From ea05e3d701a6928f8306e471e1c4bc96becf7227 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 13 Nov 2018 17:20:39 -0800 Subject: [PATCH] 4.19-stable patches added patches: 9p-clear-dangling-pointers-in-p9stat_free.patch 9p-locks-fix-glock.client_id-leak-in-do_lock.patch arm-dts-imx6ull-keep-imx6ul_-prefix-for-signals-on-both-i.mx6ul-and-i.mx6ull.patch arm-imx_v6_v7_defconfig-select-config_tmpfs_posix_acl.patch cdrom-fix-improper-type-cast-which-can-leat-to-information-leak.patch drm-amd-display-fix-bug-of-accessing-invalid-memory.patch drm-amd-display-fix-gamma-not-being-applied.patch drm-amd-display-raise-dispclk-value-for-dce120-by-15.patch drm-amdgpu-fix-integer-overflow-test-in-amdgpu_bo_list_create.patch drm-amdgpu-fix-sdma-to-after-gpu-reset-v3.patch drm-amdgpu-powerplay-fix-missing-break-in-switch-statements.patch drm-hisilicon-hibmc-do-not-carry-error-code-in-hibmc-framebuffer-pointer.patch drm-msm-disp-dpu-use-proper-define-for-drm_encoder_init-encoder_type.patch drm-msm-dpu-allow-planes-to-extend-past-active-display.patch drm-msm-gpu-fix-parameters-in-function-msm_gpu_crashstate_capture.patch drm-nouveau-secboot-acr-fix-memory-leak.patch drm-omap-fix-memory-barrier-bug-in-dmm-driver.patch drm-rcar-du-update-gen3-output-limitations.patch input-wm97xx-ts-fix-exit-path.patch media-coda-don-t-overwrite-h.264-profile_idc-on-decoder-instance.patch media-ov5640-fix-mode-change-regression.patch media-ov5640-fix-restore-of-last-mode-set.patch media-pci-cx23885-handle-adding-to-list-failure.patch media-tvp5150-fix-width-alignment-during-set_selection.patch mips-kexec-mark-cpu-offline-before-disabling-local-irq.patch mips-pci-call-pcie_bus_configure_settings-to-set-mps-mrrs.patch powerpc-64-module-rel32-relocation-range-check.patch powerpc-boot-ensure-_zimage_start-is-a-weak-symbol.patch powerpc-eeh-fix-possible-null-deref-in-eeh_dump_dev_log.patch powerpc-makefile-fix-ppc_book3s_64-asflags.patch powerpc-memtrace-remove-memory-in-chunks.patch powerpc-mm-don-t-report-hugepage-tables-as-memory-leaks-when-using-kmemleak.patch powerpc-mm-fix-always-true-false-warning-in-slice.c.patch powerpc-mm-fix-page-table-dump-to-work-on-radix.patch powerpc-nohash-fix-undefined-behaviour-when-testing-page-size-support.patch powerpc-selftests-wait-all-threads-to-join.patch powerpc-traps-restore-recoverability-of-machine_check-interrupts.patch sc16is7xx-fix-for-multi-channel-stall.patch serial-8250_of-fix-for-lack-of-interrupt-support.patch staging-erofs-fix-a-missing-endian-conversion.patch staging-iio-ad7606-fix-voltage-scales.patch staging-most-video-fix-registration-of-an-empty-comp-core_component.patch tracing-kprobes-check-the-probe-on-unloaded-module-correctly.patch tty-check-name-length-in-tty_find_polling_driver.patch udf-prevent-write-unsupported-filesystem-to-be-remounted-read-write.patch --- ...ear-dangling-pointers-in-p9stat_free.patch | 43 ++++++ ...-fix-glock.client_id-leak-in-do_lock.patch | 74 ++++++++++ ...signals-on-both-i.mx6ul-and-i.mx6ull.patch | 86 +++++++++++ ...config-select-config_tmpfs_posix_acl.patch | 48 ++++++ ...t-which-can-leat-to-information-leak.patch | 35 +++++ ...-fix-bug-of-accessing-invalid-memory.patch | 56 +++++++ ...-display-fix-gamma-not-being-applied.patch | 82 +++++++++++ ...raise-dispclk-value-for-dce120-by-15.patch | 48 ++++++ ...erflow-test-in-amdgpu_bo_list_create.patch | 38 +++++ ...mdgpu-fix-sdma-to-after-gpu-reset-v3.patch | 52 +++++++ ...x-missing-break-in-switch-statements.patch | 114 +++++++++++++++ ...or-code-in-hibmc-framebuffer-pointer.patch | 84 +++++++++++ ...ne-for-drm_encoder_init-encoder_type.patch | 107 ++++++++++++++ ...planes-to-extend-past-active-display.patch | 126 ++++++++++++++++ ...-function-msm_gpu_crashstate_capture.patch | 49 +++++++ ...-nouveau-secboot-acr-fix-memory-leak.patch | 34 +++++ ...fix-memory-barrier-bug-in-dmm-driver.patch | 74 ++++++++++ ...ar-du-update-gen3-output-limitations.patch | 50 +++++++ .../input-wm97xx-ts-fix-exit-path.patch | 40 +++++ ....264-profile_idc-on-decoder-instance.patch | 44 ++++++ ...ia-ov5640-fix-mode-change-regression.patch | 97 ++++++++++++ ...-ov5640-fix-restore-of-last-mode-set.patch | 92 ++++++++++++ ...x23885-handle-adding-to-list-failure.patch | 65 +++++++++ ...width-alignment-during-set_selection.patch | 55 +++++++ ...u-offline-before-disabling-local-irq.patch | 51 +++++++ ...s_configure_settings-to-set-mps-mrrs.patch | 46 ++++++ ...-module-rel32-relocation-range-check.patch | 46 ++++++ ...nsure-_zimage_start-is-a-weak-symbol.patch | 62 ++++++++ ...sible-null-deref-in-eeh_dump_dev_log.patch | 37 +++++ ...c-makefile-fix-ppc_book3s_64-asflags.patch | 81 ++++++++++ ...rpc-memtrace-remove-memory-in-chunks.patch | 87 +++++++++++ ...-as-memory-leaks-when-using-kmemleak.patch | 62 ++++++++ ...always-true-false-warning-in-slice.c.patch | 125 ++++++++++++++++ ...fix-page-table-dump-to-work-on-radix.patch | 56 +++++++ ...viour-when-testing-page-size-support.patch | 53 +++++++ ...c-selftests-wait-all-threads-to-join.patch | 75 ++++++++++ ...rability-of-machine_check-interrupts.patch | 51 +++++++ ...c16is7xx-fix-for-multi-channel-stall.patch | 116 +++++++++++++++ ...of-fix-for-lack-of-interrupt-support.patch | 89 +++++++++++ queue-4.19/series | 45 ++++++ ...rofs-fix-a-missing-endian-conversion.patch | 48 ++++++ ...taging-iio-ad7606-fix-voltage-scales.patch | 45 ++++++ ...tion-of-an-empty-comp-core_component.patch | 58 ++++++++ ...e-probe-on-unloaded-module-correctly.patch | 97 ++++++++++++ ...me-length-in-tty_find_polling_driver.patch | 138 ++++++++++++++++++ ...ilesystem-to-be-remounted-read-write.patch | 101 +++++++++++++ 46 files changed, 3162 insertions(+) create mode 100644 queue-4.19/9p-clear-dangling-pointers-in-p9stat_free.patch create mode 100644 queue-4.19/9p-locks-fix-glock.client_id-leak-in-do_lock.patch create mode 100644 queue-4.19/arm-dts-imx6ull-keep-imx6ul_-prefix-for-signals-on-both-i.mx6ul-and-i.mx6ull.patch create mode 100644 queue-4.19/arm-imx_v6_v7_defconfig-select-config_tmpfs_posix_acl.patch create mode 100644 queue-4.19/cdrom-fix-improper-type-cast-which-can-leat-to-information-leak.patch create mode 100644 queue-4.19/drm-amd-display-fix-bug-of-accessing-invalid-memory.patch create mode 100644 queue-4.19/drm-amd-display-fix-gamma-not-being-applied.patch create mode 100644 queue-4.19/drm-amd-display-raise-dispclk-value-for-dce120-by-15.patch create mode 100644 queue-4.19/drm-amdgpu-fix-integer-overflow-test-in-amdgpu_bo_list_create.patch create mode 100644 queue-4.19/drm-amdgpu-fix-sdma-to-after-gpu-reset-v3.patch create mode 100644 queue-4.19/drm-amdgpu-powerplay-fix-missing-break-in-switch-statements.patch create mode 100644 queue-4.19/drm-hisilicon-hibmc-do-not-carry-error-code-in-hibmc-framebuffer-pointer.patch create mode 100644 queue-4.19/drm-msm-disp-dpu-use-proper-define-for-drm_encoder_init-encoder_type.patch create mode 100644 queue-4.19/drm-msm-dpu-allow-planes-to-extend-past-active-display.patch create mode 100644 queue-4.19/drm-msm-gpu-fix-parameters-in-function-msm_gpu_crashstate_capture.patch create mode 100644 queue-4.19/drm-nouveau-secboot-acr-fix-memory-leak.patch create mode 100644 queue-4.19/drm-omap-fix-memory-barrier-bug-in-dmm-driver.patch create mode 100644 queue-4.19/drm-rcar-du-update-gen3-output-limitations.patch create mode 100644 queue-4.19/input-wm97xx-ts-fix-exit-path.patch create mode 100644 queue-4.19/media-coda-don-t-overwrite-h.264-profile_idc-on-decoder-instance.patch create mode 100644 queue-4.19/media-ov5640-fix-mode-change-regression.patch create mode 100644 queue-4.19/media-ov5640-fix-restore-of-last-mode-set.patch create mode 100644 queue-4.19/media-pci-cx23885-handle-adding-to-list-failure.patch create mode 100644 queue-4.19/media-tvp5150-fix-width-alignment-during-set_selection.patch create mode 100644 queue-4.19/mips-kexec-mark-cpu-offline-before-disabling-local-irq.patch create mode 100644 queue-4.19/mips-pci-call-pcie_bus_configure_settings-to-set-mps-mrrs.patch create mode 100644 queue-4.19/powerpc-64-module-rel32-relocation-range-check.patch create mode 100644 queue-4.19/powerpc-boot-ensure-_zimage_start-is-a-weak-symbol.patch create mode 100644 queue-4.19/powerpc-eeh-fix-possible-null-deref-in-eeh_dump_dev_log.patch create mode 100644 queue-4.19/powerpc-makefile-fix-ppc_book3s_64-asflags.patch create mode 100644 queue-4.19/powerpc-memtrace-remove-memory-in-chunks.patch create mode 100644 queue-4.19/powerpc-mm-don-t-report-hugepage-tables-as-memory-leaks-when-using-kmemleak.patch create mode 100644 queue-4.19/powerpc-mm-fix-always-true-false-warning-in-slice.c.patch create mode 100644 queue-4.19/powerpc-mm-fix-page-table-dump-to-work-on-radix.patch create mode 100644 queue-4.19/powerpc-nohash-fix-undefined-behaviour-when-testing-page-size-support.patch create mode 100644 queue-4.19/powerpc-selftests-wait-all-threads-to-join.patch create mode 100644 queue-4.19/powerpc-traps-restore-recoverability-of-machine_check-interrupts.patch create mode 100644 queue-4.19/sc16is7xx-fix-for-multi-channel-stall.patch create mode 100644 queue-4.19/serial-8250_of-fix-for-lack-of-interrupt-support.patch create mode 100644 queue-4.19/series create mode 100644 queue-4.19/staging-erofs-fix-a-missing-endian-conversion.patch create mode 100644 queue-4.19/staging-iio-ad7606-fix-voltage-scales.patch create mode 100644 queue-4.19/staging-most-video-fix-registration-of-an-empty-comp-core_component.patch create mode 100644 queue-4.19/tracing-kprobes-check-the-probe-on-unloaded-module-correctly.patch create mode 100644 queue-4.19/tty-check-name-length-in-tty_find_polling_driver.patch create mode 100644 queue-4.19/udf-prevent-write-unsupported-filesystem-to-be-remounted-read-write.patch diff --git a/queue-4.19/9p-clear-dangling-pointers-in-p9stat_free.patch b/queue-4.19/9p-clear-dangling-pointers-in-p9stat_free.patch new file mode 100644 index 00000000000..fd35995a940 --- /dev/null +++ b/queue-4.19/9p-clear-dangling-pointers-in-p9stat_free.patch @@ -0,0 +1,43 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: Dominique Martinet +Date: Tue, 28 Aug 2018 07:32:35 +0900 +Subject: 9p: clear dangling pointers in p9stat_free + +From: Dominique Martinet + +[ Upstream commit 62e3941776fea8678bb8120607039410b1b61a65 ] + +p9stat_free is more of a cleanup function than a 'free' function as it +only frees the content of the struct; there are chances of use-after-free +if it is improperly used (e.g. p9stat_free called twice as it used to be +possible to) + +Clearing dangling pointers makes the function idempotent and safer to use. + +Link: http://lkml.kernel.org/r/1535410108-20650-2-git-send-email-asmadeus@codewreck.org +Signed-off-by: Dominique Martinet +Reported-by: syzbot+d4252148d198410b864f@syzkaller.appspotmail.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/9p/protocol.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/net/9p/protocol.c ++++ b/net/9p/protocol.c +@@ -46,10 +46,15 @@ p9pdu_writef(struct p9_fcall *pdu, int p + void p9stat_free(struct p9_wstat *stbuf) + { + kfree(stbuf->name); ++ stbuf->name = NULL; + kfree(stbuf->uid); ++ stbuf->uid = NULL; + kfree(stbuf->gid); ++ stbuf->gid = NULL; + kfree(stbuf->muid); ++ stbuf->muid = NULL; + kfree(stbuf->extension); ++ stbuf->extension = NULL; + } + EXPORT_SYMBOL(p9stat_free); + diff --git a/queue-4.19/9p-locks-fix-glock.client_id-leak-in-do_lock.patch b/queue-4.19/9p-locks-fix-glock.client_id-leak-in-do_lock.patch new file mode 100644 index 00000000000..6ab9f517aca --- /dev/null +++ b/queue-4.19/9p-locks-fix-glock.client_id-leak-in-do_lock.patch @@ -0,0 +1,74 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: Dominique Martinet +Date: Sat, 8 Sep 2018 01:18:43 +0900 +Subject: 9p locks: fix glock.client_id leak in do_lock + +From: Dominique Martinet + +[ Upstream commit b4dc44b3cac9e8327e0655f530ed0c46f2e6214c ] + +the 9p client code overwrites our glock.client_id pointing to a static +buffer by an allocated string holding the network provided value which +we do not care about; free and reset the value as appropriate. + +This is almost identical to the leak in v9fs_file_getlock() fixed by +Al Viro in commit ce85dd58ad5a6 ("9p: we are leaking glock.client_id +in v9fs_file_getlock()"), which was returned as an error by a coverity +false positive -- while we are here attempt to make the code slightly +more robust to future change of the net/9p/client code and hopefully +more clear to coverity that there is no problem. + +Link: http://lkml.kernel.org/r/1536339057-21974-5-git-send-email-asmadeus@codewreck.org +Signed-off-by: Dominique Martinet +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/9p/vfs_file.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +--- a/fs/9p/vfs_file.c ++++ b/fs/9p/vfs_file.c +@@ -204,6 +204,14 @@ static int v9fs_file_do_lock(struct file + break; + if (schedule_timeout_interruptible(P9_LOCK_TIMEOUT) != 0) + break; ++ /* ++ * p9_client_lock_dotl overwrites flock.client_id with the ++ * server message, free and reuse the client name ++ */ ++ if (flock.client_id != fid->clnt->name) { ++ kfree(flock.client_id); ++ flock.client_id = fid->clnt->name; ++ } + } + + /* map 9p status to VFS status */ +@@ -235,6 +243,8 @@ out_unlock: + locks_lock_file_wait(filp, fl); + fl->fl_type = fl_type; + } ++ if (flock.client_id != fid->clnt->name) ++ kfree(flock.client_id); + out: + return res; + } +@@ -269,7 +279,7 @@ static int v9fs_file_getlock(struct file + + res = p9_client_getlock_dotl(fid, &glock); + if (res < 0) +- return res; ++ goto out; + /* map 9p lock type to os lock type */ + switch (glock.type) { + case P9_LOCK_TYPE_RDLCK: +@@ -290,7 +300,9 @@ static int v9fs_file_getlock(struct file + fl->fl_end = glock.start + glock.length - 1; + fl->fl_pid = -glock.proc_id; + } +- kfree(glock.client_id); ++out: ++ if (glock.client_id != fid->clnt->name) ++ kfree(glock.client_id); + return res; + } + diff --git a/queue-4.19/arm-dts-imx6ull-keep-imx6ul_-prefix-for-signals-on-both-i.mx6ul-and-i.mx6ull.patch b/queue-4.19/arm-dts-imx6ull-keep-imx6ul_-prefix-for-signals-on-both-i.mx6ul-and-i.mx6ull.patch new file mode 100644 index 00000000000..0eeacd80253 --- /dev/null +++ b/queue-4.19/arm-dts-imx6ull-keep-imx6ul_-prefix-for-signals-on-both-i.mx6ul-and-i.mx6ull.patch @@ -0,0 +1,86 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: "Sébastien Szymanski" +Date: Wed, 22 Aug 2018 13:38:03 +0200 +Subject: ARM: dts: imx6ull: keep IMX6UL_ prefix for signals on both i.MX6UL and i.MX6ULL + +From: "Sébastien Szymanski" + +[ Upstream commit 31edaa6e7fd8143085a6a60c564447c07e76ed9f ] + +Signals available on both i.MX6UL and i.MX6ULL should have the same name +because it is the case of all others common signals, it avoids to make +mistakes (use the wrong ones) and it makes writing device tree files +less complicated. For example: + +imx6ul-imx6ull-board.dtsi: + ... + pinctrl_uart5: uart5grp { + fsl,pins = < + MX6UL_PAD_UART5_TX_DATA__UART5_DCE_TX 0x1b0b1 + MX6UL_PAD_UART5_RX_DATA__UART5_DCE_RX 0x1b0b1 + >; + }; + +imx6ul-board.dts: + #include + #include + ... + +imx6ull-board.dts: + #include + #include + ... + +Without this patch, the imx6ull-board.dtb will use +MX6UL_PAD_UART5_RX_DATA__UART5_DCE_RX instead of +MX6ULL_PAD_UART5_RX_DATA__UART5_DCE_RX and the uart5 will be +misconfigured. + +Signed-off-by: Sébastien Szymanski +Reviewed-by: Fabio Estevam +Acked-by: Rob Herring +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/imx6ull-pinfunc.h | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +--- a/arch/arm/boot/dts/imx6ull-pinfunc.h ++++ b/arch/arm/boot/dts/imx6ull-pinfunc.h +@@ -14,14 +14,23 @@ + * The pin function ID is a tuple of + * + */ ++/* signals common for i.MX6UL and i.MX6ULL */ ++#undef MX6UL_PAD_UART5_TX_DATA__UART5_DTE_RX ++#define MX6UL_PAD_UART5_TX_DATA__UART5_DTE_RX 0x00BC 0x0348 0x0644 0x0 0x6 ++#undef MX6UL_PAD_UART5_RX_DATA__UART5_DCE_RX ++#define MX6UL_PAD_UART5_RX_DATA__UART5_DCE_RX 0x00C0 0x034C 0x0644 0x0 0x7 ++#undef MX6UL_PAD_ENET1_RX_EN__UART5_DCE_RTS ++#define MX6UL_PAD_ENET1_RX_EN__UART5_DCE_RTS 0x00CC 0x0358 0x0640 0x1 0x5 ++#undef MX6UL_PAD_ENET1_TX_DATA0__UART5_DTE_RTS ++#define MX6UL_PAD_ENET1_TX_DATA0__UART5_DTE_RTS 0x00D0 0x035C 0x0640 0x1 0x6 ++#undef MX6UL_PAD_CSI_DATA02__UART5_DCE_RTS ++#define MX6UL_PAD_CSI_DATA02__UART5_DCE_RTS 0x01EC 0x0478 0x0640 0x8 0x7 ++ ++/* signals for i.MX6ULL only */ + #define MX6ULL_PAD_UART1_TX_DATA__UART5_DTE_RX 0x0084 0x0310 0x0644 