From 8e740e6d918e6b727784059099b45bfd8b84bc80 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sat, 9 Feb 2019 12:52:48 -0500 Subject: [PATCH] autosel patches for 3.18 Signed-off-by: Sasha Levin --- ...exec-offline-panic_smp_self_stop-cpu.patch | 63 ++++++++ ...ts-fix-omap4430-sdp-ethernet-startup.patch | 65 ++++++++ queue-3.18/arm-mmp-fix-timer_init-calls.patch | 112 +++++++++++++ .../arm-mmp-mmp2-dt-enable-the-clock.patch | 153 ++++++++++++++++++ ...2-hwmod-fix-some-section-annotations.patch | 76 +++++++++ ...m-pxa-avoid-section-mismatch-warning.patch | 76 +++++++++ ...m64-ftrace-don-t-adjust-the-lr-value.patch | 53 ++++++ ...4-kvm-skip-mmio-insn-after-emulation.patch | 63 ++++++++ ..._soc_eukrea_tlv320-build-error-on-i..patch | 45 ++++++ ...-authentication-messages-for-late-ac.patch | 39 +++++ ...ebusy-error-when-re-opening-device-a.patch | 42 +++++ ..._buf_start-for-null-before-dereferen.patch | 48 ++++++ ...nsure-mmdc-ch0-handshake-is-bypassed.patch | 46 ++++++ ...cpuidle-big.little-fix-refcount-leak.patch | 47 ++++++ ...-proper-enum-in-cryp_set_dma_transfe.patch | 62 +++++++ ...-proper-enum-in-hash_set_dma_transfe.patch | 47 ++++++ ...the-cpu-with-callbacks-queued-during.patch | 60 +++++++ ...-warning-about-pointless-switch-stat.patch | 72 +++++++++ ...if-the-wrong-uuids-are-attached-on-a.patch | 46 ++++++ ...rcu_read_lock-in-drbd_sync_handshake.patch | 82 ++++++++++ ...us-timeout-ping-timeo-when-failing-p.patch | 60 +++++++ ...-don-t-blindly-truncate-shebang-stri.patch | 54 +++++++ ...ta-flush-to-write-checkpoint-process.patch | 48 ++++++ ...unregister-crash-when-more-than-one-.patch | 84 ++++++++++ ...ve-better-with-small-rotated-display.patch | 62 +++++++ ...epoll-drop-ovflist-branch-prediction.patch | 55 +++++++ queue-3.18/gdrom-fix-a-memory-leak-bug.patch | 39 +++++ ...-missing-check-of-bus-read-in-lm80-p.patch | 53 ++++++ ...-missing-check-of-the-status-of-smbu.patch | 58 +++++++ ...-that-pme-is-not-enabled-during-runt.patch | 48 ++++++ ...ci-fix-a-possible-concurrency-use-af.patch | 53 ++++++ ...k.c-break-rcu-locks-based-on-jiffies.patch | 69 ++++++++ ...be-fix-error-handling-in-vpbe_initia.patch | 55 +++++++ ...-memstick-host-from-getting-runtime-.patch | 57 +++++++ ...pf-fix-encoding-bug-for-mm_srlv32_op.patch | 47 ++++++ ...-symbol-names-also-in-find_elf_symbo.patch | 102 ++++++++++++ ...mount_options-always-compare-auth-fl.patch | 55 +++++++ ...on-writing-v4_end_grace-before-nfsd-.patch | 40 +++++ ...issing-checks-of-niu_pci_eeprom_read.patch | 49 ++++++ ...n-t-clear-bh-uptodate-for-block-read.patch | 68 ++++++++ .../perf-tools-add-hygon-dhyana-support.patch | 42 +++++ ...add-of_node_put-in-dlpar_detach_node.patch | 45 ++++++ ...ess-fix-warning-error-with-access_ok.patch | 45 ++++++ .../sata_rcar-fix-deferred-probing.patch | 41 +++++ ...tacktrace-only-strip-base-path-when-.patch | 48 ++++++ ...t-clear-parity-enable-bit-when-disab.patch | 49 ++++++ queue-3.18/series | 59 +++++++ ...k-fix-access-permissions-for-keyring.patch | 66 ++++++++ ...on-t-leak-device-tree-node-reference.patch | 44 +++++ ...90-make-probe-handle-spi_setup-failu.patch | 46 ++++++ ...ng-iio-ad7780-update-voltage-on-read.patch | 44 +++++ ...ad7280a-handle-error-from-__ad7280_r.patch | 70 ++++++++ ...ping-use-proper-seqcount-initializer.patch | 45 ++++++ ...ng-properly-set-flags-in-autocts-mod.patch | 45 ++++++ .../udf-fix-bug-on-corrupted-inode.patch | 38 +++++ ...arking-pages-with-changed-protection.patch | 56 +++++++ ...b-autosuspend-if-usb3-port-is-still-.patch | 49 ++++++ ...fb-release-disp-device-node-in-probe.patch | 47 ++++++ ...dcom-cnb20le-unintended-sign-extensi.patch | 42 +++++ ...-spi-check-in-__xfrm6_tunnel_alloc_s.patch | 39 +++++ 60 files changed, 3413 insertions(+) create mode 100644 queue-3.18/arm-8808-1-kexec-offline-panic_smp_self_stop-cpu.patch create mode 100644 queue-3.18/arm-dts-fix-omap4430-sdp-ethernet-startup.patch create mode 100644 queue-3.18/arm-mmp-fix-timer_init-calls.patch create mode 100644 queue-3.18/arm-mmp-mmp2-dt-enable-the-clock.patch create mode 100644 queue-3.18/arm-omap2-hwmod-fix-some-section-annotations.patch create mode 100644 queue-3.18/arm-pxa-avoid-section-mismatch-warning.patch create mode 100644 queue-3.18/arm64-ftrace-don-t-adjust-the-lr-value.patch create mode 100644 queue-3.18/arm64-kvm-skip-mmio-insn-after-emulation.patch create mode 100644 queue-3.18/asoc-fsl-fix-snd_soc_eukrea_tlv320-build-error-on-i..patch create mode 100644 queue-3.18/ath9k-dynack-use-authentication-messages-for-late-ac.patch create mode 100644 queue-3.18/block-swim3-fix-ebusy-error-when-re-opening-device-a.patch create mode 100644 queue-3.18/cifs-check-ntwrk_buf_start-for-null-before-dereferen.patch create mode 100644 queue-3.18/clk-imx6sl-ensure-mmdc-ch0-handshake-is-bypassed.patch create mode 100644 queue-3.18/cpuidle-big.little-fix-refcount-leak.patch create mode 100644 queue-3.18/crypto-ux500-use-proper-enum-in-cryp_set_dma_transfe.patch create mode 100644 queue-3.18/crypto-ux500-use-proper-enum-in-hash_set_dma_transfe.patch create mode 100644 queue-3.18/dlm-don-t-swamp-the-cpu-with-callbacks-queued-during.patch create mode 100644 queue-3.18/drbd-avoid-clang-warning-about-pointless-switch-stat.patch create mode 100644 queue-3.18/drbd-disconnect-if-the-wrong-uuids-are-attached-on-a.patch create mode 100644 queue-3.18/drbd-narrow-rcu_read_lock-in-drbd_sync_handshake.patch create mode 100644 queue-3.18/drbd-skip-spurious-timeout-ping-timeo-when-failing-p.patch create mode 100644 queue-3.18/exec-load_script-don-t-blindly-truncate-shebang-stri.patch create mode 100644 queue-3.18/f2fs-move-dir-data-flush-to-write-checkpoint-process.patch create mode 100644 queue-3.18/fbdev-fbcon-fix-unregister-crash-when-more-than-one-.patch create mode 100644 queue-3.18/fbdev-fbmem-behave-better-with-small-rotated-display.patch create mode 100644 queue-3.18/fs-epoll-drop-ovflist-branch-prediction.patch create mode 100644 queue-3.18/gdrom-fix-a-memory-leak-bug.patch create mode 100644 queue-3.18/hwmon-lm80-fix-a-missing-check-of-bus-read-in-lm80-p.patch create mode 100644 queue-3.18/hwmon-lm80-fix-a-missing-check-of-the-status-of-smbu.patch create mode 100644 queue-3.18/igb-fix-an-issue-that-pme-is-not-enabled-during-runt.patch create mode 100644 queue-3.18/isdn-hisax-hfc_pci-fix-a-possible-concurrency-use-af.patch create mode 100644 queue-3.18/kernel-hung_task.c-break-rcu-locks-based-on-jiffies.patch create mode 100644 queue-3.18/media-davinci-vpbe-fix-error-handling-in-vpbe_initia.patch create mode 100644 queue-3.18/memstick-prevent-memstick-host-from-getting-runtime-.patch create mode 100644 queue-3.18/mips-bpf-fix-encoding-bug-for-mm_srlv32_op.patch create mode 100644 queue-3.18/modpost-validate-symbol-names-also-in-find_elf_symbo.patch create mode 100644 queue-3.18/nfs-nfs_compare_mount_options-always-compare-auth-fl.patch create mode 100644 queue-3.18/nfsd4-fix-crash-on-writing-v4_end_grace-before-nfsd-.patch create mode 100644 queue-3.18/niu-fix-missing-checks-of-niu_pci_eeprom_read.patch create mode 100644 queue-3.18/ocfs2-don-t-clear-bh-uptodate-for-block-read.patch create mode 100644 queue-3.18/perf-tools-add-hygon-dhyana-support.patch create mode 100644 queue-3.18/powerpc-pseries-add-of_node_put-in-dlpar_detach_node.patch create mode 100644 queue-3.18/powerpc-uaccess-fix-warning-error-with-access_ok.patch create mode 100644 queue-3.18/sata_rcar-fix-deferred-probing.patch create mode 100644 queue-3.18/scripts-decode_stacktrace-only-strip-base-path-when-.patch create mode 100644 queue-3.18/serial-fsl_lpuart-clear-parity-enable-bit-when-disab.patch create mode 100644 queue-3.18/series create mode 100644 queue-3.18/smack-fix-access-permissions-for-keyring.patch create mode 100644 queue-3.18/soc-tegra-don-t-leak-device-tree-node-reference.patch create mode 100644 queue-3.18/staging-iio-ad2s90-make-probe-handle-spi_setup-failu.patch create mode 100644 queue-3.18/staging-iio-ad7780-update-voltage-on-read.patch create mode 100644 queue-3.18/staging-iio-adc-ad7280a-handle-error-from-__ad7280_r.patch create mode 100644 queue-3.18/timekeeping-use-proper-seqcount-initializer.patch create mode 100644 queue-3.18/tty-serial-samsung-properly-set-flags-in-autocts-mod.patch create mode 100644 queue-3.18/udf-fix-bug-on-corrupted-inode.patch create mode 100644 queue-3.18/um-avoid-marking-pages-with-changed-protection.patch create mode 100644 queue-3.18/usb-hub-delay-hub-autosuspend-if-usb3-port-is-still-.patch create mode 100644 queue-3.18/video-clps711x-fb-release-disp-device-node-in-probe.patch create mode 100644 queue-3.18/x86-pci-fix-broadcom-cnb20le-unintended-sign-extensi.patch create mode 100644 queue-3.18/xfrm6_tunnel-fix-spi-check-in-__xfrm6_tunnel_alloc_s.patch diff --git a/queue-3.18/arm-8808-1-kexec-offline-panic_smp_self_stop-cpu.patch b/queue-3.18/arm-8808-1-kexec-offline-panic_smp_self_stop-cpu.patch new file mode 100644 index 00000000000..8c97c1eaf52 --- /dev/null +++ b/queue-3.18/arm-8808-1-kexec-offline-panic_smp_self_stop-cpu.patch @@ -0,0 +1,63 @@ +From 1dcb2880b82d515058d0099d59d678a6b71ac9d4 Mon Sep 17 00:00:00 2001 +From: Yufen Wang +Date: Fri, 2 Nov 2018 11:51:31 +0100 +Subject: ARM: 8808/1: kexec:offline panic_smp_self_stop CPU + +[ Upstream commit 82c08c3e7f171aa7f579b231d0abbc1d62e91974 ] + +In case panic() and panic() called at the same time on different CPUS. +For example: +CPU 0: + panic() + __crash_kexec + machine_crash_shutdown + crash_smp_send_stop + machine_kexec + BUG_ON(num_online_cpus() > 1); + +CPU 1: + panic() + local_irq_disable + panic_smp_self_stop + +If CPU 1 calls panic_smp_self_stop() before crash_smp_send_stop(), kdump +fails. CPU1 can't receive the ipi irq, CPU1 will be always online. +To fix this problem, this patch split out the panic_smp_self_stop() +and add set_cpu_online(smp_processor_id(), false). + +Signed-off-by: Yufen Wang +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/kernel/smp.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c +index a8e32aaf0383..bae65844ff03 100644 +--- a/arch/arm/kernel/smp.c ++++ b/arch/arm/kernel/smp.c +@@ -658,6 +658,21 @@ void smp_send_stop(void) + pr_warn("SMP: failed to stop secondary CPUs\n"); + } + ++/* In case panic() and panic() called at the same time on CPU1 and CPU2, ++ * and CPU 1 calls panic_smp_self_stop() before crash_smp_send_stop() ++ * CPU1 can't receive the ipi irqs from CPU2, CPU1 will be always online, ++ * kdump fails. So split out the panic_smp_self_stop() and add ++ * set_cpu_online(smp_processor_id(), false). ++ */ ++void panic_smp_self_stop(void) ++{ ++ pr_debug("CPU %u will stop doing anything useful since another CPU has paniced\n", ++ smp_processor_id()); ++ set_cpu_online(smp_processor_id(), false); ++ while (1) ++ cpu_relax(); ++} ++ + /* + * not supported here + */ +-- +2.19.1 + diff --git a/queue-3.18/arm-dts-fix-omap4430-sdp-ethernet-startup.patch b/queue-3.18/arm-dts-fix-omap4430-sdp-ethernet-startup.patch new file mode 100644 index 00000000000..b9004bd33b9 --- /dev/null +++ b/queue-3.18/arm-dts-fix-omap4430-sdp-ethernet-startup.patch @@ -0,0 +1,65 @@ +From ab579e449d621712a4303b08cc7121ad94c3512f Mon Sep 17 00:00:00 2001 +From: Russell King - ARM Linux +Date: Fri, 7 Dec 2018 09:17:07 -0800 +Subject: ARM: dts: Fix OMAP4430 SDP Ethernet startup + +[ Upstream commit 84fb6c7feb1494ebb7d1ec8b95cfb7ada0264465 ] + +It was noticed that unbinding and rebinding the KSZ8851 ethernet +resulted in the driver reporting "failed to read device ID" at probe. +Probing the reset line with a 'scope while repeatedly attempting to +bind the driver in a shell loop revealed that the KSZ8851 RSTN pin is +constantly held at zero, meaning the device is held in reset, and +does not respond on the SPI bus. + +Experimentation with the startup delay on the regulator set to 50ms +shows that the reset is positively released after 20ms. + +Schematics for this board are not available, and the traces are buried +in the inner layers of the board which makes tracing where the RSTN pin +extremely difficult. We can only guess that the RSTN pin is wired to a +reset generator chip driven off the ethernet supply, which fits the +observed behaviour. + +Include this delay in the regulator startup delay - effectively +treating the reset as a "supply stable" indicator. + +This can not be modelled as a delay in the KSZ8851 driver since the +reset generation is board specific - if the RSTN pin had been wired to +a GPIO, reset could be released earlier via the already provided support +in the KSZ8851 driver. + +This also got confirmed by Peter Ujfalusi based +on Blaze schematics that should be very close to SDP4430: + +TPS22902YFPR is used as the regulator switch (gpio48 controlled): +Convert arm boot_lock to raw The VOUT is routed to TPS3808G01DBV. +(SCH Note: Threshold set at 90%. Vsense: 0.405V). + +According to the TPS3808 data sheet the RESET delay time when Ct is +open (this is the case in the schema): MIN/TYP/MAX: 12/20/28 ms. + +Signed-off-by: Russell King +Reviewed-by: Peter Ujfalusi +[tony@atomide.com: updated with notes from schematics from Peter] +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/omap4-sdp.dts | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/boot/dts/omap4-sdp.dts b/arch/arm/boot/dts/omap4-sdp.dts +index 3e1da43068f6..4669854614c3 100644 +--- a/arch/arm/boot/dts/omap4-sdp.dts ++++ b/arch/arm/boot/dts/omap4-sdp.dts +@@ -33,6 +33,7 @@ + gpio = <&gpio2 16 0>; /* gpio line 48 */ + enable-active-high; + regulator-boot-on; ++ startup-delay-us = <25000>; + }; + + vbat: fixedregulator-vbat { +-- +2.19.1 + diff --git a/queue-3.18/arm-mmp-fix-timer_init-calls.patch b/queue-3.18/arm-mmp-fix-timer_init-calls.patch new file mode 100644 index 00000000000..4c3b6b3c6e6 --- /dev/null +++ b/queue-3.18/arm-mmp-fix-timer_init-calls.patch @@ -0,0 +1,112 @@ +From 233638cf845332de3f12c566962e8b31d91d9acb Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 10 Dec 2018 21:43:01 +0100 +Subject: ARM: mmp: fix timer_init calls + +[ Upstream commit 12d3a30db4a3b3df5fbadf5974b9cf50544a9950 ] + +The change to passing the timer frequency as a function argument +was a good idea, but caused a build failure for one user that +was missed in the update: + +arch/arm/mach-mmp/time.c: In function 'mmp_dt_init_timer': +arch/arm/mach-mmp/time.c:242:2: error: implicit declaration of function 'timer_init'; did you mean 'hrtimer_init'? [-Werror=implicit-function-declaration] + +Change that as well to fix the build error, and rename the +function to put it into a proper namespace and make it clearer +what is actually going on. + +I saw that the high 6500000 HZ frequency was previously only +set with CONFIG_MMP2, but is now also used with MMP (pxa910), +so I'm changing that back here. Please make sure that the +frequencies are all correct now. + +Fixes: f36797ee4380 ("ARM: mmp/mmp2: dt: enable the clock") +Signed-off-by: Arnd Bergmann +Signed-off-by: Olof Johansson +Signed-off-by: Sasha Levin +--- + arch/arm/mach-mmp/common.h | 2 +- + arch/arm/mach-mmp/mmp2.c | 2 +- + arch/arm/mach-mmp/pxa168.c | 2 +- + arch/arm/mach-mmp/pxa910.c | 2 +- + arch/arm/mach-mmp/time.c | 4 ++-- + 5 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/arch/arm/mach-mmp/common.h b/arch/arm/mach-mmp/common.h +index 69c7eec6d1e0..10779ab9d55f 100644 +--- a/arch/arm/mach-mmp/common.h ++++ b/arch/arm/mach-mmp/common.h +@@ -1,7 +1,7 @@ + #include + #define ARRAY_AND_SIZE(x) (x), ARRAY_SIZE(x) + +-extern void timer_init(int irq, unsigned long rate); ++extern void mmp_timer_init(int irq, unsigned long rate); + + extern void __init mmp_map_io(void); + extern void mmp_restart(enum reboot_mode, const char *); +diff --git a/arch/arm/mach-mmp/mmp2.c b/arch/arm/mach-mmp/mmp2.c +index 90a0d8114af2..c02a1f14aa02 100644 +--- a/arch/arm/mach-mmp/mmp2.c ++++ b/arch/arm/mach-mmp/mmp2.c +@@ -133,7 +133,7 @@ void __init mmp2_timer_init(void) + clk_rst = APBC_APBCLK | APBC_FNCLK | APBC_FNCLKSEL(1); + __raw_writel(clk_rst, APBC_TIMERS); + +- timer_init(IRQ_MMP2_TIMER1, 6500000); ++ mmp_timer_init(IRQ_MMP2_TIMER1, 6500000); + } + + /* on-chip devices */ +diff --git a/arch/arm/mach-mmp/pxa168.c b/arch/arm/mach-mmp/pxa168.c +index 5a616db7f392..94230041ec8f 100644 +--- a/arch/arm/mach-mmp/pxa168.c ++++ b/arch/arm/mach-mmp/pxa168.c +@@ -78,7 +78,7 @@ void __init pxa168_timer_init(void) + /* 3.25MHz, bus/functional clock enabled, release reset */ + __raw_writel(TIMER_CLK_RST, APBC_TIMERS); + +- timer_init(IRQ_PXA168_TIMER1, 6500000); ++ mmp_timer_init(IRQ_PXA168_TIMER1, 3250000); + } + + void pxa168_clear_keypad_wakeup(void) +diff --git a/arch/arm/mach-mmp/pxa910.c b/arch/arm/mach-mmp/pxa910.c +index eb57ee196842..6b002763721d 100644 +--- a/arch/arm/mach-mmp/pxa910.c ++++ b/arch/arm/mach-mmp/pxa910.c +@@ -114,7 +114,7 @@ void __init pxa910_timer_init(void) + __raw_writel(APBC_APBCLK | APBC_RST, APBC_TIMERS); + __raw_writel(TIMER_CLK_RST, APBC_TIMERS); + +- timer_init(IRQ_PXA910_AP1_TIMER1); ++ mmp_timer_init(IRQ_PXA910_AP1_TIMER1, 3250000); + } + + /* on-chip devices */ +diff --git a/arch/arm/mach-mmp/time.c b/arch/arm/mach-mmp/time.c +index