From: Greg Kroah-Hartman Date: Fri, 13 Jul 2018 12:22:06 +0000 (+0200) Subject: 4.17-stable patches X-Git-Tag: v4.4.141~37 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5d2060f277a647096aa1e303712651b83ea3d594;p=thirdparty%2Fkernel%2Fstable-queue.git 4.17-stable patches added patches: acpica-clear-status-of-all-events-when-entering-s5.patch ahci-add-intel-ice-lake-lp-pci-id.patch ahci-disable-lpm-on-lenovo-50-series-laptops-with-a-too-old-bios.patch ata-fix-zbc_out-all-bit-handling.patch ata-fix-zbc_out-command-block-check.patch drm-etnaviv-bring-back-progress-check-in-job-timeout-handler.patch drm-etnaviv-check-for-platform_device_register_simple-failure.patch drm-etnaviv-fix-driver-unregistering.patch ibmasm-don-t-write-out-of-bounds-in-read-handler.patch mei-discard-messages-from-not-connected-client-during-power-down.patch mips-call-dump_stack-from-show_regs.patch mips-fix-ioremap-ram-check.patch mips-use-async-ipis-for-arch_trigger_cpumask_backtrace.patch mmc-dw_mmc-fix-card-threshold-control-configuration.patch mmc-renesas_sdhi_internal_dmac-cannot-clear-the-rx_in_use-in-abort.patch mmc-sdhci-esdhc-imx-allow-1.8v-modes-without-100-200mhz-pinctrl-states.patch mtd-spi-nor-cadence-quadspi-fix-direct-mode-write-timeouts.patch staging-r8822be-fix-rtl8822be-can-t-find-any-wireless-ap.patch staging-rtl8723bs-prevent-an-underflow-in-rtw_check_beacon_data.patch tracing-kprobe-release-kprobe-print_fmt-properly.patch vmw_balloon-fix-inflation-with-batching.patch --- diff --git a/queue-4.17/acpica-clear-status-of-all-events-when-entering-s5.patch b/queue-4.17/acpica-clear-status-of-all-events-when-entering-s5.patch new file mode 100644 index 00000000000..a3de844543b --- /dev/null +++ b/queue-4.17/acpica-clear-status-of-all-events-when-entering-s5.patch @@ -0,0 +1,65 @@ +From fa85015c0d95884c8dc42f38e2f2d6137d436b67 Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Mon, 9 Jul 2018 11:01:07 +0200 +Subject: ACPICA: Clear status of all events when entering S5 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rafael J. Wysocki + +commit fa85015c0d95884c8dc42f38e2f2d6137d436b67 upstream. + +After commit 18996f2db918 (ACPICA: Events: Stop unconditionally +clearing ACPI IRQs during suspend/resume) the status of ACPI events +is not cleared any more when entering the ACPI S5 system state (power +off) which causes some systems to power up immediately after turing +off power in certain situations. + +That is a functional regression, so address it by making the code +clear the status of all ACPI events again when entering S5 (for +system-wide suspend or hibernation the clearing of the status of all +events is not desirable, as it might cause the kernel to miss wakeup +events sometimes). + +Fixes: 18996f2db918 (ACPICA: Events: Stop unconditionally clearing ACPI IRQs during suspend/resume) +Reported-by: Takashi Iwai +Tested-by: Thomas Hänig +Cc: 4.17+ # 4.17+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/acpica/hwsleep.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +--- a/drivers/acpi/acpica/hwsleep.c ++++ b/drivers/acpi/acpica/hwsleep.c +@@ -51,16 +51,23 @@ acpi_status acpi_hw_legacy_sleep(u8 slee + return_ACPI_STATUS(status); + } + +- /* +- * 1) Disable all GPEs +- * 2) Enable all wakeup GPEs +- */ ++ /* Disable all GPEs */ + status = acpi_hw_disable_all_gpes(); + if (ACPI_FAILURE(status)) { + return_ACPI_STATUS(status); + } ++ /* ++ * If the target sleep state is S5, clear all GPEs and fixed events too ++ */ ++ if (sleep_state == ACPI_STATE_S5) { ++ status = acpi_hw_clear_acpi_status(); ++ if (ACPI_FAILURE(status)) { ++ return_ACPI_STATUS(status); ++ } ++ } + acpi_gbl_system_awake_and_running = FALSE; + ++ /* Enable all wakeup GPEs */ + status = acpi_hw_enable_all_wakeup_gpes(); + if (ACPI_FAILURE(status)) { + return_ACPI_STATUS(status); diff --git a/queue-4.17/ahci-add-intel-ice-lake-lp-pci-id.patch b/queue-4.17/ahci-add-intel-ice-lake-lp-pci-id.patch new file mode 100644 index 00000000000..df74eacf875 --- /dev/null +++ b/queue-4.17/ahci-add-intel-ice-lake-lp-pci-id.patch @@ -0,0 +1,31 @@ +From ba44579141f9e2c0229e6e7eeb00b5fa68f0f74a Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Wed, 27 Jun 2018 15:15:40 +0300 +Subject: ahci: Add Intel Ice Lake LP PCI ID + +From: Mika Westerberg + +commit ba44579141f9e2c0229e6e7eeb00b5fa68f0f74a upstream. + +This should also be using the default LPM policy for mobile chipsets so +add the PCI ID to the driver list of supported devices. + +Signed-off-by: Mika Westerberg +Signed-off-by: Tejun Heo +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/ahci.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -400,6 +400,7 @@ static const struct pci_device_id ahci_p + { PCI_VDEVICE(INTEL, 0x0f23), board_ahci_mobile }, /* Bay Trail AHCI */ + { PCI_VDEVICE(INTEL, 0x22a3), board_ahci_mobile }, /* Cherry Tr. AHCI */ + { PCI_VDEVICE(INTEL, 0x5ae3), board_ahci_mobile }, /* ApolloLake AHCI */ ++ { PCI_VDEVICE(INTEL, 0x34d3), board_ahci_mobile }, /* Ice Lake LP AHCI */ + + /* JMicron 360/1/3/5/6, match class to avoid IDE function */ + { PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, diff --git a/queue-4.17/ahci-disable-lpm-on-lenovo-50-series-laptops-with-a-too-old-bios.patch b/queue-4.17/ahci-disable-lpm-on-lenovo-50-series-laptops-with-a-too-old-bios.patch new file mode 100644 index 00000000000..ef5caedba10 --- /dev/null +++ b/queue-4.17/ahci-disable-lpm-on-lenovo-50-series-laptops-with-a-too-old-bios.patch @@ -0,0 +1,149 @@ +From 240630e61870e62e39a97225048f9945848fa5f5 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sun, 1 Jul 2018 12:15:46 +0200 +Subject: ahci: Disable LPM on Lenovo 50 series laptops with a too old BIOS + +From: Hans de Goede + +commit 240630e61870e62e39a97225048f9945848fa5f5 upstream. + +There have been several reports of LPM related hard freezes about once +a day on multiple Lenovo 50 series models. Strange enough these reports +where not disk model specific as LPM issues usually are and some users +with the exact same disk + laptop where seeing them while other users +where not seeing these issues. + +It turns out that enabling LPM triggers a firmware bug somewhere, which +has been fixed in later BIOS versions. + +This commit adds a new ahci_broken_lpm() function and a new ATA_FLAG_NO_LPM +for dealing with this. + +The ahci_broken_lpm() function contains DMI match info for the 4 models +which are known to be affected by this and the DMI BIOS date field for +known good BIOS versions. If the BIOS date is older then the one in the +table LPM will be disabled and a warning will be printed. + +Note the BIOS dates are for known good versions, some older versions may +work too, but we don't know for sure, the table is using dates from BIOS +versions for which users have confirmed that upgrading to that version +makes the problem go away. + +Unfortunately I've been unable to get hold of the reporter who reported +that BIOS version 2.35 fixed the problems on the W541 for him. I've been +able to verify the DMI_SYS_VENDOR and DMI_PRODUCT_VERSION from an older +dmidecode, but I don't know the exact BIOS date as reported in the DMI. +Lenovo keeps a changelog with dates in their release notes, but the +dates there are the release dates