From b115924f9be930180f469902c1573cc5220720a0 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 21 Sep 2018 09:53:27 +0200 Subject: [PATCH] 4.14-stable patches added patches: alsa-msnd-fix-the-default-sample-sizes.patch alsa-pcm-add-__force-to-cast-in-snd_pcm_lib_read-write.patch alsa-usb-audio-fix-multiple-definitions-in-au0828_device-macro.patch amd-xgbe-use-dma_mapping_error-to-check-map-errors.patch arm-dts-qcom-msm8974-hammerhead-increase-load-on-l20-for-sdhci.patch arm-exynos-clear-global-variable-on-init-error-path.patch arm64-dts-qcom-db410c-fix-bluetooth-led-trigger.patch arm64-fix-possible-spectre-v1-write-in-ptrace_hbp_set_event.patch asoc-rt5514-fix-the-issue-of-the-delay-volume-applied.patch block-allow-max_discard_segments-to-be-stacked.patch clk-clk-fixed-factor-clear-of_populated-flag-in-case-of-failure.patch clk-core-potentially-free-connection-id.patch clk-imx6ul-fix-missing-of_node_put.patch crypto-sharah-unregister-correct-algorithms-for-sahara-3.patch dmaengine-mv_xor_v2-kill-the-tasklets-upon-exit.patch dmaengine-pl330-fix-irq-race-with-terminate_all.patch drivers-base-stop-new-probing-during-shutdown.patch efi-arm-preserve-early-mapping-of-uefi-memory-map-longer-for-bgrt.patch fbdev-distinguish-between-interlaced-and-progressive-modes.patch fbdev-omapfb-off-by-one-in-omapfb_register_client.patch fbdev-via-fix-defined-but-not-used-warning.patch gfs2-don-t-reject-a-supposedly-full-bitmap-if-we-have-blocks-reserved.patch gfs2-special-case-rindex-for-gfs2_grow.patch i2c-aspeed-fix-initial-values-of-master-and-slave-state.patch ib-ipoib-fix-error-return-code-in-ipoib_dev_init.patch ib-rxe-drop-qp0-silently.patch iommu-arm-smmu-v3-sync-the-ovackflg-to-priq-consumer-register.patch iommu-io-pgtable-arm-v7s-abort-allocation-when-table-address-overflows-the-pte.patch kbuild-add-.delete_on_error-special-target.patch kvm-arm-arm64-fix-vgic-init-race.patch kvm-arm-arm64-vgic-fix-possible-spectre-v1-write-in-vgic_mmio_write_apr.patch mac80211-restrict-delayed-tailroom-needed-decrement.patch media-ov5645-supported-external-clock-is-24mhz.patch media-tw686x-fix-oops-on-buffer-alloc-failure.patch media-videobuf2-core-check-for-q-error-in-vb2_core_qbuf.patch mips-ath79-fix-system-restart.patch mips-jz4740-bump-zload-address.patch mtd-maps-fix-solutionengine.c-printk-format-warnings.patch nfp-avoid-buffer-leak-when-fw-communication-fails.patch nvme-rdma-unquiesce-queues-when-deleting-the-controller.patch perf-powerpc-fix-callchain-ip-filtering-when-return-address-is-in-a-register.patch perf-powerpc-fix-callchain-ip-filtering.patch perf-test-fix-subtest-number-when-showing-results.patch perf-tools-fix-struct-comm_str-removal-crash.patch perf-tools-synthesize-group_desc-feature-in-pipe-mode.patch platform-x86-toshiba_acpi-fix-defined-but-not-used-build-warnings.patch powerpc-powernv-opal_put_chars-partial-write-fix.patch reset-imx7-fix-always-writing-bits-as-0.patch s390-qeth-fix-race-in-used-buffer-accounting.patch s390-qeth-reset-layer2-attribute-on-layer-switch.patch smack-fix-handling-of-ipv4-traffic-received-by-pf_inet6-sockets.patch staging-bcm2835-camera-fix-timeout-handling-in-wait_for_completion_timeout.patch staging-bcm2835-camera-handle-wait_for_completion_timeout-return-properly.patch usb-dwc3-change-stream-event-enable-bit-back-to-13.patch video-fbdev-pxafb-clear-allocated-memory-for-video-modes.patch video-goldfishfb-fix-memory-leak-on-driver-remove.patch wan-fsl_ucc_hdlc-use-is_err_value-to-check-return-value-of-qe_muram_alloc.patch x86-mm-pti-add-an-overflow-check-to-pti_clone_pmds.patch x86-pti-check-the-return-value-of-pti_user_pagetable_walk_p4d.patch x86-pti-check-the-return-value-of-pti_user_pagetable_walk_pmd.patch xen-netfront-fix-queue-name-setting.patch xen-netfront-fix-warn-message-as-irq-device-name-has.patch xfrm-fix-passing-zero-to-err_ptr-warning.patch --- ...sa-msnd-fix-the-default-sample-sizes.patch | 34 ++++ ...ce-to-cast-in-snd_pcm_lib_read-write.patch | 43 +++++ ...e-definitions-in-au0828_device-macro.patch | 39 ++++ ...ma_mapping_error-to-check-map-errors.patch | 45 +++++ ...rhead-increase-load-on-l20-for-sdhci.patch | 59 ++++++ ...r-global-variable-on-init-error-path.patch | 36 ++++ ...com-db410c-fix-bluetooth-led-trigger.patch | 33 ++++ ...tre-v1-write-in-ptrace_hbp_set_event.patch | 57 ++++++ ...he-issue-of-the-delay-volume-applied.patch | 45 +++++ ...w-max_discard_segments-to-be-stacked.patch | 47 +++++ ...of_populated-flag-in-case-of-failure.patch | 46 +++++ ...-core-potentially-free-connection-id.patch | 52 +++++ .../clk-imx6ul-fix-missing-of_node_put.patch | 32 ++++ ...ster-correct-algorithms-for-sahara-3.patch | 42 ++++ ...v_xor_v2-kill-the-tasklets-upon-exit.patch | 37 ++++ ...l330-fix-irq-race-with-terminate_all.patch | 55 ++++++ ...ase-stop-new-probing-during-shutdown.patch | 55 ++++++ ...g-of-uefi-memory-map-longer-for-bgrt.patch | 58 ++++++ ...een-interlaced-and-progressive-modes.patch | 123 ++++++++++++ ...off-by-one-in-omapfb_register_client.patch | 33 ++++ ...via-fix-defined-but-not-used-warning.patch | 42 ++++ ...ll-bitmap-if-we-have-blocks-reserved.patch | 42 ++++ ...s2-special-case-rindex-for-gfs2_grow.patch | 48 +++++ ...ial-values-of-master-and-slave-state.patch | 52 +++++ ...-error-return-code-in-ipoib_dev_init.patch | 34 ++++ queue-4.14/ib-rxe-drop-qp0-silently.patch | 53 ++++++ ...e-ovackflg-to-priq-consumer-register.patch | 33 ++++ ...when-table-address-overflows-the-pte.patch | 57 ++++++ ...-add-.delete_on_error-special-target.patch | 64 +++++++ .../kvm-arm-arm64-fix-vgic-init-race.patch | 39 ++++ ...ctre-v1-write-in-vgic_mmio_write_apr.patch | 43 +++++ ...ct-delayed-tailroom-needed-decrement.patch | 138 ++++++++++++++ ...45-supported-external-clock-is-24mhz.patch | 76 ++++++++ ...86x-fix-oops-on-buffer-alloc-failure.patch | 53 ++++++ ...e-check-for-q-error-in-vb2_core_qbuf.patch | 39 ++++ .../mips-ath79-fix-system-restart.patch | 46 +++++ .../mips-jz4740-bump-zload-address.patch | 44 +++++ ...utionengine.c-printk-format-warnings.patch | 60 ++++++ ...fer-leak-when-fw-communication-fails.patch | 79 ++++++++ ...-queues-when-deleting-the-controller.patch | 33 ++++ ...when-return-address-is-in-a-register.patch | 113 +++++++++++ ...f-powerpc-fix-callchain-ip-filtering.patch | 180 ++++++++++++++++++ ...-subtest-number-when-showing-results.patch | 69 +++++++ ...ls-fix-struct-comm_str-removal-crash.patch | 125 ++++++++++++ ...size-group_desc-feature-in-pipe-mode.patch | 65 +++++++ ...-defined-but-not-used-build-warnings.patch | 44 +++++ ...rnv-opal_put_chars-partial-write-fix.patch | 38 ++++ ...et-imx7-fix-always-writing-bits-as-0.patch | 40 ++++ ...h-fix-race-in-used-buffer-accounting.patch | 40 ++++ ...set-layer2-attribute-on-layer-switch.patch | 37 ++++ queue-4.14/series | 63 ++++++ ...traffic-received-by-pf_inet6-sockets.patch | 83 ++++++++ ...dling-in-wait_for_completion_timeout.patch | 50 +++++ ...r_completion_timeout-return-properly.patch | 46 +++++ ...e-stream-event-enable-bit-back-to-13.patch | 35 ++++ ...ear-allocated-memory-for-video-modes.patch | 36 ++++ ...hfb-fix-memory-leak-on-driver-remove.patch | 37 ++++ ...check-return-value-of-qe_muram_alloc.patch | 49 +++++ ...-an-overflow-check-to-pti_clone_pmds.patch | 62 ++++++ ...value-of-pti_user_pagetable_walk_p4d.patch | 64 +++++++ ...value-of-pti_user_pagetable_walk_pmd.patch | 63 ++++++ .../xen-netfront-fix-queue-name-setting.patch | 53 ++++++ ...-warn-message-as-irq-device-name-has.patch | 95 +++++++++ ...-fix-passing-zero-to-err_ptr-warning.patch | 39 ++++ 64 files changed, 3572 insertions(+) create mode 100644 queue-4.14/alsa-msnd-fix-the-default-sample-sizes.patch create mode 100644 queue-4.14/alsa-pcm-add-__force-to-cast-in-snd_pcm_lib_read-write.patch create mode 100644 queue-4.14/alsa-usb-audio-fix-multiple-definitions-in-au0828_device-macro.patch create mode 100644 queue-4.14/amd-xgbe-use-dma_mapping_error-to-check-map-errors.patch create mode 100644 queue-4.14/arm-dts-qcom-msm8974-hammerhead-increase-load-on-l20-for-sdhci.patch create mode 100644 queue-4.14/arm-exynos-clear-global-variable-on-init-error-path.patch create mode 100644 queue-4.14/arm64-dts-qcom-db410c-fix-bluetooth-led-trigger.patch create mode 100644 queue-4.14/arm64-fix-possible-spectre-v1-write-in-ptrace_hbp_set_event.patch create mode 100644 queue-4.14/asoc-rt5514-fix-the-issue-of-the-delay-volume-applied.patch create mode 100644 queue-4.14/block-allow-max_discard_segments-to-be-stacked.patch create mode 100644 queue-4.14/clk-clk-fixed-factor-clear-of_populated-flag-in-case-of-failure.patch create mode 100644 queue-4.14/clk-core-potentially-free-connection-id.patch create mode 100644 queue-4.14/clk-imx6ul-fix-missing-of_node_put.patch create mode 100644 queue-4.14/crypto-sharah-unregister-correct-algorithms-for-sahara-3.patch create mode 100644 queue-4.14/dmaengine-mv_xor_v2-kill-the-tasklets-upon-exit.patch create mode 100644 queue-4.14/dmaengine-pl330-fix-irq-race-with-terminate_all.patch create mode 100644 queue-4.14/drivers-base-stop-new-probing-during-shutdown.patch create mode 100644 queue-4.14/efi-arm-preserve-early-mapping-of-uefi-memory-map-longer-for-bgrt.patch create mode 100644 queue-4.14/fbdev-distinguish-between-interlaced-and-progressive-modes.patch create mode 100644 queue-4.14/fbdev-omapfb-off-by-one-in-omapfb_register_client.patch create mode 100644 queue-4.14/fbdev-via-fix-defined-but-not-used-warning.patch create mode 100644 queue-4.14/gfs2-don-t-reject-a-supposedly-full-bitmap-if-we-have-blocks-reserved.patch create mode 100644 queue-4.14/gfs2-special-case-rindex-for-gfs2_grow.patch create mode 100644 queue-4.14/i2c-aspeed-fix-initial-values-of-master-and-slave-state.patch create mode 100644 queue-4.14/ib-ipoib-fix-error-return-code-in-ipoib_dev_init.patch create mode 100644 queue-4.14/ib-rxe-drop-qp0-silently.patch create mode 100644 queue-4.14/iommu-arm-smmu-v3-sync-the-ovackflg-to-priq-consumer-register.patch create mode 100644 queue-4.14/iommu-io-pgtable-arm-v7s-abort-allocation-when-table-address-overflows-the-pte.patch create mode 100644 queue-4.14/kbuild-add-.delete_on_error-special-target.patch create mode 100644 queue-4.14/kvm-arm-arm64-fix-vgic-init-race.patch create mode 100644 queue-4.14/kvm-arm-arm64-vgic-fix-possible-spectre-v1-write-in-vgic_mmio_write_apr.patch create mode 100644 queue-4.14/mac80211-restrict-delayed-tailroom-needed-decrement.patch create mode 100644 queue-4.14/media-ov5645-supported-external-clock-is-24mhz.patch create mode 100644 queue-4.14/media-tw686x-fix-oops-on-buffer-alloc-failure.patch create mode 100644 queue-4.14/media-videobuf2-core-check-for-q-error-in-vb2_core_qbuf.patch create mode 100644 queue-4.14/mips-ath79-fix-system-restart.patch create mode 100644 queue-4.14/mips-jz4740-bump-zload-address.patch create mode 100644 queue-4.14/mtd-maps-fix-solutionengine.c-printk-format-warnings.patch create mode 100644 queue-4.14/nfp-avoid-buffer-leak-when-fw-communication-fails.patch create mode 100644 queue-4.14/nvme-rdma-unquiesce-queues-when-deleting-the-controller.patch create mode 100644 queue-4.14/perf-powerpc-fix-callchain-ip-filtering-when-return-address-is-in-a-register.patch create mode 100644 queue-4.14/perf-powerpc-fix-callchain-ip-filtering.patch create mode 100644 queue-4.14/perf-test-fix-subtest-number-when-showing-results.patch create mode 100644 queue-4.14/perf-tools-fix-struct-comm_str-removal-crash.patch create mode 100644 queue-4.14/perf-tools-synthesize-group_desc-feature-in-pipe-mode.patch create mode 100644 queue-4.14/platform-x86-toshiba_acpi-fix-defined-but-not-used-build-warnings.patch create mode 100644 queue-4.14/powerpc-powernv-opal_put_chars-partial-write-fix.patch create mode 100644 queue-4.14/reset-imx7-fix-always-writing-bits-as-0.patch create mode 100644 queue-4.14/s390-qeth-fix-race-in-used-buffer-accounting.patch create mode 100644 queue-4.14/s390-qeth-reset-layer2-attribute-on-layer-switch.patch create mode 100644 queue-4.14/smack-fix-handling-of-ipv4-traffic-received-by-pf_inet6-sockets.patch create mode 100644 queue-4.14/staging-bcm2835-camera-fix-timeout-handling-in-wait_for_completion_timeout.patch create mode 100644 queue-4.14/staging-bcm2835-camera-handle-wait_for_completion_timeout-return-properly.patch create mode 100644 queue-4.14/usb-dwc3-change-stream-event-enable-bit-back-to-13.patch create mode 100644 queue-4.14/video-fbdev-pxafb-clear-allocated-memory-for-video-modes.patch create mode 100644 queue-4.14/video-goldfishfb-fix-memory-leak-on-driver-remove.patch create mode 100644 queue-4.14/wan-fsl_ucc_hdlc-use-is_err_value-to-check-return-value-of-qe_muram_alloc.patch create mode 100644 queue-4.14/x86-mm-pti-add-an-overflow-check-to-pti_clone_pmds.patch create mode 100644 queue-4.14/x86-pti-check-the-return-value-of-pti_user_pagetable_walk_p4d.patch create mode 100644 queue-4.14/x86-pti-check-the-return-value-of-pti_user_pagetable_walk_pmd.patch create mode 100644 queue-4.14/xen-netfront-fix-queue-name-setting.patch create mode 100644 queue-4.14/xen-netfront-fix-warn-message-as-irq-device-name-has.patch create mode 100644 queue-4.14/xfrm-fix-passing-zero-to-err_ptr-warning.patch diff --git a/queue-4.14/alsa-msnd-fix-the-default-sample-sizes.patch b/queue-4.14/alsa-msnd-fix-the-default-sample-sizes.patch new file mode 100644 index 00000000000..38508adb027 --- /dev/null +++ b/queue-4.14/alsa-msnd-fix-the-default-sample-sizes.patch @@ -0,0 +1,34 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Takashi Iwai +Date: Wed, 25 Jul 2018 23:00:48 +0200 +Subject: ALSA: msnd: Fix the default sample sizes + +From: Takashi Iwai + +[ Upstream commit 7c500f9ea139d0c9b80fdea5a9c911db3166ea54 ] + +The default sample sizes set by msnd driver are bogus; it sets ALSA +PCM format, not the actual bit width. + +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/isa/msnd/msnd_pinnacle.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/isa/msnd/msnd_pinnacle.c ++++ b/sound/isa/msnd/msnd_pinnacle.c +@@ -82,10 +82,10 @@ + + static void set_default_audio_parameters(struct snd_msnd *chip) + { +- chip->play_sample_size = DEFSAMPLESIZE; ++ chip->play_sample_size = snd_pcm_format_width(DEFSAMPLESIZE); + chip->play_sample_rate = DEFSAMPLERATE; + chip->play_channels = DEFCHANNELS; +- chip->capture_sample_size = DEFSAMPLESIZE; ++ chip->capture_sample_size = snd_pcm_format_width(DEFSAMPLESIZE); + chip->capture_sample_rate = DEFSAMPLERATE; + chip->capture_channels = DEFCHANNELS; + } diff --git a/queue-4.14/alsa-pcm-add-__force-to-cast-in-snd_pcm_lib_read-write.patch b/queue-4.14/alsa-pcm-add-__force-to-cast-in-snd_pcm_lib_read-write.patch new file mode 100644 index 00000000000..8489797ec87 --- /dev/null +++ b/queue-4.14/alsa-pcm-add-__force-to-cast-in-snd_pcm_lib_read-write.patch @@ -0,0 +1,43 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Takashi Iwai +Date: Wed, 25 Jul 2018 23:00:54 +0200 +Subject: ALSA: pcm: Add __force to cast in snd_pcm_lib_read/write() + +From: Takashi Iwai + +[ Upstream commit 95a48b7d4459948b6bacf809809cf01a7dc06d1d ] + +The snd_pcm_lib_read() and snd_pcm_lib_write() inline functions have +the explicit cast from a user pointer to a kernel pointer, but they +lacks of __force prefix. + +This fixes sparse warnings like: + ./include/sound/pcm.h:1093:47: warning: cast removes address space of expression + +Fixes: 68541213720d ("ALSA: pcm: Direct in-kernel read/write support") +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/sound/pcm.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/include/sound/pcm.h ++++ b/include/sound/pcm.h +@@ -1081,14 +1081,14 @@ static inline snd_pcm_sframes_t + snd_pcm_lib_write(struct snd_pcm_substream *substream, + const void __user *buf, snd_pcm_uframes_t frames) + { +- return __snd_pcm_lib_xfer(substream, (void *)buf, true, frames, false); ++ return __snd_pcm_lib_xfer(substream, (void __force *)buf, true, frames, false); + } + + static inline snd_pcm_sframes_t + snd_pcm_lib_read(struct snd_pcm_substream *substream, + void __user *buf, snd_pcm_uframes_t frames) + { +- return __snd_pcm_lib_xfer(substream, (void *)buf, true, frames, false); ++ return __snd_pcm_lib_xfer(substream, (void __force *)buf, true, frames, false); + } + + static inline snd_pcm_sframes_t diff --git a/queue-4.14/alsa-usb-audio-fix-multiple-definitions-in-au0828_device-macro.patch b/queue-4.14/alsa-usb-audio-fix-multiple-definitions-in-au0828_device-macro.patch new file mode 100644 index 00000000000..ef8d541a362 --- /dev/null +++ b/queue-4.14/alsa-usb-audio-fix-multiple-definitions-in-au0828_device-macro.patch @@ -0,0 +1,39 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Takashi Iwai +Date: Wed, 25 Jul 2018 23:00:46 +0200 +Subject: ALSA: usb-audio: Fix multiple definitions in AU0828_DEVICE() macro + +From: Takashi Iwai + +[ Upstream commit bd1cd0eb2ce9141100628d476ead4de485501b29 ] + +AU0828_DEVICE() macro in quirks-table.h uses USB_DEVICE_VENDOR_SPEC() +for expanding idVendor and idProduct fields. However, the latter +macro adds also match_flags and bInterfaceClass, which are different +from the values AU0828_DEVICE() macro sets after that. + +For fixing them, just expand idVendor and idProduct fields manually in +AU0828_DEVICE(). + +This fixes sparse warnings like: + sound/usb/quirks-table.h:2892:1: warning: Initializer entry defined twice + +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/quirks-table.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/sound/usb/quirks-table.h ++++ b/sound/usb/quirks-table.h +@@ -2875,7 +2875,8 @@ YAMAHA_DEVICE(0x7010, "UB99"), + */ + + #define AU0828_DEVICE(vid, pid, vname, pname) { \ +- USB_DEVICE_VENDOR_SPEC(vid, pid), \ ++ .idVendor = vid, \ ++ .idProduct = pid, \ + .match_flags = USB_DEVICE_ID_MATCH_DEVICE | \ + USB_DEVICE_ID_MATCH_INT_CLASS | \ + USB_DEVICE_ID_MATCH_INT_SUBCLASS, \ diff --git a/queue-4.14/amd-xgbe-use-dma_mapping_error-to-check-map-errors.patch b/queue-4.14/amd-xgbe-use-dma_mapping_error-to-check-map-errors.patch new file mode 100644 index 00000000000..243ef314873 --- /dev/null +++ b/queue-4.14/amd-xgbe-use-dma_mapping_error-to-check-map-errors.patch @@ -0,0 +1,45 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: YueHaibing +Date: Thu, 26 Jul 2018 09:51:27 +0800 +Subject: amd-xgbe: use dma_mapping_error to check map errors + +From: YueHaibing + +[ Upstream commit b24dbfe9ce03d9f83306616f22fb0e04e8960abe ] + +The dma_mapping_error() returns true or false, but we want +to return -ENOMEM if there was an error. + +Fixes: 174fd2597b0b ("amd-xgbe: Implement split header receive support") +Signed-off-by: YueHaibing +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/amd/xgbe/xgbe-desc.