From c8c1eb870fded1a4cc52815638c3dedfb3e79b14 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Sun, 29 Apr 2018 15:07:53 +0200 Subject: [PATCH] 4.16-stable patches added patches: android-binder-prevent-transactions-into-own-process.patch arm-amba-don-t-read-past-the-end-of-sysfs-driver_override-buffer.patch arm-amba-fix-race-condition-with-driver_override.patch arm-amba-make-driver_override-output-consistent-with-other-buses.patch arm-dts-fix-nas4220b-pin-config.patch arm-socfpga_defconfig-remove-qspi-sector-4k-size-force.patch asoc-dmic-fix-clock-parenting.patch asoc-fsl_esai-fix-divisor-calculation-failure-at-lower-ratio.patch cpufreq-powernv-fix-hardlockup-due-to-synchronous-smp_call-in-timer-interrupt.patch crypto-drbg-set-freed-buffers-to-null.patch drm-amd-display-disallow-enabling-crtc-without-primary-plane-with-fb.patch drm-amd-display-don-t-read-edid-in-atomic_check.patch drm-amd-display-fix-deadlock-when-flushing-irq.patch drm-amdgpu-set-compute_pgm_rsrc1-for-sgpr-vgpr-clearing-shaders.patch drm-edid-reset-more-of-the-display-info.patch drm-i915-audio-set-minimum-cd-clock-to-twice-the-bclk.patch drm-i915-enable-display-wa-1183-from-its-correct-spot.patch drm-i915-fbdev-enable-late-fbdev-initial-configuration.patch earlycon-use-a-pointer-table-to-fix-__earlycon_table-stride.patch fpga-manager-altera-ps-spi-preserve-nconfig-state.patch kvm-arm-arm64-close-vmid-generation-race.patch libceph-reschedule-a-tick-in-finish_hunting.patch libceph-un-backoff-on-tick-when-we-have-a-authenticated-session.patch libceph-validate-con-state-at-the-top-of-try_write.patch module-fix-display-of-wrong-module-.text-address.patch objtool-perf-fix-gcc-8-wrestrict-error.patch pci-aardvark-fix-logic-in-advk_pcie_-rd-wr-_conf.patch pci-aardvark-fix-pcie-max-read-request-size-setting.patch pci-aardvark-set-pio_addr_ls-correctly-in-advk_pcie_rd_conf.patch pci-aardvark-use-isr1-instead-of-isr0-interrupt-in-legacy-irq-mode.patch pci-pm-do-not-clear-state_saved-in-pci_pm_freeze-when-smart-suspend-is-set.patch 
powerpc-mce-fix-a-bug-where-mce-loops-on-memory-ue.patch powerpc-mm-flush-cache-on-memory-hot-un-plug.patch powerpc-powernv-npu-do-a-pid-gpu-tlb-flush-when-invalidating-a-large-address-range.patch rtc-opal-fix-opal-rtc-driver-opal_busy-loops.patch slimbus-fix-out-of-bounds-access-in-slim_slicesize.patch smb311-fix-reconnect.patch virt-vbox-add-vbg_req_free-helper-function.patch virt-vbox-move-declarations-of-vboxguest-private-functions-to-private-header.patch virt-vbox-use-__get_free_pages-instead-of-kmalloc-for-dma32-memory.patch --- ...revent-transactions-into-own-process.patch | 40 +++ ...-end-of-sysfs-driver_override-buffer.patch | 39 +++ ...-race-condition-with-driver_override.patch | 69 +++++ ...e-output-consistent-with-other-buses.patch | 40 +++ .../arm-dts-fix-nas4220b-pin-config.patch | 81 ++++++ ...fig-remove-qspi-sector-4k-size-force.patch | 34 +++ .../asoc-dmic-fix-clock-parenting.patch | 67 +++++ ...r-calculation-failure-at-lower-ratio.patch | 47 ++++ ...chronous-smp_call-in-timer-interrupt.patch | 85 ++++++ ...rypto-drbg-set-freed-buffers-to-null.patch | 39 +++ ...g-crtc-without-primary-plane-with-fb.patch | 74 +++++ ...play-don-t-read-edid-in-atomic_check.patch | 101 +++++++ ...splay-fix-deadlock-when-flushing-irq.patch | 43 +++ ...rsrc1-for-sgpr-vgpr-clearing-shaders.patch | 63 +++++ ...-edid-reset-more-of-the-display-info.patch | 68 +++++ ...t-minimum-cd-clock-to-twice-the-bclk.patch | 78 ++++++ ...isplay-wa-1183-from-its-correct-spot.patch | 63 +++++ ...ble-late-fbdev-initial-configuration.patch | 66 +++++ ...table-to-fix-__earlycon_table-stride.patch | 145 ++++++++++ ...altera-ps-spi-preserve-nconfig-state.patch | 35 +++ ...arm-arm64-close-vmid-generation-race.patch | 92 ++++++ ...-reschedule-a-tick-in-finish_hunting.patch | 49 ++++ ...when-we-have-a-authenticated-session.patch | 60 ++++ ...te-con-state-at-the-top-of-try_write.patch | 56 ++++ ...isplay-of-wrong-module-.text-address.patch | 49 ++++ ...jtool-perf-fix-gcc-8-wrestrict-error.patch | 
49 ++++ ...-fix-logic-in-advk_pcie_-rd-wr-_conf.patch | 52 ++++ ...x-pcie-max-read-request-size-setting.patch | 47 ++++ ...dr_ls-correctly-in-advk_pcie_rd_conf.patch | 48 ++++ ...of-isr0-interrupt-in-legacy-irq-mode.patch | 129 +++++++++ ..._pm_freeze-when-smart-suspend-is-set.patch | 66 +++++ ...x-a-bug-where-mce-loops-on-memory-ue.patch | 104 +++++++ ...mm-flush-cache-on-memory-hot-un-plug.patch | 59 ++++ ...n-invalidating-a-large-address-range.patch | 73 +++++ ...-fix-opal-rtc-driver-opal_busy-loops.patch | 116 ++++++++ queue-4.16/series | 40 +++ ...t-of-bounds-access-in-slim_slicesize.patch | 43 +++ queue-4.16/smb311-fix-reconnect.patch | 44 +++ ...box-add-vbg_req_free-helper-function.patch | 261 ++++++++++++++++++ ...-private-functions-to-private-header.patch | 76 +++++ ...-instead-of-kmalloc-for-dma32-memory.patch | 91 ++++++ 41 files changed, 2881 insertions(+) create mode 100644 queue-4.16/android-binder-prevent-transactions-into-own-process.patch create mode 100644 queue-4.16/arm-amba-don-t-read-past-the-end-of-sysfs-driver_override-buffer.patch create mode 100644 queue-4.16/arm-amba-fix-race-condition-with-driver_override.patch create mode 100644 queue-4.16/arm-amba-make-driver_override-output-consistent-with-other-buses.patch create mode 100644 queue-4.16/arm-dts-fix-nas4220b-pin-config.patch create mode 100644 queue-4.16/arm-socfpga_defconfig-remove-qspi-sector-4k-size-force.patch create mode 100644 queue-4.16/asoc-dmic-fix-clock-parenting.patch create mode 100644 queue-4.16/asoc-fsl_esai-fix-divisor-calculation-failure-at-lower-ratio.patch create mode 100644 queue-4.16/cpufreq-powernv-fix-hardlockup-due-to-synchronous-smp_call-in-timer-interrupt.patch create mode 100644 queue-4.16/crypto-drbg-set-freed-buffers-to-null.patch create mode 100644 queue-4.16/drm-amd-display-disallow-enabling-crtc-without-primary-plane-with-fb.patch create mode 100644 queue-4.16/drm-amd-display-don-t-read-edid-in-atomic_check.patch create mode 100644 
queue-4.16/drm-amd-display-fix-deadlock-when-flushing-irq.patch create mode 100644 queue-4.16/drm-amdgpu-set-compute_pgm_rsrc1-for-sgpr-vgpr-clearing-shaders.patch create mode 100644 queue-4.16/drm-edid-reset-more-of-the-display-info.patch create mode 100644 queue-4.16/drm-i915-audio-set-minimum-cd-clock-to-twice-the-bclk.patch create mode 100644 queue-4.16/drm-i915-enable-display-wa-1183-from-its-correct-spot.patch create mode 100644 queue-4.16/drm-i915-fbdev-enable-late-fbdev-initial-configuration.patch create mode 100644 queue-4.16/earlycon-use-a-pointer-table-to-fix-__earlycon_table-stride.patch create mode 100644 queue-4.16/fpga-manager-altera-ps-spi-preserve-nconfig-state.patch create mode 100644 queue-4.16/kvm-arm-arm64-close-vmid-generation-race.patch create mode 100644 queue-4.16/libceph-reschedule-a-tick-in-finish_hunting.patch create mode 100644 queue-4.16/libceph-un-backoff-on-tick-when-we-have-a-authenticated-session.patch create mode 100644 queue-4.16/libceph-validate-con-state-at-the-top-of-try_write.patch create mode 100644 queue-4.16/module-fix-display-of-wrong-module-.text-address.patch create mode 100644 queue-4.16/objtool-perf-fix-gcc-8-wrestrict-error.patch create mode 100644 queue-4.16/pci-aardvark-fix-logic-in-advk_pcie_-rd-wr-_conf.patch create mode 100644 queue-4.16/pci-aardvark-fix-pcie-max-read-request-size-setting.patch create mode 100644 queue-4.16/pci-aardvark-set-pio_addr_ls-correctly-in-advk_pcie_rd_conf.patch create mode 100644 queue-4.16/pci-aardvark-use-isr1-instead-of-isr0-interrupt-in-legacy-irq-mode.patch create mode 100644 queue-4.16/pci-pm-do-not-clear-state_saved-in-pci_pm_freeze-when-smart-suspend-is-set.patch create mode 100644 queue-4.16/powerpc-mce-fix-a-bug-where-mce-loops-on-memory-ue.patch create mode 100644 queue-4.16/powerpc-mm-flush-cache-on-memory-hot-un-plug.patch create mode 100644 queue-4.16/powerpc-powernv-npu-do-a-pid-gpu-tlb-flush-when-invalidating-a-large-address-range.patch create mode 100644 
queue-4.16/rtc-opal-fix-opal-rtc-driver-opal_busy-loops.patch create mode 100644 queue-4.16/slimbus-fix-out-of-bounds-access-in-slim_slicesize.patch create mode 100644 queue-4.16/smb311-fix-reconnect.patch create mode 100644 queue-4.16/virt-vbox-add-vbg_req_free-helper-function.patch create mode 100644 queue-4.16/virt-vbox-move-declarations-of-vboxguest-private-functions-to-private-header.patch create mode 100644 queue-4.16/virt-vbox-use-__get_free_pages-instead-of-kmalloc-for-dma32-memory.patch diff --git a/queue-4.16/android-binder-prevent-transactions-into-own-process.patch b/queue-4.16/android-binder-prevent-transactions-into-own-process.patch new file mode 100644 index 00000000000..297267178a6 --- /dev/null +++ b/queue-4.16/android-binder-prevent-transactions-into-own-process.patch 
@@ -0,0 +1,40 @@
+From 7aa135fcf26377f92dc0680a57566b4c7f3e281b Mon Sep 17 00:00:00 2001
+From: Martijn Coenen
+Date: Wed, 28 Mar 2018 11:14:50 +0200
+Subject: ANDROID: binder: prevent transactions into own process.
+
+From: Martijn Coenen
+
+commit 7aa135fcf26377f92dc0680a57566b4c7f3e281b upstream.
+
+This can't happen with normal nodes (because you can't get a ref
+to a node you own), but it could happen with the context manager;
+to make the behavior consistent with regular nodes, reject
+transactions into the context manager by the process owning it.
+
+Reported-by: syzbot+09e05aba06723a94d43d@syzkaller.appspotmail.com
+Signed-off-by: Martijn Coenen
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/android/binder.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -2839,6 +2839,14 @@ static void binder_transaction(struct bi
+ else
+ return_error = BR_DEAD_REPLY;
+ mutex_unlock(&context->context_mgr_node_lock);
++ if (target_node && target_proc == proc) {
++ binder_user_error("%d:%d got transaction to context manager from process owning it\n",
++ proc->pid, thread->pid);
++ return_error = BR_FAILED_REPLY;
++ return_error_param = -EINVAL;
++ return_error_line = __LINE__;
++ goto err_invalid_target_handle;
++ }
+ }
+ if (!target_node) {
+ /*
diff --git a/queue-4.16/arm-amba-don-t-read-past-the-end-of-sysfs-driver_override-buffer.patch b/queue-4.16/arm-amba-don-t-read-past-the-end-of-sysfs-driver_override-buffer.patch
new file mode 100644
index 00000000000..3d26b064941
--- /dev/null
+++ b/queue-4.16/arm-amba-don-t-read-past-the-end-of-sysfs-driver_override-buffer.patch
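Review bot: The new `if (target_node && target_proc == proc)` exit is taken after the context-manager lookup has already filled in `target_node` and `target_proc`, so any reference that lookup took has to be dropped at `err_invalid_target_handle`; neither the lookup nor the label is inside the hunk, so this should be confirmed against the 4.16 tree the backport lands in. The check also deserves a comment of its own, since it is the only thing that makes the context manager behave like an ordinary node for its owner: `/* a process cannot hold a ref to its own node; apply the same rule to the context manager */`. binder_transaction starts and ends outside the hunk.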
@@ -0,0 +1,39 @@
+From d2ffed5185df9d8d9ccd150e4340e3b6f96a8381 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven
+Date: Tue, 10 Apr 2018 15:21:45 +0200
+Subject: ARM: amba: Don't read past the end of sysfs "driver_override" buffer
+
+From: Geert Uytterhoeven
+
+commit d2ffed5185df9d8d9ccd150e4340e3b6f96a8381 upstream.
+
+When printing the driver_override parameter when it is 4095 and 4094
+bytes long, the printing code would access invalid memory because we
+need count + 1 bytes for printing.
+
+Cfr. commits 4efe874aace57dba ("PCI: Don't read past the end of sysfs
+"driver_override" buffer") and bf563b01c2895a4b ("driver core: platform:
+Don't read past the end of "driver_override" buffer").
+
+Fixes: 3cf385713460eb2b ("ARM: 8256/1: driver coamba: add device binding path 'driver_override'")
+Signed-off-by: Geert Uytterhoeven
+Reviewed-by: Todd Kjos
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/amba/bus.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/amba/bus.c
++++ b/drivers/amba/bus.c
+@@ -84,7 +84,8 @@ static ssize_t driver_override_store(str
+ struct amba_device *dev = to_amba_device(_dev);
+ char *driver_override, *old, *cp;
+
+- if (count > PATH_MAX)
++ /* We need to keep extra room for a newline */
++ if (count >= (PAGE_SIZE - 1))
+ return -EINVAL;
+
+ driver_override = kstrndup(buf, count, GFP_KERNEL);
diff --git a/queue-4.16/arm-amba-fix-race-condition-with-driver_override.patch b/queue-4.16/arm-amba-fix-race-condition-with-driver_override.patch
new file mode 100644
index 00000000000..1f8df7e0bad
--- /dev/null
+++ b/queue-4.16/arm-amba-fix-race-condition-with-driver_override.patch
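Review bot: The comment on the new bound, `/* We need to keep extra room for a newline */`, leaves out where the limit comes from: the stored string is later printed as "%s\n" into the sysfs buffer, so the string, the newline and the terminating NUL all have to fit. Something like `/* show() prints "%s\n" plus NUL into one page: cap the string at PAGE_SIZE - 2 */` would tie the check to its consumer. With `count >= (PAGE_SIZE - 1)` rejected, the longest accepted input is PAGE_SIZE - 2 bytes, which matches that requirement as long as the show buffer is one page. driver_override_store continues outside the hunk.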
@@ -0,0 +1,69 @@
+From 6a7228d90d42bcacfe38786756ba62762b91c20a Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven
+Date: Tue, 10 Apr 2018 15:21:44 +0200
+Subject: ARM: amba: Fix race condition with driver_override
+
+From: Geert Uytterhoeven
+
+commit 6a7228d90d42bcacfe38786756ba62762b91c20a upstream.
+
+The driver_override implementation is susceptible to a race condition
+when different threads are reading vs storing a different driver
+override. Add locking to avoid this race condition.
+
+Cfr. commits 6265539776a0810b ("driver core: platform: fix race
+condition with driver_override") and 9561475db680f714 ("PCI: Fix race
+condition with driver_override").
+
+Fixes: 3cf385713460eb2b ("ARM: 8256/1: driver coamba: add device binding path 'driver_override'")
+Signed-off-by: Geert Uytterhoeven
+Reviewed-by: Todd Kjos
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/amba/bus.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/amba/bus.c
++++ b/drivers/amba/bus.c
+@@ -69,8 +69,12 @@ static ssize_t driver_override_show(stru
+ struct device_attribute *attr, char *buf)
+ {
+ struct amba_device *dev = to_amba_device(_dev);
++ ssize_t len;
+
+- return sprintf(buf, "%s\n", dev->driver_override);
++ device_lock(_dev);
++ len = sprintf(buf, "%s\n", dev->driver_override);
++ device_unlock(_dev);
++ return len;
+ }
+
+ static ssize_t driver_override_store(struct device *_dev,
+@@ -78,7 +82,7 @@ static ssize_t driver_override_store(str
+ const char *buf, size_t count)
+ {
+ struct amba_device *dev = to_amba_device(_dev);
+- char *driver_override, *old = dev->driver_override, *cp;
++ char *driver_override, *old, *cp;
+
+ if (count > PATH_MAX)
+ return -EINVAL;
+@@ -91,12 +95,15 @@ static ssize_t driver_override_store(str
+ if (cp)
+ *cp = '\0';
+
++ device_lock(_dev);
++ old = dev->driver_override;
+ if (strlen(driver_override)) {
+ dev->driver_override = driver_override;
+ } else {
+ kfree(driver_override);
+ dev->driver_override = NULL;
+ }
++ device_unlock(_dev);
+
+ kfree(old);
+
diff --git a/queue-4.16/arm-amba-make-driver_override-output-consistent-with-other-buses.patch b/queue-4.16/arm-amba-make-driver_override-output-consistent-with-other-buses.patch
new file mode 100644
index 00000000000..a4390300a8c
--- /dev/null
+++ b/queue-4.16/arm-amba-make-driver_override-output-consistent-with-other-buses.patch
@@ -0,0 +1,40 @@
+From 5f53624662eaac89598641cee6cd54fc192572d9 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven
+Date: Tue, 10 Apr 2018 15:21:43 +0200
+Subject: ARM: amba: Make driver_override output consistent with other buses
+
+From: Geert Uytterhoeven
+
+commit 5f53624662eaac89598641cee6cd54fc192572d9 upstream.
+
+For AMBA devices with unconfigured driver override, the
+"driver_override" sysfs virtual file is empty, while it contains
+"(null)" for platform and PCI devices.
+
+Make AMBA consistent with other buses by dropping the test for a NULL
+pointer.
+
+Note that contrary to popular belief, sprintf() handles NULL pointers
+fine; they are printed as "(null)".
+
+Signed-off-by: Geert Uytterhoeven
+Cc: stable
+Reviewed-by: Todd Kjos
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/amba/bus.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/amba/bus.c
++++ b/drivers/amba/bus.c
+@@ -70,9 +70,6 @@ static ssize_t driver_override_show(stru
+ {
+ struct amba_device *dev = to_amba_device(_dev);
+
+- if (!dev->driver_override)
+- return 0;
+-
+ return sprintf(buf, "%s\n", dev->driver_override);
+ }
+
diff --git a/queue-4.16/arm-dts-fix-nas4220b-pin-config.patch b/queue-4.16/arm-dts-fix-nas4220b-pin-config.patch
new file mode 100644
index 00000000000..b99ebdddb81
--- /dev/null
+++ b/queue-4.16/arm-dts-fix-nas4220b-pin-config.patch
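Review bot: `len = sprintf(buf, "%s\n", dev->driver_override);` in driver_override_show of the race-condition patch is still an unbounded write into the sysfs buffer, so its safety rests entirely on the length check in driver_override_store, which in this patch's context is still `count > PATH_MAX`. A bounded call keeps the invariant local and does not depend on the order in which the amba patches are applied: `len = scnprintf(buf, PAGE_SIZE, "%s\n", dev->driver_override);`. The locking in the visible lines looks consistent: `old` is read and the pointer swapped under device_lock(), and `kfree(old)` runs after the unlock. The same sprintf is visible as context in the "Make driver_override output consistent with other buses" patch that follows.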
@@ -0,0 +1,81 @@
+From 1c3bc8fb10c1803f8651911722ed584db3dfb0f2 Mon Sep 17 00:00:00 2001
+From: Linus Walleij
+Date: Tue, 17 Apr 2018 10:53:11 +0200
+Subject: ARM: dts: Fix NAS4220B pin config
+
+From: Linus Walleij
+
+commit 1c3bc8fb10c1803f8651911722ed584db3dfb0f2 upstream.
+
+The DTS file for the NAS4220B had the pin config for the
+ethernet interface set to the pins in the SL3512 SoC while
+this system is using SL3516. Fix it by referencing the
+right SL3516 pins instead of the SL3512 pins.
+
+Cc: stable@vger.kernel.org
+Cc: Hans Ulli Kroll
+Reported-by: Andreas Fiedler
+Reported-by: Roman Yeryomin
+Tested-by: Roman Yeryomin
+Signed-off-by: Linus Walleij
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/boot/dts/gemini-nas4220b.dts | 28 ++++++++++++++--------------
+ 1 file changed, 14 insertions(+), 14 deletions(-)
+
+--- a/arch/arm/boot/dts/gemini-nas4220b.dts
++++ b/arch/arm/boot/dts/gemini-nas4220b.dts
+@@ -134,37 +134,37 @@
+ function = "gmii";
+ groups = "gmii_gmac0_grp";
+ };
+- /* Settings come from OpenWRT */
++ /* Settings come from OpenWRT, pins on SL3516 */
+ conf0 {
+- pins = "R8 GMAC0 RXDV", "U11 GMAC1 RXDV";
++ pins = "V8 GMAC0 RXDV", "T10 GMAC1 RXDV";
+ skew-delay = <0>;
+ };
+ conf1 {
+- pins = "T8 GMAC0 RXC", "T11 GMAC1 RXC";
++ pins = "Y7 GMAC0 RXC", "Y11 GMAC1 RXC";
+ skew-delay = <15>;
+ };
+ conf2 {
+- pins = "P8 GMAC0 TXEN", "V11 GMAC1 TXEN";
++ pins = "T8 GMAC0 TXEN", "W11 GMAC1 TXEN";
+ skew-delay = <7>;
+ };
+ conf3 {
+- pins = "V7 GMAC0 TXC";
++ pins = "U8 GMAC0 TXC";
+ skew-delay = <11>;
+ };
+ conf4 {
+- pins = "P10 GMAC1 TXC";
++ pins = "V11 GMAC1 TXC";
+ skew-delay = <10>;
+ };
+ conf5 {
+ /* The data lines all have default skew */
+- pins = "U8 GMAC0 RXD0", "V8 GMAC0 RXD1",
+- "P9 GMAC0 RXD2", "R9 GMAC0 RXD3",
+- "U7 GMAC0 TXD0", "T7 GMAC0 TXD1",
+- "R7 GMAC0 TXD2", "P7 GMAC0 TXD3",
+- "R11 GMAC1 RXD0", "P11 GMAC1 RXD1",
+- "V12 GMAC1 RXD2", "U12 GMAC1 RXD3",
+- "R10 GMAC1 TXD0", "T10 GMAC1 TXD1",
+- "U10 GMAC1 TXD2", "V10 GMAC1 TXD3";
++ pins = "W8 GMAC0 RXD0", "V9 GMAC0 RXD1",
++ "Y8 GMAC0 RXD2", "U9 GMAC0 RXD3",
++ "T7 GMAC0 TXD0", "U6 GMAC0 TXD1",
++ "V7 GMAC0 TXD2", "U7 GMAC0 TXD3",
++ "Y12 GMAC1 RXD0", "V12 GMAC1 RXD1",
++ "T11 GMAC1 RXD2", "W12 GMAC1 RXD3",
++ "U10 GMAC1 TXD0", "Y10 GMAC1 TXD1",
++ "W10 GMAC1 TXD2", "T9 GMAC1 TXD3";
+ skew-delay = <7>;
+ };
+ /* Set up drive strength on GMAC0 to 16 mA */
diff --git a/queue-4.16/arm-socfpga_defconfig-remove-qspi-sector-4k-size-force.patch b/queue-4.16/arm-socfpga_defconfig-remove-qspi-sector-4k-size-force.patch
new file mode 100644
index 00000000000..080b71ba167
--- /dev/null
+++ b/queue-4.16/arm-socfpga_defconfig-remove-qspi-sector-4k-size-force.patch
@@ -0,0 +1,34 @@
+From 6e8fe39989720b87439fee7817a5ca362b16d931 Mon Sep 17 00:00:00 2001
+From: Thor Thayer
+Date: Mon, 26 Mar 2018 14:50:00 -0500
+Subject: ARM: socfpga_defconfig: Remove QSPI Sector 4K size force
+
+From: Thor Thayer
+
+commit 6e8fe39989720b87439fee7817a5ca362b16d931 upstream.
+
+Remove QSPI Sector 4K size force which is causing QSPI boot
+problems with the JFFS2 root filesystem.
+
+Fixes the following error:
+ "Magic bitmask 0x1985 not found at ..."
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Thor Thayer
+Signed-off-by: Dinh Nguyen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/configs/socfpga_defconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm/configs/socfpga_defconfig
++++ b/arch/arm/configs/socfpga_defconfig
+@@ -57,6 +57,7 @@ CONFIG_MTD_M25P80=y
+ CONFIG_MTD_NAND=y
+ CONFIG_MTD_NAND_DENALI_DT=y
+ CONFIG_MTD_SPI_NOR=y
++# CONFIG_MTD_SPI_NOR_USE_4K_SECTORS is not set
+ CONFIG_SPI_CADENCE_QUADSPI=y
+ CONFIG_OF_OVERLAY=y
+ CONFIG_OF_CONFIGFS=y
diff --git a/queue-4.16/asoc-dmic-fix-clock-parenting.patch b/queue-4.16/asoc-dmic-fix-clock-parenting.patch
new file mode 100644
index 00000000000..15b11b9573b
--- /dev/null
+++ b/queue-4.16/asoc-dmic-fix-clock-parenting.patch
@@ -0,0 +1,67 @@
+From 573eda59c772d11fc2b56d525dfb698b0f87ddb3 Mon Sep 17 00:00:00 2001
+From: Tero Kristo
+Date: Thu, 12 Apr 2018 11:23:15 +0300
+Subject: ASoC: dmic: Fix clock parenting
+
+From: Tero Kristo
+
+commit 573eda59c772d11fc2b56d525dfb698b0f87ddb3 upstream.
+
+In 4.16 the clock hierarchy got changed by
+a5c82a09d876 ARM: dts: omap4: add clkctrl nodes
+
+The fck of dmic is no longer a mux clock, it's parent is.
+
+Signed-off-by: Tero Kristo
+Signed-off-by: Peter Ujfalusi
+Signed-off-by: Mark Brown
+Cc: stable@vger.kernel.org # 4.16+
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/soc/omap/omap-dmic.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/sound/soc/omap/omap-dmic.c
++++ b/sound/soc/omap/omap-dmic.c
+@@ -281,7 +281,7 @@ static int omap_dmic_dai_trigger(struct
+ static int omap_dmic_select_fclk(struct omap_dmic *dmic, int clk_id,
+ unsigned int freq)
+ {
+- struct clk *parent_clk;
++ struct clk *parent_clk, *mux;
+ char *parent_clk_name;
+ int ret = 0;
+
+@@ -329,14 +329,21 @@ static int omap_dmic_select_fclk(struct
+ return -ENODEV;
+ }
+
++ mux = clk_get_parent(dmic->fclk);
++ if (IS_ERR(mux)) {
++ dev_err(dmic->dev, "can't get fck mux parent\n");
++ clk_put(parent_clk);
++ return -ENODEV;
++ }
++
+ mutex_lock(&dmic->mutex);
+ if (dmic->active) {
+ /* disable clock while reparenting */
+ pm_runtime_put_sync(dmic->dev);
+- ret = clk_set_parent(dmic->fclk, parent_clk);
++ ret = clk_set_parent(mux, parent_clk);
+ pm_runtime_get_sync(dmic->dev);
+ } else {
+- ret = clk_set_parent(dmic->fclk, parent_clk);
++ ret = clk_set_parent(mux, parent_clk);
+ }
+ mutex_unlock(&dmic->mutex);
+
+@@ -349,6 +356,7 @@ static int omap_dmic_select_fclk(struct
+ dmic->fclk_freq = freq;
+
+ err_busy:
++ clk_put(mux);
+ clk_put(parent_clk);
+
+ return ret;
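Review bot: `if (IS_ERR(mux))` after `mux = clk_get_parent(dmic->fclk);` does not cover a NULL return, and as far as I know clk_get_parent() reports a missing parent as NULL rather than as an error pointer; that NULL would then be passed to `clk_set_parent(mux, parent_clk)` and the reparenting would not happen where it was intended. `if (IS_ERR_OR_NULL(mux))` closes the gap. The added `clk_put(mux);` at err_busy also needs a second look: whether clk_get_parent() hands out a reference the caller must drop is not visible here, and an unbalanced put on a clock the driver never acquired would be a lifetime bug. omap_dmic_select_fclk is only partly visible in these hunks.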
diff --git a/queue-4.16/asoc-fsl_esai-fix-divisor-calculation-failure-at-lower-ratio.patch b/queue-4.16/asoc-fsl_esai-fix-divisor-calculation-failure-at-lower-ratio.patch
new file mode 100644
index 00000000000..1941634535f
--- /dev/null
+++ b/queue-4.16/asoc-fsl_esai-fix-divisor-calculation-failure-at-lower-ratio.patch
@@ -0,0 +1,47 @@
+From c656941df9bc80f7ec65b92ca73c42f8b0b62628 Mon Sep 17 00:00:00 2001
+From: Nicolin Chen
+Date: Sun, 8 Apr 2018 16:57:35 -0700
+Subject: ASoC: fsl_esai: Fix divisor calculation failure at lower ratio
+
+From: Nicolin Chen
+
+commit c656941df9bc80f7ec65b92ca73c42f8b0b62628 upstream.
+
+When the desired ratio is less than 256, the savesub (tolerance)
+in the calculation would become 0. This will then fail the loop-
+search immediately without reporting any errors.
+
+But if the ratio is smaller enough, there is no need to calculate
+the tolerance because PM divisor alone is enough to get the ratio.
+
+So a simple fix could be just to set PM directly instead of going
+into the loop-search.
+
+Reported-by: Marek Vasut
+Signed-off-by: Nicolin Chen
+Tested-by: Marek Vasut
+Reviewed-by: Fabio Estevam
+Signed-off-by: Mark Brown
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/soc/fsl/fsl_esai.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/sound/soc/fsl/fsl_esai.c
++++ b/sound/soc/fsl/fsl_esai.c
+@@ -144,6 +144,13 @@ static int fsl_esai_divisor_cal(struct s
+
+ psr = ratio <= 256 * maxfp ? ESAI_xCCR_xPSR_BYPASS : ESAI_xCCR_xPSR_DIV8;
+
++ /* Do not loop-search if PM (1 ~ 256) alone can serve the ratio */
++ if (ratio <= 256) {
++ pm = ratio;
++ fp = 1;
++ goto out;
++ }
++
+ /* Set the max fluctuation -- 0.1% of the max devisor */
+ savesub = (psr ? 1 : 8) * 256 * maxfp / 1000;
+
diff --git a/queue-4.16/cpufreq-powernv-fix-hardlockup-due-to-synchronous-smp_call-in-timer-interrupt.patch b/queue-4.16/cpufreq-powernv-fix-hardlockup-due-to-synchronous-smp_call-in-timer-interrupt.patch
new file mode 100644
index 00000000000..9419462dab2
--- /dev/null
+++ b/queue-4.16/cpufreq-powernv-fix-hardlockup-due-to-synchronous-smp_call-in-timer-interrupt.patch
@@ -0,0 +1,85 @@
+From c0f7f5b6c69107ca92909512533e70258ee19188 Mon Sep 17 00:00:00 2001
+From: Shilpasri G Bhat
+Date: Wed, 25 Apr 2018 16:29:31 +0530
+Subject: cpufreq: powernv: Fix hardlockup due to synchronous smp_call in timer interrupt
+
+From: Shilpasri G Bhat
+
+commit c0f7f5b6c69107ca92909512533e70258ee19188 upstream.
+
+gpstate_timer_handler() uses synchronous smp_call to set the pstate
+on the requested core. This causes the below hard lockup:
+
+ smp_call_function_single+0x110/0x180 (unreliable)
+ smp_call_function_any+0x180/0x250
+ gpstate_timer_handler+0x1e8/0x580
+ call_timer_fn+0x50/0x1c0
+ expire_timers+0x138/0x1f0
+ run_timer_softirq+0x1e8/0x270
+ __do_softirq+0x158/0x3e4
+ irq_exit+0xe8/0x120
+ timer_interrupt+0x9c/0xe0
+ decrementer_common+0x114/0x120
+ -- interrupt: 901 at doorbell_global_ipi+0x34/0x50
+ LR = arch_send_call_function_ipi_mask+0x120/0x130
+ arch_send_call_function_ipi_mask+0x4c/0x130
+ smp_call_function_many+0x340/0x450
+ pmdp_invalidate+0x98/0xe0
+ change_huge_pmd+0xe0/0x270
+ change_protection_range+0xb88/0xe40
+ mprotect_fixup+0x140/0x340
+ SyS_mprotect+0x1b4/0x350
+ system_call+0x58/0x6c
+
+One way to avoid this is removing the smp-call. We can ensure that the
+timer always runs on one of the policy-cpus. If the timer gets
+migrated to a cpu outside the policy then re-queue it back on the
+policy->cpus. This way we can get rid of the smp-call which was being
+used to set the pstate on the policy->cpus.
+
+Fixes: 7bc54b652f13 ("timers, cpufreq/powernv: Initialize the gpstate timer as pinned")
+Cc: stable@vger.kernel.org # v4.8+
+Reported-by: Nicholas Piggin
+Reported-by: Pridhiviraj Paidipeddi
+Signed-off-by: Shilpasri G Bhat
+Acked-by: Nicholas Piggin
+Acked-by: Viresh Kumar
+Acked-by: Vaidyanathan Srinivasan
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/cpufreq/powernv-cpufreq.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/drivers/cpufreq/powernv-cpufreq.c
++++ b/drivers/cpufreq/powernv-cpufreq.c
+@@ -679,6 +679,16 @@ void gpstate_timer_handler(struct timer_
+
+ if (!spin_trylock(&gpstates->gpstate_lock))
+ return;
++ /*
++ * If the timer has migrated to the different cpu then bring
++ * it back to one of the policy->cpus
++ */
++ if (!cpumask_test_cpu(raw_smp_processor_id(), policy->cpus)) {
++ gpstates->timer.expires = jiffies + msecs_to_jiffies(1);
++ add_timer_on(&gpstates->timer, cpumask_first(policy->cpus));
++ spin_unlock(&gpstates->gpstate_lock);
++ return;
++ }
+
+ /*
+ * If PMCR was last updated was using fast_swtich then
+@@ -718,10 +728,8 @@ void gpstate_timer_handler(struct timer_
+ if (gpstate_idx != gpstates->last_lpstate_idx)
+ queue_gpstate_timer(gpstates);
+
++ set_pstate(&freq_data);
+ spin_unlock(&gpstates->gpstate_lock);
+-
+- /* Timer may get migrated to a different cpu on cpu hot unplug */
+- smp_call_function_any(policy->cpus, set_pstate, &freq_data, 1);
+ }
+
+ /*
diff --git a/queue-4.16/crypto-drbg-set-freed-buffers-to-null.patch b/queue-4.16/crypto-drbg-set-freed-buffers-to-null.patch
new file mode 100644
index 00000000000..3d4afeb50a8
--- /dev/null
+++ b/queue-4.16/crypto-drbg-set-freed-buffers-to-null.patch
@@ -0,0 +1,39 @@
+From eea0d3ea7546961f69f55b26714ac8fd71c7c020 Mon Sep 17 00:00:00 2001
+From: Stephan Mueller
+Date: Thu, 12 Apr 2018 08:40:55 +0200
+Subject: crypto: drbg - set freed buffers to NULL
+
+From: Stephan Mueller
+
+commit eea0d3ea7546961f69f55b26714ac8fd71c7c020 upstream.
+
+During freeing of the internal buffers used by the DRBG, set the pointer
+to NULL. It is possible that the context with the freed buffers is
+reused. In case of an error during initialization where the pointers
+do not yet point to allocated memory, the NULL value prevents a double
+free.
+
+Cc: stable@vger.kernel.org
+Fixes: 3cfc3b9721123 ("crypto: drbg - use aligned buffers")
+Signed-off-by: Stephan Mueller
+Reported-by: syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ crypto/drbg.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/crypto/drbg.c
++++ b/crypto/drbg.c
+@@ -1134,8 +1134,10 @@ static inline void drbg_dealloc_state(st
+ if (!drbg)
+ return;
+ kzfree(drbg->Vbuf);
++ drbg->Vbuf = NULL;
+ drbg->V = NULL;
+ kzfree(drbg->Cbuf);
++ drbg->Cbuf = NULL;
+ drbg->C = NULL;
+ kzfree(drbg->scratchpadbuf);
+ drbg->scratchpadbuf = NULL;
diff --git a/queue-4.16/drm-amd-display-disallow-enabling-crtc-without-primary-plane-with-fb.patch b/queue-4.16/drm-amd-display-disallow-enabling-crtc-without-primary-plane-with-fb.patch
new file mode 100644
index 00000000000..503659d3426
--- /dev/null
+++ b/queue-4.16/drm-amd-display-disallow-enabling-crtc-without-primary-plane-with-fb.patch
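Review bot: drbg_dealloc_state now resets `Vbuf` and `Cbuf` next to `V` and `C`, but nothing in the function says why each buffer has two pointers or which of them owns the allocation, and that is the detail the double free turned on. A short comment above the first kzfree() would record it, for example `/* V and C point into Vbuf/Cbuf; only the *buf pointers own memory, and the context may be reused after a failed init */`; the aliasing is inferred from the Fixes: commit about aligned buffers and should be confirmed. The function continues outside the hunk, and any other pointer freed there should be reset in the same way.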
@@ -0,0 +1,74 @@
+From f2877656809386d7bc62c2b1c1b4e58404c486d4 Mon Sep 17 00:00:00 2001
+From: Harry Wentland
+Date: Mon, 16 Apr 2018 17:28:11 -0400
+Subject: drm/amd/display: Disallow enabling CRTC without primary plane with FB
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Harry Wentland
+
+commit f2877656809386d7bc62c2b1c1b4e58404c486d4 upstream.
+
+The below commit
+
+ "drm/atomic: Try to preserve the crtc enabled state in drm_atomic_remove_fb, v2"
+
+introduces a slight behavioral change to rmfb. Instead of disabling a crtc
+when the primary plane is disabled, it now preserves it.
+
+Since DC is currently not equipped to handle this we need to fail such
+a commit, otherwise we might see a corrupted screen.
+
+This is based on Shirish's previous approach but avoids adding all
+planes to the new atomic state which leads to a full update in DC for
+any commit, and is not what we intend.
+
+Theoretically DM should be able to deal with states with fully populated planes,
+even for simple updates, such as cursor updates. This should still be
+addressed in the future.
+
+Signed-off-by: Harry Wentland
+Tested-by: Michel Dänzer
+Reviewed-by: Tony Cheng
+Cc: stable@vger.kernel.org
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -4506,6 +4506,7 @@ static int dm_update_crtcs_state(struct
+ struct amdgpu_dm_connector *aconnector = NULL;
+ struct drm_connector_state *new_con_state = NULL;
+ struct dm_connector_state *dm_conn_state = NULL;
++ struct drm_plane_state *new_plane_state = NULL;
+
+ new_stream = NULL;
+
+@@ -4513,6 +4514,13 @@ static int dm_update_crtcs_state(struct
+ dm_new_crtc_state = to_dm_crtc_state(new_crtc_state);
+ acrtc = to_amdgpu_crtc(crtc);
+
++ new_plane_state = drm_atomic_get_new_plane_state(state, new_crtc_state->crtc->primary);
++
++ if (new_crtc_state->enable && new_plane_state && !new_plane_state->fb) {
++ ret = -EINVAL;
++ goto fail;
++ }
++
+ aconnector = amdgpu_dm_find_first_crtc_matching_connector(state, crtc);
+
+ /* TODO This hack should go away */
+@@ -4685,7 +4693,7 @@ static int dm_update_planes_state(struct
+ if (!dm_old_crtc_state->stream)
+ continue;
+
+- DRM_DEBUG_DRIVER("Disabling DRM plane: %d on DRM crtc %d\n",
++ DRM_DEBUG_ATOMIC("Disabling DRM plane: %d on DRM crtc %d\n",
+ plane->base.id, old_plane_crtc->base.id);
+
+ if (!dc_remove_plane_from_context(
diff --git a/queue-4.16/drm-amd-display-don-t-read-edid-in-atomic_check.patch b/queue-4.16/drm-amd-display-don-t-read-edid-in-atomic_check.patch
new file mode 100644
index 00000000000..f95274fec76
--- /dev/null
+++ b/queue-4.16/drm-amd-display-don-t-read-edid-in-atomic_check.patch
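Review bot: The new test `if (new_crtc_state->enable && new_plane_state && !new_plane_state->fb)` in dm_update_crtcs_state only fires when the primary plane is part of this atomic state; when drm_atomic_get_new_plane_state() returns NULL the commit passes unchecked. The description says that is deliberate (it avoids pulling all planes into the state), so the code should say so too, for example `/* primary plane not part of this commit: nothing to validate */`. `new_crtc_state->crtc->primary` could probably be written `crtc->primary`, since `crtc` is already used on the line above, assuming both name the same object. The switch from DRM_DEBUG_DRIVER to DRM_DEBUG_ATOMIC in dm_update_planes_state is unrelated to the fix and would be easier to review as its own change.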
@@ -0,0 +1,101 @@
+From c7b8de00384be49dc1617a838b0ce89a0235f319 Mon Sep 17 00:00:00 2001
+From: Harry Wentland
+Date: Thu, 8 Mar 2018 22:05:35 -0500
+Subject: drm/amd/display: Don't read EDID in atomic_check
+
+From: Harry Wentland
+
+commit c7b8de00384be49dc1617a838b0ce89a0235f319 upstream.
+
+We shouldn't attempt to read EDID in atomic_check. We really shouldn't
+even be modifying the connector object, or any other non-state object,
+but this is a start at least.
+
+Moving EDID cleanup to dm_dp_mst_connector_destroy from
+dm_dp_destroy_mst_connector to ensure the EDID is still available for
+headless mode.
+
+Signed-off-by: Harry Wentland
+Reviewed-by: Tony Cheng
+Acked-by: Harry Wentland
+Signed-off-by: Alex Deucher
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 32 +++---------
+ 1 file changed, 10 insertions(+), 22 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
+@@ -157,6 +157,11 @@ dm_dp_mst_connector_destroy(struct drm_c
+ struct amdgpu_dm_connector *amdgpu_dm_connector = to_amdgpu_dm_connector(connector);
+ struct amdgpu_encoder *amdgpu_encoder = amdgpu_dm_connector->mst_encoder;
+
++ if (amdgpu_dm_connector->edid) {
++ kfree(amdgpu_dm_connector->edid);
++ amdgpu_dm_connector->edid = NULL;
++ }
++
+ drm_encoder_cleanup(&amdgpu_encoder->base);
+ kfree(amdgpu_encoder);
+ drm_connector_cleanup(connector);
+@@ -183,28 +188,22 @@ static int dm_connector_update_modes(str
+ void dm_dp_mst_dc_sink_create(struct drm_connector *connector)
+ {
+ struct amdgpu_dm_connector *aconnector = to_amdgpu_dm_connector(connector);
+- struct edid *edid;
+ struct dc_sink *dc_sink;
+ struct dc_sink_init_data init_params = {
+ .link = aconnector->dc_link,
+ .sink_signal = SIGNAL_TYPE_DISPLAY_PORT_MST };
+
++ /* FIXME none of this is safe. we shouldn't touch aconnector here in
++ * atomic_check
++ */
++
+ /*
+ * TODO: Need to further figure out why ddc.algo is NULL while MST port exists
+ */
+ if (!aconnector->port || !aconnector->port->aux.ddc.algo)
+ return;
+
+- edid = drm_dp_mst_get_edid(connector, &aconnector->mst_port->mst_mgr, aconnector->port);
+-
+- if (!edid) {
+- drm_mode_connector_update_edid_property(
+- &aconnector->base,
+- NULL);
+- return;
+- }
+-
+- aconnector->edid = edid;
++ ASSERT(aconnector->edid);
+
+ dc_sink = dc_link_add_remote_sink(
+ aconnector->dc_link,
+@@ -217,9 +216,6 @@ void dm_dp_mst_dc_sink_create(struct drm
+
+ amdgpu_dm_add_sink_to_freesync_module(
+ connector, aconnector->edid);
+-
+- drm_mode_connector_update_edid_property(
+- &aconnector->base, aconnector->edid);
+ }
+
+ static int dm_dp_mst_get_modes(struct drm_connector *connector)
+@@ -426,14 +422,6 @@ static void dm_dp_destroy_mst_connector(
+ dc_sink_release(aconnector->dc_sink);
+ aconnector->dc_sink = NULL;
+ }
+- if (aconnector->edid) {
+- kfree(aconnector->edid);
+- aconnector->edid = NULL;
+- }
+-
+- drm_mode_connector_update_edid_property(
+- &aconnector->base,
+- NULL);
+
+ aconnector->mst_connected = false;
+ }
diff --git a/queue-4.16/drm-amd-display-fix-deadlock-when-flushing-irq.patch b/queue-4.16/drm-amd-display-fix-deadlock-when-flushing-irq.patch
new file mode 100644
index 00000000000..316db60ad78
--- /dev/null
+++ b/queue-4.16/drm-amd-display-fix-deadlock-when-flushing-irq.patch
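Review bot: `ASSERT(aconnector->edid);` in dm_dp_mst_dc_sink_create does not stop execution when the EDID is missing (assuming DC's ASSERT only warns), so the calls below it, including `amdgpu_dm_add_sink_to_freesync_module(connector, aconnector->edid)`, would still run with a NULL pointer. Because this patch removes the code that fetched the EDID and returned early on failure, an explicit guard such as `if (!aconnector->edid) return;` next to the existing port/ddc check would restore that early exit. In dm_dp_mst_connector_destroy the `if (amdgpu_dm_connector->edid)` test around kfree() is redundant, since kfree(NULL) is a no-op. Both functions extend beyond the lines shown.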
@@ -0,0 +1,43 @@
+From ad64dc0137968f09800e58174bbfd5eac9fe5418 Mon Sep 17 00:00:00 2001
+From: Mikita Lipski
+Date: Wed, 10 Jan 2018 10:01:38 -0500
+Subject: drm/amd/display: Fix deadlock when flushing irq
+
+From: Mikita Lipski
+
+commit ad64dc0137968f09800e58174bbfd5eac9fe5418 upstream.
+
+Lock irq table when reading a work in queue,
+unlock to flush the work, lock again till all tasks
+are cleared
+
+Signed-off-by: Mikita Lipski
+Reviewed-by: Harry Wentland
+Signed-off-by: Alex Deucher
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_irq.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_irq.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_irq.c
+@@ -400,14 +400,15 @@ void amdgpu_dm_irq_fini(struct amdgpu_de
+ {
+ int src;
+ struct irq_list_head *lh;
++ unsigned long irq_table_flags;
+ DRM_DEBUG_KMS("DM_IRQ: releasing resources.\n");
+-
+ for (src = 0; src < DAL_IRQ_SOURCES_NUMBER; src++) {
+-
++ DM_IRQ_TABLE_LOCK(adev, irq_table_flags);
+ /* The handler was removed from the table,
+ * it means it is safe to flush all the 'work'
+ * (because no code can schedule a new one). */
+ lh = &adev->dm.irq_handler_list_low_tab[src];
++ DM_IRQ_TABLE_UNLOCK(adev, irq_table_flags);
+ flush_work(&lh->work);
+ }
+
diff --git a/queue-4.16/drm-amdgpu-set-compute_pgm_rsrc1-for-sgpr-vgpr-clearing-shaders.patch b/queue-4.16/drm-amdgpu-set-compute_pgm_rsrc1-for-sgpr-vgpr-clearing-shaders.patch
new file mode 100644
index 00000000000..77beadf501e
--- /dev/null
+++ b/queue-4.16/drm-amdgpu-set-compute_pgm_rsrc1-for-sgpr-vgpr-clearing-shaders.patch
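Review bot: The lock added in amdgpu_dm_irq_fini covers only `lh = &adev->dm.irq_handler_list_low_tab[src];`, which computes an address and reads nothing from the table, so as written the DM_IRQ_TABLE_LOCK/UNLOCK pair does not appear to protect any shared state before `flush_work(&lh->work)`. If the intent is to wait for a concurrent table update to finish before flushing, that should be stated in a comment beside the lock; the existing comment ("The handler was removed from the table...") describes the old reasoning and now sits inside the critical section. A blank line between the new `unsigned long irq_table_flags;` declaration and `DRM_DEBUG_KMS(...)` would also keep declarations separate from statements. The function continues past the hunk.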
@@ -0,0 +1,63 @@
+From 75569c182e4f65cd8826a5853dc9cbca703cbd0e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nicolai=20H=C3=A4hnle?=
+Date: Thu, 12 Apr 2018 16:34:19 +0200
+Subject: drm/amdgpu: set COMPUTE_PGM_RSRC1 for SGPR/VGPR clearing shaders
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nicolai Hähnle
+
+commit 75569c182e4f65cd8826a5853dc9cbca703cbd0e upstream.
+
+Otherwise, the SQ may skip some of the register writes, or shader waves may
+be allocated where we don't expect them, so that as a result we don't actually
+reset all of the register SRAMs. This can lead to spurious ECC errors later on
+if a shader uses an uninitialized register.
+
+Signed-off-by: Nicolai Hähnle
+Reviewed-by: Alex Deucher
+Signed-off-by: Alex Deucher
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c
+@@ -1459,10 +1459,11 @@ static const u32 sgpr_init_compute_shade
+ static const u32 vgpr_init_regs[] =
+ {
+ mmCOMPUTE_STATIC_THREAD_MGMT_SE0, 0xffffffff,
+- mmCOMPUTE_RESOURCE_LIMITS, 0,
++ mmCOMPUTE_RESOURCE_LIMITS, 0x1000000, /* CU_GROUP_COUNT=1 */
+ mmCOMPUTE_NUM_THREAD_X, 256*4,
+ mmCOMPUTE_NUM_THREAD_Y, 1,
+ mmCOMPUTE_NUM_THREAD_Z, 1,
++ mmCOMPUTE_PGM_RSRC1, 0x100004f, /* VGPRS=15 (64 logical VGPRs), SGPRS=1 (16 SGPRs), BULKY=1 */
+ mmCOMPUTE_PGM_RSRC2, 20,
+ mmCOMPUTE_USER_DATA_0, 0xedcedc00,
+ mmCOMPUTE_USER_DATA_1, 0xedcedc01,
+@@ -1479,10 +1480,11 @@ static const u32 vgpr_init_regs[] =
+ static const u32 sgpr1_init_regs[] =
+ {
+ mmCOMPUTE_STATIC_THREAD_MGMT_SE0, 0x0f,
+- mmCOMPUTE_RESOURCE_LIMITS, 0x1000000,
++ mmCOMPUTE_RESOURCE_LIMITS, 0x1000000, /* CU_GROUP_COUNT=1 */
+ mmCOMPUTE_NUM_THREAD_X, 256*5,
+ mmCOMPUTE_NUM_THREAD_Y, 1,
+ mmCOMPUTE_NUM_THREAD_Z, 1,
++ mmCOMPUTE_PGM_RSRC1, 0x240, /* SGPRS=9 (80 GPRS) */
+ mmCOMPUTE_PGM_RSRC2, 20,
+ mmCOMPUTE_USER_DATA_0, 0xedcedc00,
+ mmCOMPUTE_USER_DATA_1, 0xedcedc01,
+@@ -1503,6 +1505,7 @@ static const u32 sgpr2_init_regs[] =
+ mmCOMPUTE_NUM_THREAD_X, 256*5,
+ mmCOMPUTE_NUM_THREAD_Y, 1,
+ mmCOMPUTE_NUM_THREAD_Z, 1,
++ mmCOMPUTE_PGM_RSRC1, 0x240, /* SGPRS=9 (80 GPRS) */
+ mmCOMPUTE_PGM_RSRC2, 20,
+ mmCOMPUTE_USER_DATA_0, 0xedcedc00,
+ mmCOMPUTE_USER_DATA_1, 0xedcedc01,
diff --git a/queue-4.16/drm-edid-reset-more-of-the-display-info.patch b/queue-4.16/drm-edid-reset-more-of-the-display-info.patch
new file mode 100644
index 00000000000..66610a882ef
--- /dev/null
+++ b/queue-4.16/drm-edid-reset-more-of-the-display-info.patch
@@ -0,0 +1,68 @@
+From 1f6b8eef11c3d097bc8a6b2bbb868eb47ec6f7d8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?=
+Date: Tue, 24 Apr 2018 16:02:50 +0300
+Subject: drm/edid: Reset more of the display info
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä
+
+commit 1f6b8eef11c3d097bc8a6b2bbb868eb47ec6f7d8 upstream.
+
+We're currently failing to reset everything in display_info.hdmi
+which will potentially cause us to use stale information when
+swapping monitors. Eg. if the user replaces a HDMI 2.0 monitor
+with a HDMI 1.x monitor we will continue to think that the monitor
+supports scrambling. That will lead to a black screen since the
+HDMI 1.x monitor won't understand the scrambled signal.
+
+Fix the problem by clearing display_info.hdmi fully. And while at
+eliminate some duplicated code by calling drm_reset_display_info()
+in drm_add_display_info().
+
+Cc: stable@vger.kernel.org
+Cc: Antony Chen
+Cc: Shashank Sharma
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=105655
+Signed-off-by: Ville Syrjälä
+Link: https://patchwork.freedesktop.org/patch/msgid/20180424130250.7028-1-ville.syrjala@linux.intel.com
+Reviewed-by: Daniel Vetter
+Tested-by: Antony Chen
+Signed-off-by: Sean Paul
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/drm_edid.c | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+--- a/drivers/gpu/drm/drm_edid.c
++++ b/drivers/gpu/drm/drm_edid.c
+@@ -4450,6 +4450,7 @@ drm_reset_display_info(struct drm_connec
+ info->max_tmds_clock = 0;
+ info->dvi_dual = false;
+ info->has_hdmi_infoframe = false;
++ memset(&info->hdmi, 0, sizeof(info->hdmi));
+
+ info->non_desktop = 0;
+ }
+@@ -4461,17 +4462,11 @@ u32 drm_add_display_info(struct drm_conn
+
+ u32 quirks = edid_get_quirks(edid);
+
++ drm_reset_display_info(connector);
++
+ info->width_mm = edid->width_cm * 10;
+ info->height_mm = edid->height_cm * 10;
+
+- /* driver figures it out in this case */
+- info->bpc = 0;
+- info->color_formats = 0;
+- info->cea_rev = 0;
+- info->max_tmds_clock = 0;
+- info->dvi_dual = false;
+- info->has_hdmi_infoframe = false;
+-
+ info->non_desktop = !!(quirks & EDID_QUIRK_NON_DESKTOP);
+
+ DRM_DEBUG_KMS("non_desktop set to %d\n", info->non_desktop);
diff --git a/queue-4.16/drm-i915-audio-set-minimum-cd-clock-to-twice-the-bclk.patch b/queue-4.16/drm-i915-audio-set-minimum-cd-clock-to-twice-the-bclk.patch
new file mode 100644
index 00000000000..2f4fd73ed68
--- /dev/null
+++ b/queue-4.16/drm-i915-audio-set-minimum-cd-clock-to-twice-the-bclk.patch
@@ -0,0 +1,78 @@
+From 904e1b1ff4c70044334f395aa751c8e73fb42714 Mon Sep 17 00:00:00 2001
+From: Abhay Kumar
+Date: Wed, 18 Apr 2018 13:37:07 +0300
+Subject: drm/i915/audio: set minimum CD clock to twice the BCLK
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Abhay Kumar
+
+commit 904e1b1ff4c70044334f395aa751c8e73fb42714 upstream.
+
+In GLK when the device boots with only 1366x768 panel without audio, HDA
+codec doesn't come up. In this case, the CDCLK is less than twice the
+BCLK. Even though audio isn't being enabled, having a too low CDCLK
+leads to audio probe failing altogether.
+
+Require CDCLK to be at least twice the BLCK regardless of audio. This is
+a minimal fix to improve things. Unfortunately, this a) leads to too
+high CDCLK being used when audio is not used, and b) is still not enough
+to fix audio probe when no outputs are connected at probe time.
+
+The proper fix would be to increase CDCLK dynamically from the audio
+component hooks.
+
+v2:
+ - Address comment (Jani)
+ - New design approach
+v3: - Typo fix on top of v1
+
+v4 by Jani: rewrite commit message, add comment in code
+
+Cc: stable@vger.kernel.org
+Cc: Ville Syrjälä
+Cc: Dhinakaran Pandiyan
+Cc: Wenkai Du
+Reviewed-by: Wenkai Du
+Tested-by: Wenkai Du
+Acked-by: Ville Syrjälä
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=102937
+Signed-off-by: Abhay Kumar
+Signed-off-by: Jani Nikula
+Link: https://patchwork.freedesktop.org/patch/msgid/20180418103707.14645-1-jani.nikula@intel.com
+(cherry picked from commit 2a5b95b448485e143ec3e004eabe53b31db78eb3)
+Signed-off-by: Joonas Lahtinen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/i915/intel_cdclk.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/i915/intel_cdclk.c
++++ b/drivers/gpu/drm/i915/intel_cdclk.c
+@@ -1946,10 +1946,22 @@ int intel_crtc_compute_min_cdclk(const s
+ }
+ }
+
+- /* According to BSpec, "The CD clock frequency must be at least twice
++ /*
++ * According to BSpec, "The CD clock frequency must be at least twice
+ * the frequency of the Azalia BCLK." and BCLK is 96 MHz by default.
++ *
++ * FIXME: Check the actual, not default, BCLK being used.
++ *
++ * FIXME: This does not depend on ->has_audio because the higher CDCLK
++ * is required for audio probe, also when there are no audio capable
++ * displays connected at probe time. This leads to unnecessarily high
++ * CDCLK when audio is not required.
++ *
++ * FIXME: This limit is only applied when there are displays connected
++ * at probe time. If we probe without displays, we'll still end up using
++ * the platform minimum CDCLK, failing audio probe.
+ */
+- if (crtc_state->has_audio && INTEL_GEN(dev_priv) >= 9)
++ if (INTEL_GEN(dev_priv) >= 9)
+ min_cdclk = max(2 * 96000, min_cdclk);
+
+ /*
diff --git a/queue-4.16/drm-i915-enable-display-wa-1183-from-its-correct-spot.patch b/queue-4.16/drm-i915-enable-display-wa-1183-from-its-correct-spot.patch
new file mode 100644
index 00000000000..659d9c39dbc
--- /dev/null
+++ b/queue-4.16/drm-i915-enable-display-wa-1183-from-its-correct-spot.patch
@@ -0,0 +1,63 @@
+From ac315c621f01d4b8a53dec317c7ae322fd26ff38 Mon Sep 17 00:00:00 2001
+From: Imre Deak
+Date: Thu, 19 Apr 2018 18:51:09 +0300
+Subject: drm/i915: Enable display WA#1183 from its correct spot
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Imre Deak
+
+commit ac315c621f01d4b8a53dec317c7ae322fd26ff38 upstream.
+
+The DMC FW specific part of display WA#1183 is supposed to be enabled
+whenever enabling DC5 or DC6, so move it to the DC6 enable function
+from the DC6 disable function.
+
+I noticed this after Daniel's patch to remove the unused
+skl_disable_dc6() function.
+
+Fixes: 53421c2fe99c ("drm/i915: Apply Display WA #1183 on skl, kbl, and cfl")
+Cc: Lucas De Marchi
+Cc: Rodrigo Vivi
+Cc: Ville Syrjälä
+Cc: Daniel Vetter
+Cc:
+Signed-off-by: Imre Deak
+Reviewed-by: Ville Syrjälä
+Link: https://patchwork.freedesktop.org/patch/msgid/20180419155109.29451-1-imre.deak@intel.com
+(cherry picked from commit b49be6622f08187129561cff0409f7b06b33de57)
+Signed-off-by: Joonas Lahtinen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/i915/intel_runtime_pm.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpu/drm/i915/intel_runtime_pm.c
++++ b/drivers/gpu/drm/i915/intel_runtime_pm.c
+@@ -624,19 +624,18 @@ void skl_enable_dc6(struct drm_i915_priv
+
+ DRM_DEBUG_KMS("Enabling DC6\n");
+
+- gen9_set_dc_state(dev_priv, DC_STATE_EN_UPTO_DC6);
++ /* Wa Display #1183: skl,kbl,cfl */
++ if (IS_GEN9_BC(dev_priv))
++ I915_WRITE(GEN8_CHICKEN_DCPR_1, I915_READ(GEN8_CHICKEN_DCPR_1) |
++ SKL_SELECT_ALTERNATE_DC_EXIT);
+
++ gen9_set_dc_state(dev_priv, DC_STATE_EN_UPTO_DC6);
+ }
+
+ void skl_disable_dc6(struct drm_i915_private *dev_priv)
+ {
+ DRM_DEBUG_KMS("Disabling DC6\n");
+
+- /* Wa Display #1183: skl,kbl,cfl */
+- if (IS_GEN9_BC(dev_priv))
+- I915_WRITE(GEN8_CHICKEN_DCPR_1, I915_READ(GEN8_CHICKEN_DCPR_1) |
+- SKL_SELECT_ALTERNATE_DC_EXIT);
+-
+ gen9_set_dc_state(dev_priv, DC_STATE_DISABLE);
+ }
+
diff --git a/queue-4.16/drm-i915-fbdev-enable-late-fbdev-initial-configuration.patch b/queue-4.16/drm-i915-fbdev-enable-late-fbdev-initial-configuration.patch
new file mode 100644
index 00000000000..9201d4deeff
--- /dev/null
+++ b/queue-4.16/drm-i915-fbdev-enable-late-fbdev-initial-configuration.patch
@@ -0,0 +1,66 @@
+From 0b551f1e0fc50ee4e3cde2dd639cb010dae5b997 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Roberto=20de=20Souza?=
+Date: Wed, 18 Apr 2018 16:41:58 -0700
+Subject: drm/i915/fbdev: Enable late fbdev initial configuration
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: José Roberto de Souza
+
+commit 0b551f1e0fc50ee4e3cde2dd639cb010dae5b997 upstream.
+
+If the initial fbdev configuration (intel_fbdev_initial_config()) runs
+and there still no sink connected it will cause
+drm_fb_helper_initial_config() to return 0 as no error happened (but
+internally the return is -EAGAIN). Because no framebuffer was
+allocated, when a sink is connected intel_fbdev_output_poll_changed()
+will not execute drm_fb_helper_hotplug_event() that would trigger
+another try to do the initial fbdev configuration.
+
+So here allowing drm_fb_helper_hotplug_event() to be executed when there
+is no framebuffer allocated and fbdev was not set up yet.
+
+This issue also happens when a MST DP sink is connected since boot, as
+the MST topology is discovered in parallel if
+intel_fbdev_initial_config() is executed before the first sink MST is
+discovered it will cause this same issue.
+
+This is a follow-up patch of
+https://patchwork.freedesktop.org/patch/196089/
+
+Changes from v1:
+- not creating a dump framebuffer anymore, instead just allowing
+ drm_fb_helper_hotplug_event() to execute when fbdev is not setup yet.
+
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=104158
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=104425
+Cc: Rodrigo Vivi
+Cc: stable@vger.kernel.org # v4.15+
+Signed-off-by: Chris Wilson
+Signed-off-by: José Roberto de Souza
+Tested-by: Paul Menzel
+Tested-by: frederik # 4.15.17
+Tested-by: Ian Pilcher
+Acked-by: Chris Wilson
+Signed-off-by: Jani Nikula
+Link: https://patchwork.freedesktop.org/patch/msgid/20180418234158.9388-1-jose.souza@intel.com
+(cherry picked from commit df9e6521749ab33cde306e8a4350b0ac7889220a)
+Signed-off-by: Joonas Lahtinen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/i915/intel_fbdev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/intel_fbdev.c
++++ b/drivers/gpu/drm/i915/intel_fbdev.c
+@@ -801,7 +801,7 @@ void intel_fbdev_output_poll_changed(str
+ return;
+
+ intel_fbdev_sync(ifbdev);
+- if (ifbdev->vma)
++ if (ifbdev->vma || ifbdev->helper.deferred_setup)
+ drm_fb_helper_hotplug_event(&ifbdev->helper);
+ }
+
diff --git a/queue-4.16/earlycon-use-a-pointer-table-to-fix-__earlycon_table-stride.patch b/queue-4.16/earlycon-use-a-pointer-table-to-fix-__earlycon_table-stride.patch
new file mode 100644
index 00000000000..e50d75d8e54
--- /dev/null
+++ b/queue-4.16/earlycon-use-a-pointer-table-to-fix-__earlycon_table-stride.patch
@@ -0,0 +1,145 @@
+From dd709e72cb934eefd44de8d9969097173fbf45dc Mon Sep 17 00:00:00 2001
+From: Daniel Kurtz
+Date: Fri, 6 Apr 2018 17:21:53 -0600
+Subject: earlycon: Use a pointer table to fix __earlycon_table stride
+
+From: Daniel Kurtz
+
+commit dd709e72cb934eefd44de8d9969097173fbf45dc upstream.
+
+Commit 99492c39f39f ("earlycon: Fix __earlycon_table stride") tried to fix
+__earlycon_table stride by forcing the earlycon_id struct alignment to 32
+and asking the linker to 32-byte align the __earlycon_table symbol. This
+fix was based on commit 07fca0e57fca92 ("tracing: Properly align linker
+defined symbols") which tried a similar fix for the tracing subsystem.
+
+However, this fix doesn't quite work because there is no guarantee that
+gcc will place structures packed into an array format. In fact, gcc 4.9
+chooses to 64-byte align these structs by inserting additional padding
+between the entries because it has no clue that they are supposed to be in
+an array. If we are unlucky, the linker will assign symbol
+"__earlycon_table" to a 32-byte aligned address which does not correspond
+to the 64-byte aligned contents of section "__earlycon_table".
+
+To address this same problem, the fix to the tracing system was
+subsequently re-implemented using a more robust table of pointers approach
+by commits:
+ 3d56e331b653 ("tracing: Replace syscall_meta_data struct array with pointer array")
+ 654986462939 ("tracepoints: Fix section alignment using pointer array")
+ e4a9ea5ee7c8 ("tracing: Replace trace_event struct array with pointer array")
+
+Let's use this same "array of pointers to structs" approach for
+EARLYCON_TABLE.
+
+Fixes: 99492c39f39f ("earlycon: Fix __earlycon_table stride")
+Signed-off-by: Daniel Kurtz
+Suggested-by: Aaron Durbin
+Reviewed-by: Rob Herring
+Tested-by: Guenter Roeck
+Reviewed-by: Guenter Roeck
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/of/fdt.c | 7 +++++--
+ drivers/tty/serial/earlycon.c | 6 ++++--
+ include/asm-generic/vmlinux.lds.h | 2 +-
+ include/linux/serial_core.h | 21 ++++++++++++++-------
+ 4 files changed, 24 insertions(+), 12 deletions(-)
+
+--- a/drivers/of/fdt.c
++++ b/drivers/of/fdt.c
+@@ -942,7 +942,7 @@ int __init early_init_dt_scan_chosen_std
+ int offset;
+ const char *p, *q, *options = NULL;
+ int l;
+- const struct earlycon_id *match;
++ const struct earlycon_id **p_match;
+ const void *fdt = initial_boot_params;
+
+ offset = fdt_path_offset(fdt, "/chosen");
+@@ -969,7 +969,10 @@ int __init early_init_dt_scan_chosen_std
+ return 0;
+ }
+
+- for (match = __earlycon_table; match < __earlycon_table_end; match++) {
++ for (p_match = __earlycon_table; p_match < __earlycon_table_end;
++ p_match++) {
++ const struct earlycon_id *match = *p_match;
++
+ if (!match->compatible[0])
+ continue;
+
+--- a/drivers/tty/serial/earlycon.c
++++ b/drivers/tty/serial/earlycon.c
+@@ -169,7 +169,7 @@ static int __init register_earlycon(char
+ */
+ int __init setup_earlycon(char *buf)
+ {
+- const struct earlycon_id *match;
++ const struct earlycon_id **p_match;
+
+ if (!buf || !buf[0])
+ return -EINVAL;
+@@ -177,7 +177,9 @@ int __init setup_earlycon(char *buf)
+ if (early_con.flags & CON_ENABLED)
+ return -EALREADY;
+
+- for (match = __earlycon_table; match < __earlycon_table_end; match++) {
++ for (p_match = __earlycon_table; p_match < __earlycon_table_end;
++ p_match++) {
++ const struct earlycon_id *match = *p_match;
+ size_t len = strlen(match->name);
+
+ if (strncmp(buf, match->name, len))
+--- a/include/asm-generic/vmlinux.lds.h
++++ b/include/asm-generic/vmlinux.lds.h
+@@ -179,7 +179,7 @@
+ #endif
+
+ #ifdef CONFIG_SERIAL_EARLYCON
+-#define EARLYCON_TABLE() STRUCT_ALIGN(); \
++#define EARLYCON_TABLE() . = ALIGN(8); \
+ VMLINUX_SYMBOL(__earlycon_table) = .; \
+ KEEP(*(__earlycon_table)) \
+ VMLINUX_SYMBOL(__earlycon_table_end) = .;
+--- a/include/linux/serial_core.h
++++ b/include/linux/serial_core.h
+@@ -351,10 +351,10 @@ struct earlycon_id {
+ char name[16];
+ char compatible[128];
+ int (*setup)(struct earlycon_device *, const char *options);
+-} __aligned(32);
++};
+
+-extern const struct earlycon_id __earlycon_table[];
+-extern const struct earlycon_id __earlycon_table_end[];
++extern const struct earlycon_id *__earlycon_table[];
++extern const struct earlycon_id *__earlycon_table_end[];
+
+ #if defined(CONFIG_SERIAL_EARLYCON) && !defined(MODULE)
+ #define EARLYCON_USED_OR_UNUSED __used
+@@ -362,12 +362,19 @@ extern const struct earlycon_id __earlyc
+ #define EARLYCON_USED_OR_UNUSED __maybe_unused
+ #endif
+
+-#define OF_EARLYCON_DECLARE(_name, compat, fn) \
+- static const struct earlycon_id __UNIQUE_ID(__earlycon_##_name) \
+- EARLYCON_USED_OR_UNUSED __section(__earlycon_table) \
++#define _OF_EARLYCON_DECLARE(_name, compat, fn, unique_id) \
++ static const struct earlycon_id unique_id \
++ EARLYCON_USED_OR_UNUSED __initconst \
+ = { .name = __stringify(_name), \
+ .compatible = compat, \
+- .setup = fn }
++ .setup = fn }; \
++ static const struct earlycon_id EARLYCON_USED_OR_UNUSED \
++ __section(__earlycon_table) \
++ * const __PASTE(__p, unique_id) = &unique_id
++
++#define OF_EARLYCON_DECLARE(_name, compat, fn) \
++ _OF_EARLYCON_DECLARE(_name, compat, fn, \
++ __UNIQUE_ID(__earlycon_##_name))
+
+ #define EARLYCON_DECLARE(_name, fn) OF_EARLYCON_DECLARE(_name, "", fn)
+
diff --git a/queue-4.16/fpga-manager-altera-ps-spi-preserve-nconfig-state.patch b/queue-4.16/fpga-manager-altera-ps-spi-preserve-nconfig-state.patch
new file mode 100644
index 00000000000..aff74961af2
--- /dev/null
+++ b/queue-4.16/fpga-manager-altera-ps-spi-preserve-nconfig-state.patch
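Review bot: Nothing in serial_core.h records why `__earlycon_table` now holds pointers instead of structs; the reasoning (the compiler may pad or over-align standalone `earlycon_id` objects, so the section cannot be walked as a dense array) lives only in the commit message. A comment above `_OF_EARLYCON_DECLARE` along the lines of `/* The section holds pointers, not structs: individual earlycon_id objects may be padded by the compiler, so only a pointer table has a reliable stride. */` would keep a later cleanup from reverting it. The structs are now `__initconst`, so it is also worth stating there that the table may only be walked from `__init` code, as both visible users are. In vmlinux.lds.h, `. = ALIGN(8)` is a bare number and a short note that it is meant as pointer alignment would help.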
@@ -0,0 +1,35 @@
+From 881c93c0fb73328845898344208fa0bf0d62cac6 Mon Sep 17 00:00:00 2001
+From: Anatolij Gustschin
+Date: Sun, 15 Apr 2018 11:33:08 -0700
+Subject: fpga-manager: altera-ps-spi: preserve nCONFIG state
+
+From: Anatolij Gustschin
+
+commit 881c93c0fb73328845898344208fa0bf0d62cac6 upstream.
+
+If the driver module is loaded when FPGA is configured, the FPGA
+is reset because nconfig is pulled low (low-active gpio inited
+with GPIOD_OUT_HIGH activates the signal which means setting its
+value to low). Init nconfig with GPIOD_OUT_LOW to prevent this.
+
+Signed-off-by: Anatolij Gustschin
+Acked-by: Alan Tull
+Signed-off-by: Moritz Fischer
+Cc: stable # 4.14+
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/fpga/altera-ps-spi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/fpga/altera-ps-spi.c
++++ b/drivers/fpga/altera-ps-spi.c
+@@ -249,7 +249,7 @@ static int altera_ps_probe(struct spi_de
+
+ conf->data = of_id->data;
+ conf->spi = spi;
+- conf->config = devm_gpiod_get(&spi->dev, "nconfig", GPIOD_OUT_HIGH);
++ conf->config = devm_gpiod_get(&spi->dev, "nconfig", GPIOD_OUT_LOW);
+ if (IS_ERR(conf->config)) {
+ dev_err(&spi->dev, "Failed to get config gpio: %ld\n",
+ PTR_ERR(conf->config));
diff --git a/queue-4.16/kvm-arm-arm64-close-vmid-generation-race.patch b/queue-4.16/kvm-arm-arm64-close-vmid-generation-race.patch
new file mode 100644
index 00000000000..c7e74c73edd
--- /dev/null
+++ b/queue-4.16/kvm-arm-arm64-close-vmid-generation-race.patch
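Review bot: The polarity reasoning behind `GPIOD_OUT_LOW` in altera_ps_probe is not recorded in the code, and the flag name reads as if it drives the pin low, which is the opposite of the effect on this active-low line according to the commit message. A comment on the `devm_gpiod_get()` call such as `/* nconfig is active-low: request it deasserted so an already configured FPGA is not reset at probe */` would stop the next reader from "fixing" it back. The function starts and continues outside the hunk.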
@@ -0,0 +1,92 @@
+From f0cf47d939d0b4b4f660c5aaa4276fa3488f3391 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier
+Date: Wed, 4 Apr 2018 14:48:24 +0100
+Subject: KVM: arm/arm64: Close VMID generation race
+
+From: Marc Zyngier
+
+commit f0cf47d939d0b4b4f660c5aaa4276fa3488f3391 upstream.
+
+Before entering the guest, we check whether our VMID is still
+part of the current generation. In order to avoid taking a lock,
+we start with checking that the generation is still current, and
+only if not current do we take the lock, recheck, and update the
+generation and VMID.
+
+This leaves open a small race: A vcpu can bump up the global
+generation number as well as the VM's, but has not updated
+the VMID itself yet.
+
+At that point another vcpu from the same VM comes in, checks
+the generation (and finds it not needing anything), and jumps
+into the guest. At this point, we end-up with two vcpus belonging
+to the same VM running with two different VMIDs. Eventually, the
+VMID used by the second vcpu will get reassigned, and things will
+really go wrong...
+
+A simple solution would be to drop this initial check, and always take
+the lock. This is likely to cause performance issues. A middle ground
+is to convert the spinlock to a rwlock, and only take the read lock
+on the fast path. If the check fails at that point, drop it and
+acquire the write lock, rechecking the condition.
+
+This ensures that the above scenario doesn't occur.
+
+Cc: stable@vger.kernel.org
+Reported-by: Mark Rutland
+Tested-by: Shannon Zhao
+Signed-off-by: Marc Zyngier
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ virt/kvm/arm/arm.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/virt/kvm/arm/arm.c
++++ b/virt/kvm/arm/arm.c
+@@ -63,7 +63,7 @@ static DEFINE_PER_CPU(struct kvm_vcpu *,
+ static atomic64_t kvm_vmid_gen = ATOMIC64_INIT(1);
+ static u32 kvm_next_vmid;
+ static unsigned int kvm_vmid_bits __read_mostly;
+-static DEFINE_SPINLOCK(kvm_vmid_lock);
++static DEFINE_RWLOCK(kvm_vmid_lock);
+
+ static bool vgic_present;
+
+@@ -470,11 +470,16 @@ static void update_vttbr(struct kvm *kvm
+ {
+ phys_addr_t pgd_phys;
+ u64 vmid;
++ bool new_gen;
+
+- if (!need_new_vmid_gen(kvm))
++ read_lock(&kvm_vmid_lock);
++ new_gen = need_new_vmid_gen(kvm);
++ read_unlock(&kvm_vmid_lock);
++
++ if (!new_gen)
+ return;
+
+- spin_lock(&kvm_vmid_lock);
++ write_lock(&kvm_vmid_lock);
+
+ /*
+ * We need to re-check the vmid_gen here to ensure that if another vcpu
+@@ -482,7 +487,7 @@ static void update_vttbr(struct kvm *kvm
+ * use the same vmid.
+ */
+ if (!need_new_vmid_gen(kvm)) {
+- spin_unlock(&kvm_vmid_lock);
++ write_unlock(&kvm_vmid_lock);
+ return;
+ }
+
+@@ -516,7 +521,7 @@ static void update_vttbr(struct kvm *kvm
+ vmid = ((u64)(kvm->arch.vmid) << VTTBR_VMID_SHIFT) & VTTBR_VMID_MASK(kvm_vmid_bits);
+ kvm->arch.vttbr = kvm_phys_to_vttbr(pgd_phys) | vmid;
+
+- spin_unlock(&kvm_vmid_lock);
++ write_unlock(&kvm_vmid_lock);
+ }
+
+ static int kvm_vcpu_first_run_init(struct kvm_vcpu *vcpu)
diff --git a/queue-4.16/libceph-reschedule-a-tick-in-finish_hunting.patch b/queue-4.16/libceph-reschedule-a-tick-in-finish_hunting.patch
new file mode 100644
index 00000000000..281be536706
--- /dev/null
+++ b/queue-4.16/libceph-reschedule-a-tick-in-finish_hunting.patch
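Review bot: The fast path in update_vttbr now wraps a single `need_new_vmid_gen(kvm)` call in `read_lock`/`read_unlock` with no comment, so it reads as a lock that protects nothing; the actual purpose, making the check wait for a writer that has bumped the generation but not yet assigned the VMID, is only in the commit message. I would add above `read_lock(&kvm_vmid_lock);` something like `/* Taken only to wait out a writer that is part-way through a VMID update; see the re-check under the write lock below. */`. Since two vcpus of one VM running with different VMIDs is the failure being closed here, that invariant deserves to be stated in the code. This also puts a shared rwlock on what appears to be the guest-entry path, so contention on hosts with many vcpus is worth measuring. The function body is only partly visible across these hunks.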
@@ -0,0 +1,49 @@
+From 7b4c443d139f1d2b5570da475f7a9cbcef86740c Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov
+Date: Mon, 23 Apr 2018 15:25:10 +0200
+Subject: libceph: reschedule a tick in finish_hunting()
+
+From: Ilya Dryomov
+
+commit 7b4c443d139f1d2b5570da475f7a9cbcef86740c upstream.
+
+If we go without an established session for a while, backoff delay will
+climb to 30 seconds. The keepalive timeout is also 30 seconds, so it's
+pretty easily hit after a prolonged hunting for a monitor: we don't get
+a chance to send out a keepalive in time, which means we never get back
+a keepalive ack in time, cutting an established session and attempting
+to connect to a different monitor every 30 seconds:
+
+ [Sun Apr 1 23:37:05 2018] libceph: mon0 10.80.20.99:6789 session established
+ [Sun Apr 1 23:37:36 2018] libceph: mon0 10.80.20.99:6789 session lost, hunting for new mon
+ [Sun Apr 1 23:37:36 2018] libceph: mon2 10.80.20.103:6789 session established
+ [Sun Apr 1 23:38:07 2018] libceph: mon2 10.80.20.103:6789 session lost, hunting for new mon
+ [Sun Apr 1 23:38:07 2018] libceph: mon1 10.80.20.100:6789 session established
+ [Sun Apr 1 23:38:37 2018] libceph: mon1 10.80.20.100:6789 session lost, hunting for new mon
+ [Sun Apr 1 23:38:37 2018] libceph: mon2 10.80.20.103:6789 session established
+ [Sun Apr 1 23:39:08 2018] libceph: mon2 10.80.20.103:6789 session lost, hunting for new mon
+
+The regular keepalive interval is 10 seconds. After ->hunting is
+cleared in finish_hunting(), call __schedule_delayed() to ensure we
+send out a keepalive after 10 seconds.
+
+Cc: stable@vger.kernel.org # 4.7+
+Link: http://tracker.ceph.com/issues/23537
+Signed-off-by: Ilya Dryomov
+Reviewed-by: Jason Dillaman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ceph/mon_client.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ceph/mon_client.c
++++ b/net/ceph/mon_client.c
+@@ -1133,6 +1133,7 @@ static void finish_hunting(struct ceph_m
+ monc->hunting = false;
+ monc->had_a_connection = true;
+ un_backoff(monc);
++ __schedule_delayed(monc);
+ }
+ }
+
diff --git a/queue-4.16/libceph-un-backoff-on-tick-when-we-have-a-authenticated-session.patch b/queue-4.16/libceph-un-backoff-on-tick-when-we-have-a-authenticated-session.patch
new file mode 100644
index 00000000000..f07f31fc33a
--- /dev/null
+++ b/queue-4.16/libceph-un-backoff-on-tick-when-we-have-a-authenticated-session.patch
@@ -0,0 +1,60 @@ +From facb9f6eba3df4e8027301cc0e514dc582a1b366 Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Mon, 23 Apr 2018 15:25:10 +0200 +Subject: libceph: un-backoff on tick when we have a authenticated session + +From: Ilya Dryomov + +commit facb9f6eba3df4e8027301cc0e514dc582a1b366 upstream. + +This means that if we do some backoff, then authenticate, and are +healthy for an extended period of time, a subsequent failure won't +leave us starting our hunting sequence with a large backoff. + +Mirrors ceph.git commit d466bc6e66abba9b464b0b69687cf45c9dccf383. + +Cc: stable@vger.kernel.org # 4.7+ +Signed-off-by: Ilya Dryomov +Reviewed-by: Jason Dillaman +Signed-off-by: Greg Kroah-Hartman + +--- + net/ceph/mon_client.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/net/ceph/mon_client.c ++++ b/net/ceph/mon_client.c +@@ -209,6 +209,14 @@ static void reopen_session(struct ceph_m + __open_session(monc); + } + ++static void un_backoff(struct ceph_mon_client *monc) ++{ ++ monc->hunt_mult /= 2; /* reduce by 50% */ ++ if (monc->hunt_mult < 1) ++ monc->hunt_mult = 1; ++ dout("%s hunt_mult now %d\n", __func__, monc->hunt_mult); ++} ++ + /* + * Reschedule delayed work timer. + */ +@@ -963,6 +971,7 @@ static void delayed_work(struct work_str + if (!monc->hunting) { + ceph_con_keepalive(&monc->con); + __validate_auth(monc); ++ un_backoff(monc); + } + + if (is_auth && +@@ -1123,9 +1132,7 @@ static void finish_hunting(struct ceph_m + dout("%s found mon%d\n", __func__, monc->cur_mon); + monc->hunting = false; + monc->had_a_connection = true; +- monc->hunt_mult /= 2; /* reduce by 50% */ +- if (monc->hunt_mult < 1) +- monc->hunt_mult = 1; ++ un_backoff(monc); + } + } + diff --git a/queue-4.16/libceph-validate-con-state-at-the-top-of-try_write.patch b/queue-4.16/libceph-validate-con-state-at-the-top-of-try_write.patch new file mode 100644 index 00000000000..ee6de6ae299 --- /dev/null 
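Review bot: In delayed_work() the new `un_backoff(monc)` call is gated on `!monc->hunting`, while the subject line speaks of an authenticated session and the `is_auth` test only follows afterwards. If `hunting == false` already implies an authenticated session, a comment stating that invariant would help, e.g. `/* not hunting implies an established, authenticated session */`. un_backoff() also emits its dout() on every tick even once hunt_mult has reached 1, which an early return could avoid. delayed_work() starts and ends outside the hunk.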
+++ b/queue-4.16/libceph-validate-con-state-at-the-top-of-try_write.patch @@ -0,0 +1,56 @@ +From 9c55ad1c214d9f8c4594ac2c3fa392c1c32431a7 Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Tue, 24 Apr 2018 19:10:55 +0200 +Subject: libceph: validate con->state at the top of try_write() + +From: Ilya Dryomov + +commit 9c55ad1c214d9f8c4594ac2c3fa392c1c32431a7 upstream. + +ceph_con_workfn() validates con->state before calling try_read() and +then try_write(). However, try_read() temporarily releases con->mutex, +notably in process_message() and ceph_con_in_msg_alloc(), opening the +window for ceph_con_close() to sneak in, close the connection and +release con->sock. When try_write() is called on the assumption that +con->state is still valid (i.e. not STANDBY or CLOSED), a NULL sock +gets passed to the networking stack: + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000020 + IP: selinux_socket_sendmsg+0x5/0x20 + +Make sure con->state is valid at the top of try_write() and add an +explicit BUG_ON for this, similar to try_read(). + +Cc: stable@vger.kernel.org +Link: https://tracker.ceph.com/issues/23706 +Signed-off-by: Ilya Dryomov +Reviewed-by: Jason Dillaman +Signed-off-by: Greg Kroah-Hartman + +--- + net/ceph/messenger.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/ceph/messenger.c ++++ b/net/ceph/messenger.c +@@ -2531,6 +2531,11 @@ static int try_write(struct ceph_connect + int ret = 1; + + dout("try_write start %p state %lu\n", con, con->state); ++ if (con->state != CON_STATE_PREOPEN && ++ con->state != CON_STATE_CONNECTING && ++ con->state != CON_STATE_NEGOTIATING && ++ con->state != CON_STATE_OPEN) ++ return 0; + + more: + dout("try_write out_kvec_bytes %d\n", con->out_kvec_bytes); +@@ -2556,6 +2561,8 @@ more: + } + + more_kvec: ++ BUG_ON(!con->sock); ++ + /* kvec data queued? */ + if (con->out_kvec_left) { + ret = write_partial_kvec(con); 
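Review bot: The new con->state check in try_write() sits before the `more:` label, so passes that jump back to `more:` are not re-validated; only the `BUG_ON(!con->sock)` after `more_kvec:` is evaluated each time. That is sound only if con->mutex stays held for the whole of try_write(), unlike try_read(), which the commit message says drops it; a comment should record this once confirmed, e.g. `/* con->mutex is held until return, so con->state cannot change under us */`. The BUG_ON also turns any remaining path to a NULL sock into a deliberate panic rather than a recoverable error. The early `return 0` could carry a dout() so a skipped write is visible in debug logs. try_write() continues outside the hunk.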
diff --git a/queue-4.16/module-fix-display-of-wrong-module-.text-address.patch b/queue-4.16/module-fix-display-of-wrong-module-.text-address.patch new file mode 100644 index 00000000000..b927c56399c --- /dev/null +++ b/queue-4.16/module-fix-display-of-wrong-module-.text-address.patch @@ -0,0 +1,49 @@ +From be71eda5383faa663efdba9ef54a6b8255e3c7f0 Mon Sep 17 00:00:00 2001 +From: Thomas Richter +Date: Wed, 18 Apr 2018 09:14:36 +0200 +Subject: module: Fix display of wrong module .text address + +From: Thomas Richter + +commit be71eda5383faa663efdba9ef54a6b8255e3c7f0 upstream. + +Reading file /proc/modules shows the correct address: +[root@s35lp76 ~]# cat /proc/modules | egrep '^qeth_l2' +qeth_l2 94208 1 - Live 0x000003ff80401000 + +and reading file /sys/module/qeth_l2/sections/.text +[root@s35lp76 ~]# cat /sys/module/qeth_l2/sections/.text +0x0000000018ea8363 +displays a random address. + +This breaks the perf tool which uses this address on s390 +to calculate start of .text section in memory. + +Fix this by printing the correct (unhashed) address. + +Thanks to Jessica Yu for helping on this. + +Fixes: ef0010a30935 ("vsprintf: don't use 'restricted_pointer()' when not restricting") +Cc: # v4.15+ +Suggested-by: Linus Torvalds +Signed-off-by: Thomas Richter +Cc: Jessica Yu +Signed-off-by: Jessica Yu +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/module.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -1472,7 +1472,8 @@ static ssize_t module_sect_show(struct m + { + struct module_sect_attr *sattr = + container_of(mattr, struct module_sect_attr, mattr); +- return sprintf(buf, "0x%pK\n", (void *)sattr->address); ++ return sprintf(buf, "0x%px\n", kptr_restrict < 2 ? ++ (void *)sattr->address : NULL); + } + + static void free_sect_attrs(struct module_sect_attrs *sect_attrs) 
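Review bot: Switching module_sect_show() from `%pK` to `%px` drops the per-reader check that `%pK` applies when kptr_restrict is 1: the new expression prints the raw section address to anyone who can open the file whenever `kptr_restrict < 2`. Whether that exposes kernel addresses to unprivileged users, and so weakens KASLR, depends on the mode of the section attribute files, which is set outside this hunk and should be confirmed to be owner-only. A comment at the call would record that reliance, e.g. `/* %px is unhashed: access control here is the file mode, not the kptr_restrict == 1 capability check */`. module_sect_show() starts outside the hunk.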
diff --git a/queue-4.16/objtool-perf-fix-gcc-8-wrestrict-error.patch b/queue-4.16/objtool-perf-fix-gcc-8-wrestrict-error.patch new file mode 100644 index 00000000000..f7690d13228 --- /dev/null +++ b/queue-4.16/objtool-perf-fix-gcc-8-wrestrict-error.patch @@ -0,0 +1,49 @@ +From 854e55ad289ef8888e7991f0ada85d5846f5afb9 Mon Sep 17 00:00:00 2001 +From: Josh Poimboeuf +Date: Thu, 15 Mar 2018 22:11:54 -0500 +Subject: objtool, perf: Fix GCC 8 -Wrestrict error +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Josh Poimboeuf + +commit 854e55ad289ef8888e7991f0ada85d5846f5afb9 upstream. + +Starting with recent GCC 8 builds, objtool and perf fail to build with +the following error: + + ../str_error_r.c: In function ‘str_error_r’: + ../str_error_r.c:25:3: error: passing argument 1 to restrict-qualified parameter aliases with argument 5 [-Werror=restrict] + snprintf(buf, buflen, "INTERNAL ERROR: strerror_r(%d, %p, %zd)=%d", errnum, buf, buflen, err); + +The code seems harmless, but there's probably no benefit in printing the +'buf' pointer in this situation anyway, so just remove it to make GCC +happy. + +Reported-by: Laura Abbott +Signed-off-by: Josh Poimboeuf +Tested-by: Laura Abbott +Cc: Adrian Hunter +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Wang Nan +Link: http://lkml.kernel.org/r/20180316031154.juk2uncs7baffctp@treble +Signed-off-by: Arnaldo Carvalho de Melo +Cc: Fredrik Schön +Signed-off-by: Greg Kroah-Hartman + +--- + tools/lib/str_error_r.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/lib/str_error_r.c ++++ b/tools/lib/str_error_r.c +@@ -22,6 +22,6 @@ char *str_error_r(int errnum, char *buf, + { + int err = strerror_r(errnum, buf, buflen); + if (err) +- snprintf(buf, buflen, "INTERNAL ERROR: strerror_r(%d, %p, %zd)=%d", errnum, buf, buflen, err); ++ snprintf(buf, buflen, "INTERNAL ERROR: strerror_r(%d, [buf], %zd)=%d", errnum, buflen, err); + return buf; + } 
diff --git a/queue-4.16/pci-aardvark-fix-logic-in-advk_pcie_-rd-wr-_conf.patch b/queue-4.16/pci-aardvark-fix-logic-in-advk_pcie_-rd-wr-_conf.patch new file mode 100644 index 00000000000..db72fb84a0c --- /dev/null +++ b/queue-4.16/pci-aardvark-fix-logic-in-advk_pcie_-rd-wr-_conf.patch @@ -0,0 +1,52 @@ +From 660661afcd40ed7f515ef3369721ed58e80c0fc5 Mon Sep 17 00:00:00 2001 +From: Victor Gu +Date: Fri, 6 Apr 2018 16:55:31 +0200 +Subject: PCI: aardvark: Fix logic in advk_pcie_{rd,wr}_conf() + +From: Victor Gu + +commit 660661afcd40ed7f515ef3369721ed58e80c0fc5 upstream. + +The PCI configuration space read/write functions were special casing +the situation where PCI_SLOT(devfn) != 0, and returned +PCIBIOS_DEVICE_NOT_FOUND in this case. + +However, while this is what is intended for the root bus, it is not +intended for the child busses, as it prevents discovering devices with +PCI_SLOT(x) != 0. Therefore, we return PCIBIOS_DEVICE_NOT_FOUND only +if we're on the root bus. + +Fixes: 8c39d710363c1 ("PCI: aardvark: Add Aardvark PCI host controller driver") +Cc: +Signed-off-by: Victor Gu +Reviewed-by: Wilson Ding +Reviewed-by: Nadav Haklai +[Thomas: tweak commit log.] +Signed-off-by: Thomas Petazzoni +Signed-off-by: Lorenzo Pieralisi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/host/pci-aardvark.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/pci/host/pci-aardvark.c ++++ b/drivers/pci/host/pci-aardvark.c +@@ -437,7 +437,7 @@ static int advk_pcie_rd_conf(struct pci_ + u32 reg; + int ret; + +- if (PCI_SLOT(devfn) != 0) { ++ if ((bus->number == pcie->root_bus_nr) && PCI_SLOT(devfn) != 0) { + *val = 0xffffffff; + return PCIBIOS_DEVICE_NOT_FOUND; + } +@@ -491,7 +491,7 @@ static int advk_pcie_wr_conf(struct pci_ + int offset; + int ret; + +- if (PCI_SLOT(devfn) != 0) ++ if ((bus->number == pcie->root_bus_nr) && PCI_SLOT(devfn) != 0) + return PCIBIOS_DEVICE_NOT_FOUND; + + if (where % size) 
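Review bot: The predicate `(bus->number == pcie->root_bus_nr) && PCI_SLOT(devfn) != 0` is now written out separately in advk_pcie_rd_conf() and advk_pcie_wr_conf(), which is how the two paths could drift apart again. A small static helper taking pcie, bus and devfn and returning bool, called from both, would keep the root-bus rule in one place. It would also give a spot for a comment explaining why only slot 0 is valid on the root bus. The parentheses around the `==` comparison are redundant. Both functions extend beyond their hunks.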
diff --git a/queue-4.16/pci-aardvark-fix-pcie-max-read-request-size-setting.patch b/queue-4.16/pci-aardvark-fix-pcie-max-read-request-size-setting.patch
new file mode 100644
index 00000000000..f87830f384a
--- /dev/null
+++ b/queue-4.16/pci-aardvark-fix-pcie-max-read-request-size-setting.patch
@@ -0,0 +1,47 @@ +From fc31c4e347c9dad50544d01d5ee98b22c7df88bb Mon Sep 17 00:00:00 2001 +From: Evan Wang +Date: Fri, 6 Apr 2018 16:55:34 +0200 +Subject: PCI: aardvark: Fix PCIe Max Read Request Size setting + +From: Evan Wang + +commit fc31c4e347c9dad50544d01d5ee98b22c7df88bb upstream. + +There is an obvious typo issue in the definition of the PCIe maximum +read request size: a bit shift is directly used as a value, while it +should be used to shift the correct value. + +Fixes: 8c39d710363c1 ("PCI: aardvark: Add Aardvark PCI host controller driver") +Cc: +Signed-off-by: Evan Wang +Reviewed-by: Victor Gu +Reviewed-by: Nadav Haklai +[Thomas: tweak commit log.] +Signed-off-by: Thomas Petazzoni +Signed-off-by: Lorenzo Pieralisi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/host/pci-aardvark.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/pci/host/pci-aardvark.c ++++ b/drivers/pci/host/pci-aardvark.c +@@ -29,6 +29,7 @@ + #define PCIE_CORE_DEV_CTRL_STATS_MAX_PAYLOAD_SZ_SHIFT 5 + #define PCIE_CORE_DEV_CTRL_STATS_SNOOP_DISABLE (0 << 11) + #define PCIE_CORE_DEV_CTRL_STATS_MAX_RD_REQ_SIZE_SHIFT 12 ++#define PCIE_CORE_DEV_CTRL_STATS_MAX_RD_REQ_SZ 0x2 + #define PCIE_CORE_LINK_CTRL_STAT_REG 0xd0 + #define PCIE_CORE_LINK_L0S_ENTRY BIT(0) + #define PCIE_CORE_LINK_TRAINING BIT(5) +@@ -295,7 +296,8 @@ static void advk_pcie_setup_hw(struct ad + reg = PCIE_CORE_DEV_CTRL_STATS_RELAX_ORDER_DISABLE | + (7 << PCIE_CORE_DEV_CTRL_STATS_MAX_PAYLOAD_SZ_SHIFT) | + PCIE_CORE_DEV_CTRL_STATS_SNOOP_DISABLE | +- PCIE_CORE_DEV_CTRL_STATS_MAX_RD_REQ_SIZE_SHIFT; ++ (PCIE_CORE_DEV_CTRL_STATS_MAX_RD_REQ_SZ << ++ PCIE_CORE_DEV_CTRL_STATS_MAX_RD_REQ_SIZE_SHIFT); + advk_writel(pcie, reg, PCIE_CORE_DEV_CTRL_STATS_REG); + + /* Program PCIe Control 2 to disable strict ordering */ 
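Review bot: `PCIE_CORE_DEV_CTRL_STATS_MAX_RD_REQ_SZ 0x2` is a bare encoded value, and the define should say which size it selects, e.g. `/* Max_Read_Request_Size field encoding: 010b = 512 bytes */` (per the PCIe Device Control register encoding; confirm it matches this controller). The neighbouring `(7 << PCIE_CORE_DEV_CTRL_STATS_MAX_PAYLOAD_SZ_SHIFT)` in advk_pcie_setup_hw() is still a literal and would benefit from the same treatment. advk_pcie_setup_hw() starts outside the hunk.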
diff --git a/queue-4.16/pci-aardvark-set-pio_addr_ls-correctly-in-advk_pcie_rd_conf.patch b/queue-4.16/pci-aardvark-set-pio_addr_ls-correctly-in-advk_pcie_rd_conf.patch new file mode 100644 index 00000000000..246d29cae32 --- /dev/null +++ b/queue-4.16/pci-aardvark-set-pio_addr_ls-correctly-in-advk_pcie_rd_conf.patch @@ -0,0 +1,48 @@ +From 4fa3999ee672c54a5498ce98e20fe3fdf9c1cbb4 Mon Sep 17 00:00:00 2001 +From: Victor Gu +Date: Fri, 6 Apr 2018 16:55:32 +0200 +Subject: PCI: aardvark: Set PIO_ADDR_LS correctly in advk_pcie_rd_conf() + +From: Victor Gu + +commit 4fa3999ee672c54a5498ce98e20fe3fdf9c1cbb4 upstream. + +When setting the PIO_ADDR_LS register during a configuration read, we +were properly passing the device number, function number and register +number, but not the bus number, causing issues when reading the +configuration of PCIe devices. + +Fixes: 8c39d710363c1 ("PCI: aardvark: Add Aardvark PCI host controller driver") +Cc: +Signed-off-by: Victor Gu +Reviewed-by: Wilson Ding +Reviewed-by: Nadav Haklai +[Thomas: tweak commit log.] +Signed-off-by: Thomas Petazzoni +Signed-off-by: Lorenzo Pieralisi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/host/pci-aardvark.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/pci/host/pci-aardvark.c ++++ b/drivers/pci/host/pci-aardvark.c +@@ -172,8 +172,6 @@ + #define PCIE_CONFIG_WR_TYPE0 0xa + #define PCIE_CONFIG_WR_TYPE1 0xb + +-/* PCI_BDF shifts 8bit, so we need extra 4bit shift */ +-#define PCIE_BDF(dev) (dev << 4) + #define PCIE_CONF_BUS(bus) (((bus) & 0xff) << 20) + #define PCIE_CONF_DEV(dev) (((dev) & 0x1f) << 15) + #define PCIE_CONF_FUNC(fun) (((fun) & 0x7) << 12) +@@ -456,7 +454,7 @@ static int advk_pcie_rd_conf(struct pci_ + advk_writel(pcie, reg, PIO_CTRL); + + /* Program the address registers */ +- reg = PCIE_BDF(devfn) | PCIE_CONF_REG(where); ++ reg = PCIE_CONF_ADDR(bus->number, devfn, where); + advk_writel(pcie, reg, PIO_ADDR_LS); + advk_writel(pcie, 0, PIO_ADDR_MS); + 
diff --git a/queue-4.16/pci-aardvark-use-isr1-instead-of-isr0-interrupt-in-legacy-irq-mode.patch b/queue-4.16/pci-aardvark-use-isr1-instead-of-isr0-interrupt-in-legacy-irq-mode.patch
new file mode 100644
index 00000000000..87c341b6e9b
--- /dev/null
+++ b/queue-4.16/pci-aardvark-use-isr1-instead-of-isr0-interrupt-in-legacy-irq-mode.patch
@@ -0,0 +1,129 @@ +From 3430f924a62905891c8fa9a3b97ea52007795bc3 Mon Sep 17 00:00:00 2001 +From: Victor Gu +Date: Fri, 6 Apr 2018 16:55:33 +0200 +Subject: PCI: aardvark: Use ISR1 instead of ISR0 interrupt in legacy irq mode + +From: Victor Gu + +commit 3430f924a62905891c8fa9a3b97ea52007795bc3 upstream. + +The Aardvark has two interrupts sets: + + - first set is bit[23:16] of PCIe ISR 0 register(RD0074840h) + + - second set is bit[11:8] of PCIe ISR 1 register(RD0074848h) + +Only one set should be used, while another set should be masked. + +The second set, ISR1, is more advanced, the Legacy INT_X status bit is +asserted once Assert_INTX message is received, and de-asserted after +Deassert_INTX message is received which matches what the driver is +currently doing in the ->irq_mask() and ->irq_unmask() functions. + +The ISR0 requires additional work to deassert the interrupt, which the +driver does not currently implement, therefore it needs fixing. + +Update the driver to use ISR1 register set, fixing current +implementation. + +Fixes: 8c39d710363c1 ("PCI: aardvark: Add Aardvark PCI host controller driver") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=196339 +Signed-off-by: Victor Gu +[Thomas: tweak commit log.] 
+Signed-off-by: Thomas Petazzoni +[lorenzo.pieralisi@arm.com: updated the commit log] +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Evan Wang +Reviewed-by: Nadav Haklai +Cc: +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/host/pci-aardvark.c | 43 +++++++++++++++++++++++----------------- + 1 file changed, 25 insertions(+), 18 deletions(-) + +--- a/drivers/pci/host/pci-aardvark.c ++++ b/drivers/pci/host/pci-aardvark.c +@@ -100,7 +100,8 @@ + #define PCIE_ISR1_MASK_REG (CONTROL_BASE_ADDR + 0x4C) + #define PCIE_ISR1_POWER_STATE_CHANGE BIT(4) + #define PCIE_ISR1_FLUSH BIT(5) +-#define PCIE_ISR1_ALL_MASK GENMASK(5, 4) ++#define PCIE_ISR1_INTX_ASSERT(val) BIT(8 + (val)) ++#define PCIE_ISR1_ALL_MASK GENMASK(11, 4) + #define PCIE_MSI_ADDR_LOW_REG (CONTROL_BASE_ADDR + 0x50) + #define PCIE_MSI_ADDR_HIGH_REG (CONTROL_BASE_ADDR + 0x54) + #define PCIE_MSI_STATUS_REG (CONTROL_BASE_ADDR + 0x58) +@@ -607,9 +608,9 @@ static void advk_pcie_irq_mask(struct ir + irq_hw_number_t hwirq = irqd_to_hwirq(d); + u32 mask; + +- mask = advk_readl(pcie, PCIE_ISR0_MASK_REG); +- mask |= PCIE_ISR0_INTX_ASSERT(hwirq); +- advk_writel(pcie, mask, PCIE_ISR0_MASK_REG); ++ mask = advk_readl(pcie, PCIE_ISR1_MASK_REG); ++ mask |= PCIE_ISR1_INTX_ASSERT(hwirq); ++ advk_writel(pcie, mask, PCIE_ISR1_MASK_REG); + } + + static void advk_pcie_irq_unmask(struct irq_data *d) +@@ -618,9 +619,9 @@ static void advk_pcie_irq_unmask(struct + irq_hw_number_t hwirq = irqd_to_hwirq(d); + u32 mask; + +- mask = advk_readl(pcie, PCIE_ISR0_MASK_REG); +- mask &= ~PCIE_ISR0_INTX_ASSERT(hwirq); +- advk_writel(pcie, mask, PCIE_ISR0_MASK_REG); ++ mask = advk_readl(pcie, PCIE_ISR1_MASK_REG); ++ mask &= ~PCIE_ISR1_INTX_ASSERT(hwirq); ++ advk_writel(pcie, mask, PCIE_ISR1_MASK_REG); + } + + static int advk_pcie_irq_map(struct irq_domain *h, +@@ -763,29 +764,35 @@ static void advk_pcie_handle_msi(struct + + static void advk_pcie_handle_int(struct advk_pcie *pcie) + { +- u32 val, mask, status; ++ u32 isr0_val, isr0_mask, 
isr0_status; ++ u32 isr1_val, isr1_mask, isr1_status; + int i, virq; + +- val = advk_readl(pcie, PCIE_ISR0_REG); +- mask = advk_readl(pcie, PCIE_ISR0_MASK_REG); +- status = val & ((~mask) & PCIE_ISR0_ALL_MASK); +- +- if (!status) { +- advk_writel(pcie, val, PCIE_ISR0_REG); ++ isr0_val = advk_readl(pcie, PCIE_ISR0_REG); ++ isr0_mask = advk_readl(pcie, PCIE_ISR0_MASK_REG); ++ isr0_status = isr0_val & ((~isr0_mask) & PCIE_ISR0_ALL_MASK); ++ ++ isr1_val = advk_readl(pcie, PCIE_ISR1_REG); ++ isr1_mask = advk_readl(pcie, PCIE_ISR1_MASK_REG); ++ isr1_status = isr1_val & ((~isr1_mask) & PCIE_ISR1_ALL_MASK); ++ ++ if (!isr0_status && !isr1_status) { ++ advk_writel(pcie, isr0_val, PCIE_ISR0_REG); ++ advk_writel(pcie, isr1_val, PCIE_ISR1_REG); + return; + } + + /* Process MSI interrupts */ +- if (status & PCIE_ISR0_MSI_INT_PENDING) ++ if (isr0_status & PCIE_ISR0_MSI_INT_PENDING) + advk_pcie_handle_msi(pcie); + + /* Process legacy interrupts */ + for (i = 0; i < PCI_NUM_INTX; i++) { +- if (!(status & PCIE_ISR0_INTX_ASSERT(i))) ++ if (!(isr1_status & PCIE_ISR1_INTX_ASSERT(i))) + continue; + +- advk_writel(pcie, PCIE_ISR0_INTX_ASSERT(i), +- PCIE_ISR0_REG); ++ advk_writel(pcie, PCIE_ISR1_INTX_ASSERT(i), ++ PCIE_ISR1_REG); + + virq = irq_find_mapping(pcie->irq_domain, i); + generic_handle_irq(virq); diff --git a/queue-4.16/pci-pm-do-not-clear-state_saved-in-pci_pm_freeze-when-smart-suspend-is-set.patch b/queue-4.16/pci-pm-do-not-clear-state_saved-in-pci_pm_freeze-when-smart-suspend-is-set.patch new file mode 100644 index 00000000000..eb3b63278dd --- /dev/null +++ b/queue-4.16/pci-pm-do-not-clear-state_saved-in-pci_pm_freeze-when-smart-suspend-is-set.patch 
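Review bot: `PCIE_ISR1_ALL_MASK` is widened to `GENMASK(11, 4)`, which also takes in bits 6 and 7, and no name is defined for those bits in the visible lines. If they are reserved or unrelated, composing the mask from the named bits would make the intent checkable, as would a comment such as `/* bits 4-5: power state / flush, bits 8-11: legacy INTx */`. In advk_pcie_handle_int() the result of `irq_find_mapping()` is passed to `generic_handle_irq()` without a check for a missing mapping; that line is context here but sits on the path this change redirects to ISR1. The function continues outside the hunk.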
@@ -0,0 +1,66 @@ +From ae860a19f37c686e7c5816e96640168b7174a096 Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Fri, 20 Apr 2018 15:22:02 +0300 +Subject: PCI / PM: Do not clear state_saved in pci_pm_freeze() when smart suspend is set + +From: Mika Westerberg + +commit ae860a19f37c686e7c5816e96640168b7174a096 upstream. + +If a driver uses DPM_FLAG_SMART_SUSPEND and the device is already +runtime suspended when hibernate is started PCI core skips runtime +resuming the device but still clears pci_dev->state_saved. After the +hibernation image is written pci_pm_thaw_noirq() makes sure subsequent +thaw phases for the device are also skipped leaving it runtime suspended +with pci_dev->state_saved == false. + +When the device is eventually runtime resumed pci_pm_runtime_resume() +restores config space by calling pci_restore_standard_config(), however +because pci_dev->state_saved == false pci_restore_state() never actually +restores the config space leaving the device in a state that is not what +the driver might expect. + +For example here is what happens for intel-lpss I2C devices once the +hibernation snapshot is taken: + + intel-lpss 0000:00:15.0: power state changed by ACPI to D0 + intel-lpss 0000:00:1e.0: power state changed by ACPI to D3cold + video LNXVIDEO:00: Restoring backlight state + PM: hibernation exit + i2c_designware i2c_designware.1: Unknown Synopsys component type: 0xffffffff + i2c_designware i2c_designware.0: Unknown Synopsys component type: 0xffffffff + i2c_designware i2c_designware.1: timeout in disabling adapter + i2c_designware i2c_designware.0: timeout in disabling adapter + +Since PCI config space is not restored the device is still in D3hot +making MMIO register reads return 0xffffffff. + +Fix this by clearing pci_dev->state_saved only if we actually end up +runtime resuming the device. 
+ +Fixes: c4b65157aeef (PCI / PM: Take SMART_SUSPEND driver flag into account) +Signed-off-by: Mika Westerberg +Cc: 4.15+ # 4.15+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/pci-driver.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/pci/pci-driver.c ++++ b/drivers/pci/pci-driver.c +@@ -945,10 +945,11 @@ static int pci_pm_freeze(struct device * + * devices should not be touched during freeze/thaw transitions, + * however. + */ +- if (!dev_pm_test_driver_flags(dev, DPM_FLAG_SMART_SUSPEND)) ++ if (!dev_pm_smart_suspend_and_suspended(dev)) { + pm_runtime_resume(dev); ++ pci_dev->state_saved = false; ++ } + +- pci_dev->state_saved = false; + if (pm->freeze) { + int error; + diff --git a/queue-4.16/powerpc-mce-fix-a-bug-where-mce-loops-on-memory-ue.patch b/queue-4.16/powerpc-mce-fix-a-bug-where-mce-loops-on-memory-ue.patch new file mode 100644 index 00000000000..2d11061d02d --- /dev/null +++ b/queue-4.16/powerpc-mce-fix-a-bug-where-mce-loops-on-memory-ue.patch 
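Review bot: Nothing at the moved `pci_dev->state_saved = false;` in pci_pm_freeze() says why clearing the flag is now conditional; the existing comment above the `if` only explains the resume. The reasoning lives solely in the commit message, so a comment inside the new braces would help, e.g. `/* only invalidate the saved state if we really resumed; a device left runtime-suspended needs it for the later runtime resume */`. pci_pm_freeze() starts and ends outside the hunk.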
@@ -0,0 +1,104 @@ +From 75ecfb49516c53da00c57b9efe48fa3f5504a791 Mon Sep 17 00:00:00 2001 +From: Mahesh Salgaonkar +Date: Mon, 23 Apr 2018 10:29:27 +0530 +Subject: powerpc/mce: Fix a bug where mce loops on memory UE. + +From: Mahesh Salgaonkar + +commit 75ecfb49516c53da00c57b9efe48fa3f5504a791 upstream. + +The current code extracts the physical address for UE errors and then +hooks it up into memory failure infrastructure. On successful +extraction of physical address it wrongly sets "handled = 1" which +means this UE error has been recovered. Since MCE handler gets return +value as handled = 1, it assumes that error has been recovered and +goes back to same NIP. This causes MCE interrupt again and again in a +loop leading to hard lockup. + +Also, initialize phys_addr to ULONG_MAX so that we don't end up +queuing undesired page to hwpoison. + +Without this patch we see: + Severe Machine check interrupt [Recovered] + NIP: [000000001002588c] PID: 7109 Comm: find + Initiator: CPU + Error type: UE [Load/Store] + Effective address: 00007fffd2755940 + Physical address: 000020181a080000 + ... + Severe Machine check interrupt [Recovered] + NIP: [000000001002588c] PID: 7109 Comm: find + Initiator: CPU + Error type: UE [Load/Store] + Effective address: 00007fffd2755940 + Physical address: 000020181a080000 + Severe Machine check interrupt [Recovered] + NIP: [000000001002588c] PID: 7109 Comm: find + Initiator: CPU + Error type: UE [Load/Store] + Effective address: 00007fffd2755940 + Physical address: 000020181a080000 + Memory failure: 0x20181a08: recovery action for dirty LRU page: Recovered + Memory failure: 0x20181a08: already hardware poisoned + Memory failure: 0x20181a08: already hardware poisoned + Memory failure: 0x20181a08: already hardware poisoned + Memory failure: 0x20181a08: already hardware poisoned + Memory failure: 0x20181a08: already hardware poisoned + Memory failure: 0x20181a08: already hardware poisoned + ... 
+ Watchdog CPU:38 Hard LOCKUP + +After this patch we see: + + Severe Machine check interrupt [Not recovered] + NIP: [00007fffaae585f4] PID: 7168 Comm: find + Initiator: CPU + Error type: UE [Load/Store] + Effective address: 00007fffaafe28ac + Physical address: 00002017c0bd0000 + find[7168]: unhandled signal 7 at 00007fffaae585f4 nip 00007fffaae585f4 lr 00007fffaae585e0 code 4 + Memory failure: 0x2017c0bd: recovery action for dirty LRU page: Recovered + +Fixes: 01eaac2b0591 ("powerpc/mce: Hookup ierror (instruction) UE errors") +Fixes: ba41e1e1ccb9 ("powerpc/mce: Hookup derror (load/store) UE errors") +Cc: stable@vger.kernel.org # v4.15+ +Signed-off-by: Mahesh Salgaonkar +Signed-off-by: Balbir Singh +Reviewed-by: Balbir Singh +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/mce_power.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- a/arch/powerpc/kernel/mce_power.c ++++ b/arch/powerpc/kernel/mce_power.c +@@ -441,7 +441,6 @@ static int mce_handle_ierror(struct pt_r + if (pfn != ULONG_MAX) { + *phys_addr = + (pfn << PAGE_SHIFT); +- handled = 1; + } + } + } +@@ -532,9 +531,7 @@ static int mce_handle_derror(struct pt_r + * kernel/exception-64s.h + */ + if (get_paca()->in_mce < MAX_MCE_DEPTH) +- if (!mce_find_instr_ea_and_pfn(regs, addr, +- phys_addr)) +- handled = 1; ++ mce_find_instr_ea_and_pfn(regs, addr, phys_addr); + } + found = 1; + } +@@ -572,7 +569,7 @@ static long mce_handle_error(struct pt_r + const struct mce_ierror_table itable[]) + { + struct mce_error_info mce_err = { 0 }; +- uint64_t addr, phys_addr; ++ uint64_t addr, phys_addr = ULONG_MAX; + uint64_t srr1 = regs->msr; + long handled; + diff --git a/queue-4.16/powerpc-mm-flush-cache-on-memory-hot-un-plug.patch b/queue-4.16/powerpc-mm-flush-cache-on-memory-hot-un-plug.patch new file mode 100644 index 00000000000..8dc185096cd --- /dev/null +++ b/queue-4.16/powerpc-mm-flush-cache-on-memory-hot-un-plug.patch 
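Review bot: In mce_handle_derror() the return value of `mce_find_instr_ea_and_pfn()` is no longer tested, so a failed lookup is signalled only by `phys_addr` keeping its new `ULONG_MAX` initialiser, while `addr` in mce_handle_error() is still declared uninitialised. If any path reads `addr` after a failed lookup it would see an indeterminate value; the code that fills and consumes it is outside the hunks, so this needs confirming. A comment at the call, `/* on failure phys_addr stays ULONG_MAX and nothing is queued */`, would make the contract explicit. Giving `addr` a defined initial value alongside `phys_addr` would close the gap.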
@@ -0,0 +1,59 @@ +From fb5924fddf9ee31db04da7ad4e8c3434a387101b Mon Sep 17 00:00:00 2001 +From: Balbir Singh +Date: Fri, 6 Apr 2018 15:24:23 +1000 +Subject: powerpc/mm: Flush cache on memory hot(un)plug + +From: Balbir Singh + +commit fb5924fddf9ee31db04da7ad4e8c3434a387101b upstream. + +This patch adds support for flushing potentially dirty cache lines +when memory is hot-plugged/hot-un-plugged. The support is currently +limited to 64 bit systems. + +The bug was exposed when mappings for a device were actually +hot-unplugged and plugged in back later. A similar issue was observed +during the development of memtrace, but memtrace does it's own +flushing of region via a custom routine. + +These patches do a flush both on hotplug/unplug to clear any stale +data in the cache w.r.t mappings, there is a small race window where a +clean cache line may be created again just prior to tearing down the +mapping. + +The patches were tested by disabling the flush routines in memtrace +and doing I/O on the trace file. The system immediately +checkstops (quite reliablly if prior to the hot-unplug of the memtrace +region, we memset the regions we are about to hot unplug). After these +patches no custom flushing is needed in the memtrace code. 
+ +Fixes: 9d5171a8f248 ("powerpc/powernv: Enable removal of memory for in memory tracing") +Cc: stable@vger.kernel.org # v4.14+ +Signed-off-by: Balbir Singh +Acked-by: Reza Arbab +Reviewed-by: Rashmica Gupta +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/mm/mem.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/powerpc/mm/mem.c ++++ b/arch/powerpc/mm/mem.c +@@ -143,6 +143,7 @@ int arch_add_memory(int nid, u64 start, + start, start + size, rc); + return -EFAULT; + } ++ flush_inval_dcache_range(start, start + size); + + return __add_pages(nid, start_pfn, nr_pages, altmap, want_memblock); + } +@@ -169,6 +170,7 @@ int arch_remove_memory(u64 start, u64 si + + /* Remove htab bolted mappings for this section of memory */ + start = (unsigned long)__va(start); ++ flush_inval_dcache_range(start, start + size); + ret = remove_section_mapping(start, start + size); + + /* Ensure all vmalloc mappings are flushed in case they also diff --git a/queue-4.16/powerpc-powernv-npu-do-a-pid-gpu-tlb-flush-when-invalidating-a-large-address-range.patch b/queue-4.16/powerpc-powernv-npu-do-a-pid-gpu-tlb-flush-when-invalidating-a-large-address-range.patch new file mode 100644 index 00000000000..212e23c65f6 --- /dev/null +++ b/queue-4.16/powerpc-powernv-npu-do-a-pid-gpu-tlb-flush-when-invalidating-a-large-address-range.patch 
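Review bot: `flush_inval_dcache_range(start, start + size)` covers the whole hot(un)plugged range in a single call from both arch_add_memory() and arch_remove_memory(). For large ranges that may run for a long time without a reschedule point, which is worth measuring or bounding by flushing in chunks. In arch_remove_memory() the flush precedes `remove_section_mapping()`, so the refetch window the commit message mentions remains; a comment such as `/* flush before unmapping; lines may be refetched until the mapping is gone */` would record that. In arch_add_memory() it is not visible in the hunk whether `start` is already a virtual address at the point of the call.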
@@ -0,0 +1,73 @@ +From d0cf9b561ca97d5245bb9e0c4774b7fadd897d67 Mon Sep 17 00:00:00 2001 +From: Alistair Popple +Date: Tue, 17 Apr 2018 19:11:28 +1000 +Subject: powerpc/powernv/npu: Do a PID GPU TLB flush when invalidating a large address range + +From: Alistair Popple + +commit d0cf9b561ca97d5245bb9e0c4774b7fadd897d67 upstream. + +The NPU has a limited number of address translation shootdown (ATSD) +registers and the GPU has limited bandwidth to process ATSDs. This can +result in contention of ATSD registers leading to soft lockups on some +threads, particularly when invalidating a large address range in +pnv_npu2_mn_invalidate_range(). + +At some threshold it becomes more efficient to flush the entire GPU +TLB for the given MM context (PID) than individually flushing each +address in the range. This patch will result in ranges greater than +2MB being converted from 32+ ATSDs into a single ATSD which will flush +the TLB for the given PID on each GPU. + +Fixes: 1ab66d1fbada ("powerpc/powernv: Introduce address translation services for Nvlink2") +Cc: stable@vger.kernel.org # v4.12+ +Signed-off-by: Alistair Popple +Acked-by: Balbir Singh +Tested-by: Balbir Singh +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/powernv/npu-dma.c | 23 +++++++++++++++++++---- + 1 file changed, 19 insertions(+), 4 deletions(-) + +--- a/arch/powerpc/platforms/powernv/npu-dma.c ++++ b/arch/powerpc/platforms/powernv/npu-dma.c +@@ -34,6 +34,13 @@ + #define npu_to_phb(x) container_of(x, struct pnv_phb, npu) + + /* ++ * When an address shootdown range exceeds this threshold we invalidate the ++ * entire TLB on the GPU for the given PID rather than each specific address in ++ * the range. ++ */ ++#define ATSD_THRESHOLD (2*1024*1024) ++ ++/* + * Other types of TCE cache invalidation are not functional in the + * hardware. 
+ */ +@@ -627,11 +634,19 @@ static void pnv_npu2_mn_invalidate_range + struct npu_context *npu_context = mn_to_npu_context(mn); + unsigned long address; + +- for (address = start; address < end; address += PAGE_SIZE) +- mmio_invalidate(npu_context, 1, address, false); ++ if (end - start > ATSD_THRESHOLD) { ++ /* ++ * Just invalidate the entire PID if the address range is too ++ * large. ++ */ ++ mmio_invalidate(npu_context, 0, 0, true); ++ } else { ++ for (address = start; address < end; address += PAGE_SIZE) ++ mmio_invalidate(npu_context, 1, address, false); + +- /* Do the flush only on the final addess == end */ +- mmio_invalidate(npu_context, 1, address, true); ++ /* Do the flush only on the final addess == end */ ++ mmio_invalidate(npu_context, 1, address, true); ++ } + } + + static const struct mmu_notifier_ops nv_nmmu_notifier_ops = { diff --git a/queue-4.16/rtc-opal-fix-opal-rtc-driver-opal_busy-loops.patch b/queue-4.16/rtc-opal-fix-opal-rtc-driver-opal_busy-loops.patch new file mode 100644 index 00000000000..0d09c3923b2 --- /dev/null +++ b/queue-4.16/rtc-opal-fix-opal-rtc-driver-opal_busy-loops.patch 
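Review bot: `ATSD_THRESHOLD` is a fixed byte count, while the per-page branch in pnv_npu2_mn_invalidate_range() issues one invalidate per `PAGE_SIZE`, so the number of ATSDs it corresponds to depends on the page size. The comment on the define should state that assumption; the "32+" figure in the commit message implies 64K pages. The PID-wide call `mmio_invalidate(npu_context, 0, 0, true)` passes two bare zeros whose meaning is not evident at the call site, so a short comment naming the arguments would help. The re-indented comment keeps the typo `addess`.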
@@ -0,0 +1,116 @@ +From 682e6b4da5cbe8e9a53f979a58c2a9d7dc997175 Mon Sep 17 00:00:00 2001 +From: Nicholas Piggin +Date: Tue, 10 Apr 2018 21:49:32 +1000 +Subject: rtc: opal: Fix OPAL RTC driver OPAL_BUSY loops + +From: Nicholas Piggin + +commit 682e6b4da5cbe8e9a53f979a58c2a9d7dc997175 upstream. + +The OPAL RTC driver does not sleep in case it gets OPAL_BUSY or +OPAL_BUSY_EVENT from firmware, which causes large scheduling +latencies, up to 50 seconds have been observed here when RTC stops +responding (BMC reboot can do it). + +Fix this by converting it to the standard form OPAL_BUSY loop that +sleeps. + +Fixes: 628daa8d5abf ("powerpc/powernv: Add RTC and NVRAM support plus RTAS fallbacks") +Cc: stable@vger.kernel.org # v3.2+ +Signed-off-by: Nicholas Piggin +Acked-by: Alexandre Belloni +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/powernv/opal-rtc.c | 8 ++++-- + drivers/rtc/rtc-opal.c | 37 ++++++++++++++++++------------ + 2 files changed, 28 insertions(+), 17 deletions(-) + +--- a/arch/powerpc/platforms/powernv/opal-rtc.c ++++ b/arch/powerpc/platforms/powernv/opal-rtc.c +@@ -48,10 +48,12 @@ unsigned long __init opal_get_boot_time( + + while (rc == OPAL_BUSY || rc == OPAL_BUSY_EVENT) { + rc = opal_rtc_read(&__y_m_d, &__h_m_s_ms); +- if (rc == OPAL_BUSY_EVENT) ++ if (rc == OPAL_BUSY_EVENT) { ++ mdelay(OPAL_BUSY_DELAY_MS); + opal_poll_events(NULL); +- else if (rc == OPAL_BUSY) +- mdelay(10); ++ } else if (rc == OPAL_BUSY) { ++ mdelay(OPAL_BUSY_DELAY_MS); ++ } + } + if (rc != OPAL_SUCCESS) + return 0; +--- a/drivers/rtc/rtc-opal.c ++++ b/drivers/rtc/rtc-opal.c +@@ -57,7 +57,7 @@ static void tm_to_opal(struct rtc_time * + + static int opal_get_rtc_time(struct device *dev, struct rtc_time *tm) + { +- long rc = OPAL_BUSY; ++ s64 rc = OPAL_BUSY; + int retries = 10; + u32 y_m_d; + u64 h_m_s_ms; +@@ -66,13 +66,17 @@ static int opal_get_rtc_time(struct devi + + while (rc == OPAL_BUSY || rc == OPAL_BUSY_EVENT) { + rc = 
opal_rtc_read(&__y_m_d, &__h_m_s_ms); +- if (rc == OPAL_BUSY_EVENT) ++ if (rc == OPAL_BUSY_EVENT) { ++ msleep(OPAL_BUSY_DELAY_MS); + opal_poll_events(NULL); +- else if (retries-- && (rc == OPAL_HARDWARE +- || rc == OPAL_INTERNAL_ERROR)) +- msleep(10); +- else if (rc != OPAL_BUSY && rc != OPAL_BUSY_EVENT) +- break; ++ } else if (rc == OPAL_BUSY) { ++ msleep(OPAL_BUSY_DELAY_MS); ++ } else if (rc == OPAL_HARDWARE || rc == OPAL_INTERNAL_ERROR) { ++ if (retries--) { ++ msleep(10); /* Wait 10ms before retry */ ++ rc = OPAL_BUSY; /* go around again */ ++ } ++ } + } + + if (rc != OPAL_SUCCESS) +@@ -87,21 +91,26 @@ static int opal_get_rtc_time(struct devi + + static int opal_set_rtc_time(struct device *dev, struct rtc_time *tm) + { +- long rc = OPAL_BUSY; ++ s64 rc = OPAL_BUSY; + int retries = 10; + u32 y_m_d = 0; + u64 h_m_s_ms = 0; + + tm_to_opal(tm, &y_m_d, &h_m_s_ms); ++ + while (rc == OPAL_BUSY || rc == OPAL_BUSY_EVENT) { + rc = opal_rtc_write(y_m_d, h_m_s_ms); +- if (rc == OPAL_BUSY_EVENT) ++ if (rc == OPAL_BUSY_EVENT) { ++ msleep(OPAL_BUSY_DELAY_MS); + opal_poll_events(NULL); +- else if (retries-- && (rc == OPAL_HARDWARE +- || rc == OPAL_INTERNAL_ERROR)) +- msleep(10); +- else if (rc != OPAL_BUSY && rc != OPAL_BUSY_EVENT) +- break; ++ } else if (rc == OPAL_BUSY) { ++ msleep(OPAL_BUSY_DELAY_MS); ++ } else if (rc == OPAL_HARDWARE || rc == OPAL_INTERNAL_ERROR) { ++ if (retries--) { ++ msleep(10); /* Wait 10ms before retry */ ++ rc = OPAL_BUSY; /* go around again */ ++ } ++ } + } + + return rc == OPAL_SUCCESS ? 0 : -EIO; diff --git a/queue-4.16/series b/queue-4.16/series index c94945cdb4c..e5e8d1a9150 100644 --- a/queue-4.16/series +++ b/queue-4.16/series 
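Review bot: The OPAL_BUSY and OPAL_BUSY_EVENT branches in all three loops (opal_get_boot_time(), opal_get_rtc_time(), opal_set_rtc_time()) have no iteration bound; `retries` only limits the OPAL_HARDWARE / OPAL_INTERNAL_ERROR path. The commit message says the RTC can stop responding during a BMC reboot, so firmware that keeps answering busy holds the caller in the loop for as long as that lasts, and in opal_get_boot_time() the wait is an `mdelay()` on the boot path. If an unbounded wait is not intended, count busy iterations too and fall through to the existing `rc != OPAL_SUCCESS` handling once a cap is reached, for example `if (!busy_tries--) break;` with `busy_tries` as a new local (name illustrative). If it is intended, a one-line comment on each loop saying the busy wait is deliberately unbounded would save the next reader the question.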
@@ -64,3 +64,43 @@ blk-mq-start-request-gstate-with-gen-1.patch
 bfq-iosched-ensure-to-clear-bic-bfqq-pointers-when-preparing-request.patch
 block-do-not-use-interruptible-wait-anywhere.patch
 vfio-ccw-process-ssch-with-interrupts-disabled.patch
+smb311-fix-reconnect.patch
+android-binder-prevent-transactions-into-own-process.patch
+pci-aardvark-fix-logic-in-advk_pcie_-rd-wr-_conf.patch
+pci-aardvark-set-pio_addr_ls-correctly-in-advk_pcie_rd_conf.patch
+pci-aardvark-use-isr1-instead-of-isr0-interrupt-in-legacy-irq-mode.patch
+pci-aardvark-fix-pcie-max-read-request-size-setting.patch
+arm-amba-make-driver_override-output-consistent-with-other-buses.patch
+arm-amba-fix-race-condition-with-driver_override.patch
+arm-amba-don-t-read-past-the-end-of-sysfs-driver_override-buffer.patch
+arm-dts-fix-nas4220b-pin-config.patch
+arm-socfpga_defconfig-remove-qspi-sector-4k-size-force.patch
+kvm-arm-arm64-close-vmid-generation-race.patch
+slimbus-fix-out-of-bounds-access-in-slim_slicesize.patch
+powerpc-mm-flush-cache-on-memory-hot-un-plug.patch
+powerpc-mce-fix-a-bug-where-mce-loops-on-memory-ue.patch
+powerpc-powernv-npu-do-a-pid-gpu-tlb-flush-when-invalidating-a-large-address-range.patch
+crypto-drbg-set-freed-buffers-to-null.patch
+asoc-dmic-fix-clock-parenting.patch
+asoc-fsl_esai-fix-divisor-calculation-failure-at-lower-ratio.patch
+libceph-un-backoff-on-tick-when-we-have-a-authenticated-session.patch
+libceph-reschedule-a-tick-in-finish_hunting.patch
+libceph-validate-con-state-at-the-top-of-try_write.patch
+pci-pm-do-not-clear-state_saved-in-pci_pm_freeze-when-smart-suspend-is-set.patch
+virt-vbox-move-declarations-of-vboxguest-private-functions-to-private-header.patch
+virt-vbox-add-vbg_req_free-helper-function.patch
+virt-vbox-use-__get_free_pages-instead-of-kmalloc-for-dma32-memory.patch
+fpga-manager-altera-ps-spi-preserve-nconfig-state.patch
+module-fix-display-of-wrong-module-.text-address.patch
+earlycon-use-a-pointer-table-to-fix-__earlycon_table-stride.patch
+cpufreq-powernv-fix-hardlockup-due-to-synchronous-smp_call-in-timer-interrupt.patch
+rtc-opal-fix-opal-rtc-driver-opal_busy-loops.patch
+drm-edid-reset-more-of-the-display-info.patch
+drm-amdgpu-set-compute_pgm_rsrc1-for-sgpr-vgpr-clearing-shaders.patch
+drm-i915-fbdev-enable-late-fbdev-initial-configuration.patch
+drm-i915-audio-set-minimum-cd-clock-to-twice-the-bclk.patch
+drm-i915-enable-display-wa-1183-from-its-correct-spot.patch
+drm-amd-display-fix-deadlock-when-flushing-irq.patch
+drm-amd-display-don-t-read-edid-in-atomic_check.patch
+drm-amd-display-disallow-enabling-crtc-without-primary-plane-with-fb.patch
+objtool-perf-fix-gcc-8-wrestrict-error.patch
diff --git a/queue-4.16/slimbus-fix-out-of-bounds-access-in-slim_slicesize.patch b/queue-4.16/slimbus-fix-out-of-bounds-access-in-slim_slicesize.patch
new file mode 100644
index 00000000000..dd1ab7bfb75
--- /dev/null
+++ b/queue-4.16/slimbus-fix-out-of-bounds-access-in-slim_slicesize.patch
@@ -0,0 +1,43 @@
+From e33bbe69149b802c0c77bfb822685772f85388ca Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven
+Date: Sun, 8 Apr 2018 11:02:34 +0200
+Subject: slimbus: Fix out-of-bounds access in slim_slicesize()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Geert Uytterhoeven
+
+commit e33bbe69149b802c0c77bfb822685772f85388ca upstream.
+
+With gcc-4.1.2:
+
+ slimbus/messaging.c: In function ‘slim_slicesize’:
+ slimbus/messaging.c:186: warning: statement with no effect
+
+Indeed, clamp() is a macro not operating in-place, but returning the
+clamped value. Hence the value is not clamped at all, which may lead to
+an out-of-bounds access.
+
+Fix this by assigning the clamped value.
+
+Fixes: afbdcc7c384b0d44 ("slimbus: Add messaging APIs to slimbus framework")
+Signed-off-by: Geert Uytterhoeven
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/slimbus/messaging.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/slimbus/messaging.c
++++ b/drivers/slimbus/messaging.c
+@@ -183,7 +183,7 @@ static u16 slim_slicesize(int code)
+ 0, 1, 2, 3, 3, 4, 4, 5, 5, 5, 5, 6, 6, 6, 6, 7
+ };
+
+- clamp(code, 1, (int)ARRAY_SIZE(sizetocode));
++ code = clamp(code, 1, (int)ARRAY_SIZE(sizetocode));
+
+ return sizetocode[code - 1];
+ }
diff --git a/queue-4.16/smb311-fix-reconnect.patch b/queue-4.16/smb311-fix-reconnect.patch
new file mode 100644
index 00000000000..70968965c10
--- /dev/null
+++ b/queue-4.16/smb311-fix-reconnect.patch
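Review bot: The new assignment silently maps any out-of-range `code` onto the first or last table entry, so a caller passing a bad value gets a plausible slice size rather than an error. That keeps the `sizetocode[code - 1]` read in bounds, which is what the fix needs, but the contract should be written down next to the clamp: `/* code is 1-based; values outside 1..ARRAY_SIZE(sizetocode) are clamped */`. The start of slim_slicesize() and of the table are outside the hunk, so whether callers can actually supply such values is not visible here.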
@@ -0,0 +1,44 @@
+From 0d5ec281c0175d10f8d9be4d4a9c5fb37767ed00 Mon Sep 17 00:00:00 2001
+From: Steve French
+Date: Sun, 22 Apr 2018 19:51:22 -0500
+Subject: SMB311: Fix reconnect
+
+From: Steve French
+
+commit 0d5ec281c0175d10f8d9be4d4a9c5fb37767ed00 upstream.
+
+The preauth hash was not being recalculated properly on reconnect
+of SMB3.11 dialect mounts (which caused access denied repeatedly
+on auto-reconnect).
+
+Fixes: 8bd68c6e47ab ("CIFS: implement v3.11 preauth integrity")
+
+Signed-off-by: Steve French
+CC: Stable
+Reviewed-by: Ronnie Sahlberg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/transport.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/transport.c
++++ b/fs/cifs/transport.c
+@@ -753,7 +753,7 @@ cifs_send_recv(const unsigned int xid, s
+ goto out;
+
+ #ifdef CONFIG_CIFS_SMB311
+- if (ses->status == CifsNew)
++ if ((ses->status == CifsNew) || (optype & CIFS_NEG_OP))
+ smb311_update_preauth_hash(ses, rqst->rq_iov+1,
+ rqst->rq_nvec-1);
+ #endif
+@@ -797,7 +797,7 @@ cifs_send_recv(const unsigned int xid, s
+ *resp_buf_type = CIFS_SMALL_BUFFER;
+
+ #ifdef CONFIG_CIFS_SMB311
+- if (ses->status == CifsNew) {
++ if ((ses->status == CifsNew) || (optype & CIFS_NEG_OP)) {
+ struct kvec iov = {
+ .iov_base = buf + 4,
+ .iov_len = get_rfc1002_length(buf)
diff --git a/queue-4.16/virt-vbox-add-vbg_req_free-helper-function.patch b/queue-4.16/virt-vbox-add-vbg_req_free-helper-function.patch
new file mode 100644
index 00000000000..bb487df930c
--- /dev/null
+++ b/queue-4.16/virt-vbox-add-vbg_req_free-helper-function.patch
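Review bot: The condition `(ses->status == CifsNew) || (optype & CIFS_NEG_OP)` is now written out twice in cifs_send_recv(), once before the request is hashed and once for the response, and the preauth integrity hash presumably only stays consistent if both sites make the same decision. Evaluating it once before the send, e.g. `const bool update_preauth = ses->status == CifsNew || (optype & CIFS_NEG_OP);` under the same `#ifdef CONFIG_CIFS_SMB311`, and testing `update_preauth` at both sites keeps them from drifting apart. It would also cover `ses->status` changing between the two checks, if that can happen on this path. The extra parentheses around `ses->status == CifsNew` are not needed. The function body starts and ends outside both hunks.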
@@ -0,0 +1,261 @@ +From f6f9885b0531163f72c7bf898a0ab1ba4c7d5de6 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Wed, 18 Apr 2018 15:24:48 +0200 +Subject: virt: vbox: Add vbg_req_free() helper function + +From: Hans de Goede + +commit f6f9885b0531163f72c7bf898a0ab1ba4c7d5de6 upstream. + +This is a preparation patch for fixing issues on x86_64 virtual-machines +with more then 4G of RAM, atm we pass __GFP_DMA32 to kmalloc, but kmalloc +does not honor that, so we need to switch to get_pages, which means we +will not be able to use kfree to free memory allocated with vbg_alloc_req. + +While at it also remove a comment on a vbg_alloc_req call which talks +about Windows (inherited from the vbox upstream cross-platform code). + +Cc: stable@vger.kernel.org +Signed-off-by: Hans de Goede +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/virt/vboxguest/vboxguest_core.c | 66 ++++++++++++++++--------------- + drivers/virt/vboxguest/vboxguest_core.h | 1 + drivers/virt/vboxguest/vboxguest_utils.c | 14 +++++- + 3 files changed, 47 insertions(+), 34 deletions(-) + +--- a/drivers/virt/vboxguest/vboxguest_core.c ++++ b/drivers/virt/vboxguest/vboxguest_core.c +@@ -114,7 +114,7 @@ static void vbg_guest_mappings_init(stru + } + + out: +- kfree(req); ++ vbg_req_free(req, sizeof(*req)); + kfree(pages); + } + +@@ -144,7 +144,7 @@ static void vbg_guest_mappings_exit(stru + + rc = vbg_req_perform(gdev, req); + +- kfree(req); ++ vbg_req_free(req, sizeof(*req)); + + if (rc < 0) { + vbg_err("%s error: %d\n", __func__, rc); +@@ -214,8 +214,8 @@ static int vbg_report_guest_info(struct + ret = vbg_status_code_to_errno(rc); + + out_free: +- kfree(req2); +- kfree(req1); ++ vbg_req_free(req2, sizeof(*req2)); ++ vbg_req_free(req1, sizeof(*req1)); + return ret; + } + +@@ -245,7 +245,7 @@ static int vbg_report_driver_status(stru + if (rc == VERR_NOT_IMPLEMENTED) /* Compatibility with older hosts. 
*/ + rc = VINF_SUCCESS; + +- kfree(req); ++ vbg_req_free(req, sizeof(*req)); + + return vbg_status_code_to_errno(rc); + } +@@ -431,7 +431,7 @@ static int vbg_heartbeat_host_config(str + rc = vbg_req_perform(gdev, req); + do_div(req->interval_ns, 1000000); /* ns -> ms */ + gdev->heartbeat_interval_ms = req->interval_ns; +- kfree(req); ++ vbg_req_free(req, sizeof(*req)); + + return vbg_status_code_to_errno(rc); + } +@@ -454,12 +454,6 @@ static int vbg_heartbeat_init(struct vbg + if (ret < 0) + return ret; + +- /* +- * Preallocate the request to use it from the timer callback because: +- * 1) on Windows vbg_req_alloc must be called at IRQL <= APC_LEVEL +- * and the timer callback runs at DISPATCH_LEVEL; +- * 2) avoid repeated allocations. +- */ + gdev->guest_heartbeat_req = vbg_req_alloc( + sizeof(*gdev->guest_heartbeat_req), + VMMDEVREQ_GUEST_HEARTBEAT); +@@ -481,8 +475,8 @@ static void vbg_heartbeat_exit(struct vb + { + del_timer_sync(&gdev->heartbeat_timer); + vbg_heartbeat_host_config(gdev, false); +- kfree(gdev->guest_heartbeat_req); +- ++ vbg_req_free(gdev->guest_heartbeat_req, ++ sizeof(*gdev->guest_heartbeat_req)); + } + + /** +@@ -543,7 +537,7 @@ static int vbg_reset_host_event_filter(s + if (rc < 0) + vbg_err("%s error, rc: %d\n", __func__, rc); + +- kfree(req); ++ vbg_req_free(req, sizeof(*req)); + return vbg_status_code_to_errno(rc); + } + +@@ -617,7 +611,7 @@ static int vbg_set_session_event_filter( + + out: + mutex_unlock(&gdev->session_mutex); +- kfree(req); ++ vbg_req_free(req, sizeof(*req)); + + return ret; + } +@@ -642,7 +636,7 @@ static int vbg_reset_host_capabilities(s + if (rc < 0) + vbg_err("%s error, rc: %d\n", __func__, rc); + +- kfree(req); ++ vbg_req_free(req, sizeof(*req)); + return vbg_status_code_to_errno(rc); + } + +@@ -712,7 +706,7 @@ static int vbg_set_session_capabilities( + + out: + mutex_unlock(&gdev->session_mutex); +- kfree(req); ++ vbg_req_free(req, sizeof(*req)); + + return ret; + } +@@ -749,7 +743,7 @@ static int 
vbg_query_host_version(struct + } + + out: +- kfree(req); ++ vbg_req_free(req, sizeof(*req)); + return ret; + } + +@@ -847,11 +841,16 @@ int vbg_core_init(struct vbg_dev *gdev, + return 0; + + err_free_reqs: +- kfree(gdev->mouse_status_req); +- kfree(gdev->ack_events_req); +- kfree(gdev->cancel_req); +- kfree(gdev->mem_balloon.change_req); +- kfree(gdev->mem_balloon.get_req); ++ vbg_req_free(gdev->mouse_status_req, ++ sizeof(*gdev->mouse_status_req)); ++ vbg_req_free(gdev->ack_events_req, ++ sizeof(*gdev->ack_events_req)); ++ vbg_req_free(gdev->cancel_req, ++ sizeof(*gdev->cancel_req)); ++ vbg_req_free(gdev->mem_balloon.change_req, ++ sizeof(*gdev->mem_balloon.change_req)); ++ vbg_req_free(gdev->mem_balloon.get_req, ++ sizeof(*gdev->mem_balloon.get_req)); + return ret; + } + +@@ -872,11 +871,16 @@ void vbg_core_exit(struct vbg_dev *gdev) + vbg_reset_host_capabilities(gdev); + vbg_core_set_mouse_status(gdev, 0); + +- kfree(gdev->mouse_status_req); +- kfree(gdev->ack_events_req); +- kfree(gdev->cancel_req); +- kfree(gdev->mem_balloon.change_req); +- kfree(gdev->mem_balloon.get_req); ++ vbg_req_free(gdev->mouse_status_req, ++ sizeof(*gdev->mouse_status_req)); ++ vbg_req_free(gdev->ack_events_req, ++ sizeof(*gdev->ack_events_req)); ++ vbg_req_free(gdev->cancel_req, ++ sizeof(*gdev->cancel_req)); ++ vbg_req_free(gdev->mem_balloon.change_req, ++ sizeof(*gdev->mem_balloon.change_req)); ++ vbg_req_free(gdev->mem_balloon.get_req, ++ sizeof(*gdev->mem_balloon.get_req)); + } + + /** +@@ -1415,7 +1419,7 @@ static int vbg_ioctl_write_core_dump(str + req->flags = dump->u.in.flags; + dump->hdr.rc = vbg_req_perform(gdev, req); + +- kfree(req); ++ vbg_req_free(req, sizeof(*req)); + return 0; + } + +@@ -1513,7 +1517,7 @@ int vbg_core_set_mouse_status(struct vbg + if (rc < 0) + vbg_err("%s error, rc: %d\n", __func__, rc); + +- kfree(req); ++ vbg_req_free(req, sizeof(*req)); + return vbg_status_code_to_errno(rc); + } + +--- a/drivers/virt/vboxguest/vboxguest_core.h ++++ 
b/drivers/virt/vboxguest/vboxguest_core.h +@@ -173,6 +173,7 @@ void vbg_linux_mouse_event(struct vbg_de + + /* Private (non exported) functions form vboxguest_utils.c */ + void *vbg_req_alloc(size_t len, enum vmmdev_request_type req_type); ++void vbg_req_free(void *req, size_t len); + int vbg_req_perform(struct vbg_dev *gdev, void *req); + int vbg_hgcm_call32( + struct vbg_dev *gdev, u32 client_id, u32 function, u32 timeout_ms, +--- a/drivers/virt/vboxguest/vboxguest_utils.c ++++ b/drivers/virt/vboxguest/vboxguest_utils.c +@@ -82,6 +82,14 @@ void *vbg_req_alloc(size_t len, enum vmm + return req; + } + ++void vbg_req_free(void *req, size_t len) ++{ ++ if (!req) ++ return; ++ ++ kfree(req); ++} ++ + /* Note this function returns a VBox status code, not a negative errno!! */ + int vbg_req_perform(struct vbg_dev *gdev, void *req) + { +@@ -137,7 +145,7 @@ int vbg_hgcm_connect(struct vbg_dev *gde + rc = hgcm_connect->header.result; + } + +- kfree(hgcm_connect); ++ vbg_req_free(hgcm_connect, sizeof(*hgcm_connect)); + + *vbox_status = rc; + return 0; +@@ -166,7 +174,7 @@ int vbg_hgcm_disconnect(struct vbg_dev * + if (rc >= 0) + rc = hgcm_disconnect->header.result; + +- kfree(hgcm_disconnect); ++ vbg_req_free(hgcm_disconnect, sizeof(*hgcm_disconnect)); + + *vbox_status = rc; + return 0; +@@ -623,7 +631,7 @@ int vbg_hgcm_call(struct vbg_dev *gdev, + } + + if (!leak_it) +- kfree(call); ++ vbg_req_free(call, size); + + free_bounce_bufs: + if (bounce_bufs) { diff --git a/queue-4.16/virt-vbox-move-declarations-of-vboxguest-private-functions-to-private-header.patch b/queue-4.16/virt-vbox-move-declarations-of-vboxguest-private-functions-to-private-header.patch new file mode 100644 index 00000000000..8b592fb3e8b --- /dev/null +++ b/queue-4.16/virt-vbox-move-declarations-of-vboxguest-private-functions-to-private-header.patch 
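Review bot: `vbg_req_free()` takes a `len` that its body ignores in this patch, and nothing states that it must be the length originally given to `vbg_req_alloc()`. The follow-up patch on this page feeds it to `get_order()` for `free_pages()`, so a mismatched size at any converted call site would free with the wrong order; a comment above the definition would pin the contract down, e.g. `/* @len must be the len that was passed to vbg_req_alloc() for @req */`. The `if (!req) return;` guard is redundant here because `kfree()` already accepts NULL. The allocation sites for the `gdev->*_req` buffers are outside the hunks, so I could not check that their sizes match the `sizeof(*...)` expressions used at the free sites.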
@@ -0,0 +1,76 @@
+From 02cfde67df1f440c7c3c7038cc97992afb81804f Mon Sep 17 00:00:00 2001
+From: Hans de Goede
+Date: Wed, 18 Apr 2018 15:24:47 +0200
+Subject: virt: vbox: Move declarations of vboxguest private functions to private header
+
+From: Hans de Goede
+
+commit 02cfde67df1f440c7c3c7038cc97992afb81804f upstream.
+
+Move the declarations of functions from vboxguest_utils.c which are only
+meant for vboxguest internal use from include/linux/vbox_utils.h to
+drivers/virt/vboxguest/vboxguest_core.h.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Hans de Goede
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/virt/vboxguest/vboxguest_core.h | 8 ++++++++
+ include/linux/vbox_utils.h | 23 -----------------------
+ 2 files changed, 8 insertions(+), 23 deletions(-)
+
+--- a/drivers/virt/vboxguest/vboxguest_core.h
++++ b/drivers/virt/vboxguest/vboxguest_core.h
+@@ -171,4 +171,12 @@ irqreturn_t vbg_core_isr(int irq, void *
+
+ void vbg_linux_mouse_event(struct vbg_dev *gdev);
+
++/* Private (non exported) functions form vboxguest_utils.c */
++void *vbg_req_alloc(size_t len, enum vmmdev_request_type req_type);
++int vbg_req_perform(struct vbg_dev *gdev, void *req);
++int vbg_hgcm_call32(
++ struct vbg_dev *gdev, u32 client_id, u32 function, u32 timeout_ms,
++ struct vmmdev_hgcm_function_parameter32 *parm32, u32 parm_count,
++ int *vbox_status);
++
+ #endif
+--- a/include/linux/vbox_utils.h
++++ b/include/linux/vbox_utils.h
+@@ -24,24 +24,6 @@ __printf(1, 2) void vbg_debug(const char
+ #define vbg_debug pr_debug
+ #endif
+
+-/**
+- * Allocate memory for generic request and initialize the request header.
+- *
+- * Return: the allocated memory
+- * @len: Size of memory block required for the request.
+- * @req_type: The generic request type.
+- */
+-void *vbg_req_alloc(size_t len, enum vmmdev_request_type req_type);
+-
+-/**
+- * Perform a generic request.
+- *
+- * Return: VBox status code
+- * @gdev: The Guest extension device.
+- * @req: Pointer to the request structure.
+- */
+-int vbg_req_perform(struct vbg_dev *gdev, void *req);
+-
+ int vbg_hgcm_connect(struct vbg_dev *gdev,
+ struct vmmdev_hgcm_service_location *loc,
+ u32 *client_id, int *vbox_status);
+@@ -52,11 +34,6 @@ int vbg_hgcm_call(struct vbg_dev *gdev,
+ u32 timeout_ms, struct vmmdev_hgcm_function_parameter *parms,
+ u32 parm_count, int *vbox_status);
+
+-int vbg_hgcm_call32(
+- struct vbg_dev *gdev, u32 client_id, u32 function, u32 timeout_ms,
+- struct vmmdev_hgcm_function_parameter32 *parm32, u32 parm_count,
+- int *vbox_status);
+-
+ /**
+ * Convert a VirtualBox status code to a standard Linux kernel return value.
+ * Return: 0 or negative errno value.
diff --git a/queue-4.16/virt-vbox-use-__get_free_pages-instead-of-kmalloc-for-dma32-memory.patch b/queue-4.16/virt-vbox-use-__get_free_pages-instead-of-kmalloc-for-dma32-memory.patch
new file mode 100644
index 00000000000..880f6b8fbc8
--- /dev/null
+++ b/queue-4.16/virt-vbox-use-__get_free_pages-instead-of-kmalloc-for-dma32-memory.patch
@@ -0,0 +1,91 @@
+From faf6a2a44164c0fb2c2a82692ab9051917514bce Mon Sep 17 00:00:00 2001
+From: Hans de Goede
+Date: Wed, 18 Apr 2018 15:24:49 +0200
+Subject: virt: vbox: Use __get_free_pages instead of kmalloc for DMA32 memory
+
+From: Hans de Goede
+
+commit faf6a2a44164c0fb2c2a82692ab9051917514bce upstream.
+
+It is not possible to get DMA32 zone memory through kmalloc, causing
+the vboxguest driver to malfunction due to getting memory above
+4G which the PCI device cannot handle.
+
+This commit changes the kmalloc calls where the 4G limit matters to
+using __get_free_pages() fixing vboxguest not working on x86_64 guests
+with more then 4G RAM.
+
+Cc: stable@vger.kernel.org
+Reported-by: Eloy Coto Pereiro
+Signed-off-by: Hans de Goede
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/virt/vboxguest/vboxguest_linux.c | 19 ++++++++++++++++---
+ drivers/virt/vboxguest/vboxguest_utils.c | 5 +++--
+ 2 files changed, 19 insertions(+), 5 deletions(-)
+
+--- a/drivers/virt/vboxguest/vboxguest_linux.c
++++ b/drivers/virt/vboxguest/vboxguest_linux.c
+@@ -87,6 +87,7 @@ static long vbg_misc_device_ioctl(struct
+ struct vbg_session *session = filp->private_data;
+ size_t returned_size, size;
+ struct vbg_ioctl_hdr hdr;
++ bool is_vmmdev_req;
+ int ret = 0;
+ void *buf;
+
+@@ -106,8 +107,17 @@ static long vbg_misc_device_ioctl(struct
+ if (size > SZ_16M)
+ return -E2BIG;
+
+- /* __GFP_DMA32 because IOCTL_VMMDEV_REQUEST passes this to the host */
+- buf = kmalloc(size, GFP_KERNEL | __GFP_DMA32);
++ /*
++ * IOCTL_VMMDEV_REQUEST needs the buffer to be below 4G to avoid
++ * the need for a bounce-buffer and another copy later on.
++ */
++ is_vmmdev_req = (req & ~IOCSIZE_MASK) == VBG_IOCTL_VMMDEV_REQUEST(0) ||
++ req == VBG_IOCTL_VMMDEV_REQUEST_BIG;
++
++ if (is_vmmdev_req)
++ buf = vbg_req_alloc(size, VBG_IOCTL_HDR_TYPE_DEFAULT);
++ else
++ buf = kmalloc(size, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
+
+@@ -132,7 +142,10 @@ static long vbg_misc_device_ioctl(struct
+ ret = -EFAULT;
+
+ out:
+- kfree(buf);
++ if (is_vmmdev_req)
++ vbg_req_free(buf, size);
++ else
++ kfree(buf);
+
+ return ret;
+ }
+--- a/drivers/virt/vboxguest/vboxguest_utils.c
++++ b/drivers/virt/vboxguest/vboxguest_utils.c
+@@ -65,8 +65,9 @@ VBG_LOG(vbg_debug, pr_debug);
+ void *vbg_req_alloc(size_t len, enum vmmdev_request_type req_type)
+ {
+ struct vmmdev_request_header *req;
++ int order = get_order(PAGE_ALIGN(len));
+
+- req = kmalloc(len, GFP_KERNEL | __GFP_DMA32);
++ req = (void *)__get_free_pages(GFP_KERNEL | GFP_DMA32, order);
+ if (!req)
+ return NULL;
+
+@@ -87,7 +88,7 @@ void vbg_req_free(void *req, size_t len)
+ if (!req)
+ return;
+
+- kfree(req);
++ free_pages((unsigned long)req, get_order(PAGE_ALIGN(len)));
+ }
+
+ /* Note this function returns a VBox status code, not a negative errno!! */
-- 2.47.3
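Review bot: On the `is_vmmdev_req` path the caller-supplied `size`, bounded only by the `SZ_16M` check above, now selects the order of a physically contiguous DMA32 allocation through `vbg_req_alloc()`. The request is rounded up to a power-of-two number of pages and a high-order allocation can fail under fragmentation, so I would reject sizes above the driver's VMMDev request limit before allocating on this path; whether such a check exists later in the ioctl is outside the hunk. Passing `VBG_IOCTL_HDR_TYPE_DEFAULT` as the `enum vmmdev_request_type` argument also needs a comment, e.g. `/* req_type is a placeholder; the header is filled from the user buffer below */`, if that is indeed what happens after the hunk. vbg_misc_device_ioctl() starts and ends outside these hunks.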