kvm-fix-uaf-in-nested-posted-interrupt-processing.patch
drivers-hv-vmbus-return-einval-for-the-sys-files-for-unopened-channels.patch
x86-mtrr-don-t-copy-uninitialized-gentry-fields-back-to-userspace.patch
+spi-imx-add-a-device-specific-prepare_message-callba.patch
+spi-imx-mx51-ecspi-move-some-initialisation-to-prepa.patch
+ubifs-handle-re-linking-of-inodes-correctly-while-re.patch
--- /dev/null
+From da537f41103e21af990de4b165ec08b6062b7a10 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <u.kleine-koenig@pengutronix.de>
+Date: Sun, 23 Dec 2018 22:21:21 +0100
+Subject: spi: imx: add a device specific prepare_message callback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is just preparatory work which allows to move some initialisation
+that currently is done in the per transfer hook .config to an earlier
+point in time in the next few patches. There is no change in behaviour
+introduced by this patch.
+
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+[ukleinek: backport to v4.14.x]
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-imx.c | 40 +++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 39 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c
+index d51ca243a028..3fdb0652429b 100644
+--- a/drivers/spi/spi-imx.c
++++ b/drivers/spi/spi-imx.c
+@@ -72,6 +72,7 @@ struct spi_imx_data;
+
+ struct spi_imx_devtype_data {
+ void (*intctrl)(struct spi_imx_data *, int);
++ int (*prepare_message)(struct spi_imx_data *, struct spi_message *);
+ int (*config)(struct spi_device *);
+ void (*trigger)(struct spi_imx_data *);
+ int (*rx_available)(struct spi_imx_data *);
+@@ -439,6 +440,12 @@ static void mx51_ecspi_trigger(struct spi_imx_data *spi_imx)
+ writel(reg, spi_imx->base + MX51_ECSPI_CTRL);
+ }
+
++static int mx51_ecspi_prepare_message(struct spi_imx_data *spi_imx,
++ struct spi_message *msg)
++{
++ return 0;
++}
++
+ static int mx51_ecspi_config(struct spi_device *spi)
+ {
+ struct spi_imx_data *spi_imx = spi_master_get_devdata(spi->master);
+@@ -599,6 +606,12 @@ static void mx31_trigger(struct spi_imx_data *spi_imx)
+ writel(reg, spi_imx->base + MXC_CSPICTRL);
+ }
+
++static int mx31_prepare_message(struct spi_imx_data *spi_imx,
++ struct spi_message *msg)
++{
++ return 0;
++}
++
+ static int mx31_config(struct spi_device *spi)
+ {
+ struct spi_imx_data *spi_imx = spi_master_get_devdata(spi->master);
+@@ -695,6 +708,12 @@ static void mx21_trigger(struct spi_imx_data *spi_imx)
+ writel(reg, spi_imx->base + MXC_CSPICTRL);
+ }
+
++static int mx21_prepare_message(struct spi_imx_data *spi_imx,
++ struct spi_message *msg)
++{
++ return 0;
++}
++
+ static int mx21_config(struct spi_device *spi)
+ {
+ struct spi_imx_data *spi_imx = spi_master_get_devdata(spi->master);
+@@ -764,6 +783,12 @@ static void mx1_trigger(struct spi_imx_data *spi_imx)
+ writel(reg, spi_imx->base + MXC_CSPICTRL);
+ }
+
++static int mx1_prepare_message(struct spi_imx_data *spi_imx,
++ struct spi_message *msg)
++{
++ return 0;
++}
++
+ static int mx1_config(struct spi_device *spi)
+ {
+ struct spi_imx_data *spi_imx = spi_master_get_devdata(spi->master);
+@@ -798,6 +823,7 @@ static void mx1_reset(struct spi_imx_data *spi_imx)
+
