From f6775e23fab009f97dbf2b96dcf9ad43c6537e36 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 7 Sep 2017 16:48:14 +0200 Subject: [PATCH] 4.13-stable patches added patches: android-binder-add-hwbinder-vndbinder-to-binder_devices.patch android-binder-add-padding-to-binder_fd_array_object.patch ath10k-fix-memory-leak-in-rx-ring-buffer-allocation.patch binder-free-memory-on-error.patch bluetooth-add-support-of-13d3-3494-rtl8723be-device.patch crypto-caam-qi-fix-compilation-with-config_debug_force_weak_per_cpu-y.patch crypto-caam-qi-fix-compilation-with-debug-enabled.patch dlm-avoid-double-free-on-error-path-in-dlm_device_-register-unregister.patch driver-core-bus-fix-a-potential-double-free.patch drm-nouveau-fix-error-handling-in-nv50_disp_atomic_commit.patch drm-nouveau-pci-msi-disable-msi-on-big-endian-platforms-by-default.patch fpga-altera-hps2fpga-fix-multiple-init-of-l3_remap_lock.patch hid-wacom-do-not-completely-map-wacom_hid_wd_touchringstatus-usage.patch iio-adc-ti-ads1015-add-adequate-wait-time-to-get-correct-conversion.patch iio-adc-ti-ads1015-avoid-getting-stale-result-after-runtime-resume.patch iio-adc-ti-ads1015-don-t-return-invalid-value-from-buffer-setup-callbacks.patch iio-adc-ti-ads1015-enable-conversion-when-config_pm-is-not-set.patch iio-adc-ti-ads1015-fix-incorrect-data-rate-setting-update.patch iio-adc-ti-ads1015-fix-scale-information-for-ads1115.patch intel_th-pci-add-cannon-lake-pch-h-support.patch intel_th-pci-add-cannon-lake-pch-lp-support.patch iwlwifi-pci-add-new-pci-id-for-7265d.patch mcb-add-support-for-sc31-to-mcb-lpc.patch mwifiex-correct-channel-stat-buffer-overflows.patch rtlwifi-rtl_pci_probe-fix-fail-path-of-_rtl_pci_find_adapter.patch s390-mm-avoid-empty-zero-pages-for-kvm-guests-to-avoid-postcopy-hangs.patch staging-ccree-save-ciphertext-for-cts-iv.patch staging-fsl-dpaa2-eth-fix-off-by-one-fd-ctrl-bitmaks.patch staging-rts5208-fix-incorrect-shift-to-extract-upper-nybble.patch thunderbolt-fix-reset-response_type.patch usb-core-avoid-race-of-async_completed-w-usbdev_release.patch workqueue-fix-flag-collision.patch --- ...hwbinder-vndbinder-to-binder_devices.patch | 40 +++ ...dd-padding-to-binder_fd_array_object.patch | 43 ++++ ...ry-leak-in-rx-ring-buffer-allocation.patch | 65 +++++ queue-4.13/binder-free-memory-on-error.patch | 51 ++++ ...upport-of-13d3-3494-rtl8723be-device.patch | 57 +++++ ...th-config_debug_force_weak_per_cpu-y.patch | 43 ++++ ...i-fix-compilation-with-debug-enabled.patch | 228 ++++++++++++++++++ ...h-in-dlm_device_-register-unregister.patch | 151 ++++++++++++ ...core-bus-fix-a-potential-double-free.patch | 33 +++ ...-handling-in-nv50_disp_atomic_commit.patch | 60 +++++ ...i-on-big-endian-platforms-by-default.patch | 37 +++ ...a-fix-multiple-init-of-l3_remap_lock.patch | 43 ++++ ...p-wacom_hid_wd_touchringstatus-usage.patch | 47 ++++ ...-wait-time-to-get-correct-conversion.patch | 78 ++++++ ...ng-stale-result-after-runtime-resume.patch | 83 +++++++ ...id-value-from-buffer-setup-callbacks.patch | 39 +++ ...conversion-when-config_pm-is-not-set.patch | 44 ++++ ...x-incorrect-data-rate-setting-update.patch | 85 +++++++ ...15-fix-scale-information-for-ads1115.patch | 139 +++++++++++ ...th-pci-add-cannon-lake-pch-h-support.patch | 32 +++ ...h-pci-add-cannon-lake-pch-lp-support.patch | 32 +++ ...iwlwifi-pci-add-new-pci-id-for-7265d.patch | 28 +++ .../mcb-add-support-for-sc31-to-mcb-lpc.patch | 53 ++++ ...orrect-channel-stat-buffer-overflows.patch | 74 ++++++ ...x-fail-path-of-_rtl_pci_find_adapter.patch | 53 ++++ ...r-kvm-guests-to-avoid-postcopy-hangs.patch | 122 ++++++++++ queue-4.13/series | 32 +++ ...ing-ccree-save-ciphertext-for-cts-iv.patch | 118 +++++++++ ...2-eth-fix-off-by-one-fd-ctrl-bitmaks.patch | 36 +++ ...orrect-shift-to-extract-upper-nybble.patch | 34 +++ .../thunderbolt-fix-reset-response_type.patch | 34 +++ ...-of-async_completed-w-usbdev_release.patch | 105 ++++++++ queue-4.13/workqueue-fix-flag-collision.patch | 35 +++ 33 files changed, 2154 insertions(+) create mode 100644 queue-4.13/android-binder-add-hwbinder-vndbinder-to-binder_devices.patch create mode 100644 queue-4.13/android-binder-add-padding-to-binder_fd_array_object.patch create mode 100644 queue-4.13/ath10k-fix-memory-leak-in-rx-ring-buffer-allocation.patch create mode 100644 queue-4.13/binder-free-memory-on-error.patch create mode 100644 queue-4.13/bluetooth-add-support-of-13d3-3494-rtl8723be-device.patch create mode 100644 queue-4.13/crypto-caam-qi-fix-compilation-with-config_debug_force_weak_per_cpu-y.patch create mode 100644 queue-4.13/crypto-caam-qi-fix-compilation-with-debug-enabled.patch create mode 100644 queue-4.13/dlm-avoid-double-free-on-error-path-in-dlm_device_-register-unregister.patch create mode 100644 queue-4.13/driver-core-bus-fix-a-potential-double-free.patch create mode 100644 queue-4.13/drm-nouveau-fix-error-handling-in-nv50_disp_atomic_commit.patch create mode 100644 queue-4.13/drm-nouveau-pci-msi-disable-msi-on-big-endian-platforms-by-default.patch create mode 100644 queue-4.13/fpga-altera-hps2fpga-fix-multiple-init-of-l3_remap_lock.patch create mode 100644 queue-4.13/hid-wacom-do-not-completely-map-wacom_hid_wd_touchringstatus-usage.patch create mode 100644 queue-4.13/iio-adc-ti-ads1015-add-adequate-wait-time-to-get-correct-conversion.patch create mode 100644 queue-4.13/iio-adc-ti-ads1015-avoid-getting-stale-result-after-runtime-resume.patch create mode 100644 queue-4.13/iio-adc-ti-ads1015-don-t-return-invalid-value-from-buffer-setup-callbacks.patch create mode 100644 queue-4.13/iio-adc-ti-ads1015-enable-conversion-when-config_pm-is-not-set.patch create mode 100644 queue-4.13/iio-adc-ti-ads1015-fix-incorrect-data-rate-setting-update.patch create mode 100644 queue-4.13/iio-adc-ti-ads1015-fix-scale-information-for-ads1115.patch create mode 100644 queue-4.13/intel_th-pci-add-cannon-lake-pch-h-support.patch create mode 100644 queue-4.13/intel_th-pci-add-cannon-lake-pch-lp-support.patch create mode 100644 queue-4.13/iwlwifi-pci-add-new-pci-id-for-7265d.patch create mode 100644 queue-4.13/mcb-add-support-for-sc31-to-mcb-lpc.patch create mode 100644 queue-4.13/mwifiex-correct-channel-stat-buffer-overflows.patch create mode 100644 queue-4.13/rtlwifi-rtl_pci_probe-fix-fail-path-of-_rtl_pci_find_adapter.patch create mode 100644 queue-4.13/s390-mm-avoid-empty-zero-pages-for-kvm-guests-to-avoid-postcopy-hangs.patch create mode 100644 queue-4.13/staging-ccree-save-ciphertext-for-cts-iv.patch create mode 100644 queue-4.13/staging-fsl-dpaa2-eth-fix-off-by-one-fd-ctrl-bitmaks.patch create mode 100644 queue-4.13/staging-rts5208-fix-incorrect-shift-to-extract-upper-nybble.patch create mode 100644 queue-4.13/thunderbolt-fix-reset-response_type.patch create mode 100644 queue-4.13/usb-core-avoid-race-of-async_completed-w-usbdev_release.patch create mode 100644 queue-4.13/workqueue-fix-flag-collision.patch diff --git a/queue-4.13/android-binder-add-hwbinder-vndbinder-to-binder_devices.patch b/queue-4.13/android-binder-add-hwbinder-vndbinder-to-binder_devices.patch new file mode 100644 index 00000000000..3ecf333f718 --- /dev/null +++ b/queue-4.13/android-binder-add-hwbinder-vndbinder-to-binder_devices.patch @@ -0,0 +1,40 @@ +From 9e18d0c82f0c07f2a41898d4adbb698a953403ee Mon Sep 17 00:00:00 2001 +From: Martijn Coenen +Date: Fri, 28 Jul 2017 13:56:07 +0200 +Subject: ANDROID: binder: add hwbinder,vndbinder to BINDER_DEVICES. + +From: Martijn Coenen + +commit 9e18d0c82f0c07f2a41898d4adbb698a953403ee upstream. + +These will be required going forward. + +Signed-off-by: Martijn Coenen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/android/Kconfig | 2 +- + kernel/configs/android-base.config | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/android/Kconfig ++++ b/drivers/android/Kconfig +@@ -22,7 +22,7 @@ config ANDROID_BINDER_IPC + config ANDROID_BINDER_DEVICES + string "Android Binder devices" + depends on ANDROID_BINDER_IPC +- default "binder,hwbinder" ++ default "binder,hwbinder,vndbinder" + ---help--- + Default value for the binder.devices parameter. + +--- a/kernel/configs/android-base.config ++++ b/kernel/configs/android-base.config +@@ -10,6 +10,7 @@ + # CONFIG_USELIB is not set + CONFIG_ANDROID=y + CONFIG_ANDROID_BINDER_IPC=y ++CONFIG_ANDROID_BINDER_DEVICES=binder,hwbinder,vndbinder + CONFIG_ANDROID_LOW_MEMORY_KILLER=y + CONFIG_ARMV8_DEPRECATED=y + CONFIG_ASHMEM=y diff --git a/queue-4.13/android-binder-add-padding-to-binder_fd_array_object.patch b/queue-4.13/android-binder-add-padding-to-binder_fd_array_object.patch new file mode 100644 index 00000000000..8907dfbe370 --- /dev/null +++ b/queue-4.13/android-binder-add-padding-to-binder_fd_array_object.patch @@ -0,0 +1,43 @@ +From 5cdcf4c6a638591ec0e98c57404a19e7f9997567 Mon Sep 17 00:00:00 2001 +From: Martijn Coenen +Date: Fri, 28 Jul 2017 13:56:06 +0200 +Subject: ANDROID: binder: add padding to binder_fd_array_object. + +From: Martijn Coenen + +commit 5cdcf4c6a638591ec0e98c57404a19e7f9997567 upstream. + +binder_fd_array_object starts with a 4-byte header, +followed by a few fields that are 8 bytes when +ANDROID_BINDER_IPC_32BIT=N. + +This can cause alignment issues in a 64-bit kernel +with a 32-bit userspace, as on x86_32 an 8-byte primitive +may be aligned to a 4-byte address. Pad with a __u32 +to fix this. + +Signed-off-by: Martijn Coenen +Signed-off-by: Greg Kroah-Hartman + +--- + include/uapi/linux/android/binder.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/include/uapi/linux/android/binder.h ++++ b/include/uapi/linux/android/binder.h +@@ -132,6 +132,7 @@ enum { + + /* struct binder_fd_array_object - object describing an array of fds in a buffer + * @hdr: common header structure ++ * @pad: padding to ensure correct alignment + * @num_fds: number of file descriptors in the buffer + * @parent: index in offset array to buffer holding the fd array + * @parent_offset: start offset of fd array in the buffer +@@ -152,6 +153,7 @@ enum { + */ + struct binder_fd_array_object { + struct binder_object_header hdr; ++ __u32 pad; + binder_size_t num_fds; + binder_size_t parent; + binder_size_t parent_offset; diff --git a/queue-4.13/ath10k-fix-memory-leak-in-rx-ring-buffer-allocation.patch b/queue-4.13/ath10k-fix-memory-leak-in-rx-ring-buffer-allocation.patch new file mode 100644 index 00000000000..b253e7b0e35 --- /dev/null +++ b/queue-4.13/ath10k-fix-memory-leak-in-rx-ring-buffer-allocation.patch @@ -0,0 +1,65 @@ +From f35a7f91f66af528b3ee1921de16bea31d347ab0 Mon Sep 17 00:00:00 2001 +From: Rakesh Pillai +Date: Wed, 2 Aug 2017 16:03:37 +0530 +Subject: ath10k: fix memory leak in rx ring buffer allocation + +From: Rakesh Pillai + +commit f35a7f91f66af528b3ee1921de16bea31d347ab0 upstream. + +The rx ring buffers are added to a hash table if +firmware support full rx reorder. If the full rx +reorder support flag is not set before allocating +the rx ring buffers, none of the buffers are added +to the hash table. + +There is a race condition between rx ring refill and +rx buffer replenish from napi poll. The interrupts are +enabled in hif start, before the rx ring is refilled during init. +We replenish buffers from napi poll due to the interrupts which +get enabled after hif start. Hence before the entire rx ring is +refilled during the init, the napi poll replenishes a few buffers +in steps of 100 buffers per attempt. During this rx ring replenish +from napi poll, the rx reorder flag has not been set due to which +the replenished buffers are not added to the hash table + +Set the rx full reorder support flag before we allocate +the rx ring buffer to avoid the memory leak. + +Signed-off-by: Rakesh Pillai +Signed-off-by: Kalle Valo +Cc: Christian Lamparter +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath10k/core.