226c16 4013ced2 40279e26 40279e58 4028d040 00000000 +Call Trace: + [<40025534>] 0x40025534 + [<4004e514>] 0x4004e514 + [<400255de>] 0x400255de + [<40159e20>] 0x40159e20 + [<40159e20>] 0x40159e20 + +It is not fatal, the driver and the system continue to function normally. + +As per the warning the coherent_dma_mask is not set on this device. +There is nothing special about the DMA memory coherency on this hardware +so we can just set the mask to 32bits in the platform data for the FEC +ethernet devices. + +Signed-off-by: Greg Ungerer +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/m68k/coldfire/device.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/arch/m68k/coldfire/device.c ++++ b/arch/m68k/coldfire/device.c +@@ -135,7 +135,11 @@ static struct platform_device mcf_fec0 = + .id = 0, + .num_resources = ARRAY_SIZE(mcf_fec0_resources), + .resource = mcf_fec0_resources, +- .dev.platform_data = FEC_PDATA, ++ .dev = { ++ .dma_mask = &mcf_fec0.dev.coherent_dma_mask, ++ .coherent_dma_mask = DMA_BIT_MASK(32), ++ .platform_data = FEC_PDATA, ++ } + }; + + #ifdef MCFFEC_BASE1 +@@ -167,7 +171,11 @@ static struct platform_device mcf_fec1 = + .id = 1, + .num_resources = ARRAY_SIZE(mcf_fec1_resources), + .resource = mcf_fec1_resources, +- .dev.platform_data = FEC_PDATA, ++ .dev = { ++ .dma_mask = &mcf_fec1.dev.coherent_dma_mask, ++ .coherent_dma_mask = DMA_BIT_MASK(32), ++ .platform_data = FEC_PDATA, ++ } + }; + #endif /* MCFFEC_BASE1 */ + #endif /* CONFIG_FEC */ diff --git a/queue-4.16/mac80211-don-t-warn-on-bad-wmm-parameters-from-buggy-aps.patch b/queue-4.16/mac80211-don-t-warn-on-bad-wmm-parameters-from-buggy-aps.patch new file mode 100644 index 00000000000..a04ee2a59a2 --- /dev/null +++ b/queue-4.16/mac80211-don-t-warn-on-bad-wmm-parameters-from-buggy-aps.patch @@ -0,0 +1,42 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Emmanuel Grumbach +Date: Mon, 26 Mar 2018 16:21:04 +0300 +Subject: mac80211: don't WARN on bad WMM parameters from buggy APs + +From: Emmanuel Grumbach + +[ Upstream commit c470bdc1aaf36669e04ba65faf1092b2d1c6cabe ] + +Apparently, some APs are buggy enough to send a zeroed +WMM IE. Don't WARN on this since this is not caused by a bug +on the client's system. + +This aligns the condition of the WARNING in drv_conf_tx +with the validity check in ieee80211_sta_wmm_params. +We will now pick the default values whenever we get +a zeroed WMM IE. + +This has been reported here: +https://bugzilla.kernel.org/show_bug.cgi?id=199161 + +Fixes: f409079bb678 ("mac80211: sanity check CW_min/CW_max towards driver") +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/mlme.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -1786,7 +1786,8 @@ static bool ieee80211_sta_wmm_params(str + params[ac].acm = acm; + params[ac].uapsd = uapsd; + +- if (params[ac].cw_min > params[ac].cw_max) { ++ if (params->cw_min == 0 || ++ params[ac].cw_min > params[ac].cw_max) { + sdata_info(sdata, + "AP has invalid WMM params (CWmin/max=%d/%d for ACI %d), using defaults\n", + params[ac].cw_min, params[ac].cw_max, aci); diff --git a/queue-4.16/max17042-propagate-of_node-to-power-supply-device.patch b/queue-4.16/max17042-propagate-of_node-to-power-supply-device.patch new file mode 100644 index 00000000000..b3841c14d5d --- /dev/null +++ b/queue-4.16/max17042-propagate-of_node-to-power-supply-device.patch @@ -0,0 +1,34 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Pierre Bourdon +Date: Tue, 20 Feb 2018 16:03:18 +0100 +Subject: max17042: propagate of_node to power supply device + +From: Pierre Bourdon + +[ Upstream commit 66ec32fc7cd116dab5c02603ea8ec28ff92da3b5 ] + +max17042_get_status uses the core power_supply_am_i_supplied. That +function relies on DT properties to figure out the power supply +topology, and will error out without DT. + +Fixes max17042 battery status being reported as "unknown". + +Signed-off-by: Pierre Bourdon +Signed-off-by: Andre Heider +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/max17042_battery.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/power/supply/max17042_battery.c ++++ b/drivers/power/supply/max17042_battery.c +@@ -1053,6 +1053,7 @@ static int max17042_probe(struct i2c_cli + + i2c_set_clientdata(client, chip); + psy_cfg.drv_data = chip; ++ psy_cfg.of_node = dev->of_node; + + /* When current is not measured, + * CURRENT_NOW and CURRENT_AVG properties should be invisible. */ diff --git a/queue-4.16/media-cx23885-override-888-impactvcbe-crystal-frequency.patch b/queue-4.16/media-cx23885-override-888-impactvcbe-crystal-frequency.patch new file mode 100644 index 00000000000..9c0422894f2 --- /dev/null +++ b/queue-4.16/media-cx23885-override-888-impactvcbe-crystal-frequency.patch @@ -0,0 +1,43 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Brad Love +Date: Tue, 6 Mar 2018 14:15:37 -0500 +Subject: media: cx23885: Override 888 ImpactVCBe crystal frequency + +From: Brad Love + +[ Upstream commit 779c79d4b833ec646b0aed878da38edb45bbe156 ] + +Hauppauge produced a revision of ImpactVCBe using an 888, +with a 25MHz crystal, instead of using the default third +overtone 50Mhz crystal. This overrides that frequency so +that the cx25840 is properly configured. Without the proper +crystal setup the cx25840 cannot load the firmware or +decode video. + +Signed-off-by: Brad Love +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/pci/cx23885/cx23885-core.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/media/pci/cx23885/cx23885-core.c ++++ b/drivers/media/pci/cx23885/cx23885-core.c +@@ -873,6 +873,16 @@ static int cx23885_dev_setup(struct cx23 + if (cx23885_boards[dev->board].clk_freq > 0) + dev->clk_freq = cx23885_boards[dev->board].clk_freq; + ++ if (dev->board == CX23885_BOARD_HAUPPAUGE_IMPACTVCBE && ++ dev->pci->subsystem_device == 0x7137) { ++ /* Hauppauge ImpactVCBe device ID 0x7137 is populated ++ * with an 888, and a 25Mhz crystal, instead of the ++ * usual third overtone 50Mhz. The default clock rate must ++ * be overridden so the cx25840 is properly configured ++ */ ++ dev->clk_freq = 25000000; ++ } ++ + dev->pci_bus = dev->pci->bus->number; + dev->pci_slot = PCI_SLOT(dev->pci->devfn); + cx23885_irq_add(dev, 0x001f00); diff --git a/queue-4.16/media-cx23885-set-subdev-host-data-to-clk_freq-pointer.patch b/queue-4.16/media-cx23885-set-subdev-host-data-to-clk_freq-pointer.patch new file mode 100644 index 00000000000..81c09d80e69 --- /dev/null +++ b/queue-4.16/media-cx23885-set-subdev-host-data-to-clk_freq-pointer.patch @@ -0,0 +1,36 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Brad Love +Date: Tue, 6 Mar 2018 14:15:36 -0500 +Subject: media: cx23885: Set subdev host data to clk_freq pointer + +From: Brad Love + +[ Upstream commit 5ceade1d97fc6687e050c44c257382c192f56276 ] + +Currently clk_freq is ignored entirely, because the cx235840 driver +configures the xtal at the chip defaults. This is an issue if a +board is produced with a non-default frequency crystal. If clk_freq +is not zero the cx25840 will attempt to use the setting provided, +or fall back to defaults otherwise. + +Signed-off-by: Brad Love +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/pci/cx23885/cx23885-cards.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/media/pci/cx23885/cx23885-cards.c ++++ b/drivers/media/pci/cx23885/cx23885-cards.c +@@ -2286,6 +2286,10 @@ void cx23885_card_setup(struct cx23885_d + &dev->i2c_bus[2].i2c_adap, + "cx25840", 0x88 >> 1, NULL); + if (dev->sd_cx25840) { ++ /* set host data for clk_freq configuration */ ++ v4l2_set_subdev_hostdata(dev->sd_cx25840, ++ &dev->clk_freq); ++ + dev->sd_cx25840->grp_id = CX23885_HW_AV_CORE; + v4l2_subdev_call(dev->sd_cx25840, core, load_fw); + } diff --git a/queue-4.16/media-cx25821-prevent-out-of-bounds-read-on-array-card.patch b/queue-4.16/media-cx25821-prevent-out-of-bounds-read-on-array-card.patch new file mode 100644 index 00000000000..0b848bbd51d --- /dev/null +++ b/queue-4.16/media-cx25821-prevent-out-of-bounds-read-on-array-card.patch @@ -0,0 +1,53 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Colin Ian King +Date: Wed, 31 Jan 2018 12:33:09 -0500 +Subject: media: cx25821: prevent out-of-bounds read on array card + +From: Colin Ian King + +[ Upstream commit 67300abdbe9f1717532aaf4e037222762716d0f6 ] + +Currently an out of range dev->nr is detected by just reporting the +issue and later on an out-of-bounds read on array card occurs because +of this. Fix this by checking the upper range of dev->nr with the size +of array card (removes the hard coded size), move this check earlier +and also exit with the error -ENOSYS to avoid the later out-of-bounds +array read. + +Detected by CoverityScan, CID#711191 ("Out-of-bounds-read") + +Fixes: commit 02b20b0b4cde ("V4L/DVB (12730): Add conexant cx25821 driver") + +Signed-off-by: Colin Ian King +Signed-off-by: Hans Verkuil +[hans.verkuil@cisco.com: %ld -> %zd] +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/pci/cx25821/cx25821-core.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/media/pci/cx25821/cx25821-core.c ++++ b/drivers/media/pci/cx25821/cx25821-core.c +@@ -867,6 +867,10 @@ static int cx25821_dev_setup(struct cx25 + dev->nr = ++cx25821_devcount; + sprintf(dev->name, "cx25821[%d]", dev->nr); + ++ if (dev->nr >= ARRAY_SIZE(card)) { ++ CX25821_INFO("dev->nr >= %zd", ARRAY_SIZE(card)); ++ return -ENODEV; ++ } + if (dev->pci->device != 0x8210) { + pr_info("%s(): Exiting. Incorrect Hardware device = 0x%02x\n", + __func__, dev->pci->device); +@@ -882,9 +886,6 @@ static int cx25821_dev_setup(struct cx25 + dev->channels[i].sram_channels = &cx25821_sram_channels[i]; + } + +- if (dev->nr > 1) +- CX25821_INFO("dev->nr > 1!"); +- + /* board config */ + dev->board = 1; /* card[dev->nr]; */ + dev->_max_num_decoders = MAX_DECODERS; diff --git a/queue-4.16/media-em28xx-add-hauppauge-solohd-dualhd-bulk-models.patch b/queue-4.16/media-em28xx-add-hauppauge-solohd-dualhd-bulk-models.patch new file mode 100644 index 00000000000..e2d5d94524e --- /dev/null +++ b/queue-4.16/media-em28xx-add-hauppauge-solohd-dualhd-bulk-models.patch @@ -0,0 +1,81 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Brad Love +Date: Thu, 4 Jan 2018 19:04:15 -0500 +Subject: media: em28xx: Add Hauppauge SoloHD/DualHD bulk models + +From: Brad Love + +[ Upstream commit f2a326c928cca1f5e36a3dceaf66e8c6b34e9cb8 ] + +Add additional pids to driver list + +Signed-off-by: Brad Love +Reviewed-by: Michael Ira Krufky +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/em28xx/em28xx-cards.c | 22 +++++++++++++++++----- + 1 file changed, 17 insertions(+), 5 deletions(-) + +--- a/drivers/media/usb/em28xx/em28xx-cards.c ++++ b/drivers/media/usb/em28xx/em28xx-cards.c +@@ -507,8 +507,10 @@ static struct em28xx_reg_seq plex_px_bcu + }; + + /* +- * 2040:0265 Hauppauge WinTV-dualHD DVB +- * 2040:026d Hauppauge WinTV-dualHD ATSC/QAM ++ * 2040:0265 Hauppauge WinTV-dualHD DVB Isoc ++ * 2040:8265 Hauppauge WinTV-dualHD DVB Bulk ++ * 2040:026d Hauppauge WinTV-dualHD ATSC/QAM Isoc ++ * 2040:826d Hauppauge WinTV-dualHD ATSC/QAM Bulk + * reg 0x80/0x84: + * GPIO_0: Yellow LED tuner 1, 0=on, 1=off + * GPIO_1: Green LED tuner 1, 0=on, 1=off +@@ -2391,7 +2393,8 @@ struct em28xx_board em28xx_boards[] = { + .has_dvb = 1, + }, + /* +- * 2040:0265 Hauppauge WinTV-dualHD (DVB version). ++ * 2040:0265 Hauppauge WinTV-dualHD (DVB version) Isoc. ++ * 2040:8265 Hauppauge WinTV-dualHD (DVB version) Bulk. + * Empia EM28274, 2x Silicon Labs Si2168, 2x Silicon Labs Si2157 + */ + [EM28174_BOARD_HAUPPAUGE_WINTV_DUALHD_DVB] = { +@@ -2406,7 +2409,8 @@ struct em28xx_board em28xx_boards[] = { + .leds = hauppauge_dualhd_leds, + }, + /* +- * 2040:026d Hauppauge WinTV-dualHD (model 01595 - ATSC/QAM). ++ * 2040:026d Hauppauge WinTV-dualHD (model 01595 - ATSC/QAM) Isoc. ++ * 2040:826d Hauppauge WinTV-dualHD (model 01595 - ATSC/QAM) Bulk. + * Empia EM28274, 2x LG LGDT3306A, 2x Silicon Labs Si2157 + */ + [EM28174_BOARD_HAUPPAUGE_WINTV_DUALHD_01595] = { +@@ -2547,8 +2551,12 @@ struct usb_device_id em28xx_id_table[] = + .driver_info = EM2883_BOARD_HAUPPAUGE_WINTV_HVR_850 }, + { USB_DEVICE(0x2040, 0x0265), + .driver_info = EM28174_BOARD_HAUPPAUGE_WINTV_DUALHD_DVB }, ++ { USB_DEVICE(0x2040, 0x8265), ++ .driver_info = EM28174_BOARD_HAUPPAUGE_WINTV_DUALHD_DVB }, + { USB_DEVICE(0x2040, 0x026d), + .driver_info = EM28174_BOARD_HAUPPAUGE_WINTV_DUALHD_01595 }, ++ { USB_DEVICE(0x2040, 0x826d), ++ .driver_info = EM28174_BOARD_HAUPPAUGE_WINTV_DUALHD_01595 }, + { USB_DEVICE(0x0438, 0xb002), + .driver_info = EM2880_BOARD_AMD_ATI_TV_WONDER_HD_600 }, + { USB_DEVICE(0x2001, 0xf112), +@@ -2609,7 +2617,11 @@ struct usb_device_id em28xx_id_table[] = + .driver_info = EM28178_BOARD_PCTV_461E }, + { USB_DEVICE(0x2013, 0x025f), + .driver_info = EM28178_BOARD_PCTV_292E }, +- { USB_DEVICE(0x2040, 0x0264), /* Hauppauge WinTV-soloHD */ ++ { USB_DEVICE(0x2040, 0x0264), /* Hauppauge WinTV-soloHD Isoc */ ++ .driver_info = EM28178_BOARD_PCTV_292E }, ++ { USB_DEVICE(0x2040, 0x8264), /* Hauppauge OEM Generic WinTV-soloHD Bulk */ ++ .driver_info = EM28178_BOARD_PCTV_292E }, ++ { USB_DEVICE(0x2040, 0x8268), /* Hauppauge Retail WinTV-soloHD Bulk */ + .driver_info = EM28178_BOARD_PCTV_292E }, + { USB_DEVICE(0x0413, 0x6f07), + .driver_info = EM2861_BOARD_LEADTEK_VC100 }, diff --git a/queue-4.16/media-em28xx-usb-bulk-packet-size-fix.patch b/queue-4.16/media-em28xx-usb-bulk-packet-size-fix.patch new file mode 100644 index 00000000000..cf6a2f5e5ea --- /dev/null +++ b/queue-4.16/media-em28xx-usb-bulk-packet-size-fix.patch @@ -0,0 +1,46 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Brad Love +Date: Thu, 4 Jan 2018 19:04:13 -0500 +Subject: media: em28xx: USB bulk packet size fix + +From: Brad Love + +[ Upstream commit c7c7e8d7803406daa21e96d00c357de8b77b6764 ] + +Hauppauge em28xx bulk devices exhibit continuity errors and corrupted +packets, when run in VMWare virtual machines. Unknown if other +manufacturers bulk models exhibit the same issue. KVM/Qemu is unaffected. + +According to documentation the maximum packet multiplier for em28xx in bulk +transfer mode is 256 * 188 bytes. This changes the size of bulk transfers +to maximum supported value and have a bonus beneficial alignment. + +Before: + +After: + +This sets up USB to expect just as many bytes as the em28xx is set to emit. + +Successful usage under load afterwards natively and in both VMWare +and KVM/Qemu virtual machines. + +Signed-off-by: Brad Love +Reviewed-by: Michael Ira Krufky +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/em28xx/em28xx.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/usb/em28xx/em28xx.h ++++ b/drivers/media/usb/em28xx/em28xx.h +@@ -191,7 +191,7 @@ + USB 2.0 spec says bulk packet size is always 512 bytes + */ + #define EM28XX_BULK_PACKET_MULTIPLIER 384 +-#define EM28XX_DVB_BULK_PACKET_MULTIPLIER 384 ++#define EM28XX_DVB_BULK_PACKET_MULTIPLIER 94 + + #define EM28XX_INTERLACED_DEFAULT 1 + diff --git a/queue-4.16/media-i2c-adv748x-fix-hdmi-field-heights.patch b/queue-4.16/media-i2c-adv748x-fix-hdmi-field-heights.patch new file mode 100644 index 00000000000..e480ed4ea81 --- /dev/null +++ b/queue-4.16/media-i2c-adv748x-fix-hdmi-field-heights.patch @@ -0,0 +1,43 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Kieran Bingham +Date: Mon, 8 Jan 2018 13:14:04 -0500 +Subject: media: i2c: adv748x: fix HDMI field heights + +From: Kieran Bingham + +[ Upstream commit 9f564184e6cc21a86c26bab920afac1bab7653ff ] + +The ADV748x handles interlaced media using V4L2_FIELD_ALTERNATE field +types. The correct specification for the height on the mbus is the +image height, in this instance, the field height. + +The AFE component already correctly adjusts the height on the mbus, but +the HDMI component got left behind. + +Adjust the mbus height to correctly describe the image height of the +fields when processing interlaced video for HDMI pipelines. + +Fixes: 3e89586a64df ("media: i2c: adv748x: add adv748x driver") + +Reviewed-by: Niklas Söderlund +Signed-off-by: Kieran Bingham +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/adv748x/adv748x-hdmi.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/media/i2c/adv748x/adv748x-hdmi.c ++++ b/drivers/media/i2c/adv748x/adv748x-hdmi.c +@@ -105,6 +105,9 @@ static void adv748x_hdmi_fill_format(str + + fmt->width = hdmi->timings.bt.width; + fmt->height = hdmi->timings.bt.height; ++ ++ if (fmt->field == V4L2_FIELD_ALTERNATE) ++ fmt->height /= 2; + } + + static void adv748x_fill_optional_dv_timings(struct v4l2_dv_timings *timings) diff --git a/queue-4.16/media-lgdt3306a-fix-a-double-kfree-on-i2c-device-remove.patch b/queue-4.16/media-lgdt3306a-fix-a-double-kfree-on-i2c-device-remove.patch new file mode 100644 index 00000000000..f9463771260 --- /dev/null +++ b/queue-4.16/media-lgdt3306a-fix-a-double-kfree-on-i2c-device-remove.patch @@ -0,0 +1,38 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Brad Love +Date: Fri, 5 Jan 2018 09:57:13 -0500 +Subject: media: lgdt3306a: Fix a double kfree on i2c device remove + +From: Brad Love + +[ Upstream commit 94448e21cf08b10f7dc7acdaca387594370396b0 ] + +Both lgdt33606a_release and lgdt3306a_remove kfree state, but _release is +called first, then _remove operates on states members before kfree'ing it. +This can lead to random oops/GPF/etc on USB disconnect. + +Signed-off-by: Brad Love +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/dvb-frontends/lgdt3306a.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/media/dvb-frontends/lgdt3306a.c ++++ b/drivers/media/dvb-frontends/lgdt3306a.c +@@ -1768,7 +1768,13 @@ static void lgdt3306a_release(struct dvb + struct lgdt3306a_state *state = fe->demodulator_priv; + + dbg_info("\n"); +- kfree(state); ++ ++ /* ++ * If state->muxc is not NULL, then we are an i2c device ++ * and lgdt3306a_remove will clean up state ++ */ ++ if (!state->muxc) ++ kfree(state); + } + + static const struct dvb_frontend_ops lgdt3306a_ops; diff --git a/queue-4.16/media-lgdt3306a-fix-module-count-mismatch-on-usb-unplug.patch b/queue-4.16/media-lgdt3306a-fix-module-count-mismatch-on-usb-unplug.patch new file mode 100644 index 00000000000..947b7df678c --- /dev/null +++ b/queue-4.16/media-lgdt3306a-fix-module-count-mismatch-on-usb-unplug.patch @@ -0,0 +1,44 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Brad Love +Date: Fri, 5 Jan 2018 09:57:12 -0500 +Subject: media: lgdt3306a: Fix module count mismatch on usb unplug + +From: Brad Love + +[ Upstream commit 835d66173a38538c072a7c393d02360dcfac8582 ] + +When used as an i2c device there is a module usage count mismatch on +removal, preventing the driver from being used thereafter. dvb_attach +increments the usage count so it is properly balanced on removal. + +On disconnect of Hauppauge SoloHD/DualHD before: + +lsmod | grep lgdt3306a +lgdt3306a 28672 -1 +i2c_mux 16384 1 lgdt3306a + +On disconnect of Hauppauge SoloHD/DualHD after: + +lsmod | grep lgdt3306a +lgdt3306a 28672 0 +i2c_mux 16384 1 lgdt3306a + +Signed-off-by: Brad Love +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/dvb-frontends/lgdt3306a.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/dvb-frontends/lgdt3306a.c ++++ b/drivers/media/dvb-frontends/lgdt3306a.c +@@ -2175,7 +2175,7 @@ static int lgdt3306a_probe(struct i2c_cl + sizeof(struct lgdt3306a_config)); + + config->i2c_addr = client->addr; +- fe = lgdt3306a_attach(config, client->adapter); ++ fe = dvb_attach(lgdt3306a_attach, config, client->adapter); + if (fe == NULL) { + ret = -ENODEV; + goto err_fe; diff --git a/queue-4.16/media-ov5645-add-missing-of_node_put-in-error-path.patch b/queue-4.16/media-ov5645-add-missing-of_node_put-in-error-path.patch new file mode 100644 index 00000000000..91da58aee20 --- /dev/null +++ b/queue-4.16/media-ov5645-add-missing-of_node_put-in-error-path.patch @@ -0,0 +1,46 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Akinobu Mita +Date: Mon, 19 Mar 2018 12:14:17 -0400 +Subject: media: ov5645: add missing of_node_put() in error path + +From: Akinobu Mita + +[ Upstream commit 06fe932307d58108a11c3e603517dd2a73a57b80 ] + +The device node obtained with of_graph_get_next_endpoint() should be +released by calling of_node_put(). But it was not released when +v4l2_fwnode_endpoint_parse() failed. + +This change moves the of_node_put() call before the error check and +fixes the issue. + +Cc: Mauro Carvalho Chehab +Signed-off-by: Akinobu Mita +Acked-by: Todor Tomov +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/ov5645.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/media/i2c/ov5645.c ++++ b/drivers/media/i2c/ov5645.c +@@ -1131,13 +1131,14 @@ static int ov5645_probe(struct i2c_clien + + ret = v4l2_fwnode_endpoint_parse(of_fwnode_handle(endpoint), + &ov5645->ep); ++ ++ of_node_put(endpoint); ++ + if (ret < 0) { + dev_err(dev, "parsing endpoint node failed\n"); + return ret; + } + +- of_node_put(endpoint); +- + if (ov5645->ep.bus_type != V4L2_MBUS_CSI2) { + dev_err(dev, "invalid bus type, must be CSI2\n"); + return -EINVAL; diff --git a/queue-4.16/media-s3c-camif-fix-out-of-bounds-array-access.patch b/queue-4.16/media-s3c-camif-fix-out-of-bounds-array-access.patch new file mode 100644 index 00000000000..881eab31ab6 --- /dev/null +++ b/queue-4.16/media-s3c-camif-fix-out-of-bounds-array-access.patch @@ -0,0 +1,63 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Arnd Bergmann +Date: Tue, 16 Jan 2018 16:52:15 -0500 +Subject: media: s3c-camif: fix out-of-bounds array access + +From: Arnd Bergmann + +[ Upstream commit a398e043637a4819a0e96467bfecaabf3224dd62 ] + +While experimenting with older compiler versions, I ran +into a warning that no longer shows up on gcc-4.8 or newer: + +drivers/media/platform/s3c-camif/camif-capture.c: In function '__camif_subdev_try_format': +drivers/media/platform/s3c-camif/camif-capture.c:1265:25: error: array subscript is below array bounds + +This is an off-by-one bug, leading to an access before the start of the +array, while newer compilers silently assume this undefined behavior +cannot happen and leave the loop at index 0 if no other entry matches. + +As Sylvester explains, we actually need to ensure that the +value is within the range, so this reworks the loop to be +easier to parse correctly, and an additional check to fall +back on the first format value for any unexpected input. + +I found an existing gcc bug for it and added a reduced version +of the function there. + +Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69249#c3 +Fixes: babde1c243b2 ("[media] V4L: Add driver for S3C24XX/S3C64XX SoC series camera interface") + +Signed-off-by: Arnd Bergmann +Reviewed-by: Laurent Pinchart +Acked-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/s3c-camif/camif-capture.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/media/platform/s3c-camif/camif-capture.c ++++ b/drivers/media/platform/s3c-camif/camif-capture.c +@@ -1256,16 +1256,17 @@ static void __camif_subdev_try_format(st + { + const struct s3c_camif_variant *variant = camif->variant; + const struct vp_pix_limits *pix_lim; +- int i = ARRAY_SIZE(camif_mbus_formats); ++ unsigned int i; + + /* FIXME: constraints against codec or preview path ? */ + pix_lim = &variant->vp_pix_limits[VP_CODEC]; + +- while (i-- >= 0) ++ for (i = 0; i < ARRAY_SIZE(camif_mbus_formats); i++) + if (camif_mbus_formats[i] == mf->code) + break; + +- mf->code = camif_mbus_formats[i]; ++ if (i == ARRAY_SIZE(camif_mbus_formats)) ++ mf->code = camif_mbus_formats[0]; + + if (pad == CAMIF_SD_PAD_SINK) { + v4l_bound_align_image(&mf->width, 8, CAMIF_MAX_PIX_WIDTH, diff --git a/queue-4.16/media-v4l-vsp1-fix-display-stalls-when-requesting-too-many-inputs.patch b/queue-4.16/media-v4l-vsp1-fix-display-stalls-when-requesting-too-many-inputs.patch new file mode 100644 index 00000000000..62ad9e796d8 --- /dev/null +++ b/queue-4.16/media-v4l-vsp1-fix-display-stalls-when-requesting-too-many-inputs.patch @@ -0,0 +1,41 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Laurent Pinchart +Date: Sun, 3 Dec 2017 05:06:57 -0500 +Subject: media: v4l: vsp1: Fix display stalls when requesting too many inputs + +From: Laurent Pinchart + +[ Upstream commit 5e3e4cb5e24b92773b194aa90066170b12133bc6 ] + +Make sure we don't accept more inputs than the hardware can handle. This +is a temporary fix to avoid display stall, we need to instead allocate +the BRU or BRS to display pipelines dynamically based on the number of +planes they each use. + +Signed-off-by: Laurent Pinchart +Reviewed-by: Kieran Bingham +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/vsp1/vsp1_drm.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/media/platform/vsp1/vsp1_drm.c ++++ b/drivers/media/platform/vsp1/vsp1_drm.c +@@ -530,6 +530,15 @@ void vsp1_du_atomic_flush(struct device + struct vsp1_rwpf *rpf = vsp1->rpf[i]; + unsigned int j; + ++ /* ++ * Make sure we don't accept more inputs than the hardware can ++ * handle. This is a temporary fix to avoid display stall, we ++ * need to instead allocate the BRU or BRS to display pipelines ++ * dynamically based on the number of planes they each use. ++ */ ++ if (pipe->num_inputs >= pipe->bru->source_pad) ++ pipe->inputs[i] = NULL; ++ + if (!pipe->inputs[i]) + continue; + diff --git a/queue-4.16/media-vb2-fix-videobuf2-to-map-correct-area.patch b/queue-4.16/media-vb2-fix-videobuf2-to-map-correct-area.patch new file mode 100644 index 00000000000..22002487d43 --- /dev/null +++ b/queue-4.16/media-vb2-fix-videobuf2-to-map-correct-area.patch @@ -0,0 +1,40 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Masami Hiramatsu +Date: Tue, 6 Feb 2018 03:02:23 -0500 +Subject: media: vb2: Fix videobuf2 to map correct area + +From: Masami Hiramatsu + +[ Upstream commit d13a0139d7874a0577b5955d6eed895517d23b72 ] + +Fixes vb2_vmalloc_get_userptr() to ioremap correct area. +Since the current code does ioremap the page address, if the offset > 0, +it does not do ioremap the last page and results in kernel panic. + +This fixes to pass the size + offset to ioremap so that ioremap +can map correct area. Also, this uses __pfn_to_phys() to get the physical +address of given PFN. + +Signed-off-by: Masami Hiramatsu +Reported-by: Takao Orito +Reported-by: Fumihiro ATSUMI +Reviewed-by: Marek Szyprowski +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/common/videobuf2/videobuf2-vmalloc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/common/videobuf2/videobuf2-vmalloc.c ++++ b/drivers/media/common/videobuf2/videobuf2-vmalloc.c +@@ -106,7 +106,7 @@ static void *vb2_vmalloc_get_userptr(str + if (nums[i-1] + 1 != nums[i]) + goto fail_map; + buf->vaddr = (__force void *) +- ioremap_nocache(nums[0] << PAGE_SHIFT, size); ++ ioremap_nocache(__pfn_to_phys(nums[0]), size + offset); + } else { + buf->vaddr = vm_map_ram(frame_vector_pages(vec), n_pages, -1, + PAGE_KERNEL); diff --git a/queue-4.16/media-vivid-fix-incorrect-capabilities-for-radio.patch b/queue-4.16/media-vivid-fix-incorrect-capabilities-for-radio.patch new file mode 100644 index 00000000000..fafde799aa3 --- /dev/null +++ b/queue-4.16/media-vivid-fix-incorrect-capabilities-for-radio.patch @@ -0,0 +1,42 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Hans Verkuil +Date: Thu, 1 Feb 2018 02:36:33 -0500 +Subject: media: vivid: fix incorrect capabilities for radio + +From: Hans Verkuil + +[ Upstream commit 65243386f41d38460bfd4375d231a7c0346d0401 ] + +The vivid driver has two custom controls that change the behavior of RDS. +Depending on the control setting the V4L2_CAP_READWRITE capability is toggled. +However, after an earlier commit the capability was no longer set correctly. +This is now fixed. + +Fixes: 9765a32cd8 ("vivid: set device_caps in video_device") + +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/vivid/vivid-ctrls.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/media/platform/vivid/vivid-ctrls.c ++++ b/drivers/media/platform/vivid/vivid-ctrls.c +@@ -1208,6 +1208,7 @@ static int vivid_radio_rx_s_ctrl(struct + v4l2_ctrl_activate(dev->radio_rx_rds_ta, dev->radio_rx_rds_controls); + v4l2_ctrl_activate(dev->radio_rx_rds_tp, dev->radio_rx_rds_controls); + v4l2_ctrl_activate(dev->radio_rx_rds_ms, dev->radio_rx_rds_controls); ++ dev->radio_rx_dev.device_caps = dev->radio_rx_caps; + break; + case V4L2_CID_RDS_RECEPTION: + dev->radio_rx_rds_enabled = ctrl->val; +@@ -1282,6 +1283,7 @@ static int vivid_radio_tx_s_ctrl(struct + dev->radio_tx_caps &= ~V4L2_CAP_READWRITE; + if (!dev->radio_tx_rds_controls) + dev->radio_tx_caps |= V4L2_CAP_READWRITE; ++ dev->radio_tx_dev.device_caps = dev->radio_tx_caps; + break; + case V4L2_CID_RDS_TX_PTY: + if (dev->radio_rx_rds_controls) diff --git a/queue-4.16/memcg-fix-per_node_info-cleanup.patch b/queue-4.16/memcg-fix-per_node_info-cleanup.patch new file mode 100644 index 00000000000..a8ee2d81ad1 --- /dev/null +++ b/queue-4.16/memcg-fix-per_node_info-cleanup.patch @@ -0,0 +1,47 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Michal Hocko +Date: Tue, 10 Apr 2018 16:29:52 -0700 +Subject: memcg: fix per_node_info cleanup + +From: Michal Hocko + +[ Upstream commit 4eaf431f6f71bbed40a4c733ffe93a7e8cedf9d9 ] + +syzbot has triggered a NULL ptr dereference when allocation fault +injection enforces a failure and alloc_mem_cgroup_per_node_info +initializes memcg->nodeinfo only half way through. + +But __mem_cgroup_free still tries to free all per-node data and +dereferences pn->lruvec_stat_cpu unconditioanlly even if the specific +per-node data hasn't been initialized. + +The bug is quite unlikely to hit because small allocations do not fail +and we would need quite some numa nodes to make struct +mem_cgroup_per_node large enough to cross the costly order. + +Link: http://lkml.kernel.org/r/20180406100906.17790-1-mhocko@kernel.org +Reported-by: syzbot+8a5de3cce7cdc70e9ebe@syzkaller.appspotmail.com +Fixes: 00f3ca2c2d66 ("mm: memcontrol: per-lruvec stats infrastructure") +Signed-off-by: Michal Hocko +Reviewed-by: Andrey Ryabinin +Cc: Johannes Weiner +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/memcontrol.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -4108,6 +4108,9 @@ static void free_mem_cgroup_per_node_inf + { + struct mem_cgroup_per_node *pn = memcg->nodeinfo[node]; + ++ if (!pn) ++ return; ++ + free_percpu(pn->lruvec_stat_cpu); + kfree(pn); + } diff --git a/queue-4.16/mips-ath79-fix-ar724x_pll_reg_pcie_config-offset.patch b/queue-4.16/mips-ath79-fix-ar724x_pll_reg_pcie_config-offset.patch new file mode 100644 index 00000000000..89d26f5d59f --- /dev/null +++ b/queue-4.16/mips-ath79-fix-ar724x_pll_reg_pcie_config-offset.patch @@ -0,0 +1,39 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Mathias Kresin +Date: Thu, 11 May 2017 08:18:24 +0200 +Subject: MIPS: ath79: Fix AR724X_PLL_REG_PCIE_CONFIG offset + +From: Mathias Kresin + +[ Upstream commit 05454c1bde91fb013c0431801001da82947e6b5a ] + +According to the QCA u-boot source the "PCIE Phase Lock Loop +Configuration (PCIE_PLL_CONFIG)" register is for all SoCs except the +QCA955X and QCA956X at offset 0x10. + +Since the PCIE PLL config register is only defined for the AR724x fix +only this value. The value is wrong since the day it was added and isn't +used by any driver yet. + +Signed-off-by: Mathias Kresin +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/16048/ +Signed-off-by: James Hogan +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/include/asm/mach-ath79/ar71xx_regs.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/include/asm/mach-ath79/ar71xx_regs.h ++++ b/arch/mips/include/asm/mach-ath79/ar71xx_regs.h +@@ -167,7 +167,7 @@ + #define AR71XX_AHB_DIV_MASK 0x7 + + #define AR724X_PLL_REG_CPU_CONFIG 0x00 +-#define AR724X_PLL_REG_PCIE_CONFIG 0x18 ++#define AR724X_PLL_REG_PCIE_CONFIG 0x10 + + #define AR724X_PLL_FB_SHIFT 0 + #define AR724X_PLL_FB_MASK 0x3ff diff --git a/queue-4.16/mips-octeon-fix-logging-messages-with-spurious-periods-after-newlines.patch b/queue-4.16/mips-octeon-fix-logging-messages-with-spurious-periods-after-newlines.patch new file mode 100644 index 00000000000..77f0f398947 --- /dev/null +++ b/queue-4.16/mips-octeon-fix-logging-messages-with-spurious-periods-after-newlines.patch @@ -0,0 +1,70 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Joe Perches +Date: Tue, 5 Dec 2017 23:04:58 -0800 +Subject: MIPS: Octeon: Fix logging messages with spurious periods after newlines + +From: Joe Perches + +[ Upstream commit db6775ca6e0353d2618ca7d5e210fc36ad43bbd4 ] + +Using a period after a newline causes bad output. + +Fixes: 64b139f97c01 ("MIPS: OCTEON: irq: add CIB and other fixes") +Signed-off-by: Joe Perches +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/17886/ +Signed-off-by: James Hogan +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/cavium-octeon/octeon-irq.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/arch/mips/cavium-octeon/octeon-irq.c ++++ b/arch/mips/cavium-octeon/octeon-irq.c +@@ -2271,7 +2271,7 @@ static int __init octeon_irq_init_cib(st + + parent_irq = irq_of_parse_and_map(ciu_node, 0); + if (!parent_irq) { +- pr_err("ERROR: Couldn't acquire parent_irq for %s\n.", ++ pr_err("ERROR: Couldn't acquire parent_irq for %s\n", + ciu_node->name); + return -EINVAL; + } +@@ -2283,7 +2283,7 @@ static int __init octeon_irq_init_cib(st + + addr = of_get_address(ciu_node, 0, NULL, NULL); + if (!addr) { +- pr_err("ERROR: Couldn't acquire reg(0) %s\n.", ciu_node->name); ++ pr_err("ERROR: Couldn't acquire reg(0) %s\n", ciu_node->name); + return -EINVAL; + } + host_data->raw_reg = (u64)phys_to_virt( +@@ -2291,7 +2291,7 @@ static int __init octeon_irq_init_cib(st + + addr = of_get_address(ciu_node, 1, NULL, NULL); + if (!addr) { +- pr_err("ERROR: Couldn't acquire reg(1) %s\n.", ciu_node->name); ++ pr_err("ERROR: Couldn't acquire reg(1) %s\n", ciu_node->name); + return -EINVAL; + } + host_data->en_reg = (u64)phys_to_virt( +@@ -2299,7 +2299,7 @@ static int __init octeon_irq_init_cib(st + + r = of_property_read_u32(ciu_node, "cavium,max-bits", &val); + if (r) { +- pr_err("ERROR: Couldn't read cavium,max-bits from %s\n.", ++ pr_err("ERROR: Couldn't read cavium,max-bits from %s\n", + ciu_node->name); + return r; + } +@@ -2309,7 +2309,7 @@ static int __init octeon_irq_init_cib(st + &octeon_irq_domain_cib_ops, + host_data); + if (!cib_domain) { +- pr_err("ERROR: Couldn't irq_domain_add_linear()\n."); ++ pr_err("ERROR: Couldn't irq_domain_add_linear()\n"); + return -ENOMEM; + } + diff --git a/queue-4.16/mm-fix-races-between-address_space-dereference-and-free-in-page_evicatable.patch b/queue-4.16/mm-fix-races-between-address_space-dereference-and-free-in-page_evicatable.patch new file mode 100644 index 00000000000..e5d7209b767 --- /dev/null +++ b/queue-4.16/mm-fix-races-between-address_space-dereference-and-free-in-page_evicatable.patch @@ -0,0 +1,78 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Huang Ying +Date: Thu, 5 Apr 2018 16:23:20 -0700 +Subject: mm: fix races between address_space dereference and free in page_evicatable + +From: Huang Ying + +[ Upstream commit e92bb4dd9673945179b1fc738c9817dd91bfb629 ] + +When page_mapping() is called and the mapping is dereferenced in +page_evicatable() through shrink_active_list(), it is possible for the +inode to be truncated and the embedded address space to be freed at the +same time. This may lead to the following race. + +CPU1 CPU2 + +truncate(inode) shrink_active_list() + ... page_evictable(page) + truncate_inode_page(mapping, page); + delete_from_page_cache(page) + spin_lock_irqsave(&mapping->tree_lock, flags); + __delete_from_page_cache(page, NULL) + page_cache_tree_delete(..) + ... mapping = page_mapping(page); + page->mapping = NULL; + ... + spin_unlock_irqrestore(&mapping->tree_lock, flags); + page_cache_free_page(mapping, page) + put_page(page) + if (put_page_testzero(page)) -> false +- inode now has no pages and can be freed including embedded address_space + + mapping_unevictable(mapping) + test_bit(AS_UNEVICTABLE, &mapping->flags); +- we've dereferenced mapping which is potentially already free. + +Similar race exists between swap cache freeing and page_evicatable() +too. + +The address_space in inode and swap cache will be freed after a RCU +grace period. So the races are fixed via enclosing the page_mapping() +and address_space usage in rcu_read_lock/unlock(). Some comments are +added in code to make it clear what is protected by the RCU read lock. + +Link: http://lkml.kernel.org/r/20180212081227.1940-1-ying.huang@intel.com +Signed-off-by: "Huang, Ying" +Reviewed-by: Jan Kara +Reviewed-by: Andrew Morton +Cc: Mel Gorman +Cc: Minchan Kim +Cc: "Huang, Ying" +Cc: Johannes Weiner +Cc: Michal Hocko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/vmscan.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/mm/vmscan.c ++++ b/mm/vmscan.c +@@ -3896,7 +3896,13 @@ int node_reclaim(struct pglist_data *pgd + */ + int page_evictable(struct page *page) + { +- return !mapping_unevictable(page_mapping(page)) && !PageMlocked(page); ++ int ret; ++ ++ /* Prevent address_space of inode and swap cache from being freed */ ++ rcu_read_lock(); ++ ret = !mapping_unevictable(page_mapping(page)) && !PageMlocked(page); ++ rcu_read_unlock(); ++ return ret; + } + + #ifdef CONFIG_SHMEM diff --git a/queue-4.16/mm-ksm-fix-interaction-with-thp.patch b/queue-4.16/mm-ksm-fix-interaction-with-thp.patch new file mode 100644 index 00000000000..85111f99949 --- /dev/null +++ b/queue-4.16/mm-ksm-fix-interaction-with-thp.patch @@ -0,0 +1,103 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Claudio Imbrenda +Date: Thu, 5 Apr 2018 16:25:41 -0700 +Subject: mm/ksm: fix interaction with THP + +From: Claudio Imbrenda + +[ Upstream commit 77da2ba0648a4fd52e5ff97b8b2b8dd312aec4b0 ] + +This patch fixes a corner case for KSM. When two pages belong or +belonged to the same transparent hugepage, and they should be merged, +KSM fails to split the page, and therefore no merging happens. + +This bug can be reproduced by: +* making sure ksm is running (in case disabling ksmtuned) +* enabling transparent hugepages +* allocating a THP-aligned 1-THP-sized buffer + e.g. on amd64: posix_memalign(&p, 1<<21, 1<<21) +* filling it with the same values + e.g. memset(p, 42, 1<<21) +* performing madvise to make it mergeable + e.g. madvise(p, 1<<21, MADV_MERGEABLE) +* waiting for KSM to perform a few scans + +The expected outcome is that the all the pages get merged (1 shared and +the rest sharing); the actual outcome is that no pages get merged (1 +unshared and the rest volatile) + +The reason of this behaviour is that we increase the reference count +once for both pages we want to merge, but if they belong to the same +hugepage (or compound page), the reference counter used in both cases is +the one of the head of the compound page. This means that +split_huge_page will find a value of the reference counter too high and +will fail. + +This patch solves this problem by testing if the two pages to merge +belong to the same hugepage when attempting to merge them. If so, the +hugepage is split safely. This means that the hugepage is not split if +not necessary. + +Link: http://lkml.kernel.org/r/1521548069-24758-1-git-send-email-imbrenda@linux.vnet.ibm.com +Signed-off-by: Claudio Imbrenda +Co-authored-by: Gerald Schaefer +Reviewed-by: Andrew Morton +Cc: Andrea Arcangeli +Cc: Minchan Kim +Cc: Kirill A. Shutemov +Cc: Hugh Dickins +Cc: Christian Borntraeger +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/ksm.c | 28 ++++++++++++++++++++++++++++ + 1 file changed, 28 insertions(+) + +--- a/mm/ksm.c ++++ b/mm/ksm.c +@@ -2089,8 +2089,22 @@ static void cmp_and_merge_page(struct pa + tree_rmap_item = + unstable_tree_search_insert(rmap_item, page, &tree_page); + if (tree_rmap_item) { ++ bool split; ++ + kpage = try_to_merge_two_pages(rmap_item, page, + tree_rmap_item, tree_page); ++ /* ++ * If both pages we tried to merge belong to the same compound ++ * page, then we actually ended up increasing the reference ++ * count of the same compound page twice, and split_huge_page ++ * failed. ++ * Here we set a flag if that happened, and we use it later to ++ * try split_huge_page again. Since we call put_page right ++ * afterwards, the reference count will be correct and ++ * split_huge_page should succeed. ++ */ ++ split = PageTransCompound(page) ++ && compound_head(page) == compound_head(tree_page); + put_page(tree_page); + if (kpage) { + /* +@@ -2117,6 +2131,20 @@ static void cmp_and_merge_page(struct pa + break_cow(tree_rmap_item); + break_cow(rmap_item); + } ++ } else if (split) { ++ /* ++ * We are here if we tried to merge two pages and ++ * failed because they both belonged to the same ++ * compound page. We will split the page now, but no ++ * merging will take place. ++ * We do not want to add the cost of a full lock; if ++ * the page is locked, it is better to skip it and ++ * perhaps try again later. ++ */ ++ if (!trylock_page(page)) ++ return; ++ split_huge_page(page); ++ unlock_page(page); + } + } + } diff --git a/queue-4.16/mm-thp-fix-potential-clearing-to-referenced-flag-in-page_idle_clear_pte_refs_one.patch b/queue-4.16/mm-thp-fix-potential-clearing-to-referenced-flag-in-page_idle_clear_pte_refs_one.patch new file mode 100644 index 00000000000..0bd4bcba086 --- /dev/null +++ b/queue-4.16/mm-thp-fix-potential-clearing-to-referenced-flag-in-page_idle_clear_pte_refs_one.patch @@ -0,0 +1,56 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Yang Shi +Date: Thu, 5 Apr 2018 16:22:35 -0700 +Subject: mm: thp: fix potential clearing to referenced flag in page_idle_clear_pte_refs_one() + +From: Yang Shi + +[ Upstream commit f0849ac0b8e072073ec5fcc7fadd05a77434364e ] + +For PTE-mapped THP, the compound THP has not been split to normal 4K +pages yet, the whole THP is considered referenced if any one of sub page +is referenced. + +When walking PTE-mapped THP by pvmw, all relevant PTEs will be checked +to retrieve referenced bit. But, the current code just returns the +result of the last PTE. If the last PTE has not referenced, the +referenced flag will be cleared. + +Just set referenced when ptep{pmdp}_clear_young_notify() returns true. + +Link: http://lkml.kernel.org/r/1518212451-87134-1-git-send-email-yang.shi@linux.alibaba.com +Signed-off-by: Yang Shi +Reported-by: Gang Deng +Suggested-by: Kirill A. Shutemov +Reviewed-by: Andrew Morton +Cc: "Kirill A. Shutemov" +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/page_idle.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/mm/page_idle.c ++++ b/mm/page_idle.c +@@ -65,11 +65,15 @@ static bool page_idle_clear_pte_refs_one + while (page_vma_mapped_walk(&pvmw)) { + addr = pvmw.address; + if (pvmw.pte) { +- referenced = ptep_clear_young_notify(vma, addr, +- pvmw.pte); ++ /* ++ * For PTE-mapped THP, one sub page is referenced, ++ * the whole THP is referenced. ++ */ ++ if (ptep_clear_young_notify(vma, addr, pvmw.pte)) ++ referenced = true; + } else if (IS_ENABLED(CONFIG_TRANSPARENT_HUGEPAGE)) { +- referenced = pmdp_clear_young_notify(vma, addr, +- pvmw.pmd); ++ if (pmdp_clear_young_notify(vma, addr, pvmw.pmd)) ++ referenced = true; + } else { + /* unexpected pmd-mapped page? */ + WARN_ON_ONCE(1); diff --git a/queue-4.16/mt76x2-fix-possible-null-pointer-dereferencing-in-mt76x2_tx.patch b/queue-4.16/mt76x2-fix-possible-null-pointer-dereferencing-in-mt76x2_tx.patch new file mode 100644 index 00000000000..46c0f231b5a --- /dev/null +++ b/queue-4.16/mt76x2-fix-possible-null-pointer-dereferencing-in-mt76x2_tx.patch @@ -0,0 +1,39 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Lorenzo Bianconi +Date: Sat, 17 Mar 2018 12:29:27 +0100 +Subject: mt76x2: fix possible NULL pointer dereferencing in mt76x2_tx() + +From: Lorenzo Bianconi + +[ Upstream commit 6958b027435aa54d82bbef09a007fd287f439977 ] + +Fix a theoretical NULL pointer dereferencing in mt76x2_tx routine that +can occurs for injected frames in a monitor vif since vif pointer could +be NULL for that interfaces + +Fixes: 23405236460b ("mt76: fix transmission of encrypted mgmt frames") +Signed-off-by: Lorenzo Bianconi +Acked-by: Felix Fietkau +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mediatek/mt76/mt76x2_tx.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/mediatek/mt76/mt76x2_tx.c ++++ b/drivers/net/wireless/mediatek/mt76/mt76x2_tx.c +@@ -36,9 +36,12 @@ void mt76x2_tx(struct ieee80211_hw *hw, + + msta = (struct mt76x2_sta *) control->sta->drv_priv; + wcid = &msta->wcid; ++ /* sw encrypted frames */ ++ if (!info->control.hw_key && wcid->hw_key_idx != -1) ++ control->sta = NULL; + } + +- if (vif || (!info->control.hw_key && wcid->hw_key_idx != -1)) { ++ if (vif && !control->sta) { + struct mt76x2_vif *mvif; + + mvif = (struct mt76x2_vif *) vif->drv_priv; diff --git a/queue-4.16/mt76x2-fix-warning-in-ieee80211_get_key_rx_seq.patch b/queue-4.16/mt76x2-fix-warning-in-ieee80211_get_key_rx_seq.patch new file mode 100644 index 00000000000..91155c04a6c --- /dev/null +++ b/queue-4.16/mt76x2-fix-warning-in-ieee80211_get_key_rx_seq.patch @@ -0,0 +1,59 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Lorenzo Bianconi +Date: Sat, 17 Mar 2018 15:01:39 +0100 +Subject: mt76x2: fix warning in ieee80211_get_key_rx_seq() + +From: Lorenzo Bianconi + +[ Upstream commit c03a5aacde0c86f6dabab8f17a6d1911ee13b6c4 ] + +Fall back to software encryption for hw unsupported ciphers in order +to fix the following warning in ieee80211_get_key_rx_seq routine: + +WARNING: CPU: 1 PID: 1277 at backports-2017-11-01/net/mac80211/key.c: +1010 mt76_wcid_key_setup+0x6c/0x138 [mt76] +CPU: 1 PID: 1277 Comm: hostapd Tainted: G W 4.9.86 #0 +Stack : 00000000 00000000 80527b4a 00000042 80523824 00000000 00000000 80520000 + 8fd79a9c 804bbda7 80454c84 00000001 000004fd 80523824 8f7e4ba0 8eceda12 + 00000010 8006af94 00000001 80520000 804c1f04 804c1f08 80459890 8ec999b4 + 00000003 800a7840 8f7e4ba0 8eceda12 8121de20 00000000 00000001 00c999b4 + 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 + ... +Call Trace: +[<8000f52c>] show_stack+0x70/0x8c +[<801d8d04>] dump_stack+0x94/0xd0 +[<8002bcd4>] __warn+0x110/0x118 +[<8002bd70>] warn_slowpath_null+0x1c/0x2c +[<8f0415cc>] mt76_wcid_key_setup+0x6c/0x138 [mt76] +[<8f1311b4>] mt76x2_dma_cleanup+0xa38/0x1048 [mt76x2e] + +Fixes: 30ce7f4456ae ("mt76: validate rx CCMP PN") +Signed-off-by: Lorenzo Bianconi +Acked-by: Felix Fietkau +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mediatek/mt76/mt76x2_main.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/net/wireless/mediatek/mt76/mt76x2_main.c ++++ b/drivers/net/wireless/mediatek/mt76/mt76x2_main.c +@@ -336,6 +336,17 @@ mt76x2_set_key(struct ieee80211_hw *hw, + int idx = key->keyidx; + int ret; + ++ /* fall back to sw encryption for unsupported ciphers */ ++ switch (key->cipher) { ++ case WLAN_CIPHER_SUITE_WEP40: ++ case WLAN_CIPHER_SUITE_WEP104: ++ case WLAN_CIPHER_SUITE_TKIP: ++ case WLAN_CIPHER_SUITE_CCMP: ++ break; ++ default: ++ return -EOPNOTSUPP; ++ } ++ + /* + * The hardware does not support per-STA RX GTK, fall back + * to software mode for these. diff --git a/queue-4.16/net-bgmac-correctly-annotate-register-space.patch b/queue-4.16/net-bgmac-correctly-annotate-register-space.patch new file mode 100644 index 00000000000..48b739906ad --- /dev/null +++ b/queue-4.16/net-bgmac-correctly-annotate-register-space.patch @@ -0,0 +1,38 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Florian Fainelli +Date: Sun, 1 Apr 2018 10:26:29 -0700 +Subject: net: bgmac: Correctly annotate register space + +From: Florian Fainelli + +[ Upstream commit 16a1c0646e55c3345bce8e4edfc06ad119d27c04 ] + +All the members: base, idm_base and nicpm_base should be annotated with +__iomem since they are pointers to register space. This fixes a bunch of +sparse reported warnings. + +Fixes: f6a95a24957a ("net: ethernet: bgmac: Add platform device support") +Fixes: dd5c5d037f5e ("net: ethernet: bgmac: add NS2 support") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bgmac.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bgmac.h ++++ b/drivers/net/ethernet/broadcom/bgmac.h +@@ -479,9 +479,9 @@ struct bgmac_rx_header { + struct bgmac { + union { + struct { +- void *base; +- void *idm_base; +- void *nicpm_base; ++ void __iomem *base; ++ void __iomem *idm_base; ++ void __iomem *nicpm_base; + } plat; + struct { + struct bcma_device *core; diff --git a/queue-4.16/net-bgmac-fix-endian-access-in-bgmac_dma_tx_ring_free.patch b/queue-4.16/net-bgmac-fix-endian-access-in-bgmac_dma_tx_ring_free.patch new file mode 100644 index 00000000000..4ab4033532c --- /dev/null +++ b/queue-4.16/net-bgmac-fix-endian-access-in-bgmac_dma_tx_ring_free.patch @@ -0,0 +1,34 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Florian Fainelli +Date: Sun, 1 Apr 2018 10:26:30 -0700 +Subject: net: bgmac: Fix endian access in bgmac_dma_tx_ring_free() + +From: Florian Fainelli + +[ Upstream commit 60d6e6f0b9e422dd01aeda39257ee0428e5e2a3f ] + +bgmac_dma_tx_ring_free() assigns the ctl1 word which is a litle endian +32-bit word without using proper accessors, fix this, and because a +length cannot be negative, use unsigned int while at it. + +Fixes: 9cde94506eac ("bgmac: implement scatter/gather support") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bgmac.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/broadcom/bgmac.c ++++ b/drivers/net/ethernet/broadcom/bgmac.c +@@ -533,7 +533,8 @@ static void bgmac_dma_tx_ring_free(struc + int i; + + for (i = 0; i < BGMAC_TX_RING_SLOTS; i++) { +- int len = dma_desc[i].ctl1 & BGMAC_DESC_CTL1_LEN; ++ u32 ctl1 = le32_to_cpu(dma_desc[i].ctl1); ++ unsigned int len = ctl1 & BGMAC_DESC_CTL1_LEN; + + slot = &ring->slots[i]; + dev_kfree_skb(slot->skb); diff --git a/queue-4.16/net-hns3-fix-for-returning-wrong-value-problem-in-hns3_get_rss_indir_size.patch b/queue-4.16/net-hns3-fix-for-returning-wrong-value-problem-in-hns3_get_rss_indir_size.patch new file mode 100644 index 00000000000..316294f3327 --- /dev/null +++ b/queue-4.16/net-hns3-fix-for-returning-wrong-value-problem-in-hns3_get_rss_indir_size.patch @@ -0,0 +1,32 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Fuyun Liang +Date: Sat, 24 Mar 2018 11:32:44 +0800 +Subject: net: hns3: fix for returning wrong value problem in hns3_get_rss_indir_size + +From: Fuyun Liang + +[ Upstream commit da44a00f06df1f823ea449065e79581ee624de4b ] + +The return type of hns3_get_rss_indir_size is u32. But a negative value is +returned. This patch fixes it by replacing the negative value with zero. + +Signed-off-by: Fuyun Liang +Signed-off-by: Peng Li +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c +@@ -709,7 +709,7 @@ static u32 hns3_get_rss_indir_size(struc + + if (!h->ae_algo || !h->ae_algo->ops || + !h->ae_algo->ops->get_rss_indir_size) +- return -EOPNOTSUPP; ++ return 0; + + return h->ae_algo->ops->get_rss_indir_size(h); + } diff --git a/queue-4.16/net-hns3-fix-for-returning-wrong-value-problem-in-hns3_get_rss_key_size.patch b/queue-4.16/net-hns3-fix-for-returning-wrong-value-problem-in-hns3_get_rss_key_size.patch new file mode 100644 index 00000000000..096aa82f2e9 --- /dev/null +++ b/queue-4.16/net-hns3-fix-for-returning-wrong-value-problem-in-hns3_get_rss_key_size.patch @@ -0,0 +1,32 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Fuyun Liang +Date: Sat, 24 Mar 2018 11:32:43 +0800 +Subject: net: hns3: fix for returning wrong value problem in hns3_get_rss_key_size + +From: Fuyun Liang + +[ Upstream commit 3bd6d258b1d5f76744567855d1376358a94f127d ] + +The return type of hns3_get_rss_key_size is u32. But a negative value is +returned. This patch fixes it by replacing the negative value with zero. + +Signed-off-by: Fuyun Liang +Signed-off-by: Peng Li +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c +@@ -698,7 +698,7 @@ static u32 hns3_get_rss_key_size(struct + + if (!h->ae_algo || !h->ae_algo->ops || + !h->ae_algo->ops->get_rss_key_size) +- return -EOPNOTSUPP; ++ return 0; + + return h->ae_algo->ops->get_rss_key_size(h); + } diff --git a/queue-4.16/net-hns3-fix-for-the-wrong-shift-problem-in-hns3_set_txbd_baseinfo.patch b/queue-4.16/net-hns3-fix-for-the-wrong-shift-problem-in-hns3_set_txbd_baseinfo.patch new file mode 100644 index 00000000000..94d6dbee298 --- /dev/null +++ b/queue-4.16/net-hns3-fix-for-the-wrong-shift-problem-in-hns3_set_txbd_baseinfo.patch @@ -0,0 +1,32 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Fuyun Liang +Date: Sat, 24 Mar 2018 11:32:45 +0800 +Subject: net: hns3: fix for the wrong shift problem in hns3_set_txbd_baseinfo + +From: Fuyun Liang + +[ Upstream commit 3c8f5c0339515202e8662b6e3ae36a7b16610caf ] + +Third parameter of hnae_set_field is shift, But a mask is given. This +patch fixes it by replacing HNS3_TXD_BDTYPE_M with HNS3_TXD_BDTYPE_S. + +Signed-off-by: Fuyun Liang +Signed-off-by: Peng Li +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +@@ -747,7 +747,7 @@ static void hns3_set_txbd_baseinfo(u16 * + { + /* Config bd buffer end */ + hnae_set_field(*bdtp_fe_sc_vld_ra_ri, HNS3_TXD_BDTYPE_M, +- HNS3_TXD_BDTYPE_M, 0); ++ HNS3_TXD_BDTYPE_S, 0); + hnae_set_bit(*bdtp_fe_sc_vld_ra_ri, HNS3_TXD_FE_B, !!frag_end); + hnae_set_bit(*bdtp_fe_sc_vld_ra_ri, HNS3_TXD_VLD_B, 1); + hnae_set_field(*bdtp_fe_sc_vld_ra_ri, HNS3_TXD_SC_M, HNS3_TXD_SC_S, 0); diff --git a/queue-4.16/net-mlx5-protect-from-command-bit-overflow.patch b/queue-4.16/net-mlx5-protect-from-command-bit-overflow.patch new file mode 100644 index 00000000000..8cf92834e6c --- /dev/null +++ b/queue-4.16/net-mlx5-protect-from-command-bit-overflow.patch @@ -0,0 +1,60 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Leon Romanovsky +Date: Tue, 2 Jan 2018 16:49:56 +0200 +Subject: net/mlx5: Protect from command bit overflow + +From: Leon Romanovsky + +[ Upstream commit 957f6ba8adc7be401a74ccff427e4cfd88d3bfcb ] + +The system with CONFIG_UBSAN enabled on produces the following error +during driver initialization. The reason to it that max_reg_cmds can be +larger enough to cause to "1 << max_reg_cmds" overflow the unsigned long. + +================================================================================ +UBSAN: Undefined behaviour in drivers/net/ethernet/mellanox/mlx5/core/cmd.c:1805:42 +signed integer overflow: +-2147483648 - 1 cannot be represented in type 'int' +CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.15.0-rc2-00032-g06cda2358d9b-dirty #724 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014 +Call Trace: + dump_stack+0xe9/0x18f + ? dma_virt_alloc+0x81/0x81 + ubsan_epilogue+0xe/0x4e + handle_overflow+0x187/0x20c + mlx5_cmd_init+0x73a/0x12b0 + mlx5_load_one+0x1c3d/0x1d30 + init_one+0xd02/0xf10 + pci_device_probe+0x26c/0x3b0 + driver_probe_device+0x622/0xb40 + __driver_attach+0x175/0x1b0 + bus_for_each_dev+0xef/0x190 + bus_add_driver+0x2db/0x490 + driver_register+0x16b/0x1e0 + __pci_register_driver+0x177/0x1b0 + init+0x6d/0x92 + do_one_initcall+0x15b/0x270 + kernel_init_freeable+0x2d8/0x3d0 + kernel_init+0x14/0x190 + ret_from_fork+0x24/0x30 +================================================================================ + +Signed-off-by: Leon Romanovsky +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -1802,7 +1802,7 @@ int mlx5_cmd_init(struct mlx5_core_dev * + + cmd->checksum_disabled = 1; + cmd->max_reg_cmds = (1 << cmd->log_sz) - 1; +- cmd->bitmask = (1 << cmd->max_reg_cmds) - 1; ++ cmd->bitmask = (1UL << cmd->max_reg_cmds) - 1; + + cmd->cmdif_rev = ioread32be(&dev->iseg->cmdif_rev_fw_sub) >> 16; + if (cmd->cmdif_rev > CMD_IF_REV) { diff --git a/queue-4.16/net-mlx5e-move-all-tx-timeout-logic-to-be-under-state-lock.patch b/queue-4.16/net-mlx5e-move-all-tx-timeout-logic-to-be-under-state-lock.patch new file mode 100644 index 00000000000..69430d60b49 --- /dev/null +++ b/queue-4.16/net-mlx5e-move-all-tx-timeout-logic-to-be-under-state-lock.patch @@ -0,0 +1,126 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Eran Ben Elisha +Date: Tue, 16 Jan 2018 17:25:06 +0200 +Subject: net/mlx5e: Move all TX timeout logic to be under state lock + +From: Eran Ben Elisha + +[ Upstream commit bfc647d52e67dc756c605e9a50d45b71054c2533 ] + +Driver callback for handling TX timeout should access some internal +resources (SQ, CQ) in order to decide if the tx timeout work should be +scheduled. These resources might be unavailable if channels are closed +in parallel (ifdown for example). + +The state lock is the mechanism to protect from such races. +Move all TX timeout logic to be in the work under a state lock. + +In addition, Move the work from the global WQ to mlx5e WQ to make sure +this work is flushed when device is detached.. + +Also, move the mlx5e_tx_timeout_work code to be next to the TX timeout +NDO for better code locality. + +Fixes: 3947ca185999 ("net/mlx5e: Implement ndo_tx_timeout callback") +Signed-off-by: Eran Ben Elisha +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 61 ++++++++++++---------- + 1 file changed, 34 insertions(+), 27 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -153,26 +153,6 @@ static void mlx5e_update_carrier_work(st + mutex_unlock(&priv->state_lock); + } + +-static void mlx5e_tx_timeout_work(struct work_struct *work) +-{ +- struct mlx5e_priv *priv = container_of(work, struct mlx5e_priv, +- tx_timeout_work); +- int err; +- +- rtnl_lock(); +- mutex_lock(&priv->state_lock); +- if (!test_bit(MLX5E_STATE_OPENED, &priv->state)) +- goto unlock; +- mlx5e_close_locked(priv->netdev); +- err = mlx5e_open_locked(priv->netdev); +- if (err) +- netdev_err(priv->netdev, "mlx5e_open_locked failed recovering from a tx_timeout, err(%d).\n", +- err); +-unlock: +- mutex_unlock(&priv->state_lock); +- rtnl_unlock(); +-} +- + void mlx5e_update_stats(struct mlx5e_priv *priv) + { + int i; +@@ -3632,13 +3612,19 @@ static bool mlx5e_tx_timeout_eq_recover( + return true; + } + +-static void mlx5e_tx_timeout(struct net_device *dev) ++static void mlx5e_tx_timeout_work(struct work_struct *work) + { +- struct mlx5e_priv *priv = netdev_priv(dev); ++ struct mlx5e_priv *priv = container_of(work, struct mlx5e_priv, ++ tx_timeout_work); ++ struct net_device *dev = priv->netdev; + bool reopen_channels = false; +- int i; ++ int i, err; + +- netdev_err(dev, "TX timeout detected\n"); ++ rtnl_lock(); ++ mutex_lock(&priv->state_lock); ++ ++ if (!test_bit(MLX5E_STATE_OPENED, &priv->state)) ++ goto unlock; + + for (i = 0; i < priv->channels.num * priv->channels.params.num_tc; i++) { + struct netdev_queue *dev_queue = netdev_get_tx_queue(dev, i); +@@ -3646,7 +3632,9 @@ static void mlx5e_tx_timeout(struct net_ + + if (!netif_xmit_stopped(dev_queue)) + continue; +- netdev_err(dev, "TX timeout on queue: %d, SQ: 0x%x, CQ: 0x%x, SQ Cons: 0x%x SQ Prod: 0x%x, usecs since last trans: %u\n", ++ ++ netdev_err(dev, ++ "TX timeout on queue: %d, SQ: 0x%x, CQ: 0x%x, SQ Cons: 0x%x SQ Prod: 0x%x, usecs since last trans: %u\n", + i, sq->sqn, sq->cq.mcq.cqn, sq->cc, sq->pc, + jiffies_to_usecs(jiffies - dev_queue->trans_start)); + +@@ -3659,8 +3647,27 @@ static void mlx5e_tx_timeout(struct net_ + } + } + +- if (reopen_channels && test_bit(MLX5E_STATE_OPENED, &priv->state)) +- schedule_work(&priv->tx_timeout_work); ++ if (!reopen_channels) ++ goto unlock; ++ ++ mlx5e_close_locked(dev); ++ err = mlx5e_open_locked(dev); ++ if (err) ++ netdev_err(priv->netdev, ++ "mlx5e_open_locked failed recovering from a tx_timeout, err(%d).