From f867df695db10598bf2c39415e08b4c1849f2a95 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Wed, 27 Feb 2019 20:02:07 -0500 Subject: [PATCH] patches for 4.4 Signed-off-by: Sasha Levin --- ...revent-potential-divide-by-zero-bugs.patch | 45 +++++++ ...return-value-to-avoid-build-warnings.patch | 74 +++++++++++ ...-snprintf-to-scnprintf-for-possible-.patch | 83 +++++++++++++ ...change-snprintf-to-scnprintf-for-pos.patch | 117 ++++++++++++++++++ ...ll-broadwell-fix-setting-for-.dynami.patch | 50 ++++++++ ...80211-extend-range-deviation-for-dmg.patch | 43 +++++++ ...unblock-writer-if-reader-closes-file.patch | 45 +++++++ ...rocess-frames-after-calling-napi_res.patch | 43 +++++++ ...vents-pending-from-svm_complete_inte.patch | 47 +++++++ ...nitiate-tdls-connection-if-station-i.patch | 57 +++++++++ ...ix-miscounting-of-ttl-dropped-frames.patch | 44 +++++++ ...tse-fix-connect_local_phy-error-path.patch | 37 ++++++ ...x-null-pointer-dereference-in-csio_v.patch | 41 ++++++ ...t-fix-maximum-acceptable-baud-rate-w.patch | 34 +++++ queue-4.4/series | 18 +++ ...licate-nvmem-partition-types-in-efx_.patch | 98 +++++++++++++++ ...x_thermal-fix-a-null-vs-is_err-check.patch | 34 +++++ ...fix-the-uninitialized-link_state-whe.patch | 57 +++++++++ ...tial-null-dereference-on-allocation-.patch | 37 ++++++ 19 files changed, 1004 insertions(+) create mode 100644 queue-4.4/alsa-compress-prevent-potential-divide-by-zero-bugs.patch create mode 100644 queue-4.4/arc-fix-__ffs-return-value-to-avoid-build-warnings.patch create mode 100644 queue-4.4/asoc-dapm-change-snprintf-to-scnprintf-for-possible-.patch create mode 100644 queue-4.4/asoc-imx-audmux-change-snprintf-to-scnprintf-for-pos.patch create mode 100644 queue-4.4/asoc-intel-haswell-broadwell-fix-setting-for-.dynami.patch create mode 100644 queue-4.4/cfg80211-extend-range-deviation-for-dmg.patch create mode 100644 queue-4.4/drm-msm-unblock-writer-if-reader-closes-file.patch create mode 100644 queue-4.4/ibmveth-do-not-process-frames-after-calling-napi_res.patch create mode 100644 queue-4.4/kvm-nsvm-clear-events-pending-from-svm_complete_inte.patch create mode 100644 queue-4.4/mac80211-don-t-initiate-tdls-connection-if-station-i.patch create mode 100644 queue-4.4/mac80211-fix-miscounting-of-ttl-dropped-frames.patch create mode 100644 queue-4.4/net-altera_tse-fix-connect_local_phy-error-path.patch create mode 100644 queue-4.4/scsi-csiostor-fix-null-pointer-dereference-in-csio_v.patch create mode 100644 queue-4.4/serial-fsl_lpuart-fix-maximum-acceptable-baud-rate-w.patch create mode 100644 queue-4.4/sfc-suppress-duplicate-nvmem-partition-types-in-efx_.patch create mode 100644 queue-4.4/thermal-int340x_thermal-fix-a-null-vs-is_err-check.patch create mode 100644 queue-4.4/usb-dwc3-gadget-fix-the-uninitialized-link_state-whe.patch create mode 100644 queue-4.4/usb-gadget-potential-null-dereference-on-allocation-.patch diff --git a/queue-4.4/alsa-compress-prevent-potential-divide-by-zero-bugs.patch b/queue-4.4/alsa-compress-prevent-potential-divide-by-zero-bugs.patch new file mode 100644 index 00000000000..588870705a0 --- /dev/null +++ b/queue-4.4/alsa-compress-prevent-potential-divide-by-zero-bugs.patch @@ -0,0 +1,45 @@ +From 85108948c9ac18ff4714bae3cae9b7e076235ea1 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 21 Dec 2018 12:06:58 +0300 +Subject: ALSA: compress: prevent potential divide by zero bugs + +[ Upstream commit 678e2b44c8e3fec3afc7202f1996a4500a50be93 ] + +The problem is seen in the q6asm_dai_compr_set_params() function: + + ret = q6asm_map_memory_regions(dir, prtd->audio_client, prtd->phys, + (prtd->pcm_size / prtd->periods), + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + prtd->periods); + +In this code prtd->pcm_size is the buffer_size and prtd->periods comes +from params->buffer.fragments. If we allow the number of fragments to +be zero then it results in a divide by zero bug. One possible fix would +be to use prtd->pcm_count directly instead of using the division to +re-calculate it. But I decided that it doesn't really make sense to +allow zero fragments. + +Signed-off-by: Dan Carpenter +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/core/compress_offload.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c +index 6163bf3e81776..2272aee128710 100644 +--- a/sound/core/compress_offload.c ++++ b/sound/core/compress_offload.c +@@ -500,7 +500,8 @@ static int snd_compress_check_input(struct snd_compr_params *params) + { + /* first let's check the buffer parameter's */ + if (params->buffer.fragment_size == 0 || +- params->buffer.fragments > INT_MAX / params->buffer.fragment_size) ++ params->buffer.fragments > INT_MAX / params->buffer.fragment_size || ++ params->buffer.fragments == 0) + return -EINVAL; + + /* now codec parameters */ +-- +2.19.1 + diff --git a/queue-4.4/arc-fix-__ffs-return-value-to-avoid-build-warnings.patch b/queue-4.4/arc-fix-__ffs-return-value-to-avoid-build-warnings.patch new file mode 100644 index 00000000000..1e86bb45b28 --- /dev/null +++ b/queue-4.4/arc-fix-__ffs-return-value-to-avoid-build-warnings.patch @@ -0,0 +1,74 @@ +From 055de0b6056e924b10d995c835538332eeeee151 Mon Sep 17 00:00:00 2001 +From: Eugeniy Paltsev +Date: Thu, 13 Dec 2018 18:42:57 +0300 +Subject: ARC: fix __ffs return value to avoid build warnings + +[ Upstream commit 4e868f8419cb4cb558c5d428e7ab5629cef864c7 ] + +| CC mm/nobootmem.o +|In file included from ./include/asm-generic/bug.h:18:0, +| from ./arch/arc/include/asm/bug.h:32, +| from ./include/linux/bug.h:5, +| from ./include/linux/mmdebug.h:5, +| from ./include/linux/gfp.h:5, +| from ./include/linux/slab.h:15, +| from mm/nobootmem.c:14: +|mm/nobootmem.c: In function '__free_pages_memory': +|./include/linux/kernel.h:845:29: warning: comparison of distinct pointer types lacks a cast +| (!!