From: Sasha Levin Date: Wed, 6 Nov 2019 13:20:21 +0000 (-0500) Subject: fixes for 4.14 X-Git-Tag: v4.4.200~28 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=096e15a2947a49e2b02b4d5c91f338cb7a98eb99;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/arm-8926-1-v7m-remove-register-save-to-stack-before-.patch b/queue-4.14/arm-8926-1-v7m-remove-register-save-to-stack-before-.patch new file mode 100644 index 00000000000..aa32bc67d1b --- /dev/null +++ b/queue-4.14/arm-8926-1-v7m-remove-register-save-to-stack-before-.patch @@ -0,0 +1,63 @@ +From f2ef60deefa866990527c44c0c898037f97adbc8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Oct 2019 06:06:14 +0100 +Subject: ARM: 8926/1: v7m: remove register save to stack before svc + +From: afzal mohammed + +[ Upstream commit 2ecb287998a47cc0a766f6071f63bc185f338540 ] + +r0-r3 & r12 registers are saved & restored, before & after svc +respectively. Intention was to preserve those registers across thread to +handler mode switch. + +On v7-M, hardware saves the register context upon exception in AAPCS +complaint way. Restoring r0-r3 & r12 is done from stack location where +hardware saves it, not from the location on stack where these registers +were saved. + +To clarify, on stm32f429 discovery board: + +1. before svc, sp - 0x90009ff8 +2. r0-r3,r12 saved to 0x90009ff8 - 0x9000a00b +3. upon svc, h/w decrements sp by 32 & pushes registers onto stack +4. after svc, sp - 0x90009fd8 +5. r0-r3,r12 restored from 0x90009fd8 - 0x90009feb + +Above means r0-r3,r12 is not restored from the location where they are +saved, but since hardware pushes the registers onto stack, the registers +are restored correctly. + +Note that during register saving to stack (step 2), it goes past +0x9000a000. And it seems, based on objdump, there are global symbols +residing there, and it perhaps can cause issues on a non-XIP Kernel +(on XIP, data section is setup later). + +Based on the analysis above, manually saving registers onto stack is at +best no-op and at worst can cause data section corruption. Hence remove +storing of registers onto stack before svc. + +Fixes: b70cd406d7fe ("ARM: 8671/1: V7M: Preserve registers across switch from Thread to Handler mode") +Signed-off-by: afzal mohammed +Acked-by: Vladimir Murzin +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/mm/proc-v7m.S | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/arch/arm/mm/proc-v7m.S b/arch/arm/mm/proc-v7m.S +index 92e84181933ad..c68408d51c4bc 100644 +--- a/arch/arm/mm/proc-v7m.S ++++ b/arch/arm/mm/proc-v7m.S +@@ -135,7 +135,6 @@ __v7m_setup_cont: + dsb + mov r6, lr @ save LR + ldr sp, =init_thread_union + THREAD_START_SP +- stmia sp, {r0-r3, r12} + cpsie i + svc #0 + 1: cpsid i +-- +2.20.1 + diff --git a/queue-4.14/arm-davinci-dm365-fix-mcbsp-dma_slave_map-entry.patch b/queue-4.14/arm-davinci-dm365-fix-mcbsp-dma_slave_map-entry.patch new file mode 100644 index 00000000000..abf45d8bcf3 --- /dev/null +++ b/queue-4.14/arm-davinci-dm365-fix-mcbsp-dma_slave_map-entry.patch @@ -0,0 +1,37 @@ +From 7a759add27a1f6cd4d6854844e82f227253f620c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Aug 2019 13:22:02 +0300 +Subject: ARM: davinci: dm365: Fix McBSP dma_slave_map entry + +From: Peter Ujfalusi + +[ Upstream commit 564b6bb9d42d31fc80c006658cf38940a9b99616 ] + +dm365 have only single McBSP, so the device name is without .0 + +Fixes: 0c750e1fe481d ("ARM: davinci: dm365: Add dma_slave_map to edma") +Signed-off-by: Peter Ujfalusi +Signed-off-by: Sekhar Nori +Signed-off-by: Sasha Levin +--- + arch/arm/mach-davinci/dm365.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/mach-davinci/dm365.c b/arch/arm/mach-davinci/dm365.c +index 8be04ec95adf5..d80b2290ac2e0 100644 +--- a/arch/arm/mach-davinci/dm365.c ++++ b/arch/arm/mach-davinci/dm365.c +@@ -856,8 +856,8 @@ static s8 dm365_queue_priority_mapping[][2] = { + }; + + static const struct dma_slave_map dm365_edma_map[] = { +- { "davinci-mcbsp.0", "tx", EDMA_FILTER_PARAM(0, 2) }, +- { "davinci-mcbsp.0", "rx", EDMA_FILTER_PARAM(0, 3) }, ++ { "davinci-mcbsp", "tx", EDMA_FILTER_PARAM(0, 2) }, ++ { "davinci-mcbsp", "rx", EDMA_FILTER_PARAM(0, 3) }, + { "davinci_voicecodec", "tx", EDMA_FILTER_PARAM(0, 2) }, + { "davinci_voicecodec", "rx", EDMA_FILTER_PARAM(0, 3) }, + { "spi_davinci.2", "tx", EDMA_FILTER_PARAM(0, 10) }, +-- +2.20.1 + diff --git a/queue-4.14/arm-dts-imx7s-correct-gpt-s-ipg-clock-source.patch b/queue-4.14/arm-dts-imx7s-correct-gpt-s-ipg-clock-source.patch new file mode 100644 index 00000000000..b46bf5fda14 --- /dev/null +++ b/queue-4.14/arm-dts-imx7s-correct-gpt-s-ipg-clock-source.patch @@ -0,0 +1,64 @@ +From 75a02db827de7e5a173668ac3eb276feb1f03031 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2019 08:43:42 +0800 +Subject: ARM: dts: imx7s: Correct GPT's ipg clock source + +From: Anson Huang + +[ Upstream commit 252b9e21bcf46b0d16f733f2e42b21fdc60addee ] + +i.MX7S/D's GPT ipg clock should be from GPT clock root and +controlled by CCM's GPT CCGR, using correct clock source for +GPT ipg clock instead of IMX7D_CLK_DUMMY. + +Fixes: 3ef79ca6bd1d ("ARM: dts: imx7d: use imx7s.dtsi as base device tree") +Signed-off-by: Anson Huang +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx7s.dtsi | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/arm/boot/dts/imx7s.dtsi b/arch/arm/boot/dts/imx7s.dtsi +index bf15efbe8a710..836550f2297ac 100644 +--- a/arch/arm/boot/dts/imx7s.dtsi ++++ b/arch/arm/boot/dts/imx7s.dtsi +@@ -450,7 +450,7 @@ + compatible = "fsl,imx7d-gpt", "fsl,imx6sx-gpt"; + reg = <0x302d0000 0x10000>; + interrupts = ; +- clocks = <&clks IMX7D_CLK_DUMMY>, ++ clocks = <&clks IMX7D_GPT1_ROOT_CLK>, + <&clks IMX7D_GPT1_ROOT_CLK>; + clock-names = "ipg", "per"; + }; +@@ -459,7 +459,7 @@ + compatible = "fsl,imx7d-gpt", "fsl,imx6sx-gpt"; + reg = <0x302e0000 0x10000>; + interrupts = ; +- clocks = <&clks IMX7D_CLK_DUMMY>, ++ clocks = <&clks IMX7D_GPT2_ROOT_CLK>, + <&clks IMX7D_GPT2_ROOT_CLK>; + clock-names = "ipg", "per"; + status = "disabled"; +@@ -469,7 +469,7 @@ + compatible = "fsl,imx7d-gpt", "fsl,imx6sx-gpt"; + reg = <0x302f0000 0x10000>; + interrupts = ; +- clocks = <&clks IMX7D_CLK_DUMMY>, ++ clocks = <&clks IMX7D_GPT3_ROOT_CLK>, + <&clks IMX7D_GPT3_ROOT_CLK>; + clock-names = "ipg", "per"; + status = "disabled"; +@@ -479,7 +479,7 @@ + compatible = "fsl,imx7d-gpt", "fsl,imx6sx-gpt"; + reg = <0x30300000 0x10000>; + interrupts = ; +- clocks = <&clks IMX7D_CLK_DUMMY>, ++ clocks = <&clks IMX7D_GPT4_ROOT_CLK>, + <&clks IMX7D_GPT4_ROOT_CLK>; + clock-names = "ipg", "per"; + status = "disabled"; +-- +2.20.1 + diff --git a/queue-4.14/arm-dts-logicpd-torpedo-som-remove-twl_keypad.patch b/queue-4.14/arm-dts-logicpd-torpedo-som-remove-twl_keypad.patch new file mode 100644 index 00000000000..bcc0103c255 --- /dev/null +++ b/queue-4.14/arm-dts-logicpd-torpedo-som-remove-twl_keypad.patch @@ -0,0 +1,40 @@ +From 268a173acd2952c6c7ca28ac988eadab2c14b726 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Aug 2019 17:58:12 -0500 +Subject: ARM: dts: logicpd-torpedo-som: Remove twl_keypad + +From: Adam Ford + +[ Upstream commit 6b512b0ee091edcb8e46218894e4c917d919d3dc ] + +The TWL4030 used on the Logit PD Torpedo SOM does not have the +keypad pins routed. This patch disables the twl_keypad driver +to remove some splat during boot: + +twl4030_keypad 48070000.i2c:twl@48:keypad: missing or malformed property linux,keymap: -22 +twl4030_keypad 48070000.i2c:twl@48:keypad: Failed to build keymap +twl4030_keypad: probe of 48070000.i2c:twl@48:keypad failed with error -22 + +Signed-off-by: Adam Ford +[tony@atomide.com: removed error time stamps] +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/logicpd-torpedo-som.dtsi | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/arch/arm/boot/dts/logicpd-torpedo-som.dtsi b/arch/arm/boot/dts/logicpd-torpedo-som.dtsi +index fe4cbdc72359e..7265d7072b5cb 100644 +--- a/arch/arm/boot/dts/logicpd-torpedo-som.dtsi ++++ b/arch/arm/boot/dts/logicpd-torpedo-som.dtsi +@@ -270,3 +270,7 @@ + &twl_gpio { + ti,use-leds; + }; ++ ++&twl_keypad { ++ status = "disabled"; ++}; +-- +2.20.1 + diff --git a/queue-4.14/arm-mm-fix-alignment-handler-faults-under-memory-pre.patch b/queue-4.14/arm-mm-fix-alignment-handler-faults-under-memory-pre.patch new file mode 100644 index 00000000000..e1afe3848ad --- /dev/null +++ b/queue-4.14/arm-mm-fix-alignment-handler-faults-under-memory-pre.patch @@ -0,0 +1,110 @@ +From c3286055bfbe52bf38a772f2a2ec00d80190f018 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 31 Aug 2019 17:01:58 +0100 +Subject: ARM: mm: fix alignment handler faults under memory pressure + +From: Russell King + +[ Upstream commit 67e15fa5b487adb9b78a92789eeff2d6ec8f5cee ] + +When the system has high memory pressure, the page containing the +instruction may be paged out. Using probe_kernel_address() means that +if the page is swapped out, the resulting page fault will not be +handled because page faults are disabled by this function. + +Use get_user() to read the instruction instead. + +Reported-by: Jing Xiangfeng +Fixes: b255188f90e2 ("ARM: fix scheduling while atomic warning in alignment handling code") +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/mm/alignment.c | 44 +++++++++++++++++++++++++++++++++-------- + 1 file changed, 36 insertions(+), 8 deletions(-) + +diff --git a/arch/arm/mm/alignment.c b/arch/arm/mm/alignment.c +index 2c96190e018bd..96b17a870b91d 100644 +--- a/arch/arm/mm/alignment.c ++++ b/arch/arm/mm/alignment.c +@@ -768,6 +768,36 @@ do_alignment_t32_to_handler(unsigned long *pinstr, struct pt_regs *regs, + return NULL; + } + ++static int alignment_get_arm(struct pt_regs *regs, u32 *ip, unsigned long *inst) ++{ ++ u32 instr = 0; ++ int fault; ++ ++ if (user_mode(regs)) ++ fault = get_user(instr, ip); ++ else ++ fault = probe_kernel_address(ip, instr); ++ ++ *inst = __mem_to_opcode_arm(instr); ++ ++ return fault; ++} ++ ++static int alignment_get_thumb(struct pt_regs *regs, u16 *ip, u16 *inst) ++{ ++ u16 instr = 0; ++ int fault; ++ ++ if (user_mode(regs)) ++ fault = get_user(instr, ip); ++ else ++ fault = probe_kernel_address(ip, instr); ++ ++ *inst = __mem_to_opcode_thumb16(instr); ++ ++ return fault; ++} ++ + static int + do_alignment(unsigned long addr, unsigned int fsr, struct pt_regs *regs) + { +@@ -775,10 +805,10 @@ do_alignment(unsigned long addr, unsigned int fsr, struct pt_regs *regs) + unsigned long instr = 0, instrptr; + int (*handler)(unsigned long addr, unsigned long instr, struct pt_regs *regs); + unsigned int type; +- unsigned int fault; + u16 tinstr = 0; + int isize = 4; + int thumb2_32b = 0; ++ int fault; + + if (interrupts_enabled(regs)) + local_irq_enable(); +@@ -787,15 +817,14 @@ do_alignment(unsigned long addr, unsigned int fsr, struct pt_regs *regs) + + if (thumb_mode(regs)) { + u16 *ptr = (u16 *)(instrptr & ~1); +- fault = probe_kernel_address(ptr, tinstr); +- tinstr = __mem_to_opcode_thumb16(tinstr); ++ ++ fault = alignment_get_thumb(regs, ptr, &tinstr); + if (!fault) { + if (cpu_architecture() >= CPU_ARCH_ARMv7 && + IS_T32(tinstr)) { + /* Thumb-2 32-bit */ +- u16 tinst2 = 0; +- fault = probe_kernel_address(ptr + 1, tinst2); +- tinst2 = __mem_to_opcode_thumb16(tinst2); ++ u16 tinst2; ++ fault = alignment_get_thumb(regs, ptr + 1, &tinst2); + instr = __opcode_thumb32_compose(tinstr, tinst2); + thumb2_32b = 1; + } else { +@@ -804,8 +833,7 @@ do_alignment(unsigned long addr, unsigned int fsr, struct pt_regs *regs) + } + } + } else { +- fault = probe_kernel_address((void *)instrptr, instr); +- instr = __mem_to_opcode_arm(instr); ++ fault = alignment_get_arm(regs, (void *)instrptr, &instr); + } + + if (fault) { +-- +2.20.1 + diff --git a/queue-4.14/arm64-dts-fix-gpio-to-pinmux-mapping.patch b/queue-4.14/arm64-dts-fix-gpio-to-pinmux-mapping.patch new file mode 100644 index 00000000000..3cf6f48690b --- /dev/null +++ b/queue-4.14/arm64-dts-fix-gpio-to-pinmux-mapping.patch @@ -0,0 +1,61 @@ +From ef53b58fd627f2b9401a47440ca1802fe6dcca0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Sep 2019 14:05:27 +0530 +Subject: arm64: dts: Fix gpio to pinmux mapping + +From: Rayagonda Kokatanur + +[ Upstream commit 965f6603e3335a953f4f876792074cb36bf65f7f ] + +There are total of 151 non-secure gpio (0-150) and four +pins of pinmux (91, 92, 93 and 94) are not mapped to any +gpio pin, hence update same in DT. + +Fixes: 8aa428cc1e2e ("arm64: dts: Add pinctrl DT nodes for Stingray SOC") +Signed-off-by: Rayagonda Kokatanur +Reviewed-by: Ray Jui +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/broadcom/stingray/stingray-pinctrl.dtsi | 5 +++-- + arch/arm64/boot/dts/broadcom/stingray/stingray.dtsi | 3 +-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/arm64/boot/dts/broadcom/stingray/stingray-pinctrl.dtsi b/arch/arm64/boot/dts/broadcom/stingray/stingray-pinctrl.dtsi +index 15214d05fec1c..8c20d4a0cb4ed 100644 +--- a/arch/arm64/boot/dts/broadcom/stingray/stingray-pinctrl.dtsi ++++ b/arch/arm64/boot/dts/broadcom/stingray/stingray-pinctrl.dtsi +@@ -42,13 +42,14 @@ + + pinmux: pinmux@0014029c { + compatible = "pinctrl-single"; +- reg = <0x0014029c 0x250>; ++ reg = <0x0014029c 