b66ea443f154..2c59bb0f0e59 100644 +--- a/arch/arm/mach-mmp/time.c ++++ b/arch/arm/mach-mmp/time.c +@@ -192,7 +192,7 @@ static struct irqaction timer_irq = { + .dev_id = &ckevt, + }; + +-void __init timer_init(int irq, unsigned long rate) ++void __init mmp_timer_init(int irq, unsigned long rate) + { + timer_config(); + +@@ -247,7 +247,7 @@ void __init mmp_dt_init_timer(void) + ret = -ENOMEM; + goto out; + } +- timer_init(irq, rate); ++ mmp_timer_init(irq, rate); + return; + out: + pr_err("Failed to get timer from device tree with error:%d\n", ret); +-- +2.19.1 + diff --git a/queue-3.18/arm-mmp-mmp2-dt-enable-the-clock.patch b/queue-3.18/arm-mmp-mmp2-dt-enable-the-clock.patch new file mode 100644 index 00000000000..57a13f97793 --- /dev/null +++ b/queue-3.18/arm-mmp-mmp2-dt-enable-the-clock.patch @@ -0,0 +1,153 @@ +From 35514917b569152232f712866107ab693819860b Mon Sep 17 00:00:00 2001 +From: Lubomir Rintel +Date: Wed, 28 Nov 2018 18:53:20 +0100 +Subject: ARM: mmp/mmp2: dt: enable the clock + +[ Upstream commit f36797ee43802b367e59f0f9a9805304a4ff0c98 ] + +The device-tree booted MMP2 needs to enable the timer clock, otherwise +it would stop ticking when the boot finishes. + +It can also use the clock rate from the clk, the non-DT boards need to +keep using the hardcoded rates. + +Signed-off-by: Lubomir Rintel +Acked-by: Pavel Machek +Signed-off-by: Olof Johansson +Signed-off-by: Sasha Levin +--- + arch/arm/mach-mmp/common.h | 2 +- + arch/arm/mach-mmp/mmp2.c | 2 +- + arch/arm/mach-mmp/pxa168.c | 2 +- + arch/arm/mach-mmp/time.c | 32 ++++++++++++++++++++------------ + 4 files changed, 23 insertions(+), 15 deletions(-) + +diff --git a/arch/arm/mach-mmp/common.h b/arch/arm/mach-mmp/common.h +index cf445bae6d77..69c7eec6d1e0 100644 +--- a/arch/arm/mach-mmp/common.h ++++ b/arch/arm/mach-mmp/common.h +@@ -1,7 +1,7 @@ + #include + #define ARRAY_AND_SIZE(x) (x), ARRAY_SIZE(x) + +-extern void timer_init(int irq); ++extern void timer_init(int irq, unsigned long rate); + + extern void __init mmp_map_io(void); + extern void mmp_restart(enum reboot_mode, const char *); +diff --git a/arch/arm/mach-mmp/mmp2.c b/arch/arm/mach-mmp/mmp2.c +index a70b5530bd42..90a0d8114af2 100644 +--- a/arch/arm/mach-mmp/mmp2.c ++++ b/arch/arm/mach-mmp/mmp2.c +@@ -133,7 +133,7 @@ void __init mmp2_timer_init(void) + clk_rst = APBC_APBCLK | APBC_FNCLK | APBC_FNCLKSEL(1); + __raw_writel(clk_rst, APBC_TIMERS); + +- timer_init(IRQ_MMP2_TIMER1); ++ timer_init(IRQ_MMP2_TIMER1, 6500000); + } + + /* on-chip devices */ +diff --git a/arch/arm/mach-mmp/pxa168.c b/arch/arm/mach-mmp/pxa168.c +index 144e997624c0..5a616db7f392 100644 +--- a/arch/arm/mach-mmp/pxa168.c ++++ b/arch/arm/mach-mmp/pxa168.c +@@ -78,7 +78,7 @@ void __init pxa168_timer_init(void) + /* 3.25MHz, bus/functional clock enabled, release reset */ + __raw_writel(TIMER_CLK_RST, APBC_TIMERS); + +- timer_init(IRQ_PXA168_TIMER1); ++ timer_init(IRQ_PXA168_TIMER1, 6500000); + } + + void pxa168_clear_keypad_wakeup(void) +diff --git a/arch/arm/mach-mmp/time.c b/arch/arm/mach-mmp/time.c +index 2756351dbb35..b66ea443f154 100644 +--- a/arch/arm/mach-mmp/time.c ++++ b/arch/arm/mach-mmp/time.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -39,12 +40,6 @@ + + #include "clock.h" + +-#ifdef CONFIG_CPU_MMP2 +-#define MMP_CLOCK_FREQ 6500000 +-#else +-#define MMP_CLOCK_FREQ 3250000 +-#endif +- + #define TIMERS_VIRT_BASE TIMERS1_VIRT_BASE + + #define MAX_DELTA (0xfffffffe) +@@ -197,19 +192,18 @@ static struct irqaction timer_irq = { + .dev_id = &ckevt, + }; + +-void __init timer_init(int irq) ++void __init timer_init(int irq, unsigned long rate) + { + timer_config(); + +- sched_clock_register(mmp_read_sched_clock, 32, MMP_CLOCK_FREQ); ++ sched_clock_register(mmp_read_sched_clock, 32, rate); + + ckevt.cpumask = cpumask_of(0); + + setup_irq(irq, &timer_irq); + +- clocksource_register_hz(&cksrc, MMP_CLOCK_FREQ); +- clockevents_config_and_register(&ckevt, MMP_CLOCK_FREQ, +- MIN_DELTA, MAX_DELTA); ++ clocksource_register_hz(&cksrc, rate); ++ clockevents_config_and_register(&ckevt, rate, MIN_DELTA, MAX_DELTA); + } + + #ifdef CONFIG_OF +@@ -221,7 +215,9 @@ static struct of_device_id mmp_timer_dt_ids[] = { + void __init mmp_dt_init_timer(void) + { + struct device_node *np; ++ struct clk *clk; + int irq, ret; ++ unsigned long rate; + + np = of_find_matching_node(NULL, mmp_timer_dt_ids); + if (!np) { +@@ -229,6 +225,18 @@ void __init mmp_dt_init_timer(void) + goto out; + } + ++ clk = of_clk_get(np, 0); ++ if (!IS_ERR(clk)) { ++ ret = clk_prepare_enable(clk); ++ if (ret) ++ goto out; ++ rate = clk_get_rate(clk) / 2; ++ } else if (cpu_is_pj4()) { ++ rate = 6500000; ++ } else { ++ rate = 3250000; ++ } ++ + irq = irq_of_parse_and_map(np, 0); + if (!irq) { + ret = -EINVAL; +@@ -239,7 +247,7 @@ void __init mmp_dt_init_timer(void) + ret = -ENOMEM; + goto out; + } +- timer_init(irq); ++ timer_init(irq, rate); + return; + out: + pr_err("Failed to get timer from device tree with error:%d\n", ret); +-- +2.19.1 + diff --git a/queue-3.18/arm-omap2-hwmod-fix-some-section-annotations.patch b/queue-3.18/arm-omap2-hwmod-fix-some-section-annotations.patch new file mode 100644 index 00000000000..71135485bc9 --- /dev/null +++ b/queue-3.18/arm-omap2-hwmod-fix-some-section-annotations.patch @@ -0,0 +1,76 @@ +From b9ec46bdf6384b9ce6a3094e67eae78b0013c027 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Wed, 17 Oct 2018 17:52:07 -0700 +Subject: ARM: OMAP2+: hwmod: Fix some section annotations + +[ Upstream commit c10b26abeb53cabc1e6271a167d3f3d396ce0218 ] + +When building the kernel with Clang, the following section mismatch +warnings appears: + +WARNING: vmlinux.o(.text+0x2d398): Section mismatch in reference from +the function _setup() to the function .init.text:_setup_iclk_autoidle() +The function _setup() references +the function __init _setup_iclk_autoidle(). +This is often because _setup lacks a __init +annotation or the annotation of _setup_iclk_autoidle is wrong. + +WARNING: vmlinux.o(.text+0x2d3a0): Section mismatch in reference from +the function _setup() to the function .init.text:_setup_reset() +The function _setup() references +the function __init _setup_reset(). +This is often because _setup lacks a __init +annotation or the annotation of _setup_reset is wrong. + +WARNING: vmlinux.o(.text+0x2d408): Section mismatch in reference from +the function _setup() to the function .init.text:_setup_postsetup() +The function _setup() references +the function __init _setup_postsetup(). +This is often because _setup lacks a __init +annotation or the annotation of _setup_postsetup is wrong. + +_setup is used in omap_hwmod_allocate_module, which isn't marked __init +and looks like it shouldn't be, meaning to fix these warnings, those +functions must be moved out of the init section, which this patch does. + +Signed-off-by: Nathan Chancellor +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap2/omap_hwmod.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/mach-omap2/omap_hwmod.c b/arch/arm/mach-omap2/omap_hwmod.c +index e67ffbc9ec40..0e17fa4ca419 100644 +--- a/arch/arm/mach-omap2/omap_hwmod.c ++++ b/arch/arm/mach-omap2/omap_hwmod.c +@@ -2578,7 +2578,7 @@ static int __init _init(struct omap_hwmod *oh, void *data) + * a stub; implementing this properly requires iclk autoidle usecounting in + * the clock code. No return value. + */ +-static void __init _setup_iclk_autoidle(struct omap_hwmod *oh) ++static void _setup_iclk_autoidle(struct omap_hwmod *oh) + { + struct omap_hwmod_ocp_if *os; + struct list_head *p; +@@ -2613,7 +2613,7 @@ static void __init _setup_iclk_autoidle(struct omap_hwmod *oh) + * reset. Returns 0 upon success or a negative error code upon + * failure. + */ +-static int __init _setup_reset(struct omap_hwmod *oh) ++static int _setup_reset(struct omap_hwmod *oh) + { + int r; + +@@ -2674,7 +2674,7 @@ static int __init _setup_reset(struct omap_hwmod *oh) + * + * No return value. + */ +-static void __init _setup_postsetup(struct omap_hwmod *oh) ++static void _setup_postsetup(struct omap_hwmod *oh) + { + u8 postsetup_state; + +-- +2.19.1 + diff --git a/queue-3.18/arm-pxa-avoid-section-mismatch-warning.patch b/queue-3.18/arm-pxa-avoid-section-mismatch-warning.patch new file mode 100644 index 00000000000..49722dd3804 --- /dev/null +++ b/queue-3.18/arm-pxa-avoid-section-mismatch-warning.patch @@ -0,0 +1,76 @@ +From 1307c14315afba2987f04e65218ad84c7a4e9683 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 10 Dec 2018 22:58:39 +0100 +Subject: ARM: pxa: avoid section mismatch warning + +[ Upstream commit 88af3209aa0881aa5ffd99664b6080a4be5f24e5 ] + +WARNING: vmlinux.o(.text+0x19f90): Section mismatch in reference from the function littleton_init_lcd() to the function .init.text:pxa_set_fb_info() +The function littleton_init_lcd() references +the function __init pxa_set_fb_info(). +This is often because littleton_init_lcd lacks a __init +annotation or the annotation of pxa_set_fb_info is wrong. + +WARNING: vmlinux.o(.text+0xf824): Section mismatch in reference from the function zeus_register_ohci() to the function .init.text:pxa_set_ohci_info() +The function zeus_register_ohci() references +the function __init pxa_set_ohci_info(). +This is often because zeus_register_ohci lacks a __init +annotation or the annotation of pxa_set_ohci_info is wrong. + +WARNING: vmlinux.o(.text+0xf95c): Section mismatch in reference from the function cm_x300_init_u2d() to the function .init.text:pxa3xx_set_u2d_info() +The function cm_x300_init_u2d() references +the function __init pxa3xx_set_u2d_info(). +This is often because cm_x300_init_u2d lacks a __init +annotation or the annotation of pxa3xx_set_u2d_info is wrong. + +Signed-off-by: Arnd Bergmann +Signed-off-by: Olof Johansson +Signed-off-by: Sasha Levin +--- + arch/arm/mach-pxa/cm-x300.c | 2 +- + arch/arm/mach-pxa/littleton.c | 2 +- + arch/arm/mach-pxa/zeus.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/mach-pxa/cm-x300.c b/arch/arm/mach-pxa/cm-x300.c +index 4d3588d26c2a..8d44c3d7a750 100644 +--- a/arch/arm/mach-pxa/cm-x300.c ++++ b/arch/arm/mach-pxa/cm-x300.c +@@ -542,7 +542,7 @@ static struct pxa3xx_u2d_platform_data cm_x300_u2d_platform_data = { + .exit = cm_x300_u2d_exit, + }; + +-static void cm_x300_init_u2d(void) ++static void __init cm_x300_init_u2d(void) + { + pxa3xx_set_u2d_info(&cm_x300_u2d_platform_data); + } +diff --git a/arch/arm/mach-pxa/littleton.c b/arch/arm/mach-pxa/littleton.c +index 5d665588c7eb..05aa7071efd6 100644 +--- a/arch/arm/mach-pxa/littleton.c ++++ b/arch/arm/mach-pxa/littleton.c +@@ -183,7 +183,7 @@ static struct pxafb_mach_info littleton_lcd_info = { + .lcd_conn = LCD_COLOR_TFT_16BPP, + }; + +-static void littleton_init_lcd(void) ++static void __init littleton_init_lcd(void) + { + pxa_set_fb_info(NULL, &littleton_lcd_info); + } +diff --git a/arch/arm/mach-pxa/zeus.c b/arch/arm/mach-pxa/zeus.c +index 205f9bf3821e..cfb2851dc519 100644 +--- a/arch/arm/mach-pxa/zeus.c ++++ b/arch/arm/mach-pxa/zeus.c +@@ -556,7 +556,7 @@ static struct pxaohci_platform_data zeus_ohci_platform_data = { + .flags = ENABLE_PORT_ALL | POWER_SENSE_LOW, + }; + +-static void zeus_register_ohci(void) ++static void __init zeus_register_ohci(void) + { + /* Port 2 is shared between host and client interface. */ + UP2OCR = UP2OCR_HXOE | UP2OCR_HXS | UP2OCR_DMPDE | UP2OCR_DPPDE; +-- +2.19.1 + diff --git a/queue-3.18/arm64-ftrace-don-t-adjust-the-lr-value.patch b/queue-3.18/arm64-ftrace-don-t-adjust-the-lr-value.patch new file mode 100644 index 00000000000..eeb6d35e264 --- /dev/null +++ b/queue-3.18/arm64-ftrace-don-t-adjust-the-lr-value.patch @@ -0,0 +1,53 @@ +From 82eb6460ff7cfb766c46bc4f2ea41263ccd2de5a Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Thu, 15 Nov 2018 22:42:01 +0000 +Subject: arm64: ftrace: don't adjust the LR value + +[ Upstream commit 6e803e2e6e367db9a0d6ecae1bd24bb5752011bd ] + +The core ftrace code requires that when it is handed the PC of an +instrumented function, this PC is the address of the instrumented +instruction. This is necessary so that the core ftrace code can identify +the specific instrumentation site. Since the instrumented function will +be a BL, the address of the instrumented function is LR - 4 at entry to +the ftrace code. + +This fixup is applied in the mcount_get_pc and mcount_get_pc0 helpers, +which acquire the PC of the instrumented function. + +The mcount_get_lr helper is used to acquire the LR of the instrumented +function, whose value does not require this adjustment, and cannot be +adjusted to anything meaningful. No adjustment of this value is made on +other architectures, including arm. However, arm64 adjusts this value by +4. + +This patch brings arm64 in line with other architectures and removes the +adjustment of the LR value. + +Signed-off-by: Mark Rutland +Cc: AKASHI Takahiro +Cc: Ard Biesheuvel +Cc: Catalin Marinas +Cc: Torsten Duwe +Cc: Will Deacon +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/entry-ftrace.S | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/arch/arm64/kernel/entry-ftrace.S b/arch/arm64/kernel/entry-ftrace.S +index c85a02b6cca0..b3fdbba80d4b 100644 +--- a/arch/arm64/kernel/entry-ftrace.S ++++ b/arch/arm64/kernel/entry-ftrace.S +@@ -78,7 +78,6 @@ + .macro mcount_get_lr reg + ldr \reg, [x29] + ldr \reg, [\reg, #8] +- mcount_adjust_addr \reg, \reg + .endm + + .macro mcount_get_lr_addr reg +-- +2.19.1 + diff --git a/queue-3.18/arm64-kvm-skip-mmio-insn-after-emulation.patch b/queue-3.18/arm64-kvm-skip-mmio-insn-after-emulation.patch new file mode 100644 index 00000000000..708c305e982 --- /dev/null +++ b/queue-3.18/arm64-kvm-skip-mmio-insn-after-emulation.patch @@ -0,0 +1,63 @@ +From fa62416eff461ca1428eb518efab406d671f165f Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Fri, 9 Nov 2018 15:07:10 +0000 +Subject: arm64: KVM: Skip MMIO insn after emulation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 0d640732dbebed0f10f18526de21652931f0b2f2 ] + +When we emulate an MMIO instruction, we advance the CPU state within +decode_hsr(), before emulating the instruction effects. + +Having this logic in decode_hsr() is opaque, and advancing the state +before emulation is problematic. It gets in the way of applying +consistent single-step logic, and it prevents us from being able to fail +an MMIO instruction with a synchronous exception. + +Clean this up by only advancing the CPU state *after* the effects of the +instruction are emulated. + +Cc: Peter Maydell +Reviewed-by: Alex Bennée +Reviewed-by: Christoffer Dall +Signed-off-by: Mark Rutland +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +--- + arch/arm/kvm/mmio.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/arch/arm/kvm/mmio.c b/arch/arm/kvm/mmio.c +index 4cb5a93182e9..c215bb4423ac 100644 +--- a/arch/arm/kvm/mmio.c ++++ b/arch/arm/kvm/mmio.c +@@ -118,6 +118,12 @@ int kvm_handle_mmio_return(struct kvm_vcpu *vcpu, struct kvm_run *run) + *vcpu_reg(vcpu, vcpu->arch.mmio_decode.rt) = data; + } + ++ /* ++ * The MMIO instruction is emulated and should not be re-executed ++ * in the guest. ++ */ ++ kvm_skip_instr(vcpu, kvm_vcpu_trap_il_is32bit(vcpu)); ++ + return 0; + } + +@@ -154,11 +160,6 @@ static int decode_hsr(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa, + vcpu->arch.mmio_decode.sign_extend = sign_extend; + vcpu->arch.mmio_decode.rt = rt; + +- /* +- * The MMIO instruction is emulated and should not be re-executed +- * in the guest. +- */ +- kvm_skip_instr(vcpu, kvm_vcpu_trap_il_is32bit(vcpu)); + return 0; + } + +-- +2.19.1 + diff --git a/queue-3.18/asoc-fsl-fix-snd_soc_eukrea_tlv320-build-error-on-i..patch b/queue-3.18/asoc-fsl-fix-snd_soc_eukrea_tlv320-build-error-on-i..patch new file mode 100644 index 00000000000..ed6369bbaeb --- /dev/null +++ b/queue-3.18/asoc-fsl-fix-snd_soc_eukrea_tlv320-build-error-on-i..patch @@ -0,0 +1,45 @@ +From 954f2f9289eb55f0f9c5432fb010640eec5f8bb2 Mon Sep 17 00:00:00 2001 +From: Fabio Estevam +Date: Thu, 13 Dec 2018 00:08:38 -0200 +Subject: ASoC: fsl: Fix SND_SOC_EUKREA_TLV320 build error on i.MX8M + +[ Upstream commit add6883619a9e3bf9658eaff1a547354131bbcd9 ] + +eukrea-tlv320.c machine driver runs on non-DT platforms +and include header file in order to be able +to use some machine_is_eukrea_xxx() macros. + +Building it for ARM64 causes the following build error: + +sound/soc/fsl/eukrea-tlv320.c:28:10: fatal error: asm/mach-types.h: No such file or directory + +Avoid this error by not allowing to build the SND_SOC_EUKREA_TLV320 +driver when ARM64 is selected. + +This is needed in preparation for the i.MX8M support. + +Reported-by: kbuild test robot +Signed-off-by: Fabio Estevam +Acked-by: Shawn Guo +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/fsl/Kconfig b/sound/soc/fsl/Kconfig +index 081e406b3713..009d1893901b 100644 +--- a/sound/soc/fsl/Kconfig ++++ b/sound/soc/fsl/Kconfig +@@ -219,7 +219,7 @@ config SND_SOC_PHYCORE_AC97 + + config SND_SOC_EUKREA_TLV320 + tristate "Eukrea TLV320" +- depends on ARCH_MXC && I2C ++ depends on ARCH_MXC && !ARM64 && I2C + select SND_SOC_TLV320AIC23_I2C + select SND_SOC_IMX_AUDMUX + select SND_SOC_IMX_SSI +-- +2.19.1 + diff --git a/queue-3.18/ath9k-dynack-use-authentication-messages-for-late-ac.patch b/queue-3.18/ath9k-dynack-use-authentication-messages-for-late-ac.patch new file mode 100644 index 00000000000..ec9956f76e1 --- /dev/null +++ b/queue-3.18/ath9k-dynack-use-authentication-messages-for-late-ac.patch @@ -0,0 +1,39 @@ +From 93fac85092bae769a62f1576f2bd78db9c533728 Mon Sep 17 00:00:00 2001 +From: Lorenzo Bianconi +Date: Fri, 2 Nov 2018 21:49:55 +0100 +Subject: ath9k: dynack: use authentication messages for 'late' ack + +[ Upstream commit 3831a2a0010c72e3956020cbf1057a1701a2e469 ] + +In order to properly support dynack in ad-hoc mode running +wpa_supplicant, take into account authentication frames for +'late ack' detection. This patch has been tested on devices +mounted on offshore high-voltage stations connected through +~24Km link + +Reported-by: Koen Vandeputte +Tested-by: Koen Vandeputte +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/dynack.