Fixes for 4.4
authorSasha Levin <sashal@kernel.org>
Sat, 8 May 2021 03:21:19 +0000 (23:21 -0400)
committerSasha Levin <sashal@kernel.org>
Sat, 8 May 2021 03:21:19 +0000 (23:21 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
25 files changed:
queue-4.4/btrfs-convert-logic-bug_on-s-in-replace_path-to-asse.patch [new file with mode: 0644]
queue-4.4/clk-socfpga-arria10-fix-memory-leak-of-socfpga_clk-o.patch [new file with mode: 0644]
queue-4.4/drm-amdgpu-fix-null-pointer-dereference.patch [new file with mode: 0644]
queue-4.4/drm-msm-mdp5-configure-pp_sync_height-to-double-the-.patch [new file with mode: 0644]
queue-4.4/intel_th-consistency-and-off-by-one-fix.patch [new file with mode: 0644]
queue-4.4/media-dvb-usb-fix-memory-leak-in-dvb_usb_adapter_ini.patch [new file with mode: 0644]
queue-4.4/media-em28xx-fix-memory-leak.patch [new file with mode: 0644]
queue-4.4/media-gscpa-stv06xx-fix-memory-leak.patch [new file with mode: 0644]
queue-4.4/media-gspca-sq905.c-fix-uninitialized-variable.patch [new file with mode: 0644]
queue-4.4/media-i2c-adv7511-v4l2-fix-possible-use-after-free-i.patch [new file with mode: 0644]
queue-4.4/media-ite-cir-check-for-receive-overflow.patch [new file with mode: 0644]
queue-4.4/media-media-saa7164-fix-saa7164_encoder_register-mem.patch [new file with mode: 0644]
queue-4.4/pci-pm-do-not-read-power-state-in-pci_enable_device_.patch [new file with mode: 0644]
queue-4.4/phy-phy-twl4030-usb-fix-possible-use-after-free-in-t.patch [new file with mode: 0644]
queue-4.4/power-supply-generic-adc-battery-fix-possible-use-af.patch [new file with mode: 0644]
queue-4.4/power-supply-s3c_adc_battery-fix-possible-use-after-.patch [new file with mode: 0644]
queue-4.4/scsi-libfc-fix-a-format-specifier.patch [new file with mode: 0644]
queue-4.4/scsi-lpfc-fix-crash-when-a-reg_rpi-mailbox-fails-tri.patch [new file with mode: 0644]
queue-4.4/scsi-target-pscsi-fix-warning-in-pscsi_complete_cmd.patch [new file with mode: 0644]
queue-4.4/series
queue-4.4/spi-dln2-fix-reference-leak-to-master.patch [new file with mode: 0644]
queue-4.4/spi-omap-100k-fix-reference-leak-to-master.patch [new file with mode: 0644]
queue-4.4/staging-wimax-i2400m-fix-byte-order-issue.patch [new file with mode: 0644]
queue-4.4/usb-gadget-uvc-add-binterval-checking-for-hs-mode.patch [new file with mode: 0644]
queue-4.4/x86-build-propagate-clang_flags-to-realmode_flags.patch [new file with mode: 0644]

diff --git a/queue-4.4/btrfs-convert-logic-bug_on-s-in-replace_path-to-asse.patch b/queue-4.4/btrfs-convert-logic-bug_on-s-in-replace_path-to-asse.patch
new file mode 100644 (file)
index 0000000..909124c
--- /dev/null
@@ -0,0 +1,48 @@
+From f6d341a23ab769f8aa0f164d32cb058f93c3e39a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Mar 2021 15:25:21 -0500
+Subject: btrfs: convert logic BUG_ON()'s in replace_path to ASSERT()'s
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+[ Upstream commit 7a9213a93546e7eaef90e6e153af6b8fc7553f10 ]
+
+A few BUG_ON()'s in replace_path are purely to keep us from making
+logical mistakes, so replace them with ASSERT()'s.
+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/relocation.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
+index 5681fc3976ad..628b6a046093 100644
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -1785,8 +1785,8 @@ int replace_path(struct btrfs_trans_handle *trans,
+       int ret;
+       int slot;
+-      BUG_ON(src->root_key.objectid != BTRFS_TREE_RELOC_OBJECTID);
+-      BUG_ON(dest->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID);
++      ASSERT(src->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID);
++      ASSERT(dest->root_key.objectid != BTRFS_TREE_RELOC_OBJECTID);
+       last_snapshot = btrfs_root_last_snapshot(&src->root_item);
+ again:
+@@ -1818,7 +1818,7 @@ again:
+       parent = eb;
+       while (1) {
+               level = btrfs_header_level(parent);
+-              BUG_ON(level < lowest_level);
++              ASSERT(level >= lowest_level);
+               ret = btrfs_bin_search(parent, &key, level, &slot);
+               if (ret && slot > 0)
+-- 
+2.30.2
+
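Review bot: The three checks in replace_path() become no-ops on kernels built without CONFIG_BTRFS_ASSERT, so in the `while (1)` loop a `level` below `lowest_level` is no longer stopped before `btrfs_bin_search()`. `level` comes from `btrfs_header_level(parent)`, that is from a tree block header, so if a damaged or crafted filesystem image can produce such a value (not verifiable from this hunk) the test is input validation rather than a pure logic check. For that one case an explicit error path would be safer than an assertion, for example `if (level < lowest_level) { ret = -EIO; break; }`, assuming the code after the loop (outside the hunk) releases what was taken so far. The two root objectid assertions at the top look like genuine caller-contract checks and are fine as ASSERT().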
diff --git a/queue-4.4/clk-socfpga-arria10-fix-memory-leak-of-socfpga_clk-o.patch b/queue-4.4/clk-socfpga-arria10-fix-memory-leak-of-socfpga_clk-o.patch
new file mode 100644 (file)
index 0000000..614e452
--- /dev/null
@@ -0,0 +1,38 @@
+From b934e879e3d41308009501e73a72f616ff89690b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 18:01:15 +0100
+Subject: clk: socfpga: arria10: Fix memory leak of socfpga_clk on error return
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 657d4d1934f75a2d978c3cf2086495eaa542e7a9 ]
+
+There is an error return path that is not kfree'ing socfpga_clk leading
+to a memory leak. Fix this by adding in the missing kfree call.
+
+Addresses-Coverity: ("Resource leak")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Link: https://lore.kernel.org/r/20210406170115.430990-1-colin.king@canonical.com
+Acked-by: Dinh Nguyen <dinguyen@kernel.org>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/socfpga/clk-gate-a10.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clk/socfpga/clk-gate-a10.c b/drivers/clk/socfpga/clk-gate-a10.c
+index 1cebf253e8fd..48e371035a63 100644
+--- a/drivers/clk/socfpga/clk-gate-a10.c
++++ b/drivers/clk/socfpga/clk-gate-a10.c
+@@ -158,6 +158,7 @@ static void __init __socfpga_gate_init(struct device_node *node,
+               if (IS_ERR(socfpga_clk->sys_mgr_base_addr)) {
+                       pr_err("%s: failed to find altr,sys-mgr regmap!\n",
+                                       __func__);
++                      kfree(socfpga_clk);
+                       return;
+               }
+       }
+-- 
+2.30.2
+
diff --git a/queue-4.4/drm-amdgpu-fix-null-pointer-dereference.patch b/queue-4.4/drm-amdgpu-fix-null-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..804a22f
--- /dev/null
@@ -0,0 +1,60 @@
+From eea95362b5b5b695e28ef33395f392118ab9cd9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Mar 2021 17:52:18 +0800
+Subject: drm/amdgpu: fix NULL pointer dereference
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Guchun Chen <guchun.chen@amd.com>
+
+[ Upstream commit 3c3dc654333f6389803cdcaf03912e94173ae510 ]
+
+ttm->sg needs to be checked before accessing its child member.
+
+Call Trace:
+ amdgpu_ttm_backend_destroy+0x12/0x70 [amdgpu]
+ ttm_bo_cleanup_memtype_use+0x3a/0x60 [ttm]
+ ttm_bo_release+0x17d/0x300 [ttm]
+ amdgpu_bo_unref+0x1a/0x30 [amdgpu]
+ amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x78b/0x8b0 [amdgpu]
+ kfd_ioctl_alloc_memory_of_gpu+0x118/0x220 [amdgpu]
+ kfd_ioctl+0x222/0x400 [amdgpu]
+ ? kfd_dev_is_large_bar+0x90/0x90 [amdgpu]
+ __x64_sys_ioctl+0x8e/0xd0
+ ? __context_tracking_exit+0x52/0x90
+ do_syscall_64+0x33/0x80
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x7f97f264d317
+Code: b3 66 90 48 8b 05 71 4b 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 41 4b 2d 00 f7 d8 64 89 01 48
+RSP: 002b:00007ffdb402c338 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 00007f97f3cc63a0 RCX: 00007f97f264d317
+RDX: 00007ffdb402c380 RSI: 00000000c0284b16 RDI: 0000000000000003
+RBP: 00007ffdb402c380 R08: 00007ffdb402c428 R09: 00000000c4000004
+R10: 00000000c4000004 R11: 0000000000000246 R12: 00000000c0284b16
+R13: 0000000000000003 R14: 00007f97f3cc63a0 R15: 00007f8836200000
+
+Signed-off-by: Guchun Chen <guchun.chen@amd.com>
+Acked-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
+index 062c23125b2a..6beb3e76e1c9 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
+@@ -566,7 +566,7 @@ static void amdgpu_ttm_tt_unpin_userptr(struct ttm_tt *ttm)
+               DMA_BIDIRECTIONAL : DMA_TO_DEVICE;
+       /* double check that we don't free the table twice */
+-      if (!ttm->sg->sgl)
++      if (!ttm->sg || !ttm->sg->sgl)
+               return;
+       /* free the sg table and pages again */
+-- 
+2.30.2
+
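Review bot: The comment above the changed test in amdgpu_ttm_tt_unpin_userptr() still says only `double check that we don't free the table twice`, but the condition now also covers a `ttm->sg` that was never set. Updating it to something like `/* nothing to release if the sg table was never set up or was already freed */` keeps the guard's purpose clear to the next reader. The rest of the function lies outside the hunk, so confirm that no other `ttm->sg` dereference sits ahead of this check.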
diff --git a/queue-4.4/drm-msm-mdp5-configure-pp_sync_height-to-double-the-.patch b/queue-4.4/drm-msm-mdp5-configure-pp_sync_height-to-double-the-.patch
new file mode 100644 (file)
index 0000000..e34da23
--- /dev/null
@@ -0,0 +1,57 @@
+From d7976ad6a2c06ec3348eb2681dab71f4d7690d7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 23:47:24 +0200
+Subject: drm/msm/mdp5: Configure PP_SYNC_HEIGHT to double the vtotal
+
+From: Marijn Suijten <marijn.suijten@somainline.org>
+
+[ Upstream commit 2ad52bdb220de5ab348098e3482b01235d15a842 ]
+
+Leaving this at a close-to-maximum register value 0xFFF0 means it takes
+very long for the MDSS to generate a software vsync interrupt when the
+hardware TE interrupt doesn't arrive.  Configuring this to double the
+vtotal (like some downstream kernels) leads to a frame to take at most
+twice before the vsync signal, until hardware TE comes up.
+
+In this case the hardware interrupt responsible for providing this
+signal - "disp-te" gpio - is not hooked up to the mdp5 vsync/pp logic at
+all.  This solves severe panel update issues observed on at least the
+Xperia Loire and Tone series, until said gpio is properly hooked up to
+an irq.
+
+Suggested-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@somainline.org>
+Signed-off-by: Marijn Suijten <marijn.suijten@somainline.org>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@somainline.org>
+Link: https://lore.kernel.org/r/20210406214726.131534-2-marijn.suijten@somainline.org
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/mdp/mdp5/mdp5_cmd_encoder.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/mdp/mdp5/mdp5_cmd_encoder.c b/drivers/gpu/drm/msm/mdp/mdp5/mdp5_cmd_encoder.c
+index 8e6c9b598a57..d8c7b8a6a418 100644
+--- a/drivers/gpu/drm/msm/mdp/mdp5/mdp5_cmd_encoder.c
++++ b/drivers/gpu/drm/msm/mdp/mdp5/mdp5_cmd_encoder.c
+@@ -128,9 +128,17 @@ static int pingpong_tearcheck_setup(struct drm_encoder *encoder,
+               | MDP5_PP_SYNC_CONFIG_VSYNC_IN_EN;
+       cfg |= MDP5_PP_SYNC_CONFIG_VSYNC_COUNT(vclks_line);
++      /*
++       * Tearcheck emits a blanking signal every vclks_line * vtotal * 2 ticks on
++       * the vsync_clk equating to roughly half the desired panel refresh rate.
++       * This is only necessary as stability fallback if interrupts from the
++       * panel arrive too late or not at all, but is currently used by default
++       * because these panel interrupts are not wired up yet.
++       */
+       mdp5_write(mdp5_kms, REG_MDP5_PP_SYNC_CONFIG_VSYNC(pp_id), cfg);
+       mdp5_write(mdp5_kms,
+-              REG_MDP5_PP_SYNC_CONFIG_HEIGHT(pp_id), 0xfff0);
++              REG_MDP5_PP_SYNC_CONFIG_HEIGHT(pp_id), (2 * mode->vtotal));
++
+       mdp5_write(mdp5_kms,
+               REG_MDP5_PP_VSYNC_INIT_VAL(pp_id), mode->vdisplay);
+       mdp5_write(mdp5_kms, REG_MDP5_PP_RD_PTR_IRQ(pp_id), mode->vdisplay + 1);
+-- 
+2.30.2
+
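Review bot: `2 * mode->vtotal` is written to REG_MDP5_PP_SYNC_CONFIG_HEIGHT without any bound, whereas the constant it replaces, `0xfff0`, suggests the field is 16 bits wide. If that is the case, a mode with a large vtotal would be truncated or spill into neighbouring bits; clamping keeps the old value as the ceiling, e.g. `min(2 * mode->vtotal, 0xfff0)`. The new block comment also sits above the VSYNC write rather than the HEIGHT write it explains, so moving it down by two statements would help. pingpong_tearcheck_setup() starts and ends outside the hunk.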
diff --git a/queue-4.4/intel_th-consistency-and-off-by-one-fix.patch b/queue-4.4/intel_th-consistency-and-off-by-one-fix.patch
new file mode 100644 (file)
index 0000000..66c06ba
--- /dev/null
@@ -0,0 +1,49 @@
+From b02d5884b97895eafea304d050e4ddeac0338144 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Apr 2021 20:12:49 +0300
+Subject: intel_th: Consistency and off-by-one fix
+
+From: Pavel Machek <pavel@ucw.cz>
+
+[ Upstream commit 18ffbc47d45a1489b664dd68fb3a7610a6e1dea3 ]
+
+Consistently use "< ... +1" in for loops.
+
+Fix of-by-one in for_each_set_bit().
+
+Signed-off-by: Pavel Machek <pavel@denx.de>
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Link: https://lore.kernel.org/lkml/20190724095841.GA6952@amd/
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20210414171251.14672-6-alexander.shishkin@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/intel_th/gth.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwtracing/intel_th/gth.c b/drivers/hwtracing/intel_th/gth.c
+index 189eb6269971..e585b29ce738 100644
+--- a/drivers/hwtracing/intel_th/gth.c
++++ b/drivers/hwtracing/intel_th/gth.c
+@@ -485,7 +485,7 @@ static void intel_th_gth_disable(struct intel_th_device *thdev,
+       output->active = false;
+       for_each_set_bit(master, gth->output[output->port].master,
+-                       TH_CONFIGURABLE_MASTERS) {
++                       TH_CONFIGURABLE_MASTERS + 1) {
+               gth_master_set(gth, master, -1);
+       }
+       spin_unlock(&gth->gth_lock);
+@@ -597,7 +597,7 @@ static void intel_th_gth_unassign(struct intel_th_device *thdev,
+       othdev->output.port = -1;
+       othdev->output.active = false;
+       gth->output[port].output = NULL;
+-      for (master = 0; master <= TH_CONFIGURABLE_MASTERS; master++)
++      for (master = 0; master < TH_CONFIGURABLE_MASTERS + 1; master++)
+               if (gth->master[master] == port)
+                       gth->master[master] = -1;
+       spin_unlock(&gth->gth_lock);
+-- 
+2.30.2
+
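Review bot: The `for_each_set_bit()` in intel_th_gth_disable() now scans `TH_CONFIGURABLE_MASTERS + 1` bits of `gth->output[...].master`, which is only safe if that bitmap is declared with at least that many bits. The declaration is not part of this hunk, so it should be checked in the 4.4 tree before the patch is queued; if it is still sized `TH_CONFIGURABLE_MASTERS`, the extra bit may be read past the end of the bitmap. The same question applies to the `gth->master[]` array indexed in intel_th_gth_unassign(), although that loop's range is unchanged by this patch. A single named constant for the `+ 1` bound, shared by the declarations and both loops, would make the intent checkable at a glance.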
diff --git a/queue-4.4/media-dvb-usb-fix-memory-leak-in-dvb_usb_adapter_ini.patch b/queue-4.4/media-dvb-usb-fix-memory-leak-in-dvb_usb_adapter_ini.patch
new file mode 100644 (file)
index 0000000..68c5ce4
--- /dev/null
@@ -0,0 +1,83 @@
+From a085c6fffce339a914282ae128e6663c4c3df550 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Mar 2021 21:32:19 +0200
+Subject: media: dvb-usb: fix memory leak in dvb_usb_adapter_init
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit b7cd0da982e3043f2eec7235ac5530cb18d6af1d ]
+
+syzbot reported memory leak in dvb-usb. The problem was
+in invalid error handling in dvb_usb_adapter_init().
+
+for (n = 0; n < d->props.num_adapters; n++) {
+....
+       if ((ret = dvb_usb_adapter_stream_init(adap)) ||
+               (ret = dvb_usb_adapter_dvb_init(adap, adapter_nrs)) ||
+               (ret = dvb_usb_adapter_frontend_init(adap))) {
+               return ret;
+       }
+...
+       d->num_adapters_initialized++;
+...
+}
+
+In case of error in dvb_usb_adapter_dvb_init() or
+dvb_usb_adapter_dvb_init() d->num_adapters_initialized won't be
+incremented, but dvb_usb_adapter_exit() relies on it:
+
+       for (n = 0; n < d->num_adapters_initialized; n++)
+
+So, allocated objects won't be freed.
+
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Reported-by: syzbot+3c2be7424cea3b932b0e@syzkaller.appspotmail.com
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/dvb-usb-init.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/usb/dvb-usb/dvb-usb-init.c b/drivers/media/usb/dvb-usb/dvb-usb-init.c
+index 97a89ef7e4c1..151212168c9f 100644
+--- a/drivers/media/usb/dvb-usb/dvb-usb-init.c
++++ b/drivers/media/usb/dvb-usb/dvb-usb-init.c
+@@ -82,11 +82,17 @@ static int dvb_usb_adapter_init(struct dvb_usb_device *d, short *adapter_nrs)
+                       }
+               }
+-              if ((ret = dvb_usb_adapter_stream_init(adap)) ||
+-                      (ret = dvb_usb_adapter_dvb_init(adap, adapter_nrs)) ||
+-                      (ret = dvb_usb_adapter_frontend_init(adap))) {
++              ret = dvb_usb_adapter_stream_init(adap);
++              if (ret)
+                       return ret;
+-              }
++
++              ret = dvb_usb_adapter_dvb_init(adap, adapter_nrs);
++              if (ret)
++                      goto dvb_init_err;
++
++              ret = dvb_usb_adapter_frontend_init(adap);
++              if (ret)
++                      goto frontend_init_err;
+               /* use exclusive FE lock if there is multiple shared FEs */
+               if (adap->fe_adap[1].fe)
+@@ -106,6 +112,12 @@ static int dvb_usb_adapter_init(struct dvb_usb_device *d, short *adapter_nrs)
+       }
+       return 0;
++
++frontend_init_err:
++      dvb_usb_adapter_dvb_exit(adap);
++dvb_init_err:
++      dvb_usb_adapter_stream_exit(adap);
++      return ret;
+ }
+ static int dvb_usb_adapter_exit(struct dvb_usb_device *d)
+-- 
+2.30.2
+
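Review bot: A failure in dvb_usb_adapter_stream_init() still leaves through the plain `return ret;`, so anything the loop body set up for this adapter before that call is not undone on that path. The lines above the hunk are not visible here; if they allocate per-adapter state (the two closing braces at the top of the hunk suggest a conditional setup block), it is released neither by the new labels nor by dvb_usb_adapter_exit(), which according to the commit message only walks `num_adapters_initialized` entries. The two new labels have the same limit, since they unwind the dvb and stream stages only. Worth confirming against the full function and, if needed, adding a further label that frees that state.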
diff --git a/queue-4.4/media-em28xx-fix-memory-leak.patch b/queue-4.4/media-em28xx-fix-memory-leak.patch
new file mode 100644 (file)
index 0000000..8ceef27
--- /dev/null
@@ -0,0 +1,41 @@
+From d2c36b6cfdfcaf10ff9e8c9ce97f2fcb2a64f991 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Mar 2021 19:07:53 +0100
+Subject: media: em28xx: fix memory leak
+
+From: Muhammad Usama Anjum <musamaanjum@gmail.com>
+
+[ Upstream commit 0ae10a7dc8992ee682ff0b1752ff7c83d472eef1 ]
+
+If some error occurs, URB buffers should also be freed. If they aren't
+freed with the dvb here, the em28xx_dvb_fini call doesn't frees the URB
+buffers as dvb is set to NULL. The function in which error occurs should
+do all the cleanup for the allocations it had done.
+
+Tested the patch with the reproducer provided by syzbot. This patch
+fixes the memleak.
+
+Reported-by: syzbot+889397c820fa56adf25d@syzkaller.appspotmail.com
+Signed-off-by: Muhammad Usama Anjum <musamaanjum@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/em28xx/em28xx-dvb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/usb/em28xx/em28xx-dvb.c b/drivers/media/usb/em28xx/em28xx-dvb.c
+index 5502a0fb94fd..a19c89009bf3 100644
+--- a/drivers/media/usb/em28xx/em28xx-dvb.c
++++ b/drivers/media/usb/em28xx/em28xx-dvb.c
+@@ -1757,6 +1757,7 @@ ret:
+       return result;
+ out_free:
++      em28xx_uninit_usb_xfer(dev, EM28XX_DIGITAL_MODE);
+       kfree(dvb);
+       dev->dvb = NULL;
+       goto ret;
+-- 
+2.30.2
+
diff --git a/queue-4.4/media-gscpa-stv06xx-fix-memory-leak.patch b/queue-4.4/media-gscpa-stv06xx-fix-memory-leak.patch
new file mode 100644 (file)
index 0000000..022f911
--- /dev/null
@@ -0,0 +1,84 @@
+From d3a46b4258a04e940dc1569a453a67695288e747 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Apr 2021 12:31:20 +0200
+Subject: media: gscpa/stv06xx: fix memory leak
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit 4f4e6644cd876c844cdb3bea2dd7051787d5ae25 ]
+
+For two of the supported sensors the stv06xx driver allocates memory which
+is stored in sd->sensor_priv. This memory is freed on a disconnect, but if
+the probe() fails, then it isn't freed and so this leaks memory.
+
+Add a new probe_error() op that drivers can use to free any allocated
+memory in case there was a probe failure.
+
+Thanks to Pavel Skripkin <paskripkin@gmail.com> for discovering the cause
+of the memory leak.
+
+Reported-and-tested-by: syzbot+e7f4c64a4248a0340c37@syzkaller.appspotmail.com
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/gspca/gspca.c           | 2 ++
+ drivers/media/usb/gspca/gspca.h           | 1 +
+ drivers/media/usb/gspca/stv06xx/stv06xx.c | 9 +++++++++
+ 3 files changed, 12 insertions(+)
+
+diff --git a/drivers/media/usb/gspca/gspca.c b/drivers/media/usb/gspca/gspca.c
+index 17b7b02330c9..a4f64bdb8017 100644
+--- a/drivers/media/usb/gspca/gspca.c
++++ b/drivers/media/usb/gspca/gspca.c
+@@ -2131,6 +2131,8 @@ out:
+ #endif
+       v4l2_ctrl_handler_free(gspca_dev->vdev.ctrl_handler);
+       v4l2_device_unregister(&gspca_dev->v4l2_dev);
++      if (sd_desc->probe_error)
++              sd_desc->probe_error(gspca_dev);
+       kfree(gspca_dev->usb_buf);
+       kfree(gspca_dev);
+       return ret;
+diff --git a/drivers/media/usb/gspca/gspca.h b/drivers/media/usb/gspca/gspca.h
+index d39adf90303b..bec8fccc2c94 100644
+--- a/drivers/media/usb/gspca/gspca.h
++++ b/drivers/media/usb/gspca/gspca.h
+@@ -101,6 +101,7 @@ struct sd_desc {
+       cam_cf_op config;       /* called on probe */
+       cam_op init;            /* called on probe and resume */
+       cam_op init_controls;   /* called on probe */
++      cam_v_op probe_error;   /* called if probe failed, do cleanup here */
+       cam_op start;           /* called on stream on after URBs creation */
+       cam_pkt_op pkt_scan;
+ /* optional operations */
+diff --git a/drivers/media/usb/gspca/stv06xx/stv06xx.c b/drivers/media/usb/gspca/stv06xx/stv06xx.c
+index 7d255529ed4c..40d4c99debb8 100644
+--- a/drivers/media/usb/gspca/stv06xx/stv06xx.c
++++ b/drivers/media/usb/gspca/stv06xx/stv06xx.c
+@@ -541,12 +541,21 @@ static int sd_int_pkt_scan(struct gspca_dev *gspca_dev,
+ static int stv06xx_config(struct gspca_dev *gspca_dev,
+                         const struct usb_device_id *id);
++static void stv06xx_probe_error(struct gspca_dev *gspca_dev)
++{
++      struct sd *sd = (struct sd *)gspca_dev;
++
++      kfree(sd->sensor_priv);
++      sd->sensor_priv = NULL;
++}
++
+ /* sub-driver description */
+ static const struct sd_desc sd_desc = {
+       .name = MODULE_NAME,
+       .config = stv06xx_config,
+       .init = stv06xx_init,
+       .init_controls = stv06xx_init_controls,
++      .probe_error = stv06xx_probe_error,
+       .start = stv06xx_start,
+       .stopN = stv06xx_stopN,
+       .pkt_scan = stv06xx_pkt_scan,
+-- 
+2.30.2
+
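Review bot: `probe_error` is added to `struct sd_desc` in the group of members that precedes the `/* optional operations */` marker, yet gspca.c treats it as optional by testing `if (sd_desc->probe_error)` before the call. Moving the member below that marker, or changing its comment to `/* optional: called if probe failed, do cleanup here */`, would stop sub-driver authors from assuming it must be provided. In the gspca.c error path the callback runs after `v4l2_ctrl_handler_free()` and `v4l2_device_unregister()`, so an implementation must not touch the controls or the v4l2 device; that constraint deserves a line in the same comment.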
diff --git a/queue-4.4/media-gspca-sq905.c-fix-uninitialized-variable.patch b/queue-4.4/media-gspca-sq905.c-fix-uninitialized-variable.patch
new file mode 100644 (file)
index 0000000..bdbc4d2
--- /dev/null
@@ -0,0 +1,36 @@
+From 8c3eca08276fa624b3180a73e033cebcb4393942 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Mar 2021 15:46:40 +0100
+Subject: media: gspca/sq905.c: fix uninitialized variable
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit eaaea4681984c79d2b2b160387b297477f0c1aab ]
+
+act_len can be uninitialized if usb_bulk_msg() returns an error.
+Set it to 0 to avoid a KMSAN error.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Reported-by: syzbot+a4e309017a5f3a24c7b3@syzkaller.appspotmail.com
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/gspca/sq905.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/gspca/sq905.c b/drivers/media/usb/gspca/sq905.c
+index a7ae0ec9fa91..03322d2b2e82 100644
+--- a/drivers/media/usb/gspca/sq905.c
++++ b/drivers/media/usb/gspca/sq905.c
+@@ -172,7 +172,7 @@ static int
+ sq905_read_data(struct gspca_dev *gspca_dev, u8 *data, int size, int need_lock)
+ {
+       int ret;
+-      int act_len;
++      int act_len = 0;
+       gspca_dev->usb_buf[0] = '\0';
+       if (need_lock)
+-- 
+2.30.2
+
diff --git a/queue-4.4/media-i2c-adv7511-v4l2-fix-possible-use-after-free-i.patch b/queue-4.4/media-i2c-adv7511-v4l2-fix-possible-use-after-free-i.patch
new file mode 100644 (file)
index 0000000..d6aac71
--- /dev/null
@@ -0,0 +1,44 @@
+From f591283510ab9d7a4b29a2985aa5f5dda716defd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 15:48:12 +0200
+Subject: media: i2c: adv7511-v4l2: fix possible use-after-free in
+ adv7511_remove()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 2c9541720c66899adf6f3600984cf3ef151295ad ]
+
+This driver's remove path calls cancel_delayed_work(). However, that
+function does not wait until the work function finishes. This means
+that the callback function may still be running after the driver's
+remove function has finished, which would result in a use-after-free.
+
+Fix by calling cancel_delayed_work_sync(), which ensures that
+the work is properly cancelled, no longer running, and unable
+to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/adv7511-v4l2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/i2c/adv7511-v4l2.c b/drivers/media/i2c/adv7511-v4l2.c
+index b35400e4e9af..e85777dfe81d 100644
+--- a/drivers/media/i2c/adv7511-v4l2.c
++++ b/drivers/media/i2c/adv7511-v4l2.c
+@@ -1570,7 +1570,7 @@ static int adv7511_remove(struct i2c_client *client)
+                client->addr << 1, client->adapter->name);
+       adv7511_init_setup(sd);
+-      cancel_delayed_work(&state->edid_handler);
++      cancel_delayed_work_sync(&state->edid_handler);
+       i2c_unregister_device(state->i2c_edid);
+       i2c_unregister_device(state->i2c_pktmem);
+       destroy_workqueue(state->work_queue);
+-- 
+2.30.2
+
diff --git a/queue-4.4/media-ite-cir-check-for-receive-overflow.patch b/queue-4.4/media-ite-cir-check-for-receive-overflow.patch
new file mode 100644 (file)
index 0000000..fe29669
--- /dev/null
@@ -0,0 +1,41 @@
+From 8cac292458f9826b275e2856642ab64159e54de0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Feb 2021 09:08:35 +0100
+Subject: media: ite-cir: check for receive overflow
+
+From: Sean Young <sean@mess.org>
+
+[ Upstream commit 28c7afb07ccfc0a939bb06ac1e7afe669901c65a ]
+
+It's best if this condition is reported.
+
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/rc/ite-cir.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/rc/ite-cir.c b/drivers/media/rc/ite-cir.c
+index 63165d324fff..7d3e50d94d86 100644
+--- a/drivers/media/rc/ite-cir.c
++++ b/drivers/media/rc/ite-cir.c
+@@ -292,8 +292,14 @@ static irqreturn_t ite_cir_isr(int irq, void *data)
+       /* read the interrupt flags */
+       iflags = dev->params.get_irq_causes(dev);
++      /* Check for RX overflow */
++      if (iflags & ITE_IRQ_RX_FIFO_OVERRUN) {
++              dev_warn(&dev->rdev->dev, "receive overflow\n");
++              ir_raw_event_reset(dev->rdev);
++      }
++
+       /* check for the receive interrupt */
+-      if (iflags & (ITE_IRQ_RX_FIFO | ITE_IRQ_RX_FIFO_OVERRUN)) {
++      if (iflags & ITE_IRQ_RX_FIFO) {
+               /* read the FIFO bytes */
+               rx_bytes =
+                       dev->params.get_rx_bytes(dev, rx_buf,
+-- 
+2.30.2
+
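Review bot: The new `dev_warn()` in ite_cir_isr() runs on every interrupt that has ITE_IRQ_RX_FIFO_OVERRUN set and is not rate limited, so a noisy or malfunctioning receiver can flood the kernel log from interrupt context. `dev_warn_ratelimited(&dev->rdev->dev, "receive overflow\n");` reports the condition without that risk. Separately, an interrupt that carries only the overrun flag no longer enters the FIFO read branch, since its test was narrowed to `ITE_IRQ_RX_FIFO`; whether the hardware needs the FIFO drained to clear the overrun is not visible from this hunk and should be confirmed. The ISR body continues outside the hunk.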
diff --git a/queue-4.4/media-media-saa7164-fix-saa7164_encoder_register-mem.patch b/queue-4.4/media-media-saa7164-fix-saa7164_encoder_register-mem.patch
new file mode 100644 (file)
index 0000000..981301d
--- /dev/null
@@ -0,0 +1,87 @@
+From d51d2f5046dbf1776a8803f78b46a4bf30e4b493 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Mar 2021 03:53:00 +0100
+Subject: media: media/saa7164: fix saa7164_encoder_register() memory leak bugs
+
+From: Daniel Niv <danielniv3@gmail.com>
+
+[ Upstream commit c759b2970c561e3b56aa030deb13db104262adfe ]
+
+Add a fix for the memory leak bugs that can occur when the
+saa7164_encoder_register() function fails.
+The function allocates memory without explicitly freeing
+it when errors occur.
+Add a better error handling that deallocate the unused buffers before the
+function exits during a fail.
+
+Signed-off-by: Daniel Niv <danielniv3@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/saa7164/saa7164-encoder.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/media/pci/saa7164/saa7164-encoder.c b/drivers/media/pci/saa7164/saa7164-encoder.c
+index 1b184c39ba97..966de363c575 100644
+--- a/drivers/media/pci/saa7164/saa7164-encoder.c
++++ b/drivers/media/pci/saa7164/saa7164-encoder.c
+@@ -1031,7 +1031,7 @@ int saa7164_encoder_register(struct saa7164_port *port)
+                      "(errno = %d), NO PCI configuration\n",
+                       __func__, result);
+               result = -ENOMEM;
+-              goto failed;
++              goto fail_pci;
+       }
+       /* Establish encoder defaults here */
+@@ -1085,7 +1085,7 @@ int saa7164_encoder_register(struct saa7164_port *port)
+                         100000, ENCODER_DEF_BITRATE);
+       if (hdl->error) {
+               result = hdl->error;
+-              goto failed;
++              goto fail_hdl;
+       }
+       port->std = V4L2_STD_NTSC_M;
+@@ -1103,7 +1103,7 @@ int saa7164_encoder_register(struct saa7164_port *port)
+               printk(KERN_INFO "%s: can't allocate mpeg device\n",
+                       dev->name);
+               result = -ENOMEM;
+-              goto failed;
++              goto fail_hdl;
+       }
+       port->v4l_device->ctrl_handler = hdl;
+@@ -1114,10 +1114,7 @@ int saa7164_encoder_register(struct saa7164_port *port)
+       if (result < 0) {
+               printk(KERN_INFO "%s: can't register mpeg device\n",
+                       dev->name);
+-              /* TODO: We're going to leak here if we don't dealloc
+-               The buffers above. The unreg function can't deal wit it.
+-              */
+-              goto failed;
++              goto fail_reg;
+       }
+       printk(KERN_INFO "%s: registered device video%d [mpeg]\n",
+@@ -1139,9 +1136,14 @@ int saa7164_encoder_register(struct saa7164_port *port)
+       saa7164_api_set_encoder(port);
+       saa7164_api_get_encoder(port);
++      return 0;
+-      result = 0;
+-failed:
++fail_reg:
++      video_device_release(port->v4l_device);
++      port->v4l_device = NULL;
++fail_hdl:
++      v4l2_ctrl_handler_free(hdl);
++fail_pci:
+       return result;
+ }
+-- 
+2.30.2
+
diff --git a/queue-4.4/pci-pm-do-not-read-power-state-in-pci_enable_device_.patch b/queue-4.4/pci-pm-do-not-read-power-state-in-pci_enable_device_.patch
new file mode 100644 (file)
index 0000000..c9bd57e
--- /dev/null
@@ -0,0 +1,72 @@
+From 71d2449049b9b32f1263affde2dadc57cb2d0219 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Mar 2021 16:51:40 +0100
+Subject: PCI: PM: Do not read power state in pci_enable_device_flags()
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 4514d991d99211f225d83b7e640285f29f0755d0 ]
+
+It should not be necessary to update the current_state field of
+struct pci_dev in pci_enable_device_flags() before calling
+do_pci_enable_device() for the device, because none of the
+code between that point and the pci_set_power_state() call in
+do_pci_enable_device() invoked later depends on it.
+
+Moreover, doing that is actively harmful in some cases.  For example,
+if the given PCI device depends on an ACPI power resource whose _STA
+method initially returns 0 ("off"), but the config space of the PCI
+device is accessible and the power state retrieved from the
+PCI_PM_CTRL register is D0, the current_state field in the struct
+pci_dev representing that device will get out of sync with the
+power.state of its ACPI companion object and that will lead to
+power management issues going forward.
+
+To avoid such issues it is better to leave the current_state value
+as is until it is changed to PCI_D0 by do_pci_enable_device() as
+appropriate.  However, the power state of the device is not changed
+to PCI_D0 if it is already enabled when pci_enable_device_flags()
+gets called for it, so update its current_state in that case, but
+use pci_update_current_state() covering platform PM too for that.
+
+Link: https://lore.kernel.org/lkml/20210314000439.3138941-1-luzmaximilian@gmail.com/
+Reported-by: Maximilian Luz <luzmaximilian@gmail.com>
+Tested-by: Maximilian Luz <luzmaximilian@gmail.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pci.c | 16 +++-------------
+ 1 file changed, 3 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
+index b7f65fc54dc2..22e8172f373d 100644
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -1328,20 +1328,10 @@ static int pci_enable_device_flags(struct pci_dev *dev, unsigned long flags)
+       int err;
+       int i, bars = 0;
+-      /*
+-       * Power state could be unknown at this point, either due to a fresh
+-       * boot or a device removal call.  So get the current power state
+-       * so that things like MSI message writing will behave as expected
+-       * (e.g. if the device really is in D0 at enable time).
+-       */
+-      if (dev->pm_cap) {
+-              u16 pmcsr;
+-              pci_read_config_word(dev, dev->pm_cap + PCI_PM_CTRL, &pmcsr);
+-              dev->current_state = (pmcsr & PCI_PM_CTRL_STATE_MASK);
+-      }
+-
+-      if (atomic_inc_return(&dev->enable_cnt) > 1)
++      if (atomic_inc_return(&dev->enable_cnt) > 1) {
++              pci_update_current_state(dev, dev->current_state);
+               return 0;               /* already enabled */
++      }
+       bridge = pci_upstream_bridge(dev);
+       if (bridge)
+-- 
+2.30.2
+
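Review bot: The new already-enabled branch in pci_enable_device_flags() (`if (atomic_inc_return(&dev->enable_cnt) > 1) {`) calls `pci_update_current_state(dev, dev->current_state)` without a comment, while the block it replaces carried a five-line explanation of why the power state was read. A short comment such as `/* Already enabled: the power state is not changed below, so resync the cached current_state */` would keep the reasoning next to the code. The commit message relies on pci_update_current_state() covering platform PM, but that helper's body is not in this hunk. For this 4.4 backport it is worth confirming that the 4.4 implementation consults the platform rather than only re-reading PCI_PM_CTRL; otherwise the out-of-sync state described in the message presumably persists on this path. The function continues outside the hunk.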
diff --git a/queue-4.4/phy-phy-twl4030-usb-fix-possible-use-after-free-in-t.patch b/queue-4.4/phy-phy-twl4030-usb-fix-possible-use-after-free-in-t.patch
new file mode 100644 (file)
index 0000000..d518af7
--- /dev/null
@@ -0,0 +1,45 @@
+From 14a76a0319b4e9593d449fa2c9569c64d2983929 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Apr 2021 17:27:16 +0800
+Subject: phy: phy-twl4030-usb: Fix possible use-after-free in
+ twl4030_usb_remove()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit e1723d8b87b73ab363256e7ca3af3ddb75855680 ]
+
+This driver's remove path calls cancel_delayed_work(). However, that
+function does not wait until the work function finishes. This means
+that the callback function may still be running after the driver's
+remove function has finished, which would result in a use-after-free.
+
+Fix by calling cancel_delayed_work_sync(), which ensures that
+the work is properly cancelled, no longer running, and unable
+to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20210407092716.3270248-1-yangyingliang@huawei.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/phy-twl4030-usb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/phy/phy-twl4030-usb.c b/drivers/phy/phy-twl4030-usb.c
+index f96065a81d1e..168780eb29aa 100644
+--- a/drivers/phy/phy-twl4030-usb.c
++++ b/drivers/phy/phy-twl4030-usb.c
+@@ -753,7 +753,7 @@ static int twl4030_usb_remove(struct platform_device *pdev)
+       usb_remove_phy(&twl->phy);
+       pm_runtime_get_sync(twl->dev);
+-      cancel_delayed_work(&twl->id_workaround_work);
++      cancel_delayed_work_sync(&twl->id_workaround_work);
+       device_remove_file(twl->dev, &dev_attr_vbus);
+       /* set transceiver mode to power on defaults */
+-- 
+2.30.2
+
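Review bot: In twl4030_usb_remove() the switch to `cancel_delayed_work_sync(&twl->id_workaround_work)` only guarantees that the work is idle when the call returns; nothing in the hunk shows that whatever queues id_workaround_work has been quiesced first. If an interrupt handler or PHY callback can still schedule it after this line, the use-after-free window the commit describes would remain, so the code paths that queue the work should be checked and disabled before the cancel. A comment on the call, e.g. `/* nothing can queue this work past this point: <reason> */`, would record that invariant. The function starts and ends outside the hunk.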
diff --git a/queue-4.4/power-supply-generic-adc-battery-fix-possible-use-af.patch b/queue-4.4/power-supply-generic-adc-battery-fix-possible-use-af.patch
new file mode 100644 (file)
index 0000000..7aa5991
--- /dev/null
@@ -0,0 +1,43 @@
+From a8d63dda905e2e15024536657e7cfb5a821e7444 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Apr 2021 17:17:06 +0800
+Subject: power: supply: generic-adc-battery: fix possible use-after-free in
+ gab_remove()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit b6cfa007b3b229771d9588970adb4ab3e0487f49 ]
+
+This driver's remove path calls cancel_delayed_work(). However, that
+function does not wait until the work function finishes. This means
+that the callback function may still be running after the driver's
+remove function has finished, which would result in a use-after-free.
+
+Fix by calling cancel_delayed_work_sync(), which ensures that
+the work is properly cancelled, no longer running, and unable
+to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/generic-adc-battery.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/power/generic-adc-battery.c b/drivers/power/generic-adc-battery.c
+index fedc5818fab7..86289f9da85a 100644
+--- a/drivers/power/generic-adc-battery.c
++++ b/drivers/power/generic-adc-battery.c
+@@ -379,7 +379,7 @@ static int gab_remove(struct platform_device *pdev)
+       }
+       kfree(adc_bat->psy_desc.properties);
+-      cancel_delayed_work(&adc_bat->bat_work);
++      cancel_delayed_work_sync(&adc_bat->bat_work);
+       return 0;
+ }
+-- 
+2.30.2
+
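Review bot: In gab_remove() the work is cancelled only after `kfree(adc_bat->psy_desc.properties)` and the teardown above it, so bat_work can still run against state that has already been released before `cancel_delayed_work_sync(&adc_bat->bat_work)` is reached. Moving the cancel ahead of the teardown, before anything the work function may touch is freed, would close that window. What the work function actually reads is not visible in this hunk, so this needs checking against its body. s3c_adc_bat_remove() in the next patch has the same shape: `cancel_delayed_work_sync(&bat_work)` comes after `gpio_free(pdata->gpio_charge_finished)`. Both functions start outside their hunks.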
diff --git a/queue-4.4/power-supply-s3c_adc_battery-fix-possible-use-after-.patch b/queue-4.4/power-supply-s3c_adc_battery-fix-possible-use-after-.patch
new file mode 100644 (file)
index 0000000..affd3c5
--- /dev/null
@@ -0,0 +1,44 @@
+From 04a31a9a51a5b69376ac9d8b2efa1b85134b88c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Apr 2021 17:19:03 +0800
+Subject: power: supply: s3c_adc_battery: fix possible use-after-free in
+ s3c_adc_bat_remove()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 68ae256945d2abe9036a7b68af4cc65aff79d5b7 ]
+
+This driver's remove path calls cancel_delayed_work(). However, that
+function does not wait until the work function finishes. This means
+that the callback function may still be running after the driver's
+remove function has finished, which would result in a use-after-free.
+
+Fix by calling cancel_delayed_work_sync(), which ensures that
+the work is properly cancelled, no longer running, and unable
+to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/s3c_adc_battery.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/power/s3c_adc_battery.c b/drivers/power/s3c_adc_battery.c
+index 0ffe5cd3abf6..06b412c43aa7 100644
+--- a/drivers/power/s3c_adc_battery.c
++++ b/drivers/power/s3c_adc_battery.c
+@@ -392,7 +392,7 @@ static int s3c_adc_bat_remove(struct platform_device *pdev)
+               gpio_free(pdata->gpio_charge_finished);
+       }
+-      cancel_delayed_work(&bat_work);
++      cancel_delayed_work_sync(&bat_work);
+       if (pdata->exit)
+               pdata->exit();
+-- 
+2.30.2
+
diff --git a/queue-4.4/scsi-libfc-fix-a-format-specifier.patch b/queue-4.4/scsi-libfc-fix-a-format-specifier.patch
new file mode 100644 (file)
index 0000000..8e6a3cf
--- /dev/null
@@ -0,0 +1,45 @@
+From 3fca755f1e92245e2e35f245295779c3f170b99f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Apr 2021 15:08:13 -0700
+Subject: scsi: libfc: Fix a format specifier
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit 90d6697810f06aceea9de71ad836a8c7669789cd ]
+
+Since the 'mfs' member has been declared as 'u32' in include/scsi/libfc.h,
+use the %u format specifier instead of %hu. This patch fixes the following
+clang compiler warning:
+
+warning: format specifies type
+      'unsigned short' but the argument has type 'u32' (aka 'unsigned int')
+      [-Wformat]
+                             "lport->mfs:%hu\n", mfs, lport->mfs);
+                                         ~~~          ^~~~~~~~~~
+                                         %u
+
+Link: https://lore.kernel.org/r/20210415220826.29438-8-bvanassche@acm.org
+Cc: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/libfc/fc_lport.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/libfc/fc_lport.c b/drivers/scsi/libfc/fc_lport.c
+index 867fc036d6ef..815d224b9ff8 100644
+--- a/drivers/scsi/libfc/fc_lport.c
++++ b/drivers/scsi/libfc/fc_lport.c
+@@ -1754,7 +1754,7 @@ void fc_lport_flogi_resp(struct fc_seq *sp, struct fc_frame *fp,
+       if (mfs < FC_SP_MIN_MAX_PAYLOAD || mfs > FC_SP_MAX_MAX_PAYLOAD) {
+               FC_LPORT_DBG(lport, "FLOGI bad mfs:%hu response, "
+-                           "lport->mfs:%hu\n", mfs, lport->mfs);
++                           "lport->mfs:%u\n", mfs, lport->mfs);
+               fc_lport_error(lport, fp);
+               goto out;
+       }
+-- 
+2.30.2
+
diff --git a/queue-4.4/scsi-lpfc-fix-crash-when-a-reg_rpi-mailbox-fails-tri.patch b/queue-4.4/scsi-lpfc-fix-crash-when-a-reg_rpi-mailbox-fails-tri.patch
new file mode 100644 (file)
index 0000000..2d44fd8
--- /dev/null
@@ -0,0 +1,60 @@
+From c8c4c767299d2045a22aafffd33ddcdbfa64e127 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 11 Apr 2021 18:31:13 -0700
+Subject: scsi: lpfc: Fix crash when a REG_RPI mailbox fails triggering a LOGO
+ response
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit fffd18ec6579c2d9c72b212169259062fe747888 ]
+
+Fix a crash caused by a double put on the node when the driver completed an
+ACC for an unsolicted abort on the same node.  The second put was executed
+by lpfc_nlp_not_used() and is wrong because the completion routine executes
+the nlp_put when the iocbq was released.  Additionally, the driver is
+issuing a LOGO then immediately calls lpfc_nlp_set_state to put the node
+into NPR.  This call does nothing.
+
+Remove the lpfc_nlp_not_used call and additional set_state in the
+completion routine.  Remove the lpfc_nlp_set_state post issue_logo.  Isn't
+necessary.
+
+Link: https://lore.kernel.org/r/20210412013127.2387-3-jsmart2021@gmail.com
+Co-developed-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_nportdisc.c | 2 --
+ drivers/scsi/lpfc/lpfc_sli.c       | 1 -
+ 2 files changed, 3 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c
+index 6aa0698925da..1a44102b43c3 100644
+--- a/drivers/scsi/lpfc/lpfc_nportdisc.c
++++ b/drivers/scsi/lpfc/lpfc_nportdisc.c
+@@ -1604,8 +1604,6 @@ lpfc_cmpl_reglogin_reglogin_issue(struct lpfc_vport *vport,
+               ndlp->nlp_last_elscmd = ELS_CMD_PLOGI;
+               lpfc_issue_els_logo(vport, ndlp, 0);
+-              ndlp->nlp_prev_state = NLP_STE_REG_LOGIN_ISSUE;
+-              lpfc_nlp_set_state(vport, ndlp, NLP_STE_NPR_NODE);
+               return ndlp->nlp_state;
+       }
+diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
+index 97c0d79a2601..9055a8fce3d4 100644
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -15049,7 +15049,6 @@ lpfc_sli4_seq_abort_rsp_cmpl(struct lpfc_hba *phba,
+       if (cmd_iocbq) {
+               ndlp = (struct lpfc_nodelist *)cmd_iocbq->context1;
+               lpfc_nlp_put(ndlp);
+-              lpfc_nlp_not_used(ndlp);
+               lpfc_sli_release_iocbq(phba, cmd_iocbq);
+       }
+-- 
+2.30.2
+
diff --git a/queue-4.4/scsi-target-pscsi-fix-warning-in-pscsi_complete_cmd.patch b/queue-4.4/scsi-target-pscsi-fix-warning-in-pscsi_complete_cmd.patch
new file mode 100644 (file)
index 0000000..7e56f89
--- /dev/null
@@ -0,0 +1,46 @@
+From e866a3f5464a8edd234f860ba6f1b9fd7cc7839a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 Feb 2021 21:56:26 -0800
+Subject: scsi: target: pscsi: Fix warning in pscsi_complete_cmd()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+
+[ Upstream commit fd48c056a32ed6e7754c7c475490f3bed54ed378 ]
+
+This fixes a compilation warning in pscsi_complete_cmd():
+
+     drivers/target/target_core_pscsi.c: In function ‘pscsi_complete_cmd’:
+     drivers/target/target_core_pscsi.c:624:5: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body]
+     ; /* XXX: TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE */
+
+Link: https://lore.kernel.org/r/20210228055645.22253-5-chaitanya.kulkarni@wdc.com
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/target_core_pscsi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/target/target_core_pscsi.c b/drivers/target/target_core_pscsi.c
+index d72a4058fd08..0ce3697ecbd7 100644
+--- a/drivers/target/target_core_pscsi.c
++++ b/drivers/target/target_core_pscsi.c
+@@ -629,8 +629,9 @@ static void pscsi_transport_complete(struct se_cmd *cmd, struct scatterlist *sg,
+                       unsigned char *buf;
+                       buf = transport_kmap_data_sg(cmd);
+-                      if (!buf)
++                      if (!buf) {
+                               ; /* XXX: TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE */
++                      }
+                       if (cdb[0] == MODE_SENSE_10) {
+                               if (!(buf[3] & 0x80))
+-- 
+2.30.2
+
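Review bot: The braces added around the empty body in pscsi_transport_complete() silence -Wempty-body but leave the underlying gap: when `transport_kmap_data_sg(cmd)` returns NULL nothing is done, and the following statement still evaluates `buf[3] & 0x80`, which is a NULL pointer dereference. The MODE SENSE fix-up that follows should be skipped, or the failure reported as the XXX comment hints, when buf is NULL, for instance by wrapping it in `if (buf) { ... }`. The rest of that block and the function are outside the hunk, so the exact exit path has to be chosen there.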
index ed3af6baf3abd16966817ac565e1852b5c4b7139..ec2bfffab78782e8c684fce31cbb36d72d75df47 100644 (file)
@@ -12,3 +12,27 @@ ecryptfs-fix-kernel-panic-with-null-dev_name.patch
 mmc-core-do-a-power-cycle-when-the-cmd11-fails.patch
 mmc-core-set-read-only-for-sd-cards-with-permanent-write-protect-bit.patch
 fbdev-zero-fill-colormap-in-fbcmap.c.patch
+staging-wimax-i2400m-fix-byte-order-issue.patch
+usb-gadget-uvc-add-binterval-checking-for-hs-mode.patch
+pci-pm-do-not-read-power-state-in-pci_enable_device_.patch
+x86-build-propagate-clang_flags-to-realmode_flags.patch
+spi-dln2-fix-reference-leak-to-master.patch
+spi-omap-100k-fix-reference-leak-to-master.patch
+intel_th-consistency-and-off-by-one-fix.patch
+phy-phy-twl4030-usb-fix-possible-use-after-free-in-t.patch
+btrfs-convert-logic-bug_on-s-in-replace_path-to-asse.patch
+scsi-target-pscsi-fix-warning-in-pscsi_complete_cmd.patch
+media-ite-cir-check-for-receive-overflow.patch
+media-media-saa7164-fix-saa7164_encoder_register-mem.patch
+media-gspca-sq905.c-fix-uninitialized-variable.patch
+media-em28xx-fix-memory-leak.patch
+clk-socfpga-arria10-fix-memory-leak-of-socfpga_clk-o.patch
+power-supply-generic-adc-battery-fix-possible-use-af.patch
+power-supply-s3c_adc_battery-fix-possible-use-after-.patch
+media-i2c-adv7511-v4l2-fix-possible-use-after-free-i.patch
+media-dvb-usb-fix-memory-leak-in-dvb_usb_adapter_ini.patch
+media-gscpa-stv06xx-fix-memory-leak.patch
+drm-msm-mdp5-configure-pp_sync_height-to-double-the-.patch
+drm-amdgpu-fix-null-pointer-dereference.patch
+scsi-lpfc-fix-crash-when-a-reg_rpi-mailbox-fails-tri.patch
+scsi-libfc-fix-a-format-specifier.patch
diff --git a/queue-4.4/spi-dln2-fix-reference-leak-to-master.patch b/queue-4.4/spi-dln2-fix-reference-leak-to-master.patch
new file mode 100644 (file)
index 0000000..e5a07c2
--- /dev/null
@@ -0,0 +1,40 @@
+From 8b0c6fc2941661a42c0777f3087c6dee80ea23bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Apr 2021 08:29:55 +0000
+Subject: spi: dln2: Fix reference leak to master
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 9b844b087124c1538d05f40fda8a4fec75af55be ]
+
+Call spi_master_get() holds the reference count to master device, thus
+we need an additional spi_master_put() call to reduce the reference
+count, otherwise we will leak a reference to master.
+
+This commit fix it by removing the unnecessary spi_master_get().
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Link: https://lore.kernel.org/r/20210409082955.2907950-1-weiyongjun1@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-dln2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-dln2.c b/drivers/spi/spi-dln2.c
+index 3b7d91d94fea..64b64174ce2f 100644
+--- a/drivers/spi/spi-dln2.c
++++ b/drivers/spi/spi-dln2.c
+@@ -781,7 +781,7 @@ exit_free_master:
+ static int dln2_spi_remove(struct platform_device *pdev)
+ {
+-      struct spi_master *master = spi_master_get(platform_get_drvdata(pdev));
++      struct spi_master *master = platform_get_drvdata(pdev);
+       struct dln2_spi *dln2 = spi_master_get_devdata(master);
+       pm_runtime_disable(&pdev->dev);
+-- 
+2.30.2
+
diff --git a/queue-4.4/spi-omap-100k-fix-reference-leak-to-master.patch b/queue-4.4/spi-omap-100k-fix-reference-leak-to-master.patch
new file mode 100644 (file)
index 0000000..e08f3d5
--- /dev/null
@@ -0,0 +1,58 @@
+From ac42620fa2702bef1cb0d7f279048e15002e1e88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Apr 2021 08:29:54 +0000
+Subject: spi: omap-100k: Fix reference leak to master
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit a23faea76d4cf5f75decb574491e66f9ecd707e7 ]
+
+Call spi_master_get() holds the reference count to master device, thus
+we need an additional spi_master_put() call to reduce the reference
+count, otherwise we will leak a reference to master.
+
+This commit fix it by removing the unnecessary spi_master_get().
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Link: https://lore.kernel.org/r/20210409082954.2906933-1-weiyongjun1@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-omap-100k.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/spi/spi-omap-100k.c b/drivers/spi/spi-omap-100k.c
+index 76a8425be227..1eccdc4a4581 100644
+--- a/drivers/spi/spi-omap-100k.c
++++ b/drivers/spi/spi-omap-100k.c
+@@ -435,7 +435,7 @@ err:
+ static int omap1_spi100k_remove(struct platform_device *pdev)
+ {
+-      struct spi_master *master = spi_master_get(platform_get_drvdata(pdev));
++      struct spi_master *master = platform_get_drvdata(pdev);
+       struct omap1_spi100k *spi100k = spi_master_get_devdata(master);
+       pm_runtime_disable(&pdev->dev);
+@@ -449,7 +449,7 @@ static int omap1_spi100k_remove(struct platform_device *pdev)
+ #ifdef CONFIG_PM
+ static int omap1_spi100k_runtime_suspend(struct device *dev)
+ {
+-      struct spi_master *master = spi_master_get(dev_get_drvdata(dev));
++      struct spi_master *master = dev_get_drvdata(dev);
+       struct omap1_spi100k *spi100k = spi_master_get_devdata(master);
+       clk_disable_unprepare(spi100k->ick);
+@@ -460,7 +460,7 @@ static int omap1_spi100k_runtime_suspend(struct device *dev)
+ static int omap1_spi100k_runtime_resume(struct device *dev)
+ {
+-      struct spi_master *master = spi_master_get(dev_get_drvdata(dev));
++      struct spi_master *master = dev_get_drvdata(dev);
+       struct omap1_spi100k *spi100k = spi_master_get_devdata(master);
+       int ret;
+-- 
+2.30.2
+
diff --git a/queue-4.4/staging-wimax-i2400m-fix-byte-order-issue.patch b/queue-4.4/staging-wimax-i2400m-fix-byte-order-issue.patch
new file mode 100644 (file)
index 0000000..0598458
--- /dev/null
@@ -0,0 +1,36 @@
+From be4e63e9fc0e8227d2301574340a9a9efe5786cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Feb 2021 21:01:05 +0530
+Subject: staging: wimax/i2400m: fix byte-order issue
+
+From: karthik alapati <mail@karthek.com>
+
+[ Upstream commit 0c37baae130df39b19979bba88bde2ee70a33355 ]
+
+fix sparse byte-order warnings by converting host byte-order
+type to __le16 byte-order types before assigning to hdr.length
+
+Signed-off-by: karthik alapati <mail@karthek.com>
+Link: https://lore.kernel.org/r/0ae5c5c4c646506d8be871e7be5705542671a1d5.1613921277.git.mail@karthek.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wimax/i2400m/op-rfkill.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wimax/i2400m/op-rfkill.c b/drivers/net/wimax/i2400m/op-rfkill.c
+index dc6fe93ce71f..e8473047b2d1 100644
+--- a/drivers/net/wimax/i2400m/op-rfkill.c
++++ b/drivers/net/wimax/i2400m/op-rfkill.c
+@@ -101,7 +101,7 @@ int i2400m_op_rfkill_sw_toggle(struct wimax_dev *wimax_dev,
+       if (cmd == NULL)
+               goto error_alloc;
+       cmd->hdr.type = cpu_to_le16(I2400M_MT_CMD_RF_CONTROL);
+-      cmd->hdr.length = sizeof(cmd->sw_rf);
++      cmd->hdr.length = cpu_to_le16(sizeof(cmd->sw_rf));
+       cmd->hdr.version = cpu_to_le16(I2400M_L3L4_VERSION);
+       cmd->sw_rf.hdr.type = cpu_to_le16(I2400M_TLV_RF_OPERATION);
+       cmd->sw_rf.hdr.length = cpu_to_le16(sizeof(cmd->sw_rf.status));
+-- 
+2.30.2
+
diff --git a/queue-4.4/usb-gadget-uvc-add-binterval-checking-for-hs-mode.patch b/queue-4.4/usb-gadget-uvc-add-binterval-checking-for-hs-mode.patch
new file mode 100644 (file)
index 0000000..8d45ae4
--- /dev/null
@@ -0,0 +1,52 @@
+From e3d7dcd0171e9f0ae1043b7025275c07322de5ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Mar 2021 13:53:38 +0100
+Subject: usb: gadget: uvc: add bInterval checking for HS mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pawel Laszczak <pawell@cadence.com>
+
+[ Upstream commit 26adde04acdff14a1f28d4a5dce46a8513a3038b ]
+
+Patch adds extra checking for bInterval passed by configfs.
+The 5.6.4 chapter of USB Specification (rev. 2.0) say:
+"A high-bandwidth endpoint must specify a period of 1x125 µs
+(i.e., a bInterval value of 1)."
+
+The issue was observed during testing UVC class on CV.
+I treat this change as improvement because we can control
+bInterval by configfs.
+
+Reviewed-by: Peter Chen <peter.chen@kernel.org>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Pawel Laszczak <pawell@cadence.com>
+Link: https://lore.kernel.org/r/20210308125338.4824-1-pawell@gli-login.cadence.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_uvc.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/function/f_uvc.c b/drivers/usb/gadget/function/f_uvc.c
+index f8a1881609a2..89da34ef7b3f 100644
+--- a/drivers/usb/gadget/function/f_uvc.c
++++ b/drivers/usb/gadget/function/f_uvc.c
+@@ -625,7 +625,12 @@ uvc_function_bind(struct usb_configuration *c, struct usb_function *f)
+       uvc_hs_streaming_ep.wMaxPacketSize =
+               cpu_to_le16(max_packet_size | ((max_packet_mult - 1) << 11));
+-      uvc_hs_streaming_ep.bInterval = opts->streaming_interval;
++
++      /* A high-bandwidth endpoint must specify a bInterval value of 1 */
++      if (max_packet_mult > 1)
++              uvc_hs_streaming_ep.bInterval = 1;
++      else
++              uvc_hs_streaming_ep.bInterval = opts->streaming_interval;
+       uvc_ss_streaming_ep.wMaxPacketSize = cpu_to_le16(max_packet_size);
+       uvc_ss_streaming_ep.bInterval = opts->streaming_interval;
+-- 
+2.30.2
+
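Review bot: The new `if (max_packet_mult > 1)` branch in uvc_function_bind() silently replaces the configfs-supplied `opts->streaming_interval` with 1, and the added comment does not say so. Extending it to something like `/* USB 2.0 5.6.4: high-bandwidth endpoints must use bInterval 1; streaming_interval from configfs is ignored in that case */` would tell the next reader why the configured value is dropped. The else branch and the SuperSpeed descriptor below still copy `opts->streaming_interval` unchecked in this hunk; whether it is range-validated where configfs stores it is not visible here. The function starts and ends outside the hunk.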
diff --git a/queue-4.4/x86-build-propagate-clang_flags-to-realmode_flags.patch b/queue-4.4/x86-build-propagate-clang_flags-to-realmode_flags.patch
new file mode 100644 (file)
index 0000000..cb0a9a9
--- /dev/null
@@ -0,0 +1,66 @@
+From 907349bb0f76715b2319a9ce89ab696e94af2f27 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Mar 2021 17:04:33 -0700
+Subject: x86/build: Propagate $(CLANG_FLAGS) to $(REALMODE_FLAGS)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: John Millikin <john@john-millikin.com>
+
+[ Upstream commit 8abe7fc26ad8f28bfdf78adbed56acd1fa93f82d ]
+
+When cross-compiling with Clang, the `$(CLANG_FLAGS)' variable
+contains additional flags needed to build C and assembly sources
+for the target platform. Normally this variable is automatically
+included in `$(KBUILD_CFLAGS)' via the top-level Makefile.
+
+The x86 real-mode makefile builds `$(REALMODE_CFLAGS)' from a
+plain assignment and therefore drops the Clang flags. This causes
+Clang to not recognize x86-specific assembler directives:
+
+  arch/x86/realmode/rm/header.S:36:1: error: unknown directive
+  .type real_mode_header STT_OBJECT ; .size real_mode_header, .-real_mode_header
+  ^
+
+Explicit propagation of `$(CLANG_FLAGS)' to `$(REALMODE_CFLAGS)',
+which is inherited by real-mode make rules, fixes cross-compilation
+with Clang for x86 targets.
+
+Relevant flags:
+
+* `--target' sets the target architecture when cross-compiling. This
+  flag must be set for both compilation and assembly (`KBUILD_AFLAGS')
+  to support architecture-specific assembler directives.
+
+* `-no-integrated-as' tells clang to assemble with GNU Assembler
+  instead of its built-in LLVM assembler. This flag is set by default
+  unless `LLVM_IAS=1' is set, because the LLVM assembler can't yet
+  parse certain GNU extensions.
+
+Signed-off-by: John Millikin <john@john-millikin.com>
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Acked-by: Ard Biesheuvel <ardb@kernel.org>
+Tested-by: Sedat Dilek <sedat.dilek@gmail.com>
+Link: https://lkml.kernel.org/r/20210326000435.4785-2-nathan@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/Makefile b/arch/x86/Makefile
+index 2b3adb3008c3..c0045e3ad0f5 100644
+--- a/arch/x86/Makefile
++++ b/arch/x86/Makefile
+@@ -40,6 +40,7 @@ REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), -ffreestanding
+ REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), -fno-stack-protector)
+ REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), -Wno-address-of-packed-member)
+ REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), $(cc_stack_align4))
++REALMODE_CFLAGS += $(CLANG_FLAGS)
+ export REALMODE_CFLAGS
+ # BITS is used as extension for files which are available in a 32 bit
+-- 
+2.30.2
+