0x26c>; + #address-cells = <1>; + #size-cells = <1>; + pinctrl-single,register-width = <32>; + pinctrl-single,function-mask = <0xf>; + pinctrl-single,gpio-range = < +- &range 0 154 MODE_GPIO ++ &range 0 91 MODE_GPIO ++ &range 95 60 MODE_GPIO + >; + range: gpio-range { + #pinctrl-single,gpio-range-cells = <3>; +diff --git a/arch/arm64/boot/dts/broadcom/stingray/stingray.dtsi b/arch/arm64/boot/dts/broadcom/stingray/stingray.dtsi +index 2b76293b51c83..3d2921ef29351 100644 +--- a/arch/arm64/boot/dts/broadcom/stingray/stingray.dtsi ++++ b/arch/arm64/boot/dts/broadcom/stingray/stingray.dtsi +@@ -444,8 +444,7 @@ + <&pinmux 108 16 27>, + <&pinmux 135 77 6>, + <&pinmux 141 67 4>, +- <&pinmux 145 149 6>, +- <&pinmux 151 91 4>; ++ <&pinmux 145 149 6>; + }; + + i2c1: i2c@000e0000 { +-- +2.20.1 + diff --git a/queue-4.14/asoc-rockchip-i2s-fix-rpm-imbalance.patch b/queue-4.14/asoc-rockchip-i2s-fix-rpm-imbalance.patch new file mode 100644 index 00000000000..89a9f5955f9 --- /dev/null +++ b/queue-4.14/asoc-rockchip-i2s-fix-rpm-imbalance.patch @@ -0,0 +1,39 @@ +From 8eb550d8c4317cbcc5ef8405d517e1363307b24e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Oct 2019 16:30:37 +0100 +Subject: ASoc: rockchip: i2s: Fix RPM imbalance + +From: Robin Murphy + +[ Upstream commit b1e620e7d32f5aad5353cc3cfc13ed99fea65d3a ] + +If rockchip_pcm_platform_register() fails, e.g. upon deferring to wait +for an absent DMA channel, we return without disabling RPM, which makes +subsequent re-probe attempts scream with errors about the unbalanced +enable. Don't do that. + +Fixes: ebb75c0bdba2 ("ASoC: rockchip: i2s: Adjust devm usage") +Signed-off-by: Robin Murphy +Link: https://lore.kernel.org/r/bcb12a849a05437fb18372bc7536c649b94bdf07.1570029862.git.robin.murphy@arm.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/rockchip/rockchip_i2s.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/rockchip/rockchip_i2s.c b/sound/soc/rockchip/rockchip_i2s.c +index 66fc13a2396a0..0e07e3dea7de4 100644 +--- a/sound/soc/rockchip/rockchip_i2s.c ++++ b/sound/soc/rockchip/rockchip_i2s.c +@@ -676,7 +676,7 @@ static int rockchip_i2s_probe(struct platform_device *pdev) + ret = devm_snd_dmaengine_pcm_register(&pdev->dev, NULL, 0); + if (ret) { + dev_err(&pdev->dev, "Could not register PCM\n"); +- return ret; ++ goto err_suspend; + } + + return 0; +-- +2.20.1 + diff --git a/queue-4.14/asoc-wm_adsp-don-t-generate-kcontrols-without-read-f.patch b/queue-4.14/asoc-wm_adsp-don-t-generate-kcontrols-without-read-f.patch new file mode 100644 index 00000000000..c80da2645b6 --- /dev/null +++ b/queue-4.14/asoc-wm_adsp-don-t-generate-kcontrols-without-read-f.patch @@ -0,0 +1,39 @@ +From 63d99c3028dac62fe99da5cd374fcb80f240d666 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Oct 2019 09:42:40 +0100 +Subject: ASoC: wm_adsp: Don't generate kcontrols without READ flags + +From: Stuart Henderson + +[ Upstream commit 3ae7359c0e39f42a96284d6798fc669acff38140 ] + +User space always expects to be able to read ALSA controls, so ensure +no kcontrols are generated without an appropriate READ flag. In the case +of a read of such a control zeros will be returned. + +Signed-off-by: Stuart Henderson +Signed-off-by: Charles Keepax +Link: https://lore.kernel.org/r/20191002084240.21589-1-ckeepax@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wm_adsp.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/sound/soc/codecs/wm_adsp.c b/sound/soc/codecs/wm_adsp.c +index d632a0511d62a..158ce68bc9bf3 100644 +--- a/sound/soc/codecs/wm_adsp.c ++++ b/sound/soc/codecs/wm_adsp.c +@@ -1169,8 +1169,7 @@ static unsigned int wmfw_convert_flags(unsigned int in, unsigned int len) + } + + if (in) { +- if (in & WMFW_CTL_FLAG_READABLE) +- out |= rd; ++ out |= rd; + if (in & WMFW_CTL_FLAG_WRITEABLE) + out |= wr; + if (in & WMFW_CTL_FLAG_VOLATILE) +-- +2.20.1 + diff --git a/queue-4.14/cifs-fix-cifsinodeinfo-lock_sem-deadlock-when-reconn.patch b/queue-4.14/cifs-fix-cifsinodeinfo-lock_sem-deadlock-when-reconn.patch new file mode 100644 index 00000000000..366b86bdb39 --- /dev/null +++ b/queue-4.14/cifs-fix-cifsinodeinfo-lock_sem-deadlock-when-reconn.patch @@ -0,0 +1,180 @@ +From 0d48d3cde671b3098582011350b77c701fb7256b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Oct 2019 05:02:33 -0400 +Subject: cifs: Fix cifsInodeInfo lock_sem deadlock when reconnect occurs + +From: Dave Wysochanski + +[ Upstream commit d46b0da7a33dd8c99d969834f682267a45444ab3 ] + +There's a deadlock that is possible and can easily be seen with +a test where multiple readers open/read/close of the same file +and a disruption occurs causing reconnect. The deadlock is due +a reader thread inside cifs_strict_readv calling down_read and +obtaining lock_sem, and then after reconnect inside +cifs_reopen_file calling down_read a second time. If in +between the two down_read calls, a down_write comes from +another process, deadlock occurs. + + CPU0 CPU1 + ---- ---- +cifs_strict_readv() + down_read(&cifsi->lock_sem); + _cifsFileInfo_put + OR + cifs_new_fileinfo + down_write(&cifsi->lock_sem); +cifs_reopen_file() + down_read(&cifsi->lock_sem); + +Fix the above by changing all down_write(lock_sem) calls to +down_write_trylock(lock_sem)/msleep() loop, which in turn +makes the second down_read call benign since it will never +block behind the writer while holding lock_sem. + +Signed-off-by: Dave Wysochanski +Suggested-by: Ronnie Sahlberg +Reviewed--by: Ronnie Sahlberg +Reviewed-by: Pavel Shilovsky +Signed-off-by: Sasha Levin +--- + fs/cifs/cifsglob.h | 5 +++++ + fs/cifs/cifsproto.h | 1 + + fs/cifs/file.c | 23 +++++++++++++++-------- + fs/cifs/smb2file.c | 2 +- + 4 files changed, 22 insertions(+), 9 deletions(-) + +diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h +index 7b7ab10a9db18..600bb838c15b8 100644 +--- a/fs/cifs/cifsglob.h ++++ b/fs/cifs/cifsglob.h +@@ -1210,6 +1210,11 @@ void cifsFileInfo_put(struct cifsFileInfo *cifs_file); + struct cifsInodeInfo { + bool can_cache_brlcks; + struct list_head llist; /* locks helb by this inode */ ++ /* ++ * NOTE: Some code paths call down_read(lock_sem) twice, so ++ * we must always use use cifs_down_write() instead of down_write() ++ * for this semaphore to avoid deadlocks. ++ */ + struct rw_semaphore lock_sem; /* protect the fields above */ + /* BB add in lists for dirty pages i.e. write caching info for oplock */ + struct list_head openFileList; +diff --git a/fs/cifs/cifsproto.h b/fs/cifs/cifsproto.h +index ccdb42f71b2e8..3a7fb8e750e97 100644 +--- a/fs/cifs/cifsproto.h ++++ b/fs/cifs/cifsproto.h +@@ -149,6 +149,7 @@ extern int