(sizeof((typeof(x) *)1 == (typeof(y) *)1))) +| ^ +|./include/linux/kernel.h:859:4: note: in expansion of macro '__typecheck' +| (__typecheck(x, y) && __no_side_effects(x, y)) +| ^~~~~~~~~~~ +|./include/linux/kernel.h:869:24: note: in expansion of macro '__safe_cmp' +| __builtin_choose_expr(__safe_cmp(x, y), \ +| ^~~~~~~~~~ +|./include/linux/kernel.h:878:19: note: in expansion of macro '__careful_cmp' +| #define min(x, y) __careful_cmp(x, y, <) +| ^~~~~~~~~~~~~ +|mm/nobootmem.c:104:11: note: in expansion of macro 'min' +| order = min(MAX_ORDER - 1UL, __ffs(start)); + +Change __ffs return value from 'int' to 'unsigned long' as it +is done in other implementations (like asm-generic, x86, etc...) +to avoid build-time warnings in places where type is strictly +checked. + +As __ffs may return values in [0-31] interval changing return +type to unsigned is valid. + +Signed-off-by: Eugeniy Paltsev +Signed-off-by: Vineet Gupta +Signed-off-by: Sasha Levin +--- + arch/arc/include/asm/bitops.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arc/include/asm/bitops.h b/arch/arc/include/asm/bitops.h +index 0352fb8d21b99..9623ae002f5b4 100644 +--- a/arch/arc/include/asm/bitops.h ++++ b/arch/arc/include/asm/bitops.h +@@ -286,7 +286,7 @@ static inline __attribute__ ((const)) int __fls(unsigned long x) + /* + * __ffs: Similar to ffs, but zero based (0-31) + */ +-static inline __attribute__ ((const)) int __ffs(unsigned long word) ++static inline __attribute__ ((const)) unsigned long __ffs(unsigned long word) + { + if (!word) + return word; +@@ -346,9 +346,9 @@ static inline __attribute__ ((const)) int ffs(unsigned long x) + /* + * __ffs: Similar to ffs, but zero based (0-31) + */ +-static inline __attribute__ ((const)) int __ffs(unsigned long x) ++static inline __attribute__ ((const)) unsigned long __ffs(unsigned long x) + { +- int n; ++ unsigned long n; + + asm volatile( + " ffs.f %0, %1 \n" /* 0:31; 31(Z) if src 0 */ +-- +2.19.1 + diff --git a/queue-4.4/asoc-dapm-change-snprintf-to-scnprintf-for-possible-.patch b/queue-4.4/asoc-dapm-change-snprintf-to-scnprintf-for-possible-.patch new file mode 100644 index 00000000000..e0aac59a67e --- /dev/null +++ b/queue-4.4/asoc-dapm-change-snprintf-to-scnprintf-for-possible-.patch @@ -0,0 +1,83 @@ +From 6101cb536867fcb042144faf395f8769ae5b0c41 Mon Sep 17 00:00:00 2001 +From: Silvio Cesare +Date: Sat, 12 Jan 2019 16:28:43 +0100 +Subject: ASoC: dapm: change snprintf to scnprintf for possible overflow + +[ Upstream commit e581e151e965bf1f2815dd94620b638fec4d0a7e ] + +Change snprintf to scnprintf. There are generally two cases where using +snprintf causes problems. + +1) Uses of size += snprintf(buf, SIZE - size, fmt, ...) +In this case, if snprintf would have written more characters than what the +buffer size (SIZE) is, then size will end up larger than SIZE. In later +uses of snprintf, SIZE - size will result in a negative number, leading +to problems. Note that size might already be too large by using +size = snprintf before the code reaches a case of size += snprintf. + +2) If size is ultimately used as a length parameter for a copy back to user +space, then it will potentially allow for a buffer overflow and information +disclosure when size is greater than SIZE. When the size is used to index +the buffer directly, we can have memory corruption. This also means when +size = snprintf... is used, it may also cause problems since size may become +large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel +configuration. + +The solution to these issues is to use scnprintf which returns the number of +characters actually written to the buffer, so the size variable will never +exceed SIZE. + +Signed-off-by: Silvio Cesare +Cc: Liam Girdwood +Cc: Mark Brown +Cc: Dan Carpenter +Cc: Kees Cook +Cc: Will Deacon +Cc: Greg KH +Signed-off-by: Willy Tarreau +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-dapm.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c +index 0aefed8ab0cf5..7e26d173da41c 100644 +--- a/sound/soc/soc-dapm.c ++++ b/sound/soc/soc-dapm.c +@@ -1943,19 +1943,19 @@ static ssize_t dapm_widget_power_read_file(struct file *file, + out = is_connected_output_ep(w, NULL); + } + +- ret = snprintf(buf, PAGE_SIZE, "%s: %s%s in %d out %d", ++ ret = scnprintf(buf, PAGE_SIZE, "%s: %s%s in %d out %d", + w->name, w->power ? "On" : "Off", + w->force ? " (forced)" : "", in, out); + + if (w->reg >= 0) +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + " - R%d(0x%x) mask 0x%x", + w->reg, w->reg, w->mask << w->shift); + +- ret += snprintf(buf + ret, PAGE_SIZE - ret, "\n"); ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, "\n"); + + if (w->sname) +- ret += snprintf(buf + ret, PAGE_SIZE - ret, " stream %s %s\n", ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, " stream %s %s\n", + w->sname, + w->active ? "active" : "inactive"); + +@@ -1968,7 +1968,7 @@ static ssize_t dapm_widget_power_read_file(struct file *file, + if (!p->connect) + continue; + +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + " %s \"%s\" \"%s\"\n", + (rdir == SND_SOC_DAPM_DIR_IN) ? "in" : "out", + p->name ? p->name : "static", +-- +2.19.1 + diff --git a/queue-4.4/asoc-imx-audmux-change-snprintf-to-scnprintf-for-pos.patch b/queue-4.4/asoc-imx-audmux-change-snprintf-to-scnprintf-for-pos.patch new file mode 100644 index 00000000000..27fe42b77ad --- /dev/null +++ b/queue-4.4/asoc-imx-audmux-change-snprintf-to-scnprintf-for-pos.patch @@ -0,0 +1,117 @@ +From d9c85adb8b70dcd43f973edc4b097d18f97f9fdf Mon Sep 17 00:00:00 2001 +From: Silvio Cesare +Date: Tue, 15 Jan 2019 04:27:27 +0100 +Subject: ASoC: imx-audmux: change snprintf to scnprintf for possible overflow + +[ Upstream commit c407cd008fd039320d147088b52d0fa34ed3ddcb ] + +Change snprintf to scnprintf. There are generally two cases where using +snprintf causes problems. + +1) Uses of size += snprintf(buf, SIZE - size, fmt, ...) +In this case, if snprintf would have written more characters than what the +buffer size (SIZE) is, then size will end up larger than SIZE. In later +uses of snprintf, SIZE - size will result in a negative number, leading +to problems. Note that size might already be too large by using +size = snprintf before the code reaches a case of size += snprintf. + +2) If size is ultimately used as a length parameter for a copy back to user +space, then it will potentially allow for a buffer overflow and information +disclosure when size is greater than SIZE. When the size is used to index +the buffer directly, we can have memory corruption. This also means when +size = snprintf... is used, it may also cause problems since size may become +large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel +configuration. + +The solution to these issues is to use scnprintf which returns the number of +characters actually written to the buffer, so the size variable will never +exceed SIZE. + +Signed-off-by: Silvio Cesare +Cc: Timur Tabi +Cc: Nicolin Chen +Cc: Mark Brown +Cc: Xiubo Li +Cc: Fabio Estevam +Cc: Dan Carpenter +Cc: Kees Cook +Cc: Will Deacon +Cc: Greg KH +Signed-off-by: Willy Tarreau +Acked-by: Nicolin Chen +Reviewed-by: Kees Cook +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/imx-audmux.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +diff --git a/sound/soc/fsl/imx-audmux.c b/sound/soc/fsl/imx-audmux.c +index fc57da341d610..136df38c4536c 100644 +--- a/sound/soc/fsl/imx-audmux.c ++++ b/sound/soc/fsl/imx-audmux.c +@@ -86,49 +86,49 @@ static ssize_t audmux_read_file(struct file *file, char __user *user_buf, + if (!buf) + return -ENOMEM; + +- ret = snprintf(buf, PAGE_SIZE, "PDCR: %08x\nPTCR: %08x\n", ++ ret = scnprintf(buf, PAGE_SIZE, "PDCR: %08x\nPTCR: %08x\n", + pdcr, ptcr); + + if (ptcr & IMX_AUDMUX_V2_PTCR_TFSDIR) +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "TxFS output from %s, ", + audmux_port_string((ptcr >> 27) & 0x7)); + else +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "TxFS input, "); + + if (ptcr & IMX_AUDMUX_V2_PTCR_TCLKDIR) +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "TxClk output from %s", + audmux_port_string((ptcr >> 22) & 0x7)); + else +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "TxClk input"); + +- ret += snprintf(buf + ret, PAGE_SIZE - ret, "\n"); ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, "\n"); + + if (ptcr & IMX_AUDMUX_V2_PTCR_SYN) { +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "Port is symmetric"); + } else { + if (ptcr & IMX_AUDMUX_V2_PTCR_RFSDIR) +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "RxFS output from %s, ", + audmux_port_string((ptcr >> 17) & 0x7)); + else +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "RxFS input, "); + + if (ptcr & IMX_AUDMUX_V2_PTCR_RCLKDIR) +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "RxClk output from %s", + audmux_port_string((ptcr >> 12) & 0x7)); + else +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "RxClk input"); + } + +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "\nData received from %s\n", + audmux_port_string((pdcr >> 13) & 0x7)); + +-- +2.19.1 + diff --git a/queue-4.4/asoc-intel-haswell-broadwell-fix-setting-for-.dynami.patch b/queue-4.4/asoc-intel-haswell-broadwell-fix-setting-for-.dynami.patch new file mode 100644 index 00000000000..6e522b1923c --- /dev/null +++ b/queue-4.4/asoc-intel-haswell-broadwell-fix-setting-for-.dynami.patch @@ -0,0 +1,50 @@ +From c91d93832e4def13b800454256339d11cf962944 Mon Sep 17 00:00:00 2001 +From: Rander Wang +Date: Tue, 18 Dec 2018 16:24:54 +0800 +Subject: ASoC: Intel: Haswell/Broadwell: fix setting for .dynamic field + +[ Upstream commit 906a9abc5de73c383af518f5a806f4be2993a0c7 ] + +For some reason this field was set to zero when all other drivers use +.dynamic = 1 for front-ends. This change was tested on Dell XPS13 and +has no impact with the existing legacy driver. The SOF driver also works +with this change which enables it to override the fixed topology. + +Signed-off-by: Rander Wang +Acked-by: Pierre-Louis Bossart +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/boards/broadwell.c | 2 +- + sound/soc/intel/boards/haswell.