From: Greg Kroah-Hartman Date: Tue, 27 Jun 2017 12:20:14 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v3.18.59~3 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2c4ab7300ee1fa3a3c8b3fa1c4a5987178345651;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: dmaengine-bcm2835-fix-cyclic-dma-period-splitting.patch jump-label-fix-passing-kbuild_cflags-when-checking-for-asm-goto-support.patch net-phy-fix-marvell-phy-status-reading.patch net-phy-initialize-mdio-clock-at-probe-function.patch rt2x00-avoid-introducing-a-usb-dependency-in-the-rt2x00lib-module.patch spi-double-time-out-tolerance.patch usb-gadget-f_fs-avoid-out-of-bounds-access-on-comp_desc.patch --- diff --git a/queue-4.9/dmaengine-bcm2835-fix-cyclic-dma-period-splitting.patch b/queue-4.9/dmaengine-bcm2835-fix-cyclic-dma-period-splitting.patch new file mode 100644 index 00000000000..835f005d237 --- /dev/null +++ b/queue-4.9/dmaengine-bcm2835-fix-cyclic-dma-period-splitting.patch @@ -0,0 +1,47 @@ +From 2201ac6129fa162ac24da089a034bb0971648ebb Mon Sep 17 00:00:00 2001 +From: Matthias Reichl +Date: Mon, 20 Feb 2017 20:01:16 +0100 +Subject: dmaengine: bcm2835: Fix cyclic DMA period splitting + +From: Matthias Reichl + +commit 2201ac6129fa162ac24da089a034bb0971648ebb upstream. + +The code responsible for splitting periods into chunks that +can be handled by the DMA controller missed to update total_len, +the number of bytes processed in the current period, when there +are more chunks to follow. + +Therefore total_len was stuck at 0 and the code didn't work at all. +This resulted in a wrong control block layout and audio issues because +the cyclic DMA callback wasn't executing on period boundaries. + +Fix this by adding the missing total_len update. + +Signed-off-by: Matthias Reichl +Signed-off-by: Martin Sperl +Tested-by: Clive Messer +Reviewed-by: Eric Anholt +Signed-off-by: Vinod Koul +Signed-off-by: Amit Pundir +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma/bcm2835-dma.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/dma/bcm2835-dma.c ++++ b/drivers/dma/bcm2835-dma.c +@@ -251,8 +251,11 @@ static void bcm2835_dma_create_cb_set_le + */ + + /* have we filled in period_length yet? */ +- if (*total_len + control_block->length < period_len) ++ if (*total_len + control_block->length < period_len) { ++ /* update number of bytes in this period so far */ ++ *total_len += control_block->length; + return; ++ } + + /* calculate the length that remains to reach period_length */ + control_block->length = period_len - *total_len; diff --git a/queue-4.9/jump-label-fix-passing-kbuild_cflags-when-checking-for-asm-goto-support.patch b/queue-4.9/jump-label-fix-passing-kbuild_cflags-when-checking-for-asm-goto-support.patch new file mode 100644 index 00000000000..79d29464e20 --- /dev/null +++ b/queue-4.9/jump-label-fix-passing-kbuild_cflags-when-checking-for-asm-goto-support.patch @@ -0,0 +1,72 @@ +From 7292ae3d5a18fb922be496e6bb687647193569b4 Mon Sep 17 00:00:00 2001 +From: Gleb Fotengauer-Malinovskiy +Date: Mon, 20 Mar 2017 20:15:53 +0300 +Subject: jump label: fix passing kbuild_cflags when checking for asm goto support + +From: Gleb Fotengauer-Malinovskiy + +commit 7292ae3d5a18fb922be496e6bb687647193569b4 upstream. + +The latest change of asm goto support check added passing of KBUILD_CFLAGS +to compiler. When these flags reference gcc plugins that are not built yet, +the check fails. + +When one runs "make bzImage" followed by "make modules", the kernel is always +built with HAVE_JUMP_LABEL disabled, while the modules are built depending on +CONFIG_JUMP_LABEL. If HAVE_JUMP_LABEL macro happens to be different, modules +are built with undefined references, e.g.: + +ERROR: "static_key_slow_inc" [net/netfilter/xt_TEE.ko] undefined! +ERROR: "static_key_slow_dec" [net/netfilter/xt_TEE.ko] undefined! +ERROR: "static_key_slow_dec" [net/netfilter/nft_meta.ko] undefined! +ERROR: "static_key_slow_inc" [net/netfilter/nft_meta.ko] undefined! +ERROR: "nf_hooks_needed" [net/netfilter/ipvs/ip_vs.ko] undefined! +ERROR: "nf_hooks_needed" [net/ipv6/ipv6.ko] undefined! +ERROR: "static_key_count" [net/ipv6/ipv6.ko] undefined! +ERROR: "static_key_slow_inc" [net/ipv6/ipv6.ko] undefined! + +This change moves the check before all these references are added +to KBUILD_CFLAGS. This is correct because subsequent KBUILD_CFLAGS +modifications are not relevant to this check. + +Reported-by: Anton V. Boyarshinov +Fixes: 35f860f9ba6a ("jump label: pass kbuild_cflags when checking for asm goto support") +Signed-off-by: Gleb Fotengauer-Malinovskiy +Signed-off-by: Dmitry V. Levin +Acked-by: Steven Rostedt (VMware) +Acked-by: David Lin +Signed-off-by: Masahiro Yamada +Signed-off-by: Greg Kroah-Hartman + +--- + Makefile | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/Makefile ++++ b/Makefile +@@ -651,6 +651,12 @@ KBUILD_CFLAGS += $(call cc-ifversion, -l + # Tell gcc to never replace conditional load with a non-conditional one + KBUILD_CFLAGS += $(call cc-option,--param=allow-store-data-races=0) + ++# check for 'asm goto' ++ifeq ($(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-goto.sh $(CC) $(KBUILD_CFLAGS)), y) ++ KBUILD_CFLAGS += -DCC_HAVE_ASM_GOTO ++ KBUILD_AFLAGS += -DCC_HAVE_ASM_GOTO ++endif ++ + include scripts/Makefile.gcc-plugins + + ifdef CONFIG_READABLE_ASM +@@ -796,12 +802,6 @@ KBUILD_CFLAGS += $(call cc-option,-Wer + # use the deterministic mode of AR if available + KBUILD_ARFLAGS := $(call ar-option,D) + +-# check for 'asm goto' +-ifeq ($(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-goto.sh $(CC) $(KBUILD_CFLAGS)), y) +- KBUILD_CFLAGS += -DCC_HAVE_ASM_GOTO +- KBUILD_AFLAGS += -DCC_HAVE_ASM_GOTO +-endif +- + include scripts/Makefile.kasan + include scripts/Makefile.extrawarn + include scripts/Makefile.ubsan diff --git a/queue-4.9/net-phy-fix-marvell-phy-status-reading.patch b/queue-4.9/net-phy-fix-marvell-phy-status-reading.patch new file mode 100644 index 00000000000..465d04e3410 --- /dev/null +++ b/queue-4.9/net-phy-fix-marvell-phy-status-reading.patch @@ -0,0 +1,40 @@ +From 898805e0cdf7fd860ec21bf661d3a0285a3defbd Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Tue, 30 May 2017 16:21:51 +0100 +Subject: net: phy: fix marvell phy status reading + +From: Russell King + +commit 898805e0cdf7fd860ec21bf661d3a0285a3defbd upstream. + +The Marvell driver incorrectly provides phydev->lp_advertising as the +logical and of the link partner's advert and our advert. This is +incorrect - this field is supposed to store the link parter's unmodified +advertisment. + +This allows ethtool to report the correct link partner auto-negotiation +status. + +Fixes: be937f1f89ca ("Marvell PHY m88e1111 driver fix") +Signed-off-by: Russell King +Reviewed-by: Andrew Lunn +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Amit Pundir +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/phy/marvell.