0x9 0x4 + #define MX6ULL_PAD_UART1_RX_DATA__UART5_DCE_RX 0x0088 0x0314 0x0644 0x9 0x5 + #define MX6ULL_PAD_UART1_CTS_B__UART5_DCE_RTS 0x008C 0x0318 0x0640 0x9 0x3 + #define MX6ULL_PAD_UART1_RTS_B__UART5_DTE_RTS 0x0090 0x031C 0x0640 0x9 0x4 +-#define MX6ULL_PAD_UART5_TX_DATA__UART5_DTE_RX 0x00BC 0x0348 0x0644 0x0 0x6 +-#define MX6ULL_PAD_UART5_RX_DATA__UART5_DCE_RX 0x00C0 0x034C 0x0644 0x0 0x7 +-#define MX6ULL_PAD_ENET1_RX_EN__UART5_DCE_RTS 0x00CC 0x0358 0x0640 0x1 0x5 +-#define MX6ULL_PAD_ENET1_TX_DATA0__UART5_DTE_RTS 0x00D0 0x035C 0x0640 0x1 0x6 + #define MX6ULL_PAD_ENET2_RX_DATA0__EPDC_SDDO08 0x00E4 0x0370 0x0000 0x9 0x0 + #define MX6ULL_PAD_ENET2_RX_DATA1__EPDC_SDDO09 0x00E8 0x0374 0x0000 0x9 0x0 + #define MX6ULL_PAD_ENET2_RX_EN__EPDC_SDDO10 0x00EC 0x0378 0x0000 0x9 0x0 +@@ -55,7 +64,6 @@ + #define MX6ULL_PAD_CSI_DATA00__ESAI_TX_HF_CLK 0x01E4 0x0470 0x0000 0x9 0x0 + #define MX6ULL_PAD_CSI_DATA01__ESAI_RX_HF_CLK 0x01E8 0x0474 0x0000 0x9 0x0 + #define MX6ULL_PAD_CSI_DATA02__ESAI_RX_FS 0x01EC 0x0478 0x0000 0x9 0x0 +-#define MX6ULL_PAD_CSI_DATA02__UART5_DCE_RTS 0x01EC 0x0478 0x0640 0x8 0x7 + #define MX6ULL_PAD_CSI_DATA03__ESAI_RX_CLK 0x01F0 0x047C 0x0000 0x9 0x0 + #define MX6ULL_PAD_CSI_DATA04__ESAI_TX_FS 0x01F4 0x0480 0x0000 0x9 0x0 + #define MX6ULL_PAD_CSI_DATA05__ESAI_TX_CLK 0x01F8 0x0484 0x0000 0x9 0x0 diff --git a/queue-4.19/arm-imx_v6_v7_defconfig-select-config_tmpfs_posix_acl.patch b/queue-4.19/arm-imx_v6_v7_defconfig-select-config_tmpfs_posix_acl.patch new file mode 100644 index 00000000000..ac54d76c38b --- /dev/null +++ b/queue-4.19/arm-imx_v6_v7_defconfig-select-config_tmpfs_posix_acl.patch @@ -0,0 +1,48 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: Fabio Estevam +Date: Mon, 10 Sep 2018 14:45:23 -0300 +Subject: ARM: imx_v6_v7_defconfig: Select CONFIG_TMPFS_POSIX_ACL + +From: Fabio Estevam + +[ Upstream commit 35d3cbe84544da74e39e1cec01374092467e3119 ] + +Andreas Müller reports: + +"Fixes: + +| Sep 04 09:05:10 imx6qdl-variscite-som systemd-udevd[220]: Failed to apply ACL on /dev/v4l-subdev0: Operation not supported +| Sep 04 09:05:10 imx6qdl-variscite-som systemd-udevd[224]: Failed to apply ACL on /dev/v4l-subdev1: Operation not supported +| Sep 04 09:05:10 imx6qdl-variscite-som systemd-udevd[215]: Failed to apply ACL on /dev/v4l-subdev10: Operation not supported +| Sep 04 09:05:10 imx6qdl-variscite-som systemd-udevd[228]: Failed to apply ACL on /dev/v4l-subdev2: Operation not supported +| Sep 04 09:05:10 imx6qdl-variscite-som systemd-udevd[232]: Failed to apply ACL on /dev/v4l-subdev5: Operation not supported +| Sep 04 09:05:10 imx6qdl-variscite-som systemd-udevd[217]: Failed to apply ACL on /dev/v4l-subdev11: Operation not supported +| Sep 04 09:05:10 imx6qdl-variscite-som systemd-udevd[214]: Failed to apply ACL on /dev/dri/card1: Operation not supported +| Sep 04 09:05:10 imx6qdl-variscite-som systemd-udevd[216]: Failed to apply ACL on /dev/v4l-subdev8: Operation not supported +| Sep 04 09:05:10 imx6qdl-variscite-som systemd-udevd[226]: Failed to apply ACL on /dev/v4l-subdev9: Operation not supported + +and nasty follow-ups: Starting weston from sddm as unpriviledged user fails +with some hints on missing access rights." + +Select the CONFIG_TMPFS_POSIX_ACL option to fix these issues. + +Reported-by: Andreas Müller +Signed-off-by: Fabio Estevam +Acked-by: Otavio Salvador +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/configs/imx_v6_v7_defconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm/configs/imx_v6_v7_defconfig ++++ b/arch/arm/configs/imx_v6_v7_defconfig +@@ -409,6 +409,7 @@ CONFIG_ZISOFS=y + CONFIG_UDF_FS=m + CONFIG_MSDOS_FS=m + CONFIG_VFAT_FS=y ++CONFIG_TMPFS_POSIX_ACL=y + CONFIG_JFFS2_FS=y + CONFIG_UBIFS_FS=y + CONFIG_NFS_FS=y diff --git a/queue-4.19/cdrom-fix-improper-type-cast-which-can-leat-to-information-leak.patch b/queue-4.19/cdrom-fix-improper-type-cast-which-can-leat-to-information-leak.patch new file mode 100644 index 00000000000..ea594f4a611 --- /dev/null +++ b/queue-4.19/cdrom-fix-improper-type-cast-which-can-leat-to-information-leak.patch @@ -0,0 +1,35 @@ +From e4f3aa2e1e67bb48dfbaaf1cad59013d5a5bc276 Mon Sep 17 00:00:00 2001 +From: Young_X +Date: Wed, 3 Oct 2018 12:54:29 +0000 +Subject: cdrom: fix improper type cast, which can leat to information leak. + +From: Young_X + +commit e4f3aa2e1e67bb48dfbaaf1cad59013d5a5bc276 upstream. + +There is another cast from unsigned long to int which causes +a bounds check to fail with specially crafted input. The value is +then used as an index in the slot array in cdrom_slot_status(). + +This issue is similar to CVE-2018-16658 and CVE-2018-10940. + +Signed-off-by: Young_X +Signed-off-by: Jens Axboe +Cc: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/cdrom/cdrom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/cdrom/cdrom.c ++++ b/drivers/cdrom/cdrom.c +@@ -2445,7 +2445,7 @@ static int cdrom_ioctl_select_disc(struc + return -ENOSYS; + + if (arg != CDSL_CURRENT && arg != CDSL_NONE) { +- if ((int)arg >= cdi->capacity) ++ if (arg >= cdi->capacity) + return -EINVAL; + } + diff --git a/queue-4.19/drm-amd-display-fix-bug-of-accessing-invalid-memory.patch b/queue-4.19/drm-amd-display-fix-bug-of-accessing-invalid-memory.patch new file mode 100644 index 00000000000..d0a50b14fb8 --- /dev/null +++ b/queue-4.19/drm-amd-display-fix-bug-of-accessing-invalid-memory.patch @@ -0,0 +1,56 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: Su Sung Chung +Date: Thu, 20 Sep 2018 15:03:27 -0400 +Subject: drm/amd/display: fix bug of accessing invalid memory + +From: Su Sung Chung + +[ Upstream commit 43c3ff27a47d83d153c4adc088243ba594582bf5 ] + +[Why] +A loop inside of build_evenly_distributed_points function that traverse through +the array of points become an infinite loop when m_GammaUpdates does not +get assigned to any value. + +[How] +In DMColor, clear m_gammaIsValid bit just before writting all Zeromem for +m_GammaUpdates, to prevent calling build_evenly_distributed_points +before m_GammaUpdates gets assigned to some value. + +Signed-off-by: Su Sung Chung +Reviewed-by: Aric Cyr +Acked-by: Bhawanpreet Lakha +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/modules/color/color_gamma.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/display/modules/color/color_gamma.c ++++ b/drivers/gpu/drm/amd/display/modules/color/color_gamma.c +@@ -1069,10 +1069,14 @@ static void build_evenly_distributed_poi + struct dividers dividers) + { + struct gamma_pixel *p = points; +- struct gamma_pixel *p_last = p + numberof_points - 1; ++ struct gamma_pixel *p_last; + + uint32_t i = 0; + ++ // This function should not gets called with 0 as a parameter ++ ASSERT(numberof_points > 0); ++ p_last = p + numberof_points - 1; ++ + do { + struct fixed31_32 value = dc_fixpt_from_fraction(i, + numberof_points - 1); +@@ -1083,7 +1087,7 @@ static void build_evenly_distributed_poi + + ++p; + ++i; +- } while (i != numberof_points); ++ } while (i < numberof_points); + + p->r = dc_fixpt_div(p_last->r, dividers.divider1); + p->g = dc_fixpt_div(p_last->g, dividers.divider1); diff --git a/queue-4.19/drm-amd-display-fix-gamma-not-being-applied.patch b/queue-4.19/drm-amd-display-fix-gamma-not-being-applied.patch new file mode 100644 index 00000000000..795b0d84481 --- /dev/null +++ b/queue-4.19/drm-amd-display-fix-gamma-not-being-applied.patch @@ -0,0 +1,82 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: SivapiriyanKumarasamy +Date: Wed, 12 Sep 2018 14:15:42 -0400 +Subject: drm/amd/display: fix gamma not being applied + +From: SivapiriyanKumarasamy + +[ Upstream commit 30049754ab7c4b6148dd3cd64af7d54850604582 ] + +[WHY] +Previously night light forced a full update by +applying a transfer function update regardless of if it was changed. +This logic was removed, + +Now gamma surface updates are only applied when there is also a plane +info update, this does not work in cases such as using the night light +slider. + +[HOW] +When moving the night light slider we will perform a full update if +the gamma has changed and there is a surface, even when the surface +has not changed. Also get stream updates in setgamma prior to +update planes and stream. + +Signed-off-by: SivapiriyanKumarasamy +Reviewed-by: Anthony Koo +Acked-by: Bhawanpreet Lakha +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/core/dc.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +--- a/drivers/gpu/drm/amd/display/dc/core/dc.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc.c +@@ -1120,9 +1120,6 @@ static enum surface_update_type get_plan + */ + update_flags->bits.bpp_change = 1; + +- if (u->gamma && dce_use_lut(u->plane_info->format)) +- update_flags->bits.gamma_change = 1; +- + if (memcmp(&u->plane_info->tiling_info, &u->surface->tiling_info, + sizeof(union dc_tiling_info)) != 0) { + update_flags->bits.swizzle_change = 1; +@@ -1139,7 +1136,6 @@ static enum surface_update_type get_plan + if (update_flags->bits.rotation_change + || update_flags->bits.stereo_format_change + || update_flags->bits.pixel_format_change +- || update_flags->bits.gamma_change + || update_flags->bits.bpp_change + || update_flags->bits.bandwidth_change + || update_flags->bits.output_tf_change) +@@ -1229,13 +1225,26 @@ static enum surface_update_type det_surf + if (u->coeff_reduction_factor) + update_flags->bits.coeff_reduction_change = 1; + ++ if (u->gamma) { ++ enum surface_pixel_format format = SURFACE_PIXEL_FORMAT_GRPH_BEGIN; ++ ++ if (u->plane_info) ++ format = u->plane_info->format; ++ else if (u->surface) ++ format = u->surface->format; ++ ++ if (dce_use_lut(format)) ++ update_flags->bits.gamma_change = 1; ++ } ++ + if (update_flags->bits.in_transfer_func_change) { + type = UPDATE_TYPE_MED; + elevate_update_type(&overall_type, type); + } + + if (update_flags->bits.input_csc_change +- || update_flags->bits.coeff_reduction_change) { ++ || update_flags->bits.coeff_reduction_change ++ || update_flags->bits.gamma_change) { + type = UPDATE_TYPE_FULL; + elevate_update_type(&overall_type, type); + } diff --git a/queue-4.19/drm-amd-display-raise-dispclk-value-for-dce120-by-15.patch b/queue-4.19/drm-amd-display-raise-dispclk-value-for-dce120-by-15.patch new file mode 100644 index 00000000000..d6c9b7bd7bc --- /dev/null +++ b/queue-4.19/drm-amd-display-raise-dispclk-value-for-dce120-by-15.patch @@ -0,0 +1,48 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: Nicholas Kazlauskas +Date: Wed, 12 Sep 2018 08:55:42 -0400 +Subject: drm/amd/display: Raise dispclk value for dce120 by 15% + +From: Nicholas Kazlauskas + +[ Upstream commit 481f576c6c21bf0446eaa23623ef0262e9a5387c ] + +[Why] + +The DISPCLK value was previously requested to be 15% higher for all +ASICs that went through the dce110 bandwidth code path. As part of a +refactoring of dce_clocks and the dce110 set bandwidth codepath this +was removed for power saving considerations. + +That change caused display corruption under certain hardware +configurations with Vega10. + +[How] + +The 15% DISPCLK increase is brought back but only on dce110 for now. +This is should be a temporary workaround until the root cause is sorted +out for why this occurs on Vega (or other ASICs, if reported). + +Tested-by: Nick Sarnie +Signed-off-by: Nicholas Kazlauskas +Reviewed-by: Harry Wentland +Acked-by: Bhawanpreet Lakha +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dce/dce_clocks.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/amd/display/dc/dce/dce_clocks.c ++++ b/drivers/gpu/drm/amd/display/dc/dce/dce_clocks.c +@@ -466,6 +466,9 @@ static void dce12_update_clocks(struct d + { + struct dm_pp_clock_for_voltage_req clock_voltage_req = {0}; + ++ /* TODO: Investigate why this is needed to fix display corruption. */ ++ new_clocks->dispclk_khz = new_clocks->dispclk_khz * 115 / 100; ++ + if (should_set_clock(safe_to_lower, new_clocks->dispclk_khz, dccg->clks.dispclk_khz)) { + clock_voltage_req.clk_type = DM_PP_CLOCK_TYPE_DISPLAY_CLK; + clock_voltage_req.clocks_in_khz = new_clocks->dispclk_khz; diff --git a/queue-4.19/drm-amdgpu-fix-integer-overflow-test-in-amdgpu_bo_list_create.patch b/queue-4.19/drm-amdgpu-fix-integer-overflow-test-in-amdgpu_bo_list_create.patch new file mode 100644 index 00000000000..8a2a7676e72 --- /dev/null +++ b/queue-4.19/drm-amdgpu-fix-integer-overflow-test-in-amdgpu_bo_list_create.patch @@ -0,0 +1,38 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: Dan Carpenter +Date: Fri, 10 Aug 2018 18:50:32 +0800 +Subject: drm/amdgpu: fix integer overflow test in amdgpu_bo_list_create() + +From: Dan Carpenter + +[ Upstream commit ff30e9e8509cb877dc7cbc776b36c70f5bdd290f ] + +We accidentally left out the size of the amdgpu_bo_list struct. It +could lead to memory corruption on 32 bit systems. You'd have to +pick the absolute maximum and set "num_entries == 59652323" then size +would wrap to 16 bytes. + +Fixes: 920990cb080a ("drm/amdgpu: allocate the bo_list array after the list") +Signed-off-by: Dan Carpenter +Reviewed-by: Huang Rui +Reviewed-by: Bas Nieuwenhuizen +Signed-off-by: Huang Rui +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c +@@ -67,7 +67,8 @@ int amdgpu_bo_list_create(struct amdgpu_ + unsigned i; + int r; + +- if (num_entries > SIZE_MAX / sizeof(struct amdgpu_bo_list_entry)) ++ if (num_entries > (SIZE_MAX - sizeof(struct amdgpu_bo_list)) ++ / sizeof(struct amdgpu_bo_list_entry)) + return -EINVAL; + + size = sizeof(struct amdgpu_bo_list); diff --git a/queue-4.19/drm-amdgpu-fix-sdma-to-after-gpu-reset-v3.patch b/queue-4.19/drm-amdgpu-fix-sdma-to-after-gpu-reset-v3.patch new file mode 100644 index 00000000000..7ac74c5f848 --- /dev/null +++ b/queue-4.19/drm-amdgpu-fix-sdma-to-after-gpu-reset-v3.patch @@ -0,0 +1,52 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: Andrey Grodzovsky +Date: Mon, 10 Sep 2018 18:43:58 -0400 +Subject: drm/amdgpu: Fix SDMA TO after GPU reset v3 + +From: Andrey Grodzovsky + +[ Upstream commit d8de8260a45aae8f74af77eae9a162bdc0ed48d2 ] + +After GPU reset amdgpu_vm_clear_bo triggers VM flush +but job->vm_pd_addr is not set causing SDMA TO. + +v2: +Per advise by Christian König avoid flushing VM for jobs where +job->vm_pd_addr wasn't explicitly set. + +v3: +Shortcut vm_flush_needed early. + +Fixes cbd5285 drm/amdgpu: move setting the GART addr into TTM. +Signed-off-by: Andrey Grodzovsky +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_job.c | 1 + + drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 3 ++- + 2 files changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_job.