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/amd/xgbe/xgbe-desc.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-desc.c +@@ -289,7 +289,7 @@ static int xgbe_alloc_pages(struct xgbe_ + struct page *pages = NULL; + dma_addr_t pages_dma; + gfp_t gfp; +- int order, ret; ++ int order; + + again: + order = alloc_order; +@@ -316,10 +316,9 @@ again: + /* Map the pages */ + pages_dma = dma_map_page(pdata->dev, pages, 0, + PAGE_SIZE << order, DMA_FROM_DEVICE); +- ret = dma_mapping_error(pdata->dev, pages_dma); +- if (ret) { ++ if (dma_mapping_error(pdata->dev, pages_dma)) { + put_page(pages); +- return ret; ++ return -ENOMEM; + } + + pa->pages = pages; diff --git a/queue-4.14/arm-dts-qcom-msm8974-hammerhead-increase-load-on-l20-for-sdhci.patch b/queue-4.14/arm-dts-qcom-msm8974-hammerhead-increase-load-on-l20-for-sdhci.patch new file mode 100644 index 00000000000..a8725f748a7 --- /dev/null +++ b/queue-4.14/arm-dts-qcom-msm8974-hammerhead-increase-load-on-l20-for-sdhci.patch @@ -0,0 +1,59 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Bhushan Shah +Date: Mon, 9 Jul 2018 14:46:28 +0530 +Subject: ARM: dts: qcom: msm8974-hammerhead: increase load on l20 for sdhci + +From: Bhushan Shah + +[ Upstream commit 03864e57770a9541e7ff3990bacf2d9a2fffcd5d ] + +The kernel would not boot on the hammerhead hardware due to the +following error: + +mmc0: Timeout waiting for hardware interrupt. +mmc0: sdhci: ============ SDHCI REGISTER DUMP =========== +mmc0: sdhci: Sys addr: 0x00000200 | Version: 0x00003802 +mmc0: sdhci: Blk size: 0x00000200 | Blk cnt: 0x00000200 +mmc0: sdhci: Argument: 0x00000000 | Trn mode: 0x00000023 +mmc0: sdhci: Present: 0x03e80000 | Host ctl: 0x00000034 +mmc0: sdhci: Power: 0x00000001 | Blk gap: 0x00000000 +mmc0: sdhci: Wake-up: 0x00000000 | Clock: 0x00000007 +mmc0: sdhci: Timeout: 0x0000000e | Int stat: 0x00000000 +mmc0: sdhci: Int enab: 0x02ff900b | Sig enab: 0x02ff100b +mmc0: sdhci: AC12 err: 0x00000000 | Slot int: 0x00000000 +mmc0: sdhci: Caps: 0x642dc8b2 | Caps_1: 0x00008007 +mmc0: sdhci: Cmd: 0x00000c1b | Max curr: 0x00000000 +mmc0: sdhci: Resp[0]: 0x00000c00 | Resp[1]: 0x00000000 +mmc0: sdhci: Resp[2]: 0x00000000 | Resp[3]: 0x00000000 +mmc0: sdhci: Host ctl2: 0x00000008 +mmc0: sdhci: ADMA Err: 0x00000000 | ADMA Ptr: 0x70040220 +mmc0: sdhci: ============================================ +mmc0: Card stuck in wrong state! mmcblk0 card_busy_detect status: 0xe00 +mmc0: cache flush error -110 +mmc0: Reset 0x1 never completed. + +This patch increases the load on l20 to 0.2 amps for the sdhci +and allows the device to boot normally. + +Signed-off-by: Bhushan Shah +Signed-off-by: Brian Masney +Suggested-by: Bjorn Andersson +Tested-by: Brian Masney +Signed-off-by: Andy Gross +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/qcom-msm8974-lge-nexus5-hammerhead.dts | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm/boot/dts/qcom-msm8974-lge-nexus5-hammerhead.dts ++++ b/arch/arm/boot/dts/qcom-msm8974-lge-nexus5-hammerhead.dts +@@ -189,6 +189,8 @@ + regulator-max-microvolt = <2950000>; + + regulator-boot-on; ++ regulator-system-load = <200000>; ++ regulator-allow-set-load; + }; + + l21 { diff --git a/queue-4.14/arm-exynos-clear-global-variable-on-init-error-path.patch b/queue-4.14/arm-exynos-clear-global-variable-on-init-error-path.patch new file mode 100644 index 00000000000..c5da496b4ab --- /dev/null +++ b/queue-4.14/arm-exynos-clear-global-variable-on-init-error-path.patch @@ -0,0 +1,36 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Krzysztof Kozlowski +Date: Tue, 24 Jul 2018 18:48:14 +0200 +Subject: ARM: exynos: Clear global variable on init error path + +From: Krzysztof Kozlowski + +[ Upstream commit cd4806911cee3901bc2b5eb95603cf1958720b57 ] + +For most of Exynos SoCs, Power Management Unit (PMU) address space is +mapped into global variable 'pmu_base_addr' very early when initializing +PMU interrupt controller. A lot of other machine code depends on it so +when doing iounmap() on this address, clear the global as well to avoid +usage of invalid value (pointing to unmapped memory region). + +Properly mapped PMU address space is a requirement for all other machine +code so this fix is purely theoretical. Boot will fail immediately in +many other places after following this error path. + +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-exynos/suspend.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm/mach-exynos/suspend.c ++++ b/arch/arm/mach-exynos/suspend.c +@@ -209,6 +209,7 @@ static int __init exynos_pmu_irq_init(st + NULL); + if (!domain) { + iounmap(pmu_base_addr); ++ pmu_base_addr = NULL; + return -ENOMEM; + } + diff --git a/queue-4.14/arm64-dts-qcom-db410c-fix-bluetooth-led-trigger.patch b/queue-4.14/arm64-dts-qcom-db410c-fix-bluetooth-led-trigger.patch new file mode 100644 index 00000000000..fdd8ad615d8 --- /dev/null +++ b/queue-4.14/arm64-dts-qcom-db410c-fix-bluetooth-led-trigger.patch @@ -0,0 +1,33 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Loic Poulain +Date: Wed, 11 Jul 2018 14:18:23 +0200 +Subject: arm64: dts: qcom: db410c: Fix Bluetooth LED trigger + +From: Loic Poulain + +[ Upstream commit e53db018315b7660bb7000a29e79faff2496c2c2 ] + +Current LED trigger, 'bt', is not known/used by any existing driver. +Fix this by renaming it to 'bluetooth-power' trigger which is +controlled by the Bluetooth subsystem. + +Fixes: 9943230c8860 ("arm64: dts: qcom: Add apq8016-sbc board LED's related device nodes") +Signed-off-by: Loic Poulain +Signed-off-by: Andy Gross +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/qcom/apq8016-sbc.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/qcom/apq8016-sbc.dtsi ++++ b/arch/arm64/boot/dts/qcom/apq8016-sbc.dtsi +@@ -187,7 +187,7 @@ + led@6 { + label = "apq8016-sbc:blue:bt"; + gpios = <&pm8916_mpps 3 GPIO_ACTIVE_HIGH>; +- linux,default-trigger = "bt"; ++ linux,default-trigger = "bluetooth-power"; + default-state = "off"; + }; + }; diff --git a/queue-4.14/arm64-fix-possible-spectre-v1-write-in-ptrace_hbp_set_event.patch b/queue-4.14/arm64-fix-possible-spectre-v1-write-in-ptrace_hbp_set_event.patch new file mode 100644 index 00000000000..3067b179120 --- /dev/null +++ b/queue-4.14/arm64-fix-possible-spectre-v1-write-in-ptrace_hbp_set_event.patch @@ -0,0 +1,57 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Mark Rutland +Date: Tue, 10 Jul 2018 19:01:22 +0100 +Subject: arm64: fix possible spectre-v1 write in ptrace_hbp_set_event() + +From: Mark Rutland + +[ Upstream commit 14d6e289a89780377f8bb09de8926d3c62d763cd ] + +It's possible for userspace to control idx. Sanitize idx when using it +as an array index, to inhibit the potential spectre-v1 write gadget. + +Found by smatch. + +Signed-off-by: Mark Rutland +Cc: Catalin Marinas +Cc: Will Deacon +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/ptrace.c | 19 +++++++++++-------- + 1 file changed, 11 insertions(+), 8 deletions(-) + +--- a/arch/arm64/kernel/ptrace.c ++++ b/arch/arm64/kernel/ptrace.c +@@ -274,19 +274,22 @@ static int ptrace_hbp_set_event(unsigned + + switch (note_type) { + case NT_ARM_HW_BREAK: +- if (idx < ARM_MAX_BRP) { +- tsk->thread.debug.hbp_break[idx] = bp; +- err = 0; +- } ++ if (idx >= ARM_MAX_BRP) ++ goto out; ++ idx = array_index_nospec(idx, ARM_MAX_BRP); ++ tsk->thread.debug.hbp_break[idx] = bp; ++ err = 0; + break; + case NT_ARM_HW_WATCH: +- if (idx < ARM_MAX_WRP) { +- tsk->thread.debug.hbp_watch[idx] = bp; +- err = 0; +- } ++ if (idx >= ARM_MAX_WRP) ++ goto out; ++ idx = array_index_nospec(idx, ARM_MAX_WRP); ++ tsk->thread.debug.hbp_watch[idx] = bp; ++ err = 0; + break; + } + ++out: + return err; + } + diff --git a/queue-4.14/asoc-rt5514-fix-the-issue-of-the-delay-volume-applied.patch b/queue-4.14/asoc-rt5514-fix-the-issue-of-the-delay-volume-applied.patch new file mode 100644 index 00000000000..2d8924099b6 --- /dev/null +++ b/queue-4.14/asoc-rt5514-fix-the-issue-of-the-delay-volume-applied.patch @@ -0,0 +1,45 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Oder Chiou +Date: Tue, 24 Jul 2018 15:49:23 +0800 +Subject: ASoC: rt5514: Fix the issue of the delay volume applied + +From: Oder Chiou + +[ Upstream commit d96f8bd28cd0bae3e6702ae90df593628ef6906f ] + +The patch fixes the issue of the delay volume applied. + +Signed-off-by: Oder Chiou +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/rt5514.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/sound/soc/codecs/rt5514.c ++++ b/sound/soc/codecs/rt5514.c +@@ -64,8 +64,8 @@ static const struct reg_sequence rt5514_ + {RT5514_ANA_CTRL_LDO10, 0x00028604}, + {RT5514_ANA_CTRL_ADCFED, 0x00000800}, + {RT5514_ASRC_IN_CTRL1, 0x00000003}, +- {RT5514_DOWNFILTER0_CTRL3, 0x10000362}, +- {RT5514_DOWNFILTER1_CTRL3, 0x10000362}, ++ {RT5514_DOWNFILTER0_CTRL3, 0x10000352}, ++ {RT5514_DOWNFILTER1_CTRL3, 0x10000352}, + }; + + static const struct reg_default rt5514_reg[] = { +@@ -92,10 +92,10 @@ static const struct reg_default rt5514_r + {RT5514_ASRC_IN_CTRL1, 0x00000003}, + {RT5514_DOWNFILTER0_CTRL1, 0x00020c2f}, + {RT5514_DOWNFILTER0_CTRL2, 0x00020c2f}, +- {RT5514_DOWNFILTER0_CTRL3, 0x10000362}, ++ {RT5514_DOWNFILTER0_CTRL3, 0x10000352}, + {RT5514_DOWNFILTER1_CTRL1, 0x00020c2f}, + {RT5514_DOWNFILTER1_CTRL2, 0x00020c2f}, +- {RT5514_DOWNFILTER1_CTRL3, 0x10000362}, ++ {RT5514_DOWNFILTER1_CTRL3, 0x10000352}, + {RT5514_ANA_CTRL_LDO10, 0x00028604}, + {RT5514_ANA_CTRL_LDO18_16, 0x02000345}, + {RT5514_ANA_CTRL_ADC12, 0x0000a2a8}, diff --git a/queue-4.14/block-allow-max_discard_segments-to-be-stacked.patch b/queue-4.14/block-allow-max_discard_segments-to-be-stacked.patch new file mode 100644 index 00000000000..03167d8c3b8 --- /dev/null +++ b/queue-4.14/block-allow-max_discard_segments-to-be-stacked.patch @@ -0,0 +1,47 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Mike Snitzer +Date: Fri, 20 Jul 2018 14:57:38 -0400 +Subject: block: allow max_discard_segments to be stacked + +From: Mike Snitzer + +[ Upstream commit 42c9cdfe1e11e083dceb0f0c4977b758cf7403b9 ] + +Set max_discard_segments to USHRT_MAX in blk_set_stacking_limits() so +that blk_stack_limits() can stack up this limit for stacked devices. + +before: + +$ cat /sys/block/nvme0n1/queue/max_discard_segments +256 +$ cat /sys/block/dm-0/queue/max_discard_segments +1 + +after: + +$ cat /sys/block/nvme0n1/queue/max_discard_segments +256 +$ cat /sys/block/dm-0/queue/max_discard_segments +256 + +Fixes: 1e739730c5b9e ("block: optionally merge discontiguous discard bios into a single request") +Reviewed-by: Christoph Hellwig +Signed-off-by: Mike Snitzer +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-settings.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/block/blk-settings.c ++++ b/block/blk-settings.c +@@ -128,7 +128,7 @@ void blk_set_stacking_limits(struct queu + + /* Inherit limits from component devices */ + lim->max_segments = USHRT_MAX; +- lim->max_discard_segments = 1; ++ lim->max_discard_segments = USHRT_MAX; + lim->max_hw_sectors = UINT_MAX; + lim->max_segment_size = UINT_MAX; + lim->max_sectors = UINT_MAX; diff --git a/queue-4.14/clk-clk-fixed-factor-clear-of_populated-flag-in-case-of-failure.patch b/queue-4.14/clk-clk-fixed-factor-clear-of_populated-flag-in-case-of-failure.patch new file mode 100644 index 00000000000..00f3600ec97 --- /dev/null +++ b/queue-4.14/clk-clk-fixed-factor-clear-of_populated-flag-in-case-of-failure.patch @@ -0,0 +1,46 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Rajan Vaja +Date: Tue, 17 Jul 2018 06:17:00 -0700 +Subject: clk: clk-fixed-factor: Clear OF_POPULATED flag in case of failure + +From: Rajan Vaja + +[ Upstream commit f6dab4233d6b64d719109040503b567f71fbfa01 ] + +Fixed factor clock has two initializations at of_clk_init() time +and during platform driver probe. Before of_clk_init() call, +node is marked as populated and so its probe never gets called. + +During of_clk_init() fixed factor clock registration may fail if +any of its parent clock is not registered. In this case, it doesn't +get chance to retry registration from probe. Clear OF_POPULATED +flag if fixed factor clock registration fails so that clock +registration is attempted again from probe. + +Signed-off-by: Rajan Vaja +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/clk-fixed-factor.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/clk/clk-fixed-factor.c ++++ b/drivers/clk/clk-fixed-factor.c +@@ -177,8 +177,15 @@ static struct clk *_of_fixed_factor_clk_ + + clk = clk_register_fixed_factor(NULL, clk_name, parent_name, flags, + mult, div); +- if (IS_ERR(clk)) ++ if (IS_ERR(clk)) { ++ /* ++ * If parent clock is not registered, registration would fail. ++ * Clear OF_POPULATED flag so that clock registration can be ++ * attempted again from probe function. ++ */ ++ of_node_clear_flag(node, OF_POPULATED); + return clk; ++ } + + ret = of_clk_add_provider(node, of_clk_src_simple_get, clk); + if (ret) { diff --git a/queue-4.14/clk-core-potentially-free-connection-id.patch b/queue-4.14/clk-core-potentially-free-connection-id.patch new file mode 100644 index 00000000000..ccbd3a8e8d4 --- /dev/null +++ b/queue-4.14/clk-core-potentially-free-connection-id.patch @@ -0,0 +1,52 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Mikko Perttunen +Date: Wed, 11 Jul 2018 11:21:04 +0300 +Subject: clk: core: Potentially free connection id + +From: Mikko Perttunen + +[ Upstream commit 365f7a89c881e84f1ebc925f65f899d5d7ce547e ] + +Patch "clk: core: Copy connection id" made it so that the connector id +'con_id' is kstrdup_const()ed to cater to drivers that pass non-constant +connection ids. The patch added the corresponding kfree_const to +__clk_free_clk(), but struct clk's can be freed also via __clk_put(). +Add the kfree_const call to __clk_put() and add comments to both +functions to remind that the logic in them should be kept in sync. + +Fixes: 253160a8ad06 ("clk: core: Copy connection id") +Signed-off-by: Mikko Perttunen +Reviewed-by: Leonard Crestez +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/clk.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/clk/clk.c ++++ b/drivers/clk/clk.c +@@ -2557,6 +2557,7 @@ struct clk *__clk_create_clk(struct clk_ + return clk; + } + ++/* keep in sync with __clk_put */ + void __clk_free_clk(struct clk *clk) + { + clk_prepare_lock(); +@@ -2922,6 +2923,7 @@ int __clk_get(struct clk *clk) + return 1; + } + ++/* keep in sync with __clk_free_clk */ + void __clk_put(struct clk *clk) + { + struct module *owner; +@@ -2943,6 +2945,7 @@ void __clk_put(struct clk *clk) + + module_put(owner); + ++ kfree_const(clk->con_id); + kfree(clk); + } + diff --git a/queue-4.14/clk-imx6ul-fix-missing-of_node_put.patch b/queue-4.14/clk-imx6ul-fix-missing-of_node_put.patch new file mode 100644 index 00000000000..c816f179fbe --- /dev/null +++ b/queue-4.14/clk-imx6ul-fix-missing-of_node_put.patch @@ -0,0 +1,32 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Nicholas Mc Guire +Date: Fri, 13 Jul 2018 13:13:20 +0200 +Subject: clk: imx6ul: fix missing of_node_put() + +From: Nicholas Mc Guire + +[ Upstream commit 11177e7a7aaef95935592072985526ebf0a3df43 ] + +of_find_compatible_node() is returning a device node with refcount +incremented and must be explicitly decremented after the last use +which is right after the us in of_iomap() here. + +Signed-off-by: Nicholas Mc Guire +Fixes: 787b4271a6a0 ("clk: imx: add imx6ul clk tree support") +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/imx/clk-imx6ul.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/clk/imx/clk-imx6ul.c ++++ b/drivers/clk/imx/clk-imx6ul.c +@@ -135,6 +135,7 @@ static void __init imx6ul_clocks_init(st + + np = of_find_compatible_node(NULL, NULL, "fsl,imx6ul-anatop"); + base = of_iomap(np, 0); ++ of_node_put(np); + WARN_ON(!base); + + clks[IMX6UL_PLL1_BYPASS_SRC] = imx_clk_mux("pll1_bypass_src", base + 0x00, 14, 1, pll_bypass_src_sels, ARRAY_SIZE(pll_bypass_src_sels)); diff --git a/queue-4.14/crypto-sharah-unregister-correct-algorithms-for-sahara-3.patch b/queue-4.14/crypto-sharah-unregister-correct-algorithms-for-sahara-3.patch new file mode 100644 index 00000000000..42be1e564bd --- /dev/null +++ b/queue-4.14/crypto-sharah-unregister-correct-algorithms-for-sahara-3.patch @@ -0,0 +1,42 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Michael Müller +Date: Sun, 15 Jul 2018 00:27:06 +0200 +Subject: crypto: sharah - Unregister correct algorithms for SAHARA 3 + +From: Michael Müller + +[ Upstream commit 0e7d4d932ffc23f75efb31a8c2ac2396c1b81c55 ] + +This patch fixes two typos related to unregistering algorithms supported by +SAHARAH 3. In sahara_register_algs the wrong algorithms are unregistered +in case of an error. In sahara_unregister_algs the wrong array is used to +determine the iteration count. + +Signed-off-by: Michael Müller +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/sahara.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/crypto/sahara.c ++++ b/drivers/crypto/sahara.c +@@ -1351,7 +1351,7 @@ err_sha_v4_algs: + + err_sha_v3_algs: + for (j = 0; j < k; j++) +- crypto_unregister_ahash(&sha_v4_algs[j]); ++ crypto_unregister_ahash(&sha_v3_algs[j]); + + err_aes_algs: + for (j = 0; j < i; j++) +@@ -1367,7 +1367,7 @@ static void sahara_unregister_algs(struc + for (i = 0; i < ARRAY_SIZE(aes_algs); i++) + crypto_unregister_alg(&aes_algs[i]); + +- for (i = 0; i < ARRAY_SIZE(sha_v4_algs); i++) ++ for (i = 0; i < ARRAY_SIZE(sha_v3_algs); i++) + crypto_unregister_ahash(&sha_v3_algs[i]); + + if (dev->version > SAHARA_VERSION_3) diff --git a/queue-4.14/dmaengine-mv_xor_v2-kill-the-tasklets-upon-exit.patch b/queue-4.14/dmaengine-mv_xor_v2-kill-the-tasklets-upon-exit.patch new file mode 100644 index 00000000000..9bc8955d5ab --- /dev/null +++ b/queue-4.14/dmaengine-mv_xor_v2-kill-the-tasklets-upon-exit.patch @@ -0,0 +1,37 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Hanna Hawa +Date: Tue, 17 Jul 2018 13:30:00 +0300 +Subject: dmaengine: mv_xor_v2: kill the tasklets upon exit + +From: Hanna Hawa + +[ Upstream commit 8bbafed8dd5cfa81071b50ead5cb60367fdef3a9 ] + +The mv_xor_v2 driver uses a tasklet, initialized during the probe() +routine. However, it forgets to cleanup the tasklet using +tasklet_kill() function during the remove() routine, which this patch +fixes. This prevents the tasklet from potentially running after the +module has been removed. + +Fixes: 19a340b1a820 ("dmaengine: mv_xor_v2: new driver") + +Signed-off-by: Hanna Hawa +Reviewed-by: Thomas Petazzoni +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/mv_xor_v2.