From: Greg Kroah-Hartman Date: Sun, 9 Feb 2020 21:03:38 +0000 (+0100) Subject: 5.5-stable patches X-Git-Tag: v4.19.103~35 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=01d7a2f0af5236f32ccc01567970b2b31e376cdc;p=thirdparty%2Fkernel%2Fstable-queue.git 5.5-stable patches added patches: asoc-intel-skl_hda_dsp_common-fix-global-out-of-bounds-bug.patch asoc-sgtl5000-fix-vdda-and-vddio-comparison.patch bpf-fix-trampoline-usage-in-preempt.patch libbpf-extract-and-generalize-cpu-mask-parsing-logic.patch mfd-ab8500-fix-ab8500-clk-typo.patch mfd-bd70528-fix-hour-register-mask.patch mfd-da9062-fix-watchdog-compatible-string.patch mfd-rn5t618-mark-adc-control-register-volatile.patch ubi-fastmap-fix-inverted-logic-in-seen-selfcheck.patch ubi-fix-an-error-pointer-dereference-in-error-handling-code.patch ubifs-fix-memory-leak-from-c-sup_node.patch virtio-balloon-fix-memory-leak-when-unloading-while-hinting-is-in-progress.patch virtio_balloon-fix-memory-leaks-on-errors-in-virtballoon_probe.patch --- diff --git a/queue-5.5/asoc-intel-skl_hda_dsp_common-fix-global-out-of-bounds-bug.patch b/queue-5.5/asoc-intel-skl_hda_dsp_common-fix-global-out-of-bounds-bug.patch new file mode 100644 index 00000000000..6d3c5b34096 --- /dev/null +++ b/queue-5.5/asoc-intel-skl_hda_dsp_common-fix-global-out-of-bounds-bug.patch @@ -0,0 +1,136 @@ +From 15adb20f64c302b31e10ad50f22bb224052ce1df Mon Sep 17 00:00:00 2001 +From: Cezary Rojewski +Date: Wed, 22 Jan 2020 19:12:54 +0100 +Subject: ASoC: Intel: skl_hda_dsp_common: Fix global-out-of-bounds bug + +From: Cezary Rojewski + +commit 15adb20f64c302b31e10ad50f22bb224052ce1df upstream. + +Definitions for idisp snd_soc_dai_links within skl_hda_dsp_common are +missing platform component. Add it to address following bug reported by +KASAN: + +[ 10.538502] BUG: KASAN: global-out-of-bounds in skl_hda_audio_probe+0x13a/0x2b0 [snd_soc_skl_hda_dsp] +[ 10.538509] Write of size 8 at addr ffffffffc0606840 by task systemd-udevd/299 +(...) +[ 10.538519] Call Trace: +[ 10.538524] dump_stack+0x62/0x95 +[ 10.538528] print_address_description+0x2f5/0x3b0 +[ 10.538532] ? skl_hda_audio_probe+0x13a/0x2b0 [snd_soc_skl_hda_dsp] +[ 10.538535] __kasan_report+0x134/0x191 +[ 10.538538] ? skl_hda_audio_probe+0x13a/0x2b0 [snd_soc_skl_hda_dsp] +[ 10.538542] ? skl_hda_audio_probe+0x13a/0x2b0 [snd_soc_skl_hda_dsp] +[ 10.538544] kasan_report+0x12/0x20 +[ 10.538546] __asan_store8+0x57/0x90 +[ 10.538550] skl_hda_audio_probe+0x13a/0x2b0 [snd_soc_skl_hda_dsp] +[ 10.538553] platform_drv_probe+0x51/0xb0 +[ 10.538556] really_probe+0x311/0x600 +[ 10.538559] driver_probe_device+0x87/0x1b0 +[ 10.538562] device_driver_attach+0x8f/0xa0 +[ 10.538565] ? device_driver_attach+0xa0/0xa0 +[ 10.538567] __driver_attach+0x102/0x1a0 +[ 10.538569] ? device_driver_attach+0xa0/0xa0 +[ 10.538572] bus_for_each_dev+0xe8/0x160 +[ 10.538574] ? subsys_dev_iter_exit+0x10/0x10 +[ 10.538577] ? preempt_count_sub+0x18/0xc0 +[ 10.538580] ? _raw_write_unlock+0x1f/0x40 +[ 10.538582] driver_attach+0x2b/0x30 +[ 10.538585] bus_add_driver+0x251/0x340 +[ 10.538588] driver_register+0xd3/0x1c0 +[ 10.538590] __platform_driver_register+0x6c/0x80 +[ 10.538592] ? 0xffffffffc03e8000 +[ 10.538595] skl_hda_audio_init+0x1c/0x1000 [snd_soc_skl_hda_dsp] +[ 10.538598] do_one_initcall+0xd0/0x36a +[ 10.538600] ? trace_event_raw_event_initcall_finish+0x160/0x160 +[ 10.538602] ? kasan_unpoison_shadow+0x36/0x50 +[ 10.538605] ? __kasan_kmalloc+0xcc/0xe0 +[ 10.538607] ? kasan_unpoison_shadow+0x36/0x50 +[ 10.538609] ? kasan_poison_shadow+0x2f/0x40 +[ 10.538612] ? __asan_register_globals+0x65/0x80 +[ 10.538615] do_init_module+0xf9/0x36f +[ 10.538619] load_module+0x398e/0x4590 +[ 10.538625] ? module_frob_arch_sections+0x20/0x20 +[ 10.538628] ? __kasan_check_write+0x14/0x20 +[ 10.538630] ? kernel_read+0x9a/0xc0 +[ 10.538632] ? __kasan_check_write+0x14/0x20 +[ 10.538634] ? kernel_read_file+0x1d3/0x3c0 +[ 10.538638] ? cap_capable+0xca/0x110 +[ 10.538642] __do_sys_finit_module+0x190/0x1d0 +[ 10.538644] ? __do_sys_finit_module+0x190/0x1d0 +[ 10.538646] ? __x64_sys_init_module+0x50/0x50 +[ 10.538649] ? expand_files+0x380/0x380 +[ 10.538652] ? __kasan_check_write+0x14/0x20 +[ 10.538654] ? fput_many+0x20/0xc0 +[ 10.538658] __x64_sys_finit_module+0x43/0x50 +[ 10.538660] do_syscall_64+0xce/0x700 +[ 10.538662] ? syscall_return_slowpath+0x230/0x230 +[ 10.538665] ? __do_page_fault+0x51e/0x640 +[ 10.538668] ? __kasan_check_read+0x11/0x20 +[ 10.538670] ? prepare_exit_to_usermode+0xc7/0x200 +[ 10.538673] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: a78959f407e6 ("ASoC: Intel: skl_hda_dsp_common: use modern dai_link style") +Signed-off-by: Cezary Rojewski +Reviewed-by: Kai Vehmanen +Link: https://lore.kernel.org/r/20200122181254.22801-1-cezary.rojewski@intel.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/intel/boards/skl_hda_dsp_common.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +--- a/sound/soc/intel/boards/skl_hda_dsp_common.c ++++ b/sound/soc/intel/boards/skl_hda_dsp_common.c +@@ -41,16 +41,19 @@ int skl_hda_hdmi_add_pcm(struct snd_soc_ + return 0; + } + +-SND_SOC_DAILINK_DEFS(idisp1, +- DAILINK_COMP_ARRAY(COMP_CPU("iDisp1 Pin")), ++SND_SOC_DAILINK_DEF(idisp1_cpu, ++ DAILINK_COMP_ARRAY(COMP_CPU("iDisp1 Pin"))); ++SND_SOC_DAILINK_DEF(idisp1_codec, + DAILINK_COMP_ARRAY(COMP_CODEC("ehdaudio0D2", "intel-hdmi-hifi1"))); + +-SND_SOC_DAILINK_DEFS(idisp2, +- DAILINK_COMP_ARRAY(COMP_CPU("iDisp2 Pin")), ++SND_SOC_DAILINK_DEF(idisp2_cpu, ++ DAILINK_COMP_ARRAY(COMP_CPU("iDisp2 Pin"))); ++SND_SOC_DAILINK_DEF(idisp2_codec, + DAILINK_COMP_ARRAY(COMP_CODEC("ehdaudio0D2", "intel-hdmi-hifi2"))); + +-SND_SOC_DAILINK_DEFS(idisp3, +- DAILINK_COMP_ARRAY(COMP_CPU("iDisp3 Pin")), ++SND_SOC_DAILINK_DEF(idisp3_cpu, ++ DAILINK_COMP_ARRAY(COMP_CPU("iDisp3 Pin"))); ++SND_SOC_DAILINK_DEF(idisp3_codec, + DAILINK_COMP_ARRAY(COMP_CODEC("ehdaudio0D2", "intel-hdmi-hifi3"))); + + SND_SOC_DAILINK_DEF(analog_cpu, +@@ -83,21 +86,21 @@ struct snd_soc_dai_link skl_hda_be_dai_l + .id = 1, + .dpcm_playback = 1, + .no_pcm = 1, +- SND_SOC_DAILINK_REG(idisp1), ++ SND_SOC_DAILINK_REG(idisp1_cpu, idisp1_codec, platform), + }, + { + .name = "iDisp2", + .id = 2, + .dpcm_playback = 1, + .no_pcm = 1, +- SND_SOC_DAILINK_REG(idisp2), ++ SND_SOC_DAILINK_REG(idisp2_cpu, idisp2_codec, platform), + }, + { + .name = "iDisp3", + .id = 3, + .dpcm_playback = 1, + .no_pcm = 1, +- SND_SOC_DAILINK_REG(idisp3), ++ SND_SOC_DAILINK_REG(idisp3_cpu, idisp3_codec, platform), + }, + { + .name = "Analog Playback and Capture", diff --git a/queue-5.5/asoc-sgtl5000-fix-vdda-and-vddio-comparison.patch b/queue-5.5/asoc-sgtl5000-fix-vdda-and-vddio-comparison.patch new file mode 100644 index 00000000000..69e8c6636cc --- /dev/null +++ b/queue-5.5/asoc-sgtl5000-fix-vdda-and-vddio-comparison.patch @@ -0,0 +1,43 @@ +From e19ecbf105b236a6334fab64d8fd5437b12ee019 Mon Sep 17 00:00:00 2001 +From: Marek Vasut +Date: Fri, 20 Dec 2019 17:44:50 +0100 +Subject: ASoC: sgtl5000: Fix VDDA and VDDIO comparison + +From: Marek Vasut + +commit e19ecbf105b236a6334fab64d8fd5437b12ee019 upstream. + +Comparing the voltage of VDDA and VDDIO to determine whether or not to +enable VDDC manual override is insufficient. This is a problem in case +the VDDA is supplied from different regulator than VDDIO, while both +report the same voltage to the regulator framework. In that case where +VDDA and VDDIO is supplied by different regulators, the VDDC manual +override must not be applied. + +Fixes: b6319b061ba2 ("ASoC: sgtl5000: Fix charge pump source assignment") +Signed-off-by: Marek Vasut +Cc: Fabio Estevam +Cc: Igor Opaniuk +Cc: Marcel Ziswiler +Cc: Mark Brown +Cc: Oleksandr Suvorov +Link: https://lore.kernel.org/r/20191220164450.1395038-2-marex@denx.de +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/codecs/sgtl5000.