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_job.c +@@ -66,6 +66,7 @@ int amdgpu_job_alloc(struct amdgpu_devic + amdgpu_sync_create(&(*job)->sync); + amdgpu_sync_create(&(*job)->sched_sync); + (*job)->vram_lost_counter = atomic_read(&adev->vram_lost_counter); ++ (*job)->vm_pd_addr = AMDGPU_BO_INVALID_OFFSET; + + return 0; + } +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c +@@ -714,7 +714,8 @@ int amdgpu_vm_flush(struct amdgpu_ring * + } + + gds_switch_needed &= !!ring->funcs->emit_gds_switch; +- vm_flush_needed &= !!ring->funcs->emit_vm_flush; ++ vm_flush_needed &= !!ring->funcs->emit_vm_flush && ++ job->vm_pd_addr != AMDGPU_BO_INVALID_OFFSET; + pasid_mapping_needed &= adev->gmc.gmc_funcs->emit_pasid_mapping && + ring->funcs->emit_wreg; + diff --git a/queue-4.19/drm-amdgpu-powerplay-fix-missing-break-in-switch-statements.patch b/queue-4.19/drm-amdgpu-powerplay-fix-missing-break-in-switch-statements.patch new file mode 100644 index 00000000000..41cccdbb418 --- /dev/null +++ b/queue-4.19/drm-amdgpu-powerplay-fix-missing-break-in-switch-statements.patch @@ -0,0 +1,114 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: Colin Ian King +Date: Mon, 8 Oct 2018 17:22:28 +0100 +Subject: drm/amdgpu/powerplay: fix missing break in switch statements + +From: Colin Ian King + +[ Upstream commit 14b284832e7dea6f54f0adfd7bed105548b94e57 ] + +There are several switch statements that are missing break statements. +Add missing breaks to handle any fall-throughs corner cases. + +Detected by CoverityScan, CID#1457175 ("Missing break in switch") + +Fixes: 18aafc59b106 ("drm/amd/powerplay: implement fw related smu interface for iceland.") +Acked-by: Huang Rui +Signed-off-by: Colin Ian King +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/powerplay/smumgr/ci_smumgr.c | 2 ++ + drivers/gpu/drm/amd/powerplay/smumgr/fiji_smumgr.c | 2 ++ + drivers/gpu/drm/amd/powerplay/smumgr/iceland_smumgr.c | 2 ++ + drivers/gpu/drm/amd/powerplay/smumgr/tonga_smumgr.c | 2 ++ + drivers/gpu/drm/amd/powerplay/smumgr/vegam_smumgr.c | 2 ++ + 5 files changed, 10 insertions(+) + +--- a/drivers/gpu/drm/amd/powerplay/smumgr/ci_smumgr.c ++++ b/drivers/gpu/drm/amd/powerplay/smumgr/ci_smumgr.c +@@ -2268,11 +2268,13 @@ static uint32_t ci_get_offsetof(uint32_t + case DRAM_LOG_BUFF_SIZE: + return offsetof(SMU7_SoftRegisters, DRAM_LOG_BUFF_SIZE); + } ++ break; + case SMU_Discrete_DpmTable: + switch (member) { + case LowSclkInterruptThreshold: + return offsetof(SMU7_Discrete_DpmTable, LowSclkInterruptT); + } ++ break; + } + pr_debug("can't get the offset of type %x member %x\n", type, member); + return 0; +--- a/drivers/gpu/drm/amd/powerplay/smumgr/fiji_smumgr.c ++++ b/drivers/gpu/drm/amd/powerplay/smumgr/fiji_smumgr.c +@@ -2330,6 +2330,7 @@ static uint32_t fiji_get_offsetof(uint32 + case DRAM_LOG_BUFF_SIZE: + return offsetof(SMU73_SoftRegisters, DRAM_LOG_BUFF_SIZE); + } ++ break; + case SMU_Discrete_DpmTable: + switch (member) { + case UvdBootLevel: +@@ -2339,6 +2340,7 @@ static uint32_t fiji_get_offsetof(uint32 + case LowSclkInterruptThreshold: + return offsetof(SMU73_Discrete_DpmTable, LowSclkInterruptThreshold); + } ++ break; + } + pr_warn("can't get the offset of type %x member %x\n", type, member); + return 0; +--- a/drivers/gpu/drm/amd/powerplay/smumgr/iceland_smumgr.c ++++ b/drivers/gpu/drm/amd/powerplay/smumgr/iceland_smumgr.c +@@ -2236,11 +2236,13 @@ static uint32_t iceland_get_offsetof(uin + case DRAM_LOG_BUFF_SIZE: + return offsetof(SMU71_SoftRegisters, DRAM_LOG_BUFF_SIZE); + } ++ break; + case SMU_Discrete_DpmTable: + switch (member) { + case LowSclkInterruptThreshold: + return offsetof(SMU71_Discrete_DpmTable, LowSclkInterruptThreshold); + } ++ break; + } + pr_warn("can't get the offset of type %x member %x\n", type, member); + return 0; +--- a/drivers/gpu/drm/amd/powerplay/smumgr/tonga_smumgr.c ++++ b/drivers/gpu/drm/amd/powerplay/smumgr/tonga_smumgr.c +@@ -2618,6 +2618,7 @@ static uint32_t tonga_get_offsetof(uint3 + case DRAM_LOG_BUFF_SIZE: + return offsetof(SMU72_SoftRegisters, DRAM_LOG_BUFF_SIZE); + } ++ break; + case SMU_Discrete_DpmTable: + switch (member) { + case UvdBootLevel: +@@ -2627,6 +2628,7 @@ static uint32_t tonga_get_offsetof(uint3 + case LowSclkInterruptThreshold: + return offsetof(SMU72_Discrete_DpmTable, LowSclkInterruptThreshold); + } ++ break; + } + pr_warn("can't get the offset of type %x member %x\n", type, member); + return 0; +--- a/drivers/gpu/drm/amd/powerplay/smumgr/vegam_smumgr.c ++++ b/drivers/gpu/drm/amd/powerplay/smumgr/vegam_smumgr.c +@@ -2184,6 +2184,7 @@ static uint32_t vegam_get_offsetof(uint3 + case DRAM_LOG_BUFF_SIZE: + return offsetof(SMU75_SoftRegisters, DRAM_LOG_BUFF_SIZE); + } ++ break; + case SMU_Discrete_DpmTable: + switch (member) { + case UvdBootLevel: +@@ -2193,6 +2194,7 @@ static uint32_t vegam_get_offsetof(uint3 + case LowSclkInterruptThreshold: + return offsetof(SMU75_Discrete_DpmTable, LowSclkInterruptThreshold); + } ++ break; + } + pr_warn("can't get the offset of type %x member %x\n", type, member); + return 0; diff --git a/queue-4.19/drm-hisilicon-hibmc-do-not-carry-error-code-in-hibmc-framebuffer-pointer.patch b/queue-4.19/drm-hisilicon-hibmc-do-not-carry-error-code-in-hibmc-framebuffer-pointer.patch new file mode 100644 index 00000000000..148bbf20a05 --- /dev/null +++ b/queue-4.19/drm-hisilicon-hibmc-do-not-carry-error-code-in-hibmc-framebuffer-pointer.patch @@ -0,0 +1,84 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: John Garry +Date: Sat, 22 Sep 2018 01:25:25 +0800 +Subject: drm/hisilicon: hibmc: Do not carry error code in HiBMC framebuffer pointer + +From: John Garry + +[ Upstream commit 331d880b35a76b5de0eec8cbcecbf615d758a5f9 ] + +In hibmc_drm_fb_create(), when the call to hibmc_framebuffer_init() fails +with error, do not store the error code in the HiBMC device frame-buffer +pointer, as this will be later checked for non-zero value in +hibmc_fbdev_destroy() when our intention is to check for a valid function +pointer. + +This fixes the following crash: +[ 9.699791] Unable to handle kernel NULL pointer dereference at virtual address 000000000000001a +[ 9.708672] Mem abort info: +[ 9.711489] ESR = 0x96000004 +[ 9.714570] Exception class = DABT (current EL), IL = 32 bits +[ 9.720551] SET = 0, FnV = 0 +[ 9.723631] EA = 0, S1PTW = 0 +[ 9.726799] Data abort info: +[ 9.729702] ISV = 0, ISS = 0x00000004 +[ 9.733573] CM = 0, WnR = 0 +[ 9.736566] [000000000000001a] user address but active_mm is swapper +[ 9.742987] Internal error: Oops: 96000004 [#1] PREEMPT SMP +[ 9.748614] Modules linked in: +[ 9.751694] CPU: 16 PID: 293 Comm: kworker/16:1 Tainted: G W 4.19.0-rc4-next-20180920-00001-g9b0012c #322 +[ 9.762681] Hardware name: Huawei Taishan 2280 /D05, BIOS Hisilicon D05 IT21 Nemo 2.0 RC0 04/18/2018 +[ 9.771915] Workqueue: events work_for_cpu_fn +[ 9.776312] pstate: 60000005 (nZCv daif -PAN -UAO) +[ 9.781150] pc : drm_mode_object_put+0x0/0x20 +[ 9.785547] lr : hibmc_fbdev_fini+0x40/0x58 +[ 9.789767] sp : ffff00000af1bcf0 +[ 9.793108] x29: ffff00000af1bcf0 x28: 0000000000000000 +[ 9.798473] x27: 0000000000000000 x26: ffff000008f66630 +[ 9.803838] x25: 0000000000000000 x24: ffff0000095abb98 +[ 9.809203] x23: ffff8017db92fe00 x22: ffff8017d2b13000 +[ 9.814568] x21: ffffffffffffffea x20: ffff8017d2f80018 +[ 9.819933] x19: ffff8017d28a0018 x18: ffffffffffffffff +[ 9.825297] x17: 0000000000000000 x16: 0000000000000000 +[ 9.830662] x15: ffff0000092296c8 x14: ffff00008939970f +[ 9.836026] x13: ffff00000939971d x12: ffff000009229940 +[ 9.841391] x11: ffff0000085f8fc0 x10: ffff00000af1b9a0 +[ 9.846756] x9 : 000000000000000d x8 : 6620657a696c6169 +[ 9.852121] x7 : ffff8017d3340580 x6 : ffff8017d4168000 +[ 9.857486] x5 : 0000000000000000 x4 : ffff8017db92fb20 +[ 9.862850] x3 : 0000000000002690 x2 : ffff8017d3340480 +[ 9.868214] x1 : 0000000000000028 x0 : 0000000000000002 +[ 9.873580] Process kworker/16:1 (pid: 293, stack limit = 0x(____ptrval____)) +[ 9.880788] Call trace: +[ 9.883252] drm_mode_object_put+0x0/0x20 +[ 9.887297] hibmc_unload+0x1c/0x80 +[ 9.890815] hibmc_pci_probe+0x170/0x3c8 +[ 9.894773] local_pci_probe+0x3c/0xb0 +[ 9.898555] work_for_cpu_fn+0x18/0x28 +[ 9.902337] process_one_work+0x1e0/0x318 +[ 9.906382] worker_thread+0x228/0x450 +[ 9.910164] kthread+0x128/0x130 +[ 9.913418] ret_from_fork+0x10/0x18 +[ 9.917024] Code: a94153f3 a8c27bfd d65f03c0 d503201f (f9400c01) +[ 9.923180] ---[ end trace 2695ffa0af5be375 ]--- + +Fixes: d1667b86795a ("drm/hisilicon/hibmc: Add support for frame buffer") +Signed-off-by: John Garry +Reviewed-by: Xinliang Liu +Signed-off-by: Xinliang Liu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_fbdev.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_fbdev.c ++++ b/drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_fbdev.c +@@ -122,6 +122,7 @@ static int hibmc_drm_fb_create(struct dr + hi_fbdev->fb = hibmc_framebuffer_init(priv->dev, &mode_cmd, gobj); + if (IS_ERR(hi_fbdev->fb)) { + ret = PTR_ERR(hi_fbdev->fb); ++ hi_fbdev->fb = NULL; + DRM_ERROR("failed to initialize framebuffer: %d\n", ret); + goto out_release_fbi; + } diff --git a/queue-4.19/drm-msm-disp-dpu-use-proper-define-for-drm_encoder_init-encoder_type.patch b/queue-4.19/drm-msm-disp-dpu-use-proper-define-for-drm_encoder_init-encoder_type.patch new file mode 100644 index 00000000000..e225d88b211 --- /dev/null +++ b/queue-4.19/drm-msm-disp-dpu-use-proper-define-for-drm_encoder_init-encoder_type.patch @@ -0,0 +1,107 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: Stephen Boyd +Date: Thu, 16 Aug 2018 16:36:16 -0700 +Subject: drm/msm/disp/dpu: Use proper define for drm_encoder_init() 'encoder_type' + +From: Stephen Boyd + +[ Upstream commit 2c043eeffea4813b8f569e84b46035a08de5eb47 ] + +We got a bug report that this function oopses when trying to do a kasprintf(). + +PC is at string+0x2c/0x60 +LR is at vsnprintf+0x28c/0x4ec +pc : [] lr : [] pstate: a0c00049 +sp : ffffff80095fb540 +x29: ffffff80095fb540 x28: ffffff8008ad42bc +x27: 00000000ffffffd8 x26: 0000000000000000 +x25: ffffff8008c216c8 x24: 0000000000000000 +x23: 0000000000000000 x22: ffffff80095fb720 +x21: 0000000000000000 x20: ffffff80095fb720 +x19: ffffff80095fb6f0 x18: 000000000000000a +x17: 00000000b42ba473 x16: ffffff800805bbe8 +x15: 00000000000a157d x14: 000000000000000c +x13: 0000000000000000 x12: 0000ffff0000000f +x11: 0000000000000003 x10: 0000000000000001 +x9 : 0000000000000040 x8 : 000000000000001c +x7 : ffffffffffffffff x6 : 0000000000000000 +x5 : 0000000000000228 x4 : 0000000000000000 +x3 : ffff0a00ffffff04 x2 : 0000000000007961 +x1 : 0000000000000000 x0 : 0000000000000000 +Process kworker/3:1 (pid: 61, stack limit = 0xffffff80095f8000) +Call trace: +Exception stack(0xffffff80095fb400 to 0xffffff80095fb540) +b400: 0000000000000000 0000000000000000 0000000000007961 ffff0a00ffffff04 +b420: 0000000000000000 0000000000000228 0000000000000000 ffffffffffffffff +b440: 000000000000001c 0000000000000040 0000000000000001 0000000000000003 +b460: 0000ffff0000000f 0000000000000000 000000000000000c 00000000000a157d +b480: ffffff800805bbe8 00000000b42ba473 000000000000000a ffffff80095fb6f0 +b4a0: ffffff80095fb720 0000000000000000 ffffff80095fb720 0000000000000000 +b4c0: 0000000000000000 ffffff8008c216c8 0000000000000000 00000000ffffffd8 +b4e0: ffffff8008ad42bc ffffff80095fb540 ffffff80088d5fc4 ffffff80095fb540 +b500: ffffff80088d35d8 00000000a0c00049 ffffff80095fb550 ffffff80080d06a4 +b520: ffffffffffffffff ffffff80088d5e0c ffffff80095fb540 ffffff80088d35d8 +[] string+0x2c/0x60 +[] vsnprintf+0x28c/0x4ec +[] kvasprintf+0x68/0x100 +[] kasprintf+0x60/0x80 +[] drm_encoder_init+0x134/0x164 +[] dpu_encoder_init+0x60/0x94 +[] _dpu_kms_drm_obj_init+0xa0/0x424 +[] dpu_kms_hw_init+0x61c/0x6bc +[] msm_drm_bind+0x380/0x67c +[] try_to_bring_up_master+0x228/0x264 +[] component_master_add_with_match+0x90/0xc0 +[] msm_pdev_probe+0x260/0x2c8 +[] platform_drv_probe+0x58/0xa8 +[] driver_probe_device+0x2d8/0x40c +[] __device_attach_driver+0xd4/0x10c +[] bus_for_each_drv+0xb4/0xd0 +[] __device_attach+0xd0/0x160 +[] device_initial_probe+0x24/0x30 +[] bus_probe_device+0x38/0x98 +[] deferred_probe_work_func+0x144/0x148 +[] process_one_work+0x218/0x3bc +[] process_scheduled_works+0x44/0x48 +[] worker_thread+0x288/0x32c +[] kthread+0x134/0x13c +[] ret_from_fork+0x10/0x18 +Code: 910003fd 2a0403e6 eb0400ff 54000060 (38646845) + +Looking at the code I see that drm_encoder_init() is called from the DPU +code with 'DRM_MODE_CONNECTOR_DSI' passed in as the 'encoder_type' +argument (follow from _dpu_kms_initialize_dsi()). That corresponds to +the integer 16. That is then indexed into drm_encoder_enum_list in +drm_encoder_init() to look up the name of the encoder. If you're still +following along, that's an encoder not a connector! We really want to +use DRM_MODE_ENCODER_DSI (integer 6) instead of DRM_MODE_CONNECTOR_DSI +here, or we'll go out of bounds of the encoder array. Pass the right +thing and everything is fine. + +Cc: Jeykumar Sankaran +Cc: Jordan Crouse +Cc: Sean Paul +Fixes: 25fdd5933e4c (drm/msm: Add SDM845 DPU support) +Tested-by: Sai Prakash Ranjan +Reviewed-by: Jeykumar Sankaran +Signed-off-by: Stephen Boyd +Signed-off-by: Sean Paul + +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c +@@ -450,7 +450,7 @@ static void _dpu_kms_initialize_dsi(stru + int i, rc; + + /*TODO: Support two independent DSI connectors */ +- encoder = dpu_encoder_init(dev, DRM_MODE_CONNECTOR_DSI); ++ encoder = dpu_encoder_init(dev, DRM_MODE_ENCODER_DSI); + if (IS_ERR_OR_NULL(encoder)) { + DPU_ERROR("encoder init failed for dsi display\n"); + return; diff --git a/queue-4.19/drm-msm-dpu-allow-planes-to-extend-past-active-display.patch b/queue-4.19/drm-msm-dpu-allow-planes-to-extend-past-active-display.patch new file mode 100644 index 00000000000..4b5840e037e --- /dev/null +++ b/queue-4.19/drm-msm-dpu-allow-planes-to-extend-past-active-display.patch @@ -0,0 +1,126 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: Sean Paul +Date: Wed, 29 Aug 2018 13:49:47 -0400 +Subject: drm/msm: dpu: Allow planes to extend past active display + +From: Sean Paul + +[ Upstream commit 96fc56a775c1e44c0e3c0119f2cd3d77431c4569 ] + +The atomic_check is a bit too aggressive with respect to planes which +leave the active area. This caused a bunch of log spew when the cursor +got to the edge of the screen and stopped it from going all the way. + +This patch removes the conservative bounds checks from atomic and clips +the dst rect such that we properly display planes which go off the +screen. + +Changes in v2: +- Apply the clip to src as well (taking into account scaling) +Changes in v3: +- Use drm_atomic_helper_check_plane_state() to clip src/dst + +Cc: Sravanthi Kollukuduru +Cc: Jeykumar Sankaran +Cc: Ville Syrjälä +Reviewed-by: Jeykumar Sankaran +Signed-off-by: Sean Paul + +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c | 3 -- + drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c | 38 +++++++++++++++++------------ + drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c | 1 + drivers/gpu/drm/msm/msm_drv.h | 2 + + 4 files changed, 26 insertions(+), 18 deletions(-) + +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c +@@ -1535,8 +1535,7 @@ static int dpu_crtc_atomic_check(struct + cnt++; + + dst = drm_plane_state_dest(pstate); +- if (!drm_rect_intersect(&clip, &dst) || +- !drm_rect_equals(&clip, &dst)) { ++ if (!drm_rect_intersect(&clip, &dst)) { + DPU_ERROR("invalid vertical/horizontal destination\n"); + DPU_ERROR("display: " DRM_RECT_FMT " plane: " + DRM_RECT_FMT "\n", DRM_RECT_ARG(&crtc_rect), +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c +@@ -1254,7 +1254,7 @@ static int dpu_plane_sspp_atomic_update( + const struct dpu_format *fmt; + struct drm_crtc *crtc; + struct drm_framebuffer *fb; +- struct drm_rect src, dst; ++ int ret, min_scale; + + if (!plane) { + DPU_ERROR("invalid plane\n"); +@@ -1293,21 +1293,29 @@ static int dpu_plane_sspp_atomic_update( + pdpu->is_rt_pipe = (dpu_crtc_get_client_type(crtc) != NRT_CLIENT); + _dpu_plane_set_qos_ctrl(plane, false, DPU_PLANE_QOS_PANIC_CTRL); + +- src.x1 = state->src_x >> 16; +- src.y1 = state->src_y >> 16; +- src.x2 = src.x1 + (state->src_w >> 16); +- src.y2 = src.y1 + (state->src_h >> 16); +- +- dst = drm_plane_state_dest(state); +- +- DPU_DEBUG_PLANE(pdpu, "FB[%u] " DRM_RECT_FMT "->crtc%u " DRM_RECT_FMT +- ", %4.4s ubwc %d\n", fb->base.id, DRM_RECT_ARG(&src), +- crtc->base.id, DRM_RECT_ARG(&dst), +- (char *)&fmt->base.pixel_format, +- DPU_FORMAT_IS_UBWC(fmt)); ++ min_scale = FRAC_16_16(1, pdpu->pipe_sblk->maxdwnscale); ++ ret = drm_atomic_helper_check_plane_state(state, crtc->state, min_scale, ++ pdpu->pipe_sblk->maxupscale << 16, ++ true, false); ++ if (ret) { ++ DPU_ERROR_PLANE(pdpu, "Check plane state failed (%d)\n", ret); ++ return ret; ++ } ++ ++ DPU_DEBUG_PLANE(pdpu, "FB[%u] " DRM_RECT_FP_FMT "->crtc%u " DRM_RECT_FMT ++ ", %4.4s ubwc %d\n", fb->base.id, DRM_RECT_FP_ARG(&state->src), ++ crtc->base.id, DRM_RECT_ARG(&state->dst), ++ (char *)&fmt->base.pixel_format, DPU_FORMAT_IS_UBWC(fmt)); ++ ++ pdpu->pipe_cfg.src_rect = state->src; ++ ++ /* state->src is 16.16, src_rect is not */ ++ pdpu->pipe_cfg.src_rect.x1 >>= 16; ++ pdpu->pipe_cfg.src_rect.x2 >>= 16; ++ pdpu->pipe_cfg.src_rect.y1 >>= 16; ++ pdpu->pipe_cfg.src_rect.y2 >>= 16; + +- pdpu->pipe_cfg.src_rect = src; +- pdpu->pipe_cfg.dst_rect = dst; ++ pdpu->pipe_cfg.dst_rect = state->dst; + + _dpu_plane_setup_scaler(pdpu, pstate, fmt, false); + +--- a/drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c ++++ b/drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c +@@ -259,7 +259,6 @@ static void mdp5_plane_cleanup_fb(struct + msm_framebuffer_cleanup(fb, kms->aspace); + } + +-#define FRAC_16_16(mult, div) (((mult) << 16) / (div)) + static int mdp5_plane_atomic_check_with_state(struct drm_crtc_state *crtc_state, + struct drm_plane_state *state) + { +--- a/drivers/gpu/drm/msm/msm_drv.h ++++ b/drivers/gpu/drm/msm/msm_drv.h +@@ -62,6 +62,8 @@ struct msm_gem_vma; + #define MAX_BRIDGES 8 + #define MAX_CONNECTORS 8 + ++#define FRAC_16_16(mult, div) (((mult) << 16) / (div)) ++ + struct msm_file_private { + rwlock_t queuelock; + struct list_head submitqueues; diff --git a/queue-4.19/drm-msm-gpu-fix-parameters-in-function-msm_gpu_crashstate_capture.patch b/queue-4.19/drm-msm-gpu-fix-parameters-in-function-msm_gpu_crashstate_capture.patch