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/dma/mv_xor_v2.c ++++ b/drivers/dma/mv_xor_v2.c +@@ -898,6 +898,8 @@ static int mv_xor_v2_remove(struct platf + + platform_msi_domain_free_irqs(&pdev->dev); + ++ tasklet_kill(&xor_dev->irq_tasklet); ++ + clk_disable_unprepare(xor_dev->clk); + + return 0; diff --git a/queue-4.14/dmaengine-pl330-fix-irq-race-with-terminate_all.patch b/queue-4.14/dmaengine-pl330-fix-irq-race-with-terminate_all.patch new file mode 100644 index 00000000000..6e99f9ad956 --- /dev/null +++ b/queue-4.14/dmaengine-pl330-fix-irq-race-with-terminate_all.patch @@ -0,0 +1,55 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: John Keeping +Date: Tue, 17 Jul 2018 11:48:16 +0100 +Subject: dmaengine: pl330: fix irq race with terminate_all + +From: John Keeping + +[ Upstream commit e49756544a21f5625b379b3871d27d8500764670 ] + +In pl330_update() when checking if a channel has been aborted, the +channel's lock is not taken, only the overall pl330_dmac lock. But in +pl330_terminate_all() the aborted flag (req_running==-1) is set under +the channel lock and not the pl330_dmac lock. + +With threaded interrupts, this leads to a potential race: + + pl330_terminate_all pl330_update + ------------------- ------------ + lock channel + entry + lock pl330 + _stop channel + unlock pl330 + lock pl330 + check req_running != -1 + req_running = -1 + _start channel + +Signed-off-by: John Keeping +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/pl330.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/dma/pl330.c ++++ b/drivers/dma/pl330.c +@@ -2142,13 +2142,14 @@ static int pl330_terminate_all(struct dm + + pm_runtime_get_sync(pl330->ddma.dev); + spin_lock_irqsave(&pch->lock, flags); ++ + spin_lock(&pl330->lock); + _stop(pch->thread); +- spin_unlock(&pl330->lock); +- + pch->thread->req[0].desc = NULL; + pch->thread->req[1].desc = NULL; + pch->thread->req_running = -1; ++ spin_unlock(&pl330->lock); ++ + power_down = pch->active; + pch->active = false; + diff --git a/queue-4.14/drivers-base-stop-new-probing-during-shutdown.patch b/queue-4.14/drivers-base-stop-new-probing-during-shutdown.patch new file mode 100644 index 00000000000..2f166163498 --- /dev/null +++ b/queue-4.14/drivers-base-stop-new-probing-during-shutdown.patch @@ -0,0 +1,55 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Pingfan Liu +Date: Thu, 19 Jul 2018 13:14:58 +0800 +Subject: drivers/base: stop new probing during shutdown + +From: Pingfan Liu + +[ Upstream commit 3297c8fc65af5d40501ea7cddff1b195cae57e4e ] + +There is a race window in device_shutdown(), which may cause +-1. parent device shut down before child or +-2. no shutdown on a new probing device. + +For 1st, taking the following scenario: + device_shutdown new plugin device + list_del_init(parent_dev); + spin_unlock(list_lock); + device_add(child) + probe child + shutdown parent_dev + --> now child is on the tail of devices_kset + +For 2nd, taking the following scenario: + device_shutdown new plugin device + device_add(dev) + device_lock(dev); + ... + device_unlock(dev); + probe dev + --> now, the new occurred dev has no opportunity to shutdown + +To fix this race issue, just prevent the new probing request. With this +logic, device_shutdown() is more similar to dpm_prepare(). + +Signed-off-by: Pingfan Liu +Reviewed-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/base/core.c ++++ b/drivers/base/core.c +@@ -2783,6 +2783,9 @@ void device_shutdown(void) + { + struct device *dev, *parent; + ++ wait_for_device_probe(); ++ device_block_probing(); ++ + spin_lock(&devices_kset->list_lock); + /* + * Walk the devices list backward, shutting down each in turn. diff --git a/queue-4.14/efi-arm-preserve-early-mapping-of-uefi-memory-map-longer-for-bgrt.patch b/queue-4.14/efi-arm-preserve-early-mapping-of-uefi-memory-map-longer-for-bgrt.patch new file mode 100644 index 00000000000..722dba2df9a --- /dev/null +++ b/queue-4.14/efi-arm-preserve-early-mapping-of-uefi-memory-map-longer-for-bgrt.patch @@ -0,0 +1,58 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Ard Biesheuvel +Date: Mon, 23 Jul 2018 10:57:30 +0900 +Subject: efi/arm: preserve early mapping of UEFI memory map longer for BGRT + +From: Ard Biesheuvel + +[ Upstream commit 3ea86495aef2f6de26b7cb1599ba350dd6a0c521 ] + +The BGRT code validates the contents of the table against the UEFI +memory map, and so it expects it to be mapped when the code runs. + +On ARM, this is currently not the case, since we tear down the early +mapping after efi_init() completes, and only create the permanent +mapping in arm_enable_runtime_services(), which executes as an early +initcall, but still leaves a window where the UEFI memory map is not +mapped. + +So move the call to efi_memmap_unmap() from efi_init() to +arm_enable_runtime_services(). + +Signed-off-by: Ard Biesheuvel +[will: fold in EFI_MEMMAP attribute check from Ard] +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/efi/arm-init.c | 1 - + drivers/firmware/efi/arm-runtime.c | 4 +++- + 2 files changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/firmware/efi/arm-init.c ++++ b/drivers/firmware/efi/arm-init.c +@@ -259,7 +259,6 @@ void __init efi_init(void) + + reserve_regions(); + efi_esrt_init(); +- efi_memmap_unmap(); + + memblock_reserve(params.mmap & PAGE_MASK, + PAGE_ALIGN(params.mmap_size + +--- a/drivers/firmware/efi/arm-runtime.c ++++ b/drivers/firmware/efi/arm-runtime.c +@@ -122,11 +122,13 @@ static int __init arm_enable_runtime_ser + { + u64 mapsize; + +- if (!efi_enabled(EFI_BOOT)) { ++ if (!efi_enabled(EFI_BOOT) || !efi_enabled(EFI_MEMMAP)) { + pr_info("EFI services will not be available.\n"); + return 0; + } + ++ efi_memmap_unmap(); ++ + if (efi_runtime_disabled()) { + pr_info("EFI runtime services will be disabled.\n"); + return 0; diff --git a/queue-4.14/fbdev-distinguish-between-interlaced-and-progressive-modes.patch b/queue-4.14/fbdev-distinguish-between-interlaced-and-progressive-modes.patch new file mode 100644 index 00000000000..96b50b0ab09 --- /dev/null +++ b/queue-4.14/fbdev-distinguish-between-interlaced-and-progressive-modes.patch @@ -0,0 +1,123 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Fredrik Noring +Date: Tue, 24 Jul 2018 19:11:24 +0200 +Subject: fbdev: Distinguish between interlaced and progressive modes + +From: Fredrik Noring + +[ Upstream commit 1ba0a59cea41ea05fda92daaf2a2958a2246b9cf ] + +I discovered the problem when developing a frame buffer driver for the +PlayStation 2 (not yet merged), using the following video modes for the +PlayStation 3 in drivers/video/fbdev/ps3fb.c: + + }, { + /* 1080if */ + "1080if", 50, 1920, 1080, 13468, 148, 484, 36, 4, 88, 5, + FB_SYNC_BROADCAST, FB_VMODE_INTERLACED + }, { + /* 1080pf */ + "1080pf", 50, 1920, 1080, 6734, 148, 484, 36, 4, 88, 5, + FB_SYNC_BROADCAST, FB_VMODE_NONINTERLACED + }, + +In ps3fb_probe, the mode_option module parameter is used with fb_find_mode +but it can only select the interlaced variant of 1920x1080 since the loop +matching the modes does not take the difference between interlaced and +progressive modes into account. + +In short, without the patch, progressive 1920x1080 cannot be chosen as a +mode_option parameter since fb_find_mode (falsely) thinks interlace is a +perfect match. + +Signed-off-by: Fredrik Noring +Cc: "Maciej W. Rozycki" +[b.zolnierkie: updated patch description] +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/core/modedb.c | 41 +++++++++++++++++++++++++++----------- + 1 file changed, 30 insertions(+), 11 deletions(-) + +--- a/drivers/video/fbdev/core/modedb.c ++++ b/drivers/video/fbdev/core/modedb.c +@@ -644,7 +644,7 @@ static int fb_try_mode(struct fb_var_scr + * + * Valid mode specifiers for @mode_option: + * +- * x[M][R][-][@][i][m] or ++ * x[M][R][-][@][i][p][m] or + * [-][@] + * + * with , , and decimal numbers and +@@ -653,10 +653,10 @@ static int fb_try_mode(struct fb_var_scr + * If 'M' is present after yres (and before refresh/bpp if present), + * the function will compute the timings using VESA(tm) Coordinated + * Video Timings (CVT). If 'R' is present after 'M', will compute with +- * reduced blanking (for flatpanels). If 'i' is present, compute +- * interlaced mode. If 'm' is present, add margins equal to 1.8% +- * of xres rounded down to 8 pixels, and 1.8% of yres. The char +- * 'i' and 'm' must be after 'M' and 'R'. Example: ++ * reduced blanking (for flatpanels). If 'i' or 'p' are present, compute ++ * interlaced or progressive mode. If 'm' is present, add margins equal ++ * to 1.8% of xres rounded down to 8 pixels, and 1.8% of yres. The chars ++ * 'i', 'p' and 'm' must be after 'M' and 'R'. Example: + * + * 1024x768MR-8@60m - Reduced blank with margins at 60Hz. + * +@@ -697,7 +697,8 @@ int fb_find_mode(struct fb_var_screeninf + unsigned int namelen = strlen(name); + int res_specified = 0, bpp_specified = 0, refresh_specified = 0; + unsigned int xres = 0, yres = 0, bpp = default_bpp, refresh = 0; +- int yres_specified = 0, cvt = 0, rb = 0, interlace = 0; ++ int yres_specified = 0, cvt = 0, rb = 0; ++ int interlace_specified = 0, interlace = 0; + int margins = 0; + u32 best, diff, tdiff; + +@@ -748,9 +749,17 @@ int fb_find_mode(struct fb_var_screeninf + if (!cvt) + margins = 1; + break; ++ case 'p': ++ if (!cvt) { ++ interlace = 0; ++ interlace_specified = 1; ++ } ++ break; + case 'i': +- if (!cvt) ++ if (!cvt) { + interlace = 1; ++ interlace_specified = 1; ++ } + break; + default: + goto done; +@@ -819,11 +828,21 @@ done: + if ((name_matches(db[i], name, namelen) || + (res_specified && res_matches(db[i], xres, yres))) && + !fb_try_mode(var, info, &db[i], bpp)) { +- if (refresh_specified && db[i].refresh == refresh) +- return 1; ++ const int db_interlace = (db[i].vmode & ++ FB_VMODE_INTERLACED ? 1 : 0); ++ int score = abs(db[i].refresh - refresh); ++ ++ if (interlace_specified) ++ score += abs(db_interlace - interlace); ++ ++ if (!interlace_specified || ++ db_interlace == interlace) ++ if (refresh_specified && ++ db[i].refresh == refresh) ++ return 1; + +- if (abs(db[i].refresh - refresh) < diff) { +- diff = abs(db[i].refresh - refresh); ++ if (score < diff) { ++ diff = score; + best = i; + } + } diff --git a/queue-4.14/fbdev-omapfb-off-by-one-in-omapfb_register_client.patch b/queue-4.14/fbdev-omapfb-off-by-one-in-omapfb_register_client.patch new file mode 100644 index 00000000000..e90174416f5 --- /dev/null +++ b/queue-4.14/fbdev-omapfb-off-by-one-in-omapfb_register_client.patch @@ -0,0 +1,33 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Dan Carpenter +Date: Tue, 24 Jul 2018 19:11:28 +0200 +Subject: fbdev: omapfb: off by one in omapfb_register_client() + +From: Dan Carpenter + +[ Upstream commit 5ec1ec35b2979b59d0b33381e7c9aac17e159d16 ] + +The omapfb_register_client[] array has OMAPFB_PLANE_NUM elements so the +> should be >= or we are one element beyond the end of the array. + +Fixes: 8b08cf2b64f5 ("OMAP: add TI OMAP framebuffer driver") +Signed-off-by: Dan Carpenter +Cc: Imre Deak +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/omap/omapfb_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/video/fbdev/omap/omapfb_main.c ++++ b/drivers/video/fbdev/omap/omapfb_main.c +@@ -958,7 +958,7 @@ int omapfb_register_client(struct omapfb + { + int r; + +- if ((unsigned)omapfb_nb->plane_idx > OMAPFB_PLANE_NUM) ++ if ((unsigned)omapfb_nb->plane_idx >= OMAPFB_PLANE_NUM) + return -EINVAL; + + if (!notifier_inited) { diff --git a/queue-4.14/fbdev-via-fix-defined-but-not-used-warning.patch b/queue-4.14/fbdev-via-fix-defined-but-not-used-warning.patch new file mode 100644 index 00000000000..43e81d07025 --- /dev/null +++ b/queue-4.14/fbdev-via-fix-defined-but-not-used-warning.patch @@ -0,0 +1,42 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Randy Dunlap +Date: Tue, 24 Jul 2018 19:11:27 +0200 +Subject: fbdev/via: fix defined but not used warning + +From: Randy Dunlap + +[ Upstream commit b6566b47a67e07fdca44cf51abb14e2fbe17d3eb ] + +Fix a build warning in viafbdev.c when CONFIG_PROC_FS is not enabled +by marking the unused function as __maybe_unused. + +../drivers/video/fbdev/via/viafbdev.c:1471:12: warning: 'viafb_sup_odev_proc_show' defined but not used [-Wunused-function] + +Signed-off-by: Randy Dunlap +Cc: Florian Tobias Schandinat +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/via/viafbdev.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/video/fbdev/via/viafbdev.c ++++ b/drivers/video/fbdev/via/viafbdev.c +@@ -19,6 +19,7 @@ + * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + */ + ++#include + #include + #include + #include +@@ -1468,7 +1469,7 @@ static const struct file_operations viaf + + #endif /* CONFIG_FB_VIA_DIRECT_PROCFS */ + +-static int viafb_sup_odev_proc_show(struct seq_file *m, void *v) ++static int __maybe_unused viafb_sup_odev_proc_show(struct seq_file *m, void *v) + { + via_odev_to_seq(m, supported_odev_map[ + viaparinfo->shared->chip_info.gfx_chip_name]); diff --git a/queue-4.14/gfs2-don-t-reject-a-supposedly-full-bitmap-if-we-have-blocks-reserved.patch b/queue-4.14/gfs2-don-t-reject-a-supposedly-full-bitmap-if-we-have-blocks-reserved.patch new file mode 100644 index 00000000000..fa7e41002ae --- /dev/null +++ b/queue-4.14/gfs2-don-t-reject-a-supposedly-full-bitmap-if-we-have-blocks-reserved.patch @@ -0,0 +1,42 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Bob Peterson +Date: Mon, 18 Jun 2018 13:24:13 -0500 +Subject: gfs2: Don't reject a supposedly full bitmap if we have blocks reserved + +From: Bob Peterson + +[ Upstream commit e79e0e1428188b24c3b57309ffa54a33c4ae40c4 ] + +Before this patch, you could get into situations like this: + +1. Process 1 searches for X free blocks, finds them, makes a reservation +2. Process 2 searches for free blocks in the same rgrp, but now the + bitmap is full because process 1's reservation is skipped over. + So it marks the bitmap as GBF_FULL. +3. Process 1 tries to allocate blocks from its own reservation, but + since the GBF_FULL bit is set, it skips over the rgrp and searches + elsewhere, thus not using its own reservation. + +This patch adds an additional check to allow processes to use their +own reservations. + +Signed-off-by: Bob Peterson +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/gfs2/rgrp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/gfs2/rgrp.c ++++ b/fs/gfs2/rgrp.c +@@ -1665,7 +1665,8 @@ static int gfs2_rbm_find(struct gfs2_rbm + + while(1) { + bi = rbm_bi(rbm); +- if (test_bit(GBF_FULL, &bi->bi_flags) && ++ if ((ip == NULL || !gfs2_rs_active(&ip->i_res)) && ++ test_bit(GBF_FULL, &bi->bi_flags) && + (state == GFS2_BLKST_FREE)) + goto next_bitmap; + diff --git a/queue-4.14/gfs2-special-case-rindex-for-gfs2_grow.patch b/queue-4.14/gfs2-special-case-rindex-for-gfs2_grow.patch new file mode 100644 index 00000000000..ceb71c9c871 --- /dev/null +++ b/queue-4.14/gfs2-special-case-rindex-for-gfs2_grow.patch @@ -0,0 +1,48 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Andreas Gruenbacher +Date: Wed, 25 Jul 2018 18:45:08 +0100 +Subject: gfs2: Special-case rindex for gfs2_grow + +From: Andreas Gruenbacher + +[ Upstream commit 776125785a87ff05d49938bd5b9f336f2a05bff6 ] + +To speed up the common case of appending to a file, +gfs2_write_alloc_required presumes that writing beyond the end of a file +will always require additional blocks to be allocated. This assumption +is incorrect for preallocates files, but there are no negative +consequences as long as *some* space is still left on the filesystem. + +One special file that always has some space preallocated beyond the end +of the file is the rindex: when growing a filesystem, gfs2_grow adds one +or more new resource groups and appends records describing those +resource groups to the rindex; the preallocated space ensures that this +is always possible. + +However, when a filesystem is completely full, gfs2_write_alloc_required +will indicate that an additional allocation is required, and appending +the next record to the rindex will fail even though space for that +record has already been preallocated. To fix that, skip the incorrect +optimization in gfs2_write_alloc_required, but for the rindex only. +Other writes to preallocated space beyond the end of the file are still +allowed to fail on completely full filesystems. + +Signed-off-by: Andreas Gruenbacher +Reviewed-by: Bob Peterson +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/gfs2/bmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/gfs2/bmap.c ++++ b/fs/gfs2/bmap.c +@@ -1680,7 +1680,7 @@ int gfs2_write_alloc_required(struct gfs + end_of_file = (i_size_read(&ip->i_inode) + sdp->sd_sb.sb_bsize - 1) >> shift; + lblock = offset >> shift; + lblock_stop = (offset + len + sdp->sd_sb.sb_bsize - 1) >> shift; +- if (lblock_stop > end_of_file) ++ if (lblock_stop > end_of_file && ip != GFS2_I(sdp->sd_rindex)) + return 1; + + size = (lblock_stop - lblock) << shift; diff --git a/queue-4.14/i2c-aspeed-fix-initial-values-of-master-and-slave-state.patch b/queue-4.14/i2c-aspeed-fix-initial-values-of-master-and-slave-state.patch new file mode 100644 index 00000000000..543bc0e2f9e --- /dev/null +++ b/queue-4.14/i2c-aspeed-fix-initial-values-of-master-and-slave-state.patch @@ -0,0 +1,52 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Jae Hyun Yoo +Date: Mon, 2 Jul 2018 14:20:28 -0700 +Subject: i2c: aspeed: Fix initial values of master and slave state + +From: Jae Hyun Yoo + +[ Upstream commit 517fde0eb5a8f46c54ba6e2c36e32563b23cb14f ] + +This patch changes the order of enum aspeed_i2c_master_state and +enum aspeed_i2c_slave_state defines to make their initial value to +ASPEED_I2C_MASTER_INACTIVE and ASPEED_I2C_SLAVE_STOP respectively. +In case of multi-master use, if a slave data comes ahead of the +first master xfer, master_state starts from an invalid state so +this change fixes the issue. + +Signed-off-by: Jae Hyun Yoo +Reviewed-by: Brendan Higgins +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-aspeed.