From: Greg Kroah-Hartman Date: Fri, 23 Feb 2018 11:02:44 +0000 (+0100) Subject: 3.18-stable patches X-Git-Tag: v3.18.96~17 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bad7f492ba0f19f7ef149e8695e231da311c9efa;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: 509-fix-printing-uninitialized-stack-memory-when-oid-is-empty.patch arm-am33xx-prm-remove-am33xx_pwrdm_read_prev_pwrst-function.patch arm-dts-am4372-correct-the-interrupts_properties-of-mcasp.patch btrfs-fix-possible-off-by-one-in-btrfs_search_path_in_tree.patch dmaengine-jz4740-disable-unprepare-clk-if-probe-fails.patch gianfar-fix-a-flooded-alignment-reports-because-of-padding-issue.patch hippi-fix-a-fix-a-possible-sleep-in-atomic-bug-in-rr_close.patch m68k-add-missing-softirqentry_text-linker-section.patch media-s5k6aa-describe-some-function-parameters.patch mm-early_ioremap-fix-boot-hang-with-earlyprintk-efi-keep.patch net_sched-red-avoid-devision-by-zero.patch net_sched-red-avoid-illegal-values.patch perf-bench-numa-fixup-discontiguous-sparse-numa-nodes.patch perf-top-fix-window-dimensions-change-handling.patch powerpc-perf-fix-oops-when-grouping-different-pmu-events.patch s390-dasd-prevent-prefix-i-o-error.patch scripts-kernel-doc-don-t-fail-with-status-0-if-error-encountered-with-none.patch spi-sun4i-disable-clocks-in-the-remove-function.patch usb-build-drivers-usb-common-when-usb_support-is-set.patch x86-mm-kmmio-fix-mmiotrace-for-page-unaligned-addresses.patch xen-xen_acpi_processor-is-dom0-only.patch xfrm-fix-stack-out-of-bounds-with-misconfigured-transport-mode-policies.patch --- diff --git a/queue-3.18/509-fix-printing-uninitialized-stack-memory-when-oid-is-empty.patch b/queue-3.18/509-fix-printing-uninitialized-stack-memory-when-oid-is-empty.patch new file mode 100644 index 00000000000..fa2bc5cc571 --- /dev/null +++ b/queue-3.18/509-fix-printing-uninitialized-stack-memory-when-oid-is-empty.patch @@ -0,0 +1,56 @@ +From foo@baz Fri Feb 23 12:01:27 CET 2018 +From: Eric Biggers +Date: Fri, 8 Dec 2017 15:13:28 +0000 +Subject: 509: fix printing uninitialized stack memory when OID is empty + +From: Eric Biggers + + +[ Upstream commit 8dfd2f22d3bf3ab7714f7495ad5d897b8845e8c1 ] + +Callers of sprint_oid() do not check its return value before printing +the result. In the case where the OID is zero-length, -EBADMSG was +being returned without anything being written to the buffer, resulting +in uninitialized stack memory being printed. Fix this by writing +"(bad)" to the buffer in the cases where -EBADMSG is returned. + +Fixes: 4f73175d0375 ("X.509: Add utility functions to render OIDs as strings") +Signed-off-by: Eric Biggers +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + lib/oid_registry.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/lib/oid_registry.c ++++ b/lib/oid_registry.c +@@ -116,7 +116,7 @@ int sprint_oid(const void *data, size_t + int count; + + if (v >= end) +- return -EBADMSG; ++ goto bad; + + n = *v++; + ret = count = snprintf(buffer, bufsize, "%u.%u", n / 40, n % 40); +@@ -134,7 +134,7 @@ int sprint_oid(const void *data, size_t + num = n & 0x7f; + do { + if (v >= end) +- return -EBADMSG; ++ goto bad; + n = *v++; + num <<= 7; + num |= n & 0x7f; +@@ -148,6 +148,10 @@ int sprint_oid(const void *data, size_t + } + + return ret; ++ ++bad: ++ snprintf(buffer, bufsize, "(bad)"); ++ return -EBADMSG; + } + EXPORT_SYMBOL_GPL(sprint_oid); + diff --git a/queue-3.18/arm-am33xx-prm-remove-am33xx_pwrdm_read_prev_pwrst-function.patch b/queue-3.18/arm-am33xx-prm-remove-am33xx_pwrdm_read_prev_pwrst-function.patch new file mode 100644 index 00000000000..185e7ef17aa --- /dev/null +++ b/queue-3.18/arm-am33xx-prm-remove-am33xx_pwrdm_read_prev_pwrst-function.patch @@ -0,0 +1,59 @@ +From foo@baz Fri Feb 23 12:01:27 CET 2018 +From: Keerthy +Date: Fri, 10 Nov 2017 16:56:52 +0530 +Subject: ARM: AM33xx: PRM: Remove am33xx_pwrdm_read_prev_pwrst function + +From: Keerthy + + +[ Upstream commit b6d6af7226465b6d11eac09d0be2ab78a4a9eb62 ] + +Referring TRM Am335X series: +http://www.ti.com/lit/ug/spruh73p/spruh73p.pdf + +The LastPowerStateEntered bitfield is present only for PM_CEFUSE +domain. This is not present in any of the other power domains. Hence +remove the generic am33xx_pwrdm_read_prev_pwrst hook which wrongly +reads the reserved bit fields for all the other power domains. + +Reading the reserved bits leads to wrongly interpreting the low +power transitions for various power domains that do not have the +LastPowerStateEntered field. The pm debug counters values are wrong +currently as we are incrementing them based on the reserved bits. + +Signed-off-by: Keerthy +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-omap2/prm33xx.c | 12 ------------ + 1 file changed, 12 deletions(-) + +--- a/arch/arm/mach-omap2/prm33xx.c ++++ b/arch/arm/mach-omap2/prm33xx.c +@@ -165,17 +165,6 @@ static int am33xx_pwrdm_read_pwrst(struc + return v; + } + +-static int am33xx_pwrdm_read_prev_pwrst(struct powerdomain *pwrdm) +-{ +- u32 v; +- +- v = am33xx_prm_read_reg(pwrdm->prcm_offs, pwrdm->pwrstst_offs); +- v &= AM33XX_LASTPOWERSTATEENTERED_MASK; +- v >>= AM33XX_LASTPOWERSTATEENTERED_SHIFT; +- +- return v; +-} +- + static int am33xx_pwrdm_set_lowpwrstchange(struct powerdomain *pwrdm) + { + am33xx_prm_rmw_reg_bits(AM33XX_LOWPOWERSTATECHANGE_MASK, +@@ -329,7 +318,6 @@ struct pwrdm_ops am33xx_pwrdm_operations + .pwrdm_set_next_pwrst = am33xx_pwrdm_set_next_pwrst, + .pwrdm_read_next_pwrst = am33xx_pwrdm_read_next_pwrst, + .pwrdm_read_pwrst = am33xx_pwrdm_read_pwrst, +- .pwrdm_read_prev_pwrst = am33xx_pwrdm_read_prev_pwrst, + .pwrdm_set_logic_retst = am33xx_pwrdm_set_logic_retst, + .pwrdm_read_logic_pwrst = am33xx_pwrdm_read_logic_pwrst, + .pwrdm_read_logic_retst = am33xx_pwrdm_read_logic_retst, diff --git a/queue-3.18/arm-dts-am4372-correct-the-interrupts_properties-of-mcasp.patch b/queue-3.18/arm-dts-am4372-correct-the-interrupts_properties-of-mcasp.patch new file mode 100644 index 00000000000..0bb78d0d661 --- /dev/null +++ b/queue-3.18/arm-dts-am4372-correct-the-interrupts_properties-of-mcasp.patch @@ -0,0 +1,50 @@ +From foo@baz Fri Feb 23 12:01:27 CET 2018 +From: Peter Ujfalusi +Date: Wed, 1 Nov 2017 11:03:31 +0200 +Subject: ARM: dts: am4372: Correct the interrupts_properties of McASP + +From: Peter Ujfalusi + + +[ Upstream commit 627395a6f8091c0aa18f49dca7df59ba3ec147ef ] + +Fixes the following warnings: + +arch/arm/boot/dts/am437x-cm-t43.dtb: Warning (interrupts_property): +interrupts size is (8), expected multiple of 12 in +/ocp@44000000/mcasp@48038000 + +arch/arm/boot/dts/am437x-cm-t43.dtb: Warning (interrupts_property): +interrupts size is (8), expected multiple of 12 in +/ocp@44000000/mcasp@4803C000 + +Signed-off-by: Peter Ujfalusi +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/am4372.dtsi | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/arm/boot/dts/am4372.dtsi ++++ b/arch/arm/boot/dts/am4372.dtsi +@@ -702,7 +702,8 @@ + reg = <0x48038000 0x2000>, + <0x46000000 0x400000>; + reg-names = "mpu", "dat"; +- interrupts = <80>, <81>; ++ interrupts = , ++ ; + interrupt-names = "tx", "rx"; + status = "disabled"; + dmas = <&edma 8>, +@@ -716,7 +717,8 @@ + reg = <0x4803C000 0x2000>, + <0x46400000 0x400000>; + reg-names = "mpu", "dat"; +- interrupts = <82>, <83>; ++ interrupts = , ++ ; + interrupt-names = "tx", "rx"; + status = "disabled"; + dmas = <&edma 10>, diff --git a/queue-3.18/btrfs-fix-possible-off-by-one-in-btrfs_search_path_in_tree.patch b/queue-3.18/btrfs-fix-possible-off-by-one-in-btrfs_search_path_in_tree.patch new file mode 100644 index 00000000000..3aff0067b99 --- /dev/null +++ b/queue-3.18/btrfs-fix-possible-off-by-one-in-btrfs_search_path_in_tree.patch @@ -0,0 +1,56 @@ +From foo@baz Fri Feb 23 12:01:27 CET 2018 +From: Nikolay Borisov +Date: Fri, 1 Dec 2017 11:19:42 +0200 +Subject: btrfs: Fix possible off-by-one in btrfs_search_path_in_tree + +From: Nikolay Borisov + + +[ Upstream commit c8bcbfbd239ed60a6562964b58034ac8a25f4c31 ] + +The name char array passed to btrfs_search_path_in_tree is of size +BTRFS_INO_LOOKUP_PATH_MAX (4080). So the actual accessible char indexes +are in the range of [0, 4079]. Currently the code uses the define but this +represents an off-by-one. + +Implications: + +Size of btrfs_ioctl_ino_lookup_args is 4096, so the new byte will be +written to extra space, not some padding that could be provided by the +allocator. + +btrfs-progs store the arguments on stack, but kernel does own copy of +the ioctl buffer and the off-by-one overwrite does not affect userspace, +but the ending 0 might be lost. + +Kernel ioctl buffer is allocated dynamically so we're overwriting +somebody else's memory, and the ioctl is privileged if args.objectid is +not 256. Which is in most cases, but resolving a subvolume stored in +another directory will trigger that path. + +Before this patch the buffer was one byte larger, but then the -1 was +not added. + +Fixes: ac8e9819d71f907 ("Btrfs: add search and inode lookup ioctls") +Signed-off-by: Nikolay Borisov +Reviewed-by: David Sterba +[ added implications ] +Signed-off-by: David Sterba + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/ioctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -2233,7 +2233,7 @@ static noinline int btrfs_search_path_in + if (!path) + return -ENOMEM; + +- ptr = &name[BTRFS_INO_LOOKUP_PATH_MAX]; ++ ptr = &name[BTRFS_INO_LOOKUP_PATH_MAX - 1]; + + key.objectid = tree_id; + key.type = BTRFS_ROOT_ITEM_KEY; diff --git a/queue-3.18/dmaengine-jz4740-disable-unprepare-clk-if-probe-fails.patch b/queue-3.18/dmaengine-jz4740-disable-unprepare-clk-if-probe-fails.patch new file mode 100644 index 00000000000..7c369c91a03 --- /dev/null +++ b/queue-3.18/dmaengine-jz4740-disable-unprepare-clk-if-probe-fails.patch @@ -0,0 +1,44 @@ +From foo@baz Fri Feb 23 12:01:27 CET 2018 +From: Tobias Jordan +Date: Wed, 6 Dec 2017 14:28:27 +0100 +Subject: dmaengine: jz4740: disable/unprepare clk if probe fails + +From: Tobias Jordan + + +[ Upstream commit eb9436966fdc84cebdf222952a99898ab46d9bb0 ] + +in error path of jz4740_dma_probe(), call clk_disable_unprepare() to clean +up. + +Found by Linux Driver Verification project (linuxtesting.org). + +Fixes: 25ce6c35fea0 MIPS: jz4740: Remove custom DMA API +Signed-off-by: Tobias Jordan +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/dma-jz4740.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/dma/dma-jz4740.c ++++ b/drivers/dma/dma-jz4740.c +@@ -575,7 +575,7 @@ static int jz4740_dma_probe(struct platf + + ret = dma_async_device_register(dd); + if (ret) +- return ret; ++ goto err_clk; + + irq = platform_get_irq(pdev, 0); + ret = request_irq(irq, jz4740_dma_irq, 0, dev_name(&pdev->dev), dmadev); +@@ -588,6 +588,8 @@ static int jz4740_dma_probe(struct platf + + err_unregister: + dma_async_device_unregister(dd); ++err_clk: ++ clk_disable_unprepare(dmadev->clk); + return ret; + } + diff --git a/queue-3.18/gianfar-fix-a-flooded-alignment-reports-because-of-padding-issue.patch b/queue-3.18/gianfar-fix-a-flooded-alignment-reports-because-of-padding-issue.patch new file mode 100644 index 00000000000..ed234eb07e5 --- /dev/null +++ b/queue-3.18/gianfar-fix-a-flooded-alignment-reports-because-of-padding-issue.patch @@ -0,0 +1,81 @@ +From foo@baz Fri Feb 23 12:01:27 CET 2018 +From: Zumeng Chen +Date: Mon, 4 Dec 2017 11:22:02 +0800 +Subject: gianfar: fix a flooded alignment reports because of padding issue. + +From: Zumeng Chen + + +[ Upstream commit 58117672943734715bbe7565ac9f062effa524f0 ] + +According to LS1021A RM, the value of PAL can be set so that the start of the +IP header in the receive data buffer is aligned to a 32-bit boundary. Normally, +setting PAL = 2 provides minimal padding to ensure such alignment of the IP +header. + +However every incoming packet's 8-byte time stamp will be inserted into the +packet data buffer as padding alignment bytes when hardware time stamping is +enabled. + +So we set the padding 8+2 here to avoid the flooded alignment faults: + +root@128:~# cat /proc/cpu/alignment +User: 0 +System: 17539 (inet_gro_receive+0x114/0x2c0) +Skipped: 0 +Half: 0 +Word: 0 +DWord: 0 +Multi: 17539 +User faults: 2 (fixup) + +Also shown when exception report enablement + +CPU: 0 PID: 161 Comm: irq/66-eth1_g0_ Not tainted 4.1.21-rt13-WR8.0.0.0_preempt-rt #16 +Hardware name: Freescale LS1021A +[<8001b420>] (unwind_backtrace) from [<8001476c>] (show_stack+0x20/0x24) +[<8001476c>] (show_stack) from [<807cfb48>] (dump_stack+0x94/0xac) +[<807cfb48>] (dump_stack) from [<80025d70>] (do_alignment+0x720/0x958) +[<80025d70>] (do_alignment) from [<80009224>] (do_DataAbort+0x40/0xbc) +[<80009224>] (do_DataAbort) from [<80015398>] (__dabt_svc+0x38/0x60) +Exception stack(0x86ad1cc0 to 0x86ad1d08) +1cc0: f9b3e080 86b3d072 2d78d287 00000000 866816c0 86b3d05e 86e785d0 00000000 +1ce0: 00000011 0000000e 80840ab0 86ad1d3c 86ad1d08 86ad1d08 806d7fc0 806d806c +1d00: 40070013 ffffffff +[<80015398>] (__dabt_svc) from [<806d806c>] (inet_gro_receive+0x114/0x2c0) +[<806d806c>] (inet_gro_receive) from [<80660eec>] (dev_gro_receive+0x21c/0x3c0) +[<80660eec>] (dev_gro_receive) from [<8066133c>] (napi_gro_receive+0x44/0x17c) +[<8066133c>] (napi_gro_receive) from [<804f0538>] (gfar_clean_rx_ring+0x39c/0x7d4) +[<804f0538>] (gfar_clean_rx_ring) from [<804f0bf4>] (gfar_poll_rx_sq+0x58/0xe0) +[<804f0bf4>] (gfar_poll_rx_sq) from [<80660b10>] (net_rx_action+0x27c/0x43c) +[<80660b10>] (net_rx_action) from [<80033638>] (do_current_softirqs+0x1e0/0x3dc) +[<80033638>] (do_current_softirqs) from [<800338c4>] (__local_bh_enable+0x90/0xa8) +[<800338c4>] (__local_bh_enable) from [<8008025c>] (irq_forced_thread_fn+0x70/0x84) +[<8008025c>] (irq_forced_thread_fn) from [<800805e8>] (irq_thread+0x16c/0x244) +[<800805e8>] (irq_thread) from [<8004e490>] (kthread+0xe8/0x104) +[<8004e490>] (kthread) from [<8000fda8>] (ret_from_fork+0x14/0x2c) + +Signed-off-by: Zumeng Chen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/gianfar.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/freescale/gianfar.c ++++ b/drivers/net/ethernet/freescale/gianfar.c +@@ -1356,9 +1356,11 @@ static int gfar_probe(struct platform_de + + gfar_init_addr_hash_table(priv); + +- /* Insert receive time stamps into padding alignment bytes */ ++ /* Insert receive time stamps into padding alignment bytes, and ++ * plus 2 bytes padding to ensure the cpu alignment. ++ */ + if (priv->device_flags & FSL_GIANFAR_DEV_HAS_TIMER) +- priv->padding = 8; ++ priv->padding = 8 + DEFAULT_PADDING; + + if (dev->features & NETIF_F_IP_CSUM || + priv->device_flags & FSL_GIANFAR_DEV_HAS_TIMER) diff --git a/queue-3.18/hippi-fix-a-fix-a-possible-sleep-in-atomic-bug-in-rr_close.patch b/queue-3.18/hippi-fix-a-fix-a-possible-sleep-in-atomic-bug-in-rr_close.patch new file mode 100644 index 00000000000..3da069a8e71 --- /dev/null +++ b/queue-3.18/hippi-fix-a-fix-a-possible-sleep-in-atomic-bug-in-rr_close.patch @@ -0,0 +1,39 @@ +From foo@baz Fri Feb 23 12:01:27 CET 2018 +From: Jia-Ju Bai +Date: Tue, 12 Dec 2017 16:49:52 +0800 +Subject: hippi: Fix a Fix a possible sleep-in-atomic bug in rr_close + +From: Jia-Ju Bai + + +[ Upstream commit 6e266610eb6553cfb7e7eb5d11914bd01509c406 ] + +The driver may sleep under a spinlock. +The function call path is: +rr_close (acquire the spinlock) + free_irq --> may sleep + +To fix it, free_irq is moved to the place without holding the spinlock. + +This bug is found by my static analysis tool(DSAC) and checked by my code review. + +Signed-off-by: Jia-Ju Bai +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/hippi/rrunner.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/hippi/rrunner.c ++++ b/drivers/net/hippi/rrunner.c +@@ -1381,8 +1381,8 @@ static int rr_close(struct net_device *d + rrpriv->info_dma); + rrpriv->info = NULL; + +- free_irq(pdev->irq, dev); + spin_unlock_irqrestore(&rrpriv->lock, flags); ++ free_irq(pdev->irq, dev); + + return 0; + } diff --git a/queue-3.18/m68k-add-missing-softirqentry_text-linker-section.patch b/queue-3.18/m68k-add-missing-softirqentry_text-linker-section.patch new file mode 100644 index 00000000000..87ec0970d89 --- /dev/null +++ b/queue-3.18/m68k-add-missing-softirqentry_text-linker-section.patch @@ -0,0 +1,72 @@ +From foo@baz Fri Feb 23 12:01:27 CET 2018 +From: Greg Ungerer +Date: Tue, 14 Nov 2017 11:50:07 +1000 +Subject: m68k: add missing SOFTIRQENTRY_TEXT linker section + +From: Greg Ungerer + + +[ Upstream commit 969de0988b77e5a57aac2f7270191a3c50540c52 ] + +Commit be7635e7287e ("arch, ftrace: for KASAN put hard/soft IRQ entries +into separate sections") added a new linker section, SOFTIRQENTRY_TEXT, +to the linker scripts for most architectures. It didn't add it to any of +the linker scripts for the m68k architecture. This was not really a problem +because it is only defined if either of CONFIG_FUNCTION_GRAPH_TRACER or +CONFIG_KASAN are enabled - which can never be true for m68k. + +However commit 229a71860547 ("irq: Make the irqentry text section +unconditional") means that SOFTIRQENTRY_TEXT is now always defined. So on +m68k we now end up with a separate ELF section for .softirqentry.text +instead of it being part of the .text section. On some m68k targets in some +configurations this can also cause a fatal link error: + + LD vmlinux +/usr/local/bin/../m68k-uclinux/bin/ld.real: section .softirqentry.text loaded at [0000000010de10c0,0000000010de12dd] overlaps section .rodata loaded at [0000000010de10c0,0000000010e0fd67] + +To fix add in the missing SOFTIRQENTRY_TEXT section into the m68k linker +scripts. I noticed that m68k is also missing the IRQENTRY_TEXT section, +so this patch also adds an entry for that too. + +Signed-off-by: Greg Ungerer +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/m68k/kernel/vmlinux-nommu.lds | 2 ++ + arch/m68k/kernel/vmlinux-std.lds | 2 ++ + arch/m68k/kernel/vmlinux-sun3.lds | 2 ++ + 3 files changed, 6 insertions(+) + +--- a/arch/m68k/kernel/vmlinux-nommu.lds ++++ b/arch/m68k/kernel/vmlinux-nommu.lds +@@ -44,6 +44,8 @@ SECTIONS { + .text : { + HEAD_TEXT + TEXT_TEXT ++ IRQENTRY_TEXT ++ SOFTIRQENTRY_TEXT + SCHED_TEXT + LOCK_TEXT + *(.fixup) +--- a/arch/m68k/kernel/vmlinux-std.lds ++++ b/arch/m68k/kernel/vmlinux-std.lds +@@ -15,6 +15,8 @@ SECTIONS + .text : { + HEAD_TEXT + TEXT_TEXT ++ IRQENTRY_TEXT ++ SOFTIRQENTRY_TEXT + SCHED_TEXT + LOCK_TEXT + *(.fixup) +--- a/arch/m68k/kernel/vmlinux-sun3.lds ++++ b/arch/m68k/kernel/vmlinux-sun3.lds +@@ -15,6 +15,8 @@ SECTIONS + .text : { + HEAD_TEXT + TEXT_TEXT ++ IRQENTRY_TEXT ++ SOFTIRQENTRY_TEXT + SCHED_TEXT + LOCK_TEXT + *(.fixup) diff --git a/queue-3.18/media-s5k6aa-describe-some-function-parameters.patch b/queue-3.18/media-s5k6aa-describe-some-function-parameters.patch new file mode 100644 index 00000000000..46e6f586eed --- /dev/null +++ b/queue-3.18/media-s5k6aa-describe-some-function-parameters.patch @@ -0,0 +1,59 @@ +From foo@baz Fri Feb 23 12:01:27 CET 2018 +From: Mauro Carvalho Chehab +Date: Wed, 29 Nov 2017 08:44:41 -0500 +Subject: media: s5k6aa: describe some function parameters + +From: Mauro Carvalho Chehab + + +[ Upstream commit 070250a1715cee2297de0d9e7e2cea58be999d37 ] + +as warned: + drivers/media/i2c/s5k6aa.c:429: warning: No description found for parameter 's5k6aa' + drivers/media/i2c/s5k6aa.c:679: warning: No description found for parameter 's5k6aa' + drivers/media/i2c/s5k6aa.c:733: warning: No description found for parameter 's5k6aa' + drivers/media/i2c/s5k6aa.c:733: warning: No description found for parameter 'preset' + drivers/media/i2c/s5k6aa.c:787: warning: No description found for parameter 'sd' + +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/s5k6aa.