cifs_unlock_range(struct cifsFileInfo *cfile, + struct file_lock *flock, const unsigned int xid); + extern int cifs_push_mandatory_locks(struct cifsFileInfo *cfile); + ++extern void cifs_down_write(struct rw_semaphore *sem); + extern struct cifsFileInfo *cifs_new_fileinfo(struct cifs_fid *fid, + struct file *file, + struct tcon_link *tlink, +diff --git a/fs/cifs/file.c b/fs/cifs/file.c +index 71a960da7cce1..40f22932343c6 100644 +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -280,6 +280,13 @@ cifs_has_mand_locks(struct cifsInodeInfo *cinode) + return has_locks; + } + ++void ++cifs_down_write(struct rw_semaphore *sem) ++{ ++ while (!down_write_trylock(sem)) ++ msleep(10); ++} ++ + struct cifsFileInfo * + cifs_new_fileinfo(struct cifs_fid *fid, struct file *file, + struct tcon_link *tlink, __u32 oplock) +@@ -305,7 +312,7 @@ cifs_new_fileinfo(struct cifs_fid *fid, struct file *file, + INIT_LIST_HEAD(&fdlocks->locks); + fdlocks->cfile = cfile; + cfile->llist = fdlocks; +- down_write(&cinode->lock_sem); ++ cifs_down_write(&cinode->lock_sem); + list_add(&fdlocks->llist, &cinode->llist); + up_write(&cinode->lock_sem); + +@@ -457,7 +464,7 @@ void _cifsFileInfo_put(struct cifsFileInfo *cifs_file, bool wait_oplock_handler) + * Delete any outstanding lock records. We'll lose them when the file + * is closed anyway. + */ +- down_write(&cifsi->lock_sem); ++ cifs_down_write(&cifsi->lock_sem); + list_for_each_entry_safe(li, tmp, &cifs_file->llist->locks, llist) { + list_del(&li->llist); + cifs_del_lock_waiters(li); +@@ -1011,7 +1018,7 @@ static void + cifs_lock_add(struct cifsFileInfo *cfile, struct cifsLockInfo *lock) + { + struct cifsInodeInfo *cinode = CIFS_I(d_inode(cfile->dentry)); +- down_write(&cinode->lock_sem); ++ cifs_down_write(&cinode->lock_sem); + list_add_tail(&lock->llist, &cfile->llist->locks); + up_write(&cinode->lock_sem); + } +@@ -1033,7 +1040,7 @@ cifs_lock_add_if(struct cifsFileInfo *cfile, struct cifsLockInfo *lock, + + try_again: + exist = false; +- down_write(&cinode->lock_sem); ++ cifs_down_write(&cinode->lock_sem); + + exist = cifs_find_lock_conflict(cfile, lock->offset, lock->length, + lock->type, &conf_lock, CIFS_LOCK_OP); +@@ -1055,7 +1062,7 @@ cifs_lock_add_if(struct cifsFileInfo *cfile, struct cifsLockInfo *lock, + (lock->blist.next == &lock->blist)); + if (!rc) + goto try_again; +- down_write(&cinode->lock_sem); ++ cifs_down_write(&cinode->lock_sem); + list_del_init(&lock->blist); + } + +@@ -1108,7 +1115,7 @@ cifs_posix_lock_set(struct file *file, struct file_lock *flock) + return rc; + + try_again: +- down_write(&cinode->lock_sem); ++ cifs_down_write(&cinode->lock_sem); + if (!cinode->can_cache_brlcks) { + up_write(&cinode->lock_sem); + return rc; +@@ -1314,7 +1321,7 @@ cifs_push_locks(struct cifsFileInfo *cfile) + int rc = 0; + + /* we are going to update can_cache_brlcks here - need a write access */ +- down_write(&cinode->lock_sem); ++ cifs_down_write(&cinode->lock_sem); + if (!cinode->can_cache_brlcks) { + up_write(&cinode->lock_sem); + return rc; +@@ -1505,7 +1512,7 @@ cifs_unlock_range(struct cifsFileInfo *cfile, struct file_lock *flock, + if (!buf) + return -ENOMEM; + +- down_write(&cinode->lock_sem); ++ cifs_down_write(&cinode->lock_sem); + for (i = 0; i < 2; i++) { + cur = buf; + num = 0; +diff --git a/fs/cifs/smb2file.c b/fs/cifs/smb2file.c +index 1add404618f06..2c809233084bb 100644 +--- a/fs/cifs/smb2file.c ++++ b/fs/cifs/smb2file.c +@@ -139,7 +139,7 @@ smb2_unlock_range(struct cifsFileInfo *cfile, struct file_lock *flock, + + cur = buf; + +- down_write(&cinode->lock_sem); ++ cifs_down_write(&cinode->lock_sem); + list_for_each_entry_safe(li, tmp, &cfile->llist->locks, llist) { + if (flock->fl_start > li->offset || + (flock->fl_start + length) < +-- +2.20.1 + diff --git a/queue-4.14/i2c-stm32f7-remove-warning-when-compiling-with-w-1.patch b/queue-4.14/i2c-stm32f7-remove-warning-when-compiling-with-w-1.patch new file mode 100644 index 00000000000..b69ed47e031 --- /dev/null +++ b/queue-4.14/i2c-stm32f7-remove-warning-when-compiling-with-w-1.patch @@ -0,0 +1,43 @@ +From 32424c400f0cabae9034226a0634e49e82865ffa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Oct 2019 15:11:58 +0200 +Subject: i2c: stm32f7: remove warning when compiling with W=1 + +From: Alain Volmat + +[ Upstream commit 348e46fbb4cdb2aead79aee1fd8bb25ec5fd25db ] + +Remove the following warning: + +drivers/i2c/busses/i2c-stm32f7.c:315: +warning: cannot understand function prototype: +'struct stm32f7_i2c_spec i2c_specs[] = + +Replace a comment starting with /** by simply /* to avoid having +it interpreted as a kernel-doc comment. + +Fixes: aeb068c57214 ("i2c: i2c-stm32f7: add driver") +Signed-off-by: Alain Volmat +Reviewed-by: Pierre-Yves MORDRET +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-stm32f7.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-stm32f7.c b/drivers/i2c/busses/i2c-stm32f7.c +index d8cbe149925b5..14f60751729e7 100644 +--- a/drivers/i2c/busses/i2c-stm32f7.c ++++ b/drivers/i2c/busses/i2c-stm32f7.c +@@ -219,7 +219,7 @@ struct stm32f7_i2c_dev { + struct stm32f7_i2c_timings timing; + }; + +-/** ++/* + * All these values are coming from I2C Specification, Version 6.0, 4th of + * April 2014. + * +-- +2.20.1 + diff --git a/queue-4.14/mips-bmips-mark-exception-vectors-as-char-arrays.patch b/queue-4.14/mips-bmips-mark-exception-vectors-as-char-arrays.patch new file mode 100644 index 00000000000..12aad5469d4 --- /dev/null +++ b/queue-4.14/mips-bmips-mark-exception-vectors-as-char-arrays.patch @@ -0,0 +1,107 @@ +From a4b29799b6321b84948cb34929f1f79a222607da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Oct 2019 21:11:00 +0200 +Subject: MIPS: bmips: mark exception vectors as char arrays + +From: Jonas Gorski + +[ Upstream commit e4f5cb1a9b27c0f94ef4f5a0178a3fde2d3d0e9e ] + +The vectors span more than one byte, so mark them as arrays. + +Fixes the following build error when building when using GCC 8.3: + +In file included from ./include/linux/string.h:19, + from ./include/linux/bitmap.h:9, + from ./include/linux/cpumask.h:12, + from ./arch/mips/include/asm/processor.h:15, + from ./arch/mips/include/asm/thread_info.h:16, + from ./include/linux/thread_info.h:38, + from ./include/asm-generic/preempt.h:5, + from ./arch/mips/include/generated/asm/preempt.h:1, + from ./include/linux/preempt.h:81, + from ./include/linux/spinlock.h:51, + from ./include/linux/mmzone.h:8, + from ./include/linux/bootmem.h:8, + from arch/mips/bcm63xx/prom.c:10: +arch/mips/bcm63xx/prom.c: In function 'prom_init': +./arch/mips/include/asm/string.h:162:11: error: '__builtin_memcpy' forming offset [2, 32] is out of the bounds [0, 1] of object 'bmips_smp_movevec' with type 'char' [-Werror=array-bounds] + __ret = __builtin_memcpy((dst), (src), __len); \ + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +arch/mips/bcm63xx/prom.c:97:3: note: in expansion of macro 'memcpy' + memcpy((void *)0xa0000200, &bmips_smp_movevec, 0x20); + ^~~~~~ +In file included from arch/mips/bcm63xx/prom.c:14: +./arch/mips/include/asm/bmips.h:80:13: note: 'bmips_smp_movevec' declared here + extern char bmips_smp_movevec; + +Fixes: 18a1eef92dcd ("MIPS: BMIPS: Introduce bmips.h") +Signed-off-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Signed-off-by: Paul Burton +Cc: linux-mips@vger.kernel.org +Cc: Ralf Baechle +Cc: James Hogan +Signed-off-by: Sasha Levin +--- + arch/mips/bcm63xx/prom.c | 2 +- + arch/mips/include/asm/bmips.h | 10 +++++----- + arch/mips/kernel/smp-bmips.c | 8 ++++---- + 3 files changed, 10 insertions(+), 10 deletions(-) + +diff --git a/arch/mips/bcm63xx/prom.c b/arch/mips/bcm63xx/prom.c +index 7019e2967009e..bbbf8057565b2 100644 +--- a/arch/mips/bcm63xx/prom.c ++++ b/arch/mips/bcm63xx/prom.c +@@ -84,7 +84,7 @@ void __init prom_init(void) + * Here we will start up CPU1 in the background and ask it to + * reconfigure itself then go back to sleep. + */ +- memcpy((void *)0xa0000200, &bmips_smp_movevec, 0x20); ++ memcpy((void *)0xa0000200, bmips_smp_movevec, 0x20); + __sync(); + set_c0_cause(C_SW0); + cpumask_set_cpu(1, &bmips_booted_mask); +diff --git a/arch/mips/include/asm/bmips.h b/arch/mips/include/asm/bmips.h +index b3e2975f83d36..a564915fddc40 100644 +--- a/arch/mips/include/asm/bmips.h ++++ b/arch/mips/include/asm/bmips.h +@@ -75,11 +75,11 @@ static inline int register_bmips_smp_ops(void) + #endif + } + +-extern char bmips_reset_nmi_vec; +-extern char bmips_reset_nmi_vec_end; +-extern char bmips_smp_movevec; +-extern char bmips_smp_int_vec; +-extern char bmips_smp_int_vec_end; ++extern char bmips_reset_nmi_vec[]; ++extern char bmips_reset_nmi_vec_end[]; ++extern char bmips_smp_movevec[]; ++extern char bmips_smp_int_vec[]; ++extern char bmips_smp_int_vec_end[]; + + extern int bmips_smp_enabled; + extern int bmips_cpu_offset; +diff --git a/arch/mips/kernel/smp-bmips.c b/arch/mips/kernel/smp-bmips.c +index 382d12eb88f0f..45fbcbbf2504e 100644 +--- a/arch/mips/kernel/smp-bmips.c ++++ b/arch/mips/kernel/smp-bmips.c +@@ -457,10 +457,10 @@ static void bmips_wr_vec(unsigned long dst, char *start, char *end) + + static inline void bmips_nmi_handler_setup(void) + { +- bmips_wr_vec(BMIPS_NMI_RESET_VEC, &bmips_reset_nmi_vec, +- &bmips_reset_nmi_vec_end); +- bmips_wr_vec(BMIPS_WARM_RESTART_VEC, &bmips_smp_int_vec, +- &bmips_smp_int_vec_end); ++ bmips_wr_vec(BMIPS_NMI_RESET_VEC, bmips_reset_nmi_vec, ++ bmips_reset_nmi_vec_end); ++ bmips_wr_vec(BMIPS_WARM_RESTART_VEC, bmips_smp_int_vec, ++ bmips_smp_int_vec_end); + } + + struct reset_vec_info { +-- +2.20.1 + diff --git a/queue-4.14/nbd-handle-racing-with-error-ed-out-commands.patch b/queue-4.14/nbd-handle-racing-with-error-ed-out-commands.patch new file mode 100644 index 00000000000..3e5bfb4acc8 --- /dev/null +++ b/queue-4.14/nbd-handle-racing-with-error-ed-out-commands.patch @@ -0,0 +1,69 @@ +From 4e4975526e702665b7cfc0a2f74c0040844863ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Oct 2019 15:56:28 -0400 +Subject: nbd: handle racing with error'ed out commands + +From: Josef Bacik + +[ Upstream commit 7ce23e8e0a9cd38338fc8316ac5772666b565ca9 ] + +We hit the following warning in production + +print_req_error: I/O error, dev nbd0, sector 7213934408 flags 80700 +------------[ cut here ]------------ +refcount_t: underflow; use-after-free. +WARNING: CPU: 25 PID: 32407 at lib/refcount.c:190 refcount_sub_and_test_checked+0x53/0x60 +Workqueue: knbd-recv recv_work [nbd] +RIP: 0010:refcount_sub_and_test_checked+0x53/0x60 +Call Trace: + blk_mq_free_request+0xb7/0xf0 + blk_mq_complete_request+0x62/0xf0 + recv_work+0x29/0xa1 [nbd] + process_one_work+0x1f5/0x3f0 + worker_thread+0x2d/0x3d0 + ? rescuer_thread+0x340/0x340 + kthread+0x111/0x130 + ? kthread_create_on_node+0x60/0x60 + ret_from_fork+0x1f/0x30 +---[ end trace b079c3c67f98bb7c ]--- + +This was preceded by us timing out everything and shutting down the +sockets for the device. The problem is we had a request in the queue at +the same time, so we completed the request twice. This can actually +happen in a lot of cases, we fail to get a ref on our config, we only +have one connection and just error out the command, etc. + +Fix this by checking cmd->status in nbd_read_stat. We only change this +under the cmd->lock, so we are safe to check this here and see if we've +already error'ed this command out, which would indicate that we've +completed it as well. + +Reviewed-by: Mike Christie +Signed-off-by: Josef Bacik + +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/nbd.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index f3d0bc9a99058..34dfadd4dcd41 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -648,6 +648,12 @@ static struct nbd_cmd *nbd_read_stat(struct nbd_device *nbd, int index) + ret = -ENOENT; + goto out; + } ++ if (cmd->status != BLK_STS_OK) { ++ dev_err(disk_to_dev(nbd->disk), "Command already handled %p\n", ++ req); ++ ret = -ENOENT; ++ goto out; ++ } + if (test_bit(NBD_CMD_REQUEUED, &cmd->flags)) { + dev_err(disk_to_dev(nbd->disk), "Raced with timeout on req %p\n", + req); +-- +2.20.1 + diff --git a/queue-4.14/of-unittest-fix-memory-leak-in-unittest_data_add.patch b/queue-4.14/of-unittest-fix-memory-leak-in-unittest_data_add.patch new file mode 100644 index 00000000000..c50e352f00c --- /dev/null +++ b/queue-4.14/of-unittest-fix-memory-leak-in-unittest_data_add.patch @@ -0,0 +1,37 @@ +From de6cdedb1adf65454c8a6f78ed83526d7b2a4407 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Oct 2019 13:58:43 -0500 +Subject: of: unittest: fix memory leak in unittest_data_add + +From: Navid Emamdoost + +[ Upstream commit e13de8fe0d6a51341671bbe384826d527afe8d44 ] + +In unittest_data_add, a copy buffer is created via kmemdup. This buffer +is leaked if of_fdt_unflatten_tree fails. The release for the +unittest_data buffer is added. + +Fixes: b951f9dc7f25 ("Enabling OF selftest to run without machine's devicetree") +Signed-off-by: Navid Emamdoost +Reviewed-by: Frank Rowand +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +--- + drivers/of/unittest.