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath9k/dynack.c b/drivers/net/wireless/ath/ath9k/dynack.c +index 22b3cc4c27cd..64965bf9034d 100644 +--- a/drivers/net/wireless/ath/ath9k/dynack.c ++++ b/drivers/net/wireless/ath/ath9k/dynack.c +@@ -187,7 +187,8 @@ void ath_dynack_sample_tx_ts(struct ath_hw *ah, struct sk_buff *skb, + /* late ACK */ + if (ts->ts_status & ATH9K_TXERR_XRETRY) { + if (ieee80211_is_assoc_req(hdr->frame_control) || +- ieee80211_is_assoc_resp(hdr->frame_control)) { ++ ieee80211_is_assoc_resp(hdr->frame_control) || ++ ieee80211_is_auth(hdr->frame_control)) { + ath_dbg(common, DYNACK, "late ack\n"); + ath9k_hw_setslottime(ah, (LATEACK_TO - 3) / 2); + ath9k_hw_set_ack_timeout(ah, LATEACK_TO); +-- +2.19.1 + diff --git a/queue-3.18/block-swim3-fix-ebusy-error-when-re-opening-device-a.patch b/queue-3.18/block-swim3-fix-ebusy-error-when-re-opening-device-a.patch new file mode 100644 index 00000000000..06637db2f03 --- /dev/null +++ b/queue-3.18/block-swim3-fix-ebusy-error-when-re-opening-device-a.patch @@ -0,0 +1,42 @@ +From 6b63da5244f555d5c4a9c45d63f1c55b431bb513 Mon Sep 17 00:00:00 2001 +From: Finn Thain +Date: Mon, 31 Dec 2018 16:44:09 +1100 +Subject: block/swim3: Fix -EBUSY error when re-opening device after unmount + +[ Upstream commit 296dcc40f2f2e402facf7cd26cf3f2c8f4b17d47 ] + +When the block device is opened with FMODE_EXCL, ref_count is set to -1. +This value doesn't get reset when the device is closed which means the +device cannot be opened again. Fix this by checking for refcount <= 0 +in the release method. + +Reported-and-tested-by: Stan Johnson +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: linuxppc-dev@lists.ozlabs.org +Signed-off-by: Finn Thain +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/swim3.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/block/swim3.c b/drivers/block/swim3.c +index 523ee8fd4c15..eaf1336623aa 100644 +--- a/drivers/block/swim3.c ++++ b/drivers/block/swim3.c +@@ -1027,7 +1027,11 @@ static void floppy_release(struct gendisk *disk, fmode_t mode) + struct swim3 __iomem *sw = fs->swim3; + + mutex_lock(&swim3_mutex); +- if (fs->ref_count > 0 && --fs->ref_count == 0) { ++ if (fs->ref_count > 0) ++ --fs->ref_count; ++ else if (fs->ref_count == -1) ++ fs->ref_count = 0; ++ if (fs->ref_count == 0) { + swim3_action(fs, MOTOR_OFF); + out_8(&sw->control_bic, 0xff); + swim3_select(fs, RELAX); +-- +2.19.1 + diff --git a/queue-3.18/cifs-check-ntwrk_buf_start-for-null-before-dereferen.patch b/queue-3.18/cifs-check-ntwrk_buf_start-for-null-before-dereferen.patch new file mode 100644 index 00000000000..d20ed587dd7 --- /dev/null +++ b/queue-3.18/cifs-check-ntwrk_buf_start-for-null-before-dereferen.patch @@ -0,0 +1,48 @@ +From 787823548c3d60f2253790ad8a484671cf7fdc48 Mon Sep 17 00:00:00 2001 +From: Ronnie Sahlberg +Date: Thu, 13 Dec 2018 08:06:16 +1000 +Subject: cifs: check ntwrk_buf_start for NULL before dereferencing it + +[ Upstream commit 59a63e479ce36a3f24444c3a36efe82b78e4a8e0 ] + +RHBZ: 1021460 + +There is an issue where when multiple threads open/close the same directory +ntwrk_buf_start might end up being NULL, causing the call to smbCalcSize +later to oops with a NULL deref. + +The real bug is why this happens and why this can become NULL for an +open cfile, which should not be allowed. +This patch tries to avoid a oops until the time when we fix the underlying +issue. + +Signed-off-by: Ronnie Sahlberg +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/readdir.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/fs/cifs/readdir.c b/fs/cifs/readdir.c +index 707d8cf95348..116985335cc1 100644 +--- a/fs/cifs/readdir.c ++++ b/fs/cifs/readdir.c +@@ -645,7 +645,14 @@ find_cifs_entry(const unsigned int xid, struct cifs_tcon *tcon, loff_t pos, + /* scan and find it */ + int i; + char *cur_ent; +- char *end_of_smb = cfile->srch_inf.ntwrk_buf_start + ++ char *end_of_smb; ++ ++ if (cfile->srch_inf.ntwrk_buf_start == NULL) { ++ cifs_dbg(VFS, "ntwrk_buf_start is NULL during readdir\n"); ++ return -EIO; ++ } ++ ++ end_of_smb = cfile->srch_inf.ntwrk_buf_start + + server->ops->calc_smb_size( + cfile->srch_inf.ntwrk_buf_start); + +-- +2.19.1 + diff --git a/queue-3.18/clk-imx6sl-ensure-mmdc-ch0-handshake-is-bypassed.patch b/queue-3.18/clk-imx6sl-ensure-mmdc-ch0-handshake-is-bypassed.patch new file mode 100644 index 00000000000..251e337ba67 --- /dev/null +++ b/queue-3.18/clk-imx6sl-ensure-mmdc-ch0-handshake-is-bypassed.patch @@ -0,0 +1,46 @@ +From fc74ba47bad08c4cde5f3f9d67d43f5a0a679cff Mon Sep 17 00:00:00 2001 +From: Anson Huang +Date: Fri, 30 Nov 2018 07:23:47 +0000 +Subject: clk: imx6sl: ensure MMDC CH0 handshake is bypassed + +[ Upstream commit 0efcc2c0fd2001a83240a8c3d71f67770484917e ] + +Same as other i.MX6 SoCs, ensure unused MMDC channel's +handshake is bypassed, this is to make sure no request +signal will be generated when periphe_clk_sel is changed +or SRC warm reset is triggered. + +Signed-off-by: Anson Huang +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + arch/arm/mach-imx/clk-imx6sl.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/arch/arm/mach-imx/clk-imx6sl.c b/arch/arm/mach-imx/clk-imx6sl.c +index e982ebe10814..a99af8bd0571 100644 +--- a/arch/arm/mach-imx/clk-imx6sl.c ++++ b/arch/arm/mach-imx/clk-imx6sl.c +@@ -18,6 +18,8 @@ + #include "clk.h" + #include "common.h" + ++#define CCDR 0x4 ++#define BM_CCM_CCDR_MMDC_CH0_MASK (1 << 17) + #define CCSR 0xc + #define BM_CCSR_PLL1_SW_CLK_SEL (1 << 2) + #define CACRR 0x10 +@@ -410,6 +412,10 @@ static void __init imx6sl_clocks_init(struct device_node *ccm_node) + clks[IMX6SL_CLK_USDHC3] = imx_clk_gate2("usdhc3", "usdhc3_podf", base + 0x80, 6); + clks[IMX6SL_CLK_USDHC4] = imx_clk_gate2("usdhc4", "usdhc4_podf", base + 0x80, 8); + ++ /* Ensure the MMDC CH0 handshake is bypassed */ ++ writel_relaxed(readl_relaxed(base + CCDR) | ++ BM_CCM_CCDR_MMDC_CH0_MASK, base + CCDR); ++ + imx_check_clocks(clks, ARRAY_SIZE(clks)); + + clk_data.clks = clks; +-- +2.19.1 + diff --git a/queue-3.18/cpuidle-big.little-fix-refcount-leak.patch b/queue-3.18/cpuidle-big.little-fix-refcount-leak.patch new file mode 100644 index 00000000000..a9ea7365c60 --- /dev/null +++ b/queue-3.18/cpuidle-big.little-fix-refcount-leak.patch @@ -0,0 +1,47 @@ +From 193aae4f54f9c3fd1ecfcd9f2a4a7b9f14b2c3e4 Mon Sep 17 00:00:00 2001 +From: Yangtao Li +Date: Mon, 10 Dec 2018 11:26:41 -0500 +Subject: cpuidle: big.LITTLE: fix refcount leak + +[ Upstream commit 9456823c842f346c74265fcd98d008d87a7eb6f5 ] + +of_find_node_by_path() acquires a reference to the node +returned by it and that reference needs to be dropped by its caller. +bl_idle_init() doesn't do that, so fix it. + +Signed-off-by: Yangtao Li +Acked-by: Daniel Lezcano +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpuidle/cpuidle-big_little.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/cpuidle/cpuidle-big_little.c b/drivers/cpuidle/cpuidle-big_little.c +index fbc00a1d3c48..355dc3d9cb35 100644 +--- a/drivers/cpuidle/cpuidle-big_little.c ++++ b/drivers/cpuidle/cpuidle-big_little.c +@@ -175,6 +175,7 @@ static int __init bl_idle_init(void) + { + int ret; + struct device_node *root = of_find_node_by_path("/"); ++ const struct of_device_id *match_id; + + if (!root) + return -ENODEV; +@@ -182,7 +183,11 @@ static int __init bl_idle_init(void) + /* + * Initialize the driver just for a compliant set of machines + */ +- if (!of_match_node(compatible_machine_match, root)) ++ match_id = of_match_node(compatible_machine_match, root); ++ ++ of_node_put(root); ++ ++ if (!match_id) + return -ENODEV; + /* + * For now the differentiation between little and big cores +-- +2.19.1 + diff --git a/queue-3.18/crypto-ux500-use-proper-enum-in-cryp_set_dma_transfe.patch b/queue-3.18/crypto-ux500-use-proper-enum-in-cryp_set_dma_transfe.patch new file mode 100644 index 00000000000..005076a71bb --- /dev/null +++ b/queue-3.18/crypto-ux500-use-proper-enum-in-cryp_set_dma_transfe.patch @@ -0,0 +1,62 @@ +From 902a2d5461c41bd2197debe5107750964084ef6d Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Mon, 10 Dec 2018 16:49:29 -0700 +Subject: crypto: ux500 - Use proper enum in cryp_set_dma_transfer + +[ Upstream commit 9d880c5945c748d8edcac30965f3349a602158c4 ] + +Clang warns when one enumerated type is implicitly converted to another: + +drivers/crypto/ux500/cryp/cryp_core.c:559:5: warning: implicit +conversion from enumeration type 'enum dma_data_direction' to different +enumeration type 'enum dma_transfer_direction' [-Wenum-conversion] + direction, DMA_CTRL_ACK); + ^~~~~~~~~ +drivers/crypto/ux500/cryp/cryp_core.c:583:5: warning: implicit +conversion from enumeration type 'enum dma_data_direction' to different +enumeration type 'enum dma_transfer_direction' [-Wenum-conversion] + direction, + ^~~~~~~~~ +2 warnings generated. + +dmaengine_prep_slave_sg expects an enum from dma_transfer_direction. +Because we know the value of the dma_data_direction enum from the +switch statement, we can just use the proper value from +dma_transfer_direction so there is no more conversion. + +DMA_TO_DEVICE = DMA_MEM_TO_DEV = 1 +DMA_FROM_DEVICE = DMA_DEV_TO_MEM = 2 + +Signed-off-by: Nathan Chancellor +Reviewed-by: Nick Desaulniers +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/ux500/cryp/cryp_core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/ux500/cryp/cryp_core.c b/drivers/crypto/ux500/cryp/cryp_core.c +index e4cea7c45142..3897bfe41c8b 100644 +--- a/drivers/crypto/ux500/cryp/cryp_core.c ++++ b/drivers/crypto/ux500/cryp/cryp_core.c +@@ -555,7 +555,7 @@ static int cryp_set_dma_transfer(struct cryp_ctx *ctx, + desc = dmaengine_prep_slave_sg(channel, + ctx->device->dma.sg_src, + ctx->device->dma.sg_src_len, +- direction, DMA_CTRL_ACK); ++ DMA_MEM_TO_DEV, DMA_CTRL_ACK); + break; + + case DMA_FROM_DEVICE: +@@ -579,7 +579,7 @@ static int cryp_set_dma_transfer(struct cryp_ctx *ctx, + desc = dmaengine_prep_slave_sg(channel, + ctx->device->dma.sg_dst, + ctx->device->dma.sg_dst_len, +- direction, ++ DMA_DEV_TO_MEM, + DMA_CTRL_ACK | + DMA_PREP_INTERRUPT); + +-- +2.19.1 + diff --git a/queue-3.18/crypto-ux500-use-proper-enum-in-hash_set_dma_transfe.patch b/queue-3.18/crypto-ux500-use-proper-enum-in-hash_set_dma_transfe.patch new file mode 100644 index 00000000000..ab0bf21e2f2 --- /dev/null +++ b/queue-3.18/crypto-ux500-use-proper-enum-in-hash_set_dma_transfe.patch @@ -0,0 +1,47 @@ +From 264b5240509d4495cc4eb87662626b7ada23ef34 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Mon, 10 Dec 2018 16:49:54 -0700 +Subject: crypto: ux500 - Use proper enum in hash_set_dma_transfer + +[ Upstream commit 5ac93f808338f4dd465402e91869702eb87db241 ] + +Clang warns when one enumerated type is implicitly converted to another: + +drivers/crypto/ux500/hash/hash_core.c:169:4: warning: implicit +conversion from enumeration type 'enum dma_data_direction' to different +enumeration type 'enum dma_transfer_direction' [-Wenum-conversion] + direction, DMA_CTRL_ACK | DMA_PREP_INTERRUPT); + ^~~~~~~~~ +1 warning generated. + +dmaengine_prep_slave_sg expects an enum from dma_transfer_direction. +We know that the only direction supported by this function is +DMA_TO_DEVICE because of the check at the top of this function so we can +just use the equivalent value from dma_transfer_direction. + +DMA_TO_DEVICE = DMA_MEM_TO_DEV = 1 + +Signed-off-by: Nathan Chancellor +Reviewed-by: Nick Desaulniers +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/ux500/hash/hash_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/ux500/hash/hash_core.c b/drivers/crypto/ux500/hash/hash_core.c +index 3ff21c3e9ab2..48614b33e30e 100644 +--- a/drivers/crypto/ux500/hash/hash_core.c ++++ b/drivers/crypto/ux500/hash/hash_core.c +@@ -181,7 +181,7 @@ static int hash_set_dma_transfer(struct hash_ctx *ctx, struct scatterlist *sg, + __func__); + desc = dmaengine_prep_slave_sg(channel, + ctx->device->dma.sg, ctx->device->dma.sg_len, +- direction, DMA_CTRL_ACK | DMA_PREP_INTERRUPT); ++ DMA_MEM_TO_DEV, DMA_CTRL_ACK | DMA_PREP_INTERRUPT); + if (!desc) { + dev_err(ctx->device->dev, + "%s: device_prep_slave_sg() failed!\n", __func__); +-- +2.19.1 + diff --git a/queue-3.18/dlm-don-t-swamp-the-cpu-with-callbacks-queued-during.patch b/queue-3.18/dlm-don-t-swamp-the-cpu-with-callbacks-queued-during.patch new file mode 100644 index 00000000000..8d758f2c1b7 --- /dev/null +++ b/queue-3.18/dlm-don-t-swamp-the-cpu-with-callbacks-queued-during.patch @@ -0,0 +1,60 @@ +From 46965be5ca74daa591924c6eb33a7943dc374b36 Mon Sep 17 00:00:00 2001 +From: Bob Peterson +Date: Thu, 8 Nov 2018 14:04:50 -0500 +Subject: dlm: Don't swamp the CPU with callbacks queued during recovery + +[ Upstream commit 216f0efd19b9cc32207934fd1b87a45f2c4c593e ] + +Before this patch, recovery would cause all callbacks to be delayed, +put on a queue, and afterward they were all queued to the callback +work queue. This patch does the same thing, but occasionally takes +a break after 25 of them so it won't swamp the CPU at the expense +of other RT processes like corosync. + +Signed-off-by: Bob Peterson +Signed-off-by: David Teigland +Signed-off-by: Sasha Levin +--- + fs/dlm/ast.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/fs/dlm/ast.c b/fs/dlm/ast.c +index dcea1e37a1b7..f18619bc2e09 100644 +--- a/fs/dlm/ast.c ++++ b/fs/dlm/ast.c +@@ -290,6 +290,8 @@ void dlm_callback_suspend(struct dlm_ls *ls) + flush_workqueue(ls->ls_callback_wq); + } + ++#define MAX_CB_QUEUE 25 ++ + void dlm_callback_resume(struct dlm_ls *ls) + { + struct dlm_lkb *lkb, *safe; +@@ -300,15 +302,23 @@ void dlm_callback_resume(struct dlm_ls *ls) + if (!ls->ls_callback_wq) + return; + ++more: + mutex_lock(&ls->ls_cb_mutex); + list_for_each_entry_safe(lkb, safe, &ls->ls_cb_delay, lkb_cb_list) { + list_del_init(&lkb->lkb_cb_list); + queue_work(ls->ls_callback_wq, &lkb->lkb_cb_work); + count++; ++ if (count == MAX_CB_QUEUE) ++ break; + } + mutex_unlock(&ls->ls_cb_mutex); + + if (count) + log_rinfo(ls, "dlm_callback_resume %d", count); ++ if (count == MAX_CB_QUEUE) { ++ count = 0; ++ cond_resched(); ++ goto more; ++ } + } + +-- +2.19.1 + diff --git a/queue-3.18/drbd-avoid-clang-warning-about-pointless-switch-stat.patch b/queue-3.18/drbd-avoid-clang-warning-about-pointless-switch-stat.patch new file mode 100644 index 00000000000..93bb91a9d7c --- /dev/null +++ b/queue-3.18/drbd-avoid-clang-warning-about-pointless-switch-stat.patch @@ -0,0 +1,72 @@ +From 8c19befd0a0d0b42f088f362a7796cf2ce23a9e3 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Thu, 20 Dec 2018 17:23:43 +0100 +Subject: drbd: Avoid Clang warning about pointless switch statment + +[ Upstream commit a52c5a16cf19d8a85831bb1b915a221dd4ffae3c ] + +There are several warnings from Clang about no case statement matching +the constant 0: + +In file included from drivers/block/drbd/drbd_receiver.c:48: +In file included from drivers/block/drbd/drbd_int.h:48: +In file included from ./include/linux/drbd_genl_api.h:54: +In file included from ./include/linux/genl_magic_struct.h:236: +./include/linux/drbd_genl.h:321:1: warning: no case matching constant +switch condition '0' +GENL_struct(DRBD_NLA_HELPER, 24, drbd_helper_info, +^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +./include/linux/genl_magic_struct.h:220:10: note: expanded from macro +'GENL_struct' + switch (0) { + ^ + +Silence this warning by adding a 'case 0:' statement. Additionally, +adjust the alignment of the statements in the ct_assert_unique macro to +avoid a checkpatch warning. + +This solution was originally sent by Arnd Bergmann with a default case +statement: https://lore.kernel.org/patchwork/patch/756723/ + +Link: https://github.com/ClangBuiltLinux/linux/issues/43 +Suggested-by: Lars Ellenberg +Signed-off-by: Nathan Chancellor +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + include/linux/genl_magic_struct.