From d81a46efe2294249f1223bbb1b6c1e7ba63f30f7 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Mon, 26 Feb 2018 17:09:33 +0100 Subject: [PATCH] 4.9-stable patches added patches: add-delay-init-quirk-for-corsair-k70-rgb-keyboards.patch arm64-disable-unhandled-signal-log-messages-by-default.patch cfg80211-fix-cfg80211_beacon_dup.patch drm-amdgpu-add-atpx-quirk-handling-v2.patch drm-amdgpu-add-dpm-quirk-for-jet-pro-v2.patch drm-amdgpu-add-new-device-to-use-atpx-quirk.patch drm-amdgpu-avoid-leaking-pm-domain-on-driver-unbind-v2.patch drm-edid-add-6-bpc-quirk-for-cpt-panel-in-asus-ux303la.patch iio-adis_lib-initialize-trigger-before-requesting-interrupt.patch iio-buffer-check-if-a-buffer-has-been-set-up-when-poll-is-called.patch irqchip-gic-v3-use-wmb-instead-of-smb_wmb-in-gic_raise_softirq.patch kbuild-always-define-endianess-in-kconfig.h.patch ohci-hcd-fix-race-condition-caused-by-ohci_urb_enqueue-and-io_watchdog_func.patch pci-cxgb4-extend-t3-pci-quirk-to-t4-devices.patch pkcs-7-fix-certificate-chain-verification.patch rdma-uverbs-protect-from-command-mask-overflow.patch revert-usb-musb-host-don-t-start-next-rx-urb-if-current-one-failed.patch scsi-ibmvfc-fix-misdefined-reserved-field-in-ibmvfc_fcp_rsp_info.patch usb-dwc3-gadget-set-maxpacket-size-for-ep0-in.patch usb-gadget-f_fs-process-all-descriptors-during-bind.patch usb-ldusb-add-pids-for-new-cassy-devices-supported-by-this-driver.patch usb-ohci-proper-handling-of-ed_rm_list-to-handle-race-condition-between-usb_kill_urb-and-finish_unlinks.patch usb-renesas_usbhs-missed-the-running-flag-in-usb_dmac-with-rx-path.patch x.509-fix-bug_on-when-hash-algorithm-is-unsupported.patch x86-oprofile-fix-bogus-gcc-8-warning-in-nmi_setup.patch xtensa-fix-high-memory-reserved-memory-collision.patch --- ...-quirk-for-corsair-k70-rgb-keyboards.patch | 38 +++++ ...ndled-signal-log-messages-by-default.patch | 59 +++++++ .../cfg80211-fix-cfg80211_beacon_dup.patch | 38 +++++ ...rm-amdgpu-add-atpx-quirk-handling-v2.patch | 131 ++++++++++++++++ ...-amdgpu-add-dpm-quirk-for-jet-pro-v2.patch | 40 +++++ 
...gpu-add-new-device-to-use-atpx-quirk.patch | 31 ++++ ...eaking-pm-domain-on-driver-unbind-v2.patch | 40 +++++ ...-quirk-for-cpt-panel-in-asus-ux303la.patch | 40 +++++ ...-trigger-before-requesting-interrupt.patch | 97 ++++++++++++ ...-has-been-set-up-when-poll-is-called.patch | 33 ++++ ...tead-of-smb_wmb-in-gic_raise_softirq.patch | 40 +++++ ...always-define-endianess-in-kconfig.h.patch | 95 +++++++++++ ...hci_urb_enqueue-and-io_watchdog_func.patch | 148 ++++++++++++++++++ ...b4-extend-t3-pci-quirk-to-t4-devices.patch | 112 +++++++++++++ ...7-fix-certificate-chain-verification.patch | 58 +++++++ ...s-protect-from-command-mask-overflow.patch | 134 ++++++++++++++++ ...rt-next-rx-urb-if-current-one-failed.patch | 44 ++++++ ...eserved-field-in-ibmvfc_fcp_rsp_info.patch | 42 +++++ queue-4.9/series | 26 +++ ...gadget-set-maxpacket-size-for-ep0-in.patch | 41 +++++ ...-process-all-descriptors-during-bind.patch | 55 +++++++ ...ssy-devices-supported-by-this-driver.patch | 68 ++++++++ ...ween-usb_kill_urb-and-finish_unlinks.patch | 95 +++++++++++ ...unning-flag-in-usb_dmac-with-rx-path.patch | 49 ++++++ ...n-when-hash-algorithm-is-unsupported.patch | 51 ++++++ ...fix-bogus-gcc-8-warning-in-nmi_setup.patch | 68 ++++++++ ...igh-memory-reserved-memory-collision.patch | 133 ++++++++++++++++ 27 files changed, 1806 insertions(+) create mode 100644 queue-4.9/add-delay-init-quirk-for-corsair-k70-rgb-keyboards.patch create mode 100644 queue-4.9/arm64-disable-unhandled-signal-log-messages-by-default.patch create mode 100644 queue-4.9/cfg80211-fix-cfg80211_beacon_dup.patch create mode 100644 queue-4.9/drm-amdgpu-add-atpx-quirk-handling-v2.patch create mode 100644 queue-4.9/drm-amdgpu-add-dpm-quirk-for-jet-pro-v2.patch create mode 100644 queue-4.9/drm-amdgpu-add-new-device-to-use-atpx-quirk.patch create mode 100644 queue-4.9/drm-amdgpu-avoid-leaking-pm-domain-on-driver-unbind-v2.patch create mode 100644 queue-4.9/drm-edid-add-6-bpc-quirk-for-cpt-panel-in-asus-ux303la.patch create mode 
100644 queue-4.9/iio-adis_lib-initialize-trigger-before-requesting-interrupt.patch create mode 100644 queue-4.9/iio-buffer-check-if-a-buffer-has-been-set-up-when-poll-is-called.patch create mode 100644 queue-4.9/irqchip-gic-v3-use-wmb-instead-of-smb_wmb-in-gic_raise_softirq.patch create mode 100644 queue-4.9/kbuild-always-define-endianess-in-kconfig.h.patch create mode 100644 queue-4.9/ohci-hcd-fix-race-condition-caused-by-ohci_urb_enqueue-and-io_watchdog_func.patch create mode 100644 queue-4.9/pci-cxgb4-extend-t3-pci-quirk-to-t4-devices.patch create mode 100644 queue-4.9/pkcs-7-fix-certificate-chain-verification.patch create mode 100644 queue-4.9/rdma-uverbs-protect-from-command-mask-overflow.patch create mode 100644 queue-4.9/revert-usb-musb-host-don-t-start-next-rx-urb-if-current-one-failed.patch create mode 100644 queue-4.9/scsi-ibmvfc-fix-misdefined-reserved-field-in-ibmvfc_fcp_rsp_info.patch create mode 100644 queue-4.9/usb-dwc3-gadget-set-maxpacket-size-for-ep0-in.patch create mode 100644 queue-4.9/usb-gadget-f_fs-process-all-descriptors-during-bind.patch create mode 100644 queue-4.9/usb-ldusb-add-pids-for-new-cassy-devices-supported-by-this-driver.patch create mode 100644 queue-4.9/usb-ohci-proper-handling-of-ed_rm_list-to-handle-race-condition-between-usb_kill_urb-and-finish_unlinks.patch create mode 100644 queue-4.9/usb-renesas_usbhs-missed-the-running-flag-in-usb_dmac-with-rx-path.patch create mode 100644 queue-4.9/x.509-fix-bug_on-when-hash-algorithm-is-unsupported.patch create mode 100644 queue-4.9/x86-oprofile-fix-bogus-gcc-8-warning-in-nmi_setup.patch create mode 100644 queue-4.9/xtensa-fix-high-memory-reserved-memory-collision.patch
diff --git a/queue-4.9/add-delay-init-quirk-for-corsair-k70-rgb-keyboards.patch b/queue-4.9/add-delay-init-quirk-for-corsair-k70-rgb-keyboards.patch
new file mode 100644
index 00000000000..58ead39c8c1
--- /dev/null
+++ b/queue-4.9/add-delay-init-quirk-for-corsair-k70-rgb-keyboards.patch
@@ -0,0 +1,38 @@
+From 7a1646d922577b5b48c0d222e03831141664bb59 Mon Sep 17 00:00:00 2001
+From: Jack Stocker
+Date: Thu, 15 Feb 2018 18:24:10 +0000
+Subject: Add delay-init quirk for Corsair K70 RGB keyboards
+
+From: Jack Stocker
+
+commit 7a1646d922577b5b48c0d222e03831141664bb59 upstream.
+
+Following on from this patch: https://lkml.org/lkml/2017/11/3/516,
+Corsair K70 RGB keyboards also require the DELAY_INIT quirk to
+start correctly at boot.
+
+Device ids found here:
+usb 3-3: New USB device found, idVendor=1b1c, idProduct=1b13
+usb 3-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
+usb 3-3: Product: Corsair K70 RGB Gaming Keyboard
+
+Signed-off-by: Jack Stocker
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/core/quirks.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -225,6 +225,9 @@ static const struct usb_device_id usb_qu
+ { USB_DEVICE(0x1a0a, 0x0200), .driver_info =
+ USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL },
+
++ /* Corsair K70 RGB */
++ { USB_DEVICE(0x1b1c, 0x1b13), .driver_info = USB_QUIRK_DELAY_INIT },
++
+ /* Corsair Strafe RGB */
+ { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT },
+
diff --git a/queue-4.9/arm64-disable-unhandled-signal-log-messages-by-default.patch b/queue-4.9/arm64-disable-unhandled-signal-log-messages-by-default.patch
new file mode 100644
index 00000000000..60ecb52d226
--- /dev/null
+++ b/queue-4.9/arm64-disable-unhandled-signal-log-messages-by-default.patch
@@ -0,0 +1,59 @@
+From 5ee39a71fd89ab7240c5339d04161c44a8e03269 Mon Sep 17 00:00:00 2001
+From: Michael Weiser
+Date: Thu, 1 Feb 2018 23:13:38 +0100
+Subject: arm64: Disable unhandled signal log messages by default
+
+From: Michael Weiser
+
+commit 5ee39a71fd89ab7240c5339d04161c44a8e03269 upstream.
+
+aarch64 unhandled signal kernel messages are very verbose, suggesting
+them to be more of a debugging aid:
+
+sigsegv[33]: unhandled level 2 translation fault (11) at 0x00000000, esr
+0x92000046, in sigsegv[400000+71000]
+CPU: 1 PID: 33 Comm: sigsegv Tainted: G W 4.15.0-rc3+ #3
+Hardware name: linux,dummy-virt (DT)
+pstate: 60000000 (nZCv daif -PAN -UAO)
+pc : 0x4003f4
+lr : 0x4006bc
+sp : 0000fffffe94a060
+x29: 0000fffffe94a070 x28: 0000000000000000
+x27: 0000000000000000 x26: 0000000000000000
+x25: 0000000000000000 x24: 00000000004001b0
+x23: 0000000000486ac8 x22: 00000000004001c8
+x21: 0000000000000000 x20: 0000000000400be8
+x19: 0000000000400b30 x18: 0000000000484728
+x17: 000000000865ffc8 x16: 000000000000270f
+x15: 00000000000000b0 x14: 0000000000000002
+x13: 0000000000000001 x12: 0000000000000000
+x11: 0000000000000000 x10: 0008000020008008
+x9 : 000000000000000f x8 : ffffffffffffffff
+x7 : 0004000000000000 x6 : ffffffffffffffff
+x5 : 0000000000000000 x4 : 0000000000000000
+x3 : 00000000004003e4 x2 : 0000fffffe94a1e8
+x1 : 000000000000000a x0 : 0000000000000000
+
+Disable them by default, so they can be enabled using
+/proc/sys/debug/exception-trace.
+
+Cc:
+Signed-off-by: Michael Weiser
+Signed-off-by: Will Deacon
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/kernel/traps.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/traps.c
++++ b/arch/arm64/kernel/traps.c
+@@ -50,7 +50,7 @@ static const char *handler[]= {
+ "Error"
+ };
+
+-int show_unhandled_signals = 1;
++int show_unhandled_signals = 0;
+
+ /*
+ * Dump out the contents of some kernel memory nicely...
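Review bot: The new default `int show_unhandled_signals = 0;` in arch/arm64/kernel/traps.c carries no comment, so a reader of the file cannot tell that the fault report is still available on request. A one-line comment above the declaration would cover it, for example `/* Off by default: the report is verbose; enable via /proc/sys/debug/exception-trace. */`. Hosts that relied on these kernel log lines to notice crashing user processes will need that sysctl set explicitly once this change is applied.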
diff --git a/queue-4.9/cfg80211-fix-cfg80211_beacon_dup.patch b/queue-4.9/cfg80211-fix-cfg80211_beacon_dup.patch
new file mode 100644
index 00000000000..17f8c152b52
--- /dev/null
+++ b/queue-4.9/cfg80211-fix-cfg80211_beacon_dup.patch
@@ -0,0 +1,38 @@
+From bee92d06157fc39d5d7836a061c7d41289a55797 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Fri, 2 Feb 2018 16:31:23 +0100
+Subject: cfg80211: fix cfg80211_beacon_dup
+
+From: Arnd Bergmann
+
+commit bee92d06157fc39d5d7836a061c7d41289a55797 upstream.
+
+gcc-8 warns about some obviously incorrect code:
+
+net/mac80211/cfg.c: In function 'cfg80211_beacon_dup':
+net/mac80211/cfg.c:2896:3: error: 'memcpy' source argument is the same as destination [-Werror=restrict]
+
+From the context, I conclude that we want to copy from beacon into
+new_beacon, as we do in the rest of the function.
+
+Cc: stable@vger.kernel.org
+Fixes: 73da7d5bab79 ("mac80211: add channel switch command and beacon callbacks")
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/cfg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -2792,7 +2792,7 @@ cfg80211_beacon_dup(struct cfg80211_beac
+ }
+ if (beacon->probe_resp_len) {
+ new_beacon->probe_resp_len = beacon->probe_resp_len;
+- beacon->probe_resp = pos;
++ new_beacon->probe_resp = pos;
+ memcpy(pos, beacon->probe_resp, beacon->probe_resp_len);
+ pos += beacon->probe_resp_len;
+ }
diff --git a/queue-4.9/drm-amdgpu-add-atpx-quirk-handling-v2.patch b/queue-4.9/drm-amdgpu-add-atpx-quirk-handling-v2.patch
new file mode 100644
index 00000000000..44fc98a39f7
--- /dev/null
+++ b/queue-4.9/drm-amdgpu-add-atpx-quirk-handling-v2.patch
@@ -0,0 +1,131 @@
+From 052c299080cd6859f82a8154a7a673fafabe644c Mon Sep 17 00:00:00 2001
+From: Alex Deucher
+Date: Wed, 20 Dec 2017 13:29:58 -0500
+Subject: drm/amdgpu: add atpx quirk handling (v2)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher
+
+commit 052c299080cd6859f82a8154a7a673fafabe644c upstream.
+
+Add quirks for handling PX/HG systems. In this case, add
+a quirk for a weston dGPU that only seems to properly power
+down using ATPX power control rather than HG (_PR3).
+
+v2: append a new weston XT
+
+Signed-off-by: Alex Deucher
+Signed-off-by: Junwei Zhang (v2)
+Reviewed-and-Tested-by: Junwei Zhang
+Reviewed-by: Alex Deucher
+Acked-by: Christian König
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c | 57 ++++++++++++++++++++---
+ 1 file changed, 50 insertions(+), 7 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c
+@@ -14,6 +14,16 @@
+
+ #include "amd_acpi.h"
+
++#define AMDGPU_PX_QUIRK_FORCE_ATPX (1 << 0)
++
++struct amdgpu_px_quirk {
++ u32 chip_vendor;
++ u32 chip_device;
++ u32 subsys_vendor;
++ u32 subsys_device;
++ u32 px_quirk_flags;
++};
++
+ struct amdgpu_atpx_functions {
+ bool px_params;
+ bool power_cntl;
+@@ -35,6 +45,7 @@ struct amdgpu_atpx {
+ static struct amdgpu_atpx_priv {
+ bool atpx_detected;
+ bool bridge_pm_usable;
++ unsigned int quirks;
+ /* handle for device - and atpx */
+ acpi_handle dhandle;
+ acpi_handle other_handle;
+@@ -205,13 +216,19 @@ static int amdgpu_atpx_validate(struct a
+
+ atpx->is_hybrid = false;
+ if (valid_bits & ATPX_MS_HYBRID_GFX_SUPPORTED) {
+- printk("ATPX Hybrid Graphics\n");
+- /*
+- * Disable legacy PM methods only when pcie port PM is usable,
+- * otherwise the device might fail to power off or power on.
+- */
+- atpx->functions.power_cntl = !amdgpu_atpx_priv.bridge_pm_usable;
+- atpx->is_hybrid = true;
++ if (amdgpu_atpx_priv.quirks & AMDGPU_PX_QUIRK_FORCE_ATPX) {
++ printk("ATPX Hybrid Graphics, forcing to ATPX\n");
++ atpx->functions.power_cntl = true;
++ atpx->is_hybrid = false;
++ } else {
++ printk("ATPX Hybrid Graphics\n");
++ /*
++ * Disable legacy PM methods only when pcie port PM is usable,
++ * otherwise the device might fail to power off or power on.
++ */
++ atpx->functions.power_cntl = !amdgpu_atpx_priv.bridge_pm_usable;
++ atpx->is_hybrid = true;
++ }
+ }
+
+ atpx->dgpu_req_power_for_displays = false;
+@@ -547,6 +564,30 @@ static const struct vga_switcheroo_handl
+ .get_client_id = amdgpu_atpx_get_client_id,
+ };
+
++static const struct amdgpu_px_quirk amdgpu_px_quirk_list[] = {
++ /* HG _PR3 doesn't seem to work on this A+A weston board */
++ { 0x1002, 0x6900, 0x1002, 0x0124, AMDGPU_PX_QUIRK_FORCE_ATPX },
++ { 0x1002, 0x6900, 0x1028, 0x0812, AMDGPU_PX_QUIRK_FORCE_ATPX },
++ { 0, 0, 0, 0, 0 },
++};
++
++static void amdgpu_atpx_get_quirks(struct pci_dev *pdev)
++{
++ const struct amdgpu_px_quirk *p = amdgpu_px_quirk_list;
++
++ /* Apply PX quirks */
++ while (p && p->chip_device != 0) {
++ if (pdev->vendor == p->chip_vendor &&
++ pdev->device == p->chip_device &&
++ pdev->subsystem_vendor == p->subsys_vendor &&
++ pdev->subsystem_device == p->subsys_device) {
++ amdgpu_atpx_priv.quirks |= p->px_quirk_flags;
++ break;
++ }
++ ++p;
++ }
++}
++
+ /**
+ * amdgpu_atpx_detect - detect whether we have PX
+ *
+@@ -570,6 +611,7 @@ static bool amdgpu_atpx_detect(void)
+
+ parent_pdev = pci_upstream_bridge(pdev);
+ d3_supported |= parent_pdev && parent_pdev->bridge_d3;
++ amdgpu_atpx_get_quirks(pdev);
+ }
+
+ while ((pdev = pci_get_class(PCI_CLASS_DISPLAY_OTHER << 8, pdev)) != NULL) {
+@@ -579,6 +621,7 @@ static bool amdgpu_atpx_detect(void)
+
+ parent_pdev = pci_upstream_bridge(pdev);
+ d3_supported |= parent_pdev && parent_pdev->bridge_d3;
++ amdgpu_atpx_get_quirks(pdev);
+ }
+
+ if (has_atpx && vga_count == 2) {
diff --git a/queue-4.9/drm-amdgpu-add-dpm-quirk-for-jet-pro-v2.patch b/queue-4.9/drm-amdgpu-add-dpm-quirk-for-jet-pro-v2.patch
new file mode 100644
index 00000000000..04a759a4026
--- /dev/null
+++ b/queue-4.9/drm-amdgpu-add-dpm-quirk-for-jet-pro-v2.patch
@@ -0,0 +1,40 @@
+From f2e5262f75ecb40a6e56554e156a292ab9e1d1b7 Mon Sep 17 00:00:00 2001
+From: Alex Deucher
+Date: Tue, 21 Nov 2017 12:10:57 -0500
+Subject: drm/amdgpu: Add dpm quirk for Jet PRO (v2)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher
+
+commit f2e5262f75ecb40a6e56554e156a292ab9e1d1b7 upstream.
+
+Fixes stability issues.
+
+v2: clamp sclk to 600 Mhz
+
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=103370
+Acked-by: Christian König
+Signed-off-by: Alex Deucher
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/amd/amdgpu/si_dpm.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/si_dpm.c
++++ b/drivers/gpu/drm/amd/amdgpu/si_dpm.c
+@@ -3507,6 +3507,11 @@ static void si_apply_state_adjust_rules(
+ max_sclk = 75000;
+ max_mclk = 80000;
+ }
++ if ((adev->pdev->revision == 0xC3) ||
++ (adev->pdev->device == 0x6665)) {
++ max_sclk = 60000;
++ max_mclk = 80000;
++ }
+ } else if (adev->asic_type == CHIP_OLAND) {
+ if ((adev->pdev->revision == 0xC7) ||
+ (adev->pdev->revision == 0x80) ||
diff --git a/queue-4.9/drm-amdgpu-add-new-device-to-use-atpx-quirk.patch b/queue-4.9/drm-amdgpu-add-new-device-to-use-atpx-quirk.patch
new file mode 100644
index 00000000000..0903bcfdb34
--- /dev/null
+++ b/queue-4.9/drm-amdgpu-add-new-device-to-use-atpx-quirk.patch
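Review bot: In amdgpu_atpx_get_quirks() (drm-amdgpu-add-atpx-quirk-handling-v2.patch) the loop condition `while (p && p->chip_device != 0)` tests `p` for NULL, but `p` starts at `amdgpu_px_quirk_list` and is only ever incremented, so that half of the condition can never be false and the walk ends only on the all-zero sentinel entry. `while (p->chip_device != 0) {` says the same thing and makes the reliance on the terminator explicit. The `printk()` calls in the amdgpu_atpx_validate() hunk also carry no log level; the line they replace did the same, so this may be deliberate, but `pr_info("ATPX Hybrid Graphics, forcing to ATPX\n");` would be the usual form.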
@@ -0,0 +1,31 @@
+From 6e59de2048eb375a9bfcd39461ef841cd2a78962 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng
+Date: Thu, 8 Feb 2018 17:46:01 +0800
+Subject: drm/amdgpu: add new device to use atpx quirk
+
+From: Kai-Heng Feng
+
+commit 6e59de2048eb375a9bfcd39461ef841cd2a78962 upstream.
+
+The affected system (0x0813) is pretty similar to another one (0x0812),
+it also needs to use ATPX power control.
+
+Signed-off-by: Kai-Heng Feng
+Signed-off-by: Alex Deucher
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c
+@@ -568,6 +568,7 @@ static const struct amdgpu_px_quirk amdg
+ /* HG _PR3 doesn't seem to work on this A+A weston board */
+ { 0x1002, 0x6900, 0x1002, 0x0124, AMDGPU_PX_QUIRK_FORCE_ATPX },
+ { 0x1002, 0x6900, 0x1028, 0x0812, AMDGPU_PX_QUIRK_FORCE_ATPX },
++ { 0x1002, 0x6900, 0x1028, 0x0813, AMDGPU_PX_QUIRK_FORCE_ATPX },
+ { 0, 0, 0, 0, 0 },
+ };
+
diff --git a/queue-4.9/drm-amdgpu-avoid-leaking-pm-domain-on-driver-unbind-v2.patch b/queue-4.9/drm-amdgpu-avoid-leaking-pm-domain-on-driver-unbind-v2.patch
new file mode 100644
index 00000000000..622fa2b9095
--- /dev/null
+++ b/queue-4.9/drm-amdgpu-avoid-leaking-pm-domain-on-driver-unbind-v2.patch
@@ -0,0 +1,40 @@
+From 458d876eb869d5a88b53074c6c271b8b9adc0f07 Mon Sep 17 00:00:00 2001
+From: Alex Deucher
+Date: Mon, 22 Jan 2018 23:13:32 -0500
+Subject: drm/amdgpu: Avoid leaking PM domain on driver unbind (v2)
+
+From: Alex Deucher
+
+commit 458d876eb869d5a88b53074c6c271b8b9adc0f07 upstream.
+
+We only support vga_switcheroo and runtime pm on PX/HG systems
+so forcing runpm to 1 doesn't do anything useful anyway.
+
+Only call vga_switcheroo_init_domain_pm_ops() for PX/HG so
+that the cleanup path is correct as well. This mirrors what
+radeon does as well.
+
+v2: rework the patch originally sent by Lukas (Alex)
+
+Acked-by: Lukas Wunner
+Reported-by: Lukas Wunner
+Signed-off-by: Alex Deucher
+Signed-off-by: Lukas Wunner (v1)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -1678,8 +1678,6 @@ int amdgpu_device_init(struct amdgpu_dev
+ * ignore it */
+ vga_client_register(adev->pdev, adev, NULL, amdgpu_vga_set_decode);
+
+- if (amdgpu_runtime_pm == 1)
+- runtime = true;
+ if (amdgpu_device_is_px(ddev))
+ runtime = true;
+ vga_switcheroo_register_client(adev->pdev, &amdgpu_switcheroo_ops, runtime);
diff --git a/queue-4.9/drm-edid-add-6-bpc-quirk-for-cpt-panel-in-asus-ux303la.patch b/queue-4.9/drm-edid-add-6-bpc-quirk-for-cpt-panel-in-asus-ux303la.patch
new file mode 100644
index 00000000000..103644258ea
--- /dev/null
+++ b/queue-4.9/drm-edid-add-6-bpc-quirk-for-cpt-panel-in-asus-ux303la.patch
@@ -0,0 +1,40 @@
+From 06998a756a3865817b87a129a7e5d5bb66dc1ec3 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng
+Date: Sun, 18 Feb 2018 16:53:59 +0800
+Subject: drm/edid: Add 6 bpc quirk for CPT panel in Asus UX303LA
+
+From: Kai-Heng Feng
+
+commit 06998a756a3865817b87a129a7e5d5bb66dc1ec3 upstream.
+
+Similar to commit e10aec652f31 ("drm/edid: Add 6 bpc quirk for display
+AEO model 0."), the EDID reports "DFP 1.x compliant TMDS" but it support
+6bpc instead of 8 bpc.
+
+Hence, use 6 bpc quirk for this panel.
+
+Fixes: 196f954e2509 ("drm/i915/dp: Revert "drm/i915/dp: fall back to 18 bpp when sink capability is unknown"")
+BugLink: https://bugs.launchpad.net/bugs/1749420
+Signed-off-by: Kai-Heng Feng
+Reviewed-by: Mario Kleiner
+Cc: # v4.8+
+Signed-off-by: Daniel Vetter
+Link: https://patchwork.freedesktop.org/patch/msgid/20180218085359.7817-1-kai.heng.feng@canonical.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/drm_edid.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/drm_edid.c
++++ b/drivers/gpu/drm/drm_edid.c
+@@ -107,6 +107,9 @@ static const struct edid_quirk {
+ /* AEO model 0 reports 8 bpc, but is a 6 bpc panel */
+ { "AEO", 0, EDID_QUIRK_FORCE_6BPC },
+
++ /* CPT panel of Asus UX303LA reports 8 bpc, but is a 6 bpc panel */
++ { "CPT", 0x17df, EDID_QUIRK_FORCE_6BPC },
++
+ /* Belinea 10 15 55 */
+ { "MAX", 1516, EDID_QUIRK_PREFER_LARGE_60 },
+ { "MAX", 0x77e, EDID_QUIRK_PREFER_LARGE_60 },
diff --git a/queue-4.9/iio-adis_lib-initialize-trigger-before-requesting-interrupt.patch b/queue-4.9/iio-adis_lib-initialize-trigger-before-requesting-interrupt.patch
new file mode 100644
index 00000000000..9aaa65fbacf
--- /dev/null
+++ b/queue-4.9/iio-adis_lib-initialize-trigger-before-requesting-interrupt.patch
@@ -0,0 +1,97 @@
+From f027e0b3a774e10302207e91d304bbf99e3a8b36 Mon Sep 17 00:00:00 2001
+From: Lars-Peter Clausen
+Date: Wed, 14 Feb 2018 15:43:00 +0100
+Subject: iio: adis_lib: Initialize trigger before requesting interrupt
+
+From: Lars-Peter Clausen
+
+commit f027e0b3a774e10302207e91d304bbf99e3a8b36 upstream.
+
+The adis_probe_trigger() creates a new IIO trigger and requests an
+interrupt associated with the trigger. The interrupt uses the generic
+iio_trigger_generic_data_rdy_poll() function as its interrupt handler.
+
+Currently the driver initializes some fields of the trigger structure after
+the interrupt has been requested. But an interrupt can fire as soon as it
+has been requested. This opens up a race condition.
+
+iio_trigger_generic_data_rdy_poll() will access the trigger data structure
+and dereference the ops field. If the ops field is not yet initialized this
+will result in a NULL pointer deref.
+
+It is not expected that the device generates an interrupt at this point, so
+typically this issue did not surface unless e.g. due to a hardware
+misconfiguration (wrong interrupt number, wrong polarity, etc.).
+
+But some newer devices from the ADIS family start to generate periodic
+interrupts in their power-on reset configuration and unfortunately the
+interrupt can not be masked in the device. This makes the race condition
+much more visible and the following crash has been observed occasionally
+when booting a system using the ADIS16460.
+
+ Unable to handle kernel NULL pointer dereference at virtual address 00000008
+ pgd = c0004000
+ [00000008] *pgd=00000000
+ Internal error: Oops: 5 [#1] PREEMPT SMP ARM
+ Modules linked in:
+ CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.9.0-04126-gf9739f0-dirty #257
+ Hardware name: Xilinx Zynq Platform
+ task: ef04f640 task.stack: ef050000
+ PC is at iio_trigger_notify_done+0x30/0x68
+ LR is at iio_trigger_generic_data_rdy_poll+0x18/0x20
+ pc : [] lr : [] psr: 60000193
+ sp : ef051bb8 ip : 00000000 fp : ef106400
+ r10: c081d80a r9 : ef3bfa00 r8 : 00000087
+ r7 : ef051bec r6 : 00000000 r5 : ef3bfa00 r4 : ee92ab00
+ r3 : 00000000 r2 : 00000000 r1 : 00000000 r0 : ee97e400
+ Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment none
+ Control: 18c5387d Table: 0000404a DAC: 00000051
+ Process swapper/0 (pid: 1, stack limit = 0xef050210)
+ [] (iio_trigger_notify_done) from [] (__handle_irq_event_percpu+0x88/0x118)
+ [] (__handle_irq_event_percpu) from [] (handle_irq_event_percpu+0x1c/0x58)
+ [] (handle_irq_event_percpu) from [] (handle_irq_event+0x38/0x5c)
+ [] (handle_irq_event) from [] (handle_level_irq+0xa4/0x130)
+ [] (handle_level_irq) from [] (generic_handle_irq+0x24/0x34)
+ [] (generic_handle_irq) from [] (zynq_gpio_irqhandler+0xb8/0x13c)
+ [] (zynq_gpio_irqhandler) from [] (generic_handle_irq+0x24/0x34)
+ [] (generic_handle_irq) from [] (__handle_domain_irq+0x5c/0xb4)
+ [] (__handle_domain_irq) from [] (gic_handle_irq+0x48/0x8c)
+ [] (gic_handle_irq) from [] (__irq_svc+0x6c/0xa8)
+
+To fix this make sure that the trigger is fully initialized before
+requesting the interrupt.
+
+Fixes: ccd2b52f4ac6 ("staging:iio: Add common ADIS library")
+Reported-by: Robin Getz
+Signed-off-by: Lars-Peter Clausen
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/imu/adis_trigger.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/iio/imu/adis_trigger.c
++++ b/drivers/iio/imu/adis_trigger.c
+@@ -47,6 +47,10 @@ int adis_probe_trigger(struct adis *adis
+ if (adis->trig == NULL)
+ return -ENOMEM;
+
++ adis->trig->dev.parent = &adis->spi->dev;
++ adis->trig->ops = &adis_trigger_ops;
++ iio_trigger_set_drvdata(adis->trig, adis);
++
+ ret = request_irq(adis->spi->irq,
+ &iio_trigger_generic_data_rdy_poll,
+ IRQF_TRIGGER_RISING,
+@@ -55,9 +59,6 @@ int adis_probe_trigger(struct adis *adis
+ if (ret)
+ goto error_free_trig;
+
+- adis->trig->dev.parent = &adis->spi->dev;
+- adis->trig->ops = &adis_trigger_ops;
+- iio_trigger_set_drvdata(adis->trig, adis);
+ ret = iio_trigger_register(adis->trig);
+
+ indio_dev->trig = iio_trigger_get(adis->trig);
diff --git a/queue-4.9/iio-buffer-check-if-a-buffer-has-been-set-up-when-poll-is-called.patch b/queue-4.9/iio-buffer-check-if-a-buffer-has-been-set-up-when-poll-is-called.patch
new file mode 100644
index 00000000000..58e634486f3
--- /dev/null
+++ b/queue-4.9/iio-buffer-check-if-a-buffer-has-been-set-up-when-poll-is-called.patch
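Review bot: After the reordering in adis_probe_trigger(), `ret = iio_trigger_register(adis->trig);` is still followed directly by `indio_dev->trig = iio_trigger_get(adis->trig);`, so a reference is taken on the trigger before the registration result is examined. The function continues past the end of the hunk, so the check may follow immediately; if it then jumps to an error label, the reference taken here would have to be dropped on that path as well. Moving the `if (ret)` test above the `iio_trigger_get()` line would avoid the question.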
@@ -0,0 +1,33 @@
+From 4cd140bda6494543f1c1b0ccceceaa44b676eef6 Mon Sep 17 00:00:00 2001
+From: Stefan Windfeldt-Prytz
+Date: Thu, 15 Feb 2018 15:02:53 +0100
+Subject: iio: buffer: check if a buffer has been set up when poll is called
+
+From: Stefan Windfeldt-Prytz
+
+commit 4cd140bda6494543f1c1b0ccceceaa44b676eef6 upstream.
+
+If no iio buffer has been set up and poll is called return 0.
+Without this check there will be a null pointer dereference when
+calling poll on a iio driver without an iio buffer.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Stefan Windfeldt-Prytz
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/industrialio-buffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/industrialio-buffer.c
++++ b/drivers/iio/industrialio-buffer.c
+@@ -174,7 +174,7 @@ unsigned int iio_buffer_poll(struct file
+ struct iio_dev *indio_dev = filp->private_data;
+ struct iio_buffer *rb = indio_dev->buffer;
+
+- if (!indio_dev->info)
++ if (!indio_dev->info || rb == NULL)
+ return 0;
+
+ poll_wait(filp, &rb->pollq, wait);
diff --git a/queue-4.9/irqchip-gic-v3-use-wmb-instead-of-smb_wmb-in-gic_raise_softirq.patch b/queue-4.9/irqchip-gic-v3-use-wmb-instead-of-smb_wmb-in-gic_raise_softirq.patch
new file mode 100644
index 00000000000..7039fe84b44
--- /dev/null
+++ b/queue-4.9/irqchip-gic-v3-use-wmb-instead-of-smb_wmb-in-gic_raise_softirq.patch
@@ -0,0 +1,40 @@
+From 21ec30c0ef5234fb1039cc7c7737d885bf875a9e Mon Sep 17 00:00:00 2001
+From: Shanker Donthineni
+Date: Wed, 31 Jan 2018 18:03:42 -0600
+Subject: irqchip/gic-v3: Use wmb() instead of smb_wmb() in gic_raise_softirq()
+
+From: Shanker Donthineni
+
+commit 21ec30c0ef5234fb1039cc7c7737d885bf875a9e upstream.
+
+A DMB instruction can be used to ensure the relative order of only
+memory accesses before and after the barrier. Since writes to system
+registers are not memory operations, barrier DMB is not sufficient
+for observability of memory accesses that occur before ICC_SGI1R_EL1
+writes.
+
+A DSB instruction ensures that no instructions that appear in program
+order after the DSB instruction, can execute until the DSB instruction
+has completed.
+
+Cc: stable@vger.kernel.org
+Acked-by: Will Deacon ,
+Signed-off-by: Shanker Donthineni
+Signed-off-by: Marc Zyngier
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/irqchip/irq-gic-v3.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/irqchip/irq-gic-v3.c
++++ b/drivers/irqchip/irq-gic-v3.c
+@@ -616,7 +616,7 @@ static void gic_raise_softirq(const stru
+ * Ensure that stores to Normal memory are visible to the
+ * other CPUs before issuing the IPI.
+ */
+- smp_wmb();
++ wmb();
+
+ for_each_cpu(cpu, mask) {
+ unsigned long cluster_id = cpu_logical_map(cpu) & ~0xffUL;
diff --git a/queue-4.9/kbuild-always-define-endianess-in-kconfig.h.patch b/queue-4.9/kbuild-always-define-endianess-in-kconfig.h.patch
new file mode 100644
index 00000000000..4a1d84bbf56
--- /dev/null
+++ b/queue-4.9/kbuild-always-define-endianess-in-kconfig.h.patch
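Review bot: The comment kept above the barrier in gic_raise_softirq() only says that stores must be visible before the IPI and does not explain why the full `wmb();` is needed, which invites a later cleanup back to `smp_wmb()`. I would extend it with the reason given in the commit message, for example `* The SGI is raised by a system register write (ICC_SGI1R_EL1), which a DMB does not order, so a DSB (wmb()) is required.` The function body starts and ends outside the hunk.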
@@ -0,0 +1,95 @@
+From 101110f6271ce956a049250c907bc960030577f8 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Wed, 21 Feb 2018 14:45:20 -0800
+Subject: Kbuild: always define endianess in kconfig.h
+
+From: Arnd Bergmann
+
+commit 101110f6271ce956a049250c907bc960030577f8 upstream.
+
+Build testing with LTO found a couple of files that get compiled
+differently depending on whether asm/byteorder.h gets included early
+enough or not. In particular, include/asm-generic/qrwlock_types.h is
+affected by this, but there are probably others as well.
+
+The symptom is a series of LTO link time warnings, including these:
+
+ net/netlabel/netlabel_unlabeled.h:223: error: type of 'netlbl_unlhsh_add' does not match original declaration [-Werror=lto-type-mismatch]
+ int netlbl_unlhsh_add(struct net *net,
+ net/netlabel/netlabel_unlabeled.c:377: note: 'netlbl_unlhsh_add' was previously declared here
+
+ include/net/ipv6.h:360: error: type of 'ipv6_renew_options_kern' does not match original declaration [-Werror=lto-type-mismatch]
+ ipv6_renew_options_kern(struct sock *sk,
+ net/ipv6/exthdrs.c:1162: note: 'ipv6_renew_options_kern' was previously declared here
+
+ net/core/dev.c:761: note: 'dev_get_by_name_rcu' was previously declared here
+ struct net_device *dev_get_by_name_rcu(struct net *net, const char *name)
+ net/core/dev.c:761: note: code may be misoptimized unless -fno-strict-aliasing is used
+
+ drivers/gpu/drm/i915/i915_drv.h:3377: error: type of 'i915_gem_object_set_to_wc_domain' does not match original declaration [-Werror=lto-type-mismatch]
+ i915_gem_object_set_to_wc_domain(struct drm_i915_gem_object *obj, bool write);
+ drivers/gpu/drm/i915/i915_gem.c:3639: note: 'i915_gem_object_set_to_wc_domain' was previously declared here
+
+ include/linux/debugfs.h:92:9: error: type of 'debugfs_attr_read' does not match original declaration [-Werror=lto-type-mismatch]
+ ssize_t debugfs_attr_read(struct file *file, char __user *buf,
+ fs/debugfs/file.c:318: note: 'debugfs_attr_read' was previously declared here
+
+ include/linux/rwlock_api_smp.h:30: error: type of '_raw_read_unlock' does not match original declaration [-Werror=lto-type-mismatch]
+ void __lockfunc _raw_read_unlock(rwlock_t *lock) __releases(lock);
+ kernel/locking/spinlock.c:246:26: note: '_raw_read_unlock' was previously declared here
+
+ include/linux/fs.h:3308:5: error: type of 'simple_attr_open' does not match original declaration [-Werror=lto-type-mismatch]
+ int simple_attr_open(struct inode *inode, struct file *file,
+ fs/libfs.c:795: note: 'simple_attr_open' was previously declared here
+
+All of the above are caused by include/asm-generic/qrwlock_types.h
+failing to include asm/byteorder.h after commit e0d02285f16e
+("locking/qrwlock: Use 'struct qrwlock' instead of 'struct __qrwlock'")
+in linux-4.15.
+
+Similar bugs may or may not exist in older kernels as well, but there is
+no easy way to test those with link-time optimizations, and kernels
+before 4.14 are harder to fix because they don't have Babu's patch
+series
+
+We had similar issues with CONFIG_ symbols in the past and ended up
+always including the configuration headers though linux/kconfig.h. This
+works around the issue through that same file, defining either
+__BIG_ENDIAN or __LITTLE_ENDIAN depending on CONFIG_CPU_BIG_ENDIAN,
+which is now always set on all architectures since commit 4c97a0c8fee3
+("arch: define CPU_BIG_ENDIAN for all fixed big endian archs").
+
+Link: http://lkml.kernel.org/r/20180202154104.1522809-2-arnd@arndb.de
+Signed-off-by: Arnd Bergmann
+Cc: Babu Moger
+Cc: Andi Kleen
+Cc: Greg Kroah-Hartman
+Cc: Masahiro Yamada
+Cc: Nicolas Pitre
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Cc: Will Deacon
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/kconfig.h | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/include/linux/kconfig.h
++++ b/include/linux/kconfig.h
+@@ -3,6 +3,12 @@
+
+ #include
+
++#ifdef CONFIG_CPU_BIG_ENDIAN
++#define __BIG_ENDIAN 4321
++#else
++#define __LITTLE_ENDIAN 1234
++#endif
++
+ #define __ARG_PLACEHOLDER_1 0,
+ #define __take_second_arg(__ignored, val, ...) val
+
diff --git a/queue-4.9/ohci-hcd-fix-race-condition-caused-by-ohci_urb_enqueue-and-io_watchdog_func.patch b/queue-4.9/ohci-hcd-fix-race-condition-caused-by-ohci_urb_enqueue-and-io_watchdog_func.patch
new file mode 100644
index 00000000000..7e2ff54cbd0
--- /dev/null
+++ b/queue-4.9/ohci-hcd-fix-race-condition-caused-by-ohci_urb_enqueue-and-io_watchdog_func.patch
@@ -0,0 +1,148 @@
+From b2685bdacdaab065c172b97b55ab46c6be77a037 Mon Sep 17 00:00:00 2001
+From: Shigeru Yoshida
+Date: Fri, 2 Feb 2018 13:51:39 +0800
+Subject: ohci-hcd: Fix race condition caused by ohci_urb_enqueue() and io_watchdog_func()
+
+From: Shigeru Yoshida
+
+commit b2685bdacdaab065c172b97b55ab46c6be77a037 upstream.
+
+Running io_watchdog_func() while ohci_urb_enqueue() is running can
+cause a race condition where ohci->prev_frame_no is corrupted and the
+watchdog can mis-detect following error:
+
+ ohci-platform 664a0800.usb: frame counter not updating; disabled
+ ohci-platform 664a0800.usb: HC died; cleaning up
+
+Specifically, following scenario causes a race condition:
+
+ 1. ohci_urb_enqueue() calls spin_lock_irqsave(&ohci->lock, flags)
+ and enters the critical section
+ 2. ohci_urb_enqueue() calls timer_pending(&ohci->io_watchdog) and it
+ returns false
+ 3. ohci_urb_enqueue() sets ohci->prev_frame_no to a frame number
+ read by ohci_frame_no(ohci)
+ 4. ohci_urb_enqueue() schedules io_watchdog_func() with mod_timer()
+ 5. ohci_urb_enqueue() calls spin_unlock_irqrestore(&ohci->lock,
+ flags) and exits the critical section
+ 6. Later, ohci_urb_enqueue() is called
+ 7. ohci_urb_enqueue() calls spin_lock_irqsave(&ohci->lock, flags)
+ and enters the critical section
+ 8. The timer scheduled on step 4 expires and io_watchdog_func() runs
+ 9. io_watchdog_func() calls spin_lock_irqsave(&ohci->lock, flags)
+ and waits on it because ohci_urb_enqueue() is already in the
+ critical section on step 7
+ 10. ohci_urb_enqueue() calls timer_pending(&ohci->io_watchdog) and it
+ returns false
+ 11. ohci_urb_enqueue() sets ohci->prev_frame_no to new frame number
+ read by ohci_frame_no(ohci) because the frame number proceeded
+ between step 3 and 6
+ 12. ohci_urb_enqueue() schedules io_watchdog_func() with mod_timer()
+ 13. ohci_urb_enqueue() calls spin_unlock_irqrestore(&ohci->lock,
+ flags) and exits the critical section, then wake up
+ io_watchdog_func() which is waiting on step 9
+ 14. io_watchdog_func() enters the critical section
+ 15. io_watchdog_func() calls ohci_frame_no(ohci) and set frame_no
+ variable to the frame number
+ 16. io_watchdog_func() compares frame_no and ohci->prev_frame_no
+
+On step 16, because this calling of io_watchdog_func() is scheduled on
+step 4, the frame number set in ohci->prev_frame_no is expected to the
+number set on step 3. However, ohci->prev_frame_no is overwritten on
+step 11. Because step 16 is executed soon after step 11, the frame
+number might not proceed, so ohci->prev_frame_no must equals to
+frame_no.
+
+To address above scenario, this patch introduces a special sentinel
+value IO_WATCHDOG_OFF and set this value to ohci->prev_frame_no when
+the watchdog is not pending or running. When ohci_urb_enqueue()
+schedules the watchdog (step 4 and 12 above), it compares
+ohci->prev_frame_no to IO_WATCHDOG_OFF so that ohci->prev_frame_no is
+not overwritten while io_watchdog_func() is running.
+
+Signed-off-by: Shigeru Yoshida
+Signed-off-by: Haiqing Bai
+Acked-by: Alan Stern
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/ohci-hcd.c | 10 +++++++---
+ drivers/usb/host/ohci-hub.c | 4 +++-
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/host/ohci-hcd.c
++++ b/drivers/usb/host/ohci-hcd.c
+@@ -73,6 +73,7 @@ static const char hcd_name [] = "ohci_hc
+
+ #define STATECHANGE_DELAY msecs_to_jiffies(300)
+ #define IO_WATCHDOG_DELAY msecs_to_jiffies(275)
++#define IO_WATCHDOG_OFF 0xffffff00
+
+ #include "ohci.h"
+ #include "pci-quirks.h"
+@@ -230,7 +231,7 @@ static int ohci_urb_enqueue (
+ }
+
+ /* Start up the I/O watchdog timer, if it's not running */
+- if (!timer_pending(&ohci->io_watchdog) &&
++ if (ohci->prev_frame_no == IO_WATCHDOG_OFF &&
+ list_empty(&ohci->eds_in_use) &&
+ !(ohci->flags & OHCI_QUIRK_QEMU)) {
+ ohci->prev_frame_no = ohci_frame_no(ohci);
+@@ -501,6 +502,7 @@ static int ohci_init (struct ohci_hcd *o
+
+ setup_timer(&ohci->io_watchdog, io_watchdog_func,
+ (unsigned long) ohci);
++ ohci->prev_frame_no = IO_WATCHDOG_OFF;
+
+ ohci->hcca = dma_alloc_coherent (hcd->self.controller,
+ sizeof(*ohci->hcca), &ohci->hcca_dma, GFP_KERNEL);
+@@ -730,7 +732,7 @@ static void io_watchdog_func(unsigned lo
+ u32 head;
+ struct ed *ed;
+ struct td *td, *td_start, *td_next;
+- unsigned frame_no;
++ unsigned frame_no, prev_frame_no = IO_WATCHDOG_OFF;
+ unsigned long flags;
+
+ spin_lock_irqsave(&ohci->lock, flags);
+@@ -835,7 +837,7 @@ static void io_watchdog_func(unsigned lo
+ }
+ }
+ if (!list_empty(&ohci->eds_in_use)) {
+- ohci->prev_frame_no = frame_no;
++ prev_frame_no = frame_no;
+ ohci->prev_wdh_cnt = ohci->wdh_cnt;
+ ohci->prev_donehead = ohci_readl(ohci,
+ &ohci->regs->donehead);
+@@ -845,6 +847,7 @@ static void io_watchdog_func(unsigned lo
+ }
+
+ done:
++ ohci->prev_frame_no = prev_frame_no;
+ spin_unlock_irqrestore(&ohci->lock, flags);
+ }
+
+@@ -973,6 +976,7 @@ static void ohci_stop (struct usb_hcd *h
+ if (quirk_nec(ohci)) + flush_work(&ohci->nec_work); + del_timer_sync(&ohci->io_watchdog); ++ ohci->prev_frame_no = IO_WATCHDOG_OFF; + + ohci_writel (ohci, OHCI_INTR_MIE, &ohci->regs->intrdisable); + ohci_usb_reset(ohci); +--- a/drivers/usb/host/ohci-hub.c ++++ b/drivers/usb/host/ohci-hub.c +@@ -310,8 +310,10 @@ static int ohci_bus_suspend (struct usb_ + rc = ohci_rh_suspend (ohci, 0); + spin_unlock_irq (&ohci->lock); + +- if (rc == 0) ++ if (rc == 0) { + del_timer_sync(&ohci->io_watchdog); ++ ohci->prev_frame_no = IO_WATCHDOG_OFF; ++ } + return rc; + } + diff --git a/queue-4.9/pci-cxgb4-extend-t3-pci-quirk-to-t4-devices.patch b/queue-4.9/pci-cxgb4-extend-t3-pci-quirk-to-t4-devices.patch new file mode 100644 index 00000000000..a2b80c8a3a0 --- /dev/null +++ b/queue-4.9/pci-cxgb4-extend-t3-pci-quirk-to-t4-devices.patch 
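Review bot: In the ohci-hub.c hunk, `ohci->prev_frame_no = IO_WATCHDOG_OFF;` is stored after `spin_unlock_irq (&ohci->lock)` and `del_timer_sync()`, so it is written without the lock that ohci_urb_enqueue() holds when it tests the same field; the store added to ohci_stop() looks the same, though the locking around it is outside the hunk. If an enqueue can still run at either point (not visible here), the sentinel write races with the `== IO_WATCHDOG_OFF` test. Either record the assumption with a comment such as `/* no URB can be enqueued here, so prev_frame_no needs no lock */`, or take `spin_lock_irq(&ohci->lock)` around the store. `IO_WATCHDOG_OFF` would also benefit from a one-line comment saying why 0xffffff00 cannot collide with a value from ohci_frame_no().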
@@ -0,0 +1,112 @@
+From 7dcf688d4c78a18ba9538b2bf1b11dc7a43fe9be Mon Sep 17 00:00:00 2001
+From: Casey Leedom
+Date: Thu, 15 Feb 2018 20:03:18 +0530
+Subject: PCI/cxgb4: Extend T3 PCI quirk to T4+ devices
+
+From: Casey Leedom
+
+commit 7dcf688d4c78a18ba9538b2bf1b11dc7a43fe9be upstream.
+
+We've run into a problem where our device is attached
+to a Virtual Machine and the use of the new pci_set_vpd_size()
+API doesn't help. The VM kernel has been informed that
+the accesses are okay, but all of the actual VPD Capability
+Accesses are trapped down into the KVM Hypervisor where it
+goes ahead and imposes the silent denials.
+
+The right idea is to follow the kernel.org
+commit 1c7de2b4ff88 ("PCI: Enable access to non-standard VPD for
+Chelsio devices (cxgb3)") which Alexey Kardashevskiy authored
+to establish a PCI Quirk for our T3-based adapters. This commit
+extends that PCI Quirk to cover Chelsio T4 devices and later.
+
+The advantage of this approach is that the VPD Size gets set early
+in the Base OS/Hypervisor Boot and doesn't require that the cxgb4
+driver even be available in the Base OS/Hypervisor. Thus PF4 can
+be exported to a Virtual Machine and everything should work.
+
+Fixes: 67e658794ca1 ("cxgb4: Set VPD size so we can read both VPD structures")
+Cc: # v4.9+
+Signed-off-by: Casey Leedom
+Signed-off-by: Arjun Vynipadath
+Signed-off-by: Ganesh Goudar
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/ethernet/chelsio/cxgb4/t4_hw.c | 10 --------
+ drivers/pci/quirks.c | 35 +++++++++++++++++------------
+ 2 files changed, 21 insertions(+), 24 deletions(-)
+
+--- a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c
+@@ -2596,7 +2596,6 @@ void t4_get_regs(struct adapter *adap, v
+ }
+
+ #define EEPROM_STAT_ADDR 0x7bfc
+-#define VPD_SIZE 0x800
+ #define VPD_BASE 0x400
+ #define VPD_BASE_OLD 0
+ #define VPD_LEN 1024
+@@ -2634,15 +2633,6 @@ int t4_get_raw_vpd_params(struct adapter
+ if (!vpd)
+ return -ENOMEM;
+
+- /* We have two VPD data structures stored in the adapter VPD area.
+- * By default, Linux calculates the size of the VPD area by traversing
+- * the first VPD area at offset 0x0, so we need to tell the OS what
+- * our real VPD size is.
+- */
+- ret = pci_set_vpd_size(adapter->pdev, VPD_SIZE);
+- if (ret < 0)
+- goto out;
+-
+ /* Card information normally starts at VPD_BASE but early cards had
+ * it at 0.
+ */
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -3369,22 +3369,29 @@ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_IN
+
+ static void quirk_chelsio_extend_vpd(struct pci_dev *dev)
+ {
+- pci_set_vpd_size(dev, 8192);
++ int chip = (dev->device & 0xf000) >> 12;
++ int func = (dev->device & 0x0f00) >> 8;
++ int prod = (dev->device & 0x00ff) >> 0;
++
++ /*
++ * If this is a T3-based adapter, there's a 1KB VPD area at offset
++ * 0xc00 which contains the preferred VPD values. If this is a T4 or
++ * later based adapter, the special VPD is at offset 0x400 for the
++ * Physical Functions (the SR-IOV Virtual Functions have no VPD
++ * Capabilities). The PCI VPD Access core routines will normally
++ * compute the size of the VPD by parsing the VPD Data Structure at
++ * offset 0x000. This will result in silent failures when attempting
++ * to accesses these other VPD areas which are beyond those computed
++ * limits.
++ */
++ if (chip == 0x0 && prod >= 0x20)
++ pci_set_vpd_size(dev, 8192);
++ else if (chip >= 0x4 && func < 0x8)
++ pci_set_vpd_size(dev, 2048);
+ }
+
+-DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_CHELSIO, 0x20, quirk_chelsio_extend_vpd);
+-DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_CHELSIO, 0x21, quirk_chelsio_extend_vpd);
+-DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_CHELSIO, 0x22, quirk_chelsio_extend_vpd);
+-DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_CHELSIO, 0x23, quirk_chelsio_extend_vpd);
+-DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_CHELSIO, 0x24, quirk_chelsio_extend_vpd);
+-DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_CHELSIO, 0x25, quirk_chelsio_extend_vpd);
+-DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_CHELSIO, 0x26, quirk_chelsio_extend_vpd);
+-DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_CHELSIO, 0x30, quirk_chelsio_extend_vpd);
+-DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_CHELSIO, 0x31, quirk_chelsio_extend_vpd);
+-DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_CHELSIO, 0x32, quirk_chelsio_extend_vpd);
+-DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_CHELSIO, 0x35, quirk_chelsio_extend_vpd);
+-DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_CHELSIO, 0x36, quirk_chelsio_extend_vpd);
+-DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_CHELSIO, 0x37, quirk_chelsio_extend_vpd);
++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_CHELSIO, PCI_ANY_ID,
++ quirk_chelsio_extend_vpd);
+
+ #ifdef CONFIG_ACPI
+ /*
diff --git a/queue-4.9/pkcs-7-fix-certificate-chain-verification.patch b/queue-4.9/pkcs-7-fix-certificate-chain-verification.patch
new file mode 100644
index 00000000000..6a3f5ba3cdb
--- /dev/null
+++ b/queue-4.9/pkcs-7-fix-certificate-chain-verification.patch
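Review bot: The T3 test in quirk_chelsio_extend_vpd(), `chip == 0x0 && prod >= 0x20`, accepts more device IDs than the thirteen explicit `DECLARE_PCI_FIXUP_FINAL` entries it replaces: `func` is not examined on that branch and `prod` has no upper bound, so with `PCI_ANY_ID` any Chelsio ID whose top nibble is 0 and whose low byte is 0x20 or more gets the 8192-byte VPD size. If only the previously listed parts are meant, bound the range, e.g. `if (chip == 0x0 && func == 0x0 && prod >= 0x20 && prod <= 0x37)` (which still admits the gaps in the old list); otherwise the comment should say the wider match is deliberate. The return value of `pci_set_vpd_size()` is also ignored here, whereas the code removed from t4_get_raw_vpd_params() checked `ret < 0`.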
@@ -0,0 +1,58 @@
+From 971b42c038dc83e3327872d294fe7131bab152fc Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Thu, 22 Feb 2018 14:38:33 +0000
+Subject: PKCS#7: fix certificate chain verification
+
+From: Eric Biggers
+
+commit 971b42c038dc83e3327872d294fe7131bab152fc upstream.
+
+When pkcs7_verify_sig_chain() is building the certificate chain for a
+SignerInfo using the certificates in the PKCS#7 message, it is passing
+the wrong arguments to public_key_verify_signature(). Consequently,
+when the next certificate is supposed to be used to verify the previous
+certificate, the next certificate is actually used to verify itself.
+
+An attacker can use this bug to create a bogus certificate chain that
+has no cryptographic relationship between the beginning and end.
+
+Fortunately I couldn't quite find a way to use this to bypass the
+overall signature verification, though it comes very close. Here's the
+reasoning: due to the bug, every certificate in the chain beyond the
+first actually has to be self-signed (where "self-signed" here refers to
+the actual key and signature; an attacker might still manipulate the
+certificate fields such that the self_signed flag doesn't actually get
+set, and thus the chain doesn't end immediately). But to pass trust
+validation (pkcs7_validate_trust()), either the SignerInfo or one of the
+certificates has to actually be signed by a trusted key. Since only
+self-signed certificates can be added to the chain, the only way for an
+attacker to introduce a trusted signature is to include a self-signed
+trusted certificate.
+
+But, when pkcs7_validate_trust_one() reaches that certificate, instead
+of trying to verify the signature on that certificate, it will actually
+look up the corresponding trusted key, which will succeed, and then try
+to verify the *previous* certificate, which will fail. Thus, disaster
+is narrowly averted (as far as I could tell).
+
+Fixes: 6c2dc5ae4ab7 ("X.509: Extract signature digest and make self-signed cert checks earlier")
+Cc: # v4.7+
+Signed-off-by: Eric Biggers
+Signed-off-by: David Howells
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ crypto/asymmetric_keys/pkcs7_verify.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/crypto/asymmetric_keys/pkcs7_verify.c
++++ b/crypto/asymmetric_keys/pkcs7_verify.c
+@@ -261,7 +261,7 @@ static int pkcs7_verify_sig_chain(struct
+ sinfo->index);
+ return 0;
+ }
+- ret = public_key_verify_signature(p->pub, p->sig);
++ ret = public_key_verify_signature(p->pub, x509->sig);
+ if (ret < 0)
+ return ret;
+ x509->signer = p;
diff --git a/queue-4.9/rdma-uverbs-protect-from-command-mask-overflow.patch b/queue-4.9/rdma-uverbs-protect-from-command-mask-overflow.patch
new file mode 100644
index 00000000000..9c8b6cb5246
--- /dev/null
+++ b/queue-4.9/rdma-uverbs-protect-from-command-mask-overflow.patch
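Review bot: The corrected call `public_key_verify_signature(p->pub, x509->sig)` in pkcs7_verify_sig_chain() differs from the broken one by a single identifier, and nothing at the call site says which certificate is the issuer and which is the subject. A comment directly above it, `/* p is the candidate issuer: its public key must verify x509's signature, not p's own */`, would make a repeat of the mix-up easier to catch in review. Since the commit message describes this step accepting chains with no cryptographic link between their ends, a regression test that expects a chain of unrelated certificates to be rejected would be worth adding with the fix. The function body extends beyond the hunk, so the surrounding loop was not reviewed.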
@@ -0,0 +1,134 @@
+From 3f802b162dbf4a558ff98986449eddc717826209 Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky
+Date: Tue, 13 Feb 2018 12:18:41 +0200
+Subject: RDMA/uverbs: Protect from command mask overflow
+
+From: Leon Romanovsky
+
+commit 3f802b162dbf4a558ff98986449eddc717826209 upstream.
+
+The command number is not bounds checked against the command mask before it
+is shifted, resulting in an ubsan hit. This does not cause malfunction since
+the command number is eventually bounds checked, but we can make this ubsan
+clean by moving the bounds check to before the mask check.
+
+================================================================================
+UBSAN: Undefined behaviour in
+drivers/infiniband/core/uverbs_main.c:647:21
+shift exponent 207 is too large for 64-bit type 'long long unsigned int'
+CPU: 0 PID: 446 Comm: syz-executor3 Not tainted 4.15.0-rc2+ #61
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
+Call Trace:
+dump_stack+0xde/0x164
+? dma_virt_map_sg+0x22c/0x22c
+ubsan_epilogue+0xe/0x81
+__ubsan_handle_shift_out_of_bounds+0x293/0x2f7
+? debug_check_no_locks_freed+0x340/0x340
+? __ubsan_handle_load_invalid_value+0x19b/0x19b
+? lock_acquire+0x440/0x440
+? lock_acquire+0x19d/0x440
+? __might_fault+0xf4/0x240
+? ib_uverbs_write+0x68d/0xe20
+ib_uverbs_write+0x68d/0xe20
+? __lock_acquire+0xcf7/0x3940
+? uverbs_devnode+0x110/0x110
+? cyc2ns_read_end+0x10/0x10
+? sched_clock_cpu+0x18/0x200
+? sched_clock_cpu+0x18/0x200
+__vfs_write+0x10d/0x700
+? uverbs_devnode+0x110/0x110
+? kernel_read+0x170/0x170
+? __fget+0x35b/0x5d0
+? security_file_permission+0x93/0x260
+vfs_write+0x1b0/0x550
+SyS_write+0xc7/0x1a0
+? SyS_read+0x1a0/0x1a0
+? trace_hardirqs_on_thunk+0x1a/0x1c
+entry_SYSCALL_64_fastpath+0x18/0x85
+RIP: 0033:0x448e29
+RSP: 002b:00007f033f567c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+RAX: ffffffffffffffda RBX: 00007f033f5686bc RCX: 0000000000448e29
+RDX: 0000000000000060 RSI: 0000000020001000 RDI: 0000000000000012
+RBP: 000000000070bea0 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 00000000000056a0 R14: 00000000006e8740 R15: 0000000000000000
+================================================================================
+
+Cc: syzkaller
+Cc: # 4.5
+Fixes: 2dbd5186a39c ("IB/core: IB/core: Allow legacy verbs through extended interfaces")
+Reported-by: Noa Osherovich
+Reviewed-by: Matan Barak
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/core/uverbs_main.c | 27 ++++++++++++++++++++-------
+ 1 file changed, 20 insertions(+), 7 deletions(-)
+
+--- a/drivers/infiniband/core/uverbs_main.c
++++ b/drivers/infiniband/core/uverbs_main.c
+@@ -735,12 +735,21 @@ static int verify_command_mask(struct ib
+ return -1;
+ }
+
++static bool verify_command_idx(u32 command, bool extended)
++{
++ if (extended)
++ return command < ARRAY_SIZE(uverbs_ex_cmd_table);
++
++ return command < ARRAY_SIZE(uverbs_cmd_table);
++}
++
+ static ssize_t ib_uverbs_write(struct file *filp, const char __user *buf,
+ size_t count, loff_t *pos)
+ {
+ struct ib_uverbs_file *file = filp->private_data;
+ struct ib_device *ib_dev;
+ struct ib_uverbs_cmd_hdr hdr;
++ bool extended_command;
+ __u32 command;
+ __u32 flags;
+ int srcu_key;
+@@ -770,6 +779,15 @@ static ssize_t ib_uverbs_write(struct fi
+ }
+
+ command = hdr.command & IB_USER_VERBS_CMD_COMMAND_MASK;
++ flags = (hdr.command &
++ IB_USER_VERBS_CMD_FLAGS_MASK) >> IB_USER_VERBS_CMD_FLAGS_SHIFT;
++
++ extended_command = flags & IB_USER_VERBS_CMD_FLAG_EXTENDED;
++ if (!verify_command_idx(command, extended_command)) {
++ ret = -EINVAL;
++ goto out;
++ }
++
+ if (verify_command_mask(ib_dev, command)) {
+ ret = -EOPNOTSUPP;
+ goto out;
+@@ -781,12 +799,8 @@ static ssize_t ib_uverbs_write(struct fi
+ goto out;
+ }
+
+- flags = (hdr.command &
+- IB_USER_VERBS_CMD_FLAGS_MASK) >> IB_USER_VERBS_CMD_FLAGS_SHIFT;
+-
+ if (!flags) {
+- if (command >= ARRAY_SIZE(uverbs_cmd_table) ||
+- !uverbs_cmd_table[command]) {
++ if (!uverbs_cmd_table[command]) {
+ ret = -EINVAL;
+ goto out;
+ }
+@@ -807,8 +821,7 @@ static ssize_t ib_uverbs_write(struct fi
+ struct ib_udata uhw;
+ size_t written_count = count;
+
+- if (command >= ARRAY_SIZE(uverbs_ex_cmd_table) ||
+- !uverbs_ex_cmd_table[command]) {
++ if (!uverbs_ex_cmd_table[command]) {
+ ret = -ENOSYS;
+ goto out;
+ }
diff --git a/queue-4.9/revert-usb-musb-host-don-t-start-next-rx-urb-if-current-one-failed.patch b/queue-4.9/revert-usb-musb-host-don-t-start-next-rx-urb-if-current-one-failed.patch
new file mode 100644
index 00000000000..24e328c35b9
--- /dev/null
+++ b/queue-4.9/revert-usb-musb-host-don-t-start-next-rx-urb-if-current-one-failed.patch
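Review bot: verify_command_idx() chooses the table to bound `command` against from `flags & IB_USER_VERBS_CMD_FLAG_EXTENDED`, but the legacy dispatch in ib_uverbs_write() is selected by `!flags`, and both per-table `command >= ARRAY_SIZE(...)` checks are removed. For a header with a flag bit set other than the extended one, `command` has only been checked against `uverbs_cmd_table`; whether `uverbs_ex_cmd_table[command]` can then be reached depends on the condition of the second branch, which is outside the hunk. Deriving the predicate the same way as the dispatch, `extended_command = flags != 0;`, keeps the bound and the indexed table in step whatever that condition is. A comment on verify_command_idx() should also state that the shift in verify_command_mask() stays in range only while both tables have at most 64 entries.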
@@ -0,0 +1,44 @@
+From 44eb5e12b845cc8a0634f21b70ef07d774eb4b25 Mon Sep 17 00:00:00 2001
+From: Bin Liu
+Date: Tue, 20 Feb 2018 07:31:35 -0600
+Subject: Revert "usb: musb: host: don't start next rx urb if current one failed"
+
+From: Bin Liu
+
+commit 44eb5e12b845cc8a0634f21b70ef07d774eb4b25 upstream.
+
+This reverts commit dbac5d07d13e330e6706813c9fde477140fb5d80.
+
+commit dbac5d07d13e ("usb: musb: host: don't start next rx urb if current one failed")
+along with commit b5801212229f ("usb: musb: host: clear rxcsr error bit if set")
+try to solve the issue described in [1], but the latter alone is
+sufficient, and the former causes the issue as in [2], so now revert it.
+
+[1] https://marc.info/?l=linux-usb&m=146173995117456&w=2
+[2] https://marc.info/?l=linux-usb&m=151689238420622&w=2
+
+Cc: stable@vger.kernel.org # v4.7+
+Signed-off-by: Bin Liu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/musb/musb_host.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+--- a/drivers/usb/musb/musb_host.c
++++ b/drivers/usb/musb/musb_host.c
+@@ -418,13 +418,7 @@ static void musb_advance_schedule(struct
+ }
+ }
+
+- /*
+- * The pipe must be broken if current urb->status is set, so don't
+- * start next urb.
+- * TODO: to minimize the risk of regression, only check urb->status
+- * for RX, until we have a test case to understand the behavior of TX.
+- */
+- if ((!status || !is_in) && qh && qh->is_ready) {
++ if (qh != NULL && qh->is_ready) {
+ musb_dbg(musb, "... next ep%d %cX urb %p",
+ hw_ep->epnum, is_in ? 'R' : 'T', next_urb(qh));
+ musb_start_urb(musb, is_in, qh);
diff --git a/queue-4.9/scsi-ibmvfc-fix-misdefined-reserved-field-in-ibmvfc_fcp_rsp_info.patch b/queue-4.9/scsi-ibmvfc-fix-misdefined-reserved-field-in-ibmvfc_fcp_rsp_info.patch
new file mode 100644
index 00000000000..f7335dbc67b
--- /dev/null
+++ b/queue-4.9/scsi-ibmvfc-fix-misdefined-reserved-field-in-ibmvfc_fcp_rsp_info.patch
@@ -0,0 +1,42 @@
+From c39813652700f3df552b6557530f1e5f782dbe2f Mon Sep 17 00:00:00 2001
+From: Tyrel Datwyler
+Date: Tue, 23 Jan 2018 20:11:32 -0600
+Subject: scsi: ibmvfc: fix misdefined reserved field in ibmvfc_fcp_rsp_info
+
+From: Tyrel Datwyler
+
+commit c39813652700f3df552b6557530f1e5f782dbe2f upstream.
+
+The fcp_rsp_info structure as defined in the FC spec has an initial 3
+bytes reserved field. The ibmvfc driver mistakenly defined this field as
+4 bytes resulting in the rsp_code field being defined in what should be
+the start of the second reserved field and thus always being reported as
+zero by the driver.
+
+Ideally, we should wire ibmvfc up with libfc for the sake of code
+deduplication, and ease of maintaining standardized structures in a
+single place. However, for now simply fixup the definition in ibmvfc for
+backporting to distros on older kernels. Wiring up with libfc will be
+done in a followup patch.
+
+Cc:
+Reported-by: Hannes Reinecke
+Signed-off-by: Tyrel Datwyler
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/ibmvscsi/ibmvfc.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/ibmvscsi/ibmvfc.h
++++ b/drivers/scsi/ibmvscsi/ibmvfc.h
+@@ -367,7 +367,7 @@ enum ibmvfc_fcp_rsp_info_codes {
+ };
+
+ struct ibmvfc_fcp_rsp_info {
+- __be16 reserved;
++ u8 reserved[3];
+ u8 rsp_code;
+ u8 reserved2[4];
+ }__attribute__((packed, aligned (2)));
diff --git a/queue-4.9/series b/queue-4.9/series
index f4e4ea61f83..54a341f0552 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
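Review bot: `struct ibmvfc_fcp_rsp_info` mirrors a wire layout, yet nothing pins its size or the offset of `rsp_code`, which is how a wrongly sized `reserved` member could sit there unnoticed. With `u8 reserved[3]` the members add up to 8 bytes, so `BUILD_BUG_ON(sizeof(struct ibmvfc_fcp_rsp_info) != 8);` in the driver's init path, or an `offsetof` check that `rsp_code` is at byte 3, would fail the build if the layout drifts again. Note that the member removed here is `__be16`, not the 4-byte field the description mentions, so in this tree `rsp_code` and `reserved2` each move up by one byte; a short comment on the struct naming the spec layout would make that easier to check.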
@@ -1 +1,27 @@
 netfilter-drop-outermost-socket-lock-in-getsockopt.patch
+xtensa-fix-high-memory-reserved-memory-collision.patch
+scsi-ibmvfc-fix-misdefined-reserved-field-in-ibmvfc_fcp_rsp_info.patch
+cfg80211-fix-cfg80211_beacon_dup.patch
+x.509-fix-bug_on-when-hash-algorithm-is-unsupported.patch
+pkcs-7-fix-certificate-chain-verification.patch
+rdma-uverbs-protect-from-command-mask-overflow.patch
+iio-buffer-check-if-a-buffer-has-been-set-up-when-poll-is-called.patch
+iio-adis_lib-initialize-trigger-before-requesting-interrupt.patch
+kbuild-always-define-endianess-in-kconfig.h.patch
+x86-oprofile-fix-bogus-gcc-8-warning-in-nmi_setup.patch
+irqchip-gic-v3-use-wmb-instead-of-smb_wmb-in-gic_raise_softirq.patch
+pci-cxgb4-extend-t3-pci-quirk-to-t4-devices.patch
+ohci-hcd-fix-race-condition-caused-by-ohci_urb_enqueue-and-io_watchdog_func.patch
+usb-ohci-proper-handling-of-ed_rm_list-to-handle-race-condition-between-usb_kill_urb-and-finish_unlinks.patch
+arm64-disable-unhandled-signal-log-messages-by-default.patch
+add-delay-init-quirk-for-corsair-k70-rgb-keyboards.patch
+drm-edid-add-6-bpc-quirk-for-cpt-panel-in-asus-ux303la.patch
+usb-dwc3-gadget-set-maxpacket-size-for-ep0-in.patch
+usb-ldusb-add-pids-for-new-cassy-devices-supported-by-this-driver.patch
+revert-usb-musb-host-don-t-start-next-rx-urb-if-current-one-failed.patch
+usb-gadget-f_fs-process-all-descriptors-during-bind.patch
+usb-renesas_usbhs-missed-the-running-flag-in-usb_dmac-with-rx-path.patch
+drm-amdgpu-add-dpm-quirk-for-jet-pro-v2.patch
+drm-amdgpu-add-atpx-quirk-handling-v2.patch
+drm-amdgpu-avoid-leaking-pm-domain-on-driver-unbind-v2.patch
+drm-amdgpu-add-new-device-to-use-atpx-quirk.patch
diff --git a/queue-4.9/usb-dwc3-gadget-set-maxpacket-size-for-ep0-in.patch b/queue-4.9/usb-dwc3-gadget-set-maxpacket-size-for-ep0-in.patch
new file mode 100644
index 00000000000..db7eb6dc708
--- /dev/null
+++ b/queue-4.9/usb-dwc3-gadget-set-maxpacket-size-for-ep0-in.patch
@@ -0,0 +1,41 @@
+From 6180026341e852a250e1f97ebdcf71684a3c81b9 Mon Sep 17 00:00:00 2001
+From: Thinh Nguyen
+Date: Fri, 12 Jan 2018 18:18:05 -0800
+Subject: usb: dwc3: gadget: Set maxpacket size for ep0 IN
+
+From: Thinh Nguyen
+
+commit 6180026341e852a250e1f97ebdcf71684a3c81b9 upstream.
+
+There are 2 control endpoint structures for DWC3. However, the driver
+only updates the OUT direction control endpoint structure during
+ConnectDone event. DWC3 driver needs to update the endpoint max packet
+size for control IN endpoint as well. If the max packet size is not
+properly set, then the driver will incorrectly calculate the data
+transfer size and fail to send ZLP for HS/FS 3-stage control read
+transfer.
+
+The fix is simply to update the max packet size for the ep0 IN direction
+during ConnectDone event.
+
+Cc: stable@vger.kernel.org
+Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver")
+Signed-off-by: Thinh Nguyen
+Signed-off-by: Felipe Balbi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/dwc3/gadget.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -2528,6 +2528,8 @@ static void dwc3_gadget_conndone_interru
+ break;
+ }
+
++ dwc->eps[1]->endpoint.maxpacket = dwc->gadget.ep0->maxpacket;
++
+ /* Enable USB2 LPM Capability */
+
+ if ((dwc->revision > DWC3_REVISION_194A) &&
diff --git a/queue-4.9/usb-gadget-f_fs-process-all-descriptors-during-bind.patch b/queue-4.9/usb-gadget-f_fs-process-all-descriptors-during-bind.patch
new file mode 100644
index 00000000000..e960c9002b8
--- /dev/null
+++ b/queue-4.9/usb-gadget-f_fs-process-all-descriptors-during-bind.patch
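Review bot: The added line `dwc->eps[1]->endpoint.maxpacket = dwc->gadget.ep0->maxpacket;` in dwc3_gadget_conndone_interrupt() relies on a bare index, and only the commit message says that slot 1 is the control IN endpoint. A comment on the line, `/* eps[1] is ep0 IN; keep its maxpacket equal to the ep0 OUT value */`, would carry that into the source. The code that sets the OUT value sits before the `break;` outside the hunk, so the ordering between the two assignments is assumed rather than visible here.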
@@ -0,0 +1,55 @@
+From 6cf439e0d37463e42784271179c8a308fd7493c6 Mon Sep 17 00:00:00 2001
+From: Jack Pham
+Date: Wed, 24 Jan 2018 00:11:53 -0800
+Subject: usb: gadget: f_fs: Process all descriptors during bind
+
+From: Jack Pham
+
+commit 6cf439e0d37463e42784271179c8a308fd7493c6 upstream.
+
+During _ffs_func_bind(), the received descriptors are evaluated
+to prepare for binding with the gadget in order to allocate
+endpoints and optionally set up OS descriptors. However, the
+high- and super-speed descriptors are only parsed based on
+whether the gadget_is_dualspeed() and gadget_is_superspeed()
+calls are true, respectively.
+
+This is a problem in case a userspace program always provides
+all of the {full,high,super,OS} descriptors when configuring a
+function. Then, for example if a gadget device is not capable
+of SuperSpeed, the call to ffs_do_descs() for the SS descriptors
+is skipped, resulting in an incorrect offset calculation for
+the vla_ptr when moving on to the OS descriptors that follow.
+This causes ffs_do_os_descs() to fail as it is now looking at
+the SS descriptors' offset within the raw_descs buffer instead.
+
+_ffs_func_bind() should evaluate the descriptors unconditionally,
+so remove the checks for gadget speed.
+
+Fixes: f0175ab51993 ("usb: gadget: f_fs: OS descriptors support")
+Cc: stable@vger.kernel.org
+Co-Developed-by: Mayank Rana
+Signed-off-by: Mayank Rana
+Signed-off-by: Jack Pham
+Signed-off-by: Felipe Balbi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/gadget/function/f_fs.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -2956,10 +2956,8 @@ static int _ffs_func_bind(struct usb_con
+ struct ffs_data *ffs = func->ffs;
+
+ const int full = !!func->ffs->fs_descs_count;
+- const int high = gadget_is_dualspeed(func->gadget) &&
+- func->ffs->hs_descs_count;
+- const int super = gadget_is_superspeed(func->gadget) &&
+- func->ffs->ss_descs_count;
++ const int high = !!func->ffs->hs_descs_count;
++ const int super = !!func->ffs->ss_descs_count;
+
+ int fs_len, hs_len, ss_len, ret, i;
+ struct ffs_ep *eps_ptr;
diff --git a/queue-4.9/usb-ldusb-add-pids-for-new-cassy-devices-supported-by-this-driver.patch b/queue-4.9/usb-ldusb-add-pids-for-new-cassy-devices-supported-by-this-driver.patch
new file mode 100644
index 00000000000..e91efce4ddd
--- /dev/null
+++ b/queue-4.9/usb-ldusb-add-pids-for-new-cassy-devices-supported-by-this-driver.patch
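Review bot: `high` and `super` in _ffs_func_bind() now depend only on `hs_descs_count` and `ss_descs_count`, and the reason exists only in the commit message: every descriptor set supplied by userspace has to be walked so that the offset into the raw descriptor buffer is right for the OS descriptors that follow. Without a comment the dropped `gadget_is_dualspeed()`/`gadget_is_superspeed()` tests look like an omission and invite being put back; something like `/* parse every set userspace provided, whatever the gadget speed, so later offsets stay correct */` above the three flags would prevent that. Because these descriptors come from userspace, it is also worth confirming that the rest of the function, which is outside the hunk, does not read `high` or `super` as meaning that the controller supports that speed.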
@@ -0,0 +1,68 @@
+From 52ad2bd8918158266fc88a05f95429b56b6a33c5 Mon Sep 17 00:00:00 2001
+From: Karsten Koop
+Date: Fri, 9 Feb 2018 09:12:06 +0000
+Subject: usb: ldusb: add PIDs for new CASSY devices supported by this driver
+
+From: Karsten Koop
+
+commit 52ad2bd8918158266fc88a05f95429b56b6a33c5 upstream.
+
+This patch adds support for new CASSY devices to the ldusb driver. The
+PIDs are also added to the ignore list in hid-quirks.
+
+Signed-off-by: Karsten Koop
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hid/hid-core.c | 3 +++
+ drivers/hid/hid-ids.h | 3 +++
+ drivers/usb/misc/ldusb.c | 6 ++++++
+ 3 files changed, 12 insertions(+)
+
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -2443,6 +2443,9 @@ static const struct hid_device_id hid_ig
+ { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYTIME) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYTEMPERATURE) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYPH) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_POWERANALYSERCASSY) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_CONVERTERCONTROLLERCASSY) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MACHINETESTCASSY) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_JWM) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_DMMP) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_UMIP) },
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -608,6 +608,9 @@
+ #define USB_DEVICE_ID_LD_MICROCASSYTIME 0x1033
+ #define USB_DEVICE_ID_LD_MICROCASSYTEMPERATURE 0x1035
+ #define USB_DEVICE_ID_LD_MICROCASSYPH 0x1038
++#define USB_DEVICE_ID_LD_POWERANALYSERCASSY 0x1040
++#define USB_DEVICE_ID_LD_CONVERTERCONTROLLERCASSY 0x1042
++#define USB_DEVICE_ID_LD_MACHINETESTCASSY 0x1043
+ #define USB_DEVICE_ID_LD_JWM 0x1080
+ #define USB_DEVICE_ID_LD_DMMP 0x1081
+ #define USB_DEVICE_ID_LD_UMIP 0x1090
+--- a/drivers/usb/misc/ldusb.c
++++ b/drivers/usb/misc/ldusb.c
+@@ -46,6 +46,9 @@
+ #define USB_DEVICE_ID_LD_MICROCASSYTIME 0x1033 /* USB Product ID of Micro-CASSY Time (reserved) */
+ #define USB_DEVICE_ID_LD_MICROCASSYTEMPERATURE 0x1035 /* USB Product ID of Micro-CASSY Temperature */
+ #define USB_DEVICE_ID_LD_MICROCASSYPH 0x1038 /* USB Product ID of Micro-CASSY pH */
++#define USB_DEVICE_ID_LD_POWERANALYSERCASSY 0x1040 /* USB Product ID of Power Analyser CASSY */
++#define USB_DEVICE_ID_LD_CONVERTERCONTROLLERCASSY 0x1042 /* USB Product ID of Converter Controller CASSY */
++#define USB_DEVICE_ID_LD_MACHINETESTCASSY 0x1043 /* USB Product ID of Machine Test CASSY */
+ #define USB_DEVICE_ID_LD_JWM 0x1080 /* USB Product ID of Joule and Wattmeter */
+ #define USB_DEVICE_ID_LD_DMMP 0x1081 /* USB Product ID of Digital Multimeter P (reserved) */
+ #define USB_DEVICE_ID_LD_UMIP 0x1090 /* USB Product ID of UMI P */
+@@ -88,6 +91,9 @@ static const struct usb_device_id ld_usb
+ { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYTIME) },
+ { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYTEMPERATURE) },
+ { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYPH) },
++ { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_POWERANALYSERCASSY) },
++ { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_CONVERTERCONTROLLERCASSY) },
++ { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MACHINETESTCASSY) },
+ { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_JWM) },
+ { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_DMMP) },
+ { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_UMIP) },
diff --git a/queue-4.9/usb-ohci-proper-handling-of-ed_rm_list-to-handle-race-condition-between-usb_kill_urb-and-finish_unlinks.patch b/queue-4.9/usb-ohci-proper-handling-of-ed_rm_list-to-handle-race-condition-between-usb_kill_urb-and-finish_unlinks.patch
new file mode 100644
index 00000000000..83ff4d10ad4
--- /dev/null
+++ b/queue-4.9/usb-ohci-proper-handling-of-ed_rm_list-to-handle-race-condition-between-usb_kill_urb-and-finish_unlinks.patch 
@@ -0,0 +1,95 @@
+From 46408ea558df13b110e0866b99624384a33bdeba Mon Sep 17 00:00:00 2001
+From: AMAN DEEP
+Date: Thu, 8 Feb 2018 11:55:01 +0800
+Subject: usb: ohci: Proper handling of ed_rm_list to handle race condition between usb_kill_urb() and finish_unlinks()
+
+From: AMAN DEEP
+
+commit 46408ea558df13b110e0866b99624384a33bdeba upstream.
+
+There is a race condition between finish_unlinks->finish_urb() function
+and usb_kill_urb() in ohci controller case. The finish_urb calls
+spin_unlock(&ohci->lock) before usb_hcd_giveback_urb() function call,
+then if during this time, usb_kill_urb is called for another endpoint,
+then new ed will be added to ed_rm_list at beginning for unlink, and
+ed_rm_list will point to newly added.
+
+When finish_urb() is completed in finish_unlinks() and ed->td_list
+becomes empty as in below code (in finish_unlinks() function):
+
+ if (list_empty(&ed->td_list)) {
+ *last = ed->ed_next;
+ ed->ed_next = NULL;
+ } else if (ohci->rh_state == OHCI_RH_RUNNING) {
+ *last = ed->ed_next;
+ ed->ed_next = NULL;
+ ed_schedule(ohci, ed);
+ }
+
+The *last = ed->ed_next will make ed_rm_list to point to ed->ed_next
+and previously added ed by usb_kill_urb will be left unreferenced by
+ed_rm_list. This causes usb_kill_urb() hang forever waiting for
+finish_unlink to remove added ed from ed_rm_list.
+
+The main reason for hang in this race condtion is addition and removal
+of ed from ed_rm_list in the beginning during usb_kill_urb and later
+last* is modified in finish_unlinks().
+
+As suggested by Alan Stern, the solution for proper handling of
+ohci->ed_rm_list is to remove ed from the ed_rm_list before finishing
+any URBs. Then at the end, we can add ed back to the list if necessary.
+
+This properly handle the updated ohci->ed_rm_list in usb_kill_urb().
+
+Fixes: 977dcfdc6031 ("USB: OHCI: don't lose track of EDs when a controller dies")
+Acked-by: Alan Stern
+CC:
+Signed-off-by: Aman Deep
+Signed-off-by: Jeffy Chen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/ohci-q.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+--- a/drivers/usb/host/ohci-q.c
++++ b/drivers/usb/host/ohci-q.c
+@@ -1018,6 +1018,8 @@ skip_ed:
+ * have modified this list. normally it's just prepending
+ * entries (which we'd ignore), but paranoia won't hurt.
+ */
++ *last = ed->ed_next;
++ ed->ed_next = NULL;
+ modified = 0;
+
+ /* unlink urbs as requested, but rescan the list after
+@@ -1076,21 +1078,22 @@ rescan_this:
+ goto rescan_this;
+
+ /*
+- * If no TDs are queued, take ED off the ed_rm_list.
++ * If no TDs are queued, ED is now idle.
+ * Otherwise, if the HC is running, reschedule.
+- * If not, leave it on the list for further dequeues.
++ * If the HC isn't running, add ED back to the
++ * start of the list for later processing.
+ */
+ if (list_empty(&ed->td_list)) {
+- *last = ed->ed_next;
+- ed->ed_next = NULL;
+ ed->state = ED_IDLE;
+ list_del(&ed->in_use_list);
+ } else if (ohci->rh_state == OHCI_RH_RUNNING) {
+- *last = ed->ed_next;
+- ed->ed_next = NULL;
+ ed_schedule(ohci, ed);
+ } else {
+- last = &ed->ed_next;
++ ed->ed_next = ohci->ed_rm_list;
++ ohci->ed_rm_list = ed;
++ /* Don't loop on the same ED */
++ if (last == &ohci->ed_rm_list)
++ last = &ed->ed_next;
+ }
+
+ if (modified)
diff --git a/queue-4.9/usb-renesas_usbhs-missed-the-running-flag-in-usb_dmac-with-rx-path.patch b/queue-4.9/usb-renesas_usbhs-missed-the-running-flag-in-usb_dmac-with-rx-path.patch
new file mode 100644
index 00000000000..81b5feddd2a
--- /dev/null
+++ b/queue-4.9/usb-renesas_usbhs-missed-the-running-flag-in-usb_dmac-with-rx-path.patch
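Review bot: The new `/* Don't loop on the same ED */` comment in the final `else` branch of the second ohci-q.c hunk does not explain why `last` has to move, and that condition is the subtle part of the fix. The ED has just been pushed back onto the head of `ohci->ed_rm_list`, so when `last` still points at the list head the walk would presumably pick the same ED up again; I would spell that out, e.g. `/* ED is at the head again; if last still points at the head, step past it so this ED is not revisited */`. The older context comment in the first hunk ("normally it's just prepending entries (which we'd ignore)") now sits directly above the unlink and no longer describes the lines that follow it; it is worth rewording to say the ED is taken off the list before any URB is given back. The enclosing function starts and ends outside both hunks.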
@@ -0,0 +1,49 @@
+From 17aa31f13cad25daa19d3f923323f552e87bc874 Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda
+Date: Mon, 5 Feb 2018 17:12:35 +0900
+Subject: usb: renesas_usbhs: missed the "running" flag in usb_dmac with rx path
+
+From: Yoshihiro Shimoda
+
+commit 17aa31f13cad25daa19d3f923323f552e87bc874 upstream.
+
+This fixes an issue that a gadget driver (usb_f_fs) is possible to
+stop rx transactions after the usb-dmac is used because the following
+functions missed to set/check the "running" flag.
+ - usbhsf_dma_prepare_pop_with_usb_dmac()
+ - usbhsf_dma_pop_done_with_usb_dmac()
+
+So, if next transaction uses pio, the usbhsf_prepare_pop() can not
+start the transaction because the "running" flag is 0.
+
+Fixes: 8355b2b3082d ("usb: renesas_usbhs: fix the behavior of some usbhs_pkt_handle")
+Cc: # v3.19+
+Signed-off-by: Yoshihiro Shimoda
+Signed-off-by: Felipe Balbi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/renesas_usbhs/fifo.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/renesas_usbhs/fifo.c
++++ b/drivers/usb/renesas_usbhs/fifo.c
+@@ -1001,6 +1001,10 @@ static int usbhsf_dma_prepare_pop_with_u
+ if ((uintptr_t)pkt->buf & (USBHS_USB_DMAC_XFER_SIZE - 1))
+ goto usbhsf_pio_prepare_pop;
+
++ /* return at this time if the pipe is running */
++ if (usbhs_pipe_is_running(pipe))
++ return 0;
++
+ usbhs_pipe_config_change_bfre(pipe, 1);
+
+ ret = usbhsf_fifo_select(pipe, fifo, 0);
+@@ -1191,6 +1195,7 @@ static int usbhsf_dma_pop_done_with_usb_
+ usbhsf_fifo_clear(pipe, fifo);
+ pkt->actual = usbhs_dma_calc_received_size(pkt, chan, rcv_len);
+
++ usbhs_pipe_running(pipe, 0);
+ usbhsf_dma_stop(pipe, fifo);
+ usbhsf_dma_unmap(pkt);
+ usbhsf_fifo_unselect(pipe, pipe->fifo);
diff --git a/queue-4.9/x.509-fix-bug_on-when-hash-algorithm-is-unsupported.patch b/queue-4.9/x.509-fix-bug_on-when-hash-algorithm-is-unsupported.patch
new file mode 100644
index 00000000000..8cb7a36a525
--- /dev/null
+++ b/queue-4.9/x.509-fix-bug_on-when-hash-algorithm-is-unsupported.patch
@@ -0,0 +1,51 @@
+From 437499eea4291ae9621e8763a41df027c110a1ef Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Thu, 22 Feb 2018 14:38:33 +0000
+Subject: X.509: fix BUG_ON() when hash algorithm is unsupported
+
+From: Eric Biggers
+
+commit 437499eea4291ae9621e8763a41df027c110a1ef upstream.
+
+The X.509 parser mishandles the case where the certificate's signature's
+hash algorithm is not available in the crypto API. In this case,
+x509_get_sig_params() doesn't allocate the cert->sig->digest buffer;
+this part seems to be intentional. However,
+public_key_verify_signature() is still called via
+x509_check_for_self_signed(), which triggers the 'BUG_ON(!sig->digest)'.
+
+Fix this by making public_key_verify_signature() return -ENOPKG if the
+hash buffer has not been allocated.
+
+Reproducer when all the CONFIG_CRYPTO_SHA512* options are disabled:
+
+ openssl req -new -sha512 -x509 -batch -nodes -outform der \
+ | keyctl padd asymmetric desc @s
+
+Fixes: 6c2dc5ae4ab7 ("X.509: Extract signature digest and make self-signed cert checks earlier")
+Reported-by: Paolo Valente
+Cc: Paolo Valente
+Cc: # v4.7+
+Signed-off-by: Eric Biggers
+Signed-off-by: David Howells
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ crypto/asymmetric_keys/public_key.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/crypto/asymmetric_keys/public_key.c
++++ b/crypto/asymmetric_keys/public_key.c
+@@ -93,9 +93,11 @@ int public_key_verify_signature(const st
+
+ BUG_ON(!pkey);
+ BUG_ON(!sig);
+- BUG_ON(!sig->digest);
+ BUG_ON(!sig->s);
+
++ if (!sig->digest)
++ return -ENOPKG;
++
+ alg_name = sig->pkey_algo;
+ if (strcmp(sig->pkey_algo, "rsa") == 0) {
+ /* The data wangled by the RSA algorithm is typically padded
diff --git a/queue-4.9/x86-oprofile-fix-bogus-gcc-8-warning-in-nmi_setup.patch b/queue-4.9/x86-oprofile-fix-bogus-gcc-8-warning-in-nmi_setup.patch
new file mode 100644
index 00000000000..97ff949a602
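Review bot: The added `if (!sig->digest) return -ENOPKG;` in public_key_verify_signature() has no comment, so the reason a NULL digest is a legitimate state rather than a caller bug lives only in the commit message. I would put `/* digest is left unallocated when the certificate's hash algorithm is unavailable; fail with -ENOPKG instead of BUG */` above the check. Because this replaces a crash with an error return on a path the description says is reachable through `keyctl padd`, every caller has to treat -ENOPKG as "signature not verified"; those callers are outside the hunk, so that is worth confirming for this backport. The three remaining BUG_ON()s stay in place, and whether any of them can be reached from parsed certificate data cannot be told from the hunk; the function body continues past it.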
--- /dev/null
+++ b/queue-4.9/x86-oprofile-fix-bogus-gcc-8-warning-in-nmi_setup.patch
@@ -0,0 +1,68 @@
+From 85c615eb52222bc5fab6c7190d146bc59fac289e Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Tue, 20 Feb 2018 21:58:21 +0100
+Subject: x86/oprofile: Fix bogus GCC-8 warning in nmi_setup()
+
+From: Arnd Bergmann
+
+commit 85c615eb52222bc5fab6c7190d146bc59fac289e upstream.
+
+GCC-8 shows a warning for the x86 oprofile code that copies per-CPU
+data from CPU 0 to all other CPUs, which when building a non-SMP
+kernel turns into a memcpy() with identical source and destination
+pointers:
+
+ arch/x86/oprofile/nmi_int.c: In function 'mux_clone':
+ arch/x86/oprofile/nmi_int.c:285:2: error: 'memcpy' source argument is the same as destination [-Werror=restrict]
+ memcpy(per_cpu(cpu_msrs, cpu).multiplex,
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ per_cpu(cpu_msrs, 0).multiplex,
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ sizeof(struct op_msr) * model->num_virt_counters);
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ arch/x86/oprofile/nmi_int.c: In function 'nmi_setup':
+ arch/x86/oprofile/nmi_int.c:466:3: error: 'memcpy' source argument is the same as destination [-Werror=restrict]
+ arch/x86/oprofile/nmi_int.c:470:3: error: 'memcpy' source argument is the same as destination [-Werror=restrict]
+
+I have analyzed a number of such warnings now: some are valid and the
+GCC warning is welcome. Others turned out to be false-positives, and
+GCC was changed to not warn about those any more. This is a corner case
+that is a false-positive but the GCC developers feel it's better to keep
+warning about it.
+
+In this case, it seems best to work around it by telling GCC
+a little more clearly that this code path is never hit with
+an IS_ENABLED() configuration check.
+
+Cc:stable as we also want old kernels to build cleanly with GCC-8.
+
+Signed-off-by: Arnd Bergmann
+Cc: Jessica Yu
+Cc: Kees Cook
+Cc: Linus Torvalds
+Cc: Martin Sebor
+Cc: Peter Zijlstra
+Cc: Robert Richter
+Cc: Thomas Gleixner
+Cc: oprofile-list@lists.sf.net
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/20180220205826.2008875-1-arnd@arndb.de
+Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84095
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/oprofile/nmi_int.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/oprofile/nmi_int.c
++++ b/arch/x86/oprofile/nmi_int.c
+@@ -472,7 +472,7 @@ static int nmi_setup(void)
+ goto fail;
+
+ for_each_possible_cpu(cpu) {
+- if (!cpu)
++ if (!IS_ENABLED(CONFIG_SMP) || !cpu)
+ continue;
+
+ memcpy(per_cpu(cpu_msrs, cpu).counters,
diff --git a/queue-4.9/xtensa-fix-high-memory-reserved-memory-collision.patch b/queue-4.9/xtensa-fix-high-memory-reserved-memory-collision.patch
new file mode 100644
index 00000000000..bb953310331
--- /dev/null
+++ b/queue-4.9/xtensa-fix-high-memory-reserved-memory-collision.patch
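Review bot: The `!IS_ENABLED(CONFIG_SMP) ||` term added to the `for_each_possible_cpu()` loop in nmi_setup() exists only to quiet a GCC-8 -Wrestrict false positive, and nothing in the code says so. Without a comment the test reads as redundant (on a non-SMP build `cpu` is presumably always 0) and is a likely target for a later cleanup; I would add `/* !SMP: cpu is always 0 here; the explicit test only silences GCC-8 -Wrestrict */` above the `if`. The description also quotes the same warning for mux_clone(), which this hunk does not touch, so whether that site is handled some other way cannot be told from here. nmi_setup() starts and ends outside the hunk.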
@@ -0,0 +1,133 @@
+From 6ac5a11dc674bc5016ea716e8082fff61f524dc1 Mon Sep 17 00:00:00 2001
+From: Max Filippov
+Date: Tue, 13 Feb 2018 15:31:05 -0800
+Subject: xtensa: fix high memory/reserved memory collision
+
+From: Max Filippov
+
+commit 6ac5a11dc674bc5016ea716e8082fff61f524dc1 upstream.
+
+Xtensa memory initialization code frees high memory pages without
+checking whether they are in the reserved memory regions or not. That
+results in invalid value of totalram_pages and duplicate page usage by
+CMA and highmem. It produces a bunch of BUGs at startup looking like
+this:
+
+BUG: Bad page state in process swapper pfn:70800
+page:be60c000 count:0 mapcount:-127 mapping: (null) index:0x1
+flags: 0x80000000()
+raw: 80000000 00000000 00000001 ffffff80 00000000 be60c014 be60c014 0000000a
+page dumped because: nonzero mapcount
+Modules linked in:
+CPU: 0 PID: 1 Comm: swapper Tainted: G B 4.16.0-rc1-00015-g7928b2cbe55b-dirty #23
+Stack:
+ bd839d33 00000000 00000018 ba97b64c a106578c bd839d70 be60c000 00000000
+ a1378054 bd86a000 00000003 ba97b64c a1066166 bd839da0 be60c000 ffe00000
+ a1066b58 bd839dc0 be504000 00000000 000002f4 bd838000 00000000 0000001e
+Call Trace:
+ [] bad_page+0xac/0xd0
+ [] free_pages_check_bad+0x34/0x4c
+ [] __free_pages_ok+0xae/0x14c
+ [] __free_pages+0x30/0x64
+ [] init_cma_reserved_pageblock+0x35/0x44
+ [] cma_init_reserved_areas+0xf4/0x148
+ [] do_one_initcall+0x80/0xf8
+ [] kernel_init_freeable+0xda/0x13c
+ [] kernel_init+0x9/0xd0
+ [] ret_from_kernel_thread+0xc/0x18
+
+Only free high memory pages that are not reserved.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Max Filippov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/xtensa/mm/init.c | 70 +++++++++++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 63 insertions(+), 7 deletions(-)
+
+--- a/arch/xtensa/mm/init.c
++++ b/arch/xtensa/mm/init.c
+@@ -77,19 +77,75 @@ void __init zones_init(void)
+ free_area_init_node(0, zones_size, ARCH_PFN_OFFSET, NULL);
+ }
+
++#ifdef CONFIG_HIGHMEM
++static void __init free_area_high(unsigned long pfn, unsigned long end)
++{
++ for (; pfn < end; pfn++)
++ free_highmem_page(pfn_to_page(pfn));
++}
++
++static void __init free_highpages(void)
++{
++ unsigned long max_low = max_low_pfn;
++ struct memblock_region *mem, *res;
++
++ reset_all_zones_managed_pages();
++ /* set highmem page free */
++ for_each_memblock(memory, mem) {
++ unsigned long start = memblock_region_memory_base_pfn(mem);
++ unsigned long end = memblock_region_memory_end_pfn(mem);
++
++ /* Ignore complete lowmem entries */
++ if (end <= max_low)
++ continue;
++
++ if (memblock_is_nomap(mem))
++ continue;
++
++ /* Truncate partial highmem entries */
++ if (start < max_low)
++ start = max_low;
++
++ /* Find and exclude any reserved regions */
++ for_each_memblock(reserved, res) {
++ unsigned long res_start, res_end;
++
++ res_start = memblock_region_reserved_base_pfn(res);
++ res_end = memblock_region_reserved_end_pfn(res);
++
++ if (res_end < start)
++ continue;
++ if (res_start < start)
++ res_start = start;
++ if (res_start > end)
++ res_start = end;
++ if (res_end > end)
++ res_end = end;
++ if (res_start != start)
++ free_area_high(start, res_start);
++ start = res_end;
++ if (start == end)
++ break;
++ }
++
++ /* And now free anything which remains */
++ if (start < end)
++ free_area_high(start, end);
++ }
++}
++#else
++static void __init free_highpages(void)
++{
++}
++#endif
++
+ /*
+ * Initialize memory pages.
+ */
+
+ void __init mem_init(void)
+ {
+-#ifdef CONFIG_HIGHMEM
+- unsigned long tmp;
+-
+- reset_all_zones_managed_pages();
+- for (tmp = max_low_pfn; tmp < max_pfn; tmp++)
+- free_highmem_page(pfn_to_page(tmp));
+-#endif
++ free_highpages();
+
+ max_mapnr = max_pfn - ARCH_PFN_OFFSET;
+ high_memory = (void *)__va(max_low_pfn << PAGE_SHIFT);
-- 2.47.3
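Review bot: free_highpages() no longer bounds the walk by `max_pfn`: the loop removed from mem_init() freed only `max_low_pfn..max_pfn`, while the new code frees every non-reserved pfn above `max_low` in each memblock memory region. The two are equivalent only if no memory region extends past `max_pfn`, which is established outside this hunk; if that is not guaranteed, clamp with `if (end > max_pfn) end = max_pfn;` right after `end` is computed, otherwise state the assumption in a comment. The reserved-region loop also only ever moves `start` forward, so it depends on `for_each_memblock(reserved, res)` visiting regions in ascending, non-overlapping order; a one-line comment above the inner loop saying so would help the next reader. mem_init() continues past the end of the hunk.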