From: Greg Kroah-Hartman Date: Mon, 26 Feb 2018 15:55:02 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v3.18.97~17 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1544eca7ff9a90c18f242547200f8f0833832f15;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: add-delay-init-quirk-for-corsair-k70-rgb-keyboards.patch arm64-disable-unhandled-signal-log-messages-by-default.patch cfg80211-fix-cfg80211_beacon_dup.patch drm-amdgpu-avoid-leaking-pm-domain-on-driver-unbind-v2.patch drm-edid-add-6-bpc-quirk-for-cpt-panel-in-asus-ux303la.patch iio-adis_lib-initialize-trigger-before-requesting-interrupt.patch iio-buffer-check-if-a-buffer-has-been-set-up-when-poll-is-called.patch irqchip-gic-v3-use-wmb-instead-of-smb_wmb-in-gic_raise_softirq.patch scsi-ibmvfc-fix-misdefined-reserved-field-in-ibmvfc_fcp_rsp_info.patch usb-dwc3-gadget-set-maxpacket-size-for-ep0-in.patch usb-gadget-f_fs-process-all-descriptors-during-bind.patch usb-ldusb-add-pids-for-new-cassy-devices-supported-by-this-driver.patch usb-ohci-proper-handling-of-ed_rm_list-to-handle-race-condition-between-usb_kill_urb-and-finish_unlinks.patch usb-renesas_usbhs-missed-the-running-flag-in-usb_dmac-with-rx-path.patch x86-oprofile-fix-bogus-gcc-8-warning-in-nmi_setup.patch xtensa-fix-high-memory-reserved-memory-collision.patch --- diff --git a/queue-4.4/add-delay-init-quirk-for-corsair-k70-rgb-keyboards.patch b/queue-4.4/add-delay-init-quirk-for-corsair-k70-rgb-keyboards.patch new file mode 100644 index 00000000000..58ead39c8c1 --- /dev/null +++ b/queue-4.4/add-delay-init-quirk-for-corsair-k70-rgb-keyboards.patch @@ -0,0 +1,38 @@ +From 7a1646d922577b5b48c0d222e03831141664bb59 Mon Sep 17 00:00:00 2001 +From: Jack Stocker +Date: Thu, 15 Feb 2018 18:24:10 +0000 +Subject: Add delay-init quirk for Corsair K70 RGB keyboards + +From: Jack Stocker + +commit 7a1646d922577b5b48c0d222e03831141664bb59 upstream. + +Following on from this patch: https://lkml.org/lkml/2017/11/3/516, +Corsair K70 RGB keyboards also require the DELAY_INIT quirk to +start correctly at boot. + +Device ids found here: +usb 3-3: New USB device found, idVendor=1b1c, idProduct=1b13 +usb 3-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3 +usb 3-3: Product: Corsair K70 RGB Gaming Keyboard + +Signed-off-by: Jack Stocker +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/quirks.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -225,6 +225,9 @@ static const struct usb_device_id usb_qu + { USB_DEVICE(0x1a0a, 0x0200), .driver_info = + USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL }, + ++ /* Corsair K70 RGB */ ++ { USB_DEVICE(0x1b1c, 0x1b13), .driver_info = USB_QUIRK_DELAY_INIT }, ++ + /* Corsair Strafe RGB */ + { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT }, + diff --git a/queue-4.4/arm64-disable-unhandled-signal-log-messages-by-default.patch b/queue-4.4/arm64-disable-unhandled-signal-log-messages-by-default.patch new file mode 100644 index 00000000000..5ed958dabb5 --- /dev/null +++ b/queue-4.4/arm64-disable-unhandled-signal-log-messages-by-default.patch @@ -0,0 +1,59 @@ +From 5ee39a71fd89ab7240c5339d04161c44a8e03269 Mon Sep 17 00:00:00 2001 +From: Michael Weiser +Date: Thu, 1 Feb 2018 23:13:38 +0100 +Subject: arm64: Disable unhandled signal log messages by default + +From: Michael Weiser + +commit 5ee39a71fd89ab7240c5339d04161c44a8e03269 upstream. + +aarch64 unhandled signal kernel messages are very verbose, suggesting +them to be more of a debugging aid: + +sigsegv[33]: unhandled level 2 translation fault (11) at 0x00000000, esr +0x92000046, in sigsegv[400000+71000] +CPU: 1 PID: 33 Comm: sigsegv Tainted: G W 4.15.0-rc3+ #3 +Hardware name: linux,dummy-virt (DT) +pstate: 60000000 (nZCv daif -PAN -UAO) +pc : 0x4003f4 +lr : 0x4006bc +sp : 0000fffffe94a060 +x29: 0000fffffe94a070 x28: 0000000000000000 +x27: 0000000000000000 x26: 0000000000000000 +x25: 0000000000000000 x24: 00000000004001b0 +x23: 0000000000486ac8 x22: 00000000004001c8 +x21: 0000000000000000 x20: 0000000000400be8 +x19: 0000000000400b30 x18: 0000000000484728 +x17: 000000000865ffc8 x16: 000000000000270f +x15: 00000000000000b0 x14: 0000000000000002 +x13: 0000000000000001 x12: 0000000000000000 +x11: 0000000000000000 x10: 0008000020008008 +x9 : 000000000000000f x8 : ffffffffffffffff +x7 : 0004000000000000 x6 : ffffffffffffffff +x5 : 0000000000000000 x4 : 0000000000000000 +x3 : 00000000004003e4 x2 : 0000fffffe94a1e8 +x1 : 000000000000000a x0 : 0000000000000000 + +Disable them by default, so they can be enabled using +/proc/sys/debug/exception-trace. + +Cc: +Signed-off-by: Michael Weiser +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kernel/traps.