4.20-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 14 Jan 2019 17:45:00 +0000 (18:45 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 14 Jan 2019 17:45:00 +0000 (18:45 +0100)
added patches:
acpi-iort-fix-rc_dma_get_range.patch
acpi-pmic-xpower-fix-ts-pin-current-source-handling.patch
acpi-power-skip-duplicate-power-resource-references-in-_prx.patch
i2c-dev-prevent-adapter-retries-and-timeout-being-set-as-minus-value.patch
mtd-rawnand-qcom-fix-memory-corruption-that-causes-panic.patch
vfio-type1-fix-unmap-overflow-off-by-one.patch

queue-4.20/acpi-iort-fix-rc_dma_get_range.patch [new file with mode: 0644]
queue-4.20/acpi-pmic-xpower-fix-ts-pin-current-source-handling.patch [new file with mode: 0644]
queue-4.20/acpi-power-skip-duplicate-power-resource-references-in-_prx.patch [new file with mode: 0644]
queue-4.20/i2c-dev-prevent-adapter-retries-and-timeout-being-set-as-minus-value.patch [new file with mode: 0644]
queue-4.20/mtd-rawnand-qcom-fix-memory-corruption-that-causes-panic.patch [new file with mode: 0644]
queue-4.20/series
queue-4.20/vfio-type1-fix-unmap-overflow-off-by-one.patch [new file with mode: 0644]

diff --git a/queue-4.20/acpi-iort-fix-rc_dma_get_range.patch b/queue-4.20/acpi-iort-fix-rc_dma_get_range.patch
new file mode 100644 (file)
index 0000000..aac5279
--- /dev/null
@@ -0,0 +1,48 @@
+From c7777236dd8f587f6a8d6800c03df318fd4d2627 Mon Sep 17 00:00:00 2001
+From: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
+Date: Thu, 10 Jan 2019 18:41:51 +0000
+Subject: ACPI/IORT: Fix rc_dma_get_range()
+
+From: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
+
+commit c7777236dd8f587f6a8d6800c03df318fd4d2627 upstream.
+
+When executed for a PCI_ROOT_COMPLEX type, iort_match_node_callback()
+expects the opaque pointer argument to be a PCI bus device. At the
+moment rc_dma_get_range() passes the PCI endpoint instead of the bus,
+and we've been lucky to have pci_domain_nr(ptr) return 0 instead of
+crashing. Pass the bus device to iort_scan_node().
+
+Fixes: 5ac65e8c8941 ("ACPI/IORT: Support address size limit for root complexes")
+Reported-by: Eric Auger <eric.auger@redhat.com>
+Signed-off-by: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Acked-by: Robin Murphy <robin.murphy@arm.com>
+Cc: stable@vger.kernel.org
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Hanjun Guo <hanjun.guo@linaro.org>
+Cc: Sudeep Holla <sudeep.holla@arm.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/arm64/iort.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/arm64/iort.c
++++ b/drivers/acpi/arm64/iort.c
+@@ -951,9 +951,10 @@ static int rc_dma_get_range(struct devic
+ {
+       struct acpi_iort_node *node;
+       struct acpi_iort_root_complex *rc;
++      struct pci_bus *pbus = to_pci_dev(dev)->bus;
+       node = iort_scan_node(ACPI_IORT_NODE_PCI_ROOT_COMPLEX,
+-                            iort_match_node_callback, dev);
++                            iort_match_node_callback, &pbus->dev);
+       if (!node || node->revision < 1)
+               return -ENODEV;
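Review bot: `to_pci_dev(dev)->bus` on the new `pbus` line is an unchecked container_of cast, so rc_dma_get_range() now depends on every caller passing a PCI device; no `dev_is_pci()` guard is visible in this hunk. If the guard sits in the caller, record that above the declaration, e.g. `/* dev is a PCI device here; callers check dev_is_pci() */`. The function body continues past the end of the hunk, so the rest of the contract cannot be checked from here.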
diff --git a/queue-4.20/acpi-pmic-xpower-fix-ts-pin-current-source-handling.patch b/queue-4.20/acpi-pmic-xpower-fix-ts-pin-current-source-handling.patch
new file mode 100644 (file)
index 0000000..45d292e
--- /dev/null
@@ -0,0 +1,122 @@
+From 2b531d71595d2b5b12782a49b23c335869e2621e Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Fri, 4 Jan 2019 23:10:54 +0100
+Subject: ACPI / PMIC: xpower: Fix TS-pin current-source handling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 2b531d71595d2b5b12782a49b23c335869e2621e upstream.
+
+The current-source used for the battery temp-sensor (TS) is shared with the
+GPADC. For proper fuel-gauge and charger operation the TS current-source
+needs to be permanently on. But to read the GPADC we need to temporary
+switch the TS current-source to ondemand, so that the GPADC can use it,
+otherwise we will always read an all 0 value.
+
+The switching from on to on-ondemand is not necessary when the TS
+current-source is off (this happens on devices which do not have a TS).
+
+Prior to this commit there were 2 issues with our handling of the TS
+current-source switching:
+
+ 1) We were writing hardcoded values to the ADC TS pin-ctrl register,
+ overwriting various other unrelated bits. Specifically we were overwriting
+ the current-source setting for the TS and GPIO0 pins, forcing it to 80ųA
+ independent of its original setting. On a Chuwi Vi10 tablet this was
+ causing us to get a too high adc value (due to a too high current-source)
+ resulting in acpi_lpat_raw_to_temp() returning -ENOENT, resulting in:
+
+ACPI Error: AE_ERROR, Returned by Handler for [UserDefinedRegion]
+ACPI Error: Method parse/execution failed \_SB.SXP1._TMP, AE_ERROR
+
+This commit fixes this by using regmap_update_bits to change only the
+relevant bits.
+
+ 2) At the end of intel_xpower_pmic_get_raw_temp() we were unconditionally
+ enabling the TS current-source even on devices where the TS-pin is not used
+ and the current-source thus was off on entry of the function.
+
+This commit fixes this by checking if the TS current-source is off when
+entering intel_xpower_pmic_get_raw_temp() and if so it is left as is.
+
+Fixes: 58eefe2f3f53 (ACPI / PMIC: xpower: Do pinswitch ... reading GPADC)
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: 4.14+ <stable@vger.kernel.org> # 4.14+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/pmic/intel_pmic_xpower.c |   41 +++++++++++++++++++++++++++-------
+ 1 file changed, 33 insertions(+), 8 deletions(-)
+
+--- a/drivers/acpi/pmic/intel_pmic_xpower.c
++++ b/drivers/acpi/pmic/intel_pmic_xpower.c
+@@ -20,8 +20,11 @@
+ #define GPI1_LDO_ON           (3 << 0)
+ #define GPI1_LDO_OFF          (4 << 0)
+-#define AXP288_ADC_TS_PIN_GPADC       0xf2
+-#define AXP288_ADC_TS_PIN_ON  0xf3
++#define AXP288_ADC_TS_CURRENT_ON_OFF_MASK             GENMASK(1, 0)
++#define AXP288_ADC_TS_CURRENT_OFF                     (0 << 0)
++#define AXP288_ADC_TS_CURRENT_ON_WHEN_CHARGING                (1 << 0)
++#define AXP288_ADC_TS_CURRENT_ON_ONDEMAND             (2 << 0)
++#define AXP288_ADC_TS_CURRENT_ON                      (3 << 0)
+ static struct pmic_table power_table[] = {
+       {
+@@ -212,22 +215,44 @@ out:
+  */
+ static int intel_xpower_pmic_get_raw_temp(struct regmap *regmap, int reg)
+ {
++      int ret, adc_ts_pin_ctrl;
+       u8 buf[2];
+-      int ret;
+-      ret = regmap_write(regmap, AXP288_ADC_TS_PIN_CTRL,
+-                         AXP288_ADC_TS_PIN_GPADC);
++      /*
++       * The current-source used for the battery temp-sensor (TS) is shared
++       * with the GPADC. For proper fuel-gauge and charger operation the TS
++       * current-source needs to be permanently on. But to read the GPADC we
++       * need to temporary switch the TS current-source to ondemand, so that
++       * the GPADC can use it, otherwise we will always read an all 0 value.
++       *
++       * Note that the switching from on to on-ondemand is not necessary
++       * when the TS current-source is off (this happens on devices which
++       * do not use the TS-pin).
++       */
++      ret = regmap_read(regmap, AXP288_ADC_TS_PIN_CTRL, &adc_ts_pin_ctrl);
+       if (ret)
+               return ret;
+-      /* After switching to the GPADC pin give things some time to settle */
+-      usleep_range(6000, 10000);
++      if (adc_ts_pin_ctrl & AXP288_ADC_TS_CURRENT_ON_OFF_MASK) {
++              ret = regmap_update_bits(regmap, AXP288_ADC_TS_PIN_CTRL,
++                                       AXP288_ADC_TS_CURRENT_ON_OFF_MASK,
++                                       AXP288_ADC_TS_CURRENT_ON_ONDEMAND);
++              if (ret)
++                      return ret;
++
++              /* Wait a bit after switching the current-source */
++              usleep_range(6000, 10000);
++      }
+       ret = regmap_bulk_read(regmap, AXP288_GP_ADC_H, buf, 2);
+       if (ret == 0)
+               ret = (buf[0] << 4) + ((buf[1] >> 4) & 0x0f);
+-      regmap_write(regmap, AXP288_ADC_TS_PIN_CTRL, AXP288_ADC_TS_PIN_ON);
++      if (adc_ts_pin_ctrl & AXP288_ADC_TS_CURRENT_ON_OFF_MASK) {
++              regmap_update_bits(regmap, AXP288_ADC_TS_PIN_CTRL,
++                                 AXP288_ADC_TS_CURRENT_ON_OFF_MASK,
++                                 AXP288_ADC_TS_CURRENT_ON);
++      }
+       return ret;
+ }
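Review bot: The restore at the end of intel_xpower_pmic_get_raw_temp() writes `AXP288_ADC_TS_CURRENT_ON` whenever either mask bit was set on entry, so a device that started as `AXP288_ADC_TS_CURRENT_ON_WHEN_CHARGING` leaves the function switched to permanently on. Passing the saved bits, `adc_ts_pin_ctrl & AXP288_ADC_TS_CURRENT_ON_OFF_MASK`, as the last argument of the final `regmap_update_bits()` would keep the original setting. That call's return value is also dropped, so a failed restore leaves the TS current-source on-demand while the function reports success; a warning on failure would make that visible. Separately, `adc_ts_pin_ctrl` is declared `int` but its address is passed to `regmap_read()`, which takes an `unsigned int *`.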
diff --git a/queue-4.20/acpi-power-skip-duplicate-power-resource-references-in-_prx.patch b/queue-4.20/acpi-power-skip-duplicate-power-resource-references-in-_prx.patch
new file mode 100644 (file)
index 0000000..db6e6af
--- /dev/null
@@ -0,0 +1,87 @@
+From 7d7b467cb95bf29597b417d4990160d4ea6d69b9 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sun, 30 Dec 2018 18:25:00 +0100
+Subject: ACPI: power: Skip duplicate power resource references in _PRx
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 7d7b467cb95bf29597b417d4990160d4ea6d69b9 upstream.
+
+Some ACPI tables contain duplicate power resource references like this:
+
+        Name (_PR0, Package (0x04)  // _PR0: Power Resources for D0
+        {
+            P28P,
+            P18P,
+            P18P,
+            CLK4
+        })
+
+This causes a WARN_ON in sysfs_add_link_to_group() because we end up
+adding a link to the same acpi_device twice:
+
+sysfs: cannot create duplicate filename '/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A08:00/808622C1:00/OVTI2680:00/power_resources_D0/LNXPOWER:0a'
+CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.19.12-301.fc29.x86_64 #1
+Hardware name: Insyde CherryTrail/Type2 - Board Product Name, BIOS jumperx.T87.KFBNEEA02 04/13/2016
+Call Trace:
+ dump_stack+0x5c/0x80
+ sysfs_warn_dup.cold.3+0x17/0x2a
+ sysfs_do_create_link_sd.isra.2+0xa9/0xb0
+ sysfs_add_link_to_group+0x30/0x50
+ acpi_power_expose_list+0x74/0xa0
+ acpi_power_add_remove_device+0x50/0xa0
+ acpi_add_single_object+0x26b/0x5f0
+ acpi_bus_check_add+0xc4/0x250
+ ...
+
+To address this issue, make acpi_extract_power_resources() check for
+duplicates and simply skip them when found.
+
+Cc: All applicable <stable@vger.kernel.org>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+[ rjw: Subject & changelog, comments ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/power.c |   22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+--- a/drivers/acpi/power.c
++++ b/drivers/acpi/power.c
+@@ -131,6 +131,23 @@ void acpi_power_resources_list_free(stru
+       }
+ }
++static bool acpi_power_resource_is_dup(union acpi_object *package,
++                                     unsigned int start, unsigned int i)
++{
++      acpi_handle rhandle, dup;
++      unsigned int j;
++
++      /* The caller is expected to check the package element types */
++      rhandle = package->package.elements[i].reference.handle;
++      for (j = start; j < i; j++) {
++              dup = package->package.elements[j].reference.handle;
++              if (dup == rhandle)
++                      return true;
++      }
++
++      return false;
++}
++
+ int acpi_extract_power_resources(union acpi_object *package, unsigned int start,
+                                struct list_head *list)
+ {
+@@ -150,6 +167,11 @@ int acpi_extract_power_resources(union a
+                       err = -ENODEV;
+                       break;
+               }
++
++              /* Some ACPI tables contain duplicate power resource references */
++              if (acpi_power_resource_is_dup(package, start, i))
++                      continue;
++
+               err = acpi_add_power_resource(rhandle);
+               if (err)
+                       break;
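Review bot: The comment in acpi_power_resource_is_dup() covers element `i`, but the loop also reads `reference.handle` from elements `start` to `i - 1`, which is safe only if the caller stops at the first element that fails its type check. The second hunk shows a `break` after `err = -ENODEV`, which suggests this holds, though the check itself is outside the hunk. The comment could state the full precondition: `/* Elements start..i were type-checked by the caller, which stops at the first invalid one */`.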
diff --git a/queue-4.20/i2c-dev-prevent-adapter-retries-and-timeout-being-set-as-minus-value.patch b/queue-4.20/i2c-dev-prevent-adapter-retries-and-timeout-being-set-as-minus-value.patch
new file mode 100644 (file)
index 0000000..53947a7
--- /dev/null
@@ -0,0 +1,50 @@
+From 6ebec961d59bccf65d08b13fc1ad4e6272a89338 Mon Sep 17 00:00:00 2001
+From: Yi Zeng <yizeng@asrmicro.com>
+Date: Wed, 9 Jan 2019 15:33:07 +0800
+Subject: i2c: dev: prevent adapter retries and timeout being set as minus value
+
+From: Yi Zeng <yizeng@asrmicro.com>
+
+commit 6ebec961d59bccf65d08b13fc1ad4e6272a89338 upstream.
+
+If adapter->retries is set to a minus value from user space via ioctl,
+it will make __i2c_transfer and __i2c_smbus_xfer skip the calling to
+adapter->algo->master_xfer and adapter->algo->smbus_xfer that is
+registered by the underlying bus drivers, and return value 0 to all the
+callers. The bus driver will never be accessed anymore by all users,
+besides, the users may still get successful return value without any
+error or information log print out.
+
+If adapter->timeout is set to minus value from user space via ioctl,
+it will make the retrying loop in __i2c_transfer and __i2c_smbus_xfer
+always break after the the first try, due to the time_after always
+returns true.
+
+Signed-off-by: Yi Zeng <yizeng@asrmicro.com>
+[wsa: minor grammar updates to commit message]
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/i2c-dev.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/i2c/i2c-dev.c
++++ b/drivers/i2c/i2c-dev.c
+@@ -470,9 +470,15 @@ static long i2cdev_ioctl(struct file *fi
+                                         data_arg.data);
+       }
+       case I2C_RETRIES:
++              if (arg > INT_MAX)
++                      return -EINVAL;
++
+               client->adapter->retries = arg;
+               break;
+       case I2C_TIMEOUT:
++              if (arg > INT_MAX)
++                      return -EINVAL;
++
+               /* For historical reasons, user-space sets the timeout
+                * value in units of 10 ms.
+                */
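Review bot: The `arg > INT_MAX` bound added under `I2C_TIMEOUT` may be too loose for the value that is actually stored. The comment that closes the hunk says user space passes the timeout in units of 10 ms, and the assignment itself is outside the hunk. If it scales `arg` by 10 before storing into an `int`, values above `INT_MAX / 10` can still end up as a negative timeout, which is the condition the commit sets out to prevent. In that case the check should be `if (arg > INT_MAX / 10) return -EINVAL;`.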
diff --git a/queue-4.20/mtd-rawnand-qcom-fix-memory-corruption-that-causes-panic.patch b/queue-4.20/mtd-rawnand-qcom-fix-memory-corruption-that-causes-panic.patch
new file mode 100644 (file)
index 0000000..c8e84c2
--- /dev/null
@@ -0,0 +1,95 @@
+From 81d9bdf59092e4755fc4307c93c4589ef0fe2e0f Mon Sep 17 00:00:00 2001
+From: Christian Lamparter <chunkeey@gmail.com>
+Date: Sun, 23 Dec 2018 01:31:26 +0100
+Subject: mtd: rawnand: qcom: fix memory corruption that causes panic
+
+From: Christian Lamparter <chunkeey@gmail.com>
+
+commit 81d9bdf59092e4755fc4307c93c4589ef0fe2e0f upstream.
+
+This patch fixes a memory corruption that occurred in the
+qcom-nandc driver since it was converted to nand_scan().
+
+On boot, an affected device will panic from a NPE at a weird place:
+| Unable to handle kernel NULL pointer dereference at virtual address 0
+| pgd = (ptrval)
+| [00000000] *pgd=00000000
+| Internal error: Oops: 80000005 [#1] SMP ARM
+| CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.19.9 #0
+| Hardware name: Generic DT based system
+| PC is at   (null)
+| LR is at nand_block_isbad+0x90/0xa4
+| pc : [<00000000>]    lr : [<c0592240>]    psr: 80000013
+| sp : cf839d40  ip : 00000000  fp : cfae9e20
+| r10: cf815810  r9 : 00000000  r8 : 00000000
+| r7 : 00000000  r6 : 00000000  r5 : 00000001  r4 : cf815810
+| r3 : 00000000  r2 : cfae9810  r1 : ffffffff  r0 : cf815810
+| Flags: Nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
+| Control: 10c5387d  Table: 8020406a  DAC: 00000051
+| Process swapper/0 (pid: 1, stack limit = 0x(ptrval))
+| [<c0592240>] (nand_block_isbad) from [<c0580a94>]
+| [<c0580a94>] (allocate_partition) from [<c05811e4>]
+| [<c05811e4>] (add_mtd_partitions) from [<c0581164>]
+| [<c0581164>] (parse_mtd_partitions) from [<c057def4>]
+| [<c057def4>] (mtd_device_parse_register) from [<c059d274>]
+| [<c059d274>] (qcom_nandc_probe) from [<c0567f00>]
+
+The problem is that the nand_scan()'s qcom_nand_attach_chip callback
+is updating the nandc->max_cwperpage from 1 to 4. This causes the
+sg_init_table of clear_bam_transaction() in the driver's
+qcom_nandc_block_bad() to memset much more than what was initially
+allocated by alloc_bam_transaction().
+
+This patch restores the old behavior by reallocating the shared bam
+transaction alloc_bam_transaction() after the chip was identified,
+but before mtd_device_parse_register() (which is an alias for
+mtd_device_register() - see panic) gets called. This fixes the
+corruption and the driver is working again.
+
+Cc: stable@vger.kernel.org
+Fixes: 6a3cec64f18c ("mtd: rawnand: qcom: convert driver to nand_scan()")
+Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
+Acked-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Boris Brezillon <bbrezillon@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/raw/qcom_nandc.c |   20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+--- a/drivers/mtd/nand/raw/qcom_nandc.c
++++ b/drivers/mtd/nand/raw/qcom_nandc.c
+@@ -2833,6 +2833,16 @@ static int qcom_nand_host_init_and_regis
+       if (ret)
+               return ret;
++      if (nandc->props->is_bam) {
++              free_bam_transaction(nandc);
++              nandc->bam_txn = alloc_bam_transaction(nandc);
++              if (!nandc->bam_txn) {
++                      dev_err(nandc->dev,
++                              "failed to allocate bam transaction\n");
++                      return -ENOMEM;
++              }
++      }
++
+       ret = mtd_device_register(mtd, NULL, 0);
+       if (ret)
+               nand_cleanup(chip);
+@@ -2847,16 +2857,6 @@ static int qcom_probe_nand_devices(struc
+       struct qcom_nand_host *host;
+       int ret;
+-      if (nandc->props->is_bam) {
+-              free_bam_transaction(nandc);
+-              nandc->bam_txn = alloc_bam_transaction(nandc);
+-              if (!nandc->bam_txn) {
+-                      dev_err(nandc->dev,
+-                              "failed to allocate bam transaction\n");
+-                      return -ENOMEM;
+-              }
+-      }
+-
+       for_each_available_child_of_node(dn, child) {
+               host = devm_kzalloc(dev, sizeof(*host), GFP_KERNEL);
+               if (!host) {
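Review bot: The new `return -ENOMEM` in qcom_nand_host_init_and_register() exits without undoing the step that succeeded just before it, while the `mtd_device_register()` failure a few lines below calls `nand_cleanup(chip)`. The preceding call is outside the hunk, but if it is the nand_scan() the commit message refers to, the allocation-failure path should release the same resources. Add `nand_cleanup(chip);` before `return -ENOMEM;`.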
index 4243fd60f6c799a2b7c552e1e33d538a51100b42..849f93c14b036169d85bd724a2167d5a17a473e0 100644 (file)
@@ -28,4 +28,10 @@ fork-memcg-fix-cached_stacks-case.patch
 slab-alien-caches-must-not-be-initialized-if-the-allocation-of-the-alien-cache-failed.patch
 mm-usercopy.c-no-check-page-span-for-stack-objects.patch
 mm-memcg-fix-reclaim-deadlock-with-writeback.patch
+acpi-power-skip-duplicate-power-resource-references-in-_prx.patch
+acpi-pmic-xpower-fix-ts-pin-current-source-handling.patch
+acpi-iort-fix-rc_dma_get_range.patch
+i2c-dev-prevent-adapter-retries-and-timeout-being-set-as-minus-value.patch
+mtd-rawnand-qcom-fix-memory-corruption-that-causes-panic.patch
+vfio-type1-fix-unmap-overflow-off-by-one.patch
 mm-page_mapped-don-t-assume-compound-page-is-huge-or-thp.patch
diff --git a/queue-4.20/vfio-type1-fix-unmap-overflow-off-by-one.patch b/queue-4.20/vfio-type1-fix-unmap-overflow-off-by-one.patch
new file mode 100644 (file)
index 0000000..5ff021b
--- /dev/null
@@ -0,0 +1,41 @@
+From 58fec830fc19208354895d9832785505046d6c01 Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Mon, 7 Jan 2019 22:13:22 -0700
+Subject: vfio/type1: Fix unmap overflow off-by-one
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+commit 58fec830fc19208354895d9832785505046d6c01 upstream.
+
+The below referenced commit adds a test for integer overflow, but in
+doing so prevents the unmap ioctl from ever including the last page of
+the address space.  Subtract one to compare to the last address of the
+unmap to avoid the overflow and wrap-around.
+
+Fixes: 71a7d3d78e3c ("vfio/type1: silence integer overflow warning")
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=1662291
+Cc: stable@vger.kernel.org # v4.15+
+Reported-by: Pei Zhang <pezhang@redhat.com>
+Debugged-by: Peter Xu <peterx@redhat.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Peter Xu <peterx@redhat.com>
+Tested-by: Peter Xu <peterx@redhat.com>
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/vfio/vfio_iommu_type1.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/vfio/vfio_iommu_type1.c
++++ b/drivers/vfio/vfio_iommu_type1.c
+@@ -878,7 +878,7 @@ static int vfio_dma_do_unmap(struct vfio
+               return -EINVAL;
+       if (!unmap->size || unmap->size & mask)
+               return -EINVAL;
+-      if (unmap->iova + unmap->size < unmap->iova ||
++      if (unmap->iova + unmap->size - 1 < unmap->iova ||
+           unmap->size > SIZE_MAX)
+               return -EINVAL;
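Review bot: The `- 1` in the wrap test is only correct because a zero `unmap->size` has already been rejected on the line above; with a zero size the left side would be `iova - 1`, which is below `iova` for any non-zero iova. That ordering dependency deserves a comment so the two checks are not reordered or merged later, e.g. `/* size != 0 checked above, so iova + size - 1 is the last byte unmapped */`. vfio_dma_do_unmap() starts and ends outside the hunk.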