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/i2c/busses/i2c-aspeed.c ++++ b/drivers/i2c/busses/i2c-aspeed.c +@@ -110,22 +110,22 @@ + #define ASPEED_I2CD_DEV_ADDR_MASK GENMASK(6, 0) + + enum aspeed_i2c_master_state { ++ ASPEED_I2C_MASTER_INACTIVE, + ASPEED_I2C_MASTER_START, + ASPEED_I2C_MASTER_TX_FIRST, + ASPEED_I2C_MASTER_TX, + ASPEED_I2C_MASTER_RX_FIRST, + ASPEED_I2C_MASTER_RX, + ASPEED_I2C_MASTER_STOP, +- ASPEED_I2C_MASTER_INACTIVE, + }; + + enum aspeed_i2c_slave_state { ++ ASPEED_I2C_SLAVE_STOP, + ASPEED_I2C_SLAVE_START, + ASPEED_I2C_SLAVE_READ_REQUESTED, + ASPEED_I2C_SLAVE_READ_PROCESSED, + ASPEED_I2C_SLAVE_WRITE_REQUESTED, + ASPEED_I2C_SLAVE_WRITE_RECEIVED, +- ASPEED_I2C_SLAVE_STOP, + }; + + struct aspeed_i2c_bus { diff --git a/queue-4.14/ib-ipoib-fix-error-return-code-in-ipoib_dev_init.patch b/queue-4.14/ib-ipoib-fix-error-return-code-in-ipoib_dev_init.patch new file mode 100644 index 00000000000..9451870a4be --- /dev/null +++ b/queue-4.14/ib-ipoib-fix-error-return-code-in-ipoib_dev_init.patch @@ -0,0 +1,34 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Wei Yongjun +Date: Wed, 11 Jul 2018 13:15:42 +0000 +Subject: IB/ipoib: Fix error return code in ipoib_dev_init() + +From: Wei Yongjun + +[ Upstream commit 99a7e2bf704d64c966dfacede1ba2d9b47cb676e ] + +Fix to return a negative error code from the ipoib_neigh_hash_init() +error handling case instead of 0, as done elsewhere in this function. + +Fixes: 515ed4f3aab4 ("IB/IPoIB: Separate control and data related initializations") +Signed-off-by: Wei Yongjun +Reviewed-by: Yuval Shaia +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/ulp/ipoib/ipoib_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c +@@ -1752,7 +1752,8 @@ int ipoib_dev_init(struct net_device *de + goto out_free_pd; + } + +- if (ipoib_neigh_hash_init(priv) < 0) { ++ ret = ipoib_neigh_hash_init(priv); ++ if (ret) { + pr_warn("%s failed to init neigh hash\n", dev->name); + goto out_dev_uninit; + } diff --git a/queue-4.14/ib-rxe-drop-qp0-silently.patch b/queue-4.14/ib-rxe-drop-qp0-silently.patch new file mode 100644 index 00000000000..b34c21815db --- /dev/null +++ b/queue-4.14/ib-rxe-drop-qp0-silently.patch @@ -0,0 +1,53 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Zhu Yanjun +Date: Fri, 13 Jul 2018 03:10:20 -0400 +Subject: IB/rxe: Drop QP0 silently + +From: Zhu Yanjun + +[ Upstream commit 536ca245c512aedfd84cde072d7b3ca14b6e1792 ] + +According to "Annex A16: RDMA over Converged Ethernet (RoCE)": + +A16.4.3 MANAGEMENT INTERFACES + +As defined in the base specification, a special Queue Pair, QP0 is defined +solely for communication between subnet manager(s) and subnet management +agents. Since such an IB-defined subnet management architecture is outside +the scope of this annex, it follows that there is also no requirement that +a port which conforms to this annex be associated with a QP0. Thus, for +end nodes designed to conform to this annex, the concept of QP0 is +undefined and unused for any port connected to an Ethernet network. + +CA16-8: A packet arriving at a RoCE port containing a BTH with the +destination QP field set to QP0 shall be silently dropped. + +Signed-off-by: Zhu Yanjun +Acked-by: Moni Shoua +Reviewed-by: Yuval Shaia +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/sw/rxe/rxe_recv.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/infiniband/sw/rxe/rxe_recv.c ++++ b/drivers/infiniband/sw/rxe/rxe_recv.c +@@ -225,9 +225,14 @@ static int hdr_check(struct rxe_pkt_info + goto err1; + } + ++ if (unlikely(qpn == 0)) { ++ pr_warn_once("QP 0 not supported"); ++ goto err1; ++ } ++ + if (qpn != IB_MULTICAST_QPN) { +- index = (qpn == 0) ? port->qp_smi_index : +- ((qpn == 1) ? port->qp_gsi_index : qpn); ++ index = (qpn == 1) ? port->qp_gsi_index : qpn; ++ + qp = rxe_pool_get_index(&rxe->qp_pool, index); + if (unlikely(!qp)) { + pr_warn_ratelimited("no qp matches qpn 0x%x\n", qpn); diff --git a/queue-4.14/iommu-arm-smmu-v3-sync-the-ovackflg-to-priq-consumer-register.patch b/queue-4.14/iommu-arm-smmu-v3-sync-the-ovackflg-to-priq-consumer-register.patch new file mode 100644 index 00000000000..cd07b46e859 --- /dev/null +++ b/queue-4.14/iommu-arm-smmu-v3-sync-the-ovackflg-to-priq-consumer-register.patch @@ -0,0 +1,33 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Miao Zhong +Date: Mon, 23 Jul 2018 20:56:58 +0800 +Subject: iommu/arm-smmu-v3: sync the OVACKFLG to PRIQ consumer register + +From: Miao Zhong + +[ Upstream commit 0d535967ac658966c6ade8f82b5799092f7d5441 ] + +When PRI queue occurs overflow, driver should update the OVACKFLG to +the PRIQ consumer register, otherwise subsequent PRI requests will not +be processed. + +Cc: Will Deacon +Cc: Robin Murphy +Signed-off-by: Miao Zhong +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/arm-smmu-v3.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/iommu/arm-smmu-v3.c ++++ b/drivers/iommu/arm-smmu-v3.c +@@ -1272,6 +1272,7 @@ static irqreturn_t arm_smmu_priq_thread( + + /* Sync our overflow flag, as we believe we're up to speed */ + q->cons = Q_OVF(q, q->prod) | Q_WRP(q, q->cons) | Q_IDX(q, q->cons); ++ writel(q->cons, q->cons_reg); + return IRQ_HANDLED; + } + diff --git a/queue-4.14/iommu-io-pgtable-arm-v7s-abort-allocation-when-table-address-overflows-the-pte.patch b/queue-4.14/iommu-io-pgtable-arm-v7s-abort-allocation-when-table-address-overflows-the-pte.patch new file mode 100644 index 00000000000..934400048f7 --- /dev/null +++ b/queue-4.14/iommu-io-pgtable-arm-v7s-abort-allocation-when-table-address-overflows-the-pte.patch @@ -0,0 +1,57 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Jean-Philippe Brucker +Date: Tue, 19 Jun 2018 13:52:24 +0100 +Subject: iommu/io-pgtable-arm-v7s: Abort allocation when table address overflows the PTE + +From: Jean-Philippe Brucker + +[ Upstream commit 29859aeb8a6ea17ba207933a81b6b77b4d4df81a ] + +When run on a 64-bit system in selftest, the v7s driver may obtain page +table with physical addresses larger than 32-bit. Level-2 tables are 1KB +and are are allocated with slab, which doesn't accept the GFP_DMA32 +flag. Currently map() truncates the address written in the PTE, causing +iova_to_phys() or unmap() to access invalid memory. Kasan reports it as +a use-after-free. To avoid any nasty surprise, test if the physical +address fits in a PTE before returning a new table. 32-bit systems, +which are the main users of this page table format, shouldn't see any +difference. + +Signed-off-by: Jean-Philippe Brucker +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/io-pgtable-arm-v7s.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/iommu/io-pgtable-arm-v7s.c ++++ b/drivers/iommu/io-pgtable-arm-v7s.c +@@ -192,6 +192,7 @@ static void *__arm_v7s_alloc_table(int l + { + struct io_pgtable_cfg *cfg = &data->iop.cfg; + struct device *dev = cfg->iommu_dev; ++ phys_addr_t phys; + dma_addr_t dma; + size_t size = ARM_V7S_TABLE_SIZE(lvl); + void *table = NULL; +@@ -200,6 +201,10 @@ static void *__arm_v7s_alloc_table(int l + table = (void *)__get_dma_pages(__GFP_ZERO, get_order(size)); + else if (lvl == 2) + table = kmem_cache_zalloc(data->l2_tables, gfp | GFP_DMA); ++ phys = virt_to_phys(table); ++ if (phys != (arm_v7s_iopte)phys) ++ /* Doesn't fit in PTE */ ++ goto out_free; + if (table && !(cfg->quirks & IO_PGTABLE_QUIRK_NO_DMA)) { + dma = dma_map_single(dev, table, size, DMA_TO_DEVICE); + if (dma_mapping_error(dev, dma)) +@@ -209,7 +214,7 @@ static void *__arm_v7s_alloc_table(int l + * address directly, so if the DMA layer suggests otherwise by + * translating or truncating them, that bodes very badly... + */ +- if (dma != virt_to_phys(table)) ++ if (dma != phys) + goto out_unmap; + } + kmemleak_ignore(table); diff --git a/queue-4.14/kbuild-add-.delete_on_error-special-target.patch b/queue-4.14/kbuild-add-.delete_on_error-special-target.patch new file mode 100644 index 00000000000..d798f117d35 --- /dev/null +++ b/queue-4.14/kbuild-add-.delete_on_error-special-target.patch @@ -0,0 +1,64 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Masahiro Yamada +Date: Fri, 20 Jul 2018 16:46:33 +0900 +Subject: kbuild: add .DELETE_ON_ERROR special target + +From: Masahiro Yamada + +[ Upstream commit 9c2af1c7377a8a6ef86e5cabf80978f3dbbb25c0 ] + +If Make gets a fatal signal while a shell is executing, it may delete +the target file that the recipe was supposed to update. This is needed +to make sure that it is remade from scratch when Make is next run; if +Make is interrupted after the recipe has begun to write the target file, +it results in an incomplete file whose time stamp is newer than that +of the prerequisites files. Make automatically deletes the incomplete +file on interrupt unless the target is marked .PRECIOUS. + +The situation is just the same as when the shell fails for some reasons. +Usually when a recipe line fails, if it has changed the target file at +all, the file is corrupted, or at least it is not completely updated. +Yet the file’s time stamp says that it is now up to date, so the next +time Make runs, it will not try to update that file. + +However, Make does not cater to delete the incomplete target file in +this case. We need to add .DELETE_ON_ERROR somewhere in the Makefile +to request it. + +scripts/Kbuild.include seems a suitable place to add it because it is +included from almost all sub-makes. + +Please note .DELETE_ON_ERROR is not effective for phony targets. + +The external module building should never ever touch the kernel tree. +The following recipe fails if include/generated/autoconf.h is missing. +However, include/config/auto.conf is not deleted since it is a phony +target. + + PHONY += include/config/auto.conf + + include/config/auto.conf: + $(Q)test -e include/generated/autoconf.h -a -e $@ || ( \ + echo >&2; \ + echo >&2 " ERROR: Kernel configuration is invalid."; \ + echo >&2 " include/generated/autoconf.h or $@ are missing.";\ + echo >&2 " Run 'make oldconfig && make prepare' on kernel src to fix it."; \ + echo >&2 ; \ + /bin/false) + +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + scripts/Kbuild.include | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/scripts/Kbuild.include ++++ b/scripts/Kbuild.include +@@ -403,3 +403,6 @@ endif + endef + # + ############################################################################### ++ ++# delete partially updated (i.e. corrupted) files on error ++.DELETE_ON_ERROR: diff --git a/queue-4.14/kvm-arm-arm64-fix-vgic-init-race.patch b/queue-4.14/kvm-arm-arm64-fix-vgic-init-race.patch new file mode 100644 index 00000000000..af7a953cb5a --- /dev/null +++ b/queue-4.14/kvm-arm-arm64-fix-vgic-init-race.patch @@ -0,0 +1,39 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Christoffer Dall +Date: Tue, 3 Jul 2018 22:54:14 +0200 +Subject: KVM: arm/arm64: Fix vgic init race + +From: Christoffer Dall + +[ Upstream commit 1d47191de7e15900f8fbfe7cccd7c6e1c2d7c31a ] + +The vgic_init function can race with kvm_arch_vcpu_create() which does +not hold kvm_lock() and we therefore have no synchronization primitives +to ensure we're doing the right thing. + +As the user is trying to initialize or run the VM while at the same time +creating more VCPUs, we just have to refuse to initialize the VGIC in +this case rather than silently failing with a broken VCPU. + +Reviewed-by: Eric Auger +Signed-off-by: Christoffer Dall +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + virt/kvm/arm/vgic/vgic-init.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/virt/kvm/arm/vgic/vgic-init.c ++++ b/virt/kvm/arm/vgic/vgic-init.c +@@ -277,6 +277,10 @@ int vgic_init(struct kvm *kvm) + if (vgic_initialized(kvm)) + return 0; + ++ /* Are we also in the middle of creating a VCPU? */ ++ if (kvm->created_vcpus != atomic_read(&kvm->online_vcpus)) ++ return -EBUSY; ++ + /* freeze the number of spis */ + if (!dist->nr_spis) + dist->nr_spis = VGIC_NR_IRQS_LEGACY - VGIC_NR_PRIVATE_IRQS; diff --git a/queue-4.14/kvm-arm-arm64-vgic-fix-possible-spectre-v1-write-in-vgic_mmio_write_apr.patch b/queue-4.14/kvm-arm-arm64-vgic-fix-possible-spectre-v1-write-in-vgic_mmio_write_apr.patch new file mode 100644 index 00000000000..1fcc56a91ae --- /dev/null +++ b/queue-4.14/kvm-arm-arm64-vgic-fix-possible-spectre-v1-write-in-vgic_mmio_write_apr.patch @@ -0,0 +1,43 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Mark Rutland +Date: Tue, 10 Jul 2018 19:01:23 +0100 +Subject: KVM: arm/arm64: vgic: Fix possible spectre-v1 write in vgic_mmio_write_apr() + +From: Mark Rutland + +[ Upstream commit 6b8b9a48545e08345b8ff77c9fd51b1aebdbefb3 ] + +It's possible for userspace to control n. Sanitize n when using it as an +array index, to inhibit the potential spectre-v1 write gadget. + +Note that while it appears that n must be bound to the interval [0,3] +due to the way it is extracted from addr, we cannot guarantee that +compiler transformations (and/or future refactoring) will ensure this is +the case, and given this is a slow path it's better to always perform +the masking. + +Found by smatch. + +Signed-off-by: Mark Rutland +Cc: Christoffer Dall +Cc: Marc Zyngier +Cc: kvmarm@lists.cs.columbia.edu +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + virt/kvm/arm/vgic/vgic-mmio-v2.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/virt/kvm/arm/vgic/vgic-mmio-v2.c ++++ b/virt/kvm/arm/vgic/vgic-mmio-v2.c +@@ -348,6 +348,9 @@ static void vgic_mmio_write_apr(struct k + + if (n > vgic_v3_max_apr_idx(vcpu)) + return; ++ ++ n = array_index_nospec(n, 4); ++ + /* GICv3 only uses ICH_AP1Rn for memory mapped (GICv2) guests */ + vgicv3->vgic_ap1r[n] = val; + } diff --git a/queue-4.14/mac80211-restrict-delayed-tailroom-needed-decrement.patch b/queue-4.14/mac80211-restrict-delayed-tailroom-needed-decrement.patch new file mode 100644 index 00000000000..d84943e5151 --- /dev/null +++ b/queue-4.14/mac80211-restrict-delayed-tailroom-needed-decrement.patch @@ -0,0 +1,138 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Manikanta Pubbisetty +Date: Tue, 10 Jul 2018 16:48:27 +0530 +Subject: mac80211: restrict delayed tailroom needed decrement + +From: Manikanta Pubbisetty + +[ Upstream commit 133bf90dbb8b873286f8ec2e81ba26e863114b8c ] + +As explained in ieee80211_delayed_tailroom_dec(), during roam, +keys of the old AP will be destroyed and new keys will be +installed. Deletion of the old key causes +crypto_tx_tailroom_needed_cnt to go from 1 to 0 and the new key +installation causes a transition from 0 to 1. + +Whenever crypto_tx_tailroom_needed_cnt transitions from 0 to 1, +we invoke synchronize_net(); the reason for doing this is to avoid +a race in the TX path as explained in increment_tailroom_need_count(). +This synchronize_net() operation can be slow and can affect the station +roam time. To avoid this, decrementing the crypto_tx_tailroom_needed_cnt +is delayed for a while so that upon installation of new key the +transition would be from 1 to 2 instead of 0 to 1 and thereby +improving the roam time. + +This is all correct for a STA iftype, but deferring the tailroom_needed +decrement for other iftypes may be unnecessary. + +For example, let's consider the case of a 4-addr client connecting to +an AP for which AP_VLAN interface is also created, let the initial +value for tailroom_needed on the AP be 1. + +* 4-addr client connects to the AP (AP: tailroom_needed = 1) +* AP will clear old keys, delay decrement of tailroom_needed count +* AP_VLAN is created, it takes the tailroom count from master + (AP_VLAN: tailroom_needed = 1, AP: tailroom_needed = 1) +* Install new key for the station, assume key is plumbed in the HW, + there won't be any change in tailroom_needed count on AP iface +* Delayed decrement of tailroom_needed count on AP + (AP: tailroom_needed = 0, AP_VLAN: tailroom_needed = 1) + +Because of the delayed decrement on AP iface, tailroom_needed count goes +out of sync between AP(master iface) and AP_VLAN(slave iface) and +there would be unnecessary tailroom created for the packets going +through AP_VLAN iface. + +Also, WARN_ONs were observed while trying to bring down the AP_VLAN +interface: +(warn_slowpath_common) (warn_slowpath_null+0x18/0x20) +(warn_slowpath_null) (ieee80211_free_keys+0x114/0x1e4) +(ieee80211_free_keys) (ieee80211_del_virtual_monitor+0x51c/0x850) +(ieee80211_del_virtual_monitor) (ieee80211_stop+0x30/0x3c) +(ieee80211_stop) (__dev_close_many+0x94/0xb8) +(__dev_close_many) (dev_close_many+0x5c/0xc8) + +Restricting delayed decrement to station interface alone fixes the problem +and it makes sense to do so because delayed decrement is done to improve +roam time which is applicable only for client devices. + +Signed-off-by: Manikanta Pubbisetty +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/cfg.c | 2 +- + net/mac80211/key.c | 24 +++++++++++++++--------- + 2 files changed, 16 insertions(+), 10 deletions(-) + +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -494,7 +494,7 @@ static int ieee80211_del_key(struct wiph + goto out_unlock; + } + +- ieee80211_key_free(key, true); ++ ieee80211_key_free(key, sdata->vif.type == NL80211_IFTYPE_STATION); + + ret = 0; + out_unlock: +--- a/net/mac80211/key.c ++++ b/net/mac80211/key.c +@@ -649,11 +649,15 @@ int ieee80211_key_link(struct ieee80211_ + { + struct ieee80211_local *local = sdata->local; + struct ieee80211_key *old_key; +- int idx, ret; +- bool pairwise; +- +- pairwise = key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE; +- idx = key->conf.keyidx; ++ int idx = key->conf.keyidx; ++ bool pairwise = key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE; ++ /* ++ * We want to delay tailroom updates only for station - in that ++ * case it helps roaming speed, but in other cases it hurts and ++ * can cause warnings to appear. ++ */ ++ bool delay_tailroom = sdata->vif.type == NL80211_IFTYPE_STATION; ++ int ret; + + mutex_lock(&sdata->local->key_mtx); + +@@ -681,14 +685,14 @@ int ieee80211_key_link(struct ieee80211_ + increment_tailroom_need_count(sdata); + + ieee80211_key_replace(sdata, sta, pairwise, old_key, key); +- ieee80211_key_destroy(old_key, true); ++ ieee80211_key_destroy(old_key, delay_tailroom); + + ieee80211_debugfs_key_add(key); + + if (!local->wowlan) { + ret = ieee80211_key_enable_hw_accel(key); + if (ret) +- ieee80211_key_free(key, true); ++ ieee80211_key_free(key, delay_tailroom); + } else { + ret = 0; + } +@@ -923,7 +927,8 @@ void ieee80211_free_sta_keys(struct ieee + ieee80211_key_replace(key->sdata, key->sta, + key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE, + key, NULL); +- __ieee80211_key_destroy(key, true); ++ __ieee80211_key_destroy(key, key->sdata->vif.type == ++ NL80211_IFTYPE_STATION); + } + + for (i = 0; i < NUM_DEFAULT_KEYS; i++) { +@@ -933,7 +938,8 @@ void ieee80211_free_sta_keys(struct ieee + ieee80211_key_replace(key->sdata, key->sta, + key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE, + key, NULL); +- __ieee80211_key_destroy(key, true); ++ __ieee80211_key_destroy(key, key->sdata->vif.type == ++ NL80211_IFTYPE_STATION); + } + + mutex_unlock(&local->key_mtx); diff --git a/queue-4.14/media-ov5645-supported-external-clock-is-24mhz.patch b/queue-4.14/media-ov5645-supported-external-clock-is-24mhz.patch new file mode 100644 index 00000000000..bf4b1c80c82 --- /dev/null +++ b/queue-4.14/media-ov5645-supported-external-clock-is-24mhz.patch @@ -0,0 +1,76 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Todor Tomov +Date: Mon, 18 Jun 2018 04:06:58 -0400 +Subject: media: ov5645: Supported external clock is 24MHz + +From: Todor Tomov + +[ Upstream commit 4adb0a0432f489c5eb802b33dae7737f69e6fd7a ] + +The external clock frequency was set to 23.88MHz by mistake +because of a platform which cannot get closer to 24MHz. +The supported by the driver external clock is 24MHz so +set it correctly and also fix the values of the pixel +clock and link clock. +However allow 1% tolerance to the external clock as this +difference is small enough to be insignificant. + +Signed-off-by: Todor Tomov +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/ov5645.