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/sound/soc/codecs/sgtl5000.c ++++ b/sound/soc/codecs/sgtl5000.c +@@ -1344,7 +1344,8 @@ static int sgtl5000_set_power_regs(struc + * if vddio == vdda the source of charge pump should be + * assigned manually to VDDIO + */ +- if (vddio == vdda) { ++ if (regulator_is_equal(sgtl5000->supplies[VDDA].consumer, ++ sgtl5000->supplies[VDDIO].consumer)) { + lreg_ctrl |= SGTL5000_VDDC_ASSN_OVRD; + lreg_ctrl |= SGTL5000_VDDC_MAN_ASSN_VDDIO << + SGTL5000_VDDC_MAN_ASSN_SHIFT; diff --git a/queue-5.5/bpf-fix-trampoline-usage-in-preempt.patch b/queue-5.5/bpf-fix-trampoline-usage-in-preempt.patch new file mode 100644 index 00000000000..6d761d42a97 --- /dev/null +++ b/queue-5.5/bpf-fix-trampoline-usage-in-preempt.patch @@ -0,0 +1,53 @@ +From 05d57f1793fb250c85028c9952c3720010baa853 Mon Sep 17 00:00:00 2001 +From: Alexei Starovoitov +Date: Mon, 20 Jan 2020 19:22:31 -0800 +Subject: bpf: Fix trampoline usage in preempt + +From: Alexei Starovoitov + +commit 05d57f1793fb250c85028c9952c3720010baa853 upstream. + +Though the second half of trampoline page is unused a task could be +preempted in the middle of the first half of trampoline and two +updates to trampoline would change the code from underneath the +preempted task. Hence wait for tasks to voluntarily schedule or go +to userspace. Add similar wait before freeing the trampoline. + +Fixes: fec56f5890d9 ("bpf: Introduce BPF trampoline") +Reported-by: Jann Horn +Signed-off-by: Alexei Starovoitov +Signed-off-by: Daniel Borkmann +Acked-by: Paul E. McKenney +Link: https://lore.kernel.org/bpf/20200121032231.3292185-1-ast@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/bpf/trampoline.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/kernel/bpf/trampoline.c ++++ b/kernel/bpf/trampoline.c +@@ -150,6 +150,14 @@ static int bpf_trampoline_update(struct + if (fexit_cnt) + flags = BPF_TRAMP_F_CALL_ORIG | BPF_TRAMP_F_SKIP_FRAME; + ++ /* Though the second half of trampoline page is unused a task could be ++ * preempted in the middle of the first half of trampoline and two ++ * updates to trampoline would change the code from underneath the ++ * preempted task. Hence wait for tasks to voluntarily schedule or go ++ * to userspace. ++ */ ++ synchronize_rcu_tasks(); ++ + err = arch_prepare_bpf_trampoline(new_image, &tr->func.model, flags, + fentry, fentry_cnt, + fexit, fexit_cnt, +@@ -240,6 +248,8 @@ void bpf_trampoline_put(struct bpf_tramp + goto out; + if (WARN_ON_ONCE(!hlist_empty(&tr->progs_hlist[BPF_TRAMP_FEXIT]))) + goto out; ++ /* wait for tasks to get out of trampoline before freeing it */ ++ synchronize_rcu_tasks(); + bpf_jit_free_exec(tr->image); + hlist_del(&tr->hlist); + kfree(tr); diff --git a/queue-5.5/libbpf-extract-and-generalize-cpu-mask-parsing-logic.patch b/queue-5.5/libbpf-extract-and-generalize-cpu-mask-parsing-logic.patch new file mode 100644 index 00000000000..2bde84ab99e --- /dev/null +++ b/queue-5.5/libbpf-extract-and-generalize-cpu-mask-parsing-logic.patch @@ -0,0 +1,184 @@ +From 6803ee25f0ead1e836808acb14396bb9a9849113 Mon Sep 17 00:00:00 2001 +From: Andrii Nakryiko +Date: Wed, 11 Dec 2019 17:35:48 -0800 +Subject: libbpf: Extract and generalize CPU mask parsing logic + +From: Andrii Nakryiko + +commit 6803ee25f0ead1e836808acb14396bb9a9849113 upstream. + +This logic is re-used for parsing a set of online CPUs. Having it as an +isolated piece of code working with input string makes it conveninent to test +this logic as well. While refactoring, also improve the robustness of original +implementation. + +Signed-off-by: Andrii Nakryiko +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/20191212013548.1690564-1-andriin@fb.com +Signed-off-by: Greg Kroah-Hartman + +--- + tools/lib/bpf/libbpf.c | 127 ++++++++++++++++++++++++++-------------- + tools/lib/bpf/libbpf_internal.h | 2 + 2 files changed, 87 insertions(+), 42 deletions(-) + +--- a/tools/lib/bpf/libbpf.c ++++ b/tools/lib/bpf/libbpf.c +@@ -6542,61 +6542,104 @@ void bpf_program__bpil_offs_to_addr(stru + } + } + +-int libbpf_num_possible_cpus(void) ++int parse_cpu_mask_str(const char *s, bool **mask, int *mask_sz) + { +- static const char *fcpu = "/sys/devices/system/cpu/possible"; +- int len = 0, n = 0, il = 0, ir = 0; +- unsigned int start = 0, end = 0; +- int tmp_cpus = 0; +- static int cpus; +- char buf[128]; +- int error = 0; +- int fd = -1; ++ int err = 0, n, len, start, end = -1; ++ bool *tmp; + +- tmp_cpus = READ_ONCE(cpus); +- if (tmp_cpus > 0) +- return tmp_cpus; ++ *mask = NULL; ++ *mask_sz = 0; ++ ++ /* Each sub string separated by ',' has format \d+-\d+ or \d+ */ ++ while (*s) { ++ if (*s == ',' || *s == '\n') { ++ s++; ++ continue; ++ } ++ n = sscanf(s, "%d%n-%d%n", &start, &len, &end, &len); ++ if (n <= 0 || n > 2) { ++ pr_warn("Failed to get CPU range %s: %d\n", s, n); ++ err = -EINVAL; ++ goto cleanup; ++ } else if (n == 1) { ++ end = start; ++ } ++ if (start < 0 || start > end) { ++ pr_warn("Invalid CPU range [%d,%d] in %s\n", ++ start, end, s); ++ err = -EINVAL; ++ goto cleanup; ++ } ++ tmp = realloc(*mask, end + 1); ++ if (!tmp) { ++ err = -ENOMEM; ++ goto cleanup; ++ } ++ *mask = tmp; ++ memset(tmp + *mask_sz, 0, start - *mask_sz); ++ memset(tmp + start, 1, end - start + 1); ++ *mask_sz = end + 1; ++ s += len; ++ } ++ if (!*mask_sz) { ++ pr_warn("Empty CPU range\n"); ++ return -EINVAL; ++ } ++ return 0; ++cleanup: ++ free(*mask); ++ *mask = NULL; ++ return err; ++} ++ ++int parse_cpu_mask_file(const char *fcpu, bool **mask, int *mask_sz) ++{ ++ int fd, err = 0, len; ++ char buf[128]; + + fd = open(fcpu, O_RDONLY); + if (fd < 0) { +- error = errno; +- pr_warn("Failed to open file %s: %s\n", fcpu, strerror(error)); +- return -error; ++ err = -errno; ++ pr_warn("Failed to open cpu mask file %s: %d\n", fcpu, err); ++ return err; + } + len = read(fd, buf, sizeof(buf)); + close(fd); + if (len <= 0) { +- error = len ? errno : EINVAL; +- pr_warn("Failed to read # of possible cpus from %s: %s\n", +- fcpu, strerror(error)); +- return -error; +- } +- if (len == sizeof(buf)) { +- pr_warn("File %s size overflow\n", fcpu); +- return -EOVERFLOW; ++ err = len ? -errno : -EINVAL; ++ pr_warn("Failed to read cpu mask from %s: %d\n", fcpu, err); ++ return err; ++ } ++ if (len >= sizeof(buf)) { ++ pr_warn("CPU mask is too big in file %s\n", fcpu); ++ return -E2BIG; + } + buf[len] = '\0'; + +- for (ir = 0, tmp_cpus = 0; ir <= len; ir++) { +- /* Each sub string separated by ',' has format \d+-\d+ or \d+ */ +- if (buf[ir] == ',' || buf[ir] == '\0') { +- buf[ir] = '\0'; +- n = sscanf(&buf[il], "%u-%u", &start, &end); +- if (n <= 0) { +- pr_warn("Failed to get # CPUs from %s\n", +- &buf[il]); +- return -EINVAL; +- } else if (n == 1) { +- end = start; +- } +- tmp_cpus += end - start + 1; +- il = ir + 1; +- } +- } +- if (tmp_cpus <= 0) { +- pr_warn("Invalid #CPUs %d from %s\n", tmp_cpus, fcpu); +- return -EINVAL; ++ return parse_cpu_mask_str(buf, mask, mask_sz); ++} ++ ++int libbpf_num_possible_cpus(void) ++{ ++ static const char *fcpu = "/sys/devices/system/cpu/possible"; ++ static int cpus; ++ int err, n, i, tmp_cpus; ++ bool *mask; ++ ++ tmp_cpus = READ_ONCE(cpus); ++ if (tmp_cpus > 0) ++ return tmp_cpus; ++ ++ err = parse_cpu_mask_file(fcpu, &mask, &n); ++ if (err) ++ return err; ++ ++ tmp_cpus = 0; ++ for (i = 0; i < n; i++) { ++ if (mask[i]) ++ tmp_cpus++; + } ++ free(mask); + + WRITE_ONCE(cpus, tmp_cpus); + return tmp_cpus; +--- a/tools/lib/bpf/libbpf_internal.h ++++ b/tools/lib/bpf/libbpf_internal.h +@@ -95,6 +95,8 @@ static inline bool libbpf_validate_opts( + #define OPTS_GET(opts, field, fallback_value) \ + (OPTS_HAS(opts, field) ? (opts)->field : fallback_value) + ++int parse_cpu_mask_str(const char *s, bool **mask, int *mask_sz); ++int parse_cpu_mask_file(const char *fcpu, bool **mask, int *mask_sz); + int libbpf__load_raw_btf(const char *raw_types, size_t types_len, + const char *str_sec, size_t str_len); + diff --git a/queue-5.5/mfd-ab8500-fix-ab8500-clk-typo.patch b/queue-5.5/mfd-ab8500-fix-ab8500-clk-typo.patch new file mode 100644 index 00000000000..4d349603e1f --- /dev/null +++ b/queue-5.5/mfd-ab8500-fix-ab8500-clk-typo.patch @@ -0,0 +1,37 @@ +From 702204c22c53f94b2e25a3bdcda759cce7b26305 Mon Sep 17 00:00:00 2001 +From: Linus Walleij +Date: Wed, 11 Dec 2019 12:46:39 +0100 +Subject: mfd: ab8500: Fix ab8500-clk typo + +From: Linus Walleij + +commit 702204c22c53f94b2e25a3bdcda759cce7b26305 upstream. + +Commit f4d41ad84433 ("mfd: ab8500: Example using new OF_MFD_CELL MACRO") +has a typo