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/include/linux/genl_magic_struct.h b/include/linux/genl_magic_struct.h +index eecd19b37001..250e9be65e74 100644 +--- a/include/linux/genl_magic_struct.h ++++ b/include/linux/genl_magic_struct.h +@@ -185,6 +185,7 @@ static inline void ct_assert_unique_operations(void) + { + switch (0) { + #include GENL_MAGIC_INCLUDE_FILE ++ case 0: + ; + } + } +@@ -203,6 +204,7 @@ static inline void ct_assert_unique_top_level_attributes(void) + { + switch (0) { + #include GENL_MAGIC_INCLUDE_FILE ++ case 0: + ; + } + } +@@ -212,7 +214,8 @@ static inline void ct_assert_unique_top_level_attributes(void) + static inline void ct_assert_unique_ ## s_name ## _attributes(void) \ + { \ + switch (0) { \ +- s_fields \ ++ s_fields \ ++ case 0: \ + ; \ + } \ + } +-- +2.19.1 + diff --git a/queue-3.18/drbd-disconnect-if-the-wrong-uuids-are-attached-on-a.patch b/queue-3.18/drbd-disconnect-if-the-wrong-uuids-are-attached-on-a.patch new file mode 100644 index 00000000000..d603e577f1e --- /dev/null +++ b/queue-3.18/drbd-disconnect-if-the-wrong-uuids-are-attached-on-a.patch @@ -0,0 +1,46 @@ +From 81153aae486c14a8f413e779089010ad66147c98 Mon Sep 17 00:00:00 2001 +From: Lars Ellenberg +Date: Thu, 20 Dec 2018 17:23:32 +0100 +Subject: drbd: disconnect, if the wrong UUIDs are attached on a connected peer + +[ Upstream commit b17b59602b6dcf8f97a7dc7bc489a48388d7063a ] + +With "on-no-data-accessible suspend-io", DRBD requires the next attach +or connect to be to the very same data generation uuid tag it lost last. + +If we first lost connection to the peer, +then later lost connection to our own disk, +we would usually refuse to re-connect to the peer, +because it presents the wrong data set. + +However, if the peer first connects without a disk, +and then attached its disk, we accepted that same wrong data set, +which would be "unexpected" by any user of that DRBD +and cause "undefined results" (read: very likely data corruption). + +The fix is to forcefully disconnect as soon as we notice that the peer +attached to the "wrong" dataset. + +Signed-off-by: Lars Ellenberg +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/drbd/drbd_receiver.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c +index 4f18ec5198fb..6b2b278bb2b7 100644 +--- a/drivers/block/drbd/drbd_receiver.c ++++ b/drivers/block/drbd/drbd_receiver.c +@@ -3889,7 +3889,7 @@ static int receive_uuids(struct drbd_connection *connection, struct packet_info + kfree(device->p_uuid); + device->p_uuid = p_uuid; + +- if (device->state.conn < C_CONNECTED && ++ if ((device->state.conn < C_CONNECTED || device->state.pdsk == D_DISKLESS) && + device->state.disk < D_INCONSISTENT && + device->state.role == R_PRIMARY && + (device->ed_uuid & ~((u64)1)) != (p_uuid[UI_CURRENT] & ~((u64)1))) { +-- +2.19.1 + diff --git a/queue-3.18/drbd-narrow-rcu_read_lock-in-drbd_sync_handshake.patch b/queue-3.18/drbd-narrow-rcu_read_lock-in-drbd_sync_handshake.patch new file mode 100644 index 00000000000..2707e246b3d --- /dev/null +++ b/queue-3.18/drbd-narrow-rcu_read_lock-in-drbd_sync_handshake.patch @@ -0,0 +1,82 @@ +From 89838da245b2f46e646ee36b8c1e8c15b1ff4f85 Mon Sep 17 00:00:00 2001 +From: Roland Kammerer +Date: Thu, 20 Dec 2018 17:23:28 +0100 +Subject: drbd: narrow rcu_read_lock in drbd_sync_handshake + +[ Upstream commit d29e89e34952a9ad02c77109c71a80043544296e ] + +So far there was the possibility that we called +genlmsg_new(GFP_NOIO)/mutex_lock() while holding an rcu_read_lock(). + +This included cases like: + +drbd_sync_handshake (acquire the RCU lock) + drbd_asb_recover_1p + drbd_khelper + drbd_bcast_event + genlmsg_new(GFP_NOIO) --> may sleep + +drbd_sync_handshake (acquire the RCU lock) + drbd_asb_recover_1p + drbd_khelper + notify_helper + genlmsg_new(GFP_NOIO) --> may sleep + +drbd_sync_handshake (acquire the RCU lock) + drbd_asb_recover_1p + drbd_khelper + notify_helper + mutex_lock --> may sleep + +While using GFP_ATOMIC whould have been possible in the first two cases, +the real fix is to narrow the rcu_read_lock. + +Reported-by: Jia-Ju Bai +Reviewed-by: Lars Ellenberg +Signed-off-by: Roland Kammerer +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/drbd/drbd_receiver.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c +index 6960fb064731..4f18ec5198fb 100644 +--- a/drivers/block/drbd/drbd_receiver.c ++++ b/drivers/block/drbd/drbd_receiver.c +@@ -3125,7 +3125,7 @@ static enum drbd_conns drbd_sync_handshake(struct drbd_peer_device *peer_device, + enum drbd_conns rv = C_MASK; + enum drbd_disk_state mydisk; + struct net_conf *nc; +- int hg, rule_nr, rr_conflict, tentative; ++ int hg, rule_nr, rr_conflict, tentative, always_asbp; + + mydisk = device->state.disk; + if (mydisk == D_NEGOTIATING) +@@ -3167,8 +3167,12 @@ static enum drbd_conns drbd_sync_handshake(struct drbd_peer_device *peer_device, + + rcu_read_lock(); + nc = rcu_dereference(peer_device->connection->net_conf); ++ always_asbp = nc->always_asbp; ++ rr_conflict = nc->rr_conflict; ++ tentative = nc->tentative; ++ rcu_read_unlock(); + +- if (hg == 100 || (hg == -100 && nc->always_asbp)) { ++ if (hg == 100 || (hg == -100 && always_asbp)) { + int pcount = (device->state.role == R_PRIMARY) + + (peer_role == R_PRIMARY); + int forced = (hg == -100); +@@ -3207,9 +3211,6 @@ static enum drbd_conns drbd_sync_handshake(struct drbd_peer_device *peer_device, + "Sync from %s node\n", + (hg < 0) ? "peer" : "this"); + } +- rr_conflict = nc->rr_conflict; +- tentative = nc->tentative; +- rcu_read_unlock(); + + if (hg == -100) { + /* FIXME this log message is not correct if we end up here +-- +2.19.1 + diff --git a/queue-3.18/drbd-skip-spurious-timeout-ping-timeo-when-failing-p.patch b/queue-3.18/drbd-skip-spurious-timeout-ping-timeo-when-failing-p.patch new file mode 100644 index 00000000000..d544dd2d4a2 --- /dev/null +++ b/queue-3.18/drbd-skip-spurious-timeout-ping-timeo-when-failing-p.patch @@ -0,0 +1,60 @@ +From 6c4aac3640a083e6d13541c189c27f8b5ee40c31 Mon Sep 17 00:00:00 2001 +From: Lars Ellenberg +Date: Thu, 20 Dec 2018 17:23:41 +0100 +Subject: drbd: skip spurious timeout (ping-timeo) when failing promote + +[ Upstream commit 9848b6ddd8c92305252f94592c5e278574e7a6ac ] + +If you try to promote a Secondary while connected to a Primary +and allow-two-primaries is NOT set, we will wait for "ping-timeout" +to give this node a chance to detect a dead primary, +in case the cluster manager noticed faster than we did. + +But if we then are *still* connected to a Primary, +we fail (after an additional timeout of ping-timout). + +This change skips the spurious second timeout. + +Most people won't notice really, +since "ping-timeout" by default is half a second. + +But in some installations, ping-timeout may be 10 or 20 seconds or more, +and spuriously delaying the error return becomes annoying. + +Signed-off-by: Lars Ellenberg +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/drbd/drbd_nl.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/drivers/block/drbd/drbd_nl.c b/drivers/block/drbd/drbd_nl.c +index 1cd47df44bda..591d309b005e 100644 +--- a/drivers/block/drbd/drbd_nl.c ++++ b/drivers/block/drbd/drbd_nl.c +@@ -632,14 +632,15 @@ drbd_set_role(struct drbd_device *const device, enum drbd_role new_role, int for + if (rv == SS_TWO_PRIMARIES) { + /* Maybe the peer is detected as dead very soon... + retry at most once more in this case. */ +- int timeo; +- rcu_read_lock(); +- nc = rcu_dereference(connection->net_conf); +- timeo = nc ? (nc->ping_timeo + 1) * HZ / 10 : 1; +- rcu_read_unlock(); +- schedule_timeout_interruptible(timeo); +- if (try < max_tries) ++ if (try < max_tries) { ++ int timeo; + try = max_tries - 1; ++ rcu_read_lock(); ++ nc = rcu_dereference(connection->net_conf); ++ timeo = nc ? (nc->ping_timeo + 1) * HZ / 10 : 1; ++ rcu_read_unlock(); ++ schedule_timeout_interruptible(timeo); ++ } + continue; + } + if (rv < SS_SUCCESS) { +-- +2.19.1 + diff --git a/queue-3.18/exec-load_script-don-t-blindly-truncate-shebang-stri.patch b/queue-3.18/exec-load_script-don-t-blindly-truncate-shebang-stri.patch new file mode 100644 index 00000000000..e0c0bdd2b19 --- /dev/null +++ b/queue-3.18/exec-load_script-don-t-blindly-truncate-shebang-stri.patch @@ -0,0 +1,54 @@ +From 69c25f3f151a47d0593e94bbe6b50299cb6a4408 Mon Sep 17 00:00:00 2001 +From: Oleg Nesterov +Date: Thu, 3 Jan 2019 15:28:07 -0800 +Subject: exec: load_script: don't blindly truncate shebang string + +[ Upstream commit 8099b047ecc431518b9bb6bdbba3549bbecdc343 ] + +load_script() simply truncates bprm->buf and this is very wrong if the +length of shebang string exceeds BINPRM_BUF_SIZE-2. This can silently +truncate i_arg or (worse) we can execute the wrong binary if buf[2:126] +happens to be the valid executable path. + +Change load_script() to return ENOEXEC if it can't find '\n' or zero in +bprm->buf. Note that '\0' can come from either +prepare_binprm()->memset() or from kernel_read(), we do not care. + +Link: http://lkml.kernel.org/r/20181112160931.GA28463@redhat.com +Signed-off-by: Oleg Nesterov +Acked-by: Kees Cook +Acked-by: Michal Hocko +Cc: Ben Woodard +Cc: "Eric W. Biederman" +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/binfmt_script.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/fs/binfmt_script.c b/fs/binfmt_script.c +index 5027a3e14922..f62e45df2d38 100644 +--- a/fs/binfmt_script.c ++++ b/fs/binfmt_script.c +@@ -33,10 +33,14 @@ static int load_script(struct linux_binprm *bprm) + fput(bprm->file); + bprm->file = NULL; + +- bprm->buf[BINPRM_BUF_SIZE - 1] = '\0'; +- if ((cp = strchr(bprm->buf, '\n')) == NULL) +- cp = bprm->buf+BINPRM_BUF_SIZE-1; ++ for (cp = bprm->buf+2;; cp++) { ++ if (cp >= bprm->buf + BINPRM_BUF_SIZE) ++ return -ENOEXEC; ++ if (!*cp || (*cp == '\n')) ++ break; ++ } + *cp = '\0'; ++ + while (cp > bprm->buf) { + cp--; + if ((*cp == ' ') || (*cp == '\t')) +-- +2.19.1 + diff --git a/queue-3.18/f2fs-move-dir-data-flush-to-write-checkpoint-process.patch b/queue-3.18/f2fs-move-dir-data-flush-to-write-checkpoint-process.patch new file mode 100644 index 00000000000..cf886b1c857 --- /dev/null +++ b/queue-3.18/f2fs-move-dir-data-flush-to-write-checkpoint-process.patch @@ -0,0 +1,48 @@ +From 2b9b90c7f511c57d069f77606738ed26ba23c457 Mon Sep 17 00:00:00 2001 +From: Yunlei He +Date: Tue, 6 Nov 2018 10:25:29 +0800 +Subject: f2fs: move dir data flush to write checkpoint process + +[ Upstream commit b61ac5b720146c619c7cdf17eff2551b934399e5 ] + +This patch move dir data flush to write checkpoint process, by +doing this, it may reduce some time for dir fsync. + +pre: + -f2fs_do_sync_file enter + -file_write_and_wait_range <- flush & wait + -write_checkpoint + -do_checkpoint <- wait all + -f2fs_do_sync_file exit + +now: + -f2fs_do_sync_file enter + -write_checkpoint + -block_operations <- flush dir & no wait + -do_checkpoint <- wait all + -f2fs_do_sync_file exit + +Signed-off-by: Yunlei He +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/file.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c +index 8e68bb64f835..c4ba75acc6e2 100644 +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -153,6 +153,9 @@ int f2fs_sync_file(struct file *file, loff_t start, loff_t end, int datasync) + + trace_f2fs_sync_file_enter(inode); + ++ if (S_ISDIR(inode->i_mode)) ++ goto go_write; ++ + /* if fdatasync is triggered, let's do in-place-update */ + if (get_dirty_pages(inode) <= SM_I(sbi)->min_fsync_blocks) + set_inode_flag(fi, FI_NEED_IPU); +-- +2.19.1 + diff --git a/queue-3.18/fbdev-fbcon-fix-unregister-crash-when-more-than-one-.patch b/queue-3.18/fbdev-fbcon-fix-unregister-crash-when-more-than-one-.patch new file mode 100644 index 00000000000..98cd7b6b509 --- /dev/null +++ b/queue-3.18/fbdev-fbcon-fix-unregister-crash-when-more-than-one-.patch @@ -0,0 +1,84 @@ +From 85085b86924f3e34a616dfc9759558c8e4e80471 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Noralf=20Tr=C3=B8nnes?= +Date: Thu, 20 Dec 2018 19:13:09 +0100 +Subject: fbdev: fbcon: Fix unregister crash when more than one framebuffer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 2122b40580dd9d0620398739c773d07a7b7939d0 ] + +When unregistering fbdev using unregister_framebuffer(), any bound +console will unbind automatically. This is working fine if this is the +only framebuffer, resulting in a switch to the dummy console. However if +there is a fb0 and I unregister fb1 having a bound console, I eventually +get a crash. The fastest way for me to trigger the crash is to do a +reboot, resulting in this splat: + +[ 76.478825] WARNING: CPU: 0 PID: 527 at linux/kernel/workqueue.c:1442 __queue_work+0x2d4/0x41c +[ 76.478849] Modules linked in: raspberrypi_hwmon gpio_backlight backlight bcm2835_rng rng_core [last unloaded: tinydrm] +[ 76.478916] CPU: 0 PID: 527 Comm: systemd-udevd Not tainted 4.20.0-rc4+ #4 +[ 76.478933] Hardware name: BCM2835 +[ 76.478949] Backtrace: +[ 76.478995] [] (dump_backtrace) from [] (show_stack+0x20/0x24) +[ 76.479022] r6:00000000 r5:c0bc73be r4:00000000 r3:6fb5bf81 +[ 76.479060] [] (show_stack) from [] (dump_stack+0x20/0x28) +[ 76.479102] [] (dump_stack) from [] (__warn+0xec/0x12c) +[ 76.479134] [] (__warn) from [] (warn_slowpath_null+0x4c/0x58) +[ 76.479165] r9:c0eb6944 r8:00000001 r7:c0e927f8 r6:c0bc73be r5:000005a2 r4:c0139e84 +[ 76.479197] [] (warn_slowpath_null) from [] (__queue_work+0x2d4/0x41c) +[ 76.479222] r6:d7666a00 r5:c0e918ee r4:dbc4e700 +[ 76.479251] [] (__queue_work) from [] (queue_work_on+0x60/0x88) +[ 76.479281] r10:c0496bf8 r9:00000100 r8:c0e92ae0 r7:00000001 r6:d9403700 r5:d7666a00 +[ 76.479298] r4:20000113 +[ 76.479348] [] (queue_work_on) from [] (cursor_timer_handler+0x30/0x54) +[ 76.479374] r7:d8a8fabc r6:c0e08088 r5:d8afdc5c r4:d8a8fabc +[ 76.479413] [] (cursor_timer_handler) from [] (call_timer_fn+0x100/0x230) +[ 76.479435] r4:c0e9192f r3:d758a340 +[ 76.479465] [] (call_timer_fn) from [] (expire_timers+0x10c/0x12c) +[ 76.479495] r10:40000000 r9:c0e9192f r8:c0e92ae0 r7:d8afdccc r6:c0e19280 r5:c0496bf8 +[ 76.479513] r4:d8a8fabc +[ 76.479541] [] (expire_timers) from [] (run_timer_softirq+0xa8/0x184) +[ 76.479570] r9:00000001 r8:c0e19280 r7:00000000 r6:c0e08088 r5:c0e1a3e0 r4:c0e19280 +[ 76.479603] [] (run_timer_softirq) from [] (__do_softirq+0x1ac/0x3fc) +[ 76.479632] r10:c0e91680 r9:d8afc020 r8:0000000a r7:00000100 r6:00000001 r5:00000002 +[ 76.479650] r4:c0eb65ec +[ 76.479686] [] (__do_softirq) from [] (irq_exit+0xe8/0x168) +[ 76.479716] r10:d8d1a9b0 r9:d8afc000 r8:00000001 r7:d949c000 r6:00000000 r5:c0e8b3f0 +[ 76.479734] r4:00000000 +[ 76.479764] [] (irq_exit) from [] (__handle_domain_irq+0x94/0xb0) +[ 76.479793] [] (__handle_domain_irq) from [] (bcm2835_handle_irq+0x3c/0x48) +[ 76.479823] r8:d8afdebc r7:d8afddfc r6:ffffffff r5:c0e089f8 r4:d8afddc8 r3:d8afddc8 +[ 76.479851] [] (bcm2835_handle_irq) from [] (__irq_svc+0x70/0x98) + +The problem is in the console rebinding in fbcon_fb_unbind(). It uses the +virtual console index as the new framebuffer index to bind the console(s) +to. The correct way is to use the con2fb_map lookup table to find the +framebuffer index. + +Fixes: cfafca8067c6 ("fbdev: fbcon: console unregistration from unregister_framebuffer") +Signed-off-by: Noralf Trønnes +Reviewed-by: Mikulas Patocka +Acked-by: Daniel Vetter +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Sasha Levin +--- + drivers/video/console/fbcon.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/video/console/fbcon.c b/drivers/video/console/fbcon.c +index eb976ee3a02f..614d3209d465 100644 +--- a/drivers/video/console/fbcon.c ++++ b/drivers/video/console/fbcon.c +@@ -3018,7 +3018,7 @@ static int fbcon_fb_unbind(int idx) + for (i = first_fb_vc; i <= last_fb_vc; i++) { + if (con2fb_map[i] != idx && + con2fb_map[i] != -1) { +- new_idx = i; ++ new_idx = con2fb_map[i]; + break; + } + } +-- +2.19.1 + diff --git a/queue-3.18/fbdev-fbmem-behave-better-with-small-rotated-display.patch b/queue-3.18/fbdev-fbmem-behave-better-with-small-rotated-display.patch new file mode 100644 index 00000000000..3decdc1513a --- /dev/null +++ b/queue-3.18/fbdev-fbmem-behave-better-with-small-rotated-display.patch @@ -0,0 +1,62 @@ +From 2f7d94e615efe75e0453199344ac107402b2c9f8 Mon Sep 17 00:00:00 2001 +From: Peter Rosin +Date: Thu, 20 Dec 2018 19:13:07 +0100 +Subject: fbdev: fbmem: behave better with small rotated displays and many CPUs + +[ Upstream commit f75df8d4b4fabfad7e3cba2debfad12741c6fde7 ] + +Blitting an image with "negative" offsets is not working since there +is no clipping. It hopefully just crashes. For the bootup logo, there +is protection so that blitting does not happen as the image is drawn +further and further to the right (ROTATE_UR) or further and further +down (ROTATE_CW). There is however no protection when drawing in the +opposite directions (ROTATE_UD and ROTATE_CCW). + +Add back this protection. + +The regression is 20-odd years old but the mindless warning-killing +mentality displayed in commit 34bdb666f4b2 ("fbdev: fbmem: remove +positive test on unsigned values") is also to blame, methinks. + +Fixes: 448d479747b8 ("fbdev: fb_do_show_logo() updates") +Signed-off-by: Peter Rosin +Cc: Tomi Valkeinen +Cc: Fabian Frederick +Cc: Geert Uytterhoeven +cc: Geoff Levand +Cc: James Simmons +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/core/fbmem.