+ static struct spi_imx_devtype_data imx1_cspi_devtype_data = {
+ .intctrl = mx1_intctrl,
++ .prepare_message = mx1_prepare_message,
+ .config = mx1_config,
+ .trigger = mx1_trigger,
+ .rx_available = mx1_rx_available,
+@@ -810,6 +836,7 @@ static struct spi_imx_devtype_data imx1_cspi_devtype_data = {
+
+ static struct spi_imx_devtype_data imx21_cspi_devtype_data = {
+ .intctrl = mx21_intctrl,
++ .prepare_message = mx21_prepare_message,
+ .config = mx21_config,
+ .trigger = mx21_trigger,
+ .rx_available = mx21_rx_available,
+@@ -823,6 +850,7 @@ static struct spi_imx_devtype_data imx21_cspi_devtype_data = {
+ static struct spi_imx_devtype_data imx27_cspi_devtype_data = {
+ /* i.mx27 cspi shares the functions with i.mx21 one */
+ .intctrl = mx21_intctrl,
++ .prepare_message = mx21_prepare_message,
+ .config = mx21_config,
+ .trigger = mx21_trigger,
+ .rx_available = mx21_rx_available,
+@@ -835,6 +863,7 @@ static struct spi_imx_devtype_data imx27_cspi_devtype_data = {
+
+ static struct spi_imx_devtype_data imx31_cspi_devtype_data = {
+ .intctrl = mx31_intctrl,
++ .prepare_message = mx31_prepare_message,
+ .config = mx31_config,
+ .trigger = mx31_trigger,
+ .rx_available = mx31_rx_available,
+@@ -848,6 +877,7 @@ static struct spi_imx_devtype_data imx31_cspi_devtype_data = {
+ static struct spi_imx_devtype_data imx35_cspi_devtype_data = {
+ /* i.mx35 and later cspi shares the functions with i.mx31 one */
+ .intctrl = mx31_intctrl,
++ .prepare_message = mx31_prepare_message,
+ .config = mx31_config,
+ .trigger = mx31_trigger,
+ .rx_available = mx31_rx_available,
+@@ -860,6 +890,7 @@ static struct spi_imx_devtype_data imx35_cspi_devtype_data = {
+
+ static struct spi_imx_devtype_data imx51_ecspi_devtype_data = {
+ .intctrl = mx51_ecspi_intctrl,
++ .prepare_message = mx51_ecspi_prepare_message,
+ .config = mx51_ecspi_config,
+ .trigger = mx51_ecspi_trigger,
+ .rx_available = mx51_ecspi_rx_available,
+@@ -872,6 +903,7 @@ static struct spi_imx_devtype_data imx51_ecspi_devtype_data = {
+
+ static struct spi_imx_devtype_data imx53_ecspi_devtype_data = {
+ .intctrl = mx51_ecspi_intctrl,
++ .prepare_message = mx51_ecspi_prepare_message,
+ .config = mx51_ecspi_config,
+ .trigger = mx51_ecspi_trigger,
+ .rx_available = mx51_ecspi_rx_available,
+@@ -1310,7 +1342,13 @@ spi_imx_prepare_message(struct spi_master *master, struct spi_message *msg)
+ return ret;
+ }
+
+- return 0;
++ ret = spi_imx->devtype_data->prepare_message(spi_imx, msg);
++ if (ret) {
++ clk_disable(spi_imx->clk_ipg);
++ clk_disable(spi_imx->clk_per);
++ }
++
++ return ret;
+ }
+
+ static int
+--
+2.19.1
+
--- /dev/null
+From edc2d073b9dbfc51f5c615b98fbf22c140093c29 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <u.kleine-koenig@pengutronix.de>
+Date: Sun, 23 Dec 2018 22:21:22 +0100
+Subject: spi: imx: mx51-ecspi: Move some initialisation to prepare_message
+ hook.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The relevant difference between prepare_message and config is that the
+former is run before the CS signal is asserted. So the polarity of the
+CLK line must be configured in prepare_message as an edge generated by
+config might already result in a latch of the MOSI line.