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/drivers/media/i2c/ov5645.c ++++ b/drivers/media/i2c/ov5645.c +@@ -510,8 +510,8 @@ static const struct reg_value ov5645_set + }; + + static const s64 link_freq[] = { +- 222880000, +- 334320000 ++ 224000000, ++ 336000000 + }; + + static const struct ov5645_mode_info ov5645_mode_info_data[] = { +@@ -520,7 +520,7 @@ static const struct ov5645_mode_info ov5 + .height = 960, + .data = ov5645_setting_sxga, + .data_size = ARRAY_SIZE(ov5645_setting_sxga), +- .pixel_clock = 111440000, ++ .pixel_clock = 112000000, + .link_freq = 0 /* an index in link_freq[] */ + }, + { +@@ -528,7 +528,7 @@ static const struct ov5645_mode_info ov5 + .height = 1080, + .data = ov5645_setting_1080p, + .data_size = ARRAY_SIZE(ov5645_setting_1080p), +- .pixel_clock = 167160000, ++ .pixel_clock = 168000000, + .link_freq = 1 /* an index in link_freq[] */ + }, + { +@@ -536,7 +536,7 @@ static const struct ov5645_mode_info ov5 + .height = 1944, + .data = ov5645_setting_full, + .data_size = ARRAY_SIZE(ov5645_setting_full), +- .pixel_clock = 167160000, ++ .pixel_clock = 168000000, + .link_freq = 1 /* an index in link_freq[] */ + }, + }; +@@ -1157,7 +1157,8 @@ static int ov5645_probe(struct i2c_clien + return ret; + } + +- if (xclk_freq != 23880000) { ++ /* external clock must be 24MHz, allow 1% tolerance */ ++ if (xclk_freq < 23760000 || xclk_freq > 24240000) { + dev_err(dev, "external clock frequency %u is not supported\n", + xclk_freq); + return -EINVAL; diff --git a/queue-4.14/media-tw686x-fix-oops-on-buffer-alloc-failure.patch b/queue-4.14/media-tw686x-fix-oops-on-buffer-alloc-failure.patch new file mode 100644 index 00000000000..5ef2859c079 --- /dev/null +++ b/queue-4.14/media-tw686x-fix-oops-on-buffer-alloc-failure.patch @@ -0,0 +1,53 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Krzysztof Ha?asa +Date: Thu, 28 Jun 2018 17:45:07 -0400 +Subject: media: tw686x: Fix oops on buffer alloc failure + +From: Krzysztof Ha?asa + +[ Upstream commit 5a1a2f63d840dc2631505b607e11ff65ac1b7d3c ] + +The error path currently calls tw686x_video_free() which requires +vc->dev to be initialized, causing a NULL dereference on uninitizalized +channels. + +Fix this by setting the vc->dev fields for all the channels first. + +Fixes: f8afaa8dbc0d ("[media] tw686x: Introduce an interface to support multiple DMA modes") + +Signed-off-by: Krzysztof Ha?asa +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/pci/tw686x/tw686x-video.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/media/pci/tw686x/tw686x-video.c ++++ b/drivers/media/pci/tw686x/tw686x-video.c +@@ -1190,6 +1190,14 @@ int tw686x_video_init(struct tw686x_dev + return err; + } + ++ /* Initialize vc->dev and vc->ch for the error path */ ++ for (ch = 0; ch < max_channels(dev); ch++) { ++ struct tw686x_video_channel *vc = &dev->video_channels[ch]; ++ ++ vc->dev = dev; ++ vc->ch = ch; ++ } ++ + for (ch = 0; ch < max_channels(dev); ch++) { + struct tw686x_video_channel *vc = &dev->video_channels[ch]; + struct video_device *vdev; +@@ -1198,9 +1206,6 @@ int tw686x_video_init(struct tw686x_dev + spin_lock_init(&vc->qlock); + INIT_LIST_HEAD(&vc->vidq_queued); + +- vc->dev = dev; +- vc->ch = ch; +- + /* default settings */ + err = tw686x_set_standard(vc, V4L2_STD_NTSC); + if (err) diff --git a/queue-4.14/media-videobuf2-core-check-for-q-error-in-vb2_core_qbuf.patch b/queue-4.14/media-videobuf2-core-check-for-q-error-in-vb2_core_qbuf.patch new file mode 100644 index 00000000000..821f877a302 --- /dev/null +++ b/queue-4.14/media-videobuf2-core-check-for-q-error-in-vb2_core_qbuf.patch @@ -0,0 +1,39 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Hans Verkuil +Date: Thu, 5 Jul 2018 04:25:19 -0400 +Subject: media: videobuf2-core: check for q->error in vb2_core_qbuf() + +From: Hans Verkuil + +[ Upstream commit b509d733d337417bcb7fa4a35be3b9a49332b724 ] + +The vb2_core_qbuf() function didn't check if q->error was set. It is +checked in __buf_prepare(), but that function isn't called if the buffer +was already prepared before with VIDIOC_PREPARE_BUF. + +So check it at the start of vb2_core_qbuf() as well. + +Signed-off-by: Hans Verkuil +Acked-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/v4l2-core/videobuf2-core.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/media/v4l2-core/videobuf2-core.c ++++ b/drivers/media/v4l2-core/videobuf2-core.c +@@ -1373,6 +1373,11 @@ int vb2_core_qbuf(struct vb2_queue *q, u + struct vb2_buffer *vb; + int ret; + ++ if (q->error) { ++ dprintk(1, "fatal error occurred on queue\n"); ++ return -EIO; ++ } ++ + vb = q->bufs[index]; + + switch (vb->state) { diff --git a/queue-4.14/mips-ath79-fix-system-restart.patch b/queue-4.14/mips-ath79-fix-system-restart.patch new file mode 100644 index 00000000000..dbeae153be8 --- /dev/null +++ b/queue-4.14/mips-ath79-fix-system-restart.patch @@ -0,0 +1,46 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Felix Fietkau +Date: Fri, 20 Jul 2018 13:58:22 +0200 +Subject: MIPS: ath79: fix system restart + +From: Felix Fietkau + +[ Upstream commit f8a7bfe1cb2c1ebfa07775c9c8ac0ad3ba8e5ff5 ] + +This patch disables irq on reboot to fix hang issues that were observed +due to pending interrupts. + +Signed-off-by: Felix Fietkau +Signed-off-by: John Crispin +Signed-off-by: Paul Burton +Patchwork: https://patchwork.linux-mips.org/patch/19913/ +Cc: James Hogan +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/ath79/setup.c | 1 + + arch/mips/include/asm/mach-ath79/ath79.h | 1 + + 2 files changed, 2 insertions(+) + +--- a/arch/mips/ath79/setup.c ++++ b/arch/mips/ath79/setup.c +@@ -40,6 +40,7 @@ static char ath79_sys_type[ATH79_SYS_TYP + + static void ath79_restart(char *command) + { ++ local_irq_disable(); + ath79_device_reset_set(AR71XX_RESET_FULL_CHIP); + for (;;) + if (cpu_wait) +--- a/arch/mips/include/asm/mach-ath79/ath79.h ++++ b/arch/mips/include/asm/mach-ath79/ath79.h +@@ -134,6 +134,7 @@ static inline u32 ath79_pll_rr(unsigned + static inline void ath79_reset_wr(unsigned reg, u32 val) + { + __raw_writel(val, ath79_reset_base + reg); ++ (void) __raw_readl(ath79_reset_base + reg); /* flush */ + } + + static inline u32 ath79_reset_rr(unsigned reg) diff --git a/queue-4.14/mips-jz4740-bump-zload-address.patch b/queue-4.14/mips-jz4740-bump-zload-address.patch new file mode 100644 index 00000000000..6e2e7c83be4 --- /dev/null +++ b/queue-4.14/mips-jz4740-bump-zload-address.patch @@ -0,0 +1,44 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Paul Cercueil +Date: Sun, 8 Jul 2018 17:07:12 +0200 +Subject: MIPS: jz4740: Bump zload address + +From: Paul Cercueil + +[ Upstream commit c6ea7e9747318e5a6774995f4f8e3e0f7c0fa8ba ] + +Having the zload address at 0x8060.0000 means the size of the +uncompressed kernel cannot be bigger than around 6 MiB, as it is +deflated at address 0x8001.0000. + +This limit is too small; a kernel with some built-in drivers and things +like debugfs enabled will already be over 6 MiB in size, and so will +fail to extract properly. + +To fix this, we bump the zload address from 0x8060.0000 to 0x8100.0000. + +This is fine, as all the boards featuring Ingenic JZ SoCs have at least +32 MiB of RAM, and use u-boot or compatible bootloaders which won't +hardcode the load address but read it from the uImage's header. + +Signed-off-by: Paul Cercueil +Signed-off-by: Paul Burton +Patchwork: https://patchwork.linux-mips.org/patch/19787/ +Cc: Ralf Baechle +Cc: James Hogan +Cc: linux-mips@linux-mips.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/jz4740/Platform | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/jz4740/Platform ++++ b/arch/mips/jz4740/Platform +@@ -1,4 +1,4 @@ + platform-$(CONFIG_MACH_INGENIC) += jz4740/ + cflags-$(CONFIG_MACH_INGENIC) += -I$(srctree)/arch/mips/include/asm/mach-jz4740 + load-$(CONFIG_MACH_INGENIC) += 0xffffffff80010000 +-zload-$(CONFIG_MACH_INGENIC) += 0xffffffff80600000 ++zload-$(CONFIG_MACH_INGENIC) += 0xffffffff81000000 diff --git a/queue-4.14/mtd-maps-fix-solutionengine.c-printk-format-warnings.patch b/queue-4.14/mtd-maps-fix-solutionengine.c-printk-format-warnings.patch new file mode 100644 index 00000000000..9b56f217891 --- /dev/null +++ b/queue-4.14/mtd-maps-fix-solutionengine.c-printk-format-warnings.patch @@ -0,0 +1,60 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Randy Dunlap +Date: Tue, 24 Jul 2018 11:29:01 -0700 +Subject: mtd/maps: fix solutionengine.c printk format warnings + +From: Randy Dunlap + +[ Upstream commit 1d25e3eeed1d987404e2d2e451eebac8c15cecc1 ] + +Fix 2 printk format warnings (this driver is currently only used by +arch/sh/) by using "%pap" instead of "%lx". + +Fixes these build warnings: + +../drivers/mtd/maps/solutionengine.c: In function 'init_soleng_maps': +../include/linux/kern_levels.h:5:18: warning: format '%lx' expects argument of type 'long unsigned int', but argument 2 has type 'resource_size_t' {aka 'unsigned int'} [-Wformat=] +../drivers/mtd/maps/solutionengine.c:62:54: note: format string is defined here + printk(KERN_NOTICE "Solution Engine: Flash at 0x%08lx, EPROM at 0x%08lx\n", + ~~~~^ + %08x +../include/linux/kern_levels.h:5:18: warning: format '%lx' expects argument of type 'long unsigned int', but argument 3 has type 'resource_size_t' {aka 'unsigned int'} [-Wformat=] +../drivers/mtd/maps/solutionengine.c:62:72: note: format string is defined here + printk(KERN_NOTICE "Solution Engine: Flash at 0x%08lx, EPROM at 0x%08lx\n", + ~~~~^ + %08x + +Cc: David Woodhouse +Cc: Brian Norris +Cc: Boris Brezillon +Cc: Marek Vasut +Cc: Richard Weinberger +Cc: linux-mtd@lists.infradead.org +Cc: Yoshinori Sato +Cc: Rich Felker +Cc: linux-sh@vger.kernel.org +Cc: Sergei Shtylyov + +Signed-off-by: Randy Dunlap +Signed-off-by: Boris Brezillon +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/maps/solutionengine.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/mtd/maps/solutionengine.c ++++ b/drivers/mtd/maps/solutionengine.c +@@ -59,9 +59,9 @@ static int __init init_soleng_maps(void) + return -ENXIO; + } + } +- printk(KERN_NOTICE "Solution Engine: Flash at 0x%08lx, EPROM at 0x%08lx\n", +- soleng_flash_map.phys & 0x1fffffff, +- soleng_eprom_map.phys & 0x1fffffff); ++ printk(KERN_NOTICE "Solution Engine: Flash at 0x%pap, EPROM at 0x%pap\n", ++ &soleng_flash_map.phys, ++ &soleng_eprom_map.phys); + flash_mtd->owner = THIS_MODULE; + + eprom_mtd = do_map_probe("map_rom", &soleng_eprom_map); diff --git a/queue-4.14/nfp-avoid-buffer-leak-when-fw-communication-fails.patch b/queue-4.14/nfp-avoid-buffer-leak-when-fw-communication-fails.patch new file mode 100644 index 00000000000..a306d8d2d01 --- /dev/null +++ b/queue-4.14/nfp-avoid-buffer-leak-when-fw-communication-fails.patch @@ -0,0 +1,79 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Jakub Kicinski +Date: Fri, 20 Jul 2018 21:14:39 -0700 +Subject: nfp: avoid buffer leak when FW communication fails + +From: Jakub Kicinski + +[ Upstream commit 07300f774fec9519663a597987a4083225588be4 ] + +After device is stopped we reset the rings by moving all free buffers +to positions [0, cnt - 2], and clear the position cnt - 1 in the ring. +We then proceed to clear the read/write pointers. This means that if +we try to reset the ring again the code will assume that the next to +fill buffer is at position 0 and swap it with cnt - 1. Since we +previously cleared position cnt - 1 it will lead to leaking the first +buffer and leaving ring in a bad state. + +This scenario can only happen if FW communication fails, in which case +the ring will never be used again, so the fact it's in a bad state will +not be noticed. Buffer leak is the only problem. Don't try to move +buffers in the ring if the read/write pointers indicate the ring was +never used or have already been reset. + +nfp_net_clear_config_and_disable() is now fully idempotent. + +Found by code inspection, FW communication failures are very rare, +and reconfiguring a live device is not common either, so it's unlikely +anyone has ever noticed the leak. + +Signed-off-by: Jakub Kicinski +Reviewed-by: Dirk van der Merwe +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/netronome/nfp/nfp_net_common.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/netronome/nfp/nfp_net_common.c ++++ b/drivers/net/ethernet/netronome/nfp/nfp_net_common.c +@@ -1087,7 +1087,7 @@ static bool nfp_net_xdp_complete(struct + * @dp: NFP Net data path struct + * @tx_ring: TX ring structure + * +- * Assumes that the device is stopped ++ * Assumes that the device is stopped, must be idempotent. + */ + static void + nfp_net_tx_ring_reset(struct nfp_net_dp *dp, struct nfp_net_tx_ring *tx_ring) +@@ -1289,13 +1289,18 @@ static void nfp_net_rx_give_one(const st + * nfp_net_rx_ring_reset() - Reflect in SW state of freelist after disable + * @rx_ring: RX ring structure + * +- * Warning: Do *not* call if ring buffers were never put on the FW freelist +- * (i.e. device was not enabled)! ++ * Assumes that the device is stopped, must be idempotent. + */ + static void nfp_net_rx_ring_reset(struct nfp_net_rx_ring *rx_ring) + { + unsigned int wr_idx, last_idx; + ++ /* wr_p == rd_p means ring was never fed FL bufs. RX rings are always ++ * kept at cnt - 1 FL bufs. ++ */ ++ if (rx_ring->wr_p == 0 && rx_ring->rd_p == 0) ++ return; ++ + /* Move the empty entry to the end of the list */ + wr_idx = D_IDX(rx_ring, rx_ring->wr_p); + last_idx = rx_ring->cnt - 1; +@@ -2505,6 +2510,8 @@ static void nfp_net_vec_clear_ring_data( + /** + * nfp_net_clear_config_and_disable() - Clear control BAR and disable NFP + * @nn: NFP Net device to reconfigure ++ * ++ * Warning: must be fully idempotent. + */ + static void nfp_net_clear_config_and_disable(struct nfp_net *nn) + { diff --git a/queue-4.14/nvme-rdma-unquiesce-queues-when-deleting-the-controller.patch b/queue-4.14/nvme-rdma-unquiesce-queues-when-deleting-the-controller.patch new file mode 100644 index 00000000000..97e2f2d5e97 --- /dev/null +++ b/queue-4.14/nvme-rdma-unquiesce-queues-when-deleting-the-controller.patch @@ -0,0 +1,33 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Sagi Grimberg +Date: Mon, 9 Jul 2018 12:49:05 +0300 +Subject: nvme-rdma: unquiesce queues when deleting the controller + +From: Sagi Grimberg + +[ Upstream commit 90140624e8face94207003ac9a9d2a329b309d68 ] + +If the controller is going away, we need to unquiesce the IO queues so +that all pending request can fail gracefully before moving forward with +controller deletion. Do that before we destroy the IO queues so +blk_cleanup_queue won't block in freeze. + +Signed-off-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/rdma.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/nvme/host/rdma.c ++++ b/drivers/nvme/host/rdma.c +@@ -1728,6 +1728,8 @@ static void nvme_rdma_shutdown_ctrl(stru + nvme_stop_queues(&ctrl->ctrl); + blk_mq_tagset_busy_iter(&ctrl->tag_set, + nvme_cancel_request, &ctrl->ctrl); ++ if (shutdown) ++ nvme_start_queues(&ctrl->ctrl); + nvme_rdma_destroy_io_queues(ctrl, shutdown); + } + diff --git a/queue-4.14/perf-powerpc-fix-callchain-ip-filtering-when-return-address-is-in-a-register.patch b/queue-4.14/perf-powerpc-fix-callchain-ip-filtering-when-return-address-is-in-a-register.patch new file mode 100644 index 00000000000..a27368bc2c1 --- /dev/null +++ b/queue-4.14/perf-powerpc-fix-callchain-ip-filtering-when-return-address-is-in-a-register.patch @@ -0,0 +1,113 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Sandipan Das +Date: Tue, 10 Jul 2018 19:28:14 +0530 +Subject: perf powerpc: Fix callchain ip filtering when return address is in a register + +From: Sandipan Das + +[ Upstream commit 9068533e4f470daf2b0f29c71d865990acd8826e ] + +For powerpc64, perf will filter out the second entry in the callchain, +i.e. the LR value, if the return address of the function corresponding +to the probed location has already been saved on its caller's stack. + +The state of the return address is determined using debug information. +At any point within a function, if the return address is already saved +somewhere, a DWARF expression can tell us about its location. If the +return address in still in LR only, no DWARF expression would exist. + +Typically, the instructions in a function's prologue first copy the LR +value to R0 and then pushes R0 on to the stack. If LR has already been +copied to R0 but R0 is yet to be pushed to the stack, we can still get a +DWARF expression that says that the return address is in R0. This is +indicating that getting a DWARF expression for the return address does +not guarantee the fact that it has already been saved on the stack. + +This can be observed on a powerpc64le system running Fedora 27 as shown +below. + + # objdump -d /usr/lib64/libc-2.26.so | less + ... + 000000000015af20 : + 15af20: 0b 00 4c 3c addis r2,r12,11 + 15af24: e0 c1 42 38 addi r2,r2,-15904 + 15af28: a6 02 08 7c mflr r0 + 15af2c: f0 ff c1 fb std r30,-16(r1) + 15af30: f8 ff e1 fb std r31,-8(r1) + 15af34: 78 1b 7f 7c mr r31,r3 + 15af38: 78 23 83 7c mr r3,r4 + 15af3c: 78 2b be 7c mr r30,r5 + 15af40: 10 00 01 f8 std r0,16(r1) + 15af44: c1 ff 21 f8 stdu r1,-64(r1) + 15af48: 28 00 81 f8 std r4,40(r1) + ... + + # readelf --debug-dump=frames-interp /usr/lib64/libc-2.26.so | less + ... + 00027024 0000000000000024 00027028 FDE cie=00000000 pc=000000000015af20..000000000015af88 + LOC CFA r30 r31 ra + 000000000015af20 r1+0 u u u + 000000000015af34 r1+0 c-16 c-8 r0 + 000000000015af48 r1+64 c-16 c-8 c+16 + 000000000015af5c r1+0 c-16 c-8 c+16 + 000000000015af78 r1+0 u u + ... + + # perf probe -x /usr/lib64/libc-2.26.so -a inet_pton+0x18 + # perf record -e probe_libc:inet_pton -g ping -6 -c 1 ::1 + # perf script + +Before: + + ping 2829 [005] 512917.460174: probe_libc:inet_pton: (7fff7e2baf38) + 7fff7e2baf38 __GI___inet_pton+0x18 (/usr/lib64/libc-2.26.so) + 7fff7e2705b4 getaddrinfo+0x164 (/usr/lib64/libc-2.26.so) + 12f152d70 _init+0xbfc (/usr/bin/ping) + 7fff7e1836a0 generic_start_main.isra.0+0x140 (/usr/lib64/libc-2.26.so) + 7fff7e183898 __libc_start_main+0xb8 (/usr/lib64/libc-2.26.so) + 0 [unknown] ([unknown]) + +After: + + ping 2829 [005] 512917.460174: probe_libc:inet_pton: (7fff7e2baf38) + 7fff7e2baf38 __GI___inet_pton+0x18 (/usr/lib64/libc-2.26.so) + 7fff7e26fa54 gaih_inet.constprop.7+0xf44 (/usr/lib64/libc-2.26.so) + 7fff7e2705b4 getaddrinfo+0x164 (/usr/lib64/libc-2.26.so) + 12f152d70 _init+0xbfc (/usr/bin/ping) + 7fff7e1836a0 generic_start_main.isra.0+0x140 (/usr/lib64/libc-2.26.so) + 7fff7e183898 __libc_start_main+0xb8 (/usr/lib64/libc-2.26.so) + 0 [unknown] ([unknown]) + +Reported-by: Ravi Bangoria +Signed-off-by: Sandipan Das +Cc: Jiri Olsa +Cc: Maynard Johnson +Cc: Naveen N. Rao +Cc: Ravi Bangoria +Cc: Sukadev Bhattiprolu +Link: http://lkml.kernel.org/r/66e848a7bdf2d43b39210a705ff6d828a0865661.1530724939.git.sandipan@linux.