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/intel/boards/broadwell.c b/sound/soc/intel/boards/broadwell.c +index 3f8a1e10bed02..e5ca41ffa8908 100644 +--- a/sound/soc/intel/boards/broadwell.c ++++ b/sound/soc/intel/boards/broadwell.c +@@ -191,7 +191,7 @@ static struct snd_soc_dai_link broadwell_rt286_dais[] = { + .stream_name = "Loopback", + .cpu_dai_name = "Loopback Pin", + .platform_name = "haswell-pcm-audio", +- .dynamic = 0, ++ .dynamic = 1, + .codec_name = "snd-soc-dummy", + .codec_dai_name = "snd-soc-dummy-dai", + .trigger = {SND_SOC_DPCM_TRIGGER_POST, SND_SOC_DPCM_TRIGGER_POST}, +diff --git a/sound/soc/intel/boards/haswell.c b/sound/soc/intel/boards/haswell.c +index 22558572cb9ca..de955c2e8c4e3 100644 +--- a/sound/soc/intel/boards/haswell.c ++++ b/sound/soc/intel/boards/haswell.c +@@ -145,7 +145,7 @@ static struct snd_soc_dai_link haswell_rt5640_dais[] = { + .stream_name = "Loopback", + .cpu_dai_name = "Loopback Pin", + .platform_name = "haswell-pcm-audio", +- .dynamic = 0, ++ .dynamic = 1, + .codec_name = "snd-soc-dummy", + .codec_dai_name = "snd-soc-dummy-dai", + .trigger = {SND_SOC_DPCM_TRIGGER_POST, SND_SOC_DPCM_TRIGGER_POST}, +-- +2.19.1 + diff --git a/queue-4.4/cfg80211-extend-range-deviation-for-dmg.patch b/queue-4.4/cfg80211-extend-range-deviation-for-dmg.patch new file mode 100644 index 00000000000..5895ed7296e --- /dev/null +++ b/queue-4.4/cfg80211-extend-range-deviation-for-dmg.patch @@ -0,0 +1,43 @@ +From 72e0db1ba4bebe3d9b1fa42a4a0401a7907a242c Mon Sep 17 00:00:00 2001 +From: Chaitanya Tata +Date: Sat, 19 Jan 2019 03:17:47 +0530 +Subject: cfg80211: extend range deviation for DMG + +[ Upstream commit 93183bdbe73bbdd03e9566c8dc37c9d06b0d0db6 ] + +Recently, DMG frequency bands have been extended till 71GHz, so extend +the range check till 20GHz (45-71GHZ), else some channels will be marked +as disabled. + +Signed-off-by: Chaitanya Tata +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/reg.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/wireless/reg.c b/net/wireless/reg.c +index 50dffd183cc63..429abf4219064 100644 +--- a/net/wireless/reg.c ++++ b/net/wireless/reg.c +@@ -780,7 +780,7 @@ static bool reg_does_bw_fit(const struct ieee80211_freq_range *freq_range, + * definitions (the "2.4 GHz band", the "5 GHz band" and the "60GHz band"), + * however it is safe for now to assume that a frequency rule should not be + * part of a frequency's band if the start freq or end freq are off by more +- * than 2 GHz for the 2.4 and 5 GHz bands, and by more than 10 GHz for the ++ * than 2 GHz for the 2.4 and 5 GHz bands, and by more than 20 GHz for the + * 60 GHz band. + * This resolution can be lowered and should be considered as we add + * regulatory rule support for other "bands". +@@ -795,7 +795,7 @@ static bool freq_in_rule_band(const struct ieee80211_freq_range *freq_range, + * with the Channel starting frequency above 45 GHz. + */ + u32 limit = freq_khz > 45 * ONE_GHZ_IN_KHZ ? +- 10 * ONE_GHZ_IN_KHZ : 2 * ONE_GHZ_IN_KHZ; ++ 20 * ONE_GHZ_IN_KHZ : 2 * ONE_GHZ_IN_KHZ; + if (abs(freq_khz - freq_range->start_freq_khz) <= limit) + return true; + if (abs(freq_khz - freq_range->end_freq_khz) <= limit) +-- +2.19.1 + diff --git a/queue-4.4/drm-msm-unblock-writer-if-reader-closes-file.patch b/queue-4.4/drm-msm-unblock-writer-if-reader-closes-file.patch new file mode 100644 index 00000000000..80755832b24 --- /dev/null +++ b/queue-4.4/drm-msm-unblock-writer-if-reader-closes-file.patch @@ -0,0 +1,45 @@ +From 2d1fac64848538fb279a4128bc97f0c027b4ca21 Mon Sep 17 00:00:00 2001 +From: "Kristian H. Kristensen" +Date: Wed, 19 Dec 2018 08:57:41 -0800 +Subject: drm/msm: Unblock writer if reader closes file + +[ Upstream commit 99c66bc051e7407fe0bf0607b142ec0be1a1d1dd ] + +Prevents deadlock when fifo is full and reader closes file. + +Signed-off-by: Kristian H. Kristensen +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/msm_rd.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/msm_rd.c b/drivers/gpu/drm/msm/msm_rd.c +index 9a78c48817c6a..909a52b21ebe7 100644 +--- a/drivers/gpu/drm/msm/msm_rd.c ++++ b/drivers/gpu/drm/msm/msm_rd.c +@@ -103,7 +103,9 @@ static void rd_write(struct msm_rd_state *rd, const void *buf, int sz) + char *fptr = &fifo->buf[fifo->head]; + int n; + +- wait_event(rd->fifo_event, circ_space(&rd->fifo) > 0); ++ wait_event(rd->fifo_event, circ_space(&rd->fifo) > 0 || !rd->open); ++ if (!rd->open) ++ return; + + n = min(sz, circ_space_to_end(&rd->fifo)); + memcpy(fptr, ptr, n); +@@ -192,7 +194,10 @@ static int rd_open(struct inode *inode, struct file *file) + static int rd_release(struct inode *inode, struct file *file) + { + struct msm_rd_state *rd = inode->i_private; ++ + rd->open = false; ++ wake_up_all(&rd->fifo_event); ++ + return 0; + } + +-- +2.19.1 + diff --git a/queue-4.4/ibmveth-do-not-process-frames-after-calling-napi_res.patch b/queue-4.4/ibmveth-do-not-process-frames-after-calling-napi_res.patch new file mode 100644 index 00000000000..4282fd18655 --- /dev/null +++ b/queue-4.4/ibmveth-do-not-process-frames-after-calling-napi_res.patch @@ -0,0 +1,43 @@ +From d8c3294ba0ab6a647d860a6d28720d299ac9a0f3 Mon Sep 17 00:00:00 2001 +From: Thomas Falcon +Date: Thu, 24 Jan 2019 11:17:01 -0600 +Subject: ibmveth: Do not process frames after calling napi_reschedule + +[ Upstream commit e95d22c69b2c130ccce257b84daf283fd82d611e ] + +The IBM virtual ethernet driver's polling function continues +to process frames after rescheduling NAPI, resulting in a warning +if it exhausted its budget. Do not restart polling after calling +napi_reschedule. Instead let frames be processed in the following +instance. + +Signed-off-by: Thomas Falcon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ibm/ibmveth.