From c9efcc5e85b3ad4ce263dc058b225d2396ec7257 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Tue, 23 Jul 2019 11:51:45 +0200 Subject: [PATCH] 5.1-stable patches added patches: arm64-tegra-update-jetson-tx1-gpu-regulator-timings.patch bcache-destroy-dc-writeback_write_wq-if-failed-to-create-dc-writeback_thread.patch bcache-fix-mistaken-sysfs-entry-for-io_error-counter.patch bcache-ignore-read-ahead-request-failure-on-backing-device.patch bcache-revert-bcache-fix-high-cpu-occupancy-during-journal.patch bcache-revert-bcache-free-heap-cache_set-flush_btree-in-bch_journal_free.patch cifs-always-add-credits-back-for-unsolicited-pdus.patch cifs-fix-crash-in-smb2_compound_op-smb2_set_next_command.patch cifs-fix-deadlock-in-cached-root-handling.patch cifs-flush-before-set-info-if-we-have-writeable-handles.patch cifs-properly-handle-auto-disabling-of-serverino-option.patch input-alps-don-t-handle-alps-cs19-trackpoint-only-device.patch input-alps-fix-a-mismatch-between-a-condition-check-and-its-comment.patch input-gtco-bounds-check-collection-indent-level.patch input-synaptics-whitelist-lenovo-t580-smbus-intertouch.patch iwlwifi-add-support-for-hr1-rf-id.patch iwlwifi-don-t-warn-when-calling-iwl_get_shared_mem_conf-with-rf-kill.patch iwlwifi-fix-rf-kill-interrupt-while-fw-load-for-gen2-devices.patch iwlwifi-mvm-clear-rfkill_safe_init_done-when-we-start-the-firmware.patch iwlwifi-mvm-delay-gtk-setting-in-fw-in-ap-mode.patch iwlwifi-pcie-don-t-service-an-interrupt-that-was-masked.patch iwlwifi-pcie-fix-alive-interrupt-handling-for-gen2-devices-w-o-msi-x.patch opp-don-t-use-is_err-on-invalid-supplies.patch regulator-s2mps11-fix-buck7-and-buck8-wrong-voltages.patch regulator-s2mps11-fix-err_ptr-dereference-on-gpio-lookup-failure.patch revert-bcache-set-cache_set_io_disable-in-bch_cached_dev_error.patch --- ...ate-jetson-tx1-gpu-regulator-timings.patch | 38 +++++ ...failed-to-create-dc-writeback_thread.patch | 36 +++++ ...ken-sysfs-entry-for-io_error-counter.patch | 45 ++++++ ...ad-request-failure-on-backing-device.patch | 57 +++++++ 
...ix-high-cpu-occupancy-during-journal.patch | 126 +++++++++++++++ ..._set-flush_btree-in-bch_journal_free.patch | 36 +++++ ...dd-credits-back-for-unsolicited-pdus.patch | 36 +++++ ...b2_compound_op-smb2_set_next_command.patch | 118 ++++++++++++++ ...fix-deadlock-in-cached-root-handling.patch | 91 +++++++++++ ...et-info-if-we-have-writeable-handles.patch | 61 +++++++ ...e-auto-disabling-of-serverino-option.patch | 69 ++++++++ ...dle-alps-cs19-trackpoint-only-device.patch | 101 ++++++++++++ ...en-a-condition-check-and-its-comment.patch | 38 +++++ ...bounds-check-collection-indent-level.patch | 79 +++++++++ ...itelist-lenovo-t580-smbus-intertouch.patch | 32 ++++ .../iwlwifi-add-support-for-hr1-rf-id.patch | 51 ++++++ ...iwl_get_shared_mem_conf-with-rf-kill.patch | 66 ++++++++ ...rrupt-while-fw-load-for-gen2-devices.patch | 148 +++++++++++++++++ ...init_done-when-we-start-the-firmware.patch | 55 +++++++ ...m-delay-gtk-setting-in-fw-in-ap-mode.patch | 150 ++++++++++++++++++ ...service-an-interrupt-that-was-masked.patch | 72 +++++++++ ...-handling-for-gen2-devices-w-o-msi-x.patch | 72 +++++++++ ...don-t-use-is_err-on-invalid-supplies.patch | 40 +++++ ...1-fix-buck7-and-buck8-wrong-voltages.patch | 42 +++++ ...r-dereference-on-gpio-lookup-failure.patch | 40 +++++ ...t_io_disable-in-bch_cached_dev_error.patch | 65 ++++++++ queue-5.1/series | 26 +++ 27 files changed, 1790 insertions(+) create mode 100644 queue-5.1/arm64-tegra-update-jetson-tx1-gpu-regulator-timings.patch create mode 100644 queue-5.1/bcache-destroy-dc-writeback_write_wq-if-failed-to-create-dc-writeback_thread.patch create mode 100644 queue-5.1/bcache-fix-mistaken-sysfs-entry-for-io_error-counter.patch create mode 100644 queue-5.1/bcache-ignore-read-ahead-request-failure-on-backing-device.patch create mode 100644 queue-5.1/bcache-revert-bcache-fix-high-cpu-occupancy-during-journal.patch create mode 100644 queue-5.1/bcache-revert-bcache-free-heap-cache_set-flush_btree-in-bch_journal_free.patch create mode 
100644 queue-5.1/cifs-always-add-credits-back-for-unsolicited-pdus.patch create mode 100644 queue-5.1/cifs-fix-crash-in-smb2_compound_op-smb2_set_next_command.patch create mode 100644 queue-5.1/cifs-fix-deadlock-in-cached-root-handling.patch create mode 100644 queue-5.1/cifs-flush-before-set-info-if-we-have-writeable-handles.patch create mode 100644 queue-5.1/cifs-properly-handle-auto-disabling-of-serverino-option.patch create mode 100644 queue-5.1/input-alps-don-t-handle-alps-cs19-trackpoint-only-device.patch create mode 100644 queue-5.1/input-alps-fix-a-mismatch-between-a-condition-check-and-its-comment.patch create mode 100644 queue-5.1/input-gtco-bounds-check-collection-indent-level.patch create mode 100644 queue-5.1/input-synaptics-whitelist-lenovo-t580-smbus-intertouch.patch create mode 100644 queue-5.1/iwlwifi-add-support-for-hr1-rf-id.patch create mode 100644 queue-5.1/iwlwifi-don-t-warn-when-calling-iwl_get_shared_mem_conf-with-rf-kill.patch create mode 100644 queue-5.1/iwlwifi-fix-rf-kill-interrupt-while-fw-load-for-gen2-devices.patch create mode 100644 queue-5.1/iwlwifi-mvm-clear-rfkill_safe_init_done-when-we-start-the-firmware.patch create mode 100644 queue-5.1/iwlwifi-mvm-delay-gtk-setting-in-fw-in-ap-mode.patch create mode 100644 queue-5.1/iwlwifi-pcie-don-t-service-an-interrupt-that-was-masked.patch create mode 100644 queue-5.1/iwlwifi-pcie-fix-alive-interrupt-handling-for-gen2-devices-w-o-msi-x.patch create mode 100644 queue-5.1/opp-don-t-use-is_err-on-invalid-supplies.patch create mode 100644 queue-5.1/regulator-s2mps11-fix-buck7-and-buck8-wrong-voltages.patch create mode 100644 queue-5.1/regulator-s2mps11-fix-err_ptr-dereference-on-gpio-lookup-failure.patch create mode 100644 queue-5.1/revert-bcache-set-cache_set_io_disable-in-bch_cached_dev_error.patch 
diff --git a/queue-5.1/arm64-tegra-update-jetson-tx1-gpu-regulator-timings.patch b/queue-5.1/arm64-tegra-update-jetson-tx1-gpu-regulator-timings.patch
new file mode 100644
index 00000000000..d7395a2d7f7
--- /dev/null
+++ b/queue-5.1/arm64-tegra-update-jetson-tx1-gpu-regulator-timings.patch
@@ -0,0 +1,38 @@
+From ece6031ece2dd64d63708cfe1088016cee5b10c0 Mon Sep 17 00:00:00 2001
+From: Jon Hunter
+Date: Thu, 20 Jun 2019 09:17:01 +0100
+Subject: arm64: tegra: Update Jetson TX1 GPU regulator timings
+
+From: Jon Hunter
+
+commit ece6031ece2dd64d63708cfe1088016cee5b10c0 upstream.
+
+The GPU regulator enable ramp delay for Jetson TX1 is set to 1ms which
+not sufficient because the enable ramp delay has been measured to be
+greater than 1ms. Furthermore, the downstream kernels released by NVIDIA
+for Jetson TX1 are using a enable ramp delay 2ms and a settling delay of
+160us. Update the GPU regulator enable ramp delay for Jetson TX1 to be
+2ms and add a settling delay of 160us.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jon Hunter
+Fixes: 5e6b9a89afce ("arm64: tegra: Add VDD_GPU regulator to Jetson TX1")
+Signed-off-by: Thierry Reding
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/boot/dts/nvidia/tegra210-p2180.dtsi | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/boot/dts/nvidia/tegra210-p2180.dtsi
++++ b/arch/arm64/boot/dts/nvidia/tegra210-p2180.dtsi
+@@ -322,7 +322,8 @@
+ regulator-max-microvolt = <1320000>;
+ enable-gpios = <&pmic 6 GPIO_ACTIVE_HIGH>;
+ regulator-ramp-delay = <80>;
+- regulator-enable-ramp-delay = <1000>;
++ regulator-enable-ramp-delay = <2000>;
++ regulator-settling-time-us = <160>;
+ };
+ };
+ };
diff --git a/queue-5.1/bcache-destroy-dc-writeback_write_wq-if-failed-to-create-dc-writeback_thread.patch b/queue-5.1/bcache-destroy-dc-writeback_write_wq-if-failed-to-create-dc-writeback_thread.patch
new file mode 100644
index 00000000000..c3de49ef0d6
--- /dev/null
+++ b/queue-5.1/bcache-destroy-dc-writeback_write_wq-if-failed-to-create-dc-writeback_thread.patch
@@ -0,0 +1,36 @@
+From f54d801dda14942dbefa00541d10603015b7859c Mon Sep 17 00:00:00 2001
+From: Coly Li
+Date: Fri, 28 Jun 2019 19:59:44 +0800
+Subject: bcache: destroy dc->writeback_write_wq if failed to create dc->writeback_thread
+
+From: Coly Li
+
+commit f54d801dda14942dbefa00541d10603015b7859c upstream.
+
+Commit 9baf30972b55 ("bcache: fix for gc and write-back race") added a
+new work queue dc->writeback_write_wq, but forgot to destroy it in the
+error condition when creating dc->writeback_thread failed.
+
+This patch destroys dc->writeback_write_wq if kthread_create() returns
+error pointer to dc->writeback_thread, then a memory leak is avoided.
+
+Fixes: 9baf30972b55 ("bcache: fix for gc and write-back race")
+Signed-off-by: Coly Li
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/bcache/writeback.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/md/bcache/writeback.c
++++ b/drivers/md/bcache/writeback.c
+@@ -834,6 +834,7 @@ int bch_cached_dev_writeback_start(struc
+ "bcache_writeback");
+ if (IS_ERR(dc->writeback_thread)) {
+ cached_dev_put(dc);
++ destroy_workqueue(dc->writeback_write_wq);
+ return PTR_ERR(dc->writeback_thread);
+ }
+ dc->writeback_running = true;
diff --git a/queue-5.1/bcache-fix-mistaken-sysfs-entry-for-io_error-counter.patch b/queue-5.1/bcache-fix-mistaken-sysfs-entry-for-io_error-counter.patch
new file mode 100644
index 00000000000..f215b69e7b4
--- /dev/null
+++ b/queue-5.1/bcache-fix-mistaken-sysfs-entry-for-io_error-counter.patch
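Review bot: After `destroy_workqueue(dc->writeback_write_wq);` on the `kthread_create()` error path in the writeback.c hunk, the pointer is left holding the destroyed workqueue. If any teardown path for the cached device also destroys a non-NULL `writeback_write_wq` (that code is outside this hunk, so this needs confirming), this error path would lead to a second destroy. Following the call with `dc->writeback_write_wq = NULL;` keeps that safe. The new call also reads `dc` after `cached_dev_put(dc)`, as the existing `PTR_ERR()` line does, so it is worth confirming the caller still holds a reference at this point.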
@@ -0,0 +1,45 @@
+From 5461999848e0462c14f306a62923d22de820a59c Mon Sep 17 00:00:00 2001
+From: Coly Li
+Date: Fri, 28 Jun 2019 19:59:43 +0800
+Subject: bcache: fix mistaken sysfs entry for io_error counter
+
+From: Coly Li
+
+commit 5461999848e0462c14f306a62923d22de820a59c upstream.
+
+In bch_cached_dev_files[] from driver/md/bcache/sysfs.c, sysfs_errors is
+incorrectly inserted in. The correct entry should be sysfs_io_errors.
+
+This patch fixes the problem and now I/O errors of cached device can be
+read from /sys/block/bcache/bcache/io_errors.
+
+Fixes: c7b7bd07404c5 ("bcache: add io_disable to struct cached_dev")
+Signed-off-by: Coly Li
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/bcache/sysfs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/bcache/sysfs.c
++++ b/drivers/md/bcache/sysfs.c
+@@ -180,7 +180,7 @@ SHOW(__bch_cached_dev)
+ var_print(writeback_percent);
+ sysfs_hprint(writeback_rate,
+ wb ? atomic_long_read(&dc->writeback_rate.rate) << 9 : 0);
+- sysfs_hprint(io_errors, atomic_read(&dc->io_errors));
++ sysfs_printf(io_errors, "%i", atomic_read(&dc->io_errors));
+ sysfs_printf(io_error_limit, "%i", dc->error_limit);
+ sysfs_printf(io_disable, "%i", dc->io_disable);
+ var_print(writeback_rate_update_seconds);
+@@ -464,7 +464,7 @@ static struct attribute *bch_cached_dev_
+ &sysfs_writeback_rate_p_term_inverse,
+ &sysfs_writeback_rate_minimum,
+ &sysfs_writeback_rate_debug,
+- &sysfs_errors,
++ &sysfs_io_errors,
+ &sysfs_io_error_limit,
+ &sysfs_io_disable,
+ &sysfs_dirty_data,
diff --git a/queue-5.1/bcache-ignore-read-ahead-request-failure-on-backing-device.patch b/queue-5.1/bcache-ignore-read-ahead-request-failure-on-backing-device.patch
new file mode 100644
index 00000000000..b1e659992fa
--- /dev/null
+++ b/queue-5.1/bcache-ignore-read-ahead-request-failure-on-backing-device.patch
@@ -0,0 +1,57 @@
+From 578df99b1b0531d19af956530fe4da63d01a1604 Mon Sep 17 00:00:00 2001
+From: Coly Li
+Date: Fri, 28 Jun 2019 19:59:29 +0800
+Subject: bcache: ignore read-ahead request failure on backing device
+
+From: Coly Li
+
+commit 578df99b1b0531d19af956530fe4da63d01a1604 upstream.
+
+When md raid device (e.g. raid456) is used as backing device, read-ahead
+requests on a degrading and recovering md raid device might be failured
+immediately by md raid code, but indeed this md raid array can still be
+read or write for normal I/O requests. Therefore such failed read-ahead
+request are not real hardware failure. Further more, after degrading and
+recovering accomplished, read-ahead requests will be handled by md raid
+array again.
+
+For such condition, I/O failures of read-ahead requests don't indicate
+real health status (because normal I/O still be served), they should not
+be counted into I/O error counter dc->io_errors.
+
+Since there is no simple way to detect whether the backing divice is a
+md raid device, this patch simply ignores I/O failures for read-ahead
+bios on backing device, to avoid bogus backing device failure on a
+degrading md raid array.
+
+Suggested-and-tested-by: Thorsten Knabe
+Signed-off-by: Coly Li
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/bcache/io.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/md/bcache/io.c
++++ b/drivers/md/bcache/io.c
+@@ -58,6 +58,18 @@ void bch_count_backing_io_errors(struct
+
+ WARN_ONCE(!dc, "NULL pointer of struct cached_dev");
+
++ /*
++ * Read-ahead requests on a degrading and recovering md raid
++ * (e.g. raid6) device might be failured immediately by md
++ * raid code, which is not a real hardware media failure. So
++ * we shouldn't count failed REQ_RAHEAD bio to dc->io_errors.
++ */
++ if (bio->bi_opf & REQ_RAHEAD) {
++ pr_warn_ratelimited("%s: Read-ahead I/O failed on backing device, ignore",
++ dc->backing_dev_name);
++ return;
++ }
++
+ errors = atomic_add_return(1, &dc->io_errors);
+ if (errors < dc->error_limit)
+ pr_err("%s: IO error on backing device, unrecoverable",
diff --git a/queue-5.1/bcache-revert-bcache-fix-high-cpu-occupancy-during-journal.patch b/queue-5.1/bcache-revert-bcache-fix-high-cpu-occupancy-during-journal.patch
new file mode 100644
index 00000000000..fd1df304e59
--- /dev/null
+++ b/queue-5.1/bcache-revert-bcache-fix-high-cpu-occupancy-during-journal.patch
@@ -0,0 +1,126 @@
+From 249a5f6da57c28a903c75d81505d58ec8c10030d Mon Sep 17 00:00:00 2001
+From: Coly Li
+Date: Fri, 28 Jun 2019 19:59:54 +0800
+Subject: bcache: Revert "bcache: fix high CPU occupancy during journal"
+
+From: Coly Li
+
+commit 249a5f6da57c28a903c75d81505d58ec8c10030d upstream.
+
+This reverts commit c4dc2497d50d9c6fb16aa0d07b6a14f3b2adb1e0.
+
+This patch enlarges a race between normal btree flush code path and
+flush_btree_write(), which causes deadlock when journal space is
+exhausted. Reverts this patch makes the race window from 128 btree
+nodes to only 1 btree nodes.
+
+Fixes: c4dc2497d50d ("bcache: fix high CPU occupancy during journal")
+Signed-off-by: Coly Li
+Cc: stable@vger.kernel.org
+Cc: Tang Junhui
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/bcache/bcache.h | 2 -
+ drivers/md/bcache/journal.c | 47 ++++++++++++++------------------------------
+ drivers/md/bcache/util.h | 2 -
+ 3 files changed, 15 insertions(+), 36 deletions(-)
+
+--- a/drivers/md/bcache/bcache.h
++++ b/drivers/md/bcache/bcache.h
+@@ -726,8 +726,6 @@ struct cache_set {
+
+ #define BUCKET_HASH_BITS 12
+ struct hlist_head bucket_hash[1 << BUCKET_HASH_BITS];
+-
+- DECLARE_HEAP(struct btree *, flush_btree);
+ };
+
+ struct bbio {
+--- a/drivers/md/bcache/journal.c
++++ b/drivers/md/bcache/journal.c
+@@ -390,12 +390,6 @@ err:
+ }
+
+ /* Journalling */
+-#define journal_max_cmp(l, r) \
+- (fifo_idx(&c->journal.pin, btree_current_write(l)->journal) < \
+- fifo_idx(&(c)->journal.pin, btree_current_write(r)->journal))
+-#define journal_min_cmp(l, r) \
+- (fifo_idx(&c->journal.pin, btree_current_write(l)->journal) > \
+- fifo_idx(&(c)->journal.pin, btree_current_write(r)->journal))
+
+ static void btree_flush_write(struct cache_set *c)
+ {
+@@ -403,35 +397,25 @@ static void btree_flush_write(struct cac
+ * Try to find the btree node with that references the oldest journal
+ * entry, best is our current candidate and is locked if non NULL:
+ */
+- struct btree *b;
+- int i;
++ struct btree *b, *best;
++ unsigned int i;
+
+ atomic_long_inc(&c->flush_write);
+-
+ retry:
+- spin_lock(&c->journal.lock);
+- if (heap_empty(&c->flush_btree)) {
+- for_each_cached_btree(b, c, i)
+- if (btree_current_write(b)->journal) {
+- if (!heap_full(&c->flush_btree))
+- heap_add(&c->flush_btree, b,
+- journal_max_cmp);
+- else if (journal_max_cmp(b,
+- heap_peek(&c->flush_btree))) {
+- c->flush_btree.data[0] = b;
+- heap_sift(&c->flush_btree, 0,
+- journal_max_cmp);
+- }
+- }
+-
+- for (i = c->flush_btree.used / 2 - 1; i >= 0; --i)
+- heap_sift(&c->flush_btree, i, journal_min_cmp);
+- }
++ best = NULL;
+
+- b = NULL;
+- heap_pop(&c->flush_btree, b, journal_min_cmp);
+- spin_unlock(&c->journal.lock);
++ for_each_cached_btree(b, c, i)
++ if (btree_current_write(b)->journal) {
++ if (!best)
++ best = b;
++ else if (journal_pin_cmp(c,
++ btree_current_write(best)->journal,
++ btree_current_write(b)->journal)) {
++ best = b;
++ }
++ }
+
++ b = best;
+ if (b) {
+ mutex_lock(&b->write_lock);
+ if (!btree_current_write(b)->journal) {
+@@ -873,8 +857,7 @@ int bch_journal_alloc(struct cache_set *
+ j->w[0].c = c;
+ j->w[1].c = c;
+
+- if (!(init_heap(&c->flush_btree, 128, GFP_KERNEL)) ||
+- !(init_fifo(&j->pin, JOURNAL_PIN, GFP_KERNEL)) ||
++ if (!(init_fifo(&j->pin, JOURNAL_PIN, GFP_KERNEL)) ||
+ !(j->w[0].data = (void *) __get_free_pages(GFP_KERNEL, JSET_BITS)) ||
+ !(j->w[1].data = (void *) __get_free_pages(GFP_KERNEL, JSET_BITS)))
+ return -ENOMEM;
+--- a/drivers/md/bcache/util.h
++++ b/drivers/md/bcache/util.h
+@@ -113,8 +113,6 @@ do { \
+
+ #define heap_full(h) ((h)->used == (h)->size)
+
+-#define heap_empty(h) ((h)->used == 0)
+-
+ #define DECLARE_FIFO(type, name) \
+ struct { \
+ size_t front, back, size, mask; \
diff --git a/queue-5.1/bcache-revert-bcache-free-heap-cache_set-flush_btree-in-bch_journal_free.patch b/queue-5.1/bcache-revert-bcache-free-heap-cache_set-flush_btree-in-bch_journal_free.patch
new file mode 100644
index 00000000000..4b00294e13d
--- /dev/null
+++ b/queue-5.1/bcache-revert-bcache-free-heap-cache_set-flush_btree-in-bch_journal_free.patch
@@ -0,0 +1,36 @@
+From ba82c1ac1667d6efb91a268edb13fc9cdaecec9b Mon Sep 17 00:00:00 2001
+From: Coly Li
+Date: Fri, 28 Jun 2019 19:59:53 +0800
+Subject: bcache: Revert "bcache: free heap cache_set->flush_btree in bch_journal_free"
+
+From: Coly Li
+
+commit ba82c1ac1667d6efb91a268edb13fc9cdaecec9b upstream.
+
+This reverts commit 6268dc2c4703aabfb0b35681be709acf4c2826c6.
+
+This patch depends on commit c4dc2497d50d ("bcache: fix high CPU
+occupancy during journal") which is reverted in previous patch. So
+revert this one too.
+
+Fixes: 6268dc2c4703 ("bcache: free heap cache_set->flush_btree in bch_journal_free")
+Signed-off-by: Coly Li
+Cc: stable@vger.kernel.org
+Cc: Shenghui Wang
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/bcache/journal.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/md/bcache/journal.c
++++ b/drivers/md/bcache/journal.c
+@@ -842,7 +842,6 @@ void bch_journal_free(struct cache_set *
+ free_pages((unsigned long) c->journal.w[1].data, JSET_BITS);
+ free_pages((unsigned long) c->journal.w[0].data, JSET_BITS);
+ free_fifo(&c->journal.pin);
+- free_heap(&c->flush_btree);
+ }
+
+ int bch_journal_alloc(struct cache_set *c)
diff --git a/queue-5.1/cifs-always-add-credits-back-for-unsolicited-pdus.patch b/queue-5.1/cifs-always-add-credits-back-for-unsolicited-pdus.patch
new file mode 100644
index 00000000000..2ab4332524d
--- /dev/null
+++ b/queue-5.1/cifs-always-add-credits-back-for-unsolicited-pdus.patch
@@ -0,0 +1,36 @@
+From 3e2725796cbdfe4efc7eb7b27cacaeac2ddad1a5 Mon Sep 17 00:00:00 2001
+From: Ronnie Sahlberg
+Date: Sat, 6 Jul 2019 06:43:08 +1000
+Subject: cifs: always add credits back for unsolicited PDUs
+
+From: Ronnie Sahlberg
+
+commit 3e2725796cbdfe4efc7eb7b27cacaeac2ddad1a5 upstream.
+
+not just if CONFIG_CIFS_DEBUG2 is enabled.
+
+Signed-off-by: Ronnie Sahlberg
+Reviewed-by: Pavel Shilovsky
+CC: Stable
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/connect.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -1221,11 +1221,11 @@ next_pdu:
+ atomic_read(&midCount));
+ cifs_dump_mem("Received Data is: ", bufs[i],
+ HEADER_SIZE(server));
++ smb2_add_credits_from_hdr(bufs[i], server);
+ #ifdef CONFIG_CIFS_DEBUG2
+ if (server->ops->dump_detail)
+ server->ops->dump_detail(bufs[i],
+ server);
+- smb2_add_credits_from_hdr(bufs[i], server);
+ cifs_dump_mids(server);
+ #endif /* CIFS_DEBUG2 */
+ }
diff --git a/queue-5.1/cifs-fix-crash-in-smb2_compound_op-smb2_set_next_command.patch b/queue-5.1/cifs-fix-crash-in-smb2_compound_op-smb2_set_next_command.patch
new file mode 100644
index 00000000000..5ff5d25dd69
--- /dev/null
+++ b/queue-5.1/cifs-fix-crash-in-smb2_compound_op-smb2_set_next_command.patch
@@ -0,0 +1,118 @@
+From 88a92c913cef09e70b1744a8877d177aa6cb2189 Mon Sep 17 00:00:00 2001
+From: Ronnie Sahlberg
+Date: Tue, 16 Jul 2019 10:41:46 +1000
+Subject: cifs: fix crash in smb2_compound_op()/smb2_set_next_command()
+
+From: Ronnie Sahlberg
+
+commit 88a92c913cef09e70b1744a8877d177aa6cb2189 upstream.
+
+RHBZ: 1722704
+
+In low memory situations the various SMB2_*_init() functions can fail
+to allocate a request PDU and thus leave the request iovector as NULL.
+
+If we don't check the return code for failure we end up calling
+smb2_set_next_command() with a NULL iovector causing a crash when it tries
+to dereference it.
+
+CC: Stable
+Signed-off-by: Ronnie Sahlberg
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/smb2inode.c | 12 ++++++++++++
+ fs/cifs/smb2ops.c | 11 ++++++++++-
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+--- a/fs/cifs/smb2inode.c
++++ b/fs/cifs/smb2inode.c
+@@ -120,6 +120,8 @@ smb2_compound_op(const unsigned int xid,
+ SMB2_O_INFO_FILE, 0,
+ sizeof(struct smb2_file_all_info) +
+ PATH_MAX * 2, 0, NULL);
++ if (rc)
++ goto finished;
+ smb2_set_next_command(tcon, &rqst[num_rqst]);
+ smb2_set_related(&rqst[num_rqst++]);
+ trace_smb3_query_info_compound_enter(xid, ses->Suid, tcon->tid,
+@@ -147,6 +149,8 @@ smb2_compound_op(const unsigned int xid,
+ COMPOUND_FID, current->tgid,
+ FILE_DISPOSITION_INFORMATION,
+ SMB2_O_INFO_FILE, 0, data, size);
++ if (rc)
++ goto finished;
+ smb2_set_next_command(tcon, &rqst[num_rqst]);
+ smb2_set_related(&rqst[num_rqst++]);
+ trace_smb3_rmdir_enter(xid, ses->Suid, tcon->tid, full_path);
+@@ -163,6 +167,8 @@ smb2_compound_op(const unsigned int xid,
+ COMPOUND_FID, current->tgid,
+ FILE_END_OF_FILE_INFORMATION,
+ SMB2_O_INFO_FILE, 0, data, size);
++ if (rc)
++ goto finished;
+ smb2_set_next_command(tcon, &rqst[num_rqst]);
+ smb2_set_related(&rqst[num_rqst++]);
+ trace_smb3_set_eof_enter(xid, ses->Suid, tcon->tid, full_path);
+@@ -180,6 +186,8 @@ smb2_compound_op(const unsigned int xid,
+ COMPOUND_FID, current->tgid,
+ FILE_BASIC_INFORMATION,
+ SMB2_O_INFO_FILE, 0, data, size);
++ if (rc)
++ goto finished;
+ smb2_set_next_command(tcon, &rqst[num_rqst]);
+ smb2_set_related(&rqst[num_rqst++]);
+ trace_smb3_set_info_compound_enter(xid, ses->Suid, tcon->tid,
+@@ -206,6 +214,8 @@ smb2_compound_op(const unsigned int xid,
+ COMPOUND_FID, current->tgid,
+ FILE_RENAME_INFORMATION,
+ SMB2_O_INFO_FILE, 0, data, size);
++ if (rc)
++ goto finished;
+ smb2_set_next_command(tcon, &rqst[num_rqst]);
+ smb2_set_related(&rqst[num_rqst++]);
+ trace_smb3_rename_enter(xid, ses->Suid, tcon->tid, full_path);
+@@ -231,6 +241,8 @@ smb2_compound_op(const unsigned int xid,
+ COMPOUND_FID, current->tgid,
+ FILE_LINK_INFORMATION,
+ SMB2_O_INFO_FILE, 0, data, size);
++ if (rc)
++ goto finished;
+ smb2_set_next_command(tcon, &rqst[num_rqst]);
+ smb2_set_related(&rqst[num_rqst++]);
+ trace_smb3_hardlink_enter(xid, ses->Suid, tcon->tid, full_path);
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -2004,6 +2004,10 @@ smb2_set_related(struct smb_rqst *rqst)
+ struct smb2_sync_hdr *shdr;
+
+ shdr = (struct smb2_sync_hdr *)(rqst->rq_iov[0].iov_base);
++ if (shdr == NULL) {
++ cifs_dbg(FYI, "shdr NULL in smb2_set_related\n");
++ return;
++ }
+ shdr->Flags |= SMB2_FLAGS_RELATED_OPERATIONS;
+ }
+
+@@ -2018,6 +2022,12 @@ smb2_set_next_command(struct cifs_tcon *
+ unsigned long len = smb_rqst_len(server, rqst);
+ int i, num_padding;
+
++ shdr = (struct smb2_sync_hdr *)(rqst->rq_iov[0].iov_base);
++ if (shdr == NULL) {
++ cifs_dbg(FYI, "shdr NULL in smb2_set_next_command\n");
++ return;
++ }
++
+ /* SMB headers in a compound are 8 byte aligned. */
+
+ /* No padding needed */
+@@ -2057,7 +2067,6 @@ smb2_set_next_command(struct cifs_tcon *
+ }
+
+ finished:
+- shdr = (struct smb2_sync_hdr *)(rqst->rq_iov[0].iov_base);
+ shdr->NextCommand = cpu_to_le32(len);
+ }
+
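Review bot: The NULL guards added to `smb2_set_related()` and `smb2_set_next_command()` in the smb2ops.c hunks return silently from void functions and log only at `FYI` level, so a caller that skips the `rc` check after a failed `SMB2_*_init()` would carry on building a compound whose related flag and `NextCommand` were never set, with nothing in the default log. The six `if (rc) goto finished;` checks cover the call sites in `smb2_compound_op()` shown here; any other callers of the two helpers are outside these hunks and would need the same check. I would add a comment above each guard, for example `/* last-resort guard: callers must check the SMB2_*_init() return code */`, so the guard is not read as the primary error path. All three function bodies extend beyond the hunks shown.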
diff --git a/queue-5.1/cifs-fix-deadlock-in-cached-root-handling.patch b/queue-5.1/cifs-fix-deadlock-in-cached-root-handling.patch
new file mode 100644
index 00000000000..a9b5a2b99c1
--- /dev/null
+++ b/queue-5.1/cifs-fix-deadlock-in-cached-root-handling.patch
@@ -0,0 +1,91 @@
+From 7e5a70ad88b1e6f6d9b934b2efb41afff496820f Mon Sep 17 00:00:00 2001
+From: Aurelien Aptel
+Date: Wed, 17 Jul 2019 12:46:28 +0200
+Subject: CIFS: fix deadlock in cached root handling
+
+From: Aurelien Aptel
+
+commit 7e5a70ad88b1e6f6d9b934b2efb41afff496820f upstream.
+
+Prevent deadlock between open_shroot() and
+cifs_mark_open_files_invalid() by releasing the lock before entering
+SMB2_open, taking it again after and checking if we still need to use
+the result.
+
+Link: https://lore.kernel.org/linux-cifs/684ed01c-cbca-2716-bc28-b0a59a0f8521@prodrive-technologies.com/T/#u
+Fixes: 3d4ef9a15343 ("smb3: fix redundant opens on root")
+Signed-off-by: Aurelien Aptel
+Reviewed-by: Pavel Shilovsky
+Signed-off-by: Steve French
+CC: Stable
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/smb2ops.c | 46 +++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 45 insertions(+), 1 deletion(-)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -705,8 +705,51 @@ int open_shroot(unsigned int xid, struct
+
+ smb2_set_related(&rqst[1]);
+
++ /*
++ * We do not hold the lock for the open because in case
++ * SMB2_open needs to reconnect, it will end up calling
++ * cifs_mark_open_files_invalid() which takes the lock again
++ * thus causing a deadlock
++ */
++
++ mutex_unlock(&tcon->crfid.fid_mutex);
+ rc = compound_send_recv(xid, ses, flags, 2, rqst,
+ resp_buftype, rsp_iov);
++ mutex_lock(&tcon->crfid.fid_mutex);
++
++ /*
++ * Now we need to check again as the cached root might have
++ * been successfully re-opened from a concurrent process
++ */
++
++ if (tcon->crfid.is_valid) {
++ /* work was already done */
++
++ /* stash fids for close() later */
++ struct cifs_fid fid = {
++ .persistent_fid = pfid->persistent_fid,
++ .volatile_fid = pfid->volatile_fid,
++ };
++
++ /*
++ * caller expects this func to set pfid to a valid
++ * cached root, so we copy the existing one and get a
++ * reference.
++ */
++ memcpy(pfid, tcon->crfid.fid, sizeof(*pfid));
++ kref_get(&tcon->crfid.refcount);
++
++ mutex_unlock(&tcon->crfid.fid_mutex);
++
++ if (rc == 0) {
++ /* close extra handle outside of crit sec */
++ SMB2_close(xid, tcon, fid.persistent_fid, fid.volatile_fid);
++ }
++ goto oshr_free;
++ }
++
++ /* Cached root is still invalid, continue normaly */
++
+ if (rc)
+ goto oshr_exit;
+
+@@ -740,8 +783,9 @@ int open_shroot(unsigned int xid, struct
+ (char *)&tcon->crfid.file_all_info))
+ tcon->crfid.file_all_info_is_valid = 1;
+
+- oshr_exit:
++oshr_exit:
+ mutex_unlock(&tcon->crfid.fid_mutex);
++oshr_free:
+ SMB2_open_free(&rqst[0]);
+ SMB2_query_info_free(&rqst[1]);
+ free_rsp_buf(resp_buftype[0], rsp_iov[0].iov_base);
diff --git a/queue-5.1/cifs-flush-before-set-info-if-we-have-writeable-handles.patch b/queue-5.1/cifs-flush-before-set-info-if-we-have-writeable-handles.patch
new file mode 100644
index 00000000000..65cd2b0d347
--- /dev/null
+++ b/queue-5.1/cifs-flush-before-set-info-if-we-have-writeable-handles.patch
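Review bot: In the new `if (tcon->crfid.is_valid)` branch of `open_shroot()`, the cached fid is copied into `pfid` and a reference is taken with `kref_get()`, then the code jumps to `oshr_free` without touching `rc`. If `compound_send_recv()` failed in this call and the function returns `rc` after the frees (the return statement is outside the hunk, so this is inferred), the caller sees an error even though a reference was taken on its behalf and has no reason to drop it. Setting `rc = 0;` just before `goto oshr_free;` would make the return value agree with the state handed back. It is also worth confirming that `pfid` already holds the ids of the handle opened by this call when `fid` is stashed, since the code that fills it from the response is not visible here.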
@@ -0,0 +1,61 @@
+From aa081859b10c5d8b19f5c525c78883a59d73c2b8 Mon Sep 17 00:00:00 2001
+From: Ronnie Sahlberg
+Date: Fri, 19 Jul 2019 08:12:11 +1000
+Subject: cifs: flush before set-info if we have writeable handles
+
+From: Ronnie Sahlberg
+
+commit aa081859b10c5d8b19f5c525c78883a59d73c2b8 upstream.
+
+Servers can defer destaging any data and updating the mtime until close().
+This means that if we do a setinfo to modify the mtime while other handles
+are open for write the server may overwrite our setinfo timestamps when
+if flushes the file on close() of the writeable handle.
+
+To solve this we add an explicit flush when the mtime is about to
+be updated.
+
+This fixes "cp -p" to preserve mtime when copying a file onto an SMB2 share.
+
+CC: Stable
+Signed-off-by: Ronnie Sahlberg
+Reviewed-by: Pavel Shilovsky
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/inode.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/fs/cifs/inode.c
++++ b/fs/cifs/inode.c
+@@ -2371,6 +2371,8 @@ cifs_setattr_nounix(struct dentry *diren
+ struct inode *inode = d_inode(direntry);
+ struct cifs_sb_info *cifs_sb = CIFS_SB(inode->i_sb);
+ struct cifsInodeInfo *cifsInode = CIFS_I(inode);
++ struct cifsFileInfo *wfile;
++ struct cifs_tcon *tcon;
+ char *full_path = NULL;
+ int rc = -EACCES;
+ __u32 dosattr = 0;
+@@ -2417,6 +2419,20 @@ cifs_setattr_nounix(struct dentry *diren
+ mapping_set_error(inode->i_mapping, rc);
+ rc = 0;
+
++ if (attrs->ia_valid & ATTR_MTIME) {
++ rc = cifs_get_writable_file(cifsInode, false, &wfile);
++ if (!rc) {
++ tcon = tlink_tcon(wfile->tlink);
++ rc = tcon->ses->server->ops->flush(xid, tcon, &wfile->fid);
++ cifsFileInfo_put(wfile);
++ if (rc)
++ return rc;
++ } else if (rc != -EBADF)
++ return rc;
++ else
++ rc = 0;
++ }
++
+ if (attrs->ia_valid & ATTR_SIZE) {
+ rc = cifs_set_file_size(inode, attrs, xid, full_path);
+ if (rc != 0)
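Review bot: Both `return rc;` statements in the new `ATTR_MTIME` block of `cifs_setattr_nounix()` leave the function directly, while `xid` and `full_path` are already live at this point (both are passed to `cifs_set_file_size()` just below). Whatever release the function performs for them on its common exit path is therefore skipped when the flush fails or `cifs_get_writable_file()` returns an error other than `-EBADF`. I would replace each with a jump to that exit path, e.g. `goto cifs_setattr_exit;`, assuming that is the label the truncated `if (rc != 0)` branch below uses; the label and the cleanup are outside this hunk.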
diff --git a/queue-5.1/cifs-properly-handle-auto-disabling-of-serverino-option.patch b/queue-5.1/cifs-properly-handle-auto-disabling-of-serverino-option.patch
new file mode 100644
index 00000000000..b8de9a8204e
--- /dev/null
+++ b/queue-5.1/cifs-properly-handle-auto-disabling-of-serverino-option.patch
@@ -0,0 +1,69 @@
+From 29fbeb7a908a60a5ae8c50fbe171cb8fdcef1980 Mon Sep 17 00:00:00 2001
+From: "Paulo Alcantara (SUSE)"
+Date: Tue, 18 Jun 2019 16:16:02 -0300
+Subject: cifs: Properly handle auto disabling of serverino option
+
+From: Paulo Alcantara (SUSE)
+
+commit 29fbeb7a908a60a5ae8c50fbe171cb8fdcef1980 upstream.
+
+Fix mount options comparison when serverino option is turned off later
+in cifs_autodisable_serverino() and thus avoiding mismatch of new cifs
+mounts.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Paulo Alcantara (SUSE)
+Signed-off-by: Steve French
+Reviewed-by: Pavel Shilovsky
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/cifs_fs_sb.h | 5 +++++
+ fs/cifs/connect.c | 8 ++++++--
+ fs/cifs/misc.c | 1 +
+ 3 files changed, 12 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/cifs_fs_sb.h
++++ b/fs/cifs/cifs_fs_sb.h
+@@ -83,5 +83,10 @@ struct cifs_sb_info {
+ * failover properly.
+ */
+ char *origin_fullpath; /* \\HOST\SHARE\[OPTIONAL PATH] */
++ /*
++ * Indicate whether serverino option was turned off later
++ * (cifs_autodisable_serverino) in order to match new mounts.
++ */
++ bool mnt_cifs_serverino_autodisabled;
+ };
+ #endif /* _CIFS_FS_SB_H */
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -3455,12 +3455,16 @@ compare_mount_options(struct super_block
+ {
+ struct cifs_sb_info *old = CIFS_SB(sb);
+ struct cifs_sb_info *new = mnt_data->cifs_sb;
++ unsigned int oldflags = old->mnt_cifs_flags & CIFS_MOUNT_MASK;
++ unsigned int newflags = new->mnt_cifs_flags & CIFS_MOUNT_MASK;
+
+ if ((sb->s_flags & CIFS_MS_MASK) != (mnt_data->flags & CIFS_MS_MASK))
+ return 0;
+
+- if ((old->mnt_cifs_flags & CIFS_MOUNT_MASK) !=
+- (new->mnt_cifs_flags & CIFS_MOUNT_MASK))
++ if (old->mnt_cifs_serverino_autodisabled)
++ newflags &= ~CIFS_MOUNT_SERVER_INUM;
++
++ if (oldflags != newflags)
+ return 0;
+
+ /*
+--- a/fs/cifs/misc.c
++++ b/fs/cifs/misc.c
+@@ -539,6 +539,7 @@ cifs_autodisable_serverino(struct cifs_s
+ tcon = cifs_sb_master_tcon(cifs_sb);
+
+ cifs_sb->mnt_cifs_flags &= ~CIFS_MOUNT_SERVER_INUM;
++ cifs_sb->mnt_cifs_serverino_autodisabled = true;
+ cifs_dbg(VFS, "Autodisabling the use of server inode numbers on %s.\n",
+ tcon ? tcon->treeName : "new server");
+ cifs_dbg(VFS, "The server doesn't seem to support them properly or the files might be on different servers (DFS).\n");
diff --git a/queue-5.1/input-alps-don-t-handle-alps-cs19-trackpoint-only-device.patch b/queue-5.1/input-alps-don-t-handle-alps-cs19-trackpoint-only-device.patch
new file mode 100644
index 00000000000..0f813e40eee
--- /dev/null
+++ b/queue-5.1/input-alps-don-t-handle-alps-cs19-trackpoint-only-device.patch
@@ -0,0 +1,101 @@
+From 7e4935ccc3236751e5fe4bd6846f86e46bb2e427 Mon Sep 17 00:00:00 2001
+From: Hui Wang
+Date: Mon, 15 Jul 2019 10:00:58 -0700
+Subject: Input: alps - don't handle ALPS cs19 trackpoint-only device
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hui Wang
+
+commit 7e4935ccc3236751e5fe4bd6846f86e46bb2e427 upstream.
+
+On a latest Lenovo laptop, the trackpoint and 3 buttons below it
+don't work at all, when we move the trackpoint or press those 3
+buttons, the kernel will print out:
+"Rejected trackstick packet from non DualPoint device"
+
+This device is identified as an alps touchpad but the packet has
+trackpoint format, so the alps.c drops the packet and prints out
+the message above.
+
+According to XiaoXiao's explanation, this device is named cs19 and
+is trackpoint-only device, its firmware is only for trackpoint, it
+is independent of touchpad and is a device completely different from
+DualPoint ones.
+
+To drive this device with mininal changes to the existing driver, we
+just let the alps driver not handle this device, then the trackpoint.c
+will be the driver of this device if the trackpoint driver is enabled.
+(if not, this device will fallback to a bare PS/2 device)
+
+With the trackpoint.c, this trackpoint and 3 buttons all work well,
+they have all features that the trackpoint should have, like
+scrolling-screen, drag-and-drop and frame-selection.
+
+Signed-off-by: XiaoXiao Liu
+Signed-off-by: Hui Wang
+Reviewed-by: Pali Rohár
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/input/mouse/alps.c | 32 ++++++++++++++++++++++++++++++++
+ 1 file changed, 32 insertions(+)
+
+--- a/drivers/input/mouse/alps.c
++++ b/drivers/input/mouse/alps.c
+@@ -24,6 +24,7 @@
+
+ #include "psmouse.h"
+ #include "alps.h"
++#include "trackpoint.h"
+
+ /*
+ * Definitions for ALPS version 3 and 4 command mode protocol
+@@ -2864,6 +2865,23 @@ static const struct alps_protocol_info *
+ return NULL;
+ }
+
++static bool alps_is_cs19_trackpoint(struct psmouse *psmouse)
++{
++ u8 param[2] = { 0 };
++
++ if (ps2_command(&psmouse->ps2dev,
++ param, MAKE_PS2_CMD(0, 2, TP_READ_ID)))
++ return false;
++
++ /*
++ * param[0] contains the trackpoint device variant_id while
++ * param[1] contains the firmware_id. So far all alps
++ * trackpoint-only devices have their variant_ids equal
++ * TP_VARIANT_ALPS and their firmware_ids are in 0x20~0x2f range.
++ */
++ return param[0] == TP_VARIANT_ALPS && (param[1] & 0x20);
++}
++
+ static int alps_identify(struct psmouse *psmouse, struct alps_data *priv)
+ {
+ const struct alps_protocol_info *protocol;
+@@ -3165,6 +3183,20 @@ int alps_detect(struct psmouse *psmouse,
+ return error;
+
+ /*
++ * ALPS cs19 is a trackpoint-only device, and uses different
++ * protocol than DualPoint ones, so we return -EINVAL here and let
++ * trackpoint.c drive this device. If the trackpoint driver is not
++ * enabled, the device will fall back to a bare PS/2 mouse.
++ * If ps2_command() fails here, we depend on the immediately
++ * followed psmouse_reset() to reset the device to normal state.
++ */
++ if (alps_is_cs19_trackpoint(psmouse)) {
++ psmouse_dbg(psmouse,
++ "ALPS CS19 trackpoint-only device detected, ignoring\n");
++ return -EINVAL;
++ }
++
++ /*
+ * Reset the device to make sure it is fully operational:
+ * on some laptops, like certain Dell Latitudes, we may
+ * fail to properly detect presence of trackstick if device
diff --git a/queue-5.1/input-alps-fix-a-mismatch-between-a-condition-check-and-its-comment.patch b/queue-5.1/input-alps-fix-a-mismatch-between-a-condition-check-and-its-comment.patch
new file mode 100644
index 00000000000..3c4c45c0758
--- /dev/null
+++ b/queue-5.1/input-alps-fix-a-mismatch-between-a-condition-check-and-its-comment.patch
@@ -0,0 +1,38 @@
+From 771a081e44a9baa1991ef011cc453ef425591740 Mon Sep 17 00:00:00 2001
+From: Hui Wang
+Date: Fri, 19 Jul 2019 12:38:58 +0300
+Subject: Input: alps - fix a mismatch between a condition check and its comment
+
+From: Hui Wang
+
+commit 771a081e44a9baa1991ef011cc453ef425591740 upstream.
+
+In the function alps_is_cs19_trackpoint(), we check if the param[1] is
+in the 0x20~0x2f range, but the code we wrote for this checking is not
+correct:
+(param[1] & 0x20) does not mean param[1] is in the range of 0x20~0x2f,
+it also means the param[1] is in the range of 0x30~0x3f, 0x60~0x6f...
+
+Now fix it with a new condition checking ((param[1] & 0xf0) == 0x20).
+
+Fixes: 7e4935ccc323 ("Input: alps - don't handle ALPS cs19 trackpoint-only device")
+Cc: stable@vger.kernel.org
+Signed-off-by: Hui Wang
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/input/mouse/alps.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/mouse/alps.c
++++ b/drivers/input/mouse/alps.c
+@@ -2879,7 +2879,7 @@ static bool alps_is_cs19_trackpoint(stru
+ * trackpoint-only devices have their variant_ids equal
+ * TP_VARIANT_ALPS and their firmware_ids are in 0x20~0x2f range.
+ */
+- return param[0] == TP_VARIANT_ALPS && (param[1] & 0x20);
++ return param[0] == TP_VARIANT_ALPS && ((param[1] & 0xf0) == 0x20);
+ }
+
+ static int alps_identify(struct psmouse *psmouse, struct alps_data *priv)
diff --git a/queue-5.1/input-gtco-bounds-check-collection-indent-level.patch b/queue-5.1/input-gtco-bounds-check-collection-indent-level.patch
new file mode 100644
index 00000000000..29900e91a18
--- /dev/null
+++ b/queue-5.1/input-gtco-bounds-check-collection-indent-level.patch
@@ -0,0 +1,79 @@ +From 2a017fd82c5402b3c8df5e3d6e5165d9e6147dc1 Mon Sep 17 00:00:00 2001 +From: Grant Hernandez +Date: Sat, 13 Jul 2019 01:00:12 -0700 +Subject: Input: gtco - bounds check collection indent level + +From: Grant Hernandez + +commit 2a017fd82c5402b3c8df5e3d6e5165d9e6147dc1 upstream. + +The GTCO tablet input driver configures itself from an HID report sent +via USB during the initial enumeration process. Some debugging messages +are generated during the parsing. A debugging message indentation +counter is not bounds checked, leading to the ability for a specially +crafted HID report to cause '-' and null bytes be written past the end +of the indentation array. As long as the kernel has CONFIG_DYNAMIC_DEBUG +enabled, this code will not be optimized out. This was discovered +during code review after a previous syzkaller bug was found in this +driver. + +Signed-off-by: Grant Hernandez +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/tablet/gtco.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +--- a/drivers/input/tablet/gtco.c ++++ b/drivers/input/tablet/gtco.c +@@ -78,6 +78,7 @@ Scott Hill shill@gtcocalcomp.com + + /* Max size of a single report */ + #define REPORT_MAX_SIZE 10 ++#define MAX_COLLECTION_LEVELS 10 + + + /* Bitmask whether pen is in range */ +@@ -223,8 +224,7 @@ static void parse_hid_report_descriptor( + char maintype = 'x'; + char globtype[12]; + int indent = 0; +- char indentstr[10] = ""; +- ++ char indentstr[MAX_COLLECTION_LEVELS + 1] = { 0 }; + + dev_dbg(ddev, "======>>>>>>PARSE<<<<<<======\n"); + +@@ -350,6 +350,13 @@ static void parse_hid_report_descriptor( + case TAG_MAIN_COL_START: + maintype = 'S'; + ++ if (indent == MAX_COLLECTION_LEVELS) { ++ dev_err(ddev, "Collection level %d would exceed limit of %d\n", ++ indent + 1, ++ MAX_COLLECTION_LEVELS); ++ break; ++ } ++ + if (data == 0) { + dev_dbg(ddev, "======>>>>>> Physical\n"); + 
strcpy(globtype, "Physical"); +@@ -369,8 +376,15 @@ static void parse_hid_report_descriptor( + break; + + case TAG_MAIN_COL_END: +- dev_dbg(ddev, "<<<<<<======\n"); + maintype = 'E'; ++ ++ if (indent == 0) { ++ dev_err(ddev, "Collection level already at zero\n"); ++ break; ++ } ++ ++ dev_dbg(ddev, "<<<<<<======\n"); ++ + indent--; + for (x = 0; x < indent; x++) + indentstr[x] = '-'; diff --git a/queue-5.1/input-synaptics-whitelist-lenovo-t580-smbus-intertouch.patch b/queue-5.1/input-synaptics-whitelist-lenovo-t580-smbus-intertouch.patch new file mode 100644 index 00000000000..ed4323b9111 --- /dev/null +++ b/queue-5.1/input-synaptics-whitelist-lenovo-t580-smbus-intertouch.patch @@ -0,0 +1,32 @@ +From 1976d7d200c5a32e72293a2ada36b7b7c9d6dd6e Mon Sep 17 00:00:00 2001 +From: Nick Black +Date: Thu, 11 Jul 2019 23:42:03 -0700 +Subject: Input: synaptics - whitelist Lenovo T580 SMBus intertouch + +From: Nick Black + +commit 1976d7d200c5a32e72293a2ada36b7b7c9d6dd6e upstream. + +Adds the Lenovo T580 to the SMBus intertouch list for Synaptics +touchpads. I've tested with this for a week now, and it seems a great +improvement. It's also nice to have the complaint gone from dmesg. + +Signed-off-by: Nick Black +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/mouse/synaptics.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/input/mouse/synaptics.c ++++ b/drivers/input/mouse/synaptics.c +@@ -179,6 +179,7 @@ static const char * const smbus_pnp_ids[ + "LEN0093", /* T480 */ + "LEN0096", /* X280 */ + "LEN0097", /* X280 -> ALPS trackpoint */ ++ "LEN009b", /* T580 */ + "LEN200f", /* T450s */ + "LEN2054", /* E480 */ + "LEN2055", /* E580 */ diff --git a/queue-5.1/iwlwifi-add-support-for-hr1-rf-id.patch b/queue-5.1/iwlwifi-add-support-for-hr1-rf-id.patch new file mode 100644 index 00000000000..2c87aad9a7c --- /dev/null +++ b/queue-5.1/iwlwifi-add-support-for-hr1-rf-id.patch 
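Review bot: In the gtco patch, the two new guards in parse_hid_report_descriptor() compare with exact equality (`indent == MAX_COLLECTION_LEVELS` and `indent == 0`), which is sufficient only while every change to `indent` is a single step taken behind one of these guards. Because `indent` indexes `indentstr[]` and is driven by a device-supplied report descriptor, range checks are the more defensive form: `if (indent >= MAX_COLLECTION_LEVELS)` and `if (indent <= 0)`. Both error paths call dev_err() from inside the parse loop, so a descriptor with many unbalanced collection tags produces one log line per tag; `dev_err_ratelimited()` would bound that. The function starts and ends outside the hunks shown, so other writers of `indent` cannot be ruled out from here.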
@@ -0,0 +1,51 @@
+From 498d3eb5bfbb2e05e40005152976a7b9eadfb59c Mon Sep 17 00:00:00 2001
+From: Oren Givon
+Date: Thu, 20 Jun 2019 11:46:23 +0300
+Subject: iwlwifi: add support for hr1 RF ID
+
+From: Oren Givon
+
+commit 498d3eb5bfbb2e05e40005152976a7b9eadfb59c upstream.
+
+The 22000 series FW that was meant to be used with hr is
+also the FW that is used for hr1 and has a different RF ID.
+Add support to load the hr FW when hr1 RF ID is detected.
+
+Cc: stable@vger.kernel.org # 5.1+
+Signed-off-by: Oren Givon
+Signed-off-by: Luciano Coelho
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/intel/iwlwifi/iwl-csr.h | 1 +
+ drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 8 +++++---
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/iwl-csr.h
++++ b/drivers/net/wireless/intel/iwlwifi/iwl-csr.h
+@@ -335,6 +335,7 @@ enum {
+ /* RF_ID value */
+ #define CSR_HW_RF_ID_TYPE_JF (0x00105100)
+ #define CSR_HW_RF_ID_TYPE_HR (0x0010A000)
++#define CSR_HW_RF_ID_TYPE_HR1 (0x0010c100)
+ #define CSR_HW_RF_ID_TYPE_HRCDB (0x00109F00)
+ #define CSR_HW_RF_ID_TYPE_GF (0x0010D000)
+
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+@@ -3562,9 +3562,11 @@ struct iwl_trans *iwl_trans_pcie_alloc(s
+ trans->cfg = &iwlax210_2ax_cfg_so_gf_a0;
+ }
+ } else if (cfg == &iwl_ax101_cfg_qu_hr) {
+- if (CSR_HW_RF_ID_TYPE_CHIP_ID(trans->hw_rf_id) ==
+- CSR_HW_RF_ID_TYPE_CHIP_ID(CSR_HW_RF_ID_TYPE_HR) &&
+- trans->hw_rev == CSR_HW_REV_TYPE_QNJ_B0) {
++ if ((CSR_HW_RF_ID_TYPE_CHIP_ID(trans->hw_rf_id) ==
++ CSR_HW_RF_ID_TYPE_CHIP_ID(CSR_HW_RF_ID_TYPE_HR) &&
++ trans->hw_rev == CSR_HW_REV_TYPE_QNJ_B0) ||
++ (CSR_HW_RF_ID_TYPE_CHIP_ID(trans->hw_rf_id) ==
++ CSR_HW_RF_ID_TYPE_CHIP_ID(CSR_HW_RF_ID_TYPE_HR1))) {
+ trans->cfg = &iwl22000_2ax_cfg_qnj_hr_b0;
+ } else if (CSR_HW_RF_ID_TYPE_CHIP_ID(trans->hw_rf_id) ==
+ CSR_HW_RF_ID_TYPE_CHIP_ID(CSR_HW_RF_ID_TYPE_HR)) {
diff --git a/queue-5.1/iwlwifi-don-t-warn-when-calling-iwl_get_shared_mem_conf-with-rf-kill.patch b/queue-5.1/iwlwifi-don-t-warn-when-calling-iwl_get_shared_mem_conf-with-rf-kill.patch
new file mode 100644
index 00000000000..9711a17eb7e
--- /dev/null
+++ b/queue-5.1/iwlwifi-don-t-warn-when-calling-iwl_get_shared_mem_conf-with-rf-kill.patch
@@ -0,0 +1,66 @@ +From 0d53cfd0cca3c729a089c39eef0e7d8ae7662974 Mon Sep 17 00:00:00 2001 +From: Emmanuel Grumbach +Date: Wed, 22 May 2019 12:17:09 +0300 +Subject: iwlwifi: don't WARN when calling iwl_get_shared_mem_conf with RF-Kill + +From: Emmanuel Grumbach + +commit 0d53cfd0cca3c729a089c39eef0e7d8ae7662974 upstream. + +iwl_mvm_send_cmd returns 0 when the command won't be sent +because RF-Kill is asserted. Do the same when we call +iwl_get_shared_mem_conf since it is not sent through +iwl_mvm_send_cmd but directly calls the transport layer. + +Cc: stable@vger.kernel.org +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/fw/smem.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/fw/smem.c ++++ b/drivers/net/wireless/intel/iwlwifi/fw/smem.c +@@ -8,7 +8,7 @@ + * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved. + * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH + * Copyright(c) 2016 - 2017 Intel Deutschland GmbH +- * Copyright(c) 2018 Intel Corporation ++ * Copyright(c) 2018 - 2019 Intel Corporation + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of version 2 of the GNU General Public License as +@@ -31,7 +31,7 @@ + * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved. + * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH + * Copyright(c) 2016 - 2017 Intel Deutschland GmbH +- * Copyright(c) 2018 Intel Corporation ++ * Copyright(c) 2018 - 2019 Intel Corporation + * All rights reserved. 
+ * + * Redistribution and use in source and binary forms, with or without +@@ -134,6 +134,7 @@ void iwl_get_shared_mem_conf(struct iwl_ + .len = { 0, }, + }; + struct iwl_rx_packet *pkt; ++ int ret; + + if (fw_has_capa(&fwrt->fw->ucode_capa, + IWL_UCODE_TLV_CAPA_EXTEND_SHARED_MEM_CFG)) +@@ -141,8 +142,13 @@ void iwl_get_shared_mem_conf(struct iwl_ + else + cmd.id = SHARED_MEM_CFG; + +- if (WARN_ON(iwl_trans_send_cmd(fwrt->trans, &cmd))) ++ ret = iwl_trans_send_cmd(fwrt->trans, &cmd); ++ ++ if (ret) { ++ WARN(ret != -ERFKILL, ++ "Could not send the SMEM command: %d\n", ret); + return; ++ } + + pkt = cmd.resp_pkt; + if (fwrt->trans->cfg->device_family >= IWL_DEVICE_FAMILY_22000) diff --git a/queue-5.1/iwlwifi-fix-rf-kill-interrupt-while-fw-load-for-gen2-devices.patch b/queue-5.1/iwlwifi-fix-rf-kill-interrupt-while-fw-load-for-gen2-devices.patch new file mode 100644 index 00000000000..f476aaa8a0c --- /dev/null +++ b/queue-5.1/iwlwifi-fix-rf-kill-interrupt-while-fw-load-for-gen2-devices.patch 
@@ -0,0 +1,148 @@ +From ed3e4c6d3cd8f093a3636cb05492429fe2af228d Mon Sep 17 00:00:00 2001 +From: Emmanuel Grumbach +Date: Mon, 20 May 2019 15:18:24 +0300 +Subject: iwlwifi: fix RF-Kill interrupt while FW load for gen2 devices + +From: Emmanuel Grumbach + +commit ed3e4c6d3cd8f093a3636cb05492429fe2af228d upstream. + +Newest devices have a new firmware load mechanism. This +mechanism is called the context info. It means that the +driver doesn't need to load the sections of the firmware. +The driver rather prepares a place in DRAM, with pointers +to the relevant sections of the firmware, and the firmware +loads itself. +At the end of the process, the firmware sends the ALIVE +interrupt. This is different from the previous scheme in +which the driver expected the FH_TX interrupt after each +section being transferred over the DMA. + +In order to support this new flow, we enabled all the +interrupts. This broke the assumption that we have in the +code that the RF-Kill interrupt can't interrupt the firmware +load flow. + +Change the context info flow to enable only the ALIVE +interrupt, and re-enable all the other interrupts only +after the firmware is alive. Then, we won't see the RF-Kill +interrupt until then. Getting the RF-Kill interrupt while +loading the firmware made us kill the firmware while it is +loading and we ended up dumping garbage instead of the firmware +state. + +Re-enable the ALIVE | RX interrupts from the ISR when we +get the ALIVE interrupt to be able to get the RX interrupt +that comes immediately afterwards for the ALIVE +notification. This is needed for non MSI-X only. 
+ +Cc: stable@vger.kernel.org +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c | 2 - + drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info.c | 2 - + drivers/net/wireless/intel/iwlwifi/pcie/internal.h | 27 +++++++++++++++ + drivers/net/wireless/intel/iwlwifi/pcie/rx.c | 5 ++ + drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c | 9 +++++ + 5 files changed, 43 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c +@@ -168,7 +168,7 @@ int iwl_pcie_ctxt_info_gen3_init(struct + + memcpy(iml_img, trans->iml, trans->iml_len); + +- iwl_enable_interrupts(trans); ++ iwl_enable_fw_load_int_ctx_info(trans); + + /* kick FW self load */ + iwl_write64(trans, CSR_CTXT_INFO_ADDR, +--- a/drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info.c +@@ -222,7 +222,7 @@ int iwl_pcie_ctxt_info_init(struct iwl_t + + trans_pcie->ctxt_info = ctxt_info; + +- iwl_enable_interrupts(trans); ++ iwl_enable_fw_load_int_ctx_info(trans); + + /* Configure debug, if exists */ + if (iwl_pcie_dbg_on(trans)) +--- a/drivers/net/wireless/intel/iwlwifi/pcie/internal.h ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/internal.h +@@ -894,6 +894,33 @@ static inline void iwl_enable_fw_load_in + } + } + ++static inline void iwl_enable_fw_load_int_ctx_info(struct iwl_trans *trans) ++{ ++ struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans); ++ ++ IWL_DEBUG_ISR(trans, "Enabling ALIVE interrupt only\n"); ++ ++ if (!trans_pcie->msix_enabled) { ++ /* ++ * When we'll receive the ALIVE interrupt, the ISR will call ++ * iwl_enable_fw_load_int_ctx_info again to set the ALIVE ++ * interrupt (which is not really needed anymore) but also the ++ * RX interrupt which will allow us to receive the ALIVE ++ * notification (which is Rx) and continue 
the flow. ++ */ ++ trans_pcie->inta_mask = CSR_INT_BIT_ALIVE | CSR_INT_BIT_FH_RX; ++ iwl_write32(trans, CSR_INT_MASK, trans_pcie->inta_mask); ++ } else { ++ iwl_enable_hw_int_msk_msix(trans, ++ MSIX_HW_INT_CAUSES_REG_ALIVE); ++ /* ++ * Leave all the FH causes enabled to get the ALIVE ++ * notification. ++ */ ++ iwl_enable_fh_int_msk_msix(trans, trans_pcie->fh_init_mask); ++ } ++} ++ + static inline u16 iwl_pcie_get_cmd_index(const struct iwl_txq *q, u32 index) + { + return index & (q->n_window - 1); +--- a/drivers/net/wireless/intel/iwlwifi/pcie/rx.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/rx.c +@@ -1850,6 +1850,8 @@ irqreturn_t iwl_pcie_irq_handler(int irq + */ + iwl_pcie_rxmq_restock(trans, trans_pcie->rxq); + } ++ ++ handled |= CSR_INT_BIT_ALIVE; + } + + /* Safely ignore these bits for debug checks below */ +@@ -1968,6 +1970,9 @@ irqreturn_t iwl_pcie_irq_handler(int irq + /* Re-enable RF_KILL if it occurred */ + else if (handled & CSR_INT_BIT_RF_KILL) + iwl_enable_rfkill_int(trans); ++ /* Re-enable the ALIVE / Rx interrupt if it occurred */ ++ else if (handled & (CSR_INT_BIT_ALIVE | CSR_INT_BIT_FH_RX)) ++ iwl_enable_fw_load_int_ctx_info(trans); + spin_unlock(&trans_pcie->irq_lock); + + out: +--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c +@@ -272,6 +272,15 @@ void iwl_trans_pcie_gen2_fw_alive(struct + * paging memory cannot be freed included since FW will still use it + */ + iwl_pcie_ctxt_info_free(trans); ++ ++ /* ++ * Re-enable all the interrupts, including the RF-Kill one, now that ++ * the firmware is alive. ++ */ ++ iwl_enable_interrupts(trans); ++ mutex_lock(&trans_pcie->mutex); ++ iwl_pcie_check_hw_rf_kill(trans); ++ mutex_unlock(&trans_pcie->mutex); + } + + int iwl_trans_pcie_gen2_start_fw(struct iwl_trans *trans, 
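Review bot: In iwl_pcie_irq_handler() the new arm `else if (handled & (CSR_INT_BIT_ALIVE | CSR_INT_BIT_FH_RX)) iwl_enable_fw_load_int_ctx_info(trans);` rewrites `inta_mask` to ALIVE | FH_RX on the non-MSI-X path, which masks RF-Kill again. That is only correct while the firmware is still loading; whatever keeps this arm from running on an ordinary Rx interrupt after iwl_trans_pcie_gen2_fw_alive() has called iwl_enable_interrupts() lives in the earlier arms of the else-if chain, which are outside the hunk. The arm should carry a comment naming that precondition, for example `/* only reached while interrupts are not fully enabled, i.e. during context-info firmware load */`, so a later reordering of the chain cannot silently leave RF-Kill masked.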
diff --git a/queue-5.1/iwlwifi-mvm-clear-rfkill_safe_init_done-when-we-start-the-firmware.patch b/queue-5.1/iwlwifi-mvm-clear-rfkill_safe_init_done-when-we-start-the-firmware.patch new file mode 100644 index 00000000000..e22374bb367 --- /dev/null +++ b/queue-5.1/iwlwifi-mvm-clear-rfkill_safe_init_done-when-we-start-the-firmware.patch @@ -0,0 +1,55 @@ +From 940225628652b340b2bfe99f42f3d2db9fd9ce6c Mon Sep 17 00:00:00 2001 +From: Emmanuel Grumbach +Date: Wed, 22 May 2019 12:22:35 +0300 +Subject: iwlwifi: mvm: clear rfkill_safe_init_done when we start the firmware + +From: Emmanuel Grumbach + +commit 940225628652b340b2bfe99f42f3d2db9fd9ce6c upstream. + +Otherwise it'll stay set forever which is clearly buggy. + +Cc: stable@vger.kernel.org +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c +@@ -419,6 +419,8 @@ static int iwl_run_unified_mvm_ucode(str + + lockdep_assert_held(&mvm->mutex); + ++ mvm->rfkill_safe_init_done = false; ++ + iwl_init_notification_wait(&mvm->notif_wait, + &init_wait, + init_complete, +@@ -537,8 +539,7 @@ int iwl_run_init_mvm_ucode(struct iwl_mv + + lockdep_assert_held(&mvm->mutex); + +- if (WARN_ON_ONCE(mvm->rfkill_safe_init_done)) +- return 0; ++ mvm->rfkill_safe_init_done = false; + + iwl_init_notification_wait(&mvm->notif_wait, + &calib_wait, +@@ -1108,10 +1109,13 @@ static int iwl_mvm_load_rt_fw(struct iwl + + iwl_fw_dbg_apply_point(&mvm->fwrt, IWL_FW_INI_APPLY_EARLY); + ++ mvm->rfkill_safe_init_done = false; + ret = iwl_mvm_load_ucode_wait_alive(mvm, IWL_UCODE_REGULAR); + if (ret) + return ret; + ++ mvm->rfkill_safe_init_done = true; ++ + iwl_fw_dbg_apply_point(&mvm->fwrt, IWL_FW_INI_APPLY_AFTER_ALIVE); + + return iwl_init_paging(&mvm->fwrt, mvm->fwrt.cur_fw_img); 
diff --git a/queue-5.1/iwlwifi-mvm-delay-gtk-setting-in-fw-in-ap-mode.patch b/queue-5.1/iwlwifi-mvm-delay-gtk-setting-in-fw-in-ap-mode.patch new file mode 100644 index 00000000000..2521bdbe78a --- /dev/null +++ b/queue-5.1/iwlwifi-mvm-delay-gtk-setting-in-fw-in-ap-mode.patch 
@@ -0,0 +1,150 @@ +From c56e00a3feaee2b46b7d33875fb7f52efd30241f Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Mon, 20 May 2019 14:49:56 +0200 +Subject: iwlwifi: mvm: delay GTK setting in FW in AP mode + +From: Johannes Berg + +commit c56e00a3feaee2b46b7d33875fb7f52efd30241f upstream. + +In AP (and IBSS) mode, we can only set GTKs to firmware after we have +sent down the multicast station, but this we can only do after we've +enabled beaconing, etc. + +However, during rfkill exit, hostapd will configure the keys before +starting the AP, and cfg80211/mac80211 accept it happily. + +On earlier devices, this didn't bother us as GTK TX wasn't really +handled in firmware, we just put the key material into the TX cmd +and thus it only mattered when we actually transmitted a frame. + +On newer devices, however, the firmware needs to track all of this +and that doesn't work if we add the key before the (multicast) sta +it belongs to. + +To fix this, keep a list of keys to add during AP enable, and call +the function there. 
+ +Cc: stable@vger.kernel.org +Signed-off-by: Johannes Berg +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 53 +++++++++++++++++++++- + drivers/net/wireless/intel/iwlwifi/mvm/mvm.h | 3 + + 2 files changed, 54 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c +@@ -207,6 +207,12 @@ static const struct cfg80211_pmsr_capabi + }, + }; + ++static int iwl_mvm_mac_set_key(struct ieee80211_hw *hw, ++ enum set_key_cmd cmd, ++ struct ieee80211_vif *vif, ++ struct ieee80211_sta *sta, ++ struct ieee80211_key_conf *key); ++ + void iwl_mvm_ref(struct iwl_mvm *mvm, enum iwl_mvm_ref_type ref_type) + { + if (!iwl_mvm_is_d0i3_supported(mvm)) +@@ -2535,7 +2541,7 @@ static int iwl_mvm_start_ap_ibss(struct + { + struct iwl_mvm *mvm = IWL_MAC80211_GET_MVM(hw); + struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif); +- int ret; ++ int ret, i; + + /* + * iwl_mvm_mac_ctxt_add() might read directly from the device +@@ -2609,6 +2615,20 @@ static int iwl_mvm_start_ap_ibss(struct + /* must be set before quota calculations */ + mvmvif->ap_ibss_active = true; + ++ /* send all the early keys to the device now */ ++ for (i = 0; i < ARRAY_SIZE(mvmvif->ap_early_keys); i++) { ++ struct ieee80211_key_conf *key = mvmvif->ap_early_keys[i]; ++ ++ if (!key) ++ continue; ++ ++ mvmvif->ap_early_keys[i] = NULL; ++ ++ ret = iwl_mvm_mac_set_key(hw, SET_KEY, vif, NULL, key); ++ if (ret) ++ goto out_quota_failed; ++ } ++ + if (vif->type == NL80211_IFTYPE_AP && !vif->p2p) { + iwl_mvm_vif_set_low_latency(mvmvif, true, + LOW_LATENCY_VIF_TYPE); +@@ -3378,11 +3398,12 @@ static int iwl_mvm_mac_set_key(struct ie + struct ieee80211_sta *sta, + struct ieee80211_key_conf *key) + { ++ struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif); + struct iwl_mvm *mvm = IWL_MAC80211_GET_MVM(hw); + struct iwl_mvm_sta *mvmsta; + struct iwl_mvm_key_pn 
*ptk_pn; + int keyidx = key->keyidx; +- int ret; ++ int ret, i; + u8 key_offset; + + if (iwlwifi_mod_params.swcrypto) { +@@ -3455,6 +3476,22 @@ static int iwl_mvm_mac_set_key(struct ie + key->hw_key_idx = STA_KEY_IDX_INVALID; + break; + } ++ ++ if (!mvmvif->ap_ibss_active) { ++ for (i = 0; ++ i < ARRAY_SIZE(mvmvif->ap_early_keys); ++ i++) { ++ if (!mvmvif->ap_early_keys[i]) { ++ mvmvif->ap_early_keys[i] = key; ++ break; ++ } ++ } ++ ++ if (i >= ARRAY_SIZE(mvmvif->ap_early_keys)) ++ ret = -ENOSPC; ++ ++ break; ++ } + } + + /* During FW restart, in order to restore the state as it was, +@@ -3523,6 +3560,18 @@ static int iwl_mvm_mac_set_key(struct ie + + break; + case DISABLE_KEY: ++ ret = -ENOENT; ++ for (i = 0; i < ARRAY_SIZE(mvmvif->ap_early_keys); i++) { ++ if (mvmvif->ap_early_keys[i] == key) { ++ mvmvif->ap_early_keys[i] = NULL; ++ ret = 0; ++ } ++ } ++ ++ /* found in pending list - don't do anything else */ ++ if (ret == 0) ++ break; ++ + if (key->hw_key_idx == STA_KEY_IDX_INVALID) { + ret = 0; + break; +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h +@@ -498,6 +498,9 @@ struct iwl_mvm_vif { + netdev_features_t features; + + struct iwl_probe_resp_data __rcu *probe_resp_data; ++ ++ /* we can only have 2 GTK + 2 IGTK active at a time */ ++ struct ieee80211_key_conf *ap_early_keys[4]; + }; + + static inline struct iwl_mvm_vif * diff --git a/queue-5.1/iwlwifi-pcie-don-t-service-an-interrupt-that-was-masked.patch b/queue-5.1/iwlwifi-pcie-don-t-service-an-interrupt-that-was-masked.patch new file mode 100644 index 00000000000..7a9b88596e2 --- /dev/null +++ b/queue-5.1/iwlwifi-pcie-don-t-service-an-interrupt-that-was-masked.patch 
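Review bot: The queueing branch added under SET_KEY in iwl_mvm_mac_set_key() stores the caller-owned `key` pointer in `ap_early_keys[]` and then breaks with whatever value `ret` already held; the visible lines assign it only in the array-full case (`ret = -ENOSPC`). If the code above the hunk can leave `ret` non-zero, the caller is told the key was rejected while the pointer stays queued and is later replayed from iwl_mvm_start_ap_ibss(), so the result of the slot search should be set explicitly on success and a key that already failed should not be queued. The replay loop calls the full iwl_mvm_mac_set_key() entry point from inside iwl_mvm_start_ap_ibss(); whether both paths take the same mutex is not visible in these hunks and should be confirmed. On a replay failure, `goto out_quota_failed` leaves the later slots of `ap_early_keys[]` populated, which deserves either a comment or a clear of the array on that path.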
@@ -0,0 +1,72 @@ +From 3b57a10ca14c619707398dc58fe5ece18c95b20b Mon Sep 17 00:00:00 2001 +From: Emmanuel Grumbach +Date: Tue, 21 May 2019 15:10:38 +0300 +Subject: iwlwifi: pcie: don't service an interrupt that was masked + +From: Emmanuel Grumbach + +commit 3b57a10ca14c619707398dc58fe5ece18c95b20b upstream. + +Sometimes the register status can include interrupts that +were masked. We can, for example, get the RF-Kill bit set +in the interrupt status register although this interrupt +was masked. Then if we get the ALIVE interrupt (for example) +that was not masked, we need to *not* service the RF-Kill +interrupt. +Fix this in the MSI-X interrupt handler. + +Cc: stable@vger.kernel.org +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/pcie/rx.c | 27 +++++++++++++++++++++------ + 1 file changed, 21 insertions(+), 6 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/pcie/rx.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/rx.c +@@ -2113,10 +2113,18 @@ irqreturn_t iwl_pcie_irq_msix_handler(in + return IRQ_NONE; + } + +- if (iwl_have_debug_level(IWL_DL_ISR)) +- IWL_DEBUG_ISR(trans, "ISR inta_fh 0x%08x, enabled 0x%08x\n", +- inta_fh, ++ if (iwl_have_debug_level(IWL_DL_ISR)) { ++ IWL_DEBUG_ISR(trans, ++ "ISR inta_fh 0x%08x, enabled (sw) 0x%08x (hw) 0x%08x\n", ++ inta_fh, trans_pcie->fh_mask, + iwl_read32(trans, CSR_MSIX_FH_INT_MASK_AD)); ++ if (inta_fh & ~trans_pcie->fh_mask) ++ IWL_DEBUG_ISR(trans, ++ "We got a masked interrupt (0x%08x)\n", ++ inta_fh & ~trans_pcie->fh_mask); ++ } ++ ++ inta_fh &= trans_pcie->fh_mask; + + if ((trans_pcie->shared_vec_mask & IWL_SHARED_IRQ_NON_RX) && + inta_fh & MSIX_FH_INT_CAUSES_Q0) { +@@ -2156,11 +2164,18 @@ irqreturn_t iwl_pcie_irq_msix_handler(in + } + + /* After checking FH register check HW register */ +- if (iwl_have_debug_level(IWL_DL_ISR)) ++ if (iwl_have_debug_level(IWL_DL_ISR)) { + IWL_DEBUG_ISR(trans, +- "ISR inta_hw 0x%08x, enabled 
0x%08x\n", +- inta_hw, ++ "ISR inta_hw 0x%08x, enabled (sw) 0x%08x (hw) 0x%08x\n", ++ inta_hw, trans_pcie->hw_mask, + iwl_read32(trans, CSR_MSIX_HW_INT_MASK_AD)); ++ if (inta_hw & ~trans_pcie->hw_mask) ++ IWL_DEBUG_ISR(trans, ++ "We got a masked interrupt 0x%08x\n", ++ inta_hw & ~trans_pcie->hw_mask); ++ } ++ ++ inta_hw &= trans_pcie->hw_mask; + + /* Alive notification via Rx interrupt will do the real work */ + if (inta_hw & MSIX_HW_INT_CAUSES_REG_ALIVE) { diff --git a/queue-5.1/iwlwifi-pcie-fix-alive-interrupt-handling-for-gen2-devices-w-o-msi-x.patch b/queue-5.1/iwlwifi-pcie-fix-alive-interrupt-handling-for-gen2-devices-w-o-msi-x.patch new file mode 100644 index 00000000000..39276f29726 --- /dev/null +++ b/queue-5.1/iwlwifi-pcie-fix-alive-interrupt-handling-for-gen2-devices-w-o-msi-x.patch 
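Review bot: `inta_fh &= trans_pcie->fh_mask;` and `inta_hw &= trans_pcie->hw_mask;` in iwl_pcie_irq_msix_handler() drop masked causes without saying what happens to them afterwards. If the cause registers were already acknowledged earlier in the handler (that code is outside the hunk), an RF-Kill cause that fires while masked is discarded, and the driver then depends on the RF-Kill state being re-read once the interrupt is unmasked. A short comment at each of the two statements should name where that re-check happens. The masked-bit diagnostic is emitted only under `iwl_have_debug_level(IWL_DL_ISR)`, and its two format strings differ (`(0x%08x)` against `0x%08x`), which makes the messages harder to search for together.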
@@ -0,0 +1,72 @@
+From ec46ae30245ecb41d73f8254613db07c653fb498 Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach
+Date: Tue, 21 May 2019 15:03:21 +0300
+Subject: iwlwifi: pcie: fix ALIVE interrupt handling for gen2 devices w/o MSI-X
+
+From: Emmanuel Grumbach
+
+commit ec46ae30245ecb41d73f8254613db07c653fb498 upstream.
+
+We added code to restock the buffer upon ALIVE interrupt
+when MSI-X is disabled. This was added as part of the context
+info code. This code was added only if the ISR debug level
+is set which is very unlikely to be related.
+Move this code to run even when the ISR debug level is not
+set.
+
+Note that gen2 devices work with MSI-X in most cases so that
+this path is seldom used.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Emmanuel Grumbach
+Signed-off-by: Luca Coelho
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/rx.c | 34 ++++++++++++---------------
+ 1 file changed, 16 insertions(+), 18 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/rx.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/rx.c
+@@ -1832,25 +1832,23 @@ irqreturn_t iwl_pcie_irq_handler(int irq
+ goto out;
+ }
+
+- if (iwl_have_debug_level(IWL_DL_ISR)) {
+- /* NIC fires this, but we don't use it, redundant with WAKEUP */
+- if (inta & CSR_INT_BIT_SCD) {
+- IWL_DEBUG_ISR(trans,
+- "Scheduler finished to transmit the frame/frames.\n");
+- isr_stats->sch++;
+- }
++ /* NIC fires this, but we don't use it, redundant with WAKEUP */
++ if (inta & CSR_INT_BIT_SCD) {
++ IWL_DEBUG_ISR(trans,
++ "Scheduler finished to transmit the frame/frames.\n");
++ isr_stats->sch++;
++ }
+
+- /* Alive notification via Rx interrupt will do the real work */
+- if (inta & CSR_INT_BIT_ALIVE) {
+- IWL_DEBUG_ISR(trans, "Alive interrupt\n");
+- isr_stats->alive++;
+- if (trans->cfg->gen2) {
+- /*
+- * We can restock, since firmware configured
+- * the RFH
+- */
+- iwl_pcie_rxmq_restock(trans, trans_pcie->rxq);
+- }
++ /* Alive notification via Rx interrupt will
do the real work */
++ if (inta & CSR_INT_BIT_ALIVE) {
++ IWL_DEBUG_ISR(trans, "Alive interrupt\n");
++ isr_stats->alive++;
++ if (trans->cfg->gen2) {
++ /*
++ * We can restock, since firmware configured
++ * the RFH
++ */
++ iwl_pcie_rxmq_restock(trans, trans_pcie->rxq);
+ }
+ }
+
diff --git a/queue-5.1/opp-don-t-use-is_err-on-invalid-supplies.patch b/queue-5.1/opp-don-t-use-is_err-on-invalid-supplies.patch
new file mode 100644
index 00000000000..0cade5f59e8
--- /dev/null
+++ b/queue-5.1/opp-don-t-use-is_err-on-invalid-supplies.patch
@@ -0,0 +1,40 @@
+From 560d1bcad715c215e7ffe5d7cffe045974b623d0 Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko
+Date: Sun, 23 Jun 2019 20:50:53 +0300
+Subject: opp: Don't use IS_ERR on invalid supplies
+
+From: Dmitry Osipenko
+
+commit 560d1bcad715c215e7ffe5d7cffe045974b623d0 upstream.
+
+_set_opp_custom() receives a set of OPP supplies as its arguments and
+the caller of it passes NULL when the supplies are not valid. But
+_set_opp_custom(), by mistake, checks for error by performing
+IS_ERR(old_supply) on it which will always evaluate to false.
+
+The problem was spotted during of testing of upcoming update for the
+NVIDIA Tegra CPUFreq driver.
+
+Cc: stable
+Fixes: 7e535993fa4f ("OPP: Separate out custom OPP handler specific code")
+Reported-by: Marc Dietrich
+Signed-off-by: Dmitry Osipenko
+[ Viresh: Massaged changelog ]
+Signed-off-by: Viresh Kumar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/opp/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/opp/core.c
++++ b/drivers/opp/core.c
+@@ -631,7 +631,7 @@ static int _set_opp_custom(const struct
+
+ data->old_opp.rate = old_freq;
+ size = sizeof(*old_supply) * opp_table->regulator_count;
+- if (IS_ERR(old_supply))
++ if (!old_supply)
+ memset(data->old_opp.supplies, 0, size);
+ else
+ memcpy(data->old_opp.supplies, old_supply, size);
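Review bot: Removing the `iwl_have_debug_level(IWL_DL_ISR)` guard in iwl_pcie_irq_handler also un-gates the `CSR_INT_BIT_SCD` branch, which the description does not mention: `isr_stats->sch++` is now counted at every debug level rather than only when ISR debugging is on. That looks harmless, since the branch only logs and increments a counter, but the SCD block could have stayed under the debug check so that the patch changes nothing except the ALIVE path. The restock call is the part that matters and deserves a comment tying it to the bug, for example `/* must run at any debug level: firmware has configured the RFH */`. The handler continues outside the hunk.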
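Review bot: The new `if (!old_supply)` test in _set_opp_custom depends on a calling convention, NULL meaning "no valid supplies", that is stated only in the commit message and not in the code. A comment at the check such as `/* callers pass NULL, never an ERR_PTR, when the old supplies are invalid */` would keep the IS_ERR() test from being reintroduced. With the old test a NULL `old_supply` fell through to the `memcpy()` branch and was read for `size` bytes, so this one condition is what prevents the NULL read. If any caller outside the hunk can pass an error pointer, `IS_ERR_OR_NULL(old_supply)` would cover both cases; that cannot be confirmed from the lines shown. The function starts and ends outside the hunk.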
diff --git a/queue-5.1/regulator-s2mps11-fix-buck7-and-buck8-wrong-voltages.patch b/queue-5.1/regulator-s2mps11-fix-buck7-and-buck8-wrong-voltages.patch
new file mode 100644
index 00000000000..a6011d9c609
--- /dev/null
+++ b/queue-5.1/regulator-s2mps11-fix-buck7-and-buck8-wrong-voltages.patch
@@ -0,0 +1,42 @@
+From 16da0eb5ab6ef2dd1d33431199126e63db9997cc Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski
+Date: Sat, 29 Jun 2019 13:44:45 +0200
+Subject: regulator: s2mps11: Fix buck7 and buck8 wrong voltages
+
+From: Krzysztof Kozlowski
+
+commit 16da0eb5ab6ef2dd1d33431199126e63db9997cc upstream.
+
+On S2MPS11 device, the buck7 and buck8 regulator voltages start at 750
+mV, not 600 mV. Using wrong minimal value caused shifting of these
+regulator values by 150 mV (e.g. buck7 usually configured to v1.35 V was
+reported as 1.2 V).
+
+On most of the boards these regulators are left in default state so this
+was only affecting reported voltage. However if any driver wanted to
+change them, then effectively it would set voltage 150 mV higher than
+intended.
+
+Cc:
+Fixes: cb74685ecb39 ("regulator: s2mps11: Add samsung s2mps11 regulator driver")
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/regulator/s2mps11.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/regulator/s2mps11.c
++++ b/drivers/regulator/s2mps11.c
+@@ -372,8 +372,8 @@ static const struct regulator_desc s2mps
+ regulator_desc_s2mps11_buck1_4(4),
+ regulator_desc_s2mps11_buck5,
+ regulator_desc_s2mps11_buck67810(6, MIN_600_MV, STEP_6_25_MV),
+- regulator_desc_s2mps11_buck67810(7, MIN_600_MV, STEP_12_5_MV),
+- regulator_desc_s2mps11_buck67810(8, MIN_600_MV, STEP_12_5_MV),
++ regulator_desc_s2mps11_buck67810(7, MIN_750_MV, STEP_12_5_MV),
++ regulator_desc_s2mps11_buck67810(8, MIN_750_MV, STEP_12_5_MV),
+ regulator_desc_s2mps11_buck9,
+ regulator_desc_s2mps11_buck67810(10, MIN_750_MV, STEP_12_5_MV),
+ };
diff --git a/queue-5.1/regulator-s2mps11-fix-err_ptr-dereference-on-gpio-lookup-failure.patch b/queue-5.1/regulator-s2mps11-fix-err_ptr-dereference-on-gpio-lookup-failure.patch
new file mode 100644
index 00000000000..afd92b4b705
--- /dev/null
+++ b/queue-5.1/regulator-s2mps11-fix-err_ptr-dereference-on-gpio-lookup-failure.patch
@@ -0,0 +1,40 @@
+From 70ca117b02f3b1c8830fe95e4e3dea2937038e11 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski
+Date: Wed, 19 Jun 2019 14:42:39 +0200
+Subject: regulator: s2mps11: Fix ERR_PTR dereference on GPIO lookup failure
+
+From: Krzysztof Kozlowski
+
+commit 70ca117b02f3b1c8830fe95e4e3dea2937038e11 upstream.
+
+If devm_gpiod_get_from_of_node() call returns ERR_PTR, it is assigned
+into an array of GPIO descriptors and used later because such error is
+not treated as critical thus it is not propagated back to the probe
+function.
+
+All code later expects that such GPIO descriptor is either a NULL or
+proper value. This later might lead to dereference of ERR_PTR.
+
+Only devices with S2MPS14 flavor are affected (other do not control
+regulators with GPIOs).
+
+Fixes: 1c984942f0a4 ("regulator: s2mps11: Pass descriptor instead of GPIO number")
+Cc:
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/regulator/s2mps11.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/regulator/s2mps11.c
++++ b/drivers/regulator/s2mps11.c
+@@ -826,6 +826,7 @@ static void s2mps14_pmic_dt_parse_ext_co
+ else if (IS_ERR(gpio[reg])) {
+ dev_err(&pdev->dev, "Failed to get control GPIO for %d/%s\n",
+ reg, rdata[reg].name);
++ gpio[reg] = NULL;
+ continue;
+ }
+ if (gpio[reg])
diff --git a/queue-5.1/revert-bcache-set-cache_set_io_disable-in-bch_cached_dev_error.patch b/queue-5.1/revert-bcache-set-cache_set_io_disable-in-bch_cached_dev_error.patch
new file mode 100644
index 00000000000..a297e849a82
--- /dev/null
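Review bot: The error code is lost when the added `gpio[reg] = NULL;` overwrites the ERR_PTR, because the `dev_err()` just above it never prints the code, so the log cannot tell one kind of lookup failure from another. Printing it before the reset keeps the failure diagnosable: `dev_err(&pdev->dev, "Failed to get control GPIO for %d/%s: %ld\n", reg, rdata[reg].name, PTR_ERR(gpio[reg]));`. A short comment on the new line, `/* later code expects NULL or a valid descriptor */`, would record why the reset is needed. The enclosing loop and function (name truncated to `s2mps14_pmic_dt_parse_ext_co` in the hunk header) extend outside the hunk.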
+++ b/queue-5.1/revert-bcache-set-cache_set_io_disable-in-bch_cached_dev_error.patch 
@@ -0,0 +1,65 @@
+From 695277f16b3a102fcc22c97fdf2de77c7b19f0b3 Mon Sep 17 00:00:00 2001
+From: Coly Li
+Date: Fri, 28 Jun 2019 19:59:27 +0800
+Subject: Revert "bcache: set CACHE_SET_IO_DISABLE in bch_cached_dev_error()"
+
+From: Coly Li
+
+commit 695277f16b3a102fcc22c97fdf2de77c7b19f0b3 upstream.
+
+This reverts commit 6147305c73e4511ca1a975b766b97a779d442567.
+
+Although this patch helps the failed bcache device to stop faster when
+too many I/O errors detected on corresponding cached device, setting
+CACHE_SET_IO_DISABLE bit to cache set c->flags was not a good idea. This
+operation will disable all I/Os on cache set, which means other attached
+bcache devices won't work neither.
+
+Without this patch, the failed bcache device can also be stopped
+eventually if internal I/O accomplished (e.g. writeback). Therefore here
+I revert it.
+
+Fixes: 6147305c73e4 ("bcache: set CACHE_SET_IO_DISABLE in bch_cached_dev_error()")
+Reported-by: Yong Li
+Signed-off-by: Coly Li
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/bcache/super.c | 17 -----------------
+ 1 file changed, 17 deletions(-)
+
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1429,8 +1429,6 @@ int bch_flash_dev_create(struct cache_se
+
+ bool bch_cached_dev_error(struct cached_dev *dc)
+ {
+- struct cache_set *c;
+-
+ if (!dc || test_bit(BCACHE_DEV_CLOSING, &dc->disk.flags))
+ return false;
+
+@@ -1441,21 +1439,6 @@ bool bch_cached_dev_error(struct cached_
+ pr_err("stop %s: too many IO errors on backing device %s\n",
+ dc->disk.disk->disk_name, dc->backing_dev_name);
+
+- /*
+- * If the cached device is still attached to a cache set,
+- * even dc->io_disable is true and no more I/O requests
+- * accepted, cache device internal I/O (writeback scan or
+- * garbage collection) may still prevent bcache device from
+- * being stopped.
So here CACHE_SET_IO_DISABLE should be
+- * set to c->flags too, to make the internal I/O to cache
+- * device rejected and stopped immediately.
+- * If c is NULL, that means the bcache device is not attached
+- * to any cache set, then no CACHE_SET_IO_DISABLE bit to set.
+- */
+- c = dc->disk.c;
+- if (c && test_and_set_bit(CACHE_SET_IO_DISABLE, &c->flags))
+- pr_info("CACHE_SET_IO_DISABLE already set");
+-
+ bcache_device_stop(&dc->disk);
+ return true;
+ }
diff --git a/queue-5.1/series b/queue-5.1/series
index d39323f7854..fd1278e0695 100644
--- a/queue-5.1/series
+++ b/queue-5.1/series
@@ -248,3 +248,29 @@ crypto-crypto4xx-block-ciphers-should-only-accept-complete-blocks.patch
 crypto-ccp-memset-structure-fields-to-zero-before-reuse.patch
 crypto-ccp-gcm-use-const-time-tag-comparison.patch
 crypto-crypto4xx-fix-a-potential-double-free-in-ppc4xx_trng_probe.patch
+cifs-always-add-credits-back-for-unsolicited-pdus.patch
+cifs-fix-crash-in-smb2_compound_op-smb2_set_next_command.patch
+cifs-properly-handle-auto-disabling-of-serverino-option.patch
+cifs-flush-before-set-info-if-we-have-writeable-handles.patch
+cifs-fix-deadlock-in-cached-root-handling.patch
+revert-bcache-set-cache_set_io_disable-in-bch_cached_dev_error.patch
+bcache-revert-bcache-fix-high-cpu-occupancy-during-journal.patch
+bcache-revert-bcache-free-heap-cache_set-flush_btree-in-bch_journal_free.patch
+bcache-ignore-read-ahead-request-failure-on-backing-device.patch
+bcache-fix-mistaken-sysfs-entry-for-io_error-counter.patch
+bcache-destroy-dc-writeback_write_wq-if-failed-to-create-dc-writeback_thread.patch
+input-gtco-bounds-check-collection-indent-level.patch
+input-alps-don-t-handle-alps-cs19-trackpoint-only-device.patch
+input-synaptics-whitelist-lenovo-t580-smbus-intertouch.patch
+input-alps-fix-a-mismatch-between-a-condition-check-and-its-comment.patch
+regulator-s2mps11-fix-err_ptr-dereference-on-gpio-lookup-failure.patch
+regulator-s2mps11-fix-buck7-and-buck8-wrong-voltages.patch
+arm64-tegra-update-jetson-tx1-gpu-regulator-timings.patch
+iwlwifi-add-support-for-hr1-rf-id.patch
+iwlwifi-pcie-don-t-service-an-interrupt-that-was-masked.patch
+iwlwifi-pcie-fix-alive-interrupt-handling-for-gen2-devices-w-o-msi-x.patch
+iwlwifi-don-t-warn-when-calling-iwl_get_shared_mem_conf-with-rf-kill.patch
+iwlwifi-fix-rf-kill-interrupt-while-fw-load-for-gen2-devices.patch
+iwlwifi-mvm-delay-gtk-setting-in-fw-in-ap-mode.patch
+iwlwifi-mvm-clear-rfkill_safe_init_done-when-we-start-the-firmware.patch
+opp-don-t-use-is_err-on-invalid-supplies.patch
-- 2.47.3