+
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+[ukleinek: backport to v4.14.x]
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-imx.c | 59 ++++++++++++++++++++++++++-----------------
+ 1 file changed, 36 insertions(+), 23 deletions(-)
+
+diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c
+index 3fdb0652429b..df18d07d544d 100644
+--- a/drivers/spi/spi-imx.c
++++ b/drivers/spi/spi-imx.c
+@@ -443,14 +443,9 @@ static void mx51_ecspi_trigger(struct spi_imx_data *spi_imx)
+ static int mx51_ecspi_prepare_message(struct spi_imx_data *spi_imx,
+ struct spi_message *msg)
+ {
+- return 0;
+-}
+-
+-static int mx51_ecspi_config(struct spi_device *spi)
+-{
+- struct spi_imx_data *spi_imx = spi_master_get_devdata(spi->master);
++ struct spi_device *spi = msg->spi;
+ u32 ctrl = MX51_ECSPI_CTRL_ENABLE;
+- u32 clk = spi_imx->speed_hz, delay, reg;
++ u32 testreg;
+ u32 cfg = readl(spi_imx->base + MX51_ECSPI_CONFIG);
+
+ /*
+@@ -468,14 +463,21 @@ static int mx51_ecspi_config(struct spi_device *spi)
+ if (spi->mode & SPI_READY)
+ ctrl |= MX51_ECSPI_CTRL_DRCTL(spi_imx->spi_drctl);
+
+- /* set clock speed */
+- ctrl |= mx51_ecspi_clkdiv(spi_imx, spi_imx->speed_hz, &clk);
+- spi_imx->spi_bus_clk = clk;
+-
+ /* set chip select to use */
+ ctrl |= MX51_ECSPI_CTRL_CS(spi->chip_select);
+
+- ctrl |= (spi_imx->bits_per_word - 1) << MX51_ECSPI_CTRL_BL_OFFSET;
++ /*
++ * The ctrl register must be written first, with the EN bit set other
++ * registers must not be written to.
++ */
++ writel(ctrl, spi_imx->base + MX51_ECSPI_CTRL);
++
++ testreg = readl(spi_imx->base + MX51_ECSPI_TESTREG);
++ if (spi->mode & SPI_LOOP)
++ testreg |= MX51_ECSPI_TESTREG_LBC;
++ else
++ testreg &= ~MX51_ECSPI_TESTREG_LBC;
++ writel(testreg, spi_imx->base + MX51_ECSPI_TESTREG);
+
+ cfg |= MX51_ECSPI_CONFIG_SBBCTRL(spi->chip_select);
+
+@@ -491,26 +493,38 @@ static int mx51_ecspi_config(struct spi_device *spi)
+ cfg &= ~MX51_ECSPI_CONFIG_SCLKPOL(spi->chip_select);
+ cfg &= ~MX51_ECSPI_CONFIG_SCLKCTL(spi->chip_select);
+ }
++
+ if (spi->mode & SPI_CS_HIGH)
+ cfg |= MX51_ECSPI_CONFIG_SSBPOL(spi->chip_select);
+ else
+ cfg &= ~MX51_ECSPI_CONFIG_SSBPOL(spi->chip_select);
+
++ writel(cfg, spi_imx->base + MX51_ECSPI_CONFIG);
++
++ return 0;
++}
++
++static int mx51_ecspi_config(struct spi_device *spi)
++{
++ struct spi_imx_data *spi_imx = spi_master_get_devdata(spi->master);
++ u32 ctrl = readl(spi_imx->base + MX51_ECSPI_CTRL);
++ u32 clk = spi_imx->speed_hz, delay;
++
++ /* Clear BL field and set the right value */
++ ctrl &= ~MX51_ECSPI_CTRL_BL_MASK;
++ ctrl |= (spi_imx->bits_per_word - 1) << MX51_ECSPI_CTRL_BL_OFFSET;
++
++ /* set clock speed */
++ ctrl &= ~(0xf << MX51_ECSPI_CTRL_POSTDIV_OFFSET |
++ 0xf << MX51_ECSPI_CTRL_PREDIV_OFFSET);
++ ctrl |= mx51_ecspi_clkdiv(spi_imx, spi_imx->speed_hz, &clk);
++ spi_imx->spi_bus_clk = clk;
++
+ if (spi_imx->usedma)
+ ctrl |= MX51_ECSPI_CTRL_SMC;
+
+- /* CTRL register always go first to bring out controller from reset */
+ writel(ctrl, spi_imx->base + MX51_ECSPI_CTRL);
+
+- reg = readl(spi_imx->base + MX51_ECSPI_TESTREG);
+- if (spi->mode & SPI_LOOP)
+- reg |= MX51_ECSPI_TESTREG_LBC;
+- else
+- reg &= ~MX51_ECSPI_TESTREG_LBC;
+- writel(reg, spi_imx->base + MX51_ECSPI_TESTREG);
+-
+- writel(cfg, spi_imx->base + MX51_ECSPI_CONFIG);
+-
+ /*
+ * Wait until the changes in the configuration register CONFIGREG
+ * propagate into the hardware. It takes exactly one tick of the
+@@ -532,7 +546,6 @@ static int mx51_ecspi_config(struct spi_device *spi)
+ * Configure the DMA register: setup the watermark
+ * and enable DMA request.