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/net/ethernet/ibm/ibmveth.c b/drivers/net/ethernet/ibm/ibmveth.c +index 61a9ab4fe047d..70b3253e7ed5e 100644 +--- a/drivers/net/ethernet/ibm/ibmveth.c ++++ b/drivers/net/ethernet/ibm/ibmveth.c +@@ -1238,7 +1238,6 @@ static int ibmveth_poll(struct napi_struct *napi, int budget) + struct iphdr *iph; + u16 mss = 0; + +-restart_poll: + while (frames_processed < budget) { + if (!ibmveth_rxq_pending_buffer(adapter)) + break; +@@ -1336,7 +1335,6 @@ static int ibmveth_poll(struct napi_struct *napi, int budget) + napi_reschedule(napi)) { + lpar_rc = h_vio_signal(adapter->vdev->unit_address, + VIO_IRQ_DISABLE); +- goto restart_poll; + } + } + +-- +2.19.1 + diff --git a/queue-4.4/kvm-nsvm-clear-events-pending-from-svm_complete_inte.patch b/queue-4.4/kvm-nsvm-clear-events-pending-from-svm_complete_inte.patch new file mode 100644 index 00000000000..cd44f859abb --- /dev/null +++ b/queue-4.4/kvm-nsvm-clear-events-pending-from-svm_complete_inte.patch @@ -0,0 +1,47 @@ +From f3ff193a4fdde8a1fc93d814bf4933c025f68e8e Mon Sep 17 00:00:00 2001 +From: Vitaly Kuznetsov +Date: Mon, 7 Jan 2019 19:44:51 +0100 +Subject: KVM: nSVM: clear events pending from svm_complete_interrupts() when + exiting to L1 + +[ Upstream commit 619ad846fc3452adaf71ca246c5aa711e2055398 ] + +kvm-unit-tests' eventinj "NMI failing on IDT" test results in NMI being +delivered to the host (L1) when it's running nested. The problem seems to +be: svm_complete_interrupts() raises 'nmi_injected' flag but later we +decide to reflect EXIT_NPF to L1. The flag remains pending and we do NMI +injection upon entry so it got delivered to L1 instead of L2. + +It seems that VMX code solves the same issue in prepare_vmcs12(), this was +introduced with code refactoring in commit 5f3d5799974b ("KVM: nVMX: Rework +event injection and recovery"). + +Signed-off-by: Vitaly Kuznetsov +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/svm.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c +index 7ce1a19d9d8bf..acbde1249b6f3 100644 +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -2388,6 +2388,14 @@ static int nested_svm_vmexit(struct vcpu_svm *svm) + kvm_mmu_reset_context(&svm->vcpu); + kvm_mmu_load(&svm->vcpu); + ++ /* ++ * Drop what we picked up for L2 via svm_complete_interrupts() so it ++ * doesn't end up in L1. ++ */ ++ svm->vcpu.arch.nmi_injected = false; ++ kvm_clear_exception_queue(&svm->vcpu); ++ kvm_clear_interrupt_queue(&svm->vcpu); ++ + return 0; + } + +-- +2.19.1 + diff --git a/queue-4.4/mac80211-don-t-initiate-tdls-connection-if-station-i.patch b/queue-4.4/mac80211-don-t-initiate-tdls-connection-if-station-i.patch new file mode 100644 index 00000000000..17f44e2c52d --- /dev/null +++ b/queue-4.4/mac80211-don-t-initiate-tdls-connection-if-station-i.patch @@ -0,0 +1,57 @@ +From 1f9d353409cd1e1b1bcc17389d6d0ffd21d9b0fa Mon Sep 17 00:00:00 2001 +From: Balaji Pothunoori +Date: Mon, 21 Jan 2019 12:30:43 +0530 +Subject: mac80211: don't initiate TDLS connection if station is not associated + to AP + +[ Upstream commit 7ed5285396c257fd4070b1e29e7b2341aae2a1ce ] + +Following call trace is observed while adding TDLS peer entry in driver +during TDLS setup. + +Call Trace: +[] dump_stack+0x47/0x61 +[] __warn+0xe2/0x100 +[] ? sta_apply_parameters+0x49f/0x550 [mac80211] +[] warn_slowpath_null+0x25/0x30 +[] sta_apply_parameters+0x49f/0x550 [mac80211] +[] ? sta_info_alloc+0x1c2/0x450 [mac80211] +[] ieee80211_add_station+0xe3/0x160 [mac80211] +[] nl80211_new_station+0x273/0x420 +[] genl_rcv_msg+0x219/0x3c0 +[] ? genl_rcv+0x30/0x30 +[] netlink_rcv_skb+0x8e/0xb0 +[] genl_rcv+0x1c/0x30 +[] netlink_unicast+0x13a/0x1d0 +[] netlink_sendmsg+0x2d8/0x390 +[] sock_sendmsg+0x2d/0x40 +[] ___sys_sendmsg+0x1d9/0x1e0 + +Fixing this by allowing TDLS setup request only when we have completed +association. + +Signed-off-by: Balaji Pothunoori +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/cfg.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c +index 67348d8ac35da..7349bf26ae7b3 100644 +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -1228,6 +1228,10 @@ static int ieee80211_add_station(struct wiphy *wiphy, struct net_device *dev, + if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) + sta->sta.tdls = true; + ++ if (sta->sta.tdls && sdata->vif.type == NL80211_IFTYPE_STATION && ++ !sdata->u.mgd.associated) ++ return -EINVAL; ++ + err = sta_apply_parameters(local, sta, params); + if (err) { + sta_info_free(local, sta); +-- +2.19.1 + diff --git a/queue-4.4/mac80211-fix-miscounting-of-ttl-dropped-frames.patch b/queue-4.4/mac80211-fix-miscounting-of-ttl-dropped-frames.patch new file mode 100644 index 00000000000..89cff817343 --- /dev/null +++ b/queue-4.4/mac80211-fix-miscounting-of-ttl-dropped-frames.patch @@ -0,0 +1,44 @@ +From 68e07a25650b7de0b47bdb756917fbea1ea636dd Mon Sep 17 00:00:00 2001 +From: Bob Copeland +Date: Thu, 17 Jan 2019 16:32:42 -0500 +Subject: mac80211: fix miscounting of ttl-dropped frames + +[ Upstream commit a0dc02039a2ee54fb4ae400e0b755ed30e73e58c ] + +In ieee80211_rx_h_mesh_fwding, we increment the 'dropped_frames_ttl' +counter when we decrement the ttl to zero. For unicast frames +destined for other hosts, we stop processing the frame at that point. + +For multicast frames, we do not rebroadcast it in this case, but we +do pass the frame up the stack to process it on this STA. That +doesn't match the usual definition of "dropped," so don't count +those as such. + +With this change, something like `ping6 -i0.2 ff02::1%mesh0` from a +peer in a ttl=1 network no longer increments the counter rapidly. + +Signed-off-by: Bob Copeland +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/rx.