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/net/wireless/ath/ath10k/core.c ++++ b/drivers/net/wireless/ath/ath10k/core.c +@@ -2055,6 +2055,12 @@ int ath10k_core_start(struct ath10k *ar, + goto err_wmi_detach; + } + ++ /* If firmware indicates Full Rx Reorder support it must be used in a ++ * slightly different manner. Let HTT code know. ++ */ ++ ar->htt.rx_ring.in_ord_rx = !!(test_bit(WMI_SERVICE_RX_FULL_REORDER, ++ ar->wmi.svc_map)); ++ + status = ath10k_htt_rx_alloc(&ar->htt); + if (status) { + ath10k_err(ar, "failed to alloc htt rx: %d\n", status); +@@ -2167,12 +2173,6 @@ int ath10k_core_start(struct ath10k *ar, + } + } + +- /* If firmware indicates Full Rx Reorder support it must be used in a +- * slightly different manner. Let HTT code know. +- */ +- ar->htt.rx_ring.in_ord_rx = !!(test_bit(WMI_SERVICE_RX_FULL_REORDER, +- ar->wmi.svc_map)); +- + status = ath10k_htt_rx_ring_refill(ar); + if (status) { + ath10k_err(ar, "failed to refill htt rx ring: %d\n", status); diff --git a/queue-4.13/binder-free-memory-on-error.patch b/queue-4.13/binder-free-memory-on-error.patch new file mode 100644 index 00000000000..09f4e8ea7af --- /dev/null +++ b/queue-4.13/binder-free-memory-on-error.patch @@ -0,0 +1,51 @@ +From 22eb9476b5d80a393ac0ba235c42bccc90b82c76 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Mon, 21 Aug 2017 16:13:28 +0200 +Subject: binder: free memory on error + +From: Christian Brauner + +commit 22eb9476b5d80a393ac0ba235c42bccc90b82c76 upstream. + +On binder_init() the devices string is duplicated and smashed into individual +device names which are passed along. However, the original duplicated string +wasn't freed in case binder_init() failed. Let's free it on error. + +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/android/binder.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/android/binder.c ++++ b/drivers/android/binder.c +@@ -4215,7 +4215,7 @@ static int __init init_binder_device(con + static int __init binder_init(void) + { + int ret; +- char *device_name, *device_names; ++ char *device_name, *device_names, *device_tmp; + struct binder_device *device; + struct hlist_node *tmp; + +@@ -4263,7 +4263,8 @@ static int __init binder_init(void) + } + strcpy(device_names, binder_devices_param); + +- while ((device_name = strsep(&device_names, ","))) { ++ device_tmp = device_names; ++ while ((device_name = strsep(&device_tmp, ","))) { + ret = init_binder_device(device_name); + if (ret) + goto err_init_binder_device_failed; +@@ -4277,6 +4278,9 @@ err_init_binder_device_failed: + hlist_del(&device->hlist); + kfree(device); + } ++ ++ kfree(device_names); ++ + err_alloc_device_names_failed: + debugfs_remove_recursive(binder_debugfs_dir_entry_root); + diff --git a/queue-4.13/bluetooth-add-support-of-13d3-3494-rtl8723be-device.patch b/queue-4.13/bluetooth-add-support-of-13d3-3494-rtl8723be-device.patch new file mode 100644 index 00000000000..ef3bf230016 --- /dev/null +++ b/queue-4.13/bluetooth-add-support-of-13d3-3494-rtl8723be-device.patch @@ -0,0 +1,57 @@ +From a81d72d2002d6a932bd83022cbf8c442b1b97512 Mon Sep 17 00:00:00 2001 +From: Dmitry Tunin +Date: Tue, 8 Aug 2017 14:09:02 +0300 +Subject: Bluetooth: Add support of 13d3:3494 RTL8723BE device + +From: Dmitry Tunin + +commit a81d72d2002d6a932bd83022cbf8c442b1b97512 upstream. + +T: Bus=02 Lev=01 Prnt=01 Port=03 Cnt=03 Dev#= 4 Spd=12 MxCh= 0 +D: Ver= 2.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=13d3 ProdID=3494 Rev= 2.00 +S: Manufacturer=Realtek +S: Product=Bluetooth Radio +S: SerialNumber=00e04c000001 +C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA +I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms + +Signed-off-by: Dmitry Tunin +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bluetooth/btusb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -357,6 +357,7 @@ static const struct usb_device_id blackl + { USB_DEVICE(0x13d3, 0x3410), .driver_info = BTUSB_REALTEK }, + { USB_DEVICE(0x13d3, 0x3416), .driver_info = BTUSB_REALTEK }, + { USB_DEVICE(0x13d3, 0x3459), .driver_info = BTUSB_REALTEK }, ++ { USB_DEVICE(0x13d3, 0x3494), .driver_info = BTUSB_REALTEK }, + + /* Additional Realtek 8821AE Bluetooth devices */ + { USB_DEVICE(0x0b05, 0x17dc), .driver_info = BTUSB_REALTEK }, diff --git a/queue-4.13/crypto-caam-qi-fix-compilation-with-config_debug_force_weak_per_cpu-y.patch b/queue-4.13/crypto-caam-qi-fix-compilation-with-config_debug_force_weak_per_cpu-y.patch new file mode 100644 index 00000000000..3431d5ff072 --- /dev/null +++ b/queue-4.13/crypto-caam-qi-fix-compilation-with-config_debug_force_weak_per_cpu-y.patch @@ -0,0 +1,43 @@ +From 1ed289f7b78c34565a33dbe6f8c482e71f493934 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Horia=20Geant=C4=83?= +Date: Mon, 10 Jul 2017 08:40:29 +0300 +Subject: crypto: caam/qi - fix compilation with CONFIG_DEBUG_FORCE_WEAK_PER_CPU=y +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Horia Geantă + +commit 1ed289f7b78c34565a33dbe6f8c482e71f493934 upstream. + +caam/qi driver fails to compile when CONFIG_DEBUG_FORCE_WEAK_PER_CPU=y. +Fix it by making the offending local per_cpu variable global. + +Fixes: 67c2315def06c ("crypto: caam - add Queue Interface (QI) backend support") +Reported-by: kbuild test robot +Signed-off-by: Horia Geantă +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/caam/qi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/crypto/caam/qi.c ++++ b/drivers/crypto/caam/qi.c +@@ -55,6 +55,7 @@ struct caam_qi_pcpu_priv { + } ____cacheline_aligned; + + static DEFINE_PER_CPU(struct caam_qi_pcpu_priv, pcpu_qipriv); ++static DEFINE_PER_CPU(int, last_cpu); + + /* + * caam_qi_priv - CAAM QI backend private params +@@ -392,7 +393,6 @@ struct caam_drv_ctx *caam_drv_ctx_init(s + dma_addr_t hwdesc; + struct caam_drv_ctx *drv_ctx; + const cpumask_t *cpus = qman_affine_cpus(); +- static DEFINE_PER_CPU(int, last_cpu); + + num_words = desc_len(sh_desc); + if (num_words > MAX_SDLEN) { diff --git a/queue-4.13/crypto-caam-qi-fix-compilation-with-debug-enabled.patch b/queue-4.13/crypto-caam-qi-fix-compilation-with-debug-enabled.patch new file mode 100644 index 00000000000..3d32fedc460 --- /dev/null +++ b/queue-4.13/crypto-caam-qi-fix-compilation-with-debug-enabled.patch @@ -0,0 +1,228 @@ +From 972b812bd1e17cb0a9112f565951795f886fcc94 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Horia=20Geant=C4=83?= +Date: Mon, 10 Jul 2017 08:40:28 +0300 +Subject: crypto: caam/qi - fix compilation with DEBUG enabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Horia Geantă + +commit 972b812bd1e17cb0a9112f565951795f886fcc94 upstream. + +caam/qi driver does not compile when DEBUG is enabled +(CRYPTO_DEV_FSL_CAAM_DEBUG=y): + +drivers/crypto/caam/caamalg_qi.c: In function 'ablkcipher_done': +drivers/crypto/caam/caamalg_qi.c:794:2: error: implicit declaration of function 'dbg_dump_sg' [-Werror=implicit-function-declaration] + dbg_dump_sg(KERN_ERR, "dst @" __stringify(__LINE__)": ", + +Since dbg_dump_sg() is shared between caam/jr and caam/qi, move it +in a shared location and export it. + +At the same time: +-reduce ifdeferry by providing a no-op implementation for !DEBUG case +-rename it to caam_dump_sg() to be consistent in terms of +exported symbols namespace (caam_*) + +Fixes: b189817cf789 ("crypto: caam/qi - add ablkcipher and authenc algorithms") +Signed-off-by: Horia Geantă +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/caam/caamalg.c | 66 ++++++++------------------------------- + drivers/crypto/caam/caamalg_qi.c | 6 +-- + drivers/crypto/caam/error.c | 40 +++++++++++++++++++++++ + drivers/crypto/caam/error.h | 4 ++ + 4 files changed, 62 insertions(+), 54 deletions(-) + +--- a/drivers/crypto/caam/caamalg.c ++++ b/drivers/crypto/caam/caamalg.c +@@ -81,40 +81,6 @@ + #define debug(format, arg...) + #endif + +-#ifdef DEBUG +-#include +- +-static void dbg_dump_sg(const char *level, const char *prefix_str, +- int prefix_type, int rowsize, int groupsize, +- struct scatterlist *sg, size_t tlen, bool ascii) +-{ +- struct scatterlist *it; +- void *it_page; +- size_t len; +- void *buf; +- +- for (it = sg; it != NULL && tlen > 0 ; it = sg_next(sg)) { +- /* +- * make sure the scatterlist's page +- * has a valid virtual memory mapping +- */ +- it_page = kmap_atomic(sg_page(it)); +- if (unlikely(!it_page)) { +- printk(KERN_ERR "dbg_dump_sg: kmap failed\n"); +- return; +- } +- +- buf = it_page + it->offset; +- len = min_t(size_t, tlen, it->length); +- print_hex_dump(level, prefix_str, prefix_type, rowsize, +- groupsize, buf, len, ascii); +- tlen -= len; +- +- kunmap_atomic(it_page); +- } +-} +-#endif +- + static struct list_head alg_list; + + struct caam_alg_entry { +@@ -898,10 +864,10 @@ static void ablkcipher_encrypt_done(stru + print_hex_dump(KERN_ERR, "dstiv @"__stringify(__LINE__)": ", + DUMP_PREFIX_ADDRESS, 16, 4, req->info, + edesc->src_nents > 1 ? 100 : ivsize, 1); +- dbg_dump_sg(KERN_ERR, "dst @"__stringify(__LINE__)": ", +- DUMP_PREFIX_ADDRESS, 16, 4, req->dst, +- edesc->dst_nents > 1 ? 100 : req->nbytes, 1); + #endif ++ caam_dump_sg(KERN_ERR, "dst @" __stringify(__LINE__)": ", ++ DUMP_PREFIX_ADDRESS, 16, 4, req->dst, ++ edesc->dst_nents > 1 ? 100 : req->nbytes, 1); + + ablkcipher_unmap(jrdev, edesc, req); + +@@ -937,10 +903,10 @@ static void ablkcipher_decrypt_done(stru + print_hex_dump(KERN_ERR, "dstiv @"__stringify(__LINE__)": ", + DUMP_PREFIX_ADDRESS, 16, 4, req->info, + ivsize, 1); +- dbg_dump_sg(KERN_ERR, "dst @"__stringify(__LINE__)": ", +- DUMP_PREFIX_ADDRESS, 16, 4, req->dst, +- edesc->dst_nents > 1 ? 100 : req->nbytes, 1); + #endif ++ caam_dump_sg(KERN_ERR, "dst @" __stringify(__LINE__)": ", ++ DUMP_PREFIX_ADDRESS, 16, 4, req->dst, ++ edesc->dst_nents > 1 ? 100 : req->nbytes, 1); + + ablkcipher_unmap(jrdev, edesc, req); + +@@ -1107,10 +1073,10 @@ static void init_ablkcipher_job(u32 *sh_ + ivsize, 1); + pr_err("asked=%d, nbytes%d\n", + (int)edesc->src_nents > 1 ? 100 : req->nbytes, req->nbytes); +- dbg_dump_sg(KERN_ERR, "src @"__stringify(__LINE__)": ", +- DUMP_PREFIX_ADDRESS, 16, 4, req->src, +- edesc->src_nents > 1 ? 100 : req->nbytes, 1); + #endif ++ caam_dump_sg(KERN_ERR, "src @" __stringify(__LINE__)": ", ++ DUMP_PREFIX_ADDRESS, 16, 4, req->src, ++ edesc->src_nents > 1 ? 100 : req->nbytes, 1); + + len = desc_len(sh_desc); + init_job_desc_shared(desc, ptr, len, HDR_SHARE_DEFER | HDR_REVERSE); +@@ -1164,10 +1130,10 @@ static void init_ablkcipher_giv_job(u32 + print_hex_dump(KERN_ERR, "presciv@" __stringify(__LINE__) ": ", + DUMP_PREFIX_ADDRESS, 16, 4, req->info, + ivsize, 1); +- dbg_dump_sg(KERN_ERR, "src @" __stringify(__LINE__) ": ", +- DUMP_PREFIX_ADDRESS, 16, 4, req->src, +- edesc->src_nents > 1 ? 100 : req->nbytes, 1); + #endif ++ caam_dump_sg(KERN_ERR, "src @" __stringify(__LINE__) ": ", ++ DUMP_PREFIX_ADDRESS, 16, 4, req->src, ++ edesc->src_nents > 1 ? 