not the build dates which are in DMI. +So I've chosen to set the date to which we compare to one day past the +release date of the 2.34 BIOS. I plan to fix this with a follow up +commit once I've the necessary info. + +Cc: stable@vger.kernel.org +Signed-off-by: Hans de Goede +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/ahci.c | 59 ++++++++++++++++++++++++++++++++++++++++++++++ + drivers/ata/libata-core.c | 3 ++ + include/linux/libata.h | 1 + 3 files changed, 63 insertions(+) + +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -1281,6 +1281,59 @@ static bool ahci_broken_suspend(struct p + return strcmp(buf, dmi->driver_data) < 0; + } + ++static bool ahci_broken_lpm(struct pci_dev *pdev) ++{ ++ static const struct dmi_system_id sysids[] = { ++ /* Various Lenovo 50 series have LPM issues with older BIOSen */ ++ { ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad X250"), ++ }, ++ .driver_data = "20180406", /* 1.31 */ ++ }, ++ { ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad L450"), ++ }, ++ .driver_data = "20180420", /* 1.28 */ ++ }, ++ { ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad T450s"), ++ }, ++ .driver_data = "20180315", /* 1.33 */ ++ }, ++ { ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad W541"), ++ }, ++ /* ++ * Note date based on release notes, 2.35 has been ++ * reported to be good, but I've been unable to get ++ * a hold of the reporter to get the DMI BIOS date. ++ * TODO: fix this. ++ */ ++ .driver_data = "20180310", /* 2.35 */ ++ }, ++ { } /* terminate list */ ++ }; ++ const struct dmi_system_id *dmi = dmi_first_match(sysids); ++ int year, month, date; ++ char buf[9]; ++ ++ if (!dmi) ++ return false; ++ ++ dmi_get_date(DMI_BIOS_DATE, &year, &month, &date); ++ snprintf(buf, sizeof(buf), "%04d%02d%02d", year, month, date); ++ ++ return strcmp(buf, dmi->driver_data) < 0; ++} ++ + static bool ahci_broken_online(struct pci_dev *pdev) + { + #define ENCODE_BUSDEVFN(bus, slot, func) \ +@@ -1695,6 +1748,12 @@ static int ahci_init_one(struct pci_dev + "quirky BIOS, skipping spindown on poweroff\n"); + } + ++ if (ahci_broken_lpm(pdev)) { ++ pi.flags |= ATA_FLAG_NO_LPM; ++ dev_warn(&pdev->dev, ++ "BIOS update required for Link Power Management support\n"); ++ } ++ + if (ahci_broken_suspend(pdev)) { + hpriv->flags |= AHCI_HFLAG_NO_SUSPEND; + dev_warn(&pdev->dev, +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -2502,6 +2502,9 @@ int ata_dev_configure(struct ata_device + (id[ATA_ID_SATA_CAPABILITY] & 0xe) == 0x2) + dev->horkage |= ATA_HORKAGE_NOLPM; + ++ if (ap->flags & ATA_FLAG_NO_LPM) ++ dev->horkage |= ATA_HORKAGE_NOLPM; ++ + if (dev->horkage & ATA_HORKAGE_NOLPM) { + ata_dev_warn(dev, "LPM support broken, forcing max_power\n"); + dev->link->ap->target_lpm_policy = ATA_LPM_MAX_POWER; +--- a/include/linux/libata.h ++++ b/include/linux/libata.h +@@ -211,6 +211,7 @@ enum { + ATA_FLAG_SLAVE_POSS = (1 << 0), /* host supports slave dev */ + /* (doesn't imply presence) */ + ATA_FLAG_SATA = (1 << 1), ++ ATA_FLAG_NO_LPM = (1 << 2), /* host not happy with LPM */ + ATA_FLAG_NO_LOG_PAGE = (1 << 5), /* do not issue log page read */ + ATA_FLAG_NO_ATAPI = (1 << 6), /* No ATAPI support */ + ATA_FLAG_PIO_DMA = (1 << 7), /* PIO cmds via DMA */ diff --git a/queue-4.17/ata-fix-zbc_out-all-bit-handling.patch b/queue-4.17/ata-fix-zbc_out-all-bit-handling.patch new file mode 100644 index 00000000000..5cadde6d5cb --- /dev/null +++ b/queue-4.17/ata-fix-zbc_out-all-bit-handling.patch @@ -0,0 +1,49 @@ +From 6edf1d4cb0acde3a0a5dac849f33031bd7abb7b1 Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Tue, 26 Jun 2018 20:56:55 +0900 +Subject: ata: Fix ZBC_OUT all bit handling + +From: Damien Le Moal + +commit 6edf1d4cb0acde3a0a5dac849f33031bd7abb7b1 upstream. + +If the ALL bit is set in the ZBC_OUT command, the command zone ID field +(block) should be ignored. + +Reported-by: David Butterfield +Signed-off-by: Damien Le Moal +Cc: stable@vger.kernel.org +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-scsi.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/ata/libata-scsi.c ++++ b/drivers/ata/libata-scsi.c +@@ -3802,7 +3802,14 @@ static unsigned int ata_scsi_zbc_out_xla + */ + goto invalid_param_len; + } +- if (block >= dev->n_sectors) { ++ ++ all = cdb[14] & 0x1; ++ if (all) { ++ /* ++ * Ignore the block address (zone ID) as defined by ZBC. ++ */ ++ block = 0; ++ } else if (block >= dev->n_sectors) { + /* + * Block must be a valid zone ID (a zone start LBA). + */ +@@ -3810,8 +3817,6 @@ static unsigned int ata_scsi_zbc_out_xla + goto invalid_fld; + } + +- all = cdb[14] & 0x1; +- + if (ata_ncq_enabled(qc->dev) && + ata_fpdma_zac_mgmt_out_supported(qc->dev)) { + tf->protocol = ATA_PROT_NCQ_NODATA; diff --git a/queue-4.17/ata-fix-zbc_out-command-block-check.patch b/queue-4.17/ata-fix-zbc_out-command-block-check.patch new file mode 100644 index 00000000000..248cd6550bf --- /dev/null +++ b/queue-4.17/ata-fix-zbc_out-command-block-check.patch @@ -0,0 +1,56 @@ +From b320a0a9f23c98f21631eb27bcbbca91c79b1c6e Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Tue, 26 Jun 2018 20:56:54 +0900 +Subject: ata: Fix ZBC_OUT command block check + +From: Damien Le Moal + +commit b320a0a9f23c98f21631eb27bcbbca91c79b1c6e upstream. + +The block (LBA) specified must not exceed the last addressable LBA, +which is dev->nr_sectors - 1. So fix the correct check is +"if (block >= dev->n_sectors)" and not "if (block > dev->n_sectords)". + +Additionally, the asc/ascq to return for an LBA that is not a zone start +LBA should be ILLEGAL REQUEST, regardless if the bad LBA is out of +range. + +Reported-by: David Butterfield +Signed-off-by: Damien Le Moal +Cc: stable@vger.kernel.org +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-scsi.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/drivers/ata/libata-scsi.c ++++ b/drivers/ata/libata-scsi.c +@@ -3802,8 +3802,13 @@ static unsigned int ata_scsi_zbc_out_xla + */ + goto invalid_param_len; + } +- if (block > dev->n_sectors) +- goto out_of_range; ++ if (block >= dev->n_sectors) { ++ /* ++ * Block must be a valid zone ID (a zone start LBA). ++ */ ++ fp = 2; ++ goto invalid_fld; ++ } + + all = cdb[14] & 0x1; + +@@ -3834,10 +3839,6 @@ static unsigned int ata_scsi_zbc_out_xla + invalid_fld: + ata_scsi_set_invalid_field(qc->dev, scmd, fp, 0xff); + return 1; +- out_of_range: +- /* "Logical Block Address out of range" */ +- ata_scsi_set_sense(qc->dev, scmd, ILLEGAL_REQUEST, 0x21, 0x00); +- return 1; + invalid_param_len: + /* "Parameter list length error" */ + ata_scsi_set_sense(qc->dev, scmd, ILLEGAL_REQUEST, 0x1a, 0x0); diff --git a/queue-4.17/drm-etnaviv-bring-back-progress-check-in-job-timeout-handler.patch b/queue-4.17/drm-etnaviv-bring-back-progress-check-in-job-timeout-handler.patch new file mode 100644 index 00000000000..c7fff881dba --- /dev/null +++ b/queue-4.17/drm-etnaviv-bring-back-progress-check-in-job-timeout-handler.patch @@ -0,0 +1,84 @@ +From 2c83a726d6fbb5d130d8f2edd82a258adb675ac3 Mon Sep 17 00:00:00 2001 +From: Lucas Stach +Date: Wed, 27 Jun 2018 15:58:13 +0200 +Subject: drm/etnaviv: bring back progress check in job timeout handler + +From: Lucas Stach + +commit 2c83a726d6fbb5d130d8f2edd82a258adb675ac3 upstream. + +When the hangcheck handler