new file mode 100644 index 00000000000..da7e6aae66f --- /dev/null +++ b/queue-4.19/drm-msm-gpu-fix-parameters-in-function-msm_gpu_crashstate_capture.patch @@ -0,0 +1,49 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: Anders Roxell +Date: Tue, 31 Jul 2018 22:45:32 +0200 +Subject: drm/msm/gpu: fix parameters in function msm_gpu_crashstate_capture + +From: Anders Roxell + +[ Upstream commit 6969019f65b43afb6da6a26f1d9e55bbdfeebcd5 ] + +When CONFIG_DEV_COREDUMP isn't defined msm_gpu_crashstate_capture +doesn't pass the correct parameters. +drivers/gpu/drm/msm/msm_gpu.c: In function ‘recover_worker’: +drivers/gpu/drm/msm/msm_gpu.c:479:34: error: passing argument 2 of ‘msm_gpu_crashstate_capture’ from incompatible pointer type [-Werror=incompatible-pointer-types] + msm_gpu_crashstate_capture(gpu, submit, comm, cmd); + ^~~~~~ +drivers/gpu/drm/msm/msm_gpu.c:388:13: note: expected ‘char *’ but argument is of type ‘struct msm_gem_submit *’ + static void msm_gpu_crashstate_capture(struct msm_gpu *gpu, char *comm, + ^~~~~~~~~~~~~~~~~~~~~~~~~~ +drivers/gpu/drm/msm/msm_gpu.c:479:2: error: too many arguments to function ‘msm_gpu_crashstate_capture’ + msm_gpu_crashstate_capture(gpu, submit, comm, cmd); + ^~~~~~~~~~~~~~~~~~~~~~~~~~ +drivers/gpu/drm/msm/msm_gpu.c:388:13: note: declared here + static void msm_gpu_crashstate_capture(struct msm_gpu *gpu, char *comm, + +In current code the function msm_gpu_crashstate_capture parameters. + +Fixes: cdb95931dea3 ("drm/msm/gpu: Add the buffer objects from the submit to the crash dump") +Signed-off-by: Anders Roxell +Reviewed-By: Jordan Crouse +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/msm/msm_gpu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/msm/msm_gpu.c ++++ b/drivers/gpu/drm/msm/msm_gpu.c +@@ -367,8 +367,8 @@ static void msm_gpu_crashstate_capture(s + msm_gpu_devcoredump_read, msm_gpu_devcoredump_free); + } + #else +-static void msm_gpu_crashstate_capture(struct msm_gpu *gpu, char *comm, +- char *cmd) ++static void msm_gpu_crashstate_capture(struct msm_gpu *gpu, ++ struct msm_gem_submit *submit, char *comm, char *cmd) + { + } + #endif diff --git a/queue-4.19/drm-nouveau-secboot-acr-fix-memory-leak.patch b/queue-4.19/drm-nouveau-secboot-acr-fix-memory-leak.patch new file mode 100644 index 00000000000..4db0c368fa8 --- /dev/null +++ b/queue-4.19/drm-nouveau-secboot-acr-fix-memory-leak.patch @@ -0,0 +1,34 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: "Gustavo A. R. Silva" +Date: Tue, 24 Jul 2018 08:27:19 -0500 +Subject: drm/nouveau/secboot/acr: fix memory leak + +From: "Gustavo A. R. Silva" + +[ Upstream commit 74a07c0a59fa372b069d879971ba4d9e341979cf ] + +In case memory resources for *bl_desc* were allocated, release +them before return. + +Addresses-Coverity-ID: 1472021 ("Resource leak") +Fixes: 0d466901552a ("drm/nouveau/secboot/acr: Remove VLA usage") +Signed-off-by: Gustavo A. R. Silva +Reviewed-by: John Hubbard +Reviewed-by: Kees Cook +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nvkm/subdev/secboot/acr_r352.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/secboot/acr_r352.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/secboot/acr_r352.c +@@ -801,6 +801,7 @@ acr_r352_load(struct nvkm_acr *_acr, str + bl = acr->hsbl_unload_blob; + } else { + nvkm_error(_acr->subdev, "invalid secure boot blob!\n"); ++ kfree(bl_desc); + return -EINVAL; + } + diff --git a/queue-4.19/drm-omap-fix-memory-barrier-bug-in-dmm-driver.patch b/queue-4.19/drm-omap-fix-memory-barrier-bug-in-dmm-driver.patch new file mode 100644 index 00000000000..22ad6229cdc --- /dev/null +++ b/queue-4.19/drm-omap-fix-memory-barrier-bug-in-dmm-driver.patch @@ -0,0 +1,74 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: Tomi Valkeinen +Date: Wed, 26 Sep 2018 12:11:27 +0300 +Subject: drm/omap: fix memory barrier bug in DMM driver + +From: Tomi Valkeinen + +[ Upstream commit 538f66ba204944470a653a4cccc5f8befdf97c22 ] + +A DMM timeout "timed out waiting for done" has been observed on DRA7 +devices. The timeout happens rarely, and only when the system is under +heavy load. + +Debugging showed that the timeout can be made to happen much more +frequently by optimizing the DMM driver, so that there's almost no code +between writing the last DMM descriptors to RAM, and writing to DMM +register which starts the DMM transaction. + +The current theory is that a wmb() does not properly ensure that the +data written to RAM is observable by all the components in the system. + +This DMM timeout has caused interesting (and rare) bugs as the error +handling was not functioning properly (the error handling has been fixed +in previous commits): + + * If a DMM timeout happened when a GEM buffer was being pinned for + display on the screen, a timeout error would be shown, but the driver + would continue programming DSS HW with broken buffer, leading to + SYNCLOST floods and possible crashes. + + * If a DMM timeout happened when other user (say, video decoder) was + pinning a GEM buffer, a timeout would be shown but if the user + handled the error properly, no other issues followed. + + * If a DMM timeout happened when a GEM buffer was being released, the + driver does not even notice the error, leading to crashes or hang + later. + +This patch adds wmb() and readl() calls after the last bit is written to +RAM, which should ensure that the execution proceeds only after the data +is actually in RAM, and thus observable by DMM. + +The read-back should not be needed. Further study is required to understand +if DMM is somehow special case and read-back is ok, or if DRA7's memory +barriers do not work correctly. + +Signed-off-by: Tomi Valkeinen +Signed-off-by: Peter Ujfalusi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/omapdrm/omap_dmm_tiler.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c ++++ b/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c +@@ -285,6 +285,17 @@ static int dmm_txn_commit(struct dmm_txn + } + + txn->last_pat->next_pa = 0; ++ /* ensure that the written descriptors are visible to DMM */ ++ wmb(); ++ ++ /* ++ * NOTE: the wmb() above should be enough, but there seems to be a bug ++ * in OMAP's memory barrier implementation, which in some rare cases may ++ * cause the writes not to be observable after wmb(). ++ */ ++ ++ /* read back to ensure the data is in RAM */ ++ readl(&txn->last_pat->next_pa); + + /* write to PAT_DESCR to clear out any pending transaction */ + dmm_write(dmm, 0x0, reg[PAT_DESCR][engine->id]); diff --git a/queue-4.19/drm-rcar-du-update-gen3-output-limitations.patch b/queue-4.19/drm-rcar-du-update-gen3-output-limitations.patch new file mode 100644 index 00000000000..42f4a5e4487 --- /dev/null +++ b/queue-4.19/drm-rcar-du-update-gen3-output-limitations.patch @@ -0,0 +1,50 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: Kieran Bingham +Date: Fri, 31 Aug 2018 19:12:57 +0100 +Subject: drm: rcar-du: Update Gen3 output limitations + +From: Kieran Bingham + +[ Upstream commit 2a3181d9cfd6d5aa48f8527708d0c32072072cef ] + +The R-Car Gen3 DU utilises the VSP1 hardware for memory access. The +limits on the RPF and WPF in this pipeline are 8190x8190. + +Update the supported maximum sizes accordingly. + +Signed-off-by: Kieran Bingham +Reviewed-by: Laurent Pinchart +Signed-off-by: Laurent Pinchart +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/rcar-du/rcar_du_kms.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/rcar-du/rcar_du_kms.c ++++ b/drivers/gpu/drm/rcar-du/rcar_du_kms.c +@@ -516,12 +516,22 @@ int rcar_du_modeset_init(struct rcar_du_ + + dev->mode_config.min_width = 0; + dev->mode_config.min_height = 0; +- dev->mode_config.max_width = 4095; +- dev->mode_config.max_height = 2047; + dev->mode_config.normalize_zpos = true; + dev->mode_config.funcs = &rcar_du_mode_config_funcs; + dev->mode_config.helper_private = &rcar_du_mode_config_helper; + ++ if (rcdu->info->gen < 3) { ++ dev->mode_config.max_width = 4095; ++ dev->mode_config.max_height = 2047; ++ } else { ++ /* ++ * The Gen3 DU uses the VSP1 for memory access, and is limited ++ * to frame sizes of 8190x8190. ++ */ ++ dev->mode_config.max_width = 8190; ++ dev->mode_config.max_height = 8190; ++ } ++ + rcdu->num_crtcs = hweight8(rcdu->info->channels_mask); + + ret = rcar_du_properties_init(rcdu); diff --git a/queue-4.19/input-wm97xx-ts-fix-exit-path.patch b/queue-4.19/input-wm97xx-ts-fix-exit-path.patch new file mode 100644 index 00000000000..1deaf3a4ce3 --- /dev/null +++ b/queue-4.19/input-wm97xx-ts-fix-exit-path.patch @@ -0,0 +1,40 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: Randy Dunlap +Date: Mon, 15 Oct 2018 11:16:58 -0700 +Subject: Input: wm97xx-ts - fix exit path + +From: Randy Dunlap + +[ Upstream commit a3f7c3fcf60868c1e90671df5d0cf9be5900a09b ] + +Loading then unloading wm97xx-ts.ko when CONFIG_AC97_BUS=m +causes a WARNING: from drivers/base/driver.c: + +Unexpected driver unregister! +WARNING: CPU: 0 PID: 1709 at ../drivers/base/driver.c:193 driver_unregister+0x30/0x40 + +Fix this by only calling driver_unregister() with the same +condition that driver_register() is called. + +Fixes: ae9d1b5fbd7b ("Input: wm97xx: add new AC97 bus support") + +Signed-off-by: Randy Dunlap +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/touchscreen/wm97xx-core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/input/touchscreen/wm97xx-core.c ++++ b/drivers/input/touchscreen/wm97xx-core.c +@@ -929,7 +929,8 @@ static int __init wm97xx_init(void) + + static void __exit wm97xx_exit(void) + { +- driver_unregister(&wm97xx_driver); ++ if (IS_BUILTIN(CONFIG_AC97_BUS)) ++ driver_unregister(&wm97xx_driver); + platform_driver_unregister(&wm97xx_mfd_driver); + } + diff --git a/queue-4.19/media-coda-don-t-overwrite-h.264-profile_idc-on-decoder-instance.patch b/queue-4.19/media-coda-don-t-overwrite-h.264-profile_idc-on-decoder-instance.patch new file mode 100644 index 00000000000..b429ae1ef6c --- /dev/null +++ b/queue-4.19/media-coda-don-t-overwrite-h.264-profile_idc-on-decoder-instance.patch @@ -0,0 +1,44 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: Lucas Stach +Date: Wed, 1 Aug 2018 10:18:04 -0400 +Subject: media: coda: don't overwrite h.264 profile_idc on decoder instance + +From: Lucas Stach + +[ Upstream commit 1f32061e843205f6fe8404d5100d5adcec334e75 ] + +On a decoder instance, after the profile has been parsed from the stream +__v4l2_ctrl_s_ctrl() is called to notify userspace about changes in the +read-only profile control. This ends up calling back into the CODA driver +where a missing check on the s_ctrl caused the profile information that has +just been parsed from the stream to be overwritten with the default +baseline profile. + +Later on the driver fails to enable frame reordering, based on the wrong +profile information. + +Fixes: 347de126d1da (media: coda: add read-only h.264 decoder + profile/level controls) + +Signed-off-by: Lucas Stach +Reviewed-by: Philipp Zabel +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/coda/coda-common.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/media/platform/coda/coda-common.c ++++ b/drivers/media/platform/coda/coda-common.c +@@ -1804,7 +1804,8 @@ static int coda_s_ctrl(struct v4l2_ctrl + break; + case V4L2_CID_MPEG_VIDEO_H264_PROFILE: + /* TODO: switch between baseline and constrained baseline */ +- ctx->params.h264_profile_idc = 66; ++ if (ctx->inst_type == CODA_INST_ENCODER) ++ ctx->params.h264_profile_idc = 66; + break; + case V4L2_CID_MPEG_VIDEO_H264_LEVEL: + /* nothing to do, this is set by the encoder */ diff --git a/queue-4.19/media-ov5640-fix-mode-change-regression.patch b/queue-4.19/media-ov5640-fix-mode-change-regression.patch new file mode 100644 index 00000000000..b72a5b68e3f --- /dev/null +++ b/queue-4.19/media-ov5640-fix-mode-change-regression.patch @@ -0,0 +1,97 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: Hugues Fruchet +Date: Thu, 16 Aug 2018 05:46:53 -0400 +Subject: media: ov5640: fix mode change regression + +From: Hugues Fruchet + +[ Upstream commit fb98e29ff1ea5a8118265d11f0e03bc8608a49cb ] + +fixes: 6949d864776e ("media: ov5640: do not change mode if format or frame interval is unchanged"). + +Symptom was fuzzy image because of JPEG default format +not being changed according to new format selected, fix this. +Init sequence initialises format to YUV422 UYVY but +sensor->fmt initial value was set to JPEG, fix this. + +Signed-off-by: Hugues Fruchet +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/ov5640.c | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +--- a/drivers/media/i2c/ov5640.c ++++ b/drivers/media/i2c/ov5640.c +@@ -223,6 +223,7 @@ struct ov5640_dev { + int power_count; + + struct v4l2_mbus_framefmt fmt; ++ bool pending_fmt_change; + + const struct ov5640_mode_info *current_mode; + enum ov5640_frame_rate current_fr; +@@ -255,7 +256,7 @@ static inline struct v4l2_subdev *ctrl_t + * should be identified and removed to speed register load time + * over i2c. + */ +- ++/* YUV422 UYVY VGA@30fps */ + static const struct reg_value ov5640_init_setting_30fps_VGA[] = { + {0x3103, 0x11, 0, 0}, {0x3008, 0x82, 0, 5}, {0x3008, 0x42, 0, 0}, + {0x3103, 0x03, 0, 0}, {0x3017, 0x00, 0, 0}, {0x3018, 0x00, 0, 0}, +@@ -1968,9 +1969,12 @@ static int ov5640_set_fmt(struct v4l2_su + + if (new_mode != sensor->current_mode) { + sensor->current_mode = new_mode; +- sensor->fmt = *mbus_fmt; + sensor->pending_mode_change = true; + } ++ if (mbus_fmt->code != sensor->fmt.code) { ++ sensor->fmt = *mbus_fmt; ++ sensor->pending_fmt_change = true; ++ } + out: + mutex_unlock(&sensor->lock); + return ret; +@@ -2544,10 +2548,13 @@ static int ov5640_s_stream(struct v4l2_s + ret = ov5640_set_mode(sensor, sensor->current_mode); + if (ret) + goto out; ++ } + ++ if (enable && sensor->pending_fmt_change) { + ret = ov5640_set_framefmt(sensor, &sensor->fmt); + if (ret) + goto out; ++ sensor->pending_fmt_change = false; + } + + if (sensor->ep.bus_type == V4L2_MBUS_CSI2) +@@ -2642,9 +2649,14 @@ static int ov5640_probe(struct i2c_clien + return -ENOMEM; + + sensor->i2c_client = client; ++ ++ /* ++ * default init sequence initialize sensor to ++ * YUV422 UYVY VGA@30fps ++ */ + fmt = &sensor->fmt; +- fmt->code = ov5640_formats[0].code; +- fmt->colorspace = ov5640_formats[0].colorspace; ++ fmt->code = MEDIA_BUS_FMT_UYVY8_2X8; ++ fmt->colorspace = V4L2_COLORSPACE_SRGB; + fmt->ycbcr_enc = V4L2_MAP_YCBCR_ENC_DEFAULT(fmt->colorspace); + fmt->quantization = V4L2_QUANTIZATION_FULL_RANGE; + fmt->xfer_func = V4L2_MAP_XFER_FUNC_DEFAULT(fmt->colorspace); +@@ -2656,7 +2668,6 @@ static int ov5640_probe(struct i2c_clien + sensor->current_fr = OV5640_30_FPS; + sensor->current_mode = + &ov5640_mode_data[OV5640_30_FPS][OV5640_MODE_VGA_640_480]; +- sensor->pending_mode_change = true; + + sensor->ae_target = 52; + diff --git a/queue-4.19/media-ov5640-fix-restore-of-last-mode-set.patch b/queue-4.19/media-ov5640-fix-restore-of-last-mode-set.patch new file mode 100644 index 00000000000..4912fd5ce3d --- /dev/null +++ b/queue-4.19/media-ov5640-fix-restore-of-last-mode-set.patch @@ -0,0 +1,92 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: Hugues Fruchet +Date: Tue, 11 Sep 2018 09:48:21 -0400 +Subject: media: ov5640: fix restore of last mode set + +From: Hugues Fruchet + +[ Upstream commit 985cdcb08a0488558d1005139596b64d73bee267 ] + +Mode setting depends on last mode set, in particular +because of exposure calculation when downscale mode +change between subsampling and scaling. +At stream on the last mode was wrongly set to current mode, +so no change was detected and exposure calculation +was not made, fix this. + +Signed-off-by: Hugues Fruchet +Reviewed-by: Jacopo Mondi +Tested-by: Jacopo Mondi +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/ov5640.