100 : req->nbytes, 1); + + len = desc_len(sh_desc); + init_job_desc_shared(desc, ptr, len, HDR_SHARE_DEFER | HDR_REVERSE); +@@ -1449,11 +1415,9 @@ static int aead_decrypt(struct aead_requ + u32 *desc; + int ret = 0; + +-#ifdef DEBUG +- dbg_dump_sg(KERN_ERR, "dec src@"__stringify(__LINE__)": ", +- DUMP_PREFIX_ADDRESS, 16, 4, req->src, +- req->assoclen + req->cryptlen, 1); +-#endif ++ caam_dump_sg(KERN_ERR, "dec src@" __stringify(__LINE__)": ", ++ DUMP_PREFIX_ADDRESS, 16, 4, req->src, ++ req->assoclen + req->cryptlen, 1); + + /* allocate extended descriptor */ + edesc = aead_edesc_alloc(req, AUTHENC_DESC_JOB_IO_LEN, +--- a/drivers/crypto/caam/caamalg_qi.c ++++ b/drivers/crypto/caam/caamalg_qi.c +@@ -791,9 +791,9 @@ static void ablkcipher_done(struct caam_ + print_hex_dump(KERN_ERR, "dstiv @" __stringify(__LINE__)": ", + DUMP_PREFIX_ADDRESS, 16, 4, req->info, + edesc->src_nents > 1 ? 100 : ivsize, 1); +- dbg_dump_sg(KERN_ERR, "dst @" __stringify(__LINE__)": ", +- DUMP_PREFIX_ADDRESS, 16, 4, req->dst, +- edesc->dst_nents > 1 ? 100 : req->nbytes, 1); ++ caam_dump_sg(KERN_ERR, "dst @" __stringify(__LINE__)": ", ++ DUMP_PREFIX_ADDRESS, 16, 4, req->dst, ++ edesc->dst_nents > 1 ? 100 : req->nbytes, 1); + #endif + + ablkcipher_unmap(qidev, edesc, req); +--- a/drivers/crypto/caam/error.c ++++ b/drivers/crypto/caam/error.c +@@ -9,6 +9,46 @@ + #include "desc.h" + #include "error.h" + ++#ifdef DEBUG ++#include ++ ++void caam_dump_sg(const char *level, const char *prefix_str, int prefix_type, ++ int rowsize, int groupsize, struct scatterlist *sg, ++ size_t tlen, bool ascii) ++{ ++ struct scatterlist *it; ++ void *it_page; ++ size_t len; ++ void *buf; ++ ++ for (it = sg; it && tlen > 0 ; it = sg_next(sg)) { ++ /* ++ * make sure the scatterlist's page ++ * has a valid virtual memory mapping ++ */ ++ it_page = kmap_atomic(sg_page(it)); ++ if (unlikely(!it_page)) { ++ pr_err("caam_dump_sg: kmap failed\n"); ++ return; ++ } ++ ++ buf = it_page + it->offset; ++ len = min_t(size_t, tlen, it->length); ++ print_hex_dump(level, prefix_str, prefix_type, rowsize, ++ groupsize, buf, len, ascii); ++ tlen -= len; ++ ++ kunmap_atomic(it_page); ++ } ++} ++#else ++void caam_dump_sg(const char *level, const char *prefix_str, int prefix_type, ++ int rowsize, int groupsize, struct scatterlist *sg, ++ size_t tlen, bool ascii) ++{} ++#endif /* DEBUG */ ++EXPORT_SYMBOL(caam_dump_sg); ++ + static const struct { + u8 value; + const char *error_text; +--- a/drivers/crypto/caam/error.h ++++ b/drivers/crypto/caam/error.h +@@ -8,4 +8,8 @@ + #define CAAM_ERROR_H + #define CAAM_ERROR_STR_MAX 302 + void caam_jr_strstatus(struct device *jrdev, u32 status); ++ ++void caam_dump_sg(const char *level, const char *prefix_str, int prefix_type, ++ int rowsize, int groupsize, struct scatterlist *sg, ++ size_t tlen, bool ascii); + #endif /* CAAM_ERROR_H */ diff --git a/queue-4.13/dlm-avoid-double-free-on-error-path-in-dlm_device_-register-unregister.patch b/queue-4.13/dlm-avoid-double-free-on-error-path-in-dlm_device_-register-unregister.patch new file mode 100644 index 00000000000..1867c2318ad --- /dev/null +++ b/queue-4.13/dlm-avoid-double-free-on-error-path-in-dlm_device_-register-unregister.patch @@ -0,0 +1,151 @@ +From 55acdd926f6b21a5cdba23da98a48aedf19ac9c3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Edwin=20T=C3=B6r=C3=B6k?= +Date: Thu, 3 Aug 2017 10:30:06 +0100 +Subject: dlm: avoid double-free on error path in dlm_device_{register,unregister} +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Edwin Török + +commit 55acdd926f6b21a5cdba23da98a48aedf19ac9c3 upstream. + +Can be reproduced when running dlm_controld (tested on 4.4.x, 4.12.4): + # seq 1 100 | xargs -P0 -n1 dlm_tool join + # seq 1 100 | xargs -P0 -n1 dlm_tool leave + +misc_register fails due to duplicate sysfs entry, which causes +dlm_device_register to free ls->ls_device.name. +In dlm_device_deregister the name was freed again, causing memory +corruption. + +According to the comment in dlm_device_deregister the name should've been +set to NULL when registration fails, +so this patch does that. + +sysfs: cannot create duplicate filename '/dev/char/10:1' +------------[ cut here ]------------ +warning: cpu: 1 pid: 4450 at fs/sysfs/dir.c:31 sysfs_warn_dup+0x56/0x70 +modules linked in: msr rfcomm dlm ccm bnep dm_crypt uvcvideo +videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core videodev +btusb media btrtl btbcm btintel bluetooth ecdh_generic intel_rapl +x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm +snd_hda_codec_hdmi irqbypass crct10dif_pclmul crc32_pclmul +ghash_clmulni_intel thinkpad_acpi pcbc nvram snd_seq_midi +snd_seq_midi_event aesni_intel snd_hda_codec_realtek snd_hda_codec_generic +snd_rawmidi aes_x86_64 crypto_simd glue_helper snd_hda_intel snd_hda_codec +cryptd intel_cstate arc4 snd_hda_core snd_seq snd_seq_device snd_hwdep +iwldvm intel_rapl_perf mac80211 joydev input_leds iwlwifi serio_raw +cfg80211 snd_pcm shpchp snd_timer snd mac_hid mei_me lpc_ich mei soundcore +sunrpc parport_pc ppdev lp parport autofs4 i915 psmouse + e1000e ahci libahci i2c_algo_bit sdhci_pci ptp drm_kms_helper sdhci +pps_core syscopyarea sysfillrect sysimgblt fb_sys_fops drm wmi video +cpu: 1 pid: 4450 comm: dlm_test.exe not tainted 4.12.4-041204-generic +hardware name: lenovo 232425u/232425u, bios g2et82ww (2.02 ) 09/11/2012 +task: ffff96b0cbabe140 task.stack: ffffb199027d0000 +rip: 0010:sysfs_warn_dup+0x56/0x70 +rsp: 0018:ffffb199027d3c58 eflags: 00010282 +rax: 0000000000000038 rbx: ffff96b0e2c49158 rcx: 0000000000000006 +rdx: 0000000000000000 rsi: 0000000000000086 rdi: ffff96b15e24dcc0 +rbp: ffffb199027d3c70 r08: 0000000000000001 r09: 0000000000000721 +r10: ffffb199027d3c00 r11: 0000000000000721 r12: ffffb199027d3cd1 +r13: ffff96b1592088f0 r14: 0000000000000001 r15: ffffffffffffffef +fs: 00007f78069c0700(0000) gs:ffff96b15e240000(0000) +knlgs:0000000000000000 +cs: 0010 ds: 0000 es: 0000 cr0: 0000000080050033 +cr2: 000000178625ed28 cr3: 0000000091d3e000 cr4: 00000000001406e0 +call trace: + sysfs_do_create_link_sd.isra.2+0x9e/0xb0 + sysfs_create_link+0x25/0x40 + device_add+0x5a9/0x640 + device_create_groups_vargs+0xe0/0xf0 + device_create_with_groups+0x3f/0x60 + ? snprintf+0x45/0x70 + misc_register+0x140/0x180 + device_write+0x6a8/0x790 [dlm] + __vfs_write+0x37/0x160 + ? apparmor_file_permission+0x1a/0x20 + ? security_file_permission+0x3b/0xc0 + vfs_write+0xb5/0x1a0 + sys_write+0x55/0xc0 + ? sys_fcntl+0x5d/0xb0 + entry_syscall_64_fastpath+0x1e/0xa9 +rip: 0033:0x7f78083454bd +rsp: 002b:00007f78069bbd30 eflags: 00000293 orig_rax: 0000000000000001 +rax: ffffffffffffffda rbx: 0000000000000006 rcx: 00007f78083454bd +rdx: 000000000000009c rsi: 00007f78069bee00 rdi: 0000000000000005 +rbp: 00007f77f8000a20 r08: 000000000000fcf0 r09: 0000000000000032 +r10: 0000000000000024 r11: 0000000000000293 r12: 00007f78069bde00 +r13: 00007f78069bee00 r14: 000000000000000a r15: 00007f78069bbd70 +code: 85 c0 48 89 c3 74 12 b9 00 10 00 00 48 89 c2 31 f6 4c 89 ef e8 2c c8 +ff ff 4c 89 e2 48 89 de 48 c7 c7 b0 8e 0c a8 e8 41 e8 ed ff <0f> ff 48 89 +df e8 00 d5 f4 ff 5b 41 5c 41 5d 5d c3 66 0f 1f 84 +---[ end trace 40412246357cc9e0 ]--- + +dlm: 59f24629-ae39-44e2-9030-397ebc2eda26: leaving the lockspace group... +bug: unable to handle kernel null pointer dereference at 0000000000000001 +ip: [] kmem_cache_alloc+0x7a/0x140 +pgd 0 +oops: 0000 [#1] smp +modules linked in: dlm 8021q garp mrp stp llc openvswitch nf_defrag_ipv6 +nf_conntrack libcrc32c iptable_filter dm_multipath crc32_pclmul dm_mod +aesni_intel psmouse aes_x86_64 sg ablk_helper cryptd lrw gf128mul +glue_helper i2c_piix4 nls_utf8 tpm_tis tpm isofs nfsd auth_rpcgss +oid_registry nfs_acl lockd grace sunrpc xen_wdt ip_tables x_tables autofs4 +hid_generic usbhid hid sr_mod cdrom sd_mod ata_generic pata_acpi 8139too +serio_raw ata_piix 8139cp mii uhci_hcd ehci_pci ehci_hcd libata +scsi_dh_rdac scsi_dh_hp_sw scsi_dh_emc scsi_dh_alua scsi_mod ipv6 +cpu: 0 pid: 394 comm: systemd-udevd tainted: g w 4.4.0+0 #1 +hardware name: xen hvm domu, bios 4.7.2-2.2 05/11/2017 +task: ffff880002410000 ti: ffff88000243c000 task.ti: ffff88000243c000 +rip: e030:[] [] +kmem_cache_alloc+0x7a/0x140 +rsp: e02b:ffff88000243fd90 eflags: 00010202 +rax: 0000000000000000 rbx: ffff8800029864d0 rcx: 000000000007b36c +rdx: 000000000007b36b rsi: 00000000024000c0 rdi: ffff880036801c00 +rbp: ffff88000243fdc0 r08: 0000000000018880 r09: 0000000000000054 +r10: 000000000000004a r11: ffff880034ace6c0 r12: 00000000024000c0 +r13: ffff880036801c00 r14: 0000000000000001 r15: ffffffff8118dcc2 +fs: 00007f0ab77548c0(0000) gs:ffff880036e00000(0000) knlgs:0000000000000000 +cs: e033 ds: 0000 es: 0000 cr0: 0000000080050033 +cr2: 0000000000000001 cr3: 000000000332d000 cr4: 0000000000040660 +stack: +ffffffff8118dc90 ffff8800029864d0 0000000000000000 ffff88003430b0b0 +ffff880034b78320 ffff88003430b0b0 ffff88000243fdf8 ffffffff8118dcc2 +ffff8800349c6700 ffff8800029864d0 000000000000000b 00007f0ab7754b90 +call trace: +[] ? anon_vma_fork+0x60/0x140 +[] anon_vma_fork+0x92/0x140 +[] copy_process+0xcae/0x1a80 +[] _do_fork+0x8b/0x2d0 +[] sys_clone+0x19/0x20 +[] entry_syscall_64_fastpath+0x12/0x71 +] code: f6 75 1c 4c 89 fa 44 89 e6 4c 89 ef e8 a7 e4 00 00 41 f7 c4 00 80 +00 00 49 89 c6 74 47 eb 32 49 63 45 20 48 8d 4a 01 4d 8b 45 00 <49> 8b 1c +06 4c 89 f0 65 49 0f c7 08 0f 94 c0 84 c0 74 ac 49 63 +rip [] kmem_cache_alloc+0x7a/0x140 +rsp +cr2: 0000000000000001 +--[ end trace 70cb9fd1b164a0e8 ]-- + +Signed-off-by: Edwin Török +Signed-off-by: David Teigland +Signed-off-by: Greg Kroah-Hartman + +--- + fs/dlm/user.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/dlm/user.c ++++ b/fs/dlm/user.c +@@ -355,6 +355,10 @@ static int dlm_device_register(struct dl + error = misc_register(&ls->ls_device); + if (error) { + kfree(ls->ls_device.name); ++ /* this has to be set to NULL ++ * to avoid a double-free in dlm_device_deregister ++ */ ++ ls->ls_device.name = NULL; + } + fail: + return error; diff --git a/queue-4.13/driver-core-bus-fix-a-potential-double-free.patch b/queue-4.13/driver-core-bus-fix-a-potential-double-free.patch new file mode 100644 index 00000000000..a34cc7ed254 --- /dev/null +++ b/queue-4.13/driver-core-bus-fix-a-potential-double-free.patch @@ -0,0 +1,33 @@ +From 0f9b011d3321ca1079c7a46c18cb1956fbdb7bcb Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Tue, 29 Aug 2017 21:23:49 +0200 +Subject: driver core: bus: Fix a potential double free + +From: Christophe JAILLET + +commit 0f9b011d3321ca1079c7a46c18cb1956fbdb7bcb upstream. + +The .release function of driver_ktype is 'driver_release()'. +This function frees the container_of this kobject. + +So, this memory must not be freed explicitly in the error handling path of +'bus_add_driver()'. Otherwise a double free will occur. + +Signed-off-by: Christophe JAILLET +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/bus.