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/kernel/traps.c ++++ b/arch/arm64/kernel/traps.c +@@ -49,7 +49,7 @@ static const char *handler[]= { + "Error" + }; + +-int show_unhandled_signals = 1; ++int show_unhandled_signals = 0; + + /* + * Dump out the contents of some memory nicely... diff --git a/queue-4.4/arm64-mm-don-t-write-garbage-into-ttbr1_el1-register.patch b/queue-4.4/arm64-mm-don-t-write-garbage-into-ttbr1_el1-register.patch deleted file mode 100644 index 920108afa75..00000000000 --- a/queue-4.4/arm64-mm-don-t-write-garbage-into-ttbr1_el1-register.patch +++ /dev/null @@ -1,41 +0,0 @@ -From ard.biesheuvel@linaro.org Mon Feb 26 13:53:22 2018 -From: Ard Biesheuvel -Date: Fri, 23 Feb 2018 18:29:02 +0000 -Subject: arm64: mm: don't write garbage into TTBR1_EL1 register -To: linux-arm-kernel@lists.infradead.org -Cc: catalin.marinas@arm.com, will.deacon@arm.com, marc.zyngier@arm.com, mark.rutland@arm.com, nicolas.dechesne@linaro.org, gregkh@linuxfoundation.org, Ard Biesheuvel -Message-ID: <20180223182902.24873-1-ard.biesheuvel@linaro.org> - -From: Ard Biesheuvel - -Stable backport commit 173358a49173 ("arm64: kpti: Add ->enable callback -to remap swapper using nG mappings") of upstream commit f992b4dfd58b did -not survive the backporting process unscathed, and ends up writing garbage -into the TTBR1_EL1 register, rather than pointing it to the zero page to -disable translations. Fix that. - -Cc: #v4.14 -Reported-by: Nicolas Dechesne -Signed-off-by: Ard Biesheuvel -Acked-by: Will Deacon -Signed-off-by: Greg Kroah-Hartman ---- - arch/arm64/mm/proc.S | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/arch/arm64/mm/proc.S b/arch/arm64/mm/proc.S -index 08572f95bd8a..2b473ddeb7a3 100644 ---- a/arch/arm64/mm/proc.S -+++ b/arch/arm64/mm/proc.S -@@ -155,7 +155,7 @@ ENDPROC(cpu_do_switch_mm) - - .macro __idmap_cpu_set_reserved_ttbr1, tmp1, tmp2 - adrp \tmp1, empty_zero_page -- msr ttbr1_el1, \tmp2 -+ msr ttbr1_el1, \tmp1 - isb - tlbi vmalle1 - dsb nsh --- -2.11.0 - diff --git a/queue-4.4/cfg80211-fix-cfg80211_beacon_dup.patch b/queue-4.4/cfg80211-fix-cfg80211_beacon_dup.patch new file mode 100644 index 00000000000..42c2154f8ab --- /dev/null +++ b/queue-4.4/cfg80211-fix-cfg80211_beacon_dup.patch @@ -0,0 +1,38 @@ +From bee92d06157fc39d5d7836a061c7d41289a55797 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Fri, 2 Feb 2018 16:31:23 +0100 +Subject: cfg80211: fix cfg80211_beacon_dup + +From: Arnd Bergmann + +commit bee92d06157fc39d5d7836a061c7d41289a55797 upstream. + +gcc-8 warns about some obviously incorrect code: + +net/mac80211/cfg.c: In function 'cfg80211_beacon_dup': +net/mac80211/cfg.c:2896:3: error: 'memcpy' source argument is the same as destination [-Werror=restrict] + +From the context, I conclude that we want to copy from beacon into +new_beacon, as we do in the rest of the function. + +Cc: stable@vger.kernel.org +Fixes: 73da7d5bab79 ("mac80211: add channel switch command and beacon callbacks") +Signed-off-by: Arnd Bergmann +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/cfg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -2877,7 +2877,7 @@ cfg80211_beacon_dup(struct cfg80211_beac + } + if (beacon->probe_resp_len) { + new_beacon->probe_resp_len = beacon->probe_resp_len; +- beacon->probe_resp = pos; ++ new_beacon->probe_resp = pos; + memcpy(pos, beacon->probe_resp, beacon->probe_resp_len); + pos += beacon->probe_resp_len; + } diff --git a/queue-4.4/drm-amdgpu-avoid-leaking-pm-domain-on-driver-unbind-v2.patch b/queue-4.4/drm-amdgpu-avoid-leaking-pm-domain-on-driver-unbind-v2.patch new file mode 100644 index 00000000000..51090772c5d --- /dev/null +++ b/queue-4.4/drm-amdgpu-avoid-leaking-pm-domain-on-driver-unbind-v2.patch @@ -0,0 +1,40 @@ +From 458d876eb869d5a88b53074c6c271b8b9adc0f07 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Mon, 22 Jan 2018 23:13:32 -0500 +Subject: drm/amdgpu: Avoid leaking PM domain on driver unbind (v2) + +From: Alex Deucher + +commit 458d876eb869d5a88b53074c6c271b8b9adc0f07 upstream. + +We only support vga_switcheroo and runtime pm on PX/HG systems +so forcing runpm to 1 doesn't do anything useful anyway. + +Only call vga_switcheroo_init_domain_pm_ops() for PX/HG so +that the cleanup path is correct as well. This mirrors what +radeon does as well. + +v2: rework the patch originally sent by Lukas (Alex) + +Acked-by: Lukas Wunner +Reported-by: Lukas Wunner +Signed-off-by: Alex Deucher +Signed-off-by: Lukas Wunner (v1) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -1467,8 +1467,6 @@ int amdgpu_device_init(struct amdgpu_dev + * ignore it */ + vga_client_register(adev->pdev, adev, NULL, amdgpu_vga_set_decode); + +- if (amdgpu_runtime_pm == 1) +- runtime = true; + if (amdgpu_device_is_px(ddev)) + runtime = true; + vga_switcheroo_register_client(adev->pdev, &amdgpu_switcheroo_ops, runtime); diff --git a/queue-4.4/drm-edid-add-6-bpc-quirk-for-cpt-panel-in-asus-ux303la.patch b/queue-4.4/drm-edid-add-6-bpc-quirk-for-cpt-panel-in-asus-ux303la.patch new file mode 100644 index 00000000000..64e0eef34e1 --- /dev/null +++ b/queue-4.4/drm-edid-add-6-bpc-quirk-for-cpt-panel-in-asus-ux303la.patch @@ -0,0 +1,40 @@ +From 06998a756a3865817b87a129a7e5d5bb66dc1ec3 Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Sun, 18 Feb 2018 16:53:59 +0800 +Subject: drm/edid: Add 6 bpc quirk for CPT panel in Asus UX303LA + +From: Kai-Heng Feng + +commit 06998a756a3865817b87a129a7e5d5bb66dc1ec3 upstream. + +Similar to commit e10aec652f31 ("drm/edid: Add 6 bpc quirk for display +AEO model 0."), the EDID reports "DFP 1.x compliant TMDS" but it support +6bpc instead of 8 bpc. + +Hence, use 6 bpc quirk for this panel. + +Fixes: 196f954e2509 ("drm/i915/dp: Revert "drm/i915/dp: fall back to 18 bpp when sink capability is unknown"") +BugLink: https://bugs.launchpad.net/bugs/1749420 +Signed-off-by: Kai-Heng Feng +Reviewed-by: Mario Kleiner +Cc: # v4.8+ +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20180218085359.7817-1-kai.heng.feng@canonical.