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/media/i2c/ov5640.c ++++ b/drivers/media/i2c/ov5640.c +@@ -226,6 +226,7 @@ struct ov5640_dev { + bool pending_fmt_change; + + const struct ov5640_mode_info *current_mode; ++ const struct ov5640_mode_info *last_mode; + enum ov5640_frame_rate current_fr; + struct v4l2_fract frame_interval; + +@@ -1614,10 +1615,10 @@ static int ov5640_set_mode_direct(struct + return __v4l2_ctrl_s_ctrl(sensor->ctrls.auto_exp, exposure); + } + +-static int ov5640_set_mode(struct ov5640_dev *sensor, +- const struct ov5640_mode_info *orig_mode) ++static int ov5640_set_mode(struct ov5640_dev *sensor) + { + const struct ov5640_mode_info *mode = sensor->current_mode; ++ const struct ov5640_mode_info *orig_mode = sensor->last_mode; + enum ov5640_downsize_mode dn_mode, orig_dn_mode; + s32 exposure; + int ret; +@@ -1674,6 +1675,7 @@ static int ov5640_set_mode(struct ov5640 + return ret; + + sensor->pending_mode_change = false; ++ sensor->last_mode = mode; + + return 0; + } +@@ -1690,6 +1692,7 @@ static int ov5640_restore_mode(struct ov + ret = ov5640_load_regs(sensor, &ov5640_mode_init_data); + if (ret < 0) + return ret; ++ sensor->last_mode = &ov5640_mode_init_data; + + ret = ov5640_mod_reg(sensor, OV5640_REG_SYS_ROOT_DIVIDER, 0x3f, + (ilog2(OV5640_SCLK2X_ROOT_DIVIDER_DEFAULT) << 2) | +@@ -1698,7 +1701,7 @@ static int ov5640_restore_mode(struct ov + return ret; + + /* now restore the last capture mode */ +- ret = ov5640_set_mode(sensor, &ov5640_mode_init_data); ++ ret = ov5640_set_mode(sensor); + if (ret < 0) + return ret; + +@@ -2545,7 +2548,7 @@ static int ov5640_s_stream(struct v4l2_s + + if (sensor->streaming == !enable) { + if (enable && sensor->pending_mode_change) { +- ret = ov5640_set_mode(sensor, sensor->current_mode); ++ ret = ov5640_set_mode(sensor); + if (ret) + goto out; + } +@@ -2668,6 +2671,7 @@ static int ov5640_probe(struct i2c_clien + sensor->current_fr = OV5640_30_FPS; + sensor->current_mode = + &ov5640_mode_data[OV5640_30_FPS][OV5640_MODE_VGA_640_480]; ++ sensor->last_mode = sensor->current_mode; + + sensor->ae_target = 52; + diff --git a/queue-4.19/media-pci-cx23885-handle-adding-to-list-failure.patch b/queue-4.19/media-pci-cx23885-handle-adding-to-list-failure.patch new file mode 100644 index 00000000000..1f9d9064919 --- /dev/null +++ b/queue-4.19/media-pci-cx23885-handle-adding-to-list-failure.patch @@ -0,0 +1,65 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: Nicholas Mc Guire +Date: Sun, 9 Sep 2018 12:02:32 -0400 +Subject: media: pci: cx23885: handle adding to list failure + +From: Nicholas Mc Guire + +[ Upstream commit c5d59528e24ad22500347b199d52b9368e686a42 ] + +altera_hw_filt_init() which calls append_internal() assumes +that the node was successfully linked in while in fact it can +silently fail. So the call-site needs to set return to -ENOMEM +on append_internal() returning NULL and exit through the err path. + +Fixes: 349bcf02e361 ("[media] Altera FPGA based CI driver module") + +Signed-off-by: Nicholas Mc Guire +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/pci/cx23885/altera-ci.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/media/pci/cx23885/altera-ci.c ++++ b/drivers/media/pci/cx23885/altera-ci.c +@@ -665,6 +665,10 @@ static int altera_hw_filt_init(struct al + } + + temp_int = append_internal(inter); ++ if (!temp_int) { ++ ret = -ENOMEM; ++ goto err; ++ } + inter->filts_used = 1; + inter->dev = config->dev; + inter->fpga_rw = config->fpga_rw; +@@ -699,6 +703,7 @@ err: + __func__, ret); + + kfree(pid_filt); ++ kfree(inter); + + return ret; + } +@@ -733,6 +738,10 @@ int altera_ci_init(struct altera_ci_conf + } + + temp_int = append_internal(inter); ++ if (!temp_int) { ++ ret = -ENOMEM; ++ goto err; ++ } + inter->cis_used = 1; + inter->dev = config->dev; + inter->fpga_rw = config->fpga_rw; +@@ -801,6 +810,7 @@ err: + ci_dbg_print("%s: Cannot initialize CI: Error %d.\n", __func__, ret); + + kfree(state); ++ kfree(inter); + + return ret; + } diff --git a/queue-4.19/media-tvp5150-fix-width-alignment-during-set_selection.patch b/queue-4.19/media-tvp5150-fix-width-alignment-during-set_selection.patch new file mode 100644 index 00000000000..f33235c8d33 --- /dev/null +++ b/queue-4.19/media-tvp5150-fix-width-alignment-during-set_selection.patch @@ -0,0 +1,55 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: Marco Felsch +Date: Thu, 28 Jun 2018 12:20:33 -0400 +Subject: media: tvp5150: fix width alignment during set_selection() + +From: Marco Felsch + +[ Upstream commit bd24db04101f45a9c1d874fe21b0c7eab7bcadec ] + +The driver ignored the width alignment which exists due to the UYVY +colorspace format. Fix the width alignment and make use of the the +provided v4l2 helper function to set the width, height and all +alignments in one. + +Fixes: 963ddc63e20d ("[media] media: tvp5150: Add cropping support") + +Signed-off-by: Marco Felsch +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/tvp5150.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +--- a/drivers/media/i2c/tvp5150.c ++++ b/drivers/media/i2c/tvp5150.c +@@ -901,9 +901,6 @@ static int tvp5150_set_selection(struct + + /* tvp5150 has some special limits */ + rect.left = clamp(rect.left, 0, TVP5150_MAX_CROP_LEFT); +- rect.width = clamp_t(unsigned int, rect.width, +- TVP5150_H_MAX - TVP5150_MAX_CROP_LEFT - rect.left, +- TVP5150_H_MAX - rect.left); + rect.top = clamp(rect.top, 0, TVP5150_MAX_CROP_TOP); + + /* Calculate height based on current standard */ +@@ -917,9 +914,16 @@ static int tvp5150_set_selection(struct + else + hmax = TVP5150_V_MAX_OTHERS; + +- rect.height = clamp_t(unsigned int, rect.height, ++ /* ++ * alignments: ++ * - width = 2 due to UYVY colorspace ++ * - height, image = no special alignment ++ */ ++ v4l_bound_align_image(&rect.width, ++ TVP5150_H_MAX - TVP5150_MAX_CROP_LEFT - rect.left, ++ TVP5150_H_MAX - rect.left, 1, &rect.height, + hmax - TVP5150_MAX_CROP_TOP - rect.top, +- hmax - rect.top); ++ hmax - rect.top, 0, 0); + + tvp5150_write(sd, TVP5150_VERT_BLANKING_START, rect.top); + tvp5150_write(sd, TVP5150_VERT_BLANKING_STOP, diff --git a/queue-4.19/mips-kexec-mark-cpu-offline-before-disabling-local-irq.patch b/queue-4.19/mips-kexec-mark-cpu-offline-before-disabling-local-irq.patch new file mode 100644 index 00000000000..864edea9e25 --- /dev/null +++ b/queue-4.19/mips-kexec-mark-cpu-offline-before-disabling-local-irq.patch @@ -0,0 +1,51 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: Dengcheng Zhu +Date: Tue, 11 Sep 2018 14:49:20 -0700 +Subject: MIPS: kexec: Mark CPU offline before disabling local IRQ + +From: Dengcheng Zhu + +[ Upstream commit dc57aaf95a516f70e2d527d8287a0332c481a226 ] + +After changing CPU online status, it will not be sent any IPIs such as in +__flush_cache_all() on software coherency systems. Do this before disabling +local IRQ. + +Signed-off-by: Dengcheng Zhu +Signed-off-by: Paul Burton +Patchwork: https://patchwork.linux-mips.org/patch/20571/ +Cc: pburton@wavecomp.com +Cc: ralf@linux-mips.org +Cc: linux-mips@linux-mips.org +Cc: rachel.mozes@intel.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/kernel/crash.c | 3 +++ + arch/mips/kernel/machine_kexec.c | 3 +++ + 2 files changed, 6 insertions(+) + +--- a/arch/mips/kernel/crash.c ++++ b/arch/mips/kernel/crash.c +@@ -36,6 +36,9 @@ static void crash_shutdown_secondary(voi + if (!cpu_online(cpu)) + return; + ++ /* We won't be sent IPIs any more. */ ++ set_cpu_online(cpu, false); ++ + local_irq_disable(); + if (!cpumask_test_cpu(cpu, &cpus_in_crash)) + crash_save_cpu(regs, cpu); +--- a/arch/mips/kernel/machine_kexec.c ++++ b/arch/mips/kernel/machine_kexec.c +@@ -118,6 +118,9 @@ machine_kexec(struct kimage *image) + *ptr = (unsigned long) phys_to_virt(*ptr); + } + ++ /* Mark offline BEFORE disabling local irq. */ ++ set_cpu_online(smp_processor_id(), false); ++ + /* + * we do not want to be bothered. + */ diff --git a/queue-4.19/mips-pci-call-pcie_bus_configure_settings-to-set-mps-mrrs.patch b/queue-4.19/mips-pci-call-pcie_bus_configure_settings-to-set-mps-mrrs.patch new file mode 100644 index 00000000000..87b7555fd8e --- /dev/null +++ b/queue-4.19/mips-pci-call-pcie_bus_configure_settings-to-set-mps-mrrs.patch @@ -0,0 +1,46 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: Huacai Chen +Date: Sat, 15 Sep 2018 14:01:12 +0800 +Subject: MIPS/PCI: Call pcie_bus_configure_settings() to set MPS/MRRS + +From: Huacai Chen + +[ Upstream commit 2794f688b2c336e0da85e9f91fed33febbd9f54a ] + +Call pcie_bus_configure_settings() on MIPS, like for other platforms. +The function pcie_bus_configure_settings() makes sure the MPS (Max +Payload Size) across the bus is uniform and provides the ability to +tune the MRSS (Max Read Request Size) and MPS (Max Payload Size) to +higher performance values. Some devices will not operate properly if +these aren't set correctly because the firmware doesn't always do it. + +Signed-off-by: Huacai Chen +Signed-off-by: Paul Burton +Patchwork: https://patchwork.linux-mips.org/patch/20649/ +Cc: Ralf Baechle +Cc: James Hogan +Cc: linux-mips@linux-mips.org +Cc: Fuxin Zhang +Cc: Zhangjin Wu +Cc: Huacai Chen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/pci/pci-legacy.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/mips/pci/pci-legacy.c ++++ b/arch/mips/pci/pci-legacy.c +@@ -127,8 +127,12 @@ static void pcibios_scanbus(struct pci_c + if (pci_has_flag(PCI_PROBE_ONLY)) { + pci_bus_claim_resources(bus); + } else { ++ struct pci_bus *child; ++ + pci_bus_size_bridges(bus); + pci_bus_assign_resources(bus); ++ list_for_each_entry(child, &bus->children, node) ++ pcie_bus_configure_settings(child); + } + pci_bus_add_devices(bus); + } diff --git a/queue-4.19/powerpc-64-module-rel32-relocation-range-check.patch b/queue-4.19/powerpc-64-module-rel32-relocation-range-check.patch new file mode 100644 index 00000000000..7ab7c3d5064 --- /dev/null +++ b/queue-4.19/powerpc-64-module-rel32-relocation-range-check.patch @@ -0,0 +1,46 @@ +From foo@baz Tue Nov 13 16:10:37 PST 2018 +From: Nicholas Piggin +Date: Wed, 29 Aug 2018 21:56:56 +1000 +Subject: powerpc/64/module: REL32 relocation range check + +From: Nicholas Piggin + +[ Upstream commit b851ba02a6f3075f0f99c60c4bc30a4af80cf428 ] + +The recent module relocation overflow crash demonstrated that we +have no range checking on REL32 relative relocations. This patch +implements a basic check, the same kernel that previously oopsed +and rebooted now continues with some of these errors when loading +the module: + + module_64: x_tables: REL32 527703503449812 out of range! + +Possibly other relocations (ADDR32, REL16, TOC16, etc.) should also have +overflow checks. + +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/module_64.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/kernel/module_64.c ++++ b/arch/powerpc/kernel/module_64.c +@@ -680,7 +680,14 @@ int apply_relocate_add(Elf64_Shdr *sechd + + case R_PPC64_REL32: + /* 32 bits relative (used by relative exception tables) */ +- *(u32 *)location = value - (unsigned long)location; ++ /* Convert value to relative */ ++ value -= (unsigned long)location; ++ if (value + 0x80000000 > 0xffffffff) { ++ pr_err("%s: REL32 %li out of range!\n", ++ me->name, (long int)value); ++ return -ENOEXEC; ++ } ++ *(u32 *)location = value; + break; + + case R_PPC64_TOCSAVE: diff --git a/queue-4.19/powerpc-boot-ensure-_zimage_start-is-a-weak-symbol.patch b/queue-4.19/powerpc-boot-ensure-_zimage_start-is-a-weak-symbol.patch new file mode 100644 index 00000000000..ec58f211ce9 --- /dev/null +++ b/queue-4.19/powerpc-boot-ensure-_zimage_start-is-a-weak-symbol.patch @@ -0,0 +1,62 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: Joel Stanley +Date: Fri, 14 Sep 2018 13:36:47 +0930 +Subject: powerpc/boot: Ensure _zimage_start is a weak symbol + +From: Joel Stanley + +[ Upstream commit ee9d21b3b3583712029a0db65a4b7c081d08d3b3 ] + +When building with clang crt0's _zimage_start is not marked weak, which +breaks the build when linking the kernel image: + + $ objdump -t arch/powerpc/boot/crt0.o |grep _zimage_start$ + 0000000000000058 g .text 0000000000000000 _zimage_start + + ld: arch/powerpc/boot/wrapper.a(crt0.o): in function '_zimage_start': + (.text+0x58): multiple definition of '_zimage_start'; + arch/powerpc/boot/pseries-head.o:(.text+0x0): first defined here + +Clang requires the .weak directive to appear after the symbol is +declared. The binutils manual says: + + This directive sets the weak attribute on the comma separated list of + symbol names. If the symbols do not already exist, they will be + created. + +So it appears this is different with clang. The only reference I could +see for this was an OpenBSD mailing list post[1]. + +Changing it to be after the declaration fixes building with Clang, and +still works with GCC. + + $ objdump -t arch/powerpc/boot/crt0.o |grep _zimage_start$ + 0000000000000058 w .text 0000000000000000 _zimage_start + +Reported to clang as https://bugs.llvm.org/show_bug.cgi?id=38921 + +[1] https://groups.google.com/forum/#!topic/fa.openbsd.tech/PAgKKen2YCY + +Signed-off-by: Joel Stanley +Reviewed-by: Nick Desaulniers +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/boot/crt0.S | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/boot/crt0.S ++++ b/arch/powerpc/boot/crt0.S +@@ -47,8 +47,10 @@ p_end: .long _end + p_pstack: .long _platform_stack_top + #endif + +- .weak _zimage_start + .globl _zimage_start ++ /* Clang appears to require the .weak directive to be after the symbol ++ * is defined. See https://bugs.llvm.org/show_bug.cgi?id=38921 */ ++ .weak _zimage_start + _zimage_start: + .globl _zimage_start_lib + _zimage_start_lib: diff --git a/queue-4.19/powerpc-eeh-fix-possible-null-deref-in-eeh_dump_dev_log.patch b/queue-4.19/powerpc-eeh-fix-possible-null-deref-in-eeh_dump_dev_log.patch new file mode 100644 index 00000000000..1213619031c --- /dev/null +++ b/queue-4.19/powerpc-eeh-fix-possible-null-deref-in-eeh_dump_dev_log.patch @@ -0,0 +1,37 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: Sam Bobroff +Date: Wed, 12 Sep 2018 11:23:20 +1000 +Subject: powerpc/eeh: Fix possible null deref in eeh_dump_dev_log() + +From: Sam Bobroff + +[ Upstream commit f9bc28aedfb5bbd572d2d365f3095c1becd7209b ] + +If an error occurs during an unplug operation, it's possible for +eeh_dump_dev_log() to be called when edev->pdn is null, which +currently leads to dereferencing a null pointer. + +Handle this by skipping the error log for those devices. + +Signed-off-by: Sam Bobroff +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/eeh.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/arch/powerpc/kernel/eeh.c ++++ b/arch/powerpc/kernel/eeh.c +@@ -169,6 +169,11 @@ static size_t eeh_dump_dev_log(struct ee + int n = 0, l = 0; + char buffer[128]; + ++ if (!pdn) { ++ pr_warn("EEH: Note: No error log for absent device.\n"); ++ return 0; ++ } ++ + n += scnprintf(buf+n, len-n, "%04x:%02x:%02x.