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c +index 7c6aff7618009..87650d42682fc 100644 +--- a/drivers/of/unittest.c ++++ b/drivers/of/unittest.c +@@ -1002,6 +1002,7 @@ static int __init unittest_data_add(void) + of_fdt_unflatten_tree(unittest_data, NULL, &unittest_data_node); + if (!unittest_data_node) { + pr_warn("%s: No tree to attach; not running tests\n", __func__); ++ kfree(unittest_data); + return -ENODATA; + } + of_node_set_flag(unittest_data_node, OF_DETACHED); +-- +2.20.1 + diff --git a/queue-4.14/perf-c2c-fix-memory-leak-in-build_cl_output.patch b/queue-4.14/perf-c2c-fix-memory-leak-in-build_cl_output.patch new file mode 100644 index 00000000000..ac0c2298f67 --- /dev/null +++ b/queue-4.14/perf-c2c-fix-memory-leak-in-build_cl_output.patch @@ -0,0 +1,72 @@ +From 035466a9096829c52608515d696b7fdbd1108730 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Oct 2019 10:54:14 +0800 +Subject: perf c2c: Fix memory leak in build_cl_output() + +From: Yunfeng Ye + +[ Upstream commit ae199c580da1754a2b051321eeb76d6dacd8707b ] + +There is a memory leak problem in the failure paths of +build_cl_output(), so fix it. + +Signed-off-by: Yunfeng Ye +Acked-by: Jiri Olsa +Cc: Alexander Shishkin +Cc: Feilong Lin +Cc: Hu Shiyuan +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/4d3c0178-5482-c313-98e1-f82090d2d456@huawei.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-c2c.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/tools/perf/builtin-c2c.c b/tools/perf/builtin-c2c.c +index 32e64a8a6443f..bec7a2f1fb4dc 100644 +--- a/tools/perf/builtin-c2c.c ++++ b/tools/perf/builtin-c2c.c +@@ -2454,6 +2454,7 @@ static int build_cl_output(char *cl_sort, bool no_source) + bool add_sym = false; + bool add_dso = false; + bool add_src = false; ++ int ret = 0; + + if (!buf) + return -ENOMEM; +@@ -2472,7 +2473,8 @@ static int build_cl_output(char *cl_sort, bool no_source) + add_dso = true; + } else if (strcmp(tok, "offset")) { + pr_err("unrecognized sort token: %s\n", tok); +- return -EINVAL; ++ ret = -EINVAL; ++ goto err; + } + } + +@@ -2495,13 +2497,15 @@ static int build_cl_output(char *cl_sort, bool no_source) + add_sym ? "symbol," : "", + add_dso ? "dso," : "", + add_src ? "cl_srcline," : "", +- "node") < 0) +- return -ENOMEM; ++ "node") < 0) { ++ ret = -ENOMEM; ++ goto err; ++ } + + c2c.show_src = add_src; +- ++err: + free(buf); +- return 0; ++ return ret; + } + + static int setup_coalesce(const char *coalesce, bool no_source) +-- +2.20.1 + diff --git a/queue-4.14/perf-kmem-fix-memory-leak-in-compact_gfp_flags.patch b/queue-4.14/perf-kmem-fix-memory-leak-in-compact_gfp_flags.patch new file mode 100644 index 00000000000..5b3f00c3c70 --- /dev/null +++ b/queue-4.14/perf-kmem-fix-memory-leak-in-compact_gfp_flags.patch @@ -0,0 +1,45 @@ +From 46de4c0c787be03a63365147829c9262cab936ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Oct 2019 16:38:45 +0800 +Subject: perf kmem: Fix memory leak in compact_gfp_flags() + +From: Yunfeng Ye + +[ Upstream commit 1abecfcaa7bba21c9985e0136fa49836164dd8fd ] + +The memory @orig_flags is allocated by strdup(), it is freed on the +normal path, but leak to free on the error path. + +Fix this by adding free(orig_flags) on the error path. + +Fixes: 0e11115644b3 ("perf kmem: Print gfp flags in human readable string") +Signed-off-by: Yunfeng Ye +Cc: Alexander Shishkin +Cc: Feilong Lin +Cc: Hu Shiyuan +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/f9e9f458-96f3-4a97-a1d5-9feec2420e07@huawei.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-kmem.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/perf/builtin-kmem.c b/tools/perf/builtin-kmem.c +index 9e693ce4b73b0..ce786f363476e 100644 +--- a/tools/perf/builtin-kmem.c ++++ b/tools/perf/builtin-kmem.c +@@ -687,6 +687,7 @@ static char *compact_gfp_flags(char *gfp_flags) + new = realloc(new_flags, len + strlen(cpt) + 2); + if (new == NULL) { + free(new_flags); ++ free(orig_flags); + return NULL; + } + +-- +2.20.1 + diff --git a/queue-4.14/pinctrl-ns2-fix-off-by-one-bugs-in-ns2_pinmux_enable.patch b/queue-4.14/pinctrl-ns2-fix-off-by-one-bugs-in-ns2_pinmux_enable.patch new file mode 100644 index 00000000000..3ddea25c20a --- /dev/null +++ b/queue-4.14/pinctrl-ns2-fix-off-by-one-bugs-in-ns2_pinmux_enable.patch @@ -0,0 +1,42 @@ +From 2d2434d39f14b268590e4687c4be5a87ad1a743c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Sep 2019 11:14:26 +0300 +Subject: pinctrl: ns2: Fix off by one bugs in ns2_pinmux_enable() + +From: Dan Carpenter + +[ Upstream commit 39b65fbb813089e366b376bd8acc300b6fd646dc ] + +The pinctrl->functions[] array has pinctrl->num_functions elements and +the pinctrl->groups[] array is the same way. These are set in +ns2_pinmux_probe(). So the > comparisons should be >= so that we don't +read one element beyond the end of the array. + +Fixes: b5aa1006e4a9 ("pinctrl: ns2: add pinmux driver support for Broadcom NS2 SoC") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/20190926081426.GB2332@mwanda +Acked-by: Scott Branden +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/bcm/pinctrl-ns2-mux.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/pinctrl/bcm/pinctrl-ns2-mux.c b/drivers/pinctrl/bcm/pinctrl-ns2-mux.c +index 4b5cf0e0f16e2..951090faa6a91 100644 +--- a/drivers/pinctrl/bcm/pinctrl-ns2-mux.c ++++ b/drivers/pinctrl/bcm/pinctrl-ns2-mux.c +@@ -640,8 +640,8 @@ static int ns2_pinmux_enable(struct pinctrl_dev *pctrl_dev, + const struct ns2_pin_function *func; + const struct ns2_pin_group *grp; + +- if (grp_select > pinctrl->num_groups || +- func_select > pinctrl->num_functions) ++ if (grp_select >= pinctrl->num_groups || ++ func_select >= pinctrl->num_functions) + return -EINVAL; + + func = &pinctrl->functions[func_select]; +-- +2.20.1 + diff --git a/queue-4.14/regulator-pfuze100-regulator-variable-val-in-pfuze10.patch b/queue-4.14/regulator-pfuze100-regulator-variable-val-in-pfuze10.patch new file mode 100644 index 00000000000..85f79d4df86 --- /dev/null +++ b/queue-4.14/regulator-pfuze100-regulator-variable-val-in-pfuze10.patch @@ -0,0 +1,45 @@ +From c1533373b84f80b632ea73ab13dacaac004ac486 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Sep 2019 10:09:57 -0700 +Subject: regulator: pfuze100-regulator: Variable "val" in + pfuze100_regulator_probe() could be uninitialized + +From: Yizhuo + +[ Upstream commit 1252b283141f03c3dffd139292c862cae10e174d ] + +In function pfuze100_regulator_probe(), variable "val" could be +initialized if regmap_read() fails. However, "val" is used to +decide the control flow later in the if statement, which is +potentially unsafe. + +Signed-off-by: Yizhuo +Link: https://lore.kernel.org/r/20190929170957.14775-1-yzhai003@ucr.edu +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/pfuze100-regulator.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/regulator/pfuze100-regulator.c b/drivers/regulator/pfuze100-regulator.c +index 659e516455bee..4f205366d8aea 100644 +--- a/drivers/regulator/pfuze100-regulator.c ++++ b/drivers/regulator/pfuze100-regulator.c +@@ -632,7 +632,13 @@ static int pfuze100_regulator_probe(struct i2c_client *client, + + /* SW2~SW4 high bit check and modify the voltage value table */ + if (i >= sw_check_start && i <= sw_check_end) { +- regmap_read(pfuze_chip->regmap, desc->vsel_reg, &val); ++ ret = regmap_read(pfuze_chip->regmap, ++ desc->vsel_reg, &val); ++ if (ret) { ++ dev_err(&client->dev, "Fails to read from the register.\n"); ++ return ret; ++ } ++ + if (val & sw_hi) { + if (pfuze_chip->chip_id == PFUZE3000) { + desc->volt_table = pfuze3000_sw2hi; +-- +2.20.1 + diff --git a/queue-4.14/regulator-ti-abb-fix-timeout-in-ti_abb_wait_txdone-t.patch b/queue-4.14/regulator-ti-abb-fix-timeout-in-ti_abb_wait_txdone-t.patch new file mode 100644 index 00000000000..5c6547897af --- /dev/null +++ b/queue-4.14/regulator-ti-abb-fix-timeout-in-ti_abb_wait_txdone-t.patch @@ -0,0 +1,80 @@ +From 2edc58ff7f6f59b67264ab1b60afedaeeec8cac9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Sep 2019 17:58:48 +0800 +Subject: regulator: ti-abb: Fix timeout in + ti_abb_wait_txdone/ti_abb_clear_all_txdone + +From: Axel Lin + +[ Upstream commit f64db548799e0330897c3203680c2ee795ade518 ] + +ti_abb_wait_txdone() may return -ETIMEDOUT when ti_abb_check_txdone() +returns true in the latest iteration of the while loop because the timeout +value is abb->settling_time + 1. Similarly, ti_abb_clear_all_txdone() may +return -ETIMEDOUT when ti_abb_check_txdone() returns false in the latest +iteration of the while loop. Fix it. + +Signed-off-by: Axel Lin +Acked-by: Nishanth Menon +Link: https://lore.kernel.org/r/20190929095848.21960-1-axel.lin@ingics.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/ti-abb-regulator.c | 26 ++++++++------------------ + 1 file changed, 8 insertions(+), 18 deletions(-) + +diff --git a/drivers/regulator/ti-abb-regulator.c b/drivers/regulator/ti-abb-regulator.c +index d2f9942987535..6d17357b3a248 100644 +--- a/drivers/regulator/ti-abb-regulator.c ++++ b/drivers/regulator/ti-abb-regulator.c +@@ -173,19 +173,14 @@ static int ti_abb_wait_txdone(struct device *dev, struct ti_abb *abb) + while (timeout++ <= abb->settling_time) { + status = ti_abb_check_txdone(abb); + if (status) +- break; ++ return 0; + + udelay(1); + } + +- if (timeout > abb->settling_time) { +- dev_warn_ratelimited(dev, +- "%s:TRANXDONE timeout(%duS) int=0x%08x\n", +- __func__, timeout, readl(abb->int_base)); +- return -ETIMEDOUT; +- } +- +- return 0; ++ dev_warn_ratelimited(dev, "%s:TRANXDONE timeout(%duS) int=0x%08x\n", ++ __func__, timeout, readl(abb->int_base)); ++ return -ETIMEDOUT; + } + + /** +@@ -205,19 +200,14 @@ static int ti_abb_clear_all_txdone(struct device *dev, const struct ti_abb *abb) + + status = ti_abb_check_txdone(abb); + if (!status) +- break; ++ return 0; + + udelay(1); + } + +- if (timeout > abb->settling_time) { +- dev_warn_ratelimited(dev, +- "%s:TRANXDONE timeout(%duS) int=0x%08x\n", +- __func__, timeout, readl(abb->int_base)); +- return -ETIMEDOUT; +- } +- +- return 0; ++ dev_warn_ratelimited(dev, "%s:TRANXDONE timeout(%duS) int=0x%08x\n", ++ __func__, timeout, readl(abb->int_base)); ++ return -ETIMEDOUT; + } + + /** +-- +2.20.1 + diff --git a/queue-4.14/scsi-fix-kconfig-dependency-warning-related-to-53c70.patch b/queue-4.14/scsi-fix-kconfig-dependency-warning-related-to-53c70.patch new file mode 100644 index 00000000000..02da2dc61a0 --- /dev/null +++ b/queue-4.14/scsi-fix-kconfig-dependency-warning-related-to-53c70.patch @@ -0,0 +1,42 @@ +From 72f979bd97c6fa185ec537620219fdabe974077d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2019 17:11:28 +0200 +Subject: scsi: fix kconfig dependency warning related to 53C700_LE_ON_BE + +From: Thomas Bogendoerfer + +[ Upstream commit 8cbf0c173aa096dda526d1ccd66fc751c31da346 ] + +When building a kernel with SCSI_SNI_53C710 enabled, Kconfig warns: + +WARNING: unmet direct dependencies detected for 53C700_LE_ON_BE + Depends on [n]: SCSI_LOWLEVEL [=y] && SCSI [=y] && SCSI_LASI700 [=n] + Selected by [y]: + - SCSI_SNI_53C710 [=y] && SCSI_LOWLEVEL [=y] && SNI_RM [=y] && SCSI [=y] + +Add the missing depends SCSI_SNI_53C710 to 53C700_LE_ON_BE to fix it. + +Link: https://lore.kernel.org/r/20191009151128.32411-1-tbogendoerfer@suse.de +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/Kconfig b/drivers/scsi/Kconfig +index 41366339b9501..881906dc33b83 100644 +--- a/drivers/scsi/Kconfig ++++ b/drivers/scsi/Kconfig +@@ -966,7 +966,7 @@ config SCSI_SNI_53C710 + + config 53C700_LE_ON_BE + bool +- depends on SCSI_LASI700 ++ depends on SCSI_LASI700 || SCSI_SNI_53C710 + default y + + config SCSI_STEX +-- +2.20.1 + diff --git a/queue-4.14/scsi-scsi_dh_alua-handle-rtpg-sense-code-correctly-d.patch b/queue-4.14/scsi-scsi_dh_alua-handle-rtpg-sense-code-correctly-d.patch new file mode 100644 index 00000000000..eeb87642c0c --- /dev/null +++ b/queue-4.14/scsi-scsi_dh_alua-handle-rtpg-sense-code-correctly-d.patch @@ -0,0 +1,79 @@ +From 31d06b500a319681f61b14504721044194453a27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2019 15:57:01 +0200 +Subject: scsi: scsi_dh_alua: handle RTPG sense code correctly during state + transitions + +From: Hannes Reinecke + +[ Upstream commit b6ce6fb121a655aefe41dccc077141c102145a37 ] + +Some arrays are not capable of returning RTPG data during state +transitioning, but rather return an 'LUN not accessible, asymmetric access +state transition' sense code. In these cases we can set the state to +'transitioning' directly and don't need to evaluate the RTPG data (which we +won't have anyway). + +Link: https://lore.kernel.org/r/20191007135701.32389-1-hare@suse.de +Reviewed-by: Laurence Oberman +Reviewed-by: Ewan D. Milne +Reviewed-by: Bart Van Assche +Signed-off-by: Hannes Reinecke +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/device_handler/scsi_dh_alua.c | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +diff --git a/drivers/scsi/device_handler/scsi_dh_alua.c b/drivers/scsi/device_handler/scsi_dh_alua.c +index 41f5f64101630..135376ee2cbf0 100644 +--- a/drivers/scsi/device_handler/scsi_dh_alua.c ++++ b/drivers/scsi/device_handler/scsi_dh_alua.c +@@ -523,6 +523,7 @@ static int alua_rtpg(struct scsi_device *sdev, struct alua_port_group *pg) + unsigned int tpg_desc_tbl_off; + unsigned