+ */
+-
+ writel(MX51_ECSPI_DMA_RX_WML(spi_imx->wml) |
+ MX51_ECSPI_DMA_TX_WML(spi_imx->wml) |
+ MX51_ECSPI_DMA_RXT_WML(spi_imx->wml) |
+--
+2.19.1
+
--- /dev/null
+From cba6396f9204d6a340d08570eca91532dd88a4ef Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Wed, 26 Dec 2018 13:32:11 +0100
+Subject: ubifs: Handle re-linking of inodes correctly while recovery
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit e58725d51fa8da9133f3f1c54170aa2e43056b91 upstream.
+
+UBIFS's recovery code strictly assumes that a deleted inode will never
+come back, therefore it removes all data which belongs to that inode
+as soon it faces an inode with link count 0 in the replay list.
+Before O_TMPFILE this assumption was perfectly fine. With O_TMPFILE
+it can lead to data loss upon a power-cut.
+
+Consider a journal with entries like:
+0: inode X (nlink = 0) /* O_TMPFILE was created */
+1: data for inode X /* Someone writes to the temp file */
+2: inode X (nlink = 0) /* inode was changed, xattr, chmod, … */
+3: inode X (nlink = 1) /* inode was re-linked via linkat() */
+
+Upon replay of entry #2 UBIFS will drop all data that belongs to inode X,
+this will lead to an empty file after mounting.
+
+As solution for this problem, scan the replay list for a re-link entry
+before dropping data.
+
+Fixes: 474b93704f32 ("ubifs: Implement O_TMPFILE")
+Cc: stable@vger.kernel.org # 4.9-4.18
+Cc: Russell Senior <russell@personaltelco.net>
+Cc: Rafał Miłecki <zajec5@gmail.com>
+Reported-by: Russell Senior <russell@personaltelco.net>
+Reported-by: Rafał Miłecki <zajec5@gmail.com>
+Tested-by: Rafał Miłecki <rafal@milecki.pl>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+[rmilecki: update ubifs_assert() calls to compile with 4.18 and older]
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+(cherry picked from commit e58725d51fa8da9133f3f1c54170aa2e43056b91)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ubifs/replay.c | 37 +++++++++++++++++++++++++++++++++++++
+ 1 file changed, 37 insertions(+)
+
+diff --git a/fs/ubifs/replay.c b/fs/ubifs/replay.c
+index ae5c02f22f3e..d998fbf7de30 100644
+--- a/fs/ubifs/replay.c
++++ b/fs/ubifs/replay.c
+@@ -209,6 +209,38 @@ static int trun_remove_range(struct ubifs_info *c, struct replay_entry *r)
+ return ubifs_tnc_remove_range(c, &min_key, &max_key);
+ }
+
++/**
++ * inode_still_linked - check whether inode in question will be re-linked.
++ * @c: UBIFS file-system description object
++ * @rino: replay entry to test
++ *
++ * O_TMPFILE files can be re-linked, this means link count goes from 0 to 1.
++ * This case needs special care, otherwise all references to the inode will
++ * be removed upon the first replay entry of an inode with link count 0
++ * is found.
++ */
++static bool inode_still_linked(struct ubifs_info *c, struct replay_entry *rino)
++{
++ struct replay_entry *r;
++
++ ubifs_assert(rino->deletion);
++ ubifs_assert(key_type(c, &rino->key) == UBIFS_INO_KEY);
++
++ /*
++ * Find the most recent entry for the inode behind @rino and check
++ * whether it is a deletion.
++ */
++ list_for_each_entry_reverse(r, &c->replay_list, list) {
++ ubifs_assert(r->sqnum >= rino->sqnum);
++ if (key_inum(c, &r->key) == key_inum(c, &rino->key))
++ return r->deletion == 0;
++
++ }
++
++ ubifs_assert(0);
++ return false;
++}
++
+ /**
+ * apply_replay_entry - apply a replay entry to the TNC.
+ * @c: UBIFS file-system description object
+@@ -239,6 +271,11 @@ static int apply_replay_entry(struct ubifs_info *c, struct replay_entry *r)
+ {
+ ino_t inum = key_inum(c, &r->key);
+
++ if (inode_still_linked(c, r)) {
++ err = 0;
++ break;
++ }
++
+ err = ubifs_tnc_remove_ino(c, inum);
+ break;
+ }
+--
+2.19.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