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/media/i2c/s5k6aa.c ++++ b/drivers/media/i2c/s5k6aa.c +@@ -421,6 +421,7 @@ static int s5k6aa_set_ahb_address(struct + + /** + * s5k6aa_configure_pixel_clock - apply ISP main clock/PLL configuration ++ * @s5k6aa: pointer to &struct s5k6aa describing the device + * + * Configure the internal ISP PLL for the required output frequency. + * Locking: called with s5k6aa.lock mutex held. +@@ -669,6 +670,7 @@ static int s5k6aa_set_input_params(struc + + /** + * s5k6aa_configure_video_bus - configure the video output interface ++ * @s5k6aa: pointer to &struct s5k6aa describing the device + * @bus_type: video bus type: parallel or MIPI-CSI + * @nlanes: number of MIPI lanes to be used (MIPI-CSI only) + * +@@ -724,6 +726,8 @@ static int s5k6aa_new_config_sync(struct + + /** + * s5k6aa_set_prev_config - write user preview register set ++ * @s5k6aa: pointer to &struct s5k6aa describing the device ++ * @preset: s5kaa preset to be applied + * + * Configure output resolution and color fromat, pixel clock + * frequency range, device frame rate type and frame period range. +@@ -777,6 +781,7 @@ static int s5k6aa_set_prev_config(struct + + /** + * s5k6aa_initialize_isp - basic ISP MCU initialization ++ * @sd: pointer to V4L2 sub-device descriptor + * + * Configure AHB addresses for registers read/write; configure PLLs for + * required output pixel clock. The ISP power supply needs to be already diff --git a/queue-3.18/mm-early_ioremap-fix-boot-hang-with-earlyprintk-efi-keep.patch b/queue-3.18/mm-early_ioremap-fix-boot-hang-with-earlyprintk-efi-keep.patch new file mode 100644 index 00000000000..73b60f4babe --- /dev/null +++ b/queue-3.18/mm-early_ioremap-fix-boot-hang-with-earlyprintk-efi-keep.patch @@ -0,0 +1,48 @@ +From foo@baz Fri Feb 23 12:01:27 CET 2018 +From: Dave Young +Date: Sat, 9 Dec 2017 12:16:10 +0800 +Subject: mm/early_ioremap: Fix boot hang with earlyprintk=efi,keep + +From: Dave Young + + +[ Upstream commit 7f6f60a1ba52538c16f26930bfbcfe193d9d746a ] + +earlyprintk=efi,keep does not work any more with a warning +in mm/early_ioremap.c: WARN_ON(system_state != SYSTEM_BOOTING): +Boot just hangs because of the earlyprintk within the earlyprintk +implementation code itself. + +This is caused by a new introduced middle state in: + + 69a78ff226fe ("init: Introduce SYSTEM_SCHEDULING state") + +early_ioremap() is fine in both SYSTEM_BOOTING and SYSTEM_SCHEDULING +states, original condition should be updated accordingly. + +Signed-off-by: Dave Young +Acked-by: Thomas Gleixner +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: bp@suse.de +Cc: linux-efi@vger.kernel.org +Cc: linux-mm@kvack.org +Link: http://lkml.kernel.org/r/20171209041610.GA3249@dhcp-128-65.nay.redhat.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/early_ioremap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/early_ioremap.c ++++ b/mm/early_ioremap.c +@@ -102,7 +102,7 @@ __early_ioremap(resource_size_t phys_add + enum fixed_addresses idx; + int i, slot; + +- WARN_ON(system_state != SYSTEM_BOOTING); ++ WARN_ON(system_state >= SYSTEM_RUNNING); + + slot = -1; + for (i = 0; i < FIX_BTMAPS_SLOTS; i++) { diff --git a/queue-3.18/net_sched-red-avoid-devision-by-zero.patch b/queue-3.18/net_sched-red-avoid-devision-by-zero.patch new file mode 100644 index 00000000000..04b6b7cb8ff --- /dev/null +++ b/queue-3.18/net_sched-red-avoid-devision-by-zero.patch @@ -0,0 +1,32 @@ +From foo@baz Fri Feb 23 12:01:27 CET 2018 +From: Nogah Frankel +Date: Mon, 4 Dec 2017 13:31:10 +0200 +Subject: net_sched: red: Avoid devision by zero + +From: Nogah Frankel + + +[ Upstream commit 5c472203421ab4f928aa1ae9e1dbcfdd80324148 ] + +Do not allow delta value to be zero since it is used as a divisor. + +Fixes: 8af2a218de38 ("sch_red: Adaptative RED AQM") +Signed-off-by: Nogah Frankel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/net/red.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/net/red.h ++++ b/include/net/red.h +@@ -178,7 +178,7 @@ static inline void red_set_parms(struct + p->qth_max = qth_max << Wlog; + p->Wlog = Wlog; + p->Plog = Plog; +- if (delta < 0) ++ if (delta <= 0) + delta = 1; + p->qth_delta = delta; + if (!max_P) { diff --git a/queue-3.18/net_sched-red-avoid-illegal-values.patch b/queue-3.18/net_sched-red-avoid-illegal-values.patch new file mode 100644 index 00000000000..2c84703ac91 --- /dev/null +++ b/queue-3.18/net_sched-red-avoid-illegal-values.patch @@ -0,0 +1,93 @@ +From foo@baz Fri Feb 23 12:01:27 CET 2018 +From: Nogah Frankel +Date: Mon, 4 Dec 2017 13:31:11 +0200 +Subject: net_sched: red: Avoid illegal values + +From: Nogah Frankel + + +[ Upstream commit 8afa10cbe281b10371fee5a87ab266e48d71a7f9 ] + +Check the qmin & qmax values doesn't overflow for the given Wlog value. +Check that qmin <= qmax. + +Fixes: a783474591f2 ("[PKT_SCHED]: Generic RED layer") +Signed-off-by: Nogah Frankel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/net/red.h | 11 +++++++++++ + net/sched/sch_choke.c | 3 +++ + net/sched/sch_gred.c | 3 +++ + net/sched/sch_red.c | 2 ++ + net/sched/sch_sfq.c | 3 +++ + 5 files changed, 22 insertions(+) + +--- a/include/net/red.h ++++ b/include/net/red.h +@@ -167,6 +167,17 @@ static inline void red_set_vars(struct r + v->qcount = -1; + } + ++static inline bool red_check_params(u32 qth_min, u32 qth_max, u8 Wlog) ++{ ++ if (fls(qth_min) + Wlog > 32) ++ return false; ++ if (fls(qth_max) + Wlog > 32) ++ return false; ++ if (qth_max < qth_min) ++ return false; ++ return true; ++} ++ + static inline void red_set_parms(struct red_parms *p, + u32 qth_min, u32 qth_max, u8 Wlog, u8 Plog, + u8 Scell_log, u8 *stab, u32 max_P) +--- a/net/sched/sch_choke.c ++++ b/net/sched/sch_choke.c +@@ -431,6 +431,9 @@ static int choke_change(struct Qdisc *sc + + ctl = nla_data(tb[TCA_CHOKE_PARMS]); + ++ if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog)) ++ return -EINVAL; ++ + if (ctl->limit > CHOKE_MAX_QUEUE) + return -EINVAL; + +--- a/net/sched/sch_gred.c ++++ b/net/sched/sch_gred.c +@@ -388,6 +388,9 @@ static inline int gred_change_vq(struct + struct gred_sched *table = qdisc_priv(sch); + struct gred_sched_data *q = table->tab[dp]; + ++ if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog)) ++ return -EINVAL; ++ + if (!q) { + table->tab[dp] = q = *prealloc; + *prealloc = NULL; +--- a/net/sched/sch_red.c ++++ b/net/sched/sch_red.c +@@ -199,6 +199,8 @@ static int red_change(struct Qdisc *sch, + max_P = tb[TCA_RED_MAX_P] ? nla_get_u32(tb[TCA_RED_MAX_P]) : 0; + + ctl = nla_data(tb[TCA_RED_PARMS]); ++ if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog)) ++ return -EINVAL; + + if (ctl->limit > 0) { + child = fifo_create_dflt(sch, &bfifo_qdisc_ops, ctl->limit); +--- a/net/sched/sch_sfq.c ++++ b/net/sched/sch_sfq.c +@@ -653,6 +653,9 @@ static int sfq_change(struct Qdisc *sch, + if (ctl->divisor && + (!is_power_of_2(ctl->divisor) || ctl->divisor > 65536)) + return -EINVAL; ++ if (ctl_v1 && !red_check_params(ctl_v1->qth_min, ctl_v1->qth_max, ++ ctl_v1->Wlog)) ++ return -EINVAL; + if (ctl_v1 && ctl_v1->qth_min) { + p = kmalloc(sizeof(*p), GFP_KERNEL); + if (!p) diff --git a/queue-3.18/perf-bench-numa-fixup-discontiguous-sparse-numa-nodes.patch b/queue-3.18/perf-bench-numa-fixup-discontiguous-sparse-numa-nodes.patch new file mode 100644 index 00000000000..d9e80bfe15e --- /dev/null +++ b/queue-3.18/perf-bench-numa-fixup-discontiguous-sparse-numa-nodes.patch @@ -0,0 +1,132 @@ +From foo@baz Fri Feb 23 12:01:27 CET 2018 +From: Satheesh Rajendran +Date: Wed, 22 Nov 2017 22:13:53 +0530 +Subject: perf bench numa: Fixup discontiguous/sparse numa nodes + +From: Satheesh Rajendran + + +[ Upstream commit 321a7c35c90cc834851ceda18a8ee18f1d032b92 ] + +Certain systems are designed to have sparse/discontiguous nodes. On +such systems, 'perf bench numa' hangs, shows wrong number of nodes and +shows values for non-existent nodes. Handle this by only taking nodes +that are exposed by kernel to userspace. + +Signed-off-by: Satheesh Rajendran +Reviewed-by: Srikar Dronamraju +Acked-by: Naveen N. Rao +Link: http://lkml.kernel.org/r/1edbcd353c009e109e93d78f2f46381930c340fe.1511368645.git.sathnaga@linux.vnet.ibm.com +Signed-off-by: Balamuruhan S +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/bench/numa.c | 56 +++++++++++++++++++++++++++++++++++++++++++----- + 1 file changed, 51 insertions(+), 5 deletions(-) + +--- a/tools/perf/bench/numa.c ++++ b/tools/perf/bench/numa.c +@@ -203,6 +203,47 @@ static const char * const numa_usage[] = + NULL + }; + ++/* ++ * To get number of numa nodes present. ++ */ ++static int nr_numa_nodes(void) ++{ ++ int i, nr_nodes = 0; ++ ++ for (i = 0; i < g->p.nr_nodes; i++) { ++ if (numa_bitmask_isbitset(numa_nodes_ptr, i)) ++ nr_nodes++; ++ } ++ ++ return nr_nodes; ++} ++ ++/* ++ * To check if given numa node is present. ++ */ ++static int is_node_present(int node) ++{ ++ return numa_bitmask_isbitset(numa_nodes_ptr, node); ++} ++ ++/* ++ * To check given numa node has cpus. ++ */ ++static bool node_has_cpus(int node) ++{ ++ struct bitmask *cpu = numa_allocate_cpumask(); ++ unsigned int i; ++ ++ if (cpu && !numa_node_to_cpus(node, cpu)) { ++ for (i = 0; i < cpu->size; i++) { ++ if (numa_bitmask_isbitset(cpu, i)) ++ return true; ++ } ++ } ++ ++ return false; /* lets fall back to nocpus safely */ ++} ++ + static cpu_set_t bind_to_cpu(int target_cpu) + { + cpu_set_t orig_mask, mask; +@@ -231,12 +272,12 @@ static cpu_set_t bind_to_cpu(int target_ + + static cpu_set_t bind_to_node(int target_node) + { +- int cpus_per_node = g->p.nr_cpus/g->p.nr_nodes; ++ int cpus_per_node = g->p.nr_cpus / nr_numa_nodes(); + cpu_set_t orig_mask, mask; + int cpu; + int ret; + +- BUG_ON(cpus_per_node*g->p.nr_nodes != g->p.nr_cpus); ++ BUG_ON(cpus_per_node * nr_numa_nodes() != g->p.nr_cpus); + BUG_ON(!cpus_per_node); + + ret = sched_getaffinity(0, sizeof(orig_mask), &orig_mask); +@@ -636,7 +677,7 @@ static int parse_setup_node_list(void) + int i; + + for (i = 0; i < mul; i++) { +- if (t >= g->p.nr_tasks) { ++ if (t >= g->p.nr_tasks || !node_has_cpus(bind_node)) { + printf("\n# NOTE: ignoring bind NODEs starting at NODE#%d\n", bind_node); + goto out; + } +@@ -943,6 +984,8 @@ static void calc_convergence(double runt + sum = 0; + + for (node = 0; node < g->p.nr_nodes; node++) { ++ if (!is_node_present(node)) ++ continue; + nr = nodes[node]; + nr_min = min(nr, nr_min); + nr_max = max(nr, nr_max); +@@ -963,8 +1006,11 @@ static void calc_convergence(double runt + process_groups = 0; + + for (node = 0; node < g->p.nr_nodes; node++) { +- int processes = count_node_processes(node); ++ int processes; + ++ if (!is_node_present(node)) ++ continue; ++ processes = count_node_processes(node); + nr = nodes[node]; + tprintf(" %2d/%-2d", nr, processes); + +@@ -1262,7 +1308,7 @@ static void print_summary(void) + + printf("\n ###\n"); + printf(" # %d %s will execute (on %d nodes, %d CPUs):\n", +- g->p.nr_tasks, g->p.nr_tasks == 1 ? "task" : "tasks", g->p.nr_nodes, g->p.nr_cpus); ++ g->p.nr_tasks, g->p.nr_tasks == 1 ? "task" : "tasks", nr_numa_nodes(), g->p.nr_cpus); + printf(" # %5dx %5ldMB global shared mem operations\n", + g->p.nr_loops, g->p.bytes_global/1024/1024); + printf(" # %5dx %5ldMB process shared mem operations\n", diff --git a/queue-3.18/perf-top-fix-window-dimensions-change-handling.patch b/queue-3.18/perf-top-fix-window-dimensions-change-handling.patch new file mode 100644 index 00000000000..3da7b730ae3 --- /dev/null +++ b/queue-3.18/perf-top-fix-window-dimensions-change-handling.patch @@ -0,0 +1,82 @@ +From foo@baz Fri Feb 23 12:01:27 CET 2018 +From: Jiri Olsa +Date: Tue, 14 Nov 2017 10:23:39 +0100 +Subject: perf top: Fix window dimensions change handling + +From: Jiri Olsa + + +[ Upstream commit 89d0aeab4252adc2a7ea693637dd21c588bfa2d1 ] + +The stdio perf top crashes when we change the terminal +window size. The reason is that we assumed we get the +perf_top pointer as a signal handler argument which is +not the case. + +Changing the SIGWINCH handler logic to change global +resize variable, which is checked in the main thread +loop. + +Signed-off-by: Jiri Olsa +Tested-by: Arnaldo Carvalho de Melo +Tested-by: Ravi Bangoria +Cc: Adrian Hunter +Cc: Andi Kleen +Cc: David Ahern +Cc: Namhyung Kim +Cc: Wang Nan +Link: http://lkml.kernel.org/n/tip-ysuzwz77oev1ftgvdscn9bpu@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/builtin-top.