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c +index acacceec8cd86..833ad779659c8 100644 +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -2340,7 +2340,9 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx) + skb_set_queue_mapping(skb, q); + + if (!--mesh_hdr->ttl) { +- IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_ttl); ++ if (!is_multicast_ether_addr(hdr->addr1)) ++ IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, ++ dropped_frames_ttl); + goto out; + } + +-- +2.19.1 + diff --git a/queue-4.4/net-altera_tse-fix-connect_local_phy-error-path.patch b/queue-4.4/net-altera_tse-fix-connect_local_phy-error-path.patch new file mode 100644 index 00000000000..67f14edaf35 --- /dev/null +++ b/queue-4.4/net-altera_tse-fix-connect_local_phy-error-path.patch @@ -0,0 +1,37 @@ +From f25f93c8dab10aadb29388ec9e51039e416e32f8 Mon Sep 17 00:00:00 2001 +From: Atsushi Nemoto +Date: Mon, 21 Jan 2019 17:26:41 +0900 +Subject: net: altera_tse: fix connect_local_phy error path + +[ Upstream commit 17b42a20d7ca59377788c6a2409e77569570cc10 ] + +The connect_local_phy should return NULL (not negative errno) on +error, since its caller expects it. + +Signed-off-by: Atsushi Nemoto +Acked-by: Thor Thayer +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/altera/altera_tse_main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/altera/altera_tse_main.c b/drivers/net/ethernet/altera/altera_tse_main.c +index fe644823ceaf9..bb51f124d8c7d 100644 +--- a/drivers/net/ethernet/altera/altera_tse_main.c ++++ b/drivers/net/ethernet/altera/altera_tse_main.c +@@ -716,8 +716,10 @@ static struct phy_device *connect_local_phy(struct net_device *dev) + + phydev = phy_connect(dev, phy_id_fmt, &altera_tse_adjust_link, + priv->phy_iface); +- if (IS_ERR(phydev)) ++ if (IS_ERR(phydev)) { + netdev_err(dev, "Could not attach to PHY\n"); ++ phydev = NULL; ++ } + + } else { + int ret; +-- +2.19.1 + diff --git a/queue-4.4/scsi-csiostor-fix-null-pointer-dereference-in-csio_v.patch b/queue-4.4/scsi-csiostor-fix-null-pointer-dereference-in-csio_v.patch new file mode 100644 index 00000000000..c3f21aa9d7f --- /dev/null +++ b/queue-4.4/scsi-csiostor-fix-null-pointer-dereference-in-csio_v.patch @@ -0,0 +1,41 @@ +From fb86bdc96ad1343bf6de8ca088fbba4653aa3a52 Mon Sep 17 00:00:00 2001 +From: Varun Prakash +Date: Sat, 12 Jan 2019 22:14:30 +0530 +Subject: scsi: csiostor: fix NULL pointer dereference in + csio_vport_set_state() + +[ Upstream commit fe35a40e675473eb65f2f5462b82770f324b5689 ] + +Assign fc_vport to ln->fc_vport before calling csio_fcoe_alloc_vnp() to +avoid a NULL pointer dereference in csio_vport_set_state(). + +ln->fc_vport is dereferenced in csio_vport_set_state(). + +Signed-off-by: Varun Prakash +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/csiostor/csio_attr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/csiostor/csio_attr.c b/drivers/scsi/csiostor/csio_attr.c +index 2d1c4ebd40f91..6587f20cff1a1 100644 +--- a/drivers/scsi/csiostor/csio_attr.c ++++ b/drivers/scsi/csiostor/csio_attr.c +@@ -582,12 +582,12 @@ csio_vport_create(struct fc_vport *fc_vport, bool disable) + } + + fc_vport_set_state(fc_vport, FC_VPORT_INITIALIZING); ++ ln->fc_vport = fc_vport; + + if (csio_fcoe_alloc_vnp(hw, ln)) + goto error; + + *(struct csio_lnode **)fc_vport->dd_data = ln; +- ln->fc_vport = fc_vport; + if (!fc_vport->node_name) + fc_vport->node_name = wwn_to_u64(csio_ln_wwnn(ln)); + if (!fc_vport->port_name) +-- +2.19.1 + diff --git a/queue-4.4/serial-fsl_lpuart-fix-maximum-acceptable-baud-rate-w.patch b/queue-4.4/serial-fsl_lpuart-fix-maximum-acceptable-baud-rate-w.patch new file mode 100644 index 00000000000..434e889ee39 --- /dev/null +++ b/queue-4.4/serial-fsl_lpuart-fix-maximum-acceptable-baud-rate-w.patch @@ -0,0 +1,34 @@ +From 70fdf74a8c3adc4e877a59284ecd9dd6cb640ae3 Mon Sep 17 00:00:00 2001 +From: Tomonori Sakita +Date: Mon, 21 Jan 2019 17:34:16 +0900 +Subject: serial: fsl_lpuart: fix maximum acceptable baud rate with + over-sampling + +[ Upstream commit 815d835b7ba46685c316b000013367dacb2b461b ] + +Using over-sampling ratio, lpuart can accept baud rate upto uartclk / 4. + +Signed-off-by: Tomonori Sakita +Signed-off-by: Atsushi Nemoto +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/fsl_lpuart.