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c +index 8a29ec5992fd..ea2bd6208a2f 100644 +--- a/drivers/video/fbdev/core/fbmem.c ++++ b/drivers/video/fbdev/core/fbmem.c +@@ -433,7 +433,9 @@ static void fb_do_show_logo(struct fb_info *info, struct fb_image *image, + image->dx += image->width + 8; + } + } else if (rotate == FB_ROTATE_UD) { +- for (x = 0; x < num; x++) { ++ u32 dx = image->dx; ++ ++ for (x = 0; x < num && image->dx <= dx; x++) { + info->fbops->fb_imageblit(info, image); + image->dx -= image->width + 8; + } +@@ -445,7 +447,9 @@ static void fb_do_show_logo(struct fb_info *info, struct fb_image *image, + image->dy += image->height + 8; + } + } else if (rotate == FB_ROTATE_CCW) { +- for (x = 0; x < num; x++) { ++ u32 dy = image->dy; ++ ++ for (x = 0; x < num && image->dy <= dy; x++) { + info->fbops->fb_imageblit(info, image); + image->dy -= image->height + 8; + } +-- +2.19.1 + diff --git a/queue-3.18/fs-epoll-drop-ovflist-branch-prediction.patch b/queue-3.18/fs-epoll-drop-ovflist-branch-prediction.patch new file mode 100644 index 00000000000..9093134893c --- /dev/null +++ b/queue-3.18/fs-epoll-drop-ovflist-branch-prediction.patch @@ -0,0 +1,55 @@ +From 50c4497a95c96ace23f7bcabf771c5b883e99bce Mon Sep 17 00:00:00 2001 +From: Davidlohr Bueso +Date: Thu, 3 Jan 2019 15:27:09 -0800 +Subject: fs/epoll: drop ovflist branch prediction + +[ Upstream commit 76699a67f3041ff4c7af6d6ee9be2bfbf1ffb671 ] + +The ep->ovflist is a secondary ready-list to temporarily store events +that might occur when doing sproc without holding the ep->wq.lock. This +accounts for every time we check for ready events and also send events +back to userspace; both callbacks, particularly the latter because of +copy_to_user, can account for a non-trivial time. + +As such, the unlikely() check to see if the pointer is being used, seems +both misleading and sub-optimal. In fact, we go to an awful lot of +trouble to sync both lists, and populating the ovflist is far from an +uncommon scenario. + +For example, profiling a concurrent epoll_wait(2) benchmark, with +CONFIG_PROFILE_ANNOTATED_BRANCHES shows that for a two threads a 33% +incorrect rate was seen; and when incrementally increasing the number of +epoll instances (which is used, for example for multiple queuing load +balancing models), up to a 90% incorrect rate was seen. + +Similarly, by deleting the prediction, 3% throughput boost was seen +across incremental threads. + +Link: http://lkml.kernel.org/r/20181108051006.18751-4-dave@stgolabs.net +Signed-off-by: Davidlohr Bueso +Reviewed-by: Andrew Morton +Cc: Al Viro +Cc: Jason Baron +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/eventpoll.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/eventpoll.c b/fs/eventpoll.c +index 2b5285c40b40..8e50ef617d85 100644 +--- a/fs/eventpoll.c ++++ b/fs/eventpoll.c +@@ -1037,7 +1037,7 @@ static int ep_poll_callback(wait_queue_t *wait, unsigned mode, int sync, void *k + * semantics). All the events that happen during that period of time are + * chained in ep->ovflist and requeued later on. + */ +- if (unlikely(ep->ovflist != EP_UNACTIVE_PTR)) { ++ if (ep->ovflist != EP_UNACTIVE_PTR) { + if (epi->next == EP_UNACTIVE_PTR) { + epi->next = ep->ovflist; + ep->ovflist = epi; +-- +2.19.1 + diff --git a/queue-3.18/gdrom-fix-a-memory-leak-bug.patch b/queue-3.18/gdrom-fix-a-memory-leak-bug.patch new file mode 100644 index 00000000000..490ed1a93be --- /dev/null +++ b/queue-3.18/gdrom-fix-a-memory-leak-bug.patch @@ -0,0 +1,39 @@ +From dbd1aeb5c7382822273576e83832c7a8081f6b14 Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Wed, 26 Dec 2018 20:15:13 -0600 +Subject: gdrom: fix a memory leak bug + +[ Upstream commit 093c48213ee37c3c3ff1cf5ac1aa2a9d8bc66017 ] + +In probe_gdrom(), the buffer pointed by 'gd.cd_info' is allocated through +kzalloc() and is used to hold the information of the gdrom device. To +register and unregister the device, the pointer 'gd.cd_info' is passed to +the functions register_cdrom() and unregister_cdrom(), respectively. +However, this buffer is not freed after it is used, which can cause a +memory leak bug. + +This patch simply frees the buffer 'gd.cd_info' in exit_gdrom() to fix the +above issue. + +Signed-off-by: Wenwen Wang +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/cdrom/gdrom.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/cdrom/gdrom.c b/drivers/cdrom/gdrom.c +index e2808fefbb78..1852d19d0d7b 100644 +--- a/drivers/cdrom/gdrom.c ++++ b/drivers/cdrom/gdrom.c +@@ -882,6 +882,7 @@ static void __exit exit_gdrom(void) + platform_device_unregister(pd); + platform_driver_unregister(&gdrom_driver); + kfree(gd.toc); ++ kfree(gd.cd_info); + } + + module_init(init_gdrom); +-- +2.19.1 + diff --git a/queue-3.18/hwmon-lm80-fix-a-missing-check-of-bus-read-in-lm80-p.patch b/queue-3.18/hwmon-lm80-fix-a-missing-check-of-bus-read-in-lm80-p.patch new file mode 100644 index 00000000000..8f03a58ba6e --- /dev/null +++ b/queue-3.18/hwmon-lm80-fix-a-missing-check-of-bus-read-in-lm80-p.patch @@ -0,0 +1,53 @@ +From 91f2511182ab369648919bb67e838c44940e9856 Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Fri, 21 Dec 2018 13:10:39 -0600 +Subject: hwmon: (lm80) fix a missing check of bus read in lm80 probe + +[ Upstream commit 9aa3aa15f4c2f74f47afd6c5db4b420fadf3f315 ] + +In lm80_probe(), if lm80_read_value() fails, it returns a negative +error number which is stored to data->fan[f_min] and will be further +used. We should avoid using the data if the read fails. + +The fix checks if lm80_read_value() fails, and if so, returns with the +error number. + +Signed-off-by: Kangjie Lu +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/lm80.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwmon/lm80.c b/drivers/hwmon/lm80.c +index 47ddae6b7038..cb6606a0470d 100644 +--- a/drivers/hwmon/lm80.c ++++ b/drivers/hwmon/lm80.c +@@ -628,6 +628,7 @@ static int lm80_probe(struct i2c_client *client, + struct device *dev = &client->dev; + struct device *hwmon_dev; + struct lm80_data *data; ++ int rv; + + data = devm_kzalloc(dev, sizeof(struct lm80_data), GFP_KERNEL); + if (!data) +@@ -640,8 +641,14 @@ static int lm80_probe(struct i2c_client *client, + lm80_init_client(client); + + /* A few vars need to be filled upon startup */ +- data->fan[f_min][0] = lm80_read_value(client, LM80_REG_FAN_MIN(1)); +- data->fan[f_min][1] = lm80_read_value(client, LM80_REG_FAN_MIN(2)); ++ rv = lm80_read_value(client, LM80_REG_FAN_MIN(1)); ++ if (rv < 0) ++ return rv; ++ data->fan[f_min][0] = rv; ++ rv = lm80_read_value(client, LM80_REG_FAN_MIN(2)); ++ if (rv < 0) ++ return rv; ++ data->fan[f_min][1] = rv; + + hwmon_dev = devm_hwmon_device_register_with_groups(dev, client->name, + data, lm80_groups); +-- +2.19.1 + diff --git a/queue-3.18/hwmon-lm80-fix-a-missing-check-of-the-status-of-smbu.patch b/queue-3.18/hwmon-lm80-fix-a-missing-check-of-the-status-of-smbu.patch new file mode 100644 index 00000000000..031fe9ae2df --- /dev/null +++ b/queue-3.18/hwmon-lm80-fix-a-missing-check-of-the-status-of-smbu.patch @@ -0,0 +1,58 @@ +From d38043aabb7fb459314c304a42703e65f68f1ebc Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Fri, 21 Dec 2018 13:01:33 -0600 +Subject: hwmon: (lm80) fix a missing check of the status of SMBus read + +[ Upstream commit c9c63915519b1def7043b184680f33c24cd49d7b ] + +If lm80_read_value() fails, it returns a negative number instead of the +correct read data. Therefore, we should avoid using the data if it +fails. + +The fix checks if lm80_read_value() fails, and if so, returns with the +error number. + +Signed-off-by: Kangjie Lu +[groeck: One variable for return values is enough] +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/lm80.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/drivers/hwmon/lm80.c b/drivers/hwmon/lm80.c +index 4bcd9b882948..47ddae6b7038 100644 +--- a/drivers/hwmon/lm80.c ++++ b/drivers/hwmon/lm80.c +@@ -360,9 +360,11 @@ static ssize_t set_fan_div(struct device *dev, struct device_attribute *attr, + struct i2c_client *client = data->client; + unsigned long min, val; + u8 reg; +- int err = kstrtoul(buf, 10, &val); +- if (err < 0) +- return err; ++ int rv; ++ ++ rv = kstrtoul(buf, 10, &val); ++ if (rv < 0) ++ return rv; + + /* Save fan_min */ + mutex_lock(&data->update_lock); +@@ -390,8 +392,11 @@ static ssize_t set_fan_div(struct device *dev, struct device_attribute *attr, + return -EINVAL; + } + +- reg = (lm80_read_value(client, LM80_REG_FANDIV) & +- ~(3 << (2 * (nr + 1)))) | (data->fan_div[nr] << (2 * (nr + 1))); ++ rv = lm80_read_value(client, LM80_REG_FANDIV); ++ if (rv < 0) ++ return rv; ++ reg = (rv & ~(3 << (2 * (nr + 1)))) ++ | (data->fan_div[nr] << (2 * (nr + 1))); + lm80_write_value(client, LM80_REG_FANDIV, reg); + + /* Restore fan_min */ +-- +2.19.1 + diff --git a/queue-3.18/igb-fix-an-issue-that-pme-is-not-enabled-during-runt.patch b/queue-3.18/igb-fix-an-issue-that-pme-is-not-enabled-during-runt.patch new file mode 100644 index 00000000000..66268d65313 --- /dev/null +++ b/queue-3.18/igb-fix-an-issue-that-pme-is-not-enabled-during-runt.patch @@ -0,0 +1,48 @@ +From f44ef055a26dbd92f50e2797ce1affbf295ba3f5 Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Mon, 3 Dec 2018 13:54:38 +0800 +Subject: igb: Fix an issue that PME is not enabled during runtime suspend + +[ Upstream commit 1fb3a7a75e2efcc83ef21f2434069cddd6fae6f5 ] + +I210 ethernet card doesn't wakeup when a cable gets plugged. It's +because its PME is not set. + +Since commit 42eca2302146 ("PCI: Don't touch card regs after runtime +suspend D3"), if the PCI state is saved, pci_pm_runtime_suspend() stops +calling pci_finish_runtime_suspend(), which enables the PCI PME. + +To fix the issue, let's not to save PCI states when it's runtime +suspend, to let the PCI subsystem enables PME. + +Fixes: 42eca2302146 ("PCI: Don't touch card regs after runtime suspend D3") +Signed-off-by: Kai-Heng Feng +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index b73c896ed184..390d96ae4147 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -7351,9 +7351,11 @@ static int __igb_shutdown(struct pci_dev *pdev, bool *enable_wake, + rtnl_unlock(); + + #ifdef CONFIG_PM +- retval = pci_save_state(pdev); +- if (retval) +- return retval; ++ if (!runtime) { ++ retval = pci_save_state(pdev); ++ if (retval) ++ return retval; ++ } + #endif + + status = rd32(E1000_STATUS); +-- +2.19.1 + diff --git a/queue-3.18/isdn-hisax-hfc_pci-fix-a-possible-concurrency-use-af.patch b/queue-3.18/isdn-hisax-hfc_pci-fix-a-possible-concurrency-use-af.patch new file mode 100644 index 00000000000..5cab081ca6c --- /dev/null +++ b/queue-3.18/isdn-hisax-hfc_pci-fix-a-possible-concurrency-use-af.patch @@ -0,0 +1,53 @@ +From faa4f7d521214df25ad2712c58cc566e8b4d75af Mon Sep 17 00:00:00 2001 +From: Jia-Ju Bai +Date: Wed, 26 Dec 2018 22:09:34 +0800 +Subject: isdn: hisax: hfc_pci: Fix a possible concurrency use-after-free bug + in HFCPCI_l1hw() + +[ Upstream commit 7418e6520f22a2e35815122fa5a53d5bbfa2c10f ] + +In drivers/isdn/hisax/hfc_pci.c, the functions hfcpci_interrupt() and +HFCPCI_l1hw() may be concurrently executed. + +HFCPCI_l1hw() + line 1173: if (!cs->tx_skb) + +hfcpci_interrupt() + line 942: spin_lock_irqsave(); + line 1066: dev_kfree_skb_irq(cs->tx_skb); + +Thus, a possible concurrency use-after-free bug may occur +in HFCPCI_l1hw(). + +To fix these bugs, the calls to spin_lock_irqsave() and +spin_unlock_irqrestore() are added in HFCPCI_l1hw(), to protect the +access to cs->tx_skb. + +Signed-off-by: Jia-Ju Bai +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/isdn/hisax/hfc_pci.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/isdn/hisax/hfc_pci.c b/drivers/isdn/hisax/hfc_pci.c +index 4a4825528188..3d58437638c8 100644 +--- a/drivers/isdn/hisax/hfc_pci.c ++++ b/drivers/isdn/hisax/hfc_pci.c +@@ -1169,11 +1169,13 @@ HFCPCI_l1hw(struct PStack *st, int pr, void *arg) + if (cs->debug & L1_DEB_LAPD) + debugl1(cs, "-> PH_REQUEST_PULL"); + #endif ++ spin_lock_irqsave(&cs->lock, flags); + if (!cs->tx_skb) { + test_and_clear_bit(FLG_L1_PULL_REQ, &st->l1.Flags); + st->l1.l1l2(st, PH_PULL | CONFIRM, NULL); + } else + test_and_set_bit(FLG_L1_PULL_REQ, &st->l1.Flags); ++ spin_unlock_irqrestore(&cs->lock, flags); + break; + case (HW_RESET | REQUEST): + spin_lock_irqsave(&cs->lock, flags); +-- +2.19.1 + diff --git a/queue-3.18/kernel-hung_task.c-break-rcu-locks-based-on-jiffies.patch b/queue-3.18/kernel-hung_task.c-break-rcu-locks-based-on-jiffies.patch new file mode 100644 index 00000000000..af42c0b7e29 --- /dev/null +++ b/queue-3.18/kernel-hung_task.c-break-rcu-locks-based-on-jiffies.patch @@ -0,0 +1,69 @@ +From aeec937449e6fae5b62b97e782ca716173ee6bf9 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Thu, 3 Jan 2019 15:26:31 -0800 +Subject: kernel/hung_task.c: break RCU locks based on jiffies + +[ Upstream commit 304ae42739b108305f8d7b3eb3c1aec7c2b643a9 ] + +check_hung_uninterruptible_tasks() is currently calling rcu_lock_break() +for every 1024 threads. But check_hung_task() is very slow if printk() +was called, and is very fast otherwise. + +If many threads within some 1024 threads called printk(), the RCU grace +period might be extended enough to trigger RCU stall warnings. +Therefore, calling rcu_lock_break() for every some fixed jiffies will be +safer. + +Link: http://lkml.kernel.org/r/1544800658-11423-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp +Signed-off-by: Tetsuo Handa +Acked-by: Paul E. McKenney +Cc: Petr Mladek +Cc: Sergey Senozhatsky +Cc: Dmitry Vyukov +Cc: "Rafael J. Wysocki" +Cc: Vitaly Kuznetsov +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + kernel/hung_task.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/kernel/hung_task.c b/kernel/hung_task.c +index 06db12434d72..eda60beeac7d 100644 +--- a/kernel/hung_task.c ++++ b/kernel/hung_task.c +@@ -30,7 +30,7 @@ int __read_mostly sysctl_hung_task_check_count = PID_MAX_LIMIT; + * is disabled during the critical section. It also controls the size of + * the RCU grace period. So it needs to be upper-bound. + */ +-#define HUNG_TASK_BATCHING 1024 ++#define HUNG_TASK_LOCK_BREAK (HZ / 10) + + /* + * Zero means infinite timeout - no checking done: +@@ -158,7 +158,7 @@ static bool rcu_lock_break(struct task_struct *g, struct task_struct *t) + static void check_hung_uninterruptible_tasks(unsigned long timeout) + { + int max_count = sysctl_hung_task_check_count; +- int batch_count = HUNG_TASK_BATCHING; ++ unsigned long last_break = jiffies; + struct task_struct *g, *t; + + /* +@@ -172,10 +172,10 @@ static void check_hung_uninterruptible_tasks(unsigned long timeout) + do_each_thread(g, t) { + if (!max_count--) + goto unlock; +- if (!--batch_count) { +- batch_count = HUNG_TASK_BATCHING; ++ if (time_after(jiffies, last_break + HUNG_TASK_LOCK_BREAK)) { + if (!rcu_lock_break(g, t)) + goto unlock; ++ last_break = jiffies; + } + /* use "==" to skip the TASK_KILLABLE tasks waiting on NFS */ + if (t->state == TASK_UNINTERRUPTIBLE) +-- +2.19.1 + diff --git a/queue-3.18/media-davinci-vpbe-fix-error-handling-in-vpbe_initia.patch b/queue-3.18/media-davinci-vpbe-fix-error-handling-in-vpbe_initia.patch new file mode 100644 index 00000000000..2c400636b0b --- /dev/null +++ b/queue-3.18/media-davinci-vpbe-fix-error-handling-in-vpbe_initia.patch @@ -0,0 +1,55 @@ +From 7db074dea9d986f93b5c000fcced1a955eff932f Mon Sep 17 00:00:00 2001 +From: Alexey Khoroshilov +Date: Fri, 23 Nov 2018 16:56:26 -0500 +Subject: media: DaVinci-VPBE: fix error handling in vpbe_initialize() + +[ Upstream commit aa35dc3c71950e3fec3e230c06c27c0fbd0067f8 ] + +If vpbe_set_default_output() or vpbe_set_default_mode() fails, +vpbe_initialize() returns error code without releasing resources. + +The patch adds error handling for that case. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Alexey Khoroshilov +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/davinci/vpbe.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/davinci/vpbe.c b/drivers/media/platform/davinci/vpbe.c +index 33b9660b7f77..40d462cac5ec 100644 +--- a/drivers/media/platform/davinci/vpbe.c ++++ b/drivers/media/platform/davinci/vpbe.c +@@ -740,7 +740,7 @@ static int vpbe_initialize(struct device *dev, struct vpbe_device *vpbe_dev) + if (ret) { + v4l2_err(&vpbe_dev->v4l2_dev, "Failed to set default output %s", + def_output); +- return ret; ++ goto fail_kfree_amp; + } + + printk(KERN_NOTICE "Setting default mode to %s\n", def_mode); +@@ -748,12 +748,15 @@ static int vpbe_initialize(struct device *dev, struct vpbe_device *vpbe_dev) + if (ret) { + v4l2_err(&vpbe_dev->v4l2_dev, "Failed to set default mode %s", + def_mode); +- return ret; ++ goto fail_kfree_amp; + } + vpbe_dev->initialized = 1; + /* TBD handling of bootargs for default output and mode */ + return 0; + ++fail_kfree_amp: ++ mutex_lock(&vpbe_dev->lock); ++ kfree(vpbe_dev->amp); + fail_kfree_encoders: + kfree(vpbe_dev->encoders); + fail_dev_unregister: +-- +2.19.1 + diff --git a/queue-3.18/memstick-prevent-memstick-host-from-getting-runtime-.patch b/queue-3.18/memstick-prevent-memstick-host-from-getting-runtime-.patch new file mode 100644 index 00000000000..056e37b9c62 --- /dev/null +++ b/queue-3.18/memstick-prevent-memstick-host-from-getting-runtime-.patch @@ -0,0 +1,57 @@ +From 448a7590bbecb4586b96d478847b8262b430af50 Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Mon, 5 Nov 2018 16:45:04 +0800 +Subject: memstick: Prevent memstick host from getting runtime suspended during + card detection + +[ Upstream commit e03e303edf1c63e6dd455ccd568c74e93ef3ba8c ] + +We can use MEMSTICK_POWER_{ON,OFF} along with pm_runtime_{get,put} +helpers to let memstick host support runtime pm. + +The rpm count may go down to zero before the memstick host powers on, so +the host can be runtime suspended. + +So before doing card detection, increment the rpm count to avoid the +host gets runtime suspended. Balance the rpm count after card detection +is done. + +Signed-off-by: Kai-Heng Feng +Tested-by: Oleksandr Natalenko +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/memstick/core/memstick.