%01x\n", + pdn->phb->global_number, pdn->busno, + PCI_SLOT(pdn->devfn), PCI_FUNC(pdn->devfn)); diff --git a/queue-4.19/powerpc-makefile-fix-ppc_book3s_64-asflags.patch b/queue-4.19/powerpc-makefile-fix-ppc_book3s_64-asflags.patch new file mode 100644 index 00000000000..dbe22f78dc6 --- /dev/null +++ b/queue-4.19/powerpc-makefile-fix-ppc_book3s_64-asflags.patch @@ -0,0 +1,81 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: Joel Stanley +Date: Thu, 11 Oct 2018 13:13:03 +1030 +Subject: powerpc/Makefile: Fix PPC_BOOK3S_64 ASFLAGS + +From: Joel Stanley + +[ Upstream commit 960e30029863db95ec79a71009272d4661db5991 ] + +Ever since commit 15a3204d24a3 ("powerpc/64s: Set assembler machine type +to POWER4") we force -mpower4 to be passed to the assembler +irrespective of the CFLAGS used (for Book3s 64). + +When building a powerpc64 kernel with clang, clang will not add -many +to the assembler flags, so any instructions that the compiler has +generated that are not available on power4 will cause an error: + + /usr/bin/as -a64 -mppc64 -mlittle-endian -mpower8 \ + -I ./arch/powerpc/include -I ./arch/powerpc/include/generated \ + -I ./include -I ./arch/powerpc/include/uapi \ + -I ./arch/powerpc/include/generated/uapi -I ./include/uapi \ + -I ./include/generated/uapi -I arch/powerpc -I arch/powerpc \ + -maltivec -mpower4 -o init/do_mounts.o /tmp/do_mounts-3b0a3d.s + /tmp/do_mounts-51ce54.s:748: Error: unrecognized opcode: `isel' + +GCC does include -many, so the GCC driven gas call will succeed: + + as -v -I ./arch/powerpc/include -I ./arch/powerpc/include/generated -I + ./include -I ./arch/powerpc/include/uapi + -I ./arch/powerpc/include/generated/uapi -I ./include/uapi + -I ./include/generated/uapi -I arch/powerpc -I arch/powerpc + -a64 -mpower8 -many -mlittle -maltivec -mpower4 -o init/do_mounts.o + +Note that isel is power7 and above for IBM CPUs. GCC only generates it +for Power9 and above, but the above test was run against the clang +generated assembly. + +Peter Bergner explains: + + When using -many -mpower4, gas will first try and find a matching + power4 mnemonic and failing that, it will then allow any valid + mnemonic that gas knows about. GCC's use of -many predates me + though. + + IIRC, Alan looked at trying to remove it, but I forget why he + didn't. Could be either a gcc or gas issue at the time. I'm not sure + whether issue still exists or not. He and I have modified how gas + works internally a fair amount since he tried removing gcc use of + -many. + + I will also note that when using -many, gas will choose the first + mnemonic that matches in the mnemonic table and we have (mostly) + sorted the table so that server mnemonics show up earlier in the + table than other mnemonics, so they'll be seen/chosen first. + +By explicitly setting -many we can build with Clang and GCC while +retaining the -mpower4 option. + +Signed-off-by: Joel Stanley +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/Makefile | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/Makefile ++++ b/arch/powerpc/Makefile +@@ -238,7 +238,11 @@ cpu-as-$(CONFIG_4xx) += -Wa,-m405 + cpu-as-$(CONFIG_ALTIVEC) += $(call as-option,-Wa$(comma)-maltivec) + cpu-as-$(CONFIG_E200) += -Wa,-me200 + cpu-as-$(CONFIG_E500) += -Wa,-me500 +-cpu-as-$(CONFIG_PPC_BOOK3S_64) += -Wa,-mpower4 ++ ++# When using '-many -mpower4' gas will first try and find a matching power4 ++# mnemonic and failing that it will allow any valid mnemonic that GAS knows ++# about. GCC will pass -many to GAS when assembling, clang does not. ++cpu-as-$(CONFIG_PPC_BOOK3S_64) += -Wa,-mpower4 -Wa,-many + cpu-as-$(CONFIG_PPC_E500MC) += $(call as-option,-Wa$(comma)-me500mc) + + KBUILD_AFLAGS += $(cpu-as-y) diff --git a/queue-4.19/powerpc-memtrace-remove-memory-in-chunks.patch b/queue-4.19/powerpc-memtrace-remove-memory-in-chunks.patch new file mode 100644 index 00000000000..dcaf3368c78 --- /dev/null +++ b/queue-4.19/powerpc-memtrace-remove-memory-in-chunks.patch @@ -0,0 +1,87 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: Rashmica Gupta +Date: Fri, 17 Aug 2018 14:25:01 +1000 +Subject: powerpc/memtrace: Remove memory in chunks + +From: Rashmica Gupta + +[ Upstream commit 3f7daf3d7582dc6628ac40a9045dd1bbd80c5f35 ] + +When hot-removing memory release_mem_region_adjustable() splits iomem +resources if they are not the exact size of the memory being +hot-deleted. Adding this memory back to the kernel adds a new resource. + +Eg a node has memory 0x0 - 0xfffffffff. Hot-removing 1GB from +0xf40000000 results in the single resource 0x0-0xfffffffff being split +into two resources: 0x0-0xf3fffffff and 0xf80000000-0xfffffffff. + +When we hot-add the memory back we now have three resources: +0x0-0xf3fffffff, 0xf40000000-0xf7fffffff, and 0xf80000000-0xfffffffff. + +This is an issue if we try to remove some memory that overlaps +resources. Eg when trying to remove 2GB at address 0xf40000000, +release_mem_region_adjustable() fails as it expects the chunk of memory +to be within the boundaries of a single resource. We then get the +warning: "Unable to release resource" and attempting to use memtrace +again gives us this error: "bash: echo: write error: Resource +temporarily unavailable" + +This patch makes memtrace remove memory in chunks that are always the +same size from an address that is always equal to end_of_memory - +n*size, for some n. So hotremoving and hotadding memory of different +sizes will now not attempt to remove memory that spans multiple +resources. + +Signed-off-by: Rashmica Gupta +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/platforms/powernv/memtrace.c | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +--- a/arch/powerpc/platforms/powernv/memtrace.c ++++ b/arch/powerpc/platforms/powernv/memtrace.c +@@ -90,17 +90,15 @@ static bool memtrace_offline_pages(u32 n + walk_memory_range(start_pfn, end_pfn, (void *)MEM_OFFLINE, + change_memblock_state); + +- lock_device_hotplug(); +- remove_memory(nid, start_pfn << PAGE_SHIFT, nr_pages << PAGE_SHIFT); +- unlock_device_hotplug(); + + return true; + } + + static u64 memtrace_alloc_node(u32 nid, u64 size) + { +- u64 start_pfn, end_pfn, nr_pages; ++ u64 start_pfn, end_pfn, nr_pages, pfn; + u64 base_pfn; ++ u64 bytes = memory_block_size_bytes(); + + if (!node_spanned_pages(nid)) + return 0; +@@ -113,8 +111,21 @@ static u64 memtrace_alloc_node(u32 nid, + end_pfn = round_down(end_pfn - nr_pages, nr_pages); + + for (base_pfn = end_pfn; base_pfn > start_pfn; base_pfn -= nr_pages) { +- if (memtrace_offline_pages(nid, base_pfn, nr_pages) == true) ++ if (memtrace_offline_pages(nid, base_pfn, nr_pages) == true) { ++ /* ++ * Remove memory in memory block size chunks so that ++ * iomem resources are always split to the same size and ++ * we never try to remove memory that spans two iomem ++ * resources. ++ */ ++ lock_device_hotplug(); ++ end_pfn = base_pfn + nr_pages; ++ for (pfn = base_pfn; pfn < end_pfn; pfn += bytes>> PAGE_SHIFT) { ++ remove_memory(nid, pfn << PAGE_SHIFT, bytes); ++ } ++ unlock_device_hotplug(); + return base_pfn << PAGE_SHIFT; ++ } + } + + return 0; diff --git a/queue-4.19/powerpc-mm-don-t-report-hugepage-tables-as-memory-leaks-when-using-kmemleak.patch b/queue-4.19/powerpc-mm-don-t-report-hugepage-tables-as-memory-leaks-when-using-kmemleak.patch new file mode 100644 index 00000000000..dc00330e59d --- /dev/null +++ b/queue-4.19/powerpc-mm-don-t-report-hugepage-tables-as-memory-leaks-when-using-kmemleak.patch @@ -0,0 +1,62 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: Christophe Leroy +Date: Mon, 13 Aug 2018 13:19:52 +0000 +Subject: powerpc/mm: Don't report hugepage tables as memory leaks when using kmemleak + +From: Christophe Leroy + +[ Upstream commit 803d690e68f0c5230183f1a42c7d50a41d16e380 ] + +When a process allocates a hugepage, the following leak is +reported by kmemleak. This is a false positive which is +due to the pointer to the table being stored in the PGD +as physical memory address and not virtual memory pointer. + +unreferenced object 0xc30f8200 (size 512): + comm "mmap", pid 374, jiffies 4872494 (age 627.630s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] huge_pte_alloc+0xdc/0x1f8 + [<9e0df1e1>] hugetlb_fault+0x560/0x8f8 + [<7938ec6c>] follow_hugetlb_page+0x14c/0x44c + [] __get_user_pages+0x1c4/0x3dc + [] __mm_populate+0xac/0x140 + [<3215421e>] vm_mmap_pgoff+0xb4/0xb8 + [] ksys_mmap_pgoff+0xcc/0x1fc + [<4fcd760f>] ret_from_syscall+0x0/0x38 + +See commit a984506c542e2 ("powerpc/mm: Don't report PUDs as +memory leaks when using kmemleak") for detailed explanation. + +To fix that, this patch tells kmemleak to ignore the allocated +hugepage table. + +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/mm/hugetlbpage.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/powerpc/mm/hugetlbpage.c ++++ b/arch/powerpc/mm/hugetlbpage.c +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -112,6 +113,8 @@ static int __hugepte_alloc(struct mm_str + for (i = i - 1 ; i >= 0; i--, hpdp--) + *hpdp = __hugepd(0); + kmem_cache_free(cachep, new); ++ } else { ++ kmemleak_ignore(new); + } + spin_unlock(ptl); + return 0; diff --git a/queue-4.19/powerpc-mm-fix-always-true-false-warning-in-slice.c.patch b/queue-4.19/powerpc-mm-fix-always-true-false-warning-in-slice.c.patch new file mode 100644 index 00000000000..589c338d143 --- /dev/null +++ b/queue-4.19/powerpc-mm-fix-always-true-false-warning-in-slice.c.patch @@ -0,0 +1,125 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: Christophe Leroy +Date: Thu, 2 Aug 2018 09:25:55 +0000 +Subject: powerpc/mm: fix always true/false warning in slice.c + +From: Christophe Leroy + +[ Upstream commit 37e9c674e7e6f445e12cb1151017bd4bacdd1e2d ] + +This patch fixes the following warnings (obtained with make W=1). + +arch/powerpc/mm/slice.c: In function 'slice_range_to_mask': +arch/powerpc/mm/slice.c:73:12: error: comparison is always true due to limited range of data type [-Werror=type-limits] + if (start < SLICE_LOW_TOP) { + ^ +arch/powerpc/mm/slice.c:81:20: error: comparison is always false due to limited range of data type [-Werror=type-limits] + if ((start + len) > SLICE_LOW_TOP) { + ^ +arch/powerpc/mm/slice.c: In function 'slice_mask_for_free': +arch/powerpc/mm/slice.c:136:17: error: comparison is always true due to limited range of data type [-Werror=type-limits] + if (high_limit <= SLICE_LOW_TOP) + ^ +arch/powerpc/mm/slice.c: In function 'slice_check_range_fits': +arch/powerpc/mm/slice.c:185:12: error: comparison is always true due to limited range of data type [-Werror=type-limits] + if (start < SLICE_LOW_TOP) { + ^ +arch/powerpc/mm/slice.c:195:39: error: comparison is always false due to limited range of data type [-Werror=type-limits] + if (SLICE_NUM_HIGH && ((start + len) > SLICE_LOW_TOP)) { + ^ +arch/powerpc/mm/slice.c: In function 'slice_scan_available': +arch/powerpc/mm/slice.c:306:11: error: comparison is always true due to limited range of data type [-Werror=type-limits] + if (addr < SLICE_LOW_TOP) { + ^ +arch/powerpc/mm/slice.c: In function 'get_slice_psize': +arch/powerpc/mm/slice.c:709:11: error: comparison is always true due to limited range of data type [-Werror=type-limits] + if (addr < SLICE_LOW_TOP) { + ^ + +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/mm/slice.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +--- a/arch/powerpc/mm/slice.c ++++ b/arch/powerpc/mm/slice.c +@@ -61,6 +61,13 @@ static void slice_print_mask(const char + + #endif + ++static inline bool slice_addr_is_low(unsigned long addr) ++{ ++ u64 tmp = (u64)addr; ++ ++ return tmp < SLICE_LOW_TOP; ++} ++ + static void slice_range_to_mask(unsigned long start, unsigned long len, + struct slice_mask *ret) + { +@@ -70,7 +77,7 @@ static void slice_range_to_mask(unsigned + if (SLICE_NUM_HIGH) + bitmap_zero(ret->high_slices, SLICE_NUM_HIGH); + +- if (start < SLICE_LOW_TOP) { ++ if (slice_addr_is_low(start)) { + unsigned long mend = min(end, + (unsigned long)(SLICE_LOW_TOP - 1)); + +@@ -78,7 +85,7 @@ static void slice_range_to_mask(unsigned + - (1u << GET_LOW_SLICE_INDEX(start)); + } + +- if ((start + len) > SLICE_LOW_TOP) { ++ if (SLICE_NUM_HIGH && !slice_addr_is_low(end)) { + unsigned long start_index = GET_HIGH_SLICE_INDEX(start); + unsigned long align_end = ALIGN(end, (1UL << SLICE_HIGH_SHIFT)); + unsigned long count = GET_HIGH_SLICE_INDEX(align_end) - start_index; +@@ -133,7 +140,7 @@ static void slice_mask_for_free(struct m + if (!slice_low_has_vma(mm, i)) + ret->low_slices |= 1u << i; + +- if (high_limit <= SLICE_LOW_TOP) ++ if (slice_addr_is_low(high_limit - 1)) + return; + + for (i = 0; i < GET_HIGH_SLICE_INDEX(high_limit); i++) +@@ -182,7 +189,7 @@ static bool slice_check_range_fits(struc + unsigned long end = start + len - 1; + u64 low_slices = 0; + +- if (start < SLICE_LOW_TOP) { ++ if (slice_addr_is_low(start)) { + unsigned long mend = min(end, + (unsigned long)(SLICE_LOW_TOP - 1)); + +@@ -192,7 +199,7 @@ static bool slice_check_range_fits(struc + if ((low_slices & available->low_slices) != low_slices) + return false; + +- if (SLICE_NUM_HIGH && ((start + len) > SLICE_LOW_TOP)) { ++ if (SLICE_NUM_HIGH && !slice_addr_is_low(end)) { + unsigned long start_index = GET_HIGH_SLICE_INDEX(start); + unsigned long align_end = ALIGN(end, (1UL << SLICE_HIGH_SHIFT)); + unsigned long count = GET_HIGH_SLICE_INDEX(align_end) - start_index; +@@ -303,7 +310,7 @@ static bool slice_scan_available(unsigne + int end, unsigned long *boundary_addr) + { + unsigned long slice; +- if (addr < SLICE_LOW_TOP) { ++ if (slice_addr_is_low(addr)) { + slice = GET_LOW_SLICE_INDEX(addr); + *boundary_addr = (slice + end) << SLICE_LOW_SHIFT; + return !!(available->low_slices & (1u << slice)); +@@ -706,7 +713,7 @@ unsigned int get_slice_psize(struct mm_s + + VM_BUG_ON(radix_enabled()); + +- if (addr < SLICE_LOW_TOP) { ++ if (slice_addr_is_low(addr)) { + psizes = mm->context.low_slices_psize; + index = GET_LOW_SLICE_INDEX(addr); + } else { diff --git a/queue-4.19/powerpc-mm-fix-page-table-dump-to-work-on-radix.patch b/queue-4.19/powerpc-mm-fix-page-table-dump-to-work-on-radix.patch new file mode 100644 index 00000000000..7cc79769f2d --- /dev/null +++ b/queue-4.19/powerpc-mm-fix-page-table-dump-to-work-on-radix.patch @@ -0,0 +1,56 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: Michael Ellerman +Date: Wed, 15 Aug 2018 21:29:45 +1000 +Subject: powerpc/mm: Fix page table dump to work on Radix + +From: Michael Ellerman + +[ Upstream commit 0d923962ab69c27cca664a2d535e90ef655110ca ] + +When we're running on Book3S with the Radix MMU enabled the page table +dump currently prints the wrong addresses because it uses the wrong +start address. + +Fix it to use PAGE_OFFSET rather than KERN_VIRT_START. + +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/mm/dump_linuxpagetables.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/arch/powerpc/mm/dump_linuxpagetables.c ++++ b/arch/powerpc/mm/dump_linuxpagetables.c +@@ -418,12 +418,13 @@ static void walk_pagetables(struct pg_st + unsigned int i; + unsigned long addr; + ++ addr = st->start_address; ++ + /* + * Traverse the linux pagetable structure and dump pages that are in + * the hash pagetable. + */ +- for (i = 0; i < PTRS_PER_PGD; i++, pgd++) { +- addr = KERN_VIRT_START + i * PGDIR_SIZE; ++ for (i = 0; i < PTRS_PER_PGD; i++, pgd++, addr += PGDIR_SIZE) { + if (!pgd_none(*pgd) && !pgd_huge(*pgd)) + /* pgd exists */ + walk_pud(st, pgd, addr); +@@ -472,9 +473,14 @@ static int ptdump_show(struct seq_file * + { + struct pg_state st = { + .seq = m, +- .start_address = KERN_VIRT_START, + .marker = address_markers, + }; ++ ++ if (radix_enabled()) ++ st.start_address = PAGE_OFFSET; ++ else ++ st.start_address = KERN_VIRT_START; ++ + /* Traverse kernel page tables */ + walk_pagetables(&st); + note_page(&st, 0, 0, 0); diff --git a/queue-4.19/powerpc-nohash-fix-undefined-behaviour-when-testing-page-size-support.patch b/queue-4.19/powerpc-nohash-fix-undefined-behaviour-when-testing-page-size-support.patch new file mode 100644 index 00000000000..615f408b094 --- /dev/null +++ b/queue-4.19/powerpc-nohash-fix-undefined-behaviour-when-testing-page-size-support.patch @@ -0,0 +1,53 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: Daniel Axtens +Date: Mon, 1 Oct 2018 16:21:51 +1000 +Subject: powerpc/nohash: fix undefined behaviour when testing page size support + +From: Daniel Axtens + +[ Upstream commit f5e284803a7206d43e26f9ffcae5de9626d95e37 ] + +When enumerating page size definitions to check hardware support, +we construct a constant which is (1U << (def->shift - 10)). + +However, the array of page size definitions is only initalised for +various MMU_PAGE_* constants, so it contains a number of 0-initialised +elements with def->shift == 0. This means we end up shifting by a +very large number, which gives the following UBSan splat: + +================================================================================ +UBSAN: Undefined behaviour in /home/dja/dev/linux/linux/arch/powerpc/mm/tlb_nohash.c:506:21 +shift exponent 4294967286 is too large for 32-bit type 'unsigned int' +CPU: 0 PID: 0 Comm: swapper Not tainted 4.19.0-rc3-00045-ga604f927b012-dirty #6 +Call Trace: +[c00000000101bc20] [c000000000a13d54] .dump_stack+0xa8/0xec (unreliable) +[c00000000101bcb0] [c0000000004f20a8] .ubsan_epilogue+0x18/0x64 +[c00000000101bd30] [c0000000004f2b10] .__ubsan_handle_shift_out_of_bounds+0x110/0x1a4 +[c00000000101be20] [c000000000d21760] .early_init_mmu+0x1b4/0x5a0 +[c00000000101bf10] [c000000000d1ba28] .early_setup+0x100/0x130 +[c00000000101bf90] [c000000000000528] start_here_multiplatform+0x68/0x80 +================================================================================ + +Fix this by first checking if the element exists (shift != 0) before +constructing the constant. + +Signed-off-by: Daniel Axtens +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/mm/tlb_nohash.