error renaming "ab8500-clk" to "abx500-clk" +with the result att ALSA SoC audio broke as the clock +driver was not probing anymore. Fixed it up. + +Fixes: f4d41ad84433 ("mfd: ab8500: Example using new OF_MFD_CELL MACRO") +Signed-off-by: Linus Walleij +Reviewed-by: Stephan Gerhold +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mfd/ab8500-core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/mfd/ab8500-core.c ++++ b/drivers/mfd/ab8500-core.c +@@ -631,8 +631,8 @@ static const struct mfd_cell ab8500_devs + NULL, NULL, 0, 0, "stericsson,ab8500-ext-regulator"), + OF_MFD_CELL("ab8500-regulator", + NULL, NULL, 0, 0, "stericsson,ab8500-regulator"), +- OF_MFD_CELL("abx500-clk", +- NULL, NULL, 0, 0, "stericsson,abx500-clk"), ++ OF_MFD_CELL("ab8500-clk", ++ NULL, NULL, 0, 0, "stericsson,ab8500-clk"), + OF_MFD_CELL("ab8500-gpadc", + NULL, NULL, 0, 0, "stericsson,ab8500-gpadc"), + OF_MFD_CELL("ab8500-rtc", diff --git a/queue-5.5/mfd-bd70528-fix-hour-register-mask.patch b/queue-5.5/mfd-bd70528-fix-hour-register-mask.patch new file mode 100644 index 00000000000..7f75ff3e63e --- /dev/null +++ b/queue-5.5/mfd-bd70528-fix-hour-register-mask.patch @@ -0,0 +1,35 @@ +From 6c883472e1c11cb05561b6dd0c28bb037c2bf2de Mon Sep 17 00:00:00 2001 +From: Matti Vaittinen +Date: Mon, 20 Jan 2020 15:45:11 +0200 +Subject: mfd: bd70528: Fix hour register mask + +From: Matti Vaittinen + +commit 6c883472e1c11cb05561b6dd0c28bb037c2bf2de upstream. + +When RTC is used in 24H mode (and it is by this driver) the maximum +hour value is 24 in BCD. This occupies bits [5:0] - which means +correct mask for HOUR register is 0x3f not 0x1f. Fix the mask + +Fixes: 32a4a4ebf768 ("rtc: bd70528: Initial support for ROHM bd70528 RTC") + +Signed-off-by: Matti Vaittinen +Acked-by: Alexandre Belloni +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/mfd/rohm-bd70528.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/mfd/rohm-bd70528.h ++++ b/include/linux/mfd/rohm-bd70528.h +@@ -317,7 +317,7 @@ enum { + #define BD70528_MASK_RTC_MINUTE 0x7f + #define BD70528_MASK_RTC_HOUR_24H 0x80 + #define BD70528_MASK_RTC_HOUR_PM 0x20 +-#define BD70528_MASK_RTC_HOUR 0x1f ++#define BD70528_MASK_RTC_HOUR 0x3f + #define BD70528_MASK_RTC_DAY 0x3f + #define BD70528_MASK_RTC_WEEK 0x07 + #define BD70528_MASK_RTC_MONTH 0x1f diff --git a/queue-5.5/mfd-da9062-fix-watchdog-compatible-string.patch b/queue-5.5/mfd-da9062-fix-watchdog-compatible-string.patch new file mode 100644 index 00000000000..58dab93920b --- /dev/null +++ b/queue-5.5/mfd-da9062-fix-watchdog-compatible-string.patch @@ -0,0 +1,35 @@ +From 1112ba02ff1190ca9c15a912f9269e54b46d2d82 Mon Sep 17 00:00:00 2001 +From: Marco Felsch +Date: Wed, 8 Jan 2020 10:57:02 +0100 +Subject: mfd: da9062: Fix watchdog compatible string + +From: Marco Felsch + +commit 1112ba02ff1190ca9c15a912f9269e54b46d2d82 upstream. + +The watchdog driver compatible is "dlg,da9062-watchdog" and not +"dlg,da9062-wdt". Therefore the mfd-core can't populate the of_node and +fwnode. As result the watchdog driver can't parse the devicetree. + +Fixes: 9b40b030c4ad ("mfd: da9062: Supply core driver") +Signed-off-by: Marco Felsch +Acked-by: Guenter Roeck +Reviewed-by: Adam Thomson +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mfd/da9062-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mfd/da9062-core.c ++++ b/drivers/mfd/da9062-core.c +@@ -248,7 +248,7 @@ static const struct mfd_cell da9062_devs + .name = "da9062-watchdog", + .num_resources = ARRAY_SIZE(da9062_wdt_resources), + .resources = da9062_wdt_resources, +- .of_compatible = "dlg,da9062-wdt", ++ .of_compatible = "dlg,da9062-watchdog", + }, + { + .name = "da9062-thermal", diff --git a/queue-5.5/mfd-rn5t618-mark-adc-control-register-volatile.patch b/queue-5.5/mfd-rn5t618-mark-adc-control-register-volatile.patch new file mode 100644 index 00000000000..feada6ef12d --- /dev/null +++ b/queue-5.5/mfd-rn5t618-mark-adc-control-register-volatile.patch @@ -0,0 +1,30 @@ +From 2f3dc25c0118de03a00ddc88b61f7216854f534d Mon Sep 17 00:00:00 2001 +From: Andreas Kemnade +Date: Fri, 17 Jan 2020 22:59:22 +0100 +Subject: mfd: rn5t618: Mark ADC control register volatile + +From: Andreas Kemnade + +commit 2f3dc25c0118de03a00ddc88b61f7216854f534d upstream. + +There is a bit which gets cleared after conversion. + +Fixes: 9bb9e29c78f8 ("mfd: Add Ricoh RN5T618 PMIC core driver") +Signed-off-by: Andreas Kemnade +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mfd/rn5t618.