char orig_transition_tmo; + unsigned long flags; ++ bool transitioning_sense = false; + + if (!pg->expiry) { + unsigned long transition_tmo = ALUA_FAILOVER_TIMEOUT * HZ; +@@ -567,13 +568,19 @@ static int alua_rtpg(struct scsi_device *sdev, struct alua_port_group *pg) + goto retry; + } + /* +- * Retry on ALUA state transition or if any +- * UNIT ATTENTION occurred. ++ * If the array returns with 'ALUA state transition' ++ * sense code here it cannot return RTPG data during ++ * transition. So set the state to 'transitioning' directly. + */ + if (sense_hdr.sense_key == NOT_READY && +- sense_hdr.asc == 0x04 && sense_hdr.ascq == 0x0a) +- err = SCSI_DH_RETRY; +- else if (sense_hdr.sense_key == UNIT_ATTENTION) ++ sense_hdr.asc == 0x04 && sense_hdr.ascq == 0x0a) { ++ transitioning_sense = true; ++ goto skip_rtpg; ++ } ++ /* ++ * Retry on any other UNIT ATTENTION occurred. ++ */ ++ if (sense_hdr.sense_key == UNIT_ATTENTION) + err = SCSI_DH_RETRY; + if (err == SCSI_DH_RETRY && + pg->expiry != 0 && time_before(jiffies, pg->expiry)) { +@@ -661,7 +668,11 @@ static int alua_rtpg(struct scsi_device *sdev, struct alua_port_group *pg) + off = 8 + (desc[7] * 4); + } + ++ skip_rtpg: + spin_lock_irqsave(&pg->lock, flags); ++ if (transitioning_sense) ++ pg->state = SCSI_ACCESS_STATE_TRANSITIONING; ++ + sdev_printk(KERN_INFO, sdev, + "%s: port group %02x state %c %s supports %c%c%c%c%c%c%c\n", + ALUA_DH_NAME, pg->group_id, print_alua_state(pg->state), +-- +2.20.1 + diff --git a/queue-4.14/scsi-sni_53c710-fix-compilation-error.patch b/queue-4.14/scsi-sni_53c710-fix-compilation-error.patch new file mode 100644 index 00000000000..75e8a9ed107 --- /dev/null +++ b/queue-4.14/scsi-sni_53c710-fix-compilation-error.patch @@ -0,0 +1,40 @@ +From 6f0212f7d743f520ef3cebfa2369aea900ef9a39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2019 17:11:18 +0200 +Subject: scsi: sni_53c710: fix compilation error + +From: Thomas Bogendoerfer + +[ Upstream commit 0ee6211408a8e939428f662833c7301394125b80 ] + +Drop out memory dev_printk() with wrong device pointer argument. + +[mkp: typo] + +Link: https://lore.kernel.org/r/20191009151118.32350-1-tbogendoerfer@suse.de +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/sni_53c710.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/scsi/sni_53c710.c b/drivers/scsi/sni_53c710.c +index 1f9a087daf69f..3102a75984d3b 100644 +--- a/drivers/scsi/sni_53c710.c ++++ b/drivers/scsi/sni_53c710.c +@@ -78,10 +78,8 @@ static int snirm710_probe(struct platform_device *dev) + + base = res->start; + hostdata = kzalloc(sizeof(*hostdata), GFP_KERNEL); +- if (!hostdata) { +- dev_printk(KERN_ERR, dev, "Failed to allocate host data\n"); ++ if (!hostdata) + return -ENOMEM; +- } + + hostdata->dev = &dev->dev; + dma_set_mask(&dev->dev, DMA_BIT_MASK(32)); +-- +2.20.1 + diff --git a/queue-4.14/scsi-target-core-do-not-overwrite-cdb-byte-1.patch b/queue-4.14/scsi-target-core-do-not-overwrite-cdb-byte-1.patch new file mode 100644 index 00000000000..479422f9c2f --- /dev/null +++ b/queue-4.14/scsi-target-core-do-not-overwrite-cdb-byte-1.patch @@ -0,0 +1,61 @@ +From f4cca95388fd9c943952eba4ba7a38318800a9b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2019 20:29:04 +0200 +Subject: scsi: target: core: Do not overwrite CDB byte 1 + +From: Bodo Stroesser + +[ Upstream commit 27e84243cb63601a10e366afe3e2d05bb03c1cb5 ] + +passthrough_parse_cdb() - used by TCMU and PSCSI - attepts to reset the LUN +field of SCSI-2 CDBs (bits 5,6,7 of byte 1). The current code is wrong as +for newer commands not having the LUN field it overwrites relevant command +bits (e.g. for SECURITY PROTOCOL IN / OUT). We think this code was +unnecessary from the beginning or at least it is no longer useful. So we +remove it entirely. + +Link: https://lore.kernel.org/r/12498eab-76fd-eaad-1316-c2827badb76a@ts.fujitsu.com +Signed-off-by: Bodo Stroesser +Reviewed-by: Bart Van Assche +Reviewed-by: Hannes Reinecke +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_device.c | 21 --------------------- + 1 file changed, 21 deletions(-) + +diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c +index 84742125f7730..92b52d2314b53 100644 +--- a/drivers/target/target_core_device.c ++++ b/drivers/target/target_core_device.c +@@ -1151,27 +1151,6 @@ passthrough_parse_cdb(struct se_cmd *cmd, + struct se_device *dev = cmd->se_dev; + unsigned int size; + +- /* +- * Clear a lun set in the cdb if the initiator talking to use spoke +- * and old standards version, as we can't assume the underlying device +- * won't choke up on it. +- */ +- switch (cdb[0]) { +- case READ_10: /* SBC - RDProtect */ +- case READ_12: /* SBC - RDProtect */ +- case READ_16: /* SBC - RDProtect */ +- case SEND_DIAGNOSTIC: /* SPC - SELF-TEST Code */ +- case VERIFY: /* SBC - VRProtect */ +- case VERIFY_16: /* SBC - VRProtect */ +- case WRITE_VERIFY: /* SBC - VRProtect */ +- case WRITE_VERIFY_12: /* SBC - VRProtect */ +- case MAINTENANCE_IN: /* SPC - Parameter Data Format for SA RTPG */ +- break; +- default: +- cdb[1] &= 0x1f; /* clear logical unit number */ +- break; +- } +- + /* + * For REPORT LUNS we always need to emulate the response, for everything + * else, pass it up. +-- +2.20.1 + diff --git a/queue-4.14/series b/queue-4.14/series new file mode 100644 index 00000000000..68d215df81e --- /dev/null +++ b/queue-4.14/series @@ -0,0 +1,22 @@ +arm64-dts-fix-gpio-to-pinmux-mapping.patch +regulator-ti-abb-fix-timeout-in-ti_abb_wait_txdone-t.patch +regulator-pfuze100-regulator-variable-val-in-pfuze10.patch +asoc-wm_adsp-don-t-generate-kcontrols-without-read-f.patch +asoc-rockchip-i2s-fix-rpm-imbalance.patch +arm-dts-logicpd-torpedo-som-remove-twl_keypad.patch +pinctrl-ns2-fix-off-by-one-bugs-in-ns2_pinmux_enable.patch +arm-mm-fix-alignment-handler-faults-under-memory-pre.patch +scsi-scsi_dh_alua-handle-rtpg-sense-code-correctly-d.patch +scsi-sni_53c710-fix-compilation-error.patch +scsi-fix-kconfig-dependency-warning-related-to-53c70.patch +arm-dts-imx7s-correct-gpt-s-ipg-clock-source.patch +perf-c2c-fix-memory-leak-in-build_cl_output.patch +perf-kmem-fix-memory-leak-in-compact_gfp_flags.patch +arm-davinci-dm365-fix-mcbsp-dma_slave_map-entry.patch +scsi-target-core-do-not-overwrite-cdb-byte-1.patch +arm-8926-1-v7m-remove-register-save-to-stack-before-.patch +of-unittest-fix-memory-leak-in-unittest_data_add.patch +mips-bmips-mark-exception-vectors-as-char-arrays.patch +i2c-stm32f7-remove-warning-when-compiling-with-w-1.patch +cifs-fix-cifsinodeinfo-lock_sem-deadlock-when-reconn.patch +nbd-handle-racing-with-error-ed-out-commands.patch