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/memstick/core/memstick.c b/drivers/memstick/core/memstick.c +index a0547dbf9806..4d673a626db4 100644 +--- a/drivers/memstick/core/memstick.c ++++ b/drivers/memstick/core/memstick.c +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + + #define DRIVER_NAME "memstick" + +@@ -436,6 +437,7 @@ static void memstick_check(struct work_struct *work) + struct memstick_dev *card; + + dev_dbg(&host->dev, "memstick_check started\n"); ++ pm_runtime_get_noresume(host->dev.parent); + mutex_lock(&host->lock); + if (!host->card) { + if (memstick_power_on(host)) +@@ -479,6 +481,7 @@ out_power_off: + host->set_param(host, MEMSTICK_POWER, MEMSTICK_POWER_OFF); + + mutex_unlock(&host->lock); ++ pm_runtime_put(host->dev.parent); + dev_dbg(&host->dev, "memstick_check finished\n"); + } + +-- +2.19.1 + diff --git a/queue-3.18/mips-bpf-fix-encoding-bug-for-mm_srlv32_op.patch b/queue-3.18/mips-bpf-fix-encoding-bug-for-mm_srlv32_op.patch new file mode 100644 index 00000000000..88ea63e0dc8 --- /dev/null +++ b/queue-3.18/mips-bpf-fix-encoding-bug-for-mm_srlv32_op.patch @@ -0,0 +1,47 @@ +From bcc8237b6cc98d1d0e583d16b77e4f0972b57477 Mon Sep 17 00:00:00 2001 +From: Jiong Wang +Date: Mon, 3 Dec 2018 17:27:54 -0500 +Subject: mips: bpf: fix encoding bug for mm_srlv32_op + +[ Upstream commit 17f6c83fb5ebf7db4fcc94a5be4c22d5a7bfe428 ] + +For micro-mips, srlv inside POOL32A encoding space should use 0x50 +sub-opcode, NOT 0x90. + +Some early version ISA doc describes the encoding as 0x90 for both srlv and +srav, this looks to me was a typo. I checked Binutils libopcode +implementation which is using 0x50 for srlv and 0x90 for srav. + +v1->v2: + - Keep mm_srlv32_op sorted by value. + +Fixes: f31318fdf324 ("MIPS: uasm: Add srlv uasm instruction") +Cc: Markos Chandras +Cc: Paul Burton +Cc: linux-mips@vger.kernel.org +Acked-by: Jakub Kicinski +Acked-by: Song Liu +Signed-off-by: Jiong Wang +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + arch/mips/include/uapi/asm/inst.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/mips/include/uapi/asm/inst.h b/arch/mips/include/uapi/asm/inst.h +index 4bfdb9d4c186..3eb4d6177266 100644 +--- a/arch/mips/include/uapi/asm/inst.h ++++ b/arch/mips/include/uapi/asm/inst.h +@@ -262,8 +262,8 @@ enum mm_32a_minor_op { + mm_ext_op = 0x02c, + mm_pool32axf_op = 0x03c, + mm_srl32_op = 0x040, ++ mm_srlv32_op = 0x050, + mm_sra_op = 0x080, +- mm_srlv32_op = 0x090, + mm_rotr_op = 0x0c0, + mm_lwxs_op = 0x118, + mm_addu32_op = 0x150, +-- +2.19.1 + diff --git a/queue-3.18/modpost-validate-symbol-names-also-in-find_elf_symbo.patch b/queue-3.18/modpost-validate-symbol-names-also-in-find_elf_symbo.patch new file mode 100644 index 00000000000..5413bba91e0 --- /dev/null +++ b/queue-3.18/modpost-validate-symbol-names-also-in-find_elf_symbo.patch @@ -0,0 +1,102 @@ +From d721ccca0a8f2f9856ab3712cf4f9d5424e8e58a Mon Sep 17 00:00:00 2001 +From: Sami Tolvanen +Date: Tue, 23 Oct 2018 15:15:35 -0700 +Subject: modpost: validate symbol names also in find_elf_symbol + +[ Upstream commit 5818c683a619c534c113e1f66d24f636defc29bc ] + +If an ARM mapping symbol shares an address with a valid symbol, +find_elf_symbol can currently return the mapping symbol instead, as the +symbol is not validated. This can result in confusing warnings: + + WARNING: vmlinux.o(.text+0x18f4028): Section mismatch in reference + from the function set_reset_devices() to the variable .init.text:$x.0 + +This change adds a call to is_valid_name to find_elf_symbol, similarly +to how it's already used in find_elf_symbol2. + +Signed-off-by: Sami Tolvanen +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/mod/modpost.c | 50 ++++++++++++++++++++++--------------------- + 1 file changed, 26 insertions(+), 24 deletions(-) + +diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c +index 9c06b5d62e90..2ff9ed878f9d 100644 +--- a/scripts/mod/modpost.c ++++ b/scripts/mod/modpost.c +@@ -1134,6 +1134,30 @@ static int secref_whitelist(const struct sectioncheck *mismatch, + return 1; + } + ++static inline int is_arm_mapping_symbol(const char *str) ++{ ++ return str[0] == '$' && strchr("axtd", str[1]) ++ && (str[2] == '\0' || str[2] == '.'); ++} ++ ++/* ++ * If there's no name there, ignore it; likewise, ignore it if it's ++ * one of the magic symbols emitted used by current ARM tools. ++ * ++ * Otherwise if find_symbols_between() returns those symbols, they'll ++ * fail the whitelist tests and cause lots of false alarms ... fixable ++ * only by merging __exit and __init sections into __text, bloating ++ * the kernel (which is especially evil on embedded platforms). ++ */ ++static inline int is_valid_name(struct elf_info *elf, Elf_Sym *sym) ++{ ++ const char *name = elf->strtab + sym->st_name; ++ ++ if (!name || !strlen(name)) ++ return 0; ++ return !is_arm_mapping_symbol(name); ++} ++ + /** + * Find symbol based on relocation record info. + * In some cases the symbol supplied is a valid symbol so +@@ -1159,6 +1183,8 @@ static Elf_Sym *find_elf_symbol(struct elf_info *elf, Elf64_Sword addr, + continue; + if (ELF_ST_TYPE(sym->st_info) == STT_SECTION) + continue; ++ if (!is_valid_name(elf, sym)) ++ continue; + if (sym->st_value == addr) + return sym; + /* Find a symbol nearby - addr are maybe negative */ +@@ -1177,30 +1203,6 @@ static Elf_Sym *find_elf_symbol(struct elf_info *elf, Elf64_Sword addr, + return NULL; + } + +-static inline int is_arm_mapping_symbol(const char *str) +-{ +- return str[0] == '$' && strchr("axtd", str[1]) +- && (str[2] == '\0' || str[2] == '.'); +-} +- +-/* +- * If there's no name there, ignore it; likewise, ignore it if it's +- * one of the magic symbols emitted used by current ARM tools. +- * +- * Otherwise if find_symbols_between() returns those symbols, they'll +- * fail the whitelist tests and cause lots of false alarms ... fixable +- * only by merging __exit and __init sections into __text, bloating +- * the kernel (which is especially evil on embedded platforms). +- */ +-static inline int is_valid_name(struct elf_info *elf, Elf_Sym *sym) +-{ +- const char *name = elf->strtab + sym->st_name; +- +- if (!name || !strlen(name)) +- return 0; +- return !is_arm_mapping_symbol(name); +-} +- + /* + * Find symbols before or equal addr and after addr - in the section sec. + * If we find two symbols with equal offset prefer one with a valid name. +-- +2.19.1 + diff --git a/queue-3.18/nfs-nfs_compare_mount_options-always-compare-auth-fl.patch b/queue-3.18/nfs-nfs_compare_mount_options-always-compare-auth-fl.patch new file mode 100644 index 00000000000..85c15f0d212 --- /dev/null +++ b/queue-3.18/nfs-nfs_compare_mount_options-always-compare-auth-fl.patch @@ -0,0 +1,55 @@ +From 4448aa8e5b59ecf4fccf61ced6d4d65b93eaed07 Mon Sep 17 00:00:00 2001 +From: Chris Perl +Date: Mon, 17 Dec 2018 10:56:38 -0500 +Subject: NFS: nfs_compare_mount_options always compare auth flavors. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 594d1644cd59447f4fceb592448d5cd09eb09b5e ] + +This patch removes the check from nfs_compare_mount_options to see if a +`sec' option was passed for the current mount before comparing auth +flavors and instead just always compares auth flavors. + +Consider the following scenario: + +You have a server with the address 192.168.1.1 and two exports /export/a +and /export/b. The first export supports `sys' and `krb5' security, the +second just `sys'. + +Assume you start with no mounts from the server. + +The following results in EIOs being returned as the kernel nfs client +incorrectly thinks it can share the underlying `struct nfs_server's: + +$ mkdir /tmp/{a,b} +$ sudo mount -t nfs -o vers=3,sec=krb5 192.168.1.1:/export/a /tmp/a +$ sudo mount -t nfs -o vers=3 192.168.1.1:/export/b /tmp/b +$ df >/dev/null +df: ‘/tmp/b’: Input/output error + +Signed-off-by: Chris Perl +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/super.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index dbdc2d2f91cf..655ac3a196e4 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -2376,8 +2376,7 @@ static int nfs_compare_mount_options(const struct super_block *s, const struct n + goto Ebusy; + if (a->acdirmax != b->acdirmax) + goto Ebusy; +- if (b->auth_info.flavor_len > 0 && +- clnt_a->cl_auth->au_flavor != clnt_b->cl_auth->au_flavor) ++ if (clnt_a->cl_auth->au_flavor != clnt_b->cl_auth->au_flavor) + goto Ebusy; + return 1; + Ebusy: +-- +2.19.1 + diff --git a/queue-3.18/nfsd4-fix-crash-on-writing-v4_end_grace-before-nfsd-.patch b/queue-3.18/nfsd4-fix-crash-on-writing-v4_end_grace-before-nfsd-.patch new file mode 100644 index 00000000000..91150eb615e --- /dev/null +++ b/queue-3.18/nfsd4-fix-crash-on-writing-v4_end_grace-before-nfsd-.patch @@ -0,0 +1,40 @@ +From 4f0d6c9d269f6109dbec391f13551655023b9c3e Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" +Date: Tue, 27 Nov 2018 15:54:17 -0500 +Subject: nfsd4: fix crash on writing v4_end_grace before nfsd startup + +[ Upstream commit 62a063b8e7d1db684db3f207261a466fa3194e72 ] + +Anatoly Trosinenko reports that this: + +1) Checkout fresh master Linux branch (tested with commit e195ca6cb) +2) Copy x84_64-config-4.14 to .config, then enable NFS server v4 and build +3) From `kvm-xfstests shell`: + +results in NULL dereference in locks_end_grace. + +Check that nfsd has been started before trying to end the grace period. + +Reported-by: Anatoly Trosinenko +Signed-off-by: J. Bruce Fields +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfsctl.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/nfsd/nfsctl.c b/fs/nfsd/nfsctl.c +index ca73ca79a0ee..0e8574af298b 100644 +--- a/fs/nfsd/nfsctl.c ++++ b/fs/nfsd/nfsctl.c +@@ -1110,6 +1110,8 @@ static ssize_t write_v4_end_grace(struct file *file, char *buf, size_t size) + case 'Y': + case 'y': + case '1': ++ if (nn->nfsd_serv) ++ return -EBUSY; + nfsd4_end_grace(nn); + break; + default: +-- +2.19.1 + diff --git a/queue-3.18/niu-fix-missing-checks-of-niu_pci_eeprom_read.patch b/queue-3.18/niu-fix-missing-checks-of-niu_pci_eeprom_read.patch new file mode 100644 index 00000000000..bfbc8f80664 --- /dev/null +++ b/queue-3.18/niu-fix-missing-checks-of-niu_pci_eeprom_read.patch @@ -0,0 +1,49 @@ +From c1e61d8a57972805eeb8a65f708a2ff89f02abac Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Tue, 25 Dec 2018 01:56:14 -0600 +Subject: niu: fix missing checks of niu_pci_eeprom_read + +[ Upstream commit 26fd962bde0b15e54234fe762d86bc0349df1de4 ] + +niu_pci_eeprom_read() may fail, so we should check its return value +before using the read data. + +Signed-off-by: Kangjie Lu +Acked-by: Shannon Nelson +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sun/niu.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/sun/niu.c b/drivers/net/ethernet/sun/niu.c +index 68738aa8e218..e87bded39781 100644 +--- a/drivers/net/ethernet/sun/niu.c ++++ b/drivers/net/ethernet/sun/niu.c +@@ -8131,6 +8131,8 @@ static int niu_pci_vpd_scan_props(struct niu *np, u32 start, u32 end) + start += 3; + + prop_len = niu_pci_eeprom_read(np, start + 4); ++ if (prop_len < 0) ++ return prop_len; + err = niu_pci_vpd_get_propname(np, start + 5, namebuf, 64); + if (err < 0) + return err; +@@ -8175,8 +8177,12 @@ static int niu_pci_vpd_scan_props(struct niu *np, u32 start, u32 end) + netif_printk(np, probe, KERN_DEBUG, np->dev, + "VPD_SCAN: Reading in property [%s] len[%d]\n", + namebuf, prop_len); +- for (i = 0; i < prop_len; i++) +- *prop_buf++ = niu_pci_eeprom_read(np, off + i); ++ for (i = 0; i < prop_len; i++) { ++ err = niu_pci_eeprom_read(np, off + i); ++ if (err >= 0) ++ *prop_buf = err; ++ ++prop_buf; ++ } + } + + start += len; +-- +2.19.1 + diff --git a/queue-3.18/ocfs2-don-t-clear-bh-uptodate-for-block-read.patch b/queue-3.18/ocfs2-don-t-clear-bh-uptodate-for-block-read.patch new file mode 100644 index 00000000000..c85f7e14c19 --- /dev/null +++ b/queue-3.18/ocfs2-don-t-clear-bh-uptodate-for-block-read.patch @@ -0,0 +1,68 @@ +From 0ef618757fb7fd63023aab76969b282c4aec1ad7 Mon Sep 17 00:00:00 2001 +From: Junxiao Bi +Date: Fri, 28 Dec 2018 00:32:57 -0800 +Subject: ocfs2: don't clear bh uptodate for block read + +[ Upstream commit 70306d9dce75abde855cefaf32b3f71eed8602a3 ] + +For sync io read in ocfs2_read_blocks_sync(), first clear bh uptodate flag +and submit the io, second wait io done, last check whether bh uptodate, if +not return io error. + +If two sync io for the same bh were issued, it could be the first io done +and set uptodate flag, but just before check that flag, the second io came +in and cleared uptodate, then ocfs2_read_blocks_sync() for the first io +will return IO error. + +Indeed it's not necessary to clear uptodate flag, as the io end handler +end_buffer_read_sync() will set or clear it based on io succeed or failed. + +The following message was found from a nfs server but the underlying +storage returned no error. + +[4106438.567376] (nfsd,7146,3):ocfs2_get_suballoc_slot_bit:2780 ERROR: read block 1238823695 failed -5 +[4106438.567569] (nfsd,7146,3):ocfs2_get_suballoc_slot_bit:2812 ERROR: status = -5 +[4106438.567611] (nfsd,7146,3):ocfs2_test_inode_bit:2894 ERROR: get alloc slot and bit failed -5 +[4106438.567643] (nfsd,7146,3):ocfs2_test_inode_bit:2932 ERROR: status = -5 +[4106438.567675] (nfsd,7146,3):ocfs2_get_dentry:94 ERROR: test inode bit failed -5 + +Same issue in non sync read ocfs2_read_blocks(), fixed it as well. + +Link: http://lkml.kernel.org/r/20181121020023.3034-4-junxiao.bi@oracle.com +Signed-off-by: Junxiao Bi +Reviewed-by: Changwei Ge +Reviewed-by: Yiwen Jiang +Cc: Joel Becker +Cc: Joseph Qi +Cc: Jun Piao +Cc: Mark Fasheh +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ocfs2/buffer_head_io.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/fs/ocfs2/buffer_head_io.c b/fs/ocfs2/buffer_head_io.c +index d6eab71abe1f..30d65259bc61 100644 +--- a/fs/ocfs2/buffer_head_io.c ++++ b/fs/ocfs2/buffer_head_io.c +@@ -146,7 +146,6 @@ int ocfs2_read_blocks_sync(struct ocfs2_super *osb, u64 block, + BUG(); + } + +- clear_buffer_uptodate(bh); + get_bh(bh); /* for end_buffer_read_sync() */ + bh->b_end_io = end_buffer_read_sync; + submit_bh(READ, bh); +@@ -300,7 +299,6 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr, + continue; + } + +- clear_buffer_uptodate(bh); + get_bh(bh); /* for end_buffer_read_sync() */ + if (validate) + set_buffer_needs_validate(bh); +-- +2.19.1 + diff --git a/queue-3.18/perf-tools-add-hygon-dhyana-support.patch b/queue-3.18/perf-tools-add-hygon-dhyana-support.patch new file mode 100644 index 00000000000..af48226a9c7 --- /dev/null +++ b/queue-3.18/perf-tools-add-hygon-dhyana-support.patch @@ -0,0 +1,42 @@ +From 39aab393f15fc7a76d14ef711e97c51ec4f45135 Mon Sep 17 00:00:00 2001 +From: Pu Wen +Date: Mon, 12 Nov 2018 15:40:51 +0800 +Subject: perf tools: Add Hygon Dhyana support + +[ Upstream commit 4787eff3fa88f62fede6ed7afa06477ae6bf984d ] + +The tool perf is useful for the performance analysis on the Hygon Dhyana +platform. But right now there is no Hygon support for it to analyze the +KVM guest os data. So add Hygon Dhyana support to it by checking vendor +string to share the code path of AMD. + +Signed-off-by: Pu Wen +Acked-by: Borislav Petkov +Cc: Alexander Shishkin +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/1542008451-31735-1-git-send-email-puwen@hygon.cn +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/arch/x86/util/kvm-stat.