author | Ben Hutchings <ben@decadent.org.uk> | 2019-09-18 17:40:42 +0100 |
---|---|---|
committer | Ben Hutchings <ben@decadent.org.uk> | 2019-09-18 19:45:10 +0100 |
commit | 5defbcaac03210f0788b5eede933f551a2ca996d (patch) | |
tree | 2031de93bae920d41899d8fe4952363df44979be | |
parent | 0ab76b52147447177f08d678c5f451fbb6556fca (diff) | |
download | linux-stable-queue-5defbcaac03210f0788b5eede933f551a2ca996d.tar.gz |
Add commits cc'd to stable, up to 5.2-rc1
...plus their obvious dependencies, and some follow-up fixes.
115 files changed, 7096 insertions, 1 deletions
diff --git a/queue-3.16/alsa-hda-hdmi-read-the-pin-sense-from-register-when-repolling.patch b/queue-3.16/alsa-hda-hdmi-read-the-pin-sense-from-register-when-repolling.patch
new file mode 100644
index 00000000..e6f1f949
--- /dev/null
+++ b/queue-3.16/alsa-hda-hdmi-read-the-pin-sense-from-register-when-repolling.patch
@@ -0,0 +1,39 @@
+From: Hui Wang <hui.wang@canonical.com>
+Date: Mon, 6 May 2019 22:09:31 +0800
+Subject: ALSA: hda/hdmi - Read the pin sense from register when repolling
+
+commit 8c2e6728c2bf95765b724e07d0278ae97cd1ee0d upstream.
+
+The driver will check the monitor presence when resuming from suspend,
+starting poll or interrupt triggers. In these 3 situations, the
+jack_dirty will be set to 1 first, then the hda_jack.c reads the
+pin_sense from register, after reading the register, the jack_dirty
+will be set to 0. But hdmi_repoll_work() is enabled in these 3
+situations, It will read the pin_sense a couple of times subsequently,
+since the jack_dirty is 0 now, It does not read the register anymore,
+instead it uses the shadow pin_sense which is read at the first time.
+
+It is meaningless to check the shadow pin_sense a couple of times,
+we need to read the register to check the real plugging state, so
+we set the jack_dirty to 1 in the hdmi_repoll_work().
+
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/sound/pci/hda/patch_hdmi.c
++++ b/sound/pci/hda/patch_hdmi.c
+@@ -1632,6 +1632,12 @@ static void hdmi_repoll_eld(struct work_
+ {
+ struct hdmi_spec_per_pin *per_pin =
+ container_of(to_delayed_work(work), struct hdmi_spec_per_pin, work);
++ struct hda_codec *codec = per_pin->codec;
++ struct hda_jack_tbl *jack;
++
++ jack = snd_hda_jack_tbl_get(codec, per_pin->pin_nid);
++ if (jack)
++ jack->jack_dirty = 1;
+
+ if (per_pin->repoll_count++ > 6)
+ per_pin->repoll_count = 0;
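Review bot: The store to `jack->jack_dirty` in hdmi_repoll_eld() runs in delayed-work context, and no lock is visible in the hunk around the `snd_hda_jack_tbl_get()` lookup or the write. If the jack table can be cleared or resized while the repoll work is still queued, `jack` would point at stale memory, so it is worth confirming that the work is cancelled before the table is torn down in the 3.16 tree. If that holds, a short comment above the lookup such as `/* force a fresh pin-sense read on each repoll */` would record why the flag is set here. The function body continues past the end of the hunk, so any locking further down is not visible.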
diff --git a/queue-3.16/alsa-hda-realtek-eapd-turn-on-later.patch b/queue-3.16/alsa-hda-realtek-eapd-turn-on-later.patch
new file mode 100644
index 00000000..45e7bbb0
--- /dev/null
+++ b/queue-3.16/alsa-hda-realtek-eapd-turn-on-later.patch
@@ -0,0 +1,35 @@
+From: Kailang Yang <kailang@realtek.com>
+Date: Fri, 26 Apr 2019 16:35:41 +0800
+Subject: ALSA: hda/realtek - EAPD turn on later
+
+commit 607ca3bd220f4022e6f5356026b19dafc363863a upstream.
+
+Let EAPD turn on after set pin output.
+
+[ NOTE: This change is supposed to reduce the possible click noises at
+ (runtime) PM resume. The functionality should be same (i.e. the
+ verbs are executed correctly) no matter which order is, so this
+ should be safe to apply for all codecs -- tiwai ]
+
+Signed-off-by: Kailang Yang <kailang@realtek.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ sound/pci/hda/patch_realtek.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -831,11 +831,10 @@ static int alc_init(struct hda_codec *co
+ if (spec->init_hook)
+ spec->init_hook(codec);
+
++ snd_hda_gen_init(codec);
+ alc_fix_pll(codec);
+ alc_auto_init_amp(codec, spec->init_amp);
+
+- snd_hda_gen_init(codec);
+-
+ snd_hda_apply_fixup(codec, HDA_FIXUP_ACT_INIT);
+
+ return 0;
diff --git a/queue-3.16/alsa-hda-realtek-fix-overridden-device-specific-initialization.patch b/queue-3.16/alsa-hda-realtek-fix-overridden-device-specific-initialization.patch
new file mode 100644
index 00000000..65fbbc16
--- /dev/null
+++ b/queue-3.16/alsa-hda-realtek-fix-overridden-device-specific-initialization.patch
@@ -0,0 +1,64 @@
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 30 Aug 2019 12:03:38 +0200
+Subject: ALSA: hda/realtek - Fix overridden device-specific initialization
+
+commit 89781d0806c2c4f29072d3f00cb2dd4274aabc3d upstream.
+
+The recent change to shuffle the codec initialization procedure for
+Realtek via commit 607ca3bd220f ("ALSA: hda/realtek - EAPD turn on
+later") caused the silent output on some machines. This change was
+supposed to be safe, but it isn't actually; some devices have quirk
+setups to override the EAPD via COEF or BTL in the additional verb
+table, which is applied at the beginning of snd_hda_gen_init(). And
+this EAPD setup is again overridden in alc_auto_init_amp().
+
+For recovering from the regression, tell snd_hda_gen_init() not to
+apply the verbs there by a new flag, then apply the verbs in
+alc_init().
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=204727
+Fixes: 607ca3bd220f ("ALSA: hda/realtek - EAPD turn on later")
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ sound/pci/hda/hda_generic.c | 3 ++-
+ sound/pci/hda/hda_generic.h | 1 +
+ sound/pci/hda/patch_realtek.c | 2 ++
+ 3 files changed, 5 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/hda_generic.c
++++ b/sound/pci/hda/hda_generic.c
+@@ -5348,7 +5348,8 @@ int snd_hda_gen_init(struct hda_codec *c
+ if (spec->init_hook)
+ spec->init_hook(codec);
+
+- snd_hda_apply_verbs(codec);
++ if (!spec->skip_verbs)
++ snd_hda_apply_verbs(codec);
+
+ codec->cached_write = 1;
+
+--- a/sound/pci/hda/hda_generic.h
++++ b/sound/pci/hda/hda_generic.h
+@@ -238,6 +238,7 @@ struct hda_gen_spec {
+ unsigned int indep_hp_enabled:1; /* independent HP enabled */
+ unsigned int have_aamix_ctl:1;
+ unsigned int hp_mic_jack_modes:1;
++ unsigned int skip_verbs:1; /* don't apply verbs at snd_hda_gen_init() */
+
+ /* additional mute flags (only effective with auto_mute_via_amp=1) */
+ u64 mute_bits;
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -831,9 +831,11 @@ static int alc_init(struct hda_codec *co
+ if (spec->init_hook)
+ spec->init_hook(codec);
+
++ spec->gen.skip_verbs = 1; /* applied in below */
+ snd_hda_gen_init(codec);
+ alc_fix_pll(codec);
+ alc_auto_init_amp(codec, spec->init_amp);
++ snd_hda_apply_verbs(codec); /* apply verbs here after own init */
+
+ snd_hda_apply_fixup(codec, HDA_FIXUP_ACT_INIT);
+
diff --git a/queue-3.16/alsa-usb-audio-fix-a-memory-leak-bug.patch b/queue-3.16/alsa-usb-audio-fix-a-memory-leak-bug.patch
new file mode 100644
index 00000000..33bf660b
--- /dev/null
+++ b/queue-3.16/alsa-usb-audio-fix-a-memory-leak-bug.patch
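Review bot: The comment `/* applied in below */` on the `spec->gen.skip_verbs = 1;` line in alc_init() is hard to parse and does not name the ordering the fix depends on; `/* verbs are applied below, after alc_auto_init_amp() */` would say it directly. The flag is also assigned on every alc_init() call rather than once where the spec is set up, which looks harmless but hides that it is a fixed property of this driver. alc_init() starts and ends outside the hunk, so where the spec is allocated is not visible here.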
@@ -0,0 +1,35 @@
+From: Wenwen Wang <wang6495@umn.edu>
+Date: Sat, 27 Apr 2019 01:06:46 -0500
+Subject: ALSA: usb-audio: Fix a memory leak bug
+
+commit cb5173594d50c72b7bfa14113dfc5084b4d2f726 upstream.
+
+In parse_audio_selector_unit(), the string array 'namelist' is allocated
+through kmalloc_array(), and each string pointer in this array, i.e.,
+'namelist[]', is allocated through kmalloc() in the following for loop.
+Then, a control instance 'kctl' is created by invoking snd_ctl_new1(). If
+an error occurs during the creation process, the string array 'namelist',
+including all string pointers in the array 'namelist[]', should be freed,
+before the error code ENOMEM is returned. However, the current code does
+not free 'namelist[]', resulting in memory leaks.
+
+To fix the above issue, free all string pointers 'namelist[]' in a loop.
+
+Signed-off-by: Wenwen Wang <wang6495@umn.edu>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ sound/usb/mixer.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -2090,6 +2090,8 @@ static int parse_audio_selector_unit(str
+ kctl = snd_ctl_new1(&mixer_selectunit_ctl, cval);
+ if (! kctl) {
+ usb_audio_err(state->chip, "cannot malloc kcontrol\n");
++ for (i = 0; i < desc->bNrInPins; i++)
++ kfree(namelist[i]);
+ kfree(namelist);
+ kfree(cval);
+ return -ENOMEM;
diff --git a/queue-3.16/alsa-usb-audio-handle-the-error-from.patch b/queue-3.16/alsa-usb-audio-handle-the-error-from.patch
new file mode 100644
index 00000000..d7f9e5ad
--- /dev/null
+++ b/queue-3.16/alsa-usb-audio-handle-the-error-from.patch
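Review bot: The `kfree(namelist[i])` loop added to the `!kctl` branch of parse_audio_selector_unit() is hand-written cleanup for one exit, so every other failure return between the namelist allocation and this point needs the same loop or it leaks in the same way. The allocation loop and the earlier error returns are outside the hunk, so whether they already release a partially filled array cannot be checked from here. The loop also frees all `desc->bNrInPins` slots, which is only safe if each slot was populated before this point is reached. A single unwind label that frees each `namelist[i]`, then `namelist`, then `cval` would keep the error paths from drifting apart.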
@@ -0,0 +1,31 @@
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 24 Apr 2019 13:00:03 +0200
+Subject: ALSA: usb-audio: Handle the error from
+ snd_usb_mixer_apply_create_quirk()
+
+commit 328e9f6973be2ee67862cb17bf6c0c5c5918cd72 upstream.
+
+The error from snd_usb_mixer_apply_create_quirk() is ignored in the
+current usb-audio driver code, which will continue the probing even
+after the error. Let's take it more serious.
+
+Fixes: 7b1eda223deb ("ALSA: usb-mixer: factor out quirks")
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ sound/usb/mixer.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -2499,7 +2499,9 @@ int snd_usb_create_mixer(struct snd_usb_
+ (err = snd_usb_mixer_status_create(mixer)) < 0)
+ goto _error;
+
+- snd_usb_mixer_apply_create_quirk(mixer);
++ err = snd_usb_mixer_apply_create_quirk(mixer);
++ if (err < 0)
++ goto _error;
+
+ err = snd_device_new(chip->card, SNDRV_DEV_CODEC, mixer, &dev_ops);
+ if (err < 0)
diff --git a/queue-3.16/arm-dts-exynos-fix-interrupt-for-shared-eints-on-exynos5260.patch b/queue-3.16/arm-dts-exynos-fix-interrupt-for-shared-eints-on-exynos5260.patch
new file mode 100644
index 00000000..d45252e9
--- /dev/null
+++ b/queue-3.16/arm-dts-exynos-fix-interrupt-for-shared-eints-on-exynos5260.patch
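Review bot: Routing a negative return from `snd_usb_mixer_apply_create_quirk()` to `goto _error` in snd_usb_create_mixer() turns every quirk failure that used to be ignored into a failed mixer creation. A device whose quirk setup returns an error for a harmless reason would lose its mixer after this backport, so the negative-return paths of the quirk function deserve an audit against the 3.16 tree before it ships in a stable release. Neither the quirk function nor the `_error` label is visible in the hunk, so what is unwound on this new path cannot be confirmed from here.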
@@ -0,0 +1,29 @@
+From: Stuart Menefy <stuart.menefy@mathembedded.com>
+Date: Tue, 19 Feb 2019 13:03:37 +0000
+Subject: ARM: dts: exynos: Fix interrupt for shared EINTs on Exynos5260
+
+commit b7ed69d67ff0788d8463e599dd5dd1b45c701a7e upstream.
+
+Fix the interrupt information for the GPIO lines with a shared EINT
+interrupt.
+
+Fixes: 16d7ff2642e7 ("ARM: dts: add dts files for exynos5260 SoC")
+Signed-off-by: Stuart Menefy <stuart.menefy@mathembedded.com>
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/arm/boot/dts/exynos5260.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/exynos5260.dtsi
++++ b/arch/arm/boot/dts/exynos5260.dtsi
+@@ -211,7 +211,7 @@
+ wakeup-interrupt-controller {
+ compatible = "samsung,exynos4210-wakeup-eint";
+ interrupt-parent = <&gic>;
+- interrupts = <0 32 0>;
++ interrupts = <0 48 0>;
+ };
+ };
+
diff --git a/queue-3.16/arm-omap2-fix-potentially-uninitialized-return-value-for.patch b/queue-3.16/arm-omap2-fix-potentially-uninitialized-return-value-for.patch
new file mode 100644
index 00000000..3e3d7bf6
--- /dev/null
+++ b/queue-3.16/arm-omap2-fix-potentially-uninitialized-return-value-for.patch
@@ -0,0 +1,36 @@
+From: Tony Lindgren <tony@atomide.com>
+Date: Thu, 21 Mar 2019 11:00:21 -0700
+Subject: ARM: OMAP2+: Fix potentially uninitialized return value for
+ _setup_reset()
+
+commit 7f0d078667a494466991aa7133f49594f32ff6a2 upstream.
+
+Commit 747834ab8347 ("ARM: OMAP2+: hwmod: revise hardreset behavior") made
+the call to _enable() conditional based on no oh->rst_lines_cnt. This
+caused the return value to be potentially uninitialized. Curiously we see
+no compiler warnings for this, probably as this gets inlined.
+
+We call _setup_reset() from _setup() and only _setup_postsetup() if the
+return value is zero. Currently the return value can be uninitialized for
+cases where oh->rst_lines_cnt is set and HWMOD_INIT_NO_RESET is not set.
+
+Fixes: 747834ab8347 ("ARM: OMAP2+: hwmod: revise hardreset behavior")
+Cc: Paul Walmsley <paul@pwsan.com>
+Cc: Tero Kristo <t-kristo@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/arm/mach-omap2/omap_hwmod.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/mach-omap2/omap_hwmod.c
++++ b/arch/arm/mach-omap2/omap_hwmod.c
+@@ -2617,7 +2617,7 @@ static void __init _setup_iclk_autoidle(
+ */
+ static int __init _setup_reset(struct omap_hwmod *oh)
+ {
+- int r;
++ int r = 0;
+
+ if (oh->_state != _HWMOD_STATE_INITIALIZED)
+ return -EINVAL;
diff --git a/queue-3.16/arm-pxa-ssp-fix-warning-invalid-free-of-devm_-allocated-data.patch b/queue-3.16/arm-pxa-ssp-fix-warning-invalid-free-of-devm_-allocated-data.patch
new file mode 100644
index 00000000..0ce34b5c
--- /dev/null
+++ b/queue-3.16/arm-pxa-ssp-fix-warning-invalid-free-of-devm_-allocated-data.patch
@@ -0,0 +1,39 @@
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Tue, 29 Jan 2019 16:03:24 +0800
+Subject: ARM: pxa: ssp: Fix "WARNING: invalid free of devm_ allocated data"
+
+commit 9ee8578d953023cc57e7e736ae48502c707c0210 upstream.
+
+Since commit 1c459de1e645 ("ARM: pxa: ssp: use devm_ functions")
+kfree, iounmap, clk_put etc are not needed anymore in remove path.
+
+Fixes: 1c459de1e645 ("ARM: pxa: ssp: use devm_ functions")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+[ commit message spelling fix ]
+Signed-off-by: Robert Jarzmik <robert.jarzmik@free.fr>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/arm/plat-pxa/ssp.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/arch/arm/plat-pxa/ssp.c
++++ b/arch/arm/plat-pxa/ssp.c
+@@ -232,18 +232,12 @@ static int pxa_ssp_probe(struct platform
+
+ static int pxa_ssp_remove(struct platform_device *pdev)
+ {
+- struct resource *res;
+ struct ssp_device *ssp;
+
+ ssp = platform_get_drvdata(pdev);
+ if (ssp == NULL)
+ return -ENODEV;
+
+- res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+- release_mem_region(res->start, resource_size(res));
+-
+- clk_put(ssp->clk);
+-
+ mutex_lock(&ssp_lock);
+ list_del(&ssp->node);
+ mutex_unlock(&ssp_lock);
diff --git a/queue-3.16/arm64-compat-reduce-address-limit.patch b/queue-3.16/arm64-compat-reduce-address-limit.patch
new file mode 100644
index 00000000..f0ed0b6a
--- /dev/null
+++ b/queue-3.16/arm64-compat-reduce-address-limit.patch
@@ -0,0 +1,48 @@
+From: Vincenzo Frascino <vincenzo.frascino@arm.com>
+Date: Mon, 1 Apr 2019 12:30:14 +0100
+Subject: arm64: compat: Reduce address limit
+
+commit d263119387de9975d2acba1dfd3392f7c5979c18 upstream.
+
+Currently, compat tasks running on arm64 can allocate memory up to
+TASK_SIZE_32 (UL(0x100000000)).
+
+This means that mmap() allocations, if we treat them as returning an
+array, are not compliant with the sections 6.5.8 of the C standard
+(C99) which states that: "If the expression P points to an element of
+an array object and the expression Q points to the last element of the
+same array object, the pointer expression Q+1 compares greater than P".
+
+Redefine TASK_SIZE_32 to address the issue.
+
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Jann Horn <jannh@google.com>
+Reported-by: Jann Horn <jannh@google.com>
+Signed-off-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
+[will: fixed typo in comment]
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+[bwh: Backported to 3.16: adjust filename]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/arm64/include/asm/memory.h | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/arch/arm64/include/asm/memory.h
++++ b/arch/arm64/include/asm/memory.h
+@@ -53,7 +53,15 @@
+ #define TASK_SIZE_64 (UL(1) << VA_BITS)
+
+ #ifdef CONFIG_COMPAT
++#ifdef CONFIG_ARM64_64K_PAGES
++/*
++ * With CONFIG_ARM64_64K_PAGES enabled, the last page is occupied
++ * by the compat vectors page.
++ */
+ #define TASK_SIZE_32 UL(0x100000000)
++#else
++#define TASK_SIZE_32 (UL(0x100000000) - PAGE_SIZE)
++#endif /* CONFIG_ARM64_64K_PAGES */
+ #define TASK_SIZE (test_thread_flag(TIF_32BIT) ? \
+ TASK_SIZE_32 : TASK_SIZE_64)
+ #define TASK_SIZE_OF(tsk) (test_tsk_thread_flag(tsk, TIF_32BIT) ? \
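Review bot: The `#else` branch that defines `TASK_SIZE_32` as `(UL(0x100000000) - PAGE_SIZE)` carries no comment, while the 64K-page branch does, so the header never says why one page is subtracted. A comment above it such as `/* Keep the top page out of reach so a one-past-the-end pointer of the highest mapping cannot wrap to 0. */` would record the reason given in the commit message. The 64K-page branch keeps the full 4 GiB limit and relies on the compat vectors page always occupying the last page of a 32-bit task; that mapping is set up outside this hunk and should be confirmed for the 3.16 tree, since the limit is only safe while it holds.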
diff --git a/queue-3.16/arm64-mmap-ensure-file-offset-is-treated-as-unsigned.patch b/queue-3.16/arm64-mmap-ensure-file-offset-is-treated-as-unsigned.patch
new file mode 100644
index 00000000..23604a29
--- /dev/null
+++ b/queue-3.16/arm64-mmap-ensure-file-offset-is-treated-as-unsigned.patch
@@ -0,0 +1,35 @@
+From: Boyang Zhou <zhouby_cn@126.com>
+Date: Mon, 29 Apr 2019 15:27:19 +0100
+Subject: arm64: mmap: Ensure file offset is treated as unsigned
+
+commit f08cae2f28db24d95be5204046b60618d8de4ddc upstream.
+
+The file offset argument to the arm64 sys_mmap() implementation is
+scaled from bytes to pages by shifting right by PAGE_SHIFT.
+Unfortunately, the offset is passed in as a signed 'off_t' type and
+therefore large offsets (i.e. with the top bit set) are incorrectly
+sign-extended by the shift. This has been observed to cause false mmap()
+failures when mapping GPU doorbells on an arm64 server part.
+
+Change the type of the file offset argument to sys_mmap() from 'off_t'
+to 'unsigned long' so that the shifting scales the value as expected.
+
+Signed-off-by: Boyang Zhou <zhouby_cn@126.com>
+[will: rewrote commit message]
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/arm64/kernel/sys.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/sys.c
++++ b/arch/arm64/kernel/sys.c
+@@ -28,7 +28,7 @@
+
+ SYSCALL_DEFINE6(mmap, unsigned long, addr, unsigned long, len,
+ unsigned long, prot, unsigned long, flags,
+- unsigned long, fd, off_t, off)
++ unsigned long, fd, unsigned long, off)
+ {
+ if (offset_in_page(off) != 0)
+ return -EINVAL;
diff --git a/queue-3.16/arm64-use-syscall_define6-for-mmap.patch b/queue-3.16/arm64-use-syscall_define6-for-mmap.patch
new file mode 100644
index 00000000..c7ddaf1e
--- /dev/null
+++ b/queue-3.16/arm64-use-syscall_define6-for-mmap.patch
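Review bot: Nothing in the code records why `off` in the mmap `SYSCALL_DEFINE6` must be `unsigned long`, so a later cleanup could restore `off_t` and bring the sign extension back. A one-line comment above the definition, for example `/* off is unsigned so that scaling it to pages cannot sign-extend */`, would protect the fix. The shift that the commit message refers to is outside the hunk. The context lines already show the `SYSCALL_DEFINE6` form, so this patch depends on the conversion patch queued alongside it being applied first; the series order is not visible on this page.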
@@ -0,0 +1,38 @@
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Wed, 11 Jul 2018 14:56:54 +0100
+Subject: arm64: use SYSCALL_DEFINE6() for mmap
+
+commit d3516c9073b4b81410195489dc169891cd64e4cd upstream.
+
+We don't currently annotate our mmap implementation as a syscall, as we
+need to do to use pt_regs syscall wrappers.
+
+Let's mark it as a real syscall.
+
+There should be no functional change as a result of this patch.
+
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Acked-by: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/arm64/kernel/sys.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/arm64/kernel/sys.c
++++ b/arch/arm64/kernel/sys.c
+@@ -26,9 +26,9 @@
+ #include <linux/slab.h>
+ #include <linux/syscalls.h>
+
+-asmlinkage long sys_mmap(unsigned long addr, unsigned long len,
+- unsigned long prot, unsigned long flags,
+- unsigned long fd, off_t off)
++SYSCALL_DEFINE6(mmap, unsigned long, addr, unsigned long, len,
++ unsigned long, prot, unsigned long, flags,
++ unsigned long, fd, off_t, off)
+ {
+ if (offset_in_page(off) != 0)
+ return -EINVAL;
diff --git a/queue-3.16/asoc-fsl_esai-fix-missing-break-in-switch-statement.patch b/queue-3.16/asoc-fsl_esai-fix-missing-break-in-switch-statement.patch
new file mode 100644
index 00000000..6b25ef9d
--- /dev/null
+++ b/queue-3.16/asoc-fsl_esai-fix-missing-break-in-switch-statement.patch
@@ -0,0 +1,26 @@
+From: "S.j. Wang" <shengjiu.wang@nxp.com>
+Date: Sun, 28 Apr 2019 02:24:27 +0000
+Subject: ASoC: fsl_esai: Fix missing break in switch statement
+
+commit 903c220b1ece12f17c868e43f2243b8f81ff2d4c upstream.
+
+case ESAI_HCKT_EXTAL and case ESAI_HCKR_EXTAL should be
+independent of each other, so replace fall-through with break.
+
+Fixes: 43d24e76b698 ("ASoC: fsl_esai: Add ESAI CPU DAI driver")
+Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
+Acked-by: Nicolin Chen <nicoleotsuka@gmail.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/sound/soc/fsl/fsl_esai.c
++++ b/sound/soc/fsl/fsl_esai.c
+@@ -245,6 +245,7 @@ static int fsl_esai_set_dai_sysclk(struc
+ break;
+ case ESAI_HCKT_EXTAL:
+ ecr |= ESAI_ECR_ETI;
++ break;
+ case ESAI_HCKR_EXTAL:
+ ecr |= ESAI_ECR_ERI;
+ break;
diff --git a/queue-3.16/asoc-max98090-fix-restore-of-dapm-muxes.patch b/queue-3.16/asoc-max98090-fix-restore-of-dapm-muxes.patch
new file mode 100644
index 00000000..8aec2b3a
--- /dev/null
+++ b/queue-3.16/asoc-max98090-fix-restore-of-dapm-muxes.patch
@@ -0,0 +1,48 @@
+From: Jon Hunter <jonathanh@nvidia.com>
+Date: Wed, 1 May 2019 15:29:38 +0100
+Subject: ASoC: max98090: Fix restore of DAPM Muxes
+
+commit ecb2795c08bc825ebd604997e5be440b060c5b18 upstream.
+
+The max98090 driver defines 3 DAPM muxes; one for the right line output
+(LINMOD Mux), one for the left headphone mixer source (MIXHPLSEL Mux)
+and one for the right headphone mixer source (MIXHPRSEL Mux). The same
+bit is used for the mux as well as the DAPM enable, and although the mux
+can be correctly configured, after playback has completed, the mux will
+be reset during the disable phase. This is preventing the state of these
+muxes from being saved and restored correctly on system reboot. Fix this
+by marking these muxes as SND_SOC_NOPM.
+
+Note this has been verified this on the Tegra124 Nyan Big which features
+the MAX98090 codec.
+
+Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ sound/soc/codecs/max98090.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/sound/soc/codecs/max98090.c
++++ b/sound/soc/codecs/max98090.c
+@@ -1271,14 +1271,14 @@ static const struct snd_soc_dapm_widget
+ &max98090_right_rcv_mixer_controls[0],
+ ARRAY_SIZE(max98090_right_rcv_mixer_controls)),
+
+- SND_SOC_DAPM_MUX("LINMOD Mux", M98090_REG_LOUTR_MIXER,
+- M98090_LINMOD_SHIFT, 0, &max98090_linmod_mux),
++ SND_SOC_DAPM_MUX("LINMOD Mux", SND_SOC_NOPM, 0, 0,
++ &max98090_linmod_mux),
+
+- SND_SOC_DAPM_MUX("MIXHPLSEL Mux", M98090_REG_HP_CONTROL,
+- M98090_MIXHPLSEL_SHIFT, 0, &max98090_mixhplsel_mux),
++ SND_SOC_DAPM_MUX("MIXHPLSEL Mux", SND_SOC_NOPM, 0, 0,
++ &max98090_mixhplsel_mux),
+
+- SND_SOC_DAPM_MUX("MIXHPRSEL Mux", M98090_REG_HP_CONTROL,
+- M98090_MIXHPRSEL_SHIFT, 0, &max98090_mixhprsel_mux),
++ SND_SOC_DAPM_MUX("MIXHPRSEL Mux", SND_SOC_NOPM, 0, 0,
++ &max98090_mixhprsel_mux),
+
+ SND_SOC_DAPM_PGA("HP Left Out",
M98090_REG_OUTPUT_ENABLE,
+ M98090_HPLEN_SHIFT, 0, NULL, 0),
diff --git a/queue-3.16/at76c50x-usb-don-t-register-led_trigger-if-usb_register_driver.patch b/queue-3.16/at76c50x-usb-don-t-register-led_trigger-if-usb_register_driver.patch
new file mode 100644
index 00000000..428fa5ed
--- /dev/null
+++ b/queue-3.16/at76c50x-usb-don-t-register-led_trigger-if-usb_register_driver.patch
@@ -0,0 +1,87 @@
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Mon, 8 Apr 2019 11:45:29 +0800
+Subject: at76c50x-usb: Don't register led_trigger if usb_register_driver
+ failed
+
+commit 09ac2694b0475f96be895848687ebcbba97eeecf upstream.
+
+Syzkaller report this:
+
+[ 1213.468581] BUG: unable to handle kernel paging request at fffffbfff83bf338
+[ 1213.469530] #PF error: [normal kernel read fault]
+[ 1213.469530] PGD 237fe4067 P4D 237fe4067 PUD 237e60067 PMD 1c868b067 PTE 0
+[ 1213.473514] Oops: 0000 [#1] SMP KASAN PTI
+[ 1213.473514] CPU: 0 PID: 6321 Comm: syz-executor.0 Tainted: G C 5.1.0-rc3+ #8
+[ 1213.473514] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+[ 1213.473514] RIP: 0010:strcmp+0x31/0xa0
+[ 1213.473514] Code: 00 00 00 00 fc ff df 55 53 48 83 ec 08 eb 0a 84 db 48 89 ef 74 5a 4c 89 e6 48 89 f8 48 89 fa 48 8d 6f 01 48 c1 e8 03 83 e2 07 <42> 0f b6 04 28 38 d0 7f 04 84 c0 75 50 48 89 f0 48 89 f2 0f b6 5d
+[ 1213.473514] RSP: 0018:ffff8881f2b7f950 EFLAGS: 00010246
+[ 1213.473514] RAX: 1ffffffff83bf338 RBX: ffff8881ea6f7240 RCX: ffffffff825350c6
+[ 1213.473514] RDX: 0000000000000000 RSI: ffffffffc1ee19c0 RDI: ffffffffc1df99c0
+[ 1213.473514] RBP: ffffffffc1df99c1 R08: 0000000000000001 R09: 0000000000000004
+[ 1213.473514] R10: 0000000000000000 R11: ffff8881de353f00 R12: ffff8881ee727900
+[ 1213.473514] R13: dffffc0000000000 R14: 0000000000000001 R15: ffffffffc1eeaaf0
+[ 1213.473514] FS: 00007fa66fa01700(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
+[ 1213.473514] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 1213.473514] CR2: fffffbfff83bf338 CR3: 00000001ebb9e005 CR4: 00000000007606f0
+[ 1213.473514] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 1213.473514] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 1213.473514] PKRU: 55555554
+[ 1213.473514] Call Trace:
+[ 1213.473514] led_trigger_register+0x112/0x3f0
+[ 1213.473514]
led_trigger_register_simple+0x7a/0x110
+[ 1213.473514] ? 0xffffffffc1c10000
+[ 1213.473514] at76_mod_init+0x77/0x1000 [at76c50x_usb]
+[ 1213.473514] do_one_initcall+0xbc/0x47d
+[ 1213.473514] ? perf_trace_initcall_level+0x3a0/0x3a0
+[ 1213.473514] ? kasan_unpoison_shadow+0x30/0x40
+[ 1213.473514] ? kasan_unpoison_shadow+0x30/0x40
+[ 1213.473514] do_init_module+0x1b5/0x547
+[ 1213.473514] load_module+0x6405/0x8c10
+[ 1213.473514] ? module_frob_arch_sections+0x20/0x20
+[ 1213.473514] ? kernel_read_file+0x1e6/0x5d0
+[ 1213.473514] ? find_held_lock+0x32/0x1c0
+[ 1213.473514] ? cap_capable+0x1ae/0x210
+[ 1213.473514] ? __do_sys_finit_module+0x162/0x190
+[ 1213.473514] __do_sys_finit_module+0x162/0x190
+[ 1213.473514] ? __ia32_sys_init_module+0xa0/0xa0
+[ 1213.473514] ? __mutex_unlock_slowpath+0xdc/0x690
+[ 1213.473514] ? wait_for_completion+0x370/0x370
+[ 1213.473514] ? vfs_write+0x204/0x4a0
+[ 1213.473514] ? do_syscall_64+0x18/0x450
+[ 1213.473514] do_syscall_64+0x9f/0x450
+[ 1213.473514] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+[ 1213.473514] RIP: 0033:0x462e99
+[ 1213.473514] Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+[ 1213.473514] RSP: 002b:00007fa66fa00c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+[ 1213.473514] RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
+[ 1213.473514] RDX: 0000000000000000 RSI: 0000000020000300 RDI: 0000000000000003
+[ 1213.473514] RBP: 00007fa66fa00c70 R08: 0000000000000000 R09: 0000000000000000
+[ 1213.473514] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fa66fa016bc
+[ 1213.473514] R13: 00000000004bcefa R14: 00000000006f6fb0 R15: 0000000000000004
+
+If usb_register failed, no need to call led_trigger_register_simple.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Fixes: 1264b951463a ("at76c50x-usb: add driver")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+[bwh: Backported to 3.16: adjust filename]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/wireless/at76c50x-usb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/at76c50x-usb.c
++++ b/drivers/net/wireless/at76c50x-usb.c
+@@ -2582,8 +2582,8 @@ static int __init at76_mod_init(void)
+ if (result < 0)
+ printk(KERN_ERR DRIVER_NAME
+ ": usb_register failed (status %d)\n", result);
+-
+- led_trigger_register_simple("at76_usb-tx", &ledtrig_tx);
++ else
++ led_trigger_register_simple("at76_usb-tx", &ledtrig_tx);
+ return result;
+ }
+
diff --git a/queue-3.16/backlight-lm3630a-return-0-on-success-in-update_status-functions.patch b/queue-3.16/backlight-lm3630a-return-0-on-success-in-update_status-functions.patch
new file mode 100644
index 00000000..bb161b64
--- /dev/null
+++ b/queue-3.16/backlight-lm3630a-return-0-on-success-in-update_status-functions.patch
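Review bot: In at76_mod_init() the new `else` hangs off an `if` whose body is a two-line `printk()` call with no braces, so the pairing of the two arms has to be worked out from the semicolon rather than read from the layout. Bracing both arms, `if (result < 0) { ... } else { led_trigger_register_simple("at76_usb-tx", &ledtrig_tx); }`, would make it obvious that the trigger is registered only when `usb_register` succeeded, which is the property that prevents the stale-trigger oops quoted in the commit message. The start of the function, including the registration call itself, is outside the hunk.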
@@ -0,0 +1,42 @@
+From: Brian Masney <masneyb@onstation.org>
+Date: Wed, 24 Apr 2019 05:25:03 -0400
+Subject: backlight: lm3630a: Return 0 on success in update_status functions
+
+commit d3f48ec0954c6aac736ab21c34a35d7554409112 upstream.
+
+lm3630a_bank_a_update_status() and lm3630a_bank_b_update_status()
+both return the brightness value if the brightness was successfully
+updated. Writing to these attributes via sysfs would cause a 'Bad
+address' error to be returned. These functions should return 0 on
+success, so let's change it to correct that error.
+
+Fixes: 28e64a68a2ef ("backlight: lm3630: apply chip revision")
+Signed-off-by: Brian Masney <masneyb@onstation.org>
+Acked-by: Pavel Machek <pavel@ucw.cz>
+Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/video/backlight/lm3630a_bl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/video/backlight/lm3630a_bl.c
++++ b/drivers/video/backlight/lm3630a_bl.c
+@@ -201,7 +201,7 @@ static int lm3630a_bank_a_update_status(
+ LM3630A_LEDA_ENABLE, LM3630A_LEDA_ENABLE);
+ if (ret < 0)
+ goto out_i2c_err;
+- return bl->props.brightness;
++ return 0;
+
+ out_i2c_err:
+ dev_err(pchip->dev, "i2c failed to access\n");
+@@ -278,7 +278,7 @@ static int lm3630a_bank_b_update_status(
+ LM3630A_LEDB_ENABLE, LM3630A_LEDB_ENABLE);
+ if (ret < 0)
+ goto out_i2c_err;
+- return bl->props.brightness;
++ return 0;
+
+ out_i2c_err:
+ dev_err(pchip->dev, "i2c failed to access REG_CTRL\n");
diff --git a/queue-3.16/bcache-fix-a-race-between-cache-register-and-cacheset-unregister.patch b/queue-3.16/bcache-fix-a-race-between-cache-register-and-cacheset-unregister.patch
new file mode 100644
index 00000000..3643deb8
--- /dev/null
+++ b/queue-3.16/bcache-fix-a-race-between-cache-register-and-cacheset-unregister.patch
@@ -0,0 +1,76 @@ +From: Liang Chen <liangchen.linux@gmail.com> +Date: Thu, 25 Apr 2019 00:48:31 +0800 +Subject: bcache: fix a race between cache register and cacheset unregister + +commit a4b732a248d12cbdb46999daf0bf288c011335eb upstream. + +There is a race between cache device register and cache set unregister. +For an already registered cache device, register_bcache will call +bch_is_open to iterate through all cachesets and check every cache +there. The race occurs if cache_set_free executes at the same time and +clears the caches right before ca is dereferenced in bch_is_open_cache. +To close the race, let's make sure the clean up work is protected by +the bch_register_lock as well. + +This issue can be reproduced as follows, +while true; do echo /dev/XXX> /sys/fs/bcache/register ; done& +while true; do echo 1> /sys/block/XXX/bcache/set/unregister ; done & + +and results in the following oops, + +[ +0.000053] BUG: unable to handle kernel NULL pointer dereference at 0000000000000998 +[ +0.000457] #PF error: [normal kernel read fault] +[ +0.000464] PGD 800000003ca9d067 P4D 800000003ca9d067 PUD 3ca9c067 PMD 0 +[ +0.000388] Oops: 0000 [#1] SMP PTI +[ +0.000269] CPU: 1 PID: 3266 Comm: bash Not tainted 5.0.0+ #6 +[ +0.000346] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.fc28 04/01/2014 +[ +0.000472] RIP: 0010:register_bcache+0x1829/0x1990 [bcache] +[ +0.000344] Code: b0 48 83 e8 50 48 81 fa e0 e1 10 c0 0f 84 a9 00 00 00 48 89 c6 48 89 ca 0f b7 ba 54 04 00 00 4c 8b 82 60 0c 00 00 85 ff 74 2f <49> 3b a8 98 09 00 00 74 4e 44 8d 47 ff 31 ff 49 c1 e0 03 eb 0d +[ +0.000839] RSP: 0018:ffff92ee804cbd88 EFLAGS: 00010202 +[ +0.000328] RAX: ffffffffc010e190 RBX: ffff918b5c6b5000 RCX: ffff918b7d8e0000 +[ +0.000399] RDX: ffff918b7d8e0000 RSI: ffffffffc010e190 RDI: 0000000000000001 +[ +0.000398] RBP: ffff918b7d318340 R08: 0000000000000000 R09: ffffffffb9bd2d7a +[ +0.000385] R10: ffff918b7eb253c0 R11: ffffb95980f51200 R12: ffffffffc010e1a0 +[ +0.000411] R13: 
fffffffffffffff2 R14: 000000000000000b R15: ffff918b7e232620 +[ +0.000384] FS: 00007f955bec2740(0000) GS:ffff918b7eb00000(0000) knlGS:0000000000000000 +[ +0.000420] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ +0.000801] CR2: 0000000000000998 CR3: 000000003cad6000 CR4: 00000000001406e0 +[ +0.000837] Call Trace: +[ +0.000682] ? _cond_resched+0x10/0x20 +[ +0.000691] ? __kmalloc+0x131/0x1b0 +[ +0.000710] kernfs_fop_write+0xfa/0x170 +[ +0.000733] __vfs_write+0x2e/0x190 +[ +0.000688] ? inode_security+0x10/0x30 +[ +0.000698] ? selinux_file_permission+0xd2/0x120 +[ +0.000752] ? security_file_permission+0x2b/0x100 +[ +0.000753] vfs_write+0xa8/0x1a0 +[ +0.000676] ksys_write+0x4d/0xb0 +[ +0.000699] do_syscall_64+0x3a/0xf0 +[ +0.000692] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Signed-off-by: Liang Chen <liangchen.linux@gmail.com> +Signed-off-by: Coly Li <colyli@suse.de> +Signed-off-by: Jens Axboe <axboe@kernel.dk> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/md/bcache/super.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -1364,6 +1364,7 @@ static void cache_set_free(struct closur + bch_btree_cache_free(c); + bch_journal_free(c); + ++ mutex_lock(&bch_register_lock); + for_each_cache(ca, c, i) + if (ca) { + ca->set = NULL; +@@ -1386,7 +1387,6 @@ static void cache_set_free(struct closur + mempool_destroy(c->search); + kfree(c->devices); + +- mutex_lock(&bch_register_lock); + list_del(&c->list); + mutex_unlock(&bch_register_lock); + diff --git a/queue-3.16/bcache-fix-memory-corruption-in-init-error-path.patch b/queue-3.16/bcache-fix-memory-corruption-in-init-error-path.patch new file mode 100644 index 00000000..296c4fde --- /dev/null +++ b/queue-3.16/bcache-fix-memory-corruption-in-init-error-path.patch 
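Review bot: The relocated `mutex_lock(&bch_register_lock)` in cache_set_free() carries no comment saying what it now protects, and the critical section it opens runs through every teardown call down to `list_del(&c->list)`, most of which lies between the two hunks and is not shown. I would add `/* caches are cleared under bch_register_lock because bch_is_open_cache() dereferences them */` above the lock so a later cleanup does not move it back down. Because the lock is now held across more teardown work, it is worth confirming for the 3.16 tree that nothing in that stretch takes bch_register_lock itself; that cannot be checked from the context visible here.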
@@ -0,0 +1,53 @@
+From: Slava Pestov <sp@daterainc.com>
+Date: Thu, 19 Jun 2014 15:05:59 -0700
+Subject: bcache: fix memory corruption in init error path
+
+commit c9a78332b42cbdcdd386a95192a716b67d1711a4 upstream.
+
+If register_cache_set() failed, we would touch ca->set after
+it had already been freed. Also, fix an assertion to catch
+this.
+
+Change-Id: I748e5f5b223e2d9b2602075dec2f997cced2394d
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/md/bcache/super.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1365,8 +1365,11 @@ static void cache_set_free(struct closur
+ bch_journal_free(c);
+
+ for_each_cache(ca, c, i)
+- if (ca)
++ if (ca) {
++ ca->set = NULL;
++ c->cache[ca->sb.nr_this_dev] = NULL;
+ kobject_put(&ca->kobj);
++ }
+
+ bch_bset_sort_state_free(&c->sort);
+ free_pages((unsigned long) c->uuids, ilog2(bucket_pages(c)));
+@@ -1804,8 +1807,10 @@ void bch_cache_release(struct kobject *k
+ struct cache *ca = container_of(kobj, struct cache, kobj);
+ unsigned i;
+
+- if (ca->set)
++ if (ca->set) {
++ BUG_ON(ca->set->cache[ca->sb.nr_this_dev] != ca);
+ ca->set->cache[ca->sb.nr_this_dev] = NULL;
++ }
+
+ bio_split_pool_free(&ca->bio_split_hook);
+
+@@ -1868,7 +1873,7 @@ static int cache_alloc(struct cache_sb *
+ }
+
+ static int register_cache(struct cache_sb *sb, struct page *sb_page,
+- struct block_device *bdev, struct cache *ca)
++ struct block_device *bdev, struct cache *ca)
+ {
+ char name[BDEVNAME_SIZE];
+ const char *err = NULL; /* must be set for any error case */
diff --git a/queue-3.16/bcache-never-set-key_ptrs-of-journal-key-to-0-in-journal_reclaim.patch b/queue-3.16/bcache-never-set-key_ptrs-of-journal-key-to-0-in-journal_reclaim.patch
new file mode 100644
index 00000000..27e4af8f
--- /dev/null
+++ b/queue-3.16/bcache-never-set-key_ptrs-of-journal-key-to-0-in-journal_reclaim.patch
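Review bot: The new `BUG_ON(ca->set->cache[ca->sb.nr_this_dev] != ca)` in bch_cache_release() halts the machine from a kobject release path for a bookkeeping mismatch that could be reported and survived. A `WARN_ON()` that skips the store when the slot belongs to another cache, e.g. `if (!WARN_ON(ca->set->cache[ca->sb.nr_this_dev] != ca)) ca->set->cache[ca->sb.nr_this_dev] = NULL;`, keeps the diagnostic without clearing a slot this cache does not own. The cache_set_free() hunk would also benefit from a one-line comment such as `/* detach before the put so the release does not touch the freed set */` above `ca->set = NULL;`. Both functions continue outside the hunks shown.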
@@ -0,0 +1,91 @@ +From: Coly Li <colyli@suse.de> +Date: Thu, 25 Apr 2019 00:48:33 +0800 +Subject: bcache: never set KEY_PTRS of journal key to 0 in journal_reclaim() + +commit 1bee2addc0c8470c8aaa65ef0599eeae96dd88bc upstream. + +In journal_reclaim() ja->cur_idx of each cache will be update to +reclaim available journal buckets. Variable 'int n' is used to count how +many cache is successfully reclaimed, then n is set to c->journal.key +by SET_KEY_PTRS(). Later in journal_write_unlocked(), a for_each_cache() +loop will write the jset data onto each cache. + +The problem is, if all jouranl buckets on each cache is full, the +following code in journal_reclaim(), + +529 for_each_cache(ca, c, iter) { +530 struct journal_device *ja = &ca->journal; +531 unsigned int next = (ja->cur_idx + 1) % ca->sb.njournal_buckets; +532 +533 /* No space available on this device */ +534 if (next == ja->discard_idx) +535 continue; +536 +537 ja->cur_idx = next; +538 k->ptr[n++] = MAKE_PTR(0, +539 bucket_to_sector(c, ca->sb.d[ja->cur_idx]), +540 ca->sb.nr_this_dev); +541 } +542 +543 bkey_init(k); +544 SET_KEY_PTRS(k, n); + +If there is no available bucket to reclaim, the if() condition at line +534 will always true, and n remains 0. Then at line 544, SET_KEY_PTRS() +will set KEY_PTRS field of c->journal.key to 0. + +Setting KEY_PTRS field of c->journal.key to 0 is wrong. Because in +journal_write_unlocked() the journal data is written in following loop, + +649 for (i = 0; i < KEY_PTRS(k); i++) { +650-671 submit journal data to cache device +672 } + +If KEY_PTRS field is set to 0 in jouranl_reclaim(), the journal data +won't be written to cache device here. If system crahed or rebooted +before bkeys of the lost journal entries written into btree nodes, data +corruption will be reported during bcache reload after rebooting the +system. + +Indeed there is only one cache in a cache set, there is no need to set +KEY_PTRS field in journal_reclaim() at all. 
But in order to keep the +for_each_cache() logic consistent for now, this patch fixes the above +problem by not setting 0 KEY_PTRS of journal key, if there is no bucket +available to reclaim. + +Signed-off-by: Coly Li <colyli@suse.de> +Reviewed-by: Hannes Reinecke <hare@suse.com> +Signed-off-by: Jens Axboe <axboe@kernel.dk> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/md/bcache/journal.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/md/bcache/journal.c ++++ b/drivers/md/bcache/journal.c +@@ -507,11 +507,11 @@ static void journal_reclaim(struct cache + ca->sb.nr_this_dev); + } + +- bkey_init(k); +- SET_KEY_PTRS(k, n); +- +- if (n) ++ if (n) { ++ bkey_init(k); ++ SET_KEY_PTRS(k, n); + c->journal.blocks_free = c->sb.bucket_size >> c->block_bits; ++ } + out: + if (!journal_full(&c->journal)) + __closure_wake_up(&c->journal.wait); +@@ -635,6 +635,9 @@ static void journal_write_unlocked(struc + ca->journal.seq[ca->journal.cur_idx] = w->data->seq; + } + ++ /* If KEY_PTRS(k) == 0, this jset gets lost in air */ ++ BUG_ON(i == 0); ++ + atomic_dec_bug(&fifo_back(&c->journal.pin)); + bch_journal_next(&c->journal); + journal_reclaim(c); diff --git a/queue-3.16/bluetooth-align-minimum-encryption-key-size-for-le-and-br-edr.patch b/queue-3.16/bluetooth-align-minimum-encryption-key-size-for-le-and-br-edr.patch new file mode 100644 index 00000000..1145804a --- /dev/null +++ b/queue-3.16/bluetooth-align-minimum-encryption-key-size-for-le-and-br-edr.patch 
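Review bot: `BUG_ON(i == 0)` in journal_write_unlocked() reads `i` after a loop whose header is outside the hunk, so the check depends on that loop leaving `i` equal to KEY_PTRS(k); the comment above it should say so, e.g. `/* i == KEY_PTRS(k) after the loop above; zero means no journal write was submitted */`. In journal_reclaim() the key is now left untouched when `n == 0`, which means it keeps whatever pointers an earlier reclaim stored; a short comment on the `if (n)` block stating that this is intended would spare the next reader the question. Whether a panic is the right response to a lost jset, as opposed to a warning plus an error on the cache set, also deserves a second look.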
@@ -0,0 +1,48 @@
+From: Marcel Holtmann <marcel@holtmann.org>
+Date: Wed, 24 Apr 2019 22:19:17 +0200
+Subject: Bluetooth: Align minimum encryption key size for LE and BR/EDR
+ connections
+
+commit d5bb334a8e171b262e48f378bd2096c0ea458265 upstream.
+
+The minimum encryption key size for LE connections is 56 bits and to
+align LE with BR/EDR, enforce 56 bits of minimum encryption key size for
+BR/EDR connections as well.
+
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ include/net/bluetooth/hci_core.h | 3 +++
+ net/bluetooth/hci_conn.c | 8 ++++++++
+ 2 files changed, 11 insertions(+)
+
+--- a/include/net/bluetooth/hci_core.h
++++ b/include/net/bluetooth/hci_core.h
+@@ -142,6 +142,9 @@ struct oob_data {
+
+ #define HCI_MAX_SHORT_NAME_LENGTH 10
+
++/* Min encryption key size to match with SMP */
++#define HCI_MIN_ENC_KEY_SIZE 7
++
+ /* Default LE RPA expiry time, 15 minutes */
+ #define HCI_DEFAULT_RPA_TIMEOUT (15 * 60)
+
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -868,6 +868,14 @@ int hci_conn_check_link_mode(struct hci_
+ if (hci_conn_ssp_enabled(conn) && !(conn->link_mode & HCI_LM_ENCRYPT))
+ return 0;
+
++ /* The minimum encryption key size needs to be enforced by the
++ * host stack before establishing any L2CAP connections. The
++ * specification in theory allows a minimum of 1, but to align
++ * BR/EDR and LE transports, a minimum of 7 is chosen.
++ */
++ if (conn->enc_key_size < HCI_MIN_ENC_KEY_SIZE)
++ return 0;
++
+ return 1;
+ }
+
diff --git a/queue-3.16/bluetooth-fix-faulty-expression-for-minimum-encryption-key-size.patch b/queue-3.16/bluetooth-fix-faulty-expression-for-minimum-encryption-key-size.patch
new file mode 100644
index 00000000..0d2da165
--- /dev/null
+++ b/queue-3.16/bluetooth-fix-faulty-expression-for-minimum-encryption-key-size.patch
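Review bot: `HCI_MIN_ENC_KEY_SIZE 7` is introduced without a unit, and the block comment in hci_conn_check_link_mode() says only "a minimum of 7"; the commit message is the one place that states this is 56 bits. I would write the define comment as `/* Min encryption key size in octets (7 octets = 56 bits), to match with SMP */`. The new check also rejects with a bare `return 0`, so a peer that negotiates a short key leaves no trace; a `BT_DBG("conn %p key size %u too small", conn, conn->enc_key_size);` before the return would make such rejections visible when tracing.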
@@ -0,0 +1,35 @@
+From: Matias Karhumaa <matias.karhumaa@gmail.com>
+Date: Tue, 2 Jul 2019 16:35:09 +0200
+Subject: Bluetooth: Fix faulty expression for minimum encryption key size
+ check
+
+commit eca94432934fe5f141d084f2e36ee2c0e614cc04 upstream.
+
+Fix minimum encryption key size check so that HCI_MIN_ENC_KEY_SIZE is
+also allowed as stated in the comment.
+
+This bug caused connection problems with devices having maximum
+encryption key size of 7 octets (56-bit).
+
+Fixes: 693cd8ce3f88 ("Bluetooth: Fix regression with minimum encryption key size alignment")
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=203997
+Signed-off-by: Matias Karhumaa <matias.karhumaa@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/bluetooth/l2cap_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -1272,7 +1272,7 @@ static bool l2cap_check_enc_key_size(str
+ * actually encrypted before enforcing a key size.
+ */
+ return (!(hcon->link_mode & HCI_LM_ENCRYPT) ||
+- hcon->enc_key_size > HCI_MIN_ENC_KEY_SIZE);
++ hcon->enc_key_size >= HCI_MIN_ENC_KEY_SIZE);
+ }
+
+ static void l2cap_do_start(struct l2cap_chan *chan)
diff --git a/queue-3.16/bluetooth-fix-regression-with-minimum-encryption-key-size-alignment.patch b/queue-3.16/bluetooth-fix-regression-with-minimum-encryption-key-size-alignment.patch
new file mode 100644
index 00000000..4ff587dd
--- /dev/null
+++ b/queue-3.16/bluetooth-fix-regression-with-minimum-encryption-key-size-alignment.patch
@@ -0,0 +1,147 @@ +From: Marcel Holtmann <marcel@holtmann.org> +Date: Sat, 22 Jun 2019 15:47:01 +0200 +Subject: Bluetooth: Fix regression with minimum encryption key size alignment + +commit 693cd8ce3f882524a5d06f7800dd8492411877b3 upstream. + +When trying to align the minimum encryption key size requirement for +Bluetooth connections, it turns out doing this in a central location in +the HCI connection handling code is not possible. + +Original Bluetooth version up to 2.0 used a security model where the +L2CAP service would enforce authentication and encryption. Starting +with Bluetooth 2.1 and Secure Simple Pairing that model has changed into +that the connection initiator is responsible for providing an encrypted +ACL link before any L2CAP communication can happen. + +Now connecting Bluetooth 2.1 or later devices with Bluetooth 2.0 and +before devices are causing a regression. The encryption key size check +needs to be moved out of the HCI connection handling into the L2CAP +channel setup. + +To achieve this, the current check inside hci_conn_security() has been +moved into l2cap_check_enc_key_size() helper function and then called +from four decisions point inside L2CAP to cover all combinations of +Secure Simple Pairing enabled devices and device using legacy pairing +and legacy service security model. 
+ +Fixes: d5bb334a8e17 ("Bluetooth: Align minimum encryption key size for LE and BR/EDR connections") +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=203643 +Signed-off-by: Marcel Holtmann <marcel@holtmann.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +[bwh: Backported to 3.16: + - Encryption flag is in hci_conn::link_mode not hci_conn::flags + - Adjust context, indentation] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/bluetooth/hci_conn.c | 18 +++++++++--------- + net/bluetooth/l2cap_core.c | 33 ++++++++++++++++++++++++++++----- + 2 files changed, 37 insertions(+), 14 deletions(-) + +--- a/net/bluetooth/hci_conn.c ++++ b/net/bluetooth/hci_conn.c +@@ -868,14 +868,6 @@ int hci_conn_check_link_mode(struct hci_ + if (hci_conn_ssp_enabled(conn) && !(conn->link_mode & HCI_LM_ENCRYPT)) + return 0; + +- /* The minimum encryption key size needs to be enforced by the +- * host stack before establishing any L2CAP connections. The +- * specification in theory allows a minimum of 1, but to align +- * BR/EDR and LE transports, a minimum of 7 is chosen. +- */ +- if (conn->enc_key_size < HCI_MIN_ENC_KEY_SIZE) +- return 0; +- + return 1; + } + +@@ -988,8 +980,16 @@ auth: + return 0; + + encrypt: +- if (conn->link_mode & HCI_LM_ENCRYPT) ++ if (conn->link_mode & HCI_LM_ENCRYPT) { ++ /* Ensure that the encryption key size has been read, ++ * otherwise stall the upper layer responses. ++ */ ++ if (!conn->enc_key_size) ++ return 0; ++ ++ /* Nothing else needed, all requirements are met */ + return 1; ++ } + + hci_conn_encrypt(conn); + return 0; +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -1260,6 +1260,21 @@ static void l2cap_start_connection(struc + } + } + ++static bool l2cap_check_enc_key_size(struct hci_conn *hcon) ++{ ++ /* The minimum encryption key size needs to be enforced by the ++ * host stack before establishing any L2CAP connections. 
The ++ * specification in theory allows a minimum of 1, but to align ++ * BR/EDR and LE transports, a minimum of 7 is chosen. ++ * ++ * This check might also be called for unencrypted connections ++ * that have no key size requirements. Ensure that the link is ++ * actually encrypted before enforcing a key size. ++ */ ++ return (!(hcon->link_mode & HCI_LM_ENCRYPT) || ++ hcon->enc_key_size > HCI_MIN_ENC_KEY_SIZE); ++} ++ + static void l2cap_do_start(struct l2cap_chan *chan) + { + struct l2cap_conn *conn = chan->conn; +@@ -1273,10 +1288,14 @@ static void l2cap_do_start(struct l2cap_ + if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)) + return; + +- if (l2cap_chan_check_security(chan) && +- __l2cap_no_conn_pending(chan)) { ++ if (!l2cap_chan_check_security(chan) || ++ !__l2cap_no_conn_pending(chan)) ++ return; ++ ++ if (l2cap_check_enc_key_size(conn->hcon)) + l2cap_start_connection(chan); +- } ++ else ++ __set_chan_timer(chan, L2CAP_DISC_TIMEOUT); + } else { + struct l2cap_info_req req; + req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK); +@@ -1366,7 +1385,10 @@ static void l2cap_conn_start(struct l2ca + continue; + } + +- l2cap_start_connection(chan); ++ if (l2cap_check_enc_key_size(conn->hcon)) ++ l2cap_start_connection(chan); ++ else ++ l2cap_chan_close(chan, ECONNREFUSED); + + } else if (chan->state == BT_CONNECT2) { + struct l2cap_conn_rsp rsp; +@@ -7352,7 +7374,7 @@ int l2cap_security_cfm(struct hci_conn * + } + + if (chan->state == BT_CONNECT) { +- if (!status) ++ if (!status && l2cap_check_enc_key_size(hcon)) + l2cap_start_connection(chan); + else + __set_chan_timer(chan, L2CAP_DISC_TIMEOUT); +@@ -7360,7 +7382,7 @@ int l2cap_security_cfm(struct hci_conn * + struct l2cap_conn_rsp rsp; + __u16 res, stat; + +- if (!status) { ++ if (!status && l2cap_check_enc_key_size(hcon)) { + if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) { + res = L2CAP_CR_PEND; + stat = L2CAP_CS_AUTHOR_PEND; 
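Review bot: The visible call sites of l2cap_check_enc_key_size() react differently to a failed check and none says why: l2cap_do_start() and the BT_CONNECT branch of l2cap_security_cfm() arm `L2CAP_DISC_TIMEOUT`, while l2cap_conn_start() calls `l2cap_chan_close(chan, ECONNREFUSED)` at once. A sentence in the helper's block comment, or a one-line comment at each site, should state which reaction is intended for which pairing model, so that a later change does not weaken one path by accident. In hci_conn_security(), `if (!conn->enc_key_size) return 0;` uses zero to mean "key size not read yet"; that convention should be noted next to the `enc_key_size` field, which is not part of this patch. All of these functions extend beyond the hunks shown.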
diff --git a/queue-3.16/bonding-fix-arp_validate-toggling-in-active-backup-mode.patch b/queue-3.16/bonding-fix-arp_validate-toggling-in-active-backup-mode.patch
new file mode 100644
index 00000000..e428fcbc
--- /dev/null
+++ b/queue-3.16/bonding-fix-arp_validate-toggling-in-active-backup-mode.patch
@@ -0,0 +1,76 @@ +From: Jarod Wilson <jarod@redhat.com> +Date: Fri, 10 May 2019 17:57:09 -0400 +Subject: bonding: fix arp_validate toggling in active-backup mode + +commit a9b8a2b39ce65df45687cf9ef648885c2a99fe75 upstream. + +There's currently a problem with toggling arp_validate on and off with an +active-backup bond. At the moment, you can start up a bond, like so: + +modprobe bonding mode=1 arp_interval=100 arp_validate=0 arp_ip_targets=192.168.1.1 +ip link set bond0 down +echo "ens4f0" > /sys/class/net/bond0/bonding/slaves +echo "ens4f1" > /sys/class/net/bond0/bonding/slaves +ip link set bond0 up +ip addr add 192.168.1.2/24 dev bond0 + +Pings to 192.168.1.1 work just fine. Now turn on arp_validate: + +echo 1 > /sys/class/net/bond0/bonding/arp_validate + +Pings to 192.168.1.1 continue to work just fine. Now when you go to turn +arp_validate off again, the link falls flat on it's face: + +echo 0 > /sys/class/net/bond0/bonding/arp_validate +dmesg +... +[133191.911987] bond0: Setting arp_validate to none (0) +[133194.257793] bond0: bond_should_notify_peers: slave ens4f0 +[133194.258031] bond0: link status definitely down for interface ens4f0, disabling it +[133194.259000] bond0: making interface ens4f1 the new active one +[133197.330130] bond0: link status definitely down for interface ens4f1, disabling it +[133197.331191] bond0: now running without any active interface! + +The problem lies in bond_options.c, where passing in arp_validate=0 +results in bond->recv_probe getting set to NULL. This flies directly in +the face of commit 3fe68df97c7f, which says we need to set recv_probe = +bond_arp_recv, even if we're not using arp_validate. Said commit fixed +this in bond_option_arp_interval_set, but missed that we can get to that +same state in bond_option_arp_validate_set as well. 
+ +One solution would be to universally set recv_probe = bond_arp_recv here +as well, but I don't think bond_option_arp_validate_set has any business +touching recv_probe at all, and that should be left to the arp_interval +code, so we can just make things much tidier here. + +Fixes: 3fe68df97c7f ("bonding: always set recv_probe to bond_arp_rcv in arp monitor") +CC: Jay Vosburgh <j.vosburgh@gmail.com> +CC: Veaceslav Falico <vfalico@gmail.com> +CC: Andy Gospodarek <andy@greyhouse.net> +CC: "David S. Miller" <davem@davemloft.net> +CC: netdev@vger.kernel.org +Signed-off-by: Jarod Wilson <jarod@redhat.com> +Signed-off-by: Jay Vosburgh <jay.vosburgh@canonical.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/net/bonding/bond_options.c | 7 ------- + 1 file changed, 7 deletions(-) + +--- a/drivers/net/bonding/bond_options.c ++++ b/drivers/net/bonding/bond_options.c +@@ -1068,13 +1068,6 @@ static int bond_option_arp_validate_set( + { + pr_info("%s: Setting arp_validate to %s (%llu)\n", + bond->dev->name, newval->string, newval->value); +- +- if (bond->dev->flags & IFF_UP) { +- if (!newval->value) +- bond->recv_probe = NULL; +- else if (bond->params.arp_interval) +- bond->recv_probe = bond_arp_rcv; +- } + bond->params.arp_validate = newval->value; + + return 0; diff --git a/queue-3.16/cdc-acm-fix-race-between-callback-and-unthrottle.patch b/queue-3.16/cdc-acm-fix-race-between-callback-and-unthrottle.patch new file mode 100644 index 00000000..289553fd --- /dev/null +++ b/queue-3.16/cdc-acm-fix-race-between-callback-and-unthrottle.patch 
@@ -0,0 +1,57 @@
+From: Oliver Neukum <oneukum@suse.de>
+Date: Fri, 20 Mar 2015 09:24:24 +0100
+Subject: cdc-acm: fix race between callback and unthrottle
+
+commit 36e59e0d70d6150e7a2155c54612ea875e88ce8d upstream.
+
+Abn URB may be may marked free only after the buffer has been
+processed or there is a small window during which it could
+be submitted on another CPU and overwrite an unprocessed buffer
+
+Signed-off-by: Oliver Neukum <oneukum@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/class/cdc-acm.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -419,19 +419,21 @@ static void acm_read_bulk_callback(struc
+ struct acm_rb *rb = urb->context;
+ struct acm *acm = rb->instance;
+ unsigned long flags;
++ int status = urb->status;
+
+ dev_vdbg(&acm->data->dev, "%s - urb %d, len %d\n", __func__,
+ rb->index, urb->actual_length);
+- set_bit(rb->index, &acm->read_urbs_free);
+
+ if (!acm->dev) {
++ set_bit(rb->index, &acm->read_urbs_free);
+ dev_dbg(&acm->data->dev, "%s - disconnected\n", __func__);
+ return;
+ }
+
+ if (urb->status) {
++ set_bit(rb->index, &acm->read_urbs_free);
+ dev_dbg(&acm->data->dev, "%s - non-zero urb status: %d\n",
+- __func__, urb->status);
++ __func__, status);
+ if ((urb->status != -ENOENT) || (urb->actual_length == 0))
+ return;
+ }
+@@ -439,6 +441,12 @@ static void acm_read_bulk_callback(struc
+ usb_mark_last_busy(acm->dev);
+
+ acm_process_read_urb(acm, urb);
++ /*
++ * Unthrottle may run on another CPU which needs to see events
++ * in the same order. Submission has an implict barrier
++ */
++ smp_mb__before_atomic();
++ set_bit(rb->index, &acm->read_urbs_free);
+
+ /* throttle device if requested by tty */
+ spin_lock_irqsave(&acm->read_lock, flags);
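Review bot: acm_read_bulk_callback() still reads `urb->status` and `urb->actual_length` after the error branch has marked the URB free: `status` is captured at the top, but only the dev_dbg() argument uses it, and the test `(urb->status != -ENOENT) || (urb->actual_length == 0)` runs after `set_bit()`. By the patch's own reasoning the URB may be resubmitted on another CPU once the bit is set, so those reads can see the next transfer's values. Using the local in both tests, `if (status)` and `if ((status != -ENOENT) || (urb->actual_length == 0))`, and evaluating the second one before the `set_bit()` in that branch keeps the function on a single snapshot. The added comment has a typo ("implict") and would be clearer as `/* finish with the buffer before the URB is marked free; unthrottle on another CPU may resubmit it */`.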
diff --git a/queue-3.16/cdc-acm-handle-read-pipe-errors.patch b/queue-3.16/cdc-acm-handle-read-pipe-errors.patch
new file mode 100644
index 00000000..84721b9d
--- /dev/null
+++ b/queue-3.16/cdc-acm-handle-read-pipe-errors.patch
@@ -0,0 +1,148 @@ +From: Ladislav Michl <ladis@linux-mips.org> +Date: Fri, 18 Nov 2016 19:11:26 +0100 +Subject: cdc-acm: handle read pipe errors + +commit 1aba579f3cf51fd0fe0b4d46cc13823fd1200acb upstream. + +Read urbs are submitted back only on success, causing read pipe +running out of urbs after few errors. No more characters can +be read from tty device then until it is reopened and no errors +are reported. +Fix that by always submitting urbs back and clearing stall on +-EPIPE. + +Signed-off-by: Ladislav Michl <ladis@linux-mips.org> +Acked-by: Oliver Neukum <oneukum@suse.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/class/cdc-acm.c | 60 ++++++++++++++++++++++++++++++------- + drivers/usb/class/cdc-acm.h | 3 ++ + 2 files changed, 53 insertions(+), 10 deletions(-) + +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -424,29 +424,41 @@ static void acm_read_bulk_callback(struc + dev_vdbg(&acm->data->dev, "%s - urb %d, len %d\n", __func__, + rb->index, urb->actual_length); + ++ set_bit(rb->index, &acm->read_urbs_free); ++ + if (!acm->dev) { +- set_bit(rb->index, &acm->read_urbs_free); + dev_dbg(&acm->data->dev, "%s - disconnected\n", __func__); + return; + } + +- if (urb->status) { +- set_bit(rb->index, &acm->read_urbs_free); +- dev_dbg(&acm->data->dev, "%s - non-zero urb status: %d\n", +- __func__, status); +- if ((urb->status != -ENOENT) || (urb->actual_length == 0)) +- return; ++ switch (status) { ++ case 0: ++ usb_mark_last_busy(acm->dev); ++ acm_process_read_urb(acm, urb); ++ break; ++ case -EPIPE: ++ set_bit(EVENT_RX_STALL, &acm->flags); ++ schedule_work(&acm->work); ++ return; ++ case -ENOENT: ++ case -ECONNRESET: ++ case -ESHUTDOWN: ++ dev_dbg(&acm->data->dev, ++ "%s - urb shutting down with status: %d\n", ++ __func__, status); ++ return; ++ default: ++ dev_dbg(&acm->data->dev, ++ "%s - nonzero urb 
status received: %d\n", ++ __func__, status); ++ break; + } + +- usb_mark_last_busy(acm->dev); +- +- acm_process_read_urb(acm, urb); + /* + * Unthrottle may run on another CPU which needs to see events + * in the same order. Submission has an implict barrier + */ + smp_mb__before_atomic(); +- set_bit(rb->index, &acm->read_urbs_free); + + /* throttle device if requested by tty */ + spin_lock_irqsave(&acm->read_lock, flags); +@@ -476,16 +488,32 @@ static void acm_write_bulk(struct urb *u + spin_lock_irqsave(&acm->write_lock, flags); + acm_write_done(acm, wb); + spin_unlock_irqrestore(&acm->write_lock, flags); ++ set_bit(EVENT_TTY_WAKEUP, &acm->flags); + schedule_work(&acm->work); + } + + static void acm_softint(struct work_struct *work) + { ++ int i; + struct acm *acm = container_of(work, struct acm, work); + + dev_vdbg(&acm->data->dev, "%s\n", __func__); + +- tty_port_tty_wakeup(&acm->port); ++ if (test_bit(EVENT_RX_STALL, &acm->flags)) { ++ if (!(usb_autopm_get_interface(acm->data))) { ++ for (i = 0; i < acm->rx_buflimit; i++) ++ usb_kill_urb(acm->read_urbs[i]); ++ usb_clear_halt(acm->dev, acm->in); ++ acm_submit_read_urbs(acm, GFP_KERNEL); ++ usb_autopm_put_interface(acm->data); ++ } ++ clear_bit(EVENT_RX_STALL, &acm->flags); ++ } ++ ++ if (test_bit(EVENT_TTY_WAKEUP, &acm->flags)) { ++ tty_port_tty_wakeup(&acm->port); ++ clear_bit(EVENT_TTY_WAKEUP, &acm->flags); ++ } + } + + /* +@@ -1680,6 +1708,15 @@ static int acm_reset_resume(struct usb_i + + #endif /* CONFIG_PM */ + ++static int acm_pre_reset(struct usb_interface *intf) ++{ ++ struct acm *acm = usb_get_intfdata(intf); ++ ++ clear_bit(EVENT_RX_STALL, &acm->flags); ++ ++ return 0; ++} ++ + #define NOKIA_PCSUITE_ACM_INFO(x) \ + USB_DEVICE_AND_INTERFACE_INFO(0x0421, x, \ + USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM, \ +@@ -1955,6 +1992,7 @@ static struct usb_driver acm_driver = { + .resume = acm_resume, + .reset_resume = acm_reset_resume, + #endif ++ .pre_reset = acm_pre_reset, + .id_table = acm_ids, + #ifdef CONFIG_PM 
+ .supports_autosuspend = 1, +--- a/drivers/usb/class/cdc-acm.h ++++ b/drivers/usb/class/cdc-acm.h +@@ -102,6 +102,9 @@ struct acm { + spinlock_t write_lock; + struct mutex mutex; + bool disconnected; ++ unsigned long flags; ++# define EVENT_TTY_WAKEUP 0 ++# define EVENT_RX_STALL 1 + struct usb_cdc_line_coding line; /* bits, stop, parity */ + struct work_struct work; /* work queue entry for line discipline waking up */ + unsigned int ctrlin; /* input control lines (DCD, DSR, RI, break, overruns) */ diff --git a/queue-3.16/cdc-acm-store-in-and-out-pipes-in-acm-structure.patch b/queue-3.16/cdc-acm-store-in-and-out-pipes-in-acm-structure.patch new file mode 100644 index 00000000..164cf171 --- /dev/null +++ b/queue-3.16/cdc-acm-store-in-and-out-pipes-in-acm-structure.patch 
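Review bot: The read URB is marked free before its buffer has been consumed again: the first cdc-acm.c hunk puts `set_bit(rb->index, &acm->read_urbs_free)` back at the top of acm_read_bulk_callback(), ahead of `acm_process_read_urb()`, which is the ordering the preceding patch in this queue ("fix race between callback and unthrottle") removed. The `smp_mb__before_atomic()` and its comment are kept, but no atomic operation follows them any more, so the barrier orders nothing visible in this hunk. Unless a later patch in the series restores the order, the bit should be set after processing on the `case 0` and `default` paths and the comment updated to match. Separately, acm_softint() tests and then clears `EVENT_RX_STALL` and `EVENT_TTY_WAKEUP` in two steps; `test_and_clear_bit()` would not lose an event raised while the handler runs.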
@@ -0,0 +1,98 @@ +From: Ladislav Michl <ladis@linux-mips.org> +Date: Fri, 18 Nov 2016 19:09:19 +0100 +Subject: cdc-acm: store in and out pipes in acm structure + +commit 74bccc9b71dc41d37e73fcdbcbec85310a670751 upstream. + +Clearing stall needs pipe descriptor, store it in acm structure. + +Signed-off-by: Ladislav Michl <ladis@linux-mips.org> +Acked-by: Oliver Neukum <oneukum@suse.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/class/cdc-acm.c | 33 +++++++++++++++++---------------- + drivers/usb/class/cdc-acm.h | 1 + + 2 files changed, 18 insertions(+), 16 deletions(-) + +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1355,8 +1355,16 @@ made_compressed_probe: + spin_lock_init(&acm->read_lock); + mutex_init(&acm->mutex); + acm->is_int_ep = usb_endpoint_xfer_int(epread); +- if (acm->is_int_ep) ++ if (acm->is_int_ep) { + acm->bInterval = epread->bInterval; ++ acm->in = usb_rcvintpipe(usb_dev, epread->bEndpointAddress); ++ } else { ++ acm->in = usb_rcvbulkpipe(usb_dev, epread->bEndpointAddress); ++ } ++ if (usb_endpoint_xfer_int(epwrite)) ++ acm->out = usb_sndintpipe(usb_dev, epwrite->bEndpointAddress); ++ else ++ acm->out = usb_sndbulkpipe(usb_dev, epwrite->bEndpointAddress); + tty_port_init(&acm->port); + acm->port.ops = &acm_port_ops; + init_usb_anchor(&acm->delayed); +@@ -1401,20 +1409,15 @@ made_compressed_probe: + } + urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP; + urb->transfer_dma = rb->dma; +- if (acm->is_int_ep) { +- usb_fill_int_urb(urb, acm->dev, +- usb_rcvintpipe(usb_dev, epread->bEndpointAddress), +- rb->base, ++ if (acm->is_int_ep) ++ usb_fill_int_urb(urb, acm->dev, acm->in, rb->base, + acm->readsize, + acm_read_bulk_callback, rb, + acm->bInterval); +- } else { +- usb_fill_bulk_urb(urb, acm->dev, +- usb_rcvbulkpipe(usb_dev, epread->bEndpointAddress), +- rb->base, ++ else ++ usb_fill_bulk_urb(urb, acm->dev, acm->in, rb->base, + 
acm->readsize, + acm_read_bulk_callback, rb); +- } + + acm->read_urbs[i] = urb; + __set_bit(i, &acm->read_urbs_free); +@@ -1430,12 +1433,10 @@ made_compressed_probe: + } + + if (usb_endpoint_xfer_int(epwrite)) +- usb_fill_int_urb(snd->urb, usb_dev, +- usb_sndintpipe(usb_dev, epwrite->bEndpointAddress), ++ usb_fill_int_urb(snd->urb, usb_dev, acm->out, + NULL, acm->writesize, acm_write_bulk, snd, epwrite->bInterval); + else +- usb_fill_bulk_urb(snd->urb, usb_dev, +- usb_sndbulkpipe(usb_dev, epwrite->bEndpointAddress), ++ usb_fill_bulk_urb(snd->urb, usb_dev, acm->out, + NULL, acm->writesize, acm_write_bulk, snd); + snd->urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP; + if (quirks & SEND_ZERO_PACKET) +@@ -1504,8 +1505,8 @@ skip_countries: + } + + if (quirks & CLEAR_HALT_CONDITIONS) { +- usb_clear_halt(usb_dev, usb_rcvbulkpipe(usb_dev, epread->bEndpointAddress)); +- usb_clear_halt(usb_dev, usb_sndbulkpipe(usb_dev, epwrite->bEndpointAddress)); ++ usb_clear_halt(usb_dev, acm->in); ++ usb_clear_halt(usb_dev, acm->out); + } + + return 0; +--- a/drivers/usb/class/cdc-acm.h ++++ b/drivers/usb/class/cdc-acm.h +@@ -83,6 +83,7 @@ struct acm { + struct usb_device *dev; /* the corresponding usb device */ + struct usb_interface *control; /* control interface */ + struct usb_interface *data; /* data interface */ ++ unsigned in, out; /* i/o pipes */ + struct tty_port port; /* our tty port data */ + struct urb *ctrlurb; /* urbs */ + u8 *ctrl_buffer; /* buffers of urbs */ diff --git a/queue-3.16/ceph-flush-dirty-inodes-before-proceeding-with-remount.patch b/queue-3.16/ceph-flush-dirty-inodes-before-proceeding-with-remount.patch new file mode 100644 index 00000000..e698eb7d --- /dev/null +++ b/queue-3.16/ceph-flush-dirty-inodes-before-proceeding-with-remount.patch 
@@ -0,0 +1,43 @@ +From: Jeff Layton <jlayton@kernel.org> +Date: Tue, 7 May 2019 09:20:54 -0400 +Subject: ceph: flush dirty inodes before proceeding with remount + +commit 00abf69dd24f4444d185982379c5cc3bb7b6d1fc upstream. + +xfstest generic/452 was triggering a "Busy inodes after umount" warning. +ceph was allowing the mount to go read-only without first flushing out +dirty inodes in the cache. Ensure we sync out the filesystem before +allowing a remount to proceed. + +Link: http://tracker.ceph.com/issues/39571 +Signed-off-by: Jeff Layton <jlayton@kernel.org> +Reviewed-by: "Yan, Zheng" <zyan@redhat.com> +Signed-off-by: Ilya Dryomov <idryomov@gmail.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + fs/ceph/super.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/fs/ceph/super.c ++++ b/fs/ceph/super.c +@@ -706,6 +706,12 @@ static void ceph_umount_begin(struct sup + return; + } + ++static int ceph_remount(struct super_block *sb, int *flags, char *data) ++{ ++ sync_filesystem(sb); ++ return 0; ++} ++ + static const struct super_operations ceph_super_ops = { + .alloc_inode = ceph_alloc_inode, + .destroy_inode = ceph_destroy_inode, +@@ -713,6 +719,7 @@ static const struct super_operations cep + .drop_inode = ceph_drop_inode, + .sync_fs = ceph_sync_fs, + .put_super = ceph_put_super, ++ .remount_fs = ceph_remount, + .show_options = ceph_show_options, + .statfs = ceph_statfs, + .umount_begin = ceph_umount_begin, diff --git a/queue-3.16/cifs-fix-strcat-buffer-overflow-and-reduce-raciness-in.patch b/queue-3.16/cifs-fix-strcat-buffer-overflow-and-reduce-raciness-in.patch new file mode 100644 index 00000000..85ac6c7e --- /dev/null +++ b/queue-3.16/cifs-fix-strcat-buffer-overflow-and-reduce-raciness-in.patch 
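Review bot: `ceph_remount()` discards the return value of `sync_filesystem(sb)` and always returns 0, so a failed flush of dirty inodes would not stop the remount from proceeding. If that is not deliberate, `return sync_filesystem(sb);` propagates the error to the caller. If it is deliberate, a one-line comment above the call saying the result is ignored on purpose (and that `flags` and `data` are unused) would save the next reader the question.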
@@ -0,0 +1,58 @@ +From: Christoph Probst <kernel@probst.it> +Date: Tue, 7 May 2019 17:16:40 +0200 +Subject: cifs: fix strcat buffer overflow and reduce raciness in + smb21_set_oplock_level() + +commit 6a54b2e002c9d00b398d35724c79f9fe0d9b38fb upstream. + +Change strcat to strncpy in the "None" case to fix a buffer overflow +when cinode->oplock is reset to 0 by another thread accessing the same +cinode. It is never valid to append "None" to any other message. + +Consolidate multiple writes to cinode->oplock to reduce raciness. + +Signed-off-by: Christoph Probst <kernel@probst.it> +Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com> +Signed-off-by: Steve French <stfrench@microsoft.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + fs/cifs/smb2ops.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -1000,26 +1000,28 @@ smb21_set_oplock_level(struct cifsInodeI + unsigned int epoch, bool *purge_cache) + { + char message[5] = {0}; ++ unsigned int new_oplock = 0; + + oplock &= 0xFF; + if (oplock == SMB2_OPLOCK_LEVEL_NOCHANGE) + return; + +- cinode->oplock = 0; + if (oplock & SMB2_LEASE_READ_CACHING_HE) { +- cinode->oplock |= CIFS_CACHE_READ_FLG; ++ new_oplock |= CIFS_CACHE_READ_FLG; + strcat(message, "R"); + } + if (oplock & SMB2_LEASE_HANDLE_CACHING_HE) { +- cinode->oplock |= CIFS_CACHE_HANDLE_FLG; ++ new_oplock |= CIFS_CACHE_HANDLE_FLG; + strcat(message, "H"); + } + if (oplock & SMB2_LEASE_WRITE_CACHING_HE) { +- cinode->oplock |= CIFS_CACHE_WRITE_FLG; ++ new_oplock |= CIFS_CACHE_WRITE_FLG; + strcat(message, "W"); + } +- if (!cinode->oplock) +- strcat(message, "None"); ++ if (!new_oplock) ++ strncpy(message, "None", sizeof(message)); ++ ++ cinode->oplock = new_oplock; + cifs_dbg(FYI, "%s Lease granted on inode %p\n", message, + &cinode->vfs_inode); + } 
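Review bot: `strncpy(message, "None", sizeof(message));` produces a terminated string only because `char message[5]` is exactly strlen("None") + 1. strncpy() writes no NUL when the source fills the destination, so a later change to the buffer size or the text would hand an unterminated buffer to the `%s` in cifs_dbg(). A copy that always terminates, `strlcpy(message, "None", sizeof(message));`, gives the same result without that dependency. The final `cinode->oplock = new_oplock;` is still a plain unlocked store, which matches the commit's "reduce raciness" wording rather than removing the race.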
diff --git a/queue-3.16/clk-tegra-fix-pllm-programming-on-tegra124-when-pmc-overrides.patch b/queue-3.16/clk-tegra-fix-pllm-programming-on-tegra124-when-pmc-overrides.patch new file mode 100644 index 00000000..6b29579f --- /dev/null +++ b/queue-3.16/clk-tegra-fix-pllm-programming-on-tegra124-when-pmc-overrides.patch @@ -0,0 +1,35 @@ +From: Dmitry Osipenko <digetx@gmail.com> +Date: Fri, 12 Apr 2019 00:48:34 +0300 +Subject: clk: tegra: Fix PLLM programming on Tegra124+ when PMC overrides + divider + +commit 40db569d6769ffa3864fd1b89616b1a7323568a8 upstream. + +There are wrongly set parenthesis in the code that are resulting in a +wrong configuration being programmed for PLLM. The original fix was made +by Danny Huang in the downstream kernel. The patch was tested on Nyan Big +Tegra124 chromebook, PLLM rate changing works correctly now and system +doesn't lock up after changing the PLLM rate due to EMC scaling. + +Tested-by: Steev Klimaszewski <steev@kali.org> +Signed-off-by: Dmitry Osipenko <digetx@gmail.com> +Acked-By: Peter De Schrijver <pdeschrijver@nvidia.com> +Signed-off-by: Stephen Boyd <sboyd@kernel.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/clk/tegra/clk-pll.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/clk/tegra/clk-pll.c ++++ b/drivers/clk/tegra/clk-pll.c +@@ -486,8 +486,8 @@ static void _update_pll_mnp(struct tegra + pll_override_writel(val, params->pmc_divp_reg, pll); + + val = pll_override_readl(params->pmc_divnm_reg, pll); +- val &= ~(divm_mask(pll) << div_nmp->override_divm_shift) | +- ~(divn_mask(pll) << div_nmp->override_divn_shift); ++ val &= ~((divm_mask(pll) << div_nmp->override_divm_shift) | ++ (divn_mask(pll) << div_nmp->override_divn_shift)); + val |= (cfg->m << div_nmp->override_divm_shift) | + (cfg->n << div_nmp->override_divn_shift); + pll_override_writel(val, params->pmc_divnm_reg, pll); 
diff --git a/queue-3.16/crypto-arm-aes-neonbs-don-t-access-already-freed-walk.iv.patch b/queue-3.16/crypto-arm-aes-neonbs-don-t-access-already-freed-walk.iv.patch
new file mode 100644
index 00000000..4b6d27f5
--- /dev/null
+++ b/queue-3.16/crypto-arm-aes-neonbs-don-t-access-already-freed-walk.iv.patch
@@ -0,0 +1,47 @@ +From: Eric Biggers <ebiggers@google.com> +Date: Tue, 9 Apr 2019 23:46:31 -0700 +Subject: crypto: arm/aes-neonbs - don't access already-freed walk.iv + +commit 767f015ea0b7ab9d60432ff6cd06b664fd71f50f upstream. + +If the user-provided IV needs to be aligned to the algorithm's +alignmask, then skcipher_walk_virt() copies the IV into a new aligned +buffer walk.iv. But skcipher_walk_virt() can fail afterwards, and then +if the caller unconditionally accesses walk.iv, it's a use-after-free. + +arm32 xts-aes-neonbs doesn't set an alignmask, so currently it isn't +affected by this despite unconditionally accessing walk.iv. However +this is more subtle than desired, and it was actually broken prior to +the alignmask being removed by commit cc477bf64573 ("crypto: arm/aes - +replace bit-sliced OpenSSL NEON code"). Thus, update xts-aes-neonbs to +start checking the return value of skcipher_walk_virt(). + +Fixes: e4e7f10bfc40 ("ARM: add support for bit sliced AES using NEON instructions") +Signed-off-by: Eric Biggers <ebiggers@google.com> +Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + arch/arm/crypto/aesbs-glue.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/arm/crypto/aesbs-glue.c ++++ b/arch/arm/crypto/aesbs-glue.c +@@ -259,6 +259,8 @@ static int aesbs_xts_encrypt(struct blkc + + blkcipher_walk_init(&walk, dst, src, nbytes); + err = blkcipher_walk_virt_block(desc, &walk, 8 * AES_BLOCK_SIZE); ++ if (err) ++ return err; + + /* generate the initial tweak */ + AES_encrypt(walk.iv, walk.iv, &ctx->twkey); +@@ -283,6 +285,8 @@ static int aesbs_xts_decrypt(struct blkc + + blkcipher_walk_init(&walk, dst, src, nbytes); + err = blkcipher_walk_virt_block(desc, &walk, 8 * AES_BLOCK_SIZE); ++ if (err) ++ return err; + + /* generate the initial tweak */ + AES_encrypt(walk.iv, walk.iv, &ctx->twkey); 
diff --git a/queue-3.16/crypto-crct10dif-generic-fix-use-via-crypto_shash_digest.patch b/queue-3.16/crypto-crct10dif-generic-fix-use-via-crypto_shash_digest.patch
new file mode 100644
index 00000000..9ffaefff
--- /dev/null
+++ b/queue-3.16/crypto-crct10dif-generic-fix-use-via-crypto_shash_digest.patch
@@ -0,0 +1,60 @@ +From: Eric Biggers <ebiggers@google.com> +Date: Sun, 31 Mar 2019 13:04:12 -0700 +Subject: crypto: crct10dif-generic - fix use via crypto_shash_digest() + +commit 307508d1072979f4435416f87936f87eaeb82054 upstream. + +The ->digest() method of crct10dif-generic reads the current CRC value +from the shash_desc context. But this value is uninitialized, causing +crypto_shash_digest() to compute the wrong result. Fix it. + +Probably this wasn't noticed before because lib/crc-t10dif.c only uses +crypto_shash_update(), not crypto_shash_digest(). Likewise, +crypto_shash_digest() is not yet tested by the crypto self-tests because +those only test the ahash API which only uses shash init/update/final. + +This bug was detected by my patches that improve testmgr to fuzz +algorithms against their generic implementation. + +Fixes: 2d31e518a428 ("crypto: crct10dif - Wrap crc_t10dif function all to use crypto transform framework") +Cc: Tim Chen <tim.c.chen@linux.intel.com> +Signed-off-by: Eric Biggers <ebiggers@google.com> +Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + crypto/crct10dif_generic.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +--- a/crypto/crct10dif_generic.c ++++ b/crypto/crct10dif_generic.c +@@ -65,10 +65,9 @@ static int chksum_final(struct shash_des + return 0; + } + +-static int __chksum_finup(__u16 *crcp, const u8 *data, unsigned int len, +- u8 *out) ++static int __chksum_finup(__u16 crc, const u8 *data, unsigned int len, u8 *out) + { +- *(__u16 *)out = crc_t10dif_generic(*crcp, data, len); ++ *(__u16 *)out = crc_t10dif_generic(crc, data, len); + return 0; + } + +@@ -77,15 +76,13 @@ static int chksum_finup(struct shash_des + { + struct chksum_desc_ctx *ctx = shash_desc_ctx(desc); + +- return __chksum_finup(&ctx->crc, data, len, out); ++ return __chksum_finup(ctx->crc, data, len, out); + } + + static int chksum_digest(struct shash_desc *desc, const u8 
*data, + unsigned int length, u8 *out) + { +- struct chksum_desc_ctx *ctx = shash_desc_ctx(desc); +- +- return __chksum_finup(&ctx->crc, data, length, out); ++ return __chksum_finup(0, data, length, out); + } + + static struct shash_alg alg = { diff --git a/queue-3.16/crypto-salsa20-don-t-access-already-freed-walk.iv.patch b/queue-3.16/crypto-salsa20-don-t-access-already-freed-walk.iv.patch new file mode 100644 index 00000000..d8e40705 --- /dev/null +++ b/queue-3.16/crypto-salsa20-don-t-access-already-freed-walk.iv.patch 
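Review bot: In `chksum_digest()` the literal `0` passed to `__chksum_finup()` has to equal the initial CRC that the init path (outside these hunks) stores in the descriptor context, and nothing in the code says so. A short comment such as `/* one-shot digest: start from the initial CRC, not desc state */` would keep the two in step; the same applies to the identical change in crct10dif-pclmul_glue.c later in this queue. Also, `*(__u16 *)out = ...` stores through a cast `u8 *`, which assumes `out` is suitably aligned; that is presumably guaranteed by the shash layer but is worth confirming for this backport.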
@@ -0,0 +1,40 @@ +From: Eric Biggers <ebiggers@google.com> +Date: Tue, 9 Apr 2019 23:46:30 -0700 +Subject: crypto: salsa20 - don't access already-freed walk.iv + +commit edaf28e996af69222b2cb40455dbb5459c2b875a upstream. + +If the user-provided IV needs to be aligned to the algorithm's +alignmask, then skcipher_walk_virt() copies the IV into a new aligned +buffer walk.iv. But skcipher_walk_virt() can fail afterwards, and then +if the caller unconditionally accesses walk.iv, it's a use-after-free. + +salsa20-generic doesn't set an alignmask, so currently it isn't affected +by this despite unconditionally accessing walk.iv. However this is more +subtle than desired, and it was actually broken prior to the alignmask +being removed by commit b62b3db76f73 ("crypto: salsa20-generic - cleanup +and convert to skcipher API"). + +Since salsa20-generic does not update the IV and does not need any IV +alignment, update it to use req->iv instead of walk.iv. + +Fixes: 2407d60872dd ("[CRYPTO] salsa20: Salsa20 stream cipher") +Signed-off-by: Eric Biggers <ebiggers@google.com> +Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + crypto/salsa20_generic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/crypto/salsa20_generic.c ++++ b/crypto/salsa20_generic.c +@@ -186,7 +186,7 @@ static int encrypt(struct blkcipher_desc + blkcipher_walk_init(&walk, dst, src, nbytes); + err = blkcipher_walk_virt_block(desc, &walk, 64); + +- salsa20_ivsetup(ctx, walk.iv); ++ salsa20_ivsetup(ctx, desc->info); + + while (walk.nbytes >= 64) { + salsa20_encrypt_bytes(ctx, walk.dst.virt.addr, diff --git a/queue-3.16/crypto-x86-crct10dif-pcl-fix-use-via-crypto_shash_digest.patch b/queue-3.16/crypto-x86-crct10dif-pcl-fix-use-via-crypto_shash_digest.patch new file mode 100644 index 00000000..cad048ff --- /dev/null 
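Review bot: `err` from `blkcipher_walk_virt_block()` is still not checked before `salsa20_ivsetup(ctx, desc->info)` and the `while (walk.nbytes >= 64)` loop. Switching to `desc->info` removes the access to walk.iv, but the function then depends on the walk state being empty after a failure, which cannot be confirmed from this hunk. The aesbs-glue.c patch in this same queue handles the same call with `if (err)` / `return err;` directly after it, and doing the same here would make the failure path explicit. The rest of encrypt() lies outside the hunk.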
+++ b/queue-3.16/crypto-x86-crct10dif-pcl-fix-use-via-crypto_shash_digest.patch 
@@ -0,0 +1,64 @@ +From: Eric Biggers <ebiggers@google.com> +Date: Sun, 31 Mar 2019 13:04:13 -0700 +Subject: crypto: x86/crct10dif-pcl - fix use via crypto_shash_digest() + +commit dec3d0b1071a0f3194e66a83d26ecf4aa8c5910e upstream. + +The ->digest() method of crct10dif-pclmul reads the current CRC value +from the shash_desc context. But this value is uninitialized, causing +crypto_shash_digest() to compute the wrong result. Fix it. + +Probably this wasn't noticed before because lib/crc-t10dif.c only uses +crypto_shash_update(), not crypto_shash_digest(). Likewise, +crypto_shash_digest() is not yet tested by the crypto self-tests because +those only test the ahash API which only uses shash init/update/final. + +Fixes: 0b95a7f85718 ("crypto: crct10dif - Glue code to cast accelerated CRCT10DIF assembly as a crypto transform") +Cc: Tim Chen <tim.c.chen@linux.intel.com> +Signed-off-by: Eric Biggers <ebiggers@google.com> +Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + arch/x86/crypto/crct10dif-pclmul_glue.c | 13 +++++-------- + 1 file changed, 5 insertions(+), 8 deletions(-) + +--- a/arch/x86/crypto/crct10dif-pclmul_glue.c ++++ b/arch/x86/crypto/crct10dif-pclmul_glue.c +@@ -76,15 +76,14 @@ static int chksum_final(struct shash_des + return 0; + } + +-static int __chksum_finup(__u16 *crcp, const u8 *data, unsigned int len, +- u8 *out) ++static int __chksum_finup(__u16 crc, const u8 *data, unsigned int len, u8 *out) + { + if (irq_fpu_usable()) { + kernel_fpu_begin(); +- *(__u16 *)out = crc_t10dif_pcl(*crcp, data, len); ++ *(__u16 *)out = crc_t10dif_pcl(crc, data, len); + kernel_fpu_end(); + } else +- *(__u16 *)out = crc_t10dif_generic(*crcp, data, len); ++ *(__u16 *)out = crc_t10dif_generic(crc, data, len); + return 0; + } + +@@ -93,15 +92,13 @@ static int chksum_finup(struct shash_des + { + struct chksum_desc_ctx *ctx = shash_desc_ctx(desc); + +- return 
__chksum_finup(&ctx->crc, data, len, out); ++ return __chksum_finup(ctx->crc, data, len, out); + } + + static int chksum_digest(struct shash_desc *desc, const u8 *data, + unsigned int length, u8 *out) + { +- struct chksum_desc_ctx *ctx = shash_desc_ctx(desc); +- +- return __chksum_finup(&ctx->crc, data, length, out); ++ return __chksum_finup(0, data, length, out); + } + + static struct shash_alg alg = { diff --git a/queue-3.16/cxgb3-l2t-fix-undefined-behaviour.patch b/queue-3.16/cxgb3-l2t-fix-undefined-behaviour.patch new file mode 100644 index 00000000..50b8fca9 --- /dev/null +++ b/queue-3.16/cxgb3-l2t-fix-undefined-behaviour.patch 
@@ -0,0 +1,43 @@ +From: "Gustavo A. R. Silva" <gustavo@embeddedor.com> +Date: Fri, 29 Mar 2019 10:27:26 -0500 +Subject: cxgb3/l2t: Fix undefined behaviour + +commit 76497732932f15e7323dc805e8ea8dc11bb587cf upstream. + +The use of zero-sized array causes undefined behaviour when it is not +the last member in a structure. As it happens to be in this case. + +Also, the current code makes use of a language extension to the C90 +standard, but the preferred mechanism to declare variable-length +types such as this one is a flexible array member, introduced in +C99: + +struct foo { + int stuff; + struct boo array[]; +}; + +By making use of the mechanism above, we will get a compiler warning +in case the flexible array does not occur last. Which is beneficial +to cultivate a high-quality code. + +Fixes: e48f129c2f20 ("[SCSI] cxgb3i: convert cdev->l2opt to use rcu to prevent NULL dereference") +Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/chelsio/cxgb3/l2t.h ++++ b/drivers/net/ethernet/chelsio/cxgb3/l2t.h +@@ -75,8 +75,8 @@ struct l2t_data { + struct l2t_entry *rover; /* starting point for next allocation */ + atomic_t nfree; /* number of free entries */ + rwlock_t lock; +- struct l2t_entry l2tab[0]; + struct rcu_head rcu_head; /* to handle rcu cleanup */ ++ struct l2t_entry l2tab[]; + }; + + typedef void (*arp_failure_handler_func)(struct t3cdev * dev, diff --git a/queue-3.16/drivers-virt-fsl_hypervisor.c-dereferencing-error-pointers-in-ioctl.patch b/queue-3.16/drivers-virt-fsl_hypervisor.c-dereferencing-error-pointers-in-ioctl.patch new file mode 100644 index 00000000..f741c276 --- /dev/null +++ b/queue-3.16/drivers-virt-fsl_hypervisor.c-dereferencing-error-pointers-in-ioctl.patch 
@@ -0,0 +1,99 @@ +From: Dan Carpenter <dan.carpenter@oracle.com> +Date: Tue, 14 May 2019 15:47:00 -0700 +Subject: drivers/virt/fsl_hypervisor.c: dereferencing error pointers in ioctl + +commit c8ea3663f7a8e6996d44500ee818c9330ac4fd88 upstream. + +strndup_user() returns error pointers on error, and then in the error +handling we pass the error pointers to kfree(). It will cause an Oops. + +Link: http://lkml.kernel.org/r/20181218082003.GD32567@kadam +Fixes: 6db7199407ca ("drivers/virt: introduce Freescale hypervisor management driver") +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Reviewed-by: Andrew Morton <akpm@linux-foundation.org> +Cc: Timur Tabi <timur@freescale.com> +Cc: Mihai Caraman <mihai.caraman@freescale.com> +Cc: Kumar Gala <galak@kernel.crashing.org> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/virt/fsl_hypervisor.c | 26 +++++++++++++------------- + 1 file changed, 13 insertions(+), 13 deletions(-) + +--- a/drivers/virt/fsl_hypervisor.c ++++ b/drivers/virt/fsl_hypervisor.c +@@ -338,8 +338,8 @@ static long ioctl_dtprop(struct fsl_hv_i + struct fsl_hv_ioctl_prop param; + char __user *upath, *upropname; + void __user *upropval; +- char *path = NULL, *propname = NULL; +- void *propval = NULL; ++ char *path, *propname; ++ void *propval; + int ret = 0; + + /* Get the parameters from the user. 
*/ +@@ -351,32 +351,30 @@ static long ioctl_dtprop(struct fsl_hv_i + upropval = (void __user *)(uintptr_t)param.propval; + + path = strndup_user(upath, FH_DTPROP_MAX_PATHLEN); +- if (IS_ERR(path)) { +- ret = PTR_ERR(path); +- goto out; +- } ++ if (IS_ERR(path)) ++ return PTR_ERR(path); + + propname = strndup_user(upropname, FH_DTPROP_MAX_PATHLEN); + if (IS_ERR(propname)) { + ret = PTR_ERR(propname); +- goto out; ++ goto err_free_path; + } + + if (param.proplen > FH_DTPROP_MAX_PROPLEN) { + ret = -EINVAL; +- goto out; ++ goto err_free_propname; + } + + propval = kmalloc(param.proplen, GFP_KERNEL); + if (!propval) { + ret = -ENOMEM; +- goto out; ++ goto err_free_propname; + } + + if (set) { + if (copy_from_user(propval, upropval, param.proplen)) { + ret = -EFAULT; +- goto out; ++ goto err_free_propval; + } + + param.ret = fh_partition_set_dtprop(param.handle, +@@ -395,7 +393,7 @@ static long ioctl_dtprop(struct fsl_hv_i + if (copy_to_user(upropval, propval, param.proplen) || + put_user(param.proplen, &p->proplen)) { + ret = -EFAULT; +- goto out; ++ goto err_free_propval; + } + } + } +@@ -403,10 +401,12 @@ static long ioctl_dtprop(struct fsl_hv_i + if (put_user(param.ret, &p->ret)) + ret = -EFAULT; + +-out: +- kfree(path); ++err_free_propval: + kfree(propval); ++err_free_propname: + kfree(propname); ++err_free_path: ++ kfree(path); + + return ret; + } diff --git a/queue-3.16/drm-fb-helper-dpms_legacy-only-set-on-connectors-in-use.patch b/queue-3.16/drm-fb-helper-dpms_legacy-only-set-on-connectors-in-use.patch new file mode 100644 index 00000000..e1d20ec4 --- /dev/null +++ b/queue-3.16/drm-fb-helper-dpms_legacy-only-set-on-connectors-in-use.patch 
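Review bot: `propval` comes from `kmalloc(param.proplen, GFP_KERNEL)` and in the get path is copied out with `copy_to_user(upropval, propval, param.proplen)`, so any bytes the hypercall (between the hunks, not visible here) did not fill would reach user space as stale heap contents. Allocating with `kzalloc(param.proplen, GFP_KERNEL)` closes that off cheaply. If the hypercall can update `param.proplen`, the value should also be re-checked against the allocated size before the copy. Minor: the success path falls through the new `err_free_*` labels too, so `free_propval:` / `free_propname:` / `free_path:` would describe them more accurately.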
@@ -0,0 +1,53 @@ +From: =?UTF-8?q?Noralf=20Tr=C3=B8nnes?= <noralf@tronnes.org> +Date: Tue, 26 Mar 2019 18:55:32 +0100 +Subject: drm/fb-helper: dpms_legacy(): Only set on connectors in use +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 65a102f68005891d7f39354cfd79099908df6d51 upstream. + +For each enabled crtc the functions sets dpms on all registered connectors. +Limit this to only doing it once and on the connectors actually in use. + +Signed-off-by: Noralf Trønnes <noralf@tronnes.org> +Fixes: 023eb571a1d0 ("drm: correctly update connector DPMS status in drm_fb_helper") +Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch> +Link: https://patchwork.freedesktop.org/patch/msgid/20190326175546.18126-3-noralf@tronnes.org +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/gpu/drm/drm_fb_helper.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +--- a/drivers/gpu/drm/drm_fb_helper.c ++++ b/drivers/gpu/drm/drm_fb_helper.c +@@ -453,8 +453,8 @@ static void drm_fb_helper_dpms(struct fb + { + struct drm_fb_helper *fb_helper = info->par; + struct drm_device *dev = fb_helper->dev; +- struct drm_crtc *crtc; + struct drm_connector *connector; ++ struct drm_mode_set *modeset; + int i, j; + + /* +@@ -475,14 +475,13 @@ static void drm_fb_helper_dpms(struct fb + } + + for (i = 0; i < fb_helper->crtc_count; i++) { +- crtc = fb_helper->crtc_info[i].mode_set.crtc; ++ modeset = &fb_helper->crtc_info[i].mode_set; + +- if (!crtc->enabled) ++ if (!modeset->crtc->enabled) + continue; + +- /* Walk the connectors & encoders on this fb turning them on/off */ +- for (j = 0; j < fb_helper->connector_count; j++) { +- connector = fb_helper->connector_info[j]->connector; ++ for (j = 0; j < modeset->num_connectors; j++) { ++ connector = modeset->connectors[j]; + connector->funcs->dpms(connector, dpms_mode); + drm_object_property_set_value(&connector->base, + 
dev->mode_config.dpms_property, dpms_mode); diff --git a/queue-3.16/drm-radeon-prefer-lower-reference-dividers.patch b/queue-3.16/drm-radeon-prefer-lower-reference-dividers.patch new file mode 100644 index 00000000..76597719 --- /dev/null +++ b/queue-3.16/drm-radeon-prefer-lower-reference-dividers.patch @@ -0,0 +1,40 @@ +From: =?UTF-8?q?Christian=20K=C3=B6nig?= <christian.koenig@amd.com> +Date: Mon, 6 May 2019 19:57:52 +0200 +Subject: drm/radeon: prefer lower reference dividers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 2e26ccb119bde03584be53406bbd22e711b0d6e6 upstream. + +Instead of the closest reference divider prefer the lowest, +this fixes flickering issues on HP Compaq nx9420. + +Bugs: https://bugs.freedesktop.org/show_bug.cgi?id=108514 +Suggested-by: Paul Dufresne <dufresnep@gmail.com> +Signed-off-by: Christian König <christian.koenig@amd.com> +Acked-by: Alex Deucher <alexander.deucher@amd.com> +Signed-off-by: Alex Deucher <alexander.deucher@amd.com> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/gpu/drm/radeon/radeon_display.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/radeon/radeon_display.c ++++ b/drivers/gpu/drm/radeon/radeon_display.c +@@ -942,12 +942,12 @@ static void avivo_get_fb_ref_div(unsigne + ref_div_max = max(min(100 / post_div, ref_div_max), 1u); + + /* get matching reference and feedback divider */ +- *ref_div = min(max(DIV_ROUND_CLOSEST(den, post_div), 1u), ref_div_max); ++ *ref_div = min(max(den/post_div, 1u), ref_div_max); + *fb_div = DIV_ROUND_CLOSEST(nom * *ref_div * post_div, den); + + /* limit fb divider to its maximum */ + if (*fb_div > fb_div_max) { +- *ref_div = DIV_ROUND_CLOSEST(*ref_div * fb_div_max, *fb_div); ++ *ref_div = (*ref_div * fb_div_max)/(*fb_div); + *fb_div = fb_div_max; + } + } 
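Review bot: In the radeon_display.c hunk, `*ref_div = (*ref_div * fb_div_max)/(*fb_div);` now truncates, so it yields 0 whenever `*ref_div` is 1, because this branch runs only when `*fb_div > fb_div_max`. The first assignment is clamped with `max(..., 1u)` but this one is not, and a zero reference divider would be a divide-by-zero hazard wherever it is later used as a denominator (the callers are outside the hunk). I would clamp it the same way: `*ref_div = max((*ref_div * fb_div_max) / *fb_div, 1u);`.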
diff --git a/queue-3.16/ehea-fix-a-copy-paste-err-in-ehea_init_port_res.patch b/queue-3.16/ehea-fix-a-copy-paste-err-in-ehea_init_port_res.patch new file mode 100644 index 00000000..5c60040d --- /dev/null +++ b/queue-3.16/ehea-fix-a-copy-paste-err-in-ehea_init_port_res.patch @@ -0,0 +1,30 @@ +From: YueHaibing <yuehaibing@huawei.com> +Date: Wed, 3 Apr 2019 15:47:59 +0800 +Subject: ehea: Fix a copy-paste err in ehea_init_port_res + +commit c8f191282f819ab4e9b47b22a65c6c29734cefce upstream. + +pr->tx_bytes should be assigned to tx_bytes other than +rx_bytes. + +Reported-by: Hulk Robot <hulkci@huawei.com> +Fixes: ce45b873028f ("ehea: Fixing statistics") +Signed-off-by: YueHaibing <yuehaibing@huawei.com> +Reviewed-by: Mukesh Ojha <mojha@codeaurora.org> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/net/ethernet/ibm/ehea/ehea_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/ibm/ehea/ehea_main.c ++++ b/drivers/net/ethernet/ibm/ehea/ehea_main.c +@@ -1476,7 +1476,7 @@ static int ehea_init_port_res(struct ehe + + memset(pr, 0, sizeof(struct ehea_port_res)); + +- pr->tx_bytes = rx_bytes; ++ pr->tx_bytes = tx_bytes; + pr->tx_packets = tx_packets; + pr->rx_bytes = rx_bytes; + pr->rx_packets = rx_packets; diff --git a/queue-3.16/ext4-actually-request-zeroing-of-inode-table-after-grow.patch b/queue-3.16/ext4-actually-request-zeroing-of-inode-table-after-grow.patch new file mode 100644 index 00000000..f534b40e --- /dev/null +++ b/queue-3.16/ext4-actually-request-zeroing-of-inode-table-after-grow.patch 
@@ -0,0 +1,32 @@ +From: Kirill Tkhai <ktkhai@virtuozzo.com> +Date: Thu, 25 Apr 2019 13:06:18 -0400 +Subject: ext4: actually request zeroing of inode table after grow + +commit 310a997fd74de778b9a4848a64be9cda9f18764a upstream. + +It is never possible, that number of block groups decreases, +since only online grow is supported. + +But after a growing occured, we have to zero inode tables +for just created new block groups. + +Fixes: 19c5246d2516 ("ext4: add new online resize interface") +Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com> +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Reviewed-by: Jan Kara <jack@suse.cz> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + fs/ext4/ioctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ext4/ioctl.c ++++ b/fs/ext4/ioctl.c +@@ -634,7 +634,7 @@ group_add_out: + if (err == 0) + err = err2; + mnt_drop_write_file(filp); +- if (!err && (o_group > EXT4_SB(sb)->s_groups_count) && ++ if (!err && (o_group < EXT4_SB(sb)->s_groups_count) && + ext4_has_group_desc_csum(sb) && + test_opt(sb, INIT_INODE_TABLE)) + err = ext4_register_li_request(sb, o_group); diff --git a/queue-3.16/ext4-fix-data-corruption-caused-by-overlapping-unaligned-and-aligned.patch b/queue-3.16/ext4-fix-data-corruption-caused-by-overlapping-unaligned-and-aligned.patch new file mode 100644 index 00000000..0b10baf9 --- /dev/null +++ b/queue-3.16/ext4-fix-data-corruption-caused-by-overlapping-unaligned-and-aligned.patch 
@@ -0,0 +1,48 @@ +From: Lukas Czerner <lczerner@redhat.com> +Date: Fri, 10 May 2019 21:45:33 -0400 +Subject: ext4: fix data corruption caused by overlapping unaligned and aligned + IO + +commit 57a0da28ced8707cb9f79f071a016b9d005caf5a upstream. + +Unaligned AIO must be serialized because the zeroing of partial blocks +of unaligned AIO can result in data corruption in case it's overlapping +another in flight IO. + +Currently we wait for all unwritten extents before we submit unaligned +AIO which protects data in case of unaligned AIO is following overlapping +IO. However if a unaligned AIO is followed by overlapping aligned AIO we +can still end up corrupting data. + +To fix this, we must make sure that the unaligned AIO is the only IO in +flight by waiting for unwritten extents conversion not just before the +IO submission, but right after it as well. + +This problem can be reproduced by xfstest generic/538 + +Signed-off-by: Lukas Czerner <lczerner@redhat.com> +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +[bwh: Backported to 3.16: + - Test aio_mutex instead of unaligned_aio + - Adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + fs/ext4/file.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/fs/ext4/file.c ++++ b/fs/ext4/file.c +@@ -173,6 +173,13 @@ ext4_file_write_iter(struct kiocb *iocb, + } + + ret = __generic_file_write_iter(iocb, from); ++ /* ++ * Unaligned direct AIO must be the only IO in flight. Otherwise ++ * overlapping aligned IO after unaligned might result in data ++ * corruption. ++ */ ++ if (ret == -EIOCBQUEUED && aio_mutex) ++ ext4_unwritten_wait(inode); + mutex_unlock(&inode->i_mutex); + + if (ret > 0) { diff --git a/queue-3.16/fuse-fallocate-fix-return-with-locked-inode.patch b/queue-3.16/fuse-fallocate-fix-return-with-locked-inode.patch new file mode 100644 index 00000000..13950ef3 --- /dev/null +++ b/queue-3.16/fuse-fallocate-fix-return-with-locked-inode.patch 
@@ -0,0 +1,31 @@ +From: Miklos Szeredi <mszeredi@redhat.com> +Date: Mon, 27 May 2019 11:42:07 +0200 +Subject: fuse: fallocate: fix return with locked inode + +commit 35d6fcbb7c3e296a52136347346a698a35af3fda upstream. + +Do the proper cleanup in case the size check fails. + +Tested with xfstests:generic/228 + +Reported-by: kbuild test robot <lkp@intel.com> +Reported-by: Dan Carpenter <dan.carpenter@oracle.com> +Fixes: 0cbade024ba5 ("fuse: honor RLIMIT_FSIZE in fuse_file_fallocate") +Cc: Liu Bo <bo.liu@linux.alibaba.com> +Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + fs/fuse/file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/fuse/file.c ++++ b/fs/fuse/file.c +@@ -3021,7 +3021,7 @@ static long fuse_file_fallocate(struct f + offset + length > i_size_read(inode)) { + err = inode_newsize_ok(inode, offset + length); + if (err) +- return err; ++ goto out; + } + + if (!(mode & FALLOC_FL_KEEP_SIZE)) diff --git a/queue-3.16/fuse-fix-writepages-on-32bit.patch b/queue-3.16/fuse-fix-writepages-on-32bit.patch new file mode 100644 index 00000000..b4e0aff1 --- /dev/null +++ b/queue-3.16/fuse-fix-writepages-on-32bit.patch 
@@ -0,0 +1,31 @@ +From: Miklos Szeredi <mszeredi@redhat.com> +Date: Wed, 24 Apr 2019 17:05:06 +0200 +Subject: fuse: fix writepages on 32bit + +commit 9de5be06d0a89ca97b5ab902694d42dfd2bb77d2 upstream. + +Writepage requests were cropped to i_size & 0xffffffff, which meant that +mmaped writes to any file larger than 4G might be silently discarded. + +Fix by storing the file size in a properly sized variable (loff_t instead +of size_t). + +Reported-by: Antonio SJ Musumeci <trapexit@spawn.link> +Fixes: 6eaf4782eb09 ("fuse: writepages: crop secondary requests") +Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + fs/fuse/file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/fuse/file.c ++++ b/fs/fuse/file.c +@@ -1597,7 +1597,7 @@ __acquires(fc->lock) + { + struct fuse_conn *fc = get_fuse_conn(inode); + struct fuse_inode *fi = get_fuse_inode(inode); +- size_t crop = i_size_read(inode); ++ loff_t crop = i_size_read(inode); + struct fuse_req *req; + + while (fi->writectr >= 0 && !list_empty(&fi->queued_writes)) { diff --git a/queue-3.16/fuse-honor-rlimit_fsize-in-fuse_file_fallocate.patch b/queue-3.16/fuse-honor-rlimit_fsize-in-fuse_file_fallocate.patch new file mode 100644 index 00000000..64bbb5d1 --- /dev/null +++ b/queue-3.16/fuse-honor-rlimit_fsize-in-fuse_file_fallocate.patch 
@@ -0,0 +1,35 @@ +From: Liu Bo <bo.liu@linux.alibaba.com> +Date: Thu, 18 Apr 2019 04:04:41 +0800 +Subject: fuse: honor RLIMIT_FSIZE in fuse_file_fallocate + +commit 0cbade024ba501313da3b7e5dd2a188a6bc491b5 upstream. + +fstests generic/228 reported this failure that fuse fallocate does not +honor what 'ulimit -f' has set. + +This adds the necessary inode_newsize_ok() check. + +Signed-off-by: Liu Bo <bo.liu@linux.alibaba.com> +Fixes: 05ba1f082300 ("fuse: add FALLOCATE operation") +Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + fs/fuse/file.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/fs/fuse/file.c ++++ b/fs/fuse/file.c +@@ -3017,6 +3017,13 @@ static long fuse_file_fallocate(struct f + } + } + ++ if (!(mode & FALLOC_FL_KEEP_SIZE) && ++ offset + length > i_size_read(inode)) { ++ err = inode_newsize_ok(inode, offset + length); ++ if (err) ++ return err; ++ } ++ + if (!(mode & FALLOC_FL_KEEP_SIZE)) + set_bit(FUSE_I_SIZE_UNSTABLE, &fi->state); + diff --git a/queue-3.16/hwmon-f71805f-use-request_muxed_region-for-super-io-accesses.patch b/queue-3.16/hwmon-f71805f-use-request_muxed_region-for-super-io-accesses.patch new file mode 100644 index 00000000..a3645f92 --- /dev/null +++ b/queue-3.16/hwmon-f71805f-use-request_muxed_region-for-super-io-accesses.patch 
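Review bot: The added `return err;` after `inode_newsize_ok()` leaves fuse_file_fallocate() directly, while the rest of the function (outside the hunk) appears to unwind through an `out` label. This queue also adds fuse-fallocate-fix-return-with-locked-inode.patch, which turns this line into `goto out;`, so the two patches are only safe as a pair and in this order. Please confirm that the series file lists both, with this one first.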
@@ -0,0 +1,85 @@
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Thu, 4 Apr 2019 10:52:43 -0700
+Subject: hwmon: (f71805f) Use request_muxed_region for Super-IO accesses
+
+commit 73e6ff71a7ea924fb7121d576a2d41e3be3fc6b5 upstream.
+
+Super-IO accesses may fail on a system with no or unmapped LPC bus.
+
+Unable to handle kernel paging request at virtual address ffffffbffee0002e
+pgd = ffffffc1d68d4000
+[ffffffbffee0002e] *pgd=0000000000000000, *pud=0000000000000000
+Internal error: Oops: 94000046 [#1] PREEMPT SMP
+Modules linked in: f71805f(+) hwmon
+CPU: 3 PID: 1659 Comm: insmod Not tainted 4.5.0+ #88
+Hardware name: linux,dummy-virt (DT)
+task: ffffffc1f6665400 ti: ffffffc1d6418000 task.ti: ffffffc1d6418000
+PC is at f71805f_find+0x6c/0x358 [f71805f]
+
+Also, other drivers may attempt to access the LPC bus at the same time,
+resulting in undefined behavior.
+
+Use request_muxed_region() to ensure that IO access on the requested
+address space is supported, and to ensure that access by multiple
+drivers is synchronized.
+
+Fixes: e53004e20a58e ("hwmon: New f71805f driver")
+Reported-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Reported-by: John Garry <john.garry@huawei.com>
+Cc: John Garry <john.garry@huawei.com>
+Acked-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/hwmon/f71805f.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/drivers/hwmon/f71805f.c
++++ b/drivers/hwmon/f71805f.c
+@@ -96,17 +96,23 @@ superio_select(int base, int ld)
+ outb(ld, base + 1);
+ }
+
+-static inline void
++static inline int
+ superio_enter(int base)
+ {
++ if (!request_muxed_region(base, 2, DRVNAME))
++ return -EBUSY;
++
+ outb(0x87, base);
+ outb(0x87, base);
++
++ return 0;
+ }
+
+ static inline void
+ superio_exit(int base)
+ {
+ outb(0xaa, base);
++ release_region(base, 2);
+ }
+
+ /*
+@@ -1562,7 +1568,7 @@ exit:
+ static int __init f71805f_find(int sioaddr, unsigned short *address,
+ struct f71805f_sio_data *sio_data)
+ {
+- int err = -ENODEV;
++ int err;
+ u16 devid;
+
+ static const char * const names[] = {
+@@ -1570,8 +1576,11 @@ static int __init f71805f_find(int sioad
+ "F71872F/FG or F71806F/FG",
+ };
+
+- superio_enter(sioaddr);
++ err = superio_enter(sioaddr);
++ if (err)
++ return err;
+
++ err = -ENODEV;
+ devid = superio_inw(sioaddr, SIO_REG_MANID);
+ if (devid != SIO_FINTEK_ID)
+ goto exit;
diff --git a/queue-3.16/hwmon-pc87427-use-request_muxed_region-for-super-io-accesses.patch b/queue-3.16/hwmon-pc87427-use-request_muxed_region-for-super-io-accesses.patch
new file mode 100644
index 00000000..85318a22
--- /dev/null
+++ b/queue-3.16/hwmon-pc87427-use-request_muxed_region-for-super-io-accesses.patch
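Review bot: superio_exit() now calls `release_region(base, 2)` unconditionally, so it is only safe after a superio_enter() that returned 0; called after a failed enter it could release a reservation this driver never obtained. Nothing in the helpers states that pairing, and the same pattern is introduced by the pc87427, smsc47b397, smsc47m1, vt1211 and w83627hf patches in this queue. I would add a comment above superio_exit(), `/* Only call after superio_enter() returned 0: releases the region claimed there. */`. f71805f_find() itself returns before reaching the `exit:` label when the enter fails, which looks right, but its body continues outside the hunk.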
@@ -0,0 +1,63 @@
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Thu, 4 Apr 2019 11:16:20 -0700
+Subject: hwmon: (pc87427) Use request_muxed_region for Super-IO accesses
+
+commit 755a9b0f8aaa5639ba5671ca50080852babb89ce upstream.
+
+Super-IO accesses may fail on a system with no or unmapped LPC bus.
+
+Also, other drivers may attempt to access the LPC bus at the same time,
+resulting in undefined behavior.
+
+Use request_muxed_region() to ensure that IO access on the requested
+address space is supported, and to ensure that access by multiple drivers
+is synchronized.
+
+Fixes: ba224e2c4f0a7 ("hwmon: New PC87427 hardware monitoring driver")
+Reported-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Reported-by: John Garry <john.garry@huawei.com>
+Cc: John Garry <john.garry@huawei.com>
+Acked-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/hwmon/pc87427.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/hwmon/pc87427.c
++++ b/drivers/hwmon/pc87427.c
+@@ -106,6 +106,13 @@ static const char *logdev_str[2] = { DRV
+ #define LD_IN 1
+ #define LD_TEMP 1
+
++static inline int superio_enter(int sioaddr)
++{
++ if (!request_muxed_region(sioaddr, 2, DRVNAME))
++ return -EBUSY;
++ return 0;
++}
++
+ static inline void superio_outb(int sioaddr, int reg, int val)
+ {
+ outb(reg, sioaddr);
+@@ -122,6 +129,7 @@ static inline void superio_exit(int sioa
+ {
+ outb(0x02, sioaddr);
+ outb(0x02, sioaddr + 1);
++ release_region(sioaddr, 2);
+ }
+
+ /*
+@@ -1221,7 +1229,11 @@ static int __init pc87427_find(int sioad
+ {
+ u16 val;
+ u8 cfg, cfg_b;
+- int i, err = 0;
++ int i, err;
++
++ err = superio_enter(sioaddr);
++ if (err)
++ return err;
+
+ /* Identify device */
+ val = force_id ? force_id : superio_inb(sioaddr, SIOREG_DEVID);
diff --git a/queue-3.16/hwmon-smsc47b397-use-request_muxed_region-for-super-io-accesses.patch b/queue-3.16/hwmon-smsc47b397-use-request_muxed_region-for-super-io-accesses.patch
new file mode 100644
index 00000000..88083bcf
--- /dev/null
+++ b/queue-3.16/hwmon-smsc47b397-use-request_muxed_region-for-super-io-accesses.patch
@@ -0,0 +1,63 @@
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Thu, 4 Apr 2019 11:22:42 -0700
+Subject: hwmon: (smsc47b397) Use request_muxed_region for Super-IO accesses
+
+commit 8c0826756744c0ac1df600a5e4cca1a341b13101 upstream.
+
+Super-IO accesses may fail on a system with no or unmapped LPC bus.
+
+Also, other drivers may attempt to access the LPC bus at the same time,
+resulting in undefined behavior.
+
+Use request_muxed_region() to ensure that IO access on the requested
+address space is supported, and to ensure that access by multiple drivers
+is synchronized.
+
+Fixes: 8d5d45fb1468 ("I2C: Move hwmon drivers (2/3)")
+Reported-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Reported-by: John Garry <john.garry@huawei.com>
+Cc: John Garry <john.garry@huawei.com>
+Acked-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/hwmon/smsc47b397.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/hwmon/smsc47b397.c
++++ b/drivers/hwmon/smsc47b397.c
+@@ -72,14 +72,19 @@ static inline void superio_select(int ld
+ superio_outb(0x07, ld);
+ }
+
+-static inline void superio_enter(void)
++static inline int superio_enter(void)
+ {
++ if (!request_muxed_region(REG, 2, DRVNAME))
++ return -EBUSY;
++
+ outb(0x55, REG);
++ return 0;
+ }
+
+ static inline void superio_exit(void)
+ {
+ outb(0xAA, REG);
++ release_region(REG, 2);
+ }
+
+ #define SUPERIO_REG_DEVID 0x20
+@@ -338,8 +343,12 @@ static int __init smsc47b397_find(void)
+ u8 id, rev;
+ char *name;
+ unsigned short addr;
++ int err;
++
++ err = superio_enter();
++ if (err)
++ return err;
+
+- superio_enter();
+ id = force_id ? force_id : superio_inb(SUPERIO_REG_DEVID);
+
+ switch (id) {
diff --git a/queue-3.16/hwmon-smsc47m1-use-request_muxed_region-for-super-io-accesses.patch b/queue-3.16/hwmon-smsc47m1-use-request_muxed_region-for-super-io-accesses.patch
new file mode 100644
index 00000000..8133bcaa
--- /dev/null
+++ b/queue-3.16/hwmon-smsc47m1-use-request_muxed_region-for-super-io-accesses.patch
@@ -0,0 +1,87 @@ +From: Guenter Roeck <linux@roeck-us.net> +Date: Thu, 4 Apr 2019 11:28:37 -0700 +Subject: hwmon: (smsc47m1) Use request_muxed_region for Super-IO accesses + +commit d6410408ad2a798c4cc685252c1baa713be0ad69 upstream. + +Super-IO accesses may fail on a system with no or unmapped LPC bus. + +Also, other drivers may attempt to access the LPC bus at the same time, +resulting in undefined behavior. + +Use request_muxed_region() to ensure that IO access on the requested +address space is supported, and to ensure that access by multiple drivers +is synchronized. + +Fixes: 8d5d45fb1468 ("I2C: Move hwmon drivers (2/3)") +Reported-by: Kefeng Wang <wangkefeng.wang@huawei.com> +Reported-by: John Garry <john.garry@huawei.com> +Cc: John Garry <john.garry@huawei.com> +Acked-by: John Garry <john.garry@huawei.com> +Signed-off-by: Guenter Roeck <linux@roeck-us.net> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/hwmon/smsc47m1.c | 28 +++++++++++++++++++--------- + 1 file changed, 19 insertions(+), 9 deletions(-) + +--- a/drivers/hwmon/smsc47m1.c ++++ b/drivers/hwmon/smsc47m1.c +@@ -73,16 +73,21 @@ superio_inb(int reg) + /* logical device for fans is 0x0A */ + #define superio_select() superio_outb(0x07, 0x0A) + +-static inline void ++static inline int + superio_enter(void) + { ++ if (!request_muxed_region(REG, 2, DRVNAME)) ++ return -EBUSY; ++ + outb(0x55, REG); ++ return 0; + } + + static inline void + superio_exit(void) + { + outb(0xAA, REG); ++ release_region(REG, 2); + } + + #define SUPERIO_REG_ACT 0x30 +@@ -495,8 +500,12 @@ static int __init smsc47m1_find(struct s + { + u8 val; + unsigned short addr; ++ int err; ++ ++ err = superio_enter(); ++ if (err) ++ return err; + +- superio_enter(); + val = force_id ? 
force_id : superio_inb(SUPERIO_REG_DEVID); + + /* +@@ -572,13 +581,14 @@ static int __init smsc47m1_find(struct s + static void smsc47m1_restore(const struct smsc47m1_sio_data *sio_data) + { + if ((sio_data->activate & 0x01) == 0) { +- superio_enter(); +- superio_select(); +- +- pr_info("Disabling device\n"); +- superio_outb(SUPERIO_REG_ACT, sio_data->activate); +- +- superio_exit(); ++ if (!superio_enter()) { ++ superio_select(); ++ pr_info("Disabling device\n"); ++ superio_outb(SUPERIO_REG_ACT, sio_data->activate); ++ superio_exit(); ++ } else { ++ pr_warn("Failed to disable device\n"); ++ } + } + } + diff --git a/queue-3.16/hwmon-vt1211-use-request_muxed_region-for-super-io-accesses.patch b/queue-3.16/hwmon-vt1211-use-request_muxed_region-for-super-io-accesses.patch new file mode 100644 index 00000000..4f127021 --- /dev/null +++ b/queue-3.16/hwmon-vt1211-use-request_muxed_region-for-super-io-accesses.patch 
@@ -0,0 +1,64 @@
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Fri, 5 Apr 2019 08:53:08 -0700
+Subject: hwmon: (vt1211) Use request_muxed_region for Super-IO accesses
+
+commit 14b97ba5c20056102b3dd22696bf17b057e60976 upstream.
+
+Super-IO accesses may fail on a system with no or unmapped LPC bus.
+
+Also, other drivers may attempt to access the LPC bus at the same time,
+resulting in undefined behavior.
+
+Use request_muxed_region() to ensure that IO access on the requested
+address space is supported, and to ensure that access by multiple drivers
+is synchronized.
+
+Fixes: 2219cd81a6cd ("hwmon/vt1211: Add probing of alternate config index port")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/hwmon/vt1211.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/drivers/hwmon/vt1211.c
++++ b/drivers/hwmon/vt1211.c
+@@ -226,15 +226,21 @@ static inline void superio_select(int si
+ outb(ldn, sio_cip + 1);
+ }
+
+-static inline void superio_enter(int sio_cip)
++static inline int superio_enter(int sio_cip)
+ {
++ if (!request_muxed_region(sio_cip, 2, DRVNAME))
++ return -EBUSY;
++
+ outb(0x87, sio_cip);
+ outb(0x87, sio_cip);
++
++ return 0;
+ }
+
+ static inline void superio_exit(int sio_cip)
+ {
+ outb(0xaa, sio_cip);
++ release_region(sio_cip, 2);
+ }
+
+ /* ---------------------------------------------------------------------
+@@ -1280,11 +1286,14 @@ EXIT:
+
+ static int __init vt1211_find(int sio_cip, unsigned short *address)
+ {
+- int err = -ENODEV;
++ int err;
+ int devid;
+
+- superio_enter(sio_cip);
++ err = superio_enter(sio_cip);
++ if (err)
++ return err;
+
++ err = -ENODEV;
+ devid = force_id ? force_id : superio_inb(sio_cip, SIO_VT1211_DEVID);
+ if (devid != SIO_VT1211_ID)
+ goto EXIT;
diff --git a/queue-3.16/hwmon-w83627hf-use-request_muxed_region-for-super-io-accesses.patch b/queue-3.16/hwmon-w83627hf-use-request_muxed_region-for-super-io-accesses.patch
new file mode 100644
index 00000000..23c6649d
--- /dev/null
+++ b/queue-3.16/hwmon-w83627hf-use-request_muxed_region-for-super-io-accesses.patch
@@ -0,0 +1,113 @@ +From: Guenter Roeck <linux@roeck-us.net> +Date: Fri, 5 Apr 2019 08:44:41 -0700 +Subject: hwmon: (w83627hf) Use request_muxed_region for Super-IO accesses + +commit e95fd518d05bfc087da6fcdea4900a57cfb083bd upstream. + +Super-IO accesses may fail on a system with no or unmapped LPC bus. + +Also, other drivers may attempt to access the LPC bus at the same time, +resulting in undefined behavior. + +Use request_muxed_region() to ensure that IO access on the requested +address space is supported, and to ensure that access by multiple drivers +is synchronized. + +Fixes: b72656dbc491 ("hwmon: (w83627hf) Stop using globals for I/O port numbers") +Signed-off-by: Guenter Roeck <linux@roeck-us.net> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/hwmon/w83627hf.c | 42 +++++++++++++++++++++++++++++++++++----- + 1 file changed, 37 insertions(+), 5 deletions(-) + +--- a/drivers/hwmon/w83627hf.c ++++ b/drivers/hwmon/w83627hf.c +@@ -130,17 +130,23 @@ superio_select(struct w83627hf_sio_data + outb(ld, sio->sioaddr + 1); + } + +-static inline void ++static inline int + superio_enter(struct w83627hf_sio_data *sio) + { ++ if (!request_muxed_region(sio->sioaddr, 2, DRVNAME)) ++ return -EBUSY; ++ + outb(0x87, sio->sioaddr); + outb(0x87, sio->sioaddr); ++ ++ return 0; + } + + static inline void + superio_exit(struct w83627hf_sio_data *sio) + { + outb(0xAA, sio->sioaddr); ++ release_region(sio->sioaddr, 2); + } + + #define W627_DEVID 0x52 +@@ -1273,7 +1279,7 @@ static DEVICE_ATTR(name, S_IRUGO, show_n + static int __init w83627hf_find(int sioaddr, unsigned short *addr, + struct w83627hf_sio_data *sio_data) + { +- int err = -ENODEV; ++ int err; + u16 val; + + static __initconst char *const names[] = { +@@ -1285,7 +1291,11 @@ static int __init w83627hf_find(int sioa + }; + + sio_data->sioaddr = sioaddr; +- superio_enter(sio_data); ++ err = superio_enter(sio_data); ++ if (err) ++ return err; ++ ++ err = -ENODEV; + val = force_id ? 
force_id : superio_inb(sio_data, DEVID); + switch (val) { + case W627_DEVID: +@@ -1639,9 +1649,21 @@ static int w83627thf_read_gpio5(struct p + struct w83627hf_sio_data *sio_data = dev_get_platdata(&pdev->dev); + int res = 0xff, sel; + +- superio_enter(sio_data); ++ if (superio_enter(sio_data)) { ++ /* ++ * Some other driver reserved the address space for itself. ++ * We don't want to fail driver instantiation because of that, ++ * so display a warning and keep going. ++ */ ++ dev_warn(&pdev->dev, ++ "Can not read VID data: Failed to enable SuperIO access\n"); ++ return res; ++ } ++ + superio_select(sio_data, W83627HF_LD_GPIO5); + ++ res = 0xff; ++ + /* Make sure these GPIO pins are enabled */ + if (!(superio_inb(sio_data, W83627THF_GPIO5_EN) & (1<<3))) { + dev_dbg(&pdev->dev, "GPIO5 disabled, no VID function\n"); +@@ -1672,7 +1694,17 @@ static int w83687thf_read_vid(struct pla + struct w83627hf_sio_data *sio_data = dev_get_platdata(&pdev->dev); + int res = 0xff; + +- superio_enter(sio_data); ++ if (superio_enter(sio_data)) { ++ /* ++ * Some other driver reserved the address space for itself. ++ * We don't want to fail driver instantiation because of that, ++ * so display a warning and keep going. ++ */ ++ dev_warn(&pdev->dev, ++ "Can not read VID data: Failed to enable SuperIO access\n"); ++ return res; ++ } ++ + superio_select(sio_data, W83627HF_LD_HWM); + + /* Make sure these GPIO pins are enabled */ diff --git a/queue-3.16/iommu-vt-d-set-intel_iommu_gfx_mapped-correctly.patch b/queue-3.16/iommu-vt-d-set-intel_iommu_gfx_mapped-correctly.patch new file mode 100644 index 00000000..304262c7 --- /dev/null +++ b/queue-3.16/iommu-vt-d-set-intel_iommu_gfx_mapped-correctly.patch 
@@ -0,0 +1,48 @@
+From: Lu Baolu <baolu.lu@linux.intel.com>
+Date: Thu, 2 May 2019 09:34:25 +0800
+Subject: iommu/vt-d: Set intel_iommu_gfx_mapped correctly
+
+commit cf1ec4539a50bdfe688caad4615ca47646884316 upstream.
+
+The intel_iommu_gfx_mapped flag is exported by the Intel
+IOMMU driver to indicate whether an IOMMU is used for the
+graphic device. In a virtualized IOMMU environment (e.g.
+QEMU), an include-all IOMMU is used for graphic device.
+This flag is found to be clear even the IOMMU is used.
+
+Cc: Ashok Raj <ashok.raj@intel.com>
+Cc: Jacob Pan <jacob.jun.pan@linux.intel.com>
+Cc: Kevin Tian <kevin.tian@intel.com>
+Reported-by: Zhenyu Wang <zhenyuw@linux.intel.com>
+Fixes: c0771df8d5297 ("intel-iommu: Export a flag indicating that the IOMMU is used for iGFX.")
+Suggested-by: Kevin Tian <kevin.tian@intel.com>
+Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/iommu/intel-iommu.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -3578,9 +3578,7 @@ static void __init init_no_remapping_dev
+
+ /* This IOMMU has *only* gfx devices. Either bypass it or
+ set the gfx_mapped flag, as appropriate */
+- if (dmar_map_gfx) {
+- intel_iommu_gfx_mapped = 1;
+- } else {
++ if (!dmar_map_gfx) {
+ drhd->ignored = 1;
+ for_each_active_dev_scope(drhd->devices,
+ drhd->devices_cnt, i, dev)
+@@ -4074,6 +4072,9 @@ int __init intel_iommu_init(void)
+ goto out_free_reserved_range;
+ }
+
++ if (dmar_map_gfx)
++ intel_iommu_gfx_mapped = 1;
++
+ init_no_remapping_devices();
+
+ ret = init_dmars();
diff --git a/queue-3.16/ipv4-fix-raw-socket-lookup-for-local-traffic.patch b/queue-3.16/ipv4-fix-raw-socket-lookup-for-local-traffic.patch
new file mode 100644
index 00000000..28090ebc
--- /dev/null
+++ b/queue-3.16/ipv4-fix-raw-socket-lookup-for-local-traffic.patch
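Review bot: In intel_iommu_init() the flag is now set whenever `dmar_map_gfx` is true, before `init_dmars()` has run, so its meaning shifts from "a gfx-only DRHD unit is in use" to "gfx mapping was not disabled". If `init_dmars()` fails (its error handling is outside the hunk), intel_iommu_gfx_mapped presumably stays 1 although no translation was set up. The comment left in init_no_remapping_devices() still says "set the gfx_mapped flag, as appropriate", which no longer matches the code there. I would add a short comment at the new assignment, for example `/* gfx is translated unless igfx mapping was disabled, whichever unit covers it */`, and consider clearing the flag on the failure path.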
@@ -0,0 +1,44 @@
+From: David Ahern <dsahern@gmail.com>
+Date: Tue, 7 May 2019 20:44:59 -0700
+Subject: ipv4: Fix raw socket lookup for local traffic
+
+commit 19e4e768064a87b073a4b4c138b55db70e0cfb9f upstream.
+
+inet_iif should be used for the raw socket lookup. inet_iif considers
+rt_iif which handles the case of local traffic.
+
+As it stands, ping to a local address with the '-I <dev>' option fails
+ever since ping was changed to use SO_BINDTODEVICE instead of
+cmsg + IP_PKTINFO.
+
+IPv6 works fine.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/ipv4/raw.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/raw.c
++++ b/net/ipv4/raw.c
+@@ -167,6 +167,7 @@ static int icmp_filter(const struct sock
+ */
+ static int raw_v4_input(struct sk_buff *skb, const struct iphdr *iph, int hash)
+ {
++ int dif = inet_iif(skb);
+ struct sock *sk;
+ struct hlist_head *head;
+ int delivered = 0;
+@@ -179,8 +180,7 @@ static int raw_v4_input(struct sk_buff *
+
+ net = dev_net(skb->dev);
+ sk = __raw_v4_lookup(net, __sk_head(head), iph->protocol,
+- iph->saddr, iph->daddr,
+- skb->dev->ifindex);
++ iph->saddr, iph->daddr, dif);
+
+ while (sk) {
+ delivered = 1;
diff --git a/queue-3.16/ipv4-use-return-value-of-inet_iif-for-__raw_v4_lookup-in-the-while.patch b/queue-3.16/ipv4-use-return-value-of-inet_iif-for-__raw_v4_lookup-in-the-while.patch
new file mode 100644
index 00000000..7105142f
--- /dev/null
+++ b/queue-3.16/ipv4-use-return-value-of-inet_iif-for-__raw_v4_lookup-in-the-while.patch
@@ -0,0 +1,33 @@
+From: Stephen Suryaputra <ssuryaextr@gmail.com>
+Date: Mon, 24 Jun 2019 20:14:06 -0400
+Subject: ipv4: Use return value of inet_iif() for __raw_v4_lookup in the while
+ loop
+
+commit 38c73529de13e1e10914de7030b659a2f8b01c3b upstream.
+
+In commit 19e4e768064a8 ("ipv4: Fix raw socket lookup for local
+traffic"), the dif argument to __raw_v4_lookup() is coming from the
+returned value of inet_iif() but the change was done only for the first
+lookup. Subsequent lookups in the while loop still use skb->dev->ifIndex.
+
+Fixes: 19e4e768064a8 ("ipv4: Fix raw socket lookup for local traffic")
+Signed-off-by: Stephen Suryaputra <ssuryaextr@gmail.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/ipv4/raw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/raw.c
++++ b/net/ipv4/raw.c
+@@ -193,7 +193,7 @@ static int raw_v4_input(struct sk_buff *
+ }
+ sk = __raw_v4_lookup(net, sk_next(sk), iph->protocol,
+ iph->saddr, iph->daddr,
+- skb->dev->ifindex);
++ dif);
+ }
+ out:
+ read_unlock(&raw_v4_hashinfo.lock);
diff --git a/queue-3.16/jbd2-check-superblock-mapped-prior-to-committing.patch b/queue-3.16/jbd2-check-superblock-mapped-prior-to-committing.patch
new file mode 100644
index 00000000..fbcbc334
--- /dev/null
+++ b/queue-3.16/jbd2-check-superblock-mapped-prior-to-committing.patch
@@ -0,0 +1,45 @@
+From: Jiufei Xue <jiufei.xue@linux.alibaba.com>
+Date: Sat, 6 Apr 2019 18:57:40 -0400
+Subject: jbd2: check superblock mapped prior to committing
+
+commit 742b06b5628f2cd23cb51a034cb54dc33c6162c5 upstream.
+
+We hit a BUG at fs/buffer.c:3057 if we detached the nbd device
+before unmounting ext4 filesystem.
+
+The typical chain of events leading to the BUG:
+jbd2_write_superblock
+ submit_bh
+ submit_bh_wbc
+ BUG_ON(!buffer_mapped(bh));
+
+The block device is removed and all the pages are invalidated. JBD2
+was trying to write journal superblock to the block device which is
+no longer present.
+
+Fix this by checking the journal superblock's buffer head prior to
+submitting.
+
+Reported-by: Eric Ren <renzhen@linux.alibaba.com>
+Signed-off-by: Jiufei Xue <jiufei.xue@linux.alibaba.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Jan Kara <jack@suse.cz>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/jbd2/journal.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/jbd2/journal.c
++++ b/fs/jbd2/journal.c
+@@ -1344,6 +1344,10 @@ static int jbd2_write_superblock(journal
+ journal_superblock_t *sb = journal->j_superblock;
+ int ret;
+
++ /* Buffer got discarded which means block device got invalidated */
++ if (!buffer_mapped(bh))
++ return -EIO;
++
+ trace_jbd2_write_superblock(journal, write_op);
+ if (!(journal->j_flags & JBD2_BARRIER))
+ write_op &= ~(REQ_FUA | REQ_FLUSH);
diff --git a/queue-3.16/kdb-do-a-sanity-check-on-the-cpu-in-kdb_per_cpu.patch b/queue-3.16/kdb-do-a-sanity-check-on-the-cpu-in-kdb_per_cpu.patch
new file mode 100644
index 00000000..9919f004
--- /dev/null
+++ b/queue-3.16/kdb-do-a-sanity-check-on-the-cpu-in-kdb_per_cpu.patch
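Review bot: The new `buffer_mapped(bh)` test runs at the top of jbd2_write_superblock(), before the buffer is locked for submission (the locking and the submit_bh() call are outside this hunk), so the device could in principle be invalidated between the check and the submit and still reach the BUG_ON quoted in the description. If the 3.16 function takes the buffer lock further down, repeating or moving the test there, `if (!buffer_mapped(bh)) { unlock_buffer(bh); return -EIO; }`, would narrow that window. It is also worth confirming that the 3.16 callers act on the new -EIO rather than ignoring the return value.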
@@ -0,0 +1,30 @@
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 6 May 2019 15:50:18 +0300
+Subject: kdb: do a sanity check on the cpu in kdb_per_cpu()
+
+commit b586627e10f57ee3aa8f0cfab0d6f7dc4ae63760 upstream.
+
+The "whichcpu" comes from argv[3]. The cpu_online() macro looks up the
+cpu in a bitmap of online cpus, but if the value is too high then it
+could read beyond the end of the bitmap and possibly Oops.
+
+Fixes: 5d5314d6795f ("kdb: core for kgdb back end (1 of 2)")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ kernel/debug/kdb/kdb_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/debug/kdb/kdb_main.c
++++ b/kernel/debug/kdb/kdb_main.c
+@@ -2569,7 +2569,7 @@ static int kdb_per_cpu(int argc, const c
+ diag = kdbgetularg(argv[3], &whichcpu);
+ if (diag)
+ return diag;
+- if (!cpu_online(whichcpu)) {
++ if (whichcpu >= nr_cpu_ids || !cpu_online(whichcpu)) {
+ kdb_printf("cpu %ld is not online\n", whichcpu);
+ return KDB_BADCPUNUM;
+ }
diff --git a/queue-3.16/kobject-don-t-trigger-kobject_uevent-kobj_remove-twice.patch b/queue-3.16/kobject-don-t-trigger-kobject_uevent-kobj_remove-twice.patch
new file mode 100644
index 00000000..13ec48bb
--- /dev/null
+++ b/queue-3.16/kobject-don-t-trigger-kobject_uevent-kobj_remove-twice.patch
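Review bot: `whichcpu` is filled by kdbgetularg(), which suggests an unsigned long, yet the message on the rejected path still prints it with `%ld`. With the new bound check an oversized argument is the case most likely to reach this line, and a very large one would be shown as a negative number. I would switch the format to `%lu`, i.e. `kdb_printf("cpu %lu is not online\n", whichcpu);`. The declaration of whichcpu is outside the hunk, so its type should be confirmed first.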
@@ -0,0 +1,62 @@
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Sun, 17 Mar 2019 14:02:31 +0900
+Subject: kobject: Don't trigger kobject_uevent(KOBJ_REMOVE) twice.
+
+commit c03a0fd0b609e2f5c669c2b7f27c8e1928e9196e upstream.
+
+syzbot is hitting use-after-free bug in uinput module [1]. This is because
+kobject_uevent(KOBJ_REMOVE) is called again due to commit 0f4dafc0563c6c49
+("Kobject: auto-cleanup on final unref") after memory allocation fault
+injection made kobject_uevent(KOBJ_REMOVE) from device_del() from
+input_unregister_device() fail, while uinput_destroy_device() is expecting
+that kobject_uevent(KOBJ_REMOVE) is not called after device_del() from
+input_unregister_device() completed.
+
+That commit intended to catch cases where nobody even attempted to send
+"remove" uevents. But there is no guarantee that an event will ultimately
+be sent. We are at the point of no return as far as the rest of the kernel
+is concerned; there are no repeats or do-overs.
+
+Also, it is not clear whether some subsystem depends on that commit.
+If no subsystem depends on that commit, it will be better to remove
+the state_{add,remove}_uevent_sent logic. But we don't want to risk
+a regression (in a patch which will be backported) by trying to remove
+that logic. Therefore, as a first step, let's avoid the use-after-free bug
+by making sure that kobject_uevent(KOBJ_REMOVE) won't be triggered twice.
+
+[1] https://syzkaller.appspot.com/bug?id=8b17c134fe938bbddd75a45afaa9e68af43a362d
+
+Reported-by: syzbot <syzbot+f648cfb7e0b52bf7ae32@syzkaller.appspotmail.com>
+Analyzed-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Fixes: 0f4dafc0563c6c49 ("Kobject: auto-cleanup on final unref")
+Cc: Kay Sievers <kay@vrfy.org>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/lib/kobject_uevent.c
++++ b/lib/kobject_uevent.c
+@@ -178,6 +178,13 @@ int kobject_uevent_env(struct kobject *k
+ struct uevent_sock *ue_sk;
+ #endif
+
++ /*
++ * Mark "remove" event done regardless of result, for some subsystems
++ * do not want to re-trigger "remove" event via automatic cleanup.
++ */
++ if (action == KOBJ_REMOVE)
++ kobj->state_remove_uevent_sent = 1;
++
+ pr_debug("kobject: '%s' (%p): %s\n",
+ kobject_name(kobj), kobj, __func__);
+
+@@ -275,8 +282,6 @@ int kobject_uevent_env(struct kobject *k
+ */
+ if (action == KOBJ_ADD)
+ kobj->state_add_uevent_sent = 1;
+- else if (action == KOBJ_REMOVE)
+- kobj->state_remove_uevent_sent = 1;
+
+ mutex_lock(&uevent_sock_mutex);
+ /* we will send an event, so request a new sequence number */
diff --git a/queue-3.16/m68k-mac-fix-via-timer-counter-accesses.patch b/queue-3.16/m68k-mac-fix-via-timer-counter-accesses.patch
new file mode 100644
index 00000000..b2e5a67f
--- /dev/null
+++ b/queue-3.16/m68k-mac-fix-via-timer-counter-accesses.patch
@@ -0,0 +1,148 @@ +From: Finn Thain <fthain@telegraphics.com.au> +Date: Sat, 1 Dec 2018 11:53:10 +1100 +Subject: m68k: mac: Fix VIA timer counter accesses + +commit 0ca7ce7db771580433bf24454f7a1542bd326078 upstream. + +This resolves some bugs that affect VIA timer counter accesses. +Avoid lost interrupts caused by reading the counter low byte register. +Make allowance for the fact that the counter will be decremented to +0xFFFF before being reloaded. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Finn Thain <fthain@telegraphics.com.au> +Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + arch/m68k/mac/via.c | 102 +++++++++++++++++++++++--------------------- + 1 file changed, 53 insertions(+), 49 deletions(-) + +--- a/arch/m68k/mac/via.c ++++ b/arch/m68k/mac/via.c +@@ -54,16 +54,6 @@ static __u8 rbv_clear; + static int gIER,gIFR,gBufA,gBufB; + + /* +- * Timer defs. +- */ +- +-#define TICK_SIZE 10000 +-#define MAC_CLOCK_TICK (783300/HZ) /* ticks per HZ */ +-#define MAC_CLOCK_LOW (MAC_CLOCK_TICK&0xFF) +-#define MAC_CLOCK_HIGH (MAC_CLOCK_TICK>>8) +- +- +-/* + * On Macs with a genuine VIA chip there is no way to mask an individual slot + * interrupt. This limitation also seems to apply to VIA clone logic cores in + * Quadra-like ASICs. (RBV and OSS machines don't have this limitation.) +@@ -278,22 +268,6 @@ void __init via_init(void) + } + + /* +- * Start the 100 Hz clock +- */ +- +-void __init via_init_clock(irq_handler_t func) +-{ +- via1[vACR] |= 0x40; +- via1[vT1LL] = MAC_CLOCK_LOW; +- via1[vT1LH] = MAC_CLOCK_HIGH; +- via1[vT1CL] = MAC_CLOCK_LOW; +- via1[vT1CH] = MAC_CLOCK_HIGH; +- +- if (request_irq(IRQ_MAC_TIMER_1, func, 0, "timer", func)) +- pr_err("Couldn't register %s interrupt\n", "timer"); +-} +- +-/* + * Debugging dump, used in various places to see what's going on. 
+ */ + +@@ -321,29 +295,6 @@ void via_debug_dump(void) + } + + /* +- * This is always executed with interrupts disabled. +- * +- * TBI: get time offset between scheduling timer ticks +- */ +- +-u32 mac_gettimeoffset(void) +-{ +- unsigned long ticks, offset = 0; +- +- /* read VIA1 timer 2 current value */ +- ticks = via1[vT1CL] | (via1[vT1CH] << 8); +- /* The probability of underflow is less than 2% */ +- if (ticks > MAC_CLOCK_TICK - MAC_CLOCK_TICK / 50) +- /* Check for pending timer interrupt in VIA1 IFR */ +- if (via1[vIFR] & 0x40) offset = TICK_SIZE; +- +- ticks = MAC_CLOCK_TICK - ticks; +- ticks = ticks * 10000L / MAC_CLOCK_TICK; +- +- return (ticks + offset) * 1000; +-} +- +-/* + * Flush the L2 cache on Macs that have it by flipping + * the system into 24-bit mode for an instant. + */ +@@ -619,3 +570,56 @@ int via2_scsi_drq_pending(void) + return via2[gIFR] & (1 << IRQ_IDX(IRQ_MAC_SCSIDRQ)); + } + EXPORT_SYMBOL(via2_scsi_drq_pending); ++ ++/* timer and clock source */ ++ ++#define VIA_CLOCK_FREQ 783360 /* VIA "phase 2" clock in Hz */ ++#define VIA_TIMER_INTERVAL (1000000 / HZ) /* microseconds per jiffy */ ++#define VIA_TIMER_CYCLES (VIA_CLOCK_FREQ / HZ) /* clock cycles per jiffy */ ++ ++#define VIA_TC (VIA_TIMER_CYCLES - 2) /* including 0 and -1 */ ++#define VIA_TC_LOW (VIA_TC & 0xFF) ++#define VIA_TC_HIGH (VIA_TC >> 8) ++ ++void __init via_init_clock(irq_handler_t timer_routine) ++{ ++ if (request_irq(IRQ_MAC_TIMER_1, timer_routine, 0, "timer", NULL)) { ++ pr_err("Couldn't register %s interrupt\n", "timer"); ++ return; ++ } ++ ++ via1[vT1LL] = VIA_TC_LOW; ++ via1[vT1LH] = VIA_TC_HIGH; ++ via1[vT1CL] = VIA_TC_LOW; ++ via1[vT1CH] = VIA_TC_HIGH; ++ via1[vACR] |= 0x40; ++} ++ ++u32 mac_gettimeoffset(void) ++{ ++ unsigned long flags; ++ u8 count_high; ++ u16 count, offset = 0; ++ ++ /* ++ * Timer counter wrap-around is detected with the timer interrupt flag ++ * but reading the counter low byte (vT1CL) would reset the flag. 
++ * Also, accessing both counter registers is essentially a data race. ++ * These problems are avoided by ignoring the low byte. Clock accuracy ++ * is 256 times worse (error can reach 0.327 ms) but CPU overhead is ++ * reduced by avoiding slow VIA register accesses. ++ */ ++ ++ local_irq_save(flags); ++ count_high = via1[vT1CH]; ++ if (count_high == 0xFF) ++ count_high = 0; ++ if (count_high > 0 && (via1[vIFR] & VIA_TIMER_1_INT)) ++ offset = VIA_TIMER_CYCLES; ++ local_irq_restore(flags); ++ ++ count = count_high << 8; ++ count = VIA_TIMER_CYCLES - count + offset; ++ ++ return ((count * VIA_TIMER_INTERVAL) / VIA_TIMER_CYCLES) * 1000; ++} diff --git a/queue-3.16/media-cx18-update-pos-correctly-in-cx18_read_pos.patch b/queue-3.16/media-cx18-update-pos-correctly-in-cx18_read_pos.patch new file mode 100644 index 00000000..85f7e7d1 --- /dev/null +++ b/queue-3.16/media-cx18-update-pos-correctly-in-cx18_read_pos.patch @@ -0,0 +1,29 @@ +From: Dan Carpenter <dan.carpenter@oracle.com> +Date: Fri, 22 Feb 2019 01:37:02 -0500 +Subject: media: cx18: update *pos correctly in cx18_read_pos() + +commit 7afb0df554292dca7568446f619965fb8153085d upstream. + +We should be updating *pos. The current code is a no-op. + +Fixes: 1c1e45d17b66 ("V4L/DVB (7786): cx18: new driver for the Conexant CX23418 MPEG encoder chip") + +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> +Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/media/pci/cx18/cx18-fileops.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/pci/cx18/cx18-fileops.c ++++ b/drivers/media/pci/cx18/cx18-fileops.c +@@ -489,7 +489,7 @@ static ssize_t cx18_read_pos(struct cx18 + + CX18_DEBUG_HI_FILE("read %zd from %s, got %zd\n", count, s->name, rc); + if (rc > 0) +- pos += rc; ++ *pos += rc; + return rc; + } + 
diff --git a/queue-3.16/media-davinci-isif-avoid-uninitialized-variable-use.patch b/queue-3.16/media-davinci-isif-avoid-uninitialized-variable-use.patch
new file mode 100644
index 00000000..795d8003
--- /dev/null
+++ b/queue-3.16/media-davinci-isif-avoid-uninitialized-variable-use.patch
@@ -0,0 +1,70 @@ +From: Arnd Bergmann <arnd@arndb.de> +Date: Fri, 22 Mar 2019 10:34:22 -0400 +Subject: media: davinci-isif: avoid uninitialized variable use + +commit 0e633f97162c1c74c68e2eb20bbd9259dce87cd9 upstream. + +clang warns about a possible variable use that gcc never +complained about: + +drivers/media/platform/davinci/isif.c:982:32: error: variable 'frame_size' is uninitialized when used here + [-Werror,-Wuninitialized] + dm365_vpss_set_pg_frame_size(frame_size); + ^~~~~~~~~~ +drivers/media/platform/davinci/isif.c:887:2: note: variable 'frame_size' is declared here + struct vpss_pg_frame_size frame_size; + ^ +1 error generated. + +There is no initialization for this variable at all, and there +has never been one in the mainline kernel, so we really should +not put that stack data into an mmio register. + +On the other hand, I suspect that gcc checks the condition +more closely and notices that the global +isif_cfg.bayer.config_params.test_pat_gen flag is initialized +to zero and never written to from any code path, so anything +depending on it can be eliminated. + +To shut up the clang warning, just remove the dead code manually, +it has probably never been used because any attempt to do so +would have resulted in undefined behavior. 
+ +Fixes: 63e3ab142fa3 ("V4L/DVB: V4L - vpfe capture - source for ISIF driver on DM365") + +Signed-off-by: Arnd Bergmann <arnd@arndb.de> +Reviewed-by: Nathan Chancellor <natechancellor@gmail.com> +Acked-by: Lad, Prabhakar <prabhakar.csengg@gmail.com> +Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> +Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/media/platform/davinci/isif.c | 9 --------- + 1 file changed, 9 deletions(-) + +--- a/drivers/media/platform/davinci/isif.c ++++ b/drivers/media/platform/davinci/isif.c +@@ -890,9 +890,7 @@ static int isif_set_hw_if_params(struct + static int isif_config_ycbcr(void) + { + struct isif_ycbcr_config *params = &isif_cfg.ycbcr; +- struct vpss_pg_frame_size frame_size; + u32 modeset = 0, ccdcfg = 0; +- struct vpss_sync_pol sync; + + dev_dbg(isif_cfg.dev, "\nStarting isif_config_ycbcr..."); + +@@ -980,13 +978,6 @@ static int isif_config_ycbcr(void) + /* two fields are interleaved in memory */ + regw(0x00000249, SDOFST); + +- /* Setup test pattern if enabled */ +- if (isif_cfg.bayer.config_params.test_pat_gen) { +- sync.ccdpg_hdpol = params->hd_pol; +- sync.ccdpg_vdpol = params->vd_pol; +- dm365_vpss_set_sync_pol(sync); +- dm365_vpss_set_pg_frame_size(frame_size); +- } + return 0; + } + diff --git a/queue-3.16/media-davinci-vpbe-array-underflow-in-vpbe_enum_outputs.patch b/queue-3.16/media-davinci-vpbe-array-underflow-in-vpbe_enum_outputs.patch new file mode 100644 index 00000000..3b671218 --- /dev/null +++ b/queue-3.16/media-davinci-vpbe-array-underflow-in-vpbe_enum_outputs.patch 
@@ -0,0 +1,44 @@ +From: Dan Carpenter <dan.carpenter@oracle.com> +Date: Wed, 24 Apr 2019 05:46:27 -0400 +Subject: media: davinci/vpbe: array underflow in vpbe_enum_outputs() + +commit b72845ee5577b227131b1fef23f9d9a296621d7b upstream. + +In vpbe_enum_outputs() we check if (temp_index >= cfg->num_outputs) but +the problem is that "temp_index" can be negative. This patch changes +the types to unsigned to address this array underflow bug. + +Fixes: 66715cdc3224 ("[media] davinci vpbe: VPBE display driver") + +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Acked-by: "Lad, Prabhakar" <prabhakar.csengg@gmail.com> +Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> +Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/media/platform/davinci/vpbe.c | 2 +- + include/media/davinci/vpbe.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/media/platform/davinci/vpbe.c ++++ b/drivers/media/platform/davinci/vpbe.c +@@ -130,7 +130,7 @@ static int vpbe_enum_outputs(struct vpbe + struct v4l2_output *output) + { + struct vpbe_config *cfg = vpbe_dev->cfg; +- int temp_index = output->index; ++ unsigned int temp_index = output->index; + + if (temp_index >= cfg->num_outputs) + return -EINVAL; +--- a/include/media/davinci/vpbe.h ++++ b/include/media/davinci/vpbe.h +@@ -96,7 +96,7 @@ struct vpbe_config { + struct encoder_config_info *ext_encoders; + /* amplifier information goes here */ + struct amp_config_info *amp; +- int num_outputs; ++ unsigned int num_outputs; + /* Order is venc outputs followed by LCD and then external encoders */ + struct vpbe_output *outputs; + }; diff --git a/queue-3.16/media-ivtv-update-pos-correctly-in-ivtv_read_pos.patch b/queue-3.16/media-ivtv-update-pos-correctly-in-ivtv_read_pos.patch new file mode 100644 index 00000000..b7e31ec3 --- /dev/null +++ b/queue-3.16/media-ivtv-update-pos-correctly-in-ivtv_read_pos.patch 
@@ -0,0 +1,29 @@ +From: Dan Carpenter <dan.carpenter@oracle.com> +Date: Fri, 22 Feb 2019 01:36:41 -0500 +Subject: media: ivtv: update *pos correctly in ivtv_read_pos() + +commit f8e579f3ca0973daef263f513da5edff520a6c0d upstream. + +We had intended to update *pos, but the current code is a no-op. + +Fixes: 1a0adaf37c30 ("V4L/DVB (5345): ivtv driver for Conexant cx23416/cx23415 MPEG encoder/decoder") + +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> +Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/media/pci/ivtv/ivtv-fileops.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/pci/ivtv/ivtv-fileops.c ++++ b/drivers/media/pci/ivtv/ivtv-fileops.c +@@ -420,7 +420,7 @@ static ssize_t ivtv_read_pos(struct ivtv + + IVTV_DEBUG_HI_FILE("read %zd from %s, got %zd\n", count, s->name, rc); + if (rc > 0) +- pos += rc; ++ *pos += rc; + return rc; + } + diff --git a/queue-3.16/media-omap_vout-potential-buffer-overflow-in-vidioc_dqbuf.patch b/queue-3.16/media-omap_vout-potential-buffer-overflow-in-vidioc_dqbuf.patch new file mode 100644 index 00000000..df25f650 --- /dev/null +++ b/queue-3.16/media-omap_vout-potential-buffer-overflow-in-vidioc_dqbuf.patch 
@@ -0,0 +1,60 @@ +From: Dan Carpenter <dan.carpenter@oracle.com> +Date: Thu, 11 Apr 2019 05:01:57 -0400 +Subject: media: omap_vout: potential buffer overflow in vidioc_dqbuf() + +commit dd6e2a981bfe83aa4a493143fd8cf1edcda6c091 upstream. + +The "b->index" is a u32 the comes from the user in the ioctl. It hasn't +been checked. We aren't supposed to use it but we're instead supposed +to use the value that gets written to it when we call videobuf_dqbuf(). + +The videobuf_dqbuf() first memsets it to zero and then re-initializes it +inside the videobuf_status() function. It's this final value which we +want. + +Hans Verkuil pointed out that we need to check the return from +videobuf_dqbuf(). I ended up doing a little cleanup related to that as +well. + +Fixes: 72915e851da9 ("[media] V4L2: OMAP: VOUT: dma map and unmap v4l2 buffers in qbuf and dqbuf") + +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> +Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/media/platform/omap/omap_vout.c | 15 ++++++--------- + 1 file changed, 6 insertions(+), 9 deletions(-) + +--- a/drivers/media/platform/omap/omap_vout.c ++++ b/drivers/media/platform/omap/omap_vout.c +@@ -1596,23 +1596,20 @@ static int vidioc_dqbuf(struct file *fil + unsigned long size; + struct videobuf_buffer *vb; + +- vb = q->bufs[b->index]; +- + if (!vout->streaming) + return -EINVAL; + +- if (file->f_flags & O_NONBLOCK) +- /* Call videobuf_dqbuf for non blocking mode */ +- ret = videobuf_dqbuf(q, (struct v4l2_buffer *)b, 1); +- else +- /* Call videobuf_dqbuf for blocking mode */ +- ret = videobuf_dqbuf(q, (struct v4l2_buffer *)b, 0); ++ ret = videobuf_dqbuf(q, b, !!(file->f_flags & O_NONBLOCK)); ++ if (ret) ++ return ret; ++ ++ vb = q->bufs[b->index]; + + addr = (unsigned long) vout->buf_phy_addr[vb->i]; + size = (unsigned long) vb->size; + 
dma_unmap_single(vout->vid_dev->v4l2_dev.dev, addr, + size, DMA_TO_DEVICE); +- return ret; ++ return 0; + } + + static int vidioc_streamon(struct file *file, void *fh, enum v4l2_buf_type i) diff --git a/queue-3.16/media-ov6650-fix-sensor-possibly-not-detected-on-probe.patch b/queue-3.16/media-ov6650-fix-sensor-possibly-not-detected-on-probe.patch new file mode 100644 index 00000000..e05de1b9 --- /dev/null +++ b/queue-3.16/media-ov6650-fix-sensor-possibly-not-detected-on-probe.patch 
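Review bot: In `vidioc_dqbuf()` the moved `vb = q->bufs[b->index];` is only safe because `videobuf_dqbuf()` has already overwritten the user-supplied index, and nothing in the code records that ordering requirement. A later cleanup that hoists the assignment back above the dequeue would reintroduce the unchecked array index. A one-line comment above the assignment would pin it: `/* b->index is only valid after videobuf_dqbuf() has rewritten it */`. The `vout->buf_phy_addr[vb->i]` lookup that follows relies on the same guarantee; the start of the function is outside the hunk.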
@@ -0,0 +1,43 @@ +From: Janusz Krzysztofik <jmkrzyszt@gmail.com> +Date: Sun, 24 Mar 2019 20:21:12 -0400 +Subject: media: ov6650: Fix sensor possibly not detected on probe + +commit 933c1320847f5ed6b61a7d10f0a948aa98ccd7b0 upstream. + +After removal of clock_start() from before soc_camera_init_i2c() in +soc_camera_probe() by commit 9aea470b399d ("[media] soc-camera: switch +I2C subdevice drivers to use v4l2-clk") introduced in v3.11, the ov6650 +driver could no longer probe the sensor successfully because its clock +was no longer turned on in advance. The issue was initially worked +around by adding that missing clock_start() equivalent to OMAP1 camera +interface driver - the only user of this sensor - but a propoer fix +should be rather implemented in the sensor driver code itself. + +Fix the issue by inserting a delay between the clock is turned on and +the sensor I2C registers are read for the first time. + +Tested on Amstrad Delta with now out of tree but still locally +maintained omap1_camera host driver. + +Fixes: 9aea470b399d ("[media] soc-camera: switch I2C subdevice drivers to use v4l2-clk") + +Signed-off-by: Janusz Krzysztofik <jmkrzyszt@gmail.com> +Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> +Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> +[bwh: Backported to 3.16: adjust filename] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/media/i2c/soc_camera/ov6650.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/media/i2c/soc_camera/ov6650.c ++++ b/drivers/media/i2c/soc_camera/ov6650.c +@@ -829,6 +829,8 @@ static int ov6650_video_probe(struct i2c + if (ret < 0) + return ret; + ++ msleep(20); ++ + /* + * check and show product ID and manufacturer ID + */ diff --git a/queue-3.16/media-pvrusb2-prevent-a-buffer-overflow.patch b/queue-3.16/media-pvrusb2-prevent-a-buffer-overflow.patch new file mode 100644 index 00000000..2cf04a0c --- /dev/null +++ b/queue-3.16/media-pvrusb2-prevent-a-buffer-overflow.patch 
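Review bot: The added `msleep(20);` in `ov6650_video_probe()` is an unexplained constant, since the code does not say what the delay waits for or where 20 ms comes from. The commit message gives the reason (the sensor clock has just been turned on and the I2C registers are about to be read for the first time), so that belongs next to the call, e.g. `/* let the sensor settle after clock-on before the first register read */`, together with the origin of the 20 ms figure if it is taken from a datasheet. The function body begins and continues outside the hunk.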
@@ -0,0 +1,52 @@ +From: Dan Carpenter <dan.carpenter@oracle.com> +Date: Mon, 8 Apr 2019 05:52:38 -0400 +Subject: media: pvrusb2: Prevent a buffer overflow + +commit c1ced46c7b49ad7bc064e68d966e0ad303f917fb upstream. + +The ctrl_check_input() function is called from pvr2_ctrl_range_check(). +It's supposed to validate user supplied input and return true or false +depending on whether the input is valid or not. The problem is that +negative shifts or shifts greater than 31 are undefined in C. In +practice with GCC they result in shift wrapping so this function returns +true for some inputs which are not valid and this could result in a +buffer overflow: + + drivers/media/usb/pvrusb2/pvrusb2-ctrl.c:205 pvr2_ctrl_get_valname() + warn: uncapped user index 'names[val]' + +The cptr->hdw->input_allowed_mask mask is configured in pvr2_hdw_create() +and the highest valid bit is BIT(4). + +Fixes: 7fb20fa38caa ("V4L/DVB (7299): pvrusb2: Improve logic which handles input choice availability") + +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> +Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 2 ++ + drivers/media/usb/pvrusb2/pvrusb2-hdw.h | 1 + + 2 files changed, 3 insertions(+) + +--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c ++++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c +@@ -670,6 +670,8 @@ static int ctrl_get_input(struct pvr2_ct + + static int ctrl_check_input(struct pvr2_ctrl *cptr,int v) + { ++ if (v < 0 || v > PVR2_CVAL_INPUT_MAX) ++ return 0; + return ((1 << v) & cptr->hdw->input_allowed_mask) != 0; + } + +--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.h ++++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.h +@@ -54,6 +54,7 @@ + #define PVR2_CVAL_INPUT_COMPOSITE 2 + #define PVR2_CVAL_INPUT_SVIDEO 3 + #define PVR2_CVAL_INPUT_RADIO 4 ++#define PVR2_CVAL_INPUT_MAX PVR2_CVAL_INPUT_RADIO + + enum pvr2_config 
{ + pvr2_config_empty, /* No configuration */ diff --git a/queue-3.16/media-wl128x-fix-an-error-code-in-fm_download_firmware.patch b/queue-3.16/media-wl128x-fix-an-error-code-in-fm_download_firmware.patch new file mode 100644 index 00000000..5786df0e --- /dev/null +++ b/queue-3.16/media-wl128x-fix-an-error-code-in-fm_download_firmware.patch @@ -0,0 +1,32 @@ +From: Dan Carpenter <dan.carpenter@oracle.com> +Date: Wed, 6 Mar 2019 02:27:43 -0500 +Subject: media: wl128x: Fix an error code in fm_download_firmware() + +commit ef4bb63dc1f7213c08e13f6943c69cd27f69e4a3 upstream. + +We forgot to set "ret" on this error path. + +Fixes: e8454ff7b9a4 ("[media] drivers:media:radio: wl128x: FM Driver Common sources") + +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> +Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/media/radio/wl128x/fmdrv_common.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/media/radio/wl128x/fmdrv_common.c ++++ b/drivers/media/radio/wl128x/fmdrv_common.c +@@ -1278,8 +1278,9 @@ static int fm_download_firmware(struct f + + switch (action->type) { + case ACTION_SEND_COMMAND: /* Send */ +- if (fmc_send_cmd(fmdev, 0, 0, action->data, +- action->size, NULL, NULL)) ++ ret = fmc_send_cmd(fmdev, 0, 0, action->data, ++ action->size, NULL, NULL); ++ if (ret) + goto rel_fw; + + cmd_cnt++; diff --git a/queue-3.16/media-wl128x-prevent-two-potential-buffer-overflows.patch b/queue-3.16/media-wl128x-prevent-two-potential-buffer-overflows.patch new file mode 100644 index 00000000..65fc9d55 --- /dev/null +++ b/queue-3.16/media-wl128x-prevent-two-potential-buffer-overflows.patch 
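Review bot: `PVR2_CVAL_INPUT_MAX` is introduced as an alias of `PVR2_CVAL_INPUT_RADIO` without a comment, so the range check added to `ctrl_check_input()` depends on someone remembering to move the alias whenever a higher input value is added. A comment on the define would make that coupling visible: `/* must equal the highest PVR2_CVAL_INPUT_* value; ctrl_check_input() bounds the shift with it */`. As a smaller style point, `1U << v` instead of `1 << v` would keep the mask test in unsigned arithmetic.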
@@ -0,0 +1,55 @@ +From: Dan Carpenter <dan.carpenter@oracle.com> +Date: Tue, 26 Mar 2019 01:12:07 -0400 +Subject: media: wl128x: prevent two potential buffer overflows + +commit 9c2ccc324b3a6cbc865ab8b3e1a09e93d3c8ade9 upstream. + +Smatch marks skb->data as untrusted so it warns that "evt_hdr->dlen" +can copy up to 255 bytes and we only have room for two bytes. Even +if this comes from the firmware and we trust it, the new policy +generally is just to fix it as kernel hardenning. + +I can't test this code so I tried to be very conservative. I considered +not allowing "evt_hdr->dlen == 1" because it doesn't initialize the +whole variable but in the end I decided to allow it and manually +initialized "asic_id" and "asic_ver" to zero. + +Fixes: e8454ff7b9a4 ("[media] drivers:media:radio: wl128x: FM Driver Common sources") + +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> +Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- +--- a/drivers/media/radio/wl128x/fmdrv_common.c ++++ b/drivers/media/radio/wl128x/fmdrv_common.c +@@ -494,7 +494,8 @@ int fmc_send_cmd(struct fmdev *fmdev, u8 + return -EIO; + } + /* Send response data to caller */ +- if (response != NULL && response_len != NULL && evt_hdr->dlen) { ++ if (response != NULL && response_len != NULL && evt_hdr->dlen && ++ evt_hdr->dlen <= payload_len) { + /* Skip header info and copy only response data */ + skb_pull(skb, sizeof(struct fm_event_msg_hdr)); + memcpy(response, skb->data, evt_hdr->dlen); +@@ -590,6 +591,8 @@ static void fm_irq_handle_flag_getcmd_re + return; + + fm_evt_hdr = (void *)skb->data; ++ if (fm_evt_hdr->dlen > sizeof(fmdev->irq_info.flag)) ++ return; + + /* Skip header info and copy only response data */ + skb_pull(skb, sizeof(struct fm_event_msg_hdr)); +@@ -1318,7 +1321,8 @@ static int load_default_rx_configuration + /* 
Does FM power on sequence */ + static int fm_power_up(struct fmdev *fmdev, u8 mode) + { +- u16 payload, asic_id, asic_ver; ++ u16 payload; ++ __be16 asic_id = 0, asic_ver = 0; + int resp_len, ret; + u8 fw_name[50]; + diff --git a/queue-3.16/mfd-da9063-fix-otp-control-register-names-to-match-datasheets-for.patch b/queue-3.16/mfd-da9063-fix-otp-control-register-names-to-match-datasheets-for.patch new file mode 100644 index 00000000..666f2635 --- /dev/null +++ b/queue-3.16/mfd-da9063-fix-otp-control-register-names-to-match-datasheets-for.patch @@ -0,0 +1,35 @@ +From: Steve Twiss <stwiss.opensource@diasemi.com> +Date: Fri, 26 Apr 2019 14:33:35 +0100 +Subject: mfd: da9063: Fix OTP control register names to match datasheets for + DA9063/63L + +commit 6b4814a9451add06d457e198be418bf6a3e6a990 upstream. + +Mismatch between what is found in the Datasheets for DA9063 and DA9063L +provided by Dialog Semiconductor, and the register names provided in the +MFD registers file. The changes are for the OTP (one-time-programming) +control registers. The two naming errors are OPT instead of OTP, and +COUNT instead of CONT (i.e. control). + +Signed-off-by: Steve Twiss <stwiss.opensource@diasemi.com> +Signed-off-by: Lee Jones <lee.jones@linaro.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + include/linux/mfd/da9063/registers.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/include/linux/mfd/da9063/registers.h ++++ b/include/linux/mfd/da9063/registers.h +@@ -204,9 +204,9 @@ + + /* DA9063 Configuration registers */ + /* OTP */ +-#define DA9063_REG_OPT_COUNT 0x101 +-#define DA9063_REG_OPT_ADDR 0x102 +-#define DA9063_REG_OPT_DATA 0x103 ++#define DA9063_REG_OTP_CONT 0x101 ++#define DA9063_REG_OTP_ADDR 0x102 ++#define DA9063_REG_OTP_DATA 0x103 + + /* Customer Trim and Configuration */ + #define DA9063_REG_T_OFFSET 0x104 
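Review bot: In `fmc_send_cmd()` the new `evt_hdr->dlen <= payload_len` test bounds the copy by what appears, from its name, to be the length of the outgoing command payload rather than the capacity of `response`, and the `memcpy()` source is still not checked against the bytes actually present in the skb. If callers are expected to pass a `payload_len` that also matches their response buffer, that contract deserves a comment at the check, e.g. `/* payload_len doubles as the capacity of the response buffer */`. A source-side guard before the pull, `skb->len >= sizeof(struct fm_event_msg_hdr) + evt_hdr->dlen`, would cover a short event. The same source-length question applies after the new `dlen` check in `fm_irq_handle_flag_getcmd_resp()`, whose copy lies outside the hunk.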
diff --git a/queue-3.16/mwl8k-fix-rate_idx-underflow.patch b/queue-3.16/mwl8k-fix-rate_idx-underflow.patch
new file mode 100644
index 00000000..4ddb9ea0
--- /dev/null
+++ b/queue-3.16/mwl8k-fix-rate_idx-underflow.patch
@@ -0,0 +1,78 @@ +From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz> +Date: Thu, 11 Apr 2019 20:13:30 +0200 +Subject: mwl8k: Fix rate_idx underflow +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 6b583201fa219b7b1b6aebd8966c8fd9357ef9f4 upstream. + +It was reported on OpenWrt bug tracking system[1], that several users +are affected by the endless reboot of their routers if they configure +5GHz interface with channel 44 or 48. + +The reboot loop is caused by the following excessive number of WARN_ON +messages: + + WARNING: CPU: 0 PID: 0 at backports-4.19.23-1/net/mac80211/rx.c:4516 + ieee80211_rx_napi+0x1fc/0xa54 [mac80211] + +as the messages are being correctly emitted by the following guard: + + case RX_ENC_LEGACY: + if (WARN_ON(status->rate_idx >= sband->n_bitrates)) + +as the rate_idx is in this case erroneously set to 251 (0xfb). This fix +simply converts previously used magic number to proper constant and +guards against substraction which is leading to the currently observed +underflow. + +1. 
https://bugs.openwrt.org/index.php?do=details&task_id=2218 + +Fixes: 854783444bab ("mwl8k: properly set receive status rate index on 5 GHz receive") +Tested-by: Eubert Bao <bunnier@gmail.com> +Reported-by: Eubert Bao <bunnier@gmail.com> +Signed-off-by: Petr Å tetiar <ynezz@true.cz> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +[bwh: Backported to 3.16: adjust filename, context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/net/wireless/mwl8k.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/mwl8k.c ++++ b/drivers/net/wireless/mwl8k.c +@@ -436,6 +436,9 @@ static const struct ieee80211_rate mwl8k + #define MWL8K_CMD_UPDATE_STADB 0x1123 + #define MWL8K_CMD_BASTREAM 0x1125 + ++#define MWL8K_LEGACY_5G_RATE_OFFSET \ ++ (ARRAY_SIZE(mwl8k_rates_24) - ARRAY_SIZE(mwl8k_rates_50)) ++ + static const char *mwl8k_cmd_name(__le16 cmd, char *buf, int bufsize) + { + u16 command = le16_to_cpu(cmd); +@@ -1011,8 +1014,9 @@ mwl8k_rxd_ap_process(void *_rxd, struct + + if (rxd->channel > 14) { + status->band = IEEE80211_BAND_5GHZ; +- if (!(status->flag & RX_FLAG_HT)) +- status->rate_idx -= 5; ++ if (!(status->flag & RX_FLAG_HT) && ++ status->rate_idx >= MWL8K_LEGACY_5G_RATE_OFFSET) ++ status->rate_idx -= MWL8K_LEGACY_5G_RATE_OFFSET; + } else { + status->band = IEEE80211_BAND_2GHZ; + } +@@ -1119,8 +1123,9 @@ mwl8k_rxd_sta_process(void *_rxd, struct + + if (rxd->channel > 14) { + status->band = IEEE80211_BAND_5GHZ; +- if (!(status->flag & RX_FLAG_HT)) +- status->rate_idx -= 5; ++ if (!(status->flag & RX_FLAG_HT) && ++ status->rate_idx >= MWL8K_LEGACY_5G_RATE_OFFSET) ++ status->rate_idx -= MWL8K_LEGACY_5G_RATE_OFFSET; + } else { + status->band = IEEE80211_BAND_2GHZ; + } diff --git a/queue-3.16/net-ucc_geth-fix-oops-when-changing-number-of-buffers-in-the-ring.patch b/queue-3.16/net-ucc_geth-fix-oops-when-changing-number-of-buffers-in-the-ring.patch new file mode 100644 index 00000000..5e22d4d5 --- /dev/null 
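Review bot: When a non-HT 5 GHz frame arrives with `status->rate_idx` below `MWL8K_LEGACY_5G_RATE_OFFSET`, the new guard in `mwl8k_rxd_ap_process()` skips the subtraction and passes the raw index on unchanged, so a value that presumably refers to the 2.4 GHz table is reported as a 5 GHz index. The underflow is gone, but the intent for that case is not stated. Either give it a defined value, e.g. `else if (!(status->flag & RX_FLAG_HT)) status->rate_idx = 0;`, or add a comment saying the index is kept deliberately. The identical block in `mwl8k_rxd_sta_process()` has the same gap, and a small shared helper would stop the two copies from diverging; both function bodies extend beyond the hunks.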
+++ b/queue-3.16/net-ucc_geth-fix-oops-when-changing-number-of-buffers-in-the-ring.patch 
@@ -0,0 +1,78 @@ +From: Christophe Leroy <christophe.leroy@c-s.fr> +Date: Fri, 3 May 2019 13:33:23 +0000 +Subject: net: ucc_geth - fix Oops when changing number of buffers in the ring + +commit ee0df19305d9fabd9479b785918966f6e25b733b upstream. + +When changing the number of buffers in the RX ring while the interface +is running, the following Oops is encountered due to the new number +of buffers being taken into account immediately while their allocation +is done when opening the device only. + +[ 69.882706] Unable to handle kernel paging request for data at address 0xf0000100 +[ 69.890172] Faulting instruction address: 0xc033e164 +[ 69.895122] Oops: Kernel access of bad area, sig: 11 [#1] +[ 69.900494] BE PREEMPT CMPCPRO +[ 69.907120] CPU: 0 PID: 0 Comm: swapper Not tainted 4.14.115-00006-g179ade8ce3-dirty #269 +[ 69.915956] task: c0684310 task.stack: c06da000 +[ 69.920470] NIP: c033e164 LR: c02e44d0 CTR: c02e41fc +[ 69.925504] REGS: dfff1e20 TRAP: 0300 Not tainted (4.14.115-00006-g179ade8ce3-dirty) +[ 69.934161] MSR: 00009032 <EE,ME,IR,DR,RI> CR: 22004428 XER: 20000000 +[ 69.940869] DAR: f0000100 DSISR: 20000000 +[ 69.940869] GPR00: c0352d70 dfff1ed0 c0684310 f00000a4 00000040 dfff1f68 00000000 0000001f +[ 69.940869] GPR08: df53f410 1cc00040 00000021 c0781640 42004424 100c82b6 f00000a4 df53f5b0 +[ 69.940869] GPR16: df53f6c0 c05daf84 00000040 00000000 00000040 c0782be4 00000000 00000001 +[ 69.940869] GPR24: 00000000 df53f400 000001b0 df53f410 df53f000 0000003f df708220 1cc00044 +[ 69.978348] NIP [c033e164] skb_put+0x0/0x5c +[ 69.982528] LR [c02e44d0] ucc_geth_poll+0x2d4/0x3f8 +[ 69.987384] Call Trace: +[ 69.989830] [dfff1ed0] [c02e4554] ucc_geth_poll+0x358/0x3f8 (unreliable) +[ 69.996522] [dfff1f20] [c0352d70] net_rx_action+0x248/0x30c +[ 70.002099] [dfff1f80] [c04e93e4] __do_softirq+0xfc/0x310 +[ 70.007492] [dfff1fe0] [c0021124] irq_exit+0xd0/0xd4 +[ 70.012458] [dfff1ff0] [c000e7e0] call_do_irq+0x24/0x3c +[ 70.017683] [c06dbe80] [c0006bac] do_IRQ+0x64/0xc4 +[ 
70.022474] [c06dbea0] [c001097c] ret_from_except+0x0/0x14 +[ 70.027964] --- interrupt: 501 at rcu_idle_exit+0x84/0x90 +[ 70.027964] LR = rcu_idle_exit+0x74/0x90 +[ 70.037585] [c06dbf60] [20000000] 0x20000000 (unreliable) +[ 70.042984] [c06dbf80] [c004bb0c] do_idle+0xb4/0x11c +[ 70.047945] [c06dbfa0] [c004bd14] cpu_startup_entry+0x18/0x1c +[ 70.053682] [c06dbfb0] [c05fb034] start_kernel+0x370/0x384 +[ 70.059153] [c06dbff0] [00003438] 0x3438 +[ 70.063062] Instruction dump: +[ 70.066023] 38a00000 38800000 90010014 4bfff015 80010014 7c0803a6 3123ffff 7c691910 +[ 70.073767] 38210010 4e800020 38600000 4e800020 <80e3005c> 80c30098 3107ffff 7d083910 +[ 70.081690] ---[ end trace be7ccd9c1e1a9f12 ]--- + +This patch forbids the modification of the number of buffers in the +ring while the interface is running. + +Fixes: ac421852b3a0 ("ucc_geth: add ethtool support") +Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/net/ethernet/freescale/ucc_geth_ethtool.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/freescale/ucc_geth_ethtool.c ++++ b/drivers/net/ethernet/freescale/ucc_geth_ethtool.c +@@ -253,14 +253,12 @@ uec_set_ringparam(struct net_device *net + return -EINVAL; + } + ++ if (netif_running(netdev)) ++ return -EBUSY; ++ + ug_info->bdRingLenRx[queue] = ring->rx_pending; + ug_info->bdRingLenTx[queue] = ring->tx_pending; + +- if (netif_running(netdev)) { +- /* FIXME: restart automatically */ +- netdev_info(netdev, "Please re-open the interface\n"); +- } +- + return ret; + } + diff --git a/queue-3.16/netfilter-ebtables-config_compat-reject-trailing-data-after-last.patch b/queue-3.16/netfilter-ebtables-config_compat-reject-trailing-data-after-last.patch new file mode 100644 index 00000000..d8b79bba --- /dev/null +++ b/queue-3.16/netfilter-ebtables-config_compat-reject-trailing-data-after-last.patch 
@@ -0,0 +1,36 @@ +From: Florian Westphal <fw@strlen.de> +Date: Sun, 5 May 2019 18:47:33 +0200 +Subject: netfilter: ebtables: CONFIG_COMPAT: reject trailing data after last + rule + +commit 680f6af5337c98d116e4f127cea7845339dba8da upstream. + +If userspace provides a rule blob with trailing data after last target, +we trigger a splat, then convert ruleset to 64bit format (with trailing +data), then pass that to do_replace_finish() which then returns -EINVAL. + +Erroring out right away avoids the splat plus unneeded translation and +error unwind. + +Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support") +Reported-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> +Signed-off-by: Florian Westphal <fw@strlen.de> +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/bridge/netfilter/ebtables.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -2139,7 +2139,9 @@ static int compat_copy_entries(unsigned + if (ret < 0) + return ret; + +- WARN_ON(size_remaining); ++ if (size_remaining) ++ return -EINVAL; ++ + return state->buf_kern_offset; + } + diff --git a/queue-3.16/nfs4-fix-v4.0-client-state-corruption-when-mount.patch b/queue-3.16/nfs4-fix-v4.0-client-state-corruption-when-mount.patch new file mode 100644 index 00000000..516746b9 --- /dev/null +++ b/queue-3.16/nfs4-fix-v4.0-client-state-corruption-when-mount.patch 
@@ -0,0 +1,42 @@ +From: ZhangXiaoxu <zhangxiaoxu5@huawei.com> +Date: Mon, 6 May 2019 11:57:03 +0800 +Subject: NFS4: Fix v4.0 client state corruption when mount + +commit f02f3755dbd14fb935d24b14650fff9ba92243b8 upstream. + +stat command with soft mount never return after server is stopped. + +When alloc a new client, the state of the client will be set to +NFS4CLNT_LEASE_EXPIRED. + +When the server is stopped, the state manager will work, and accord +the state to recover. But the state is NFS4CLNT_LEASE_EXPIRED, it +will drain the slot table and lead other task to wait queue, until +the client recovered. Then the stat command is hung. + +When discover server trunking, the client will renew the lease, +but check the client state, it lead the client state corruption. + +So, we need to call state manager to recover it when detect server +ip trunking. + +Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@huawei.com> +Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + fs/nfs/nfs4state.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/nfs/nfs4state.c ++++ b/fs/nfs/nfs4state.c +@@ -140,6 +140,10 @@ int nfs40_discover_server_trunking(struc + /* Sustain the lease, even if it's empty. If the clientid4 + * goes stale it's of no use for trunking discovery. */ + nfs4_schedule_state_renewal(*result); ++ ++ /* If the client state need to recover, do it. */ ++ if (clp->cl_state) ++ nfs4_schedule_state_manager(clp); + } + out: + return status; diff --git a/queue-3.16/ntp-allow-tai-utc-offset-to-be-set-to-zero.patch b/queue-3.16/ntp-allow-tai-utc-offset-to-be-set-to-zero.patch new file mode 100644 index 00000000..a122e838 --- /dev/null +++ b/queue-3.16/ntp-allow-tai-utc-offset-to-be-set-to-zero.patch 
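Review bot: The new `if (clp->cl_state)` in `nfs40_discover_server_trunking()` treats any set bit in the state word as a reason to schedule the state manager, and the comment above it does not say which state is expected at this point. The commit message names `NFS4CLNT_LEASE_EXPIRED` as the case being fixed, so the comment could record that: `/* a new client starts with NFS4CLNT_LEASE_EXPIRED set; kick the state manager so recovery runs */`. If only that flag matters, `test_bit(NFS4CLNT_LEASE_EXPIRED, &clp->cl_state)` would be more precise, though whether other bits can be set here is not visible from the hunk.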
@@ -0,0 +1,40 @@ +From: Miroslav Lichvar <mlichvar@redhat.com> +Date: Wed, 17 Apr 2019 10:48:33 +0200 +Subject: ntp: Allow TAI-UTC offset to be set to zero + +commit fdc6bae940ee9eb869e493990540098b8c0fd6ab upstream. + +The ADJ_TAI adjtimex mode sets the TAI-UTC offset of the system clock. +It is typically set by NTP/PTP implementations and it is automatically +updated by the kernel on leap seconds. The initial value is zero (which +applications may interpret as unknown), but this value cannot be set by +adjtimex. This limitation seems to go back to the original "nanokernel" +implementation by David Mills. + +Change the ADJ_TAI check to accept zero as a valid TAI-UTC offset in +order to allow setting it back to the initial value. + +Fixes: 153b5d054ac2 ("ntp: support for TAI") +Suggested-by: Ondrej Mosnacek <omosnace@redhat.com> +Signed-off-by: Miroslav Lichvar <mlichvar@redhat.com> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> +Cc: John Stultz <john.stultz@linaro.org> +Cc: Richard Cochran <richardcochran@gmail.com> +Cc: Prarit Bhargava <prarit@redhat.com> +Link: https://lkml.kernel.org/r/20190417084833.7401-1-mlichvar@redhat.com +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + kernel/time/ntp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/time/ntp.c ++++ b/kernel/time/ntp.c +@@ -588,7 +588,7 @@ static inline void process_adjtimex_mode + time_constant = max(time_constant, 0l); + } + +- if (txc->modes & ADJ_TAI && txc->constant > 0) ++ if (txc->modes & ADJ_TAI && txc->constant >= 0) + *time_tai = txc->constant; + + if (txc->modes & ADJ_OFFSET) diff --git a/queue-3.16/ocfs2-fix-ocfs2-read-inode-data-panic-in-ocfs2_iget.patch b/queue-3.16/ocfs2-fix-ocfs2-read-inode-data-panic-in-ocfs2_iget.patch new file mode 100644 index 00000000..c5373a0e --- /dev/null +++ b/queue-3.16/ocfs2-fix-ocfs2-read-inode-data-panic-in-ocfs2_iget.patch 
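Review bot: The relaxed check `txc->constant >= 0` in `process_adjtimex_modes()` still has no upper bound, so any non-negative value supplied through adjtimex is stored in `*time_tai`. The types are not visible in the hunk, but if `txc->constant` is wider than the TAI variable an oversized value would be truncated on assignment. A ceiling next to the lower bound would close that: `txc->constant >= 0 && txc->constant <= TAI_OFFSET_LIMIT`, where `TAI_OFFSET_LIMIT` is a placeholder name for a constant to be defined. Parenthesising `(txc->modes & ADJ_TAI)` would also make the precedence explicit.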
@@ -0,0 +1,176 @@ +From: Shuning Zhang <sunny.s.zhang@oracle.com> +Date: Mon, 13 May 2019 17:15:56 -0700 +Subject: ocfs2: fix ocfs2 read inode data panic in ocfs2_iget + +commit e091eab028f9253eac5c04f9141bbc9d170acab3 upstream. + +In some cases, ocfs2_iget() reads the data of inode, which has been +deleted for some reason. That will make the system panic. So We should +judge whether this inode has been deleted, and tell the caller that the +inode is a bad inode. + +For example, the ocfs2 is used as the backed of nfs, and the client is +nfsv3. This issue can be reproduced by the following steps. + +on the nfs server side, +..../patha/pathb + +Step 1: The process A was scheduled before calling the function fh_verify. + +Step 2: The process B is removing the 'pathb', and just completed the call +to function dput. Then the dentry of 'pathb' has been deleted from the +dcache, and all ancestors have been deleted also. The relationship of +dentry and inode was deleted through the function hlist_del_init. The +following is the call stack. +dentry_iput->hlist_del_init(&dentry->d_u.d_alias) + +At this time, the inode is still in the dcache. + +Step 3: The process A call the function ocfs2_get_dentry, which get the +inode from dcache. Then the refcount of inode is 1. The following is the +call stack. +nfsd3_proc_getacl->fh_verify->exportfs_decode_fh->fh_to_dentry(ocfs2_get_dentry) + +Step 4: Dirty pages are flushed by bdi threads. So the inode of 'patha' +is evicted, and this directory was deleted. But the inode of 'pathb' +can't be evicted, because the refcount of the inode was 1. + +Step 5: The process A keep running, and call the function +reconnect_path(in exportfs_decode_fh), which call function +ocfs2_get_parent of ocfs2. Get the block number of parent +directory(patha) by the name of ... Then read the data from disk by the +block number. But this inode has been deleted, so the system panic. + +Process A Process B +1. in nfsd3_proc_getacl | +2. | dput +3. 
fh_to_dentry(ocfs2_get_dentry) | +4. bdi flush dirty cache | +5. ocfs2_iget | + +[283465.542049] OCFS2: ERROR (device sdp): ocfs2_validate_inode_block: +Invalid dinode #580640: OCFS2_VALID_FL not set + +[283465.545490] Kernel panic - not syncing: OCFS2: (device sdp): panic forced +after error + +[283465.546889] CPU: 5 PID: 12416 Comm: nfsd Tainted: G W +4.1.12-124.18.6.el6uek.bug28762940v3.x86_64 #2 +[283465.548382] Hardware name: VMware, Inc. VMware Virtual Platform/440BX +Desktop Reference Platform, BIOS 6.00 09/21/2015 +[283465.549657] 0000000000000000 ffff8800a56fb7b8 ffffffff816e839c +ffffffffa0514758 +[283465.550392] 000000000008dc20 ffff8800a56fb838 ffffffff816e62d3 +0000000000000008 +[283465.551056] ffff880000000010 ffff8800a56fb848 ffff8800a56fb7e8 +ffff88005df9f000 +[283465.551710] Call Trace: +[283465.552516] [<ffffffff816e839c>] dump_stack+0x63/0x81 +[283465.553291] [<ffffffff816e62d3>] panic+0xcb/0x21b +[283465.554037] [<ffffffffa04e66b0>] ocfs2_handle_error+0xf0/0xf0 [ocfs2] +[283465.554882] [<ffffffffa04e7737>] __ocfs2_error+0x67/0x70 [ocfs2] +[283465.555768] [<ffffffffa049c0f9>] ocfs2_validate_inode_block+0x229/0x230 +[ocfs2] +[283465.556683] [<ffffffffa047bcbc>] ocfs2_read_blocks+0x46c/0x7b0 [ocfs2] +[283465.557408] [<ffffffffa049bed0>] ? ocfs2_inode_cache_io_unlock+0x20/0x20 +[ocfs2] +[283465.557973] [<ffffffffa049f0eb>] ocfs2_read_inode_block_full+0x3b/0x60 +[ocfs2] +[283465.558525] [<ffffffffa049f5ba>] ocfs2_iget+0x4aa/0x880 [ocfs2] +[283465.559082] [<ffffffffa049146e>] ocfs2_get_parent+0x9e/0x220 [ocfs2] +[283465.559622] [<ffffffff81297c05>] reconnect_path+0xb5/0x300 +[283465.560156] [<ffffffff81297f46>] exportfs_decode_fh+0xf6/0x2b0 +[283465.560708] [<ffffffffa062faf0>] ? nfsd_proc_getattr+0xa0/0xa0 [nfsd] +[283465.561262] [<ffffffff810a8196>] ? prepare_creds+0x26/0x110 +[283465.561932] [<ffffffffa0630860>] fh_verify+0x350/0x660 [nfsd] +[283465.562862] [<ffffffffa0637804>] ? 
nfsd_cache_lookup+0x44/0x630 [nfsd] +[283465.563697] [<ffffffffa063a8b9>] nfsd3_proc_getattr+0x69/0xf0 [nfsd] +[283465.564510] [<ffffffffa062cf60>] nfsd_dispatch+0xe0/0x290 [nfsd] +[283465.565358] [<ffffffffa05eb892>] ? svc_tcp_adjust_wspace+0x12/0x30 +[sunrpc] +[283465.566272] [<ffffffffa05ea652>] svc_process_common+0x412/0x6a0 [sunrpc] +[283465.567155] [<ffffffffa05eaa03>] svc_process+0x123/0x210 [sunrpc] +[283465.568020] [<ffffffffa062c90f>] nfsd+0xff/0x170 [nfsd] +[283465.568962] [<ffffffffa062c810>] ? nfsd_destroy+0x80/0x80 [nfsd] +[283465.570112] [<ffffffff810a622b>] kthread+0xcb/0xf0 +[283465.571099] [<ffffffff810a6160>] ? kthread_create_on_node+0x180/0x180 +[283465.572114] [<ffffffff816f11b8>] ret_from_fork+0x58/0x90 +[283465.573156] [<ffffffff810a6160>] ? kthread_create_on_node+0x180/0x180 + +Link: http://lkml.kernel.org/r/1554185919-3010-1-git-send-email-sunny.s.zhang@oracle.com +Signed-off-by: Shuning Zhang <sunny.s.zhang@oracle.com> +Reviewed-by: Joseph Qi <jiangqi903@gmail.com> +Cc: Mark Fasheh <mark@fasheh.com> +Cc: Joel Becker <jlbec@evilplan.org> +Cc: Junxiao Bi <junxiao.bi@oracle.com> +Cc: Changwei Ge <gechangwei@live.cn> +Cc: piaojun <piaojun@huawei.com> +Cc: "Gang He" <ghe@suse.com> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + fs/ocfs2/export.c | 30 +++++++++++++++++++++++++++++- + 1 file changed, 29 insertions(+), 1 deletion(-) + +--- a/fs/ocfs2/export.c ++++ b/fs/ocfs2/export.c +@@ -148,16 +148,24 @@ static struct dentry *ocfs2_get_parent(s + u64 blkno; + struct dentry *parent; + struct inode *dir = child->d_inode; ++ int set; + + trace_ocfs2_get_parent(child, child->d_name.len, child->d_name.name, + (unsigned long long)OCFS2_I(dir)->ip_blkno); + ++ status = ocfs2_nfs_sync_lock(OCFS2_SB(dir->i_sb), 1); ++ if (status < 0) { ++ mlog(ML_ERROR, "getting nfs sync lock(EX) 
failed %d\n", status); ++ parent = ERR_PTR(status); ++ goto bail; ++ } ++ + status = ocfs2_inode_lock(dir, NULL, 0); + if (status < 0) { + if (status != -ENOENT) + mlog_errno(status); + parent = ERR_PTR(status); +- goto bail; ++ goto unlock_nfs_sync; + } + + status = ocfs2_lookup_ino_from_name(dir, "..", 2, &blkno); +@@ -166,11 +174,31 @@ static struct dentry *ocfs2_get_parent(s + goto bail_unlock; + } + ++ status = ocfs2_test_inode_bit(OCFS2_SB(dir->i_sb), blkno, &set); ++ if (status < 0) { ++ if (status == -EINVAL) { ++ status = -ESTALE; ++ } else ++ mlog(ML_ERROR, "test inode bit failed %d\n", status); ++ parent = ERR_PTR(status); ++ goto bail_unlock; ++ } ++ ++ trace_ocfs2_get_dentry_test_bit(status, set); ++ if (!set) { ++ status = -ESTALE; ++ parent = ERR_PTR(status); ++ goto bail_unlock; ++ } ++ + parent = d_obtain_alias(ocfs2_iget(OCFS2_SB(dir->i_sb), blkno, 0, 0)); + + bail_unlock: + ocfs2_inode_unlock(dir, 0); + ++unlock_nfs_sync: ++ ocfs2_nfs_sync_unlock(OCFS2_SB(dir->i_sb), 1); ++ + bail: + trace_ocfs2_get_parent_end(parent); + diff --git a/queue-3.16/of-fix-clang-wunsequenced-for-be32_to_cpu.patch b/queue-3.16/of-fix-clang-wunsequenced-for-be32_to_cpu.patch new file mode 100644 index 00000000..a26a58e3 --- /dev/null +++ b/queue-3.16/of-fix-clang-wunsequenced-for-be32_to_cpu.patch 
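Review bot: The new ocfs2_test_inode_bit() step in ocfs2_get_parent() has no comment explaining why it is there, so a reader of the function alone will not know it guards ocfs2_iget() against a parent block that has already been freed. I would add above it `/* The parent may have been deleted under us; check its allocation bit so ocfs2_iget() never reads a freed inode block. */`. The error branch also mixes a braced `if` with an unbraced `else`; dropping the braces around `status = -ESTALE;` would match the unbraced `if (status != -ENOENT)` a few lines earlier. Both ends of the function are outside the hunk.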
@@ -0,0 +1,51 @@ +From: Phong Tran <tranmanphong@gmail.com> +Date: Tue, 30 Apr 2019 21:56:24 +0700 +Subject: of: fix clang -Wunsequenced for be32_to_cpu() + +commit 440868661f36071886ed360d91de83bd67c73b4f upstream. + +Now, make the loop explicit to avoid clang warning. + +./include/linux/of.h:238:37: warning: multiple unsequenced modifications +to 'cell' [-Wunsequenced] + r = (r << 32) | be32_to_cpu(*(cell++)); + ^~ +./include/linux/byteorder/generic.h:95:21: note: expanded from macro +'be32_to_cpu' + ^ +./include/uapi/linux/byteorder/little_endian.h:40:59: note: expanded +from macro '__be32_to_cpu' + ^ +./include/uapi/linux/swab.h:118:21: note: expanded from macro '__swab32' + ___constant_swab32(x) : \ + ^ +./include/uapi/linux/swab.h:18:12: note: expanded from macro +'___constant_swab32' + (((__u32)(x) & (__u32)0x000000ffUL) << 24) | \ + ^ + +Signed-off-by: Phong Tran <tranmanphong@gmail.com> +Reported-by: Nick Desaulniers <ndesaulniers@google.com> +Link: https://github.com/ClangBuiltLinux/linux/issues/460 +Suggested-by: David Laight <David.Laight@ACULAB.COM> +Reviewed-by: Nick Desaulniers <ndesaulniers@google.com> +[robh: fix up whitespace] +Signed-off-by: Rob Herring <robh@kernel.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + include/linux/of.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/include/linux/of.h ++++ b/include/linux/of.h +@@ -171,8 +171,8 @@ extern struct device_node *of_find_all_n + static inline u64 of_read_number(const __be32 *cell, int size) + { + u64 r = 0; +- while (size--) +- r = (r << 32) | be32_to_cpu(*(cell++)); ++ for (; size--; cell++) ++ r = (r << 32) | be32_to_cpu(*cell); + return r; + } + diff --git a/queue-3.16/p54-drop-device-reference-count-if-fails-to-enable-device.patch b/queue-3.16/p54-drop-device-reference-count-if-fails-to-enable-device.patch new file mode 100644 index 00000000..ccbeabb1 --- /dev/null +++ b/queue-3.16/p54-drop-device-reference-count-if-fails-to-enable-device.patch 
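Review bot: The rewritten loop in of_read_number() still terminates only when `size` reaches exactly zero, so a negative `size` makes `for (; size--; cell++)` read far past the end of the cell array. `size` is a signed int, presumably taken by callers from device-tree cell counts that are not visible here, so I would bound the loop on the sign instead: `for (; size > 0; size--, cell++)`. A one-line comment on the function should also say that for sizes above 2 only the last two cells survive in the result, because `r` is shifted left by 32 on every round.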
@@ -0,0 +1,38 @@ +From: Pan Bian <bianpan2016@163.com> +Date: Wed, 17 Apr 2019 17:41:23 +0800 +Subject: p54: drop device reference count if fails to enable device + +commit 8149069db81853570a665f5e5648c0e526dc0e43 upstream. + +The function p54p_probe takes an extra reference count of the PCI +device. However, the extra reference count is not dropped when it fails +to enable the PCI device. This patch fixes the bug. + +Signed-off-by: Pan Bian <bianpan2016@163.com> +Acked-by: Christian Lamparter <chunkeey@gmail.com> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +[bwh: Backported to 3.16: adjust filename] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/net/wireless/p54/p54pci.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/p54/p54pci.c ++++ b/drivers/net/wireless/p54/p54pci.c +@@ -551,7 +551,7 @@ static int p54p_probe(struct pci_dev *pd + err = pci_enable_device(pdev); + if (err) { + dev_err(&pdev->dev, "Cannot enable new PCI device\n"); +- return err; ++ goto err_put; + } + + mem_addr = pci_resource_start(pdev, 0); +@@ -636,6 +636,7 @@ static int p54p_probe(struct pci_dev *pd + pci_release_regions(pdev); + err_disable_dev: + pci_disable_device(pdev); ++err_put: + pci_dev_put(pdev); + return err; + } diff --git a/queue-3.16/parisc-rename-level-to-pa_asm_level-to-avoid-name-clash-with-drbd.patch b/queue-3.16/parisc-rename-level-to-pa_asm_level-to-avoid-name-clash-with-drbd.patch new file mode 100644 index 00000000..eeb434ae --- /dev/null +++ b/queue-3.16/parisc-rename-level-to-pa_asm_level-to-avoid-name-clash-with-drbd.patch 
@@ -0,0 +1,71 @@ +From: Helge Deller <deller@gmx.de> +Date: Sun, 5 May 2019 23:54:34 +0200 +Subject: parisc: Rename LEVEL to PA_ASM_LEVEL to avoid name clash with DRBD + code + +commit 1829dda0e87f4462782ca81be474c7890efe31ce upstream. + +LEVEL is a very common word, and now after many years it suddenly +clashed with another LEVEL define in the DRBD code. +Rename it to PA_ASM_LEVEL instead. + +Reported-by: kbuild test robot <lkp@intel.com> +Signed-off-by: Helge Deller <deller@gmx.de> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + arch/parisc/include/asm/assembly.h | 6 +++--- + arch/parisc/kernel/head.S | 4 ++-- + arch/parisc/kernel/syscall.S | 2 +- + 3 files changed, 6 insertions(+), 6 deletions(-) + +--- a/arch/parisc/include/asm/assembly.h ++++ b/arch/parisc/include/asm/assembly.h +@@ -59,14 +59,14 @@ + #define LDCW ldcw,co + #define BL b,l + # ifdef CONFIG_64BIT +-# define LEVEL 2.0w ++# define PA_ASM_LEVEL 2.0w + # else +-# define LEVEL 2.0 ++# define PA_ASM_LEVEL 2.0 + # endif + #else + #define LDCW ldcw + #define BL bl +-#define LEVEL 1.1 ++#define PA_ASM_LEVEL 1.1 + #endif + + #ifdef __ASSEMBLY__ +--- a/arch/parisc/kernel/head.S ++++ b/arch/parisc/kernel/head.S +@@ -22,7 +22,7 @@ + #include <linux/linkage.h> + #include <linux/init.h> + +- .level LEVEL ++ .level PA_ASM_LEVEL + + __INITDATA + ENTRY(boot_args) +@@ -245,7 +245,7 @@ stext_pdc_ret: + ldo R%PA(fault_vector_11)(%r10),%r10 + + $is_pa20: +- .level LEVEL /* restore 1.1 || 2.0w */ ++ .level PA_ASM_LEVEL /* restore 1.1 || 2.0w */ + #endif /*!CONFIG_64BIT*/ + load32 PA(fault_vector_20),%r10 + +--- a/arch/parisc/kernel/syscall.S ++++ b/arch/parisc/kernel/syscall.S +@@ -48,7 +48,7 @@ registers). + */ + #define KILL_INSN break 0,0 + +- .level LEVEL ++ .level PA_ASM_LEVEL + + .text + diff --git a/queue-3.16/pci-factor-out-pcie_retrain_link-function.patch b/queue-3.16/pci-factor-out-pcie_retrain_link-function.patch new file mode 100644 index 00000000..70979c78 --- /dev/null 
+++ b/queue-3.16/pci-factor-out-pcie_retrain_link-function.patch 
@@ -0,0 +1,83 @@ +From: =?UTF-8?q?Stefan=20M=C3=A4tje?= <stefan.maetje@esd.eu> +Date: Fri, 29 Mar 2019 18:07:34 +0100 +Subject: PCI: Factor out pcie_retrain_link() function +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 86fa6a344209d9414ea962b1f1ac6ade9dd7563a upstream. + +Factor out pcie_retrain_link() to use for Pericom Retrain Link quirk. No +functional change intended. + +Signed-off-by: Stefan Mätje <stefan.maetje@esd.eu> +Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> +Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/pci/pcie/aspm.c | 40 ++++++++++++++++++++++++---------------- + 1 file changed, 24 insertions(+), 16 deletions(-) + +--- a/drivers/pci/pcie/aspm.c ++++ b/drivers/pci/pcie/aspm.c +@@ -175,6 +175,29 @@ static void pcie_clkpm_cap_init(struct p + link->clkpm_capable = (blacklist) ? 0 : capable; + } + ++static bool pcie_retrain_link(struct pcie_link_state *link) ++{ ++ struct pci_dev *parent = link->pdev; ++ unsigned long start_jiffies; ++ u16 reg16; ++ ++ pcie_capability_read_word(parent, PCI_EXP_LNKCTL, ®16); ++ reg16 |= PCI_EXP_LNKCTL_RL; ++ pcie_capability_write_word(parent, PCI_EXP_LNKCTL, reg16); ++ ++ /* Wait for link training end. Break out after waiting for timeout */ ++ start_jiffies = jiffies; ++ for (;;) { ++ pcie_capability_read_word(parent, PCI_EXP_LNKSTA, ®16); ++ if (!(reg16 & PCI_EXP_LNKSTA_LT)) ++ break; ++ if (time_after(jiffies, start_jiffies + LINK_RETRAIN_TIMEOUT)) ++ break; ++ msleep(1); ++ } ++ return !(reg16 & PCI_EXP_LNKSTA_LT); ++} ++ + /* + * pcie_aspm_configure_common_clock: check if the 2 ends of a link + * could use common clock. 
If they are, configure them to use the +@@ -184,7 +207,6 @@ static void pcie_aspm_configure_common_c + { + int same_clock = 1; + u16 reg16, parent_reg, child_reg[8]; +- unsigned long start_jiffies; + struct pci_dev *child, *parent = link->pdev; + struct pci_bus *linkbus = parent->subordinate; + /* +@@ -224,21 +246,7 @@ static void pcie_aspm_configure_common_c + reg16 &= ~PCI_EXP_LNKCTL_CCC; + pcie_capability_write_word(parent, PCI_EXP_LNKCTL, reg16); + +- /* Retrain link */ +- reg16 |= PCI_EXP_LNKCTL_RL; +- pcie_capability_write_word(parent, PCI_EXP_LNKCTL, reg16); +- +- /* Wait for link training end. Break out after waiting for timeout */ +- start_jiffies = jiffies; +- for (;;) { +- pcie_capability_read_word(parent, PCI_EXP_LNKSTA, ®16); +- if (!(reg16 & PCI_EXP_LNKSTA_LT)) +- break; +- if (time_after(jiffies, start_jiffies + LINK_RETRAIN_TIMEOUT)) +- break; +- msleep(1); +- } +- if (!(reg16 & PCI_EXP_LNKSTA_LT)) ++ if (pcie_retrain_link(link)) + return; + + /* Training failed. Restore common clock configurations */ diff --git a/queue-3.16/pci-mark-atheros-ar9462-to-avoid-bus-reset.patch b/queue-3.16/pci-mark-atheros-ar9462-to-avoid-bus-reset.patch new file mode 100644 index 00000000..22d6f594 --- /dev/null +++ b/queue-3.16/pci-mark-atheros-ar9462-to-avoid-bus-reset.patch 
@@ -0,0 +1,29 @@ +From: James Prestwood <james.prestwood@linux.intel.com> +Date: Mon, 7 Jan 2019 13:32:48 -0800 +Subject: PCI: Mark Atheros AR9462 to avoid bus reset + +commit 6afb7e26978da5e86e57e540fdce65c8b04f398a upstream. + +When using PCI passthrough with this device, the host machine locks up +completely when starting the VM, requiring a hard reboot. Add a quirk to +avoid bus resets on this device. + +Fixes: c3e59ee4e766 ("PCI: Mark Atheros AR93xx to avoid bus reset") +Link: https://lore.kernel.org/linux-pci/20190107213248.3034-1-james.prestwood@linux.intel.com +Signed-off-by: James Prestwood <james.prestwood@linux.intel.com> +Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/pci/quirks.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -3154,6 +3154,7 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_A + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0032, quirk_no_bus_reset); + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x003c, quirk_no_bus_reset); + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0033, quirk_no_bus_reset); ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0034, quirk_no_bus_reset); + + static void pci_do_fixups(struct pci_dev *dev, struct pci_fixup *f, + struct pci_fixup *end) diff --git a/queue-3.16/pci-reset-lenovo-thinkpad-p50-nvgpu-at-boot-if-necessary.patch b/queue-3.16/pci-reset-lenovo-thinkpad-p50-nvgpu-at-boot-if-necessary.patch new file mode 100644 index 00000000..c2329972 --- /dev/null +++ b/queue-3.16/pci-reset-lenovo-thinkpad-p50-nvgpu-at-boot-if-necessary.patch 
@@ -0,0 +1,149 @@ +From: Lyude Paul <lyude@redhat.com> +Date: Tue, 12 Feb 2019 17:02:30 -0500 +Subject: PCI: Reset Lenovo ThinkPad P50 nvgpu at boot if necessary + +commit e0547c81bfcfad01cbbfa93a5e66bb98ab932f80 upstream. + +On ThinkPad P50 SKUs with an Nvidia Quadro M1000M instead of the M2000M +variant, the BIOS does not always reset the secondary Nvidia GPU during +reboot if the laptop is configured in Hybrid Graphics mode. The reason is +unknown, but the following steps and possibly a good bit of patience will +reproduce the issue: + + 1. Boot up the laptop normally in Hybrid Graphics mode + 2. Make sure nouveau is loaded and that the GPU is awake + 3. Allow the Nvidia GPU to runtime suspend itself after being idle + 4. Reboot the machine, the more sudden the better (e.g. sysrq-b may help) + 5. If nouveau loads up properly, reboot the machine again and go back to + step 2 until you reproduce the issue + +This results in some very strange behavior: the GPU will be left in exactly +the same state it was in when the previously booted kernel started the +reboot. This has all sorts of bad side effects: for starters, this +completely breaks nouveau starting with a mysterious EVO channel failure +that happens well before we've actually used the EVO channel for anything: + + nouveau 0000:01:00.0: disp: chid 0 mthd 0000 data 00000400 00001000 00000002 + +This causes a timeout trying to bring up the GR ctx: + + nouveau 0000:01:00.0: timeout + WARNING: CPU: 0 PID: 12 at drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgf100.c:1547 gf100_grctx_generate+0x7b2/0x850 [nouveau] + Hardware name: LENOVO 20EQS64N0B/20EQS64N0B, BIOS N1EET82W (1.55 ) 12/18/2018 + Workqueue: events_long drm_dp_mst_link_probe_work [drm_kms_helper] + ... 
+ nouveau 0000:01:00.0: gr: wait for idle timeout (en: 1, ctxsw: 0, busy: 1) + nouveau 0000:01:00.0: gr: wait for idle timeout (en: 1, ctxsw: 0, busy: 1) + nouveau 0000:01:00.0: fifo: fault 01 [WRITE] at 0000000000008000 engine 00 [GR] client 15 [HUB/SCC_NB] reason c4 [] on channel -1 [0000000000 unknown] + +The GPU never manages to recover. Booting without loading nouveau causes +issues as well, since the GPU starts sending spurious interrupts that cause +other device's IRQs to get disabled by the kernel: + + irq 16: nobody cared (try booting with the "irqpoll" option) + ... + handlers: + [<000000007faa9e99>] i801_isr [i2c_i801] + Disabling IRQ #16 + ... + serio: RMI4 PS/2 pass-through port at rmi4-00.fn03 + i801_smbus 0000:00:1f.4: Timeout waiting for interrupt! + i801_smbus 0000:00:1f.4: Transaction timeout + rmi4_f03 rmi4-00.fn03: rmi_f03_pt_write: Failed to write to F03 TX register (-110). + i801_smbus 0000:00:1f.4: Timeout waiting for interrupt! + i801_smbus 0000:00:1f.4: Transaction timeout + rmi4_physical rmi4-00: rmi_driver_set_irq_bits: Failed to change enabled interrupts! + +This causes the touchpad and sometimes other things to get disabled. + +Since this happens without nouveau, we can't fix this problem from nouveau +itself. + +Add a PCI quirk for the specific P50 variant of this GPU. Make sure the +GPU is advertising NoReset- so we don't reset the GPU when the machine is +in Dedicated graphics mode (where the GPU being initialized by the BIOS is +normal and expected). Map the GPU MMIO space and read the magic 0x2240c +register, which will have bit 1 set if the device was POSTed during a +previous boot. Once we've confirmed all of this, reset the GPU and +re-disable it - bringing it back to a healthy state. 
+ +Link: https://bugzilla.kernel.org/show_bug.cgi?id=203003 +Link: https://lore.kernel.org/lkml/20190212220230.1568-1-lyude@redhat.com +Signed-off-by: Lyude Paul <lyude@redhat.com> +Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> +Cc: nouveau@lists.freedesktop.org +Cc: dri-devel@lists.freedesktop.org +Cc: Karol Herbst <kherbst@redhat.com> +Cc: Ben Skeggs <skeggsb@gmail.com> +[bwh: Backported to 3.16: + - Use dev_{err,info}() instead of pci_{err,info}() + - Adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/pci/quirks.c | 58 ++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 58 insertions(+) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -3900,3 +3900,61 @@ void pci_dev_specific_enable_acs(struct + } + } + } ++ ++/* ++ * On Lenovo Thinkpad P50 SKUs with a Nvidia Quadro M1000M, the BIOS does ++ * not always reset the secondary Nvidia GPU between reboots if the system ++ * is configured to use Hybrid Graphics mode. This results in the GPU ++ * being left in whatever state it was in during the *previous* boot, which ++ * causes spurious interrupts from the GPU, which in turn causes us to ++ * disable the wrong IRQ and end up breaking the touchpad. Unsurprisingly, ++ * this also completely breaks nouveau. ++ * ++ * Luckily, it seems a simple reset of the Nvidia GPU brings it back to a ++ * clean state and fixes all these issues. ++ * ++ * When the machine is configured in Dedicated display mode, the issue ++ * doesn't occur. Fortunately the GPU advertises NoReset+ when in this ++ * mode, so we can detect that and avoid resetting it. 
++ */ ++static void quirk_reset_lenovo_thinkpad_p50_nvgpu(struct pci_dev *pdev) ++{ ++ void __iomem *map; ++ int ret; ++ ++ if (pdev->subsystem_vendor != PCI_VENDOR_ID_LENOVO || ++ pdev->subsystem_device != 0x222e || ++ !pdev->reset_fn) ++ return; ++ ++ if (pci_enable_device_mem(pdev)) ++ return; ++ ++ /* ++ * Based on nvkm_device_ctor() in ++ * drivers/gpu/drm/nouveau/nvkm/engine/device/base.c ++ */ ++ map = pci_iomap(pdev, 0, 0x23000); ++ if (!map) { ++ dev_err(&pdev->dev, "Can't map MMIO space\n"); ++ goto out_disable; ++ } ++ ++ /* ++ * Make sure the GPU looks like it's been POSTed before resetting ++ * it. ++ */ ++ if (ioread32(map + 0x2240c) & 0x2) { ++ dev_info(&pdev->dev, FW_BUG "GPU left initialized by EFI, resetting\n"); ++ ret = pci_reset_function(pdev); ++ if (ret < 0) ++ dev_err(&pdev->dev, "Failed to reset GPU: %d\n", ret); ++ } ++ ++ iounmap(map); ++out_disable: ++ pci_disable_device(pdev); ++} ++DECLARE_PCI_FIXUP_CLASS_FINAL(PCI_VENDOR_ID_NVIDIA, 0x13b1, ++ PCI_CLASS_DISPLAY_VGA, 8, ++ quirk_reset_lenovo_thinkpad_p50_nvgpu); diff --git a/queue-3.16/pci-work-around-pericom-pcie-to-pci-bridge-retrain-link-erratum.patch b/queue-3.16/pci-work-around-pericom-pcie-to-pci-bridge-retrain-link-erratum.patch new file mode 100644 index 00000000..8c892f88 --- /dev/null +++ b/queue-3.16/pci-work-around-pericom-pcie-to-pci-bridge-retrain-link-erratum.patch 
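Review bot: quirk_reset_lenovo_thinkpad_p50_nvgpu() reads `map + 0x2240c` without confirming that BAR 0 is at least that large. pci_iomap() maps at most 0x23000 bytes but fewer when the BAR is shorter, so the offset is only safe if the resource length is. A guard after pci_enable_device_mem() such as `if (pci_resource_len(pdev, 0) < 0x23000) goto out_disable;` would make that explicit. The literals 0x222e, 0x23000, 0x2240c and 0x2 would also read better as named constants or with a comment each, since only the commit message explains that bit 1 of that register marks a GPU that was already POSTed.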
@@ -0,0 +1,99 @@ +From: =?UTF-8?q?Stefan=20M=C3=A4tje?= <stefan.maetje@esd.eu> +Date: Fri, 29 Mar 2019 18:07:35 +0100 +Subject: PCI: Work around Pericom PCIe-to-PCI bridge Retrain Link erratum +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 4ec73791a64bab25cabf16a6067ee478692e506d upstream. + +Due to an erratum in some Pericom PCIe-to-PCI bridges in reverse mode +(conventional PCI on primary side, PCIe on downstream side), the Retrain +Link bit needs to be cleared manually to allow the link training to +complete successfully. + +If it is not cleared manually, the link training is continuously restarted +and no devices below the PCI-to-PCIe bridge can be accessed. That means +drivers for devices below the bridge will be loaded but won't work and may +even crash because the driver is only reading 0xffff. + +See the Pericom Errata Sheet PI7C9X111SLB_errata_rev1.2_102711.pdf for +details. Devices known as affected so far are: PI7C9X110, PI7C9X111SL, +PI7C9X130. + +Add a new flag, clear_retrain_link, in struct pci_dev. Quirks for affected +devices set this bit. + +Note that pcie_retrain_link() lives in aspm.c because that's currently the +only place we use it, but this erratum is not specific to ASPM, and we may +retrain links for other reasons in the future. 
+ +Signed-off-by: Stefan Mätje <stefan.maetje@esd.eu> +[bhelgaas: apply regardless of CONFIG_PCIEASPM] +Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> +Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> +[bwh: Backported to 3.16: + - Use dev_info() instead of pci_info() + - Adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/pci/pcie/aspm.c | 9 +++++++++ + drivers/pci/quirks.c | 17 +++++++++++++++++ + include/linux/pci.h | 2 ++ + 3 files changed, 28 insertions(+) + +--- a/drivers/pci/pcie/aspm.c ++++ b/drivers/pci/pcie/aspm.c +@@ -184,6 +184,15 @@ static bool pcie_retrain_link(struct pci + pcie_capability_read_word(parent, PCI_EXP_LNKCTL, ®16); + reg16 |= PCI_EXP_LNKCTL_RL; + pcie_capability_write_word(parent, PCI_EXP_LNKCTL, reg16); ++ if (parent->clear_retrain_link) { ++ /* ++ * Due to an erratum in some devices the Retrain Link bit ++ * needs to be cleared again manually to allow the link ++ * training to succeed. ++ */ ++ reg16 &= ~PCI_EXP_LNKCTL_RL; ++ pcie_capability_write_word(parent, PCI_EXP_LNKCTL, reg16); ++ } + + /* Wait for link training end. Break out after waiting for timeout */ + start_jiffies = jiffies; +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -2047,6 +2047,23 @@ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_IN + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x10f4, quirk_disable_aspm_l0s); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x1508, quirk_disable_aspm_l0s); + ++/* ++ * Some Pericom PCIe-to-PCI bridges in reverse mode need the PCIe Retrain ++ * Link bit cleared after starting the link retrain process to allow this ++ * process to finish. ++ * ++ * Affected devices: PI7C9X110, PI7C9X111SL, PI7C9X130. See also the ++ * Pericom Errata Sheet PI7C9X111SLB_errata_rev1.2_102711.pdf. 
++ */ ++static void quirk_enable_clear_retrain_link(struct pci_dev *dev) ++{ ++ dev->clear_retrain_link = 1; ++ dev_info(&dev->dev, "Enable PCIe Retrain Link quirk\n"); ++} ++DECLARE_PCI_FIXUP_HEADER(0x12d8, 0xe110, quirk_enable_clear_retrain_link); ++DECLARE_PCI_FIXUP_HEADER(0x12d8, 0xe111, quirk_enable_clear_retrain_link); ++DECLARE_PCI_FIXUP_HEADER(0x12d8, 0xe130, quirk_enable_clear_retrain_link); ++ + static void fixup_rev1_53c810(struct pci_dev *dev) + { + /* rev 1 ncr53c810 chips don't set the class at all which means +--- a/include/linux/pci.h ++++ b/include/linux/pci.h +@@ -308,6 +308,8 @@ struct pci_dev { + powered on/off by the + corresponding bridge */ + unsigned int ignore_hotplug:1; /* Ignore hotplug events */ ++ unsigned int clear_retrain_link:1; /* Need to clear Retrain Link ++ bit manually */ + unsigned int d3_delay; /* D3->D0 transition time in ms */ + unsigned int d3cold_delay; /* D3cold->D0 transition time in ms */ + diff --git a/queue-3.16/platform-x86-alienware-wmi-fix-kfree-on-potentially-uninitialized.patch b/queue-3.16/platform-x86-alienware-wmi-fix-kfree-on-potentially-uninitialized.patch new file mode 100644 index 00000000..46ee7547 --- /dev/null +++ b/queue-3.16/platform-x86-alienware-wmi-fix-kfree-on-potentially-uninitialized.patch 
@@ -0,0 +1,58 @@ +From: Colin Ian King <colin.king@canonical.com> +Date: Sat, 30 Mar 2019 00:17:12 +0000 +Subject: platform/x86: alienware-wmi: fix kfree on potentially uninitialized + pointer + +commit 98e2630284ab741804bd0713e932e725466f2f84 upstream. + +Currently the kfree of output.pointer can be potentially freeing +an uninitalized pointer in the case where out_data is NULL. Fix this +by reworking the case where out_data is not-null to perform the +ACPI status check and also the kfree of outpoint.pointer in one block +and hence ensuring the pointer is only freed when it has been used. + +Also replace the if (ptr != NULL) idiom with just if (ptr). + +Fixes: ff0e9f26288d ("platform/x86: alienware-wmi: Correct a memory leak") +Signed-off-by: Colin Ian King <colin.king@canonical.com> +Signed-off-by: Darren Hart (VMware) <dvhart@infradead.org> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/platform/x86/alienware-wmi.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +--- a/drivers/platform/x86/alienware-wmi.c ++++ b/drivers/platform/x86/alienware-wmi.c +@@ -433,23 +433,22 @@ static acpi_status alienware_hdmi_comman + + input.length = (acpi_size) sizeof(*in_args); + input.pointer = in_args; +- if (out_data != NULL) { ++ if (out_data) { + output.length = ACPI_ALLOCATE_BUFFER; + output.pointer = NULL; + status = wmi_evaluate_method(WMAX_CONTROL_GUID, 1, + command, &input, &output); +- } else ++ if (ACPI_SUCCESS(status)) { ++ obj = (union acpi_object *)output.pointer; ++ if (obj && obj->type == ACPI_TYPE_INTEGER) ++ *out_data = (u32)obj->integer.value; ++ } ++ kfree(output.pointer); ++ } else { + status = wmi_evaluate_method(WMAX_CONTROL_GUID, 1, + command, &input, NULL); +- +- if (ACPI_SUCCESS(status) && out_data != NULL) { +- obj = (union acpi_object *)output.pointer; +- if (obj && obj->type == ACPI_TYPE_INTEGER) +- *out_data = (u32) obj->integer.value; + } +- 
kfree(output.pointer); + return status; +- + } + + static ssize_t show_hdmi_cable(struct device *dev, diff --git a/queue-3.16/platform-x86-alienware-wmi-printing-the-wrong-error-code.patch b/queue-3.16/platform-x86-alienware-wmi-printing-the-wrong-error-code.patch new file mode 100644 index 00000000..2bc041d4 --- /dev/null +++ b/queue-3.16/platform-x86-alienware-wmi-printing-the-wrong-error-code.patch @@ -0,0 +1,30 @@ +From: Dan Carpenter <dan.carpenter@oracle.com> +Date: Wed, 24 Apr 2019 12:44:18 +0300 +Subject: platform/x86: alienware-wmi: printing the wrong error code + +commit 6d1f8b3d75419a8659ac916a1e9543bb3513a882 upstream. + +The "out_data" variable is uninitialized at the point. Originally, this +used to print "status" instead and that seems like the correct thing to +print. + +Fixes: bc2ef884320b ("alienware-wmi: For WMAX HDMI method, introduce a way to query HDMI cable status") +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Reviewed-by: Mario Limonciello <mario.limonciello@dell.com> +Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/platform/x86/alienware-wmi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/platform/x86/alienware-wmi.c ++++ b/drivers/platform/x86/alienware-wmi.c +@@ -494,7 +494,7 @@ static ssize_t show_hdmi_source(struct d + return scnprintf(buf, PAGE_SIZE, + "input [gpu] unknown\n"); + } +- pr_err("alienware-wmi: unknown HDMI source status: %d\n", out_data); ++ pr_err("alienware-wmi: unknown HDMI source status: %u\n", status); + return scnprintf(buf, PAGE_SIZE, "input gpu [unknown]\n"); + } + diff --git a/queue-3.16/platform-x86-sony-laptop-fix-unintentional-fall-through.patch b/queue-3.16/platform-x86-sony-laptop-fix-unintentional-fall-through.patch new file mode 100644 index 00000000..1220b0a8 --- /dev/null +++ b/queue-3.16/platform-x86-sony-laptop-fix-unintentional-fall-through.patch 
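Review bot: In the reworked `if (out_data)` branch of alienware_hdmi_command(), `*out_data` is written only when the returned object is a non-NULL ACPI_TYPE_INTEGER, yet `status` still reports success when it is not. A caller that passes an uninitialised variable would then act on an indeterminate value; the callers and the start of this function are outside the hunk, so this should be checked against them. Either clear the output before the call with `*out_data = 0;` or turn the unexpected object into a failure with `else status = AE_ERROR;` after the type check.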
@@ -0,0 +1,48 @@
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Wed, 24 Apr 2019 13:09:34 -0500
+Subject: platform/x86: sony-laptop: Fix unintentional fall-through
+
+commit 1cbd7a64959d33e7a2a1fa2bf36a62b350a9fcbd upstream.
+
+It seems that the default case should return AE_CTRL_TERMINATE, instead
+of falling through to case ACPI_RESOURCE_TYPE_END_TAG and returning AE_OK;
+otherwise the line of code at the end of the function is unreachable and
+makes no sense:
+
+return AE_CTRL_TERMINATE;
+
+This fix is based on the following thread of discussion:
+
+https://lore.kernel.org/patchwork/patch/959782/
+
+Fixes: 33a04454527e ("sony-laptop: Add SNY6001 device handling (sonypi reimplementation)")
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/platform/x86/sony-laptop.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/platform/x86/sony-laptop.c
++++ b/drivers/platform/x86/sony-laptop.c
+@@ -4401,14 +4401,16 @@ sony_pic_read_possible_resource(struct a
+ }
+ return AE_OK;
+ }
++
++ case ACPI_RESOURCE_TYPE_END_TAG:
++ return AE_OK;
++
+ default:
+ dprintk("Resource %d isn't an IRQ nor an IO port\n",
+ resource->type);
++ return AE_CTRL_TERMINATE;
+
+- case ACPI_RESOURCE_TYPE_END_TAG:
+- return AE_OK;
+ }
+- return AE_CTRL_TERMINATE;
+ }
+
+ static int sony_pic_possible_resources(struct acpi_device *device)
diff --git a/queue-3.16/powerpc-83xx-add-missing-of_node_put-after.patch b/queue-3.16/powerpc-83xx-add-missing-of_node_put-after.patch
new file mode 100644
index 00000000..971dea90
--- /dev/null
+++ b/queue-3.16/powerpc-83xx-add-missing-of_node_put-after.patch
@@ -0,0 +1,32 @@
+From: Julia Lawall <Julia.Lawall@lip6.fr>
+Date: Sat, 23 Feb 2019 14:20:34 +0100
+Subject: powerpc/83xx: Add missing of_node_put() after
+ of_device_is_available()
+
+commit 4df2cb633b5b22ba152511f1a55e718efca6c0d9 upstream.
+
+Add an of_node_put() when a tested device node is not available.
+
+Fixes: c026c98739c7e ("powerpc/83xx: Do not configure or probe disabled FSL DR USB controllers")
+Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
+Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/powerpc/platforms/83xx/usb.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/83xx/usb.c
++++ b/arch/powerpc/platforms/83xx/usb.c
+@@ -222,8 +222,10 @@ int mpc837x_usb_cfg(void)
+ int ret = 0;
+
+ np = of_find_compatible_node(NULL, NULL, "fsl-usb2-dr");
+- if (!np || !of_device_is_available(np))
++ if (!np || !of_device_is_available(np)) {
++ of_node_put(np);
+ return -ENODEV;
++ }
+ prop = of_get_property(np, "phy_type", NULL);
+
+ if (!prop || (strcmp(prop, "ulpi") && strcmp(prop, "serial"))) {
diff --git a/queue-3.16/powerpc-booke64-set-ri-in-default-msr.patch b/queue-3.16/powerpc-booke64-set-ri-in-default-msr.patch
new file mode 100644
index 00000000..6570b301
--- /dev/null
+++ b/queue-3.16/powerpc-booke64-set-ri-in-default-msr.patch
@@ -0,0 +1,29 @@
+From: Laurentiu Tudor <laurentiu.tudor@nxp.com>
+Date: Mon, 15 Apr 2019 14:52:11 +0300
+Subject: powerpc/booke64: set RI in default MSR
+
+commit 5266e58d6cd90ac85c187d673093ad9cb649e16d upstream.
+
+Set RI in the default kernel's MSR so that the architected way of
+detecting unrecoverable machine check interrupts has a chance to work.
+This is inline with the MSR setup of the rest of booke powerpc
+architectures configured here.
+
+Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/powerpc/include/asm/reg_booke.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/include/asm/reg_booke.h
++++ b/arch/powerpc/include/asm/reg_booke.h
+@@ -29,7 +29,7 @@
+ #if defined(CONFIG_PPC_BOOK3E_64)
+ #define MSR_64BIT MSR_CM
+
+-#define MSR_ (MSR_ME | MSR_CE)
++#define MSR_ (MSR_ME | MSR_RI | MSR_CE)
+ #define MSR_KERNEL (MSR_ | MSR_64BIT)
+ #define MSR_USER32 (MSR_ | MSR_PR | MSR_EE)
+ #define MSR_USER64 (MSR_USER32 | MSR_64BIT)
diff --git a/queue-3.16/pwm-fix-deadlock-warning-when-removing-pwm-device.patch b/queue-3.16/pwm-fix-deadlock-warning-when-removing-pwm-device.patch
new file mode 100644
index 00000000..11ab1781
--- /dev/null
+++ b/queue-3.16/pwm-fix-deadlock-warning-when-removing-pwm-device.patch
@@ -0,0 +1,265 @@
+From: Phong Hoang <phong.hoang.wz@renesas.com>
+Date: Tue, 19 Mar 2019 19:40:08 +0900
+Subject: pwm: Fix deadlock warning when removing PWM device
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 347ab9480313737c0f1aaa08e8f2e1a791235535 upstream.
+
+This patch fixes deadlock warning if removing PWM device
+when CONFIG_PROVE_LOCKING is enabled.
+
+This issue can be reproceduced by the following steps on
+the R-Car H3 Salvator-X board if the backlight is disabled:
+
+ # cd /sys/class/pwm/pwmchip0
+ # echo 0 > export
+ # ls
+ device export npwm power pwm0 subsystem uevent unexport
+ # cd device/driver
+ # ls
+ bind e6e31000.pwm uevent unbind
+ # echo e6e31000.pwm > unbind
+
+[ 87.659974] ======================================================
+[ 87.666149] WARNING: possible circular locking dependency detected
+[ 87.672327] 5.0.0 #7 Not tainted
+[ 87.675549] ------------------------------------------------------
+[ 87.681723] bash/2986 is trying to acquire lock:
+[ 87.686337] 000000005ea0e178 (kn->count#58){++++}, at: kernfs_remove_by_name_ns+0x50/0xa0
+[ 87.694528]
+[ 87.694528] but task is already holding lock:
+[ 87.700353] 000000006313b17c (pwm_lock){+.+.}, at: pwmchip_remove+0x28/0x13c
+[ 87.707405]
+[ 87.707405] which lock already depends on the new lock.
+[ 87.707405]
+[ 87.715574]
+[ 87.715574] the existing dependency chain (in reverse order) is:
+[ 87.723048]
+[ 87.723048] -> #1 (pwm_lock){+.+.}:
+[ 87.728017] __mutex_lock+0x70/0x7e4
+[ 87.732108] mutex_lock_nested+0x1c/0x24
+[ 87.736547] pwm_request_from_chip.part.6+0x34/0x74
+[ 87.741940] pwm_request_from_chip+0x20/0x40
+[ 87.746725] export_store+0x6c/0x1f4
+[ 87.750820] dev_attr_store+0x18/0x28
+[ 87.754998] sysfs_kf_write+0x54/0x64
+[ 87.759175] kernfs_fop_write+0xe4/0x1e8
+[ 87.763615] __vfs_write+0x40/0x184
+[ 87.767619] vfs_write+0xa8/0x19c
+[ 87.771448] ksys_write+0x58/0xbc
+[ 87.775278] __arm64_sys_write+0x18/0x20
+[ 87.779721] el0_svc_common+0xd0/0x124
+[ 87.783986] el0_svc_compat_handler+0x1c/0x24
+[ 87.788858] el0_svc_compat+0x8/0x18
+[ 87.792947]
+[ 87.792947] -> #0 (kn->count#58){++++}:
+[ 87.798260] lock_acquire+0xc4/0x22c
+[ 87.802353] __kernfs_remove+0x258/0x2c4
+[ 87.806790] kernfs_remove_by_name_ns+0x50/0xa0
+[ 87.811836] remove_files.isra.1+0x38/0x78
+[ 87.816447] sysfs_remove_group+0x48/0x98
+[ 87.820971] sysfs_remove_groups+0x34/0x4c
+[ 87.825583] device_remove_attrs+0x6c/0x7c
+[ 87.830197] device_del+0x11c/0x33c
+[ 87.834201] device_unregister+0x14/0x2c
+[ 87.838638] pwmchip_sysfs_unexport+0x40/0x4c
+[ 87.843509] pwmchip_remove+0xf4/0x13c
+[ 87.847773] rcar_pwm_remove+0x28/0x34
+[ 87.852039] platform_drv_remove+0x24/0x64
+[ 87.856651] device_release_driver_internal+0x18c/0x21c
+[ 87.862391] device_release_driver+0x14/0x1c
+[ 87.867175] unbind_store+0xe0/0x124
+[ 87.871265] drv_attr_store+0x20/0x30
+[ 87.875442] sysfs_kf_write+0x54/0x64
+[ 87.879618] kernfs_fop_write+0xe4/0x1e8
+[ 87.884055] __vfs_write+0x40/0x184
+[ 87.888057] vfs_write+0xa8/0x19c
+[ 87.891887] ksys_write+0x58/0xbc
+[ 87.895716] __arm64_sys_write+0x18/0x20
+[ 87.900154] el0_svc_common+0xd0/0x124
+[ 87.904417] el0_svc_compat_handler+0x1c/0x24
+[ 87.909289] el0_svc_compat+0x8/0x18
+[ 87.913378]
+[ 87.913378] other info that might help us debug this:
+[ 87.913378]
+[
87.921374] Possible unsafe locking scenario:
+[ 87.921374]
+[ 87.927286] CPU0 CPU1
+[ 87.931808] ---- ----
+[ 87.936331] lock(pwm_lock);
+[ 87.939293] lock(kn->count#58);
+[ 87.945120] lock(pwm_lock);
+[ 87.950599] lock(kn->count#58);
+[ 87.953908]
+[ 87.953908] *** DEADLOCK ***
+[ 87.953908]
+[ 87.959821] 4 locks held by bash/2986:
+[ 87.963563] #0: 00000000ace7bc30 (sb_writers#6){.+.+}, at: vfs_write+0x188/0x19c
+[ 87.971044] #1: 00000000287991b2 (&of->mutex){+.+.}, at: kernfs_fop_write+0xb4/0x1e8
+[ 87.978872] #2: 00000000f739d016 (&dev->mutex){....}, at: device_release_driver_internal+0x40/0x21c
+[ 87.988001] #3: 000000006313b17c (pwm_lock){+.+.}, at: pwmchip_remove+0x28/0x13c
+[ 87.995481]
+[ 87.995481] stack backtrace:
+[ 87.999836] CPU: 0 PID: 2986 Comm: bash Not tainted 5.0.0 #7
+[ 88.005489] Hardware name: Renesas Salvator-X board based on r8a7795 ES1.x (DT)
+[ 88.012791] Call trace:
+[ 88.015235] dump_backtrace+0x0/0x190
+[ 88.018891] show_stack+0x14/0x1c
+[ 88.022204] dump_stack+0xb0/0xec
+[ 88.025514] print_circular_bug.isra.32+0x1d0/0x2e0
+[ 88.030385] __lock_acquire+0x1318/0x1864
+[ 88.034388] lock_acquire+0xc4/0x22c
+[ 88.037958] __kernfs_remove+0x258/0x2c4
+[ 88.041874] kernfs_remove_by_name_ns+0x50/0xa0
+[ 88.046398] remove_files.isra.1+0x38/0x78
+[ 88.050487] sysfs_remove_group+0x48/0x98
+[ 88.054490] sysfs_remove_groups+0x34/0x4c
+[ 88.058580] device_remove_attrs+0x6c/0x7c
+[ 88.062671] device_del+0x11c/0x33c
+[ 88.066154] device_unregister+0x14/0x2c
+[ 88.070070] pwmchip_sysfs_unexport+0x40/0x4c
+[ 88.074421] pwmchip_remove+0xf4/0x13c
+[ 88.078163] rcar_pwm_remove+0x28/0x34
+[ 88.081906] platform_drv_remove+0x24/0x64
+[ 88.085996] device_release_driver_internal+0x18c/0x21c
+[ 88.091215] device_release_driver+0x14/0x1c
+[ 88.095478] unbind_store+0xe0/0x124
+[ 88.099048] drv_attr_store+0x20/0x30
+[ 88.102704] sysfs_kf_write+0x54/0x64
+[ 88.106359] kernfs_fop_write+0xe4/0x1e8
+[ 88.110275] __vfs_write+0x40/0x184
+[ 88.113757] vfs_write+0xa8/0x19c
+[ 88.117065] ksys_write+0x58/0xbc
+[ 88.120374] __arm64_sys_write+0x18/0x20
+[ 88.124291] el0_svc_common+0xd0/0x124
+[ 88.128034] el0_svc_compat_handler+0x1c/0x24
+[ 88.132384] el0_svc_compat+0x8/0x18
+
+The sysfs unexport in pwmchip_remove() is completely asymmetric
+to what we do in pwmchip_add_with_polarity() and commit 0733424c9ba9
+("pwm: Unexport children before chip removal") is a strong indication
+that this was wrong to begin with. We should just move
+pwmchip_sysfs_unexport() where it belongs, which is right after
+pwmchip_sysfs_unexport_children(). In that case, we do not need
+separate functions anymore either.
+
+We also really want to remove sysfs irrespective of whether or not
+the chip will be removed as a result of pwmchip_remove(). We can only
+assume that the driver will be gone after that, so we shouldn't leave
+any dangling sysfs files around.
+
+This warning disappears if we move pwmchip_sysfs_unexport() to
+the top of pwmchip_remove(), pwmchip_sysfs_unexport_children().
+That way it is also outside of the pwm_lock section, which indeed
+doesn't seem to be needed.
+
+Moving the pwmchip_sysfs_export() call outside of that section also
+seems fine and it'd be perfectly symmetric with pwmchip_remove() again.
+
+So, this patch fixes them.
+
+Signed-off-by: Phong Hoang <phong.hoang.wz@renesas.com>
+[shimoda: revise the commit log and code]
+Fixes: 76abbdde2d95 ("pwm: Add sysfs interface")
+Fixes: 0733424c9ba9 ("pwm: Unexport children before chip removal")
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Tested-by: Hoan Nguyen An <na-hoan@jinso.co.jp>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
+Reviewed-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/pwm/core.c | 10 +++++-----
+ drivers/pwm/sysfs.c | 14 +-------------
+ include/linux/pwm.h | 5 -----
+ 3 files changed, 6 insertions(+), 23 deletions(-)
+
+--- a/drivers/pwm/core.c
++++ b/drivers/pwm/core.c
+@@ -273,10 +273,12 @@ int pwmchip_add(struct pwm_chip *chip)
+ if (IS_ENABLED(CONFIG_OF))
+ of_pwmchip_add(chip);
+
+- pwmchip_sysfs_export(chip);
+-
+ out:
+ mutex_unlock(&pwm_lock);
++
++ if (!ret)
++ pwmchip_sysfs_export(chip);
++
+ return ret;
+ }
+ EXPORT_SYMBOL_GPL(pwmchip_add);
+@@ -293,7 +295,7 @@ int pwmchip_remove(struct pwm_chip *chip
+ unsigned int i;
+ int ret = 0;
+
+- pwmchip_sysfs_unexport_children(chip);
++ pwmchip_sysfs_unexport(chip);
+
+ mutex_lock(&pwm_lock);
+
+@@ -313,8 +315,6 @@ int pwmchip_remove(struct pwm_chip *chip
+
+ free_pwms(chip);
+
+- pwmchip_sysfs_unexport(chip);
+-
+ out:
+ mutex_unlock(&pwm_lock);
+ return ret;
+--- a/drivers/pwm/sysfs.c
++++ b/drivers/pwm/sysfs.c
+@@ -330,19 +330,6 @@ void pwmchip_sysfs_export(struct pwm_chi
+ void pwmchip_sysfs_unexport(struct pwm_chip *chip)
+ {
+ struct device *parent;
+-
+- parent = class_find_device(&pwm_class, NULL, chip,
+- pwmchip_sysfs_match);
+- if (parent) {
+- /* for class_find_device() */
+- put_device(parent);
+- device_unregister(parent);
+- }
+-}
+-
+-void pwmchip_sysfs_unexport_children(struct pwm_chip *chip)
+-{
+- struct device *parent;
+
unsigned int i;
+
+ parent = class_find_device(&pwm_class, NULL, chip,
+@@ -358,6 +345,7 @@ void pwmchip_sysfs_unexport_children(str
+ }
+
+ put_device(parent);
++ device_unregister(parent);
+ }
+
+ static int __init pwm_sysfs_init(void)
+--- a/include/linux/pwm.h
++++ b/include/linux/pwm.h
+@@ -299,7 +299,6 @@ static inline void pwm_add_table(struct
+ #ifdef CONFIG_PWM_SYSFS
+ void pwmchip_sysfs_export(struct pwm_chip *chip);
+ void pwmchip_sysfs_unexport(struct pwm_chip *chip);
+-void pwmchip_sysfs_unexport_children(struct pwm_chip *chip);
+ #else
+ static inline void pwmchip_sysfs_export(struct pwm_chip *chip)
+ {
+@@ -308,10 +307,6 @@ static inline void pwmchip_sysfs_export(
+ static inline void pwmchip_sysfs_unexport(struct pwm_chip *chip)
+ {
+ }
+-
+-static inline void pwmchip_sysfs_unexport_children(struct pwm_chip *chip)
+-{
+-}
+ #endif /* CONFIG_PWM_SYSFS */
+
+ #endif /* __LINUX_PWM_H */
diff --git a/queue-3.16/pwm-tiehrpwm-update-shadow-register-for-disabling-pwms.patch b/queue-3.16/pwm-tiehrpwm-update-shadow-register-for-disabling-pwms.patch
new file mode 100644
index 00000000..b9f984c2
--- /dev/null
+++ b/queue-3.16/pwm-tiehrpwm-update-shadow-register-for-disabling-pwms.patch
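Review bot: The lock-ordering rule this pwm patch depends on is not written down anywhere in the new code, in pwmchip_add() or in pwmchip_remove(). The sysfs calls now sit outside the `pwm_lock` section only by position, so a later cleanup could move them back and reintroduce the inversion shown in the lockdep trace (export_store() takes `pwm_lock` from a sysfs write, while removal waits on the kernfs node). A comment at the moved call in pwmchip_remove(), such as `/* must run without pwm_lock held: sysfs writes (export_store) take pwm_lock */`, and a matching one at the `if (!ret)` export in pwmchip_add() would record it. Both functions extend beyond the hunks shown.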
@@ -0,0 +1,41 @@
+From: =?UTF-8?q?Christoph=20Vogtl=C3=A4nder?=
+ <c.vogtlaender@sigma-surface-science.com>
+Date: Tue, 12 Mar 2019 14:38:46 +0530
+Subject: pwm: tiehrpwm: Update shadow register for disabling PWMs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit b00ef53053191d3025c15e8041699f8c9d132daf upstream.
+
+It must be made sure that immediate mode is not already set, when
+modifying shadow register value in ehrpwm_pwm_disable(). Otherwise
+modifications to the action-qualifier continuous S/W force
+register(AQSFRC) will be done in the active register.
+This may happen when both channels are being disabled. In this case,
+only the first channel state will be recorded as disabled in the shadow
+register. Later, when enabling the first channel again, the second
+channel would be enabled as well. Setting RLDCSF to zero, first, ensures
+that the shadow register is updated as desired.
+
+Fixes: 38dabd91ff0b ("pwm: tiehrpwm: Fix disabling of output of PWMs")
+Signed-off-by: Christoph Vogtländer <c.vogtlaender@sigma-surface-science.com>
+[vigneshr@ti.com: Improve commit message]
+Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/pwm/pwm-tiehrpwm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/pwm/pwm-tiehrpwm.c
++++ b/drivers/pwm/pwm-tiehrpwm.c
+@@ -379,6 +379,8 @@ static void ehrpwm_pwm_disable(struct pw
+ }
+
+ /* Update shadow register first before modifying active register */
++ ehrpwm_modify(pc->mmio_base, AQSFRC, AQSFRC_RLDCSF_MASK,
++ AQSFRC_RLDCSF_ZRO);
+ ehrpwm_modify(pc->mmio_base, AQCSFRC, aqcsfrc_mask, aqcsfrc_val);
+ /*
+ * Changes to immediate action on Action Qualifier. This puts
diff --git a/queue-3.16/rdma-cxgb4-fix-null-pointer-dereference-on-alloc_skb-failure.patch b/queue-3.16/rdma-cxgb4-fix-null-pointer-dereference-on-alloc_skb-failure.patch
new file mode 100644
index 00000000..31bd13d8
--- /dev/null
+++ b/queue-3.16/rdma-cxgb4-fix-null-pointer-dereference-on-alloc_skb-failure.patch
@@ -0,0 +1,32 @@
+From: Colin Ian King <colin.king@canonical.com>
+Date: Sat, 13 Apr 2019 17:00:26 +0100
+Subject: RDMA/cxgb4: Fix null pointer dereference on alloc_skb failure
+
+commit a6d2a5a92e67d151c98886babdc86d530d27111c upstream.
+
+Currently if alloc_skb fails to allocate the skb a null skb is passed to
+t4_set_arp_err_handler and this ends up dereferencing the null skb. Avoid
+the NULL pointer dereference by checking for a NULL skb and returning
+early.
+
+Addresses-Coverity: ("Dereference null return")
+Fixes: b38a0ad8ec11 ("RDMA/cxgb4: Set arp error handler for PASS_ACCEPT_RPL messages")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Acked-by: Potnuri Bharat Teja <bharat@chelsio.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/infiniband/hw/cxgb4/cm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/infiniband/hw/cxgb4/cm.c
++++ b/drivers/infiniband/hw/cxgb4/cm.c
+@@ -346,6 +346,8 @@ static struct sk_buff *get_skb(struct sk
+ skb_reset_transport_header(skb);
+ } else {
+ skb = alloc_skb(len, gfp);
++ if (!skb)
++ return NULL;
+ }
+ t4_set_arp_err_handler(skb, NULL, NULL);
+ return skb;
diff --git a/queue-3.16/regulator-da9055-fix-notifier-mutex-lock-warning.patch b/queue-3.16/regulator-da9055-fix-notifier-mutex-lock-warning.patch
new file mode 100644
index 00000000..b88df3d2
--- /dev/null
+++ b/queue-3.16/regulator-da9055-fix-notifier-mutex-lock-warning.patch
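Review bot: get_skb() now has an explicit NULL return on the `alloc_skb()` path, but nothing at the function states that contract, and its callers are outside this hunk. Each caller in the 3.16 tree should be checked for a NULL test before the result is used, since the backport moves the failure from inside t4_set_arp_err_handler() to whatever the caller does next. A one-line comment above the function, e.g. `/* Returns NULL if a new skb cannot be allocated; callers must check. */`, would make the requirement visible. The start of get_skb() is above the hunk.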
@@ -0,0 +1,37 @@
+From: Steve Twiss <stwiss.opensource@diasemi.com>
+Date: Tue, 26 Feb 2019 14:59:59 +0000
+Subject: regulator: da9055: Fix notifier mutex lock warning
+
+commit 5e6afb3832bedf420dd8e4c5b32ed85117c5087d upstream.
+
+The mutex for the regulator_dev must be controlled by the caller of
+the regulator_notifier_call_chain(), as described in the comment
+for that function.
+
+Failure to mutex lock and unlock surrounding the notifier call results
+in a kernel WARN_ON_ONCE() which will dump a backtrace for the
+regulator_notifier_call_chain() when that function call is first made.
+The mutex can be controlled using the regulator_lock/unlock() API.
+
+Fixes: f6130be652d0 ("regulator: DA9055 regulator driver")
+Suggested-by: Adam Thomson <Adam.Thomson.Opensource@diasemi.com>
+Signed-off-by: Steve Twiss <stwiss.opensource@diasemi.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/regulator/da9055-regulator.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/regulator/da9055-regulator.c
++++ b/drivers/regulator/da9055-regulator.c
+@@ -515,8 +515,10 @@ static irqreturn_t da9055_ldo5_6_oc_irq(
+ {
+ struct da9055_regulator *regulator = data;
+
++ regulator_lock(regulator->rdev);
+ regulator_notifier_call_chain(regulator->rdev,
+ REGULATOR_EVENT_OVER_CURRENT, NULL);
++ regulator_unlock(regulator->rdev);
+
+ return IRQ_HANDLED;
+ }
diff --git a/queue-3.16/regulator-da9063-fix-notifier-mutex-lock-warning.patch b/queue-3.16/regulator-da9063-fix-notifier-mutex-lock-warning.patch
new file mode 100644
index 00000000..ecb4e4df
--- /dev/null
+++ b/queue-3.16/regulator-da9063-fix-notifier-mutex-lock-warning.patch
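Review bot: The added `regulator_lock(regulator->rdev)` / `regulator_unlock(regulator->rdev)` calls rely on helpers that, as far as I can tell, a 3.16-era regulator core does not provide to drivers, and this patch carries no backport note adapting them. Unless a dependency patch elsewhere in this queue adds them, the driver will not build; the equivalent on a core that still uses a plain mutex would presumably be `mutex_lock(&regulator->rdev->mutex);` and `mutex_unlock(&regulator->rdev->mutex);`, to be confirmed against the 3.16 struct regulator_dev. The same applies to the da9063, lp8755, ltc3589, wm831x-dcdc, wm831x-isink and wm831x-ldo patches that follow. These are interrupt handlers taking a sleeping lock, so it is also worth confirming each is registered as a threaded IRQ; the registration is not visible in any of the hunks.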
@@ -0,0 +1,40 @@
+From: Steve Twiss <stwiss.opensource@diasemi.com>
+Date: Tue, 26 Feb 2019 15:23:02 +0000
+Subject: regulator: da9063: Fix notifier mutex lock warning
+
+commit 29d40b4a5776ec4727c9f0e00a884423dd5e3366 upstream.
+
+The mutex for the regulator_dev must be controlled by the caller of
+the regulator_notifier_call_chain(), as described in the comment
+for that function.
+
+Failure to mutex lock and unlock surrounding the notifier call results
+in a kernel WARN_ON_ONCE() which will dump a backtrace for the
+regulator_notifier_call_chain() when that function call is first made.
+The mutex can be controlled using the regulator_lock/unlock() API.
+
+Fixes: 69ca3e58d178 ("regulator: da9063: Add Dialog DA9063 voltage regulators support.")
+Suggested-by: Adam Thomson <Adam.Thomson.Opensource@diasemi.com>
+Signed-off-by: Steve Twiss <stwiss.opensource@diasemi.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/regulator/da9063-regulator.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/regulator/da9063-regulator.c
++++ b/drivers/regulator/da9063-regulator.c
+@@ -610,9 +610,12 @@ static irqreturn_t da9063_ldo_lim_event(
+ if (regl->info->oc_event.reg != DA9063_REG_STATUS_D)
+ continue;
+
+- if (BIT(regl->info->oc_event.lsb) & bits)
++ if (BIT(regl->info->oc_event.lsb) & bits) {
++ regulator_lock(regl->rdev);
+ regulator_notifier_call_chain(regl->rdev,
+ REGULATOR_EVENT_OVER_CURRENT, NULL);
++ regulator_unlock(regl->rdev);
++ }
+ }
+
+ return IRQ_HANDLED;
diff --git a/queue-3.16/regulator-lp8755-fix-notifier-mutex-lock-warning.patch b/queue-3.16/regulator-lp8755-fix-notifier-mutex-lock-warning.patch
new file mode 100644
index 00000000..0e81b772
--- /dev/null
+++ b/queue-3.16/regulator-lp8755-fix-notifier-mutex-lock-warning.patch
@@ -0,0 +1,68 @@
+From: Steve Twiss <stwiss.opensource@diasemi.com>
+Date: Tue, 26 Feb 2019 15:32:18 +0000
+Subject: regulator: lp8755: Fix notifier mutex lock warning
+
+commit 89b2758c192c35068b07766a6830433bfbdc1f44 upstream.
+
+The mutex for the regulator_dev must be controlled by the caller of
+the regulator_notifier_call_chain(), as described in the comment
+for that function.
+
+Failure to mutex lock and unlock surrounding the notifier call results
+in a kernel WARN_ON_ONCE() which will dump a backtrace for the
+regulator_notifier_call_chain() when that function call is first made.
+The mutex can be controlled using the regulator_lock/unlock() API.
+
+Fixes: b59320cc5a5e ("regulator: lp8755: new driver for LP8755")
+Suggested-by: Adam Thomson <Adam.Thomson.Opensource@diasemi.com>
+Signed-off-by: Steve Twiss <stwiss.opensource@diasemi.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/regulator/lp8755.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/drivers/regulator/lp8755.c
++++ b/drivers/regulator/lp8755.c
+@@ -376,10 +376,13 @@ static irqreturn_t lp8755_irq_handler(in
+ for (icnt = 0; icnt < LP8755_BUCK_MAX; icnt++)
+ if ((flag0 & (0x4 << icnt))
+ && (pchip->irqmask & (0x04 << icnt))
+- && (pchip->rdev[icnt] != NULL))
++ && (pchip->rdev[icnt] != NULL)) {
++ regulator_lock(pchip->rdev[icnt]);
+ regulator_notifier_call_chain(pchip->rdev[icnt],
+ LP8755_EVENT_PWR_FAULT,
+ NULL);
++ regulator_unlock(pchip->rdev[icnt]);
++ }
+
+ /* read flag1 register */
+ ret = lp8755_read(pchip, 0x0E, &flag1);
+@@ -393,18 +396,24 @@ static irqreturn_t lp8755_irq_handler(in
+ /* send OCP event to all regualtor devices */
+ if ((flag1 & 0x01) && (pchip->irqmask & 0x01))
+ for (icnt = 0; icnt < LP8755_BUCK_MAX; icnt++)
+- if (pchip->rdev[icnt] != NULL)
++ if (pchip->rdev[icnt] != NULL) {
++ regulator_lock(pchip->rdev[icnt]);
+ regulator_notifier_call_chain(pchip->rdev[icnt],
+
LP8755_EVENT_OCP,
+ NULL);
++ regulator_unlock(pchip->rdev[icnt]);
++ }
+
+ /* send OVP event to all regualtor devices */
+ if ((flag1 & 0x02) && (pchip->irqmask & 0x02))
+ for (icnt = 0; icnt < LP8755_BUCK_MAX; icnt++)
+- if (pchip->rdev[icnt] != NULL)
++ if (pchip->rdev[icnt] != NULL) {
++ regulator_lock(pchip->rdev[icnt]);
+ regulator_notifier_call_chain(pchip->rdev[icnt],
+ LP8755_EVENT_OVP,
+ NULL);
++ regulator_unlock(pchip->rdev[icnt]);
++ }
+ return IRQ_HANDLED;
+
+ err_i2c:
diff --git a/queue-3.16/regulator-ltc3589-fix-notifier-mutex-lock-warning.patch b/queue-3.16/regulator-ltc3589-fix-notifier-mutex-lock-warning.patch
new file mode 100644
index 00000000..02a19af7
--- /dev/null
+++ b/queue-3.16/regulator-ltc3589-fix-notifier-mutex-lock-warning.patch
@@ -0,0 +1,51 @@
+From: Steve Twiss <stwiss.opensource@diasemi.com>
+Date: Tue, 26 Feb 2019 15:35:35 +0000
+Subject: regulator: ltc3589: Fix notifier mutex lock warning
+
+commit f132da2534ec6599c78c4adcef15340cff2e9dd9 upstream.
+
+The mutex for the regulator_dev must be controlled by the caller of
+the regulator_notifier_call_chain(), as described in the comment
+for that function.
+
+Failure to mutex lock and unlock surrounding the notifier call results
+in a kernel WARN_ON_ONCE() which will dump a backtrace for the
+regulator_notifier_call_chain() when that function call is first made.
+The mutex can be controlled using the regulator_lock/unlock() API.
+
+Fixes: 3eb2c7ecb7ea ("regulator: Add LTC3589 support")
+Suggested-by: Adam Thomson <Adam.Thomson.Opensource@diasemi.com>
+Signed-off-by: Steve Twiss <stwiss.opensource@diasemi.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/regulator/ltc3589.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/regulator/ltc3589.c
++++ b/drivers/regulator/ltc3589.c
+@@ -417,16 +417,22 @@ static irqreturn_t ltc3589_isr(int irq,
+
+ if (irqstat & LTC3589_IRQSTAT_THERMAL_WARN) {
+ event = REGULATOR_EVENT_OVER_TEMP;
+- for (i = 0; i < LTC3589_NUM_REGULATORS; i++)
++ for (i = 0; i < LTC3589_NUM_REGULATORS; i++) {
++ regulator_lock(ltc3589->regulators[i]);
+ regulator_notifier_call_chain(ltc3589->regulators[i],
+ event, NULL);
++ regulator_unlock(ltc3589->regulators[i]);
++ }
+ }
+
+ if (irqstat & LTC3589_IRQSTAT_UNDERVOLT_WARN) {
+ event = REGULATOR_EVENT_UNDER_VOLTAGE;
+- for (i = 0; i < LTC3589_NUM_REGULATORS; i++)
++ for (i = 0; i < LTC3589_NUM_REGULATORS; i++) {
++ regulator_lock(ltc3589->regulators[i]);
+ regulator_notifier_call_chain(ltc3589->regulators[i],
+ event, NULL);
++ regulator_unlock(ltc3589->regulators[i]);
++ }
+ }
+
+ /* Clear warning condition */
diff --git a/queue-3.16/regulator-wm831x-fix-notifier-mutex-lock-warning.patch b/queue-3.16/regulator-wm831x-fix-notifier-mutex-lock-warning.patch
new file mode 100644
index 00000000..5909d255
--- /dev/null
+++ b/queue-3.16/regulator-wm831x-fix-notifier-mutex-lock-warning.patch
@@ -0,0 +1,51 @@
+From: Steve Twiss <stwiss.opensource@diasemi.com>
+Date: Tue, 26 Feb 2019 15:48:46 +0000
+Subject: regulator: wm831x: Fix notifier mutex lock warning
+
+commit 119c4f5085c45b60cb23c5595e45d06135b89518 upstream.
+
+The mutex for the regulator_dev must be controlled by the caller of
+the regulator_notifier_call_chain(), as described in the comment
+for that function.
+
+Failure to mutex lock and unlock surrounding the notifier call results
+in a kernel WARN_ON_ONCE() which will dump a backtrace for the
+regulator_notifier_call_chain() when that function call is first made.
+The mutex can be controlled using the regulator_lock/unlock() API.
+
+Fixes: e4ee831f949a ("regulator: Add WM831x DC-DC buck convertor support")
+Suggested-by: Adam Thomson <Adam.Thomson.Opensource@diasemi.com>
+Signed-off-by: Steve Twiss <stwiss.opensource@diasemi.com>
+Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/regulator/wm831x-dcdc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/regulator/wm831x-dcdc.c
++++ b/drivers/regulator/wm831x-dcdc.c
+@@ -183,9 +183,11 @@ static irqreturn_t wm831x_dcdc_uv_irq(in
+ {
+ struct wm831x_dcdc *dcdc = data;
+
++ regulator_lock(dcdc->regulator);
+ regulator_notifier_call_chain(dcdc->regulator,
+ REGULATOR_EVENT_UNDER_VOLTAGE,
+ NULL);
++ regulator_unlock(dcdc->regulator);
+
+ return IRQ_HANDLED;
+ }
+@@ -194,9 +196,11 @@ static irqreturn_t wm831x_dcdc_oc_irq(in
+ {
+ struct wm831x_dcdc *dcdc = data;
+
++ regulator_lock(dcdc->regulator);
+ regulator_notifier_call_chain(dcdc->regulator,
+ REGULATOR_EVENT_OVER_CURRENT,
+ NULL);
++ regulator_unlock(dcdc->regulator);
+
+ return IRQ_HANDLED;
+ }
diff --git a/queue-3.16/regulator-wm831x-isink-fix-notifier-mutex-lock-warning.patch b/queue-3.16/regulator-wm831x-isink-fix-notifier-mutex-lock-warning.patch
new file mode 100644
index 00000000..f2fb04d3
--- /dev/null
+++ b/queue-3.16/regulator-wm831x-isink-fix-notifier-mutex-lock-warning.patch
@@ -0,0 +1,39 @@
+From: Steve Twiss <stwiss.opensource@diasemi.com>
+Date: Tue, 26 Feb 2019 15:51:28 +0000
+Subject: regulator: wm831x isink: Fix notifier mutex lock warning
+
+commit f7a621728a6a23bfd2c6ac4d3e42e1303aefde0f upstream.
+
+The mutex for the regulator_dev must be controlled by the caller of
+the regulator_notifier_call_chain(), as described in the comment
+for that function.
+
+Failure to mutex lock and unlock surrounding the notifier call results
+in a kernel WARN_ON_ONCE() which will dump a backtrace for the
+regulator_notifier_call_chain() when that function call is first made.
+The mutex can be controlled using the regulator_lock/unlock() API.
+
+Fixes: d4d6b722e780 ("regulator: Add WM831x ISINK support")
+Suggested-by: Adam Thomson <Adam.Thomson.Opensource@diasemi.com>
+Signed-off-by: Steve Twiss <stwiss.opensource@diasemi.com>
+Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/regulator/wm831x-isink.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/regulator/wm831x-isink.c
++++ b/drivers/regulator/wm831x-isink.c
+@@ -140,9 +140,11 @@ static irqreturn_t wm831x_isink_irq(int
+ {
+ struct wm831x_isink *isink = data;
+
++ regulator_lock(isink->regulator);
+ regulator_notifier_call_chain(isink->regulator,
+ REGULATOR_EVENT_OVER_CURRENT,
+ NULL);
++ regulator_unlock(isink->regulator);
+
+ return IRQ_HANDLED;
+ }
diff --git a/queue-3.16/regulator-wm831x-ldo-fix-notifier-mutex-lock-warning.patch b/queue-3.16/regulator-wm831x-ldo-fix-notifier-mutex-lock-warning.patch
new file mode 100644
index 00000000..2f29b0b8
--- /dev/null
+++ b/queue-3.16/regulator-wm831x-ldo-fix-notifier-mutex-lock-warning.patch
@@ -0,0 +1,39 @@
+From: Steve Twiss <stwiss.opensource@diasemi.com>
+Date: Tue, 26 Feb 2019 15:54:01 +0000
+Subject: regulator: wm831x ldo: Fix notifier mutex lock warning
+
+commit 8be64b6d87bd47d81753b60ddafe70102ebfd76b upstream.
+
+The mutex for the regulator_dev must be controlled by the caller of
+the regulator_notifier_call_chain(), as described in the comment
+for that function.
+
+Failure to mutex lock and unlock surrounding the notifier call results
+in a kernel WARN_ON_ONCE() which will dump a backtrace for the
+regulator_notifier_call_chain() when that function call is first made.
+The mutex can be controlled using the regulator_lock/unlock() API.
+
+Fixes: d1c6b4fe668b ("regulator: Add WM831x LDO support")
+Suggested-by: Adam Thomson <Adam.Thomson.Opensource@diasemi.com>
+Signed-off-by: Steve Twiss <stwiss.opensource@diasemi.com>
+Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/regulator/wm831x-ldo.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/regulator/wm831x-ldo.c
++++ b/drivers/regulator/wm831x-ldo.c
+@@ -51,9 +51,11 @@ static irqreturn_t wm831x_ldo_uv_irq(int
+ {
+ struct wm831x_ldo *ldo = data;
+
++ regulator_lock(ldo->regulator);
+ regulator_notifier_call_chain(ldo->regulator,
+ REGULATOR_EVENT_UNDER_VOLTAGE,
+ NULL);
++ regulator_unlock(ldo->regulator);
+
+ return IRQ_HANDLED;
+ }
diff --git a/queue-3.16/rtc-don-t-reference-bogus-function-pointer-in-kdoc.patch b/queue-3.16/rtc-don-t-reference-bogus-function-pointer-in-kdoc.patch
new file mode 100644
index 00000000..ba3b8744
--- /dev/null
+++ b/queue-3.16/rtc-don-t-reference-bogus-function-pointer-in-kdoc.patch
@@ -0,0 +1,33 @@
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Date: Wed, 3 Apr 2019 17:19:52 +0200
+Subject: rtc: don't reference bogus function pointer in kdoc
+
+commit c48cadf5bf4becefcd0751b97995d2350aa9bb57 upstream.
+
+The mentioned function pointer is long gone since early 2011. Remove the
+reference in the comment and reword it slightly.
+
+Fixes: 51ba60c5bb3b ("RTC: Cleanup rtc_class_ops->update_irq_enable()")
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/rtc/interface.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/rtc/interface.c
++++ b/drivers/rtc/interface.c
+@@ -492,10 +492,9 @@ out:
+ mutex_unlock(&rtc->ops_lock);
+ #ifdef CONFIG_RTC_INTF_DEV_UIE_EMUL
+ /*
+- * Enable emulation if the driver did not provide
+- * the update_irq_enable function pointer or if returned
+- * -EINVAL to signal that it has been configured without
+- * interrupts or that are not available at the moment.
++ * Enable emulation if the driver returned -EINVAL to signal that it has
++ * been configured without interrupts or they are not available at the
++ * moment.
+ */
+ if (err == -EINVAL)
+ err = rtc_dev_update_irq_enable_emul(rtc, enabled);
diff --git a/queue-3.16/scsi-qla2xxx-fix-incorrect-region-size-setting-in-optrom-sysfs.patch b/queue-3.16/scsi-qla2xxx-fix-incorrect-region-size-setting-in-optrom-sysfs.patch
new file mode 100644
index 00000000..01d9e7c6
--- /dev/null
+++ b/queue-3.16/scsi-qla2xxx-fix-incorrect-region-size-setting-in-optrom-sysfs.patch
@@ -0,0 +1,41 @@
+From: Andrew Vasquez <andrewv@marvell.com>
+Date: Tue, 2 Apr 2019 14:24:25 -0700
+Subject: scsi: qla2xxx: Fix incorrect region-size setting in optrom SYSFS
+ routines
+
+commit 5cbdae10bf11f96e30b4d14de7b08c8b490e903c upstream.
+
+Commit e6f77540c067 ("scsi: qla2xxx: Fix an integer overflow in sysfs
+code") incorrectly set 'optrom_region_size' to 'start+size', which can
+overflow option-rom boundaries when 'start' is non-zero. Continue setting
+optrom_region_size to the proper adjusted value of 'size'.
+
+Fixes: e6f77540c067 ("scsi: qla2xxx: Fix an integer overflow in sysfs code")
+Signed-off-by: Andrew Vasquez <andrewv@marvell.com>
+Signed-off-by: Himanshu Madhani <hmadhani@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/scsi/qla2xxx/qla_attr.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_attr.c
++++ b/drivers/scsi/qla2xxx/qla_attr.c
+@@ -423,7 +423,7 @@ qla2x00_sysfs_write_optrom_ctl(struct fi
+ }
+
+ ha->optrom_region_start = start;
+- ha->optrom_region_size = start + size;
++ ha->optrom_region_size = size;
+
+ ha->optrom_state = QLA_SREADING;
+ ha->optrom_buffer = vmalloc(ha->optrom_region_size);
+@@ -495,7 +495,7 @@ qla2x00_sysfs_write_optrom_ctl(struct fi
+ }
+
+ ha->optrom_region_start = start;
+- ha->optrom_region_size = start + size;
++ ha->optrom_region_size = size;
+
+ ha->optrom_state = QLA_SWRITING;
+ ha->optrom_buffer = vmalloc(ha->optrom_region_size);
diff --git a/queue-3.16/scsi-qla2xxx-unregister-chrdev-if-module-initialization-fails.patch b/queue-3.16/scsi-qla2xxx-unregister-chrdev-if-module-initialization-fails.patch
new file mode 100644
index 00000000..b0d52dbf
--- /dev/null
+++ b/queue-3.16/scsi-qla2xxx-unregister-chrdev-if-module-initialization-fails.patch
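Review bot: Both `ha->optrom_region_size = size;` assignments now size the `vmalloc()` buffer from `size` alone, and neither hunk shows where `size` is bounded against the end of the option ROM for a non-zero `start`. The commit message calls it "the proper adjusted value", so the clamp is presumably above the hunks, outside this view. Because the earlier fix got this exact line wrong, a comment at both sites would help, e.g. `/* size was clamped above: start + size stays inside the option ROM */`. qla2x00_sysfs_write_optrom_ctl() starts and ends outside both hunks.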
@@ -0,0 +1,92 @@
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Thu, 4 Apr 2019 12:44:46 -0700
+Subject: scsi: qla2xxx: Unregister chrdev if module initialization fails
+
+commit c794d24ec9eb6658909955772e70f34bef5b5b91 upstream.
+
+If module initialization fails after the character device has been
+registered, unregister the character device. Additionally, avoid
+duplicating error path code.
+
+Cc: Himanshu Madhani <hmadhani@marvell.com>
+Cc: Giridhar Malavali <giridhar.malavali@qlogic.com>
+Fixes: 6a03b4cd78f3 ("[SCSI] qla2xxx: Add char device to increase driver use count") # v2.6.35.
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/scsi/qla2xxx/qla_os.c | 34 +++++++++++++++++++++-------------
+ 1 file changed, 21 insertions(+), 13 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -5775,8 +5775,7 @@ qla2x00_module_init(void)
+ /* Initialize target kmem_cache and mem_pools */
+ ret = qlt_init();
+ if (ret < 0) {
+- kmem_cache_destroy(srb_cachep);
+- return ret;
++ goto destroy_cache;
+ } else if (ret > 0) {
+ /*
+ * If initiator mode is explictly disabled by qlt_init(),
+@@ -5795,11 +5794,10 @@ qla2x00_module_init(void)
+ qla2xxx_transport_template =
+ fc_attach_transport(&qla2xxx_transport_functions);
+ if (!qla2xxx_transport_template) {
+- kmem_cache_destroy(srb_cachep);
+ ql_log(ql_log_fatal, NULL, 0x0002,
+ "fc_attach_transport failed...Failing load!.\n");
+- qlt_exit();
+- return -ENODEV;
++ ret = -ENODEV;
++ goto qlt_exit;
+ }
+
+ apidev_major = register_chrdev(0, QLA2XXX_APIDEV, &apidev_fops);
+@@ -5811,27 +5809,37 @@ qla2x00_module_init(void)
+ qla2xxx_transport_vport_template =
+ fc_attach_transport(&qla2xxx_transport_vport_functions);
+ if (!qla2xxx_transport_vport_template) {
+- kmem_cache_destroy(srb_cachep);
+- qlt_exit();
+- fc_release_transport(qla2xxx_transport_template);
+ ql_log(ql_log_fatal, NULL, 0x0004,
+ "fc_attach_transport vport failed...Failing load!.\n");
+- return -ENODEV;
++ ret = -ENODEV;
++ goto unreg_chrdev;
+ }
+ ql_log(ql_log_info, NULL, 0x0005,
+ "QLogic Fibre Channel HBA Driver: %s.\n",
+ qla2x00_version_str);
+ ret = pci_register_driver(&qla2xxx_pci_driver);
+ if (ret) {
+- kmem_cache_destroy(srb_cachep);
+- qlt_exit();
+- fc_release_transport(qla2xxx_transport_template);
+- fc_release_transport(qla2xxx_transport_vport_template);
+ ql_log(ql_log_fatal, NULL, 0x0006,
+ "pci_register_driver failed...ret=%d Failing load!.\n",
+ ret);
++ goto release_vport_transport;
+ }
+ return ret;
++
++release_vport_transport:
++ fc_release_transport(qla2xxx_transport_vport_template);
++
++unreg_chrdev:
++ if (apidev_major >= 0)
++ unregister_chrdev(apidev_major, QLA2XXX_APIDEV);
++ fc_release_transport(qla2xxx_transport_template);
++
++qlt_exit:
++ qlt_exit();
++
++destroy_cache:
++ kmem_cache_destroy(srb_cachep);
++ return ret;
+ }
+
+ /**
diff --git a/queue-3.16/scsi-qla4xxx-avoid-freeing-unallocated-dma-memory.patch b/queue-3.16/scsi-qla4xxx-avoid-freeing-unallocated-dma-memory.patch
new file mode 100644
index 00000000..d72ed5b3
--- /dev/null
+++ b/queue-3.16/scsi-qla4xxx-avoid-freeing-unallocated-dma-memory.patch
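Review bot: The new cleanup label `qlt_exit:` has the same name as the function it calls, so `goto qlt_exit;` and `qlt_exit();` sit a few lines apart and mean different things. C keeps labels in their own namespace, so this compiles, but it reads badly and greps badly on an error path that must unwind in exact reverse order. A label named for what it undoes, e.g. `goto undo_qlt_init;` with `undo_qlt_init:` above the `qlt_exit();` call, would match `destroy_cache:` and `unreg_chrdev:`. qla2x00_module_init() starts outside the first hunk.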
@@ -0,0 +1,46 @@
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 22 Mar 2019 15:25:03 +0100
+Subject: scsi: qla4xxx: avoid freeing unallocated dma memory
+
+commit 608f729c31d4caf52216ea00d20092a80959256d upstream.
+
+Clang -Wuninitialized notices that on is_qla40XX we never allocate any DMA
+memory in get_fw_boot_info() but attempt to free it anyway:
+
+drivers/scsi/qla4xxx/ql4_os.c:5915:7: error: variable 'buf_dma' is used uninitialized whenever 'if' condition is false
+ [-Werror,-Wsometimes-uninitialized]
+ if (!(val & 0x07)) {
+ ^~~~~~~~~~~~~
+drivers/scsi/qla4xxx/ql4_os.c:5985:47: note: uninitialized use occurs here
+ dma_free_coherent(&ha->pdev->dev, size, buf, buf_dma);
+ ^~~~~~~
+drivers/scsi/qla4xxx/ql4_os.c:5915:3: note: remove the 'if' if its condition is always true
+ if (!(val & 0x07)) {
+ ^~~~~~~~~~~~~~~~~~~
+drivers/scsi/qla4xxx/ql4_os.c:5885:20: note: initialize the variable 'buf_dma' to silence this warning
+ dma_addr_t buf_dma;
+ ^
+ = 0
+
+Skip the call to dma_free_coherent() here.
+
+Fixes: 2a991c215978 ("[SCSI] qla4xxx: Boot from SAN support for open-iscsi")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/scsi/qla4xxx/ql4_os.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla4xxx/ql4_os.c
++++ b/drivers/scsi/qla4xxx/ql4_os.c
+@@ -5923,7 +5923,7 @@ static int get_fw_boot_info(struct scsi_
+ val = rd_nvram_byte(ha, sec_addr);
+ if (val & BIT_7)
+ ddb_index[1] = (val & 0x7f);
+-
++ goto exit_boot_info;
+ } else if (is_qla80XX(ha)) {
+ buf = dma_alloc_coherent(&ha->pdev->dev, size,
+ &buf_dma, GFP_KERNEL);
diff --git a/queue-3.16/selftests-ipc-fix-msgque-compiler-warnings.patch b/queue-3.16/selftests-ipc-fix-msgque-compiler-warnings.patch
new file mode 100644
index 00000000..333f5b9e
--- /dev/null
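Review bot: The added `goto exit_boot_info;` has no comment, and the reason for it is only in the commit message: the is_qla40XX path never allocates a DMA buffer, so it must not reach the `dma_free_coherent()` cleanup. A one-line comment above it, e.g. `/* nothing was DMA-allocated on this path; skip the free */`, would keep that visible next to the code. The `exit_boot_info` label and the `dma_free_coherent()` call are outside the hunk and the patch has no 3.16 adjustment note, so confirm that the label sits after the free in the 3.16 source. get_fw_boot_info() starts and ends outside the hunk.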
+++ b/queue-3.16/selftests-ipc-fix-msgque-compiler-warnings.patch 
@@ -0,0 +1,68 @@
+From: Kees Cook <keescook@chromium.org>
+Date: Mon, 8 Apr 2019 10:13:44 -0700
+Subject: selftests/ipc: Fix msgque compiler warnings
+
+commit a147faa96f832f76e772b1e448e94ea84c774081 upstream.
+
+This fixes the various compiler warnings when building the msgque
+selftest. The primary change is using sys/msg.h instead of linux/msg.h
+directly to gain the API declarations.
+
+Fixes: 3a665531a3b7 ("selftests: IPC message queue copy feature test")
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ tools/testing/selftests/ipc/msgque.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/tools/testing/selftests/ipc/msgque.c
++++ b/tools/testing/selftests/ipc/msgque.c
+@@ -1,8 +1,9 @@
++#define _GNU_SOURCE
+ #include <stdlib.h>
+ #include <stdio.h>
+ #include <string.h>
+ #include <errno.h>
+-#include <linux/msg.h>
++#include <sys/msg.h>
+ #include <fcntl.h>
+
+ #define MAX_MSG_SIZE 32
+@@ -70,7 +71,7 @@ int restore_queue(struct msgque_data *ms
+ return 0;
+
+ destroy:
+- if (msgctl(id, IPC_RMID, 0))
++ if (msgctl(id, IPC_RMID, NULL))
+ printf("Failed to destroy queue: %d\n", -errno);
+ return ret;
+ }
+@@ -117,7 +118,7 @@ int check_and_destroy_queue(struct msgqu
+
+ ret = 0;
+ err:
+- if (msgctl(msgque->msq_id, IPC_RMID, 0)) {
++ if (msgctl(msgque->msq_id, IPC_RMID, NULL)) {
+ printf("Failed to destroy queue: %d\n", -errno);
+ return -errno;
+ }
+@@ -126,7 +127,7 @@ err:
+
+ int dump_queue(struct msgque_data *msgque)
+ {
+- struct msqid64_ds ds;
++ struct msqid_ds ds;
+ int kern_id;
+ int i, ret;
+
+@@ -243,7 +244,7 @@ int main(int argc, char **argv)
+ return 0;
+
+ err_destroy:
+- if (msgctl(msgque.msq_id, IPC_RMID, 0)) {
++ if (msgctl(msgque.msq_id, IPC_RMID, NULL)) {
+ printf("Failed to destroy queue: %d\n", -errno);
+ return -errno;
+ }
diff --git a/queue-3.16/series b/queue-3.16/series
new file mode 100644
index 00000000..95f394df
--- /dev/null
+++ b/queue-3.16/series
@@ -0,0 +1,113 @@
+regulator-da9055-fix-notifier-mutex-lock-warning.patch
+regulator-wm831x-fix-notifier-mutex-lock-warning.patch
+regulator-da9063-fix-notifier-mutex-lock-warning.patch
+regulator-lp8755-fix-notifier-mutex-lock-warning.patch
+regulator-ltc3589-fix-notifier-mutex-lock-warning.patch
+regulator-wm831x-isink-fix-notifier-mutex-lock-warning.patch
+regulator-wm831x-ldo-fix-notifier-mutex-lock-warning.patch
+spi-rspi-fix-register-initialization-while-runtime-suspended.patch
+spi-rspi-fix-sequencer-reset-during-initialization.patch
+media-ivtv-update-pos-correctly-in-ivtv_read_pos.patch
+media-cx18-update-pos-correctly-in-cx18_read_pos.patch
+arm-dts-exynos-fix-interrupt-for-shared-eints-on-exynos5260.patch
+media-wl128x-fix-an-error-code-in-fm_download_firmware.patch
+pwm-fix-deadlock-warning-when-removing-pwm-device.patch
+pwm-tiehrpwm-update-shadow-register-for-disabling-pwms.patch
+m68k-mac-fix-via-timer-counter-accesses.patch
+scsi-qla4xxx-avoid-freeing-unallocated-dma-memory.patch
+arm-omap2-fix-potentially-uninitialized-return-value-for.patch
+tty-vt-fix-write-write-race-in-ioctl-kdskbsent-handler.patch
+media-davinci-isif-avoid-uninitialized-variable-use.patch
+media-wl128x-prevent-two-potential-buffer-overflows.patch
+kobject-don-t-trigger-kobject_uevent-kobj_remove-twice.patch
+cxgb3-l2t-fix-undefined-behaviour.patch
+drm-fb-helper-dpms_legacy-only-set-on-connectors-in-use.patch
+scsi-qla2xxx-fix-incorrect-region-size-setting-in-optrom-sysfs.patch
+rtc-don-t-reference-bogus-function-pointer-in-kdoc.patch
+ehea-fix-a-copy-paste-err-in-ehea_init_port_res.patch
+pci-factor-out-pcie_retrain_link-function.patch
+pci-work-around-pericom-pcie-to-pci-bridge-retrain-link-erratum.patch
+jbd2-check-superblock-mapped-prior-to-committing.patch
+crypto-crct10dif-generic-fix-use-via-crypto_shash_digest.patch
+crypto-x86-crct10dif-pcl-fix-use-via-crypto_shash_digest.patch
+scsi-qla2xxx-unregister-chrdev-if-module-initialization-fails.patch
+arm64-compat-reduce-address-limit.patch
+arm-pxa-ssp-fix-warning-invalid-free-of-devm_-allocated-data.patch
+hwmon-f71805f-use-request_muxed_region-for-super-io-accesses.patch
+hwmon-pc87427-use-request_muxed_region-for-super-io-accesses.patch
+hwmon-smsc47b397-use-request_muxed_region-for-super-io-accesses.patch
+hwmon-smsc47m1-use-request_muxed_region-for-super-io-accesses.patch
+hwmon-w83627hf-use-request_muxed_region-for-super-io-accesses.patch
+hwmon-vt1211-use-request_muxed_region-for-super-io-accesses.patch
+rdma-cxgb4-fix-null-pointer-dereference-on-alloc_skb-failure.patch
+platform-x86-alienware-wmi-fix-kfree-on-potentially-uninitialized.patch
+crypto-salsa20-don-t-access-already-freed-walk.iv.patch
+crypto-arm-aes-neonbs-don-t-access-already-freed-walk.iv.patch
+selftests-ipc-fix-msgque-compiler-warnings.patch
+powerpc-83xx-add-missing-of_node_put-after.patch
+media-ov6650-fix-sensor-possibly-not-detected-on-probe.patch
+media-pvrusb2-prevent-a-buffer-overflow.patch
+pci-mark-atheros-ar9462-to-avoid-bus-reset.patch
+smpboot-place-the-__percpu-annotation-correctly.patch
+x86-uaccess-dont-leak-the-ac-flag-into-__put_user-argument.patch
+alsa-usb-audio-handle-the-error-from.patch
+fuse-fix-writepages-on-32bit.patch
+fuse-honor-rlimit_fsize-in-fuse_file_fallocate.patch
+fuse-fallocate-fix-return-with-locked-inode.patch
+bcache-fix-memory-corruption-in-init-error-path.patch
+bcache-fix-a-race-between-cache-register-and-cacheset-unregister.patch
+bcache-never-set-key_ptrs-of-journal-key-to-0-in-journal_reclaim.patch
+tty-serial_core-add-install.patch
+pci-reset-lenovo-thinkpad-p50-nvgpu-at-boot-if-necessary.patch
+bluetooth-align-minimum-encryption-key-size-for-le-and-br-edr.patch
+bluetooth-fix-regression-with-minimum-encryption-key-size-alignment.patch
+bluetooth-fix-faulty-expression-for-minimum-encryption-key-size.patch
+clk-tegra-fix-pllm-programming-on-tegra124-when-pmc-overrides.patch
+at76c50x-usb-don-t-register-led_trigger-if-usb_register_driver.patch
+mwl8k-fix-rate_idx-underflow.patch
+p54-drop-device-reference-count-if-fails-to-enable-device.patch
+ext4-actually-request-zeroing-of-inode-table-after-grow.patch
+usb-serial-fix-initial-termios-handling.patch
+alsa-hda-realtek-eapd-turn-on-later.patch
+alsa-hda-realtek-fix-overridden-device-specific-initialization.patch
+alsa-usb-audio-fix-a-memory-leak-bug.patch
+cdc-acm-fix-race-between-callback-and-unthrottle.patch
+cdc-acm-store-in-and-out-pipes-in-acm-structure.patch
+cdc-acm-handle-read-pipe-errors.patch
+usb-cdc-acm-fix-race-during-wakeup-blocking-tx-traffic.patch
+usb-cdc-acm-fix-unthrottle-races.patch
+arm64-use-syscall_define6-for-mmap.patch
+arm64-mmap-ensure-file-offset-is-treated-as-unsigned.patch
+usb-serial-use-variable-for-status.patch
+usb-serial-fix-unthrottle-races.patch
+uas-fix-alignment-of-scatter-gather-segments.patch
+of-fix-clang-wunsequenced-for-be32_to_cpu.patch
+asoc-fsl_esai-fix-missing-break-in-switch-statement.patch
+powerpc-booke64-set-ri-in-default-msr.patch
+iommu-vt-d-set-intel_iommu_gfx_mapped-correctly.patch
+net-ucc_geth-fix-oops-when-changing-number-of-buffers-in-the-ring.patch
+parisc-rename-level-to-pa_asm_level-to-avoid-name-clash-with-drbd.patch
+alsa-hda-hdmi-read-the-pin-sense-from-register-when-repolling.patch
+asoc-max98090-fix-restore-of-dapm-muxes.patch
+ceph-flush-dirty-inodes-before-proceeding-with-remount.patch
+cifs-fix-strcat-buffer-overflow-and-reduce-raciness-in.patch
+tracing-fix-partial-reading-of-trace-event-s-id-file.patch
+ipv4-fix-raw-socket-lookup-for-local-traffic.patch
+ipv4-use-return-value-of-inet_iif-for-__raw_v4_lookup-in-the-while.patch
+media-omap_vout-potential-buffer-overflow-in-vidioc_dqbuf.patch
+media-davinci-vpbe-array-underflow-in-vpbe_enum_outputs.patch
+platform-x86-alienware-wmi-printing-the-wrong-error-code.patch
+platform-x86-sony-laptop-fix-unintentional-fall-through.patch
+netfilter-ebtables-config_compat-reject-trailing-data-after-last.patch
+ntp-allow-tai-utc-offset-to-be-set-to-zero.patch
+nfs4-fix-v4.0-client-state-corruption-when-mount.patch
+drm-radeon-prefer-lower-reference-dividers.patch
+ext4-fix-data-corruption-caused-by-overlapping-unaligned-and-aligned.patch
+kdb-do-a-sanity-check-on-the-cpu-in-kdb_per_cpu.patch
+bonding-fix-arp_validate-toggling-in-active-backup-mode.patch
+mfd-da9063-fix-otp-control-register-names-to-match-datasheets-for.patch
+backlight-lm3630a-return-0-on-success-in-update_status-functions.patch
+ocfs2-fix-ocfs2-read-inode-data-panic-in-ocfs2_iget.patch
+drivers-virt-fsl_hypervisor.c-dereferencing-error-pointers-in-ioctl.patch
+x86-speculation-mds-revert-cpu-buffer-clear-on-double-fault-exit.patch
+x86-speculation-mds-improve-cpu-buffer-clear-documentation.patch
diff --git a/queue-3.16/smpboot-place-the-__percpu-annotation-correctly.patch b/queue-3.16/smpboot-place-the-__percpu-annotation-correctly.patch
new file mode 100644
index 00000000..6023d98a
--- /dev/null
+++ b/queue-3.16/smpboot-place-the-__percpu-annotation-correctly.patch
@@ -0,0 +1,41 @@
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Date: Wed, 24 Apr 2019 10:52:53 +0200
+Subject: smpboot: Place the __percpu annotation correctly
+
+commit d4645d30b50d1691c26ff0f8fa4e718b08f8d3bb upstream.
+
+The test robot reported a wrong assignment of a per-CPU variable which
+it detected by using sparse and sent a report. The assignment itself is
+correct. The annotation for sparse was wrong and hence the report.
+The first pointer is a "normal" pointer and points to the per-CPU memory
+area. That means that the __percpu annotation has to be moved.
+
+Move the __percpu annotation to pointer which points to the per-CPU
+area. This change affects only the sparse tool (and is ignored by the
+compiler).
+
+Reported-by: kbuild test robot <lkp@intel.com>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Paul E. McKenney <paulmck@linux.ibm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: f97f8f06a49fe ("smpboot: Provide infrastructure for percpu hotplug threads")
+Link: http://lkml.kernel.org/r/20190424085253.12178-1-bigeasy@linutronix.de
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ include/linux/smpboot.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/smpboot.h
++++ b/include/linux/smpboot.h
+@@ -31,7 +31,7 @@ struct smpboot_thread_data;
+ * @thread_comm: The base name of the thread
+ */
+ struct smp_hotplug_thread {
+- struct task_struct __percpu **store;
++ struct task_struct * __percpu *store;
+ struct list_head list;
+ int (*thread_should_run)(unsigned int cpu);
+ void (*thread_fn)(unsigned int cpu);
diff --git a/queue-3.16/spi-rspi-fix-register-initialization-while-runtime-suspended.patch b/queue-3.16/spi-rspi-fix-register-initialization-while-runtime-suspended.patch
new file mode 100644
index 00000000..0c4d3848
--- /dev/null
+++ b/queue-3.16/spi-rspi-fix-register-initialization-while-runtime-suspended.patch 
@@ -0,0 +1,106 @@
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Tue, 12 Mar 2019 19:43:31 +0100
+Subject: spi: rspi: Fix register initialization while runtime-suspended
+
+commit 42bdaaece121b3bb50fd4d1203d6d0170279f9fa upstream.
+
+The Renesas RSPI/QSPI driver performs SPI controller register
+initialization in its spi_operations.setup() callback, without calling
+pm_runtime_get_sync() first, which may cause spurious failures.
+
+So far this went unnoticed, as this SPI controller is typically used
+with a single SPI NOR FLASH containing the boot loader:
+ 1. If the device's module clock is still enabled (left enabled by the
+ bootloader, and not yet disabled by the clk_disable_unused() late
+ initcall), register initialization succeeds,
+ 2. If the device's module clock is disabled, register writes don't
+ seem to cause lock-ups or crashes.
+ Data received in the first SPI message may be corrupted, though.
+ Subsequent SPI messages seem to be OK.
+ E.g. on r8a7791/koelsch, one bit is lost while receiving the 6th
+ byte of the JEDEC ID for the s25fl512s FLASH, corrupting that byte
+ and all later bytes. But until commit a2126b0a010905e5 ("mtd:
+ spi-nor: refine Spansion S25FL512S ID"), the 6th byte was not
+ considered for FLASH identification.
+
+Fix this by moving all initialization from the .setup() to the
+.prepare_message() callback. The latter is always called after the
+device has been runtime-resumed by the SPI core.
+
+This also makes the driver follow the rule that .setup() must not change
+global driver state or register values, as that might break a transfer
+in progress.
+
+Fixes: 490c97747d5dc77d ("spi: rspi: Add runtime PM support, using spi core auto_runtime_pm")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+[bwh: Backported to 3.16: s/(controller|ctlr)/master/g]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/spi/spi-rspi.c | 39 ++++++++++++++++-----------------------
+ 1 file changed, 16 insertions(+), 23 deletions(-)
+
+--- a/drivers/spi/spi-rspi.c
++++ b/drivers/spi/spi-rspi.c
+@@ -726,28 +726,6 @@ static int qspi_transfer_one(struct spi_
+ }
+ }
+
+-static int rspi_setup(struct spi_device *spi)
+-{
+- struct rspi_data *rspi = spi_master_get_devdata(spi->master);
+-
+- rspi->max_speed_hz = spi->max_speed_hz;
+-
+- rspi->spcmd = SPCMD_SSLKP;
+- if (spi->mode & SPI_CPOL)
+- rspi->spcmd |= SPCMD_CPOL;
+- if (spi->mode & SPI_CPHA)
+- rspi->spcmd |= SPCMD_CPHA;
+-
+- /* CMOS output mode and MOSI signal from previous transfer */
+- rspi->sppcr = 0;
+- if (spi->mode & SPI_LOOP)
+- rspi->sppcr |= SPPCR_SPLP;
+-
+- set_config_register(rspi, 8);
+-
+- return 0;
+-}
+-
+ static u16 qspi_transfer_mode(const struct spi_transfer *xfer)
+ {
+ if (xfer->tx_buf)
+@@ -817,8 +795,24 @@ static int rspi_prepare_message(struct s
+ struct spi_message *msg)
+ {
+ struct rspi_data *rspi = spi_master_get_devdata(master);
++ struct spi_device *spi = msg->spi;
+ int ret;
+
++ rspi->max_speed_hz = spi->max_speed_hz;
++
++ rspi->spcmd = SPCMD_SSLKP;
++ if (spi->mode & SPI_CPOL)
++ rspi->spcmd |= SPCMD_CPOL;
++ if (spi->mode & SPI_CPHA)
++ rspi->spcmd |= SPCMD_CPHA;
++
++ /* CMOS output mode and MOSI signal from previous transfer */
++ rspi->sppcr = 0;
++ if (spi->mode & SPI_LOOP)
++ rspi->sppcr |= SPPCR_SPLP;
++
++ set_config_register(rspi, 8);
++
+ if (msg->spi->mode &
+ (SPI_TX_DUAL | SPI_TX_QUAD | SPI_RX_DUAL | SPI_RX_QUAD)) {
+ /* Setup sequencer for messages with multiple transfer modes */
+@@ -1119,7 +1113,6 @@ static int rspi_probe(struct platform_de
+ init_waitqueue_head(&rspi->wait);
+
+ master->bus_num = pdev->id;
+- master->setup = rspi_setup;
+ master->auto_runtime_pm = true;
+ master->transfer_one = ops->transfer_one;
+ master->prepare_message = rspi_prepare_message;
diff --git a/queue-3.16/spi-rspi-fix-sequencer-reset-during-initialization.patch b/queue-3.16/spi-rspi-fix-sequencer-reset-during-initialization.patch
new file mode 100644
index 00000000..0d1eac50
--- /dev/null
+++ b/queue-3.16/spi-rspi-fix-sequencer-reset-during-initialization.patch
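Review bot: In rspi_prepare_message() the new local `struct spi_device *spi = msg->spi;` is used by the moved-in lines, but the existing test directly below them still spells it `msg->spi->mode`. Using the local there as well, `if (spi->mode &`, keeps the function consistent and makes it obvious that both blocks read the same device. The function body continues past the end of that hunk.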
@@ -0,0 +1,53 @@
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Tue, 12 Mar 2019 19:45:13 +0100
+Subject: spi: rspi: Fix sequencer reset during initialization
+
+commit 26843bb128590edd7eba1ad7ce22e4b9f1066ce3 upstream.
+
+While the sequencer is reset after each SPI message since commit
+880c6d114fd79a69 ("spi: rspi: Add support for Quad and Dual SPI
+Transfers on QSPI"), it was never reset for the first message, thus
+relying on reset state or bootloader settings.
+
+Fix this by initializing it explicitly during configuration.
+
+Fixes: 0b2182ddac4b8837 ("spi: add support for Renesas RSPI")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/spi/spi-rspi.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/spi/spi-rspi.c
++++ b/drivers/spi/spi-rspi.c
+@@ -277,7 +277,8 @@ static int rspi_set_config_register(stru
+ /* Sets parity, interrupt mask */
+ rspi_write8(rspi, 0x00, RSPI_SPCR2);
+
+- /* Sets SPCMD */
++ /* Resets sequencer */
++ rspi_write8(rspi, 0, RSPI_SPSCR);
+ rspi->spcmd |= SPCMD_SPB_8_TO_16(access_size);
+ rspi_write16(rspi, rspi->spcmd, RSPI_SPCMD0);
+
+@@ -311,7 +312,8 @@ static int rspi_rz_set_config_register(s
+ rspi_write8(rspi, 0x00, RSPI_SSLND);
+ rspi_write8(rspi, 0x00, RSPI_SPND);
+
+- /* Sets SPCMD */
++ /* Resets sequencer */
++ rspi_write8(rspi, 0, RSPI_SPSCR);
+ rspi->spcmd |= SPCMD_SPB_8_TO_16(access_size);
+ rspi_write16(rspi, rspi->spcmd, RSPI_SPCMD0);
+
+@@ -362,7 +364,8 @@ static int qspi_set_config_register(stru
+ /* Sets buffer to allow normal operation */
+ rspi_write8(rspi, 0x00, QSPI_SPBFCR);
+
+- /* Sets SPCMD */
++ /* Resets sequencer */
++ rspi_write8(rspi, 0, RSPI_SPSCR);
+ rspi_write16(rspi, rspi->spcmd, RSPI_SPCMD0);
+
+ /* Enables SPI function in master mode */
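Review bot: All three hunks replace the `/* Sets SPCMD */` comment instead of adding to it, so the `rspi_write16(rspi, rspi->spcmd, RSPI_SPCMD0);` write that follows now sits under `/* Resets sequencer */`, which describes only the new `rspi_write8(rspi, 0, RSPI_SPSCR);` line. Keep the old comment after the reset: a blank line and `/* Sets SPCMD */` before the `rspi->spcmd` lines in rspi_set_config_register(), rspi_rz_set_config_register() and qspi_set_config_register(). Each of those functions starts and ends outside its hunk.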
diff --git a/queue-3.16/tracing-fix-partial-reading-of-trace-event-s-id-file.patch b/queue-3.16/tracing-fix-partial-reading-of-trace-event-s-id-file.patch
new file mode 100644
index 00000000..061ac35c
--- /dev/null
+++ b/queue-3.16/tracing-fix-partial-reading-of-trace-event-s-id-file.patch
@@ -0,0 +1,72 @@
+From: Elazar Leibovich <elazar@lightbitslabs.com>
+Date: Mon, 31 Dec 2018 13:58:37 +0200
+Subject: tracing: Fix partial reading of trace event's id file
+
+commit cbe08bcbbe787315c425dde284dcb715cfbf3f39 upstream.
+
+When reading only part of the id file, the ppos isn't tracked correctly.
+This is taken care by simple_read_from_buffer.
+
+Reading a single byte, and then the next byte would result EOF.
+
+While this seems like not a big deal, this breaks abstractions that
+reads information from files unbuffered. See for example
+https://github.com/golang/go/issues/29399
+
+This code was mentioned as problematic in
+commit cd458ba9d5a5
+("tracing: Do not (ab)use trace_seq in event_id_read()")
+
+An example C code that show this bug is:
+
+ #include <stdio.h>
+ #include <stdint.h>
+
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <fcntl.h>
+ #include <unistd.h>
+
+ int main(int argc, char **argv) {
+ if (argc < 2)
+ return 1;
+ int fd = open(argv[1], O_RDONLY);
+ char c;
+ read(fd, &c, 1);
+ printf("First %c\n", c);
+ read(fd, &c, 1);
+ printf("Second %c\n", c);
+ }
+
+Then run with, e.g.
+
+ sudo ./a.out /sys/kernel/debug/tracing/events/tcp/tcp_set_state/id
+
+You'll notice you're getting the first character twice, instead of the
+first two characters in the id file.
+
+Link: http://lkml.kernel.org/r/20181231115837.4932-1-elazar@lightbitslabs.com
+
+Cc: Orit Wasserman <orit.was@gmail.com>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Fixes: 23725aeeab10b ("ftrace: provide an id file for each event")
+Signed-off-by: Elazar Leibovich <elazar@lightbitslabs.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ kernel/trace/trace_events.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/kernel/trace/trace_events.c
++++ b/kernel/trace/trace_events.c
+@@ -1007,9 +1007,6 @@ event_id_read(struct file *filp, char __
+ char buf[32];
+ int len;
+
+- if (*ppos)
+- return 0;
+-
+ if (unlikely(!id))
+ return -ENODEV;
+
diff --git a/queue-3.16/tty-serial_core-add-install.patch b/queue-3.16/tty-serial_core-add-install.patch
new file mode 100644
index 00000000..2a482a0d
--- /dev/null
+++ b/queue-3.16/tty-serial_core-add-install.patch
@@ -0,0 +1,111 @@
+From: Jiri Slaby <jslaby@suse.cz>
+Date: Wed, 17 Apr 2019 10:58:53 +0200
+Subject: TTY: serial_core, add ->install
+
+commit 4cdd17ba1dff20ffc99fdbd2e6f0201fc7fe67df upstream.
+
+We need to compute the uart state only on the first open. This is
+usually what is done in the ->install hook. serial_core used to do this
+in ->open on every open. So move it to ->install.
+
+As a side effect, it ensures the state is set properly in the window
+after tty_init_dev is called, but before uart_open. This fixes a bunch
+of races between tty_open and flush_to_ldisc we were dealing with
+recently.
+
+One of such bugs was attempted to fix in commit fedb5760648a (serial:
+fix race between flush_to_ldisc and tty_open), but it only took care of
+a couple of functions (uart_start and uart_unthrottle). I was able to
+reproduce the crash on a SLE system, but in uart_write_room which is
+also called from flush_to_ldisc via process_echoes. I was *unable* to
+reproduce the bug locally. It is due to having this patch in my queue
+since 2012!
+
+ general protection fault: 0000 [#1] SMP KASAN PTI
+ CPU: 1 PID: 5 Comm: kworker/u4:0 Tainted: G L 4.12.14-396-default #1 SLE15-SP1 (unreleased)
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-0-ga698c89-prebuilt.qemu.org 04/01/2014
+ Workqueue: events_unbound flush_to_ldisc
+ task: ffff8800427d8040 task.stack: ffff8800427f0000
+ RIP: 0010:uart_write_room+0xc4/0x590
+ RSP: 0018:ffff8800427f7088 EFLAGS: 00010202
+ RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
+ RDX: 000000000000002f RSI: 00000000000000ee RDI: ffff88003888bd90
+ RBP: ffffffffb9545850 R08: 0000000000000001 R09: 0000000000000400
+ R10: ffff8800427d825c R11: 000000000000006e R12: 1ffff100084fee12
+ R13: ffffc900004c5000 R14: ffff88003888bb28 R15: 0000000000000178
+ FS: 0000000000000000(0000) GS:ffff880043300000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000561da0794148 CR3: 000000000ebf4000 CR4: 00000000000006e0
+ Call Trace:
+ tty_write_room+0x6d/0xc0
+ __process_echoes+0x55/0x870
+ n_tty_receive_buf_common+0x105e/0x26d0
+ tty_ldisc_receive_buf+0xb7/0x1c0
+ tty_port_default_receive_buf+0x107/0x180
+ flush_to_ldisc+0x35d/0x5c0
+...
+
+0 in rbx means tty->driver_data is NULL in uart_write_room. 0x178 is
+tried to be dereferenced (0x178 >> 3 is 0x2f in rdx) at
+uart_write_room+0xc4. 0x178 is exactly (struct uart_state *)NULL->refcount
+used in uart_port_lock from uart_write_room.
+
+So revert the upstream commit here as my local patch should fix the
+whole family.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Cc: Li RongQing <lirongqing@baidu.com>
+Cc: Wang Li <wangli39@baidu.com>
+Cc: Zhang Yu <zhangyu31@baidu.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[bwh: Backported to 3.16: The previous fix didn't apply, so we don't need
+ to revert it here.]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/drivers/tty/serial/serial_core.c
++++ b/drivers/tty/serial/serial_core.c
+@@ -1541,6 +1541,16 @@ static void uart_dtr_rts(struct tty_port
+ uart_clear_mctrl(uport, TIOCM_DTR | TIOCM_RTS);
+ }
+
++static int uart_install(struct tty_driver *driver, struct tty_struct *tty)
++{
++ struct uart_driver *drv = driver->driver_state;
++ struct uart_state *state = drv->state + tty->index;
++
++ tty->driver_data = state;
++
++ return tty_standard_install(driver, tty);
++}
++
+ /*
+ * Calls to uart_open are serialised by the tty_lock in
+ * drivers/tty/tty_io.c:tty_open()
+@@ -1553,9 +1563,8 @@ static void uart_dtr_rts(struct tty_port
+ */
+ static int uart_open(struct tty_struct *tty, struct file *filp)
+ {
+- struct uart_driver *drv = (struct uart_driver *)tty->driver->driver_state;
+ int retval, line = tty->index;
+- struct uart_state *state = drv->state + line;
++ struct uart_state *state = tty->driver_data;
+ struct tty_port *port = &state->port;
+
+ pr_debug("uart_open(%d) called\n", line);
+@@ -1583,7 +1592,6 @@ static int uart_open(struct tty_struct *
+ * uart_close() will decrement the driver module use count.
+ * Any failures from here onwards should not touch the count.
+ */
+- tty->driver_data = state;
+ state->uart_port->state = state;
+ state->port.low_latency =
+ (state->uart_port->flags & UPF_LOW_LATENCY) ? 1 : 0;
+@@ -2265,6 +2273,7 @@ static void uart_poll_put_char(struct tt
+ #endif
+
+ static const struct tty_operations uart_ops = {
++ .install = uart_install,
+ .open = uart_open,
+ .close = uart_close,
+ .write = uart_write,
diff --git a/queue-3.16/tty-vt-fix-write-write-race-in-ioctl-kdskbsent-handler.patch b/queue-3.16/tty-vt-fix-write-write-race-in-ioctl-kdskbsent-handler.patch
new file mode 100644
index 00000000..dacc61d2
--- /dev/null
+++ b/queue-3.16/tty-vt-fix-write-write-race-in-ioctl-kdskbsent-handler.patch
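Review bot: uart_install() is added without a comment, and the reason it must set `tty->driver_data` before `tty_standard_install()` is only in the commit message. Something like `/* Set driver_data at install time: flush_to_ldisc() can reach uart_write_room() before uart_open() has run */` above the function would record it. uart_open() now takes `state` from `tty->driver_data` and dereferences it at once (`&state->port`), so it depends on every tty of this driver going through `.install`. That holds for the `uart_ops` table in the last hunk; any other user of uart_open() in the 3.16 tree, if there is one, would need the same hook.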
@@ -0,0 +1,178 @@ +From: Sergei Trofimovich <slyfox@gentoo.org> +Date: Sun, 10 Mar 2019 21:24:15 +0000 +Subject: tty/vt: fix write/write race in ioctl(KDSKBSENT) handler + +commit 46ca3f735f345c9d87383dd3a09fa5d43870770e upstream. + +The bug manifests as an attempt to access deallocated memory: + + BUG: unable to handle kernel paging request at ffff9c8735448000 + #PF error: [PROT] [WRITE] + PGD 288a05067 P4D 288a05067 PUD 288a07067 PMD 7f60c2063 PTE 80000007f5448161 + Oops: 0003 [#1] PREEMPT SMP + CPU: 6 PID: 388 Comm: loadkeys Tainted: G C 5.0.0-rc6-00153-g5ded5871030e #91 + Hardware name: Gigabyte Technology Co., Ltd. To be filled by O.E.M./H77M-D3H, BIOS F12 11/14/2013 + RIP: 0010:__memmove+0x81/0x1a0 + Code: 4c 89 4f 10 4c 89 47 18 48 8d 7f 20 73 d4 48 83 c2 20 e9 a2 00 00 00 66 90 48 89 d1 4c 8b 5c 16 f8 4c 8d 54 17 f8 48 c1 e9 03 <f3> 48 a5 4d 89 1a e9 0c 01 00 00 0f 1f 40 00 48 89 d1 4c 8b 1e 49 + RSP: 0018:ffffa1b9002d7d08 EFLAGS: 00010203 + RAX: ffff9c873541af43 RBX: ffff9c873541af43 RCX: 00000c6f105cd6bf + RDX: 0000637882e986b6 RSI: ffff9c8735447ffb RDI: ffff9c8735447ffb + RBP: ffff9c8739cd3800 R08: ffff9c873b802f00 R09: 00000000fffff73b + R10: ffffffffb82b35f1 R11: 00505b1b004d5b1b R12: 0000000000000000 + R13: ffff9c873541af3d R14: 000000000000000b R15: 000000000000000c + FS: 00007f450c390580(0000) GS:ffff9c873f180000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: ffff9c8735448000 CR3: 00000007e213c002 CR4: 00000000000606e0 + Call Trace: + vt_do_kdgkb_ioctl+0x34d/0x440 + vt_ioctl+0xba3/0x1190 + ? __bpf_prog_run32+0x39/0x60 + ? mem_cgroup_commit_charge+0x7b/0x4e0 + tty_ioctl+0x23f/0x920 + ? preempt_count_sub+0x98/0xe0 + ? __seccomp_filter+0x67/0x600 + do_vfs_ioctl+0xa2/0x6a0 + ? 
syscall_trace_enter+0x192/0x2d0 + ksys_ioctl+0x3a/0x70 + __x64_sys_ioctl+0x16/0x20 + do_syscall_64+0x54/0xe0 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +The bug manifests on systemd systems with multiple vtcon devices: + # cat /sys/devices/virtual/vtconsole/vtcon0/name + (S) dummy device + # cat /sys/devices/virtual/vtconsole/vtcon1/name + (M) frame buffer device + +There systemd runs 'loadkeys' tool in tapallel for each vtcon +instance. This causes two parallel ioctl(KDSKBSENT) calls to +race into adding the same entry into 'func_table' array at: + + drivers/tty/vt/keyboard.c:vt_do_kdgkb_ioctl() + +The function has no locking around writes to 'func_table'. + +The simplest reproducer is to have initrams with the following +init on a 8-CPU machine x86_64: + + #!/bin/sh + + loadkeys -q windowkeys ru4 & + loadkeys -q windowkeys ru4 & + loadkeys -q windowkeys ru4 & + loadkeys -q windowkeys ru4 & + + loadkeys -q windowkeys ru4 & + loadkeys -q windowkeys ru4 & + loadkeys -q windowkeys ru4 & + loadkeys -q windowkeys ru4 & + wait + +The change adds lock on write path only. Reads are still racy. 
+ +CC: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +CC: Jiri Slaby <jslaby@suse.com> +Link: https://lkml.org/lkml/2019/2/17/256 +Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/tty/vt/keyboard.c | 33 +++++++++++++++++++++++++++------ + 1 file changed, 27 insertions(+), 6 deletions(-) + +--- a/drivers/tty/vt/keyboard.c ++++ b/drivers/tty/vt/keyboard.c +@@ -120,6 +120,7 @@ static const int NR_TYPES = ARRAY_SIZE(m + static struct input_handler kbd_handler; + static DEFINE_SPINLOCK(kbd_event_lock); + static DEFINE_SPINLOCK(led_lock); ++static DEFINE_SPINLOCK(func_buf_lock); /* guard 'func_buf' and friends */ + static unsigned long key_down[BITS_TO_LONGS(KEY_CNT)]; /* keyboard key bitmap */ + static unsigned char shift_down[NR_SHIFT]; /* shift state counters.. */ + static bool dead_key_next; +@@ -1865,11 +1866,12 @@ int vt_do_kdgkb_ioctl(int cmd, struct kb + char *p; + u_char *q; + u_char __user *up; +- int sz; ++ int sz, fnw_sz; + int delta; + char *first_free, *fj, *fnw; + int i, j, k; + int ret; ++ unsigned long flags; + + if (!capable(CAP_SYS_TTY_CONFIG)) + perm = 0; +@@ -1912,7 +1914,14 @@ int vt_do_kdgkb_ioctl(int cmd, struct kb + goto reterr; + } + ++ fnw = NULL; ++ fnw_sz = 0; ++ /* race aginst other writers */ ++ again: ++ spin_lock_irqsave(&func_buf_lock, flags); + q = func_table[i]; ++ ++ /* fj pointer to next entry after 'q' */ + first_free = funcbufptr + (funcbufsize - funcbufleft); + for (j = i+1; j < MAX_NR_FUNC && !func_table[j]; j++) + ; +@@ -1920,10 +1929,12 @@ int vt_do_kdgkb_ioctl(int cmd, struct kb + fj = func_table[j]; + else + fj = first_free; +- ++ /* buffer usage increase by new entry */ + delta = (q ? 
-strlen(q) : 1) + strlen(kbs->kb_string); ++ + if (delta <= funcbufleft) { /* it fits in current buf */ + if (j < MAX_NR_FUNC) { ++ /* make enough space for new entry at 'fj' */ + memmove(fj + delta, fj, first_free - fj); + for (k = j; k < MAX_NR_FUNC; k++) + if (func_table[k]) +@@ -1936,20 +1947,28 @@ int vt_do_kdgkb_ioctl(int cmd, struct kb + sz = 256; + while (sz < funcbufsize - funcbufleft + delta) + sz <<= 1; +- fnw = kmalloc(sz, GFP_KERNEL); +- if(!fnw) { +- ret = -ENOMEM; +- goto reterr; ++ if (fnw_sz != sz) { ++ spin_unlock_irqrestore(&func_buf_lock, flags); ++ kfree(fnw); ++ fnw = kmalloc(sz, GFP_KERNEL); ++ fnw_sz = sz; ++ if (!fnw) { ++ ret = -ENOMEM; ++ goto reterr; ++ } ++ goto again; + } + + if (!q) + func_table[i] = fj; ++ /* copy data before insertion point to new location */ + if (fj > funcbufptr) + memmove(fnw, funcbufptr, fj - funcbufptr); + for (k = 0; k < j; k++) + if (func_table[k]) + func_table[k] = fnw + (func_table[k] - funcbufptr); + ++ /* copy data after insertion point to new location */ + if (first_free > fj) { + memmove(fnw + (fj - funcbufptr) + delta, fj, first_free - fj); + for (k = j; k < MAX_NR_FUNC; k++) +@@ -1962,7 +1981,9 @@ int vt_do_kdgkb_ioctl(int cmd, struct kb + funcbufleft = funcbufleft - delta + sz - funcbufsize; + funcbufsize = sz; + } ++ /* finally insert item itself */ + strcpy(func_table[i], kbs->kb_string); ++ spin_unlock_irqrestore(&func_buf_lock, flags); + break; + } + ret = 0; diff --git a/queue-3.16/uas-fix-alignment-of-scatter-gather-segments.patch b/queue-3.16/uas-fix-alignment-of-scatter-gather-segments.patch new file mode 100644 index 00000000..a70cd4ca --- /dev/null +++ b/queue-3.16/uas-fix-alignment-of-scatter-gather-segments.patch 
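Review bot: In the KDSKBSENT write path of vt_do_kdgkb_ioctl(), a buffer obtained by `fnw = kmalloc(sz, GFP_KERNEL)` on an earlier pass is never released when the retry after `goto again` takes the `delta <= funcbufleft` branch, which can happen if another writer enlarged the buffer while the lock was dropped. The hunk shows no `kfree(fnw)` on that path before `break`, and the `reterr` label is outside the hunk, so whether it frees `fnw` cannot be confirmed from here. I would track in a local flag whether `fnw` was installed as `funcbufptr` and call `kfree(fnw)` after `spin_unlock_irqrestore()` when it was not; comparing against `funcbufptr` after the unlock would itself race with other writers. The function body starts and ends outside the hunk.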
@@ -0,0 +1,71 @@ +From: Oliver Neukum <oneukum@suse.com> +Date: Tue, 30 Apr 2019 12:21:45 +0200 +Subject: UAS: fix alignment of scatter/gather segments + +commit 3ae62a42090f1ed48e2313ed256a1182a85fb575 upstream. + +This is the UAS version of + +747668dbc061b3e62bc1982767a3a1f9815fcf0e +usb-storage: Set virt_boundary_mask to avoid SG overflows + +We are not as likely to be vulnerable as storage, as it is unlikelier +that UAS is run over a controller without native support for SG, +but the issue exists. +The issue has been existing since the inception of the driver. + +Fixes: 115bb1ffa54c ("USB: Add UAS driver") +Signed-off-by: Oliver Neukum <oneukum@suse.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- +--- a/drivers/usb/storage/uas.c ++++ b/drivers/usb/storage/uas.c +@@ -952,23 +952,33 @@ static int uas_slave_alloc(struct scsi_d + { + struct uas_dev_info *devinfo = + (struct uas_dev_info *)sdev->host->hostdata; ++ int maxp; + + sdev->hostdata = devinfo; + +- /* USB has unusual DMA-alignment requirements: Although the +- * starting address of each scatter-gather element doesn't matter, +- * the length of each element except the last must be divisible +- * by the Bulk maxpacket value. There's currently no way to +- * express this by block-layer constraints, so we'll cop out +- * and simply require addresses to be aligned at 512-byte +- * boundaries. This is okay since most block I/O involves +- * hardware sectors that are multiples of 512 bytes in length, +- * and since host controllers up through USB 2.0 have maxpacket +- * values no larger than 512. ++ /* ++ * We have two requirements here. We must satisfy the requirements ++ * of the physical HC and the demands of the protocol, as we ++ * definitely want no additional memory allocation in this path ++ * ruling out using bounce buffers. 
+ * +- * But it doesn't suffice for Wireless USB, where Bulk maxpacket +- * values can be as large as 2048. To make that work properly +- * will require changes to the block layer. ++ * For a transmission on USB to continue we must never send ++ * a package that is smaller than maxpacket. Hence the length of each ++ * scatterlist element except the last must be divisible by the ++ * Bulk maxpacket value. ++ * If the HC does not ensure that through SG, ++ * the upper layer must do that. We must assume nothing ++ * about the capabilities off the HC, so we use the most ++ * pessimistic requirement. ++ */ ++ ++ maxp = usb_maxpacket(devinfo->udev, devinfo->data_in_pipe, 0); ++ blk_queue_virt_boundary(sdev->request_queue, maxp - 1); ++ ++ /* ++ * The protocol has no requirements on alignment in the strict sense. ++ * Controllers may or may not have alignment restrictions. ++ * As this is not exported, we use an extremely conservative guess. + */ + blk_queue_update_dma_alignment(sdev->request_queue, (512 - 1)); + diff --git a/queue-3.16/usb-cdc-acm-fix-race-during-wakeup-blocking-tx-traffic.patch b/queue-3.16/usb-cdc-acm-fix-race-during-wakeup-blocking-tx-traffic.patch new file mode 100644 index 00000000..c2e562a7 --- /dev/null +++ b/queue-3.16/usb-cdc-acm-fix-race-during-wakeup-blocking-tx-traffic.patch 
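Review bot: In uas_slave_alloc(), `maxp` comes from `usb_maxpacket()` on the device's bulk-in pipe and is used unchecked as `maxp - 1` for `blk_queue_virt_boundary()`. A value of 0 would make the mask all ones, and a value that is not a power of two gives a mask that does not describe a valid boundary; whether the endpoint descriptor is validated before this point is not visible in the hunk. Since the descriptor is supplied by the attached device, I would guard the call, e.g. `if (maxp > 0 && is_power_of_2(maxp)) blk_queue_virt_boundary(sdev->request_queue, maxp - 1);`, and decide explicitly what limit applies otherwise. The function continues past the end of the hunk.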
@@ -0,0 +1,42 @@ +From: Romain Izard <romain.izard.pro@gmail.com> +Date: Fri, 22 Mar 2019 16:53:02 +0100 +Subject: usb: cdc-acm: fix race during wakeup blocking TX traffic + +commit 93e1c8a638308980309e009cc40b5a57ef87caf1 upstream. + +When the kernel is compiled with preemption enabled, the URB completion +handler can run in parallel with the work responsible for waking up the +tty layer. If the URB handler sets the EVENT_TTY_WAKEUP bit during the +call to tty_port_tty_wakeup() to signal that there is room for additional +input, it will be cleared at the end of this call. As a result, TX traffic +on the upper layer will be blocked. + +This can be seen with a kernel configured with CONFIG_PREEMPT, and a fast +modem connected with PPP running over a USB CDC-ACM port. + +Use test_and_clear_bit() instead, which ensures that each wakeup requested +by the URB completion code will trigger a call to tty_port_tty_wakeup(). + +Fixes: 1aba579f3cf5 cdc-acm: handle read pipe errors +Signed-off-by: Romain Izard <romain.izard.pro@gmail.com> +Acked-by: Oliver Neukum <oneukum@suse.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/class/cdc-acm.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -510,10 +510,8 @@ static void acm_softint(struct work_stru + clear_bit(EVENT_RX_STALL, &acm->flags); + } + +- if (test_bit(EVENT_TTY_WAKEUP, &acm->flags)) { ++ if (test_and_clear_bit(EVENT_TTY_WAKEUP, &acm->flags)) + tty_port_tty_wakeup(&acm->port); +- clear_bit(EVENT_TTY_WAKEUP, &acm->flags); +- } + } + + /* diff --git a/queue-3.16/usb-cdc-acm-fix-unthrottle-races.patch b/queue-3.16/usb-cdc-acm-fix-unthrottle-races.patch new file mode 100644 index 00000000..300cca4e --- /dev/null +++ b/queue-3.16/usb-cdc-acm-fix-unthrottle-races.patch 
@@ -0,0 +1,128 @@ +From: Johan Hovold <johan@kernel.org> +Date: Thu, 25 Apr 2019 18:05:39 +0200 +Subject: USB: cdc-acm: fix unthrottle races + +commit 764478f41130f1b8d8057575b89e69980a0f600d upstream. + +Fix two long-standing bugs which could potentially lead to memory +corruption or leave the port throttled until it is reopened (on weakly +ordered systems), respectively, when read-URB completion races with +unthrottle(). + +First, the URB must not be marked as free before processing is complete +to prevent it from being submitted by unthrottle() on another CPU. + + CPU 1 CPU 2 + ================ ================ + complete() unthrottle() + process_urb(); + smp_mb__before_atomic(); + set_bit(i, free); if (test_and_clear_bit(i, free)) + submit_urb(); + +Second, the URB must be marked as free before checking the throttled +flag to prevent unthrottle() on another CPU from failing to observe that +the URB needs to be submitted if complete() sees that the throttled flag +is set. + + CPU 1 CPU 2 + ================ ================ + complete() unthrottle() + set_bit(i, free); throttled = 0; + smp_mb__after_atomic(); smp_mb(); + if (throttled) if (test_and_clear_bit(i, free)) + return; submit_urb(); + +Note that test_and_clear_bit() only implies barriers when the test is +successful. To handle the case where the URB is still in use an explicit +barrier needs to be added to unthrottle() for the second race condition. + +Also note that the first race was fixed by 36e59e0d70d6 ("cdc-acm: fix +race between callback and unthrottle") back in 2015, but the bug was +reintroduced a year later. 
+ +Fixes: 1aba579f3cf5 ("cdc-acm: handle read pipe errors") +Fixes: 088c64f81284 ("USB: cdc-acm: re-write read processing") +Signed-off-by: Johan Hovold <johan@kernel.org> +Acked-by: Oliver Neukum <oneukum@suse.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/class/cdc-acm.c | 32 +++++++++++++++++++++++++------- + 1 file changed, 25 insertions(+), 7 deletions(-) + +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -420,12 +420,12 @@ static void acm_read_bulk_callback(struc + struct acm *acm = rb->instance; + unsigned long flags; + int status = urb->status; ++ bool stopped = false; ++ bool stalled = false; + + dev_vdbg(&acm->data->dev, "%s - urb %d, len %d\n", __func__, + rb->index, urb->actual_length); + +- set_bit(rb->index, &acm->read_urbs_free); +- + if (!acm->dev) { + dev_dbg(&acm->data->dev, "%s - disconnected\n", __func__); + return; +@@ -438,15 +438,16 @@ static void acm_read_bulk_callback(struc + break; + case -EPIPE: + set_bit(EVENT_RX_STALL, &acm->flags); +- schedule_work(&acm->work); +- return; ++ stalled = true; ++ break; + case -ENOENT: + case -ECONNRESET: + case -ESHUTDOWN: + dev_dbg(&acm->data->dev, + "%s - urb shutting down with status: %d\n", + __func__, status); +- return; ++ stopped = true; ++ break; + default: + dev_dbg(&acm->data->dev, + "%s - nonzero urb status received: %d\n", +@@ -455,10 +456,24 @@ static void acm_read_bulk_callback(struc + } + + /* +- * Unthrottle may run on another CPU which needs to see events +- * in the same order. Submission has an implict barrier ++ * Make sure URB processing is done before marking as free to avoid ++ * racing with unthrottle() on another CPU. Matches the barriers ++ * implied by the test_and_clear_bit() in acm_submit_read_urb(). 
+ */ + smp_mb__before_atomic(); ++ set_bit(rb->index, &acm->read_urbs_free); ++ /* ++ * Make sure URB is marked as free before checking the throttled flag ++ * to avoid racing with unthrottle() on another CPU. Matches the ++ * smp_mb() in unthrottle(). ++ */ ++ smp_mb__after_atomic(); ++ ++ if (stopped || stalled) { ++ if (stalled) ++ schedule_work(&acm->work); ++ return; ++ } + + /* throttle device if requested by tty */ + spin_lock_irqsave(&acm->read_lock, flags); +@@ -807,6 +822,9 @@ static void acm_tty_unthrottle(struct tt + acm->throttle_req = 0; + spin_unlock_irq(&acm->read_lock); + ++ /* Matches the smp_mb__after_atomic() in acm_read_bulk_callback(). */ ++ smp_mb(); ++ + if (was_throttled) + acm_submit_read_urbs(acm, GFP_KERNEL); + } diff --git a/queue-3.16/usb-serial-fix-initial-termios-handling.patch b/queue-3.16/usb-serial-fix-initial-termios-handling.patch new file mode 100644 index 00000000..85e9555d --- /dev/null +++ b/queue-3.16/usb-serial-fix-initial-termios-handling.patch 
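Review bot: In acm_read_bulk_callback(), moving `set_bit(rb->index, &acm->read_urbs_free)` below the status switch means the early `if (!acm->dev)` return now leaves the URB's bit clear, whereas before the bit was set ahead of that check. That looks harmless after a disconnect, but it is a behaviour change the commit message does not mention, so I would document it at the return, e.g. `/* disconnected: URB is intentionally left marked in use */`, or confirm that no later path expects the bit to be set. The callback's tail is outside the hunk.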
@@ -0,0 +1,70 @@ +From: Johan Hovold <johan@kernel.org> +Date: Sun, 21 Apr 2019 14:21:46 +0200 +Subject: USB: serial: fix initial-termios handling + +commit 579bebe5dd522580019e7b10b07daaf500f9fb1e upstream. + +The USB-serial driver init_termios callback is used to override the +default initial terminal settings provided by USB-serial core. + +After a bug was fixed in the original implementation introduced by +commit fe1ae7fdd2ee ("tty: USB serial termios bits"), the init_termios +callback was no longer called just once on first use as intended but +rather on every (first) open. + +This specifically meant that the terminal settings saved on (final) +close were ignored when reopening a port for drivers overriding the +initial settings. + +Also update the outdated function header referring to the creation of +termios objects. + +Fixes: 7e29bb4b779f ("usb-serial: fix termios initialization logic") +Signed-off-by: Johan Hovold <johan@kernel.org> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/serial/usb-serial.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/usb/serial/usb-serial.c ++++ b/drivers/usb/serial/usb-serial.c +@@ -167,9 +167,9 @@ void usb_serial_put(struct usb_serial *s + * @driver: the driver (USB in our case) + * @tty: the tty being created + * +- * Create the termios objects for this tty. We use the default ++ * Initialise the termios structure for this tty. We use the default + * USB serial settings but permit them to be overridden by +- * serial->type->init_termios. ++ * serial->type->init_termios on first open. + * + * This is the first place a new tty gets used. 
Hence this is where we + * acquire references to the usb_serial structure and the driver module, +@@ -181,6 +181,7 @@ static int serial_install(struct tty_dri + int idx = tty->index; + struct usb_serial *serial; + struct usb_serial_port *port; ++ bool init_termios; + int retval = -ENODEV; + + port = usb_serial_port_get_by_minor(idx); +@@ -195,14 +196,16 @@ static int serial_install(struct tty_dri + if (retval) + goto error_get_interface; + ++ init_termios = (driver->termios[idx] == NULL); ++ + retval = tty_port_install(&port->port, driver, tty); + if (retval) + goto error_init_termios; + + mutex_unlock(&serial->disc_mutex); + +- /* allow the driver to update the settings */ +- if (serial->type->init_termios) ++ /* allow the driver to update the initial settings */ ++ if (init_termios && serial->type->init_termios) + serial->type->init_termios(tty); + + tty->driver_data = port; diff --git a/queue-3.16/usb-serial-fix-unthrottle-races.patch b/queue-3.16/usb-serial-fix-unthrottle-races.patch new file mode 100644 index 00000000..7cec2a44 --- /dev/null +++ b/queue-3.16/usb-serial-fix-unthrottle-races.patch 
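Review bot: In serial_install(), `init_termios = (driver->termios[idx] == NULL);` carries the whole fix, but nothing at that line says why a NULL slot means first use. Going by the commit message, the slot holds the settings saved on final close, so I would add `/* no saved termios yet, so this is the first open of this port */` above it. The placement ahead of `tty_port_install()` also looks deliberate; if the ordering is required, the comment should say so. The function continues outside the hunk.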
@@ -0,0 +1,128 @@ +From: Johan Hovold <johan@kernel.org> +Date: Thu, 25 Apr 2019 18:05:36 +0200 +Subject: USB: serial: fix unthrottle races + +commit 3f5edd58d040bfa4b74fb89bc02f0bc6b9cd06ab upstream. + +Fix two long-standing bugs which could potentially lead to memory +corruption or leave the port throttled until it is reopened (on weakly +ordered systems), respectively, when read-URB completion races with +unthrottle(). + +First, the URB must not be marked as free before processing is complete +to prevent it from being submitted by unthrottle() on another CPU. + + CPU 1 CPU 2 + ================ ================ + complete() unthrottle() + process_urb(); + smp_mb__before_atomic(); + set_bit(i, free); if (test_and_clear_bit(i, free)) + submit_urb(); + +Second, the URB must be marked as free before checking the throttled +flag to prevent unthrottle() on another CPU from failing to observe that +the URB needs to be submitted if complete() sees that the throttled flag +is set. + + CPU 1 CPU 2 + ================ ================ + complete() unthrottle() + set_bit(i, free); throttled = 0; + smp_mb__after_atomic(); smp_mb(); + if (throttled) if (test_and_clear_bit(i, free)) + return; submit_urb(); + +Note that test_and_clear_bit() only implies barriers when the test is +successful. To handle the case where the URB is still in use an explicit +barrier needs to be added to unthrottle() for the second race condition. 
+ +Fixes: d83b405383c9 ("USB: serial: add support for multiple read urbs") +Signed-off-by: Johan Hovold <johan@kernel.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/serial/generic.c | 39 +++++++++++++++++++++++++++++------- + 1 file changed, 32 insertions(+), 7 deletions(-) + +--- a/drivers/usb/serial/generic.c ++++ b/drivers/usb/serial/generic.c +@@ -350,6 +350,7 @@ void usb_serial_generic_read_bulk_callba + struct usb_serial_port *port = urb->context; + unsigned char *data = urb->transfer_buffer; + unsigned long flags; ++ bool stopped = false; + int status = urb->status; + int i; + +@@ -357,33 +358,51 @@ void usb_serial_generic_read_bulk_callba + if (urb == port->read_urbs[i]) + break; + } +- set_bit(i, &port->read_urbs_free); + + dev_dbg(&port->dev, "%s - urb %d, len %d\n", __func__, i, + urb->actual_length); + switch (status) { + case 0: ++ usb_serial_debug_data(&port->dev, __func__, urb->actual_length, ++ data); ++ port->serial->type->process_read_urb(urb); + break; + case -ENOENT: + case -ECONNRESET: + case -ESHUTDOWN: + dev_dbg(&port->dev, "%s - urb stopped: %d\n", + __func__, status); +- return; ++ stopped = true; ++ break; + case -EPIPE: + dev_err(&port->dev, "%s - urb stopped: %d\n", + __func__, status); +- return; ++ stopped = true; ++ break; + default: + dev_dbg(&port->dev, "%s - nonzero urb status: %d\n", + __func__, status); +- goto resubmit; ++ break; + } + +- usb_serial_debug_data(&port->dev, __func__, urb->actual_length, data); +- port->serial->type->process_read_urb(urb); ++ /* ++ * Make sure URB processing is done before marking as free to avoid ++ * racing with unthrottle() on another CPU. Matches the barriers ++ * implied by the test_and_clear_bit() in ++ * usb_serial_generic_submit_read_urb(). ++ */ ++ smp_mb__before_atomic(); ++ set_bit(i, &port->read_urbs_free); ++ /* ++ * Make sure URB is marked as free before checking the throttled flag ++ * to avoid racing with unthrottle() on another CPU. 
Matches the ++ * smp_mb() in unthrottle(). ++ */ ++ smp_mb__after_atomic(); ++ ++ if (stopped) ++ return; + +-resubmit: + /* Throttle the device if requested by tty */ + spin_lock_irqsave(&port->lock, flags); + port->throttled = port->throttle_req; +@@ -458,6 +477,12 @@ void usb_serial_generic_unthrottle(struc + port->throttled = port->throttle_req = 0; + spin_unlock_irq(&port->lock); + ++ /* ++ * Matches the smp_mb__after_atomic() in ++ * usb_serial_generic_read_bulk_callback(). ++ */ ++ smp_mb(); ++ + if (was_throttled) + usb_serial_generic_submit_read_urbs(port, GFP_KERNEL); + } diff --git a/queue-3.16/usb-serial-use-variable-for-status.patch b/queue-3.16/usb-serial-use-variable-for-status.patch new file mode 100644 index 00000000..3ac3a84e --- /dev/null +++ b/queue-3.16/usb-serial-use-variable-for-status.patch 
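Review bot: In usb_serial_generic_read_bulk_callback(), the relocated `set_bit(i, &port->read_urbs_free)` uses `i` from the lookup loop over `port->read_urbs`, and if no entry matched `urb` then `i` equals `ARRAY_SIZE(port->read_urbs)` and the bit lies outside the range the loop covers. The completion should only ever see one of the port's own URBs, so this is a defensive point rather than a known failure, and the loop header is outside the hunk. If a guard is wanted, `if (i == ARRAY_SIZE(port->read_urbs)) return;` before the switch would do; otherwise a one-line comment stating the invariant is enough.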
@@ -0,0 +1,89 @@ +From: Oliver Neukum <oneukum@suse.com> +Date: Thu, 14 Jul 2016 15:01:40 +0200 +Subject: USB: serial: use variable for status + +commit 3161da970d38cd6ed2ba8cadec93874d1d06e11e upstream. + +This patch turns status in a variable read once from the URB. +The long term plan is to deliver status to the callback. +In addition it makes the code a bit more elegant. + +Signed-off-by: Oliver Neukum <oneukum@suse.com> +Signed-off-by: Johan Hovold <johan@kernel.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/serial/generic.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +--- a/drivers/usb/serial/generic.c ++++ b/drivers/usb/serial/generic.c +@@ -350,6 +350,7 @@ void usb_serial_generic_read_bulk_callba + struct usb_serial_port *port = urb->context; + unsigned char *data = urb->transfer_buffer; + unsigned long flags; ++ int status = urb->status; + int i; + + for (i = 0; i < ARRAY_SIZE(port->read_urbs); ++i) { +@@ -360,22 +361,22 @@ void usb_serial_generic_read_bulk_callba + + dev_dbg(&port->dev, "%s - urb %d, len %d\n", __func__, i, + urb->actual_length); +- switch (urb->status) { ++ switch (status) { + case 0: + break; + case -ENOENT: + case -ECONNRESET: + case -ESHUTDOWN: + dev_dbg(&port->dev, "%s - urb stopped: %d\n", +- __func__, urb->status); ++ __func__, status); + return; + case -EPIPE: + dev_err(&port->dev, "%s - urb stopped: %d\n", +- __func__, urb->status); ++ __func__, status); + return; + default: + dev_dbg(&port->dev, "%s - nonzero urb status: %d\n", +- __func__, urb->status); ++ __func__, status); + goto resubmit; + } + +@@ -399,6 +400,7 @@ void usb_serial_generic_write_bulk_callb + { + unsigned long flags; + struct usb_serial_port *port = urb->context; ++ int status = urb->status; + int i; + + for (i = 0; i < ARRAY_SIZE(port->write_urbs); ++i) { +@@ -410,22 +412,22 @@ void usb_serial_generic_write_bulk_callb + set_bit(i, &port->write_urbs_free); + spin_unlock_irqrestore(&port->lock, 
flags); + +- switch (urb->status) { ++ switch (status) { + case 0: + break; + case -ENOENT: + case -ECONNRESET: + case -ESHUTDOWN: + dev_dbg(&port->dev, "%s - urb stopped: %d\n", +- __func__, urb->status); ++ __func__, status); + return; + case -EPIPE: + dev_err_console(port, "%s - urb stopped: %d\n", +- __func__, urb->status); ++ __func__, status); + return; + default: + dev_err_console(port, "%s - nonzero urb status: %d\n", +- __func__, urb->status); ++ __func__, status); + goto resubmit; + } + diff --git a/queue-3.16/x86-speculation-mds-improve-cpu-buffer-clear-documentation.patch b/queue-3.16/x86-speculation-mds-improve-cpu-buffer-clear-documentation.patch new file mode 100644 index 00000000..54f24ff6 --- /dev/null +++ b/queue-3.16/x86-speculation-mds-improve-cpu-buffer-clear-documentation.patch 
@@ -0,0 +1,75 @@ +From: Andy Lutomirski <luto@kernel.org> +Date: Tue, 14 May 2019 13:24:40 -0700 +Subject: x86/speculation/mds: Improve CPU buffer clear documentation + +commit 9d8d0294e78a164d407133dea05caf4b84247d6a upstream. + +On x86_64, all returns to usermode go through +prepare_exit_to_usermode(), with the sole exception of do_nmi(). +This even includes machine checks -- this was added several years +ago to support MCE recovery. Update the documentation. + +Signed-off-by: Andy Lutomirski <luto@kernel.org> +Cc: Borislav Petkov <bp@suse.de> +Cc: Frederic Weisbecker <frederic@kernel.org> +Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Cc: Jon Masters <jcm@redhat.com> +Cc: Linus Torvalds <torvalds@linux-foundation.org> +Cc: Peter Zijlstra <peterz@infradead.org> +Cc: Thomas Gleixner <tglx@linutronix.de> +Fixes: 04dcbdb80578 ("x86/speculation/mds: Clear CPU buffers on exit to user") +Link: http://lkml.kernel.org/r/999fa9e126ba6a48e9d214d2f18dbde5c62ac55c.1557865329.git.luto@kernel.org +Signed-off-by: Ingo Molnar <mingo@kernel.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + Documentation/x86/mds.rst | 39 +++++++-------------------------------- + 1 file changed, 7 insertions(+), 32 deletions(-) + +--- a/Documentation/x86/mds.rst ++++ b/Documentation/x86/mds.rst +@@ -142,38 +142,13 @@ Mitigation points + mds_user_clear. + + The mitigation is invoked in prepare_exit_to_usermode() which covers +- most of the kernel to user space transitions. There are a few exceptions +- which are not invoking prepare_exit_to_usermode() on return to user +- space. These exceptions use the paranoid exit code. +- +- - Non Maskable Interrupt (NMI): +- +- Access to sensible data like keys, credentials in the NMI context is +- mostly theoretical: The CPU can do prefetching or execute a +- misspeculated code path and thereby fetching data which might end up +- leaking through a buffer. 
+- +- But for mounting other attacks the kernel stack address of the task is +- already valuable information. So in full mitigation mode, the NMI is +- mitigated on the return from do_nmi() to provide almost complete +- coverage. +- +- - Machine Check Exception (#MC): +- +- Another corner case is a #MC which hits between the CPU buffer clear +- invocation and the actual return to user. As this still is in kernel +- space it takes the paranoid exit path which does not clear the CPU +- buffers. So the #MC handler repopulates the buffers to some +- extent. Machine checks are not reliably controllable and the window is +- extremly small so mitigation would just tick a checkbox that this +- theoretical corner case is covered. To keep the amount of special +- cases small, ignore #MC. +- +- - Debug Exception (#DB): +- +- This takes the paranoid exit path only when the INT1 breakpoint is in +- kernel space. #DB on a user space address takes the regular exit path, +- so no extra mitigation required. ++ all but one of the kernel to user space transitions. The exception ++ is when we return from a Non Maskable Interrupt (NMI), which is ++ handled directly in do_nmi(). ++ ++ (The reason that NMI is special is that prepare_exit_to_usermode() can ++ enable IRQs. In NMI context, NMIs are blocked, and we don't want to ++ enable IRQs with NMIs blocked.) + + + 2. C-State transition diff --git a/queue-3.16/x86-speculation-mds-revert-cpu-buffer-clear-on-double-fault-exit.patch b/queue-3.16/x86-speculation-mds-revert-cpu-buffer-clear-on-double-fault-exit.patch new file mode 100644 index 00000000..1317540d --- /dev/null +++ b/queue-3.16/x86-speculation-mds-revert-cpu-buffer-clear-on-double-fault-exit.patch 
@@ -0,0 +1,69 @@ +From: Andy Lutomirski <luto@kernel.org> +Date: Tue, 14 May 2019 13:24:39 -0700 +Subject: x86/speculation/mds: Revert CPU buffer clear on double fault exit + +commit 88640e1dcd089879530a49a8d212d1814678dfe7 upstream. + +The double fault ESPFIX path doesn't return to user mode at all -- +it returns back to the kernel by simulating a #GP fault. +prepare_exit_to_usermode() will run on the way out of +general_protection before running user code. + +Signed-off-by: Andy Lutomirski <luto@kernel.org> +Cc: Borislav Petkov <bp@suse.de> +Cc: Frederic Weisbecker <frederic@kernel.org> +Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Cc: Jon Masters <jcm@redhat.com> +Cc: Linus Torvalds <torvalds@linux-foundation.org> +Cc: Peter Zijlstra <peterz@infradead.org> +Cc: Thomas Gleixner <tglx@linutronix.de> +Fixes: 04dcbdb80578 ("x86/speculation/mds: Clear CPU buffers on exit to user") +Link: http://lkml.kernel.org/r/ac97612445c0a44ee10374f6ea79c222fe22a5c4.1557865329.git.luto@kernel.org +Signed-off-by: Ingo Molnar <mingo@kernel.org> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + Documentation/x86/mds.rst | 7 ------- + arch/x86/kernel/traps.c | 8 -------- + 2 files changed, 15 deletions(-) + +--- a/Documentation/x86/mds.rst ++++ b/Documentation/x86/mds.rst +@@ -158,13 +158,6 @@ Mitigation points + mitigated on the return from do_nmi() to provide almost complete + coverage. + +- - Double fault (#DF): +- +- A double fault is usually fatal, but the ESPFIX workaround, which can +- be triggered from user space through modify_ldt(2) is a recoverable +- double fault. #DF uses the paranoid exit path, so explicit mitigation +- in the double fault handler is required. 
+- + - Machine Check Exception (#MC): + + Another corner case is a #MC which hits between the CPU buffer clear +--- a/arch/x86/kernel/traps.c ++++ b/arch/x86/kernel/traps.c +@@ -55,7 +55,6 @@ + #include <asm/fixmap.h> + #include <asm/mach_traps.h> + #include <asm/alternative.h> +-#include <asm/nospec-branch.h> + + #ifdef CONFIG_X86_64 + #include <asm/x86_init.h> +@@ -260,13 +259,6 @@ dotraplinkage void do_double_fault(struc + regs->ip = (unsigned long)general_protection; + regs->sp = (unsigned long)&normal_regs->orig_ax; + +- /* +- * This situation can be triggered by userspace via +- * modify_ldt(2) and the return does not take the regular +- * user space exit, so a CPU buffer clear is required when +- * MDS mitigation is enabled. +- */ +- mds_user_clear_cpu_buffers(); + return; + } + #endif diff --git a/queue-3.16/x86-uaccess-dont-leak-the-ac-flag-into-__put_user-argument.patch b/queue-3.16/x86-uaccess-dont-leak-the-ac-flag-into-__put_user-argument.patch new file mode 100644 index 00000000..b69dc2a3 --- /dev/null +++ b/queue-3.16/x86-uaccess-dont-leak-the-ac-flag-into-__put_user-argument.patch 
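Review bot: In do_double_fault(), the ESPFIX branch now returns with no explanation of why the CPU buffer clear is unnecessary, which is the kind of omission a later reader may "fix" by adding the call back. I would replace the removed comment with one stating the reason from the commit message, e.g. `/* Returns to general_protection in kernel mode; CPU buffers are cleared on the later exit to user space. */`. The justification relies on prepare_exit_to_usermode() running on the way out of general_protection, and that path is not visible here, so it is worth confirming it holds on the 3.16 tree this backport targets. The `#include <asm/nospec-branch.h>` removal likewise assumes nothing else in traps.c uses that header, which the hunk cannot show.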
@@ -0,0 +1,55 @@
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Wed, 24 Apr 2019 09:19:24 +0200
+Subject: x86/uaccess: Dont leak the AC flag into __put_user() argument
+ evaluation
+
+commit 6ae865615fc43d014da2fd1f1bba7e81ee622d1b upstream.
+
+The __put_user() macro evaluates it's @ptr argument inside the
+__uaccess_begin() / __uaccess_end() region. While this would normally
+not be expected to be an issue, an UBSAN bug (it ignored -fwrapv,
+fixed in GCC 8+) would transform the @ptr evaluation for:
+
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c: if (unlikely(__put_user(offset, &urelocs[r-stack].presumed_offset))) {
+
+into a signed-overflow-UB check and trigger the objtool AC validation.
+
+Finish this commit:
+
+ 2a418cf3f5f1 ("x86/uaccess: Don't leak the AC flag into __put_user() value evaluation")
+
+and explicitly evaluate all 3 arguments early.
+
+Reported-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Randy Dunlap <rdunlap@infradead.org> # build-tested
+Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: luto@kernel.org
+Fixes: 2a418cf3f5f1 ("x86/uaccess: Don't leak the AC flag into __put_user() value evaluation")
+Link: http://lkml.kernel.org/r/20190424072208.695962771@infradead.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/x86/include/asm/uaccess.h | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/include/asm/uaccess.h
++++ b/arch/x86/include/asm/uaccess.h
+@@ -422,10 +422,11 @@ do { \
+ #define __put_user_nocheck(x, ptr, size) \
+ ({ \
+ int __pu_err; \
+- __typeof__(*(ptr)) __pu_val; \
+- __pu_val = x; \
++ __typeof__(*(ptr)) __pu_val = (x); \
++ __typeof__(ptr) __pu_ptr = (ptr); \
++ __typeof__(size) __pu_size = (size); \
+ __uaccess_begin(); \
+- __put_user_size(__pu_val, (ptr), (size), __pu_err, -EFAULT); \
++ __put_user_size(__pu_val, __pu_ptr, __pu_size, __pu_err, -EFAULT); \
+ __uaccess_end(); \
+ __pu_err; \
+ })
diff --git a/upstream-head b/upstream-head
index e5ac138f..bda2a574 100644
--- a/upstream-head
+++ b/upstream-head
@@ -1 +1 @@
-e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd
+a188339ca5a396acc588e5851ed7e19f66b0ebd9 |
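Review bot: The three early copies in `__put_user_nocheck` carry no comment saying why they must come before `__uaccess_begin()`, so a later cleanup could fold `(ptr)` or `(size)` back into the `__put_user_size()` call. Going by the commit title, the AC flag is set between `__uaccess_begin()` and `__uaccess_end()`, which means SMAP does not stop kernel accesses to user pages there, and any argument expression evaluated in that window (a function call, sanitizer instrumentation) runs without that protection. I would add above the declarations `/* Evaluate all arguments before __uaccess_begin(); only the store itself may run with AC set. */ \`. The neighbouring macros are outside the hunk, so whether a `__get_user` counterpart needs the same treatment cannot be judged here.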