[PATCH 4.11 065/197] cxl: Route eeh events to all drivers in cxl_pci_error_detected()

Greg Kroah-Hartman

May 23, 2017, 4:20:07 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Vaibhav Jain <vai...@linux.vnet.ibm.com>

commit 4f58f0bf155e87dda31a3088b1e107fa9dd79f0e upstream.

Fix a boundary condition where in some cases an eeh event that results
in card reset isn't passed on to a driver attached to the virtual PCI
device associated with a slice. This will happen in case when a slice
attached device driver returns a value other than
PCI_ERS_RESULT_NEED_RESET from the eeh error_detected() callback. This
would result in an early return from cxl_pci_error_detected() and
other drivers attached to other AFUs on the card won't be notified.

The patch fixes this by making sure that all slice attached
device-drivers are notified and the return values from
error_detected() callback are aggregated in a scheme where request for
'disconnect' trumps all and 'none' trumps 'need_reset'.

Fixes: 9e8df8a21963 ("cxl: EEH support")
Signed-off-by: Vaibhav Jain <vai...@linux.vnet.ibm.com>
Reviewed-by: Andrew Donnellan <andrew.d...@au1.ibm.com>
Acked-by: Frederic Barrat <fba...@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <m...@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/misc/cxl/pci.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)

--- a/drivers/misc/cxl/pci.c
+++ b/drivers/misc/cxl/pci.c
@@ -1782,7 +1782,7 @@ static pci_ers_result_t cxl_pci_error_de
{
struct cxl *adapter = pci_get_drvdata(pdev);
struct cxl_afu *afu;
- pci_ers_result_t result = PCI_ERS_RESULT_NEED_RESET;
+ pci_ers_result_t result = PCI_ERS_RESULT_NEED_RESET, afu_result;
int i;

/* At this point, we could still have an interrupt pending.
@@ -1886,15 +1886,18 @@ static pci_ers_result_t cxl_pci_error_de
for (i = 0; i < adapter->slices; i++) {
afu = adapter->afu[i];

- result = cxl_vphb_error_detected(afu, state);
-
- /* Only continue if everyone agrees on NEED_RESET */
- if (result != PCI_ERS_RESULT_NEED_RESET)
- return result;
+ afu_result = cxl_vphb_error_detected(afu, state);

cxl_context_detach_all(afu);
cxl_ops->afu_deactivate_mode(afu, afu->current_mode);
pci_deconfigure_afu(afu);
+
+ /* Disconnect trumps all, NONE trumps NEED_RESET */
+ if (afu_result == PCI_ERS_RESULT_DISCONNECT)
+ result = PCI_ERS_RESULT_DISCONNECT;
+ else if ((afu_result == PCI_ERS_RESULT_NONE) &&
+ (result == PCI_ERS_RESULT_NEED_RESET))
+ result = PCI_ERS_RESULT_NONE;
}

/* should take the context lock here */
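Review bot: The aggregation at `if (afu_result == PCI_ERS_RESULT_DISCONNECT)` handles only DISCONNECT and NONE, so any other value returned by cxl_vphb_error_detected() is silently folded into NEED_RESET, whereas the removed code returned such a value to the caller. If that is intended, say so in the comment above the `if`; otherwise add an explicit branch or a warning for unexpected values.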

Greg Kroah-Hartman

May 23, 2017, 4:20:07 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit 49e67dd17649b60b4d54966e18ec9c80198227f0 upstream.

The memory allocator passed to __unflatten_device_tree() (e.g. a wrapped
kzalloc) can fail so add the missing sanity check to avoid dereferencing
a NULL pointer.

Fixes: fe14042358fa ("of/flattree: Refactor unflatten_device_tree and add fdt_unflatten_tree")
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Rob Herring <ro...@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/of/fdt.c | 3 +++
1 file changed, 3 insertions(+)

--- a/drivers/of/fdt.c
+++ b/drivers/of/fdt.c
@@ -505,6 +505,9 @@ static void *__unflatten_device_tree(con

/* Allocate memory for the expanded device tree */
mem = dt_alloc(size + 4, __alignof__(struct device_node));
+ if (!mem)
+ return NULL;
+
memset(mem, 0, size);

*(__be32 *)(mem + size) = cpu_to_be32(0xdeadbeef);
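Review bot: The new `if (!mem) return NULL;` fails silently, and nothing in this hunk shows that callers of __unflatten_device_tree() treat a NULL return as an allocation failure. Consider logging the failure here, and confirm each caller checks the return value before using it.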

Greg Kroah-Hartman

May 23, 2017, 4:20:08 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Peter Huewe <peter...@infineon.com>

commit f848f2143ae42dc0918400039257a893835254d1 upstream.

The algorithm for sending data to the TPM is mostly identical to the
algorithm for receiving data from the TPM, so a single function is
sufficient to handle both cases.

This is a prerequisite for all the other fixes, so we don't have to fix
everything twice (send/receive)

v2: u16 instead of u8 for the length.
Fixes: 0edbfea537d1 ("tpm/tpm_tis_spi: Add support for spi phy")
Signed-off-by: Alexander Steffen <Alexande...@infineon.com>
Signed-off-by: Peter Huewe <peter...@infineon.com>
Reviewed-by: Jarkko Sakkinen <jarkko....@linux.intel.com>
Tested-by: Benoit Houyere <benoit....@st.com>
Signed-off-by: Jarkko Sakkinen <jarkko....@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/char/tpm/tpm_tis_spi.c | 87 +++++++++++------------------------------
1 file changed, 24 insertions(+), 63 deletions(-)

--- a/drivers/char/tpm/tpm_tis_spi.c
+++ b/drivers/char/tpm/tpm_tis_spi.c
@@ -47,8 +47,8 @@ struct tpm_tis_spi_phy {
struct tpm_tis_data priv;
struct spi_device *spi_device;

- u8 tx_buf[MAX_SPI_FRAMESIZE + 4];
- u8 rx_buf[MAX_SPI_FRAMESIZE + 4];
+ u8 tx_buf[4];
+ u8 rx_buf[4];
};

static inline struct tpm_tis_spi_phy *to_tpm_tis_spi_phy(struct tpm_tis_data *data)
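Review bot: The bare `4` in `u8 tx_buf[4];` and `u8 rx_buf[4];` is the same header length that appears as `.len = 4` in the transfer function. A named constant would keep the three in sync and document that these buffers now hold only the header, not the payload.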
@@ -56,8 +56,8 @@ static inline struct tpm_tis_spi_phy *to
return container_of(data, struct tpm_tis_spi_phy, priv);
}

-static int tpm_tis_spi_read_bytes(struct tpm_tis_data *data, u32 addr,
- u16 len, u8 *result)
+static int tpm_tis_spi_transfer(struct tpm_tis_data *data, u32 addr, u16 len,
+ u8 *buffer, u8 direction)
{
struct tpm_tis_spi_phy *phy = to_tpm_tis_spi_phy(data);
int ret, i;
@@ -66,17 +66,17 @@ static int tpm_tis_spi_read_bytes(struct
.tx_buf = phy->tx_buf,
.rx_buf = phy->rx_buf,
.len = 4,
+ .cs_change = 1,
};

if (len > MAX_SPI_FRAMESIZE)
return -ENOMEM;

- phy->tx_buf[0] = 0x80 | (len - 1);
+ phy->tx_buf[0] = direction | (len - 1);
phy->tx_buf[1] = 0xd4;
- phy->tx_buf[2] = (addr >> 8) & 0xFF;
- phy->tx_buf[3] = addr & 0xFF;
+ phy->tx_buf[2] = addr >> 8;
+ phy->tx_buf[3] = addr;

- spi_xfer.cs_change = 1;
spi_message_init(&m);
spi_message_add_tail(&spi_xfer, &m);

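Review bot: `phy->tx_buf[0] = direction | (len - 1);` is guarded only by `len > MAX_SPI_FRAMESIZE`, so a `len` of 0 makes `len - 1` evaluate to -1 and the header byte becomes 0xFF regardless of `direction`. Reject `len == 0` alongside the upper-bound check. The `& 0xFF` masks dropped from the two address bytes also documented the intended truncation; a short comment would preserve that.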
@@ -85,7 +85,7 @@ static int tpm_tis_spi_read_bytes(struct
if (ret < 0)
goto exit;

- memset(phy->tx_buf, 0, len);
+ phy->tx_buf[0] = 0;

/* According to TCG PTP specification, if there is no TPM present at
* all, then the design has a weak pull-up on MISO. If a TPM is not
@@ -103,7 +103,14 @@ static int tpm_tis_spi_read_bytes(struct

spi_xfer.cs_change = 0;
spi_xfer.len = len;
- spi_xfer.rx_buf = result;
+
+ if (direction) {
+ spi_xfer.tx_buf = NULL;
+ spi_xfer.rx_buf = buffer;
+ } else {
+ spi_xfer.tx_buf = buffer;
+ spi_xfer.rx_buf = NULL;
+ }

spi_message_init(&m);
spi_message_add_tail(&spi_xfer, &m);
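Review bot: `if (direction)` treats any non-zero value as a read, while the header byte is built with `direction | (len - 1)`, so the parameter is really a bit mask that must be exactly 0x80 or 0. Define named constants for the two values, or take a bool and derive the header bit from it, so a caller cannot pass something that corrupts the length field.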
@@ -114,62 +121,16 @@ exit:
return ret;
}

+static int tpm_tis_spi_read_bytes(struct tpm_tis_data *data, u32 addr,
+ u16 len, u8 *result)
+{
+ return tpm_tis_spi_transfer(data, addr, len, result, 0x80);
+}
+
static int tpm_tis_spi_write_bytes(struct tpm_tis_data *data, u32 addr,
u16 len, u8 *value)
{
- struct tpm_tis_spi_phy *phy = to_tpm_tis_spi_phy(data);
- int ret, i;
- struct spi_message m;
- struct spi_transfer spi_xfer = {
- .tx_buf = phy->tx_buf,
- .rx_buf = phy->rx_buf,
- .len = 4,
- };
-
- if (len > MAX_SPI_FRAMESIZE)
- return -ENOMEM;
-
- phy->tx_buf[0] = len - 1;
- phy->tx_buf[1] = 0xd4;
- phy->tx_buf[2] = (addr >> 8) & 0xFF;
- phy->tx_buf[3] = addr & 0xFF;
-
- spi_xfer.cs_change = 1;
- spi_message_init(&m);
- spi_message_add_tail(&spi_xfer, &m);
-
- spi_bus_lock(phy->spi_device->master);
- ret = spi_sync_locked(phy->spi_device, &m);
- if (ret < 0)
- goto exit;
-
- memset(phy->tx_buf, 0, len);
-
- /* According to TCG PTP specification, if there is no TPM present at
- * all, then the design has a weak pull-up on MISO. If a TPM is not
- * present, a pull-up on MISO means that the SB controller sees a 1,
- * and will latch in 0xFF on the read.
- */
- for (i = 0; (phy->rx_buf[0] & 0x01) == 0 && i < TPM_RETRY; i++) {
- spi_xfer.len = 1;
- spi_message_init(&m);
- spi_message_add_tail(&spi_xfer, &m);
- ret = spi_sync_locked(phy->spi_device, &m);
- if (ret < 0)
- goto exit;
- }
-
- spi_xfer.len = len;
- spi_xfer.tx_buf = value;
- spi_xfer.cs_change = 0;
- spi_xfer.tx_buf = value;
- spi_message_init(&m);
- spi_message_add_tail(&spi_xfer, &m);
- ret = spi_sync_locked(phy->spi_device, &m);
-
-exit:
- spi_bus_unlock(phy->spi_device->master);
- return ret;
+ return tpm_tis_spi_transfer(data, addr, len, value, 0);
}

static int tpm_tis_spi_read16(struct tpm_tis_data *data, u32 addr, u16 *result)

Greg Kroah-Hartman

May 23, 2017, 4:20:08 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: James Smart <jsmar...@gmail.com>

commit 4492b739c9ccfaf828bd7c02dc779ec2a5e55ff4 upstream.

To select the appropriate shost template, the driver is issuing a
mailbox command to retrieve the wwn. Turns out the sending of the
command precedes the reset of the function. On SLI-4 adapters, this is
inconsequential as the mailbox command location is specified by dma via
the BMBX register. However, on SLI-3 adapters, the location of the
mailbox command submission area changes. When the function is first
powered on or reset, the cmd is submitted via PCI bar memory. Later the
driver changes the function config to use host memory and DMA. The
request to start a mailbox command is the same, a simple doorbell write,
regardless of submission area. So.. if there has not been a boot driver
run against the adapter, the mailbox command works as defaults are
ok. But, if the boot driver has configured the card, and if no
platform pci function/slot reset occurs as the os starts, the mailbox
command will fail. The SLI-3 device will use the stale boot driver dma
location. This can cause PCI eeh errors.

Fix is to reset the sli-3 function before sending the mailbox command,
thus synchronizing the function/driver on mailbox location.

Note: The fix uses routines that are typically invoked later in the call
flow to reset the sli-3 device. The issue in using those routines is
that the normal (non-fix) flow does additional initialization, namely
the allocation of the pport structure. So, rather than significantly
reworking the initialization flow so that the pport is alloc'd first,
pointer checks are added to work around it. Checks are limited to the
routines invoked by a sli-3 adapter (s3 routines) as this fix/early call
is only invoked on a sli3 adapter. Nothing changes post the
fix. Subsequent initialization, and another adapter reset, still occur -
both on sli-3 and sli-4 adapters.

Signed-off-by: Dick Kennedy <dick.k...@broadcom.com>
Signed-off-by: James Smart <james...@broadcom.com>
Fixes: 96418b5e2c88 ("scsi: lpfc: Fix eh_deadline setting for sli3 adapters.")
Reviewed-by: Ewan D. Milne <emi...@redhat.com>
Reviewed-by: Johannes Thumshirn <jthum...@suse.de>
Signed-off-by: Martin K. Petersen <martin....@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/scsi/lpfc/lpfc_crtn.h | 1 +
drivers/scsi/lpfc/lpfc_init.c | 7 +++++++
drivers/scsi/lpfc/lpfc_sli.c | 19 ++++++++++++-------
3 files changed, 20 insertions(+), 7 deletions(-)

--- a/drivers/scsi/lpfc/lpfc_crtn.h
+++ b/drivers/scsi/lpfc/lpfc_crtn.h
@@ -289,6 +289,7 @@ int lpfc_selective_reset(struct lpfc_hba
void lpfc_reset_barrier(struct lpfc_hba *);
int lpfc_sli_brdready(struct lpfc_hba *, uint32_t);
int lpfc_sli_brdkill(struct lpfc_hba *);
+int lpfc_sli_chipset_init(struct lpfc_hba *phba);
int lpfc_sli_brdreset(struct lpfc_hba *);
int lpfc_sli_brdrestart(struct lpfc_hba *);
int lpfc_sli_hba_setup(struct lpfc_hba *);
--- a/drivers/scsi/lpfc/lpfc_init.c
+++ b/drivers/scsi/lpfc/lpfc_init.c
@@ -3563,6 +3563,13 @@ lpfc_get_wwpn(struct lpfc_hba *phba)
LPFC_MBOXQ_t *mboxq;
MAILBOX_t *mb;

+ if (phba->sli_rev < LPFC_SLI_REV4) {
+ /* Reset the port first */
+ lpfc_sli_brdrestart(phba);
+ rc = lpfc_sli_chipset_init(phba);
+ if (rc)
+ return (uint64_t)-1;
+ }

mboxq = (LPFC_MBOXQ_t *) mempool_alloc(phba->mbox_mem_pool,
GFP_KERNEL);
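Review bot: The return value of `lpfc_sli_brdrestart(phba);` is dropped while `lpfc_sli_chipset_init()` on the next line is checked; the prototype in lpfc_crtn.h shows brdrestart returns int. Check it too and bail out with the same `(uint64_t)-1`, or add a comment explaining why a failed restart can be ignored here.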
--- a/drivers/scsi/lpfc/lpfc_sli.c
+++ b/drivers/scsi/lpfc/lpfc_sli.c
@@ -4204,13 +4204,16 @@ lpfc_sli_brdreset(struct lpfc_hba *phba)
/* Reset HBA */
lpfc_printf_log(phba, KERN_INFO, LOG_SLI,
"0325 Reset HBA Data: x%x x%x\n",
- phba->pport->port_state, psli->sli_flag);
+ (phba->pport) ? phba->pport->port_state : 0,
+ psli->sli_flag);

/* perform board reset */
phba->fc_eventTag = 0;
phba->link_events = 0;
- phba->pport->fc_myDID = 0;
- phba->pport->fc_prevDID = 0;
+ if (phba->pport) {
+ phba->pport->fc_myDID = 0;
+ phba->pport->fc_prevDID = 0;
+ }

/* Turn off parity checking and serr during the physical reset */
pci_read_config_word(phba->pcidev, PCI_COMMAND, &cfg_value);
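Review bot: `(phba->pport) ? phba->pport->port_state : 0` logs 0 when pport has not been allocated, which cannot be told apart from a real port_state of 0 in the "0325 Reset HBA" message. Since the same NULL test is repeated across lpfc_sli_brdreset() and lpfc_sli_brdrestart_s3(), a one-line comment at each site noting that pport may be NULL on the early call from lpfc_get_wwpn() would help the next reader.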
@@ -4336,7 +4339,8 @@ lpfc_sli_brdrestart_s3(struct lpfc_hba *
/* Restart HBA */
lpfc_printf_log(phba, KERN_INFO, LOG_SLI,
"0337 Restart HBA Data: x%x x%x\n",
- phba->pport->port_state, psli->sli_flag);
+ (phba->pport) ? phba->pport->port_state : 0,
+ psli->sli_flag);

word0 = 0;
mb = (MAILBOX_t *) &word0;
@@ -4350,7 +4354,7 @@ lpfc_sli_brdrestart_s3(struct lpfc_hba *
readl(to_slim); /* flush */

/* Only skip post after fc_ffinit is completed */
- if (phba->pport->port_state)
+ if (phba->pport && phba->pport->port_state)
word0 = 1; /* This is really setting up word1 */
else
word0 = 0; /* This is really setting up word1 */
@@ -4359,7 +4363,8 @@ lpfc_sli_brdrestart_s3(struct lpfc_hba *
readl(to_slim); /* flush */

lpfc_sli_brdreset(phba);
- phba->pport->stopped = 0;
+ if (phba->pport)
+ phba->pport->stopped = 0;
phba->link_state = LPFC_INIT_START;
phba->hba_flag = 0;
spin_unlock_irq(&phba->hbalock);
@@ -4446,7 +4451,7 @@ lpfc_sli_brdrestart(struct lpfc_hba *phb
* iteration, the function will restart the HBA again. The function returns
* zero if HBA successfully restarted else returns negative error code.
**/
-static int
+int
lpfc_sli_chipset_init(struct lpfc_hba *phba)
{
uint32_t status, i = 0;

Greg Kroah-Hartman

May 23, 2017, 4:20:08 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Dmitry Tunin <hanipo...@gmail.com>

commit 16ff1fb0e32f76a5d285a6f23b82d21aa52813c6 upstream.

T: Bus=01 Lev=02 Prnt=02 Port=02 Cnt=01 Dev#= 7 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=ff(vend.) Sub=ff Prot=ff MxPS=64 #Cfgs= 1
P: Vendor=1eda ProdID=2315 Rev=01.08
S: Manufacturer=ATHEROS
S: Product=USB2.0 WLAN
S: SerialNumber=12345
C: #Ifs= 1 Cfg#= 1 Atr=80 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 6 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)

Signed-off-by: Dmitry Tunin <hanipo...@gmail.com>
Signed-off-by: Kalle Valo <kv...@qca.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/net/wireless/ath/ath9k/hif_usb.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -37,6 +37,7 @@ static struct usb_device_id ath9k_hif_us
{ USB_DEVICE(0x0cf3, 0xb002) }, /* Ubiquiti WifiStation */
{ USB_DEVICE(0x057c, 0x8403) }, /* AVM FRITZ!WLAN 11N v2 USB */
{ USB_DEVICE(0x0471, 0x209e) }, /* Philips (or NXP) PTA01 */
+ { USB_DEVICE(0x1eda, 0x2315) }, /* AirTies */

{ USB_DEVICE(0x0cf3, 0x7015),
.driver_info = AR9287_USB }, /* Atheros */
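Review bot: The comment on the new `{ USB_DEVICE(0x1eda, 0x2315) }` entry gives only a vendor name, `/* AirTies */`, where the three entries above it name the product. Add the model so the entry can be matched to hardware later.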

Greg Kroah-Hartman

May 23, 2017, 4:20:08 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Yazen Ghannam <yazen....@amd.com>

commit eb77e6b80f3bed262c7773236f0fb84649fd3091 upstream.

The wrong index into the csbases/csmasks arrays was being passed to
the function to compute the chip select sizes, which resulted in the
wrong size being computed. Address that so that the correct values are
computed and printed.

Also, redo how we calculate the number of pages in a CS row.

Reported-by: Benjamin Bennett <benbe...@gmail.com>
Signed-off-by: Yazen Ghannam <yazen....@amd.com>
Cc: linux-edac <linux...@vger.kernel.org>
Link: http://lkml.kernel.org/r/1493313114-11260-1-git-...@amd.com
[ Remove unneeded integer math comment, minor cleanups. ]
Signed-off-by: Borislav Petkov <b...@suse.de>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/edac/amd64_edac.c | 40 +++++++++++++++++++---------------------
1 file changed, 19 insertions(+), 21 deletions(-)

--- a/drivers/edac/amd64_edac.c
+++ b/drivers/edac/amd64_edac.c
@@ -782,24 +782,26 @@ static void debug_dump_dramcfg_low(struc

static void debug_display_dimm_sizes_df(struct amd64_pvt *pvt, u8 ctrl)
{
- u32 *dcsb = ctrl ? pvt->csels[1].csbases : pvt->csels[0].csbases;
- int dimm, size0, size1;
+ int dimm, size0, size1, cs0, cs1;

edac_printk(KERN_DEBUG, EDAC_MC, "UMC%d chip selects:\n", ctrl);

for (dimm = 0; dimm < 4; dimm++) {
size0 = 0;
+ cs0 = dimm * 2;

- if (dcsb[dimm*2] & DCSB_CS_ENABLE)
- size0 = pvt->ops->dbam_to_cs(pvt, ctrl, 0, dimm);
+ if (csrow_enabled(cs0, ctrl, pvt))
+ size0 = pvt->ops->dbam_to_cs(pvt, ctrl, 0, cs0);

size1 = 0;
- if (dcsb[dimm*2 + 1] & DCSB_CS_ENABLE)
- size1 = pvt->ops->dbam_to_cs(pvt, ctrl, 0, dimm);
+ cs1 = dimm * 2 + 1;
+
+ if (csrow_enabled(cs1, ctrl, pvt))
+ size1 = pvt->ops->dbam_to_cs(pvt, ctrl, 0, cs1);

amd64_info(EDAC_MC ": %d: %5dMB %d: %5dMB\n",
- dimm * 2, size0,
- dimm * 2 + 1, size1);
+ cs0, size0,
+ cs1, size1);
}
}

@@ -2756,26 +2758,22 @@ skip:
* encompasses
*
*/
-static u32 get_csrow_nr_pages(struct amd64_pvt *pvt, u8 dct, int csrow_nr)
+static u32 get_csrow_nr_pages(struct amd64_pvt *pvt, u8 dct, int csrow_nr_orig)
{
- u32 cs_mode, nr_pages;
u32 dbam = dct ? pvt->dbam1 : pvt->dbam0;
+ int csrow_nr = csrow_nr_orig;
+ u32 cs_mode, nr_pages;

+ if (!pvt->umc)
+ csrow_nr >>= 1;

- /*
- * The math on this doesn't look right on the surface because x/2*4 can
- * be simplified to x*2 but this expression makes use of the fact that
- * it is integral math where 1/2=0. This intermediate value becomes the
- * number of bits to shift the DBAM register to extract the proper CSROW
- * field.
- */
- cs_mode = DBAM_DIMM(csrow_nr / 2, dbam);
+ cs_mode = DBAM_DIMM(csrow_nr, dbam);

- nr_pages = pvt->ops->dbam_to_cs(pvt, dct, cs_mode, (csrow_nr / 2))
- << (20 - PAGE_SHIFT);
+ nr_pages = pvt->ops->dbam_to_cs(pvt, dct, cs_mode, csrow_nr);
+ nr_pages <<= 20 - PAGE_SHIFT;

edac_dbg(0, "csrow: %d, channel: %d, DBAM idx: %d\n",
- csrow_nr, dct, cs_mode);
+ csrow_nr_orig, dct, cs_mode);
edac_dbg(0, "nr_pages/channel: %u\n", nr_pages);

return nr_pages;
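Review bot: `if (!pvt->umc) csrow_nr >>= 1;` replaces the old `csrow_nr / 2`, but the comment that explained the halving was removed with it and nothing says why UMC systems use the index unshifted. Add a short comment at the `if` stating what csrow_nr indexes in each case.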

Greg Kroah-Hartman

May 23, 2017, 4:20:08 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit aa58fedb8c7b6cf2f05941d238495f9e2f29655c upstream.

Make sure to check the number of endpoints to avoid accessing memory
beyond the endpoint array should a device lack the expected endpoints.

Note that, as far as I can tell, the gspca framework has already made
sure there is at least one endpoint in the current alternate setting so
there should be no risk for a NULL-pointer dereference here.

Fixes: b517af722860 ("V4L/DVB: gspca_konica: New gspca subdriver for
konica chipset using cams")

Cc: Hans de Goede <hdeg...@redhat.com>
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Hans Verkuil <hans...@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mch...@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/media/usb/gspca/konica.c | 3 +++
1 file changed, 3 insertions(+)

--- a/drivers/media/usb/gspca/konica.c
+++ b/drivers/media/usb/gspca/konica.c
@@ -184,6 +184,9 @@ static int sd_start(struct gspca_dev *gs
return -EIO;
}

+ if (alt->desc.bNumEndpoints < 2)
+ return -ENODEV;
+
packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);

n = gspca_dev->cam.cam_mode[gspca_dev->curr_mode].priv;
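Review bot: `if (alt->desc.bNumEndpoints < 2)` requires two endpoints, but the only access visible in this hunk is `alt->endpoint[0]`. A comment naming where the second endpoint is used would make the bound self-explanatory, and a log message before `return -ENODEV;` would tell the user why the stream failed to start.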

Greg Kroah-Hartman

May 23, 2017, 4:20:08 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Nayna Jain <na...@linux.vnet.ibm.com>

commit 0afb7118ae021e80ecf70f5a3336e0935505518a upstream.

Currently, there is an unnecessary 1 msec delay added in
i2c_nuvoton_write_status() for the successful case. This
function is called multiple times during send() and recv(),
which implies adding multiple extra delays for every TPM
operation.

This patch calls usleep_range() only if retry is to be done.

Signed-off-by: Nayna Jain <na...@linux.vnet.ibm.com>
Reviewed-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
Reviewed-by: Jarkko Sakkinen <jarkko....@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko....@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/char/tpm/tpm_i2c_nuvoton.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/char/tpm/tpm_i2c_nuvoton.c
+++ b/drivers/char/tpm/tpm_i2c_nuvoton.c
@@ -124,8 +124,9 @@ static s32 i2c_nuvoton_write_status(stru
/* this causes the current command to be aborted */
for (i = 0, status = -1; i < TPM_I2C_RETRY_COUNT && status < 0; i++) {
status = i2c_nuvoton_write_buf(client, TPM_STS, 1, &data);
- usleep_range(TPM_I2C_BUS_DELAY, TPM_I2C_BUS_DELAY
- + TPM_I2C_DELAY_RANGE);
+ if (status < 0)
+ usleep_range(TPM_I2C_BUS_DELAY, TPM_I2C_BUS_DELAY
+ + TPM_I2C_DELAY_RANGE);
}
return status;
}
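Review bot: With `if (status < 0)` guarding the sleep, the loop still calls usleep_range() after the last failed attempt, just before `i < TPM_I2C_RETRY_COUNT` ends the loop and the error is returned. Skipping the delay on the final iteration would remove that wait too. The two-line usleep_range() call under the unbraced `if` would also read better with braces.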

Greg Kroah-Hartman

May 23, 2017, 4:20:08 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <ti...@suse.de>

commit d66bb1607e2d8d384e53f3d93db5c18483c8c4f7 upstream.

proc_create_mount_point() forgot to increase the parent's nlink, and
it resulted in unbalanced hard link numbers, e.g. /proc/fs shows one
less than expected.

Fixes: eb6d38d5427b ("proc: Allow creating permanently empty directories...")
Reported-by: Tristan Ye <trist...@suse.com>
Signed-off-by: Takashi Iwai <ti...@suse.de>
Signed-off-by: Eric W. Biederman <ebie...@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
fs/proc/generic.c | 1 +
1 file changed, 1 insertion(+)

--- a/fs/proc/generic.c
+++ b/fs/proc/generic.c
@@ -472,6 +472,7 @@ struct proc_dir_entry *proc_create_mount
ent->data = NULL;
ent->proc_fops = NULL;
ent->proc_iops = NULL;
+ parent->nlink++;
if (proc_register(parent, ent) < 0) {
kfree(ent);
parent->nlink--;
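Review bot: `parent->nlink++;` is added ahead of proc_register(), and the existing `parent->nlink--;` in the failure branch shows that path was decrementing without a matching increment as well. The commit message mentions only the success case; note the failure path there too.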

Greg Kroah-Hartman

May 23, 2017, 4:20:08 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Jeeja KP <jeej...@intel.com>

commit 960013762df0a214b57f2fce655422fb52bdfd2c upstream.

Using jiffies in hdac_wait_for_cmd_dmas() to determine when to time out
when interrupts are off (snd_hdac_bus_stop_cmd_io()/spin_lock_irq())
causes hard lockup so unlock while waiting using jiffies.

---<-snip->---
<0>[ 1211.603046] NMI watchdog: Watchdog detected hard LOCKUP on cpu 3
<4>[ 1211.603047] Modules linked in: snd_hda_intel i915 vgem
<4>[ 1211.603053] irq event stamp: 13366
<4>[ 1211.603053] hardirqs last enabled at (13365):
...
<4>[ 1211.603059] Call Trace:
<4>[ 1211.603059] ? delay_tsc+0x3d/0xc0
<4>[ 1211.603059] __delay+0xa/0x10
<4>[ 1211.603060] __const_udelay+0x31/0x40
<4>[ 1211.603060] snd_hdac_bus_stop_cmd_io+0x96/0xe0 [snd_hda_core]
<4>[ 1211.603060] ? azx_dev_disconnect+0x20/0x20 [snd_hda_intel]
<4>[ 1211.603061] snd_hdac_bus_stop_chip+0xb1/0x100 [snd_hda_core]
<4>[ 1211.603061] azx_stop_chip+0x9/0x10 [snd_hda_codec]
<4>[ 1211.603061] azx_suspend+0x72/0x220 [snd_hda_intel]
<4>[ 1211.603061] pci_pm_suspend+0x71/0x140
<4>[ 1211.603062] dpm_run_callback+0x6f/0x330
<4>[ 1211.603062] ? pci_pm_freeze+0xe0/0xe0
<4>[ 1211.603062] __device_suspend+0xf9/0x370
<4>[ 1211.603062] ? dpm_watchdog_set+0x60/0x60
<4>[ 1211.603063] async_suspend+0x1a/0x90
<4>[ 1211.603063] async_run_entry_fn+0x34/0x160
<4>[ 1211.603063] process_one_work+0x1f4/0x6d0
<4>[ 1211.603063] ? process_one_work+0x16e/0x6d0
<4>[ 1211.603064] worker_thread+0x49/0x4a0
<4>[ 1211.603064] kthread+0x107/0x140
<4>[ 1211.603064] ? process_one_work+0x6d0/0x6d0
<4>[ 1211.603065] ? kthread_create_on_node+0x40/0x40
<4>[ 1211.603065] ret_from_fork+0x2e/0x40

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=100419
Fixes: 38b19ed7f81ec ("ALSA: hda: fix to wait for RIRB & CORB DMA to set")
Reported-by: Marta Lofstedt <marta.l...@intel.com>
Suggested-by: Takashi Iwai <ti...@suse.de>
Signed-off-by: Jeeja KP <jeej...@intel.com>
Acked-by: Vinod Koul <vinod...@intel.com>
Signed-off-by: Takashi Iwai <ti...@suse.de>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
sound/hda/hdac_controller.c | 4 ++++
1 file changed, 4 insertions(+)

--- a/sound/hda/hdac_controller.c
+++ b/sound/hda/hdac_controller.c
@@ -106,7 +106,11 @@ void snd_hdac_bus_stop_cmd_io(struct hda
/* disable ringbuffer DMAs */
snd_hdac_chip_writeb(bus, RIRBCTL, 0);
snd_hdac_chip_writeb(bus, CORBCTL, 0);
+ spin_unlock_irq(&bus->reg_lock);
+
hdac_wait_for_cmd_dmas(bus);
+
+ spin_lock_irq(&bus->reg_lock);
/* disable unsolicited responses */
snd_hdac_chip_updatel(bus, GCTL, AZX_GCTL_UNSOL, 0);
spin_unlock_irq(&bus->reg_lock);
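Review bot: Dropping `bus->reg_lock` around `hdac_wait_for_cmd_dmas(bus);` opens a window in which other holders of the lock can run between the RIRBCTL/CORBCTL writes and the GCTL update. Add a comment at the new `spin_unlock_irq()` explaining why the wait needs interrupts enabled and why it is safe to release the lock at this point.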

Greg Kroah-Hartman

May 23, 2017, 4:20:08 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Andrey Korolyov <and...@xdel.ru>

commit 5f63424ab7daac840df2b12dd5bcc5b38d50f779 upstream.

This patch adds support for recognition of ARM-USB-TINY(H) devices which
are almost identical to ARM-USB-OCD(H) but lacking separate barrel jack
and serial console.

By suggestion from Johan Hovold it is possible to replace
ftdi_jtag_quirk with a bit more generic construction. Since all
Olimex-ARM debuggers have exactly two ports, we could safely always use
only second port within the debugger family.

Signed-off-by: Andrey Korolyov <and...@xdel.ru>
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/usb/serial/ftdi_sio.c | 8 ++++----
drivers/usb/serial/ftdi_sio_ids.h | 2 ++
2 files changed, 6 insertions(+), 4 deletions(-)

--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -809,10 +809,10 @@ static const struct usb_device_id id_tab
{ USB_DEVICE(FTDI_VID, FTDI_PROPOX_ISPCABLEIII_PID) },
{ USB_DEVICE(FTDI_VID, CYBER_CORTEX_AV_PID),
.driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
- { USB_DEVICE(OLIMEX_VID, OLIMEX_ARM_USB_OCD_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
- { USB_DEVICE(OLIMEX_VID, OLIMEX_ARM_USB_OCD_H_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+ { USB_DEVICE_INTERFACE_NUMBER(OLIMEX_VID, OLIMEX_ARM_USB_OCD_PID, 1) },
+ { USB_DEVICE_INTERFACE_NUMBER(OLIMEX_VID, OLIMEX_ARM_USB_OCD_H_PID, 1) },
+ { USB_DEVICE_INTERFACE_NUMBER(OLIMEX_VID, OLIMEX_ARM_USB_TINY_PID, 1) },
+ { USB_DEVICE_INTERFACE_NUMBER(OLIMEX_VID, OLIMEX_ARM_USB_TINY_H_PID, 1) },
{ USB_DEVICE(FIC_VID, FIC_NEO1973_DEBUG_PID),
.driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
{ USB_DEVICE(FTDI_VID, FTDI_OOCDLINK_PID),
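Review bot: The literal `1` in the four `USB_DEVICE_INTERFACE_NUMBER(OLIMEX_VID, ..., 1)` entries is undocumented, and for the existing OCD and OCD_H IDs it replaces `ftdi_jtag_quirk`, which changes behaviour for already-supported devices. Add a comment above the entries stating that only the second port is bound on this debugger family.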
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -882,6 +882,8 @@
/* Olimex */
#define OLIMEX_VID 0x15BA
#define OLIMEX_ARM_USB_OCD_PID 0x0003
+#define OLIMEX_ARM_USB_TINY_PID 0x0004
+#define OLIMEX_ARM_USB_TINY_H_PID 0x002a
#define OLIMEX_ARM_USB_OCD_H_PID 0x002b

/*

Greg Kroah-Hartman

May 23, 2017, 4:20:09 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Gerd Hoffmann <kra...@redhat.com>

commit 21a60f6e65181cad64fd66ccc8080d413721ba27 upstream.

On a loaded virtualization host (dozen guests booting at the same time)
it may happen that the ohci controller emulation doesn't manage to do
timely frame processing, with the result that the io watchdog fires and
considers the controller being dead, even though it's only the emulation
being unusually slow due to the load peak.

So, add a quirk for qemu and don't use the watchdog in case we figure we
are running on emulated ohci. The virtual ohci controller masquerades
as apple ohci controller, but we can identify it by subsystem id.

Signed-off-by: Gerd Hoffmann <kra...@redhat.com>
Signed-off-by: Alan Stern <st...@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/usb/host/ohci-hcd.c | 3 ++-
drivers/usb/host/ohci-pci.c | 16 ++++++++++++++++
drivers/usb/host/ohci.h | 1 +
3 files changed, 19 insertions(+), 1 deletion(-)

--- a/drivers/usb/host/ohci-hcd.c
+++ b/drivers/usb/host/ohci-hcd.c
@@ -231,7 +231,8 @@ static int ohci_urb_enqueue (

/* Start up the I/O watchdog timer, if it's not running */
if (!timer_pending(&ohci->io_watchdog) &&
- list_empty(&ohci->eds_in_use)) {
+ list_empty(&ohci->eds_in_use) &&
+ !(ohci->flags & OHCI_QUIRK_QEMU)) {
ohci->prev_frame_no = ohci_frame_no(ohci);
mod_timer(&ohci->io_watchdog,
jiffies + IO_WATCHDOG_DELAY);
--- a/drivers/usb/host/ohci-pci.c
+++ b/drivers/usb/host/ohci-pci.c
@@ -164,6 +164,15 @@ static int ohci_quirk_amd700(struct usb_
return 0;
}

+static int ohci_quirk_qemu(struct usb_hcd *hcd)
+{
+ struct ohci_hcd *ohci = hcd_to_ohci(hcd);
+
+ ohci->flags |= OHCI_QUIRK_QEMU;
+ ohci_dbg(ohci, "enabled qemu quirk\n");
+ return 0;
+}
+
/* List of quirks for OHCI */
static const struct pci_device_id ohci_pci_quirks[] = {
{
@@ -214,6 +223,13 @@ static const struct pci_device_id ohci_p
PCI_DEVICE(PCI_VENDOR_ID_ATI, 0x4399),
.driver_data = (unsigned long)ohci_quirk_amd700,
},
+ {
+ .vendor = PCI_VENDOR_ID_APPLE,
+ .device = 0x003f,
+ .subvendor = PCI_SUBVENDOR_ID_REDHAT_QUMRANET,
+ .subdevice = PCI_SUBDEVICE_ID_QEMU,
+ .driver_data = (unsigned long)ohci_quirk_qemu,
+ },

/* FIXME for some of the early AMD 760 southbridges, OHCI
* won't work at all. blacklist them.
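Review bot: `.device = 0x003f` is a bare device ID in the new table entry while the vendor, subvendor and subdevice fields use named constants. Add a define, or at least a comment, identifying the device the emulated controller presents.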
--- a/drivers/usb/host/ohci.h
+++ b/drivers/usb/host/ohci.h
@@ -418,6 +418,7 @@ struct ohci_hcd {
#define OHCI_QUIRK_AMD_PLL 0x200 /* AMD PLL quirk*/
#define OHCI_QUIRK_AMD_PREFETCH 0x400 /* pre-fetch for ISO transfer */
#define OHCI_QUIRK_GLOBAL_SUSPEND 0x800 /* must suspend ports */
+#define OHCI_QUIRK_QEMU 0x1000 /* relax timing expectations */

// there are also chip quirks/bugs in init logic
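Review bot: The comment on `OHCI_QUIRK_QEMU`, `/* relax timing expectations */`, understates what the flag does: in ohci_urb_enqueue() it prevents the I/O watchdog from being armed at all. Word the comment to say the watchdog is disabled.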

Greg Kroah-Hartman

May 23, 2017, 4:20:09 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Lee Jones <lee....@linaro.org>

commit 43c0c03961d0b19bd225a336897606b46e0021a6 upstream.

Currently when the RC Core is enabled (reachable) core code located
in cec_register_adapter() attempts to populate the RC structure with
a pointer to the 'parent' passed in by the caller.

Unfortunately if the caller did not specify RC capability when calling
cec_allocate_adapter(), then there will be no RC structure to populate.

This causes a "NULL pointer dereference" error.

Fixes: f51e80804f0 ("[media] cec: pass parent device in register(), not allocate()")

Signed-off-by: Lee Jones <lee....@linaro.org>
Signed-off-by: Hans Verkuil <hans.v...@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mch...@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/media/cec/cec-core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/media/cec/cec-core.c
+++ b/drivers/media/cec/cec-core.c
@@ -286,8 +286,8 @@ int cec_register_adapter(struct cec_adap
adap->devnode.dev.parent = parent;

#if IS_REACHABLE(CONFIG_RC_CORE)
- adap->rc->dev.parent = parent;
if (adap->capabilities & CEC_CAP_RC) {
+ adap->rc->dev.parent = parent;
res = rc_register_device(adap->rc);

if (res) {
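Review bot: `adap->rc->dev.parent = parent;` now relies on CEC_CAP_RC implying that `adap->rc` was allocated, and nothing in this hunk enforces that. Testing `adap->rc` alongside the capability bit, or a comment stating the invariant, would keep the dereference safe if the two ever diverge.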

Greg Kroah-Hartman

May 23, 2017, 4:20:09 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Ben Skeggs <bsk...@redhat.com>

commit 330bdf62fe6a6c5b99a647f7bf7157107c9348b3 upstream.

The idea here was to avoid having to "manually" program the HW if there's
a new earliest alarm. This was lazy and bad, as it leads to loads of fun
races between inter-related callers (ie. therm).

Turns out, it's not so difficult after all. Go figure ;)

Signed-off-by: Ben Skeggs <bsk...@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/gpu/drm/nouveau/nvkm/subdev/timer/base.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)

--- a/drivers/gpu/drm/nouveau/nvkm/subdev/timer/base.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/timer/base.c
@@ -80,12 +80,22 @@ nvkm_timer_alarm(struct nvkm_timer *tmr,
if (list->timestamp > alarm->timestamp)
break;
}
+
list_add_tail(&alarm->head, &list->head);
+
+ /* Update HW if this is now the earliest alarm. */
+ list = list_first_entry(&tmr->alarms, typeof(*list), head);
+ if (list == alarm) {
+ tmr->func->alarm_init(tmr, alarm->timestamp);
+ /* This shouldn't happen if callers aren't stupid.
+ *
+ * Worst case scenario is that it'll take roughly
+ * 4 seconds for the next alarm to trigger.
+ */
+ WARN_ON(alarm->timestamp <= nvkm_timer_read(tmr));
+ }
}
spin_unlock_irqrestore(&tmr->lock, flags);
-
- /* process pending alarms */
- nvkm_timer_alarm_trigger(tmr);
}

void
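
Review bot: The new WARN_ON(alarm->timestamp <= nvkm_timer_read(tmr)) runs with tmr->lock held and interrupts disabled, and it will fire on every call from a caller that keeps passing a too-short delay, so WARN_ON_ONCE would avoid repeated backtraces from inside the critical section. The comment above it says this "shouldn't happen" but does not say what minimum delay callers must respect now that nvkm_timer_alarm_trigger() is no longer called after unlock; stating that requirement would make the roughly 4 second worst case easier to reason about.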

Greg Kroah-Hartman

May 23, 2017, 4:20:09 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Petr Vandrovec <pe...@vmware.com>

commit fd5c78694f3f1c875e293de7a641ba8a3d60d00d upstream.

When TPM2 log has entries with more than 3 digests, or with digests
not listed in the log header, log gets misparsed, eventually
leading to kernel complaint that code tried to vmalloc 512MB of
memory (I have no idea what would happen on bigger system).

So code should not parse only first 3 digests: both event header
and event itself are already in memory, so we can parse any number
of digests, as long as we do not try to parse whole memory when
given count of 0xFFFFFFFF.

So this change:

* Rejects event entry with more digests than log header describes.
Digest types should be unique, and all should be described in
log header, so there cannot be more digests in the event than in
the header.

* Reject event entry with digest that is not described in the
log header. In theory code could hardcode information about
digest IDs already assigned by TCG, but if firmware authors
cannot get event log format right, why should anyone believe
that they got event log content right.

Fixes: 4d23cc323cdb ("tpm: add securityfs support for TPM 2.0 firmware event log")
Signed-off-by: Petr Vandrovec <pe...@vmware.com>
Reviewed-by: Jarkko Sakkinen <jarkko....@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko....@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/char/tpm/tpm2_eventlog.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)

--- a/drivers/char/tpm/tpm2_eventlog.c
+++ b/drivers/char/tpm/tpm2_eventlog.c
@@ -56,18 +56,24 @@ static int calc_tpm2_event_size(struct t

efispecid = (struct tcg_efi_specid_event *)event_header->event;

- for (i = 0; (i < event->count) && (i < TPM2_ACTIVE_PCR_BANKS);
- i++) {
+ /* Check if event is malformed. */
+ if (event->count > efispecid->num_algs)
+ return 0;
+
+ for (i = 0; i < event->count; i++) {
halg_size = sizeof(event->digests[i].alg_id);
memcpy(&halg, marker, halg_size);
marker = marker + halg_size;
- for (j = 0; (j < efispecid->num_algs); j++) {
+ for (j = 0; j < efispecid->num_algs; j++) {
if (halg == efispecid->digest_sizes[j].alg_id) {
- marker = marker +
+ marker +=
efispecid->digest_sizes[j].digest_size;
break;
}
}
+ /* Algorithm without known length. Such event is unparseable. */
+ if (j == efispecid->num_algs)
+ return 0;
}

event_field = (struct tcg_event_field *)marker;
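
Review bot: The two new checks bound event->count by efispecid->num_algs and reject unknown algorithm IDs, but efispecid->num_algs and digest_sizes[j].digest_size are themselves read from the firmware-supplied header and nothing in this hunk bounds them, so marker can still be advanced past the end of the mapped log before event_field is derived from it. Consider checking marker against the end of the log buffer after each advance. Also, the function now returns 0 for a malformed event; a comment on the function saying that 0 means "unparseable" would make the contract with callers explicit.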

Greg Kroah-Hartman

May 23, 2017, 4:20:09 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit 46c319b848268dab3f0e7c4a5b6e9146d3bca8a4 upstream.

Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer should a malicious device lack endpoints.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <jo...@kernel.org>
Reviewed-by: Guenter Roeck <li...@roeck-us.net>
Signed-off-by: Guenter Roeck <li...@roeck-us.net>
Signed-off-by: Wim Van Sebroeck <w...@iguana.be>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/watchdog/pcwd_usb.c | 3 +++
1 file changed, 3 insertions(+)

--- a/drivers/watchdog/pcwd_usb.c
+++ b/drivers/watchdog/pcwd_usb.c
@@ -630,6 +630,9 @@ static int usb_pcwd_probe(struct usb_int
return -ENODEV;
}

+ if (iface_desc->desc.bNumEndpoints < 1)
+ return -ENODEV;
+
/* check out the endpoint: it has to be Interrupt & IN */
endpoint = &iface_desc->endpoint[0].desc;
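
Review bot: The added bNumEndpoints < 1 check returns -ENODEV without any log output, so a device rejected here cannot be told apart from one rejected by the check just above it. A short message on this path would help when diagnosing a device with a malformed descriptor; the check itself is correctly placed before the endpoint[0] dereference.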

Greg Kroah-Hartman

May 23, 2017, 4:20:09 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Tyrel Datwyler <tyr...@linux.vnet.ibm.com>

commit b8475cbee5ab2eac05f9cd5dbcc94c453d3cbf10 upstream.

The call to of_find_node_by_path("/cpus") returns the cpus device_node
with its reference count incremented. There is no matching of_node_put()
call in of_numa_parse_cpu_nodes() which results in a leaked reference
to the "/cpus" node.

This patch adds an of_node_put() to release the reference.

fixes: 298535c00a2c ("of, numa: Add NUMA of binding implementation.")
Signed-off-by: Tyrel Datwyler <tyr...@linux.vnet.ibm.com>
Acked-by: David Daney <david...@cavium.com>
Signed-off-by: Rob Herring <ro...@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/of/of_numa.c | 2 ++
1 file changed, 2 insertions(+)

--- a/drivers/of/of_numa.c
+++ b/drivers/of/of_numa.c
@@ -57,6 +57,8 @@ static void __init of_numa_parse_cpu_nod
else
node_set(nid, numa_nodes_parsed);
}
+
+ of_node_put(cpus);
}

static int __init of_numa_parse_memory_nodes(void)

Greg Kroah-Hartman

May 23, 2017, 4:20:10 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Ben Skeggs <bsk...@redhat.com>

commit 9fc64667ee48c9a25e7dca1a6bcb6906fec5bcc5 upstream.

At least therm/fantog "attempts" to work around this issue, which could
lead to corruption of the pending alarm list.

Fix it properly by not updating the timestamp without the lock held, or
trying to add an already pending alarm to the pending alarm list....

Signed-off-by: Ben Skeggs <bsk...@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/gpu/drm/nouveau/nvkm/subdev/timer/base.c | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)

--- a/drivers/gpu/drm/nouveau/nvkm/subdev/timer/base.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/timer/base.c
@@ -65,14 +65,17 @@ nvkm_timer_alarm(struct nvkm_timer *tmr,
struct nvkm_alarm *list;
unsigned long flags;

- alarm->timestamp = nvkm_timer_read(tmr) + nsec;
-
- /* append new alarm to list, in soonest-alarm-first order */
+ /* Remove alarm from pending list.
+ *
+ * This both protects against the corruption of the list,
+ * and implements alarm rescheduling/cancellation.
+ */
spin_lock_irqsave(&tmr->lock, flags);
- if (!nsec) {
- if (!list_empty(&alarm->head))
- list_del(&alarm->head);
- } else {
+ list_del_init(&alarm->head);
+
+ if (nsec) {
+ /* Insert into pending list, ordered earliest to latest. */
+ alarm->timestamp = nvkm_timer_read(tmr) + nsec;
list_for_each_entry(list, &tmr->alarms, head) {
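
Review bot: list_del_init(&alarm->head) is now unconditional, so every alarm passed in must have had its head initialised before the first call; an uninitialised head would be unlinked through garbage pointers while tmr->lock is held. The new comment explains why the removal is there but not this precondition. Adding it to the comment (or to the function's documentation) would make the requirement visible to callers.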

Greg Kroah-Hartman

May 23, 2017, 4:20:10 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Alexander Steffen <Alexande...@infineon.com>

commit 302a6ad7fc77146191126a1f3e2c5d724fd72416 upstream.

TIS v1.3 for TPM 1.2 and PTP for TPM 2.0 disagree about which timeout
value applies to reading a valid burstcount. It is TIMEOUT_D according to
TIS, but TIMEOUT_A according to PTP, so choose the appropriate value
depending on whether we deal with a TPM 1.2 or a TPM 2.0.

This is important since according to the PTP TIMEOUT_D is much smaller
than TIMEOUT_A. So the previous implementation could run into timeouts
with a TPM 2.0, even though the TPM was behaving perfectly fine.

During tpm2_probe TIMEOUT_D will be used even with a TPM 2.0, because
TPM_CHIP_FLAG_TPM2 is not yet set. This is fine, since the timeout values
will only be changed afterwards by tpm_get_timeouts. Until then
TIS_TIMEOUT_D_MAX applies, which is large enough.

Fixes: aec04cbdf723 ("tpm: TPM 2.0 FIFO Interface")
Signed-off-by: Alexander Steffen <Alexande...@infineon.com>
Signed-off-by: Peter Huewe <peter...@infineon.com>
Reviewed-by: Jarkko Sakkinen <jarkko....@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko....@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/char/tpm/tpm_tis_core.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/char/tpm/tpm_tis_core.c
+++ b/drivers/char/tpm/tpm_tis_core.c
@@ -160,8 +160,10 @@ static int get_burstcount(struct tpm_chi
u32 value;

/* wait for burstcount */
- /* which timeout value, spec has 2 answers (c & d) */
- stop = jiffies + chip->timeout_d;
+ if (chip->flags & TPM_CHIP_FLAG_TPM2)
+ stop = jiffies + chip->timeout_a;
+ else
+ stop = jiffies + chip->timeout_d;
do {
rc = tpm_tis_read32(priv, TPM_STS(priv->locality), &value);
if (rc < 0)
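
Review bot: The removed comment was the only in-code record that the specifications disagree on this timeout, and the new TPM_CHIP_FLAG_TPM2 branch carries no comment at all. Please keep a short comment stating that TIS specifies TIMEOUT_D and PTP specifies TIMEOUT_A for a valid burstcount, and that timeout_d is still used while the flag is not yet set during probe, since that reasoning currently lives only in the commit message.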

Greg Kroah-Hartman

May 23, 2017, 4:20:10 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: NeilBrown <ne...@suse.com>

commit 065e519e71b2c1f41936cce75b46b5ab34adb588 upstream.

If md_set_readonly is called and the MD_CLOSING bit is set, the mddev cannot
be opened any more because the MD_CLOSING bit wasn't cleared. Thus it
needs to be cleared in md_ioctl after any call to md_set_readonly()
or do_md_stop().

Signed-off-by: NeilBrown <ne...@suse.com>
Fixes: af8d8e6f0315 ("md: changes for MD_STILL_CLOSED flag")
Signed-off-by: Zhilong Liu <zl...@suse.com>
Signed-off-by: Shaohua Li <sh...@fb.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/md/md.c | 5 +++++
1 file changed, 5 insertions(+)

--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -6776,6 +6776,7 @@ static int md_ioctl(struct block_device
void __user *argp = (void __user *)arg;
struct mddev *mddev = NULL;
int ro;
+ bool did_set_md_closing = false;

if (!md_ioctl_valid(cmd))
return -ENOTTY;
@@ -6865,7 +6866,9 @@ static int md_ioctl(struct block_device
err = -EBUSY;
goto out;
}
+ WARN_ON_ONCE(test_bit(MD_CLOSING, &mddev->flags));
set_bit(MD_CLOSING, &mddev->flags);
+ did_set_md_closing = true;
mutex_unlock(&mddev->open_mutex);
sync_blockdev(bdev);
}
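
Review bot: did_set_md_closing is set to true unconditionally after set_bit(), including in the case the WARN_ON_ONCE() just flagged, where MD_CLOSING was already set by someone else; the cleanup would then clear a bit this call did not own. Using test_and_set_bit() and setting did_set_md_closing only when it returns 0 would fold the warning condition and the ownership tracking into one atomic step.
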
@@ -7058,6 +7061,8 @@ unlock:
mddev->hold_active = 0;
mddev_unlock(mddev);
out:
+ if(did_set_md_closing)
+ clear_bit(MD_CLOSING, &mddev->flags);
return err;
}
#ifdef CONFIG_COMPAT
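
Review bot: Style point on the added cleanup: "if(did_set_md_closing)" is missing the space after "if" that kernel coding style requires. The clear_bit() also dereferences mddev, which is initialised to NULL at the top of the function; it is safe only because did_set_md_closing can become true after mddev is assigned, and a brief comment saying so would help.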

Greg Kroah-Hartman

May 23, 2017, 4:20:10 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Alyssa Milburn <amil...@zall.org>

commit ee0fe833d96793853335844b6d99fb76bd12cbeb upstream.

This code copies actual_length-128 bytes from the header, which will
underflow if the received buffer is too small.

Signed-off-by: Alyssa Milburn <amil...@zall.org>
Signed-off-by: Mauro Carvalho Chehab <mch...@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/media/usb/zr364xx/zr364xx.c | 8 ++++++++
1 file changed, 8 insertions(+)

--- a/drivers/media/usb/zr364xx/zr364xx.c
+++ b/drivers/media/usb/zr364xx/zr364xx.c
@@ -600,6 +600,14 @@ static int zr364xx_read_video_callback(s
ptr = pdest = frm->lpvbits;

if (frm->ulState == ZR364XX_READ_IDLE) {
+ if (purb->actual_length < 128) {
+ /* header incomplete */
+ dev_info(&cam->udev->dev,
+ "%s: buffer (%d bytes) too small to hold jpeg header. Discarding.\n",
+ __func__, purb->actual_length);
+ return -EINVAL;
+ }
+
frm->ulState = ZR364XX_READ_FRAME;
frm->cur_size = 0;
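
Review bot: The new length check uses the bare literal 128 for the JPEG header size; a named constant shared with the copy that subtracts the same value would keep the two from drifting apart. The dev_info() is emitted for every short buffer, so a device that keeps sending undersized transfers can flood the log; a rate-limited variant would be safer here. The format string also uses %d for purb->actual_length, which is an unsigned field, so %u is the matching specifier.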

Greg Kroah-Hartman

May 23, 2017, 4:20:10 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Marek Szyprowski <m.szyp...@samsung.com>

commit 0c32b8ec02832df167e16ad659cb11dc148f2ddf upstream.

Interrupt routine must wake process waiting for given interrupt AFTER
updating driver's internal structures and contexts. Doing it in-between
is a serious bug. This patch moves all calls to the wake() function to
the end of the interrupt processing block to avoid potential and real
races, especially on multi-core platforms. This also fixes following issue
reported from clock core (clocks were disabled in interrupt after being
unprepared from the other place in the driver, the stack trace however
points to the different place than s5p_mfc driver because of the race):

WARNING: CPU: 1 PID: 18 at drivers/clk/clk.c:544 clk_core_unprepare+0xc8/0x108
Modules linked in:
CPU: 1 PID: 18 Comm: kworker/1:0 Not tainted 4.10.0-next-20170223-00070-g04e18bc99ab9-dirty #2154
Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
Workqueue: pm pm_runtime_work
[<c010d8b0>] (unwind_backtrace) from [<c010a534>] (show_stack+0x10/0x14)
[<c010a534>] (show_stack) from [<c033292c>] (dump_stack+0x74/0x94)
[<c033292c>] (dump_stack) from [<c011cef4>] (__warn+0xd4/0x100)
[<c011cef4>] (__warn) from [<c011cf40>] (warn_slowpath_null+0x20/0x28)
[<c011cf40>] (warn_slowpath_null) from [<c0387a84>] (clk_core_unprepare+0xc8/0x108)
[<c0387a84>] (clk_core_unprepare) from [<c0389d84>] (clk_unprepare+0x24/0x2c)
[<c0389d84>] (clk_unprepare) from [<c03d4660>] (exynos_sysmmu_suspend+0x48/0x60)
[<c03d4660>] (exynos_sysmmu_suspend) from [<c042b9b0>] (pm_generic_runtime_suspend+0x2c/0x38)
[<c042b9b0>] (pm_generic_runtime_suspend) from [<c0437580>] (genpd_runtime_suspend+0x94/0x220)
[<c0437580>] (genpd_runtime_suspend) from [<c042e240>] (__rpm_callback+0x134/0x208)
[<c042e240>] (__rpm_callback) from [<c042e334>] (rpm_callback+0x20/0x80)
[<c042e334>] (rpm_callback) from [<c042d3b8>] (rpm_suspend+0xdc/0x458)
[<c042d3b8>] (rpm_suspend) from [<c042ea24>] (pm_runtime_work+0x80/0x90)
[<c042ea24>] (pm_runtime_work) from [<c01322c4>] (process_one_work+0x120/0x318)
[<c01322c4>] (process_one_work) from [<c0132520>] (worker_thread+0x2c/0x4ac)
[<c0132520>] (worker_thread) from [<c0137ab0>] (kthread+0xfc/0x134)
[<c0137ab0>] (kthread) from [<c0107978>] (ret_from_fork+0x14/0x3c)
---[ end trace 1ead49a7bb83f0d8 ]---

Fixes: af93574678108 ("[media] MFC: Add MFC 5.1 V4L2 driver")

Signed-off-by: Marek Szyprowski <m.szyp...@samsung.com>
Reviewed-by: Javier Martinez Canillas <jav...@osg.samsung.com>
Signed-off-by: Sylwester Nawrocki <s.naw...@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mch...@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/media/platform/s5p-mfc/s5p_mfc.c | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)

--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c
+++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c
@@ -666,9 +666,9 @@ static irqreturn_t s5p_mfc_irq(int irq,
break;
}
s5p_mfc_hw_call(dev->mfc_ops, clear_int_flags, dev);
- wake_up_ctx(ctx, reason, err);
WARN_ON(test_and_clear_bit(0, &dev->hw_lock) == 0);
s5p_mfc_clock_off();
+ wake_up_ctx(ctx, reason, err);
s5p_mfc_hw_call(dev->mfc_ops, try_run, dev);
} else {
s5p_mfc_handle_frame(ctx, reason, err);
@@ -682,15 +682,11 @@ static irqreturn_t s5p_mfc_irq(int irq,
case S5P_MFC_R2H_CMD_OPEN_INSTANCE_RET:
ctx->inst_no = s5p_mfc_hw_call(dev->mfc_ops, get_inst_no, dev);
ctx->state = MFCINST_GOT_INST;
- clear_work_bit(ctx);
- wake_up(&ctx->queue);
goto irq_cleanup_hw;

case S5P_MFC_R2H_CMD_CLOSE_INSTANCE_RET:
- clear_work_bit(ctx);
ctx->inst_no = MFC_NO_INSTANCE_SET;
ctx->state = MFCINST_FREE;
- wake_up(&ctx->queue);
goto irq_cleanup_hw;

case S5P_MFC_R2H_CMD_SYS_INIT_RET:
@@ -700,9 +696,9 @@ static irqreturn_t s5p_mfc_irq(int irq,
if (ctx)
clear_work_bit(ctx);
s5p_mfc_hw_call(dev->mfc_ops, clear_int_flags, dev);
- wake_up_dev(dev, reason, err);
clear_bit(0, &dev->hw_lock);
clear_bit(0, &dev->enter_suspend);
+ wake_up_dev(dev, reason, err);
break;

case S5P_MFC_R2H_CMD_INIT_BUFFERS_RET:
@@ -717,9 +713,7 @@ static irqreturn_t s5p_mfc_irq(int irq,
break;

case S5P_MFC_R2H_CMD_DPB_FLUSH_RET:
- clear_work_bit(ctx);
ctx->state = MFCINST_RUNNING;
- wake_up(&ctx->queue);
goto irq_cleanup_hw;

default:
@@ -738,6 +732,8 @@ irq_cleanup_hw:
mfc_err("Failed to unlock hw\n");

s5p_mfc_clock_off();
+ clear_work_bit(ctx);
+ wake_up(&ctx->queue);

s5p_mfc_hw_call(dev->mfc_ops, try_run, dev);
spin_unlock(&dev->irqlock);
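
Review bot: clear_work_bit(ctx) and wake_up(&ctx->queue) now run for every path that reaches irq_cleanup_hw, with no check that ctx is non-NULL, while the SYS_INIT_RET case in this same patch still guards its call with "if (ctx)". Please either confirm that no jump to irq_cleanup_hw can happen with a NULL ctx or add the same guard here, since the dereference happens in interrupt context under dev->irqlock.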

Greg Kroah-Hartman

May 23, 2017, 4:20:10 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Bart Van Assche <bart.va...@sandisk.com>

commit 7083abbbfc4fa706ff72d27d33a5214881979336 upstream.

If blk_get_request() fails, check whether the failure is due to a path
being removed. If that is the case, fail the path by triggering a call
to fail_path(). This avoids that the following scenario can be
encountered while removing paths:
* CPU usage of a kworker thread jumps to 100%.
* Removing the DM device becomes impossible.

Delay requeueing if blk_get_request() returns -EBUSY or -EWOULDBLOCK,
and the queue is not dying, because in these cases immediate requeuing
is inappropriate.

Signed-off-by: Bart Van Assche <bart.va...@sandisk.com>
Cc: Hannes Reinecke <ha...@suse.com>
Cc: Christoph Hellwig <h...@lst.de>
Signed-off-by: Mike Snitzer <sni...@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/md/dm-mpath.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)

--- a/drivers/md/dm-mpath.c
+++ b/drivers/md/dm-mpath.c
@@ -489,6 +489,7 @@ static int multipath_clone_and_map(struc
struct pgpath *pgpath;
struct block_device *bdev;
struct dm_mpath_io *mpio = get_mpio(map_context);
+ struct request_queue *q;
struct request *clone;

/* Do we need to select a new pgpath? */
@@ -511,12 +512,18 @@ static int multipath_clone_and_map(struc
mpio->nr_bytes = nr_bytes;

bdev = pgpath->path.dev->bdev;
-
- clone = blk_get_request(bdev_get_queue(bdev),
- rq->cmd_flags | REQ_NOMERGE,
- GFP_ATOMIC);
+ q = bdev_get_queue(bdev);
+ clone = blk_get_request(q, rq->cmd_flags | REQ_NOMERGE, GFP_ATOMIC);
if (IS_ERR(clone)) {
/* EBUSY, ENODEV or EWOULDBLOCK: requeue */
+ bool queue_dying = blk_queue_dying(q);
+ DMERR_LIMIT("blk_get_request() returned %ld%s - requeuing",
+ PTR_ERR(clone), queue_dying ? " (path offline)" : "");
+ if (queue_dying) {
+ atomic_inc(&m->pg_init_in_progress);
+ activate_or_offline_path(pgpath);
+ return DM_MAPIO_REQUEUE;
+ }
return DM_MAPIO_DELAY_REQUEUE;
}
clone->bio = clone->biotail = NULL;
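
Review bot: In the queue_dying branch, atomic_inc(&m->pg_init_in_progress) is added immediately before activate_or_offline_path(pgpath) with no comment on where the matching decrement happens; if that pairing is ever broken the counter stays elevated. Please document the pairing at the increment. The existing comment "EBUSY, ENODEV or EWOULDBLOCK: requeue" and the "- requeuing" text in DMERR_LIMIT() also no longer describe both outcomes, since one path returns DM_MAPIO_REQUEUE and the other DM_MAPIO_DELAY_REQUEUE.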

Greg Kroah-Hartman

May 23, 2017, 4:20:10 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Tony Lindgren <to...@atomide.com>

commit 3c50ffef25855a9d9e4b07b02d756a8cdd653069 upstream.

Commit d8e5f0eca1e8 ("usb: musb: Fix hardirq-safe hardirq-unsafe
lock order error") caused a regression where musb keeps trying to
enable host mode with no cable connected. This seems to be caused
by the fact that now phy is enabled earlier, and we are wrongly
trying to force USB host mode on an OTG port. The errors we are
getting are "trying to suspend as a_idle while active".

For ports configured as OTG, we should not need to do anything
to try to force USB host mode on its OTG port. Trying to force host
mode in this case just seems to completely confuse the musb state
machine.

Let's fix the issue by making musb_host_setup() attempt to force the
mode only if port_mode is configured for host mode.

Fixes: d8e5f0eca1e8 ("usb: musb: Fix hardirq-safe hardirq-unsafe lock order error")
Cc: Johan Hovold <jo...@kernel.org>
Reported-by: Laurent Pinchart <laurent....@ideasonboard.com>
Reported-by: Peter Ujfalusi <peter.u...@ti.com>
Tested-by: Peter Ujfalusi <peter.u...@ti.com>
Signed-off-by: Tony Lindgren <to...@atomide.com>
Signed-off-by: Bin Liu <b-...@ti.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/usb/musb/musb_host.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/usb/musb/musb_host.c
+++ b/drivers/usb/musb/musb_host.c
@@ -2780,10 +2780,11 @@ int musb_host_setup(struct musb *musb, i
int ret;
struct usb_hcd *hcd = musb->hcd;

- MUSB_HST_MODE(musb);
- musb->xceiv->otg->default_a = 1;
- musb->xceiv->otg->state = OTG_STATE_A_IDLE;
-
+ if (musb->port_mode == MUSB_PORT_MODE_HOST) {
+ MUSB_HST_MODE(musb);
+ musb->xceiv->otg->default_a = 1;
+ musb->xceiv->otg->state = OTG_STATE_A_IDLE;
+ }
otg_set_host(musb->xceiv->otg, &hcd->self);
hcd->self.otg_port = 1;
musb->xceiv->otg->host = &hcd->self;
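
Review bot: The new "if (musb->port_mode == MUSB_PORT_MODE_HOST)" block has no comment explaining why default_a and otg->state are deliberately left untouched for other port modes, so the condition looks like an optimisation rather than a fix for the state machine. A short comment at the condition would preserve the reasoning. The blank line that separated this setup from otg_set_host() was also dropped; restoring it after the closing brace would keep the two steps visually distinct.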

Greg Kroah-Hartman

May 23, 2017, 4:20:10 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Alyssa Milburn <amil...@zall.org>

commit 821117dc21083a99dd99174c10848d70ff43de29 upstream.

Return an error rather than memcpy()ing beyond the end of the buffer.
Internal callers use appropriate sizes, but digitv_i2c_xfer may not.

Signed-off-by: Alyssa Milburn <amil...@zall.org>
Signed-off-by: Mauro Carvalho Chehab <mch...@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/media/usb/dvb-usb/digitv.c | 3 +++
1 file changed, 3 insertions(+)

--- a/drivers/media/usb/dvb-usb/digitv.c
+++ b/drivers/media/usb/dvb-usb/digitv.c
@@ -33,6 +33,9 @@ static int digitv_ctrl_msg(struct dvb_us

wo = (rbuf == NULL || rlen == 0); /* write-only */

+ if (wlen > 4 || rlen > 4)
+ return -EIO;
+
memset(st->sndbuf, 0, 7);
memset(st->rcvbuf, 0, 7);
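
Review bot: The bound in "if (wlen > 4 || rlen > 4)" is a bare literal that is not visibly tied to the 7-byte sndbuf and rcvbuf cleared just below it, so a reader cannot tell from this hunk why 4 is the right limit. Deriving the limit from a named buffer-size constant minus the fixed header bytes, or at least commenting the layout, would keep the check correct if the buffers change. -EINVAL may also describe an oversized caller-supplied length better than -EIO.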

Greg Kroah-Hartman

May 23, 2017, 4:20:11 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit 2c25a2c818023df64463aac3288a9f969491e507 upstream.

A SuperSpeed hub descriptor does not have any variable-length fields so
bail out when reading a short descriptor.

This avoids parsing and leaking two bytes of uninitialised slab data
through sysfs removable-attributes.

Fixes: dbe79bbe9dcb ("USB 3.0 Hub Changes")
Cc: John Youn <John...@synopsys.com>
Acked-by: Alan Stern <st...@rowland.harvard.edu>
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/usb/core/hub.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -380,8 +380,12 @@ static int get_hub_descriptor(struct usb
USB_REQ_GET_DESCRIPTOR, USB_DIR_IN | USB_RT_HUB,
dtype << 8, 0, data, size,
USB_CTRL_GET_TIMEOUT);
- if (ret >= (USB_DT_HUB_NONVAR_SIZE + 2))
+ if (hub_is_superspeed(hdev)) {
+ if (ret == size)
+ return ret;
+ } else if (ret >= (USB_DT_HUB_NONVAR_SIZE + 2)) {
return ret;
+ }
}
return -EINVAL;
}
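
Review bot: The SuperSpeed branch now requires ret == size, but the non-SuperSpeed branch still accepts any length of at least USB_DT_HUB_NONVAR_SIZE + 2 without comparing it to the variable-length fields the descriptor itself declares. A short non-SS descriptor can therefore still be returned to the caller as valid. Consider validating the returned length against the descriptor's own contents in that branch as well.
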
@@ -1321,7 +1325,7 @@ static int hub_configure(struct usb_hub

/* Request the entire hub descriptor.
* hub->descriptor can handle USB_MAXCHILDREN ports,
- * but the hub can/will return fewer bytes here.
+ * but a (non-SS) hub can/will return fewer bytes here.
*/
ret = get_hub_descriptor(hdev, hub->descriptor);
if (ret < 0) {

Greg Kroah-Hartman

May 23, 2017, 4:20:11 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Mike Snitzer <sni...@redhat.com>

commit 10add84e276432d9dd8044679a1028dd4084117e upstream.

Otherwise it is possible to trigger crashes due to the metadata being
inaccessible yet these methods don't safely account for that possibility
without these checks.

Reported-by: Mikulas Patocka <mpat...@redhat.com>
Signed-off-by: Mike Snitzer <sni...@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/md/dm-cache-metadata.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)

--- a/drivers/md/dm-cache-metadata.c
+++ b/drivers/md/dm-cache-metadata.c
@@ -1627,17 +1627,19 @@ void dm_cache_metadata_set_stats(struct

int dm_cache_commit(struct dm_cache_metadata *cmd, bool clean_shutdown)
{
- int r;
+ int r = -EINVAL;
flags_mutator mutator = (clean_shutdown ? set_clean_shutdown :
clear_clean_shutdown);

WRITE_LOCK(cmd);
+ if (cmd->fail_io)
+ goto out;
+
r = __commit_transaction(cmd, mutator);
if (r)
goto out;

r = __begin_transaction(cmd);
-
out:
WRITE_UNLOCK(cmd);
return r;
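
Review bot: In dm_cache_commit(), r is now initialised to -EINVAL solely so that the new "if (cmd->fail_io) goto out;" path returns it, which makes an I/O failure state indistinguishable from an invalid argument for callers. Setting an explicit error in the fail_io branch (for example "r = -EIO;" before the goto, if callers tolerate it) would be clearer than relying on the initialiser. The blank line removed before "out:" is an unrelated whitespace change.
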
@@ -1649,7 +1651,8 @@ int dm_cache_get_free_metadata_block_cou
int r = -EINVAL;

READ_LOCK(cmd);
- r = dm_sm_get_nr_free(cmd->metadata_sm, result);
+ if (!cmd->fail_io)
+ r = dm_sm_get_nr_free(cmd->metadata_sm, result);
READ_UNLOCK(cmd);

return r;
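
Review bot: With the new "if (!cmd->fail_io)" guard, *result is left unwritten when fail_io is set and only the -EINVAL return signals that. Callers that read *result without checking the return value would now consume an uninitialised value. Either zero *result on the failure path or document that it is valid only when 0 is returned.
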
@@ -1661,7 +1664,8 @@ int dm_cache_get_metadata_dev_size(struc
int r = -EINVAL;

READ_LOCK(cmd);
- r = dm_sm_get_nr_blocks(cmd->metadata_sm, result);
+ if (!cmd->fail_io)
+ r = dm_sm_get_nr_blocks(cmd->metadata_sm, result);
READ_UNLOCK(cmd);

return r;

Greg Kroah-Hartman

May 23, 2017, 4:20:11 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Vinothkumar Raja <vin...@cs.stonybrook.edu>

commit 7d1fedb6e96a960aa91e4ff70714c3fb09195a5a upstream.

dm_btree_find_lowest_key() is giving incorrect results. find_key()
traverses the btree correctly for finding the highest key, but there is
an error in the way it traverses the btree for retrieving the lowest
key. dm_btree_find_lowest_key() fetches the first key of the rightmost
block of the btree instead of fetching the first key from the leftmost
block.

Fix this by conditionally passing the correct parameter to value64()
based on the @find_highest flag.

Signed-off-by: Erez Zadok <e...@fsl.cs.sunysb.edu>
Signed-off-by: Vinothkumar Raja <vin...@cs.stonybrook.edu>
Signed-off-by: Nidhi Panpalia <npan...@cs.stonybrook.edu>
Signed-off-by: Mike Snitzer <sni...@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/md/persistent-data/dm-btree.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/md/persistent-data/dm-btree.c
+++ b/drivers/md/persistent-data/dm-btree.c
@@ -902,8 +902,12 @@ static int find_key(struct ro_spine *s,
else
*result_key = le64_to_cpu(ro_node(s)->keys[0]);

- if (next_block || flags & INTERNAL_NODE)
- block = value64(ro_node(s), i);
+ if (next_block || flags & INTERNAL_NODE) {
+ if (find_highest)
+ block = value64(ro_node(s), i);
+ else
+ block = value64(ro_node(s), 0);
+ }

} while (flags & INTERNAL_NODE);
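
Review bot: The new else branch hard-codes "block = value64(ro_node(s), 0);" while the index i computed earlier in the loop is still used only for the find_highest case, so the two directions are now selected in two separate places. A comment stating that the lowest key is always reached through child 0, or assigning the index once and calling value64() a single time, would make the traversal easier to verify.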

Greg Kroah-Hartman

May 23, 2017, 4:20:11 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Thinh Nguyen <Thinh....@synopsys.com>

commit d325a1de49d61ee11aca58a529571c91ecea7879 upstream.

The dwc3 driver can overwrite its previous events if its top-half IRQ
handler (TH) gets invoked again before processing the events in the
cache. We see this as a hang in the file transfer and the host will
attempt to reset the device. TH gets the event count and deasserts the
interrupt line by writing DWC3_GEVNTSIZ_INTMASK to DWC3_GEVNTSIZ. If
there's a new event coming between reading the event count and interrupt
deassertion, dwc3 will lose previous pending events. More generally, we
will see 0 event count, which should not affect anything.

This shouldn't be possible in the current dwc3 implementation. However,
through testing and reading the PCIe trace, the TH occasionally still
gets invoked one more time after HW interrupt deassertion. (With PCIe
legacy interrupts, TH is called repeatedly as long as the interrupt line
is asserted). We suspect that there is a small detection delay in the
SW.

To avoid this issue, check DWC3_EVENT_PENDING flag to determine if the
events are processed in the bottom-half IRQ handler. If not, return
IRQ_HANDLED and don't process new event.

Signed-off-by: Thinh Nguyen <thi...@synopsys.com>
Signed-off-by: Felipe Balbi <felipe...@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/usb/dwc3/gadget.c | 9 +++++++++
1 file changed, 9 insertions(+)

--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -3078,6 +3078,15 @@ static irqreturn_t dwc3_check_event_buf(
return IRQ_HANDLED;
}

+ /*
+ * With PCIe legacy interrupt, test shows that top-half irq handler can
+ * be called again after HW interrupt deassertion. Check if bottom-half
+ * irq event handler completes before caching new event to prevent
+ * losing events.
+ */
+ if (evt->flags & DWC3_EVENT_PENDING)
+ return IRQ_HANDLED;
+
count = dwc3_readl(dwc->regs, DWC3_GEVNTCOUNT(0));
count &= DWC3_GEVNTCOUNT_MASK;
if (!count)
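
Review bot: The new early return on "evt->flags & DWC3_EVENT_PENDING" happens before DWC3_GEVNTCOUNT is read, so on this path the handler reports IRQ_HANDLED without acknowledging or masking anything in hardware. Please state in the comment why that is safe if the line is still asserted, and how the read of evt->flags here is ordered against the bottom half clearing the flag, since no lock or barrier is visible in this hunk.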

Greg Kroah-Hartman

May 23, 2017, 4:20:11 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit ebeb36670ecac36c179b5fb5d5c88ff03ba191ec upstream.

Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer or accessing memory beyond the endpoint array should a
malicious device lack the expected endpoints.

Fixes: 36bcce430657 ("ath9k_htc: Handle storage devices")
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Kalle Valo <kv...@qca.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/net/wireless/ath/ath9k/hif_usb.c | 3 +++
1 file changed, 3 insertions(+)

--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -1220,6 +1220,9 @@ static int send_eject_command(struct usb
u8 bulk_out_ep;
int r;

+ if (iface_desc->desc.bNumEndpoints < 2)
+ return -ENODEV;
+
/* Find bulk out endpoint */
for (r = 1; r >= 0; r--) {
endpoint = &iface_desc->endpoint[r].desc;
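
Review bot: The literal in "bNumEndpoints < 2" is coupled to the loop below it, which starts at r = 1 and indexes endpoint[r], but nothing ties the two values together. A comment at the check saying that it covers endpoint[0] and endpoint[1] as used by the loop would prevent the bound and the loop start from being changed independently.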

Greg Kroah-Hartman

May 23, 2017, 4:20:11 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Matthias Lange <matthia...@kernkonzept.com>

commit 5db851cf20857c5504b146046e97cb7781f2a743 upstream.

There is no reason to restrict allocations to the first 16MB ISA DMA
addresses.

It is causing problems in a virtualization setup with enabled IOMMU
(x86_64). The result is that USB is not working in the VM.

Signed-off-by: Matthias Lange <matthia...@kernkonzept.com>
Signed-off-by: Mathias Nyman <mathia...@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/usb/host/xhci-mem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -56,7 +56,7 @@ static struct xhci_segment *xhci_segment
}

if (max_packet) {
- seg->bounce_buf = kzalloc(max_packet, flags | GFP_DMA);
+ seg->bounce_buf = kzalloc(max_packet, flags);
if (!seg->bounce_buf) {
dma_pool_free(xhci->segment_pool, seg->trbs, dma);
kfree(seg);

Greg Kroah-Hartman

May 23, 2017, 4:20:12 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit bec444cd1c94c48df409a35ad4e5b143c245c3f7 upstream.

Add missing sanity check on the non-SuperSpeed hub-descriptor length in
order to avoid parsing and leaking two bytes of uninitialised slab data
through sysfs removable-attributes (or a compound-device debug
statement).

Note that we only make sure that the DeviceRemovable field is always
present (and specifically ignore the unused PortPwrCtrlMask field) in
order to continue supporting any hubs with non-compliant descriptors. As a
further safeguard, the descriptor buffer is also cleared.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <jo...@kernel.org>
Acked-by: Alan Stern <st...@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/usb/core/hub.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)

--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -362,7 +362,8 @@ static void usb_set_lpm_parameters(struc
}

/* USB 2.0 spec Section 11.24.4.5 */
-static int get_hub_descriptor(struct usb_device *hdev, void *data)
+static int get_hub_descriptor(struct usb_device *hdev,
+ struct usb_hub_descriptor *desc)
{
int i, ret, size;
unsigned dtype;
@@ -378,12 +379,16 @@ static int get_hub_descriptor(struct usb
for (i = 0; i < 3; i++) {
ret = usb_control_msg(hdev, usb_rcvctrlpipe(hdev, 0),
USB_REQ_GET_DESCRIPTOR, USB_DIR_IN | USB_RT_HUB,
- dtype << 8, 0, data, size,
+ dtype << 8, 0, desc, size,
USB_CTRL_GET_TIMEOUT);
if (hub_is_superspeed(hdev)) {
if (ret == size)
return ret;
- } else if (ret >= (USB_DT_HUB_NONVAR_SIZE + 2)) {
+ } else if (ret >= USB_DT_HUB_NONVAR_SIZE + 2) {
+ /* Make sure we have the DeviceRemovable field. */
+ size = USB_DT_HUB_NONVAR_SIZE + desc->bNbrPorts / 8 + 1;
+ if (ret < size)
+ return -EMSGSIZE;
return ret;
}
}
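
Review bot: in the non-SuperSpeed branch, size is overwritten with the minimum expected length (USB_DT_HUB_NONVAR_SIZE + desc->bNbrPorts / 8 + 1) although it is also the request length passed to usb_control_msg() at the top of the retry loop. That is harmless only because both paths return right afterwards; a separate local for the minimum length would keep a later change to the loop from issuing a shorter request by accident. It is also worth a comment that a too-short reply returns -EMSGSIZE at once instead of using the remaining retries, if that is intended.
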
@@ -1317,7 +1322,7 @@ static int hub_configure(struct usb_hub
}
mutex_init(&hub->status_mutex);

- hub->descriptor = kmalloc(sizeof(*hub->descriptor), GFP_KERNEL);
+ hub->descriptor = kzalloc(sizeof(*hub->descriptor), GFP_KERNEL);
if (!hub->descriptor) {
ret = -ENOMEM;
goto fail;
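
Review bot: the kmalloc() to kzalloc() switch for hub->descriptor carries no comment, so the reason for zeroing lives only in the commit message ("As a further safeguard, the descriptor buffer is also cleared"). A one-line comment at the allocation, saying the buffer is cleared so that a short descriptor read cannot expose stale slab contents, would keep it from being converted back later.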

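The length rule described in the hub-descriptor commit message above, modelled in user space as an added example (not code from the patch or the kernel). The two sample replies, the 31-port cap, the helper names and the stale-byte fill are constructed for illustration, and the pre-patch model reports a short read as -EMSGSIZE for simplicity.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HUB_NONVAR_SIZE   7   /* fixed part; same value as USB_DT_HUB_NONVAR_SIZE */
#define HUB_MAX_PORTS     31  /* assumed port cap for this model */
#define HUB_REMOVABLE_OFF 7   /* DeviceRemovable follows the fixed part */
#define HUB_BUF_SIZE (HUB_NONVAR_SIZE + 2 * (HUB_MAX_PORTS / 8 + 1))

/* Constructed replies from a hub claiming 31 ports (bNbrPorts is byte 2). */
static const uint8_t SHORT_REPLY[9] = {
    0x09, 0x29, 31, 0x00, 0x00, 50, 100, 0x00, 0x00 };
static const uint8_t FULL_REPLY[11] = {
    0x0b, 0x29, 31, 0x00, 0x00, 50, 100, 0x00, 0x00, 0x00, 0x01 };

/* Pre-patch rule: the fixed part plus two bytes is accepted. */
static int check_old(const uint8_t *desc, int ret)
{
    (void)desc;
    return ret >= HUB_NONVAR_SIZE + 2 ? ret : -EMSGSIZE;
}

/* Post-patch rule: the whole DeviceRemovable bitmap must have arrived. */
static int check_new(const uint8_t *desc, int ret)
{
    int need;

    if (ret < HUB_NONVAR_SIZE + 2)
        return -EMSGSIZE;
    need = HUB_NONVAR_SIZE + desc[2] / 8 + 1;
    return ret < need ? -EMSGSIZE : ret;
}

/*
 * Model one descriptor read. The buffer starts out filled with `stale`
 * (standing in for uninitialised slab memory), the device overwrites only
 * reply_len bytes of it, and the caller then reads the removable bit of
 * `port`. Returns the bit (0 or 1), or a negative errno if the reply is
 * rejected.
 */
static int read_removable(const uint8_t *reply, int reply_len, uint8_t stale,
                          int use_new_check, int port)
{
    uint8_t desc[HUB_BUF_SIZE];
    int ret;

    if (reply_len < 0 || reply_len > HUB_BUF_SIZE ||
        port < 1 || port > HUB_MAX_PORTS)
        return -EINVAL;

    memset(desc, stale, sizeof(desc));
    memcpy(desc, reply, (size_t)reply_len);

    ret = use_new_check ? check_new(desc, reply_len)
                        : check_old(desc, reply_len);
    if (ret < 0)
        return ret;

    /* Bit n of DeviceRemovable describes port n; bit 0 is reserved. */
    return (desc[HUB_REMOVABLE_OFF + port / 8] >> (port % 8)) & 1;
}

int main(void)
{
    /* Port 24 lives in descriptor byte 10, which the 9-byte reply never wrote. */
    printf("old check, stale 0xff: %d\n",
           read_removable(SHORT_REPLY, 9, 0xff, 0, 24));
    printf("old check, stale 0x00: %d\n",
           read_removable(SHORT_REPLY, 9, 0x00, 0, 24));
    printf("new check, short reply: %d\n",
           read_removable(SHORT_REPLY, 9, 0xff, 1, 24));
    printf("new check, full reply: %d\n",
           read_removable(FULL_REPLY, 11, 0xff, 1, 24));
    return 0;
}
```

With the old rule the value reported for port 24 follows whatever was in the buffer before the read; with the new rule the short reply is rejected and only the 11-byte reply yields a value.
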
Greg Kroah-Hartman

May 23, 2017, 4:20:17 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Srinivas Pandruvada <srinivas....@linux.intel.com>

commit 5d9854eaea776441b38a9a45b4e6879524c4f48c upstream.

This change undoes the change done by 'commit 3bec24747446
("iio: hid-sensor-trigger: Change get poll value function order to avoid
sensor properties losing after resume from S3")' as this breaks some
USB/i2c sensor hubs.

Instead of relying on HW for restoring poll and hysteresis, driver stores
and restores on resume (S3). In this way user space modified settings are
not lost for any kind of sensor hub behavior.

In this change, whenever user space modifies sampling frequency or
hysteresis, the driver will get the feature value from the hub and store it in the
per device hid_sensor_common data structure. On resume callback from S3,
system will set the feature to sensor hub, if user space ever modified the
feature value.

Fixes: 3bec24747446 ("iio: hid-sensor-trigger: Change get poll value function order to avoid sensor properties losing after resume from S3")
Reported-by: Ritesh Raj Sarraf <r...@researchut.com>
Tested-by: Ritesh Raj Sarraf <r...@researchut.com>
Tested-by: Song, Hongyan <hongya...@intel.com>
Signed-off-by: Srinivas Pandruvada <srinivas....@linux.intel.com>
Signed-off-by: Jonathan Cameron <ji...@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/iio/common/hid-sensors/hid-sensor-attributes.c | 26 +++++++++++++++--
drivers/iio/common/hid-sensors/hid-sensor-trigger.c | 20 +++++++++++--
include/linux/hid-sensor-hub.h | 2 +
3 files changed, 43 insertions(+), 5 deletions(-)

--- a/drivers/iio/common/hid-sensors/hid-sensor-attributes.c
+++ b/drivers/iio/common/hid-sensors/hid-sensor-attributes.c
@@ -221,7 +221,15 @@ int hid_sensor_write_samp_freq_value(str
if (ret < 0 || value < 0)
ret = -EINVAL;

- return ret;
+ ret = sensor_hub_get_feature(st->hsdev,
+ st->poll.report_id,
+ st->poll.index, sizeof(value), &value);
+ if (ret < 0 || value < 0)
+ return -EINVAL;
+
+ st->poll_interval = value;
+
+ return 0;
}
EXPORT_SYMBOL(hid_sensor_write_samp_freq_value);

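Review bot: in hid_sensor_write_samp_freq_value() the unchanged lines just above the change set ret = -EINVAL on failure, but the added "ret = sensor_hub_get_feature(...)" then overwrites it, so a failed write is reported as success whenever the read-back works, and st->poll_interval caches a value the caller did not set. Returning -EINVAL directly from that first check, before the read-back, would keep the error.
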
@@ -266,7 +274,16 @@ int hid_sensor_write_raw_hyst_value(stru
if (ret < 0 || value < 0)
ret = -EINVAL;

- return ret;
+ ret = sensor_hub_get_feature(st->hsdev,
+ st->sensitivity.report_id,
+ st->sensitivity.index, sizeof(value),
+ &value);
+ if (ret < 0 || value < 0)
+ return -EINVAL;
+
+ st->raw_hystersis = value;
+
+ return 0;
}
EXPORT_SYMBOL(hid_sensor_write_raw_hyst_value);

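Review bot: hid_sensor_write_raw_hyst_value() loses the error from the write: the unchanged "if (ret < 0 || value < 0) ret = -EINVAL;" above the change no longer reaches a return, because ret is reassigned by the added sensor_hub_get_feature() read-back. Making that first check return -EINVAL would ensure st->raw_hystersis is only updated after a write that succeeded.
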
@@ -369,6 +386,9 @@ int hid_sensor_get_reporting_interval(st
/* Default unit of measure is milliseconds */
if (st->poll.units == 0)
st->poll.units = HID_USAGE_SENSOR_UNITS_MILLISECOND;
+
+ st->poll_interval = -1;
+
return 0;

}
@@ -399,6 +419,8 @@ int hid_sensor_parse_common_attributes(s
HID_USAGE_SENSOR_PROP_SENSITIVITY_ABS,
&st->sensitivity);

+ st->raw_hystersis = -1;
+
sensor_hub_input_get_attribute_info(hsdev,
HID_INPUT_REPORT, usage_id,
HID_USAGE_SENSOR_TIME_TIMESTAMP,
--- a/drivers/iio/common/hid-sensors/hid-sensor-trigger.c
+++ b/drivers/iio/common/hid-sensors/hid-sensor-trigger.c
@@ -51,6 +51,8 @@ static int _hid_sensor_power_state(struc
st->report_state.report_id,
st->report_state.index,
HID_USAGE_SENSOR_PROP_REPORTING_STATE_ALL_EVENTS_ENUM);
+
+ poll_value = hid_sensor_read_poll_value(st);
} else {
int val;

@@ -87,9 +89,7 @@ static int _hid_sensor_power_state(struc
sensor_hub_get_feature(st->hsdev, st->power_state.report_id,
st->power_state.index,
sizeof(state_val), &state_val);
- if (state)
- poll_value = hid_sensor_read_poll_value(st);
- if (poll_value > 0)
+ if (state && poll_value)
msleep_interruptible(poll_value * 2);

return 0;
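
Review bot: the sleep guard changes from "poll_value > 0" to "state && poll_value", which is also true for a negative poll_value. If hid_sensor_read_poll_value() can return a negative error code, msleep_interruptible(poll_value * 2) would be called with it; writing the test as "state && poll_value > 0" keeps the protection the removed lines had.
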
@@ -127,6 +127,20 @@ static void hid_sensor_set_power_work(st
struct hid_sensor_common *attrb = container_of(work,
struct hid_sensor_common,
work);
+
+ if (attrb->poll_interval >= 0)
+ sensor_hub_set_feature(attrb->hsdev, attrb->poll.report_id,
+ attrb->poll.index,
+ sizeof(attrb->poll_interval),
+ &attrb->poll_interval);
+
+ if (attrb->raw_hystersis >= 0)
+ sensor_hub_set_feature(attrb->hsdev,
+ attrb->sensitivity.report_id,
+ attrb->sensitivity.index,
+ sizeof(attrb->raw_hystersis),
+ &attrb->raw_hystersis);
+
_hid_sensor_power_state(attrb, true);
}

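Review bot: both sensor_hub_set_feature() calls added to hid_sensor_set_power_work() discard their return value, so a hub that rejects the restored poll interval or hysteresis on resume fails silently. Checking the result and logging a warning on failure would make that case diagnosable.
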
--- a/include/linux/hid-sensor-hub.h
+++ b/include/linux/hid-sensor-hub.h
@@ -231,6 +231,8 @@ struct hid_sensor_common {
unsigned usage_id;
atomic_t data_ready;
atomic_t user_requested_state;
+ int poll_interval;
+ int raw_hystersis;
struct iio_trigger *trigger;
int timestamp_ns_scale;
struct hid_sensor_hub_attribute_info poll;
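
Review bot: the two members added to struct hid_sensor_common have no comment explaining that -1 means "never set by user space", which is the value the other hunks initialise them to and test against with ">= 0". A short comment on poll_interval and raw_hystersis would document the sentinel; raw_hystersis also misspells hysteresis, which every later user of the field will inherit.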

Greg Kroah-Hartman

May 23, 2017, 4:20:17 PM
This is the start of the stable review cycle for the 4.11.3 release.
There are 197 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.

Responses should be made by Thu May 25 20:07:44 UTC 2017.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.11.3-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.11.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gre...@linuxfoundation.org>
Linux 4.11.3-rc1

Tadeusz Struk <tadeus...@intel.com>
IB/hfi1: Protect the global dev_cntr_names and port_cntr_names

Chris Wilson <ch...@chris-wilson.co.uk>
drm/i915/gvt: Disable access to stolen memory as a guest

Julius Werner <jwe...@chromium.org>
drivers: char: mem: Check for address space wraparound with mmap()

Trond Myklebust <trond.m...@primarydata.com>
nfsd: Fix up the "supattr_exclcreat" attributes

J. Bruce Fields <bfi...@redhat.com>
nfsd: encoders mustn't use unitialized values in error cases

Ari Kauppi <a...@synopsys.com>
nfsd: fix undefined behavior in nfsd4_layout_verify

Trond Myklebust <trond.m...@primarydata.com>
NFSv4: Fix an rcu lock leak

Trond Myklebust <trond.m...@primarydata.com>
pNFS/flexfiles: Check the result of nfs4_pnfs_ds_connect

Benjamin Coddington <bcod...@redhat.com>
NFS: Use GFP_NOIO for two allocations in writeback

Fred Isaman <fred....@gmail.com>
NFS: Fix use after free in write error path

Trond Myklebust <trond.m...@primarydata.com>
NFSv4: Fix a hang in OPEN related to server reboot

Mario Kleiner <mario.kl...@gmail.com>
drm/edid: Add 10 bpc quirk for LGD 764 panel in HP zBook 17 G2

Alexander Couzens <lyn...@fe80.eu>
mtd: nand: add ooblayout for old hamming layout

Roger Quadros <rog...@ti.com>
mtd: nand: omap2: Fix partition creation via cmdline mtdparts

Simon Baatz <gmbn...@gmail.com>
mtd: nand: orion: fix clk handling

Lukas Wunner <lu...@wunner.de>
PCI: Freeze PME scan before suspending devices

David Woodhouse <dw...@amazon.co.uk>
PCI: Only allow WC mmap on prefetchable resources

David Woodhouse <dw...@amazon.co.uk>
PCI: Fix another sanity check bug in /proc/pci mmap

David Woodhouse <dw...@amazon.co.uk>
PCI: Fix pci_mmap_fits() for HAVE_PCI_RESOURCE_TO_USER platforms

K. Y. Srinivasan <k...@microsoft.com>
PCI: hv: Specify CPU_AFFINITY_ALL for MSI affinity when >= 32 CPUs

K. Y. Srinivasan <k...@microsoft.com>
PCI: hv: Allocate interrupt descriptors with GFP_ATOMIC

Tomasz Nowicki <t...@semihalf.com>
PCI/ACPI: Add ThunderX pass2.x 2nd node MCFG quirk

Bjorn Helgaas <bhel...@google.com>
PCI/ACPI: Tidy up MCFG quirk whitespace

Dawei Chien <dawei...@mediatek.com>
thermal: mt8173: minor mtk_thermal.c cleanups

Thomas Gleixner <tg...@linutronix.de>
tracing/kprobes: Enforce kprobes teardown after testing

Arnd Bergmann <ar...@arndb.de>
firmware: ti_sci: fix strncat length check

Masami Hiramatsu <mhir...@kernel.org>
um: Fix to call read_initrd after init_bootmem

Lars Ellenberg <lars.el...@linbit.com>
drbd: fix request leak introduced by locking/atomic, kref: Kill kref_sub()

Al Viro <vi...@zeniv.linux.org.uk>
osf_wait4(): fix infoleak

Suzuki K Poulose <suzuki....@arm.com>
kvm: arm/arm64: Force reading uncached stage2 PGD

Suzuki K Poulose <suzuki....@arm.com>
kvm: arm/arm64: Fix use after free of stage2 page table

Suzuki K Poulose <suzuki....@arm.com>
kvm: arm/arm64: Fix race in resetting stage2 PGD

Huacai Chen <che...@lemote.com>
MIPS: Loongson-3: Select MIPS_L1_CACHE_SHIFT_6

Jon Derrick <jonathan...@intel.com>
nvme: unmap CMB and remove sysfs file in reset path

Thomas Gleixner <tg...@linutronix.de>
genirq: Fix chained interrupt data ordering

Johan Hovold <jo...@kernel.org>
uwb: fix device quirk on big-endian hosts

Daniel Micay <danie...@gmail.com>
stackprotector: Increase the per-task stack canary's random range from 32 bits to 64 bits on 64-bit platforms

James Hogan <james...@imgtec.com>
metag/uaccess: Check access_ok in strncpy_from_user

James Hogan <james...@imgtec.com>
metag/uaccess: Fix access_ok()

Li, Fei <fei...@intel.com>
cpuidle: check dev before usage in cpuidle_use_deepest_state()

KarimAllah Ahmed <kara...@amazon.de>
iommu/vt-d: Flush the IOTLB to get rid of the initial kdump mappings

Malcolm Priestley <tvbo...@gmail.com>
staging: rtl8192e: GetTs Fix invalid TID 7 warning.

Malcolm Priestley <tvbo...@gmail.com>
staging: rtl8192e: rtl92e_get_eeprom_size Fix read size of EPROM_CMD.

Malcolm Priestley <tvbo...@gmail.com>
staging: rtl8192e: fix 2 byte alignment of register BSSIDR.

Malcolm Priestley <tvbo...@gmail.com>
staging: rtl8192e: rtl92e_fill_tx_desc fix write to mapped out memory.

Phil Elwell <ph...@raspberrypi.org>
staging: vc04_services: Fix bulk cache maintenance

Kristina Martsenko <kristina....@arm.com>
arm64: documentation: document tagged pointer stack constraints

Kristina Martsenko <kristina....@arm.com>
arm64: entry: improve data abort handling of tagged pointers

Kristina Martsenko <kristina....@arm.com>
arm64: hw_breakpoint: fix watchpoint matching for tagged pointers

Kristina Martsenko <kristina....@arm.com>
arm64: traps: fix userspace cache maintenance emulation on a tagged pointer

Mark Rutland <mark.r...@arm.com>
arm64: uaccess: ensure extension of access_ok() addr

Mark Rutland <mark.r...@arm.com>
arm64: armv8_deprecated: ensure extension of addr

Mark Rutland <mark.r...@arm.com>
arm64: ensure extension of smp_store_release value

Mark Rutland <mark.r...@arm.com>
arm64: xchg: hazard against entire exchange variable

Daniel Lezcano <daniel....@linaro.org>
arm64: dts: hi6220: Reset the mmc hosts

Leonard Crestez <leonard...@nxp.com>
ARM: dts: imx6sx-sdb: Remove OPP override

Ludovic Desroches <ludovic....@microchip.com>
ARM: dts: at91: sama5d3_xplained: not all ADC channels are available

Ludovic Desroches <ludovic....@microchip.com>
ARM: dts: at91: sama5d3_xplained: fix ADC vref

Vladimir Murzin <vladimi...@arm.com>
ARM: 8670/1: V7M: Do not corrupt vector table around v7m_invalidate_l1 call

Jon Medhurst <ti...@linaro.org>
ARM: 8667/3: Fix memory attribute inconsistencies when using fixmap

Ard Biesheuvel <ard.bie...@linaro.org>
ARM: 8662/1: module: split core and init PLT sections

Zhichao Huang <zhicha...@linaro.org>
KVM: arm: plug potential guest hardware debug leakage

Marc Zyngier <marc.z...@arm.com>
KVM: arm/arm64: vgic-v3: Do not use Active+Pending state for a HW interrupt

Marc Zyngier <marc.z...@arm.com>
KVM: arm/arm64: vgic-v2: Do not use Active+Pending state for a HW interrupt

Marc Zyngier <marc.z...@arm.com>
arm: KVM: Do not use stack-protector to compile HYP code

Marc Zyngier <marc.z...@arm.com>
arm64: KVM: Do not use stack-protector to compile EL2 code

Michael Neuling <mi...@neuling.org>
powerpc/tm: Fix FP and VMX register corruption

Michael Ellerman <m...@ellerman.id.au>
powerpc/mm: Fix crash in page table dump with huge pages

LiuHailong <liu.ha...@zte.com.cn>
powerpc/64e: Fix hang when debugging programs with relocated kernel

Alistair Popple <alis...@popple.id.au>
powerpc/powernv: Fix TCE kill on NVLink2

Alexey Kardashevskiy <a...@ozlabs.ru>
powerpc/iommu: Do not call PageTransHuge() on tail pages

Tyrel Datwyler <tyr...@linux.vnet.ibm.com>
powerpc/sysfs: Fix reference leak of cpu device_nodes present at boot

Tyrel Datwyler <tyr...@linux.vnet.ibm.com>
powerpc/pseries: Fix of_node_put() underflow during DLPAR remove

Mahesh Salgaonkar <mah...@linux.vnet.ibm.com>
powerpc/book3s/mce: Move add_taint() later in virtual mode

Russell Currey <rus...@russell.cc>
powerpc/eeh: Avoid use after free in eeh_handle_special_event()

David Gibson <da...@gibson.dropbear.id.au>
powerpc/mm: Ensure IRQs are off in switch_mm()

Johan Hovold <jo...@kernel.org>
cx231xx-cards: fix NULL-deref at probe

Johan Hovold <jo...@kernel.org>
cx231xx-audio: fix NULL-deref at probe

Johan Hovold <jo...@kernel.org>
cx231xx-audio: fix init error path

Alyssa Milburn <amil...@zall.org>
dw2102: limit messages to buffer size

Alyssa Milburn <amil...@zall.org>
digitv: limit messages to buffer size

Daniel Scheller <d.sch...@gmx.net>
dvb-frontends/cxd2841er: define symbol_rate_min/max in T/C fe-ops

Alyssa Milburn <amil...@zall.org>
zr364xx: enforce minimum size when reading header

Johan Hovold <jo...@kernel.org>
dib0700: fix NULL-deref at probe

Marek Szyprowski <m.szyp...@samsung.com>
s5p-mfc: Fix unbalanced call to clock management

Johan Hovold <jo...@kernel.org>
gspca: konica: add missing endpoint sanity check

Marek Szyprowski <m.szyp...@samsung.com>
s5p-mfc: Fix race between interrupt routine and device functions

Lee Jones <lee....@linaro.org>
cec: Fix runtime BUG when (CONFIG_RC_CORE && !CEC_CAP_RC)

Srinivas Pandruvada <srinivas....@linux.intel.com>
iio: hid-sensor: Store restore poll and hysteresis on S3

Matt Ranostay <matt.r...@konsulko.com>
iio: proximity: as3935: fix as3935_write

Dan Carpenter <dan.ca...@oracle.com>
ipx: call ipxitf_put() in ioctl error path

Johan Hovold <jo...@kernel.org>
USB: hub: fix non-SS hub-descriptor handling

Johan Hovold <jo...@kernel.org>
USB: hub: fix SS hub-descriptor handling

Johan Hovold <jo...@kernel.org>
USB: serial: io_ti: fix div-by-zero in set_termios

Johan Hovold <jo...@kernel.org>
USB: serial: mct_u232: fix big-endian baud-rate handling

Bjørn Mork <bj...@mork.no>
USB: serial: qcserial: add more Lenovo EM74xx device IDs

Daniele Palmas <dnl...@gmail.com>
usb: serial: option: add Telit ME910 support

Johan Hovold <jo...@kernel.org>
USB: iowarrior: fix info ioctl on big-endian hosts

Tony Lindgren <to...@atomide.com>
usb: musb: Fix trying to suspend while active for OTG configurations

Peter Ujfalusi <peter.u...@ti.com>
usb: musb: tusb6010_omap: Do not reset the other direction's packet size

Thinh Nguyen <Thinh....@synopsys.com>
usb: dwc3: gadget: Prevent losing events in event cache

Ben Hutchings <b...@decadent.org.uk>
dvb-usb-dibusb-mc-common: Add MODULE_LICENSE

Alyssa Milburn <amil...@zall.org>
ttusb2: limit messages to buffer size

Johan Hovold <jo...@kernel.org>
mceusb: fix NULL-deref at probe

Johan Hovold <jo...@kernel.org>
usbvision: fix NULL-deref at probe

Johan Hovold <jo...@kernel.org>
net: irda: irda-usb: fix firmware name on big-endian hosts

Peter Chen <peter...@nxp.com>
usb: host: xhci-mem: allocate zeroed Scratchpad Buffer

Mathias Nyman <mathia...@linux.intel.com>
xhci: apply PME_STUCK_QUIRK and MISSING_CAS quirk for Denverton

Alan Stern <st...@rowland.harvard.edu>
USB: xhci: fix lock-inversion problem

Thomas Petazzoni <thomas.p...@free-electrons.com>
usb: host: xhci-plat: propagate return value of platform_get_irq()

Matthias Lange <matthia...@kernkonzept.com>
xhci: remove GFP_DMA flag from allocation

Mathias Nyman <mathia...@linux.intel.com>
xhci: Fix command ring stop regression in 4.11

Yazen Ghannam <yazen....@amd.com>
EDAC, amd64: Fix reporting of Chip Select sizes on Fam17h

Jan Kara <ja...@suse.cz>
dax: fix data corruption when fault races with write

Toshi Kani <toshi...@hpe.com>
libnvdimm: fix clear length of nvdimm_forget_poison()

David Howells <dhow...@redhat.com>
Make stat/lstat/fstatat pass AT_NO_AUTOMOUNT to vfs_statx()

Johan Hovold <jo...@kernel.org>
USB: chaoskey: fix Alea quirk on big-endian hosts

Andrey Korolyov <and...@xdel.ru>
USB: serial: ftdi_sio: add Olimex ARM-USB-TINY(H) PIDs

Anthony Mallet <anthony...@laas.fr>
USB: serial: ftdi_sio: fix setting latency for unprivileged users

Kirill Tkhai <ktk...@virtuozzo.com>
pid_ns: Fix race between setns'ed fork() and zap_pid_ns_processes()

Eric W. Biederman <ebie...@xmission.com>
pid_ns: Sleep in TASK_INTERRUPTIBLE in zap_pid_ns_processes

Michael J. Ruhl <michael...@intel.com>
IB/hfi1: Fix a subcontext memory leak

Michael J. Ruhl <michael...@intel.com>
IB/hfi1: Return an error on memory allocation failure

Fabrice Gasnier <fabrice...@st.com>
iio: stm32 trigger: fix sampling_frequency read

Andreas Klinger <a...@it-klinger.de>
IIO: bmp280-core.c: fix error in humidity calculation

Pavel Roskin <plro...@gmail.com>
iio: dac: ad7303: fix channel description

James Smart <jsmar...@gmail.com>
scsi: lpfc: Fix panic on BFS configuration

Bryant G. Ly <brya...@linux.vnet.ibm.com>
ibmvscsis: Do not send aborted task response

Johan Hovold <jo...@kernel.org>
of: fdt: add missing allocation-failure check

Tyrel Datwyler <tyr...@linux.vnet.ibm.com>
of: fix "/cpus" reference leak in of_numa_parse_cpu_nodes()

Rob Herring <ro...@kernel.org>
of: fix sparse warning in of_pci_range_parser_one

Takashi Iwai <ti...@suse.de>
proc: Fix unbalanced hard link numbers

Vaibhav Jain <vai...@linux.vnet.ibm.com>
cxl: Route eeh events to all drivers in cxl_pci_error_detected()

Vaibhav Jain <vai...@linux.vnet.ibm.com>
cxl: Force context lock during EEH flow

Gerd Hoffmann <kra...@redhat.com>
ohci-pci: add qemu quirk

Tobias Herzog <t-he...@gmx.de>
cdc-acm: fix possible invalid access when processing notification

David Rivshin <DRiv...@allworx.com>
gpio: omap: return error if requested debounce time is not possible

Ben Skeggs <bsk...@redhat.com>
drm/nouveau/tmr: handle races with hw when updating the next alarm time

Ben Skeggs <bsk...@redhat.com>
drm/nouveau/tmr: avoid processing completed alarms when adding a new one

Ben Skeggs <bsk...@redhat.com>
drm/nouveau/tmr: fix corruption of the pending list when rescheduling an alarm

Ben Skeggs <bsk...@redhat.com>
drm/nouveau/tmr: ack interrupt before processing alarms

Ben Skeggs <bsk...@redhat.com>
drm/nouveau/kms/nv50: skip core channel cursor update on position-only changes

Ben Skeggs <bsk...@redhat.com>
drm/nouveau/kms/nv50: fix source-rect-only plane updates

Ben Skeggs <bsk...@redhat.com>
drm/nouveau/therm: remove ineffective workarounds for alarm bugs

Mario Kleiner <mario.kl...@gmail.com>
drm/amdgpu: Add missing lb_vblank_lead_lines setup to DCE-6 path.

Mario Kleiner <mario.kl...@gmail.com>
drm/amdgpu: Avoid overflows/divide-by-zero in latency_watermark calculations.

Mario Kleiner <mario.kl...@gmail.com>
drm/amdgpu: Make display watermark calculations more accurate

Johan Hovold <jo...@kernel.org>
ath9k_htc: fix NULL-deref at probe

Dmitry Tunin <hanipo...@gmail.com>
ath9k_htc: Add support of AirTies 1eda:2315 AR9271 device

Martin Schwidefsky <schwi...@de.ibm.com>
s390/cputime: fix incorrect system time

Michael Holzheu <hol...@linux.vnet.ibm.com>
s390/kdump: Add final note

Richard Cochran <rcoc...@linutronix.de>
regulator: tps65023: Fix inverted core enable logic.

Wadim Egorov <w.eg...@phytec.de>
regulator: rk808: Fix RK818 LDO2

Linus Torvalds <torv...@linux-foundation.org>
x86: fix 32-bit case of __get_user_asm_u64()

Wanpeng Li <wanpe...@hotmail.com>
KVM: X86: Fix read out-of-bounds vulnerability in kvm pio emulation

Wanpeng Li <wanpe...@hotmail.com>
KVM: x86: Fix potential preemption when get the current kvmclock timestamp

Wanpeng Li <wanpe...@hotmail.com>
KVM: x86: Fix load damaged SSEx MXCSR register

Daniel Glöckner <d...@emlix.com>
ima: accept previously set IMA_NEW_FILE

Brian Norris <brian...@chromium.org>
mwifiex: pcie: fix cmd_buf use-after-free in remove/reset

Brian Norris <brian...@chromium.org>
mwifiex: MAC randomization should not be persistent

Larry Finger <Larry....@lwfinger.net>
rtlwifi: rtl8821ae: setup 8812ae RFE according to device type

NeilBrown <ne...@suse.com>
md: MD_CLOSING needs to be cleared after called md_set_readonly or do_md_stop

Dennis Yang <denni...@qnap.com>
md: update slab_cache before releasing new stripes when stripes resizing

Joe Thornber <e...@redhat.com>
dm space map disk: fix some book keeping in the disk space map

Joe Thornber <e...@redhat.com>
dm thin metadata: call precommit before saving the roots

Mikulas Patocka <mpat...@redhat.com>
dm bufio: make the parameter "retain_bytes" unsigned long

Mike Snitzer <sni...@redhat.com>
dm cache metadata: fail operations if fail_io mode has been established

Bart Van Assche <bart.va...@sandisk.com>
dm mpath: delay requeuing while path initialization is in progress

Bart Van Assche <bart.va...@sandisk.com>
dm mpath: avoid that path removal can trigger an infinite loop

Bart Van Assche <bart.va...@sandisk.com>
dm mpath: split and rename activate_path() to prepare for its expanded use

Bart Van Assche <bart.va...@sandisk.com>
dm mpath: requeue after a small delay if blk_get_request() fails

Mikulas Patocka <mpat...@redhat.com>
dm bufio: check new buffer allocation watermark every 30 seconds

Mikulas Patocka <mpat...@redhat.com>
dm bufio: avoid a possible ABBA deadlock

Mikulas Patocka <mpat...@redhat.com>
dm raid: select the Kconfig option CONFIG_MD_RAID0

Vinothkumar Raja <vin...@cs.stonybrook.edu>
dm btree: fix for dm_btree_find_lowest_key()

Paolo Abeni <pab...@redhat.com>
infiniband: call ipv6 route lookup via the stub interface

Sagi Grimberg <sa...@grimberg.me>
mlx5: Fix mlx5_ib_map_mr_sg mr length

Alexander Sverdlin <alexander...@gmail.com>
ASoC: cs4271: configure reset GPIO as output

Petr Vandrovec <pe...@vmware.com>
tpm: fix handling of the TPM 2.0 event logs

Hon Ching (Vicky) Lo <hon...@linux.vnet.ibm.com>
vTPM: Fix missing NULL check

Jerry Snitselaar <jsni...@redhat.com>
tpm_crb: check for bad response size

Nayna Jain <na...@linux.vnet.ibm.com>
tpm: add sleep only for retry in i2c_nuvoton_write_status()

Nayna Jain <na...@linux.vnet.ibm.com>
tpm: msleep() delays - replace with usleep_range() in i2c nuvoton driver

Peter Huewe <peter...@infineon.com>
tpm_tis_spi: Add small delay after last transfer

Peter Huewe <peter...@infineon.com>
tpm_tis_spi: Remove limitation of transfers to MAX_SPI_FRAMESIZE bytes

Peter Huewe <peter...@infineon.com>
tpm_tis_spi: Check correct byte for wait state indicator

Peter Huewe <peter...@infineon.com>
tpm_tis_spi: Abort transfer when too many wait states are signaled

Peter Huewe <peter...@infineon.com>
tpm_tis_spi: Use single function to transfer data

Amir Goldstein <amir...@gmail.com>
fanotify: don't expose EOPENSTALE to userspace

Jeeja KP <jeej...@intel.com>
ALSA: hda: Fix cpu lockup when stopping the cmd dmas

Alexander Steffen <Alexande...@infineon.com>
tpm_tis_core: Choose appropriate timeout for reading burstcount

Vamsi Krishna Samavedam <vskr...@codeaurora.org>
USB: core: replace %p with %pK

Willy Tarreau <w...@1wt.eu>
char: lp: fix possible integer overflow in lp_setup()

Johan Hovold <jo...@kernel.org>
watchdog: pcwd_usb: fix NULL-deref at probe

Alan Stern <st...@rowland.harvard.edu>
USB: ene_usb6250: fix DMA to the stack

Maksim Salau <maksim...@gmail.com>
usb: misc: legousbtower: Fix memory leak

Maksim Salau <maksim...@gmail.com>
usb: misc: legousbtower: Fix buffers on stack


-------------

Diffstat:

Documentation/arm64/tagged-pointers.txt | 62 ++++++--
Makefile | 4 +-
arch/alpha/kernel/osf_sys.c | 6 +-
arch/arm/boot/dts/at91-sama5d3_xplained.dts | 5 +-
arch/arm/boot/dts/imx6sx-sdb.dts | 17 ---
arch/arm/include/asm/fixmap.h | 2 +-
arch/arm/include/asm/kvm_coproc.h | 3 +-
arch/arm/include/asm/module.h | 9 +-
arch/arm/kernel/module-plts.c | 87 +++++++----
arch/arm/kernel/module.lds | 1 +
arch/arm/kernel/setup.c | 4 +-
arch/arm/kvm/coproc.c | 77 +++++++---
arch/arm/kvm/handle_exit.c | 4 +-
arch/arm/kvm/hyp/Makefile | 2 +
arch/arm/kvm/hyp/switch.c | 4 +-
arch/arm/kvm/mmu.c | 33 +++--
arch/arm/mm/mmu.c | 16 ++-
arch/arm/mm/proc-v7m.S | 4 +-
arch/arm64/boot/dts/hisilicon/hi6220.dtsi | 3 +
arch/arm64/include/asm/asm-uaccess.h | 9 ++
arch/arm64/include/asm/barrier.h | 20 ++-
arch/arm64/include/asm/cmpxchg.h | 2 +-
arch/arm64/include/asm/uaccess.h | 9 +-
arch/arm64/kernel/armv8_deprecated.c | 3 +-
arch/arm64/kernel/entry.S | 5 +-
arch/arm64/kernel/hw_breakpoint.c | 3 +
arch/arm64/kernel/traps.c | 4 +-
arch/arm64/kvm/hyp/Makefile | 2 +
arch/metag/include/asm/uaccess.h | 49 ++++---
arch/mips/Kconfig | 1 +
arch/powerpc/include/asm/mmu_context.h | 17 ++-
arch/powerpc/kernel/eeh_driver.c | 19 ++-
arch/powerpc/kernel/exceptions-64e.S | 12 ++
arch/powerpc/kernel/mce.c | 2 +
arch/powerpc/kernel/process.c | 19 +++
arch/powerpc/kernel/sysfs.c | 6 +
arch/powerpc/kernel/traps.c | 4 +-
arch/powerpc/mm/dump_linuxpagetables.c | 7 +-
arch/powerpc/mm/mmu_context_iommu.c | 4 +-
arch/powerpc/platforms/powernv/npu-dma.c | 8 +-
arch/powerpc/platforms/powernv/pci-ioda.c | 10 +-
arch/powerpc/platforms/powernv/pci.h | 2 +-
arch/powerpc/platforms/pseries/dlpar.c | 1 -
arch/s390/kernel/crash_dump.c | 15 ++
arch/s390/kernel/entry.S | 21 ++-
arch/um/kernel/initrd.c | 4 +-
arch/um/kernel/um_arch.c | 6 +
arch/x86/include/asm/uaccess.h | 6 +-
arch/x86/kernel/fpu/init.c | 1 +
arch/x86/kvm/x86.c | 43 ++++--
drivers/acpi/pci_mcfg.c | 14 +-
drivers/block/drbd/drbd_req.c | 27 ++--
drivers/char/lp.c | 6 +-
drivers/char/mem.c | 5 +
drivers/char/tpm/tpm2_eventlog.c | 14 +-
drivers/char/tpm/tpm_crb.c | 3 +-
drivers/char/tpm/tpm_i2c_nuvoton.c | 24 ++--
drivers/char/tpm/tpm_ibmvtpm.c | 8 +-
drivers/char/tpm/tpm_tis_core.c | 6 +-
drivers/char/tpm/tpm_tis_spi.c | 160 +++++++++------------
drivers/cpuidle/cpuidle.c | 3 +-
drivers/edac/amd64_edac.c | 40 +++---
drivers/firmware/ti_sci.c | 3 +-
drivers/gpio/gpio-omap.c | 23 ++-
drivers/gpu/drm/amd/amdgpu/dce_v10_0.c | 29 ++--
drivers/gpu/drm/amd/amdgpu/dce_v11_0.c | 29 ++--
drivers/gpu/drm/amd/amdgpu/dce_v6_0.c | 36 ++---
drivers/gpu/drm/amd/amdgpu/dce_v8_0.c | 29 ++--
drivers/gpu/drm/drm_edid.c | 8 ++
drivers/gpu/drm/i915/i915_gem_stolen.c | 5 +
drivers/gpu/drm/nouveau/nv50_display.c | 18 +--
drivers/gpu/drm/nouveau/nvkm/subdev/therm/base.c | 2 +-
drivers/gpu/drm/nouveau/nvkm/subdev/therm/fan.c | 2 +-
drivers/gpu/drm/nouveau/nvkm/subdev/therm/fantog.c | 2 +-
drivers/gpu/drm/nouveau/nvkm/subdev/therm/temp.c | 2 +-
drivers/gpu/drm/nouveau/nvkm/subdev/timer/base.c | 59 +++++---
drivers/gpu/drm/nouveau/nvkm/subdev/timer/nv04.c | 2 +-
.../iio/common/hid-sensors/hid-sensor-attributes.c | 26 +++-
.../iio/common/hid-sensors/hid-sensor-trigger.c | 20 ++-
drivers/iio/dac/ad7303.c | 6 +-
drivers/iio/pressure/bmp280-core.c | 11 +-
drivers/iio/proximity/as3935.c | 3 +-
drivers/iio/trigger/stm32-timer-trigger.c | 6 +-
drivers/infiniband/core/addr.c | 4 +-
drivers/infiniband/hw/hfi1/file_ops.c | 5 +-
drivers/infiniband/hw/hfi1/init.c | 1 +
drivers/infiniband/hw/hfi1/user_exp_rcv.c | 32 +++--
drivers/infiniband/hw/hfi1/user_exp_rcv.h | 1 +
drivers/infiniband/hw/hfi1/verbs.c | 12 +-
drivers/infiniband/hw/mlx5/mr.c | 2 +-
drivers/iommu/intel-iommu.c | 5 +-
drivers/md/Kconfig | 1 +
drivers/md/dm-bufio.c | 35 +++--
drivers/md/dm-cache-metadata.c | 12 +-
drivers/md/dm-mpath.c | 47 ++++--
drivers/md/dm-rq.c | 2 +-
drivers/md/dm-thin-metadata.c | 4 +-
drivers/md/md.c | 5 +
drivers/md/persistent-data/dm-btree.c | 8 +-
drivers/md/persistent-data/dm-space-map-disk.c | 15 +-
drivers/md/raid5.c | 6 +-
drivers/media/cec/cec-core.c | 2 +-
drivers/media/dvb-frontends/cxd2841er.c | 4 +-
drivers/media/platform/s5p-mfc/s5p_mfc.c | 13 +-
drivers/media/rc/mceusb.c | 4 +-
drivers/media/usb/cx231xx/cx231xx-audio.c | 42 ++++--
drivers/media/usb/cx231xx/cx231xx-cards.c | 45 +++++-
drivers/media/usb/dvb-usb/dib0700_core.c | 3 +
drivers/media/usb/dvb-usb/dibusb-mc-common.c | 2 +
drivers/media/usb/dvb-usb/digitv.c | 3 +
drivers/media/usb/dvb-usb/dw2102.c | 54 +++++++
drivers/media/usb/dvb-usb/ttusb2.c | 19 +++
drivers/media/usb/gspca/konica.c | 3 +
drivers/media/usb/usbvision/usbvision-video.c | 9 +-
drivers/media/usb/zr364xx/zr364xx.c | 8 ++
drivers/misc/cxl/pci.c | 34 +++--
drivers/mtd/nand/nand_base.c | 70 ++++++++-
drivers/mtd/nand/omap2.c | 9 ++
drivers/mtd/nand/orion_nand.c | 42 +++---
drivers/net/irda/irda-usb.c | 2 +-
drivers/net/wireless/ath/ath9k/hif_usb.c | 4 +
drivers/net/wireless/marvell/mwifiex/cfg80211.c | 4 +-
drivers/net/wireless/marvell/mwifiex/pcie.c | 7 +
.../net/wireless/realtek/rtlwifi/rtl8821ae/phy.c | 122 +++++++++++++---
.../net/wireless/realtek/rtlwifi/rtl8821ae/reg.h | 1 +
drivers/nvdimm/bus.c | 5 +-
drivers/nvme/host/pci.c | 7 +-
drivers/of/address.c | 2 +-
drivers/of/fdt.c | 3 +
drivers/of/of_numa.c | 2 +
drivers/pci/host/pci-hyperv.c | 13 +-
drivers/pci/pci-sysfs.c | 10 +-
drivers/pci/pci.c | 9 +-
drivers/pci/proc.c | 21 ++-
drivers/regulator/rk808-regulator.c | 2 +-
drivers/regulator/tps65023-regulator.c | 3 +-
drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c | 114 +++++++++++----
drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.h | 2 +
drivers/scsi/lpfc/lpfc_crtn.h | 1 +
drivers/scsi/lpfc/lpfc_init.c | 7 +
drivers/scsi/lpfc/lpfc_sli.c | 19 ++-
drivers/staging/rtl8192e/rtl8192e/r8192E_dev.c | 24 ++--
drivers/staging/rtl8192e/rtl819x_TSProc.c | 15 +-
.../interface/vchiq_arm/vchiq_2835_arm.c | 31 ++--
drivers/thermal/mtk_thermal.c | 2 +-
drivers/usb/class/cdc-acm.c | 13 +-
drivers/usb/core/devio.c | 14 +-
drivers/usb/core/hcd.c | 4 +-
drivers/usb/core/hub.c | 19 ++-
drivers/usb/core/urb.c | 2 +-
drivers/usb/dwc3/gadget.c | 9 ++
drivers/usb/host/ohci-hcd.c | 3 +-
drivers/usb/host/ohci-pci.c | 16 +++
drivers/usb/host/ohci.h | 1 +
drivers/usb/host/xhci-hub.c | 2 +-
drivers/usb/host/xhci-mem.c | 4 +-
drivers/usb/host/xhci-pci.c | 7 +-
drivers/usb/host/xhci-plat.c | 2 +-
drivers/usb/host/xhci-ring.c | 13 +-
drivers/usb/host/xhci.c | 8 +-
drivers/usb/misc/chaoskey.c | 2 +-
drivers/usb/misc/iowarrior.c | 2 +-
drivers/usb/misc/legousbtower.c | 38 +++--
drivers/usb/musb/musb_host.c | 9 +-
drivers/usb/musb/tusb6010_omap.c | 13 +-
drivers/usb/serial/ftdi_sio.c | 10 +-
drivers/usb/serial/ftdi_sio_ids.h | 2 +
drivers/usb/serial/io_ti.c | 5 +-
drivers/usb/serial/mct_u232.c | 2 +-
drivers/usb/serial/option.c | 8 ++
drivers/usb/serial/qcserial.c | 2 +
drivers/usb/storage/ene_ub6250.c | 90 +++++++-----
drivers/uwb/i1480/dfu/usb.c | 5 +-
drivers/watchdog/pcwd_usb.c | 3 +
fs/dax.c | 32 ++---
fs/nfs/callback_proc.c | 6 +-
fs/nfs/flexfilelayout/flexfilelayoutdev.c | 2 +-
fs/nfs/nfs4proc.c | 4 +-
fs/nfs/pagelist.c | 15 +-
fs/nfs/write.c | 2 +-
fs/nfsd/nfs4proc.c | 3 +-
fs/nfsd/nfs4xdr.c | 19 ++-
fs/notify/fanotify/fanotify_user.c | 26 ++--
fs/proc/generic.c | 1 +
include/linux/fs.h | 8 +-
include/linux/hid-sensor-hub.h | 2 +
include/linux/kprobes.h | 3 +
kernel/fork.c | 10 +-
kernel/irq/chip.c | 2 +-
kernel/kprobes.c | 2 +-
kernel/pid_namespace.c | 2 +-
kernel/trace/trace_kprobe.c | 5 +
net/ipx/af_ipx.c | 5 +-
security/integrity/ima/ima_appraise.c | 5 +-
sound/hda/hdac_controller.c | 4 +
sound/soc/codecs/cs4271.c | 2 +-
virt/kvm/arm/vgic/vgic-v2.c | 7 +
virt/kvm/arm/vgic/vgic-v3.c | 7 +
198 files changed, 1908 insertions(+), 857 deletions(-)

Greg Kroah-Hartman

May 23, 2017, 4:20:25 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Anthony Mallet <anthony...@laas.fr>

commit bb246681b3ed0967489a7401ad528c1aaa1a4c2e upstream.

Commit 557aaa7ffab6 ("ft232: support the ASYNC_LOW_LATENCY
flag") enables unprivileged users to set the FTDI latency timer,
but there was a logic flaw that skipped sending the corresponding
USB control message to the device.

Specifically, the device latency timer would not be updated until next
open, something which was later also inadvertently broken by commit
c19db4c9e49a ("USB: ftdi_sio: set device latency timeout at port
probe").

A recent commit c6dce2626606 ("USB: serial: ftdi_sio: fix extreme
low-latency setting") disabled the low-latency mode by default so we now
need this fix to allow unprivileged users to again enable it.

Signed-off-by: Anthony Mallet <anthony...@laas.fr>
[johan: amend commit message]
Fixes: 557aaa7ffab6 ("ft232: support the ASYNC_LOW_LATENCY flag")
Fixes: c19db4c9e49a ("USB: ftdi_sio: set device latency timeout at port probe").
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/usb/serial/ftdi_sio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -1506,9 +1506,9 @@ static int set_serial_info(struct tty_st
(new_serial.flags & ASYNC_FLAGS));
priv->custom_divisor = new_serial.custom_divisor;

+check_and_exit:
write_latency_timer(port);

-check_and_exit:
if ((old_priv.flags & ASYNC_SPD_MASK) !=
(priv->flags & ASYNC_SPD_MASK)) {
if ((priv->flags & ASYNC_SPD_MASK) == ASYNC_SPD_HI)
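
Review bot: with `check_and_exit:` moved above it, `write_latency_timer(port);` now runs on every path through set_serial_info() that reaches the label, and its result is discarded. Consider issuing the control message only when ASYNC_LOW_LATENCY actually differs between old_priv.flags and priv->flags, in the same style as the ASYNC_SPD_MASK comparison right below it, and logging or propagating a failure so the caller is not told the setting took effect when the device never received it.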

Greg Kroah-Hartman

May 23, 2017, 4:20:25 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Maksim Salau <maksim...@gmail.com>

commit 0bd193d62b4270a2a7a09da43ad1034c7ca5b3d3 upstream.

get_version_reply is not freed if function returns with success.

Fixes: 942a48730faf ("usb: misc: legousbtower: Fix buffers on stack")
Reported-by: Heikki Krogerus <heikki....@linux.intel.com>
Signed-off-by: Maksim Salau <maksim...@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/usb/misc/legousbtower.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/usb/misc/legousbtower.c
+++ b/drivers/usb/misc/legousbtower.c
@@ -941,6 +941,7 @@ static int tower_probe (struct usb_inter
USB_MAJOR, dev->minor);

exit:
+ kfree(get_version_reply);
return retval;

error:
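
Review bot: the new `kfree(get_version_reply);` at `exit:` is only safe if get_version_reply is NULL or a valid allocation on every jump to that label, and the `error:` path that follows needs the same release unless it falls back through `exit:`. Please confirm that the pointer is initialised to NULL at declaration and that the failure path does not leak the buffer this patch frees on success.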

Greg Kroah-Hartman

May 23, 2017, 4:20:25 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Richard Cochran <rcoc...@linutronix.de>

commit c90722b54a4f5e21ac59301ed9a6dbaa439bdb16 upstream.

Commit 43530b69d758328d3ffe6ab98fd640463e8e3667 ("regulator: Use
regmap_read/write(), regmap_update_bits functions directly") intended
to replace working inline helper functions with standard regmap
calls. However, it also inverted the set/clear logic of the "CORE ADJ
Allowed" bit. That patch was clearly never tested, since without that
bit cleared, the core VDCDC1 voltage output does not react to I2C
configuration changes.

This patch fixes the issue by clearing the bit as in the original,
correct implementation. Note for stable back porting that, due to
subsequent driver churn, this patch will not apply on every kernel
version.

Fixes: 43530b69d758 ("regulator: Use regmap_read/write(), regmap_update_bits functions directly")
Signed-off-by: Richard Cochran <rcoc...@linutronix.de>
Signed-off-by: Mark Brown <bro...@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/regulator/tps65023-regulator.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/regulator/tps65023-regulator.c
+++ b/drivers/regulator/tps65023-regulator.c
@@ -311,8 +311,7 @@ static int tps_65023_probe(struct i2c_cl

/* Enable setting output voltage by I2C */
regmap_update_bits(tps->regmap, TPS65023_REG_CON_CTRL2,
- TPS65023_REG_CTRL2_CORE_ADJ,
- TPS65023_REG_CTRL2_CORE_ADJ);
+ TPS65023_REG_CTRL2_CORE_ADJ, 0);

return 0;
}
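
Review bot: the return value of regmap_update_bits() is still dropped and tps_65023_probe() goes on to `return 0;`, so an I2C failure here leaves the CORE ADJ bit in whatever state it had while probe reports success. Since the commit message says VDCDC1 ignores I2C voltage changes unless the bit is cleared, checking the result and failing probe (or at least logging) would make that breakage visible. The comment above the call could also say that the bit is cleared to enable I2C control, since the polarity is exactly what the earlier conversion got wrong.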

Greg Kroah-Hartman

May 23, 2017, 4:20:26 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Wadim Egorov <w.eg...@phytec.de>

commit 75f88115391156b3f0fecbbae76bf870c89bcab8 upstream.

Set the correct voltage select register for LDO2.

Signed-off-by: Wadim Egorov <w.eg...@phytec.de>
Signed-off-by: Mark Brown <bro...@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/regulator/rk808-regulator.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/regulator/rk808-regulator.c
+++ b/drivers/regulator/rk808-regulator.c
@@ -519,7 +519,7 @@ static const struct regulator_desc rk818
RK818_LDO1_ON_VSEL_REG, RK818_LDO_VSEL_MASK, RK818_LDO_EN_REG,
BIT(0), 400),
RK8XX_DESC(RK818_ID_LDO2, "LDO_REG2", "vcc6", 1800, 3400, 100,
- RK818_LDO1_ON_VSEL_REG, RK818_LDO_VSEL_MASK, RK818_LDO_EN_REG,
+ RK818_LDO2_ON_VSEL_REG, RK818_LDO_VSEL_MASK, RK818_LDO_EN_REG,
BIT(1), 400),
{
.name = "LDO_REG3",

Greg Kroah-Hartman

May 23, 2017, 4:20:27 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit eacb975b48272f54532b62f515a3cf7eefa35123 upstream.

Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer or accessing memory beyond the endpoint array should a
malicious device lack the expected endpoints.

Fixes: 2a9f8b5d25be ("V4L/DVB (5206): Usbvision: set alternate interface
modification")

Cc: Thierry MERLE <thierr...@free.fr>
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Hans Verkuil <hans.v...@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mch...@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/media/usb/usbvision/usbvision-video.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/media/usb/usbvision/usbvision-video.c
+++ b/drivers/media/usb/usbvision/usbvision-video.c
@@ -1501,7 +1501,14 @@ static int usbvision_probe(struct usb_in
}

for (i = 0; i < usbvision->num_alt; i++) {
- u16 tmp = le16_to_cpu(uif->altsetting[i].endpoint[1].desc.
+ u16 tmp;
+
+ if (uif->altsetting[i].desc.bNumEndpoints < 2) {
+ ret = -ENODEV;
+ goto err_pkt;
+ }
+
+ tmp = le16_to_cpu(uif->altsetting[i].endpoint[1].desc.
wMaxPacketSize);
usbvision->alt_max_pkt_size[i] =
(tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1);
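
Review bot: the new `bNumEndpoints < 2` test bounds the `endpoint[1]` index, but nothing in this loop confirms that endpoint 1 is a periodic endpoint whose wMaxPacketSize carries a transaction multiplier in bits 12:11 before the value is decoded that way. Consider also checking the endpoint type for each altsetting, and emitting a dev_err() that names the altsetting index before `goto err_pkt;` so a rejected device can be diagnosed from the log.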

Greg Kroah-Hartman

May 23, 2017, 4:25:41 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Alexander Sverdlin <alexander...@gmail.com>

commit 49b2e27ab9f66b0a22c21980ad8118a4038324ae upstream.

During reset "refactoring" the output configuration was lost.
This commit repairs sound on EDB93XX boards.

Fixes: 9a397f4 ("ASoC: cs4271: add regulator consumer support")
Signed-off-by: Alexander Sverdlin <alexander...@gmail.com>
Signed-off-by: Mark Brown <bro...@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
sound/soc/codecs/cs4271.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/soc/codecs/cs4271.c
+++ b/sound/soc/codecs/cs4271.c
@@ -498,7 +498,7 @@ static int cs4271_reset(struct snd_soc_c
struct cs4271_private *cs4271 = snd_soc_codec_get_drvdata(codec);

if (gpio_is_valid(cs4271->gpio_nreset)) {
- gpio_set_value(cs4271->gpio_nreset, 0);
+ gpio_direction_output(cs4271->gpio_nreset, 0);
mdelay(1);
gpio_set_value(cs4271->gpio_nreset, 1);
mdelay(1);
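
Review bot: gpio_direction_output() can fail, and its result is ignored here even though cs4271_reset() returns int. If the line cannot be switched to output, the following gpio_set_value() and mdelay() calls run without the reset pulse ever reaching the codec; returning the error would surface that instead of leaving the codec silently unreset.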

Greg Kroah-Hartman

May 23, 2017, 4:26:13 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit 75cf067953d5ee543b3bda90bbfcbee5e1f94ae8 upstream.

Add missing endianness conversion when using the USB device-descriptor
bcdDevice field to construct a firmware file name.

Fixes: 8ef80aef118e ("[IRDA]: irda-usb.c: STIR421x cleanups")
Cc: Nick Fedchik <nfed...@atlantic-link.com.ua>
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/net/irda/irda-usb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/irda/irda-usb.c
+++ b/drivers/net/irda/irda-usb.c
@@ -1077,7 +1077,7 @@ static int stir421x_patch_device(struct
* are "42101001.sb" or "42101002.sb"
*/
sprintf(stir421x_fw_name, "4210%4X.sb",
- self->usbdev->descriptor.bcdDevice);
+ le16_to_cpu(self->usbdev->descriptor.bcdDevice));
ret = request_firmware(&fw, stir421x_fw_name, &self->usbdev->dev);
if (ret < 0)
return ret;
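
Review bot: `%4X` pads with spaces rather than zeros, so a device reporting a bcdDevice below 0x1000 produces a firmware name with embedded blanks instead of a form like the "42101001.sb" named in the comment above the sprintf(). Since the value comes from the device descriptor, `%04X` would keep the name well-formed for any 16-bit value, and a bounded snprintf() would make the buffer limit explicit.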

Greg Kroah-Hartman

May 23, 2017, 4:30:05 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Malcolm Priestley <tvbo...@gmail.com>

commit 95d93e271d920dfda369d4740b1cc1061d41fe7f upstream.

TID 7 is a valid value for QoS IEEE 802.11e.

The switch statement that follows states 7 is valid.

Remove function IsACValid and use the default case to filter
invalid TIDs.

Signed-off-by: Malcolm Priestley <tvbo...@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/staging/rtl8192e/rtl819x_TSProc.c | 15 ++++-----------
1 file changed, 4 insertions(+), 11 deletions(-)

--- a/drivers/staging/rtl8192e/rtl819x_TSProc.c
+++ b/drivers/staging/rtl8192e/rtl819x_TSProc.c
@@ -306,11 +306,6 @@ static void MakeTSEntry(struct ts_common
pTsCommonInfo->TClasNum = TCLAS_Num;
}

-static bool IsACValid(unsigned int tid)
-{
- return tid < 7;
-}
-
bool GetTs(struct rtllib_device *ieee, struct ts_common_info **ppTS,
u8 *Addr, u8 TID, enum tr_select TxRxSelect, bool bAddNewTs)
{
@@ -328,12 +323,6 @@ bool GetTs(struct rtllib_device *ieee, s
if (ieee->current_network.qos_data.supported == 0) {
UP = 0;
} else {
- if (!IsACValid(TID)) {
- netdev_warn(ieee->dev, "%s(): TID(%d) is not valid\n",
- __func__, TID);
- return false;
- }
-
switch (TID) {
case 0:
case 3:
@@ -351,6 +340,10 @@ bool GetTs(struct rtllib_device *ieee, s
case 7:
UP = 7;
break;
+ default:
+ netdev_warn(ieee->dev, "%s(): TID(%d) is not valid\n",
+ __func__, TID);
+ return false;
}
}
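
Review bot: the new `default:` branch calls netdev_warn() each time an invalid TID is seen. If TID can be taken from received frames, the message can be triggered repeatedly by traffic, so a rate-limited or once-only warning would keep the rejection while bounding log volume. A short comment on the switch saying that the default case is now the only TID validation would also help future edits.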

Greg Kroah-Hartman

May 23, 2017, 4:30:05 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Vladimir Murzin <vladimi...@arm.com>

commit 6d80594936914e798b1b54b3bfe4bd68d8418966 upstream.

We save/restore registers around v7m_invalidate_l1 to the address pointed
to by r12, which is the vector table, so the first eight entries are
overwritten with garbage. We already have the stack set up at that stage,
so use it to save/restore the registers.

Fixes: 6a8146f420be ("ARM: 8609/1: V7M: Add support for the Cortex-M7 processor")
Signed-off-by: Vladimir Murzin <vladimi...@arm.com>
Signed-off-by: Russell King <rmk+k...@armlinux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
arch/arm/mm/proc-v7m.S | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arm/mm/proc-v7m.S
+++ b/arch/arm/mm/proc-v7m.S
@@ -147,10 +147,10 @@ __v7m_setup_cont:

@ Configure caches (if implemented)
teq r8, #0
- stmneia r12, {r0-r6, lr} @ v7m_invalidate_l1 touches r0-r6
+ stmneia sp, {r0-r6, lr} @ v7m_invalidate_l1 touches r0-r6
blne v7m_invalidate_l1
teq r8, #0 @ re-evalutae condition
- ldmneia r12, {r0-r6, lr}
+ ldmneia sp, {r0-r6, lr}

@ Configure the System Control Register to ensure 8-byte stack alignment
@ Note the STKALIGN bit is either RW or RAO.
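
Review bot: `stmneia sp, {r0-r6, lr}` has no writeback, so the eight words are stored at sp and upward and sp itself is left unchanged. That is only safe if the 32 bytes starting at sp are free scratch space at this point in setup; if sp was loaded with the top of the stack, the store lands beyond it. A push/pop pair (store with decrement and writeback, load with increment and writeback) would keep the save area inside the stack. The context line also carries a typo, "re-evalutae".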

Greg Kroah-Hartman

May 23, 2017, 4:30:05 PM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Ben Skeggs <bsk...@redhat.com>

commit 330bdf62fe6a6c5b99a647f7bf7157107c9348b3 upstream.

The idea here was to avoid having to "manually" program the HW if there's
a new earliest alarm. This was lazy and bad, as it leads to loads of fun
races between inter-related callers (ie. therm).

Turns out, it's not so difficult after all. Go figure ;)

Signed-off-by: Ben Skeggs <bsk...@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/gpu/drm/nouveau/nvkm/subdev/timer/base.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)

--- a/drivers/gpu/drm/nouveau/nvkm/subdev/timer/base.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/timer/base.c
@@ -80,12 +80,22 @@ nvkm_timer_alarm(struct nvkm_timer *tmr,
if (list->timestamp > alarm->timestamp)
break;
}
+
list_add_tail(&alarm->head, &list->head);
+
+ /* Update HW if this is now the earliest alarm. */
+ list = list_first_entry(&tmr->alarms, typeof(*list), head);
+ if (list == alarm) {
+ tmr->func->alarm_init(tmr, alarm->timestamp);
+ /* This shouldn't happen if callers aren't stupid.
+ *
+ * Worst case scenario is that it'll take roughly
+ * 4 seconds for the next alarm to trigger.
+ */
+ WARN_ON(alarm->timestamp <= nvkm_timer_read(tmr));
+ }
}
spin_unlock_irqrestore(&tmr->lock, flags);
-
- /* process pending alarms */
- nvkm_timer_alarm_trigger(tmr);
}

void
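
Review bot: the `WARN_ON(alarm->timestamp <= nvkm_timer_read(tmr));` check sits inside the spin_lock_irqsave() section and fires on every late alarm, so a misbehaving caller can flood the log with backtraces while interrupts are off. WARN_ON_ONCE() would still flag the caller. Also, with the trailing nvkm_timer_alarm_trigger() call removed, an alarm whose timestamp has already passed is no longer processed on this path; the new comment puts the worst case at roughly 4 seconds, which deserves a mention in the function's documentation for callers with tighter deadlines.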

Greg Kroah-Hartman

May 23, 2017, 4:30:05 PM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Tyrel Datwyler <tyr...@linux.vnet.ibm.com>

commit b8475cbee5ab2eac05f9cd5dbcc94c453d3cbf10 upstream.

The call to of_find_node_by_path("/cpus") returns the cpus device_node
with its reference count incremented. There is no matching of_node_put()
call in of_numa_parse_cpu_nodes() which results in a leaked reference
to the "/cpus" node.

This patch adds an of_node_put() to release the reference.

fixes: 298535c00a2c ("of, numa: Add NUMA of binding implementation.")
Signed-off-by: Tyrel Datwyler <tyr...@linux.vnet.ibm.com>
Acked-by: David Daney <david...@cavium.com>
Signed-off-by: Rob Herring <ro...@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/of/of_numa.c | 2 ++
1 file changed, 2 insertions(+)

--- a/drivers/of/of_numa.c
+++ b/drivers/of/of_numa.c
@@ -57,6 +57,8 @@ static void __init of_numa_parse_cpu_nod
else
node_set(nid, numa_nodes_parsed);
}
+
+ of_node_put(cpus);
}

static int __init of_numa_parse_memory_nodes(void)

Greg Kroah-Hartman

May 23, 2017, 4:30:05 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Al Viro <vi...@zeniv.linux.org.uk>

commit a8c39544a6eb2093c04afd5005b6192bd0e880c6 upstream.

failing sys_wait4() won't fill struct rusage...

Signed-off-by: Al Viro <vi...@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
arch/alpha/kernel/osf_sys.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

--- a/arch/alpha/kernel/osf_sys.c
+++ b/arch/alpha/kernel/osf_sys.c
@@ -1199,8 +1199,10 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, i
if (!access_ok(VERIFY_WRITE, ur, sizeof(*ur)))
return -EFAULT;

- err = 0;
- err |= put_user(status, ustatus);
+ err = put_user(status, ustatus);
+ if (ret < 0)
+ return err ? err : ret;
+
err |= __put_user(r.ru_utime.tv_sec, &ur->ru_utime.tv_sec);
err |= __put_user(r.ru_utime.tv_usec, &ur->ru_utime.tv_usec);
err |= __put_user(r.ru_stime.tv_sec, &ur->ru_stime.tv_sec);
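
Review bot: `put_user(status, ustatus)` still executes before the new `if (ret < 0)` test, so `status` is copied to user space even when the wait failed. Unless `status` is initialised before the wait call, that is the same kind of stale kernel stack disclosure the patch removes for struct rusage; moving the `ret < 0` check ahead of the put_user(), or initialising status at declaration, closes it. The access_ok() on `ur` above also still runs on the failure path, so a failing wait with a bad `ur` pointer returns -EFAULT rather than the wait error; please confirm that ordering is intended.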

Greg Kroah-Hartman

May 23, 2017, 4:30:05 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Mahesh Salgaonkar <mah...@linux.vnet.ibm.com>

commit d93b0ac01a9ce276ec39644be47001873d3d183c upstream.

machine_check_early() gets called in real mode. The very first time when
add_taint() is called, it prints a warning which ends up calling opal
call (that uses OPAL_CALL wrapper) for writing it to console. If we get a
very first machine check while we are in opal we are doomed. OPAL_CALL
overwrites the PACASAVEDMSR in r13 and in this case when we are done with
MCE handling the original opal call will use this new MSR on its way
back to opal_return. This usually leads to unexpected behaviour or the
kernel to panic. Instead move the add_taint() call later in the virtual
mode where it is safe to call.

This is broken with current FW level. We got lucky so far for not getting
very first MCE hit while in OPAL. But easily reproducible on Mambo.

Fixes: 27ea2c420cad ("powerpc: Set the correct kernel taint on machine check errors.")
Signed-off-by: Mahesh Salgaonkar <mah...@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <m...@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
arch/powerpc/kernel/mce.c | 2 ++
arch/powerpc/kernel/traps.c | 4 ++--
2 files changed, 4 insertions(+), 2 deletions(-)

--- a/arch/powerpc/kernel/mce.c
+++ b/arch/powerpc/kernel/mce.c
@@ -221,6 +221,8 @@ static void machine_check_process_queued
{
int index;

+ add_taint(TAINT_MACHINE_CHECK, LOCKDEP_NOW_UNRELIABLE);
+
/*
* For now just print it to console.
* TODO: log this error event to FSP or nvram.
--- a/arch/powerpc/kernel/traps.c
+++ b/arch/powerpc/kernel/traps.c
@@ -306,8 +306,6 @@ long machine_check_early(struct pt_regs

__this_cpu_inc(irq_stat.mce_exceptions);

- add_taint(TAINT_MACHINE_CHECK, LOCKDEP_NOW_UNRELIABLE);
-
if (cur_cpu_spec && cur_cpu_spec->machine_check_early)
handled = cur_cpu_spec->machine_check_early(regs);
return handled;
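
Review bot: once add_taint() is dropped from machine_check_early(), the taint is only set from machine_check_process_queued_event() and machine_check_exception(). A machine check that machine_check_early() handles without queuing an event or falling through to machine_check_exception() would no longer set TAINT_MACHINE_CHECK; please confirm every early-handled case reaches one of the two new call sites, and add a comment here explaining why add_taint() must not be called in real mode so it is not reintroduced.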
@@ -741,6 +739,8 @@ void machine_check_exception(struct pt_r

__this_cpu_inc(irq_stat.mce_exceptions);

+ add_taint(TAINT_MACHINE_CHECK, LOCKDEP_NOW_UNRELIABLE);
+
/* See if any machine dependent calls. In theory, we would want
* to call the CPU first, and call the ppc_md. one if the CPU
* one returns a positive number. However there is existing code

Greg Kroah-Hartman

May 23, 2017, 4:30:06 PM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Maksim Salau <maksim...@gmail.com>

commit 0bd193d62b4270a2a7a09da43ad1034c7ca5b3d3 upstream.

get_version_reply is not freed if function returns with success.

Fixes: 942a48730faf ("usb: misc: legousbtower: Fix buffers on stack")
Reported-by: Heikki Krogerus <heikki....@linux.intel.com>
Signed-off-by: Maksim Salau <maksim...@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

Greg Kroah-Hartman

May 23, 2017, 4:30:06 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Jon Derrick <jonathan...@intel.com>

commit f63572dff1421b6ca6abce71d46e03411e605c94 upstream.

CMB doesn't get unmapped until removal while getting remapped on every
reset. Add the unmapping and sysfs file removal to the reset path in
nvme_pci_disable to match the mapping path in nvme_pci_enable.

Fixes: 202021c1a ("nvme : Add sysfs entry for NVMe CMBs when appropriate")

Signed-off-by: Jon Derrick <jonathan...@intel.com>
Acked-by: Keith Busch <keith...@intel.com>
Reviewed-By: Stephen Bates <sba...@raithlin.com>
Signed-off-by: Christoph Hellwig <h...@lst.de>
Signed-off-by: Jens Axboe <ax...@fb.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/nvme/host/pci.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -1394,6 +1394,11 @@ static inline void nvme_release_cmb(stru
if (dev->cmb) {
iounmap(dev->cmb);
dev->cmb = NULL;
+ if (dev->cmbsz) {
+ sysfs_remove_file_from_group(&dev->ctrl.device->kobj,
+ &dev_attr_cmb.attr, NULL);
+ dev->cmbsz = 0;
+ }
}
}

@@ -1665,6 +1670,7 @@ static void nvme_pci_disable(struct nvme
{
struct pci_dev *pdev = to_pci_dev(dev->dev);

+ nvme_release_cmb(dev);
pci_free_irq_vectors(pdev);

if (pci_is_enabled(pdev)) {
@@ -2062,7 +2068,6 @@ static void nvme_remove(struct pci_dev *
nvme_dev_disable(dev, true);
nvme_dev_remove_admin(dev);
nvme_free_queues(dev, 0);
- nvme_release_cmb(dev);
nvme_release_prp_pools(dev);
nvme_dev_unmap(dev);
nvme_put_ctrl(&dev->ctrl);
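
Review bot: moving `nvme_release_cmb(dev);` out of nvme_remove() changes when the CMB mapping is torn down: it used to run after `nvme_free_queues(dev, 0);` and now happens in nvme_pci_disable(). If nvme_dev_disable() reaches nvme_pci_disable() and any queue memory lives in the CMB, the iounmap() in nvme_release_cmb() precedes freeing those queues, so the queue teardown path must not touch the mapping afterwards. Separately, `dev->cmbsz` is only reset inside `if (dev->cmb)`, so a state with cmbsz set and cmb NULL would keep the sysfs attribute; worth confirming that state cannot occur.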

Greg Kroah-Hartman

May 23, 2017, 4:30:06 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Roger Quadros <rog...@ti.com>

commit 2d283ede59869159f4bb84ae689258c5caffce54 upstream.

commit c9711ec5250b ("mtd: nand: omap: Clean up device tree support")
caused the parent device name to be changed from "omap2-nand.0"
to "<base address>.nand" (e.g. 30000000.nand on omap3 platforms).
This caused mtd->name to be changed as well. This breaks partition
creation via mtdparts passed by u-boot as it uses "omap2-nand.0"
for the mtd-id.

Fix this by explicitly setting the mtd->name to "omap2-nand.<CS number>"
if it isn't already set by nand_set_flash_node(). CS number is the
NAND controller instance ID.

Fixes: c9711ec5250b ("mtd: nand: omap: Clean up device tree support")
Reported-by: Leto Enrico <enric...@siemens.com>
Reported-by: Adam Ford <afor...@gmail.com>
Suggested-by: Boris Brezillon <boris.b...@free-electrons.com>
Tested-by: Adam Ford <afor...@gmail.com>
Signed-off-by: Roger Quadros <rog...@ti.com>
Signed-off-by: Boris Brezillon <boris.b...@free-electrons.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/mtd/nand/omap2.c | 9 +++++++++
1 file changed, 9 insertions(+)

--- a/drivers/mtd/nand/omap2.c
+++ b/drivers/mtd/nand/omap2.c
@@ -1856,6 +1856,15 @@ static int omap_nand_probe(struct platfo
nand_chip->ecc.priv = NULL;
nand_set_flash_node(nand_chip, dev->of_node);

+ if (!mtd->name) {
+ mtd->name = devm_kasprintf(&pdev->dev, GFP_KERNEL,
+ "omap2-nand.%d", info->gpmc_cs);
+ if (!mtd->name) {
+ dev_err(&pdev->dev, "Failed to set MTD name\n");
+ return -ENOMEM;
+ }
+ }
+
res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
nand_chip->IO_ADDR_R = devm_ioremap_resource(&pdev->dev, res);
if (IS_ERR(nand_chip->IO_ADDR_R))

Greg Kroah-Hartman

May 23, 2017, 4:30:07 PM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit 46c319b848268dab3f0e7c4a5b6e9146d3bca8a4 upstream.

Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer should a malicious device lack endpoints.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <jo...@kernel.org>
Reviewed-by: Guenter Roeck <li...@roeck-us.net>
Signed-off-by: Guenter Roeck <li...@roeck-us.net>
Signed-off-by: Wim Van Sebroeck <w...@iguana.be>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/watchdog/pcwd_usb.c | 3 +++
1 file changed, 3 insertions(+)

--- a/drivers/watchdog/pcwd_usb.c
+++ b/drivers/watchdog/pcwd_usb.c
@@ -630,6 +630,9 @@ static int usb_pcwd_probe(struct usb_int
return -ENODEV;
}

+ if (iface_desc->desc.bNumEndpoints < 1)
+ return -ENODEV;
+
/* check out the endpoint: it has to be Interrupt & IN */
endpoint = &iface_desc->endpoint[0].desc;
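
The endpoint-count check from the usbvision and pcwd_usb patches above, modelled in userspace C as an added example (not code from the kernel or from the patch authors). The struct layouts, function names and descriptor bytes are constructed for illustration; only the bNumEndpoints test and the wMaxPacketSize decoding are taken from the hunks.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical userspace stand-ins for the kernel's parsed descriptors. */
struct ep_desc {
	uint8_t bEndpointAddress;
	uint8_t bmAttributes;
	uint8_t wMaxPacketSize[2];	/* little-endian, as sent by the device */
};

struct altsetting {
	uint8_t bNumEndpoints;		/* count reported by the device */
	const struct ep_desc *endpoint;	/* NULL when bNumEndpoints == 0 */
};

static uint16_t get_le16(const uint8_t *p)
{
	return (uint16_t)(p[0] | (p[1] << 8));
}

/*
 * Bytes per (micro)frame for endpoint `idx`, decoded as in the usbvision
 * hunk: bits 10..0 are the packet size, bits 12..11 the number of
 * additional transactions. The index is checked against the device-supplied
 * count before the endpoint array is touched.
 */
static int ep_max_payload(const struct altsetting *alt, unsigned int idx,
			  unsigned int *out)
{
	uint16_t tmp;

	if (!alt->endpoint || idx >= alt->bNumEndpoints)
		return -ENODEV;

	tmp = get_le16(alt->endpoint[idx].wMaxPacketSize);
	*out = (tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1);
	return 0;
}

/* Mirrors the probe loop: every altsetting must provide endpoint[1]. */
static int probe_alt_sizes(const struct altsetting *alts, size_t num_alt,
			   unsigned int *sizes)
{
	size_t i;

	for (i = 0; i < num_alt; i++) {
		int ret = ep_max_payload(&alts[i], 1, &sizes[i]);

		if (ret)
			return ret;	/* reject the device, as the patch does */
	}
	return 0;
}

/* Constructed sample descriptors (not captured from real hardware). */
static const struct ep_desc eps_a[] = {
	{ 0x81, 0x03, { 0x08, 0x00 } },	/* interrupt IN, 8 bytes */
	{ 0x82, 0x01, { 0x00, 0x14 } },	/* isoc IN, 0x1400: 1024 bytes x 3 */
};
static const struct ep_desc eps_b[] = {
	{ 0x81, 0x03, { 0x08, 0x00 } },
	{ 0x82, 0x01, { 0xff, 0x03 } },	/* isoc IN, 0x03ff: 1023 bytes x 1 */
};
static const struct ep_desc eps_short[] = {
	{ 0x81, 0x03, { 0x08, 0x00 } },	/* second endpoint is missing */
};

static const struct altsetting good_alts[]  = { { 2, eps_a }, { 2, eps_b } };
static const struct altsetting short_alts[] = { { 2, eps_a }, { 1, eps_short } };
static const struct altsetting empty_alts[] = { { 0, NULL } };

int main(void)
{
	unsigned int sizes[2] = { 0, 0 };
	int ret;

	ret = probe_alt_sizes(good_alts, 2, sizes);
	printf("well-formed device: ret=%d sizes=%u,%u\n", ret, sizes[0], sizes[1]);

	ret = probe_alt_sizes(short_alts, 2, sizes);
	printf("altsetting with one endpoint: ret=%d\n", ret);

	ret = probe_alt_sizes(empty_alts, 1, sizes);
	printf("altsetting with no endpoints: ret=%d\n", ret);
	return 0;
}
```

Without the count check, the second and third sample devices would make the lookup read past the end of a one-entry array or dereference a NULL endpoint pointer, which are the two failure modes the commit messages name.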

Greg Kroah-Hartman

May 23, 2017, 4:30:07 PM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Gerd Hoffmann <kra...@redhat.com>

commit 21a60f6e65181cad64fd66ccc8080d413721ba27 upstream.

On a loaded virtualization host (dozen guests booting at the same time)
it may happen that the ohci controller emulation doesn't manage to do
timely frame processing, with the result that the io watchdog fires and
considers the controller being dead, even though it's only the emulation
being unusually slow due to the load peak.

So, add a quirk for qemu and don't use the watchdog in case we figure we
are running on emulated ohci. The virtual ohci controller masquerades
as apple ohci controller, but we can identify it by subsystem id.

Signed-off-by: Gerd Hoffmann <kra...@redhat.com>
Signed-off-by: Alan Stern <st...@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/usb/host/ohci-hcd.c | 3 ++-
drivers/usb/host/ohci-pci.c | 16 ++++++++++++++++
drivers/usb/host/ohci.h | 1 +
3 files changed, 19 insertions(+), 1 deletion(-)

--- a/drivers/usb/host/ohci-hcd.c
+++ b/drivers/usb/host/ohci-hcd.c
@@ -231,7 +231,8 @@ static int ohci_urb_enqueue (

/* Start up the I/O watchdog timer, if it's not running */
if (!timer_pending(&ohci->io_watchdog) &&
- list_empty(&ohci->eds_in_use)) {
+ list_empty(&ohci->eds_in_use) &&
+ !(ohci->flags & OHCI_QUIRK_QEMU)) {
ohci->prev_frame_no = ohci_frame_no(ohci);
mod_timer(&ohci->io_watchdog,
jiffies + IO_WATCHDOG_DELAY);
--- a/drivers/usb/host/ohci-pci.c
+++ b/drivers/usb/host/ohci-pci.c
@@ -164,6 +164,15 @@ static int ohci_quirk_amd700(struct usb_
return 0;
}

+static int ohci_quirk_qemu(struct usb_hcd *hcd)
+{
+ struct ohci_hcd *ohci = hcd_to_ohci(hcd);
+
+ ohci->flags |= OHCI_QUIRK_QEMU;
+ ohci_dbg(ohci, "enabled qemu quirk\n");
+ return 0;
+}
+
/* List of quirks for OHCI */
static const struct pci_device_id ohci_pci_quirks[] = {
{
@@ -214,6 +223,13 @@ static const struct pci_device_id ohci_p
PCI_DEVICE(PCI_VENDOR_ID_ATI, 0x4399),
.driver_data = (unsigned long)ohci_quirk_amd700,
},
+ {
+ .vendor = PCI_VENDOR_ID_APPLE,
+ .device = 0x003f,
+ .subvendor = PCI_SUBVENDOR_ID_REDHAT_QUMRANET,
+ .subdevice = PCI_SUBDEVICE_ID_QEMU,
+ .driver_data = (unsigned long)ohci_quirk_qemu,
+ },

/* FIXME for some of the early AMD 760 southbridges, OHCI
* won't work at all. blacklist them.
--- a/drivers/usb/host/ohci.h
+++ b/drivers/usb/host/ohci.h
@@ -418,6 +418,7 @@ struct ohci_hcd {
#define OHCI_QUIRK_AMD_PLL 0x200 /* AMD PLL quirk*/
#define OHCI_QUIRK_AMD_PREFETCH 0x400 /* pre-fetch for ISO transfer */
#define OHCI_QUIRK_GLOBAL_SUSPEND 0x800 /* must suspend ports */
+#define OHCI_QUIRK_QEMU 0x1000 /* relax timing expectations */

// there are also chip quirks/bugs in init logic
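
Review bot: the comment on `OHCI_QUIRK_QEMU` says "relax timing expectations", but the only use in this patch is in ohci_urb_enqueue(), where the flag stops the I/O watchdog from being started at all. Describing the flag as disabling the I/O watchdog would match the behaviour. The match entry keys on Apple vendor ID and device 0x003f plus the Red Hat/Qumranet subsystem IDs, so a one-line comment there noting that the subsystem IDs are what distinguish the emulated controller would help.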

Greg Kroah-Hartman

May 23, 2017, 4:30:08 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Leonard Crestez <leonard...@nxp.com>

commit d8581c7c8be172dac156a19d261f988a72ce596f upstream.

The board file for imx6sx-sdb overrides cpufreq operating points to use
higher voltages. This is done because the board has a shared rail for
VDD_ARM_IN and VDD_SOC_IN and when using LDO bypass the shared voltage
needs to be a value suitable for both ARM and SOC.

This only applies to LDO bypass mode, a feature not present in upstream.
When LDOs are enabled the effect is to use higher voltages than necessary
for no good reason.

Setting these higher voltages can make some boards fail to boot with ugly
semi-random crashes reminiscent of memory corruption. These failures only
happen on board rev. C, rev. B is reported to still work.

Signed-off-by: Leonard Crestez <leonard...@nxp.com>
Fixes: 54183bd7f766 ("ARM: imx6sx-sdb: add revb board and make it default")
Signed-off-by: Shawn Guo <shaw...@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
arch/arm/boot/dts/imx6sx-sdb.dts | 17 -----------------
1 file changed, 17 deletions(-)

--- a/arch/arm/boot/dts/imx6sx-sdb.dts
+++ b/arch/arm/boot/dts/imx6sx-sdb.dts
@@ -12,23 +12,6 @@
model = "Freescale i.MX6 SoloX SDB RevB Board";
};

-&cpu0 {
- operating-points = <
- /* kHz uV */
- 996000 1250000
- 792000 1175000
- 396000 1175000
- 198000 1175000
- >;
- fsl,soc-operating-points = <
- /* ARM kHz SOC uV */
- 996000 1250000
- 792000 1175000
- 396000 1175000
- 198000 1175000
- >;
-};
-
&i2c1 {
clock-frequency = <100000>;
pinctrl-names = "default";

Greg Kroah-Hartman

May 23, 2017, 4:30:08 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Malcolm Priestley <tvbo...@gmail.com>

commit 90be652c9f157d44b9c2803f902a8839796c090d upstream.

EPROM_CMD is 2 byte aligned on PCI map so calling with rtl92e_readl
will return invalid data so use rtl92e_readw.

The device is unable to select the right eeprom type.

Signed-off-by: Malcolm Priestley <tvbo...@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/staging/rtl8192e/rtl8192e/r8192E_dev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/rtl8192e/rtl8192e/r8192E_dev.c
+++ b/drivers/staging/rtl8192e/rtl8192e/r8192E_dev.c
@@ -627,7 +627,7 @@ void rtl92e_get_eeprom_size(struct net_d
struct r8192_priv *priv = rtllib_priv(dev);

RT_TRACE(COMP_INIT, "===========>%s()\n", __func__);
- curCR = rtl92e_readl(dev, EPROM_CMD);
+ curCR = rtl92e_readw(dev, EPROM_CMD);
RT_TRACE(COMP_INIT, "read from Reg Cmd9346CR(%x):%x\n", EPROM_CMD,
curCR);
priv->epromtype = (curCR & EPROM_CMD_9356SEL) ? EEPROM_93C56 :

Greg Kroah-Hartman

May 23, 2017, 4:30:09 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: J. Bruce Fields <bfi...@redhat.com>

commit f961e3f2acae94b727380c0b74e2d3954d0edf79 upstream.

In error cases, lgp->lg_layout_type may be out of bounds; so we
shouldn't be using it until after the check of nfserr.

This was seen to crash nfsd threads when the server receives a LAYOUTGET
request with a large layout type.

GETDEVICEINFO has the same problem.

Reported-by: Ari Kauppi <Ari.K...@synopsys.com>
Reviewed-by: Christoph Hellwig <h...@lst.de>
Signed-off-by: J. Bruce Fields <bfi...@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
fs/nfsd/nfs4xdr.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -4119,8 +4119,7 @@ nfsd4_encode_getdeviceinfo(struct nfsd4_
struct nfsd4_getdeviceinfo *gdev)
{
struct xdr_stream *xdr = &resp->xdr;
- const struct nfsd4_layout_ops *ops =
- nfsd4_layout_ops[gdev->gd_layout_type];
+ const struct nfsd4_layout_ops *ops;
u32 starting_len = xdr->buf->len, needed_len;
__be32 *p;

@@ -4137,6 +4136,7 @@ nfsd4_encode_getdeviceinfo(struct nfsd4_

/* If maxcount is 0 then just update notifications */
if (gdev->gd_maxcount != 0) {
+ ops = nfsd4_layout_ops[gdev->gd_layout_type];
nfserr = ops->encode_getdeviceinfo(xdr, gdev);
if (nfserr) {
/*
@@ -4189,8 +4189,7 @@ nfsd4_encode_layoutget(struct nfsd4_comp
struct nfsd4_layoutget *lgp)
{
struct xdr_stream *xdr = &resp->xdr;
- const struct nfsd4_layout_ops *ops =
- nfsd4_layout_ops[lgp->lg_layout_type];
+ const struct nfsd4_layout_ops *ops;
__be32 *p;

dprintk("%s: err %d\n", __func__, nfserr);
@@ -4213,6 +4212,7 @@ nfsd4_encode_layoutget(struct nfsd4_comp
*p++ = cpu_to_be32(lgp->lg_seg.iomode);
*p++ = cpu_to_be32(lgp->lg_layout_type);

+ ops = nfsd4_layout_ops[lgp->lg_layout_type];
nfserr = ops->encode_layoutget(xdr, lgp);
out:
kfree(lgp->lg_content);
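
Review bot: `ops = nfsd4_layout_ops[lgp->lg_layout_type];` is now safe only because it is placed after the nfserr check; the index itself is still used without a range test. The same holds for the gd_layout_type lookup in nfsd4_encode_getdeviceinfo() above. Since the value originates in a client request, an explicit bound check against the table size at each lookup, or a comment stating that a zero nfserr guarantees a validated layout type, would keep a later reordering from reintroducing the out-of-bounds read.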

Greg Kroah-Hartman

May 23, 2017, 4:30:09 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Mark Rutland <mark.r...@arm.com>

commit fee960bed5e857eb126c4e56dd9ff85938356579 upstream.

The inline assembly in __XCHG_CASE() uses a +Q constraint to hazard
against other accesses to the memory location being exchanged. However,
the pointer passed to the constraint is a u8 pointer, and thus the
hazard only applies to the first byte of the location.

GCC can take advantage of this, assuming that other portions of the
location are unchanged, as demonstrated with the following test case:

union u {
	unsigned long l;
	unsigned int i[2];
};

unsigned long update_char_hazard(union u *u)
{
	unsigned int a, b;

	a = u->i[1];
	asm ("str %1, %0" : "+Q" (*(char *)&u->l) : "r" (0UL));
	b = u->i[1];

	return a ^ b;
}

unsigned long update_long_hazard(union u *u)
{
	unsigned int a, b;

	a = u->i[1];
	asm ("str %1, %0" : "+Q" (*(long *)&u->l) : "r" (0UL));
	b = u->i[1];

	return a ^ b;
}

The linaro 15.08 GCC 5.1.1 toolchain compiles the above as follows when
using -O2 or above:

0000000000000000 <update_char_hazard>:
0: d2800001 mov x1, #0x0 // #0
4: f9000001 str x1, [x0]
8: d2800000 mov x0, #0x0 // #0
c: d65f03c0 ret

0000000000000010 <update_long_hazard>:
10: b9400401 ldr w1, [x0,#4]
14: d2800002 mov x2, #0x0 // #0
18: f9000002 str x2, [x0]
1c: b9400400 ldr w0, [x0,#4]
20: 4a000020 eor w0, w1, w0
24: d65f03c0 ret

This patch fixes the issue by passing an unsigned long pointer into the
+Q constraint, as we do for our cmpxchg code. This may hazard against
more than is necessary, but this is better than missing a necessary
hazard.

Fixes: 305d454aaa29 ("arm64: atomics: implement native {relaxed, acquire, release} atomics")
Acked-by: Will Deacon <will....@arm.com>
Signed-off-by: Mark Rutland <mark.r...@arm.com>
Signed-off-by: Catalin Marinas <catalin...@arm.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
arch/arm64/include/asm/cmpxchg.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm64/include/asm/cmpxchg.h
+++ b/arch/arm64/include/asm/cmpxchg.h
@@ -46,7 +46,7 @@ static inline unsigned long __xchg_case_
" swp" #acq_lse #rel #sz "\t%" #w "3, %" #w "0, %2\n" \
__nops(3) \
" " #nop_lse) \
- : "=&r" (ret), "=&r" (tmp), "+Q" (*(u8 *)ptr) \
+ : "=&r" (ret), "=&r" (tmp), "+Q" (*(unsigned long *)ptr) \
: "r" (x) \
: cl); \
\
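
Review bot: the `+Q` operand in __XCHG_CASE() is now `*(unsigned long *)ptr` for every `sz` variant, so the constraint tells the compiler that a full unsigned long at `ptr` may change even when the instruction touches fewer bytes. That is the safe direction, as the commit message says, but the macro carries no comment explaining why the cast is wider than the access; add one so the cast is not narrowed again in a later cleanup.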

Greg Kroah-Hartman

May 23, 2017, 4:30:09 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Chris Wilson <ch...@chris-wilson.co.uk>

commit 04a68a35ce6d7b54749989f943993020f48fed62 upstream.

Explicitly disable stolen memory when running as a guest in a virtual
machine, since the memory is not mediated between clients and reserved
entirely for the host. The actual size should be reported as zero, but
like every other quirk we want to tell the user what is happening.

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=99028
Signed-off-by: Chris Wilson <ch...@chris-wilson.co.uk>
Cc: Zhenyu Wang <zhe...@linux.intel.com>
Cc: Joonas Lahtinen <joonas....@linux.intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20161109103905...@chris-wilson.co.uk
Reviewed-by: Zhenyu Wang <zhe...@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/gpu/drm/i915/i915_gem_stolen.c | 5 +++++
1 file changed, 5 insertions(+)

--- a/drivers/gpu/drm/i915/i915_gem_stolen.c
+++ b/drivers/gpu/drm/i915/i915_gem_stolen.c
@@ -410,6 +410,11 @@ int i915_gem_init_stolen(struct drm_i915
return 0;
}

+ if (intel_vgpu_active(dev_priv)) {
+ DRM_INFO("iGVT-g active, disabling use of stolen memory\n");
+ return 0;
+ }
+
#ifdef CONFIG_INTEL_IOMMU
if (intel_iommu_gfx_mapped && INTEL_GEN(dev_priv) < 8) {
DRM_INFO("DMAR active, disabling use of stolen memory\n");

Greg Kroah-Hartman

May 23, 2017, 4:30:09 PM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Vaibhav Jain <vai...@linux.vnet.ibm.com>

commit 4f58f0bf155e87dda31a3088b1e107fa9dd79f0e upstream.

Fix a boundary condition where in some cases an eeh event that results
in card reset isn't passed on to a driver attached to the virtual PCI
device associated with a slice. This will happen in case when a slice
attached device driver returns a value other than
PCI_ERS_RESULT_NEED_RESET from the eeh error_detected() callback. This
would result in an early return from cxl_pci_error_detected() and
other drivers attached to other AFUs on the card won't be notified.

The patch fixes this by making sure that all slice attached
device-drivers are notified and the return values from
error_detected() callback are aggregated in a scheme where request for
'disconnect' trumps all and 'none' trumps 'need_reset'.

Fixes: 9e8df8a21963 ("cxl: EEH support")
Signed-off-by: Vaibhav Jain <vai...@linux.vnet.ibm.com>
Reviewed-by: Andrew Donnellan <andrew.d...@au1.ibm.com>
Acked-by: Frederic Barrat <fba...@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <m...@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/misc/cxl/pci.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)

--- a/drivers/misc/cxl/pci.c
+++ b/drivers/misc/cxl/pci.c
@@ -1779,7 +1779,7 @@ static pci_ers_result_t cxl_pci_error_de
{
struct cxl *adapter = pci_get_drvdata(pdev);
struct cxl_afu *afu;
- pci_ers_result_t result = PCI_ERS_RESULT_NEED_RESET;
+ pci_ers_result_t result = PCI_ERS_RESULT_NEED_RESET, afu_result;
int i;

/* At this point, we could still have an interrupt pending.
@@ -1884,15 +1884,18 @@ static pci_ers_result_t cxl_pci_error_de
for (i = 0; i < adapter->slices; i++) {
afu = adapter->afu[i];

- result = cxl_vphb_error_detected(afu, state);
-
- /* Only continue if everyone agrees on NEED_RESET */
- if (result != PCI_ERS_RESULT_NEED_RESET)
- return result;
+ afu_result = cxl_vphb_error_detected(afu, state);

cxl_context_detach_all(afu);
cxl_ops->afu_deactivate_mode(afu, afu->current_mode);
pci_deconfigure_afu(afu);
+
+ /* Disconnect trumps all, NONE trumps NEED_RESET */
+ if (afu_result == PCI_ERS_RESULT_DISCONNECT)
+ result = PCI_ERS_RESULT_DISCONNECT;
+ else if ((afu_result == PCI_ERS_RESULT_NONE) &&
+ (result == PCI_ERS_RESULT_NEED_RESET))
+ result = PCI_ERS_RESULT_NONE;
}

/* should take the context lock here */
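
Review bot: the aggregation at the end of the loop body handles only PCI_ERS_RESULT_DISCONNECT and PCI_ERS_RESULT_NONE, so any other value returned by cxl_vphb_error_detected() leaves `result` unchanged and is treated like NEED_RESET. The old code returned such values to the caller as-is; if folding them into NEED_RESET is intended, extend the "Disconnect trumps all" comment to say so.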

Greg Kroah-Hartman

May 23, 2017, 4:30:09 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Julius Werner <jwe...@chromium.org>

commit b299cde245b0b76c977f4291162cf668e087b408 upstream.

/dev/mem currently allows mmap() mappings that wrap around the end of
the physical address space, which should probably be illegal. It
circumvents the existing STRICT_DEVMEM permission check because the loop
immediately terminates (as the start address is already higher than the
end address). On the x86_64 architecture it will then cause a panic
(from the BUG(start >= end) in arch/x86/mm/pat.c:reserve_memtype()).

This patch adds an explicit check to make sure offset + size will not
wrap around in the physical address type.

Signed-off-by: Julius Werner <jwe...@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/char/mem.c | 5 +++++
1 file changed, 5 insertions(+)

--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -340,6 +340,11 @@ static const struct vm_operations_struct
static int mmap_mem(struct file *file, struct vm_area_struct *vma)
{
size_t size = vma->vm_end - vma->vm_start;
+ phys_addr_t offset = (phys_addr_t)vma->vm_pgoff << PAGE_SHIFT;
+
+ /* It's illegal to wrap around the end of the physical address space. */
+ if (offset + (phys_addr_t)size < offset)
+ return -EINVAL;

if (!valid_mmap_phys_addr_range(vma->vm_pgoff, size))
return -EINVAL;
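
Review bot: two edge cases in the new check at the top of mmap_mem(). First, `offset + (phys_addr_t)size < offset` also fires when the mapping ends exactly at the top of the physical address space, because the sum wraps to 0; comparing `offset + (phys_addr_t)size - 1 < offset` would reject only ranges that really wrap. Second, `(phys_addr_t)vma->vm_pgoff << PAGE_SHIFT` can itself lose high bits when the shifted value does not fit in phys_addr_t, so testing `offset >> PAGE_SHIFT == vma->vm_pgoff` before the wrap test would close that gap.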

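A user-space model of the bypass described in the commit message above, added here as an example and not part of the original patch or the kernel source. `range_is_allowed()` imitates a per-page permission loop; `page_is_allowed()`, its 1 MiB policy, the 64-bit `phys_addr_t` and the sample inputs are assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1ULL << PAGE_SHIFT)

typedef uint64_t phys_addr_t;	/* assumption: 64-bit physical addresses */

/* Hypothetical policy for the demo: only the first 1 MiB may be mapped. */
static bool page_is_allowed(uint64_t pfn)
{
	return pfn < 256;
}

/*
 * Per-page permission walk over [from, from + size). When from + size
 * wraps, "to" ends up below "from" and the loop body never runs, so the
 * range is reported as allowed without a single page being checked.
 */
static bool range_is_allowed(uint64_t pfn, uint64_t size)
{
	uint64_t from = pfn << PAGE_SHIFT;
	uint64_t to = from + size;
	uint64_t cursor = from;

	while (cursor < to) {
		if (!page_is_allowed(pfn))
			return false;
		cursor += PAGE_SIZE;
		pfn++;
	}
	return true;
}

/* Behaviour before the patch: only the permission walk. */
static int mmap_check_before(uint64_t pgoff, uint64_t size)
{
	return range_is_allowed(pgoff, size) ? 0 : -EPERM;
}

/* Behaviour after the patch: reject wrap-around first, then walk. */
static int mmap_check_after(uint64_t pgoff, uint64_t size)
{
	phys_addr_t offset = (phys_addr_t)pgoff << PAGE_SHIFT;

	if (offset + (phys_addr_t)size < offset)
		return -EINVAL;
	return range_is_allowed(pgoff, size) ? 0 : -EPERM;
}

int main(void)
{
	/* Constructed inputs: page offset and mapping size in bytes. */
	const struct {
		const char *name;
		uint64_t pgoff, size;
	} cases[] = {
		{ "low page, inside policy",  1,                     PAGE_SIZE },
		{ "page outside policy",      300,                   PAGE_SIZE },
		{ "last page, size wraps",    0x000FFFFFFFFFFFFFULL, 2 * PAGE_SIZE },
	};

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%-26s before=%d after=%d\n", cases[i].name,
		       mmap_check_before(cases[i].pgoff, cases[i].size),
		       mmap_check_after(cases[i].pgoff, cases[i].size));
	return 0;
}
```

The third case is the one the patch targets: the walk alone returns 0 for a range no page of which satisfies the policy, while the explicit wrap test returns -EINVAL.
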
Greg Kroah-Hartman

May 23, 2017, 4:30:09 PM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit 75cf067953d5ee543b3bda90bbfcbee5e1f94ae8 upstream.

Add missing endianness conversion when using the USB device-descriptor
bcdDevice field to construct a firmware file name.

Fixes: 8ef80aef118e ("[IRDA]: irda-usb.c: STIR421x cleanups")
Cc: Nick Fedchik <nfed...@atlantic-link.com.ua>
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/net/irda/irda-usb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

Greg Kroah-Hartman

May 23, 2017, 4:30:09 PM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Matthias Lange <matthia...@kernkonzept.com>

commit 5db851cf20857c5504b146046e97cb7781f2a743 upstream.

There is no reason to restrict allocations to the first 16MB ISA DMA
addresses.

It is causing problems in a virtualization setup with enabled IOMMU
(x86_64). The result is that USB is not working in the VM.

Signed-off-by: Matthias Lange <matthia...@kernkonzept.com>
Signed-off-by: Mathias Nyman <mathia...@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/usb/host/xhci-mem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -56,7 +56,7 @@ static struct xhci_segment *xhci_segment
}

if (max_packet) {
- seg->bounce_buf = kzalloc(max_packet, flags | GFP_DMA);
+ seg->bounce_buf = kzalloc(max_packet, flags);
if (!seg->bounce_buf) {
dma_pool_free(xhci->segment_pool, seg->trbs, dma);
kfree(seg);

Greg Kroah-Hartman

May 23, 2017, 4:30:10 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Fred Isaman <fred....@gmail.com>

commit 1f84ccdf37d0db3a70714d02d51b0b6d45887fb8 upstream.

Signed-off-by: Fred Isaman <fred....@gmail.com>
Fixes: 0bcbf039f6b2b ("nfs: handle request add failure properly")
Signed-off-by: Trond Myklebust <trond.m...@primarydata.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
fs/nfs/write.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/nfs/write.c
+++ b/fs/nfs/write.c
@@ -548,9 +548,9 @@ static void nfs_write_error_remove_page(
{
nfs_unlock_request(req);
nfs_end_page_writeback(req);
- nfs_release_request(req);
generic_error_remove_page(page_file_mapping(req->wb_page),
req->wb_page);
+ nfs_release_request(req);
}

/*
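
Review bot: moving nfs_release_request(req) to the end of nfs_write_error_remove_page() matters because generic_error_remove_page() still dereferences `req->wb_page`, but the commit message has no description and the function has no comment, so the ordering constraint is undocumented. Add a short comment above the final nfs_release_request(req) stating that `req` must not be touched after it.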

Greg Kroah-Hartman

May 23, 2017, 4:30:10 PM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Linus Torvalds <torv...@linux-foundation.org>

commit 33c9e9729033387ef0521324c62e7eba529294af upstream.

The code to fetch a 64-bit value from user space was entirely buggered,
and has been since the code was merged in early 2016 in commit
b2f680380ddf ("x86/mm/32: Add support for 64-bit __get_user() on 32-bit
kernels").

Happily the buggered routine is almost certainly entirely unused, since
the normal way to access user space memory is just with the non-inlined
"get_user()", and the inlined version didn't even historically exist.

The normal "get_user()" case is handled by external hand-written asm in
arch/x86/lib/getuser.S that doesn't have either of these issues.

There were two independent bugs in __get_user_asm_u64():

- it still did the STAC/CLAC user space access marking, even though
that is now done by the wrapper macros, see commit 11f1a4b9755f
("x86: reorganize SMAP handling in user space accesses").

This didn't result in a semantic error, it just means that the
inlined optimized version was hugely less efficient than the
allegedly slower standard version, since the CLAC/STAC overhead is
quite high on modern Intel CPU's.

- the double register %eax/%edx was marked as an output, but the %eax
part of it was touched early in the asm, and could thus clobber other
inputs to the asm that gcc didn't expect it to touch.

In particular, that meant that the generated code could look like
this:

mov (%eax),%eax
mov 0x4(%eax),%edx

where the load of %edx obviously was _supposed_ to be from the 32-bit
word that followed the source of %eax, but because %eax was
overwritten by the first instruction, the source of %edx was
basically random garbage.

The fixes are trivial: remove the extraneous STAC/CLAC entries, and mark
the 64-bit output as early-clobber to let gcc know that no inputs should
alias with the output register.

Cc: Al Viro <vi...@zeniv.linux.org.uk>
Cc: Benjamin LaHaise <bc...@kvack.org>
Cc: Ingo Molnar <mi...@kernel.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
arch/x86/include/asm/uaccess.h | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -315,10 +315,10 @@ do { \
#define __get_user_asm_u64(x, ptr, retval, errret) \
({ \
__typeof__(ptr) __ptr = (ptr); \
- asm volatile(ASM_STAC "\n" \
+ asm volatile("\n" \
"1: movl %2,%%eax\n" \
"2: movl %3,%%edx\n" \
- "3: " ASM_CLAC "\n" \
+ "3:\n" \
".section .fixup,\"ax\"\n" \
"4: mov %4,%0\n" \
" xorl %%eax,%%eax\n" \
@@ -327,7 +327,7 @@ do { \
".previous\n" \
_ASM_EXTABLE(1b, 4b) \
_ASM_EXTABLE(2b, 4b) \
- : "=r" (retval), "=A"(x) \
+ : "=r" (retval), "=&A"(x) \
: "m" (__m(__ptr)), "m" __m(((u32 *)(__ptr)) + 1), \
"i" (errret), "0" (retval)); \
})
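
Review bot: two small points on __get_user_asm_u64(). After dropping ASM_STAC the template now opens with a bare "\n" string that emits only an empty line; start the asm at the `1: movl %2,%%eax` line instead. The change from `"=A"` to `"=&A"` in the output list is the actual correctness fix, yet nothing in the macro says why the early-clobber is needed or that the caller now owns the STAC/CLAC bracketing; a two-line comment above the asm would keep both from being undone.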

Greg Kroah-Hartman

May 23, 2017, 4:30:10 PM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Ben Skeggs <bsk...@redhat.com>

commit 9fc64667ee48c9a25e7dca1a6bcb6906fec5bcc5 upstream.

At least therm/fantog "attempts" to work around this issue, which could
lead to corruption of the pending alarm list.

Fix it properly by not updating the timestamp without the lock held, or
trying to add an already pending alarm to the pending alarm list....

Signed-off-by: Ben Skeggs <bsk...@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/gpu/drm/nouveau/nvkm/subdev/timer/base.c | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)

--- a/drivers/gpu/drm/nouveau/nvkm/subdev/timer/base.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/timer/base.c
@@ -65,14 +65,17 @@ nvkm_timer_alarm(struct nvkm_timer *tmr,
struct nvkm_alarm *list;
unsigned long flags;

- alarm->timestamp = nvkm_timer_read(tmr) + nsec;
-
- /* append new alarm to list, in soonest-alarm-first order */
+ /* Remove alarm from pending list.
+ *
+ * This both protects against the corruption of the list,
+ * and implements alarm rescheduling/cancellation.
+ */
spin_lock_irqsave(&tmr->lock, flags);
- if (!nsec) {
- if (!list_empty(&alarm->head))
- list_del(&alarm->head);
- } else {
+ list_del_init(&alarm->head);
+
+ if (nsec) {
+ /* Insert into pending list, ordered earliest to latest. */
+ alarm->timestamp = nvkm_timer_read(tmr) + nsec;
list_for_each_entry(list, &tmr->alarms, head) {
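
Review bot: the unconditional `list_del_init(&alarm->head)` at the top of the locked section assumes every alarm passed to nvkm_timer_alarm() has had its list head initialised; the code it replaces only deleted on the `!nsec` path and guarded that with list_empty(). State that precondition in the new comment, or confirm that all alarm users initialise `head` before their first call.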

Greg Kroah-Hartman

May 23, 2017, 4:30:10 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Thomas Gleixner <tg...@linutronix.de>

commit 30e7d894c1478c88d50ce94ddcdbd7f9763d9cdd upstream.

Enabling the tracer selftest triggers occasionally the warning in
text_poke(), which warns when the to be modified page is not marked
reserved.

The reason is that the tracer selftest installs kprobes on functions marked
__init for testing. These probes are removed after the tests, but that
removal schedules the delayed kprobes_optimizer work, which will do the
actual text poke. If the work is executed after the init text is freed,
then the warning triggers. The bug can be reproduced reliably when the work
delay is increased.

Flush the optimizer work and wait for the optimizing/unoptimizing lists to
become empty before returning from the kprobes tracer selftest. That
ensures that all operations which were queued due to the probes removal
have completed.

Link: http://lkml.kernel.org/r/20170516094...@gandalf.local.home

Signed-off-by: Thomas Gleixner <tg...@linutronix.de>
Acked-by: Masami Hiramatsu <mhir...@kernel.org>
Fixes: 6274de498 ("kprobes: Support delayed unoptimizing")
Signed-off-by: Steven Rostedt (VMware) <ros...@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
include/linux/kprobes.h | 3 +++
kernel/kprobes.c | 2 +-
kernel/trace/trace_kprobe.c | 5 +++++
3 files changed, 9 insertions(+), 1 deletion(-)

--- a/include/linux/kprobes.h
+++ b/include/linux/kprobes.h
@@ -347,6 +347,9 @@ extern int proc_kprobes_optimization_han
int write, void __user *buffer,
size_t *length, loff_t *ppos);
#endif
+extern void wait_for_kprobe_optimizer(void);
+#else
+static inline void wait_for_kprobe_optimizer(void) { }
#endif /* CONFIG_OPTPROBES */
#ifdef CONFIG_KPROBES_ON_FTRACE
extern void kprobe_ftrace_handler(unsigned long ip, unsigned long parent_ip,
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -598,7 +598,7 @@ static void kprobe_optimizer(struct work
}

/* Wait for completing optimization and unoptimization */
-static void wait_for_kprobe_optimizer(void)
+void wait_for_kprobe_optimizer(void)
{
mutex_lock(&kprobe_mutex);

--- a/kernel/trace/trace_kprobe.c
+++ b/kernel/trace/trace_kprobe.c
@@ -1511,6 +1511,11 @@ static __init int kprobe_trace_self_test

end:
release_all_trace_kprobes();
+ /*
+ * Wait for the optimizer work to finish. Otherwise it might fiddle
+ * with probes in already freed __init text.
+ */
+ wait_for_kprobe_optimizer();
if (warn)
pr_cont("NG: Some tests are failed. Please check them.\n");
else

Greg Kroah-Hartman

May 23, 2017, 4:30:10 PM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <ti...@suse.de>

commit d66bb1607e2d8d384e53f3d93db5c18483c8c4f7 upstream.

proc_create_mount_point() forgot to increase the parent's nlink, and
it resulted in unbalanced hard link numbers, e.g. /proc/fs shows one
less than expected.

Fixes: eb6d38d5427b ("proc: Allow creating permanently empty directories...")
Reported-by: Tristan Ye <trist...@suse.com>
Signed-off-by: Takashi Iwai <ti...@suse.de>
Signed-off-by: Eric W. Biederman <ebie...@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
fs/proc/generic.c | 1 +
1 file changed, 1 insertion(+)

--- a/fs/proc/generic.c
+++ b/fs/proc/generic.c
@@ -471,6 +471,7 @@ struct proc_dir_entry *proc_create_mount
ent->data = NULL;
ent->proc_fops = NULL;
ent->proc_iops = NULL;
+ parent->nlink++;
if (proc_register(parent, ent) < 0) {
kfree(ent);
parent->nlink--;

Greg Kroah-Hartman

May 23, 2017, 4:30:10 PM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit 49e67dd17649b60b4d54966e18ec9c80198227f0 upstream.

The memory allocator passed to __unflatten_device_tree() (e.g. a wrapped
kzalloc) can fail so add the missing sanity check to avoid dereferencing
a NULL pointer.

Fixes: fe14042358fa ("of/flattree: Refactor unflatten_device_tree and add fdt_unflatten_tree")
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Rob Herring <ro...@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/of/fdt.c | 3 +++
1 file changed, 3 insertions(+)

--- a/drivers/of/fdt.c
+++ b/drivers/of/fdt.c
@@ -505,6 +505,9 @@ static void *__unflatten_device_tree(con

/* Allocate memory for the expanded device tree */
mem = dt_alloc(size + 4, __alignof__(struct device_node));
+ if (!mem)
+ return NULL;
+
memset(mem, 0, size);

*(__be32 *)(mem + size) = cpu_to_be32(0xdeadbeef);

Greg Kroah-Hartman

May 23, 2017, 4:30:10 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: David Woodhouse <dw...@amazon.co.uk>

commit cef4d02305a06be581bb7f4353446717a1b319ec upstream.

The /proc/bus/pci mmap interface allows the user to specify whether they
want WC or not. Don't let them do so on non-prefetchable BARs.

Signed-off-by: David Woodhouse <dw...@amazon.co.uk>
Signed-off-by: Bjorn Helgaas <bhel...@google.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/pci/proc.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)

--- a/drivers/pci/proc.c
+++ b/drivers/pci/proc.c
@@ -231,7 +231,7 @@ static int proc_bus_pci_mmap(struct file
{
struct pci_dev *dev = PDE_DATA(file_inode(file));
struct pci_filp_private *fpriv = file->private_data;
- int i, ret, write_combine, res_bit;
+ int i, ret, write_combine = 0, res_bit;

if (!capable(CAP_SYS_RAWIO))
return -EPERM;
@@ -251,10 +251,13 @@ static int proc_bus_pci_mmap(struct file
if (i >= PCI_ROM_RESOURCE)
return -ENODEV;

- if (fpriv->mmap_state == pci_mmap_mem)
- write_combine = fpriv->write_combine;
- else
- write_combine = 0;
+ if (fpriv->mmap_state == pci_mmap_mem &&
+ fpriv->write_combine) {
+ if (dev->resource[i].flags & IORESOURCE_PREFETCH)
+ write_combine = 1;
+ else
+ return -EINVAL;
+ }
ret = pci_mmap_page_range(dev, vma,
fpriv->mmap_state, write_combine);
if (ret < 0)
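
Review bot: the new `return -EINVAL` in proc_bus_pci_mmap() turns a write-combine request on a resource without IORESOURCE_PREFETCH into a hard failure, where the old code passed `fpriv->write_combine` straight through to pci_mmap_page_range(). That is a user-visible change for existing /proc/bus/pci users, so it deserves a comment at the check and a sentence in the changelog naming the new error.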

Greg Kroah-Hartman

May 23, 2017, 4:30:10 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Jon Medhurst <ti...@linaro.org>

commit b089c31c519c3906c14801b6ec483e18a5152a50 upstream.

To cope with the variety in ARM architectures and configurations, the
pagetable attributes for kernel memory are generated at runtime to match
the system the kernel finds itself on. This calculated value is stored
in pgprot_kernel.

However, when early fixmap support was added for ARM (commit
a5f4c561b3b1) the attributes used for mappings were hard coded because
pgprot_kernel is not set up early enough. Unfortunately, when fixmap is
used after early boot this means the memory being mapped can have
different attributes to existing mappings, potentially leading to
unpredictable behaviour. A specific problem also exists due to the hard
coded values not including the 'shareable' attribute, which means on
systems where this matters (e.g. those with multiple CPU clusters) the
cache contents for a memory location can become inconsistent between
CPUs.

To resolve these issues we change fixmap to use the same memory
attributes (from pgprot_kernel) that the rest of the kernel uses. To
enable this we need to refactor the initialisation code so
build_mem_type_table() is called early enough. Note, that relies on early
param parsing for memory type overrides passed via the kernel command
line, so we need to make sure this call is still after
parse_early_params().

[ardb: keep early_fixmap_init() before param parsing, for earlycon]

Fixes: a5f4c561b3b1 ("ARM: 8415/1: early fixmap support for earlycon")
Tested-by: afzal mohammed <afzal....@gmail.com>
Signed-off-by: Jon Medhurst <ti...@linaro.org>
Signed-off-by: Ard Biesheuvel <ard.bie...@linaro.org>
Signed-off-by: Russell King <rmk+k...@armlinux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
arch/arm/include/asm/fixmap.h | 2 +-
arch/arm/kernel/setup.c | 4 ++--
arch/arm/mm/mmu.c | 16 +++++++++++++---
3 files changed, 16 insertions(+), 6 deletions(-)

--- a/arch/arm/include/asm/fixmap.h
+++ b/arch/arm/include/asm/fixmap.h
@@ -41,7 +41,7 @@ static const enum fixed_addresses __end_

#define FIXMAP_PAGE_COMMON (L_PTE_YOUNG | L_PTE_PRESENT | L_PTE_XN | L_PTE_DIRTY)

-#define FIXMAP_PAGE_NORMAL (FIXMAP_PAGE_COMMON | L_PTE_MT_WRITEBACK)
+#define FIXMAP_PAGE_NORMAL (pgprot_kernel | L_PTE_XN)
#define FIXMAP_PAGE_RO (FIXMAP_PAGE_NORMAL | L_PTE_RDONLY)

/* Used by set_fixmap_(io|nocache), both meant for mapping a device */
--- a/arch/arm/kernel/setup.c
+++ b/arch/arm/kernel/setup.c
@@ -80,7 +80,7 @@ __setup("fpe=", fpe_setup);

extern void init_default_cache_policy(unsigned long);
extern void paging_init(const struct machine_desc *desc);
-extern void early_paging_init(const struct machine_desc *);
+extern void early_mm_init(const struct machine_desc *);
extern void adjust_lowmem_bounds(void);
extern enum reboot_mode reboot_mode;
extern void setup_dma_zone(const struct machine_desc *desc);
@@ -1088,7 +1088,7 @@ void __init setup_arch(char **cmdline_p)
parse_early_param();

#ifdef CONFIG_MMU
- early_paging_init(mdesc);
+ early_mm_init(mdesc);
#endif
setup_dma_zone(mdesc);
xen_early_init();
--- a/arch/arm/mm/mmu.c
+++ b/arch/arm/mm/mmu.c
@@ -414,6 +414,11 @@ void __set_fixmap(enum fixed_addresses i
FIXADDR_END);
BUG_ON(idx >= __end_of_fixed_addresses);

+ /* we only support device mappings until pgprot_kernel has been set */
+ if (WARN_ON(pgprot_val(prot) != pgprot_val(FIXMAP_PAGE_IO) &&
+ pgprot_val(pgprot_kernel) == 0))
+ return;
+
if (pgprot_val(prot))
set_pte_at(NULL, vaddr, pte,
pfn_pte(phys >> PAGE_SHIFT, prot));
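
Review bot: the new early-boot guard in __set_fixmap() compares `prot` only against FIXMAP_PAGE_IO, so a call with a zero `prot`, which the `if (pgprot_val(prot))` test right below treats as its own case, also trips the WARN_ON while pgprot_kernel is still 0 and returns without touching the PTE. If zero-prot calls can happen that early, exclude them from the check. Either way, the silent `return` after the warning leaves the caller with an unmapped fixmap slot, which is worth stating in the comment.
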
@@ -1492,7 +1497,7 @@ pgtables_remap lpae_pgtables_remap_asm;
* early_paging_init() recreates boot time page table setup, allowing machines
* to switch over to a high (>4G) address space on LPAE systems
*/
-void __init early_paging_init(const struct machine_desc *mdesc)
+static void __init early_paging_init(const struct machine_desc *mdesc)
{
pgtables_remap *lpae_pgtables_remap;
unsigned long pa_pgd;
@@ -1560,7 +1565,7 @@ void __init early_paging_init(const stru

#else

-void __init early_paging_init(const struct machine_desc *mdesc)
+static void __init early_paging_init(const struct machine_desc *mdesc)
{
long long offset;

@@ -1616,7 +1621,6 @@ void __init paging_init(const struct mac
{
void *zero_page;

- build_mem_type_table();
prepare_page_table();
map_lowmem();
memblock_set_current_limit(arm_lowmem_limit);
@@ -1636,3 +1640,9 @@ void __init paging_init(const struct mac
empty_zero_page = virt_to_page(zero_page);
__flush_dcache_page(NULL, empty_zero_page);
}
+
+void __init early_mm_init(const struct machine_desc *mdesc)
+{
+ build_mem_type_table();
+ early_paging_init(mdesc);
+}
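
Review bot: early_mm_init() has no comment recording the ordering constraint given in the changelog, namely that build_mem_type_table() relies on early param parsing and so must run after parse_early_param(). Put that above the function so the call in setup_arch() is not moved ahead of the parsing later.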

Linus Torvalds

May 23, 2017, 4:30:10 PM
On Tue, May 23, 2017 at 1:06 PM, Greg Kroah-Hartman
<gre...@linuxfoundation.org> wrote:
> 4.11-stable review patch. If anyone has any objections, please let me know.

No objections, but I do want to note that I verified with an
"allyesconfig" build on i386 that this code actually never triggers at
least in current -git. I might have screwed something up, but I added
a "fsin" instruction to that inline asm, and then verified that
"objdump" didn't find any fsin instructions in any object files after
the build.

There are people who do 64-bit reads from user space, but they all
seem to happily use "get_user()" that gets it right, not the
"__get_user()" helper that did not.

So it's still worth putting in stable (just in case of future or
external users), but at least it doesn't seem to be a potential
security issue (which it might have been - with the right unlucky code
generation you could make the 64-bit load basically be a pointer
following thing).

Linus

Greg Kroah-Hartman

unread,
May 23, 2017, 4:30:10 PM5/23/17
to
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Marc Zyngier <marc.z...@arm.com>

commit ddf42d068f8802de122bb7efdfcb3179336053f1 upstream.

When an interrupt is injected with the HW bit set (indicating that
deactivation should be propagated to the physical distributor),
special care must be taken so that we never mark the corresponding
LR with the Active+Pending state (as the pending state is kept in
the physical distributor).

Fixes: 140b086dd197 ("KVM: arm/arm64: vgic-new: Add GICv2 world switch backend")
Signed-off-by: Marc Zyngier <marc.z...@arm.com>
Reviewed-by: Christoffer Dall <cd...@linaro.org>
Signed-off-by: Christoffer Dall <cd...@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
virt/kvm/arm/vgic/vgic-v2.c | 7 +++++++
1 file changed, 7 insertions(+)

--- a/virt/kvm/arm/vgic/vgic-v2.c
+++ b/virt/kvm/arm/vgic/vgic-v2.c
@@ -181,6 +181,13 @@ void vgic_v2_populate_lr(struct kvm_vcpu
if (irq->hw) {
val |= GICH_LR_HW;
val |= irq->hwintid << GICH_LR_PHYSID_CPUID_SHIFT;
+ /*
+ * Never set pending+active on a HW interrupt, as the
+ * pending state is kept at the physical distributor
+ * level.
+ */
+ if (irq->active && irq_is_pending(irq))
+ val &= ~GICH_LR_PENDING_BIT;
} else {
if (irq->config == VGIC_CONFIG_LEVEL)
val |= GICH_LR_EOI;

Greg Kroah-Hartman

May 23, 2017, 4:30:11 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Michael Ellerman <m...@ellerman.id.au>

commit bfb9956ab4d8242f4594b5f4bee534b935384fd9 upstream.

The page table dump code doesn't know about huge pages, so currently
it crashes (or walks random memory, usually leading to a crash), if it
finds a huge page. On Book3S we only see huge pages in the Linux page
tables when we're using the P9 Radix MMU.

Teaching the code to properly handle huge pages is a bit more involved,
so for now just prevent the crash.

Fixes: 8eb07b187000 ("powerpc/mm: Dump linux pagetables")
Signed-off-by: Michael Ellerman <m...@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
arch/powerpc/mm/dump_linuxpagetables.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

--- a/arch/powerpc/mm/dump_linuxpagetables.c
+++ b/arch/powerpc/mm/dump_linuxpagetables.c
@@ -16,6 +16,7 @@
*/
#include <linux/debugfs.h>
#include <linux/fs.h>
+#include <linux/hugetlb.h>
#include <linux/io.h>
#include <linux/mm.h>
#include <linux/sched.h>
@@ -331,7 +332,7 @@ static void walk_pmd(struct pg_state *st

for (i = 0; i < PTRS_PER_PMD; i++, pmd++) {
addr = start + i * PMD_SIZE;
- if (!pmd_none(*pmd))
+ if (!pmd_none(*pmd) && !pmd_huge(*pmd))
/* pmd exists */
walk_pte(st, pmd, addr);
else
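
Review bot: with `!pmd_huge(*pmd)` added to the condition in walk_pmd(), a huge entry now falls into the same `else` branch as an empty one, so the dump handles the range exactly as it would an absent mapping. Put a comment or TODO at the check saying huge entries are skipped on purpose for now; the same applies to the pud and pgd checks in the next two hunks.
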
@@ -347,7 +348,7 @@ static void walk_pud(struct pg_state *st

for (i = 0; i < PTRS_PER_PUD; i++, pud++) {
addr = start + i * PUD_SIZE;
- if (!pud_none(*pud))
+ if (!pud_none(*pud) && !pud_huge(*pud))
/* pud exists */
walk_pmd(st, pud, addr);
else
@@ -367,7 +368,7 @@ static void walk_pagetables(struct pg_st
*/
for (i = 0; i < PTRS_PER_PGD; i++, pgd++) {
addr = KERN_VIRT_START + i * PGDIR_SIZE;
- if (!pgd_none(*pgd))
+ if (!pgd_none(*pgd) && !pgd_huge(*pgd))
/* pgd exists */
walk_pud(st, pgd, addr);
else

Greg Kroah-Hartman

May 23, 2017, 4:30:11 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Marc Zyngier <marc.z...@arm.com>

commit 501ad27c67ed0b90df465f23d33e9aed64058a47 upstream.

We like living dangerously. Nothing explicitly forbids stack-protector
to be used in the HYP code, while distributions routinely compile their
kernel with it. We're just lucky that no code actually triggers the
instrumentation.

Let's not try our luck for much longer, and disable stack-protector
for code living at HYP.

Signed-off-by: Marc Zyngier <marc.z...@arm.com>
Acked-by: Christoffer Dall <cd...@linaro.org>
Signed-off-by: Christoffer Dall <cd...@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
arch/arm/kvm/hyp/Makefile | 2 ++
1 file changed, 2 insertions(+)

--- a/arch/arm/kvm/hyp/Makefile
+++ b/arch/arm/kvm/hyp/Makefile
@@ -2,6 +2,8 @@
# Makefile for Kernel-based Virtual Machine module, HYP part
#

+ccflags-y += -fno-stack-protector
+
KVM=../../../../virt/kvm

obj-$(CONFIG_KVM_ARM_HOST) += $(KVM)/arm/hyp/vgic-v2-sr.o

Greg Kroah-Hartman

May 23, 2017, 4:30:11 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: James Hogan <james...@imgtec.com>

commit 3a158a62da0673db918b53ac1440845a5b64fd90 upstream.

The metag implementation of strncpy_from_user() doesn't validate the src
pointer, which could allow reading of arbitrary kernel memory. Add a
short access_ok() check to prevent that.

It's still possible for it to read across the user/kernel boundary, but
it will invariably reach a NUL character after only 9 bytes, leaking
only a static kernel address being loaded into D0Re0 at the beginning of
__start, which is acceptable for the immediate fix.

Reported-by: Al Viro <vi...@zeniv.linux.org.uk>
Signed-off-by: James Hogan <james...@imgtec.com>
Cc: linux...@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
arch/metag/include/asm/uaccess.h | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)

--- a/arch/metag/include/asm/uaccess.h
+++ b/arch/metag/include/asm/uaccess.h
@@ -194,8 +194,13 @@ do {
extern long __must_check __strncpy_from_user(char *dst, const char __user *src,
long count);

-#define strncpy_from_user(dst, src, count) __strncpy_from_user(dst, src, count)
-
+static inline long
+strncpy_from_user(char *dst, const char __user *src, long count)
+{
+ if (!access_ok(VERIFY_READ, src, 1))
+ return -EFAULT;
+ return __strncpy_from_user(dst, src, count);
+}
/*
* Return the size of a string (including the ending 0)
*
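
Review bot: access_ok(VERIFY_READ, src, 1) in the new strncpy_from_user() validates only the first byte at src, so count plays no part in the check and __strncpy_from_user() can still walk from a valid user address across the user/kernel boundary. The commit message accepts that for the immediate fix, but the code carries no comment saying so; please add one above the access_ok() call, or bound the checked range by count in a follow-up. Style: the hunk also drops the blank line between the closing brace and the comment block that follows.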

Greg Kroah-Hartman

May 23, 2017, 4:30:11 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Dawei Chien <dawei...@mediatek.com>

commit 05d7839aa290901429d8edcd8f7974c9df2bcaa5 upstream.

If a thermal bank has 4 sensors, the thermal driver should read TEMP_MSR3.

However, currently the thermal driver would not read TEMP_MSR3 since the mt8173
thermal driver only uses 3 sensors on each thermal bank at the same time,
so this patch would not affect temperature.
Only if the mt8173 thermal driver used 4 sensors on any thermal bank would it
read the third sensor two times and lose the value of the fourth sensor.

Fixes: b7cf0053738c ("thermal: Add Mediatek thermal driver for mt2701.")
Reviewed-by: Matthias Brugger <matthi...@gmail.com>
Signed-off-by: Dawei Chien <dawei...@mediatek.com>
Signed-off-by: Eduardo Valentin <edub...@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/thermal/mtk_thermal.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/thermal/mtk_thermal.c
+++ b/drivers/thermal/mtk_thermal.c
@@ -191,7 +191,7 @@ static const int mt8173_bank_data[MT8173
};

static const int mt8173_msr[MT8173_NUM_SENSORS_PER_ZONE] = {
- TEMP_MSR0, TEMP_MSR1, TEMP_MSR2, TEMP_MSR2
+ TEMP_MSR0, TEMP_MSR1, TEMP_MSR2, TEMP_MSR3
};

static const int mt8173_adcpnp[MT8173_NUM_SENSORS_PER_ZONE] = {

Greg Kroah-Hartman

May 23, 2017, 4:30:11 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Mark Rutland <mark.r...@arm.com>

commit 55de49f9aa17b0b2b144dd2af587177b9aadf429 upstream.

Our compat swp emulation holds the compat user address in an unsigned
int, which it passes to __user_swpX_asm(). When a 32-bit value is passed
in a register, the upper 32 bits of the register are unknown, and we
must extend the value to 64 bits before we can use it as a base address.

This patch casts the address to unsigned long to ensure it has been
suitably extended, avoiding the potential issue, and silencing a related
warning from clang.

Fixes: bd35a4adc413 ("arm64: Port SWP/SWPB emulation support from arm")
Acked-by: Will Deacon <will....@arm.com>
Signed-off-by: Mark Rutland <mark.r...@arm.com>
Signed-off-by: Catalin Marinas <catalin...@arm.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
arch/arm64/kernel/armv8_deprecated.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/arm64/kernel/armv8_deprecated.c
+++ b/arch/arm64/kernel/armv8_deprecated.c
@@ -306,7 +306,8 @@ do { \
_ASM_EXTABLE(0b, 4b) \
_ASM_EXTABLE(1b, 4b) \
: "=&r" (res), "+r" (data), "=&r" (temp), "=&r" (temp2) \
- : "r" (addr), "i" (-EAGAIN), "i" (-EFAULT), \
+ : "r" ((unsigned long)addr), "i" (-EAGAIN), \
+ "i" (-EFAULT), \
"i" (__SWP_LL_SC_LOOPS) \
: "memory"); \
uaccess_disable(); \
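
Review bot: the (unsigned long)addr cast in the input operand list looks redundant to anyone who does not know that the upper 32 bits of a register holding an unsigned int are unknown, and nothing in the macro says so. Add a short comment next to the operand explaining that the cast forces the 64-bit extension needed for a base address, or change the type of the variable holding the compat address so that every use is covered rather than this one operand.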

Greg Kroah-Hartman

May 23, 2017, 4:30:12 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Alistair Popple <alis...@popple.id.au>

commit 6b3d12a948d27977816a15eb48409a298902a548 upstream.

Commit 616badd2fb49 ("powerpc/powernv: Use OPAL call for TCE kill on
NVLink2") forced all TCE kills to go via the OPAL call for
NVLink2. However the PHB3 implementation of TCE kill was still being
called directly from some functions which in some circumstances caused
a machine check.

This patch adds an equivalent IODA2 version of the function which uses
the correct invalidation method depending on PHB model and changes all
external callers to use it instead.

Fixes: 616badd2fb49 ("powerpc/powernv: Use OPAL call for TCE kill on NVLink2")
Signed-off-by: Alistair Popple <alis...@popple.id.au>
Signed-off-by: Michael Ellerman <m...@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
arch/powerpc/platforms/powernv/npu-dma.c | 8 ++++----
arch/powerpc/platforms/powernv/pci-ioda.c | 10 +++++++++-
arch/powerpc/platforms/powernv/pci.h | 2 +-
3 files changed, 14 insertions(+), 6 deletions(-)

--- a/arch/powerpc/platforms/powernv/npu-dma.c
+++ b/arch/powerpc/platforms/powernv/npu-dma.c
@@ -180,7 +180,7 @@ long pnv_npu_set_window(struct pnv_ioda_
pe_err(npe, "Failed to configure TCE table, err %lld\n", rc);
return rc;
}
- pnv_pci_phb3_tce_invalidate_entire(phb, false);
+ pnv_pci_ioda2_tce_invalidate_entire(phb, false);

/* Add the table to the list so its TCE cache will get invalidated */
pnv_pci_link_table_and_group(phb->hose->node, num,
@@ -204,7 +204,7 @@ long pnv_npu_unset_window(struct pnv_iod
pe_err(npe, "Unmapping failed, ret = %lld\n", rc);
return rc;
}
- pnv_pci_phb3_tce_invalidate_entire(phb, false);
+ pnv_pci_ioda2_tce_invalidate_entire(phb, false);

pnv_pci_unlink_table_and_group(npe->table_group.tables[num],
&npe->table_group);
@@ -270,7 +270,7 @@ static int pnv_npu_dma_set_bypass(struct
0 /* bypass base */, top);

if (rc == OPAL_SUCCESS)
- pnv_pci_phb3_tce_invalidate_entire(phb, false);
+ pnv_pci_ioda2_tce_invalidate_entire(phb, false);

return rc;
}
@@ -334,7 +334,7 @@ void pnv_npu_take_ownership(struct pnv_i
pe_err(npe, "Failed to disable bypass, err %lld\n", rc);
return;
}
- pnv_pci_phb3_tce_invalidate_entire(npe->phb, false);
+ pnv_pci_ioda2_tce_invalidate_entire(npe->phb, false);
}

struct pnv_ioda_pe *pnv_pci_npu_setup_iommu(struct pnv_ioda_pe *npe)
--- a/arch/powerpc/platforms/powernv/pci-ioda.c
+++ b/arch/powerpc/platforms/powernv/pci-ioda.c
@@ -1883,7 +1883,7 @@ static struct iommu_table_ops pnv_ioda1_
#define PHB3_TCE_KILL_INVAL_PE PPC_BIT(1)
#define PHB3_TCE_KILL_INVAL_ONE PPC_BIT(2)

-void pnv_pci_phb3_tce_invalidate_entire(struct pnv_phb *phb, bool rm)
+static void pnv_pci_phb3_tce_invalidate_entire(struct pnv_phb *phb, bool rm)
{
__be64 __iomem *invalidate = pnv_ioda_get_inval_reg(phb, rm);
const unsigned long val = PHB3_TCE_KILL_INVAL_ALL;
@@ -1979,6 +1979,14 @@ static void pnv_pci_ioda2_tce_invalidate
}
}

+void pnv_pci_ioda2_tce_invalidate_entire(struct pnv_phb *phb, bool rm)
+{
+ if (phb->model == PNV_PHB_MODEL_NPU || phb->model == PNV_PHB_MODEL_PHB3)
+ pnv_pci_phb3_tce_invalidate_entire(phb, rm);
+ else
+ opal_pci_tce_kill(phb->opal_id, OPAL_PCI_TCE_KILL, 0, 0, 0, 0);
+}
+
static int pnv_ioda2_tce_build(struct iommu_table *tbl, long index,
long npages, unsigned long uaddr,
enum dma_data_direction direction,
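
Review bot: in the new pnv_pci_ioda2_tce_invalidate_entire(), the else branch ignores the rm argument and discards whatever opal_pci_tce_kill() returns, so a failed OPAL invalidation is silent to all the callers converted in npu-dma.c. Log the failure at least, and add a comment saying why rm does not apply on the OPAL path. The name says ioda2 while the body also handles PNV_PHB_MODEL_NPU, which deserves a line of documentation above the function.
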
--- a/arch/powerpc/platforms/powernv/pci.h
+++ b/arch/powerpc/platforms/powernv/pci.h
@@ -229,7 +229,7 @@ extern void pe_level_printk(const struct

/* Nvlink functions */
extern void pnv_npu_try_dma_set_bypass(struct pci_dev *gpdev, bool bypass);
-extern void pnv_pci_phb3_tce_invalidate_entire(struct pnv_phb *phb, bool rm);
+extern void pnv_pci_ioda2_tce_invalidate_entire(struct pnv_phb *phb, bool rm);
extern struct pnv_ioda_pe *pnv_pci_npu_setup_iommu(struct pnv_ioda_pe *npe);
extern long pnv_npu_set_window(struct pnv_ioda_pe *npe, int num,
struct iommu_table *tbl);
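
Review bot: the renamed prototype still sits under the /* Nvlink functions */ comment, although pnv_pci_ioda2_tce_invalidate_entire() is defined in pci-ioda.c and dispatches on the PHB model rather than being NVLink specific. Move the declaration out from under that comment or adjust the comment.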

Greg Kroah-Hartman

May 23, 2017, 4:30:12 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Kristina Martsenko <kristina....@arm.com>

commit 276e93279a630657fff4b086ba14c95955912dfa upstream.

When handling a data abort from EL0, we currently zero the top byte of
the faulting address, as we assume the address is a TTBR0 address, which
may contain a non-zero address tag. However, the address may be a TTBR1
address, in which case we should not zero the top byte. This patch fixes
that. The effect is that the full TTBR1 address is passed to the task's
signal handler (or printed out in the kernel log).

When handling a data abort from EL1, we leave the faulting address
intact, as we assume it's either a TTBR1 address or a TTBR0 address with
tag 0x00. This is true as far as I'm aware, we don't seem to access a
tagged TTBR0 address anywhere in the kernel. Regardless, it's easy to
forget about address tags, and code added in the future may not always
remember to remove tags from addresses before accessing them. So add tag
handling to the EL1 data abort handler as well. This also makes it
consistent with the EL0 data abort handler.

Fixes: d50240a5f6ce ("arm64: mm: permit use of tagged pointers at EL0")
Reviewed-by: Dave Martin <Dave....@arm.com>
Acked-by: Will Deacon <will....@arm.com>
Signed-off-by: Kristina Martsenko <kristina....@arm.com>
Signed-off-by: Catalin Marinas <catalin...@arm.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
arch/arm64/include/asm/asm-uaccess.h | 9 +++++++++
arch/arm64/kernel/entry.S | 5 +++--
2 files changed, 12 insertions(+), 2 deletions(-)

--- a/arch/arm64/include/asm/asm-uaccess.h
+++ b/arch/arm64/include/asm/asm-uaccess.h
@@ -62,4 +62,13 @@ alternative_if ARM64_ALT_PAN_NOT_UAO
alternative_else_nop_endif
.endm

+/*
+ * Remove the address tag from a virtual address, if present.
+ */
+ .macro clear_address_tag, dst, addr
+ tst \addr, #(1 << 55)
+ bic \dst, \addr, #(0xff << 56)
+ csel \dst, \dst, \addr, eq
+ .endm
+
#endif
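
Review bot: clear_address_tag gives the wrong result when dst and addr name the same register: bic overwrites addr before csel reads it, so an address with bit 55 set would lose its top byte anyway. Both call sites in entry.S pass distinct registers, but the macro comment should state the requirement. The comment could also say that bit 55 decides between clearing the tag and leaving the address untouched, since "if present" does not convey that.
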
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -428,12 +428,13 @@ el1_da:
/*
* Data abort handling
*/
- mrs x0, far_el1
+ mrs x3, far_el1
enable_dbg
// re-enable interrupts if they were enabled in the aborted context
tbnz x23, #7, 1f // PSR_I_BIT
enable_irq
1:
+ clear_address_tag x0, x3
mov x2, sp // struct pt_regs
bl do_mem_abort

@@ -594,7 +595,7 @@ el0_da:
// enable interrupts before calling the main handler
enable_dbg_and_irq
ct_user_exit
- bic x0, x26, #(0xff << 56)
+ clear_address_tag x0, x26
mov x1, x25
mov x2, sp
bl do_mem_abort

Greg Kroah-Hartman

May 23, 2017, 4:30:12 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: KarimAllah Ahmed <kara...@amazon.de>

commit f73a7eee900e95404b61408a23a1df5c5811704c upstream.

Ever since commit 091d42e43d ("iommu/vt-d: Copy translation tables from
old kernel") the kdump kernel copies the IOMMU context tables from the
previous kernel. Each device's mappings will be destroyed once the driver
for the respective device takes over.

This unfortunately breaks the workflow of mapping and unmapping a new
context to the IOMMU. The mapping function assumes that either:

1) Unmapping did the proper IOMMU flushing and it only ever flushes if the
IOMMU unit supports caching invalid entries.
2) The system just booted and the initialization code took care of
flushing all IOMMU caches.

This assumption is not true for the kdump kernel since the context
tables have been copied from the previous kernel and translations could
have been cached ever since. So make sure to flush the IOTLB as well
when we destroy these old copied mappings.

Cc: Joerg Roedel <jo...@8bytes.org>
Cc: David Woodhouse <dw...@infradead.org>
Cc: David Woodhouse <dw...@amazon.co.uk>
Cc: Anthony Liguori <alig...@amazon.com>
Signed-off-by: KarimAllah Ahmed <kara...@amazon.de>
Acked-by: David Woodhouse <dw...@amazon.co.uk>
Fixes: 091d42e43d ("iommu/vt-d: Copy translation tables from old kernel")
Signed-off-by: Joerg Roedel <jro...@suse.de>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/iommu/intel-iommu.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/iommu/intel-iommu.c
+++ b/drivers/iommu/intel-iommu.c
@@ -2050,11 +2050,14 @@ static int domain_context_mapping_one(st
if (context_copied(context)) {
u16 did_old = context_domain_id(context);

- if (did_old >= 0 && did_old < cap_ndoms(iommu->cap))
+ if (did_old >= 0 && did_old < cap_ndoms(iommu->cap)) {
iommu->flush.flush_context(iommu, did_old,
(((u16)bus) << 8) | devfn,
DMA_CCMD_MASK_NOBIT,
DMA_CCMD_DEVICE_INVL);
+ iommu->flush.flush_iotlb(iommu, did_old, 0, 0,
+ DMA_TLB_DSI_FLUSH);
+ }
}

pgd = domain->pgd;
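
Review bot: the condition this hunk rewraps, did_old >= 0 && did_old < cap_ndoms(iommu->cap), tests a u16 for being non-negative, which is always true. Since the line is being touched to add braces, drop the did_old >= 0 half. A one-line comment above the new flush_iotlb() call saying that copied context entries may have cached translations from the previous kernel would also help, as the reason is only in the commit message.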

Greg Kroah-Hartman

May 23, 2017, 4:30:13 PM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Mike Snitzer <sni...@redhat.com>

commit 10add84e276432d9dd8044679a1028dd4084117e upstream.

Otherwise it is possible to trigger crashes due to the metadata being
inaccessible yet these methods don't safely account for that possibility
without these checks.

Reported-by: Mikulas Patocka <mpat...@redhat.com>
Signed-off-by: Mike Snitzer <sni...@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/md/dm-cache-metadata.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)

--- a/drivers/md/dm-cache-metadata.c
+++ b/drivers/md/dm-cache-metadata.c
@@ -1383,17 +1383,19 @@ void dm_cache_metadata_set_stats(struct

int dm_cache_commit(struct dm_cache_metadata *cmd, bool clean_shutdown)
{
- int r;
+ int r = -EINVAL;
flags_mutator mutator = (clean_shutdown ? set_clean_shutdown :
clear_clean_shutdown);

WRITE_LOCK(cmd);
+ if (cmd->fail_io)
+ goto out;
+
r = __commit_transaction(cmd, mutator);
if (r)
goto out;

r = __begin_transaction(cmd);
-
out:
WRITE_UNLOCK(cmd);
return r;
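
Review bot: dm_cache_commit() now returns -EINVAL when cmd->fail_io is set, which a caller cannot tell apart from an invalid-argument failure; if that is intentional for consistency with the other accessors, say so in a comment above the fail_io check. The hunk also deletes the blank line before the out: label, an unrelated whitespace change that is better left out of a stable fix.
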
@@ -1405,7 +1407,8 @@ int dm_cache_get_free_metadata_block_cou
int r = -EINVAL;

READ_LOCK(cmd);
- r = dm_sm_get_nr_free(cmd->metadata_sm, result);
+ if (!cmd->fail_io)
+ r = dm_sm_get_nr_free(cmd->metadata_sm, result);
READ_UNLOCK(cmd);

return r;
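
Review bot: with the new if (!cmd->fail_io) guard, *result is left unwritten on the failure path of dm_cache_get_free_metadata_block_count(), so a caller that ignores the return value may read a count that was never set. Either store 0 in *result before taking the lock or document that the output is valid only when 0 is returned. The same applies to dm_cache_get_metadata_dev_size() in the next hunk.
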
@@ -1417,7 +1420,8 @@ int dm_cache_get_metadata_dev_size(struc
int r = -EINVAL;

READ_LOCK(cmd);
- r = dm_sm_get_nr_blocks(cmd->metadata_sm, result);
+ if (!cmd->fail_io)
+ r = dm_sm_get_nr_blocks(cmd->metadata_sm, result);
READ_UNLOCK(cmd);

return r;

Greg Kroah-Hartman

May 23, 2017, 4:35:29 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: LiuHailong <liu.ha...@zte.com.cn>

commit fd615f69a18a9d4aa5ef02a1dc83f319f75da8e7 upstream.

Debug interrupts can be taken during interrupt entry, since interrupt
entry does not automatically turn them off. The kernel will check
whether the faulting instruction is between [interrupt_base_book3e,
__end_interrupts], and if so clear MSR[DE] and return.

However, when the kernel is built with CONFIG_RELOCATABLE, it can't use
LOAD_REG_IMMEDIATE(r14,interrupt_base_book3e) and
LOAD_REG_IMMEDIATE(r15,__end_interrupts), as they ignore relocation.
Thus, if the kernel is actually running at a different address than it
was built at, the address comparison will fail, and the exception entry
code will hang at kernel_dbg_exc.

r2(toc) is also not usable here, as r2 still holds data from the
interrupted context, so LOAD_REG_ADDR() doesn't work either. So we use
the *name@got* to get the EV of two labels directly.

The test program test.c is as follows:
#include <stdio.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
	if (access("/proc/sys/kernel/perf_event_paranoid", F_OK) == -1)
		printf("Kernel doesn't have perf_event support\n");
	return 0;
}

Steps to reproduce the bug, for example:
1) ./gdb ./test
2) (gdb) b access
3) (gdb) r
4) (gdb) s

Signed-off-by: Liu Hailong <liu.ha...@zte.com.cn>
Signed-off-by: Jiang Xuexin <jiang....@zte.com.cn>
Reviewed-by: Jiang Biao <jiang...@zte.com.cn>
Reviewed-by: Liu Song <liu.s...@zte.com.cn>
Reviewed-by: Huang Jian <huang...@zte.com.cn>
[scottwood: cleaned up commit message, and specified bad behavior
as a hang rather than an oops to correspond to mainline kernel behavior]
Fixes: 1cb6e0649248 ("powerpc/book3e: support CONFIG_RELOCATABLE")
Signed-off-by: Scott Wood <o...@buserror.net>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
arch/powerpc/kernel/exceptions-64e.S | 12 ++++++++++++
1 file changed, 12 insertions(+)

--- a/arch/powerpc/kernel/exceptions-64e.S
+++ b/arch/powerpc/kernel/exceptions-64e.S
@@ -735,8 +735,14 @@ END_FTR_SECTION_IFSET(CPU_FTR_ALTIVEC)
andis. r15,r14,(DBSR_IC|DBSR_BT)@h
beq+ 1f

+#ifdef CONFIG_RELOCATABLE
+ ld r15,PACATOC(r13)
+ ld r14,interrupt_base_book3e@got(r15)
+ ld r15,__end_interrupts@got(r15)
+#else
LOAD_REG_IMMEDIATE(r14,interrupt_base_book3e)
LOAD_REG_IMMEDIATE(r15,__end_interrupts)
+#endif
cmpld cr0,r10,r14
cmpld cr1,r10,r15
blt+ cr0,1f
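
Review bot: the CONFIG_RELOCATABLE branch loads the two labels through PACATOC(r13) and @got, but nothing in the code says why LOAD_REG_ADDR() or r2 cannot be used here; that reasoning exists only in the commit message. Add a short comment above the #ifdef noting that r2 still holds data from the interrupted context at this point.
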
@@ -799,8 +805,14 @@ kernel_dbg_exc:
andis. r15,r14,(DBSR_IC|DBSR_BT)@h
beq+ 1f

+#ifdef CONFIG_RELOCATABLE
+ ld r15,PACATOC(r13)
+ ld r14,interrupt_base_book3e@got(r15)
+ ld r15,__end_interrupts@got(r15)
+#else
LOAD_REG_IMMEDIATE(r14,interrupt_base_book3e)
LOAD_REG_IMMEDIATE(r15,__end_interrupts)
+#endif
cmpld cr0,r10,r14
cmpld cr1,r10,r15
blt+ cr0,1f
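
Review bot: this is the same #ifdef CONFIG_RELOCATABLE block as in the previous hunk, repeated verbatim in kernel_dbg_exc. A small macro taking the two destination registers would keep the two debug exception paths from drifting apart.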

Greg Kroah-Hartman

May 23, 2017, 4:35:33 PM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Peter Huewe <peter...@infineon.com>

commit f848f2143ae42dc0918400039257a893835254d1 upstream.

The algorithm for sending data to the TPM is mostly identical to the
algorithm for receiving data from the TPM, so a single function is
sufficient to handle both cases.

This is a prerequisite for all the other fixes, so we don't have to fix
everything twice (send/receive)

v2: u16 instead of u8 for the length.
Fixes: 0edbfea537d1 ("tpm/tpm_tis_spi: Add support for spi phy")
Signed-off-by: Alexander Steffen <Alexande...@infineon.com>
Signed-off-by: Peter Huewe <peter...@infineon.com>
Reviewed-by: Jarkko Sakkinen <jarkko....@linux.intel.com>
Tested-by: Benoit Houyere <benoit....@st.com>
Signed-off-by: Jarkko Sakkinen <jarkko....@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/char/tpm/tpm_tis_spi.c | 87 +++++++++++------------------------------
1 file changed, 24 insertions(+), 63 deletions(-)

--- a/drivers/char/tpm/tpm_tis_spi.c
+++ b/drivers/char/tpm/tpm_tis_spi.c
@@ -48,8 +48,8 @@ struct tpm_tis_spi_phy {
struct tpm_tis_data priv;
struct spi_device *spi_device;

- u8 tx_buf[MAX_SPI_FRAMESIZE + 4];
- u8 rx_buf[MAX_SPI_FRAMESIZE + 4];
+ u8 tx_buf[4];
+ u8 rx_buf[4];
};

static inline struct tpm_tis_spi_phy *to_tpm_tis_spi_phy(struct tpm_tis_data *data)
@@ -57,8 +57,8 @@ static inline struct tpm_tis_spi_phy *to
return container_of(data, struct tpm_tis_spi_phy, priv);
}

-static int tpm_tis_spi_read_bytes(struct tpm_tis_data *data, u32 addr,
- u16 len, u8 *result)
+static int tpm_tis_spi_transfer(struct tpm_tis_data *data, u32 addr, u16 len,
+ u8 *buffer, u8 direction)
{
struct tpm_tis_spi_phy *phy = to_tpm_tis_spi_phy(data);
int ret, i;
@@ -67,17 +67,17 @@ static int tpm_tis_spi_read_bytes(struct
.tx_buf = phy->tx_buf,
.rx_buf = phy->rx_buf,
.len = 4,
+ .cs_change = 1,
};

if (len > MAX_SPI_FRAMESIZE)
return -ENOMEM;

- phy->tx_buf[0] = 0x80 | (len - 1);
+ phy->tx_buf[0] = direction | (len - 1);
phy->tx_buf[1] = 0xd4;
- phy->tx_buf[2] = (addr >> 8) & 0xFF;
- phy->tx_buf[3] = addr & 0xFF;
+ phy->tx_buf[2] = addr >> 8;
+ phy->tx_buf[3] = addr;

- spi_xfer.cs_change = 1;
spi_message_init(&m);
spi_message_add_tail(&spi_xfer, &m);

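Review bot: the len > MAX_SPI_FRAMESIZE check kept at the top of tpm_tis_spi_transfer() does not reject len == 0, and the new header byte direction | (len - 1) then wraps to 0xff in tx_buf[0]. Return early for a zero length. Dropping the & 0xFF masks on tx_buf[2] and tx_buf[3] is harmless because of the u8 truncation, but it hides that only the low 16 bits of the u32 addr are sent; a comment would restore that.
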
@@ -86,7 +86,7 @@ static int tpm_tis_spi_read_bytes(struct
if (ret < 0)
goto exit;

- memset(phy->tx_buf, 0, len);
+ phy->tx_buf[0] = 0;

/* According to TCG PTP specification, if there is no TPM present at
* all, then the design has a weak pull-up on MISO. If a TPM is not
@@ -104,7 +104,14 @@ static int tpm_tis_spi_read_bytes(struct

spi_xfer.cs_change = 0;
spi_xfer.len = len;
- spi_xfer.rx_buf = result;
+
+ if (direction) {
+ spi_xfer.tx_buf = NULL;
+ spi_xfer.rx_buf = buffer;
+ } else {
+ spi_xfer.tx_buf = buffer;
+ spi_xfer.rx_buf = NULL;
+ }

spi_message_init(&m);
spi_message_add_tail(&spi_xfer, &m);
@@ -115,62 +122,16 @@ exit:
return ret;
}

+static int tpm_tis_spi_read_bytes(struct tpm_tis_data *data, u32 addr,
+ u16 len, u8 *result)
+{
+ return tpm_tis_spi_transfer(data, addr, len, result, 0x80);
+}
+
static int tpm_tis_spi_write_bytes(struct tpm_tis_data *data, u32 addr,
u16 len, u8 *value)
{
- struct tpm_tis_spi_phy *phy = to_tpm_tis_spi_phy(data);
- int ret, i;
- struct spi_message m;
- struct spi_transfer spi_xfer = {
- .tx_buf = phy->tx_buf,
- .rx_buf = phy->rx_buf,
- .len = 4,
- };
-
- if (len > MAX_SPI_FRAMESIZE)
- return -ENOMEM;
-
- phy->tx_buf[0] = len - 1;
- phy->tx_buf[1] = 0xd4;
- phy->tx_buf[2] = (addr >> 8) & 0xFF;
- phy->tx_buf[3] = addr & 0xFF;
-
- spi_xfer.cs_change = 1;
- spi_message_init(&m);
- spi_message_add_tail(&spi_xfer, &m);
-
- spi_bus_lock(phy->spi_device->master);
- ret = spi_sync_locked(phy->spi_device, &m);
- if (ret < 0)
- goto exit;
-
- memset(phy->tx_buf, 0, len);
-
- /* According to TCG PTP specification, if there is no TPM present at
- * all, then the design has a weak pull-up on MISO. If a TPM is not
- * present, a pull-up on MISO means that the SB controller sees a 1,
- * and will latch in 0xFF on the read.
- */
- for (i = 0; (phy->rx_buf[0] & 0x01) == 0 && i < TPM_RETRY; i++) {
- spi_xfer.len = 1;
- spi_message_init(&m);
- spi_message_add_tail(&spi_xfer, &m);
- ret = spi_sync_locked(phy->spi_device, &m);
- if (ret < 0)
- goto exit;
- }
-
- spi_xfer.len = len;
- spi_xfer.tx_buf = value;
- spi_xfer.cs_change = 0;
- spi_xfer.tx_buf = value;
- spi_message_init(&m);
- spi_message_add_tail(&spi_xfer, &m);
- ret = spi_sync_locked(phy->spi_device, &m);
-
-exit:
- spi_bus_unlock(phy->spi_device->master);
- return ret;
+ return tpm_tis_spi_transfer(data, addr, len, value, 0);
}

static int tpm_tis_spi_read16(struct tpm_tis_data *data, u32 addr, u16 *result)
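
Review bot: the two wrappers pass the bare literals 0x80 and 0 as direction, and tpm_tis_spi_transfer() both ORs that value into the header byte and tests it with if (direction) to pick the rx or tx buffer. Named constants for the two directions would make that double use explicit and keep a future caller from passing some other non-zero value.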

Greg Kroah-Hartman

May 23, 2017, 4:35:34 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Mario Kleiner <mario.kl...@gmail.com>

commit e345da82bd6bdfa8492f80b3ce4370acfd868d95 upstream.

The builtin eDP panel in the HP zBook 17 G2 supports 10 bpc,
as advertised by the laptop's product specs and verified via
injecting a fixed edid + photometer measurements, but edid
reports unknown depth, so drivers fall back to 6 bpc.

Add a quirk to get the full 10 bpc.

Signed-off-by: Mario Kleiner <mario.kl...@gmail.com>
Acked-by: Harry Wentland <harry.w...@amd.com>
Signed-off-by: Daniel Vetter <daniel...@ffwll.ch>
Link: http://patchwork.freedesktop.org/patch/msgid/1492787108-23959-1-git-se...@gmail.com
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/gpu/drm/drm_edid.c | 8 ++++++++
1 file changed, 8 insertions(+)

--- a/drivers/gpu/drm/drm_edid.c
+++ b/drivers/gpu/drm/drm_edid.c
@@ -79,6 +79,8 @@
#define EDID_QUIRK_FORCE_12BPC (1 << 9)
/* Force 6bpc */
#define EDID_QUIRK_FORCE_6BPC (1 << 10)
+/* Force 10bpc */
+#define EDID_QUIRK_FORCE_10BPC (1 << 11)

struct detailed_mode_closure {
struct drm_connector *connector;
@@ -121,6 +123,9 @@ static const struct edid_quirk {
{ "FCM", 13600, EDID_QUIRK_PREFER_LARGE_75 |
EDID_QUIRK_DETAILED_IN_CM },

+ /* LGD panel of HP zBook 17 G2, eDP 10 bpc, but reports unknown bpc */
+ { "LGD", 764, EDID_QUIRK_FORCE_10BPC },
+
/* LG Philips LCD LP154W01-A5 */
{ "LPL", 0, EDID_QUIRK_DETAILED_USE_MAXIMUM_SIZE },
{ "LPL", 0x2a00, EDID_QUIRK_DETAILED_USE_MAXIMUM_SIZE },
@@ -4174,6 +4179,9 @@ int drm_add_edid_modes(struct drm_connec
if (quirks & EDID_QUIRK_FORCE_8BPC)
connector->display_info.bpc = 8;

+ if (quirks & EDID_QUIRK_FORCE_10BPC)
+ connector->display_info.bpc = 10;
+
if (quirks & EDID_QUIRK_FORCE_12BPC)
connector->display_info.bpc = 12;
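
Review bot: the new EDID_QUIRK_FORCE_10BPC test is one of a run of independent if statements, so when a quirk entry sets more than one of the force-bpc bits the last test silently wins (12 over 10 over 8). That ordering is not documented next to the #defines; a comment there stating that the flags are meant to be mutually exclusive would prevent a confusing table entry later.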

Greg Kroah-Hartman

May 23, 2017, 4:35:43 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Kristina Martsenko <kristina....@arm.com>

commit 81cddd65b5c82758ea5571a25e31ff6f1f89ff02 upstream.

When we emulate userspace cache maintenance in the kernel, we can
currently send the task a SIGSEGV even though the maintenance was done
on a valid address. This happens if the address has a non-zero address
tag, and happens to not be mapped in.

When we get the address from a user register, we don't currently remove
the address tag before performing cache maintenance on it. If the
maintenance faults, we end up in either __do_page_fault, where find_vma
can't find the VMA if the address has a tag, or in do_translation_fault,
where the tagged address will appear to be above TASK_SIZE. In both
cases, the address is not mapped in, and the task is sent a SIGSEGV.

This patch removes the tag from the address before using it. With this
patch, the fault is handled correctly, the address gets mapped in, and
the cache maintenance succeeds.

As a second bug, if cache maintenance (correctly) fails on an invalid
tagged address, the address gets passed into arm64_notify_segfault,
where find_vma fails to find the VMA due to the tag, and the wrong
si_code may be sent as part of the siginfo_t of the segfault. With this
patch, the correct si_code is sent.

Fixes: 7dd01aef0557 ("arm64: trap userspace "dc cvau" cache operation on errata-affected core")
Acked-by: Will Deacon <will....@arm.com>
Signed-off-by: Kristina Martsenko <kristina....@arm.com>
Signed-off-by: Catalin Marinas <catalin...@arm.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
arch/arm64/kernel/traps.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arm64/kernel/traps.c
+++ b/arch/arm64/kernel/traps.c
@@ -443,7 +443,7 @@ int cpu_enable_cache_maint_trap(void *__
}

#define __user_cache_maint(insn, address, res) \
- if (untagged_addr(address) >= user_addr_max()) { \
+ if (address >= user_addr_max()) { \
res = -EFAULT; \
} else { \
uaccess_ttbr0_enable(); \
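
Review bot: __user_cache_maint() now compares address against user_addr_max() without untagged_addr(), so the macro is only correct when the caller has already stripped the tag, as user_cache_maint_handler() does in the next hunk. State that precondition in a comment above the #define; otherwise a future user of the macro that passes a raw register value gets -EFAULT for a valid tagged address.
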
@@ -469,7 +469,7 @@ static void user_cache_maint_handler(uns
int crm = (esr & ESR_ELx_SYS64_ISS_CRM_MASK) >> ESR_ELx_SYS64_ISS_CRM_SHIFT;
int ret = 0;

- address = pt_regs_read_reg(regs, rt);
+ address = untagged_addr(pt_regs_read_reg(regs, rt));

switch (crm) {
case ESR_ELx_SYS64_ISS_CRM_DC_CVAU: /* DC CVAU, gets promoted */

Greg Kroah-Hartman

May 23, 2017, 4:35:45 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <ar...@arndb.de>

commit 76cefef8e838304a71725a0b5007c375619d78fb upstream.

gcc-7 notices that the length we pass to strncat is wrong:

drivers/firmware/ti_sci.c: In function 'ti_sci_probe':
drivers/firmware/ti_sci.c:204:32: error: specified bound 50 equals the size of the destination [-Werror=stringop-overflow=]

Instead of the total length, we must pass the length of the
remaining space here.

Fixes: aa276781a64a ("firmware: Add basic support for TI System Control Interface (TI-SCI) protocol")
Acked-by: Nishanth Menon <n...@ti.com>
Acked-by: Santosh Shilimkar <ssan...@kernel.org>
Signed-off-by: Arnd Bergmann <ar...@arndb.de>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/firmware/ti_sci.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/firmware/ti_sci.c
+++ b/drivers/firmware/ti_sci.c
@@ -202,7 +202,8 @@ static int ti_sci_debugfs_create(struct
info->debug_buffer[info->debug_region_size] = 0;

info->d = debugfs_create_file(strncat(debug_name, dev_name(dev),
- sizeof(debug_name)),
+ sizeof(debug_name) -
+ sizeof("ti_sci_debug@")),
0444, NULL, info, &ti_sci_debug_fops);
if (IS_ERR(info->d))
return PTR_ERR(info->d);
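
Review bot: the new bound sizeof(debug_name) - sizeof("ti_sci_debug@") is correct only while debug_name is initialised with exactly that literal, and the initialiser is not in this hunk, so the two can drift apart unnoticed. Deriving the bound from the buffer itself, sizeof(debug_name) - strlen(debug_name) - 1, or building the name with snprintf() before the debugfs_create_file() call, removes the duplicated string and the strncat() nested in the argument list.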

Greg Kroah-Hartman

May 23, 2017, 4:36:15 PM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Anthony Mallet <anthony...@laas.fr>

commit bb246681b3ed0967489a7401ad528c1aaa1a4c2e upstream.

Commit 557aaa7ffab6 ("ft232: support the ASYNC_LOW_LATENCY
flag") enables unprivileged users to set the FTDI latency timer,
but there was a logic flaw that skipped sending the corresponding
USB control message to the device.

Specifically, the device latency timer would not be updated until next
open, something which was later also inadvertently broken by commit
c19db4c9e49a ("USB: ftdi_sio: set device latency timeout at port
probe").

A recent commit c6dce2626606 ("USB: serial: ftdi_sio: fix extreme
low-latency setting") disabled the low-latency mode by default so we now
need this fix to allow unprivileged users to again enable it.

Signed-off-by: Anthony Mallet <anthony...@laas.fr>
[johan: amend commit message]
Fixes: 557aaa7ffab6 ("ft232: support the ASYNC_LOW_LATENCY flag")
Fixes: c19db4c9e49a ("USB: ftdi_sio: set device latency timeout at port probe").
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/usb/serial/ftdi_sio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -1508,9 +1508,9 @@ static int set_serial_info(struct tty_st
(new_serial.flags & ASYNC_FLAGS));
priv->custom_divisor = new_serial.custom_divisor;

+check_and_exit:
write_latency_timer(port);

-check_and_exit:
if ((old_priv.flags & ASYNC_SPD_MASK) !=
(priv->flags & ASYNC_SPD_MASK)) {
if ((priv->flags & ASYNC_SPD_MASK) == ASYNC_SPD_HI)
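
Review bot: with check_and_exit: moved above write_latency_timer(port), the paths that jump to the label now send the latency update as well, but whatever write_latency_timer() reports is still not propagated, so set_serial_info() cannot tell the caller that the update failed. Consider checking it, or add a comment saying why it is safe to ignore. The label name also no longer describes what follows it.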

Greg Kroah-Hartman

May 23, 2017, 4:36:20 PM
4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Alexander Couzens <lyn...@fe80.eu>

commit 6a623e07694437ad09f382a13f76cffc32239a7f upstream.

The old 1-bit hamming layout requires ECC data to be placed at a
fixed offset, and not necessarily at the end of the OOB area.
Add this old layout back in order to fix legacy setups.

Fixes: 41b207a70d3a ("mtd: nand: implement the default mtd_ooblayout_ops")
Signed-off-by: Alexander Couzens <lyn...@fe80.eu>
Acked-by: Boris Brezillon <boris.b...@free-electrons.com>
Signed-off-by: Brian Norris <computer...@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/mtd/nand/nand_base.c | 70 ++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 69 insertions(+), 1 deletion(-)

--- a/drivers/mtd/nand/nand_base.c
+++ b/drivers/mtd/nand/nand_base.c
@@ -139,6 +139,74 @@ const struct mtd_ooblayout_ops nand_oobl
};
EXPORT_SYMBOL_GPL(nand_ooblayout_lp_ops);

+/*
+ * Support the old "large page" layout used for 1-bit Hamming ECC where ECC
+ * are placed at a fixed offset.
+ */
+static int nand_ooblayout_ecc_lp_hamming(struct mtd_info *mtd, int section,
+ struct mtd_oob_region *oobregion)
+{
+ struct nand_chip *chip = mtd_to_nand(mtd);
+ struct nand_ecc_ctrl *ecc = &chip->ecc;
+
+ if (section)
+ return -ERANGE;
+
+ switch (mtd->oobsize) {
+ case 64:
+ oobregion->offset = 40;
+ break;
+ case 128:
+ oobregion->offset = 80;
+ break;
+ default:
+ return -EINVAL;
+ }
+
+ oobregion->length = ecc->total;
+ if (oobregion->offset + oobregion->length > mtd->oobsize)
+ return -ERANGE;
+
+ return 0;
+}
+
+static int nand_ooblayout_free_lp_hamming(struct mtd_info *mtd, int section,
+ struct mtd_oob_region *oobregion)
+{
+ struct nand_chip *chip = mtd_to_nand(mtd);
+ struct nand_ecc_ctrl *ecc = &chip->ecc;
+ int ecc_offset = 0;
+
+ if (section < 0 || section > 1)
+ return -ERANGE;
+
+ switch (mtd->oobsize) {
+ case 64:
+ ecc_offset = 40;
+ break;
+ case 128:
+ ecc_offset = 80;
+ break;
+ default:
+ return -EINVAL;
+ }
+
+ if (section == 0) {
+ oobregion->offset = 2;
+ oobregion->length = ecc_offset - 2;
+ } else {
+ oobregion->offset = ecc_offset + ecc->total;
+ oobregion->length = mtd->oobsize - oobregion->offset;
+ }
+
+ return 0;
+}
+
+const struct mtd_ooblayout_ops nand_ooblayout_lp_hamming_ops = {
+ .ecc = nand_ooblayout_ecc_lp_hamming,
+ .free = nand_ooblayout_free_lp_hamming,
+};
+
static int check_offs_len(struct mtd_info *mtd,
loff_t ofs, uint64_t len)
{
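
Review bot: nand_ooblayout_free_lp_hamming() has no equivalent of the offset + length > mtd->oobsize check that nand_ooblayout_ecc_lp_hamming() performs, so for section 1 a large ecc->total makes mtd->oobsize - oobregion->offset wrap before it is stored in oobregion->length. Add the same -ERANGE check there. The 64/128 to 40/80 switch is duplicated in both functions and would be better as one helper, and nand_ooblayout_lp_hamming_ops is neither static nor exported, unlike nand_ooblayout_lp_ops just above it.
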
@@ -4653,7 +4721,7 @@ int nand_scan_tail(struct mtd_info *mtd)
break;
case 64:
case 128:
- mtd_set_ooblayout(mtd, &nand_ooblayout_lp_ops);
+ mtd_set_ooblayout(mtd, &nand_ooblayout_lp_hamming_ops);
break;
default:
WARN(1, "No oob scheme defined for oobsize %d\n",

Greg Kroah-Hartman

May 23, 2017, 4:36:25 PM
4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Alexander Steffen <Alexande...@infineon.com>

commit 302a6ad7fc77146191126a1f3e2c5d724fd72416 upstream.

TIS v1.3 for TPM 1.2 and PTP for TPM 2.0 disagree about which timeout
value applies to reading a valid burstcount. It is TIMEOUT_D according to
TIS, but TIMEOUT_A according to PTP, so choose the appropriate value
depending on whether we deal with a TPM 1.2 or a TPM 2.0.

This is important since according to the PTP TIMEOUT_D is much smaller
than TIMEOUT_A. So the previous implementation could run into timeouts
with a TPM 2.0, even though the TPM was behaving perfectly fine.

During tpm2_probe TIMEOUT_D will be used even with a TPM 2.0, because
TPM_CHIP_FLAG_TPM2 is not yet set. This is fine, since the timeout values
will only be changed afterwards by tpm_get_timeouts. Until then
TIS_TIMEOUT_D_MAX applies, which is large enough.

Fixes: aec04cbdf723 ("tpm: TPM 2.0 FIFO Interface")
Signed-off-by: Alexander Steffen <Alexande...@infineon.com>
Signed-off-by: Peter Huewe <peter...@infineon.com>
Reviewed-by: Jarkko Sakkinen <jarkko....@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko....@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/char/tpm/tpm_tis_core.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/char/tpm/tpm_tis_core.c
+++ b/drivers/char/tpm/tpm_tis_core.c
@@ -160,8 +160,10 @@ static int get_burstcount(struct tpm_chi
u32 value;

/* wait for burstcount */
- /* which timeout value, spec has 2 answers (c & d) */
- stop = jiffies + chip->timeout_d;
+ if (chip->flags & TPM_CHIP_FLAG_TPM2)
+ stop = jiffies + chip->timeout_a;
+ else
+ stop = jiffies + chip->timeout_d;
do {
rc = tpm_tis_read32(priv, TPM_STS(priv->locality), &value);
if (rc < 0)
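
Review bot: the branch on TPM_CHIP_FLAG_TPM2 has no comment, and the removed comment was the only hint in the code that the specs disagree on this timeout. The changelog explains that TIS names TIMEOUT_D while PTP names TIMEOUT_A, and that tpm2_probe still runs with timeout_d because the flag is not set yet; two lines to that effect above the if would save the next reader a trip to git log.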

Greg Kroah-Hartman

May 23, 2017, 4:36:46 PM

4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Ard Biesheuvel <ard.bie...@linaro.org>

commit b7ede5a1f5905ac394cc8e61712a13e3c5cb7b8f upstream.

Since commit 35fa91eed817 ("ARM: kernel: merge core and init PLTs"),
the ARM module PLT code allocates all PLT entries in a single core
section, since the overhead of having a separate init PLT section is
not justified by the small number of PLT entries usually required for
init code.

However, the core and init module regions are allocated independently,
and there is a corner case where the core region may be allocated from
the VMALLOC region if the dedicated module region is exhausted, but the
init region, being much smaller, can still be allocated from the module
region. This puts the PLT entries out of reach of the relocated branch
instructions, defeating the whole purpose of PLTs.

So split the core and init PLT regions, and name the latter ".init.plt"
so it gets allocated along with (and sufficiently close to) the .init
sections that it serves. Also, given that init PLT entries may need to
be emitted for branches that target the core module, modify the logic
that disregards defined symbols to only disregard symbols that are
defined in the same section.

Fixes: 35fa91eed817 ("ARM: kernel: merge core and init PLTs")
Reported-by: Angus Clark <an...@angusclark.org>
Tested-by: Angus Clark <an...@angusclark.org>
Signed-off-by: Ard Biesheuvel <ard.bie...@linaro.org>
Signed-off-by: Russell King <rmk+k...@armlinux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
arch/arm/include/asm/module.h | 9 +++-
arch/arm/kernel/module-plts.c | 85 +++++++++++++++++++++++++++++-------------
arch/arm/kernel/module.lds | 1
3 files changed, 67 insertions(+), 28 deletions(-)

--- a/arch/arm/include/asm/module.h
+++ b/arch/arm/include/asm/module.h
@@ -18,13 +18,18 @@ enum {
};
#endif

+struct mod_plt_sec {
+ struct elf32_shdr *plt;
+ int plt_count;
+};
+
struct mod_arch_specific {
#ifdef CONFIG_ARM_UNWIND
struct unwind_table *unwind[ARM_SEC_MAX];
#endif
#ifdef CONFIG_ARM_MODULE_PLTS
- struct elf32_shdr *plt;
- int plt_count;
+ struct mod_plt_sec core;
+ struct mod_plt_sec init;
#endif
};

--- a/arch/arm/kernel/module-plts.c
+++ b/arch/arm/kernel/module-plts.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014 Linaro Ltd. <ard.bie...@linaro.org>
+ * Copyright (C) 2014-2017 Linaro Ltd. <ard.bie...@linaro.org>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
@@ -31,9 +31,17 @@ struct plt_entries {
u32 lit[PLT_ENT_COUNT];
};

+static bool in_init(const struct module *mod, unsigned long loc)
+{
+ return loc - (u32)mod->init_layout.base < mod->init_layout.size;
+}
+
u32 get_module_plt(struct module *mod, unsigned long loc, Elf32_Addr val)
{
- struct plt_entries *plt = (struct plt_entries *)mod->arch.plt->sh_addr;
+ struct mod_plt_sec *pltsec = !in_init(mod, loc) ? &mod->arch.core :
+ &mod->arch.init;
+
+ struct plt_entries *plt = (struct plt_entries *)pltsec->plt->sh_addr;
int idx = 0;

/*
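
Review bot: in_init() relies on unsigned wrap-around so that a loc below init_layout.base fails the comparison, and it mixes an unsigned long loc with a (u32) cast of the base. That works on 32-bit ARM but is not obvious; a one-line comment, or the explicit form loc >= base && loc < base + size, would make the intent clear. In get_module_plt(), pltsec->plt->sh_addr is dereferenced unconditionally, so a comment noting that module_frob_arch_sections() rejects modules lacking either section would also help.
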
@@ -41,9 +49,9 @@ u32 get_module_plt(struct module *mod, u
* relocations are sorted, this will be the last entry we allocated.
* (if one exists).
*/
- if (mod->arch.plt_count > 0) {
- plt += (mod->arch.plt_count - 1) / PLT_ENT_COUNT;
- idx = (mod->arch.plt_count - 1) % PLT_ENT_COUNT;
+ if (pltsec->plt_count > 0) {
+ plt += (pltsec->plt_count - 1) / PLT_ENT_COUNT;
+ idx = (pltsec->plt_count - 1) % PLT_ENT_COUNT;

if (plt->lit[idx] == val)
return (u32)&plt->ldr[idx];
@@ -53,8 +61,8 @@ u32 get_module_plt(struct module *mod, u
plt++;
}

- mod->arch.plt_count++;
- BUG_ON(mod->arch.plt_count * PLT_ENT_SIZE > mod->arch.plt->sh_size);
+ pltsec->plt_count++;
+ BUG_ON(pltsec->plt_count * PLT_ENT_SIZE > pltsec->plt->sh_size);

if (!idx)
/* Populate a new set of entries */
@@ -129,7 +137,7 @@ static bool duplicate_rel(Elf32_Addr bas

/* Count how many PLT entries we may need */
static unsigned int count_plts(const Elf32_Sym *syms, Elf32_Addr base,
- const Elf32_Rel *rel, int num)
+ const Elf32_Rel *rel, int num, Elf32_Word dstidx)
{
unsigned int ret = 0;
const Elf32_Sym *s;
@@ -144,13 +152,17 @@ static unsigned int count_plts(const Elf
case R_ARM_THM_JUMP24:
/*
* We only have to consider branch targets that resolve
- * to undefined symbols. This is not simply a heuristic,
- * it is a fundamental limitation, since the PLT itself
- * is part of the module, and needs to be within range
- * as well, so modules can never grow beyond that limit.
+ * to symbols that are defined in a different section.
+ * This is not simply a heuristic, it is a fundamental
+ * limitation, since there is no guaranteed way to emit
+ * PLT entries sufficiently close to the branch if the
+ * section size exceeds the range of a branch
+ * instruction. So ignore relocations against defined
+ * symbols if they live in the same section as the
+ * relocation target.
*/
s = syms + ELF32_R_SYM(rel[i].r_info);
- if (s->st_shndx != SHN_UNDEF)
+ if (s->st_shndx == dstidx)
break;

/*
@@ -161,7 +173,12 @@ static unsigned int count_plts(const Elf
* So we need to support them, but there is no need to
* take them into consideration when trying to optimize
* this code. So let's only check for duplicates when
- * the addend is zero.
+ * the addend is zero. (Note that calls into the core
+ * module via init PLT entries could involve section
+ * relative symbol references with non-zero addends, for
+ * which we may end up emitting duplicates, but the init
+ * PLT is released along with the rest of the .init
+ * region as soon as module loading completes.)
*/
if (!is_zero_addend_relocation(base, rel + i) ||
!duplicate_rel(base, rel, i))
@@ -174,7 +191,8 @@ static unsigned int count_plts(const Elf
int module_frob_arch_sections(Elf_Ehdr *ehdr, Elf_Shdr *sechdrs,
char *secstrings, struct module *mod)
{
- unsigned long plts = 0;
+ unsigned long core_plts = 0;
+ unsigned long init_plts = 0;
Elf32_Shdr *s, *sechdrs_end = sechdrs + ehdr->e_shnum;
Elf32_Sym *syms = NULL;

@@ -184,13 +202,15 @@ int module_frob_arch_sections(Elf_Ehdr *
*/
for (s = sechdrs; s < sechdrs_end; ++s) {
if (strcmp(".plt", secstrings + s->sh_name) == 0)
- mod->arch.plt = s;
+ mod->arch.core.plt = s;
+ else if (strcmp(".init.plt", secstrings + s->sh_name) == 0)
+ mod->arch.init.plt = s;
else if (s->sh_type == SHT_SYMTAB)
syms = (Elf32_Sym *)s->sh_addr;
}

- if (!mod->arch.plt) {
- pr_err("%s: module PLT section missing\n", mod->name);
+ if (!mod->arch.core.plt || !mod->arch.init.plt) {
+ pr_err("%s: module PLT section(s) missing\n", mod->name);
return -ENOEXEC;
}
if (!syms) {
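
Review bot: the combined check "!mod->arch.core.plt || !mod->arch.init.plt" reports "module PLT section(s) missing" without saying which one. A module linked without the new .init.plt line in module.lds will now be rejected with -ENOEXEC, so naming the missing section in the pr_err would make that failure much easier to diagnose.
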
@@ -213,16 +233,29 @@ int module_frob_arch_sections(Elf_Ehdr *
/* sort by type and symbol index */
sort(rels, numrels, sizeof(Elf32_Rel), cmp_rel, NULL);

- plts += count_plts(syms, dstsec->sh_addr, rels, numrels);
+ if (strncmp(secstrings + dstsec->sh_name, ".init", 5) != 0)
+ core_plts += count_plts(syms, dstsec->sh_addr, rels,
+ numrels, s->sh_info);
+ else
+ init_plts += count_plts(syms, dstsec->sh_addr, rels,
+ numrels, s->sh_info);
}

- mod->arch.plt->sh_type = SHT_NOBITS;
- mod->arch.plt->sh_flags = SHF_EXECINSTR | SHF_ALLOC;
- mod->arch.plt->sh_addralign = L1_CACHE_BYTES;
- mod->arch.plt->sh_size = round_up(plts * PLT_ENT_SIZE,
- sizeof(struct plt_entries));
- mod->arch.plt_count = 0;
+ mod->arch.core.plt->sh_type = SHT_NOBITS;
+ mod->arch.core.plt->sh_flags = SHF_EXECINSTR | SHF_ALLOC;
+ mod->arch.core.plt->sh_addralign = L1_CACHE_BYTES;
+ mod->arch.core.plt->sh_size = round_up(core_plts * PLT_ENT_SIZE,
+ sizeof(struct plt_entries));
+ mod->arch.core.plt_count = 0;
+
+ mod->arch.init.plt->sh_type = SHT_NOBITS;
+ mod->arch.init.plt->sh_flags = SHF_EXECINSTR | SHF_ALLOC;
+ mod->arch.init.plt->sh_addralign = L1_CACHE_BYTES;
+ mod->arch.init.plt->sh_size = round_up(init_plts * PLT_ENT_SIZE,
+ sizeof(struct plt_entries));
+ mod->arch.init.plt_count = 0;

- pr_debug("%s: plt=%x\n", __func__, mod->arch.plt->sh_size);
+ pr_debug("%s: plt=%x, init.plt=%x\n", __func__,
+ mod->arch.core.plt->sh_size, mod->arch.init.plt->sh_size);
return 0;
}
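
Review bot: sections are assigned to the init PLT by a name prefix test, strncmp(..., ".init", 5), while get_module_plt() later selects the PLT by address through in_init(). Nothing in the hunk ties the two together; if they ever disagree, entries are counted for one section and allocated from the other, and the BUG_ON on sh_size fires. Suggest a comment stating that the prefix test must match how the loader places sections in init_layout, and folding the two identical sh_type/sh_flags/sh_addralign/sh_size blocks into a small helper.
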
--- a/arch/arm/kernel/module.lds
+++ b/arch/arm/kernel/module.lds
@@ -1,3 +1,4 @@
SECTIONS {
.plt : { BYTE(0) }
+ .init.plt : { BYTE(0) }
}

Greg Kroah-Hartman

May 23, 2017, 4:37:28 PM

4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: David Woodhouse <dw...@amazon.co.uk>

commit 6bccc7f426abd640f08d8c75fb22f99483f201b4 upstream.

In the PCI_MMAP_PROCFS case when the address being passed by the user is a
'user visible' resource address based on the bus window, and not the actual
contents of the resource, that's what we need to be checking it against.

Signed-off-by: David Woodhouse <dw...@amazon.co.uk>
Signed-off-by: Bjorn Helgaas <bhel...@google.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/pci/pci-sysfs.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)

--- a/drivers/pci/pci-sysfs.c
+++ b/drivers/pci/pci-sysfs.c
@@ -985,15 +985,19 @@ void pci_remove_legacy_files(struct pci_
int pci_mmap_fits(struct pci_dev *pdev, int resno, struct vm_area_struct *vma,
enum pci_mmap_api mmap_api)
{
- unsigned long nr, start, size, pci_start;
+ unsigned long nr, start, size;
+ resource_size_t pci_start = 0, pci_end;

if (pci_resource_len(pdev, resno) == 0)
return 0;
nr = vma_pages(vma);
start = vma->vm_pgoff;
size = ((pci_resource_len(pdev, resno) - 1) >> PAGE_SHIFT) + 1;
- pci_start = (mmap_api == PCI_MMAP_PROCFS) ?
- pci_resource_start(pdev, resno) >> PAGE_SHIFT : 0;
+ if (mmap_api == PCI_MMAP_PROCFS) {
+ pci_resource_to_user(pdev, resno, &pdev->resource[resno],
+ &pci_start, &pci_end);
+ pci_start >>= PAGE_SHIFT;
+ }
if (start >= pci_start && start < pci_start + size &&
start + nr <= pci_start + size)
return 1;
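
Review bot: pci_end is filled in by pci_resource_to_user() but never read in the visible lines; the upper bound is still pci_start + size, with size derived from pci_resource_len(). If that is intentional, a comment should say so. Also, start is unsigned long while pci_start is now resource_size_t, so the range comparisons mix widths wherever the two types differ; worth a comment or an explicit cast to show this was considered.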

Greg Kroah-Hartman

May 23, 2017, 4:37:33 PM

4.11-stable review patch. If anyone has any objections, please let me know.

------------------

From: Trond Myklebust <trond.m...@primarydata.com>

commit 56e0d71ef12f026d96213e45a662bde6bbff4676 upstream.

If the server fails to return the attributes as part of an OPEN
reply, and then reboots, we can end up hanging. The reason is that
the client attempts to send a GETATTR in order to pick up the
missing OPEN call, but fails to release the slot first, causing
reboot recovery to deadlock.

Signed-off-by: Trond Myklebust <trond.m...@primarydata.com>
Fixes: 2e80dbe7ac51a ("NFSv4.1: Close callback races for OPEN, LAYOUTGET...")
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
fs/nfs/nfs4proc.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -2300,8 +2300,10 @@ static int _nfs4_proc_open(struct nfs4_o
if (status != 0)
return status;
}
- if (!(o_res->f_attr->valid & NFS_ATTR_FATTR))
+ if (!(o_res->f_attr->valid & NFS_ATTR_FATTR)) {
+ nfs4_sequence_free_slot(&o_res->seq_res);
nfs4_proc_getattr(server, &o_res->fh, o_res->f_attr, o_res->f_label);
+ }
return 0;
}
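
Review bot: the return value of nfs4_proc_getattr() is still discarded inside the new braces, so a failed GETATTR leaves f_attr without NFS_ATTR_FATTR and the function returns 0 anyway. If that is deliberate, a comment would help. A comment above nfs4_sequence_free_slot() explaining that the slot has to be released before the next RPC is issued, to avoid the recovery deadlock described in the changelog, would also be worth adding.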

Greg Kroah-Hartman

May 23, 2017, 4:38:13 PM

4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit ebeb36670ecac36c179b5fb5d5c88ff03ba191ec upstream.

Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer or accessing memory beyond the endpoint array should a
malicious device lack the expected endpoints.

Fixes: 36bcce430657 ("ath9k_htc: Handle storage devices")
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Kalle Valo <kv...@qca.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/net/wireless/ath/ath9k/hif_usb.c | 3 +++
1 file changed, 3 insertions(+)

--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -1219,6 +1219,9 @@ static int send_eject_command(struct usb
u8 bulk_out_ep;
int r;

+ if (iface_desc->desc.bNumEndpoints < 2)
+ return -ENODEV;
+
/* Find bulk out endpoint */
for (r = 1; r >= 0; r--) {
endpoint = &iface_desc->endpoint[r].desc;
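
Review bot: the literal 2 in "bNumEndpoints < 2" is tied to the loop below starting at r = 1, but nothing states that; a short comment would keep the check and the loop in sync. The hunk also does not show what happens when neither endpoint[1] nor endpoint[0] is a bulk OUT endpoint. bulk_out_ep is declared without an initializer, so it is worth confirming that case is handled after the loop.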

Greg Kroah-Hartman

May 23, 2017, 4:40:06 PM

4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: James Hogan <james...@imgtec.com>

commit 3a158a62da0673db918b53ac1440845a5b64fd90 upstream.

The metag implementation of strncpy_from_user() doesn't validate the src
pointer, which could allow reading of arbitrary kernel memory. Add a
short access_ok() check to prevent that.

It's still possible for it to read across the user/kernel boundary, but
it will invariably reach a NUL character after only 9 bytes, leaking
only a static kernel address being loaded into D0Re0 at the beginning of
__start, which is acceptable for the immediate fix.

Reported-by: Al Viro <vi...@zeniv.linux.org.uk>
Signed-off-by: James Hogan <james...@imgtec.com>
Cc: linux...@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

Greg Kroah-Hartman

May 23, 2017, 4:40:08 PM

4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit eacb975b48272f54532b62f515a3cf7eefa35123 upstream.

Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer or accessing memory beyond the endpoint array should a
malicious device lack the expected endpoints.

Fixes: 2a9f8b5d25be ("V4L/DVB (5206): Usbvision: set alternate interface
modification")

Cc: Thierry MERLE <thierr...@free.fr>
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Hans Verkuil <hans.v...@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mch...@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/media/usb/usbvision/usbvision-video.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/media/usb/usbvision/usbvision-video.c
+++ b/drivers/media/usb/usbvision/usbvision-video.c
@@ -1506,7 +1506,14 @@ static int usbvision_probe(struct usb_in
}

for (i = 0; i < usbvision->num_alt; i++) {
- u16 tmp = le16_to_cpu(uif->altsetting[i].endpoint[1].desc.
+ u16 tmp;
+
+ if (uif->altsetting[i].desc.bNumEndpoints < 2) {
+ ret = -ENODEV;
+ goto err_pkt;
+ }
+
+ tmp = le16_to_cpu(uif->altsetting[i].endpoint[1].desc.
wMaxPacketSize);
usbvision->alt_max_pkt_size[i] =
(tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1);
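
Review bot: the new bNumEndpoints check fails the probe with -ENODEV and no message. A dev_err() naming the offending altsetting index i before "goto err_pkt" would make a rejected device diagnosable. Since err_pkt is not visible in this hunk, please also confirm it is the right unwind label for a failure part-way through the loop.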

Greg Kroah-Hartman

May 23, 2017, 4:40:08 PM

4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Fred Isaman <fred....@gmail.com>

commit 1f84ccdf37d0db3a70714d02d51b0b6d45887fb8 upstream.

Signed-off-by: Fred Isaman <fred....@gmail.com>
Fixes: 0bcbf039f6b2b ("nfs: handle request add failure properly")
Signed-off-by: Trond Myklebust <trond.m...@primarydata.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
fs/nfs/write.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/nfs/write.c
+++ b/fs/nfs/write.c
@@ -548,9 +548,9 @@ static void nfs_write_error_remove_page(
{
nfs_unlock_request(req);
nfs_end_page_writeback(req);
- nfs_release_request(req);
generic_error_remove_page(page_file_mapping(req->wb_page),
req->wb_page);
+ nfs_release_request(req);
}

/*
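
Review bot: the changelog body is empty apart from the tags, so the reason for moving nfs_release_request(req) below generic_error_remove_page() has to be inferred from the hunk: the latter reads req->wb_page, and req may already be freed once the reference is dropped. Please state that in the commit message or in a comment above the call, so the ordering is not undone by a later cleanup.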

Greg Kroah-Hartman

May 23, 2017, 4:40:08 PM

4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Malcolm Priestley <tvbo...@gmail.com>

commit 90be652c9f157d44b9c2803f902a8839796c090d upstream.

EPROM_CMD is 2 byte aligned on PCI map so calling with rtl92e_readl
will return invalid data so use rtl92e_readw.

The device is unable to select the right eeprom type.

Signed-off-by: Malcolm Priestley <tvbo...@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/staging/rtl8192e/rtl8192e/r8192E_dev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/rtl8192e/rtl8192e/r8192E_dev.c
+++ b/drivers/staging/rtl8192e/rtl8192e/r8192E_dev.c
@@ -627,7 +627,7 @@ void rtl92e_get_eeprom_size(struct net_d
struct r8192_priv *priv = rtllib_priv(dev);

RT_TRACE(COMP_INIT, "===========>%s()\n", __func__);
- curCR = rtl92e_readl(dev, EPROM_CMD);
+ curCR = rtl92e_readw(dev, EPROM_CMD);
RT_TRACE(COMP_INIT, "read from Reg Cmd9346CR(%x):%x\n", EPROM_CMD,
curCR);
priv->epromtype = (curCR & EPROM_CMD_9356SEL) ? EEPROM_93C56 :
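
Review bot: the switch to rtl92e_readw() has no comment at the call site saying that EPROM_CMD is only 2-byte aligned. The wrong access width silently selects the wrong EEPROM type, so a one-line comment above the read would guard against it being changed back. Please also check that the declared type of curCR, which is not visible here, matches the 16-bit read.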

Greg Kroah-Hartman

May 23, 2017, 4:40:08 PM

4.4-stable review patch. If anyone has any objections, please let me know.

------------------

From: Anthony Mallet <anthony...@laas.fr>

commit bb246681b3ed0967489a7401ad528c1aaa1a4c2e upstream.

Commit 557aaa7ffab6 ("ft232: support the ASYNC_LOW_LATENCY
flag") enables unprivileged users to set the FTDI latency timer,
but there was a logic flaw that skipped sending the corresponding
USB control message to the device.

Specifically, the device latency timer would not be updated until next
open, something which was later also inadvertently broken by commit
c19db4c9e49a ("USB: ftdi_sio: set device latency timeout at port
probe").

A recent commit c6dce2626606 ("USB: serial: ftdi_sio: fix extreme
low-latency setting") disabled the low-latency mode by default so we now
need this fix to allow unprivileged users to again enable it.

Signed-off-by: Anthony Mallet <anthony...@laas.fr>
[johan: amend commit message]
Fixes: 557aaa7ffab6 ("ft232: support the ASYNC_LOW_LATENCY flag")
Fixes: c19db4c9e49a ("USB: ftdi_sio: set device latency timeout at port probe").
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/usb/serial/ftdi_sio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

Greg Kroah-Hartman

May 23, 2017, 4:40:08 PM

4.4-stable review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit aa58fedb8c7b6cf2f05941d238495f9e2f29655c upstream.

Make sure to check the number of endpoints to avoid accessing memory
beyond the endpoint array should a device lack the expected endpoints.

Note that, as far as I can tell, the gspca framework has already made
sure there is at least one endpoint in the current alternate setting so
there should be no risk for a NULL-pointer dereference here.

Fixes: b517af722860 ("V4L/DVB: gspca_konica: New gspca subdriver for
konica chipset using cams")

Cc: Hans de Goede <hdeg...@redhat.com>
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Hans Verkuil <hans...@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mch...@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/media/usb/gspca/konica.c | 3 +++
1 file changed, 3 insertions(+)

--- a/drivers/media/usb/gspca/konica.c
+++ b/drivers/media/usb/gspca/konica.c
@@ -188,6 +188,9 @@ static int sd_start(struct gspca_dev *gs
return -EIO;
}

+ if (alt->desc.bNumEndpoints < 2)
+ return -ENODEV;
+
packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);

n = gspca_dev->cam.cam_mode[gspca_dev->curr_mode].priv;
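
Review bot: the check requires two endpoints, but the only access visible in this hunk is alt->endpoint[0]. Please add a comment naming where endpoint[1] is used later in sd_start(), so that the bound is not "corrected" to 1 by someone reading only these lines.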

Greg Kroah-Hartman

May 23, 2017, 4:40:09 PM

4.4-stable review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit 75cf067953d5ee543b3bda90bbfcbee5e1f94ae8 upstream.

Add missing endianness conversion when using the USB device-descriptor
bcdDevice field to construct a firmware file name.

Fixes: 8ef80aef118e ("[IRDA]: irda-usb.c: STIR421x cleanups")
Cc: Nick Fedchik <nfed...@atlantic-link.com.ua>
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/net/irda/irda-usb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/irda/irda-usb.c
+++ b/drivers/net/irda/irda-usb.c
@@ -1077,7 +1077,7 @@ static int stir421x_patch_device(struct
* are "42101001.sb" or "42101002.sb"
*/
sprintf(stir421x_fw_name, "4210%4X.sb",
- self->usbdev->descriptor.bcdDevice);
+ le16_to_cpu(self->usbdev->descriptor.bcdDevice));
ret = request_firmware(&fw, stir421x_fw_name, &self->usbdev->dev);
if (ret < 0)
return ret;
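
Review bot: le16_to_cpu() fixes the byte order, but the format is still "%4X", which pads with spaces rather than zeros. A bcdDevice below 0x1000 would produce a firmware name with embedded spaces instead of the "42101001.sb" style names the comment describes; "%04X" would match the comment. Using snprintf() with the size of stir421x_fw_name would also bound the write.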

Greg Kroah-Hartman

May 23, 2017, 4:40:09 PM

4.4-stable review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit eacb975b48272f54532b62f515a3cf7eefa35123 upstream.

Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer or accessing memory beyond the endpoint array should a
malicious device lack the expected endpoints.

Fixes: 2a9f8b5d25be ("V4L/DVB (5206): Usbvision: set alternate interface
modification")

Cc: Thierry MERLE <thierr...@free.fr>
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Hans Verkuil <hans.v...@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mch...@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/media/usb/usbvision/usbvision-video.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/media/usb/usbvision/usbvision-video.c
+++ b/drivers/media/usb/usbvision/usbvision-video.c
@@ -1523,7 +1523,14 @@ static int usbvision_probe(struct usb_in