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/arch/powerpc/util/skip-callchain-idx.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/tools/perf/arch/powerpc/util/skip-callchain-idx.c ++++ b/tools/perf/arch/powerpc/util/skip-callchain-idx.c +@@ -58,9 +58,13 @@ static int check_return_reg(int ra_regno + } + + /* +- * Check if return address is on the stack. ++ * Check if return address is on the stack. If return address ++ * is in a register (typically R0), it is yet to be saved on ++ * the stack. + */ +- if (nops != 0 || ops != NULL) ++ if ((nops != 0 || ops != NULL) && ++ !(nops == 1 && ops[0].atom == DW_OP_regx && ++ ops[0].number2 == 0 && ops[0].offset == 0)) + return 0; + + /* diff --git a/queue-4.14/perf-powerpc-fix-callchain-ip-filtering.patch b/queue-4.14/perf-powerpc-fix-callchain-ip-filtering.patch new file mode 100644 index 00000000000..417e2ce664e --- /dev/null +++ b/queue-4.14/perf-powerpc-fix-callchain-ip-filtering.patch @@ -0,0 +1,180 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Sandipan Das +Date: Tue, 10 Jul 2018 19:28:13 +0530 +Subject: perf powerpc: Fix callchain ip filtering + +From: Sandipan Das + +[ Upstream commit c715fcfda5a08edabaa15508742be926b7ee51db ] + +For powerpc64, redundant entries in the callchain are filtered out by +determining the state of the return address and the stack frame using +DWARF debug information. + +For making these filtering decisions we must analyze the debug +information for the location corresponding to the program counter value, +i.e. the first entry in the callchain, and not the LR value; otherwise, +perf may filter out either the second or the third entry in the +callchain incorrectly. + +This can be observed on a powerpc64le system running Fedora 27 as shown +below. + +Case 1 - Attaching a probe at inet_pton+0x8 (binary offset 0x15af28). + Return address is still in LR and a new stack frame is not yet + allocated. The LR value, i.e. the second entry, should not be + filtered out. + + # objdump -d /usr/lib64/libc-2.26.so | less + ... + 000000000010eb10 : + ... + 10fa48: 78 bb e4 7e mr r4,r23 + 10fa4c: 0a 00 60 38 li r3,10 + 10fa50: d9 b4 04 48 bl 15af28 + 10fa54: 00 00 00 60 nop + 10fa58: ac f4 ff 4b b 10ef04 + ... + 0000000000110450 : + ... + 1105a8: 54 00 ff 38 addi r7,r31,84 + 1105ac: 58 00 df 38 addi r6,r31,88 + 1105b0: 69 e5 ff 4b bl 10eb18 + 1105b4: 78 1b 71 7c mr r17,r3 + 1105b8: 50 01 7f e8 ld r3,336(r31) + ... + 000000000015af20 : + 15af20: 0b 00 4c 3c addis r2,r12,11 + 15af24: e0 c1 42 38 addi r2,r2,-15904 + 15af28: a6 02 08 7c mflr r0 + 15af2c: f0 ff c1 fb std r30,-16(r1) + 15af30: f8 ff e1 fb std r31,-8(r1) + ... + + # perf probe -x /usr/lib64/libc-2.26.so -a inet_pton+0x8 + # perf record -e probe_libc:inet_pton -g ping -6 -c 1 ::1 + # perf script + +Before: + + ping 4507 [002] 514985.546540: probe_libc:inet_pton: (7fffa7dbaf28) + 7fffa7dbaf28 __GI___inet_pton+0x8 (/usr/lib64/libc-2.26.so) + 7fffa7d705b4 getaddrinfo+0x164 (/usr/lib64/libc-2.26.so) + 13fb52d70 _init+0xbfc (/usr/bin/ping) + 7fffa7c836a0 generic_start_main.isra.0+0x140 (/usr/lib64/libc-2.26.so) + 7fffa7c83898 __libc_start_main+0xb8 (/usr/lib64/libc-2.26.so) + 0 [unknown] ([unknown]) + +After: + + ping 4507 [002] 514985.546540: probe_libc:inet_pton: (7fffa7dbaf28) + 7fffa7dbaf28 __GI___inet_pton+0x8 (/usr/lib64/libc-2.26.so) + 7fffa7d6fa54 gaih_inet.constprop.7+0xf44 (/usr/lib64/libc-2.26.so) + 7fffa7d705b4 getaddrinfo+0x164 (/usr/lib64/libc-2.26.so) + 13fb52d70 _init+0xbfc (/usr/bin/ping) + 7fffa7c836a0 generic_start_main.isra.0+0x140 (/usr/lib64/libc-2.26.so) + 7fffa7c83898 __libc_start_main+0xb8 (/usr/lib64/libc-2.26.so) + 0 [unknown] ([unknown]) + +Case 2 - Attaching a probe at _int_malloc+0x180 (binary offset 0x9cf10). + Return address in still in LR and a new stack frame has already + been allocated but not used. The caller's caller, i.e. the third + entry, is invalid and should be filtered out and not the second + one. + + # objdump -d /usr/lib64/libc-2.26.so | less + ... + 000000000009cd90 <_int_malloc>: + 9cd90: 17 00 4c 3c addis r2,r12,23 + 9cd94: 70 a3 42 38 addi r2,r2,-23696 + 9cd98: 26 00 80 7d mfcr r12 + 9cd9c: f8 ff e1 fb std r31,-8(r1) + 9cda0: 17 00 e4 3b addi r31,r4,23 + 9cda4: d8 ff 61 fb std r27,-40(r1) + 9cda8: 78 23 9b 7c mr r27,r4 + 9cdac: 1f 00 bf 2b cmpldi cr7,r31,31 + 9cdb0: f0 ff c1 fb std r30,-16(r1) + 9cdb4: b0 ff c1 fa std r22,-80(r1) + 9cdb8: 78 1b 7e 7c mr r30,r3 + 9cdbc: 08 00 81 91 stw r12,8(r1) + 9cdc0: 11 ff 21 f8 stdu r1,-240(r1) + 9cdc4: 4c 01 9d 41 bgt cr7,9cf10 <_int_malloc+0x180> + 9cdc8: 20 00 a4 2b cmpldi cr7,r4,32 + ... + 9cf08: 00 00 00 60 nop + 9cf0c: 00 00 42 60 ori r2,r2,0 + 9cf10: e4 06 ff 7b rldicr r31,r31,0,59 + 9cf14: 40 f8 a4 7f cmpld cr7,r4,r31 + 9cf18: 68 05 9d 41 bgt cr7,9d480 <_int_malloc+0x6f0> + ... + 000000000009e3c0 : + ... + 9e420: 40 02 80 38 li r4,576 + 9e424: 78 fb e3 7f mr r3,r31 + 9e428: 71 e9 ff 4b bl 9cd98 <_int_malloc+0x8> + 9e42c: 00 00 a3 2f cmpdi cr7,r3,0 + 9e430: 78 1b 7e 7c mr r30,r3 + ... + 000000000009f7a0 <__libc_malloc>: + ... + 9f8f8: 00 00 89 2f cmpwi cr7,r9,0 + 9f8fc: 1c ff 9e 40 bne cr7,9f818 <__libc_malloc+0x78> + 9f900: c9 ea ff 4b bl 9e3c8 + 9f904: 00 00 00 60 nop + 9f908: e8 90 22 e9 ld r9,-28440(r2) + ... + + # perf probe -x /usr/lib64/libc-2.26.so -a _int_malloc+0x180 + # perf record -e probe_libc:_int_malloc -g ./test-malloc + # perf script + +Before: + + test-malloc 6554 [009] 515975.797403: probe_libc:_int_malloc: (7fffa6e6cf10) + 7fffa6e6cf10 _int_malloc+0x180 (/usr/lib64/libc-2.26.so) + 7fffa6dd0000 [unknown] (/usr/lib64/libc-2.26.so) + 7fffa6e6f904 malloc+0x164 (/usr/lib64/libc-2.26.so) + 7fffa6e6f9fc malloc+0x25c (/usr/lib64/libc-2.26.so) + 100006b4 main+0x38 (/home/testuser/test-malloc) + 7fffa6df36a0 generic_start_main.isra.0+0x140 (/usr/lib64/libc-2.26.so) + 7fffa6df3898 __libc_start_main+0xb8 (/usr/lib64/libc-2.26.so) + 0 [unknown] ([unknown]) + +After: + + test-malloc 6554 [009] 515975.797403: probe_libc:_int_malloc: (7fffa6e6cf10) + 7fffa6e6cf10 _int_malloc+0x180 (/usr/lib64/libc-2.26.so) + 7fffa6e6e42c tcache_init.part.4+0x6c (/usr/lib64/libc-2.26.so) + 7fffa6e6f904 malloc+0x164 (/usr/lib64/libc-2.26.so) + 7fffa6e6f9fc malloc+0x25c (/usr/lib64/libc-2.26.so) + 100006b4 main+0x38 (/home/sandipan/test-malloc) + 7fffa6df36a0 generic_start_main.isra.0+0x140 (/usr/lib64/libc-2.26.so) + 7fffa6df3898 __libc_start_main+0xb8 (/usr/lib64/libc-2.26.so) + 0 [unknown] ([unknown]) + +Signed-off-by: Sandipan Das +Cc: Jiri Olsa +Cc: Maynard Johnson +Cc: Naveen N. Rao +Cc: Ravi Bangoria +Cc: Sukadev Bhattiprolu +Fixes: a60335ba3298 ("perf tools powerpc: Adjust callchain based on DWARF debug info") +Link: http://lkml.kernel.org/r/24bb726d91ed173aebc972ec3f41a2ef2249434e.1530724939.git.sandipan@linux.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/arch/powerpc/util/skip-callchain-idx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/perf/arch/powerpc/util/skip-callchain-idx.c ++++ b/tools/perf/arch/powerpc/util/skip-callchain-idx.c +@@ -250,7 +250,7 @@ int arch_skip_callchain_idx(struct threa + if (!chain || chain->nr < 3) + return skip_slot; + +- ip = chain->ips[2]; ++ ip = chain->ips[1]; + + thread__find_addr_location(thread, PERF_RECORD_MISC_USER, + MAP__FUNCTION, ip, &al); diff --git a/queue-4.14/perf-test-fix-subtest-number-when-showing-results.patch b/queue-4.14/perf-test-fix-subtest-number-when-showing-results.patch new file mode 100644 index 00000000000..41b43c7b8bb --- /dev/null +++ b/queue-4.14/perf-test-fix-subtest-number-when-showing-results.patch @@ -0,0 +1,69 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Thomas Richter +Date: Tue, 24 Jul 2018 15:48:58 +0200 +Subject: perf test: Fix subtest number when showing results + +From: Thomas Richter + +[ Upstream commit 9ef0112442bdddef5fb55adf20b3a5464b33de75 ] + +Perf test 40 for example has several subtests numbered 1-4 when +displaying the start of the subtest. When the subtest results +are displayed the subtests are numbered 0-3. + +Use this command to generate trace output: + + [root@s35lp76 perf]# ./perf test -Fv 40 2>/tmp/bpf1 + +Fix this by adjusting the subtest number when show the +subtest result. + +Output before: + + [root@s35lp76 perf]# egrep '(^40\.[0-4]| subtest [0-4]:)' /tmp/bpf1 + 40.1: Basic BPF filtering : + BPF filter subtest 0: Ok + 40.2: BPF pinning : + BPF filter subtest 1: Ok + 40.3: BPF prologue generation : + BPF filter subtest 2: Ok + 40.4: BPF relocation checker : + BPF filter subtest 3: Ok + [root@s35lp76 perf]# + +Output after: + + root@s35lp76 ~]# egrep '(^40\.[0-4]| subtest [0-4]:)' /tmp/bpf1 + 40.1: Basic BPF filtering : + BPF filter subtest 1: Ok + 40.2: BPF pinning : + BPF filter subtest 2: Ok + 40.3: BPF prologue generation : + BPF filter subtest 3: Ok + 40.4: BPF relocation checker : + BPF filter subtest 4: Ok + [root@s35lp76 ~]# + +Signed-off-by: Thomas Richter +Reviewed-by: Hendrik Brueckner +Cc: Heiko Carstens +Cc: Martin Schwidefsky +Link: http://lkml.kernel.org/r/20180724134858.100644-1-tmricht@linux.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/tests/builtin-test.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/perf/tests/builtin-test.c ++++ b/tools/perf/tests/builtin-test.c +@@ -589,7 +589,7 @@ static int __cmd_test(int argc, const ch + for (subi = 0; subi < subn; subi++) { + pr_info("%2d.%1d: %-*s:", i, subi + 1, subw, + t->subtest.get_desc(subi)); +- err = test_and_print(t, skip, subi); ++ err = test_and_print(t, skip, subi + 1); + if (err != TEST_OK && t->subtest.skip_if_fail) + skip = true; + } diff --git a/queue-4.14/perf-tools-fix-struct-comm_str-removal-crash.patch b/queue-4.14/perf-tools-fix-struct-comm_str-removal-crash.patch new file mode 100644 index 00000000000..7bf4b9467c6 --- /dev/null +++ b/queue-4.14/perf-tools-fix-struct-comm_str-removal-crash.patch @@ -0,0 +1,125 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Jiri Olsa +Date: Fri, 20 Jul 2018 12:17:40 +0200 +Subject: perf tools: Fix struct comm_str removal crash + +From: Jiri Olsa + +[ Upstream commit 46b3722cc7765582354488da633aafffcb138458 ] + +We occasionaly hit following assert failure in 'perf top', when processing the +/proc info in multiple threads. + + perf: ...include/linux/refcount.h:109: refcount_inc: + Assertion `!(!refcount_inc_not_zero(r))' failed. + +The gdb backtrace looks like this: + + [Switching to Thread 0x7ffff11ba700 (LWP 13749)] + 0x00007ffff50839fb in raise () from /lib64/libc.so.6 + (gdb) + #0 0x00007ffff50839fb in raise () from /lib64/libc.so.6 + #1 0x00007ffff5085800 in abort () from /lib64/libc.so.6 + #2 0x00007ffff507c0da in __assert_fail_base () from /lib64/libc.so.6 + #3 0x00007ffff507c152 in __assert_fail () from /lib64/libc.so.6 + #4 0x0000000000535373 in refcount_inc (r=0x7fffdc009be0) + at ...include/linux/refcount.h:109 + #5 0x00000000005354f1 in comm_str__get (cs=0x7fffdc009bc0) + at util/comm.c:24 + #6 0x00000000005356bd in __comm_str__findnew (str=0x7fffd000b260 ":2", + root=0xbed5c0 ) at util/comm.c:72 + #7 0x000000000053579e in comm_str__findnew (str=0x7fffd000b260 ":2", + root=0xbed5c0 ) at util/comm.c:95 + #8 0x000000000053582e in comm__new (str=0x7fffd000b260 ":2", + timestamp=0, exec=false) at util/comm.c:111 + #9 0x00000000005363bc in thread__new (pid=2, tid=2) at util/thread.c:57 + #10 0x0000000000523da0 in ____machine__findnew_thread (machine=0xbfde38, + threads=0xbfdf28, pid=2, tid=2, create=true) at util/machine.c:457 + #11 0x0000000000523eb4 in __machine__findnew_thread (machine=0xbfde38, + ... + +The failing assertion is this one: + + REFCOUNT_WARN(!refcount_inc_not_zero(r), ... + +The problem is that we keep global comm_str_root list, which +is accessed by multiple threads during the 'perf top' startup +and following 2 paths can race: + + thread 1: + ... + thread__new + comm__new + comm_str__findnew + down_write(&comm_str_lock); + __comm_str__findnew + comm_str__get + + thread 2: + ... + comm__override or comm__free + comm_str__put + refcount_dec_and_test + down_write(&comm_str_lock); + rb_erase(&cs->rb_node, &comm_str_root); + +Because thread 2 first decrements the refcnt and only after then it removes the +struct comm_str from the list, the thread 1 can find this object on the list +with refcnt equls to 0 and hit the assert. + +This patch fixes the thread 1 __comm_str__findnew path, by ignoring objects +that already dropped the refcnt to 0. For the rest of the objects we take the +refcnt before comparing its name and release it afterwards with comm_str__put, +which can also release the object completely. + +Signed-off-by: Jiri Olsa +Acked-by: Namhyung Kim +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: David Ahern +Cc: Kan Liang +Cc: Lukasz Odzioba +Cc: Peter Zijlstra +Cc: Wang Nan +Cc: kernel-team@lge.com +Link: http://lkml.kernel.org/r/20180720101740.GA27176@krava +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/comm.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +--- a/tools/perf/util/comm.c ++++ b/tools/perf/util/comm.c +@@ -18,9 +18,10 @@ static struct rb_root comm_str_root; + + static struct comm_str *comm_str__get(struct comm_str *cs) + { +- if (cs) +- refcount_inc(&cs->refcnt); +- return cs; ++ if (cs && refcount_inc_not_zero(&cs->refcnt)) ++ return cs; ++ ++ return NULL; + } + + static void comm_str__put(struct comm_str *cs) +@@ -62,9 +63,14 @@ static struct comm_str *comm_str__findne + parent = *p; + iter = rb_entry(parent, struct comm_str, rb_node); + ++ /* ++ * If we race with comm_str__put, iter->refcnt is 0 ++ * and it will be removed within comm_str__put call ++ * shortly, ignore it in this search. ++ */ + cmp = strcmp(str, iter->str); +- if (!cmp) +- return comm_str__get(iter); ++ if (!cmp && comm_str__get(iter)) ++ return iter; + + if (cmp < 0) + p = &(*p)->rb_left; diff --git a/queue-4.14/perf-tools-synthesize-group_desc-feature-in-pipe-mode.patch b/queue-4.14/perf-tools-synthesize-group_desc-feature-in-pipe-mode.patch new file mode 100644 index 00000000000..bfa953f25bf --- /dev/null +++ b/queue-4.14/perf-tools-synthesize-group_desc-feature-in-pipe-mode.patch @@ -0,0 +1,65 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Jiri Olsa +Date: Thu, 12 Jul 2018 15:52:02 +0200 +Subject: perf tools: Synthesize GROUP_DESC feature in pipe mode + +From: Jiri Olsa + +[ Upstream commit e8fedff1cc729fd227924305152ccc6f580e8c83 ] + +Stephan reported, that pipe mode does not carry the group information +and thus the piped report won't display the grouped output for following +command: + + # perf record -e '{cycles,instructions,branches}' -a sleep 4 | perf report + +It has no idea about the group setup, so it will display events +separately: + + # Overhead Command Shared Object ... + # ........ ............... ....................... + # + 6.71% swapper [kernel.kallsyms] + 2.28% offlineimap libpython2.7.so.1.0 + 0.78% perf [kernel.kallsyms] + ... + +Fix GROUP_DESC feature record to be synthesized in pipe mode, so the +report output is grouped if there are groups defined in record: + + # Overhead Command Shared ... + # ........................ ............... ....... + # + 7.57% 0.16% 0.30% swapper [kernel + 1.87% 3.15% 2.46% offlineimap libpyth + 1.33% 0.00% 0.00% perf [kernel + ... + +Reported-by: Stephane Eranian +Signed-off-by: Jiri Olsa +Tested-by: Arnaldo Carvalho de Melo +Tested-by: Stephane Eranian +Cc: Alexander Shishkin +Cc: David Ahern +Cc: David Carrillo-Cisneros +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/20180712135202.14774-1-jolsa@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/header.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/perf/util/header.c ++++ b/tools/perf/util/header.c +@@ -2209,7 +2209,7 @@ static const struct feature_ops feat_ops + FEAT_OPR(NUMA_TOPOLOGY, numa_topology, true), + FEAT_OPN(BRANCH_STACK, branch_stack, false), + FEAT_OPR(PMU_MAPPINGS, pmu_mappings, false), +- FEAT_OPN(GROUP_DESC, group_desc, false), ++ FEAT_OPR(GROUP_DESC, group_desc, false), + FEAT_OPN(AUXTRACE, auxtrace, false), + FEAT_OPN(STAT, stat, false), + FEAT_OPN(CACHE, cache, true), diff --git a/queue-4.14/platform-x86-toshiba_acpi-fix-defined-but-not-used-build-warnings.patch b/queue-4.14/platform-x86-toshiba_acpi-fix-defined-but-not-used-build-warnings.patch new file mode 100644 index 00000000000..099914d174a --- /dev/null +++ b/queue-4.14/platform-x86-toshiba_acpi-fix-defined-but-not-used-build-warnings.patch @@ -0,0 +1,44 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Randy Dunlap +Date: Fri, 6 Jul 2018 20:53:09 -0700 +Subject: platform/x86: toshiba_acpi: Fix defined but not used build warnings + +From: Randy Dunlap + +[ Upstream commit c2e2a618eb7104e18fdcf739d4d911563812a81c ] + +Fix a build warning in toshiba_acpi.c when CONFIG_PROC_FS is not enabled +by marking the unused function as __maybe_unused. + +../drivers/platform/x86/toshiba_acpi.c:1685:12: warning: 'version_proc_show' defined but not used [-Wunused-function] + +Signed-off-by: Randy Dunlap +Cc: Azael Avalos +Cc: platform-driver-x86@vger.kernel.org +Cc: Andy Shevchenko +Signed-off-by: Darren Hart (VMware) +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/toshiba_acpi.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/platform/x86/toshiba_acpi.c ++++ b/drivers/platform/x86/toshiba_acpi.c +@@ -34,6 +34,7 @@ + #define TOSHIBA_ACPI_VERSION "0.24" + #define PROC_INTERFACE_VERSION 1 + ++#include + #include + #include + #include +@@ -1682,7 +1683,7 @@ static const struct file_operations keys + .write = keys_proc_write, + }; + +-static int version_proc_show(struct seq_file *m, void *v) ++static int __maybe_unused version_proc_show(struct seq_file *m, void *v) + { + seq_printf(m, "driver: %s\n", TOSHIBA_ACPI_VERSION); + seq_printf(m, "proc_interface: %d\n", PROC_INTERFACE_VERSION); diff --git a/queue-4.14/powerpc-powernv-opal_put_chars-partial-write-fix.patch b/queue-4.14/powerpc-powernv-opal_put_chars-partial-write-fix.patch new file mode 100644 index 00000000000..75076c29307 --- /dev/null +++ b/queue-4.14/powerpc-powernv-opal_put_chars-partial-write-fix.patch @@ -0,0 +1,38 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Nicholas Piggin +Date: Tue, 1 May 2018 00:55:44 +1000 +Subject: powerpc/powernv: opal_put_chars partial write fix + +From: Nicholas Piggin + +[ Upstream commit bd90284cc6c1c9e8e48c8eadd0c79574fcce0b81 ] + +The intention here is to consume and discard the remaining buffer +upon error. This works if there has not been a previous partial write. +If there has been, then total_len is no longer total number of bytes +to copy. total_len is always "bytes left to copy", so it should be +added to written bytes. + +This code may not be exercised any more if partial writes will not be +hit, but this is a small bugfix before a larger change. + +Reviewed-by: Benjamin Herrenschmidt +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/platforms/powernv/opal.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/platforms/powernv/opal.c ++++ b/arch/powerpc/platforms/powernv/opal.c +@@ -388,7 +388,7 @@ int opal_put_chars(uint32_t vtermno, con + /* Closed or other error drop */ + if (rc != OPAL_SUCCESS && rc != OPAL_BUSY && + rc != OPAL_BUSY_EVENT) { +- written = total_len; ++ written += total_len; + break; + } + if (rc == OPAL_SUCCESS) { diff --git a/queue-4.14/reset-imx7-fix-always-writing-bits-as-0.patch b/queue-4.14/reset-imx7-fix-always-writing-bits-as-0.patch new file mode 100644 index 00000000000..7606949c7a6 --- /dev/null +++ b/queue-4.14/reset-imx7-fix-always-writing-bits-as-0.patch @@ -0,0 +1,40 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Leonard Crestez +Date: Fri, 20 Jul 2018 15:47:43 +0300 +Subject: reset: imx7: Fix always writing bits as 0 + +From: Leonard Crestez + +[ Upstream commit 26fce0557fa639fb7bbc33e31a57cff7df25c3a0 ] + +Right now the only user of reset-imx7 is pci-imx6 and the +reset_control_assert and deassert calls on pciephy_reset don't toggle +the PCIEPHY_BTN and PCIEPHY_G_RST bits as expected. Fix this by writing +1 or 0 respectively. + +The reference manual is not very clear regarding SRC_PCIEPHY_RCR but for +other registers like MIPIPHY and HSICPHY the bits are explicitly +documented as "1 means assert, 0 means deassert". + +The values are still reversed for IMX7_RESET_PCIE_CTRL_APPS_EN. + +Signed-off-by: Leonard Crestez +Reviewed-by: Lucas Stach +Signed-off-by: Philipp Zabel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/reset/reset-imx7.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/reset/reset-imx7.c ++++ b/drivers/reset/reset-imx7.c +@@ -80,7 +80,7 @@ static int imx7_reset_set(struct reset_c + { + struct imx7_src *imx7src = to_imx7_src(rcdev); + const struct imx7_src_signal *signal = &imx7_src_signals[id]; +- unsigned int value = 0; ++ unsigned int value = assert ? signal->bit : 0; + + switch (id) { + case IMX7_RESET_PCIEPHY: diff --git a/queue-4.14/s390-qeth-fix-race-in-used-buffer-accounting.patch b/queue-4.14/s390-qeth-fix-race-in-used-buffer-accounting.patch new file mode 100644 index 00000000000..9a86966b70d --- /dev/null +++ b/queue-4.14/s390-qeth-fix-race-in-used-buffer-accounting.patch @@ -0,0 +1,40 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Julian Wiedmann +Date: Thu, 19 Jul 2018 12:43:48 +0200 +Subject: s390/qeth: fix race in used-buffer accounting + +From: Julian Wiedmann + +[ Upstream commit a702349a4099cd5a7bab0904689d8e0bf8dcd622 ] + +By updating q->used_buffers only _after_ do_QDIO() has completed, there +is a potential race against the buffer's TX completion. In the unlikely +case that the TX completion path wins, qeth_qdio_output_handler() would +decrement the counter before qeth_flush_buffers() even incremented it. + +Signed-off-by: Julian Wiedmann +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/net/qeth_core_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/s390/net/qeth_core_main.c ++++ b/drivers/s390/net/qeth_core_main.c +@@ -3507,13 +3507,14 @@ static void qeth_flush_buffers(struct qe + qdio_flags = QDIO_FLAG_SYNC_OUTPUT; + if (atomic_read(&queue->set_pci_flags_count)) + qdio_flags |= QDIO_FLAG_PCI_OUT; ++ atomic_add(count, &queue->used_buffers); ++ + rc = do_QDIO(CARD_DDEV(queue->card), qdio_flags, + queue->queue_no, index, count); + if (queue->card->options.performance_stats) + queue->card->perf_stats.outbound_do_qdio_time += + qeth_get_micros() - + queue->card->perf_stats.outbound_do_qdio_start_time; +- atomic_add(count, &queue->used_buffers); + if (rc) { + queue->card->stats.tx_errors += count; + /* ignore temporary SIGA errors without busy condition */ diff --git a/queue-4.14/s390-qeth-reset-layer2-attribute-on-layer-switch.patch b/queue-4.14/s390-qeth-reset-layer2-attribute-on-layer-switch.patch new file mode 100644 index 00000000000..b3e5782b273 --- /dev/null +++ b/queue-4.14/s390-qeth-reset-layer2-attribute-on-layer-switch.patch @@ -0,0 +1,37 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Julian Wiedmann +Date: Thu, 19 Jul 2018 12:43:49 +0200 +Subject: s390/qeth: reset layer2 attribute on layer switch + +From: Julian Wiedmann + +[ Upstream commit 70551dc46ffa3555a0b5f3545b0cd87ab67fd002 ] + +After the subdriver's remove() routine has completed, the card's layer +mode is undetermined again. Reflect this in the layer2 field. + +If qeth_dev_layer2_store() hits an error after remove() was called, the +card _always_ requires a setup(), even if the previous layer mode is +requested again. +But qeth_dev_layer2_store() bails out early if the requested layer mode +still matches the current one. So unless we reset the layer2 field, +re-probing the card back to its previous mode is currently not possible. + +Signed-off-by: Julian Wiedmann +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/net/qeth_core_sys.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/s390/net/qeth_core_sys.c ++++ b/drivers/s390/net/qeth_core_sys.c +@@ -423,6 +423,7 @@ static ssize_t qeth_dev_layer2_store(str + if (card->discipline) { + card->discipline->remove(card->gdev); + qeth_core_free_discipline(card); ++ card->options.layer2 = -1; + } + + rc = qeth_core_load_discipline(card, newdis); diff --git a/queue-4.14/series b/queue-4.14/series index 635615e32dc..f9510d3da0c 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -10,3 +10,66 @@ erspan-fix-error-handling-for-erspan-tunnel.patch erspan-return-packet_reject-when-the-appropriate-tunnel-is-not-found.patch tcp-really-ignore-msg_zerocopy-if-no-so_zerocopy.patch hv-netvsc-fix-null-dereference-at-single-queue-mode-fallback.patch +usb-dwc3-change-stream-event-enable-bit-back-to-13.patch +iommu-arm-smmu-v3-sync-the-ovackflg-to-priq-consumer-register.patch +iommu-io-pgtable-arm-v7s-abort-allocation-when-table-address-overflows-the-pte.patch +alsa-pcm-add-__force-to-cast-in-snd_pcm_lib_read-write.patch +alsa-msnd-fix-the-default-sample-sizes.patch +alsa-usb-audio-fix-multiple-definitions-in-au0828_device-macro.patch +xfrm-fix-passing-zero-to-err_ptr-warning.patch +amd-xgbe-use-dma_mapping_error-to-check-map-errors.patch +gfs2-special-case-rindex-for-gfs2_grow.patch +clk-imx6ul-fix-missing-of_node_put.patch +clk-core-potentially-free-connection-id.patch +clk-clk-fixed-factor-clear-of_populated-flag-in-case-of-failure.patch +kbuild-add-.delete_on_error-special-target.patch +media-tw686x-fix-oops-on-buffer-alloc-failure.patch +dmaengine-pl330-fix-irq-race-with-terminate_all.patch +mips-ath79-fix-system-restart.patch +media-videobuf2-core-check-for-q-error-in-vb2_core_qbuf.patch +ib-rxe-drop-qp0-silently.patch +block-allow-max_discard_segments-to-be-stacked.patch +ib-ipoib-fix-error-return-code-in-ipoib_dev_init.patch +mtd-maps-fix-solutionengine.c-printk-format-warnings.patch +media-ov5645-supported-external-clock-is-24mhz.patch +perf-test-fix-subtest-number-when-showing-results.patch +gfs2-don-t-reject-a-supposedly-full-bitmap-if-we-have-blocks-reserved.patch +perf-tools-synthesize-group_desc-feature-in-pipe-mode.patch +fbdev-omapfb-off-by-one-in-omapfb_register_client.patch +perf-tools-fix-struct-comm_str-removal-crash.patch +video-goldfishfb-fix-memory-leak-on-driver-remove.patch +fbdev-via-fix-defined-but-not-used-warning.patch +perf-powerpc-fix-callchain-ip-filtering-when-return-address-is-in-a-register.patch +video-fbdev-pxafb-clear-allocated-memory-for-video-modes.patch +fbdev-distinguish-between-interlaced-and-progressive-modes.patch +arm-exynos-clear-global-variable-on-init-error-path.patch +perf-powerpc-fix-callchain-ip-filtering.patch +nvme-rdma-unquiesce-queues-when-deleting-the-controller.patch +kvm-arm-arm64-vgic-fix-possible-spectre-v1-write-in-vgic_mmio_write_apr.patch +powerpc-powernv-opal_put_chars-partial-write-fix.patch +staging-bcm2835-camera-fix-timeout-handling-in-wait_for_completion_timeout.patch +staging-bcm2835-camera-handle-wait_for_completion_timeout-return-properly.patch +asoc-rt5514-fix-the-issue-of-the-delay-volume-applied.patch +mips-jz4740-bump-zload-address.patch +mac80211-restrict-delayed-tailroom-needed-decrement.patch +smack-fix-handling-of-ipv4-traffic-received-by-pf_inet6-sockets.patch +wan-fsl_ucc_hdlc-use-is_err_value-to-check-return-value-of-qe_muram_alloc.patch +arm64-fix-possible-spectre-v1-write-in-ptrace_hbp_set_event.patch +reset-imx7-fix-always-writing-bits-as-0.patch +efi-arm-preserve-early-mapping-of-uefi-memory-map-longer-for-bgrt.patch +nfp-avoid-buffer-leak-when-fw-communication-fails.patch +xen-netfront-fix-queue-name-setting.patch +arm64-dts-qcom-db410c-fix-bluetooth-led-trigger.patch +arm-dts-qcom-msm8974-hammerhead-increase-load-on-l20-for-sdhci.patch +s390-qeth-fix-race-in-used-buffer-accounting.patch +s390-qeth-reset-layer2-attribute-on-layer-switch.patch +platform-x86-toshiba_acpi-fix-defined-but-not-used-build-warnings.patch +kvm-arm-arm64-fix-vgic-init-race.patch +drivers-base-stop-new-probing-during-shutdown.patch +i2c-aspeed-fix-initial-values-of-master-and-slave-state.patch +dmaengine-mv_xor_v2-kill-the-tasklets-upon-exit.patch +crypto-sharah-unregister-correct-algorithms-for-sahara-3.patch +x86-pti-check-the-return-value-of-pti_user_pagetable_walk_p4d.patch +x86-pti-check-the-return-value-of-pti_user_pagetable_walk_pmd.patch +x86-mm-pti-add-an-overflow-check-to-pti_clone_pmds.patch +xen-netfront-fix-warn-message-as-irq-device-name-has.patch diff --git a/queue-4.14/smack-fix-handling-of-ipv4-traffic-received-by-pf_inet6-sockets.patch b/queue-4.14/smack-fix-handling-of-ipv4-traffic-received-by-pf_inet6-sockets.patch new file mode 100644 index 00000000000..117dd1338a6 --- /dev/null +++ b/queue-4.14/smack-fix-handling-of-ipv4-traffic-received-by-pf_inet6-sockets.patch @@ -0,0 +1,83 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Piotr Sawicki +Date: Thu, 19 Jul 2018 11:42:58 +0200 +Subject: Smack: Fix handling of IPv4 traffic received by PF_INET6 sockets + +From: Piotr Sawicki + +[ Upstream commit 129a99890936766f4b69b9da7ed88366313a9210 ] + +A socket which has sk_family set to PF_INET6 is able to receive not +only IPv6 but also IPv4 traffic (IPv4-mapped IPv6 addresses). + +Prior to this patch, the smk_skb_to_addr_ipv6() could have been +called for socket buffers containing IPv4 packets, in result such +traffic was allowed. + +Signed-off-by: Piotr Sawicki +Signed-off-by: Casey Schaufler +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + security/smack/smack_lsm.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +--- a/security/smack/smack_lsm.c ++++ b/security/smack/smack_lsm.c +@@ -3960,15 +3960,19 @@ static int smack_socket_sock_rcv_skb(str + struct smack_known *skp = NULL; + int rc = 0; + struct smk_audit_info ad; ++ u16 family = sk->sk_family; + #ifdef CONFIG_AUDIT + struct lsm_network_audit net; + #endif + #if IS_ENABLED(CONFIG_IPV6) + struct sockaddr_in6 sadd; + int proto; ++ ++ if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) ++ family = PF_INET; + #endif /* CONFIG_IPV6 */ + +- switch (sk->sk_family) { ++ switch (family) { + case PF_INET: + #ifdef CONFIG_SECURITY_SMACK_NETFILTER + /* +@@ -3986,7 +3990,7 @@ static int smack_socket_sock_rcv_skb(str + */ + netlbl_secattr_init(&secattr); + +- rc = netlbl_skbuff_getattr(skb, sk->sk_family, &secattr); ++ rc = netlbl_skbuff_getattr(skb, family, &secattr); + if (rc == 0) + skp = smack_from_secattr(&secattr, ssp); + else +@@ -3999,7 +4003,7 @@ access_check: + #endif + #ifdef CONFIG_AUDIT + smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); +- ad.a.u.net->family = sk->sk_family; ++ ad.a.u.net->family = family; + ad.a.u.net->netif = skb->skb_iif; + ipv4_skb_to_auditdata(skb, &ad.a, NULL); + #endif +@@ -4013,7 +4017,7 @@ access_check: + rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in, + MAY_WRITE, rc); + if (rc != 0) +- netlbl_skbuff_err(skb, sk->sk_family, rc, 0); ++ netlbl_skbuff_err(skb, family, rc, 0); + break; + #if IS_ENABLED(CONFIG_IPV6) + case PF_INET6: +@@ -4029,7 +4033,7 @@ access_check: + skp = smack_net_ambient; + #ifdef CONFIG_AUDIT + smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); +- ad.a.u.net->family = sk->sk_family; ++ ad.a.u.net->family = family; + ad.a.u.net->netif = skb->skb_iif; + ipv6_skb_to_auditdata(skb, &ad.a, NULL); + #endif /* CONFIG_AUDIT */ diff --git a/queue-4.14/staging-bcm2835-camera-fix-timeout-handling-in-wait_for_completion_timeout.patch b/queue-4.14/staging-bcm2835-camera-fix-timeout-handling-in-wait_for_completion_timeout.patch new file mode 100644 index 00000000000..3729bb215f5 --- /dev/null +++ b/queue-4.14/staging-bcm2835-camera-fix-timeout-handling-in-wait_for_completion_timeout.patch @@ -0,0 +1,50 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Nicholas Mc Guire +Date: Sat, 21 Jul 2018 15:20:28 +0200 +Subject: staging: bcm2835-camera: fix timeout handling in wait_for_completion_timeout + +From: Nicholas Mc Guire + +[ Upstream commit b7afce51d95726a619743aaad8870db66dfa1479 ] + +wait_for_completion_timeout returns unsigned long not int so a variable of +proper type is introduced. Further the check for <= 0 is ambiguous and should +be == 0 here indicating timeout which is the only error case so no additional +check needed here. + +Signed-off-by: Nicholas Mc Guire +Fixes: 7b3ad5abf027 ("staging: Import the BCM2835 MMAL-based V4L2 camera driver.") +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c ++++ b/drivers/staging/vc04_services/bcm2835-camera/mmal-vchiq.c +@@ -834,6 +834,7 @@ static int send_synchronous_mmal_msg(str + { + struct mmal_msg_context *msg_context; + int ret; ++ unsigned long timeout; + + /* payload size must not cause message to exceed max size */ + if (payload_len > +@@ -872,11 +873,11 @@ static int send_synchronous_mmal_msg(str + return ret; + } + +- ret = wait_for_completion_timeout(&msg_context->u.sync.cmplt, 3 * HZ); +- if (ret <= 0) { +- pr_err("error %d waiting for sync completion\n", ret); +- if (ret == 0) +- ret = -ETIME; ++ timeout = wait_for_completion_timeout(&msg_context->u.sync.cmplt, ++ 3 * HZ); ++ if (timeout == 0) { ++ pr_err("timed out waiting for sync completion\n"); ++ ret = -ETIME; + /* todo: what happens if the message arrives after aborting */ + release_msg_context(msg_context); + return ret; diff --git a/queue-4.14/staging-bcm2835-camera-handle-wait_for_completion_timeout-return-properly.patch b/queue-4.14/staging-bcm2835-camera-handle-wait_for_completion_timeout-return-properly.patch new file mode 100644 index 00000000000..18c0dde5bf9 --- /dev/null +++ b/queue-4.14/staging-bcm2835-camera-handle-wait_for_completion_timeout-return-properly.patch @@ -0,0 +1,46 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Nicholas Mc Guire +Date: Sat, 21 Jul 2018 13:31:24 +0200 +Subject: staging: bcm2835-camera: handle wait_for_completion_timeout return properly + +From: Nicholas Mc Guire + +[ Upstream commit 5b70084f6cbcd53f615433f9d216e01bd71de0bb ] + +wait_for_completion_timeout returns unsigned long not int so a variable of +proper type is introduced. Further the check for <= 0 is ambiguous and +should be == 0 here indicating timeout. + +Signed-off-by: Nicholas Mc Guire +Fixes: 7b3ad5abf027 ("staging: Import the BCM2835 MMAL-based V4L2 camera driver.") +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c ++++ b/drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c +@@ -580,6 +580,7 @@ static int start_streaming(struct vb2_qu + static void stop_streaming(struct vb2_queue *vq) + { + int ret; ++ unsigned long timeout; + struct bm2835_mmal_dev *dev = vb2_get_drv_priv(vq); + + v4l2_dbg(1, bcm2835_v4l2_debug, &dev->v4l2_dev, "%s: dev:%p\n", +@@ -605,10 +606,10 @@ static void stop_streaming(struct vb2_qu + sizeof(dev->capture.frame_count)); + + /* wait for last frame to complete */ +- ret = wait_for_completion_timeout(&dev->capture.frame_cmplt, HZ); +- if (ret <= 0) ++ timeout = wait_for_completion_timeout(&dev->capture.frame_cmplt, HZ); ++ if (timeout == 0) + v4l2_err(&dev->v4l2_dev, +- "error %d waiting for frame completion\n", ret); ++ "timed out waiting for frame completion\n"); + + v4l2_dbg(1, bcm2835_v4l2_debug, &dev->v4l2_dev, + "disabling connection\n"); diff --git a/queue-4.14/usb-dwc3-change-stream-event-enable-bit-back-to-13.patch b/queue-4.14/usb-dwc3-change-stream-event-enable-bit-back-to-13.patch new file mode 100644 index 00000000000..bd8af5009f5 --- /dev/null +++ b/queue-4.14/usb-dwc3-change-stream-event-enable-bit-back-to-13.patch @@ -0,0 +1,35 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: "Erich E. Hoover" +Date: Thu, 19 Jul 2018 17:26:24 -0600 +Subject: usb: dwc3: change stream event enable bit back to 13 + +From: "Erich E. Hoover" + +[ Upstream commit 9a7faac3650216112e034b157289bf1a48a99e2d ] + +Commit ff3f0789b3dc ("usb: dwc3: use BIT() macro where possible") +changed DWC3_DEPCFG_STREAM_EVENT_EN from bit 13 to bit 12. + +Spotted this cleanup typo while looking at diffs between 4.9.35 and +4.14.16 for a separate issue. + +Fixes: ff3f0789b3dc ("usb: dwc3: use BIT() macro where possible") +Signed-off-by: Erich E. Hoover +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/gadget.