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/powerpc/mm/tlb_nohash.c ++++ b/arch/powerpc/mm/tlb_nohash.c +@@ -503,6 +503,9 @@ static void setup_page_sizes(void) + for (psize = 0; psize < MMU_PAGE_COUNT; ++psize) { + struct mmu_psize_def *def = &mmu_psize_defs[psize]; + ++ if (!def->shift) ++ continue; ++ + if (tlb1ps & (1U << (def->shift - 10))) { + def->flags |= MMU_PAGE_SIZE_DIRECT; + diff --git a/queue-4.19/powerpc-selftests-wait-all-threads-to-join.patch b/queue-4.19/powerpc-selftests-wait-all-threads-to-join.patch new file mode 100644 index 00000000000..29c489ed208 --- /dev/null +++ b/queue-4.19/powerpc-selftests-wait-all-threads-to-join.patch @@ -0,0 +1,75 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: Breno Leitao +Date: Tue, 31 Jul 2018 17:55:57 -0300 +Subject: powerpc/selftests: Wait all threads to join + +From: Breno Leitao + +[ Upstream commit 693b31b2fc1636f0aa7af53136d3b49f6ad9ff39 ] + +Test tm-tmspr might exit before all threads stop executing, because it just +waits for the very last thread to join before proceeding/exiting. + +This patch makes sure that all threads that were created will join before +proceeding/exiting. + +This patch also guarantees that the amount of threads being created is equal +to thread_num. + +Signed-off-by: Breno Leitao +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/powerpc/tm/tm-tmspr.c | 27 ++++++++++++++++---------- + 1 file changed, 17 insertions(+), 10 deletions(-) + +--- a/tools/testing/selftests/powerpc/tm/tm-tmspr.c ++++ b/tools/testing/selftests/powerpc/tm/tm-tmspr.c +@@ -98,7 +98,7 @@ void texasr(void *in) + + int test_tmspr() + { +- pthread_t thread; ++ pthread_t *thread; + int thread_num; + unsigned long i; + +@@ -107,21 +107,28 @@ int test_tmspr() + /* To cause some context switching */ + thread_num = 10 * sysconf(_SC_NPROCESSORS_ONLN); + ++ thread = malloc(thread_num * sizeof(pthread_t)); ++ if (thread == NULL) ++ return EXIT_FAILURE; ++ + /* Test TFIAR and TFHAR */ +- for (i = 0 ; i < thread_num ; i += 2){ +- if (pthread_create(&thread, NULL, (void*)tfiar_tfhar, (void *)i)) ++ for (i = 0; i < thread_num; i += 2) { ++ if (pthread_create(&thread[i], NULL, (void *)tfiar_tfhar, ++ (void *)i)) + return EXIT_FAILURE; + } +- if (pthread_join(thread, NULL) != 0) +- return EXIT_FAILURE; +- + /* Test TEXASR */ +- for (i = 0 ; i < thread_num ; i++){ +- if (pthread_create(&thread, NULL, (void*)texasr, (void *)i)) ++ for (i = 1; i < thread_num; i += 2) { ++ if (pthread_create(&thread[i], NULL, (void *)texasr, (void *)i)) + return EXIT_FAILURE; + } +- if (pthread_join(thread, NULL) != 0) +- return EXIT_FAILURE; ++ ++ for (i = 0; i < thread_num; i++) { ++ if (pthread_join(thread[i], NULL) != 0) ++ return EXIT_FAILURE; ++ } ++ ++ free(thread); + + if (passed) + return 0; diff --git a/queue-4.19/powerpc-traps-restore-recoverability-of-machine_check-interrupts.patch b/queue-4.19/powerpc-traps-restore-recoverability-of-machine_check-interrupts.patch new file mode 100644 index 00000000000..27d389da99d --- /dev/null +++ b/queue-4.19/powerpc-traps-restore-recoverability-of-machine_check-interrupts.patch @@ -0,0 +1,51 @@ +From foo@baz Tue Nov 13 16:10:37 PST 2018 +From: Christophe Leroy +Date: Sat, 13 Oct 2018 09:16:22 +0000 +Subject: powerpc/traps: restore recoverability of machine_check interrupts + +From: Christophe Leroy + +[ Upstream commit daf00ae71dad8aa05965713c62558aeebf2df48e ] + +commit b96672dd840f ("powerpc: Machine check interrupt is a non- +maskable interrupt") added a call to nmi_enter() at the beginning of +machine check restart exception handler. Due to that, in_interrupt() +always returns true regardless of the state before entering the +exception, and die() panics even when the system was not already in +interrupt. + +This patch calls nmi_exit() before calling die() in order to restore +the interrupt state we had before calling nmi_enter() + +Fixes: b96672dd840f ("powerpc: Machine check interrupt is a non-maskable interrupt") +Signed-off-by: Christophe Leroy +Reviewed-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/traps.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/kernel/traps.c ++++ b/arch/powerpc/kernel/traps.c +@@ -767,12 +767,17 @@ void machine_check_exception(struct pt_r + if (check_io_access(regs)) + goto bail; + +- die("Machine check", regs, SIGBUS); +- + /* Must die if the interrupt is not recoverable */ + if (!(regs->msr & MSR_RI)) + nmi_panic(regs, "Unrecoverable Machine check"); + ++ if (!nested) ++ nmi_exit(); ++ ++ die("Machine check", regs, SIGBUS); ++ ++ return; ++ + bail: + if (!nested) + nmi_exit(); diff --git a/queue-4.19/sc16is7xx-fix-for-multi-channel-stall.patch b/queue-4.19/sc16is7xx-fix-for-multi-channel-stall.patch new file mode 100644 index 00000000000..e27cd760709 --- /dev/null +++ b/queue-4.19/sc16is7xx-fix-for-multi-channel-stall.patch @@ -0,0 +1,116 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: Phil Elwell +Date: Wed, 12 Sep 2018 15:31:55 +0100 +Subject: sc16is7xx: Fix for multi-channel stall + +From: Phil Elwell + +[ Upstream commit 8344498721059754e09d30fe255a12dab8fb03ef ] + +The SC16IS752 is a dual-channel device. The two channels are largely +independent, but the IRQ signals are wired together as an open-drain, +active low signal which will be driven low while either of the +channels requires attention, which can be for significant periods of +time until operations complete and the interrupt can be acknowledged. +In that respect it is should be treated as a true level-sensitive IRQ. + +The kernel, however, needs to be able to exit interrupt context in +order to use I2C or SPI to access the device registers (which may +involve sleeping). Therefore the interrupt needs to be masked out or +paused in some way. + +The usual way to manage sleeping from within an interrupt handler +is to use a threaded interrupt handler - a regular interrupt routine +does the minimum amount of work needed to triage the interrupt before +waking the interrupt service thread. If the threaded IRQ is marked as +IRQF_ONESHOT the kernel will automatically mask out the interrupt +until the thread runs to completion. The sc16is7xx driver used to +use a threaded IRQ, but a patch switched to using a kthread_worker +in order to set realtime priorities on the handler thread and for +other optimisations. The end result is non-threaded IRQ that +schedules some work then returns IRQ_HANDLED, making the kernel +think that all IRQ processing has completed. + +The work-around to prevent a constant stream of interrupts is to +mark the interrupt as edge-sensitive rather than level-sensitive, +but interpreting an active-low source as a falling-edge source +requires care to prevent a total cessation of interrupts. Whereas +an edge-triggering source will generate a new edge for every interrupt +condition a level-triggering source will keep the signal at the +interrupting level until it no longer requires attention; in other +words, the host won't see another edge until all interrupt conditions +are cleared. It is therefore vital that the interrupt handler does not +exit with an outstanding interrupt condition, otherwise the kernel +will not receive another interrupt unless some other operation causes +the interrupt state on the device to be cleared. + +The existing sc16is7xx driver has a very simple interrupt "thread" +(kthread_work job) that processes interrupts on each channel in turn +until there are no more. If both channels are active and the first +channel starts interrupting while the handler for the second channel +is running then it will not be detected and an IRQ stall ensues. This +could be handled easily if there was a shared IRQ status register, or +a convenient way to determine if the IRQ had been deasserted for any +length of time, but both appear to be lacking. + +Avoid this problem (or at least make it much less likely to happen) +by reducing the granularity of per-channel interrupt processing +to one condition per iteration, only exiting the overall loop when +both channels are no longer interrupting. + +Signed-off-by: Phil Elwell +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/sc16is7xx.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +--- a/drivers/tty/serial/sc16is7xx.c ++++ b/drivers/tty/serial/sc16is7xx.c +@@ -657,7 +657,7 @@ static void sc16is7xx_handle_tx(struct u + uart_write_wakeup(port); + } + +-static void sc16is7xx_port_irq(struct sc16is7xx_port *s, int portno) ++static bool sc16is7xx_port_irq(struct sc16is7xx_port *s, int portno) + { + struct uart_port *port = &s->p[portno].port; + +@@ -666,7 +666,7 @@ static void sc16is7xx_port_irq(struct sc + + iir = sc16is7xx_port_read(port, SC16IS7XX_IIR_REG); + if (iir & SC16IS7XX_IIR_NO_INT_BIT) +- break; ++ return false; + + iir &= SC16IS7XX_IIR_ID_MASK; + +@@ -688,16 +688,23 @@ static void sc16is7xx_port_irq(struct sc + port->line, iir); + break; + } +- } while (1); ++ } while (0); ++ return true; + } + + static void sc16is7xx_ist(struct kthread_work *ws) + { + struct sc16is7xx_port *s = to_sc16is7xx_port(ws, irq_work); +- int i; + +- for (i = 0; i < s->devtype->nr_uart; ++i) +- sc16is7xx_port_irq(s, i); ++ while (1) { ++ bool keep_polling = false; ++ int i; ++ ++ for (i = 0; i < s->devtype->nr_uart; ++i) ++ keep_polling |= sc16is7xx_port_irq(s, i); ++ if (!keep_polling) ++ break; ++ } + } + + static irqreturn_t sc16is7xx_irq(int irq, void *dev_id) diff --git a/queue-4.19/serial-8250_of-fix-for-lack-of-interrupt-support.patch b/queue-4.19/serial-8250_of-fix-for-lack-of-interrupt-support.patch new file mode 100644 index 00000000000..2d340c6864d --- /dev/null +++ b/queue-4.19/serial-8250_of-fix-for-lack-of-interrupt-support.patch @@ -0,0 +1,89 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: John Garry +Date: Thu, 30 Aug 2018 17:08:50 +0800 +Subject: serial: 8250_of: Fix for lack of interrupt support + +From: John Garry + +[ Upstream commit a27d938251ef40c43db81af16fc26b2cec181d4d ] + +In commit c58caaab3bf8 ("serial: 8250: of: Defer probe on missing IRQ"), a +check was added for the UART driver being probed prior to the parent IRQ +controller. + +Unfortunately this breaks certain boards which have no interrupt support, +like Huawei D03. + +Indeed, the 8250 DT bindings state that interrupts should be supported - +not must. + +To fix, switch from irq_of_parse_and_map() to of_irq_get(), which +does relay whether the IRQ host controller domain is not ready, i.e. +defer probe, instead of assuming it. + +Fixes: c58caaab3bf8 ("serial: 8250: of: Defer probe on missing IRQ") +Signed-off-by: John Garry +Reviewed-by: Rob Herring +Reviewed-by: Alexander Sverdlin +Tested-by: Alexander Sverdlin +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_of.c | 22 +++++++++++++--------- + 1 file changed, 13 insertions(+), 9 deletions(-) + +--- a/drivers/tty/serial/8250/8250_of.c ++++ b/drivers/tty/serial/8250/8250_of.c +@@ -58,7 +58,7 @@ static int of_platform_serial_setup(stru + struct resource resource; + struct device_node *np = ofdev->dev.of_node; + u32 clk, spd, prop; +- int ret; ++ int ret, irq; + + memset(port, 0, sizeof *port); + +@@ -143,21 +143,27 @@ static int of_platform_serial_setup(stru + if (ret >= 0) + port->line = ret; + +- port->irq = irq_of_parse_and_map(np, 0); +- if (!port->irq) { +- ret = -EPROBE_DEFER; +- goto err_unprepare; ++ irq = of_irq_get(np, 0); ++ if (irq < 0) { ++ if (irq == -EPROBE_DEFER) { ++ ret = -EPROBE_DEFER; ++ goto err_unprepare; ++ } ++ /* IRQ support not mandatory */ ++ irq = 0; + } + ++ port->irq = irq; ++ + info->rst = devm_reset_control_get_optional_shared(&ofdev->dev, NULL); + if (IS_ERR(info->rst)) { + ret = PTR_ERR(info->rst); +- goto err_dispose; ++ goto err_unprepare; + } + + ret = reset_control_deassert(info->rst); + if (ret) +- goto err_dispose; ++ goto err_unprepare; + + port->type = type; + port->uartclk = clk; +@@ -184,8 +190,6 @@ static int of_platform_serial_setup(stru + port->handle_irq = fsl8250_handle_irq; + + return 0; +-err_dispose: +- irq_dispose_mapping(port->irq); + err_unprepare: + clk_disable_unprepare(info->clk); + err_pmruntime: diff --git a/queue-4.19/series b/queue-4.19/series new file mode 100644 index 00000000000..2cd64ec3079 --- /dev/null +++ b/queue-4.19/series @@ -0,0 +1,45 @@ +powerpc-traps-restore-recoverability-of-machine_check-interrupts.patch +powerpc-64-module-rel32-relocation-range-check.patch +powerpc-mm-fix-page-table-dump-to-work-on-radix.patch +powerpc-mm-fix-always-true-false-warning-in-slice.c.patch +drm-amd-display-fix-bug-of-accessing-invalid-memory.patch +input-wm97xx-ts-fix-exit-path.patch +powerpc-makefile-fix-ppc_book3s_64-asflags.patch +powerpc-eeh-fix-possible-null-deref-in-eeh_dump_dev_log.patch +tty-check-name-length-in-tty_find_polling_driver.patch +tracing-kprobes-check-the-probe-on-unloaded-module-correctly.patch +drm-nouveau-secboot-acr-fix-memory-leak.patch +drm-amdgpu-powerplay-fix-missing-break-in-switch-statements.patch +arm-imx_v6_v7_defconfig-select-config_tmpfs_posix_acl.patch +powerpc-nohash-fix-undefined-behaviour-when-testing-page-size-support.patch +drm-msm-gpu-fix-parameters-in-function-msm_gpu_crashstate_capture.patch +drm-msm-disp-dpu-use-proper-define-for-drm_encoder_init-encoder_type.patch +drm-msm-dpu-allow-planes-to-extend-past-active-display.patch +powerpc-mm-don-t-report-hugepage-tables-as-memory-leaks-when-using-kmemleak.patch +drm-omap-fix-memory-barrier-bug-in-dmm-driver.patch +drm-amd-display-raise-dispclk-value-for-dce120-by-15.patch +drm-amd-display-fix-gamma-not-being-applied.patch +drm-hisilicon-hibmc-do-not-carry-error-code-in-hibmc-framebuffer-pointer.patch +media-pci-cx23885-handle-adding-to-list-failure.patch +media-coda-don-t-overwrite-h.264-profile_idc-on-decoder-instance.patch +mips-kexec-mark-cpu-offline-before-disabling-local-irq.patch +powerpc-boot-ensure-_zimage_start-is-a-weak-symbol.patch +powerpc-memtrace-remove-memory-in-chunks.patch +mips-pci-call-pcie_bus_configure_settings-to-set-mps-mrrs.patch +staging-erofs-fix-a-missing-endian-conversion.patch +serial-8250_of-fix-for-lack-of-interrupt-support.patch +sc16is7xx-fix-for-multi-channel-stall.patch +media-tvp5150-fix-width-alignment-during-set_selection.patch +powerpc-selftests-wait-all-threads-to-join.patch +staging-iio-ad7606-fix-voltage-scales.patch +drm-rcar-du-update-gen3-output-limitations.patch +drm-amdgpu-fix-sdma-to-after-gpu-reset-v3.patch +staging-most-video-fix-registration-of-an-empty-comp-core_component.patch +9p-locks-fix-glock.client_id-leak-in-do_lock.patch +udf-prevent-write-unsupported-filesystem-to-be-remounted-read-write.patch +arm-dts-imx6ull-keep-imx6ul_-prefix-for-signals-on-both-i.mx6ul-and-i.mx6ull.patch +media-ov5640-fix-mode-change-regression.patch +9p-clear-dangling-pointers-in-p9stat_free.patch +drm-amdgpu-fix-integer-overflow-test-in-amdgpu_bo_list_create.patch +media-ov5640-fix-restore-of-last-mode-set.patch +cdrom-fix-improper-type-cast-which-can-leat-to-information-leak.patch diff --git a/queue-4.19/staging-erofs-fix-a-missing-endian-conversion.patch b/queue-4.19/staging-erofs-fix-a-missing-endian-conversion.patch new file mode 100644 index 00000000000..327c76c9df4 --- /dev/null +++ b/queue-4.19/staging-erofs-fix-a-missing-endian-conversion.patch @@ -0,0 +1,48 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: Gao Xiang +Date: Tue, 18 Sep 2018 22:25:33 +0800 +Subject: staging: erofs: fix a missing endian conversion + +From: Gao Xiang + +[ Upstream commit 37ec35a6cc2b99eb7fd6b85b7d7b75dff46bc353 ] + +This patch fixes a missing endian conversion in +vle_get_logical_extent_head. + +Reviewed-by: Chao Yu +Signed-off-by: Gao Xiang +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/erofs/unzip_vle.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/staging/erofs/unzip_vle.c ++++ b/drivers/staging/erofs/unzip_vle.c +@@ -1490,6 +1490,7 @@ static erofs_off_t vle_get_logical_exten + unsigned long long ofs; + const unsigned int clusterbits = EROFS_SB(inode->i_sb)->clusterbits; + const unsigned int clustersize = 1 << clusterbits; ++ unsigned int delta0; + + if (page->index != blkaddr) { + kunmap_atomic(*kaddr_iter); +@@ -1504,12 +1505,13 @@ static erofs_off_t vle_get_logical_exten + di = *kaddr_iter + vle_extent_blkoff(inode, lcn); + switch (vle_cluster_type(di)) { + case Z_EROFS_VLE_CLUSTER_TYPE_NONHEAD: +- BUG_ON(!di->di_u.delta[0]); +- BUG_ON(lcn < di->di_u.delta[0]); ++ delta0 = le16_to_cpu(di->di_u.delta[0]); ++ DBG_BUGON(!delta0); ++ DBG_BUGON(lcn < delta0); + + ofs = vle_get_logical_extent_head(inode, + page_iter, kaddr_iter, +- lcn - di->di_u.delta[0], pcn, flags); ++ lcn - delta0, pcn, flags); + break; + case Z_EROFS_VLE_CLUSTER_TYPE_PLAIN: + *flags ^= EROFS_MAP_ZIPPED; diff --git a/queue-4.19/staging-iio-ad7606-fix-voltage-scales.patch b/queue-4.19/staging-iio-ad7606-fix-voltage-scales.patch new file mode 100644 index 00000000000..fa19413e571 --- /dev/null +++ b/queue-4.19/staging-iio-ad7606-fix-voltage-scales.patch @@ -0,0 +1,45 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: Alexandru Ardelean +Date: Thu, 13 Sep 2018 11:44:09 +0300 +Subject: staging:iio:ad7606: fix voltage scales + +From: Alexandru Ardelean + +[ Upstream commit 4ee033301c898dd0835d035d0e0eb768a3d35da1 ] + +Fixes commit 17be2a2905a6ec9aa27cd59521495e2f490d2af0 ("staging: iio: +ad7606: replace range/range_available with corresponding scale"). + +The AD7606 devices don't have a 2.5V voltage range, they have 5V & 10V +voltage range, which is selectable via the `gpio_range` descriptor. + +The scales also seem to have been miscomputed, because when they were +applied to the raw values, the results differ from the expected values. +After checking the ADC transfer function in the datasheet, these were +re-computed. + +Signed-off-by: Alexandru Ardelean +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/iio/adc/ad7606.