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/mfd/rn5t618.c ++++ b/drivers/mfd/rn5t618.c +@@ -26,6 +26,7 @@ static bool rn5t618_volatile_reg(struct + case RN5T618_WATCHDOGCNT: + case RN5T618_DCIRQ: + case RN5T618_ILIMDATAH ... RN5T618_AIN0DATAL: ++ case RN5T618_ADCCNT3: + case RN5T618_IR_ADC1 ... RN5T618_IR_ADC3: + case RN5T618_IR_GPR: + case RN5T618_IR_GPF: diff --git a/queue-5.5/series b/queue-5.5/series index fdd289ceeae..7afc82be5a9 100644 --- a/queue-5.5/series +++ b/queue-5.5/series @@ -298,3 +298,16 @@ staging-wfx-revert-unexpected-change-in-debugfs-output.patch nfsd-fix-delay-timer-on-32-bit-architectures.patch nfsd-fix-jiffies-time_t-mixup-in-lru-list.patch nfsd-return-the-correct-number-of-bytes-written-to-the-file.patch +virtio-balloon-fix-memory-leak-when-unloading-while-hinting-is-in-progress.patch +virtio_balloon-fix-memory-leaks-on-errors-in-virtballoon_probe.patch +ubi-fastmap-fix-inverted-logic-in-seen-selfcheck.patch +ubi-fix-an-error-pointer-dereference-in-error-handling-code.patch +ubifs-fix-memory-leak-from-c-sup_node.patch +asoc-sgtl5000-fix-vdda-and-vddio-comparison.patch +asoc-intel-skl_hda_dsp_common-fix-global-out-of-bounds-bug.patch +mfd-da9062-fix-watchdog-compatible-string.patch +mfd-rn5t618-mark-adc-control-register-volatile.patch +mfd-bd70528-fix-hour-register-mask.patch +mfd-ab8500-fix-ab8500-clk-typo.patch +bpf-fix-trampoline-usage-in-preempt.patch +libbpf-extract-and-generalize-cpu-mask-parsing-logic.patch diff --git a/queue-5.5/ubi-fastmap-fix-inverted-logic-in-seen-selfcheck.patch b/queue-5.5/ubi-fastmap-fix-inverted-logic-in-seen-selfcheck.patch new file mode 100644 index 00000000000..6228462ed5b --- /dev/null +++ b/queue-5.5/ubi-fastmap-fix-inverted-logic-in-seen-selfcheck.patch @@ -0,0 +1,34 @@ +From ef5aafb6e4e9942a28cd300bdcda21ce6cbaf045 Mon Sep 17 00:00:00 2001 +From: Sascha Hauer +Date: Wed, 23 Oct 2019 11:58:12 +0200 +Subject: ubi: fastmap: Fix inverted logic in seen selfcheck + +From: Sascha Hauer + +commit ef5aafb6e4e9942a28cd300bdcda21ce6cbaf045 upstream. + +set_seen() sets the bit corresponding to the PEB number in the bitmap, +so when self_check_seen() wants to find PEBs that haven't been seen we +have to print the PEBs that have their bit cleared, not the ones which +have it set. + +Fixes: 5d71afb00840 ("ubi: Use bitmaps in Fastmap self-check code") +Signed-off-by: Sascha Hauer +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/ubi/fastmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mtd/ubi/fastmap.c ++++ b/drivers/mtd/ubi/fastmap.c +@@ -64,7 +64,7 @@ static int self_check_seen(struct ubi_de + return 0; + + for (pnum = 0; pnum < ubi->peb_count; pnum++) { +- if (test_bit(pnum, seen) && ubi->lookuptbl[pnum]) { ++ if (!test_bit(pnum, seen) && ubi->lookuptbl[pnum]) { + ubi_err(ubi, "self-check failed for PEB %d, fastmap didn't see it", pnum); + ret = -EINVAL; + } diff --git a/queue-5.5/ubi-fix-an-error-pointer-dereference-in-error-handling-code.patch b/queue-5.5/ubi-fix-an-error-pointer-dereference-in-error-handling-code.patch new file mode 100644 index 00000000000..ebdde2c2747 --- /dev/null +++ b/queue-5.5/ubi-fix-an-error-pointer-dereference-in-error-handling-code.patch @@ -0,0 +1,97 @@ +From 5d3805af279c93ef49a64701f35254676d709622 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Mon, 13 Jan 2020 16:23:46 +0300 +Subject: ubi: Fix an error pointer dereference in error handling code + +From: Dan Carpenter + +commit 5d3805af279c93ef49a64701f35254676d709622 upstream. + +If "seen_pebs = init_seen(ubi);" fails then "seen_pebs" is an error pointer +and we try to kfree() it which results in an Oops. + +This patch re-arranges the error handling so now it only frees things +which have been allocated successfully. + +Fixes: daef3dd1f0ae ("UBI: Fastmap: Add self check to detect absent PEBs") +Signed-off-by: Dan Carpenter +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/ubi/fastmap.