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_edid.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/drm_edid.c ++++ b/drivers/gpu/drm/drm_edid.c +@@ -106,6 +106,9 @@ static struct edid_quirk { + /* AEO model 0 reports 8 bpc, but is a 6 bpc panel */ + { "AEO", 0, EDID_QUIRK_FORCE_6BPC }, + ++ /* CPT panel of Asus UX303LA reports 8 bpc, but is a 6 bpc panel */ ++ { "CPT", 0x17df, EDID_QUIRK_FORCE_6BPC }, ++ + /* Belinea 10 15 55 */ + { "MAX", 1516, EDID_QUIRK_PREFER_LARGE_60 }, + { "MAX", 0x77e, EDID_QUIRK_PREFER_LARGE_60 }, diff --git a/queue-4.4/iio-adis_lib-initialize-trigger-before-requesting-interrupt.patch b/queue-4.4/iio-adis_lib-initialize-trigger-before-requesting-interrupt.patch new file mode 100644 index 00000000000..9aaa65fbacf --- /dev/null +++ b/queue-4.4/iio-adis_lib-initialize-trigger-before-requesting-interrupt.patch @@ -0,0 +1,97 @@ +From f027e0b3a774e10302207e91d304bbf99e3a8b36 Mon Sep 17 00:00:00 2001 +From: Lars-Peter Clausen +Date: Wed, 14 Feb 2018 15:43:00 +0100 +Subject: iio: adis_lib: Initialize trigger before requesting interrupt + +From: Lars-Peter Clausen + +commit f027e0b3a774e10302207e91d304bbf99e3a8b36 upstream. + +The adis_probe_trigger() creates a new IIO trigger and requests an +interrupt associated with the trigger. The interrupt uses the generic +iio_trigger_generic_data_rdy_poll() function as its interrupt handler. + +Currently the driver initializes some fields of the trigger structure after +the interrupt has been requested. But an interrupt can fire as soon as it +has been requested. This opens up a race condition. + +iio_trigger_generic_data_rdy_poll() will access the trigger data structure +and dereference the ops field. If the ops field is not yet initialized this +will result in a NULL pointer deref. + +It is not expected that the device generates an interrupt at this point, so +typically this issue did not surface unless e.g. due to a hardware +misconfiguration (wrong interrupt number, wrong polarity, etc.). + +But some newer devices from the ADIS family start to generate periodic +interrupts in their power-on reset configuration and unfortunately the +interrupt can not be masked in the device. This makes the race condition +much more visible and the following crash has been observed occasionally +when booting a system using the ADIS16460. + + Unable to handle kernel NULL pointer dereference at virtual address 00000008 + pgd = c0004000 + [00000008] *pgd=00000000 + Internal error: Oops: 5 [#1] PREEMPT SMP ARM + Modules linked in: + CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.9.0-04126-gf9739f0-dirty #257 + Hardware name: Xilinx Zynq Platform + task: ef04f640 task.stack: ef050000 + PC is at iio_trigger_notify_done+0x30/0x68 + LR is at iio_trigger_generic_data_rdy_poll+0x18/0x20 + pc : [] lr : [] psr: 60000193 + sp : ef051bb8 ip : 00000000 fp : ef106400 + r10: c081d80a r9 : ef3bfa00 r8 : 00000087 + r7 : ef051bec r6 : 00000000 r5 : ef3bfa00 r4 : ee92ab00 + r3 : 00000000 r2 : 00000000 r1 : 00000000 r0 : ee97e400 + Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment none + Control: 18c5387d Table: 0000404a DAC: 00000051 + Process swapper/0 (pid: 1, stack limit = 0xef050210) + [] (iio_trigger_notify_done) from [] (__handle_irq_event_percpu+0x88/0x118) + [] (__handle_irq_event_percpu) from [] (handle_irq_event_percpu+0x1c/0x58) + [] (handle_irq_event_percpu) from [] (handle_irq_event+0x38/0x5c) + [] (handle_irq_event) from [] (handle_level_irq+0xa4/0x130) + [] (handle_level_irq) from [] (generic_handle_irq+0x24/0x34) + [] (generic_handle_irq) from [] (zynq_gpio_irqhandler+0xb8/0x13c) + [] (zynq_gpio_irqhandler) from [] (generic_handle_irq+0x24/0x34) + [] (generic_handle_irq) from [] (__handle_domain_irq+0x5c/0xb4) + [] (__handle_domain_irq) from [] (gic_handle_irq+0x48/0x8c) + [] (gic_handle_irq) from [] (__irq_svc+0x6c/0xa8) + +To fix this make sure that the trigger is fully initialized before +requesting the interrupt. + +Fixes: ccd2b52f4ac6 ("staging:iio: Add common ADIS library") +Reported-by: Robin Getz +Signed-off-by: Lars-Peter Clausen +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/imu/adis_trigger.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/iio/imu/adis_trigger.c ++++ b/drivers/iio/imu/adis_trigger.c +@@ -47,6 +47,10 @@ int adis_probe_trigger(struct adis *adis + if (adis->trig == NULL) + return -ENOMEM; + ++ adis->trig->dev.parent = &adis->spi->dev; ++ adis->trig->ops = &adis_trigger_ops; ++ iio_trigger_set_drvdata(adis->trig, adis); ++ + ret = request_irq(adis->spi->irq, + &iio_trigger_generic_data_rdy_poll, + IRQF_TRIGGER_RISING, +@@ -55,9 +59,6 @@ int adis_probe_trigger(struct adis *adis + if (ret) + goto error_free_trig; + +- adis->trig->dev.parent = &adis->spi->dev; +- adis->trig->ops = &adis_trigger_ops; +- iio_trigger_set_drvdata(adis->trig, adis); + ret = iio_trigger_register(adis->trig); + + indio_dev->trig = iio_trigger_get(adis->trig); diff --git a/queue-4.4/iio-buffer-check-if-a-buffer-has-been-set-up-when-poll-is-called.patch b/queue-4.4/iio-buffer-check-if-a-buffer-has-been-set-up-when-poll-is-called.patch new file mode 100644 index 00000000000..58e634486f3 --- /dev/null +++ b/queue-4.4/iio-buffer-check-if-a-buffer-has-been-set-up-when-poll-is-called.patch @@ -0,0 +1,33 @@ +From 4cd140bda6494543f1c1b0ccceceaa44b676eef6 Mon Sep 17 00:00:00 2001 +From: Stefan Windfeldt-Prytz +Date: Thu, 15 Feb 2018 15:02:53 +0100 +Subject: iio: buffer: check if a buffer has been set up when poll is called + +From: Stefan Windfeldt-Prytz + +commit 4cd140bda6494543f1c1b0ccceceaa44b676eef6 upstream. + +If no iio buffer has been set up and poll is called return 0. +Without this check there will be a null pointer dereference when +calling poll on a iio driver without an iio buffer. + +Cc: stable@vger.kernel.org +Signed-off-by: Stefan Windfeldt-Prytz +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/industrialio-buffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/industrialio-buffer.c ++++ b/drivers/iio/industrialio-buffer.c +@@ -174,7 +174,7 @@ unsigned int iio_buffer_poll(struct file + struct iio_dev *indio_dev = filp->private_data; + struct iio_buffer *rb = indio_dev->buffer; + +- if (!indio_dev->info) ++ if (!indio_dev->info || rb == NULL) + return 0; + + poll_wait(filp, &rb->pollq, wait); diff --git a/queue-4.4/irqchip-gic-v3-use-wmb-instead-of-smb_wmb-in-gic_raise_softirq.patch b/queue-4.4/irqchip-gic-v3-use-wmb-instead-of-smb_wmb-in-gic_raise_softirq.patch new file mode 100644 index 00000000000..31f721d4066 --- /dev/null +++ b/queue-4.4/irqchip-gic-v3-use-wmb-instead-of-smb_wmb-in-gic_raise_softirq.patch @@ -0,0 +1,40 @@ +From 21ec30c0ef5234fb1039cc7c7737d885bf875a9e Mon Sep 17 00:00:00 2001 +From: Shanker Donthineni +Date: Wed, 31 Jan 2018 18:03:42 -0600 +Subject: irqchip/gic-v3: Use wmb() instead of smb_wmb() in gic_raise_softirq() + +From: Shanker Donthineni + +commit 21ec30c0ef5234fb1039cc7c7737d885bf875a9e upstream. + +A DMB instruction can be used to ensure the relative order of only +memory accesses before and after the barrier. Since writes to system +registers are not memory operations, barrier DMB is not sufficient +for observability of memory accesses that occur before ICC_SGI1R_EL1 +writes. + +A DSB instruction ensures that no instructions that appear in program +order after the DSB instruction, can execute until the DSB instruction +has completed. + +Cc: stable@vger.kernel.org +Acked-by: Will Deacon , +Signed-off-by: Shanker Donthineni +Signed-off-by: Marc Zyngier +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/irqchip/irq-gic-v3.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/irqchip/irq-gic-v3.c ++++ b/drivers/irqchip/irq-gic-v3.c +@@ -604,7 +604,7 @@ static void gic_raise_softirq(const stru + * Ensure that stores to Normal memory are visible to the + * other CPUs before issuing the IPI. + */ +- smp_wmb(); ++ wmb(); + + for_each_cpu(cpu, mask) { + unsigned long cluster_id = cpu_logical_map(cpu) & ~0xffUL; diff --git a/queue-4.4/scsi-ibmvfc-fix-misdefined-reserved-field-in-ibmvfc_fcp_rsp_info.patch b/queue-4.4/scsi-ibmvfc-fix-misdefined-reserved-field-in-ibmvfc_fcp_rsp_info.patch new file mode 100644 index 00000000000..8b08330a60e --- /dev/null +++ b/queue-4.4/scsi-ibmvfc-fix-misdefined-reserved-field-in-ibmvfc_fcp_rsp_info.patch @@ -0,0 +1,42 @@ +From c39813652700f3df552b6557530f1e5f782dbe2f Mon Sep 17 00:00:00 2001 +From: Tyrel Datwyler +Date: Tue, 23 Jan 2018 20:11:32 -0600 +Subject: scsi: ibmvfc: fix misdefined reserved field in ibmvfc_fcp_rsp_info + +From: Tyrel Datwyler + +commit c39813652700f3df552b6557530f1e5f782dbe2f upstream. + +The fcp_rsp_info structure as defined in the FC spec has an initial 3 +bytes reserved field. The ibmvfc driver mistakenly defined this field as +4 bytes resulting in the rsp_code field being defined in what should be +the start of the second reserved field and thus always being reported as +zero by the driver. + +Ideally, we should wire ibmvfc up with libfc for the sake of code +deduplication, and ease of maintaining standardized structures in a +single place. However, for now simply fixup the definition in ibmvfc for +backporting to distros on older kernels. Wiring up with libfc will be +done in a followup patch. + +Cc: +Reported-by: Hannes Reinecke +Signed-off-by: Tyrel Datwyler +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/ibmvscsi/ibmvfc.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/ibmvscsi/ibmvfc.h ++++ b/drivers/scsi/ibmvscsi/ibmvfc.h +@@ -366,7 +366,7 @@ enum ibmvfc_fcp_rsp_info_codes { + }; + + struct ibmvfc_fcp_rsp_info { +- __be16 reserved; ++ u8 reserved[3]; + u8 rsp_code; + u8 reserved2[4]; + }__attribute__((packed, aligned (2))); diff --git a/queue-4.4/series b/queue-4.4/series index 3269ef27744..79ca014615d 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -3,4 +3,19 @@ powerpc-64s-fix-rfi-flush-dependency-on-hardlockup_detector.patch pci-keystone-fix-interrupt-controller-node-lookup.patch ip_tunnel-replace-dst_cache-with-generic-implementation.patch ip_tunnel-fix-preempt-warning-in-ip-tunnel-creation-updating.patch -arm64-mm-don-t-write-garbage-into-ttbr1_el1-register.patch +xtensa-fix-high-memory-reserved-memory-collision.patch +scsi-ibmvfc-fix-misdefined-reserved-field-in-ibmvfc_fcp_rsp_info.patch +cfg80211-fix-cfg80211_beacon_dup.patch +iio-buffer-check-if-a-buffer-has-been-set-up-when-poll-is-called.patch +iio-adis_lib-initialize-trigger-before-requesting-interrupt.patch +x86-oprofile-fix-bogus-gcc-8-warning-in-nmi_setup.patch +irqchip-gic-v3-use-wmb-instead-of-smb_wmb-in-gic_raise_softirq.patch +usb-ohci-proper-handling-of-ed_rm_list-to-handle-race-condition-between-usb_kill_urb-and-finish_unlinks.patch +arm64-disable-unhandled-signal-log-messages-by-default.patch +add-delay-init-quirk-for-corsair-k70-rgb-keyboards.patch +drm-edid-add-6-bpc-quirk-for-cpt-panel-in-asus-ux303la.patch +usb-dwc3-gadget-set-maxpacket-size-for-ep0-in.patch +usb-ldusb-add-pids-for-new-cassy-devices-supported-by-this-driver.patch +usb-gadget-f_fs-process-all-descriptors-during-bind.patch +usb-renesas_usbhs-missed-the-running-flag-in-usb_dmac-with-rx-path.patch +drm-amdgpu-avoid-leaking-pm-domain-on-driver-unbind-v2.patch diff --git a/queue-4.4/usb-dwc3-gadget-set-maxpacket-size-for-ep0-in.patch b/queue-4.4/usb-dwc3-gadget-set-maxpacket-size-for-ep0-in.patch new file mode 100644 index 00000000000..98ced0c4908 --- /dev/null +++ b/queue-4.4/usb-dwc3-gadget-set-maxpacket-size-for-ep0-in.patch @@ -0,0 +1,41 @@ +From 6180026341e852a250e1f97ebdcf71684a3c81b9 Mon Sep 17 00:00:00 2001 +From: Thinh Nguyen +Date: Fri, 12 Jan 2018 18:18:05 -0800 +Subject: usb: dwc3: gadget: Set maxpacket size for ep0 IN + +From: Thinh Nguyen + +commit 6180026341e852a250e1f97ebdcf71684a3c81b9 upstream. + +There are 2 control endpoint structures for DWC3. However, the driver +only updates the OUT direction control endpoint structure during +ConnectDone event. DWC3 driver needs to update the endpoint max packet +size for control IN endpoint as well. If the max packet size is not +properly set, then the driver will incorrectly calculate the data +transfer size and fail to send ZLP for HS/FS 3-stage control read +transfer. + +The fix is simply to update the max packet size for the ep0 IN direction +during ConnectDone event. + +Cc: stable@vger.kernel.org +Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver") +Signed-off-by: Thinh Nguyen +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/gadget.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -2393,6 +2393,8 @@ static void dwc3_gadget_conndone_interru + break; + } + ++ dwc->eps[1]->endpoint.maxpacket = dwc->gadget.ep0->maxpacket; ++ + /* Enable USB2 LPM Capability */ + + if ((dwc->revision > DWC3_REVISION_194A) diff --git a/queue-4.4/usb-gadget-f_fs-process-all-descriptors-during-bind.patch b/queue-4.4/usb-gadget-f_fs-process-all-descriptors-during-bind.patch new file mode 100644 index 00000000000..e27b1751fa2 --- /dev/null +++ b/queue-4.4/usb-gadget-f_fs-process-all-descriptors-during-bind.patch @@ -0,0 +1,55 @@ +From 6cf439e0d37463e42784271179c8a308fd7493c6 Mon Sep 17 00:00:00 2001 +From: Jack Pham +Date: Wed, 24 Jan 2018 00:11:53 -0800 +Subject: usb: gadget: f_fs: Process all descriptors during bind + +From: Jack Pham + +commit 6cf439e0d37463e42784271179c8a308fd7493c6 upstream. + +During _ffs_func_bind(), the received descriptors are evaluated +to prepare for binding with the gadget in order to allocate +endpoints and optionally set up OS descriptors. However, the +high- and super-speed descriptors are only parsed based on +whether the gadget_is_dualspeed() and gadget_is_superspeed() +calls are true, respectively. + +This is a problem in case a userspace program always provides +all of the {full,high,super,OS} descriptors when configuring a +function. Then, for example if a gadget device is not capable +of SuperSpeed, the call to ffs_do_descs() for the SS descriptors +is skipped, resulting in an incorrect offset calculation for +the vla_ptr when moving on to the OS descriptors that follow. +This causes ffs_do_os_descs() to fail as it is now looking at +the SS descriptors' offset within the raw_descs buffer instead. + +_ffs_func_bind() should evaluate the descriptors unconditionally, +so remove the checks for gadget speed. + +Fixes: f0175ab51993 ("usb: gadget: f_fs: OS descriptors support") +Cc: stable@vger.kernel.org +Co-Developed-by: Mayank Rana +Signed-off-by: Mayank Rana +Signed-off-by: Jack Pham +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/function/f_fs.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -2756,10 +2756,8 @@ static int _ffs_func_bind(struct usb_con + struct ffs_data *ffs = func->ffs; + + const int full = !!func->ffs->fs_descs_count; +- const int high = gadget_is_dualspeed(func->gadget) && +- func->ffs->hs_descs_count; +- const int super = gadget_is_superspeed(func->gadget) && +- func->ffs->ss_descs_count; ++ const int high = !!func->ffs->hs_descs_count; ++ const int super = !!func->ffs->ss_descs_count; + + int fs_len, hs_len, ss_len, ret, i; + struct ffs_ep *eps_ptr; diff --git a/queue-4.4/usb-ldusb-add-pids-for-new-cassy-devices-supported-by-this-driver.patch b/queue-4.4/usb-ldusb-add-pids-for-new-cassy-devices-supported-by-this-driver.patch new file mode 100644 index 00000000000..8f77d830515 --- /dev/null +++ b/queue-4.4/usb-ldusb-add-pids-for-new-cassy-devices-supported-by-this-driver.patch @@ -0,0 +1,68 @@ +From 52ad2bd8918158266fc88a05f95429b56b6a33c5 Mon Sep 17 00:00:00 2001 +From: Karsten Koop +Date: Fri, 9 Feb 2018 09:12:06 +0000 +Subject: usb: ldusb: add PIDs for new CASSY devices supported by this driver + +From: Karsten Koop + +commit 52ad2bd8918158266fc88a05f95429b56b6a33c5 upstream. + +This patch adds support for new CASSY devices to the ldusb driver. The +PIDs are also added to the ignore list in hid-quirks. + +Signed-off-by: Karsten Koop +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-core.c | 3 +++ + drivers/hid/hid-ids.h | 3 +++ + drivers/usb/misc/ldusb.c | 6 ++++++ + 3 files changed, 12 insertions(+) + +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -2386,6 +2386,9 @@ static const struct hid_device_id hid_ig + { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYTIME) }, + { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYTEMPERATURE) }, + { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYPH) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_POWERANALYSERCASSY) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_CONVERTERCONTROLLERCASSY) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MACHINETESTCASSY) }, + { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_JWM) }, + { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_DMMP) }, + { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_UMIP) }, +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -570,6 +570,9 @@ + #define USB_DEVICE_ID_LD_MICROCASSYTIME 0x1033 + #define USB_DEVICE_ID_LD_MICROCASSYTEMPERATURE 0x1035 + #define USB_DEVICE_ID_LD_MICROCASSYPH 0x1038 ++#define USB_DEVICE_ID_LD_POWERANALYSERCASSY 0x1040 ++#define USB_DEVICE_ID_LD_CONVERTERCONTROLLERCASSY 0x1042 ++#define USB_DEVICE_ID_LD_MACHINETESTCASSY 0x1043 + #define USB_DEVICE_ID_LD_JWM 0x1080 + #define USB_DEVICE_ID_LD_DMMP 0x1081 + #define USB_DEVICE_ID_LD_UMIP 0x1090 +--- a/drivers/usb/misc/ldusb.c ++++ b/drivers/usb/misc/ldusb.c +@@ -46,6 +46,9 @@ + #define USB_DEVICE_ID_LD_MICROCASSYTIME 0x1033 /* USB Product ID of Micro-CASSY Time (reserved) */ + #define USB_DEVICE_ID_LD_MICROCASSYTEMPERATURE 0x1035 /* USB Product ID of Micro-CASSY Temperature */ + #define USB_DEVICE_ID_LD_MICROCASSYPH 0x1038 /* USB Product ID of Micro-CASSY pH */ ++#define USB_DEVICE_ID_LD_POWERANALYSERCASSY 0x1040 /* USB Product ID of Power Analyser CASSY */ ++#define USB_DEVICE_ID_LD_CONVERTERCONTROLLERCASSY 0x1042 /* USB Product ID of Converter Controller CASSY */ ++#define USB_DEVICE_ID_LD_MACHINETESTCASSY 0x1043 /* USB Product ID of Machine Test CASSY */ + #define USB_DEVICE_ID_LD_JWM 0x1080 /* USB Product ID of Joule and Wattmeter */ + #define USB_DEVICE_ID_LD_DMMP 0x1081 /* USB Product ID of Digital Multimeter P (reserved) */ + #define USB_DEVICE_ID_LD_UMIP 0x1090 /* USB Product ID of UMI P */ +@@ -88,6 +91,9 @@ static const struct usb_device_id ld_usb + { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYTIME) }, + { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYTEMPERATURE) }, + { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYPH) }, ++ { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_POWERANALYSERCASSY) }, ++ { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_CONVERTERCONTROLLERCASSY) }, ++ { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MACHINETESTCASSY) }, + { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_JWM) }, + { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_DMMP) }, + { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_UMIP) }, diff --git a/queue-4.4/usb-ohci-proper-handling-of-ed_rm_list-to-handle-race-condition-between-usb_kill_urb-and-finish_unlinks.patch b/queue-4.4/usb-ohci-proper-handling-of-ed_rm_list-to-handle-race-condition-between-usb_kill_urb-and-finish_unlinks.patch new file mode 100644 index 00000000000..83ff4d10ad4 --- /dev/null +++ b/queue-4.4/usb-ohci-proper-handling-of-ed_rm_list-to-handle-race-condition-between-usb_kill_urb-and-finish_unlinks.patch @@ -0,0 +1,95 @@ +From 46408ea558df13b110e0866b99624384a33bdeba Mon Sep 17 00:00:00 2001 +From: AMAN DEEP +Date: Thu, 8 Feb 2018 11:55:01 +0800 +Subject: usb: ohci: Proper handling of ed_rm_list to handle race condition between usb_kill_urb() and finish_unlinks() + +From: AMAN DEEP + +commit 46408ea558df13b110e0866b99624384a33bdeba upstream. + +There is a race condition between finish_unlinks->finish_urb() function +and usb_kill_urb() in ohci controller case. The finish_urb calls +spin_unlock(&ohci->lock) before usb_hcd_giveback_urb() function call, +then if during this time, usb_kill_urb is called for another endpoint, +then new ed will be added to ed_rm_list at beginning for unlink, and +ed_rm_list will point to newly added. + +When finish_urb() is completed in finish_unlinks() and ed->td_list +becomes empty as in below code (in finish_unlinks() function): + + if (list_empty(&ed->td_list)) { + *last = ed->ed_next; + ed->ed_next = NULL; + } else if (ohci->rh_state == OHCI_RH_RUNNING) { + *last = ed->ed_next; + ed->ed_next = NULL; + ed_schedule(ohci, ed); + } + +The *last = ed->ed_next will make ed_rm_list to point to ed->ed_next +and previously added ed by usb_kill_urb will be left unreferenced by +ed_rm_list. This causes usb_kill_urb() hang forever waiting for +finish_unlink to remove added ed from ed_rm_list. + +The main reason for hang in this race condtion is addition and removal +of ed from ed_rm_list in the beginning during usb_kill_urb and later +last* is modified in finish_unlinks(). + +As suggested by Alan Stern, the solution for proper handling of +ohci->ed_rm_list is to remove ed from the ed_rm_list before finishing +any URBs. Then at the end, we can add ed back to the list if necessary. + +This properly handle the updated ohci->ed_rm_list in usb_kill_urb(). + +Fixes: 977dcfdc6031 ("USB: OHCI: don't lose track of EDs when a controller dies") +Acked-by: Alan Stern +CC: +Signed-off-by: Aman Deep +Signed-off-by: Jeffy Chen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/ohci-q.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +--- a/drivers/usb/host/ohci-q.c ++++ b/drivers/usb/host/ohci-q.c +@@ -1018,6 +1018,8 @@ skip_ed: + * have modified this list. normally it's just prepending + * entries (which we'd ignore), but paranoia won't hurt. + */ ++ *last = ed->ed_next; ++ ed->ed_next = NULL; + modified = 0; + + /* unlink urbs as requested, but rescan the list after +@@ -1076,21 +1078,22 @@ rescan_this: + goto rescan_this; + + /* +- * If no TDs are queued, take ED off the ed_rm_list. ++ * If no TDs are queued, ED is now idle. + * Otherwise, if the HC is running, reschedule. +- * If not, leave it on the list for further dequeues. ++ * If the HC isn't running, add ED back to the ++ * start of the list for later processing. + */ + if (list_empty(&ed->td_list)) { +- *last = ed->ed_next; +- ed->ed_next = NULL; + ed->state = ED_IDLE; + list_del(&ed->in_use_list); + } else if (ohci->rh_state == OHCI_RH_RUNNING) { +- *last = ed->ed_next; +- ed->ed_next = NULL; + ed_schedule(ohci, ed); + } else { +- last = &ed->ed_next; ++ ed->ed_next = ohci->ed_rm_list; ++ ohci->ed_rm_list = ed; ++ /* Don't loop on the same ED */ ++ if (last == &ohci->ed_rm_list) ++ last = &ed->ed_next; + } + + if (modified) diff --git a/queue-4.4/usb-renesas_usbhs-missed-the-running-flag-in-usb_dmac-with-rx-path.patch b/queue-4.4/usb-renesas_usbhs-missed-the-running-flag-in-usb_dmac-with-rx-path.patch new file mode 100644 index 00000000000..2f085154a96 --- /dev/null +++ b/queue-4.4/usb-renesas_usbhs-missed-the-running-flag-in-usb_dmac-with-rx-path.patch @@ -0,0 +1,49 @@ +From 17aa31f13cad25daa19d3f923323f552e87bc874 Mon Sep 17 00:00:00 2001 +From: Yoshihiro Shimoda +Date: Mon, 5 Feb 2018 17:12:35 +0900 +Subject: usb: renesas_usbhs: missed the "running" flag in usb_dmac with rx path + +From: Yoshihiro Shimoda + +commit 17aa31f13cad25daa19d3f923323f552e87bc874 upstream. + +This fixes an issue that a gadget driver (usb_f_fs) is possible to +stop rx transactions after the usb-dmac is used because the following +functions missed to set/check the "running" flag. + - usbhsf_dma_prepare_pop_with_usb_dmac() + - usbhsf_dma_pop_done_with_usb_dmac() + +So, if next transaction uses pio, the usbhsf_prepare_pop() can not +start the transaction because the "running" flag is 0. + +Fixes: 8355b2b3082d ("usb: renesas_usbhs: fix the behavior of some usbhs_pkt_handle") +Cc: # v3.19+ +Signed-off-by: Yoshihiro Shimoda +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/renesas_usbhs/fifo.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/usb/renesas_usbhs/fifo.c ++++ b/drivers/usb/renesas_usbhs/fifo.c +@@ -999,6 +999,10 @@ static int usbhsf_dma_prepare_pop_with_u + if ((uintptr_t)pkt->buf & (USBHS_USB_DMAC_XFER_SIZE - 1)) + goto usbhsf_pio_prepare_pop; + ++ /* return at this time if the pipe is running */ ++ if (usbhs_pipe_is_running(pipe)) ++ return 0; ++ + usbhs_pipe_config_change_bfre(pipe, 1); + + ret = usbhsf_fifo_select(pipe, fifo, 0); +@@ -1189,6 +1193,7 @@ static int usbhsf_dma_pop_done_with_usb_ + usbhsf_fifo_clear(pipe, fifo); + pkt->actual = usbhs_dma_calc_received_size(pkt, chan, rcv_len); + ++ usbhs_pipe_running(pipe, 0); + usbhsf_dma_stop(pipe, fifo); + usbhsf_dma_unmap(pkt); + usbhsf_fifo_unselect(pipe, pipe->fifo); diff --git a/queue-4.4/x86-oprofile-fix-bogus-gcc-8-warning-in-nmi_setup.patch b/queue-4.4/x86-oprofile-fix-bogus-gcc-8-warning-in-nmi_setup.patch new file mode 100644 index 00000000000..4c9fdaa4afe --- /dev/null +++ b/queue-4.4/x86-oprofile-fix-bogus-gcc-8-warning-in-nmi_setup.patch @@ -0,0 +1,68 @@ +From 85c615eb52222bc5fab6c7190d146bc59fac289e Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Tue, 20 Feb 2018 21:58:21 +0100 +Subject: x86/oprofile: Fix bogus GCC-8 warning in nmi_setup() + +From: Arnd Bergmann + +commit 85c615eb52222bc5fab6c7190d146bc59fac289e upstream. + +GCC-8 shows a warning for the x86 oprofile code that copies per-CPU +data from CPU 0 to all other CPUs, which when building a non-SMP +kernel turns into a memcpy() with identical source and destination +pointers: + + arch/x86/oprofile/nmi_int.c: In function 'mux_clone': + arch/x86/oprofile/nmi_int.c:285:2: error: 'memcpy' source argument is the same as destination [-Werror=restrict] + memcpy(per_cpu(cpu_msrs, cpu).multiplex, + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + per_cpu(cpu_msrs, 0).multiplex, + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + sizeof(struct op_msr) * model->num_virt_counters); + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + arch/x86/oprofile/nmi_int.c: In function 'nmi_setup': + arch/x86/oprofile/nmi_int.c:466:3: error: 'memcpy' source argument is the same as destination [-Werror=restrict] + arch/x86/oprofile/nmi_int.c:470:3: error: 'memcpy' source argument is the same as destination [-Werror=restrict] + +I have analyzed a number of such warnings now: some are valid and the +GCC warning is