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/net/phy/marvell.c ++++ b/drivers/net/phy/marvell.c +@@ -1114,8 +1114,6 @@ static int marvell_read_status_page(stru + if (adv < 0) + return adv; + +- lpa &= adv; +- + if (status & MII_M1011_PHY_STATUS_FULLDUPLEX) + phydev->duplex = DUPLEX_FULL; + else diff --git a/queue-4.9/net-phy-initialize-mdio-clock-at-probe-function.patch b/queue-4.9/net-phy-initialize-mdio-clock-at-probe-function.patch new file mode 100644 index 00000000000..bb7c4162b76 --- /dev/null +++ b/queue-4.9/net-phy-initialize-mdio-clock-at-probe-function.patch @@ -0,0 +1,55 @@ +From bb1a619735b4660f21bce3e728b937640024b4ad Mon Sep 17 00:00:00 2001 +From: Yendapally Reddy Dhananjaya Reddy +Date: Wed, 8 Feb 2017 17:14:26 -0500 +Subject: net: phy: Initialize mdio clock at probe function + +From: Yendapally Reddy Dhananjaya Reddy + +commit bb1a619735b4660f21bce3e728b937640024b4ad upstream. + +USB PHYs need the MDIO clock divisor enabled earlier to work. +Initialize mdio clock divisor in probe function. The ext bus +bit available in the same register will be used by mdio mux +to enable external mdio. + +Signed-off-by: Yendapally Reddy Dhananjaya Reddy +Fixes: ddc24ae1 ("net: phy: Broadcom iProc MDIO bus driver") +Reviewed-by: Florian Fainelli +Signed-off-by: Jon Mason +Signed-off-by: David S. Miller +Signed-off-by: Amit Pundir +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/phy/mdio-bcm-iproc.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/net/phy/mdio-bcm-iproc.c ++++ b/drivers/net/phy/mdio-bcm-iproc.c +@@ -81,8 +81,6 @@ static int iproc_mdio_read(struct mii_bu + if (rc) + return rc; + +- iproc_mdio_config_clk(priv->base); +- + /* Prepare the read operation */ + cmd = (MII_DATA_TA_VAL << MII_DATA_TA_SHIFT) | + (reg << MII_DATA_RA_SHIFT) | +@@ -112,8 +110,6 @@ static int iproc_mdio_write(struct mii_b + if (rc) + return rc; + +- iproc_mdio_config_clk(priv->base); +- + /* Prepare the write operation */ + cmd = (MII_DATA_TA_VAL << MII_DATA_TA_SHIFT) | + (reg << MII_DATA_RA_SHIFT) | +@@ -163,6 +159,8 @@ static int iproc_mdio_probe(struct platf + bus->read = iproc_mdio_read; + bus->write = iproc_mdio_write; + ++ iproc_mdio_config_clk(priv->base); ++ + rc = of_mdiobus_register(bus, pdev->dev.of_node); + if (rc) { + dev_err(&pdev->dev, "MDIO bus registration failed\n"); diff --git a/queue-4.9/rt2x00-avoid-introducing-a-usb-dependency-in-the-rt2x00lib-module.patch b/queue-4.9/rt2x00-avoid-introducing-a-usb-dependency-in-the-rt2x00lib-module.patch new file mode 100644 index 00000000000..921b64dca50 --- /dev/null +++ b/queue-4.9/rt2x00-avoid-introducing-a-usb-dependency-in-the-rt2x00lib-module.patch @@ -0,0 +1,84 @@ +From 6232c17438ed01f43665197db5a98a4a4f77ef47 Mon Sep 17 00:00:00 2001 +From: Stanislaw Gruszka +Date: Thu, 2 Feb 2017 10:57:40 +0100 +Subject: rt2x00: avoid introducing a USB dependency in the rt2x00lib module + +From: Stanislaw Gruszka + +commit 6232c17438ed01f43665197db5a98a4a4f77ef47 upstream. + +As reported by Felix: + +Though protected by an ifdef, introducing an usb symbol dependency in +the rt2x00lib module is a major inconvenience for distributions that +package kernel modules split into individual packages. + +Get rid of this unnecessary dependency by calling the usb related +function from a more suitable place. + +Cc: Vishal Thanki +Reported-by: Felix Fietkau +Fixes: 8b4c0009313f ("rt2x00usb: Use usb anchor to manage URB") +Signed-off-by: Stanislaw Gruszka +Signed-off-by: Kalle Valo +Signed-off-by: Amit Pundir +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ralink/rt2x00/rt2x00dev.c | 23 ++++++++--------------- + drivers/net/wireless/ralink/rt2x00/rt2x00usb.c | 5 +++++ + 2 files changed, 13 insertions(+), 15 deletions(-) + +--- a/drivers/net/wireless/ralink/rt2x00/rt2x00dev.c ++++ b/drivers/net/wireless/ralink/rt2x00/rt2x00dev.c +@@ -1422,21 +1422,6 @@ void rt2x00lib_remove_dev(struct rt2x00_ + cancel_work_sync(&rt2x00dev->intf_work); + cancel_delayed_work_sync(&rt2x00dev->autowakeup_work); + cancel_work_sync(&rt2x00dev->sleep_work); +-#if IS_ENABLED(CONFIG_RT2X00_LIB_USB) +- if (rt2x00_is_usb(rt2x00dev)) { +- usb_kill_anchored_urbs(rt2x00dev->anchor); +- hrtimer_cancel(&rt2x00dev->txstatus_timer); +- cancel_work_sync(&rt2x00dev->rxdone_work); +- cancel_work_sync(&rt2x00dev->txdone_work); +- } +-#endif +- if (rt2x00dev->workqueue) +- destroy_workqueue(rt2x00dev->workqueue); +- +- /* +- * Free the tx status fifo. +- */ +- kfifo_free(&rt2x00dev->txstatus_fifo); + + /* + * Kill the tx status tasklet. +@@ -1452,6 +1437,14 @@ void rt2x00lib_remove_dev(struct rt2x00_ + */ + rt2x00lib_uninitialize(rt2x00dev); + ++ if (rt2x00dev->workqueue) ++ destroy_workqueue(rt2x00dev->workqueue); ++ ++ /* ++ * Free the tx status fifo. ++ */ ++ kfifo_free(&rt2x00dev->txstatus_fifo); ++ + /* + * Free extra components + */ +--- a/drivers/net/wireless/ralink/rt2x00/rt2x00usb.c ++++ b/drivers/net/wireless/ralink/rt2x00/rt2x00usb.c +@@ -740,6 +740,11 @@ void rt2x00usb_uninitialize(struct rt2x0 + { + struct data_queue *queue; + ++ usb_kill_anchored_urbs(rt2x00dev->anchor); ++ hrtimer_cancel(&rt2x00dev->txstatus_timer); ++ cancel_work_sync(&rt2x00dev->rxdone_work); ++ cancel_work_sync(&rt2x00dev->txdone_work); ++ + queue_for_each(rt2x00dev, queue) + rt2x00usb_free_entries(queue); + } diff --git a/queue-4.9/series b/queue-4.9/series index e3e76eb7dea..be3fc454275 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -34,3 +34,10 @@ drm-amdgpu-adjust-default-display-clock.patch rxrpc-fix-several-cases-where-a-padded-len-isn-t-checked-in-ticket-decode.patch of-add-check-to-of_scan_flat_dt-before-accessing-initial_boot_params.patch mtd-spi-nor-fix-spansion-quad-enable.patch +usb-gadget-f_fs-avoid-out-of-bounds-access-on-comp_desc.patch +rt2x00-avoid-introducing-a-usb-dependency-in-the-rt2x00lib-module.patch +net-phy-initialize-mdio-clock-at-probe-function.patch +dmaengine-bcm2835-fix-cyclic-dma-period-splitting.patch +spi-double-time-out-tolerance.patch +net-phy-fix-marvell-phy-status-reading.patch +jump-label-fix-passing-kbuild_cflags-when-checking-for-asm-goto-support.patch diff --git a/queue-4.9/spi-double-time-out-tolerance.patch b/queue-4.9/spi-double-time-out-tolerance.patch new file mode 100644 index 00000000000..8a5dd7b3747 --- /dev/null +++ b/queue-4.9/spi-double-time-out-tolerance.patch @@ -0,0 +1,44 @@ +From 833bfade96561216aa2129516a5926a0326860a2 Mon Sep 17 00:00:00 2001 +From: Hauke Mehrtens +Date: Mon, 17 Apr 2017 01:38:05 +0200 +Subject: spi: double time out tolerance + +From: Hauke Mehrtens + +commit 833bfade96561216aa2129516a5926a0326860a2 upstream. + +The generic SPI code calculates how long the issued transfer would take +and adds 100ms in addition to the timeout as tolerance. On my 500 MHz +Lantiq Mips SoC I am getting timeouts from the SPI like this when the +system boots up: + +m25p80 spi32766.4: SPI transfer timed out +blk_update_request: I/O error, dev mtdblock3, sector 2 +SQUASHFS error: squashfs_read_data failed to read block 0x6e + +After increasing the tolerance for the timeout to 200ms I haven't seen +these SPI transfer time outs any more. +The Lantiq SPI driver in use here has an extra work queue in between, +which gets triggered when the controller send the last word and the +hardware FIFOs used for reading and writing are only 8 words long. + +Signed-off-by: Hauke Mehrtens +Signed-off-by: Mark Brown +Signed-off-by: Amit Pundir +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/spi/spi.c ++++ b/drivers/spi/spi.c +@@ -1004,7 +1004,7 @@ static int spi_transfer_one_message(stru + ret = 0; + ms = 8LL * 1000LL * xfer->len; + do_div(ms, xfer->speed_hz); +- ms += ms + 100; /* some tolerance */ ++ ms += ms + 200; /* some tolerance */ + + if (ms > UINT_MAX) + ms = UINT_MAX; diff --git a/queue-4.9/usb-gadget-f_fs-avoid-out-of-bounds-access-on-comp_desc.patch b/queue-4.9/usb-gadget-f_fs-avoid-out-of-bounds-access-on-comp_desc.patch new file mode 100644 index 00000000000..adab0bc6d6e --- /dev/null +++ b/queue-4.9/usb-gadget-f_fs-avoid-out-of-bounds-access-on-comp_desc.patch @@ -0,0 +1,106 @@ +From b7f73850bb4fac1e2209a4dd5e636d39be92f42c Mon Sep 17 00:00:00 2001 +From: William Wu +Date: Tue, 25 Apr 2017 17:45:48 +0800 +Subject: usb: gadget: f_fs: avoid out of bounds access on comp_desc + +From: William Wu + +commit b7f73850bb4fac1e2209a4dd5e636d39be92f42c upstream. + +Companion descriptor is only used for SuperSpeed endpoints, +if the endpoints are HighSpeed or FullSpeed, the Companion +descriptor will not allocated, so we can only access it if +gadget is SuperSpeed. + +I can reproduce this issue on Rockchip platform rk3368 SoC +which supports USB 2.0, and use functionfs for ADB. Kernel +build with CONFIG_KASAN=y and CONFIG_SLUB_DEBUG=y report +the following BUG: + +================================================================== +BUG: KASAN: slab-out-of-bounds in ffs_func_set_alt+0x224/0x3a0 at addr ffffffc0601f6509 +Read of size 1 by task swapper/0/0 +============================================================================ +BUG kmalloc-256 (Not tainted): kasan: bad access detected +---------------------------------------------------------------------------- + +Disabling lock debugging due to kernel taint +INFO: Allocated in ffs_func_bind+0x52c/0x99c age=1275 cpu=0 pid=1 +alloc_debug_processing+0x128/0x17c +___slab_alloc.constprop.58+0x50c/0x610 +__slab_alloc.isra.55.constprop.57+0x24/0x34 +__kmalloc+0xe0/0x250 +ffs_func_bind+0x52c/0x99c +usb_add_function+0xd8/0x1d4 +configfs_composite_bind+0x48c/0x570 +udc_bind_to_driver+0x6c/0x170 +usb_udc_attach_driver+0xa4/0xd0 +gadget_dev_desc_UDC_store+0xcc/0x118 +configfs_write_file+0x1a0/0x1f8 +__vfs_write+0x64/0x174 +vfs_write+0xe4/0x200 +SyS_write+0x68/0xc8 +el0_svc_naked+0x24/0x28 +INFO: Freed in inode_doinit_with_dentry+0x3f0/0x7c4 age=1275 cpu=7 pid=247 +... +Call trace: +[] dump_backtrace+0x0/0x230 +[] show_stack+0x14/0x1c +[] dump_stack+0xa0/0xc8 +[] print_trailer+0x188/0x198 +[] object_err+0x3c/0x4c +[] kasan_report+0x324/0x4dc +[] __asan_load1+0x24/0x50 +[] ffs_func_set_alt+0x224/0x3a0 +[] composite_setup+0xdcc/0x1ac8 +[] android_setup+0x124/0x1a0 +[] _setup+0x54/0x74 +[] handle_ep0+0x3288/0x4390 +[] dwc_otg_pcd_handle_out_ep_intr+0x14dc/0x2ae4 +[] dwc_otg_pcd_handle_intr+0x1ec/0x298 +[] dwc_otg_pcd_irq+0x10/0x20 +[] handle_irq_event_percpu+0x124/0x3ac +[] handle_irq_event+0x60/0xa0 +[] handle_fasteoi_irq+0x10c/0x1d4 +[] generic_handle_irq+0x30/0x40 +[] __handle_domain_irq+0xac/0xdc +[] gic_handle_irq+0x64/0xa4 +... +Memory state around the buggy address: + ffffffc0601f6400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffffffc0601f6480: 00 00 00 00 00 00 00 00 00 00 06 fc fc fc fc fc + >ffffffc0601f6500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ^ + ffffffc0601f6580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffffffc0601f6600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 +================================================================== + +Signed-off-by: William Wu +Signed-off-by: Felipe Balbi +Cc: Jerry Zhang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/function/f_fs.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -1858,12 +1858,12 @@ static int ffs_func_eps_enable(struct ff + ep->ep->driver_data = ep; + ep->ep->desc = ds; + +- comp_desc = (struct usb_ss_ep_comp_descriptor *)(ds + +- USB_DT_ENDPOINT_SIZE); +- ep->ep->maxburst = comp_desc->bMaxBurst + 1; +- +- if (needs_comp_desc) ++ if (needs_comp_desc) { ++ comp_desc = (struct usb_ss_ep_comp_descriptor *)(ds + ++ USB_DT_ENDPOINT_SIZE); ++ ep->ep->maxburst = comp_desc->bMaxBurst + 1; + ep->ep->comp_desc = comp_desc; ++ } + + ret = usb_ep_enable(ep->ep); + if (likely(!ret)) {