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c +index 8b5ec9386f0f4..1544a7cc76ff8 100644 +--- a/drivers/tty/serial/fsl_lpuart.c ++++ b/drivers/tty/serial/fsl_lpuart.c +@@ -1409,7 +1409,7 @@ lpuart32_set_termios(struct uart_port *port, struct ktermios *termios, + } + + /* ask the core to calculate the divisor */ +- baud = uart_get_baud_rate(port, termios, old, 50, port->uartclk / 16); ++ baud = uart_get_baud_rate(port, termios, old, 50, port->uartclk / 4); + + spin_lock_irqsave(&sport->port.lock, flags); + +-- +2.19.1 + diff --git a/queue-4.4/series b/queue-4.4/series index ee60f0aef7d..2c76954b549 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -29,3 +29,21 @@ arcv2-enable-unaligned-access-in-early-asm-code.patch revert-bridge-do-not-add-port-to-router-list-when-receives-query-with-source-0.0.0.0.patch libceph-handle-an-empty-authorize-reply.patch scsi-libsas-fix-rphy-phy_identifier-for-phys-with-end-devices-attached.patch +drm-msm-unblock-writer-if-reader-closes-file.patch +asoc-intel-haswell-broadwell-fix-setting-for-.dynami.patch +alsa-compress-prevent-potential-divide-by-zero-bugs.patch +thermal-int340x_thermal-fix-a-null-vs-is_err-check.patch +usb-dwc3-gadget-fix-the-uninitialized-link_state-whe.patch +usb-gadget-potential-null-dereference-on-allocation-.patch +asoc-dapm-change-snprintf-to-scnprintf-for-possible-.patch +asoc-imx-audmux-change-snprintf-to-scnprintf-for-pos.patch +arc-fix-__ffs-return-value-to-avoid-build-warnings.patch +mac80211-fix-miscounting-of-ttl-dropped-frames.patch +serial-fsl_lpuart-fix-maximum-acceptable-baud-rate-w.patch +scsi-csiostor-fix-null-pointer-dereference-in-csio_v.patch +net-altera_tse-fix-connect_local_phy-error-path.patch +sfc-suppress-duplicate-nvmem-partition-types-in-efx_.patch +ibmveth-do-not-process-frames-after-calling-napi_res.patch +mac80211-don-t-initiate-tdls-connection-if-station-i.patch +cfg80211-extend-range-deviation-for-dmg.patch +kvm-nsvm-clear-events-pending-from-svm_complete_inte.patch diff --git a/queue-4.4/sfc-suppress-duplicate-nvmem-partition-types-in-efx_.patch b/queue-4.4/sfc-suppress-duplicate-nvmem-partition-types-in-efx_.patch new file mode 100644 index 00000000000..4e63c3cbf4a --- /dev/null +++ b/queue-4.4/sfc-suppress-duplicate-nvmem-partition-types-in-efx_.patch @@ -0,0 +1,98 @@ +From a919627faa376e337f5fec2242fb09cc661f9e83 Mon Sep 17 00:00:00 2001 +From: Edward Cree +Date: Tue, 22 Jan 2019 19:02:17 +0000 +Subject: sfc: suppress duplicate nvmem partition types in efx_ef10_mtd_probe + +[ Upstream commit 3366463513f544c12c6b88c13da4462ee9e7a1a1 ] + +Use a bitmap to keep track of which partition types we've already seen; + for duplicates, return -EEXIST from efx_ef10_mtd_probe_partition() and + thus skip adding that partition. +Duplicate partitions occur because of the A/B backup scheme used by newer + sfc NICs. Prior to this patch they cause sysfs_warn_dup errors because + they have the same name, causing us not to expose any MTDs at all. + +Signed-off-by: Edward Cree +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sfc/ef10.c | 29 +++++++++++++++++++++-------- + 1 file changed, 21 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/sfc/ef10.c b/drivers/net/ethernet/sfc/ef10.c +index 063aca17e698b..79a1031c3ef77 100644 +--- a/drivers/net/ethernet/sfc/ef10.c ++++ b/drivers/net/ethernet/sfc/ef10.c +@@ -4433,22 +4433,25 @@ static const struct efx_ef10_nvram_type_info efx_ef10_nvram_types[] = { + { NVRAM_PARTITION_TYPE_LICENSE, 0, 0, "sfc_license" }, + { NVRAM_PARTITION_TYPE_PHY_MIN, 0xff, 0, "sfc_phy_fw" }, + }; ++#define EF10_NVRAM_PARTITION_COUNT ARRAY_SIZE(efx_ef10_nvram_types) + + static int efx_ef10_mtd_probe_partition(struct efx_nic *efx, + struct efx_mcdi_mtd_partition *part, +- unsigned int type) ++ unsigned int type, ++ unsigned long *found) + { + MCDI_DECLARE_BUF(inbuf, MC_CMD_NVRAM_METADATA_IN_LEN); + MCDI_DECLARE_BUF(outbuf, MC_CMD_NVRAM_METADATA_OUT_LENMAX); + const struct efx_ef10_nvram_type_info *info; + size_t size, erase_size, outlen; ++ int type_idx = 0; + bool protected; + int rc; + +- for (info = efx_ef10_nvram_types; ; info++) { +- if (info == +- efx_ef10_nvram_types + ARRAY_SIZE(efx_ef10_nvram_types)) ++ for (type_idx = 0; ; type_idx++) { ++ if (type_idx == EF10_NVRAM_PARTITION_COUNT) + return -ENODEV; ++ info = efx_ef10_nvram_types + type_idx; + if ((type & ~info->type_mask) == info->type) + break; + } +@@ -4461,6 +4464,13 @@ static int efx_ef10_mtd_probe_partition(struct efx_nic *efx, + if (protected) + return -ENODEV; /* hide it */ + ++ /* If we've already exposed a partition of this type, hide this ++ * duplicate. All operations on MTDs are keyed by the type anyway, ++ * so we can't act on the duplicate. ++ */ ++ if (__test_and_set_bit(type_idx, found)) ++ return -EEXIST; ++ + part->nvram_type = type; + + MCDI_SET_DWORD(inbuf, NVRAM_METADATA_IN_TYPE, type); +@@ -4489,6 +4499,7 @@ static int efx_ef10_mtd_probe_partition(struct efx_nic *efx, + static int efx_ef10_mtd_probe(struct efx_nic *efx) + { + MCDI_DECLARE_BUF(outbuf, MC_CMD_NVRAM_PARTITIONS_OUT_LENMAX); ++ DECLARE_BITMAP(found, EF10_NVRAM_PARTITION_COUNT); + struct efx_mcdi_mtd_partition *parts; + size_t outlen, n_parts_total, i, n_parts; + unsigned int type; +@@ -4517,11 +4528,13 @@ static int efx_ef10_mtd_probe(struct efx_nic *efx) + for (i = 0; i < n_parts_total; i++) { + type = MCDI_ARRAY_DWORD(outbuf, NVRAM_PARTITIONS_OUT_TYPE_ID, + i); +- rc = efx_ef10_mtd_probe_partition(efx, &parts[n_parts], type); +- if (rc == 0) +- n_parts++; +- else if (rc != -ENODEV) ++ rc = efx_ef10_mtd_probe_partition(efx, &parts[n_parts], type, ++ found); ++ if (rc == -EEXIST || rc == -ENODEV) ++ continue; ++ if (rc) + goto fail; ++ n_parts++; + } + + rc = efx_mtd_add(efx, &parts[0].common, n_parts, sizeof(*parts)); +-- +2.19.1 + diff --git a/queue-4.4/thermal-int340x_thermal-fix-a-null-vs-is_err-check.patch b/queue-4.4/thermal-int340x_thermal-fix-a-null-vs-is_err-check.patch new file mode 100644 index 00000000000..fe861bd6e7c --- /dev/null +++ b/queue-4.4/thermal-int340x_thermal-fix-a-null-vs-is_err-check.patch @@ -0,0 +1,34 @@ +From b7bf92f965fd568eb9c7a345d77ddcf8abda1502 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Mon, 17 Dec 2018 10:02:42 +0300 +Subject: thermal: int340x_thermal: Fix a NULL vs IS_ERR() check + +[ Upstream commit 3fe931b31a4078395c1967f0495dcc9e5ec6b5e3 ] + +The intel_soc_dts_iosf_init() function doesn't return NULL, it returns +error pointers. + +Fixes: 4d0dd6c1576b ("Thermal/int340x/processor_thermal: Enable auxiliary DTS for Braswell") +Signed-off-by: Dan Carpenter +Signed-off-by: Zhang Rui +Signed-off-by: Sasha Levin +--- + drivers/thermal/int340x_thermal/processor_thermal_device.