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +--- a/tools/perf/builtin-top.c ++++ b/tools/perf/builtin-top.c +@@ -70,6 +70,7 @@ + #include + + static volatile int done; ++static volatile int resize; + + #define HEADER_LINE_NR 5 + +@@ -79,10 +80,13 @@ static void perf_top__update_print_entri + } + + static void perf_top__sig_winch(int sig __maybe_unused, +- siginfo_t *info __maybe_unused, void *arg) ++ siginfo_t *info __maybe_unused, void *arg __maybe_unused) + { +- struct perf_top *top = arg; ++ resize = 1; ++} + ++static void perf_top__resize(struct perf_top *top) ++{ + get_term_dimensions(&top->winsize); + perf_top__update_print_entries(top); + } +@@ -461,7 +465,7 @@ static bool perf_top__handle_keypress(st + .sa_sigaction = perf_top__sig_winch, + .sa_flags = SA_SIGINFO, + }; +- perf_top__sig_winch(SIGWINCH, NULL, top); ++ perf_top__resize(top); + sigaction(SIGWINCH, &act, NULL); + } else { + signal(SIGWINCH, SIG_DFL); +@@ -997,6 +1001,11 @@ static int __cmd_top(struct perf_top *to + + if (hits == top->samples) + ret = perf_evlist__poll(top->evlist, 100); ++ ++ if (resize) { ++ perf_top__resize(top); ++ resize = 0; ++ } + } + + ret = 0; diff --git a/queue-3.18/powerpc-perf-fix-oops-when-grouping-different-pmu-events.patch b/queue-3.18/powerpc-perf-fix-oops-when-grouping-different-pmu-events.patch new file mode 100644 index 00000000000..369216e2ee1 --- /dev/null +++ b/queue-3.18/powerpc-perf-fix-oops-when-grouping-different-pmu-events.patch @@ -0,0 +1,60 @@ +From foo@baz Fri Feb 23 12:01:27 CET 2018 +From: Ravi Bangoria +Date: Thu, 30 Nov 2017 14:03:22 +0530 +Subject: powerpc/perf: Fix oops when grouping different pmu events + +From: Ravi Bangoria + + +[ Upstream commit 5aa04b3eb6fca63d2e9827be656dcadc26d54e11 ] + +When user tries to group imc (In-Memory Collections) event with +normal event, (sometime) kernel crashes with following log: + + Faulting instruction address: 0x00000000 + [link register ] c00000000010ce88 power_check_constraints+0x128/0x980 + ... + c00000000010e238 power_pmu_event_init+0x268/0x6f0 + c0000000002dc60c perf_try_init_event+0xdc/0x1a0 + c0000000002dce88 perf_event_alloc+0x7b8/0xac0 + c0000000002e92e0 SyS_perf_event_open+0x530/0xda0 + c00000000000b004 system_call+0x38/0xe0 + +'event_base' field of 'struct hw_perf_event' is used as flags for +normal hw events and used as memory address for imc events. While +grouping these two types of events, collect_events() tries to +interpret imc 'event_base' as a flag, which causes a corruption +resulting in a crash. + +Consider only those events which belongs to 'perf_hw_context' in +collect_events(). + +Signed-off-by: Ravi Bangoria +Reviewed-By: Madhavan Srinivasan +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/perf/core-book3s.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/perf/core-book3s.c ++++ b/arch/powerpc/perf/core-book3s.c +@@ -1376,7 +1376,7 @@ static int collect_events(struct perf_ev + int n = 0; + struct perf_event *event; + +- if (!is_software_event(group)) { ++ if (group->pmu->task_ctx_nr == perf_hw_context) { + if (n >= max_count) + return -1; + ctrs[n] = group; +@@ -1384,7 +1384,7 @@ static int collect_events(struct perf_ev + events[n++] = group->hw.config; + } + list_for_each_entry(event, &group->sibling_list, group_entry) { +- if (!is_software_event(event) && ++ if (event->pmu->task_ctx_nr == perf_hw_context && + event->state != PERF_EVENT_STATE_OFF) { + if (n >= max_count) + return -1; diff --git a/queue-3.18/s390-dasd-prevent-prefix-i-o-error.patch b/queue-3.18/s390-dasd-prevent-prefix-i-o-error.patch new file mode 100644 index 00000000000..74c53fab110 --- /dev/null +++ b/queue-3.18/s390-dasd-prevent-prefix-i-o-error.patch @@ -0,0 +1,62 @@ +From foo@baz Fri Feb 23 12:01:27 CET 2018 +From: Stefan Haberland +Date: Thu, 26 Oct 2017 14:37:35 +0200 +Subject: s390/dasd: prevent prefix I/O error + +From: Stefan Haberland + + +[ Upstream commit da340f921d3454f1521671c7a5a43ad3331fbe50 ] + +Prevent that a prefix flag is set based on invalid configuration data. +The validity.verify_base flag should only be set for alias devices. +Usually the unit address type is either one of base, PAV alias or +HyperPAV alias. But in cases where the unit address type is not set or +any other value the validity.verify_base flag might be set as well. +This would lead to follow on errors. +Explicitly check for alias devices and set the validity flag only for +them. + +Signed-off-by: Stefan Haberland +Reviewed-by: Jan Hoeppner +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/block/dasd_eckd.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +--- a/drivers/s390/block/dasd_eckd.c ++++ b/drivers/s390/block/dasd_eckd.c +@@ -518,10 +518,12 @@ static int prefix_LRE(struct ccw1 *ccw, + pfxdata->validity.define_extent = 1; + + /* private uid is kept up to date, conf_data may be outdated */ +- if (startpriv->uid.type != UA_BASE_DEVICE) { ++ if (startpriv->uid.type == UA_BASE_PAV_ALIAS) + pfxdata->validity.verify_base = 1; +- if (startpriv->uid.type == UA_HYPER_PAV_ALIAS) +- pfxdata->validity.hyper_pav = 1; ++ ++ if (startpriv->uid.type == UA_HYPER_PAV_ALIAS) { ++ pfxdata->validity.verify_base = 1; ++ pfxdata->validity.hyper_pav = 1; + } + + /* define extend data (mostly)*/ +@@ -2969,10 +2971,12 @@ static int prepare_itcw(struct itcw *itc + pfxdata.validity.define_extent = 1; + + /* private uid is kept up to date, conf_data may be outdated */ +- if (startpriv->uid.type != UA_BASE_DEVICE) { ++ if (startpriv->uid.type == UA_BASE_PAV_ALIAS) ++ pfxdata.validity.verify_base = 1; ++ ++ if (startpriv->uid.type == UA_HYPER_PAV_ALIAS) { + pfxdata.validity.verify_base = 1; +- if (startpriv->uid.type == UA_HYPER_PAV_ALIAS) +- pfxdata.validity.hyper_pav = 1; ++ pfxdata.validity.hyper_pav = 1; + } + + switch (cmd) { diff --git a/queue-3.18/scripts-kernel-doc-don-t-fail-with-status-0-if-error-encountered-with-none.patch b/queue-3.18/scripts-kernel-doc-don-t-fail-with-status-0-if-error-encountered-with-none.patch new file mode 100644 index 00000000000..411b56386d6 --- /dev/null +++ b/queue-3.18/scripts-kernel-doc-don-t-fail-with-status-0-if-error-encountered-with-none.patch @@ -0,0 +1,52 @@ +From foo@baz Fri Feb 23 12:01:27 CET 2018 +From: Will Deacon +Date: Wed, 29 Nov 2017 15:20:03 +0000 +Subject: scripts/kernel-doc: Don't fail with status != 0 if error encountered with -none + +From: Will Deacon + + +[ Upstream commit e814bccbafece52a24e152d2395b5d49eef55841 ] + +My bisect scripts starting running into build failures when trying to +compile 4.15-rc1 with the builds failing with things like: + +drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c:2078: error: Cannot parse struct or union! + +The line in question is actually just a #define, but after some digging +it turns out that my scripts pass W=1 and since commit 3a025e1d1c2ea +("Add optional check for bad kernel-doc comments") that results in +kernel-doc running on each source file. The file in question has a +badly formatted comment immediately before the #define: + +/** + * struct brcmf_skbuff_cb reserves first two bytes in sk_buff::cb for + * bus layer usage. + */ + +which causes the regex in dump_struct to fail (lack of braces following +struct declaration) and kernel-doc returns 1, which causes the build +to fail. + +Fix the issue by always returning 0 from kernel-doc when invoked with +-none. It successfully generates no documentation, and prints out any +issues. + +Cc: Matthew Wilcox +Cc: Jonathan Corbet +Signed-off-by: Will Deacon +Signed-off-by: Jonathan Corbet +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + scripts/kernel-doc | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/scripts/kernel-doc ++++ b/scripts/kernel-doc +@@ -2616,4 +2616,4 @@ if ($verbose && $warnings) { + print STDERR "$warnings warnings\n"; + } + +-exit($errors); ++exit($output_mode eq "none" ? 0 : $errors); diff --git a/queue-3.18/series b/queue-3.18/series index 57ac9c260af..bdd0db5f447 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -32,3 +32,25 @@ asoc-ux500-add-module_license-tag.patch video-fbdev-mmp-add-module_license.patch dn_getsockoptdecnet-move-nf_-get-set-sockopt-outside-sock-lock.patch usbip-keep-usbip_device-sockfd-state-in-sync-with-tcp_socket.patch +usb-build-drivers-usb-common-when-usb_support-is-set.patch +arm-am33xx-prm-remove-am33xx_pwrdm_read_prev_pwrst-function.patch +arm-dts-am4372-correct-the-interrupts_properties-of-mcasp.patch +perf-top-fix-window-dimensions-change-handling.patch +perf-bench-numa-fixup-discontiguous-sparse-numa-nodes.patch +media-s5k6aa-describe-some-function-parameters.patch +scripts-kernel-doc-don-t-fail-with-status-0-if-error-encountered-with-none.patch +m68k-add-missing-softirqentry_text-linker-section.patch +powerpc-perf-fix-oops-when-grouping-different-pmu-events.patch +s390-dasd-prevent-prefix-i-o-error.patch +gianfar-fix-a-flooded-alignment-reports-because-of-padding-issue.patch +net_sched-red-avoid-devision-by-zero.patch +net_sched-red-avoid-illegal-values.patch +btrfs-fix-possible-off-by-one-in-btrfs_search_path_in_tree.patch +509-fix-printing-uninitialized-stack-memory-when-oid-is-empty.patch +spi-sun4i-disable-clocks-in-the-remove-function.patch +xfrm-fix-stack-out-of-bounds-with-misconfigured-transport-mode-policies.patch +dmaengine-jz4740-disable-unprepare-clk-if-probe-fails.patch +mm-early_ioremap-fix-boot-hang-with-earlyprintk-efi-keep.patch +x86-mm-kmmio-fix-mmiotrace-for-page-unaligned-addresses.patch +xen-xen_acpi_processor-is-dom0-only.patch +hippi-fix-a-fix-a-possible-sleep-in-atomic-bug-in-rr_close.patch diff --git a/queue-3.18/spi-sun4i-disable-clocks-in-the-remove-function.patch b/queue-3.18/spi-sun4i-disable-clocks-in-the-remove-function.patch new file mode 100644 index 00000000000..84dff80f8fb --- /dev/null +++ b/queue-3.18/spi-sun4i-disable-clocks-in-the-remove-function.patch @@ -0,0 +1,35 @@ +From foo@baz Fri Feb 23 12:01:27 CET 2018 +From: Takuo Koguchi +Date: Thu, 7 Dec 2017 16:20:14 +0900 +Subject: spi: sun4i: disable clocks in the remove function + +From: Takuo Koguchi + + +[ Upstream commit c810daba0ab5226084a56893a789af427a801146 ] + +mclk and hclk need to be disabled. Since pm_runtime_disable does +not disable the clocks, use pm_runtime_force_suspend instead. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Takuo Koguchi +Acked-by: Maxime Ripard +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-sun4i.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/spi/spi-sun4i.c ++++ b/drivers/spi/spi-sun4i.c +@@ -458,7 +458,7 @@ err_free_master: + + static int sun4i_spi_remove(struct platform_device *pdev) + { +- pm_runtime_disable(&pdev->dev); ++ pm_runtime_force_suspend(&pdev->dev); + + return 0; + } diff --git a/queue-3.18/usb-build-drivers-usb-common-when-usb_support-is-set.patch b/queue-3.18/usb-build-drivers-usb-common-when-usb_support-is-set.patch new file mode 100644 index 00000000000..0b14efde3e0 --- /dev/null +++ b/queue-3.18/usb-build-drivers-usb-common-when-usb_support-is-set.patch @@ -0,0 +1,40 @@ +From foo@baz Fri Feb 23 12:01:27 CET 2018 +From: Randy Dunlap +Date: Fri, 17 Nov 2017 11:00:45 -0800 +Subject: usb: build drivers/usb/common/ when USB_SUPPORT is set + +From: Randy Dunlap + + +[ Upstream commit c9d24f78268be444e803fb2bb138a2f598de9c23 ] + +PHY drivers can use ULPI interfaces when CONFIG_USB (which is host side +support) is not enabled, so also build drivers/usb/ when CONFIG_USB_SUPPORT +is enabled so that drivers/usb/common/ is built. + +ERROR: "ulpi_unregister_driver" [drivers/phy/ti/phy-tusb1210.ko] undefined! +ERROR: "__ulpi_register_driver" [drivers/phy/ti/phy-tusb1210.ko] undefined! +ERROR: "ulpi_read" [drivers/phy/ti/phy-tusb1210.ko] undefined! +ERROR: "ulpi_write" [drivers/phy/ti/phy-tusb1210.ko] undefined! +ERROR: "ulpi_unregister_driver" [drivers/phy/qualcomm/phy-qcom-usb-hs.ko] undefined! +ERROR: "__ulpi_register_driver" [drivers/phy/qualcomm/phy-qcom-usb-hs.ko] undefined! +ERROR: "ulpi_write" [drivers/phy/qualcomm/phy-qcom-usb-hs.ko] undefined! + +Signed-off-by: Randy Dunlap +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/Makefile | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/Makefile ++++ b/drivers/Makefile +@@ -90,6 +90,7 @@ obj-$(CONFIG_TC) += tc/ + obj-$(CONFIG_UWB) += uwb/ + obj-$(CONFIG_USB_PHY) += usb/ + obj-$(CONFIG_USB) += usb/ ++obj-$(CONFIG_USB_SUPPORT) += usb/ + obj-$(CONFIG_PCI) += usb/ + obj-$(CONFIG_USB_GADGET) += usb/ + obj-$(CONFIG_SERIO) += input/serio/ diff --git a/queue-3.18/x86-mm-kmmio-fix-mmiotrace-for-page-unaligned-addresses.patch b/queue-3.18/x86-mm-kmmio-fix-mmiotrace-for-page-unaligned-addresses.patch new file mode 100644 index 00000000000..af4a9de261f --- /dev/null +++ b/queue-3.18/x86-mm-kmmio-fix-mmiotrace-for-page-unaligned-addresses.patch @@ -0,0 +1,116 @@ +From foo@baz Fri Feb 23 12:01:27 CET 2018 +From: Karol Herbst +Date: Mon, 27 Nov 2017 08:51:39 +0100 +Subject: x86/mm/kmmio: Fix mmiotrace for page unaligned addresses + +From: Karol Herbst + + +[ Upstream commit 6d60ce384d1d5ca32b595244db4077a419acc687 ] + +If something calls ioremap() with an address not aligned to PAGE_SIZE, the +returned address might be not aligned as well. This led to a probe +registered on exactly the returned address, but the entire page was armed +for mmiotracing. + +On calling iounmap() the address passed to unregister_kmmio_probe() was +PAGE_SIZE aligned by the caller leading to a complete freeze of the +machine. + +We should always page align addresses while (un)registerung mappings, +because the mmiotracer works on top of pages, not mappings. We still keep +track of the probes based on their real addresses and lengths though, +because the mmiotrace still needs to know what are mapped memory regions. + +Also move the call to mmiotrace_iounmap() prior page aligning the address, +so that all probes are unregistered properly, otherwise the kernel ends up +failing memory allocations randomly after disabling the mmiotracer. + +Tested-by: Lyude +Signed-off-by: Karol Herbst +Acked-by: Pekka Paalanen +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Steven Rostedt +Cc: Thomas Gleixner +Cc: nouveau@lists.freedesktop.org +Link: http://lkml.kernel.org/r/20171127075139.4928-1-kherbst@redhat.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/mm/ioremap.c | 4 ++-- + arch/x86/mm/kmmio.c | 12 +++++++----- + 2 files changed, 9 insertions(+), 7 deletions(-) + +--- a/arch/x86/mm/ioremap.c ++++ b/arch/x86/mm/ioremap.c +@@ -296,11 +296,11 @@ void iounmap(volatile void __iomem *addr + (void __force *)addr < phys_to_virt(ISA_END_ADDRESS)) + return; + ++ mmiotrace_iounmap(addr); ++ + addr = (volatile void __iomem *) + (PAGE_MASK & (unsigned long __force)addr); + +- mmiotrace_iounmap(addr); +- + /* Use the vm area unlocked, assuming the caller + ensures there isn't another iounmap for the same address + in parallel. Reuse of the virtual address is prevented by +--- a/arch/x86/mm/kmmio.c ++++ b/arch/x86/mm/kmmio.c +@@ -434,17 +434,18 @@ int register_kmmio_probe(struct kmmio_pr + unsigned long flags; + int ret = 0; + unsigned long size = 0; ++ unsigned long addr = p->addr & PAGE_MASK; + const unsigned long size_lim = p->len + (p->addr & ~PAGE_MASK); + unsigned int l; + pte_t *pte; + + spin_lock_irqsave(&kmmio_lock, flags); +- if (get_kmmio_probe(p->addr)) { ++ if (get_kmmio_probe(addr)) { + ret = -EEXIST; + goto out; + } + +- pte = lookup_address(p->addr, &l); ++ pte = lookup_address(addr, &l); + if (!pte) { + ret = -EINVAL; + goto out; +@@ -453,7 +454,7 @@ int register_kmmio_probe(struct kmmio_pr + kmmio_count++; + list_add_rcu(&p->list, &kmmio_probes); + while (size < size_lim) { +- if (add_kmmio_fault_page(p->addr + size)) ++ if (add_kmmio_fault_page(addr + size)) + pr_err("Unable to set page fault.\n"); + size += page_level_size(l); + } +@@ -527,19 +528,20 @@ void unregister_kmmio_probe(struct kmmio + { + unsigned long flags; + unsigned long size = 0; ++ unsigned long addr = p->addr & PAGE_MASK; + const unsigned long size_lim = p->len + (p->addr & ~PAGE_MASK); + struct kmmio_fault_page *release_list = NULL; + struct kmmio_delayed_release *drelease; + unsigned int l; + pte_t *pte; + +- pte = lookup_address(p->addr, &l); ++ pte = lookup_address(addr, &l); + if (!pte) + return; + + spin_lock_irqsave(&kmmio_lock, flags); + while (size < size_lim) { +- release_kmmio_fault_page(p->addr + size, &release_list); ++ release_kmmio_fault_page(addr + size, &release_list); + size += page_level_size(l); + } + list_del_rcu(&p->list); diff --git a/queue-3.18/xen-xen_acpi_processor-is-dom0-only.patch b/queue-3.18/xen-xen_acpi_processor-is-dom0-only.patch new file mode 100644 index 00000000000..4f3ae8e9c8b --- /dev/null +++ b/queue-3.18/xen-xen_acpi_processor-is-dom0-only.patch @@ -0,0 +1,32 @@ +From foo@baz Fri Feb 23 12:01:27 CET 2018 +From: Jan Beulich +Date: Tue, 12 Dec 2017 03:18:11 -0700 +Subject: xen: XEN_ACPI_PROCESSOR is Dom0-only + +From: Jan Beulich + + +[ Upstream commit c4f9d9cb2c29ff04c6b4bb09b72802d8aedfc7cb ] + +Add a respective dependency. + +Signed-off-by: Jan Beulich +Reviewed-by: Juergen Gross +Signed-off-by: Boris Ostrovsky +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/xen/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/xen/Kconfig ++++ b/drivers/xen/Kconfig +@@ -222,7 +222,7 @@ config XEN_ACPI_HOTPLUG_CPU + + config XEN_ACPI_PROCESSOR + tristate "Xen ACPI processor" +- depends on XEN && X86 && ACPI_PROCESSOR && CPU_FREQ ++ depends on XEN && XEN_DOM0 && X86 && ACPI_PROCESSOR && CPU_FREQ + default m + help + This ACPI processor uploads Power Management information to the Xen diff --git a/queue-3.18/xfrm-fix-stack-out-of-bounds-with-misconfigured-transport-mode-policies.patch b/queue-3.18/xfrm-fix-stack-out-of-bounds-with-misconfigured-transport-mode-policies.patch new file mode 100644 index 00000000000..f378ed7add1 --- /dev/null +++ b/queue-3.18/xfrm-fix-stack-out-of-bounds-with-misconfigured-transport-mode-policies.patch @@ -0,0 +1,64 @@ +From foo@baz Fri Feb 23 12:01:27 CET 2018 +From: Steffen Klassert +Date: Fri, 8 Dec 2017 08:07:25 +0100 +Subject: xfrm: Fix stack-out-of-bounds with misconfigured transport mode policies. + +From: Steffen Klassert + + +[ Upstream commit 732706afe1cc46ef48493b3d2b69c98f36314ae4 ] + +On policies with a transport mode template, we pass the addresses +from the flowi to xfrm_state_find(), assuming that the IP addresses +(and address family) don't change during transformation. + +Unfortunately our policy template validation is not strict enough. +It is possible to configure policies with transport mode template +where the address family of the template does not match the selectors +address family. This lead to stack-out-of-bound reads because +we compare arddesses of the wrong family. Fix this by refusing +such a configuration, address family can not change on transport +mode. + +We use the assumption that, on transport mode, the first templates +address family must match the address family of the policy selector. +Subsequent transport mode templates must mach the address family of +the previous template. + +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/xfrm/xfrm_user.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -1349,11 +1349,14 @@ static void copy_templates(struct xfrm_p + + static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family) + { ++ u16 prev_family; + int i; + + if (nr > XFRM_MAX_DEPTH) + return -EINVAL; + ++ prev_family = family; ++ + for (i = 0; i < nr; i++) { + /* We never validated the ut->family value, so many + * applications simply leave it at zero. The check was +@@ -1365,6 +1368,12 @@ static int validate_tmpl(int nr, struct + if (!ut[i].family) + ut[i].family = family; + ++ if ((ut[i].mode == XFRM_MODE_TRANSPORT) && ++ (ut[i].family != prev_family)) ++ return -EINVAL; ++ ++ prev_family = ut[i].family; ++ + switch (ut[i].family) { + case AF_INET: + break;