was replaced by the DRM scheduler timeout +handling we dropped the forward progress check, as this might allow +clients to hog the GPU for a long time with a big job. + +It turns out that even reasonably well behaved clients like the +Armada Xorg driver occasionally trip over the 500ms timeout. Bring +back the forward progress check to get rid of the userspace regression. + +We would still like to fix userspace to submit smaller batches +if possible, but that is for another day. + +Cc: +Fixes: 6d7a20c07760 (drm/etnaviv: replace hangcheck with scheduler timeout) +Reported-by: Russell King +Signed-off-by: Lucas Stach +Reviewed-by: Eric Anholt +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/etnaviv/etnaviv_gpu.h | 3 +++ + drivers/gpu/drm/etnaviv/etnaviv_sched.c | 24 ++++++++++++++++++++++++ + 2 files changed, 27 insertions(+) + +--- a/drivers/gpu/drm/etnaviv/etnaviv_gpu.h ++++ b/drivers/gpu/drm/etnaviv/etnaviv_gpu.h +@@ -142,6 +142,9 @@ struct etnaviv_gpu { + struct work_struct sync_point_work; + int sync_point_event; + ++ /* hang detection */ ++ u32 hangcheck_dma_addr; ++ + void __iomem *mmio; + int irq; + +--- a/drivers/gpu/drm/etnaviv/etnaviv_sched.c ++++ b/drivers/gpu/drm/etnaviv/etnaviv_sched.c +@@ -21,6 +21,7 @@ + #include "etnaviv_gem.h" + #include "etnaviv_gpu.h" + #include "etnaviv_sched.h" ++#include "state.xml.h" + + static int etnaviv_job_hang_limit = 0; + module_param_named(job_hang_limit, etnaviv_job_hang_limit, int , 0444); +@@ -96,6 +97,29 @@ static void etnaviv_sched_timedout_job(s + { + struct etnaviv_gem_submit *submit = to_etnaviv_submit(sched_job); + struct etnaviv_gpu *gpu = submit->gpu; ++ u32 dma_addr; ++ int change; ++ ++ /* ++ * If the GPU managed to complete this jobs fence, the timout is ++ * spurious. Bail out. ++ */ ++ if (fence_completed(gpu, submit->out_fence->seqno)) ++ return; ++ ++ /* ++ * If the GPU is still making forward progress on the front-end (which ++ * should never loop) we shift out the timeout to give it a chance to ++ * finish the job. ++ */ ++ dma_addr = gpu_read(gpu, VIVS_FE_DMA_ADDRESS); ++ change = dma_addr - gpu->hangcheck_dma_addr; ++ if (change < 0 || change > 16) { ++ gpu->hangcheck_dma_addr = dma_addr; ++ schedule_delayed_work(&sched_job->work_tdr, ++ sched_job->sched->timeout); ++ return; ++ } + + /* block scheduler */ + kthread_park(gpu->sched.thread); diff --git a/queue-4.17/drm-etnaviv-check-for-platform_device_register_simple-failure.patch b/queue-4.17/drm-etnaviv-check-for-platform_device_register_simple-failure.patch new file mode 100644 index 00000000000..9a3e0bb9ab1 --- /dev/null +++ b/queue-4.17/drm-etnaviv-check-for-platform_device_register_simple-failure.patch @@ -0,0 +1,73 @@ +From 45a0faaba9c8c5ba1e31a08a391aed0bad327167 Mon Sep 17 00:00:00 2001 +From: Fabio Estevam +Date: Wed, 27 Jun 2018 10:07:45 -0300 +Subject: drm/etnaviv: Check for platform_device_register_simple() failure + +From: Fabio Estevam + +commit 45a0faaba9c8c5ba1e31a08a391aed0bad327167 upstream. + +platform_device_register_simple() may fail, so we should better +check its return value and propagate it in the case of error. + +Cc: +Fixes: 246774d17fc0 ("drm/etnaviv: remove the need for a gpu-subsystem DT node") +Signed-off-by: Fabio Estevam +Reviewed-by: Philipp Zabel +Signed-off-by: Lucas Stach +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/etnaviv/etnaviv_drv.c | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/etnaviv/etnaviv_drv.c ++++ b/drivers/gpu/drm/etnaviv/etnaviv_drv.c +@@ -693,8 +693,11 @@ static struct platform_driver etnaviv_pl + }, + }; + ++static struct platform_device *etnaviv_drm; ++ + static int __init etnaviv_init(void) + { ++ struct platform_device *pdev; + int ret; + struct device_node *np; + +@@ -706,7 +709,7 @@ static int __init etnaviv_init(void) + + ret = platform_driver_register(&etnaviv_platform_driver); + if (ret != 0) +- platform_driver_unregister(&etnaviv_gpu_driver); ++ goto unregister_gpu_driver; + + /* + * If the DT contains at least one available GPU device, instantiate +@@ -715,12 +718,24 @@ static int __init etnaviv_init(void) + for_each_compatible_node(np, NULL, "vivante,gc") { + if (!of_device_is_available(np)) + continue; +- +- platform_device_register_simple("etnaviv", -1, NULL, 0); ++ pdev = platform_device_register_simple("etnaviv", -1, ++ NULL, 0); ++ if (IS_ERR(pdev)) { ++ ret = PTR_ERR(pdev); ++ of_node_put(np); ++ goto unregister_platform_driver; ++ } ++ etnaviv_drm = pdev; + of_node_put(np); + break; + } + ++ return 0; ++ ++unregister_platform_driver: ++ platform_driver_unregister(&etnaviv_platform_driver); ++unregister_gpu_driver: ++ platform_driver_unregister(&etnaviv_gpu_driver); + return ret; + } + module_init(etnaviv_init); diff --git a/queue-4.17/drm-etnaviv-fix-driver-unregistering.patch b/queue-4.17/drm-etnaviv-fix-driver-unregistering.patch new file mode 100644 index 00000000000..91a30a65645 --- /dev/null +++ b/queue-4.17/drm-etnaviv-fix-driver-unregistering.patch @@ -0,0 +1,62 @@ +From bf6ba3aeb2962e5ee4a78e7535af579ecba630bb Mon Sep 17 00:00:00 2001 +From: Fabio Estevam +Date: Wed, 27 Jun 2018 10:07:46 -0300 +Subject: drm/etnaviv: Fix driver unregistering + +From: Fabio Estevam + +commit bf6ba3aeb2962e5ee4a78e7535af579ecba630bb upstream. + +Russell King reported: + +"When removing and reloading the etnaviv module, the following splat +occurs: + +sysfs: cannot create duplicate filename '/devices/platform/etnaviv' +CPU: 0 PID: 1471 Comm: modprobe Not tainted 4.17.0+ #1608 +Hardware name: Marvell Dove (Cubox) +Backtrace: +[] (dump_backtrace) from [] (show_stack+0x18/0x1c) + r6:ef033e38 r5:ee07b340 r4:edb9d000 r3:00000000 +[] (show_stack) from [] (dump_stack+0x20/0x28) +[] (dump_stack) from [] (sysfs_warn_dup+0x5c/0x70) +[] (sysfs_warn_dup) from [] (sysfs_create_dir_ns+0x90/0x98) +..." + +Commit 246774d17fc0 ("drm/etnaviv: remove the need for a gpu-subsystem +DT node") introduced DRM registration via +platform_device_register_simple(), but missed to call +platform_device_unregister() inside etnaviv_exit(). + +Fix the problem by calling platform_device_unregister() inside +etnaviv_exit(). While at it, also rearrange the function calls +in the exit path to make them happen in the opposite order of +registration. + +Tested on a imx6-sabresd board. + +Cc: +Fixes: 246774d17fc0 ("drm/etnaviv: remove the need for a gpu-subsystem DT node") +Reported-by: Russell King +Signed-off-by: Fabio Estevam +Reviewed-by: Philipp Zabel +Signed-off-by: Lucas Stach +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/etnaviv/etnaviv_drv.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/etnaviv/etnaviv_drv.c ++++ b/drivers/gpu/drm/etnaviv/etnaviv_drv.c +@@ -742,8 +742,9 @@ module_init(etnaviv_init); + + static void __exit etnaviv_exit(void) + { +- platform_driver_unregister(&etnaviv_gpu_driver); ++ platform_device_unregister(etnaviv_drm); + platform_driver_unregister(&etnaviv_platform_driver); ++ platform_driver_unregister(&etnaviv_gpu_driver); + } + module_exit(etnaviv_exit); + diff --git a/queue-4.17/ibmasm-don-t-write-out-of-bounds-in-read-handler.patch b/queue-4.17/ibmasm-don-t-write-out-of-bounds-in-read-handler.patch new file mode 100644 index 00000000000..26142983b72 --- /dev/null +++ b/queue-4.17/ibmasm-don-t-write-out-of-bounds-in-read-handler.patch @@ -0,0 +1,63 @@ +From a0341fc1981a950c1e902ab901e98f60e0e243f3 Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Sat, 7 Jul 2018 04:16:33 +0200 +Subject: ibmasm: don't write out of bounds in read handler + +From: Jann Horn + +commit a0341fc1981a950c1e902ab901e98f60e0e243f3 upstream. + +This read handler had a lot of custom logic and wrote outside the bounds of +the provided buffer. This could lead to kernel and userspace memory +corruption. Just use simple_read_from_buffer() with a stack buffer. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Signed-off-by: Jann Horn +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/ibmasm/ibmasmfs.c | 27 +++------------------------ + 1 file changed, 3 insertions(+), 24 deletions(-) + +--- a/drivers/misc/ibmasm/ibmasmfs.c ++++ b/drivers/misc/ibmasm/ibmasmfs.c +@@ -507,35 +507,14 @@ static int remote_settings_file_close(st + static ssize_t remote_settings_file_read(struct file *file, char __user *buf, size_t count, loff_t *offset) + { + void __iomem *address = (void __iomem *)file->private_data; +- unsigned char *page; +- int retval; + int len = 0; + unsigned int value; +- +- if (*offset < 0) +- return -EINVAL; +- if (count == 0 || count > 1024) +- return 0; +- if (*offset != 0) +- return 0; +- +- page = (unsigned char *)__get_free_page(GFP_KERNEL); +- if (!page) +- return -ENOMEM; ++ char lbuf[20]; + + value = readl(address); +- len = sprintf(page, "%d\n", value); +- +- if (copy_to_user(buf, page, len)) { +- retval = -EFAULT; +- goto exit; +- } +- *offset += len; +- retval = len; ++ len = snprintf(lbuf, sizeof(lbuf), "%d\n", value); + +-exit: +- free_page((unsigned long)page); +- return retval; ++ return simple_read_from_buffer(buf, count, offset, lbuf, len); + } + + static ssize_t remote_settings_file_write(struct file *file, const char __user *ubuff, size_t count, loff_t *offset) diff --git a/queue-4.17/mei-discard-messages-from-not-connected-client-during-power-down.patch b/queue-4.17/mei-discard-messages-from-not-connected-client-during-power-down.patch new file mode 100644 index 00000000000..81cb2435d56 --- /dev/null +++ b/queue-4.17/mei-discard-messages-from-not-connected-client-during-power-down.patch @@ -0,0 +1,46 @@ +From b7a020bff31318fc8785e6f96b1d38c1625cf1fb Mon Sep 17 00:00:00 2001 +From: Alexander Usyskin +Date: Thu, 7 Jun 2018 00:31:48 +0300 +Subject: mei: discard messages from not connected client during power down. + +From: Alexander Usyskin + +commit b7a020bff31318fc8785e6f96b1d38c1625cf1fb upstream. + +This fixes regression introduced by +commit 8d52af6795c0 ("mei: speed up the power down flow") + +In power down or suspend flow a message can still be received +from the FW because the clients fake disconnection. +In normal case we interpret messages w/o destination as corrupted +and link reset is performed in order to clean the channel, +but during power down link reset is already in progress resulting +in endless loop. To resolve the issue under power down flow we +discard messages silently. + +Cc: 4.16+ +Fixes: 8d52af6795c0 ("mei: speed up the power down flow") +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199541 +Signed-off-by: Alexander Usyskin +Signed-off-by: Tomas Winkler +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/mei/interrupt.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/misc/mei/interrupt.c ++++ b/drivers/misc/mei/interrupt.c +@@ -310,8 +310,11 @@ int mei_irq_read_handler(struct mei_devi + if (&cl->link == &dev->file_list) { + /* A message for not connected fixed address clients + * should be silently discarded ++ * On power down client may be force cleaned, ++ * silently discard such messages + */ +- if (hdr_is_fixed(mei_hdr)) { ++ if (hdr_is_fixed(mei_hdr) || ++ dev->dev_state == MEI_DEV_POWER_DOWN) { + mei_irq_discard_msg(dev, mei_hdr); + ret = 0; + goto reset_slots; diff --git a/queue-4.17/mips-call-dump_stack-from-show_regs.patch b/queue-4.17/mips-call-dump_stack-from-show_regs.patch new file mode 100644 index 00000000000..2280750ab2d --- /dev/null +++ b/queue-4.17/mips-call-dump_stack-from-show_regs.patch @@ -0,0 +1,71 @@ +From 5a267832c2ec47b2dad0fdb291a96bb5b8869315 Mon Sep 17 00:00:00 2001 +From: Paul Burton +Date: Fri, 22 Jun 2018 10:55:45 -0700 +Subject: MIPS: Call dump_stack() from show_regs() + +From: Paul Burton + +commit 5a267832c2ec47b2dad0fdb291a96bb5b8869315 upstream. + +The generic nmi_cpu_backtrace() function calls show_regs() when a struct +pt_regs is available, and dump_stack() otherwise. If we were to make use +of the generic nmi_cpu_backtrace() with MIPS' current implementation of +show_regs() this would mean that we see only register data with no +accompanying stack information, in contrast with our current +implementation which calls dump_stack() regardless of whether register +state is available. + +In preparation for making use of the generic nmi_cpu_backtrace() to +implement arch_trigger_cpumask_backtrace(), have our implementation of +show_regs() call dump_stack() and drop the explicit dump_stack() call in +arch_dump_stack() which is invoked by arch_trigger_cpumask_backtrace(). + +This will allow the output we produce to remain the same after a later +patch switches to using nmi_cpu_backtrace(). It may mean that we produce +extra stack output in other uses of show_regs(), but this: + + 1) Seems harmless. + 2) Is good for consistency between arch_trigger_cpumask_backtrace() + and other users of show_regs(). + 3) Matches the behaviour of the ARM & PowerPC architectures. + +Marked for stable back to v4.9 as a prerequisite of the following patch +"MIPS: Call dump_stack() from show_regs()". + +Signed-off-by: Paul Burton +Patchwork: https://patchwork.linux-mips.org/patch/19596/ +Cc: James Hogan +Cc: Ralf Baechle +Cc: Huacai Chen +Cc: linux-mips@linux-mips.org +Cc: stable@vger.kernel.org # v4.9+ +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/process.c | 4 ++-- + arch/mips/kernel/traps.c | 1 + + 2 files changed, 3 insertions(+), 2 deletions(-) + +--- a/arch/mips/kernel/process.c ++++ b/arch/mips/kernel/process.c +@@ -663,8 +663,8 @@ static void arch_dump_stack(void *info) + + if (regs) + show_regs(regs); +- +- dump_stack(); ++ else ++ dump_stack(); + } + + void arch_trigger_cpumask_backtrace(const cpumask_t *mask, bool exclude_self) +--- a/arch/mips/kernel/traps.c ++++ b/arch/mips/kernel/traps.c +@@ -351,6 +351,7 @@ static void __show_regs(const struct pt_ + void show_regs(struct pt_regs *regs) + { + __show_regs((struct pt_regs *)regs); ++ dump_stack(); + } + + void show_registers(struct pt_regs *regs) diff --git a/queue-4.17/mips-fix-ioremap-ram-check.patch b/queue-4.17/mips-fix-ioremap-ram-check.patch new file mode 100644 index 00000000000..52ef8ad2430 --- /dev/null +++ b/queue-4.17/mips-fix-ioremap-ram-check.patch @@ -0,0 +1,125 @@ +From 523402fa9101090c91d2033b7ebdfdcf65880488 Mon Sep 17 00:00:00 2001 +From: Paul Burton +Date: Thu, 5 Jul 2018 14:37:52 -0700 +Subject: MIPS: Fix ioremap() RAM check + +From: Paul Burton + +commit 523402fa9101090c91d2033b7ebdfdcf65880488 upstream. + +We currently attempt to check whether a physical address range provided +to __ioremap() may be in use by the page allocator by examining the +value of PageReserved for each page in the region - lowmem pages not +marked reserved are presumed to be in use by the page allocator, and +requests to ioremap them fail. + +The way we check this has been broken since commit 92923ca3aace ("mm: +meminit: only set page reserved in the memblock region"), because +memblock will typically not have any knowledge of non-RAM pages and +therefore those pages will not have the PageReserved flag set. Thus when +we attempt to ioremap a region outside of RAM we incorrectly fail +believing that the region is RAM that may be in use. + +In most cases ioremap() on MIPS will take a fast-path to use the +unmapped kseg1 or xkphys virtual address spaces and never hit this path, +so the only way to hit it is for a MIPS32 system to attempt to ioremap() +an address range in lowmem with flags other than _CACHE_UNCACHED. +Perhaps the most straightforward way to do this is using +ioremap_uncached_accelerated(), which is how the problem was discovered. + +Fix this by making use of walk_system_ram_range() to test the address +range provided to __ioremap() against only RAM pages, rather than all +lowmem pages. This means that if we have a lowmem I/O region, which is +very common for MIPS systems, we're free to ioremap() address ranges +within it. A nice bonus is that the test is no longer limited to lowmem. + +The approach here matches the way x86 performed the same test after +commit c81c8a1eeede ("x86, ioremap: Speed up check for RAM pages") until +x86 moved towards a slightly more complicated check using walk_mem_res() +for unrelated reasons with commit 0e4c12b45aa8 ("x86/mm, resource: Use +PAGE_KERNEL protection for ioremap of memory pages"). + +Signed-off-by: Paul Burton +Reported-by: Serge Semin +Tested-by: Serge Semin +Fixes: 92923ca3aace ("mm: meminit: only set page reserved in the memblock region") +Cc: James Hogan +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Cc: stable@vger.kernel.org # v4.2+ +Patchwork: https://patchwork.linux-mips.org/patch/19786/ +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/mm/ioremap.c | 37 +++++++++++++++++++++++++------------ + 1 file changed, 25 insertions(+), 12 deletions(-) + +--- a/arch/mips/mm/ioremap.c ++++ b/arch/mips/mm/ioremap.c +@@ -9,6 +9,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -98,6 +99,20 @@ static int remap_area_pages(unsigned lon + return error; + } + ++static int __ioremap_check_ram(unsigned long start_pfn, unsigned long nr_pages, ++ void *arg) ++{ ++ unsigned long i; ++ ++ for (i = 0; i < nr_pages; i++) { ++ if (pfn_valid(start_pfn + i) && ++ !PageReserved(pfn_to_page(start_pfn + i))) ++ return 1; ++ } ++ ++ return 0; ++} ++ + /* + * Generic mapping function (not visible outside): + */ +@@ -116,8 +131,8 @@ static int remap_area_pages(unsigned lon + + void __iomem * __ioremap(phys_addr_t phys_addr, phys_addr_t size, unsigned long flags) + { ++ unsigned long offset, pfn, last_pfn; + struct vm_struct * area; +- unsigned long offset; + phys_addr_t last_addr; + void * addr; + +@@ -137,18 +152,16 @@ void __iomem * __ioremap(phys_addr_t phy + return (void __iomem *) CKSEG1ADDR(phys_addr); + + /* +- * Don't allow anybody to remap normal RAM that we're using.. ++ * Don't allow anybody to remap RAM that may be allocated by the page ++ * allocator, since that could lead to races & data clobbering. + */ +- if (phys_addr < virt_to_phys(high_memory)) { +- char *t_addr, *t_end; +- struct page *page; +- +- t_addr = __va(phys_addr); +- t_end = t_addr + (size - 1); +- +- for(page = virt_to_page(t_addr); page <= virt_to_page(t_end); page++) +- if(!PageReserved(page)) +- return NULL; ++ pfn = PFN_DOWN(phys_addr); ++ last_pfn = PFN_DOWN(last_addr); ++ if (walk_system_ram_range(pfn, last_pfn - pfn + 1, NULL, ++ __ioremap_check_ram) == 1) { ++ WARN_ONCE(1, "ioremap on RAM at %pa - %pa\n", ++ &phys_addr, &last_addr); ++ return NULL; + } + + /* diff --git a/queue-4.17/mips-use-async-ipis-for-arch_trigger_cpumask_backtrace.patch b/queue-4.17/mips-use-async-ipis-for-arch_trigger_cpumask_backtrace.patch new file mode 100644 index 00000000000..da0ef014ebd --- /dev/null +++ b/queue-4.17/mips-use-async-ipis-for-arch_trigger_cpumask_backtrace.patch @@ -0,0 +1,180 @@ +From b63e132b6433a41cf311e8bc382d33fd2b73b505 Mon Sep 17 00:00:00 2001 +From: Paul Burton +Date: Fri, 22 Jun 2018 10:55:46 -0700 +Subject: MIPS: Use async IPIs for arch_trigger_cpumask_backtrace() + +From: Paul Burton + +commit b63e132b6433a41cf311e8bc382d33fd2b73b505 upstream. + +The current MIPS implementation of arch_trigger_cpumask_backtrace() is +broken because it attempts to use synchronous IPIs despite the fact that +it may be run with interrupts disabled. + +This means that when arch_trigger_cpumask_backtrace() is invoked, for +example by the RCU CPU stall watchdog, we may: + + - Deadlock due to use of synchronous IPIs with interrupts disabled, + causing the CPU that's attempting to generate the backtrace output + to hang itself. + + - Not succeed in generating the desired output from remote CPUs. + + - Produce warnings about this from smp_call_function_many(), for + example: + + [42760.526910] INFO: rcu_sched detected stalls on CPUs/tasks: + [42760.535755] 0-...!: (1 GPs behind) idle=ade/140000000000000/0 softirq=526944/526945 fqs=0 + [42760.547874] 1-...!: (0 ticks this GP) idle=e4a/140000000000000/0 softirq=547885/547885 fqs=0 + [42760.559869] (detected by 2, t=2162 jiffies, g=266689, c=266688, q=33) + [42760.568927] ------------[ cut here ]------------ + [42760.576146] WARNING: CPU: 2 PID: 1216 at kernel/smp.c:416 smp_call_function_many+0x88/0x20c + [42760.587839] Modules linked in: + [42760.593152] CPU: 2 PID: 1216 Comm: sh Not tainted 4.15.4-00373-gee058bb4d0c2 #2 + [42760.603767] Stack : 8e09bd20 8e09bd20 8e09bd20 fffffff0 00000007 00000006 00000000 8e09bca8 + [42760.616937] 95b2b379 95b2b379 807a0080 00000007 81944518 0000018a 00000032 00000000 + [42760.630095] 00000000 00000030 80000000 00000000 806eca74 00000009 8017e2b8 000001a0 + [42760.643169] 00000000 00000002 00000000 8e09baa4 00000008 808b8008 86d69080 8e09bca0 + [42760.656282] 8e09ad50 805e20aa 00000000 00000000 00000000 8017e2b8 00000009 801070ca + [42760.669424] ... + [42760.673919] Call Trace: + [42760.678672] [<27fde568>] show_stack+0x70/0xf0 + [42760.685417] [<84751641>] dump_stack+0xaa/0xd0 + [42760.692188] [<699d671c>] __warn+0x80/0x92 + [42760.698549] [<68915d41>] warn_slowpath_null+0x28/0x36 + [42760.705912] [] smp_call_function_many+0x88/0x20c + [42760.713696] [<6bbdfc2a>] arch_trigger_cpumask_backtrace+0x30/0x4a + [42760.722216] [] rcu_dump_cpu_stacks+0x6a/0x98 + [42760.729580] [<796e7629>] rcu_check_callbacks+0x672/0x6ac + [42760.737476] [<059b3b43>] update_process_times+0x18/0x34 + [42760.744981] [<6eb94941>] tick_sched_handle.isra.5+0x26/0x38 + [42760.752793] [<478d3d70>] tick_sched_timer+0x1c/0x50 + [42760.759882] [] __hrtimer_run_queues+0xc6/0x226 + [42760.767418] [] hrtimer_interrupt+0x88/0x19a + [42760.775031] [<6765a19e>] gic_compare_interrupt+0x2e/0x3a + [42760.782761] [<0558bf5f>] handle_percpu_devid_irq+0x78/0x168 + [42760.790795] [<90c11ba2>] generic_handle_irq+0x1e/0x2c + [42760.798117] [<1b6d462c>] gic_handle_local_int+0x38/0x86 + [42760.805545] [] gic_irq_dispatch+0xa/0x14 + [42760.812534] [<90c11ba2>] generic_handle_irq+0x1e/0x2c + [42760.820086] [] do_IRQ+0x16/0x20 + [42760.826274] [<9aef3ce6>] plat_irq_dispatch+0x62/0x94 + [42760.833458] [<6a94b53c>] except_vec_vi_end+0x70/0x78 + [42760.840655] [<22284043>] smp_call_function_many+0x1ba/0x20c + [42760.848501] [<54022b58>] smp_call_function+0x1e/0x2c + [42760.855693] [] flush_tlb_mm+0x2a/0x98 + [42760.862730] [<0844cdd0>] tlb_flush_mmu+0x1c/0x44 + [42760.869628] [] arch_tlb_finish_mmu+0x26/0x3e + [42760.877021] [<1aeaaf74>] tlb_finish_mmu+0x18/0x66 + [42760.883907] [] exit_mmap+0x76/0xea + [42760.890428] [] mmput+0x80/0x11a + [42760.896632] [] do_exit+0x1f4/0x80c + [42760.903158] [] do_group_exit+0x20/0x7e + [42760.909990] [<13fa8d54>] __wake_up_parent+0x0/0x1e + [42760.917045] [<46cf89d0>] smp_call_function_many+0x1a2/0x20c + [42760.924893] [<8c21a93b>] syscall_common+0x14/0x1c + [42760.931765] ---[ end trace 02aa09da9dc52a60 ]--- + [42760.938342] ------------[ cut here ]------------ + [42760.945311] WARNING: CPU: 2 PID: 1216 at kernel/smp.c:291 smp_call_function_single+0xee/0xf8 + ... + +This patch switches MIPS' arch_trigger_cpumask_backtrace() to use async +IPIs & smp_call_function_single_async() in order to resolve this +problem. We ensure use of the pre-allocated call_single_data_t +structures is serialized by maintaining a cpumask indicating that +they're busy, and refusing to attempt to send an IPI when a CPU's bit is +set in this mask. This should only happen if a CPU hasn't responded to a +previous backtrace IPI - ie. if it's hung - and we print a warning to +the console in this case. + +I've marked this for stable branches as far back as v4.9, to which it +applies cleanly. Strictly speaking the faulty MIPS implementation can be +traced further back to commit 856839b76836 ("MIPS: Add +arch_trigger_all_cpu_backtrace() function") in v3.19, but kernel +versions v3.19 through v4.8 will require further work to backport due to +the rework performed in commit 9a01c3ed5cdb ("nmi_backtrace: add more +trigger_*_cpu_backtrace() methods"). + +Signed-off-by: Paul Burton +Patchwork: https://patchwork.linux-mips.org/patch/19597/ +Cc: James Hogan +Cc: Ralf Baechle +Cc: Huacai Chen +Cc: linux-mips@linux-mips.org +Cc: stable@vger.kernel.org # v4.9+ +Fixes: 856839b76836 ("MIPS: Add arch_trigger_all_cpu_backtrace() function") +Fixes: 9a01c3ed5cdb ("nmi_backtrace: add more trigger_*_cpu_backtrace() methods") +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/process.c | 45 ++++++++++++++++++++++++++++++--------------- + 1 file changed, 30 insertions(+), 15 deletions(-) + +--- a/arch/mips/kernel/process.c ++++ b/arch/mips/kernel/process.c +@@ -29,6 +29,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -655,28 +656,42 @@ unsigned long arch_align_stack(unsigned + return sp & ALMASK; + } + +-static void arch_dump_stack(void *info) +-{ +- struct pt_regs *regs; ++static DEFINE_PER_CPU(call_single_data_t, backtrace_csd); ++static struct cpumask backtrace_csd_busy; + +- regs = get_irq_regs(); +- +- if (regs) +- show_regs(regs); +- else +- dump_stack(); ++static void handle_backtrace(void *info) ++{ ++ nmi_cpu_backtrace(get_irq_regs()); ++ cpumask_clear_cpu(smp_processor_id(), &backtrace_csd_busy); + } + +-void arch_trigger_cpumask_backtrace(const cpumask_t *mask, bool exclude_self) ++static void raise_backtrace(cpumask_t *mask) + { +- long this_cpu = get_cpu(); ++ call_single_data_t *csd; ++ int cpu; + +- if (cpumask_test_cpu(this_cpu, mask) && !exclude_self) +- dump_stack(); ++ for_each_cpu(cpu, mask) { ++ /* ++ * If we previously sent an IPI to the target CPU & it hasn't ++ * cleared its bit in the busy cpumask then it didn't handle ++ * our previous IPI & it's not safe for us to reuse the ++ * call_single_data_t. ++ */ ++ if (cpumask_test_and_set_cpu(cpu, &backtrace_csd_busy)) { ++ pr_warn("Unable to send backtrace IPI to CPU%u - perhaps it hung?\n", ++ cpu); ++ continue; ++ } + +- smp_call_function_many(mask, arch_dump_stack, NULL, 1); ++ csd = &per_cpu(backtrace_csd, cpu); ++ csd->func = handle_backtrace; ++ smp_call_function_single_async(cpu, csd); ++ } ++} + +- put_cpu(); ++void arch_trigger_cpumask_backtrace(const cpumask_t *mask, bool exclude_self) ++{ ++ nmi_trigger_cpumask_backtrace(mask, exclude_self, raise_backtrace); + } + + int mips_get_process_fp_mode(struct task_struct *task) diff --git a/queue-4.17/mmc-dw_mmc-fix-card-threshold-control-configuration.patch b/queue-4.17/mmc-dw_mmc-fix-card-threshold-control-configuration.patch new file mode 100644 index 00000000000..c0a805f69fd --- /dev/null +++ b/queue-4.17/mmc-dw_mmc-fix-card-threshold-control-configuration.patch @@ -0,0 +1,49 @@ +From 7a6b9f4d601dfce8cb68f0dcfd834270280e31e6 Mon Sep 17 00:00:00 2001 +From: x00270170 +Date: Tue, 3 Jul 2018 15:06:27 +0800 +Subject: mmc: dw_mmc: fix card threshold control configuration + +From: x00270170 + +commit 7a6b9f4d601dfce8cb68f0dcfd834270280e31e6 upstream. + +Card write threshold control is supposed to be set since controller +version 2.80a for data write in HS400 mode and data read in +HS200/HS400/SDR104 mode. However the current code returns without +configuring it in the case of data writing in HS400 mode. +Meanwhile the patch fixes that the current code goes to +'disable' when doing data reading in HS400 mode. + +Fixes: 7e4bf1bc9543 ("mmc: dw_mmc: add the card write threshold for HS400 mode") +Signed-off-by: Qing Xia +Cc: stable@vger.kernel.org # v4.8+ +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/dw_mmc.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/mmc/host/dw_mmc.c ++++ b/drivers/mmc/host/dw_mmc.c +@@ -1065,8 +1065,8 @@ static void dw_mci_ctrl_thld(struct dw_m + * It's used when HS400 mode is enabled. + */ + if (data->flags & MMC_DATA_WRITE && +- !(host->timing != MMC_TIMING_MMC_HS400)) +- return; ++ host->timing != MMC_TIMING_MMC_HS400) ++ goto disable; + + if (data->flags & MMC_DATA_WRITE) + enable = SDMMC_CARD_WR_THR_EN; +@@ -1074,7 +1074,8 @@ static void dw_mci_ctrl_thld(struct dw_m + enable = SDMMC_CARD_RD_THR_EN; + + if (host->timing != MMC_TIMING_MMC_HS200 && +- host->timing != MMC_TIMING_UHS_SDR104) ++ host->timing != MMC_TIMING_UHS_SDR104 && ++ host->timing != MMC_TIMING_MMC_HS400) + goto disable; + + blksz_depth = blksz / (1 << host->data_shift); diff --git a/queue-4.17/mmc-renesas_sdhi_internal_dmac-cannot-clear-the-rx_in_use-in-abort.patch b/queue-4.17/mmc-renesas_sdhi_internal_dmac-cannot-clear-the-rx_in_use-in-abort.patch new file mode 100644 index 00000000000..cadd0a81a0a --- /dev/null +++ b/queue-4.17/mmc-renesas_sdhi_internal_dmac-cannot-clear-the-rx_in_use-in-abort.patch @@ -0,0 +1,41 @@ +From 25a98edd5795719c5187e16ea271e8de86e02809 Mon Sep 17 00:00:00 2001 +From: Yoshihiro Shimoda +Date: Fri, 29 Jun 2018 19:01:45 +0900 +Subject: mmc: renesas_sdhi_internal_dmac: Cannot clear the RX_IN_USE in abort + +From: Yoshihiro Shimoda + +commit 25a98edd5795719c5187e16ea271e8de86e02809 upstream. + +This patch is fixes an issue that the SDHI_INTERNAL_DMAC_RX_IN_USE +flag cannot be cleared because tmio_mmc_core sets the host->data +to NULL before the tmio_mmc_core calls tmio_mmc_abort_dma(). + +So, this patch clears the SDHI_INTERNAL_DMAC_RX_IN_USE in +the renesas_sdhi_internal_dmac_abort_dma() anyway. This doesn't +cause any side effects. + +Fixes: 0cbc94daa554 ("mmc: renesas_sdhi_internal_dmac: limit DMA RX for old SoCs") +Cc: # v4.17+ +Signed-off-by: Yoshihiro Shimoda +Reviewed-by: Geert Uytterhoeven +Reviewed-by: Simon Horman +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/renesas_sdhi_internal_dmac.