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/base/bus.c ++++ b/drivers/base/bus.c +@@ -698,7 +698,7 @@ int bus_add_driver(struct device_driver + + out_unregister: + kobject_put(&priv->kobj); +- kfree(drv->p); ++ /* drv->p is freed in driver_release() */ + drv->p = NULL; + out_put_bus: + bus_put(bus); diff --git a/queue-4.13/drm-nouveau-fix-error-handling-in-nv50_disp_atomic_commit.patch b/queue-4.13/drm-nouveau-fix-error-handling-in-nv50_disp_atomic_commit.patch new file mode 100644 index 00000000000..5122b4d4481 --- /dev/null +++ b/queue-4.13/drm-nouveau-fix-error-handling-in-nv50_disp_atomic_commit.patch @@ -0,0 +1,60 @@ +From 813a7e1604eaad1c2792d37d402e1b48b8d0eb3f Mon Sep 17 00:00:00 2001 +From: Maarten Lankhorst +Date: Tue, 11 Jul 2017 16:33:03 +0200 +Subject: drm/nouveau: Fix error handling in nv50_disp_atomic_commit + +From: Maarten Lankhorst + +commit 813a7e1604eaad1c2792d37d402e1b48b8d0eb3f upstream. + +Make it more clear that post commit return ret is really return 0, + +and add a missing drm_atomic_helper_cleanup_planes when +drm_atomic_helper_wait_for_fences fails. + +Fixes: 839ca903f12e ("drm/nouveau/kms/nv50: transition to atomic interfaces internally") +Cc: Ben Skeggs +Cc: dri-devel@lists.freedesktop.org +Cc: nouveau@lists.freedesktop.org +Signed-off-by: Maarten Lankhorst +Link: http://patchwork.freedesktop.org/patch/msgid/20170711143314.2148-2-maarten.lankhorst@linux.intel.com +Reviewed-by: Sean Paul +[mlankhorst: Use if (ret) to remove the goto in success case.] +Reviewed-by: Daniel Vetter +Signed-off-by: Daniel Vetter +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/nouveau/nv50_display.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/nouveau/nv50_display.c ++++ b/drivers/gpu/drm/nouveau/nv50_display.c +@@ -4134,7 +4134,7 @@ nv50_disp_atomic_commit(struct drm_devic + if (!nonblock) { + ret = drm_atomic_helper_wait_for_fences(dev, state, true); + if (ret) +- goto done; ++ goto err_cleanup; + } + + for_each_plane_in_state(state, plane, plane_state, i) { +@@ -4162,7 +4162,7 @@ nv50_disp_atomic_commit(struct drm_devic + if (crtc->state->enable) { + if (!drm->have_disp_power_ref) { + drm->have_disp_power_ref = true; +- return ret; ++ return 0; + } + active = true; + break; +@@ -4174,6 +4174,9 @@ nv50_disp_atomic_commit(struct drm_devic + drm->have_disp_power_ref = false; + } + ++err_cleanup: ++ if (ret) ++ drm_atomic_helper_cleanup_planes(dev, state); + done: + pm_runtime_put_autosuspend(dev->dev); + return ret; diff --git a/queue-4.13/drm-nouveau-pci-msi-disable-msi-on-big-endian-platforms-by-default.patch b/queue-4.13/drm-nouveau-pci-msi-disable-msi-on-big-endian-platforms-by-default.patch new file mode 100644 index 00000000000..e035fbbb329 --- /dev/null +++ b/queue-4.13/drm-nouveau-pci-msi-disable-msi-on-big-endian-platforms-by-default.patch @@ -0,0 +1,37 @@ +From bc60c90f472b6e762ea96ef384072145adc8d4af Mon Sep 17 00:00:00 2001 +From: Ilia Mirkin +Date: Thu, 10 Aug 2017 12:13:40 -0400 +Subject: drm/nouveau/pci/msi: disable MSI on big-endian platforms by default + +From: Ilia Mirkin + +commit bc60c90f472b6e762ea96ef384072145adc8d4af upstream. + +It appears that MSI does not work on either G5 PPC nor on a E5500-based +platform, where other hardware is reported to work fine with MSI. + +Both tests were conducted with NV4x hardware, so perhaps other (or even +this) hardware can be made to work. It's still possible to force-enable +with config=NvMSI=1 on load. + +Signed-off-by: Ilia Mirkin +Signed-off-by: Ben Skeggs +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/nouveau/nvkm/subdev/pci/base.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/pci/base.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/pci/base.c +@@ -192,6 +192,10 @@ nvkm_pci_new_(const struct nvkm_pci_func + } + } + ++#ifdef __BIG_ENDIAN ++ pci->msi = false; ++#endif ++ + pci->msi = nvkm_boolopt(device->cfgopt, "NvMSI", pci->msi); + if (pci->msi && func->msi_rearm) { + pci->msi = pci_enable_msi(pci->pdev) == 0; diff --git a/queue-4.13/fpga-altera-hps2fpga-fix-multiple-init-of-l3_remap_lock.patch b/queue-4.13/fpga-altera-hps2fpga-fix-multiple-init-of-l3_remap_lock.patch new file mode 100644 index 00000000000..b9aba57378f --- /dev/null +++ b/queue-4.13/fpga-altera-hps2fpga-fix-multiple-init-of-l3_remap_lock.patch @@ -0,0 +1,43 @@ +From 4ae2bd4b3ada3dfd80ca8110b4f567752966ca1e Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Tue, 1 Aug 2017 21:20:54 -0500 +Subject: fpga: altera-hps2fpga: fix multiple init of l3_remap_lock + +From: Ian Abbott + +commit 4ae2bd4b3ada3dfd80ca8110b4f567752966ca1e upstream. + +The global spinlock `l3_remap_lock` is reinitialized every time the +"probe" function `alt_fpga_bridge_probe()` is called. It should only be +initialized once. Use `DEFINE_SPINLOCK()` to initialize it statically. + +Fixes: e5f8efa5c8bf ("ARM: socfpga: fpga bridge driver support") +Signed-off-by: Ian Abbott +Reviewed-By: Moritz Fischer +Signed-off-by: Alan Tull +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/fpga/altera-hps2fpga.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/fpga/altera-hps2fpga.c ++++ b/drivers/fpga/altera-hps2fpga.c +@@ -66,7 +66,7 @@ static int alt_hps2fpga_enable_show(stru + + /* The L3 REMAP register is write only, so keep a cached value. */ + static unsigned int l3_remap_shadow; +-static spinlock_t l3_remap_lock; ++static DEFINE_SPINLOCK(l3_remap_lock); + + static int _alt_hps2fpga_enable_set(struct altera_hps2fpga_data *priv, + bool enable) +@@ -171,8 +171,6 @@ static int alt_fpga_bridge_probe(struct + return -EBUSY; + } + +- spin_lock_init(&l3_remap_lock); +- + if (!of_property_read_u32(dev->of_node, "bridge-enable", &enable)) { + if (enable > 1) { + dev_warn(dev, "invalid bridge-enable %u > 1\n", enable); diff --git a/queue-4.13/hid-wacom-do-not-completely-map-wacom_hid_wd_touchringstatus-usage.patch b/queue-4.13/hid-wacom-do-not-completely-map-wacom_hid_wd_touchringstatus-usage.patch new file mode 100644 index 00000000000..f7474327a26 --- /dev/null +++ b/queue-4.13/hid-wacom-do-not-completely-map-wacom_hid_wd_touchringstatus-usage.patch @@ -0,0 +1,47 @@ +From 8d411cbf46e515ca2b7ceb3d2b3f43e22813edac Mon Sep 17 00:00:00 2001 +From: Jason Gerecke +Date: Fri, 4 Aug 2017 15:35:14 -0700 +Subject: HID: wacom: Do not completely map WACOM_HID_WD_TOUCHRINGSTATUS usage + +From: Jason Gerecke + +commit 8d411cbf46e515ca2b7ceb3d2b3f43e22813edac upstream. + +The WACOM_HID_WD_TOUCHRINGSTATUS usage is a single bit which tells us +whether the touchring is currently in use or not. Because we need to +reset the axis value to 0 when the finger is removed, we call +'wacom_map_usage' to ensure that the required type/code values are +associated with the usage. The 'wacom_map_usage' also sets up the axis +range and resolution, however, which is not desired in this particular +case. + +Although xf86-input-wacom doesn't do really do anything with the ring's +range or resolution, the libinput driver (for Wayland environments) +uses these values to provide proper angle indications to userspace. + +Fixes: 60a2218698 ("HID: wacom: generic: add support for touchring") +Signed-off-by: Jason Gerecke +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/wacom_wac.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/hid/wacom_wac.c ++++ b/drivers/hid/wacom_wac.c +@@ -1846,7 +1846,13 @@ static void wacom_wac_pad_usage_mapping( + features->device_type |= WACOM_DEVICETYPE_PAD; + break; + case WACOM_HID_WD_TOUCHRINGSTATUS: +- wacom_map_usage(input, usage, field, EV_ABS, ABS_WHEEL, 0); ++ /* ++ * Only set up type/code association. Completely mapping ++ * this usage may overwrite the axis resolution and range. ++ */ ++ usage->type = EV_ABS; ++ usage->code = ABS_WHEEL; ++ set_bit(EV_ABS, input->evbit); + features->device_type |= WACOM_DEVICETYPE_PAD; + break; + case WACOM_HID_WD_BUTTONCONFIG: diff --git a/queue-4.13/iio-adc-ti-ads1015-add-adequate-wait-time-to-get-correct-conversion.patch b/queue-4.13/iio-adc-ti-ads1015-add-adequate-wait-time-to-get-correct-conversion.patch new file mode 100644 index 00000000000..37c85b61cf5 --- /dev/null +++ b/queue-4.13/iio-adc-ti-ads1015-add-adequate-wait-time-to-get-correct-conversion.patch @@ -0,0 +1,78 @@ +From 4744d4e2afebf9644a439da9ca73d822fdd67bd9 Mon Sep 17 00:00:00 2001 +From: Akinobu Mita +Date: Fri, 21 Jul 2017 00:24:22 +0900 +Subject: iio: adc: ti-ads1015: add adequate wait time to get correct conversion + +From: Akinobu Mita + +commit 4744d4e2afebf9644a439da9ca73d822fdd67bd9 upstream. + +This driver assumes that the device is operating in the continuous +conversion mode which performs the conversion continuously. So this driver +inserts a wait time before reading the conversion register if the +configuration is changed from a previous request. + +Currently, the wait time is only the period required for a single +conversion that is calculated as the reciprocal of the sampling frequency. +However we also need to wait for the the previous conversion to complete. +Otherwise we probably get the conversion result for the previous +configuration when the sampling frequency is lower. + +Cc: Daniel Baluta +Signed-off-by: Akinobu Mita +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/adc/ti-ads1015.c | 31 +++++++++++++++++++------------ + 1 file changed, 19 insertions(+), 12 deletions(-) + +--- a/drivers/iio/adc/ti-ads1015.c ++++ b/drivers/iio/adc/ti-ads1015.c +@@ -242,27 +242,34 @@ static + int ads1015_get_adc_result(struct ads1015_data *data, int chan, int *val) + { + int ret, pga, dr, conv_time; +- bool change; ++ unsigned int old, mask, cfg; + + if (chan < 0 || chan >= ADS1015_CHANNELS) + return -EINVAL; + ++ ret = regmap_read(data->regmap, ADS1015_CFG_REG, &old); ++ if (ret) ++ return ret; ++ + pga = data->channel_data[chan].pga; + dr = data->channel_data[chan].data_rate; ++ mask = ADS1015_CFG_MUX_MASK | ADS1015_CFG_PGA_MASK | ++ ADS1015_CFG_DR_MASK; ++ cfg = chan << ADS1015_CFG_MUX_SHIFT | pga << ADS1015_CFG_PGA_SHIFT | ++ dr << ADS1015_CFG_DR_SHIFT; + +- ret = regmap_update_bits_check(data->regmap, ADS1015_CFG_REG, +- ADS1015_CFG_MUX_MASK | +- ADS1015_CFG_PGA_MASK | +- ADS1015_CFG_DR_MASK, +- chan << ADS1015_CFG_MUX_SHIFT | +- pga << ADS1015_CFG_PGA_SHIFT | +- dr << ADS1015_CFG_DR_SHIFT, +- &change); +- if (ret < 0) ++ cfg = (old & ~mask) | (cfg & mask); ++ ++ ret = regmap_write(data->regmap, ADS1015_CFG_REG, cfg); ++ if (ret) + return ret; + +- if (change || data->conv_invalid) { +- conv_time = DIV_ROUND_UP(USEC_PER_SEC, data->data_rate[dr]); ++ if (old != cfg || data->conv_invalid) { ++ int dr_old = (old & ADS1015_CFG_DR_MASK) >> ++ ADS1015_CFG_DR_SHIFT; ++ ++ conv_time = DIV_ROUND_UP(USEC_PER_SEC, data->data_rate[dr_old]); ++ conv_time += DIV_ROUND_UP(USEC_PER_SEC, data->data_rate[dr]); + usleep_range(conv_time, conv_time + 1); + data->conv_invalid = false; + } diff --git a/queue-4.13/iio-adc-ti-ads1015-avoid-getting-stale-result-after-runtime-resume.patch b/queue-4.13/iio-adc-ti-ads1015-avoid-getting-stale-result-after-runtime-resume.patch new file mode 100644 index 00000000000..8f973b7d001 --- /dev/null +++ b/queue-4.13/iio-adc-ti-ads1015-avoid-getting-stale-result-after-runtime-resume.patch @@ -0,0 +1,83 @@ +From 73e3e3fc50de50cfd68e945d85679c983ed31bd9 Mon Sep 17 00:00:00 2001 +From: Akinobu Mita +Date: Fri, 21 Jul 2017 00:24:20 +0900 +Subject: iio: adc: ti-ads1015: avoid getting stale result after runtime resume + +From: Akinobu Mita + +commit 73e3e3fc50de50cfd68e945d85679c983ed31bd9 upstream. + +This driver assumes that the device is operating in the continuous +conversion mode which performs the conversion continuously. So this driver +doesn't insert a wait time before reading the conversion register if the +configuration is not changed from a previous request. + +This assumption is broken if the device is runtime suspended and entered +a power-down state. The forthcoming request causes reading a stale result +from the conversion register as the device is runtime resumed just before. + +Fix it by adding a flag to detect that condition and insert a necessary +wait time. + +Cc: Daniel Baluta +Signed-off-by: Akinobu Mita +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/adc/ti-ads1015.