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +--- a/drivers/mtd/ubi/fastmap.c ++++ b/drivers/mtd/ubi/fastmap.c +@@ -1137,7 +1137,7 @@ static int ubi_write_fastmap(struct ubi_ + struct rb_node *tmp_rb; + int ret, i, j, free_peb_count, used_peb_count, vol_count; + int scrub_peb_count, erase_peb_count; +- unsigned long *seen_pebs = NULL; ++ unsigned long *seen_pebs; + + fm_raw = ubi->fm_buf; + memset(ubi->fm_buf, 0, ubi->fm_size); +@@ -1151,7 +1151,7 @@ static int ubi_write_fastmap(struct ubi_ + dvbuf = new_fm_vbuf(ubi, UBI_FM_DATA_VOLUME_ID); + if (!dvbuf) { + ret = -ENOMEM; +- goto out_kfree; ++ goto out_free_avbuf; + } + + avhdr = ubi_get_vid_hdr(avbuf); +@@ -1160,7 +1160,7 @@ static int ubi_write_fastmap(struct ubi_ + seen_pebs = init_seen(ubi); + if (IS_ERR(seen_pebs)) { + ret = PTR_ERR(seen_pebs); +- goto out_kfree; ++ goto out_free_dvbuf; + } + + spin_lock(&ubi->volumes_lock); +@@ -1328,7 +1328,7 @@ static int ubi_write_fastmap(struct ubi_ + ret = ubi_io_write_vid_hdr(ubi, new_fm->e[0]->pnum, avbuf); + if (ret) { + ubi_err(ubi, "unable to write vid_hdr to fastmap SB!"); +- goto out_kfree; ++ goto out_free_seen; + } + + for (i = 0; i < new_fm->used_blocks; i++) { +@@ -1350,7 +1350,7 @@ static int ubi_write_fastmap(struct ubi_ + if (ret) { + ubi_err(ubi, "unable to write vid_hdr to PEB %i!", + new_fm->e[i]->pnum); +- goto out_kfree; ++ goto out_free_seen; + } + } + +@@ -1360,7 +1360,7 @@ static int ubi_write_fastmap(struct ubi_ + if (ret) { + ubi_err(ubi, "unable to write fastmap to PEB %i!", + new_fm->e[i]->pnum); +- goto out_kfree; ++ goto out_free_seen; + } + } + +@@ -1370,10 +1370,13 @@ static int ubi_write_fastmap(struct ubi_ + ret = self_check_seen(ubi, seen_pebs); + dbg_bld("fastmap written!"); + +-out_kfree: +- ubi_free_vid_buf(avbuf); +- ubi_free_vid_buf(dvbuf); ++out_free_seen: + free_seen(seen_pebs); ++out_free_dvbuf: ++ ubi_free_vid_buf(dvbuf); ++out_free_avbuf: ++ ubi_free_vid_buf(avbuf); ++ + out: + return ret; + } diff --git a/queue-5.5/ubifs-fix-memory-leak-from-c-sup_node.patch b/queue-5.5/ubifs-fix-memory-leak-from-c-sup_node.patch new file mode 100644 index 00000000000..6a5a91a638a --- /dev/null +++ b/queue-5.5/ubifs-fix-memory-leak-from-c-sup_node.patch @@ -0,0 +1,56 @@ +From ff90bdfb206e49c8b418811efbdd0c77380fa8c2 Mon Sep 17 00:00:00 2001 +From: Quanyang Wang +Date: Tue, 14 Jan 2020 13:43:11 +0800 +Subject: ubifs: Fix memory leak from c->sup_node + +From: Quanyang Wang + +commit ff90bdfb206e49c8b418811efbdd0c77380fa8c2 upstream. + +The c->sup_node is allocated in function ubifs_read_sb_node but +is not freed. This will cause memory leak as below: + +unreferenced object 0xbc9ce000 (size 4096): + comm "mount", pid 500, jiffies 4294952946 (age 315.820s) + hex dump (first 32 bytes): + 31 18 10 06 06 7b f1 11 02 00 00 00 00 00 00 00 1....{.......... + 00 10 00 00 06 00 00 00 00 00 00 00 08 00 00 00 ................ + backtrace: + [] ubifs_read_superblock+0x48/0xebc + [] ubifs_mount+0x974/0x1420 + [<8589ecc3>] legacy_get_tree+0x2c/0x50 + [<5f1fb889>] vfs_get_tree+0x28/0xfc + [] do_mount+0x4f8/0x748 + [<4151f538>] ksys_mount+0x78/0xa0 + [] ret_fast_syscall+0x0/0x54 + [<1cc40005>] 0x7ea02790 + +Free it in ubifs_umount and in the error path of mount_ubifs. + +Fixes: fd6150051bec ("ubifs: Store read superblock node") +Signed-off-by: Quanyang Wang +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ubifs/super.