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/arch/x86/util/kvm-stat.c b/tools/perf/arch/x86/util/kvm-stat.c +index 14e4e668fad7..f97696a418cc 100644 +--- a/tools/perf/arch/x86/util/kvm-stat.c ++++ b/tools/perf/arch/x86/util/kvm-stat.c +@@ -146,7 +146,7 @@ int cpu_isa_init(struct perf_kvm_stat *kvm, const char *cpuid) + if (strstr(cpuid, "Intel")) { + kvm->exit_reasons = vmx_exit_reasons; + kvm->exit_reasons_isa = "VMX"; +- } else if (strstr(cpuid, "AMD")) { ++ } else if (strstr(cpuid, "AMD") || strstr(cpuid, "Hygon")) { + kvm->exit_reasons = svm_exit_reasons; + kvm->exit_reasons_isa = "SVM"; + } else +-- +2.19.1 + diff --git a/queue-3.18/powerpc-pseries-add-of_node_put-in-dlpar_detach_node.patch b/queue-3.18/powerpc-pseries-add-of_node_put-in-dlpar_detach_node.patch new file mode 100644 index 00000000000..2428ac3db51 --- /dev/null +++ b/queue-3.18/powerpc-pseries-add-of_node_put-in-dlpar_detach_node.patch @@ -0,0 +1,45 @@ +From df57717e66038eb39da8653c83016a8b80bc5b49 Mon Sep 17 00:00:00 2001 +From: Frank Rowand +Date: Thu, 4 Oct 2018 20:27:16 -0700 +Subject: powerpc/pseries: add of_node_put() in dlpar_detach_node() + +[ Upstream commit 5b3f5c408d8cc59b87e47f1ab9803dbd006e4a91 ] + +The previous commit, "of: overlay: add missing of_node_get() in +__of_attach_node_sysfs" added a missing of_node_get() to +__of_attach_node_sysfs(). This results in a refcount imbalance +for nodes attached with dlpar_attach_node(). The calling sequence +from dlpar_attach_node() to __of_attach_node_sysfs() is: + + dlpar_attach_node() + of_attach_node() + __of_attach_node_sysfs() + +For more detailed description of the node refcount, see +commit 68baf692c435 ("powerpc/pseries: Fix of_node_put() underflow +during DLPAR remove"). + +Tested-by: Alan Tull +Acked-by: Michael Ellerman +Signed-off-by: Frank Rowand +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/dlpar.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/powerpc/platforms/pseries/dlpar.c b/arch/powerpc/platforms/pseries/dlpar.c +index 80d175dca68e..85bd29475987 100644 +--- a/arch/powerpc/platforms/pseries/dlpar.c ++++ b/arch/powerpc/platforms/pseries/dlpar.c +@@ -299,6 +299,8 @@ int dlpar_detach_node(struct device_node *dn) + if (rc) + return rc; + ++ of_node_put(dn); ++ + return 0; + } + +-- +2.19.1 + diff --git a/queue-3.18/powerpc-uaccess-fix-warning-error-with-access_ok.patch b/queue-3.18/powerpc-uaccess-fix-warning-error-with-access_ok.patch new file mode 100644 index 00000000000..d464b0ceae0 --- /dev/null +++ b/queue-3.18/powerpc-uaccess-fix-warning-error-with-access_ok.patch @@ -0,0 +1,45 @@ +From e094b86b0e9968bb650f7fc4a9170c5be886105b Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Mon, 10 Dec 2018 06:50:09 +0000 +Subject: powerpc/uaccess: fix warning/error with access_ok() + +[ Upstream commit 05a4ab823983d9136a460b7b5e0d49ee709a6f86 ] + +With the following piece of code, the following compilation warning +is encountered: + + if (_IOC_DIR(ioc) != _IOC_NONE) { + int verify = _IOC_DIR(ioc) & _IOC_READ ? VERIFY_WRITE : VERIFY_READ; + + if (!access_ok(verify, ioarg, _IOC_SIZE(ioc))) { + +drivers/platform/test/dev.c: In function 'my_ioctl': +drivers/platform/test/dev.c:219:7: warning: unused variable 'verify' [-Wunused-variable] + int verify = _IOC_DIR(ioc) & _IOC_READ ? VERIFY_WRITE : VERIFY_READ; + +This patch fixes it by referencing 'type' in the macro allthough +doing nothing with it. + +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/uaccess.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h +index 46c486599645..1bb8cc3fbbf1 100644 +--- a/arch/powerpc/include/asm/uaccess.h ++++ b/arch/powerpc/include/asm/uaccess.h +@@ -59,7 +59,7 @@ + #endif + + #define access_ok(type, addr, size) \ +- (__chk_user_ptr(addr), \ ++ (__chk_user_ptr(addr), (void)(type), \ + __access_ok((__force unsigned long)(addr), (size), get_fs())) + + /* +-- +2.19.1 + diff --git a/queue-3.18/sata_rcar-fix-deferred-probing.patch b/queue-3.18/sata_rcar-fix-deferred-probing.patch new file mode 100644 index 00000000000..d7eceea0714 --- /dev/null +++ b/queue-3.18/sata_rcar-fix-deferred-probing.patch @@ -0,0 +1,41 @@ +From bfa74d8ca0c8996789ba65229b4ebc0279c0a003 Mon Sep 17 00:00:00 2001 +From: Sergei Shtylyov +Date: Sat, 24 Nov 2018 21:14:16 +0300 +Subject: sata_rcar: fix deferred probing + +[ Upstream commit 9f83cfdb1ace3ef268ecc6fda50058d2ec37d603 ] + +The driver overrides the error codes returned by platform_get_irq() to +-EINVAL, so if it returns -EPROBE_DEFER, the driver would fail the probe +permanently instead of the deferred probing. Switch to propagating the +error code upstream, still checking/overriding IRQ0 as libata regards it +as "no IRQ" (thus polling) anyway... + +Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq") +Reviewed-by: Simon Horman +Reviewed-by: Geert Uytterhoeven +Signed-off-by: Sergei Shtylyov +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/sata_rcar.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/ata/sata_rcar.c b/drivers/ata/sata_rcar.c +index ea1fbc1d4c5f..e7e259a6c732 100644 +--- a/drivers/ata/sata_rcar.c ++++ b/drivers/ata/sata_rcar.c +@@ -879,7 +879,9 @@ static int sata_rcar_probe(struct platform_device *pdev) + int ret = 0; + + irq = platform_get_irq(pdev, 0); +- if (irq <= 0) ++ if (irq < 0) ++ return irq; ++ if (!irq) + return -EINVAL; + + priv = devm_kzalloc(&pdev->dev, sizeof(struct sata_rcar_priv), +-- +2.19.1 + diff --git a/queue-3.18/scripts-decode_stacktrace-only-strip-base-path-when-.patch b/queue-3.18/scripts-decode_stacktrace-only-strip-base-path-when-.patch new file mode 100644 index 00000000000..16d8f7d665a --- /dev/null +++ b/queue-3.18/scripts-decode_stacktrace-only-strip-base-path-when-.patch @@ -0,0 +1,48 @@ +From 7455f5f88285939964b6336193226a72ac60105a Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Fri, 28 Dec 2018 00:31:25 -0800 +Subject: scripts/decode_stacktrace: only strip base path when a prefix of the + path + +[ Upstream commit 67a28de47faa83585dd644bd4c31e5a1d9346c50 ] + +Running something like: + + decodecode vmlinux . + +leads to interested results where not only the leading "." gets stripped +from the displayed paths, but also anywhere in the string, displaying +something like: + + kvm_vcpu_check_block (arch/arm64/kvm/virt/kvm/kvm_mainc:2141) + +which doesn't help further processing. + +Fix it by only stripping the base path if it is a prefix of the path. + +Link: http://lkml.kernel.org/r/20181210174659.31054-3-marc.zyngier@arm.com +Signed-off-by: Marc Zyngier +Cc: Will Deacon +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + scripts/decode_stacktrace.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/decode_stacktrace.sh b/scripts/decode_stacktrace.sh +index 515c4c00e957..aa4b57abd1b5 100755 +--- a/scripts/decode_stacktrace.sh ++++ b/scripts/decode_stacktrace.sh +@@ -61,7 +61,7 @@ parse_symbol() { + fi + + # Strip out the base of the path +- code=${code//$basepath/""} ++ code=${code//^$basepath/""} + + # In the case of inlines, move everything to same line + code=${code//$'\n'/' '} +-- +2.19.1 + diff --git a/queue-3.18/serial-fsl_lpuart-clear-parity-enable-bit-when-disab.patch b/queue-3.18/serial-fsl_lpuart-clear-parity-enable-bit-when-disab.patch new file mode 100644 index 00000000000..e0d9ccdfd4b --- /dev/null +++ b/queue-3.18/serial-fsl_lpuart-clear-parity-enable-bit-when-disab.patch @@ -0,0 +1,49 @@ +From 72f725a22d46dbfcc832a413bfc24c13fc79726c Mon Sep 17 00:00:00 2001 +From: Andy Duan +Date: Tue, 16 Oct 2018 07:32:22 +0000 +Subject: serial: fsl_lpuart: clear parity enable bit when disable parity +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 397bd9211fe014b347ca8f95a8f4e1017bac1aeb ] + +Current driver only enable parity enable bit and never clear it +when user set the termios. The fix clear the parity enable bit when +PARENB flag is not set in termios->c_cflag. + +Cc: Lukas Wunner +Signed-off-by: Andy Duan +Reviewed-by: Fabio Estevam +Acked-by: Uwe Kleine-König +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/fsl_lpuart.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c +index 92b7a5bf7c4d..839e65da4d3f 100644 +--- a/drivers/tty/serial/fsl_lpuart.c ++++ b/drivers/tty/serial/fsl_lpuart.c +@@ -1284,6 +1284,8 @@ lpuart_set_termios(struct uart_port *port, struct ktermios *termios, + else + cr1 &= ~UARTCR1_PT; + } ++ } else { ++ cr1 &= ~UARTCR1_PE; + } + + /* ask the core to calculate the divisor */ +@@ -1419,6 +1421,8 @@ lpuart32_set_termios(struct uart_port *port, struct ktermios *termios, + else + ctrl &= ~UARTCTRL_PT; + } ++ } else { ++ ctrl &= ~UARTCTRL_PE; + } + + /* ask the core to calculate the divisor */ +-- +2.19.1 + diff --git a/queue-3.18/series b/queue-3.18/series new file mode 100644 index 00000000000..6186c73088e --- /dev/null +++ b/queue-3.18/series @@ -0,0 +1,59 @@ +staging-iio-adc-ad7280a-handle-error-from-__ad7280_r.patch +ath9k-dynack-use-authentication-messages-for-late-ac.patch +arm-8808-1-kexec-offline-panic_smp_self_stop-cpu.patch +dlm-don-t-swamp-the-cpu-with-callbacks-queued-during.patch +x86-pci-fix-broadcom-cnb20le-unintended-sign-extensi.patch +powerpc-pseries-add-of_node_put-in-dlpar_detach_node.patch +serial-fsl_lpuart-clear-parity-enable-bit-when-disab.patch +staging-iio-ad2s90-make-probe-handle-spi_setup-failu.patch +staging-iio-ad7780-update-voltage-on-read.patch +arm-omap2-hwmod-fix-some-section-annotations.patch +modpost-validate-symbol-names-also-in-find_elf_symbo.patch +perf-tools-add-hygon-dhyana-support.patch +soc-tegra-don-t-leak-device-tree-node-reference.patch +f2fs-move-dir-data-flush-to-write-checkpoint-process.patch +nfsd4-fix-crash-on-writing-v4_end_grace-before-nfsd-.patch +arm64-ftrace-don-t-adjust-the-lr-value.patch +arm-mmp-mmp2-dt-enable-the-clock.patch +media-davinci-vpbe-fix-error-handling-in-vpbe_initia.patch +smack-fix-access-permissions-for-keyring.patch +usb-hub-delay-hub-autosuspend-if-usb3-port-is-still-.patch +timekeeping-use-proper-seqcount-initializer.patch +arm-dts-fix-omap4430-sdp-ethernet-startup.patch +mips-bpf-fix-encoding-bug-for-mm_srlv32_op.patch +sata_rcar-fix-deferred-probing.patch +clk-imx6sl-ensure-mmdc-ch0-handshake-is-bypassed.patch +cpuidle-big.little-fix-refcount-leak.patch +udf-fix-bug-on-corrupted-inode.patch +arm-pxa-avoid-section-mismatch-warning.patch +asoc-fsl-fix-snd_soc_eukrea_tlv320-build-error-on-i..patch +arm-mmp-fix-timer_init-calls.patch +memstick-prevent-memstick-host-from-getting-runtime-.patch +tty-serial-samsung-properly-set-flags-in-autocts-mod.patch +arm64-kvm-skip-mmio-insn-after-emulation.patch +powerpc-uaccess-fix-warning-error-with-access_ok.patch +xfrm6_tunnel-fix-spi-check-in-__xfrm6_tunnel_alloc_s.patch +drbd-narrow-rcu_read_lock-in-drbd_sync_handshake.patch +drbd-disconnect-if-the-wrong-uuids-are-attached-on-a.patch +drbd-skip-spurious-timeout-ping-timeo-when-failing-p.patch +drbd-avoid-clang-warning-about-pointless-switch-stat.patch +video-clps711x-fb-release-disp-device-node-in-probe.patch +fbdev-fbmem-behave-better-with-small-rotated-display.patch +igb-fix-an-issue-that-pme-is-not-enabled-during-runt.patch +fbdev-fbcon-fix-unregister-crash-when-more-than-one-.patch +nfs-nfs_compare_mount_options-always-compare-auth-fl.patch +hwmon-lm80-fix-a-missing-check-of-the-status-of-smbu.patch +hwmon-lm80-fix-a-missing-check-of-bus-read-in-lm80-p.patch +crypto-ux500-use-proper-enum-in-cryp_set_dma_transfe.patch +crypto-ux500-use-proper-enum-in-hash_set_dma_transfe.patch +cifs-check-ntwrk_buf_start-for-null-before-dereferen.patch +um-avoid-marking-pages-with-changed-protection.patch +niu-fix-missing-checks-of-niu_pci_eeprom_read.patch +scripts-decode_stacktrace-only-strip-base-path-when-.patch +ocfs2-don-t-clear-bh-uptodate-for-block-read.patch +isdn-hisax-hfc_pci-fix-a-possible-concurrency-use-af.patch +gdrom-fix-a-memory-leak-bug.patch +block-swim3-fix-ebusy-error-when-re-opening-device-a.patch +kernel-hung_task.c-break-rcu-locks-based-on-jiffies.patch +fs-epoll-drop-ovflist-branch-prediction.patch +exec-load_script-don-t-blindly-truncate-shebang-stri.patch diff --git a/queue-3.18/smack-fix-access-permissions-for-keyring.patch b/queue-3.18/smack-fix-access-permissions-for-keyring.patch new file mode 100644 index 00000000000..bcde3fb74ce --- /dev/null +++ b/queue-3.18/smack-fix-access-permissions-for-keyring.patch @@ -0,0 +1,66 @@ +From cf549725de982795f6b76a7a8bc30df5bdb6e5bd Mon Sep 17 00:00:00 2001 +From: Zoran Markovic +Date: Wed, 17 Oct 2018 16:25:44 -0700 +Subject: smack: fix access permissions for keyring + +[ Upstream commit 5b841bfab695e3b8ae793172a9ff7990f99cc3e2 ] + +Function smack_key_permission() only issues smack requests for the +following operations: + - KEY_NEED_READ (issues MAY_READ) + - KEY_NEED_WRITE (issues MAY_WRITE) + - KEY_NEED_LINK (issues MAY_WRITE) + - KEY_NEED_SETATTR (issues MAY_WRITE) +A blank smack request is issued in all other cases, resulting in +smack access being granted if there is any rule defined between +subject and object, or denied with -EACCES otherwise. + +Request MAY_READ access for KEY_NEED_SEARCH and KEY_NEED_VIEW. +Fix the logic in the unlikely case when both MAY_READ and +MAY_WRITE are needed. Validate access permission field for valid +contents. + +Signed-off-by: Zoran Markovic +Signed-off-by: Casey Schaufler +Cc: Casey Schaufler +Cc: James Morris +Cc: "Serge E. Hallyn" +Signed-off-by: Sasha Levin +--- + security/smack/smack_lsm.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c +index 59350f6b7e8d..e36976ed38e4 100644 +--- a/security/smack/smack_lsm.c ++++ b/security/smack/smack_lsm.c +@@ -3847,6 +3847,12 @@ static int smack_key_permission(key_ref_t key_ref, + int request = 0; + int rc; + ++ /* ++ * Validate requested permissions ++ */ ++ if (perm & ~KEY_NEED_ALL) ++ return -EINVAL; ++ + keyp = key_ref_to_ptr(key_ref); + if (keyp == NULL) + return -EINVAL; +@@ -3866,10 +3872,10 @@ static int smack_key_permission(key_ref_t key_ref, + ad.a.u.key_struct.key = keyp->serial; + ad.a.u.key_struct.key_desc = keyp->description; + #endif +- if (perm & KEY_NEED_READ) +- request = MAY_READ; ++ if (perm & (KEY_NEED_READ | KEY_NEED_SEARCH | KEY_NEED_VIEW)) ++ request |= MAY_READ; + if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR)) +- request = MAY_WRITE; ++ request |= MAY_WRITE; + rc = smk_access(tkp, keyp->security, request, &ad); + rc = smk_bu_note("key access", tkp, keyp->security, request, rc); + return rc; +-- +2.19.1 + diff --git a/queue-3.18/soc-tegra-don-t-leak-device-tree-node-reference.patch b/queue-3.18/soc-tegra-don-t-leak-device-tree-node-reference.patch new file mode 100644 index 00000000000..9250b52ca91 --- /dev/null +++ b/queue-3.18/soc-tegra-don-t-leak-device-tree-node-reference.patch @@ -0,0 +1,44 @@ +From c1c2b9b1626bdbd5015d445664e477245abea709 Mon Sep 17 00:00:00 2001 +From: Yangtao Li +Date: Wed, 21 Nov 2018 07:49:12 -0500 +Subject: soc/tegra: Don't leak device tree node reference + +[ Upstream commit 9eb40fa2cd2d1f6829e7b49bb22692f754b9cfe0 ] + +of_find_node_by_path() acquires a reference to the node returned by it +and that reference needs to be dropped by its caller. soc_is_tegra() +doesn't do that, so fix it. + +Signed-off-by: Yangtao Li +Acked-by: Jon Hunter +[treding: slightly rewrite to avoid inline comparison] +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/soc/tegra/common.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/soc/tegra/common.c b/drivers/soc/tegra/common.c +index a71cb74f3674..04323ade15dd 100644 +--- a/drivers/soc/tegra/common.c ++++ b/drivers/soc/tegra/common.c +@@ -20,11 +20,15 @@ static const struct of_device_id tegra_machine_match[] = { + + bool soc_is_tegra(void) + { ++ const struct of_device_id *match; + struct device_node *root; + + root = of_find_node_by_path("/"); + if (!root) + return false; + +- return of_match_node(tegra_machine_match, root) != NULL; ++ match = of_match_node(tegra_machine_match, root); ++ of_node_put(root); ++ ++ return match != NULL; + } +-- +2.19.1 + diff --git a/queue-3.18/staging-iio-ad2s90-make-probe-handle-spi_setup-failu.patch b/queue-3.18/staging-iio-ad2s90-make-probe-handle-spi_setup-failu.patch new file mode 100644 index 00000000000..d9fd722d72b --- /dev/null +++ b/queue-3.18/staging-iio-ad2s90-make-probe-handle-spi_setup-failu.patch @@ -0,0 +1,46 @@ +From 5b0e4091d1e2bba6c76f69b58a9ce085870b9c24 Mon Sep 17 00:00:00 2001 +From: Matheus Tavares +Date: Sat, 3 Nov 2018 19:49:44 -0300 +Subject: staging:iio:ad2s90: Make probe handle spi_setup failure + +[ Upstream commit b3a3eafeef769c6982e15f83631dcbf8d1794efb ] + +Previously, ad2s90_probe ignored the return code from spi_setup, not +handling its possible failure. This patch makes ad2s90_probe check if +the code is an error code and, if so, do the following: + +- Call dev_err with an appropriate error message. +- Return the spi_setup's error code. + +Note: The 'return ret' statement could be out of the 'if' block, but +this whole block will be moved up in the function in the patch: +'staging:iio:ad2s90: Move device registration to the end of probe'. + +Signed-off-by: Matheus Tavares +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/staging/iio/resolver/ad2s90.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/staging/iio/resolver/ad2s90.c b/drivers/staging/iio/resolver/ad2s90.c +index e24c5890652f..c0cee97bd0f1 100644 +--- a/drivers/staging/iio/resolver/ad2s90.c ++++ b/drivers/staging/iio/resolver/ad2s90.c +@@ -86,7 +86,12 @@ static int ad2s90_probe(struct spi_device *spi) + /* need 600ns between CS and the first falling edge of SCLK */ + spi->max_speed_hz = 830000; + spi->mode = SPI_MODE_3; +- spi_setup(spi); ++ ret = spi_setup(spi); ++ ++ if (ret < 0) { ++ dev_err(&spi->dev, "spi_setup failed!