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +--- a/drivers/iio/adc/ti-ads1015.c ++++ b/drivers/iio/adc/ti-ads1015.c +@@ -177,6 +177,12 @@ struct ads1015_data { + struct ads1015_channel_data channel_data[ADS1015_CHANNELS]; + + unsigned int *data_rate; ++ /* ++ * Set to true when the ADC is switched to the continuous-conversion ++ * mode and exits from a power-down state. This flag is used to avoid ++ * getting the stale result from the conversion register. ++ */ ++ bool conv_invalid; + }; + + static bool ads1015_is_writeable_reg(struct device *dev, unsigned int reg) +@@ -255,9 +261,10 @@ int ads1015_get_adc_result(struct ads101 + if (ret < 0) + return ret; + +- if (change) { ++ if (change || data->conv_invalid) { + conv_time = DIV_ROUND_UP(USEC_PER_SEC, data->data_rate[dr]); + usleep_range(conv_time, conv_time + 1); ++ data->conv_invalid = false; + } + + return regmap_read(data->regmap, ADS1015_CONV_REG, val); +@@ -630,6 +637,8 @@ static int ads1015_probe(struct i2c_clie + if (ret) + return ret; + ++ data->conv_invalid = true; ++ + ret = pm_runtime_set_active(&client->dev); + if (ret) + goto err_buffer_cleanup; +@@ -685,10 +694,15 @@ static int ads1015_runtime_resume(struct + { + struct iio_dev *indio_dev = i2c_get_clientdata(to_i2c_client(dev)); + struct ads1015_data *data = iio_priv(indio_dev); ++ int ret; + +- return regmap_update_bits(data->regmap, ADS1015_CFG_REG, ++ ret = regmap_update_bits(data->regmap, ADS1015_CFG_REG, + ADS1015_CFG_MOD_MASK, + ADS1015_CONTINUOUS << ADS1015_CFG_MOD_SHIFT); ++ if (!ret) ++ data->conv_invalid = true; ++ ++ return ret; + } + #endif + diff --git a/queue-4.13/iio-adc-ti-ads1015-don-t-return-invalid-value-from-buffer-setup-callbacks.patch b/queue-4.13/iio-adc-ti-ads1015-don-t-return-invalid-value-from-buffer-setup-callbacks.patch new file mode 100644 index 00000000000..33384a04480 --- /dev/null +++ b/queue-4.13/iio-adc-ti-ads1015-don-t-return-invalid-value-from-buffer-setup-callbacks.patch @@ -0,0 +1,39 @@ +From a6fe5e52d5ecfc98530034d6c9db73777cf41ede Mon Sep 17 00:00:00 2001 +From: Akinobu Mita +Date: Fri, 21 Jul 2017 00:24:21 +0900 +Subject: iio: adc: ti-ads1015: don't return invalid value from buffer setup callbacks + +From: Akinobu Mita + +commit a6fe5e52d5ecfc98530034d6c9db73777cf41ede upstream. + +pm_runtime_get_sync() and pm_runtime_put_autosuspend() return 0 on +success, 1 if the device's runtime PM status was already requested status +or error code on failure. So a positive return value doesn't indicate an +error condition. + +However, any non-zero return values from buffer preenable and postdisable +callbacks are recognized as an error and this driver reuses the return +value from pm_runtime_get_sync() and pm_runtime_put_autosuspend() in +these callbacks. This change fixes the false error detections. + +Cc: Daniel Baluta +Signed-off-by: Akinobu Mita +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/adc/ti-ads1015.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/adc/ti-ads1015.c ++++ b/drivers/iio/adc/ti-ads1015.c +@@ -235,7 +235,7 @@ static int ads1015_set_power_state(struc + ret = pm_runtime_put_autosuspend(dev); + } + +- return ret; ++ return ret < 0 ? ret : 0; + } + + static diff --git a/queue-4.13/iio-adc-ti-ads1015-enable-conversion-when-config_pm-is-not-set.patch b/queue-4.13/iio-adc-ti-ads1015-enable-conversion-when-config_pm-is-not-set.patch new file mode 100644 index 00000000000..b33efc0cde4 --- /dev/null +++ b/queue-4.13/iio-adc-ti-ads1015-enable-conversion-when-config_pm-is-not-set.patch @@ -0,0 +1,44 @@ +From e8245c68350104b6022b6783719e843d69ea7c43 Mon Sep 17 00:00:00 2001 +From: Akinobu Mita +Date: Fri, 21 Jul 2017 00:24:19 +0900 +Subject: iio: adc: ti-ads1015: enable conversion when CONFIG_PM is not set + +From: Akinobu Mita + +commit e8245c68350104b6022b6783719e843d69ea7c43 upstream. + +The ADS1015 device have two operating modes, continuous conversion mode +and single-shot mode. This driver assumes that the continuous conversion +mode is selected by runtime resume callback when the ADC result is +requested. + +If CONFIG_PM is disabled, the device is always in the default single-shot +mode and no one begins a single conversion. So the conversion register +doesn't contain valid ADC result. Fix it by changing the continuous mode +in probe function. + +Cc: Daniel Baluta +Signed-off-by: Akinobu Mita +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/adc/ti-ads1015.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/iio/adc/ti-ads1015.c ++++ b/drivers/iio/adc/ti-ads1015.c +@@ -623,6 +623,13 @@ static int ads1015_probe(struct i2c_clie + dev_err(&client->dev, "iio triggered buffer setup failed\n"); + return ret; + } ++ ++ ret = regmap_update_bits(data->regmap, ADS1015_CFG_REG, ++ ADS1015_CFG_MOD_MASK, ++ ADS1015_CONTINUOUS << ADS1015_CFG_MOD_SHIFT); ++ if (ret) ++ return ret; ++ + ret = pm_runtime_set_active(&client->dev); + if (ret) + goto err_buffer_cleanup; diff --git a/queue-4.13/iio-adc-ti-ads1015-fix-incorrect-data-rate-setting-update.patch b/queue-4.13/iio-adc-ti-ads1015-fix-incorrect-data-rate-setting-update.patch new file mode 100644 index 00000000000..fa91590ddde --- /dev/null +++ b/queue-4.13/iio-adc-ti-ads1015-fix-incorrect-data-rate-setting-update.patch @@ -0,0 +1,85 @@ +From 0d106b74c558e3000aa0e058b4725cacb70ce77a Mon Sep 17 00:00:00 2001 +From: Akinobu Mita +Date: Fri, 21 Jul 2017 00:24:17 +0900 +Subject: iio: adc: ti-ads1015: fix incorrect data rate setting update + +From: Akinobu Mita + +commit 0d106b74c558e3000aa0e058b4725cacb70ce77a upstream. + +The ti-ads1015 driver has eight iio voltage channels and each iio channel +can hold own sampling frequency information. + +The ADS1015 device only have a single config register which contains an +input multiplexer selection, PGA and data rate settings. So the driver +should load the correct settings when the input multiplexer selection is +changed. + +However, regardless of which channlel is currently selected, changing any +iio channel's sampling frequency information immediately overwrites the +current data rate setting in the config register. + +It breaks the current data rate setting if the different channel's sampling +frequency information is changed because the data rate setting is not +reloaded when the input multiplexer is switched. + +This removes the unexpected config register update and correctly load the +data rate setting before getting adc result. + +Cc: Daniel Baluta +Signed-off-by: Akinobu Mita +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/adc/ti-ads1015.c | 27 ++++++++++----------------- + 1 file changed, 10 insertions(+), 17 deletions(-) + +--- a/drivers/iio/adc/ti-ads1015.c ++++ b/drivers/iio/adc/ti-ads1015.c +@@ -252,9 +252,11 @@ int ads1015_get_adc_result(struct ads101 + + ret = regmap_update_bits_check(data->regmap, ADS1015_CFG_REG, + ADS1015_CFG_MUX_MASK | +- ADS1015_CFG_PGA_MASK, ++ ADS1015_CFG_PGA_MASK | ++ ADS1015_CFG_DR_MASK, + chan << ADS1015_CFG_MUX_SHIFT | +- pga << ADS1015_CFG_PGA_SHIFT, ++ pga << ADS1015_CFG_PGA_SHIFT | ++ dr << ADS1015_CFG_DR_SHIFT, + &change); + if (ret < 0) + return ret; +@@ -325,25 +327,16 @@ static int ads1015_set_scale(struct ads1 + + static int ads1015_set_data_rate(struct ads1015_data *data, int chan, int rate) + { +- int i, ret, rindex = -1; ++ int i; + +- for (i = 0; i < ARRAY_SIZE(ads1015_data_rate); i++) ++ for (i = 0; i < ARRAY_SIZE(ads1015_data_rate); i++) { + if (data->data_rate[i] == rate) { +- rindex = i; +- break; ++ data->channel_data[chan].data_rate = i; ++ return 0; + } +- if (rindex < 0) +- return -EINVAL; +- +- ret = regmap_update_bits(data->regmap, ADS1015_CFG_REG, +- ADS1015_CFG_DR_MASK, +- rindex << ADS1015_CFG_DR_SHIFT); +- if (ret < 0) +- return ret; +- +- data->channel_data[chan].data_rate = rindex; ++ } + +- return 0; ++ return -EINVAL; + } + + static int ads1015_read_raw(struct iio_dev *indio_dev, diff --git a/queue-4.13/iio-adc-ti-ads1015-fix-scale-information-for-ads1115.patch b/queue-4.13/iio-adc-ti-ads1015-fix-scale-information-for-ads1115.patch new file mode 100644 index 00000000000..3a6a3d4fa7f --- /dev/null +++ b/queue-4.13/iio-adc-ti-ads1015-fix-scale-information-for-ads1115.patch @@ -0,0 +1,139 @@ +From 8d0e8e795623bd6229cf48bb7777a1c456c370ed Mon Sep 17 00:00:00 2001 +From: Akinobu Mita +Date: Fri, 21 Jul 2017 00:24:18 +0900 +Subject: iio: adc: ti-ads1015: fix scale information for ADS1115 + +From: Akinobu Mita + +commit 8d0e8e795623bd6229cf48bb7777a1c456c370ed upstream. + +The ti-ads1015 driver supports ADS1015 and ADS1115 devices. The same +scale information is used for both devices in this driver, however they +have actually different values and the ADS1115's one is not correct. + +These devices have the same full-scale input voltage range for each PGA +selection. So instead of adding another hardcoded scale information, +compute a correct scale on demand from each device's resolution. + +Cc: Daniel Baluta +Signed-off-by: Akinobu Mita +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/adc/ti-ads1015.c | 48 +++++++++++++++++++++---------------------- + 1 file changed, 24 insertions(+), 24 deletions(-) + +--- a/drivers/iio/adc/ti-ads1015.c ++++ b/drivers/iio/adc/ti-ads1015.c +@@ -81,18 +81,12 @@ static const unsigned int ads1115_data_r + 8, 16, 32, 64, 128, 250, 475, 860 + }; + +-static const struct { +- int scale; +- int uscale; +-} ads1015_scale[] = { +- {3, 0}, +- {2, 0}, +- {1, 0}, +- {0, 500000}, +- {0, 250000}, +- {0, 125000}, +- {0, 125000}, +- {0, 125000}, ++/* ++ * Translation from PGA bits to full-scale positive and negative input voltage ++ * range in mV ++ */ ++static int ads1015_fullscale_range[] = { ++ 6144, 4096, 2048, 1024, 512, 256, 256, 256 + }; + + #define ADS1015_V_CHAN(_chan, _addr) { \ +@@ -300,17 +294,20 @@ err: + return IRQ_HANDLED; + } + +-static int ads1015_set_scale(struct ads1015_data *data, int chan, ++static int ads1015_set_scale(struct ads1015_data *data, ++ struct iio_chan_spec const *chan, + int scale, int uscale) + { + int i, ret, rindex = -1; ++ int fullscale = div_s64((scale * 1000000LL + uscale) << ++ (chan->scan_type.realbits - 1), 1000000); + +- for (i = 0; i < ARRAY_SIZE(ads1015_scale); i++) +- if (ads1015_scale[i].scale == scale && +- ads1015_scale[i].uscale == uscale) { ++ for (i = 0; i < ARRAY_SIZE(ads1015_fullscale_range); i++) { ++ if (ads1015_fullscale_range[i] == fullscale) { + rindex = i; + break; + } ++ } + if (rindex < 0) + return -EINVAL; + +@@ -320,7 +317,7 @@ static int ads1015_set_scale(struct ads1 + if (ret < 0) + return ret; + +- data->channel_data[chan].pga = rindex; ++ data->channel_data[chan->address].pga = rindex; + + return 0; + } +@@ -378,9 +375,9 @@ static int ads1015_read_raw(struct iio_d + } + case IIO_CHAN_INFO_SCALE: + idx = data->channel_data[chan->address].pga; +- *val = ads1015_scale[idx].scale; +- *val2 = ads1015_scale[idx].uscale; +- ret = IIO_VAL_INT_PLUS_MICRO; ++ *val = ads1015_fullscale_range[idx]; ++ *val2 = chan->scan_type.realbits - 1; ++ ret = IIO_VAL_FRACTIONAL_LOG2; + break; + case IIO_CHAN_INFO_SAMP_FREQ: + idx = data->channel_data[chan->address].data_rate; +@@ -407,7 +404,7 @@ static int ads1015_write_raw(struct iio_ + mutex_lock(&data->lock); + switch (mask) { + case IIO_CHAN_INFO_SCALE: +- ret = ads1015_set_scale(data, chan->address, val, val2); ++ ret = ads1015_set_scale(data, chan, val, val2); + break; + case IIO_CHAN_INFO_SAMP_FREQ: + ret = ads1015_set_data_rate(data, chan->address, val); +@@ -439,7 +436,10 @@ static const struct iio_buffer_setup_ops + .validate_scan_mask = &iio_validate_scan_mask_onehot, + }; + +-static IIO_CONST_ATTR(scale_available, "3 2 1 0.5 0.25 0.125"); ++static IIO_CONST_ATTR_NAMED(ads1015_scale_available, scale_available, ++ "3 2 1 0.5 0.25 0.125"); ++static IIO_CONST_ATTR_NAMED(ads1115_scale_available, scale_available, ++ "0.1875 0.125 0.0625 0.03125 0.015625 0.007813"); + + static IIO_CONST_ATTR_NAMED(ads1015_sampling_frequency_available, + sampling_frequency_available, "128 250 490 920 1600 2400 3300"); +@@ -447,7 +447,7 @@ static IIO_CONST_ATTR_NAMED(ads1115_samp + sampling_frequency_available, "8 16 32 64 128 250 475 860"); + + static struct attribute *ads1015_attributes[] = { +- &iio_const_attr_scale_available.dev_attr.attr, ++ &iio_const_attr_ads1015_scale_available.dev_attr.attr, + &iio_const_attr_ads1015_sampling_frequency_available.dev_attr.attr, + NULL, + }; +@@ -457,7 +457,7 @@ static const struct attribute_group ads1 + }; + + static struct attribute *ads1115_attributes[] = { +- &iio_const_attr_scale_available.dev_attr.attr, ++ &iio_const_attr_ads1115_scale_available.dev_attr.attr, + &iio_const_attr_ads1115_sampling_frequency_available.dev_attr.attr, + NULL, + }; diff --git a/queue-4.13/intel_th-pci-add-cannon-lake-pch-h-support.patch b/queue-4.13/intel_th-pci-add-cannon-lake-pch-h-support.patch new file mode 100644 index 00000000000..1303cfe1fba --- /dev/null +++ b/queue-4.13/intel_th-pci-add-cannon-lake-pch-h-support.patch @@ -0,0 +1,32 @@ +From 84331e1390b6378a5129a3678c87a42c6f697d29 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Thu, 30 Jun 2016 16:11:13 +0300 +Subject: intel_th: pci: Add Cannon Lake PCH-H support + +From: Alexander Shishkin + +commit 84331e1390b6378a5129a3678c87a42c6f697d29 upstream. + +This adds Intel(R) Trace Hub PCI ID for Cannon Lake PCH-H. + +Signed-off-by: Alexander Shishkin +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/intel_th/pci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/hwtracing/intel_th/pci.c ++++ b/drivers/hwtracing/intel_th/pci.c +@@ -95,6 +95,11 @@ static const struct pci_device_id intel_ + PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x318e), + .driver_data = (kernel_ulong_t)0, + }, ++ { ++ /* Cannon Lake H */ ++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0xa326), ++ .driver_data = (kernel_ulong_t)0, ++ }, + { 0 }, + }; + diff --git a/queue-4.13/intel_th-pci-add-cannon-lake-pch-lp-support.patch b/queue-4.13/intel_th-pci-add-cannon-lake-pch-lp-support.patch new file mode 100644 index 00000000000..092330fae5c --- /dev/null +++ b/queue-4.13/intel_th-pci-add-cannon-lake-pch-lp-support.patch @@ -0,0 +1,32 @@ +From efb3669e14fe17d0ec4ecf57d0365039fe726f59 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Thu, 30 Jun 2016 16:11:31 +0300 +Subject: intel_th: pci: Add Cannon Lake PCH-LP support + +From: Alexander Shishkin + +commit efb3669e14fe17d0ec4ecf57d0365039fe726f59 upstream. + +This adds Intel(R) Trace Hub PCI ID for Cannon Lake PCH-LP. + +Signed-off-by: Alexander Shishkin +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/intel_th/pci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/hwtracing/intel_th/pci.c ++++ b/drivers/hwtracing/intel_th/pci.c +@@ -100,6 +100,11 @@ static const struct pci_device_id intel_ + PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0xa326), + .driver_data = (kernel_ulong_t)0, + }, ++ { ++ /* Cannon Lake LP */ ++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x9da6), ++ .driver_data = (kernel_ulong_t)0, ++ }, + { 0 }, + }; + diff --git a/queue-4.13/iwlwifi-pci-add-new-pci-id-for-7265d.patch b/queue-4.13/iwlwifi-pci-add-new-pci-id-for-7265d.patch new file mode 100644 index 00000000000..0c727677ae4 --- /dev/null +++ b/queue-4.13/iwlwifi-pci-add-new-pci-id-for-7265d.patch @@ -0,0 +1,28 @@ +From 3f7a5e13e85026b6e460bbd6e87f87379421d272 Mon Sep 17 00:00:00 2001 +From: Luca Coelho +Date: Wed, 16 Aug 2017 08:47:38 +0300 +Subject: iwlwifi: pci: add new PCI ID for 7265D + +From: Luca Coelho + +commit 3f7a5e13e85026b6e460bbd6e87f87379421d272 upstream. + +We have a new PCI subsystem ID for 7265D. Add it to the list. + +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +@@ -430,6 +430,7 @@ static const struct pci_device_id iwl_hw + {IWL_PCI_DEVICE(0x095B, 0x520A, iwl7265_2ac_cfg)}, + {IWL_PCI_DEVICE(0x095A, 0x9000, iwl7265_2ac_cfg)}, + {IWL_PCI_DEVICE(0x095A, 0x9400, iwl7265_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x095A, 0x9E10, iwl7265_2ac_cfg)}, + + /* 8000 Series */ + {IWL_PCI_DEVICE(0x24F3, 0x0010, iwl8260_2ac_cfg)}, diff --git a/queue-4.13/mcb-add-support-for-sc31-to-mcb-lpc.patch b/queue-4.13/mcb-add-support-for-sc31-to-mcb-lpc.patch new file mode 100644 index 00000000000..e02e0b55cc3 --- /dev/null +++ b/queue-4.13/mcb-add-support-for-sc31-to-mcb-lpc.patch @@ -0,0 +1,53 @@ +From acf5e051ac44d5dc60b21bc4734ef1b844d55551 Mon Sep 17 00:00:00 2001 +From: Michael Moese +Date: Tue, 29 Aug 2017 14:47:24 +0200 +Subject: MCB: add support for SC31 to mcb-lpc + +From: Michael Moese + +commit acf5e051ac44d5dc60b21bc4734ef1b844d55551 upstream. + +This patch adds the resources and DMI ID's for the MEN SC31, +which uses a different address region to map the LPC bus than +the one used for the existing SC24. + +Signed-off-by: Michael Moese +[jth add stable tag] +Signed-off-by: Johannes Thumshirn +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mcb/mcb-lpc.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/drivers/mcb/mcb-lpc.c ++++ b/drivers/mcb/mcb-lpc.c +@@ -114,6 +114,12 @@ static struct resource sc24_fpga_resourc + .flags = IORESOURCE_MEM, + }; + ++static struct resource sc31_fpga_resource = { ++ .start = 0xf000e000, ++ .end = 0xf000e000 + CHAM_HEADER_SIZE, ++ .flags = IORESOURCE_MEM, ++}; ++ + static struct platform_driver mcb_lpc_driver = { + .driver = { + .name = "mcb-lpc", +@@ -132,6 +138,15 @@ static const struct dmi_system_id mcb_lp + .driver_data = (void *)&sc24_fpga_resource, + .callback = mcb_lpc_create_platform_device, + }, ++ { ++ .ident = "SC31", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "MEN"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "14SC31"), ++ }, ++ .driver_data = (void *)&sc31_fpga_resource, ++ .callback = mcb_lpc_create_platform_device, ++ }, + {} + }; + MODULE_DEVICE_TABLE(dmi, mcb_lpc_dmi_table); diff --git a/queue-4.13/mwifiex-correct-channel-stat-buffer-overflows.patch b/queue-4.13/mwifiex-correct-channel-stat-buffer-overflows.patch new file mode 100644 index 00000000000..4a3898150eb --- /dev/null +++ b/queue-4.13/mwifiex-correct-channel-stat-buffer-overflows.patch @@ -0,0 +1,74 @@ +From 4b5dde2d6234ff5bc68e97e6901d1f2a0a7f3749 Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Thu, 29 Jun 2017 18:23:54 -0700 +Subject: mwifiex: correct channel stat buffer overflows + +From: Brian Norris + +commit 4b5dde2d6234ff5bc68e97e6901d1f2a0a7f3749 upstream. + +mwifiex records information about various channels as it receives scan +information. It does this by appending to a buffer that was sized +to the max number of supported channels on any band, but there are +numerous problems: + +(a) scans can return info from more than one band (e.g., both 2.4 and 5 + GHz), so the determined "max" is not large enough +(b) some firmware appears to return multiple results for a given + channel, so the max *really* isn't large enough +(c) there is no bounds checking when stashing these stats, so problems + (a) and (b) can easily lead to buffer overflows + +Let's patch this by setting a slightly-more-correct max (that accounts +for a combination of both 2.4G and 5G bands) and adding a bounds check +when writing to our statistics buffer. + +Due to problem (b), we still might not properly report all known survey +information (e.g., with "iw survey dump"), since duplicate results +(or otherwise "larger than expected" results) will cause some +truncation. But that's a problem for a future bugfix. + +(And because of this known deficiency, only log the excess at the WARN +level, since that isn't visible by default in this driver and would +otherwise be a bit too noisy.) + +Fixes: bf35443314ac ("mwifiex: channel statistics support for mwifiex") +Cc: Avinash Patil +Cc: Xinming Hu +Signed-off-by: Brian Norris +Reviewed-by: Dmitry Torokhov +Reviewed-by: Ganapathi Bhat +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/marvell/mwifiex/cfg80211.c | 2 +- + drivers/net/wireless/marvell/mwifiex/scan.c | 6 ++++++ + 2 files changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c ++++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c +@@ -4215,7 +4215,7 @@ int mwifiex_init_channel_scan_gap(struct + if (adapter->config_bands & BAND_A) + n_channels_a = mwifiex_band_5ghz.n_channels; + +- adapter->num_in_chan_stats = max_t(u32, n_channels_bg, n_channels_a); ++ adapter->num_in_chan_stats = n_channels_bg + n_channels_a; + adapter->chan_stats = vmalloc(sizeof(*adapter->chan_stats) * + adapter->num_in_chan_stats); + +--- a/drivers/net/wireless/marvell/mwifiex/scan.c ++++ b/drivers/net/wireless/marvell/mwifiex/scan.c +@@ -2492,6 +2492,12 @@ mwifiex_update_chan_statistics(struct mw + sizeof(struct mwifiex_chan_stats); + + for (i = 0 ; i < num_chan; i++) { ++ if (adapter->survey_idx >= adapter->num_in_chan_stats) { ++ mwifiex_dbg(adapter, WARN, ++ "FW reported too many channel results (max %d)\n", ++ adapter->num_in_chan_stats); ++ return; ++ } + chan_stats.chan_num = fw_chan_stats->chan_num; + chan_stats.bandcfg = fw_chan_stats->bandcfg; + chan_stats.flags = fw_chan_stats->flags; diff --git a/queue-4.13/rtlwifi-rtl_pci_probe-fix-fail-path-of-_rtl_pci_find_adapter.patch b/queue-4.13/rtlwifi-rtl_pci_probe-fix-fail-path-of-_rtl_pci_find_adapter.patch new file mode 100644 index 00000000000..02d2ec4af32 --- /dev/null +++ b/queue-4.13/rtlwifi-rtl_pci_probe-fix-fail-path-of-_rtl_pci_find_adapter.patch @@ -0,0 +1,53 @@ +From fc81bab5eeb103711925d7510157cf5cd2b153f4 Mon Sep 17 00:00:00 2001 +From: Malcolm Priestley +Date: Sun, 30 Jul 2017 09:02:19 +0100 +Subject: rtlwifi: rtl_pci_probe: Fix fail path of _rtl_pci_find_adapter + +From: Malcolm Priestley + +commit fc81bab5eeb103711925d7510157cf5cd2b153f4 upstream. + +_rtl_pci_find_adapter fail path will jump to label fail3 for +unsupported adapter types. + +However, on course for fail3 there will be call rtl_deinit_core +before rtl_init_core. + +For the inclusion of checking pci_iounmap this fail can be moved to +fail2. + +Fixes +[ 4.492963] BUG: unable to handle kernel NULL pointer dereference at (null) +[ 4.493067] IP: rtl_deinit_core+0x31/0x90 [rtlwifi] + +Signed-off-by: Malcolm Priestley +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/realtek/rtlwifi/pci.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/realtek/rtlwifi/pci.c ++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c +@@ -2257,7 +2257,7 @@ int rtl_pci_probe(struct pci_dev *pdev, + /* find adapter */ + if (!_rtl_pci_find_adapter(pdev, hw)) { + err = -ENODEV; +- goto fail3; ++ goto fail2; + } + + /* Init IO handler */ +@@ -2318,10 +2318,10 @@ fail3: + pci_set_drvdata(pdev, NULL); + rtl_deinit_core(hw); + ++fail2: + if (rtlpriv->io.pci_mem_start != 0) + pci_iounmap(pdev, (void __iomem *)rtlpriv->io.pci_mem_start); + +-fail2: + pci_release_regions(pdev); + complete(&rtlpriv->firmware_loading_complete); + diff --git a/queue-4.13/s390-mm-avoid-empty-zero-pages-for-kvm-guests-to-avoid-postcopy-hangs.patch b/queue-4.13/s390-mm-avoid-empty-zero-pages-for-kvm-guests-to-avoid-postcopy-hangs.patch new file mode 100644 index 00000000000..5d5b90e04b1 --- /dev/null +++ b/queue-4.13/s390-mm-avoid-empty-zero-pages-for-kvm-guests-to-avoid-postcopy-hangs.patch @@ -0,0 +1,122 @@ +From fa41ba0d08de7c975c3e94d0067553f9b934221f Mon Sep 17 00:00:00 2001 +From: Christian Borntraeger +Date: Thu, 24 Aug 2017 12:55:08 +0200 +Subject: s390/mm: avoid empty zero pages for KVM guests to avoid postcopy hangs + +From: Christian Borntraeger + +commit fa41ba0d08de7c975c3e94d0067553f9b934221f upstream. + +Right now there is a potential hang situation for postcopy migrations, +if the guest is enabling storage keys on the target system during the +postcopy process. + +For storage key virtualization, we have to forbid the empty zero page as +the storage key is a property of the physical page frame. As we enable +storage key handling lazily we then drop all mappings for empty zero +pages for lazy refaulting later on. + +This does not work with the postcopy migration, which relies on the +empty zero page never triggering a fault again in the future. The reason +is that postcopy migration will simply read a page on the target system +if that page is a known zero page to fault in an empty zero page. At +the same time postcopy remembers that this page was already transferred +- so any future userfault on that page will NOT be retransmitted again +to avoid races. + +If now the guest enters the storage key mode while in postcopy, we will +break this assumption of postcopy. + +The solution is to disable the empty zero page for KVM guests early on +and not during storage key enablement. With this change, the postcopy +migration process is guaranteed to start after no zero pages are left. + +As guest pages are very likely not empty zero pages anyway the memory +overhead is also pretty small. + +While at it this also adds proper page table locking to the zero page +removal. + +Signed-off-by: Christian Borntraeger +Acked-by: Janosch Frank +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/include/asm/pgtable.h | 2 +- + arch/s390/mm/gmap.c | 39 ++++++++++++++++++++++++++++++++------- + 2 files changed, 33 insertions(+), 8 deletions(-) + +--- a/arch/s390/include/asm/pgtable.h ++++ b/arch/s390/include/asm/pgtable.h +@@ -505,7 +505,7 @@ static inline int mm_alloc_pgste(struct + * In the case that a guest uses storage keys + * faults should no longer be backed by zero pages + */ +-#define mm_forbids_zeropage mm_use_skey ++#define mm_forbids_zeropage mm_has_pgste + static inline int mm_use_skey(struct mm_struct *mm) + { + #ifdef CONFIG_PGSTE +--- a/arch/s390/mm/gmap.c ++++ b/arch/s390/mm/gmap.c +@@ -2121,6 +2121,37 @@ static inline void thp_split_mm(struct m + } + + /* ++ * Remove all empty zero pages from the mapping for lazy refaulting ++ * - This must be called after mm->context.has_pgste is set, to avoid ++ * future creation of zero pages ++ * - This must be called after THP was enabled ++ */ ++static int __zap_zero_pages(pmd_t *pmd, unsigned long start, ++ unsigned long end, struct mm_walk *walk) ++{ ++ unsigned long addr; ++ ++ for (addr = start; addr != end; addr += PAGE_SIZE) { ++ pte_t *ptep; ++ spinlock_t *ptl; ++ ++ ptep = pte_offset_map_lock(walk->mm, pmd, addr, &ptl); ++ if (is_zero_pfn(pte_pfn(*ptep))) ++ ptep_xchg_direct(walk->mm, addr, ptep, __pte(_PAGE_INVALID)); ++ pte_unmap_unlock(ptep, ptl); ++ } ++ return 0; ++} ++ ++static inline void zap_zero_pages(struct mm_struct *mm) ++{ ++ struct mm_walk walk = { .pmd_entry = __zap_zero_pages }; ++ ++ walk.mm = mm; ++ walk_page_range(0, TASK_SIZE, &walk); ++} ++ ++/* + * switch on pgstes for its userspace process (for kvm) + */ + int s390_enable_sie(void) +@@ -2137,6 +2168,7 @@ int s390_enable_sie(void) + mm->context.has_pgste = 1; + /* split thp mappings and disable thp for future mappings */ + thp_split_mm(mm); ++ zap_zero_pages(mm); + up_write(&mm->mmap_sem); + return 0; + } +@@ -2149,13 +2181,6 @@ EXPORT_SYMBOL_GPL(s390_enable_sie); + static int __s390_enable_skey(pte_t *pte, unsigned long addr, + unsigned long next, struct mm_walk *walk) + { +- /* +- * Remove all zero page mappings, +- * after establishing a policy to forbid zero page mappings +- * following faults for that page will get fresh anonymous pages +- */ +- if (is_zero_pfn(pte_pfn(*pte))) +- ptep_xchg_direct(walk->mm, addr, pte, __pte(_PAGE_INVALID)); + /* Clear storage key */ + ptep_zap_key(walk->mm, addr, pte); + return 0; diff --git a/queue-4.13/series b/queue-4.13/series index 8acd3f5bb03..05aa57e0cc1 100644 --- a/queue-4.13/series +++ b/queue-4.13/series @@ -3,6 +3,38 @@ usb-serial-option-add-support-for-d-link-dwm-157-c1.patch usb-add-device-quirk-for-logitech-hd-pro-webcam-c920-c.patch usb-xhci-fix-regression-when-ati-chipsets-detected.patch usb-musb-fix-external-abort-on-suspend.patch +android-binder-add-padding-to-binder_fd_array_object.patch +android-binder-add-hwbinder-vndbinder-to-binder_devices.patch +usb-core-avoid-race-of-async_completed-w-usbdev_release.patch +staging-rts5208-fix-incorrect-shift-to-extract-upper-nybble.patch +staging-ccree-save-ciphertext-for-cts-iv.patch +staging-fsl-dpaa2-eth-fix-off-by-one-fd-ctrl-bitmaks.patch +iio-adc-ti-ads1015-fix-incorrect-data-rate-setting-update.patch +iio-adc-ti-ads1015-fix-scale-information-for-ads1115.patch +iio-adc-ti-ads1015-enable-conversion-when-config_pm-is-not-set.patch +iio-adc-ti-ads1015-avoid-getting-stale-result-after-runtime-resume.patch +iio-adc-ti-ads1015-don-t-return-invalid-value-from-buffer-setup-callbacks.patch +iio-adc-ti-ads1015-add-adequate-wait-time-to-get-correct-conversion.patch +driver-core-bus-fix-a-potential-double-free.patch +hid-wacom-do-not-completely-map-wacom_hid_wd_touchringstatus-usage.patch +binder-free-memory-on-error.patch +crypto-caam-qi-fix-compilation-with-config_debug_force_weak_per_cpu-y.patch +crypto-caam-qi-fix-compilation-with-debug-enabled.patch +thunderbolt-fix-reset-response_type.patch +fpga-altera-hps2fpga-fix-multiple-init-of-l3_remap_lock.patch +intel_th-pci-add-cannon-lake-pch-h-support.patch +intel_th-pci-add-cannon-lake-pch-lp-support.patch +ath10k-fix-memory-leak-in-rx-ring-buffer-allocation.patch drm-vgem-pin-our-pages-for-dmabuf-exports.patch drm-ttm-fix-accounting-error-when-fail-to-get-pages-for-pool.patch drm-dp-mst-handle-errors-from-drm_atomic_get_private_obj_state-correctly.patch +rtlwifi-rtl_pci_probe-fix-fail-path-of-_rtl_pci_find_adapter.patch +bluetooth-add-support-of-13d3-3494-rtl8723be-device.patch +iwlwifi-pci-add-new-pci-id-for-7265d.patch +dlm-avoid-double-free-on-error-path-in-dlm_device_-register-unregister.patch +mwifiex-correct-channel-stat-buffer-overflows.patch +mcb-add-support-for-sc31-to-mcb-lpc.patch +s390-mm-avoid-empty-zero-pages-for-kvm-guests-to-avoid-postcopy-hangs.patch +drm-nouveau-pci-msi-disable-msi-on-big-endian-platforms-by-default.patch +drm-nouveau-fix-error-handling-in-nv50_disp_atomic_commit.patch +workqueue-fix-flag-collision.patch diff --git a/queue-4.13/staging-ccree-save-ciphertext-for-cts-iv.patch b/queue-4.13/staging-ccree-save-ciphertext-for-cts-iv.patch new file mode 100644 index 00000000000..965e48287f9 --- /dev/null +++ b/queue-4.13/staging-ccree-save-ciphertext-for-cts-iv.patch @@ -0,0 +1,118 @@ +From 737aed947f9b5bd749a2684e13572ee99a1b8bae Mon Sep 17 00:00:00 2001 +From: Gilad Ben-Yossef +Date: Wed, 23 Aug 2017 12:12:05 +0300 +Subject: staging: ccree: save ciphertext for CTS IV + +From: Gilad Ben-Yossef + +commit 737aed947f9b5bd749a2684e13572ee99a1b8bae upstream. + +The crypto API requires saving the last blocks of ciphertext +in req->info for use as IV for CTS mode. The ccree driver +was not doing this. This patch fixes that. + +The bug was manifested with cts(cbc(aes)) mode in tcrypt tests. + +Fixes: 302ef8ebb4b2 ("Add CryptoCell skcipher support") +Signed-off-by: Gilad Ben-Yossef +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/ccree/ssi_cipher.c | 40 +++++++++++++++++++++++++++++++++---- + 1 file changed, 36 insertions(+), 4 deletions(-) + +--- a/drivers/staging/ccree/ssi_cipher.c ++++ b/drivers/staging/ccree/ssi_cipher.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + + #include "ssi_config.h" + #include "ssi_driver.h" +@@ -716,6 +717,7 @@ static int ssi_blkcipher_complete(struct + { + int completion_error = 0; + u32 inflight_counter; ++ struct ablkcipher_request *req = (struct ablkcipher_request *)areq; + + ssi_buffer_mgr_unmap_blkcipher_request(dev, req_ctx, ivsize, src, dst); + +@@ -726,6 +728,22 @@ static int ssi_blkcipher_complete(struct + ctx_p->drvdata->inflight_counter--; + + if (areq) { ++ /* ++ * The crypto API expects us to set the req->info to the last ++ * ciphertext block. For encrypt, simply copy from the result. ++ * For decrypt, we must copy from a saved buffer since this ++ * could be an in-place decryption operation and the src is ++ * lost by this point. ++ */ ++ if (req_ctx->gen_ctx.op_type == DRV_CRYPTO_DIRECTION_DECRYPT) { ++ memcpy(req->info, req_ctx->backup_info, ivsize); ++ kfree(req_ctx->backup_info); ++ } else { ++ scatterwalk_map_and_copy(req->info, req->dst, ++ (req->nbytes - ivsize), ++ ivsize, 0); ++ } ++ + ablkcipher_request_complete(areq, completion_error); + return 0; + } +@@ -759,11 +777,13 @@ static int ssi_blkcipher_process( + if (unlikely(validate_data_size(ctx_p, nbytes))) { + SSI_LOG_ERR("Unsupported data size %d.\n", nbytes); + crypto_tfm_set_flags(tfm, CRYPTO_TFM_RES_BAD_BLOCK_LEN); +- return -EINVAL; ++ rc = -EINVAL; ++ goto exit_process; + } + if (nbytes == 0) { + /* No data to process is valid */ +- return 0; ++ rc = 0; ++ goto exit_process; + } + /*For CTS in case of data size aligned to 16 use CBC mode*/ + if (((nbytes % AES_BLOCK_SIZE) == 0) && (ctx_p->cipher_mode == DRV_CIPHER_CBC_CTS)) { +@@ -842,6 +862,9 @@ exit_process: + if (cts_restore_flag != 0) + ctx_p->cipher_mode = DRV_CIPHER_CBC_CTS; + ++ if (rc != -EINPROGRESS) ++ kfree(req_ctx->backup_info); ++ + return rc; + } + +@@ -884,7 +907,6 @@ static int ssi_ablkcipher_encrypt(struct + struct blkcipher_req_ctx *req_ctx = ablkcipher_request_ctx(req); + unsigned int ivsize = crypto_ablkcipher_ivsize(ablk_tfm); + +- req_ctx->backup_info = req->info; + req_ctx->is_giv = false; + + return ssi_blkcipher_process(tfm, req_ctx, req->dst, req->src, req->nbytes, req->info, ivsize, (void *)req, DRV_CRYPTO_DIRECTION_ENCRYPT); +@@ -897,8 +919,18 @@ static int ssi_ablkcipher_decrypt(struct + struct blkcipher_req_ctx *req_ctx = ablkcipher_request_ctx(req); + unsigned int ivsize = crypto_ablkcipher_ivsize(ablk_tfm); + +- req_ctx->backup_info = req->info; ++ /* ++ * Allocate and save the last IV sized bytes of the source, which will ++ * be lost in case of in-place decryption and might be needed for CTS. ++ */ ++ req_ctx->backup_info = kmalloc(ivsize, GFP_KERNEL); ++ if (!req_ctx->backup_info) ++ return -ENOMEM; ++ ++ scatterwalk_map_and_copy(req_ctx->backup_info, req->src, ++ (req->nbytes - ivsize), ivsize, 0); + req_ctx->is_giv = false; ++ + return ssi_blkcipher_process(tfm, req_ctx, req->dst, req->src, req->nbytes, req->info, ivsize, (void *)req, DRV_CRYPTO_DIRECTION_DECRYPT); + } + diff --git a/queue-4.13/staging-fsl-dpaa2-eth-fix-off-by-one-fd-ctrl-bitmaks.patch b/queue-4.13/staging-fsl-dpaa2-eth-fix-off-by-one-fd-ctrl-bitmaks.patch new file mode 100644 index 00000000000..289a868ab39 --- /dev/null +++ b/queue-4.13/staging-fsl-dpaa2-eth-fix-off-by-one-fd-ctrl-bitmaks.patch @@ -0,0 +1,36 @@ +From 11b86a84bc535a602fcf72ba6b3aa4eaa748764f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Horia=20Geant=C4=83?= +Date: Fri, 1 Sep 2017 15:58:41 +0300 +Subject: staging: fsl-dpaa2/eth: fix off-by-one FD ctrl bitmaks +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Horia Geantă + +commit 11b86a84bc535a602fcf72ba6b3aa4eaa748764f upstream. + +Fix the values of DPAA2_FD_CTRL_FSE and DPAA2_FD_CTRL_FAERR, +which are shifted off by one bit. + +Fixes: 39163c0ce0f48 ("staging: fsl-dpaa2/eth: Errors checking update") +Signed-off-by: Horia Geantă +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.h ++++ b/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.h +@@ -123,8 +123,8 @@ struct dpaa2_eth_swa { + /* Error bits in FD CTRL */ + #define DPAA2_FD_CTRL_UFD 0x00000004 + #define DPAA2_FD_CTRL_SBE 0x00000008 +-#define DPAA2_FD_CTRL_FSE 0x00000010 +-#define DPAA2_FD_CTRL_FAERR 0x00000020 ++#define DPAA2_FD_CTRL_FSE 0x00000020 ++#define DPAA2_FD_CTRL_FAERR 0x00000040 + + #define DPAA2_FD_RX_ERR_MASK (DPAA2_FD_CTRL_SBE | \ + DPAA2_FD_CTRL_FAERR) diff --git a/queue-4.13/staging-rts5208-fix-incorrect-shift-to-extract-upper-nybble.patch b/queue-4.13/staging-rts5208-fix-incorrect-shift-to-extract-upper-nybble.patch new file mode 100644 index 00000000000..55a509401e4 --- /dev/null +++ b/queue-4.13/staging-rts5208-fix-incorrect-shift-to-extract-upper-nybble.patch @@ -0,0 +1,34 @@ +From 34ff1bf4920471cff66775dc39537b15c5f0feff Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Fri, 18 Aug 2017 14:34:16 +0100 +Subject: staging/rts5208: fix incorrect shift to extract upper nybble + +From: Colin Ian King + +commit 34ff1bf4920471cff66775dc39537b15c5f0feff upstream. + +The mask of sns_key_info1 suggests the upper nybble is being extracted +however the following shift of 8 bits is too large and always results in +0. Fix this by shifting only by 4 bits to correctly get the upper nybble. + +Detected by CoverityScan, CID#142891 ("Operands don't affect result") + +Fixes: fa590c222fba ("staging: rts5208: add support for rts5208 and rts5288") +Signed-off-by: Colin Ian King +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/rts5208/rtsx_scsi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/rts5208/rtsx_scsi.c ++++ b/drivers/staging/rts5208/rtsx_scsi.c +@@ -414,7 +414,7 @@ void set_sense_data(struct rtsx_chip *ch + sense->ascq = ascq; + if (sns_key_info0 != 0) { + sense->sns_key_info[0] = SKSV | sns_key_info0; +- sense->sns_key_info[1] = (sns_key_info1 & 0xf0) >> 8; ++ sense->sns_key_info[1] = (sns_key_info1 & 0xf0) >> 4; + sense->sns_key_info[2] = sns_key_info1 & 0x0f; + } + } diff --git a/queue-4.13/thunderbolt-fix-reset-response_type.patch b/queue-4.13/thunderbolt-fix-reset-response_type.patch new file mode 100644 index 00000000000..c648da4bf96 --- /dev/null +++ b/queue-4.13/thunderbolt-fix-reset-response_type.patch @@ -0,0 +1,34 @@ +From 02729d17b1b818cc38a6b6319231a0cd86b132e4 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 16 Aug 2017 11:54:17 +0300 +Subject: thunderbolt: Fix reset response_type + +From: Dan Carpenter + +commit 02729d17b1b818cc38a6b6319231a0cd86b132e4 upstream. + +There is a mistake here where we accidentally use sizeof(TB_CFG_PKG_RESET) +instead of just TB_CFG_PKG_RESET. The size of an int is 4 so it's the +same as TB_CFG_PKG_NOTIFY_ACK. + +Fixes: d7f781bfdbf4 ("thunderbolt: Rework control channel to be more reliable") +Reported-by: Colin King +Signed-off-by: Dan Carpenter +Acked-by: Mika Westerberg +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/thunderbolt/ctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/thunderbolt/ctl.c ++++ b/drivers/thunderbolt/ctl.c +@@ -804,7 +804,7 @@ struct tb_cfg_result tb_cfg_reset(struct + req->request_type = TB_CFG_PKG_RESET; + req->response = &reply; + req->response_size = sizeof(reply); +- req->response_type = sizeof(TB_CFG_PKG_RESET); ++ req->response_type = TB_CFG_PKG_RESET; + + res = tb_cfg_request_sync(ctl, req, timeout_msec); + diff --git a/queue-4.13/usb-core-avoid-race-of-async_completed-w-usbdev_release.patch b/queue-4.13/usb-core-avoid-race-of-async_completed-w-usbdev_release.patch new file mode 100644 index 00000000000..23e3c3a6974 --- /dev/null +++ b/queue-4.13/usb-core-avoid-race-of-async_completed-w-usbdev_release.patch @@ -0,0 +1,105 @@ +From ed62ca2f4f51c17841ea39d98c0c409cb53a3e10 Mon Sep 17 00:00:00 2001 +From: Douglas Anderson +Date: Thu, 10 Aug 2017 15:42:22 -0700 +Subject: USB: core: Avoid race of async_completed() w/ usbdev_release() + +From: Douglas Anderson + +commit ed62ca2f4f51c17841ea39d98c0c409cb53a3e10 upstream. + +While running reboot tests w/ a specific set of USB devices (and +slub_debug enabled), I found that once every few hours my device would +be crashed with a stack that looked like this: + +[ 14.012445] BUG: spinlock bad magic on CPU#0, modprobe/2091 +[ 14.012460] lock: 0xffffffc0cb055978, .magic: ffffffc0, .owner: cryption contexts: %lu/%lu +[ 14.012460] /1025536097, .owner_cpu: 0 +[ 14.012466] CPU: 0 PID: 2091 Comm: modprobe Not tainted 4.4.79 #352 +[ 14.012468] Hardware name: Google Kevin (DT) +[ 14.012471] Call trace: +[ 14.012483] [<....>] dump_backtrace+0x0/0x160 +[ 14.012487] [<....>] show_stack+0x20/0x28 +[ 14.012494] [<....>] dump_stack+0xb4/0xf0 +[ 14.012500] [<....>] spin_dump+0x8c/0x98 +[ 14.012504] [<....>] spin_bug+0x30/0x3c +[ 14.012508] [<....>] do_raw_spin_lock+0x40/0x164 +[ 14.012515] [<....>] _raw_spin_lock_irqsave+0x64/0x74 +[ 14.012521] [<....>] __wake_up+0x2c/0x60 +[ 14.012528] [<....>] async_completed+0x2d0/0x300 +[ 14.012534] [<....>] __usb_hcd_giveback_urb+0xc4/0x138 +[ 14.012538] [<....>] usb_hcd_giveback_urb+0x54/0xf0 +[ 14.012544] [<....>] xhci_irq+0x1314/0x1348 +[ 14.012548] [<....>] usb_hcd_irq+0x40/0x50 +[ 14.012553] [<....>] handle_irq_event_percpu+0x1b4/0x3f0 +[ 14.012556] [<....>] handle_irq_event+0x4c/0x7c +[ 14.012561] [<....>] handle_fasteoi_irq+0x158/0x1c8 +[ 14.012564] [<....>] generic_handle_irq+0x30/0x44 +[ 14.012568] [<....>] __handle_domain_irq+0x90/0xbc +[ 14.012572] [<....>] gic_handle_irq+0xcc/0x18c + +Investigation using kgdb() found that the wait queue that was passed +into wake_up() had been freed (it was filled with slub_debug poison). + +I analyzed and instrumented the code and reproduced. My current +belief is that this is happening: + +1. async_completed() is called (from IRQ). Moves "as" onto the + completed list. +2. On another CPU, proc_reapurbnonblock_compat() calls + async_getcompleted(). Blocks on spinlock. +3. async_completed() releases the lock; keeps running; gets blocked + midway through wake_up(). +4. proc_reapurbnonblock_compat() => async_getcompleted() gets the + lock; removes "as" from completed list and frees it. +5. usbdev_release() is called. Frees "ps". +6. async_completed() finally continues running wake_up(). ...but + wake_up() has a pointer to the freed "ps". + +The instrumentation that led me to believe this was based on adding +some trace_printk() calls in a select few functions and then using +kdb's "ftdump" at crash time. The trace follows (NOTE: in the trace +below I cheated a little bit and added a udelay(1000) in +async_completed() after releasing the spinlock because I wanted it to +trigger quicker): + +<...>-2104 0d.h2 13759034us!: async_completed at start: as=ffffffc0cc638200 +mtpd-2055 3.... 13759356us : async_getcompleted before spin_lock_irqsave +mtpd-2055 3d..1 13759362us : async_getcompleted after list_del_init: as=ffffffc0cc638200 +mtpd-2055 3.... 13759371us+: proc_reapurbnonblock_compat: free_async(ffffffc0cc638200) +mtpd-2055 3.... 13759422us+: async_getcompleted before spin_lock_irqsave +mtpd-2055 3.... 13759479us : usbdev_release at start: ps=ffffffc0cc042080 +mtpd-2055 3.... 13759487us : async_getcompleted before spin_lock_irqsave +mtpd-2055 3.... 13759497us!: usbdev_release after kfree(ps): ps=ffffffc0cc042080 +<...>-2104 0d.h2 13760294us : async_completed before wake_up(): as=ffffffc0cc638200 + +To fix this problem we can just move the wake_up() under the ps->lock. +There should be no issues there that I'm aware of. + +Signed-off-by: Douglas Anderson +Acked-by: Alan Stern +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/devio.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/core/devio.c ++++ b/drivers/usb/core/devio.c +@@ -623,6 +623,8 @@ static void async_completed(struct urb * + if (as->status < 0 && as->bulk_addr && as->status != -ECONNRESET && + as->status != -ENOENT) + cancel_bulk_urbs(ps, as->bulk_addr); ++ ++ wake_up(&ps->wait); + spin_unlock(&ps->lock); + + if (signr) { +@@ -630,8 +632,6 @@ static void async_completed(struct urb * + put_pid(pid); + put_cred(cred); + } +- +- wake_up(&ps->wait); + } + + static void destroy_async(struct usb_dev_state *ps, struct list_head *list) diff --git a/queue-4.13/workqueue-fix-flag-collision.patch b/queue-4.13/workqueue-fix-flag-collision.patch new file mode 100644 index 00000000000..def91ee7d2c --- /dev/null +++ b/queue-4.13/workqueue-fix-flag-collision.patch @@ -0,0 +1,35 @@ +From fbf1c41fc0f4d3574ac2377245efd666c1fa3075 Mon Sep 17 00:00:00 2001 +From: Ben Hutchings +Date: Sun, 3 Sep 2017 01:18:41 +0100 +Subject: workqueue: Fix flag collision + +From: Ben Hutchings + +commit fbf1c41fc0f4d3574ac2377245efd666c1fa3075 upstream. + +Commit 0a94efb5acbb ("workqueue: implicit ordered attribute should be +overridable") introduced a __WQ_ORDERED_EXPLICIT flag but gave it the +same value as __WQ_LEGACY. I don't believe these were intended to +mean the same thing, so renumber __WQ_ORDERED_EXPLICIT. + +Fixes: 0a94efb5acbb ("workqueue: implicit ordered attribute should be ...") +Signed-off-by: Ben Hutchings +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/workqueue.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/workqueue.h ++++ b/include/linux/workqueue.h +@@ -323,8 +323,8 @@ enum { + + __WQ_DRAINING = 1 << 16, /* internal: workqueue is draining */ + __WQ_ORDERED = 1 << 17, /* internal: workqueue is ordered */ +- __WQ_ORDERED_EXPLICIT = 1 << 18, /* internal: alloc_ordered_workqueue() */ + __WQ_LEGACY = 1 << 18, /* internal: create*_workqueue() */ ++ __WQ_ORDERED_EXPLICIT = 1 << 19, /* internal: alloc_ordered_workqueue() */ + + WQ_MAX_ACTIVE = 512, /* I like 512, better ideas? */ + WQ_MAX_UNBOUND_PER_CPU = 4, /* 4 * #cpus for unbound wq */ -- 2.47.3