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/mmc/host/renesas_sdhi_internal_dmac.c ++++ b/drivers/mmc/host/renesas_sdhi_internal_dmac.c +@@ -139,8 +139,7 @@ renesas_sdhi_internal_dmac_abort_dma(str + renesas_sdhi_internal_dmac_dm_write(host, DM_CM_RST, + RST_RESERVED_BITS | val); + +- if (host->data && host->data->flags & MMC_DATA_READ) +- clear_bit(SDHI_INTERNAL_DMAC_RX_IN_USE, &global_flags); ++ clear_bit(SDHI_INTERNAL_DMAC_RX_IN_USE, &global_flags); + + renesas_sdhi_internal_dmac_enable_dma(host, true); + } diff --git a/queue-4.17/mmc-sdhci-esdhc-imx-allow-1.8v-modes-without-100-200mhz-pinctrl-states.patch b/queue-4.17/mmc-sdhci-esdhc-imx-allow-1.8v-modes-without-100-200mhz-pinctrl-states.patch new file mode 100644 index 00000000000..be7b198cc11 --- /dev/null +++ b/queue-4.17/mmc-sdhci-esdhc-imx-allow-1.8v-modes-without-100-200mhz-pinctrl-states.patch @@ -0,0 +1,81 @@ +From 92748beac07c471d995fbec642b63572dc01b3dc Mon Sep 17 00:00:00 2001 +From: Stefan Agner +Date: Wed, 4 Jul 2018 17:07:45 +0200 +Subject: mmc: sdhci-esdhc-imx: allow 1.8V modes without 100/200MHz pinctrl states + +From: Stefan Agner + +commit 92748beac07c471d995fbec642b63572dc01b3dc upstream. + +If pinctrl nodes for 100/200MHz are missing, the controller should +not select any mode which need signal frequencies 100MHz or higher. +To prevent such speed modes the driver currently uses the quirk flag +SDHCI_QUIRK2_NO_1_8_V. This works nicely for SD cards since 1.8V +signaling is required for all faster modes and slower modes use 3.3V +signaling only. + +However, there are eMMC modes which use 1.8V signaling and run below +100MHz, e.g. DDR52 at 1.8V. With using SDHCI_QUIRK2_NO_1_8_V this +mode is prevented. When using a fixed 1.8V regulator as vqmmc-supply +the stack has no valid mode to use. In this tenuous situation the +kernel continuously prints voltage switching errors: + mmc1: Switching to 3.3V signalling voltage failed + +Avoid using SDHCI_QUIRK2_NO_1_8_V and prevent faster modes by +altering the SDHCI capability register. With that the stack is able +to select 1.8V modes even if no faster pinctrl states are available: + # cat /sys/kernel/debug/mmc1/ios + ... + timing spec: 8 (mmc DDR52) + signal voltage: 1 (1.80 V) + ... + +Link: http://lkml.kernel.org/r/20180628081331.13051-1-stefan@agner.ch +Signed-off-by: Stefan Agner +Fixes: ad93220de7da ("mmc: sdhci-esdhc-imx: change pinctrl state according +to uhs mode") +Cc: # v4.13+ +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci-esdhc-imx.c | 21 +++++++++------------ + 1 file changed, 9 insertions(+), 12 deletions(-) + +--- a/drivers/mmc/host/sdhci-esdhc-imx.c ++++ b/drivers/mmc/host/sdhci-esdhc-imx.c +@@ -306,6 +306,15 @@ static u32 esdhc_readl_le(struct sdhci_h + + if (imx_data->socdata->flags & ESDHC_FLAG_HS400) + val |= SDHCI_SUPPORT_HS400; ++ ++ /* ++ * Do not advertise faster UHS modes if there are no ++ * pinctrl states for 100MHz/200MHz. ++ */ ++ if (IS_ERR_OR_NULL(imx_data->pins_100mhz) || ++ IS_ERR_OR_NULL(imx_data->pins_200mhz)) ++ val &= ~(SDHCI_SUPPORT_SDR50 | SDHCI_SUPPORT_DDR50 ++ | SDHCI_SUPPORT_SDR104 | SDHCI_SUPPORT_HS400); + } + } + +@@ -1136,18 +1145,6 @@ sdhci_esdhc_imx_probe_dt(struct platform + ESDHC_PINCTRL_STATE_100MHZ); + imx_data->pins_200mhz = pinctrl_lookup_state(imx_data->pinctrl, + ESDHC_PINCTRL_STATE_200MHZ); +- if (IS_ERR(imx_data->pins_100mhz) || +- IS_ERR(imx_data->pins_200mhz)) { +- dev_warn(mmc_dev(host->mmc), +- "could not get ultra high speed state, work on normal mode\n"); +- /* +- * fall back to not supporting uhs by specifying no +- * 1.8v quirk +- */ +- host->quirks2 |= SDHCI_QUIRK2_NO_1_8_V; +- } +- } else { +- host->quirks2 |= SDHCI_QUIRK2_NO_1_8_V; + } + + /* call to generic mmc_of_parse to support additional capabilities */ diff --git a/queue-4.17/mtd-spi-nor-cadence-quadspi-fix-direct-mode-write-timeouts.patch b/queue-4.17/mtd-spi-nor-cadence-quadspi-fix-direct-mode-write-timeouts.patch new file mode 100644 index 00000000000..19507b179d6 --- /dev/null +++ b/queue-4.17/mtd-spi-nor-cadence-quadspi-fix-direct-mode-write-timeouts.patch @@ -0,0 +1,47 @@ +From aa7eee8a143a7e8b530eb1e75fb86cae793d1e21 Mon Sep 17 00:00:00 2001 +From: Vignesh R +Date: Sat, 30 Jun 2018 16:24:21 +0530 +Subject: mtd: spi-nor: cadence-quadspi: Fix direct mode write timeouts + +From: Vignesh R + +commit aa7eee8a143a7e8b530eb1e75fb86cae793d1e21 upstream. + +Sometimes when writing large size files to flash in direct/memory mapped +mode, it is seen that flash write enable command times out with error: +[ 503.146293] cadence-qspi 47040000.ospi: Flash command execution timed out. + +This is because, we need to make sure previous direct write operation +is complete by polling for IDLE bit in CONFIG_REG before starting the +next operation. + +Fix this by polling for IDLE bit after memory mapped write. + +Fixes: a27f2eaf2b27 ("mtd: spi-nor: cadence-quadspi: Add support for direct access mode") +Cc: stable@vger.kernel.org +Signed-off-by: Vignesh R +Reviewed-by: Marek Vasut +Signed-off-by: Boris Brezillon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/spi-nor/cadence-quadspi.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/mtd/spi-nor/cadence-quadspi.c ++++ b/drivers/mtd/spi-nor/cadence-quadspi.c +@@ -920,10 +920,12 @@ static ssize_t cqspi_write(struct spi_no + if (ret) + return ret; + +- if (f_pdata->use_direct_mode) ++ if (f_pdata->use_direct_mode) { + memcpy_toio(cqspi->ahb_base + to, buf, len); +- else ++ ret = cqspi_wait_idle(cqspi); ++ } else { + ret = cqspi_indirect_write_execute(nor, to, buf, len); ++ } + if (ret) + return ret; + diff --git a/queue-4.17/series b/queue-4.17/series index 55fa86d56bb..bd97b648a82 100644 --- a/queue-4.17/series +++ b/queue-4.17/series @@ -1 +1,22 @@ bpf-reject-passing-modified-ctx-to-helper-functions.patch +mips-call-dump_stack-from-show_regs.patch +mips-use-async-ipis-for-arch_trigger_cpumask_backtrace.patch +mips-fix-ioremap-ram-check.patch +drm-etnaviv-check-for-platform_device_register_simple-failure.patch +drm-etnaviv-fix-driver-unregistering.patch +drm-etnaviv-bring-back-progress-check-in-job-timeout-handler.patch +acpica-clear-status-of-all-events-when-entering-s5.patch +mmc-sdhci-esdhc-imx-allow-1.8v-modes-without-100-200mhz-pinctrl-states.patch +mmc-dw_mmc-fix-card-threshold-control-configuration.patch +mmc-renesas_sdhi_internal_dmac-cannot-clear-the-rx_in_use-in-abort.patch +ibmasm-don-t-write-out-of-bounds-in-read-handler.patch +staging-rtl8723bs-prevent-an-underflow-in-rtw_check_beacon_data.patch +staging-r8822be-fix-rtl8822be-can-t-find-any-wireless-ap.patch +ata-fix-zbc_out-command-block-check.patch +ata-fix-zbc_out-all-bit-handling.patch +mei-discard-messages-from-not-connected-client-during-power-down.patch +mtd-spi-nor-cadence-quadspi-fix-direct-mode-write-timeouts.patch +tracing-kprobe-release-kprobe-print_fmt-properly.patch +vmw_balloon-fix-inflation-with-batching.patch +ahci-add-intel-ice-lake-lp-pci-id.patch +ahci-disable-lpm-on-lenovo-50-series-laptops-with-a-too-old-bios.patch diff --git a/queue-4.17/staging-r8822be-fix-rtl8822be-can-t-find-any-wireless-ap.patch b/queue-4.17/staging-r8822be-fix-rtl8822be-can-t-find-any-wireless-ap.patch new file mode 100644 index 00000000000..749e6f34b54 --- /dev/null +++ b/queue-4.17/staging-r8822be-fix-rtl8822be-can-t-find-any-wireless-ap.patch @@ -0,0 +1,58 @@ +From d59d2f9995d28974877750f429e821324bd603c7 Mon Sep 17 00:00:00 2001 +From: Ping-Ke Shih +Date: Fri, 6 Jul 2018 13:44:35 +0800 +Subject: staging: r8822be: Fix RTL8822be can't find any wireless AP + +From: Ping-Ke Shih + +commit d59d2f9995d28974877750f429e821324bd603c7 upstream. + +RTL8822be can't bring up properly on ASUS X530UN, and dmesg says: +[ 8.591333] r8822be: module is from the staging directory, the quality +is unknown, you have been warned. +[ 8.593122] r8822be 0000:02:00.0: enabling device (0000 -> 0003) +[ 8.669163] r8822be: Using firmware rtlwifi/rtl8822befw.bin +[ 9.289939] r8822be: rtlwifi: wireless switch is on +[ 10.056426] r8822be 0000:02:00.0 wlp2s0: renamed from wlan0 +... +[ 11.952534] r8822be: halmac_init_hal failed +[ 11.955933] r8822be: halmac_init_hal failed +[ 11.956227] r8822be: halmac_init_hal failed +[ 22.007942] r8822be: halmac_init_hal failed + +Jian-Hong reported it works if turn off ASPM with module parameter aspm=0. +In order to fix this problem kindly, this commit don't turn off aspm but +enlarge ASPM L1 latency to 7. + +Reported-by: Jian-Hong Pan +Tested-by: Jian-Hong Pan +Signed-off-by: Ping-Ke Shih +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/rtlwifi/rtl8822be/hw.c | 2 +- + drivers/staging/rtlwifi/wifi.h | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/staging/rtlwifi/rtl8822be/hw.c ++++ b/drivers/staging/rtlwifi/rtl8822be/hw.c +@@ -814,7 +814,7 @@ static void _rtl8822be_enable_aspm_back_ + return; + + pci_read_config_byte(rtlpci->pdev, 0x70f, &tmp); +- pci_write_config_byte(rtlpci->pdev, 0x70f, tmp | BIT(7)); ++ pci_write_config_byte(rtlpci->pdev, 0x70f, tmp | ASPM_L1_LATENCY << 3); + + pci_read_config_byte(rtlpci->pdev, 0x719, &tmp); + pci_write_config_byte(rtlpci->pdev, 0x719, tmp | BIT(3) | BIT(4)); +--- a/drivers/staging/rtlwifi/wifi.h ++++ b/drivers/staging/rtlwifi/wifi.h +@@ -99,6 +99,7 @@ + #define RTL_USB_MAX_RX_COUNT 100 + #define QBSS_LOAD_SIZE 5 + #define MAX_WMMELE_LENGTH 64 ++#define ASPM_L1_LATENCY 7 + + #define TOTAL_CAM_ENTRY 32 + diff --git a/queue-4.17/staging-rtl8723bs-prevent-an-underflow-in-rtw_check_beacon_data.patch b/queue-4.17/staging-rtl8723bs-prevent-an-underflow-in-rtw_check_beacon_data.patch new file mode 100644 index 00000000000..2e40450f2d1 --- /dev/null +++ b/queue-4.17/staging-rtl8723bs-prevent-an-underflow-in-rtw_check_beacon_data.patch @@ -0,0 +1,35 @@ +From 920c92448839bd4f8eb87a92b08cad56d449caff Mon Sep 17 00:00:00 2001 +From: Murray McAllister +Date: Mon, 2 Jul 2018 13:07:28 +1200 +Subject: staging: rtl8723bs: Prevent an underflow in rtw_check_beacon_data(). + +From: Murray McAllister + +commit 920c92448839bd4f8eb87a92b08cad56d449caff upstream. + +Dan Carpenter reported an integer underflow issue in the rtl8188eu driver. +This is also needed for the length (signed integer) in rtl8723bs, as it is +later converted to an unsigned integer and used in a memcpy operation. + +Original issue is at https://patchwork.kernel.org/patch/9796371/ + +Reported-by: Dan Carpenter +Signed-off-by: Murray McAllister +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/rtl8723bs/core/rtw_ap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/rtl8723bs/core/rtw_ap.c ++++ b/drivers/staging/rtl8723bs/core/rtw_ap.c +@@ -1059,7 +1059,7 @@ int rtw_check_beacon_data(struct adapter + return _FAIL; + + +- if (len > MAX_IE_SZ) ++ if (len < 0 || len > MAX_IE_SZ) + return _FAIL; + + pbss_network->IELength = len; diff --git a/queue-4.17/tracing-kprobe-release-kprobe-print_fmt-properly.patch b/queue-4.17/tracing-kprobe-release-kprobe-print_fmt-properly.patch new file mode 100644 index 00000000000..4e9561fb5c3 --- /dev/null +++ b/queue-4.17/tracing-kprobe-release-kprobe-print_fmt-properly.patch @@ -0,0 +1,50 @@ +From 0fc8c3581dd42bc8f530314ca86db2d861485731 Mon Sep 17 00:00:00 2001 +From: Jiri Olsa +Date: Mon, 9 Jul 2018 16:19:06 +0200 +Subject: tracing/kprobe: Release kprobe print_fmt properly + +From: Jiri Olsa + +commit 0fc8c3581dd42bc8f530314ca86db2d861485731 upstream. + +We don't release tk->tp.call.print_fmt when destroying +local uprobe. Also there's missing print_fmt kfree in +create_local_trace_kprobe error path. + +Link: http://lkml.kernel.org/r/20180709141906.2390-1-jolsa@kernel.org + +Cc: stable@vger.kernel.org +Fixes: e12f03d7031a ("perf/core: Implement the 'perf_kprobe' PMU") +Acked-by: Song Liu +Acked-by: Masami Hiramatsu +Signed-off-by: Jiri Olsa +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace_kprobe.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/kernel/trace/trace_kprobe.c ++++ b/kernel/trace/trace_kprobe.c +@@ -1451,8 +1451,10 @@ create_local_trace_kprobe(char *func, vo + } + + ret = __register_trace_kprobe(tk); +- if (ret < 0) ++ if (ret < 0) { ++ kfree(tk->tp.call.print_fmt); + goto error; ++ } + + return &tk->tp.call; + error: +@@ -1472,6 +1474,8 @@ void destroy_local_trace_kprobe(struct t + } + + __unregister_trace_kprobe(tk); ++ ++ kfree(tk->tp.call.print_fmt); + free_trace_kprobe(tk); + } + #endif /* CONFIG_PERF_EVENTS */ diff --git a/queue-4.17/vmw_balloon-fix-inflation-with-batching.patch b/queue-4.17/vmw_balloon-fix-inflation-with-batching.patch new file mode 100644 index 00000000000..57f2ea790ad --- /dev/null +++ b/queue-4.17/vmw_balloon-fix-inflation-with-batching.patch @@ -0,0 +1,44 @@ +From 90d72ce079791399ac255c75728f3c9e747b093d Mon Sep 17 00:00:00 2001 +From: Nadav Amit +Date: Mon, 2 Jul 2018 19:27:13 -0700 +Subject: vmw_balloon: fix inflation with batching + +From: Nadav Amit + +commit 90d72ce079791399ac255c75728f3c9e747b093d upstream. + +Embarrassingly, the recent fix introduced worse problem than it solved, +causing the balloon not to inflate. The VM informed the hypervisor that +the pages for lock/unlock are sitting in the wrong address, as it used +the page that is used the uninitialized page variable. + +Fixes: b23220fe054e9 ("vmw_balloon: fixing double free when batching mode is off") +Cc: stable@vger.kernel.org +Reviewed-by: Xavier Deguillard +Signed-off-by: Nadav Amit +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/vmw_balloon.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/misc/vmw_balloon.c ++++ b/drivers/misc/vmw_balloon.c +@@ -467,7 +467,7 @@ static int vmballoon_send_batched_lock(s + unsigned int num_pages, bool is_2m_pages, unsigned int *target) + { + unsigned long status; +- unsigned long pfn = page_to_pfn(b->page); ++ unsigned long pfn = PHYS_PFN(virt_to_phys(b->batch_page)); + + STATS_INC(b->stats.lock[is_2m_pages]); + +@@ -515,7 +515,7 @@ static bool vmballoon_send_batched_unloc + unsigned int num_pages, bool is_2m_pages, unsigned int *target) + { + unsigned long status; +- unsigned long pfn = page_to_pfn(b->page); ++ unsigned long pfn = PHYS_PFN(virt_to_phys(b->batch_page)); + + STATS_INC(b->stats.unlock[is_2m_pages]); +