\n"); ++ return ret; ++ } + + return 0; + } +-- +2.19.1 + diff --git a/queue-3.18/staging-iio-ad7780-update-voltage-on-read.patch b/queue-3.18/staging-iio-ad7780-update-voltage-on-read.patch new file mode 100644 index 00000000000..b35bad6fc5e --- /dev/null +++ b/queue-3.18/staging-iio-ad7780-update-voltage-on-read.patch @@ -0,0 +1,44 @@ +From eae9e530e62e52f614c75689aa5ecdfcc8aa7f14 Mon Sep 17 00:00:00 2001 +From: Renato Lui Geh +Date: Mon, 5 Nov 2018 17:14:58 -0200 +Subject: staging: iio: ad7780: update voltage on read + +[ Upstream commit 336650c785b62c3bea7c8cf6061c933a90241f67 ] + +The ad7780 driver previously did not read the correct device output, as +it read an outdated value set at initialization. It now updates its +voltage on read. + +Signed-off-by: Renato Lui Geh +Acked-by: Alexandru Ardelean +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/staging/iio/adc/ad7780.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/staging/iio/adc/ad7780.c b/drivers/staging/iio/adc/ad7780.c +index 273add3ed63f..5a3072740326 100644 +--- a/drivers/staging/iio/adc/ad7780.c ++++ b/drivers/staging/iio/adc/ad7780.c +@@ -90,12 +90,16 @@ static int ad7780_read_raw(struct iio_dev *indio_dev, + long m) + { + struct ad7780_state *st = iio_priv(indio_dev); ++ int voltage_uv; + + switch (m) { + case IIO_CHAN_INFO_RAW: + return ad_sigma_delta_single_conversion(indio_dev, chan, val); + case IIO_CHAN_INFO_SCALE: +- *val = st->int_vref_mv * st->gain; ++ voltage_uv = regulator_get_voltage(st->reg); ++ if (voltage_uv < 0) ++ return voltage_uv; ++ *val = (voltage_uv / 1000) * st->gain; + *val2 = chan->scan_type.realbits - 1; + return IIO_VAL_FRACTIONAL_LOG2; + case IIO_CHAN_INFO_OFFSET: +-- +2.19.1 + diff --git a/queue-3.18/staging-iio-adc-ad7280a-handle-error-from-__ad7280_r.patch b/queue-3.18/staging-iio-adc-ad7280a-handle-error-from-__ad7280_r.patch new file mode 100644 index 00000000000..f1a5fb9f5ea --- /dev/null +++ b/queue-3.18/staging-iio-adc-ad7280a-handle-error-from-__ad7280_r.patch @@ -0,0 +1,70 @@ +From 3c9cd0eed651f734cfc0ab6c7ec4081de9735c6b Mon Sep 17 00:00:00 2001 +From: Slawomir Stepien +Date: Sat, 20 Oct 2018 23:04:11 +0200 +Subject: staging: iio: adc: ad7280a: handle error from __ad7280_read32() + +[ Upstream commit 0559ef7fde67bc6c83c6eb6329dbd6649528263e ] + +Inside __ad7280_read32(), the spi_sync_transfer() can fail with negative +error code. This change will ensure that this error is being passed up +in the call stack, so it can be handled. + +Signed-off-by: Slawomir Stepien +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/staging/iio/adc/ad7280a.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/drivers/staging/iio/adc/ad7280a.c b/drivers/staging/iio/adc/ad7280a.c +index d215edf66af2..0ad4af5d0ae4 100644 +--- a/drivers/staging/iio/adc/ad7280a.c ++++ b/drivers/staging/iio/adc/ad7280a.c +@@ -250,7 +250,9 @@ static int ad7280_read(struct ad7280_state *st, unsigned devaddr, + if (ret) + return ret; + +- __ad7280_read32(st, &tmp); ++ ret = __ad7280_read32(st, &tmp); ++ if (ret) ++ return ret; + + if (ad7280_check_crc(st, tmp)) + return -EIO; +@@ -288,7 +290,9 @@ static int ad7280_read_channel(struct ad7280_state *st, unsigned devaddr, + + ad7280_delay(st); + +- __ad7280_read32(st, &tmp); ++ ret = __ad7280_read32(st, &tmp); ++ if (ret) ++ return ret; + + if (ad7280_check_crc(st, tmp)) + return -EIO; +@@ -321,7 +325,9 @@ static int ad7280_read_all_channels(struct ad7280_state *st, unsigned cnt, + ad7280_delay(st); + + for (i = 0; i < cnt; i++) { +- __ad7280_read32(st, &tmp); ++ ret = __ad7280_read32(st, &tmp); ++ if (ret) ++ return ret; + + if (ad7280_check_crc(st, tmp)) + return -EIO; +@@ -364,7 +370,10 @@ static int ad7280_chain_setup(struct ad7280_state *st) + return ret; + + for (n = 0; n <= AD7280A_MAX_CHAIN; n++) { +- __ad7280_read32(st, &val); ++ ret = __ad7280_read32(st, &val); ++ if (ret) ++ return ret; ++ + if (val == 0) + return n - 1; + +-- +2.19.1 + diff --git a/queue-3.18/timekeeping-use-proper-seqcount-initializer.patch b/queue-3.18/timekeeping-use-proper-seqcount-initializer.patch new file mode 100644 index 00000000000..dea99fb89d8 --- /dev/null +++ b/queue-3.18/timekeeping-use-proper-seqcount-initializer.patch @@ -0,0 +1,45 @@ +From e59f7a344fbe8622422a456533e7d28706006db9 Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Wed, 28 Nov 2018 15:43:09 -0800 +Subject: timekeeping: Use proper seqcount initializer + +[ Upstream commit ce10a5b3954f2514af726beb78ed8d7350c5e41c ] + +tk_core.seq is initialized open coded, but that misses to initialize the +lockdep map when lockdep is enabled. Lockdep splats involving tk_core seq +consequently lack a name and are hard to read. + +Use the proper initializer which takes care of the lockdep map +initialization. + +[ tglx: Massaged changelog ] + +Signed-off-by: Bart Van Assche +Signed-off-by: Thomas Gleixner +Cc: peterz@infradead.org +Cc: tj@kernel.org +Cc: johannes.berg@intel.com +Link: https://lkml.kernel.org/r/20181128234325.110011-12-bvanassche@acm.org +Signed-off-by: Sasha Levin +--- + kernel/time/timekeeping.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c +index 70e3e6ae06d2..05397615d048 100644 +--- a/kernel/time/timekeeping.c ++++ b/kernel/time/timekeeping.c +@@ -39,7 +39,9 @@ + static struct { + seqcount_t seq; + struct timekeeper timekeeper; +-} tk_core ____cacheline_aligned; ++} tk_core ____cacheline_aligned = { ++ .seq = SEQCNT_ZERO(tk_core.seq), ++}; + + static DEFINE_RAW_SPINLOCK(timekeeper_lock); + static struct timekeeper shadow_timekeeper; +-- +2.19.1 + diff --git a/queue-3.18/tty-serial-samsung-properly-set-flags-in-autocts-mod.patch b/queue-3.18/tty-serial-samsung-properly-set-flags-in-autocts-mod.patch new file mode 100644 index 00000000000..f241bf5d599 --- /dev/null +++ b/queue-3.18/tty-serial-samsung-properly-set-flags-in-autocts-mod.patch @@ -0,0 +1,45 @@ +From 304129186b08b1d352652e39129e577c038261af Mon Sep 17 00:00:00 2001 +From: Beomho Seo +Date: Fri, 14 Dec 2018 12:34:08 +0100 +Subject: tty: serial: samsung: Properly set flags in autoCTS mode + +[ Upstream commit 31e933645742ee6719d37573a27cce0761dcf92b ] + +Commit 391f93f2ec9f ("serial: core: Rework hw-assited flow control support") +has changed the way the autoCTS mode is handled. + +According to that change, serial drivers which enable H/W autoCTS mode must +set UPSTAT_AUTOCTS to prevent the serial core from inadvertently disabling +TX. This patch adds proper handling of UPSTAT_AUTOCTS flag. + +Signed-off-by: Beomho Seo +[mszyprow: rephrased commit message] +Signed-off-by: Marek Szyprowski +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/samsung.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c +index 957992ceba0a..67cbc5647c36 100644 +--- a/drivers/tty/serial/samsung.c ++++ b/drivers/tty/serial/samsung.c +@@ -817,11 +817,14 @@ static void s3c24xx_serial_set_termios(struct uart_port *port, + wr_regl(port, S3C2410_ULCON, ulcon); + wr_regl(port, S3C2410_UBRDIV, quot); + ++ port->status &= ~UPSTAT_AUTOCTS; ++ + umcon = rd_regl(port, S3C2410_UMCON); + if (termios->c_cflag & CRTSCTS) { + umcon |= S3C2410_UMCOM_AFC; + /* Disable RTS when RX FIFO contains 63 bytes */ + umcon &= ~S3C2412_UMCON_AFC_8; ++ port->status = UPSTAT_AUTOCTS; + } else { + umcon &= ~S3C2410_UMCOM_AFC; + } +-- +2.19.1 + diff --git a/queue-3.18/udf-fix-bug-on-corrupted-inode.patch b/queue-3.18/udf-fix-bug-on-corrupted-inode.patch new file mode 100644 index 00000000000..ca8b94b690d --- /dev/null +++ b/queue-3.18/udf-fix-bug-on-corrupted-inode.patch @@ -0,0 +1,38 @@ +From fa63002e7636bbf5483ec8bdaf56fea2418306ec Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Wed, 12 Dec 2018 14:29:20 +0100 +Subject: udf: Fix BUG on corrupted inode + +[ Upstream commit d288d95842f1503414b7eebce3773bac3390457e ] + +When inode is corrupted so that extent type is invalid, some functions +(such as udf_truncate_extents()) will just BUG. Check that extent type +is valid when loading the inode to memory. + +Reported-by: Anatoly Trosinenko +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/udf/inode.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/udf/inode.c b/fs/udf/inode.c +index 0c1ca254d616..00c2caff1743 100644 +--- a/fs/udf/inode.c ++++ b/fs/udf/inode.c +@@ -1366,6 +1366,12 @@ reread: + + iinfo->i_alloc_type = le16_to_cpu(fe->icbTag.flags) & + ICBTAG_FLAG_AD_MASK; ++ if (iinfo->i_alloc_type != ICBTAG_FLAG_AD_SHORT && ++ iinfo->i_alloc_type != ICBTAG_FLAG_AD_LONG && ++ iinfo->i_alloc_type != ICBTAG_FLAG_AD_IN_ICB) { ++ ret = -EIO; ++ goto out; ++ } + iinfo->i_unique = 0; + iinfo->i_lenEAttr = 0; + iinfo->i_lenExtents = 0; +-- +2.19.1 + diff --git a/queue-3.18/um-avoid-marking-pages-with-changed-protection.patch b/queue-3.18/um-avoid-marking-pages-with-changed-protection.patch new file mode 100644 index 00000000000..d44742d4122 --- /dev/null +++ b/queue-3.18/um-avoid-marking-pages-with-changed-protection.patch @@ -0,0 +1,56 @@ +From 2f6e286a3d2c6615e799d0d8cfcef420cdc27469 Mon Sep 17 00:00:00 2001 +From: Anton Ivanov +Date: Wed, 5 Dec 2018 12:37:41 +0000 +Subject: um: Avoid marking pages with "changed protection" + +[ Upstream commit 8892d8545f2d0342b9c550defbfb165db237044b ] + +Changing protection is a very high cost operation in UML +because in addition to an extra syscall it also interrupts +mmap merge sequences generated by the tlb. + +While the condition is not particularly common it is worth +avoiding. + +Signed-off-by: Anton Ivanov +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + arch/um/include/asm/pgtable.h | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/arch/um/include/asm/pgtable.h b/arch/um/include/asm/pgtable.h +index bf974f712af7..e75fa226f08a 100644 +--- a/arch/um/include/asm/pgtable.h ++++ b/arch/um/include/asm/pgtable.h +@@ -210,12 +210,17 @@ static inline pte_t pte_mkold(pte_t pte) + + static inline pte_t pte_wrprotect(pte_t pte) + { +- pte_clear_bits(pte, _PAGE_RW); ++ if (likely(pte_get_bits(pte, _PAGE_RW))) ++ pte_clear_bits(pte, _PAGE_RW); ++ else ++ return pte; + return(pte_mknewprot(pte)); + } + + static inline pte_t pte_mkread(pte_t pte) + { ++ if (unlikely(pte_get_bits(pte, _PAGE_USER))) ++ return pte; + pte_set_bits(pte, _PAGE_USER); + return(pte_mknewprot(pte)); + } +@@ -234,6 +239,8 @@ static inline pte_t pte_mkyoung(pte_t pte) + + static inline pte_t pte_mkwrite(pte_t pte) + { ++ if (unlikely(pte_get_bits(pte, _PAGE_RW))) ++ return pte; + pte_set_bits(pte, _PAGE_RW); + return(pte_mknewprot(pte)); + } +-- +2.19.1 + diff --git a/queue-3.18/usb-hub-delay-hub-autosuspend-if-usb3-port-is-still-.patch b/queue-3.18/usb-hub-delay-hub-autosuspend-if-usb3-port-is-still-.patch new file mode 100644 index 00000000000..435fd1c9bdd --- /dev/null +++ b/queue-3.18/usb-hub-delay-hub-autosuspend-if-usb3-port-is-still-.patch @@ -0,0 +1,49 @@ +From 1901d02fabf274029aab893612019b0e32093c3d Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Wed, 28 Nov 2018 15:55:21 +0200 +Subject: usb: hub: delay hub autosuspend if USB3 port is still link training + +[ Upstream commit e86108940e541febf35813402ff29fa6f4a9ac0b ] + +When initializing a hub we want to give a USB3 port in link training +the same debounce delay time before autosuspening the hub as already +trained, connected enabled ports. + +USB3 ports won't reach the enabled state with "current connect status" and +"connect status change" bits set until the USB3 link training finishes. + +Catching the port in link training (polling) and adding the debounce delay +prevents unnecessary failed attempts to autosuspend the hub. + +Signed-off-by: Mathias Nyman +Acked-by: Alan Stern +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/core/hub.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index 19cc2c03906d..adf8dea1f6f3 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -1117,6 +1117,16 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type) + USB_PORT_FEAT_ENABLE); + } + ++ /* ++ * Add debounce if USB3 link is in polling/link training state. ++ * Link will automatically transition to Enabled state after ++ * link training completes. ++ */ ++ if (hub_is_superspeed(hdev) && ++ ((portstatus & USB_PORT_STAT_LINK_STATE) == ++ USB_SS_PORT_LS_POLLING)) ++ need_debounce_delay = true; ++ + /* Clear status-change flags; we'll debounce later */ + if (portchange & USB_PORT_STAT_C_CONNECTION) { + need_debounce_delay = true; +-- +2.19.1 + diff --git a/queue-3.18/video-clps711x-fb-release-disp-device-node-in-probe.patch b/queue-3.18/video-clps711x-fb-release-disp-device-node-in-probe.patch new file mode 100644 index 00000000000..4ff823e838e --- /dev/null +++ b/queue-3.18/video-clps711x-fb-release-disp-device-node-in-probe.patch @@ -0,0 +1,47 @@ +From fe06409c8c3d388d986749a7b68dd0839069c50a Mon Sep 17 00:00:00 2001 +From: Alexey Khoroshilov +Date: Thu, 20 Dec 2018 19:13:07 +0100 +Subject: video: clps711x-fb: release disp device node in probe() + +[ Upstream commit fdac751355cd76e049f628afe6acb8ff4b1399f7 ] + +clps711x_fb_probe() increments refcnt of disp device node by +of_parse_phandle() and leaves it undecremented on both +successful and error paths. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Alexey Khoroshilov +Cc: Alexander Shiyan +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/clps711x-fb.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/clps711x-fb.c b/drivers/video/fbdev/clps711x-fb.c +index 49a7bb4ef02f..dd8fd28d6132 100644 +--- a/drivers/video/fbdev/clps711x-fb.c ++++ b/drivers/video/fbdev/clps711x-fb.c +@@ -287,14 +287,17 @@ static int clps711x_fb_probe(struct platform_device *pdev) + } + + ret = of_get_fb_videomode(disp, &cfb->mode, OF_USE_NATIVE_MODE); +- if (ret) ++ if (ret) { ++ of_node_put(disp); + goto out_fb_release; ++ } + + of_property_read_u32(disp, "ac-prescale", &cfb->ac_prescale); + cfb->cmap_invert = of_property_read_bool(disp, "cmap-invert"); + + ret = of_property_read_u32(disp, "bits-per-pixel", + &info->var.bits_per_pixel); ++ of_node_put(disp); + if (ret) + goto out_fb_release; + +-- +2.19.1 + diff --git a/queue-3.18/x86-pci-fix-broadcom-cnb20le-unintended-sign-extensi.patch b/queue-3.18/x86-pci-fix-broadcom-cnb20le-unintended-sign-extensi.patch new file mode 100644 index 00000000000..25a063e853f --- /dev/null +++ b/queue-3.18/x86-pci-fix-broadcom-cnb20le-unintended-sign-extensi.patch @@ -0,0 +1,42 @@ +From 41847ce379c226cf272c4de3ed267bfa66a1247e Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Thu, 25 Oct 2018 14:52:31 +0100 +Subject: x86/PCI: Fix Broadcom CNB20LE unintended sign extension (redux) + +[ Upstream commit 53bb565fc5439f2c8c57a786feea5946804aa3e9 ] + +In the expression "word1 << 16", word1 starts as u16, but is promoted to a +signed int, then sign-extended to resource_size_t, which is probably not +what was intended. Cast to resource_size_t to avoid the sign extension. + +This fixes an identical issue as fixed by commit 0b2d70764bb3 ("x86/PCI: +Fix Broadcom CNB20LE unintended sign extension") back in 2014. + +Detected by CoverityScan, CID#138749, 138750 ("Unintended sign extension") + +Fixes: 3f6ea84a3035 ("PCI: read memory ranges out of Broadcom CNB20LE host bridge") +Signed-off-by: Colin Ian King +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + arch/x86/pci/broadcom_bus.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/pci/broadcom_bus.c b/arch/x86/pci/broadcom_bus.c +index 526536c81ddc..ca1e8e6dccc8 100644 +--- a/arch/x86/pci/broadcom_bus.c ++++ b/arch/x86/pci/broadcom_bus.c +@@ -50,8 +50,8 @@ static void __init cnb20le_res(u8 bus, u8 slot, u8 func) + word1 = read_pci_config_16(bus, slot, func, 0xc0); + word2 = read_pci_config_16(bus, slot, func, 0xc2); + if (word1 != word2) { +- res.start = (word1 << 16) | 0x0000; +- res.end = (word2 << 16) | 0xffff; ++ res.start = ((resource_size_t) word1 << 16) | 0x0000; ++ res.end = ((resource_size_t) word2 << 16) | 0xffff; + res.flags = IORESOURCE_MEM; + update_res(info, res.start, res.end, res.flags, 0); + } +-- +2.19.1 + diff --git a/queue-3.18/xfrm6_tunnel-fix-spi-check-in-__xfrm6_tunnel_alloc_s.patch b/queue-3.18/xfrm6_tunnel-fix-spi-check-in-__xfrm6_tunnel_alloc_s.patch new file mode 100644 index 00000000000..ceeaea14436 --- /dev/null +++ b/queue-3.18/xfrm6_tunnel-fix-spi-check-in-__xfrm6_tunnel_alloc_s.patch @@ -0,0 +1,39 @@ +From 6539733c052caf6a0fa24a611c48033af82e6004 Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Wed, 19 Dec 2018 14:45:09 +0800 +Subject: xfrm6_tunnel: Fix spi check in __xfrm6_tunnel_alloc_spi + +[ Upstream commit fa89a4593b927b3f59c3b69379f31d3b22272e4e ] + +gcc warn this: + +net/ipv6/xfrm6_tunnel.c:143 __xfrm6_tunnel_alloc_spi() warn: + always true condition '(spi <= 4294967295) => (0-u32max <= u32max)' + +'spi' is u32, which always not greater than XFRM6_TUNNEL_SPI_MAX +because of wrap around. So the second forloop will never reach. + +Signed-off-by: YueHaibing +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/ipv6/xfrm6_tunnel.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c +index 5743044cd660..56b72cada346 100644 +--- a/net/ipv6/xfrm6_tunnel.c ++++ b/net/ipv6/xfrm6_tunnel.c +@@ -144,6 +144,9 @@ static u32 __xfrm6_tunnel_alloc_spi(struct net *net, xfrm_address_t *saddr) + index = __xfrm6_tunnel_spi_check(net, spi); + if (index >= 0) + goto alloc_spi; ++ ++ if (spi == XFRM6_TUNNEL_SPI_MAX) ++ break; + } + for (spi = XFRM6_TUNNEL_SPI_MIN; spi < xfrm6_tn->spi; spi++) { + index = __xfrm6_tunnel_spi_check(net, spi); +-- +2.19.1 + -- 2.47.2