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/dwc3/gadget.h ++++ b/drivers/usb/dwc3/gadget.h +@@ -33,7 +33,7 @@ struct dwc3; + #define DWC3_DEPCFG_XFER_IN_PROGRESS_EN BIT(9) + #define DWC3_DEPCFG_XFER_NOT_READY_EN BIT(10) + #define DWC3_DEPCFG_FIFO_ERROR_EN BIT(11) +-#define DWC3_DEPCFG_STREAM_EVENT_EN BIT(12) ++#define DWC3_DEPCFG_STREAM_EVENT_EN BIT(13) + #define DWC3_DEPCFG_BINTERVAL_M1(n) (((n) & 0xff) << 16) + #define DWC3_DEPCFG_STREAM_CAPABLE BIT(24) + #define DWC3_DEPCFG_EP_NUMBER(n) (((n) & 0x1f) << 25) diff --git a/queue-4.14/video-fbdev-pxafb-clear-allocated-memory-for-video-modes.patch b/queue-4.14/video-fbdev-pxafb-clear-allocated-memory-for-video-modes.patch new file mode 100644 index 00000000000..2dbbdd4ebf2 --- /dev/null +++ b/queue-4.14/video-fbdev-pxafb-clear-allocated-memory-for-video-modes.patch @@ -0,0 +1,36 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Daniel Mack +Date: Tue, 24 Jul 2018 19:11:25 +0200 +Subject: video: fbdev: pxafb: clear allocated memory for video modes + +From: Daniel Mack + +[ Upstream commit b951d80aaf224b1f774e10def672f5e37488e4ee ] + +When parsing the video modes from DT properties, make sure to zero out +memory before using it. This is important because not all fields in the mode +struct are explicitly initialized, even though they are used later on. + +Fixes: 420a488278e86 ("video: fbdev: pxafb: initial devicetree conversion") +Reviewed-by: Robert Jarzmik +Signed-off-by: Daniel Mack +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/pxafb.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/video/fbdev/pxafb.c ++++ b/drivers/video/fbdev/pxafb.c +@@ -2130,8 +2130,8 @@ static int of_get_pxafb_display(struct d + return -EINVAL; + + ret = -ENOMEM; +- info->modes = kmalloc_array(timings->num_timings, +- sizeof(info->modes[0]), GFP_KERNEL); ++ info->modes = kcalloc(timings->num_timings, sizeof(info->modes[0]), ++ GFP_KERNEL); + if (!info->modes) + goto out; + info->num_modes = timings->num_timings; diff --git a/queue-4.14/video-goldfishfb-fix-memory-leak-on-driver-remove.patch b/queue-4.14/video-goldfishfb-fix-memory-leak-on-driver-remove.patch new file mode 100644 index 00000000000..50f74f369d5 --- /dev/null +++ b/queue-4.14/video-goldfishfb-fix-memory-leak-on-driver-remove.patch @@ -0,0 +1,37 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Anton Vasilyev +Date: Tue, 24 Jul 2018 19:11:27 +0200 +Subject: video: goldfishfb: fix memory leak on driver remove + +From: Anton Vasilyev + +[ Upstream commit 5958fde72d04e7b8c6de3669d1f794a90997e3eb ] + +goldfish_fb_probe() allocates memory for fb, but goldfish_fb_remove() does +not have deallocation of fb, which leads to memory leak on probe/remove. + +The patch adds deallocation into goldfish_fb_remove(). + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Anton Vasilyev +Cc: Aleksandar Markovic +Cc: Miodrag Dinic +Cc: Goran Ferenc +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/goldfishfb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/video/fbdev/goldfishfb.c ++++ b/drivers/video/fbdev/goldfishfb.c +@@ -301,6 +301,7 @@ static int goldfish_fb_remove(struct pla + dma_free_coherent(&pdev->dev, framesize, (void *)fb->fb.screen_base, + fb->fb.fix.smem_start); + iounmap(fb->reg_base); ++ kfree(fb); + return 0; + } + diff --git a/queue-4.14/wan-fsl_ucc_hdlc-use-is_err_value-to-check-return-value-of-qe_muram_alloc.patch b/queue-4.14/wan-fsl_ucc_hdlc-use-is_err_value-to-check-return-value-of-qe_muram_alloc.patch new file mode 100644 index 00000000000..28993b6ba13 --- /dev/null +++ b/queue-4.14/wan-fsl_ucc_hdlc-use-is_err_value-to-check-return-value-of-qe_muram_alloc.patch @@ -0,0 +1,49 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: YueHaibing +Date: Mon, 23 Jul 2018 22:12:33 +0800 +Subject: wan/fsl_ucc_hdlc: use IS_ERR_VALUE() to check return value of qe_muram_alloc + +From: YueHaibing + +[ Upstream commit fd800f646402c0f85547166b59ca065175928b7b ] + +qe_muram_alloc return a unsigned long integer,which should not +compared with zero. check it using IS_ERR_VALUE() to fix this. + +Fixes: c19b6d246a35 ("drivers/net: support hdlc function for QE-UCC") +Signed-off-by: YueHaibing +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wan/fsl_ucc_hdlc.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/wan/fsl_ucc_hdlc.c ++++ b/drivers/net/wan/fsl_ucc_hdlc.c +@@ -192,7 +192,7 @@ static int uhdlc_init(struct ucc_hdlc_pr + priv->ucc_pram_offset = qe_muram_alloc(sizeof(struct ucc_hdlc_param), + ALIGNMENT_OF_UCC_HDLC_PRAM); + +- if (priv->ucc_pram_offset < 0) { ++ if (IS_ERR_VALUE(priv->ucc_pram_offset)) { + dev_err(priv->dev, "Can not allocate MURAM for hdlc parameter.\n"); + ret = -ENOMEM; + goto free_tx_bd; +@@ -228,14 +228,14 @@ static int uhdlc_init(struct ucc_hdlc_pr + + /* Alloc riptr, tiptr */ + riptr = qe_muram_alloc(32, 32); +- if (riptr < 0) { ++ if (IS_ERR_VALUE(riptr)) { + dev_err(priv->dev, "Cannot allocate MURAM mem for Receive internal temp data pointer\n"); + ret = -ENOMEM; + goto free_tx_skbuff; + } + + tiptr = qe_muram_alloc(32, 32); +- if (tiptr < 0) { ++ if (IS_ERR_VALUE(tiptr)) { + dev_err(priv->dev, "Cannot allocate MURAM mem for Transmit internal temp data pointer\n"); + ret = -ENOMEM; + goto free_riptr; diff --git a/queue-4.14/x86-mm-pti-add-an-overflow-check-to-pti_clone_pmds.patch b/queue-4.14/x86-mm-pti-add-an-overflow-check-to-pti_clone_pmds.patch new file mode 100644 index 00000000000..928ea0155a2 --- /dev/null +++ b/queue-4.14/x86-mm-pti-add-an-overflow-check-to-pti_clone_pmds.patch @@ -0,0 +1,62 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Joerg Roedel +Date: Wed, 18 Jul 2018 11:41:01 +0200 +Subject: x86/mm/pti: Add an overflow check to pti_clone_pmds() + +From: Joerg Roedel + +[ Upstream commit 935232ce28dfabff1171e5a7113b2d865fa9ee63 ] + +The addr counter will overflow if the last PMD of the address space is +cloned, resulting in an endless loop. + +Check for that and bail out of the loop when it happens. + +Signed-off-by: Joerg Roedel +Signed-off-by: Thomas Gleixner +Tested-by: Pavel Machek +Cc: "H . Peter Anvin" +Cc: linux-mm@kvack.org +Cc: Linus Torvalds +Cc: Andy Lutomirski +Cc: Dave Hansen +Cc: Josh Poimboeuf +Cc: Juergen Gross +Cc: Peter Zijlstra +Cc: Borislav Petkov +Cc: Jiri Kosina +Cc: Boris Ostrovsky +Cc: Brian Gerst +Cc: David Laight +Cc: Denys Vlasenko +Cc: Eduardo Valentin +Cc: Greg KH +Cc: Will Deacon +Cc: aliguori@amazon.com +Cc: daniel.gruss@iaik.tugraz.at +Cc: hughd@google.com +Cc: keescook@google.com +Cc: Andrea Arcangeli +Cc: Waiman Long +Cc: "David H . Gutteridge" +Cc: joro@8bytes.org +Link: https://lkml.kernel.org/r/1531906876-13451-25-git-send-email-joro@8bytes.org +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/mm/pti.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/x86/mm/pti.c ++++ b/arch/x86/mm/pti.c +@@ -291,6 +291,10 @@ pti_clone_pmds(unsigned long start, unsi + p4d_t *p4d; + pud_t *pud; + ++ /* Overflow check */ ++ if (addr < start) ++ break; ++ + pgd = pgd_offset_k(addr); + if (WARN_ON(pgd_none(*pgd))) + return; diff --git a/queue-4.14/x86-pti-check-the-return-value-of-pti_user_pagetable_walk_p4d.patch b/queue-4.14/x86-pti-check-the-return-value-of-pti_user_pagetable_walk_p4d.patch new file mode 100644 index 00000000000..2926a048b32 --- /dev/null +++ b/queue-4.14/x86-pti-check-the-return-value-of-pti_user_pagetable_walk_p4d.patch @@ -0,0 +1,64 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Jiang Biao +Date: Fri, 20 Jul 2018 08:06:31 +0800 +Subject: x86/pti: Check the return value of pti_user_pagetable_walk_p4d() + +From: Jiang Biao + +[ Upstream commit b2b7d986a89b6c94b1331a909de1217214fb08c1 ] + +pti_user_pagetable_walk_p4d() can return NULL, so the return value should +be checked to prevent a NULL pointer dereference. + +Add the check and a warning when the P4D allocation fails. + +Signed-off-by: Jiang Biao +Signed-off-by: Thomas Gleixner +Cc: dave.hansen@linux.intel.com +Cc: luto@kernel.org +Cc: hpa@zytor.com +Cc: albcamus@gmail.com +Cc: zhong.weidong@zte.com.cn +Link: https://lkml.kernel.org/r/1532045192-49622-1-git-send-email-jiang.biao2@zte.com.cn +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/mm/pti.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/arch/x86/mm/pti.c ++++ b/arch/x86/mm/pti.c +@@ -162,7 +162,7 @@ static __init p4d_t *pti_user_pagetable_ + + if (pgd_none(*pgd)) { + unsigned long new_p4d_page = __get_free_page(gfp); +- if (!new_p4d_page) ++ if (WARN_ON_ONCE(!new_p4d_page)) + return NULL; + + set_pgd(pgd, __pgd(_KERNPG_TABLE | __pa(new_p4d_page))); +@@ -181,9 +181,13 @@ static __init p4d_t *pti_user_pagetable_ + static __init pmd_t *pti_user_pagetable_walk_pmd(unsigned long address) + { + gfp_t gfp = (GFP_KERNEL | __GFP_NOTRACK | __GFP_ZERO); +- p4d_t *p4d = pti_user_pagetable_walk_p4d(address); ++ p4d_t *p4d; + pud_t *pud; + ++ p4d = pti_user_pagetable_walk_p4d(address); ++ if (!p4d) ++ return NULL; ++ + BUILD_BUG_ON(p4d_large(*p4d) != 0); + if (p4d_none(*p4d)) { + unsigned long new_pud_page = __get_free_page(gfp); +@@ -319,6 +323,9 @@ static void __init pti_clone_p4d(unsigne + pgd_t *kernel_pgd; + + user_p4d = pti_user_pagetable_walk_p4d(addr); ++ if (!user_p4d) ++ return; ++ + kernel_pgd = pgd_offset_k(addr); + kernel_p4d = p4d_offset(kernel_pgd, addr); + *user_p4d = *kernel_p4d; diff --git a/queue-4.14/x86-pti-check-the-return-value-of-pti_user_pagetable_walk_pmd.patch b/queue-4.14/x86-pti-check-the-return-value-of-pti_user_pagetable_walk_pmd.patch new file mode 100644 index 00000000000..f052242d29b --- /dev/null +++ b/queue-4.14/x86-pti-check-the-return-value-of-pti_user_pagetable_walk_pmd.patch @@ -0,0 +1,63 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Jiang Biao +Date: Fri, 20 Jul 2018 08:06:32 +0800 +Subject: x86/pti: Check the return value of pti_user_pagetable_walk_pmd() + +From: Jiang Biao + +[ Upstream commit 8c934e01a7ce685d98e970880f5941d79272c654 ] + +pti_user_pagetable_walk_pmd() can return NULL, so the return value should +be checked to prevent a NULL pointer dereference. + +Add the check and a warning when the PMD allocation fails. + +Signed-off-by: Jiang Biao +Signed-off-by: Thomas Gleixner +Cc: dave.hansen@linux.intel.com +Cc: luto@kernel.org +Cc: hpa@zytor.com +Cc: albcamus@gmail.com +Cc: zhong.weidong@zte.com.cn +Link: https://lkml.kernel.org/r/1532045192-49622-2-git-send-email-jiang.biao2@zte.com.cn +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/mm/pti.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/arch/x86/mm/pti.c ++++ b/arch/x86/mm/pti.c +@@ -191,7 +191,7 @@ static __init pmd_t *pti_user_pagetable_ + BUILD_BUG_ON(p4d_large(*p4d) != 0); + if (p4d_none(*p4d)) { + unsigned long new_pud_page = __get_free_page(gfp); +- if (!new_pud_page) ++ if (WARN_ON_ONCE(!new_pud_page)) + return NULL; + + set_p4d(p4d, __p4d(_KERNPG_TABLE | __pa(new_pud_page))); +@@ -205,7 +205,7 @@ static __init pmd_t *pti_user_pagetable_ + } + if (pud_none(*pud)) { + unsigned long new_pmd_page = __get_free_page(gfp); +- if (!new_pmd_page) ++ if (WARN_ON_ONCE(!new_pmd_page)) + return NULL; + + set_pud(pud, __pud(_KERNPG_TABLE | __pa(new_pmd_page))); +@@ -227,9 +227,13 @@ static __init pmd_t *pti_user_pagetable_ + static __init pte_t *pti_user_pagetable_walk_pte(unsigned long address) + { + gfp_t gfp = (GFP_KERNEL | __GFP_NOTRACK | __GFP_ZERO); +- pmd_t *pmd = pti_user_pagetable_walk_pmd(address); ++ pmd_t *pmd; + pte_t *pte; + ++ pmd = pti_user_pagetable_walk_pmd(address); ++ if (!pmd) ++ return NULL; ++ + /* We can't do anything sensible if we hit a large mapping. */ + if (pmd_large(*pmd)) { + WARN_ON(1); diff --git a/queue-4.14/xen-netfront-fix-queue-name-setting.patch b/queue-4.14/xen-netfront-fix-queue-name-setting.patch new file mode 100644 index 00000000000..6bb4d78cd91 --- /dev/null +++ b/queue-4.14/xen-netfront-fix-queue-name-setting.patch @@ -0,0 +1,53 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Vitaly Kuznetsov +Date: Fri, 20 Jul 2018 18:33:59 +0200 +Subject: xen-netfront: fix queue name setting + +From: Vitaly Kuznetsov + +[ Upstream commit 2d408c0d4574b01b9ed45e02516888bf925e11a9 ] + +Commit f599c64fdf7d ("xen-netfront: Fix race between device setup and +open") changed the initialization order: xennet_create_queues() now +happens before we do register_netdev() so using netdev->name in +xennet_init_queue() is incorrect, we end up with the following in +/proc/interrupts: + + 60: 139 0 xen-dyn -event eth%d-q0-tx + 61: 265 0 xen-dyn -event eth%d-q0-rx + 62: 234 0 xen-dyn -event eth%d-q1-tx + 63: 1 0 xen-dyn -event eth%d-q1-rx + +and this looks ugly. Actually, using early netdev name (even when it's +already set) is also not ideal: nowadays we tend to rename eth devices +and queue name may end up not corresponding to the netdev name. + +Use nodename from xenbus device for queue naming: this can't change in VM's +lifetime. Now /proc/interrupts looks like + + 62: 202 0 xen-dyn -event device/vif/0-q0-tx + 63: 317 0 xen-dyn -event device/vif/0-q0-rx + 64: 262 0 xen-dyn -event device/vif/0-q1-tx + 65: 17 0 xen-dyn -event device/vif/0-q1-rx + +Fixes: f599c64fdf7d ("xen-netfront: Fix race between device setup and open") +Signed-off-by: Vitaly Kuznetsov +Reviewed-by: Ross Lagerwall +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/xen-netfront.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -1611,7 +1611,7 @@ static int xennet_init_queue(struct netf + (unsigned long)queue); + + snprintf(queue->name, sizeof(queue->name), "%s-q%u", +- queue->info->netdev->name, queue->id); ++ queue->info->xbdev->nodename, queue->id); + + /* Initialise tx_skbs as a free chain containing every entry. */ + queue->tx_skb_freelist = 0; diff --git a/queue-4.14/xen-netfront-fix-warn-message-as-irq-device-name-has.patch b/queue-4.14/xen-netfront-fix-warn-message-as-irq-device-name-has.patch new file mode 100644 index 00000000000..bd1d79ddb8a --- /dev/null +++ b/queue-4.14/xen-netfront-fix-warn-message-as-irq-device-name-has.patch @@ -0,0 +1,95 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: Xiao Liang +Date: Tue, 14 Aug 2018 23:21:28 +0800 +Subject: xen-netfront: fix warn message as irq device name has '/' + +From: Xiao Liang + +[ Upstream commit 21f2706b20100bb3db378461ab9b8e2035309b5b ] + +There is a call trace generated after commit 2d408c0d4574b01b9ed45e02516888bf925e11a9( +xen-netfront: fix queue name setting). There is no 'device/vif/xx-q0-tx' file found +under /proc/irq/xx/. + +This patch only picks up device type and id as its name. + +With the patch, now /proc/interrupts looks like below and the warning message gone: + 70: 21 0 0 0 xen-dyn -event vif0-q0-tx + 71: 15 0 0 0 xen-dyn -event vif0-q0-rx + 72: 14 0 0 0 xen-dyn -event vif0-q1-tx + 73: 33 0 0 0 xen-dyn -event vif0-q1-rx + 74: 12 0 0 0 xen-dyn -event vif0-q2-tx + 75: 24 0 0 0 xen-dyn -event vif0-q2-rx + 76: 19 0 0 0 xen-dyn -event vif0-q3-tx + 77: 21 0 0 0 xen-dyn -event vif0-q3-rx + +Below is call trace information without this patch: + +name 'device/vif/0-q0-tx' +WARNING: CPU: 2 PID: 37 at fs/proc/generic.c:174 __xlate_proc_name+0x85/0xa0 +RIP: 0010:__xlate_proc_name+0x85/0xa0 +RSP: 0018:ffffb85c40473c18 EFLAGS: 00010286 +RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000000006 +RDX: 0000000000000007 RSI: 0000000000000096 RDI: ffff984c7f516930 +RBP: ffffb85c40473cb8 R08: 000000000000002c R09: 0000000000000229 +R10: 0000000000000000 R11: 0000000000000001 R12: ffffb85c40473c98 +R13: ffffb85c40473cb8 R14: ffffb85c40473c50 R15: 0000000000000000 +FS: 0000000000000000(0000) GS:ffff984c7f500000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f69b6899038 CR3: 000000001c20a006 CR4: 00000000001606e0 +Call Trace: +__proc_create+0x45/0x230 +? snprintf+0x49/0x60 +proc_mkdir_data+0x35/0x90 +register_handler_proc+0xef/0x110 +? proc_register+0xfc/0x110 +? proc_create_data+0x70/0xb0 +__setup_irq+0x39b/0x660 +? request_threaded_irq+0xad/0x160 +request_threaded_irq+0xf5/0x160 +? xennet_tx_buf_gc+0x1d0/0x1d0 [xen_netfront] +bind_evtchn_to_irqhandler+0x3d/0x70 +? xenbus_alloc_evtchn+0x41/0xa0 +netback_changed+0xa46/0xcda [xen_netfront] +? find_watch+0x40/0x40 +xenwatch_thread+0xc5/0x160 +? finish_wait+0x80/0x80 +kthread+0x112/0x130 +? kthread_create_worker_on_cpu+0x70/0x70 +ret_from_fork+0x35/0x40 +Code: 81 5c 00 48 85 c0 75 cc 5b 49 89 2e 31 c0 5d 4d 89 3c 24 41 5c 41 5d 41 5e 41 5f c3 4c 89 ee 48 c7 c7 40 4f 0e b4 e8 65 ea d8 ff <0f> 0b b8 fe ff ff ff 5b 5d 41 5c 41 5d 41 5e 41 5f c3 66 0f 1f +---[ end trace 650e5561b0caab3a ]--- + +Signed-off-by: Xiao Liang +Reviewed-by: Juergen Gross + +Signed-off-by: David S. Miller + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/xen-netfront.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -1603,6 +1603,7 @@ static int xennet_init_queue(struct netf + { + unsigned short i; + int err = 0; ++ char *devid; + + spin_lock_init(&queue->tx_lock); + spin_lock_init(&queue->rx_lock); +@@ -1610,8 +1611,9 @@ static int xennet_init_queue(struct netf + setup_timer(&queue->rx_refill_timer, rx_refill_timeout, + (unsigned long)queue); + +- snprintf(queue->name, sizeof(queue->name), "%s-q%u", +- queue->info->xbdev->nodename, queue->id); ++ devid = strrchr(queue->info->xbdev->nodename, '/') + 1; ++ snprintf(queue->name, sizeof(queue->name), "vif%s-q%u", ++ devid, queue->id); + + /* Initialise tx_skbs as a free chain containing every entry. */ + queue->tx_skb_freelist = 0; diff --git a/queue-4.14/xfrm-fix-passing-zero-to-err_ptr-warning.patch b/queue-4.14/xfrm-fix-passing-zero-to-err_ptr-warning.patch new file mode 100644 index 00000000000..afa9b0a75e3 --- /dev/null +++ b/queue-4.14/xfrm-fix-passing-zero-to-err_ptr-warning.patch @@ -0,0 +1,39 @@ +From foo@baz Fri Sep 21 09:51:45 CEST 2018 +From: YueHaibing +Date: Wed, 25 Jul 2018 16:54:33 +0800 +Subject: xfrm: fix 'passing zero to ERR_PTR()' warning + +From: YueHaibing + +[ Upstream commit 934ffce1343f22ed5e2d0bd6da4440f4848074de ] + +Fix a static code checker warning: + + net/xfrm/xfrm_policy.c:1836 xfrm_resolve_and_create_bundle() warn: passing zero to 'ERR_PTR' + +xfrm_tmpl_resolve return 0 just means no xdst found, return NULL +instead of passing zero to ERR_PTR. + +Fixes: d809ec895505 ("xfrm: do not assume that template resolving always returns xfrms") +Signed-off-by: YueHaibing +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/xfrm/xfrm_policy.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -1831,7 +1831,10 @@ xfrm_resolve_and_create_bundle(struct xf + /* Try to instantiate a bundle */ + err = xfrm_tmpl_resolve(pols, num_pols, fl, xfrm, family); + if (err <= 0) { +- if (err != 0 && err != -EAGAIN) ++ if (err == 0) ++ return NULL; ++ ++ if (err != -EAGAIN) + XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLERROR); + return ERR_PTR(err); + } -- 2.47.3