welcome. Others turned out to be false-positives, and +GCC was changed to not warn about those any more. This is a corner case +that is a false-positive but the GCC developers feel it's better to keep +warning about it. + +In this case, it seems best to work around it by telling GCC +a little more clearly that this code path is never hit with +an IS_ENABLED() configuration check. + +Cc:stable as we also want old kernels to build cleanly with GCC-8. + +Signed-off-by: Arnd Bergmann +Cc: Jessica Yu +Cc: Kees Cook +Cc: Linus Torvalds +Cc: Martin Sebor +Cc: Peter Zijlstra +Cc: Robert Richter +Cc: Thomas Gleixner +Cc: oprofile-list@lists.sf.net +Cc: stable@vger.kernel.org +Link: http://lkml.kernel.org/r/20180220205826.2008875-1-arnd@arndb.de +Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84095 +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/oprofile/nmi_int.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/oprofile/nmi_int.c ++++ b/arch/x86/oprofile/nmi_int.c +@@ -471,7 +471,7 @@ static int nmi_setup(void) + goto fail; + + for_each_possible_cpu(cpu) { +- if (!cpu) ++ if (!IS_ENABLED(CONFIG_SMP) || !cpu) + continue; + + memcpy(per_cpu(cpu_msrs, cpu).counters, diff --git a/queue-4.4/xtensa-fix-high-memory-reserved-memory-collision.patch b/queue-4.4/xtensa-fix-high-memory-reserved-memory-collision.patch new file mode 100644 index 00000000000..f777adfefc8 --- /dev/null +++ b/queue-4.4/xtensa-fix-high-memory-reserved-memory-collision.patch @@ -0,0 +1,133 @@ +From 6ac5a11dc674bc5016ea716e8082fff61f524dc1 Mon Sep 17 00:00:00 2001 +From: Max Filippov +Date: Tue, 13 Feb 2018 15:31:05 -0800 +Subject: xtensa: fix high memory/reserved memory collision + +From: Max Filippov + +commit 6ac5a11dc674bc5016ea716e8082fff61f524dc1 upstream. + +Xtensa memory initialization code frees high memory pages without +checking whether they are in the reserved memory regions or not. That +results in invalid value of totalram_pages and duplicate page usage by +CMA and highmem. It produces a bunch of BUGs at startup looking like +this: + +BUG: Bad page state in process swapper pfn:70800 +page:be60c000 count:0 mapcount:-127 mapping: (null) index:0x1 +flags: 0x80000000() +raw: 80000000 00000000 00000001 ffffff80 00000000 be60c014 be60c014 0000000a +page dumped because: nonzero mapcount +Modules linked in: +CPU: 0 PID: 1 Comm: swapper Tainted: G B 4.16.0-rc1-00015-g7928b2cbe55b-dirty #23 +Stack: + bd839d33 00000000 00000018 ba97b64c a106578c bd839d70 be60c000 00000000 + a1378054 bd86a000 00000003 ba97b64c a1066166 bd839da0 be60c000 ffe00000 + a1066b58 bd839dc0 be504000 00000000 000002f4 bd838000 00000000 0000001e +Call Trace: + [] bad_page+0xac/0xd0 + [] free_pages_check_bad+0x34/0x4c + [] __free_pages_ok+0xae/0x14c + [] __free_pages+0x30/0x64 + [] init_cma_reserved_pageblock+0x35/0x44 + [] cma_init_reserved_areas+0xf4/0x148 + [] do_one_initcall+0x80/0xf8 + [] kernel_init_freeable+0xda/0x13c + [] kernel_init+0x9/0xd0 + [] ret_from_kernel_thread+0xc/0x18 + +Only free high memory pages that are not reserved. + +Cc: stable@vger.kernel.org +Signed-off-by: Max Filippov +Signed-off-by: Greg Kroah-Hartman + +--- + arch/xtensa/mm/init.c | 70 +++++++++++++++++++++++++++++++++++++++++++++----- + 1 file changed, 63 insertions(+), 7 deletions(-) + +--- a/arch/xtensa/mm/init.c ++++ b/arch/xtensa/mm/init.c +@@ -318,19 +318,75 @@ void __init zones_init(void) + free_area_init_node(0, zones_size, ARCH_PFN_OFFSET, NULL); + } + ++#ifdef CONFIG_HIGHMEM ++static void __init free_area_high(unsigned long pfn, unsigned long end) ++{ ++ for (; pfn < end; pfn++) ++ free_highmem_page(pfn_to_page(pfn)); ++} ++ ++static void __init free_highpages(void) ++{ ++ unsigned long max_low = max_low_pfn; ++ struct memblock_region *mem, *res; ++ ++ reset_all_zones_managed_pages(); ++ /* set highmem page free */ ++ for_each_memblock(memory, mem) { ++ unsigned long start = memblock_region_memory_base_pfn(mem); ++ unsigned long end = memblock_region_memory_end_pfn(mem); ++ ++ /* Ignore complete lowmem entries */ ++ if (end <= max_low) ++ continue; ++ ++ if (memblock_is_nomap(mem)) ++ continue; ++ ++ /* Truncate partial highmem entries */ ++ if (start < max_low) ++ start = max_low; ++ ++ /* Find and exclude any reserved regions */ ++ for_each_memblock(reserved, res) { ++ unsigned long res_start, res_end; ++ ++ res_start = memblock_region_reserved_base_pfn(res); ++ res_end = memblock_region_reserved_end_pfn(res); ++ ++ if (res_end < start) ++ continue; ++ if (res_start < start) ++ res_start = start; ++ if (res_start > end) ++ res_start = end; ++ if (res_end > end) ++ res_end = end; ++ if (res_start != start) ++ free_area_high(start, res_start); ++ start = res_end; ++ if (start == end) ++ break; ++ } ++ ++ /* And now free anything which remains */ ++ if (start < end) ++ free_area_high(start, end); ++ } ++} ++#else ++static void __init free_highpages(void) ++{ ++} ++#endif ++ + /* + * Initialize memory pages. + */ + + void __init mem_init(void) + { +-#ifdef CONFIG_HIGHMEM +- unsigned long tmp; +- +- reset_all_zones_managed_pages(); +- for (tmp = max_low_pfn; tmp < max_pfn; tmp++) +- free_highmem_page(pfn_to_page(tmp)); +-#endif ++ free_highpages(); + + max_mapnr = max_pfn - ARCH_PFN_OFFSET; + high_memory = (void *)__va(max_low_pfn << PAGE_SHIFT);