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/thermal/int340x_thermal/processor_thermal_device.c b/drivers/thermal/int340x_thermal/processor_thermal_device.c +index ccc0ad02d0669..7f374ab5b1760 100644 +--- a/drivers/thermal/int340x_thermal/processor_thermal_device.c ++++ b/drivers/thermal/int340x_thermal/processor_thermal_device.c +@@ -363,7 +363,7 @@ static int proc_thermal_pci_probe(struct pci_dev *pdev, + proc_priv->soc_dts = intel_soc_dts_iosf_init( + INTEL_SOC_DTS_INTERRUPT_MSI, 2, 0); + +- if (proc_priv->soc_dts && pdev->irq) { ++ if (!IS_ERR(proc_priv->soc_dts) && pdev->irq) { + ret = pci_enable_msi(pdev); + if (!ret) { + ret = request_threaded_irq(pdev->irq, NULL, +-- +2.19.1 + diff --git a/queue-4.4/usb-dwc3-gadget-fix-the-uninitialized-link_state-whe.patch b/queue-4.4/usb-dwc3-gadget-fix-the-uninitialized-link_state-whe.patch new file mode 100644 index 00000000000..6494d59b137 --- /dev/null +++ b/queue-4.4/usb-dwc3-gadget-fix-the-uninitialized-link_state-whe.patch @@ -0,0 +1,57 @@ +From 083d2070c035bf1eb63bc04a7869d52e4866e88e Mon Sep 17 00:00:00 2001 +From: Zeng Tao +Date: Wed, 26 Dec 2018 19:22:00 +0800 +Subject: usb: dwc3: gadget: Fix the uninitialized link_state when udc starts + +[ Upstream commit 88b1bb1f3b88e0bf20b05d543a53a5b99bd7ceb6 ] + +Currently the link_state is uninitialized and the default value is 0(U0) +before the first time we start the udc, and after we start the udc then + stop the udc, the link_state will be undefined. +We may have the following warnings if we start the udc again with +an undefined link_state: + +WARNING: CPU: 0 PID: 327 at drivers/usb/dwc3/gadget.c:294 dwc3_send_gadget_ep_cmd+0x304/0x308 +dwc3 100e0000.hidwc3_0: wakeup failed --> -22 +[...] +Call Trace: +[] (unwind_backtrace) from [] (show_stack+0x10/0x14) +[] (show_stack) from [] (dump_stack+0x84/0x98) +[] (dump_stack) from [] (__warn+0xe8/0x100) +[] (__warn) from [](warn_slowpath_fmt+0x38/0x48) +[] (warn_slowpath_fmt) from [](dwc3_send_gadget_ep_cmd+0x304/0x308) +[] (dwc3_send_gadget_ep_cmd) from [](dwc3_ep0_start_trans+0x48/0xf4) +[] (dwc3_ep0_start_trans) from [](dwc3_ep0_out_start+0x64/0x80) +[] (dwc3_ep0_out_start) from [](__dwc3_gadget_start+0x1e0/0x278) +[] (__dwc3_gadget_start) from [](dwc3_gadget_start+0x88/0x10c) +[] (dwc3_gadget_start) from [](udc_bind_to_driver+0x88/0xbc) +[] (udc_bind_to_driver) from [](usb_gadget_probe_driver+0xf8/0x140) +[] (usb_gadget_probe_driver) from [](gadget_dev_desc_UDC_store+0xac/0xc4 [libcomposite]) +[] (gadget_dev_desc_UDC_store [libcomposite]) from[] (configfs_write_file+0xd4/0x160) +[] (configfs_write_file) from [] (__vfs_write+0x1c/0x114) +[] (__vfs_write) from [] (vfs_write+0xa4/0x168) +[] (vfs_write) from [] (SyS_write+0x3c/0x90) +[] (SyS_write) from [] (ret_fast_syscall+0x0/0x3c) + +Signed-off-by: Zeng Tao +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/gadget.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c +index b6037a0ae829b..557f08adf644e 100644 +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -1676,6 +1676,7 @@ static int dwc3_gadget_start(struct usb_gadget *g, + + /* begin to receive SETUP packets */ + dwc->ep0state = EP0_SETUP_PHASE; ++ dwc->link_state = DWC3_LINK_STATE_SS_DIS; + dwc3_ep0_out_start(dwc); + + dwc3_gadget_enable_irq(dwc); +-- +2.19.1 + diff --git a/queue-4.4/usb-gadget-potential-null-dereference-on-allocation-.patch b/queue-4.4/usb-gadget-potential-null-dereference-on-allocation-.patch new file mode 100644 index 00000000000..322e58e797c --- /dev/null +++ b/queue-4.4/usb-gadget-potential-null-dereference-on-allocation-.patch @@ -0,0 +1,37 @@ +From 8c1fe4d7636dbfa255afacde8ebef7f38501f152 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 21 Dec 2018 23:42:52 +0300 +Subject: usb: gadget: Potential NULL dereference on allocation error + +[ Upstream commit df28169e1538e4a8bcd8b779b043e5aa6524545c ] + +The source_sink_alloc_func() function is supposed to return error +pointers on error. The function is called from usb_get_function() which +doesn't check for NULL returns so it would result in an Oops. + +Of course, in the current kernel, small allocations always succeed so +this doesn't affect runtime. + +Signed-off-by: Dan Carpenter +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_sourcesink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/function/f_sourcesink.c b/drivers/usb/gadget/function/f_sourcesink.c +index 67b2439899389..d7d095781be18 100644 +--- a/drivers/usb/gadget/function/f_sourcesink.c ++++ b/drivers/usb/gadget/function/f_sourcesink.c +@@ -849,7 +849,7 @@ static struct usb_function *source_sink_alloc_func( + + ss = kzalloc(sizeof(*ss), GFP_KERNEL); + if (!ss) +- return NULL; ++ return ERR_PTR(-ENOMEM); + + ss_opts = container_of(fi, struct f_ss_opts, func_inst); + +-- +2.19.1 + -- 2.47.3