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/staging/iio/adc/ad7606.c ++++ b/drivers/staging/iio/adc/ad7606.c +@@ -26,9 +26,12 @@ + + #include "ad7606.h" + +-/* Scales are computed as 2.5/2**16 and 5/2**16 respectively */ ++/* ++ * Scales are computed as 5000/32768 and 10000/32768 respectively, ++ * so that when applied to the raw values they provide mV values ++ */ + static const unsigned int scale_avail[2][2] = { +- {0, 38147}, {0, 76294} ++ {0, 152588}, {0, 305176} + }; + + static int ad7606_reset(struct ad7606_state *st) diff --git a/queue-4.19/staging-most-video-fix-registration-of-an-empty-comp-core_component.patch b/queue-4.19/staging-most-video-fix-registration-of-an-empty-comp-core_component.patch new file mode 100644 index 00000000000..6ca82b5a927 --- /dev/null +++ b/queue-4.19/staging-most-video-fix-registration-of-an-empty-comp-core_component.patch @@ -0,0 +1,58 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: Colin Ian King +Date: Wed, 5 Sep 2018 10:46:05 +0100 +Subject: staging: most: video: fix registration of an empty comp core_component + +From: Colin Ian King + +[ Upstream commit 1f447e51c0b9e8beeec0917ea5f51930f55e17c9 ] + +Currently we have structrues comp (which is empty) and comp_info being +used to register and deregister the component. This mismatch in naming +occurred from a previous commit that renamed aim_info to comp. Fix this +to use consistent component naming in line with most/net, most/sound etc. + +This fixes the message two issues, one with a null empty name when +loading the module: + +[ 1485.269515] most_core: registered new core component (null) + +and an Oops when removing the module: + +[ 1485.277971] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 +[ 1485.278648] PGD 0 P4D 0 +[ 1485.279253] Oops: 0002 [#2] SMP PTI +[ 1485.279847] CPU: 1 PID: 32629 Comm: modprobe Tainted: P D WC OE 4.18.0-8-generic #9 +[ 1485.280442] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015 +[ 1485.281040] RIP: 0010:most_deregister_component+0x3c/0x70 [most_core] +.. etc + +Fixes: 1b10a0316e2d ("staging: most: video: remove aim designators") +Signed-off-by: Colin Ian King +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/most/video/video.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/staging/most/video/video.c ++++ b/drivers/staging/most/video/video.c +@@ -530,7 +530,7 @@ static int comp_disconnect_channel(struc + return 0; + } + +-static struct core_component comp_info = { ++static struct core_component comp = { + .name = "video", + .probe_channel = comp_probe_channel, + .disconnect_channel = comp_disconnect_channel, +@@ -565,7 +565,7 @@ static void __exit comp_exit(void) + } + spin_unlock_irq(&list_lock); + +- most_deregister_component(&comp_info); ++ most_deregister_component(&comp); + BUG_ON(!list_empty(&video_devices)); + } + diff --git a/queue-4.19/tracing-kprobes-check-the-probe-on-unloaded-module-correctly.patch b/queue-4.19/tracing-kprobes-check-the-probe-on-unloaded-module-correctly.patch new file mode 100644 index 00000000000..f75df2aabc0 --- /dev/null +++ b/queue-4.19/tracing-kprobes-check-the-probe-on-unloaded-module-correctly.patch @@ -0,0 +1,97 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: Masami Hiramatsu +Date: Wed, 29 Aug 2018 01:18:15 +0900 +Subject: tracing/kprobes: Check the probe on unloaded module correctly + +From: Masami Hiramatsu + +[ Upstream commit 59158ec4aef7d44be51a6f3e7e17fc64c32604eb ] + +Current kprobe event doesn't checks correctly whether the +given event is on unloaded module or not. It just checks +the event has ":" in the name. + +That is not enough because if we define a probe on non-exist +symbol on loaded module, it allows to define that (with +warning message) + +To ensure it correctly, this searches the module name on +loaded module list and only if there is not, it allows to +define it. (this event will be available when the target +module is loaded) + +Link: http://lkml.kernel.org/r/153547309528.26502.8300278470528281328.stgit@devbox + +Signed-off-by: Masami Hiramatsu +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_kprobe.c | 39 ++++++++++++++++++++++++++------------- + 1 file changed, 26 insertions(+), 13 deletions(-) + +--- a/kernel/trace/trace_kprobe.c ++++ b/kernel/trace/trace_kprobe.c +@@ -61,9 +61,23 @@ static nokprobe_inline bool trace_kprobe + return strncmp(mod->name, name, len) == 0 && name[len] == ':'; + } + +-static nokprobe_inline bool trace_kprobe_is_on_module(struct trace_kprobe *tk) ++static nokprobe_inline bool trace_kprobe_module_exist(struct trace_kprobe *tk) + { +- return !!strchr(trace_kprobe_symbol(tk), ':'); ++ char *p; ++ bool ret; ++ ++ if (!tk->symbol) ++ return false; ++ p = strchr(tk->symbol, ':'); ++ if (!p) ++ return true; ++ *p = '\0'; ++ mutex_lock(&module_mutex); ++ ret = !!find_module(tk->symbol); ++ mutex_unlock(&module_mutex); ++ *p = ':'; ++ ++ return ret; + } + + static nokprobe_inline unsigned long trace_kprobe_nhit(struct trace_kprobe *tk) +@@ -554,19 +568,13 @@ static int __register_trace_kprobe(struc + else + ret = register_kprobe(&tk->rp.kp); + +- if (ret == 0) ++ if (ret == 0) { + tk->tp.flags |= TP_FLAG_REGISTERED; +- else { +- if (ret == -ENOENT && trace_kprobe_is_on_module(tk)) { +- pr_warn("This probe might be able to register after target module is loaded. Continue.\n"); +- ret = 0; +- } else if (ret == -EILSEQ) { +- pr_warn("Probing address(0x%p) is not an instruction boundary.\n", +- tk->rp.kp.addr); +- ret = -EINVAL; +- } ++ } else if (ret == -EILSEQ) { ++ pr_warn("Probing address(0x%p) is not an instruction boundary.\n", ++ tk->rp.kp.addr); ++ ret = -EINVAL; + } +- + return ret; + } + +@@ -629,6 +637,11 @@ static int register_trace_kprobe(struct + + /* Register k*probe */ + ret = __register_trace_kprobe(tk); ++ if (ret == -ENOENT && !trace_kprobe_module_exist(tk)) { ++ pr_warn("This probe might be able to register after target module is loaded. Continue.\n"); ++ ret = 0; ++ } ++ + if (ret < 0) + unregister_kprobe_event(tk); + else diff --git a/queue-4.19/tty-check-name-length-in-tty_find_polling_driver.patch b/queue-4.19/tty-check-name-length-in-tty_find_polling_driver.patch new file mode 100644 index 00000000000..10ab30e0ba9 --- /dev/null +++ b/queue-4.19/tty-check-name-length-in-tty_find_polling_driver.patch @@ -0,0 +1,138 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: Miles Chen +Date: Mon, 8 Oct 2018 10:39:17 +0800 +Subject: tty: check name length in tty_find_polling_driver() + +From: Miles Chen + +[ Upstream commit 33a1a7be198657c8ca26ad406c4d2a89b7162bcc ] + +The issue is found by a fuzzing test. +If tty_find_polling_driver() recevies an incorrect input such as +',,' or '0b', the len becomes 0 and strncmp() always return 0. +In this case, a null p->ops->poll_init() is called and it causes a kernel +panic. + +Fix this by checking name length against zero in tty_find_polling_driver(). + +$echo ,, > /sys/module/kgdboc/parameters/kgdboc +[ 20.804451] WARNING: CPU: 1 PID: 104 at drivers/tty/serial/serial_core.c:457 +uart_get_baud_rate+0xe8/0x190 +[ 20.804917] Modules linked in: +[ 20.805317] CPU: 1 PID: 104 Comm: sh Not tainted 4.19.0-rc7ajb #8 +[ 20.805469] Hardware name: linux,dummy-virt (DT) +[ 20.805732] pstate: 20000005 (nzCv daif -PAN -UAO) +[ 20.805895] pc : uart_get_baud_rate+0xe8/0x190 +[ 20.806042] lr : uart_get_baud_rate+0xc0/0x190 +[ 20.806476] sp : ffffffc06acff940 +[ 20.806676] x29: ffffffc06acff940 x28: 0000000000002580 +[ 20.806977] x27: 0000000000009600 x26: 0000000000009600 +[ 20.807231] x25: ffffffc06acffad0 x24: 00000000ffffeff0 +[ 20.807576] x23: 0000000000000001 x22: 0000000000000000 +[ 20.807807] x21: 0000000000000001 x20: 0000000000000000 +[ 20.808049] x19: ffffffc06acffac8 x18: 0000000000000000 +[ 20.808277] x17: 0000000000000000 x16: 0000000000000000 +[ 20.808520] x15: ffffffffffffffff x14: ffffffff00000000 +[ 20.808757] x13: ffffffffffffffff x12: 0000000000000001 +[ 20.809011] x11: 0101010101010101 x10: ffffff880d59ff5f +[ 20.809292] x9 : ffffff880d59ff5e x8 : ffffffc06acffaf3 +[ 20.809549] x7 : 0000000000000000 x6 : ffffff880d59ff5f +[ 20.809803] x5 : 0000000080008001 x4 : 0000000000000003 +[ 20.810056] x3 : ffffff900853e6b4 x2 : dfffff9000000000 +[ 20.810693] x1 : ffffffc06acffad0 x0 : 0000000000000cb0 +[ 20.811005] Call trace: +[ 20.811214] uart_get_baud_rate+0xe8/0x190 +[ 20.811479] serial8250_do_set_termios+0xe0/0x6f4 +[ 20.811719] serial8250_set_termios+0x48/0x54 +[ 20.811928] uart_set_options+0x138/0x1bc +[ 20.812129] uart_poll_init+0x114/0x16c +[ 20.812330] tty_find_polling_driver+0x158/0x200 +[ 20.812545] configure_kgdboc+0xbc/0x1bc +[ 20.812745] param_set_kgdboc_var+0xb8/0x150 +[ 20.812960] param_attr_store+0xbc/0x150 +[ 20.813160] module_attr_store+0x40/0x58 +[ 20.813364] sysfs_kf_write+0x8c/0xa8 +[ 20.813563] kernfs_fop_write+0x154/0x290 +[ 20.813764] vfs_write+0xf0/0x278 +[ 20.813951] __arm64_sys_write+0x84/0xf4 +[ 20.814400] el0_svc_common+0xf4/0x1dc +[ 20.814616] el0_svc_handler+0x98/0xbc +[ 20.814804] el0_svc+0x8/0xc +[ 20.822005] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 +[ 20.826913] Mem abort info: +[ 20.827103] ESR = 0x84000006 +[ 20.827352] Exception class = IABT (current EL), IL = 16 bits +[ 20.827655] SET = 0, FnV = 0 +[ 20.827855] EA = 0, S1PTW = 0 +[ 20.828135] user pgtable: 4k pages, 39-bit VAs, pgdp = (____ptrval____) +[ 20.828484] [0000000000000000] pgd=00000000aadee003, pud=00000000aadee003, pmd=0000000000000000 +[ 20.829195] Internal error: Oops: 84000006 [#1] SMP +[ 20.829564] Modules linked in: +[ 20.829890] CPU: 1 PID: 104 Comm: sh Tainted: G W 4.19.0-rc7ajb #8 +[ 20.830545] Hardware name: linux,dummy-virt (DT) +[ 20.830829] pstate: 60000085 (nZCv daIf -PAN -UAO) +[ 20.831174] pc : (null) +[ 20.831457] lr : serial8250_do_set_termios+0x358/0x6f4 +[ 20.831727] sp : ffffffc06acff9b0 +[ 20.831936] x29: ffffffc06acff9b0 x28: ffffff9008d7c000 +[ 20.832267] x27: ffffff900969e16f x26: 0000000000000000 +[ 20.832589] x25: ffffff900969dfb0 x24: 0000000000000000 +[ 20.832906] x23: ffffffc06acffad0 x22: ffffff900969e160 +[ 20.833232] x21: 0000000000000000 x20: ffffffc06acffac8 +[ 20.833559] x19: ffffff900969df90 x18: 0000000000000000 +[ 20.833878] x17: 0000000000000000 x16: 0000000000000000 +[ 20.834491] x15: ffffffffffffffff x14: ffffffff00000000 +[ 20.834821] x13: ffffffffffffffff x12: 0000000000000001 +[ 20.835143] x11: 0101010101010101 x10: ffffff880d59ff5f +[ 20.835467] x9 : ffffff880d59ff5e x8 : ffffffc06acffaf3 +[ 20.835790] x7 : 0000000000000000 x6 : ffffff880d59ff5f +[ 20.836111] x5 : c06419717c314100 x4 : 0000000000000007 +[ 20.836419] x3 : 0000000000000000 x2 : 0000000000000000 +[ 20.836732] x1 : 0000000000000001 x0 : ffffff900969df90 +[ 20.837100] Process sh (pid: 104, stack limit = 0x(____ptrval____)) +[ 20.837396] Call trace: +[ 20.837566] (null) +[ 20.837816] serial8250_set_termios+0x48/0x54 +[ 20.838089] uart_set_options+0x138/0x1bc +[ 20.838570] uart_poll_init+0x114/0x16c +[ 20.838834] tty_find_polling_driver+0x158/0x200 +[ 20.839119] configure_kgdboc+0xbc/0x1bc +[ 20.839380] param_set_kgdboc_var+0xb8/0x150 +[ 20.839658] param_attr_store+0xbc/0x150 +[ 20.839920] module_attr_store+0x40/0x58 +[ 20.840183] sysfs_kf_write+0x8c/0xa8 +[ 20.840183] sysfs_kf_write+0x8c/0xa8 +[ 20.840440] kernfs_fop_write+0x154/0x290 +[ 20.840702] vfs_write+0xf0/0x278 +[ 20.840942] __arm64_sys_write+0x84/0xf4 +[ 20.841209] el0_svc_common+0xf4/0x1dc +[ 20.841471] el0_svc_handler+0x98/0xbc +[ 20.841713] el0_svc+0x8/0xc +[ 20.842057] Code: bad PC value +[ 20.842764] ---[ end trace a8835d7de79aaadf ]--- +[ 20.843134] Kernel panic - not syncing: Fatal exception +[ 20.843515] SMP: stopping secondary CPUs +[ 20.844289] Kernel Offset: disabled +[ 20.844634] CPU features: 0x0,21806002 +[ 20.844857] Memory Limit: none +[ 20.845172] ---[ end Kernel panic - not syncing: Fatal exception ]--- + +Signed-off-by: Miles Chen +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/tty_io.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -408,7 +408,7 @@ struct tty_driver *tty_find_polling_driv + mutex_lock(&tty_mutex); + /* Search through the tty devices to look for a match */ + list_for_each_entry(p, &tty_drivers, tty_drivers) { +- if (strncmp(name, p->name, len) != 0) ++ if (!len || strncmp(name, p->name, len) != 0) + continue; + stp = str; + if (*stp == ',') diff --git a/queue-4.19/udf-prevent-write-unsupported-filesystem-to-be-remounted-read-write.patch b/queue-4.19/udf-prevent-write-unsupported-filesystem-to-be-remounted-read-write.patch new file mode 100644 index 00000000000..8860099584a --- /dev/null +++ b/queue-4.19/udf-prevent-write-unsupported-filesystem-to-be-remounted-read-write.patch @@ -0,0 +1,101 @@ +From foo@baz Tue Nov 13 16:10:38 PST 2018 +From: Jan Kara +Date: Thu, 6 Sep 2018 15:56:10 +0200 +Subject: udf: Prevent write-unsupported filesystem to be remounted read-write + +From: Jan Kara + +[ Upstream commit a9ad01bc759df79b0012f43ee52164391e31cd96 ] + +There are certain filesystem features which we support for reading but +not for writing. We properly refuse to mount such filesystems read-write +however for some features (such as read-only partitions), we don't check +for these features when remounting the filesystem from read-only to +read-write. Thus such filesystems could be remounted read-write leading +to strange behavior (most likely crashes). + +Fix the problem by marking in superblock whether the filesystem has some +features that are supported in read-only mode and check this flag during +remount. + +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/udf/super.c | 30 ++++++++++++++++-------------- + fs/udf/udf_sb.h | 2 ++ + 2 files changed, 18 insertions(+), 14 deletions(-) + +--- a/fs/udf/super.c ++++ b/fs/udf/super.c +@@ -613,14 +613,11 @@ static int udf_remount_fs(struct super_b + struct udf_options uopt; + struct udf_sb_info *sbi = UDF_SB(sb); + int error = 0; +- struct logicalVolIntegrityDescImpUse *lvidiu = udf_sb_lvidiu(sb); ++ ++ if (!(*flags & SB_RDONLY) && UDF_QUERY_FLAG(sb, UDF_FLAG_RW_INCOMPAT)) ++ return -EACCES; + + sync_filesystem(sb); +- if (lvidiu) { +- int write_rev = le16_to_cpu(lvidiu->minUDFWriteRev); +- if (write_rev > UDF_MAX_WRITE_VERSION && !(*flags & SB_RDONLY)) +- return -EACCES; +- } + + uopt.flags = sbi->s_flags; + uopt.uid = sbi->s_uid; +@@ -1257,6 +1254,7 @@ static int udf_load_partdesc(struct supe + ret = -EACCES; + goto out_bh; + } ++ UDF_SET_FLAG(sb, UDF_FLAG_RW_INCOMPAT); + ret = udf_load_vat(sb, i, type1_idx); + if (ret < 0) + goto out_bh; +@@ -2155,10 +2153,12 @@ static int udf_fill_super(struct super_b + UDF_MAX_READ_VERSION); + ret = -EINVAL; + goto error_out; +- } else if (minUDFWriteRev > UDF_MAX_WRITE_VERSION && +- !sb_rdonly(sb)) { +- ret = -EACCES; +- goto error_out; ++ } else if (minUDFWriteRev > UDF_MAX_WRITE_VERSION) { ++ if (!sb_rdonly(sb)) { ++ ret = -EACCES; ++ goto error_out; ++ } ++ UDF_SET_FLAG(sb, UDF_FLAG_RW_INCOMPAT); + } + + sbi->s_udfrev = minUDFWriteRev; +@@ -2176,10 +2176,12 @@ static int udf_fill_super(struct super_b + } + + if (sbi->s_partmaps[sbi->s_partition].s_partition_flags & +- UDF_PART_FLAG_READ_ONLY && +- !sb_rdonly(sb)) { +- ret = -EACCES; +- goto error_out; ++ UDF_PART_FLAG_READ_ONLY) { ++ if (!sb_rdonly(sb)) { ++ ret = -EACCES; ++ goto error_out; ++ } ++ UDF_SET_FLAG(sb, UDF_FLAG_RW_INCOMPAT); + } + + if (udf_find_fileset(sb, &fileset, &rootdir)) { +--- a/fs/udf/udf_sb.h ++++ b/fs/udf/udf_sb.h +@@ -30,6 +30,8 @@ + #define UDF_FLAG_LASTBLOCK_SET 16 + #define UDF_FLAG_BLOCKSIZE_SET 17 + #define UDF_FLAG_INCONSISTENT 18 ++#define UDF_FLAG_RW_INCOMPAT 19 /* Set when we find RW incompatible ++ * feature */ + + #define UDF_PART_FLAG_UNALLOC_BITMAP 0x0001 + #define UDF_PART_FLAG_UNALLOC_TABLE 0x0002 -- 2.47.2