\n", ++ err); ++ ++unlock: ++ mutex_unlock(&priv->state_lock); ++ rtnl_unlock(); ++} ++ ++static void mlx5e_tx_timeout(struct net_device *dev) ++{ ++ struct mlx5e_priv *priv = netdev_priv(dev); ++ ++ netdev_err(dev, "TX timeout detected\n"); ++ queue_work(priv->wq, &priv->tx_timeout_work); + } + + static int mlx5e_xdp_set(struct net_device *netdev, struct bpf_prog *prog) diff --git a/queue-4.16/net-qlge-eliminate-duplicate-barriers-on-weakly-ordered-archs.patch b/queue-4.16/net-qlge-eliminate-duplicate-barriers-on-weakly-ordered-archs.patch new file mode 100644 index 00000000000..95466686635 --- /dev/null +++ b/queue-4.16/net-qlge-eliminate-duplicate-barriers-on-weakly-ordered-archs.patch @@ -0,0 +1,64 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Sinan Kaya +Date: Sun, 25 Mar 2018 10:39:19 -0400 +Subject: net: qlge: Eliminate duplicate barriers on weakly-ordered archs + +From: Sinan Kaya + +[ Upstream commit e42d8cee343a545ac2d9557a3b28708bbca2bd31 ] + +Code includes wmb() followed by writel(). writel() already has a barrier on +some architectures like arm64. + +This ends up CPU observing two barriers back to back before executing the +register write. + +Create a new wrapper function with relaxed write operator. Use the new +wrapper when a write is following a wmb(). + +Signed-off-by: Sinan Kaya +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qlge/qlge.h | 16 ++++++++++++++++ + drivers/net/ethernet/qlogic/qlge/qlge_main.c | 3 ++- + 2 files changed, 18 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/qlogic/qlge/qlge.h ++++ b/drivers/net/ethernet/qlogic/qlge/qlge.h +@@ -2185,6 +2185,22 @@ static inline void ql_write_db_reg(u32 v + } + + /* ++ * Doorbell Registers: ++ * Doorbell registers are virtual registers in the PCI memory space. ++ * The space is allocated by the chip during PCI initialization. The ++ * device driver finds the doorbell address in BAR 3 in PCI config space. ++ * The registers are used to control outbound and inbound queues. For ++ * example, the producer index for an outbound queue. Each queue uses ++ * 1 4k chunk of memory. The lower half of the space is for outbound ++ * queues. The upper half is for inbound queues. ++ * Caller has to guarantee ordering. ++ */ ++static inline void ql_write_db_reg_relaxed(u32 val, void __iomem *addr) ++{ ++ writel_relaxed(val, addr); ++} ++ ++/* + * Shadow Registers: + * Outbound queues have a consumer index that is maintained by the chip. + * Inbound queues have a producer index that is maintained by the chip. +--- a/drivers/net/ethernet/qlogic/qlge/qlge_main.c ++++ b/drivers/net/ethernet/qlogic/qlge/qlge_main.c +@@ -2700,7 +2700,8 @@ static netdev_tx_t qlge_send(struct sk_b + tx_ring->prod_idx = 0; + wmb(); + +- ql_write_db_reg(tx_ring->prod_idx, tx_ring->prod_idx_db_reg); ++ ql_write_db_reg_relaxed(tx_ring->prod_idx, tx_ring->prod_idx_db_reg); ++ mmiowb(); + netif_printk(qdev, tx_queued, KERN_DEBUG, qdev->ndev, + "tx queued, slot %d, len %d\n", + tx_ring->prod_idx, skb->len); diff --git a/queue-4.16/net-qualcomm-rmnet-check-for-null-ep-to-avoid-null-pointer-dereference.patch b/queue-4.16/net-qualcomm-rmnet-check-for-null-ep-to-avoid-null-pointer-dereference.patch new file mode 100644 index 00000000000..65e6151a9e2 --- /dev/null +++ b/queue-4.16/net-qualcomm-rmnet-check-for-null-ep-to-avoid-null-pointer-dereference.patch @@ -0,0 +1,35 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Colin Ian King +Date: Fri, 23 Mar 2018 23:51:57 +0000 +Subject: net: qualcomm: rmnet: check for null ep to avoid null pointer dereference + +From: Colin Ian King + +[ Upstream commit 0c29ba1b43df1eb7d8beb03fc929d2dac4c15f7e ] + +The call to rmnet_get_endpoint can potentially return NULL so check +for this to avoid any subsequent null pointer dereferences on a NULL +ep. + +Detected by CoverityScan, CID#1465385 ("Dereference null return value") + +Fixes: 23790ef12082 ("net: qualcomm: rmnet: Allow to configure flags for existing devices") +Signed-off-by: Colin Ian King +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c ++++ b/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c +@@ -307,6 +307,8 @@ static int rmnet_changelink(struct net_d + if (data[IFLA_VLAN_ID]) { + mux_id = nla_get_u16(data[IFLA_VLAN_ID]); + ep = rmnet_get_endpoint(port, priv->mux_id); ++ if (!ep) ++ return -ENODEV; + + hlist_del_init_rcu(&ep->hlnode); + hlist_add_head_rcu(&ep->hlnode, &port->muxed_ep[mux_id]); diff --git a/queue-4.16/net-smc-pay-attention-to-max_order-for-cq-entries.patch b/queue-4.16/net-smc-pay-attention-to-max_order-for-cq-entries.patch new file mode 100644 index 00000000000..c8d12036328 --- /dev/null +++ b/queue-4.16/net-smc-pay-attention-to-max_order-for-cq-entries.patch @@ -0,0 +1,106 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Ursula Braun +Date: Wed, 14 Mar 2018 11:01:00 +0100 +Subject: net/smc: pay attention to MAX_ORDER for CQ entries + +From: Ursula Braun + +[ Upstream commit c9f4c6cf53bfafb639386a4c094929f13f573e04 ] + +smc allocates a certain number of CQ entries for used RoCE devices. For +mlx5 devices the chosen constant number results in a large allocation +causing this warning: + +[13355.124656] WARNING: CPU: 3 PID: 16535 at mm/page_alloc.c:3883 __alloc_pages_nodemask+0x2be/0x10c0 +[13355.124657] Modules linked in: smc_diag(O) smc(O) xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp bridge stp llc ip6table_filter ip6_tables iptable_filter mlx5_ib ib_core sunrpc mlx5_core s390_trng rng_core ghash_s390 prng aes_s390 des_s390 des_generic sha512_s390 sha256_s390 sha1_s390 sha_common ptp pps_core eadm_sch dm_multipath dm_mod vhost_net tun vhost tap sch_fq_codel kvm ip_tables x_tables autofs4 [last unloaded: smc] +[13355.124672] CPU: 3 PID: 16535 Comm: kworker/3:0 Tainted: G O 4.14.0uschi #1 +[13355.124673] Hardware name: IBM 3906 M04 704 (LPAR) +[13355.124675] Workqueue: events smc_listen_work [smc] +[13355.124677] task: 00000000e2f22100 task.stack: 0000000084720000 +[13355.124678] Krnl PSW : 0704c00180000000 000000000029da76 (__alloc_pages_nodemask+0x2be/0x10c0) +[13355.124681] R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3 +[13355.124682] Krnl GPRS: 0000000000000000 00550e00014080c0 0000000000000000 0000000000000001 +[13355.124684] 000000000029d8b6 00000000f3bfd710 0000000000000000 00000000014080c0 +[13355.124685] 0000000000000009 00000000ec277a00 0000000000200000 0000000000000000 +[13355.124686] 0000000000000000 00000000000001ff 000000000029d8b6 0000000084723720 +[13355.124708] Krnl Code: 000000000029da6a: a7110200 tmll %r1,512 + 000000000029da6e: a774ff29 brc 7,29d8c0 + #000000000029da72: a7f40001 brc 15,29da74 + >000000000029da76: a7f4ff25 brc 15,29d8c0 + 000000000029da7a: a7380000 lhi %r3,0 + 000000000029da7e: a7f4fef1 brc 15,29d860 + 000000000029da82: 5820f0c4 l %r2,196(%r15) + 000000000029da86: a53e0048 llilh %r3,72 +[13355.124720] Call Trace: +[13355.124722] ([<000000000029d8b6>] __alloc_pages_nodemask+0xfe/0x10c0) +[13355.124724] [<000000000013bd1e>] s390_dma_alloc+0x6e/0x148 +[13355.124733] [<000003ff802eeba6>] mlx5_dma_zalloc_coherent_node+0x8e/0xe0 [mlx5_core] +[13355.124740] [<000003ff802eee18>] mlx5_buf_alloc_node+0x70/0x108 [mlx5_core] +[13355.124744] [<000003ff804eb410>] mlx5_ib_create_cq+0x558/0x898 [mlx5_ib] +[13355.124749] [<000003ff80407d40>] ib_create_cq+0x48/0x88 [ib_core] +[13355.124751] [<000003ff80109fba>] smc_ib_setup_per_ibdev+0x52/0x118 [smc] +[13355.124753] [<000003ff8010bcb6>] smc_conn_create+0x65e/0x728 [smc] +[13355.124755] [<000003ff801081a2>] smc_listen_work+0x2d2/0x540 [smc] +[13355.124756] [<0000000000162c66>] process_one_work+0x1be/0x440 +[13355.124758] [<0000000000162f40>] worker_thread+0x58/0x458 +[13355.124759] [<0000000000169e7e>] kthread+0x14e/0x168 +[13355.124760] [<00000000009ce8be>] kernel_thread_starter+0x6/0xc +[13355.124762] [<00000000009ce8b8>] kernel_thread_starter+0x0/0xc +[13355.124762] Last Breaking-Event-Address: +[13355.124764] [<000000000029da72>] __alloc_pages_nodemask+0x2ba/0x10c0 +[13355.124764] ---[ end trace 34be38b581c0b585 ]--- + +This patch reduces the smc constant for the maximum number of allocated +completion queue entries SMC_MAX_CQE by 2 to avoid high round up values +in the mlx5 code, and reduces the number of allocated completion queue +entries even more, if the final allocation for an mlx5 device hits the +MAX_ORDER limit. + +Reported-by: Ihnken Menssen +Signed-off-by: Ursula Braun +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/smc/smc_ib.c | 10 +++++++++- + net/smc/smc_wr.h | 1 - + 2 files changed, 9 insertions(+), 2 deletions(-) + +--- a/net/smc/smc_ib.c ++++ b/net/smc/smc_ib.c +@@ -23,6 +23,8 @@ + #include "smc_wr.h" + #include "smc.h" + ++#define SMC_MAX_CQE 32766 /* max. # of completion queue elements */ ++ + #define SMC_QP_MIN_RNR_TIMER 5 + #define SMC_QP_TIMEOUT 15 /* 4096 * 2 ** timeout usec */ + #define SMC_QP_RETRY_CNT 7 /* 7: infinite */ +@@ -438,9 +440,15 @@ out: + long smc_ib_setup_per_ibdev(struct smc_ib_device *smcibdev) + { + struct ib_cq_init_attr cqattr = { +- .cqe = SMC_WR_MAX_CQE, .comp_vector = 0 }; ++ .cqe = SMC_MAX_CQE, .comp_vector = 0 }; ++ int cqe_size_order, smc_order; + long rc; + ++ /* the calculated number of cq entries fits to mlx5 cq allocation */ ++ cqe_size_order = cache_line_size() == 128 ? 7 : 6; ++ smc_order = MAX_ORDER - cqe_size_order - 1; ++ if (SMC_MAX_CQE + 2 > (0x00000001 << smc_order) * PAGE_SIZE) ++ cqattr.cqe = (0x00000001 << smc_order) * PAGE_SIZE - 2; + smcibdev->roce_cq_send = ib_create_cq(smcibdev->ibdev, + smc_wr_tx_cq_handler, NULL, + smcibdev, &cqattr); +--- a/net/smc/smc_wr.h ++++ b/net/smc/smc_wr.h +@@ -19,7 +19,6 @@ + #include "smc.h" + #include "smc_core.h" + +-#define SMC_WR_MAX_CQE 32768 /* max. # of completion queue elements */ + #define SMC_WR_BUF_CNT 16 /* # of ctrl buffers per link */ + + #define SMC_WR_TX_WAIT_FREE_SLOT_TIME (10 * HZ) diff --git a/queue-4.16/net-stmmac-call-correct-function-in-stmmac_mac_config_rx_queues_routing.patch b/queue-4.16/net-stmmac-call-correct-function-in-stmmac_mac_config_rx_queues_routing.patch new file mode 100644 index 00000000000..19b9e6c5a27 --- /dev/null +++ b/queue-4.16/net-stmmac-call-correct-function-in-stmmac_mac_config_rx_queues_routing.patch @@ -0,0 +1,37 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Niklas Cassel +Date: Mon, 19 Feb 2018 18:11:13 +0100 +Subject: net: stmmac: call correct function in stmmac_mac_config_rx_queues_routing() + +From: Niklas Cassel + +[ Upstream commit 13138de01400762f706c5e956e70660770d61962 ] + +stmmac_mac_config_rx_queues_routing() incorrectly calls rx_queue_prio() +instead of rx_queue_routing(). + +This looks like a copy paste issue, since +stmmac_mac_config_rx_queues_prio() already calls rx_queue_prio(), +and both stmmac_mac_config_rx_queues_routing() and +stmmac_mac_config_rx_queues_prio() are very similar in structure. + +Fixes: abe80fdc6ee6 ("net: stmmac: RX queue routing configuration") +Signed-off-by: Niklas Cassel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -2435,7 +2435,7 @@ static void stmmac_mac_config_rx_queues_ + continue; + + packet = priv->plat->rx_queues_cfg[queue].pkt_route; +- priv->hw->mac->rx_queue_prio(priv->hw, packet, queue); ++ priv->hw->mac->rx_queue_routing(priv->hw, packet, queue); + } + } + diff --git a/queue-4.16/net-stmmac-ensure-that-the-device-has-released-ownership-before-reading-data.patch b/queue-4.16/net-stmmac-ensure-that-the-device-has-released-ownership-before-reading-data.patch new file mode 100644 index 00000000000..1e3eab4d28e --- /dev/null +++ b/queue-4.16/net-stmmac-ensure-that-the-device-has-released-ownership-before-reading-data.patch @@ -0,0 +1,39 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Niklas Cassel +Date: Mon, 26 Feb 2018 22:47:08 +0100 +Subject: net: stmmac: ensure that the device has released ownership before reading data + +From: Niklas Cassel + +[ Upstream commit a6b25da5e7ba212af5826a662e6a035a79bffabd ] + +According to Documentation/memory-barriers.txt, we need to use a +dma_rmb() after reading the status/own bit, to ensure that all +descriptor fields are read after reading the own bit. + +This way, we ensure that the DMA engine is done with the DMA +descriptor before we read the other descriptor fields, e.g. reading +the tx hardware timestamp (if PTP is enabled). + +Signed-off-by: Niklas Cassel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -1843,6 +1843,11 @@ static void stmmac_tx_clean(struct stmma + if (unlikely(status & tx_dma_own)) + break; + ++ /* Make sure descriptor fields are read after reading ++ * the own bit. ++ */ ++ dma_rmb(); ++ + /* Just consider the last segment and ...*/ + if (likely(!(status & tx_not_ls))) { + /* ... verify the status error condition */ diff --git a/queue-4.16/net-stmmac-ensure-that-the-mss-desc-is-the-last-desc-to-set-the-own-bit.patch b/queue-4.16/net-stmmac-ensure-that-the-mss-desc-is-the-last-desc-to-set-the-own-bit.patch new file mode 100644 index 00000000000..1b14a206e5c --- /dev/null +++ b/queue-4.16/net-stmmac-ensure-that-the-mss-desc-is-the-last-desc-to-set-the-own-bit.patch @@ -0,0 +1,57 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Niklas Cassel +Date: Mon, 26 Feb 2018 22:47:06 +0100 +Subject: net: stmmac: ensure that the MSS desc is the last desc to set the own bit + +From: Niklas Cassel + +[ Upstream commit 15d2ee42a3087089e73ad52fd8c1b37ab496b87c ] + +A dma_wmb() is used to guarantee the ordering, with respect to +other writes, to cache coherent DMA memory. + +There is a dma_wmb() in prepare_tx_desc()/prepare_tso_tx_desc() which +ensures that TDES0/1/2 is written before TDES3 (which contains the own +bit), for First Desc. + +However, in the rare case that MSS changes, there will be a MSS +context descriptor in front of the regular DMA descriptors: + + <- DMA Next Descriptor + + + + +Thus, for this special case, we need a dma_wmb() +after prepare_tso_tx_desc()/before writing the own bit to the MSS desc, +so that we flush the write to TDES3 for First Desc, +in order to ensure that the MSS descriptor is the last descriptor to +set the own bit. + +Signed-off-by: Niklas Cassel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -2985,8 +2985,15 @@ static netdev_tx_t stmmac_tso_xmit(struc + tcp_hdrlen(skb) / 4, (skb->len - proto_hdr_len)); + + /* If context desc is used to change MSS */ +- if (mss_desc) ++ if (mss_desc) { ++ /* Make sure that first descriptor has been completely ++ * written, including its own bit. This is because MSS is ++ * actually before first descriptor, so we need to make ++ * sure that MSS's own bit is the last thing written. ++ */ ++ dma_wmb(); + priv->hw->desc->set_tx_owner(mss_desc); ++ } + + /* The own bit must be the latest setting done when prepare the + * descriptor and then barrier is needed to make sure that diff --git a/queue-4.16/netlabel-if-pf_inet6-check-sk_buff-ip-header-version.patch b/queue-4.16/netlabel-if-pf_inet6-check-sk_buff-ip-header-version.patch new file mode 100644 index 00000000000..812b2f20990 --- /dev/null +++ b/queue-4.16/netlabel-if-pf_inet6-check-sk_buff-ip-header-version.patch @@ -0,0 +1,41 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Richard Haines +Date: Mon, 13 Nov 2017 20:54:22 +0000 +Subject: netlabel: If PF_INET6, check sk_buff ip header version + +From: Richard Haines + +[ Upstream commit 213d7f94775322ba44e0bbb55ec6946e9de88cea ] + +When resolving a fallback label, check the sk_buff version as it +is possible (e.g. SCTP) to have family = PF_INET6 while +receiving ip_hdr(skb)->version = 4. + +Signed-off-by: Richard Haines +Acked-by: Paul Moore +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/netlabel/netlabel_unlabeled.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/net/netlabel/netlabel_unlabeled.c ++++ b/net/netlabel/netlabel_unlabeled.c +@@ -1472,6 +1472,16 @@ int netlbl_unlabel_getattr(const struct + iface = rcu_dereference(netlbl_unlhsh_def); + if (iface == NULL || !iface->valid) + goto unlabel_getattr_nolabel; ++ ++#if IS_ENABLED(CONFIG_IPV6) ++ /* When resolving a fallback label, check the sk_buff version as ++ * it is possible (e.g. SCTP) to have family = PF_INET6 while ++ * receiving ip_hdr(skb)->version = 4. ++ */ ++ if (family == PF_INET6 && ip_hdr(skb)->version == 4) ++ family = PF_INET; ++#endif /* IPv6 */ ++ + switch (family) { + case PF_INET: { + struct iphdr *hdr4; diff --git a/queue-4.16/nvme-don-t-send-keep-alives-to-the-discovery-controller.patch b/queue-4.16/nvme-don-t-send-keep-alives-to-the-discovery-controller.patch new file mode 100644 index 00000000000..b3608fa8986 --- /dev/null +++ b/queue-4.16/nvme-don-t-send-keep-alives-to-the-discovery-controller.patch @@ -0,0 +1,51 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Johannes Thumshirn +Date: Thu, 12 Apr 2018 09:16:06 -0600 +Subject: nvme: don't send keep-alives to the discovery controller + +From: Johannes Thumshirn + +[ Upstream commit 74c6c71530847808d4e3be7b205719270efee80c ] + +NVMe over Fabrics 1.0 Section 5.2 "Discovery Controller Properties and +Command Support" Figure 31 "Discovery Controller – Admin Commands" +explicitly listst all commands but "Get Log Page" and "Identify" as +reserved, but NetApp report the Linux host is sending Keep Alive +commands to the discovery controller, which is a violation of the +Spec. + +We're already checking for discovery controllers when configuring the +keep alive timeout but when creating a discovery controller we're not +hard wiring the keep alive timeout to 0 and thus remain on +NVME_DEFAULT_KATO for the discovery controller. + +This can be easily remproduced when issuing a direct connect to the +discovery susbsystem using: +'nvme connect [...] --nqn=nqn.2014-08.org.nvmexpress.discovery' + +Signed-off-by: Johannes Thumshirn +Fixes: 07bfcd09a288 ("nvme-fabrics: add a generic NVMe over Fabrics library") +Reported-by: Martin George +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/fabrics.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/nvme/host/fabrics.c ++++ b/drivers/nvme/host/fabrics.c +@@ -608,8 +608,10 @@ static int nvmf_parse_options(struct nvm + opts->discovery_nqn = + !(strcmp(opts->subsysnqn, + NVME_DISC_SUBSYS_NAME)); +- if (opts->discovery_nqn) ++ if (opts->discovery_nqn) { ++ opts->kato = 0; + opts->nr_io_queues = 0; ++ } + break; + case NVMF_OPT_TRADDR: + p = match_strdup(args); diff --git a/queue-4.16/nvme-expand-nvmf_check_if_ready-checks.patch b/queue-4.16/nvme-expand-nvmf_check_if_ready-checks.patch new file mode 100644 index 00000000000..42ef791e60b --- /dev/null +++ b/queue-4.16/nvme-expand-nvmf_check_if_ready-checks.patch @@ -0,0 +1,327 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: James Smart +Date: Thu, 12 Apr 2018 09:16:15 -0600 +Subject: nvme: expand nvmf_check_if_ready checks + +From: James Smart + +[ Upstream commit bb06ec31452fb2da1594f88035c2ecea4e0652f4 ] + +The nvmf_check_if_ready() checks that were added are very simplistic. +As such, the routine allows a lot of cases to fail ios during windows +of reset or re-connection. In cases where there are not multi-path +options present, the error goes back to the callee - the filesystem +or application. Not good. + +The common routine was rewritten and calling syntax slightly expanded +so that per-transport is_ready routines don't need to be present. +The transports now call the routine directly. The routine is now a +fabrics routine rather than an inline function. + +The routine now looks at controller state to decide the action to +take. Some states mandate io failure. Others define the condition where +a command can be accepted. When the decision is unclear, a generic +queue-or-reject check is made to look for failfast or multipath ios and +only fails the io if it is so marked. Otherwise, the io will be queued +and wait for the controller state to resolve. + +Admin commands issued via ioctl share a live admin queue with commands +from the transport for controller init. The ioctls could be intermixed +with the initialization commands. It's possible for the ioctl cmd to +be issued prior to the controller being enabled. To block this, the +ioctl admin commands need to be distinguished from admin commands used +for controller init. Added a USERCMD nvme_req(req)->rq_flags bit to +reflect this division and set it on ioctls requests. As the +nvmf_check_if_ready() routine is called prior to nvme_setup_cmd(), +ensure that commands allocated by the ioctl path (actually anything +in core.c) preps the nvme_req(req) before starting the io. This will +preserve the USERCMD flag during execution and/or retry. + +Signed-off-by: James Smart +Reviewed-by: Sagi Grimberg +Reviewed-by: Johannes Thumshirn +Signed-off-by: Keith Busch +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/core.c | 17 ++++++--- + drivers/nvme/host/fabrics.c | 79 ++++++++++++++++++++++++++++++++++++++++++++ + drivers/nvme/host/fabrics.h | 33 +----------------- + drivers/nvme/host/fc.c | 12 +----- + drivers/nvme/host/nvme.h | 1 + drivers/nvme/host/rdma.c | 14 +------ + drivers/nvme/target/loop.c | 11 +----- + 7 files changed, 101 insertions(+), 66 deletions(-) + +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -378,6 +378,15 @@ static void nvme_put_ns(struct nvme_ns * + kref_put(&ns->kref, nvme_free_ns); + } + ++static inline void nvme_clear_nvme_request(struct request *req) ++{ ++ if (!(req->rq_flags & RQF_DONTPREP)) { ++ nvme_req(req)->retries = 0; ++ nvme_req(req)->flags = 0; ++ req->rq_flags |= RQF_DONTPREP; ++ } ++} ++ + struct request *nvme_alloc_request(struct request_queue *q, + struct nvme_command *cmd, blk_mq_req_flags_t flags, int qid) + { +@@ -394,6 +403,7 @@ struct request *nvme_alloc_request(struc + return req; + + req->cmd_flags |= REQ_FAILFAST_DRIVER; ++ nvme_clear_nvme_request(req); + nvme_req(req)->cmd = cmd; + + return req; +@@ -610,11 +620,7 @@ blk_status_t nvme_setup_cmd(struct nvme_ + { + blk_status_t ret = BLK_STS_OK; + +- if (!(req->rq_flags & RQF_DONTPREP)) { +- nvme_req(req)->retries = 0; +- nvme_req(req)->flags = 0; +- req->rq_flags |= RQF_DONTPREP; +- } ++ nvme_clear_nvme_request(req); + + switch (req_op(req)) { + case REQ_OP_DRV_IN: +@@ -744,6 +750,7 @@ static int nvme_submit_user_cmd(struct r + return PTR_ERR(req); + + req->timeout = timeout ? timeout : ADMIN_TIMEOUT; ++ nvme_req(req)->flags |= NVME_REQ_USERCMD; + + if (ubuffer && bufflen) { + ret = blk_rq_map_user(q, req, NULL, ubuffer, bufflen, +--- a/drivers/nvme/host/fabrics.c ++++ b/drivers/nvme/host/fabrics.c +@@ -536,6 +536,85 @@ static struct nvmf_transport_ops *nvmf_l + return NULL; + } + ++blk_status_t nvmf_check_if_ready(struct nvme_ctrl *ctrl, struct request *rq, ++ bool queue_live, bool is_connected) ++{ ++ struct nvme_command *cmd = nvme_req(rq)->cmd; ++ ++ if (likely(ctrl->state == NVME_CTRL_LIVE && is_connected)) ++ return BLK_STS_OK; ++ ++ switch (ctrl->state) { ++ case NVME_CTRL_DELETING: ++ goto reject_io; ++ ++ case NVME_CTRL_NEW: ++ case NVME_CTRL_CONNECTING: ++ if (!is_connected) ++ /* ++ * This is the case of starting a new ++ * association but connectivity was lost ++ * before it was fully created. We need to ++ * error the commands used to initialize the ++ * controller so the reconnect can go into a ++ * retry attempt. The commands should all be ++ * marked REQ_FAILFAST_DRIVER, which will hit ++ * the reject path below. Anything else will ++ * be queued while the state settles. ++ */ ++ goto reject_or_queue_io; ++ ++ if ((queue_live && ++ !(nvme_req(rq)->flags & NVME_REQ_USERCMD)) || ++ (!queue_live && blk_rq_is_passthrough(rq) && ++ cmd->common.opcode == nvme_fabrics_command && ++ cmd->fabrics.fctype == nvme_fabrics_type_connect)) ++ /* ++ * If queue is live, allow only commands that ++ * are internally generated pass through. These ++ * are commands on the admin queue to initialize ++ * the controller. This will reject any ioctl ++ * admin cmds received while initializing. ++ * ++ * If the queue is not live, allow only a ++ * connect command. This will reject any ioctl ++ * admin cmd as well as initialization commands ++ * if the controller reverted the queue to non-live. ++ */ ++ return BLK_STS_OK; ++ ++ /* ++ * fall-thru to the reject_or_queue_io clause ++ */ ++ break; ++ ++ /* these cases fall-thru ++ * case NVME_CTRL_LIVE: ++ * case NVME_CTRL_RESETTING: ++ */ ++ default: ++ break; ++ } ++ ++reject_or_queue_io: ++ /* ++ * Any other new io is something we're not in a state to send ++ * to the device. Default action is to busy it and retry it ++ * after the controller state is recovered. However, anything ++ * marked for failfast or nvme multipath is immediately failed. ++ * Note: commands used to initialize the controller will be ++ * marked for failfast. ++ * Note: nvme cli/ioctl commands are marked for failfast. ++ */ ++ if (!blk_noretry_request(rq) && !(rq->cmd_flags & REQ_NVME_MPATH)) ++ return BLK_STS_RESOURCE; ++ ++reject_io: ++ nvme_req(rq)->status = NVME_SC_ABORT_REQ; ++ return BLK_STS_IOERR; ++} ++EXPORT_SYMBOL_GPL(nvmf_check_if_ready); ++ + static const match_table_t opt_tokens = { + { NVMF_OPT_TRANSPORT, "transport=%s" }, + { NVMF_OPT_TRADDR, "traddr=%s" }, +--- a/drivers/nvme/host/fabrics.h ++++ b/drivers/nvme/host/fabrics.h +@@ -157,36 +157,7 @@ void nvmf_unregister_transport(struct nv + void nvmf_free_options(struct nvmf_ctrl_options *opts); + int nvmf_get_address(struct nvme_ctrl *ctrl, char *buf, int size); + bool nvmf_should_reconnect(struct nvme_ctrl *ctrl); +- +-static inline blk_status_t nvmf_check_init_req(struct nvme_ctrl *ctrl, +- struct request *rq) +-{ +- struct nvme_command *cmd = nvme_req(rq)->cmd; +- +- /* +- * We cannot accept any other command until the connect command has +- * completed, so only allow connect to pass. +- */ +- if (!blk_rq_is_passthrough(rq) || +- cmd->common.opcode != nvme_fabrics_command || +- cmd->fabrics.fctype != nvme_fabrics_type_connect) { +- /* +- * Connecting state means transport disruption or initial +- * establishment, which can take a long time and even might +- * fail permanently, fail fast to give upper layers a chance +- * to failover. +- * Deleting state means that the ctrl will never accept commands +- * again, fail it permanently. +- */ +- if (ctrl->state == NVME_CTRL_CONNECTING || +- ctrl->state == NVME_CTRL_DELETING) { +- nvme_req(rq)->status = NVME_SC_ABORT_REQ; +- return BLK_STS_IOERR; +- } +- return BLK_STS_RESOURCE; /* try again later */ +- } +- +- return BLK_STS_OK; +-} ++blk_status_t nvmf_check_if_ready(struct nvme_ctrl *ctrl, ++ struct request *rq, bool queue_live, bool is_connected); + + #endif /* _NVME_FABRICS_H */ +--- a/drivers/nvme/host/fc.c ++++ b/drivers/nvme/host/fc.c +@@ -2284,14 +2284,6 @@ nvme_fc_start_fcp_op(struct nvme_fc_ctrl + return BLK_STS_OK; + } + +-static inline blk_status_t nvme_fc_is_ready(struct nvme_fc_queue *queue, +- struct request *rq) +-{ +- if (unlikely(!test_bit(NVME_FC_Q_LIVE, &queue->flags))) +- return nvmf_check_init_req(&queue->ctrl->ctrl, rq); +- return BLK_STS_OK; +-} +- + static blk_status_t + nvme_fc_queue_rq(struct blk_mq_hw_ctx *hctx, + const struct blk_mq_queue_data *bd) +@@ -2307,7 +2299,9 @@ nvme_fc_queue_rq(struct blk_mq_hw_ctx *h + u32 data_len; + blk_status_t ret; + +- ret = nvme_fc_is_ready(queue, rq); ++ ret = nvmf_check_if_ready(&queue->ctrl->ctrl, rq, ++ test_bit(NVME_FC_Q_LIVE, &queue->flags), ++ ctrl->rport->remoteport.port_state == FC_OBJSTATE_ONLINE); + if (unlikely(ret)) + return ret; + +--- a/drivers/nvme/host/nvme.h ++++ b/drivers/nvme/host/nvme.h +@@ -104,6 +104,7 @@ struct nvme_request { + + enum { + NVME_REQ_CANCELLED = (1 << 0), ++ NVME_REQ_USERCMD = (1 << 1), + }; + + static inline struct nvme_request *nvme_req(struct request *req) +--- a/drivers/nvme/host/rdma.c ++++ b/drivers/nvme/host/rdma.c +@@ -1594,17 +1594,6 @@ nvme_rdma_timeout(struct request *rq, bo + return BLK_EH_HANDLED; + } + +-/* +- * We cannot accept any other command until the Connect command has completed. +- */ +-static inline blk_status_t +-nvme_rdma_is_ready(struct nvme_rdma_queue *queue, struct request *rq) +-{ +- if (unlikely(!test_bit(NVME_RDMA_Q_LIVE, &queue->flags))) +- return nvmf_check_init_req(&queue->ctrl->ctrl, rq); +- return BLK_STS_OK; +-} +- + static blk_status_t nvme_rdma_queue_rq(struct blk_mq_hw_ctx *hctx, + const struct blk_mq_queue_data *bd) + { +@@ -1620,7 +1609,8 @@ static blk_status_t nvme_rdma_queue_rq(s + + WARN_ON_ONCE(rq->tag < 0); + +- ret = nvme_rdma_is_ready(queue, rq); ++ ret = nvmf_check_if_ready(&queue->ctrl->ctrl, rq, ++ test_bit(NVME_RDMA_Q_LIVE, &queue->flags), true); + if (unlikely(ret)) + return ret; + +--- a/drivers/nvme/target/loop.c ++++ b/drivers/nvme/target/loop.c +@@ -149,14 +149,6 @@ nvme_loop_timeout(struct request *rq, bo + return BLK_EH_HANDLED; + } + +-static inline blk_status_t nvme_loop_is_ready(struct nvme_loop_queue *queue, +- struct request *rq) +-{ +- if (unlikely(!test_bit(NVME_LOOP_Q_LIVE, &queue->flags))) +- return nvmf_check_init_req(&queue->ctrl->ctrl, rq); +- return BLK_STS_OK; +-} +- + static blk_status_t nvme_loop_queue_rq(struct blk_mq_hw_ctx *hctx, + const struct blk_mq_queue_data *bd) + { +@@ -166,7 +158,8 @@ static blk_status_t nvme_loop_queue_rq(s + struct nvme_loop_iod *iod = blk_mq_rq_to_pdu(req); + blk_status_t ret; + +- ret = nvme_loop_is_ready(queue, req); ++ ret = nvmf_check_if_ready(&queue->ctrl->ctrl, req, ++ test_bit(NVME_LOOP_Q_LIVE, &queue->flags), true); + if (unlikely(ret)) + return ret; + diff --git a/queue-4.16/nvme-pci-disable-apst-for-samsung-nvme-ssd-960-evo-asus-prime-z370-a.patch b/queue-4.16/nvme-pci-disable-apst-for-samsung-nvme-ssd-960-evo-asus-prime-z370-a.patch new file mode 100644 index 00000000000..a5d1cbddd57 --- /dev/null +++ b/queue-4.16/nvme-pci-disable-apst-for-samsung-nvme-ssd-960-evo-asus-prime-z370-a.patch @@ -0,0 +1,45 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: "Jarosław Janik" +Date: Sun, 11 Mar 2018 19:51:56 +0100 +Subject: nvme-pci: disable APST for Samsung NVMe SSD 960 EVO + ASUS PRIME Z370-A + +From: "Jarosław Janik" + +[ Upstream commit 467c77d4cbefaaf65e2f44fe102d543a52fcae5b ] + +Yet another "incompatible" Samsung NVMe SSD 960 EVO and Asus motherboard +combination. 960 EVO device disappears from PCIe bus within few minutes +after boot-up when APST is in use and never gets back. Forcing +NVME_QUIRK_NO_APST is the only way to make this drive work with this +particular motherboard. NVME_QUIRK_NO_DEEPEST_PS doesn't work, upgrading +motherboard's BIOS didn't help either. +Since this is a desktop motherboard, the only drawback of not using APST +is increased device temperature. + +Signed-off-by: Jarosław Janik +Signed-off-by: Keith Busch +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/pci.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -2461,10 +2461,13 @@ static unsigned long check_vendor_combin + } else if (pdev->vendor == 0x144d && pdev->device == 0xa804) { + /* + * Samsung SSD 960 EVO drops off the PCIe bus after system +- * suspend on a Ryzen board, ASUS PRIME B350M-A. ++ * suspend on a Ryzen board, ASUS PRIME B350M-A, as well as ++ * within few minutes after bootup on a Coffee Lake board - ++ * ASUS PRIME Z370-A + */ + if (dmi_match(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC.") && +- dmi_match(DMI_BOARD_NAME, "PRIME B350M-A")) ++ (dmi_match(DMI_BOARD_NAME, "PRIME B350M-A") || ++ dmi_match(DMI_BOARD_NAME, "PRIME Z370-A"))) + return NVME_QUIRK_NO_APST; + } + diff --git a/queue-4.16/nvme_fc-fix-abort-race-on-teardown-with-lld-reject.patch b/queue-4.16/nvme_fc-fix-abort-race-on-teardown-with-lld-reject.patch new file mode 100644 index 00000000000..3176f6c0389 --- /dev/null +++ b/queue-4.16/nvme_fc-fix-abort-race-on-teardown-with-lld-reject.patch @@ -0,0 +1,53 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: James Smart +Date: Wed, 28 Feb 2018 14:49:10 -0800 +Subject: nvme_fc: fix abort race on teardown with lld reject + +From: James Smart + +[ Upstream commit b12740d316fa89f3f6191b71f986cf3b9383d379 ] + +Another abort race: An io request is started, becomes active, +and is attempted to be started with the lldd. At the same time +the controller is stopped/torndown and an itterator is run to +abort the ios. As the io is active, it is added to the outstanding +aborted io count. However on the original io request thread, the +driver ends up rejecting the io due to the condition that induced +the controller teardown. The driver reject path didn't check whether +it was in the outstanding io count. This left the count outstanding +stopping controller teardown. + +Correct by, in the driver reject case, setting the state to +inactive and checking whether it was in the outstanding io count. + +Signed-off-by: James Smart +Reviewed-by: Sagi Grimberg +Signed-off-by: Keith Busch +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/fc.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/nvme/host/fc.c ++++ b/drivers/nvme/host/fc.c +@@ -2191,7 +2191,7 @@ nvme_fc_start_fcp_op(struct nvme_fc_ctrl + struct nvme_fc_cmd_iu *cmdiu = &op->cmd_iu; + struct nvme_command *sqe = &cmdiu->sqe; + u32 csn; +- int ret; ++ int ret, opstate; + + /* + * before attempting to send the io, check to see if we believe +@@ -2269,6 +2269,9 @@ nvme_fc_start_fcp_op(struct nvme_fc_ctrl + queue->lldd_handle, &op->fcp_req); + + if (ret) { ++ opstate = atomic_xchg(&op->state, FCPOP_STATE_COMPLETE); ++ __nvme_fc_fcpop_chk_teardowns(ctrl, op, opstate); ++ + if (!(op->flags & FCOP_FLAGS_AEN)) + nvme_fc_unmap_data(ctrl, op->rq, op); + diff --git a/queue-4.16/ocfs2-dlm-don-t-handle-migrate-lockres-if-already-in-shutdown.patch b/queue-4.16/ocfs2-dlm-don-t-handle-migrate-lockres-if-already-in-shutdown.patch new file mode 100644 index 00000000000..dbf78b78c22 --- /dev/null +++ b/queue-4.16/ocfs2-dlm-don-t-handle-migrate-lockres-if-already-in-shutdown.patch @@ -0,0 +1,133 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Jun Piao +Date: Thu, 5 Apr 2018 16:18:48 -0700 +Subject: ocfs2/dlm: don't handle migrate lockres if already in shutdown + +From: Jun Piao + +[ Upstream commit bb34f24c7d2c98d0c81838a7700e6068325b17a0 ] + +We should not handle migrate lockres if we are already in +'DLM_CTXT_IN_SHUTDOWN', as that will cause lockres remains after leaving +dlm domain. At last other nodes will get stuck into infinite loop when +requsting lock from us. + +The problem is caused by concurrency umount between nodes. Before +receiveing N1's DLM_BEGIN_EXIT_DOMAIN_MSG, N2 has picked up N1 as the +migrate target. So N2 will continue sending lockres to N1 even though +N1 has left domain. + + N1 N2 (owner) + touch file + + access the file, + and get pr lock + + begin leave domain and + pick up N1 as new owner + + begin leave domain and + migrate all lockres done + + begin migrate lockres to N1 + + end leave domain, but + the lockres left + unexpectedly, because + migrate task has passed + +[piaojun@huawei.com: v3] + Link: http://lkml.kernel.org/r/5A9CBD19.5020107@huawei.com +Link: http://lkml.kernel.org/r/5A99F028.2090902@huawei.com +Signed-off-by: Jun Piao +Reviewed-by: Yiwen Jiang +Reviewed-by: Joseph Qi +Reviewed-by: Changwei Ge +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/dlm/dlmdomain.c | 14 -------------- + fs/ocfs2/dlm/dlmdomain.h | 25 ++++++++++++++++++++++++- + fs/ocfs2/dlm/dlmrecovery.c | 9 +++++++++ + 3 files changed, 33 insertions(+), 15 deletions(-) + +--- a/fs/ocfs2/dlm/dlmdomain.c ++++ b/fs/ocfs2/dlm/dlmdomain.c +@@ -675,20 +675,6 @@ static void dlm_leave_domain(struct dlm_ + spin_unlock(&dlm->spinlock); + } + +-int dlm_shutting_down(struct dlm_ctxt *dlm) +-{ +- int ret = 0; +- +- spin_lock(&dlm_domain_lock); +- +- if (dlm->dlm_state == DLM_CTXT_IN_SHUTDOWN) +- ret = 1; +- +- spin_unlock(&dlm_domain_lock); +- +- return ret; +-} +- + void dlm_unregister_domain(struct dlm_ctxt *dlm) + { + int leave = 0; +--- a/fs/ocfs2/dlm/dlmdomain.h ++++ b/fs/ocfs2/dlm/dlmdomain.h +@@ -28,7 +28,30 @@ + extern spinlock_t dlm_domain_lock; + extern struct list_head dlm_domains; + +-int dlm_shutting_down(struct dlm_ctxt *dlm); ++static inline int dlm_joined(struct dlm_ctxt *dlm) ++{ ++ int ret = 0; ++ ++ spin_lock(&dlm_domain_lock); ++ if (dlm->dlm_state == DLM_CTXT_JOINED) ++ ret = 1; ++ spin_unlock(&dlm_domain_lock); ++ ++ return ret; ++} ++ ++static inline int dlm_shutting_down(struct dlm_ctxt *dlm) ++{ ++ int ret = 0; ++ ++ spin_lock(&dlm_domain_lock); ++ if (dlm->dlm_state == DLM_CTXT_IN_SHUTDOWN) ++ ret = 1; ++ spin_unlock(&dlm_domain_lock); ++ ++ return ret; ++} ++ + void dlm_fire_domain_eviction_callbacks(struct dlm_ctxt *dlm, + int node_num); + +--- a/fs/ocfs2/dlm/dlmrecovery.c ++++ b/fs/ocfs2/dlm/dlmrecovery.c +@@ -1378,6 +1378,15 @@ int dlm_mig_lockres_handler(struct o2net + if (!dlm_grab(dlm)) + return -EINVAL; + ++ if (!dlm_joined(dlm)) { ++ mlog(ML_ERROR, "Domain %s not joined! " ++ "lockres %.*s, master %u\n", ++ dlm->name, mres->lockname_len, ++ mres->lockname, mres->master); ++ dlm_put(dlm); ++ return -EINVAL; ++ } ++ + BUG_ON(!(mres->flags & (DLM_MRES_RECOVERY|DLM_MRES_MIGRATION))); + + real_master = mres->master; diff --git a/queue-4.16/parisc-pci-switch-lba-pci-bus-from-hard-fail-to-soft-fail-mode.patch b/queue-4.16/parisc-pci-switch-lba-pci-bus-from-hard-fail-to-soft-fail-mode.patch new file mode 100644 index 00000000000..1cc19ec5bbb --- /dev/null +++ b/queue-4.16/parisc-pci-switch-lba-pci-bus-from-hard-fail-to-soft-fail-mode.patch @@ -0,0 +1,62 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Helge Deller +Date: Sun, 25 Mar 2018 14:04:22 +0200 +Subject: parisc/pci: Switch LBA PCI bus from Hard Fail to Soft Fail mode + +From: Helge Deller + +[ Upstream commit b845f66f78bf42a4ce98e5cfe0e94fab41dd0742 ] + +Carlo Pisani noticed that his C3600 workstation behaved unstable during heavy +I/O on the PCI bus with a VIA VT6421 IDE/SATA PCI card. + +To avoid such instability, this patch switches the LBA PCI bus from Hard Fail +mode into Soft Fail mode. In this mode the bus will return -1UL for timed out +MMIO transactions, which is exactly how the x86 (and most other architectures) +PCI busses behave. + +This patch is based on a proposal by Grant Grundler and Kyle McMartin 10 +years ago: +https://www.spinics.net/lists/linux-parisc/msg01027.html + +Cc: Carlo Pisani +Cc: Kyle McMartin +Reviewed-by: Grant Grundler +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/parisc/lba_pci.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +--- a/drivers/parisc/lba_pci.c ++++ b/drivers/parisc/lba_pci.c +@@ -1403,9 +1403,27 @@ lba_hw_init(struct lba_device *d) + WRITE_REG32(stat, d->hba.base_addr + LBA_ERROR_CONFIG); + } + +- /* Set HF mode as the default (vs. -1 mode). */ ++ ++ /* ++ * Hard Fail vs. Soft Fail on PCI "Master Abort". ++ * ++ * "Master Abort" means the MMIO transaction timed out - usually due to ++ * the device not responding to an MMIO read. We would like HF to be ++ * enabled to find driver problems, though it means the system will ++ * crash with a HPMC. ++ * ++ * In SoftFail mode "~0L" is returned as a result of a timeout on the ++ * pci bus. This is like how PCI busses on x86 and most other ++ * architectures behave. In order to increase compatibility with ++ * existing (x86) PCI hardware and existing Linux drivers we enable ++ * Soft Faul mode on PA-RISC now too. ++ */ + stat = READ_REG32(d->hba.base_addr + LBA_STAT_CTL); ++#if defined(ENABLE_HARDFAIL) + WRITE_REG32(stat | HF_ENABLE, d->hba.base_addr + LBA_STAT_CTL); ++#else ++ WRITE_REG32(stat & ~HF_ENABLE, d->hba.base_addr + LBA_STAT_CTL); ++#endif + + /* + ** Writing a zero to STAT_CTL.rf (bit 0) will clear reset signal diff --git a/queue-4.16/pci-add-function-1-dma-alias-quirk-for-marvell-88se9220.patch b/queue-4.16/pci-add-function-1-dma-alias-quirk-for-marvell-88se9220.patch new file mode 100644 index 00000000000..c80d3f871b9 --- /dev/null +++ b/queue-4.16/pci-add-function-1-dma-alias-quirk-for-marvell-88se9220.patch @@ -0,0 +1,32 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Thomas Vincent-Cross +Date: Tue, 27 Feb 2018 20:20:36 +1100 +Subject: PCI: Add function 1 DMA alias quirk for Marvell 88SE9220 + +From: Thomas Vincent-Cross + +[ Upstream commit 832e4e1f76b8a84991e9db56fdcef1ebce839b8b ] + +Add Marvell 88SE9220 DMA quirk as found and tested on bug 42679. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=42679 +Signed-off-by: Thomas Vincent-Cross +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/quirks.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -3903,6 +3903,9 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_M + /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c46 */ + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x91a0, + quirk_dma_func1_alias); ++/* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c127 */ ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9220, ++ quirk_dma_func1_alias); + /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c49 */ + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9230, + quirk_dma_func1_alias); diff --git a/queue-4.16/pci-endpoint-fix-kernel-panic-after-put_device.patch b/queue-4.16/pci-endpoint-fix-kernel-panic-after-put_device.patch new file mode 100644 index 00000000000..2dd96a28506 --- /dev/null +++ b/queue-4.16/pci-endpoint-fix-kernel-panic-after-put_device.patch @@ -0,0 +1,37 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Rolf Evers-Fischer +Date: Wed, 28 Feb 2018 18:32:19 +0100 +Subject: PCI: endpoint: Fix kernel panic after put_device() + +From: Rolf Evers-Fischer + +[ Upstream commit 9eef6a5c3b0bf90eb292d462ea267bcb6ad1c334 ] + +'put_device()' calls the relase function 'pci_epf_dev_release()', +which already frees 'epf->name' and 'epf'. + +Therefore we must not free them again after 'put_device()'. + +Fixes: 5e8cb4033807 ("PCI: endpoint: Add EP core layer to enable EP controller and EP functions") + +Signed-off-by: Rolf Evers-Fischer +Signed-off-by: Lorenzo Pieralisi +Acked-by: Kishon Vijay Abraham I +Reviewed-by: Andy Shevchenko +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/endpoint/pci-epf-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pci/endpoint/pci-epf-core.c ++++ b/drivers/pci/endpoint/pci-epf-core.c +@@ -243,7 +243,7 @@ struct pci_epf *pci_epf_create(const cha + + put_dev: + put_device(dev); +- kfree(epf->name); ++ return ERR_PTR(ret); + + free_func_name: + kfree(func_name); diff --git a/queue-4.16/pci-restore-config-space-on-runtime-resume-despite-being-unbound.patch b/queue-4.16/pci-restore-config-space-on-runtime-resume-despite-being-unbound.patch new file mode 100644 index 00000000000..a061275cee4 --- /dev/null +++ b/queue-4.16/pci-restore-config-space-on-runtime-resume-despite-being-unbound.patch @@ -0,0 +1,87 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: "Rafael J. Wysocki" +Date: Sat, 3 Mar 2018 10:53:24 +0100 +Subject: PCI: Restore config space on runtime resume despite being unbound + +From: "Rafael J. Wysocki" + +[ Upstream commit 5775b843a619b3c93f946e2b55a208d9f0f48b59 ] + +We leave PCI devices not bound to a driver in D0 during runtime suspend. +But they may have a parent which is bound and can be transitioned to +D3cold at runtime. Once the parent goes to D3cold, the unbound child +may go to D3cold as well. When the child goes to D3cold, its internal +state, including configuration of BARs, MSI, ASPM, MPS, etc., is lost. + +One example are recent hybrid graphics laptops which cut power to the +discrete GPU when the root port above it goes to ACPI power state D3. +Users may provoke this by unbinding the GPU driver and allowing runtime +PM on the GPU via sysfs: The PM core will then treat the GPU as +"suspended", which in turn allows the root port to runtime suspend, +causing the power resources listed in its _PR3 object to be powered off. +The GPU's BARs will be uninitialized when a driver later probes it. + +Another example are hybrid graphics laptops where the GPU itself (rather +than the root port) is capable of runtime suspending to D3cold. If the +GPU's integrated HDA controller is not bound and the GPU's driver +decides to runtime suspend to D3cold, the HDA controller's BARs will be +uninitialized when a driver later probes it. + +Fix by saving and restoring config space over a runtime suspend cycle +even if the device is not bound. + +Acked-by: Bjorn Helgaas +Tested-by: Peter Wu # Nvidia Optimus +Tested-by: Lukas Wunner # MacBook Pro +Signed-off-by: Rafael J. Wysocki +[lukas: add commit message, bikeshed code comments for clarity] +Signed-off-by: Lukas Wunner +Link: https://patchwork.freedesktop.org/patch/msgid/92fb6e6ae2730915eb733c08e2f76c6a313e3860.1520068884.git.lukas@wunner.de +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/pci-driver.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +--- a/drivers/pci/pci-driver.c ++++ b/drivers/pci/pci-driver.c +@@ -1225,11 +1225,14 @@ static int pci_pm_runtime_suspend(struct + int error; + + /* +- * If pci_dev->driver is not set (unbound), the device should +- * always remain in D0 regardless of the runtime PM status ++ * If pci_dev->driver is not set (unbound), we leave the device in D0, ++ * but it may go to D3cold when the bridge above it runtime suspends. ++ * Save its config space in case that happens. + */ +- if (!pci_dev->driver) ++ if (!pci_dev->driver) { ++ pci_save_state(pci_dev); + return 0; ++ } + + if (!pm || !pm->runtime_suspend) + return -ENOSYS; +@@ -1277,16 +1280,18 @@ static int pci_pm_runtime_resume(struct + const struct dev_pm_ops *pm = dev->driver ? dev->driver->pm : NULL; + + /* +- * If pci_dev->driver is not set (unbound), the device should +- * always remain in D0 regardless of the runtime PM status ++ * Restoring config space is necessary even if the device is not bound ++ * to a driver because although we left it in D0, it may have gone to ++ * D3cold when the bridge above it runtime suspended. + */ ++ pci_restore_standard_config(pci_dev); ++ + if (!pci_dev->driver) + return 0; + + if (!pm || !pm->runtime_resume) + return -ENOSYS; + +- pci_restore_standard_config(pci_dev); + pci_fixup_device(pci_fixup_resume_early, pci_dev); + pci_enable_wake(pci_dev, PCI_D0, false); + pci_fixup_device(pci_fixup_resume, pci_dev); diff --git a/queue-4.16/pcmcia-pm-avoid-noirq-suspend-aborts-during-suspend-to-idle.patch b/queue-4.16/pcmcia-pm-avoid-noirq-suspend-aborts-during-suspend-to-idle.patch new file mode 100644 index 00000000000..82322129a9f --- /dev/null +++ b/queue-4.16/pcmcia-pm-avoid-noirq-suspend-aborts-during-suspend-to-idle.patch @@ -0,0 +1,99 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: "Rafael J. Wysocki" +Date: Wed, 21 Feb 2018 13:24:16 +0100 +Subject: PCMCIA / PM: Avoid noirq suspend aborts during suspend-to-idle + +From: "Rafael J. Wysocki" + +[ Upstream commit dbdd0f58fd2cdde5cf945c9da67a2d52d32ba550 ] + +There is a problem with PCMCIA system resume callbacks with respect +to suspend-to-idle in which the ->suspend_noirq() callback may be +invoked after the ->resume_noirq() one without resuming the system +entirely in some cases. This doesn't work for PCMCIA because of +the lack of symmetry between its system suspend and system resume +"noirq" callbacks. + +The system resume handling in PCMCIA is split between +socket_early_resume() and socket_late_resume() which are called in +different phases of system resume and both need to run for +socket_suspend() (invoked by the system suspend "noirq" callback) +to work. Specifically, socket_suspend() returns an error when +called after socket_early_resume() without socket_late_resume(), +so if the suspend-to-idle core detects a spurious wakeup event and +attempts to put the system back to sleep, that is aborted by the +error coming from socket_suspend(). + +Avoid that by using a new socket state flag, SOCKET_IN_RESUME, +to indicate that socket_early_resume() has already run for the +socket in which case socket_suspend() will do minimum handling +and return 0. + +This change has been tested on my venerable Toshiba Portege R500 +(which is where the problem has been discovered in the first place), +but admittedly I have no PCMCIA cards to test along with the socket +itself. + +Fixes: 33e4f80ee69b (ACPI / PM: Ignore spurious SCI wakeups from suspend-to-idle) +Signed-off-by: Rafael J. Wysocki +[linux@dominikbrodowski.net: follow same codepaths for both suspend variants; call ->suspend()] +Signed-off-by: Dominik Brodowski +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pcmcia/cs.c | 10 +++++++--- + drivers/pcmcia/cs_internal.h | 1 + + 2 files changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/pcmcia/cs.c ++++ b/drivers/pcmcia/cs.c +@@ -452,17 +452,20 @@ static int socket_insert(struct pcmcia_s + + static int socket_suspend(struct pcmcia_socket *skt) + { +- if (skt->state & SOCKET_SUSPEND) ++ if ((skt->state & SOCKET_SUSPEND) && !(skt->state & SOCKET_IN_RESUME)) + return -EBUSY; + + mutex_lock(&skt->ops_mutex); +- skt->suspended_state = skt->state; ++ /* store state on first suspend, but not after spurious wakeups */ ++ if (!(skt->state & SOCKET_IN_RESUME)) ++ skt->suspended_state = skt->state; + + skt->socket = dead_socket; + skt->ops->set_socket(skt, &skt->socket); + if (skt->ops->suspend) + skt->ops->suspend(skt); + skt->state |= SOCKET_SUSPEND; ++ skt->state &= ~SOCKET_IN_RESUME; + mutex_unlock(&skt->ops_mutex); + return 0; + } +@@ -475,6 +478,7 @@ static int socket_early_resume(struct pc + skt->ops->set_socket(skt, &skt->socket); + if (skt->state & SOCKET_PRESENT) + skt->resume_status = socket_setup(skt, resume_delay); ++ skt->state |= SOCKET_IN_RESUME; + mutex_unlock(&skt->ops_mutex); + return 0; + } +@@ -484,7 +488,7 @@ static int socket_late_resume(struct pcm + int ret = 0; + + mutex_lock(&skt->ops_mutex); +- skt->state &= ~SOCKET_SUSPEND; ++ skt->state &= ~(SOCKET_SUSPEND | SOCKET_IN_RESUME); + mutex_unlock(&skt->ops_mutex); + + if (!(skt->state & SOCKET_PRESENT)) { +--- a/drivers/pcmcia/cs_internal.h ++++ b/drivers/pcmcia/cs_internal.h +@@ -70,6 +70,7 @@ struct pccard_resource_ops { + /* Flags in socket state */ + #define SOCKET_PRESENT 0x0008 + #define SOCKET_INUSE 0x0010 ++#define SOCKET_IN_RESUME 0x0040 + #define SOCKET_SUSPEND 0x0080 + #define SOCKET_WIN_REQ(i) (0x0100<<(i)) + #define SOCKET_CARDBUS 0x8000 diff --git a/queue-4.16/perf-clang-add-support-for-recent-clang-versions.patch b/queue-4.16/perf-clang-add-support-for-recent-clang-versions.patch new file mode 100644 index 00000000000..57c77177a23 --- /dev/null +++ b/queue-4.16/perf-clang-add-support-for-recent-clang-versions.patch @@ -0,0 +1,122 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Sandipan Das +Date: Wed, 4 Apr 2018 23:34:18 +0530 +Subject: perf clang: Add support for recent clang versions + +From: Sandipan Das + +[ Upstream commit 7854e499f33fd9c7e63288692ffb754d9b1d02fd ] + +The clang API calls used by perf have changed in recent releases and +builds succeed with libclang-3.9 only. This introduces compatibility +with libclang-4.0 and above. + +Without this patch, we will see the following compilation errors with +libclang-4.0+: + + util/c++/clang.cpp: In function ‘clang::CompilerInvocation* perf::createCompilerInvocation(llvm::opt::ArgStringList, llvm::StringRef&, clang::DiagnosticsEngine&)’: + util/c++/clang.cpp:62:33: error: ‘IK_C’ was not declared in this scope + Opts.Inputs.emplace_back(Path, IK_C); + ^~~~ + util/c++/clang.cpp: In function ‘std::unique_ptr perf::getModuleFromSource(llvm::opt::ArgStringList, llvm::StringRef, llvm::IntrusiveRefCntPtr)’: + util/c++/clang.cpp:75:26: error: no matching function for call to ‘clang::CompilerInstance::setInvocation(clang::CompilerInvocation*)’ + Clang.setInvocation(&*CI); + ^ + In file included from util/c++/clang.cpp:14:0: + /usr/include/clang/Frontend/CompilerInstance.h:231:8: note: candidate: void clang::CompilerInstance::setInvocation(std::shared_ptr) + void setInvocation(std::shared_ptr Value); + ^~~~~~~~~~~~~ + +Committer testing: + +Tested on Fedora 27 after installing the clang-devel and llvm-devel +packages, versions: + + # rpm -qa | egrep llvm\|clang + llvm-5.0.1-6.fc27.x86_64 + clang-libs-5.0.1-5.fc27.x86_64 + clang-5.0.1-5.fc27.x86_64 + clang-tools-extra-5.0.1-5.fc27.x86_64 + llvm-libs-5.0.1-6.fc27.x86_64 + llvm-devel-5.0.1-6.fc27.x86_64 + clang-devel-5.0.1-5.fc27.x86_64 + # + +Make sure you don't have some older version lying around in /usr/local, +etc, then: + + $ make LIBCLANGLLVM=1 -C tools/perf install-bin + +And in the end perf will be linked agains these libraries: + + # ldd ~/bin/perf | egrep -i llvm\|clang + libclangAST.so.5 => /lib64/libclangAST.so.5 (0x00007f8bb2eb4000) + libclangBasic.so.5 => /lib64/libclangBasic.so.5 (0x00007f8bb29e3000) + libclangCodeGen.so.5 => /lib64/libclangCodeGen.so.5 (0x00007f8bb23f7000) + libclangDriver.so.5 => /lib64/libclangDriver.so.5 (0x00007f8bb2060000) + libclangFrontend.so.5 => /lib64/libclangFrontend.so.5 (0x00007f8bb1d06000) + libclangLex.so.5 => /lib64/libclangLex.so.5 (0x00007f8bb1a3e000) + libclangTooling.so.5 => /lib64/libclangTooling.so.5 (0x00007f8bb17d4000) + libclangEdit.so.5 => /lib64/libclangEdit.so.5 (0x00007f8bb15c5000) + libclangSema.so.5 => /lib64/libclangSema.so.5 (0x00007f8bb0cc9000) + libclangAnalysis.so.5 => /lib64/libclangAnalysis.so.5 (0x00007f8bb0a23000) + libclangParse.so.5 => /lib64/libclangParse.so.5 (0x00007f8bb0725000) + libclangSerialization.so.5 => /lib64/libclangSerialization.so.5 (0x00007f8bb039a000) + libLLVM-5.0.so => /lib64/libLLVM-5.0.so (0x00007f8bace98000) + libclangASTMatchers.so.5 => /lib64/../lib64/libclangASTMatchers.so.5 (0x00007f8bab735000) + libclangFormat.so.5 => /lib64/../lib64/libclangFormat.so.5 (0x00007f8bab4b2000) + libclangRewrite.so.5 => /lib64/../lib64/libclangRewrite.so.5 (0x00007f8bab2a1000) + libclangToolingCore.so.5 => /lib64/../lib64/libclangToolingCore.so.5 (0x00007f8bab08e000) + # + +Signed-off-by: Sandipan Das +Tested-by: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Naveen N. Rao +Fixes: 00b86691c77c ("perf clang: Add builtin clang support ant test case") +Link: http://lkml.kernel.org/r/20180404180419.19056-2-sandipan@linux.vnet.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/c++/clang.cpp | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/tools/perf/util/c++/clang.cpp ++++ b/tools/perf/util/c++/clang.cpp +@@ -9,6 +9,7 @@ + * Copyright (C) 2016 Huawei Inc. + */ + ++#include "clang/Basic/Version.h" + #include "clang/CodeGen/CodeGenAction.h" + #include "clang/Frontend/CompilerInvocation.h" + #include "clang/Frontend/CompilerInstance.h" +@@ -58,7 +59,8 @@ createCompilerInvocation(llvm::opt::ArgS + + FrontendOptions& Opts = CI->getFrontendOpts(); + Opts.Inputs.clear(); +- Opts.Inputs.emplace_back(Path, IK_C); ++ Opts.Inputs.emplace_back(Path, ++ FrontendOptions::getInputKindForExtension("c")); + return CI; + } + +@@ -71,10 +73,17 @@ getModuleFromSource(llvm::opt::ArgString + + Clang.setVirtualFileSystem(&*VFS); + ++#if CLANG_VERSION_MAJOR < 4 + IntrusiveRefCntPtr CI = + createCompilerInvocation(std::move(CFlags), Path, + Clang.getDiagnostics()); + Clang.setInvocation(&*CI); ++#else ++ std::shared_ptr CI( ++ createCompilerInvocation(std::move(CFlags), Path, ++ Clang.getDiagnostics())); ++ Clang.setInvocation(CI); ++#endif + + std::unique_ptr Act(new EmitLLVMOnlyAction(&*LLVMCtx)); + if (!Clang.ExecuteAction(*Act)) diff --git a/queue-4.16/perf-core-fix-installing-cgroup-events-on-cpu.patch b/queue-4.16/perf-core-fix-installing-cgroup-events-on-cpu.patch new file mode 100644 index 00000000000..22b99efffa1 --- /dev/null +++ b/queue-4.16/perf-core-fix-installing-cgroup-events-on-cpu.patch @@ -0,0 +1,112 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: "leilei.lin" +Date: Tue, 6 Mar 2018 17:36:37 +0800 +Subject: perf/core: Fix installing cgroup events on CPU + +From: "leilei.lin" + +[ Upstream commit 33801b94741d6c3be9713c10aa627477216c21e2 ] + +There's two problems when installing cgroup events on CPUs: firstly +list_update_cgroup_event() only tries to set cpuctx->cgrp for the +first event, if that mismatches on @cgrp we'll not try again for later +additions. + +Secondly, when we install a cgroup event into an active context, only +issue an event reprogram when the event matches the current cgroup +context. This avoids a pointless event reprogramming. + +Signed-off-by: leilei.lin +[ Improved the changelog and comments. ] +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Cc: brendan.d.gregg@gmail.com +Cc: eranian@gmail.com +Cc: linux-kernel@vger.kernel.org +Cc: yang_oliver@hotmail.com +Link: http://lkml.kernel.org/r/20180306093637.28247-1-linxiulei@gmail.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/events/core.c | 46 +++++++++++++++++++++++++++++++++++----------- + 1 file changed, 35 insertions(+), 11 deletions(-) + +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -948,27 +948,39 @@ list_update_cgroup_event(struct perf_eve + if (!is_cgroup_event(event)) + return; + +- if (add && ctx->nr_cgroups++) +- return; +- else if (!add && --ctx->nr_cgroups) +- return; + /* + * Because cgroup events are always per-cpu events, + * this will always be called from the right CPU. + */ + cpuctx = __get_cpu_context(ctx); +- cpuctx_entry = &cpuctx->cgrp_cpuctx_entry; +- /* cpuctx->cgrp is NULL unless a cgroup event is active in this CPU .*/ +- if (add) { ++ ++ /* ++ * Since setting cpuctx->cgrp is conditional on the current @cgrp ++ * matching the event's cgroup, we must do this for every new event, ++ * because if the first would mismatch, the second would not try again ++ * and we would leave cpuctx->cgrp unset. ++ */ ++ if (add && !cpuctx->cgrp) { + struct perf_cgroup *cgrp = perf_cgroup_from_task(current, ctx); + +- list_add(cpuctx_entry, this_cpu_ptr(&cgrp_cpuctx_list)); + if (cgroup_is_descendant(cgrp->css.cgroup, event->cgrp->css.cgroup)) + cpuctx->cgrp = cgrp; +- } else { +- list_del(cpuctx_entry); +- cpuctx->cgrp = NULL; + } ++ ++ if (add && ctx->nr_cgroups++) ++ return; ++ else if (!add && --ctx->nr_cgroups) ++ return; ++ ++ /* no cgroup running */ ++ if (!add) ++ cpuctx->cgrp = NULL; ++ ++ cpuctx_entry = &cpuctx->cgrp_cpuctx_entry; ++ if (add) ++ list_add(cpuctx_entry, this_cpu_ptr(&cgrp_cpuctx_list)); ++ else ++ list_del(cpuctx_entry); + } + + #else /* !CONFIG_CGROUP_PERF */ +@@ -2328,6 +2340,18 @@ static int __perf_install_in_context(vo + raw_spin_lock(&task_ctx->lock); + } + ++#ifdef CONFIG_CGROUP_PERF ++ if (is_cgroup_event(event)) { ++ /* ++ * If the current cgroup doesn't match the event's ++ * cgroup, we should not try to schedule it. ++ */ ++ struct perf_cgroup *cgrp = perf_cgroup_from_task(current, ctx); ++ reprogram = cgroup_is_descendant(cgrp->css.cgroup, ++ event->cgrp->css.cgroup); ++ } ++#endif ++ + if (reprogram) { + ctx_sched_out(ctx, cpuctx, EVENT_TIME); + add_event_to_ctx(event, ctx); diff --git a/queue-4.16/perf-core-fix-perf_output_read_group.patch b/queue-4.16/perf-core-fix-perf_output_read_group.patch new file mode 100644 index 00000000000..ecd1970c173 --- /dev/null +++ b/queue-4.16/perf-core-fix-perf_output_read_group.patch @@ -0,0 +1,78 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Peter Zijlstra +Date: Fri, 9 Mar 2018 12:52:04 +0100 +Subject: perf/core: Fix perf_output_read_group() + +From: Peter Zijlstra + +[ Upstream commit 9e5b127d6f33468143d90c8a45ca12410e4c3fa7 ] + +Mark reported his arm64 perf fuzzer runs sometimes splat like: + + armv8pmu_read_counter+0x1e8/0x2d8 + armpmu_event_update+0x8c/0x188 + armpmu_read+0xc/0x18 + perf_output_read+0x550/0x11e8 + perf_event_read_event+0x1d0/0x248 + perf_event_exit_task+0x468/0xbb8 + do_exit+0x690/0x1310 + do_group_exit+0xd0/0x2b0 + get_signal+0x2e8/0x17a8 + do_signal+0x144/0x4f8 + do_notify_resume+0x148/0x1e8 + work_pending+0x8/0x14 + +which asserts that we only call pmu::read() on ACTIVE events. + +The above callchain does: + + perf_event_exit_task() + perf_event_exit_task_context() + task_ctx_sched_out() // INACTIVE + perf_event_exit_event() + perf_event_set_state(EXIT) // EXIT + sync_child_event() + perf_event_read_event() + perf_output_read() + perf_output_read_group() + leader->pmu->read() + +Which results in doing a pmu::read() on an !ACTIVE event. + +I _think_ this is 'new' since we added attr.inherit_stat, which added +the perf_event_read_event() to the exit path, without that +perf_event_read_output() would only trigger from samples and for +@event to trigger a sample, it's leader _must_ be ACTIVE too. + +Still, adding this check makes it consistent with the @sub case for +the siblings. + +Reported-and-Tested-by: Mark Rutland +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/events/core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -5770,7 +5770,8 @@ static void perf_output_read_group(struc + if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) + values[n++] = running; + +- if (leader != event) ++ if ((leader != event) && ++ (leader->state == PERF_EVENT_STATE_ACTIVE)) + leader->pmu->read(leader); + + values[n++] = perf_event_count(leader); diff --git a/queue-4.16/perf-mmap-fix-accessing-unmapped-mmap-in-perf_mmap__read_done.patch b/queue-4.16/perf-mmap-fix-accessing-unmapped-mmap-in-perf_mmap__read_done.patch new file mode 100644 index 00000000000..25643215878 --- /dev/null +++ b/queue-4.16/perf-mmap-fix-accessing-unmapped-mmap-in-perf_mmap__read_done.patch @@ -0,0 +1,44 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Kan Liang +Date: Mon, 26 Mar 2018 09:42:09 -0400 +Subject: perf mmap: Fix accessing unmapped mmap in perf_mmap__read_done() + +From: Kan Liang + +[ Upstream commit f58385f629c87a9e210108b39c1f4950d0363ad2 ] + +There is a segmentation fault when running 'perf trace'. For example: + + [root@jouet e]# perf trace -e *chdir -o /tmp/bla perf report --ignore-vmlinux -i ../perf.data + +The perf_mmap__consume() could unmap the mmap. It needs to check the +refcnt in perf_mmap__read_done(). + +Reported-by: Arnaldo Carvalho de Melo +Signed-off-by: Kan Liang +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Wang Nan +Fixes: ee023de05f35 ("perf mmap: Introduce perf_mmap__read_done()") +Link: http://lkml.kernel.org/r/1522071729-16776-1-git-send-email-kan.liang@linux.intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/mmap.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/tools/perf/util/mmap.c ++++ b/tools/perf/util/mmap.c +@@ -344,5 +344,11 @@ out: + */ + void perf_mmap__read_done(struct perf_mmap *map) + { ++ /* ++ * Check if event was unmapped due to a POLLHUP/POLLERR. ++ */ ++ if (!refcount_read(&map->refcnt)) ++ return; ++ + map->prev = perf_mmap__read_head(map); + } diff --git a/queue-4.16/perf-report-fix-memory-corruption-in-branch-history-mode-branch-history.patch b/queue-4.16/perf-report-fix-memory-corruption-in-branch-history-mode-branch-history.patch new file mode 100644 index 00000000000..ab56af16491 --- /dev/null +++ b/queue-4.16/perf-report-fix-memory-corruption-in-branch-history-mode-branch-history.patch @@ -0,0 +1,101 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Jiri Olsa +Date: Fri, 16 Feb 2018 13:36:19 +0100 +Subject: perf report: Fix memory corruption in --branch-history mode --branch-history + +From: Jiri Olsa + +[ Upstream commit e3ebaa465136ecfedf9c6f4671df02bf625f8125 ] + +Jin Yao reported memory corrupton in perf report with +branch info used for stack trace: + + > Following command lines will cause perf crash. + + > perf record -j call -g -a + > perf report --branch-history + > + > *** Error in `perf': double free or corruption (!prev): 0x00000000104aa040 *** + > ======= Backtrace: ========= + > /lib/x86_64-linux-gnu/libc.so.6(+0x77725)[0x7f6b37254725] + > /lib/x86_64-linux-gnu/libc.so.6(+0x7ff4a)[0x7f6b3725cf4a] + > /lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f6b37260abc] + > perf[0x51b914] + > perf(hist_entry_iter__add+0x1e5)[0x51f305] + > perf[0x43cf01] + > perf[0x4fa3bf] + > perf[0x4fa923] + > perf[0x4fd396] + > perf[0x4f9614] + > perf(perf_session__process_events+0x89e)[0x4fc38e] + > perf(cmd_report+0x15d2)[0x43f202] + > perf[0x4a059f] + > perf(main+0x631)[0x427b71] + > /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f6b371fd830] + > perf(_start+0x29)[0x427d89] + +For the cumulative output, we allocate the he_cache array based on the +--max-stack option value and populate it with data from 'callchain_cursor'. + +The --max-stack option value does not ensure now the limit for number of +callchain_cursor nodes, so the cumulative iter code will allocate smaller array +than it's actually needed and cause above corruption. + +I think the --max-stack limit does not apply here anyway, because we add +callchain data as normal hist entries, while the --max-stack control the limit +of single entry callchain depth. + +Using the callchain_cursor.nr as he_cache array count to fix this. Also +removing struct hist_entry_iter::max_stack, because there's no longer any use +for it. + +We need more fixes to ensure that the branch stack code follows properly the +logic of --max-stack, which is not the case at the moment. + +Original-patch-by: Jin Yao +Signed-off-by: Jiri Olsa +Reported-by: Jin Yao +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/20180216123619.GA9945@krava +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/hist.c | 4 +--- + tools/perf/util/hist.h | 1 - + 2 files changed, 1 insertion(+), 4 deletions(-) + +--- a/tools/perf/util/hist.c ++++ b/tools/perf/util/hist.c +@@ -879,7 +879,7 @@ iter_prepare_cumulative_entry(struct his + * cumulated only one time to prevent entries more than 100% + * overhead. + */ +- he_cache = malloc(sizeof(*he_cache) * (iter->max_stack + 1)); ++ he_cache = malloc(sizeof(*he_cache) * (callchain_cursor.nr + 1)); + if (he_cache == NULL) + return -ENOMEM; + +@@ -1045,8 +1045,6 @@ int hist_entry_iter__add(struct hist_ent + if (err) + return err; + +- iter->max_stack = max_stack_depth; +- + err = iter->ops->prepare_entry(iter, al); + if (err) + goto out; +--- a/tools/perf/util/hist.h ++++ b/tools/perf/util/hist.h +@@ -107,7 +107,6 @@ struct hist_entry_iter { + int curr; + + bool hide_unresolved; +- int max_stack; + + struct perf_evsel *evsel; + struct perf_sample *sample; diff --git a/queue-4.16/perf-report-fix-wrong-jump-arrow.patch b/queue-4.16/perf-report-fix-wrong-jump-arrow.patch new file mode 100644 index 00000000000..7f9dcdaac38 --- /dev/null +++ b/queue-4.16/perf-report-fix-wrong-jump-arrow.patch @@ -0,0 +1,124 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Jin Yao +Date: Mon, 29 Jan 2018 18:57:53 +0800 +Subject: perf report: Fix wrong jump arrow + +From: Jin Yao + +[ Upstream commit b40982e8468b46b8f7f5bba5a7e541ec04a29d7d ] + +When we use perf report interactive annotate view, we can see +the position of jump arrow is not correct. For example, + +1. perf record -b ... +2. perf report +3. In interactive mode, select Annotate 'function' + +Percent│ IPC Cycle + │ if (flag) + 1.37 │0.4┌── 1 ↓ je 82 + │ │ x += x / y + y / x; + 0.00 │0.4│ 1310 movsd (%rsp),%xmm0 + 0.00 │0.4│ 565 movsd 0x8(%rsp),%xmm4 + │0.4│ movsd 0x8(%rsp),%xmm1 + │0.4│ movsd (%rsp),%xmm3 + │0.4│ divsd %xmm4,%xmm0 + 0.00 │0.4│ 579 divsd %xmm3,%xmm1 + │0.4│ movsd (%rsp),%xmm2 + │0.4│ addsd %xmm1,%xmm0 + │0.4│ addsd %xmm2,%xmm0 + 0.00 │0.4│ movsd %xmm0,(%rsp) + │ │ volatile double x = 1212121212, y = 121212; + │ │ + │ │ s_randseed = time(0); + │ │ srand(s_randseed); + │ │ + │ │ for (i = 0; i < 2000000000; i++) { + 1.37 │0.4└─→ 82: sub $0x1,%ebx + 28.21 │0.48 17 ↑ jne 38 + +The jump arrow in above example is not correct. It should add the +width of IPC and Cycle. + +With this patch, the result is: + +Percent│ IPC Cycle + │ if (flag) + 1.37 │0.48 1 ┌──je 82 + │ │ x += x / y + y / x; + 0.00 │0.48 1310 │ movsd (%rsp),%xmm0 + 0.00 │0.48 565 │ movsd 0x8(%rsp),%xmm4 + │0.48 │ movsd 0x8(%rsp),%xmm1 + │0.48 │ movsd (%rsp),%xmm3 + │0.48 │ divsd %xmm4,%xmm0 + 0.00 │0.48 579 │ divsd %xmm3,%xmm1 + │0.48 │ movsd (%rsp),%xmm2 + │0.48 │ addsd %xmm1,%xmm0 + │0.48 │ addsd %xmm2,%xmm0 + 0.00 │0.48 │ movsd %xmm0,(%rsp) + │ │ volatile double x = 1212121212, y = 121212; + │ │ + │ │ s_randseed = time(0); + │ │ srand(s_randseed); + │ │ + │ │ for (i = 0; i < 2000000000; i++) { + 1.37 │0.48 82:└─→sub $0x1,%ebx + 28.21 │0.48 17 ↑ jne 38 + +Committer notes: + +Please note that only from LBRv5 (according to Jiri) onwards, i.e. >= +Skylake is that we'll have the cycles counts in each branch record +entry, so to see the Cycles and IPC columns, and be able to test this +patch, one need a capable hardware. + +While applying this I first tested it on a Broadwell class machine and +couldn't get those columns, will add code to the annotate browser to +warn the user about that, i.e. you have branch records, but no cycles, +use a more recent hardware to get the cycles and IPC columns. + +Signed-off-by: Jin Yao +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Jin Yao +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/1517223473-14750-1-git-send-email-yao.jin@linux.intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/ui/browsers/annotate.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/tools/perf/ui/browsers/annotate.c ++++ b/tools/perf/ui/browsers/annotate.c +@@ -319,6 +319,7 @@ static void annotate_browser__draw_curre + struct map_symbol *ms = ab->b.priv; + struct symbol *sym = ms->sym; + u8 pcnt_width = annotate_browser__pcnt_width(ab); ++ int width = 0; + + /* PLT symbols contain external offsets */ + if (strstr(sym->name, "@plt")) +@@ -365,13 +366,17 @@ static void annotate_browser__draw_curre + to = (u64)btarget->idx; + } + ++ if (ab->have_cycles) ++ width = IPC_WIDTH + CYCLES_WIDTH; ++ + ui_browser__set_color(browser, HE_COLORSET_JUMP_ARROWS); +- __ui_browser__line_arrow(browser, pcnt_width + 2 + ab->addr_width, ++ __ui_browser__line_arrow(browser, ++ pcnt_width + 2 + ab->addr_width + width, + from, to); + + if (is_fused(ab, cursor)) { + ui_browser__mark_fused(browser, +- pcnt_width + 3 + ab->addr_width, ++ pcnt_width + 3 + ab->addr_width + width, + from - 1, + to > from ? true : false); + } diff --git a/queue-4.16/perf-stat-fix-core-dump-when-flag-t-is-used.patch b/queue-4.16/perf-stat-fix-core-dump-when-flag-t-is-used.patch new file mode 100644 index 00000000000..d5830decd7b --- /dev/null +++ b/queue-4.16/perf-stat-fix-core-dump-when-flag-t-is-used.patch @@ -0,0 +1,116 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Thomas Richter +Date: Thu, 8 Mar 2018 15:57:35 +0100 +Subject: perf stat: Fix core dump when flag T is used + +From: Thomas Richter + +[ Upstream commit fca32340a5e8b896f57d41fd94b8b1701df25eb1 ] + +Executing command 'perf stat -T -- ls' dumps core on x86 and s390. + +Here is the call back chain (done on x86): + + # gdb ./perf + .... + (gdb) r stat -T -- ls +... +Program received signal SIGSEGV, Segmentation fault. +0x00007ffff56d1963 in vasprintf () from /lib64/libc.so.6 +(gdb) where + #0 0x00007ffff56d1963 in vasprintf () from /lib64/libc.so.6 + #1 0x00007ffff56ae484 in asprintf () from /lib64/libc.so.6 + #2 0x00000000004f1982 in __parse_events_add_pmu (parse_state=0x7fffffffd580, + list=0xbfb970, name=0xbf3ef0 "cpu", + head_config=0xbfb930, auto_merge_stats=false) at util/parse-events.c:1233 + #3 0x00000000004f1c8e in parse_events_add_pmu (parse_state=0x7fffffffd580, + list=0xbfb970, name=0xbf3ef0 "cpu", + head_config=0xbfb930) at util/parse-events.c:1288 + #4 0x0000000000537ce3 in parse_events_parse (_parse_state=0x7fffffffd580, + scanner=0xbf4210) at util/parse-events.y:234 + #5 0x00000000004f2c7a in parse_events__scanner (str=0x6b66c0 + "task-clock,{instructions,cycles,cpu/cycles-t/,cpu/tx-start/}", + parse_state=0x7fffffffd580, start_token=258) at util/parse-events.c:1673 + #6 0x00000000004f2e23 in parse_events (evlist=0xbe9990, str=0x6b66c0 + "task-clock,{instructions,cycles,cpu/cycles-t/,cpu/tx-start/}", err=0x0) + at util/parse-events.c:1713 + #7 0x000000000044e137 in add_default_attributes () at builtin-stat.c:2281 + #8 0x000000000044f7b5 in cmd_stat (argc=1, argv=0x7fffffffe3b0) at + builtin-stat.c:2828 + #9 0x00000000004c8b0f in run_builtin (p=0xab01a0 , argc=4, + argv=0x7fffffffe3b0) at perf.c:297 + #10 0x00000000004c8d7c in handle_internal_command (argc=4, + argv=0x7fffffffe3b0) at perf.c:349 + #11 0x00000000004c8ece in run_argv (argcp=0x7fffffffe20c, + argv=0x7fffffffe200) at perf.c:393 + #12 0x00000000004c929c in main (argc=4, argv=0x7fffffffe3b0) at perf.c:537 +(gdb) + +It turns out that a NULL pointer is referenced. Here are the +function calls: + + ... + cmd_stat() + +---> add_default_attributes() + +---> parse_events(evsel_list, transaction_attrs, NULL); + 3rd parameter set to NULL + +Function parse_events(xx, xx, struct parse_events_error *err) dives +into a bison generated scanner and creates +parser state information for it first: + + struct parse_events_state parse_state = { + .list = LIST_HEAD_INIT(parse_state.list), + .idx = evlist->nr_entries, + .error = err, <--- NULL POINTER !!! + .evlist = evlist, + }; + +Now various functions inside the bison scanner are called to end up in +__parse_events_add_pmu(struct parse_events_state *parse_state, ..) with +first parameter being a pointer to above structure definition. + +Now the PMU event name is not found (because being executed in a VM) and +this function tries to create an error message with + + asprintf(&parse_state->error.str, ....) + +which references a NULL pointer and dumps core. + +Fix this by providing a pointer to the necessary error information +instead of NULL. Technically only the else part is needed to avoid the +core dump, just lets be safe... + +Signed-off-by: Thomas Richter +Cc: Heiko Carstens +Cc: Hendrik Brueckner +Cc: Martin Schwidefsky +Link: http://lkml.kernel.org/r/20180308145735.64717-1-tmricht@linux.vnet.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/builtin-stat.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/tools/perf/builtin-stat.c ++++ b/tools/perf/builtin-stat.c +@@ -2274,11 +2274,16 @@ static int add_default_attributes(void) + return 0; + + if (transaction_run) { ++ struct parse_events_error errinfo; ++ + if (pmu_have_event("cpu", "cycles-ct") && + pmu_have_event("cpu", "el-start")) +- err = parse_events(evsel_list, transaction_attrs, NULL); ++ err = parse_events(evsel_list, transaction_attrs, ++ &errinfo); + else +- err = parse_events(evsel_list, transaction_limited_attrs, NULL); ++ err = parse_events(evsel_list, ++ transaction_limited_attrs, ++ &errinfo); + if (err) { + fprintf(stderr, "Cannot set up transaction events\n"); + return -1; diff --git a/queue-4.16/perf-test-fix-test-case-inet_pton-to-accept-inlines.patch b/queue-4.16/perf-test-fix-test-case-inet_pton-to-accept-inlines.patch new file mode 100644 index 00000000000..8aa152c537a --- /dev/null +++ b/queue-4.16/perf-test-fix-test-case-inet_pton-to-accept-inlines.patch @@ -0,0 +1,62 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Thomas Richter +Date: Wed, 14 Feb 2018 08:03:03 +0100 +Subject: perf test: Fix test case inet_pton to accept inlines. + +From: Thomas Richter + +[ Upstream commit 0f19a038afdc592176c9a302f0d08be6a68ad74a ] + +Using Fedora 27 and latest Linux kernel the test case +trace+probe_libc_inet_pton.sh fails again on s390. This time is the +inlining of functions which does not match. After an update of the +glibc (from 2.26-16 to 2.26-24) the output is different + +The expected output is: + + __inet_pton (/usr/lib64/libc-2.26.so) + gaih_inet (inlined) + .... + +The actual output is: + + 1 packets transmitted, 1 received, 0% packet loss, time 0ms + rtt min/avg/max/mdev = 0.061/0.061/0.061/0.000 ms + 0.000 probe_libc:inet_pton:(3ffb2140448)) + __inet_pton (inlined) + gaih_inet.constprop.7 (/usr/lib64/libc-2.26.so) + ... + +Fix this by being less strict on 'inlined' verses library name and +accept both + +Signed-off-by: Thomas Richter +Cc: Heiko Carstens +Cc: Hendrik Brueckner +Cc: Martin Schwidefsky +Link: http://lkml.kernel.org/r/20180214070303.55757-1-tmricht@linux.vnet.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/tests/shell/trace+probe_libc_inet_pton.sh | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/tools/perf/tests/shell/trace+probe_libc_inet_pton.sh ++++ b/tools/perf/tests/shell/trace+probe_libc_inet_pton.sh +@@ -21,12 +21,12 @@ trace_libc_inet_pton_backtrace() { + expected[3]=".*packets transmitted.*" + expected[4]="rtt min.*" + expected[5]="[0-9]+\.[0-9]+[[:space:]]+probe_libc:inet_pton:\([[:xdigit:]]+\)" +- expected[6]=".*inet_pton[[:space:]]\($libc\)$" ++ expected[6]=".*inet_pton[[:space:]]\($libc|inlined\)$" + case "$(uname -m)" in + s390x) + eventattr='call-graph=dwarf' +- expected[7]="gaih_inet[[:space:]]\(inlined\)$" +- expected[8]="__GI_getaddrinfo[[:space:]]\(inlined\)$" ++ expected[7]="gaih_inet.*[[:space:]]\($libc|inlined\)$" ++ expected[8]="__GI_getaddrinfo[[:space:]]\($libc|inlined\)$" + expected[9]="main[[:space:]]\(.*/bin/ping.*\)$" + expected[10]="__libc_start_main[[:space:]]\($libc\)$" + expected[11]="_start[[:space:]]\(.*/bin/ping.*\)$" diff --git a/queue-4.16/perf-tests-fix-dwarf-unwind-for-stripped-binaries.patch b/queue-4.16/perf-tests-fix-dwarf-unwind-for-stripped-binaries.patch new file mode 100644 index 00000000000..207fc2d83ea --- /dev/null +++ b/queue-4.16/perf-tests-fix-dwarf-unwind-for-stripped-binaries.patch @@ -0,0 +1,209 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Jiri Olsa +Date: Tue, 6 Feb 2018 19:18:12 +0100 +Subject: perf tests: Fix dwarf unwind for stripped binaries + +From: Jiri Olsa + +[ Upstream commit fdf7c49c200d1b9909e2204cec5bd68b48605c71 ] + +When we strip the perf binary, dwarf unwind test stop +to work. The reason is that strip will remove static +function symbols, which we need to check for unwind. + +This change will keep this test working in cases where +the global symbols are put into dynamic symbol table, +which is the case on x86. It still won't work on powerpc. + +Making those 5 local functions global, and adding +'test_dwarf_unwind__' to their names. + +Committer testing: + +Before: + + # perf test dwarf + 58: DWARF unwind : Ok + # strip ~/bin/perf + # perf test dwarf + 58: DWARF unwind : FAILED! + # perf test -v dwarf + 58: DWARF unwind : + --- start --- + test child forked, pid 6590 + unwind: thread map already set, dso=/home/acme/bin/perf + + unwind: access_mem addr 0x7ffce6c48098 val 48563f, offset 1144 + unwind: test__dwarf_unwind:ip = 0x4a54e5 (0xa54e5) + got: test__dwarf_unwind 0xa54e5, expecting test__dwarf_unwind + unwind: '':ip = 0x4a50bb (0xa50bb) + failed: got unresolved address 0xa50bb + unwind failed + test child finished with -1 + ---- end ---- + DWARF unwind: FAILED! + # + +After: + + # perf test dwarf + 58: DWARF unwind : Ok + # strip ~/bin/perf + # perf test dwarf + 58: DWARF unwind : Ok + # + # perf test -v dwarf + 58: DWARF unwind : + --- start --- + test child forked, pid 7219 + unwind: thread map already set, dso=/home/acme/bin/perf + + unwind: access_mem addr 0x7fff007da2c8 val 48575f, offset 1144 + unwind: test__arch_unwind_sample:ip = 0x589044 (0x189044) + got: test__arch_unwind_sample 0x189044, expecting test__arch_unwind_sample + unwind: test_dwarf_unwind__thread:ip = 0x4a52f7 (0xa52f7) + got: test_dwarf_unwind__thread 0xa52f7, expecting test_dwarf_unwind__thread + unwind: test_dwarf_unwind__compare:ip = 0x4a5468 (0xa5468) + got: test_dwarf_unwind__compare 0xa5468, expecting test_dwarf_unwind__compare + unwind: bsearch:ip = 0x7f6608ae94d8 (0x394d8) + got: bsearch 0x394d8, expecting bsearch + unwind: test_dwarf_unwind__krava_3:ip = 0x4a54d1 (0xa54d1) + got: test_dwarf_unwind__krava_3 0xa54d1, expecting test_dwarf_unwind__krava_3 + unwind: test_dwarf_unwind__krava_2:ip = 0x4a550b (0xa550b) + got: test_dwarf_unwind__krava_2 0xa550b, expecting test_dwarf_unwind__krava_2 + unwind: test_dwarf_unwind__krava_1:ip = 0x4a554b (0xa554b) + got: test_dwarf_unwind__krava_1 0xa554b, expecting test_dwarf_unwind__krava_1 + unwind: test__dwarf_unwind:ip = 0x4a5605 (0xa5605) + got: test__dwarf_unwind 0xa5605, expecting test__dwarf_unwind + test child finished with 0 + ---- end ---- + DWARF unwind: Ok + # + +Signed-off-by: Jiri Olsa +Tested-by: Arnaldo Carvalho de Melo +Cc: Alexander Shishkin +Cc: David Ahern +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/20180206181813.10943-17-jolsa@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/tests/dwarf-unwind.c | 46 ++++++++++++++++++++++++++-------------- + 1 file changed, 30 insertions(+), 16 deletions(-) + +--- a/tools/perf/tests/dwarf-unwind.c ++++ b/tools/perf/tests/dwarf-unwind.c +@@ -37,6 +37,19 @@ static int init_live_machine(struct mach + mmap_handler, machine, true, 500); + } + ++/* ++ * We need to keep these functions global, despite the ++ * fact that they are used only locally in this object, ++ * in order to keep them around even if the binary is ++ * stripped. If they are gone, the unwind check for ++ * symbol fails. ++ */ ++int test_dwarf_unwind__thread(struct thread *thread); ++int test_dwarf_unwind__compare(void *p1, void *p2); ++int test_dwarf_unwind__krava_3(struct thread *thread); ++int test_dwarf_unwind__krava_2(struct thread *thread); ++int test_dwarf_unwind__krava_1(struct thread *thread); ++ + #define MAX_STACK 8 + + static int unwind_entry(struct unwind_entry *entry, void *arg) +@@ -45,12 +58,12 @@ static int unwind_entry(struct unwind_en + char *symbol = entry->sym ? entry->sym->name : NULL; + static const char *funcs[MAX_STACK] = { + "test__arch_unwind_sample", +- "unwind_thread", +- "compare", ++ "test_dwarf_unwind__thread", ++ "test_dwarf_unwind__compare", + "bsearch", +- "krava_3", +- "krava_2", +- "krava_1", ++ "test_dwarf_unwind__krava_3", ++ "test_dwarf_unwind__krava_2", ++ "test_dwarf_unwind__krava_1", + "test__dwarf_unwind" + }; + /* +@@ -77,7 +90,7 @@ static int unwind_entry(struct unwind_en + return strcmp((const char *) symbol, funcs[idx]); + } + +-static noinline int unwind_thread(struct thread *thread) ++noinline int test_dwarf_unwind__thread(struct thread *thread) + { + struct perf_sample sample; + unsigned long cnt = 0; +@@ -108,7 +121,7 @@ static noinline int unwind_thread(struct + + static int global_unwind_retval = -INT_MAX; + +-static noinline int compare(void *p1, void *p2) ++noinline int test_dwarf_unwind__compare(void *p1, void *p2) + { + /* Any possible value should be 'thread' */ + struct thread *thread = *(struct thread **)p1; +@@ -117,17 +130,17 @@ static noinline int compare(void *p1, vo + /* Call unwinder twice for both callchain orders. */ + callchain_param.order = ORDER_CALLER; + +- global_unwind_retval = unwind_thread(thread); ++ global_unwind_retval = test_dwarf_unwind__thread(thread); + if (!global_unwind_retval) { + callchain_param.order = ORDER_CALLEE; +- global_unwind_retval = unwind_thread(thread); ++ global_unwind_retval = test_dwarf_unwind__thread(thread); + } + } + + return p1 - p2; + } + +-static noinline int krava_3(struct thread *thread) ++noinline int test_dwarf_unwind__krava_3(struct thread *thread) + { + struct thread *array[2] = {thread, thread}; + void *fp = &bsearch; +@@ -141,18 +154,19 @@ static noinline int krava_3(struct threa + size_t, int (*)(void *, void *)); + + _bsearch = fp; +- _bsearch(array, &thread, 2, sizeof(struct thread **), compare); ++ _bsearch(array, &thread, 2, sizeof(struct thread **), ++ test_dwarf_unwind__compare); + return global_unwind_retval; + } + +-static noinline int krava_2(struct thread *thread) ++noinline int test_dwarf_unwind__krava_2(struct thread *thread) + { +- return krava_3(thread); ++ return test_dwarf_unwind__krava_3(thread); + } + +-static noinline int krava_1(struct thread *thread) ++noinline int test_dwarf_unwind__krava_1(struct thread *thread) + { +- return krava_2(thread); ++ return test_dwarf_unwind__krava_2(thread); + } + + int test__dwarf_unwind(struct test *test __maybe_unused, int subtest __maybe_unused) +@@ -189,7 +203,7 @@ int test__dwarf_unwind(struct test *test + goto out; + } + +- err = krava_1(thread); ++ err = test_dwarf_unwind__krava_1(thread); + thread__put(thread); + + out: diff --git a/queue-4.16/perf-tests-use-arch__compare_symbol_names-to-compare-symbols.patch b/queue-4.16/perf-tests-use-arch__compare_symbol_names-to-compare-symbols.patch new file mode 100644 index 00000000000..5b863d4cdd4 --- /dev/null +++ b/queue-4.16/perf-tests-use-arch__compare_symbol_names-to-compare-symbols.patch @@ -0,0 +1,57 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Jiri Olsa +Date: Thu, 15 Feb 2018 13:26:35 +0100 +Subject: perf tests: Use arch__compare_symbol_names to compare symbols + +From: Jiri Olsa + +[ Upstream commit ab6e9a99345131cd8e54268d1d0dc04a33f7ed11 ] + +The symbol search called by machine__find_kernel_symbol_by_name is using +internally arch__compare_symbol_names function to compare 2 symbol +names, because different archs have different ways of comparing symbols. +Mostly for skipping '.' prefixes and similar. + +In test 1 when we try to find matching symbols in kallsyms and vmlinux, +by address and by symbol name. When either is found we compare the pair +symbol names by simple strcmp, which is not good enough for reasons +explained in previous paragraph. + +On powerpc this can cause lockup, because even thought we found the +pair, the compared names are different and don't match simple strcmp. +Following code path is executed, that leads to lockup: + + - we find the pair in kallsyms by sym->start +next_pair: + - we compare the names and it fails + - we find the pair by sym->name + - the pair addresses match so we call goto next_pair + because we assume the names match in this case + +Signed-off-by: Jiri Olsa +Tested-by: Naveen N. Rao +Acked-by: Naveen N. Rao +Cc: Alexander Shishkin +Cc: David Ahern +Cc: Namhyung Kim +Cc: Peter Zijlstra +Fixes: 031b84c407c3 ("perf probe ppc: Enable matching against dot symbols automatically") +Link: http://lkml.kernel.org/r/20180215122635.24029-10-jolsa@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/tests/vmlinux-kallsyms.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/perf/tests/vmlinux-kallsyms.c ++++ b/tools/perf/tests/vmlinux-kallsyms.c +@@ -125,7 +125,7 @@ int test__vmlinux_matches_kallsyms(struc + + if (pair && UM(pair->start) == mem_start) { + next_pair: +- if (strcmp(sym->name, pair->name) == 0) { ++ if (arch__compare_symbol_names(sym->name, pair->name) == 0) { + /* + * kallsyms don't have the symbol end, so we + * set that by using the next symbol start - 1, diff --git a/queue-4.16/perf-tools-fix-perf-builds-with-clang-support.patch b/queue-4.16/perf-tools-fix-perf-builds-with-clang-support.patch new file mode 100644 index 00000000000..79913a23885 --- /dev/null +++ b/queue-4.16/perf-tools-fix-perf-builds-with-clang-support.patch @@ -0,0 +1,38 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Sandipan Das +Date: Wed, 4 Apr 2018 23:34:17 +0530 +Subject: perf tools: Fix perf builds with clang support + +From: Sandipan Das + +[ Upstream commit c2fb54a183cfe77c6fdc9d71e2d5299c1c302a6e ] + +For libclang, some distro packages provide static libraries (.a) while +some provide shared libraries (.so). Currently, perf code can only be +linked with static libraries. This makes perf build possible for both +cases. + +Signed-off-by: Sandipan Das +Cc: Jiri Olsa +Cc: Naveen N. Rao +Fixes: d58ac0bf8d1e ("perf build: Add clang and llvm compile and linking support") +Link: http://lkml.kernel.org/r/20180404180419.19056-1-sandipan@linux.vnet.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/Makefile.perf | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/tools/perf/Makefile.perf ++++ b/tools/perf/Makefile.perf +@@ -364,7 +364,8 @@ LIBS = -Wl,--whole-archive $(PERFLIBS) $ + + ifeq ($(USE_CLANG), 1) + CLANGLIBS_LIST = AST Basic CodeGen Driver Frontend Lex Tooling Edit Sema Analysis Parse Serialization +- LIBCLANG = $(foreach l,$(CLANGLIBS_LIST),$(wildcard $(shell $(LLVM_CONFIG) --libdir)/libclang$(l).a)) ++ CLANGLIBS_NOEXT_LIST = $(foreach l,$(CLANGLIBS_LIST),$(shell $(LLVM_CONFIG) --libdir)/libclang$(l)) ++ LIBCLANG = $(foreach l,$(CLANGLIBS_NOEXT_LIST),$(wildcard $(l).a $(l).so)) + LIBS += -Wl,--start-group $(LIBCLANG) -Wl,--end-group + endif + diff --git a/queue-4.16/perf-top-fix-top.call-graph-config-option-reading.patch b/queue-4.16/perf-top-fix-top.call-graph-config-option-reading.patch new file mode 100644 index 00000000000..1d0750d3366 --- /dev/null +++ b/queue-4.16/perf-top-fix-top.call-graph-config-option-reading.patch @@ -0,0 +1,51 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Yisheng Xie +Date: Mon, 12 Mar 2018 19:25:56 +0800 +Subject: perf top: Fix top.call-graph config option reading + +From: Yisheng Xie + +[ Upstream commit a3a4a3b37c9b911af4c375b2475cea0fd2b84d38 ] + +When trying to add the "call-graph" variable for top into the +.perfconfig file, like: + + [top] + call-graph = fp + +I that perf_top_config() do not parse this variable. + +Fix it by calling perf_default_config() when the top.call-graph variable +is set. + +Signed-off-by: Yisheng Xie +Tested-by: Arnaldo Carvalho de Melo +Cc: Alexander Shishkin +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Wang Nan +Fixes: b8cbb349061e ("perf config: Bring perf_default_config to the very beginning at main()") +Link: http://lkml.kernel.org/r/1520853957-36106-1-git-send-email-xieyisheng1@huawei.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/builtin-top.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/tools/perf/builtin-top.c ++++ b/tools/perf/builtin-top.c +@@ -1224,8 +1224,10 @@ parse_callchain_opt(const struct option + + static int perf_top_config(const char *var, const char *value, void *cb __maybe_unused) + { +- if (!strcmp(var, "top.call-graph")) +- var = "call-graph.record-mode"; /* fall-through */ ++ if (!strcmp(var, "top.call-graph")) { ++ var = "call-graph.record-mode"; ++ return perf_default_config(var, value, cb); ++ } + if (!strcmp(var, "top.children")) { + symbol_conf.cumulate_callchain = perf_config_bool(var, value); + return 0; diff --git a/queue-4.16/perf-x86-intel-fix-event-update-for-auto-reload.patch b/queue-4.16/perf-x86-intel-fix-event-update-for-auto-reload.patch new file mode 100644 index 00000000000..ed8f10542e0 --- /dev/null +++ b/queue-4.16/perf-x86-intel-fix-event-update-for-auto-reload.patch @@ -0,0 +1,238 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Kan Liang +Date: Mon, 12 Feb 2018 14:20:31 -0800 +Subject: perf/x86/intel: Fix event update for auto-reload + +From: Kan Liang + +[ Upstream commit d31fc13fdcb20e1c317f9a7dd6273c18fbd58308 ] + +There is a bug when reading event->count with large PEBS enabled. + +Here is an example: + + # ./read_count + 0x71f0 + 0x122c0 + 0x1000000001c54 + 0x100000001257d + 0x200000000bdc5 + +In fixed period mode, the auto-reload mechanism could be enabled for +PEBS events, but the calculation of event->count does not take the +auto-reload values into account. + +Anyone who reads event->count will get the wrong result, e.g x86_pmu_read(). + +This bug was introduced with the auto-reload mechanism enabled since +commit: + + 851559e35fd5 ("perf/x86/intel: Use the PEBS auto reload mechanism when possible") + +Introduce intel_pmu_save_and_restart_reload() to calculate the +event->count only for auto-reload. + +Since the counter increments a negative counter value and overflows on +the sign switch, giving the interval: + + [-period, 0] + +the difference between two consequtive reads is: + + A) value2 - value1; + when no overflows have happened in between, + B) (0 - value1) + (value2 - (-period)); + when one overflow happened in between, + C) (0 - value1) + (n - 1) * (period) + (value2 - (-period)); + when @n overflows happened in between. + +Here A) is the obvious difference, B) is the extension to the discrete +interval, where the first term is to the top of the interval and the +second term is from the bottom of the next interval and C) the extension +to multiple intervals, where the middle term is the whole intervals +covered. + +The equation for all cases is: + + value2 - value1 + n * period + +Previously the event->count is updated right before the sample output. +But for case A, there is no PEBS record ready. It needs to be specially +handled. + +Remove the auto-reload code from x86_perf_event_set_period() since +we'll not longer call that function in this case. + +Based-on-code-from: Peter Zijlstra (Intel) +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Cc: acme@kernel.org +Fixes: 851559e35fd5 ("perf/x86/intel: Use the PEBS auto reload mechanism when possible") +Link: http://lkml.kernel.org/r/1518474035-21006-2-git-send-email-kan.liang@linux.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/core.c | 15 ++----- + arch/x86/events/intel/ds.c | 92 +++++++++++++++++++++++++++++++++++++++++++-- + 2 files changed, 94 insertions(+), 13 deletions(-) + +--- a/arch/x86/events/core.c ++++ b/arch/x86/events/core.c +@@ -1156,16 +1156,13 @@ int x86_perf_event_set_period(struct per + + per_cpu(pmc_prev_left[idx], smp_processor_id()) = left; + +- if (!(hwc->flags & PERF_X86_EVENT_AUTO_RELOAD) || +- local64_read(&hwc->prev_count) != (u64)-left) { +- /* +- * The hw event starts counting from this event offset, +- * mark it to be able to extra future deltas: +- */ +- local64_set(&hwc->prev_count, (u64)-left); ++ /* ++ * The hw event starts counting from this event offset, ++ * mark it to be able to extra future deltas: ++ */ ++ local64_set(&hwc->prev_count, (u64)-left); + +- wrmsrl(hwc->event_base, (u64)(-left) & x86_pmu.cntval_mask); +- } ++ wrmsrl(hwc->event_base, (u64)(-left) & x86_pmu.cntval_mask); + + /* + * Due to erratum on certan cpu we need +--- a/arch/x86/events/intel/ds.c ++++ b/arch/x86/events/intel/ds.c +@@ -1315,17 +1315,84 @@ get_next_pebs_record_by_bit(void *base, + return NULL; + } + ++/* ++ * Special variant of intel_pmu_save_and_restart() for auto-reload. ++ */ ++static int ++intel_pmu_save_and_restart_reload(struct perf_event *event, int count) ++{ ++ struct hw_perf_event *hwc = &event->hw; ++ int shift = 64 - x86_pmu.cntval_bits; ++ u64 period = hwc->sample_period; ++ u64 prev_raw_count, new_raw_count; ++ s64 new, old; ++ ++ WARN_ON(!period); ++ ++ /* ++ * drain_pebs() only happens when the PMU is disabled. ++ */ ++ WARN_ON(this_cpu_read(cpu_hw_events.enabled)); ++ ++ prev_raw_count = local64_read(&hwc->prev_count); ++ rdpmcl(hwc->event_base_rdpmc, new_raw_count); ++ local64_set(&hwc->prev_count, new_raw_count); ++ ++ /* ++ * Since the counter increments a negative counter value and ++ * overflows on the sign switch, giving the interval: ++ * ++ * [-period, 0] ++ * ++ * the difference between two consequtive reads is: ++ * ++ * A) value2 - value1; ++ * when no overflows have happened in between, ++ * ++ * B) (0 - value1) + (value2 - (-period)); ++ * when one overflow happened in between, ++ * ++ * C) (0 - value1) + (n - 1) * (period) + (value2 - (-period)); ++ * when @n overflows happened in between. ++ * ++ * Here A) is the obvious difference, B) is the extension to the ++ * discrete interval, where the first term is to the top of the ++ * interval and the second term is from the bottom of the next ++ * interval and C) the extension to multiple intervals, where the ++ * middle term is the whole intervals covered. ++ * ++ * An equivalent of C, by reduction, is: ++ * ++ * value2 - value1 + n * period ++ */ ++ new = ((s64)(new_raw_count << shift) >> shift); ++ old = ((s64)(prev_raw_count << shift) >> shift); ++ local64_add(new - old + count * period, &event->count); ++ ++ perf_event_update_userpage(event); ++ ++ return 0; ++} ++ + static void __intel_pmu_pebs_event(struct perf_event *event, + struct pt_regs *iregs, + void *base, void *top, + int bit, int count) + { ++ struct hw_perf_event *hwc = &event->hw; + struct perf_sample_data data; + struct pt_regs regs; + void *at = get_next_pebs_record_by_bit(base, top, bit); + +- if (!intel_pmu_save_and_restart(event) && +- !(event->hw.flags & PERF_X86_EVENT_AUTO_RELOAD)) ++ if (hwc->flags & PERF_X86_EVENT_AUTO_RELOAD) { ++ /* ++ * Now, auto-reload is only enabled in fixed period mode. ++ * The reload value is always hwc->sample_period. ++ * May need to change it, if auto-reload is enabled in ++ * freq mode later. ++ */ ++ intel_pmu_save_and_restart_reload(event, count); ++ } else if (!intel_pmu_save_and_restart(event)) + return; + + while (count > 1) { +@@ -1377,8 +1444,11 @@ static void intel_pmu_drain_pebs_core(st + return; + + n = top - at; +- if (n <= 0) ++ if (n <= 0) { ++ if (event->hw.flags & PERF_X86_EVENT_AUTO_RELOAD) ++ intel_pmu_save_and_restart_reload(event, 0); + return; ++ } + + __intel_pmu_pebs_event(event, iregs, at, top, 0, n); + } +@@ -1401,8 +1471,22 @@ static void intel_pmu_drain_pebs_nhm(str + + ds->pebs_index = ds->pebs_buffer_base; + +- if (unlikely(base >= top)) ++ if (unlikely(base >= top)) { ++ /* ++ * The drain_pebs() could be called twice in a short period ++ * for auto-reload event in pmu::read(). There are no ++ * overflows have happened in between. ++ * It needs to call intel_pmu_save_and_restart_reload() to ++ * update the event->count for this case. ++ */ ++ for_each_set_bit(bit, (unsigned long *)&cpuc->pebs_enabled, ++ x86_pmu.max_pebs_events) { ++ event = cpuc->events[bit]; ++ if (event->hw.flags & PERF_X86_EVENT_AUTO_RELOAD) ++ intel_pmu_save_and_restart_reload(event, 0); ++ } + return; ++ } + + for (at = base; at < top; at += x86_pmu.pebs_record_size) { + struct pebs_record_nhm *p = at; diff --git a/queue-4.16/perf-x86-intel-fix-large-period-handling-on-broadwell-cpus.patch b/queue-4.16/perf-x86-intel-fix-large-period-handling-on-broadwell-cpus.patch new file mode 100644 index 00000000000..dfd78fd3ea6 --- /dev/null +++ b/queue-4.16/perf-x86-intel-fix-large-period-handling-on-broadwell-cpus.patch @@ -0,0 +1,74 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Kan Liang +Date: Thu, 1 Mar 2018 12:54:54 -0500 +Subject: perf/x86/intel: Fix large period handling on Broadwell CPUs + +From: Kan Liang + +[ Upstream commit f605cfca8c39ffa2b98c06d2b9f30ba64f1e54e3 ] + +Large fixed period values could be truncated on Broadwell, for example: + + perf record -e cycles -c 10000000000 + +Here the fixed period is 0x2540BE400, but the period which finally applied is +0x540BE400 - which is wrong. + +The reason is that x86_pmu::limit_period() uses an u32 parameter, so the +high 32 bits of 'period' get truncated. + +This bug was introduced in: + + commit 294fe0f52a44 ("perf/x86/intel: Add INST_RETIRED.ALL workarounds") + +It's safe to use u64 instead of u32: + + - Although the 'left' is s64, the value of 'left' must be positive when + calling limit_period(). + + - bdw_limit_period() only modifies the lowest 6 bits, it doesn't touch + the higher 32 bits. + +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Fixes: 294fe0f52a44 ("perf/x86/intel: Add INST_RETIRED.ALL workarounds") +Link: http://lkml.kernel.org/r/1519926894-3520-1-git-send-email-kan.liang@linux.intel.com +[ Rewrote unacceptably bad changelog. ] +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/intel/core.c | 2 +- + arch/x86/events/perf_event.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/events/intel/core.c ++++ b/arch/x86/events/intel/core.c +@@ -3196,7 +3196,7 @@ glp_get_event_constraints(struct cpu_hw_ + * Therefore the effective (average) period matches the requested period, + * despite coarser hardware granularity. + */ +-static unsigned bdw_limit_period(struct perf_event *event, unsigned left) ++static u64 bdw_limit_period(struct perf_event *event, u64 left) + { + if ((event->hw.config & INTEL_ARCH_EVENT_MASK) == + X86_CONFIG(.event=0xc0, .umask=0x01)) { +--- a/arch/x86/events/perf_event.h ++++ b/arch/x86/events/perf_event.h +@@ -557,7 +557,7 @@ struct x86_pmu { + struct x86_pmu_quirk *quirks; + int perfctr_second_write; + bool late_ack; +- unsigned (*limit_period)(struct perf_event *event, unsigned l); ++ u64 (*limit_period)(struct perf_event *event, u64 l); + + /* + * sysfs attrs diff --git a/queue-4.16/perf-x86-intel-properly-save-restore-the-pmu-state-in-the-nmi-handler.patch b/queue-4.16/perf-x86-intel-properly-save-restore-the-pmu-state-in-the-nmi-handler.patch new file mode 100644 index 00000000000..bee616629be --- /dev/null +++ b/queue-4.16/perf-x86-intel-properly-save-restore-the-pmu-state-in-the-nmi-handler.patch @@ -0,0 +1,74 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Kan Liang +Date: Tue, 20 Feb 2018 02:11:50 -0800 +Subject: perf/x86/intel: Properly save/restore the PMU state in the NMI handler + +From: Kan Liang + +[ Upstream commit 82d71ed0277efc45360828af8c4e4d40e1b45352 ] + +The PMU is disabled in intel_pmu_handle_irq(), but cpuc->enabled is not updated +accordingly. + +This is fine in current usage because no-one checks it - but fix it +for future code: for example, the drain_pebs() will be modified to +fix an auto-reload bug. + +Properly save/restore the old PMU state. + +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Cc: acme@kernel.org +Cc: kernel test robot +Link: http://lkml.kernel.org/r/6f44ee84-56f8-79f1-559b-08e371eaeb78@linux.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/intel/core.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/arch/x86/events/intel/core.c ++++ b/arch/x86/events/intel/core.c +@@ -2201,16 +2201,23 @@ static int intel_pmu_handle_irq(struct p + int bit, loops; + u64 status; + int handled; ++ int pmu_enabled; + + cpuc = this_cpu_ptr(&cpu_hw_events); + + /* ++ * Save the PMU state. ++ * It needs to be restored when leaving the handler. ++ */ ++ pmu_enabled = cpuc->enabled; ++ /* + * No known reason to not always do late ACK, + * but just in case do it opt-in. + */ + if (!x86_pmu.late_ack) + apic_write(APIC_LVTPC, APIC_DM_NMI); + intel_bts_disable_local(); ++ cpuc->enabled = 0; + __intel_pmu_disable_all(); + handled = intel_pmu_drain_bts_buffer(); + handled += intel_bts_interrupt(); +@@ -2320,7 +2327,8 @@ again: + + done: + /* Only restore PMU state when it's active. See x86_pmu_disable(). */ +- if (cpuc->enabled) ++ cpuc->enabled = pmu_enabled; ++ if (pmu_enabled) + __intel_pmu_enable_all(0, true); + intel_bts_enable_local(); + diff --git a/queue-4.16/phy-qcom-qmp-fix-phy-pipe-clock-gating.patch b/queue-4.16/phy-qcom-qmp-fix-phy-pipe-clock-gating.patch new file mode 100644 index 00000000000..43ac4a04a95 --- /dev/null +++ b/queue-4.16/phy-qcom-qmp-fix-phy-pipe-clock-gating.patch @@ -0,0 +1,72 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Vivek Gautam +Date: Tue, 16 Jan 2018 16:26:56 +0530 +Subject: phy: qcom-qmp: Fix phy pipe clock gating + +From: Vivek Gautam + +[ Upstream commit f8ba22a39e985c93e278709b1d5f20857a26b49b ] + +Pipe clock comes out of the phy and is available as long as +the phy is turned on. Clock controller fails to gate this +clock after the phy is turned off and generates a warning. + +/ # [ 33.048561] gcc_usb3_phy_pipe_clk status stuck at 'on' +[ 33.048585] ------------[ cut here ]------------ +[ 33.052621] WARNING: CPU: 1 PID: 18 at ../drivers/clk/qcom/clk-branch.c:97 clk_branch_wait+0xf0/0x108 +[ 33.057384] Modules linked in: +[ 33.066497] CPU: 1 PID: 18 Comm: kworker/1:0 Tainted: G W 4.12.0-rc7-00024-gfe926e34c36d-dirty #96 +[ 33.069451] Hardware name: Qualcomm Technologies, Inc. DB820c (DT) +... +[ 33.278565] [] clk_branch_wait+0xf0/0x108 +[ 33.286375] [] clk_branch2_disable+0x28/0x34 +[ 33.291761] [] clk_core_disable+0x5c/0x88 +[ 33.297660] [] clk_core_disable_lock+0x20/0x34 +[ 33.303129] [] clk_disable+0x1c/0x24 +[ 33.309384] [] qcom_qmp_phy_poweroff+0x20/0x48 +[ 33.314328] [] phy_power_off+0x80/0xdc +[ 33.320492] [] dwc3_core_exit+0x94/0xa0 +[ 33.325784] [] dwc3_suspend_common+0x50/0x60 +[ 33.331080] [] dwc3_runtime_suspend+0x48/0x6c +[ 33.336810] [] pm_generic_runtime_suspend+0x28/0x38 +[ 33.342627] [] __rpm_callback+0x150/0x254 +[ 33.349222] [] rpm_callback+0x24/0x78 +[ 33.354604] [] rpm_suspend+0xe0/0x4e4 +[ 33.359813] [] pm_runtime_work+0xdc/0xf0 +[ 33.365028] [] process_one_work+0x12c/0x28c +[ 33.370576] [] worker_thread+0x58/0x3b8 +[ 33.376393] [] kthread+0x100/0x12c +[ 33.381776] [] ret_from_fork+0x10/0x50 + +Fix this by disabling it as the first thing in phy_exit(). + +Fixes: e78f3d15e115 ("phy: qcom-qmp: new qmp phy driver for qcom-chipsets") +Signed-off-by: Vivek Gautam +Signed-off-by: Manu Gautam +Signed-off-by: Kishon Vijay Abraham I +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/phy/qualcomm/phy-qcom-qmp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/phy/qualcomm/phy-qcom-qmp.c ++++ b/drivers/phy/qualcomm/phy-qcom-qmp.c +@@ -751,8 +751,6 @@ static int qcom_qmp_phy_poweroff(struct + struct qmp_phy *qphy = phy_get_drvdata(phy); + struct qcom_qmp *qmp = qphy->qmp; + +- clk_disable_unprepare(qphy->pipe_clk); +- + regulator_bulk_disable(qmp->cfg->num_vregs, qmp->vregs); + + return 0; +@@ -936,6 +934,8 @@ static int qcom_qmp_phy_exit(struct phy + const struct qmp_phy_cfg *cfg = qmp->cfg; + int i = cfg->num_clks; + ++ clk_disable_unprepare(qphy->pipe_clk); ++ + /* PHY reset */ + qphy_setbits(qphy->pcs, cfg->regs[QPHY_SW_RESET], SW_RESET); + diff --git a/queue-4.16/phy-rockchip-emmc-retry-calpad-busy-trimming.patch b/queue-4.16/phy-rockchip-emmc-retry-calpad-busy-trimming.patch new file mode 100644 index 00000000000..8163e7c06dd --- /dev/null +++ b/queue-4.16/phy-rockchip-emmc-retry-calpad-busy-trimming.patch @@ -0,0 +1,74 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Shawn Lin +Date: Thu, 11 Jan 2018 10:40:26 +0800 +Subject: phy: rockchip-emmc: retry calpad busy trimming + +From: Shawn Lin + +[ Upstream commit a4781c2a74b249cad814ceea7272997bbd20051e ] + +It turns out that 5us isn't enough for all cases, so let's +retry some more times to wait for caldone. + +Signed-off-by: Shawn Lin +Tested-by: Ziyuan Xu +Signed-off-by: Caesar Wang +Reviewed-by: Douglas Anderson +Signed-off-by: Kishon Vijay Abraham I +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/phy/rockchip/phy-rockchip-emmc.c | 27 +++++++++++++++++---------- + 1 file changed, 17 insertions(+), 10 deletions(-) + +--- a/drivers/phy/rockchip/phy-rockchip-emmc.c ++++ b/drivers/phy/rockchip/phy-rockchip-emmc.c +@@ -76,6 +76,10 @@ + #define PHYCTRL_OTAPDLYSEL_MASK 0xf + #define PHYCTRL_OTAPDLYSEL_SHIFT 0x7 + ++#define PHYCTRL_IS_CALDONE(x) \ ++ ((((x) >> PHYCTRL_CALDONE_SHIFT) & \ ++ PHYCTRL_CALDONE_MASK) == PHYCTRL_CALDONE_DONE) ++ + struct rockchip_emmc_phy { + unsigned int reg_offset; + struct regmap *reg_base; +@@ -90,6 +94,7 @@ static int rockchip_emmc_phy_power(struc + unsigned int freqsel = PHYCTRL_FREQSEL_200M; + unsigned long rate; + unsigned long timeout; ++ int ret; + + /* + * Keep phyctrl_pdb and phyctrl_endll low to allow +@@ -160,17 +165,19 @@ static int rockchip_emmc_phy_power(struc + PHYCTRL_PDB_SHIFT)); + + /* +- * According to the user manual, it asks driver to +- * wait 5us for calpad busy trimming ++ * According to the user manual, it asks driver to wait 5us for ++ * calpad busy trimming. However it is documented that this value is ++ * PVT(A.K.A process,voltage and temperature) relevant, so some ++ * failure cases are found which indicates we should be more tolerant ++ * to calpad busy trimming. + */ +- udelay(5); +- regmap_read(rk_phy->reg_base, +- rk_phy->reg_offset + GRF_EMMCPHY_STATUS, +- &caldone); +- caldone = (caldone >> PHYCTRL_CALDONE_SHIFT) & PHYCTRL_CALDONE_MASK; +- if (caldone != PHYCTRL_CALDONE_DONE) { +- pr_err("rockchip_emmc_phy_power: caldone timeout.\n"); +- return -ETIMEDOUT; ++ ret = regmap_read_poll_timeout(rk_phy->reg_base, ++ rk_phy->reg_offset + GRF_EMMCPHY_STATUS, ++ caldone, PHYCTRL_IS_CALDONE(caldone), ++ 0, 50); ++ if (ret) { ++ pr_err("%s: caldone failed, ret=%d\n", __func__, ret); ++ return ret; + } + + /* Set the frequency of the DLL operation */ diff --git a/queue-4.16/pinctrl-artpec6-dt-add-missing-pin-group-uart5nocts.patch b/queue-4.16/pinctrl-artpec6-dt-add-missing-pin-group-uart5nocts.patch new file mode 100644 index 00000000000..dbb1732e38c --- /dev/null +++ b/queue-4.16/pinctrl-artpec6-dt-add-missing-pin-group-uart5nocts.patch @@ -0,0 +1,43 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Niklas Cassel +Date: Thu, 22 Feb 2018 16:22:46 +0100 +Subject: pinctrl: artpec6: dt: add missing pin group uart5nocts + +From: Niklas Cassel + +[ Upstream commit 7e065fb9ccce89fe667fdbd9a177eaec59a359fc ] + +Add missing pin group uart5nocts (all pins except cts), which has been +supported by the artpec6 pinctrl driver since its initial submission. + +Fixes: 00df0582eab1 ("pinctrl: Add pincontrol driver for ARTPEC-6 SoC") +Signed-off-by: Niklas Cassel +Reviewed-by: Rob Herring +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/pinctrl/axis,artpec6-pinctrl.txt | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/Documentation/devicetree/bindings/pinctrl/axis,artpec6-pinctrl.txt ++++ b/Documentation/devicetree/bindings/pinctrl/axis,artpec6-pinctrl.txt +@@ -20,7 +20,8 @@ Required subnode-properties: + gpio: cpuclkoutgrp0, udlclkoutgrp0, i2c1grp0, i2c2grp0, + i2c3grp0, i2s0grp0, i2s1grp0, i2srefclkgrp0, spi0grp0, + spi1grp0, pciedebuggrp0, uart0grp0, uart0grp1, uart1grp0, +- uart2grp0, uart2grp1, uart3grp0, uart4grp0, uart5grp0 ++ uart2grp0, uart2grp1, uart3grp0, uart4grp0, uart5grp0, ++ uart5nocts + cpuclkout: cpuclkoutgrp0 + udlclkout: udlclkoutgrp0 + i2c1: i2c1grp0 +@@ -37,7 +38,7 @@ Required subnode-properties: + uart2: uart2grp0, uart2grp1 + uart3: uart3grp0 + uart4: uart4grp0 +- uart5: uart5grp0 ++ uart5: uart5grp0, uart5nocts + nand: nandgrp0 + sdio0: sdio0grp0 + sdio1: sdio1grp0 diff --git a/queue-4.16/pinctrl-devicetree-fix-dt_to_map_one_config-handling-of-hogs.patch b/queue-4.16/pinctrl-devicetree-fix-dt_to_map_one_config-handling-of-hogs.patch new file mode 100644 index 00000000000..42dd92df317 --- /dev/null +++ b/queue-4.16/pinctrl-devicetree-fix-dt_to_map_one_config-handling-of-hogs.patch @@ -0,0 +1,52 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Richard Fitzgerald +Date: Wed, 28 Feb 2018 15:53:06 +0000 +Subject: pinctrl: devicetree: Fix dt_to_map_one_config handling of hogs + +From: Richard Fitzgerald + +[ Upstream commit b89405b6102fcc3746f43697b826028caa94c823 ] + +When dt_to_map_one_config() is called with a pinctrl_dev passed +in, it should only be using this if the node being looked up +is a hog. The code was always using the passed pinctrl_dev +without checking whether the dt node referred to it. + +A pin controller can have pinctrl-n dependencies on other pin +controllers in these cases: + +- the pin controller hardware is external, for example I2C, so + needs other pin controller(s) to be setup to communicate with + the hardware device. + +- it is a child of a composite MFD so its of_node is shared with + the parent MFD and other children of that MFD. Any part of that + MFD could have dependencies on other pin controllers. + +Because of this, dt_to_map_one_config() can't assume that if it +has a pinctrl_dev passed in then the node it looks up must be +a hog. It could be a reference to some other pin controller. + +Signed-off-by: Richard Fitzgerald +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/devicetree.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/pinctrl/devicetree.c ++++ b/drivers/pinctrl/devicetree.c +@@ -122,8 +122,10 @@ static int dt_to_map_one_config(struct p + /* OK let's just assume this will appear later then */ + return -EPROBE_DEFER; + } +- if (!pctldev) +- pctldev = get_pinctrl_dev_from_of_node(np_pctldev); ++ /* If we're creating a hog we can use the passed pctldev */ ++ if (pctldev && (np_pctldev == p->dev->of_node)) ++ break; ++ pctldev = get_pinctrl_dev_from_of_node(np_pctldev); + if (pctldev) + break; + /* Do not defer probing of hogs (circular loop) */ diff --git a/queue-4.16/pinctrl-mcp23s08-spi-fix-regmap-debugfs-entries.patch b/queue-4.16/pinctrl-mcp23s08-spi-fix-regmap-debugfs-entries.patch new file mode 100644 index 00000000000..99e0a202c11 --- /dev/null +++ b/queue-4.16/pinctrl-mcp23s08-spi-fix-regmap-debugfs-entries.patch @@ -0,0 +1,92 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: "Jan Kundrát" +Date: Thu, 25 Jan 2018 18:29:15 +0100 +Subject: pinctrl: mcp23s08: spi: Fix regmap debugfs entries + +From: "Jan Kundrát" + +[ Upstream commit 9b3e4207661e67f04c72af15e29f74cd944f5964 ] + +The SPI version of this chip allows several devices to be present on the +same SPI bus via a local address. If this is in action and if the kernel +has debugfs, however, the code attempts to create duplicate entries for +the regmap's debugfs: + + mcp23s08 spi1.1: Failed to create debugfs directory + +This patch simply assigns a local name matching the device logical +address to the `struct regmap_config`. + +No changes are needed for MCP23S18 because that device does not support +any logical addressing. Similarly, I2C devices do not need any action, +either, because they are already different in their I2C address. + +A similar problem is present for the pinctrl debugfs instance, but that +one is not addressed by this patch. + +Signed-off-by: Jan Kundrát +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/pinctrl-mcp23s08.c | 37 ++++++++++++++++++++++++++----------- + 1 file changed, 26 insertions(+), 11 deletions(-) + +--- a/drivers/pinctrl/pinctrl-mcp23s08.c ++++ b/drivers/pinctrl/pinctrl-mcp23s08.c +@@ -771,6 +771,7 @@ static int mcp23s08_probe_one(struct mcp + { + int status, ret; + bool mirror = false; ++ struct regmap_config *one_regmap_config = NULL; + + mutex_init(&mcp->lock); + +@@ -791,22 +792,36 @@ static int mcp23s08_probe_one(struct mcp + switch (type) { + #ifdef CONFIG_SPI_MASTER + case MCP_TYPE_S08: +- mcp->regmap = devm_regmap_init(dev, &mcp23sxx_spi_regmap, mcp, +- &mcp23x08_regmap); +- mcp->reg_shift = 0; +- mcp->chip.ngpio = 8; +- mcp->chip.label = "mcp23s08"; +- break; +- + case MCP_TYPE_S17: ++ switch (type) { ++ case MCP_TYPE_S08: ++ one_regmap_config = ++ devm_kmemdup(dev, &mcp23x08_regmap, ++ sizeof(struct regmap_config), GFP_KERNEL); ++ mcp->reg_shift = 0; ++ mcp->chip.ngpio = 8; ++ mcp->chip.label = "mcp23s08"; ++ break; ++ case MCP_TYPE_S17: ++ one_regmap_config = ++ devm_kmemdup(dev, &mcp23x17_regmap, ++ sizeof(struct regmap_config), GFP_KERNEL); ++ mcp->reg_shift = 1; ++ mcp->chip.ngpio = 16; ++ mcp->chip.label = "mcp23s17"; ++ break; ++ } ++ if (!one_regmap_config) ++ return -ENOMEM; ++ ++ one_regmap_config->name = devm_kasprintf(dev, GFP_KERNEL, "%d", (addr & ~0x40) >> 1); + mcp->regmap = devm_regmap_init(dev, &mcp23sxx_spi_regmap, mcp, +- &mcp23x17_regmap); +- mcp->reg_shift = 1; +- mcp->chip.ngpio = 16; +- mcp->chip.label = "mcp23s17"; ++ one_regmap_config); + break; + + case MCP_TYPE_S18: ++ if (!one_regmap_config) ++ return -ENOMEM; + mcp->regmap = devm_regmap_init(dev, &mcp23sxx_spi_regmap, mcp, + &mcp23x17_regmap); + mcp->reg_shift = 1; diff --git a/queue-4.16/pinctrl-msm-use-dynamic-gpio-numbering.patch b/queue-4.16/pinctrl-msm-use-dynamic-gpio-numbering.patch new file mode 100644 index 00000000000..d186489e636 --- /dev/null +++ b/queue-4.16/pinctrl-msm-use-dynamic-gpio-numbering.patch @@ -0,0 +1,34 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Bjorn Andersson +Date: Sun, 28 Jan 2018 16:59:48 -0800 +Subject: pinctrl: msm: Use dynamic GPIO numbering + +From: Bjorn Andersson + +[ Upstream commit a7aa75a2a7dba32594291a71c3704000a2fd7089 ] + +The base of the TLMM gpiochip should not be statically defined as 0, fix +this to not artificially restrict the existence of multiple pinctrl-msm +devices. + +Fixes: f365be092572 ("pinctrl: Add Qualcomm TLMM driver") +Reported-by: Timur Tabi +Signed-off-by: Bjorn Andersson +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/qcom/pinctrl-msm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pinctrl/qcom/pinctrl-msm.c ++++ b/drivers/pinctrl/qcom/pinctrl-msm.c +@@ -818,7 +818,7 @@ static int msm_gpio_init(struct msm_pinc + return -EINVAL; + + chip = &pctrl->chip; +- chip->base = 0; ++ chip->base = -1; + chip->ngpio = ngpio; + chip->label = dev_name(pctrl->dev); + chip->parent = pctrl->dev; diff --git a/queue-4.16/pinctrl-sh-pfc-r8a7796-fix-mod_sel-register-pin-assignment-for-ssi-pins-group.patch b/queue-4.16/pinctrl-sh-pfc-r8a7796-fix-mod_sel-register-pin-assignment-for-ssi-pins-group.patch new file mode 100644 index 00000000000..a28907d8b9f --- /dev/null +++ b/queue-4.16/pinctrl-sh-pfc-r8a7796-fix-mod_sel-register-pin-assignment-for-ssi-pins-group.patch @@ -0,0 +1,191 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Takeshi Kihara +Date: Fri, 16 Feb 2018 15:25:03 +0100 +Subject: pinctrl: sh-pfc: r8a7796: Fix MOD_SEL register pin assignment for SSI pins group + +From: Takeshi Kihara + +[ Upstream commit b418c4609d5052d174668ad6d13efe023c45c595 ] + +This patch fixes MOD_SEL1 bit20 and MOD_SEL2 bit20, bit21 pin assignment +for SSI pins group. + +This is a correction to the incorrect implementation of MOD_SEL register +pin assignment for R8A7796 SoC specification of R-Car Gen3 Hardware +User's Manual Rev.0.51E or later. + +Fixes: f9aece7344bd ("pinctrl: sh-pfc: Initial R8A7796 PFC support") +Signed-off-by: Takeshi Kihara +Signed-off-by: Ulrich Hecht +Reviewed-by: Simon Horman +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/sh-pfc/pfc-r8a7796.c | 40 +++++++++++++++++------------------ + 1 file changed, 20 insertions(+), 20 deletions(-) + +--- a/drivers/pinctrl/sh-pfc/pfc-r8a7796.c ++++ b/drivers/pinctrl/sh-pfc/pfc-r8a7796.c +@@ -1,7 +1,7 @@ + /* + * R8A7796 processor support - PFC hardware block. + * +- * Copyright (C) 2016 Renesas Electronics Corp. ++ * Copyright (C) 2016-2017 Renesas Electronics Corp. + * + * This file is based on the drivers/pinctrl/sh-pfc/pfc-r8a7795.c + * +@@ -477,7 +477,7 @@ FM(IP16_31_28) IP16_31_28 FM(IP17_31_28) + #define MOD_SEL1_26 FM(SEL_TIMER_TMU_0) FM(SEL_TIMER_TMU_1) + #define MOD_SEL1_25_24 FM(SEL_SSP1_1_0) FM(SEL_SSP1_1_1) FM(SEL_SSP1_1_2) FM(SEL_SSP1_1_3) + #define MOD_SEL1_23_22_21 FM(SEL_SSP1_0_0) FM(SEL_SSP1_0_1) FM(SEL_SSP1_0_2) FM(SEL_SSP1_0_3) FM(SEL_SSP1_0_4) F_(0, 0) F_(0, 0) F_(0, 0) +-#define MOD_SEL1_20 FM(SEL_SSI_0) FM(SEL_SSI_1) ++#define MOD_SEL1_20 FM(SEL_SSI1_0) FM(SEL_SSI1_1) + #define MOD_SEL1_19 FM(SEL_SPEED_PULSE_0) FM(SEL_SPEED_PULSE_1) + #define MOD_SEL1_18_17 FM(SEL_SIMCARD_0) FM(SEL_SIMCARD_1) FM(SEL_SIMCARD_2) FM(SEL_SIMCARD_3) + #define MOD_SEL1_16 FM(SEL_SDHI2_0) FM(SEL_SDHI2_1) +@@ -1218,7 +1218,7 @@ static const u16 pinmux_data[] = { + PINMUX_IPSR_GPSR(IP13_11_8, HSCK0), + PINMUX_IPSR_MSEL(IP13_11_8, MSIOF1_SCK_D, SEL_MSIOF1_3), + PINMUX_IPSR_MSEL(IP13_11_8, AUDIO_CLKB_A, SEL_ADG_B_0), +- PINMUX_IPSR_MSEL(IP13_11_8, SSI_SDATA1_B, SEL_SSI_1), ++ PINMUX_IPSR_MSEL(IP13_11_8, SSI_SDATA1_B, SEL_SSI1_1), + PINMUX_IPSR_MSEL(IP13_11_8, TS_SCK0_D, SEL_TSIF0_3), + PINMUX_IPSR_MSEL(IP13_11_8, STP_ISCLK_0_D, SEL_SSP1_0_3), + PINMUX_IPSR_MSEL(IP13_11_8, RIF0_CLK_C, SEL_DRIF0_2), +@@ -1226,14 +1226,14 @@ static const u16 pinmux_data[] = { + + PINMUX_IPSR_GPSR(IP13_15_12, HRX0), + PINMUX_IPSR_MSEL(IP13_15_12, MSIOF1_RXD_D, SEL_MSIOF1_3), +- PINMUX_IPSR_MSEL(IP13_15_12, SSI_SDATA2_B, SEL_SSI_1), ++ PINMUX_IPSR_MSEL(IP13_15_12, SSI_SDATA2_B, SEL_SSI2_1), + PINMUX_IPSR_MSEL(IP13_15_12, TS_SDEN0_D, SEL_TSIF0_3), + PINMUX_IPSR_MSEL(IP13_15_12, STP_ISEN_0_D, SEL_SSP1_0_3), + PINMUX_IPSR_MSEL(IP13_15_12, RIF0_D0_C, SEL_DRIF0_2), + + PINMUX_IPSR_GPSR(IP13_19_16, HTX0), + PINMUX_IPSR_MSEL(IP13_19_16, MSIOF1_TXD_D, SEL_MSIOF1_3), +- PINMUX_IPSR_MSEL(IP13_19_16, SSI_SDATA9_B, SEL_SSI_1), ++ PINMUX_IPSR_MSEL(IP13_19_16, SSI_SDATA9_B, SEL_SSI9_1), + PINMUX_IPSR_MSEL(IP13_19_16, TS_SDAT0_D, SEL_TSIF0_3), + PINMUX_IPSR_MSEL(IP13_19_16, STP_ISD_0_D, SEL_SSP1_0_3), + PINMUX_IPSR_MSEL(IP13_19_16, RIF0_D1_C, SEL_DRIF0_2), +@@ -1241,7 +1241,7 @@ static const u16 pinmux_data[] = { + PINMUX_IPSR_GPSR(IP13_23_20, HCTS0_N), + PINMUX_IPSR_MSEL(IP13_23_20, RX2_B, SEL_SCIF2_1), + PINMUX_IPSR_MSEL(IP13_23_20, MSIOF1_SYNC_D, SEL_MSIOF1_3), +- PINMUX_IPSR_MSEL(IP13_23_20, SSI_SCK9_A, SEL_SSI_0), ++ PINMUX_IPSR_MSEL(IP13_23_20, SSI_SCK9_A, SEL_SSI9_0), + PINMUX_IPSR_MSEL(IP13_23_20, TS_SPSYNC0_D, SEL_TSIF0_3), + PINMUX_IPSR_MSEL(IP13_23_20, STP_ISSYNC_0_D, SEL_SSP1_0_3), + PINMUX_IPSR_MSEL(IP13_23_20, RIF0_SYNC_C, SEL_DRIF0_2), +@@ -1250,7 +1250,7 @@ static const u16 pinmux_data[] = { + PINMUX_IPSR_GPSR(IP13_27_24, HRTS0_N), + PINMUX_IPSR_MSEL(IP13_27_24, TX2_B, SEL_SCIF2_1), + PINMUX_IPSR_MSEL(IP13_27_24, MSIOF1_SS1_D, SEL_MSIOF1_3), +- PINMUX_IPSR_MSEL(IP13_27_24, SSI_WS9_A, SEL_SSI_0), ++ PINMUX_IPSR_MSEL(IP13_27_24, SSI_WS9_A, SEL_SSI9_0), + PINMUX_IPSR_MSEL(IP13_27_24, STP_IVCXO27_0_D, SEL_SSP1_0_3), + PINMUX_IPSR_MSEL(IP13_27_24, BPFCLK_A, SEL_FM_0), + PINMUX_IPSR_GPSR(IP13_27_24, AUDIO_CLKOUT2_A), +@@ -1265,7 +1265,7 @@ static const u16 pinmux_data[] = { + PINMUX_IPSR_MSEL(IP14_3_0, RX5_A, SEL_SCIF5_0), + PINMUX_IPSR_MSEL(IP14_3_0, NFWP_N_A, SEL_NDF_0), + PINMUX_IPSR_MSEL(IP14_3_0, AUDIO_CLKA_C, SEL_ADG_A_2), +- PINMUX_IPSR_MSEL(IP14_3_0, SSI_SCK2_A, SEL_SSI_0), ++ PINMUX_IPSR_MSEL(IP14_3_0, SSI_SCK2_A, SEL_SSI2_0), + PINMUX_IPSR_MSEL(IP14_3_0, STP_IVCXO27_0_C, SEL_SSP1_0_2), + PINMUX_IPSR_GPSR(IP14_3_0, AUDIO_CLKOUT3_A), + PINMUX_IPSR_MSEL(IP14_3_0, TCLK1_B, SEL_TIMER_TMU_1), +@@ -1274,7 +1274,7 @@ static const u16 pinmux_data[] = { + PINMUX_IPSR_MSEL(IP14_7_4, TX5_A, SEL_SCIF5_0), + PINMUX_IPSR_MSEL(IP14_7_4, MSIOF1_SS2_D, SEL_MSIOF1_3), + PINMUX_IPSR_MSEL(IP14_7_4, AUDIO_CLKC_A, SEL_ADG_C_0), +- PINMUX_IPSR_MSEL(IP14_7_4, SSI_WS2_A, SEL_SSI_0), ++ PINMUX_IPSR_MSEL(IP14_7_4, SSI_WS2_A, SEL_SSI2_0), + PINMUX_IPSR_MSEL(IP14_7_4, STP_OPWM_0_D, SEL_SSP1_0_3), + PINMUX_IPSR_GPSR(IP14_7_4, AUDIO_CLKOUT_D), + PINMUX_IPSR_MSEL(IP14_7_4, SPEEDIN_B, SEL_SPEED_PULSE_1), +@@ -1302,10 +1302,10 @@ static const u16 pinmux_data[] = { + PINMUX_IPSR_MSEL(IP14_31_28, MSIOF1_SS2_F, SEL_MSIOF1_5), + + /* IPSR15 */ +- PINMUX_IPSR_MSEL(IP15_3_0, SSI_SDATA1_A, SEL_SSI_0), ++ PINMUX_IPSR_MSEL(IP15_3_0, SSI_SDATA1_A, SEL_SSI1_0), + +- PINMUX_IPSR_MSEL(IP15_7_4, SSI_SDATA2_A, SEL_SSI_0), +- PINMUX_IPSR_MSEL(IP15_7_4, SSI_SCK1_B, SEL_SSI_1), ++ PINMUX_IPSR_MSEL(IP15_7_4, SSI_SDATA2_A, SEL_SSI2_0), ++ PINMUX_IPSR_MSEL(IP15_7_4, SSI_SCK1_B, SEL_SSI1_1), + + PINMUX_IPSR_GPSR(IP15_11_8, SSI_SCK349), + PINMUX_IPSR_MSEL(IP15_11_8, MSIOF1_SS1_A, SEL_MSIOF1_0), +@@ -1391,11 +1391,11 @@ static const u16 pinmux_data[] = { + PINMUX_IPSR_MSEL(IP16_27_24, RIF1_D1_A, SEL_DRIF1_0), + PINMUX_IPSR_MSEL(IP16_27_24, RIF3_D1_A, SEL_DRIF3_0), + +- PINMUX_IPSR_MSEL(IP16_31_28, SSI_SDATA9_A, SEL_SSI_0), ++ PINMUX_IPSR_MSEL(IP16_31_28, SSI_SDATA9_A, SEL_SSI9_0), + PINMUX_IPSR_MSEL(IP16_31_28, HSCK2_B, SEL_HSCIF2_1), + PINMUX_IPSR_MSEL(IP16_31_28, MSIOF1_SS1_C, SEL_MSIOF1_2), + PINMUX_IPSR_MSEL(IP16_31_28, HSCK1_A, SEL_HSCIF1_0), +- PINMUX_IPSR_MSEL(IP16_31_28, SSI_WS1_B, SEL_SSI_1), ++ PINMUX_IPSR_MSEL(IP16_31_28, SSI_WS1_B, SEL_SSI1_1), + PINMUX_IPSR_GPSR(IP16_31_28, SCK1), + PINMUX_IPSR_MSEL(IP16_31_28, STP_IVCXO27_1_A, SEL_SSP1_1_0), + PINMUX_IPSR_MSEL(IP16_31_28, SCK5_A, SEL_SCIF5_0), +@@ -1427,7 +1427,7 @@ static const u16 pinmux_data[] = { + + PINMUX_IPSR_GPSR(IP17_19_16, USB1_PWEN), + PINMUX_IPSR_MSEL(IP17_19_16, SIM0_CLK_C, SEL_SIMCARD_2), +- PINMUX_IPSR_MSEL(IP17_19_16, SSI_SCK1_A, SEL_SSI_0), ++ PINMUX_IPSR_MSEL(IP17_19_16, SSI_SCK1_A, SEL_SSI1_0), + PINMUX_IPSR_MSEL(IP17_19_16, TS_SCK0_E, SEL_TSIF0_4), + PINMUX_IPSR_MSEL(IP17_19_16, STP_ISCLK_0_E, SEL_SSP1_0_4), + PINMUX_IPSR_MSEL(IP17_19_16, FMCLK_B, SEL_FM_1), +@@ -1437,7 +1437,7 @@ static const u16 pinmux_data[] = { + + PINMUX_IPSR_GPSR(IP17_23_20, USB1_OVC), + PINMUX_IPSR_MSEL(IP17_23_20, MSIOF1_SS2_C, SEL_MSIOF1_2), +- PINMUX_IPSR_MSEL(IP17_23_20, SSI_WS1_A, SEL_SSI_0), ++ PINMUX_IPSR_MSEL(IP17_23_20, SSI_WS1_A, SEL_SSI1_0), + PINMUX_IPSR_MSEL(IP17_23_20, TS_SDAT0_E, SEL_TSIF0_4), + PINMUX_IPSR_MSEL(IP17_23_20, STP_ISD_0_E, SEL_SSP1_0_4), + PINMUX_IPSR_MSEL(IP17_23_20, FMIN_B, SEL_FM_1), +@@ -1447,7 +1447,7 @@ static const u16 pinmux_data[] = { + + PINMUX_IPSR_GPSR(IP17_27_24, USB30_PWEN), + PINMUX_IPSR_GPSR(IP17_27_24, AUDIO_CLKOUT_B), +- PINMUX_IPSR_MSEL(IP17_27_24, SSI_SCK2_B, SEL_SSI_1), ++ PINMUX_IPSR_MSEL(IP17_27_24, SSI_SCK2_B, SEL_SSI2_1), + PINMUX_IPSR_MSEL(IP17_27_24, TS_SDEN1_D, SEL_TSIF1_3), + PINMUX_IPSR_MSEL(IP17_27_24, STP_ISEN_1_D, SEL_SSP1_1_3), + PINMUX_IPSR_MSEL(IP17_27_24, STP_OPWM_0_E, SEL_SSP1_0_4), +@@ -1459,7 +1459,7 @@ static const u16 pinmux_data[] = { + + PINMUX_IPSR_GPSR(IP17_31_28, USB30_OVC), + PINMUX_IPSR_GPSR(IP17_31_28, AUDIO_CLKOUT1_B), +- PINMUX_IPSR_MSEL(IP17_31_28, SSI_WS2_B, SEL_SSI_1), ++ PINMUX_IPSR_MSEL(IP17_31_28, SSI_WS2_B, SEL_SSI2_1), + PINMUX_IPSR_MSEL(IP17_31_28, TS_SPSYNC1_D, SEL_TSIF1_3), + PINMUX_IPSR_MSEL(IP17_31_28, STP_ISSYNC_1_D, SEL_SSP1_1_3), + PINMUX_IPSR_MSEL(IP17_31_28, STP_IVCXO27_0_E, SEL_SSP1_0_4), +@@ -1470,7 +1470,7 @@ static const u16 pinmux_data[] = { + /* IPSR18 */ + PINMUX_IPSR_GPSR(IP18_3_0, GP6_30), + PINMUX_IPSR_GPSR(IP18_3_0, AUDIO_CLKOUT2_B), +- PINMUX_IPSR_MSEL(IP18_3_0, SSI_SCK9_B, SEL_SSI_1), ++ PINMUX_IPSR_MSEL(IP18_3_0, SSI_SCK9_B, SEL_SSI9_1), + PINMUX_IPSR_MSEL(IP18_3_0, TS_SDEN0_E, SEL_TSIF0_4), + PINMUX_IPSR_MSEL(IP18_3_0, STP_ISEN_0_E, SEL_SSP1_0_4), + PINMUX_IPSR_MSEL(IP18_3_0, RIF2_D0_B, SEL_DRIF2_1), +@@ -1480,7 +1480,7 @@ static const u16 pinmux_data[] = { + + PINMUX_IPSR_GPSR(IP18_7_4, GP6_31), + PINMUX_IPSR_GPSR(IP18_7_4, AUDIO_CLKOUT3_B), +- PINMUX_IPSR_MSEL(IP18_7_4, SSI_WS9_B, SEL_SSI_1), ++ PINMUX_IPSR_MSEL(IP18_7_4, SSI_WS9_B, SEL_SSI9_1), + PINMUX_IPSR_MSEL(IP18_7_4, TS_SPSYNC0_E, SEL_TSIF0_4), + PINMUX_IPSR_MSEL(IP18_7_4, STP_ISSYNC_0_E, SEL_SSP1_0_4), + PINMUX_IPSR_MSEL(IP18_7_4, RIF2_D1_B, SEL_DRIF2_1), diff --git a/queue-4.16/platform-x86-dell-smbios-fix-memory-leaks-in-build_tokens_sysfs.patch b/queue-4.16/platform-x86-dell-smbios-fix-memory-leaks-in-build_tokens_sysfs.patch new file mode 100644 index 00000000000..c310414fee7 --- /dev/null +++ b/queue-4.16/platform-x86-dell-smbios-fix-memory-leaks-in-build_tokens_sysfs.patch @@ -0,0 +1,42 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Dan Carpenter +Date: Fri, 16 Mar 2018 15:10:15 +0300 +Subject: platform/x86: dell-smbios: Fix memory leaks in build_tokens_sysfs() + +From: Dan Carpenter + +[ Upstream commit 0e5b09b165510e2ea5c526e962c4edadd849ef4c ] + +We're freeing "value_name" which is NULL, so that's a no-op, but we +intended to free "location_name" instead. And then we don't free the +names in token_location_attrs[0] and token_value_attrs[0]. + +Fixes: 33b9ca1e53b4 ("platform/x86: dell-smbios: Add a sysfs interface for SMBIOS tokens") +Signed-off-by: Dan Carpenter +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/dell-smbios-base.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/platform/x86/dell-smbios-base.c ++++ b/drivers/platform/x86/dell-smbios-base.c +@@ -514,7 +514,7 @@ static int build_tokens_sysfs(struct pla + continue; + + loop_fail_create_value: +- kfree(value_name); ++ kfree(location_name); + goto out_unwind_strings; + } + smbios_attribute_group.attrs = token_attrs; +@@ -525,7 +525,7 @@ loop_fail_create_value: + return 0; + + out_unwind_strings: +- for (i = i-1; i > 0; i--) { ++ while (i--) { + kfree(token_location_attrs[i].attr.name); + kfree(token_value_attrs[i].attr.name); + } diff --git a/queue-4.16/power-supply-ltc2941-battery-gauge-fix-temperature-units.patch b/queue-4.16/power-supply-ltc2941-battery-gauge-fix-temperature-units.patch new file mode 100644 index 00000000000..cf01e279cdd --- /dev/null +++ b/queue-4.16/power-supply-ltc2941-battery-gauge-fix-temperature-units.patch @@ -0,0 +1,42 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Ladislav Michl +Date: Thu, 22 Feb 2018 18:21:36 +0100 +Subject: power: supply: ltc2941-battery-gauge: Fix temperature units + +From: Ladislav Michl + +[ Upstream commit dde5953f05a89eb63a0d666ffe51d447b2ac3e05 ] + +Temperature is measured in tenths of degree Celsius. + +Fixes: 085bc24d1553 ("Add LTC2941/LTC2943 Battery Gauge Driver") +Signed-off-by: Ladislav Michl +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/ltc2941-battery-gauge.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/power/supply/ltc2941-battery-gauge.c ++++ b/drivers/power/supply/ltc2941-battery-gauge.c +@@ -317,15 +317,15 @@ static int ltc294x_get_temperature(const + + if (info->id == LTC2942_ID) { + reg = LTC2942_REG_TEMPERATURE_MSB; +- value = 60000; /* Full-scale is 600 Kelvin */ ++ value = 6000; /* Full-scale is 600 Kelvin */ + } else { + reg = LTC2943_REG_TEMPERATURE_MSB; +- value = 51000; /* Full-scale is 510 Kelvin */ ++ value = 5100; /* Full-scale is 510 Kelvin */ + } + ret = ltc294x_read_regs(info->client, reg, &datar[0], 2); + value *= (datar[0] << 8) | datar[1]; +- /* Convert to centidegrees */ +- *val = value / 0xFFFF - 27215; ++ /* Convert to tenths of degree Celsius */ ++ *val = value / 0xFFFF - 2722; + return ret; + } + diff --git a/queue-4.16/powerpc-64s-idle-fix-restore-of-amor-on-power9-after-deep-sleep.patch b/queue-4.16/powerpc-64s-idle-fix-restore-of-amor-on-power9-after-deep-sleep.patch new file mode 100644 index 00000000000..ea4a819b888 --- /dev/null +++ b/queue-4.16/powerpc-64s-idle-fix-restore-of-amor-on-power9-after-deep-sleep.patch @@ -0,0 +1,34 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Nicholas Piggin +Date: Thu, 5 Apr 2018 16:10:00 +1000 +Subject: powerpc/64s/idle: Fix restore of AMOR on POWER9 after deep sleep + +From: Nicholas Piggin + +[ Upstream commit c1b25a17d24925b0961c319cfc3fd7e1dc778914 ] + +POWER8 restores AMOR when waking from deep sleep, but POWER9 does not, +because it does not go through the subcore restore. + +Have POWER9 restore it in core restore. + +Fixes: ee97b6b99f42 ("powerpc/mm/radix: Setup AMOR in HV mode to allow key 0") +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/idle_book3s.S | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/powerpc/kernel/idle_book3s.S ++++ b/arch/powerpc/kernel/idle_book3s.S +@@ -834,6 +834,8 @@ BEGIN_FTR_SECTION + mtspr SPRN_PTCR,r4 + ld r4,_RPR(r1) + mtspr SPRN_RPR,r4 ++ ld r4,_AMOR(r1) ++ mtspr SPRN_AMOR,r4 + END_FTR_SECTION_IFSET(CPU_FTR_ARCH_300) + + ld r4,_TSCR(r1) diff --git a/queue-4.16/powerpc-64s-sreset-panic-if-there-is-no-debugger-or-crash-dump-handlers.patch b/queue-4.16/powerpc-64s-sreset-panic-if-there-is-no-debugger-or-crash-dump-handlers.patch new file mode 100644 index 00000000000..4a1c3aac87c --- /dev/null +++ b/queue-4.16/powerpc-64s-sreset-panic-if-there-is-no-debugger-or-crash-dump-handlers.patch @@ -0,0 +1,67 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Nicholas Piggin +Date: Tue, 27 Mar 2018 01:01:16 +1000 +Subject: powerpc/64s: sreset panic if there is no debugger or crash dump handlers + +From: Nicholas Piggin + +[ Upstream commit d40b6768e45bd9213139b2d91d30c7692b6007b1 ] + +system_reset_exception does most of its own crash handling now, +invoking the debugger or crash dumps if they are registered. If not, +then it goes through to die() to print stack traces, and then is +supposed to panic (according to comments). + +However after die() prints oopses, it does its own handling which +doesn't allow system_reset_exception to panic (e.g., it may just +kill the current process). This patch causes sreset exceptions to +return from die after it prints messages but before acting. + +This also stops die from invoking the debugger on 0x100 crashes. +system_reset_exception similarly calls the debugger. It had been +thought this was harmless (because if the debugger was disabled, +neither call would fire, and if it was enabled the first call +would return). However in some cases like xmon 'X' command, the +debugger returns 0, which currently causes it to be entered +again (first in system_reset_exception, then in die), which is +confusing. + +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/traps.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/kernel/traps.c ++++ b/arch/powerpc/kernel/traps.c +@@ -208,6 +208,12 @@ static void oops_end(unsigned long flags + } + raw_local_irq_restore(flags); + ++ /* ++ * system_reset_excption handles debugger, crash dump, panic, for 0x100 ++ */ ++ if (TRAP(regs) == 0x100) ++ return; ++ + crash_fadump(regs, "die oops"); + + if (kexec_should_crash(current)) +@@ -272,8 +278,13 @@ void die(const char *str, struct pt_regs + { + unsigned long flags; + +- if (debugger(regs)) +- return; ++ /* ++ * system_reset_excption handles debugger, crash dump, panic, for 0x100 ++ */ ++ if (TRAP(regs) != 0x100) { ++ if (debugger(regs)) ++ return; ++ } + + flags = oops_begin(regs); + if (__die(str, regs, err)) diff --git a/queue-4.16/powerpc-add-missing-prototype-for-arch_irq_work_raise.patch b/queue-4.16/powerpc-add-missing-prototype-for-arch_irq_work_raise.patch new file mode 100644 index 00000000000..1748182fe72 --- /dev/null +++ b/queue-4.16/powerpc-add-missing-prototype-for-arch_irq_work_raise.patch @@ -0,0 +1,33 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Mathieu Malaterre +Date: Sun, 25 Feb 2018 18:22:29 +0100 +Subject: powerpc: Add missing prototype for arch_irq_work_raise() + +From: Mathieu Malaterre + +[ Upstream commit f5246862f82f1e16bbf84cda4cddf287672b30fe ] + +In commit 4f8b50bbbe63 ("irq_work, ppc: Fix up arch hooks") a new +function arch_irq_work_raise() was added without a prototype in header +irq_work.h. + +Fix the following warning (treated as error in W=1): + arch/powerpc/kernel/time.c:523:6: error: no previous prototype for ‘arch_irq_work_raise’ + +Signed-off-by: Mathieu Malaterre +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/include/asm/irq_work.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/powerpc/include/asm/irq_work.h ++++ b/arch/powerpc/include/asm/irq_work.h +@@ -6,5 +6,6 @@ static inline bool arch_irq_work_has_int + { + return true; + } ++extern void arch_irq_work_raise(void); + + #endif /* _ASM_POWERPC_IRQ_WORK_H */ diff --git a/queue-4.16/powerpc-fscr-enable-interrupts-earlier-before-calling-get_user.patch b/queue-4.16/powerpc-fscr-enable-interrupts-earlier-before-calling-get_user.patch new file mode 100644 index 00000000000..223d452c6d3 --- /dev/null +++ b/queue-4.16/powerpc-fscr-enable-interrupts-earlier-before-calling-get_user.patch @@ -0,0 +1,81 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Anshuman Khandual +Date: Thu, 29 Mar 2018 11:53:37 +0530 +Subject: powerpc/fscr: Enable interrupts earlier before calling get_user() + +From: Anshuman Khandual + +[ Upstream commit 709b973c844c0b4d115ac3a227a2e5a68722c912 ] + +The function get_user() can sleep while trying to fetch instruction +from user address space and causes the following warning from the +scheduler. + +BUG: sleeping function called from invalid context + +Though interrupts get enabled back but it happens bit later after +get_user() is called. This change moves enabling these interrupts +earlier covering the function get_user(). While at this, lets check +for kernel mode and crash as this interrupt should not have been +triggered from the kernel context. + +Signed-off-by: Anshuman Khandual +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/traps.c | 32 +++++++++++++++++--------------- + 1 file changed, 17 insertions(+), 15 deletions(-) + +--- a/arch/powerpc/kernel/traps.c ++++ b/arch/powerpc/kernel/traps.c +@@ -1612,6 +1612,22 @@ void facility_unavailable_exception(stru + value = mfspr(SPRN_FSCR); + + status = value >> 56; ++ if ((hv || status >= 2) && ++ (status < ARRAY_SIZE(facility_strings)) && ++ facility_strings[status]) ++ facility = facility_strings[status]; ++ ++ /* We should not have taken this interrupt in kernel */ ++ if (!user_mode(regs)) { ++ pr_emerg("Facility '%s' unavailable (%d) exception in kernel mode at %lx\n", ++ facility, status, regs->nip); ++ die("Unexpected facility unavailable exception", regs, SIGABRT); ++ } ++ ++ /* We restore the interrupt state now */ ++ if (!arch_irq_disabled_regs(regs)) ++ local_irq_enable(); ++ + if (status == FSCR_DSCR_LG) { + /* + * User is accessing the DSCR register using the problem +@@ -1678,25 +1694,11 @@ void facility_unavailable_exception(stru + return; + } + +- if ((hv || status >= 2) && +- (status < ARRAY_SIZE(facility_strings)) && +- facility_strings[status]) +- facility = facility_strings[status]; +- +- /* We restore the interrupt state now */ +- if (!arch_irq_disabled_regs(regs)) +- local_irq_enable(); +- + pr_err_ratelimited("%sFacility '%s' unavailable (%d), exception at 0x%lx, MSR=%lx\n", + hv ? "Hypervisor " : "", facility, status, regs->nip, regs->msr); + + out: +- if (user_mode(regs)) { +- _exception(SIGILL, regs, ILL_ILLOPC, regs->nip); +- return; +- } +- +- die("Unexpected facility unavailable exception", regs, SIGABRT); ++ _exception(SIGILL, regs, ILL_ILLOPC, regs->nip); + } + #endif + diff --git a/queue-4.16/powerpc-mm-slice-fix-hugepage-allocation-at-hint-address-on-8xx.patch b/queue-4.16/powerpc-mm-slice-fix-hugepage-allocation-at-hint-address-on-8xx.patch new file mode 100644 index 00000000000..a0357f42222 --- /dev/null +++ b/queue-4.16/powerpc-mm-slice-fix-hugepage-allocation-at-hint-address-on-8xx.patch @@ -0,0 +1,183 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Christophe Leroy +Date: Thu, 22 Feb 2018 15:27:26 +0100 +Subject: powerpc/mm/slice: Fix hugepage allocation at hint address on 8xx + +From: Christophe Leroy + +[ Upstream commit aa0ab02ba992eb956934b21373e0138211486ddd ] + +On the 8xx, the page size is set in the PMD entry and applies to +all pages of the page table pointed by the said PMD entry. + +When an app has some regular pages allocated (e.g. see below) and tries +to mmap() a huge page at a hint address covered by the same PMD entry, +the kernel accepts the hint allthough the 8xx cannot handle different +page sizes in the same PMD entry. + +10000000-10001000 r-xp 00000000 00:0f 2597 /root/malloc +10010000-10011000 rwxp 00000000 00:0f 2597 /root/malloc + +mmap(0x10080000, 524288, PROT_READ|PROT_WRITE, + MAP_PRIVATE|MAP_ANONYMOUS|0x40000, -1, 0) = 0x10080000 + +This results the app remaining forever in do_page_fault()/hugetlb_fault() +and when interrupting that app, we get the following warning: + +[162980.035629] WARNING: CPU: 0 PID: 2777 at arch/powerpc/mm/hugetlbpage.c:354 hugetlb_free_pgd_range+0xc8/0x1e4 +[162980.035699] CPU: 0 PID: 2777 Comm: malloc Tainted: G W 4.14.6 #85 +[162980.035744] task: c67e2c00 task.stack: c668e000 +[162980.035783] NIP: c000fe18 LR: c00e1eec CTR: c00f90c0 +[162980.035830] REGS: c668fc20 TRAP: 0700 Tainted: G W (4.14.6) +[162980.035854] MSR: 00029032 CR: 24044224 XER: 20000000 +[162980.036003] +[162980.036003] GPR00: c00e1eec c668fcd0 c67e2c00 00000010 c6869410 10080000 00000000 77fb4000 +[162980.036003] GPR08: ffff0001 0683c001 00000000 ffffff80 44028228 10018a34 00004008 418004fc +[162980.036003] GPR16: c668e000 00040100 c668e000 c06c0000 c668fe78 c668e000 c6835ba0 c668fd48 +[162980.036003] GPR24: 00000000 73ffffff 74000000 00000001 77fb4000 100fffff 10100000 10100000 +[162980.036743] NIP [c000fe18] hugetlb_free_pgd_range+0xc8/0x1e4 +[162980.036839] LR [c00e1eec] free_pgtables+0x12c/0x150 +[162980.036861] Call Trace: +[162980.036939] [c668fcd0] [c00f0774] unlink_anon_vmas+0x1c4/0x214 (unreliable) +[162980.037040] [c668fd10] [c00e1eec] free_pgtables+0x12c/0x150 +[162980.037118] [c668fd40] [c00eabac] exit_mmap+0xe8/0x1b4 +[162980.037210] [c668fda0] [c0019710] mmput.part.9+0x20/0xd8 +[162980.037301] [c668fdb0] [c001ecb0] do_exit+0x1f0/0x93c +[162980.037386] [c668fe00] [c001f478] do_group_exit+0x40/0xcc +[162980.037479] [c668fe10] [c002a76c] get_signal+0x47c/0x614 +[162980.037570] [c668fe70] [c0007840] do_signal+0x54/0x244 +[162980.037654] [c668ff30] [c0007ae8] do_notify_resume+0x34/0x88 +[162980.037744] [c668ff40] [c000dae8] do_user_signal+0x74/0xc4 +[162980.037781] Instruction dump: +[162980.037821] 7fdff378 81370000 54a3463a 80890020 7d24182e 7c841a14 712a0004 4082ff94 +[162980.038014] 2f890000 419e0010 712a0ff0 408200e0 <0fe00000> 54a9000a 7f984840 419d0094 +[162980.038216] ---[ end trace c0ceeca8e7a5800a ]--- +[162980.038754] BUG: non-zero nr_ptes on freeing mm: 1 +[162985.363322] BUG: non-zero nr_ptes on freeing mm: -1 + +In order to fix this, this patch uses the address space "slices" +implemented for BOOK3S/64 and enhanced to support PPC32 by the +preceding patch. + +This patch modifies the context.id on the 8xx to be in the range +[1:16] instead of [0:15] in order to identify context.id == 0 as +not initialised contexts as done on BOOK3S + +This patch activates CONFIG_PPC_MM_SLICES when CONFIG_HUGETLB_PAGE is +selected for the 8xx + +Alltough we could in theory have as many slices as PMD entries, the +current slices implementation limits the number of low slices to 16. +This limitation is not preventing us to fix the initial issue allthough +it is suboptimal. It will be cured in a subsequent patch. + +Fixes: 4b91428699477 ("powerpc/8xx: Implement support of hugepages") +Signed-off-by: Christophe Leroy +Reviewed-by: Aneesh Kumar K.V +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/include/asm/mmu-8xx.h | 6 ++++++ + arch/powerpc/kernel/setup-common.c | 2 ++ + arch/powerpc/mm/8xx_mmu.c | 2 +- + arch/powerpc/mm/hugetlbpage.c | 2 ++ + arch/powerpc/mm/mmu_context_nohash.c | 18 ++++++++++++++++-- + arch/powerpc/platforms/Kconfig.cputype | 1 + + 6 files changed, 28 insertions(+), 3 deletions(-) + +--- a/arch/powerpc/include/asm/mmu-8xx.h ++++ b/arch/powerpc/include/asm/mmu-8xx.h +@@ -191,6 +191,12 @@ typedef struct { + unsigned int id; + unsigned int active; + unsigned long vdso_base; ++#ifdef CONFIG_PPC_MM_SLICES ++ u16 user_psize; /* page size index */ ++ u64 low_slices_psize; /* page size encodings */ ++ unsigned char high_slices_psize[0]; ++ unsigned long slb_addr_limit; ++#endif + } mm_context_t; + + #define PHYS_IMMR_BASE (mfspr(SPRN_IMMR) & 0xfff80000) +--- a/arch/powerpc/kernel/setup-common.c ++++ b/arch/powerpc/kernel/setup-common.c +@@ -919,6 +919,8 @@ void __init setup_arch(char **cmdline_p) + #ifdef CONFIG_PPC64 + if (!radix_enabled()) + init_mm.context.slb_addr_limit = DEFAULT_MAP_WINDOW_USER64; ++#elif defined(CONFIG_PPC_8xx) ++ init_mm.context.slb_addr_limit = DEFAULT_MAP_WINDOW; + #else + #error "context.addr_limit not initialized." + #endif +--- a/arch/powerpc/mm/8xx_mmu.c ++++ b/arch/powerpc/mm/8xx_mmu.c +@@ -192,7 +192,7 @@ void set_context(unsigned long id, pgd_t + mtspr(SPRN_M_TW, __pa(pgd) - offset); + + /* Update context */ +- mtspr(SPRN_M_CASID, id); ++ mtspr(SPRN_M_CASID, id - 1); + /* sync */ + mb(); + } +--- a/arch/powerpc/mm/hugetlbpage.c ++++ b/arch/powerpc/mm/hugetlbpage.c +@@ -553,9 +553,11 @@ unsigned long hugetlb_get_unmapped_area( + struct hstate *hstate = hstate_file(file); + int mmu_psize = shift_to_mmu_psize(huge_page_shift(hstate)); + ++#ifdef CONFIG_PPC_RADIX_MMU + if (radix_enabled()) + return radix__hugetlb_get_unmapped_area(file, addr, len, + pgoff, flags); ++#endif + return slice_get_unmapped_area(addr, len, flags, mmu_psize, 1); + } + #endif +--- a/arch/powerpc/mm/mmu_context_nohash.c ++++ b/arch/powerpc/mm/mmu_context_nohash.c +@@ -331,6 +331,20 @@ int init_new_context(struct task_struct + { + pr_hard("initing context for mm @%p\n", mm); + ++#ifdef CONFIG_PPC_MM_SLICES ++ if (!mm->context.slb_addr_limit) ++ mm->context.slb_addr_limit = DEFAULT_MAP_WINDOW; ++ ++ /* ++ * We have MMU_NO_CONTEXT set to be ~0. Hence check ++ * explicitly against context.id == 0. This ensures that we properly ++ * initialize context slice details for newly allocated mm's (which will ++ * have id == 0) and don't alter context slice inherited via fork (which ++ * will have id != 0). ++ */ ++ if (mm->context.id == 0) ++ slice_set_user_psize(mm, mmu_virtual_psize); ++#endif + mm->context.id = MMU_NO_CONTEXT; + mm->context.active = 0; + return 0; +@@ -428,8 +442,8 @@ void __init mmu_context_init(void) + * -- BenH + */ + if (mmu_has_feature(MMU_FTR_TYPE_8xx)) { +- first_context = 0; +- last_context = 15; ++ first_context = 1; ++ last_context = 16; + no_selective_tlbil = true; + } else if (mmu_has_feature(MMU_FTR_TYPE_47x)) { + first_context = 1; +--- a/arch/powerpc/platforms/Kconfig.cputype ++++ b/arch/powerpc/platforms/Kconfig.cputype +@@ -326,6 +326,7 @@ config PPC_BOOK3E_MMU + config PPC_MM_SLICES + bool + default y if PPC_BOOK3S_64 ++ default y if PPC_8xx && HUGETLB_PAGE + default n + + config PPC_HAVE_PMU_SUPPORT diff --git a/queue-4.16/powerpc-mpic-check-if-cpu_possible-in-mpic_physmask.patch b/queue-4.16/powerpc-mpic-check-if-cpu_possible-in-mpic_physmask.patch new file mode 100644 index 00000000000..244e286bd83 --- /dev/null +++ b/queue-4.16/powerpc-mpic-check-if-cpu_possible-in-mpic_physmask.patch @@ -0,0 +1,47 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Michael Ellerman +Date: Fri, 30 Mar 2018 23:27:25 +1100 +Subject: powerpc/mpic: Check if cpu_possible() in mpic_physmask() + +From: Michael Ellerman + +[ Upstream commit 0834d627fbea00c1444075eb3e448e1974da452d ] + +In mpic_physmask() we loop over all CPUs up to 32, then get the hard +SMP processor id of that CPU. + +Currently that's possibly walking off the end of the paca array, but +in a future patch we will change the paca array to be an array of +pointers, and in that case we will get a NULL for missing CPUs and +oops. eg: + + Unable to handle kernel paging request for data at address 0x88888888888888b8 + Faulting instruction address: 0xc00000000004e380 + Oops: Kernel access of bad area, sig: 11 [#1] + ... + NIP .mpic_set_affinity+0x60/0x1a0 + LR .irq_do_set_affinity+0x48/0x100 + +Fix it by checking the CPU is possible, this also fixes the code if +there are gaps in the CPU numbering which probably never happens on +mpic systems but who knows. + +Debugged-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/sysdev/mpic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/sysdev/mpic.c ++++ b/arch/powerpc/sysdev/mpic.c +@@ -626,7 +626,7 @@ static inline u32 mpic_physmask(u32 cpum + int i; + u32 mask = 0; + +- for (i = 0; i < min(32, NR_CPUS); ++i, cpumask >>= 1) ++ for (i = 0; i < min(32, NR_CPUS) && cpu_possible(i); ++i, cpumask >>= 1) + mask |= (cpumask & 1) << get_hard_smp_processor_id(i); + return mask; + } diff --git a/queue-4.16/powerpc-perf-fix-kernel-address-leak-via-sampling-registers.patch b/queue-4.16/powerpc-perf-fix-kernel-address-leak-via-sampling-registers.patch new file mode 100644 index 00000000000..2fd7a4c6047 --- /dev/null +++ b/queue-4.16/powerpc-perf-fix-kernel-address-leak-via-sampling-registers.patch @@ -0,0 +1,72 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Michael Ellerman +Date: Wed, 21 Mar 2018 17:10:24 +0530 +Subject: powerpc/perf: Fix kernel address leak via sampling registers + +From: Michael Ellerman + +[ Upstream commit e1ebd0e5b9d0a10ba65e63a3514b6da8c6a5a819 ] + +Current code in power_pmu_disable() does not clear the sampling +registers like Sampling Instruction Address Register (SIAR) and +Sampling Data Address Register (SDAR) after disabling the PMU. Since +these are userspace readable and could contain kernel addresses, add +code to explicitly clear the content of these registers. + +Also add a "context synchronizing instruction" to enforce no further +updates to these registers as suggested by Power ISA v3.0B. From +section 9.4, on page 1108: + + "If an mtspr instruction is executed that changes the value of a + Performance Monitor register other than SIAR, SDAR, and SIER, the + change is not guaranteed to have taken effect until after a + subsequent context synchronizing instruction has been executed (see + Chapter 11. "Synchronization Requirements for Context Alterations" + on page 1133)." + +Signed-off-by: Madhavan Srinivasan +[mpe: Massage change log and add ISA reference] +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/perf/core-book3s.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/arch/powerpc/perf/core-book3s.c ++++ b/arch/powerpc/perf/core-book3s.c +@@ -1236,6 +1236,7 @@ static void power_pmu_disable(struct pmu + */ + write_mmcr0(cpuhw, val); + mb(); ++ isync(); + + /* + * Disable instruction sampling if it was enabled +@@ -1244,12 +1245,26 @@ static void power_pmu_disable(struct pmu + mtspr(SPRN_MMCRA, + cpuhw->mmcr[2] & ~MMCRA_SAMPLE_ENABLE); + mb(); ++ isync(); + } + + cpuhw->disabled = 1; + cpuhw->n_added = 0; + + ebb_switch_out(mmcr0); ++ ++#ifdef CONFIG_PPC64 ++ /* ++ * These are readable by userspace, may contain kernel ++ * addresses and are not switched by context switch, so clear ++ * them now to avoid leaking anything to userspace in general ++ * including to another process. ++ */ ++ if (ppmu->flags & PPMU_ARCH_207S) { ++ mtspr(SPRN_SDAR, 0); ++ mtspr(SPRN_SIAR, 0); ++ } ++#endif + } + + local_irq_restore(flags); diff --git a/queue-4.16/powerpc-perf-prevent-kernel-address-leak-to-userspace-via-bhrb-buffer.patch b/queue-4.16/powerpc-perf-prevent-kernel-address-leak-to-userspace-via-bhrb-buffer.patch new file mode 100644 index 00000000000..da0321f5195 --- /dev/null +++ b/queue-4.16/powerpc-perf-prevent-kernel-address-leak-to-userspace-via-bhrb-buffer.patch @@ -0,0 +1,42 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Madhavan Srinivasan +Date: Wed, 21 Mar 2018 17:10:25 +0530 +Subject: powerpc/perf: Prevent kernel address leak to userspace via BHRB buffer + +From: Madhavan Srinivasan + +[ Upstream commit bb19af816025d495376bd76bf6fbcf4244f9a06d ] + +The current Branch History Rolling Buffer (BHRB) code does not check +for any privilege levels before updating the data from BHRB. This +could leak kernel addresses to userspace even when profiling only with +userspace privileges. Add proper checks to prevent it. + +Acked-by: Balbir Singh +Signed-off-by: Madhavan Srinivasan +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/perf/core-book3s.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/arch/powerpc/perf/core-book3s.c ++++ b/arch/powerpc/perf/core-book3s.c +@@ -457,6 +457,16 @@ static void power_pmu_bhrb_read(struct c + /* invalid entry */ + continue; + ++ /* ++ * BHRB rolling buffer could very much contain the kernel ++ * addresses at this point. Check the privileges before ++ * exporting it to userspace (avoid exposure of regions ++ * where we could have speculative execution) ++ */ ++ if (perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN) && ++ is_kernel_addr(addr)) ++ continue; ++ + /* Branches are read most recent first (ie. mfbhrb 0 is + * the most recent branch). + * There are two types of valid entries: diff --git a/queue-4.16/powerpc-powernv-npu-fix-deadlock-in-mmio_invalidate.patch b/queue-4.16/powerpc-powernv-npu-fix-deadlock-in-mmio_invalidate.patch new file mode 100644 index 00000000000..4b6c11951fa --- /dev/null +++ b/queue-4.16/powerpc-powernv-npu-fix-deadlock-in-mmio_invalidate.patch @@ -0,0 +1,370 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Alistair Popple +Date: Fri, 2 Mar 2018 16:18:45 +1100 +Subject: powerpc/powernv/npu: Fix deadlock in mmio_invalidate() + +From: Alistair Popple + +[ Upstream commit 2b74e2a9b39df40a2b489af2d24079617c61ee0e ] + +When sending TLB invalidates to the NPU we need to send extra flushes due +to a hardware issue. The original implementation would lock the all the +ATSD MMIO registers sequentially before unlocking and relocking each of +them sequentially to do the extra flush. + +This introduced a deadlock as it is possible for one thread to hold one +ATSD register whilst waiting for another register to be freed while the +other thread is holding that register waiting for the one in the first +thread to be freed. + +For example if there are two threads and two ATSD registers: + + Thread A Thread B + ---------------------- + Acquire 1 + Acquire 2 + Release 1 Acquire 1 + Wait 1 Wait 2 + +Both threads will be stuck waiting to acquire a register resulting in an +RCU stall warning or soft lockup. + +This patch solves the deadlock by refactoring the code to ensure registers +are not released between flushes and to ensure all registers are either +acquired or released together and in order. + +Fixes: bbd5ff50afff ("powerpc/powernv/npu-dma: Add explicit flush when sending an ATSD") +Signed-off-by: Alistair Popple +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/platforms/powernv/npu-dma.c | 227 +++++++++++++++++++------------ + 1 file changed, 140 insertions(+), 87 deletions(-) + +--- a/arch/powerpc/platforms/powernv/npu-dma.c ++++ b/arch/powerpc/platforms/powernv/npu-dma.c +@@ -417,6 +417,11 @@ struct npu_context { + void *priv; + }; + ++struct mmio_atsd_reg { ++ struct npu *npu; ++ int reg; ++}; ++ + /* + * Find a free MMIO ATSD register and mark it in use. Return -ENOSPC + * if none are available. +@@ -426,7 +431,7 @@ static int get_mmio_atsd_reg(struct npu + int i; + + for (i = 0; i < npu->mmio_atsd_count; i++) { +- if (!test_and_set_bit(i, &npu->mmio_atsd_usage)) ++ if (!test_and_set_bit_lock(i, &npu->mmio_atsd_usage)) + return i; + } + +@@ -435,86 +440,90 @@ static int get_mmio_atsd_reg(struct npu + + static void put_mmio_atsd_reg(struct npu *npu, int reg) + { +- clear_bit(reg, &npu->mmio_atsd_usage); ++ clear_bit_unlock(reg, &npu->mmio_atsd_usage); + } + + /* MMIO ATSD register offsets */ + #define XTS_ATSD_AVA 1 + #define XTS_ATSD_STAT 2 + +-static int mmio_launch_invalidate(struct npu *npu, unsigned long launch, +- unsigned long va) ++static void mmio_launch_invalidate(struct mmio_atsd_reg *mmio_atsd_reg, ++ unsigned long launch, unsigned long va) + { +- int mmio_atsd_reg; +- +- do { +- mmio_atsd_reg = get_mmio_atsd_reg(npu); +- cpu_relax(); +- } while (mmio_atsd_reg < 0); ++ struct npu *npu = mmio_atsd_reg->npu; ++ int reg = mmio_atsd_reg->reg; + + __raw_writeq(cpu_to_be64(va), +- npu->mmio_atsd_regs[mmio_atsd_reg] + XTS_ATSD_AVA); ++ npu->mmio_atsd_regs[reg] + XTS_ATSD_AVA); + eieio(); +- __raw_writeq(cpu_to_be64(launch), npu->mmio_atsd_regs[mmio_atsd_reg]); +- +- return mmio_atsd_reg; ++ __raw_writeq(cpu_to_be64(launch), npu->mmio_atsd_regs[reg]); + } + +-static int mmio_invalidate_pid(struct npu *npu, unsigned long pid, bool flush) ++static void mmio_invalidate_pid(struct mmio_atsd_reg mmio_atsd_reg[NV_MAX_NPUS], ++ unsigned long pid, bool flush) + { ++ int i; + unsigned long launch; + +- /* IS set to invalidate matching PID */ +- launch = PPC_BIT(12); ++ for (i = 0; i <= max_npu2_index; i++) { ++ if (mmio_atsd_reg[i].reg < 0) ++ continue; ++ ++ /* IS set to invalidate matching PID */ ++ launch = PPC_BIT(12); + +- /* PRS set to process-scoped */ +- launch |= PPC_BIT(13); ++ /* PRS set to process-scoped */ ++ launch |= PPC_BIT(13); + +- /* AP */ +- launch |= (u64) mmu_get_ap(mmu_virtual_psize) << PPC_BITLSHIFT(17); ++ /* AP */ ++ launch |= (u64) ++ mmu_get_ap(mmu_virtual_psize) << PPC_BITLSHIFT(17); + +- /* PID */ +- launch |= pid << PPC_BITLSHIFT(38); ++ /* PID */ ++ launch |= pid << PPC_BITLSHIFT(38); + +- /* No flush */ +- launch |= !flush << PPC_BITLSHIFT(39); ++ /* No flush */ ++ launch |= !flush << PPC_BITLSHIFT(39); + +- /* Invalidating the entire process doesn't use a va */ +- return mmio_launch_invalidate(npu, launch, 0); ++ /* Invalidating the entire process doesn't use a va */ ++ mmio_launch_invalidate(&mmio_atsd_reg[i], launch, 0); ++ } + } + +-static int mmio_invalidate_va(struct npu *npu, unsigned long va, +- unsigned long pid, bool flush) ++static void mmio_invalidate_va(struct mmio_atsd_reg mmio_atsd_reg[NV_MAX_NPUS], ++ unsigned long va, unsigned long pid, bool flush) + { ++ int i; + unsigned long launch; + +- /* IS set to invalidate target VA */ +- launch = 0; ++ for (i = 0; i <= max_npu2_index; i++) { ++ if (mmio_atsd_reg[i].reg < 0) ++ continue; + +- /* PRS set to process scoped */ +- launch |= PPC_BIT(13); ++ /* IS set to invalidate target VA */ ++ launch = 0; + +- /* AP */ +- launch |= (u64) mmu_get_ap(mmu_virtual_psize) << PPC_BITLSHIFT(17); ++ /* PRS set to process scoped */ ++ launch |= PPC_BIT(13); + +- /* PID */ +- launch |= pid << PPC_BITLSHIFT(38); ++ /* AP */ ++ launch |= (u64) ++ mmu_get_ap(mmu_virtual_psize) << PPC_BITLSHIFT(17); + +- /* No flush */ +- launch |= !flush << PPC_BITLSHIFT(39); ++ /* PID */ ++ launch |= pid << PPC_BITLSHIFT(38); + +- return mmio_launch_invalidate(npu, launch, va); ++ /* No flush */ ++ launch |= !flush << PPC_BITLSHIFT(39); ++ ++ mmio_launch_invalidate(&mmio_atsd_reg[i], launch, va); ++ } + } + + #define mn_to_npu_context(x) container_of(x, struct npu_context, mn) + +-struct mmio_atsd_reg { +- struct npu *npu; +- int reg; +-}; +- + static void mmio_invalidate_wait( +- struct mmio_atsd_reg mmio_atsd_reg[NV_MAX_NPUS], bool flush) ++ struct mmio_atsd_reg mmio_atsd_reg[NV_MAX_NPUS]) + { + struct npu *npu; + int i, reg; +@@ -529,16 +538,67 @@ static void mmio_invalidate_wait( + reg = mmio_atsd_reg[i].reg; + while (__raw_readq(npu->mmio_atsd_regs[reg] + XTS_ATSD_STAT)) + cpu_relax(); ++ } ++} ++ ++/* ++ * Acquires all the address translation shootdown (ATSD) registers required to ++ * launch an ATSD on all links this npu_context is active on. ++ */ ++static void acquire_atsd_reg(struct npu_context *npu_context, ++ struct mmio_atsd_reg mmio_atsd_reg[NV_MAX_NPUS]) ++{ ++ int i, j; ++ struct npu *npu; ++ struct pci_dev *npdev; ++ struct pnv_phb *nphb; ++ ++ for (i = 0; i <= max_npu2_index; i++) { ++ mmio_atsd_reg[i].reg = -1; ++ for (j = 0; j < NV_MAX_LINKS; j++) { ++ /* ++ * There are no ordering requirements with respect to ++ * the setup of struct npu_context, but to ensure ++ * consistent behaviour we need to ensure npdev[][] is ++ * only read once. ++ */ ++ npdev = READ_ONCE(npu_context->npdev[i][j]); ++ if (!npdev) ++ continue; ++ ++ nphb = pci_bus_to_host(npdev->bus)->private_data; ++ npu = &nphb->npu; ++ mmio_atsd_reg[i].npu = npu; ++ mmio_atsd_reg[i].reg = get_mmio_atsd_reg(npu); ++ while (mmio_atsd_reg[i].reg < 0) { ++ mmio_atsd_reg[i].reg = get_mmio_atsd_reg(npu); ++ cpu_relax(); ++ } ++ break; ++ } ++ } ++} + +- put_mmio_atsd_reg(npu, reg); ++/* ++ * Release previously acquired ATSD registers. To avoid deadlocks the registers ++ * must be released in the same order they were acquired above in ++ * acquire_atsd_reg. ++ */ ++static void release_atsd_reg(struct mmio_atsd_reg mmio_atsd_reg[NV_MAX_NPUS]) ++{ ++ int i; + ++ for (i = 0; i <= max_npu2_index; i++) { + /* +- * The GPU requires two flush ATSDs to ensure all entries have +- * been flushed. We use PID 0 as it will never be used for a +- * process on the GPU. ++ * We can't rely on npu_context->npdev[][] being the same here ++ * as when acquire_atsd_reg() was called, hence we use the ++ * values stored in mmio_atsd_reg during the acquire phase ++ * rather than re-reading npdev[][]. + */ +- if (flush) +- mmio_invalidate_pid(npu, 0, true); ++ if (mmio_atsd_reg[i].reg < 0) ++ continue; ++ ++ put_mmio_atsd_reg(mmio_atsd_reg[i].npu, mmio_atsd_reg[i].reg); + } + } + +@@ -549,10 +609,6 @@ static void mmio_invalidate_wait( + static void mmio_invalidate(struct npu_context *npu_context, int va, + unsigned long address, bool flush) + { +- int i, j; +- struct npu *npu; +- struct pnv_phb *nphb; +- struct pci_dev *npdev; + struct mmio_atsd_reg mmio_atsd_reg[NV_MAX_NPUS]; + unsigned long pid = npu_context->mm->context.id; + +@@ -568,37 +624,25 @@ static void mmio_invalidate(struct npu_c + * Loop over all the NPUs this process is active on and launch + * an invalidate. + */ +- for (i = 0; i <= max_npu2_index; i++) { +- mmio_atsd_reg[i].reg = -1; +- for (j = 0; j < NV_MAX_LINKS; j++) { +- npdev = npu_context->npdev[i][j]; +- if (!npdev) +- continue; ++ acquire_atsd_reg(npu_context, mmio_atsd_reg); ++ if (va) ++ mmio_invalidate_va(mmio_atsd_reg, address, pid, flush); ++ else ++ mmio_invalidate_pid(mmio_atsd_reg, pid, flush); + +- nphb = pci_bus_to_host(npdev->bus)->private_data; +- npu = &nphb->npu; +- mmio_atsd_reg[i].npu = npu; +- +- if (va) +- mmio_atsd_reg[i].reg = +- mmio_invalidate_va(npu, address, pid, +- flush); +- else +- mmio_atsd_reg[i].reg = +- mmio_invalidate_pid(npu, pid, flush); +- +- /* +- * The NPU hardware forwards the shootdown to all GPUs +- * so we only have to launch one shootdown per NPU. +- */ +- break; +- } ++ mmio_invalidate_wait(mmio_atsd_reg); ++ if (flush) { ++ /* ++ * The GPU requires two flush ATSDs to ensure all entries have ++ * been flushed. We use PID 0 as it will never be used for a ++ * process on the GPU. ++ */ ++ mmio_invalidate_pid(mmio_atsd_reg, 0, true); ++ mmio_invalidate_wait(mmio_atsd_reg); ++ mmio_invalidate_pid(mmio_atsd_reg, 0, true); ++ mmio_invalidate_wait(mmio_atsd_reg); + } +- +- mmio_invalidate_wait(mmio_atsd_reg, flush); +- if (flush) +- /* Wait for the flush to complete */ +- mmio_invalidate_wait(mmio_atsd_reg, false); ++ release_atsd_reg(mmio_atsd_reg); + } + + static void pnv_npu2_mn_release(struct mmu_notifier *mn, +@@ -741,7 +785,16 @@ struct npu_context *pnv_npu2_init_contex + if (WARN_ON(of_property_read_u32(nvlink_dn, "ibm,npu-link-index", + &nvlink_index))) + return ERR_PTR(-ENODEV); +- npu_context->npdev[npu->index][nvlink_index] = npdev; ++ ++ /* ++ * npdev is a pci_dev pointer setup by the PCI code. We assign it to ++ * npdev[][] to indicate to the mmu notifiers that an invalidation ++ * should also be sent over this nvlink. The notifiers don't use any ++ * other fields in npu_context, so we just need to ensure that when they ++ * deference npu_context->npdev[][] it is either a valid pointer or ++ * NULL. ++ */ ++ WRITE_ONCE(npu_context->npdev[npu->index][nvlink_index], npdev); + + if (!nphb->npu.nmmu_flush) { + /* +@@ -793,7 +846,7 @@ void pnv_npu2_destroy_context(struct npu + if (WARN_ON(of_property_read_u32(nvlink_dn, "ibm,npu-link-index", + &nvlink_index))) + return; +- npu_context->npdev[npu->index][nvlink_index] = NULL; ++ WRITE_ONCE(npu_context->npdev[npu->index][nvlink_index], NULL); + opal_npu_destroy_context(nphb->opal_id, npu_context->mm->context.id, + PCI_DEVID(gpdev->bus->number, gpdev->devfn)); + kref_put(&npu_context->kref, pnv_npu2_release_context); diff --git a/queue-4.16/powerpc-vas-fix-cleanup-when-vas-is-not-configured.patch b/queue-4.16/powerpc-vas-fix-cleanup-when-vas-is-not-configured.patch new file mode 100644 index 00000000000..e8d635cb872 --- /dev/null +++ b/queue-4.16/powerpc-vas-fix-cleanup-when-vas-is-not-configured.patch @@ -0,0 +1,73 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Sukadev Bhattiprolu +Date: Fri, 9 Feb 2018 11:49:06 -0600 +Subject: powerpc/vas: Fix cleanup when VAS is not configured + +From: Sukadev Bhattiprolu + +[ Upstream commit 45ddea8a73a25461387eb8e87f3e0ecca084799b ] + +When VAS is not configured, unregister the platform driver. Also simplify +cleanup by delaying vas debugfs init until we know VAS is configured. + +Signed-off-by: Sukadev Bhattiprolu +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/platforms/powernv/vas-debug.c | 11 +++++++++++ + arch/powerpc/platforms/powernv/vas.c | 6 +++--- + 2 files changed, 14 insertions(+), 3 deletions(-) + +--- a/arch/powerpc/platforms/powernv/vas-debug.c ++++ b/arch/powerpc/platforms/powernv/vas-debug.c +@@ -179,6 +179,7 @@ void vas_instance_init_dbgdir(struct vas + { + struct dentry *d; + ++ vas_init_dbgdir(); + if (!vas_debugfs) + return; + +@@ -201,8 +202,18 @@ free_name: + vinst->dbgdir = NULL; + } + ++/* ++ * Set up the "root" VAS debugfs dir. Return if we already set it up ++ * (or failed to) in an earlier instance of VAS. ++ */ + void vas_init_dbgdir(void) + { ++ static bool first_time = true; ++ ++ if (!first_time) ++ return; ++ ++ first_time = false; + vas_debugfs = debugfs_create_dir("vas", NULL); + if (IS_ERR(vas_debugfs)) + vas_debugfs = NULL; +--- a/arch/powerpc/platforms/powernv/vas.c ++++ b/arch/powerpc/platforms/powernv/vas.c +@@ -160,8 +160,6 @@ static int __init vas_init(void) + int found = 0; + struct device_node *dn; + +- vas_init_dbgdir(); +- + platform_driver_register(&vas_driver); + + for_each_compatible_node(dn, NULL, "ibm,vas") { +@@ -169,8 +167,10 @@ static int __init vas_init(void) + found++; + } + +- if (!found) ++ if (!found) { ++ platform_driver_unregister(&vas_driver); + return -ENODEV; ++ } + + pr_devel("Found %d instances\n", found); + diff --git a/queue-4.16/powerpc-xmon-setup-debugger-hooks-when-first-break-point-is-set.patch b/queue-4.16/powerpc-xmon-setup-debugger-hooks-when-first-break-point-is-set.patch new file mode 100644 index 00000000000..3e479a2d0c0 --- /dev/null +++ b/queue-4.16/powerpc-xmon-setup-debugger-hooks-when-first-break-point-is-set.patch @@ -0,0 +1,81 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Vaibhav Jain +Date: Sun, 4 Mar 2018 23:00:25 +0530 +Subject: powerpc/xmon: Setup debugger hooks when first break-point is set + +From: Vaibhav Jain + +[ Upstream commit e1368d0c9edbc366e45216e7295fd61ae55c2b12 ] + +Presently sysrq key for xmon('x') is registered during kernel init +irrespective of the value of kernel param 'xmon'. Thus xmon is enabled +even if 'xmon=off' is passed on the kernel command line. However this +doesn't enable the kernel debugger hooks needed for instruction or +data breakpoints. Thus when a break-point is hit with xmon=off a +kernel oops of the form below is reported: + + Oops: Exception in kernel mode, sig: 5 [#1] + < snip > + Trace/breakpoint trap + +To fix this the patch checks and enables debugger hooks when an +instruction or data break-point is set via xmon console. + +Signed-off-by: Vaibhav Jain +Reviewed-by: Balbir Singh +[mpe: Just printf directly, no need for static const char[]] +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/xmon/xmon.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/xmon/xmon.c ++++ b/arch/powerpc/xmon/xmon.c +@@ -1273,6 +1273,16 @@ static long check_bp_loc(unsigned long a + return 1; + } + ++/* Force enable xmon if not already enabled */ ++static inline void force_enable_xmon(void) ++{ ++ /* Enable xmon hooks if needed */ ++ if (!xmon_on) { ++ printf("xmon: Enabling debugger hooks\n"); ++ xmon_on = 1; ++ } ++} ++ + static char *breakpoint_help_string = + "Breakpoint command usage:\n" + "b show breakpoints\n" +@@ -1315,6 +1325,8 @@ bpt_cmds(void) + dabr.address &= ~HW_BRK_TYPE_DABR; + dabr.enabled = mode | BP_DABR; + } ++ ++ force_enable_xmon(); + break; + + case 'i': /* bi - hardware instr breakpoint */ +@@ -1335,6 +1347,7 @@ bpt_cmds(void) + if (bp != NULL) { + bp->enabled |= BP_CIABR; + iabr = bp; ++ force_enable_xmon(); + } + break; + #endif +@@ -1399,8 +1412,10 @@ bpt_cmds(void) + if (!check_bp_loc(a)) + break; + bp = new_breakpoint(a); +- if (bp != NULL) ++ if (bp != NULL) { + bp->enabled |= BP_TRAP; ++ force_enable_xmon(); ++ } + break; + } + } diff --git a/queue-4.16/rcu-call-touch_nmi_watchdog-while-printing-stall-warnings.patch b/queue-4.16/rcu-call-touch_nmi_watchdog-while-printing-stall-warnings.patch new file mode 100644 index 00000000000..08ea7291c89 --- /dev/null +++ b/queue-4.16/rcu-call-touch_nmi_watchdog-while-printing-stall-warnings.patch @@ -0,0 +1,49 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Tejun Heo +Date: Tue, 9 Jan 2018 10:38:17 -0800 +Subject: rcu: Call touch_nmi_watchdog() while printing stall warnings + +From: Tejun Heo + +[ Upstream commit 3caa973b7a260e7a2a69edc94c300ab9c65148c3 ] + +When RCU stall warning triggers, it can print out a lot of messages +while holding spinlocks. If the console device is slow (e.g. an +actual or IPMI serial console), it may end up triggering NMI hard +lockup watchdog like the following. + +--- + kernel/rcu/tree_plugin.h | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/kernel/rcu/tree_plugin.h ++++ b/kernel/rcu/tree_plugin.h +@@ -560,8 +560,14 @@ static void rcu_print_detail_task_stall_ + } + t = list_entry(rnp->gp_tasks->prev, + struct task_struct, rcu_node_entry); +- list_for_each_entry_continue(t, &rnp->blkd_tasks, rcu_node_entry) ++ list_for_each_entry_continue(t, &rnp->blkd_tasks, rcu_node_entry) { ++ /* ++ * We could be printing a lot while holding a spinlock. ++ * Avoid triggering hard lockup. ++ */ ++ touch_nmi_watchdog(); + sched_show_task(t); ++ } + raw_spin_unlock_irqrestore_rcu_node(rnp, flags); + } + +@@ -1677,6 +1683,12 @@ static void print_cpu_stall_info(struct + char *ticks_title; + unsigned long ticks_value; + ++ /* ++ * We could be printing a lot while holding a spinlock. Avoid ++ * triggering hard lockup. ++ */ ++ touch_nmi_watchdog(); ++ + if (rsp->gpnum == rdp->gpnum) { + ticks_title = "ticks this GP"; + ticks_value = rdp->ticks_this_gp; diff --git a/queue-4.16/rds-tcp-must-use-spin_lock_irq-and-not-spin_lock_bh-with-rds_tcp_conn_lock.patch b/queue-4.16/rds-tcp-must-use-spin_lock_irq-and-not-spin_lock_bh-with-rds_tcp_conn_lock.patch new file mode 100644 index 00000000000..02bc558304e --- /dev/null +++ b/queue-4.16/rds-tcp-must-use-spin_lock_irq-and-not-spin_lock_bh-with-rds_tcp_conn_lock.patch @@ -0,0 +1,99 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Sowmini Varadhan +Date: Thu, 15 Mar 2018 03:54:26 -0700 +Subject: rds: tcp: must use spin_lock_irq* and not spin_lock_bh with rds_tcp_conn_lock + +From: Sowmini Varadhan + +[ Upstream commit 53d0e83f9329aa51dcc205b514dbee05cb4df309 ] + +rds_tcp_connection allocation/free management has the potential to be +called from __rds_conn_create after IRQs have been disabled, so +spin_[un]lock_bh cannot be used with rds_tcp_conn_lock. + +Bottom-halves that need to synchronize for critical sections protected +by rds_tcp_conn_lock should instead use rds_destroy_pending() correctly. + +Reported-by: syzbot+c68e51bb5e699d3f8d91@syzkaller.appspotmail.com +Fixes: ebeeb1ad9b8a ("rds: tcp: use rds_destroy_pending() to synchronize + netns/module teardown and rds connection/workq management") +Signed-off-by: Sowmini Varadhan +Acked-by: Santosh Shilimkar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/rds/tcp.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +--- a/net/rds/tcp.c ++++ b/net/rds/tcp.c +@@ -275,13 +275,14 @@ static int rds_tcp_laddr_check(struct ne + static void rds_tcp_conn_free(void *arg) + { + struct rds_tcp_connection *tc = arg; ++ unsigned long flags; + + rdsdebug("freeing tc %p\n", tc); + +- spin_lock_bh(&rds_tcp_conn_lock); ++ spin_lock_irqsave(&rds_tcp_conn_lock, flags); + if (!tc->t_tcp_node_detached) + list_del(&tc->t_tcp_node); +- spin_unlock_bh(&rds_tcp_conn_lock); ++ spin_unlock_irqrestore(&rds_tcp_conn_lock, flags); + + kmem_cache_free(rds_tcp_conn_slab, tc); + } +@@ -311,13 +312,13 @@ static int rds_tcp_conn_alloc(struct rds + rdsdebug("rds_conn_path [%d] tc %p\n", i, + conn->c_path[i].cp_transport_data); + } +- spin_lock_bh(&rds_tcp_conn_lock); ++ spin_lock_irq(&rds_tcp_conn_lock); + for (i = 0; i < RDS_MPATH_WORKERS; i++) { + tc = conn->c_path[i].cp_transport_data; + tc->t_tcp_node_detached = false; + list_add_tail(&tc->t_tcp_node, &rds_tcp_conn_list); + } +- spin_unlock_bh(&rds_tcp_conn_lock); ++ spin_unlock_irq(&rds_tcp_conn_lock); + fail: + if (ret) { + for (j = 0; j < i; j++) +@@ -529,7 +530,7 @@ static void rds_tcp_kill_sock(struct net + + rtn->rds_tcp_listen_sock = NULL; + rds_tcp_listen_stop(lsock, &rtn->rds_tcp_accept_w); +- spin_lock_bh(&rds_tcp_conn_lock); ++ spin_lock_irq(&rds_tcp_conn_lock); + list_for_each_entry_safe(tc, _tc, &rds_tcp_conn_list, t_tcp_node) { + struct net *c_net = read_pnet(&tc->t_cpath->cp_conn->c_net); + +@@ -542,7 +543,7 @@ static void rds_tcp_kill_sock(struct net + tc->t_tcp_node_detached = true; + } + } +- spin_unlock_bh(&rds_tcp_conn_lock); ++ spin_unlock_irq(&rds_tcp_conn_lock); + list_for_each_entry_safe(tc, _tc, &tmp_list, t_tcp_node) + rds_conn_destroy(tc->t_cpath->cp_conn); + } +@@ -590,7 +591,7 @@ static void rds_tcp_sysctl_reset(struct + { + struct rds_tcp_connection *tc, *_tc; + +- spin_lock_bh(&rds_tcp_conn_lock); ++ spin_lock_irq(&rds_tcp_conn_lock); + list_for_each_entry_safe(tc, _tc, &rds_tcp_conn_list, t_tcp_node) { + struct net *c_net = read_pnet(&tc->t_cpath->cp_conn->c_net); + +@@ -600,7 +601,7 @@ static void rds_tcp_sysctl_reset(struct + /* reconnect with new parameters */ + rds_conn_path_drop(tc->t_cpath, false); + } +- spin_unlock_bh(&rds_tcp_conn_lock); ++ spin_unlock_irq(&rds_tcp_conn_lock); + } + + static int rds_tcp_skbuf_handler(struct ctl_table *ctl, int write, diff --git a/queue-4.16/regmap-correct-comparison-in-regmap_cached.patch b/queue-4.16/regmap-correct-comparison-in-regmap_cached.patch new file mode 100644 index 00000000000..aca236b9b4a --- /dev/null +++ b/queue-4.16/regmap-correct-comparison-in-regmap_cached.patch @@ -0,0 +1,33 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Charles Keepax +Date: Mon, 12 Feb 2018 18:15:44 +0000 +Subject: regmap: Correct comparison in regmap_cached + +From: Charles Keepax + +[ Upstream commit 71df179363a5a733a8932e9afb869760d7559383 ] + +The cache pointer points to the actual memory used by the cache, as the +comparison here is looking for the type of the cache it should check +against cache_type. + +Fixes: 1ea975cf1ef5 ("regmap: Add a function to check if a regmap register is cached") +Signed-off-by: Charles Keepax +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/regmap/regmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/base/regmap/regmap.c ++++ b/drivers/base/regmap/regmap.c +@@ -99,7 +99,7 @@ bool regmap_cached(struct regmap *map, u + int ret; + unsigned int val; + +- if (map->cache == REGCACHE_NONE) ++ if (map->cache_type == REGCACHE_NONE) + return false; + + if (!map->cache_ops) diff --git a/queue-4.16/regulator-gpio-fix-some-error-handling-paths-in-gpio_regulator_probe.patch b/queue-4.16/regulator-gpio-fix-some-error-handling-paths-in-gpio_regulator_probe.patch new file mode 100644 index 00000000000..3d1d371699f --- /dev/null +++ b/queue-4.16/regulator-gpio-fix-some-error-handling-paths-in-gpio_regulator_probe.patch @@ -0,0 +1,86 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Christophe Jaillet +Date: Tue, 13 Mar 2018 21:33:11 +0100 +Subject: regulator: gpio: Fix some error handling paths in 'gpio_regulator_probe()' + +From: Christophe Jaillet + +[ Upstream commit ed8cffda27dea6fd3dafb3ee881c5a786edac9ca ] + +Re-order error handling code and gotos to avoid leaks in error handling +paths. + +Fixes: 9f946099fe19 ("regulator: gpio: fix parsing of gpio list") +Signed-off-by: Christophe JAILLET +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/regulator/gpio-regulator.c | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +--- a/drivers/regulator/gpio-regulator.c ++++ b/drivers/regulator/gpio-regulator.c +@@ -271,8 +271,7 @@ static int gpio_regulator_probe(struct p + drvdata->desc.name = kstrdup(config->supply_name, GFP_KERNEL); + if (drvdata->desc.name == NULL) { + dev_err(&pdev->dev, "Failed to allocate supply name\n"); +- ret = -ENOMEM; +- goto err; ++ return -ENOMEM; + } + + if (config->nr_gpios != 0) { +@@ -292,7 +291,7 @@ static int gpio_regulator_probe(struct p + dev_err(&pdev->dev, + "Could not obtain regulator setting GPIOs: %d\n", + ret); +- goto err_memstate; ++ goto err_memgpio; + } + } + +@@ -303,7 +302,7 @@ static int gpio_regulator_probe(struct p + if (drvdata->states == NULL) { + dev_err(&pdev->dev, "Failed to allocate state data\n"); + ret = -ENOMEM; +- goto err_memgpio; ++ goto err_stategpio; + } + drvdata->nr_states = config->nr_states; + +@@ -324,7 +323,7 @@ static int gpio_regulator_probe(struct p + default: + dev_err(&pdev->dev, "No regulator type set\n"); + ret = -EINVAL; +- goto err_memgpio; ++ goto err_memstate; + } + + /* build initial state from gpio init data. */ +@@ -361,22 +360,21 @@ static int gpio_regulator_probe(struct p + if (IS_ERR(drvdata->dev)) { + ret = PTR_ERR(drvdata->dev); + dev_err(&pdev->dev, "Failed to register regulator: %d\n", ret); +- goto err_stategpio; ++ goto err_memstate; + } + + platform_set_drvdata(pdev, drvdata); + + return 0; + +-err_stategpio: +- gpio_free_array(drvdata->gpios, drvdata->nr_gpios); + err_memstate: + kfree(drvdata->states); ++err_stategpio: ++ gpio_free_array(drvdata->gpios, drvdata->nr_gpios); + err_memgpio: + kfree(drvdata->gpios); + err_name: + kfree(drvdata->desc.name); +-err: + return ret; + } + diff --git a/queue-4.16/regulator-of-add-a-missing-of_node_put-in-an-error-handling-path-of-of_regulator_match.patch b/queue-4.16/regulator-of-add-a-missing-of_node_put-in-an-error-handling-path-of-of_regulator_match.patch new file mode 100644 index 00000000000..90c2a71062f --- /dev/null +++ b/queue-4.16/regulator-of-add-a-missing-of_node_put-in-an-error-handling-path-of-of_regulator_match.patch @@ -0,0 +1,30 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Christophe JAILLET +Date: Fri, 26 Jan 2018 23:13:44 +0100 +Subject: regulator: of: Add a missing 'of_node_put()' in an error handling path of 'of_regulator_match()' + +From: Christophe JAILLET + +[ Upstream commit 30966861a7a2051457be8c49466887d78cc47e97 ] + +If an unlikely failure in 'of_get_regulator_init_data()' occurs, we must +release the reference on the current 'child' node before returning. + +Signed-off-by: Christophe JAILLET +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/regulator/of_regulator.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/regulator/of_regulator.c ++++ b/drivers/regulator/of_regulator.c +@@ -321,6 +321,7 @@ int of_regulator_match(struct device *de + dev_err(dev, + "failed to parse DT for regulator %s\n", + child->name); ++ of_node_put(child); + return -EINVAL; + } + match->of_node = of_node_get(child); diff --git a/queue-4.16/remoteproc-imx_rproc-fix-an-error-handling-path-in-imx_rproc_probe.patch b/queue-4.16/remoteproc-imx_rproc-fix-an-error-handling-path-in-imx_rproc_probe.patch new file mode 100644 index 00000000000..53c113e0c8a --- /dev/null +++ b/queue-4.16/remoteproc-imx_rproc-fix-an-error-handling-path-in-imx_rproc_probe.patch @@ -0,0 +1,36 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Christophe JAILLET +Date: Wed, 14 Mar 2018 20:56:37 +0100 +Subject: remoteproc: imx_rproc: Fix an error handling path in 'imx_rproc_probe()' + +From: Christophe JAILLET + +[ Upstream commit de6f83f85be94e0b7d0d324c29ccc9d78a6bb4e7 ] + +If 'of_device_get_match_data()' fails, we must undo the previous +'rproc_alloc()' call. + +Fixes: a0ff4aa6f010 ("remoteproc: imx_rproc: add a NXP/Freescale imx_rproc driver") +Signed-off-by: Christophe JAILLET +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/remoteproc/imx_rproc.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/remoteproc/imx_rproc.c ++++ b/drivers/remoteproc/imx_rproc.c +@@ -339,8 +339,10 @@ static int imx_rproc_probe(struct platfo + } + + dcfg = of_device_get_match_data(dev); +- if (!dcfg) +- return -EINVAL; ++ if (!dcfg) { ++ ret = -EINVAL; ++ goto err_put_rproc; ++ } + + priv = rproc->priv; + priv->rproc = rproc; diff --git a/queue-4.16/riscv-spinlock-strengthen-implementations-with-fences.patch b/queue-4.16/riscv-spinlock-strengthen-implementations-with-fences.patch new file mode 100644 index 00000000000..d39328e05ce --- /dev/null +++ b/queue-4.16/riscv-spinlock-strengthen-implementations-with-fences.patch @@ -0,0 +1,210 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Andrea Parri +Date: Fri, 9 Mar 2018 13:13:20 +0100 +Subject: riscv/spinlock: Strengthen implementations with fences + +From: Andrea Parri + +[ Upstream commit 0123f4d76ca63b7b895f40089be0ce4809e392d8 ] + +Current implementations map locking operations using .rl and .aq +annotations. However, this mapping is unsound w.r.t. the kernel +memory consistency model (LKMM) [1]: + +Referring to the "unlock-lock-read-ordering" test reported below, +Daniel wrote: + + "I think an RCpc interpretation of .aq and .rl would in fact + allow the two normal loads in P1 to be reordered [...] + + The intuition would be that the amoswap.w.aq can forward from + the amoswap.w.rl while that's still in the store buffer, and + then the lw x3,0(x4) can also perform while the amoswap.w.rl + is still in the store buffer, all before the l1 x1,0(x2) + executes. That's not forbidden unless the amoswaps are RCsc, + unless I'm missing something. + + Likewise even if the unlock()/lock() is between two stores. + A control dependency might originate from the load part of + the amoswap.w.aq, but there still would have to be something + to ensure that this load part in fact performs after the store + part of the amoswap.w.rl performs globally, and that's not + automatic under RCpc." + +Simulation of the RISC-V memory consistency model confirmed this +expectation. + +In order to "synchronize" LKMM and RISC-V's implementation, this +commit strengthens the implementations of the locking operations +by replacing .rl and .aq with the use of ("lightweigth") fences, +resp., "fence rw, w" and "fence r , rw". + +C unlock-lock-read-ordering + +{} +/* s initially owned by P1 */ + +P0(int *x, int *y) +{ + WRITE_ONCE(*x, 1); + smp_wmb(); + WRITE_ONCE(*y, 1); +} + +P1(int *x, int *y, spinlock_t *s) +{ + int r0; + int r1; + + r0 = READ_ONCE(*y); + spin_unlock(s); + spin_lock(s); + r1 = READ_ONCE(*x); +} + +exists (1:r0=1 /\ 1:r1=0) + +[1] https://marc.info/?l=linux-kernel&m=151930201102853&w=2 + https://groups.google.com/a/groups.riscv.org/forum/#!topic/isa-dev/hKywNHBkAXM + https://marc.info/?l=linux-kernel&m=151633436614259&w=2 + +Signed-off-by: Andrea Parri +Cc: Palmer Dabbelt +Cc: Albert Ou +Cc: Daniel Lustig +Cc: Alan Stern +Cc: Will Deacon +Cc: Peter Zijlstra +Cc: Boqun Feng +Cc: Nicholas Piggin +Cc: David Howells +Cc: Jade Alglave +Cc: Luc Maranget +Cc: "Paul E. McKenney" +Cc: Akira Yokosawa +Cc: Ingo Molnar +Cc: Linus Torvalds +Cc: linux-riscv@lists.infradead.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/include/asm/fence.h | 12 ++++++++++++ + arch/riscv/include/asm/spinlock.h | 29 +++++++++++++++-------------- + 2 files changed, 27 insertions(+), 14 deletions(-) + create mode 100644 arch/riscv/include/asm/fence.h + +--- /dev/null ++++ b/arch/riscv/include/asm/fence.h +@@ -0,0 +1,12 @@ ++#ifndef _ASM_RISCV_FENCE_H ++#define _ASM_RISCV_FENCE_H ++ ++#ifdef CONFIG_SMP ++#define RISCV_ACQUIRE_BARRIER "\tfence r , rw\n" ++#define RISCV_RELEASE_BARRIER "\tfence rw, w\n" ++#else ++#define RISCV_ACQUIRE_BARRIER ++#define RISCV_RELEASE_BARRIER ++#endif ++ ++#endif /* _ASM_RISCV_FENCE_H */ +--- a/arch/riscv/include/asm/spinlock.h ++++ b/arch/riscv/include/asm/spinlock.h +@@ -17,6 +17,7 @@ + + #include + #include ++#include + + /* + * Simple spin lock operations. These provide no fairness guarantees. +@@ -28,10 +29,7 @@ + + static inline void arch_spin_unlock(arch_spinlock_t *lock) + { +- __asm__ __volatile__ ( +- "amoswap.w.rl x0, x0, %0" +- : "=A" (lock->lock) +- :: "memory"); ++ smp_store_release(&lock->lock, 0); + } + + static inline int arch_spin_trylock(arch_spinlock_t *lock) +@@ -39,7 +37,8 @@ static inline int arch_spin_trylock(arch + int tmp = 1, busy; + + __asm__ __volatile__ ( +- "amoswap.w.aq %0, %2, %1" ++ " amoswap.w %0, %2, %1\n" ++ RISCV_ACQUIRE_BARRIER + : "=r" (busy), "+A" (lock->lock) + : "r" (tmp) + : "memory"); +@@ -68,8 +67,9 @@ static inline void arch_read_lock(arch_r + "1: lr.w %1, %0\n" + " bltz %1, 1b\n" + " addi %1, %1, 1\n" +- " sc.w.aq %1, %1, %0\n" ++ " sc.w %1, %1, %0\n" + " bnez %1, 1b\n" ++ RISCV_ACQUIRE_BARRIER + : "+A" (lock->lock), "=&r" (tmp) + :: "memory"); + } +@@ -82,8 +82,9 @@ static inline void arch_write_lock(arch_ + "1: lr.w %1, %0\n" + " bnez %1, 1b\n" + " li %1, -1\n" +- " sc.w.aq %1, %1, %0\n" ++ " sc.w %1, %1, %0\n" + " bnez %1, 1b\n" ++ RISCV_ACQUIRE_BARRIER + : "+A" (lock->lock), "=&r" (tmp) + :: "memory"); + } +@@ -96,8 +97,9 @@ static inline int arch_read_trylock(arch + "1: lr.w %1, %0\n" + " bltz %1, 1f\n" + " addi %1, %1, 1\n" +- " sc.w.aq %1, %1, %0\n" ++ " sc.w %1, %1, %0\n" + " bnez %1, 1b\n" ++ RISCV_ACQUIRE_BARRIER + "1:\n" + : "+A" (lock->lock), "=&r" (busy) + :: "memory"); +@@ -113,8 +115,9 @@ static inline int arch_write_trylock(arc + "1: lr.w %1, %0\n" + " bnez %1, 1f\n" + " li %1, -1\n" +- " sc.w.aq %1, %1, %0\n" ++ " sc.w %1, %1, %0\n" + " bnez %1, 1b\n" ++ RISCV_ACQUIRE_BARRIER + "1:\n" + : "+A" (lock->lock), "=&r" (busy) + :: "memory"); +@@ -125,7 +128,8 @@ static inline int arch_write_trylock(arc + static inline void arch_read_unlock(arch_rwlock_t *lock) + { + __asm__ __volatile__( +- "amoadd.w.rl x0, %1, %0" ++ RISCV_RELEASE_BARRIER ++ " amoadd.w x0, %1, %0\n" + : "+A" (lock->lock) + : "r" (-1) + : "memory"); +@@ -133,10 +137,7 @@ static inline void arch_read_unlock(arch + + static inline void arch_write_unlock(arch_rwlock_t *lock) + { +- __asm__ __volatile__ ( +- "amoswap.w.rl x0, x0, %0" +- : "=A" (lock->lock) +- :: "memory"); ++ smp_store_release(&lock->lock, 0); + } + + #endif /* _ASM_RISCV_SPINLOCK_H */ diff --git a/queue-4.16/rsi-fix-kernel-panic-observed-on-64bit-machine.patch b/queue-4.16/rsi-fix-kernel-panic-observed-on-64bit-machine.patch new file mode 100644 index 00000000000..be6e32c9cd0 --- /dev/null +++ b/queue-4.16/rsi-fix-kernel-panic-observed-on-64bit-machine.patch @@ -0,0 +1,154 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Amitkumar Karwar +Date: Tue, 20 Mar 2018 19:10:41 +0530 +Subject: rsi: fix kernel panic observed on 64bit machine + +From: Amitkumar Karwar + +[ Upstream commit 864db4d5085349fcfa1f260b5bcd2adde3d7f2ed ] + +Following kernel panic is observed on 64bit machine while loading +the driver. It is fixed if we pass dynamically allocated memory to +SDIO for DMA. + +BUG: unable to handle kernel paging request at ffffeb04000172e0 +IP: sg_miter_stop+0x56/0x70 +PGD 0 P4D 0 +Oops: 0000 [#1] SMP PTI +Modules linked in: rsi_sdio(OE+) rsi_91x(OE) btrsi(OE) rfcomm bluetooth +ecdh_generic mac80211 mmc_block fuse xt_CHECKSUM iptable_mangle +drm_kms_helper mmc_core serio_raw drm firewire_ohci tg3 +CPU: 0 PID: 4003 Comm: insmod Tainted: G OE 4.16.0-rc1+ #27 +Hardware name: Dell Inc. Latitude E5500 /0DW634, BIOS +A19 06/13/2013 +RIP: 0010:sg_miter_stop+0x56/0x70 +RSP: 0018:ffff88007d003e78 EFLAGS: 00010002 +RAX: 0000000000000003 RBX: 0000000000000004 RCX: 0000000000000000 +RDX: ffffeb04000172c0 RSI: ffff88002f58002c RDI: ffff88007d003e80 +RBP: 0000000000000004 R08: ffff88007d003e80 R09: 0000000000000008 +R10: 0000000000000003 R11: 0000000000000001 R12: 0000000000000004 +R13: ffff88002f580028 R14: 0000000000000000 R15: 0000000000000004 +FS: 00007f35c29db700(0000) GS:ffff88007d000000(0000) +knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffffeb04000172e0 CR3: 000000007038e000 CR4: 00000000000406f0 +Call Trace: + +sg_copy_buffer+0xc6/0xf0 +sdhci_tasklet_finish+0x170/0x260 [sdhci] +tasklet_action+0xf4/0x100 +__do_softirq+0xef/0x26e +irq_exit+0xbe/0xd0 +do_IRQ+0x4a/0xc0 +common_interrupt+0xa2/0xa2 + + +Signed-off-by: Amitkumar Karwar +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/rsi/rsi_91x_sdio.c | 32 +++++++++++++++++++++----------- + drivers/net/wireless/rsi/rsi_sdio.h | 2 ++ + 2 files changed, 23 insertions(+), 11 deletions(-) + +--- a/drivers/net/wireless/rsi/rsi_91x_sdio.c ++++ b/drivers/net/wireless/rsi/rsi_91x_sdio.c +@@ -636,11 +636,14 @@ static int rsi_sdio_master_reg_read(stru + u32 *read_buf, u16 size) + { + u32 addr_on_bus, *data; +- u32 align[2] = {}; + u16 ms_addr; + int status; + +- data = PTR_ALIGN(&align[0], 8); ++ data = kzalloc(RSI_MASTER_REG_BUF_SIZE, GFP_KERNEL); ++ if (!data) ++ return -ENOMEM; ++ ++ data = PTR_ALIGN(data, 8); + + ms_addr = (addr >> 16); + status = rsi_sdio_master_access_msword(adapter, ms_addr); +@@ -648,7 +651,7 @@ static int rsi_sdio_master_reg_read(stru + rsi_dbg(ERR_ZONE, + "%s: Unable to set ms word to common reg\n", + __func__); +- return status; ++ goto err; + } + addr &= 0xFFFF; + +@@ -666,7 +669,7 @@ static int rsi_sdio_master_reg_read(stru + (u8 *)data, 4); + if (status < 0) { + rsi_dbg(ERR_ZONE, "%s: AHB register read failed\n", __func__); +- return status; ++ goto err; + } + if (size == 2) { + if ((addr & 0x3) == 0) +@@ -688,17 +691,23 @@ static int rsi_sdio_master_reg_read(stru + *read_buf = *data; + } + +- return 0; ++err: ++ kfree(data); ++ return status; + } + + static int rsi_sdio_master_reg_write(struct rsi_hw *adapter, + unsigned long addr, + unsigned long data, u16 size) + { +- unsigned long data1[2], *data_aligned; ++ unsigned long *data_aligned; + int status; + +- data_aligned = PTR_ALIGN(&data1[0], 8); ++ data_aligned = kzalloc(RSI_MASTER_REG_BUF_SIZE, GFP_KERNEL); ++ if (!data_aligned) ++ return -ENOMEM; ++ ++ data_aligned = PTR_ALIGN(data_aligned, 8); + + if (size == 2) { + *data_aligned = ((data << 16) | (data & 0xFFFF)); +@@ -717,6 +726,7 @@ static int rsi_sdio_master_reg_write(str + rsi_dbg(ERR_ZONE, + "%s: Unable to set ms word to common reg\n", + __func__); ++ kfree(data_aligned); + return -EIO; + } + addr = addr & 0xFFFF; +@@ -726,12 +736,12 @@ static int rsi_sdio_master_reg_write(str + (adapter, + (addr | RSI_SD_REQUEST_MASTER), + (u8 *)data_aligned, size); +- if (status < 0) { ++ if (status < 0) + rsi_dbg(ERR_ZONE, + "%s: Unable to do AHB reg write\n", __func__); +- return status; +- } +- return 0; ++ ++ kfree(data_aligned); ++ return status; + } + + /** +--- a/drivers/net/wireless/rsi/rsi_sdio.h ++++ b/drivers/net/wireless/rsi/rsi_sdio.h +@@ -46,6 +46,8 @@ enum sdio_interrupt_type { + #define PKT_BUFF_AVAILABLE 1 + #define FW_ASSERT_IND 2 + ++#define RSI_MASTER_REG_BUF_SIZE 12 ++ + #define RSI_DEVICE_BUFFER_STATUS_REGISTER 0xf3 + #define RSI_FN1_INT_REGISTER 0xf9 + #define RSI_INT_ENABLE_REGISTER 0x04 diff --git a/queue-4.16/rtc-goldfish-add-missing-module_license.patch b/queue-4.16/rtc-goldfish-add-missing-module_license.patch new file mode 100644 index 00000000000..17fa613dde6 --- /dev/null +++ b/queue-4.16/rtc-goldfish-add-missing-module_license.patch @@ -0,0 +1,36 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: James Hogan +Date: Tue, 16 Jan 2018 14:45:21 +0000 +Subject: rtc: goldfish: Add missing MODULE_LICENSE + +From: James Hogan + +[ Upstream commit 82d632b85eb89f97051530f556cb49ee1c04bde7 ] + +Fix the following warning in MIPS allmodconfig by adding a +MODULE_LICENSE() at the end of rtc-goldfish.c, based on the file header +comment which says GNU General Public License version 2: + +WARNING: modpost: missing MODULE_LICENSE() in drivers/rtc/rtc-goldfish.o + +Fixes: f22d9cdcb5eb ("rtc: goldfish: Add RTC driver for Android emulator") +Signed-off-by: James Hogan +Cc: Miodrag Dinic +Cc: Alessandro Zummo +Cc: Alexandre Belloni +Cc: linux-rtc@vger.kernel.org +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/rtc-goldfish.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/rtc/rtc-goldfish.c ++++ b/drivers/rtc/rtc-goldfish.c +@@ -235,3 +235,5 @@ static struct platform_driver goldfish_r + }; + + module_platform_driver(goldfish_rtc); ++ ++MODULE_LICENSE("GPL v2"); diff --git a/queue-4.16/rtc-hctosys-ensure-system-time-doesn-t-overflow-time_t.patch b/queue-4.16/rtc-hctosys-ensure-system-time-doesn-t-overflow-time_t.patch new file mode 100644 index 00000000000..aa9a95eb834 --- /dev/null +++ b/queue-4.16/rtc-hctosys-ensure-system-time-doesn-t-overflow-time_t.patch @@ -0,0 +1,45 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Alexandre Belloni +Date: Thu, 8 Mar 2018 23:27:31 +0100 +Subject: rtc: hctosys: Ensure system time doesn't overflow time_t + +From: Alexandre Belloni + +[ Upstream commit b3a5ac42ab18b7d1a8f2f072ca0ee76a3b754a43 ] + +On 32bit platforms, time_t is still a signed 32bit long. If it is +overflowed, userspace and the kernel cant agree on the current system time. +This causes multiple issues, in particular with systemd: +https://github.com/systemd/systemd/issues/1143 + +A good workaround is to simply avoid using hctosys which is something I +greatly encourage as the time is better set by userspace. + +However, many distribution enable it and use systemd which is rendering the +system unusable in case the RTC holds a date after 2038 (and more so after +2106). Many drivers have workaround for this case and they should be +eliminated so there is only one place left to fix when userspace is able to +cope with dates after the 31bit overflow. + +Acked-by: Arnd Bergmann +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/hctosys.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/rtc/hctosys.c ++++ b/drivers/rtc/hctosys.c +@@ -49,6 +49,11 @@ static int __init rtc_hctosys(void) + + tv64.tv_sec = rtc_tm_to_time64(&tm); + ++#if BITS_PER_LONG == 32 ++ if (tv64.tv_sec > INT_MAX) ++ goto err_read; ++#endif ++ + err = do_settimeofday64(&tv64); + + dev_info(rtc->dev.parent, diff --git a/queue-4.16/rtc-m41t80-fix-race-conditions.patch b/queue-4.16/rtc-m41t80-fix-race-conditions.patch new file mode 100644 index 00000000000..1a02e0d756f --- /dev/null +++ b/queue-4.16/rtc-m41t80-fix-race-conditions.patch @@ -0,0 +1,139 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Alexandre Belloni +Date: Sun, 25 Feb 2018 21:14:31 +0100 +Subject: rtc: m41t80: fix race conditions + +From: Alexandre Belloni + +[ Upstream commit 10d0c768cc6d581523d673b9d1b54213f8a5eb24 ] + +The IRQ is requested before the struct rtc is allocated and registered, but +this struct is used in the IRQ handler, leading to: + +Unable to handle kernel NULL pointer dereference at virtual address 0000017c +pgd = a38a2f9b +[0000017c] *pgd=00000000 +Internal error: Oops: 5 [#1] ARM +Modules linked in: +CPU: 0 PID: 613 Comm: irq/48-m41t80 Not tainted 4.16.0-rc1+ #42 +Hardware name: Atmel SAMA5 +PC is at mutex_lock+0x14/0x38 +LR is at m41t80_handle_irq+0x1c/0x9c +pc : [] lr : [] psr: 20000013 +sp : dec73f30 ip : 00000000 fp : dec56d98 +r10: df437cf0 r9 : c0a03008 r8 : c0145ffc +r7 : df5c4300 r6 : dec568d0 r5 : df593000 r4 : 0000017c +r3 : df592800 r2 : 60000013 r1 : df593000 r0 : 0000017c +Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none +Control: 10c53c7d Table: 20004059 DAC: 00000051 +Process irq/48-m41t80 (pid: 613, stack limit = 0xb52d091e) +Stack: (0xdec73f30 to 0xdec74000) +3f20: dec56840 df5c4300 00000001 df5c4300 +3f40: c0145ffc c0146018 dec56840 ffffe000 00000001 c0146290 dec567c0 00000000 +3f60: c0146084 ed7c9a62 c014615c dec56d80 dec567c0 00000000 dec72000 dec56840 +3f80: c014615c c012ffc0 dec72000 dec567c0 c012fe80 00000000 00000000 00000000 +3fa0: 00000000 00000000 00000000 c01010e8 00000000 00000000 00000000 00000000 +3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +3fe0: 00000000 00000000 00000000 00000000 00000013 00000000 29282726 2d2c2b2a +[] (mutex_lock) from [] (m41t80_handle_irq+0x1c/0x9c) +[] (m41t80_handle_irq) from [] (irq_thread_fn+0x1c/0x54) +[] (irq_thread_fn) from [] (irq_thread+0x134/0x1c0) +[] (irq_thread) from [] (kthread+0x140/0x148) +[] (kthread) from [] (ret_from_fork+0x14/0x2c) +Exception stack(0xdec73fb0 to 0xdec73ff8) +3fa0: 00000000 00000000 00000000 00000000 +3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +3fe0: 00000000 00000000 00000000 00000000 00000013 00000000 +Code: e3c33d7f e3c3303f f5d0f000 e593300c (e1901f9f) +---[ end trace 22b027302eb7c604 ]--- +genirq: exiting task "irq/48-m41t80" (613) is an active IRQ thread (irq 48) + +Also, there is another possible race condition. The probe function is not +allowed to fail after the RTC is registered because the following may +happen: + +CPU0: CPU1: +sys_load_module() + do_init_module() + do_one_initcall() + cmos_do_probe() + rtc_device_register() + __register_chrdev() + cdev->owner = struct module* + open("/dev/rtc0") + rtc_device_unregister() + module_put() + free_module() + module_free(mod->module_core) + /* struct module *module is now + freed */ + chrdev_open() + spin_lock(cdev_lock) + cdev_get() + try_module_get() + module_is_live() + /* dereferences already + freed struct module* */ + +Switch to devm_rtc_allocate_device/rtc_register_device to allocate the rtc +before requesting the IRQ and register it as late as possible. + +Signed-off-by: Alexandre Belloni + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/rtc-m41t80.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +--- a/drivers/rtc/rtc-m41t80.c ++++ b/drivers/rtc/rtc-m41t80.c +@@ -885,7 +885,6 @@ static int m41t80_probe(struct i2c_clien + { + struct i2c_adapter *adapter = to_i2c_adapter(client->dev.parent); + int rc = 0; +- struct rtc_device *rtc = NULL; + struct rtc_time tm; + struct m41t80_data *m41t80_data = NULL; + bool wakeup_source = false; +@@ -909,6 +908,10 @@ static int m41t80_probe(struct i2c_clien + m41t80_data->features = id->driver_data; + i2c_set_clientdata(client, m41t80_data); + ++ m41t80_data->rtc = devm_rtc_allocate_device(&client->dev); ++ if (IS_ERR(m41t80_data->rtc)) ++ return PTR_ERR(m41t80_data->rtc); ++ + #ifdef CONFIG_OF + wakeup_source = of_property_read_bool(client->dev.of_node, + "wakeup-source"); +@@ -932,15 +935,11 @@ static int m41t80_probe(struct i2c_clien + device_init_wakeup(&client->dev, true); + } + +- rtc = devm_rtc_device_register(&client->dev, client->name, +- &m41t80_rtc_ops, THIS_MODULE); +- if (IS_ERR(rtc)) +- return PTR_ERR(rtc); ++ m41t80_data->rtc->ops = &m41t80_rtc_ops; + +- m41t80_data->rtc = rtc; + if (client->irq <= 0) { + /* We cannot support UIE mode if we do not have an IRQ line */ +- rtc->uie_unsupported = 1; ++ m41t80_data->rtc->uie_unsupported = 1; + } + + /* Make sure HT (Halt Update) bit is cleared */ +@@ -993,6 +992,11 @@ static int m41t80_probe(struct i2c_clien + if (m41t80_data->features & M41T80_FEATURE_SQ) + m41t80_sqw_register_clk(m41t80_data); + #endif ++ ++ rc = rtc_register_device(m41t80_data->rtc); ++ if (rc) ++ return rc; ++ + return 0; + } + diff --git a/queue-4.16/rtc-rk808-fix-possible-race-condition.patch b/queue-4.16/rtc-rk808-fix-possible-race-condition.patch new file mode 100644 index 00000000000..b89dd0c6b98 --- /dev/null +++ b/queue-4.16/rtc-rk808-fix-possible-race-condition.patch @@ -0,0 +1,77 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Alexandre Belloni +Date: Wed, 21 Feb 2018 11:57:05 +0100 +Subject: rtc: rk808: fix possible race condition + +From: Alexandre Belloni + +[ Upstream commit 201fac95e799c3d0304ec724d555e1251b9f6e84 ] + +The probe function is not allowed to fail after registering the RTC because +the following may happen: + +CPU0: CPU1: +sys_load_module() + do_init_module() + do_one_initcall() + cmos_do_probe() + rtc_device_register() + __register_chrdev() + cdev->owner = struct module* + open("/dev/rtc0") + rtc_device_unregister() + module_put() + free_module() + module_free(mod->module_core) + /* struct module *module is now + freed */ + chrdev_open() + spin_lock(cdev_lock) + cdev_get() + try_module_get() + module_is_live() + /* dereferences already + freed struct module* */ + +Switch to devm_rtc_allocate_device/rtc_register_device to register the rtc +as late as possible. + +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/rtc-rk808.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/drivers/rtc/rtc-rk808.c ++++ b/drivers/rtc/rtc-rk808.c +@@ -416,12 +416,11 @@ static int rk808_rtc_probe(struct platfo + + device_init_wakeup(&pdev->dev, 1); + +- rk808_rtc->rtc = devm_rtc_device_register(&pdev->dev, "rk808-rtc", +- &rk808_rtc_ops, THIS_MODULE); +- if (IS_ERR(rk808_rtc->rtc)) { +- ret = PTR_ERR(rk808_rtc->rtc); +- return ret; +- } ++ rk808_rtc->rtc = devm_rtc_allocate_device(&pdev->dev); ++ if (IS_ERR(rk808_rtc->rtc)) ++ return PTR_ERR(rk808_rtc->rtc); ++ ++ rk808_rtc->rtc->ops = &rk808_rtc_ops; + + rk808_rtc->irq = platform_get_irq(pdev, 0); + if (rk808_rtc->irq < 0) { +@@ -438,9 +437,10 @@ static int rk808_rtc_probe(struct platfo + if (ret) { + dev_err(&pdev->dev, "Failed to request alarm IRQ %d: %d\n", + rk808_rtc->irq, ret); ++ return ret; + } + +- return ret; ++ return rtc_register_device(rk808_rtc->rtc); + } + + static struct platform_driver rk808_rtc_driver = { diff --git a/queue-4.16/rtc-rp5c01-fix-possible-race-condition.patch b/queue-4.16/rtc-rp5c01-fix-possible-race-condition.patch new file mode 100644 index 00000000000..2ef7a540d18 --- /dev/null +++ b/queue-4.16/rtc-rp5c01-fix-possible-race-condition.patch @@ -0,0 +1,74 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Alexandre Belloni +Date: Mon, 12 Feb 2018 23:47:49 +0100 +Subject: rtc: rp5c01: fix possible race condition + +From: Alexandre Belloni + +[ Upstream commit bcdd559268039d8340d38fa58668393596e29fdc ] + +The probe function is not allowed to fail after registering the RTC because +the following may happen: + +CPU0: CPU1: +sys_load_module() + do_init_module() + do_one_initcall() + cmos_do_probe() + rtc_device_register() + __register_chrdev() + cdev->owner = struct module* + open("/dev/rtc0") + rtc_device_unregister() + module_put() + free_module() + module_free(mod->module_core) + /* struct module *module is now + freed */ + chrdev_open() + spin_lock(cdev_lock) + cdev_get() + try_module_get() + module_is_live() + /* dereferences already + freed struct module* */ + +Switch to devm_rtc_allocate_device/rtc_register_device to register the rtc +as late as possible. + +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/rtc-rp5c01.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/rtc/rtc-rp5c01.c ++++ b/drivers/rtc/rtc-rp5c01.c +@@ -249,16 +249,24 @@ static int __init rp5c01_rtc_probe(struc + + platform_set_drvdata(dev, priv); + +- rtc = devm_rtc_device_register(&dev->dev, "rtc-rp5c01", &rp5c01_rtc_ops, +- THIS_MODULE); ++ rtc = devm_rtc_allocate_device(&dev->dev); + if (IS_ERR(rtc)) + return PTR_ERR(rtc); ++ ++ rtc->ops = &rp5c01_rtc_ops; ++ + priv->rtc = rtc; + + error = sysfs_create_bin_file(&dev->dev.kobj, &priv->nvram_attr); + if (error) + return error; + ++ error = rtc_register_device(rtc); ++ if (error) { ++ sysfs_remove_bin_file(&dev->dev.kobj, &priv->nvram_attr); ++ return error; ++ } ++ + return 0; + } + diff --git a/queue-4.16/rtc-snvs-fix-usage-of-snvs_rtc_enable.patch b/queue-4.16/rtc-snvs-fix-usage-of-snvs_rtc_enable.patch new file mode 100644 index 00000000000..46cb10439bd --- /dev/null +++ b/queue-4.16/rtc-snvs-fix-usage-of-snvs_rtc_enable.patch @@ -0,0 +1,91 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Bryan O'Donoghue +Date: Wed, 28 Mar 2018 20:14:05 +0100 +Subject: rtc: snvs: Fix usage of snvs_rtc_enable + +From: Bryan O'Donoghue + +[ Upstream commit 1485991c024603b2fb4ae77beb7a0d741128a48e ] + +commit 179a502f8c46 ("rtc: snvs: add Freescale rtc-snvs driver") introduces +the SNVS RTC driver with a function snvs_rtc_enable(). + +snvs_rtc_enable() can return an error on the enable path however this +driver does not currently trap that failure on the probe() path and +consequently if enabling the RTC fails we encounter a later error spinning +forever in rtc_write_sync_lp(). + +[ 36.093481] [] (__irq_svc) from [] (_raw_spin_unlock_irqrestore+0x34/0x44) +[ 36.102122] [] (_raw_spin_unlock_irqrestore) from [] (regmap_read+0x4c/0x5c) +[ 36.110938] [] (regmap_read) from [] (rtc_write_sync_lp+0x6c/0x98) +[ 36.118881] [] (rtc_write_sync_lp) from [] (snvs_rtc_alarm_irq_enable+0x40/0x4c) +[ 36.128041] [] (snvs_rtc_alarm_irq_enable) from [] (rtc_timer_do_work+0xd8/0x1a8) +[ 36.137291] [] (rtc_timer_do_work) from [] (process_one_work+0x28c/0x76c) +[ 36.145840] [] (process_one_work) from [] (worker_thread+0x34/0x58c) +[ 36.153961] [] (worker_thread) from [] (kthread+0x138/0x150) +[ 36.161388] [] (kthread) from [] (ret_from_fork+0x14/0x20) +[ 36.168635] rcu_sched kthread starved for 2602 jiffies! g496 c495 f0x2 RCU_GP_WAIT_FQS(3) ->state=0x0 ->cpu=0 +[ 36.178564] rcu_sched R running task 0 8 2 0x00000000 +[ 36.185664] [] (__schedule) from [] (schedule+0x3c/0xa0) +[ 36.192739] [] (schedule) from [] (schedule_timeout+0x78/0x4e0) +[ 36.200422] [] (schedule_timeout) from [] (rcu_gp_kthread+0x648/0x1864) +[ 36.208800] [] (rcu_gp_kthread) from [] (kthread+0x138/0x150) +[ 36.216309] [] (kthread) from [] (ret_from_fork+0x14/0x20) + +This patch fixes by parsing the result of rtc_write_sync_lp() and +propagating both in the probe and elsewhere. If the RTC doesn't start we +don't proceed loading the driver and don't get into this loop mess later +on. + +Fixes: 179a502f8c46 ("rtc: snvs: add Freescale rtc-snvs driver") +Signed-off-by: Bryan O'Donoghue +Acked-by: Shawn Guo +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/rtc-snvs.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +--- a/drivers/rtc/rtc-snvs.c ++++ b/drivers/rtc/rtc-snvs.c +@@ -132,20 +132,23 @@ static int snvs_rtc_set_time(struct devi + { + struct snvs_rtc_data *data = dev_get_drvdata(dev); + unsigned long time; ++ int ret; + + rtc_tm_to_time(tm, &time); + + /* Disable RTC first */ +- snvs_rtc_enable(data, false); ++ ret = snvs_rtc_enable(data, false); ++ if (ret) ++ return ret; + + /* Write 32-bit time to 47-bit timer, leaving 15 LSBs blank */ + regmap_write(data->regmap, data->offset + SNVS_LPSRTCLR, time << CNTR_TO_SECS_SH); + regmap_write(data->regmap, data->offset + SNVS_LPSRTCMR, time >> (32 - CNTR_TO_SECS_SH)); + + /* Enable RTC again */ +- snvs_rtc_enable(data, true); ++ ret = snvs_rtc_enable(data, true); + +- return 0; ++ return ret; + } + + static int snvs_rtc_read_alarm(struct device *dev, struct rtc_wkalrm *alrm) +@@ -288,7 +291,11 @@ static int snvs_rtc_probe(struct platfor + regmap_write(data->regmap, data->offset + SNVS_LPSR, 0xffffffff); + + /* Enable RTC */ +- snvs_rtc_enable(data, true); ++ ret = snvs_rtc_enable(data, true); ++ if (ret) { ++ dev_err(&pdev->dev, "failed to enable rtc %d\n", ret); ++ goto error_rtc_device_register; ++ } + + device_init_wakeup(&pdev->dev, true); + diff --git a/queue-4.16/rtc-tx4939-avoid-unintended-sign-extension-on-a-24-bit-shift.patch b/queue-4.16/rtc-tx4939-avoid-unintended-sign-extension-on-a-24-bit-shift.patch new file mode 100644 index 00000000000..b8bac6718eb --- /dev/null +++ b/queue-4.16/rtc-tx4939-avoid-unintended-sign-extension-on-a-24-bit-shift.patch @@ -0,0 +1,48 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Colin Ian King +Date: Thu, 15 Feb 2018 19:36:14 +0000 +Subject: rtc: tx4939: avoid unintended sign extension on a 24 bit shift + +From: Colin Ian King + +[ Upstream commit 347876ad47b9923ce26e686173bbf46581802ffa ] + +The shifting of buf[5] by 24 bits to the left will be promoted to +a 32 bit signed int and then sign-extended to an unsigned long. If +the top bit of buf[5] is set then all then all the upper bits sec +end up as also being set because of the sign-extension. Fix this by +casting buf[5] to an unsigned long before the shift. + +Detected by CoverityScan, CID#1465292 ("Unintended sign extension") + +Fixes: 0e1492330cd2 ("rtc: add rtc-tx4939 driver") +Signed-off-by: Colin Ian King +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/rtc-tx4939.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/rtc/rtc-tx4939.c ++++ b/drivers/rtc/rtc-tx4939.c +@@ -86,7 +86,8 @@ static int tx4939_rtc_read_time(struct d + for (i = 2; i < 6; i++) + buf[i] = __raw_readl(&rtcreg->dat); + spin_unlock_irq(&pdata->lock); +- sec = (buf[5] << 24) | (buf[4] << 16) | (buf[3] << 8) | buf[2]; ++ sec = ((unsigned long)buf[5] << 24) | (buf[4] << 16) | ++ (buf[3] << 8) | buf[2]; + rtc_time_to_tm(sec, tm); + return rtc_valid_tm(tm); + } +@@ -147,7 +148,8 @@ static int tx4939_rtc_read_alarm(struct + alrm->enabled = (ctl & TX4939_RTCCTL_ALME) ? 1 : 0; + alrm->pending = (ctl & TX4939_RTCCTL_ALMD) ? 1 : 0; + spin_unlock_irq(&pdata->lock); +- sec = (buf[5] << 24) | (buf[4] << 16) | (buf[3] << 8) | buf[2]; ++ sec = ((unsigned long)buf[5] << 24) | (buf[4] << 16) | ++ (buf[3] << 8) | buf[2]; + rtc_time_to_tm(sec, &alrm->time); + return rtc_valid_tm(&alrm->time); + } diff --git a/queue-4.16/rxrpc-don-t-treat-call-aborts-as-conn-aborts.patch b/queue-4.16/rxrpc-don-t-treat-call-aborts-as-conn-aborts.patch new file mode 100644 index 00000000000..b76d3b966f9 --- /dev/null +++ b/queue-4.16/rxrpc-don-t-treat-call-aborts-as-conn-aborts.patch @@ -0,0 +1,59 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: David Howells +Date: Fri, 30 Mar 2018 21:04:44 +0100 +Subject: rxrpc: Don't treat call aborts as conn aborts + +From: David Howells + +[ Upstream commit 57b0c9d49b94bbeb53649b7fbd264603c1ebd585 ] + +If a call-level abort is received for the previous call to complete on a +connection channel, then that abort is queued for the connection processor +to handle. Unfortunately, the connection processor then assumes without +checking that the abort is connection-level (ie. callNumber is 0) and +distributes it over all active calls on that connection, thereby +incorrectly aborting them. + +Fix this by discarding aborts aimed at a completed call. + +Further, discard all packets aimed at a call that's complete if there's +currently an active call on a channel, since the DATA packets associated +with the new call automatically terminate the old call. + +Fixes: 18bfeba50dfd ("rxrpc: Perform terminal call ACK/ABORT retransmission from conn processor") +Reported-by: Marc Dionne +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/input.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +--- a/net/rxrpc/input.c ++++ b/net/rxrpc/input.c +@@ -1240,16 +1240,19 @@ void rxrpc_data_ready(struct sock *udp_s + goto discard_unlock; + + if (sp->hdr.callNumber == chan->last_call) { +- /* For the previous service call, if completed successfully, we +- * discard all further packets. ++ if (chan->call || ++ sp->hdr.type == RXRPC_PACKET_TYPE_ABORT) ++ goto discard_unlock; ++ ++ /* For the previous service call, if completed ++ * successfully, we discard all further packets. + */ + if (rxrpc_conn_is_service(conn) && +- (chan->last_type == RXRPC_PACKET_TYPE_ACK || +- sp->hdr.type == RXRPC_PACKET_TYPE_ABORT)) ++ chan->last_type == RXRPC_PACKET_TYPE_ACK) + goto discard_unlock; + +- /* But otherwise we need to retransmit the final packet from +- * data cached in the connection record. ++ /* But otherwise we need to retransmit the final packet ++ * from data cached in the connection record. + */ + rxrpc_post_packet_to_conn(conn, skb); + goto out_unlock; diff --git a/queue-4.16/rxrpc-fix-resend-event-time-calculation.patch b/queue-4.16/rxrpc-fix-resend-event-time-calculation.patch new file mode 100644 index 00000000000..7ef187bfdbb --- /dev/null +++ b/queue-4.16/rxrpc-fix-resend-event-time-calculation.patch @@ -0,0 +1,38 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Marc Dionne +Date: Fri, 30 Mar 2018 21:04:44 +0100 +Subject: rxrpc: Fix resend event time calculation + +From: Marc Dionne + +[ Upstream commit 59299aa1028fce051adbd25aaff7c387b865cd6d ] + +Commit a158bdd3 ("rxrpc: Fix call timeouts") reworked the time calculation +for the next resend event. For this calculation, "oldest" will be before +"now", so ktime_sub(oldest, now) will yield a negative value. When passed +to nsecs_to_jiffies which expects an unsigned value, the end result will be +a very large value, and a resend event scheduled far into the future. This +could cause calls to stall if some packets were lost. + +Fix by ordering the arguments to ktime_sub correctly. + +Fixes: a158bdd3247b ("rxrpc: Fix call timeouts") +Signed-off-by: Marc Dionne +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/call_event.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/rxrpc/call_event.c ++++ b/net/rxrpc/call_event.c +@@ -225,7 +225,7 @@ static void rxrpc_resend(struct rxrpc_ca + ktime_to_ns(ktime_sub(skb->tstamp, max_age))); + } + +- resend_at = nsecs_to_jiffies(ktime_to_ns(ktime_sub(oldest, now))); ++ resend_at = nsecs_to_jiffies(ktime_to_ns(ktime_sub(now, oldest))); + resend_at += jiffies + rxrpc_resend_timeout; + WRITE_ONCE(call->resend_at, resend_at); + diff --git a/queue-4.16/rxrpc-fix-tx-ring-annotation-after-initial-tx-failure.patch b/queue-4.16/rxrpc-fix-tx-ring-annotation-after-initial-tx-failure.patch new file mode 100644 index 00000000000..ed7c8136650 --- /dev/null +++ b/queue-4.16/rxrpc-fix-tx-ring-annotation-after-initial-tx-failure.patch @@ -0,0 +1,41 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: David Howells +Date: Fri, 30 Mar 2018 21:04:43 +0100 +Subject: rxrpc: Fix Tx ring annotation after initial Tx failure + +From: David Howells + +[ Upstream commit 03877bf6a30cca7d4bc3ffabd3c3e9464a7a1a19 ] + +rxrpc calls have a ring of packets that are awaiting ACK or retransmission +and a parallel ring of annotations that tracks the state of those packets. +If the initial transmission of a packet on the underlying UDP socket fails +then the packet annotation is marked for resend - but the setting of this +mark accidentally erases the last-packet mark also stored in the same +annotation slot. If this happens, a call won't switch out of the Tx phase +when all the packets have been transmitted. + +Fix this by retaining the last-packet mark and only altering the packet +state. + +Fixes: 248f219cb8bc ("rxrpc: Rewrite the data and ack handling code") +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/sendmsg.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/rxrpc/sendmsg.c ++++ b/net/rxrpc/sendmsg.c +@@ -130,7 +130,9 @@ static inline void rxrpc_instant_resend( + spin_lock_bh(&call->lock); + + if (call->state < RXRPC_CALL_COMPLETE) { +- call->rxtx_annotations[ix] = RXRPC_TX_ANNO_RETRANS; ++ call->rxtx_annotations[ix] = ++ (call->rxtx_annotations[ix] & RXRPC_TX_ANNO_LAST) | ++ RXRPC_TX_ANNO_RETRANS; + if (!test_and_set_bit(RXRPC_CALL_EV_RESEND, &call->events)) + rxrpc_queue_call(call); + } diff --git a/queue-4.16/sched-rt-fix-rq-clock_update_flags-rqcf_act_skip-warning.patch b/queue-4.16/sched-rt-fix-rq-clock_update_flags-rqcf_act_skip-warning.patch new file mode 100644 index 00000000000..21de8d2adfa --- /dev/null +++ b/queue-4.16/sched-rt-fix-rq-clock_update_flags-rqcf_act_skip-warning.patch @@ -0,0 +1,74 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Davidlohr Bueso +Date: Mon, 2 Apr 2018 09:49:54 -0700 +Subject: sched/rt: Fix rq->clock_update_flags < RQCF_ACT_SKIP warning + +From: Davidlohr Bueso + +[ Upstream commit d29a20645d5e929aa7e8616f28e5d8e1c49263ec ] + +While running rt-tests' pi_stress program I got the following splat: + + rq->clock_update_flags < RQCF_ACT_SKIP + WARNING: CPU: 27 PID: 0 at kernel/sched/sched.h:960 assert_clock_updated.isra.38.part.39+0x13/0x20 + + [...] + + + enqueue_top_rt_rq+0xf4/0x150 + ? cpufreq_dbs_governor_start+0x170/0x170 + sched_rt_rq_enqueue+0x65/0x80 + sched_rt_period_timer+0x156/0x360 + ? sched_rt_rq_enqueue+0x80/0x80 + __hrtimer_run_queues+0xfa/0x260 + hrtimer_interrupt+0xcb/0x220 + smp_apic_timer_interrupt+0x62/0x120 + apic_timer_interrupt+0xf/0x20 + + + [...] + + do_idle+0x183/0x1e0 + cpu_startup_entry+0x5f/0x70 + start_secondary+0x192/0x1d0 + secondary_startup_64+0xa5/0xb0 + +We can get rid of it be the "traditional" means of adding an +update_rq_clock() call after acquiring the rq->lock in +do_sched_rt_period_timer(). + +The case for the RT task throttling (which this workload also hits) +can be ignored in that the skip_update call is actually bogus and +quite the contrary (the request bits are removed/reverted). + +By setting RQCF_UPDATED we really don't care if the skip is happening +or not and will therefore make the assert_clock_updated() check happy. + +Signed-off-by: Davidlohr Bueso +Reviewed-by: Matt Fleming +Acked-by: Peter Zijlstra (Intel) +Cc: Linus Torvalds +Cc: Mike Galbraith +Cc: Thomas Gleixner +Cc: dave@stgolabs.net +Cc: linux-kernel@vger.kernel.org +Cc: rostedt@goodmis.org +Link: http://lkml.kernel.org/r/20180402164954.16255-1-dave@stgolabs.net +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sched/rt.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/sched/rt.c ++++ b/kernel/sched/rt.c +@@ -843,6 +843,8 @@ static int do_sched_rt_period_timer(stru + continue; + + raw_spin_lock(&rq->lock); ++ update_rq_clock(rq); ++ + if (rt_rq->rt_time) { + u64 runtime; + diff --git a/queue-4.16/scsi-aacraid-insure-command-thread-is-not-recursively-stopped.patch b/queue-4.16/scsi-aacraid-insure-command-thread-is-not-recursively-stopped.patch new file mode 100644 index 00000000000..d6cc80f2e54 --- /dev/null +++ b/queue-4.16/scsi-aacraid-insure-command-thread-is-not-recursively-stopped.patch @@ -0,0 +1,89 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Dave Carroll +Date: Tue, 3 Apr 2018 15:50:42 -0600 +Subject: scsi: aacraid: Insure command thread is not recursively stopped + +From: Dave Carroll + +[ Upstream commit 1c6b41fb92936fa5facea464d5d7cbf855966d04 ] + +If a recursive IOP_RESET is invoked, usually due to the eh_thread +handling errors after the first reset, be sure we flag that the command +thread has been stopped to avoid an Oops of the form; + + [ 336.620256] CPU: 28 PID: 1193 Comm: scsi_eh_0 Kdump: loaded Not tainted 4.14.0-49.el7a.ppc64le #1 + [ 336.620297] task: c000003fd630b800 task.stack: c000003fd61a4000 + [ 336.620326] NIP: c000000000176794 LR: c00000000013038c CTR: c00000000024bc10 + [ 336.620361] REGS: c000003fd61a7720 TRAP: 0300 Not tainted (4.14.0-49.el7a.ppc64le) + [ 336.620395] MSR: 9000000000009033 CR: 22084022 XER: 20040000 + [ 336.620435] CFAR: c000000000130388 DAR: 0000000000000000 DSISR: 40000000 SOFTE: 1 + [ 336.620435] GPR00: c00000000013038c c000003fd61a79a0 c0000000014c7e00 0000000000000000 + [ 336.620435] GPR04: 000000000000000c 000000000000000c 9000000000009033 0000000000000477 + [ 336.620435] GPR08: 0000000000000477 0000000000000000 0000000000000000 c008000010f7d940 + [ 336.620435] GPR12: c00000000024bc10 c000000007a33400 c0000000001708a8 c000003fe3b881d8 + [ 336.620435] GPR16: c000003fe3b88060 c000003fd61a7d10 fffffffffffff000 000000000000001e + [ 336.620435] GPR20: 0000000000000001 c000000000ebf1a0 0000000000000001 c000003fe3b88000 + [ 336.620435] GPR24: 0000000000000003 0000000000000002 c000003fe3b88840 c000003fe3b887e8 + [ 336.620435] GPR28: c000003fe3b88000 c000003fc8181788 0000000000000000 c000003fc8181700 + [ 336.620750] NIP [c000000000176794] exit_creds+0x34/0x160 + [ 336.620775] LR [c00000000013038c] __put_task_struct+0x8c/0x1f0 + [ 336.620804] Call Trace: + [ 336.620817] [c000003fd61a79a0] [c000003fe3b88000] 0xc000003fe3b88000 (unreliable) + [ 336.620853] [c000003fd61a79d0] [c00000000013038c] __put_task_struct+0x8c/0x1f0 + [ 336.620889] [c000003fd61a7a00] [c000000000171418] kthread_stop+0x1e8/0x1f0 + [ 336.620922] [c000003fd61a7a40] [c008000010f7448c] aac_reset_adapter+0x14c/0x8d0 [aacraid] + [ 336.620959] [c000003fd61a7b00] [c008000010f60174] aac_eh_host_reset+0x84/0x100 [aacraid] + [ 336.621010] [c000003fd61a7b30] [c000000000864f24] scsi_try_host_reset+0x74/0x180 + [ 336.621046] [c000003fd61a7bb0] [c000000000867ac0] scsi_eh_ready_devs+0xc00/0x14d0 + [ 336.625165] [c000003fd61a7ca0] [c0000000008699e0] scsi_error_handler+0x550/0x730 + [ 336.632101] [c000003fd61a7dc0] [c000000000170a08] kthread+0x168/0x1b0 + [ 336.639031] [c000003fd61a7e30] [c00000000000b528] ret_from_kernel_thread+0x5c/0xb4 + [ 336.645971] Instruction dump: + [ 336.648743] 384216a0 7c0802a6 fbe1fff8 f8010010 f821ffd1 7c7f1b78 60000000 60000000 + [ 336.657056] 39400000 e87f0838 f95f0838 7c0004ac <7d401828> 314affff 7d40192d 40c2fff4 + [ 336.663997] -[ end trace 4640cf8d4945ad95 ]- + +So flag when the thread is stopped by setting the thread pointer to NULL. + +Signed-off-by: Dave Carroll +Reviewed-by: Raghava Aditya Renukunta +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/aacraid/commsup.c | 4 +++- + drivers/scsi/aacraid/linit.c | 1 + + 2 files changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/aacraid/commsup.c ++++ b/drivers/scsi/aacraid/commsup.c +@@ -1502,9 +1502,10 @@ static int _aac_reset_adapter(struct aac + host = aac->scsi_host_ptr; + scsi_block_requests(host); + aac_adapter_disable_int(aac); +- if (aac->thread->pid != current->pid) { ++ if (aac->thread && aac->thread->pid != current->pid) { + spin_unlock_irq(host->host_lock); + kthread_stop(aac->thread); ++ aac->thread = NULL; + jafo = 1; + } + +@@ -1591,6 +1592,7 @@ static int _aac_reset_adapter(struct aac + aac->name); + if (IS_ERR(aac->thread)) { + retval = PTR_ERR(aac->thread); ++ aac->thread = NULL; + goto out; + } + } +--- a/drivers/scsi/aacraid/linit.c ++++ b/drivers/scsi/aacraid/linit.c +@@ -1562,6 +1562,7 @@ static void __aac_shutdown(struct aac_de + up(&fib->event_wait); + } + kthread_stop(aac->thread); ++ aac->thread = NULL; + } + + aac_send_shutdown(aac); diff --git a/queue-4.16/scsi-core-make-scsi-status-condition-met-equivalent-to-good.patch b/queue-4.16/scsi-core-make-scsi-status-condition-met-equivalent-to-good.patch new file mode 100644 index 00000000000..6bb5c5486dc --- /dev/null +++ b/queue-4.16/scsi-core-make-scsi-status-condition-met-equivalent-to-good.patch @@ -0,0 +1,62 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Douglas Gilbert +Date: Tue, 6 Mar 2018 22:19:49 -0500 +Subject: scsi: core: Make SCSI Status CONDITION MET equivalent to GOOD + +From: Douglas Gilbert + +[ Upstream commit 1875ede02ed5e176a18dccbca84abc28d5b3e141 ] + +The SCSI PRE-FETCH (10 or 16) command is present both on hard disks +and some SSDs. It is useful when the address of the next block(s) to +be read is known but it is not following the LBA of the current READ +(so read-ahead won't help). It returns two "good" SCSI Status values. +If the requested blocks have fitted (or will most likely fit (when +the IMMED bit is set)) into the disk's cache, it returns CONDITION +MET. If it didn't (or will not) fit then it returns GOOD status. + +The goal of this patch is to stop the SCSI subsystem treating the +CONDITION MET SCSI status as an error. The current state makes the +PRE-FETCH command effectively unusable via pass-throughs. + +Signed-off-by: Douglas Gilbert +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/scsi_lib.c | 11 +++++++++++ + include/scsi/scsi.h | 2 ++ + 2 files changed, 13 insertions(+) + +--- a/drivers/scsi/scsi_lib.c ++++ b/drivers/scsi/scsi_lib.c +@@ -856,6 +856,17 @@ void scsi_io_completion(struct scsi_cmnd + /* for passthrough error may be set */ + error = BLK_STS_OK; + } ++ /* ++ * Another corner case: the SCSI status byte is non-zero but 'good'. ++ * Example: PRE-FETCH command returns SAM_STAT_CONDITION_MET when ++ * it is able to fit nominated LBs in its cache (and SAM_STAT_GOOD ++ * if it can't fit). Treat SAM_STAT_CONDITION_MET and the related ++ * intermediate statuses (both obsolete in SAM-4) as good. ++ */ ++ if (status_byte(result) && scsi_status_is_good(result)) { ++ result = 0; ++ error = BLK_STS_OK; ++ } + + /* + * special case: failed zero length commands always need to +--- a/include/scsi/scsi.h ++++ b/include/scsi/scsi.h +@@ -47,6 +47,8 @@ static inline int scsi_status_is_good(in + */ + status &= 0xfe; + return ((status == SAM_STAT_GOOD) || ++ (status == SAM_STAT_CONDITION_MET) || ++ /* Next two "intermediate" statuses are obsolete in SAM-4 */ + (status == SAM_STAT_INTERMEDIATE) || + (status == SAM_STAT_INTERMEDIATE_CONDITION_MET) || + /* FIXME: this is obsolete in SAM-3 */ diff --git a/queue-4.16/scsi-devinfo-add-hp-disk-subsystem-device-for-hp-xp-arrays.patch b/queue-4.16/scsi-devinfo-add-hp-disk-subsystem-device-for-hp-xp-arrays.patch new file mode 100644 index 00000000000..05378f96991 --- /dev/null +++ b/queue-4.16/scsi-devinfo-add-hp-disk-subsystem-device-for-hp-xp-arrays.patch @@ -0,0 +1,43 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Xose Vazquez Perez +Date: Thu, 15 Mar 2018 18:32:01 +0100 +Subject: scsi: devinfo: add HP DISK-SUBSYSTEM device, for HP XP arrays + +From: Xose Vazquez Perez + +[ Upstream commit 5f96f42b76e00e2871033745ff029056cc725c76 ] + +"The DISK-SUBSYSTEM is a special model name returned when LUs +are not installed. For example, when LU#0 is not installed in "OPEN-" +models, LU#0 is detected as the DISK-SUBSYSTEM model": +https://marc.info/?l=linux-scsi&m=125424006417825 + +It's missing for HP XP rebranded arrays, "HP"/"OPEN-". +Only the HITACHI one is present: +13f7e5acc8b329080672c13f05f252ace5b79825 +627511e3e67553b04f6917c03e39b797df210e04 + +Cc: Anthony Cheung +Cc: Takahiro Yasui +Cc: Matthias Rudolph +Cc: Martin K. Petersen +Cc: James E.J. Bottomley +Cc: SCSI ML +Signed-off-by: Xose Vazquez Perez +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/scsi_devinfo.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/scsi/scsi_devinfo.c ++++ b/drivers/scsi/scsi_devinfo.c +@@ -189,6 +189,7 @@ static struct { + {"HP", "C5713A", NULL, BLIST_NOREPORTLUN}, + {"HP", "DF400", "*", BLIST_REPORTLUN2}, + {"HP", "DF500", "*", BLIST_REPORTLUN2}, ++ {"HP", "DISK-SUBSYSTEM", "*", BLIST_REPORTLUN2}, + {"HP", "OP-C-", "*", BLIST_SPARSELUN | BLIST_LARGELUN}, + {"HP", "3380-", "*", BLIST_SPARSELUN | BLIST_LARGELUN}, + {"HP", "3390-", "*", BLIST_SPARSELUN | BLIST_LARGELUN}, diff --git a/queue-4.16/scsi-lpfc-fix-frequency-of-release-wqe-cqes.patch b/queue-4.16/scsi-lpfc-fix-frequency-of-release-wqe-cqes.patch new file mode 100644 index 00000000000..335feaafd4d --- /dev/null +++ b/queue-4.16/scsi-lpfc-fix-frequency-of-release-wqe-cqes.patch @@ -0,0 +1,41 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: James Smart +Date: Tue, 30 Jan 2018 15:58:45 -0800 +Subject: scsi: lpfc: Fix frequency of Release WQE CQEs + +From: James Smart + +[ Upstream commit 04673e38f56b30cd39b1fa0f386137d818b17781 ] + +The driver controls when the hardware sends completions that communicate +consumption of elements from the WQ. This is done by setting a WQEC bit +on a WQE. + +The current driver sets it on every Nth WQE posting. However, the driver +isn't clearing the bit if the WQE is reused. Thus, if the queue depth +isn't evenly divisible by N, with enough time, it can be set on every +element, creating a lot of overhead and risking CQ full conditions. + +Correct by clearing the bit when not setting it on an Nth element. + +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Reviewed-by: Hannes Reinecke +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/lpfc/lpfc_sli.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -129,6 +129,8 @@ lpfc_sli4_wq_put(struct lpfc_queue *q, u + /* set consumption flag every once in a while */ + if (!((q->host_index + 1) % q->entry_repost)) + bf_set(wqe_wqec, &wqe->generic.wqe_com, 1); ++ else ++ bf_set(wqe_wqec, &wqe->generic.wqe_com, 0); + if (q->phba->sli3_options & LPFC_SLI4_PHWQ_ENABLED) + bf_set(wqe_wqid, &wqe->generic.wqe_com, q->queue_id); + lpfc_sli_pcimem_bcopy(wqe, temp_wqe, q->entry_size); diff --git a/queue-4.16/scsi-lpfc-fix-io-failure-during-hba-reset-testing-with-nvme-io.patch b/queue-4.16/scsi-lpfc-fix-io-failure-during-hba-reset-testing-with-nvme-io.patch new file mode 100644 index 00000000000..154cf9c869e --- /dev/null +++ b/queue-4.16/scsi-lpfc-fix-io-failure-during-hba-reset-testing-with-nvme-io.patch @@ -0,0 +1,56 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: James Smart +Date: Tue, 30 Jan 2018 15:58:51 -0800 +Subject: scsi: lpfc: Fix IO failure during hba reset testing with nvme io. + +From: James Smart + +[ Upstream commit 91455b850956bc13708a074bd1400f54aae74890 ] + +A stress test repeatedly resetting the adapter while performing io would +eventually report I/O failures and missing nvme namespaces. + +The driver was setting the nvmefc_fcp_req->private pointer to NULL +during the IO completion routine before upcalling done(). If the +transport was also running an abort for that IO, the driver would fail +the abort with message 6140. Failing the abort is not allowed by the +nvme-fc transport, as it mandates that the io must be returned back to +the transport. As that does not happen, the transport controller delete +has an outstanding reference and can't complete teardown. + +The NULL-ing of the private pointer should be done only when the io is +considered complete. It's complete when the adapter returns the exchange +with the "exchange busy" flag clear. + +Move the NULL'ing of the structure to the done case. This leaves the io +contexts set while it is busy and until the subsequent XRI_ABORTED +completion which returns the exchange is received. + +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/lpfc/lpfc_nvme.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/lpfc/lpfc_nvme.c ++++ b/drivers/scsi/lpfc/lpfc_nvme.c +@@ -982,14 +982,14 @@ out_err: + phba->cpucheck_cmpl_io[lpfc_ncmd->cpu]++; + } + #endif +- freqpriv = nCmd->private; +- freqpriv->nvme_buf = NULL; + + /* NVME targets need completion held off until the abort exchange + * completes unless the NVME Rport is getting unregistered. + */ + + if (!(lpfc_ncmd->flags & LPFC_SBUF_XBUSY)) { ++ freqpriv = nCmd->private; ++ freqpriv->nvme_buf = NULL; + nCmd->done(nCmd); + lpfc_ncmd->nvmeCmd = NULL; + } diff --git a/queue-4.16/scsi-lpfc-fix-issue_lip-if-link-is-disabled.patch b/queue-4.16/scsi-lpfc-fix-issue_lip-if-link-is-disabled.patch new file mode 100644 index 00000000000..f0c91f60b29 --- /dev/null +++ b/queue-4.16/scsi-lpfc-fix-issue_lip-if-link-is-disabled.patch @@ -0,0 +1,37 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: James Smart +Date: Tue, 30 Jan 2018 15:58:55 -0800 +Subject: scsi: lpfc: Fix issue_lip if link is disabled + +From: James Smart + +[ Upstream commit 2289e9598dde9705400559ca2606fb8c145c34f0 ] + +The driver ignored checks on whether the link should be kept +administratively down after a link bounce. Correct the checks. + +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Reviewed-by: Hannes Reinecke +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/lpfc/lpfc_attr.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/scsi/lpfc/lpfc_attr.c ++++ b/drivers/scsi/lpfc/lpfc_attr.c +@@ -905,7 +905,12 @@ lpfc_issue_lip(struct Scsi_Host *shost) + LPFC_MBOXQ_t *pmboxq; + int mbxstatus = MBXERR_ERROR; + ++ /* ++ * If the link is offline, disabled or BLOCK_MGMT_IO ++ * it doesn't make any sense to allow issue_lip ++ */ + if ((vport->fc_flag & FC_OFFLINE_MODE) || ++ (phba->hba_flag & LINK_DISABLED) || + (phba->sli.sli_flag & LPFC_BLOCK_MGMT_IO)) + return -EPERM; + diff --git a/queue-4.16/scsi-lpfc-fix-nonrecovery-of-nvme-controller-after-cable-swap.patch b/queue-4.16/scsi-lpfc-fix-nonrecovery-of-nvme-controller-after-cable-swap.patch new file mode 100644 index 00000000000..ca2830b6409 --- /dev/null +++ b/queue-4.16/scsi-lpfc-fix-nonrecovery-of-nvme-controller-after-cable-swap.patch @@ -0,0 +1,112 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: James Smart +Date: Tue, 30 Jan 2018 15:59:01 -0800 +Subject: scsi: lpfc: Fix nonrecovery of NVME controller after cable swap. + +From: James Smart + +[ Upstream commit 815a9c437617e221842d12b3366ff6911b3df628 ] + +In a test that is doing large numbers of cable swaps on the target, the +nvme controllers wouldn't reconnect. + +During the cable swaps, the targets n_port_id would change. This +information was passed to the nvme-fc transport, in the new remoteport +registration. However, the nvme-fc transport didn't update the n_port_id +value in the remoteport struct when it reused an existing structure. +Later, when a new association was attempted on the remoteport, the +driver's NVME LS routine would use the stale n_port_id from the +remoteport struct to address the LS. As the device is no longer at that +address, the LS would go into never never land. + +Separately, the nvme-fc transport will be corrected to update the +n_port_id value on a re-registration. + +However, for now, there's no reason to use the transports values. The +private pointer points to the drivers node structure and the node +structure is up to date. Therefore, revise the LS routine to use the +drivers data structures for the LS. Augmented the debug message for +better debugging in the future. + +Also removed a duplicate if check that seems to have slipped in. + +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Reviewed-by: Hannes Reinecke +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/lpfc/lpfc_nvme.c | 24 +++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +--- a/drivers/scsi/lpfc/lpfc_nvme.c ++++ b/drivers/scsi/lpfc/lpfc_nvme.c +@@ -241,10 +241,11 @@ lpfc_nvme_cmpl_gen_req(struct lpfc_hba * + ndlp = (struct lpfc_nodelist *)cmdwqe->context1; + lpfc_printf_vlog(vport, KERN_INFO, LOG_NVME_DISC, + "6047 nvme cmpl Enter " +- "Data %p DID %x Xri: %x status %x cmd:%p lsreg:%p " +- "bmp:%p ndlp:%p\n", ++ "Data %p DID %x Xri: %x status %x reason x%x cmd:%p " ++ "lsreg:%p bmp:%p ndlp:%p\n", + pnvme_lsreq, ndlp ? ndlp->nlp_DID : 0, + cmdwqe->sli4_xritag, status, ++ (wcqe->parameter & 0xffff), + cmdwqe, pnvme_lsreq, cmdwqe->context3, ndlp); + + lpfc_nvmeio_data(phba, "NVME LS CMPL: xri x%x stat x%x parm x%x\n", +@@ -419,6 +420,7 @@ lpfc_nvme_ls_req(struct nvme_fc_local_po + { + int ret = 0; + struct lpfc_nvme_lport *lport; ++ struct lpfc_nvme_rport *rport; + struct lpfc_vport *vport; + struct lpfc_nodelist *ndlp; + struct ulp_bde64 *bpl; +@@ -437,19 +439,18 @@ lpfc_nvme_ls_req(struct nvme_fc_local_po + */ + + lport = (struct lpfc_nvme_lport *)pnvme_lport->private; ++ rport = (struct lpfc_nvme_rport *)pnvme_rport->private; + vport = lport->vport; + + if (vport->load_flag & FC_UNLOADING) + return -ENODEV; + +- if (vport->load_flag & FC_UNLOADING) +- return -ENODEV; +- +- ndlp = lpfc_findnode_did(vport, pnvme_rport->port_id); ++ /* Need the ndlp. It is stored in the driver's rport. */ ++ ndlp = rport->ndlp; + if (!ndlp || !NLP_CHK_NODE_ACT(ndlp)) { + lpfc_printf_vlog(vport, KERN_ERR, LOG_NODE | LOG_NVME_IOERR, +- "6051 DID x%06x not an active rport.\n", +- pnvme_rport->port_id); ++ "6051 Remoteport %p, rport has invalid ndlp. " ++ "Failing LS Req\n", pnvme_rport); + return -ENODEV; + } + +@@ -500,8 +501,9 @@ lpfc_nvme_ls_req(struct nvme_fc_local_po + + /* Expand print to include key fields. */ + lpfc_printf_vlog(vport, KERN_INFO, LOG_NVME_DISC, +- "6149 ENTER. lport %p, rport %p lsreq%p rqstlen:%d " +- "rsplen:%d %pad %pad\n", ++ "6149 Issue LS Req to DID 0x%06x lport %p, rport %p " ++ "lsreq%p rqstlen:%d rsplen:%d %pad %pad\n", ++ ndlp->nlp_DID, + pnvme_lport, pnvme_rport, + pnvme_lsreq, pnvme_lsreq->rqstlen, + pnvme_lsreq->rsplen, &pnvme_lsreq->rqstdma, +@@ -517,7 +519,7 @@ lpfc_nvme_ls_req(struct nvme_fc_local_po + ndlp, 2, 30, 0); + if (ret != WQE_SUCCESS) { + atomic_inc(&lport->xmt_ls_err); +- lpfc_printf_vlog(vport, KERN_INFO, LOG_NVME_DISC, ++ lpfc_printf_vlog(vport, KERN_ERR, LOG_NVME_DISC, + "6052 EXIT. issue ls wqe failed lport %p, " + "rport %p lsreq%p Status %x DID %x\n", + pnvme_lport, pnvme_rport, pnvme_lsreq, diff --git a/queue-4.16/scsi-lpfc-fix-nvme-initiator-firstburst.patch b/queue-4.16/scsi-lpfc-fix-nvme-initiator-firstburst.patch new file mode 100644 index 00000000000..31c86b2f83c --- /dev/null +++ b/queue-4.16/scsi-lpfc-fix-nvme-initiator-firstburst.patch @@ -0,0 +1,66 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: James Smart +Date: Mon, 5 Mar 2018 12:04:02 -0800 +Subject: scsi: lpfc: Fix NVME Initiator FirstBurst + +From: James Smart + +[ Upstream commit 0709263abe0de70a798dcdf481d5dd489ca4752e ] + +First Burst support was not properly indicated in NVMe PRLI. + +Correct the bit position and the logic to check and set first burst support. + +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/lpfc/lpfc_nportdisc.c | 15 ++++++++++++++- + drivers/scsi/lpfc/lpfc_nvme.h | 2 ++ + 2 files changed, 16 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/lpfc/lpfc_nportdisc.c ++++ b/drivers/scsi/lpfc/lpfc_nportdisc.c +@@ -1998,8 +1998,14 @@ lpfc_cmpl_prli_prli_issue(struct lpfc_vp + ndlp->nlp_type |= NLP_NVME_TARGET; + if (bf_get_be32(prli_disc, nvpr)) + ndlp->nlp_type |= NLP_NVME_DISCOVERY; ++ ++ /* ++ * If prli_fba is set, the Target supports FirstBurst. ++ * If prli_fb_sz is 0, the FirstBurst size is unlimited, ++ * otherwise it defines the actual size supported by ++ * the NVME Target. ++ */ + if ((bf_get_be32(prli_fba, nvpr) == 1) && +- (bf_get_be32(prli_fb_sz, nvpr) > 0) && + (phba->cfg_nvme_enable_fb) && + (!phba->nvmet_support)) { + /* Both sides support FB. The target's first +@@ -2008,6 +2014,13 @@ lpfc_cmpl_prli_prli_issue(struct lpfc_vp + ndlp->nlp_flag |= NLP_FIRSTBURST; + ndlp->nvme_fb_size = bf_get_be32(prli_fb_sz, + nvpr); ++ ++ /* Expressed in units of 512 bytes */ ++ if (ndlp->nvme_fb_size) ++ ndlp->nvme_fb_size <<= ++ LPFC_NVME_FB_SHIFT; ++ else ++ ndlp->nvme_fb_size = LPFC_NVME_MAX_FB; + } + } + +--- a/drivers/scsi/lpfc/lpfc_nvme.h ++++ b/drivers/scsi/lpfc/lpfc_nvme.h +@@ -27,6 +27,8 @@ + + #define LPFC_NVME_WAIT_TMO 10 + #define LPFC_NVME_EXPEDITE_XRICNT 8 ++#define LPFC_NVME_FB_SHIFT 9 ++#define LPFC_NVME_MAX_FB (1 << 20) /* 1M */ + + struct lpfc_nvme_qhandle { + uint32_t index; /* WQ index to use */ diff --git a/queue-4.16/scsi-lpfc-fix-soft-lockup-in-lpfc-worker-thread-during-lip-testing.patch b/queue-4.16/scsi-lpfc-fix-soft-lockup-in-lpfc-worker-thread-during-lip-testing.patch new file mode 100644 index 00000000000..4eb40118c11 --- /dev/null +++ b/queue-4.16/scsi-lpfc-fix-soft-lockup-in-lpfc-worker-thread-during-lip-testing.patch @@ -0,0 +1,50 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: James Smart +Date: Tue, 30 Jan 2018 15:58:54 -0800 +Subject: scsi: lpfc: Fix soft lockup in lpfc worker thread during LIP testing + +From: James Smart + +[ Upstream commit 161df4f09987ae2e9f0f97f0b38eee298b4a39ff ] + +During link bounce testing in a point-to-point topology, the host may +enter a soft lockup on the lpfc_worker thread: + + Call Trace: + lpfc_work_done+0x1f3/0x1390 [lpfc] + lpfc_do_work+0x16f/0x180 [lpfc] + kthread+0xc7/0xe0 + ret_from_fork+0x3f/0x70 + +The driver was simultaneously setting a combination of flags that caused +lpfc_do_work()to effectively spin between slow path work and new event +data, causing the lockup. + +Ensure in the typical wq completions, that new event data flags are set +if the slow path flag is running. The slow path will eventually +reschedule the wq handling. + +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Reviewed-by: Hannes Reinecke +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/lpfc/lpfc_hbadisc.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/lpfc/lpfc_hbadisc.c ++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c +@@ -696,8 +696,9 @@ lpfc_work_done(struct lpfc_hba *phba) + phba->hba_flag & HBA_SP_QUEUE_EVT)) { + if (pring->flag & LPFC_STOP_IOCB_EVENT) { + pring->flag |= LPFC_DEFERRED_RING_EVENT; +- /* Set the lpfc data pending flag */ +- set_bit(LPFC_DATA_READY, &phba->data_flags); ++ /* Preserve legacy behavior. */ ++ if (!(phba->hba_flag & HBA_SP_QUEUE_EVT)) ++ set_bit(LPFC_DATA_READY, &phba->data_flags); + } else { + if (phba->link_state >= LPFC_LINK_UP || + phba->link_flag & LS_MDS_LOOPBACK) { diff --git a/queue-4.16/scsi-mvsas-fix-wrong-endianness-of-sgpio-api.patch b/queue-4.16/scsi-mvsas-fix-wrong-endianness-of-sgpio-api.patch new file mode 100644 index 00000000000..6717c0522f3 --- /dev/null +++ b/queue-4.16/scsi-mvsas-fix-wrong-endianness-of-sgpio-api.patch @@ -0,0 +1,88 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Wilfried Weissmann +Date: Fri, 23 Feb 2018 20:52:34 +0100 +Subject: scsi: mvsas: fix wrong endianness of sgpio api + +From: Wilfried Weissmann + +[ Upstream commit e75fba9c0668b3767f608ea07485f48d33c270cf ] + +This patch fixes the byte order of the SGPIO api and brings it back in +sync with ledmon v0.80 and above. + +[mkp: added missing SoB and fixed whitespace] + +Signed-off-by: Wilfried Weissmann +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/mvsas/mv_94xx.c | 23 ++++++++++++----------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +--- a/drivers/scsi/mvsas/mv_94xx.c ++++ b/drivers/scsi/mvsas/mv_94xx.c +@@ -1080,16 +1080,16 @@ static int mvs_94xx_gpio_write(struct mv + void __iomem *regs = mvi->regs_ex - 0x10200; + + int drive = (i/3) & (4-1); /* drive number on host */ +- u32 block = mr32(MVS_SGPIO_DCTRL + ++ int driveshift = drive * 8; /* bit offset of drive */ ++ u32 block = ioread32be(regs + MVS_SGPIO_DCTRL + + MVS_SGPIO_HOST_OFFSET * mvi->id); + +- + /* + * if bit is set then create a mask with the first + * bit of the drive set in the mask ... + */ +- u32 bit = (write_data[i/8] & (1 << (i&(8-1)))) ? +- 1<<(24-drive*8) : 0; ++ u32 bit = get_unaligned_be32(write_data) & (1 << i) ? ++ 1 << driveshift : 0; + + /* + * ... and then shift it to the right position based +@@ -1098,26 +1098,27 @@ static int mvs_94xx_gpio_write(struct mv + switch (i%3) { + case 0: /* activity */ + block &= ~((0x7 << MVS_SGPIO_DCTRL_ACT_SHIFT) +- << (24-drive*8)); ++ << driveshift); + /* hardwire activity bit to SOF */ + block |= LED_BLINKA_SOF << ( + MVS_SGPIO_DCTRL_ACT_SHIFT + +- (24-drive*8)); ++ driveshift); + break; + case 1: /* id */ + block &= ~((0x3 << MVS_SGPIO_DCTRL_LOC_SHIFT) +- << (24-drive*8)); ++ << driveshift); + block |= bit << MVS_SGPIO_DCTRL_LOC_SHIFT; + break; + case 2: /* fail */ + block &= ~((0x7 << MVS_SGPIO_DCTRL_ERR_SHIFT) +- << (24-drive*8)); ++ << driveshift); + block |= bit << MVS_SGPIO_DCTRL_ERR_SHIFT; + break; + } + +- mw32(MVS_SGPIO_DCTRL + MVS_SGPIO_HOST_OFFSET * mvi->id, +- block); ++ iowrite32be(block, ++ regs + MVS_SGPIO_DCTRL + ++ MVS_SGPIO_HOST_OFFSET * mvi->id); + + } + +@@ -1132,7 +1133,7 @@ static int mvs_94xx_gpio_write(struct mv + void __iomem *regs = mvi->regs_ex - 0x10200; + + mw32(MVS_SGPIO_DCTRL + MVS_SGPIO_HOST_OFFSET * mvi->id, +- be32_to_cpu(((u32 *) write_data)[i])); ++ ((u32 *) write_data)[i]); + } + return reg_count; + } diff --git a/queue-4.16/selftests-add-fib-onlink-tests.patch b/queue-4.16/selftests-add-fib-onlink-tests.patch new file mode 100644 index 00000000000..64dd1bccca9 --- /dev/null +++ b/queue-4.16/selftests-add-fib-onlink-tests.patch @@ -0,0 +1,399 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: David Ahern +Date: Tue, 13 Feb 2018 08:44:06 -0800 +Subject: selftests: Add FIB onlink tests + +From: David Ahern + +[ Upstream commit 153e1b84f477f716bc3f81e6cfae1a3d941fc7ec ] + +Add test cases verifying FIB onlink commands work as expected in +various conditions - IPv4, IPv6, main table, and VRF. + +Signed-off-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/fib-onlink-tests.sh | 375 ++++++++++++++++++++++++ + 1 file changed, 375 insertions(+) + create mode 100755 tools/testing/selftests/net/fib-onlink-tests.sh + +--- /dev/null ++++ b/tools/testing/selftests/net/fib-onlink-tests.sh +@@ -0,0 +1,375 @@ ++#!/bin/bash ++# SPDX-License-Identifier: GPL-2.0 ++ ++# IPv4 and IPv6 onlink tests ++ ++PAUSE_ON_FAIL=${PAUSE_ON_FAIL:=no} ++ ++# Network interfaces ++# - odd in current namespace; even in peer ns ++declare -A NETIFS ++# default VRF ++NETIFS[p1]=veth1 ++NETIFS[p2]=veth2 ++NETIFS[p3]=veth3 ++NETIFS[p4]=veth4 ++# VRF ++NETIFS[p5]=veth5 ++NETIFS[p6]=veth6 ++NETIFS[p7]=veth7 ++NETIFS[p8]=veth8 ++ ++# /24 network ++declare -A V4ADDRS ++V4ADDRS[p1]=169.254.1.1 ++V4ADDRS[p2]=169.254.1.2 ++V4ADDRS[p3]=169.254.3.1 ++V4ADDRS[p4]=169.254.3.2 ++V4ADDRS[p5]=169.254.5.1 ++V4ADDRS[p6]=169.254.5.2 ++V4ADDRS[p7]=169.254.7.1 ++V4ADDRS[p8]=169.254.7.2 ++ ++# /64 network ++declare -A V6ADDRS ++V6ADDRS[p1]=2001:db8:101::1 ++V6ADDRS[p2]=2001:db8:101::2 ++V6ADDRS[p3]=2001:db8:301::1 ++V6ADDRS[p4]=2001:db8:301::2 ++V6ADDRS[p5]=2001:db8:501::1 ++V6ADDRS[p6]=2001:db8:501::2 ++V6ADDRS[p7]=2001:db8:701::1 ++V6ADDRS[p8]=2001:db8:701::2 ++ ++# Test networks: ++# [1] = default table ++# [2] = VRF ++# ++# /32 host routes ++declare -A TEST_NET4 ++TEST_NET4[1]=169.254.101 ++TEST_NET4[2]=169.254.102 ++# /128 host routes ++declare -A TEST_NET6 ++TEST_NET6[1]=2001:db8:101 ++TEST_NET6[2]=2001:db8:102 ++ ++# connected gateway ++CONGW[1]=169.254.1.254 ++CONGW[2]=169.254.5.254 ++ ++# recursive gateway ++RECGW4[1]=169.254.11.254 ++RECGW4[2]=169.254.12.254 ++RECGW6[1]=2001:db8:11::64 ++RECGW6[2]=2001:db8:12::64 ++ ++# for v4 mapped to v6 ++declare -A TEST_NET4IN6IN6 ++TEST_NET4IN6[1]=10.1.1.254 ++TEST_NET4IN6[2]=10.2.1.254 ++ ++# mcast address ++MCAST6=ff02::1 ++ ++ ++PEER_NS=bart ++PEER_CMD="ip netns exec ${PEER_NS}" ++VRF=lisa ++VRF_TABLE=1101 ++PBR_TABLE=101 ++ ++################################################################################ ++# utilities ++ ++log_test() ++{ ++ local rc=$1 ++ local expected=$2 ++ local msg="$3" ++ ++ if [ ${rc} -eq ${expected} ]; then ++ nsuccess=$((nsuccess+1)) ++ printf "\n TEST: %-50s [ OK ]\n" "${msg}" ++ else ++ nfail=$((nfail+1)) ++ printf "\n TEST: %-50s [FAIL]\n" "${msg}" ++ if [ "${PAUSE_ON_FAIL}" = "yes" ]; then ++ echo ++ echo "hit enter to continue, 'q' to quit" ++ read a ++ [ "$a" = "q" ] && exit 1 ++ fi ++ fi ++} ++ ++log_section() ++{ ++ echo ++ echo "######################################################################" ++ echo "TEST SECTION: $*" ++ echo "######################################################################" ++} ++ ++log_subsection() ++{ ++ echo ++ echo "#########################################" ++ echo "TEST SUBSECTION: $*" ++} ++ ++run_cmd() ++{ ++ echo ++ echo "COMMAND: $*" ++ eval $* ++} ++ ++get_linklocal() ++{ ++ local dev=$1 ++ local pfx ++ local addr ++ ++ addr=$(${pfx} ip -6 -br addr show dev ${dev} | \ ++ awk '{ ++ for (i = 3; i <= NF; ++i) { ++ if ($i ~ /^fe80/) ++ print $i ++ } ++ }' ++ ) ++ addr=${addr/\/*} ++ ++ [ -z "$addr" ] && return 1 ++ ++ echo $addr ++ ++ return 0 ++} ++ ++################################################################################ ++# ++ ++setup() ++{ ++ echo ++ echo "########################################" ++ echo "Configuring interfaces" ++ ++ set -e ++ ++ # create namespace ++ ip netns add ${PEER_NS} ++ ip -netns ${PEER_NS} li set lo up ++ ++ # add vrf table ++ ip li add ${VRF} type vrf table ${VRF_TABLE} ++ ip li set ${VRF} up ++ ip ro add table ${VRF_TABLE} unreachable default ++ ip -6 ro add table ${VRF_TABLE} unreachable default ++ ++ # create test interfaces ++ ip li add ${NETIFS[p1]} type veth peer name ${NETIFS[p2]} ++ ip li add ${NETIFS[p3]} type veth peer name ${NETIFS[p4]} ++ ip li add ${NETIFS[p5]} type veth peer name ${NETIFS[p6]} ++ ip li add ${NETIFS[p7]} type veth peer name ${NETIFS[p8]} ++ ++ # enslave vrf interfaces ++ for n in 5 7; do ++ ip li set ${NETIFS[p${n}]} vrf ${VRF} ++ done ++ ++ # add addresses ++ for n in 1 3 5 7; do ++ ip li set ${NETIFS[p${n}]} up ++ ip addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]} ++ ip addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} ++ done ++ ++ # move peer interfaces to namespace and add addresses ++ for n in 2 4 6 8; do ++ ip li set ${NETIFS[p${n}]} netns ${PEER_NS} up ++ ip -netns ${PEER_NS} addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]} ++ ip -netns ${PEER_NS} addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} ++ done ++ ++ set +e ++ ++ # let DAD complete - assume default of 1 probe ++ sleep 1 ++} ++ ++cleanup() ++{ ++ # make sure we start from a clean slate ++ ip netns del ${PEER_NS} 2>/dev/null ++ for n in 1 3 5 7; do ++ ip link del ${NETIFS[p${n}]} 2>/dev/null ++ done ++ ip link del ${VRF} 2>/dev/null ++ ip ro flush table ${VRF_TABLE} ++ ip -6 ro flush table ${VRF_TABLE} ++} ++ ++################################################################################ ++# IPv4 tests ++# ++ ++run_ip() ++{ ++ local table="$1" ++ local prefix="$2" ++ local gw="$3" ++ local dev="$4" ++ local exp_rc="$5" ++ local desc="$6" ++ ++ # dev arg may be empty ++ [ -n "${dev}" ] && dev="dev ${dev}" ++ ++ run_cmd ip ro add table "${table}" "${prefix}"/32 via "${gw}" "${dev}" onlink ++ log_test $? ${exp_rc} "${desc}" ++} ++ ++valid_onlink_ipv4() ++{ ++ # - unicast connected, unicast recursive ++ # ++ log_subsection "default VRF - main table" ++ ++ run_ip 254 ${TEST_NET4[1]}.1 ${CONGW[1]} ${NETIFS[p1]} 0 "unicast connected" ++ run_ip 254 ${TEST_NET4[1]}.2 ${RECGW4[1]} ${NETIFS[p1]} 0 "unicast recursive" ++ ++ log_subsection "VRF ${VRF}" ++ ++ run_ip ${VRF_TABLE} ${TEST_NET4[2]}.1 ${CONGW[2]} ${NETIFS[p5]} 0 "unicast connected" ++ run_ip ${VRF_TABLE} ${TEST_NET4[2]}.2 ${RECGW4[2]} ${NETIFS[p5]} 0 "unicast recursive" ++ ++ log_subsection "VRF device, PBR table" ++ ++ run_ip ${PBR_TABLE} ${TEST_NET4[2]}.3 ${CONGW[2]} ${NETIFS[p5]} 0 "unicast connected" ++ run_ip ${PBR_TABLE} ${TEST_NET4[2]}.4 ${RECGW4[2]} ${NETIFS[p5]} 0 "unicast recursive" ++} ++ ++invalid_onlink_ipv4() ++{ ++ run_ip 254 ${TEST_NET4[1]}.11 ${V4ADDRS[p1]} ${NETIFS[p1]} 2 \ ++ "Invalid gw - local unicast address" ++ ++ run_ip ${VRF_TABLE} ${TEST_NET4[2]}.11 ${V4ADDRS[p5]} ${NETIFS[p5]} 2 \ ++ "Invalid gw - local unicast address, VRF" ++ ++ run_ip 254 ${TEST_NET4[1]}.101 ${V4ADDRS[p1]} "" 2 "No nexthop device given" ++ ++ run_ip 254 ${TEST_NET4[1]}.102 ${V4ADDRS[p3]} ${NETIFS[p1]} 2 \ ++ "Gateway resolves to wrong nexthop device" ++ ++ run_ip ${VRF_TABLE} ${TEST_NET4[2]}.103 ${V4ADDRS[p7]} ${NETIFS[p5]} 2 \ ++ "Gateway resolves to wrong nexthop device - VRF" ++} ++ ++################################################################################ ++# IPv6 tests ++# ++ ++run_ip6() ++{ ++ local table="$1" ++ local prefix="$2" ++ local gw="$3" ++ local dev="$4" ++ local exp_rc="$5" ++ local desc="$6" ++ ++ # dev arg may be empty ++ [ -n "${dev}" ] && dev="dev ${dev}" ++ ++ run_cmd ip -6 ro add table "${table}" "${prefix}"/128 via "${gw}" "${dev}" onlink ++ log_test $? ${exp_rc} "${desc}" ++} ++ ++valid_onlink_ipv6() ++{ ++ # - unicast connected, unicast recursive, v4-mapped ++ # ++ log_subsection "default VRF - main table" ++ ++ run_ip6 254 ${TEST_NET6[1]}::1 ${V6ADDRS[p1]/::*}::64 ${NETIFS[p1]} 0 "unicast connected" ++ run_ip6 254 ${TEST_NET6[1]}::2 ${RECGW6[1]} ${NETIFS[p1]} 0 "unicast recursive" ++ run_ip6 254 ${TEST_NET6[1]}::3 ::ffff:${TEST_NET4IN6[1]} ${NETIFS[p1]} 0 "v4-mapped" ++ ++ log_subsection "VRF ${VRF}" ++ ++ run_ip6 ${VRF_TABLE} ${TEST_NET6[2]}::1 ${V6ADDRS[p5]/::*}::64 ${NETIFS[p5]} 0 "unicast connected" ++ run_ip6 ${VRF_TABLE} ${TEST_NET6[2]}::2 ${RECGW6[2]} ${NETIFS[p5]} 0 "unicast recursive" ++ run_ip6 ${VRF_TABLE} ${TEST_NET6[2]}::3 ::ffff:${TEST_NET4IN6[2]} ${NETIFS[p5]} 0 "v4-mapped" ++ ++ log_subsection "VRF device, PBR table" ++ ++ run_ip6 ${PBR_TABLE} ${TEST_NET6[2]}::4 ${V6ADDRS[p5]/::*}::64 ${NETIFS[p5]} 0 "unicast connected" ++ run_ip6 ${PBR_TABLE} ${TEST_NET6[2]}::5 ${RECGW6[2]} ${NETIFS[p5]} 0 "unicast recursive" ++ run_ip6 ${PBR_TABLE} ${TEST_NET6[2]}::6 ::ffff:${TEST_NET4IN6[2]} ${NETIFS[p5]} 0 "v4-mapped" ++} ++ ++invalid_onlink_ipv6() ++{ ++ local lladdr ++ ++ lladdr=$(get_linklocal ${NETIFS[p1]}) || return 1 ++ ++ run_ip6 254 ${TEST_NET6[1]}::11 ${V6ADDRS[p1]} ${NETIFS[p1]} 2 \ ++ "Invalid gw - local unicast address" ++ run_ip6 254 ${TEST_NET6[1]}::12 ${lladdr} ${NETIFS[p1]} 2 \ ++ "Invalid gw - local linklocal address" ++ run_ip6 254 ${TEST_NET6[1]}::12 ${MCAST6} ${NETIFS[p1]} 2 \ ++ "Invalid gw - multicast address" ++ ++ lladdr=$(get_linklocal ${NETIFS[p5]}) || return 1 ++ run_ip6 ${VRF_TABLE} ${TEST_NET6[2]}::11 ${V6ADDRS[p5]} ${NETIFS[p5]} 2 \ ++ "Invalid gw - local unicast address, VRF" ++ run_ip6 ${VRF_TABLE} ${TEST_NET6[2]}::12 ${lladdr} ${NETIFS[p5]} 2 \ ++ "Invalid gw - local linklocal address, VRF" ++ run_ip6 ${VRF_TABLE} ${TEST_NET6[2]}::12 ${MCAST6} ${NETIFS[p5]} 2 \ ++ "Invalid gw - multicast address, VRF" ++ ++ run_ip6 254 ${TEST_NET6[1]}::101 ${V6ADDRS[p1]} "" 2 \ ++ "No nexthop device given" ++ ++ # default VRF validation is done against LOCAL table ++ # run_ip6 254 ${TEST_NET6[1]}::102 ${V6ADDRS[p3]/::[0-9]/::64} ${NETIFS[p1]} 2 \ ++ # "Gateway resolves to wrong nexthop device" ++ ++ run_ip6 ${VRF_TABLE} ${TEST_NET6[2]}::103 ${V6ADDRS[p7]/::[0-9]/::64} ${NETIFS[p5]} 2 \ ++ "Gateway resolves to wrong nexthop device - VRF" ++} ++ ++run_onlink_tests() ++{ ++ log_section "IPv4 onlink" ++ log_subsection "Valid onlink commands" ++ valid_onlink_ipv4 ++ log_subsection "Invalid onlink commands" ++ invalid_onlink_ipv4 ++ ++ log_section "IPv6 onlink" ++ log_subsection "Valid onlink commands" ++ valid_onlink_ipv6 ++ invalid_onlink_ipv6 ++} ++ ++################################################################################ ++# main ++ ++nsuccess=0 ++nfail=0 ++ ++cleanup ++setup ++run_onlink_tests ++cleanup ++ ++if [ "$TESTS" != "none" ]; then ++ printf "\nTests passed: %3d\n" ${nsuccess} ++ printf "Tests failed: %3d\n" ${nfail} ++fi diff --git a/queue-4.16/selftests-net-fixes-psock_fanout-ebpf-test-case.patch b/queue-4.16/selftests-net-fixes-psock_fanout-ebpf-test-case.patch new file mode 100644 index 00000000000..acd6cde34e3 --- /dev/null +++ b/queue-4.16/selftests-net-fixes-psock_fanout-ebpf-test-case.patch @@ -0,0 +1,40 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Prashant Bhole +Date: Thu, 15 Feb 2018 09:19:26 +0900 +Subject: selftests/net: fixes psock_fanout eBPF test case + +From: Prashant Bhole + +[ Upstream commit ddd0010392d9cbcb95b53d11b7cafc67b373ab56 ] + +eBPF test fails due to verifier failure because log_buf is too small. +Fixed by increasing log_buf size + +Signed-off-by: Prashant Bhole +Acked-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/psock_fanout.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/tools/testing/selftests/net/psock_fanout.c ++++ b/tools/testing/selftests/net/psock_fanout.c +@@ -128,6 +128,8 @@ static void sock_fanout_getopts(int fd, + + static void sock_fanout_set_ebpf(int fd) + { ++ static char log_buf[65536]; ++ + const int len_off = __builtin_offsetof(struct __sk_buff, len); + struct bpf_insn prog[] = { + { BPF_ALU64 | BPF_MOV | BPF_X, 6, 1, 0, 0 }, +@@ -140,7 +142,6 @@ static void sock_fanout_set_ebpf(int fd) + { BPF_ALU | BPF_MOV | BPF_K, 0, 0, 0, 0 }, + { BPF_JMP | BPF_EXIT, 0, 0, 0, 0 } + }; +- char log_buf[512]; + union bpf_attr attr; + int pfd; + diff --git a/queue-4.16/selftests-print-the-test-we-re-running-to-dev-kmsg.patch b/queue-4.16/selftests-print-the-test-we-re-running-to-dev-kmsg.patch new file mode 100644 index 00000000000..c7f4fc86604 --- /dev/null +++ b/queue-4.16/selftests-print-the-test-we-re-running-to-dev-kmsg.patch @@ -0,0 +1,42 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Michael Ellerman +Date: Fri, 23 Mar 2018 20:44:27 +1100 +Subject: selftests: Print the test we're running to /dev/kmsg + +From: Michael Ellerman + +[ Upstream commit 88893cf787d3062c631cc20b875068eb11756e03 ] + +Some tests cause the kernel to print things to the kernel log +buffer (ie. printk), in particular oops and warnings etc. However when +running all the tests in succession it's not always obvious which +test(s) caused the kernel to print something. + +We can narrow it down by printing which test directory we're running +in to /dev/kmsg, if it's writable. + +Example output: + + [ 170.149149] kselftest: Running tests in powerpc + [ 305.300132] kworker/dying (71) used greatest stack depth: 7776 bytes + left + [ 808.915456] kselftest: Running tests in pstore + +Signed-off-by: Michael Ellerman +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/Makefile | 1 + + 1 file changed, 1 insertion(+) + +--- a/tools/testing/selftests/Makefile ++++ b/tools/testing/selftests/Makefile +@@ -130,6 +130,7 @@ ifdef INSTALL_PATH + BUILD_TARGET=$$BUILD/$$TARGET; \ + echo "echo ; echo Running tests in $$TARGET" >> $(ALL_SCRIPT); \ + echo "echo ========================================" >> $(ALL_SCRIPT); \ ++ echo "[ -w /dev/kmsg ] && echo \"kselftest: Running tests in $$TARGET\" >> /dev/kmsg" >> $(ALL_SCRIPT); \ + echo "cd $$TARGET" >> $(ALL_SCRIPT); \ + make -s --no-print-directory OUTPUT=$$BUILD_TARGET -C $$TARGET emit_tests >> $(ALL_SCRIPT); \ + echo "cd \$$ROOT" >> $(ALL_SCRIPT); \ diff --git a/queue-4.16/serial-8250-don-t-service-rx-fifo-if-interrupts-are-disabled.patch b/queue-4.16/serial-8250-don-t-service-rx-fifo-if-interrupts-are-disabled.patch new file mode 100644 index 00000000000..ec0c185f019 --- /dev/null +++ b/queue-4.16/serial-8250-don-t-service-rx-fifo-if-interrupts-are-disabled.patch @@ -0,0 +1,40 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Vignesh R +Date: Thu, 8 Feb 2018 18:25:41 +0530 +Subject: serial: 8250: Don't service RX FIFO if interrupts are disabled + +From: Vignesh R + +[ Upstream commit 2e9fe539108320820016f78ca7704a7342788380 ] + +Currently, data in RX FIFO is read based on UART_LSR register state even +if RDI and RLSI interrupts are disabled in UART_IER register. +This is because when IRQ handler is called due to TX FIFO empty event, +RX FIFO is serviced based on UART_LSR register status instead of +UART_IIR status. This defeats the purpose of disabling UART RX +FIFO interrupts during throttling(see, omap_8250_throttle()) as IRQ +handler continues to drain UART RX FIFO resulting in overflow of buffer +at tty layer. +Fix this by making sure that driver drains UART RX FIFO only when +UART_IIR_RDI is set along with UART_LSR_BI or UART_LSR_DR bits. + +Signed-off-by: Vignesh R +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_port.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -1867,7 +1867,8 @@ int serial8250_handle_irq(struct uart_po + + status = serial_port_in(port, UART_LSR); + +- if (status & (UART_LSR_DR | UART_LSR_BI)) { ++ if (status & (UART_LSR_DR | UART_LSR_BI) && ++ iir & UART_IIR_RDI) { + if (!up->dma || handle_rx_dma(up, iir)) + status = serial8250_rx_chars(up, status); + } diff --git a/queue-4.16/serial-altera-ensure-port-regshift-is-honored-consistently.patch b/queue-4.16/serial-altera-ensure-port-regshift-is-honored-consistently.patch new file mode 100644 index 00000000000..28cfcb46a3d --- /dev/null +++ b/queue-4.16/serial-altera-ensure-port-regshift-is-honored-consistently.patch @@ -0,0 +1,71 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: "Uwe Kleine-König" +Date: Thu, 25 Jan 2018 14:30:43 +0100 +Subject: serial: altera: ensure port->regshift is honored consistently + +From: "Uwe Kleine-König" + +[ Upstream commit 0e254963b6ba4d63ac911e79537fea38dd03dc50 ] + +Most register accesses in the altera driver honor port->regshift by +using altera_uart_writel(). There are a few accesses however that were +missed when the driver was converted to use port->regshift and some +others were added later in commit 4d9d7d896d77 ("serial: altera_uart: +add earlycon support"). + +Fixes: 2780ad42f5fe ("tty: serial: altera_uart: Use port->regshift to store bus shift") +Signed-off-by: Uwe Kleine-König +Acked-by: Tobias Klauser +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/altera_uart.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/tty/serial/altera_uart.c ++++ b/drivers/tty/serial/altera_uart.c +@@ -327,7 +327,7 @@ static int altera_uart_startup(struct ua + + /* Enable RX interrupts now */ + pp->imr = ALTERA_UART_CONTROL_RRDY_MSK; +- writel(pp->imr, port->membase + ALTERA_UART_CONTROL_REG); ++ altera_uart_writel(port, pp->imr, ALTERA_UART_CONTROL_REG); + + spin_unlock_irqrestore(&port->lock, flags); + +@@ -343,7 +343,7 @@ static void altera_uart_shutdown(struct + + /* Disable all interrupts now */ + pp->imr = 0; +- writel(pp->imr, port->membase + ALTERA_UART_CONTROL_REG); ++ altera_uart_writel(port, pp->imr, ALTERA_UART_CONTROL_REG); + + spin_unlock_irqrestore(&port->lock, flags); + +@@ -432,7 +432,7 @@ static void altera_uart_console_putc(str + ALTERA_UART_STATUS_TRDY_MSK)) + cpu_relax(); + +- writel(c, port->membase + ALTERA_UART_TXDATA_REG); ++ altera_uart_writel(port, c, ALTERA_UART_TXDATA_REG); + } + + static void altera_uart_console_write(struct console *co, const char *s, +@@ -502,13 +502,13 @@ static int __init altera_uart_earlycon_s + return -ENODEV; + + /* Enable RX interrupts now */ +- writel(ALTERA_UART_CONTROL_RRDY_MSK, +- port->membase + ALTERA_UART_CONTROL_REG); ++ altera_uart_writel(port, ALTERA_UART_CONTROL_RRDY_MSK, ++ ALTERA_UART_CONTROL_REG); + + if (dev->baud) { + unsigned int baudclk = port->uartclk / dev->baud; + +- writel(baudclk, port->membase + ALTERA_UART_DIVISOR_REG); ++ altera_uart_writel(port, baudclk, ALTERA_UART_DIVISOR_REG); + } + + dev->con->write = altera_uart_earlycon_write; diff --git a/queue-4.16/serial-arc_uart-fix-out-of-bounds-access-through-dt-alias.patch b/queue-4.16/serial-arc_uart-fix-out-of-bounds-access-through-dt-alias.patch new file mode 100644 index 00000000000..ff2005df728 --- /dev/null +++ b/queue-4.16/serial-arc_uart-fix-out-of-bounds-access-through-dt-alias.patch @@ -0,0 +1,41 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Geert Uytterhoeven +Date: Fri, 23 Feb 2018 14:38:29 +0100 +Subject: serial: arc_uart: Fix out-of-bounds access through DT alias + +From: Geert Uytterhoeven + +[ Upstream commit f9f5786987e81d166c60833edcb7d1836aa16944 ] + +The arc_uart_ports[] array is indexed using a value derived from the +"serialN" alias in DT, which may lead to an out-of-bounds access. + +Fix this by adding a range check. + +Note that the array size is defined by a Kconfig symbol +(CONFIG_SERIAL_ARC_NR_PORTS), so this can even be triggered using a +legitimate DTB. + +Fixes: ea28fd56fcde69af ("serial/arc-uart: switch to devicetree based probing") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/arc_uart.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/tty/serial/arc_uart.c ++++ b/drivers/tty/serial/arc_uart.c +@@ -593,6 +593,11 @@ static int arc_serial_probe(struct platf + if (dev_id < 0) + dev_id = 0; + ++ if (dev_id >= ARRAY_SIZE(arc_uart_ports)) { ++ dev_err(&pdev->dev, "serial%d out of range\n", dev_id); ++ return -EINVAL; ++ } ++ + uart = &arc_uart_ports[dev_id]; + port = &uart->port; + diff --git a/queue-4.16/serial-fsl_lpuart-fix-out-of-bounds-access-through-dt-alias.patch b/queue-4.16/serial-fsl_lpuart-fix-out-of-bounds-access-through-dt-alias.patch new file mode 100644 index 00000000000..0a4fdcc4839 --- /dev/null +++ b/queue-4.16/serial-fsl_lpuart-fix-out-of-bounds-access-through-dt-alias.patch @@ -0,0 +1,36 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Geert Uytterhoeven +Date: Fri, 23 Feb 2018 14:38:30 +0100 +Subject: serial: fsl_lpuart: Fix out-of-bounds access through DT alias + +From: Geert Uytterhoeven + +[ Upstream commit ffab87fdecc655cc676f8be8dd1a2c5e22bd6d47 ] + +The lpuart_ports[] array is indexed using a value derived from the +"serialN" alias in DT, which may lead to an out-of-bounds access. + +Fix this by adding a range check. + +Fixes: c9e2e946fb0ba5d2 ("tty: serial: add Freescale lpuart driver support") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/fsl_lpuart.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/tty/serial/fsl_lpuart.c ++++ b/drivers/tty/serial/fsl_lpuart.c +@@ -2145,6 +2145,10 @@ static int lpuart_probe(struct platform_ + dev_err(&pdev->dev, "failed to get alias id, errno %d\n", ret); + return ret; + } ++ if (ret >= ARRAY_SIZE(lpuart_ports)) { ++ dev_err(&pdev->dev, "serial%d out of range\n", ret); ++ return -EINVAL; ++ } + sport->port.line = ret; + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + sport->port.membase = devm_ioremap_resource(&pdev->dev, res); diff --git a/queue-4.16/serial-imx-fix-out-of-bounds-access-through-serial-port-index.patch b/queue-4.16/serial-imx-fix-out-of-bounds-access-through-serial-port-index.patch new file mode 100644 index 00000000000..c96150e2af4 --- /dev/null +++ b/queue-4.16/serial-imx-fix-out-of-bounds-access-through-serial-port-index.patch @@ -0,0 +1,40 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Geert Uytterhoeven +Date: Fri, 23 Feb 2018 14:38:31 +0100 +Subject: serial: imx: Fix out-of-bounds access through serial port index + +From: Geert Uytterhoeven + +[ Upstream commit 5673444821406dda5fc25e4b52aca419f8065a19 ] + +The imx_ports[] array is indexed using a value derived from the +"serialN" alias in DT, or from platform data, which may lead to an +out-of-bounds access. + +Fix this by adding a range check. + +Fixes: ff05967a07225ab6 ("serial/imx: add of_alias_get_id() reference back") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Uwe Kleine-König +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/imx.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/tty/serial/imx.c ++++ b/drivers/tty/serial/imx.c +@@ -2042,6 +2042,12 @@ static int serial_imx_probe(struct platf + else if (ret < 0) + return ret; + ++ if (sport->port.line >= ARRAY_SIZE(imx_ports)) { ++ dev_err(&pdev->dev, "serial%d out of range\n", ++ sport->port.line); ++ return -EINVAL; ++ } ++ + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + base = devm_ioremap_resource(&pdev->dev, res); + if (IS_ERR(base)) diff --git a/queue-4.16/serial-mvebu-uart-fix-tx-lost-characters.patch b/queue-4.16/serial-mvebu-uart-fix-tx-lost-characters.patch new file mode 100644 index 00000000000..dabbeddd6c8 --- /dev/null +++ b/queue-4.16/serial-mvebu-uart-fix-tx-lost-characters.patch @@ -0,0 +1,39 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Gabriel Matni +Date: Thu, 22 Mar 2018 19:15:12 +0000 +Subject: serial: mvebu-uart: fix tx lost characters + +From: Gabriel Matni + +[ Upstream commit c685af1108d7c303f0b901413405d68eaeac4477 ] + +Fixes missing characters on kernel console at low baud rates (i.e.9600). +The driver should poll TX_RDY or TX_FIFO_EMP instead of TX_EMP to ensure +that the transmitter holding register (THR) is ready to receive a new byte. + +TX_EMP tells us when it is possible to send a break sequence via +SND_BRK_SEQ. While this also indicates that both the THR and the TSR are +empty, it does not guarantee that a new byte can be written just yet. + +Fixes: 30530791a7a0 ("serial: mvebu-uart: initial support for Armada-3700 serial port") +Reviewed-by: Miquel Raynal +Acked-by: Gregory CLEMENT +Signed-off-by: Gabriel Matni +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/mvebu-uart.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/tty/serial/mvebu-uart.c ++++ b/drivers/tty/serial/mvebu-uart.c +@@ -617,7 +617,7 @@ static void wait_for_xmitr(struct uart_p + u32 val; + + readl_poll_timeout_atomic(port->membase + UART_STAT, val, +- (val & STAT_TX_EMP), 1, 10000); ++ (val & STAT_TX_RDY(port)), 1, 10000); + } + + static void mvebu_uart_console_putchar(struct uart_port *port, int ch) diff --git a/queue-4.16/serial-mxs-auart-fix-out-of-bounds-access-through-serial-port-index.patch b/queue-4.16/serial-mxs-auart-fix-out-of-bounds-access-through-serial-port-index.patch new file mode 100644 index 00000000000..95cc9c57cf8 --- /dev/null +++ b/queue-4.16/serial-mxs-auart-fix-out-of-bounds-access-through-serial-port-index.patch @@ -0,0 +1,37 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Geert Uytterhoeven +Date: Fri, 23 Feb 2018 14:38:32 +0100 +Subject: serial: mxs-auart: Fix out-of-bounds access through serial port index + +From: Geert Uytterhoeven + +[ Upstream commit dd345a31bfdec350d2593e6de5964e55c7f19c76 ] + +The auart_port[] array is indexed using a value derived from the +"serialN" alias in DT, or from platform data, which may lead to an +out-of-bounds access. + +Fix this by adding a range check. + +Fixes: 1ea6607d4cdc9179 ("serial: mxs-auart: Allow device tree probing") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/mxs-auart.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/tty/serial/mxs-auart.c ++++ b/drivers/tty/serial/mxs-auart.c +@@ -1663,6 +1663,10 @@ static int mxs_auart_probe(struct platfo + s->port.line = pdev->id < 0 ? 0 : pdev->id; + else if (ret < 0) + return ret; ++ if (s->port.line >= ARRAY_SIZE(auart_port)) { ++ dev_err(&pdev->dev, "serial%d out of range\n", s->port.line); ++ return -EINVAL; ++ } + + if (of_id) { + pdev->id_entry = of_id->data; diff --git a/queue-4.16/serial-samsung-fix-out-of-bounds-access-through-serial-port-index.patch b/queue-4.16/serial-samsung-fix-out-of-bounds-access-through-serial-port-index.patch new file mode 100644 index 00000000000..a0240ade0cc --- /dev/null +++ b/queue-4.16/serial-samsung-fix-out-of-bounds-access-through-serial-port-index.patch @@ -0,0 +1,41 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Geert Uytterhoeven +Date: Fri, 23 Feb 2018 14:38:34 +0100 +Subject: serial: samsung: Fix out-of-bounds access through serial port index + +From: Geert Uytterhoeven + +[ Upstream commit 49ee23b71877831ac087d6083f6f397dc19c9664 ] + +The s3c24xx_serial_ports[] array is indexed using a value derived from +the "serialN" alias in DT, or from an incrementing probe index, which +may lead to an out-of-bounds access. + +Fix this by adding a range check. + +Note that the array size is defined by a Kconfig symbol +(CONFIG_SERIAL_SAMSUNG_UARTS), so this can even be triggered using +a legitimate DTB or legitimate board code. + +Fixes: 13a9f6c64fdc55eb ("serial: samsung: Consider DT alias when probing ports") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/samsung.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/tty/serial/samsung.c ++++ b/drivers/tty/serial/samsung.c +@@ -1818,6 +1818,10 @@ static int s3c24xx_serial_probe(struct p + + dbg("s3c24xx_serial_probe(%p) %d\n", pdev, index); + ++ if (index >= ARRAY_SIZE(s3c24xx_serial_ports)) { ++ dev_err(&pdev->dev, "serial%d out of range\n", index); ++ return -EINVAL; ++ } + ourport = &s3c24xx_serial_ports[index]; + + ourport->drv_data = s3c24xx_get_driver_data(pdev); diff --git a/queue-4.16/serial-sh-sci-fix-out-of-bounds-access-through-dt-alias.patch b/queue-4.16/serial-sh-sci-fix-out-of-bounds-access-through-dt-alias.patch new file mode 100644 index 00000000000..9925f8d048e --- /dev/null +++ b/queue-4.16/serial-sh-sci-fix-out-of-bounds-access-through-dt-alias.patch @@ -0,0 +1,40 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Geert Uytterhoeven +Date: Fri, 23 Feb 2018 14:38:35 +0100 +Subject: serial: sh-sci: Fix out-of-bounds access through DT alias + +From: Geert Uytterhoeven + +[ Upstream commit 090fa4b0dccfa3d04e1c5ab0fe4eba16e6713895 ] + +The sci_ports[] array is indexed using a value derived from the +"serialN" alias in DT, which may lead to an out-of-bounds access. + +Fix this by adding a range check. + +Note that the array size is defined by a Kconfig symbol +(CONFIG_SERIAL_SH_SCI_NR_UARTS), so this can even be triggered using a +legitimate DTB. + +Fixes: 97ed9790c514066b ("serial: sh-sci: Remove unused platform data capabilities field") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/sh-sci.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/tty/serial/sh-sci.c ++++ b/drivers/tty/serial/sh-sci.c +@@ -3098,6 +3098,10 @@ static struct plat_sci_port *sci_parse_d + dev_err(&pdev->dev, "failed to get alias id (%d)\n", id); + return NULL; + } ++ if (id >= ARRAY_SIZE(sci_ports)) { ++ dev_err(&pdev->dev, "serial%d out of range\n", id); ++ return NULL; ++ } + + sp = &sci_ports[id]; + *dev_id = id; diff --git a/queue-4.16/serial-xuartps-fix-out-of-bounds-access-through-dt-alias.patch b/queue-4.16/serial-xuartps-fix-out-of-bounds-access-through-dt-alias.patch new file mode 100644 index 00000000000..db1a872a62b --- /dev/null +++ b/queue-4.16/serial-xuartps-fix-out-of-bounds-access-through-dt-alias.patch @@ -0,0 +1,35 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Geert Uytterhoeven +Date: Fri, 23 Feb 2018 14:38:37 +0100 +Subject: serial: xuartps: Fix out-of-bounds access through DT alias + +From: Geert Uytterhoeven + +[ Upstream commit e7d75e18d0fc3f7193b65282b651f980c778d935 ] + +The cdns_uart_port[] array is indexed using a value derived from the +"serialN" alias in DT, which may lead to an out-of-bounds access. + +Fix this by adding a range check. + +Fixes: 928e9263492069ee ("tty: xuartps: Initialize ports according to aliases") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Michal Simek +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/xilinx_uartps.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/tty/serial/xilinx_uartps.c ++++ b/drivers/tty/serial/xilinx_uartps.c +@@ -1110,7 +1110,7 @@ static struct uart_port *cdns_uart_get_p + struct uart_port *port; + + /* Try the given port id if failed use default method */ +- if (cdns_uart_port[id].mapbase != 0) { ++ if (id < CDNS_UART_NR_PORTS && cdns_uart_port[id].mapbase != 0) { + /* Find the next unused port */ + for (id = 0; id < CDNS_UART_NR_PORTS; id++) + if (cdns_uart_port[id].mapbase == 0) diff --git a/queue-4.16/series b/queue-4.16/series new file mode 100644 index 00000000000..e4fed7b53f9 --- /dev/null +++ b/queue-4.16/series @@ -0,0 +1,338 @@ +sh-fix-debug-trap-failure-to-process-signals-before-return-to-user.patch +firmware-dmi_scan-fix-uuid-length-safety-check.patch +nvme-don-t-send-keep-alives-to-the-discovery-controller.patch +btrfs-clean-up-resources-during-umount-after-trans-is-aborted.patch +btrfs-fix-loss-of-prealloc-extents-past-i_size-after-fsync-log-replay.patch +x86-pgtable-don-t-set-huge-pud-pmd-on-non-leaf-entries.patch +x86-mm-do-not-forbid-_page_rw-before-init-for-__ro_after_init.patch +bnxt_en-ignore-src-port-field-in-decap-filter-nodes.patch +nvme-expand-nvmf_check_if_ready-checks.patch +fs-proc-proc_sysctl.c-fix-potential-page-fault-while-unregistering-sysctl-table.patch +kasan-fix-invalid-free-test-crashing-the-kernel.patch +kasan-slub-fix-handling-of-kasan_slab_free-hook.patch +ipc-msg-introduce-msgctl-msg_stat_any.patch +arm-cma-avoid-double-mapping-to-the-cma-area-if-config_highmem-y.patch +memcg-fix-per_node_info-cleanup.patch +swap-divide-by-zero-when-zero-length-swap-file-on-ssd.patch +z3fold-fix-memory-leak.patch +sr-get-drop-reference-to-device-in-revalidate-and-check_events.patch +force-log-to-disk-before-reading-the-agf-during-a-fstrim.patch +tracing-uprobe_event-fix-strncpy-corner-case.patch +cpufreq-cppc-initialize-shared-perf-capabilities-of-cpus.patch +powerpc-fscr-enable-interrupts-earlier-before-calling-get_user.patch +scsi-aacraid-insure-command-thread-is-not-recursively-stopped.patch +perf-tools-fix-perf-builds-with-clang-support.patch +perf-clang-add-support-for-recent-clang-versions.patch +dp83640-ensure-against-premature-access-to-phy-registers-after-reset.patch +arm-dts-ls1021a-specify-tbipa-register-address.patch +ibmvnic-zero-used-tx-descriptor-counter-on-reset.patch +crypto-af_alg-fix-possible-uninit-value-in-alg_bind.patch +soreuseport-initialise-timewait-reuseport-field.patch +dccp-initialize-ireq-ir_mark.patch +genirq-affinity-don-t-return-with-empty-affinity-masks-on-error.patch +mm-ksm-fix-interaction-with-thp.patch +mm-fix-races-between-address_space-dereference-and-free-in-page_evicatable.patch +mm-thp-fix-potential-clearing-to-referenced-flag-in-page_idle_clear_pte_refs_one.patch +clk-ti-fix-flag-space-conflict-with-clkctrl-clocks.patch +btrfs-bail-out-on-error-during-replay_dir_deletes.patch +btrfs-fix-null-pointer-dereference-in-log_dir_items.patch +btrfs-fix-possible-softlock-on-single-core-machines.patch +ib-rxe-fix-for-oops-in-rxe_register_device-on-ppc64le-arch.patch +ocfs2-dlm-don-t-handle-migrate-lockres-if-already-in-shutdown.patch +powerpc-64s-idle-fix-restore-of-amor-on-power9-after-deep-sleep.patch +sched-rt-fix-rq-clock_update_flags-rqcf_act_skip-warning.patch +x86-mm-fix-bogus-warning-during-efi-bootup-use-boot_cpu_has-instead-of-this_cpu_has-in-build_cr3_noflush.patch +kvm-vmx-raise-internal-error-for-exception-during-invalid-protected-mode-state.patch +lan78xx-connect-phy-early.patch +fscache-fix-hanging-wait-on-page-discarded-by-writeback.patch +media-ov5645-add-missing-of_node_put-in-error-path.patch +dmaengine-rcar-dmac-fix-too-early-late-system-suspend-resume-callbacks.patch +sparc64-make-atomic_xchg-an-inline-function-rather-than-a-macro.patch +rtc-snvs-fix-usage-of-snvs_rtc_enable.patch +riscv-spinlock-strengthen-implementations-with-fences.patch +platform-x86-dell-smbios-fix-memory-leaks-in-build_tokens_sysfs.patch +net-bgmac-fix-endian-access-in-bgmac_dma_tx_ring_free.patch +net-bgmac-correctly-annotate-register-space.patch +bluetooth-btusb-add-usb-id-7392-a611-for-edimax-ew-7611ulb.patch +bnxt_en-fix-clear-flags-in-ethtool-reset-handling.patch +powerpc-64s-sreset-panic-if-there-is-no-debugger-or-crash-dump-handlers.patch +btrfs-tests-qgroup-fix-wrong-tree-backref-level.patch +btrfs-fix-copy_items-return-value-when-logging-an-inode.patch +btrfs-fix-lockdep-splat-in-btrfs_alloc_subvolume_writers.patch +btrfs-qgroup-fix-root-item-corruption-when-multiple-same-source-snapshots-are-created-with-quota-enabled.patch +rxrpc-fix-resend-event-time-calculation.patch +rxrpc-fix-tx-ring-annotation-after-initial-tx-failure.patch +rxrpc-don-t-treat-call-aborts-as-conn-aborts.patch +crypto-inside-secure-move-the-digest-to-the-request-context.patch +xen-acpi-off-by-one-in-read_acpi_id.patch +drivers-macintosh-rack-meter-really-fix-bogus-memsets.patch +acpi-acpi_pad-fix-memory-leak-in-power-saving-threads.patch +powerpc-mpic-check-if-cpu_possible-in-mpic_physmask.patch +ieee802154-ca8210-fix-uninitialised-data-read.patch +mac80211-don-t-warn-on-bad-wmm-parameters-from-buggy-aps.patch +ath10k-advertize-beacon_int_min_gcd.patch +staging-bcm2835-audio-release-resources-on-module_exit.patch +iommu-amd-take-into-account-that-alloc_dev_data-may-return-null.patch +intel_th-use-correct-method-of-finding-hub.patch +m68k-set-dma-and-coherent-masks-for-platform-fec-ethernets.patch +iwlwifi-mvm-check-if-mac80211_queue-is-valid-in-iwl_mvm_disable_txq.patch +iwlwifi-mvm-take-rcu-lock-before-dereferencing.patch +net-mlx5e-move-all-tx-timeout-logic-to-be-under-state-lock.patch +loop-don-t-call-into-filesystem-while-holding-lo_ctl_mutex.patch +parisc-pci-switch-lba-pci-bus-from-hard-fail-to-soft-fail-mode.patch +perf-mmap-fix-accessing-unmapped-mmap-in-perf_mmap__read_done.patch +hwmon-nct6775-fix-writing-pwmx_mode.patch +mt76x2-fix-possible-null-pointer-dereferencing-in-mt76x2_tx.patch +mt76x2-fix-warning-in-ieee80211_get_key_rx_seq.patch +rtc-hctosys-ensure-system-time-doesn-t-overflow-time_t.patch +powerpc-perf-prevent-kernel-address-leak-to-userspace-via-bhrb-buffer.patch +powerpc-perf-fix-kernel-address-leak-via-sampling-registers.patch +rsi-fix-kernel-panic-observed-on-64bit-machine.patch +tools-thermal-tmon-fix-for-segfault.patch +selftests-print-the-test-we-re-running-to-dev-kmsg.patch +i40e-hold-the-rtnl-lock-while-changing-interrupt-schemes.patch +net-mlx5-protect-from-command-bit-overflow.patch +watchdog-davinci_wdt-fix-error-handling-in-davinci_wdt_probe.patch +net-qlge-eliminate-duplicate-barriers-on-weakly-ordered-archs.patch +net-hns3-fix-for-the-wrong-shift-problem-in-hns3_set_txbd_baseinfo.patch +net-hns3-fix-for-returning-wrong-value-problem-in-hns3_get_rss_indir_size.patch +net-hns3-fix-for-returning-wrong-value-problem-in-hns3_get_rss_key_size.patch +net-qualcomm-rmnet-check-for-null-ep-to-avoid-null-pointer-dereference.patch +ath10k-fix-kernel-panic-while-using-worker-ath10k_sta_rc_update_wk.patch +nvme_fc-fix-abort-race-on-teardown-with-lld-reject.patch +nvme-pci-disable-apst-for-samsung-nvme-ssd-960-evo-asus-prime-z370-a.patch +ath9k-fix-crash-in-spectral-scan.patch +btrfs-fix-null-pointer-deref-when-target-device-is-missing.patch +cxgb4-setup-fw-queues-before-registering-netdev.patch +hv_netvsc-fix-the-return-status-in-rx-path.patch +ima-fix-kconfig-to-select-tpm-2.0-crb-interface.patch +ima-fallback-to-the-builtin-hash-algorithm.patch +watchdog-aspeed-allow-configuring-for-alternate-boot.patch +alsa-usb-audio-add-native-dsd-support-for-luxman-da-06.patch +gfs2-check-for-the-end-of-metadata-in-punch_hole.patch +virtio-net-fix-operstate-for-virtio-when-no-virtio_net_f_status.patch +arm-dts-socfpga-fix-gic-ppi-warning.patch +ima-clear-ima_hash.patch +clk-rockchip-fix-wrong-parent-for-sdmmc-phase-clock-for-rk3228.patch +serial-mvebu-uart-fix-tx-lost-characters.patch +ext4-don-t-complain-about-incorrect-features-when-probing.patch +drm-vmwgfx-unpin-the-screen-object-backup-buffer-when-not-used.patch +usb-dwc3-add-softreset-phy-synchonization-delay.patch +usb-dwc3-update-dwc_usb31-gtxfifosiz-reg-fields.patch +usb-dwc3-makefile-fix-link-error-on-randconfig.patch +scsi-devinfo-add-hp-disk-subsystem-device-for-hp-xp-arrays.patch +asoc-rockchip-rk3288-hdmi-analog-select-needed-codecs.patch +iommu-mediatek-fix-protect-memory-setting.patch +cpufreq-cppc_cpufreq-fix-cppc_cpufreq_init-failure-path.patch +firmware-fix-checking-for-return-values-for-fw_add_devm_name.patch +clk-don-t-show-the-incorrect-clock-phase.patch +staging-fsl-dpaa2-eth-fix-incorrect-kfree.patch +ib-mlx5-set-the-default-active-rate-and-width-to-qdr-and-4x.patch +arm64-insn-allow-add-sub-immediate-with-lsl-12.patch +zorro-set-up-z-dev.dma_mask-for-the-dma-api.patch +asoc-samsung-odroid-fix-32000-sample-rate-handling.patch +bcache-quit-dc-writeback_thread-when-bcache_dev_detaching-is-set.patch +remoteproc-imx_rproc-fix-an-error-handling-path-in-imx_rproc_probe.patch +dt-bindings-add-device-tree-binding-for-allwinner-h6-main-ccu.patch +bcache-fix-cached_dev-count-usage-for-bch_cache_set_error.patch +acpica-events-add-a-return-on-failure-from-acpi_hw_register_read.patch +acpica-fix-memory-leak-on-unusual-memory-leak.patch +bcache-stop-dc-writeback_rate_update-properly.patch +acpica-acpi-acpica-fix-acpi-operand-cache-leak-in-nseval.c.patch +cxgb4-fix-queue-free-path-of-uld-drivers.patch +rds-tcp-must-use-spin_lock_irq-and-not-spin_lock_bh-with-rds_tcp_conn_lock.patch +i2c-mv64xxx-apply-errata-delay-only-in-standard-mode.patch +rtc-rk808-fix-possible-race-condition.patch +rtc-m41t80-fix-race-conditions.patch +clk-hisilicon-mark-wdt_mux_p-as-const.patch +kvm-lapic-stop-advertising-directed_eoi-when-in-kernel-ioapic-is-in-use.patch +perf-top-fix-top.call-graph-config-option-reading.patch +perf-stat-fix-core-dump-when-flag-t-is-used.patch +xhci-zero-usb-device-slot_id-member-when-disabling-and-freeing-a-xhci-slot.patch +ib-core-honor-port_num-while-resolving-gid-for-ib-link-layer.patch +drm-amdkfd-add-missing-include-of-mm.h.patch +coresight-use-px-to-print-pcsr-instead-of-p.patch +ibmvnic-fix-reset-return-from-closed-state.patch +regulator-gpio-fix-some-error-handling-paths-in-gpio_regulator_probe.patch +spi-bcm-qspi-fix-some-error-handling-paths.patch +net-smc-pay-attention-to-max_order-for-cq-entries.patch +mips-ath79-fix-ar724x_pll_reg_pcie_config-offset.patch +powerpc-vas-fix-cleanup-when-vas-is-not-configured.patch +pci-restore-config-space-on-runtime-resume-despite-being-unbound.patch +watchdog-sprd_wdt-fix-error-handling-in-sprd_wdt_enable.patch +watchdog-dw-rmw-the-control-register.patch +watchdog-aspeed-fix-translation-of-reset-mode-to-ctrl-register.patch +ipmi_ssif-fix-kernel-panic-at-msg_done_handler.patch +drm-meson-fix-some-error-handling-paths-in-meson_drv_bind_master.patch +drm-meson-fix-an-un-handled-error-path-in-meson_drv_bind_master.patch +usb-dwc2-fix-interval-type-issue.patch +usb-dwc2-hcd-fix-host-channel-halt-flow.patch +usb-dwc2-host-fix-transaction-errors-in-host-mode.patch +usb-gadget-ffs-let-setup-return-usb_gadget_delayed_status.patch +usb-gadget-ffs-execute-copy_to_user-with-user_ds-set.patch +powerpc-add-missing-prototype-for-arch_irq_work_raise.patch +powerpc-powernv-npu-fix-deadlock-in-mmio_invalidate.patch +powerpc-xmon-setup-debugger-hooks-when-first-break-point-is-set.patch +scsi-lpfc-fix-nvme-initiator-firstburst.patch +scsi-core-make-scsi-status-condition-met-equivalent-to-good.patch +f2fs-flush-cp-pack-except-cp-pack-2-page-at-first.patch +cxl-check-if-psl-data-cache-is-available-before-issue-flush-request.patch +f2fs-fix-to-set-keep_size-bit-in-f2fs_zero_range.patch +f2fs-fix-to-clear-cp_trimmed_flag.patch +f2fs-fix-to-check-extent-cache-in-f2fs_drop_extent_tree.patch +asoc-topology-create-tlv-data-for-dapm-widgets.patch +perf-core-fix-installing-cgroup-events-on-cpu.patch +max17042-propagate-of_node-to-power-supply-device.patch +perf-core-fix-perf_output_read_group.patch +clk-tegra-fix-pll_u-rate-configuration.patch +drm-panel-simple-fix-the-bus-format-for-the-ontat-panel.patch +hwmon-pmbus-max8688-accept-negative-page-register-values.patch +hwmon-pmbus-adm1275-accept-negative-page-register-values.patch +usbip-correct-maximum-value-of-config_usbip_vhci_hc_ports.patch +crypto-inside-secure-wait-for-the-request-to-complete-if-in-the-backlog.patch +perf-x86-intel-properly-save-restore-the-pmu-state-in-the-nmi-handler.patch +cdrom-do-not-call-check_disk_change-inside-cdrom_open.patch +efi-arm-only-register-page-tables-when-they-exist.patch +perf-x86-intel-fix-large-period-handling-on-broadwell-cpus.patch +perf-x86-intel-fix-event-update-for-auto-reload.patch +arm64-dts-qcom-fix-spi5-config-on-msm8996.patch +soc-qcom-wcnss_ctrl-fix-increment-in-nv-upload.patch +gfs2-fix-fallocate-chunk-size.patch +usb-gadget-udc-change-comparison-to-bitshift-when-dealing-with-a-mask.patch +usb-gadget-composite-fix-incorrect-handling-of-os-desc-requests.patch +x86-devicetree-initialize-device-tree-before-using-it.patch +x86-devicetree-fix-device-irq-settings-in-dt.patch +phy-rockchip-emmc-retry-calpad-busy-trimming.patch +alsa-vmaster-propagate-slave-error.patch +phy-qcom-qmp-fix-phy-pipe-clock-gating.patch +drm-bridge-sii902x-retry-status-read-after-ddi-i2c.patch +drm-amdgpu-clean-sdma-wptr-register-when-only-enable-wptr-polling.patch +media-cx23885-override-888-impactvcbe-crystal-frequency.patch +media-cx23885-set-subdev-host-data-to-clk_freq-pointer.patch +tools-hv-fix-compiler-warnings-about-major-target_fname.patch +block-null_blk-fix-invalid-parameters-when-loading-module.patch +media-s3c-camif-fix-out-of-bounds-array-access.patch +staging-lustre-fix-bug-in-osc_enter_cache_try.patch +dmaengine-pl330-fix-a-race-condition-in-case-of-threaded-irqs.patch +media-lgdt3306a-fix-a-double-kfree-on-i2c-device-remove.patch +media-lgdt3306a-fix-module-count-mismatch-on-usb-unplug.patch +media-em28xx-add-hauppauge-solohd-dualhd-bulk-models.patch +media-em28xx-usb-bulk-packet-size-fix.patch +arm-dts-keystone-k2e-clocks-fix-missing-unit-address-separator.patch +clk-rockchip-prevent-calculating-mmc-phase-if-clock-rate-is-zero.patch +powerpc-mm-slice-fix-hugepage-allocation-at-hint-address-on-8xx.patch +i2c-core-report-of-style-module-alias-for-devices-registered-via-of.patch +dmaengine-rcar-dmac-check-the-done-lists-in-rcar_dmac_chan_get_residue.patch +enic-enable-rq-before-updating-rq-descriptors.patch +watchdog-asm9260_wdt-fix-error-handling-in-asm9260_wdt_probe.patch +crypto-atmel-aes-fix-the-keys-zeroing-on-errors.patch +crypto-ccp-don-t-disable-interrupts-while-setting-up-debugfs.patch +hwrng-stm32-add-reset-during-probe.patch +pinctrl-devicetree-fix-dt_to_map_one_config-handling-of-hogs.patch +pinctrl-artpec6-dt-add-missing-pin-group-uart5nocts.patch +scsi-mvsas-fix-wrong-endianness-of-sgpio-api.patch +vfio-ccw-fence-off-transport-mode.patch +staging-fsl-dpaa2-eth-fix-incorrect-casts.patch +staging-rtl8192u-return-enomem-on-failed-allocation-of-priv-oldaddr.patch +staging-ks7010-use-constants-from-ieee80211_eid-instead-of-literal-ints.patch +pci-endpoint-fix-kernel-panic-after-put_device.patch +rtc-tx4939-avoid-unintended-sign-extension-on-a-24-bit-shift.patch +rtc-rp5c01-fix-possible-race-condition.patch +dmaengine-qcom-bam_dma-get-num-channels-and-num-ees-from-dt.patch +drm-omap-add-pclk-setting-case-when-channel-is-dss_wb.patch +drm-omapdrm-dss-move-initialization-code-from-component-bind-to-probe.patch +arm-dts-dra71-evm-correct-evm_sd-regulator-max-voltage.patch +drm-amdgpu-disable-gfx-ring-and-disable-pq-wptr-in-hw_fini.patch +block-fix-a-race-between-request-queue-removal-and-the-block-cgroup-controller.patch +drm-amdgpu-adjust-timeout-for-ib_ring_tests-v2.patch +serial-xuartps-fix-out-of-bounds-access-through-dt-alias.patch +serial-sh-sci-fix-out-of-bounds-access-through-dt-alias.patch +serial-samsung-fix-out-of-bounds-access-through-serial-port-index.patch +serial-mxs-auart-fix-out-of-bounds-access-through-serial-port-index.patch +serial-imx-fix-out-of-bounds-access-through-serial-port-index.patch +serial-fsl_lpuart-fix-out-of-bounds-access-through-dt-alias.patch +serial-arc_uart-fix-out-of-bounds-access-through-dt-alias.patch +serial-8250-don-t-service-rx-fifo-if-interrupts-are-disabled.patch +serial-altera-ensure-port-regshift-is-honored-consistently.patch +ibmvnic-allocate-statistics-buffers-during-probe.patch +net-stmmac-ensure-that-the-device-has-released-ownership-before-reading-data.patch +ibmvnic-fix-tx-descriptor-tracking-again.patch +net-stmmac-ensure-that-the-mss-desc-is-the-last-desc-to-set-the-own-bit.patch +cpufreq-reorder-cpufreq_online-error-code-path.patch +dpaa_eth-fix-sg-mapping.patch +pci-add-function-1-dma-alias-quirk-for-marvell-88se9220.patch +staging-lustre-lmv-correctly-iput-lmo_root.patch +udf-provide-saner-default-for-invalid-uid-gid.patch +fanotify-avoid-lost-events-due-to-enomem-for-unlimited-queues.patch +ixgbe-prevent-ptp_rx_hang-from-running-when-in-filter_all-mode.patch +sh_eth-fix-tsu-init-on-sh7734-r8a7740.patch +media-v4l-vsp1-fix-display-stalls-when-requesting-too-many-inputs.patch +media-i2c-adv748x-fix-hdmi-field-heights.patch +media-vb2-fix-videobuf2-to-map-correct-area.patch +media-vivid-fix-incorrect-capabilities-for-radio.patch +media-cx25821-prevent-out-of-bounds-read-on-array-card.patch +x86-xen-add-pvh-specific-rsdp-address-retrieval-function.patch +arm-davinci_all_defconfig-set-config_davinci_watchdog-y.patch +clk-samsung-s3c2410-fix-pll-rates.patch +clk-samsung-exynos7-fix-pll-rates.patch +clk-samsung-exynos5260-fix-pll-rates.patch +clk-samsung-exynos5433-fix-pll-rates.patch +clk-samsung-exynos5250-fix-pll-rates.patch +clk-samsung-exynos3250-fix-pll-rates.patch +power-supply-ltc2941-battery-gauge-fix-temperature-units.patch +arm-dts-bcm283x-fix-probing-of-bcm2835-i2s.patch +arm-dts-bcm283x-fix-pin-function-of-jtag-pins.patch +pcmcia-pm-avoid-noirq-suspend-aborts-during-suspend-to-idle.patch +crypto-inside-secure-do-not-process-request-if-no-command-was-issued.patch +crypto-inside-secure-fix-the-cache_len-computation.patch +crypto-inside-secure-fix-the-extra-cache-computation.patch +hwrng-bcm2835-handle-deferred-clock-properly.patch +crypto-inside-secure-do-not-overwrite-the-threshold-value.patch +crypto-sunxi-ss-add-module_alias-to-sun4i-ss.patch +crypto-inside-secure-fix-the-invalidation-step-during-cra_exit.patch +audit-return-on-memory-error-to-avoid-null-pointer-dereference.patch +x86-mce-amd-collect-error-info-even-if-valid-bits-are-not-set.patch +asoc-fsl_ssi-maintain-a-mask-of-active-streams.patch +net-stmmac-call-correct-function-in-stmmac_mac_config_rx_queues_routing.patch +rcu-call-touch_nmi_watchdog-while-printing-stall-warnings.patch +pinctrl-sh-pfc-r8a7796-fix-mod_sel-register-pin-assignment-for-ssi-pins-group.patch +dt-bindings-display-msm-dsi-fix-the-phy-regulator-supply-props.patch +drm-amd-display-set-vsc-pack-revision-when-dpcd-revision-is-1.2.patch +dpaa_eth-fix-pause-capability-advertisement-logic.patch +mips-octeon-fix-logging-messages-with-spurious-periods-after-newlines.patch +soc-renesas-r8a77970-sysc-fix-power-area-parents.patch +drm-rockchip-respect-page-offset-for-prime-mmap-calls.patch +x86-apic-set-up-through-local-apic-mode-on-the-boot-cpu-if-noapic-specified.patch +perf-test-fix-test-case-inet_pton-to-accept-inlines.patch +perf-report-fix-wrong-jump-arrow.patch +perf-tests-use-arch__compare_symbol_names-to-compare-symbols.patch +perf-report-fix-memory-corruption-in-branch-history-mode-branch-history.patch +perf-tests-fix-dwarf-unwind-for-stripped-binaries.patch +selftests-net-fixes-psock_fanout-ebpf-test-case.patch +drm-vblank-data-type-fixes-for-64-bit-vblank-sequences.patch +netlabel-if-pf_inet6-check-sk_buff-ip-header-version.patch +drm-rcar-du-lvds-fix-lvds-startup-on-r-car-gen3.patch +drm-rcar-du-lvds-fix-lvds-startup-on-r-car-gen2.patch +selftests-add-fib-onlink-tests.patch +rtc-goldfish-add-missing-module_license.patch +arm-dts-at91-nattis-use-the-correct-compatible-for-the-eeprom.patch +arm-dts-at91-tse850-use-the-correct-compatible-for-the-eeprom.patch +regmap-correct-comparison-in-regmap_cached.patch +soc-amlogic-meson-gx-pwrc-vpu-fix-error-on-shutdown-when-domain-is-powered-off.patch +i40e-add-delay-after-emp-reset-for-firmware-to-recover.patch +scsi-lpfc-fix-issue_lip-if-link-is-disabled.patch +scsi-lpfc-fix-nonrecovery-of-nvme-controller-after-cable-swap.patch +scsi-lpfc-fix-soft-lockup-in-lpfc-worker-thread-during-lip-testing.patch +scsi-lpfc-fix-io-failure-during-hba-reset-testing-with-nvme-io.patch +scsi-lpfc-fix-frequency-of-release-wqe-cqes.patch +arm-dts-imx7d-cl-som-imx7-fix-pinctrl_enet.patch +arm-dts-porter-fix-hdmi-output-routing.patch +regulator-of-add-a-missing-of_node_put-in-an-error-handling-path-of-of_regulator_match.patch +pinctrl-msm-use-dynamic-gpio-numbering.patch +pinctrl-mcp23s08-spi-fix-regmap-debugfs-entries.patch +asoc-samsung-i2s-ensure-the-rclk-rate-is-properly-determined.patch +clk-meson-axg-fix-the-od-shift-of-the-sys_pll.patch +clk-meson-axg-add-the-fractional-part-of-the-fixed_pll.patch +bluetooth-btusb-add-device-id-for-rtl8822be.patch +bluetooth-btusb-add-support-for-intel-bluetooth-device-22560.patch +kdb-make-mdr-command-repeat.patch diff --git a/queue-4.16/sh-fix-debug-trap-failure-to-process-signals-before-return-to-user.patch b/queue-4.16/sh-fix-debug-trap-failure-to-process-signals-before-return-to-user.patch new file mode 100644 index 00000000000..30eeb273dad --- /dev/null +++ b/queue-4.16/sh-fix-debug-trap-failure-to-process-signals-before-return-to-user.patch @@ -0,0 +1,32 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Rich Felker +Date: Thu, 15 Mar 2018 20:01:36 -0400 +Subject: sh: fix debug trap failure to process signals before return to user + +From: Rich Felker + +[ Upstream commit 96a598996f6ac518ac79839ecbb17c91af91f4f7 ] + +When responding to a debug trap (breakpoint) in userspace, the +kernel's trap handler raised SIGTRAP but returned from the trap via a +code path that ignored pending signals, resulting in an infinite loop +re-executing the trapping instruction. + +Signed-off-by: Rich Felker +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/sh/kernel/entry-common.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/sh/kernel/entry-common.S ++++ b/arch/sh/kernel/entry-common.S +@@ -255,7 +255,7 @@ debug_trap: + mov.l @r8, r8 + jsr @r8 + nop +- bra __restore_all ++ bra ret_from_exception + nop + CFI_ENDPROC + diff --git a/queue-4.16/sh_eth-fix-tsu-init-on-sh7734-r8a7740.patch b/queue-4.16/sh_eth-fix-tsu-init-on-sh7734-r8a7740.patch new file mode 100644 index 00000000000..1fe72471ccb --- /dev/null +++ b/queue-4.16/sh_eth-fix-tsu-init-on-sh7734-r8a7740.patch @@ -0,0 +1,81 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Sergei Shtylyov +Date: Sat, 24 Feb 2018 22:41:45 +0300 +Subject: sh_eth: fix TSU init on SH7734/R8A7740 + +From: Sergei Shtylyov + +[ Upstream commit a94cf2a614f8bc5b2b33c708626ce695bf71e424 ] + +It appears that the single port Ether controllers having TSU (like SH7734/ +R8A7740) need the same kind of treating in sh_eth_tsu_init() as R7S72100 +currently has -- they also don't have the TSU registers related e.g. to +passing the frames between ports. Add the 'sh_eth_cpu_data::dual_port' +flag and use it as a new criterion for taking a "short path" in the TSU +init sequence in order to avoid writing to the non-existent registers... + +Fixes: f0e81fecd4f8 ("net: sh_eth: Add support SH7734") +Fixes: 73a0d907301e ("net: sh_eth: add support R8A7740") +Signed-off-by: Sergei Shtylyov +Tested-by: Geert Uytterhoeven +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/renesas/sh_eth.c | 6 +++++- + drivers/net/ethernet/renesas/sh_eth.h | 1 + + 2 files changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/renesas/sh_eth.c ++++ b/drivers/net/ethernet/renesas/sh_eth.c +@@ -763,6 +763,7 @@ static struct sh_eth_cpu_data sh7757_dat + .rpadir = 1, + .rpadir_value = 2 << 16, + .rtrate = 1, ++ .dual_port = 1, + }; + + #define SH_GIGA_ETH_BASE 0xfee00000UL +@@ -841,6 +842,7 @@ static struct sh_eth_cpu_data sh7757_dat + .no_trimd = 1, + .no_ade = 1, + .tsu = 1, ++ .dual_port = 1, + }; + + /* SH7734 */ +@@ -911,6 +913,7 @@ static struct sh_eth_cpu_data sh7763_dat + .tsu = 1, + .irq_flags = IRQF_SHARED, + .magic = 1, ++ .dual_port = 1, + }; + + static struct sh_eth_cpu_data sh7619_data = { +@@ -943,6 +946,7 @@ static struct sh_eth_cpu_data sh771x_dat + EESIPR_RRFIP | EESIPR_RTLFIP | EESIPR_RTSFIP | + EESIPR_PREIP | EESIPR_CERFIP, + .tsu = 1, ++ .dual_port = 1, + }; + + static void sh_eth_set_default_cpu_data(struct sh_eth_cpu_data *cd) +@@ -2932,7 +2936,7 @@ static int sh_eth_vlan_rx_kill_vid(struc + /* SuperH's TSU register init function */ + static void sh_eth_tsu_init(struct sh_eth_private *mdp) + { +- if (sh_eth_is_rz_fast_ether(mdp)) { ++ if (!mdp->cd->dual_port) { + sh_eth_tsu_write(mdp, 0, TSU_TEN); /* Disable all CAM entry */ + sh_eth_tsu_write(mdp, TSU_FWSLC_POSTENU | TSU_FWSLC_POSTENL, + TSU_FWSLC); /* Enable POST registers */ +--- a/drivers/net/ethernet/renesas/sh_eth.h ++++ b/drivers/net/ethernet/renesas/sh_eth.h +@@ -509,6 +509,7 @@ struct sh_eth_cpu_data { + unsigned rmiimode:1; /* EtherC has RMIIMODE register */ + unsigned rtrate:1; /* EtherC has RTRATE register */ + unsigned magic:1; /* EtherC has ECMR.MPDE and ECSR.MPD */ ++ unsigned dual_port:1; /* Dual EtherC/E-DMAC */ + }; + + struct sh_eth_private { diff --git a/queue-4.16/soc-amlogic-meson-gx-pwrc-vpu-fix-error-on-shutdown-when-domain-is-powered-off.patch b/queue-4.16/soc-amlogic-meson-gx-pwrc-vpu-fix-error-on-shutdown-when-domain-is-powered-off.patch new file mode 100644 index 00000000000..1aa84940c1d --- /dev/null +++ b/queue-4.16/soc-amlogic-meson-gx-pwrc-vpu-fix-error-on-shutdown-when-domain-is-powered-off.patch @@ -0,0 +1,41 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Heiner Kallweit +Date: Thu, 21 Dec 2017 20:41:02 +0100 +Subject: soc: amlogic: meson-gx-pwrc-vpu: fix error on shutdown when domain is powered off + +From: Heiner Kallweit + +[ Upstream commit 87f88732d25e6175cb4faa8070658f604660d720 ] + +When operating the system headless headless, the domain is never +powered on, leaving the clocks disabled. The shutdown function then +tries to disable the already disabled clocks, resulting in errors. +Therefore call meson_gx_pwrc_vpu_power_off() only if domain is +powered on. +This patch fixes the described issue on my system (Odorid-C2). + +Fixes: 339cd0ea0822 "soc: amlogic: meson-gx-pwrc-vpu: fix power-off when powered by bootloader" +Signed-off-by: Heiner Kallweit +Reviewed-by: Neil Armstrong +Signed-off-by: Kevin Hilman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/amlogic/meson-gx-pwrc-vpu.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/soc/amlogic/meson-gx-pwrc-vpu.c ++++ b/drivers/soc/amlogic/meson-gx-pwrc-vpu.c +@@ -224,7 +224,11 @@ static int meson_gx_pwrc_vpu_probe(struc + + static void meson_gx_pwrc_vpu_shutdown(struct platform_device *pdev) + { +- meson_gx_pwrc_vpu_power_off(&vpu_hdmi_pd.genpd); ++ bool powered_off; ++ ++ powered_off = meson_gx_pwrc_vpu_get_power(&vpu_hdmi_pd); ++ if (!powered_off) ++ meson_gx_pwrc_vpu_power_off(&vpu_hdmi_pd.genpd); + } + + static const struct of_device_id meson_gx_pwrc_vpu_match_table[] = { diff --git a/queue-4.16/soc-qcom-wcnss_ctrl-fix-increment-in-nv-upload.patch b/queue-4.16/soc-qcom-wcnss_ctrl-fix-increment-in-nv-upload.patch new file mode 100644 index 00000000000..ed8e9b582a3 --- /dev/null +++ b/queue-4.16/soc-qcom-wcnss_ctrl-fix-increment-in-nv-upload.patch @@ -0,0 +1,37 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Bjorn Andersson +Date: Tue, 27 Feb 2018 16:45:25 -0800 +Subject: soc: qcom: wcnss_ctrl: Fix increment in NV upload + +From: Bjorn Andersson + +[ Upstream commit 90c29ed7627b6b4aeb603ee197650173c8434512 ] + +hdr.len includes both the size of the header and the fragment, so using +this when stepping through the firmware causes us to skip 16 bytes every +chunk of 3072 bytes; causing only the first fragment to actually be +valid data. + +Instead use fragment size steps through the firmware blob. + +Fixes: ea7a1f275cf0 ("soc: qcom: Introduce WCNSS_CTRL SMD client") +Reported-by: Will Newton +Signed-off-by: Bjorn Andersson +Signed-off-by: Andy Gross +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/qcom/wcnss_ctrl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/soc/qcom/wcnss_ctrl.c ++++ b/drivers/soc/qcom/wcnss_ctrl.c +@@ -249,7 +249,7 @@ static int wcnss_download_nv(struct wcns + /* Increment for next fragment */ + req->seq++; + +- data += req->hdr.len; ++ data += NV_FRAGMENT_SIZE; + left -= NV_FRAGMENT_SIZE; + } while (left > 0); + diff --git a/queue-4.16/soc-renesas-r8a77970-sysc-fix-power-area-parents.patch b/queue-4.16/soc-renesas-r8a77970-sysc-fix-power-area-parents.patch new file mode 100644 index 00000000000..201df7f2a31 --- /dev/null +++ b/queue-4.16/soc-renesas-r8a77970-sysc-fix-power-area-parents.patch @@ -0,0 +1,44 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Sergei Shtylyov +Date: Fri, 16 Feb 2018 23:09:48 +0300 +Subject: soc: renesas: r8a77970-sysc: fix power area parents + +From: Sergei Shtylyov + +[ Upstream commit 40d5c8e94751f4a4fa4e0e27e3805e201a4e79c0 ] + +According to the figure 9.2(b) of the R-Car Series, 3rd Generation User’s +Manual: Hardware Rev. 0.80 the A2IRn and A2SCn power areas in R8A77970 have +the A3IR area as a parent, thus the SYSC driver has those parents wrong... + +Fixes: bab9b2a74fe9 ("soc: renesas: rcar-sysc: add R8A77970 support") +Signed-off-by: Sergei Shtylyov +Reviewed-by: Geert Uytterhoeven +Signed-off-by: Simon Horman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/renesas/r8a77970-sysc.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/soc/renesas/r8a77970-sysc.c ++++ b/drivers/soc/renesas/r8a77970-sysc.c +@@ -25,12 +25,12 @@ static const struct rcar_sysc_area r8a77 + PD_CPU_NOCR }, + { "cr7", 0x240, 0, R8A77970_PD_CR7, R8A77970_PD_ALWAYS_ON }, + { "a3ir", 0x180, 0, R8A77970_PD_A3IR, R8A77970_PD_ALWAYS_ON }, +- { "a2ir0", 0x400, 0, R8A77970_PD_A2IR0, R8A77970_PD_ALWAYS_ON }, +- { "a2ir1", 0x400, 1, R8A77970_PD_A2IR1, R8A77970_PD_A2IR0 }, +- { "a2ir2", 0x400, 2, R8A77970_PD_A2IR2, R8A77970_PD_A2IR0 }, +- { "a2ir3", 0x400, 3, R8A77970_PD_A2IR3, R8A77970_PD_A2IR0 }, +- { "a2sc0", 0x400, 4, R8A77970_PD_A2SC0, R8A77970_PD_ALWAYS_ON }, +- { "a2sc1", 0x400, 5, R8A77970_PD_A2SC1, R8A77970_PD_A2SC0 }, ++ { "a2ir0", 0x400, 0, R8A77970_PD_A2IR0, R8A77970_PD_A3IR }, ++ { "a2ir1", 0x400, 1, R8A77970_PD_A2IR1, R8A77970_PD_A3IR }, ++ { "a2ir2", 0x400, 2, R8A77970_PD_A2IR2, R8A77970_PD_A3IR }, ++ { "a2ir3", 0x400, 3, R8A77970_PD_A2IR3, R8A77970_PD_A3IR }, ++ { "a2sc0", 0x400, 4, R8A77970_PD_A2SC0, R8A77970_PD_A3IR }, ++ { "a2sc1", 0x400, 5, R8A77970_PD_A2SC1, R8A77970_PD_A3IR }, + }; + + const struct rcar_sysc_info r8a77970_sysc_info __initconst = { diff --git a/queue-4.16/soreuseport-initialise-timewait-reuseport-field.patch b/queue-4.16/soreuseport-initialise-timewait-reuseport-field.patch new file mode 100644 index 00000000000..17cb122cdb8 --- /dev/null +++ b/queue-4.16/soreuseport-initialise-timewait-reuseport-field.patch @@ -0,0 +1,149 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Eric Dumazet +Date: Sat, 7 Apr 2018 13:42:43 -0700 +Subject: soreuseport: initialise timewait reuseport field + +From: Eric Dumazet + +[ Upstream commit 3099a52918937ab86ec47038ad80d377ba16c531 ] + +syzbot reported an uninit-value in inet_csk_bind_conflict() [1] + +It turns out we never propagated sk->sk_reuseport into timewait socket. + +[1] +BUG: KMSAN: uninit-value in inet_csk_bind_conflict+0x5f9/0x990 net/ipv4/inet_connection_sock.c:151 +CPU: 1 PID: 3589 Comm: syzkaller008242 Not tainted 4.16.0+ #82 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:17 [inline] + dump_stack+0x185/0x1d0 lib/dump_stack.c:53 + kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067 + __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676 + inet_csk_bind_conflict+0x5f9/0x990 net/ipv4/inet_connection_sock.c:151 + inet_csk_get_port+0x1d28/0x1e40 net/ipv4/inet_connection_sock.c:320 + inet6_bind+0x121c/0x1820 net/ipv6/af_inet6.c:399 + SYSC_bind+0x3f2/0x4b0 net/socket.c:1474 + SyS_bind+0x54/0x80 net/socket.c:1460 + do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 +RIP: 0033:0x4416e9 +RSP: 002b:00007ffce6d15c88 EFLAGS: 00000217 ORIG_RAX: 0000000000000031 +RAX: ffffffffffffffda RBX: 0100000000000000 RCX: 00000000004416e9 +RDX: 000000000000001c RSI: 0000000020402000 RDI: 0000000000000004 +RBP: 0000000000000000 R08: 00000000e6d15e08 R09: 00000000e6d15e08 +R10: 0000000000000004 R11: 0000000000000217 R12: 0000000000009478 +R13: 00000000006cd448 R14: 0000000000000000 R15: 0000000000000000 + +Uninit was stored to memory at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline] + kmsan_save_stack mm/kmsan/kmsan.c:293 [inline] + kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684 + __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521 + tcp_time_wait+0xf17/0xf50 net/ipv4/tcp_minisocks.c:283 + tcp_rcv_state_process+0xebe/0x6490 net/ipv4/tcp_input.c:6003 + tcp_v6_do_rcv+0x11dd/0x1d90 net/ipv6/tcp_ipv6.c:1331 + sk_backlog_rcv include/net/sock.h:908 [inline] + __release_sock+0x2d6/0x680 net/core/sock.c:2271 + release_sock+0x97/0x2a0 net/core/sock.c:2786 + tcp_close+0x277/0x18f0 net/ipv4/tcp.c:2269 + inet_release+0x240/0x2a0 net/ipv4/af_inet.c:427 + inet6_release+0xaf/0x100 net/ipv6/af_inet6.c:435 + sock_release net/socket.c:595 [inline] + sock_close+0xe0/0x300 net/socket.c:1149 + __fput+0x49e/0xa10 fs/file_table.c:209 + ____fput+0x37/0x40 fs/file_table.c:243 + task_work_run+0x243/0x2c0 kernel/task_work.c:113 + exit_task_work include/linux/task_work.h:22 [inline] + do_exit+0x10e1/0x38d0 kernel/exit.c:867 + do_group_exit+0x1a0/0x360 kernel/exit.c:970 + SYSC_exit_group+0x21/0x30 kernel/exit.c:981 + SyS_exit_group+0x25/0x30 kernel/exit.c:979 + do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 +Uninit was stored to memory at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline] + kmsan_save_stack mm/kmsan/kmsan.c:293 [inline] + kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684 + __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521 + inet_twsk_alloc+0xaef/0xc00 net/ipv4/inet_timewait_sock.c:182 + tcp_time_wait+0xd9/0xf50 net/ipv4/tcp_minisocks.c:258 + tcp_rcv_state_process+0xebe/0x6490 net/ipv4/tcp_input.c:6003 + tcp_v6_do_rcv+0x11dd/0x1d90 net/ipv6/tcp_ipv6.c:1331 + sk_backlog_rcv include/net/sock.h:908 [inline] + __release_sock+0x2d6/0x680 net/core/sock.c:2271 + release_sock+0x97/0x2a0 net/core/sock.c:2786 + tcp_close+0x277/0x18f0 net/ipv4/tcp.c:2269 + inet_release+0x240/0x2a0 net/ipv4/af_inet.c:427 + inet6_release+0xaf/0x100 net/ipv6/af_inet6.c:435 + sock_release net/socket.c:595 [inline] + sock_close+0xe0/0x300 net/socket.c:1149 + __fput+0x49e/0xa10 fs/file_table.c:209 + ____fput+0x37/0x40 fs/file_table.c:243 + task_work_run+0x243/0x2c0 kernel/task_work.c:113 + exit_task_work include/linux/task_work.h:22 [inline] + do_exit+0x10e1/0x38d0 kernel/exit.c:867 + do_group_exit+0x1a0/0x360 kernel/exit.c:970 + SYSC_exit_group+0x21/0x30 kernel/exit.c:981 + SyS_exit_group+0x25/0x30 kernel/exit.c:979 + do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 +Uninit was created at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline] + kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188 + kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314 + kmem_cache_alloc+0xaab/0xb90 mm/slub.c:2756 + inet_twsk_alloc+0x13b/0xc00 net/ipv4/inet_timewait_sock.c:163 + tcp_time_wait+0xd9/0xf50 net/ipv4/tcp_minisocks.c:258 + tcp_rcv_state_process+0xebe/0x6490 net/ipv4/tcp_input.c:6003 + tcp_v6_do_rcv+0x11dd/0x1d90 net/ipv6/tcp_ipv6.c:1331 + sk_backlog_rcv include/net/sock.h:908 [inline] + __release_sock+0x2d6/0x680 net/core/sock.c:2271 + release_sock+0x97/0x2a0 net/core/sock.c:2786 + tcp_close+0x277/0x18f0 net/ipv4/tcp.c:2269 + inet_release+0x240/0x2a0 net/ipv4/af_inet.c:427 + inet6_release+0xaf/0x100 net/ipv6/af_inet6.c:435 + sock_release net/socket.c:595 [inline] + sock_close+0xe0/0x300 net/socket.c:1149 + __fput+0x49e/0xa10 fs/file_table.c:209 + ____fput+0x37/0x40 fs/file_table.c:243 + task_work_run+0x243/0x2c0 kernel/task_work.c:113 + exit_task_work include/linux/task_work.h:22 [inline] + do_exit+0x10e1/0x38d0 kernel/exit.c:867 + do_group_exit+0x1a0/0x360 kernel/exit.c:970 + SYSC_exit_group+0x21/0x30 kernel/exit.c:981 + SyS_exit_group+0x25/0x30 kernel/exit.c:979 + do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 + +Fixes: da5e36308d9f ("soreuseport: TCP/IPv4 implementation") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/net/inet_timewait_sock.h | 1 + + net/ipv4/inet_timewait_sock.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/include/net/inet_timewait_sock.h ++++ b/include/net/inet_timewait_sock.h +@@ -43,6 +43,7 @@ struct inet_timewait_sock { + #define tw_family __tw_common.skc_family + #define tw_state __tw_common.skc_state + #define tw_reuse __tw_common.skc_reuse ++#define tw_reuseport __tw_common.skc_reuseport + #define tw_ipv6only __tw_common.skc_ipv6only + #define tw_bound_dev_if __tw_common.skc_bound_dev_if + #define tw_node __tw_common.skc_nulls_node +--- a/net/ipv4/inet_timewait_sock.c ++++ b/net/ipv4/inet_timewait_sock.c +@@ -178,6 +178,7 @@ struct inet_timewait_sock *inet_twsk_all + tw->tw_dport = inet->inet_dport; + tw->tw_family = sk->sk_family; + tw->tw_reuse = sk->sk_reuse; ++ tw->tw_reuseport = sk->sk_reuseport; + tw->tw_hash = sk->sk_hash; + tw->tw_ipv6only = 0; + tw->tw_transparent = inet->transparent; diff --git a/queue-4.16/sparc64-make-atomic_xchg-an-inline-function-rather-than-a-macro.patch b/queue-4.16/sparc64-make-atomic_xchg-an-inline-function-rather-than-a-macro.patch new file mode 100644 index 00000000000..3cfcf0ff87f --- /dev/null +++ b/queue-4.16/sparc64-make-atomic_xchg-an-inline-function-rather-than-a-macro.patch @@ -0,0 +1,46 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: "David S. Miller" +Date: Tue, 3 Apr 2018 08:24:35 -0700 +Subject: sparc64: Make atomic_xchg() an inline function rather than a macro. + +From: "David S. Miller" + +[ Upstream commit d13864b68e41c11e4231de90cf358658f6ecea45 ] + +This avoids a lot of -Wunused warnings such as: + +==================== +kernel/debug/debug_core.c: In function ‘kgdb_cpu_enter’: +./arch/sparc/include/asm/cmpxchg_64.h:55:22: warning: value computed is not used [-Wunused-value] + #define xchg(ptr,x) ((__typeof__(*(ptr)))__xchg((unsigned long)(x),(ptr),sizeof(*(ptr)))) + +./arch/sparc/include/asm/atomic_64.h:86:30: note: in expansion of macro ‘xchg’ + #define atomic_xchg(v, new) (xchg(&((v)->counter), new)) + ^~~~ +kernel/debug/debug_core.c:508:4: note: in expansion of macro ‘atomic_xchg’ + atomic_xchg(&kgdb_active, cpu); + ^~~~~~~~~~~ +==================== + +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/sparc/include/asm/atomic_64.h | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/arch/sparc/include/asm/atomic_64.h ++++ b/arch/sparc/include/asm/atomic_64.h +@@ -83,7 +83,11 @@ ATOMIC_OPS(xor) + #define atomic64_add_negative(i, v) (atomic64_add_return(i, v) < 0) + + #define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n))) +-#define atomic_xchg(v, new) (xchg(&((v)->counter), new)) ++ ++static inline int atomic_xchg(atomic_t *v, int new) ++{ ++ return xchg(&v->counter, new); ++} + + static inline int __atomic_add_unless(atomic_t *v, int a, int u) + { diff --git a/queue-4.16/spi-bcm-qspi-fix-some-error-handling-paths.patch b/queue-4.16/spi-bcm-qspi-fix-some-error-handling-paths.patch new file mode 100644 index 00000000000..d9beea8a9b0 --- /dev/null +++ b/queue-4.16/spi-bcm-qspi-fix-some-error-handling-paths.patch @@ -0,0 +1,44 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Christophe Jaillet +Date: Tue, 13 Mar 2018 19:36:58 +0100 +Subject: spi: bcm-qspi: fIX some error handling paths + +From: Christophe Jaillet + +[ Upstream commit bc3cc75281b3c2b1c5355d88d147b66a753bb9a5 ] + +For some reason, commit c0368e4db4a3 ("spi: bcm-qspi: Fix use after free +in bcm_qspi_probe() in error path") has updated some gotos, but not all of +them. + +This looks spurious, so fix it. + +Fixes: fa236a7ef240 ("spi: bcm-qspi: Add Broadcom MSPI driver") +Signed-off-by: Christophe JAILLET +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-bcm-qspi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/spi/spi-bcm-qspi.c ++++ b/drivers/spi/spi-bcm-qspi.c +@@ -1247,7 +1247,7 @@ int bcm_qspi_probe(struct platform_devic + qspi->base[MSPI] = devm_ioremap_resource(dev, res); + if (IS_ERR(qspi->base[MSPI])) { + ret = PTR_ERR(qspi->base[MSPI]); +- goto qspi_probe_err; ++ goto qspi_resource_err; + } + } else { + goto qspi_resource_err; +@@ -1258,7 +1258,7 @@ int bcm_qspi_probe(struct platform_devic + qspi->base[BSPI] = devm_ioremap_resource(dev, res); + if (IS_ERR(qspi->base[BSPI])) { + ret = PTR_ERR(qspi->base[BSPI]); +- goto qspi_probe_err; ++ goto qspi_resource_err; + } + qspi->bspi_mode = true; + } else { diff --git a/queue-4.16/sr-get-drop-reference-to-device-in-revalidate-and-check_events.patch b/queue-4.16/sr-get-drop-reference-to-device-in-revalidate-and-check_events.patch new file mode 100644 index 00000000000..609dbfa0403 --- /dev/null +++ b/queue-4.16/sr-get-drop-reference-to-device-in-revalidate-and-check_events.patch @@ -0,0 +1,119 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Jens Axboe +Date: Wed, 11 Apr 2018 11:26:09 -0600 +Subject: sr: get/drop reference to device in revalidate and check_events + +From: Jens Axboe + +[ Upstream commit 2d097c50212e137e7b53ffe3b37561153eeba87d ] + +We can't just use scsi_cd() to get the scsi_cd structure, we have +to grab a live reference to the device. For both callbacks, we're +not inside an open where we already hold a reference to the device. + +This fixes device removal/addition under concurrent device access, +which otherwise could result in the below oops. + +NULL pointer dereference at 0000000000000010 +PGD 0 P4D 0 +Oops: 0000 [#1] PREEMPT SMP +Modules linked in: +sr 12:0:0:0: [sr2] scsi-1 drive + scsi_debug crc_t10dif crct10dif_generic crct10dif_common nvme nvme_core sb_edac xl +sr 12:0:0:0: Attached scsi CD-ROM sr2 + sr_mod cdrom btrfs xor zstd_decompress zstd_compress xxhash lzo_compress zlib_defc +sr 12:0:0:0: Attached scsi generic sg7 type 5 + igb ahci libahci i2c_algo_bit libata dca [last unloaded: crc_t10dif] +CPU: 43 PID: 4629 Comm: systemd-udevd Not tainted 4.16.0+ #650 +Hardware name: Dell Inc. PowerEdge T630/0NT78X, BIOS 2.3.4 11/09/2016 +RIP: 0010:sr_block_revalidate_disk+0x23/0x190 [sr_mod] +RSP: 0018:ffff883ff357bb58 EFLAGS: 00010292 +RAX: ffffffffa00b07d0 RBX: ffff883ff3058000 RCX: ffff883ff357bb66 +RDX: 0000000000000003 RSI: 0000000000007530 RDI: ffff881fea631000 +RBP: 0000000000000000 R08: ffff881fe4d38400 R09: 0000000000000000 +R10: 0000000000000000 R11: 00000000000001b6 R12: 000000000800005d +R13: 000000000800005d R14: ffff883ffd9b3790 R15: 0000000000000000 +FS: 00007f7dc8e6d8c0(0000) GS:ffff883fff340000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000010 CR3: 0000003ffda98005 CR4: 00000000003606e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + ? __invalidate_device+0x48/0x60 + check_disk_change+0x4c/0x60 + sr_block_open+0x16/0xd0 [sr_mod] + __blkdev_get+0xb9/0x450 + ? iget5_locked+0x1c0/0x1e0 + blkdev_get+0x11e/0x320 + ? bdget+0x11d/0x150 + ? _raw_spin_unlock+0xa/0x20 + ? bd_acquire+0xc0/0xc0 + do_dentry_open+0x1b0/0x320 + ? inode_permission+0x24/0xc0 + path_openat+0x4e6/0x1420 + ? cpumask_any_but+0x1f/0x40 + ? flush_tlb_mm_range+0xa0/0x120 + do_filp_open+0x8c/0xf0 + ? __seccomp_filter+0x28/0x230 + ? _raw_spin_unlock+0xa/0x20 + ? __handle_mm_fault+0x7d6/0x9b0 + ? list_lru_add+0xa8/0xc0 + ? _raw_spin_unlock+0xa/0x20 + ? __alloc_fd+0xaf/0x160 + ? do_sys_open+0x1a6/0x230 + do_sys_open+0x1a6/0x230 + do_syscall_64+0x5a/0x100 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 + +Reviewed-by: Lee Duncan +Reviewed-by: Jan Kara +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/sr.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +--- a/drivers/scsi/sr.c ++++ b/drivers/scsi/sr.c +@@ -585,18 +585,28 @@ out: + static unsigned int sr_block_check_events(struct gendisk *disk, + unsigned int clearing) + { +- struct scsi_cd *cd = scsi_cd(disk); ++ unsigned int ret = 0; ++ struct scsi_cd *cd; + +- if (atomic_read(&cd->device->disk_events_disable_depth)) ++ cd = scsi_cd_get(disk); ++ if (!cd) + return 0; + +- return cdrom_check_events(&cd->cdi, clearing); ++ if (!atomic_read(&cd->device->disk_events_disable_depth)) ++ ret = cdrom_check_events(&cd->cdi, clearing); ++ ++ scsi_cd_put(cd); ++ return ret; + } + + static int sr_block_revalidate_disk(struct gendisk *disk) + { +- struct scsi_cd *cd = scsi_cd(disk); + struct scsi_sense_hdr sshdr; ++ struct scsi_cd *cd; ++ ++ cd = scsi_cd_get(disk); ++ if (!cd) ++ return -ENXIO; + + /* if the unit is not ready, nothing more to do */ + if (scsi_test_unit_ready(cd->device, SR_TIMEOUT, MAX_RETRIES, &sshdr)) +@@ -605,6 +615,7 @@ static int sr_block_revalidate_disk(stru + sr_cd_check(&cd->cdi); + get_sectorsize(cd); + out: ++ scsi_cd_put(cd); + return 0; + } + diff --git a/queue-4.16/staging-bcm2835-audio-release-resources-on-module_exit.patch b/queue-4.16/staging-bcm2835-audio-release-resources-on-module_exit.patch new file mode 100644 index 00000000000..fccce57730a --- /dev/null +++ b/queue-4.16/staging-bcm2835-audio-release-resources-on-module_exit.patch @@ -0,0 +1,254 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Kirill Marinushkin +Date: Fri, 23 Mar 2018 20:32:54 +0100 +Subject: staging: bcm2835-audio: Release resources on module_exit() + +From: Kirill Marinushkin + +[ Upstream commit 626118b472d2eb45f83a0276a18d3e6a01c69f6a ] + +In the current implementation, `rmmod snd_bcm2835` does not release +resources properly. It causes an oops when trying to list sound devices. + +This commit fixes it. + +The details WRT allocation / free are described below. + +Device structure WRT allocation: + +pdev + \childdev[] + \card + \chip + \pcm + \ctl + +Allocation / register sequence: + +* childdev: devm_kzalloc - freed during driver detach +* childdev: device_initialize - freed during device_unregister +* pdev: devres_alloc - freed during driver detach +* childdev: device_add - removed during device_unregister +* pdev, childdev: devres_add - freed during driver detach +* card: snd_card_new - freed during snd_card_free +* chip: kzalloc - freed during kfree +* card, chip: snd_device_new - freed during snd_device_free +* chip: new_pcm - TODO: free pcm +* chip: new_ctl - TODO: free ctl +* card: snd_card_register - unregistered during snd_card_free + +Free / unregister sequence: + +* card: snd_card_free +* card, chip: snd_device_free +* childdev: device_unregister +* chip: kfree + +Steps to reproduce the issue before this commit: + +~~~~ +$ rmmod snd_bcm2835 +$ aplay -L +[ 138.648130] Unable to handle kernel paging request at virtual address 7f1343c0 +[ 138.660415] pgd = ad8f0000 +[ 138.665567] [7f1343c0] *pgd=3864c811, *pte=00000000, *ppte=00000000 +[ 138.674887] Internal error: Oops: 7 [#1] SMP ARM +[ 138.683571] Modules linked in: sha256_generic cfg80211 rfkill snd_pcm snd_timer + snd fixed uio_pdrv_genirq uio ip_tables x_tables ipv6 [last unloaded: snd_bcm2835 +] +[ 138.706594] CPU: 3 PID: 463 Comm: aplay Tainted: G WC 4.15.0-rc1-v +7+ #6 +[ 138.719833] Hardware name: BCM2835 +[ 138.726016] task: b877ac00 task.stack: aebec000 +[ 138.733408] PC is at try_module_get+0x38/0x24c +[ 138.740813] LR is at snd_ctl_open+0x58/0x194 [snd] +[ 138.748485] pc : [<801c4d5c>] lr : [<7f0e6b2c>] psr: 20000013 +[ 138.757709] sp : aebedd60 ip : aebedd88 fp : aebedd84 +[ 138.765884] r10: 00000000 r9 : 00000004 r8 : 7f0ed440 +[ 138.774040] r7 : b7e469b0 r6 : 7f0e6b2c r5 : afd91900 r4 : 7f1343c0 +[ 138.783571] r3 : aebec000 r2 : 00000001 r1 : b877ac00 r0 : 7f1343c0 +[ 138.793084] Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user +[ 138.803300] Control: 10c5387d Table: 2d8f006a DAC: 00000055 +[ 138.812064] Process aplay (pid: 463, stack limit = 0xaebec210) +[ 138.820868] Stack: (0xaebedd60 to 0xaebee000) +[ 138.828207] dd60: 00000000 b848d000 afd91900 00000000 b7e469b0 7f0ed440 aebedda4 aebedd88 +[ 138.842371] dd80: 7f0e6b2c 801c4d30 afd91900 7f0ea4dc 00000000 b7e469b0 aebeddcc aebedda8 +[ 138.856611] dda0: 7f0e250c 7f0e6ae0 7f0e2464 b8478ec0 b7e469b0 afd91900 7f0ea388 00000000 +[ 138.870864] ddc0: aebeddf4 aebeddd0 802ce590 7f0e2470 8090ab64 afd91900 afd91900 b7e469b0 +[ 138.885301] dde0: afd91908 802ce4e4 aebede1c aebeddf8 802c57b4 802ce4f0 afd91900 aebedea8 +[ 138.900110] de00: b7fa4c00 00000000 00000000 00000004 aebede3c aebede20 802c6ba8 802c56b4 +[ 138.915260] de20: aebedea8 00000000 aebedf5c 00000000 aebedea4 aebede40 802d9a68 802c6b58 +[ 138.930661] de40: b874ddd0 00000000 00000000 00000001 00000041 00000000 afd91900 aebede70 +[ 138.946402] de60: 00000000 00000000 00000002 b7e469b0 b8a87610 b8d6ab80 801852f8 00080000 +[ 138.962314] de80: aebedf5c aebedea8 00000001 80108464 aebec000 00000000 aebedf4c aebedea8 +[ 138.978414] dea0: 802dacd4 802d970c b8a87610 b8d6ab80 a7982bc6 00000009 af363019 b9231480 +[ 138.994617] dec0: 00000000 b8c038a0 b7e469b0 00000101 00000002 00000238 00000000 00000000 +[ 139.010823] dee0: 00000000 aebedee8 00080000 0000000f aebedf3c aebedf00 802ed7e4 80843f94 +[ 139.027025] df00: 00000003 00080000 b9231490 b9231480 00000000 00080000 af363000 00000000 +[ 139.043229] df20: 00000005 00000002 ffffff9c 00000000 00080000 ffffff9c af363000 00000003 +[ 139.059430] df40: aebedf94 aebedf50 802c6f70 802dac70 aebec000 00000000 00000001 00000000 +[ 139.075629] df60: 00020000 00000004 00000100 00000001 7ebe577c 0002e038 00000000 00000005 +[ 139.091828] df80: 80108464 aebec000 aebedfa4 aebedf98 802c7060 802c6e6c 00000000 aebedfa8 +[ 139.108025] dfa0: 801082c0 802c7040 7ebe577c 0002e038 7ebe577c 00080000 00000b98 e81c8400 +[ 139.124222] dfc0: 7ebe577c 0002e038 00000000 00000005 7ebe57e4 00a20af8 7ebe57f0 76f87394 +[ 139.140419] dfe0: 00000000 7ebe55c4 76ec88e8 76df1d9c 60000010 7ebe577c 00000000 00000000 +[ 139.156715] [<801c4d5c>] (try_module_get) from [<7f0e6b2c>] (snd_ctl_open+0x58/0x194 [snd]) +[ 139.173222] [<7f0e6b2c>] (snd_ctl_open [snd]) from [<7f0e250c>] (snd_open+0xa8/0x14c [snd]) +[ 139.189683] [<7f0e250c>] (snd_open [snd]) from [<802ce590>] (chrdev_open+0xac/0x188) +[ 139.205465] [<802ce590>] (chrdev_open) from [<802c57b4>] (do_dentry_open+0x10c/0x314) +[ 139.221347] [<802c57b4>] (do_dentry_open) from [<802c6ba8>] (vfs_open+0x5c/0x88) +[ 139.236788] [<802c6ba8>] (vfs_open) from [<802d9a68>] (path_openat+0x368/0x944) +[ 139.248270] [<802d9a68>] (path_openat) from [<802dacd4>] (do_filp_open+0x70/0xc4) +[ 139.263731] [<802dacd4>] (do_filp_open) from [<802c6f70>] (do_sys_open+0x110/0x1d4) +[ 139.279378] [<802c6f70>] (do_sys_open) from [<802c7060>] (SyS_open+0x2c/0x30) +[ 139.290647] [<802c7060>] (SyS_open) from [<801082c0>] (ret_fast_syscall+0x0/0x28) +[ 139.306021] Code: e3c3303f e5932004 e2822001 e5832004 (e5943000) +[ 139.316265] ---[ end trace 7f3f7f6193b663ed ]--- +[ 139.324956] note: aplay[463] exited with preempt_count 1 +~~~~ + +Signed-off-by: Kirill Marinushkin +Cc: Eric Anholt +Cc: Stefan Wahren +Cc: Greg Kroah-Hartman +Cc: Florian Fainelli +Cc: Ray Jui +Cc: Scott Branden +Cc: bcm-kernel-feedback-list@broadcom.com +Cc: Michael Zoran +Cc: Andy Shevchenko +Cc: linux-rpi-kernel@lists.infradead.org +Cc: linux-arm-kernel@lists.infradead.org +Cc: devel@driverdev.osuosl.org +Cc: linux-kernel@vger.kernel.org +Reviewed-by: Andy Shevchenko +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/vc04_services/bcm2835-audio/bcm2835.c | 54 ++++++++---------- + 1 file changed, 25 insertions(+), 29 deletions(-) + +--- a/drivers/staging/vc04_services/bcm2835-audio/bcm2835.c ++++ b/drivers/staging/vc04_services/bcm2835-audio/bcm2835.c +@@ -25,6 +25,10 @@ MODULE_PARM_DESC(enable_compat_alsa, + static void snd_devm_unregister_child(struct device *dev, void *res) + { + struct device *childdev = *(struct device **)res; ++ struct bcm2835_chip *chip = dev_get_drvdata(childdev); ++ struct snd_card *card = chip->card; ++ ++ snd_card_free(card); + + device_unregister(childdev); + } +@@ -50,6 +54,13 @@ static int snd_devm_add_child(struct dev + return 0; + } + ++static void snd_bcm2835_release(struct device *dev) ++{ ++ struct bcm2835_chip *chip = dev_get_drvdata(dev); ++ ++ kfree(chip); ++} ++ + static struct device * + snd_create_device(struct device *parent, + struct device_driver *driver, +@@ -65,6 +76,7 @@ snd_create_device(struct device *parent, + device_initialize(device); + device->parent = parent; + device->driver = driver; ++ device->release = snd_bcm2835_release; + + dev_set_name(device, "%s", name); + +@@ -75,18 +87,19 @@ snd_create_device(struct device *parent, + return device; + } + +-static int snd_bcm2835_free(struct bcm2835_chip *chip) +-{ +- kfree(chip); +- return 0; +-} +- + /* component-destructor + * (see "Management of Cards and Components") + */ + static int snd_bcm2835_dev_free(struct snd_device *device) + { +- return snd_bcm2835_free(device->device_data); ++ struct bcm2835_chip *chip = device->device_data; ++ struct snd_card *card = chip->card; ++ ++ /* TODO: free pcm, ctl */ ++ ++ snd_device_free(card, chip); ++ ++ return 0; + } + + /* chip-specific constructor +@@ -111,7 +124,7 @@ static int snd_bcm2835_create(struct snd + + err = snd_device_new(card, SNDRV_DEV_LOWLEVEL, chip, &ops); + if (err) { +- snd_bcm2835_free(chip); ++ kfree(chip); + return err; + } + +@@ -119,31 +132,14 @@ static int snd_bcm2835_create(struct snd + return 0; + } + +-static void snd_devm_card_free(struct device *dev, void *res) ++static struct snd_card *snd_bcm2835_card_new(struct device *dev) + { +- struct snd_card *snd_card = *(struct snd_card **)res; +- +- snd_card_free(snd_card); +-} +- +-static struct snd_card *snd_devm_card_new(struct device *dev) +-{ +- struct snd_card **dr; + struct snd_card *card; + int ret; + +- dr = devres_alloc(snd_devm_card_free, sizeof(*dr), GFP_KERNEL); +- if (!dr) +- return ERR_PTR(-ENOMEM); +- + ret = snd_card_new(dev, -1, NULL, THIS_MODULE, 0, &card); +- if (ret) { +- devres_free(dr); ++ if (ret) + return ERR_PTR(ret); +- } +- +- *dr = card; +- devres_add(dev, dr); + + return card; + } +@@ -260,7 +256,7 @@ static int snd_add_child_device(struct d + return PTR_ERR(child); + } + +- card = snd_devm_card_new(child); ++ card = snd_bcm2835_card_new(child); + if (IS_ERR(card)) { + dev_err(child, "Failed to create card"); + return PTR_ERR(card); +@@ -302,7 +298,7 @@ static int snd_add_child_device(struct d + return err; + } + +- dev_set_drvdata(child, card); ++ dev_set_drvdata(child, chip); + dev_info(child, "card created with %d channels\n", numchans); + + return 0; diff --git a/queue-4.16/staging-fsl-dpaa2-eth-fix-incorrect-casts.patch b/queue-4.16/staging-fsl-dpaa2-eth-fix-incorrect-casts.patch new file mode 100644 index 00000000000..771b2825ceb --- /dev/null +++ b/queue-4.16/staging-fsl-dpaa2-eth-fix-incorrect-casts.patch @@ -0,0 +1,52 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Ioana Radulescu +Date: Mon, 26 Feb 2018 10:28:06 -0600 +Subject: staging: fsl-dpaa2/eth: Fix incorrect casts + +From: Ioana Radulescu + +[ Upstream commit 75c583ab9709692a60871d4719006391cde8dc1d ] + +The DPAA2 Ethernet driver incorrectly assumes virtual addresses +are always 64b long, which causes compiler errors when building +for a 32b platform. + +Fix this by using explicit casts to uintptr_t where necessary. + +Signed-off-by: Ioana Radulescu +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c ++++ b/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c +@@ -324,7 +324,7 @@ static int consume_frames(struct dpaa2_e + } + + fd = dpaa2_dq_fd(dq); +- fq = (struct dpaa2_eth_fq *)dpaa2_dq_fqd_ctx(dq); ++ fq = (struct dpaa2_eth_fq *)(uintptr_t)dpaa2_dq_fqd_ctx(dq); + fq->stats.frames++; + + fq->consume(priv, ch, fd, &ch->napi, fq->flowid); +@@ -1908,7 +1908,7 @@ static int setup_rx_flow(struct dpaa2_et + queue.destination.id = fq->channel->dpcon_id; + queue.destination.type = DPNI_DEST_DPCON; + queue.destination.priority = 1; +- queue.user_context = (u64)fq; ++ queue.user_context = (u64)(uintptr_t)fq; + err = dpni_set_queue(priv->mc_io, 0, priv->mc_token, + DPNI_QUEUE_RX, 0, fq->flowid, + DPNI_QUEUE_OPT_USER_CTX | DPNI_QUEUE_OPT_DEST, +@@ -1960,7 +1960,7 @@ static int setup_tx_flow(struct dpaa2_et + queue.destination.id = fq->channel->dpcon_id; + queue.destination.type = DPNI_DEST_DPCON; + queue.destination.priority = 0; +- queue.user_context = (u64)fq; ++ queue.user_context = (u64)(uintptr_t)fq; + err = dpni_set_queue(priv->mc_io, 0, priv->mc_token, + DPNI_QUEUE_TX_CONFIRM, 0, fq->flowid, + DPNI_QUEUE_OPT_USER_CTX | DPNI_QUEUE_OPT_DEST, diff --git a/queue-4.16/staging-fsl-dpaa2-eth-fix-incorrect-kfree.patch b/queue-4.16/staging-fsl-dpaa2-eth-fix-incorrect-kfree.patch new file mode 100644 index 00000000000..1526694ca4a --- /dev/null +++ b/queue-4.16/staging-fsl-dpaa2-eth-fix-incorrect-kfree.patch @@ -0,0 +1,64 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Ioana Radulescu +Date: Wed, 14 Mar 2018 15:04:51 -0500 +Subject: staging: fsl-dpaa2/eth: Fix incorrect kfree + +From: Ioana Radulescu + +[ Upstream commit 6a9bbe53db9a5aa0be9788aa8a2c250dee55444b ] + +Use netdev_alloc_frag() instead of kmalloc to allocate space for +the S/G table of egress multi-buffer frames. + +This fixes a bug where an unaligned pointer received from the +allocator would be overwritten with the 64B aligned value, +leading to a wrong address being later passed to kfree. + +Signed-off-by: Ioana Radulescu +Reported-by: Dan Carpenter +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c ++++ b/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c +@@ -374,12 +374,14 @@ static int build_sg_fd(struct dpaa2_eth_ + /* Prepare the HW SGT structure */ + sgt_buf_size = priv->tx_data_offset + + sizeof(struct dpaa2_sg_entry) * (1 + num_dma_bufs); +- sgt_buf = kzalloc(sgt_buf_size + DPAA2_ETH_TX_BUF_ALIGN, GFP_ATOMIC); ++ sgt_buf = netdev_alloc_frag(sgt_buf_size + DPAA2_ETH_TX_BUF_ALIGN); + if (unlikely(!sgt_buf)) { + err = -ENOMEM; + goto sgt_buf_alloc_failed; + } + sgt_buf = PTR_ALIGN(sgt_buf, DPAA2_ETH_TX_BUF_ALIGN); ++ memset(sgt_buf, 0, sgt_buf_size); ++ + sgt = (struct dpaa2_sg_entry *)(sgt_buf + priv->tx_data_offset); + + /* Fill in the HW SGT structure. +@@ -421,7 +423,7 @@ static int build_sg_fd(struct dpaa2_eth_ + return 0; + + dma_map_single_failed: +- kfree(sgt_buf); ++ skb_free_frag(sgt_buf); + sgt_buf_alloc_failed: + dma_unmap_sg(dev, scl, num_sg, DMA_BIDIRECTIONAL); + dma_map_sg_failed: +@@ -525,9 +527,9 @@ static void free_tx_fd(const struct dpaa + return; + } + +- /* Free SGT buffer kmalloc'ed on tx */ ++ /* Free SGT buffer allocated on tx */ + if (fd_format != dpaa2_fd_single) +- kfree(skbh); ++ skb_free_frag(skbh); + + /* Move on with skb release */ + dev_kfree_skb(skb); diff --git a/queue-4.16/staging-ks7010-use-constants-from-ieee80211_eid-instead-of-literal-ints.patch b/queue-4.16/staging-ks7010-use-constants-from-ieee80211_eid-instead-of-literal-ints.patch new file mode 100644 index 00000000000..b55e4bba2bf --- /dev/null +++ b/queue-4.16/staging-ks7010-use-constants-from-ieee80211_eid-instead-of-literal-ints.patch @@ -0,0 +1,107 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Quytelda Kahja +Date: Wed, 28 Feb 2018 21:19:07 -0800 +Subject: staging: ks7010: Use constants from ieee80211_eid instead of literal ints. + +From: Quytelda Kahja + +[ Upstream commit dc13498ab47fdfae3cda4df712beb2e4244b3fe0 ] + +The case statement in get_ap_information() should not use literal integers +to parse information element IDs when these values are provided by name +in 'enum ieee80211_eid' in the header 'linux/ieee80211.h'. + +Signed-off-by: Quytelda Kahja +Reviewed-by: Tobin C. Harding +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/ks7010/ks_hostif.c | 31 +++++++++++++++---------------- + drivers/staging/ks7010/ks_hostif.h | 1 + + 2 files changed, 16 insertions(+), 16 deletions(-) + +--- a/drivers/staging/ks7010/ks_hostif.c ++++ b/drivers/staging/ks7010/ks_hostif.c +@@ -242,9 +242,8 @@ int get_ap_information(struct ks_wlan_pr + offset = 0; + + while (bsize > offset) { +- /* DPRINTK(4, "Element ID=%d\n",*bp); */ +- switch (*bp) { +- case 0: /* ssid */ ++ switch (*bp) { /* Information Element ID */ ++ case WLAN_EID_SSID: + if (*(bp + 1) <= SSID_MAX_SIZE) { + ap->ssid.size = *(bp + 1); + } else { +@@ -254,8 +253,8 @@ int get_ap_information(struct ks_wlan_pr + } + memcpy(ap->ssid.body, bp + 2, ap->ssid.size); + break; +- case 1: /* rate */ +- case 50: /* ext rate */ ++ case WLAN_EID_SUPP_RATES: ++ case WLAN_EID_EXT_SUPP_RATES: + if ((*(bp + 1) + ap->rate_set.size) <= + RATE_SET_MAX_SIZE) { + memcpy(&ap->rate_set.body[ap->rate_set.size], +@@ -271,9 +270,9 @@ int get_ap_information(struct ks_wlan_pr + (RATE_SET_MAX_SIZE - ap->rate_set.size); + } + break; +- case 3: /* DS parameter */ ++ case WLAN_EID_DS_PARAMS: + break; +- case 48: /* RSN(WPA2) */ ++ case WLAN_EID_RSN: + ap->rsn_ie.id = *bp; + if (*(bp + 1) <= RSN_IE_BODY_MAX) { + ap->rsn_ie.size = *(bp + 1); +@@ -284,8 +283,8 @@ int get_ap_information(struct ks_wlan_pr + } + memcpy(ap->rsn_ie.body, bp + 2, ap->rsn_ie.size); + break; +- case 221: /* WPA */ +- if (memcmp(bp + 2, "\x00\x50\xf2\x01", 4) == 0) { /* WPA OUI check */ ++ case WLAN_EID_VENDOR_SPECIFIC: /* WPA */ ++ if (memcmp(bp + 2, "\x00\x50\xf2\x01", 4) == 0) { /* WPA OUI check */ + ap->wpa_ie.id = *bp; + if (*(bp + 1) <= RSN_IE_BODY_MAX) { + ap->wpa_ie.size = *(bp + 1); +@@ -300,18 +299,18 @@ int get_ap_information(struct ks_wlan_pr + } + break; + +- case 2: /* FH parameter */ +- case 4: /* CF parameter */ +- case 5: /* TIM */ +- case 6: /* IBSS parameter */ +- case 7: /* Country */ +- case 42: /* ERP information */ +- case 47: /* Reserve ID 47 Broadcom AP */ ++ case WLAN_EID_FH_PARAMS: ++ case WLAN_EID_CF_PARAMS: ++ case WLAN_EID_TIM: ++ case WLAN_EID_IBSS_PARAMS: ++ case WLAN_EID_COUNTRY: ++ case WLAN_EID_ERP_INFO: + break; + default: + DPRINTK(4, "unknown Element ID=%d\n", *bp); + break; + } ++ + offset += 2; /* id & size field */ + offset += *(bp + 1); /* +size offset */ + bp += (*(bp + 1) + 2); /* pointer update */ +--- a/drivers/staging/ks7010/ks_hostif.h ++++ b/drivers/staging/ks7010/ks_hostif.h +@@ -13,6 +13,7 @@ + #define _KS_HOSTIF_H_ + + #include ++#include + + /* + * HOST-MAC I/F events diff --git a/queue-4.16/staging-lustre-fix-bug-in-osc_enter_cache_try.patch b/queue-4.16/staging-lustre-fix-bug-in-osc_enter_cache_try.patch new file mode 100644 index 00000000000..c5def2d8310 --- /dev/null +++ b/queue-4.16/staging-lustre-fix-bug-in-osc_enter_cache_try.patch @@ -0,0 +1,56 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: NeilBrown +Date: Fri, 2 Mar 2018 10:31:25 +1100 +Subject: staging: lustre: fix bug in osc_enter_cache_try + +From: NeilBrown + +[ Upstream commit 2fab9faf9b27298c4536c1c1b14072ab18b8f80b ] + +The lustre-release patch commit bdc5bb52c554 ("LU-4933 osc: +Automatically increase the max_dirty_mb") changed + +- if (cli->cl_dirty + PAGE_CACHE_SIZE <= cli->cl_dirty_max && ++ if (cli->cl_dirty_pages < cli->cl_dirty_max_pages && + +When this patch landed in Linux a couple of years later, it landed as + +- if (cli->cl_dirty + PAGE_SIZE <= cli->cl_dirty_max && ++ if (cli->cl_dirty_pages <= cli->cl_dirty_max_pages && + +which is clearly different ('<=' vs '<'), and allows cl_dirty_pages to +increase beyond cl_dirty_max_pages - which causes a latter assertion +to fails. + +Fixes: 3147b268400a ("staging: lustre: osc: Automatically increase the max_dirty_mb") +Signed-off-by: NeilBrown +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/lustre/lustre/include/obd.h | 2 +- + drivers/staging/lustre/lustre/osc/osc_cache.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/staging/lustre/lustre/include/obd.h ++++ b/drivers/staging/lustre/lustre/include/obd.h +@@ -191,7 +191,7 @@ struct client_obd { + struct sptlrpc_flavor cl_flvr_mgc; /* fixed flavor of mgc->mgs */ + + /* the grant values are protected by loi_list_lock below */ +- unsigned long cl_dirty_pages; /* all _dirty_ in pahges */ ++ unsigned long cl_dirty_pages; /* all _dirty_ in pages */ + unsigned long cl_dirty_max_pages; /* allowed w/o rpc */ + unsigned long cl_dirty_transit; /* dirty synchronous */ + unsigned long cl_avail_grant; /* bytes of credit for ost */ +--- a/drivers/staging/lustre/lustre/osc/osc_cache.c ++++ b/drivers/staging/lustre/lustre/osc/osc_cache.c +@@ -1530,7 +1530,7 @@ static int osc_enter_cache_try(struct cl + if (rc < 0) + return 0; + +- if (cli->cl_dirty_pages <= cli->cl_dirty_max_pages && ++ if (cli->cl_dirty_pages < cli->cl_dirty_max_pages && + atomic_long_read(&obd_dirty_pages) + 1 <= obd_max_dirty_pages) { + osc_consume_write_grant(cli, &oap->oap_brw_page); + if (transient) { diff --git a/queue-4.16/staging-lustre-lmv-correctly-iput-lmo_root.patch b/queue-4.16/staging-lustre-lmv-correctly-iput-lmo_root.patch new file mode 100644 index 00000000000..62ccc32e692 --- /dev/null +++ b/queue-4.16/staging-lustre-lmv-correctly-iput-lmo_root.patch @@ -0,0 +1,46 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: NeilBrown +Date: Fri, 23 Feb 2018 09:09:33 +1100 +Subject: staging: lustre: lmv: correctly iput lmo_root + +From: NeilBrown + +[ Upstream commit 17556cdbe6ed70a6a20e597b228628f7f34387f8 ] + +Commit 8f18c8a48b73 ("staging: lustre: lmv: separate master object +with master stripe") changed how lmo_root inodes were managed, +particularly when LMV_HASH_FLAG_MIGRATION is not set. +Previously lsm_md_oinfo[0].lmo_root was always a borrowed +inode reference and didn't need to by iput(). +Since the change, that special case only applies when +LMV_HASH_FLAG_MIGRATION is set + +In the upstream (lustre-release) version of this patch [Commit +60e07b972114 ("LU-4690 lod: separate master object with master +stripe")] the for loop in the lmv_unpack_md() was changed to count +from 0 and to ignore entry 0 if LMV_HASH_FLAG_MIGRATION is set. +In the patch that got applied to Linux, that change was missing, +so lsm_md_oinfo[0].lmo_root is never iput(). +This results in a "VFS: Busy inodes" warning at unmount. + +Fixes: 8f18c8a48b73 ("staging: lustre: lmv: separate master object with master stripe") +Signed-off-by: NeilBrown +Reviewed-by: James Simmons +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/lustre/lustre/lmv/lmv_obd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/lustre/lustre/lmv/lmv_obd.c ++++ b/drivers/staging/lustre/lustre/lmv/lmv_obd.c +@@ -2695,7 +2695,7 @@ static int lmv_unpackmd(struct obd_expor + if (lsm && !lmm) { + int i; + +- for (i = 1; i < lsm->lsm_md_stripe_count; i++) { ++ for (i = 0; i < lsm->lsm_md_stripe_count; i++) { + /* + * For migrating inode, the master stripe and master + * object will be the same, so do not need iput, see diff --git a/queue-4.16/staging-rtl8192u-return-enomem-on-failed-allocation-of-priv-oldaddr.patch b/queue-4.16/staging-rtl8192u-return-enomem-on-failed-allocation-of-priv-oldaddr.patch new file mode 100644 index 00000000000..0a53c59850f --- /dev/null +++ b/queue-4.16/staging-rtl8192u-return-enomem-on-failed-allocation-of-priv-oldaddr.patch @@ -0,0 +1,37 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Colin Ian King +Date: Wed, 28 Feb 2018 11:28:49 +0000 +Subject: staging: rtl8192u: return -ENOMEM on failed allocation of priv->oldaddr + +From: Colin Ian King + +[ Upstream commit e1a7418529e33bc4efc346324557251a16a3e79b ] + +Currently the allocation of priv->oldaddr is not null checked which will +lead to subsequent errors when accessing priv->oldaddr. Fix this with +a null pointer check and a return of -ENOMEM on allocation failure. + +Detected with Coccinelle: +drivers/staging/rtl8192u/r8192U_core.c:1708:2-15: alloc with no test, +possible model on line 1723 + +Fixes: 8fc8598e61f6 ("Staging: Added Realtek rtl8192u driver to staging") +Signed-off-by: Colin Ian King +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/rtl8192u/r8192U_core.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/staging/rtl8192u/r8192U_core.c ++++ b/drivers/staging/rtl8192u/r8192U_core.c +@@ -1706,6 +1706,8 @@ static short rtl8192_usb_initendpoints(s + + priv->rx_urb[16] = usb_alloc_urb(0, GFP_KERNEL); + priv->oldaddr = kmalloc(16, GFP_KERNEL); ++ if (!priv->oldaddr) ++ return -ENOMEM; + oldaddr = priv->oldaddr; + align = ((long)oldaddr) & 3; + if (align) { diff --git a/queue-4.16/swap-divide-by-zero-when-zero-length-swap-file-on-ssd.patch b/queue-4.16/swap-divide-by-zero-when-zero-length-swap-file-on-ssd.patch new file mode 100644 index 00000000000..c5e75c52ae9 --- /dev/null +++ b/queue-4.16/swap-divide-by-zero-when-zero-length-swap-file-on-ssd.patch @@ -0,0 +1,54 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Tom Abraham +Date: Tue, 10 Apr 2018 16:29:48 -0700 +Subject: swap: divide-by-zero when zero length swap file on ssd + +From: Tom Abraham + +[ Upstream commit a06ad633a37c64a0cd4c229fc605cee8725d376e ] + +Calling swapon() on a zero length swap file on SSD can lead to a +divide-by-zero. + +Although creating such files isn't possible with mkswap and they woud be +considered invalid, it would be better for the swapon code to be more +robust and handle this condition gracefully (return -EINVAL). +Especially since the fix is small and straightforward. + +To help with wear leveling on SSD, the swapon syscall calculates a +random position in the swap file using modulo p->highest_bit, which is +set to maxpages - 1 in read_swap_header. + +If the swap file is zero length, read_swap_header sets maxpages=1 and +last_page=0, resulting in p->highest_bit=0 and we divide-by-zero when we +modulo p->highest_bit in swapon syscall. + +This can be prevented by having read_swap_header return zero if +last_page is zero. + +Link: http://lkml.kernel.org/r/5AC747C1020000A7001FA82C@prv-mh.provo.novell.com +Signed-off-by: Thomas Abraham +Reported-by: +Reviewed-by: Andrew Morton +Cc: Randy Dunlap +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/swapfile.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/mm/swapfile.c ++++ b/mm/swapfile.c +@@ -2961,6 +2961,10 @@ static unsigned long read_swap_header(st + maxpages = swp_offset(pte_to_swp_entry( + swp_entry_to_pte(swp_entry(0, ~0UL)))) + 1; + last_page = swap_header->info.last_page; ++ if (!last_page) { ++ pr_warn("Empty swap-file\n"); ++ return 0; ++ } + if (last_page > maxpages) { + pr_warn("Truncating oversized swap area, only using %luk out of %luk\n", + maxpages << (PAGE_SHIFT - 10), diff --git a/queue-4.16/tools-hv-fix-compiler-warnings-about-major-target_fname.patch b/queue-4.16/tools-hv-fix-compiler-warnings-about-major-target_fname.patch new file mode 100644 index 00000000000..fcd19bfcbee --- /dev/null +++ b/queue-4.16/tools-hv-fix-compiler-warnings-about-major-target_fname.patch @@ -0,0 +1,59 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Dexuan Cui +Date: Sun, 4 Mar 2018 22:17:14 -0700 +Subject: tools: hv: fix compiler warnings about major/target_fname + +From: Dexuan Cui + +[ Upstream commit 1330fc35327f3ecdfa1aa645e7321ced7349b2cd ] + +This patch fixes the below warnings with new glibc and gcc: + +hv_vss_daemon.c:100:13: warning: In the GNU C Library, "major" is defined + by . For historical compatibility, it is currently +defined by as well, but we plan to remove this soon. +To use "major", include directly. + +hv_fcopy_daemon.c:42:2: note: 'snprintf' output between 2 and 1040 +bytes into a destination of size 260 + +Signed-off-by: Dexuan Cui +Cc: Stephen Hemminger +Cc: K. Y. Srinivasan +Signed-off-by: K. Y. Srinivasan +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/hv/hv_fcopy_daemon.c | 3 ++- + tools/hv/hv_vss_daemon.c | 1 + + 2 files changed, 3 insertions(+), 1 deletion(-) + +--- a/tools/hv/hv_fcopy_daemon.c ++++ b/tools/hv/hv_fcopy_daemon.c +@@ -23,13 +23,14 @@ + #include + #include + #include ++#include + #include + #include + #include + #include + + static int target_fd; +-static char target_fname[W_MAX_PATH]; ++static char target_fname[PATH_MAX]; + static unsigned long long filesize; + + static int hv_start_fcopy(struct hv_start_fcopy *smsg) +--- a/tools/hv/hv_vss_daemon.c ++++ b/tools/hv/hv_vss_daemon.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + #include + #include + #include diff --git a/queue-4.16/tools-thermal-tmon-fix-for-segfault.patch b/queue-4.16/tools-thermal-tmon-fix-for-segfault.patch new file mode 100644 index 00000000000..d9b8b0ca1bf --- /dev/null +++ b/queue-4.16/tools-thermal-tmon-fix-for-segfault.patch @@ -0,0 +1,81 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Frank Asseg +Date: Mon, 12 Mar 2018 19:57:06 +0100 +Subject: tools/thermal: tmon: fix for segfault + +From: Frank Asseg + +[ Upstream commit 6c59f64b7ecf2bccbe73931d7d573d66ed13b537 ] + +Fixes a segfault occurring when e.g. is pressed multiple times in the +ncurses tmon application. The segfault is caused by incrementing +cur_thermal_record in the main function without checking if it's value reached +NR_THERMAL_RECORD immediately. Since the boundary check only occurred in +update_thermal_data a race condition existed, which lead to an attempted read +beyond the last element of the trec array. + +The fix was implemented by moving the cur_thermal_record incrementation to the +update_thermal_data function using a temporary variable on which the boundary +condition is checked before updating cur_thread_record, so that the variable is +never incremented beyond the trec array's boundary. + +It seems the segfault does not occur on every machine: On a HP EliteBook G4 the +segfault happens, while it does not happen on a Thinkpad T540p. + +Signed-off-by: Frank Asseg +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/thermal/tmon/sysfs.c | 12 +++++++----- + tools/thermal/tmon/tmon.c | 1 - + 2 files changed, 7 insertions(+), 6 deletions(-) + +--- a/tools/thermal/tmon/sysfs.c ++++ b/tools/thermal/tmon/sysfs.c +@@ -486,6 +486,7 @@ int zone_instance_to_index(int zone_inst + int update_thermal_data() + { + int i; ++ int next_thermal_record = cur_thermal_record + 1; + char tz_name[256]; + static unsigned long samples; + +@@ -495,9 +496,9 @@ int update_thermal_data() + } + + /* circular buffer for keeping historic data */ +- if (cur_thermal_record >= NR_THERMAL_RECORDS) +- cur_thermal_record = 0; +- gettimeofday(&trec[cur_thermal_record].tv, NULL); ++ if (next_thermal_record >= NR_THERMAL_RECORDS) ++ next_thermal_record = 0; ++ gettimeofday(&trec[next_thermal_record].tv, NULL); + if (tmon_log) { + fprintf(tmon_log, "%lu ", ++samples); + fprintf(tmon_log, "%3.1f ", p_param.t_target); +@@ -507,11 +508,12 @@ int update_thermal_data() + snprintf(tz_name, 256, "%s/%s%d", THERMAL_SYSFS, TZONE, + ptdata.tzi[i].instance); + sysfs_get_ulong(tz_name, "temp", +- &trec[cur_thermal_record].temp[i]); ++ &trec[next_thermal_record].temp[i]); + if (tmon_log) + fprintf(tmon_log, "%lu ", +- trec[cur_thermal_record].temp[i]/1000); ++ trec[next_thermal_record].temp[i] / 1000); + } ++ cur_thermal_record = next_thermal_record; + for (i = 0; i < ptdata.nr_cooling_dev; i++) { + char cdev_name[256]; + unsigned long val; +--- a/tools/thermal/tmon/tmon.c ++++ b/tools/thermal/tmon/tmon.c +@@ -336,7 +336,6 @@ int main(int argc, char **argv) + show_data_w(); + show_cooling_device(); + } +- cur_thermal_record++; + time_elapsed += ticktime; + controller_handler(trec[0].temp[target_tz_index] / 1000, + &yk); diff --git a/queue-4.16/tracing-uprobe_event-fix-strncpy-corner-case.patch b/queue-4.16/tracing-uprobe_event-fix-strncpy-corner-case.patch new file mode 100644 index 00000000000..d3d78034be2 --- /dev/null +++ b/queue-4.16/tracing-uprobe_event-fix-strncpy-corner-case.patch @@ -0,0 +1,38 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Masami Hiramatsu +Date: Tue, 10 Apr 2018 21:20:08 +0900 +Subject: tracing/uprobe_event: Fix strncpy corner case + +From: Masami Hiramatsu + +[ Upstream commit 50268a3d266ecfdd6c5873d62b2758d9732fc598 ] + +Fix string fetch function to terminate with NUL. +It is OK to drop the rest of string. + +Signed-off-by: Masami Hiramatsu +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Song Liu +Cc: Thomas Gleixner +Cc: security@kernel.org +Cc: 范龙飞 +Fixes: 5baaa59ef09e ("tracing/probes: Implement 'memory' fetch method for uprobes") +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_uprobe.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/trace/trace_uprobe.c ++++ b/kernel/trace/trace_uprobe.c +@@ -151,6 +151,8 @@ static void FETCH_FUNC_NAME(memory, stri + return; + + ret = strncpy_from_user(dst, src, maxlen); ++ if (ret == maxlen) ++ dst[--ret] = '\0'; + + if (ret < 0) { /* Failed to fetch string */ + ((u8 *)get_rloc_data(dest))[0] = '\0'; diff --git a/queue-4.16/udf-provide-saner-default-for-invalid-uid-gid.patch b/queue-4.16/udf-provide-saner-default-for-invalid-uid-gid.patch new file mode 100644 index 00000000000..fab3625950f --- /dev/null +++ b/queue-4.16/udf-provide-saner-default-for-invalid-uid-gid.patch @@ -0,0 +1,40 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Jan Kara +Date: Thu, 22 Feb 2018 10:39:52 +0100 +Subject: udf: Provide saner default for invalid uid / gid + +From: Jan Kara + +[ Upstream commit 116e5258e4115aca0c64ac0bf40ded3b353ed626 ] + +Currently when UDF filesystem is recorded without uid / gid (ids are set +to -1), we will assign INVALID_[UG]ID to vfs inode unless user uses uid= +and gid= mount options. In such case filesystem could not be modified in +any way as VFS refuses to modify files with invalid ids (even by root). +This is confusing to users and not very useful default since such media +mode is generally used for removable media. Use overflow[ug]id instead +so that at least root can modify the filesystem. + +Reported-by: Steve Kenton +Reviewed-by: Pali Rohár +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/udf/super.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/udf/super.c ++++ b/fs/udf/super.c +@@ -2091,8 +2091,9 @@ static int udf_fill_super(struct super_b + bool lvid_open = false; + + uopt.flags = (1 << UDF_FLAG_USE_AD_IN_ICB) | (1 << UDF_FLAG_STRICT); +- uopt.uid = INVALID_UID; +- uopt.gid = INVALID_GID; ++ /* By default we'll use overflow[ug]id when UDF inode [ug]id == -1 */ ++ uopt.uid = make_kuid(current_user_ns(), overflowuid); ++ uopt.gid = make_kgid(current_user_ns(), overflowgid); + uopt.umask = 0; + uopt.fmode = UDF_INVALID_MODE; + uopt.dmode = UDF_INVALID_MODE; diff --git a/queue-4.16/usb-dwc2-fix-interval-type-issue.patch b/queue-4.16/usb-dwc2-fix-interval-type-issue.patch new file mode 100644 index 00000000000..ff3163da964 --- /dev/null +++ b/queue-4.16/usb-dwc2-fix-interval-type-issue.patch @@ -0,0 +1,31 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Grigor Tovmasyan +Date: Tue, 6 Feb 2018 19:07:38 +0400 +Subject: usb: dwc2: Fix interval type issue + +From: Grigor Tovmasyan + +[ Upstream commit 12814a3f8f9b247531d7863170cc82b3fe4218fd ] + +The maximum value that unsigned char can hold is 255, meanwhile +the maximum value of interval is 2^(bIntervalMax-1)=2^15. + +Signed-off-by: Grigor Tovmasyan +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc2/core.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/dwc2/core.h ++++ b/drivers/usb/dwc2/core.h +@@ -217,7 +217,7 @@ struct dwc2_hsotg_ep { + unsigned char dir_in; + unsigned char index; + unsigned char mc; +- unsigned char interval; ++ u16 interval; + + unsigned int halted:1; + unsigned int periodic:1; diff --git a/queue-4.16/usb-dwc2-hcd-fix-host-channel-halt-flow.patch b/queue-4.16/usb-dwc2-hcd-fix-host-channel-halt-flow.patch new file mode 100644 index 00000000000..a7523768b0a --- /dev/null +++ b/queue-4.16/usb-dwc2-hcd-fix-host-channel-halt-flow.patch @@ -0,0 +1,49 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Minas Harutyunyan +Date: Fri, 19 Jan 2018 14:43:53 +0400 +Subject: usb: dwc2: hcd: Fix host channel halt flow + +From: Minas Harutyunyan + +[ Upstream commit a82c7abdf8fc3b09c4a0ed2eee6d43ecef2ccdb0 ] + +According databook in Buffer and External DMA mode +non-split periodic channels can't be halted. + +Acked-by: John Youn +Signed-off-by: Minas Harutyunyan +Signed-off-by: Grigor Tovmasyan +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc2/hcd.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +--- a/drivers/usb/dwc2/hcd.c ++++ b/drivers/usb/dwc2/hcd.c +@@ -989,6 +989,24 @@ void dwc2_hc_halt(struct dwc2_hsotg *hso + + if (dbg_hc(chan)) + dev_vdbg(hsotg->dev, "%s()\n", __func__); ++ ++ /* ++ * In buffer DMA or external DMA mode channel can't be halted ++ * for non-split periodic channels. At the end of the next ++ * uframe/frame (in the worst case), the core generates a channel ++ * halted and disables the channel automatically. ++ */ ++ if ((hsotg->params.g_dma && !hsotg->params.g_dma_desc) || ++ hsotg->hw_params.arch == GHWCFG2_EXT_DMA_ARCH) { ++ if (!chan->do_split && ++ (chan->ep_type == USB_ENDPOINT_XFER_ISOC || ++ chan->ep_type == USB_ENDPOINT_XFER_INT)) { ++ dev_err(hsotg->dev, "%s() Channel can't be halted\n", ++ __func__); ++ return; ++ } ++ } ++ + if (halt_status == DWC2_HC_XFER_NO_HALT_STATUS) + dev_err(hsotg->dev, "!!! halt_status = %d !!!\n", halt_status); + diff --git a/queue-4.16/usb-dwc2-host-fix-transaction-errors-in-host-mode.patch b/queue-4.16/usb-dwc2-host-fix-transaction-errors-in-host-mode.patch new file mode 100644 index 00000000000..3ed482052ad --- /dev/null +++ b/queue-4.16/usb-dwc2-host-fix-transaction-errors-in-host-mode.patch @@ -0,0 +1,54 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Minas Harutyunyan +Date: Fri, 19 Jan 2018 14:44:20 +0400 +Subject: usb: dwc2: host: Fix transaction errors in host mode + +From: Minas Harutyunyan + +[ Upstream commit 92a8dd26464e1f21f1d869ec53717bd2c1200d63 ] + +Added missing GUSBCFG programming in host mode, which fixes +transaction errors issue on HiKey and Altera Cyclone V boards. + +These field even if was programmed in device mode (in function +dwc2_hsotg_core_init_disconnected()) will be resetting to POR values +after core soft reset applied. +So, each time when switching to host mode required to set this field +to correct value. + +Acked-by: John Youn +Signed-off-by: Minas Harutyunyan +Signed-off-by: Grigor Tovmasyan +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc2/hcd.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/drivers/usb/dwc2/hcd.c ++++ b/drivers/usb/dwc2/hcd.c +@@ -2340,10 +2340,22 @@ static int dwc2_core_init(struct dwc2_hs + */ + static void dwc2_core_host_init(struct dwc2_hsotg *hsotg) + { +- u32 hcfg, hfir, otgctl; ++ u32 hcfg, hfir, otgctl, usbcfg; + + dev_dbg(hsotg->dev, "%s(%p)\n", __func__, hsotg); + ++ /* Set HS/FS Timeout Calibration to 7 (max available value). ++ * The number of PHY clocks that the application programs in ++ * this field is added to the high/full speed interpacket timeout ++ * duration in the core to account for any additional delays ++ * introduced by the PHY. This can be required, because the delay ++ * introduced by the PHY in generating the linestate condition ++ * can vary from one PHY to another. ++ */ ++ usbcfg = dwc2_readl(hsotg->regs + GUSBCFG); ++ usbcfg |= GUSBCFG_TOUTCAL(7); ++ dwc2_writel(usbcfg, hsotg->regs + GUSBCFG); ++ + /* Restart the Phy Clock */ + dwc2_writel(0, hsotg->regs + PCGCTL); + diff --git a/queue-4.16/usb-dwc3-add-softreset-phy-synchonization-delay.patch b/queue-4.16/usb-dwc3-add-softreset-phy-synchonization-delay.patch new file mode 100644 index 00000000000..e0b5f99ea37 --- /dev/null +++ b/queue-4.16/usb-dwc3-add-softreset-phy-synchonization-delay.patch @@ -0,0 +1,50 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Thinh Nguyen +Date: Fri, 16 Mar 2018 15:33:48 -0700 +Subject: usb: dwc3: Add SoftReset PHY synchonization delay + +From: Thinh Nguyen + +[ Upstream commit fab3833338779e1e668bd58d1f76d601657304b8 ] + +>From DWC_usb31 programming guide section 1.3.2, once DWC3_DCTL_CSFTRST +bit is cleared, we must wait at least 50ms before accessing the PHY +domain (synchronization delay). + +Signed-off-by: Thinh Nguyen +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/core.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -232,7 +232,7 @@ static int dwc3_core_soft_reset(struct d + do { + reg = dwc3_readl(dwc->regs, DWC3_DCTL); + if (!(reg & DWC3_DCTL_CSFTRST)) +- return 0; ++ goto done; + + udelay(1); + } while (--retries); +@@ -241,6 +241,17 @@ static int dwc3_core_soft_reset(struct d + phy_exit(dwc->usb2_generic_phy); + + return -ETIMEDOUT; ++ ++done: ++ /* ++ * For DWC_usb31 controller, once DWC3_DCTL_CSFTRST bit is cleared, ++ * we must wait at least 50ms before accessing the PHY domain ++ * (synchronization delay). DWC_usb31 programming guide section 1.3.2. ++ */ ++ if (dwc3_is_usb31(dwc)) ++ msleep(50); ++ ++ return 0; + } + + /* diff --git a/queue-4.16/usb-dwc3-makefile-fix-link-error-on-randconfig.patch b/queue-4.16/usb-dwc3-makefile-fix-link-error-on-randconfig.patch new file mode 100644 index 00000000000..b2e5211f5cc --- /dev/null +++ b/queue-4.16/usb-dwc3-makefile-fix-link-error-on-randconfig.patch @@ -0,0 +1,32 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Felipe Balbi +Date: Thu, 22 Mar 2018 10:45:20 +0200 +Subject: usb: dwc3: Makefile: fix link error on randconfig + +From: Felipe Balbi + +[ Upstream commit de948a74ad6f0eefddf36d765b8f2dd6df82caa0 ] + +If building a kernel without FTRACE but with TRACING, dwc3.ko fails to +link due to missing trace events. Fix this by using the correct +Kconfig symbol on Makefile. + +Reported-by: Randy Dunlap +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/dwc3/Makefile ++++ b/drivers/usb/dwc3/Makefile +@@ -6,7 +6,7 @@ obj-$(CONFIG_USB_DWC3) += dwc3.o + + dwc3-y := core.o + +-ifneq ($(CONFIG_FTRACE),) ++ifneq ($(CONFIG_TRACING),) + dwc3-y += trace.o + endif + diff --git a/queue-4.16/usb-dwc3-update-dwc_usb31-gtxfifosiz-reg-fields.patch b/queue-4.16/usb-dwc3-update-dwc_usb31-gtxfifosiz-reg-fields.patch new file mode 100644 index 00000000000..94a5524cf0f --- /dev/null +++ b/queue-4.16/usb-dwc3-update-dwc_usb31-gtxfifosiz-reg-fields.patch @@ -0,0 +1,40 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Thinh Nguyen +Date: Fri, 16 Mar 2018 15:33:54 -0700 +Subject: usb: dwc3: Update DWC_usb31 GTXFIFOSIZ reg fields + +From: Thinh Nguyen + +[ Upstream commit 0cab8d26d6e5e053b2bed3356992aaa71dc93628 ] + +Update two GTXFIFOSIZ bit fields for the DWC_usb31 controller. TXFDEP +is a 15-bit value instead of 16-bit value, and bit 15 is TXFRAMNUM. + +The GTXFIFOSIZ register for DWC_usb31 is as follows: + +-------+-----------+----------------------------------+ + | BITS | Name | Description | + +=======+===========+==================================+ + | 31:16 | TXFSTADDR | Transmit FIFOn RAM Start Address | + | 15 | TXFRAMNUM | Asynchronous/Periodic TXFIFO | + | 14:0 | TXFDEP | TXFIFO Depth | + +-------+-----------+----------------------------------+ + +Signed-off-by: Thinh Nguyen +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/core.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/dwc3/core.h ++++ b/drivers/usb/dwc3/core.h +@@ -241,6 +241,8 @@ + #define DWC3_GUSB3PIPECTL_TX_DEEPH(n) ((n) << 1) + + /* Global TX Fifo Size Register */ ++#define DWC31_GTXFIFOSIZ_TXFRAMNUM BIT(15) /* DWC_usb31 only */ ++#define DWC31_GTXFIFOSIZ_TXFDEF(n) ((n) & 0x7fff) /* DWC_usb31 only */ + #define DWC3_GTXFIFOSIZ_TXFDEF(n) ((n) & 0xffff) + #define DWC3_GTXFIFOSIZ_TXFSTADDR(n) ((n) & 0xffff0000) + diff --git a/queue-4.16/usb-gadget-composite-fix-incorrect-handling-of-os-desc-requests.patch b/queue-4.16/usb-gadget-composite-fix-incorrect-handling-of-os-desc-requests.patch new file mode 100644 index 00000000000..c0502cb6870 --- /dev/null +++ b/queue-4.16/usb-gadget-composite-fix-incorrect-handling-of-os-desc-requests.patch @@ -0,0 +1,158 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Chris Dickens +Date: Sun, 31 Dec 2017 18:59:42 -0800 +Subject: usb: gadget: composite: fix incorrect handling of OS desc requests + +From: Chris Dickens + +[ Upstream commit 5d6ae4f0da8a64a185074dabb1b2f8c148efa741 ] + +When handling an OS descriptor request, one of the first operations is +to zero out the request buffer using the wLength from the setup packet. +There is no bounds checking, so a wLength > 4096 would clobber memory +adjacent to the request buffer. Fix this by taking the min of wLength +and the request buffer length prior to the memset. While at it, define +the buffer length in a header file so that magic numbers don't appear +throughout the code. + +When returning data to the host, the data length should be the min of +the wLength and the valid data we have to return. Currently we are +returning wLength, thus requests for a wLength greater than the amount +of data in the OS descriptor buffer would return invalid (albeit zero'd) +data following the valid descriptor data. Fix this by counting the +number of bytes when constructing the data and using this when +determining the length of the request. + +Signed-off-by: Chris Dickens +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/composite.c | 40 +++++++++++++++++++--------------------- + include/linux/usb/composite.h | 3 +++ + 2 files changed, 22 insertions(+), 21 deletions(-) + +--- a/drivers/usb/gadget/composite.c ++++ b/drivers/usb/gadget/composite.c +@@ -1422,7 +1422,7 @@ static int count_ext_compat(struct usb_c + return res; + } + +-static void fill_ext_compat(struct usb_configuration *c, u8 *buf) ++static int fill_ext_compat(struct usb_configuration *c, u8 *buf) + { + int i, count; + +@@ -1449,10 +1449,12 @@ static void fill_ext_compat(struct usb_c + buf += 23; + } + count += 24; +- if (count >= 4096) +- return; ++ if (count + 24 >= USB_COMP_EP0_OS_DESC_BUFSIZ) ++ return count; + } + } ++ ++ return count; + } + + static int count_ext_prop(struct usb_configuration *c, int interface) +@@ -1497,25 +1499,20 @@ static int fill_ext_prop(struct usb_conf + struct usb_os_desc *d; + struct usb_os_desc_ext_prop *ext_prop; + int j, count, n, ret; +- u8 *start = buf; + + f = c->interface[interface]; ++ count = 10; /* header length */ + for (j = 0; j < f->os_desc_n; ++j) { + if (interface != f->os_desc_table[j].if_id) + continue; + d = f->os_desc_table[j].os_desc; + if (d) + list_for_each_entry(ext_prop, &d->ext_prop, entry) { +- /* 4kB minus header length */ +- n = buf - start; +- if (n >= 4086) +- return 0; +- +- count = ext_prop->data_len + ++ n = ext_prop->data_len + + ext_prop->name_len + 14; +- if (count > 4086 - n) +- return -EINVAL; +- usb_ext_prop_put_size(buf, count); ++ if (count + n >= USB_COMP_EP0_OS_DESC_BUFSIZ) ++ return count; ++ usb_ext_prop_put_size(buf, n); + usb_ext_prop_put_type(buf, ext_prop->type); + ret = usb_ext_prop_put_name(buf, ext_prop->name, + ext_prop->name_len); +@@ -1541,11 +1538,12 @@ static int fill_ext_prop(struct usb_conf + default: + return -EINVAL; + } +- buf += count; ++ buf += n; ++ count += n; + } + } + +- return 0; ++ return count; + } + + /* +@@ -1827,6 +1825,7 @@ unknown: + req->complete = composite_setup_complete; + buf = req->buf; + os_desc_cfg = cdev->os_desc_config; ++ w_length = min_t(u16, w_length, USB_COMP_EP0_OS_DESC_BUFSIZ); + memset(buf, 0, w_length); + buf[5] = 0x01; + switch (ctrl->bRequestType & USB_RECIP_MASK) { +@@ -1850,8 +1849,8 @@ unknown: + count += 16; /* header */ + put_unaligned_le32(count, buf); + buf += 16; +- fill_ext_compat(os_desc_cfg, buf); +- value = w_length; ++ value = fill_ext_compat(os_desc_cfg, buf); ++ value = min_t(u16, w_length, value); + } + break; + case USB_RECIP_INTERFACE: +@@ -1880,8 +1879,7 @@ unknown: + interface, buf); + if (value < 0) + return value; +- +- value = w_length; ++ value = min_t(u16, w_length, value); + } + break; + } +@@ -2156,8 +2154,8 @@ int composite_os_desc_req_prepare(struct + goto end; + } + +- /* OS feature descriptor length <= 4kB */ +- cdev->os_desc_req->buf = kmalloc(4096, GFP_KERNEL); ++ cdev->os_desc_req->buf = kmalloc(USB_COMP_EP0_OS_DESC_BUFSIZ, ++ GFP_KERNEL); + if (!cdev->os_desc_req->buf) { + ret = -ENOMEM; + usb_ep_free_request(ep0, cdev->os_desc_req); +--- a/include/linux/usb/composite.h ++++ b/include/linux/usb/composite.h +@@ -54,6 +54,9 @@ + /* big enough to hold our biggest descriptor */ + #define USB_COMP_EP0_BUFSIZ 1024 + ++/* OS feature descriptor length <= 4kB */ ++#define USB_COMP_EP0_OS_DESC_BUFSIZ 4096 ++ + #define USB_MS_TO_HS_INTERVAL(x) (ilog2((x * 1000 / 125)) + 1) + struct usb_configuration; + diff --git a/queue-4.16/usb-gadget-ffs-execute-copy_to_user-with-user_ds-set.patch b/queue-4.16/usb-gadget-ffs-execute-copy_to_user-with-user_ds-set.patch new file mode 100644 index 00000000000..5b11a06a2c8 --- /dev/null +++ b/queue-4.16/usb-gadget-ffs-execute-copy_to_user-with-user_ds-set.patch @@ -0,0 +1,68 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Lars-Peter Clausen +Date: Fri, 12 Jan 2018 11:05:02 +0100 +Subject: usb: gadget: ffs: Execute copy_to_user() with USER_DS set + +From: Lars-Peter Clausen + +[ Upstream commit 4058ebf33cb0be88ca516f968eda24ab7b6b93e4 ] + +When using a AIO read() operation on the function FS gadget driver a URB is +submitted asynchronously and on URB completion the received data is copied +to the userspace buffer associated with the read operation. + +This is done from a kernel worker thread invoking copy_to_user() (through +copy_to_iter()). And while the user space process memory is made available +to the kernel thread using use_mm(), some architecture require in addition +to this that the operation runs with USER_DS set. Otherwise the userspace +memory access will fail. + +For example on ARM64 with Privileged Access Never (PAN) and User Access +Override (UAO) enabled the following crash occurs. + + Internal error: Accessing user space memory with fs=KERNEL_DS: 9600004f [#1] SMP + Modules linked in: + CPU: 2 PID: 1636 Comm: kworker/2:1 Not tainted 4.9.0-04081-g8ab2dfb-dirty #487 + Hardware name: ZynqMP ZCU102 Rev1.0 (DT) + Workqueue: events ffs_user_copy_worker + task: ffffffc87afc8080 task.stack: ffffffc87a00c000 + PC is at __arch_copy_to_user+0x190/0x220 + LR is at copy_to_iter+0x78/0x3c8 + [...] + [] __arch_copy_to_user+0x190/0x220 + [] ffs_user_copy_worker+0x70/0x130 + [] process_one_work+0x1dc/0x460 + [] worker_thread+0x50/0x4b0 + [] kthread+0xd8/0xf0 + [] ret_from_fork+0x10/0x50 + +Address this by placing a set_fs(USER_DS) before of the copy operation +and revert it again once the copy operation has finished. + +This patch is analogous to commit d7ffde35e31a ("vhost: use USER_DS in +vhost_worker thread") which addresses the same underlying issue. + +Signed-off-by: Lars-Peter Clausen +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_fs.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -758,9 +758,13 @@ static void ffs_user_copy_worker(struct + bool kiocb_has_eventfd = io_data->kiocb->ki_flags & IOCB_EVENTFD; + + if (io_data->read && ret > 0) { ++ mm_segment_t oldfs = get_fs(); ++ ++ set_fs(USER_DS); + use_mm(io_data->mm); + ret = ffs_copy_to_iter(io_data->buf, ret, &io_data->data); + unuse_mm(io_data->mm); ++ set_fs(oldfs); + } + + io_data->kiocb->ki_complete(io_data->kiocb, ret, ret); diff --git a/queue-4.16/usb-gadget-ffs-let-setup-return-usb_gadget_delayed_status.patch b/queue-4.16/usb-gadget-ffs-let-setup-return-usb_gadget_delayed_status.patch new file mode 100644 index 00000000000..a4968c7860a --- /dev/null +++ b/queue-4.16/usb-gadget-ffs-let-setup-return-usb_gadget_delayed_status.patch @@ -0,0 +1,53 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Lars-Peter Clausen +Date: Fri, 12 Jan 2018 11:26:16 +0100 +Subject: usb: gadget: ffs: Let setup() return USB_GADGET_DELAYED_STATUS + +From: Lars-Peter Clausen + +[ Upstream commit 946ef68ad4e45aa048a5fb41ce8823ed29da866a ] + +Some UDC drivers (like the DWC3) expect that the response to a setup() +request is queued from within the setup function itself so that it is +available as soon as setup() has completed. + +Upon receiving a setup request the function fs driver creates an event that +is made available to userspace. And only once userspace has acknowledged +that event the response to the setup request is queued. + +So it violates the requirement of those UDC drivers and random failures can +be observed. This is basically a race condition and if userspace is able to +read the event and queue the response fast enough all is good. But if it is +not, for example because other processes are currently scheduled to run, +the USB host that sent the setup request will observe an error. + +To avoid this the gadget framework provides the USB_GADGET_DELAYED_STATUS +return code. If a setup() callback returns this value the UDC driver is +aware that response is not yet available and can uses the appropriate +methods to handle this case. + +Since in the case of function fs the response will never be available when +the setup() function returns make sure that this status code is used. + +This fixed random occasional failures that were previously observed on a +DWC3 based system under high system load. + +Signed-off-by: Lars-Peter Clausen +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_fs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -3238,7 +3238,7 @@ static int ffs_func_setup(struct usb_fun + __ffs_event_add(ffs, FUNCTIONFS_SETUP); + spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags); + +- return 0; ++ return USB_GADGET_DELAYED_STATUS; + } + + static bool ffs_func_req_match(struct usb_function *f, diff --git a/queue-4.16/usb-gadget-udc-change-comparison-to-bitshift-when-dealing-with-a-mask.patch b/queue-4.16/usb-gadget-udc-change-comparison-to-bitshift-when-dealing-with-a-mask.patch new file mode 100644 index 00000000000..79a139ac7d2 --- /dev/null +++ b/queue-4.16/usb-gadget-udc-change-comparison-to-bitshift-when-dealing-with-a-mask.patch @@ -0,0 +1,32 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Wolfram Sang +Date: Tue, 6 Feb 2018 09:50:40 +0100 +Subject: usb: gadget: udc: change comparison to bitshift when dealing with a mask + +From: Wolfram Sang + +[ Upstream commit ac87e560f7c0f91b62012e9a159c0681a373b922 ] + +Due to a typo, the mask was destroyed by a comparison instead of a bit +shift. + +Reported-by: Geert Uytterhoeven +Signed-off-by: Wolfram Sang +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/udc/goku_udc.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/gadget/udc/goku_udc.h ++++ b/drivers/usb/gadget/udc/goku_udc.h +@@ -25,7 +25,7 @@ struct goku_udc_regs { + # define INT_EP1DATASET 0x00040 + # define INT_EP2DATASET 0x00080 + # define INT_EP3DATASET 0x00100 +-#define INT_EPnNAK(n) (0x00100 < (n)) /* 0 < n < 4 */ ++#define INT_EPnNAK(n) (0x00100 << (n)) /* 0 < n < 4 */ + # define INT_EP1NAK 0x00200 + # define INT_EP2NAK 0x00400 + # define INT_EP3NAK 0x00800 diff --git a/queue-4.16/usbip-correct-maximum-value-of-config_usbip_vhci_hc_ports.patch b/queue-4.16/usbip-correct-maximum-value-of-config_usbip_vhci_hc_ports.patch new file mode 100644 index 00000000000..2ccd31d24ac --- /dev/null +++ b/queue-4.16/usbip-correct-maximum-value-of-config_usbip_vhci_hc_ports.patch @@ -0,0 +1,35 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Ben Hutchings +Date: Mon, 29 Jan 2018 00:04:18 +0000 +Subject: usbip: Correct maximum value of CONFIG_USBIP_VHCI_HC_PORTS + +From: Ben Hutchings + +[ Upstream commit 351a8d4837ae0d61744e64262c3a80ab92ff3e42 ] + +Now that usbip supports USB3, the maximum number of ports allowed +on a hub is 15 (USB_SS_MAXPORTS), not 31 (USB_MAXCHILDREN). + +Reported-by: Gianluigi Tiesi +Reported-by: Borissh1983 +References: https://bugs.debian.org/878866 +Fixes: 1c9de5bf4286 ("usbip: vhci-hcd: Add USB3 SuperSpeed support") +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/usbip/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/usbip/Kconfig ++++ b/drivers/usb/usbip/Kconfig +@@ -27,7 +27,7 @@ config USBIP_VHCI_HCD + + config USBIP_VHCI_HC_PORTS + int "Number of ports per USB/IP virtual host controller" +- range 1 31 ++ range 1 15 + default 8 + depends on USBIP_VHCI_HCD + ---help--- diff --git a/queue-4.16/vfio-ccw-fence-off-transport-mode.patch b/queue-4.16/vfio-ccw-fence-off-transport-mode.patch new file mode 100644 index 00000000000..0b4d04db90d --- /dev/null +++ b/queue-4.16/vfio-ccw-fence-off-transport-mode.patch @@ -0,0 +1,37 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Cornelia Huck +Date: Thu, 22 Feb 2018 15:35:43 +0100 +Subject: vfio-ccw: fence off transport mode + +From: Cornelia Huck + +[ Upstream commit 9851bc77e62499957567e7c39a5beba7d6de6296 ] + +vfio-ccw only supports command mode for channel programs, not transport +mode. User space is supposed to already take care of that and pass us +command-mode ORBs only, but better make sure and return an error to +the caller instead of trying to process tcws as ccws. + +Reviewed-by: Dong Jia Shi +Acked-by: Halil Pasic +Signed-off-by: Cornelia Huck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/cio/vfio_ccw_fsm.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/s390/cio/vfio_ccw_fsm.c ++++ b/drivers/s390/cio/vfio_ccw_fsm.c +@@ -129,6 +129,11 @@ static void fsm_io_request(struct vfio_c + if (scsw->cmd.fctl & SCSW_FCTL_START_FUNC) { + orb = (union orb *)io_region->orb_area; + ++ /* Don't try to build a cp if transport mode is specified. */ ++ if (orb->tm.b) { ++ io_region->ret_code = -EOPNOTSUPP; ++ goto err_out; ++ } + io_region->ret_code = cp_init(&private->cp, mdev_dev(mdev), + orb); + if (io_region->ret_code) diff --git a/queue-4.16/virtio-net-fix-operstate-for-virtio-when-no-virtio_net_f_status.patch b/queue-4.16/virtio-net-fix-operstate-for-virtio-when-no-virtio_net_f_status.patch new file mode 100644 index 00000000000..e6297f695ad --- /dev/null +++ b/queue-4.16/virtio-net-fix-operstate-for-virtio-when-no-virtio_net_f_status.patch @@ -0,0 +1,51 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Jay Vosburgh +Date: Thu, 22 Mar 2018 14:42:41 +0000 +Subject: virtio-net: Fix operstate for virtio when no VIRTIO_NET_F_STATUS + +From: Jay Vosburgh + +[ Upstream commit bda7fab54828bbef2164bb23c0f6b1a7d05cc718 ] + +The operstate update logic will leave an interface in the +default UNKNOWN operstate if the interface carrier state never changes +from the default carrier up state set at creation. This includes the +case of an explicit call to netif_carrier_on, as the carrier on to on +transition has no effect on operstate. + + This affects virtio-net for the case that the virtio peer does +not support VIRTIO_NET_F_STATUS (the feature that provides carrier state +updates). Without this feature, the virtio specification states that +"the link should be assumed active," so, logically, the operstate should +be UP instead of UNKNOWN. This has impact on user space applications +that use the operstate to make availability decisions for the interface. + + Resolve this by changing the virtio probe logic slightly to call +netif_carrier_off for both the "with" and "without" VIRTIO_NET_F_STATUS +cases, and then the existing call to netif_carrier_on for the "without" +case will cause an operstate transition. + +Cc: "Michael S. Tsirkin" +Cc: Jason Wang +Cc: Ben Hutchings +Signed-off-by: Jay Vosburgh +Acked-by: Michael S. Tsirkin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/virtio_net.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -2874,8 +2874,8 @@ static int virtnet_probe(struct virtio_d + + /* Assume link up if device can't report link status, + otherwise get link status from config. */ ++ netif_carrier_off(dev); + if (virtio_has_feature(vi->vdev, VIRTIO_NET_F_STATUS)) { +- netif_carrier_off(dev); + schedule_work(&vi->config_work); + } else { + vi->status = VIRTIO_NET_S_LINK_UP; diff --git a/queue-4.16/watchdog-asm9260_wdt-fix-error-handling-in-asm9260_wdt_probe.patch b/queue-4.16/watchdog-asm9260_wdt-fix-error-handling-in-asm9260_wdt_probe.patch new file mode 100644 index 00000000000..fc6e1193eb3 --- /dev/null +++ b/queue-4.16/watchdog-asm9260_wdt-fix-error-handling-in-asm9260_wdt_probe.patch @@ -0,0 +1,46 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Alexey Khoroshilov +Date: Sat, 10 Feb 2018 13:17:27 +0300 +Subject: watchdog: asm9260_wdt: fix error handling in asm9260_wdt_probe() + +From: Alexey Khoroshilov + +[ Upstream commit 3c829f47e33eb0398a9a14e357a05199a7be0277 ] + +If devm_reset_control_get_exclusive() fails, asm9260_wdt_probe() +returns immediately. But clks has been already enabled at that point, +so it is required to disable them or to move the code around. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Alexey Khoroshilov +Reviewed-by: Guenter Roeck +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/watchdog/asm9260_wdt.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/watchdog/asm9260_wdt.c ++++ b/drivers/watchdog/asm9260_wdt.c +@@ -292,14 +292,14 @@ static int asm9260_wdt_probe(struct plat + if (IS_ERR(priv->iobase)) + return PTR_ERR(priv->iobase); + +- ret = asm9260_wdt_get_dt_clks(priv); +- if (ret) +- return ret; +- + priv->rst = devm_reset_control_get_exclusive(&pdev->dev, "wdt_rst"); + if (IS_ERR(priv->rst)) + return PTR_ERR(priv->rst); + ++ ret = asm9260_wdt_get_dt_clks(priv); ++ if (ret) ++ return ret; ++ + wdd = &priv->wdd; + wdd->info = &asm9260_wdt_ident; + wdd->ops = &asm9260_wdt_ops; diff --git a/queue-4.16/watchdog-aspeed-allow-configuring-for-alternate-boot.patch b/queue-4.16/watchdog-aspeed-allow-configuring-for-alternate-boot.patch new file mode 100644 index 00000000000..c4fb3ba5e87 --- /dev/null +++ b/queue-4.16/watchdog-aspeed-allow-configuring-for-alternate-boot.patch @@ -0,0 +1,60 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Milton Miller +Date: Thu, 15 Mar 2018 11:02:06 -0500 +Subject: watchdog: aspeed: Allow configuring for alternate boot + +From: Milton Miller + +[ Upstream commit 6ffa3402211acc30e47e691e14d62f3fd065a54e ] + +Allow the device tree to specify a watchdog to fallover to +the alternate boot source. + +The aspeeed watchdog can set a latch directing flash chip select 0 to +chip select 1, allowing boot from an alternate media if the watchdog +is not reset in time. On the ast2400 bank 1 also goes to flash bank 1, +while on the ast2500 the chip selects are swapped. + +Also clear the secondary boot bit during the machine restart operation. +Otherwise, the system will switch to the alternate boot after every +reboot, which is not desired. + +Signed-off-by: Milton Miller +Signed-off-by: Eddie James +Reviewed-by: Joel Stanley +Reviewed-by: Guenter Roeck +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/watchdog/aspeed_wdt.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/watchdog/aspeed_wdt.c ++++ b/drivers/watchdog/aspeed_wdt.c +@@ -46,6 +46,7 @@ MODULE_DEVICE_TABLE(of, aspeed_wdt_of_ta + #define WDT_RELOAD_VALUE 0x04 + #define WDT_RESTART 0x08 + #define WDT_CTRL 0x0C ++#define WDT_CTRL_BOOT_SECONDARY BIT(7) + #define WDT_CTRL_RESET_MODE_SOC (0x00 << 5) + #define WDT_CTRL_RESET_MODE_FULL_CHIP (0x01 << 5) + #define WDT_CTRL_RESET_MODE_ARM_CPU (0x10 << 5) +@@ -158,6 +159,7 @@ static int aspeed_wdt_restart(struct wat + { + struct aspeed_wdt *wdt = to_aspeed_wdt(wdd); + ++ wdt->ctrl &= ~WDT_CTRL_BOOT_SECONDARY; + aspeed_wdt_enable(wdt, 128 * WDT_RATE_1MHZ / 1000); + + mdelay(1000); +@@ -242,6 +244,8 @@ static int aspeed_wdt_probe(struct platf + } + if (of_property_read_bool(np, "aspeed,external-signal")) + wdt->ctrl |= WDT_CTRL_WDT_EXT; ++ if (of_property_read_bool(np, "aspeed,alt-boot")) ++ wdt->ctrl |= WDT_CTRL_BOOT_SECONDARY; + + if (readl(wdt->base + WDT_CTRL) & WDT_CTRL_ENABLE) { + /* diff --git a/queue-4.16/watchdog-aspeed-fix-translation-of-reset-mode-to-ctrl-register.patch b/queue-4.16/watchdog-aspeed-fix-translation-of-reset-mode-to-ctrl-register.patch new file mode 100644 index 00000000000..e152e56486f --- /dev/null +++ b/queue-4.16/watchdog-aspeed-fix-translation-of-reset-mode-to-ctrl-register.patch @@ -0,0 +1,53 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Milton Miller +Date: Fri, 9 Mar 2018 15:58:19 -0600 +Subject: watchdog: aspeed: Fix translation of reset mode to ctrl register + +From: Milton Miller + +[ Upstream commit d2fc8db691bf3197d43b2afb553311a9bf257bff ] + +Assert RESET_SYSTEM bit for any reset and set MODE field from reset +type. + +The watchdog control register has a RESET_SYSTEM bit that is really +closer to activate a reset, and RESET_SYSTEM_MODE field that chooses +how much to reset. + +Before this patch, a node without these optional property would do a +SOC reset, but a node with properties requesting a cpu or SOC reset +would do nothing and a node requesting a system reset would do a +SOC reset. + +Fixes: b7f0b8ad25f3 ("drivers/watchdog: ASPEED reference dev tree properties for config") +Signed-off-by: Milton Miller +Signed-off-by: Eddie James +Reviewed-by: Guenter Roeck +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/watchdog/aspeed_wdt.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/watchdog/aspeed_wdt.c ++++ b/drivers/watchdog/aspeed_wdt.c +@@ -234,11 +234,14 @@ static int aspeed_wdt_probe(struct platf + wdt->ctrl |= WDT_CTRL_RESET_MODE_SOC | WDT_CTRL_RESET_SYSTEM; + } else { + if (!strcmp(reset_type, "cpu")) +- wdt->ctrl |= WDT_CTRL_RESET_MODE_ARM_CPU; ++ wdt->ctrl |= WDT_CTRL_RESET_MODE_ARM_CPU | ++ WDT_CTRL_RESET_SYSTEM; + else if (!strcmp(reset_type, "soc")) +- wdt->ctrl |= WDT_CTRL_RESET_MODE_SOC; ++ wdt->ctrl |= WDT_CTRL_RESET_MODE_SOC | ++ WDT_CTRL_RESET_SYSTEM; + else if (!strcmp(reset_type, "system")) +- wdt->ctrl |= WDT_CTRL_RESET_SYSTEM; ++ wdt->ctrl |= WDT_CTRL_RESET_MODE_FULL_CHIP | ++ WDT_CTRL_RESET_SYSTEM; + else if (strcmp(reset_type, "none")) + return -EINVAL; + } diff --git a/queue-4.16/watchdog-davinci_wdt-fix-error-handling-in-davinci_wdt_probe.patch b/queue-4.16/watchdog-davinci_wdt-fix-error-handling-in-davinci_wdt_probe.patch new file mode 100644 index 00000000000..984e61e48df --- /dev/null +++ b/queue-4.16/watchdog-davinci_wdt-fix-error-handling-in-davinci_wdt_probe.patch @@ -0,0 +1,54 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Alexey Khoroshilov +Date: Sat, 24 Mar 2018 00:36:46 +0300 +Subject: watchdog: davinci_wdt: fix error handling in davinci_wdt_probe() + +From: Alexey Khoroshilov + +[ Upstream commit d66e53649c18377edc08d48901e658e4fd491d46 ] + +clk_disable_unprepare() was added to one error path, +but there is another one. The patch makes sure clk is +disabled at the both of them. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Alexey Khoroshilov +Reviewed-by: Guenter Roeck +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/watchdog/davinci_wdt.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +--- a/drivers/watchdog/davinci_wdt.c ++++ b/drivers/watchdog/davinci_wdt.c +@@ -236,15 +236,22 @@ static int davinci_wdt_probe(struct plat + + wdt_mem = platform_get_resource(pdev, IORESOURCE_MEM, 0); + davinci_wdt->base = devm_ioremap_resource(dev, wdt_mem); +- if (IS_ERR(davinci_wdt->base)) +- return PTR_ERR(davinci_wdt->base); ++ if (IS_ERR(davinci_wdt->base)) { ++ ret = PTR_ERR(davinci_wdt->base); ++ goto err_clk_disable; ++ } + + ret = watchdog_register_device(wdd); +- if (ret < 0) { +- clk_disable_unprepare(davinci_wdt->clk); ++ if (ret) { + dev_err(dev, "cannot register watchdog device\n"); ++ goto err_clk_disable; + } + ++ return 0; ++ ++err_clk_disable: ++ clk_disable_unprepare(davinci_wdt->clk); ++ + return ret; + } + diff --git a/queue-4.16/watchdog-dw-rmw-the-control-register.patch b/queue-4.16/watchdog-dw-rmw-the-control-register.patch new file mode 100644 index 00000000000..75be0e99904 --- /dev/null +++ b/queue-4.16/watchdog-dw-rmw-the-control-register.patch @@ -0,0 +1,90 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Brian Norris +Date: Fri, 9 Mar 2018 19:46:06 -0800 +Subject: watchdog: dw: RMW the control register + +From: Brian Norris + +[ Upstream commit a81abbb412341e9e3b2d42ed7d310cf71fbb84a8 ] + +RK3399 has rst_pulse_length in CONTROL_REG[4:2], determining the length +of pulse to issue for system reset. We shouldn't clobber this value, +because that might make the system reset ineffective. On RK3399, we're +seeing that a value of 000b (meaning 2 cycles) yields an unreliable +(partial?) reset, and so we only fully reset after the watchdog fires a +second time. If we retain the system default (010b, or 8 clock cycles), +then the watchdog reset is much more reliable. + +Read-modify-write retains the system value and improves reset +reliability. + +It seems we were intentionally clobbering the response mode previously, +to ensure we performed a system reset (we don't support an interrupt +notification), so retain that explicitly. + +Signed-off-by: Brian Norris +Reviewed-by: Guenter Roeck +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/watchdog/dw_wdt.c | 23 +++++++++++++++-------- + 1 file changed, 15 insertions(+), 8 deletions(-) + +--- a/drivers/watchdog/dw_wdt.c ++++ b/drivers/watchdog/dw_wdt.c +@@ -34,6 +34,7 @@ + + #define WDOG_CONTROL_REG_OFFSET 0x00 + #define WDOG_CONTROL_REG_WDT_EN_MASK 0x01 ++#define WDOG_CONTROL_REG_RESP_MODE_MASK 0x02 + #define WDOG_TIMEOUT_RANGE_REG_OFFSET 0x04 + #define WDOG_TIMEOUT_RANGE_TOPINIT_SHIFT 4 + #define WDOG_CURRENT_COUNT_REG_OFFSET 0x08 +@@ -121,14 +122,23 @@ static int dw_wdt_set_timeout(struct wat + return 0; + } + ++static void dw_wdt_arm_system_reset(struct dw_wdt *dw_wdt) ++{ ++ u32 val = readl(dw_wdt->regs + WDOG_CONTROL_REG_OFFSET); ++ ++ /* Disable interrupt mode; always perform system reset. */ ++ val &= ~WDOG_CONTROL_REG_RESP_MODE_MASK; ++ /* Enable watchdog. */ ++ val |= WDOG_CONTROL_REG_WDT_EN_MASK; ++ writel(val, dw_wdt->regs + WDOG_CONTROL_REG_OFFSET); ++} ++ + static int dw_wdt_start(struct watchdog_device *wdd) + { + struct dw_wdt *dw_wdt = to_dw_wdt(wdd); + + dw_wdt_set_timeout(wdd, wdd->timeout); +- +- writel(WDOG_CONTROL_REG_WDT_EN_MASK, +- dw_wdt->regs + WDOG_CONTROL_REG_OFFSET); ++ dw_wdt_arm_system_reset(dw_wdt); + + return 0; + } +@@ -152,16 +162,13 @@ static int dw_wdt_restart(struct watchdo + unsigned long action, void *data) + { + struct dw_wdt *dw_wdt = to_dw_wdt(wdd); +- u32 val; + + writel(0, dw_wdt->regs + WDOG_TIMEOUT_RANGE_REG_OFFSET); +- val = readl(dw_wdt->regs + WDOG_CONTROL_REG_OFFSET); +- if (val & WDOG_CONTROL_REG_WDT_EN_MASK) ++ if (dw_wdt_is_enabled(dw_wdt)) + writel(WDOG_COUNTER_RESTART_KICK_VALUE, + dw_wdt->regs + WDOG_COUNTER_RESTART_REG_OFFSET); + else +- writel(WDOG_CONTROL_REG_WDT_EN_MASK, +- dw_wdt->regs + WDOG_CONTROL_REG_OFFSET); ++ dw_wdt_arm_system_reset(dw_wdt); + + /* wait for reset to assert... */ + mdelay(500); diff --git a/queue-4.16/watchdog-sprd_wdt-fix-error-handling-in-sprd_wdt_enable.patch b/queue-4.16/watchdog-sprd_wdt-fix-error-handling-in-sprd_wdt_enable.patch new file mode 100644 index 00000000000..82e55cda43e --- /dev/null +++ b/queue-4.16/watchdog-sprd_wdt-fix-error-handling-in-sprd_wdt_enable.patch @@ -0,0 +1,38 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Alexey Khoroshilov +Date: Fri, 9 Mar 2018 00:21:48 +0300 +Subject: watchdog: sprd_wdt: Fix error handling in sprd_wdt_enable() + +From: Alexey Khoroshilov + +[ Upstream commit 3c578cd4bc52b6e65d65be1abad9a8aa489ec207 ] + +If clk_prepare_enable(wdt->rtc_enable) fails, +wdt->enable clock is left enabled. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Alexey Khoroshilov +Reviewed-by: Guenter Roeck +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/watchdog/sprd_wdt.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/watchdog/sprd_wdt.c ++++ b/drivers/watchdog/sprd_wdt.c +@@ -154,8 +154,10 @@ static int sprd_wdt_enable(struct sprd_w + if (ret) + return ret; + ret = clk_prepare_enable(wdt->rtc_enable); +- if (ret) ++ if (ret) { ++ clk_disable_unprepare(wdt->enable); + return ret; ++ } + + sprd_wdt_unlock(wdt->base); + val = readl_relaxed(wdt->base + SPRD_WDT_CTRL); diff --git a/queue-4.16/x86-apic-set-up-through-local-apic-mode-on-the-boot-cpu-if-noapic-specified.patch b/queue-4.16/x86-apic-set-up-through-local-apic-mode-on-the-boot-cpu-if-noapic-specified.patch new file mode 100644 index 00000000000..d7feba0e620 --- /dev/null +++ b/queue-4.16/x86-apic-set-up-through-local-apic-mode-on-the-boot-cpu-if-noapic-specified.patch @@ -0,0 +1,58 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Baoquan He +Date: Wed, 14 Feb 2018 13:46:56 +0800 +Subject: x86/apic: Set up through-local-APIC mode on the boot CPU if 'noapic' specified + +From: Baoquan He + +[ Upstream commit bee3204ec3c49f6f53add9c3962c9012a5c036fa ] + +Currently the kdump kernel becomes very slow if 'noapic' is specified. +Normal kernel doesn't have this bug. + +Kernel parameter 'noapic' is used to disable IO-APIC in system for +testing or special purpose. Here the root cause is that in kdump +kernel LAPIC is disabled since commit: + + 522e664644 ("x86/apic: Disable I/O APIC before shutdown of the local APIC") + +In this case we need set up through-local-APIC on boot CPU in +setup_local_APIC(). + +In normal kernel the legacy irq mode is enabled by the BIOS. If +it is virtual wire mode, the local-APIC has been enabled and set as +through-local-APIC. + +Though we fixed the regression introduced by commit 522e664644, +to further improve robustness set up the through-local-APIC mode +explicitly, do not rely on the default boot IRQ mode. + +Signed-off-by: Baoquan He +Reviewed-by: Eric W. Biederman +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: douly.fnst@cn.fujitsu.com +Cc: joro@8bytes.org +Cc: prarit@redhat.com +Cc: uobergfe@redhat.com +Link: http://lkml.kernel.org/r/20180214054656.3780-7-bhe@redhat.com +[ Rewrote the changelog. ] +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/apic/apic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/apic/apic.c ++++ b/arch/x86/kernel/apic/apic.c +@@ -1570,7 +1570,7 @@ void setup_local_APIC(void) + * TODO: set up through-local-APIC from through-I/O-APIC? --macro + */ + value = apic_read(APIC_LVT0) & APIC_LVT_MASKED; +- if (!cpu && (pic_mode || !value)) { ++ if (!cpu && (pic_mode || !value || skip_ioapic_setup)) { + value = APIC_DM_EXTINT; + apic_printk(APIC_VERBOSE, "enabled ExtINT on CPU#%d\n", cpu); + } else { diff --git a/queue-4.16/x86-devicetree-fix-device-irq-settings-in-dt.patch b/queue-4.16/x86-devicetree-fix-device-irq-settings-in-dt.patch new file mode 100644 index 00000000000..3774381a65b --- /dev/null +++ b/queue-4.16/x86-devicetree-fix-device-irq-settings-in-dt.patch @@ -0,0 +1,62 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Ivan Gorinov +Date: Wed, 7 Mar 2018 11:46:53 -0800 +Subject: x86/devicetree: Fix device IRQ settings in DT + +From: Ivan Gorinov + +[ Upstream commit 0a5169add90e43ab45ab1ba34223b8583fcaf675 ] + +IRQ parameters for the SoC devices connected directly to I/O APIC lines +(without PCI IRQ routing) may be specified in the Device Tree. + +Called from DT IRQ parser, irq_create_fwspec_mapping() calls +irq_domain_alloc_irqs() with a pointer to irq_fwspec structure as @arg. + +But x86-specific DT IRQ allocation code casts @arg to of_phandle_args +structure pointer and crashes trying to read the IRQ parameters. The +function was not converted when the mapping descriptor was changed to +irq_fwspec in the generic irqdomain code. + +Fixes: 11e4438ee330 ("irqdomain: Introduce a firmware-specific IRQ specifier structure") +Signed-off-by: Ivan Gorinov +Signed-off-by: Thomas Gleixner +Cc: Mark Rutland +Cc: Rob Herring +Link: https://lkml.kernel.org/r/a234dee27ea60ce76141872da0d6bdb378b2a9ee.1520450752.git.ivan.gorinov@intel.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/devicetree.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/arch/x86/kernel/devicetree.c ++++ b/arch/x86/kernel/devicetree.c +@@ -195,19 +195,22 @@ static struct of_ioapic_type of_ioapic_t + static int dt_irqdomain_alloc(struct irq_domain *domain, unsigned int virq, + unsigned int nr_irqs, void *arg) + { +- struct of_phandle_args *irq_data = (void *)arg; ++ struct irq_fwspec *fwspec = (struct irq_fwspec *)arg; + struct of_ioapic_type *it; + struct irq_alloc_info tmp; ++ int type_index; + +- if (WARN_ON(irq_data->args_count < 2)) ++ if (WARN_ON(fwspec->param_count < 2)) + return -EINVAL; +- if (irq_data->args[1] >= ARRAY_SIZE(of_ioapic_type)) ++ ++ type_index = fwspec->param[1]; ++ if (type_index >= ARRAY_SIZE(of_ioapic_type)) + return -EINVAL; + +- it = &of_ioapic_type[irq_data->args[1]]; ++ it = &of_ioapic_type[type_index]; + ioapic_set_alloc_attr(&tmp, NUMA_NO_NODE, it->trigger, it->polarity); + tmp.ioapic_id = mpc_ioapic_id(mp_irqdomain_ioapic_idx(domain)); +- tmp.ioapic_pin = irq_data->args[0]; ++ tmp.ioapic_pin = fwspec->param[0]; + + return mp_irqdomain_alloc(domain, virq, nr_irqs, &tmp); + } diff --git a/queue-4.16/x86-devicetree-initialize-device-tree-before-using-it.patch b/queue-4.16/x86-devicetree-initialize-device-tree-before-using-it.patch new file mode 100644 index 00000000000..89fc840a746 --- /dev/null +++ b/queue-4.16/x86-devicetree-initialize-device-tree-before-using-it.patch @@ -0,0 +1,58 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Ivan Gorinov +Date: Wed, 7 Mar 2018 11:46:29 -0800 +Subject: x86/devicetree: Initialize device tree before using it + +From: Ivan Gorinov + +[ Upstream commit 628df9dc5ad886b0a9b33c75a7b09710eb859ca1 ] + +Commit 08d53aa58cb1 added CRC32 calculation in early_init_dt_verify() and +checking in late initcall of_fdt_raw_init(), making early_init_dt_verify() +mandatory. + +The required call to early_init_dt_verify() was not added to the +x86-specific implementation, causing failure to create the sysfs entry in +of_fdt_raw_init(). + +Fixes: 08d53aa58cb1 ("of/fdt: export fdt blob as /sys/firmware/fdt") +Signed-off-by: Ivan Gorinov +Signed-off-by: Thomas Gleixner +Cc: Mark Rutland +Cc: Rob Herring +Link: https://lkml.kernel.org/r/c8c7e941efc63b5d25ebf9b6350b0f3df38f6098.1520450752.git.ivan.gorinov@intel.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/devicetree.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/arch/x86/kernel/devicetree.c ++++ b/arch/x86/kernel/devicetree.c +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -270,14 +271,15 @@ static void __init x86_flattree_get_conf + + map_len = max(PAGE_SIZE - (initial_dtb & ~PAGE_MASK), (u64)128); + +- initial_boot_params = dt = early_memremap(initial_dtb, map_len); +- size = of_get_flat_dt_size(); ++ dt = early_memremap(initial_dtb, map_len); ++ size = fdt_totalsize(dt); + if (map_len < size) { + early_memunmap(dt, map_len); +- initial_boot_params = dt = early_memremap(initial_dtb, size); ++ dt = early_memremap(initial_dtb, size); + map_len = size; + } + ++ early_init_dt_verify(dt); + unflatten_and_copy_device_tree(); + early_memunmap(dt, map_len); + } diff --git a/queue-4.16/x86-mce-amd-collect-error-info-even-if-valid-bits-are-not-set.patch b/queue-4.16/x86-mce-amd-collect-error-info-even-if-valid-bits-are-not-set.patch new file mode 100644 index 00000000000..4214894c4dd --- /dev/null +++ b/queue-4.16/x86-mce-amd-collect-error-info-even-if-valid-bits-are-not-set.patch @@ -0,0 +1,57 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Borislav Petkov +Date: Wed, 21 Feb 2018 11:18:56 +0100 +Subject: x86/mce/AMD: Collect error info even if valid bits are not set + +From: Borislav Petkov + +[ Upstream commit 4b1e84276a6172980c5bf39aa091ba13e90d6dad ] + +The MCA banks log error info into MCA_ADDR, MCA_MISC0, and MCA_SYND even +if the corresponding valid bits are not set: + +"Error handlers should save the values in MCA_ADDR, MCA_MISC0, +and MCA_SYND even if MCA_STATUS[AddrV], MCA_STATUS[MiscV], and +MCA_STATUS[SyndV] are zero." + +Do so by setting those bits so that code down the MCE processing path +doesn't need to be changed. + +Signed-off-by: Borislav Petkov +Cc: Borislav Petkov +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Tony Luck +Cc: linux-edac +Link: http://lkml.kernel.org/r/20180221101900.10326-5-bp@alien8.de +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/mcheck/mce.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/arch/x86/kernel/cpu/mcheck/mce.c ++++ b/arch/x86/kernel/cpu/mcheck/mce.c +@@ -444,6 +444,20 @@ static inline void mce_gather_info(struc + if (mca_cfg.rip_msr) + m->ip = mce_rdmsrl(mca_cfg.rip_msr); + } ++ ++ /* ++ * Error handlers should save the values in MCA_ADDR, MCA_MISC0, and ++ * MCA_SYND even if MCA_STATUS[AddrV], MCA_STATUS[MiscV], and ++ * MCA_STATUS[SyndV] are zero. ++ */ ++ if (m->cpuvendor == X86_VENDOR_AMD) { ++ u64 status = MCI_STATUS_ADDRV | MCI_STATUS_MISCV; ++ ++ if (mce_flags.smca) ++ status |= MCI_STATUS_SYNDV; ++ ++ m->status |= status; ++ } + } + + int mce_available(struct cpuinfo_x86 *c) diff --git a/queue-4.16/x86-mm-do-not-forbid-_page_rw-before-init-for-__ro_after_init.patch b/queue-4.16/x86-mm-do-not-forbid-_page_rw-before-init-for-__ro_after_init.patch new file mode 100644 index 00000000000..af379be48a7 --- /dev/null +++ b/queue-4.16/x86-mm-do-not-forbid-_page_rw-before-init-for-__ro_after_init.patch @@ -0,0 +1,64 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Dave Hansen +Date: Fri, 6 Apr 2018 13:55:14 -0700 +Subject: x86/mm: Do not forbid _PAGE_RW before init for __ro_after_init + +From: Dave Hansen + +[ Upstream commit 639d6aafe437a7464399d2a77d006049053df06f ] + +__ro_after_init data gets stuck in the .rodata section. That's normally +fine because the kernel itself manages the R/W properties. + +But, if we run __change_page_attr() on an area which is __ro_after_init, +the .rodata checks will trigger and force the area to be immediately +read-only, even if it is early-ish in boot. This caused problems when +trying to clear the _PAGE_GLOBAL bit for these area in the PTI code: +it cleared _PAGE_GLOBAL like I asked, but also took it up on itself +to clear _PAGE_RW. The kernel then oopses the next time it wrote to +a __ro_after_init data structure. + +To fix this, add the kernel_set_to_readonly check, just like we have +for kernel text, just a few lines below in this function. + +Signed-off-by: Dave Hansen +Acked-by: Kees Cook +Cc: Andrea Arcangeli +Cc: Andy Lutomirski +Cc: Arjan van de Ven +Cc: Borislav Petkov +Cc: Dan Williams +Cc: David Woodhouse +Cc: Greg Kroah-Hartman +Cc: Hugh Dickins +Cc: Josh Poimboeuf +Cc: Juergen Gross +Cc: Linus Torvalds +Cc: Nadav Amit +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux-mm@kvack.org +Link: http://lkml.kernel.org/r/20180406205514.8D898241@viggo.jf.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/mm/pageattr.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/x86/mm/pageattr.c ++++ b/arch/x86/mm/pageattr.c +@@ -298,9 +298,11 @@ static inline pgprot_t static_protection + + /* + * The .rodata section needs to be read-only. Using the pfn +- * catches all aliases. ++ * catches all aliases. This also includes __ro_after_init, ++ * so do not enforce until kernel_set_to_readonly is true. + */ +- if (within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT, ++ if (kernel_set_to_readonly && ++ within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT, + __pa_symbol(__end_rodata) >> PAGE_SHIFT)) + pgprot_val(forbidden) |= _PAGE_RW; + diff --git a/queue-4.16/x86-mm-fix-bogus-warning-during-efi-bootup-use-boot_cpu_has-instead-of-this_cpu_has-in-build_cr3_noflush.patch b/queue-4.16/x86-mm-fix-bogus-warning-during-efi-bootup-use-boot_cpu_has-instead-of-this_cpu_has-in-build_cr3_noflush.patch new file mode 100644 index 00000000000..db32d35a694 --- /dev/null +++ b/queue-4.16/x86-mm-fix-bogus-warning-during-efi-bootup-use-boot_cpu_has-instead-of-this_cpu_has-in-build_cr3_noflush.patch @@ -0,0 +1,86 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Sai Praneeth +Date: Wed, 4 Apr 2018 12:34:19 -0700 +Subject: x86/mm: Fix bogus warning during EFI bootup, use boot_cpu_has() instead of this_cpu_has() in build_cr3_noflush() + +From: Sai Praneeth + +[ Upstream commit 162ee5a8ab49be40d253f90e94aef712470a3a24 ] + +Linus reported the following boot warning: + + WARNING: CPU: 0 PID: 0 at arch/x86/include/asm/tlbflush.h:134 load_new_mm_cr3+0x114/0x170 + [...] + Call Trace: + switch_mm_irqs_off+0x267/0x590 + switch_mm+0xe/0x20 + efi_switch_mm+0x3e/0x50 + efi_enter_virtual_mode+0x43f/0x4da + start_kernel+0x3bf/0x458 + secondary_startup_64+0xa5/0xb0 + +... after merging: + + 03781e40890c: x86/efi: Use efi_switch_mm() rather than manually twiddling with %cr3 + +When the platform supports PCID and if CONFIG_DEBUG_VM=y is enabled, +build_cr3_noflush() (called via switch_mm()) does a sanity check to see +if X86_FEATURE_PCID is set. + +Presently, build_cr3_noflush() uses "this_cpu_has(X86_FEATURE_PCID)" to +perform the check but this_cpu_has() works only after SMP is initialized +(i.e. per cpu cpu_info's should be populated) and this happens to be very +late in the boot process (during rest_init()). + +As efi_runtime_services() are called during (early) kernel boot time +and run time, modify build_cr3_noflush() to use boot_cpu_has() all the +time. As suggested by Dave Hansen, this should be OK because all CPU's have +same capabilities on x86. + +With this change the warning is fixed. + +( Dave also suggested that we put a warning in this_cpu_has() if it's used + early in the boot process. This is still work in progress as it affects + MCE. ) + +Reported-by: Linus Torvalds +Signed-off-by: Sai Praneeth Prakhya +Cc: Andrew Morton +Cc: Andy Lutomirski +Cc: Ard Biesheuvel +Cc: Borislav Petkov +Cc: Dave Hansen +Cc: Lee Chun-Yi +Cc: Matt Fleming +Cc: Michael S. Tsirkin +Cc: Peter Zijlstra +Cc: Peter Zijlstra +Cc: Ravi Shankar +Cc: Ricardo Neri +Cc: Thomas Gleixner +Cc: Tony Luck +Cc: linux-efi@vger.kernel.org +Link: http://lkml.kernel.org/r/1522870459-7432-1-git-send-email-sai.praneeth.prakhya@intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/tlbflush.h | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/arch/x86/include/asm/tlbflush.h ++++ b/arch/x86/include/asm/tlbflush.h +@@ -131,7 +131,12 @@ static inline unsigned long build_cr3(pg + static inline unsigned long build_cr3_noflush(pgd_t *pgd, u16 asid) + { + VM_WARN_ON_ONCE(asid > MAX_ASID_AVAILABLE); +- VM_WARN_ON_ONCE(!this_cpu_has(X86_FEATURE_PCID)); ++ /* ++ * Use boot_cpu_has() instead of this_cpu_has() as this function ++ * might be called during early boot. This should work even after ++ * boot because all CPU's the have same capabilities: ++ */ ++ VM_WARN_ON_ONCE(!boot_cpu_has(X86_FEATURE_PCID)); + return __sme_pa(pgd) | kern_pcid(asid) | CR3_NOFLUSH; + } + diff --git a/queue-4.16/x86-pgtable-don-t-set-huge-pud-pmd-on-non-leaf-entries.patch b/queue-4.16/x86-pgtable-don-t-set-huge-pud-pmd-on-non-leaf-entries.patch new file mode 100644 index 00000000000..f2305756964 --- /dev/null +++ b/queue-4.16/x86-pgtable-don-t-set-huge-pud-pmd-on-non-leaf-entries.patch @@ -0,0 +1,99 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Joerg Roedel +Date: Wed, 11 Apr 2018 17:24:38 +0200 +Subject: x86/pgtable: Don't set huge PUD/PMD on non-leaf entries + +From: Joerg Roedel + +[ Upstream commit e3e288121408c3abeed5af60b87b95c847143845 ] + +The pmd_set_huge() and pud_set_huge() functions are used from +the generic ioremap() code to establish large mappings where this +is possible. + +But the generic ioremap() code does not check whether the +PMD/PUD entries are already populated with a non-leaf entry, +so that any page-table pages these entries point to will be +lost. + +Further, on x86-32 with SHARED_KERNEL_PMD=0, this causes a +BUG_ON() in vmalloc_sync_one() when PMD entries are synced +from swapper_pg_dir to the current page-table. This happens +because the PMD entry from swapper_pg_dir was promoted to a +huge-page entry while the current PGD still contains the +non-leaf entry. Because both entries are present and point +to a different page, the BUG_ON() triggers. + +This was actually triggered with pti-x32 enabled in a KVM +virtual machine by the graphics driver. + +A real and better fix for that would be to improve the +page-table handling in the generic ioremap() code. But that is +out-of-scope for this patch-set and left for later work. + +Reported-by: David H. Gutteridge +Signed-off-by: Joerg Roedel +Reviewed-by: Thomas Gleixner +Cc: Andrea Arcangeli +Cc: Andy Lutomirski +Cc: Boris Ostrovsky +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Dave Hansen +Cc: David Laight +Cc: Denys Vlasenko +Cc: Eduardo Valentin +Cc: Greg KH +Cc: Jiri Kosina +Cc: Josh Poimboeuf +Cc: Juergen Gross +Cc: Linus Torvalds +Cc: Pavel Machek +Cc: Peter Zijlstra +Cc: Waiman Long +Cc: Will Deacon +Cc: aliguori@amazon.com +Cc: daniel.gruss@iaik.tugraz.at +Cc: hughd@google.com +Cc: keescook@google.com +Cc: linux-mm@kvack.org +Link: http://lkml.kernel.org/r/20180411152437.GC15462@8bytes.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/mm/pgtable.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/arch/x86/mm/pgtable.c ++++ b/arch/x86/mm/pgtable.c +@@ -1,6 +1,7 @@ + // SPDX-License-Identifier: GPL-2.0 + #include + #include ++#include + #include + #include + #include +@@ -636,6 +637,10 @@ int pud_set_huge(pud_t *pud, phys_addr_t + (mtrr != MTRR_TYPE_WRBACK)) + return 0; + ++ /* Bail out if we are we on a populated non-leaf entry: */ ++ if (pud_present(*pud) && !pud_huge(*pud)) ++ return 0; ++ + prot = pgprot_4k_2_large(prot); + + set_pte((pte_t *)pud, pfn_pte( +@@ -664,6 +669,10 @@ int pmd_set_huge(pmd_t *pmd, phys_addr_t + return 0; + } + ++ /* Bail out if we are we on a populated non-leaf entry: */ ++ if (pmd_present(*pmd) && !pmd_huge(*pmd)) ++ return 0; ++ + prot = pgprot_4k_2_large(prot); + + set_pte((pte_t *)pmd, pfn_pte( diff --git a/queue-4.16/x86-xen-add-pvh-specific-rsdp-address-retrieval-function.patch b/queue-4.16/x86-xen-add-pvh-specific-rsdp-address-retrieval-function.patch new file mode 100644 index 00000000000..443de1b0265 --- /dev/null +++ b/queue-4.16/x86-xen-add-pvh-specific-rsdp-address-retrieval-function.patch @@ -0,0 +1,83 @@ +From foo@baz Tue May 1 14:59:18 PDT 2018 +From: Juergen Gross +Date: Mon, 19 Feb 2018 11:09:06 +0100 +Subject: x86/xen: Add pvh specific rsdp address retrieval function + +From: Juergen Gross + +[ Upstream commit b17d9d1df3c33a4f1d2bf397e2257aecf9dc56d4 ] + +Add pvh_get_root_pointer() for Xen PVH guests to communicate the +address of the RSDP table given to the kernel via Xen start info. + +This makes the kernel boot again in PVH mode after on recent Xen the +RSDP was moved to higher addresses. So up to that change it was pure +luck that the legacy method to locate the RSDP was working when +running as PVH mode. + +Signed-off-by: Juergen Gross +Reviewed-by: Andy Shevchenko +Acked-by: Thomas Gleixner +Acked-by: Rafael J. Wysocki +Cc: Borislav Petkov +Cc: Eric Biederman +Cc: H. Peter Anvin +Cc: Kees Cook +Cc: Kirill A. Shutemov +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: boris.ostrovsky@oracle.com +Cc: lenb@kernel.org +Cc: linux-acpi@vger.kernel.org +Cc: xen-devel@lists.xenproject.org +Link: http://lkml.kernel.org/r/20180219100906.14265-4-jgross@suse.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/xen/enlighten_pvh.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/arch/x86/xen/enlighten_pvh.c ++++ b/arch/x86/xen/enlighten_pvh.c +@@ -6,6 +6,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -16,15 +17,20 @@ + /* + * PVH variables. + * +- * xen_pvh and pvh_bootparams need to live in data segment since they +- * are used after startup_{32|64}, which clear .bss, are invoked. ++ * xen_pvh pvh_bootparams and pvh_start_info need to live in data segment ++ * since they are used after startup_{32|64}, which clear .bss, are invoked. + */ + bool xen_pvh __attribute__((section(".data"))) = 0; + struct boot_params pvh_bootparams __attribute__((section(".data"))); ++struct hvm_start_info pvh_start_info __attribute__((section(".data"))); + +-struct hvm_start_info pvh_start_info; + unsigned int pvh_start_info_sz = sizeof(pvh_start_info); + ++static u64 pvh_get_root_pointer(void) ++{ ++ return pvh_start_info.rsdp_paddr; ++} ++ + static void __init init_pvh_bootparams(void) + { + struct xen_memory_map memmap; +@@ -71,6 +77,8 @@ static void __init init_pvh_bootparams(v + */ + pvh_bootparams.hdr.version = 0x212; + pvh_bootparams.hdr.type_of_loader = (9 << 4) | 0; /* Xen loader */ ++ ++ x86_init.acpi.get_root_pointer = pvh_get_root_pointer; + } + + /* diff --git a/queue-4.16/xen-acpi-off-by-one-in-read_acpi_id.patch b/queue-4.16/xen-acpi-off-by-one-in-read_acpi_id.patch new file mode 100644 index 00000000000..9bbb3d3cfae --- /dev/null +++ b/queue-4.16/xen-acpi-off-by-one-in-read_acpi_id.patch @@ -0,0 +1,39 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Dan Carpenter +Date: Thu, 29 Mar 2018 12:01:53 +0300 +Subject: xen/acpi: off by one in read_acpi_id() + +From: Dan Carpenter + +[ Upstream commit c37a3c94775855567b90f91775b9691e10bd2806 ] + +If acpi_id is == nr_acpi_bits, then we access one element beyond the end +of the acpi_psd[] array or we set one bit beyond the end of the bit map +when we do __set_bit(acpi_id, acpi_id_present); + +Fixes: 59a568029181 ("xen/acpi-processor: C and P-state driver that uploads said data to hypervisor.") +Signed-off-by: Dan Carpenter +Reviewed-by: Joao Martins +Reviewed-by: Juergen Gross +Signed-off-by: Boris Ostrovsky +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/xen/xen-acpi-processor.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/xen/xen-acpi-processor.c ++++ b/drivers/xen/xen-acpi-processor.c +@@ -362,9 +362,9 @@ read_acpi_id(acpi_handle handle, u32 lvl + } + /* There are more ACPI Processor objects than in x2APIC or MADT. + * This can happen with incorrect ACPI SSDT declerations. */ +- if (acpi_id > nr_acpi_bits) { +- pr_debug("We only have %u, trying to set %u\n", +- nr_acpi_bits, acpi_id); ++ if (acpi_id >= nr_acpi_bits) { ++ pr_debug("max acpi id %u, trying to set %u\n", ++ nr_acpi_bits - 1, acpi_id); + return AE_OK; + } + /* OK, There is a ACPI Processor object */ diff --git a/queue-4.16/xhci-zero-usb-device-slot_id-member-when-disabling-and-freeing-a-xhci-slot.patch b/queue-4.16/xhci-zero-usb-device-slot_id-member-when-disabling-and-freeing-a-xhci-slot.patch new file mode 100644 index 00000000000..c4348cdc291 --- /dev/null +++ b/queue-4.16/xhci-zero-usb-device-slot_id-member-when-disabling-and-freeing-a-xhci-slot.patch @@ -0,0 +1,38 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Mathias Nyman +Date: Fri, 16 Mar 2018 16:33:01 +0200 +Subject: xhci: zero usb device slot_id member when disabling and freeing a xhci slot + +From: Mathias Nyman + +[ Upstream commit a400efe455f7b61ac9a801ac8d0d01f8c8d82dd5 ] + +set udev->slot_id to zero when disabling and freeing the xhci slot. +Prevents usb core from calling xhci with a stale slot id. + +xHC controller may be reset during resume to recover from some error. +All slots are unusable as they are disabled and freed. +xhci driver starts slot enumeration again from 1 in the order they are +enabled. In the worst case a stale udev->slot_id for one device matches +a newly enabled slot_id for a different device, causing us to +perform a action on the wrong device. + +Signed-off-by: Mathias Nyman +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-mem.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/host/xhci-mem.c ++++ b/drivers/usb/host/xhci-mem.c +@@ -913,6 +913,8 @@ void xhci_free_virt_device(struct xhci_h + if (dev->out_ctx) + xhci_free_container_ctx(xhci, dev->out_ctx); + ++ if (dev->udev && dev->udev->slot_id) ++ dev->udev->slot_id = 0; + kfree(xhci->devs[slot_id]); + xhci->devs[slot_id] = NULL; + } diff --git a/queue-4.16/z3fold-fix-memory-leak.patch b/queue-4.16/z3fold-fix-memory-leak.patch new file mode 100644 index 00000000000..e2b13b5783c --- /dev/null +++ b/queue-4.16/z3fold-fix-memory-leak.patch @@ -0,0 +1,61 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Xidong Wang +Date: Tue, 10 Apr 2018 16:29:34 -0700 +Subject: z3fold: fix memory leak + +From: Xidong Wang + +[ Upstream commit 1ec6995d1290bfb87cc3a51f0836c889e857cef9 ] + +In z3fold_create_pool(), the memory allocated by __alloc_percpu() is not +released on the error path that pool->compact_wq , which holds the +return value of create_singlethread_workqueue(), is NULL. This will +result in a memory leak bug. + +[akpm@linux-foundation.org: fix oops on kzalloc() failure, check __alloc_percpu() retval] +Link: http://lkml.kernel.org/r/1522803111-29209-1-git-send-email-wangxidong_97@163.com +Signed-off-by: Xidong Wang +Reviewed-by: Andrew Morton +Cc: Vitaly Wool +Cc: Mike Rapoport +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/z3fold.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/mm/z3fold.c ++++ b/mm/z3fold.c +@@ -467,6 +467,8 @@ static struct z3fold_pool *z3fold_create + spin_lock_init(&pool->lock); + spin_lock_init(&pool->stale_lock); + pool->unbuddied = __alloc_percpu(sizeof(struct list_head)*NCHUNKS, 2); ++ if (!pool->unbuddied) ++ goto out_pool; + for_each_possible_cpu(cpu) { + struct list_head *unbuddied = + per_cpu_ptr(pool->unbuddied, cpu); +@@ -479,7 +481,7 @@ static struct z3fold_pool *z3fold_create + pool->name = name; + pool->compact_wq = create_singlethread_workqueue(pool->name); + if (!pool->compact_wq) +- goto out; ++ goto out_unbuddied; + pool->release_wq = create_singlethread_workqueue(pool->name); + if (!pool->release_wq) + goto out_wq; +@@ -489,8 +491,11 @@ static struct z3fold_pool *z3fold_create + + out_wq: + destroy_workqueue(pool->compact_wq); +-out: ++out_unbuddied: ++ free_percpu(pool->unbuddied); ++out_pool: + kfree(pool); ++out: + return NULL; + } + diff --git a/queue-4.16/zorro-set-up-z-dev.dma_mask-for-the-dma-api.patch b/queue-4.16/zorro-set-up-z-dev.dma_mask-for-the-dma-api.patch new file mode 100644 index 00000000000..38b092292a3 --- /dev/null +++ b/queue-4.16/zorro-set-up-z-dev.dma_mask-for-the-dma-api.patch @@ -0,0 +1,55 @@ +From foo@baz Tue May 1 14:59:17 PDT 2018 +From: Michael Schmitz +Date: Sat, 3 Mar 2018 12:04:13 +1300 +Subject: zorro: Set up z->dev.dma_mask for the DMA API + +From: Michael Schmitz + +[ Upstream commit 55496d3fe2acd1a365c43cbd613a20ecd4d74395 ] + +The generic DMA API uses dev->dma_mask to check the DMA addressable +memory bitmask, and warns if no mask is set or even allocated. + +Set z->dev.dma_coherent_mask on Zorro bus scan, and make z->dev.dma_mask +to point to z->dev.dma_coherent_mask so device drivers that need DMA have +everything set up to avoid warnings from dma_alloc_coherent(). Drivers can +still use dma_set_mask_and_coherent() to explicitly set their DMA bit mask. + +Signed-off-by: Michael Schmitz +[geert: Handle Zorro II with 24-bit address space] +Acked-by: Christoph Hellwig +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/zorro/zorro.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/zorro/zorro.c ++++ b/drivers/zorro/zorro.c +@@ -16,6 +16,7 @@ + #include + #include + #include ++#include + #include + + #include +@@ -185,6 +186,17 @@ static int __init amiga_zorro_probe(stru + z->dev.parent = &bus->dev; + z->dev.bus = &zorro_bus_type; + z->dev.id = i; ++ switch (z->rom.er_Type & ERT_TYPEMASK) { ++ case ERT_ZORROIII: ++ z->dev.coherent_dma_mask = DMA_BIT_MASK(32); ++ break; ++ ++ case ERT_ZORROII: ++ default: ++ z->dev.coherent_dma_mask = DMA_BIT_MASK(24); ++ break; ++ } ++ z->dev.dma_mask = &z->dev.coherent_dma_mask; + } + + /* ... then register them */ -- 2.47.3