From 9b0f301c7380380996fcff1dec676b5414bdbd31 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Sun, 26 Aug 2018 09:14:09 +0200 Subject: [PATCH] 4.14-stable patches added patches: arc-add-missing-struct-nps_host_reg_aux_dpc.patch arc-dma-setup-smp_cache_bytes-and-cache_line_size.patch arc-fix-build-errors-in-arc-include-asm-delay.h.patch arc-fix-data-type-errors-in-platform-headers.patch arc-fix-printk-warning-in-arc-plat-eznps-mtm.c.patch arc-fix-type-warnings-in-arc-mm-cache.c.patch atl1c-reserve-min-skb-headroom.patch bnx2x-fix-invalid-memory-access-in-rss-hash-config-path.patch bpf-ppc64-fix-unexpected-r0-0-exit-path-inside-bpf_xadd.patch bpf-use-gfp_atomic-instead-of-gfp_kernel-in-bpf_parse_prog.patch cachefiles-fix-refcounting-bug-in-backing-file-read-monitoring.patch cachefiles-wait-rather-than-bug-ing-on-unexpected-object-collision.patch can-m_can-move-accessing-of-message-ram-to-after-clocks-are-enabled.patch can-mpc5xxx_can-check-of_iomap-return-before-use.patch drivers-net-lmc-fix-case-value-for-target-abort-error.patch drm-bridge-adv7511-reset-registers-on-hotplug.patch drm-imx-imx-ldb-check-if-channel-is-enabled-before-printing-warning.patch drm-imx-imx-ldb-disable-ldb-on-driver-bind.patch drm-re-enable-error-handling.patch enic-do-not-call-enic_change_mtu-in-enic_probe.patch enic-handle-mtu-change-for-vf-properly.patch esp6-fix-memleak-on-error-path-in-esp6_input.patch ext4-clear-mmp-sequence-number-when-remounting-read-only.patch fscache-allow-cancelled-operations-to-be-enqueued.patch gpiolib-acpi-make-sure-we-trigger-edge-events-at-least-once-on-boot.patch hinic-link-the-logical-network-device-to-the-pci-device-in-sysfs.patch i2c-davinci-avoid-zero-value-of-clkh.patch i2c-mux-locking-core-annotate-the-nested-rt_mutex-usage.patch ipc-sem.c-prevent-queue.status-tearing-in-semop.patch kvm-vmx-use-local-variable-for-current_vmptr-when-emulating-vmptrst.patch locking-rtmutex-allow-specifying-a-subclass-for-nested-locking.patch mac80211-add-stations-tied-to-ap_vlans-during-hw-reconfig.patch 
media-staging-omap4iss-include-asm-cacheflush.h-after-generic-includes.patch memcg-remove-memcg_cgroup-id-from-idr-on-mem_cgroup_css_alloc-failure.patch mm-delete-historical-bug-from-zap_pmd_range.patch mm-memory.c-check-return-value-of-ioremap_prot.patch nbd-don-t-requeue-the-same-request-twice.patch nbd-handle-unexpected-replies-better.patch net-axienet-fix-double-deregister-of-mdio.patch net-caif-add-a-missing-rcu_read_unlock-in-caif_flow_cb.patch net-prevent-isa-drivers-from-building-on-ppc32.patch netfilter-nf_tables-don-t-allow-to-rename-to-already-pending-name.patch netfilter-nf_tables-fix-memory-leaks-on-chain-rename.patch netfilter-nft_set_hash-add-rcu_barrier-in-the-nft_rhash_destroy.patch nfp-flower-fix-port-metadata-conversion-bug.patch nl80211-add-a-missing-break-in-parse_station_flags.patch perf-x86-amd-ibs-don-t-access-non-started-event.patch qed-correct-multicast-api-to-reflect-existence-of-256-approximate-buckets.patch qed-fix-link-flap-issue-due-to-mismatching-eee-capabilities.patch qed-fix-possible-race-for-the-link-state-value.patch qmi_wwan-fix-interface-number-for-dw5821e-production-firmware.patch revert-mips-bcm47xx-enable-74k-core-externalsync-for-pcie-erratum.patch sched-rt-restore-rt_runtime-after-disabling-rt_runtime_share.patch scsi-fcoe-clear-fc_rp_started-flags-when-receiving-a-logo.patch scsi-fcoe-drop-frames-in-els-logo-error-path.patch scsi-fcoe-fix-use-after-free-in-fcoe_ctlr_els_send.patch scsi-libiscsi-fix-possible-null-pointer-dereference-in-case-of-tmf.patch scsi-target-iscsi-cxgbit-fix-max-iso-npdu-calculation.patch scsi-vmw_pvscsi-return-did_reset-for-status-sam_stat_command_terminated.patch selftests-ftrace-add-snapshot-and-tracing_on-test-case.patch sparc-time-add-missing-__init-to-init_tick_ops.patch sparc-use-asm-generic-version-of-msi.h.patch squashfs-compute-expected-length-from-inode-size-rather-than-block-length.patch squashfs-metadata-2-electric-boogaloo.patch tools-power-turbostat-fix-s-on-up-systems.patch 
tools-power-turbostat-read-extended-processor-family-from-cpuid.patch tools-usb-ffs-test-fix-build-on-big-endian-systems.patch usb-gadget-f_uac2-fix-endianness-of-struct-cntrl_-_lay3.patch usb-gadget-f_uac2-fix-error-handling-in-afunc_bind-again.patch usb-gadget-r8a66597-fix-a-possible-sleep-in-atomic-context-bugs-in-r8a66597_queue.patch usb-gadget-r8a66597-fix-two-possible-sleep-in-atomic-context-bugs-in-init_controller.patch usb-gadget-u_audio-fix-pcm-card-naming-in-g_audio_setup.patch usb-gadget-u_audio-protect-stream-runtime-fields-with-stream-spinlock.patch usb-gadget-u_audio-remove-cached-period-bytes-value.patch usb-gadget-u_audio-remove-caching-of-stream-buffer-parameters.patch usb-gadget-u_audio-update-hw_ptr-in-iso_complete-after-data-copied.patch usb-phy-fix-ppc64-build-errors-in-phy-fsl-usb.c.patch vti6-fix-pmtu-caching-and-reporting-on-xmit.patch x86-boot-fix-if_changed-build-flip-flop-bug.patch xfrm-fix-missing-dst_release-after-policy-blocking-lbcast-and-multicast.patch xfrm-free-skb-if-nlsk-pointer-is-null.patch zswap-re-check-zswap_is_full-after-do-zswap_shrink.patch --- ...-missing-struct-nps_host_reg_aux_dpc.patch | 40 +++ ...-smp_cache_bytes-and-cache_line_size.patch | 81 +++++++ ...ld-errors-in-arc-include-asm-delay.h.patch | 52 ++++ ...data-type-errors-in-platform-headers.patch | 53 ++++ ...intk-warning-in-arc-plat-eznps-mtm.c.patch | 74 ++++++ ...-fix-type-warnings-in-arc-mm-cache.c.patch | 55 +++++ .../atl1c-reserve-min-skb-headroom.patch | 51 ++++ ...emory-access-in-rss-hash-config-path.patch | 61 +++++ ...ected-r0-0-exit-path-inside-bpf_xadd.patch | 97 ++++++++ ...tead-of-gfp_kernel-in-bpf_parse_prog.patch | 72 ++++++ ...-bug-in-backing-file-read-monitoring.patch | 118 +++++++++ ...g-ing-on-unexpected-object-collision.patch | 37 +++ ...sage-ram-to-after-clocks-are-enabled.patch | 58 +++++ ...can-check-of_iomap-return-before-use.patch | 36 +++ ...ix-case-value-for-target-abort-error.patch | 35 +++ 
...e-adv7511-reset-registers-on-hotplug.patch | 44 ++++ ...l-is-enabled-before-printing-warning.patch | 40 +++ ...x-imx-ldb-disable-ldb-on-driver-bind.patch | 40 +++ queue-4.14/drm-re-enable-error-handling.patch | 36 +++ ...t-call-enic_change_mtu-in-enic_probe.patch | 42 ++++ ...ic-handle-mtu-change-for-vf-properly.patch | 128 ++++++++++ ...-memleak-on-error-path-in-esp6_input.patch | 37 +++ ...nce-number-when-remounting-read-only.patch | 53 ++++ ...-cancelled-operations-to-be-enqueued.patch | 46 ++++ ...er-edge-events-at-least-once-on-boot.patch | 210 ++++++++++++++++ ...rk-device-to-the-pci-device-in-sysfs.patch | 31 +++ ...i2c-davinci-avoid-zero-value-of-clkh.patch | 42 ++++ ...e-annotate-the-nested-rt_mutex-usage.patch | 111 +++++++++ ...revent-queue.status-tearing-in-semop.patch | 36 +++ ...current_vmptr-when-emulating-vmptrst.patch | 59 +++++ ...ifying-a-subclass-for-nested-locking.patch | 97 ++++++++ ...-tied-to-ap_vlans-during-hw-reconfig.patch | 80 ++++++ ...-cacheflush.h-after-generic-includes.patch | 65 +++++ ...-idr-on-mem_cgroup_css_alloc-failure.patch | 76 ++++++ ...te-historical-bug-from-zap_pmd_range.patch | 55 +++++ ...c-check-return-value-of-ioremap_prot.patch | 38 +++ ...don-t-requeue-the-same-request-twice.patch | 116 +++++++++ ...nbd-handle-unexpected-replies-better.patch | 228 ++++++++++++++++++ ...xienet-fix-double-deregister-of-mdio.patch | 61 +++++ ...sing-rcu_read_unlock-in-caif_flow_cb.patch | 34 +++ ...t-isa-drivers-from-building-on-ppc32.patch | 77 ++++++ ...ow-to-rename-to-already-pending-name.patch | 107 ++++++++ ...les-fix-memory-leaks-on-chain-rename.patch | 70 ++++++ ...rcu_barrier-in-the-nft_rhash_destroy.patch | 116 +++++++++ ...wer-fix-port-metadata-conversion-bug.patch | 49 ++++ ...missing-break-in-parse_station_flags.patch | 38 +++ ...d-ibs-don-t-access-non-started-event.patch | 76 ++++++ ...existence-of-256-approximate-buckets.patch | 140 +++++++++++ ...-due-to-mismatching-eee-capabilities.patch | 49 ++++ 
...ssible-race-for-the-link-state-value.patch | 35 +++ ...mber-for-dw5821e-production-firmware.patch | 50 ++++ ...k-core-externalsync-for-pcie-erratum.patch | 83 +++++++ ...ime-after-disabling-rt_runtime_share.patch | 72 ++++++ ..._started-flags-when-receiving-a-logo.patch | 52 ++++ ...e-drop-frames-in-els-logo-error-path.patch | 56 +++++ ...use-after-free-in-fcoe_ctlr_els_send.patch | 39 +++ ...l-pointer-dereference-in-case-of-tmf.patch | 69 ++++++ ...-cxgbit-fix-max-iso-npdu-calculation.patch | 77 ++++++ ...r-status-sam_stat_command_terminated.patch | 47 ++++ ...dd-snapshot-and-tracing_on-test-case.patch | 60 +++++ queue-4.14/series | 82 +++++++ ...-add-missing-__init-to-init_tick_ops.patch | 37 +++ ...arc-use-asm-generic-version-of-msi.h.patch | 61 +++++ ...-inode-size-rather-than-block-length.patch | 179 ++++++++++++++ ...quashfs-metadata-2-electric-boogaloo.patch | 125 ++++++++++ ...-power-turbostat-fix-s-on-up-systems.patch | 32 +++ ...extended-processor-family-from-cpuid.patch | 41 ++++ ...test-fix-build-on-big-endian-systems.patch | 71 ++++++ ...ix-endianness-of-struct-cntrl_-_lay3.patch | 96 ++++++++ ...x-error-handling-in-afunc_bind-again.patch | 225 +++++++++++++++++ ...tomic-context-bugs-in-r8a66597_queue.patch | 46 ++++ ...omic-context-bugs-in-init_controller.patch | 57 +++++ ...fix-pcm-card-naming-in-g_audio_setup.patch | 49 ++++ ...-runtime-fields-with-stream-spinlock.patch | 200 +++++++++++++++ ...dio-remove-cached-period-bytes-value.patch | 114 +++++++++ ...-caching-of-stream-buffer-parameters.patch | 115 +++++++++ ...tr-in-iso_complete-after-data-copied.patch | 48 ++++ ...-ppc64-build-errors-in-phy-fsl-usb.c.patch | 71 ++++++ ...x-pmtu-caching-and-reporting-on-xmit.patch | 55 +++++ ...t-fix-if_changed-build-flip-flop-bug.patch | 83 +++++++ ...policy-blocking-lbcast-and-multicast.patch | 67 +++++ ...frm-free-skb-if-nlsk-pointer-is-null.patch | 40 +++ ...-zswap_is_full-after-do-zswap_shrink.patch | 65 +++++ 83 files changed, 6046 insertions(+) 
create mode 100644 queue-4.14/arc-add-missing-struct-nps_host_reg_aux_dpc.patch create mode 100644 queue-4.14/arc-dma-setup-smp_cache_bytes-and-cache_line_size.patch create mode 100644 queue-4.14/arc-fix-build-errors-in-arc-include-asm-delay.h.patch create mode 100644 queue-4.14/arc-fix-data-type-errors-in-platform-headers.patch create mode 100644 queue-4.14/arc-fix-printk-warning-in-arc-plat-eznps-mtm.c.patch create mode 100644 queue-4.14/arc-fix-type-warnings-in-arc-mm-cache.c.patch create mode 100644 queue-4.14/atl1c-reserve-min-skb-headroom.patch create mode 100644 queue-4.14/bnx2x-fix-invalid-memory-access-in-rss-hash-config-path.patch create mode 100644 queue-4.14/bpf-ppc64-fix-unexpected-r0-0-exit-path-inside-bpf_xadd.patch create mode 100644 queue-4.14/bpf-use-gfp_atomic-instead-of-gfp_kernel-in-bpf_parse_prog.patch create mode 100644 queue-4.14/cachefiles-fix-refcounting-bug-in-backing-file-read-monitoring.patch create mode 100644 queue-4.14/cachefiles-wait-rather-than-bug-ing-on-unexpected-object-collision.patch create mode 100644 queue-4.14/can-m_can-move-accessing-of-message-ram-to-after-clocks-are-enabled.patch create mode 100644 queue-4.14/can-mpc5xxx_can-check-of_iomap-return-before-use.patch create mode 100644 queue-4.14/drivers-net-lmc-fix-case-value-for-target-abort-error.patch create mode 100644 queue-4.14/drm-bridge-adv7511-reset-registers-on-hotplug.patch create mode 100644 queue-4.14/drm-imx-imx-ldb-check-if-channel-is-enabled-before-printing-warning.patch create mode 100644 queue-4.14/drm-imx-imx-ldb-disable-ldb-on-driver-bind.patch create mode 100644 queue-4.14/drm-re-enable-error-handling.patch create mode 100644 queue-4.14/enic-do-not-call-enic_change_mtu-in-enic_probe.patch create mode 100644 queue-4.14/enic-handle-mtu-change-for-vf-properly.patch create mode 100644 queue-4.14/esp6-fix-memleak-on-error-path-in-esp6_input.patch create mode 100644 queue-4.14/ext4-clear-mmp-sequence-number-when-remounting-read-only.patch create mode 100644 
queue-4.14/fscache-allow-cancelled-operations-to-be-enqueued.patch create mode 100644 queue-4.14/gpiolib-acpi-make-sure-we-trigger-edge-events-at-least-once-on-boot.patch create mode 100644 queue-4.14/hinic-link-the-logical-network-device-to-the-pci-device-in-sysfs.patch create mode 100644 queue-4.14/i2c-davinci-avoid-zero-value-of-clkh.patch create mode 100644 queue-4.14/i2c-mux-locking-core-annotate-the-nested-rt_mutex-usage.patch create mode 100644 queue-4.14/ipc-sem.c-prevent-queue.status-tearing-in-semop.patch create mode 100644 queue-4.14/kvm-vmx-use-local-variable-for-current_vmptr-when-emulating-vmptrst.patch create mode 100644 queue-4.14/locking-rtmutex-allow-specifying-a-subclass-for-nested-locking.patch create mode 100644 queue-4.14/mac80211-add-stations-tied-to-ap_vlans-during-hw-reconfig.patch create mode 100644 queue-4.14/media-staging-omap4iss-include-asm-cacheflush.h-after-generic-includes.patch create mode 100644 queue-4.14/memcg-remove-memcg_cgroup-id-from-idr-on-mem_cgroup_css_alloc-failure.patch create mode 100644 queue-4.14/mm-delete-historical-bug-from-zap_pmd_range.patch create mode 100644 queue-4.14/mm-memory.c-check-return-value-of-ioremap_prot.patch create mode 100644 queue-4.14/nbd-don-t-requeue-the-same-request-twice.patch create mode 100644 queue-4.14/nbd-handle-unexpected-replies-better.patch create mode 100644 queue-4.14/net-axienet-fix-double-deregister-of-mdio.patch create mode 100644 queue-4.14/net-caif-add-a-missing-rcu_read_unlock-in-caif_flow_cb.patch create mode 100644 queue-4.14/net-prevent-isa-drivers-from-building-on-ppc32.patch create mode 100644 queue-4.14/netfilter-nf_tables-don-t-allow-to-rename-to-already-pending-name.patch create mode 100644 queue-4.14/netfilter-nf_tables-fix-memory-leaks-on-chain-rename.patch create mode 100644 queue-4.14/netfilter-nft_set_hash-add-rcu_barrier-in-the-nft_rhash_destroy.patch create mode 100644 queue-4.14/nfp-flower-fix-port-metadata-conversion-bug.patch create mode 100644 
queue-4.14/nl80211-add-a-missing-break-in-parse_station_flags.patch create mode 100644 queue-4.14/perf-x86-amd-ibs-don-t-access-non-started-event.patch create mode 100644 queue-4.14/qed-correct-multicast-api-to-reflect-existence-of-256-approximate-buckets.patch create mode 100644 queue-4.14/qed-fix-link-flap-issue-due-to-mismatching-eee-capabilities.patch create mode 100644 queue-4.14/qed-fix-possible-race-for-the-link-state-value.patch create mode 100644 queue-4.14/qmi_wwan-fix-interface-number-for-dw5821e-production-firmware.patch create mode 100644 queue-4.14/revert-mips-bcm47xx-enable-74k-core-externalsync-for-pcie-erratum.patch create mode 100644 queue-4.14/sched-rt-restore-rt_runtime-after-disabling-rt_runtime_share.patch create mode 100644 queue-4.14/scsi-fcoe-clear-fc_rp_started-flags-when-receiving-a-logo.patch create mode 100644 queue-4.14/scsi-fcoe-drop-frames-in-els-logo-error-path.patch create mode 100644 queue-4.14/scsi-fcoe-fix-use-after-free-in-fcoe_ctlr_els_send.patch create mode 100644 queue-4.14/scsi-libiscsi-fix-possible-null-pointer-dereference-in-case-of-tmf.patch create mode 100644 queue-4.14/scsi-target-iscsi-cxgbit-fix-max-iso-npdu-calculation.patch create mode 100644 queue-4.14/scsi-vmw_pvscsi-return-did_reset-for-status-sam_stat_command_terminated.patch create mode 100644 queue-4.14/selftests-ftrace-add-snapshot-and-tracing_on-test-case.patch create mode 100644 queue-4.14/sparc-time-add-missing-__init-to-init_tick_ops.patch create mode 100644 queue-4.14/sparc-use-asm-generic-version-of-msi.h.patch create mode 100644 queue-4.14/squashfs-compute-expected-length-from-inode-size-rather-than-block-length.patch create mode 100644 queue-4.14/squashfs-metadata-2-electric-boogaloo.patch create mode 100644 queue-4.14/tools-power-turbostat-fix-s-on-up-systems.patch create mode 100644 queue-4.14/tools-power-turbostat-read-extended-processor-family-from-cpuid.patch create mode 100644 queue-4.14/tools-usb-ffs-test-fix-build-on-big-endian-systems.patch 
create mode 100644 queue-4.14/usb-gadget-f_uac2-fix-endianness-of-struct-cntrl_-_lay3.patch
create mode 100644 queue-4.14/usb-gadget-f_uac2-fix-error-handling-in-afunc_bind-again.patch
create mode 100644 queue-4.14/usb-gadget-r8a66597-fix-a-possible-sleep-in-atomic-context-bugs-in-r8a66597_queue.patch
create mode 100644 queue-4.14/usb-gadget-r8a66597-fix-two-possible-sleep-in-atomic-context-bugs-in-init_controller.patch
create mode 100644 queue-4.14/usb-gadget-u_audio-fix-pcm-card-naming-in-g_audio_setup.patch
create mode 100644 queue-4.14/usb-gadget-u_audio-protect-stream-runtime-fields-with-stream-spinlock.patch
create mode 100644 queue-4.14/usb-gadget-u_audio-remove-cached-period-bytes-value.patch
create mode 100644 queue-4.14/usb-gadget-u_audio-remove-caching-of-stream-buffer-parameters.patch
create mode 100644 queue-4.14/usb-gadget-u_audio-update-hw_ptr-in-iso_complete-after-data-copied.patch
create mode 100644 queue-4.14/usb-phy-fix-ppc64-build-errors-in-phy-fsl-usb.c.patch
create mode 100644 queue-4.14/vti6-fix-pmtu-caching-and-reporting-on-xmit.patch
create mode 100644 queue-4.14/x86-boot-fix-if_changed-build-flip-flop-bug.patch
create mode 100644 queue-4.14/xfrm-fix-missing-dst_release-after-policy-blocking-lbcast-and-multicast.patch
create mode 100644 queue-4.14/xfrm-free-skb-if-nlsk-pointer-is-null.patch
create mode 100644 queue-4.14/zswap-re-check-zswap_is_full-after-do-zswap_shrink.patch
diff --git a/queue-4.14/arc-add-missing-struct-nps_host_reg_aux_dpc.patch b/queue-4.14/arc-add-missing-struct-nps_host_reg_aux_dpc.patch
new file mode 100644
index 00000000000..1ebb10349d0
--- /dev/null
+++ b/queue-4.14/arc-add-missing-struct-nps_host_reg_aux_dpc.patch
@@ -0,0 +1,40 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Ofer Levi
+Date: Sat, 28 Jul 2018 10:54:41 +0300
+Subject: ARC: [plat-eznps] Add missing struct nps_host_reg_aux_dpc
+
+From: Ofer Levi
+
+[ Upstream commit 05b466bf846d2e8d2f0baf8dfd81a42cc933e237 ]
+
+Fixing compilation issue caused by missing struct nps_host_reg_aux_dpc
+definition.
+
+Fixes: 3f9cd874dcc87 ("ARC: [plat-eznps] avoid toggling of DPC register")
+Reported-by: Randy Dunlap
+Signed-off-by: Ofer Levi
+Signed-off-by: Vineet Gupta
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arc/plat-eznps/include/plat/ctop.h | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/arch/arc/plat-eznps/include/plat/ctop.h
++++ b/arch/arc/plat-eznps/include/plat/ctop.h
+@@ -143,6 +143,15 @@ struct nps_host_reg_gim_p_int_dst {
+ };
+
+ /* AUX registers definition */
++struct nps_host_reg_aux_dpc {
++ union {
++ struct {
++ u32 ien:1, men:1, hen:1, reserved:29;
++ };
++ u32 value;
++ };
++};
++
+ struct nps_host_reg_aux_udmc {
+ union {
+ struct {
diff --git a/queue-4.14/arc-dma-setup-smp_cache_bytes-and-cache_line_size.patch b/queue-4.14/arc-dma-setup-smp_cache_bytes-and-cache_line_size.patch
new file mode 100644
index 00000000000..6663bf50417
--- /dev/null
+++ b/queue-4.14/arc-dma-setup-smp_cache_bytes-and-cache_line_size.patch
@@ -0,0 +1,81 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Eugeniy Paltsev
+Date: Thu, 26 Jul 2018 16:15:43 +0300
+Subject: ARC: dma [non-IOC] setup SMP_CACHE_BYTES and cache_line_size
+
+From: Eugeniy Paltsev
+
+[ Upstream commit eb2777397fd83a4a7eaa26984d09d3babb845d2a ]
+
+As for today we don't setup SMP_CACHE_BYTES and cache_line_size for
+ARC, so they are set to L1_CACHE_BYTES by default. L1 line length
+(L1_CACHE_BYTES) might be easily smaller than L2 line (which is
+usually the case BTW). This breaks code.
+
+For example this breaks ethernet infrastructure on HSDK/AXS103 boards
+with IOC disabled, involving manual cache flushes
+Functions which alloc and manage sk_buff packet data area rely on
+SMP_CACHE_BYTES define. In the result we can share last L2 cache
+line in sk_buff linear packet data area between DMA buffer and
+some useful data in other structure. So we can lose this data when
+we invalidate DMA buffer.
+
+ sk_buff linear packet data area
+ |
+ |
+ | skb->end skb->tail
+ V | |
+ V V
+----------------------------------------------.
+ packet data | |
+----------------------------------------------.
+
+---------------------.--------------------------------------------------.
+ SLC line | SLC (L2 cache) line (128B) |
+---------------------.--------------------------------------------------.
+ ^ ^
+ | |
+ These cache lines will be invalidated when we invalidate skb
+ linear packet data area before DMA transaction starting.
+
+This leads to issues painful to debug as it reproduces only if
+(sk_buff->end - sk_buff->tail) < SLC_LINE_SIZE and
+if we have some useful data right after sk_buff->end.
+
+Fix that by hardcode SMP_CACHE_BYTES to max line length we may have.
+
+Signed-off-by: Eugeniy Paltsev
+Signed-off-by: Vineet Gupta
+
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arc/Kconfig | 3 +++
+ arch/arc/include/asm/cache.h | 4 +++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+--- a/arch/arc/Kconfig
++++ b/arch/arc/Kconfig
+@@ -45,6 +45,9 @@ config ARC
+ select HAVE_KERNEL_GZIP
+ select HAVE_KERNEL_LZMA
+
++config ARCH_HAS_CACHE_LINE_SIZE
++ def_bool y
++
+ config MIGHT_HAVE_PCI
+ bool
+
+--- a/arch/arc/include/asm/cache.h
++++ b/arch/arc/include/asm/cache.h
+@@ -48,7 +48,9 @@
+ })
+
+ /* Largest line length for either L1 or L2 is 128 bytes */
+-#define ARCH_DMA_MINALIGN 128
++#define SMP_CACHE_BYTES 128
++#define cache_line_size() SMP_CACHE_BYTES
++#define ARCH_DMA_MINALIGN SMP_CACHE_BYTES
+
+ extern void arc_cache_init(void);
+ extern char *arc_cache_mumbojumbo(int cpu_id, char *buf, int len);
diff --git a/queue-4.14/arc-fix-build-errors-in-arc-include-asm-delay.h.patch b/queue-4.14/arc-fix-build-errors-in-arc-include-asm-delay.h.patch
new file mode 100644
index 00000000000..86865c38ca7
--- /dev/null
+++ b/queue-4.14/arc-fix-build-errors-in-arc-include-asm-delay.h.patch
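Review bot: The new `#define SMP_CACHE_BYTES 128` in arch/arc/include/asm/cache.h is backed only by the comment above it, so nothing in this hunk fails the build or the boot if a core reports an L1 or L2 line longer than 128 bytes. The message describes silent data loss when a DMA buffer shares a cache line with unrelated data, so comparing the probed line lengths with SMP_CACHE_BYTES during cache init would turn a future mismatch into a visible error; whether arc_cache_init() already does this cannot be seen from here. At minimum the comment could state the dependency, e.g. `/* SMP_CACHE_BYTES must be >= the largest L1/L2 line; DMA invalidate relies on it */`.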
@@ -0,0 +1,52 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Randy Dunlap
+Date: Thu, 26 Jul 2018 20:16:35 -0700
+Subject: arc: fix build errors in arc/include/asm/delay.h
+
+From: Randy Dunlap
+
+[ Upstream commit 2423665ec53f2a29191b35382075e9834288a975 ]
+
+Fix build errors in arch/arc/'s delay.h:
+- add "extern unsigned long loops_per_jiffy;"
+- add for "u64"
+
+In file included from ../drivers/infiniband/hw/cxgb3/cxio_hal.c:32:
+../arch/arc/include/asm/delay.h: In function '__udelay':
+../arch/arc/include/asm/delay.h:61:12: error: 'u64' undeclared (first use in this function)
+ loops = ((u64) usecs * 4295 * HZ * loops_per_jiffy) >> 32;
+ ^~~
+
+In file included from ../drivers/infiniband/hw/cxgb3/cxio_hal.c:32:
+../arch/arc/include/asm/delay.h: In function '__udelay':
+../arch/arc/include/asm/delay.h:63:37: error: 'loops_per_jiffy' undeclared (first use in this function)
+ loops = ((u64) usecs * 4295 * HZ * loops_per_jiffy) >> 32;
+ ^~~~~~~~~~~~~~~
+
+Signed-off-by: Randy Dunlap
+Cc: Vineet Gupta
+Cc: linux-snps-arc@lists.infradead.org
+Cc: Elad Kanfi
+Cc: Leon Romanovsky
+Cc: Ofer Levi
+Signed-off-by: Vineet Gupta
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arc/include/asm/delay.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/arc/include/asm/delay.h
++++ b/arch/arc/include/asm/delay.h
+@@ -17,8 +17,11 @@
+ #ifndef __ASM_ARC_UDELAY_H
+ #define __ASM_ARC_UDELAY_H
+
++#include
+ #include /* HZ */
+
++extern unsigned long loops_per_jiffy;
++
+ static inline void __delay(unsigned long loops)
+ {
+ __asm__ __volatile__(
diff --git a/queue-4.14/arc-fix-data-type-errors-in-platform-headers.patch b/queue-4.14/arc-fix-data-type-errors-in-platform-headers.patch
new file mode 100644
index 00000000000..91d21a43c6c
--- /dev/null
+++ b/queue-4.14/arc-fix-data-type-errors-in-platform-headers.patch
@@ -0,0 +1,53 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Randy Dunlap
+Date: Sun, 29 Jul 2018 11:10:51 -0700
+Subject: arc: [plat-eznps] fix data type errors in platform headers
+
+From: Randy Dunlap
+
+[ Upstream commit b1f32ce1c3d2c11959b7e6a2c58dc5197c581966 ]
+
+Add to fix build errors.
+Both ctop.h and use u32 types and cause many
+errors.
+
+Examples:
+../include/soc/nps/common.h:71:4: error: unknown type name 'u32'
+ u32 __reserved:20, cluster:4, core:4, thread:4;
+../include/soc/nps/common.h:76:3: error: unknown type name 'u32'
+ u32 value;
+../include/soc/nps/common.h:124:4: error: unknown type name 'u32'
+ u32 base:8, cl_x:4, cl_y:4,
+../include/soc/nps/common.h:127:3: error: unknown type name 'u32'
+ u32 value;
+
+../arch/arc/plat-eznps/include/plat/ctop.h:83:4: error: unknown type name 'u32'
+ u32 gen:1, gdis:1, clk_gate_dis:1, asb:1,
+../arch/arc/plat-eznps/include/plat/ctop.h:86:3: error: unknown type name 'u32'
+ u32 value;
+../arch/arc/plat-eznps/include/plat/ctop.h:93:4: error: unknown type name 'u32'
+ u32 csa:22, dmsid:6, __reserved:3, cs:1;
+../arch/arc/plat-eznps/include/plat/ctop.h:95:3: error: unknown type name 'u32'
+ u32 value;
+
+Cc: linux-snps-arc@lists.infradead.org
+Cc: Ofer Levi
+Reviewed-by: Leon Romanovsky
+Signed-off-by: Randy Dunlap
+Signed-off-by: Vineet Gupta
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arc/plat-eznps/include/plat/ctop.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arc/plat-eznps/include/plat/ctop.h
++++ b/arch/arc/plat-eznps/include/plat/ctop.h
+@@ -21,6 +21,7 @@
+ #error "Incorrect ctop.h include"
+ #endif
+
++#include
+ #include
+
+ /* core auxiliary registers */
diff --git a/queue-4.14/arc-fix-printk-warning-in-arc-plat-eznps-mtm.c.patch b/queue-4.14/arc-fix-printk-warning-in-arc-plat-eznps-mtm.c.patch
new file mode 100644
index 00000000000..6f44e418c18
--- /dev/null
+++ b/queue-4.14/arc-fix-printk-warning-in-arc-plat-eznps-mtm.c.patch
@@ -0,0 +1,74 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Randy Dunlap
+Date: Thu, 26 Jul 2018 20:16:35 -0700
+Subject: arc: [plat-eznps] fix printk warning in arc/plat-eznps/mtm.c
+
+From: Randy Dunlap
+
+[ Upstream commit 9e2ea405543d9ddfe05b351f1679e53bd9c11f80 ]
+
+Fix printk format warning in arch/arc/plat-eznps/mtm.c:
+
+In file included from ../include/linux/printk.h:7,
+ from ../include/linux/kernel.h:14,
+ from ../include/linux/list.h:9,
+ from ../include/linux/smp.h:12,
+ from ../arch/arc/plat-eznps/mtm.c:17:
+../arch/arc/plat-eznps/mtm.c: In function 'set_mtm_hs_ctr':
+../include/linux/kern_levels.h:5:18: warning: format '%d' expects argument of type 'int', but argument 2 has type 'long int' [-Wformat=]
+ #define KERN_SOH "\001" /* ASCII Start Of Header */
+ ^~~~~~
+../include/linux/kern_levels.h:11:18: note: in expansion of macro 'KERN_SOH'
+ #define KERN_ERR KERN_SOH "3" /* error conditions */
+ ^~~~~~~~
+../include/linux/printk.h:308:9: note: in expansion of macro 'KERN_ERR'
+ printk(KERN_ERR pr_fmt(fmt), ##__VA_ARGS__)
+ ^~~~~~~~
+../arch/arc/plat-eznps/mtm.c:166:3: note: in expansion of macro 'pr_err'
+ pr_err("** Invalid @nps_mtm_hs_ctr [%d] needs to be [%d:%d] (incl)\n",
+ ^~~~~~
+../arch/arc/plat-eznps/mtm.c:166:40: note: format string is defined here
+ pr_err("** Invalid @nps_mtm_hs_ctr [%d] needs to be [%d:%d] (incl)\n",
+ ~^
+ %ld
+The hs_ctr variable can just be int instead of long, so also change
+kstrtol() to kstrtoint() and leave the format string as %d.
+
+Also add 2 header files since they are used in mtm.c and we prefer
+not to depend on accidental/indirect #includes.
+
+Cc: linux-snps-arc@lists.infradead.org
+Cc: Ofer Levi
+Reviewed-by: Leon Romanovsky
+Signed-off-by: Randy Dunlap
+Signed-off-by: Vineet Gupta
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arc/plat-eznps/mtm.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/arc/plat-eznps/mtm.c
++++ b/arch/arc/plat-eznps/mtm.c
+@@ -15,6 +15,8 @@
+ */
+
+ #include
++#include
++#include
+ #include
+ #include
+ #include
+@@ -157,10 +159,10 @@ void mtm_enable_core(unsigned int cpu)
+ /* Verify and set the value of the mtm hs counter */
+ static int __init set_mtm_hs_ctr(char *ctr_str)
+ {
+- long hs_ctr;
++ int hs_ctr;
+ int ret;
+
+- ret = kstrtol(ctr_str, 0, &hs_ctr);
++ ret = kstrtoint(ctr_str, 0, &hs_ctr);
+
+ if (ret || hs_ctr > MT_HS_CNT_MAX || hs_ctr < MT_HS_CNT_MIN) {
+ pr_err("** Invalid @nps_mtm_hs_ctr [%d] needs to be [%d:%d] (incl)\n",
diff --git a/queue-4.14/arc-fix-type-warnings-in-arc-mm-cache.c.patch b/queue-4.14/arc-fix-type-warnings-in-arc-mm-cache.c.patch
new file mode 100644
index 00000000000..7577b854983
--- /dev/null
+++ b/queue-4.14/arc-fix-type-warnings-in-arc-mm-cache.c.patch
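Review bot: In set_mtm_hs_ctr() the new `int hs_ctr;` is still uninitialised when `kstrtoint()` returns an error, yet the `if (ret || …)` branch goes on to format a value with `%d` in `pr_err()`. The kstrto* helpers do not store a result on failure, and the compiler warning quoted in the message suggests hs_ctr is the first format argument, so a malformed boot parameter would log an indeterminate stack value; the argument list itself lies past the end of the hunk. Initialising the variable, `int hs_ctr = 0;`, or printing `ctr_str` on the parse-failure path would avoid that.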
@@ -0,0 +1,55 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Randy Dunlap
+Date: Thu, 26 Jul 2018 20:16:35 -0700
+Subject: arc: fix type warnings in arc/mm/cache.c
+
+From: Randy Dunlap
+
+[ Upstream commit ec837d620c750c0d4996a907c8c4f7febe1bbeee ]
+
+Fix type warnings in arch/arc/mm/cache.c.
+
+../arch/arc/mm/cache.c: In function 'flush_anon_page':
+../arch/arc/mm/cache.c:1062:55: warning: passing argument 2 of '__flush_dcache_page' makes integer from pointer without a cast [-Wint-conversion]
+ __flush_dcache_page((phys_addr_t)page_address(page), page_address(page));
+ ^~~~~~~~~~~~~~~~~~
+../arch/arc/mm/cache.c:1013:59: note: expected 'long unsigned int' but argument is of type 'void *'
+ void __flush_dcache_page(phys_addr_t paddr, unsigned long vaddr)
+ ~~~~~~~~~~~~~~^~~~~
+
+Signed-off-by: Randy Dunlap
+Cc: Vineet Gupta
+Cc: linux-snps-arc@lists.infradead.org
+Cc: Elad Kanfi
+Cc: Leon Romanovsky
+Cc: Ofer Levi
+Signed-off-by: Vineet Gupta
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arc/mm/cache.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/arch/arc/mm/cache.c
++++ b/arch/arc/mm/cache.c
+@@ -1035,7 +1035,7 @@ void flush_cache_mm(struct mm_struct *mm
+ void flush_cache_page(struct vm_area_struct *vma, unsigned long u_vaddr,
+ unsigned long pfn)
+ {
+- unsigned int paddr = pfn << PAGE_SHIFT;
++ phys_addr_t paddr = pfn << PAGE_SHIFT;
+
+ u_vaddr &= PAGE_MASK;
+
+@@ -1055,8 +1055,9 @@ void flush_anon_page(struct vm_area_stru
+ unsigned long u_vaddr)
+ {
+ /* TBD: do we really need to clear the kernel mapping */
+- __flush_dcache_page(page_address(page), u_vaddr);
+- __flush_dcache_page(page_address(page), page_address(page));
++ __flush_dcache_page((phys_addr_t)page_address(page), u_vaddr);
++ __flush_dcache_page((phys_addr_t)page_address(page),
++ (phys_addr_t)page_address(page));
+
+ }
+
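Review bot: In flush_cache_page() the new `phys_addr_t paddr = pfn << PAGE_SHIFT;` still performs the shift in `unsigned long`, so if phys_addr_t is wider than unsigned long on some configuration the high bits are lost before the assignment; `phys_addr_t paddr = (phys_addr_t)pfn << PAGE_SHIFT;` widens first. In flush_anon_page() the second argument is cast to `phys_addr_t`, although the prototype quoted in the message declares it as `unsigned long vaddr`, so `(unsigned long)page_address(page)` would match the parameter. Casting a pointer straight to phys_addr_t would also warn wherever the two differ in size; going through `unsigned long` first avoids that. The signature of flush_anon_page() begins outside the hunk.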
diff --git a/queue-4.14/atl1c-reserve-min-skb-headroom.patch b/queue-4.14/atl1c-reserve-min-skb-headroom.patch
new file mode 100644
index 00000000000..7c7df067a93
--- /dev/null
+++ b/queue-4.14/atl1c-reserve-min-skb-headroom.patch
@@ -0,0 +1,51 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Florian Westphal
+Date: Fri, 20 Jul 2018 19:30:57 +0200
+Subject: atl1c: reserve min skb headroom
+
+From: Florian Westphal
+
+[ Upstream commit 6e56830776828d8ca9897fc4429eeab47c3bb432 ]
+
+Got crash report with following backtrace:
+BUG: unable to handle kernel paging request at ffff8801869daffe
+RIP: 0010:[] [] ip6_finish_output2+0x394/0x4c0
+RSP: 0018:ffff880186c83a98 EFLAGS: 00010283
+RAX: ffff8801869db00e ...
+ [] ip6_finish_output+0x8c/0xf0
+ [] ip6_output+0x57/0x100
+ [] ip6_forward+0x4b9/0x840
+ [] ip6_rcv_finish+0x66/0xc0
+ [] ipv6_rcv+0x319/0x530
+ [] netif_receive_skb+0x1c/0x70
+ [] atl1c_clean+0x1ec/0x310 [atl1c]
+ ...
+
+The bad access is in neigh_hh_output(), at skb->data - 16 (HH_DATA_MOD).
+atl1c driver provided skb with no headroom, so 14 bytes (ethernet
+header) got pulled, but then 16 are copied.
+
+Reserve NET_SKB_PAD bytes headroom, like netdev_alloc_skb().
+
+Compile tested only; I lack hardware.
+
+Fixes: 7b7017642199 ("atl1c: Fix misuse of netdev_alloc_skb in refilling rx ring")
+Signed-off-by: Florian Westphal
+Reviewed-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/atheros/atl1c/atl1c_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
++++ b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
+@@ -1685,6 +1685,7 @@ static struct sk_buff *atl1c_alloc_skb(s
+ skb = build_skb(page_address(page) + adapter->rx_page_offset,
+ adapter->rx_frag_size);
+ if (likely(skb)) {
++ skb_reserve(skb, NET_SKB_PAD);
+ adapter->rx_page_offset += adapter->rx_frag_size;
+ if (adapter->rx_page_offset >= PAGE_SIZE)
+ adapter->rx_page = NULL;
diff --git a/queue-4.14/bnx2x-fix-invalid-memory-access-in-rss-hash-config-path.patch b/queue-4.14/bnx2x-fix-invalid-memory-access-in-rss-hash-config-path.patch
new file mode 100644
index 00000000000..db019951d3a
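Review bot: The added `skb_reserve(skb, NET_SKB_PAD)` in atl1c_alloc_skb() takes NET_SKB_PAD bytes of tailroom out of a buffer built with `adapter->rx_frag_size`, and the hunk does not show whether that size, or the address later handed to the NIC for DMA, was computed with the pad included. If rx_frag_size was sized for the frame alone, a maximum-length receive could now run past the usable data area, so the sizing code outside this hunk needs to be checked against this change; the description itself says the fix was compile tested only. A comment at the call such as `/* headroom for neigh_hh_output(); rx_frag_size must include NET_SKB_PAD */` would record the dependency.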
--- /dev/null
+++ b/queue-4.14/bnx2x-fix-invalid-memory-access-in-rss-hash-config-path.patch
@@ -0,0 +1,61 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Sudarsana Reddy Kalluru
+Date: Tue, 24 Jul 2018 02:43:52 -0700
+Subject: bnx2x: Fix invalid memory access in rss hash config path.
+
+From: Sudarsana Reddy Kalluru
+
+[ Upstream commit ae2dcb28c24794a87e424a726a1cf1a61980f52d ]
+
+Rx hash/filter table configuration uses rss_conf_obj to configure filters
+in the hardware. This object is initialized only when the interface is
+brought up.
+This patch adds driver changes to configure rss params only when the device
+is in opened state. In port disabled case, the config will be cached in the
+driver structure which will be applied in the successive load path.
+
+Please consider applying it to 'net' branch.
+
+Signed-off-by: Sudarsana Reddy Kalluru
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c
+@@ -3387,14 +3387,18 @@ static int bnx2x_set_rss_flags(struct bn
+ DP(BNX2X_MSG_ETHTOOL,
+ "rss re-configured, UDP 4-tupple %s\n",
+ udp_rss_requested ? "enabled" : "disabled");
+- return bnx2x_rss(bp, &bp->rss_conf_obj, false, true);
++ if (bp->state == BNX2X_STATE_OPEN)
++ return bnx2x_rss(bp, &bp->rss_conf_obj, false,
++ true);
+ } else if ((info->flow_type == UDP_V6_FLOW) &&
+ (bp->rss_conf_obj.udp_rss_v6 != udp_rss_requested)) {
+ bp->rss_conf_obj.udp_rss_v6 = udp_rss_requested;
+ DP(BNX2X_MSG_ETHTOOL,
+ "rss re-configured, UDP 4-tupple %s\n",
+ udp_rss_requested ? "enabled" : "disabled");
+- return bnx2x_rss(bp, &bp->rss_conf_obj, false, true);
++ if (bp->state == BNX2X_STATE_OPEN)
++ return bnx2x_rss(bp, &bp->rss_conf_obj, false,
++ true);
+ }
+ return 0;
+
+@@ -3508,7 +3512,10 @@ static int bnx2x_set_rxfh(struct net_dev
+ bp->rss_conf_obj.ind_table[i] = indir[i] + bp->fp->cl_id;
+ }
+
+- return bnx2x_config_rss_eth(bp, false);
++ if (bp->state == BNX2X_STATE_OPEN)
++ return bnx2x_config_rss_eth(bp, false);
++
++ return 0;
+ }
+
+ /**
diff --git a/queue-4.14/bpf-ppc64-fix-unexpected-r0-0-exit-path-inside-bpf_xadd.patch b/queue-4.14/bpf-ppc64-fix-unexpected-r0-0-exit-path-inside-bpf_xadd.patch
new file mode 100644
index 00000000000..70410cb415e
--- /dev/null
+++ b/queue-4.14/bpf-ppc64-fix-unexpected-r0-0-exit-path-inside-bpf_xadd.patch
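Review bot: In bnx2x_set_rss_flags() and bnx2x_set_rxfh() the new `bp->state == BNX2X_STATE_OPEN` test is a check-then-use on driver state, and nothing in these hunks shows what keeps the state from changing between the test and the bnx2x_rss() / bnx2x_config_rss_eth() call; presumably the ethtool path and load/unload are serialized by RTNL, which is worth stating in a comment. When the device is not open both functions now return 0 after only updating `bp->rss_conf_obj`, so a line such as `/* not open: config is cached and applied by the next load */` would mark the silent success as intentional. The unbraced `if` whose `return` wraps over two lines is also easy to misread, and braces would help. Both function bodies start outside the hunks.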
@@ -0,0 +1,97 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Daniel Borkmann
+Date: Thu, 19 Jul 2018 18:18:35 +0200
+Subject: bpf, ppc64: fix unexpected r0=0 exit path inside bpf_xadd
+
+From: Daniel Borkmann
+
+[ Upstream commit b9c1e60e7bf4e64ac1b4f4d6d593f0bb57886973 ]
+
+None of the JITs is allowed to implement exit paths from the BPF
+insn mappings other than BPF_JMP | BPF_EXIT. In the BPF core code
+we have a couple of rewrites in eBPF (e.g. LD_ABS / LD_IND) and
+in eBPF to cBPF translation to retain old existing behavior where
+exceptions may occur; they are also tightly controlled by the
+verifier where it disallows some of the features such as BPF to
+BPF calls when legacy LD_ABS / LD_IND ops are present in the BPF
+program. During recent review of all BPF_XADD JIT implementations
+I noticed that the ppc64 one is buggy in that it contains two
+jumps to exit paths. This is problematic as this can bypass verifier
+expectations e.g. pointed out in commit f6b1b3bf0d5f ("bpf: fix
+subprog verifier bypass by div/mod by 0 exception"). The first
+exit path is obsoleted by the fix in ca36960211eb ("bpf: allow xadd
+only on aligned memory") anyway, and for the second one we need to
+do a fetch, add and store loop if the reservation from lwarx/ldarx
+was lost in the meantime.
+
+Fixes: 156d0e290e96 ("powerpc/ebpf/jit: Implement JIT compiler for extended BPF")
+Reviewed-by: Naveen N. Rao
+Reviewed-by: Sandipan Das
+Tested-by: Sandipan Das
+Signed-off-by: Daniel Borkmann
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/net/bpf_jit_comp64.c | 29 +++++------------------------
+ 1 file changed, 5 insertions(+), 24 deletions(-)
+
+--- a/arch/powerpc/net/bpf_jit_comp64.c
++++ b/arch/powerpc/net/bpf_jit_comp64.c
+@@ -322,6 +322,7 @@ static int bpf_jit_build_body(struct bpf
+ u64 imm64;
+ u8 *func;
+ u32 true_cond;
++ u32 tmp_idx;
+
+ /*
+ * addrs[] maps a BPF bytecode address into a real offset from
+@@ -681,11 +682,7 @@ emit_clear:
+ case BPF_STX | BPF_XADD | BPF_W:
+ /* Get EA into TMP_REG_1 */
+ PPC_ADDI(b2p[TMP_REG_1], dst_reg, off);
+- /* error if EA is not word-aligned */
+- PPC_ANDI(b2p[TMP_REG_2], b2p[TMP_REG_1], 0x03);
+- PPC_BCC_SHORT(COND_EQ, (ctx->idx * 4) + 12);
+- PPC_LI(b2p[BPF_REG_0], 0);
+- PPC_JMP(exit_addr);
++ tmp_idx = ctx->idx * 4;
+ /* load value from memory into TMP_REG_2 */
+ PPC_BPF_LWARX(b2p[TMP_REG_2], 0, b2p[TMP_REG_1], 0);
+ /* add value from src_reg into this */
+@@ -693,32 +690,16 @@ emit_clear:
+ /* store result back */
+ PPC_BPF_STWCX(b2p[TMP_REG_2], 0, b2p[TMP_REG_1]);
+ /* we're done if this succeeded */
+- PPC_BCC_SHORT(COND_EQ, (ctx->idx * 4) + (7*4));
+- /* otherwise, let's try once more */
+- PPC_BPF_LWARX(b2p[TMP_REG_2], 0, b2p[TMP_REG_1], 0);
+- PPC_ADD(b2p[TMP_REG_2], b2p[TMP_REG_2], src_reg);
+- PPC_BPF_STWCX(b2p[TMP_REG_2], 0, b2p[TMP_REG_1]);
+- /* exit if the store was not successful */
+- PPC_LI(b2p[BPF_REG_0], 0);
+- PPC_BCC(COND_NE, exit_addr);
++ PPC_BCC_SHORT(COND_NE, tmp_idx);
+ break;
+ /* *(u64 *)(dst + off) += src */
+ case BPF_STX | BPF_XADD | BPF_DW:
+ PPC_ADDI(b2p[TMP_REG_1], dst_reg, off);
+- /* error if EA is not doubleword-aligned */
+- PPC_ANDI(b2p[TMP_REG_2], b2p[TMP_REG_1], 0x07);
+- PPC_BCC_SHORT(COND_EQ, (ctx->idx * 4) + (3*4));
+- PPC_LI(b2p[BPF_REG_0], 0);
+- PPC_JMP(exit_addr);
+- PPC_BPF_LDARX(b2p[TMP_REG_2], 0, b2p[TMP_REG_1], 0);
+- PPC_ADD(b2p[TMP_REG_2], b2p[TMP_REG_2], src_reg);
+- PPC_BPF_STDCX(b2p[TMP_REG_2], 0, b2p[TMP_REG_1]);
+- PPC_BCC_SHORT(COND_EQ, (ctx->idx * 4) + (7*4));
++ tmp_idx = ctx->idx * 4;
+ PPC_BPF_LDARX(b2p[TMP_REG_2], 0, b2p[TMP_REG_1], 0);
+ PPC_ADD(b2p[TMP_REG_2], b2p[TMP_REG_2], src_reg);
+ PPC_BPF_STDCX(b2p[TMP_REG_2], 0, b2p[TMP_REG_1]);
+- PPC_LI(b2p[BPF_REG_0], 0);
+- PPC_BCC(COND_NE, exit_addr);
++ PPC_BCC_SHORT(COND_NE, tmp_idx);
+ break;
+
+ /*
diff --git a/queue-4.14/bpf-use-gfp_atomic-instead-of-gfp_kernel-in-bpf_parse_prog.patch b/queue-4.14/bpf-use-gfp_atomic-instead-of-gfp_kernel-in-bpf_parse_prog.patch
new file mode 100644
index 00000000000..4be2b423cee
--- /dev/null
+++ b/queue-4.14/bpf-use-gfp_atomic-instead-of-gfp_kernel-in-bpf_parse_prog.patch
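Review bot: Dropping the run-time alignment test in both BPF_XADD cases of bpf_jit_build_body() is only safe on a tree where the verifier already rejects unaligned xadd; the description attributes that to ca36960211eb, and nothing on this page shows that commit is present in 4.14, so the prerequisite should be confirmed before this is queued. Separately, `tmp_idx` holds `ctx->idx * 4` and is used as the branch target of the retry, so it appears to be an offset into the emitted code rather than an index; a name like `retry_off`, or a comment `/* offset of the lwarx/ldarx to retry from */`, would make the loop easier to follow. The function extends beyond all three hunks.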
@@ -0,0 +1,72 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Taehee Yoo
+Date: Sun, 29 Jul 2018 00:28:31 +0900
+Subject: bpf: use GFP_ATOMIC instead of GFP_KERNEL in bpf_parse_prog()
+
+From: Taehee Yoo
+
+[ Upstream commit 71eb5255f55bdb484d35ff7c9a1803f453dfbf82 ]
+
+bpf_parse_prog() is protected by rcu_read_lock().
+so that GFP_KERNEL is not allowed in the bpf_parse_prog().
+
+[51015.579396] =============================
+[51015.579418] WARNING: suspicious RCU usage
+[51015.579444] 4.18.0-rc6+ #208 Not tainted
+[51015.579464] -----------------------------
+[51015.579488] ./include/linux/rcupdate.h:303 Illegal context switch in RCU read-side critical section!
+[51015.579510] other info that might help us debug this:
+[51015.579532] rcu_scheduler_active = 2, debug_locks = 1
+[51015.579556] 2 locks held by ip/1861:
+[51015.579577] #0: 00000000a8c12fd1 (rtnl_mutex){+.+.}, at: rtnetlink_rcv_msg+0x2e0/0x910
+[51015.579711] #1: 00000000bf815f8e (rcu_read_lock){....}, at: lwtunnel_build_state+0x96/0x390
+[51015.579842] stack backtrace:
+[51015.579869] CPU: 0 PID: 1861 Comm: ip Not tainted 4.18.0-rc6+ #208
+[51015.579891] Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 07/08/2015
+[51015.579911] Call Trace:
+[51015.579950] dump_stack+0x74/0xbb
+[51015.580000] ___might_sleep+0x16b/0x3a0
+[51015.580047] __kmalloc_track_caller+0x220/0x380
+[51015.580077] kmemdup+0x1c/0x40
+[51015.580077] bpf_parse_prog+0x10e/0x230
+[51015.580164] ? kasan_kmalloc+0xa0/0xd0
+[51015.580164] ? bpf_destroy_state+0x30/0x30
+[51015.580164] ? bpf_build_state+0xe2/0x3e0
+[51015.580164] bpf_build_state+0x1bb/0x3e0
+[51015.580164] ? bpf_parse_prog+0x230/0x230
+[51015.580164] ? lock_is_held_type+0x123/0x1a0
+[51015.580164] lwtunnel_build_state+0x1aa/0x390
+[51015.580164] fib_create_info+0x1579/0x33d0
+[51015.580164] ? sched_clock_local+0xe2/0x150
+[51015.580164] ? fib_info_update_nh_saddr+0x1f0/0x1f0
+[51015.580164] ? sched_clock_local+0xe2/0x150
+[51015.580164] fib_table_insert+0x201/0x1990
+[51015.580164] ? lock_downgrade+0x610/0x610
+[51015.580164] ? fib_table_lookup+0x1920/0x1920
+[51015.580164] ? lwtunnel_valid_encap_type.part.6+0xcb/0x3a0
+[51015.580164] ? rtm_to_fib_config+0x637/0xbd0
+[51015.580164] inet_rtm_newroute+0xed/0x1b0
+[51015.580164] ? rtm_to_fib_config+0xbd0/0xbd0
+[51015.580164] rtnetlink_rcv_msg+0x331/0x910
+[ ... ]
+
+Fixes: 3a0af8fd61f9 ("bpf: BPF for lightweight tunnel infrastructure")
+Signed-off-by: Taehee Yoo
+Signed-off-by: Daniel Borkmann
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/lwt_bpf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/lwt_bpf.c
++++ b/net/core/lwt_bpf.c
+@@ -217,7 +217,7 @@ static int bpf_parse_prog(struct nlattr
+ if (!tb[LWT_BPF_PROG_FD] || !tb[LWT_BPF_PROG_NAME])
+ return -EINVAL;
+
+- prog->name = nla_memdup(tb[LWT_BPF_PROG_NAME], GFP_KERNEL);
++ prog->name = nla_memdup(tb[LWT_BPF_PROG_NAME], GFP_ATOMIC);
+ if (!prog->name)
+ return -ENOMEM;
+
diff --git a/queue-4.14/cachefiles-fix-refcounting-bug-in-backing-file-read-monitoring.patch b/queue-4.14/cachefiles-fix-refcounting-bug-in-backing-file-read-monitoring.patch
new file mode 100644
index 00000000000..d473ed7fc22
--- /dev/null
+++ b/queue-4.14/cachefiles-fix-refcounting-bug-in-backing-file-read-monitoring.patch
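Review bot: With GFP_ATOMIC the `nla_memdup(tb[LWT_BPF_PROG_NAME], GFP_ATOMIC)` copy in bpf_parse_prog() can neither sleep nor reclaim, and its size is the length of a netlink attribute supplied by the caller; the hunk does not show the attribute policy, so it is worth confirming that the policy caps the name length and keeps this atomic allocation small. The `-ENOMEM` return on failure is already present in the context lines. A one-line comment, `/* called under rcu_read_lock() from lwtunnel_build_state(): must not sleep */`, would keep the flag from being changed back to GFP_KERNEL later. The function body continues outside the hunk.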
@@ -0,0 +1,118 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Kiran Kumar Modukuri
+Date: Tue, 18 Jul 2017 16:25:49 -0700
+Subject: cachefiles: Fix refcounting bug in backing-file read monitoring
+
+From: Kiran Kumar Modukuri
+
+[ Upstream commit 934140ab028713a61de8bca58c05332416d037d1 ]
+
+cachefiles_read_waiter() has the right to access a 'monitor' object by
+virtue of being called under the waitqueue lock for one of the pages in its
+purview. However, it has no ref on that monitor object or on the
+associated operation.
+
+What it is allowed to do is to move the monitor object to the operation's
+to_do list, but once it drops the work_lock, it's actually no longer
+permitted to access that object. However, it is trying to enqueue the
+retrieval operation for processing - but it can only do this via a pointer
+in the monitor object, something it shouldn't be doing.
+
+If it doesn't enqueue the operation, the operation may not get processed.
+If the order is flipped so that the enqueue is first, then it's possible
+for the work processor to look at the to_do list before the monitor is
+enqueued upon it.
+
+Fix this by getting a ref on the operation so that we can trust that it
+will still be there once we've added the monitor to the to_do list and
+dropped the work_lock. The op can then be enqueued after the lock is
+dropped.
+
+The bug can manifest in one of a couple of ways. The first manifestation
+looks like:
+
+ FS-Cache:
+ FS-Cache: Assertion failed
+ FS-Cache: 6 == 5 is false
+ ------------[ cut here ]------------
+ kernel BUG at fs/fscache/operation.c:494!
+ RIP: 0010:fscache_put_operation+0x1e3/0x1f0
+ ...
+ fscache_op_work_func+0x26/0x50
+ process_one_work+0x131/0x290
+ worker_thread+0x45/0x360
+ kthread+0xf8/0x130
+ ? create_worker+0x190/0x190
+ ? kthread_cancel_work_sync+0x10/0x10
+ ret_from_fork+0x1f/0x30
+
+This is due to the operation being in the DEAD state (6) rather than
+INITIALISED, COMPLETE or CANCELLED (5) because it's already passed through
+fscache_put_operation().
+
+The bug can also manifest like the following:
+
+ kernel BUG at fs/fscache/operation.c:69!
+ ...
+ [exception RIP: fscache_enqueue_operation+246]
+ ...
+ #7 [ffff883fff083c10] fscache_enqueue_operation at ffffffffa0b793c6
+ #8 [ffff883fff083c28] cachefiles_read_waiter at ffffffffa0b15a48
+ #9 [ffff883fff083c48] __wake_up_common at ffffffff810af028
+
+I'm not entirely certain as to which is line 69 in Lei's kernel, so I'm not
+entirely clear which assertion failed.
+
+Fixes: 9ae326a69004 ("CacheFiles: A cache that backs onto a mounted filesystem")
+Reported-by: Lei Xue
+Reported-by: Vegard Nossum
+Reported-by: Anthony DeRobertis
+Reported-by: NeilBrown
+Reported-by: Daniel Axtens
+Reported-by: Kiran Kumar Modukuri
+Signed-off-by: David Howells
+Reviewed-by: Daniel Axtens
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/cachefiles/rdwr.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/fs/cachefiles/rdwr.c
++++ b/fs/cachefiles/rdwr.c
+@@ -27,6 +27,7 @@ static int cachefiles_read_waiter(wait_q
+ struct cachefiles_one_read *monitor =
+ container_of(wait, struct cachefiles_one_read, monitor);
+ struct cachefiles_object *object;
++ struct fscache_retrieval *op = monitor->op;
+ struct wait_bit_key *key = _key;
+ struct page *page = wait->private;
+
+@@ -51,16 +52,22 @@ static int cachefiles_read_waiter(wait_q
+ list_del(&wait->entry);
+
+ /* move onto the action list and queue for FS-Cache thread pool */
+- ASSERT(monitor->op);
++ ASSERT(op);
+
+- object = container_of(monitor->op->op.object,
+- struct cachefiles_object, fscache);
++ /* We need to temporarily bump the usage count as we don't own a ref
++ * here otherwise cachefiles_read_copier() may free the op between the
++ * monitor being enqueued on the op->to_do list and the op getting
++ * enqueued on the work queue.
++ */
++ fscache_get_retrieval(op);
+
++ object = container_of(op->op.object, struct cachefiles_object, fscache);
+ spin_lock(&object->work_lock);
+- list_add_tail(&monitor->op_link, &monitor->op->to_do);
++ list_add_tail(&monitor->op_link, &op->to_do);
+ spin_unlock(&object->work_lock);
+
+- fscache_enqueue_retrieval(monitor->op);
++ fscache_enqueue_retrieval(op);
++ fscache_put_retrieval(op);
+ return 0;
+ }
+
diff --git a/queue-4.14/cachefiles-wait-rather-than-bug-ing-on-unexpected-object-collision.patch b/queue-4.14/cachefiles-wait-rather-than-bug-ing-on-unexpected-object-collision.patch
new file mode 100644
index 00000000000..c1d791bd2c3
--- /dev/null
+++ b/queue-4.14/cachefiles-wait-rather-than-bug-ing-on-unexpected-object-collision.patch
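Review bot: `struct fscache_retrieval *op = monitor->op;` is now loaded in the declarations of cachefiles_read_waiter(), ahead of whatever checks sit between the two hunks and of `ASSERT(op)`, and `fscache_get_retrieval(op)` is taken before `object->work_lock` is acquired, so the new reference is only sound because of the waitqueue lock the description relies on. The added comment explains why the ref is needed but not why taking it is safe at that point; one more sentence in it, for example `Safe to take here: we run under the page waitqueue lock, so the monitor cannot go away yet.`, would close that gap. The part of the function between the hunks is not visible here.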
@@ -0,0 +1,37 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Kiran Kumar Modukuri
+Date: Thu, 21 Jun 2018 13:25:53 -0700
+Subject: cachefiles: Wait rather than BUG'ing on "Unexpected object collision"
+
+From: Kiran Kumar Modukuri
+
+[ Upstream commit c2412ac45a8f8f1cd582723c1a139608694d410d ]
+
+If we meet a conflicting object that is marked FSCACHE_OBJECT_IS_LIVE in
+the active object tree, we have been emitting a BUG after logging
+information about it and the new object.
+
+Instead, we should wait for the CACHEFILES_OBJECT_ACTIVE flag to be cleared
+on the old object (or return an error). The ACTIVE flag should be cleared
+after it has been removed from the active object tree. A timeout of 60s is
+used in the wait, so we shouldn't be able to get stuck there.
+
+Fixes: 9ae326a69004 ("CacheFiles: A cache that backs onto a mounted filesystem")
+Signed-off-by: Kiran Kumar Modukuri
+Signed-off-by: David Howells
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/cachefiles/namei.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/fs/cachefiles/namei.c
++++ b/fs/cachefiles/namei.c
+@@ -195,7 +195,6 @@ wait_for_old_object:
+ pr_err("\n");
+ pr_err("Error: Unexpected object collision\n");
+ cachefiles_printk_object(object, xobject);
+- BUG();
+ }
+ atomic_inc(&xobject->usage);
+ write_unlock(&cache->active_lock);
diff --git a/queue-4.14/can-m_can-move-accessing-of-message-ram-to-after-clocks-are-enabled.patch b/queue-4.14/can-m_can-move-accessing-of-message-ram-to-after-clocks-are-enabled.patch
new file mode 100644
index 00000000000..c588c939341
--- /dev/null
+++ b/queue-4.14/can-m_can-move-accessing-of-message-ram-to-after-clocks-are-enabled.patch
@@ -0,0 +1,58 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Faiz Abbas
+Date: Tue, 3 Jul 2018 16:47:10 +0530
+Subject: can: m_can: Move accessing of message ram to after clocks are enabled
+
+From: Faiz Abbas
+
+[ Upstream commit 54e4a0c486041dc1c20593d997fafd67089e8408 ]
+
+MCAN message ram should only be accessed once clocks are enabled.
+Therefore, move the call to parse/init the message ram to after
+clocks are enabled.
+
+Signed-off-by: Faiz Abbas
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/can/m_can/m_can.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/can/m_can/m_can.c
++++ b/drivers/net/can/m_can/m_can.c
+@@ -1637,8 +1637,6 @@ static int m_can_plat_probe(struct platf
+ priv->can.clock.freq = clk_get_rate(cclk);
+ priv->mram_base = mram_addr;
+
+- m_can_of_parse_mram(priv, mram_config_vals);
+-
+ platform_set_drvdata(pdev, dev);
+ SET_NETDEV_DEV(dev, &pdev->dev);
+
+@@ -1649,6 +1647,8 @@ static int m_can_plat_probe(struct platf
+ goto failed_free_dev;
+ }
+
++ m_can_of_parse_mram(priv, mram_config_vals);
++
+ devm_can_led_init(dev);
+
+ dev_info(&pdev->dev, "%s device registered (irq=%d, version=%d)\n",
+@@ -1698,8 +1698,6 @@ static __maybe_unused int m_can_resume(s
+
+ pinctrl_pm_select_default_state(dev);
+
+- m_can_init_ram(priv);
+-
+ priv->can.state = CAN_STATE_ERROR_ACTIVE;
+
+ if (netif_running(ndev)) {
+@@ -1709,6 +1707,7 @@ static __maybe_unused int m_can_resume(s
+ if (ret)
+ return ret;
+
++ m_can_init_ram(priv);
+ m_can_start(ndev);
+ netif_device_attach(ndev);
+ netif_start_queue(ndev);
diff --git a/queue-4.14/can-mpc5xxx_can-check-of_iomap-return-before-use.patch b/queue-4.14/can-mpc5xxx_can-check-of_iomap-return-before-use.patch
new file mode 100644
index 00000000000..12d2499380a
--- /dev/null
+++ b/queue-4.14/can-mpc5xxx_can-check-of_iomap-return-before-use.patch
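Review bot: In m_can_plat_probe() `m_can_of_parse_mram()` now runs after the call whose failure jumps to `failed_free_dev` and just before the "device registered" message; if that preceding call is the netdev registration, the interface could be opened before the message-RAM layout has been parsed, so either the parse stays before registration with only the RAM access deferred, or the open path must be shown not to depend on it. In m_can_resume() `m_can_init_ram()` is now reached only inside the `netif_running()` branch, so message RAM is left untouched when resuming an interface that is down; a comment stating that the open path initialises it would document that assumption. Both functions extend beyond the hunks.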
@@ -0,0 +1,36 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Nicholas Mc Guire
+Date: Mon, 9 Jul 2018 21:16:40 +0200
+Subject: can: mpc5xxx_can: check of_iomap return before use
+
+From: Nicholas Mc Guire
+
+[ Upstream commit b5c1a23b17e563b656cc9bb76ce5323b997d90e8 ]
+
+of_iomap() can return NULL so that return needs to be checked and NULL
+treated as failure. While at it also take care of the missing
+of_node_put() in the error path.
+
+Signed-off-by: Nicholas Mc Guire
+Fixes: commit afa17a500a36 ("net/can: add driver for mscan family & mpc52xx_mscan")
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/can/mscan/mpc5xxx_can.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/can/mscan/mpc5xxx_can.c
++++ b/drivers/net/can/mscan/mpc5xxx_can.c
+@@ -86,6 +86,11 @@ static u32 mpc52xx_can_get_clock(struct
+ return 0;
+ }
+ cdm = of_iomap(np_cdm, 0);
++ if (!cdm) {
++ of_node_put(np_cdm);
++ dev_err(&ofdev->dev, "can't map clock node!\n");
++ return 0;
++ }
+
+ if (in_8(&cdm->ipb_clk_sel) & 0x1)
+ freq *= 2;
diff --git a/queue-4.14/drivers-net-lmc-fix-case-value-for-target-abort-error.patch b/queue-4.14/drivers-net-lmc-fix-case-value-for-target-abort-error.patch
new file mode 100644
index 00000000000..e2b62f6b66e
--- /dev/null
+++ b/queue-4.14/drivers-net-lmc-fix-case-value-for-target-abort-error.patch
@@ -0,0 +1,35 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Colin Ian King
+Date: Wed, 1 Aug 2018 18:22:41 +0100
+Subject: drivers: net: lmc: fix case value for target abort error
+
+From: Colin Ian King
+
+[ Upstream commit afb41bb039656f0cecb54eeb8b2e2088201295f5 ]
+
+Current value for a target abort error is 0x010, however, this value
+should in fact be 0x002. As it stands, the range of error is 0..7 so
+it is currently never being detected. This bug has been in the driver
+since the early 2.6.12 days (or before).
+
+Detected by CoverityScan, CID#744290 ("Logically dead code")
+
+Signed-off-by: Colin Ian King
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wan/lmc/lmc_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wan/lmc/lmc_main.c
++++ b/drivers/net/wan/lmc/lmc_main.c
+@@ -1371,7 +1371,7 @@ static irqreturn_t lmc_interrupt (int ir
+ case 0x001:
+ printk(KERN_WARNING "%s: Master Abort (naughty)\n", dev->name);
+ break;
+- case 0x010:
++ case 0x002:
+ printk(KERN_WARNING "%s: Target Abort (not so naughty)\n", dev->name);
+ break;
+ default:
diff --git a/queue-4.14/drm-bridge-adv7511-reset-registers-on-hotplug.patch b/queue-4.14/drm-bridge-adv7511-reset-registers-on-hotplug.patch
new file mode 100644
index 00000000000..57e780dd7ac
--- /dev/null
+++ b/queue-4.14/drm-bridge-adv7511-reset-registers-on-hotplug.patch
@@ -0,0 +1,44 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Sean Paul
+Date: Tue, 3 Jul 2018 12:56:03 -0400
+Subject: drm/bridge: adv7511: Reset registers on hotplug
+
+From: Sean Paul
+
+[ Upstream commit 5f3417569165a8ee57654217f73e0160312f409c ]
+
+The bridge loses its hw state when the cable is unplugged. If we detect
+this case in the hpd handler, reset its state.
+
+Reported-by: Rob Clark
+Tested-by: Rob Clark
+Reviewed-by: Archit Taneja
+Signed-off-by: Sean Paul
+Link: https://patchwork.freedesktop.org/patch/msgid/20180703165648.120401-1-seanpaul@chromium.org
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
++++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
+@@ -424,6 +424,18 @@ static void adv7511_hpd_work(struct work
+ else
+ status = connector_status_disconnected;
+
++ /*
++ * The bridge resets its registers on unplug. So when we get a plug
++ * event and we're already supposed to be powered, cycle the bridge to
++ * restore its state.
++ */
++ if (status == connector_status_connected &&
++ adv7511->connector.status == connector_status_disconnected &&
++ adv7511->powered) {
++ regcache_mark_dirty(adv7511->regmap);
++ adv7511_power_on(adv7511);
++ }
++
+ if (adv7511->connector.status != status) {
+ adv7511->connector.status = status;
+ drm_kms_helper_hotplug_event(adv7511->connector.dev);
diff --git a/queue-4.14/drm-imx-imx-ldb-check-if-channel-is-enabled-before-printing-warning.patch b/queue-4.14/drm-imx-imx-ldb-check-if-channel-is-enabled-before-printing-warning.patch
new file mode 100644
index 00000000000..f5cd2ee832b
--- /dev/null
+++ b/queue-4.14/drm-imx-imx-ldb-check-if-channel-is-enabled-before-printing-warning.patch
@@ -0,0 +1,40 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Lucas Stach
+Date: Wed, 11 Apr 2018 17:31:36 +0200
+Subject: drm/imx: imx-ldb: check if channel is enabled before printing warning
+
+From: Lucas Stach
+
+[ Upstream commit c80d673b91a6c81d765864e10f2b15110ee900ad ]
+
+If the second LVDS channel has been disabled in the DT when using dual-channel
+mode we should not print a warning.
+
+Signed-off-by: Lucas Stach
+Signed-off-by: Philipp Zabel
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/imx/imx-ldb.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/imx/imx-ldb.c
++++ b/drivers/gpu/drm/imx/imx-ldb.c
+@@ -655,14 +655,14 @@ static int imx_ldb_bind(struct device *d
+ if (ret || i < 0 || i > 1)
+ return -EINVAL;
+
++ if (!of_device_is_available(child))
++ continue;
++
+ if (dual && i > 0) {
+ dev_warn(dev, "dual-channel mode, ignoring second output\n");
+ continue;
+ }
+
+- if (!of_device_is_available(child))
+- continue;
+-
+ channel = &imx_ldb->channel[i];
+ channel->ldb = imx_ldb;
+ channel->chno = i;
diff --git a/queue-4.14/drm-imx-imx-ldb-disable-ldb-on-driver-bind.patch b/queue-4.14/drm-imx-imx-ldb-disable-ldb-on-driver-bind.patch
new file mode 100644
index 00000000000..2ed043fefaa
--- /dev/null
+++ b/queue-4.14/drm-imx-imx-ldb-disable-ldb-on-driver-bind.patch
@@ -0,0 +1,40 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Lucas Stach
+Date: Wed, 11 Apr 2018 17:31:35 +0200
+Subject: drm/imx: imx-ldb: disable LDB on driver bind
+
+From: Lucas Stach
+
+[ Upstream commit b58262396fabd43dc869b576e3defdd23b32fe94 ]
+
+The LVDS signal integrity is only guaranteed when the correct enable
+sequence (first IPU DI, then LDB) is used. If the LDB display output was
+active before the imx-drm driver is loaded (like when a bootsplash was
+active) the DI will be disabled by the full IPU reset we do when loading
+the driver. The LDB control registers are not part of the IPU range and
+thus will remain unchanged.
+
+This leads to the LDB still being active when the DI is getting enabled,
+effectively reversing the required enable sequence. Fix this by also
+disabling the LDB on driver bind.
+
+Signed-off-by: Lucas Stach
+Signed-off-by: Philipp Zabel
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/imx/imx-ldb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/imx/imx-ldb.c
++++ b/drivers/gpu/drm/imx/imx-ldb.c
+@@ -612,6 +612,9 @@ static int imx_ldb_bind(struct device *d
+ return PTR_ERR(imx_ldb->regmap);
+ }
+
++ /* disable LDB by resetting the control register to POR default */
++ regmap_write(imx_ldb->regmap, IOMUXC_GPR2, 0);
++
+ imx_ldb->dev = dev;
+
+ if (of_id)
diff --git a/queue-4.14/drm-re-enable-error-handling.patch b/queue-4.14/drm-re-enable-error-handling.patch
new file mode 100644
index 00000000000..f141157b2de
--- /dev/null
+++ b/queue-4.14/drm-re-enable-error-handling.patch
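Review bot: `regmap_write(imx_ldb->regmap, IOMUXC_GPR2, 0);` in imx_ldb_bind() clears the whole register and ignores the return value. If IOMUXC_GPR2 carries any bits that do not belong to the LDB on one of the supported SoCs, those are reset as well, so the comment should state that zero is the power-on default of the entire register, or the write should be limited to the LDB fields with a masked update. Checking the result, for example `ret = regmap_write(imx_ldb->regmap, IOMUXC_GPR2, 0);` followed by `if (ret) return ret;`, would keep bind from continuing with the LDB in an unknown state. imx_ldb_bind() extends beyond the hunk.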
@@ -0,0 +1,36 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Nicholas Mc Guire
+Date: Sat, 14 Jul 2018 14:32:12 +0200
+Subject: drm: re-enable error handling
+
+From: Nicholas Mc Guire
+
+[ Upstream commit d530b5f1ca0bb66958a2b714bebe40a1248b9c15 ]
+
+drm_legacy_ctxbitmap_next() returns idr_alloc() which can return
+-ENOMEM, -EINVAL or -ENOSPC none of which are -1 . but the call sites
+of drm_legacy_ctxbitmap_next() seem to be assuming that the error case
+would be -1 (original return of drm_ctxbitmap_next() prior to 2.6.23
+was actually -1). Thus reenable error handling by checking for < 0.
+
+Signed-off-by: Nicholas Mc Guire
+Fixes: 62968144e673 ("drm: convert drm context code to use Linux idr")
+Signed-off-by: Sean Paul
+Link: https://patchwork.freedesktop.org/patch/msgid/1531571532-22733-1-git-send-email-hofrat@osadl.org
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/drm_context.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_context.c
++++ b/drivers/gpu/drm/drm_context.c
+@@ -372,7 +372,7 @@ int drm_legacy_addctx(struct drm_device
+ ctx->handle = drm_legacy_ctxbitmap_next(dev);
+ }
+ DRM_DEBUG("%d\n", ctx->handle);
+- if (ctx->handle == -1) {
++ if (ctx->handle < 0) {
+ DRM_DEBUG("Not enough free contexts.\n");
+ /* Should this return -EBUSY instead? */
+ return -ENOMEM;
diff --git a/queue-4.14/enic-do-not-call-enic_change_mtu-in-enic_probe.patch b/queue-4.14/enic-do-not-call-enic_change_mtu-in-enic_probe.patch
new file mode 100644
index 00000000000..e6a43fe8117
--- /dev/null
+++ b/queue-4.14/enic-do-not-call-enic_change_mtu-in-enic_probe.patch
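Review bot: With the `ctx->handle < 0` test in drm_legacy_addctx() every failure from drm_legacy_ctxbitmap_next() is still reported as -ENOMEM with the message "Not enough free contexts", although the description lists -EINVAL and -ENOSPC as possible results, and the negative value stays stored in `ctx->handle`. Either propagate the real code or record the choice next to the existing question in the code, for example `/* all idr_alloc() failures are reported to the caller as -ENOMEM */`. The function continues outside the hunk, so whether `ctx` is copied back to user space on this path is not visible from here.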
@@ -0,0 +1,42 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Govindarajulu Varadarajan
+Date: Mon, 30 Jul 2018 09:56:54 -0700
+Subject: enic: do not call enic_change_mtu in enic_probe
+
+From: Govindarajulu Varadarajan
+
+[ Upstream commit cb5c6568867325f9905e80c96531d963bec8e5ea ]
+
+In commit ab123fe071c9 ("enic: handle mtu change for vf properly")
+ASSERT_RTNL() is added to _enic_change_mtu() to prevent it from being
+called without rtnl held. enic_probe() calls enic_change_mtu()
+without rtnl held. At this point netdev is not registered yet.
+Remove call to enic_change_mtu and assign the mtu to netdev->mtu.
+
+Fixes: ab123fe071c9 ("enic: handle mtu change for vf properly")
+Signed-off-by: Govindarajulu Varadarajan
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/cisco/enic/enic_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/cisco/enic/enic_main.c
++++ b/drivers/net/ethernet/cisco/enic/enic_main.c
+@@ -2843,7 +2843,6 @@ static int enic_probe(struct pci_dev *pd
+ */
+
+ enic->port_mtu = enic->config.mtu;
+- (void)enic_change_mtu(netdev, enic->port_mtu);
+
+ err = enic_set_mac_addr(netdev, enic->mac_addr);
+ if (err) {
+@@ -2930,6 +2929,7 @@ static int enic_probe(struct pci_dev *pd
+ /* MTU range: 68 - 9000 */
+ netdev->min_mtu = ENIC_MIN_MTU;
+ netdev->max_mtu = ENIC_MAX_MTU;
++ netdev->mtu = enic->port_mtu;
+
+ err = register_netdev(netdev);
+ if (err) {
diff --git a/queue-4.14/enic-handle-mtu-change-for-vf-properly.patch b/queue-4.14/enic-handle-mtu-change-for-vf-properly.patch
new file mode 100644
index 00000000000..199c39e6695
--- /dev/null
+++ b/queue-4.14/enic-handle-mtu-change-for-vf-properly.patch
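Review bot: `netdev->mtu = enic->port_mtu;` in enic_probe() assigns a value taken from `enic->config.mtu` without comparing it with the `ENIC_MIN_MTU` / `ENIC_MAX_MTU` limits set in the two lines above it, so a device-reported MTU outside that range becomes the interface MTU unchecked. Clamping it, `netdev->mtu = clamp_t(int, enic->port_mtu, ENIC_MIN_MTU, ENIC_MAX_MTU);`, keeps the registered netdev consistent with the range it advertises. enic_probe() extends beyond both hunks, so an earlier validation of config.mtu cannot be ruled out from here.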
@@ -0,0 +1,128 @@ +From foo@baz Sun Aug 26 09:13:00 CEST 2018 +From: Govindarajulu Varadarajan +Date: Fri, 27 Jul 2018 11:19:29 -0700 +Subject: enic: handle mtu change for vf properly + +From: Govindarajulu Varadarajan + +[ Upstream commit ab123fe071c9aa9680ecd62eb080eb26cff4892c ] + +When driver gets notification for mtu change, driver does not handle it for +all RQs. It handles only RQ[0]. + +Fix is to use enic_change_mtu() interface to change mtu for vf. + +Signed-off-by: Govindarajulu Varadarajan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/cisco/enic/enic_main.c | 78 +++++++++------------------- + 1 file changed, 27 insertions(+), 51 deletions(-) + +--- a/drivers/net/ethernet/cisco/enic/enic_main.c ++++ b/drivers/net/ethernet/cisco/enic/enic_main.c +@@ -2007,28 +2007,42 @@ static int enic_stop(struct net_device * + return 0; + } + ++static int _enic_change_mtu(struct net_device *netdev, int new_mtu) ++{ ++ bool running = netif_running(netdev); ++ int err = 0; ++ ++ ASSERT_RTNL(); ++ if (running) { ++ err = enic_stop(netdev); ++ if (err) ++ return err; ++ } ++ ++ netdev->mtu = new_mtu; ++ ++ if (running) { ++ err = enic_open(netdev); ++ if (err) ++ return err; ++ } ++ ++ return 0; ++} ++ + static int enic_change_mtu(struct net_device *netdev, int new_mtu) + { + struct enic *enic = netdev_priv(netdev); +- int running = netif_running(netdev); + + if (enic_is_dynamic(enic) || enic_is_sriov_vf(enic)) + return -EOPNOTSUPP; + +- if (running) +- enic_stop(netdev); +- +- netdev->mtu = new_mtu; +- + if (netdev->mtu > enic->port_mtu) + netdev_warn(netdev, +- "interface MTU (%d) set higher than port MTU (%d)\n", +- netdev->mtu, enic->port_mtu); +- +- if (running) +- enic_open(netdev); ++ "interface MTU (%d) set higher than port MTU (%d)\n", ++ netdev->mtu, enic->port_mtu); + +- return 0; ++ return _enic_change_mtu(netdev, new_mtu); + } + + static void enic_change_mtu_work(struct work_struct 
*work)
+@@ -2036,47 +2050,9 @@ static void enic_change_mtu_work(struct
+ struct enic *enic = container_of(work, struct enic, change_mtu_work);
+ struct net_device *netdev = enic->netdev;
+ int new_mtu = vnic_dev_mtu(enic->vdev);
+- int err;
+- unsigned int i;
+-
+- new_mtu = max_t(int, ENIC_MIN_MTU, min_t(int, ENIC_MAX_MTU, new_mtu));
+
+ rtnl_lock();
+-
+- /* Stop RQ */
+- del_timer_sync(&enic->notify_timer);
+-
+- for (i = 0; i < enic->rq_count; i++)
+- napi_disable(&enic->napi[i]);
+-
+- vnic_intr_mask(&enic->intr[0]);
+- enic_synchronize_irqs(enic);
+- err = vnic_rq_disable(&enic->rq[0]);
+- if (err) {
+- rtnl_unlock();
+- netdev_err(netdev, "Unable to disable RQ.\n");
+- return;
+- }
+- vnic_rq_clean(&enic->rq[0], enic_free_rq_buf);
+- vnic_cq_clean(&enic->cq[0]);
+- vnic_intr_clean(&enic->intr[0]);
+-
+- /* Fill RQ with new_mtu-sized buffers */
+- netdev->mtu = new_mtu;
+- vnic_rq_fill(&enic->rq[0], enic_rq_alloc_buf);
+- /* Need at least one buffer on ring to get going */
+- if (vnic_rq_desc_used(&enic->rq[0]) == 0) {
+- rtnl_unlock();
+- netdev_err(netdev, "Unable to alloc receive buffers.\n");
+- return;
+- }
+-
+- /* Start RQ */
+- vnic_rq_enable(&enic->rq[0]);
+- napi_enable(&enic->napi[0]);
+- vnic_intr_unmask(&enic->intr[0]);
+- enic_notify_timer_start(enic);
+-
++ (void)_enic_change_mtu(netdev, new_mtu);
+ rtnl_unlock();
+
+ netdev_info(netdev, "interface MTU set as %d\n", netdev->mtu);
diff --git a/queue-4.14/esp6-fix-memleak-on-error-path-in-esp6_input.patch b/queue-4.14/esp6-fix-memleak-on-error-path-in-esp6_input.patch
new file mode 100644
index 00000000000..32efb9a0cb9
--- /dev/null
+++ b/queue-4.14/esp6-fix-memleak-on-error-path-in-esp6_input.patch
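Review bot: enic_change_mtu_work() no longer bounds the device-reported MTU, because the removed `new_mtu = max_t(int, ENIC_MIN_MTU, min_t(int, ENIC_MAX_MTU, new_mtu));` line has no replacement. Whatever vnic_dev_mtu() returns is stored in `netdev->mtu` by _enic_change_mtu() and is in effect when the interface is reopened, so the clamp should stay ahead of `rtnl_lock()`. The same function discards the result with `(void)_enic_change_mtu(netdev, new_mtu);` and then logs "interface MTU set as" unconditionally; if enic_open() fails, the interface stays stopped with no error reported, so the return value should be checked and logged with netdev_err(). Separately, in enic_change_mtu() the `netdev->mtu > enic->port_mtu` warning now runs before the assignment and so tests the old MTU; it should compare `new_mtu`.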
@@ -0,0 +1,37 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Zhen Lei
+Date: Wed, 27 Jun 2018 11:49:28 +0800
+Subject: esp6: fix memleak on error path in esp6_input
+
+From: Zhen Lei
+
+[ Upstream commit 7284fdf39a912322ce97de2d30def3c6068a418c ]
+
+This ought to be an omission in e6194923237 ("esp: Fix memleaks on error
+paths."). The memleak on error path in esp6_input is similar to esp_input
+of esp4.
+
+Fixes: e6194923237 ("esp: Fix memleaks on error paths.")
+Fixes: 3f29770723f ("ipsec: check return value of skb_to_sgvec always")
+Signed-off-by: Zhen Lei
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/esp6.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/esp6.c
++++ b/net/ipv6/esp6.c
+@@ -651,8 +651,10 @@ skip_cow:
+
+ sg_init_table(sg, nfrags);
+ ret = skb_to_sgvec(skb, sg, 0, skb->len);
+- if (unlikely(ret < 0))
++ if (unlikely(ret < 0)) {
++ kfree(tmp);
+ goto out;
++ }
+
+ skb->ip_summed = CHECKSUM_NONE;
+
diff --git a/queue-4.14/ext4-clear-mmp-sequence-number-when-remounting-read-only.patch b/queue-4.14/ext4-clear-mmp-sequence-number-when-remounting-read-only.patch
new file mode 100644
index 00000000000..ff0b145f554
--- /dev/null
+++ b/queue-4.14/ext4-clear-mmp-sequence-number-when-remounting-read-only.patch
@@ -0,0 +1,53 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Theodore Ts'o
+Date: Sun, 8 Jul 2018 19:36:02 -0400
+Subject: ext4: clear mmp sequence number when remounting read-only
+
+From: Theodore Ts'o
+
+[ Upstream commit 2dca60d98e241bea686004168f85208f215fc697 ]
+
+Previously, when an MMP-protected file system is remounted read-only,
+the kmmpd thread would exit the next time it woke up (a few seconds
+later), without resetting the MMP sequence number back to
+EXT4_MMP_SEQ_CLEAN.
+
+Fix this by explicitly killing the MMP thread when the file system is
+remounted read-only.
+
+Signed-off-by: Theodore Ts'o
+Cc: Andreas Dilger
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ext4/mmp.c | 7 ++-----
+ fs/ext4/super.c | 2 ++
+ 2 files changed, 4 insertions(+), 5 deletions(-)
+
+--- a/fs/ext4/mmp.c
++++ b/fs/ext4/mmp.c
+@@ -186,11 +186,8 @@ static int kmmpd(void *data)
+ goto exit_thread;
+ }
+
+- if (sb_rdonly(sb)) {
+- ext4_warning(sb, "kmmpd being stopped since filesystem "
+- "has been remounted as readonly.");
+- goto exit_thread;
+- }
++ if (sb_rdonly(sb))
++ break;
+
+ diff = jiffies - last_update_time;
+ if (diff < mmp_update_interval * HZ)
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -5163,6 +5163,8 @@ static int ext4_remount(struct super_blo
+
+ if (sbi->s_journal)
+ ext4_mark_recovery_complete(sb, es);
++ if (sbi->s_mmp_tsk)
++ kthread_stop(sbi->s_mmp_tsk);
+ } else {
+ /* Make sure we can mount this feature set readwrite */
+ if (ext4_has_feature_readonly(sb) ||
diff --git a/queue-4.14/fscache-allow-cancelled-operations-to-be-enqueued.patch b/queue-4.14/fscache-allow-cancelled-operations-to-be-enqueued.patch
new file mode 100644
index 00000000000..5c845b1e64e
--- /dev/null
+++ b/queue-4.14/fscache-allow-cancelled-operations-to-be-enqueued.patch
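Review bot: The `if (sbi->s_mmp_tsk)` / `kthread_stop(sbi->s_mmp_tsk);` pair added to ext4_remount() is an unsynchronised check-then-use on a pointer that kmmpd may invalidate itself. The first hunk shows the thread still has `goto exit_thread` paths; if that exit path clears `s_mmp_tsk` or frees the thread's data (not visible here), a thread that exits on its own between the test and the call leaves kthread_stop() operating on a task that is already gone. The pointer is also not reset after the stop in this hunk, so a later unmount or remount could try to stop it a second time unless the thread's exit path clears it. One helper that stops the thread and clears `s_mmp_tsk`, used by every caller, together with kmmpd waiting for kthread_should_stop() rather than exiting by itself, would close the window. Both functions extend beyond the hunks shown.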
@@ -0,0 +1,46 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Kiran Kumar Modukuri
+Date: Wed, 25 Jul 2018 14:31:20 +0100
+Subject: fscache: Allow cancelled operations to be enqueued
+
+From: Kiran Kumar Modukuri
+
+[ Upstream commit d0eb06afe712b7b103b6361f40a9a0c638524669 ]
+
+Alter the state-check assertion in fscache_enqueue_operation() to allow
+cancelled operations to be given processing time so they can be cleaned up.
+
+Also fix a debugging statement that was requiring such operations to have
+an object assigned.
+
+Fixes: 9ae326a69004 ("CacheFiles: A cache that backs onto a mounted filesystem")
+Reported-by: Kiran Kumar Modukuri
+Signed-off-by: David Howells
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/fscache/operation.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/fscache/operation.c
++++ b/fs/fscache/operation.c
+@@ -66,7 +66,8 @@ void fscache_enqueue_operation(struct fs
+ ASSERT(op->processor != NULL);
+ ASSERT(fscache_object_is_available(op->object));
+ ASSERTCMP(atomic_read(&op->usage), >, 0);
+- ASSERTCMP(op->state, ==, FSCACHE_OP_ST_IN_PROGRESS);
++ ASSERTIFCMP(op->state != FSCACHE_OP_ST_IN_PROGRESS,
++ op->state, ==, FSCACHE_OP_ST_CANCELLED);
+
+ fscache_stat(&fscache_n_op_enqueue);
+ switch (op->flags & FSCACHE_OP_TYPE) {
+@@ -481,7 +482,8 @@ void fscache_put_operation(struct fscach
+ struct fscache_cache *cache;
+
+ _enter("{OBJ%x OP%x,%d}",
+- op->object->debug_id, op->debug_id, atomic_read(&op->usage));
++ op->object ? op->object->debug_id : 0,
++ op->debug_id, atomic_read(&op->usage));
+
+ ASSERTCMP(atomic_read(&op->usage), >, 0);
+
diff --git a/queue-4.14/gpiolib-acpi-make-sure-we-trigger-edge-events-at-least-once-on-boot.patch b/queue-4.14/gpiolib-acpi-make-sure-we-trigger-edge-events-at-least-once-on-boot.patch
new file mode 100644
index 00000000000..ce90bf16378
--- /dev/null
+++ b/queue-4.14/gpiolib-acpi-make-sure-we-trigger-edge-events-at-least-once-on-boot.patch
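Review bot: fscache_enqueue_operation() now admits FSCACHE_OP_ST_CANCELLED operations, but the unchanged `ASSERT(fscache_object_is_available(op->object));` two lines above still runs for them. The second hunk treats `op->object` as possibly NULL for such operations, so it is worth confirming that a cancelled operation reaching the enqueue path always has an object attached and that the object still counts as available. Otherwise that assertion fires, or its argument is a NULL pointer, before the relaxed state check is reached. In fscache_put_operation() only the `_enter()` trace is guarded; the rest of the function is outside the hunk, and its uses of `op->object` should be checked the same way.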
@@ -0,0 +1,210 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Benjamin Tissoires
+Date: Thu, 12 Jul 2018 17:25:06 +0200
+Subject: gpiolib-acpi: make sure we trigger edge events at least once on boot
+
+From: Benjamin Tissoires
+
+[ Upstream commit ca876c7483b697b498868b1f575997191b077885 ]
+
+On some systems using edge triggered ACPI Event Interrupts, the initial
+state at boot is not setup by the firmware, instead relying on the edge
+irq event handler running at least once to setup the initial state.
+
+2 known examples of this are:
+
+1) The Surface 3 has its _LID state controlled by an ACPI operation region
+ triggered by a GPIO event:
+
+ OperationRegion (GPOR, GeneralPurposeIo, Zero, One)
+ Field (GPOR, ByteAcc, NoLock, Preserve)
+ {
+ Connection (
+ GpioIo (Shared, PullNone, 0x0000, 0x0000, IoRestrictionNone,
+ "\\_SB.GPO0", 0x00, ResourceConsumer, ,
+ )
+ { // Pin list
+ 0x004C
+ }
+ ),
+ HELD, 1
+ }
+
+ Method (_E4C, 0, Serialized) // _Exx: Edge-Triggered GPE
+ {
+ If ((HELD == One))
+ {
+ ^^LID.LIDB = One
+ }
+ Else
+ {
+ ^^LID.LIDB = Zero
+ Notify (LID, 0x80) // Status Change
+ }
+
+ Notify (^^PCI0.SPI1.NTRG, One) // Device Check
+ }
+
+ Currently, the state of LIDB is wrong until the user actually closes or
+ open the cover. We need to trigger the GPIO event once to update the
+ internal ACPI state.
+
+ Coincidentally, this also enables the Surface 2 integrated HID sensor hub
+ which also requires an ACPI gpio operation region to start initialization.
+
+2) Various Bay Trail based tablets come with an external USB mux and
+ TI T1210B USB phy to enable USB gadget mode. The mux is controlled by a
+ GPIO which is controlled by an edge triggered ACPI Event Interrupt which
+ monitors the micro-USB ID pin.
+
+ When the tablet is connected to a PC (or no cable is plugged in), the ID
+ pin is high and the tablet should be in gadget mode.
But the GPIO + controlling the mux is initialized by the firmware so that the USB data + lines are muxed to the host controller. + + This means that if the user wants to use gadget mode, the user needs to + first plug in a host-cable to force the ID pin low and then unplug it + and connect the tablet to a PC, to get the ACPI event handler to run and + switch the mux to device mode, + +This commit fixes both by running the event-handler once on boot. + +Note that the running of the event-handler is done from a late_initcall, +this is done because the handler AML code may rely on OperationRegions +registered by other builtin drivers. This avoids errors like these: + +[ 0.133026] ACPI Error: No handler for Region [XSCG] ((____ptrval____)) [GenericSerialBus] (20180531/evregion-132) +[ 0.133036] ACPI Error: Region GenericSerialBus (ID=9) has no handler (20180531/exfldio-265) +[ 0.133046] ACPI Error: Method parse/execution failed \_SB.GPO2._E12, AE_NOT_EXIST (20180531/psparse-516) + +Signed-off-by: Benjamin Tissoires +[hdegoede: Document BYT USB mux reliance on initial trigger] +[hdegoede: Run event handler from a late_initcall, rather then immediately] +Signed-off-by: Hans de Goede +Reviewed-by: Andy Shevchenko +Acked-by: Mika Westerberg +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpiolib-acpi.c | 56 +++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 55 insertions(+), 1 deletion(-) + +--- a/drivers/gpio/gpiolib-acpi.c ++++ b/drivers/gpio/gpiolib-acpi.c +@@ -25,6 +25,7 @@ + + struct acpi_gpio_event { + struct list_head node; ++ struct list_head initial_sync_list; + acpi_handle handle; + unsigned int pin; + unsigned int irq; +@@ -50,6 +51,9 @@ struct acpi_gpio_chip { + struct list_head events; + }; + ++static LIST_HEAD(acpi_gpio_initial_sync_list); ++static DEFINE_MUTEX(acpi_gpio_initial_sync_list_lock); ++ + static int acpi_gpiochip_find(struct gpio_chip *gc, void *data) + { + if 
(!gc->parent)
+@@ -142,6 +146,21 @@ static struct gpio_desc *acpi_get_gpiod(
+ return gpiochip_get_desc(chip, offset);
+ }
+
++static void acpi_gpio_add_to_initial_sync_list(struct acpi_gpio_event *event)
++{
++ mutex_lock(&acpi_gpio_initial_sync_list_lock);
++ list_add(&event->initial_sync_list, &acpi_gpio_initial_sync_list);
++ mutex_unlock(&acpi_gpio_initial_sync_list_lock);
++}
++
++static void acpi_gpio_del_from_initial_sync_list(struct acpi_gpio_event *event)
++{
++ mutex_lock(&acpi_gpio_initial_sync_list_lock);
++ if (!list_empty(&event->initial_sync_list))
++ list_del_init(&event->initial_sync_list);
++ mutex_unlock(&acpi_gpio_initial_sync_list_lock);
++}
++
+ static irqreturn_t acpi_gpio_irq_handler(int irq, void *data)
+ {
+ struct acpi_gpio_event *event = data;
+@@ -193,7 +212,7 @@ static acpi_status acpi_gpiochip_request
+ irq_handler_t handler = NULL;
+ struct gpio_desc *desc;
+ unsigned long irqflags;
+- int ret, pin, irq;
++ int ret, pin, irq, value;
+
+ if (!acpi_gpio_get_irq_resource(ares, &agpio))
+ return AE_OK;
+@@ -228,6 +247,8 @@ static acpi_status acpi_gpiochip_request
+
+ gpiod_direction_input(desc);
+
++ value = gpiod_get_value(desc);
++
+ ret = gpiochip_lock_as_irq(chip, pin);
+ if (ret) {
+ dev_err(chip->parent, "Failed to lock GPIO as interrupt\n");
+@@ -269,6 +290,7 @@ static acpi_status acpi_gpiochip_request
+ event->irq = irq;
+ event->pin = pin;
+ event->desc = desc;
++ INIT_LIST_HEAD(&event->initial_sync_list);
+
+ ret = request_threaded_irq(event->irq, NULL, handler, irqflags,
+ "ACPI:Event", event);
+@@ -283,6 +305,18 @@ static acpi_status acpi_gpiochip_request
+ enable_irq_wake(irq);
+
+ list_add_tail(&event->node, &acpi_gpio->events);
++
++ /*
++ * Make sure we trigger the initial state of the IRQ when using RISING
++ * or FALLING. Note we run the handlers on late_init, the AML code
++ * may refer to OperationRegions from other (builtin) drivers which
++ * may be probed after us.
++ */
++ if (handler == acpi_gpio_irq_handler &&
++ (((irqflags & IRQF_TRIGGER_RISING) && value == 1) ||
++ ((irqflags & IRQF_TRIGGER_FALLING) && value == 0)))
++ acpi_gpio_add_to_initial_sync_list(event);
++
+ return AE_OK;
+
+ fail_free_event:
+@@ -355,6 +389,8 @@ void acpi_gpiochip_free_interrupts(struc
+ list_for_each_entry_safe_reverse(event, ep, &acpi_gpio->events, node) {
+ struct gpio_desc *desc;
+
++ acpi_gpio_del_from_initial_sync_list(event);
++
+ if (irqd_is_wakeup_set(irq_get_irq_data(event->irq)))
+ disable_irq_wake(event->irq);
+
+@@ -1210,3 +1246,21 @@ bool acpi_can_fallback_to_crs(struct acp
+
+ return con_id == NULL;
+ }
++
++/* Sync the initial state of handlers after all builtin drivers have probed */
++static int acpi_gpio_initial_sync(void)
++{
++ struct acpi_gpio_event *event, *ep;
++
++ mutex_lock(&acpi_gpio_initial_sync_list_lock);
++ list_for_each_entry_safe(event, ep, &acpi_gpio_initial_sync_list,
++ initial_sync_list) {
++ acpi_evaluate_object(event->handle, NULL, NULL, NULL);
++ list_del_init(&event->initial_sync_list);
++ }
++ mutex_unlock(&acpi_gpio_initial_sync_list_lock);
++
++ return 0;
++}
++/* We must use _sync so that this runs after the first deferred_probe run */
++late_initcall_sync(acpi_gpio_initial_sync);
diff --git a/queue-4.14/hinic-link-the-logical-network-device-to-the-pci-device-in-sysfs.patch b/queue-4.14/hinic-link-the-logical-network-device-to-the-pci-device-in-sysfs.patch
new file mode 100644
index 00000000000..89cd2a38979
--- /dev/null
+++ b/queue-4.14/hinic-link-the-logical-network-device-to-the-pci-device-in-sysfs.patch
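Review bot: Events registered after acpi_gpio_initial_sync() has run are never synced. acpi_gpiochip_request_interrupt() always queues the event on `acpi_gpio_initial_sync_list`, but the list is drained only once, from `late_initcall_sync`, so a GPIO chip whose driver is a module or probes later keeps the stale initial state this commit sets out to fix. A done-flag set under the list mutex lets late registrations run the handler at once, as sketched below; whether evaluating the method directly from the registration path is acceptable for every caller still needs checking. Note also that `value` can presumably be a negative error from gpiod_get_value(), in which case neither trigger branch matches and the event is skipped without a message.

```c
static bool acpi_gpio_initial_sync_done;

static void acpi_gpio_add_to_initial_sync_list(struct acpi_gpio_event *event)
{
	mutex_lock(&acpi_gpio_initial_sync_list_lock);
	if (acpi_gpio_initial_sync_done)
		/* late_initcall_sync has already run: sync this event now */
		acpi_evaluate_object(event->handle, NULL, NULL, NULL);
	else
		list_add(&event->initial_sync_list,
			 &acpi_gpio_initial_sync_list);
	mutex_unlock(&acpi_gpio_initial_sync_list_lock);
}

/* … unchanged: acpi_gpio_del_from_initial_sync_list(), request and free paths … */

static int acpi_gpio_initial_sync(void)
{
	/* … unchanged: take the mutex, walk and empty the list … */
	acpi_gpio_initial_sync_done = true;
	mutex_unlock(&acpi_gpio_initial_sync_list_lock);

	return 0;
}
```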
@@ -0,0 +1,31 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: dann frazier
+Date: Mon, 23 Jul 2018 16:55:40 -0600
+Subject: hinic: Link the logical network device to the pci device in sysfs
+
+From: dann frazier
+
+[ Upstream commit 7856e8616273098dc6c09a6e084afd98a283ff0d ]
+
+Otherwise interfaces get exposed under /sys/devices/virtual, which
+doesn't give udev the context it needs for PCI-based predictable
+interface names.
+
+Signed-off-by: dann frazier
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/huawei/hinic/hinic_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/huawei/hinic/hinic_main.c
++++ b/drivers/net/ethernet/huawei/hinic/hinic_main.c
+@@ -981,6 +981,7 @@ static int nic_dev_init(struct pci_dev *
+ hinic_hwdev_cb_register(nic_dev->hwdev, HINIC_MGMT_MSG_CMD_LINK_STATUS,
+ nic_dev, link_status_event_handler);
+
++ SET_NETDEV_DEV(netdev, &pdev->dev);
+ err = register_netdev(netdev);
+ if (err) {
+ dev_err(&pdev->dev, "Failed to register netdev\n");
diff --git a/queue-4.14/i2c-davinci-avoid-zero-value-of-clkh.patch b/queue-4.14/i2c-davinci-avoid-zero-value-of-clkh.patch
new file mode 100644
index 00000000000..ba20f1e5d1e
--- /dev/null
+++ b/queue-4.14/i2c-davinci-avoid-zero-value-of-clkh.patch
@@ -0,0 +1,42 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Alexander Sverdlin
+Date: Fri, 13 Jul 2018 17:20:17 +0200
+Subject: i2c: davinci: Avoid zero value of CLKH
+
+From: Alexander Sverdlin
+
+[ Upstream commit cc8de9a68599b261244ea453b38678229f06ada7 ]
+
+If CLKH is set to 0 I2C clock is not generated at all, so avoid this value
+and stretch the clock in this case.
+
+Signed-off-by: Alexander Sverdlin
+Acked-by: Sekhar Nori
+Signed-off-by: Wolfram Sang
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/i2c/busses/i2c-davinci.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-davinci.c
++++ b/drivers/i2c/busses/i2c-davinci.c
+@@ -234,12 +234,16 @@ static void i2c_davinci_calc_clk_divider
+ /*
+ * It's not always possible to have 1 to 2 ratio when d=7, so fall back
+ * to minimal possible clkh in this case.
++ *
++ * Note:
++ * CLKH is not allowed to be 0, in this case I2C clock is not generated
++ * at all
+ */
+- if (clk >= clkl + d) {
++ if (clk > clkl + d) {
+ clkh = clk - clkl - d;
+ clkl -= d;
+ } else {
+- clkh = 0;
++ clkh = 1;
+ clkl = clk - (d << 1);
+ }
+
diff --git a/queue-4.14/i2c-mux-locking-core-annotate-the-nested-rt_mutex-usage.patch b/queue-4.14/i2c-mux-locking-core-annotate-the-nested-rt_mutex-usage.patch
new file mode 100644
index 00000000000..51430691f77
--- /dev/null
+++ b/queue-4.14/i2c-mux-locking-core-annotate-the-nested-rt_mutex-usage.patch
@@ -0,0 +1,111 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Peter Rosin
+Date: Fri, 20 Jul 2018 10:39:14 +0200
+Subject: i2c/mux, locking/core: Annotate the nested rt_mutex usage
+
+From: Peter Rosin
+
+[ Upstream commit 7b94ea50514d1a0dc94f02723b603c27bc0ea597 ]
+
+If an i2c topology has instances of nested muxes, then a lockdep splat
+is produced when when i2c_parent_lock_bus() is called. Here is an
+example:
+
+ ============================================
+ WARNING: possible recursive locking detected
+ --------------------------------------------
+ insmod/68159 is trying to acquire lock:
+ (i2c_register_adapter#2){+.+.}, at: i2c_parent_lock_bus+0x32/0x50 [i2c_mux]
+
+ but task is already holding lock:
+ (i2c_register_adapter#2){+.+.}, at: i2c_parent_lock_bus+0x32/0x50 [i2c_mux]
+
+ other info that might help us debug this:
+ Possible unsafe locking scenario:
+
+ CPU0
+ ----
+ lock(i2c_register_adapter#2);
+ lock(i2c_register_adapter#2);
+
+ *** DEADLOCK ***
+
+ May be due to missing lock nesting notation
+
+ 1 lock held by insmod/68159:
+ #0: (i2c_register_adapter#2){+.+.}, at: i2c_parent_lock_bus+0x32/0x50 [i2c_mux]
+
+ stack backtrace:
+ CPU: 13 PID: 68159 Comm: insmod Tainted: G O
+ Call Trace:
+ dump_stack+0x67/0x98
+ __lock_acquire+0x162e/0x1780
+ lock_acquire+0xba/0x200
+ rt_mutex_lock+0x44/0x60
+ i2c_parent_lock_bus+0x32/0x50 [i2c_mux]
+ i2c_parent_lock_bus+0x3e/0x50 [i2c_mux]
+ i2c_smbus_xfer+0xf0/0x700
+ i2c_smbus_read_byte+0x42/0x70
+ my2c_init+0xa2/0x1000 [my2c]
+ do_one_initcall+0x51/0x192
+ do_init_module+0x62/0x216
+ load_module+0x20f9/0x2b50
+ SYSC_init_module+0x19a/0x1c0
+ SyS_init_module+0xe/0x10
+ do_syscall_64+0x6c/0x1a0
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+
+Reported-by: John Sperbeck
+Tested-by: John Sperbeck
+Signed-off-by: Peter Rosin
+Signed-off-by: Peter Zijlstra (Intel)
+Cc: Davidlohr Bueso
+Cc: Deepa Dinamani
+Cc: Greg Kroah-Hartman
+Cc: Linus Torvalds
+Cc: Peter Chang
+Cc: Peter Zijlstra
+Cc: Philippe Ombredanne
+Cc:
Thomas Gleixner
+Cc: Will Deacon
+Cc: Wolfram Sang
+Link: http://lkml.kernel.org/r/20180720083914.1950-3-peda@axentia.se
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/i2c/i2c-core-base.c | 2 +-
+ drivers/i2c/i2c-mux.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/i2c/i2c-core-base.c
++++ b/drivers/i2c/i2c-core-base.c
+@@ -638,7 +638,7 @@ static int i2c_check_addr_busy(struct i2
+ static void i2c_adapter_lock_bus(struct i2c_adapter *adapter,
+ unsigned int flags)
+ {
+- rt_mutex_lock(&adapter->bus_lock);
++ rt_mutex_lock_nested(&adapter->bus_lock, i2c_adapter_depth(adapter));
+ }
+
+ /**
+--- a/drivers/i2c/i2c-mux.c
++++ b/drivers/i2c/i2c-mux.c
+@@ -144,7 +144,7 @@ static void i2c_mux_lock_bus(struct i2c_
+ struct i2c_mux_priv *priv = adapter->algo_data;
+ struct i2c_adapter *parent = priv->muxc->parent;
+
+- rt_mutex_lock(&parent->mux_lock);
++ rt_mutex_lock_nested(&parent->mux_lock, i2c_adapter_depth(adapter));
+ if (!(flags & I2C_LOCK_ROOT_ADAPTER))
+ return;
+ i2c_lock_bus(parent, flags);
+@@ -181,7 +181,7 @@ static void i2c_parent_lock_bus(struct i
+ struct i2c_mux_priv *priv = adapter->algo_data;
+ struct i2c_adapter *parent = priv->muxc->parent;
+
+- rt_mutex_lock(&parent->mux_lock);
++ rt_mutex_lock_nested(&parent->mux_lock, i2c_adapter_depth(adapter));
+ i2c_lock_bus(parent, flags);
+ }
+
diff --git a/queue-4.14/ipc-sem.c-prevent-queue.status-tearing-in-semop.patch b/queue-4.14/ipc-sem.c-prevent-queue.status-tearing-in-semop.patch
new file mode 100644
index 00000000000..cae6da4baff
--- /dev/null
+++ b/queue-4.14/ipc-sem.c-prevent-queue.status-tearing-in-semop.patch
@@ -0,0 +1,36 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Davidlohr Bueso
+Date: Thu, 26 Jul 2018 16:37:19 -0700
+Subject: ipc/sem.c: prevent queue.status tearing in semop
+
+From: Davidlohr Bueso
+
+[ Upstream commit f075faa300acc4f6301e348acde0a4580ed5f77c ]
+
+In order for load/store tearing prevention to work, _all_ accesses to
+the variable in question need to be done around READ and WRITE_ONCE()
+macros. Ensure everyone does so for q->status variable for
+semtimedop().
+
+Link: http://lkml.kernel.org/r/20180717052654.676-1-dave@stgolabs.net
+Signed-off-by: Davidlohr Bueso
+Cc: Manfred Spraul
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ ipc/sem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/ipc/sem.c
++++ b/ipc/sem.c
+@@ -2041,7 +2041,7 @@ static long do_semtimedop(int semid, str
+ }
+
+ do {
+- queue.status = -EINTR;
++ WRITE_ONCE(queue.status, -EINTR);
+ queue.sleeper = current;
+
+ __set_current_state(TASK_INTERRUPTIBLE);
diff --git a/queue-4.14/kvm-vmx-use-local-variable-for-current_vmptr-when-emulating-vmptrst.patch b/queue-4.14/kvm-vmx-use-local-variable-for-current_vmptr-when-emulating-vmptrst.patch
new file mode 100644
index 00000000000..db795dbe4fb
--- /dev/null
+++ b/queue-4.14/kvm-vmx-use-local-variable-for-current_vmptr-when-emulating-vmptrst.patch
@@ -0,0 +1,59 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Sean Christopherson
+Date: Thu, 19 Jul 2018 10:31:00 -0700
+Subject: KVM: vmx: use local variable for current_vmptr when emulating VMPTRST
+
+From: Sean Christopherson
+
+[ Upstream commit 0a06d4256674c4e041945b52044941995fee237d ]
+
+Do not expose the address of vmx->nested.current_vmptr to
+kvm_write_guest_virt_system() as the resulting __copy_to_user()
+call will trigger a WARN when CONFIG_HARDENED_USERCOPY is
+enabled.
+
+Opportunistically clean up variable names in handle_vmptrst()
+to improve readability, e.g. vmcs_gva is misleading as the
+memory operand of VMPTRST is plain memory, not a VMCS.
+
+Signed-off-by: Sean Christopherson
+Tested-by: Peter Shier
+Reviewed-by: Peter Shier
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/vmx.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -8108,21 +8108,20 @@ static int handle_vmptrld(struct kvm_vcp
+ /* Emulate the VMPTRST instruction */
+ static int handle_vmptrst(struct kvm_vcpu *vcpu)
+ {
+- unsigned long exit_qualification = vmcs_readl(EXIT_QUALIFICATION);
+- u32 vmx_instruction_info = vmcs_read32(VMX_INSTRUCTION_INFO);
+- gva_t vmcs_gva;
++ unsigned long exit_qual = vmcs_readl(EXIT_QUALIFICATION);
++ u32 instr_info = vmcs_read32(VMX_INSTRUCTION_INFO);
++ gpa_t current_vmptr = to_vmx(vcpu)->nested.current_vmptr;
+ struct x86_exception e;
++ gva_t gva;
+
+ if (!nested_vmx_check_permission(vcpu))
+ return 1;
+
+- if (get_vmx_mem_address(vcpu, exit_qualification,
+- vmx_instruction_info, true, &vmcs_gva))
++ if (get_vmx_mem_address(vcpu, exit_qual, instr_info, true, &gva))
+ return 1;
+ /* *_system ok, nested_vmx_check_permission has verified cpl=0 */
+- if (kvm_write_guest_virt_system(vcpu, vmcs_gva,
+- (void *)&to_vmx(vcpu)->nested.current_vmptr,
+- sizeof(u64), &e)) {
++ if
(kvm_write_guest_virt_system(vcpu, gva, (void *)¤t_vmptr,
++ sizeof(gpa_t), &e)) {
+ kvm_inject_page_fault(vcpu, &e);
+ return 1;
+ }
diff --git a/queue-4.14/locking-rtmutex-allow-specifying-a-subclass-for-nested-locking.patch b/queue-4.14/locking-rtmutex-allow-specifying-a-subclass-for-nested-locking.patch
new file mode 100644
index 00000000000..4d91712233b
--- /dev/null
+++ b/queue-4.14/locking-rtmutex-allow-specifying-a-subclass-for-nested-locking.patch
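Review bot: The length passed to kvm_write_guest_virt_system() changed from `sizeof(u64)` to `sizeof(gpa_t)`, which ties the size of the VMPTRST store (previously a fixed 64-bit write) to a kernel typedef whose definition is not in this hunk. Writing `sizeof(current_vmptr)` keeps the length bound to the object actually being copied, and a `BUILD_BUG_ON(sizeof(gpa_t) != sizeof(u64));` beside it would state the assumption instead of leaving it implicit. The tail of handle_vmptrst() is outside the hunk.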
@@ -0,0 +1,97 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Peter Rosin
+Date: Fri, 20 Jul 2018 10:39:13 +0200
+Subject: locking/rtmutex: Allow specifying a subclass for nested locking
+
+From: Peter Rosin
+
+[ Upstream commit 62cedf3e60af03e47849fe2bd6a03ec179422a8a ]
+
+Needed for annotating rt_mutex locks.
+
+Tested-by: John Sperbeck
+Signed-off-by: Peter Rosin
+Signed-off-by: Peter Zijlstra (Intel)
+Cc: Davidlohr Bueso
+Cc: Deepa Dinamani
+Cc: Greg Kroah-Hartman
+Cc: Linus Torvalds
+Cc: Peter Chang
+Cc: Peter Zijlstra
+Cc: Philippe Ombredanne
+Cc: Thomas Gleixner
+Cc: Will Deacon
+Cc: Wolfram Sang
+Link: http://lkml.kernel.org/r/20180720083914.1950-2-peda@axentia.se
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/rtmutex.h | 7 +++++++
+ kernel/locking/rtmutex.c | 29 +++++++++++++++++++++++++----
+ 2 files changed, 32 insertions(+), 4 deletions(-)
+
+--- a/include/linux/rtmutex.h
++++ b/include/linux/rtmutex.h
+@@ -106,7 +106,14 @@ static inline int rt_mutex_is_locked(str
+ extern void __rt_mutex_init(struct rt_mutex *lock, const char *name, struct lock_class_key *key);
+ extern void rt_mutex_destroy(struct rt_mutex *lock);
+
++#ifdef CONFIG_DEBUG_LOCK_ALLOC
++extern void rt_mutex_lock_nested(struct rt_mutex *lock, unsigned int subclass);
++#define rt_mutex_lock(lock) rt_mutex_lock_nested(lock, 0)
++#else
+ extern void rt_mutex_lock(struct rt_mutex *lock);
++#define rt_mutex_lock_nested(lock, subclass) rt_mutex_lock(lock)
++#endif
++
+ extern int rt_mutex_lock_interruptible(struct rt_mutex *lock);
+ extern int rt_mutex_timed_lock(struct rt_mutex *lock,
+ struct hrtimer_sleeper *timeout);
+--- a/kernel/locking/rtmutex.c
++++ b/kernel/locking/rtmutex.c
+@@ -1466,6 +1466,29 @@ rt_mutex_fastunlock(struct rt_mutex *loc
+ rt_mutex_postunlock(&wake_q);
+ }
+
++static inline void __rt_mutex_lock(struct rt_mutex *lock, unsigned int subclass)
++{
++ might_sleep();
++
++ mutex_acquire(&lock->dep_map,
subclass, 0, _RET_IP_);
++ rt_mutex_fastlock(lock, TASK_UNINTERRUPTIBLE, rt_mutex_slowlock);
++}
++
++#ifdef CONFIG_DEBUG_LOCK_ALLOC
++/**
++ * rt_mutex_lock_nested - lock a rt_mutex
++ *
++ * @lock: the rt_mutex to be locked
++ * @subclass: the lockdep subclass
++ */
++void __sched rt_mutex_lock_nested(struct rt_mutex *lock, unsigned int subclass)
++{
++ __rt_mutex_lock(lock, subclass);
++}
++EXPORT_SYMBOL_GPL(rt_mutex_lock_nested);
++#endif
++
++#ifndef CONFIG_DEBUG_LOCK_ALLOC
+ /**
+ * rt_mutex_lock - lock a rt_mutex
+ *
+@@ -1473,12 +1496,10 @@ rt_mutex_fastunlock(struct rt_mutex *loc
+ */
+ void __sched rt_mutex_lock(struct rt_mutex *lock)
+ {
+- might_sleep();
+-
+- mutex_acquire(&lock->dep_map, 0, 0, _RET_IP_);
+- rt_mutex_fastlock(lock, TASK_UNINTERRUPTIBLE, rt_mutex_slowlock);
++ __rt_mutex_lock(lock, 0);
+ }
+ EXPORT_SYMBOL_GPL(rt_mutex_lock);
++#endif
+
+ /**
+ * rt_mutex_lock_interruptible - lock a rt_mutex interruptible
diff --git a/queue-4.14/mac80211-add-stations-tied-to-ap_vlans-during-hw-reconfig.patch b/queue-4.14/mac80211-add-stations-tied-to-ap_vlans-during-hw-reconfig.patch
new file mode 100644
index 00000000000..2d3422a3e73
--- /dev/null
+++ b/queue-4.14/mac80211-add-stations-tied-to-ap_vlans-during-hw-reconfig.patch
@@ -0,0 +1,80 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: "mpubbise@codeaurora.org"
+Date: Mon, 2 Jul 2018 15:40:14 +0530
+Subject: mac80211: add stations tied to AP_VLANs during hw reconfig
+
+From: "mpubbise@codeaurora.org"
+
+[ Upstream commit 19103a4bfb42f320395daa5616ece3e89e759d63 ]
+
+As part of hw reconfig, only stations linked to AP interfaces are added
+back to the driver ignoring those which are tied to AP_VLAN interfaces.
+
+It is true that there could be stations tied to the AP_VLAN interface while
+serving 4addr clients or when using AP_VLAN for VLAN operations; we should
+be adding these stations back to the driver as part of hw reconfig, failing
+to do so can cause functional issues.
+
+In the case of ath10k driver, the following errors were observed.
+
+ath10k_pci : failed to install key for non-existent peer XX:XX:XX:XX:XX:XX
+Workqueue: events_freezable ieee80211_restart_work [mac80211]
+(unwind_backtrace) from (show_stack+0x10/0x14)
+(show_stack) (dump_stack+0x80/0xa0)
+(dump_stack) (warn_slowpath_common+0x68/0x8c)
+(warn_slowpath_common) (warn_slowpath_null+0x18/0x20)
+(warn_slowpath_null) (ieee80211_enable_keys+0x88/0x154 [mac80211])
+(ieee80211_enable_keys) (ieee80211_reconfig+0xc90/0x19c8 [mac80211])
+(ieee80211_reconfig]) (ieee80211_restart_work+0x8c/0xa0 [mac80211])
+(ieee80211_restart_work) (process_one_work+0x284/0x488)
+(process_one_work) (worker_thread+0x228/0x360)
+(worker_thread) (kthread+0xd8/0xec)
+(kthread) (ret_from_fork+0x14/0x24)
+
+Also while bringing down the AP VAP, WARN_ONs and errors related to peer
+removal were observed.
+
+ath10k_pci : failed to clear all peer wep keys for vdev 0: -2
+ath10k_pci : failed to disassociate station: 8c:fd:f0:0a:8c:f5 vdev 0: -2
+(unwind_backtrace) (show_stack+0x10/0x14)
+(show_stack) (dump_stack+0x80/0xa0)
+(dump_stack) (warn_slowpath_common+0x68/0x8c)
+(warn_slowpath_common) (warn_slowpath_null+0x18/0x20)
+(warn_slowpath_null) (sta_set_sinfo+0xb98/0xc9c [mac80211])
+(sta_set_sinfo [mac80211]) (__sta_info_flush+0xf0/0x134 [mac80211])
+(__sta_info_flush [mac80211]) (ieee80211_stop_ap+0xe8/0x390 [mac80211])
+(ieee80211_stop_ap [mac80211]) (__cfg80211_stop_ap+0xe0/0x3dc [cfg80211])
+(__cfg80211_stop_ap [cfg80211]) (cfg80211_stop_ap+0x30/0x44 [cfg80211])
+(cfg80211_stop_ap [cfg80211]) (genl_rcv_msg+0x274/0x30c)
+(genl_rcv_msg) (netlink_rcv_skb+0x58/0xac)
+(netlink_rcv_skb) (genl_rcv+0x20/0x34)
+(genl_rcv) (netlink_unicast+0x11c/0x204)
+(netlink_unicast) (netlink_sendmsg+0x30c/0x370)
+(netlink_sendmsg) (sock_sendmsg+0x70/0x84)
+(sock_sendmsg) (___sys_sendmsg.part.3+0x188/0x228)
+(___sys_sendmsg.part.3) (__sys_sendmsg+0x4c/0x70)
+(__sys_sendmsg) (ret_fast_syscall+0x0/0x44)
+
+These issues got fixed by adding the stations which are
+tied to AP_VLANs back to the driver.
+
+Signed-off-by: Manikanta Pubbisetty
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mac80211/util.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/mac80211/util.c
++++ b/net/mac80211/util.c
+@@ -2068,7 +2068,8 @@ int ieee80211_reconfig(struct ieee80211_
+ if (!sta->uploaded)
+ continue;
+
+- if (sta->sdata->vif.type != NL80211_IFTYPE_AP)
++ if (sta->sdata->vif.type != NL80211_IFTYPE_AP &&
++ sta->sdata->vif.type != NL80211_IFTYPE_AP_VLAN)
+ continue;
+
+ for (state = IEEE80211_STA_NOTEXIST;
diff --git a/queue-4.14/media-staging-omap4iss-include-asm-cacheflush.h-after-generic-includes.patch b/queue-4.14/media-staging-omap4iss-include-asm-cacheflush.h-after-generic-includes.patch
new file mode 100644
index 00000000000..25ab2025786
--- /dev/null
+++ b/queue-4.14/media-staging-omap4iss-include-asm-cacheflush.h-after-generic-includes.patch
@@ -0,0 +1,65 @@ +From foo@baz Sun Aug 26 09:13:00 CEST 2018 +From: Guenter Roeck +Date: Mon, 23 Jul 2018 14:39:33 -0700 +Subject: media: staging: omap4iss: Include asm/cacheflush.h after generic includes + +From: Guenter Roeck + +[ Upstream commit 0894da849f145af51bde88a6b84f95b9c9e0bc66 ] + +Including asm/cacheflush.h first results in the following build error +when trying to build sparc32:allmodconfig, because 'struct page' has not +been declared, and the function declaration ends up creating a separate +(private) declaration of struct page (as a result of function arguments +being in the scope of the function declaration and definition, not in +global scope). + +The C scoping rules do not just affect variable visibility, they also +affect type declaration visibility. + +The end result is that when the actual call site is seen in +, the 'struct page' type in the caller is not the same +'struct page' that the function was declared with, resulting in: + + In file included from arch/sparc/include/asm/page.h:10:0, + ... + from drivers/staging/media/omap4iss/iss_video.c:15: + include/linux/highmem.h: In function 'clear_user_highpage': + include/linux/highmem.h:137:31: error: + passing argument 1 of 'sparc_flush_page_to_ram' from incompatible + pointer type + +Include generic includes files first to fix the problem. + +Fixes: fc96d58c10162 ("[media] v4l: omap4iss: Add support for OMAP4 camera interface - Video devices") +Suggested-by: Linus Torvalds +Acked-by: David S. Miller +Cc: Randy Dunlap +Signed-off-by: Guenter Roeck +[ Added explanation of C scope rules - Linus ] +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/media/omap4iss/iss_video.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/staging/media/omap4iss/iss_video.c ++++ b/drivers/staging/media/omap4iss/iss_video.c +@@ -11,7 +11,6 @@ + * (at your option) any later version. 
+ */ + +-#include + #include + #include + #include +@@ -24,6 +23,8 @@ + #include + #include + ++#include ++ + #include "iss_video.h" + #include "iss.h" + diff --git a/queue-4.14/memcg-remove-memcg_cgroup-id-from-idr-on-mem_cgroup_css_alloc-failure.patch b/queue-4.14/memcg-remove-memcg_cgroup-id-from-idr-on-mem_cgroup_css_alloc-failure.patch new file mode 100644 index 00000000000..9a06aa8fb0f --- /dev/null +++ b/queue-4.14/memcg-remove-memcg_cgroup-id-from-idr-on-mem_cgroup_css_alloc-failure.patch 
@@ -0,0 +1,76 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Kirill Tkhai
+Date: Thu, 2 Aug 2018 15:36:01 -0700
+Subject: memcg: remove memcg_cgroup::id from IDR on mem_cgroup_css_alloc() failure
+
+From: Kirill Tkhai
+
+[ Upstream commit 7e97de0b033bcac4fa9a35cef72e0c06e6a22c67 ]
+
+In case of memcg_online_kmem() failure, memcg_cgroup::id remains hashed
+in mem_cgroup_idr even after memcg memory is freed. This leads to leak
+of ID in mem_cgroup_idr.
+
+This patch adds removal into mem_cgroup_css_alloc(), which fixes the
+problem. For better readability, it adds a generic helper which is used
+in mem_cgroup_alloc() and mem_cgroup_id_put_many() as well.
+
+Link: http://lkml.kernel.org/r/152354470916.22460.14397070748001974638.stgit@localhost.localdomain
+Fixes 73f576c04b94 ("mm: memcontrol: fix cgroup creation failure after many small jobs")
+Signed-off-by: Kirill Tkhai
+Acked-by: Johannes Weiner
+Acked-by: Vladimir Davydov
+Cc: Michal Hocko
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/memcontrol.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -4110,6 +4110,14 @@ static struct cftype mem_cgroup_legacy_f
+
+ static DEFINE_IDR(mem_cgroup_idr);
+
++static void mem_cgroup_id_remove(struct mem_cgroup *memcg)
++{
++ if (memcg->id.id > 0) {
++ idr_remove(&mem_cgroup_idr, memcg->id.id);
++ memcg->id.id = 0;
++ }
++}
++
+ static void mem_cgroup_id_get_many(struct mem_cgroup *memcg, unsigned int n)
+ {
+ VM_BUG_ON(atomic_read(&memcg->id.ref) <= 0);
+@@ -4120,8 +4128,7 @@ static void mem_cgroup_id_put_many(struc
+ {
+ VM_BUG_ON(atomic_read(&memcg->id.ref) < n);
+ if (atomic_sub_and_test(n, &memcg->id.ref)) {
+- idr_remove(&mem_cgroup_idr, memcg->id.id);
+- memcg->id.id = 0;
++ mem_cgroup_id_remove(memcg);
+
+ /* Memcg ID pins CSS */
+ css_put(&memcg->css);
+@@ -4258,8 +4265,7 @@ static struct mem_cgroup *mem_cgroup_all
+ idr_replace(&mem_cgroup_idr, memcg, memcg->id.id);
+ return memcg;
+ fail:
+- if (memcg->id.id > 0)
+- idr_remove(&mem_cgroup_idr, memcg->id.id);
++ mem_cgroup_id_remove(memcg);
+ __mem_cgroup_free(memcg);
+ return NULL;
+ }
+@@ -4318,6 +4324,7 @@ mem_cgroup_css_alloc(struct cgroup_subsy
+
+ return &memcg->css;
+ fail:
++ mem_cgroup_id_remove(memcg);
+ mem_cgroup_free(memcg);
+ return ERR_PTR(-ENOMEM);
+ }
diff --git a/queue-4.14/mm-delete-historical-bug-from-zap_pmd_range.patch b/queue-4.14/mm-delete-historical-bug-from-zap_pmd_range.patch
new file mode 100644
index 00000000000..256f04a2887
--- /dev/null
+++ b/queue-4.14/mm-delete-historical-bug-from-zap_pmd_range.patch
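Review bot: `mem_cgroup_id_remove()` is added without a comment, yet its `memcg->id.id > 0` guard and the reset to 0 are what make it safe to call from both `fail:` labels and from mem_cgroup_id_put_many(); a line above the helper such as `/* Drop memcg's ID from mem_cgroup_idr; a no-op when no ID is (or is no longer) allocated. */` would record that contract. In mem_cgroup_css_alloc() the ID was already published by the `idr_replace()` shown as context in mem_cgroup_alloc(), so a lookup by ID that ran before the new removal could, in principle, still hold the pointer when mem_cgroup_free() runs. Whether such a lookup is possible before the css is online is decided outside these hunks and is worth confirming for the backport.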
@@ -0,0 +1,55 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Hugh Dickins
+Date: Wed, 1 Aug 2018 11:31:52 -0700
+Subject: mm: delete historical BUG from zap_pmd_range()
+
+From: Hugh Dickins
+
+[ Upstream commit 53406ed1bcfdabe4b5bc35e6d17946c6f9f563e2 ]
+
+Delete the old VM_BUG_ON_VMA() from zap_pmd_range(), which asserted
+that mmap_sem must be held when splitting an "anonymous" vma there.
+Whether that's still strictly true nowadays is not entirely clear,
+but the danger of sometimes crashing on the BUG is now fairly clear.
+
+Even with the new stricter rules for anonymous vma marking, the
+condition it checks for can possible trigger. Commit 44960f2a7b63
+("staging: ashmem: Fix SIGBUS crash when traversing mmaped ashmem
+pages") is good, and originally I thought it was safe from that
+VM_BUG_ON_VMA(), because the /dev/ashmem fd exposed to the user is
+disconnected from the vm_file in the vma, and madvise(,,MADV_REMOVE)
+insists on VM_SHARED.
+
+But after I read John's earlier mail, drawing attention to the
+vfs_fallocate() in there: I may be wrong, and I don't know if Android
+has THP in the config anyway, but it looks to me like an
+unmap_mapping_range() from ashmem's vfs_fallocate() could hit precisely
+the VM_BUG_ON_VMA(), once it's vma_is_anonymous().
+
+Signed-off-by: Hugh Dickins
+Cc: John Stultz
+Cc: Kirill Shutemov
+Cc: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/memory.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -1417,11 +1417,9 @@ static inline unsigned long zap_pmd_rang
+ do {
+ next = pmd_addr_end(addr, end);
+ if (is_swap_pmd(*pmd) || pmd_trans_huge(*pmd) || pmd_devmap(*pmd)) {
+- if (next - addr != HPAGE_PMD_SIZE) {
+- VM_BUG_ON_VMA(vma_is_anonymous(vma) &&
+- !rwsem_is_locked(&tlb->mm->mmap_sem), vma);
++ if (next - addr != HPAGE_PMD_SIZE)
+ __split_huge_pmd(vma, pmd, addr, false, NULL);
+- } else if (zap_huge_pmd(tlb, vma, pmd, addr))
++ else if (zap_huge_pmd(tlb, vma, pmd, addr))
+ goto next;
+ /* fall through */
+ }
diff --git a/queue-4.14/mm-memory.c-check-return-value-of-ioremap_prot.patch b/queue-4.14/mm-memory.c-check-return-value-of-ioremap_prot.patch
new file mode 100644
index 00000000000..7d1864b05cd
--- /dev/null
+++ b/queue-4.14/mm-memory.c-check-return-value-of-ioremap_prot.patch
@@ -0,0 +1,38 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: "jie@chenjie6@huwei.com"
+Date: Fri, 10 Aug 2018 17:23:06 -0700
+Subject: mm/memory.c: check return value of ioremap_prot
+
+From: "jie@chenjie6@huwei.com"
+
+[ Upstream commit 24eee1e4c47977bdfb71d6f15f6011e7b6188d04 ]
+
+ioremap_prot() can return NULL which could lead to an oops.
+
+Link: http://lkml.kernel.org/r/1533195441-58594-1-git-send-email-chenjie6@huawei.com
+Signed-off-by: chen jie
+Reviewed-by: Andrew Morton
+Cc: Li Zefan
+Cc: chenjie
+Cc: Yang Shi
+Cc: Alexey Dobriyan
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/memory.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -4348,6 +4348,9 @@ int generic_access_phys(struct vm_area_s
+ return -EINVAL;
+
+ maddr = ioremap_prot(phys_addr, PAGE_ALIGN(len + offset), prot);
++ if (!maddr)
++ return -ENOMEM;
++
+ if (write)
+ memcpy_toio(maddr + offset, buf, len);
+ else
diff --git a/queue-4.14/nbd-don-t-requeue-the-same-request-twice.patch b/queue-4.14/nbd-don-t-requeue-the-same-request-twice.patch
new file mode 100644
index 00000000000..28d831a1b1a
--- /dev/null
+++ b/queue-4.14/nbd-don-t-requeue-the-same-request-twice.patch
@@ -0,0 +1,116 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Josef Bacik
+Date: Mon, 16 Jul 2018 12:11:34 -0400
+Subject: nbd: don't requeue the same request twice.
+
+From: Josef Bacik
+
+[ Upstream commit d7d94d48a272fd7583dc3c83acb8f5ed4ef456a4 ]
+
+We can race with the snd timeout and the per-request timeout and end up
+requeuing the same request twice. We can't use the send_complete
+completion to tell if everything is ok because we hold the tx_lock
+during send, so the timeout stuff will block waiting to mark the socket
+dead, and we could be marked complete and still requeue. Instead add a
+flag to the socket so we know whether we've been requeued yet.
+
+Signed-off-by: Josef Bacik
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/block/nbd.c | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -112,12 +112,15 @@ struct nbd_device {
+ struct task_struct *task_setup;
+ };
+
++#define NBD_CMD_REQUEUED 1
++
+ struct nbd_cmd {
+ struct nbd_device *nbd;
+ int index;
+ int cookie;
+ struct completion send_complete;
+ blk_status_t status;
++ unsigned long flags;
+ };
+
+ #if IS_ENABLED(CONFIG_DEBUG_FS)
+@@ -146,6 +149,14 @@ static inline struct device *nbd_to_dev(
+ return disk_to_dev(nbd->disk);
+ }
+
++static void nbd_requeue_cmd(struct nbd_cmd *cmd)
++{
++ struct request *req = blk_mq_rq_from_pdu(cmd);
++
++ if (!test_and_set_bit(NBD_CMD_REQUEUED, &cmd->flags))
++ blk_mq_requeue_request(req, true);
++}
++
+ static const char *nbdcmd_to_ascii(int cmd)
+ {
+ switch (cmd) {
+@@ -328,7 +339,7 @@ static enum blk_eh_timer_return nbd_xmit
+ nbd_mark_nsock_dead(nbd, nsock, 1);
+ mutex_unlock(&nsock->tx_lock);
+ }
+- blk_mq_requeue_request(req, true);
++ nbd_requeue_cmd(cmd);
+ nbd_config_put(nbd);
+ return BLK_EH_NOT_HANDLED;
+ }
+@@ -484,6 +495,7 @@ static int nbd_send_cmd(struct nbd_devic
+ nsock->pending = req;
+ nsock->sent = sent;
+ }
++ set_bit(NBD_CMD_REQUEUED, &cmd->flags);
+ return BLK_STS_RESOURCE;
+ }
+ dev_err_ratelimited(disk_to_dev(nbd->disk),
+@@ -525,6 +537,7 @@ send_pages:
+ */
+ nsock->pending = req;
+ nsock->sent = sent;
++ set_bit(NBD_CMD_REQUEUED, &cmd->flags);
+ return BLK_STS_RESOURCE;
+ }
+ dev_err(disk_to_dev(nbd->disk),
+@@ -793,7 +806,7 @@ again:
+ */
+ blk_mq_start_request(req);
+ if (unlikely(nsock->pending && nsock->pending != req)) {
+- blk_mq_requeue_request(req, true);
++ nbd_requeue_cmd(cmd);
+ ret = 0;
+ goto out;
+ }
+@@ -806,7 +819,7 @@ again:
+ dev_err_ratelimited(disk_to_dev(nbd->disk),
+ "Request send failed, requeueing\n");
+ nbd_mark_nsock_dead(nbd, nsock, 1);
+- blk_mq_requeue_request(req, true);
++ nbd_requeue_cmd(cmd);
+ ret = 0;
+ }
+ out:
+@@ -831,6 +844,7 @@ static blk_status_t nbd_queue_rq(struct
+ * done sending everything over the wire.
+ */
+ init_completion(&cmd->send_complete);
++ clear_bit(NBD_CMD_REQUEUED, &cmd->flags);
+
+ /* We can be called directly from the user space process, which means we
+ * could possibly have signals pending so our sendmsg will fail. In
+@@ -1446,6 +1460,7 @@ static int nbd_init_request(struct blk_m
+ {
+ struct nbd_cmd *cmd = blk_mq_rq_to_pdu(rq);
+ cmd->nbd = set->driver_data;
++ cmd->flags = 0;
+ return 0;
+ }
+
diff --git a/queue-4.14/nbd-handle-unexpected-replies-better.patch b/queue-4.14/nbd-handle-unexpected-replies-better.patch
new file mode 100644
index 00000000000..c1dab993b58
--- /dev/null
+++ b/queue-4.14/nbd-handle-unexpected-replies-better.patch
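Review bot: `NBD_CMD_REQUEUED` is passed to `set_bit()`, `test_and_set_bit()` and `clear_bit()` as a bit number, not a mask, and neither the define nor the new `flags` field says so. A comment such as `/* bit numbers for nbd_cmd.flags */` above the define would keep a later flag from being added as a mask value. A one-line comment on `nbd_requeue_cmd()` would also help, stating that it requeues at most once until nbd_queue_rq() clears the bit again. The two `set_bit()` calls in nbd_send_cmd() mark the command as requeued on the BLK_STS_RESOURCE returns, and those function bodies continue outside the hunks shown.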
@@ -0,0 +1,228 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Josef Bacik
+Date: Mon, 16 Jul 2018 12:11:35 -0400
+Subject: nbd: handle unexpected replies better
+
+From: Josef Bacik
+
+[ Upstream commit 8f3ea35929a0806ad1397db99a89ffee0140822a ]
+
+If the server or network is misbehaving and we get an unexpected reply
+we can sometimes miss the request not being started and wait on a
+request and never get a response, or even double complete the same
+request. Fix this by replacing the send_complete completion with just a
+per command lock. Add a per command cookie as well so that we can know
+if we're getting a double completion for a previous event. Also check
+to make sure we dont have REQUEUED set as that means we raced with the
+timeout handler and need to just let the retry occur.
+
+Signed-off-by: Josef Bacik
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/block/nbd.c | 75 ++++++++++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 61 insertions(+), 14 deletions(-)
+
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -116,11 +116,12 @@ struct nbd_device {
+
+ struct nbd_cmd {
+ struct nbd_device *nbd;
++ struct mutex lock;
+ int index;
+ int cookie;
+- struct completion send_complete;
+ blk_status_t status;
+ unsigned long flags;
++ u32 cmd_cookie;
+ };
+
+ #if IS_ENABLED(CONFIG_DEBUG_FS)
+@@ -157,6 +158,27 @@ static void nbd_requeue_cmd(struct nbd_c
+ blk_mq_requeue_request(req, true);
+ }
+
++#define NBD_COOKIE_BITS 32
++
++static u64 nbd_cmd_handle(struct nbd_cmd *cmd)
++{
++ struct request *req = blk_mq_rq_from_pdu(cmd);
++ u32 tag = blk_mq_unique_tag(req);
++ u64 cookie = cmd->cmd_cookie;
++
++ return (cookie << NBD_COOKIE_BITS) | tag;
++}
++
++static u32 nbd_handle_to_tag(u64 handle)
++{
++ return (u32)handle;
++}
++
++static u32 nbd_handle_to_cookie(u64 handle)
++{
++ return (u32)(handle >> NBD_COOKIE_BITS);
++}
++
+ static const char *nbdcmd_to_ascii(int cmd)
+ {
+ switch (cmd) {
+@@ -317,6 +339,9 @@ static enum blk_eh_timer_return nbd_xmit
+ }
+ config = nbd->config;
+
++ if (!mutex_trylock(&cmd->lock))
++ return BLK_EH_RESET_TIMER;
++
+ if (config->num_connections > 1) {
+ dev_err_ratelimited(nbd_to_dev(nbd),
+ "Connection timed out, retrying\n");
+@@ -339,6 +364,7 @@ static enum blk_eh_timer_return nbd_xmit
+ nbd_mark_nsock_dead(nbd, nsock, 1);
+ mutex_unlock(&nsock->tx_lock);
+ }
++ mutex_unlock(&cmd->lock);
+ nbd_requeue_cmd(cmd);
+ nbd_config_put(nbd);
+ return BLK_EH_NOT_HANDLED;
+@@ -349,6 +375,7 @@ static enum blk_eh_timer_return nbd_xmit
+ }
+ set_bit(NBD_TIMEDOUT, &config->runtime_flags);
+ cmd->status = BLK_STS_IOERR;
++ mutex_unlock(&cmd->lock);
+ sock_shutdown(nbd);
+ nbd_config_put(nbd);
+
+@@ -425,9 +452,9 @@ static int nbd_send_cmd(struct nbd_devic
+ struct iov_iter from;
+ unsigned long size = blk_rq_bytes(req);
+ struct bio *bio;
++ u64 handle;
+ u32 type;
+ u32 nbd_cmd_flags = 0;
+- u32 tag = blk_mq_unique_tag(req);
+ int sent = nsock->sent, skip = 0;
+
+ iov_iter_kvec(&from, WRITE | ITER_KVEC, &iov, 1, sizeof(request));
+@@ -469,6 +496,8 @@ static int nbd_send_cmd(struct nbd_devic
+ goto send_pages;
+ }
+ iov_iter_advance(&from, sent);
++ } else {
++ cmd->cmd_cookie++;
+ }
+ cmd->index = index;
+ cmd->cookie = nsock->cookie;
+@@ -477,7 +506,8 @@ static int nbd_send_cmd(struct nbd_devic
+ request.from = cpu_to_be64((u64)blk_rq_pos(req) << 9);
+ request.len = htonl(size);
+ }
+- memcpy(request.handle, &tag, sizeof(tag));
++ handle = nbd_cmd_handle(cmd);
++ memcpy(request.handle, &handle, sizeof(handle));
+
+ dev_dbg(nbd_to_dev(nbd), "request %p: sending control (%s@%llu,%uB)\n",
+ cmd, nbdcmd_to_ascii(type),
+@@ -570,10 +600,12 @@ static struct nbd_cmd *nbd_read_stat(str
+ struct nbd_reply reply;
+ struct nbd_cmd *cmd;
+ struct request *req = NULL;
++ u64 handle;
+ u16 hwq;
+ u32 tag;
+ struct kvec iov = {.iov_base = &reply, .iov_len = sizeof(reply)};
+ struct iov_iter to;
++ int ret = 0;
+
+ reply.magic = 0;
+ iov_iter_kvec(&to, READ | ITER_KVEC, &iov, 1, sizeof(reply));
+@@ -591,8 +623,8 @@ static struct nbd_cmd *nbd_read_stat(str
+ return ERR_PTR(-EPROTO);
+ }
+
+- memcpy(&tag, reply.handle, sizeof(u32));
+-
++ memcpy(&handle, reply.handle, sizeof(handle));
++ tag = nbd_handle_to_tag(handle);
+ hwq = blk_mq_unique_tag_to_hwq(tag);
+ if (hwq < nbd->tag_set.nr_hw_queues)
+ req = blk_mq_tag_to_rq(nbd->tag_set.tags[hwq],
+@@ -603,11 +635,25 @@ static struct nbd_cmd *nbd_read_stat(str
+ return ERR_PTR(-ENOENT);
+ }
+ cmd = blk_mq_rq_to_pdu(req);
++
++ mutex_lock(&cmd->lock);
++ if (cmd->cmd_cookie != nbd_handle_to_cookie(handle)) {
++ dev_err(disk_to_dev(nbd->disk), "Double reply on req %p, cmd_cookie %u, handle cookie %u\n",
++ req, cmd->cmd_cookie, nbd_handle_to_cookie(handle));
++ ret = -ENOENT;
++ goto out;
++ }
++ if (test_bit(NBD_CMD_REQUEUED, &cmd->flags)) {
++ dev_err(disk_to_dev(nbd->disk), "Raced with timeout on req %p\n",
++ req);
++ ret = -ENOENT;
++ goto out;
++ }
+ if (ntohl(reply.error)) {
+ dev_err(disk_to_dev(nbd->disk), "Other side returned error (%d)\n",
+ ntohl(reply.error));
+ cmd->status = BLK_STS_IOERR;
+- return cmd;
++ goto out;
+ }
+
+ dev_dbg(nbd_to_dev(nbd), "request %p: got reply\n", cmd);
+@@ -632,18 +678,18 @@ static struct nbd_cmd *nbd_read_stat(str
+ if (nbd_disconnected(config) ||
+ config->num_connections <= 1) {
+ cmd->status = BLK_STS_IOERR;
+- return cmd;
++ goto out;
+ }
+- return ERR_PTR(-EIO);
++ ret = -EIO;
++ goto out;
+ }
+ dev_dbg(nbd_to_dev(nbd), "request %p: got %d bytes data\n",
+ cmd, bvec.bv_len);
+ }
+- } else {
+- /* See the comment in nbd_queue_rq. */
+- wait_for_completion(&cmd->send_complete);
+ }
+- return cmd;
++out:
++ mutex_unlock(&cmd->lock);
++ return ret ? ERR_PTR(ret) : cmd;
+ }
+
+ static void recv_work(struct work_struct *work)
+@@ -843,7 +889,7 @@ static blk_status_t nbd_queue_rq(struct
+ * that the server is misbehaving (or there was an error) before we're
+ * done sending everything over the wire.
+ */
+- init_completion(&cmd->send_complete);
++ mutex_lock(&cmd->lock);
+ clear_bit(NBD_CMD_REQUEUED, &cmd->flags);
+
+ /* We can be called directly from the user space process, which means we
+@@ -856,7 +902,7 @@ static blk_status_t nbd_queue_rq(struct
+ ret = BLK_STS_IOERR;
+ else if (!ret)
+ ret = BLK_STS_OK;
+- complete(&cmd->send_complete);
++ mutex_unlock(&cmd->lock);
+
+ return ret;
+ }
+@@ -1461,6 +1507,7 @@ static int nbd_init_request(struct blk_m
+ struct nbd_cmd *cmd = blk_mq_rq_to_pdu(rq);
+ cmd->nbd = set->driver_data;
+ cmd->flags = 0;
++ mutex_init(&cmd->lock);
+ return 0;
+ }
+
diff --git a/queue-4.14/net-axienet-fix-double-deregister-of-mdio.patch b/queue-4.14/net-axienet-fix-double-deregister-of-mdio.patch
new file mode 100644
index 00000000000..a35d7441bb3
--- /dev/null
+++ b/queue-4.14/net-axienet-fix-double-deregister-of-mdio.patch
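Review bot: In the multi-connection branch of the timeout handler (hunk at -339), the added `mutex_unlock(&cmd->lock);` comes before `nbd_requeue_cmd(cmd);`, so the REQUEUED bit that nbd_read_stat() tests under the lock is only set after the lock has been dropped. A reply from the server that is already waiting on `mutex_lock(&cmd->lock)` in nbd_read_stat() appears able to pass both the cookie check and the `test_bit(NBD_CMD_REQUEUED, ...)` check in that window, and the command is then completed while the timeout path requeues it. Setting the bit while the lock is still held would close the gap, i.e. `nbd_requeue_cmd(cmd);` followed by `mutex_unlock(&cmd->lock);`, provided nothing outside the hunk forbids requeueing with the lock held. The handler's body starts and ends outside the hunks shown, so the surrounding locking should be checked against the full function.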
@@ -0,0 +1,61 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Shubhrajyoti Datta
+Date: Tue, 24 Jul 2018 10:09:53 +0530
+Subject: net: axienet: Fix double deregister of mdio
+
+From: Shubhrajyoti Datta
+
+[ Upstream commit 03bc7cab7d7218088412a75e141696a89059ab00 ]
+
+If the registration fails then mdio_unregister is called.
+However at unbind the unregister ia attempted again resulting
+in the below crash
+
+[ 73.544038] kernel BUG at drivers/net/phy/mdio_bus.c:415!
+[ 73.549362] Internal error: Oops - BUG: 0 [#1] SMP
+[ 73.554127] Modules linked in:
+[ 73.557168] CPU: 0 PID: 2249 Comm: sh Not tainted 4.14.0 #183
+[ 73.562895] Hardware name: xlnx,zynqmp (DT)
+[ 73.567062] task: ffffffc879e41180 task.stack: ffffff800cbe0000
+[ 73.572973] PC is at mdiobus_unregister+0x84/0x88
+[ 73.577656] LR is at axienet_mdio_teardown+0x18/0x30
+[ 73.582601] pc : [] lr : []
+pstate: 20000145
+[ 73.589981] sp : ffffff800cbe3c30
+[ 73.593277] x29: ffffff800cbe3c30 x28: ffffffc879e41180
+[ 73.598573] x27: ffffff8008a21000 x26: 0000000000000040
+[ 73.603868] x25: 0000000000000124 x24: ffffffc879efe920
+[ 73.609164] x23: 0000000000000060 x22: ffffffc879e02000
+[ 73.614459] x21: ffffffc879e02800 x20: ffffffc87b0b8870
+[ 73.619754] x19: ffffffc879e02800 x18: 000000000000025d
+[ 73.625050] x17: 0000007f9a719ad0 x16: ffffff8008195bd8
+[ 73.630345] x15: 0000007f9a6b3d00 x14: 0000000000000010
+[ 73.635640] x13: 74656e7265687465 x12: 0000000000000030
+[ 73.640935] x11: 0000000000000030 x10: 0101010101010101
+[ 73.646231] x9 : 241f394f42533300 x8 : ffffffc8799f6e98
+[ 73.651526] x7 : ffffffc8799f6f18 x6 : ffffffc87b0ba318
+[ 73.656822] x5 : ffffffc87b0ba498 x4 : 0000000000000000
+[ 73.662117] x3 : 0000000000000000 x2 : 0000000000000008
+[ 73.667412] x1 : 0000000000000004 x0 : ffffffc8799f4000
+[ 73.672708] Process sh (pid: 2249, stack limit = 0xffffff800cbe0000)
+
+Fix the same by making the bus NULL on unregister.
+
+Signed-off-by: Shubhrajyoti Datta
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/xilinx/xilinx_axienet_mdio.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/xilinx/xilinx_axienet_mdio.c
++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_mdio.c
+@@ -218,6 +218,7 @@ issue:
+ ret = of_mdiobus_register(bus, np1);
+ if (ret) {
+ mdiobus_free(bus);
++ lp->mii_bus = NULL;
+ return ret;
+ }
+ return 0;
diff --git a/queue-4.14/net-caif-add-a-missing-rcu_read_unlock-in-caif_flow_cb.patch b/queue-4.14/net-caif-add-a-missing-rcu_read_unlock-in-caif_flow_cb.patch
new file mode 100644
index 00000000000..048370f3d60
--- /dev/null
+++ b/queue-4.14/net-caif-add-a-missing-rcu_read_unlock-in-caif_flow_cb.patch
@@ -0,0 +1,34 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: YueHaibing
+Date: Thu, 19 Jul 2018 10:27:13 +0800
+Subject: net: caif: Add a missing rcu_read_unlock() in caif_flow_cb
+
+From: YueHaibing
+
+[ Upstream commit 64119e05f7b31e83e2555f6782e6cdc8f81c63f4 ]
+
+Add a missing rcu_read_unlock in the error path
+
+Fixes: c95567c80352 ("caif: added check for potential null return")
+Signed-off-by: YueHaibing
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/caif/caif_dev.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/caif/caif_dev.c
++++ b/net/caif/caif_dev.c
+@@ -131,8 +131,10 @@ static void caif_flow_cb(struct sk_buff
+ caifd = caif_get(skb->dev);
+
+ WARN_ON(caifd == NULL);
+- if (caifd == NULL)
++ if (!caifd) {
++ rcu_read_unlock();
+ return;
++ }
+
+ caifd_hold(caifd);
+ rcu_read_unlock();
diff --git a/queue-4.14/net-prevent-isa-drivers-from-building-on-ppc32.patch b/queue-4.14/net-prevent-isa-drivers-from-building-on-ppc32.patch
new file mode 100644
index 00000000000..3acb4c65c7e
--- /dev/null
+++ b/queue-4.14/net-prevent-isa-drivers-from-building-on-ppc32.patch
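Review bot: Clearing `lp->mii_bus` after `mdiobus_free(bus)` only prevents the second unregister if the teardown path tests the pointer before it calls mdiobus_unregister(), and that path (axienet_mdio_teardown in the quoted trace) is not part of this hunk. If it does not return early on NULL, e.g. with `if (!lp->mii_bus) return;`, the BUG in the trace would presumably be replaced by a NULL pointer dereference at unbind. The setup function starts outside the hunk, so any earlier failure returns that leave `lp->mii_bus` pointing at a freed bus should be checked as well.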
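Review bot: The NULL test in caif_flow_cb() is now written twice in two styles, `WARN_ON(caifd == NULL);` on the context line and `if (!caifd) {` on the added line. Since WARN_ON() evaluates to its condition, `if (WARN_ON(!caifd)) {` folds the two into one check and keeps the warning next to the unlock-and-return it guards. The function starts before this hunk, so the matching rcu_read_lock() is not visible here.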
@@ -0,0 +1,77 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Randy Dunlap
+Date: Sat, 21 Jul 2018 12:59:25 -0700
+Subject: net: prevent ISA drivers from building on PPC32
+
+From: Randy Dunlap
+
+[ Upstream commit c9ce1fa1c24b08e13c2a3b5b1f94a19c9eaa982c ]
+
+Prevent drivers from building on PPC32 if they use isa_bus_to_virt(),
+isa_virt_to_bus(), or isa_page_to_bus(), which are not available and
+thus cause build errors.
+
+../drivers/net/ethernet/3com/3c515.c: In function 'corkscrew_open':
+../drivers/net/ethernet/3com/3c515.c:824:9: error: implicit declaration of function 'isa_virt_to_bus'; did you mean 'virt_to_bus'? [-Werror=implicit-function-declaration]
+
+../drivers/net/ethernet/amd/lance.c: In function 'lance_rx':
+../drivers/net/ethernet/amd/lance.c:1203:23: error: implicit declaration of function 'isa_bus_to_virt'; did you mean 'bus_to_virt'? [-Werror=implicit-function-declaration]
+
+../drivers/net/ethernet/amd/ni65.c: In function 'ni65_init_lance':
+../drivers/net/ethernet/amd/ni65.c:585:20: error: implicit declaration of function 'isa_virt_to_bus'; did you mean 'virt_to_bus'? [-Werror=implicit-function-declaration]
+
+../drivers/net/ethernet/cirrus/cs89x0.c: In function 'net_open':
+../drivers/net/ethernet/cirrus/cs89x0.c:897:20: error: implicit declaration of function 'isa_virt_to_bus'; did you mean 'virt_to_bus'? [-Werror=implicit-function-declaration]
+
+Signed-off-by: Randy Dunlap
+Suggested-by: Michael Ellerman
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/3com/Kconfig | 2 +-
+ drivers/net/ethernet/amd/Kconfig | 4 ++--
+ drivers/net/ethernet/cirrus/Kconfig | 1 +
+ 3 files changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/3com/Kconfig
++++ b/drivers/net/ethernet/3com/Kconfig
+@@ -32,7 +32,7 @@ config EL3
+
+ config 3C515
+ tristate "3c515 ISA \"Fast EtherLink\""
+- depends on ISA && ISA_DMA_API
++ depends on ISA && ISA_DMA_API && !PPC32
+ ---help---
+ If you have a 3Com ISA EtherLink XL "Corkscrew" 3c515 Fast Ethernet
+ network card, say Y here.
+--- a/drivers/net/ethernet/amd/Kconfig
++++ b/drivers/net/ethernet/amd/Kconfig
+@@ -44,7 +44,7 @@ config AMD8111_ETH
+
+ config LANCE
+ tristate "AMD LANCE and PCnet (AT1500 and NE2100) support"
+- depends on ISA && ISA_DMA_API && !ARM
++ depends on ISA && ISA_DMA_API && !ARM && !PPC32
+ ---help---
+ If you have a network (Ethernet) card of this type, say Y here.
+ Some LinkSys cards are of this type.
+@@ -138,7 +138,7 @@ config PCMCIA_NMCLAN
+
+ config NI65
+ tristate "NI6510 support"
+- depends on ISA && ISA_DMA_API && !ARM
++ depends on ISA && ISA_DMA_API && !ARM && !PPC32
+ ---help---
+ If you have a network (Ethernet) card of this type, say Y here.
+
+--- a/drivers/net/ethernet/cirrus/Kconfig
++++ b/drivers/net/ethernet/cirrus/Kconfig
+@@ -19,6 +19,7 @@ if NET_VENDOR_CIRRUS
+ config CS89x0
+ tristate "CS89x0 support"
+ depends on ISA || EISA || ARM
++ depends on !PPC32
+ ---help---
+ Support for CS89x0 chipset based Ethernet cards. If you have a
+ network (Ethernet) card of this type, say Y and read the file
diff --git a/queue-4.14/netfilter-nf_tables-don-t-allow-to-rename-to-already-pending-name.patch b/queue-4.14/netfilter-nf_tables-don-t-allow-to-rename-to-already-pending-name.patch
new file mode 100644
index 00000000000..df99ec860c9
--- /dev/null
+++ b/queue-4.14/netfilter-nf_tables-don-t-allow-to-rename-to-already-pending-name.patch
@@ -0,0 +1,107 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Florian Westphal
+Date: Tue, 17 Jul 2018 07:17:56 +0200
+Subject: netfilter: nf_tables: don't allow to rename to already-pending name
+
+From: Florian Westphal
+
+[ Upstream commit c6cc94df65c3174be92afbee638f11cbb5e606a7 ]
+
+Its possible to rename two chains to the same name in one
+transaction:
+
+nft add chain t c1
+nft add chain t c2
+nft 'rename chain t c1 c3;rename chain t c2 c3'
+
+This creates two chains named 'c3'.
+
+Appears to be harmless, both chains can still be deleted both
+by name or handle, but, nevertheless, its a bug.
+
+Walk transaction log and also compare vs. the pending renames.
+
+Both chains can still be deleted, but nevertheless it is a bug as
+we don't allow to create chains with identical names, so we should
+prevent this from happening-by-rename too.
+
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_tables_api.c | 42 +++++++++++++++++++++++++++++-------------
+ 1 file changed, 29 insertions(+), 13 deletions(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -1480,7 +1480,6 @@ static int nf_tables_updchain(struct nft
+ struct nft_base_chain *basechain;
+ struct nft_stats *stats = NULL;
+ struct nft_chain_hook hook;
+- const struct nlattr *name;
+ struct nf_hook_ops *ops;
+ struct nft_trans *trans;
+ int err, i;
+@@ -1531,12 +1530,11 @@ static int nf_tables_updchain(struct nft
+ return PTR_ERR(stats);
+ }
+
++ err = -ENOMEM;
+ trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
+ sizeof(struct nft_trans_chain));
+- if (trans == NULL) {
+- free_percpu(stats);
+- return -ENOMEM;
+- }
++ if (trans == NULL)
++ goto err;
+
+ nft_trans_chain_stats(trans) = stats;
+ nft_trans_chain_update(trans) = true;
+@@ -1546,19 +1544,37 @@ static int nf_tables_updchain(struct nft
+ else
+ nft_trans_chain_policy(trans) = -1;
+
+- name = nla[NFTA_CHAIN_NAME];
+- if (nla[NFTA_CHAIN_HANDLE] && name) {
+- nft_trans_chain_name(trans) =
+- nla_strdup(name, GFP_KERNEL);
+- if (!nft_trans_chain_name(trans)) {
+- kfree(trans);
+- free_percpu(stats);
+- return -ENOMEM;
++ if (nla[NFTA_CHAIN_HANDLE] &&
++ nla[NFTA_CHAIN_NAME]) {
++ struct nft_trans *tmp;
++ char *name;
++
++ err = -ENOMEM;
++ name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
++ if (!name)
++ goto err;
++
++ err = -EEXIST;
++ list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) {
++ if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
++ tmp->ctx.table == table &&
++ nft_trans_chain_update(tmp) &&
++ nft_trans_chain_name(tmp) &&
++ strcmp(name, nft_trans_chain_name(tmp)) == 0) {
++ kfree(name);
++ goto err;
++ }
+ }
++
++ nft_trans_chain_name(trans) = name;
+ }
+ list_add_tail(&trans->list, &ctx->net->nft.commit_list);
+
+ return 0;
++err:
++ free_percpu(stats);
++ kfree(trans);
++ return err;
+ }
+
+ static int nf_tables_newchain(struct net *net, struct sock *nlsk,
diff --git a/queue-4.14/netfilter-nf_tables-fix-memory-leaks-on-chain-rename.patch b/queue-4.14/netfilter-nf_tables-fix-memory-leaks-on-chain-rename.patch
new file mode 100644
index 00000000000..3dd85e1306e
--- /dev/null
+++ b/queue-4.14/netfilter-nf_tables-fix-memory-leaks-on-chain-rename.patch
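Review bot: The duplicate-name scan in nf_tables_updchain() runs only after `nla_strdup()` has allocated the copy, so every rejected rename allocates and immediately frees a string, and the loop has to carry its own `kfree(name)`. Comparing the attribute directly, `nla_strcmp(nla[NFTA_CHAIN_NAME], nft_trans_chain_name(tmp)) == 0`, would let the scan run before the allocation and leave the `err:` label as the only cleanup path. The scan also relies on `table` being in scope; its declaration is not in the visible hunks, which start after the function's signature, so that is worth confirming against this tree before the patch is applied.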
@@ -0,0 +1,70 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Florian Westphal
+Date: Tue, 17 Jul 2018 07:17:55 +0200
+Subject: netfilter: nf_tables: fix memory leaks on chain rename
+
+From: Florian Westphal
+
+[ Upstream commit 9f8aac0be21ed5f99bd5ba0ff315d710737d1794 ]
+
+The new name is stored in the transaction metadata, on commit,
+the pointers to the old and new names are swapped.
+
+Therefore in abort and commit case we have to free the
+pointer in the chain_trans container.
+
+In commit case, the pointer can be used by another cpu that
+is currently dumping the renamed chain, thus kfree needs to
+happen after waiting for rcu readers to complete.
+
+Fixes: b7263e071a ("netfilter: nf_tables: Allow chain name of up to 255 chars")
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_tables_api.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -5043,6 +5043,9 @@ static void nf_tables_commit_release(str
+ case NFT_MSG_DELTABLE:
+ nf_tables_table_destroy(&trans->ctx);
+ break;
++ case NFT_MSG_NEWCHAIN:
++ kfree(nft_trans_chain_name(trans));
++ break;
+ case NFT_MSG_DELCHAIN:
+ nf_tables_chain_destroy(trans->ctx.chain);
+ break;
+@@ -5100,13 +5103,15 @@ static int nf_tables_commit(struct net *
+ nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
+ break;
+ case NFT_MSG_NEWCHAIN:
+- if (nft_trans_chain_update(trans))
++ if (nft_trans_chain_update(trans)) {
+ nft_chain_commit_update(trans);
+- else
++ nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
++ /* trans destroyed after rcu grace period */
++ } else {
+ nft_clear(net, trans->ctx.chain);
+-
+- nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
+- nft_trans_destroy(trans);
++ nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
++ nft_trans_destroy(trans);
++ }
+ break;
+ case NFT_MSG_DELCHAIN:
+ list_del_rcu(&trans->ctx.chain->list);
+@@ -5246,7 +5251,7 @@ static int nf_tables_abort(struct net *n
+ case NFT_MSG_NEWCHAIN:
+ if (nft_trans_chain_update(trans)) {
+ free_percpu(nft_trans_chain_stats(trans));
+-
++ kfree(nft_trans_chain_name(trans));
+ nft_trans_destroy(trans);
+ } else {
+ trans->ctx.table->use--;
diff --git a/queue-4.14/netfilter-nft_set_hash-add-rcu_barrier-in-the-nft_rhash_destroy.patch b/queue-4.14/netfilter-nft_set_hash-add-rcu_barrier-in-the-nft_rhash_destroy.patch
new file mode 100644
index 00000000000..35c8ff1da4b
--- /dev/null
+++ b/queue-4.14/netfilter-nft_set_hash-add-rcu_barrier-in-the-nft_rhash_destroy.patch
@@ -0,0 +1,116 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Taehee Yoo
+Date: Tue, 10 Jul 2018 23:21:08 +0900
+Subject: netfilter: nft_set_hash: add rcu_barrier() in the nft_rhash_destroy()
+
+From: Taehee Yoo
+
+[ Upstream commit 9970a8e40d4c39e23d62d32540366d1d7d2cce9b ]
+
+GC of set uses call_rcu() to destroy elements.
+So that elements would be destroyed after destroying sets and chains.
+But, elements should be destroyed before destroying sets and chains.
+In order to wait calling call_rcu(), a rcu_barrier() is added.
+
+In order to test correctly, below patch should be applied.
+https://patchwork.ozlabs.org/patch/940883/
+
+test scripts:
+ %cat test.nft
+ table ip aa {
+ map map1 {
+ type ipv4_addr : verdict; flags timeout;
+ elements = {
+ 0 : jump a0,
+ 1 : jump a0,
+ 2 : jump a0,
+ 3 : jump a0,
+ 4 : jump a0,
+ 5 : jump a0,
+ 6 : jump a0,
+ 7 : jump a0,
+ 8 : jump a0,
+ 9 : jump a0,
+ }
+ timeout 1s;
+ }
+ chain a0 {
+ }
+ }
+ flush ruleset
+
+ [ ... ]
+
+ table ip aa {
+ map map1 {
+ type ipv4_addr : verdict; flags timeout;
+ elements = {
+ 0 : jump a0,
+ 1 : jump a0,
+ 2 : jump a0,
+ 3 : jump a0,
+ 4 : jump a0,
+ 5 : jump a0,
+ 6 : jump a0,
+ 7 : jump a0,
+ 8 : jump a0,
+ 9 : jump a0,
+ }
+ timeout 1s;
+ }
+ chain a0 {
+ }
+ }
+ flush ruleset
+
+Splat looks like:
+[ 200.795603] kernel BUG at net/netfilter/nf_tables_api.c:1363!
+[ 200.806944] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
+[ 200.812253] CPU: 1 PID: 1582 Comm: nft Not tainted 4.17.0+ #24
+[ 200.820297] Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 07/08/2015
+[ 200.830309] RIP: 0010:nf_tables_chain_destroy.isra.34+0x62/0x240 [nf_tables]
+[ 200.838317] Code: 43 50 85 c0 74 26 48 8b 45 00 48 8b 4d 08 ba 54 05 00 00 48 c7 c6 60 6d 29 c0 48 c7 c7 c0 65 29 c0
+4c 8b 40 08 e8 58 e5 fd f8 <0f> 0b 48 89 da 48 b8 00 00 00 00 00 fc ff
+[ 200.860366] RSP: 0000:ffff880118dbf4d0 EFLAGS: 00010282
+[ 200.866354] RAX: 0000000000000061 RBX: ffff88010cdeaf08 RCX: 0000000000000000
+[ 200.874355] RDX: 0000000000000061 RSI: 0000000000000008 RDI: ffffed00231b7e90
+[ 200.882361] RBP: ffff880118dbf4e8 R08: ffffed002373bcfb R09: ffffed002373bcfa
+[ 200.890354] R10: 0000000000000000 R11: ffffed002373bcfb R12: dead000000000200
+[ 200.898356] R13: dead000000000100 R14: ffffffffbb62af38 R15: dffffc0000000000
+[ 200.906354] FS: 00007fefc31fd700(0000) GS:ffff88011b800000(0000) knlGS:0000000000000000
+[ 200.915533] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 200.922355] CR2: 0000557f1c8e9128 CR3: 0000000106880000 CR4: 00000000001006e0
+[ 200.930353] Call Trace:
+[ 200.932351] ? nf_tables_commit+0x26f6/0x2c60 [nf_tables]
+[ 200.939525] ? nf_tables_setelem_notify.constprop.49+0x1a0/0x1a0 [nf_tables]
+[ 200.947525] ? nf_tables_delchain+0x6e0/0x6e0 [nf_tables]
+[ 200.952383] ? nft_add_set_elem+0x1700/0x1700 [nf_tables]
+[ 200.959532] ? nla_parse+0xab/0x230
+[ 200.963529] ? nfnetlink_rcv_batch+0xd06/0x10d0 [nfnetlink]
+[ 200.968384] ? nfnetlink_net_init+0x130/0x130 [nfnetlink]
+[ 200.975525] ? debug_show_all_locks+0x290/0x290
+[ 200.980363] ? debug_show_all_locks+0x290/0x290
+[ 200.986356] ? sched_clock_cpu+0x132/0x170
+[ 200.990352] ? find_held_lock+0x39/0x1b0
+[ 200.994355] ? sched_clock_local+0x10d/0x130
+[ 200.999531] ? memset+0x1f/0x40
+
+Fixes: 9d0982927e79 ("netfilter: nft_hash: add support for timeouts")
+Signed-off-by: Taehee Yoo
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nft_set_hash.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/netfilter/nft_set_hash.c
++++ b/net/netfilter/nft_set_hash.c
+@@ -359,6 +359,7 @@ static void nft_rhash_destroy(const stru
+ struct nft_rhash *priv = nft_set_priv(set);
+
+ cancel_delayed_work_sync(&priv->gc_work);
++ rcu_barrier();
+ rhashtable_free_and_destroy(&priv->ht, nft_rhash_elem_destroy,
+ (void *)set);
+ }
diff --git a/queue-4.14/nfp-flower-fix-port-metadata-conversion-bug.patch b/queue-4.14/nfp-flower-fix-port-metadata-conversion-bug.patch
new file mode 100644
index 00000000000..ebd7086e57a
--- /dev/null
+++ b/queue-4.14/nfp-flower-fix-port-metadata-conversion-bug.patch
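Review bot: The added `rcu_barrier();` in nft_rhash_destroy() has no comment, although its position between the two neighbouring calls is the whole fix. Per the description, set GC frees elements through call_rcu(), so the barrier has to come after `cancel_delayed_work_sync()` (no further callbacks get queued) and before `rhashtable_free_and_destroy()`. I would record that as `/* wait for GC's pending call_rcu() element frees before destroying the set */`, so a later cleanup does not move or drop the call and bring back the BUG shown in the splat.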
@@ -0,0 +1,49 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: John Hurley
+Date: Fri, 27 Jul 2018 20:56:52 -0700
+Subject: nfp: flower: fix port metadata conversion bug
+
+From: John Hurley
+
+[ Upstream commit ee614c871014045b45fae149b7245fc22a0bbdd8 ]
+
+Function nfp_flower_repr_get_type_and_port expects an enum nfp_repr_type
+return value but, if the repr type is unknown, returns a value of type
+enum nfp_flower_cmsg_port_type. This means that if FW encodes the port
+ID in a way the driver does not understand instead of dropping the frame
+driver may attribute it to a physical port (uplink) provided the port
+number is less than physical port count.
+
+Fix this and ensure a net_device of NULL is returned if the repr can not
+be determined.
+
+Fixes: 1025351a88a4 ("nfp: add flower app")
+Signed-off-by: John Hurley
+Signed-off-by: Jakub Kicinski
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/netronome/nfp/flower/main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/netronome/nfp/flower/main.c
++++ b/drivers/net/ethernet/netronome/nfp/flower/main.c
+@@ -79,7 +79,7 @@ nfp_flower_repr_get_type_and_port(struct
+ return NFP_REPR_TYPE_VF;
+ }
+
+- return NFP_FLOWER_CMSG_PORT_TYPE_UNSPEC;
++ return __NFP_REPR_TYPE_MAX;
+ }
+
+ static struct net_device *
+@@ -90,6 +90,8 @@ nfp_flower_repr_get(struct nfp_app *app,
+ u8 port = 0;
+
+ repr_type = nfp_flower_repr_get_type_and_port(app, port_id, &port);
++ if (repr_type > NFP_REPR_TYPE_MAX)
++ return NULL;
+
+ reprs = rcu_dereference(app->reprs[repr_type]);
+ if (!reprs)
diff --git a/queue-4.14/nl80211-add-a-missing-break-in-parse_station_flags.patch b/queue-4.14/nl80211-add-a-missing-break-in-parse_station_flags.patch
new file mode 100644
index 00000000000..c63b2414899
--- /dev/null
+++ b/queue-4.14/nl80211-add-a-missing-break-in-parse_station_flags.patch
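Review bot: The new guard `if (repr_type > NFP_REPR_TYPE_MAX)` in nfp_flower_repr_get() is what keeps a firmware-encoded port_id from indexing `app->reprs[]` out of range. It works only if `__NFP_REPR_TYPE_MAX` compares greater than `NFP_REPR_TYPE_MAX`, and neither definition is visible in the hunks. Testing against the sentinel that nfp_flower_repr_get_type_and_port() actually returns makes the pairing explicit: `if (repr_type >= __NFP_REPR_TYPE_MAX) return NULL;`. A comment on `return __NFP_REPR_TYPE_MAX;` saying it means "unknown port type, caller must drop" would help as well. Both functions continue outside the hunks.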
@@ -0,0 +1,38 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Bernd Edlinger
+Date: Sun, 8 Jul 2018 09:57:22 +0000
+Subject: nl80211: Add a missing break in parse_station_flags
+
+From: Bernd Edlinger
+
+[ Upstream commit 5cf3006cc81d9aa09a10aa781fc065546b12919d ]
+
+I was looking at usually suppressed gcc warnings,
+[-Wimplicit-fallthrough=] in this case:
+
+The code definitely looks like a break is missing here.
+However I am not able to test the NL80211_IFTYPE_MESH_POINT,
+nor do I actually know what might be :)
+So please use this patch with caution and only if you are
+able to do some testing.
+
+Signed-off-by: Bernd Edlinger
+[johannes: looks obvious enough to apply as is, interesting
+ though that it never seems to have been a problem]
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/wireless/nl80211.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -4186,6 +4186,7 @@ static int parse_station_flags(struct ge
+ params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
+ BIT(NL80211_STA_FLAG_MFP) |
+ BIT(NL80211_STA_FLAG_AUTHORIZED);
++ break;
+ default:
+ return -EINVAL;
+ }
diff --git a/queue-4.14/perf-x86-amd-ibs-don-t-access-non-started-event.patch b/queue-4.14/perf-x86-amd-ibs-don-t-access-non-started-event.patch
new file mode 100644
index 00000000000..06e055f5ffa
--- /dev/null
+++ b/queue-4.14/perf-x86-amd-ibs-don-t-access-non-started-event.patch
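Review bot: With the added `break;`, the case above `default:` in parse_station_flags() no longer falls into `return -EINVAL`, so a request that was always rejected is now accepted with a mask that includes `NL80211_STA_FLAG_AUTHORIZED`. The description says the author could not test the NL80211_IFTYPE_MESH_POINT path (presumably this case; its label is outside the hunk), so the backport enables a flag-setting path that, as far as the page shows, has never run. I would want a test that sets and clears station flags on a mesh interface before this ships in a stable tree, or a note in the queue entry that it is untested. The switch and the function continue outside the hunk.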
@@ -0,0 +1,76 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Thomas Gleixner
+Date: Fri, 20 Jul 2018 10:39:07 +0200
+Subject: perf/x86/amd/ibs: Don't access non-started event
+
+From: Thomas Gleixner
+
+[ Upstream commit d2753e6b4882a637a0e8fb3b9c2e15f33265300e ]
+
+Paul Menzel reported the following bug:
+
+> Enabling the undefined behavior sanitizer and building GNU/Linux 4.18-rc5+
+> (with some unrelated commits) with GCC 8.1.0 from Debian Sid/unstable, the
+> warning below is shown.
+>
+> > [ 2.111913]
+> > ================================================================================
+> > [ 2.111917] UBSAN: Undefined behaviour in arch/x86/events/amd/ibs.c:582:24
+> > [ 2.111919] member access within null pointer of type 'struct perf_event'
+> > [ 2.111926] CPU: 0 PID: 144 Comm: udevadm Not tainted 4.18.0-rc5-00316-g4864b68cedf2 #104
+> > [ 2.111928] Hardware name: ASROCK E350M1/E350M1, BIOS TIMELESS 01/01/1970
+> > [ 2.111930] Call Trace:
+> > [ 2.111943] dump_stack+0x55/0x89
+> > [ 2.111949] ubsan_epilogue+0xb/0x33
+> > [ 2.111953] handle_null_ptr_deref+0x7f/0x90
+> > [ 2.111958] __ubsan_handle_type_mismatch_v1+0x55/0x60
+> > [ 2.111964] perf_ibs_handle_irq+0x596/0x620
+
+The code dereferences event before checking the STARTED bit. Patch
+below should cure the issue.
+
+The warning should not trigger, if I analyzed the thing correctly.
+(And Paul's testing confirms this.)
+
+Reported-by: Paul Menzel
+Tested-by: Paul Menzel
+Signed-off-by: Thomas Gleixner
+Cc: Alexander Shishkin
+Cc: Arnaldo Carvalho de Melo
+Cc: Borislav Petkov
+Cc: Jiri Olsa
+Cc: Linus Torvalds
+Cc: Paul Menzel
+Cc: Peter Zijlstra
+Cc: Stephane Eranian
+Cc: Vince Weaver
+Link: http://lkml.kernel.org/r/alpine.DEB.2.21.1807200958390.1580@nanos.tec.linutronix.de
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/events/amd/ibs.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/events/amd/ibs.c
++++ b/arch/x86/events/amd/ibs.c
+@@ -579,7 +579,7 @@ static int perf_ibs_handle_irq(struct pe
+ {
+ struct cpu_perf_ibs *pcpu = this_cpu_ptr(perf_ibs->pcpu);
+ struct perf_event *event = pcpu->event;
+- struct hw_perf_event *hwc = &event->hw;
++ struct hw_perf_event *hwc;
+ struct perf_sample_data data;
+ struct perf_raw_record raw;
+ struct pt_regs regs;
+@@ -602,6 +602,10 @@ fail:
+ return 0;
+ }
+
++ if (WARN_ON_ONCE(!event))
++ goto fail;
++
++ hwc = &event->hw;
+ msr = hwc->config_base;
+ buf = ibs_data.regs;
+ rdmsrl(msr, *buf);
diff --git a/queue-4.14/qed-correct-multicast-api-to-reflect-existence-of-256-approximate-buckets.patch b/queue-4.14/qed-correct-multicast-api-to-reflect-existence-of-256-approximate-buckets.patch
new file mode 100644
index 00000000000..14f50270b44
--- /dev/null
+++ b/queue-4.14/qed-correct-multicast-api-to-reflect-existence-of-256-approximate-buckets.patch
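Review bot: The new NULL check in perf_ibs_handle_irq(), `if (WARN_ON_ONCE(!event)) goto fail;`, jumps backwards to a `fail:` label inside the preceding block, and nothing explains why a NULL event at this point is survivable. The description says the warning should never trigger, so a comment such as `/* no event although IBS is marked started: should not happen, leave via the not-started exit */` would keep a later cleanup from dropping the check or moving `hwc = &event->hw;` back above it. Only the tail of the `fail:` block (`return 0;`) is visible in the hunk, so what else that exit does needs confirming against the full function.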
@@ -0,0 +1,140 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Sudarsana Reddy Kalluru
+Date: Wed, 18 Jul 2018 22:50:04 -0700
+Subject: qed: Correct Multicast API to reflect existence of 256 approximate buckets.
+
+From: Sudarsana Reddy Kalluru
+
+[ Upstream commit 25c020a90919632b3425c19dc09188d56b9ed59a ]
+
+FW hsi contains 256 approximation buckets which are split in ramrod into
+eight u32 values, but driver is using eight 'unsigned long' variables.
+
+This patch fixes the mcast logic by making the API utilize u32.
+
+Fixes: 83aeb933 ("qed*: Trivial modifications")
+Signed-off-by: Sudarsana Reddy Kalluru
+Signed-off-by: Ariel Elior
+Signed-off-by: Michal Kalderon
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/qlogic/qed/qed_l2.c | 15 +++++++--------
+ drivers/net/ethernet/qlogic/qed/qed_l2.h | 2 +-
+ drivers/net/ethernet/qlogic/qed/qed_sriov.c | 2 +-
+ drivers/net/ethernet/qlogic/qed/qed_vf.c | 4 ++--
+ drivers/net/ethernet/qlogic/qed/qed_vf.h | 7 ++++++-
+ 5 files changed, 17 insertions(+), 13 deletions(-)
+
+--- a/drivers/net/ethernet/qlogic/qed/qed_l2.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_l2.c
+@@ -663,7 +663,7 @@ qed_sp_update_mcast_bin(struct qed_hwfn
+
+ p_ramrod->common.update_approx_mcast_flg = 1;
+ for (i = 0; i < ETH_MULTICAST_MAC_BINS_IN_REGS; i++) {
+- u32 *p_bins = (u32 *)p_params->bins;
++ u32 *p_bins = p_params->bins;
+
+ p_ramrod->approx_mcast.bins[i] = cpu_to_le32(p_bins[i]);
+ }
+@@ -1474,8 +1474,8 @@ qed_sp_eth_filter_mcast(struct qed_hwfn
+ enum spq_mode comp_mode,
+ struct qed_spq_comp_cb *p_comp_data)
+ {
+- unsigned long bins[ETH_MULTICAST_MAC_BINS_IN_REGS];
+ struct vport_update_ramrod_data *p_ramrod = NULL;
++ u32 bins[ETH_MULTICAST_MAC_BINS_IN_REGS];
+ struct qed_spq_entry *p_ent = NULL;
+ struct qed_sp_init_data init_data;
+ u8 abs_vport_id = 0;
+@@ -1511,26 +1511,25 @@ qed_sp_eth_filter_mcast(struct qed_hwfn
+ /* explicitly clear out the entire vector */
+ memset(&p_ramrod->approx_mcast.bins, 0,
+ sizeof(p_ramrod->approx_mcast.bins));
+- memset(bins, 0, sizeof(unsigned long) *
+- ETH_MULTICAST_MAC_BINS_IN_REGS);
++ memset(bins, 0, sizeof(bins));
+ /* filter ADD op is explicit set op and it removes
+ * any existing filters for the vport
+ */
+ if (p_filter_cmd->opcode == QED_FILTER_ADD) {
+ for (i = 0; i < p_filter_cmd->num_mc_addrs; i++) {
+- u32 bit;
++ u32 bit, nbits;
+
+ bit = qed_mcast_bin_from_mac(p_filter_cmd->mac[i]);
+- __set_bit(bit, bins);
++ nbits = sizeof(u32) * BITS_PER_BYTE;
++ bins[bit / nbits] |= 1 << (bit % nbits);
+ }
+
+ /* Convert to correct endianity */
+ for (i = 0; i < ETH_MULTICAST_MAC_BINS_IN_REGS; i++) {
+ struct vport_update_ramrod_mcast *p_ramrod_bins;
+- u32 *p_bins = (u32 *)bins;
+
+ p_ramrod_bins = &p_ramrod->approx_mcast;
+- p_ramrod_bins->bins[i] = cpu_to_le32(p_bins[i]);
++ p_ramrod_bins->bins[i] = cpu_to_le32(bins[i]);
+ }
+ }
+
+--- a/drivers/net/ethernet/qlogic/qed/qed_l2.h
++++ b/drivers/net/ethernet/qlogic/qed/qed_l2.h
+@@ -214,7 +214,7 @@ struct qed_sp_vport_update_params {
+ u8 anti_spoofing_en;
+ u8 update_accept_any_vlan_flg;
+ u8 accept_any_vlan;
+- unsigned long bins[8];
++ u32 bins[8];
+ struct qed_rss_params *rss_params;
+ struct qed_filter_accept_flags accept_flags;
+ struct qed_sge_tpa_params *sge_tpa_params;
+--- a/drivers/net/ethernet/qlogic/qed/qed_sriov.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_sriov.c
+@@ -2826,7 +2826,7 @@ qed_iov_vp_update_mcast_bin_param(struct
+
+ p_data->update_approx_mcast_flg = 1;
+ memcpy(p_data->bins, p_mcast_tlv->bins,
+- sizeof(unsigned long) * ETH_MULTICAST_MAC_BINS_IN_REGS);
++ sizeof(u32) * ETH_MULTICAST_MAC_BINS_IN_REGS);
+ *tlvs_mask |= 1 << QED_IOV_VP_UPDATE_MCAST;
+ }
+
+--- a/drivers/net/ethernet/qlogic/qed/qed_vf.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_vf.c
+@@ -1126,7 +1126,7 @@ int qed_vf_pf_vport_update(struct qed_hw
+ resp_size += sizeof(struct pfvf_def_resp_tlv);
+
+ memcpy(p_mcast_tlv->bins, p_params->bins,
+- sizeof(unsigned long) * ETH_MULTICAST_MAC_BINS_IN_REGS);
++ sizeof(u32) * ETH_MULTICAST_MAC_BINS_IN_REGS);
+ }
+
+ update_rx = p_params->accept_flags.update_rx_mode_config;
+@@ -1272,7 +1272,7 @@ void qed_vf_pf_filter_mcast(struct qed_h
+ u32 bit;
+
+ bit = qed_mcast_bin_from_mac(p_filter_cmd->mac[i]);
+- __set_bit(bit, sp_params.bins);
++ sp_params.bins[bit / 32] |= 1 << (bit % 32);
+ }
+ }
+
+--- a/drivers/net/ethernet/qlogic/qed/qed_vf.h
++++ b/drivers/net/ethernet/qlogic/qed/qed_vf.h
+@@ -392,7 +392,12 @@ struct vfpf_vport_update_mcast_bin_tlv {
+ struct channel_tlv tl;
+ u8 padding[4];
+
+- u64 bins[8];
++ /* There are only 256 approx bins, and in HSI they're divided into
++ * 32-bit values. As old VFs used to set-bit to the values on its side,
++ * the upper half of the array is never expected to contain any data.
++ */
++ u64 bins[4];
++ u64 obsolete_bins[4];
+ };
+
+ struct vfpf_vport_update_accept_param_tlv {
diff --git a/queue-4.14/qed-fix-link-flap-issue-due-to-mismatching-eee-capabilities.patch b/queue-4.14/qed-fix-link-flap-issue-due-to-mismatching-eee-capabilities.patch
new file mode 100644
index 00000000000..ca1e6ee445d
--- /dev/null
+++ b/queue-4.14/qed-fix-link-flap-issue-due-to-mismatching-eee-capabilities.patch
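Review bot: Both new bit-set expressions, `bins[bit / nbits] |= 1 << (bit % nbits);` in qed_sp_eth_filter_mcast() and `sp_params.bins[bit / 32] |= 1 << (bit % 32);` in qed_vf_pf_filter_mcast(), shift a signed int, so a bin that lands on bit 31 of a word shifts into the sign bit, which the C standard leaves undefined. An unsigned constant avoids that: `bins[bit / nbits] |= 1U << (bit % nbits);` and `sp_params.bins[bit / 32] |= 1U << (bit % 32);`. The array index also relies on qed_mcast_bin_from_mac() never returning 256 or more, which is not visible in these hunks; a comment stating that range, or a bound check, would make the eight-word limit explicit. The two sites also spell the word size differently (`nbits` against a literal 32), which is worth unifying.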
@@ -0,0 +1,49 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Sudarsana Reddy Kalluru
+Date: Wed, 18 Jul 2018 22:50:02 -0700
+Subject: qed: Fix link flap issue due to mismatching EEE capabilities.
+
+From: Sudarsana Reddy Kalluru
+
+[ Upstream commit 4ad95a93a702ec4f4fb5159b822797ba67b8cbbe ]
+
+Apparently, MFW publishes EEE capabilities even for Fiber-boards that don't
+support them, and later since qed internally sets adv_caps it would cause
+link-flap avoidance (LFA) to fail when driver would initiate the link.
+This in turn delays the link, causing traffic to fail.
+
+Driver has been modified to not to ask MFW for any EEE config if EEE isn't
+to be enabled.
+
+Fixes: 645874e5 ("qed: Add support for Energy efficient ethernet.")
+Signed-off-by: Sudarsana Reddy Kalluru
+Signed-off-by: Ariel Elior
+Signed-off-by: Michal Kalderon
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/qlogic/qed/qed_mcp.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/qlogic/qed/qed_mcp.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_mcp.c
+@@ -1279,9 +1279,15 @@ int qed_mcp_set_link(struct qed_hwfn *p_
+ phy_cfg.pause |= (params->pause.forced_tx) ? ETH_PAUSE_TX : 0;
+ phy_cfg.adv_speed = params->speed.advertised_speeds;
+ phy_cfg.loopback_mode = params->loopback_mode;
+- if (p_hwfn->mcp_info->capabilities & FW_MB_PARAM_FEATURE_SUPPORT_EEE) {
+- if (params->eee.enable)
+- phy_cfg.eee_cfg |= EEE_CFG_EEE_ENABLED;
++
++ /* There are MFWs that share this capability regardless of whether
++ * this is feasible or not. And given that at the very least adv_caps
++ * would be set internally by qed, we want to make sure LFA would
++ * still work.
++ */
++ if ((p_hwfn->mcp_info->capabilities &
++ FW_MB_PARAM_FEATURE_SUPPORT_EEE) && params->eee.enable) {
++ phy_cfg.eee_cfg |= EEE_CFG_EEE_ENABLED;
+ if (params->eee.tx_lpi_enable)
+ phy_cfg.eee_cfg |= EEE_CFG_TX_LPI;
+ if (params->eee.adv_caps & QED_EEE_1G_ADV)
diff --git a/queue-4.14/qed-fix-possible-race-for-the-link-state-value.patch b/queue-4.14/qed-fix-possible-race-for-the-link-state-value.patch
new file mode 100644
index 00000000000..6f41200c23f
--- /dev/null
+++ b/queue-4.14/qed-fix-possible-race-for-the-link-state-value.patch
@@ -0,0 +1,35 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Sudarsana Reddy Kalluru
+Date: Wed, 18 Jul 2018 22:50:03 -0700
+Subject: qed: Fix possible race for the link state value.
+
+From: Sudarsana Reddy Kalluru
+
+[ Upstream commit 58874c7b246109d8efb2b0099d1aa296d6bfc3fa ]
+
+There's a possible race where driver can read link status in mid-transition
+and see that virtual-link is up yet speed is 0. Since in this
+mid-transition we're guaranteed to see a mailbox from MFW soon, we can
+afford to treat this as link down.
+
+Fixes: cc875c2e ("qed: Add link support")
+Signed-off-by: Sudarsana Reddy Kalluru
+Signed-off-by: Ariel Elior
+Signed-off-by: Michal Kalderon
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/qlogic/qed/qed_mcp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/qlogic/qed/qed_mcp.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_mcp.c
+@@ -1182,6 +1182,7 @@ static void qed_mcp_handle_link_change(s
+ break;
+ default:
+ p_link->speed = 0;
++ p_link->link_up = 0;
+ }
+
+ if (p_link->link_up && p_link->speed)
diff --git a/queue-4.14/qmi_wwan-fix-interface-number-for-dw5821e-production-firmware.patch b/queue-4.14/qmi_wwan-fix-interface-number-for-dw5821e-production-firmware.patch
new file mode 100644
index 00000000000..29452338575
--- /dev/null
+++ b/queue-4.14/qmi_wwan-fix-interface-number-for-dw5821e-production-firmware.patch
@@ -0,0 +1,50 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Aleksander Morgado
+Date: Tue, 24 Jul 2018 01:31:07 +0200
+Subject: qmi_wwan: fix interface number for DW5821e production firmware
+
+From: Aleksander Morgado
+
+[ Upstream commit f25e1392fdb556290957142ac2da33a02cbff403 ]
+
+The original mapping for the DW5821e was done using a development
+version of the firmware. Confirmed with the vendor that the final
+USB layout ends up exposing the QMI control/data ports in USB
+config #1, interface #0, not in interface #1 (which is now a HID
+interface).
+
+T: Bus=01 Lev=03 Prnt=04 Port=00 Cnt=01 Dev#= 16 Spd=480 MxCh= 0
+D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 2
+P: Vendor=413c ProdID=81d7 Rev=03.18
+S: Manufacturer=DELL
+S: Product=DW5821e Snapdragon X20 LTE
+S: SerialNumber=0123456789ABCDEF
+C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
+I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
+I: If#= 1 Alt= 0 #EPs= 1 Cls=03(HID ) Sub=00 Prot=00 Driver=usbhid
+I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+
+Fixes: e7e197edd09c25 ("qmi_wwan: add support for the Dell Wireless 5821e module")
+Signed-off-by: Aleksander Morgado
+Acked-by: Bjørn Mork
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/qmi_wwan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -1245,7 +1245,7 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x413c, 0x81b3, 8)}, /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card (rev3) */
+ {QMI_FIXED_INTF(0x413c, 0x81b6, 8)}, /* Dell Wireless 5811e */
+ {QMI_FIXED_INTF(0x413c, 0x81b6, 10)}, /* Dell Wireless 5811e */
+- {QMI_FIXED_INTF(0x413c, 0x81d7, 1)}, /* Dell Wireless 5821e */
++ {QMI_FIXED_INTF(0x413c, 0x81d7, 0)}, /* Dell Wireless 5821e */
+ {QMI_FIXED_INTF(0x03f0, 0x4e1d, 8)}, /* HP lt4111 LTE/EV-DO/HSPA+ Gobi 4G Module */
+ {QMI_FIXED_INTF(0x03f0, 0x9d1d, 1)}, /* HP lt4120 Snapdragon X5 LTE */
+ {QMI_FIXED_INTF(0x22de, 0x9061, 3)}, /* WeTelecom WPD-600N */
diff --git a/queue-4.14/revert-mips-bcm47xx-enable-74k-core-externalsync-for-pcie-erratum.patch b/queue-4.14/revert-mips-bcm47xx-enable-74k-core-externalsync-for-pcie-erratum.patch
new file mode 100644
index 00000000000..bef3e50c15a
--- /dev/null
+++ b/queue-4.14/revert-mips-bcm47xx-enable-74k-core-externalsync-for-pcie-erratum.patch
@@ -0,0 +1,83 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: "Rafał Miłecki"
+Date: Fri, 27 Jul 2018 13:13:39 +0200
+Subject: Revert "MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum"
+
+From: "Rafał Miłecki"
+
+[ Upstream commit d5ea019f8a381f88545bb26993b62ec24a2796b7 ]
+
+This reverts commit 2a027b47dba6 ("MIPS: BCM47XX: Enable 74K Core
+ExternalSync for PCIe erratum").
+
+Enabling ExternalSync caused a regression for BCM4718A1 (used e.g. in
+Netgear E3000 and ASUS RT-N16): it simply hangs during PCIe
+initialization. It's likely that BCM4717A1 is also affected.
+
+I didn't notice that earlier as the only BCM47XX devices with PCIe I
+own are:
+1) BCM4706 with 2 x 14e4:4331
+2) BCM4706 with 14e4:4360 and 14e4:4331
+it appears that BCM4706 is unaffected.
+
+While BCM5300X-ES300-RDS.pdf seems to document that erratum and its
+workarounds (according to quotes provided by Tokunori) it seems not even
+Broadcom follows them.
+
+According to the provided info Broadcom should define CONF7_ES in their
+SDK's mipsinc.h and implement workaround in the si_mips_init(). Checking
+both didn't reveal such code. It *could* mean Broadcom also had some
+problems with the given workaround.
+
+Signed-off-by: Rafał Miłecki
+Signed-off-by: Paul Burton
+Reported-by: Michael Marley
+Patchwork: https://patchwork.linux-mips.org/patch/20032/
+URL: https://bugs.openwrt.org/index.php?do=details&task_id=1688
+Cc: Tokunori Ikegami
+Cc: Hauke Mehrtens
+Cc: Chris Packham
+Cc: James Hogan
+Cc: Ralf Baechle
+Cc: linux-mips@linux-mips.org
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/mips/bcm47xx/setup.c | 6 ------
+ arch/mips/include/asm/mipsregs.h | 3 ---
+ 2 files changed, 9 deletions(-)
+
+--- a/arch/mips/bcm47xx/setup.c
++++ b/arch/mips/bcm47xx/setup.c
+@@ -212,12 +212,6 @@ static int __init bcm47xx_cpu_fixes(void
+ */
+ if (bcm47xx_bus.bcma.bus.chipinfo.id == BCMA_CHIP_ID_BCM4706)
+ cpu_wait = NULL;
+-
+- /*
+- * BCM47XX Erratum "R10: PCIe Transactions Periodically Fail"
+- * Enable ExternalSync for sync instruction to take effect
+- */
+- set_c0_config7(MIPS_CONF7_ES);
+ break;
+ #endif
+ }
+--- a/arch/mips/include/asm/mipsregs.h
++++ b/arch/mips/include/asm/mipsregs.h
+@@ -680,8 +680,6 @@
+ #define MIPS_CONF7_WII (_ULCAST_(1) << 31)
+
+ #define MIPS_CONF7_RPS (_ULCAST_(1) << 2)
+-/* ExternalSync */
+-#define MIPS_CONF7_ES (_ULCAST_(1) << 8)
+
+ #define MIPS_CONF7_IAR (_ULCAST_(1) << 10)
+ #define MIPS_CONF7_AR (_ULCAST_(1) << 16)
+@@ -2747,7 +2745,6 @@ __BUILD_SET_C0(status)
+ __BUILD_SET_C0(cause)
+ __BUILD_SET_C0(config)
+ __BUILD_SET_C0(config5)
+-__BUILD_SET_C0(config7)
+ __BUILD_SET_C0(intcontrol)
+ __BUILD_SET_C0(intctl)
+ __BUILD_SET_C0(srsmap)
diff --git a/queue-4.14/sched-rt-restore-rt_runtime-after-disabling-rt_runtime_share.patch b/queue-4.14/sched-rt-restore-rt_runtime-after-disabling-rt_runtime_share.patch
new file mode 100644
index 00000000000..96addb35841
--- /dev/null
+++ b/queue-4.14/sched-rt-restore-rt_runtime-after-disabling-rt_runtime_share.patch
@@ -0,0 +1,72 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Hailong Liu
+Date: Wed, 18 Jul 2018 08:46:55 +0800
+Subject: sched/rt: Restore rt_runtime after disabling RT_RUNTIME_SHARE
+
+From: Hailong Liu
+
+[ Upstream commit f3d133ee0a17d5694c6f21873eec9863e11fa423 ]
+
+NO_RT_RUNTIME_SHARE feature is used to prevent a CPU borrow enough
+runtime with a spin-rt-task.
+
+However, if RT_RUNTIME_SHARE feature is enabled and rt_rq has borrowd
+enough rt_runtime at the beginning, rt_runtime can't be restored to
+its initial bandwidth rt_runtime after we disable RT_RUNTIME_SHARE.
+
+E.g. on my PC with 4 cores, procedure to reproduce:
+1) Make sure RT_RUNTIME_SHARE is enabled
+ cat /sys/kernel/debug/sched_features
+ GENTLE_FAIR_SLEEPERS START_DEBIT NO_NEXT_BUDDY LAST_BUDDY
+ CACHE_HOT_BUDDY WAKEUP_PREEMPTION NO_HRTICK NO_DOUBLE_TICK
+ LB_BIAS NONTASK_CAPACITY TTWU_QUEUE NO_SIS_AVG_CPU SIS_PROP
+ NO_WARN_DOUBLE_CLOCK RT_PUSH_IPI RT_RUNTIME_SHARE NO_LB_MIN
+ ATTACH_AGE_LOAD WA_IDLE WA_WEIGHT WA_BIAS
+2) Start a spin-rt-task
+ ./loop_rr &
+3) set affinity to the last cpu
+ taskset -p 8 $pid_of_loop_rr
+4) Observe that last cpu have borrowed enough runtime.
+ cat /proc/sched_debug | grep rt_runtime
+ .rt_runtime : 950.000000
+ .rt_runtime : 900.000000
+ .rt_runtime : 950.000000
+ .rt_runtime : 1000.000000
+5) Disable RT_RUNTIME_SHARE
+ echo NO_RT_RUNTIME_SHARE > /sys/kernel/debug/sched_features
+6) Observe that rt_runtime can not been restored
+ cat /proc/sched_debug | grep rt_runtime
+ .rt_runtime : 950.000000
+ .rt_runtime : 900.000000
+ .rt_runtime : 950.000000
+ .rt_runtime : 1000.000000
+
+This patch help to restore rt_runtime after we disable
+RT_RUNTIME_SHARE.
+
+Signed-off-by: Hailong Liu
+Signed-off-by: Jiang Biao
+Signed-off-by: Peter Zijlstra (Intel)
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Cc: zhong.weidong@zte.com.cn
+Link: http://lkml.kernel.org/r/1531874815-39357-1-git-send-email-liu.hailong6@zte.com.cn
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/sched/rt.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/sched/rt.c
++++ b/kernel/sched/rt.c
+@@ -837,6 +837,8 @@ static int do_sched_rt_period_timer(stru
+ * can be time-consuming. Try to avoid it when possible.
+ */
+ raw_spin_lock(&rt_rq->rt_runtime_lock);
++ if (!sched_feat(RT_RUNTIME_SHARE) && rt_rq->rt_runtime != RUNTIME_INF)
++ rt_rq->rt_runtime = rt_b->rt_runtime;
+ skip = !rt_rq->rt_time && !rt_rq->rt_nr_running;
+ raw_spin_unlock(&rt_rq->rt_runtime_lock);
+ if (skip)
diff --git a/queue-4.14/scsi-fcoe-clear-fc_rp_started-flags-when-receiving-a-logo.patch b/queue-4.14/scsi-fcoe-clear-fc_rp_started-flags-when-receiving-a-logo.patch
new file mode 100644
index 00000000000..c857b64c243
--- /dev/null
+++ b/queue-4.14/scsi-fcoe-clear-fc_rp_started-flags-when-receiving-a-logo.patch
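Review bot: The added `rt_rq->rt_runtime = rt_b->rt_runtime;` in do_sched_rt_period_timer() reads the bandwidth pool's value while the visible code holds only `rt_rq->rt_runtime_lock`. Whether `rt_b`'s own lock is held at this point cannot be seen from the hunk, since the function starts and ends outside it; if it is not, the read can race with a concurrent change of the RT runtime setting. Either take that lock around the read or state the assumption next to it, for example `/* rt_b->rt_runtime read without its lock; re-read every period */`, after confirming that a stale value for one period is acceptable.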
@@ -0,0 +1,52 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Johannes Thumshirn
+Date: Tue, 31 Jul 2018 15:46:03 +0200
+Subject: scsi: fcoe: clear FC_RP_STARTED flags when receiving a LOGO
+
+From: Johannes Thumshirn
+
+[ Upstream commit 1550ec458e0cf1a40a170ab1f4c46e3f52860f65 ]
+
+When receiving a LOGO request we forget to clear the FC_RP_STARTED flag
+before starting the rport delete routine.
+
+As the started flag was not cleared, we're not deleting the rport but
+waiting for a restart and thus are keeping the reference count of the rdata
+object at 1.
+
+This leads to the following kmemleak report:
+unreferenced object 0xffff88006542aa00 (size 512):
+ comm "kworker/0:2", pid 24, jiffies 4294899222 (age 226.880s)
+ hex dump (first 32 bytes):
+ 68 96 fe 65 00 88 ff ff 00 00 00 00 00 00 00 00 h..e............
+ 01 00 00 00 08 00 00 00 02 c5 45 24 ac b8 00 10 ..........E$....
+ backtrace:
+ [<(____ptrval____)>] fcoe_ctlr_vn_add.isra.5+0x7f/0x770 [libfcoe]
+ [<(____ptrval____)>] fcoe_ctlr_vn_recv+0x12af/0x27f0 [libfcoe]
+ [<(____ptrval____)>] fcoe_ctlr_recv_work+0xd01/0x32f0 [libfcoe]
+ [<(____ptrval____)>] process_one_work+0x7ff/0x1420
+ [<(____ptrval____)>] worker_thread+0x87/0xef0
+ [<(____ptrval____)>] kthread+0x2db/0x390
+ [<(____ptrval____)>] ret_from_fork+0x35/0x40
+ [<(____ptrval____)>] 0xffffffffffffffff
+
+Signed-off-by: Johannes Thumshirn
+Reported-by: ard
+Reviewed-by: Hannes Reinecke
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/libfc/fc_rport.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/libfc/fc_rport.c
++++ b/drivers/scsi/libfc/fc_rport.c
+@@ -2164,6 +2164,7 @@ static void fc_rport_recv_logo_req(struc
+ FC_RPORT_DBG(rdata, "Received LOGO request while in state %s\n",
+ fc_rport_state(rdata));
+
++ rdata->flags &= ~FC_RP_STARTED;
+ fc_rport_enter_delete(rdata, RPORT_EV_STOP);
+ mutex_unlock(&rdata->rp_mutex);
+ kref_put(&rdata->kref, fc_rport_destroy);
diff --git a/queue-4.14/scsi-fcoe-drop-frames-in-els-logo-error-path.patch b/queue-4.14/scsi-fcoe-drop-frames-in-els-logo-error-path.patch
new file mode 100644
index 00000000000..8e96ac12cff
--- /dev/null
+++ b/queue-4.14/scsi-fcoe-drop-frames-in-els-logo-error-path.patch
@@ -0,0 +1,56 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Johannes Thumshirn
+Date: Tue, 31 Jul 2018 15:46:02 +0200
+Subject: scsi: fcoe: drop frames in ELS LOGO error path
+
+From: Johannes Thumshirn
+
+[ Upstream commit 63d0e3dffda311e77b9a8c500d59084e960a824a ]
+
+Drop the frames in the ELS LOGO error path instead of just returning an
+error.
+
+This fixes the following kmemleak report:
+unreferenced object 0xffff880064cb1000 (size 424):
+ comm "kworker/0:2", pid 24, jiffies 4294904293 (age 68.504s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<(____ptrval____)>] _fc_frame_alloc+0x2c/0x180 [libfc]
+ [<(____ptrval____)>] fc_lport_enter_logo+0x106/0x360 [libfc]
+ [<(____ptrval____)>] fc_fabric_logoff+0x8c/0xc0 [libfc]
+ [<(____ptrval____)>] fcoe_if_destroy+0x79/0x3b0 [fcoe]
+ [<(____ptrval____)>] fcoe_destroy_work+0xd2/0x170 [fcoe]
+ [<(____ptrval____)>] process_one_work+0x7ff/0x1420
+ [<(____ptrval____)>] worker_thread+0x87/0xef0
+ [<(____ptrval____)>] kthread+0x2db/0x390
+ [<(____ptrval____)>] ret_from_fork+0x35/0x40
+ [<(____ptrval____)>] 0xffffffffffffffff
+
+which can be triggered by issuing
+echo eth0 > /sys/bus/fcoe/ctlr_destroy
+
+Signed-off-by: Johannes Thumshirn
+Reviewed-by: Hannes Reinecke
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/fcoe/fcoe_ctlr.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/fcoe/fcoe_ctlr.c
++++ b/drivers/scsi/fcoe/fcoe_ctlr.c
+@@ -754,9 +754,9 @@ int fcoe_ctlr_els_send(struct fcoe_ctlr
+ case ELS_LOGO:
+ if (fip->mode == FIP_MODE_VN2VN) {
+ if (fip->state != FIP_ST_VNMP_UP)
+- return -EINVAL;
++ goto drop;
+ if (ntoh24(fh->fh_d_id) == FC_FID_FLOGI)
+- return -EINVAL;
++ goto drop;
+ } else {
+ if (fip->state != FIP_ST_ENABLED)
+ return 0;
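Review bot: The two `goto drop;` lines in the `ELS_LOGO` case of `fcoe_ctlr_els_send()` depend on an ownership rule that nothing in the hunk states: on an error return the function has to consume `skb` itself. A one-line comment at the case, such as `/* error returns must free skb; the caller does not */`, would keep a later early return from reintroducing the leak (the rule is inferred from the kmemleak report, so confirm it against the caller). The `return 0;` in the `else` branch still leaves `skb` untouched, which is presumably correct if 0 tells the caller to go on and send the frame, but that is not visible here. The `drop:` label these paths now reach is outside this hunk; the series file lists scsi-fcoe-fix-use-after-free-in-fcoe_ctlr_els_send.patch first, so by the time this patch applies the label logs before it frees.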
diff --git a/queue-4.14/scsi-fcoe-fix-use-after-free-in-fcoe_ctlr_els_send.patch b/queue-4.14/scsi-fcoe-fix-use-after-free-in-fcoe_ctlr_els_send.patch
new file mode 100644
index 00000000000..ba8982527a4
--- /dev/null
+++ b/queue-4.14/scsi-fcoe-fix-use-after-free-in-fcoe_ctlr_els_send.patch
@@ -0,0 +1,39 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Johannes Thumshirn
+Date: Tue, 31 Jul 2018 15:46:01 +0200
+Subject: scsi: fcoe: fix use-after-free in fcoe_ctlr_els_send
+
+From: Johannes Thumshirn
+
+[ Upstream commit 2d7d4fd35e6e15b47c13c70368da83add19f01e7 ]
+
+KASAN reports a use-after-free in fcoe_ctlr_els_send() when we're sending a
+LOGO and have FIP debugging enabled. This is because we're first freeing
+the skb and then printing the frame's DID. But the DID is a member of the
+FC frame header which in turn is the skb's payload.
+
+Exchange the debug print and kfree_skb() calls so we're not touching the
+freed data.
+
+Signed-off-by: Johannes Thumshirn
+Reviewed-by: Hannes Reinecke
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/fcoe/fcoe_ctlr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/fcoe/fcoe_ctlr.c
++++ b/drivers/scsi/fcoe/fcoe_ctlr.c
+@@ -799,9 +799,9 @@ int fcoe_ctlr_els_send(struct fcoe_ctlr
+ fip->send(fip, skb);
+ return -EINPROGRESS;
+ drop:
+- kfree_skb(skb);
+ LIBFCOE_FIP_DBG(fip, "drop els_send op %u d_id %x\n",
+ op, ntoh24(fh->fh_d_id));
++ kfree_skb(skb);
+ return -EINVAL;
+ }
+ EXPORT_SYMBOL(fcoe_ctlr_els_send);
diff --git a/queue-4.14/scsi-libiscsi-fix-possible-null-pointer-dereference-in-case-of-tmf.patch b/queue-4.14/scsi-libiscsi-fix-possible-null-pointer-dereference-in-case-of-tmf.patch
new file mode 100644
index 00000000000..651d8c0dfc5
--- /dev/null
+++ b/queue-4.14/scsi-libiscsi-fix-possible-null-pointer-dereference-in-case-of-tmf.patch
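Review bot: At the `drop:` label of `fcoe_ctlr_els_send()` the corrected order is easy to undo, because nothing in the code marks that `fh` points into the skb that is about to be freed. I would add `/* fh points into the skb payload: log before kfree_skb() */` above the `LIBFCOE_FIP_DBG()` call. The commit message says the stale read only happened with FIP debugging enabled, so a regression here is unlikely to show up in ordinary testing without KASAN. The start of the function is outside the hunk.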
@@ -0,0 +1,69 @@ +From foo@baz Sun Aug 26 09:13:00 CEST 2018 +From: Varun Prakash +Date: Wed, 11 Jul 2018 22:09:52 +0530 +Subject: scsi: libiscsi: fix possible NULL pointer dereference in case of TMF + +From: Varun Prakash + +[ Upstream commit a17037e7d59075053b522048742a08ac9500bde8 ] + +In iscsi_check_tmf_restrictions() task->hdr is dereferenced to print the +opcode, it is possible that task->hdr is NULL. + +There are two cases based on opcode argument: + +1. ISCSI_OP_SCSI_CMD - In this case alloc_pdu() is called +after iscsi_check_tmf_restrictions() + +iscsi_prep_scsi_cmd_pdu() -> iscsi_check_tmf_restrictions() -> alloc_pdu(). + +Transport drivers allocate memory for iSCSI hdr in alloc_pdu() and assign +it to task->hdr. In case of TMF task->hdr will be NULL resulting in NULL +pointer dereference. + +2. ISCSI_OP_SCSI_DATA_OUT - In this case transport driver can free the +memory for iSCSI hdr after transmitting the pdu so task->hdr can be NULL or +invalid. + +This patch fixes this issue by removing task->hdr->opcode from the printk +statement. + +Signed-off-by: Varun Prakash +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/libiscsi.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/scsi/libiscsi.c ++++ b/drivers/scsi/libiscsi.c +@@ -284,11 +284,11 @@ static int iscsi_check_tmf_restrictions( + */ + if (opcode != ISCSI_OP_SCSI_DATA_OUT) { + iscsi_conn_printk(KERN_INFO, conn, +- "task [op %x/%x itt " ++ "task [op %x itt " + "0x%x/0x%x] " + "rejected.\n", +- task->hdr->opcode, opcode, +- task->itt, task->hdr_itt); ++ opcode, task->itt, ++ task->hdr_itt); + return -EACCES; + } + /* +@@ -297,10 +297,10 @@ static int iscsi_check_tmf_restrictions( + */ + if (conn->session->fast_abort) { + iscsi_conn_printk(KERN_INFO, conn, +- "task [op %x/%x itt " ++ "task [op %x itt " + "0x%x/0x%x] fast abort.\n", +- task->hdr->opcode, opcode, +- task->itt, task->hdr_itt); ++ opcode, task->itt, ++ task->hdr_itt); + return -EACCES; + } + break; diff --git a/queue-4.14/scsi-target-iscsi-cxgbit-fix-max-iso-npdu-calculation.patch b/queue-4.14/scsi-target-iscsi-cxgbit-fix-max-iso-npdu-calculation.patch new file mode 100644 index 00000000000..bb0e8a7293e --- /dev/null +++ b/queue-4.14/scsi-target-iscsi-cxgbit-fix-max-iso-npdu-calculation.patch 
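Review bot: Both rewritten `iscsi_conn_printk()` calls in `iscsi_check_tmf_restrictions()` stop reading `task->hdr`, but the function gets no comment saying that the pointer must not be used here. A line such as `/* task->hdr may be NULL or already freed at this point; do not dereference it */` above the first printk would help, since per the commit message the header is allocated only after this check for `ISCSI_OP_SCSI_CMD` and may already have been freed by the transport for `ISCSI_OP_SCSI_DATA_OUT`. The remaining arguments, `task->itt` and `task->hdr_itt`, are fields of `task` itself. The function begins and continues outside the two hunks.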
@@ -0,0 +1,77 @@ +From foo@baz Sun Aug 26 09:13:00 CEST 2018 +From: Varun Prakash +Date: Wed, 11 Jul 2018 22:03:43 +0530 +Subject: scsi: target: iscsi: cxgbit: fix max iso npdu calculation + +From: Varun Prakash + +[ Upstream commit 1b350ea0c2f4df9aa30426614c8eb755a8c32814 ] + +- rounddown CXGBIT_MAX_ISO_PAYLOAD by csk->emss before calculating + max_iso_npdu to get max TCP payload in multiple of mss. + +- call cxgbit_set_digest() before cxgbit_set_iso_npdu() to set + csk->submode, it is used in calculating number of iso pdus. + +Signed-off-by: Varun Prakash +Reviewed-by: Mike Christie +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/target/iscsi/cxgbit/cxgbit_target.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +--- a/drivers/target/iscsi/cxgbit/cxgbit_target.c ++++ b/drivers/target/iscsi/cxgbit/cxgbit_target.c +@@ -652,6 +652,7 @@ static int cxgbit_set_iso_npdu(struct cx + struct iscsi_param *param; + u32 mrdsl, mbl; + u32 max_npdu, max_iso_npdu; ++ u32 max_iso_payload; + + if (conn->login->leading_connection) { + param = iscsi_find_param_from_key(MAXBURSTLENGTH, +@@ -670,8 +671,10 @@ static int cxgbit_set_iso_npdu(struct cx + mrdsl = conn_ops->MaxRecvDataSegmentLength; + max_npdu = mbl / mrdsl; + +- max_iso_npdu = CXGBIT_MAX_ISO_PAYLOAD / +- (ISCSI_HDR_LEN + mrdsl + ++ max_iso_payload = rounddown(CXGBIT_MAX_ISO_PAYLOAD, csk->emss); ++ ++ max_iso_npdu = max_iso_payload / ++ (ISCSI_HDR_LEN + mrdsl + + cxgbit_digest_len[csk->submode]); + + csk->max_iso_npdu = min(max_npdu, max_iso_npdu); +@@ -741,6 +744,9 @@ static int cxgbit_set_params(struct iscs + if (conn_ops->MaxRecvDataSegmentLength > cdev->mdsl) + conn_ops->MaxRecvDataSegmentLength = cdev->mdsl; + ++ if (cxgbit_set_digest(csk)) ++ return -1; ++ + if (conn->login->leading_connection) { + param = iscsi_find_param_from_key(ERRORRECOVERYLEVEL, + conn->param_list); +@@ -764,7 +770,7 @@ static int cxgbit_set_params(struct 
iscs + if (is_t5(cdev->lldi.adapter_type)) + goto enable_ddp; + else +- goto enable_digest; ++ return 0; + } + + if (test_bit(CDEV_ISO_ENABLE, &cdev->flags)) { +@@ -781,10 +787,6 @@ enable_ddp: + } + } + +-enable_digest: +- if (cxgbit_set_digest(csk)) +- return -1; +- + return 0; + } + diff --git a/queue-4.14/scsi-vmw_pvscsi-return-did_reset-for-status-sam_stat_command_terminated.patch b/queue-4.14/scsi-vmw_pvscsi-return-did_reset-for-status-sam_stat_command_terminated.patch new file mode 100644 index 00000000000..33837c8e173 --- /dev/null +++ b/queue-4.14/scsi-vmw_pvscsi-return-did_reset-for-status-sam_stat_command_terminated.patch 
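Review bot: `rounddown(CXGBIT_MAX_ISO_PAYLOAD, csk->emss)` in `cxgbit_set_iso_npdu()` divides by `csk->emss` with no check that it is non-zero, and the hunk does not show where `emss` is set. If it can still be 0 when login parameters are processed, the modulo inside `rounddown()` faults; if it is larger than `CXGBIT_MAX_ISO_PAYLOAD`, `max_iso_payload` becomes 0 and `csk->max_iso_npdu` ends up 0. I would guard it before the division, for example `if (!csk->emss) return -1;`, assuming -1 is this function's error convention as it is in `cxgbit_set_params()`. The context line `max_npdu = mbl / mrdsl;` has the same shape with a value taken from the negotiated connection parameters. Both functions extend beyond the hunks shown.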
@@ -0,0 +1,47 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Jim Gill
+Date: Thu, 2 Aug 2018 14:13:30 -0700
+Subject: scsi: vmw_pvscsi: Return DID_RESET for status SAM_STAT_COMMAND_TERMINATED
+
+From: Jim Gill
+
+[ Upstream commit e95153b64d03c2b6e8d62e51bdcc33fcad6e0856 ]
+
+Commands that are reset are returned with status
+SAM_STAT_COMMAND_TERMINATED. PVSCSI currently returns DID_OK |
+SAM_STAT_COMMAND_TERMINATED which fails the command. Instead, set hostbyte
+to DID_RESET to allow upper layers to retry.
+
+Tested by copying a large file between two pvscsi disks on same adapter
+while performing a bus reset at 1-second intervals. Before fix, commands
+sometimes fail with DID_OK. After fix, commands observed to fail with
+DID_RESET.
+
+Signed-off-by: Jim Gill
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/vmw_pvscsi.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/scsi/vmw_pvscsi.c
++++ b/drivers/scsi/vmw_pvscsi.c
+@@ -561,9 +561,14 @@ static void pvscsi_complete_request(stru
+ (btstat == BTSTAT_SUCCESS ||
+ btstat == BTSTAT_LINKED_COMMAND_COMPLETED ||
+ btstat == BTSTAT_LINKED_COMMAND_COMPLETED_WITH_FLAG)) {
+- cmd->result = (DID_OK << 16) | sdstat;
+- if (sdstat == SAM_STAT_CHECK_CONDITION && cmd->sense_buffer)
+- cmd->result |= (DRIVER_SENSE << 24);
++ if (sdstat == SAM_STAT_COMMAND_TERMINATED) {
++ cmd->result = (DID_RESET << 16);
++ } else {
++ cmd->result = (DID_OK << 16) | sdstat;
++ if (sdstat == SAM_STAT_CHECK_CONDITION &&
++ cmd->sense_buffer)
++ cmd->result |= (DRIVER_SENSE << 24);
++ }
+ } else
+ switch (btstat) {
+ case BTSTAT_SUCCESS:
diff --git a/queue-4.14/selftests-ftrace-add-snapshot-and-tracing_on-test-case.patch b/queue-4.14/selftests-ftrace-add-snapshot-and-tracing_on-test-case.patch
new file mode 100644
index 00000000000..c6fce0b4793
--- /dev/null
+++ b/queue-4.14/selftests-ftrace-add-snapshot-and-tracing_on-test-case.patch
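Review bot: The new `SAM_STAT_COMMAND_TERMINATED` branch in `pvscsi_complete_request()` sets `cmd->result = (DID_RESET << 16);` and drops `sdstat` from the result, with no comment saying that this is deliberate. I would add `/* command was aborted by a reset: report DID_RESET so upper layers retry; status byte intentionally not propagated */` above the assignment. Whether the retries this enables are bounded is decided by the upper layers and cannot be judged from this hunk, which starts and ends inside the function.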
@@ -0,0 +1,60 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Masami Hiramatsu
+Date: Sat, 14 Jul 2018 01:28:44 +0900
+Subject: selftests/ftrace: Add snapshot and tracing_on test case
+
+From: Masami Hiramatsu
+
+[ Upstream commit 82f4f3e69c5c29bce940dd87a2c0f16c51d48d17 ]
+
+Add a testcase for checking snapshot and tracing_on
+relationship. This ensures that the snapshotting doesn't
+affect current tracing on/off settings.
+
+Link: http://lkml.kernel.org/r/153149932412.11274.15289227592627901488.stgit@devbox
+
+Cc: Tom Zanussi
+Cc: Hiraku Toyooka
+Signed-off-by: Masami Hiramatsu
+Cc: Ingo Molnar
+Cc: Shuah Khan
+Cc: linux-kselftest@vger.kernel.org
+Signed-off-by: Steven Rostedt (VMware)
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/ftrace/test.d/00basic/snapshot.tc | 28 ++++++++++++++
+ 1 file changed, 28 insertions(+)
+ create mode 100644 tools/testing/selftests/ftrace/test.d/00basic/snapshot.tc
+
+--- /dev/null
++++ b/tools/testing/selftests/ftrace/test.d/00basic/snapshot.tc
+@@ -0,0 +1,28 @@
++#!/bin/sh
++# description: Snapshot and tracing setting
++# flags: instance
++
++[ ! -f snapshot ] && exit_unsupported
++
++echo "Set tracing off"
++echo 0 > tracing_on
++
++echo "Allocate and take a snapshot"
++echo 1 > snapshot
++
++# Since trace buffer is empty, snapshot is also empty, but allocated
++grep -q "Snapshot is allocated" snapshot
++
++echo "Ensure keep tracing off"
++test `cat tracing_on` -eq 0
++
++echo "Set tracing on"
++echo 1 > tracing_on
++
++echo "Take a snapshot again"
++echo 1 > snapshot
++
++echo "Ensure keep tracing on"
++test `cat tracing_on` -eq 1
++
++exit 0
diff --git a/queue-4.14/series b/queue-4.14/series
index 77393f22b27..b40372f705d 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
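Review bot: The checks in snapshot.tc (the `grep -q "Snapshot is allocated" snapshot` line and the two `test ... -eq` lines) only fail the test if the harness runs the script with errexit, because the script ends in an unconditional `exit 0`; the hunk does not show how it is invoked. If that is not guaranteed, make each failure explicit, e.g. `test "$(cat tracing_on)" -eq 0 || exit_fail`, where quoting the substitution also keeps an empty read from turning into a `test` usage error. The script finishes with `tracing_on` set to 1 and the snapshot buffer still allocated; that may be acceptable under `# flags: instance`, but a closing `echo 0 > snapshot` would make the cleanup explicit.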
@@ -1 +1,83 @@ crypto-vmx-use-skcipher-for-ctr-fallback.patch +vti6-fix-pmtu-caching-and-reporting-on-xmit.patch +xfrm-fix-missing-dst_release-after-policy-blocking-lbcast-and-multicast.patch +xfrm-free-skb-if-nlsk-pointer-is-null.patch +esp6-fix-memleak-on-error-path-in-esp6_input.patch +mac80211-add-stations-tied-to-ap_vlans-during-hw-reconfig.patch +ext4-clear-mmp-sequence-number-when-remounting-read-only.patch +nl80211-add-a-missing-break-in-parse_station_flags.patch +drm-bridge-adv7511-reset-registers-on-hotplug.patch +scsi-target-iscsi-cxgbit-fix-max-iso-npdu-calculation.patch +scsi-libiscsi-fix-possible-null-pointer-dereference-in-case-of-tmf.patch +drm-re-enable-error-handling.patch +drm-imx-imx-ldb-disable-ldb-on-driver-bind.patch +drm-imx-imx-ldb-check-if-channel-is-enabled-before-printing-warning.patch +nbd-don-t-requeue-the-same-request-twice.patch +nbd-handle-unexpected-replies-better.patch +usb-gadget-r8a66597-fix-two-possible-sleep-in-atomic-context-bugs-in-init_controller.patch +usb-gadget-r8a66597-fix-a-possible-sleep-in-atomic-context-bugs-in-r8a66597_queue.patch +usb-gadget-f_uac2-fix-error-handling-in-afunc_bind-again.patch +usb-gadget-u_audio-fix-pcm-card-naming-in-g_audio_setup.patch +usb-gadget-u_audio-update-hw_ptr-in-iso_complete-after-data-copied.patch +usb-gadget-u_audio-remove-caching-of-stream-buffer-parameters.patch +usb-gadget-u_audio-remove-cached-period-bytes-value.patch +usb-gadget-u_audio-protect-stream-runtime-fields-with-stream-spinlock.patch +usb-phy-fix-ppc64-build-errors-in-phy-fsl-usb.c.patch +tools-usb-ffs-test-fix-build-on-big-endian-systems.patch +usb-gadget-f_uac2-fix-endianness-of-struct-cntrl_-_lay3.patch +netfilter-nft_set_hash-add-rcu_barrier-in-the-nft_rhash_destroy.patch +bpf-ppc64-fix-unexpected-r0-0-exit-path-inside-bpf_xadd.patch +netfilter-nf_tables-fix-memory-leaks-on-chain-rename.patch +netfilter-nf_tables-don-t-allow-to-rename-to-already-pending-name.patch 
+kvm-vmx-use-local-variable-for-current_vmptr-when-emulating-vmptrst.patch +tools-power-turbostat-fix-s-on-up-systems.patch +net-caif-add-a-missing-rcu_read_unlock-in-caif_flow_cb.patch +qed-fix-link-flap-issue-due-to-mismatching-eee-capabilities.patch +qed-fix-possible-race-for-the-link-state-value.patch +qed-correct-multicast-api-to-reflect-existence-of-256-approximate-buckets.patch +atl1c-reserve-min-skb-headroom.patch +net-prevent-isa-drivers-from-building-on-ppc32.patch +can-mpc5xxx_can-check-of_iomap-return-before-use.patch +can-m_can-move-accessing-of-message-ram-to-after-clocks-are-enabled.patch +i2c-davinci-avoid-zero-value-of-clkh.patch +perf-x86-amd-ibs-don-t-access-non-started-event.patch +media-staging-omap4iss-include-asm-cacheflush.h-after-generic-includes.patch +bnx2x-fix-invalid-memory-access-in-rss-hash-config-path.patch +qmi_wwan-fix-interface-number-for-dw5821e-production-firmware.patch +net-axienet-fix-double-deregister-of-mdio.patch +locking-rtmutex-allow-specifying-a-subclass-for-nested-locking.patch +i2c-mux-locking-core-annotate-the-nested-rt_mutex-usage.patch +sched-rt-restore-rt_runtime-after-disabling-rt_runtime_share.patch +x86-boot-fix-if_changed-build-flip-flop-bug.patch +fscache-allow-cancelled-operations-to-be-enqueued.patch +cachefiles-fix-refcounting-bug-in-backing-file-read-monitoring.patch +cachefiles-wait-rather-than-bug-ing-on-unexpected-object-collision.patch +selftests-ftrace-add-snapshot-and-tracing_on-test-case.patch +hinic-link-the-logical-network-device-to-the-pci-device-in-sysfs.patch +ipc-sem.c-prevent-queue.status-tearing-in-semop.patch +zswap-re-check-zswap_is_full-after-do-zswap_shrink.patch +tools-power-turbostat-read-extended-processor-family-from-cpuid.patch +revert-mips-bcm47xx-enable-74k-core-externalsync-for-pcie-erratum.patch +arc-dma-setup-smp_cache_bytes-and-cache_line_size.patch +bpf-use-gfp_atomic-instead-of-gfp_kernel-in-bpf_parse_prog.patch +nfp-flower-fix-port-metadata-conversion-bug.patch 
+enic-handle-mtu-change-for-vf-properly.patch +arc-add-missing-struct-nps_host_reg_aux_dpc.patch +arc-fix-data-type-errors-in-platform-headers.patch +arc-fix-printk-warning-in-arc-plat-eznps-mtm.c.patch +arc-fix-build-errors-in-arc-include-asm-delay.h.patch +arc-fix-type-warnings-in-arc-mm-cache.c.patch +sparc-time-add-missing-__init-to-init_tick_ops.patch +sparc-use-asm-generic-version-of-msi.h.patch +enic-do-not-call-enic_change_mtu-in-enic_probe.patch +squashfs-metadata-2-electric-boogaloo.patch +mm-delete-historical-bug-from-zap_pmd_range.patch +squashfs-compute-expected-length-from-inode-size-rather-than-block-length.patch +drivers-net-lmc-fix-case-value-for-target-abort-error.patch +memcg-remove-memcg_cgroup-id-from-idr-on-mem_cgroup_css_alloc-failure.patch +gpiolib-acpi-make-sure-we-trigger-edge-events-at-least-once-on-boot.patch +scsi-fcoe-fix-use-after-free-in-fcoe_ctlr_els_send.patch +scsi-fcoe-drop-frames-in-els-logo-error-path.patch +scsi-fcoe-clear-fc_rp_started-flags-when-receiving-a-logo.patch +scsi-vmw_pvscsi-return-did_reset-for-status-sam_stat_command_terminated.patch +mm-memory.c-check-return-value-of-ioremap_prot.patch diff --git a/queue-4.14/sparc-time-add-missing-__init-to-init_tick_ops.patch b/queue-4.14/sparc-time-add-missing-__init-to-init_tick_ops.patch new file mode 100644 index 00000000000..f942d195589 --- /dev/null +++ b/queue-4.14/sparc-time-add-missing-__init-to-init_tick_ops.patch 
@@ -0,0 +1,37 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: "Steven Rostedt (VMware)"
+Date: Wed, 6 Jun 2018 10:11:10 -0400
+Subject: sparc/time: Add missing __init to init_tick_ops()
+
+From: "Steven Rostedt (VMware)"
+
+[ Upstream commit 6f57ed681ed817a4ec444e83f3aa2ad695d5ef34 ]
+
+Code that was added to force gcc not to inline any function that isn't
+explicitly declared as inline uncovered that init_tick_ops() isn't
+marked as "__init". It is only called by __init functions and more
+importantly it too calls an __init function which would require it to be
+__init as well.
+
+Link: http://lkml.kernel.org/r/201806060444.hdHcKOBy%fengguang.wu@intel.com
+
+Reported-by: kbuild test robot
+Signed-off-by: Steven Rostedt (VMware)
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/sparc/kernel/time_64.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/sparc/kernel/time_64.c
++++ b/arch/sparc/kernel/time_64.c
+@@ -813,7 +813,7 @@ static void __init get_tick_patch(void)
+ }
+ }
+
+-static void init_tick_ops(struct sparc64_tick_ops *ops)
++static void __init init_tick_ops(struct sparc64_tick_ops *ops)
+ {
+ unsigned long freq, quotient, tick;
+
diff --git a/queue-4.14/sparc-use-asm-generic-version-of-msi.h.patch b/queue-4.14/sparc-use-asm-generic-version-of-msi.h.patch
new file mode 100644
index 00000000000..e02502a0543
--- /dev/null
+++ b/queue-4.14/sparc-use-asm-generic-version-of-msi.h.patch
@@ -0,0 +1,61 @@ +From foo@baz Sun Aug 26 09:13:00 CEST 2018 +From: Thomas Petazzoni +Date: Tue, 24 Jul 2018 13:53:05 +0200 +Subject: sparc: use asm-generic version of msi.h + +From: Thomas Petazzoni + +[ Upstream commit 12be1036c536f849ad6f9bba73cffa708aa965c3 ] + +This is necessary to be able to include when +CONFIG_GENERIC_MSI_IRQ_DOMAIN is enabled. Without this, a build with +CONFIG_GENERIC_MSI_IRQ_DOMAIN fails with: + + In file included from drivers//ata/ahci.c:45:0: +>> include/linux/msi.h:226:10: error: unknown type name 'msi_alloc_info_t'; did you mean 'sg_alloc_fn'? + msi_alloc_info_t *arg); + ^~~~~~~~~~~~~~~~ + sg_alloc_fn + include/linux/msi.h:230:9: error: unknown type name 'msi_alloc_info_t'; did you mean 'sg_alloc_fn'? + msi_alloc_info_t *arg); + ^~~~~~~~~~~~~~~~ + sg_alloc_fn + include/linux/msi.h:239:12: error: unknown type name 'msi_alloc_info_t'; did you mean 'sg_alloc_fn'? + msi_alloc_info_t *arg); + ^~~~~~~~~~~~~~~~ + sg_alloc_fn + include/linux/msi.h:240:22: error: unknown type name 'msi_alloc_info_t'; did you mean 'sg_alloc_fn'? + void (*msi_finish)(msi_alloc_info_t *arg, int retval); + ^~~~~~~~~~~~~~~~ + sg_alloc_fn + include/linux/msi.h:241:20: error: unknown type name 'msi_alloc_info_t'; did you mean 'sg_alloc_fn'? + void (*set_desc)(msi_alloc_info_t *arg, + ^~~~~~~~~~~~~~~~ + sg_alloc_fn + include/linux/msi.h:316:18: error: unknown type name 'msi_alloc_info_t'; did you mean 'sg_alloc_fn'? + int nvec, msi_alloc_info_t *args); + ^~~~~~~~~~~~~~~~ + sg_alloc_fn + include/linux/msi.h:318:29: error: unknown type name 'msi_alloc_info_t'; did you mean 'sg_alloc_fn'? + int virq, int nvec, msi_alloc_info_t *args); + ^~~~~~~~~~~~~~~~ + sg_alloc_fn + +Signed-off-by: Thomas Petazzoni +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/sparc/include/asm/Kbuild | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/sparc/include/asm/Kbuild ++++ b/arch/sparc/include/asm/Kbuild +@@ -14,6 +14,7 @@ generic-y += local64.h + generic-y += mcs_spinlock.h + generic-y += mm-arch-hooks.h + generic-y += module.h ++generic-y += msi.h + generic-y += preempt.h + generic-y += rwsem.h + generic-y += serial.h diff --git a/queue-4.14/squashfs-compute-expected-length-from-inode-size-rather-than-block-length.patch b/queue-4.14/squashfs-compute-expected-length-from-inode-size-rather-than-block-length.patch new file mode 100644 index 00000000000..6e020290b2f --- /dev/null +++ b/queue-4.14/squashfs-compute-expected-length-from-inode-size-rather-than-block-length.patch 
@@ -0,0 +1,179 @@ +From foo@baz Sun Aug 26 09:13:00 CEST 2018 +From: Phillip Lougher +Date: Thu, 2 Aug 2018 16:45:15 +0100 +Subject: Squashfs: Compute expected length from inode size rather than block length + +From: Phillip Lougher + +[ Upstream commit a3f94cb99a854fa381fe7fadd97c4f61633717a5 ] + +Previously in squashfs_readpage() when copying data into the page +cache, it used the length of the datablock read from the filesystem +(after decompression). However, if the filesystem has been corrupted +this data block may be short, which will leave pages unfilled. + +The fix for this is to compute the expected number of bytes to copy +from the inode size, and use this to detect if the block is short. + +Signed-off-by: Phillip Lougher +Tested-by: Willy Tarreau +Cc: Анатолий Тросиненко +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/squashfs/file.c | 25 ++++++++++--------------- + fs/squashfs/file_cache.c | 4 ++-- + fs/squashfs/file_direct.c | 16 +++++++++++----- + fs/squashfs/squashfs.h | 2 +- + 4 files changed, 24 insertions(+), 23 deletions(-) + +--- a/fs/squashfs/file.c ++++ b/fs/squashfs/file.c +@@ -431,10 +431,9 @@ skip_page: + } + + /* Read datablock stored packed inside a fragment (tail-end packed block) */ +-static int squashfs_readpage_fragment(struct page *page) ++static int squashfs_readpage_fragment(struct page *page, int expected) + { + struct inode *inode = page->mapping->host; +- struct squashfs_sb_info *msblk = inode->i_sb->s_fs_info; + struct squashfs_cache_entry *buffer = squashfs_get_fragment(inode->i_sb, + squashfs_i(inode)->fragment_block, + squashfs_i(inode)->fragment_size); +@@ -445,23 +444,16 @@ static int squashfs_readpage_fragment(st + squashfs_i(inode)->fragment_block, + squashfs_i(inode)->fragment_size); + else +- squashfs_copy_cache(page, buffer, i_size_read(inode) & +- (msblk->block_size - 1), ++ squashfs_copy_cache(page, buffer, expected, + squashfs_i(inode)->fragment_offset); + + 
squashfs_cache_put(buffer); + return res; + } + +-static int squashfs_readpage_sparse(struct page *page, int index, int file_end) ++static int squashfs_readpage_sparse(struct page *page, int expected) + { +- struct inode *inode = page->mapping->host; +- struct squashfs_sb_info *msblk = inode->i_sb->s_fs_info; +- int bytes = index == file_end ? +- (i_size_read(inode) & (msblk->block_size - 1)) : +- msblk->block_size; +- +- squashfs_copy_cache(page, NULL, bytes, 0); ++ squashfs_copy_cache(page, NULL, expected, 0); + return 0; + } + +@@ -471,6 +463,9 @@ static int squashfs_readpage(struct file + struct squashfs_sb_info *msblk = inode->i_sb->s_fs_info; + int index = page->index >> (msblk->block_log - PAGE_SHIFT); + int file_end = i_size_read(inode) >> msblk->block_log; ++ int expected = index == file_end ? ++ (i_size_read(inode) & (msblk->block_size - 1)) : ++ msblk->block_size; + int res; + void *pageaddr; + +@@ -489,11 +484,11 @@ static int squashfs_readpage(struct file + goto error_out; + + if (bsize == 0) +- res = squashfs_readpage_sparse(page, index, file_end); ++ res = squashfs_readpage_sparse(page, expected); + else +- res = squashfs_readpage_block(page, block, bsize); ++ res = squashfs_readpage_block(page, block, bsize, expected); + } else +- res = squashfs_readpage_fragment(page); ++ res = squashfs_readpage_fragment(page, expected); + + if (!res) + return 0; +--- a/fs/squashfs/file_cache.c ++++ b/fs/squashfs/file_cache.c +@@ -20,7 +20,7 @@ + #include "squashfs.h" + + /* Read separately compressed datablock and memcopy into page cache */ +-int squashfs_readpage_block(struct page *page, u64 block, int bsize) ++int squashfs_readpage_block(struct page *page, u64 block, int bsize, int expected) + { + struct inode *i = page->mapping->host; + struct squashfs_cache_entry *buffer = squashfs_get_datablock(i->i_sb, +@@ -31,7 +31,7 @@ int squashfs_readpage_block(struct page + ERROR("Unable to read page, block %llx, size %x\n", block, + bsize); + else +- 
squashfs_copy_cache(page, buffer, buffer->length, 0); ++ squashfs_copy_cache(page, buffer, expected, 0); + + squashfs_cache_put(buffer); + return res; +--- a/fs/squashfs/file_direct.c ++++ b/fs/squashfs/file_direct.c +@@ -21,10 +21,11 @@ + #include "page_actor.h" + + static int squashfs_read_cache(struct page *target_page, u64 block, int bsize, +- int pages, struct page **page); ++ int pages, struct page **page, int bytes); + + /* Read separately compressed datablock directly into page cache */ +-int squashfs_readpage_block(struct page *target_page, u64 block, int bsize) ++int squashfs_readpage_block(struct page *target_page, u64 block, int bsize, ++ int expected) + + { + struct inode *inode = target_page->mapping->host; +@@ -83,7 +84,7 @@ int squashfs_readpage_block(struct page + * using an intermediate buffer. + */ + res = squashfs_read_cache(target_page, block, bsize, pages, +- page); ++ page, expected); + if (res < 0) + goto mark_errored; + +@@ -95,6 +96,11 @@ int squashfs_readpage_block(struct page + if (res < 0) + goto mark_errored; + ++ if (res != expected) { ++ res = -EIO; ++ goto mark_errored; ++ } ++ + /* Last page may have trailing bytes not filled */ + bytes = res % PAGE_SIZE; + if (bytes) { +@@ -138,12 +144,12 @@ out: + + + static int squashfs_read_cache(struct page *target_page, u64 block, int bsize, +- int pages, struct page **page) ++ int pages, struct page **page, int bytes) + { + struct inode *i = target_page->mapping->host; + struct squashfs_cache_entry *buffer = squashfs_get_datablock(i->i_sb, + block, bsize); +- int bytes = buffer->length, res = buffer->error, n, offset = 0; ++ int res = buffer->error, n, offset = 0; + + if (res) { + ERROR("Unable to read page, block %llx, size %x\n", block, +--- a/fs/squashfs/squashfs.h ++++ b/fs/squashfs/squashfs.h +@@ -72,7 +72,7 @@ void squashfs_copy_cache(struct page *, + int); + + /* file_xxx.c */ +-extern int squashfs_readpage_block(struct page *, u64, int); ++extern int squashfs_readpage_block(struct 
page *, u64, int, int); + + /* id.c */ + extern int squashfs_get_id(struct super_block *, unsigned int, unsigned int *); diff --git a/queue-4.14/squashfs-metadata-2-electric-boogaloo.patch b/queue-4.14/squashfs-metadata-2-electric-boogaloo.patch new file mode 100644 index 00000000000..ce6204d6f1e --- /dev/null +++ b/queue-4.14/squashfs-metadata-2-electric-boogaloo.patch 
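Review bot: The file_cache.c variant of `squashfs_readpage_block()` now passes `expected` to `squashfs_copy_cache()` but, unlike the file_direct.c variant with its `if (res != expected) { res = -EIO; goto mark_errored; }`, never compares it with `buffer->length`, so a short block still returns `res == 0` from that function. Detection then rests entirely on the per-page copy inside `squashfs_copy_cache()`, which in this queue comes from squashfs-metadata-2-electric-boogaloo.patch (listed earlier in the series file). I would at least record that dependency with `/* short blocks are caught per page in squashfs_copy_cache() */` at the call, or mirror the direct path with an explicit length check. `expected` is itself derived from `i_size_read(inode)`, so it is only as trustworthy as the inode size, and the range checks on the page index in `squashfs_readpage()` are outside these hunks.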
@@ -0,0 +1,125 @@ +From foo@baz Sun Aug 26 09:13:00 CEST 2018 +From: Linus Torvalds +Date: Wed, 1 Aug 2018 10:38:43 -0700 +Subject: squashfs metadata 2: electric boogaloo + +From: Linus Torvalds + +[ Upstream commit cdbb65c4c7ead680ebe54f4f0d486e2847a500ea ] + +Anatoly continues to find issues with fuzzed squashfs images. + +This time, corrupt, missing, or undersized data for the page filling +wasn't checked for, because the squashfs_{copy,read}_cache() functions +did the squashfs_copy_data() call without checking the resulting data +size. + +Which could result in the page cache pages being incompletely filled in, +and no error indication to the user space reading garbage data. + +So make a helper function for the "fill in pages" case, because the +exact same incomplete sequence existed in two places. + +[ I should have made a squashfs branch for these things, but I didn't + intend to start doing them in the first place. + + My historical connection through cramfs is why I got into looking at + these issues at all, and every time I (continue to) think it's a + one-off. + + Because _this_ time is always the last time. Right? 
- Linus ] + +Reported-by: Anatoly Trosinenko +Tested-by: Willy Tarreau +Cc: Al Viro +Cc: Phillip Lougher +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/squashfs/file.c | 25 ++++++++++++++++++------- + fs/squashfs/file_direct.c | 8 +------- + fs/squashfs/squashfs.h | 1 + + 3 files changed, 20 insertions(+), 14 deletions(-) + +--- a/fs/squashfs/file.c ++++ b/fs/squashfs/file.c +@@ -374,13 +374,29 @@ static int read_blocklist(struct inode * + return squashfs_block_size(size); + } + ++void squashfs_fill_page(struct page *page, struct squashfs_cache_entry *buffer, int offset, int avail) ++{ ++ int copied; ++ void *pageaddr; ++ ++ pageaddr = kmap_atomic(page); ++ copied = squashfs_copy_data(pageaddr, buffer, offset, avail); ++ memset(pageaddr + copied, 0, PAGE_SIZE - copied); ++ kunmap_atomic(pageaddr); ++ ++ flush_dcache_page(page); ++ if (copied == avail) ++ SetPageUptodate(page); ++ else ++ SetPageError(page); ++} ++ + /* Copy data into page cache */ + void squashfs_copy_cache(struct page *page, struct squashfs_cache_entry *buffer, + int bytes, int offset) + { + struct inode *inode = page->mapping->host; + struct squashfs_sb_info *msblk = inode->i_sb->s_fs_info; +- void *pageaddr; + int i, mask = (1 << (msblk->block_log - PAGE_SHIFT)) - 1; + int start_index = page->index & ~mask, end_index = start_index | mask; + +@@ -406,12 +422,7 @@ void squashfs_copy_cache(struct page *pa + if (PageUptodate(push_page)) + goto skip_page; + +- pageaddr = kmap_atomic(push_page); +- squashfs_copy_data(pageaddr, buffer, offset, avail); +- memset(pageaddr + avail, 0, PAGE_SIZE - avail); +- kunmap_atomic(pageaddr); +- flush_dcache_page(push_page); +- SetPageUptodate(push_page); ++ squashfs_fill_page(push_page, buffer, offset, avail); + skip_page: + unlock_page(push_page); + if (i != page->index) +--- a/fs/squashfs/file_direct.c ++++ b/fs/squashfs/file_direct.c +@@ -144,7 +144,6 @@ static int squashfs_read_cache(struct pa + struct 
squashfs_cache_entry *buffer = squashfs_get_datablock(i->i_sb, + block, bsize); + int bytes = buffer->length, res = buffer->error, n, offset = 0; +- void *pageaddr; + + if (res) { + ERROR("Unable to read page, block %llx, size %x\n", block, +@@ -159,12 +158,7 @@ static int squashfs_read_cache(struct pa + if (page[n] == NULL) + continue; + +- pageaddr = kmap_atomic(page[n]); +- squashfs_copy_data(pageaddr, buffer, offset, avail); +- memset(pageaddr + avail, 0, PAGE_SIZE - avail); +- kunmap_atomic(pageaddr); +- flush_dcache_page(page[n]); +- SetPageUptodate(page[n]); ++ squashfs_fill_page(page[n], buffer, offset, avail); + unlock_page(page[n]); + if (page[n] != target_page) + put_page(page[n]); +--- a/fs/squashfs/squashfs.h ++++ b/fs/squashfs/squashfs.h +@@ -67,6 +67,7 @@ extern __le64 *squashfs_read_fragment_in + u64, u64, unsigned int); + + /* file.c */ ++void squashfs_fill_page(struct page *, struct squashfs_cache_entry *, int, int); + void squashfs_copy_cache(struct page *, struct squashfs_cache_entry *, int, + int); + diff --git a/queue-4.14/tools-power-turbostat-fix-s-on-up-systems.patch b/queue-4.14/tools-power-turbostat-fix-s-on-up-systems.patch new file mode 100644 index 00000000000..b8205230988 --- /dev/null +++ b/queue-4.14/tools-power-turbostat-fix-s-on-up-systems.patch 
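Review bot: The new `squashfs_fill_page()` computes `memset(pageaddr + copied, 0, PAGE_SIZE - copied)` straight from the return value of `squashfs_copy_data()` without bounding it, and the helper is non-static and declared in squashfs.h with no contract comment. If `copied` could ever be negative or larger than `PAGE_SIZE`, the start or length of that memset falls outside the mapped page; the callers' computation of `avail` is outside the hunks, so I cannot confirm the bound from here. I would state the precondition in a header comment, e.g. `/* avail must be <= PAGE_SIZE; a short copy zero-fills the rest and sets PageError */`, so the two call sites and any future one are held to it.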
@@ -0,0 +1,32 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Len Brown
+Date: Fri, 20 Jul 2018 14:47:03 -0400
+Subject: tools/power turbostat: fix -S on UP systems
+
+From: Len Brown
+
+[ Upstream commit 9d83601a9cc1884d1b5706ee2acc661d558c6838 ]
+
+The -S (system summary) option failed to print any data on a 1-processor system.
+
+Reported-by: Artem Bityutskiy
+Signed-off-by: Len Brown
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/power/x86/turbostat/turbostat.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/tools/power/x86/turbostat/turbostat.c
++++ b/tools/power/x86/turbostat/turbostat.c
+@@ -1038,9 +1038,7 @@ void format_all_counters(struct thread_d
+ if (!printed || !summary_only)
+ print_header("\t");
+
+- if (topo.num_cpus > 1)
+- format_counters(&average.threads, &average.cores,
+- &average.packages);
++ format_counters(&average.threads, &average.cores, &average.packages);
+
+ printed = 1;
+
diff --git a/queue-4.14/tools-power-turbostat-read-extended-processor-family-from-cpuid.patch b/queue-4.14/tools-power-turbostat-read-extended-processor-family-from-cpuid.patch
new file mode 100644
index 00000000000..c3580e6ff84
--- /dev/null
+++ b/queue-4.14/tools-power-turbostat-read-extended-processor-family-from-cpuid.patch
@@ -0,0 +1,41 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Calvin Walton
+Date: Fri, 27 Jul 2018 07:50:53 -0400
+Subject: tools/power turbostat: Read extended processor family from CPUID
+
+From: Calvin Walton
+
+[ Upstream commit 5aa3d1a20a233d4a5f1ec3d62da3f19d9afea682 ]
+
+This fixes the reported family on modern AMD processors (e.g. Ryzen,
+which is family 0x17). Previously these processors all showed up as
+family 0xf.
+
+See the document
+https://support.amd.com/TechDocs/56255_OSRR.pdf
+section CPUID_Fn00000001_EAX for how to calculate the family
+from the BaseFamily and ExtFamily values.
+
+This matches the code in arch/x86/lib/cpu.c
+
+Signed-off-by: Calvin Walton
+Signed-off-by: Len Brown
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/power/x86/turbostat/turbostat.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/tools/power/x86/turbostat/turbostat.c
++++ b/tools/power/x86/turbostat/turbostat.c
+@@ -4029,7 +4029,9 @@ void process_cpuid()
+ family = (fms >> 8) & 0xf;
+ model = (fms >> 4) & 0xf;
+ stepping = fms & 0xf;
+- if (family == 6 || family == 0xf)
++ if (family == 0xf)
++ family += (fms >> 20) & 0xff;
++ if (family >= 6)
+ model += ((fms >> 16) & 0xf) << 4;
+
+ if (!quiet) {
diff --git a/queue-4.14/tools-usb-ffs-test-fix-build-on-big-endian-systems.patch b/queue-4.14/tools-usb-ffs-test-fix-build-on-big-endian-systems.patch
new file mode 100644
index 00000000000..47422299989
--- /dev/null
+++ b/queue-4.14/tools-usb-ffs-test-fix-build-on-big-endian-systems.patch
@@ -0,0 +1,71 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Peter Senna Tschudin
+Date: Tue, 10 Jul 2018 16:01:45 +0200
+Subject: tools: usb: ffs-test: Fix build on big endian systems
+
+From: Peter Senna Tschudin
+
+[ Upstream commit a2b22dddc7bb6110ac3b5ed1a60aa9279836fadb ]
+
+The tools/usb/ffs-test.c file defines cpu_to_le16/32 by using the C
+library htole16/32 function calls. However, cpu_to_le16/32 are used when
+initializing structures, i.e in a context where a function call is not
+allowed.
+
+It works fine on little endian systems because htole16/32 are defined by
+the C library as no-ops. But on big-endian systems, they are actually
+doing something, which might involve calling a function, causing build
+failures, such as:
+
+ ffs-test.c:48:25: error: initializer element is not constant
+ #define cpu_to_le32(x) htole32(x)
+ ^~~~~~~
+ ffs-test.c:128:12: note: in expansion of macro ‘cpu_to_le32’
+ .magic = cpu_to_le32(FUNCTIONFS_DESCRIPTORS_MAGIC_V2),
+ ^~~~~~~~~~~
+
+To solve this, we code cpu_to_le16/32 in a way that allows them to be
+used when initializing structures. This fix was imported from
+meta-openembedded/android-tools/fix-big-endian-build.patch written by
+Thomas Petazzoni .
+
+CC: Thomas Petazzoni
+Signed-off-by: Peter Senna Tschudin
+Signed-off-by: Felipe Balbi
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/usb/ffs-test.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+--- a/tools/usb/ffs-test.c
++++ b/tools/usb/ffs-test.c
+@@ -44,12 +44,25 @@
+
+ /******************** Little Endian Handling ********************************/
+
+-#define cpu_to_le16(x) htole16(x)
+-#define cpu_to_le32(x) htole32(x)
++/*
++ * cpu_to_le16/32 are used when initializing structures, a context where a
++ * function call is not allowed. To solve this, we code cpu_to_le16/32 in a way
++ * that allows them to be used when initializing structures.
++ */
++
++#if __BYTE_ORDER == __LITTLE_ENDIAN
++#define cpu_to_le16(x) (x)
++#define cpu_to_le32(x) (x)
++#else
++#define cpu_to_le16(x) ((((x) >> 8) & 0xffu) | (((x) & 0xffu) << 8))
++#define cpu_to_le32(x) \
++ ((((x) & 0xff000000u) >> 24) | (((x) & 0x00ff0000u) >> 8) | \
++ (((x) & 0x0000ff00u) << 8) | (((x) & 0x000000ffu) << 24))
++#endif
++
+ #define le32_to_cpu(x) le32toh(x)
+ #define le16_to_cpu(x) le16toh(x)
+
+-
+ /******************** Messages and Errors ***********************************/
+
+ static const char argv0[] = "ffs-test";
diff --git a/queue-4.14/usb-gadget-f_uac2-fix-endianness-of-struct-cntrl_-_lay3.patch b/queue-4.14/usb-gadget-f_uac2-fix-endianness-of-struct-cntrl_-_lay3.patch
new file mode 100644
index 00000000000..89ce99a4ddd
--- /dev/null
+++ b/queue-4.14/usb-gadget-f_uac2-fix-endianness-of-struct-cntrl_-_lay3.patch
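Review bot: The added `#if __BYTE_ORDER == __LITTLE_ENDIAN` in tools/usb/ffs-test.c silently picks the identity macros when neither symbol is defined, because the preprocessor evaluates undefined identifiers as 0. The hunk does not show the include list above line 44, so it is worth confirming that `<endian.h>` is pulled in there; a guard such as `#if !defined(__BYTE_ORDER) || !defined(__LITTLE_ENDIAN)` followed by `#error "byte order not defined"` would turn a wrong descriptor layout into a build failure. The big-endian `cpu_to_le16`/`cpu_to_le32` also evaluate `x` more than once, which is fine for the constant initializers the comment describes but should be stated in it, e.g. `* The argument is evaluated several times; pass only side-effect-free expressions.`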
@@ -0,0 +1,96 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Eugeniu Rosca
+Date: Mon, 2 Jul 2018 23:46:47 +0200
+Subject: usb: gadget: f_uac2: fix endianness of 'struct cntrl_*_lay3'
+
+From: Eugeniu Rosca
+
+[ Upstream commit eec24f2a0d4dc3b1d95a3ccd2feb523ede3ba775 ]
+
+The list [1] of commits doing endianness fixes in USB subsystem is long
+due to below quote from USB spec Revision 2.0 from April 27, 2000:
+
+------------
+8.1 Byte/Bit Ordering
+
+Multiple byte fields in standard descriptors, requests, and responses
+are interpreted as and moved over the bus in little-endian order, i.e.
+LSB to MSB.
+------------
+
+This commit belongs to the same family.
+
+[1] Example of endianness fixes in USB subsystem:
+commit 14e1d56cbea6 ("usb: gadget: f_uac2: endianness fixes.")
+commit 42370b821168 ("usb: gadget: f_uac1: endianness fixes.")
+commit 63afd5cc7877 ("USB: chaoskey: fix Alea quirk on big-endian hosts")
+commit 74098c4ac782 ("usb: gadget: acm: fix endianness in notifications")
+commit cdd7928df0d2 ("ACM gadget: fix endianness in notifications")
+commit 323ece54e076 ("cdc-wdm: fix endianness bug in debug statements")
+commit e102609f1072 ("usb: gadget: uvc: Fix endianness mismatches")
+ list goes on
+
+Fixes: 132fcb460839 ("usb: gadget: Add Audio Class 2.0 Driver")
+Signed-off-by: Eugeniu Rosca
+Reviewed-by: Ruslan Bilovol
+Signed-off-by: Felipe Balbi
+
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/function/f_uac2.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_uac2.c
++++ b/drivers/usb/gadget/function/f_uac2.c
+@@ -442,14 +442,14 @@ static struct usb_descriptor_header *hs_
+ };
+
+ struct cntrl_cur_lay3 {
+- __u32 dCUR;
++ __le32 dCUR;
+ };
+
+ struct cntrl_range_lay3 {
+- __u16 wNumSubRanges;
+- __u32 dMIN;
+- __u32 dMAX;
+- __u32 dRES;
++ __le16 wNumSubRanges;
++ __le32 dMIN;
++ __le32 dMAX;
++ __le32 dRES;
+ } __packed;
+
+ static void set_ep_max_packet_size(const struct f_uac2_opts *uac2_opts,
+@@ -707,9 +707,9 @@ in_rq_cur(struct usb_function *fn, const
+ memset(&c, 0, sizeof(struct cntrl_cur_lay3));
+
+ if (entity_id == USB_IN_CLK_ID)
+- c.dCUR = p_srate;
++ c.dCUR = cpu_to_le32(p_srate);
+ else if (entity_id == USB_OUT_CLK_ID)
+- c.dCUR = c_srate;
++ c.dCUR = cpu_to_le32(c_srate);
+
+ value = min_t(unsigned, w_length, sizeof c);
+ memcpy(req->buf, &c, value);
+@@ -746,15 +746,15 @@ in_rq_range(struct usb_function *fn, con
+
+ if (control_selector == UAC2_CS_CONTROL_SAM_FREQ) {
+ if (entity_id == USB_IN_CLK_ID)
+- r.dMIN = p_srate;
++ r.dMIN = cpu_to_le32(p_srate);
+ else if (entity_id == USB_OUT_CLK_ID)
+- r.dMIN = c_srate;
++ r.dMIN = cpu_to_le32(c_srate);
+ else
+ return -EOPNOTSUPP;
+
+ r.dMAX = r.dMIN;
+ r.dRES = 0;
+- r.wNumSubRanges = 1;
++ r.wNumSubRanges = cpu_to_le16(1);
+
+ value = min_t(unsigned, w_length, sizeof r);
+ memcpy(req->buf, &r, value);
diff --git a/queue-4.14/usb-gadget-f_uac2-fix-error-handling-in-afunc_bind-again.patch b/queue-4.14/usb-gadget-f_uac2-fix-error-handling-in-afunc_bind-again.patch
new file mode 100644
index 00000000000..4d1ba72d300
--- /dev/null
+++ b/queue-4.14/usb-gadget-f_uac2-fix-error-handling-in-afunc_bind-again.patch
@@ -0,0 +1,225 @@ +From foo@baz Sun Aug 26 09:13:00 CEST 2018 +From: Eugeniu Rosca +Date: Thu, 21 Jun 2018 17:22:46 +0200 +Subject: usb: gadget: f_uac2: fix error handling in afunc_bind (again) + +From: Eugeniu Rosca + +[ Upstream commit e87581fe0509020f77ebf0b7c4c1c338c6a4bcf6 ] + +If usb_ep_autoconfig() fails (i.e. returns a null endpoint descriptor), +we expect afunc_bind() to fail (i.e. return a negative error code). + +However, due to v4.10-rc1 commit f1d3861d63a5 ("usb: gadget: f_uac2: fix +error handling at afunc_bind"), afunc_bind() returns zero, telling the +caller that it succeeded. This then generates NULL pointer dereference +in below scenario on Rcar H3-ES20-Salvator-X target: + +rcar-gen3:/home/root# modprobe g_audio +[ 626.521155] g_audio gadget: afunc_bind:565 Error! +[ 626.526319] g_audio gadget: Linux USB Audio Gadget, version: Feb 2, 2012 +[ 626.533405] g_audio gadget: g_audio ready +rcar-gen3:/home/root# +rcar-gen3:/home/root# modprobe -r g_audio +[ 728.256707] ================================================================== +[ 728.264293] BUG: KASAN: null-ptr-deref in u_audio_stop_capture+0x70/0x268 [u_audio] +[ 728.272244] Read of size 8 at addr 00000000000000a0 by task modprobe/2545 +[ 728.279309] +[ 728.280849] CPU: 0 PID: 2545 Comm: modprobe Tainted: G WC 4.14.47+ #152 +[ 728.288778] Hardware name: Renesas Salvator-X board based on r8a7795 ES2.0+ (DT) +[ 728.296454] Call trace: +[ 728.299151] [] dump_backtrace+0x0/0x364 +[ 728.304808] [] show_stack+0x14/0x1c +[ 728.310081] [] dump_stack+0x108/0x174 +[ 728.315522] [] kasan_report+0x1fc/0x354 +[ 728.321134] [] __asan_load8+0x24/0x94 +[ 728.326600] [] u_audio_stop_capture+0x70/0x268 [u_audio] +[ 728.333735] [] afunc_disable+0x44/0x60 [usb_f_uac2] +[ 728.340503] [] usb_remove_function+0x9c/0x210 [libcomposite] +[ 728.348060] [] remove_config.isra.2+0x1d8/0x218 [libcomposite] +[ 728.355788] [] __composite_unbind+0x104/0x1f8 [libcomposite] +[ 728.363339] [] composite_unbind+0x10/0x18 
[libcomposite] +[ 728.370536] [] usb_gadget_remove_driver+0xc0/0x170 [udc_core] +[ 728.378172] [] usb_gadget_unregister_driver+0x1cc/0x258 [udc_core] +[ 728.386274] [] usb_composite_unregister+0x10/0x18 [libcomposite] +[ 728.394116] [] audio_driver_exit+0x14/0x28 [g_audio] +[ 728.400878] [] SyS_delete_module+0x288/0x32c +[ 728.406935] Exception stack(0xffff8006cf6c7ec0 to 0xffff8006cf6c8000) +[ 728.413624] 7ec0: 0000000006136428 0000000000000800 0000000000000000 0000ffffd706efe8 +[ 728.421718] 7ee0: 0000ffffd706efe9 000000000000000a 1999999999999999 0000000000000000 +[ 728.429792] 7f00: 000000000000006a 000000000042c078 0000000000000000 0000000000000005 +[ 728.437870] 7f20: 0000000000000000 0000000000000000 0000000000000004 0000000000000000 +[ 728.445952] 7f40: 000000000042bfc8 0000ffffbc7c8f40 0000000000000000 00000000061363c0 +[ 728.454035] 7f60: 0000000006136428 0000000000000000 0000000000000000 0000000006136428 +[ 728.462114] 7f80: 000000000042c000 0000ffffd7071448 000000000042c000 0000000000000000 +[ 728.470190] 7fa0: 00000000061350c0 0000ffffd7070010 000000000041129c 0000ffffd7070010 +[ 728.478281] 7fc0: 0000ffffbc7c8f48 0000000060000000 0000000006136428 000000000000006a +[ 728.486351] 7fe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +[ 728.494434] [] el0_svc_naked+0x34/0x38 +[ 728.499957] ================================================================== +[ 728.507801] Unable to handle kernel NULL pointer dereference at virtual address 000000a0 +[ 728.517742] Mem abort info: +[ 728.520993] Exception class = DABT (current EL), IL = 32 bits +[ 728.527375] SET = 0, FnV = 0 +[ 728.530731] EA = 0, S1PTW = 0 +[ 728.534361] Data abort info: +[ 728.537650] ISV = 0, ISS = 0x00000006 +[ 728.541863] CM = 0, WnR = 0 +[ 728.545167] user pgtable: 4k pages, 48-bit VAs, pgd = ffff8006c6100000 +[ 728.552156] [00000000000000a0] *pgd=0000000716a8d003 +[ 728.557519] , *pud=00000007116fc003 +[ 728.561259] , *pmd=0000000000000000 +[ 728.564985] Internal 
error: Oops: 96000006 [#1] PREEMPT SMP +[ 728.570815] Modules linked in: +[ 728.574023] usb_f_uac2 +[ 728.576560] u_audio +[ 728.578827] g_audio(-) +[ 728.581361] libcomposite +[ 728.584071] configfs +[ 728.586428] aes_ce_blk +[ 728.588960] sata_rcar +[ 728.591421] crypto_simd +[ 728.594039] cryptd +[ 728.596217] libata +[ 728.598396] aes_ce_cipher +[ 728.601188] crc32_ce +[ 728.603542] ghash_ce +[ 728.605896] gf128mul +[ 728.608250] aes_arm64 +[ 728.610692] scsi_mod +[ 728.613046] sha2_ce +[ 728.615313] xhci_plat_hcd +[ 728.618106] sha256_arm64 +[ 728.620811] sha1_ce +[ 728.623077] renesas_usbhs +[ 728.625869] xhci_hcd +[ 728.628243] renesas_usb3 +[ 728.630948] sha1_generic +[ 728.633670] ravb_streaming(C) +[ 728.636814] udc_core +[ 728.639168] cpufreq_dt +[ 728.641697] rcar_gen3_thermal +[ 728.644840] usb_dmac +[ 728.647194] pwm_rcar +[ 728.649548] thermal_sys +[ 728.652165] virt_dma +[ 728.654519] mch_core(C) +[ 728.657137] pwm_bl +[ 728.659315] snd_soc_rcar +[ 728.662020] snd_aloop +[ 728.664462] snd_soc_generic_card +[ 728.667869] snd_soc_ak4613 +[ 728.670749] ipv6 +[ 728.672768] autofs4 +[ 728.675052] CPU: 0 PID: 2545 Comm: modprobe Tainted: G B WC 4.14.47+ #152 +[ 728.682973] Hardware name: Renesas Salvator-X board based on r8a7795 ES2.0+ (DT) +[ 728.690637] task: ffff8006ced38000 task.stack: ffff8006cf6c0000 +[ 728.696814] PC is at u_audio_stop_capture+0x70/0x268 [u_audio] +[ 728.702896] LR is at u_audio_stop_capture+0x70/0x268 [u_audio] +[ 728.708964] pc : [] lr : [] pstate: 60000145 +[ 728.716620] sp : ffff8006cf6c7a50 +[ 728.720154] x29: ffff8006cf6c7a50 +[ 728.723760] x28: ffff8006ced38000 +[ 728.727272] x27: ffff200008fd7000 +[ 728.730857] x26: ffff2000021d2340 +[ 728.734361] x25: 0000000000000000 +[ 728.737948] x24: ffff200009e94b08 +[ 728.741452] x23: 00000000000000a0 +[ 728.745052] x22: 00000000000000a8 +[ 728.748558] x21: 1ffff000d9ed8f7c +[ 728.752142] x20: ffff8006d671a800 +[ 728.755646] x19: 0000000000000000 +[ 728.759231] x18: 0000000000000000 
+[ 728.762736] x17: 0000ffffbc7c8f40 +[ 728.766320] x16: ffff200008213c4c +[ 728.769823] x15: 0000000000000000 +[ 728.773408] x14: 0720072007200720 +[ 728.776912] x13: 0720072007200720 +[ 728.780497] x12: ffffffffffffffff +[ 728.784001] x11: 0000000000000040 +[ 728.787598] x10: 0000000000001600 +[ 728.791103] x9 : ffff8006cf6c77a0 +[ 728.794689] x8 : ffff8006ced39660 +[ 728.798193] x7 : ffff20000811c738 +[ 728.801794] x6 : 0000000000000000 +[ 728.805299] x5 : dfff200000000000 +[ 728.808885] x4 : ffff8006ced38000 +[ 728.812390] x3 : ffff200008fb46e8 +[ 728.815976] x2 : 0000000000000007 +[ 728.819480] x1 : 3ba68643e7431500 +[ 728.823066] x0 : 0000000000000000 +[ 728.826574] Process modprobe (pid: 2545, stack limit = 0xffff8006cf6c0000) +[ 728.833704] Call trace: +[ 728.836292] Exception stack(0xffff8006cf6c7910 to 0xffff8006cf6c7a50) +[ 728.842987] 7900: 0000000000000000 3ba68643e7431500 +[ 728.851084] 7920: 0000000000000007 ffff200008fb46e8 ffff8006ced38000 dfff200000000000 +[ 728.859173] 7940: 0000000000000000 ffff20000811c738 ffff8006ced39660 ffff8006cf6c77a0 +[ 728.867248] 7960: 0000000000001600 0000000000000040 ffffffffffffffff 0720072007200720 +[ 728.875323] 7980: 0720072007200720 0000000000000000 ffff200008213c4c 0000ffffbc7c8f40 +[ 728.883412] 79a0: 0000000000000000 0000000000000000 ffff8006d671a800 1ffff000d9ed8f7c +[ 728.891485] 79c0: 00000000000000a8 00000000000000a0 ffff200009e94b08 0000000000000000 +[ 728.899561] 79e0: ffff2000021d2340 ffff200008fd7000 ffff8006ced38000 ffff8006cf6c7a50 +[ 728.907636] 7a00: ffff2000021e1618 ffff8006cf6c7a50 ffff2000021e1618 0000000060000145 +[ 728.915710] 7a20: 0000000000000008 0000000000000000 0000ffffffffffff 3ba68643e7431500 +[ 728.923780] 7a40: ffff8006cf6c7a50 ffff2000021e1618 +[ 728.928880] [] u_audio_stop_capture+0x70/0x268 [u_audio] +[ 728.936032] [] afunc_disable+0x44/0x60 [usb_f_uac2] +[ 728.942822] [] usb_remove_function+0x9c/0x210 [libcomposite] +[ 728.950385] [] remove_config.isra.2+0x1d8/0x218 [libcomposite] 
+[ 728.958134] [] __composite_unbind+0x104/0x1f8 [libcomposite] +[ 728.965689] [] composite_unbind+0x10/0x18 [libcomposite] +[ 728.972882] [] usb_gadget_remove_driver+0xc0/0x170 [udc_core] +[ 728.980522] [] usb_gadget_unregister_driver+0x1cc/0x258 [udc_core] +[ 728.988638] [] usb_composite_unregister+0x10/0x18 [libcomposite] +[ 728.996472] [] audio_driver_exit+0x14/0x28 [g_audio] +[ 729.003231] [] SyS_delete_module+0x288/0x32c +[ 729.009278] Exception stack(0xffff8006cf6c7ec0 to 0xffff8006cf6c8000) +[ 729.015946] 7ec0: 0000000006136428 0000000000000800 0000000000000000 0000ffffd706efe8 +[ 729.024022] 7ee0: 0000ffffd706efe9 000000000000000a 1999999999999999 0000000000000000 +[ 729.032099] 7f00: 000000000000006a 000000000042c078 0000000000000000 0000000000000005 +[ 729.040172] 7f20: 0000000000000000 0000000000000000 0000000000000004 0000000000000000 +[ 729.048263] 7f40: 000000000042bfc8 0000ffffbc7c8f40 0000000000000000 00000000061363c0 +[ 729.056337] 7f60: 0000000006136428 0000000000000000 0000000000000000 0000000006136428 +[ 729.064411] 7f80: 000000000042c000 0000ffffd7071448 000000000042c000 0000000000000000 +[ 729.072484] 7fa0: 00000000061350c0 0000ffffd7070010 000000000041129c 0000ffffd7070010 +[ 729.080563] 7fc0: 0000ffffbc7c8f48 0000000060000000 0000000006136428 000000000000006a +[ 729.088636] 7fe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +[ 729.096733] [] el0_svc_naked+0x34/0x38 +[ 729.102259] Code: 9597d1b3 aa1703e0 9102a276 958792b9 (f9405275) +[ 729.108617] ---[ end trace 7560c5fa3d100243 ]--- + +After this patch is applied, the issue is fixed: +rcar-gen3:/home/root# modprobe g_audio +[ 59.217127] g_audio gadget: afunc_bind:565 Error! 
+[ 59.222329] g_audio ee020000.usb: failed to start g_audio: -19 +modprobe: ERROR: could not insert 'g_audio': No such device +rcar-gen3:/home/root# modprobe -r g_audio +rcar-gen3:/home/root# + +Fixes: f1d3861d63a5 ("usb: gadget: f_uac2: fix error handling at afunc_bind") +Signed-off-by: Eugeniu Rosca +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_uac2.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/gadget/function/f_uac2.c ++++ b/drivers/usb/gadget/function/f_uac2.c +@@ -563,13 +563,13 @@ afunc_bind(struct usb_configuration *cfg + agdev->out_ep = usb_ep_autoconfig(gadget, &fs_epout_desc); + if (!agdev->out_ep) { + dev_err(dev, "%s:%d Error!\n", __func__, __LINE__); +- return ret; ++ return -ENODEV; + } + + agdev->in_ep = usb_ep_autoconfig(gadget, &fs_epin_desc); + if (!agdev->in_ep) { + dev_err(dev, "%s:%d Error!\n", __func__, __LINE__); +- return ret; ++ return -ENODEV; + } + + agdev->in_ep_maxpsize = max_t(u16, diff --git a/queue-4.14/usb-gadget-r8a66597-fix-a-possible-sleep-in-atomic-context-bugs-in-r8a66597_queue.patch b/queue-4.14/usb-gadget-r8a66597-fix-a-possible-sleep-in-atomic-context-bugs-in-r8a66597_queue.patch new file mode 100644 index 00000000000..2a38747c0eb --- /dev/null +++ b/queue-4.14/usb-gadget-r8a66597-fix-a-possible-sleep-in-atomic-context-bugs-in-r8a66597_queue.patch 
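Review bot: Both failure branches in afunc_bind() (drivers/usb/gadget/function/f_uac2.c) still log only `"%s:%d Error!\n"`, so the kernel log does not say which endpoint could not be configured, only a line number that shifts between releases. Since these are now the paths that make the bind fail with -ENODEV, a message naming the endpoint would make the failure diagnosable, e.g. `dev_err(dev, "%s: no OUT endpoint available\n", __func__);` and the matching IN variant. afunc_bind() starts and continues outside the hunk, so whether anything acquired earlier needs unwinding before these returns cannot be judged from here.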
@@ -0,0 +1,46 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Jia-Ju Bai
+Date: Wed, 20 Jun 2018 11:55:08 +0800
+Subject: usb: gadget: r8a66597: Fix a possible sleep-in-atomic-context bugs in r8a66597_queue()
+
+From: Jia-Ju Bai
+
+[ Upstream commit f36b507c14c4b6e634463a610294e9cb0065c8ea ]
+
+The driver may sleep in an interrupt handler.
+The function call path (from bottom to top) in Linux-4.16.7 is:
+
+[FUNC] r8a66597_queue(GFP_KERNEL)
+drivers/usb/gadget/udc/r8a66597-udc.c, 1193:
+ r8a66597_queue in get_status
+drivers/usb/gadget/udc/r8a66597-udc.c, 1301:
+ get_status in setup_packet
+drivers/usb/gadget/udc/r8a66597-udc.c, 1381:
+ setup_packet in irq_control_stage
+drivers/usb/gadget/udc/r8a66597-udc.c, 1508:
+ irq_control_stage in r8a66597_irq (interrupt handler)
+
+To fix this bug, GFP_KERNEL is replaced with GFP_ATOMIC.
+
+This bug is found by my static analysis tool (DSAC-2) and checked by
+my code review.
+
+Signed-off-by: Jia-Ju Bai
+Signed-off-by: Felipe Balbi
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/udc/r8a66597-udc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/udc/r8a66597-udc.c
++++ b/drivers/usb/gadget/udc/r8a66597-udc.c
+@@ -1193,7 +1193,7 @@ __acquires(r8a66597->lock)
+ r8a66597->ep0_req->length = 2;
+ /* AV: what happens if we get called again before that gets through? */
+ spin_unlock(&r8a66597->lock);
+- r8a66597_queue(r8a66597->gadget.ep0, r8a66597->ep0_req, GFP_KERNEL);
++ r8a66597_queue(r8a66597->gadget.ep0, r8a66597->ep0_req, GFP_ATOMIC);
+ spin_lock(&r8a66597->lock);
+ }
+
diff --git a/queue-4.14/usb-gadget-r8a66597-fix-two-possible-sleep-in-atomic-context-bugs-in-init_controller.patch b/queue-4.14/usb-gadget-r8a66597-fix-two-possible-sleep-in-atomic-context-bugs-in-init_controller.patch
new file mode 100644
index 00000000000..e863be4a1f3
--- /dev/null
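Review bot: The return value of `r8a66597_queue()` on the changed line in r8a66597-udc.c is still discarded, so a failure to queue the ep0 status reply goes unnoticed by the caller. If the callee allocates with the passed flags (not visible in this hunk), GFP_ATOMIC fails more readily than GFP_KERNEL did, which makes checking the result more relevant after this change than before it. The existing `/* AV: what happens if we get called again ... */` question about the window between `spin_unlock()` and `spin_lock()` also stays unanswered; a comment stating why re-entry is safe there, or what prevents it, would help. The enclosing function starts outside the hunk.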
+++ b/queue-4.14/usb-gadget-r8a66597-fix-two-possible-sleep-in-atomic-context-bugs-in-init_controller.patch
@@ -0,0 +1,57 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Jia-Ju Bai
+Date: Wed, 20 Jun 2018 11:54:53 +0800
+Subject: usb: gadget: r8a66597: Fix two possible sleep-in-atomic-context bugs in init_controller()
+
+From: Jia-Ju Bai
+
+[ Upstream commit 0602088b10a7c0b4e044a810678ef93d7cc5bf48 ]
+
+The driver may sleep with holding a spinlock.
+The function call paths (from bottom to top) in Linux-4.16.7 are:
+
+[FUNC] msleep
+drivers/usb/gadget/udc/r8a66597-udc.c, 839:
+ msleep in init_controller
+drivers/usb/gadget/udc/r8a66597-udc.c, 96:
+ init_controller in r8a66597_usb_disconnect
+drivers/usb/gadget/udc/r8a66597-udc.c, 93:
+ spin_lock in r8a66597_usb_disconnect
+
+[FUNC] msleep
+drivers/usb/gadget/udc/r8a66597-udc.c, 835:
+ msleep in init_controller
+drivers/usb/gadget/udc/r8a66597-udc.c, 96:
+ init_controller in r8a66597_usb_disconnect
+drivers/usb/gadget/udc/r8a66597-udc.c, 93:
+ spin_lock in r8a66597_usb_disconnect
+
+To fix these bugs, msleep() is replaced with mdelay().
+
+This bug is found by my static analysis tool (DSAC-2) and checked by
+my code review.
+
+Signed-off-by: Jia-Ju Bai
+Signed-off-by: Felipe Balbi
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/udc/r8a66597-udc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/udc/r8a66597-udc.c
++++ b/drivers/usb/gadget/udc/r8a66597-udc.c
+@@ -835,11 +835,11 @@ static void init_controller(struct r8a66
+
+ r8a66597_bset(r8a66597, XCKE, SYSCFG0);
+
+- msleep(3);
++ mdelay(3);
+
+ r8a66597_bset(r8a66597, PLLC, SYSCFG0);
+
+- msleep(1);
++ mdelay(1);
+
+ r8a66597_bset(r8a66597, SCKE, SYSCFG0);
+
diff --git a/queue-4.14/usb-gadget-u_audio-fix-pcm-card-naming-in-g_audio_setup.patch b/queue-4.14/usb-gadget-u_audio-fix-pcm-card-naming-in-g_audio_setup.patch
new file mode 100644
index 00000000000..cb7c85f5baf
--- /dev/null
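Review bot: `mdelay(3)` and `mdelay(1)` in init_controller() busy-wait for 4 ms in total, and on the path named in the commit message that happens with the spinlock taken in r8a66597_usb_disconnect() held. Nothing at the call sites records why a sleep is not allowed, so a later cleanup could turn them back into `msleep()`; a comment such as `/* may be called with the driver spinlock held (r8a66597_usb_disconnect), so busy-wait */` above the first delay would prevent that. If init_controller() also has callers in sleepable context, which this hunk does not show, calling it outside the locked region on the disconnect path would avoid the busy-wait altogether. The function continues outside the hunk.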
+++ b/queue-4.14/usb-gadget-u_audio-fix-pcm-card-naming-in-g_audio_setup.patch 
@@ -0,0 +1,49 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Eugeniu Rosca
+Date: Thu, 21 Jun 2018 17:22:47 +0200
+Subject: usb: gadget: u_audio: fix pcm/card naming in g_audio_setup()
+
+From: Eugeniu Rosca
+
+[ Upstream commit dfa042fa310caa475667b8c38d852f14439e0b01 ]
+
+Fix below smatch (v0.5.0-4443-g69e9094e11c1) warnings:
+drivers/usb/gadget/function/u_audio.c:607 g_audio_setup() warn: strcpy() 'pcm_name' of unknown size might be too large for 'pcm->name'
+drivers/usb/gadget/function/u_audio.c:614 g_audio_setup() warn: strcpy() 'card_name' of unknown size might be too large for 'card->driver'
+drivers/usb/gadget/function/u_audio.c:615 g_audio_setup() warn: strcpy() 'card_name' of unknown size might be too large for 'card->shortname'
+
+Below commits performed a similar 's/strcpy/strlcpy/' rework:
+* v2.6.31 commit 8372d4980fbc ("ALSA: ctxfi - Fix PCM device naming")
+* v4.14 commit 003d3e70dbeb ("ALSA: ad1848: fix format string overflow warning")
+* v4.14 commit 6d8b04de87e1 ("ALSA: cs423x: fix format string overflow warning")
+
+Fixes: eb9fecb9e69b ("usb: gadget: f_uac2: split out audio core")
+Signed-off-by: Eugeniu Rosca
+Signed-off-by: Felipe Balbi
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/function/u_audio.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/gadget/function/u_audio.c
++++ b/drivers/usb/gadget/function/u_audio.c
+@@ -604,15 +604,15 @@ int g_audio_setup(struct g_audio *g_audi
+ if (err < 0)
+ goto snd_fail;
+
+- strcpy(pcm->name, pcm_name);
++ strlcpy(pcm->name, pcm_name, sizeof(pcm->name));
+ pcm->private_data = uac;
+ uac->pcm = pcm;
+
+ snd_pcm_set_ops(pcm, SNDRV_PCM_STREAM_PLAYBACK, &uac_pcm_ops);
+ snd_pcm_set_ops(pcm, SNDRV_PCM_STREAM_CAPTURE, &uac_pcm_ops);
+
+- strcpy(card->driver, card_name);
+- strcpy(card->shortname, card_name);
++ strlcpy(card->driver, card_name, sizeof(card->driver));
++ strlcpy(card->shortname, card_name, sizeof(card->shortname));
+ sprintf(card->longname, "%s %i", card_name, card->dev->id);
+
+ snd_pcm_lib_preallocate_pages_for_all(pcm, SNDRV_DMA_TYPE_CONTINUOUS,
diff --git a/queue-4.14/usb-gadget-u_audio-protect-stream-runtime-fields-with-stream-spinlock.patch b/queue-4.14/usb-gadget-u_audio-protect-stream-runtime-fields-with-stream-spinlock.patch
new file mode 100644
index 00000000000..51cf7169841
--- /dev/null
+++ b/queue-4.14/usb-gadget-u_audio-protect-stream-runtime-fields-with-stream-spinlock.patch
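Review bot: The context line `sprintf(card->longname, "%s %i", card_name, card->dev->id);` directly after the converted calls in g_audio_setup() is still unbounded, so the overflow class the smatch warnings describe remains for `card->longname` with the same `card_name` input. It should be bounded like its neighbours: `snprintf(card->longname, sizeof(card->longname), "%s %i", card_name, card->dev->id);`. `strlcpy()` truncates silently, so if a shortened card or PCM name matters to userspace, its return value can be compared with the destination size and logged. g_audio_setup() starts and ends outside the hunk.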
@@ -0,0 +1,200 @@ +From foo@baz Sun Aug 26 09:13:00 CEST 2018 +From: Vladimir Zapolskiy +Date: Thu, 21 Jun 2018 17:22:52 +0200 +Subject: usb: gadget: u_audio: protect stream runtime fields with stream spinlock + +From: Vladimir Zapolskiy + +[ Upstream commit 56bc61587daadef67712068f251c4ef2e3932d94 ] + +The change protects almost the whole body of u_audio_iso_complete() +function by PCM stream lock, this is mainly sufficient to avoid a race +between USB request completion and stream termination, the change +prevents a possibility of invalid memory access in interrupt context +by memcpy(): + + Unable to handle kernel paging request at virtual address 00004e80 + pgd = c0004000 + [00004e80] *pgd=00000000 + Internal error: Oops: 817 [#1] PREEMPT SMP ARM + CPU: 0 PID: 3 Comm: ksoftirqd/0 Tainted: G C 3.14.54+ #117 + task: da180b80 ti: da192000 task.ti: da192000 + PC is at memcpy+0x50/0x330 + LR is at 0xcdd92b0e + pc : [] lr : [] psr: 20000193 + sp : da193ce4 ip : dd86ae26 fp : 0000b180 + r10: daf81680 r9 : 00000000 r8 : d58a01ea + r7 : 2c0b43e4 r6 : acdfb08b r5 : 01a271cf r4 : 87389377 + r3 : 69469782 r2 : 00000020 r1 : daf82fe0 r0 : 00004e80 + Flags: nzCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment kernel + Control: 10c5387d Table: 2b70804a DAC: 00000015 + Process ksoftirqd/0 (pid: 3, stack limit = 0xda192238) + +Also added a check for potential !runtime condition, commonly it is +done by PCM_RUNTIME_CHECK(substream) in the beginning, however this +does not completely prevent from oopses in u_audio_iso_complete(), +because the proper protection scheme must be implemented in PCM +library functions. 
+ +An example of *not fixed* oops due to substream->runtime->* +dereference by snd_pcm_running(substream) from +snd_pcm_period_elapsed(), where substream->runtime is gone while +waiting the substream lock: + + Unable to handle kernel paging request at virtual address 6b6b6b6b + pgd = db7e4000 + [6b6b6b6b] *pgd=00000000 + CPU: 0 PID: 193 Comm: klogd Tainted: G C 3.14.54+ #118 + task: db5ac500 ti: db60c000 task.ti: db60c000 + PC is at snd_pcm_period_elapsed+0x48/0xd8 [snd_pcm] + LR is at snd_pcm_period_elapsed+0x40/0xd8 [snd_pcm] + pc : [<>] lr : [<>] psr: 60000193 + Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user + Control: 10c5387d Table: 2b7e404a DAC: 00000015 + Process klogd (pid: 193, stack limit = 0xdb60c238) + [<>] (snd_pcm_period_elapsed [snd_pcm]) from [<>] (udc_irq+0x500/0xbbc) + [<>] (udc_irq) from [<>] (ci_irq+0x280/0x304) + [<>] (ci_irq) from [<>] (handle_irq_event_percpu+0xa4/0x40c) + [<>] (handle_irq_event_percpu) from [<>] (handle_irq_event+0x3c/0x5c) + [<>] (handle_irq_event) from [<>] (handle_fasteoi_irq+0xc4/0x110) + [<>] (handle_fasteoi_irq) from [<>] (generic_handle_irq+0x20/0x30) + [<>] (generic_handle_irq) from [<>] (handle_IRQ+0x80/0xc0) + [<>] (handle_IRQ) from [<>] (gic_handle_irq+0x3c/0x60) + [<>] (gic_handle_irq) from [<>] (__irq_svc+0x44/0x78) + +Signed-off-by: Vladimir Zapolskiy +[erosca: W/o this patch, with minimal instrumentation [1], I can + consistently reproduce BUG: KASAN: use-after-free [2]] + +[1] Instrumentation to reproduce issue [2]: + diff --git a/drivers/usb/gadget/function/u_audio.c b/drivers/usb/gadget/function/u_audio.c + index a72295c953bb..bd0b308024fe 100644 + --- a/drivers/usb/gadget/function/u_audio.c + +++ b/drivers/usb/gadget/function/u_audio.c + @@ -16,6 +16,7 @@ + #include + #include + #include + +#include + + #include "u_audio.h" + + 
@@ -147,6 +148,8 @@ static void u_audio_iso_complete(struct usb_ep *ep, struct usb_request *req) + + spin_unlock_irqrestore(&prm->lock, flags); + + + udelay(500); //delay here to increase probability of parallel activities + + + /* Pack USB load in ALSA ring buffer */ + pending = prm->dma_bytes - hw_ptr; + +[2] After applying [1], below BUG occurs on Rcar-H3-Salvator-X board: +================================================================== +BUG: KASAN: use-after-free in u_audio_iso_complete+0x24c/0x520 [u_audio] +Read of size 8 at addr ffff8006cafcc248 by task swapper/0/0 + +CPU: 0 PID: 0 Comm: swapper/0 Tainted: G WC 4.14.47+ #160 +Hardware name: Renesas Salvator-X board based on r8a7795 ES2.0+ (DT) +Call trace: +[] dump_backtrace+0x0/0x364 +[] show_stack+0x14/0x1c +[] dump_stack+0x108/0x174 +[] print_address_description+0x7c/0x32c +[] kasan_report+0x324/0x354 +[] __asan_load8+0x24/0x94 +[] u_audio_iso_complete+0x24c/0x520 [u_audio] +[] usb_gadget_giveback_request+0x480/0x4d0 [udc_core] +[] usbhsg_queue_done+0x100/0x130 [renesas_usbhs] +[] usbhsf_pkt_handler+0x1a4/0x298 [renesas_usbhs] +[] usbhsf_irq_ready+0x128/0x178 [renesas_usbhs] +[] usbhs_interrupt+0x440/0x490 [renesas_usbhs] +[] __handle_irq_event_percpu+0x594/0xa58 +[] handle_irq_event_percpu+0x84/0x12c +[] handle_irq_event+0xb0/0x10c +[] handle_fasteoi_irq+0x1e0/0x2ec +[] generic_handle_irq+0x2c/0x44 +[] __handle_domain_irq+0x190/0x194 +[] gic_handle_irq+0x80/0xac +Exception stack(0xffff200009e97c80 to 0xffff200009e97dc0) +7c80: 0000000000000000 0000000000000000 0000000000000003 ffff200008179298 +7ca0: ffff20000ae1c180 dfff200000000000 0000000000000000 ffff2000081f9a88 +7cc0: ffff200009eb5960 ffff200009e97cf0 0000000000001600 ffff0400041b064b +7ce0: 0000000000000000 0000000000000002 0000000200000001 0000000000000001 +7d00: ffff20000842197c 0000ffff958c4970 0000000000000000 ffff8006da0d5b80 +7d20: ffff8006d4678498 0000000000000000 000000126bde0a8b ffff8006d4678480 +7d40: 0000000000000000 000000126bdbea64 
ffff200008fd0000 ffff8006fffff980 +7d60: 00000000495f0018 ffff200009e97dc0 ffff200008b6c4ec ffff200009e97dc0 +7d80: ffff200008b6c4f0 0000000020000145 ffff8006da0d5b80 ffff8006d4678498 +7da0: ffffffffffffffff ffff8006d4678498 ffff200009e97dc0 ffff200008b6c4f0 +[] el1_irq+0xb4/0x12c +[] cpuidle_enter_state+0x818/0x844 +[] cpuidle_enter+0x18/0x20 +[] call_cpuidle+0x98/0x9c +[] do_idle+0x214/0x264 +[] cpu_startup_entry+0x20/0x24 +[] rest_init+0x30c/0x320 +[] start_kernel+0x570/0x5b0 +---<-snip->--- + +Fixes: 132fcb460839 ("usb: gadget: Add Audio Class 2.0 Driver") +Signed-off-by: Eugeniu Rosca + +Signed-off-by: Felipe Balbi + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/u_audio.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +--- a/drivers/usb/gadget/function/u_audio.c ++++ b/drivers/usb/gadget/function/u_audio.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + + #include "u_audio.h" + +@@ -88,7 +89,7 @@ static const struct snd_pcm_hardware uac + static void u_audio_iso_complete(struct usb_ep *ep, struct usb_request *req) + { + unsigned pending; +- unsigned long flags; ++ unsigned long flags, flags2; + unsigned int hw_ptr; + int status = req->status; + struct uac_req *ur = req->context; +@@ -115,7 +116,14 @@ static void u_audio_iso_complete(struct + if (!substream) + goto exit; + ++ snd_pcm_stream_lock_irqsave(substream, flags2); ++ + runtime = substream->runtime; ++ if (!runtime || !snd_pcm_running(substream)) { ++ snd_pcm_stream_unlock_irqrestore(substream, flags2); ++ goto exit; ++ } ++ + spin_lock_irqsave(&prm->lock, flags); + + if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) { +@@ -146,6 +154,8 @@ static void u_audio_iso_complete(struct + + spin_unlock_irqrestore(&prm->lock, flags); + ++ udelay(500); //delay here to increase probability of parallel activities ++ + /* Pack USB load in ALSA ring buffer */ + pending = runtime->dma_bytes - hw_ptr; + +@@ -174,6 +184,7 @@ 
static void u_audio_iso_complete(struct
+ prm->hw_ptr = (hw_ptr + req->actual) % runtime->dma_bytes;
+ hw_ptr = prm->hw_ptr;
+ spin_unlock_irqrestore(&prm->lock, flags);
++ snd_pcm_stream_unlock_irqrestore(substream, flags2);
+
+ if ((hw_ptr % snd_pcm_lib_period_bytes(substream)) < req->actual)
+ snd_pcm_period_elapsed(substream);
diff --git a/queue-4.14/usb-gadget-u_audio-remove-cached-period-bytes-value.patch b/queue-4.14/usb-gadget-u_audio-remove-cached-period-bytes-value.patch
new file mode 100644
index 00000000000..01c4b0db37a
--- /dev/null
+++ b/queue-4.14/usb-gadget-u_audio-remove-cached-period-bytes-value.patch
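Review bot: The critical section that this hunk closes with `snd_pcm_stream_unlock_irqrestore(substream, flags2)` still contains the `udelay(500); //delay here to increase probability of parallel activities` line added in the `@@ -146,6 +154,8 @@` hunk, which matches the reproduction snippet [1] quoted in the commit message rather than the fix itself. As written, every ISO completion busy-waits 500 µs with interrupts disabled and the PCM stream lock held, so the `udelay(500);` line and the `#include` that the first hunk adds (presumably only for it) should be dropped from this backport; the diffstat of 12 insertions counts both. `u_audio_iso_complete()` continues outside the hunks, so it is also worth confirming that no other `goto exit` between the lock and this unlock leaves the stream lock held.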
@@ -0,0 +1,114 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Vladimir Zapolskiy
+Date: Thu, 21 Jun 2018 17:22:50 +0200
+Subject: usb: gadget: u_audio: remove cached period bytes value
+
+From: Vladimir Zapolskiy
+
+[ Upstream commit 773e53d50e227b0c03d0bb434c1636f6c49c75b2 ]
+
+Substream period size potentially can be changed in runtime, however
+this is not accounted in the data copying routine, the change replaces
+the cached value with an actual value from substream runtime.
+
+As a side effect the change also removes a potential division by zero
+in u_audio_iso_complete() function, if there is a race with
+uac_pcm_hw_free(), which sets prm->period_size to 0.
+
+Fixes: 132fcb460839 ("usb: gadget: Add Audio Class 2.0 Driver")
+Signed-off-by: Vladimir Zapolskiy
+Signed-off-by: Eugeniu Rosca
+Signed-off-by: Felipe Balbi
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/function/u_audio.c | 40 ++++------------------------------
+ 1 file changed, 5 insertions(+), 35 deletions(-)
+
+--- a/drivers/usb/gadget/function/u_audio.c
++++ b/drivers/usb/gadget/function/u_audio.c
+@@ -49,8 +49,6 @@ struct uac_rtd_params {
+
+ void *rbuf;
+
+- size_t period_size;
+-
+ unsigned max_psize; /* MaxPacketSize of endpoint */
+ struct uac_req *ureq;
+
+@@ -92,7 +90,6 @@ static void u_audio_iso_complete(struct
+ unsigned pending;
+ unsigned long flags;
+ unsigned int hw_ptr;
+- bool update_alsa = false;
+ int status = req->status;
+ struct uac_req *ur = req->context;
+ struct snd_pcm_substream *substream;
+@@ -145,11 +142,6 @@ static void u_audio_iso_complete(struct
+ req->actual = req->length;
+ }
+
+- pending = prm->hw_ptr % prm->period_size;
+- pending += req->actual;
+- if (pending >= prm->period_size)
+- update_alsa = true;
+-
+ hw_ptr = prm->hw_ptr;
+
+ spin_unlock_irqrestore(&prm->lock, flags);
+@@ -180,14 +172,15 @@ static void u_audio_iso_complete(struct
+ spin_lock_irqsave(&prm->lock, flags);
+ /* update hw_ptr after data is
copied to memory */
+ prm->hw_ptr = (hw_ptr + req->actual) % runtime->dma_bytes;
++ hw_ptr = prm->hw_ptr;
+ spin_unlock_irqrestore(&prm->lock, flags);
+
++ if ((hw_ptr % snd_pcm_lib_period_bytes(substream)) < req->actual)
++ snd_pcm_period_elapsed(substream);
++
+ exit:
+ if (usb_ep_queue(ep, req, GFP_ATOMIC))
+ dev_err(uac->card->dev, "%d Error!\n", __LINE__);
+-
+- if (update_alsa)
+- snd_pcm_period_elapsed(substream);
+ }
+
+ static int uac_pcm_trigger(struct snd_pcm_substream *substream, int cmd)
+@@ -250,35 +243,12 @@ static snd_pcm_uframes_t uac_pcm_pointer
+ static int uac_pcm_hw_params(struct snd_pcm_substream *substream,
+ struct snd_pcm_hw_params *hw_params)
+ {
+- struct snd_uac_chip *uac = snd_pcm_substream_chip(substream);
+- struct uac_rtd_params *prm;
+- int err;
+-
+- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
+- prm = &uac->p_prm;
+- else
+- prm = &uac->c_prm;
+-
+- err = snd_pcm_lib_malloc_pages(substream,
++ return snd_pcm_lib_malloc_pages(substream,
+ params_buffer_bytes(hw_params));
+- if (err >= 0)
+- prm->period_size = params_period_bytes(hw_params);
+-
+- return err;
+ }
+
+ static int uac_pcm_hw_free(struct snd_pcm_substream *substream)
+ {
+- struct snd_uac_chip *uac = snd_pcm_substream_chip(substream);
+- struct uac_rtd_params *prm;
+-
+- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
+- prm = &uac->p_prm;
+- else
+- prm = &uac->c_prm;
+-
+- prm->period_size = 0;
+-
+ return snd_pcm_lib_free_pages(substream);
+ }
+
diff --git a/queue-4.14/usb-gadget-u_audio-remove-caching-of-stream-buffer-parameters.patch b/queue-4.14/usb-gadget-u_audio-remove-caching-of-stream-buffer-parameters.patch
new file mode 100644
index 00000000000..9ae8ad70c8f
--- /dev/null
+++ b/queue-4.14/usb-gadget-u_audio-remove-caching-of-stream-buffer-parameters.patch
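Review bot: The new period check `hw_ptr % snd_pcm_lib_period_bytes(substream)` runs after `prm->lock` has been dropped, and nothing in this hunk guards against the divisor being zero or the runtime changing while the completion handler runs. The commit message names the race with `uac_pcm_hw_free()` as the motivation, so the remaining window deserves at least a comment; the same unguarded use applies to `% runtime->dma_bytes` and the `runtime->dma_area` copies introduced by the remove-caching patch that follows on this page. The stream-lock patch earlier in this queue adds `if (!runtime || !snd_pcm_running(substream))` under `snd_pcm_stream_lock_irqsave()`, so these patches should only be applied together. The body of `u_audio_iso_complete()` extends beyond the hunk.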
@@ -0,0 +1,115 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Vladimir Zapolskiy
+Date: Thu, 21 Jun 2018 17:22:49 +0200
+Subject: usb: gadget: u_audio: remove caching of stream buffer parameters
+
+From: Vladimir Zapolskiy
+
+[ Upstream commit 96afb54ece0ee903d23a7ac04ddc461413b972c4 ]
+
+There is no necessity to copy PCM stream ring buffer area and size
+properties to UAC private data structure, these values can be got
+from substream itself.
+
+The change gives more control on substream and avoid stale caching.
+
+Fixes: 132fcb460839 ("usb: gadget: Add Audio Class 2.0 Driver")
+Signed-off-by: Vladimir Zapolskiy
+Signed-off-by: Eugeniu Rosca
+Signed-off-by: Felipe Balbi
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/function/u_audio.c | 30 +++++++++++++-----------------
+ 1 file changed, 13 insertions(+), 17 deletions(-)
+
+--- a/drivers/usb/gadget/function/u_audio.c
++++ b/drivers/usb/gadget/function/u_audio.c
+@@ -41,9 +41,6 @@ struct uac_req {
+ struct uac_rtd_params {
+ struct snd_uac_chip *uac; /* parent chip */
+ bool ep_enabled; /* if the ep is enabled */
+- /* Size of the ring buffer */
+- size_t dma_bytes;
+- unsigned char *dma_area;
+
+ struct snd_pcm_substream *ss;
+
+@@ -99,6 +96,7 @@ static void u_audio_iso_complete(struct
+ int status = req->status;
+ struct uac_req *ur = req->context;
+ struct snd_pcm_substream *substream;
++ struct snd_pcm_runtime *runtime;
+ struct uac_rtd_params *prm = ur->pp;
+ struct snd_uac_chip *uac = prm->uac;
+
+@@ -120,6 +118,7 @@ static void u_audio_iso_complete(struct
+ if (!substream)
+ goto exit;
+
++ runtime = substream->runtime;
+ spin_lock_irqsave(&prm->lock, flags);
+
+ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) {
+@@ -156,29 +155,31 @@ static void u_audio_iso_complete(struct
+ spin_unlock_irqrestore(&prm->lock, flags);
+
+ /* Pack USB load in ALSA ring buffer */
+- pending = prm->dma_bytes - hw_ptr;
++ pending = runtime->dma_bytes - hw_ptr;
+
+ if
(substream->stream == SNDRV_PCM_STREAM_PLAYBACK) {
+ if (unlikely(pending < req->actual)) {
+- memcpy(req->buf, prm->dma_area + hw_ptr, pending);
+- memcpy(req->buf + pending, prm->dma_area,
+- req->actual - pending);
++ memcpy(req->buf, runtime->dma_area + hw_ptr, pending);
++ memcpy(req->buf + pending, runtime->dma_area,
++ req->actual - pending);
+ } else {
+- memcpy(req->buf, prm->dma_area + hw_ptr, req->actual);
++ memcpy(req->buf, runtime->dma_area + hw_ptr,
++ req->actual);
+ }
+ } else {
+ if (unlikely(pending < req->actual)) {
+- memcpy(prm->dma_area + hw_ptr, req->buf, pending);
+- memcpy(prm->dma_area, req->buf + pending,
+- req->actual - pending);
++ memcpy(runtime->dma_area + hw_ptr, req->buf, pending);
++ memcpy(runtime->dma_area, req->buf + pending,
++ req->actual - pending);
+ } else {
+- memcpy(prm->dma_area + hw_ptr, req->buf, req->actual);
++ memcpy(runtime->dma_area + hw_ptr, req->buf,
++ req->actual);
+ }
+ }
+
+ spin_lock_irqsave(&prm->lock, flags);
+ /* update hw_ptr after data is copied to memory */
+- prm->hw_ptr = (hw_ptr + req->actual) % prm->dma_bytes;
++ prm->hw_ptr = (hw_ptr + req->actual) % runtime->dma_bytes;
+ spin_unlock_irqrestore(&prm->lock, flags);
+
+ exit:
+@@ -260,11 +261,8 @@ static int uac_pcm_hw_params(struct snd_
+
+ err = snd_pcm_lib_malloc_pages(substream,
+ params_buffer_bytes(hw_params));
+- if (err >= 0) {
+- prm->dma_bytes = substream->runtime->dma_bytes;
+- prm->dma_area = substream->runtime->dma_area;
++ if (err >= 0)
+ prm->period_size = params_period_bytes(hw_params);
+- }
+
+ return err;
+ }
+@@ -279,8 +277,6 @@ static int uac_pcm_hw_free(struct snd_pc
+ else
+ prm = &uac->c_prm;
+
+- prm->dma_area = NULL;
+- prm->dma_bytes = 0;
+ prm->period_size = 0;
+
+ return snd_pcm_lib_free_pages(substream);
diff --git a/queue-4.14/usb-gadget-u_audio-update-hw_ptr-in-iso_complete-after-data-copied.patch b/queue-4.14/usb-gadget-u_audio-update-hw_ptr-in-iso_complete-after-data-copied.patch
new file mode 100644
index 00000000000..4f8e5e9cec0
--- /dev/null
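Review bot: `pending = runtime->dma_bytes - hw_ptr;` is an unsigned subtraction between a size that is now read live from the runtime and an offset cached in `prm->hw_ptr`, and the hunk shows no check that `hw_ptr` is below the current `dma_bytes` or that `req->actual` fits in the ring. If the buffer can be reallocated smaller between completions (not visible here), `pending` wraps and the `memcpy()` calls index past `runtime->dma_area`. A guard such as `if (hw_ptr >= runtime->dma_bytes || req->actual > runtime->dma_bytes) goto exit;` before the copy, or a comment stating where those invariants are enforced, would make the assumption explicit. The function body starts and ends outside this hunk.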
+++ b/queue-4.14/usb-gadget-u_audio-update-hw_ptr-in-iso_complete-after-data-copied.patch
@@ -0,0 +1,48 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Joshua Frkuska
+Date: Thu, 21 Jun 2018 17:22:48 +0200
+Subject: usb: gadget: u_audio: update hw_ptr in iso_complete after data copied
+
+From: Joshua Frkuska
+
+[ Upstream commit 6b37bd78d30c890e575a1bda22978d1d2a233362 ]
+
+In u_audio_iso_complete, the runtime hw_ptr is updated before the
+data is actually copied over to/from the buffer/dma area. When
+ALSA uses this hw_ptr, the data may not actually be available to
+be used. This causes trash/stale audio to play/record. This
+patch updates the hw_ptr after the data has been copied to avoid
+this.
+
+Fixes: 132fcb460839 ("usb: gadget: Add Audio Class 2.0 Driver")
+Signed-off-by: Joshua Frkuska
+Signed-off-by: Eugeniu Rosca
+Signed-off-by: Felipe Balbi
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/function/u_audio.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/function/u_audio.c
++++ b/drivers/usb/gadget/function/u_audio.c
+@@ -152,7 +152,6 @@ static void u_audio_iso_complete(struct
+ update_alsa = true;
+
+ hw_ptr = prm->hw_ptr;
+- prm->hw_ptr = (prm->hw_ptr + req->actual) % prm->dma_bytes;
+
+ spin_unlock_irqrestore(&prm->lock, flags);
+
+@@ -177,6 +176,11 @@ static void u_audio_iso_complete(struct
+ }
+ }
+
++ spin_lock_irqsave(&prm->lock, flags);
++ /* update hw_ptr after data is copied to memory */
++ prm->hw_ptr = (hw_ptr + req->actual) % prm->dma_bytes;
++ spin_unlock_irqrestore(&prm->lock, flags);
++
+ exit:
+ if (usb_ep_queue(ep, req, GFP_ATOMIC))
+ dev_err(uac->card->dev, "%d Error!\n", __LINE__);
diff --git a/queue-4.14/usb-phy-fix-ppc64-build-errors-in-phy-fsl-usb.c.patch b/queue-4.14/usb-phy-fix-ppc64-build-errors-in-phy-fsl-usb.c.patch
new file mode 100644
index 00000000000..cc7473eed6c
--- /dev/null
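Review bot: The write-back `prm->hw_ptr = (hw_ptr + req->actual) % prm->dma_bytes;` uses the local `hw_ptr` snapshot taken before `prm->lock` was released for the copy, so anything that changes `prm->hw_ptr` in that window (a second completion, or a reset from another path not visible here) is silently overwritten. If completions for this endpoint are serialised by the UDC that is fine, but the assumption should be written next to the new block, e.g. `/* completions are serialised per endpoint; hw_ptr snapshot is still current */`. `u_audio_iso_complete()` extends beyond both hunks.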
+++ b/queue-4.14/usb-phy-fix-ppc64-build-errors-in-phy-fsl-usb.c.patch 
@@ -0,0 +1,71 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Randy Dunlap
+Date: Sun, 15 Jul 2018 10:37:37 -0700
+Subject: usb/phy: fix PPC64 build errors in phy-fsl-usb.c
+
+From: Randy Dunlap
+
+[ Upstream commit a39ba90a1cc7010edb0a7132e1b67f3d80b994e9 ]
+
+Fix build errors when built for PPC64:
+These variables are only used on PPC32 so they don't need to be
+initialized for PPC64.
+
+../drivers/usb/phy/phy-fsl-usb.c: In function 'usb_otg_start':
+../drivers/usb/phy/phy-fsl-usb.c:865:3: error: '_fsl_readl' undeclared (first use in this function); did you mean 'fsl_readl'?
+ _fsl_readl = _fsl_readl_be;
+../drivers/usb/phy/phy-fsl-usb.c:865:16: error: '_fsl_readl_be' undeclared (first use in this function); did you mean 'fsl_readl'?
+ _fsl_readl = _fsl_readl_be;
+../drivers/usb/phy/phy-fsl-usb.c:866:3: error: '_fsl_writel' undeclared (first use in this function); did you mean 'fsl_writel'?
+ _fsl_writel = _fsl_writel_be;
+../drivers/usb/phy/phy-fsl-usb.c:866:17: error: '_fsl_writel_be' undeclared (first use in this function); did you mean 'fsl_writel'?
+ _fsl_writel = _fsl_writel_be;
+../drivers/usb/phy/phy-fsl-usb.c:868:16: error: '_fsl_readl_le' undeclared (first use in this function); did you mean 'fsl_readl'?
+ _fsl_readl = _fsl_readl_le;
+../drivers/usb/phy/phy-fsl-usb.c:869:17: error: '_fsl_writel_le' undeclared (first use in this function); did you mean 'fsl_writel'?
+ _fsl_writel = _fsl_writel_le;
+
+and the sysfs "show" function return type should be ssize_t, not int:
+
+../drivers/usb/phy/phy-fsl-usb.c:1042:49: error: initialization of 'ssize_t (*)(struct device *, struct device_attribute *, char *)' {aka 'long int (*)(struct device *, struct device_attribute *, char *)'} from incompatible pointer type 'int (*)(struct device *, struct device_attribute *, char *)' [-Werror=incompatible-pointer-types]
+ static DEVICE_ATTR(fsl_usb2_otg_state, S_IRUGO, show_fsl_usb2_otg_state, NULL);
+
+Signed-off-by: Randy Dunlap
+Cc: Felipe Balbi
+Cc: linux-usb@vger.kernel.org
+Cc: Michael Ellerman
+Cc: linuxppc-dev@lists.ozlabs.org
+Signed-off-by: Felipe Balbi
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/phy/phy-fsl-usb.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/phy/phy-fsl-usb.c
++++ b/drivers/usb/phy/phy-fsl-usb.c
+@@ -874,6 +874,7 @@ int usb_otg_start(struct platform_device
+ if (pdata->init && pdata->init(pdev) != 0)
+ return -EINVAL;
+
++#ifdef CONFIG_PPC32
+ if (pdata->big_endian_mmio) {
+ _fsl_readl = _fsl_readl_be;
+ _fsl_writel = _fsl_writel_be;
+@@ -881,6 +882,7 @@ int usb_otg_start(struct platform_device
+ _fsl_readl = _fsl_readl_le;
+ _fsl_writel = _fsl_writel_le;
+ }
++#endif
+
+ /* request irq */
+ p_otg->irq = platform_get_irq(pdev, 0);
+@@ -971,7 +973,7 @@ int usb_otg_start(struct platform_device
+ /*
+ * state file in sysfs
+ */
+-static int show_fsl_usb2_otg_state(struct device *dev,
++static ssize_t show_fsl_usb2_otg_state(struct device *dev,
+ struct device_attribute *attr, char *buf)
+ {
+ struct otg_fsm *fsm = &fsl_otg_dev->fsm;
diff --git a/queue-4.14/vti6-fix-pmtu-caching-and-reporting-on-xmit.patch b/queue-4.14/vti6-fix-pmtu-caching-and-reporting-on-xmit.patch
new file mode 100644
index 00000000000..58ca5bd9da2
--- /dev/null
+++ b/queue-4.14/vti6-fix-pmtu-caching-and-reporting-on-xmit.patch
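Review bot: The bare `#endif` added in the second hunk closes an `#ifdef CONFIG_PPC32` opened in a different hunk, and nothing in the code says why the accessor selection is PPC32-only; the reason exists only in the commit message. Suggest `#endif /* CONFIG_PPC32 */` plus a one-line comment above the `#ifdef` such as `/* _fsl_readl/_fsl_writel are only declared on PPC32 */`. With the block compiled out, `pdata->big_endian_mmio` is ignored on other builds, which looks intended but is worth confirming against the accessor definitions outside these hunks.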
@@ -0,0 +1,55 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Eyal Birger
+Date: Thu, 7 Jun 2018 10:11:02 +0300
+Subject: vti6: fix PMTU caching and reporting on xmit
+
+From: Eyal Birger
+
+[ Upstream commit d6990976af7c5d8f55903bfb4289b6fb030bf754 ]
+
+When setting the skb->dst before doing the MTU check, the route PMTU
+caching and reporting is done on the new dst which is about to be
+released.
+
+Instead, PMTU handling should be done using the original dst.
+
+This is aligned with IPv4 VTI.
+
+Fixes: ccd740cbc6 ("vti6: Add pmtu handling to vti6_xmit.")
+Signed-off-by: Eyal Birger
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/ip6_vti.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/net/ipv6/ip6_vti.c
++++ b/net/ipv6/ip6_vti.c
+@@ -480,10 +480,6 @@ vti6_xmit(struct sk_buff *skb, struct ne
+ goto tx_err_dst_release;
+ }
+
+- skb_scrub_packet(skb, !net_eq(t->net, dev_net(dev)));
+- skb_dst_set(skb, dst);
+- skb->dev = skb_dst(skb)->dev;
+-
+ mtu = dst_mtu(dst);
+ if (!skb->ignore_df && skb->len > mtu) {
+ skb_dst_update_pmtu(skb, mtu);
+@@ -498,9 +494,14 @@ vti6_xmit(struct sk_buff *skb, struct ne
+ htonl(mtu));
+ }
+
+- return -EMSGSIZE;
++ err = -EMSGSIZE;
++ goto tx_err_dst_release;
+ }
+
++ skb_scrub_packet(skb, !net_eq(t->net, dev_net(dev)));
++ skb_dst_set(skb, dst);
++ skb->dev = skb_dst(skb)->dev;
++
+ err = dst_output(t->net, skb->sk, skb);
+ if (net_xmit_eval(err) == 0) {
+ struct pcpu_sw_netstats *tstats = this_cpu_ptr(dev->tstats);
diff --git a/queue-4.14/x86-boot-fix-if_changed-build-flip-flop-bug.patch b/queue-4.14/x86-boot-fix-if_changed-build-flip-flop-bug.patch
new file mode 100644
index 00000000000..5453c66f445
--- /dev/null
+++ b/queue-4.14/x86-boot-fix-if_changed-build-flip-flop-bug.patch
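Review bot: The fix depends on `skb_dst_update_pmtu(skb, mtu)` running while the skb still carries its original dst, but after the change nothing in the code records that ordering constraint, so a later cleanup could move `skb_dst_set()` back above the MTU check. A comment above the relocated block, e.g. `/* attach the new dst only after PMTU handling, which must use the original dst */`, would preserve it. The error path now leaves through `tx_err_dst_release`, whose body is outside the hunk; it should be confirmed that it only drops the reference on `dst` and returns `err`, since the skb does not own that dst at this point.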
@@ -0,0 +1,83 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Kees Cook
+Date: Tue, 24 Jul 2018 16:08:27 -0700
+Subject: x86/boot: Fix if_changed build flip/flop bug
+
+From: Kees Cook
+
+[ Upstream commit 92a4728608a8fd228c572bc8ff50dd98aa0ddf2a ]
+
+Dirk Gouders reported that two consecutive "make" invocations on an
+already compiled tree will show alternating behaviors:
+
+$ make
+ CALL scripts/checksyscalls.sh
+ DESCEND objtool
+ CHK include/generated/compile.h
+ DATAREL arch/x86/boot/compressed/vmlinux
+Kernel: arch/x86/boot/bzImage is ready (#48)
+ Building modules, stage 2.
+ MODPOST 165 modules
+
+$ make
+ CALL scripts/checksyscalls.sh
+ DESCEND objtool
+ CHK include/generated/compile.h
+ LD arch/x86/boot/compressed/vmlinux
+ ZOFFSET arch/x86/boot/zoffset.h
+ AS arch/x86/boot/header.o
+ LD arch/x86/boot/setup.elf
+ OBJCOPY arch/x86/boot/setup.bin
+ OBJCOPY arch/x86/boot/vmlinux.bin
+ BUILD arch/x86/boot/bzImage
+Setup is 15644 bytes (padded to 15872 bytes).
+System is 6663 kB
+CRC 3eb90f40
+Kernel: arch/x86/boot/bzImage is ready (#48)
+ Building modules, stage 2.
+ MODPOST 165 modules
+
+He bisected it back to:
+
+ commit 98f78525371b ("x86/boot: Refuse to build with data relocations")
+
+The root cause was the use of the "if_changed" kbuild function multiple
+times for the same target. It was designed to only be used once per
+target, otherwise it will effectively always trigger, flipping back and
+forth between the two commands getting recorded by "if_changed". Instead,
+this patch merges the two commands into a single function to get stable
+build artifacts (i.e. .vmlinux.cmd), and a single build behavior.
+
+Bisected-and-Reported-by: Dirk Gouders
+Fix-Suggested-by: Masahiro Yamada
+Signed-off-by: Kees Cook
+Reviewed-by: Masahiro Yamada
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Link: http://lkml.kernel.org/r/20180724230827.GA37823@beast
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/boot/compressed/Makefile | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/boot/compressed/Makefile
++++ b/arch/x86/boot/compressed/Makefile
+@@ -104,9 +104,13 @@ define cmd_check_data_rel
+ done
+ endef
+
++# We need to run two commands under "if_changed", so merge them into a
++# single invocation.
++quiet_cmd_check-and-link-vmlinux = LD $@
++ cmd_check-and-link-vmlinux = $(cmd_check_data_rel); $(cmd_ld)
++
+ $(obj)/vmlinux: $(vmlinux-objs-y) FORCE
+- $(call if_changed,check_data_rel)
+- $(call if_changed,ld)
++ $(call if_changed,check-and-link-vmlinux)
+
+ OBJCOPYFLAGS_vmlinux.bin := -R .comment -S
+ $(obj)/vmlinux.bin: vmlinux FORCE
diff --git a/queue-4.14/xfrm-fix-missing-dst_release-after-policy-blocking-lbcast-and-multicast.patch b/queue-4.14/xfrm-fix-missing-dst_release-after-policy-blocking-lbcast-and-multicast.patch
new file mode 100644
index 00000000000..72835d79f40
--- /dev/null
+++ b/queue-4.14/xfrm-fix-missing-dst_release-after-policy-blocking-lbcast-and-multicast.patch
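Review bot: `cmd_check-and-link-vmlinux = $(cmd_check_data_rel); $(cmd_ld)` sequences the relocation check and the link with `;`, so the link is skipped on a failed check only if the shell that `if_changed` spawns aborts on the first failing command, which is not visible in this hunk. Since the check exists to refuse building with data relocations, chaining with `&&` would make the dependency explicit: `cmd_check-and-link-vmlinux = $(cmd_check_data_rel) && $(cmd_ld)`. The `quiet_cmd_` text prints only `LD`, so the check step no longer appears in quiet build output; a word in the added comment would explain that.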
@@ -0,0 +1,67 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Tommi Rantala
+Date: Thu, 21 Jun 2018 09:30:47 +0300
+Subject: xfrm: fix missing dst_release() after policy blocking lbcast and multicast
+
+From: Tommi Rantala
+
+[ Upstream commit 8cc88773855f988d6a3bbf102bbd9dd9c828eb81 ]
+
+Fix missing dst_release() when local broadcast or multicast traffic is
+xfrm policy blocked.
+
+For IPv4 this results to dst leak: ip_route_output_flow() allocates
+dst_entry via __ip_route_output_key() and passes it to
+xfrm_lookup_route(). xfrm_lookup returns ERR_PTR(-EPERM) that is
+propagated. The dst that was allocated is never released.
+
+IPv4 local broadcast testcase:
+ ping -b 192.168.1.255 &
+ sleep 1
+ ip xfrm policy add src 0.0.0.0/0 dst 192.168.1.255/32 dir out action block
+
+IPv4 multicast testcase:
+ ping 224.0.0.1 &
+ sleep 1
+ ip xfrm policy add src 0.0.0.0/0 dst 224.0.0.1/32 dir out action block
+
+For IPv6 the missing dst_release() causes trouble e.g. when used in netns:
+ ip netns add TEST
+ ip netns exec TEST ip link set lo up
+ ip link add dummy0 type dummy
+ ip link set dev dummy0 netns TEST
+ ip netns exec TEST ip addr add fd00::1111 dev dummy0
+ ip netns exec TEST ip link set dummy0 up
+ ip netns exec TEST ping -6 -c 5 ff02::1%dummy0 &
+ sleep 1
+ ip netns exec TEST ip xfrm policy add src ::/0 dst ff02::1 dir out action block
+ wait
+ ip netns del TEST
+
+After netns deletion we see:
+[ 258.239097] unregister_netdevice: waiting for lo to become free. Usage count = 2
+[ 268.279061] unregister_netdevice: waiting for lo to become free. Usage count = 2
+[ 278.367018] unregister_netdevice: waiting for lo to become free. Usage count = 2
+[ 288.375259] unregister_netdevice: waiting for lo to become free.
Usage count = 2
+
+Fixes: ac37e2515c1a ("xfrm: release dst_orig in case of error in xfrm_lookup()")
+Signed-off-by: Tommi Rantala
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/xfrm/xfrm_policy.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -2285,6 +2285,9 @@ struct dst_entry *xfrm_lookup_route(stru
+ if (IS_ERR(dst) && PTR_ERR(dst) == -EREMOTE)
+ return make_blackhole(net, dst_orig->ops->family, dst_orig);
+
++ if (IS_ERR(dst))
++ dst_release(dst_orig);
++
+ return dst;
+ }
+ EXPORT_SYMBOL(xfrm_lookup_route);
diff --git a/queue-4.14/xfrm-free-skb-if-nlsk-pointer-is-null.patch b/queue-4.14/xfrm-free-skb-if-nlsk-pointer-is-null.patch
new file mode 100644
index 00000000000..d957f3604ba
--- /dev/null
+++ b/queue-4.14/xfrm-free-skb-if-nlsk-pointer-is-null.patch
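Review bot: With `if (IS_ERR(dst)) dst_release(dst_orig);` the function now drops the caller's reference on every error return, which only balances if `xfrm_lookup()` itself leaves `dst_orig` untouched on each of those error paths; the call and its flags are outside the hunk, and the Fixes: tag names a commit whose title says `xfrm_lookup()` releases `dst_orig` on error. If any path releases it in both places the refcount underflows and the dst can be freed while still in use, so that pairing is worth confirming for this 4.14 backport. Either way the ownership rule should be written on the function, e.g. `/* On error dst_orig is released; callers must not use or release it again. */`.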
@@ -0,0 +1,40 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Florian Westphal
+Date: Mon, 25 Jun 2018 14:00:07 +0200
+Subject: xfrm: free skb if nlsk pointer is NULL
+
+From: Florian Westphal
+
+[ Upstream commit 86126b77dcd551ce223e7293bb55854e3df05646 ]
+
+nlmsg_multicast() always frees the skb, so in case we cannot call
+it we must do that ourselves.
+
+Fixes: 21ee543edc0dea ("xfrm: fix race between netns cleanup and state expire notification")
+Signed-off-by: Florian Westphal
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/xfrm/xfrm_user.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1021,10 +1021,12 @@ static inline int xfrm_nlmsg_multicast(s
+ {
+ struct sock *nlsk = rcu_dereference(net->xfrm.nlsk);
+
+- if (nlsk)
+- return nlmsg_multicast(nlsk, skb, pid, group, GFP_ATOMIC);
+- else
+- return -1;
++ if (!nlsk) {
++ kfree_skb(skb);
++ return -EPIPE;
++ }
++
++ return nlmsg_multicast(nlsk, skb, pid, group, GFP_ATOMIC);
+ }
+
+ static inline size_t xfrm_spdinfo_msgsize(void)
diff --git a/queue-4.14/zswap-re-check-zswap_is_full-after-do-zswap_shrink.patch b/queue-4.14/zswap-re-check-zswap_is_full-after-do-zswap_shrink.patch
new file mode 100644
index 00000000000..2d0bfa2e6a9
--- /dev/null
+++ b/queue-4.14/zswap-re-check-zswap_is_full-after-do-zswap_shrink.patch
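Review bot: After this change `xfrm_nlmsg_multicast()` consumes `skb` on both paths, which is a contract callers need to know, but the helper carries no comment saying so. Suggest adding above it `/* Always consumes skb, like nlmsg_multicast(); callers must not touch it afterwards. */`. The failure value also changes from `-1` to `-EPIPE`; callers are outside the hunk, so any that compared the result against `-1` rather than testing for a negative value would need a look.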
@@ -0,0 +1,65 @@
+From foo@baz Sun Aug 26 09:13:00 CEST 2018
+From: Li Wang
+Date: Thu, 26 Jul 2018 16:37:42 -0700
+Subject: zswap: re-check zswap_is_full() after do zswap_shrink()
+
+From: Li Wang
+
+[ Upstream commit 16e536ef47f567289a5699abee9ff7bb304bc12d ]
+
+/sys/../zswap/stored_pages keeps rising in a zswap test with
+"zswap.max_pool_percent=0" parameter. But it should not compress or
+store pages any more since there is no space in the compressed pool.
+
+Reproduce steps:
+ 1. Boot kernel with "zswap.enabled=1"
+ 2. Set the max_pool_percent to 0
+ # echo 0 > /sys/module/zswap/parameters/max_pool_percent
+ 3. Do memory stress test to see if some pages have been compressed
+ # stress --vm 1 --vm-bytes $mem_available"M" --timeout 60s
+ 4. Watching the 'stored_pages' number increasing or not
+
+The root cause is:
+
+ When zswap_max_pool_percent is set to 0 via kernel parameter,
+ zswap_is_full() will always return true due to zswap_shrink(). But if
+ the shinking is able to reclain a page successfully the code then
+ proceeds to compressing/storing another page, so the value of
+ stored_pages will keep changing.
+
+To solve the issue, this patch adds a zswap_is_full() check again after
+ zswap_shrink() to make sure it's now under the max_pool_percent, and to
+ not compress/store if we reached the limit.
+
+Link: http://lkml.kernel.org/r/20180530103936.17812-1-liwang@redhat.com
+Signed-off-by: Li Wang
+Acked-by: Dan Streetman
+Cc: Seth Jennings
+Cc: Huang Ying
+Cc: Yu Zhao
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/zswap.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/mm/zswap.c
++++ b/mm/zswap.c
+@@ -989,6 +989,15 @@ static int zswap_frontswap_store(unsigne
+ ret = -ENOMEM;
+ goto reject;
+ }
++
++ /* A second zswap_is_full() check after
++ * zswap_shrink() to make sure it's now
++ * under the max_pool_percent
++ */
++ if (zswap_is_full()) {
++ ret = -ENOMEM;
++ goto reject;
++ }
+ }
+
+ /* allocate entry */
-- 2.47.3
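Review bot: The added block comment does not follow the kernel multi-line comment layout and stops short of saying what happens; it would read better opening with a bare `/*` line and stating that the store is rejected when the pool is still at or over `max_pool_percent` after `zswap_shrink()`. The new reject path also returns `-ENOMEM` without any statistic being updated in the visible lines, so if the preceding shrink-failure branch (cut off at the top of the hunk) bumps a reject counter, it may be worth counting this case as well. `zswap_frontswap_store()` starts and ends outside the hunk.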