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/ubifs/super.c ++++ b/fs/ubifs/super.c +@@ -1599,6 +1599,7 @@ out_free: + vfree(c->ileb_buf); + vfree(c->sbuf); + kfree(c->bottom_up_buf); ++ kfree(c->sup_node); + ubifs_debugging_exit(c); + return err; + } +@@ -1641,6 +1642,7 @@ static void ubifs_umount(struct ubifs_in + vfree(c->ileb_buf); + vfree(c->sbuf); + kfree(c->bottom_up_buf); ++ kfree(c->sup_node); + ubifs_debugging_exit(c); + } + diff --git a/queue-5.5/virtio-balloon-fix-memory-leak-when-unloading-while-hinting-is-in-progress.patch b/queue-5.5/virtio-balloon-fix-memory-leak-when-unloading-while-hinting-is-in-progress.patch new file mode 100644 index 00000000000..301202c7944 --- /dev/null +++ b/queue-5.5/virtio-balloon-fix-memory-leak-when-unloading-while-hinting-is-in-progress.patch @@ -0,0 +1,39 @@ +From 6c22dc61c76b7e7d355f1697ba0ecf26d1334ba6 Mon Sep 17 00:00:00 2001 +From: David Hildenbrand +Date: Wed, 5 Feb 2020 17:34:00 +0100 +Subject: virtio-balloon: Fix memory leak when unloading while hinting is in progress + +From: David Hildenbrand + +commit 6c22dc61c76b7e7d355f1697ba0ecf26d1334ba6 upstream. + +When unloading the driver while hinting is in progress, we will not +release the free page blocks back to MM, resulting in a memory leak. + +Fixes: 86a559787e6f ("virtio-balloon: VIRTIO_BALLOON_F_FREE_PAGE_HINT") +Cc: "Michael S. Tsirkin" +Cc: Jason Wang +Cc: Wei Wang +Cc: Liang Li +Signed-off-by: David Hildenbrand +Link: https://lore.kernel.org/r/20200205163402.42627-2-david@redhat.com +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/virtio/virtio_balloon.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/virtio/virtio_balloon.c ++++ b/drivers/virtio/virtio_balloon.c +@@ -968,6 +968,10 @@ static void remove_common(struct virtio_ + leak_balloon(vb, vb->num_pages); + update_balloon_size(vb); + ++ /* There might be free pages that are being reported: release them. */ ++ if (virtio_has_feature(vb->vdev, VIRTIO_BALLOON_F_FREE_PAGE_HINT)) ++ return_free_pages_to_mm(vb, ULONG_MAX); ++ + /* Now we reset the device so we can clean up the queues. */ + vb->vdev->config->reset(vb->vdev); + diff --git a/queue-5.5/virtio_balloon-fix-memory-leaks-on-errors-in-virtballoon_probe.patch b/queue-5.5/virtio_balloon-fix-memory-leaks-on-errors-in-virtballoon_probe.patch new file mode 100644 index 00000000000..85d0bcb565f --- /dev/null +++ b/queue-5.5/virtio_balloon-fix-memory-leaks-on-errors-in-virtballoon_probe.patch @@ -0,0 +1,66 @@ +From 1ad6f58ea9364b0a5d8ae06249653ac9304a8578 Mon Sep 17 00:00:00 2001 +From: David Hildenbrand +Date: Wed, 5 Feb 2020 17:34:01 +0100 +Subject: virtio_balloon: Fix memory leaks on errors in virtballoon_probe() + +From: David Hildenbrand + +commit 1ad6f58ea9364b0a5d8ae06249653ac9304a8578 upstream. + +We forget to put the inode and unmount the kernfs used for compaction. + +Fixes: 71994620bb25 ("virtio_balloon: replace oom notifier with shrinker") +Cc: "Michael S. Tsirkin" +Cc: Jason Wang +Cc: Wei Wang +Cc: Liang Li +Signed-off-by: David Hildenbrand +Link: https://lore.kernel.org/r/20200205163402.42627-3-david@redhat.com +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/virtio/virtio_balloon.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/drivers/virtio/virtio_balloon.c ++++ b/drivers/virtio/virtio_balloon.c +@@ -901,8 +901,7 @@ static int virtballoon_probe(struct virt + vb->vb_dev_info.inode = alloc_anon_inode(balloon_mnt->mnt_sb); + if (IS_ERR(vb->vb_dev_info.inode)) { + err = PTR_ERR(vb->vb_dev_info.inode); +- kern_unmount(balloon_mnt); +- goto out_del_vqs; ++ goto out_kern_unmount; + } + vb->vb_dev_info.inode->i_mapping->a_ops = &balloon_aops; + #endif +@@ -913,13 +912,13 @@ static int virtballoon_probe(struct virt + */ + if (virtqueue_get_vring_size(vb->free_page_vq) < 2) { + err = -ENOSPC; +- goto out_del_vqs; ++ goto out_iput; + } + vb->balloon_wq = alloc_workqueue("balloon-wq", + WQ_FREEZABLE | WQ_CPU_INTENSIVE, 0); + if (!vb->balloon_wq) { + err = -ENOMEM; +- goto out_del_vqs; ++ goto out_iput; + } + INIT_WORK(&vb->report_free_page_work, report_free_page_func); + vb->cmd_id_received_cache = VIRTIO_BALLOON_CMD_ID_STOP; +@@ -953,6 +952,12 @@ static int virtballoon_probe(struct virt + out_del_balloon_wq: + if (virtio_has_feature(vdev, VIRTIO_BALLOON_F_FREE_PAGE_HINT)) + destroy_workqueue(vb->balloon_wq); ++out_iput: ++#ifdef CONFIG_BALLOON_COMPACTION ++ iput(vb->vb_dev_info.inode); ++out_kern_unmount: ++ kern_unmount(balloon_mnt); ++#endif + out_del_vqs: + vdev->config->del_vqs(vdev); + out_free_vb: