From: Sasha Levin
Date: Mon, 15 Nov 2021 02:43:15 +0000 (-0500)
Subject: Fixes for 4.19
X-Git-Tag: v5.4.160~77
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0c5856d4e86c37e35c070714284dd2b03664cd33;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for 4.19
Signed-off-by: Sasha Levin
---
diff --git a/queue-4.19/acpi-battery-accept-charges-over-the-design-capacity.patch b/queue-4.19/acpi-battery-accept-charges-over-the-design-capacity.patch
new file mode 100644
index 00000000000..a7dd2460d64
--- /dev/null
+++ b/queue-4.19/acpi-battery-accept-charges-over-the-design-capacity.patch
@@ -0,0 +1,44 @@ +From 31c394e3c92fbc6d8e44bcb1be9be8129acd85b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Oct 2021 00:05:29 -0300 +Subject: ACPI: battery: Accept charges over the design capacity as full +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: André Almeida + +[ Upstream commit 2835f327bd1240508db2c89fe94a056faa53c49a ] + +Some buggy firmware and/or brand new batteries can support a charge that's +slightly over the reported design capacity. In such cases, the kernel will +report to userspace that the charging state of the battery is "Unknown", +when in reality the battery charge is "Full", at least from the design +capacity point of view. Make the fallback condition accepts capacities +over the designed capacity so userspace knows that is full. + +Signed-off-by: André Almeida +Reviewed-by: Hans de Goede +Reviewed-by: Sebastian Reichel +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/battery.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c +index 674a0e92b798f..0bbf8b453ebf2 100644 +--- a/drivers/acpi/battery.c ++++ b/drivers/acpi/battery.c +@@ -198,7 +198,7 @@ static int acpi_battery_is_charged(struct acpi_battery *battery) + return 1; + + /* fallback to using design values for broken batteries */ +- if (battery->design_capacity == battery->capacity_now) ++ if (battery->design_capacity <= battery->capacity_now) + return 1; + + /* we don't do any sort of metric based on percentages */ +-- +2.33.0 + diff --git a/queue-4.19/acpi-pmic-fix-intel_pmic_regs_handler-read-accesses.patch b/queue-4.19/acpi-pmic-fix-intel_pmic_regs_handler-read-accesses.patch new file mode 100644 index 00000000000..78c86199d34 --- /dev/null +++ b/queue-4.19/acpi-pmic-fix-intel_pmic_regs_handler-read-accesses.patch 
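Review bot: In the drivers/acpi/battery.c hunk, the relaxed fallback `battery->design_capacity <= battery->capacity_now` is also true when firmware reports a design capacity of 0 or some other implausibly small value, so an idle battery on such firmware would be reported as "Full" at any non-zero charge. The earlier checks in acpi_battery_is_charged() sit outside the hunk, so whether a zero design_capacity is filtered out before this point cannot be confirmed from here. If it is not, guarding the comparison keeps the old "Unknown" result for that case: `if (battery->design_capacity && battery->design_capacity <= battery->capacity_now)`.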
@@ -0,0 +1,141 @@ +From f8244c45a84993984846bddec3cbf728fcb1d19e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Oct 2021 16:31:35 +0100 +Subject: ACPI: PMIC: Fix intel_pmic_regs_handler() read accesses + +From: Hans de Goede + +[ Upstream commit 009a789443fe4c8e6b1ecb7c16b4865c026184cd ] + +The handling of PMIC register reads through writing 0 to address 4 +of the OpRegion is wrong. Instead of returning the read value +through the value64, which is a no-op for function == ACPI_WRITE calls, +store the value and then on a subsequent function == ACPI_READ with +address == 3 (the address for the value field of the OpRegion) +return the stored value. + +This has been tested on a Xiaomi Mi Pad 2 and makes the ACPI battery dev +there mostly functional (unfortunately there are still other issues). + +Here are the SET() / GET() functions of the PMIC ACPI device, +which use this OpRegion, which clearly show the new behavior to +be correct: + +OperationRegion (REGS, 0x8F, Zero, 0x50) +Field (REGS, ByteAcc, NoLock, Preserve) +{ + CLNT, 8, + SA, 8, + OFF, 8, + VAL, 8, + RWM, 8 +} + +Method (GET, 3, Serialized) +{ + If ((AVBE == One)) + { + CLNT = Arg0 + SA = Arg1 + OFF = Arg2 + RWM = Zero + If ((AVBG == One)) + { + GPRW = Zero + } + } + + Return (VAL) /* \_SB_.PCI0.I2C7.PMI5.VAL_ */ +} + +Method (SET, 4, Serialized) +{ + If ((AVBE == One)) + { + CLNT = Arg0 + SA = Arg1 + OFF = Arg2 + VAL = Arg3 + RWM = One + If ((AVBG == One)) + { + GPRW = One + } + } +} + +Fixes: 0afa877a5650 ("ACPI / PMIC: intel: add REGS operation region support") +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. 
Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/pmic/intel_pmic.c | 51 +++++++++++++++++++--------------- + 1 file changed, 28 insertions(+), 23 deletions(-) + +diff --git a/drivers/acpi/pmic/intel_pmic.c b/drivers/acpi/pmic/intel_pmic.c +index ca18e0d23df97..db63d3463617a 100644 +--- a/drivers/acpi/pmic/intel_pmic.c ++++ b/drivers/acpi/pmic/intel_pmic.c +@@ -216,31 +216,36 @@ static acpi_status intel_pmic_regs_handler(u32 function, + void *handler_context, void *region_context) + { + struct intel_pmic_opregion *opregion = region_context; +- int result = 0; ++ int result = -EINVAL; ++ ++ if (function == ACPI_WRITE) { ++ switch (address) { ++ case 0: ++ return AE_OK; ++ case 1: ++ opregion->ctx.addr |= (*value64 & 0xff) << 8; ++ return AE_OK; ++ case 2: ++ opregion->ctx.addr |= *value64 & 0xff; ++ return AE_OK; ++ case 3: ++ opregion->ctx.val = *value64 & 0xff; ++ return AE_OK; ++ case 4: ++ if (*value64) { ++ result = regmap_write(opregion->regmap, opregion->ctx.addr, ++ opregion->ctx.val); ++ } else { ++ result = regmap_read(opregion->regmap, opregion->ctx.addr, ++ &opregion->ctx.val); ++ } ++ opregion->ctx.addr = 0; ++ } ++ } + +- switch (address) { +- case 0: +- return AE_OK; +- case 1: +- opregion->ctx.addr |= (*value64 & 0xff) << 8; ++ if (function == ACPI_READ && address == 3) { ++ *value64 = opregion->ctx.val; + return AE_OK; +- case 2: +- opregion->ctx.addr |= *value64 & 0xff; +- return AE_OK; +- case 3: +- opregion->ctx.val = *value64 & 0xff; +- return AE_OK; +- case 4: +- if (*value64) { +- result = regmap_write(opregion->regmap, opregion->ctx.addr, +- opregion->ctx.val); +- } else { +- result = regmap_read(opregion->regmap, opregion->ctx.addr, +- &opregion->ctx.val); +- if (result == 0) +- *value64 = opregion->ctx.val; +- } +- memset(&opregion->ctx, 0x00, sizeof(opregion->ctx)); + } + + if (result < 0) { +-- +2.33.0 + 
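Review bot: In intel_pmic_regs_handler(), a failed `regmap_read()` in `case 4` now leaves `opregion->ctx.val` holding whatever an earlier write to address 3 stored, because the old `memset()` of the whole context was replaced by `opregion->ctx.addr = 0;`. A later ACPI_READ of address 3 would then return that stale byte as if it had come from the PMIC register. Clearing the value on the failure path, for example `if (result < 0) opregion->ctx.val = 0;` right after the read, avoids handing back data that was never read; the error handling that starts at `if (result < 0) {` continues outside the hunk, so confirm it does not already do this. The inner `switch` also has no `default:` and `case 4` ends without `break`, which works only because it is the last label; adding both would make the intent explicit.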
diff --git a/queue-4.19/acpica-avoid-evaluating-methods-too-early-during-sys.patch b/queue-4.19/acpica-avoid-evaluating-methods-too-early-during-sys.patch
new file mode 100644
index 00000000000..f0f0e9f82dc
--- /dev/null
+++ b/queue-4.19/acpica-avoid-evaluating-methods-too-early-during-sys.patch
@@ -0,0 +1,130 @@ +From 77f73cf4a0ac09d493c72cdb334bf41a59cd6ed4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Sep 2021 18:31:25 +0200 +Subject: ACPICA: Avoid evaluating methods too early during system resume + +From: Rafael J. Wysocki + +[ Upstream commit d3c4b6f64ad356c0d9ddbcf73fa471e6a841cc5c ] + +ACPICA commit 0762982923f95eb652cf7ded27356b247c9774de + +During wakeup from system-wide sleep states, acpi_get_sleep_type_data() +is called and it tries to get memory from the slab allocator in order +to evaluate a control method, but if KFENCE is enabled in the kernel, +the memory allocation attempt causes an IRQ work to be queued and a +self-IPI to be sent to the CPU running the code which requires the +memory controller to be ready, so if that happens too early in the +wakeup path, it doesn't work. + +Prevent that from taking place by calling acpi_get_sleep_type_data() +for S0 upfront, when preparing to enter a given sleep state, and +saving the data obtained by it for later use during system wakeup. + +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=214271 +Reported-by: Reik Keutterling +Tested-by: Reik Keutterling +Signed-off-by: Rafael J. 
Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/acglobal.h | 2 ++ + drivers/acpi/acpica/hwesleep.c | 8 ++------ + drivers/acpi/acpica/hwsleep.c | 11 ++++------- + drivers/acpi/acpica/hwxfsleep.c | 7 +++++++ + 4 files changed, 15 insertions(+), 13 deletions(-) + +diff --git a/drivers/acpi/acpica/acglobal.h b/drivers/acpi/acpica/acglobal.h +index 1e6204518496c..38712fa4dd9d2 100644 +--- a/drivers/acpi/acpica/acglobal.h ++++ b/drivers/acpi/acpica/acglobal.h +@@ -224,6 +224,8 @@ extern struct acpi_bit_register_info + acpi_gbl_bit_register_info[ACPI_NUM_BITREG]; + ACPI_GLOBAL(u8, acpi_gbl_sleep_type_a); + ACPI_GLOBAL(u8, acpi_gbl_sleep_type_b); ++ACPI_GLOBAL(u8, acpi_gbl_sleep_type_a_s0); ++ACPI_GLOBAL(u8, acpi_gbl_sleep_type_b_s0); + + /***************************************************************************** + * +diff --git a/drivers/acpi/acpica/hwesleep.c b/drivers/acpi/acpica/hwesleep.c +index e0ad3f11142e4..9516966124ae3 100644 +--- a/drivers/acpi/acpica/hwesleep.c ++++ b/drivers/acpi/acpica/hwesleep.c +@@ -147,17 +147,13 @@ acpi_status acpi_hw_extended_sleep(u8 sleep_state) + + acpi_status acpi_hw_extended_wake_prep(u8 sleep_state) + { +- acpi_status status; + u8 sleep_type_value; + + ACPI_FUNCTION_TRACE(hw_extended_wake_prep); + +- status = acpi_get_sleep_type_data(ACPI_STATE_S0, +- &acpi_gbl_sleep_type_a, +- &acpi_gbl_sleep_type_b); +- if (ACPI_SUCCESS(status)) { ++ if (acpi_gbl_sleep_type_a_s0 != ACPI_SLEEP_TYPE_INVALID) { + sleep_type_value = +- ((acpi_gbl_sleep_type_a << ACPI_X_SLEEP_TYPE_POSITION) & ++ ((acpi_gbl_sleep_type_a_s0 << ACPI_X_SLEEP_TYPE_POSITION) & + ACPI_X_SLEEP_TYPE_MASK); + + (void)acpi_write((u64)(sleep_type_value | ACPI_X_SLEEP_ENABLE), +diff --git a/drivers/acpi/acpica/hwsleep.c b/drivers/acpi/acpica/hwsleep.c +index d8b8fc2ff5633..f4282370947c8 100644 +--- a/drivers/acpi/acpica/hwsleep.c ++++ b/drivers/acpi/acpica/hwsleep.c +@@ -179,7 +179,7 @@ acpi_status acpi_hw_legacy_sleep(u8 sleep_state) + + acpi_status 
acpi_hw_legacy_wake_prep(u8 sleep_state) + { +- acpi_status status; ++ acpi_status status = AE_OK; + struct acpi_bit_register_info *sleep_type_reg_info; + struct acpi_bit_register_info *sleep_enable_reg_info; + u32 pm1a_control; +@@ -192,10 +192,7 @@ acpi_status acpi_hw_legacy_wake_prep(u8 sleep_state) + * This is unclear from the ACPI Spec, but it is required + * by some machines. + */ +- status = acpi_get_sleep_type_data(ACPI_STATE_S0, +- &acpi_gbl_sleep_type_a, +- &acpi_gbl_sleep_type_b); +- if (ACPI_SUCCESS(status)) { ++ if (acpi_gbl_sleep_type_a_s0 != ACPI_SLEEP_TYPE_INVALID) { + sleep_type_reg_info = + acpi_hw_get_bit_register_info(ACPI_BITREG_SLEEP_TYPE); + sleep_enable_reg_info = +@@ -216,9 +213,9 @@ acpi_status acpi_hw_legacy_wake_prep(u8 sleep_state) + + /* Insert the SLP_TYP bits */ + +- pm1a_control |= (acpi_gbl_sleep_type_a << ++ pm1a_control |= (acpi_gbl_sleep_type_a_s0 << + sleep_type_reg_info->bit_position); +- pm1b_control |= (acpi_gbl_sleep_type_b << ++ pm1b_control |= (acpi_gbl_sleep_type_b_s0 << + sleep_type_reg_info->bit_position); + + /* Write the control registers and ignore any errors */ +diff --git a/drivers/acpi/acpica/hwxfsleep.c b/drivers/acpi/acpica/hwxfsleep.c +index 3f22f7dd4556d..dc1e44ccaae20 100644 +--- a/drivers/acpi/acpica/hwxfsleep.c ++++ b/drivers/acpi/acpica/hwxfsleep.c +@@ -288,6 +288,13 @@ acpi_status acpi_enter_sleep_state_prep(u8 sleep_state) + return_ACPI_STATUS(status); + } + ++ status = acpi_get_sleep_type_data(ACPI_STATE_S0, ++ &acpi_gbl_sleep_type_a_s0, ++ &acpi_gbl_sleep_type_b_s0); ++ if (ACPI_FAILURE(status)) { ++ acpi_gbl_sleep_type_a_s0 = ACPI_SLEEP_TYPE_INVALID; ++ } ++ + /* Execute the _PTS method (Prepare To Sleep) */ + + arg_list.count = 1; +-- +2.33.0 + diff --git a/queue-4.19/alsa-hda-reduce-udelay-at-skl-position-reporting.patch b/queue-4.19/alsa-hda-reduce-udelay-at-skl-position-reporting.patch new file mode 100644 index 00000000000..b7c5aa6de7f --- /dev/null 
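Review bot: The wake-prep guards in hwesleep.c and hwsleep.c treat any value other than `ACPI_SLEEP_TYPE_INVALID` as usable, but `acpi_gbl_sleep_type_a_s0` and `acpi_gbl_sleep_type_b_s0` are declared with `ACPI_GLOBAL` and are given no initial value anywhere in this patch. If they start out as zero, a call to acpi_hw_legacy_wake_prep() or acpi_hw_extended_wake_prep() that was not preceded by acpi_enter_sleep_state_prep() would write sleep type 0 to the control registers instead of skipping the write. Whether such a call order exists is not visible here; if it can, declaring them as `ACPI_INIT_GLOBAL(u8, acpi_gbl_sleep_type_a_s0, ACPI_SLEEP_TYPE_INVALID);` (and the same for `_b_s0`) closes the gap. The failure branch in acpi_enter_sleep_state_prep() also resets only the `_a_s0` value, which is fine as long as every reader tests `_a_s0` first, and a one-line comment there would record that rule.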
+++ b/queue-4.19/alsa-hda-reduce-udelay-at-skl-position-reporting.patch 
@@ -0,0 +1,116 @@ +From 0665a4bbe88d7149f65d85376499a77c2cd82b89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Sep 2021 09:29:33 +0200 +Subject: ALSA: hda: Reduce udelay() at SKL+ position reporting + +From: Takashi Iwai + +[ Upstream commit 46243b85b0ec5d2cee7545e5ce18c015ce91957e ] + +The position reporting on Intel Skylake and later chips via +azx_get_pos_skl() contains a udelay(20) call for the capture streams. +A call for this alone doesn't sound too harmful. However, as the +pointer PCM ops is one of the hottest path in the PCM operations -- +especially for the timer-scheduled operations like PulseAudio -- such +a delay hogs CPU usage significantly in the total performance. + +The code there was taken from the original code in ASoC SST Skylake +driver blindly. The udelay() is a workaround for the case where the +reported position is behind the period boundary at the timing +triggered from interrupts; applications often expect that the full +data is available for the whole period when returned (and also that's +the definition of the ALSA PCM period). + +OTOH, HD-audio (legacy) driver has already some workarounds for the +delayed position reporting due to its relatively large FIFO, such as +the BDL position adjustment and the delayed period-elapsed call in the +work. That said, the udelay() is almost superfluous for HD-audio +driver unlike SST, and we can drop the udelay(). + +Though, the current code doesn't guarantee the full period readiness +as mentioned in the above, but rather it checks the wallclock and +detects the unexpected jump. That's one missing piece, and the drop +of udelay() needs a bit more sanity checks for the delayed handling. + +This patch implements those: the drop of udelay() call in +azx_get_pos_skl() and the more proper check of hwptr in +azx_position_ok(). The latter change is applied only for the case +where the stream is running in the normal mode without +no_period_wakeup flag. 
When no_period_wakeup is set, it essentially +ignores the period handling and rather concentrates only on the +current position; which implies that we don't need to care about the +period boundary at all. + +Fixes: f87e7f25893d ("ALSA: hda - Improved position reporting on SKL+") +Reported-by: Jens Axboe +Reviewed-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20210929072934.6809-2-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/hda_intel.c | 28 +++++++++++++++++++++++----- + 1 file changed, 23 insertions(+), 5 deletions(-) + +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c +index 2cd8bfd5293b9..7d4b6c31dfe70 100644 +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -743,13 +743,17 @@ static int azx_intel_link_power(struct azx *chip, bool enable) + * the update-IRQ timing. The IRQ is issued before actually the + * data is processed. So, we need to process it afterwords in a + * workqueue. ++ * ++ * Returns 1 if OK to proceed, 0 for delay handling, -1 for skipping update + */ + static int azx_position_ok(struct azx *chip, struct azx_dev *azx_dev) + { + struct snd_pcm_substream *substream = azx_dev->core.substream; ++ struct snd_pcm_runtime *runtime = substream->runtime; + int stream = substream->stream; + u32 wallclk; + unsigned int pos; ++ snd_pcm_uframes_t hwptr, target; + + wallclk = azx_readl(chip, WALLCLK) - azx_dev->core.start_wallclk; + if (wallclk < (azx_dev->core.period_wallclk * 2) / 3) +@@ -786,6 +790,24 @@ static int azx_position_ok(struct azx *chip, struct azx_dev *azx_dev) + /* NG - it's below the first next period boundary */ + return chip->bdl_pos_adj ? 
0 : -1; + azx_dev->core.start_wallclk += wallclk; ++ ++ if (azx_dev->core.no_period_wakeup) ++ return 1; /* OK, no need to check period boundary */ ++ ++ if (runtime->hw_ptr_base != runtime->hw_ptr_interrupt) ++ return 1; /* OK, already in hwptr updating process */ ++ ++ /* check whether the period gets really elapsed */ ++ pos = bytes_to_frames(runtime, pos); ++ hwptr = runtime->hw_ptr_base + pos; ++ if (hwptr < runtime->status->hw_ptr) ++ hwptr += runtime->buffer_size; ++ target = runtime->hw_ptr_interrupt + runtime->period_size; ++ if (hwptr < target) { ++ /* too early wakeup, process it later */ ++ return chip->bdl_pos_adj ? 0 : -1; ++ } ++ + return 1; /* OK, it's fine */ + } + +@@ -983,11 +1005,7 @@ static unsigned int azx_get_pos_skl(struct azx *chip, struct azx_dev *azx_dev) + if (azx_dev->core.substream->stream == SNDRV_PCM_STREAM_PLAYBACK) + return azx_skl_get_dpib_pos(chip, azx_dev); + +- /* For capture, we need to read posbuf, but it requires a delay +- * for the possible boundary overlap; the read of DPIB fetches the +- * actual posbuf +- */ +- udelay(20); ++ /* read of DPIB fetches the actual posbuf */ + azx_skl_get_dpib_pos(chip, azx_dev); + return azx_get_pos_posbuf(chip, azx_dev); + } +-- +2.33.0 + diff --git a/queue-4.19/apparmor-fix-error-check.patch b/queue-4.19/apparmor-fix-error-check.patch new file mode 100644 index 00000000000..44eaa87993c --- /dev/null +++ b/queue-4.19/apparmor-fix-error-check.patch 
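Review bot: In the block added to azx_position_ok(), `pos` changes unit in place: it holds a byte offset up to `pos = bytes_to_frames(runtime, pos);` and a frame count afterwards, which makes the following arithmetic easy to misread or to break in a later backport. A separate local, e.g. `snd_pcm_uframes_t frames = bytes_to_frames(runtime, pos);` followed by `hwptr = runtime->hw_ptr_base + frames;`, keeps the two units apart. The test `runtime->hw_ptr_base != runtime->hw_ptr_interrupt` would also benefit from a comment saying why inequality means an update is already in progress, since the hunk does not show where those fields are written. The start of the function lies outside the hunk.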
@@ -0,0 +1,60 @@ +From dd0fee377af5d644763fa3ea3db7434389d6d285 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Oct 2020 07:24:22 -0700 +Subject: apparmor: fix error check + +From: Tom Rix + +[ Upstream commit d108370c644b153382632b3e5511ade575c91c86 ] + +clang static analysis reports this representative problem: + +label.c:1463:16: warning: Assigned value is garbage or undefined + label->hname = name; + ^ ~~~~ + +In aa_update_label_name(), this the problem block of code + + if (aa_label_acntsxprint(&name, ...) == -1) + return res; + +On failure, aa_label_acntsxprint() has a more complicated return +that just -1. So check for a negative return. + +It was also noted that the aa_label_acntsxprint() main comment refers +to a nonexistent parameter, so clean up the comment. + +Fixes: f1bd904175e8 ("apparmor: add the base fns() for domain labels") +Signed-off-by: Tom Rix +Reviewed-by: Nick Desaulniers +Signed-off-by: John Johansen +Signed-off-by: Sasha Levin +--- + security/apparmor/label.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/security/apparmor/label.c b/security/apparmor/label.c +index 6727e6fb69df2..5a80a16a7f751 100644 +--- a/security/apparmor/label.c ++++ b/security/apparmor/label.c +@@ -1463,7 +1463,7 @@ bool aa_update_label_name(struct aa_ns *ns, struct aa_label *label, gfp_t gfp) + if (label->hname || labels_ns(label) != ns) + return res; + +- if (aa_label_acntsxprint(&name, ns, label, FLAGS_NONE, gfp) == -1) ++ if (aa_label_acntsxprint(&name, ns, label, FLAGS_NONE, gfp) < 0) + return res; + + ls = labels_set(label); +@@ -1713,7 +1713,7 @@ int aa_label_asxprint(char **strp, struct aa_ns *ns, struct aa_label *label, + + /** + * aa_label_acntsxprint - allocate a __counted string buffer and print label +- * @strp: buffer to write to. (MAY BE NULL if @size == 0) ++ * @strp: buffer to write to. 
+ * @ns: namespace profile is being viewed from + * @label: label to view (NOT NULL) + * @flags: flags controlling what label info is printed +-- +2.33.0 + diff --git a/queue-4.19/ar7-fix-kernel-builds-for-compiler-test.patch b/queue-4.19/ar7-fix-kernel-builds-for-compiler-test.patch new file mode 100644 index 00000000000..7e7c070bea7 --- /dev/null +++ b/queue-4.19/ar7-fix-kernel-builds-for-compiler-test.patch 
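Review bot: The kernel-doc touched in the second label.c hunk still does not say what state `*strp` is left in when aa_label_acntsxprint() fails, which is the assumption that let aa_update_label_name() go on to assign an undefined `name`. Adding a sentence such as `On a negative return *strp is not valid and must not be used.` to that comment would help the next caller, provided it matches the implementation, which is outside the hunk. It is also worth checking the other callers of aa_label_acntsxprint() and aa_label_asxprint() for the same `== -1` comparison; none of them are visible here.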
@@ -0,0 +1,49 @@ +From c6e1fd7cac9be1694aa63e5aba6e45533bb95b1a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Sep 2021 10:49:04 +0800 +Subject: ar7: fix kernel builds for compiler test +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jackie Liu + +[ Upstream commit 28b7ee33a2122569ac065cad578bf23f50cc65c3 ] + +TI AR7 Watchdog Timer is only build for 32bit. + +Avoid error like: +In file included from drivers/watchdog/ar7_wdt.c:29: +./arch/mips/include/asm/mach-ar7/ar7.h: In function ‘ar7_is_titan’: +./arch/mips/include/asm/mach-ar7/ar7.h:111:24: error: implicit declaration of function ‘KSEG1ADDR’; did you mean ‘CKSEG1ADDR’? [-Werror=implicit-function-declaration] + 111 | return (readl((void *)KSEG1ADDR(AR7_REGS_GPIO + 0x24)) & 0xffff) == + | ^~~~~~~~~ + | CKSEG1ADDR + +Fixes: da2a68b3eb47 ("watchdog: Enable COMPILE_TEST where possible") +Signed-off-by: Jackie Liu +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20210907024904.4127611-1-liu.yun@linux.dev +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/watchdog/Kconfig b/drivers/watchdog/Kconfig +index fa7f4c61524d9..92fdc7dc2ede5 100644 +--- a/drivers/watchdog/Kconfig ++++ b/drivers/watchdog/Kconfig +@@ -1524,7 +1524,7 @@ config SIBYTE_WDOG + + config AR7_WDT + tristate "TI AR7 Watchdog Timer" +- depends on AR7 || (MIPS && COMPILE_TEST) ++ depends on AR7 || (MIPS && 32BIT && COMPILE_TEST) + help + Hardware driver for the TI AR7 Watchdog Timer. + +-- +2.33.0 + diff --git a/queue-4.19/arm-9136-1-armv7-m-uses-be-8-not-be-32.patch b/queue-4.19/arm-9136-1-armv7-m-uses-be-8-not-be-32.patch new file mode 100644 index 00000000000..845a1a1a987 --- /dev/null +++ b/queue-4.19/arm-9136-1-armv7-m-uses-be-8-not-be-32.patch 
@@ -0,0 +1,47 @@ +From 0b7478698d63cb518ffa0fda53378fcd156ca9ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Oct 2021 15:30:06 +0100 +Subject: ARM: 9136/1: ARMv7-M uses BE-8, not BE-32 + +From: Arnd Bergmann + +[ Upstream commit 345dac33f58894a56d17b92a41be10e16585ceff ] + +When configuring the kernel for big-endian, we set either BE-8 or BE-32 +based on the CPU architecture level. Until linux-4.4, we did not have +any ARMv7-M platform allowing big-endian builds, but now i.MX/Vybrid +is in that category, adn we get a build error because of this: + +arch/arm/kernel/module-plts.c: In function 'get_module_plt': +arch/arm/kernel/module-plts.c:60:46: error: implicit declaration of function '__opcode_to_mem_thumb32' [-Werror=implicit-function-declaration] + +This comes down to picking the wrong default, ARMv7-M uses BE8 +like ARMv7-A does. Changing the default gets the kernel to compile +and presumably works. + +https://lore.kernel.org/all/1455804123-2526139-2-git-send-email-arnd@arndb.de/ + +Tested-by: Vladimir Murzin +Signed-off-by: Arnd Bergmann +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/mm/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/mm/Kconfig b/arch/arm/mm/Kconfig +index b169e580bf829..9738c1f9737c9 100644 +--- a/arch/arm/mm/Kconfig ++++ b/arch/arm/mm/Kconfig +@@ -751,7 +751,7 @@ config CPU_BIG_ENDIAN + config CPU_ENDIAN_BE8 + bool + depends on CPU_BIG_ENDIAN +- default CPU_V6 || CPU_V6K || CPU_V7 ++ default CPU_V6 || CPU_V6K || CPU_V7 || CPU_V7M + help + Support for the BE-8 (big-endian) mode on ARMv6 and ARMv7 processors. + +-- +2.33.0 + diff --git a/queue-4.19/arm-clang-do-not-rely-on-lr-register-for-stacktrace.patch b/queue-4.19/arm-clang-do-not-rely-on-lr-register-for-stacktrace.patch new file mode 100644 index 00000000000..eb9c06a09bf --- /dev/null +++ b/queue-4.19/arm-clang-do-not-rely-on-lr-register-for-stacktrace.patch 
@@ -0,0 +1,46 @@ +From db434a8102263851d68236e94dfcb763a38e4081 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Oct 2021 09:55:17 +0900 +Subject: ARM: clang: Do not rely on lr register for stacktrace + +From: Masami Hiramatsu + +[ Upstream commit b3ea5d56f212ad81328c82454829a736197ebccc ] + +Currently the stacktrace on clang compiled arm kernel uses the 'lr' +register to find the first frame address from pt_regs. However, that +is wrong after calling another function, because the 'lr' register +is used by 'bl' instruction and never be recovered. + +As same as gcc arm kernel, directly use the frame pointer (r11) of +the pt_regs to find the first frame address. + +Note that this fixes kretprobe stacktrace issue only with +CONFIG_UNWINDER_FRAME_POINTER=y. For the CONFIG_UNWINDER_ARM, +we need another fix. + +Signed-off-by: Masami Hiramatsu +Reviewed-by: Nick Desaulniers +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + arch/arm/kernel/stacktrace.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/arch/arm/kernel/stacktrace.c b/arch/arm/kernel/stacktrace.c +index d23ab9ec130a3..a452b859f485f 100644 +--- a/arch/arm/kernel/stacktrace.c ++++ b/arch/arm/kernel/stacktrace.c +@@ -53,8 +53,7 @@ int notrace unwind_frame(struct stackframe *frame) + + frame->sp = frame->fp; + frame->fp = *(unsigned long *)(fp); +- frame->pc = frame->lr; +- frame->lr = *(unsigned long *)(fp + 4); ++ frame->pc = *(unsigned long *)(fp + 4); + #else + /* check current frame pointer is within bounds */ + if (fp < low + 12 || fp > high - 4) +-- +2.33.0 + diff --git a/queue-4.19/arm-dts-at91-tse850-the-emac-phy-interface-is-rmii.patch b/queue-4.19/arm-dts-at91-tse850-the-emac-phy-interface-is-rmii.patch new file mode 100644 index 00000000000..17ded8417d3 --- /dev/null +++ b/queue-4.19/arm-dts-at91-tse850-the-emac-phy-interface-is-rmii.patch 
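Review bot: After this change the clang branch of unwind_frame() no longer writes `frame->lr`, so the field keeps whatever the caller stored there when the walk started. Any consumer that reads `frame->lr` after a step (none is visible in this hunk) would see a stale value rather than the unwound frame's link register. Either a short comment above `frame->pc = *(unsigned long *)(fp + 4);` stating that `lr` is deliberately left untouched, or clearing the field, would make that explicit. The bounds check that guards the two `fp` dereferences in this branch is outside the hunk and should be confirmed to cover `fp + 4`.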
@@ -0,0 +1,39 @@ +From 61d9b3a5f2ce5758814e351ffeb95b90577521a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Sep 2021 22:37:38 +0200 +Subject: ARM: dts: at91: tse850: the emac<->phy interface is rmii + +From: Peter Rosin + +[ Upstream commit dcdbc335a91a26e022a803e1a6b837266989c032 ] + +This went unnoticed until commit 7897b071ac3b ("net: macb: convert +to phylink") which tickled the problem. The sama5d3 emac has never +been capable of rgmii, and it all just happened to work before that +commit. + +Fixes: 21dd0ece34c2 ("ARM: dts: at91: add devicetree for the Axentia TSE-850") +Signed-off-by: Peter Rosin +Signed-off-by: Nicolas Ferre +Link: https://lore.kernel.org/r/ea781f5e-422f-6cbf-3cf4-d5a7bac9392d@axentia.se +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/at91-tse850-3.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/at91-tse850-3.dts b/arch/arm/boot/dts/at91-tse850-3.dts +index 2fbec69d9cd68..6b2be520066e2 100644 +--- a/arch/arm/boot/dts/at91-tse850-3.dts ++++ b/arch/arm/boot/dts/at91-tse850-3.dts +@@ -269,7 +269,7 @@ + &macb1 { + status = "okay"; + +- phy-mode = "rgmii"; ++ phy-mode = "rmii"; + + #address-cells = <1>; + #size-cells = <0>; +-- +2.33.0 + diff --git a/queue-4.19/arm-dts-omap3-gta04a4-accelerometer-irq-fix.patch b/queue-4.19/arm-dts-omap3-gta04a4-accelerometer-irq-fix.patch new file mode 100644 index 00000000000..b14ecd9357f --- /dev/null +++ b/queue-4.19/arm-dts-omap3-gta04a4-accelerometer-irq-fix.patch 
@@ -0,0 +1,36 @@ +From 548a805e47e70ebd5704bb81e5461e52e0d3ac95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Oct 2021 09:34:15 +0200 +Subject: arm: dts: omap3-gta04a4: accelerometer irq fix + +From: Andreas Kemnade + +[ Upstream commit 884ea75d79a36faf3731ad9d6b9c29f58697638d ] + +Fix typo in pinctrl. It did only work because the bootloader +seems to have initialized it. + +Fixes: ee327111953b ("ARM: dts: omap3-gta04: Define and use bma180 irq pin") +Signed-off-by: Andreas Kemnade +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/omap3-gta04.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/omap3-gta04.dtsi b/arch/arm/boot/dts/omap3-gta04.dtsi +index 0c39a2340030b..a5aed92ab54b1 100644 +--- a/arch/arm/boot/dts/omap3-gta04.dtsi ++++ b/arch/arm/boot/dts/omap3-gta04.dtsi +@@ -364,7 +364,7 @@ + compatible = "bosch,bma180"; + reg = <0x41>; + pinctrl-names = "default"; +- pintcrl-0 = <&bma180_pins>; ++ pinctrl-0 = <&bma180_pins>; + interrupt-parent = <&gpio4>; + interrupts = <19 IRQ_TYPE_LEVEL_HIGH>; /* GPIO_115 */ + }; +-- +2.33.0 + diff --git a/queue-4.19/arm-s3c-irq-s3c24xx-fix-return-value-check-for-s3c24.patch b/queue-4.19/arm-s3c-irq-s3c24xx-fix-return-value-check-for-s3c24.patch new file mode 100644 index 00000000000..a7232658934 --- /dev/null +++ b/queue-4.19/arm-s3c-irq-s3c24xx-fix-return-value-check-for-s3c24.patch 
@@ -0,0 +1,60 @@ +From 2766f569554fb53f15a89bbbb4e207f03b40a400 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Sep 2021 20:35:57 +0800 +Subject: ARM: s3c: irq-s3c24xx: Fix return value check for s3c24xx_init_intc() + +From: Jackie Liu + +[ Upstream commit 2aa717473ce96c93ae43a5dc8c23cedc8ce7dd9f ] + +The s3c24xx_init_intc() returns an error pointer upon failure, not NULL. +let's add an error pointer check in s3c24xx_handle_irq. + +s3c_intc[0] is not NULL or ERR, we can simplify the code. + +Fixes: 1f629b7a3ced ("ARM: S3C24XX: transform irq handling into a declarative form") +Signed-off-by: Jackie Liu +Link: https://lore.kernel.org/r/20210901123557.1043953-1-liu.yun@linux.dev +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-s3c24xx.c | 22 ++++++++++++++++++---- + 1 file changed, 18 insertions(+), 4 deletions(-) + +diff --git a/drivers/irqchip/irq-s3c24xx.c b/drivers/irqchip/irq-s3c24xx.c +index c19766fe8a1ae..c11fbd8f1225d 100644 +--- a/drivers/irqchip/irq-s3c24xx.c ++++ b/drivers/irqchip/irq-s3c24xx.c +@@ -368,11 +368,25 @@ static inline int s3c24xx_handle_intc(struct s3c_irq_intc *intc, + asmlinkage void __exception_irq_entry s3c24xx_handle_irq(struct pt_regs *regs) + { + do { +- if (likely(s3c_intc[0])) +- if (s3c24xx_handle_intc(s3c_intc[0], regs, 0)) +- continue; ++ /* ++ * For platform based machines, neither ERR nor NULL can happen here. ++ * The s3c24xx_handle_irq() will be set as IRQ handler iff this succeeds: ++ * ++ * s3c_intc[0] = s3c24xx_init_intc() ++ * ++ * If this fails, the next calls to s3c24xx_init_intc() won't be executed. ++ * ++ * For DT machine, s3c_init_intc_of() could set the IRQ handler without ++ * setting s3c_intc[0] only if it was called with num_ctrl=0. There is no ++ * such code path, so again the s3c_intc[0] will have a valid pointer if ++ * set_handle_irq() is called. ++ * ++ * Therefore in s3c24xx_handle_irq(), the s3c_intc[0] is always something. 
++ */ ++ if (s3c24xx_handle_intc(s3c_intc[0], regs, 0)) ++ continue; + +- if (s3c_intc[2]) ++ if (!IS_ERR_OR_NULL(s3c_intc[2])) + if (s3c24xx_handle_intc(s3c_intc[2], regs, 64)) + continue; + +-- +2.33.0 + diff --git a/queue-4.19/arm64-dts-rockchip-fix-gpu-register-width-for-rk3328.patch b/queue-4.19/arm64-dts-rockchip-fix-gpu-register-width-for-rk3328.patch new file mode 100644 index 00000000000..9653a98dddf --- /dev/null +++ b/queue-4.19/arm64-dts-rockchip-fix-gpu-register-width-for-rk3328.patch @@ -0,0 +1,40 @@ +From 751781eff594d3c1f120b26864e28b38b019e71a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Jun 2021 13:59:26 +0200 +Subject: arm64: dts: rockchip: Fix GPU register width for RK3328 + +From: Alex Bee + +[ Upstream commit 932b4610f55b49f3a158b0db451137bab7ed0e1f ] + +As can be seen in RK3328's TRM the register range for the GPU is +0xff300000 to 0xff330000. +It would (and does in vendor kernel) overlap with the registers of +the HEVC encoder (node/driver do not exist yet in upstream kernel). +See already existing h265e_mmu node. + +Fixes: 752fbc0c8da7 ("arm64: dts: rockchip: add rk3328 mali gpu node") +Signed-off-by: Alex Bee +Link: https://lore.kernel.org/r/20210623115926.164861-1-knaerzche@gmail.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/rockchip/rk3328.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/rockchip/rk3328.dtsi b/arch/arm64/boot/dts/rockchip/rk3328.dtsi +index 05fa0dcb4c690..f6931f8d36f6d 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3328.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3328.dtsi +@@ -536,7 +536,7 @@ + + gpu: gpu@ff300000 { + compatible = "rockchip,rk3328-mali", "arm,mali-450"; +- reg = <0x0 0xff300000 0x0 0x40000>; ++ reg = <0x0 0xff300000 0x0 0x30000>; + interrupts = , + , + , +-- +2.33.0 + 
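Review bot: In the drivers/irqchip/irq-s3c24xx.c hunk, s3c24xx_handle_irq() now dereferences `s3c_intc[0]` with no check at all, and its safety rests on the call-order argument in the added comment rather than on anything the code enforces. The commit message states that s3c24xx_init_intc() returns an error pointer on failure, so if a later change installs the handler while slot 0 holds such a pointer, the result is a bad dereference on every interrupt. Asserting the invariant once where the handler is installed (outside this hunk), for example `WARN_ON(IS_ERR_OR_NULL(s3c_intc[0]))` just before `set_handle_irq()`, keeps the hot path free of the test while failing loudly. Without that, the asymmetry with `!IS_ERR_OR_NULL(s3c_intc[2])` a few lines below is easy to misread as an oversight.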
diff --git a/queue-4.19/arm64-pgtable-make-__pte_to_phys-__phys_to_pte_val-i.patch b/queue-4.19/arm64-pgtable-make-__pte_to_phys-__phys_to_pte_val-i.patch
new file mode 100644
index 00000000000..ae181b0d6bc
--- /dev/null
+++ b/queue-4.19/arm64-pgtable-make-__pte_to_phys-__phys_to_pte_val-i.patch
@@ -0,0 +1,67 @@
+From 49731faf53d25f639f831498a316655465943ab7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 5 Nov 2021 08:54:03 +0100
+Subject: arm64: pgtable: make __pte_to_phys/__phys_to_pte_val inline functions
+
+From: Arnd Bergmann
+
+[ Upstream commit c7c386fbc20262c1d911c615c65db6a58667d92c ]
+
+gcc warns about undefined behavior the vmalloc code when building
+with CONFIG_ARM64_PA_BITS_52, when the 'idx++' in the argument to
+__phys_to_pte_val() is evaluated twice:
+
+mm/vmalloc.c: In function 'vmap_pfn_apply':
+mm/vmalloc.c:2800:58: error: operation on 'data->idx' may be undefined [-Werror=sequence-point]
+ 2800 | *pte = pte_mkspecial(pfn_pte(data->pfns[data->idx++], data->prot));
+ | ~~~~~~~~~^~
+arch/arm64/include/asm/pgtable-types.h:25:37: note: in definition of macro '__pte'
+ 25 | #define __pte(x) ((pte_t) { (x) } )
+ | ^
+arch/arm64/include/asm/pgtable.h:80:15: note: in expansion of macro '__phys_to_pte_val'
+ 80 | __pte(__phys_to_pte_val((phys_addr_t)(pfn) << PAGE_SHIFT) | pgprot_val(prot))
+ | ^~~~~~~~~~~~~~~~~
+mm/vmalloc.c:2800:30: note: in expansion of macro 'pfn_pte'
+ 2800 | *pte = pte_mkspecial(pfn_pte(data->pfns[data->idx++], data->prot));
+ | ^~~~~~~
+
+I have no idea why this never showed up earlier, but the safest
+workaround appears to be changing those macros into inline functions
+so the arguments get evaluated only once.
+
+Cc: Matthew Wilcox
+Fixes: 75387b92635e ("arm64: handle 52-bit physical addresses in page table entries")
+Signed-off-by: Arnd Bergmann
+Link: https://lore.kernel.org/r/20211105075414.2553155-1-arnd@kernel.org
+Signed-off-by: Will Deacon
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/include/asm/pgtable.h | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/include/asm/pgtable.h b/arch/arm64/include/asm/pgtable.h
+index f43519b710610..71a73ca1e2b05 100644
+--- a/arch/arm64/include/asm/pgtable.h
++++ b/arch/arm64/include/asm/pgtable.h
+@@ -64,9 +64,15 @@ extern unsigned long empty_zero_page[PAGE_SIZE / sizeof(unsigned long)];
+ * page table entry, taking care of 52-bit addresses.
+ */
+ #ifdef CONFIG_ARM64_PA_BITS_52
+-#define __pte_to_phys(pte) \
+- ((pte_val(pte) & PTE_ADDR_LOW) | ((pte_val(pte) & PTE_ADDR_HIGH) << 36))
+-#define __phys_to_pte_val(phys) (((phys) | ((phys) >> 36)) & PTE_ADDR_MASK)
++static inline phys_addr_t __pte_to_phys(pte_t pte)
++{
++ return (pte_val(pte) & PTE_ADDR_LOW) |
++ ((pte_val(pte) & PTE_ADDR_HIGH) << 36);
++}
++static inline pteval_t __phys_to_pte_val(phys_addr_t phys)
++{
++ return (phys | (phys >> 36)) & PTE_ADDR_MASK;
++}
+ #else
+ #define __pte_to_phys(pte) (pte_val(pte) & PTE_ADDR_MASK)
+ #define __phys_to_pte_val(phys) (phys)
+--
+2.33.0
+
diff --git a/queue-4.19/asoc-cs42l42-correct-some-register-default-values.patch b/queue-4.19/asoc-cs42l42-correct-some-register-default-values.patch
new file mode 100644
index 00000000000..f79e1bc0a19
--- /dev/null
+++ b/queue-4.19/asoc-cs42l42-correct-some-register-default-values.patch
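Review bot: Only the `CONFIG_ARM64_PA_BITS_52` branch becomes type-checked inline functions; the `#else` branch at the end of the hunk keeps `__pte_to_phys(pte)` and `__phys_to_pte_val(phys)` as macros, so an argument of the wrong type can compile in one configuration and fail in the other. Both remaining macros expand their argument once, so the double evaluation does not recur there, but converting them as well, e.g. `static inline pteval_t __phys_to_pte_val(phys_addr_t phys) { return phys; }`, would keep the two configurations equivalent for callers. The `#ifdef` block is closed outside the hunk.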
@@ -0,0 +1,45 @@
+From 76c82e1c873c1ee20f29fac5a9594002616396ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 15 Oct 2021 14:36:06 +0100
+Subject: ASoC: cs42l42: Correct some register default values
+
+From: Richard Fitzgerald
+
+[ Upstream commit d591d4b32aa9552af14a0c7c586a2d3fe9ecc6e0 ]
+
+Some registers had wrong default values in cs42l42_reg_defaults[].
+
+Signed-off-by: Richard Fitzgerald
+Fixes: 2c394ca79604 ("ASoC: Add support for CS42L42 codec")
+Link: https://lore.kernel.org/r/20211015133619.4698-4-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/cs42l42.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/cs42l42.c b/sound/soc/codecs/cs42l42.c
+index 4cb3e11c66af7..f9d6534d4632d 100644
+--- a/sound/soc/codecs/cs42l42.c
++++ b/sound/soc/codecs/cs42l42.c
+@@ -95,7 +95,7 @@ static const struct reg_default cs42l42_reg_defaults[] = {
+ { CS42L42_ASP_RX_INT_MASK, 0x1F },
+ { CS42L42_ASP_TX_INT_MASK, 0x0F },
+ { CS42L42_CODEC_INT_MASK, 0x03 },
+- { CS42L42_SRCPL_INT_MASK, 0xFF },
++ { CS42L42_SRCPL_INT_MASK, 0x7F },
+ { CS42L42_VPMON_INT_MASK, 0x01 },
+ { CS42L42_PLL_LOCK_INT_MASK, 0x01 },
+ { CS42L42_TSRS_PLUG_INT_MASK, 0x0F },
+@@ -132,7 +132,7 @@ static const struct reg_default cs42l42_reg_defaults[] = {
+ { CS42L42_MIXER_CHA_VOL, 0x3F },
+ { CS42L42_MIXER_ADC_VOL, 0x3F },
+ { CS42L42_MIXER_CHB_VOL, 0x3F },
+- { CS42L42_EQ_COEF_IN0, 0x22 },
++ { CS42L42_EQ_COEF_IN0, 0x00 },
+ { CS42L42_EQ_COEF_IN1, 0x00 },
+ { CS42L42_EQ_COEF_IN2, 0x00 },
+ { CS42L42_EQ_COEF_IN3, 0x00 },
+--
+2.33.0
+
diff --git a/queue-4.19/asoc-cs42l42-defer-probe-if-request_threaded_irq-ret.patch b/queue-4.19/asoc-cs42l42-defer-probe-if-request_threaded_irq-ret.patch
new file mode 100644
index 00000000000..1cfec26139f
--- /dev/null
+++ b/queue-4.19/asoc-cs42l42-defer-probe-if-request_threaded_irq-ret.patch
@@ -0,0 +1,43 @@
+From f20d7edf3860914af9647532700500a90ec0ab30 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 15 Oct 2021 14:36:08 +0100
+Subject: ASoC: cs42l42: Defer probe if request_threaded_irq() returns
+ EPROBE_DEFER
+
+From: Richard Fitzgerald
+
+[ Upstream commit 0306988789d9d91a18ff70bd2bf165d3ae0ef1dd ]
+
+The driver can run without an interrupt so if devm_request_threaded_irq()
+failed, the probe() just carried on. But if this was EPROBE_DEFER the
+driver would continue without an interrupt instead of deferring to wait
+for the interrupt to become available.
+
+Fixes: 2c394ca79604 ("ASoC: Add support for CS42L42 codec")
+Signed-off-by: Richard Fitzgerald
+Link: https://lore.kernel.org/r/20211015133619.4698-6-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/cs42l42.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/cs42l42.c b/sound/soc/codecs/cs42l42.c
+index f9d6534d4632d..9471ba17e371b 100644
+--- a/sound/soc/codecs/cs42l42.c
++++ b/sound/soc/codecs/cs42l42.c
+@@ -1799,8 +1799,9 @@ static int cs42l42_i2c_probe(struct i2c_client *i2c_client,
+ NULL, cs42l42_irq_thread,
+ IRQF_ONESHOT | IRQF_TRIGGER_LOW,
+ "cs42l42", cs42l42);
+-
+- if (ret != 0)
++ if (ret == -EPROBE_DEFER)
++ goto err_disable;
++ else if (ret != 0)
+ dev_err(&i2c_client->dev,
+ "Failed to request IRQ: %d\n", ret);
+
+--
+2.33.0
+
diff --git a/queue-4.19/ath-dfs_pattern_detector-fix-possible-null-pointer-d.patch b/queue-4.19/ath-dfs_pattern_detector-fix-possible-null-pointer-d.patch
new file mode 100644
index 00000000000..033d87f3600
--- /dev/null
+++ b/queue-4.19/ath-dfs_pattern_detector-fix-possible-null-pointer-d.patch
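Review bot: The `else` after `goto err_disable;` is redundant, and the remaining branch still reports every other request failure with `dev_err()` while probe carries on, so nothing in the code says that running without an interrupt is intended. Dropping the `else` and adding a comment such as `/* IRQ is optional: only a deferral aborts probe */` above the `if (ret == -EPROBE_DEFER)` test would make the policy readable at the call site. The `err_disable` label is outside the hunk, so it should be confirmed there that `ret` is returned unchanged for the deferral to reach the driver core.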
@@ -0,0 +1,53 @@
+From f1910a17ba5fed55f0714f87625c3709056931c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 5 Aug 2021 08:38:53 -0700
+Subject: ath: dfs_pattern_detector: Fix possible null-pointer dereference in
+ channel_detector_create()
+
+From: Tuo Li
+
+[ Upstream commit 4b6012a7830b813799a7faf40daa02a837e0fd5b ]
+
+kzalloc() is used to allocate memory for cd->detectors, and if it fails,
+channel_detector_exit() behind the label fail will be called:
+ channel_detector_exit(dpd, cd);
+
+In channel_detector_exit(), cd->detectors is dereferenced through:
+ struct pri_detector *de = cd->detectors[i];
+
+To fix this possible null-pointer dereference, check cd->detectors before
+the for loop to dereference cd->detectors.
+
+Reported-by: TOTE Robot
+Signed-off-by: Tuo Li
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20210805153854.154066-1-islituo@gmail.com
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/dfs_pattern_detector.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/dfs_pattern_detector.c b/drivers/net/wireless/ath/dfs_pattern_detector.c
+index a274eb0d19688..a0ad6e48a35b4 100644
+--- a/drivers/net/wireless/ath/dfs_pattern_detector.c
++++ b/drivers/net/wireless/ath/dfs_pattern_detector.c
+@@ -182,10 +182,12 @@ static void channel_detector_exit(struct dfs_pattern_detector *dpd,
+ if (cd == NULL)
+ return;
+ list_del(&cd->head);
+- for (i = 0; i < dpd->num_radar_types; i++) {
+- struct pri_detector *de = cd->detectors[i];
+- if (de != NULL)
+- de->exit(de);
++ if (cd->detectors) {
++ for (i = 0; i < dpd->num_radar_types; i++) {
++ struct pri_detector *de = cd->detectors[i];
++ if (de != NULL)
++ de->exit(de);
++ }
+ }
+ kfree(cd->detectors);
+ kfree(cd);
+--
+2.33.0
+
diff --git a/queue-4.19/ath10k-fix-max-antenna-gain-unit.patch b/queue-4.19/ath10k-fix-max-antenna-gain-unit.patch
new file mode 100644
index 00000000000..d35b68c7fa0
--- /dev/null
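Review bot: `list_del(&cd->head)` still runs ahead of the new `if (cd->detectors)` guard, on the same allocation-failure path from channel_detector_create() that the commit message describes. That is only safe if `cd->head` has been initialised or linked before the kzalloc() that can fail; the create function is outside the hunk, so this is worth confirming. If it holds, a comment on the guard such as `/* detectors is NULL when its allocation failed in channel_detector_create() */` would record why the check exists.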
+++ b/queue-4.19/ath10k-fix-max-antenna-gain-unit.patch 
@@ -0,0 +1,86 @@
+From 1d674f93e7bb2f6133e8b96febcdd31c0e0a7177 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 11 Jun 2019 19:21:31 +0200
+Subject: ath10k: fix max antenna gain unit
+
+From: Sven Eckelmann
+
+[ Upstream commit 0a491167fe0cf9f26062462de2a8688b96125d48 ]
+
+Most of the txpower for the ath10k firmware is stored as twicepower (0.5 dB
+steps). This isn't the case for max_antenna_gain - which is still expected
+by the firmware as dB.
+
+The firmware is converting it from dB to the internal (twicepower)
+representation when it calculates the limits of a channel. This can be seen
+in tpc_stats when configuring "12" as max_antenna_gain. Instead of the
+expected 12 (6 dB), the tpc_stats shows 24 (12 dB).
+
+Tested on QCA9888 and IPQ4019 with firmware 10.4-3.5.3-00057.
+
+Fixes: 02256930d9b8 ("ath10k: use proper tx power unit")
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20190611172131.6064-1-sven@narfation.org
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 6 +++---
+ drivers/net/wireless/ath/ath10k/wmi.h | 3 +++
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
+index 8102d684be594..6e4096fd66334 100644
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -1003,7 +1003,7 @@ static int ath10k_monitor_vdev_start(struct ath10k *ar, int vdev_id)
+ arg.channel.min_power = 0;
+ arg.channel.max_power = channel->max_power * 2;
+ arg.channel.max_reg_power = channel->max_reg_power * 2;
+- arg.channel.max_antenna_gain = channel->max_antenna_gain * 2;
++ arg.channel.max_antenna_gain = channel->max_antenna_gain;
+
+ reinit_completion(&ar->vdev_setup_done);
+
+@@ -1445,7 +1445,7 @@ static int ath10k_vdev_start_restart(struct ath10k_vif *arvif,
+ arg.channel.min_power = 0;
+ arg.channel.max_power = chandef->chan->max_power * 2;
+ arg.channel.max_reg_power = chandef->chan->max_reg_power * 2;
+- arg.channel.max_antenna_gain = chandef->chan->max_antenna_gain * 2;
++ arg.channel.max_antenna_gain = chandef->chan->max_antenna_gain;
+
+ if (arvif->vdev_type == WMI_VDEV_TYPE_AP) {
+ arg.ssid = arvif->u.ap.ssid;
+@@ -3104,7 +3104,7 @@ static int ath10k_update_channel_list(struct ath10k *ar)
+ ch->min_power = 0;
+ ch->max_power = channel->max_power * 2;
+ ch->max_reg_power = channel->max_reg_power * 2;
+- ch->max_antenna_gain = channel->max_antenna_gain * 2;
++ ch->max_antenna_gain = channel->max_antenna_gain;
+ ch->reg_class_id = 0; /* FIXME */
+
+ /* FIXME: why use only legacy modes, why not any
+diff --git a/drivers/net/wireless/ath/ath10k/wmi.h b/drivers/net/wireless/ath/ath10k/wmi.h
+index 6bd63d1cd0395..1292f3235e32c 100644
+--- a/drivers/net/wireless/ath/ath10k/wmi.h
++++ b/drivers/net/wireless/ath/ath10k/wmi.h
+@@ -1988,7 +1988,9 @@ struct wmi_channel {
+ union {
+ __le32 reginfo1;
+ struct {
++ /* note: power unit is 1 dBm */
+ u8 antenna_max;
++ /* note: power unit is 0.5 dBm */
+ u8 max_tx_power;
+ } __packed;
+ } __packed;
+@@ -2008,6 +2010,7 @@ struct wmi_channel_arg {
+ u32 min_power;
+ u32 max_power;
+ u32 max_reg_power;
++ /* note: power unit is 1 dBm */
+ u32 max_antenna_gain;
+ u32 reg_class_id;
+ enum wmi_phy_mode mode;
+--
+2.33.0
+
diff --git a/queue-4.19/ath9k-fix-potential-interrupt-storm-on-queue-reset.patch b/queue-4.19/ath9k-fix-potential-interrupt-storm-on-queue-reset.patch
new file mode 100644
index 00000000000..f255206c8d0
--- /dev/null
+++ b/queue-4.19/ath9k-fix-potential-interrupt-storm-on-queue-reset.patch
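Review bot: The comments added in `wmi.h` label `antenna_max` and `max_antenna_gain` with `power unit is 1 dBm`, but an antenna gain is a ratio and the commit message itself says the firmware expects it in dB. `/* note: antenna gain unit is 1 dB */` would match the description and avoid suggesting an absolute power level. The three `mac.c` call sites now pass `max_antenna_gain` unscaled right next to `max_power * 2` and `max_reg_power * 2`; a one-line comment there would keep the missing `* 2` from being restored by a later cleanup.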
@@ -0,0 +1,99 @@
+From f3b2b3fc363c235f4030a86a8bdbcdd26f64ace6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 5 Oct 2021 16:55:53 +0300
+Subject: ath9k: Fix potential interrupt storm on queue reset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Lüssing
+
+[ Upstream commit 4925642d541278575ad1948c5924d71ffd57ef14 ]
+
+In tests with two Lima boards from 8devices (QCA4531 based) on OpenWrt
+19.07 we could force a silent restart of a device with no serial
+output when we were sending a high amount of UDP traffic (iperf3 at 80
+MBit/s in both directions from external hosts, saturating the wifi and
+causing a load of about 4.5 to 6) and were then triggering an
+ath9k_queue_reset().
+
+Further debugging showed that the restart was caused by the ath79
+watchdog. With disabled watchdog we could observe that the device was
+constantly going into ath_isr() interrupt handler and was returning
+early after the ATH_OP_HW_RESET flag test, without clearing any
+interrupts. Even though ath9k_queue_reset() calls
+ath9k_hw_kill_interrupts().
+
+With JTAG we could observe the following race condition:
+
+1) ath9k_queue_reset()
+ ...
+ -> ath9k_hw_kill_interrupts()
+ -> set_bit(ATH_OP_HW_RESET, &common->op_flags);
+ ...
+ <- returns
+
+ 2) ath9k_tasklet()
+ ...
+ -> ath9k_hw_resume_interrupts()
+ ...
+ <- returns
+
+ 3) loops around:
+ ...
+ handle_int()
+ -> ath_isr()
+ ...
+ -> if (test_bit(ATH_OP_HW_RESET,
+ &common->op_flags))
+ return IRQ_HANDLED;
+
+ x) ath_reset_internal():
+ => never reached <=
+
+And in ath_isr() we would typically see the following interrupts /
+interrupt causes:
+
+* status: 0x00111030 or 0x00110030
+* async_cause: 2 (AR_INTR_MAC_IPQ)
+* sync_cause: 0
+
+So the ath9k_tasklet() reenables the ath9k interrupts
+through ath9k_hw_resume_interrupts() which ath9k_queue_reset() had just
+disabled. And ath_isr() then keeps firing because it returns IRQ_HANDLED
+without actually clearing the interrupt.
+
+To fix this IRQ storm also clear/disable the interrupts again when we
+are in reset state.
+
+Cc: Sven Eckelmann
+Cc: Simon Wunderlich
+Cc: Linus Lüssing
+Fixes: 872b5d814f99 ("ath9k: do not access hardware on IRQs during reset")
+Signed-off-by: Linus Lüssing
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20210914192515.9273-3-linus.luessing@c0d3.blue
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath9k/main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c
+index a0097bebcba3b..ee1b9c39bad7a 100644
+--- a/drivers/net/wireless/ath/ath9k/main.c
++++ b/drivers/net/wireless/ath/ath9k/main.c
+@@ -530,8 +530,10 @@ irqreturn_t ath_isr(int irq, void *dev)
+ ath9k_debug_sync_cause(sc, sync_cause);
+ status &= ah->imask; /* discard unasked-for bits */
+
+- if (test_bit(ATH_OP_HW_RESET, &common->op_flags))
++ if (test_bit(ATH_OP_HW_RESET, &common->op_flags)) {
++ ath9k_hw_kill_interrupts(sc->sc_ah);
+ return IRQ_HANDLED;
++ }
+
+ /*
+ * If there are no status bits set, then this interrupt was not
+--
+2.33.0
+
diff --git a/queue-4.19/auxdisplay-ht16k33-connect-backlight-to-fbdev.patch b/queue-4.19/auxdisplay-ht16k33-connect-backlight-to-fbdev.patch
new file mode 100644
index 00000000000..675a3dee9fa
--- /dev/null
+++ b/queue-4.19/auxdisplay-ht16k33-connect-backlight-to-fbdev.patch
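Review bot: The new call passes `sc->sc_ah` although the line just above it in the same hunk already works through the local `ah` (`status &= ah->imask;`); assuming `ah` is `sc->sc_ah`, whose declaration is outside the hunk, `ath9k_hw_kill_interrupts(ah);` would be consistent with the rest of the handler. The branch also has no comment explaining why a handler that returns early must mask interrupts, e.g. `/* the tasklet may have re-enabled IRQs after the reset was queued; mask again to avoid a storm */`. ath_isr() starts and ends outside the hunk.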
@@ -0,0 +1,107 @@
+From 9ec6494c78b4f9e1544624c8e536fe8a906ff2b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 19 Oct 2021 16:45:08 +0200
+Subject: auxdisplay: ht16k33: Connect backlight to fbdev
+
+From: Geert Uytterhoeven
+
+[ Upstream commit 80f9eb70fd9276938f0a131f76d438021bfd8b34 ]
+
+Currently /sys/class/graphics/fb0/bl_curve is not accessible (-ENODEV),
+as the driver does not connect the backlight to the frame buffer device.
+Fix this moving backlight initialization up, and filling in
+fb_info.bl_dev.
+
+Fixes: 8992da44c6805d53 ("auxdisplay: ht16k33: Driver for LED controller")
+Signed-off-by: Geert Uytterhoeven
+Reviewed-by: Robin van der Gracht
+Signed-off-by: Miguel Ojeda
+Signed-off-by: Sasha Levin
+---
+ drivers/auxdisplay/ht16k33.c | 56 ++++++++++++++++++------------------
+ 1 file changed, 28 insertions(+), 28 deletions(-)
+
+diff --git a/drivers/auxdisplay/ht16k33.c b/drivers/auxdisplay/ht16k33.c
+index 194370ae37dd0..f6927871fa4e8 100644
+--- a/drivers/auxdisplay/ht16k33.c
++++ b/drivers/auxdisplay/ht16k33.c
+@@ -418,6 +418,33 @@ static int ht16k33_probe(struct i2c_client *client,
+ if (err)
+ return err;
+
++ /* Backlight */
++ memset(&bl_props, 0, sizeof(struct backlight_properties));
++ bl_props.type = BACKLIGHT_RAW;
++ bl_props.max_brightness = MAX_BRIGHTNESS;
++
++ bl = devm_backlight_device_register(&client->dev, DRIVER_NAME"-bl",
++ &client->dev, priv,
++ &ht16k33_bl_ops, &bl_props);
++ if (IS_ERR(bl)) {
++ dev_err(&client->dev, "failed to register backlight\n");
++ return PTR_ERR(bl);
++ }
++
++ err = of_property_read_u32(node, "default-brightness-level",
++ &dft_brightness);
++ if (err) {
++ dft_brightness = MAX_BRIGHTNESS;
++ } else if (dft_brightness > MAX_BRIGHTNESS) {
++ dev_warn(&client->dev,
++ "invalid default brightness level: %u, using %u\n",
++ dft_brightness, MAX_BRIGHTNESS);
++ dft_brightness = MAX_BRIGHTNESS;
++ }
++
++ bl->props.brightness = dft_brightness;
++ ht16k33_bl_update_status(bl);
++
+ /* Framebuffer (2 bytes per column) */
+ BUILD_BUG_ON(PAGE_SIZE < HT16K33_FB_SIZE);
+ fbdev->buffer = (unsigned char *) get_zeroed_page(GFP_KERNEL);
+@@ -450,6 +477,7 @@ static int ht16k33_probe(struct i2c_client *client,
+ fbdev->info->screen_size = HT16K33_FB_SIZE;
+ fbdev->info->fix = ht16k33_fb_fix;
+ fbdev->info->var = ht16k33_fb_var;
++ fbdev->info->bl_dev = bl;
+ fbdev->info->pseudo_palette = NULL;
+ fbdev->info->flags = FBINFO_FLAG_DEFAULT;
+ fbdev->info->par = priv;
+@@ -462,34 +490,6 @@ static int ht16k33_probe(struct i2c_client *client,
+ if (err)
+ goto err_fbdev_unregister;
+
+- /* Backlight */
+- memset(&bl_props, 0, sizeof(struct backlight_properties));
+- bl_props.type = BACKLIGHT_RAW;
+- bl_props.max_brightness = MAX_BRIGHTNESS;
+-
+- bl = devm_backlight_device_register(&client->dev, DRIVER_NAME"-bl",
+- &client->dev, priv,
+- &ht16k33_bl_ops, &bl_props);
+- if (IS_ERR(bl)) {
+- dev_err(&client->dev, "failed to register backlight\n");
+- err = PTR_ERR(bl);
+- goto err_fbdev_unregister;
+- }
+-
+- err = of_property_read_u32(node, "default-brightness-level",
+- &dft_brightness);
+- if (err) {
+- dft_brightness = MAX_BRIGHTNESS;
+- } else if (dft_brightness > MAX_BRIGHTNESS) {
+- dev_warn(&client->dev,
+- "invalid default brightness level: %u, using %u\n",
+- dft_brightness, MAX_BRIGHTNESS);
+- dft_brightness = MAX_BRIGHTNESS;
+- }
+-
+- bl->props.brightness = dft_brightness;
+- ht16k33_bl_update_status(bl);
+-
+ ht16k33_fb_queue(priv);
+ return 0;
+
+--
+2.33.0
+
diff --git a/queue-4.19/auxdisplay-ht16k33-fix-frame-buffer-device-blanking.patch b/queue-4.19/auxdisplay-ht16k33-fix-frame-buffer-device-blanking.patch
new file mode 100644
index 00000000000..f90be3f56ca
--- /dev/null
+++ b/queue-4.19/auxdisplay-ht16k33-fix-frame-buffer-device-blanking.patch
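Review bot: After the move, `err` still holds the result of `of_property_read_u32(node, "default-brightness-level", ...)` when the framebuffer setup begins, and that result is non-zero whenever the property is absent. Before the move this was the last use of `err` ahead of `return 0`, so the leftover value was harmless; now any later `goto` to an error label that does not assign `err` first would return it. The later error paths are only partly visible in this hunk, so they should be checked; reading the property result into a separate local, or adding `err = 0;` after the fallback, removes the dependency.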
@@ -0,0 +1,59 @@
+From 677862e703e34828410a1a9369ce63873ec083f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 19 Oct 2021 16:45:09 +0200
+Subject: auxdisplay: ht16k33: Fix frame buffer device blanking
+
+From: Geert Uytterhoeven
+
+[ Upstream commit 840fe258332544aa7321921e1723d37b772af7a9 ]
+
+As the ht16k33 frame buffer sub-driver does not register an
+fb_ops.fb_blank() handler, blanking does not work:
+
+ $ echo 1 > /sys/class/graphics/fb0/blank
+ sh: write error: Invalid argument
+
+Fix this by providing a handler that always returns zero, to make sure
+blank events will be sent to the actual device handling the backlight.
+
+Reported-by: Robin van der Gracht
+Suggested-by: Robin van der Gracht
+Fixes: 8992da44c6805d53 ("auxdisplay: ht16k33: Driver for LED controller")
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Miguel Ojeda
+Signed-off-by: Sasha Levin
+---
+ drivers/auxdisplay/ht16k33.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/auxdisplay/ht16k33.c b/drivers/auxdisplay/ht16k33.c
+index f6927871fa4e8..03a87dd1f625e 100644
+--- a/drivers/auxdisplay/ht16k33.c
++++ b/drivers/auxdisplay/ht16k33.c
+@@ -219,6 +219,15 @@ static const struct backlight_ops ht16k33_bl_ops = {
+ .check_fb = ht16k33_bl_check_fb,
+ };
+
++/*
++ * Blank events will be passed to the actual device handling the backlight when
++ * we return zero here.
++ */
++static int ht16k33_blank(int blank, struct fb_info *info)
++{
++ return 0;
++}
++
+ static int ht16k33_mmap(struct fb_info *info, struct vm_area_struct *vma)
+ {
+ struct ht16k33_priv *priv = info->par;
+@@ -231,6 +240,7 @@ static struct fb_ops ht16k33_fb_ops = {
+ .owner = THIS_MODULE,
+ .fb_read = fb_sys_read,
+ .fb_write = fb_sys_write,
++ .fb_blank = ht16k33_blank,
+ .fb_fillrect = sys_fillrect,
+ .fb_copyarea = sys_copyarea,
+ .fb_imageblit = sys_imageblit,
+--
+2.33.0
+
diff --git a/queue-4.19/auxdisplay-img-ascii-lcd-fix-lock-up-when-displaying.patch b/queue-4.19/auxdisplay-img-ascii-lcd-fix-lock-up-when-displaying.patch
new file mode 100644
index 00000000000..6fb554a3f20
--- /dev/null
+++ b/queue-4.19/auxdisplay-img-ascii-lcd-fix-lock-up-when-displaying.patch
@@ -0,0 +1,53 @@
+From a1530a451a7c3d504ece046a0f2d565ff0676dc3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 19 Oct 2021 16:45:02 +0200
+Subject: auxdisplay: img-ascii-lcd: Fix lock-up when displaying empty string
+
+From: Geert Uytterhoeven
+
+[ Upstream commit afcb5a811ff3ab3969f09666535eb6018a160358 ]
+
+While writing an empty string to a device attribute is a no-op, and thus
+does not need explicit safeguards, the user can still write a single
+newline to an attribute file:
+
+ echo > .../message
+
+If that happens, img_ascii_lcd_display() trims the newline, yielding an
+empty string, and causing an infinite loop in img_ascii_lcd_scroll().
+
+Fix this by adding a check for empty strings. Clear the display in case
+one is encountered.
+
+Fixes: 0cad855fbd083ee5 ("auxdisplay: img-ascii-lcd: driver for simple ASCII LCD displays")
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Miguel Ojeda
+Signed-off-by: Sasha Levin
+---
+ drivers/auxdisplay/img-ascii-lcd.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/auxdisplay/img-ascii-lcd.c b/drivers/auxdisplay/img-ascii-lcd.c
+index 834509506ef64..c4bc6723acfa5 100644
+--- a/drivers/auxdisplay/img-ascii-lcd.c
++++ b/drivers/auxdisplay/img-ascii-lcd.c
+@@ -284,6 +284,16 @@ static int img_ascii_lcd_display(struct img_ascii_lcd_ctx *ctx,
+ if (msg[count - 1] == '\n')
+ count--;
+
++ if (!count) {
++ /* clear the LCD */
++ devm_kfree(&ctx->pdev->dev, ctx->message);
++ ctx->message = NULL;
++ ctx->message_len = 0;
++ memset(ctx->curr, ' ', ctx->cfg->num_chars);
++ ctx->cfg->update(ctx);
++ return 0;
++ }
++
+ new_msg = devm_kmalloc(&ctx->pdev->dev, count + 1, GFP_KERNEL);
+ if (!new_msg)
+ return -ENOMEM;
+--
+2.33.0
+
diff --git a/queue-4.19/b43-fix-a-lower-bounds-test.patch b/queue-4.19/b43-fix-a-lower-bounds-test.patch
new file mode 100644
index 00000000000..f3b687a4628
--- /dev/null
+++ b/queue-4.19/b43-fix-a-lower-bounds-test.patch
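Review bot: The new `if (!count)` test comes after `msg[count - 1]`, so a call with `count == 0` still reads one byte before the buffer ahead of the check. The commit message argues that an empty sysfs write never reaches this function, but its other callers are outside the hunk; guarding the index, `if (count && msg[count - 1] == '\n')`, makes the function safe whatever the caller passes. img_ascii_lcd_display() begins and ends outside the hunk.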
@@ -0,0 +1,47 @@
+From e633d70d737064618b39501926f6a81a7333f345 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 6 Oct 2021 10:36:22 +0300
+Subject: b43: fix a lower bounds test
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dan Carpenter
+
+[ Upstream commit 9b793db5fca44d01f72d3564a168171acf7c4076 ]
+
+The problem is that "channel" is an unsigned int, when it's less 5 the
+value of "channel - 5" is not a negative number as one would expect but
+is very high positive value instead.
+
+This means that "start" becomes a very high positive value. The result
+of that is that we never enter the "for (i = start; i <= end; i++) {"
+loop. Instead of storing the result from b43legacy_radio_aci_detect()
+it just uses zero.
+
+Fixes: ef1a628d83fc ("b43: Implement dynamic PHY API")
+Signed-off-by: Dan Carpenter
+Acked-by: Michael Büsch
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20211006073621.GE8404@kili
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/broadcom/b43/phy_g.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/broadcom/b43/phy_g.c b/drivers/net/wireless/broadcom/b43/phy_g.c
+index f59c021664626..40e10d0b7cd73 100644
+--- a/drivers/net/wireless/broadcom/b43/phy_g.c
++++ b/drivers/net/wireless/broadcom/b43/phy_g.c
+@@ -2310,7 +2310,7 @@ static u8 b43_gphy_aci_scan(struct b43_wldev *dev)
+ b43_phy_mask(dev, B43_PHY_G_CRS, 0x7FFF);
+ b43_set_all_gains(dev, 3, 8, 1);
+
+- start = (channel - 5 > 0) ? channel - 5 : 1;
++ start = (channel > 5) ? channel - 5 : 1;
+ end = (channel + 5 < 14) ? channel + 5 : 13;
+
+ for (i = start; i <= end; i++) {
+--
+2.33.0
+
diff --git a/queue-4.19/b43legacy-fix-a-lower-bounds-test.patch b/queue-4.19/b43legacy-fix-a-lower-bounds-test.patch
new file mode 100644
index 00000000000..57ba9c5d3f9
--- /dev/null
+++ b/queue-4.19/b43legacy-fix-a-lower-bounds-test.patch
@@ -0,0 +1,47 @@
+From 241e09b24079763a22da08aed90dd7219700d535 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 6 Oct 2021 10:35:42 +0300
+Subject: b43legacy: fix a lower bounds test
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dan Carpenter
+
+[ Upstream commit c1c8380b0320ab757e60ed90efc8b1992a943256 ]
+
+The problem is that "channel" is an unsigned int, when it's less 5 the
+value of "channel - 5" is not a negative number as one would expect but
+is very high positive value instead.
+
+This means that "start" becomes a very high positive value. The result
+of that is that we never enter the "for (i = start; i <= end; i++) {"
+loop. Instead of storing the result from b43legacy_radio_aci_detect()
+it just uses zero.
+
+Fixes: 75388acd0cd8 ("[B43LEGACY]: add mac80211-based driver for legacy BCM43xx devices")
+Signed-off-by: Dan Carpenter
+Acked-by: Michael Büsch
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20211006073542.GD8404@kili
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/broadcom/b43legacy/radio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/broadcom/b43legacy/radio.c b/drivers/net/wireless/broadcom/b43legacy/radio.c
+index eab1c93878468..8f845db23766b 100644
+--- a/drivers/net/wireless/broadcom/b43legacy/radio.c
++++ b/drivers/net/wireless/broadcom/b43legacy/radio.c
+@@ -299,7 +299,7 @@ u8 b43legacy_radio_aci_scan(struct b43legacy_wldev *dev)
+ & 0x7FFF);
+ b43legacy_set_all_gains(dev, 3, 8, 1);
+
+- start = (channel - 5 > 0) ? channel - 5 : 1;
++ start = (channel > 5) ? channel - 5 : 1;
+ end = (channel + 5 < 14) ? channel + 5 : 13;
+
+ for (i = start; i <= end; i++) {
+--
+2.33.0
+
diff --git a/queue-4.19/bluetooth-fix-init-and-cleanup-of-sco_conn.timeout_w.patch b/queue-4.19/bluetooth-fix-init-and-cleanup-of-sco_conn.timeout_w.patch
new file mode 100644
index 00000000000..7de7119533b
--- /dev/null
+++ b/queue-4.19/bluetooth-fix-init-and-cleanup-of-sco_conn.timeout_w.patch 
@@ -0,0 +1,66 @@
+From d74912ad1ea6603c4d6e896cdb77a186744af83d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 2 Sep 2021 23:13:06 -0400
+Subject: Bluetooth: fix init and cleanup of sco_conn.timeout_work
+
+From: Desmond Cheong Zhi Xi
+
+[ Upstream commit 49d8a5606428ca0962d09050a5af81461ff90fbb ]
+
+Before freeing struct sco_conn, all delayed timeout work should be
+cancelled. Otherwise, sco_sock_timeout could potentially use the
+sco_conn after it has been freed.
+
+Additionally, sco_conn.timeout_work should be initialized when the
+connection is allocated, not when the channel is added. This is
+because an sco_conn can create channels with multiple sockets over its
+lifetime, which happens if sockets are released but the connection
+isn't deleted.
+
+Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work")
+Signed-off-by: Desmond Cheong Zhi Xi
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/sco.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
+index d052b454dc4e1..1e0a1c0a56b57 100644
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -133,6 +133,7 @@ static struct sco_conn *sco_conn_add(struct hci_conn *hcon)
+ return NULL;
+
+ spin_lock_init(&conn->lock);
++ INIT_DELAYED_WORK(&conn->timeout_work, sco_sock_timeout);
+
+ hcon->sco_data = conn;
+ conn->hcon = hcon;
+@@ -196,11 +197,11 @@ static void sco_conn_del(struct hci_conn *hcon, int err)
+ sco_chan_del(sk, err);
+ bh_unlock_sock(sk);
+ sock_put(sk);
+-
+- /* Ensure no more work items will run before freeing conn. */
+- cancel_delayed_work_sync(&conn->timeout_work);
+ }
+
++ /* Ensure no more work items will run before freeing conn. */
++ cancel_delayed_work_sync(&conn->timeout_work);
++
+ hcon->sco_data = NULL;
+ kfree(conn);
+ }
+@@ -213,8 +214,6 @@ static void __sco_chan_add(struct sco_conn *conn, struct sock *sk,
+ sco_pi(sk)->conn = conn;
+ conn->sk = sk;
+
+- INIT_DELAYED_WORK(&conn->timeout_work, sco_sock_timeout);
+-
+ if (parent)
+ bt_accept_enqueue(parent, sk, true);
+ }
+--
+2.33.0
+
diff --git a/queue-4.19/bluetooth-fix-use-after-free-error-in-lock_sock_nest.patch b/queue-4.19/bluetooth-fix-use-after-free-error-in-lock_sock_nest.patch
new file mode 100644
index 00000000000..f4f343dbd05
--- /dev/null
+++ b/queue-4.19/bluetooth-fix-use-after-free-error-in-lock_sock_nest.patch
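Review bot: With `cancel_delayed_work_sync()` placed after the `if (sk)` block, the timeout work can still be executing while `sco_chan_del()` runs inside that block, so the fix depends on sco_sock_timeout() re-reading `conn->sk` under `conn->lock` and tolerating NULL; the handler is outside this hunk and should be checked. `cancel_delayed_work_sync()` can sleep, so sco_conn_del() must only be reached from process context, which is also not visible here. A comment at the new initialisation site, `/* timeout_work lives as long as the conn, not the channel; cancelled in sco_conn_del() */`, would document the invariant this commit establishes.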
@@ -0,0 +1,139 @@
+From 7df83e3b83471615559ac53b5dd37d14ed359357 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 31 Aug 2021 17:35:37 -0700
+Subject: Bluetooth: fix use-after-free error in lock_sock_nested()
+
+From: Wang ShaoBo
+
+[ Upstream commit 1bff51ea59a9afb67d2dd78518ab0582a54a472c ]
+
+use-after-free error in lock_sock_nested is reported:
+
+[ 179.140137][ T3731] =====================================================
+[ 179.142675][ T3731] BUG: KMSAN: use-after-free in lock_sock_nested+0x280/0x2c0
+[ 179.145494][ T3731] CPU: 4 PID: 3731 Comm: kworker/4:2 Not tainted 5.12.0-rc6+ #54
+[ 179.148432][ T3731] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
+[ 179.151806][ T3731] Workqueue: events l2cap_chan_timeout
+[ 179.152730][ T3731] Call Trace:
+[ 179.153301][ T3731] dump_stack+0x24c/0x2e0
+[ 179.154063][ T3731] kmsan_report+0xfb/0x1e0
+[ 179.154855][ T3731] __msan_warning+0x5c/0xa0
+[ 179.155579][ T3731] lock_sock_nested+0x280/0x2c0
+[ 179.156436][ T3731] ? kmsan_get_metadata+0x116/0x180
+[ 179.157257][ T3731] l2cap_sock_teardown_cb+0xb8/0x890
+[ 179.158154][ T3731] ? __msan_metadata_ptr_for_load_8+0x10/0x20
+[ 179.159141][ T3731] ? kmsan_get_metadata+0x116/0x180
+[ 179.159994][ T3731] ? kmsan_get_shadow_origin_ptr+0x84/0xb0
+[ 179.160959][ T3731] ? l2cap_sock_recv_cb+0x420/0x420
+[ 179.161834][ T3731] l2cap_chan_del+0x3e1/0x1d50
+[ 179.162608][ T3731] ? kmsan_get_metadata+0x116/0x180
+[ 179.163435][ T3731] ? kmsan_get_shadow_origin_ptr+0x84/0xb0
+[ 179.164406][ T3731] l2cap_chan_close+0xeea/0x1050
+[ 179.165189][ T3731] ? kmsan_internal_unpoison_shadow+0x42/0x70
+[ 179.166180][ T3731] l2cap_chan_timeout+0x1da/0x590
+[ 179.167066][ T3731] ? __msan_metadata_ptr_for_load_8+0x10/0x20
+[ 179.168023][ T3731] ? l2cap_chan_create+0x560/0x560
+[ 179.168818][ T3731] process_one_work+0x121d/0x1ff0
+[ 179.169598][ T3731] worker_thread+0x121b/0x2370
+[ 179.170346][ T3731] kthread+0x4ef/0x610
+[ 179.171010][ T3731] ? process_one_work+0x1ff0/0x1ff0
+[ 179.171828][ T3731] ? kthread_blkcg+0x110/0x110
+[ 179.172587][ T3731] ret_from_fork+0x1f/0x30
+[ 179.173348][ T3731]
+[ 179.173752][ T3731] Uninit was created at:
+[ 179.174409][ T3731] kmsan_internal_poison_shadow+0x5c/0xf0
+[ 179.175373][ T3731] kmsan_slab_free+0x76/0xc0
+[ 179.176060][ T3731] kfree+0x3a5/0x1180
+[ 179.176664][ T3731] __sk_destruct+0x8af/0xb80
+[ 179.177375][ T3731] __sk_free+0x812/0x8c0
+[ 179.178032][ T3731] sk_free+0x97/0x130
+[ 179.178686][ T3731] l2cap_sock_release+0x3d5/0x4d0
+[ 179.179457][ T3731] sock_close+0x150/0x450
+[ 179.180117][ T3731] __fput+0x6bd/0xf00
+[ 179.180787][ T3731] ____fput+0x37/0x40
+[ 179.181481][ T3731] task_work_run+0x140/0x280
+[ 179.182219][ T3731] do_exit+0xe51/0x3e60
+[ 179.182930][ T3731] do_group_exit+0x20e/0x450
+[ 179.183656][ T3731] get_signal+0x2dfb/0x38f0
+[ 179.184344][ T3731] arch_do_signal_or_restart+0xaa/0xe10
+[ 179.185266][ T3731] exit_to_user_mode_prepare+0x2d2/0x560
+[ 179.186136][ T3731] syscall_exit_to_user_mode+0x35/0x60
+[ 179.186984][ T3731] do_syscall_64+0xc5/0x140
+[ 179.187681][ T3731] entry_SYSCALL_64_after_hwframe+0x44/0xae
+[ 179.188604][ T3731] =====================================================
+
+In our case, there are two Thread A and B:
+
+Context: Thread A: Context: Thread B:
+
+l2cap_chan_timeout() __se_sys_shutdown()
+ l2cap_chan_close() l2cap_sock_shutdown()
+ l2cap_chan_del() l2cap_chan_close()
+ l2cap_sock_teardown_cb() l2cap_sock_teardown_cb()
+
+Once l2cap_sock_teardown_cb() excuted, this sock will be marked as SOCK_ZAPPED,
+and can be treated as killable in l2cap_sock_kill() if sock_orphan() has
+excuted, at this time we close sock through sock_close() which end to call
+l2cap_sock_kill() like Thread C:
+
+Context: Thread C:
+
+sock_close()
+ l2cap_sock_release()
+ sock_orphan()
+ l2cap_sock_kill() #free sock if refcnt is 1
+
+If C completed, Once A or B reaches l2cap_sock_teardown_cb() again,
+use-after-free happened.
+
+We should set chan->data to NULL if sock is destructed, for telling teardown
+operation is not allowed in l2cap_sock_teardown_cb(), and also we should
+avoid killing an already killed socket in l2cap_sock_close_cb().
+
+Signed-off-by: Wang ShaoBo
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/l2cap_sock.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
+index 967a9bb144157..d938311c58a8d 100644
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -1328,6 +1328,9 @@ static void l2cap_sock_close_cb(struct l2cap_chan *chan)
+ {
+ struct sock *sk = chan->data;
+
++ if (!sk)
++ return;
++
+ l2cap_sock_kill(sk);
+ }
+
+@@ -1336,6 +1339,9 @@ static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
+ struct sock *sk = chan->data;
+ struct sock *parent;
+
++ if (!sk)
++ return;
++
+ BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
+
+ /* This callback can be called both for server (BT_LISTEN)
+@@ -1519,8 +1525,10 @@ static void l2cap_sock_destruct(struct sock *sk)
+ {
+ BT_DBG("sk %p", sk);
+
+- if (l2cap_pi(sk)->chan)
++ if (l2cap_pi(sk)->chan) {
++ l2cap_pi(sk)->chan->data = NULL;
+ l2cap_chan_put(l2cap_pi(sk)->chan);
++ }
+
+ if (l2cap_pi(sk)->rx_busy_skb) {
+ kfree_skb(l2cap_pi(sk)->rx_busy_skb);
+--
+2.33.0
+
diff --git a/queue-4.19/bluetooth-sco-fix-lock_sock-blockage-by-memcpy_from_.patch b/queue-4.19/bluetooth-sco-fix-lock_sock-blockage-by-memcpy_from_.patch
new file mode 100644
index 00000000000..c3d852c696f
--- /dev/null
+++ b/queue-4.19/bluetooth-sco-fix-lock_sock-blockage-by-memcpy_from_.patch
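Review bot: The `if (!sk) return;` guards added to l2cap_sock_close_cb() and l2cap_sock_teardown_cb() load chan->data with no visible ordering against the `l2cap_pi(sk)->chan->data = NULL` store added to l2cap_sock_destruct(), so a callback that reads a non-NULL sk just before the destructor runs can still pass a freed socket to l2cap_sock_kill() or to the code after BT_DBG(). Nothing in these hunks shows which lock, if any, serialises the two sides, and the callbacks take no reference on sk. If the channel lock is what makes this safe, a comment at each check such as `/* chan->data is cleared by l2cap_sock_destruct(); valid only while chan->lock is held */` would record it; if not, the callbacks need to pin sk before using it. l2cap_sock_teardown_cb() and l2cap_sock_destruct() both continue outside the hunks.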
@@ -0,0 +1,96 @@
+From e549e2b8c73680ad7819b585259230361f150a89 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 28 Aug 2021 18:18:18 +0200
+Subject: Bluetooth: sco: Fix lock_sock() blockage by memcpy_from_msg()
+
+From: Takashi Iwai
+
+[ Upstream commit 99c23da0eed4fd20cae8243f2b51e10e66aa0951 ]
+
+The sco_send_frame() also takes lock_sock() during memcpy_from_msg()
+call that may be endlessly blocked by a task with userfaultd
+technique, and this will result in a hung task watchdog trigger.
+
+Just like the similar fix for hci_sock_sendmsg() in commit
+92c685dc5de0 ("Bluetooth: reorganize functions..."), this patch moves
+the memcpy_from_msg() out of lock_sock() for addressing the hang.
+
+This should be the last piece for fixing CVE-2021-3640 after a few
+already queued fixes.
+
+Signed-off-by: Takashi Iwai
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/sco.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
+index 007a01b08dbe9..d052b454dc4e1 100644
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -280,7 +280,8 @@ static int sco_connect(struct hci_dev *hdev, struct sock *sk)
+ return err;
+ }
+
+-static int sco_send_frame(struct sock *sk, struct msghdr *msg, int len)
++static int sco_send_frame(struct sock *sk, void *buf, int len,
++ unsigned int msg_flags)
+ {
+ struct sco_conn *conn = sco_pi(sk)->conn;
+ struct sk_buff *skb;
+@@ -292,15 +293,11 @@ static int sco_send_frame(struct sock *sk, struct msghdr *msg, int len)
+
+ BT_DBG("sk %p len %d", sk, len);
+
+- skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err);
++ skb = bt_skb_send_alloc(sk, len, msg_flags & MSG_DONTWAIT, &err);
+ if (!skb)
+ return err;
+
+- if (memcpy_from_msg(skb_put(skb, len), msg, len)) {
+- kfree_skb(skb);
+- return -EFAULT;
+- }
+-
++ memcpy(skb_put(skb, len), buf, len);
+ hci_send_sco(conn->hcon, skb);
+
+ return len;
+@@ -714,6 +711,7 @@ static int sco_sock_sendmsg(struct socket *sock, struct msghdr *msg,
+ size_t len)
+ {
+ struct sock *sk = sock->sk;
++ void *buf;
+ int err;
+
+ BT_DBG("sock %p, sk %p", sock, sk);
+@@ -725,14 +723,24 @@ static int sco_sock_sendmsg(struct socket *sock, struct msghdr *msg,
+ if (msg->msg_flags & MSG_OOB)
+ return -EOPNOTSUPP;
+
++ buf = kmalloc(len, GFP_KERNEL);
++ if (!buf)
++ return -ENOMEM;
++
++ if (memcpy_from_msg(buf, msg, len)) {
++ kfree(buf);
++ return -EFAULT;
++ }
++
+ lock_sock(sk);
+
+ if (sk->sk_state == BT_CONNECTED)
+- err = sco_send_frame(sk, msg, len);
++ err = sco_send_frame(sk, buf, len, msg->msg_flags);
+ else
+ err = -ENOTCONN;
+
+ release_sock(sk);
++ kfree(buf);
+ return err;
+ }
+
+--
+2.33.0
+
diff --git a/queue-4.19/bonding-fix-a-use-after-free-problem-when-bond_sysfs.patch b/queue-4.19/bonding-fix-a-use-after-free-problem-when-bond_sysfs.patch
new file mode 100644
index 00000000000..4a54a280ba8
--- /dev/null
+++ b/queue-4.19/bonding-fix-a-use-after-free-problem-when-bond_sysfs.patch
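Review bot: `buf = kmalloc(len, GFP_KERNEL)` in sco_sock_sendmsg() sizes a kernel allocation and a user copy from the caller-supplied `size_t len` with no upper bound visible between the MSG_OOB check and the allocation, and both now happen before the BT_CONNECTED test. The same value is then narrowed to the `int len` parameter of sco_send_frame(). Whether sco_send_frame() checks the length against the connection MTU in lines the hunk does not show cannot be told from here, and that check would run after the allocation in any case. A cap before the kmalloc(), for example `if (len > LIMIT) return -EMSGSIZE;` with LIMIT a placeholder for whatever maximum the maintainers choose, keeps the request bounded.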
@@ -0,0 +1,200 @@
+From fc6f3780524c10dd54f40121fbcc5ef40fa4df87 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 2 Nov 2021 17:37:33 +0800
+Subject: bonding: Fix a use-after-free problem when bond_sysfs_slave_add()
+ failed
+
+From: Huang Guobin
+
+[ Upstream commit b93c6a911a3fe926b00add28f3b932007827c4ca ]
+
+When I do fuzz test for bonding device interface, I got the following
+use-after-free Calltrace:
+
+==================================================================
+BUG: KASAN: use-after-free in bond_enslave+0x1521/0x24f0
+Read of size 8 at addr ffff88825bc11c00 by task ifenslave/7365
+
+CPU: 5 PID: 7365 Comm: ifenslave Tainted: G E 5.15.0-rc1+ #13
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014
+Call Trace:
+ dump_stack_lvl+0x6c/0x8b
+ print_address_description.constprop.0+0x48/0x70
+ kasan_report.cold+0x82/0xdb
+ __asan_load8+0x69/0x90
+ bond_enslave+0x1521/0x24f0
+ bond_do_ioctl+0x3e0/0x450
+ dev_ifsioc+0x2ba/0x970
+ dev_ioctl+0x112/0x710
+ sock_do_ioctl+0x118/0x1b0
+ sock_ioctl+0x2e0/0x490
+ __x64_sys_ioctl+0x118/0x150
+ do_syscall_64+0x35/0xb0
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+RIP: 0033:0x7f19159cf577
+Code: b3 66 90 48 8b 05 11 89 2c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 78
+RSP: 002b:00007ffeb3083c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 00007ffeb3084bca RCX: 00007f19159cf577
+RDX: 00007ffeb3083ce0 RSI: 0000000000008990 RDI: 0000000000000003
+RBP: 00007ffeb3084bc4 R08: 0000000000000040 R09: 0000000000000000
+R10: 00007ffeb3084bc0 R11: 0000000000000246 R12: 00007ffeb3083ce0
+R13: 0000000000000000 R14: 0000000000000000 R15: 00007ffeb3083cb0
+
+Allocated by task 7365:
+ kasan_save_stack+0x23/0x50
+ __kasan_kmalloc+0x83/0xa0
+ kmem_cache_alloc_trace+0x22e/0x470
+ bond_enslave+0x2e1/0x24f0
+ bond_do_ioctl+0x3e0/0x450
+ dev_ifsioc+0x2ba/0x970
+ dev_ioctl+0x112/0x710
+ sock_do_ioctl+0x118/0x1b0
+ sock_ioctl+0x2e0/0x490
+ __x64_sys_ioctl+0x118/0x150
+ do_syscall_64+0x35/0xb0
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Freed by task 7365:
+ kasan_save_stack+0x23/0x50
+ kasan_set_track+0x20/0x30
+ kasan_set_free_info+0x24/0x40
+ __kasan_slab_free+0xf2/0x130
+ kfree+0xd1/0x5c0
+ slave_kobj_release+0x61/0x90
+ kobject_put+0x102/0x180
+ bond_sysfs_slave_add+0x7a/0xa0
+ bond_enslave+0x11b6/0x24f0
+ bond_do_ioctl+0x3e0/0x450
+ dev_ifsioc+0x2ba/0x970
+ dev_ioctl+0x112/0x710
+ sock_do_ioctl+0x118/0x1b0
+ sock_ioctl+0x2e0/0x490
+ __x64_sys_ioctl+0x118/0x150
+ do_syscall_64+0x35/0xb0
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Last potentially related work creation:
+ kasan_save_stack+0x23/0x50
+ kasan_record_aux_stack+0xb7/0xd0
+ insert_work+0x43/0x190
+ __queue_work+0x2e3/0x970
+ delayed_work_timer_fn+0x3e/0x50
+ call_timer_fn+0x148/0x470
+ run_timer_softirq+0x8a8/0xc50
+ __do_softirq+0x107/0x55f
+
+Second to last potentially related work creation:
+ kasan_save_stack+0x23/0x50
+ kasan_record_aux_stack+0xb7/0xd0
+ insert_work+0x43/0x190
+ __queue_work+0x2e3/0x970
+ __queue_delayed_work+0x130/0x180
+ queue_delayed_work_on+0xa7/0xb0
+ bond_enslave+0xe25/0x24f0
+ bond_do_ioctl+0x3e0/0x450
+ dev_ifsioc+0x2ba/0x970
+ dev_ioctl+0x112/0x710
+ sock_do_ioctl+0x118/0x1b0
+ sock_ioctl+0x2e0/0x490
+ __x64_sys_ioctl+0x118/0x150
+ do_syscall_64+0x35/0xb0
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+The buggy address belongs to the object at ffff88825bc11c00
+ which belongs to the cache kmalloc-1k of size 1024
+The buggy address is located 0 bytes inside of
+ 1024-byte region [ffff88825bc11c00, ffff88825bc12000)
+The buggy address belongs to the page:
+page:ffffea00096f0400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x25bc10
+head:ffffea00096f0400 order:3 compound_mapcount:0 compound_pincount:0
+flags: 0x57ff00000010200(slab|head|node=1|zone=2|lastcpupid=0x7ff)
+raw: 057ff00000010200 ffffea0009a71c08 ffff888240001968 ffff88810004dbc0
+raw: 0000000000000000 00000000000a000a 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff88825bc11b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff88825bc11b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+>ffff88825bc11c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff88825bc11c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff88825bc11d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+==================================================================
+
+Put new_slave in bond_sysfs_slave_add() will cause use-after-free problems
+when new_slave is accessed in the subsequent error handling process. Since
+new_slave will be put in the subsequent error handling process, remove the
+unnecessary put to fix it.
+In addition, when sysfs_create_file() fails, if some files have been crea-
+ted successfully, we need to call sysfs_remove_file() to remove them.
+Since there are sysfs_create_files() & sysfs_remove_files() can be used,
+use these two functions instead.
+
+Fixes: 7afcaec49696 (bonding: use kobject_put instead of _del after kobject_add)
+Signed-off-by: Huang Guobin
+Reviewed-by: Jakub Kicinski
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/bonding/bond_sysfs_slave.c | 36 ++++++++------------------
+ 1 file changed, 11 insertions(+), 25 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_sysfs_slave.c b/drivers/net/bonding/bond_sysfs_slave.c
+index 9ec0498d7d54e..1bc20de8e57be 100644
+--- a/drivers/net/bonding/bond_sysfs_slave.c
++++ b/drivers/net/bonding/bond_sysfs_slave.c
+@@ -112,15 +112,15 @@ static ssize_t ad_partner_oper_port_state_show(struct slave *slave, char *buf)
+ }
+ static SLAVE_ATTR_RO(ad_partner_oper_port_state);
+
+-static const struct slave_attribute *slave_attrs[] = {
+- &slave_attr_state,
+- &slave_attr_mii_status,
+- &slave_attr_link_failure_count,
+- &slave_attr_perm_hwaddr,
+- &slave_attr_queue_id,
+- &slave_attr_ad_aggregator_id,
+- &slave_attr_ad_actor_oper_port_state,
+- &slave_attr_ad_partner_oper_port_state,
++static const struct attribute *slave_attrs[] = {
++ &slave_attr_state.attr,
++ &slave_attr_mii_status.attr,
++ &slave_attr_link_failure_count.attr,
++ &slave_attr_perm_hwaddr.attr,
++ &slave_attr_queue_id.attr,
++ &slave_attr_ad_aggregator_id.attr,
++ &slave_attr_ad_actor_oper_port_state.attr,
++ &slave_attr_ad_partner_oper_port_state.attr,
+ NULL
+ };
+
+@@ -141,24 +141,10 @@ const struct sysfs_ops slave_sysfs_ops = {
+
+ int bond_sysfs_slave_add(struct slave *slave)
+ {
+- const struct slave_attribute **a;
+- int err;
+-
+- for (a = slave_attrs; *a; ++a) {
+- err = sysfs_create_file(&slave->kobj, &((*a)->attr));
+- if (err) {
+- kobject_put(&slave->kobj);
+- return err;
+- }
+- }
+-
+- return 0;
++ return sysfs_create_files(&slave->kobj, slave_attrs);
+ }
+
+ void bond_sysfs_slave_del(struct slave *slave)
+ {
+- const struct slave_attribute **a;
+-
+- for (a = slave_attrs; *a; ++a)
+- sysfs_remove_file(&slave->kobj, &((*a)->attr));
++ sysfs_remove_files(&slave->kobj, slave_attrs);
+ }
+--
+2.33.0
+
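Review bot: bond_sysfs_slave_add() no longer drops the kobject reference when it fails, and nothing at the function states who does. The commit message says the caller's error handling puts new_slave, so that contract belongs in a comment above the function, e.g. `/* On failure the caller still owns slave->kobj and must put it; do not kobject_put() here. */`, so the extra put is not reintroduced by a later cleanup.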
diff --git a/queue-4.19/cgroup-make-rebind_subsystems-disable-v2-controllers.patch b/queue-4.19/cgroup-make-rebind_subsystems-disable-v2-controllers.patch
new file mode 100644
index 00000000000..eb956971d22
--- /dev/null
+++ b/queue-4.19/cgroup-make-rebind_subsystems-disable-v2-controllers.patch
@@ -0,0 +1,120 @@
+From 8a4b31229004c271bac6ad217fa8abc6b77c9793 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 18 Sep 2021 18:53:08 -0400
+Subject: cgroup: Make rebind_subsystems() disable v2 controllers all at once
+
+From: Waiman Long
+
+[ Upstream commit 7ee285395b211cad474b2b989db52666e0430daf ]
+
+It was found that the following warning was displayed when remounting
+controllers from cgroup v2 to v1:
+
+[ 8042.997778] WARNING: CPU: 88 PID: 80682 at kernel/cgroup/cgroup.c:3130 cgroup_apply_control_disable+0x158/0x190
+ :
+[ 8043.091109] RIP: 0010:cgroup_apply_control_disable+0x158/0x190
+[ 8043.096946] Code: ff f6 45 54 01 74 39 48 8d 7d 10 48 c7 c6 e0 46 5a a4 e8 7b 67 33 00 e9 41 ff ff ff 49 8b 84 24 e8 01 00 00 0f b7 40 08 eb 95 <0f> 0b e9 5f ff ff ff 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3
+[ 8043.115692] RSP: 0018:ffffba8a47c23d28 EFLAGS: 00010202
+[ 8043.120916] RAX: 0000000000000036 RBX: ffffffffa624ce40 RCX: 000000000000181a
+[ 8043.128047] RDX: ffffffffa63c43e0 RSI: ffffffffa63c43e0 RDI: ffff9d7284ee1000
+[ 8043.135180] RBP: ffff9d72874c5800 R08: ffffffffa624b090 R09: 0000000000000004
+[ 8043.142314] R10: ffffffffa624b080 R11: 0000000000002000 R12: ffff9d7284ee1000
+[ 8043.149447] R13: ffff9d7284ee1000 R14: ffffffffa624ce70 R15: ffffffffa6269e20
+[ 8043.156576] FS: 00007f7747cff740(0000) GS:ffff9d7a5fc00000(0000) knlGS:0000000000000000
+[ 8043.164663] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 8043.170409] CR2: 00007f7747e96680 CR3: 0000000887d60001 CR4: 00000000007706e0
+[ 8043.177539] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 8043.184673] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 8043.191804] PKRU: 55555554
+[ 8043.194517] Call Trace:
+[ 8043.196970] rebind_subsystems+0x18c/0x470
+[ 8043.201070] cgroup_setup_root+0x16c/0x2f0
+[ 8043.205177] cgroup1_root_to_use+0x204/0x2a0
+[ 8043.209456] cgroup1_get_tree+0x3e/0x120
+[ 8043.213384] vfs_get_tree+0x22/0xb0
+[ 8043.216883] do_new_mount+0x176/0x2d0
+[ 8043.220550] __x64_sys_mount+0x103/0x140
+[ 8043.224474] do_syscall_64+0x38/0x90
+[ 8043.228063] entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+It was caused by the fact that rebind_subsystem() disables
+controllers to be rebound one by one. If more than one disabled
+controllers are originally from the default hierarchy, it means that
+cgroup_apply_control_disable() will be called multiple times for the
+same default hierarchy. A controller may be killed by css_kill() in
+the first round. In the second round, the killed controller may not be
+completely dead yet leading to the warning.
+
+To avoid this problem, we collect all the ssid's of controllers that
+needed to be disabled from the default hierarchy and then disable them
+in one go instead of one by one.
+
+Fixes: 334c3679ec4b ("cgroup: reimplement rebind_subsystems() using cgroup_apply_control() and friends")
+Signed-off-by: Waiman Long
+Signed-off-by: Tejun Heo
+Signed-off-by: Sasha Levin
+---
+ kernel/cgroup/cgroup.c | 31 +++++++++++++++++++++++++++----
+ 1 file changed, 27 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
+index a74549693e7f5..63eff85f251f3 100644
+--- a/kernel/cgroup/cgroup.c
++++ b/kernel/cgroup/cgroup.c
+@@ -1650,6 +1650,7 @@ int rebind_subsystems(struct cgroup_root *dst_root, u16 ss_mask)
+ struct cgroup *dcgrp = &dst_root->cgrp;
+ struct cgroup_subsys *ss;
+ int ssid, i, ret;
++ u16 dfl_disable_ss_mask = 0;
+
+ lockdep_assert_held(&cgroup_mutex);
+
+@@ -1666,8 +1667,28 @@ int rebind_subsystems(struct cgroup_root *dst_root, u16 ss_mask)
+ /* can't move between two non-dummy roots either */
+ if (ss->root != &cgrp_dfl_root && dst_root != &cgrp_dfl_root)
+ return -EBUSY;
++
++ /*
++ * Collect ssid's that need to be disabled from default
++ * hierarchy.
++ */
++ if (ss->root == &cgrp_dfl_root)
++ dfl_disable_ss_mask |= 1 << ssid;
++
+ } while_each_subsys_mask();
+
++ if (dfl_disable_ss_mask) {
++ struct cgroup *scgrp = &cgrp_dfl_root.cgrp;
++
++ /*
++ * Controllers from default hierarchy that need to be rebound
++ * are all disabled together in one go.
++ */
++ cgrp_dfl_root.subsys_mask &= ~dfl_disable_ss_mask;
++ WARN_ON(cgroup_apply_control(scgrp));
++ cgroup_finalize_control(scgrp, 0);
++ }
++
+ do_each_subsys_mask(ss, ssid, ss_mask) {
+ struct cgroup_root *src_root = ss->root;
+ struct cgroup *scgrp = &src_root->cgrp;
+@@ -1676,10 +1697,12 @@ int rebind_subsystems(struct cgroup_root *dst_root, u16 ss_mask)
+
+ WARN_ON(!css || cgroup_css(dcgrp, ss));
+
+- /* disable from the source */
+- src_root->subsys_mask &= ~(1 << ssid);
+- WARN_ON(cgroup_apply_control(scgrp));
+- cgroup_finalize_control(scgrp, 0);
++ if (src_root != &cgrp_dfl_root) {
++ /* disable from the source */
++ src_root->subsys_mask &= ~(1 << ssid);
++ WARN_ON(cgroup_apply_control(scgrp));
++ cgroup_finalize_control(scgrp, 0);
++ }
+
+ /* rebind */
+ RCU_INIT_POINTER(scgrp->subsys[ssid], NULL);
+--
+2.33.0
+
diff --git a/queue-4.19/clocksource-drivers-timer-ti-dm-select-timer_of.patch b/queue-4.19/clocksource-drivers-timer-ti-dm-select-timer_of.patch
new file mode 100644
index 00000000000..addbd353d55
--- /dev/null
+++ b/queue-4.19/clocksource-drivers-timer-ti-dm-select-timer_of.patch
@@ -0,0 +1,49 @@
+From 2846b59a3f6c514020bb4e475d8b5e999a6564d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 28 Aug 2021 10:57:47 -0700
+Subject: clocksource/drivers/timer-ti-dm: Select TIMER_OF
+
+From: Kees Cook
+
+[ Upstream commit eda9a4f7af6ee47e9e131f20e4f8a41a97379293 ]
+
+When building OMAP_DM_TIMER without TIMER_OF, there are orphan sections
+due to the use of TIMER_OF_DELCARE() without CONFIG_TIMER_OF. Select
+CONFIG_TIMER_OF when enaling OMAP_DM_TIMER:
+
+arm-linux-gnueabi-ld: warning: orphan section `__timer_of_table' from `drivers/clocksource/timer-ti-dm-systimer.o' being placed in section `__timer_of_table'
+
+Reported-by: kernel test robot
+Link: https://lore.kernel.org/lkml/202108282255.tkdt4ani-lkp@intel.com/
+Cc: Tony Lindgren
+Cc: Daniel Lezcano
+Cc: Keerthy
+Cc: Sebastian Reichel
+Cc: Ladislav Michl
+Cc: Grygorii Strashko
+Cc: linux-omap@vger.kernel.org
+Fixes: 52762fbd1c47 ("clocksource/drivers/timer-ti-dm: Add clockevent and clocksource support")
+Signed-off-by: Kees Cook
+Acked-by: Tony Lindgren
+Link: https://lore.kernel.org/r/20210828175747.3777891-1-keescook@chromium.org
+Signed-off-by: Daniel Lezcano
+Signed-off-by: Sasha Levin
+---
+ drivers/clocksource/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clocksource/Kconfig b/drivers/clocksource/Kconfig
+index 4d37f018d846c..06504384c3765 100644
+--- a/drivers/clocksource/Kconfig
++++ b/drivers/clocksource/Kconfig
+@@ -23,6 +23,7 @@ config I8253_LOCK
+
+ config OMAP_DM_TIMER
+ bool
++ select TIMER_OF
+
+ config CLKBLD_I8253
+ def_bool y if CLKSRC_I8253 || CLKEVT_I8253 || I8253_LOCK
+--
+2.33.0
+
diff --git a/queue-4.19/cpuidle-fix-kobject-memory-leaks-in-error-paths.patch b/queue-4.19/cpuidle-fix-kobject-memory-leaks-in-error-paths.patch
new file mode 100644
index 00000000000..d8817deac32
--- /dev/null
+++ b/queue-4.19/cpuidle-fix-kobject-memory-leaks-in-error-paths.patch
@@ -0,0 +1,70 @@
+From f654d97938a087b264bf209fd3e3d19a3d9f217a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 6 Sep 2021 18:34:40 +0000
+Subject: cpuidle: Fix kobject memory leaks in error paths
+
+From: Anel Orazgaliyeva
+
+[ Upstream commit e5f5a66c9aa9c331da5527c2e3fd9394e7091e01 ]
+
+Commit c343bf1ba5ef ("cpuidle: Fix three reference count leaks")
+fixes the cleanup of kobjects; however, it removes kfree() calls
+altogether, leading to memory leaks.
+
+Fix those and also defer the initialization of dev->kobj_dev until
+after the error check, so that we do not end up with a dangling
+pointer.
+
+Fixes: c343bf1ba5ef ("cpuidle: Fix three reference count leaks")
+Signed-off-by: Anel Orazgaliyeva
+Suggested-by: Aman Priyadarshi
+[ rjw: Subject edits ]
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/cpuidle/sysfs.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/cpuidle/sysfs.c b/drivers/cpuidle/sysfs.c
+index 66979dc336807..d9b917529abaf 100644
+--- a/drivers/cpuidle/sysfs.c
++++ b/drivers/cpuidle/sysfs.c
+@@ -468,6 +468,7 @@ static int cpuidle_add_state_sysfs(struct cpuidle_device *device)
+ &kdev->kobj, "state%d", i);
+ if (ret) {
+ kobject_put(&kobj->kobj);
++ kfree(kobj);
+ goto error_state;
+ }
+ cpuidle_add_s2idle_attr_group(kobj);
+@@ -599,6 +600,7 @@ static int cpuidle_add_driver_sysfs(struct cpuidle_device *dev)
+ &kdev->kobj, "driver");
+ if (ret) {
+ kobject_put(&kdrv->kobj);
++ kfree(kdrv);
+ return ret;
+ }
+
+@@ -685,7 +687,6 @@ int cpuidle_add_sysfs(struct cpuidle_device *dev)
+ if (!kdev)
+ return -ENOMEM;
+ kdev->dev = dev;
+- dev->kobj_dev = kdev;
+
+ init_completion(&kdev->kobj_unregister);
+
+@@ -693,9 +694,11 @@ int cpuidle_add_sysfs(struct cpuidle_device *dev)
+ "cpuidle");
+ if (error) {
+ kobject_put(&kdev->kobj);
++ kfree(kdev);
+ return error;
+ }
+
++ dev->kobj_dev = kdev;
+ kobject_uevent(&kdev->kobj, KOBJ_ADD);
+
+ return 0;
+--
+2.33.0
+
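Review bot: Each added `kfree()` runs immediately after `kobject_put()` on the same object, which is safe only if the ktype release callback has already run by then and does not touch the object afterwards; the hunks do not show the release callbacks. cpuidle_add_sysfs() initialises `kdev->kobj_unregister` just above its error path, which suggests release signals that completion, and with CONFIG_DEBUG_KOBJECT_RELEASE the callback is deferred and would then run on freed memory. Waiting first, `wait_for_completion(&kdev->kobj_unregister);` before `kfree(kdev);`, and the equivalent for kobj and kdrv if they carry the same completion, would close that window. All three functions start and end outside the hunks.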
diff --git a/queue-4.19/crypto-pcrypt-delay-write-to-padata-info.patch b/queue-4.19/crypto-pcrypt-delay-write-to-padata-info.patch
new file mode 100644
index 00000000000..aa59eb6a58f
--- /dev/null
+++ b/queue-4.19/crypto-pcrypt-delay-write-to-padata-info.patch
@@ -0,0 +1,85 @@
+From 31361153f5a22ead597d262380cc93b3ba70b85f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 21 Oct 2021 14:30:28 -0400
+Subject: crypto: pcrypt - Delay write to padata->info
+
+From: Daniel Jordan
+
+[ Upstream commit 68b6dea802cea0dbdd8bd7ccc60716b5a32a5d8a ]
+
+These three events can race when pcrypt is used multiple times in a
+template ("pcrypt(pcrypt(...))"):
+
+ 1. [taskA] The caller makes the crypto request via crypto_aead_encrypt()
+ 2. [kworkerB] padata serializes the inner pcrypt request
+ 3. [kworkerC] padata serializes the outer pcrypt request
+
+3 might finish before the call to crypto_aead_encrypt() returns in 1,
+resulting in two possible issues.
+
+First, a use-after-free of the crypto request's memory when, for
+example, taskA writes to the outer pcrypt request's padata->info in
+pcrypt_aead_enc() after kworkerC completes the request.
+
+Second, the outer pcrypt request overwrites the inner pcrypt request's
+return code with -EINPROGRESS, making a successful request appear to
+fail. For instance, kworkerB writes the outer pcrypt request's
+padata->info in pcrypt_aead_done() and then taskA overwrites it
+in pcrypt_aead_enc().
+
+Avoid both situations by delaying the write of padata->info until after
+the inner crypto request's return code is checked. This prevents the
+use-after-free by not touching the crypto request's memory after the
+next-inner crypto request is made, and stops padata->info from being
+overwritten.
+
+Fixes: 5068c7a883d16 ("crypto: pcrypt - Add pcrypt crypto parallelization wrapper")
+Reported-by: syzbot+b187b77c8474f9648fae@syzkaller.appspotmail.com
+Signed-off-by: Daniel Jordan
+Signed-off-by: Herbert Xu
+Signed-off-by: Sasha Levin
+---
+ crypto/pcrypt.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/crypto/pcrypt.c b/crypto/pcrypt.c
+index 85082574c5154..62e11835f220e 100644
+--- a/crypto/pcrypt.c
++++ b/crypto/pcrypt.c
+@@ -138,12 +138,14 @@ static void pcrypt_aead_enc(struct padata_priv *padata)
+ {
+ struct pcrypt_request *preq = pcrypt_padata_request(padata);
+ struct aead_request *req = pcrypt_request_ctx(preq);
++ int ret;
+
+- padata->info = crypto_aead_encrypt(req);
++ ret = crypto_aead_encrypt(req);
+
+- if (padata->info == -EINPROGRESS)
++ if (ret == -EINPROGRESS)
+ return;
+
++ padata->info = ret;
+ padata_do_serial(padata);
+ }
+
+@@ -180,12 +182,14 @@ static void pcrypt_aead_dec(struct padata_priv *padata)
+ {
+ struct pcrypt_request *preq = pcrypt_padata_request(padata);
+ struct aead_request *req = pcrypt_request_ctx(preq);
++ int ret;
+
+- padata->info = crypto_aead_decrypt(req);
++ ret = crypto_aead_decrypt(req);
+
+- if (padata->info == -EINPROGRESS)
++ if (ret == -EINPROGRESS)
+ return;
+
++ padata->info = ret;
+ padata_do_serial(padata);
+ }
+
+--
+2.33.0
+
diff --git a/queue-4.19/crypto-qat-detect-pfvf-collision-after-ack.patch b/queue-4.19/crypto-qat-detect-pfvf-collision-after-ack.patch
new file mode 100644
index 00000000000..aba3a5cb2f3
--- /dev/null
+++ b/queue-4.19/crypto-qat-detect-pfvf-collision-after-ack.patch
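Review bot: The early `return` on -EINPROGRESS in pcrypt_aead_enc(), and the identical one in pcrypt_aead_dec(), is now what keeps the function from writing to padata after the request may have been completed by another context, but neither function says so. A comment above the check, such as `/* once the request is in flight padata may be completed and freed elsewhere; do not touch it on -EINPROGRESS */`, would record the constraint the commit message describes and make it harder for a later cleanup to fold the store back into the call.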
@@ -0,0 +1,46 @@
+From e24f4a727929a2ded803e74680e8c426cbdf9851 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 28 Sep 2021 12:44:29 +0100
+Subject: crypto: qat - detect PFVF collision after ACK
+
+From: Giovanni Cabiddu
+
+[ Upstream commit 9b768e8a3909ac1ab39ed44a3933716da7761a6f ]
+
+Detect a PFVF collision between the local and the remote function by
+checking if the message on the PFVF CSR has been overwritten.
+This is done after the remote function confirms that the message has
+been received, by clearing the interrupt bit, or the maximum number of
+attempts (ADF_IOV_MSG_ACK_MAX_RETRY) to check the CSR has been exceeded.
+
+Fixes: ed8ccaef52fa ("crypto: qat - Add support for SRIOV")
+Signed-off-by: Giovanni Cabiddu
+Co-developed-by: Marco Chiappero
+Signed-off-by: Marco Chiappero
+Signed-off-by: Herbert Xu
+Signed-off-by: Sasha Levin
+---
+ drivers/crypto/qat/qat_common/adf_pf2vf_msg.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c
+index c64481160b711..72fd2bbbe704e 100644
+--- a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c
++++ b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c
+@@ -195,6 +195,13 @@ static int __adf_iov_putmsg(struct adf_accel_dev *accel_dev, u32 msg, u8 vf_nr)
+ val = ADF_CSR_RD(pmisc_bar_addr, pf2vf_offset);
+ } while ((val & int_bit) && (count++ < ADF_IOV_MSG_ACK_MAX_RETRY));
+
++ if (val != msg) {
++ dev_dbg(&GET_DEV(accel_dev),
++ "Collision - PFVF CSR overwritten by remote function\n");
++ ret = -EIO;
++ goto out;
++ }
++
+ if (val & int_bit) {
+ dev_dbg(&GET_DEV(accel_dev), "ACK not received from remote\n");
+ val &= ~int_bit;
+--
+2.33.0
+
diff --git a/queue-4.19/crypto-qat-disregard-spurious-pfvf-interrupts.patch b/queue-4.19/crypto-qat-disregard-spurious-pfvf-interrupts.patch
new file mode 100644
index 00000000000..84f2c32e42a
--- /dev/null
+++ b/queue-4.19/crypto-qat-disregard-spurious-pfvf-interrupts.patch
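Review bot: The added `if (val != msg)` in __adf_iov_putmsg() compares the whole CSR value, interrupt bit included, so it cannot separate an overwritten message from a missing ACK. The write that sends `msg` is outside the hunk, but whichever way it sets `int_bit`, one of the two normal outcomes differs from `msg` by exactly that bit: if `msg` lacks the bit, a timed-out send takes the collision branch and the `if (val & int_bit)` block below, which clears the bit, is never reached. Masking the bit on both sides, `if ((val & ~int_bit) != (msg & ~int_bit))`, keeps the two cases apart. The function starts before and continues after the hunk.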
@@ -0,0 +1,75 @@ +From acafa99b712b2a167cc1a7c3fa5a0f0ea2e29e82 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Sep 2021 12:44:30 +0100 +Subject: crypto: qat - disregard spurious PFVF interrupts + +From: Giovanni Cabiddu + +[ Upstream commit 18fcba469ba5359c1de7e3fb16f7b9e8cd1b8e02 ] + +Upon receiving a PFVF message, check if the interrupt bit is set in the +message. If it is not, that means that the interrupt was probably +triggered by a collision. In this case, disregard the message and +re-enable the interrupts. + +Fixes: ed8ccaef52fa ("crypto: qat - Add support for SRIOV") +Signed-off-by: Giovanni Cabiddu +Reviewed-by: Marco Chiappero +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/qat/qat_common/adf_pf2vf_msg.c | 6 ++++++ + drivers/crypto/qat/qat_common/adf_vf_isr.c | 6 ++++++ + 2 files changed, 12 insertions(+) + +diff --git a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c +index 72fd2bbbe704e..180016e157771 100644 +--- a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c ++++ b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c +@@ -250,6 +250,11 @@ void adf_vf2pf_req_hndl(struct adf_accel_vf_info *vf_info) + + /* Read message from the VF */ + msg = ADF_CSR_RD(pmisc_addr, hw_data->get_pf2vf_offset(vf_nr)); ++ if (!(msg & ADF_VF2PF_INT)) { ++ dev_info(&GET_DEV(accel_dev), ++ "Spurious VF2PF interrupt, msg %X. 
Ignored\n", msg); ++ goto out; ++ } + + /* To ACK, clear the VF2PFINT bit */ + msg &= ~ADF_VF2PF_INT; +@@ -333,6 +338,7 @@ void adf_vf2pf_req_hndl(struct adf_accel_vf_info *vf_info) + if (resp && adf_iov_putmsg(accel_dev, resp, vf_nr)) + dev_err(&GET_DEV(accel_dev), "Failed to send response to VF\n"); + ++out: + /* re-enable interrupt on PF from this VF */ + adf_enable_vf2pf_interrupts(accel_dev, (1 << vf_nr)); + return; +diff --git a/drivers/crypto/qat/qat_common/adf_vf_isr.c b/drivers/crypto/qat/qat_common/adf_vf_isr.c +index ef90902c8200d..86274e3c6781d 100644 +--- a/drivers/crypto/qat/qat_common/adf_vf_isr.c ++++ b/drivers/crypto/qat/qat_common/adf_vf_isr.c +@@ -123,6 +123,11 @@ static void adf_pf2vf_bh_handler(void *data) + + /* Read the message from PF */ + msg = ADF_CSR_RD(pmisc_bar_addr, hw_data->get_pf2vf_offset(0)); ++ if (!(msg & ADF_PF2VF_INT)) { ++ dev_info(&GET_DEV(accel_dev), ++ "Spurious PF2VF interrupt, msg %X. Ignored\n", msg); ++ goto out; ++ } + + if (!(msg & ADF_PF2VF_MSGORIGIN_SYSTEM)) + /* Ignore legacy non-system (non-kernel) PF2VF messages */ +@@ -171,6 +176,7 @@ static void adf_pf2vf_bh_handler(void *data) + msg &= ~ADF_PF2VF_INT; + ADF_CSR_WR(pmisc_bar_addr, hw_data->get_pf2vf_offset(0), msg); + ++out: + /* Re-enable PF2VF interrupts */ + adf_enable_pf2vf_interrupts(accel_dev); + return; +-- +2.33.0 + diff --git a/queue-4.19/cxgb4-fix-eeprom-len-when-diagnostics-not-implemente.patch b/queue-4.19/cxgb4-fix-eeprom-len-when-diagnostics-not-implemente.patch new file mode 100644 index 00000000000..438b4ccaa2e --- /dev/null +++ b/queue-4.19/cxgb4-fix-eeprom-len-when-diagnostics-not-implemente.patch 
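Review bot: The `dev_info()` added to `adf_vf2pf_req_hndl()` is emitted once per spurious interrupt with no rate limit, and this handler runs on the PF for interrupts raised from the VF side. If a VF can trigger the condition repeatedly (not determinable from the hunk), a guest could fill the host kernel log at will. A rate-limited or debug-level message keeps the diagnostic without that exposure, e.g. `dev_info_ratelimited(&GET_DEV(accel_dev), "Spurious VF2PF interrupt, msg %X. Ignored\n", msg);`. The same applies, with less impact, to the PF2VF message in `adf_pf2vf_bh_handler()`. Both functions extend beyond their hunks.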
@@ -0,0 +1,61 @@ +From 8bdc9ce91a7e2f86dc043a63e08985a893c890f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Nov 2021 15:55:16 +0530 +Subject: cxgb4: fix eeprom len when diagnostics not implemented + +From: Rahul Lakkireddy + +[ Upstream commit 4ca110bf8d9b31a60f8f8ff6706ea147d38ad97c ] + +Ensure diagnostics monitoring support is implemented for the SFF 8472 +compliant port module and set the correct length for ethtool port +module eeprom read. + +Fixes: f56ec6766dcf ("cxgb4: Add support for ethtool i2c dump") +Signed-off-by: Manoj Malviya +Signed-off-by: Rahul Lakkireddy +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c | 7 +++++-- + drivers/net/ethernet/chelsio/cxgb4/t4_hw.h | 2 ++ + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c +index d07230c892a54..db0248ab7fe4a 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c +@@ -1304,12 +1304,15 @@ static int cxgb4_get_module_info(struct net_device *dev, + if (ret) + return ret; + +- if (!sff8472_comp || (sff_diag_type & 4)) { ++ if (!sff8472_comp || (sff_diag_type & SFP_DIAG_ADDRMODE)) { + modinfo->type = ETH_MODULE_SFF_8079; + modinfo->eeprom_len = ETH_MODULE_SFF_8079_LEN; + } else { + modinfo->type = ETH_MODULE_SFF_8472; +- modinfo->eeprom_len = ETH_MODULE_SFF_8472_LEN; ++ if (sff_diag_type & SFP_DIAG_IMPLEMENTED) ++ modinfo->eeprom_len = ETH_MODULE_SFF_8472_LEN; ++ else ++ modinfo->eeprom_len = ETH_MODULE_SFF_8472_LEN / 2; + } + break; + +diff --git a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.h b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.h +index 361d5032c2884..91603639ac428 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.h ++++ b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.h +@@ -292,6 +292,8 @@ enum { + #define I2C_PAGE_SIZE 0x100 + #define 
SFP_DIAG_TYPE_ADDR 0x5c + #define SFP_DIAG_TYPE_LEN 0x1 ++#define SFP_DIAG_ADDRMODE BIT(2) ++#define SFP_DIAG_IMPLEMENTED BIT(6) + #define SFF_8472_COMP_ADDR 0x5e + #define SFF_8472_COMP_LEN 0x1 + #define SFF_REV_ADDR 0x1 +-- +2.33.0 + diff --git a/queue-4.19/dmaengine-at_xdmac-fix-at_xdmac_cc_perid-macro.patch b/queue-4.19/dmaengine-at_xdmac-fix-at_xdmac_cc_perid-macro.patch new file mode 100644 index 00000000000..90520a0d7a6 --- /dev/null +++ b/queue-4.19/dmaengine-at_xdmac-fix-at_xdmac_cc_perid-macro.patch 
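Review bot: In `cxgb4_get_module_info()` the fallback `modinfo->eeprom_len = ETH_MODULE_SFF_8472_LEN / 2;` encodes the size of the first EEPROM page as an unexplained division. This length bounds how much user space may read through ethtool, so the reason for halving it should be visible at the assignment. I would write `modinfo->eeprom_len = ETH_MODULE_SFF_8079_LEN;`, which has the same value in ethtool.h, and add a comment such as `/* diagnostics not implemented: only the first 256-byte page is readable */`. The function body continues outside the hunk.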
@@ -0,0 +1,41 @@ +From af0d402a0d4769be75c08fda94cabf27584a67c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Oct 2021 14:12:28 +0300 +Subject: dmaengine: at_xdmac: fix AT_XDMAC_CC_PERID() macro + +From: Claudiu Beznea + +[ Upstream commit 320c88a3104dc955f928a1eecebd551ff89530c0 ] + +AT_XDMAC_CC_PERID() should be used to setup bits 24..30 of XDMAC_CC +register. Using it without parenthesis around 0x7f & (i) will lead to +setting all the time zero for bits 24..30 of XDMAC_CC as the << operator +has higher precedence over bitwise &. Thus, add paranthesis around +0x7f & (i). + +Fixes: 15a03850ab8f ("dmaengine: at_xdmac: fix macro typo") +Signed-off-by: Claudiu Beznea +Reviewed-by: Tudor Ambarus +Link: https://lore.kernel.org/r/20211007111230.2331837-3-claudiu.beznea@microchip.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/at_xdmac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/dma/at_xdmac.c b/drivers/dma/at_xdmac.c +index 7db66f974041e..1624eee76f96a 100644 +--- a/drivers/dma/at_xdmac.c ++++ b/drivers/dma/at_xdmac.c +@@ -156,7 +156,7 @@ + #define AT_XDMAC_CC_WRIP (0x1 << 23) /* Write in Progress (read only) */ + #define AT_XDMAC_CC_WRIP_DONE (0x0 << 23) + #define AT_XDMAC_CC_WRIP_IN_PROGRESS (0x1 << 23) +-#define AT_XDMAC_CC_PERID(i) (0x7f & (i) << 24) /* Channel Peripheral Identifier */ ++#define AT_XDMAC_CC_PERID(i) ((0x7f & (i)) << 24) /* Channel Peripheral Identifier */ + #define AT_XDMAC_CDS_MSP 0x2C /* Channel Data Stride Memory Set Pattern */ + #define AT_XDMAC_CSUS 0x30 /* Channel Source Microblock Stride */ + #define AT_XDMAC_CDUS 0x34 /* Channel Destination Microblock Stride */ +-- +2.33.0 + diff --git a/queue-4.19/dmaengine-dmaengine_desc_callback_valid-check-for-ca.patch b/queue-4.19/dmaengine-dmaengine_desc_callback_valid-check-for-ca.patch new file mode 100644 index 00000000000..38bfa395707 --- /dev/null 
+++ b/queue-4.19/dmaengine-dmaengine_desc_callback_valid-check-for-ca.patch 
@@ -0,0 +1,64 @@ +From e74d1d8b7216761a60cc9964a8a056c9ca5dd4cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 23 Oct 2021 15:41:01 +0200 +Subject: dmaengine: dmaengine_desc_callback_valid(): Check for + `callback_result` + +From: Lars-Peter Clausen + +[ Upstream commit e7e1e880b114ca640a2f280b0d5d38aed98f98c6 ] + +Before the `callback_result` callback was introduced drivers coded their +invocation to the callback in a similar way to: + + if (cb->callback) { + spin_unlock(&dma->lock); + cb->callback(cb->callback_param); + spin_lock(&dma->lock); + } + +With the introduction of `callback_result` two helpers where introduced to +transparently handle both types of callbacks. And drivers where updated to +look like this: + + if (dmaengine_desc_callback_valid(cb)) { + spin_unlock(&dma->lock); + dmaengine_desc_callback_invoke(cb, ...); + spin_lock(&dma->lock); + } + +dmaengine_desc_callback_invoke() correctly handles both `callback_result` +and `callback`. But we forgot to update the dmaengine_desc_callback_valid() +function to check for `callback_result`. As a result DMA descriptors that +use the `callback_result` rather than `callback` don't have their callback +invoked by drivers that follow the pattern above. + +Fix this by checking for both `callback` and `callback_result` in +dmaengine_desc_callback_valid(). 
+ +Fixes: f067025bc676 ("dmaengine: add support to provide error result from a DMA transation") +Signed-off-by: Lars-Peter Clausen +Acked-by: Dave Jiang +Link: https://lore.kernel.org/r/20211023134101.28042-1-lars@metafoo.de +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/dmaengine.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/dma/dmaengine.h b/drivers/dma/dmaengine.h +index 501c0b063f852..302f13efd35d9 100644 +--- a/drivers/dma/dmaengine.h ++++ b/drivers/dma/dmaengine.h +@@ -168,7 +168,7 @@ dmaengine_desc_get_callback_invoke(struct dma_async_tx_descriptor *tx, + static inline bool + dmaengine_desc_callback_valid(struct dmaengine_desc_callback *cb) + { +- return (cb->callback) ? true : false; ++ return cb->callback || cb->callback_result; + } + + #endif +-- +2.33.0 + diff --git a/queue-4.19/drm-amdgpu-fix-warning-for-overflow-check.patch b/queue-4.19/drm-amdgpu-fix-warning-for-overflow-check.patch new file mode 100644 index 00000000000..2c45a265d90 --- /dev/null +++ b/queue-4.19/drm-amdgpu-fix-warning-for-overflow-check.patch 
@@ -0,0 +1,62 @@ +From 5b2ac1030647dfb93c52e5292d4c229109e7550d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Sep 2021 14:58:10 +0200 +Subject: drm/amdgpu: fix warning for overflow check +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Arnd Bergmann + +[ Upstream commit 335aea75b0d95518951cad7c4c676e6f1c02c150 ] + +The overflow check in amdgpu_bo_list_create() causes a warning with +clang-14 on 64-bit architectures, since the limit can never be +exceeded. + +drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c:74:18: error: result of comparison of constant 256204778801521549 with expression of type 'unsigned int' is always false [-Werror,-Wtautological-constant-out-of-range-compare] + if (num_entries > (SIZE_MAX - sizeof(struct amdgpu_bo_list)) + ~~~~~~~~~~~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The check remains useful for 32-bit architectures, so just avoid the +warning by using size_t as the type for the count. + +Fixes: 920990cb080a ("drm/amdgpu: allocate the bo_list array after the list") +Reviewed-by: Christian König +Signed-off-by: Arnd Bergmann +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c | 2 +- + drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c +index ce7f18c5ccb26..fda8d68a87fd6 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c +@@ -57,7 +57,7 @@ static void amdgpu_bo_list_free(struct kref *ref) + + int amdgpu_bo_list_create(struct amdgpu_device *adev, struct drm_file *filp, + struct drm_amdgpu_bo_list_entry *info, +- unsigned num_entries, struct amdgpu_bo_list **result) ++ size_t num_entries, struct amdgpu_bo_list **result) + { + unsigned last_entry = 0, first_userptr = num_entries; + struct amdgpu_bo_list_entry 
*array; +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.h +index 61b089768e1ce..64c8195426ac8 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.h +@@ -61,7 +61,7 @@ int amdgpu_bo_create_list_entry_array(struct drm_amdgpu_bo_list_in *in, + int amdgpu_bo_list_create(struct amdgpu_device *adev, + struct drm_file *filp, + struct drm_amdgpu_bo_list_entry *info, +- unsigned num_entries, ++ size_t num_entries, + struct amdgpu_bo_list **list); + + static inline struct amdgpu_bo_list_entry * +-- +2.33.0 + diff --git a/queue-4.19/drm-msm-fix-potential-null-dereference-in-dpu-sspp.patch b/queue-4.19/drm-msm-fix-potential-null-dereference-in-dpu-sspp.patch new file mode 100644 index 00000000000..ca4724629ea --- /dev/null +++ b/queue-4.19/drm-msm-fix-potential-null-dereference-in-dpu-sspp.patch 
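Review bot: With `num_entries` widened to `size_t` in `amdgpu_bo_list_create()`, the unchanged context line `unsigned last_entry = 0, first_userptr = num_entries;` now narrows implicitly on 64-bit builds. The callers are outside the hunk; if the count always originates from a 32-bit ioctl field the truncation cannot occur in practice, but the code no longer says so. Either declare those locals as `size_t` too, or add a comment at the signature stating that callers pass a 32-bit count and that `size_t` is used only to keep the `SIZE_MAX` overflow check meaningful on 32-bit. The rest of the function, including that check, is outside the hunk.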
@@ -0,0 +1,54 @@ +From bd8e0d980a9da7b4713307dc3bb6c26018e70a1a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Oct 2021 10:57:33 -0700 +Subject: drm/msm: Fix potential NULL dereference in DPU SSPP + +From: Jessica Zhang + +[ Upstream commit 8bf71a5719b6cc5b6ba358096081e5d50ea23ab6 ] + +Move initialization of sblk in _sspp_subblk_offset() after NULL check to +avoid potential NULL pointer dereference. + +Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support") +Reported-by: Dan Carpenter +Signed-off-by: Jessica Zhang +Link: https://lore.kernel.org/r/20211020175733.3379-1-jesszhan@codeaurora.org +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_hw_sspp.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_sspp.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_sspp.c +index c25b52a6b2198..7db24e9df4b9b 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_sspp.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_sspp.c +@@ -146,11 +146,13 @@ static inline int _sspp_subblk_offset(struct dpu_hw_pipe *ctx, + u32 *idx) + { + int rc = 0; +- const struct dpu_sspp_sub_blks *sblk = ctx->cap->sblk; ++ const struct dpu_sspp_sub_blks *sblk; + +- if (!ctx) ++ if (!ctx || !ctx->cap || !ctx->cap->sblk) + return -EINVAL; + ++ sblk = ctx->cap->sblk; ++ + switch (s_id) { + case DPU_SSPP_SRC: + *idx = sblk->src_blk.base; +@@ -413,7 +415,7 @@ static void _dpu_hw_sspp_setup_scaler3(struct dpu_hw_pipe *ctx, + + (void)pe; + if (_sspp_subblk_offset(ctx, DPU_SSPP_SCALER_QSEED3, &idx) || !sspp +- || !scaler3_cfg || !ctx || !ctx->cap || !ctx->cap->sblk) ++ || !scaler3_cfg) + return; + + dpu_hw_setup_scaler3(&ctx->hw, scaler3_cfg, idx, +-- +2.33.0 + diff --git a/queue-4.19/drm-msm-uninitialized-variable-in-msm_gem_import.patch b/queue-4.19/drm-msm-uninitialized-variable-in-msm_gem_import.patch new file mode 100644 index 00000000000..7fdd6bd1166 --- /dev/null 
+++ b/queue-4.19/drm-msm-uninitialized-variable-in-msm_gem_import.patch @@ -0,0 +1,52 @@ +From 8d3463ebed7ca7125f4ae0b0a62d36bf69e6049f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Oct 2021 11:13:15 +0300 +Subject: drm/msm: uninitialized variable in msm_gem_import() + +From: Dan Carpenter + +[ Upstream commit 2203bd0e5c12ffc53ffdd4fbd7b12d6ba27e0424 ] + +The msm_gem_new_impl() function cleans up after itself so there is no +need to call drm_gem_object_put(). Conceptually, it does not make sense +to call a kref_put() function until after the reference counting has +been initialized which happens immediately after this call in the +drm_gem_(private_)object_init() functions. + +In the msm_gem_import() function the "obj" pointer is uninitialized, so +it will lead to a crash. + +Fixes: 05b849111c07 ("drm/msm: prime support") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/20211013081315.GG6010@kili +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/msm_gem.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/msm/msm_gem.c b/drivers/gpu/drm/msm/msm_gem.c +index 7c0b30c955c39..c551d84444976 100644 +--- a/drivers/gpu/drm/msm/msm_gem.c ++++ b/drivers/gpu/drm/msm/msm_gem.c +@@ -965,7 +965,7 @@ static struct drm_gem_object *_msm_gem_new(struct drm_device *dev, + + ret = msm_gem_new_impl(dev, size, flags, NULL, &obj, struct_mutex_locked); + if (ret) +- goto fail; ++ return ERR_PTR(ret); + + if (use_vram) { + struct msm_gem_vma *vma; +@@ -1035,7 +1035,7 @@ struct drm_gem_object *msm_gem_import(struct drm_device *dev, + + ret = msm_gem_new_impl(dev, size, MSM_BO_WC, dmabuf->resv, &obj, false); + if (ret) +- goto fail; ++ return ERR_PTR(ret); + + drm_gem_private_object_init(dev, obj, size); + +-- +2.33.0 + 
diff --git a/queue-4.19/drm-panel-orientation-quirks-add-quirk-for-kd-kurio-.patch b/queue-4.19/drm-panel-orientation-quirks-add-quirk-for-kd-kurio-.patch new file mode 100644 index 00000000000..49ed7d18a89 --- /dev/null +++ b/queue-4.19/drm-panel-orientation-quirks-add-quirk-for-kd-kurio-.patch @@ -0,0 +1,42 @@ +From 4f102270f806c154b240923305ea1ad33ceed433 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 30 May 2021 13:04:26 +0200 +Subject: drm: panel-orientation-quirks: Add quirk for KD Kurio Smart C15200 + 2-in-1 + +From: Hans de Goede + +[ Upstream commit a53f1dd3ab9fec715c6c2e8e01bf4d3c07eef8e5 ] + +The KD Kurio Smart C15200 2-in-1 uses a panel which has been mounted 90 +degrees rotated. Add a quirk for this. + +Signed-off-by: Hans de Goede +Acked-by: Simon Ser +Link: https://patchwork.freedesktop.org/patch/msgid/20210530110428.12994-3-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_panel_orientation_quirks.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c +index 48be8590ebe81..3b70a338e5b47 100644 +--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c ++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c +@@ -170,6 +170,13 @@ static const struct dmi_system_id orientation_data[] = { + DMI_EXACT_MATCH(DMI_BOARD_NAME, "TW891"), + }, + .driver_data = (void *)&itworks_tw891, ++ }, { /* KD Kurio Smart C15200 2-in-1 */ ++ .matches = { ++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "KD Interactive"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "Kurio Smart"), ++ DMI_EXACT_MATCH(DMI_BOARD_NAME, "KDM960BCP"), ++ }, ++ .driver_data = (void *)&lcd800x1280_rightside_up, + }, { /* + * Lenovo Ideapad Miix 310 laptop, only some production batches + * have a portrait screen, the resolution checks makes the quirk +-- +2.33.0 + 
diff --git a/queue-4.19/drm-plane-helper-fix-uninitialized-variable-referenc.patch b/queue-4.19/drm-plane-helper-fix-uninitialized-variable-referenc.patch new file mode 100644 index 00000000000..de5009f503c --- /dev/null +++ b/queue-4.19/drm-plane-helper-fix-uninitialized-variable-referenc.patch @@ -0,0 +1,46 @@ +From 4a08ebd2219ad1dafdc04f3ee4cbd77c11c87b71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Oct 2021 02:37:06 -0400 +Subject: drm/plane-helper: fix uninitialized variable reference + +From: Alex Xu (Hello71) + +[ Upstream commit 7be28bd73f23e53d6e7f5fe891ba9503fc0c7210 ] + +drivers/gpu/drm/drm_plane_helper.c: In function 'drm_primary_helper_update': +drivers/gpu/drm/drm_plane_helper.c:113:32: error: 'visible' is used uninitialized [-Werror=uninitialized] + 113 | struct drm_plane_state plane_state = { + | ^~~~~~~~~~~ +drivers/gpu/drm/drm_plane_helper.c:178:14: note: 'visible' was declared here + 178 | bool visible; + | ^~~~~~~ +cc1: all warnings being treated as errors + +visible is an output, not an input. in practice this use might turn out +OK but it's still UB. + +Fixes: df86af9133b4 ("drm/plane-helper: Add drm_plane_helper_check_state()") +Reviewed-by: Simon Ser +Signed-off-by: Alex Xu (Hello71) +Signed-off-by: Simon Ser +Link: https://patchwork.freedesktop.org/patch/msgid/20211007063706.305984-1-alex_y_xu@yahoo.ca +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_plane_helper.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/gpu/drm/drm_plane_helper.c b/drivers/gpu/drm/drm_plane_helper.c +index 621f17643bb07..1f3362ce47ae2 100644 +--- a/drivers/gpu/drm/drm_plane_helper.c ++++ b/drivers/gpu/drm/drm_plane_helper.c +@@ -150,7 +150,6 @@ int drm_plane_helper_check_update(struct drm_plane *plane, + .crtc_w = drm_rect_width(dst), + .crtc_h = drm_rect_height(dst), + .rotation = rotation, +- .visible = *visible, + }; + struct drm_crtc_state crtc_state = { + .crtc = crtc, +-- +2.33.0 + 
diff --git a/queue-4.19/fs-orangefs-fix-error-return-code-of-orangefs_revali.patch b/queue-4.19/fs-orangefs-fix-error-return-code-of-orangefs_revali.patch new file mode 100644 index 00000000000..c78ec112963 --- /dev/null +++ b/queue-4.19/fs-orangefs-fix-error-return-code-of-orangefs_revali.patch @@ -0,0 +1,41 @@ +From e043209fda835777c7edba1c4a981f789de288d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Mar 2021 00:00:20 -0800 +Subject: fs: orangefs: fix error return code of orangefs_revalidate_lookup() + +From: Jia-Ju Bai + +[ Upstream commit 4c2b46c824a78fc8190d8eafaaea5a9078fe7479 ] + +When op_alloc() returns NULL to new_op, no error return code of +orangefs_revalidate_lookup() is assigned. +To fix this bug, ret is assigned with -ENOMEM in this case. + +Fixes: 8bb8aefd5afb ("OrangeFS: Change almost all instances of the string PVFS2 to OrangeFS.") +Reported-by: TOTE Robot +Signed-off-by: Jia-Ju Bai +Signed-off-by: Mike Marshall +Signed-off-by: Sasha Levin +--- + fs/orangefs/dcache.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/orangefs/dcache.c b/fs/orangefs/dcache.c +index fe484cf93e5cd..8bbe9486e3a62 100644 +--- a/fs/orangefs/dcache.c ++++ b/fs/orangefs/dcache.c +@@ -26,8 +26,10 @@ static int orangefs_revalidate_lookup(struct dentry *dentry) + gossip_debug(GOSSIP_DCACHE_DEBUG, "%s: attempting lookup.\n", __func__); + + new_op = op_alloc(ORANGEFS_VFS_OP_LOOKUP); +- if (!new_op) ++ if (!new_op) { ++ ret = -ENOMEM; + goto out_put_parent; ++ } + + new_op->upcall.req.lookup.sym_follow = ORANGEFS_LOOKUP_LINK_NO_FOLLOW; + new_op->upcall.req.lookup.parent_refn = parent->refn; +-- +2.33.0 + diff --git a/queue-4.19/gre-sit-don-t-generate-link-local-addr-if-addr_gen_m.patch b/queue-4.19/gre-sit-don-t-generate-link-local-addr-if-addr_gen_m.patch new file mode 100644 index 00000000000..e333bb7ea0f --- /dev/null +++ b/queue-4.19/gre-sit-don-t-generate-link-local-addr-if-addr_gen_m.patch 
@@ -0,0 +1,44 @@ +From 48c2b75a123797eb5d4fa5f2a622db6bcbd5b793 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Oct 2021 16:06:18 -0400 +Subject: gre/sit: Don't generate link-local addr if addr_gen_mode is + IN6_ADDR_GEN_MODE_NONE + +From: Stephen Suryaputra + +[ Upstream commit 61e18ce7348bfefb5688a8bcd4b4d6b37c0f9b2a ] + +When addr_gen_mode is set to IN6_ADDR_GEN_MODE_NONE, the link-local addr +should not be generated. But it isn't the case for GRE (as well as GRE6) +and SIT tunnels. Make it so that tunnels consider the addr_gen_mode, +especially for IN6_ADDR_GEN_MODE_NONE. + +Do this in add_v4_addrs() to cover both GRE and SIT only if the addr +scope is link. + +Signed-off-by: Stephen Suryaputra +Acked-by: Antonio Quartulli +Link: https://lore.kernel.org/r/20211020200618.467342-1-ssuryaextr@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/addrconf.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index 76c097552ea74..9d8b791f63efc 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -3054,6 +3054,9 @@ static void sit_add_v4_addrs(struct inet6_dev *idev) + memcpy(&addr.s6_addr32[3], idev->dev->dev_addr, 4); + + if (idev->dev->flags&IFF_POINTOPOINT) { ++ if (idev->cnf.addr_gen_mode == IN6_ADDR_GEN_MODE_NONE) ++ return; ++ + addr.s6_addr32[0] = htonl(0xfe800000); + scope = IFA_LINK; + plen = 64; +-- +2.33.0 + diff --git a/queue-4.19/hwmon-fix-possible-memleak-in-__hwmon_device_registe.patch b/queue-4.19/hwmon-fix-possible-memleak-in-__hwmon_device_registe.patch new file mode 100644 index 00000000000..a32042392e8 --- /dev/null +++ b/queue-4.19/hwmon-fix-possible-memleak-in-__hwmon_device_registe.patch 
@@ -0,0 +1,68 @@ +From 63899991667f4e0f0e93e3154f69005adb82e13d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Oct 2021 19:27:58 +0800 +Subject: hwmon: Fix possible memleak in __hwmon_device_register() + +From: Yang Yingliang + +[ Upstream commit ada61aa0b1184a8fda1a89a340c7d6cc4e59aee5 ] + +I got memory leak as follows when doing fault injection test: + +unreferenced object 0xffff888102740438 (size 8): + comm "27", pid 859, jiffies 4295031351 (age 143.992s) + hex dump (first 8 bytes): + 68 77 6d 6f 6e 30 00 00 hwmon0.. + backtrace: + [<00000000544b5996>] __kmalloc_track_caller+0x1a6/0x300 + [<00000000df0d62b9>] kvasprintf+0xad/0x140 + [<00000000d3d2a3da>] kvasprintf_const+0x62/0x190 + [<000000005f8f0f29>] kobject_set_name_vargs+0x56/0x140 + [<00000000b739e4b9>] dev_set_name+0xb0/0xe0 + [<0000000095b69c25>] __hwmon_device_register+0xf19/0x1e50 [hwmon] + [<00000000a7e65b52>] hwmon_device_register_with_info+0xcb/0x110 [hwmon] + [<000000006f181e86>] devm_hwmon_device_register_with_info+0x85/0x100 [hwmon] + [<0000000081bdc567>] tmp421_probe+0x2d2/0x465 [tmp421] + [<00000000502cc3f8>] i2c_device_probe+0x4e1/0xbb0 + [<00000000f90bda3b>] really_probe+0x285/0xc30 + [<000000007eac7b77>] __driver_probe_device+0x35f/0x4f0 + [<000000004953d43d>] driver_probe_device+0x4f/0x140 + [<000000002ada2d41>] __device_attach_driver+0x24c/0x330 + [<00000000b3977977>] bus_for_each_drv+0x15d/0x1e0 + [<000000005bf2a8e3>] __device_attach+0x267/0x410 + +When device_register() returns an error, the name allocated in +dev_set_name() will be leaked, the put_device() should be used +instead of calling hwmon_dev_release() to give up the device +reference, then the name will be freed in kobject_cleanup(). 
+ +Reported-by: Hulk Robot +Fixes: bab2243ce189 ("hwmon: Introduce hwmon_device_register_with_groups") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20211012112758.2681084-1-yangyingliang@huawei.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/hwmon.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwmon/hwmon.c b/drivers/hwmon/hwmon.c +index d34de21d43adb..c4051a3e63c29 100644 +--- a/drivers/hwmon/hwmon.c ++++ b/drivers/hwmon/hwmon.c +@@ -631,8 +631,10 @@ __hwmon_device_register(struct device *dev, const char *name, void *drvdata, + dev_set_drvdata(hdev, drvdata); + dev_set_name(hdev, HWMON_ID_FORMAT, id); + err = device_register(hdev); +- if (err) +- goto free_hwmon; ++ if (err) { ++ put_device(hdev); ++ goto ida_remove; ++ } + + if (dev && dev->of_node && chip && chip->ops->read && + chip->info[0]->type == hwmon_chip && +-- +2.33.0 + diff --git a/queue-4.19/hwmon-pmbus-lm25066-let-compiler-determine-outer-dim.patch b/queue-4.19/hwmon-pmbus-lm25066-let-compiler-determine-outer-dim.patch new file mode 100644 index 00000000000..e9f72e11eec --- /dev/null +++ b/queue-4.19/hwmon-pmbus-lm25066-let-compiler-determine-outer-dim.patch 
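Review bot: After the added `put_device(hdev);` in `__hwmon_device_register()`, the device's release callback may already have freed the containing object, so nothing reached through `goto ida_remove` may touch `hdev` or `hwdev`. The `ida_remove` label is outside the hunk, so that should be confirmed there. This ownership rule is easy to break in a later edit and deserves a comment at the call, for example `/* device_register() failed: put_device() frees hdev and its name via the release callback; do not use hdev after this */`.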
@@ -0,0 +1,38 @@ +From ebec1d097dc63c576fc43394852dd0bc061009f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Sep 2021 02:22:38 -0700 +Subject: hwmon: (pmbus/lm25066) Let compiler determine outer dimension of + lm25066_coeff + +From: Zev Weiss + +[ Upstream commit b7931a7b0e0df4d2a25fedd895ad32c746b77bc1 ] + +Maintaining this manually is error prone (there are currently only +five chips supported, not six); gcc can do it for us automatically. + +Signed-off-by: Zev Weiss +Fixes: 666c14906b49 ("hwmon: (pmbus/lm25066) Drop support for LM25063") +Link: https://lore.kernel.org/r/20210928092242.30036-5-zev@bewilderbeest.net +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/pmbus/lm25066.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwmon/pmbus/lm25066.c b/drivers/hwmon/pmbus/lm25066.c +index 6eafcbb75dcd9..e25b801490862 100644 +--- a/drivers/hwmon/pmbus/lm25066.c ++++ b/drivers/hwmon/pmbus/lm25066.c +@@ -60,7 +60,7 @@ struct __coeff { + #define PSC_CURRENT_IN_L (PSC_NUM_CLASSES) + #define PSC_POWER_L (PSC_NUM_CLASSES + 1) + +-static struct __coeff lm25066_coeff[6][PSC_NUM_CLASSES + 2] = { ++static struct __coeff lm25066_coeff[][PSC_NUM_CLASSES + 2] = { + [lm25056] = { + [PSC_VOLTAGE_IN] = { + .m = 16296, +-- +2.33.0 + diff --git a/queue-4.19/hwrng-mtk-force-runtime-pm-ops-for-sleep-ops.patch b/queue-4.19/hwrng-mtk-force-runtime-pm-ops-for-sleep-ops.patch new file mode 100644 index 00000000000..b6811df68f7 --- /dev/null +++ b/queue-4.19/hwrng-mtk-force-runtime-pm-ops-for-sleep-ops.patch 
@@ -0,0 +1,53 @@ +From 40dd804beea01b61477776446c3f6ae0ae61ac7b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Sep 2021 21:12:42 +0200 +Subject: hwrng: mtk - Force runtime pm ops for sleep ops + +From: Markus Schneider-Pargmann + +[ Upstream commit b6f5f0c8f72d348b2d07b20d7b680ef13a7ffe98 ] + +Currently mtk_rng_runtime_suspend/resume is called for both runtime pm +and system sleep operations. + +This is wrong as these should only be runtime ops as the name already +suggests. Currently freezing the system will lead to a call to +mtk_rng_runtime_suspend even if the device currently isn't active. This +leads to a clock warning because it is disabled/unprepared although it +isn't enabled/prepared currently. + +This patch fixes this by only setting the runtime pm ops and forces to +call the runtime pm ops from the system sleep ops as well if active but +not otherwise. + +Fixes: 81d2b34508c6 ("hwrng: mtk - add runtime PM support") +Signed-off-by: Markus Schneider-Pargmann +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/mtk-rng.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/char/hw_random/mtk-rng.c b/drivers/char/hw_random/mtk-rng.c +index 7f99cd52b40ef..8dc256c761137 100644 +--- a/drivers/char/hw_random/mtk-rng.c ++++ b/drivers/char/hw_random/mtk-rng.c +@@ -182,8 +182,13 @@ static int mtk_rng_runtime_resume(struct device *dev) + return mtk_rng_init(&priv->rng); + } + +-static UNIVERSAL_DEV_PM_OPS(mtk_rng_pm_ops, mtk_rng_runtime_suspend, +- mtk_rng_runtime_resume, NULL); ++static const struct dev_pm_ops mtk_rng_pm_ops = { ++ SET_RUNTIME_PM_OPS(mtk_rng_runtime_suspend, ++ mtk_rng_runtime_resume, NULL) ++ SET_SYSTEM_SLEEP_PM_OPS(pm_runtime_force_suspend, ++ pm_runtime_force_resume) ++}; ++ + #define MTK_RNG_PM_OPS (&mtk_rng_pm_ops) + #else /* CONFIG_PM */ + #define MTK_RNG_PM_OPS NULL +-- +2.33.0 + 
diff --git a/queue-4.19/i2c-xlr-fix-a-resource-leak-in-the-error-handling-pa.patch b/queue-4.19/i2c-xlr-fix-a-resource-leak-in-the-error-handling-pa.patch new file mode 100644 index 00000000000..58796d1763d --- /dev/null +++ b/queue-4.19/i2c-xlr-fix-a-resource-leak-in-the-error-handling-pa.patch @@ -0,0 +1,51 @@ +From 43f65fe3783ff4fc8712c542937690b38d06dbfe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Aug 2021 22:48:08 +0200 +Subject: i2c: xlr: Fix a resource leak in the error handling path of + 'xlr_i2c_probe()' + +From: Christophe JAILLET + +[ Upstream commit 7f98960c046ee1136e7096aee168eda03aef8a5d ] + +A successful 'clk_prepare()' call should be balanced by a corresponding +'clk_unprepare()' call in the error handling path of the probe, as already +done in the remove function. + +More specifically, 'clk_prepare_enable()' is used, but 'clk_disable()' is +also already called. So just the unprepare step has still to be done. + +Update the error handling path accordingly. + +Fixes: 75d31c2372e4 ("i2c: xlr: add support for Sigma Designs controller variant") +Signed-off-by: Christophe JAILLET +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-xlr.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-xlr.c b/drivers/i2c/busses/i2c-xlr.c +index 34cd4b3085402..dda6cb848405b 100644 +--- a/drivers/i2c/busses/i2c-xlr.c ++++ b/drivers/i2c/busses/i2c-xlr.c +@@ -433,11 +433,15 @@ static int xlr_i2c_probe(struct platform_device *pdev) + i2c_set_adapdata(&priv->adap, priv); + ret = i2c_add_numbered_adapter(&priv->adap); + if (ret < 0) +- return ret; ++ goto err_unprepare_clk; + + platform_set_drvdata(pdev, priv); + dev_info(&priv->adap.dev, "Added I2C Bus.\n"); + return 0; ++ ++err_unprepare_clk: ++ clk_unprepare(clk); ++ return ret; + } + + static int xlr_i2c_remove(struct platform_device *pdev) +-- +2.33.0 + 
diff --git a/queue-4.19/ia64-don-t-do-ia64_cmpxchg_debug-without-config_prin.patch b/queue-4.19/ia64-don-t-do-ia64_cmpxchg_debug-without-config_prin.patch new file mode 100644 index 00000000000..47dbb639b69 --- /dev/null +++ b/queue-4.19/ia64-don-t-do-ia64_cmpxchg_debug-without-config_prin.patch 
@@ -0,0 +1,53 @@
+From 21f207dd3caa477407196f646954cec02d9c479a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 26 Sep 2021 10:12:24 -0700
+Subject: ia64: don't do IA64_CMPXCHG_DEBUG without CONFIG_PRINTK
+
+From: Randy Dunlap
+
+[ Upstream commit c15b5fc054c3d6c97e953617605235c5cb8ce979 ]
+
+When CONFIG_PRINTK is not set, the CMPXCHG_BUGCHECK() macro calls
+_printk(), but _printk() is a static inline function, not available
+as an extern.
+Since the purpose of the macro is to print the BUGCHECK info,
+make this config option depend on PRINTK.
+
+Fixes multiple occurrences of this build error:
+
+../include/linux/printk.h:208:5: error: static declaration of '_printk' follows non-static declaration
+ 208 | int _printk(const char *s, ...)
+ | ^~~~~~~
+In file included from ../arch/ia64/include/asm/cmpxchg.h:5,
+../arch/ia64/include/uapi/asm/cmpxchg.h:146:28: note: previous declaration of '_printk' with type 'int(const char *, ...)'
+ 146 | extern int _printk(const char *fmt, ...);
+
+Cc: linux-ia64@vger.kernel.org
+Cc: Andrew Morton
+Cc: Tony Luck
+Cc: Chris Down
+Cc: Paul Gortmaker
+Cc: John Paul Adrian Glaubitz
+Signed-off-by: Randy Dunlap
+Signed-off-by: Petr Mladek
+Signed-off-by: Sasha Levin
+---
+ arch/ia64/Kconfig.debug | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/ia64/Kconfig.debug b/arch/ia64/Kconfig.debug
+index 1371efc9b0055..637ac79c29b6d 100644
+--- a/arch/ia64/Kconfig.debug
++++ b/arch/ia64/Kconfig.debug
+@@ -39,7 +39,7 @@ config DISABLE_VHPT
+
+ config IA64_DEBUG_CMPXCHG
+ bool "Turn on compare-and-exchange bug checking (slow!)"
+- depends on DEBUG_KERNEL
++ depends on DEBUG_KERNEL && PRINTK
+ help
+ Selecting this option turns on bug checking for the IA-64
+ compare-and-exchange instructions. This is slow! Itaniums
+--
+2.33.0
+
diff --git a/queue-4.19/ibmvnic-process-crqs-after-enabling-interrupts.patch b/queue-4.19/ibmvnic-process-crqs-after-enabling-interrupts.patch
new file mode 100644
index 00000000000..f7724c636b0
--- /dev/null
+++ b/queue-4.19/ibmvnic-process-crqs-after-enabling-interrupts.patch
@@ -0,0 +1,44 @@
+From a0698f216714211f07c82e5801ebfaae07234b31 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 29 Oct 2021 15:03:15 -0700
+Subject: ibmvnic: Process crqs after enabling interrupts
+
+From: Sukadev Bhattiprolu
+
+[ Upstream commit 6e20d00158f31f7631d68b86996b7e951c4451c8 ]
+
+Soon after registering a CRQ it is possible that we get a fail over or
+maybe a CRQ_INIT from the VIOS while interrupts were disabled.
+
+Look for any such CRQs after enabling interrupts.
+
+Otherwise we can intermittently fail to bring up ibmvnic adapters during
+boot, specially in kexec/kdump kernels.
+
+Fixes: 032c5e82847a ("Driver for IBM System i/p VNIC protocol")
+Reported-by: Vaishnavi Bhat
+Signed-off-by: Sukadev Bhattiprolu
+Reviewed-by: Dany Madden
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c
+index d97641b9928bb..c52c26fc44e59 100644
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -4603,6 +4603,9 @@ static int init_crq_queue(struct ibmvnic_adapter *adapter)
+ crq->cur = 0;
+ spin_lock_init(&crq->lock);
+
++ /* process any CRQs that were queued before we enabled interrupts */
++ tasklet_schedule(&adapter->tasklet);
++
+ return retrc;
+
+ req_irq_failed:
+--
+2.33.0
+
diff --git a/queue-4.19/irq-mips-avoid-nested-irq_enter.patch b/queue-4.19/irq-mips-avoid-nested-irq_enter.patch
new file mode 100644
index 00000000000..7ad75f758ee
--- /dev/null
+++ b/queue-4.19/irq-mips-avoid-nested-irq_enter.patch
@@ -0,0 +1,52 @@
+From 9122f1ade1bc96513f385f244ab0ada343c350f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 20 Oct 2021 17:25:22 +0100
+Subject: irq: mips: avoid nested irq_enter()
+
+From: Mark Rutland
+
+[ Upstream commit c65b52d02f6c1a06ddb20cba175ad49eccd6410d ]
+
+As bcm6345_l1_irq_handle() is a chained irqchip handler, it will be
+invoked within the context of the root irqchip handler, which must have
+entered IRQ context already.
+
+When bcm6345_l1_irq_handle() calls arch/mips's do_IRQ() , this will nest
+another call to irq_enter(), and the resulting nested increment to
+`rcu_data.dynticks_nmi_nesting` will cause rcu_is_cpu_rrupt_from_idle()
+to fail to identify wakeups from idle, resulting in failure to preempt,
+and RCU stalls.
+
+Chained irqchip handlers must invoke IRQ handlers by way of thee core
+irqchip code, i.e. generic_handle_irq() or generic_handle_domain_irq()
+and should not call do_IRQ(), which is intended only for root irqchip
+handlers.
+
+Fix bcm6345_l1_irq_handle() by calling generic_handle_irq() directly.
+
+Fixes: c7c42ec2baa1de7a ("irqchips/bmips: Add bcm6345-l1 interrupt controller")
+Signed-off-by: Mark Rutland
+Reviewed-by: Marc Zyngier
+Acked-by: Thomas Bogendoerfer
+Cc: Thomas Gleixner
+Signed-off-by: Sasha Levin
+---
+ drivers/irqchip/irq-bcm6345-l1.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/irqchip/irq-bcm6345-l1.c b/drivers/irqchip/irq-bcm6345-l1.c
+index 43f8abe40878a..31ea6332ecb83 100644
+--- a/drivers/irqchip/irq-bcm6345-l1.c
++++ b/drivers/irqchip/irq-bcm6345-l1.c
+@@ -143,7 +143,7 @@ static void bcm6345_l1_irq_handle(struct irq_desc *desc)
+ for_each_set_bit(hwirq, &pending, IRQS_PER_WORD) {
+ irq = irq_linear_revmap(intc->domain, base + hwirq);
+ if (irq)
+- do_IRQ(irq);
++ generic_handle_irq(irq);
+ else
+ spurious_interrupt();
+ }
+--
+2.33.0
+
diff --git a/queue-4.19/iwlwifi-mvm-disable-rx-diversity-in-powersave.patch b/queue-4.19/iwlwifi-mvm-disable-rx-diversity-in-powersave.patch
new file mode 100644
index 00000000000..6c4c170c0b0
--- /dev/null
+++ b/queue-4.19/iwlwifi-mvm-disable-rx-diversity-in-powersave.patch
@@ -0,0 +1,39 @@
+From 9dae76c070e6757991e71d995bf85a689a3f4e6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 17 Oct 2021 11:43:40 +0300
+Subject: iwlwifi: mvm: disable RX-diversity in powersave
+
+From: Johannes Berg
+
+[ Upstream commit e5322b9ab5f63536c41301150b7ce64605ce52cc ]
+
+Just like we have default SMPS mode as dynamic in powersave,
+we should not enable RX-diversity in powersave, to reduce
+power consumption when connected to a non-MIMO AP.
+
+Signed-off-by: Johannes Berg
+Signed-off-by: Luca Coelho
+Link: https://lore.kernel.org/r/iwlwifi.20211017113927.fc896bc5cdaa.I1d11da71b8a5cbe921a37058d5f578f1b14a2023@changeid
+Signed-off-by: Luca Coelho
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/utils.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/utils.c b/drivers/net/wireless/intel/iwlwifi/mvm/utils.c
+index 00712205c05f2..bc3f67e0bf334 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/utils.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/utils.c
+@@ -1018,6 +1018,9 @@ bool iwl_mvm_rx_diversity_allowed(struct iwl_mvm *mvm)
+
+ lockdep_assert_held(&mvm->mutex);
+
++ if (iwlmvm_mod_params.power_scheme != IWL_POWER_SCHEME_CAM)
++ return false;
++
+ if (num_of_ant(iwl_mvm_get_valid_rx_ant(mvm)) == 1)
+ return false;
+
+--
+2.33.0
+
diff --git a/queue-4.19/jfs-fix-memleak-in-jfs_mount.patch b/queue-4.19/jfs-fix-memleak-in-jfs_mount.patch
new file mode 100644
index 00000000000..7082e31496f
--- /dev/null
+++ b/queue-4.19/jfs-fix-memleak-in-jfs_mount.patch
@@ -0,0 +1,158 @@
+From 3ee4b3f02f5e7e0cbc56814cffa0c38f20d566c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 4 Sep 2021 10:37:41 +0800
+Subject: JFS: fix memleak in jfs_mount
+
+From: Dongliang Mu
+
+[ Upstream commit c48a14dca2cb57527dde6b960adbe69953935f10 ]
+
+In jfs_mount, when diMount(ipaimap2) fails, it goes to errout35. However,
+the following code does not free ipaimap2 allocated by diReadSpecial.
+
+Fix this by refactoring the error handling code of jfs_mount. To be
+specific, modify the lable name and free ipaimap2 when the above error
+ocurrs.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Dongliang Mu
+Signed-off-by: Dave Kleikamp
+Signed-off-by: Sasha Levin
+---
+ fs/jfs/jfs_mount.c | 51 ++++++++++++++++++++--------------------------
+ 1 file changed, 22 insertions(+), 29 deletions(-)
+
+diff --git a/fs/jfs/jfs_mount.c b/fs/jfs/jfs_mount.c
+index b5214c9ac47ac..f1a705d159043 100644
+--- a/fs/jfs/jfs_mount.c
++++ b/fs/jfs/jfs_mount.c
+@@ -93,14 +93,14 @@ int jfs_mount(struct super_block *sb)
+ * (initialize mount inode from the superblock)
+ */
+ if ((rc = chkSuper(sb))) {
+- goto errout20;
++ goto out;
+ }
+
+ ipaimap = diReadSpecial(sb, AGGREGATE_I, 0);
+ if (ipaimap == NULL) {
+ jfs_err("jfs_mount: Failed to read AGGREGATE_I");
+ rc = -EIO;
+- goto errout20;
++ goto out;
+ }
+ sbi->ipaimap = ipaimap;
+
+@@ -111,7 +111,7 @@ int jfs_mount(struct super_block *sb)
+ */
+ if ((rc = diMount(ipaimap))) {
+ jfs_err("jfs_mount: diMount(ipaimap) failed w/rc = %d", rc);
+- goto errout21;
++ goto err_ipaimap;
+ }
+
+ /*
+@@ -120,7 +120,7 @@ int jfs_mount(struct super_block *sb)
+ ipbmap = diReadSpecial(sb, BMAP_I, 0);
+ if (ipbmap == NULL) {
+ rc = -EIO;
+- goto errout22;
++ goto err_umount_ipaimap;
+ }
+
+ jfs_info("jfs_mount: ipbmap:0x%p", ipbmap);
+@@ -132,7 +132,7 @@ int jfs_mount(struct super_block *sb)
+ */
+ if ((rc = dbMount(ipbmap))) {
+ jfs_err("jfs_mount: dbMount failed w/rc = %d", rc);
+- goto errout22;
++ goto err_ipbmap;
+
}
+
+ /*
+@@ -151,7 +151,7 @@ int jfs_mount(struct super_block *sb)
+ if (!ipaimap2) {
+ jfs_err("jfs_mount: Failed to read AGGREGATE_I");
+ rc = -EIO;
+- goto errout35;
++ goto err_umount_ipbmap;
+ }
+ sbi->ipaimap2 = ipaimap2;
+
+@@ -163,7 +163,7 @@ int jfs_mount(struct super_block *sb)
+ if ((rc = diMount(ipaimap2))) {
+ jfs_err("jfs_mount: diMount(ipaimap2) failed, rc = %d",
+ rc);
+- goto errout35;
++ goto err_ipaimap2;
+ }
+ } else
+ /* Secondary aggregate inode table is not valid */
+@@ -180,7 +180,7 @@ int jfs_mount(struct super_block *sb)
+ jfs_err("jfs_mount: Failed to read FILESYSTEM_I");
+ /* open fileset secondary inode allocation map */
+ rc = -EIO;
+- goto errout40;
++ goto err_umount_ipaimap2;
+ }
+ jfs_info("jfs_mount: ipimap:0x%p", ipimap);
+
+@@ -190,41 +190,34 @@ int jfs_mount(struct super_block *sb)
+ /* initialize fileset inode allocation map */
+ if ((rc = diMount(ipimap))) {
+ jfs_err("jfs_mount: diMount failed w/rc = %d", rc);
+- goto errout41;
++ goto err_ipimap;
+ }
+
+- goto out;
++ return rc;
+
+ /*
+ * unwind on error
+ */
+- errout41: /* close fileset inode allocation map inode */
++err_ipimap:
++ /* close fileset inode allocation map inode */
+ diFreeSpecial(ipimap);
+-
+- errout40: /* fileset closed */
+-
++err_umount_ipaimap2:
+ /* close secondary aggregate inode allocation map */
+- if (ipaimap2) {
++ if (ipaimap2)
+ diUnmount(ipaimap2, 1);
++err_ipaimap2:
++ /* close aggregate inodes */
++ if (ipaimap2)
+ diFreeSpecial(ipaimap2);
+- }
+-
+- errout35:
+-
+- /* close aggregate block allocation map */
++err_umount_ipbmap: /* close aggregate block allocation map */
+ dbUnmount(ipbmap, 1);
++err_ipbmap: /* close aggregate inodes */
+ diFreeSpecial(ipbmap);
+-
+- errout22: /* close aggregate inode allocation map */
+-
++err_umount_ipaimap: /* close aggregate inode allocation map */
+ diUnmount(ipaimap, 1);
+-
+- errout21: /* close aggregate inodes */
++err_ipaimap: /* close aggregate inodes */
+ diFreeSpecial(ipaimap);
+- errout20: /*
aggregate closed */
+-
+- out:
+-
++out:
+ if (rc)
+ jfs_err("Mount JFS Failure: %d", rc);
+
+--
+2.33.0
+
diff --git a/queue-4.19/kvm-s390-fix-handle_sske-page-fault-handling.patch b/queue-4.19/kvm-s390-fix-handle_sske-page-fault-handling.patch
new file mode 100644
index 00000000000..fd63c5bdb97
--- /dev/null
+++ b/queue-4.19/kvm-s390-fix-handle_sske-page-fault-handling.patch
@@ -0,0 +1,46 @@
+From d60f55466749e866dd021ddc3c3cf325d0481212 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 22 Oct 2021 17:26:48 +0200
+Subject: KVM: s390: Fix handle_sske page fault handling
+
+From: Janis Schoetterl-Glausch
+
+[ Upstream commit 85f517b29418158d3e6e90c3f0fc01b306d2f1a1 ]
+
+If handle_sske cannot set the storage key, because there is no
+page table entry or no present large page entry, it calls
+fixup_user_fault.
+However, currently, if the call succeeds, handle_sske returns
+-EAGAIN, without having set the storage key.
+Instead, retry by continue'ing the loop without incrementing the
+address.
+The same issue in handle_pfmf was fixed by
+a11bdb1a6b78 ("KVM: s390: Fix pfmf and conditional skey emulation").
+
+Fixes: bd096f644319 ("KVM: s390: Add skey emulation fault handling")
+Signed-off-by: Janis Schoetterl-Glausch
+Reviewed-by: Christian Borntraeger
+Reviewed-by: Claudio Imbrenda
+Link: https://lore.kernel.org/r/20211022152648.26536-1-scgl@linux.ibm.com
+Signed-off-by: Christian Borntraeger
+Signed-off-by: Sasha Levin
+---
+ arch/s390/kvm/priv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/s390/kvm/priv.c b/arch/s390/kvm/priv.c
+index 8679bd74d337a..9abdfb8b1a1ea 100644
+--- a/arch/s390/kvm/priv.c
++++ b/arch/s390/kvm/priv.c
+@@ -397,6 +397,8 @@ static int handle_sske(struct kvm_vcpu *vcpu)
+ up_read(¤t->mm->mmap_sem);
+ if (rc == -EFAULT)
+ return kvm_s390_inject_program_int(vcpu, PGM_ADDRESSING);
++ if (rc == -EAGAIN)
++ continue;
+ if (rc < 0)
+ return rc;
+ start += PAGE_SIZE;
+--
+2.33.0
+
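Review bot: On the new `err_ipaimap2` and `err_ipaimap` paths the inode is released with diFreeSpecial() while `sbi->ipaimap2` and `sbi->ipaimap`, assigned earlier in the function, still point at it. Whether anything reads those fields after a failed mount is outside these hunks, but clearing the field next to the free keeps a stale pointer from surviving the error path, for example `sbi->ipaimap2 = NULL;` after `diFreeSpecial(ipaimap2);` and `sbi->ipaimap = NULL;` after `diFreeSpecial(ipaimap);`. If `ipbmap` is stored in the superblock info the same way (not visible here), `err_ipbmap` would need the same treatment. jfs_mount begins and ends outside the hunks.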
diff --git a/queue-4.19/leaking_addresses-always-print-a-trailing-newline.patch b/queue-4.19/leaking_addresses-always-print-a-trailing-newline.patch
new file mode 100644
index 00000000000..a59318e8832
--- /dev/null
+++ b/queue-4.19/leaking_addresses-always-print-a-trailing-newline.patch
@@ -0,0 +1,44 @@
+From 124d132bbf2be9980036626ccbdaa9cd384b5d04 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 29 Sep 2021 15:02:18 -0700
+Subject: leaking_addresses: Always print a trailing newline
+
+From: Kees Cook
+
+[ Upstream commit cf2a85efdade117e2169d6e26641016cbbf03ef0 ]
+
+For files that lack trailing newlines and match a leaking address (e.g.
+wchan[1]), the leaking_addresses.pl report would run together with the
+next line, making things look corrupted.
+
+Unconditionally remove the newline on input, and write it back out on
+output.
+
+[1] https://lore.kernel.org/all/20210103142726.GC30643@xsang-OptiPlex-9020/
+
+Signed-off-by: Kees Cook
+Signed-off-by: Peter Zijlstra (Intel)
+Link: https://lkml.kernel.org/r/20211008111626.151570317@infradead.org
+Signed-off-by: Sasha Levin
+---
+ scripts/leaking_addresses.pl | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/scripts/leaking_addresses.pl b/scripts/leaking_addresses.pl
+index 6a897788f5a7e..6e4b0f7ae38cf 100755
+--- a/scripts/leaking_addresses.pl
++++ b/scripts/leaking_addresses.pl
+@@ -456,8 +456,9 @@ sub parse_file
+
+ open my $fh, "<", $file or return;
+ while ( <$fh> ) {
++ chomp;
+ if (may_leak_address($_)) {
+- print $file . ': ' . $_;
++ printf("$file: $_\n");
+ }
+ }
+ close $fh;
+--
+2.33.0
+
diff --git a/queue-4.19/lib-xz-avoid-overlapping-memcpy-with-invalid-input-w.patch b/queue-4.19/lib-xz-avoid-overlapping-memcpy-with-invalid-input-w.patch
new file mode 100644
index 00000000000..1b412ce4896
--- /dev/null
+++ b/queue-4.19/lib-xz-avoid-overlapping-memcpy-with-invalid-input-w.patch
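Review bot: The new `printf("$file: $_\n");` in parse_file uses the interpolated path and file contents as the format string, so any `%` in a scanned line or file name is parsed as a conversion instead of being printed. The reported line comes straight from the files the script reads, so the output can be mangled or produce missing-argument warnings. Keeping the data out of the format avoids this: `print "$file: $_\n";` or `printf("%s: %s\n", $file, $_);`. parse_file starts above the hunk.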
@@ -0,0 +1,91 @@
+From 510be8b8b3aed3362f37cc3b7c9723c6f31d54d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 11 Oct 2021 05:31:39 +0800
+Subject: lib/xz: Avoid overlapping memcpy() with invalid input with in-place
+ decompression
+
+From: Lasse Collin
+
+[ Upstream commit 83d3c4f22a36d005b55f44628f46cc0d319a75e8 ]
+
+With valid files, the safety margin described in lib/decompress_unxz.c
+ensures that these buffers cannot overlap. But if the uncompressed size
+of the input is larger than the caller thought, which is possible when
+the input file is invalid/corrupt, the buffers can overlap. Obviously
+the result will then be garbage (and usually the decoder will return
+an error too) but no other harm will happen when such an over-run occurs.
+
+This change only affects uncompressed LZMA2 chunks and so this
+should have no effect on performance.
+
+Link: https://lore.kernel.org/r/20211010213145.17462-2-xiang@kernel.org
+Signed-off-by: Lasse Collin
+Signed-off-by: Gao Xiang
+Signed-off-by: Sasha Levin
+---
+ lib/decompress_unxz.c | 2 +-
+ lib/xz/xz_dec_lzma2.c | 21 +++++++++++++++++++--
+ 2 files changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/lib/decompress_unxz.c b/lib/decompress_unxz.c
+index 25d59a95bd668..abea25310ac73 100644
+--- a/lib/decompress_unxz.c
++++ b/lib/decompress_unxz.c
+@@ -167,7 +167,7 @@
+ * memeq and memzero are not used much and any remotely sane implementation
+ * is fast enough. memcpy/memmove speed matters in multi-call mode, but
+ * the kernel image is decompressed in single-call mode, in which only
+- * memcpy speed can matter and only if there is a lot of uncompressible data
++ * memmove speed can matter and only if there is a lot of uncompressible data
+ * (LZMA2 stores uncompressible chunks in uncompressed form). Thus, the
+ * functions below should just be kept small; it's probably not worth
+ * optimizing for speed.
+diff --git a/lib/xz/xz_dec_lzma2.c b/lib/xz/xz_dec_lzma2.c
+index 08c3c80499983..2c5197d6b944d 100644
+--- a/lib/xz/xz_dec_lzma2.c
++++ b/lib/xz/xz_dec_lzma2.c
+@@ -387,7 +387,14 @@ static void dict_uncompressed(struct dictionary *dict, struct xz_buf *b,
+
+ *left -= copy_size;
+
+- memcpy(dict->buf + dict->pos, b->in + b->in_pos, copy_size);
++ /*
++ * If doing in-place decompression in single-call mode and the
++ * uncompressed size of the file is larger than the caller
++ * thought (i.e. it is invalid input!), the buffers below may
++ * overlap and cause undefined behavior with memcpy().
++ * With valid inputs memcpy() would be fine here.
++ */
++ memmove(dict->buf + dict->pos, b->in + b->in_pos, copy_size);
+ dict->pos += copy_size;
+
+ if (dict->full < dict->pos)
+@@ -397,7 +404,11 @@ static void dict_uncompressed(struct dictionary *dict, struct xz_buf *b,
+ if (dict->pos == dict->end)
+ dict->pos = 0;
+
+- memcpy(b->out + b->out_pos, b->in + b->in_pos,
++ /*
++ * Like above but for multi-call mode: use memmove()
++ * to avoid undefined behavior with invalid input.
++ */
++ memmove(b->out + b->out_pos, b->in + b->in_pos,
+ copy_size);
+ }
+
+@@ -421,6 +432,12 @@ static uint32_t dict_flush(struct dictionary *dict, struct xz_buf *b)
+ if (dict->pos == dict->end)
+ dict->pos = 0;
+
++ /*
++ * These buffers cannot overlap even if doing in-place
++ * decompression because in multi-call mode dict->buf
++ * has been allocated by us in this file; it's not
++ * provided by the caller like in single-call mode.
++ */
+ memcpy(b->out + b->out_pos, dict->buf + dict->start,
+ copy_size);
+ }
+--
+2.33.0
+
diff --git a/queue-4.19/lib-xz-validate-the-value-before-assigning-it-to-an-.patch b/queue-4.19/lib-xz-validate-the-value-before-assigning-it-to-an-.patch
new file mode 100644
index 00000000000..1a0181bc6fe
--- /dev/null
+++ b/queue-4.19/lib-xz-validate-the-value-before-assigning-it-to-an-.patch
@@ -0,0 +1,51 @@
+From e9b8be77303878766ca2e358c74ff416f4708bcf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 11 Oct 2021 05:31:40 +0800
+Subject: lib/xz: Validate the value before assigning it to an enum variable
+
+From: Lasse Collin
+
+[ Upstream commit 4f8d7abaa413c34da9d751289849dbfb7c977d05 ]
+
+This might matter, for example, if the underlying type of enum xz_check
+was a signed char. In such a case the validation wouldn't have caught an
+unsupported header. I don't know if this problem can occur in the kernel
+on any arch but it's still good to fix it because some people might copy
+the XZ code to their own projects from Linux instead of the upstream
+XZ Embedded repository.
+
+This change may increase the code size by a few bytes. An alternative
+would have been to use an unsigned int instead of enum xz_check but
+using an enumeration looks cleaner.
+
+Link: https://lore.kernel.org/r/20211010213145.17462-3-xiang@kernel.org
+Signed-off-by: Lasse Collin
+Signed-off-by: Gao Xiang
+Signed-off-by: Sasha Levin
+---
+ lib/xz/xz_dec_stream.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/xz/xz_dec_stream.c b/lib/xz/xz_dec_stream.c
+index bd1d182419d7e..0b161f90d8d80 100644
+--- a/lib/xz/xz_dec_stream.c
++++ b/lib/xz/xz_dec_stream.c
+@@ -402,12 +402,12 @@ static enum xz_ret dec_stream_header(struct xz_dec *s)
+ * we will accept other check types too, but then the check won't
+ * be verified and a warning (XZ_UNSUPPORTED_CHECK) will be given.
+ */
++ if (s->temp.buf[HEADER_MAGIC_SIZE + 1] > XZ_CHECK_MAX)
++ return XZ_OPTIONS_ERROR;
++
+ s->check_type = s->temp.buf[HEADER_MAGIC_SIZE + 1];
+
+ #ifdef XZ_DEC_ANY_CHECK
+- if (s->check_type > XZ_CHECK_MAX)
+- return XZ_OPTIONS_ERROR;
+-
+ if (s->check_type > XZ_CHECK_CRC32)
+ return XZ_UNSUPPORTED_CHECK;
+ #else
+--
+2.33.0
+
diff --git a/queue-4.19/libertas-fix-possible-memory-leak-in-probe-and-disco.patch b/queue-4.19/libertas-fix-possible-memory-leak-in-probe-and-disco.patch
new file mode 100644
index 00000000000..807a9fcc67d
--- /dev/null
+++ b/queue-4.19/libertas-fix-possible-memory-leak-in-probe-and-disco.patch
@@ -0,0 +1,72 @@
+From bfc2ed937a82f732dc3807f3f3165b6c0a66632d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 20 Oct 2021 20:03:45 +0800
+Subject: libertas: Fix possible memory leak in probe and disconnect
+
+From: Wang Hai
+
+[ Upstream commit 9692151e2fe7a326bafe99836fd1f20a2cc3a049 ]
+
+I got memory leak as follows when doing fault injection test:
+
+unreferenced object 0xffff88812c7d7400 (size 512):
+ comm "kworker/6:1", pid 176, jiffies 4295003332 (age 822.830s)
+ hex dump (first 32 bytes):
+ 00 68 1e 04 81 88 ff ff 01 00 00 00 00 00 00 00 .h..............
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [] slab_post_alloc_hook+0x9c/0x490
+ [] kmem_cache_alloc_trace+0x1f7/0x470
+ [] if_usb_probe+0x63/0x446 [usb8xxx]
+ [] usb_probe_interface+0x1aa/0x3c0 [usbcore]
+ [] really_probe+0x190/0x480
+ [] __driver_probe_device+0xf9/0x180
+ [] driver_probe_device+0x53/0x130
+ [] __device_attach_driver+0x105/0x130
+ [] bus_for_each_drv+0x129/0x190
+ [] __device_attach+0x1c9/0x270
+ [] device_initial_probe+0x20/0x30
+ [] bus_probe_device+0x142/0x160
+ [] device_add+0x829/0x1300
+ [] usb_set_configuration+0xb01/0xcc0 [usbcore]
+ [] usb_generic_driver_probe+0x6e/0x90 [usbcore]
+ [] usb_probe_device+0x6f/0x130 [usbcore]
+
+cardp is missing being freed in the error handling path of the probe
+and the path of the disconnect, which will cause memory leak.
+
+This patch adds the missing kfree().
+
+Fixes: 876c9d3aeb98 ("[PATCH] Marvell Libertas 8388 802.11b/g USB driver")
+Reported-by: Hulk Robot
+Signed-off-by: Wang Hai
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20211020120345.2016045-3-wanghai38@huawei.com
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/marvell/libertas/if_usb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wireless/marvell/libertas/if_usb.c b/drivers/net/wireless/marvell/libertas/if_usb.c
+index 9e82ec12564bb..f29a154d995c8 100644
+--- a/drivers/net/wireless/marvell/libertas/if_usb.c
++++ b/drivers/net/wireless/marvell/libertas/if_usb.c
+@@ -288,6 +288,7 @@ err_add_card:
+ if_usb_reset_device(cardp);
+ dealloc:
+ if_usb_free(cardp);
++ kfree(cardp);
+
+ error:
+ return r;
+@@ -312,6 +313,7 @@ static void if_usb_disconnect(struct usb_interface *intf)
+
+ /* Unlink and free urb */
+ if_usb_free(cardp);
++ kfree(cardp);
+
+ usb_set_intfdata(intf, NULL);
+ usb_put_dev(interface_to_usbdev(intf));
+--
+2.33.0
+
diff --git a/queue-4.19/libertas_tf-fix-possible-memory-leak-in-probe-and-di.patch b/queue-4.19/libertas_tf-fix-possible-memory-leak-in-probe-and-di.patch
new file mode 100644
index 00000000000..c07704d15a2
--- /dev/null
+++ b/queue-4.19/libertas_tf-fix-possible-memory-leak-in-probe-and-di.patch
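Review bot: In if_usb_disconnect the added `kfree(cardp);` runs while the interface data still refers to cardp, because `usb_set_intfdata(intf, NULL);` comes after the free. The free is also only safe if if_usb_free(), whose body is outside the hunk, has stopped every URB, timer or firmware callback that can still reach cardp, and that should be confirmed for both the probe error path and disconnect. Clearing the interface data first narrows the window for a stale pointer: move `usb_set_intfdata(intf, NULL);` above `kfree(cardp);`. The same ordering appears in the libertas_tf patch that follows.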
@@ -0,0 +1,72 @@
+From 64febb318b4a1f66669c221b827dc71066b7e643 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 20 Oct 2021 20:03:44 +0800
+Subject: libertas_tf: Fix possible memory leak in probe and disconnect
+
+From: Wang Hai
+
+[ Upstream commit d549107305b4634c81223a853701c06bcf657bc3 ]
+
+I got memory leak as follows when doing fault injection test:
+
+unreferenced object 0xffff88810a2ddc00 (size 512):
+ comm "kworker/6:1", pid 176, jiffies 4295009893 (age 757.220s)
+ hex dump (first 32 bytes):
+ 00 50 05 18 81 88 ff ff 00 00 00 00 00 00 00 00 .P..............
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [] slab_post_alloc_hook+0x9c/0x490
+ [] kmem_cache_alloc_trace+0x1f7/0x470
+ [] if_usb_probe+0x60/0x37c [libertas_tf_usb]
+ [] usb_probe_interface+0x1aa/0x3c0 [usbcore]
+ [] really_probe+0x190/0x480
+ [] __driver_probe_device+0xf9/0x180
+ [] driver_probe_device+0x53/0x130
+ [] __device_attach_driver+0x105/0x130
+ [] bus_for_each_drv+0x129/0x190
+ [] __device_attach+0x1c9/0x270
+ [] device_initial_probe+0x20/0x30
+ [] bus_probe_device+0x142/0x160
+ [] device_add+0x829/0x1300
+ [] usb_set_configuration+0xb01/0xcc0 [usbcore]
+ [] usb_generic_driver_probe+0x6e/0x90 [usbcore]
+ [] usb_probe_device+0x6f/0x130 [usbcore]
+
+cardp is missing being freed in the error handling path of the probe
+and the path of the disconnect, which will cause memory leak.
+
+This patch adds the missing kfree().
+
+Fixes: c305a19a0d0a ("libertas_tf: usb specific functions")
+Reported-by: Hulk Robot
+Signed-off-by: Wang Hai
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20211020120345.2016045-2-wanghai38@huawei.com
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/marvell/libertas_tf/if_usb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wireless/marvell/libertas_tf/if_usb.c b/drivers/net/wireless/marvell/libertas_tf/if_usb.c
+index 6ede6168bd85a..60941c319b421 100644
+--- a/drivers/net/wireless/marvell/libertas_tf/if_usb.c
++++ b/drivers/net/wireless/marvell/libertas_tf/if_usb.c
+@@ -234,6 +234,7 @@ static int if_usb_probe(struct usb_interface *intf,
+
+ dealloc:
+ if_usb_free(cardp);
++ kfree(cardp);
+ error:
+ lbtf_deb_leave(LBTF_DEB_MAIN);
+ return -ENOMEM;
+@@ -258,6 +259,7 @@ static void if_usb_disconnect(struct usb_interface *intf)
+
+ /* Unlink and free urb */
+ if_usb_free(cardp);
++ kfree(cardp);
+
+ usb_set_intfdata(intf, NULL);
+ usb_put_dev(interface_to_usbdev(intf));
+--
+2.33.0
+
diff --git a/queue-4.19/llc-fix-out-of-bound-array-index-in-llc_sk_dev_hash.patch b/queue-4.19/llc-fix-out-of-bound-array-index-in-llc_sk_dev_hash.patch
new file mode 100644
index 00000000000..39a4a955d40
--- /dev/null
+++ b/queue-4.19/llc-fix-out-of-bound-array-index-in-llc_sk_dev_hash.patch
@@ -0,0 +1,68 @@
+From c9fc64c05b44f58372f6bd243dd23243c887d914 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 5 Nov 2021 14:42:14 -0700
+Subject: llc: fix out-of-bound array index in llc_sk_dev_hash()
+
+From: Eric Dumazet
+
+[ Upstream commit 8ac9dfd58b138f7e82098a4e0a0d46858b12215b ]
+
+Both ifindex and LLC_SK_DEV_HASH_ENTRIES are signed.
+
+This means that (ifindex % LLC_SK_DEV_HASH_ENTRIES) is negative
+if @ifindex is negative.
+
+We could simply make LLC_SK_DEV_HASH_ENTRIES unsigned.
+
+In this patch I chose to use hash_32() to get more entropy
+from @ifindex, like llc_sk_laddr_hashfn().
+
+UBSAN: array-index-out-of-bounds in ./include/net/llc.h:75:26
+index -43 is out of range for type 'hlist_head [64]'
+CPU: 1 PID: 20999 Comm: syz-executor.3 Not tainted 5.15.0-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
+ ubsan_epilogue+0xb/0x5a lib/ubsan.c:151
+ __ubsan_handle_out_of_bounds.cold+0x62/0x6c lib/ubsan.c:291
+ llc_sk_dev_hash include/net/llc.h:75 [inline]
+ llc_sap_add_socket+0x49c/0x520 net/llc/llc_conn.c:697
+ llc_ui_bind+0x680/0xd70 net/llc/af_llc.c:404
+ __sys_bind+0x1e9/0x250 net/socket.c:1693
+ __do_sys_bind net/socket.c:1704 [inline]
+ __se_sys_bind net/socket.c:1702 [inline]
+ __x64_sys_bind+0x6f/0xb0 net/socket.c:1702
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+RIP: 0033:0x7fa503407ae9
+
+Fixes: 6d2e3ea28446 ("llc: use a device based hash table to speed up multicast delivery")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Signed-off-by: David S.
Miller
+Signed-off-by: Sasha Levin
+---
+ include/net/llc.h | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/include/net/llc.h b/include/net/llc.h
+index df282d9b40170..9c10b121b49b0 100644
+--- a/include/net/llc.h
++++ b/include/net/llc.h
+@@ -72,7 +72,9 @@ struct llc_sap {
+ static inline
+ struct hlist_head *llc_sk_dev_hash(struct llc_sap *sap, int ifindex)
+ {
+- return &sap->sk_dev_hash[ifindex % LLC_SK_DEV_HASH_ENTRIES];
++ u32 bucket = hash_32(ifindex, LLC_SK_DEV_HASH_BITS);
++
++ return &sap->sk_dev_hash[bucket];
+ }
+
+ static inline
+--
+2.33.0
+
diff --git a/queue-4.19/locking-lockdep-avoid-rcu-induced-noinstr-fail.patch b/queue-4.19/locking-lockdep-avoid-rcu-induced-noinstr-fail.patch
new file mode 100644
index 00000000000..fca3f9eb9a1
--- /dev/null
+++ b/queue-4.19/locking-lockdep-avoid-rcu-induced-noinstr-fail.patch
@@ -0,0 +1,34 @@
+From 187b43cbd749cc0dda3b4b25d4529224d2d0f058 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 24 Jun 2021 11:41:10 +0200
+Subject: locking/lockdep: Avoid RCU-induced noinstr fail
+
+From: Peter Zijlstra
+
+[ Upstream commit ce0b9c805dd66d5e49fd53ec5415ae398f4c56e6 ]
+
+vmlinux.o: warning: objtool: look_up_lock_class()+0xc7: call to rcu_read_lock_any_held() leaves .noinstr.text section
+
+Signed-off-by: Peter Zijlstra (Intel)
+Link: https://lore.kernel.org/r/20210624095148.311980536@infradead.org
+Signed-off-by: Sasha Levin
+---
+ kernel/locking/lockdep.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c
+index 126c6d524a0f2..4dc79f57af827 100644
+--- a/kernel/locking/lockdep.c
++++ b/kernel/locking/lockdep.c
+@@ -689,7 +689,7 @@ look_up_lock_class(const struct lockdep_map *lock, unsigned int subclass)
+ if (DEBUG_LOCKS_WARN_ON(!irqs_disabled()))
+ return NULL;
+
+- hlist_for_each_entry_rcu(class, hash_head, hash_entry) {
++ hlist_for_each_entry_rcu_notrace(class, hash_head, hash_entry) {
+ if (class->key == key) {
+ /*
+ * Huh! same key, different name? Did someone trample
+--
+2.33.0
+
diff --git a/queue-4.19/m68k-set-a-default-value-for-memory_reserve.patch b/queue-4.19/m68k-set-a-default-value-for-memory_reserve.patch
new file mode 100644
index 00000000000..1bdbdefdec4
--- /dev/null
+++ b/queue-4.19/m68k-set-a-default-value-for-memory_reserve.patch
@@ -0,0 +1,50 @@
+From 678a81cf3816d1edc133b58bb99ff50c7743ec4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 2 Oct 2021 17:02:23 -0700
+Subject: m68k: set a default value for MEMORY_RESERVE
+
+From: Randy Dunlap
+
+[ Upstream commit 1aaa557b2db95c9506ed0981bc34505c32d6b62b ]
+
+'make randconfig' can produce a .config file with
+"CONFIG_MEMORY_RESERVE=" (no value) since it has no default.
+When a subsequent 'make all' is done, kconfig restarts the config
+and prompts for a value for MEMORY_RESERVE. This breaks
+scripting/automation where there is no interactive user input.
+
+Add a default value for MEMORY_RESERVE. (Any integer value will
+work here for kconfig.)
+
+Fixes a kconfig warning:
+
+.config:214:warning: symbol value '' invalid for MEMORY_RESERVE
+* Restart config...
+Memory reservation (MiB) (MEMORY_RESERVE) [] (NEW)
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") # from beginning of git history
+Signed-off-by: Randy Dunlap
+Reviewed-by: Geert Uytterhoeven
+Cc: Greg Ungerer
+Cc: linux-m68k@lists.linux-m68k.org
+Signed-off-by: Greg Ungerer
+Signed-off-by: Sasha Levin
+---
+ arch/m68k/Kconfig.machine | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/m68k/Kconfig.machine b/arch/m68k/Kconfig.machine
+index 64a6414677360..0c451081432ab 100644
+--- a/arch/m68k/Kconfig.machine
++++ b/arch/m68k/Kconfig.machine
+@@ -185,6 +185,7 @@ config INIT_LCD
+ config MEMORY_RESERVE
+ int "Memory reservation (MiB)"
+ depends on (UCSIMM || UCDIMM)
++ default 0
+ help
+ Reserve certain memory regions on 68x328 based boards.
+
+--
+2.33.0
+
diff --git a/queue-4.19/media-cx23885-fix-snd_card_free-call-on-null-card-po.patch b/queue-4.19/media-cx23885-fix-snd_card_free-call-on-null-card-po.patch
new file mode 100644
index 00000000000..7ac023a6eab
--- /dev/null
+++ b/queue-4.19/media-cx23885-fix-snd_card_free-call-on-null-card-po.patch
@@ -0,0 +1,50 @@
+From aa081060d1a996fd7bb9642c6c2962fbb0834673 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 4 Aug 2021 10:50:10 +0200
+Subject: media: cx23885: Fix snd_card_free call on null card pointer
+
+From: Colin Ian King
+
+[ Upstream commit 7266dda2f1dfe151b12ef0c14eb4d4e622fb211c ]
+
+Currently a call to snd_card_new that fails will set card with a NULL
+pointer, this causes a null pointer dereference on the error cleanup
+path when card it passed to snd_card_free. Fix this by adding a new
+error exit path that does not call snd_card_free and exiting via this
+new path.
+
+Addresses-Coverity: ("Explicit null dereference")
+
+Fixes: 9e44d63246a9 ("[media] cx23885: Add ALSA support")
+Signed-off-by: Colin Ian King
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/pci/cx23885/cx23885-alsa.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/pci/cx23885/cx23885-alsa.c b/drivers/media/pci/cx23885/cx23885-alsa.c
+index db1e8ff35474a..150106eb36052 100644
+--- a/drivers/media/pci/cx23885/cx23885-alsa.c
++++ b/drivers/media/pci/cx23885/cx23885-alsa.c
+@@ -559,7 +559,7 @@ struct cx23885_audio_dev *cx23885_audio_register(struct cx23885_dev *dev)
+ SNDRV_DEFAULT_IDX1, SNDRV_DEFAULT_STR1,
+ THIS_MODULE, sizeof(struct cx23885_audio_dev), &card);
+ if (err < 0)
+- goto error;
++ goto error_msg;
+
+ chip = (struct cx23885_audio_dev *) card->private_data;
+ chip->dev = dev;
+@@ -585,6 +585,7 @@ struct cx23885_audio_dev *cx23885_audio_register(struct cx23885_dev *dev)
+
+ error:
+ snd_card_free(card);
++error_msg:
+ pr_err("%s(): Failed to register analog audio adapter\n",
+ __func__);
+
+--
+2.33.0
+
diff --git a/queue-4.19/media-dvb-frontends-mn88443x-handle-errors-of-clk_pr.patch b/queue-4.19/media-dvb-frontends-mn88443x-handle-errors-of-clk_pr.patch
new file mode 100644
index 00000000000..7beeb27bd09
--- /dev/null
+++ b/queue-4.19/media-dvb-frontends-mn88443x-handle-errors-of-clk_pr.patch 
@@ -0,0 +1,80 @@ +From 32f5e0d0ca4df6931420343d5b0fd1713e6b3ae0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 22 Aug 2021 11:48:03 +0200 +Subject: media: dvb-frontends: mn88443x: Handle errors of clk_prepare_enable() + +From: Evgeny Novikov + +[ Upstream commit 69a10678e2fba3d182e78ea041f2d1b1a6058764 ] + +mn88443x_cmn_power_on() did not handle possible errors of +clk_prepare_enable() and always finished successfully so that its caller +mn88443x_probe() did not care about failed preparing/enabling of clocks +as well. + +Add missed error handling in both mn88443x_cmn_power_on() and +mn88443x_probe(). This required to change the return value of the former +from "void" to "int". + +Found by Linux Driver Verification project (linuxtesting.org). + +Fixes: 0f408ce8941f ("media: dvb-frontends: add Socionext MN88443x ISDB-S/T demodulator driver") +Signed-off-by: Evgeny Novikov +Co-developed-by: Kirill Shilimanov +Signed-off-by: Kirill Shilimanov +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-frontends/mn88443x.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/dvb-frontends/mn88443x.c b/drivers/media/dvb-frontends/mn88443x.c +index 9ec1aeef03d5a..53981ff9422e0 100644 +--- a/drivers/media/dvb-frontends/mn88443x.c ++++ b/drivers/media/dvb-frontends/mn88443x.c +@@ -204,11 +204,18 @@ struct mn88443x_priv { + struct regmap *regmap_t; + }; + +-static void mn88443x_cmn_power_on(struct mn88443x_priv *chip) ++static int mn88443x_cmn_power_on(struct mn88443x_priv *chip) + { ++ struct device *dev = &chip->client_s->dev; + struct regmap *r_t = chip->regmap_t; ++ int ret; + +- clk_prepare_enable(chip->mclk); ++ ret = clk_prepare_enable(chip->mclk); ++ if (ret) { ++ dev_err(dev, "Failed to prepare and enable mclk: %d\n", ++ ret); ++ return ret; ++ } + + gpiod_set_value_cansleep(chip->reset_gpio, 1); + usleep_range(100, 1000); +@@ -222,6 +229,8 @@ 
static void mn88443x_cmn_power_on(struct mn88443x_priv *chip) + } else { + regmap_write(r_t, HIZSET3, 0x8f); + } ++ ++ return 0; + } + + static void mn88443x_cmn_power_off(struct mn88443x_priv *chip) +@@ -738,7 +747,10 @@ static int mn88443x_probe(struct i2c_client *client, + chip->fe.demodulator_priv = chip; + i2c_set_clientdata(client, chip); + +- mn88443x_cmn_power_on(chip); ++ ret = mn88443x_cmn_power_on(chip); ++ if (ret) ++ goto err_i2c_t; ++ + mn88443x_s_sleep(chip); + mn88443x_t_sleep(chip); + +-- +2.33.0 + diff --git a/queue-4.19/media-dvb-usb-fix-ununit-value-in-az6027_rc_query.patch b/queue-4.19/media-dvb-usb-fix-ununit-value-in-az6027_rc_query.patch new file mode 100644 index 00000000000..cc02b26716d --- /dev/null +++ b/queue-4.19/media-dvb-usb-fix-ununit-value-in-az6027_rc_query.patch 
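Review bot: The new error path in `mn88443x_cmn_power_on()` covers only `clk_prepare_enable()`; the `regmap_write(r_t, HIZSET3, 0x8f)` visible in the second inner hunk still discards its return value, so a failed register write during power-on is reported as success by the added `return 0;`. Checking it is small: `ret = regmap_write(r_t, HIZSET3, 0x8f);`, then disable `mclk` again and `return ret;` on failure. In `mn88443x_probe()` the new `goto err_i2c_t` is taken when the clock was never enabled, so that label must not reach a clock disable; its body is outside the hunk and should be confirmed.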
@@ -0,0 +1,39 @@
+From db3e5c3db200bdb601aaa735fdcbf4108d18086d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 13 Aug 2021 16:34:20 +0200
+Subject: media: dvb-usb: fix ununit-value in az6027_rc_query
+
+From: Pavel Skripkin
+
+[ Upstream commit afae4ef7d5ad913cab1316137854a36bea6268a5 ]
+
+Syzbot reported ununit-value bug in az6027_rc_query(). The problem was
+in missing state pointer initialization. Since this function does nothing
+we can simply initialize state to REMOTE_NO_KEY_PRESSED.
+
+Reported-and-tested-by: syzbot+2cd8c5db4a85f0a04142@syzkaller.appspotmail.com
+
+Fixes: 76f9a820c867 ("V4L/DVB: AZ6027: Initial import of the driver")
+Signed-off-by: Pavel Skripkin
+Signed-off-by: Sean Young
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/usb/dvb-usb/az6027.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/usb/dvb-usb/az6027.c b/drivers/media/usb/dvb-usb/az6027.c
+index 6321b8e302612..990719727dc37 100644
+--- a/drivers/media/usb/dvb-usb/az6027.c
++++ b/drivers/media/usb/dvb-usb/az6027.c
+@@ -394,6 +394,7 @@ static struct rc_map_table rc_map_az6027_table[] = {
+ /* remote control stuff (does not work with my box) */
+ static int az6027_rc_query(struct dvb_usb_device *d, u32 *event, int *state)
+ {
++ *state = REMOTE_NO_KEY_PRESSED;
+ return 0;
+ }
+
+--
+2.33.0
+
diff --git a/queue-4.19/media-em28xx-add-missing-em28xx_close_extension.patch b/queue-4.19/media-em28xx-add-missing-em28xx_close_extension.patch
new file mode 100644
index 00000000000..659f1ce9b0a
--- /dev/null
+++ b/queue-4.19/media-em28xx-add-missing-em28xx_close_extension.patch
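Review bot: `az6027_rc_query()` now writes `*state` but still leaves its other out-parameter `*event` untouched while returning success. The caller is outside the hunk; if it reads `event` only for a pressed key this is harmless, but the same class of uninitialised read that syzbot reported returns as soon as a caller looks at it unconditionally. Adding `*event = 0;` next to the new line makes both outputs defined.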
@@ -0,0 +1,44 @@
+From b1b00286b993dab611cc14d4f6de89c857c781f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 29 Jul 2021 22:23:33 +0200
+Subject: media: em28xx: add missing em28xx_close_extension
+
+From: Pavel Skripkin
+
+[ Upstream commit 2c98b8a3458df03abdc6945bbef67ef91d181938 ]
+
+If em28xx dev has ->dev_next pointer, we need to delete ->dev_next list
+node from em28xx_extension_devlist on disconnect to avoid UAF bugs and
+corrupted list bugs, since driver frees this pointer on disconnect.
+
+Reported-and-tested-by: syzbot+a6969ef522a36d3344c9@syzkaller.appspotmail.com
+
+Fixes: 1a23f81b7dc3 ("V4L/DVB (9979): em28xx: move usb probe code to a proper place")
+Signed-off-by: Pavel Skripkin
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/usb/em28xx/em28xx-cards.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/em28xx/em28xx-cards.c b/drivers/media/usb/em28xx/em28xx-cards.c
+index 3f59a98dbf9a1..ec608f60d2c75 100644
+--- a/drivers/media/usb/em28xx/em28xx-cards.c
++++ b/drivers/media/usb/em28xx/em28xx-cards.c
+@@ -4030,8 +4030,11 @@ static void em28xx_usb_disconnect(struct usb_interface *intf)
+
+ em28xx_close_extension(dev);
+
+- if (dev->dev_next)
++ if (dev->dev_next) {
++ em28xx_close_extension(dev->dev_next);
+ em28xx_release_resources(dev->dev_next);
++ }
++
+ em28xx_release_resources(dev);
+
+ if (dev->dev_next) {
+--
+2.33.0
+
diff --git a/queue-4.19/media-em28xx-don-t-use-ops-suspend-if-it-is-null.patch b/queue-4.19/media-em28xx-don-t-use-ops-suspend-if-it-is-null.patch
new file mode 100644
index 00000000000..940747751c5
--- /dev/null
+++ b/queue-4.19/media-em28xx-don-t-use-ops-suspend-if-it-is-null.patch
@@ -0,0 +1,43 @@
+From 44468884cba616ab501e0c26cdb644347b37b620 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 17 Sep 2021 18:07:02 +0200
+Subject: media: em28xx: Don't use ops->suspend if it is NULL
+
+From: Colin Ian King
+
+[ Upstream commit 51fa3b70d27342baf1ea8aaab3e96e5f4f26d5b2 ]
+
+The call to ops->suspend for the dev->dev_next case can currently
+trigger a call on a null function pointer if ops->suspend is null.
+Skip over the use of function ops->suspend if it is null.
+
+Addresses-Coverity: ("Dereference after null check")
+
+Fixes: be7fd3c3a8c5 ("media: em28xx: Hauppauge DualHD second tuner functionality")
+Signed-off-by: Colin Ian King
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/usb/em28xx/em28xx-core.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/em28xx/em28xx-core.c b/drivers/media/usb/em28xx/em28xx-core.c
+index d0f95a5cb4d23..437651307056f 100644
+--- a/drivers/media/usb/em28xx/em28xx-core.c
++++ b/drivers/media/usb/em28xx/em28xx-core.c
+@@ -1151,8 +1151,9 @@ int em28xx_suspend_extension(struct em28xx *dev)
+ dev_info(&dev->intf->dev, "Suspending extensions\n");
+ mutex_lock(&em28xx_devlist_mutex);
+ list_for_each_entry(ops, &em28xx_extension_devlist, next) {
+- if (ops->suspend)
+- ops->suspend(dev);
++ if (!ops->suspend)
++ continue;
++ ops->suspend(dev);
+ if (dev->dev_next)
+ ops->suspend(dev->dev_next);
+ }
+--
+2.33.0
+
diff --git a/queue-4.19/media-mceusb-return-without-resubmitting-urb-in-case.patch b/queue-4.19/media-mceusb-return-without-resubmitting-urb-in-case.patch
new file mode 100644
index 00000000000..dee86f5cbc6
--- /dev/null
+++ b/queue-4.19/media-mceusb-return-without-resubmitting-urb-in-case.patch
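Review bot: The guard added in `em28xx_suspend_extension()` protects only the suspend callback, and the resume counterpart is not touched by this patch. If the resume loop over `em28xx_extension_devlist` (outside the hunk) has the same shape, a checked call for `dev` followed by an unchecked `ops->resume(dev->dev_next)`, it carries the identical NULL function-pointer call and needs `if (!ops->resume) continue;` as well. Fixing both in one change keeps the two loops symmetric and avoids a second backport for the same defect.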
@@ -0,0 +1,40 @@
+From 999dea242a59cd5cbd66e6d52b2ddfbdcce509bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 18 Aug 2021 22:31:10 +0200
+Subject: media: mceusb: return without resubmitting URB in case of -EPROTO
+ error.
+
+From: Rajat Asthana
+
+[ Upstream commit 476db72e521983ecb847e4013b263072bb1110fc ]
+
+Syzkaller reported a warning called "rcu detected stall in dummy_timer".
+
+The error seems to be an error in mceusb_dev_recv(). In the case of
+-EPROTO error, the routine immediately resubmits the URB. Instead it
+should return without resubmitting URB.
+
+Reported-by: syzbot+4d3749e9612c2cfab956@syzkaller.appspotmail.com
+Signed-off-by: Rajat Asthana
+Signed-off-by: Sean Young
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/rc/mceusb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/rc/mceusb.c b/drivers/media/rc/mceusb.c
+index 845583e2af4d5..cf4bcf7c62f2e 100644
+--- a/drivers/media/rc/mceusb.c
++++ b/drivers/media/rc/mceusb.c
+@@ -1323,6 +1323,7 @@ static void mceusb_dev_recv(struct urb *urb)
+ case -ECONNRESET:
+ case -ENOENT:
+ case -EILSEQ:
++ case -EPROTO:
+ case -ESHUTDOWN:
+ usb_unlink_urb(urb);
+ return;
+--
+2.33.0
+
diff --git a/queue-4.19/media-mt9p031-fix-corrupted-frame-after-restarting-s.patch b/queue-4.19/media-mt9p031-fix-corrupted-frame-after-restarting-s.patch
new file mode 100644
index 00000000000..c21174d430e
--- /dev/null
+++ b/queue-4.19/media-mt9p031-fix-corrupted-frame-after-restarting-s.patch
@@ -0,0 +1,89 @@ +From 08af22223e275578565d5c4d3d0167f303db1928 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jul 2021 09:35:15 +0200 +Subject: media: mt9p031: Fix corrupted frame after restarting stream + +From: Dirk Bender + +[ Upstream commit 0961ba6dd211a4a52d1dd4c2d59be60ac2dc08c7 ] + +To prevent corrupted frames after starting and stopping the sensor its +datasheet specifies a specific pause sequence to follow: + +Stopping: + Set Pause_Restart Bit -> Set Restart Bit -> Set Chip_Enable Off + +Restarting: + Set Chip_Enable On -> Clear Pause_Restart Bit + +The Restart Bit is cleared automatically and must not be cleared +manually as this would cause undefined behavior. + +Signed-off-by: Dirk Bender +Signed-off-by: Stefan Riedmueller +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/mt9p031.c | 28 +++++++++++++++++++++++++++- + 1 file changed, 27 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/i2c/mt9p031.c b/drivers/media/i2c/mt9p031.c +index 715be3632b01a..eb08acf43e3a2 100644 +--- a/drivers/media/i2c/mt9p031.c ++++ b/drivers/media/i2c/mt9p031.c +@@ -81,7 +81,9 @@ + #define MT9P031_PIXEL_CLOCK_INVERT (1 << 15) + #define MT9P031_PIXEL_CLOCK_SHIFT(n) ((n) << 8) + #define MT9P031_PIXEL_CLOCK_DIVIDE(n) ((n) << 0) +-#define MT9P031_FRAME_RESTART 0x0b ++#define MT9P031_RESTART 0x0b ++#define MT9P031_FRAME_PAUSE_RESTART (1 << 1) ++#define MT9P031_FRAME_RESTART (1 << 0) + #define MT9P031_SHUTTER_DELAY 0x0c + #define MT9P031_RST 0x0d + #define MT9P031_RST_ENABLE 1 +@@ -448,9 +450,23 @@ static int mt9p031_set_params(struct mt9p031 *mt9p031) + static int mt9p031_s_stream(struct v4l2_subdev *subdev, int enable) + { + struct mt9p031 *mt9p031 = to_mt9p031(subdev); ++ struct i2c_client *client = v4l2_get_subdevdata(subdev); ++ int val; + int ret; + + if (!enable) { ++ /* enable pause restart */ ++ val = MT9P031_FRAME_PAUSE_RESTART; ++ ret = mt9p031_write(client, MT9P031_RESTART, 
val); ++ if (ret < 0) ++ return ret; ++ ++ /* enable restart + keep pause restart set */ ++ val |= MT9P031_FRAME_RESTART; ++ ret = mt9p031_write(client, MT9P031_RESTART, val); ++ if (ret < 0) ++ return ret; ++ + /* Stop sensor readout */ + ret = mt9p031_set_output_control(mt9p031, + MT9P031_OUTPUT_CONTROL_CEN, 0); +@@ -470,6 +486,16 @@ static int mt9p031_s_stream(struct v4l2_subdev *subdev, int enable) + if (ret < 0) + return ret; + ++ /* ++ * - clear pause restart ++ * - don't clear restart as clearing restart manually can cause ++ * undefined behavior ++ */ ++ val = MT9P031_FRAME_RESTART; ++ ret = mt9p031_write(client, MT9P031_RESTART, val); ++ if (ret < 0) ++ return ret; ++ + return mt9p031_pll_enable(mt9p031); + } + +-- +2.33.0 + diff --git a/queue-4.19/media-mtk-vpu-fix-a-resource-leak-in-the-error-handl.patch b/queue-4.19/media-mtk-vpu-fix-a-resource-leak-in-the-error-handl.patch new file mode 100644 index 00000000000..2a6c6047ba4 --- /dev/null +++ b/queue-4.19/media-mtk-vpu-fix-a-resource-leak-in-the-error-handl.patch 
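Review bot: In the start path of `mt9p031_s_stream()` the new comment says the restart bit is only "not cleared", but `val = MT9P031_FRAME_RESTART;` followed by the write to `MT9P031_RESTART` actively stores a 1 in that bit while clearing pause-restart. If writing it as set is the intended way to avoid a manual clear, the comment should say so, e.g. `/* clear pause restart; write restart as 1, the sensor clears it by itself */`. Separately, in the stop path a failure of the second register write or of `mt9p031_set_output_control()` returns with pause-restart still set and nothing in the hunk undoes it, so the error path leaves the sensor in the paused state; the rest of the function is outside the hunk.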
@@ -0,0 +1,52 @@
+From 4187183d4d92bdf95bed00e7206bbbdc9c005440 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 19 Aug 2021 22:21:25 +0200
+Subject: media: mtk-vpu: Fix a resource leak in the error handling path of
+ 'mtk_vpu_probe()'
+
+From: Christophe JAILLET
+
+[ Upstream commit 2143ad413c05c7be24c3a92760e367b7f6aaac92 ]
+
+A successful 'clk_prepare()' call should be balanced by a corresponding
+'clk_unprepare()' call in the error handling path of the probe, as already
+done in the remove function.
+
+Update the error handling path accordingly.
+
+Fixes: 3003a180ef6b ("[media] VPU: mediatek: support Mediatek VPU")
+Signed-off-by: Christophe JAILLET
+Reviewed-by: Houlong Wei
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/platform/mtk-vpu/mtk_vpu.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/mtk-vpu/mtk_vpu.c b/drivers/media/platform/mtk-vpu/mtk_vpu.c
+index f8d35e3ac1dcc..9b57fb2857285 100644
+--- a/drivers/media/platform/mtk-vpu/mtk_vpu.c
++++ b/drivers/media/platform/mtk-vpu/mtk_vpu.c
+@@ -818,7 +818,8 @@ static int mtk_vpu_probe(struct platform_device *pdev)
+ vpu->wdt.wq = create_singlethread_workqueue("vpu_wdt");
+ if (!vpu->wdt.wq) {
+ dev_err(dev, "initialize wdt workqueue failed\n");
+- return -ENOMEM;
++ ret = -ENOMEM;
++ goto clk_unprepare;
+ }
+ INIT_WORK(&vpu->wdt.ws, vpu_wdt_reset_func);
+ mutex_init(&vpu->vpu_mutex);
+@@ -917,6 +918,8 @@ disable_vpu_clk:
+ vpu_clock_disable(vpu);
+ workqueue_destroy:
+ destroy_workqueue(vpu->wdt.wq);
++clk_unprepare:
++ clk_unprepare(vpu->clk);
+
+ return ret;
+ }
+--
+2.33.0
+
diff --git a/queue-4.19/media-netup_unidvb-handle-interrupt-properly-accordi.patch b/queue-4.19/media-netup_unidvb-handle-interrupt-properly-accordi.patch
new file mode 100644
index 00000000000..cb30635b1f9
--- /dev/null
+++ b/queue-4.19/media-netup_unidvb-handle-interrupt-properly-accordi.patch
@@ -0,0 +1,178 @@ +From 7b48eaf21fb73609f51931d6724de358df20f443 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Jun 2021 08:01:05 +0200 +Subject: media: netup_unidvb: handle interrupt properly according to the + firmware + +From: Zheyu Ma + +[ Upstream commit dbb4cfea6efe979ed153bd59a6a527a90d3d0ab3 ] + +The interrupt handling should be related to the firmware version. If +the driver matches an old firmware, then the driver should not handle +interrupt such as i2c or dma, otherwise it will cause some errors. + +This log reveals it: + +[ 27.708641] INFO: trying to register non-static key. +[ 27.710851] The code is fine but needs lockdep annotation, or maybe +[ 27.712010] you didn't initialize this object before use? +[ 27.712396] turning off the locking correctness validator. +[ 27.712787] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 5.12.4-g70e7f0549188-dirty #169 +[ 27.713349] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 +[ 27.714149] Call Trace: +[ 27.714329] +[ 27.714480] dump_stack+0xba/0xf5 +[ 27.714737] register_lock_class+0x873/0x8f0 +[ 27.715052] ? __lock_acquire+0x323/0x1930 +[ 27.715353] __lock_acquire+0x75/0x1930 +[ 27.715636] lock_acquire+0x1dd/0x3e0 +[ 27.715905] ? netup_i2c_interrupt+0x19/0x310 +[ 27.716226] _raw_spin_lock_irqsave+0x4b/0x60 +[ 27.716544] ? 
netup_i2c_interrupt+0x19/0x310 +[ 27.716863] netup_i2c_interrupt+0x19/0x310 +[ 27.717178] netup_unidvb_isr+0xd3/0x160 +[ 27.717467] __handle_irq_event_percpu+0x53/0x3e0 +[ 27.717808] handle_irq_event_percpu+0x35/0x90 +[ 27.718129] handle_irq_event+0x39/0x60 +[ 27.718409] handle_fasteoi_irq+0xc2/0x1d0 +[ 27.718707] __common_interrupt+0x7f/0x150 +[ 27.719008] common_interrupt+0xb4/0xd0 +[ 27.719289] +[ 27.719446] asm_common_interrupt+0x1e/0x40 +[ 27.719747] RIP: 0010:native_safe_halt+0x17/0x20 +[ 27.720084] Code: 07 0f 00 2d 8b ee 4c 00 f4 5d c3 0f 1f 84 00 00 00 00 00 8b 05 72 95 17 02 55 48 89 e5 85 c0 7e 07 0f 00 2d 6b ee 4c 00 fb f4 <5d> c3 cc cc cc cc cc cc cc 55 48 89 e5 e8 67 53 ff ff 8b 0d 29 f6 +[ 27.721386] RSP: 0018:ffffc9000008fe90 EFLAGS: 00000246 +[ 27.721758] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000 +[ 27.722262] RDX: 0000000000000000 RSI: ffffffff85f7c054 RDI: ffffffff85ded4e6 +[ 27.722770] RBP: ffffc9000008fe90 R08: 0000000000000001 R09: 0000000000000001 +[ 27.723277] R10: 0000000000000000 R11: 0000000000000001 R12: ffffffff86a75408 +[ 27.723781] R13: 0000000000000000 R14: 0000000000000000 R15: ffff888100260000 +[ 27.724289] default_idle+0x9/0x10 +[ 27.724537] arch_cpu_idle+0xa/0x10 +[ 27.724791] default_idle_call+0x6e/0x250 +[ 27.725082] do_idle+0x1f0/0x2d0 +[ 27.725326] cpu_startup_entry+0x18/0x20 +[ 27.725613] start_secondary+0x11f/0x160 +[ 27.725902] secondary_startup_64_no_verify+0xb0/0xbb +[ 27.726272] BUG: kernel NULL pointer dereference, address: 0000000000000002 +[ 27.726768] #PF: supervisor read access in kernel mode +[ 27.727138] #PF: error_code(0x0000) - not-present page +[ 27.727507] PGD 8000000118688067 P4D 8000000118688067 PUD 10feab067 PMD 0 +[ 27.727999] Oops: 0000 [#1] PREEMPT SMP PTI +[ 27.728302] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 5.12.4-g70e7f0549188-dirty #169 +[ 27.728861] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 +[ 
27.729660] RIP: 0010:netup_i2c_interrupt+0x23/0x310 +[ 27.730019] Code: 0f 1f 80 00 00 00 00 55 48 89 e5 41 55 41 54 53 48 89 fb e8 af 6e 95 fd 48 89 df e8 e7 9f 1c 01 49 89 c5 48 8b 83 48 08 00 00 <66> 44 8b 60 02 44 89 e0 48 8b 93 48 08 00 00 83 e0 f8 66 89 42 02 +[ 27.731339] RSP: 0018:ffffc90000118e90 EFLAGS: 00010046 +[ 27.731716] RAX: 0000000000000000 RBX: ffff88810803c4d8 RCX: 0000000000000000 +[ 27.732223] RDX: 0000000000000001 RSI: ffffffff85d37b94 RDI: ffff88810803c4d8 +[ 27.732727] RBP: ffffc90000118ea8 R08: 0000000000000000 R09: 0000000000000001 +[ 27.733239] R10: ffff88810803c4f0 R11: 61646e6f63657320 R12: 0000000000000000 +[ 27.733745] R13: 0000000000000046 R14: ffff888101041000 R15: ffff8881081b2400 +[ 27.734251] FS: 0000000000000000(0000) GS:ffff88817bc80000(0000) knlGS:0000000000000000 +[ 27.734821] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 27.735228] CR2: 0000000000000002 CR3: 0000000108194000 CR4: 00000000000006e0 +[ 27.735735] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 27.736241] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 27.736744] Call Trace: +[ 27.736924] +[ 27.737074] netup_unidvb_isr+0xd3/0x160 +[ 27.737363] __handle_irq_event_percpu+0x53/0x3e0 +[ 27.737706] handle_irq_event_percpu+0x35/0x90 +[ 27.738028] handle_irq_event+0x39/0x60 +[ 27.738306] handle_fasteoi_irq+0xc2/0x1d0 +[ 27.738602] __common_interrupt+0x7f/0x150 +[ 27.738899] common_interrupt+0xb4/0xd0 +[ 27.739176] +[ 27.739331] asm_common_interrupt+0x1e/0x40 +[ 27.739633] RIP: 0010:native_safe_halt+0x17/0x20 +[ 27.739967] Code: 07 0f 00 2d 8b ee 4c 00 f4 5d c3 0f 1f 84 00 00 00 00 00 8b 05 72 95 17 02 55 48 89 e5 85 c0 7e 07 0f 00 2d 6b ee 4c 00 fb f4 <5d> c3 cc cc cc cc cc cc cc 55 48 89 e5 e8 67 53 ff ff 8b 0d 29 f6 +[ 27.741275] RSP: 0018:ffffc9000008fe90 EFLAGS: 00000246 +[ 27.741647] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000 +[ 27.742148] RDX: 0000000000000000 RSI: ffffffff85f7c054 RDI: 
ffffffff85ded4e6 +[ 27.742652] RBP: ffffc9000008fe90 R08: 0000000000000001 R09: 0000000000000001 +[ 27.743154] R10: 0000000000000000 R11: 0000000000000001 R12: ffffffff86a75408 +[ 27.743652] R13: 0000000000000000 R14: 0000000000000000 R15: ffff888100260000 +[ 27.744157] default_idle+0x9/0x10 +[ 27.744405] arch_cpu_idle+0xa/0x10 +[ 27.744658] default_idle_call+0x6e/0x250 +[ 27.744948] do_idle+0x1f0/0x2d0 +[ 27.745190] cpu_startup_entry+0x18/0x20 +[ 27.745475] start_secondary+0x11f/0x160 +[ 27.745761] secondary_startup_64_no_verify+0xb0/0xbb +[ 27.746123] Modules linked in: +[ 27.746348] Dumping ftrace buffer: +[ 27.746596] (ftrace buffer empty) +[ 27.746852] CR2: 0000000000000002 +[ 27.747094] ---[ end trace ebafd46f83ab946d ]--- +[ 27.747424] RIP: 0010:netup_i2c_interrupt+0x23/0x310 +[ 27.747778] Code: 0f 1f 80 00 00 00 00 55 48 89 e5 41 55 41 54 53 48 89 fb e8 af 6e 95 fd 48 89 df e8 e7 9f 1c 01 49 89 c5 48 8b 83 48 08 00 00 <66> 44 8b 60 02 44 89 e0 48 8b 93 48 08 00 00 83 e0 f8 66 89 42 02 +[ 27.749082] RSP: 0018:ffffc90000118e90 EFLAGS: 00010046 +[ 27.749461] RAX: 0000000000000000 RBX: ffff88810803c4d8 RCX: 0000000000000000 +[ 27.749966] RDX: 0000000000000001 RSI: ffffffff85d37b94 RDI: ffff88810803c4d8 +[ 27.750471] RBP: ffffc90000118ea8 R08: 0000000000000000 R09: 0000000000000001 +[ 27.750976] R10: ffff88810803c4f0 R11: 61646e6f63657320 R12: 0000000000000000 +[ 27.751480] R13: 0000000000000046 R14: ffff888101041000 R15: ffff8881081b2400 +[ 27.751986] FS: 0000000000000000(0000) GS:ffff88817bc80000(0000) knlGS:0000000000000000 +[ 27.752560] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 27.752970] CR2: 0000000000000002 CR3: 0000000108194000 CR4: 00000000000006e0 +[ 27.753481] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 27.753984] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 27.754487] Kernel panic - not syncing: Fatal exception in interrupt +[ 27.755033] Dumping ftrace buffer: +[ 27.755279] (ftrace buffer 
empty) +[ 27.755534] Kernel Offset: disabled +[ 27.755785] Rebooting in 1 seconds.. + +Signed-off-by: Zheyu Ma +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + .../pci/netup_unidvb/netup_unidvb_core.c | 27 +++++++++++-------- + 1 file changed, 16 insertions(+), 11 deletions(-) + +diff --git a/drivers/media/pci/netup_unidvb/netup_unidvb_core.c b/drivers/media/pci/netup_unidvb/netup_unidvb_core.c +index ead59fabd15ff..de3fc62810e6c 100644 +--- a/drivers/media/pci/netup_unidvb/netup_unidvb_core.c ++++ b/drivers/media/pci/netup_unidvb/netup_unidvb_core.c +@@ -267,19 +267,24 @@ static irqreturn_t netup_unidvb_isr(int irq, void *dev_id) + if ((reg40 & AVL_IRQ_ASSERTED) != 0) { + /* IRQ is being signaled */ + reg_isr = readw(ndev->bmmio0 + REG_ISR); +- if (reg_isr & NETUP_UNIDVB_IRQ_I2C0) { +- iret = netup_i2c_interrupt(&ndev->i2c[0]); +- } else if (reg_isr & NETUP_UNIDVB_IRQ_I2C1) { +- iret = netup_i2c_interrupt(&ndev->i2c[1]); +- } else if (reg_isr & NETUP_UNIDVB_IRQ_SPI) { ++ if (reg_isr & NETUP_UNIDVB_IRQ_SPI) + iret = netup_spi_interrupt(ndev->spi); +- } else if (reg_isr & NETUP_UNIDVB_IRQ_DMA1) { +- iret = netup_dma_interrupt(&ndev->dma[0]); +- } else if (reg_isr & NETUP_UNIDVB_IRQ_DMA2) { +- iret = netup_dma_interrupt(&ndev->dma[1]); +- } else if (reg_isr & NETUP_UNIDVB_IRQ_CI) { +- iret = netup_ci_interrupt(ndev); ++ else if (!ndev->old_fw) { ++ if (reg_isr & NETUP_UNIDVB_IRQ_I2C0) { ++ iret = netup_i2c_interrupt(&ndev->i2c[0]); ++ } else if (reg_isr & NETUP_UNIDVB_IRQ_I2C1) { ++ iret = netup_i2c_interrupt(&ndev->i2c[1]); ++ } else if (reg_isr & NETUP_UNIDVB_IRQ_DMA1) { ++ iret = netup_dma_interrupt(&ndev->dma[0]); ++ } else if (reg_isr & NETUP_UNIDVB_IRQ_DMA2) { ++ iret = netup_dma_interrupt(&ndev->dma[1]); ++ } else if (reg_isr & NETUP_UNIDVB_IRQ_CI) { ++ iret = netup_ci_interrupt(ndev); ++ } else { ++ goto err; ++ } + } else { ++err: + dev_err(&pci_dev->dev, + "%s(): unknown interrupt 0x%x\n", + __func__, 
reg_isr); +-- +2.33.0 + diff --git a/queue-4.19/media-rcar-csi2-add-checking-to-rcsi2_start_receiver.patch b/queue-4.19/media-rcar-csi2-add-checking-to-rcsi2_start_receiver.patch new file mode 100644 index 00000000000..e8a0c247eb5 --- /dev/null +++ b/queue-4.19/media-rcar-csi2-add-checking-to-rcsi2_start_receiver.patch @@ -0,0 +1,45 @@ +From addfa37c1356fa09313a40d0d0b159f35bf0ab39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Aug 2021 19:18:16 +0200 +Subject: media: rcar-csi2: Add checking to rcsi2_start_receiver() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nadezda Lutovinova + +[ Upstream commit fc41665498332ad394b7db37f23e9394096ddc71 ] + +If rcsi2_code_to_fmt() return NULL, then null pointer dereference occurs +in the next cycle. That should not be possible now but adding checking +protects from future bugs. +The patch adds checking if format is NULL. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Nadezda Lutovinova +Reviewed-by: Jacopo Mondi +Reviewed-by: Niklas Söderlund +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/rcar-vin/rcar-csi2.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/media/platform/rcar-vin/rcar-csi2.c b/drivers/media/platform/rcar-vin/rcar-csi2.c +index dc5ae8025832a..23f55514b002a 100644 +--- a/drivers/media/platform/rcar-vin/rcar-csi2.c ++++ b/drivers/media/platform/rcar-vin/rcar-csi2.c +@@ -474,6 +474,8 @@ static int rcsi2_start(struct rcar_csi2 *priv) + + /* Code is validated in set_fmt. */ + format = rcsi2_code_to_fmt(priv->mf.code); ++ if (!format) ++ return -EINVAL; + + /* + * Enable all Virtual Channels. +-- +2.33.0 + diff --git a/queue-4.19/media-s5p-mfc-add-checking-to-s5p_mfc_probe.patch b/queue-4.19/media-s5p-mfc-add-checking-to-s5p_mfc_probe.patch new file mode 100644 index 00000000000..3ad9803c4b4 --- /dev/null 
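Review bot: The `goto err` added to `netup_unidvb_isr()` jumps into the body of the sibling `else` branch, and the outer `if` now mixes an unbraced arm with braced ones, which makes the interrupt dispatch harder to audit than it needs to be. A flag set in the two "not handled" cases gives the same dispatch without the label, as in the excerpt below. With old firmware every I2C, DMA or CI interrupt now reaches the error print from hard-IRQ context, so the excerpt also switches it to `dev_err_ratelimited()` to keep a misbehaving device from flooding the log. Whether the interrupt is still acknowledged after that branch is decided outside the hunk and should be checked.

```c
	/* … with the other locals of netup_unidvb_isr() … */
	bool known = true;

	/* … unchanged: reg40 check and read of REG_ISR into reg_isr … */
		if (reg_isr & NETUP_UNIDVB_IRQ_SPI)
			iret = netup_spi_interrupt(ndev->spi);
		else if (ndev->old_fw)
			known = false;	/* old firmware: only SPI is serviced */
		else if (reg_isr & NETUP_UNIDVB_IRQ_I2C0)
			iret = netup_i2c_interrupt(&ndev->i2c[0]);
		else if (reg_isr & NETUP_UNIDVB_IRQ_I2C1)
			iret = netup_i2c_interrupt(&ndev->i2c[1]);
		else if (reg_isr & NETUP_UNIDVB_IRQ_DMA1)
			iret = netup_dma_interrupt(&ndev->dma[0]);
		else if (reg_isr & NETUP_UNIDVB_IRQ_DMA2)
			iret = netup_dma_interrupt(&ndev->dma[1]);
		else if (reg_isr & NETUP_UNIDVB_IRQ_CI)
			iret = netup_ci_interrupt(ndev);
		else
			known = false;

		if (!known)
			dev_err_ratelimited(&pci_dev->dev,
				"%s(): unknown interrupt 0x%x\n",
				__func__, reg_isr);
```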
+++ b/queue-4.19/media-s5p-mfc-add-checking-to-s5p_mfc_probe.patch
@@ -0,0 +1,41 @@
+From cf6bfeb32239e8641a0ed689e96db9e121850bbe Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 11 Aug 2021 15:32:28 +0200
+Subject: media: s5p-mfc: Add checking to s5p_mfc_probe().
+
+From: Nadezda Lutovinova
+
+[ Upstream commit cdfaf4752e6915a4b455ad4400133e540e4dc965 ]
+
+If of_device_get_match_data() return NULL,
+then null pointer dereference occurs in s5p_mfc_init_pm().
+The patch adds checking if dev->variant is NULL.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Nadezda Lutovinova
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/platform/s5p-mfc/s5p_mfc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc.c b/drivers/media/platform/s5p-mfc/s5p_mfc.c
+index 80bb58d31c3f6..0fc101bc58d67 100644
+--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c
++++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c
+@@ -1281,6 +1281,10 @@ static int s5p_mfc_probe(struct platform_device *pdev)
+ }
+
+ dev->variant = of_device_get_match_data(&pdev->dev);
++ if (!dev->variant) {
++ dev_err(&pdev->dev, "Failed to get device MFC hardware variant information\n");
++ return -ENOENT;
++ }
+
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ dev->regs_base = devm_ioremap_resource(&pdev->dev, res);
+--
+2.33.0
+
diff --git a/queue-4.19/media-s5p-mfc-fix-possible-null-pointer-dereference-.patch b/queue-4.19/media-s5p-mfc-fix-possible-null-pointer-dereference-.patch
new file mode 100644
index 00000000000..15b11f75b84
--- /dev/null
+++ b/queue-4.19/media-s5p-mfc-fix-possible-null-pointer-dereference-.patch
@@ -0,0 +1,49 @@
+From d2757b8b0cd2eb73b078cfe0eedc149f69299b27 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 5 Aug 2021 09:55:35 +0200
+Subject: media: s5p-mfc: fix possible null-pointer dereference in
+ s5p_mfc_probe()
+
+From: Tuo Li
+
+[ Upstream commit 8515965e5e33f4feb56134348c95953f3eadfb26 ]
+
+The variable pdev is assigned to dev->plat_dev, and dev->plat_dev is
+checked in:
+ if (!dev->plat_dev)
+
+This indicates both dev->plat_dev and pdev can be NULL. If so, the
+function dev_err() is called to print error information.
+ dev_err(&pdev->dev, "No platform data specified\n");
+
+However, &pdev->dev is an illegal address, and it is dereferenced in
+dev_err().
+
+To fix this possible null-pointer dereference, replace dev_err() with
+mfc_err().
+
+Reported-by: TOTE Robot
+Signed-off-by: Tuo Li
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/platform/s5p-mfc/s5p_mfc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc.c b/drivers/media/platform/s5p-mfc/s5p_mfc.c
+index 4b8516c35bc20..80bb58d31c3f6 100644
+--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c
++++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c
+@@ -1276,7 +1276,7 @@ static int s5p_mfc_probe(struct platform_device *pdev)
+ spin_lock_init(&dev->condlock);
+ dev->plat_dev = pdev;
+ if (!dev->plat_dev) {
+- dev_err(&pdev->dev, "No platform data specified\n");
++ mfc_err("No platform data specified\n");
+ return -ENODEV;
+ }
+
+--
+2.33.0
+
diff --git a/queue-4.19/media-si470x-avoid-card-name-truncation.patch b/queue-4.19/media-si470x-avoid-card-name-truncation.patch
new file mode 100644
index 00000000000..015c16e4768
--- /dev/null
+++ b/queue-4.19/media-si470x-avoid-card-name-truncation.patch
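Review bot: The `if (!dev->plat_dev)` test in `s5p_mfc_probe()` runs directly after `dev->plat_dev = pdev;`, so it is a NULL check on the probe argument itself, placed after `dev` has already been set up. Swapping `dev_err()` for `mfc_err()` removes the dereference in the message, but if the lines before the hunk (not visible here) already use `pdev`, for instance to allocate `dev`, the branch can never be taken and is dead code. In that case deleting the branch is clearer than keeping a message that cannot be printed; otherwise the check belongs at the top of the function, before the first use of `pdev`.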
@@ -0,0 +1,54 @@
+From c0b647311cbae828f023c2d6286a92fb68c04065 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 3 Aug 2021 21:46:09 +0200
+Subject: media: si470x: Avoid card name truncation
+
+From: Kees Cook
+
+[ Upstream commit 2908249f3878a591f7918368fdf0b7b0a6c3158c ]
+
+The "card" string only holds 31 characters (and the terminating NUL).
+In order to avoid truncation, use a shorter card description instead of
+the current result, "Silicon Labs Si470x FM Radio Re".
+
+Suggested-by: Hans Verkuil
+Fixes: 78656acdcf48 ("V4L/DVB (7038): USB radio driver for Silicon Labs Si470x FM Radio Receivers")
+Fixes: cc35bbddfe10 ("V4L/DVB (12416): radio-si470x: add i2c driver for si470x")
+Signed-off-by: Kees Cook
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/radio/si470x/radio-si470x-i2c.c | 2 +-
+ drivers/media/radio/si470x/radio-si470x-usb.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/radio/si470x/radio-si470x-i2c.c b/drivers/media/radio/si470x/radio-si470x-i2c.c
+index aa12fd2663895..cc68bdac0c367 100644
+--- a/drivers/media/radio/si470x/radio-si470x-i2c.c
++++ b/drivers/media/radio/si470x/radio-si470x-i2c.c
+@@ -20,7 +20,7 @@
+
+ /* driver definitions */
+ #define DRIVER_AUTHOR "Joonyoung Shim ";
+-#define DRIVER_CARD "Silicon Labs Si470x FM Radio Receiver"
++#define DRIVER_CARD "Silicon Labs Si470x FM Radio"
+ #define DRIVER_DESC "I2C radio driver for Si470x FM Radio Receivers"
+ #define DRIVER_VERSION "1.0.2"
+
+diff --git a/drivers/media/radio/si470x/radio-si470x-usb.c b/drivers/media/radio/si470x/radio-si470x-usb.c
+index 19e381dd58089..ba43a727c0b95 100644
+--- a/drivers/media/radio/si470x/radio-si470x-usb.c
++++ b/drivers/media/radio/si470x/radio-si470x-usb.c
+@@ -25,7 +25,7 @@
+
+ /* driver definitions */
+ #define DRIVER_AUTHOR "Tobias Lorenz "
+-#define DRIVER_CARD "Silicon Labs Si470x FM Radio Receiver"
++#define DRIVER_CARD "Silicon Labs Si470x FM Radio"
+ #define DRIVER_DESC "USB radio driver for Si470x FM Radio Receivers"
+ #define DRIVER_VERSION "1.0.10"
+
+--
+2.33.0
+
diff --git a/queue-4.19/media-usb-dvd-usb-fix-uninit-value-bug-in-dibusb_rea.patch b/queue-4.19/media-usb-dvd-usb-fix-uninit-value-bug-in-dibusb_rea.patch
new file mode 100644
index 00000000000..70ef23d397d
--- /dev/null
+++ b/queue-4.19/media-usb-dvd-usb-fix-uninit-value-bug-in-dibusb_rea.patch
@@ -0,0 +1,41 @@
+From 4f1eb3a8420fe1d21bdbb8e6c3fb2571b6ed808f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 7 Dec 2020 07:16:06 +0100
+Subject: media: usb: dvd-usb: fix uninit-value bug in
+ dibusb_read_eeprom_byte()
+
+From: Anant Thazhemadam
+
+[ Upstream commit 899a61a3305d49e8a712e9ab20d0db94bde5929f ]
+
+In dibusb_read_eeprom_byte(), if dibusb_i2c_msg() fails, val gets
+assigned an value that's not properly initialized.
+Using kzalloc() in place of kmalloc() for the buffer fixes this issue,
+as the val can now be set to 0 in the event dibusb_i2c_msg() fails.
+
+Reported-by: syzbot+e27b4fd589762b0b9329@syzkaller.appspotmail.com
+Tested-by: syzbot+e27b4fd589762b0b9329@syzkaller.appspotmail.com
+Signed-off-by: Anant Thazhemadam
+Signed-off-by: Sean Young
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/usb/dvb-usb/dibusb-common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/dvb-usb/dibusb-common.c b/drivers/media/usb/dvb-usb/dibusb-common.c
+index fb1b4f2d5f9de..85b7838b3ede3 100644
+--- a/drivers/media/usb/dvb-usb/dibusb-common.c
++++ b/drivers/media/usb/dvb-usb/dibusb-common.c
+@@ -226,7 +226,7 @@ int dibusb_read_eeprom_byte(struct dvb_usb_device *d, u8 offs, u8 *val)
+ u8 *buf;
+ int rc;
+
+- buf = kmalloc(2, GFP_KERNEL);
++ buf = kzalloc(2, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
+
+--
+2.33.0
+
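Review bot: Zero-filling `buf` stops uninitialised heap bytes from reaching `*val`, but for any caller that does not test the return value a failed transfer now looks the same as an EEPROM byte that really is 0. The assignment to `*val` and the handling of `rc` are below the hunk, so this is inferred from the commit message; if the copy is unconditional, guarding it on the result of dibusb_i2c_msg() (copy `buf[1]` only on success, store a defined value otherwise) keeps the error visible. A short comment at the allocation, `/* zeroed so *val is defined if the I2C read fails */`, would also stop a later cleanup from reverting it to `kmalloc()`.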
diff --git a/queue-4.19/media-uvcvideo-return-eio-for-control-errors.patch b/queue-4.19/media-uvcvideo-return-eio-for-control-errors.patch
new file mode 100644
index 00000000000..18996cb008e
--- /dev/null
+++ b/queue-4.19/media-uvcvideo-return-eio-for-control-errors.patch
@@ -0,0 +1,48 @@
+From 7bb592c3fe0d75f7853ecd020dfdf9446d87758a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 18 Jun 2021 14:29:09 +0200
+Subject: media: uvcvideo: Return -EIO for control errors
+
+From: Ricardo Ribalda
+
+[ Upstream commit ffccdde5f0e17d2f0d788a9d831a027187890eaa ]
+
+The device is doing something unexpected with the control. Either because
+the protocol is not properly implemented or there has been a HW error.
+
+Fixes v4l2-compliance:
+
+Control ioctls (Input 0):
+ fail: v4l2-test-controls.cpp(448): s_ctrl returned an error (22)
+ test VIDIOC_G/S_CTRL: FAIL
+ fail: v4l2-test-controls.cpp(698): s_ext_ctrls returned an error (22)
+ test VIDIOC_G/S/TRY_EXT_CTRLS: FAIL
+
+Reviewed-by: Hans Verkuil
+Signed-off-by: Ricardo Ribalda
+Signed-off-by: Laurent Pinchart
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/usb/uvc/uvc_video.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c
+index 56b058d60a0dc..9c26e586bb01d 100644
+--- a/drivers/media/usb/uvc/uvc_video.c
++++ b/drivers/media/usb/uvc/uvc_video.c
+@@ -117,6 +117,11 @@ int uvc_query_ctrl(struct uvc_device *dev, u8 query, u8 unit,
+ case 5: /* Invalid unit */
+ case 6: /* Invalid control */
+ case 7: /* Invalid Request */
++ /*
++ * The firmware has not properly implemented
++ * the control or there has been a HW error.
++ */
++ return -EIO;
+ case 8: /* Invalid value within range */
+ return -EINVAL;
+ default: /* reserved or unknown */
+--
+2.33.0
+
diff --git a/queue-4.19/media-uvcvideo-set-capability-in-s_param.patch b/queue-4.19/media-uvcvideo-set-capability-in-s_param.patch
new file mode 100644
index 00000000000..7bfddce4100
--- /dev/null
+++ b/queue-4.19/media-uvcvideo-set-capability-in-s_param.patch
@@ -0,0 +1,47 @@
+From e38768f78b4c5849c166d8e2f2d80c2bbc410a41 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 18 Jun 2021 14:29:08 +0200
+Subject: media: uvcvideo: Set capability in s_param
+
+From: Ricardo Ribalda
+
+[ Upstream commit 97a2777a96070afb7da5d587834086c0b586c8cc ]
+
+Fixes v4l2-compliance:
+
+Format ioctls (Input 0):
+ warn: v4l2-test-formats.cpp(1339): S_PARM is supported but doesn't report V4L2_CAP_TIMEPERFRAME
+ fail: v4l2-test-formats.cpp(1241): node->has_frmintervals && !cap->capability
+
+Reviewed-by: Hans Verkuil
+Signed-off-by: Ricardo Ribalda
+Signed-off-by: Laurent Pinchart
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/usb/uvc/uvc_v4l2.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c
+index 2ca1e8ce6159d..e858f4f189ed9 100644
+--- a/drivers/media/usb/uvc/uvc_v4l2.c
++++ b/drivers/media/usb/uvc/uvc_v4l2.c
+@@ -474,10 +474,13 @@ static int uvc_v4l2_set_streamparm(struct uvc_streaming *stream,
+ uvc_simplify_fraction(&timeperframe.numerator,
+ &timeperframe.denominator, 8, 333);
+
+- if (parm->type == V4L2_BUF_TYPE_VIDEO_CAPTURE)
++ if (parm->type == V4L2_BUF_TYPE_VIDEO_CAPTURE) {
+ parm->parm.capture.timeperframe = timeperframe;
+- else
++ parm->parm.capture.capability = V4L2_CAP_TIMEPERFRAME;
++ } else {
+ parm->parm.output.timeperframe = timeperframe;
++ parm->parm.output.capability = V4L2_CAP_TIMEPERFRAME;
++ }
+
+ return 0;
+ }
+--
+2.33.0
+
diff --git a/queue-4.19/memory-fsl_ifc-fix-leak-of-irq-and-nand_irq-in-fsl_i.patch b/queue-4.19/memory-fsl_ifc-fix-leak-of-irq-and-nand_irq-in-fsl_i.patch
new file mode 100644
index 00000000000..65eeb870aad
--- /dev/null
+++ b/queue-4.19/memory-fsl_ifc-fix-leak-of-irq-and-nand_irq-in-fsl_i.patch
@@ -0,0 +1,73 @@
+From 42df1a7ac8dfb1f01e99485d48d52b44d4f3a5c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 25 Sep 2021 23:14:32 +0800
+Subject: memory: fsl_ifc: fix leak of irq and nand_irq in fsl_ifc_ctrl_probe
+
+From: Dongliang Mu
+
+[ Upstream commit 4ed2f3545c2e5acfbccd7f85fea5b1a82e9862d7 ]
+
+The error handling code of fsl_ifc_ctrl_probe is problematic. When
+fsl_ifc_ctrl_init fails or request_irq of fsl_ifc_ctrl_dev->irq fails,
+it forgets to free the irq and nand_irq. Meanwhile, if request_irq of
+fsl_ifc_ctrl_dev->nand_irq fails, it will still free nand_irq even if
+the request_irq is not successful.
+
+Fix this by refactoring the error handling code.
+
+Fixes: d2ae2e20fbdd ("driver/memory:Move Freescale IFC driver to a common driver")
+Signed-off-by: Dongliang Mu
+Link: https://lore.kernel.org/r/20210925151434.8170-1-mudongliangabcd@gmail.com
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: Sasha Levin
+---
+ drivers/memory/fsl_ifc.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/memory/fsl_ifc.c b/drivers/memory/fsl_ifc.c
+index 38b945eb410f3..9c0e70b047c39 100644
+--- a/drivers/memory/fsl_ifc.c
++++ b/drivers/memory/fsl_ifc.c
+@@ -276,7 +276,7 @@ static int fsl_ifc_ctrl_probe(struct platform_device *dev)
+
+ ret = fsl_ifc_ctrl_init(fsl_ifc_ctrl_dev);
+ if (ret < 0)
+- goto err;
++ goto err_unmap_nandirq;
+
+ init_waitqueue_head(&fsl_ifc_ctrl_dev->nand_wait);
+
+@@ -285,7 +285,7 @@ static int fsl_ifc_ctrl_probe(struct platform_device *dev)
+ if (ret != 0) {
+ dev_err(&dev->dev, "failed to install irq (%d)\n",
+ fsl_ifc_ctrl_dev->irq);
+- goto err_irq;
++ goto err_unmap_nandirq;
+ }
+
+ if (fsl_ifc_ctrl_dev->nand_irq) {
+@@ -294,17 +294,16 @@ static int fsl_ifc_ctrl_probe(struct platform_device *dev)
+ if (ret != 0) {
+ dev_err(&dev->dev, "failed to install irq (%d)\n",
+ fsl_ifc_ctrl_dev->nand_irq);
+- goto err_nandirq;
++ goto err_free_irq;
+ }
+ }
+
+ return 0;
+
+-err_nandirq:
+- free_irq(fsl_ifc_ctrl_dev->nand_irq, fsl_ifc_ctrl_dev);
+- irq_dispose_mapping(fsl_ifc_ctrl_dev->nand_irq);
+-err_irq:
++err_free_irq:
+ free_irq(fsl_ifc_ctrl_dev->irq, fsl_ifc_ctrl_dev);
++err_unmap_nandirq:
++ irq_dispose_mapping(fsl_ifc_ctrl_dev->nand_irq);
+ irq_dispose_mapping(fsl_ifc_ctrl_dev->irq);
+ err:
+ iounmap(fsl_ifc_ctrl_dev->gregs);
+--
+2.33.0
+
diff --git a/queue-4.19/memstick-avoid-out-of-range-warning.patch b/queue-4.19/memstick-avoid-out-of-range-warning.patch
new file mode 100644
index 00000000000..0f5805df39d
--- /dev/null
+++ b/queue-4.19/memstick-avoid-out-of-range-warning.patch
@@ -0,0 +1,44 @@
+From e8c5b5ba0a3d0cd30ab7cdb29403ecc839e867c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 27 Sep 2021 11:44:47 +0200
+Subject: memstick: avoid out-of-range warning
+
+From: Arnd Bergmann
+
+[ Upstream commit 4853396f03c3019eccf5cd113e464231e9ddf0b3 ]
+
+clang-14 complains about a sanity check that always passes when the
+page size is 64KB or larger:
+
+drivers/memstick/core/ms_block.c:1739:21: error: result of comparison of constant 65536 with expression of type 'unsigned short' is always false [-Werror,-Wtautological-constant-out-of-range-compare]
+ if (msb->page_size > PAGE_SIZE) {
+ ~~~~~~~~~~~~~~ ^ ~~~~~~~~~
+
+This is fine, it will still work on all architectures, so just shut
+up that warning with a cast.
+
+Fixes: 0ab30494bc4f ("memstick: add support for legacy memorysticks")
+Signed-off-by: Arnd Bergmann
+Link: https://lore.kernel.org/r/20210927094520.696665-1-arnd@kernel.org
+Signed-off-by: Ulf Hansson
+Signed-off-by: Sasha Levin
+---
+ drivers/memstick/core/ms_block.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/memstick/core/ms_block.c b/drivers/memstick/core/ms_block.c
+index 8a02f11076f9a..7aab26128f6d9 100644
+--- a/drivers/memstick/core/ms_block.c
++++ b/drivers/memstick/core/ms_block.c
+@@ -1731,7 +1731,7 @@ static int msb_init_card(struct memstick_dev *card)
+ msb->pages_in_block = boot_block->attr.block_size * 2;
+ msb->block_size = msb->page_size * msb->pages_in_block;
+
+- if (msb->page_size > PAGE_SIZE) {
++ if ((size_t)msb->page_size > PAGE_SIZE) {
+ /* this isn't supported by linux at all, anyway*/
+ dbg("device page %d size isn't supported", msb->page_size);
+ return -EINVAL;
+--
+2.33.0
+
diff --git a/queue-4.19/memstick-jmb38x_ms-use-appropriate-free-function-in-.patch b/queue-4.19/memstick-jmb38x_ms-use-appropriate-free-function-in-.patch
new file mode 100644
index 00000000000..d352dea9afd
--- /dev/null
+++ b/queue-4.19/memstick-jmb38x_ms-use-appropriate-free-function-in-.patch
@@ -0,0 +1,40 @@
+From 04bde46f9881e433f6c82b8c68805cd095fc26ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 11 Oct 2021 15:39:12 +0300
+Subject: memstick: jmb38x_ms: use appropriate free function in
+ jmb38x_ms_alloc_host()
+
+From: Dan Carpenter
+
+[ Upstream commit beae4a6258e64af609ad5995cc6b6056eb0d898e ]
+
+The "msh" pointer is device managed, meaning that memstick_alloc_host()
+calls device_initialize() on it. That means that it can't be free
+using kfree() but must instead be freed with memstick_free_host().
+Otherwise it leads to a tiny memory leak of device resources.
+
+Fixes: 60fdd931d577 ("memstick: add support for JMicron jmb38x MemoryStick host controller")
+Signed-off-by: Dan Carpenter
+Link: https://lore.kernel.org/r/20211011123912.GD15188@kili
+Signed-off-by: Ulf Hansson
+Signed-off-by: Sasha Levin
+---
+ drivers/memstick/host/jmb38x_ms.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/memstick/host/jmb38x_ms.c b/drivers/memstick/host/jmb38x_ms.c
+index 29f5021d21ea6..0610d3c9f1318 100644
+--- a/drivers/memstick/host/jmb38x_ms.c
++++ b/drivers/memstick/host/jmb38x_ms.c
+@@ -907,7 +907,7 @@ static struct memstick_host *jmb38x_ms_alloc_host(struct jmb38x_ms *jm, int cnt)
+
+ iounmap(host->addr);
+ err_out_free:
+- kfree(msh);
++ memstick_free_host(msh);
+ return NULL;
+ }
+
+--
+2.33.0
+
diff --git a/queue-4.19/memstick-r592-fix-a-uaf-bug-when-removing-the-driver.patch b/queue-4.19/memstick-r592-fix-a-uaf-bug-when-removing-the-driver.patch
new file mode 100644
index 00000000000..a7b22066513
--- /dev/null
+++ b/queue-4.19/memstick-r592-fix-a-uaf-bug-when-removing-the-driver.patch
@@ -0,0 +1,80 @@
+From 794ef0160fc37a37bd39fee0c093dc593ad44b37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 16 Oct 2021 11:26:21 +0000
+Subject: memstick: r592: Fix a UAF bug when removing the driver
+
+From: Zheyu Ma
+
+[ Upstream commit 738216c1953e802aa9f930c5d15b8f9092c847ff ]
+
+In r592_remove(), the driver will free dma after freeing the host, which
+may cause a UAF bug.
+
+The following log reveals it:
+
+[ 45.361796 ] BUG: KASAN: use-after-free in r592_remove+0x269/0x350 [r592]
+[ 45.364286 ] Call Trace:
+[ 45.364472 ] dump_stack_lvl+0xa8/0xd1
+[ 45.364751 ] print_address_description+0x87/0x3b0
+[ 45.365137 ] kasan_report+0x172/0x1c0
+[ 45.365415 ] ? r592_remove+0x269/0x350 [r592]
+[ 45.365834 ] ? r592_remove+0x269/0x350 [r592]
+[ 45.366168 ] __asan_report_load8_noabort+0x14/0x20
+[ 45.366531 ] r592_remove+0x269/0x350 [r592]
+[ 45.378785 ]
+[ 45.378903 ] Allocated by task 4674:
+[ 45.379162 ] ____kasan_kmalloc+0xb5/0xe0
+[ 45.379455 ] __kasan_kmalloc+0x9/0x10
+[ 45.379730 ] __kmalloc+0x150/0x280
+[ 45.379984 ] memstick_alloc_host+0x2a/0x190
+[ 45.380664 ]
+[ 45.380781 ] Freed by task 5509:
+[ 45.381014 ] kasan_set_track+0x3d/0x70
+[ 45.381293 ] kasan_set_free_info+0x23/0x40
+[ 45.381635 ] ____kasan_slab_free+0x10b/0x140
+[ 45.381950 ] __kasan_slab_free+0x11/0x20
+[ 45.382241 ] slab_free_freelist_hook+0x81/0x150
+[ 45.382575 ] kfree+0x13e/0x290
+[ 45.382805 ] memstick_free+0x1c/0x20
+[ 45.383070 ] device_release+0x9c/0x1d0
+[ 45.383349 ] kobject_put+0x2ef/0x4c0
+[ 45.383616 ] put_device+0x1f/0x30
+[ 45.383865 ] memstick_free_host+0x24/0x30
+[ 45.384162 ] r592_remove+0x242/0x350 [r592]
+[ 45.384473 ] pci_device_remove+0xa9/0x250
+
+Signed-off-by: Zheyu Ma
+Link: https://lore.kernel.org/r/1634383581-11055-1-git-send-email-zheyuma97@gmail.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Sasha Levin
+---
+ drivers/memstick/host/r592.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/memstick/host/r592.c b/drivers/memstick/host/r592.c
+index 4559593ecd5a9..4728a42d54b88 100644
+--- a/drivers/memstick/host/r592.c
++++ b/drivers/memstick/host/r592.c
+@@ -840,15 +840,15 @@ static void r592_remove(struct pci_dev *pdev)
+ }
+ memstick_remove_host(dev->host);
+
++ if (dev->dummy_dma_page)
++ dma_free_coherent(&pdev->dev, PAGE_SIZE, dev->dummy_dma_page,
++ dev->dummy_dma_page_physical_address);
++
+ free_irq(dev->irq, dev);
+ iounmap(dev->mmio);
+ pci_release_regions(pdev);
+ pci_disable_device(pdev);
+ memstick_free_host(dev->host);
+-
+- if (dev->dummy_dma_page)
+- dma_free_coherent(&pdev->dev, PAGE_SIZE, dev->dummy_dma_page,
+- dev->dummy_dma_page_physical_address);
+ }
+
+ #ifdef CONFIG_PM_SLEEP
+--
+2.33.0
+
diff --git a/queue-4.19/mips-cm-convert-to-bitfield-api-to-fix-out-of-bounds.patch b/queue-4.19/mips-cm-convert-to-bitfield-api-to-fix-out-of-bounds.patch
new file mode 100644
index 00000000000..b1d8268ce34
--- /dev/null
+++ b/queue-4.19/mips-cm-convert-to-bitfield-api-to-fix-out-of-bounds.patch
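Review bot: The coherent page is now released while the interrupt is still registered and the PCI function is still enabled, because the `dma_free_coherent()` block was moved ahead of `free_irq()` and `pci_disable_device()`. The use-after-free in the log only requires the block to run before `memstick_free_host(dev->host)`, which per the KASAN trace frees the allocation `dev` is read from; placing the block directly after `pci_disable_device(pdev);` satisfies that and also returns the page only once the device has been disabled. Whether the hardware is already quiesced earlier in r592_remove() is not visible in this hunk, so treat this as hardening of the teardown order rather than a confirmed bug. A one-line comment such as `/* dev lives inside the host: finish every use of dev before memstick_free_host() */` would document the ordering constraint.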
@@ -0,0 +1,142 @@
+From edb13196e6b534f5d582646003615459cb8fb874 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 29 Oct 2021 11:58:16 +0200
+Subject: mips: cm: Convert to bitfield API to fix out-of-bounds access
+
+From: Geert Uytterhoeven
+
+[ Upstream commit 18b8f5b6fc53d097cadb94a93d8d6566ba88e389 ]
+
+mips_cm_error_report() extracts the cause and other cause from the error
+register using shifts. This works fine for the former, as it is stored
+in the top bits, and the shift will thus remove all non-related bits.
+However, the latter is stored in the bottom bits, hence thus needs masking
+to get rid of non-related bits. Without such masking, using it as an
+index into the cm2_causes[] array will lead to an out-of-bounds access,
+probably causing a crash.
+
+Fix this by using FIELD_GET() instead. Bite the bullet and convert all
+MIPS CM handling to the bitfield API, to improve readability and safety.
+
+Fixes: 3885c2b463f6a236 ("MIPS: CM: Add support for reporting CM cache errors")
+Signed-off-by: Geert Uytterhoeven
+Reviewed-by: Jiaxun Yang
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Sasha Levin
+---
+ arch/mips/include/asm/mips-cm.h | 12 ++++++------
+ arch/mips/kernel/mips-cm.c | 21 ++++++++++-----------
+ 2 files changed, 16 insertions(+), 17 deletions(-)
+
+diff --git a/arch/mips/include/asm/mips-cm.h b/arch/mips/include/asm/mips-cm.h
+index 8bc5df49b0e1d..890e51b159e06 100644
+--- a/arch/mips/include/asm/mips-cm.h
++++ b/arch/mips/include/asm/mips-cm.h
+@@ -15,6 +15,7 @@
+ #ifndef __MIPS_ASM_MIPS_CM_H__
+ #define __MIPS_ASM_MIPS_CM_H__
+
++#include
+ #include
+ #include
+
+@@ -157,8 +158,8 @@ GCR_ACCESSOR_RO(32, 0x030, rev)
+ #define CM_GCR_REV_MINOR GENMASK(7, 0)
+
+ #define CM_ENCODE_REV(major, minor) \
+- (((major) << __ffs(CM_GCR_REV_MAJOR)) | \
+- ((minor) << __ffs(CM_GCR_REV_MINOR)))
++ (FIELD_PREP(CM_GCR_REV_MAJOR, major) | \
++ FIELD_PREP(CM_GCR_REV_MINOR, minor))
+
+ #define CM_REV_CM2 CM_ENCODE_REV(6, 0)
+ #define CM_REV_CM2_5 CM_ENCODE_REV(7, 0)
+@@ -366,10 +367,10 @@ static inline int mips_cm_revision(void)
+ static inline unsigned int mips_cm_max_vp_width(void)
+ {
+ extern int smp_num_siblings;
+- uint32_t cfg;
+
+ if (mips_cm_revision() >= CM_REV_CM3)
+- return read_gcr_sys_config2() & CM_GCR_SYS_CONFIG2_MAXVPW;
++ return FIELD_GET(CM_GCR_SYS_CONFIG2_MAXVPW,
++ read_gcr_sys_config2());
+
+ if (mips_cm_present()) {
+ /*
+@@ -377,8 +378,7 @@ static inline unsigned int mips_cm_max_vp_width(void)
+ * number of VP(E)s, and if that ever changes then this will
+ * need revisiting.
+ */
+- cfg = read_gcr_cl_config() & CM_GCR_Cx_CONFIG_PVPE;
+- return (cfg >> __ffs(CM_GCR_Cx_CONFIG_PVPE)) + 1;
++ return FIELD_GET(CM_GCR_Cx_CONFIG_PVPE, read_gcr_cl_config()) + 1;
+ }
+
+ if (IS_ENABLED(CONFIG_SMP))
+diff --git a/arch/mips/kernel/mips-cm.c b/arch/mips/kernel/mips-cm.c
+index 50d3d74001cbe..51cfcb44e6703 100644
+--- a/arch/mips/kernel/mips-cm.c
++++ b/arch/mips/kernel/mips-cm.c
+@@ -183,8 +183,7 @@ static void mips_cm_probe_l2sync(void)
+ phys_addr_t addr;
+
+ /* L2-only sync was introduced with CM major revision 6 */
+- major_rev = (read_gcr_rev() & CM_GCR_REV_MAJOR) >>
+- __ffs(CM_GCR_REV_MAJOR);
++ major_rev = FIELD_GET(CM_GCR_REV_MAJOR, read_gcr_rev());
+ if (major_rev < 6)
+ return;
+
+@@ -267,13 +266,13 @@ void mips_cm_lock_other(unsigned int cluster, unsigned int core,
+ preempt_disable();
+
+ if (cm_rev >= CM_REV_CM3) {
+- val = core << __ffs(CM3_GCR_Cx_OTHER_CORE);
+- val |= vp << __ffs(CM3_GCR_Cx_OTHER_VP);
++ val = FIELD_PREP(CM3_GCR_Cx_OTHER_CORE, core) |
++ FIELD_PREP(CM3_GCR_Cx_OTHER_VP, vp);
+
+ if (cm_rev >= CM_REV_CM3_5) {
+ val |= CM_GCR_Cx_OTHER_CLUSTER_EN;
+- val |= cluster << __ffs(CM_GCR_Cx_OTHER_CLUSTER);
+- val |= block << __ffs(CM_GCR_Cx_OTHER_BLOCK);
++ val |= FIELD_PREP(CM_GCR_Cx_OTHER_CLUSTER, cluster);
++ val |= FIELD_PREP(CM_GCR_Cx_OTHER_BLOCK, block);
+ } else {
+ WARN_ON(cluster != 0);
+ WARN_ON(block != CM_GCR_Cx_OTHER_BLOCK_LOCAL);
+@@ -303,7 +302,7 @@ void mips_cm_lock_other(unsigned int cluster, unsigned int core,
+ spin_lock_irqsave(&per_cpu(cm_core_lock, curr_core),
+ per_cpu(cm_core_lock_flags, curr_core));
+
+- val = core << __ffs(CM_GCR_Cx_OTHER_CORENUM);
++ val = FIELD_PREP(CM_GCR_Cx_OTHER_CORENUM, core);
+ }
+
+ write_gcr_cl_other(val);
+@@ -347,8 +346,8 @@ void mips_cm_error_report(void)
+ cm_other = read_gcr_error_mult();
+
+ if (revision < CM_REV_CM3) { /* CM2 */
+- cause = cm_error >> __ffs(CM_GCR_ERROR_CAUSE_ERRTYPE);
+- ocause = cm_other >> __ffs(CM_GCR_ERROR_MULT_ERR2ND);
++ cause = FIELD_GET(CM_GCR_ERROR_CAUSE_ERRTYPE, cm_error);
++ ocause = FIELD_GET(CM_GCR_ERROR_MULT_ERR2ND, cm_other);
+
+ if (!cause)
+ return;
+@@ -390,8 +389,8 @@ void mips_cm_error_report(void)
+ ulong core_id_bits, vp_id_bits, cmd_bits, cmd_group_bits;
+ ulong cm3_cca_bits, mcp_bits, cm3_tr_bits, sched_bit;
+
+- cause = cm_error >> __ffs64(CM3_GCR_ERROR_CAUSE_ERRTYPE);
+- ocause = cm_other >> __ffs(CM_GCR_ERROR_MULT_ERR2ND);
++ cause = FIELD_GET(CM3_GCR_ERROR_CAUSE_ERRTYPE, cm_error);
++ ocause = FIELD_GET(CM_GCR_ERROR_MULT_ERR2ND, cm_other);
+
+ if (!cause)
+ return;
+--
+2.33.0
+
diff --git a/queue-4.19/mips-lantiq-dma-add-small-delay-after-reset.patch b/queue-4.19/mips-lantiq-dma-add-small-delay-after-reset.patch
new file mode 100644
index 00000000000..50de4096d80
--- /dev/null
+++ b/queue-4.19/mips-lantiq-dma-add-small-delay-after-reset.patch
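Review bot: `cause` and `ocause` in mips_cm_error_report() are now bounded by their field masks, but nothing in these hunks ties the mask widths to the sizes of the lookup tables they index (the commit message names `cm2_causes[]`; the tables are outside the hunk). If any table has fewer entries than its field can encode, a hardware-supplied value can still index past the end, so a `cause < ARRAY_SIZE(...)` test before each lookup, or a `BUILD_BUG_ON()` relating table size to mask, would make the bound independent of the register layout; this applies to both the CM2 branch (`-347,8`) and the CM3 branch (`-390,8`). Separately, `FIELD_PREP()` in mips_cm_lock_other() masks a run-time `core`, `vp`, `cluster` or `block` that is too large for its field without any diagnostic, so a `WARN_ON()` on oversized arguments would keep that caller error visible.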
@@ -0,0 +1,43 @@
+From 67de42e55b46a549e4800eee7b80e6bd127ed3ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 14 Sep 2021 23:20:58 +0200
+Subject: MIPS: lantiq: dma: add small delay after reset
+
+From: Aleksander Jan Bajkowski
+
+[ Upstream commit c12aa581f6d5e80c3c3675ab26a52c2b3b62f76e ]
+
+Reading the DMA registers immediately after the reset causes
+Data Bus Error. Adding a small delay fixes this issue.
+
+Signed-off-by: Aleksander Jan Bajkowski
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ arch/mips/lantiq/xway/dma.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/mips/lantiq/xway/dma.c b/arch/mips/lantiq/xway/dma.c
+index 664f2f7f55c1c..45a622b72cd13 100644
+--- a/arch/mips/lantiq/xway/dma.c
++++ b/arch/mips/lantiq/xway/dma.c
+@@ -22,6 +22,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+
+ #include
+@@ -233,6 +234,8 @@ ltq_dma_init(struct platform_device *pdev)
+ clk_enable(clk);
+ ltq_dma_w32_mask(0, DMA_RESET, LTQ_DMA_CTRL);
+
++ usleep_range(1, 10);
++
+ /* disable all interrupts */
+ ltq_dma_w32(0, LTQ_DMA_IRNEN);
+
+--
+2.33.0
+
diff --git a/queue-4.19/mips-lantiq-dma-reset-correct-number-of-channel.patch b/queue-4.19/mips-lantiq-dma-reset-correct-number-of-channel.patch
new file mode 100644
index 00000000000..989b93e4e82
--- /dev/null
+++ b/queue-4.19/mips-lantiq-dma-reset-correct-number-of-channel.patch
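Review bot: The `usleep_range(1, 10)` after the reset write is an unexplained fixed delay: nothing records how long the block needs before its registers are readable, and the code never confirms that the reset has finished. Please add a comment giving the reason and the source of the figure, for example `/* DMA registers raise a Data Bus Error if read right after DMA_RESET; let the block settle */`, and, if the controller exposes a reset-done indication (not visible here), poll it with a timeout instead of relying on a fixed sleep. For waits this short the kernel timer guidance favours `udelay()` over `usleep_range()`. ltq_dma_init() begins and ends outside the hunk.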
@@ -0,0 +1,79 @@
+From 2b5c6a34397c71ba2037fe3069db8413ef8c8ef1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 14 Sep 2021 23:20:59 +0200
+Subject: MIPS: lantiq: dma: reset correct number of channel
+
+From: Aleksander Jan Bajkowski
+
+[ Upstream commit 5ca9ce2ba4d5884cd94d1a856c675ab1242cd242 ]
+
+Different SoCs have a different number of channels, e.g .:
+* amazon-se has 10 channels,
+* danube+ar9 have 20 channels,
+* vr9 has 28 channels,
+* ar10 has 24 channels.
+
+We can read the ID register and, depending on the reported
+number of channels, reset the appropriate number of channels.
+
+Signed-off-by: Aleksander Jan Bajkowski
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ arch/mips/lantiq/xway/dma.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/arch/mips/lantiq/xway/dma.c b/arch/mips/lantiq/xway/dma.c
+index 45a622b72cd13..efee1c538a518 100644
+--- a/arch/mips/lantiq/xway/dma.c
++++ b/arch/mips/lantiq/xway/dma.c
+@@ -41,6 +41,7 @@
+ #define LTQ_DMA_PCTRL 0x44
+ #define LTQ_DMA_IRNEN 0xf4
+
++#define DMA_ID_CHNR GENMASK(26, 20) /* channel number */
+ #define DMA_DESCPT BIT(3) /* descriptor complete irq */
+ #define DMA_TX BIT(8) /* TX channel direction */
+ #define DMA_CHAN_ON BIT(0) /* channel on / off bit */
+@@ -51,7 +52,6 @@
+ #define DMA_POLL BIT(31) /* turn on channel polling */
+ #define DMA_CLK_DIV4 BIT(6) /* polling clock divider */
+ #define DMA_2W_BURST BIT(1) /* 2 word burst length */
+-#define DMA_MAX_CHANNEL 20 /* the soc has 20 channels */
+ #define DMA_ETOP_ENDIANNESS (0xf << 8) /* endianness swap etop channels */
+ #define DMA_WEIGHT (BIT(17) | BIT(16)) /* default channel wheight */
+
+@@ -218,7 +218,7 @@ ltq_dma_init(struct platform_device *pdev)
+ {
+ struct clk *clk;
+ struct resource *res;
+- unsigned id;
++ unsigned int id, nchannels;
+ int i;
+
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+@@ -240,17 +240,18 @@ ltq_dma_init(struct platform_device *pdev)
+ ltq_dma_w32(0, LTQ_DMA_IRNEN);
+
+ /* reset/configure each channel */
+- for (i = 0; i < DMA_MAX_CHANNEL; i++) {
++ id = ltq_dma_r32(LTQ_DMA_ID);
++ nchannels = ((id & DMA_ID_CHNR) >> 20);
++ for (i = 0; i < nchannels; i++) {
+ ltq_dma_w32(i, LTQ_DMA_CS);
+ ltq_dma_w32(DMA_CHAN_RST, LTQ_DMA_CCTRL);
+ ltq_dma_w32(DMA_POLL | DMA_CLK_DIV4, LTQ_DMA_CPOLL);
+ ltq_dma_w32_mask(DMA_CHAN_ON, 0, LTQ_DMA_CCTRL);
+ }
+
+- id = ltq_dma_r32(LTQ_DMA_ID);
+ dev_info(&pdev->dev,
+ "Init done - hw rev: %X, ports: %d, channels: %d\n",
+- id & 0x1f, (id >> 16) & 0xf, nchannels);
++ id & 0x1f, (id >> 16) & 0xf, nchannels);
+
+ return 0;
+ }
+--
+2.33.0
+
diff --git a/queue-4.19/mips-loongson64-make-cpu_loongson64-depends-on-mips_.patch b/queue-4.19/mips-loongson64-make-cpu_loongson64-depends-on-mips_.patch
new file mode 100644
index 00000000000..bde38ae042d
--- /dev/null
+++ b/queue-4.19/mips-loongson64-make-cpu_loongson64-depends-on-mips_.patch
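Review bot: `nchannels` comes straight from the ID register and is used as the loop bound with no sanity check, so a value of 0 silently skips channel reset and an unexpected value drives up to 127 channel-select writes (the mask is seven bits wide). A range check against the largest count the driver supports, with a warning or error return outside it, keeps a misread register from reconfiguring the controller. The extraction also hard-codes the shift next to the mask; `nchannels = FIELD_GET(DMA_ID_CHNR, id);` (needs `<linux/bitfield.h>`) keeps the two in step. Smaller points: `i` is `int` while `nchannels` is `unsigned int`, and `nchannels` is printed with `%d` rather than `%u`.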
@@ -0,0 +1,50 @@
+From 521f319003595bd61f3e9286a84b5fc18dd1ff1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 13 Sep 2021 14:19:08 +0800
+Subject: MIPS: loongson64: make CPU_LOONGSON64 depends on MIPS_FP_SUPPORT
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jackie Liu
+
+[ Upstream commit 7f3b3c2bfa9c93ab9b5595543496f570983dc330 ]
+
+mach/loongson64 fails to build when the FPU support is disabled:
+
+arch/mips/loongson64/cop2-ex.c:45:15: error: implicit declaration of function ‘__is_fpu_owner’; did you mean ‘is_fpu_owner’? [-Werror=implicit-function-declaration]
+arch/mips/loongson64/cop2-ex.c:98:30: error: ‘struct thread_struct’ has no member named ‘fpu’
+arch/mips/loongson64/cop2-ex.c:99:30: error: ‘struct thread_struct’ has no member named ‘fpu’
+arch/mips/loongson64/cop2-ex.c:131:43: error: ‘struct thread_struct’ has no member named ‘fpu’
+arch/mips/loongson64/cop2-ex.c:137:38: error: ‘struct thread_struct’ has no member named ‘fpu’
+arch/mips/loongson64/cop2-ex.c:203:30: error: ‘struct thread_struct’ has no member named ‘fpu’
+arch/mips/loongson64/cop2-ex.c:219:30: error: ‘struct thread_struct’ has no member named ‘fpu’
+arch/mips/loongson64/cop2-ex.c:283:38: error: ‘struct thread_struct’ has no member named ‘fpu’
+arch/mips/loongson64/cop2-ex.c:301:38: error: ‘struct thread_struct’ has no member named ‘fpu’
+
+Fixes: ef2f826c8f2f ("MIPS: Loongson-3: Enable the COP2 usage")
+Suggested-by: Huacai Chen
+Reviewed-by: Huacai Chen
+Reported-by: k2ci robot
+Signed-off-by: Jackie Liu
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Sasha Levin
+---
+ arch/mips/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig
+index cc8c8d22afaf5..fb8554c41e803 100644
+--- a/arch/mips/Kconfig
++++ b/arch/mips/Kconfig
+@@ -1375,6 +1375,7 @@ config CPU_LOONGSON3
+ select WEAK_REORDERING_BEYOND_LLSC
+ select MIPS_PGD_C0_CONTEXT
+ select MIPS_L1_CACHE_SHIFT_6
++ select MIPS_FP_SUPPORT
+ select GPIOLIB
+ select SWIOTLB
+ help
+--
+2.33.0
+
diff --git a/queue-4.19/mm-zsmalloc.c-close-race-window-between-zs_pool_dec_.patch b/queue-4.19/mm-zsmalloc.c-close-race-window-between-zs_pool_dec_.patch
new file mode 100644
index 00000000000..1245fdea83d
--- /dev/null
+++ b/queue-4.19/mm-zsmalloc.c-close-race-window-between-zs_pool_dec_.patch
@@ -0,0 +1,65 @@
+From f9df58216cd082fa7ac10a87fce25c0ff6879e87 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 5 Nov 2021 13:45:03 -0700
+Subject: mm/zsmalloc.c: close race window between zs_pool_dec_isolated() and
+ zs_unregister_migration()
+
+From: Miaohe Lin
+
+[ Upstream commit afe8605ca45424629fdddfd85984b442c763dc47 ]
+
+There is one possible race window between zs_pool_dec_isolated() and
+zs_unregister_migration() because wait_for_isolated_drain() checks the
+isolated count without holding class->lock and there is no order inside
+zs_pool_dec_isolated(). Thus the below race window could be possible:
+
+ zs_pool_dec_isolated zs_unregister_migration
+ check pool->destroying != 0
+ pool->destroying = true;
+ smp_mb();
+ wait_for_isolated_drain()
+ wait for pool->isolated_pages == 0
+ atomic_long_dec(&pool->isolated_pages);
+ atomic_long_read(&pool->isolated_pages) == 0
+
+Since we observe the pool->destroying (false) before atomic_long_dec()
+for pool->isolated_pages, waking pool->migration_wait up is missed.
+
+Fix this by ensure checking pool->destroying happens after the
+atomic_long_dec(&pool->isolated_pages).
+
+Link: https://lkml.kernel.org/r/20210708115027.7557-1-linmiaohe@huawei.com
+Fixes: 701d678599d0 ("mm/zsmalloc.c: fix race condition in zs_destroy_pool")
+Signed-off-by: Miaohe Lin
+Cc: Minchan Kim
+Cc: Sergey Senozhatsky
+Cc: Henry Burns
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ mm/zsmalloc.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/mm/zsmalloc.c b/mm/zsmalloc.c
+index d52c005a060f1..11e81b3ff0cf3 100644
+--- a/mm/zsmalloc.c
++++ b/mm/zsmalloc.c
+@@ -1904,10 +1904,11 @@ static inline void zs_pool_dec_isolated(struct zs_pool *pool)
+ VM_BUG_ON(atomic_long_read(&pool->isolated_pages) <= 0);
+ atomic_long_dec(&pool->isolated_pages);
+ /*
+- * There's no possibility of racing, since wait_for_isolated_drain()
+- * checks the isolated count under &class->lock after enqueuing
+- * on migration_wait.
++ * Checking pool->destroying must happen after atomic_long_dec()
++ * for pool->isolated_pages above. Paired with the smp_mb() in
++ * zs_unregister_migration().
+ */
++ smp_mb__after_atomic();
+ if (atomic_long_read(&pool->isolated_pages) == 0 && pool->destroying)
+ wake_up_all(&pool->migration_wait);
+ }
+--
+2.33.0
+
diff --git a/queue-4.19/mmc-mxs-mmc-disable-regulator-on-error-and-in-the-re.patch b/queue-4.19/mmc-mxs-mmc-disable-regulator-on-error-and-in-the-re.patch
new file mode 100644
index 00000000000..3c91d215620
--- /dev/null
+++ b/queue-4.19/mmc-mxs-mmc-disable-regulator-on-error-and-in-the-re.patch
@@ -0,0 +1,55 @@
+From 913e89f5517ac8af89a17ae22bfed50ae481b910 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 16 Oct 2021 08:21:44 +0200
+Subject: mmc: mxs-mmc: disable regulator on error and in the remove function
+
+From: Christophe JAILLET
+
+[ Upstream commit ce5f6c2c9b0fcb4094f8e162cfd37fb4294204f7 ]
+
+The 'reg_vmmc' regulator is enabled in the probe. It is never disabled.
+Neither in the error handling path of the probe nor in the remove
+function.
+
+Register a devm_action to disable it when needed.
+
+Fixes: 4dc5a79f1350 ("mmc: mxs-mmc: enable regulator for mmc slot")
+Signed-off-by: Christophe JAILLET
+Link: https://lore.kernel.org/r/4aadb3c97835f7b80f00819c3d549e6130384e67.1634365151.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Ulf Hansson
+Signed-off-by: Sasha Levin
+---
+ drivers/mmc/host/mxs-mmc.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/mmc/host/mxs-mmc.c b/drivers/mmc/host/mxs-mmc.c
+index 7125687faf76a..d7601dc5e85dc 100644
+--- a/drivers/mmc/host/mxs-mmc.c
++++ b/drivers/mmc/host/mxs-mmc.c
+@@ -579,6 +579,11 @@ static const struct of_device_id mxs_mmc_dt_ids[] = {
+ };
+ MODULE_DEVICE_TABLE(of, mxs_mmc_dt_ids);
+
++static void mxs_mmc_regulator_disable(void *regulator)
++{
++ regulator_disable(regulator);
++}
++
+ static int mxs_mmc_probe(struct platform_device *pdev)
+ {
+ const struct of_device_id *of_id =
+@@ -622,6 +627,11 @@ static int mxs_mmc_probe(struct platform_device *pdev)
+ "Failed to enable vmmc regulator: %d\n", ret);
+ goto out_mmc_free;
+ }
++
++ ret = devm_add_action_or_reset(&pdev->dev, mxs_mmc_regulator_disable,
++ reg_vmmc);
++ if (ret)
++ goto out_mmc_free;
+ }
+
+ ssp->clk = devm_clk_get(&pdev->dev, NULL);
+--
+2.33.0
+
diff --git a/queue-4.19/mmc-sdhci-omap-fix-null-pointer-exception-if-regulat.patch b/queue-4.19/mmc-sdhci-omap-fix-null-pointer-exception-if-regulat.patch
new file mode 100644
index 00000000000..c907401cedb
--- /dev/null
+++ b/queue-4.19/mmc-sdhci-omap-fix-null-pointer-exception-if-regulat.patch 
@@ -0,0 +1,55 @@ +From 6f5e7ce7d7b2caba500ad6c1dc239fd252b8ad3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Sep 2021 14:00:25 +0300 +Subject: mmc: sdhci-omap: Fix NULL pointer exception if regulator is not + configured + +From: Tony Lindgren + +[ Upstream commit 8e0e7bd38b1ec7f9e5d18725ad41828be4e09859 ] + +If sdhci-omap is configured for an unused device instance and the device +is not set as disabled, we can get a NULL pointer dereference: + +Unable to handle kernel NULL pointer dereference at virtual address +00000045 +... +(regulator_set_voltage) from [] (mmc_regulator_set_ocr+0x44/0xd0) +(mmc_regulator_set_ocr) from [] (sdhci_set_ios+0xa4/0x490) +(sdhci_set_ios) from [] (sdhci_omap_set_ios+0x124/0x160) +(sdhci_omap_set_ios) from [] (mmc_power_up.part.0+0x3c/0x154) +(mmc_power_up.part.0) from [] (mmc_start_host+0x88/0x9c) +(mmc_start_host) from [] (mmc_add_host+0x58/0x7c) +(mmc_add_host) from [] (__sdhci_add_host+0xf0/0x22c) +(__sdhci_add_host) from [] (sdhci_omap_probe+0x318/0x72c) +(sdhci_omap_probe) from [] (platform_probe+0x58/0xb8) + +AFAIK we are not seeing this with the devices configured in the mainline +kernel but this can cause issues for folks bringing up their boards. 
+ +Fixes: 7d326930d352 ("mmc: sdhci-omap: Add OMAP SDHCI driver") +Signed-off-by: Tony Lindgren +Link: https://lore.kernel.org/r/20210921110029.21944-2-tony@atomide.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/sdhci-omap.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/sdhci-omap.c b/drivers/mmc/host/sdhci-omap.c +index 05ade7a2dd243..f5bff9e710fb2 100644 +--- a/drivers/mmc/host/sdhci-omap.c ++++ b/drivers/mmc/host/sdhci-omap.c +@@ -690,7 +690,8 @@ static void sdhci_omap_set_power(struct sdhci_host *host, unsigned char mode, + { + struct mmc_host *mmc = host->mmc; + +- mmc_regulator_set_ocr(mmc, mmc->supply.vmmc, vdd); ++ if (!IS_ERR(mmc->supply.vmmc)) ++ mmc_regulator_set_ocr(mmc, mmc->supply.vmmc, vdd); + } + + static int sdhci_omap_enable_dma(struct sdhci_host *host) +-- +2.33.0 + diff --git a/queue-4.19/mtd-spi-nor-hisi-sfc-remove-excessive-clk_disable_un.patch b/queue-4.19/mtd-spi-nor-hisi-sfc-remove-excessive-clk_disable_un.patch new file mode 100644 index 00000000000..f682bd73769 --- /dev/null +++ b/queue-4.19/mtd-spi-nor-hisi-sfc-remove-excessive-clk_disable_un.patch 
@@ -0,0 +1,42 @@
+From 22bab4c18de5a4ff1241f65f89e3c461dbc408d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 9 Jul 2021 17:45:29 +0300
+Subject: mtd: spi-nor: hisi-sfc: Remove excessive clk_disable_unprepare()
+
+From: Evgeny Novikov
+
+[ Upstream commit 78e4d342187625585932bb437ec26e1060f7fc6f ]
+
+hisi_spi_nor_probe() invokes clk_disable_unprepare() on all paths after
+successful call of clk_prepare_enable(). Besides, the clock is enabled by
+hispi_spi_nor_prep() and disabled by hispi_spi_nor_unprep(). So at remove
+time it is not possible to have the clock enabled. The patch removes
+excessive clk_disable_unprepare() from hisi_spi_nor_remove().
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Fixes: e523f11141bd ("mtd: spi-nor: add hisilicon spi-nor flash controller driver")
+Signed-off-by: Evgeny Novikov
+Signed-off-by: Tudor Ambarus
+Reviewed-by: Pratyush Yadav
+Link: https://lore.kernel.org/r/20210709144529.31379-1-novikov@ispras.ru
+Signed-off-by: Sasha Levin
+---
+ drivers/mtd/spi-nor/hisi-sfc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/mtd/spi-nor/hisi-sfc.c b/drivers/mtd/spi-nor/hisi-sfc.c
+index 184ba5069ac51..36d2eb0918d9f 100644
+--- a/drivers/mtd/spi-nor/hisi-sfc.c
++++ b/drivers/mtd/spi-nor/hisi-sfc.c
+@@ -485,7 +485,6 @@ static int hisi_spi_nor_remove(struct platform_device *pdev)
+
+ hisi_spi_nor_unregister_all(host);
+ mutex_destroy(&host->lock);
+- clk_disable_unprepare(host->clk);
+ return 0;
+ }
+
+--
+2.33.0
+
diff --git a/queue-4.19/mwifiex-properly-initialize-private-structure-on-int.patch b/queue-4.19/mwifiex-properly-initialize-private-structure-on-int.patch
new file mode 100644
index 00000000000..169db7a3461
--- /dev/null
+++ b/queue-4.19/mwifiex-properly-initialize-private-structure-on-int.patch
@@ -0,0 +1,65 @@ +From 50a1927f0ad941a5676167b53fdfa869418909fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 21:59:08 +0200 +Subject: mwifiex: Properly initialize private structure on interface type + changes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jonas Dreßler + +[ Upstream commit c606008b70627a2fc485732a53cc22f0f66d0981 ] + +When creating a new virtual interface in mwifiex_add_virtual_intf(), we +update our internal driver states like bss_type, bss_priority, bss_role +and bss_mode to reflect the mode the firmware will be set to. + +When switching virtual interface mode using +mwifiex_init_new_priv_params() though, we currently only update bss_mode +and bss_role. In order for the interface mode switch to actually work, +we also need to update bss_type to its proper value, so do that. + +This fixes a crash of the firmware (because the driver tries to execute +commands that are invalid in AP mode) when switching from station mode +to AP mode. 
+ +Signed-off-by: Jonas Dreßler +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210914195909.36035-9-verdre@v0yd.nl +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/cfg80211.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/cfg80211.c b/drivers/net/wireless/marvell/mwifiex/cfg80211.c +index becde7c254de2..892247145f428 100644 +--- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c ++++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c +@@ -912,16 +912,20 @@ mwifiex_init_new_priv_params(struct mwifiex_private *priv, + switch (type) { + case NL80211_IFTYPE_STATION: + case NL80211_IFTYPE_ADHOC: +- priv->bss_role = MWIFIEX_BSS_ROLE_STA; ++ priv->bss_role = MWIFIEX_BSS_ROLE_STA; ++ priv->bss_type = MWIFIEX_BSS_TYPE_STA; + break; + case NL80211_IFTYPE_P2P_CLIENT: +- priv->bss_role = MWIFIEX_BSS_ROLE_STA; ++ priv->bss_role = MWIFIEX_BSS_ROLE_STA; ++ priv->bss_type = MWIFIEX_BSS_TYPE_P2P; + break; + case NL80211_IFTYPE_P2P_GO: +- priv->bss_role = MWIFIEX_BSS_ROLE_UAP; ++ priv->bss_role = MWIFIEX_BSS_ROLE_UAP; ++ priv->bss_type = MWIFIEX_BSS_TYPE_P2P; + break; + case NL80211_IFTYPE_AP: + priv->bss_role = MWIFIEX_BSS_ROLE_UAP; ++ priv->bss_type = MWIFIEX_BSS_TYPE_UAP; + break; + default: + mwifiex_dbg(adapter, ERROR, +-- +2.33.0 + diff --git a/queue-4.19/mwifiex-run-set_bss_mode-when-changing-from-p2p-to-s.patch b/queue-4.19/mwifiex-run-set_bss_mode-when-changing-from-p2p-to-s.patch new file mode 100644 index 00000000000..cb80de543b3 --- /dev/null +++ b/queue-4.19/mwifiex-run-set_bss_mode-when-changing-from-p2p-to-s.patch 
@@ -0,0 +1,77 @@ +From b45b7dbeaaa5d3b6b672795db710996f18e7a67a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 21:59:03 +0200 +Subject: mwifiex: Run SET_BSS_MODE when changing from P2P to STATION vif-type +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jonas Dreßler + +[ Upstream commit c2e9666cdffd347460a2b17988db4cfaf2a68fb9 ] + +We currently handle changing from the P2P to the STATION virtual +interface type slightly different than changing from P2P to ADHOC: When +changing to STATION, we don't send the SET_BSS_MODE command. We do send +that command on all other type-changes though, and it probably makes +sense to send the command since after all we just changed our BSS_MODE. +Looking at prior changes to this part of the code, it seems that this is +simply a leftover from old refactorings. + +Since sending the SET_BSS_MODE command is the only difference between +mwifiex_change_vif_to_sta_adhoc() and the current code, we can now use +mwifiex_change_vif_to_sta_adhoc() for both switching to ADHOC and +STATION interface type. + +This does not fix any particular bug and just "looked right", so there's +a small chance it might be a regression. 
+ +Signed-off-by: Jonas Dreßler +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210914195909.36035-4-verdre@v0yd.nl +Signed-off-by: Sasha Levin +--- + .../net/wireless/marvell/mwifiex/cfg80211.c | 22 ++++--------------- + 1 file changed, 4 insertions(+), 18 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/cfg80211.c b/drivers/net/wireless/marvell/mwifiex/cfg80211.c +index 650191db25cbe..becde7c254de2 100644 +--- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c ++++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c +@@ -1233,29 +1233,15 @@ mwifiex_cfg80211_change_virtual_intf(struct wiphy *wiphy, + break; + case NL80211_IFTYPE_P2P_CLIENT: + case NL80211_IFTYPE_P2P_GO: ++ if (mwifiex_cfg80211_deinit_p2p(priv)) ++ return -EFAULT; ++ + switch (type) { +- case NL80211_IFTYPE_STATION: +- if (mwifiex_cfg80211_deinit_p2p(priv)) +- return -EFAULT; +- priv->adapter->curr_iface_comb.p2p_intf--; +- priv->adapter->curr_iface_comb.sta_intf++; +- dev->ieee80211_ptr->iftype = type; +- if (mwifiex_deinit_priv_params(priv)) +- return -1; +- if (mwifiex_init_new_priv_params(priv, dev, type)) +- return -1; +- if (mwifiex_sta_init_cmd(priv, false, false)) +- return -1; +- break; + case NL80211_IFTYPE_ADHOC: +- if (mwifiex_cfg80211_deinit_p2p(priv)) +- return -EFAULT; ++ case NL80211_IFTYPE_STATION: + return mwifiex_change_vif_to_sta_adhoc(dev, curr_iftype, + type, params); +- break; + case NL80211_IFTYPE_AP: +- if (mwifiex_cfg80211_deinit_p2p(priv)) +- return -EFAULT; + return mwifiex_change_vif_to_ap(dev, curr_iftype, type, + params); + case NL80211_IFTYPE_UNSPECIFIED: +-- +2.33.0 + diff --git a/queue-4.19/mwifiex-send-delba-requests-according-to-spec.patch b/queue-4.19/mwifiex-send-delba-requests-according-to-spec.patch new file mode 100644 index 00000000000..14026e507e5 --- /dev/null +++ b/queue-4.19/mwifiex-send-delba-requests-according-to-spec.patch 
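Review bot: `mwifiex_cfg80211_deinit_p2p(priv)` now runs before the inner `switch (type)`, so it is also executed for `case NL80211_IFTYPE_UNSPECIFIED:` and for whatever cases follow it, where the old code left the P2P state untouched. The rest of that switch lies outside the hunk, so this needs confirming, but if any of those branches keeps the interface as P2P or returns an error, the interface is left de-initialised while still reported as P2P. Keeping the guard `if (mwifiex_cfg80211_deinit_p2p(priv)) return -EFAULT;` under the shared `ADHOC`/`STATION` labels and under `case NL80211_IFTYPE_AP:` preserves the deduplication without widening the side effect. The commit message itself notes the change "just looked right", which is a reason to state the intended behaviour for the no-op and unsupported targets in a comment.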
@@ -0,0 +1,56 @@ +From d96932442332bcc012c5e7a3d079cd9d8ed763bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Oct 2021 17:32:43 +0200 +Subject: mwifiex: Send DELBA requests according to spec +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jonas Dreßler + +[ Upstream commit cc8a8bc37466f79b24d972555237f3d591150602 ] + +While looking at on-air packets using Wireshark, I noticed we're never +setting the initiator bit when sending DELBA requests to the AP: While +we set the bit on our del_ba_param_set bitmask, we forget to actually +copy that bitmask over to the command struct, which means we never +actually set the initiator bit. + +Fix that and copy the bitmask over to the host_cmd_ds_11n_delba command +struct. + +Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver") +Signed-off-by: Jonas Dreßler +Acked-by: Pali Rohár +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211016153244.24353-5-verdre@v0yd.nl +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/11n.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/11n.c b/drivers/net/wireless/marvell/mwifiex/11n.c +index 5d75c971004b4..5dcc305cc8127 100644 +--- a/drivers/net/wireless/marvell/mwifiex/11n.c ++++ b/drivers/net/wireless/marvell/mwifiex/11n.c +@@ -664,14 +664,15 @@ int mwifiex_send_delba(struct mwifiex_private *priv, int tid, u8 *peer_mac, + uint16_t del_ba_param_set; + + memset(&delba, 0, sizeof(delba)); +- delba.del_ba_param_set = cpu_to_le16(tid << DELBA_TID_POS); + +- del_ba_param_set = le16_to_cpu(delba.del_ba_param_set); ++ del_ba_param_set = tid << DELBA_TID_POS; ++ + if (initiator) + del_ba_param_set |= IEEE80211_DELBA_PARAM_INITIATOR_MASK; + else + del_ba_param_set &= ~IEEE80211_DELBA_PARAM_INITIATOR_MASK; + ++ delba.del_ba_param_set = cpu_to_le16(del_ba_param_set); + memcpy(&delba.peer_mac_addr, peer_mac, 
ETH_ALEN); + + /* We don't wait for the response of this command */ +-- +2.33.0 + diff --git a/queue-4.19/mwl8k-fix-use-after-free-in-mwl8k_fw_state_machine.patch b/queue-4.19/mwl8k-fix-use-after-free-in-mwl8k_fw_state_machine.patch new file mode 100644 index 00000000000..c87e1f7f84f --- /dev/null +++ b/queue-4.19/mwl8k-fix-use-after-free-in-mwl8k_fw_state_machine.patch 
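Review bot: `del_ba_param_set = tid << DELBA_TID_POS;` shifts a signed `int` and stores the result in a `uint16_t` with no range check visible in this hunk, so a negative `tid` is an undefined shift and an out-of-range one is silently truncated into a DELBA for a different TID. Whether callers already bound `tid` cannot be seen here, since the function starts above the hunk. Masking at the assignment, `del_ba_param_set = ((u16)tid << DELBA_TID_POS) & IEEE80211_DELBA_PARAM_TID_MASK;`, keeps the on-air field well-formed regardless of the caller.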
@@ -0,0 +1,61 @@ +From be17e678243ca36c8b248e3cecdfc06d60c9335b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Oct 2021 04:02:59 +0000 +Subject: mwl8k: Fix use-after-free in mwl8k_fw_state_machine() + +From: Zheyu Ma + +[ Upstream commit 257051a235c17e33782b6e24a4b17f2d7915aaec ] + +When the driver fails to request the firmware, it calls its error +handler. In the error handler, the driver detaches device from driver +first before releasing the firmware, which can cause a use-after-free bug. + +Fix this by releasing firmware first. + +The following log reveals it: + +[ 9.007301 ] BUG: KASAN: use-after-free in mwl8k_fw_state_machine+0x320/0xba0 +[ 9.010143 ] Workqueue: events request_firmware_work_func +[ 9.010830 ] Call Trace: +[ 9.010830 ] dump_stack_lvl+0xa8/0xd1 +[ 9.010830 ] print_address_description+0x87/0x3b0 +[ 9.010830 ] kasan_report+0x172/0x1c0 +[ 9.010830 ] ? mutex_unlock+0xd/0x10 +[ 9.010830 ] ? mwl8k_fw_state_machine+0x320/0xba0 +[ 9.010830 ] ? mwl8k_fw_state_machine+0x320/0xba0 +[ 9.010830 ] __asan_report_load8_noabort+0x14/0x20 +[ 9.010830 ] mwl8k_fw_state_machine+0x320/0xba0 +[ 9.010830 ] ? mwl8k_load_firmware+0x5f0/0x5f0 +[ 9.010830 ] request_firmware_work_func+0x172/0x250 +[ 9.010830 ] ? read_lock_is_recursive+0x20/0x20 +[ 9.010830 ] ? process_one_work+0x7a1/0x1100 +[ 9.010830 ] ? request_firmware_nowait+0x460/0x460 +[ 9.010830 ] ? 
__this_cpu_preempt_check+0x13/0x20 +[ 9.010830 ] process_one_work+0x9bb/0x1100 + +Signed-off-by: Zheyu Ma +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1634356979-6211-1-git-send-email-zheyuma97@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwl8k.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/marvell/mwl8k.c b/drivers/net/wireless/marvell/mwl8k.c +index 6769b0c5a5cde..ee842797570b7 100644 +--- a/drivers/net/wireless/marvell/mwl8k.c ++++ b/drivers/net/wireless/marvell/mwl8k.c +@@ -5793,8 +5793,8 @@ static void mwl8k_fw_state_machine(const struct firmware *fw, void *context) + fail: + priv->fw_state = FW_STATE_ERROR; + complete(&priv->firmware_loading_complete); +- device_release_driver(&priv->pdev->dev); + mwl8k_release_firmware(priv); ++ device_release_driver(&priv->pdev->dev); + } + + #define MAX_RESTART_ATTEMPTS 1 +-- +2.33.0 + diff --git a/queue-4.19/net-amd-xgbe-toggle-pll-settings-during-rate-change.patch b/queue-4.19/net-amd-xgbe-toggle-pll-settings-during-rate-change.patch new file mode 100644 index 00000000000..f220a528200 --- /dev/null +++ b/queue-4.19/net-amd-xgbe-toggle-pll-settings-during-rate-change.patch 
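Review bot: `complete(&priv->firmware_loading_complete)` still runs before `mwl8k_release_firmware(priv)` in the `fail:` path, so anything waiting on that completion can proceed while `priv` is still being used here. If such a waiter can tear down `priv` (the remove path is not in this hunk, so this is an assumption to confirm), the reorder closes the window opened by `device_release_driver()` but not this earlier one, and the `priv->pdev` read in the last line would be exposed in the same way. Releasing first, `mwl8k_release_firmware(priv);` then `complete(&priv->firmware_loading_complete);` then `device_release_driver(&priv->pdev->dev);`, leaves no firmware-pointer access after waiters are woken. The function body starts outside the hunk.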
@@ -0,0 +1,110 @@ +From 8621818850169b7c5c3720ae7dc2b6f5630be5de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Oct 2021 15:27:27 +0530 +Subject: net: amd-xgbe: Toggle PLL settings during rate change + +From: Shyam Sundar S K + +[ Upstream commit daf182d360e509a494db18666799f4e85d83dda0 ] + +For each rate change command submission, the FW has to do a phy +power off sequence internally. For this to happen correctly, the +PLL re-initialization control setting has to be turned off before +sending mailbox commands and re-enabled once the command submission +is complete. + +Without the PLL control setting, the link up takes longer time in a +fixed phy configuration. + +Fixes: 47f164deab22 ("amd-xgbe: Add PCI device support") +Co-developed-by: Sudheesh Mavila +Signed-off-by: Sudheesh Mavila +Signed-off-by: Shyam Sundar S K +Acked-by: Tom Lendacky +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/xgbe/xgbe-common.h | 8 ++++++++ + drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 20 +++++++++++++++++++- + 2 files changed, 27 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-common.h b/drivers/net/ethernet/amd/xgbe/xgbe-common.h +index b2cd3bdba9f89..533b8519ec352 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-common.h ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-common.h +@@ -1331,6 +1331,10 @@ + #define MDIO_VEND2_PMA_CDR_CONTROL 0x8056 + #endif + ++#ifndef MDIO_VEND2_PMA_MISC_CTRL0 ++#define MDIO_VEND2_PMA_MISC_CTRL0 0x8090 ++#endif ++ + #ifndef MDIO_CTRL1_SPEED1G + #define MDIO_CTRL1_SPEED1G (MDIO_CTRL1_SPEED10G & ~BMCR_SPEED100) + #endif +@@ -1389,6 +1393,10 @@ + #define XGBE_PMA_RX_RST_0_RESET_ON 0x10 + #define XGBE_PMA_RX_RST_0_RESET_OFF 0x00 + ++#define XGBE_PMA_PLL_CTRL_MASK BIT(15) ++#define XGBE_PMA_PLL_CTRL_ENABLE BIT(15) ++#define XGBE_PMA_PLL_CTRL_DISABLE 0x0000 ++ + /* Bit setting and getting macros + * The get macro will extract the current bit field value from within + * the 
variable +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c +index 54753c8a6a9d7..714aead72c579 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c +@@ -1966,12 +1966,26 @@ static void xgbe_phy_rx_reset(struct xgbe_prv_data *pdata) + } + } + ++static void xgbe_phy_pll_ctrl(struct xgbe_prv_data *pdata, bool enable) ++{ ++ XMDIO_WRITE_BITS(pdata, MDIO_MMD_PMAPMD, MDIO_VEND2_PMA_MISC_CTRL0, ++ XGBE_PMA_PLL_CTRL_MASK, ++ enable ? XGBE_PMA_PLL_CTRL_ENABLE ++ : XGBE_PMA_PLL_CTRL_DISABLE); ++ ++ /* Wait for command to complete */ ++ usleep_range(100, 200); ++} ++ + static void xgbe_phy_perform_ratechange(struct xgbe_prv_data *pdata, + unsigned int cmd, unsigned int sub_cmd) + { + unsigned int s0 = 0; + unsigned int wait; + ++ /* Disable PLL re-initialization during FW command processing */ ++ xgbe_phy_pll_ctrl(pdata, false); ++ + /* Log if a previous command did not complete */ + if (XP_IOREAD_BITS(pdata, XP_DRIVER_INT_RO, STATUS)) { + netif_dbg(pdata, link, pdata->netdev, +@@ -1992,7 +2006,7 @@ static void xgbe_phy_perform_ratechange(struct xgbe_prv_data *pdata, + wait = XGBE_RATECHANGE_COUNT; + while (wait--) { + if (!XP_IOREAD_BITS(pdata, XP_DRIVER_INT_RO, STATUS)) +- return; ++ goto reenable_pll; + + usleep_range(1000, 2000); + } +@@ -2002,6 +2016,10 @@ static void xgbe_phy_perform_ratechange(struct xgbe_prv_data *pdata, + + /* Reset on error */ + xgbe_phy_rx_reset(pdata); ++ ++reenable_pll: ++ /* Enable PLL re-initialization */ ++ xgbe_phy_pll_ctrl(pdata, true); + } + + static void xgbe_phy_rrc(struct xgbe_prv_data *pdata) +-- +2.33.0 + diff --git a/queue-4.19/net-davinci_emac-fix-interrupt-pacing-disable.patch b/queue-4.19/net-davinci_emac-fix-interrupt-pacing-disable.patch new file mode 100644 index 00000000000..c7e17ac3a05 --- /dev/null +++ b/queue-4.19/net-davinci_emac-fix-interrupt-pacing-disable.patch 
@@ -0,0 +1,59 @@
+From 3e9162c750e8986bf42ebb9d527c3a618d2af160 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 1 Nov 2021 18:23:41 +0300
+Subject: net: davinci_emac: Fix interrupt pacing disable
+
+From: Maxim Kiselev
+
+[ Upstream commit d52bcb47bdf971a59a2467975d2405fcfcb2fa19 ]
+
+This patch allows to use 0 for `coal->rx_coalesce_usecs` param to
+disable rx irq coalescing.
+
+Previously we could enable rx irq coalescing via ethtool
+(For ex: `ethtool -C eth0 rx-usecs 2000`) but we couldn't disable
+it because this part rejects 0 value:
+
+ if (!coal->rx_coalesce_usecs)
+ return -EINVAL;
+
+Fixes: 84da2658a619 ("TI DaVinci EMAC : Implement interrupt pacing functionality.")
+Signed-off-by: Maxim Kiselev
+Reviewed-by: Grygorii Strashko
+Link: https://lore.kernel.org/r/20211101152343.4193233-1-bigunclemax@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/ti/davinci_emac.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/ti/davinci_emac.c b/drivers/net/ethernet/ti/davinci_emac.c
+index 56130cf293f37..566da1e3cfbcc 100644
+--- a/drivers/net/ethernet/ti/davinci_emac.c
++++ b/drivers/net/ethernet/ti/davinci_emac.c
+@@ -426,8 +426,20 @@ static int emac_set_coalesce(struct net_device *ndev,
+ u32 int_ctrl, num_interrupts = 0;
+ u32 prescale = 0, addnl_dvdr = 1, coal_intvl = 0;
+
+- if (!coal->rx_coalesce_usecs)
+- return -EINVAL;
++ if (!coal->rx_coalesce_usecs) {
++ priv->coal_intvl = 0;
++
++ switch (priv->version) {
++ case EMAC_VERSION_2:
++ emac_ctrl_write(EMAC_DM646X_CMINTCTRL, 0);
++ break;
++ default:
++ emac_ctrl_write(EMAC_CTRL_EWINTTCNT, 0);
++ break;
++ }
++
++ return 0;
++ }
+
+ coal_intvl = coal->rx_coalesce_usecs;
+
+--
+2.33.0
+
diff --git a/queue-4.19/net-dsa-rtl8366rb-fix-off-by-one-bug.patch b/queue-4.19/net-dsa-rtl8366rb-fix-off-by-one-bug.patch
new file mode 100644
index 00000000000..9f1090fdfd6
--- /dev/null
+++ b/queue-4.19/net-dsa-rtl8366rb-fix-off-by-one-bug.patch @@ -0,0 +1,50 @@ +From 6c98374bf24ada0be6ccaaf40235abcc3107d191 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Sep 2021 00:59:27 +0200 +Subject: net: dsa: rtl8366rb: Fix off-by-one bug +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Walleij + +[ Upstream commit 5f5f12f5d4b108399130bb5c11f07765851d9cdb ] + +The max VLAN number with non-4K VLAN activated is 15, and the +range is 0..15. Not 16. + +The impact should be low since we by default have 4K VLAN and +thus have 4095 VLANs to play with in this switch. There will +not be a problem unless the code is rewritten to only use +16 VLANs. + +Fixes: d8652956cf37 ("net: dsa: realtek-smi: Add Realtek SMI driver") +Cc: Mauri Sandberg +Cc: DENG Qingfang +Cc: Florian Fainelli +Reviewed-by: Alvin Å ipraga +Reviewed-by: Vladimir Oltean +Signed-off-by: Linus Walleij +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/rtl8366rb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/rtl8366rb.c b/drivers/net/dsa/rtl8366rb.c +index 5aefd7a4696a5..87832e36c3d5a 100644 +--- a/drivers/net/dsa/rtl8366rb.c ++++ b/drivers/net/dsa/rtl8366rb.c +@@ -1265,7 +1265,7 @@ static int rtl8366rb_set_mc_index(struct realtek_smi *smi, int port, int index) + + static bool rtl8366rb_is_vlan_valid(struct realtek_smi *smi, unsigned int vlan) + { +- unsigned int max = RTL8366RB_NUM_VLANS; ++ unsigned int max = RTL8366RB_NUM_VLANS - 1; + + if (smi->vlan4k_enabled) + max = RTL8366RB_NUM_VIDS - 1; +-- +2.33.0 + diff --git a/queue-4.19/net-phylink-avoid-mvneta-warning-when-setting-pause-.patch b/queue-4.19/net-phylink-avoid-mvneta-warning-when-setting-pause-.patch new file mode 100644 index 00000000000..7599183450f --- /dev/null +++ b/queue-4.19/net-phylink-avoid-mvneta-warning-when-setting-pause-.patch 
@@ -0,0 +1,44 @@
+From df0b13df86df34fef4223cb6f4a4b750fa126549 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 28 Oct 2021 15:55:34 +0100
+Subject: net: phylink: avoid mvneta warning when setting pause parameters
+
+From: Russell King (Oracle)
+
+[ Upstream commit fd8d9731bcdfb22d28e45bce789bcb211c868c78 ]
+
+mvneta does not support asymetric pause modes, and it flags this by the
+lack of AsymPause in the supported field. When setting pause modes, we
+check that pause->rx_pause == pause->tx_pause, but only when pause
+autoneg is enabled. When pause autoneg is disabled, we still allow
+pause->rx_pause != pause->tx_pause, which is incorrect when the MAC
+does not support asymetric pause, and causes mvneta to issue a warning.
+
+Fix this by removing the test for pause->autoneg, so we always check
+that pause->rx_pause == pause->tx_pause for network devices that do not
+support AsymPause.
+
+Fixes: 9525ae83959b ("phylink: add phylink infrastructure")
+Signed-off-by: Russell King (Oracle)
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/phy/phylink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/phylink.c b/drivers/net/phy/phylink.c
+index 723611ac91027..e808efd762122 100644
+--- a/drivers/net/phy/phylink.c
++++ b/drivers/net/phy/phylink.c
+@@ -1259,7 +1259,7 @@ int phylink_ethtool_set_pauseparam(struct phylink *pl,
+ return -EOPNOTSUPP;
+
+ if (!phylink_test(pl->supported, Asym_Pause) &&
+- !pause->autoneg && pause->rx_pause != pause->tx_pause)
++ pause->rx_pause != pause->tx_pause)
+ return -EINVAL;
+
+ config->pause &= ~(MLO_PAUSE_AN | MLO_PAUSE_TXRX_MASK);
+--
+2.33.0
+
diff --git a/queue-4.19/net-sched-update-default-qdisc-visibility-after-tx-q.patch b/queue-4.19/net-sched-update-default-qdisc-visibility-after-tx-q.patch
new file mode 100644
index 00000000000..245da4d86e7
--- /dev/null
+++ b/queue-4.19/net-sched-update-default-qdisc-visibility-after-tx-q.patch
@@ -0,0 +1,186 @@ +From 7e6357da4daea8ce61537967fa165db6951ea0c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Sep 2021 15:53:30 -0700 +Subject: net: sched: update default qdisc visibility after Tx queue cnt + changes + +From: Jakub Kicinski + +[ Upstream commit 1e080f17750d1083e8a32f7b350584ae1cd7ff20 ] + +mq / mqprio make the default child qdiscs visible. They only do +so for the qdiscs which are within real_num_tx_queues when the +device is registered. Depending on order of calls in the driver, +or if user space changes config via ethtool -L the number of +qdiscs visible under tc qdisc show will differ from the number +of queues. This is confusing to users and potentially to system +configuration scripts which try to make sure qdiscs have the +right parameters. + +Add a new Qdisc_ops callback and make relevant qdiscs TTRT. + +Note that this uncovers the "shortcut" created by +commit 1f27cde313d7 ("net: sched: use pfifo_fast for non real queues") +The default child qdiscs beyond initial real_num_tx are always +pfifo_fast, no matter what the sysfs setting is. Fixing this +gets a little tricky because we'd need to keep a reference +on whatever the default qdisc was at the time of creation. +In practice this is likely an non-issue the qdiscs likely have +to be configured to non-default settings, so whatever user space +is doing such configuration can replace the pfifos... now that +it will see them. + +Reported-by: Matthew Massey +Reviewed-by: Dave Taht +Signed-off-by: Jakub Kicinski +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + include/net/sch_generic.h | 4 ++++ + net/core/dev.c | 2 ++ + net/sched/sch_generic.c | 9 +++++++++ + net/sched/sch_mq.c | 24 ++++++++++++++++++++++++ + net/sched/sch_mqprio.c | 23 +++++++++++++++++++++++ + 5 files changed, 62 insertions(+) + +diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h +index d737a6a2600be..286bc674a6e79 100644 +--- a/include/net/sch_generic.h ++++ b/include/net/sch_generic.h +@@ -216,6 +216,8 @@ struct Qdisc_ops { + struct netlink_ext_ack *extack); + void (*attach)(struct Qdisc *sch); + int (*change_tx_queue_len)(struct Qdisc *, unsigned int); ++ void (*change_real_num_tx)(struct Qdisc *sch, ++ unsigned int new_real_tx); + + int (*dump)(struct Qdisc *, struct sk_buff *); + int (*dump_stats)(struct Qdisc *, struct gnet_dump *); +@@ -547,6 +549,8 @@ void qdisc_class_hash_grow(struct Qdisc *, struct Qdisc_class_hash *); + void qdisc_class_hash_destroy(struct Qdisc_class_hash *); + + int dev_qdisc_change_tx_queue_len(struct net_device *dev); ++void dev_qdisc_change_real_num_tx(struct net_device *dev, ++ unsigned int new_real_tx); + void dev_init_scheduler(struct net_device *dev); + void dev_shutdown(struct net_device *dev); + void dev_activate(struct net_device *dev); +diff --git a/net/core/dev.c b/net/core/dev.c +index 397bc2f50de08..2519a90a14827 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -2648,6 +2648,8 @@ int netif_set_real_num_tx_queues(struct net_device *dev, unsigned int txq) + if (dev->num_tc) + netif_setup_tc(dev, txq); + ++ dev_qdisc_change_real_num_tx(dev, txq); ++ + dev->real_num_tx_queues = txq; + + if (disabling) { +diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c +index 4e15913e7519e..2128b77d5cb33 100644 +--- a/net/sched/sch_generic.c ++++ b/net/sched/sch_generic.c +@@ -1256,6 +1256,15 @@ static int qdisc_change_tx_queue_len(struct net_device *dev, + return 0; + } + ++void dev_qdisc_change_real_num_tx(struct net_device *dev, ++ unsigned int 
new_real_tx) ++{ ++ struct Qdisc *qdisc = dev->qdisc; ++ ++ if (qdisc->ops->change_real_num_tx) ++ qdisc->ops->change_real_num_tx(qdisc, new_real_tx); ++} ++ + int dev_qdisc_change_tx_queue_len(struct net_device *dev) + { + bool up = dev->flags & IFF_UP; +diff --git a/net/sched/sch_mq.c b/net/sched/sch_mq.c +index c008a316e9436..699b6bb444cea 100644 +--- a/net/sched/sch_mq.c ++++ b/net/sched/sch_mq.c +@@ -130,6 +130,29 @@ static void mq_attach(struct Qdisc *sch) + priv->qdiscs = NULL; + } + ++static void mq_change_real_num_tx(struct Qdisc *sch, unsigned int new_real_tx) ++{ ++#ifdef CONFIG_NET_SCHED ++ struct net_device *dev = qdisc_dev(sch); ++ struct Qdisc *qdisc; ++ unsigned int i; ++ ++ for (i = new_real_tx; i < dev->real_num_tx_queues; i++) { ++ qdisc = netdev_get_tx_queue(dev, i)->qdisc_sleeping; ++ /* Only update the default qdiscs we created, ++ * qdiscs with handles are always hashed. ++ */ ++ if (qdisc != &noop_qdisc && !qdisc->handle) ++ qdisc_hash_del(qdisc); ++ } ++ for (i = dev->real_num_tx_queues; i < new_real_tx; i++) { ++ qdisc = netdev_get_tx_queue(dev, i)->qdisc_sleeping; ++ if (qdisc != &noop_qdisc && !qdisc->handle) ++ qdisc_hash_add(qdisc, false); ++ } ++#endif ++} ++ + static int mq_dump(struct Qdisc *sch, struct sk_buff *skb) + { + struct net_device *dev = qdisc_dev(sch); +@@ -285,6 +308,7 @@ struct Qdisc_ops mq_qdisc_ops __read_mostly = { + .init = mq_init, + .destroy = mq_destroy, + .attach = mq_attach, ++ .change_real_num_tx = mq_change_real_num_tx, + .dump = mq_dump, + .owner = THIS_MODULE, + }; +diff --git a/net/sched/sch_mqprio.c b/net/sched/sch_mqprio.c +index fcfe41a954733..3fd0e5dd7ae3e 100644 +--- a/net/sched/sch_mqprio.c ++++ b/net/sched/sch_mqprio.c +@@ -308,6 +308,28 @@ static void mqprio_attach(struct Qdisc *sch) + priv->qdiscs = NULL; + } + ++static void mqprio_change_real_num_tx(struct Qdisc *sch, ++ unsigned int new_real_tx) ++{ ++ struct net_device *dev = qdisc_dev(sch); ++ struct Qdisc *qdisc; ++ unsigned int i; ++ ++ for 
(i = new_real_tx; i < dev->real_num_tx_queues; i++) { ++ qdisc = netdev_get_tx_queue(dev, i)->qdisc_sleeping; ++ /* Only update the default qdiscs we created, ++ * qdiscs with handles are always hashed. ++ */ ++ if (qdisc != &noop_qdisc && !qdisc->handle) ++ qdisc_hash_del(qdisc); ++ } ++ for (i = dev->real_num_tx_queues; i < new_real_tx; i++) { ++ qdisc = netdev_get_tx_queue(dev, i)->qdisc_sleeping; ++ if (qdisc != &noop_qdisc && !qdisc->handle) ++ qdisc_hash_add(qdisc, false); ++ } ++} ++ + static struct netdev_queue *mqprio_queue_get(struct Qdisc *sch, + unsigned long cl) + { +@@ -632,6 +654,7 @@ static struct Qdisc_ops mqprio_qdisc_ops __read_mostly = { + .init = mqprio_init, + .destroy = mqprio_destroy, + .attach = mqprio_attach, ++ .change_real_num_tx = mqprio_change_real_num_tx, + .dump = mqprio_dump, + .owner = THIS_MODULE, + }; +-- +2.33.0 + diff --git a/queue-4.19/net-stream-don-t-purge-sk_error_queue-in-sk_stream_k.patch b/queue-4.19/net-stream-don-t-purge-sk_error_queue-in-sk_stream_k.patch new file mode 100644 index 00000000000..e05aa20ff87 --- /dev/null +++ b/queue-4.19/net-stream-don-t-purge-sk_error_queue-in-sk_stream_k.patch 
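Review bot: Both `mq_change_real_num_tx()` and `mqprio_change_real_num_tx()` compare `new_real_tx` against `dev->real_num_tx_queues`, so they only work because `netif_set_real_num_tx_queues()` calls `dev_qdisc_change_real_num_tx(dev, txq)` before `dev->real_num_tx_queues = txq;`, and nothing in the new code states that ordering. A comment at the call site such as `/* must run before real_num_tx_queues is updated: qdisc callbacks diff old vs. new count */` would stop a later reorder from silently turning both loops into no-ops. `dev_qdisc_change_real_num_tx()` also dereferences `dev->qdisc->ops` unconditionally; whether `dev->qdisc` is always set on this path depends on code outside the hunk. The two callbacks are otherwise identical apart from the `#ifdef CONFIG_NET_SCHED` guard in sch_mq.c, so a shared helper, or at least a comment on why only one is guarded, would keep them from drifting.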
@@ -0,0 +1,68 @@ +From c4fe2b88503430be06c595cd9ba92315298e3d25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Oct 2021 06:37:39 -0700 +Subject: net: stream: don't purge sk_error_queue in sk_stream_kill_queues() + +From: Jakub Kicinski + +[ Upstream commit 24bcbe1cc69fa52dc4f7b5b2456678ed464724d8 ] + +sk_stream_kill_queues() can be called on close when there are +still outstanding skbs to transmit. Those skbs may try to queue +notifications to the error queue (e.g. timestamps). +If sk_stream_kill_queues() purges the queue without taking +its lock the queue may get corrupted, and skbs leaked. + +This shows up as a warning about an rmem leak: + +WARNING: CPU: 24 PID: 0 at net/ipv4/af_inet.c:154 inet_sock_destruct+0x... + +The leak is always a multiple of 0x300 bytes (the value is in +%rax on my builds, so RAX: 0000000000000300). 0x300 is truesize of +an empty sk_buff. Indeed if we dump the socket state at the time +of the warning the sk_error_queue is often (but not always) +corrupted. The ->next pointer points back at the list head, +but not the ->prev pointer. Indeed we can find the leaked skb +by scanning the kernel memory for something that looks like +an skb with ->sk = socket in question, and ->truesize = 0x300. +The contents of ->cb[] of the skb confirms the suspicion that +it is indeed a timestamp notification (as generated in +__skb_complete_tx_timestamp()). + +Removing purging of sk_error_queue should be okay, since +inet_sock_destruct() does it again once all socket refs +are gone. Eric suggests this may cause sockets that go +thru disconnect() to maintain notifications from the +previous incarnations of the socket, but that should be +okay since the race was there anyway, and disconnect() +is not exactly dependable. + +Thanks to Jonathan Lemon and Omar Sandoval for help at various +stages of tracing the issue. 
+ +Fixes: cb9eff097831 ("net: new user space API for time stamping of incoming and outgoing packets") +Signed-off-by: Jakub Kicinski +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/stream.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/net/core/stream.c b/net/core/stream.c +index 7f5eaa95a6756..3d98774cf1285 100644 +--- a/net/core/stream.c ++++ b/net/core/stream.c +@@ -195,9 +195,6 @@ void sk_stream_kill_queues(struct sock *sk) + /* First the read buffer. */ + __skb_queue_purge(&sk->sk_receive_queue); + +- /* Next, the error queue. */ +- __skb_queue_purge(&sk->sk_error_queue); +- + /* Next, the write queue. */ + WARN_ON(!skb_queue_empty(&sk->sk_write_queue)); + +-- +2.33.0 + diff --git a/queue-4.19/net-vlan-fix-a-uaf-in-vlan_dev_real_dev.patch b/queue-4.19/net-vlan-fix-a-uaf-in-vlan_dev_real_dev.patch new file mode 100644 index 00000000000..5a0613d9812 --- /dev/null +++ b/queue-4.19/net-vlan-fix-a-uaf-in-vlan_dev_real_dev.patch 
@@ -0,0 +1,86 @@ +From 571472b0b82812d0b6d862e400b1002023fbd2bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Nov 2021 10:12:18 +0800 +Subject: net: vlan: fix a UAF in vlan_dev_real_dev() + +From: Ziyang Xuan + +[ Upstream commit 563bcbae3ba233c275c244bfce2efe12938f5363 ] + +The real_dev of a vlan net_device may be freed after +unregister_vlan_dev(). Access the real_dev continually by +vlan_dev_real_dev() will trigger the UAF problem for the +real_dev like following: + +================================================================== +BUG: KASAN: use-after-free in vlan_dev_real_dev+0xf9/0x120 +Call Trace: + kasan_report.cold+0x83/0xdf + vlan_dev_real_dev+0xf9/0x120 + is_eth_port_of_netdev_filter.part.0+0xb1/0x2c0 + is_eth_port_of_netdev_filter+0x28/0x40 + ib_enum_roce_netdev+0x1a3/0x300 + ib_enum_all_roce_netdevs+0xc7/0x140 + netdevice_event_work_handler+0x9d/0x210 +... + +Freed by task 9288: + kasan_save_stack+0x1b/0x40 + kasan_set_track+0x1c/0x30 + kasan_set_free_info+0x20/0x30 + __kasan_slab_free+0xfc/0x130 + slab_free_freelist_hook+0xdd/0x240 + kfree+0xe4/0x690 + kvfree+0x42/0x50 + device_release+0x9f/0x240 + kobject_put+0x1c8/0x530 + put_device+0x1b/0x30 + free_netdev+0x370/0x540 + ppp_destroy_interface+0x313/0x3d0 +... + +Move the put_device(real_dev) to vlan_dev_free(). Ensure +real_dev not be freed before vlan_dev unregistered. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot+e4df4e1389e28972e955@syzkaller.appspotmail.com +Signed-off-by: Ziyang Xuan +Reviewed-by: Jason Gunthorpe +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/8021q/vlan.c | 3 --- + net/8021q/vlan_dev.c | 3 +++ + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c +index 512ada90657b2..64ad86419b08d 100644 +--- a/net/8021q/vlan.c ++++ b/net/8021q/vlan.c +@@ -112,9 +112,6 @@ void unregister_vlan_dev(struct net_device *dev, struct list_head *head) + } + + vlan_vid_del(real_dev, vlan->vlan_proto, vlan_id); +- +- /* Get rid of the vlan's reference to real_dev */ +- dev_put(real_dev); + } + + int vlan_check_real_dev(struct net_device *real_dev, +diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c +index 84ef837721141..52428d9c93b06 100644 +--- a/net/8021q/vlan_dev.c ++++ b/net/8021q/vlan_dev.c +@@ -816,6 +816,9 @@ static void vlan_dev_free(struct net_device *dev) + + free_percpu(vlan->vlan_pcpu_stats); + vlan->vlan_pcpu_stats = NULL; ++ ++ /* Get rid of the vlan's reference to real_dev */ ++ dev_put(vlan->real_dev); + } + + void vlan_setup(struct net_device *dev) +-- +2.33.0 + diff --git a/queue-4.19/netfilter-nfnetlink_queue-fix-oob-when-mac-header-wa.patch b/queue-4.19/netfilter-nfnetlink_queue-fix-oob-when-mac-header-wa.patch new file mode 100644 index 00000000000..48bf5aa4723 --- /dev/null +++ b/queue-4.19/netfilter-nfnetlink_queue-fix-oob-when-mac-header-wa.patch 
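Review bot: The `dev_put(vlan->real_dev)` added to vlan_dev_free() in the net/8021q/vlan_dev.c hunk must be paired with a hold that is already in place on every path that can run this destructor, and neither hunk shows where that hold is taken. If the reference is only taken late in register_vlan_dev(), a registration that fails before that point could still reach vlan_dev_free() and drop a reference it never took, underflowing the real_dev refcount; this should be confirmed against the full files. Taking the hold where `vlan->real_dev` first becomes visible to the destructor would keep the get/put pair symmetric. I would also widen the comment to `/* Drop the vlan's reference to real_dev; must be the last use of real_dev in this device's lifetime */`. Both function bodies start outside their hunks.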
@@ -0,0 +1,55 @@
+From 13144b92be97bbcb03d5aa6a6dd4991d98bb56fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 20 Oct 2021 18:08:10 +0200
+Subject: netfilter: nfnetlink_queue: fix OOB when mac header was cleared
+
+From: Florian Westphal
+
+[ Upstream commit 5648b5e1169ff1d6d6a46c35c0b5fbebd2a5cbb2 ]
+
+On 64bit platforms the MAC header is set to 0xffff on allocation and
+also when a helper like skb_unset_mac_header() is called.
+
+dev_parse_header may call skb_mac_header() which assumes valid mac offset:
+
+ BUG: KASAN: use-after-free in eth_header_parse+0x75/0x90
+ Read of size 6 at addr ffff8881075a5c05 by task nf-queue/1364
+ Call Trace:
+ memcpy+0x20/0x60
+ eth_header_parse+0x75/0x90
+ __nfqnl_enqueue_packet+0x1a61/0x3380
+ __nf_queue+0x597/0x1300
+ nf_queue+0xf/0x40
+ nf_hook_slow+0xed/0x190
+ nf_hook+0x184/0x440
+ ip_output+0x1c0/0x2a0
+ nf_reinject+0x26f/0x700
+ nfqnl_recv_verdict+0xa16/0x18b0
+ nfnetlink_rcv_msg+0x506/0xe70
+
+The existing code only works if the skb has a mac header.
+
+Fixes: 2c38de4c1f8da7 ("netfilter: fix looped (broad|multi)cast's MAC handling")
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nfnetlink_queue.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
+index f81a3ce0fe48e..eb5a052d3b252 100644
+--- a/net/netfilter/nfnetlink_queue.c
++++ b/net/netfilter/nfnetlink_queue.c
+@@ -566,7 +566,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
+ goto nla_put_failure;
+
+ if (indev && entskb->dev &&
+- entskb->mac_header != entskb->network_header) {
++ skb_mac_header_was_set(entskb)) {
+ struct nfqnl_msg_packet_hw phw;
+ int len;
+
+--
+2.33.0
+
diff --git a/queue-4.19/nfc-pn533-fix-double-free-when-pn533_fill_fragment_s.patch b/queue-4.19/nfc-pn533-fix-double-free-when-pn533_fill_fragment_s.patch
new file mode 100644
index 00000000000..b5bba789b04
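Review bot: The new test `skb_mac_header_was_set(entskb)` no longer covers one case the removed line did: the old condition also skipped packets whose MAC header offset equals the network header offset, i.e. a zero-length link-layer header. Such a packet now enters the block that declares `struct nfqnl_msg_packet_hw phw`, where, going by the commit message, dev_parse_header() runs and would presumably copy network-header bytes to userspace as a hardware address. Keeping both conditions, `skb_mac_header_was_set(entskb) && skb_mac_header_len(entskb) != 0) {` (if that helper is available in this tree), closes the out-of-bounds read without changing the zero-length case. The body of nfqnl_build_packet_message() continues outside the hunk.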
--- /dev/null
+++ b/queue-4.19/nfc-pn533-fix-double-free-when-pn533_fill_fragment_s.patch
@@ -0,0 +1,59 @@ +From 89945828bc0bd9c1f410c92fb40179d68d606534 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Nov 2021 06:36:36 -0700 +Subject: nfc: pn533: Fix double free when pn533_fill_fragment_skbs() fails + +From: Chengfeng Ye + +[ Upstream commit 9fec40f850658e00a14a7dd9e06f7fbc7e59cc4a ] + +skb is already freed by dev_kfree_skb in pn533_fill_fragment_skbs, +but follow error handler branch when pn533_fill_fragment_skbs() +fails, skb is freed again, results in double free issue. Fix this +by not free skb in error path of pn533_fill_fragment_skbs. + +Fixes: 963a82e07d4e ("NFC: pn533: Split large Tx frames in chunks") +Fixes: 93ad42020c2d ("NFC: pn533: Target mode Tx fragmentation support") +Signed-off-by: Chengfeng Ye +Reviewed-by: Dan Carpenter +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/nfc/pn533/pn533.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/nfc/pn533/pn533.c b/drivers/nfc/pn533/pn533.c +index 01da9331f4cb6..79bf8e1bd39c2 100644 +--- a/drivers/nfc/pn533/pn533.c ++++ b/drivers/nfc/pn533/pn533.c +@@ -2084,7 +2084,7 @@ static int pn533_fill_fragment_skbs(struct pn533 *dev, struct sk_buff *skb) + frag = pn533_alloc_skb(dev, frag_size); + if (!frag) { + skb_queue_purge(&dev->fragment_skb); +- break; ++ return -ENOMEM; + } + + if (!dev->tgt_mode) { +@@ -2154,7 +2154,7 @@ static int pn533_transceive(struct nfc_dev *nfc_dev, + /* jumbo frame ? 
*/ + if (skb->len > PN533_CMD_DATAEXCH_DATA_MAXLEN) { + rc = pn533_fill_fragment_skbs(dev, skb); +- if (rc <= 0) ++ if (rc < 0) + goto error; + + skb = skb_dequeue(&dev->fragment_skb); +@@ -2226,7 +2226,7 @@ static int pn533_tm_send(struct nfc_dev *nfc_dev, struct sk_buff *skb) + /* let's split in multiple chunks if size's too big */ + if (skb->len > PN533_CMD_DATAEXCH_DATA_MAXLEN) { + rc = pn533_fill_fragment_skbs(dev, skb); +- if (rc <= 0) ++ if (rc < 0) + goto error; + + /* get the first skb */ +-- +2.33.0 + diff --git a/queue-4.19/nfs-fix-deadlocks-in-nfs_scan_commit_list.patch b/queue-4.19/nfs-fix-deadlocks-in-nfs_scan_commit_list.patch new file mode 100644 index 00000000000..8f1f80278bc --- /dev/null +++ b/queue-4.19/nfs-fix-deadlocks-in-nfs_scan_commit_list.patch 
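Review bot: The ownership rule for `skb` that this fix depends on is not written down in any of the three hunks. After the change, pn533_fill_fragment_skbs() returns `-ENOMEM` before the point where, per the commit message, it frees `skb`, and both callers take `goto error` only for `rc < 0`, so the caller's error path becomes the only place that frees it. A comment above the function, such as `/* Consumes skb on success; on error skb is left for the caller to free. */`, would keep a later error path from reintroducing the double free. The function bodies start and end outside the hunks, so the caller-side free is inferred from the commit message rather than visible here.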
@@ -0,0 +1,66 @@ +From c6b1f3cf58224f47b73199068d101b817080a0af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Oct 2021 15:44:16 -0400 +Subject: NFS: Fix deadlocks in nfs_scan_commit_list() + +From: Trond Myklebust + +[ Upstream commit 64a93dbf25d3a1368bb58ddf0f61d0a92d7479e3 ] + +Partially revert commit 2ce209c42c01 ("NFS: Wait for requests that are +locked on the commit list"), since it can lead to deadlocks between +commit requests and nfs_join_page_group(). +For now we should assume that any locked requests on the commit list are +either about to be removed and committed by another task, or the writes +they describe are about to be retransmitted. In either case, we should +not need to worry. + +Fixes: 2ce209c42c01 ("NFS: Wait for requests that are locked on the commit list") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/write.c | 17 ++--------------- + 1 file changed, 2 insertions(+), 15 deletions(-) + +diff --git a/fs/nfs/write.c b/fs/nfs/write.c +index d419d89b91f7c..ec0fd6b3d185a 100644 +--- a/fs/nfs/write.c ++++ b/fs/nfs/write.c +@@ -1045,25 +1045,11 @@ nfs_scan_commit_list(struct list_head *src, struct list_head *dst, + struct nfs_page *req, *tmp; + int ret = 0; + +-restart: + list_for_each_entry_safe(req, tmp, src, wb_list) { + kref_get(&req->wb_kref); + if (!nfs_lock_request(req)) { +- int status; +- +- /* Prevent deadlock with nfs_lock_and_join_requests */ +- if (!list_empty(dst)) { +- nfs_release_request(req); +- continue; +- } +- /* Ensure we make progress to prevent livelock */ +- mutex_unlock(&NFS_I(cinfo->inode)->commit_mutex); +- status = nfs_wait_on_request(req); + nfs_release_request(req); +- mutex_lock(&NFS_I(cinfo->inode)->commit_mutex); +- if (status < 0) +- break; +- goto restart; ++ continue; + } + nfs_request_remove_commit_list(req, cinfo); + clear_bit(PG_COMMIT_TO_DS, &req->wb_flags); +@@ -1911,6 +1897,7 @@ static int __nfs_commit_inode(struct inode *inode, int how, + int may_wait = how & FLUSH_SYNC; 
+ int ret, nscan; + ++ how &= ~FLUSH_SYNC; + nfs_init_cinfo_from_inode(&cinfo, inode); + nfs_commit_begin(cinfo.mds); + for (;;) { +-- +2.33.0 + diff --git a/queue-4.19/nvme-rdma-fix-error-code-in-nvme_rdma_setup_ctrl.patch b/queue-4.19/nvme-rdma-fix-error-code-in-nvme_rdma_setup_ctrl.patch new file mode 100644 index 00000000000..3159ee73b94 --- /dev/null +++ b/queue-4.19/nvme-rdma-fix-error-code-in-nvme_rdma_setup_ctrl.patch @@ -0,0 +1,43 @@ +From 5359e5e856720a3904c62ce5469690b8a0621a3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Oct 2021 11:58:16 +0300 +Subject: nvme-rdma: fix error code in nvme_rdma_setup_ctrl + +From: Max Gurtovoy + +[ Upstream commit 09748122009aed7bfaa7acc33c10c083a4758322 ] + +In case that icdoff is not zero or mandatory keyed sgls are not +supported by the NVMe/RDMA target, we'll go to error flow but we'll +return 0 to the caller. Fix it by returning an appropriate error code. + +Fixes: c66e2998c8ca ("nvme-rdma: centralize controller setup sequence") +Signed-off-by: Max Gurtovoy +Reviewed-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/rdma.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c +index ffd6a7204509a..1f41cf80f827c 100644 +--- a/drivers/nvme/host/rdma.c ++++ b/drivers/nvme/host/rdma.c +@@ -967,11 +967,13 @@ static int nvme_rdma_setup_ctrl(struct nvme_rdma_ctrl *ctrl, bool new) + return ret; + + if (ctrl->ctrl.icdoff) { ++ ret = -EOPNOTSUPP; + dev_err(ctrl->ctrl.device, "icdoff is not supported!\n"); + goto destroy_admin; + } + + if (!(ctrl->ctrl.sgls & (1 << 2))) { ++ ret = -EOPNOTSUPP; + dev_err(ctrl->ctrl.device, + "Mandatory keyed sgls are not supported!\n"); + goto destroy_admin; +-- +2.33.0 + diff --git a/queue-4.19/parisc-fix-warning-in-flush_tlb_all.patch b/queue-4.19/parisc-fix-warning-in-flush_tlb_all.patch new file mode 100644 index 00000000000..994db3cd512 --- /dev/null 
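Review bot: The added `how &= ~FLUSH_SYNC;` in the __nfs_commit_inode() hunk has no comment, and the commit message, which only describes the nfs_scan_commit_list() revert, does not mention it. `may_wait` is captured from `how` on the line above, so presumably the commits issued inside the `for (;;)` loop are meant to be asynchronous, with the synchronous wait done separately; that should be confirmed against the rest of the function, which lies outside the hunk. A one-line comment such as `/* may_wait keeps the sync request; the commits themselves are issued async */` would record the intent. In the first hunk, a locked request is now skipped with `continue`, so callers should not assume a scan drained the list.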
+++ b/queue-4.19/parisc-fix-warning-in-flush_tlb_all.patch 
@@ -0,0 +1,68 @@ +From f114f8c8c352b90ee521fe1958c520a42b50811a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Oct 2021 20:24:39 +0200 +Subject: parisc: fix warning in flush_tlb_all + +From: Sven Schnelle + +[ Upstream commit 1030d681319b43869e0d5b568b9d0226652d1a6f ] + +I've got the following splat after enabling preemption: + +[ 3.724721] BUG: using __this_cpu_add() in preemptible [00000000] code: swapper/0/1 +[ 3.734630] caller is __this_cpu_preempt_check+0x38/0x50 +[ 3.740635] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.15.0-rc4-64bit+ #324 +[ 3.744605] Hardware name: 9000/785/C8000 +[ 3.744605] Backtrace: +[ 3.744605] [<00000000401d9d58>] show_stack+0x74/0xb0 +[ 3.744605] [<0000000040c27bd4>] dump_stack_lvl+0x10c/0x188 +[ 3.744605] [<0000000040c27c84>] dump_stack+0x34/0x48 +[ 3.744605] [<0000000040c33438>] check_preemption_disabled+0x178/0x1b0 +[ 3.744605] [<0000000040c334f8>] __this_cpu_preempt_check+0x38/0x50 +[ 3.744605] [<00000000401d632c>] flush_tlb_all+0x58/0x2e0 +[ 3.744605] [<00000000401075c0>] 0x401075c0 +[ 3.744605] [<000000004010b8fc>] 0x4010b8fc +[ 3.744605] [<00000000401080fc>] 0x401080fc +[ 3.744605] [<00000000401d5224>] do_one_initcall+0x128/0x378 +[ 3.744605] [<0000000040102de8>] 0x40102de8 +[ 3.744605] [<0000000040c33864>] kernel_init+0x60/0x3a8 +[ 3.744605] [<00000000401d1020>] ret_from_kernel_thread+0x20/0x28 +[ 3.744605] + +Fix this by moving the __inc_irq_stat() into the locked section. 
+ +Signed-off-by: Sven Schnelle +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + arch/parisc/mm/init.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/parisc/mm/init.c b/arch/parisc/mm/init.c +index 10a52664e29f0..038fcb6c76dc1 100644 +--- a/arch/parisc/mm/init.c ++++ b/arch/parisc/mm/init.c +@@ -895,9 +895,9 @@ void flush_tlb_all(void) + { + int do_recycle; + +- __inc_irq_stat(irq_tlb_count); + do_recycle = 0; + spin_lock(&sid_lock); ++ __inc_irq_stat(irq_tlb_count); + if (dirty_space_ids > RECYCLE_THRESHOLD) { + BUG_ON(recycle_inuse); /* FIXME: Use a semaphore/wait queue here */ + get_dirty_sids(&recycle_ndirty,recycle_dirty_array); +@@ -916,8 +916,8 @@ void flush_tlb_all(void) + #else + void flush_tlb_all(void) + { +- __inc_irq_stat(irq_tlb_count); + spin_lock(&sid_lock); ++ __inc_irq_stat(irq_tlb_count); + flush_tlb_all_local(NULL); + recycle_sids(); + spin_unlock(&sid_lock); +-- +2.33.0 + diff --git a/queue-4.19/parisc-kgdb-add-kgdb_roundup-to-make-kgdb-work-with-.patch b/queue-4.19/parisc-kgdb-add-kgdb_roundup-to-make-kgdb-work-with-.patch new file mode 100644 index 00000000000..556bb99b321 --- /dev/null +++ b/queue-4.19/parisc-kgdb-add-kgdb_roundup-to-make-kgdb-work-with-.patch 
@@ -0,0 +1,78 @@ +From ecc1837652b0344ae9ee569421a11162638ff10e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Oct 2021 21:49:23 +0200 +Subject: parisc/kgdb: add kgdb_roundup() to make kgdb work with idle polling + +From: Sven Schnelle + +[ Upstream commit 66e29fcda1824f0427966fbee2bd2c85bf362c82 ] + +With idle polling, IPIs are not sent when a CPU idle, but queued +and run later from do_idle(). The default kgdb_call_nmi_hook() +implementation gets the pointer to struct pt_regs from get_irq_reqs(), +which doesn't work in that case because it was not called from the +IPI interrupt handler. Fix it by defining our own kgdb_roundup() +function which sents an IPI_ENTER_KGDB. When that IPI is received +on the target CPU kgdb_nmicallback() is called. + +Signed-off-by: Sven Schnelle +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + arch/parisc/kernel/smp.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/arch/parisc/kernel/smp.c b/arch/parisc/kernel/smp.c +index 5e26dbede5fc2..ae4fc8769c38b 100644 +--- a/arch/parisc/kernel/smp.c ++++ b/arch/parisc/kernel/smp.c +@@ -32,6 +32,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -74,7 +75,10 @@ enum ipi_message_type { + IPI_CALL_FUNC, + IPI_CPU_START, + IPI_CPU_STOP, +- IPI_CPU_TEST ++ IPI_CPU_TEST, ++#ifdef CONFIG_KGDB ++ IPI_ENTER_KGDB, ++#endif + }; + + +@@ -170,7 +174,12 @@ ipi_interrupt(int irq, void *dev_id) + case IPI_CPU_TEST: + smp_debug(100, KERN_DEBUG "CPU%d is alive!\n", this_cpu); + break; +- ++#ifdef CONFIG_KGDB ++ case IPI_ENTER_KGDB: ++ smp_debug(100, KERN_DEBUG "CPU%d ENTER_KGDB\n", this_cpu); ++ kgdb_nmicallback(raw_smp_processor_id(), get_irq_regs()); ++ break; ++#endif + default: + printk(KERN_CRIT "Unknown IPI num on CPU%d: %lu\n", + this_cpu, which); +@@ -226,6 +235,12 @@ send_IPI_allbutself(enum ipi_message_type op) + } + } + ++#ifdef CONFIG_KGDB ++void kgdb_roundup_cpus(void) ++{ ++ 
send_IPI_allbutself(IPI_ENTER_KGDB); ++} ++#endif + + inline void + smp_send_stop(void) { send_IPI_allbutself(IPI_CPU_STOP); } +-- +2.33.0 + diff --git a/queue-4.19/parisc-unwind-fix-unwinder-when-config_64bit-is-enab.patch b/queue-4.19/parisc-unwind-fix-unwinder-when-config_64bit-is-enab.patch new file mode 100644 index 00000000000..4611105939c --- /dev/null +++ b/queue-4.19/parisc-unwind-fix-unwinder-when-config_64bit-is-enab.patch 
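Review bot: `kgdb_roundup_cpus(void)` is defined in the last hunk with no prototype in view, so its signature has to match whatever the kgdb header declares in the tree this patch is queued for. Since this is a backport to the 4.19 queue, it is worth confirming that parisc offers kgdb support there and that the generic declaration takes no arguments; otherwise the `#ifdef CONFIG_KGDB` blocks are either dead code or fail to build with conflicting types. The new `case IPI_ENTER_KGDB:` also passes `get_irq_regs()` to `kgdb_nmicallback()` with no NULL check, which is only safe if the handler always runs with saved interrupt registers; the surrounding ipi_interrupt() body is outside the hunk.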
@@ -0,0 +1,101 @@ +From d0ce31a25468c40a5b5769810cf78ca94cdffcc9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Oct 2021 23:15:17 +0200 +Subject: parisc/unwind: fix unwinder when CONFIG_64BIT is enabled + +From: Sven Schnelle + +[ Upstream commit 8e0ba125c2bf1030af3267058019ba86da96863f ] + +With 64 bit kernels unwind_special() is not working because +it compares the pc to the address of the function descriptor. +Add a helper function that compares pc with the dereferenced +address. This fixes all of the backtraces on my c8000. Without +this changes, a lot of backtraces are missing in kdb or the +show-all-tasks command from /proc/sysrq-trigger. + +Signed-off-by: Sven Schnelle +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + arch/parisc/kernel/unwind.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +diff --git a/arch/parisc/kernel/unwind.c b/arch/parisc/kernel/unwind.c +index 2d14f17838d23..fa52c939e8a3b 100644 +--- a/arch/parisc/kernel/unwind.c ++++ b/arch/parisc/kernel/unwind.c +@@ -21,6 +21,8 @@ + #include + + #include ++#include ++#include + + /* #define DEBUG 1 */ + #ifdef DEBUG +@@ -203,6 +205,11 @@ int __init unwind_init(void) + return 0; + } + ++static bool pc_is_kernel_fn(unsigned long pc, void *fn) ++{ ++ return (unsigned long)dereference_kernel_function_descriptor(fn) == pc; ++} ++ + static int unwind_special(struct unwind_frame_info *info, unsigned long pc, int frame_size) + { + /* +@@ -221,7 +228,7 @@ static int unwind_special(struct unwind_frame_info *info, unsigned long pc, int + extern void * const _call_on_stack; + #endif /* CONFIG_IRQSTACKS */ + +- if (pc == (unsigned long) &handle_interruption) { ++ if (pc_is_kernel_fn(pc, handle_interruption)) { + struct pt_regs *regs = (struct pt_regs *)(info->sp - frame_size - PT_SZ_ALGN); + dbg("Unwinding through handle_interruption()\n"); + info->prev_sp = regs->gr[30]; +@@ -229,13 +236,13 @@ static int unwind_special(struct unwind_frame_info *info, 
unsigned long pc, int + return 1; + } + +- if (pc == (unsigned long) &ret_from_kernel_thread || +- pc == (unsigned long) &syscall_exit) { ++ if (pc_is_kernel_fn(pc, ret_from_kernel_thread) || ++ pc_is_kernel_fn(pc, syscall_exit)) { + info->prev_sp = info->prev_ip = 0; + return 1; + } + +- if (pc == (unsigned long) &intr_return) { ++ if (pc_is_kernel_fn(pc, intr_return)) { + struct pt_regs *regs; + + dbg("Found intr_return()\n"); +@@ -246,20 +253,20 @@ static int unwind_special(struct unwind_frame_info *info, unsigned long pc, int + return 1; + } + +- if (pc == (unsigned long) &_switch_to_ret) { ++ if (pc_is_kernel_fn(pc, _switch_to) || ++ pc_is_kernel_fn(pc, _switch_to_ret)) { + info->prev_sp = info->sp - CALLEE_SAVE_FRAME_SIZE; + info->prev_ip = *(unsigned long *)(info->prev_sp - RP_OFFSET); + return 1; + } + + #ifdef CONFIG_IRQSTACKS +- if (pc == (unsigned long) &_call_on_stack) { ++ if (pc_is_kernel_fn(pc, _call_on_stack)) { + info->prev_sp = *(unsigned long *)(info->sp - FRAME_SIZE - REG_SZ); + info->prev_ip = *(unsigned long *)(info->sp - FRAME_SIZE - RP_OFFSET); + return 1; + } + #endif +- + return 0; + } + +-- +2.33.0 + diff --git a/queue-4.19/pci-aardvark-don-t-spam-about-pio-response-status.patch b/queue-4.19/pci-aardvark-don-t-spam-about-pio-response-status.patch new file mode 100644 index 00000000000..9bd57126870 --- /dev/null +++ b/queue-4.19/pci-aardvark-don-t-spam-about-pio-response-status.patch 
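Review bot: In the `_call_on_stack` branch the argument changes from the symbol's address to its value, which is not the same comparison. The hunk context declares `extern void * const _call_on_stack;`, so `pc_is_kernel_fn(pc, _call_on_stack)` passes the word stored at that label, whereas the removed line compared `pc` with `&_call_on_stack`. The same concern applies to `ret_from_kernel_thread`, `syscall_exit`, `intr_return` and `_switch_to_ret` if they are declared the same way; their declarations are outside the hunks. For symbols declared as data objects I would keep the old form, e.g. `if (pc == (unsigned long) &_call_on_stack) {`, and use the helper only for symbols declared as C functions.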
@@ -0,0 +1,42 @@
+From 095cf12f8e8d36e6f953658b5f714c33e818585e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 5 Oct 2021 20:09:42 +0200
+Subject: PCI: aardvark: Don't spam about PIO Response Status
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Behún
+
+[ Upstream commit 464de7e7fff767e87429cd7be09c4f2cb50a6ccb ]
+
+Use dev_dbg() instead of dev_err() in advk_pcie_check_pio_status().
+
+For example CRS is not an error status, it just says that the request
+should be retried.
+
+Link: https://lore.kernel.org/r/20211005180952.6812-4-kabel@kernel.org
+Fixes: 8c39d710363c1 ("PCI: aardvark: Add Aardvark PCI host controller driver")
+Signed-off-by: Marek Behún
+Signed-off-by: Lorenzo Pieralisi
+Signed-off-by: Sasha Levin
+---
+ drivers/pci/controller/pci-aardvark.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/controller/pci-aardvark.c b/drivers/pci/controller/pci-aardvark.c
+index e5ac846e2a20f..98fb3c1f45e4d 100644
+--- a/drivers/pci/controller/pci-aardvark.c
++++ b/drivers/pci/controller/pci-aardvark.c
+@@ -404,7 +404,7 @@ static int advk_pcie_check_pio_status(struct advk_pcie *pcie, u32 *val)
+ else
+ str_posted = "Posted";
+
+- dev_err(dev, "%s PIO Response Status: %s, %#x @ %#x\n",
++ dev_dbg(dev, "%s PIO Response Status: %s, %#x @ %#x\n",
+ str_posted, strcomp_status, reg, advk_readl(pcie, PIO_ADDR_LS));
+
+ return -EFAULT;
+--
+2.33.0
+
diff --git a/queue-4.19/phy-micrel-ksz8041nl-do-not-use-power-down-mode.patch b/queue-4.19/phy-micrel-ksz8041nl-do-not-use-power-down-mode.patch
new file mode 100644
index 00000000000..ce77652e7c0
--- /dev/null
+++ b/queue-4.19/phy-micrel-ksz8041nl-do-not-use-power-down-mode.patch
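Review bot: The switch to `dev_dbg()` silences every PIO completion status that reaches this line, not only the CRS case the commit message gives as motivation. The function still returns `-EFAULT` on the following line, so a genuine completion failure now leaves no trace at default log levels, which makes misbehaving or hostile endpoints harder to spot in logs. If the status decoding above the hunk (not visible here) can tell the retry status apart, only that case should be demoted. Otherwise `dev_err_ratelimited(dev, "%s PIO Response Status: %s, %#x @ %#x\n",` would stop the spam while keeping the signal.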
@@ -0,0 +1,57 @@ +From 3f4bb6a0a064e7a28e181e0609b6ba48307e21e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Oct 2021 21:16:47 +0200 +Subject: phy: micrel: ksz8041nl: do not use power down mode + +From: Stefan Agner + +[ Upstream commit 2641b62d2fab52648e34cdc6994b2eacde2d27c1 ] + +Some Micrel KSZ8041NL PHY chips exhibit continuous RX errors after using +the power down mode bit (0.11). If the PHY is taken out of power down +mode in a certain temperature range, the PHY enters a weird state which +leads to continuously reporting RX errors. In that state, the MAC is not +able to receive or send any Ethernet frames and the activity LED is +constantly blinking. Since Linux is using the suspend callback when the +interface is taken down, ending up in that state can easily happen +during a normal startup. + +Micrel confirmed the issue in errata DS80000700A [*], caused by abnormal +clock recovery when using power down mode. Even the latest revision (A4, +Revision ID 0x1513) seems to suffer that problem, and according to the +errata is not going to be fixed. + +Remove the suspend/resume callback to avoid using the power down mode +completely. + +[*] https://ww1.microchip.com/downloads/en/DeviceDoc/80000700A.pdf + +Fixes: 1a5465f5d6a2 ("phy/micrel: Add suspend/resume support to Micrel PHYs") +Signed-off-by: Stefan Agner +Acked-by: Marcel Ziswiler +Signed-off-by: Francesco Dolcini +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/micrel.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c +index 55caaaf969da5..0135903300595 100644 +--- a/drivers/net/phy/micrel.c ++++ b/drivers/net/phy/micrel.c +@@ -880,8 +880,9 @@ static struct phy_driver ksphy_driver[] = { + .get_sset_count = kszphy_get_sset_count, + .get_strings = kszphy_get_strings, + .get_stats = kszphy_get_stats, +- .suspend = genphy_suspend, +- .resume = genphy_resume, ++ /* No suspend/resume callbacks because of errata DS80000700A, ++ * receiver error following software power down. ++ */ + }, { + .phy_id = PHY_ID_KSZ8041RNLI, + .phy_id_mask = MICREL_PHY_ID_MASK, +-- +2.33.0 + diff --git a/queue-4.19/phy-qcom-qusb2-fix-a-memory-leak-on-probe.patch b/queue-4.19/phy-qcom-qusb2-fix-a-memory-leak-on-probe.patch new file mode 100644 index 00000000000..c6edd26406b --- /dev/null +++ b/queue-4.19/phy-qcom-qusb2-fix-a-memory-leak-on-probe.patch 
@@ -0,0 +1,94 @@ +From 945bba426b6bb581ef76ecd777bf4d99af33e5c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Sep 2021 02:35:48 +0300 +Subject: phy: qcom-qusb2: Fix a memory leak on probe + +From: Vladimir Zapolskiy + +[ Upstream commit bf7ffcd0069d30e2e7ba2b827f08c89f471cd1f3 ] + +On success nvmem_cell_read() returns a pointer to a dynamically allocated +buffer, and therefore it shall be freed after usage. + +The issue is reported by kmemleak: + + # cat /sys/kernel/debug/kmemleak + unreferenced object 0xffff3b3803e4b280 (size 128): + comm "kworker/u16:1", pid 107, jiffies 4294892861 (age 94.120s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<000000007739afdc>] __kmalloc+0x27c/0x41c + [<0000000071c0fbf8>] nvmem_cell_read+0x40/0xe0 + [<00000000e803ef1f>] qusb2_phy_init+0x258/0x5bc + [<00000000fc81fcfa>] phy_init+0x70/0x110 + [<00000000e3d48a57>] dwc3_core_soft_reset+0x4c/0x234 + [<0000000027d1dbd4>] dwc3_core_init+0x68/0x990 + [<000000001965faf9>] dwc3_probe+0x4f4/0x730 + [<000000002f7617ca>] platform_probe+0x74/0xf0 + [<00000000a2576cac>] really_probe+0xc4/0x470 + [<00000000bc77f2c5>] __driver_probe_device+0x11c/0x190 + [<00000000130db71f>] driver_probe_device+0x48/0x110 + [<0000000019f36c2b>] __device_attach_driver+0xa4/0x140 + [<00000000e5812ff7>] bus_for_each_drv+0x84/0xe0 + [<00000000f4bac574>] __device_attach+0xe4/0x1c0 + [<00000000d3beb631>] device_initial_probe+0x20/0x30 + [<000000008019b9db>] bus_probe_device+0xa4/0xb0 + +Fixes: ca04d9d3e1b1 ("phy: qcom-qusb2: New driver for QUSB2 PHY on Qcom chips") +Signed-off-by: Vladimir Zapolskiy +Reviewed-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20210922233548.2150244-1-vladimir.zapolskiy@linaro.org +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/qualcomm/phy-qcom-qusb2.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 
deletions(-) + +diff --git a/drivers/phy/qualcomm/phy-qcom-qusb2.c b/drivers/phy/qualcomm/phy-qcom-qusb2.c +index 9b7ae93e9df1e..901f525c86e2b 100644 +--- a/drivers/phy/qualcomm/phy-qcom-qusb2.c ++++ b/drivers/phy/qualcomm/phy-qcom-qusb2.c +@@ -395,7 +395,7 @@ static void qusb2_phy_set_tune2_param(struct qusb2_phy *qphy) + { + struct device *dev = &qphy->phy->dev; + const struct qusb2_phy_cfg *cfg = qphy->cfg; +- u8 *val; ++ u8 *val, hstx_trim; + + /* efuse register is optional */ + if (!qphy->cell) +@@ -409,7 +409,13 @@ static void qusb2_phy_set_tune2_param(struct qusb2_phy *qphy) + * set while configuring the phy. + */ + val = nvmem_cell_read(qphy->cell, NULL); +- if (IS_ERR(val) || !val[0]) { ++ if (IS_ERR(val)) { ++ dev_dbg(dev, "failed to read a valid hs-tx trim value\n"); ++ return; ++ } ++ hstx_trim = val[0]; ++ kfree(val); ++ if (!hstx_trim) { + dev_dbg(dev, "failed to read a valid hs-tx trim value\n"); + return; + } +@@ -417,12 +423,10 @@ static void qusb2_phy_set_tune2_param(struct qusb2_phy *qphy) + /* Fused TUNE1/2 value is the higher nibble only */ + if (cfg->update_tune1_with_efuse) + qusb2_write_mask(qphy->base, cfg->regs[QUSB2PHY_PORT_TUNE1], +- val[0] << HSTX_TRIM_SHIFT, +- HSTX_TRIM_MASK); ++ hstx_trim << HSTX_TRIM_SHIFT, HSTX_TRIM_MASK); + else + qusb2_write_mask(qphy->base, cfg->regs[QUSB2PHY_PORT_TUNE2], +- val[0] << HSTX_TRIM_SHIFT, +- HSTX_TRIM_MASK); ++ hstx_trim << HSTX_TRIM_SHIFT, HSTX_TRIM_MASK); + } + + static int qusb2_phy_set_mode(struct phy *phy, enum phy_mode mode) +-- +2.33.0 + diff --git a/queue-4.19/platform-x86-thinkpad_acpi-fix-bitwise-vs.-logical-w.patch b/queue-4.19/platform-x86-thinkpad_acpi-fix-bitwise-vs.-logical-w.patch new file mode 100644 index 00000000000..979e8c86343 --- /dev/null +++ b/queue-4.19/platform-x86-thinkpad_acpi-fix-bitwise-vs.-logical-w.patch 
@@ -0,0 +1,50 @@ +From 950301c0dfb675c02169b9d9b1e5fb0c6c149a2c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Oct 2021 11:25:37 -0700 +Subject: platform/x86: thinkpad_acpi: Fix bitwise vs. logical warning + +From: Nathan Chancellor + +[ Upstream commit fd96e35ea7b95f1e216277805be89d66e4ae962d ] + +A new warning in clang points out a use of bitwise OR with boolean +expressions in this driver: + +drivers/platform/x86/thinkpad_acpi.c:9061:11: error: use of bitwise '|' with boolean operands [-Werror,-Wbitwise-instead-of-logical] + else if ((strlencmp(cmd, "level disengaged") == 0) | + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + || +drivers/platform/x86/thinkpad_acpi.c:9061:11: note: cast one or both operands to int to silence this warning +1 error generated. + +This should clearly be a logical OR so change it to fix the warning. + +Fixes: fe98a52ce754 ("ACPI: thinkpad-acpi: add sysfs support to fan subdriver") +Link: https://github.com/ClangBuiltLinux/linux/issues/1476 +Reported-by: Tor Vic +Signed-off-by: Nathan Chancellor +Reviewed-by: Nick Desaulniers +Link: https://lore.kernel.org/r/20211018182537.2316800-1-nathan@kernel.org +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/thinkpad_acpi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c +index 35c7d3185fea3..fa8bcbe3d2762 100644 +--- a/drivers/platform/x86/thinkpad_acpi.c ++++ b/drivers/platform/x86/thinkpad_acpi.c +@@ -9124,7 +9124,7 @@ static int fan_write_cmd_level(const char *cmd, int *rc) + + if (strlencmp(cmd, "level auto") == 0) + level = TP_EC_FAN_AUTO; +- else if ((strlencmp(cmd, "level disengaged") == 0) | ++ else if ((strlencmp(cmd, "level disengaged") == 0) || + (strlencmp(cmd, "level full-speed") == 0)) + level = TP_EC_FAN_FULLSPEED; + else if (sscanf(cmd, "level %d", &level) != 1) +-- +2.33.0 + 
diff --git a/queue-4.19/platform-x86-wmi-do-not-fail-if-disabling-fails.patch b/queue-4.19/platform-x86-wmi-do-not-fail-if-disabling-fails.patch new file mode 100644 index 00000000000..694ee7b0ee4 --- /dev/null +++ b/queue-4.19/platform-x86-wmi-do-not-fail-if-disabling-fails.patch 
@@ -0,0 +1,52 @@ +From dccfffa498dfc31f5983eaa4a9deec0bf122a3a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Sep 2021 17:56:26 +0000 +Subject: platform/x86: wmi: do not fail if disabling fails +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Barnabás Pőcze + +[ Upstream commit 1975718c488a39128f1f515b23ae61a5a214cc3d ] + +Previously, `__query_block()` would fail if the +second WCxx method call failed. However, the +WQxx method might have succeeded, and potentially +allocated memory for the result. Instead of +throwing away the result and potentially +leaking memory, ignore the result of +the second WCxx call. + +Signed-off-by: Barnabás Pőcze +Link: https://lore.kernel.org/r/20210904175450.156801-25-pobrn@protonmail.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/wmi.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c +index 35cdc3998eb59..387358af685c5 100644 +--- a/drivers/platform/x86/wmi.c ++++ b/drivers/platform/x86/wmi.c +@@ -350,7 +350,14 @@ static acpi_status __query_block(struct wmi_block *wblock, u8 instance, + * the WQxx method failed - we should disable collection anyway. + */ + if ((block->flags & ACPI_WMI_EXPENSIVE) && ACPI_SUCCESS(wc_status)) { +- status = acpi_execute_simple_method(handle, wc_method, 0); ++ /* ++ * Ignore whether this WCxx call succeeds or not since ++ * the previously executed WQxx method call might have ++ * succeeded, and returning the failing status code ++ * of this call would throw away the result of the WQxx ++ * call, potentially leaking memory. ++ */ ++ acpi_execute_simple_method(handle, wc_method, 0); + } + + return status; +-- +2.33.0 + diff --git a/queue-4.19/pm-hibernate-fix-sparse-warnings.patch b/queue-4.19/pm-hibernate-fix-sparse-warnings.patch new file mode 100644 index 00000000000..693a55f346d 
--- /dev/null +++ b/queue-4.19/pm-hibernate-fix-sparse-warnings.patch @@ -0,0 +1,52 @@ +From 00dad3506dcec0d63a599e9b92a6de6488c6ef5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Oct 2021 21:13:37 +0200 +Subject: PM: hibernate: fix sparse warnings + +From: Anders Roxell + +[ Upstream commit 01de5fcd8b1ac0ca28d2bb0921226a54fdd62684 ] + +When building the kernel with sparse enabled 'C=1' the following +warnings shows up: + +kernel/power/swap.c:390:29: warning: incorrect type in assignment (different base types) +kernel/power/swap.c:390:29: expected int ret +kernel/power/swap.c:390:29: got restricted blk_status_t + +This is due to function hib_wait_io() returns a 'blk_status_t' which is +a bitwise u8. Commit 5416da01ff6e ("PM: hibernate: Remove +blk_status_to_errno in hib_wait_io") seemed to have mixed up the return +type. However, the 4e4cbee93d56 ("block: switch bios to blk_status_t") +actually broke the behaviour by returning the wrong type. + +Rework so function hib_wait_io() returns a 'int' instead of +'blk_status_t' and make sure to call function +blk_status_to_errno(hb->error)' when returning from function +hib_wait_io() a int gets returned. + +Fixes: 4e4cbee93d56 ("block: switch bios to blk_status_t") +Fixes: 5416da01ff6e ("PM: hibernate: Remove blk_status_to_errno in hib_wait_io") +Signed-off-by: Anders Roxell +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + kernel/power/swap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/power/swap.c b/kernel/power/swap.c +index b5b97df142d26..9db7f2f93fae3 100644 +--- a/kernel/power/swap.c ++++ b/kernel/power/swap.c +@@ -294,7 +294,7 @@ static int hib_submit_io(int op, int op_flags, pgoff_t page_off, void *addr, + return error; + } + +-static blk_status_t hib_wait_io(struct hib_bio_batch *hb) ++static int hib_wait_io(struct hib_bio_batch *hb) + { + wait_event(hb->wait, atomic_read(&hb->count) == 0); + return blk_status_to_errno(hb->error); +-- +2.33.0 + 
diff --git a/queue-4.19/pm-hibernate-get-block-device-exclusively-in-swsusp_.patch b/queue-4.19/pm-hibernate-get-block-device-exclusively-in-swsusp_.patch new file mode 100644 index 00000000000..72b2fe3a7ac --- /dev/null +++ b/queue-4.19/pm-hibernate-get-block-device-exclusively-in-swsusp_.patch 
@@ -0,0 +1,100 @@ +From a7a61b0c9ab3d2a26d45396166826f272d3fd4d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Oct 2021 20:19:14 +0800 +Subject: PM: hibernate: Get block device exclusively in swsusp_check() + +From: Ye Bin + +[ Upstream commit 39fbef4b0f77f9c89c8f014749ca533643a37c9f ] + +The following kernel crash can be triggered: + +[ 89.266592] ------------[ cut here ]------------ +[ 89.267427] kernel BUG at fs/buffer.c:3020! +[ 89.268264] invalid opcode: 0000 [#1] SMP KASAN PTI +[ 89.269116] CPU: 7 PID: 1750 Comm: kmmpd-loop0 Not tainted 5.10.0-862.14.0.6.x86_64-08610-gc932cda3cef4-dirty #20 +[ 89.273169] RIP: 0010:submit_bh_wbc.isra.0+0x538/0x6d0 +[ 89.277157] RSP: 0018:ffff888105ddfd08 EFLAGS: 00010246 +[ 89.278093] RAX: 0000000000000005 RBX: ffff888124231498 RCX: ffffffffb2772612 +[ 89.279332] RDX: 1ffff11024846293 RSI: 0000000000000008 RDI: ffff888124231498 +[ 89.280591] RBP: ffff8881248cc000 R08: 0000000000000001 R09: ffffed1024846294 +[ 89.281851] R10: ffff88812423149f R11: ffffed1024846293 R12: 0000000000003800 +[ 89.283095] R13: 0000000000000001 R14: 0000000000000000 R15: ffff8881161f7000 +[ 89.284342] FS: 0000000000000000(0000) GS:ffff88839b5c0000(0000) knlGS:0000000000000000 +[ 89.285711] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 89.286701] CR2: 00007f166ebc01a0 CR3: 0000000435c0e000 CR4: 00000000000006e0 +[ 89.287919] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 89.289138] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 89.290368] Call Trace: +[ 89.290842] write_mmp_block+0x2ca/0x510 +[ 89.292218] kmmpd+0x433/0x9a0 +[ 89.294902] kthread+0x2dd/0x3e0 +[ 89.296268] ret_from_fork+0x22/0x30 +[ 89.296906] Modules linked in: + +by running the following commands: + + 1. mkfs.ext4 -O mmp /dev/sda -b 1024 + 2. mount /dev/sda /home/test + 3. 
echo "/dev/sda" > /sys/power/resume + +That happens because swsusp_check() calls set_blocksize() on the +target partition which confuses the file system: + + Thread1 Thread2 +mount /dev/sda /home/test +get s_mmp_bh --> has mapped flag +start kmmpd thread + echo "/dev/sda" > /sys/power/resume + resume_store + software_resume + swsusp_check + set_blocksize + truncate_inode_pages_range + truncate_cleanup_page + block_invalidatepage + discard_buffer --> clean mapped flag +write_mmp_block + submit_bh + submit_bh_wbc + BUG_ON(!buffer_mapped(bh)) + +To address this issue, modify swsusp_check() to open the target block +device with exclusive access. + +Signed-off-by: Ye Bin +[ rjw: Subject and changelog edits ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + kernel/power/swap.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/kernel/power/swap.c b/kernel/power/swap.c +index e9494c29f1ca4..b5b97df142d26 100644 +--- a/kernel/power/swap.c ++++ b/kernel/power/swap.c +@@ -1512,9 +1512,10 @@ end: + int swsusp_check(void) + { + int error; ++ void *holder; + + hib_resume_bdev = blkdev_get_by_dev(swsusp_resume_device, +- FMODE_READ, NULL); ++ FMODE_READ | FMODE_EXCL, &holder); + if (!IS_ERR(hib_resume_bdev)) { + set_blocksize(hib_resume_bdev, PAGE_SIZE); + clear_page(swsusp_header); +@@ -1536,7 +1537,7 @@ int swsusp_check(void) + + put: + if (error) +- blkdev_put(hib_resume_bdev, FMODE_READ); ++ blkdev_put(hib_resume_bdev, FMODE_READ | FMODE_EXCL); + else + pr_debug("Image signature found, resuming\n"); + } else { +-- +2.33.0 + diff --git a/queue-4.19/pnfs-flexfiles-fix-misplaced-barrier-in-nfs4_ff_layo.patch b/queue-4.19/pnfs-flexfiles-fix-misplaced-barrier-in-nfs4_ff_layo.patch new file mode 100644 index 00000000000..37df1fffaf2 --- /dev/null +++ b/queue-4.19/pnfs-flexfiles-fix-misplaced-barrier-in-nfs4_ff_layo.patch 
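Review bot: The exclusive claim taken by `blkdev_get_by_dev(swsusp_resume_device, FMODE_READ | FMODE_EXCL, &holder)` is released with a matching mode only on the `put:` error path in this hunk. When an image signature is found, hib_resume_bdev stays open and is closed elsewhere (presumably swsusp_close(), outside the hunk). That later put needs `FMODE_EXCL` in its mode as well, otherwise the holder claim is not dropped. The holder token is also the address of a stack variable that goes out of scope while the device remains claimed; a file-scope token such as `static void *swsusp_holder;` would keep the claim's identity valid for as long as hib_resume_bdev is open. swsusp_check() continues outside the hunk.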
@@ -0,0 +1,74 @@ +From 0784a7100e987f351a70207bf48f1ae252b05c34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Sep 2021 11:59:24 +1000 +Subject: pnfs/flexfiles: Fix misplaced barrier in nfs4_ff_layout_prepare_ds + +From: Baptiste Lepers + +[ Upstream commit a2915fa06227b056a8f9b0d79b61dca08ad5cfc6 ] + +_nfs4_pnfs_v3/v4_ds_connect do + some work + smp_wmb + ds->ds_clp = clp; + +And nfs4_ff_layout_prepare_ds currently does + smp_rmb + if(ds->ds_clp) + ... + +This patch places the smp_rmb after the if. This ensures that following +reads only happen once nfs4_ff_layout_prepare_ds has checked that data +has been properly initialized. + +Fixes: d67ae825a59d6 ("pnfs/flexfiles: Add the FlexFile Layout Driver") +Signed-off-by: Baptiste Lepers +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/flexfilelayout/flexfilelayoutdev.c | 4 ++-- + fs/nfs/pnfs_nfs.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/fs/nfs/flexfilelayout/flexfilelayoutdev.c b/fs/nfs/flexfilelayout/flexfilelayoutdev.c +index 8da239b6cc16f..f1f0519f1ecef 100644 +--- a/fs/nfs/flexfilelayout/flexfilelayoutdev.c ++++ b/fs/nfs/flexfilelayout/flexfilelayoutdev.c +@@ -429,10 +429,10 @@ nfs4_ff_layout_prepare_ds(struct pnfs_layout_segment *lseg, u32 ds_idx, + goto out_fail; + + ds = mirror->mirror_ds->ds; ++ if (READ_ONCE(ds->ds_clp)) ++ goto out; + /* matching smp_wmb() in _nfs4_pnfs_v3/4_ds_connect */ + smp_rmb(); +- if (ds->ds_clp) +- goto out; + + /* FIXME: For now we assume the server sent only one version of NFS + * to use for the DS. 
+diff --git a/fs/nfs/pnfs_nfs.c b/fs/nfs/pnfs_nfs.c +index 3f0c2436254ac..bd6190d794c49 100644 +--- a/fs/nfs/pnfs_nfs.c ++++ b/fs/nfs/pnfs_nfs.c +@@ -635,7 +635,7 @@ static int _nfs4_pnfs_v3_ds_connect(struct nfs_server *mds_srv, + } + + smp_wmb(); +- ds->ds_clp = clp; ++ WRITE_ONCE(ds->ds_clp, clp); + dprintk("%s [new] addr: %s\n", __func__, ds->ds_remotestr); + out: + return status; +@@ -708,7 +708,7 @@ static int _nfs4_pnfs_v4_ds_connect(struct nfs_server *mds_srv, + } + + smp_wmb(); +- ds->ds_clp = clp; ++ WRITE_ONCE(ds->ds_clp, clp); + dprintk("%s [new] addr: %s\n", __func__, ds->ds_remotestr); + out: + return status; +-- +2.33.0 + diff --git a/queue-4.19/power-supply-bq27xxx-fix-kernel-crash-on-irq-handler.patch b/queue-4.19/power-supply-bq27xxx-fix-kernel-crash-on-irq-handler.patch new file mode 100644 index 00000000000..f5c342fad43 --- /dev/null +++ b/queue-4.19/power-supply-bq27xxx-fix-kernel-crash-on-irq-handler.patch 
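Review bot: In nfs4_ff_layout_prepare_ds() the reader that sees a non-NULL `ds->ds_clp` takes `goto out` before reaching `smp_rmb()`, so the barrier now runs only on the path where the pointer was still NULL. That is the opposite of what the changelog describes: loads that follow a successful check are not ordered after it, and can in principle see stale values for the state published before the `smp_wmb()` in _nfs4_pnfs_v3/v4_ds_connect. An acquire/release pair expresses the intent directly: `if (smp_load_acquire(&ds->ds_clp)) goto out;` here and `smp_store_release(&ds->ds_clp, clp);` in place of `smp_wmb(); WRITE_ONCE(ds->ds_clp, clp);` in both connect functions. What is read after the `out:` label is outside the hunk, so the practical impact should be confirmed there.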
@@ -0,0 +1,45 @@ +From 98b084052de50b9d671273735dc9fb5fe2c89875 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Oct 2021 16:25:22 +0100 +Subject: power: supply: bq27xxx: Fix kernel crash on IRQ handler register + error + +From: Hans de Goede + +[ Upstream commit cdf10ffe8f626d8a2edc354abf063df0078b2d71 ] + +When registering the IRQ handler fails, do not just return the error code, +this will free the devm_kzalloc()-ed data struct while leaving the queued +work queued and the registered power_supply registered with both of them +now pointing to free-ed memory, resulting in various kernel crashes +soon afterwards. + +Instead properly tear-down things on IRQ handler register errors. + +Fixes: 703df6c09795 ("power: bq27xxx_battery: Reorganize I2C into a module") +Cc: Andrew F. Davis +Signed-off-by: Hans de Goede +Reviewed-by: Andy Shevchenko +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/bq27xxx_battery_i2c.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/power/supply/bq27xxx_battery_i2c.c b/drivers/power/supply/bq27xxx_battery_i2c.c +index 40069128ad44f..06dd5077104cc 100644 +--- a/drivers/power/supply/bq27xxx_battery_i2c.c ++++ b/drivers/power/supply/bq27xxx_battery_i2c.c +@@ -195,7 +195,8 @@ static int bq27xxx_battery_i2c_probe(struct i2c_client *client, + dev_err(&client->dev, + "Unable to register IRQ %d error %d\n", + client->irq, ret); +- return ret; ++ bq27xxx_battery_teardown(di); ++ goto err_failed; + } + } + +-- +2.33.0 + diff --git a/queue-4.19/power-supply-rt5033_battery-change-voltage-values-to.patch b/queue-4.19/power-supply-rt5033_battery-change-voltage-values-to.patch new file mode 100644 index 00000000000..cf47ebb27a5 --- /dev/null +++ b/queue-4.19/power-supply-rt5033_battery-change-voltage-values-to.patch 
@@ -0,0 +1,42 @@ +From 0b5ad94f51a82b87b9c46b6087a4a58dcdd14c2c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Oct 2021 10:32:45 +0200 +Subject: =?UTF-8?q?power:=20supply:=20rt5033=5Fbattery:=20Change=20voltage?= + =?UTF-8?q?=20values=20to=20=C2=B5V?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jakob Hauser + +[ Upstream commit bf895295e9a73411889816f1a0c1f4f1a2d9c678 ] + +Currently the rt5033_battery driver provides voltage values in mV. It +should be µV as stated in Documentation/power/power_supply_class.rst. + +Fixes: b847dd96e659 ("power: rt5033_battery: Add RT5033 Fuel gauge device driver") +Cc: Beomho Seo +Cc: Chanwoo Choi +Signed-off-by: Jakob Hauser +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/rt5033_battery.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/power/supply/rt5033_battery.c b/drivers/power/supply/rt5033_battery.c +index 9310b85f3405e..7eec7014086d8 100644 +--- a/drivers/power/supply/rt5033_battery.c ++++ b/drivers/power/supply/rt5033_battery.c +@@ -63,7 +63,7 @@ static int rt5033_battery_get_watt_prop(struct i2c_client *client, + regmap_read(battery->regmap, regh, &msb); + regmap_read(battery->regmap, regl, &lsb); + +- ret = ((msb << 4) + (lsb >> 4)) * 1250 / 1000; ++ ret = ((msb << 4) + (lsb >> 4)) * 1250; + + return ret; + } +-- +2.33.0 + diff --git a/queue-4.19/rdma-bnxt_re-fix-query-srq-failure.patch b/queue-4.19/rdma-bnxt_re-fix-query-srq-failure.patch new file mode 100644 index 00000000000..001792046a1 --- /dev/null +++ b/queue-4.19/rdma-bnxt_re-fix-query-srq-failure.patch 
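Review bot: rt5033_battery_get_watt_prop() computes `ret` from `msb` and `lsb` although both `regmap_read()` return values directly above are discarded, so a failed register read is returned to the caller as if it were a measurement. With the `/ 1000` removed, any such bogus value is now a thousand times larger than before. Checking each read and propagating its error, e.g. `ret = regmap_read(battery->regmap, regh, &msb); if (ret) return ret;`, keeps a bus fault from being published as a voltage. Whether `msb` and `lsb` are initialized is decided above the hunk, where the function starts.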
@@ -0,0 +1,43 @@ +From 5a174b11572cd9922f2deea420591387cf486971 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Sep 2021 05:32:38 -0700 +Subject: RDMA/bnxt_re: Fix query SRQ failure + +From: Selvin Xavier + +[ Upstream commit 598d16fa1bf93431ad35bbab3ed1affe4fb7b562 ] + +Fill the missing parameters for the FW command while querying SRQ. + +Fixes: 37cb11acf1f7 ("RDMA/bnxt_re: Add SRQ support for Broadcom adapters") +Link: https://lore.kernel.org/r/1631709163-2287-8-git-send-email-selvin.xavier@broadcom.com +Signed-off-by: Selvin Xavier +Reviewed-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_fp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c +index 60f2fb7e7dbfe..d52ae7259e62d 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c +@@ -637,12 +637,13 @@ int bnxt_qplib_query_srq(struct bnxt_qplib_res *res, + int rc = 0; + + RCFW_CMD_PREP(req, QUERY_SRQ, cmd_flags); +- req.srq_cid = cpu_to_le32(srq->id); + + /* Configure the request */ + sbuf = bnxt_qplib_rcfw_alloc_sbuf(rcfw, sizeof(*sb)); + if (!sbuf) + return -ENOMEM; ++ req.resp_size = sizeof(*sb) / BNXT_QPLIB_CMDQE_UNITS; ++ req.srq_cid = cpu_to_le32(srq->id); + sb = sbuf->sb; + rc = bnxt_qplib_rcfw_send_message(rcfw, (void *)&req, (void *)&resp, + (void *)sbuf, 0); +-- +2.33.0 + diff --git a/queue-4.19/rdma-mlx4-return-missed-an-error-if-device-doesn-t-s.patch b/queue-4.19/rdma-mlx4-return-missed-an-error-if-device-doesn-t-s.patch new file mode 100644 index 00000000000..38deb1a66ba --- /dev/null +++ b/queue-4.19/rdma-mlx4-return-missed-an-error-if-device-doesn-t-s.patch 
@@ -0,0 +1,42 @@ +From 9cff305fcff4b0702e96db8d08955d46ec04a3b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Oct 2021 10:28:43 +0300 +Subject: RDMA/mlx4: Return missed an error if device doesn't support steering + +From: Leon Romanovsky + +[ Upstream commit f4e56ec4452f48b8292dcf0e1c4bdac83506fb8b ] + +The error flow fixed in this patch is not possible because all kernel +users of create QP interface check that device supports steering before +set IB_QP_CREATE_NETIF_QP flag. + +Fixes: c1c98501121e ("IB/mlx4: Add support for steerable IB UD QPs") +Link: https://lore.kernel.org/r/91c61f6e60eb0240f8bbc321fda7a1d2986dd03c.1634023677.git.leonro@nvidia.com +Reported-by: Dan Carpenter +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx4/qp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c +index 73bd35d34a257..7209b8a9b0dd2 100644 +--- a/drivers/infiniband/hw/mlx4/qp.c ++++ b/drivers/infiniband/hw/mlx4/qp.c +@@ -1057,8 +1057,10 @@ static int create_qp_common(struct mlx4_ib_dev *dev, struct ib_pd *pd, + if (dev->steering_support == + MLX4_STEERING_MODE_DEVICE_MANAGED) + qp->flags |= MLX4_IB_QP_NETIF; +- else ++ else { ++ err = -EINVAL; + goto err; ++ } + } + + err = set_kernel_sq_size(dev, &init_attr->cap, qp_type, qp); +-- +2.33.0 + diff --git a/queue-4.19/rdma-rxe-fix-wrong-port_cap_flags.patch b/queue-4.19/rdma-rxe-fix-wrong-port_cap_flags.patch new file mode 100644 index 00000000000..5a86df506e0 --- /dev/null +++ b/queue-4.19/rdma-rxe-fix-wrong-port_cap_flags.patch 
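Review bot: The added `else { err = -EINVAL; goto err; }` in create_qp_common() leaves the `if` branch unbraced while the `else` branch is braced; kernel coding style asks for braces on both branches once either one needs them. Suggested form: `if (dev->steering_support == MLX4_STEERING_MODE_DEVICE_MANAGED) { qp->flags |= MLX4_IB_QP_NETIF; } else {`. create_qp_common() starts and ends outside the hunk.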
@@ -0,0 +1,39 @@ +From 8d15a484d95aab94c283fa1444001aab1b3941bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Aug 2021 16:32:23 +0800 +Subject: RDMA/rxe: Fix wrong port_cap_flags + +From: Junji Wei + +[ Upstream commit dcd3f985b20ffcc375f82ca0ca9f241c7025eb5e ] + +The port->attr.port_cap_flags should be set to enum +ib_port_capability_mask_bits in ib_mad.h, not +RDMA_CORE_CAP_PROT_ROCE_UDP_ENCAP. + +Fixes: 8700e3e7c485 ("Soft RoCE driver") +Link: https://lore.kernel.org/r/20210831083223.65797-1-weijunji@bytedance.com +Signed-off-by: Junji Wei +Reviewed-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_param.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_param.h b/drivers/infiniband/sw/rxe/rxe_param.h +index 4555510d86c42..154c92c0e0cd7 100644 +--- a/drivers/infiniband/sw/rxe/rxe_param.h ++++ b/drivers/infiniband/sw/rxe/rxe_param.h +@@ -143,7 +143,7 @@ enum rxe_port_param { + RXE_PORT_MAX_MTU = IB_MTU_4096, + RXE_PORT_ACTIVE_MTU = IB_MTU_256, + RXE_PORT_GID_TBL_LEN = 1024, +- RXE_PORT_PORT_CAP_FLAGS = RDMA_CORE_CAP_PROT_ROCE_UDP_ENCAP, ++ RXE_PORT_PORT_CAP_FLAGS = IB_PORT_CM_SUP, + RXE_PORT_MAX_MSG_SZ = 0x800000, + RXE_PORT_BAD_PKEY_CNTR = 0, + RXE_PORT_QKEY_VIOL_CNTR = 0, +-- +2.33.0 + diff --git a/queue-4.19/rpmsg-fix-rpmsg_create_ept-return-when-rpmsg-config-.patch b/queue-4.19/rpmsg-fix-rpmsg_create_ept-return-when-rpmsg-config-.patch new file mode 100644 index 00000000000..1c53fa6c33e --- /dev/null +++ b/queue-4.19/rpmsg-fix-rpmsg_create_ept-return-when-rpmsg-config-.patch 
@@ -0,0 +1,38 @@ +From b76f4c43d7632b389cc4da918cbf0ea2519406a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jul 2021 14:39:12 +0200 +Subject: rpmsg: Fix rpmsg_create_ept return when RPMSG config is not defined + +From: Arnaud Pouliquen + +[ Upstream commit 537d3af1bee8ad1415fda9b622d1ea6d1ae76dfa ] + +According to the description of the rpmsg_create_ept in rpmsg_core.c +the function should return NULL on error. + +Fixes: 2c8a57088045 ("rpmsg: Provide function stubs for API") +Signed-off-by: Arnaud Pouliquen +Reviewed-by: Mathieu Poirier +Link: https://lore.kernel.org/r/20210712123912.10672-1-arnaud.pouliquen@foss.st.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + include/linux/rpmsg.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/rpmsg.h b/include/linux/rpmsg.h +index 9fe156d1c018e..a68972b097b72 100644 +--- a/include/linux/rpmsg.h ++++ b/include/linux/rpmsg.h +@@ -177,7 +177,7 @@ static inline struct rpmsg_endpoint *rpmsg_create_ept(struct rpmsg_device *rpdev + /* This shouldn't be possible */ + WARN_ON(1); + +- return ERR_PTR(-ENXIO); ++ return NULL; + } + + static inline int rpmsg_send(struct rpmsg_endpoint *ept, void *data, int len) +-- +2.33.0 + diff --git a/queue-4.19/rsi-stop-thread-firstly-in-rsi_91x_init-error-handli.patch b/queue-4.19/rsi-stop-thread-firstly-in-rsi_91x_init-error-handli.patch new file mode 100644 index 00000000000..ba478879dfc --- /dev/null +++ b/queue-4.19/rsi-stop-thread-firstly-in-rsi_91x_init-error-handli.patch 
@@ -0,0 +1,61 @@ +From 9f1108eff98281a2561b52d6fe8c47cb26adbc01 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Oct 2021 12:03:35 +0800 +Subject: rsi: stop thread firstly in rsi_91x_init() error handling + +From: Ziyang Xuan + +[ Upstream commit 515e7184bdf0a3ebf1757cc77fb046b4fe282189 ] + +When fail to init coex module, free 'common' and 'adapter' directly, but +common->tx_thread which will access 'common' and 'adapter' is running at +the same time. That will trigger the UAF bug. + +================================================================== +BUG: KASAN: use-after-free in rsi_tx_scheduler_thread+0x50f/0x520 [rsi_91x] +Read of size 8 at addr ffff8880076dc000 by task Tx-Thread/124777 +CPU: 0 PID: 124777 Comm: Tx-Thread Not tainted 5.15.0-rc5+ #19 +Call Trace: + dump_stack_lvl+0xe2/0x152 + print_address_description.constprop.0+0x21/0x140 + ? rsi_tx_scheduler_thread+0x50f/0x520 + kasan_report.cold+0x7f/0x11b + ? rsi_tx_scheduler_thread+0x50f/0x520 + rsi_tx_scheduler_thread+0x50f/0x520 +... + +Freed by task 111873: + kasan_save_stack+0x1b/0x40 + kasan_set_track+0x1c/0x30 + kasan_set_free_info+0x20/0x30 + __kasan_slab_free+0x109/0x140 + kfree+0x117/0x4c0 + rsi_91x_init+0x741/0x8a0 [rsi_91x] + rsi_probe+0x9f/0x1750 [rsi_usb] + +Stop thread before free 'common' and 'adapter' to fix it. 
+ +Fixes: 2108df3c4b18 ("rsi: add coex support") +Signed-off-by: Ziyang Xuan +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211015040335.1021546-1-william.xuanziyang@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/rsi/rsi_91x_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/rsi/rsi_91x_main.c b/drivers/net/wireless/rsi/rsi_91x_main.c +index a376d3d78e42c..d90d8ab56fa28 100644 +--- a/drivers/net/wireless/rsi/rsi_91x_main.c ++++ b/drivers/net/wireless/rsi/rsi_91x_main.c +@@ -373,6 +373,7 @@ struct rsi_hw *rsi_91x_init(u16 oper_mode) + if (common->coex_mode > 1) { + if (rsi_coex_attach(common)) { + rsi_dbg(ERR_ZONE, "Failed to init coex module\n"); ++ rsi_kill_thread(&common->tx_thread); + goto err; + } + } +-- +2.33.0 + diff --git a/queue-4.19/s390-gmap-don-t-unconditionally-call-pte_unmap_unloc.patch b/queue-4.19/s390-gmap-don-t-unconditionally-call-pte_unmap_unloc.patch new file mode 100644 index 00000000000..a104e2e9fde --- /dev/null +++ b/queue-4.19/s390-gmap-don-t-unconditionally-call-pte_unmap_unloc.patch 
@@ -0,0 +1,48 @@ +From 1ed2fc384482fde0e026bfd94a4259f91ea9e5c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Sep 2021 18:22:41 +0200 +Subject: s390/gmap: don't unconditionally call pte_unmap_unlock() in + __gmap_zap() + +From: David Hildenbrand + +[ Upstream commit b159f94c86b43cf7e73e654bc527255b1f4eafc4 ] + +... otherwise we will try unlocking a spinlock that was never locked via a +garbage pointer. + +At the time we reach this code path, we usually successfully looked up +a PGSTE already; however, evil user space could have manipulated the VMA +layout in the meantime and triggered removal of the page table. + +Fixes: 1e133ab296f3 ("s390/mm: split arch/s390/mm/pgtable.c") +Signed-off-by: David Hildenbrand +Reviewed-by: Claudio Imbrenda +Acked-by: Heiko Carstens +Link: https://lore.kernel.org/r/20210909162248.14969-3-david@redhat.com +Signed-off-by: Christian Borntraeger +Signed-off-by: Sasha Levin +--- + arch/s390/mm/gmap.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/arch/s390/mm/gmap.c b/arch/s390/mm/gmap.c +index 7cde0f2f52e14..65ccb9d797270 100644 +--- a/arch/s390/mm/gmap.c ++++ b/arch/s390/mm/gmap.c +@@ -684,9 +684,10 @@ void __gmap_zap(struct gmap *gmap, unsigned long gaddr) + vmaddr |= gaddr & ~PMD_MASK; + /* Get pointer to the page table entry */ + ptep = get_locked_pte(gmap->mm, vmaddr, &ptl); +- if (likely(ptep)) ++ if (likely(ptep)) { + ptep_zap_unused(gmap->mm, vmaddr, ptep, 0); +- pte_unmap_unlock(ptep, ptl); ++ pte_unmap_unlock(ptep, ptl); ++ } + } + } + EXPORT_SYMBOL_GPL(__gmap_zap); +-- +2.33.0 + diff --git a/queue-4.19/samples-kretprobes-fix-return-value-if-register_kret.patch b/queue-4.19/samples-kretprobes-fix-return-value-if-register_kret.patch new file mode 100644 index 00000000000..608b74f0cec --- /dev/null +++ b/queue-4.19/samples-kretprobes-fix-return-value-if-register_kret.patch 
@@ -0,0 +1,49 @@ +From e4c8f099e467463e9b2c72d14049b42cfddb825e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Oct 2021 09:51:28 +0800 +Subject: samples/kretprobes: Fix return value if register_kretprobe() failed + +From: Tiezhu Yang + +[ Upstream commit f76fbbbb5061fe14824ba5807c44bd7400a6b4e1 ] + +Use the actual return value instead of always -1 if register_kretprobe() +failed. + +E.g. without this patch: + + # insmod samples/kprobes/kretprobe_example.ko func=no_such_func + insmod: ERROR: could not insert module samples/kprobes/kretprobe_example.ko: Operation not permitted + +With this patch: + + # insmod samples/kprobes/kretprobe_example.ko func=no_such_func + insmod: ERROR: could not insert module samples/kprobes/kretprobe_example.ko: Unknown symbol in module + +Link: https://lkml.kernel.org/r/1635213091-24387-2-git-send-email-yangtiezhu@loongson.cn + +Fixes: 804defea1c02 ("Kprobes: move kprobe examples to samples/") +Signed-off-by: Tiezhu Yang +Acked-by: Masami Hiramatsu +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + samples/kprobes/kretprobe_example.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/samples/kprobes/kretprobe_example.c b/samples/kprobes/kretprobe_example.c +index 7f9060f435cde..da6de5e78e1dd 100644 +--- a/samples/kprobes/kretprobe_example.c ++++ b/samples/kprobes/kretprobe_example.c +@@ -83,7 +83,7 @@ static int __init kretprobe_init(void) + ret = register_kretprobe(&my_kretprobe); + if (ret < 0) { + pr_err("register_kretprobe failed, returned %d\n", ret); +- return -1; ++ return ret; + } + pr_info("Planted return probe at %s: %p\n", + my_kretprobe.kp.symbol_name, my_kretprobe.kp.addr); +-- +2.33.0 + diff --git a/queue-4.19/scsi-csiostor-uninitialized-data-in-csio_ln_vnp_read.patch b/queue-4.19/scsi-csiostor-uninitialized-data-in-csio_ln_vnp_read.patch new file mode 100644 index 00000000000..30434a031b2 --- /dev/null 
+++ b/queue-4.19/scsi-csiostor-uninitialized-data-in-csio_ln_vnp_read.patch @@ -0,0 +1,40 @@ +From 8d6d48ca2120c9770b9f3d1c6bb11a12b763c7dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Oct 2021 10:32:43 +0300 +Subject: scsi: csiostor: Uninitialized data in csio_ln_vnp_read_cbfn() + +From: Dan Carpenter + +[ Upstream commit f4875d509a0a78ad294a1a538d534b5ba94e685a ] + +This variable is just a temporary variable, used to do an endian +conversion. The problem is that the last byte is not initialized. After +the conversion is completely done, the last byte is discarded so it doesn't +cause a problem. But static checkers and the KMSan runtime checker can +detect the uninitialized read and will complain about it. + +Link: https://lore.kernel.org/r/20211006073242.GA8404@kili +Fixes: 5036f0a0ecd3 ("[SCSI] csiostor: Fix sparse warnings.") +Signed-off-by: Dan Carpenter +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/csiostor/csio_lnode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/csiostor/csio_lnode.c b/drivers/scsi/csiostor/csio_lnode.c +index a8e29e3d35726..98944fb3f0b85 100644 +--- a/drivers/scsi/csiostor/csio_lnode.c ++++ b/drivers/scsi/csiostor/csio_lnode.c +@@ -619,7 +619,7 @@ csio_ln_vnp_read_cbfn(struct csio_hw *hw, struct csio_mb *mbp) + struct fc_els_csp *csp; + struct fc_els_cssp *clsp; + enum fw_retval retval; +- __be32 nport_id; ++ __be32 nport_id = 0; + + retval = FW_CMD_RETVAL_G(ntohl(rsp->alloc_to_len16)); + if (retval != FW_SUCCESS) { +-- +2.33.0 + diff --git a/queue-4.19/scsi-dc395-fix-error-case-unwinding.patch b/queue-4.19/scsi-dc395-fix-error-case-unwinding.patch new file mode 100644 index 00000000000..c92651baa0d --- /dev/null +++ b/queue-4.19/scsi-dc395-fix-error-case-unwinding.patch 
@@ -0,0 +1,43 @@ +From 9866814fb93cbb21812b5daf2a899dbf7dda03ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Sep 2021 21:07:02 -0700 +Subject: scsi: dc395: Fix error case unwinding + +From: Tong Zhang + +[ Upstream commit cbd9a3347c757383f3d2b50cf7cfd03eb479c481 ] + +dc395x_init_one()->adapter_init() might fail. In this case, the acb is +already cleaned up by adapter_init(), no need to do that in +adapter_uninit(acb) again. + +[ 1.252251] dc395x: adapter init failed +[ 1.254900] RIP: 0010:adapter_uninit+0x94/0x170 [dc395x] +[ 1.260307] Call Trace: +[ 1.260442] dc395x_init_one.cold+0x72a/0x9bb [dc395x] + +Link: https://lore.kernel.org/r/20210907040702.1846409-1-ztong0001@gmail.com +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reviewed-by: Finn Thain +Signed-off-by: Tong Zhang +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/dc395x.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/dc395x.c b/drivers/scsi/dc395x.c +index 3943347ec3c7c..16b9dc2fff6bd 100644 +--- a/drivers/scsi/dc395x.c ++++ b/drivers/scsi/dc395x.c +@@ -4805,6 +4805,7 @@ static int dc395x_init_one(struct pci_dev *dev, const struct pci_device_id *id) + /* initialise the adapter and everything we need */ + if (adapter_init(acb, io_port_base, io_port_len, irq)) { + dprintkl(KERN_INFO, "adapter init failed\n"); ++ acb = NULL; + goto fail; + } + +-- +2.33.0 + diff --git a/queue-4.19/scsi-qla2xxx-fix-gnl-list-corruption.patch b/queue-4.19/scsi-qla2xxx-fix-gnl-list-corruption.patch new file mode 100644 index 00000000000..95866b673c5 --- /dev/null +++ b/queue-4.19/scsi-qla2xxx-fix-gnl-list-corruption.patch 
@@ -0,0 +1,79 @@ +From 369e44d5f677c5c78b41e6e672e48f0715c39c8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Oct 2021 04:54:01 -0700 +Subject: scsi: qla2xxx: Fix gnl list corruption + +From: Quinn Tran + +[ Upstream commit c98c5daaa24b583cba1369b7d167f93c6ae7299c ] + +Current code does list element deletion and addition in and out of lock +protection. This patch moves deletion behind lock. + +list_add double add: new=ffff9130b5eb89f8, prev=ffff9130b5eb89f8, + next=ffff9130c6a715f0. + ------------[ cut here ]------------ + kernel BUG at lib/list_debug.c:31! + invalid opcode: 0000 [#1] SMP PTI + CPU: 1 PID: 182395 Comm: kworker/1:37 Kdump: loaded Tainted: G W OE + --------- - - 4.18.0-193.el8.x86_64 #1 + Hardware name: HP ProLiant DL160 Gen8, BIOS J03 02/10/2014 + Workqueue: qla2xxx_wq qla2x00_iocb_work_fn [qla2xxx] + RIP: 0010:__list_add_valid+0x41/0x50 + Code: 85 94 00 00 00 48 39 c7 74 0b 48 39 d7 74 06 b8 01 00 00 00 c3 48 89 f2 + 4c 89 c1 48 89 fe 48 c7 c7 60 83 ad 97 e8 4d bd ce ff <0f> 0b 0f 1f 00 66 2e + 0f 1f 84 00 00 00 00 00 48 8b 07 48 8b 57 08 + RSP: 0018:ffffaba306f47d68 EFLAGS: 00010046 + RAX: 0000000000000058 RBX: ffff9130b5eb8800 RCX: 0000000000000006 + RDX: 0000000000000000 RSI: 0000000000000096 RDI: ffff9130b7456a00 + RBP: ffff9130c6a70a58 R08: 000000000008d7be R09: 0000000000000001 + R10: 0000000000000000 R11: 0000000000000001 R12: ffff9130c6a715f0 + R13: ffff9130b5eb8824 R14: ffff9130b5eb89f8 R15: ffff9130b5eb89f8 + FS: 0000000000000000(0000) GS:ffff9130b7440000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007efcaaef11a0 CR3: 000000005200a002 CR4: 00000000000606e0 + Call Trace: + qla24xx_async_gnl+0x113/0x3c0 [qla2xxx] + ? qla2x00_iocb_work_fn+0x53/0x80 [qla2xxx] + ? process_one_work+0x1a7/0x3b0 + ? worker_thread+0x30/0x390 + ? create_worker+0x1a0/0x1a0 + ? 
kthread+0x112/0x130 + +Link: https://lore.kernel.org/r/20211026115412.27691-3-njavali@marvell.com +Fixes: 726b85487067 ("qla2xxx: Add framework for async fabric discovery") +Reviewed-by: Himanshu Madhani +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_init.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c +index 2ebf4e4e02344..613e5467b4bc2 100644 +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -797,8 +797,6 @@ qla24xx_async_gnl_sp_done(void *s, int res) + sp->name, res, sp->u.iocb_cmd.u.mbx.in_mb[1], + sp->u.iocb_cmd.u.mbx.in_mb[2]); + +- if (res == QLA_FUNCTION_TIMEOUT) +- return; + + sp->fcport->flags &= ~(FCF_ASYNC_SENT|FCF_ASYNC_ACTIVE); + memset(&ea, 0, sizeof(ea)); +@@ -837,8 +835,8 @@ qla24xx_async_gnl_sp_done(void *s, int res) + spin_unlock_irqrestore(&vha->hw->tgt.sess_lock, flags); + + list_for_each_entry_safe(fcport, tf, &h, gnl_entry) { +- list_del_init(&fcport->gnl_entry); + spin_lock_irqsave(&vha->hw->tgt.sess_lock, flags); ++ list_del_init(&fcport->gnl_entry); + fcport->flags &= ~(FCF_ASYNC_SENT | FCF_ASYNC_ACTIVE); + spin_unlock_irqrestore(&vha->hw->tgt.sess_lock, flags); + ea.fcport = fcport; +-- +2.33.0 + diff --git a/queue-4.19/scsi-qla2xxx-turn-off-target-reset-during-issue_lip.patch b/queue-4.19/scsi-qla2xxx-turn-off-target-reset-during-issue_lip.patch new file mode 100644 index 00000000000..6024d35c458 --- /dev/null +++ b/queue-4.19/scsi-qla2xxx-turn-off-target-reset-during-issue_lip.patch 
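Review bot: The first hunk of the qla_init.c change drops the `if (res == QLA_FUNCTION_TIMEOUT) return;` early exit from qla24xx_async_gnl_sp_done(), but the commit message only describes moving `list_del_init()` under `sess_lock`. With the early return gone, a timed-out request falls through to the flag clearing and, presumably, to the response handling further down, which is outside the hunk; it is worth confirming that the response buffer is safe to walk when the firmware never answered. The message should say why the timeout case is now treated like a normal completion. The removal also leaves two consecutive blank lines before `sp->fcport->flags &= ...`.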
@@ -0,0 +1,131 @@ +From a552c5951254be0d90ba7e5ac235c9c2e579bffb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Oct 2021 04:54:02 -0700 +Subject: scsi: qla2xxx: Turn off target reset during issue_lip + +From: Quinn Tran + +[ Upstream commit 0b7a9fd934a68ebfc1019811b7bdc1742072ad7b ] + +When user uses issue_lip to do link bounce, driver sends additional target +reset to remote device before resetting the link. The target reset would +affect other paths with active I/Os. This patch will remove the unnecessary +target reset. + +Link: https://lore.kernel.org/r/20211026115412.27691-4-njavali@marvell.com +Fixes: 5854771e314e ("[SCSI] qla2xxx: Add ISPFX00 specific bus reset routine") +Reviewed-by: Himanshu Madhani +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_gbl.h | 2 -- + drivers/scsi/qla2xxx/qla_mr.c | 23 ----------------------- + drivers/scsi/qla2xxx/qla_os.c | 27 ++------------------------- + 3 files changed, 2 insertions(+), 50 deletions(-) + +diff --git a/drivers/scsi/qla2xxx/qla_gbl.h b/drivers/scsi/qla2xxx/qla_gbl.h +index b8e4abe804d5d..5b98a00bfc178 100644 +--- a/drivers/scsi/qla2xxx/qla_gbl.h ++++ b/drivers/scsi/qla2xxx/qla_gbl.h +@@ -144,7 +144,6 @@ extern int ql2xasynctmfenable; + extern int ql2xgffidenable; + extern int ql2xenabledif; + extern int ql2xenablehba_err_chk; +-extern int ql2xtargetreset; + extern int ql2xdontresethba; + extern uint64_t ql2xmaxlun; + extern int ql2xmdcapmask; +@@ -754,7 +753,6 @@ extern void qlafx00_abort_iocb(srb_t *, struct abort_iocb_entry_fx00 *); + extern void qlafx00_fxdisc_iocb(srb_t *, struct fxdisc_entry_fx00 *); + extern void qlafx00_timer_routine(scsi_qla_host_t *); + extern int qlafx00_rescan_isp(scsi_qla_host_t *); +-extern int qlafx00_loop_reset(scsi_qla_host_t *vha); + + /* qla82xx related functions */ + +diff --git a/drivers/scsi/qla2xxx/qla_mr.c b/drivers/scsi/qla2xxx/qla_mr.c +index 
521a513705549..0c00aaea9768b 100644 +--- a/drivers/scsi/qla2xxx/qla_mr.c ++++ b/drivers/scsi/qla2xxx/qla_mr.c +@@ -739,29 +739,6 @@ qlafx00_lun_reset(fc_port_t *fcport, uint64_t l, int tag) + return qla2x00_async_tm_cmd(fcport, TCF_LUN_RESET, l, tag); + } + +-int +-qlafx00_loop_reset(scsi_qla_host_t *vha) +-{ +- int ret; +- struct fc_port *fcport; +- struct qla_hw_data *ha = vha->hw; +- +- if (ql2xtargetreset) { +- list_for_each_entry(fcport, &vha->vp_fcports, list) { +- if (fcport->port_type != FCT_TARGET) +- continue; +- +- ret = ha->isp_ops->target_reset(fcport, 0, 0); +- if (ret != QLA_SUCCESS) { +- ql_dbg(ql_dbg_taskm, vha, 0x803d, +- "Bus Reset failed: Reset=%d " +- "d_id=%x.\n", ret, fcport->d_id.b24); +- } +- } +- } +- return QLA_SUCCESS; +-} +- + int + qlafx00_iospace_config(struct qla_hw_data *ha) + { +diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c +index 7cbdd32a238d4..207af1d5ed292 100644 +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -188,12 +188,6 @@ MODULE_PARM_DESC(ql2xdbwr, + " 0 -- Regular doorbell.\n" + " 1 -- CAMRAM doorbell (faster).\n"); + +-int ql2xtargetreset = 1; +-module_param(ql2xtargetreset, int, S_IRUGO); +-MODULE_PARM_DESC(ql2xtargetreset, +- "Enable target reset." 
+- "Default is 1 - use hw defaults."); +- + int ql2xgffidenable; + module_param(ql2xgffidenable, int, S_IRUGO); + MODULE_PARM_DESC(ql2xgffidenable, +@@ -1662,27 +1656,10 @@ int + qla2x00_loop_reset(scsi_qla_host_t *vha) + { + int ret; +- struct fc_port *fcport; + struct qla_hw_data *ha = vha->hw; + +- if (IS_QLAFX00(ha)) { +- return qlafx00_loop_reset(vha); +- } +- +- if (ql2xtargetreset == 1 && ha->flags.enable_target_reset) { +- list_for_each_entry(fcport, &vha->vp_fcports, list) { +- if (fcport->port_type != FCT_TARGET) +- continue; +- +- ret = ha->isp_ops->target_reset(fcport, 0, 0); +- if (ret != QLA_SUCCESS) { +- ql_dbg(ql_dbg_taskm, vha, 0x802c, +- "Bus Reset failed: Reset=%d " +- "d_id=%x.\n", ret, fcport->d_id.b24); +- } +- } +- } +- ++ if (IS_QLAFX00(ha)) ++ return QLA_SUCCESS; + + if (ha->flags.enable_lip_full_login && !IS_CNA_CAPABLE(ha)) { + atomic_set(&vha->loop_state, LOOP_DOWN); +-- +2.33.0 + diff --git a/queue-4.19/selftests-bpf-fix-fclose-pclose-mismatch-in-test_pro.patch b/queue-4.19/selftests-bpf-fix-fclose-pclose-mismatch-in-test_pro.patch new file mode 100644 index 00000000000..988d0e18f43 --- /dev/null +++ b/queue-4.19/selftests-bpf-fix-fclose-pclose-mismatch-in-test_pro.patch 
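Review bot: Deleting `ql2xtargetreset` from qla_os.c removes a module parameter that users can set, and the commit message does not mention it. In a stable backport, an existing configuration that passes `ql2xtargetreset=` will silently stop having any effect, so the description should call out the removal. In qla2x00_loop_reset() the `int ret;` declaration is kept as context; whether it is still used depends on the rest of the function, which is outside the hunk.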
@@ -0,0 +1,47 @@
+From 853a03a97cd963b449c8f9204d78bf7366c43a8a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 26 Oct 2021 16:34:09 +0200
+Subject: selftests/bpf: Fix fclose/pclose mismatch in test_progs
+
+From: Andrea Righi
+
+[ Upstream commit f48ad69097fe79d1de13c4d8fef556d4c11c5e68 ]
+
+Make sure to use pclose() to properly close the pipe opened by popen().
+
+Fixes: 81f77fd0deeb ("bpf: add selftest for stackmap with BPF_F_STACK_BUILD_ID")
+Signed-off-by: Andrea Righi
+Signed-off-by: Daniel Borkmann
+Reviewed-by: Shuah Khan
+Acked-by: Martin KaFai Lau
+Link: https://lore.kernel.org/bpf/20211026143409.42666-1-andrea.righi@canonical.com
+Signed-off-by: Sasha Levin
+---
+ tools/testing/selftests/bpf/test_progs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/test_progs.c b/tools/testing/selftests/bpf/test_progs.c
+index bad3505d66e05..0fcd38ffcc24c 100644
+--- a/tools/testing/selftests/bpf/test_progs.c
++++ b/tools/testing/selftests/bpf/test_progs.c
+@@ -1112,7 +1112,7 @@ static int extract_build_id(char *build_id, size_t size)
+
+ if (getline(&line, &len, fp) == -1)
+ goto err;
+- fclose(fp);
++ pclose(fp);
+
+ if (len > size)
+ len = size;
+@@ -1121,7 +1121,7 @@ static int extract_build_id(char *build_id, size_t size)
+ free(line);
+ return 0;
+ err:
+- fclose(fp);
++ pclose(fp);
+ return -1;
+ }
+
+--
+2.33.0
+
diff --git a/queue-4.19/serial-8250_dw-drop-wrong-use-of-acpi_ptr.patch b/queue-4.19/serial-8250_dw-drop-wrong-use-of-acpi_ptr.patch
new file mode 100644
index 00000000000..b8448413106
--- /dev/null
+++ b/queue-4.19/serial-8250_dw-drop-wrong-use-of-acpi_ptr.patch
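Review bot: In extract_build_id() the `err:` path still returns without `free(line)`, so a failed getline() leaks whatever buffer it allocated; getline() may allocate even when it returns -1. Adding `free(line);` after the `pclose(fp);` under `err:` closes that, assuming `line` starts out NULL, which is declared outside the hunk. Separately, `len` is the buffer capacity that getline() reports, not the number of characters read, so the `if (len > size) len = size;` clamp bounds the later copy by allocation size rather than by string length; keeping getline()'s return value and clamping that would be tighter. The copy itself sits between the two hunks and is not visible here.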
@@ -0,0 +1,40 @@
+From ef9ef88de1649a090e6680674d9e442c9cc0b74e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 5 Oct 2021 16:45:16 +0300
+Subject: serial: 8250_dw: Drop wrong use of ACPI_PTR()
+
+From: Andy Shevchenko
+
+[ Upstream commit ebabb77a2a115b6c5e68f7364b598310b5f61fb2 ]
+
+ACPI_PTR() is more harmful than helpful. For example, in this case
+if CONFIG_ACPI=n, the ID table left unused which is not what we want.
+
+Instead of adding ifdeffery here and there, drop ACPI_PTR().
+
+Fixes: 6a7320c4669f ("serial: 8250_dw: Add ACPI 5.0 support")
+Reported-by: Daniel Palmer
+Signed-off-by: Andy Shevchenko
+Link: https://lore.kernel.org/r/20211005134516.23218-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/serial/8250/8250_dw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/8250/8250_dw.c b/drivers/tty/serial/8250/8250_dw.c
+index 284e8d052fc3c..c73d0eddd9b8d 100644
+--- a/drivers/tty/serial/8250/8250_dw.c
++++ b/drivers/tty/serial/8250/8250_dw.c
+@@ -769,7 +769,7 @@ static struct platform_driver dw8250_platform_driver = {
+ .name = "dw-apb-uart",
+ .pm = &dw8250_pm_ops,
+ .of_match_table = dw8250_of_match,
+- .acpi_match_table = ACPI_PTR(dw8250_acpi_match),
++ .acpi_match_table = dw8250_acpi_match,
+ },
+ .probe = dw8250_probe,
+ .remove = dw8250_remove,
+--
+2.33.0
+
diff --git a/queue-4.19/serial-xilinx_uartps-fix-race-condition-causing-stuc.patch b/queue-4.19/serial-xilinx_uartps-fix-race-condition-causing-stuc.patch
new file mode 100644
index 00000000000..04a217391e0
--- /dev/null
+++ b/queue-4.19/serial-xilinx_uartps-fix-race-condition-causing-stuc.patch
@@ -0,0 +1,69 @@ +From e5a1e0817547e718d3b57a46817f1bb73da58a7b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Oct 2021 13:27:41 +0300 +Subject: serial: xilinx_uartps: Fix race condition causing stuck TX + +From: Anssi Hannula + +[ Upstream commit 88b20f84f0fe47409342669caf3e58a3fc64c316 ] + +xilinx_uartps .start_tx() clears TXEMPTY when enabling TXEMPTY to avoid +any previous TXEVENT event asserting the UART interrupt. This clear +operation is done immediately after filling the TX FIFO. + +However, if the bytes inserted by cdns_uart_handle_tx() are consumed by +the UART before the TXEMPTY is cleared, the clear operation eats the new +TXEMPTY event as well, causing cdns_uart_isr() to never receive the +TXEMPTY event. If there are bytes still queued in circbuf, TX will get +stuck as they will never get transferred to FIFO (unless new bytes are +queued to circbuf in which case .start_tx() is called again). + +While the racy missed TXEMPTY occurs fairly often with short data +sequences (e.g. write 1 byte), in those cases circbuf is usually empty +so no action on TXEMPTY would have been needed anyway. On the other +hand, longer data sequences make the race much more unlikely as UART +takes longer to consume the TX FIFO. Therefore it is rare for this race +to cause visible issues in general. + +Fix the race by clearing the TXEMPTY bit in ISR *before* filling the +FIFO. + +The TXEMPTY bit in ISR will only get asserted at the exact moment the +TX FIFO *becomes* empty, so clearing the bit before filling FIFO does +not cause an extra immediate assertion even if the FIFO is initially +empty. + +This is hard to reproduce directly on a normal system, but inserting +e.g. udelay(200) after cdns_uart_handle_tx(port), setting 4000000 baud, +and then running "dd if=/dev/zero bs=128 of=/dev/ttyPS0 count=50" +reliably reproduces the issue on my ZynqMP test system unless this fix +is applied. 
+ +Fixes: 85baf542d54e ("tty: xuartps: support 64 byte FIFO size") +Signed-off-by: Anssi Hannula +Link: https://lore.kernel.org/r/20211026102741.2910441-1-anssi.hannula@bitwise.fi +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/xilinx_uartps.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/xilinx_uartps.c b/drivers/tty/serial/xilinx_uartps.c +index 23f9b0cdff086..c22bd40fc6f0b 100644 +--- a/drivers/tty/serial/xilinx_uartps.c ++++ b/drivers/tty/serial/xilinx_uartps.c +@@ -591,9 +591,10 @@ static void cdns_uart_start_tx(struct uart_port *port) + if (uart_circ_empty(&port->state->xmit)) + return; + ++ writel(CDNS_UART_IXR_TXEMPTY, port->membase + CDNS_UART_ISR); ++ + cdns_uart_handle_tx(port); + +- writel(CDNS_UART_IXR_TXEMPTY, port->membase + CDNS_UART_ISR); + /* Enable the TX Empty interrupt */ + writel(CDNS_UART_IXR_TXEMPTY, port->membase + CDNS_UART_IER); + } +-- +2.33.0 + diff --git a/queue-4.19/series b/queue-4.19/series index 9c67fc15026..026fda876e1 100644 --- a/queue-4.19/series +++ b/queue-4.19/series 
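Review bot: The relocated `writel(CDNS_UART_IXR_TXEMPTY, port->membase + CDNS_UART_ISR);` in cdns_uart_start_tx() carries no comment, although its position before `cdns_uart_handle_tx(port)` is the entire fix. A line such as `/* Clear TXEMPTY before filling the FIFO so a fast drain is not discarded */` above it would keep a later cleanup from moving the clear back next to the IER write. The function begins outside the hunk.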
@@ -83,3 +83,153 @@ pinctrl-core-fix-possible-memory-leak-in-pinctrl_enable.patch iio-dac-ad5446-fix-ad5622_write-return-value.patch usb-serial-keyspan-fix-memleak-on-probe-errors.patch usb-iowarrior-fix-control-message-timeouts.patch +drm-panel-orientation-quirks-add-quirk-for-kd-kurio-.patch +bluetooth-sco-fix-lock_sock-blockage-by-memcpy_from_.patch +bluetooth-fix-use-after-free-error-in-lock_sock_nest.patch +platform-x86-wmi-do-not-fail-if-disabling-fails.patch +mips-lantiq-dma-add-small-delay-after-reset.patch +mips-lantiq-dma-reset-correct-number-of-channel.patch +locking-lockdep-avoid-rcu-induced-noinstr-fail.patch +net-sched-update-default-qdisc-visibility-after-tx-q.patch +smackfs-fix-use-after-free-in-netlbl_catmap_walk.patch +x86-increase-exception-stack-sizes.patch +mwifiex-run-set_bss_mode-when-changing-from-p2p-to-s.patch +mwifiex-properly-initialize-private-structure-on-int.patch +media-mt9p031-fix-corrupted-frame-after-restarting-s.patch +media-netup_unidvb-handle-interrupt-properly-accordi.patch +media-uvcvideo-set-capability-in-s_param.patch +media-uvcvideo-return-eio-for-control-errors.patch +media-s5p-mfc-fix-possible-null-pointer-dereference-.patch +media-s5p-mfc-add-checking-to-s5p_mfc_probe.patch +media-mceusb-return-without-resubmitting-urb-in-case.patch +ia64-don-t-do-ia64_cmpxchg_debug-without-config_prin.patch +media-rcar-csi2-add-checking-to-rcsi2_start_receiver.patch +acpica-avoid-evaluating-methods-too-early-during-sys.patch +media-usb-dvd-usb-fix-uninit-value-bug-in-dibusb_rea.patch +tracefs-have-tracefs-directories-not-set-oth-permiss.patch +ath-dfs_pattern_detector-fix-possible-null-pointer-d.patch +acpi-battery-accept-charges-over-the-design-capacity.patch +leaking_addresses-always-print-a-trailing-newline.patch +memstick-r592-fix-a-uaf-bug-when-removing-the-driver.patch +lib-xz-avoid-overlapping-memcpy-with-invalid-input-w.patch +lib-xz-validate-the-value-before-assigning-it-to-an-.patch 
+workqueue-make-sysfs-of-unbound-kworker-cpumask-more.patch +tracing-cfi-fix-cmp_entries_-functions-signature-mis.patch +mwl8k-fix-use-after-free-in-mwl8k_fw_state_machine.patch +pm-hibernate-get-block-device-exclusively-in-swsusp_.patch +iwlwifi-mvm-disable-rx-diversity-in-powersave.patch +smackfs-use-__gfp_nofail-for-smk_cipso_doi.patch +arm-clang-do-not-rely-on-lr-register-for-stacktrace.patch +gre-sit-don-t-generate-link-local-addr-if-addr_gen_m.patch +arm-9136-1-armv7-m-uses-be-8-not-be-32.patch +spi-bcm-qspi-fix-missing-clk_disable_unprepare-on-er.patch +x86-hyperv-protect-set_hv_tscchange_cb-against-getti.patch +parisc-fix-warning-in-flush_tlb_all.patch +task_stack-fix-end_of_stack-for-architectures-with-u.patch +parisc-unwind-fix-unwinder-when-config_64bit-is-enab.patch +parisc-kgdb-add-kgdb_roundup-to-make-kgdb-work-with-.patch +bluetooth-fix-init-and-cleanup-of-sco_conn.timeout_w.patch +cgroup-make-rebind_subsystems-disable-v2-controllers.patch +net-dsa-rtl8366rb-fix-off-by-one-bug.patch +drm-amdgpu-fix-warning-for-overflow-check.patch +media-em28xx-add-missing-em28xx_close_extension.patch +media-dvb-usb-fix-ununit-value-in-az6027_rc_query.patch +media-mtk-vpu-fix-a-resource-leak-in-the-error-handl.patch +media-si470x-avoid-card-name-truncation.patch +media-cx23885-fix-snd_card_free-call-on-null-card-po.patch +cpuidle-fix-kobject-memory-leaks-in-error-paths.patch +media-em28xx-don-t-use-ops-suspend-if-it-is-null.patch +ath9k-fix-potential-interrupt-storm-on-queue-reset.patch +media-dvb-frontends-mn88443x-handle-errors-of-clk_pr.patch +crypto-qat-detect-pfvf-collision-after-ack.patch +crypto-qat-disregard-spurious-pfvf-interrupts.patch +hwrng-mtk-force-runtime-pm-ops-for-sleep-ops.patch +b43legacy-fix-a-lower-bounds-test.patch +b43-fix-a-lower-bounds-test.patch +mmc-sdhci-omap-fix-null-pointer-exception-if-regulat.patch +memstick-avoid-out-of-range-warning.patch +memstick-jmb38x_ms-use-appropriate-free-function-in-.patch 
+hwmon-fix-possible-memleak-in-__hwmon_device_registe.patch +hwmon-pmbus-lm25066-let-compiler-determine-outer-dim.patch +ath10k-fix-max-antenna-gain-unit.patch +drm-msm-uninitialized-variable-in-msm_gem_import.patch +net-stream-don-t-purge-sk_error_queue-in-sk_stream_k.patch +mmc-mxs-mmc-disable-regulator-on-error-and-in-the-re.patch +platform-x86-thinkpad_acpi-fix-bitwise-vs.-logical-w.patch +rsi-stop-thread-firstly-in-rsi_91x_init-error-handli.patch +mwifiex-send-delba-requests-according-to-spec.patch +phy-micrel-ksz8041nl-do-not-use-power-down-mode.patch +nvme-rdma-fix-error-code-in-nvme_rdma_setup_ctrl.patch +pm-hibernate-fix-sparse-warnings.patch +clocksource-drivers-timer-ti-dm-select-timer_of.patch +drm-msm-fix-potential-null-dereference-in-dpu-sspp.patch +smackfs-use-netlbl_cfg_cipsov4_del-for-deleting-cips.patch +s390-gmap-don-t-unconditionally-call-pte_unmap_unloc.patch +irq-mips-avoid-nested-irq_enter.patch +tcp-don-t-free-a-fin-sk_buff-in-tcp_remove_empty_skb.patch +samples-kretprobes-fix-return-value-if-register_kret.patch +kvm-s390-fix-handle_sske-page-fault-handling.patch +libertas_tf-fix-possible-memory-leak-in-probe-and-di.patch +libertas-fix-possible-memory-leak-in-probe-and-disco.patch +wcn36xx-add-proper-dma-memory-barriers-in-rx-path.patch +net-amd-xgbe-toggle-pll-settings-during-rate-change.patch +net-phylink-avoid-mvneta-warning-when-setting-pause-.patch +crypto-pcrypt-delay-write-to-padata-info.patch +selftests-bpf-fix-fclose-pclose-mismatch-in-test_pro.patch +ibmvnic-process-crqs-after-enabling-interrupts.patch +rdma-rxe-fix-wrong-port_cap_flags.patch +arm-s3c-irq-s3c24xx-fix-return-value-check-for-s3c24.patch +arm64-dts-rockchip-fix-gpu-register-width-for-rk3328.patch +rdma-bnxt_re-fix-query-srq-failure.patch +arm-dts-at91-tse850-the-emac-phy-interface-is-rmii.patch +scsi-dc395-fix-error-case-unwinding.patch +mips-loongson64-make-cpu_loongson64-depends-on-mips_.patch +jfs-fix-memleak-in-jfs_mount.patch 
+alsa-hda-reduce-udelay-at-skl-position-reporting.patch +arm-dts-omap3-gta04a4-accelerometer-irq-fix.patch +soc-tegra-fix-an-error-handling-path-in-tegra_powerg.patch +memory-fsl_ifc-fix-leak-of-irq-and-nand_irq-in-fsl_i.patch +video-fbdev-chipsfb-use-memset_io-instead-of-memset.patch +serial-8250_dw-drop-wrong-use-of-acpi_ptr.patch +usb-gadget-hid-fix-error-code-in-do_config.patch +power-supply-rt5033_battery-change-voltage-values-to.patch +scsi-csiostor-uninitialized-data-in-csio_ln_vnp_read.patch +rdma-mlx4-return-missed-an-error-if-device-doesn-t-s.patch +asoc-cs42l42-correct-some-register-default-values.patch +asoc-cs42l42-defer-probe-if-request_threaded_irq-ret.patch +phy-qcom-qusb2-fix-a-memory-leak-on-probe.patch +serial-xilinx_uartps-fix-race-condition-causing-stuc.patch +mips-cm-convert-to-bitfield-api-to-fix-out-of-bounds.patch +power-supply-bq27xxx-fix-kernel-crash-on-irq-handler.patch +apparmor-fix-error-check.patch +rpmsg-fix-rpmsg_create_ept-return-when-rpmsg-config-.patch +pnfs-flexfiles-fix-misplaced-barrier-in-nfs4_ff_layo.patch +drm-plane-helper-fix-uninitialized-variable-referenc.patch +pci-aardvark-don-t-spam-about-pio-response-status.patch +nfs-fix-deadlocks-in-nfs_scan_commit_list.patch +fs-orangefs-fix-error-return-code-of-orangefs_revali.patch +mtd-spi-nor-hisi-sfc-remove-excessive-clk_disable_un.patch +dmaengine-at_xdmac-fix-at_xdmac_cc_perid-macro.patch +auxdisplay-img-ascii-lcd-fix-lock-up-when-displaying.patch +auxdisplay-ht16k33-connect-backlight-to-fbdev.patch +auxdisplay-ht16k33-fix-frame-buffer-device-blanking.patch +netfilter-nfnetlink_queue-fix-oob-when-mac-header-wa.patch +dmaengine-dmaengine_desc_callback_valid-check-for-ca.patch +m68k-set-a-default-value-for-memory_reserve.patch +watchdog-f71808e_wdt-fix-inaccurate-report-in-wdioc_.patch +ar7-fix-kernel-builds-for-compiler-test.patch +scsi-qla2xxx-fix-gnl-list-corruption.patch +scsi-qla2xxx-turn-off-target-reset-during-issue_lip.patch 
+i2c-xlr-fix-a-resource-leak-in-the-error-handling-pa.patch +xen-pciback-fix-return-in-pm_ctrl_init.patch +net-davinci_emac-fix-interrupt-pacing-disable.patch +net-vlan-fix-a-uaf-in-vlan_dev_real_dev.patch +acpi-pmic-fix-intel_pmic_regs_handler-read-accesses.patch +bonding-fix-a-use-after-free-problem-when-bond_sysfs.patch +mm-zsmalloc.c-close-race-window-between-zs_pool_dec_.patch +zram-off-by-one-in-read_block_state.patch +llc-fix-out-of-bound-array-index-in-llc_sk_dev_hash.patch +nfc-pn533-fix-double-free-when-pn533_fill_fragment_s.patch +arm64-pgtable-make-__pte_to_phys-__phys_to_pte_val-i.patch +vsock-prevent-unnecessary-refcnt-inc-for-nonblocking.patch +cxgb4-fix-eeprom-len-when-diagnostics-not-implemente.patch diff --git a/queue-4.19/smackfs-fix-use-after-free-in-netlbl_catmap_walk.patch b/queue-4.19/smackfs-fix-use-after-free-in-netlbl_catmap_walk.patch new file mode 100644 index 00000000000..6b0b42342f0 --- /dev/null +++ b/queue-4.19/smackfs-fix-use-after-free-in-netlbl_catmap_walk.patch 
@@ -0,0 +1,55 @@ +From bb86181688cae700aa02051fda46a09110e54455 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Aug 2021 23:41:40 -0700 +Subject: smackfs: Fix use-after-free in netlbl_catmap_walk() + +From: Pawan Gupta + +[ Upstream commit 0817534ff9ea809fac1322c5c8c574be8483ea57 ] + +Syzkaller reported use-after-free bug as described in [1]. The bug is +triggered when smk_set_cipso() tries to free stale category bitmaps +while there are concurrent reader(s) using the same bitmaps. + +Wait for RCU grace period to finish before freeing the category bitmaps +in smk_set_cipso(). This makes sure that there are no more readers using +the stale bitmaps and freeing them should be safe. + +[1] https://lore.kernel.org/netdev/000000000000a814c505ca657a4e@google.com/ + +Reported-by: syzbot+3f91de0b813cc3d19a80@syzkaller.appspotmail.com +Signed-off-by: Pawan Gupta +Signed-off-by: Casey Schaufler +Signed-off-by: Sasha Levin +--- + security/smack/smackfs.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c +index 009e83ee2d002..25705a72d31bc 100644 +--- a/security/smack/smackfs.c ++++ b/security/smack/smackfs.c +@@ -859,6 +859,7 @@ static int smk_open_cipso(struct inode *inode, struct file *file) + static ssize_t smk_set_cipso(struct file *file, const char __user *buf, + size_t count, loff_t *ppos, int format) + { ++ struct netlbl_lsm_catmap *old_cat; + struct smack_known *skp; + struct netlbl_lsm_secattr ncats; + char mapcatset[SMK_CIPSOLEN]; +@@ -948,9 +949,11 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf, + + rc = smk_netlbl_mls(maplevel, mapcatset, &ncats, SMK_CIPSOLEN); + if (rc >= 0) { +- netlbl_catmap_free(skp->smk_netlabel.attr.mls.cat); ++ old_cat = skp->smk_netlabel.attr.mls.cat; + skp->smk_netlabel.attr.mls.cat = ncats.attr.mls.cat; + skp->smk_netlabel.attr.mls.lvl = ncats.attr.mls.lvl; ++ synchronize_rcu(); ++ netlbl_catmap_free(old_cat); + rc = count; + 
} + +-- +2.33.0 + diff --git a/queue-4.19/smackfs-use-__gfp_nofail-for-smk_cipso_doi.patch b/queue-4.19/smackfs-use-__gfp_nofail-for-smk_cipso_doi.patch new file mode 100644 index 00000000000..ad80f009bf0 --- /dev/null +++ b/queue-4.19/smackfs-use-__gfp_nofail-for-smk_cipso_doi.patch @@ -0,0 +1,41 @@ +From 98be89f16e2e8174222b45d837260a36aac61d1c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Oct 2021 20:54:31 +0900 +Subject: smackfs: use __GFP_NOFAIL for smk_cipso_doi() + +From: Tetsuo Handa + +[ Upstream commit f91488ee15bd3cac467e2d6a361fc2d34d1052ae ] + +syzbot is reporting kernel panic at smk_cipso_doi() due to memory +allocation fault injection [1]. The reason for need to use panic() was +not explained. But since no fix was proposed for 18 months, for now +let's use __GFP_NOFAIL for utilizing syzbot resource on other bugs. + +Link: https://syzkaller.appspot.com/bug?extid=89731ccb6fec15ce1c22 [1] +Reported-by: syzbot +Signed-off-by: Tetsuo Handa +Signed-off-by: Casey Schaufler +Signed-off-by: Sasha Levin +--- + security/smack/smackfs.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c +index 25705a72d31bc..9fdf404a318f9 100644 +--- a/security/smack/smackfs.c ++++ b/security/smack/smackfs.c +@@ -721,9 +721,7 @@ static void smk_cipso_doi(void) + printk(KERN_WARNING "%s:%d remove rc = %d\n", + __func__, __LINE__, rc); + +- doip = kmalloc(sizeof(struct cipso_v4_doi), GFP_KERNEL); +- if (doip == NULL) +- panic("smack: Failed to initialize cipso DOI.\n"); ++ doip = kmalloc(sizeof(struct cipso_v4_doi), GFP_KERNEL | __GFP_NOFAIL); + doip->map.std = NULL; + doip->doi = smk_cipso_doi_value; + doip->type = CIPSO_V4_MAP_PASS; +-- +2.33.0 + diff --git a/queue-4.19/smackfs-use-netlbl_cfg_cipsov4_del-for-deleting-cips.patch b/queue-4.19/smackfs-use-netlbl_cfg_cipsov4_del-for-deleting-cips.patch new file mode 100644 index 00000000000..8221677d19d --- /dev/null 
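Review bot: In smk_set_cipso() the new category map is still published with a plain store, `skp->smk_netlabel.attr.mls.cat = ncats.attr.mls.cat;`, while the fix depends on `synchronize_rcu()` to wait out readers. That wait only covers readers that pick up the pointer inside an RCU read-side section, and the reader side is not visible in this hunk, so this should be confirmed; if they do, `rcu_assign_pointer()` on the store, paired with `rcu_dereference()` in the readers, would make the ordering explicit. `cat` and `lvl` are also updated as two separate stores, so a concurrent reader can observe the new map together with the old level. A comment on the `synchronize_rcu()` call naming the readers it waits for would help the next person touching this path.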
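Review bot: The `__GFP_NOFAIL` allocation in smk_cipso_doi() removes the only failure handling without leaving a comment, so the unchecked `doip->map.std = NULL;` on the next line reads like a missing NULL test. A one-line comment such as `/* __GFP_NOFAIL: kmalloc() cannot return NULL here */` above the call would prevent a well-meant re-addition of the check, and `sizeof(*doip)` would be the usual form for the size argument.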
+++ b/queue-4.19/smackfs-use-netlbl_cfg_cipsov4_del-for-deleting-cips.patch @@ -0,0 +1,41 @@ +From 69d4fd8c69da3db58f5e3a1cc5567ca77667bc78 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Oct 2021 20:27:26 +0900 +Subject: smackfs: use netlbl_cfg_cipsov4_del() for deleting cipso_v4_doi + +From: Tetsuo Handa + +[ Upstream commit 0934ad42bb2c5df90a1b9de690f93de735b622fe ] + +syzbot is reporting UAF at cipso_v4_doi_search() [1], for smk_cipso_doi() +is calling kfree() without removing from the cipso_v4_doi_list list after +netlbl_cfg_cipsov4_map_add() returned an error. We need to use +netlbl_cfg_cipsov4_del() in order to remove from the list and wait for +RCU grace period before kfree(). + +Link: https://syzkaller.appspot.com/bug?extid=93dba5b91f0fed312cbd [1] +Reported-by: syzbot +Signed-off-by: Tetsuo Handa +Fixes: 6c2e8ac0953fccdd ("netlabel: Update kernel configuration API") +Signed-off-by: Casey Schaufler +Signed-off-by: Sasha Levin +--- + security/smack/smackfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c +index 9fdf404a318f9..a9c516362170a 100644 +--- a/security/smack/smackfs.c ++++ b/security/smack/smackfs.c +@@ -740,7 +740,7 @@ static void smk_cipso_doi(void) + if (rc != 0) { + printk(KERN_WARNING "%s:%d map add rc = %d\n", + __func__, __LINE__, rc); +- kfree(doip); ++ netlbl_cfg_cipsov4_del(doip->doi, &nai); + return; + } + } +-- +2.33.0 + diff --git a/queue-4.19/soc-tegra-fix-an-error-handling-path-in-tegra_powerg.patch b/queue-4.19/soc-tegra-fix-an-error-handling-path-in-tegra_powerg.patch new file mode 100644 index 00000000000..3483aa64e26 --- /dev/null +++ b/queue-4.19/soc-tegra-fix-an-error-handling-path-in-tegra_powerg.patch 
@@ -0,0 +1,41 @@
+From a8dc74d0846852e277f578beae3fbcc49ad455b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 27 Jun 2021 17:54:31 +0200
+Subject: soc/tegra: Fix an error handling path in tegra_powergate_power_up()
+
+From: Christophe JAILLET
+
+[ Upstream commit 986b5094708e508baa452a23ffe809870934a7df ]
+
+If an error occurs after a successful tegra_powergate_enable_clocks()
+call, it must be undone by a tegra_powergate_disable_clocks() call, as
+already done in the below and above error handling paths of this function.
+
+Update the 'goto' to branch at the correct place of the error handling
+path.
+
+Fixes: a38045121bf4 ("soc/tegra: pmc: Add generic PM domain support")
+Signed-off-by: Christophe JAILLET
+Reviewed-by: Jon Hunter
+Signed-off-by: Thierry Reding
+Signed-off-by: Sasha Levin
+---
+ drivers/soc/tegra/pmc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/soc/tegra/pmc.c b/drivers/soc/tegra/pmc.c
+index f17a678154047..6c57e43787cbf 100644
+--- a/drivers/soc/tegra/pmc.c
++++ b/drivers/soc/tegra/pmc.c
+@@ -408,7 +408,7 @@ static int tegra_powergate_power_up(struct tegra_powergate *pg,
+
+ err = reset_control_deassert(pg->reset);
+ if (err)
+- goto powergate_off;
++ goto disable_clks;
+
+ usleep_range(10, 20);
+
+--
+2.33.0
+
diff --git a/queue-4.19/spi-bcm-qspi-fix-missing-clk_disable_unprepare-on-er.patch b/queue-4.19/spi-bcm-qspi-fix-missing-clk_disable_unprepare-on-er.patch
new file mode 100644
index 00000000000..9a1ccb7c418
--- /dev/null
+++ b/queue-4.19/spi-bcm-qspi-fix-missing-clk_disable_unprepare-on-er.patch
@@ -0,0 +1,55 @@
+From a561ea26f0e39ecd828ad9881a9c93de7290b0b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 18 Oct 2021 15:34:13 +0800
+Subject: spi: bcm-qspi: Fix missing clk_disable_unprepare() on error in
+ bcm_qspi_probe()
+
+From: Yang Yingliang
+
+[ Upstream commit ca9b8f56ec089d3a436050afefd17b7237301f47 ]
+
+Fix the missing clk_disable_unprepare() before return
+from bcm_qspi_probe() in the error handling case.
+
+Reported-by: Hulk Robot
+Signed-off-by: Yang Yingliang
+Link: https://lore.kernel.org/r/20211018073413.2029081-1-yangyingliang@huawei.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-bcm-qspi.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spi-bcm-qspi.c b/drivers/spi/spi-bcm-qspi.c
+index 4ee92f7ca20bd..b2fd7a3691964 100644
+--- a/drivers/spi/spi-bcm-qspi.c
++++ b/drivers/spi/spi-bcm-qspi.c
+@@ -1305,7 +1305,7 @@ int bcm_qspi_probe(struct platform_device *pdev,
+ &qspi->dev_ids[val]);
+ if (ret < 0) {
+ dev_err(&pdev->dev, "IRQ %s not found\n", name);
+- goto qspi_probe_err;
++ goto qspi_unprepare_err;
+ }
+
+ qspi->dev_ids[val].dev = qspi;
+@@ -1320,7 +1320,7 @@ int bcm_qspi_probe(struct platform_device *pdev,
+ if (!num_ints) {
+ dev_err(&pdev->dev, "no IRQs registered, cannot init driver\n");
+ ret = -EINVAL;
+- goto qspi_probe_err;
++ goto qspi_unprepare_err;
+ }
+
+ /*
+@@ -1371,6 +1371,7 @@ int bcm_qspi_probe(struct platform_device *pdev,
+
+ qspi_reg_err:
+ bcm_qspi_hw_uninit(qspi);
++qspi_unprepare_err:
+ clk_disable_unprepare(qspi->clk);
+ qspi_probe_err:
+ kfree(qspi->dev_ids);
+--
+2.33.0
+
diff --git a/queue-4.19/task_stack-fix-end_of_stack-for-architectures-with-u.patch b/queue-4.19/task_stack-fix-end_of_stack-for-architectures-with-u.patch
new file mode 100644
index 00000000000..c9154592287
--- /dev/null
+++ b/queue-4.19/task_stack-fix-end_of_stack-for-architectures-with-u.patch
@@ -0,0 +1,44 @@ +From 67680f3c48de3ed2153d7c368fb3931212c19922 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Oct 2021 00:05:43 +0200 +Subject: task_stack: Fix end_of_stack() for architectures with upwards-growing + stack + +From: Helge Deller + +[ Upstream commit 9cc2fa4f4a92ccc6760d764e7341be46ee8aaaa1 ] + +The function end_of_stack() returns a pointer to the last entry of a +stack. For architectures like parisc where the stack grows upwards +return the pointer to the highest address in the stack. + +Without this change I faced a crash on parisc, because the stackleak +functionality wrote STACKLEAK_POISON to the lowest address and thus +overwrote the first 4 bytes of the task_struct which included the +TIF_FLAGS. + +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + include/linux/sched/task_stack.h | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/include/linux/sched/task_stack.h b/include/linux/sched/task_stack.h +index 6a841929073f9..4f099d3fed3a9 100644 +--- a/include/linux/sched/task_stack.h ++++ b/include/linux/sched/task_stack.h +@@ -25,7 +25,11 @@ static inline void *task_stack_page(const struct task_struct *task) + + static inline unsigned long *end_of_stack(const struct task_struct *task) + { ++#ifdef CONFIG_STACK_GROWSUP ++ return (unsigned long *)((unsigned long)task->stack + THREAD_SIZE) - 1; ++#else + return task->stack; ++#endif + } + + #elif !defined(__HAVE_THREAD_FUNCTIONS) +-- +2.33.0 + diff --git a/queue-4.19/tcp-don-t-free-a-fin-sk_buff-in-tcp_remove_empty_skb.patch b/queue-4.19/tcp-don-t-free-a-fin-sk_buff-in-tcp_remove_empty_skb.patch new file mode 100644 index 00000000000..a5d8add9708 --- /dev/null +++ b/queue-4.19/tcp-don-t-free-a-fin-sk_buff-in-tcp_remove_empty_skb.patch 
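Review bot: The new CONFIG_STACK_GROWSUP return in end_of_stack() relies on cast precedence that is easy to misread. The cast binds to the parenthesised byte address and the `- 1` is then pointer arithmetic on `unsigned long *`, so the result is the last word of the stack area rather than one byte below its end. A short comment above the `#ifdef` would make that explicit, for example `/* stack grows up: the overflow boundary is the last word of the stack area, not task->stack */`. Code that writes a marker or poison at this address depends on it lying inside the stack allocation, which the description shows was not the case on parisc before this change.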
@@ -0,0 +1,65 @@ +From 38b85e8c7b932e05974b9c5a009a7f359d400922 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Oct 2021 10:59:03 +1100 +Subject: tcp: don't free a FIN sk_buff in tcp_remove_empty_skb() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jon Maxwell + +[ Upstream commit cf12e6f9124629b18a6182deefc0315f0a73a199 ] + +v1: Implement a more general statement as recommended by Eric Dumazet. The +sequence number will be advanced, so this check will fix the FIN case and +other cases. + +A customer reported sockets stuck in the CLOSING state. A Vmcore revealed that +the write_queue was not empty as determined by tcp_write_queue_empty() but the +sk_buff containing the FIN flag had been freed and the socket was zombied in +that state. Corresponding pcaps show no FIN from the Linux kernel on the wire. + +Some instrumentation was added to the kernel and it was found that there is a +timing window where tcp_sendmsg() can run after tcp_send_fin(). + +tcp_sendmsg() will hit an error, for example: + +1269 ▹ if (sk->sk_err || (sk->sk_shutdown & SEND_SHUTDOWN))↩ +1270 ▹ ▹ goto do_error;↩ + +tcp_remove_empty_skb() will then free the FIN sk_buff as "skb->len == 0". The +TCP socket is now wedged in the FIN-WAIT-1 state because the FIN is never sent. + +If the other side sends a FIN packet the socket will transition to CLOSING and +remain that way until the system is rebooted. + +Fix this by checking for the FIN flag in the sk_buff and don't free it if that +is the case. Testing confirmed that fixed the issue. + +Fixes: fdfc5c8594c2 ("tcp: remove empty skb from write queue in error cases") +Signed-off-by: Jon Maxwell +Reported-by: Monir Zouaoui +Reported-by: Simon Stier +Reviewed-by: Eric Dumazet +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 769e1f683471a..4dce1b418acc2 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -952,7 +952,7 @@ static int tcp_send_mss(struct sock *sk, int *size_goal, int flags) + */ + static void tcp_remove_empty_skb(struct sock *sk, struct sk_buff *skb) + { +- if (skb && !skb->len) { ++ if (skb && TCP_SKB_CB(skb)->seq == TCP_SKB_CB(skb)->end_seq) { + tcp_unlink_write_queue(skb, sk); + if (tcp_write_queue_empty(sk)) + tcp_chrono_stop(sk, TCP_CHRONO_BUSY); +-- +2.33.0 + diff --git a/queue-4.19/tracefs-have-tracefs-directories-not-set-oth-permiss.patch b/queue-4.19/tracefs-have-tracefs-directories-not-set-oth-permiss.patch new file mode 100644 index 00000000000..8503ad1913b --- /dev/null +++ b/queue-4.19/tracefs-have-tracefs-directories-not-set-oth-permiss.patch 
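Review bot: The new condition in tcp_remove_empty_skb() does not say why sequence numbers are compared instead of `skb->len`, and the function's header comment ends above the hunk so it cannot be checked from here. A comment next to the test would keep a later cleanup from restoring the length check: `/* a FIN carries no payload but still advances the sequence number, so seq != end_seq keeps it queued */`. The description reports that freeing that skb left sockets stuck in CLOSING until reboot, an availability problem worth recording at the point of the check.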
@@ -0,0 +1,47 @@
+From a038c2e64b89258e530bd86d5f856259b7ba0698 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 18 Aug 2021 11:24:50 -0400
+Subject: tracefs: Have tracefs directories not set OTH permission bits by
+ default
+
+From: Steven Rostedt (VMware)
+
+[ Upstream commit 49d67e445742bbcb03106b735b2ab39f6e5c56bc ]
+
+The tracefs file system is by default mounted such that only root user can
+access it. But there are legitimate reasons to create a group and allow
+those added to the group to have access to tracing. By changing the
+permissions of the tracefs mount point to allow access, it will allow
+group access to the tracefs directory.
+
+There should not be any real reason to allow all access to the tracefs
+directory as it contains sensitive information. Have the default
+permission of directories being created not have any OTH (other) bits set,
+such that an admin that wants to give permission to a group has to first
+disable all OTH bits in the file system.
+
+Link: https://lkml.kernel.org/r/20210818153038.664127804@goodmis.org
+
+Signed-off-by: Steven Rostedt (VMware)
+Signed-off-by: Sasha Levin
+---
+ fs/tracefs/inode.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/tracefs/inode.c b/fs/tracefs/inode.c
+index 7098c49f36934..990f794b1dd0a 100644
+--- a/fs/tracefs/inode.c
++++ b/fs/tracefs/inode.c
+@@ -427,7 +427,8 @@ static struct dentry *__create_dir(const char *name, struct dentry *parent,
+ if (unlikely(!inode))
+ return failed_creating(dentry);
+
+- inode->i_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO;
++ /* Do not set bits for OTH */
++ inode->i_mode = S_IFDIR | S_IRWXU | S_IRUSR| S_IRGRP | S_IXUSR | S_IXGRP;
+ inode->i_op = ops;
+ inode->i_fop = &simple_dir_operations;
+
+--
+2.33.0
+
diff --git a/queue-4.19/tracing-cfi-fix-cmp_entries_-functions-signature-mis.patch b/queue-4.19/tracing-cfi-fix-cmp_entries_-functions-signature-mis.patch
new file mode 100644
index 00000000000..ca77cfc00d2
--- /dev/null
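Review bot: The new mode expression in __create_dir() repeats bits: `S_IRWXU` already contains `S_IRUSR` and `S_IXUSR`, and `S_IRUSR|` is missing a space before the operator. `inode->i_mode = S_IFDIR | S_IRWXU | S_IRGRP | S_IXGRP;` yields the same value (0750) and makes the intended owner/group-only access easier to audit. The hunk only covers directories created through __create_dir(), whose body continues outside it. Whether files and the mount-point default get the same treatment cannot be seen from here and is worth checking, since the description calls the contents sensitive.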
+++ b/queue-4.19/tracing-cfi-fix-cmp_entries_-functions-signature-mis.patch 
@@ -0,0 +1,134 @@ +From 79b2e2aa206769404faf03f72c3f455b3177bf25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Oct 2021 21:52:17 -0700 +Subject: tracing/cfi: Fix cmp_entries_* functions signature mismatch + +From: Kalesh Singh + +[ Upstream commit 7ce1bb83a14019f8c396d57ec704d19478747716 ] + +If CONFIG_CFI_CLANG=y, attempting to read an event histogram will cause +the kernel to panic due to failed CFI check. + + 1. echo 'hist:keys=common_pid' >> events/sched/sched_switch/trigger + 2. cat events/sched/sched_switch/hist + 3. kernel panics on attempting to read hist + +This happens because the sort() function expects a generic +int (*)(const void *, const void *) pointer for the compare function. +To prevent this CFI failure, change tracing map cmp_entries_* function +signatures to match this. + +Also, fix the build error reported by the kernel test robot [1]. + +[1] https://lore.kernel.org/r/202110141140.zzi4dRh4-lkp@intel.com/ + +Link: https://lkml.kernel.org/r/20211014045217.3265162-1-kaleshsingh@google.com + +Signed-off-by: Kalesh Singh +Reported-by: kernel test robot +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + kernel/trace/tracing_map.c | 40 ++++++++++++++++++++++---------------- + 1 file changed, 23 insertions(+), 17 deletions(-) + +diff --git a/kernel/trace/tracing_map.c b/kernel/trace/tracing_map.c +index 9e31bfc818ff8..10657b8dc2c2d 100644 +--- a/kernel/trace/tracing_map.c ++++ b/kernel/trace/tracing_map.c +@@ -834,29 +834,35 @@ int tracing_map_init(struct tracing_map *map) + return err; + } + +-static int cmp_entries_dup(const struct tracing_map_sort_entry **a, +- const struct tracing_map_sort_entry **b) ++static int cmp_entries_dup(const void *A, const void *B) + { ++ const struct tracing_map_sort_entry *a, *b; + int ret = 0; + +- if (memcmp((*a)->key, (*b)->key, (*a)->elt->map->key_size)) ++ a = *(const struct tracing_map_sort_entry **)A; ++ b = *(const struct tracing_map_sort_entry **)B; ++ ++ if (memcmp(a->key, 
b->key, a->elt->map->key_size)) + ret = 1; + + return ret; + } + +-static int cmp_entries_sum(const struct tracing_map_sort_entry **a, +- const struct tracing_map_sort_entry **b) ++static int cmp_entries_sum(const void *A, const void *B) + { + const struct tracing_map_elt *elt_a, *elt_b; ++ const struct tracing_map_sort_entry *a, *b; + struct tracing_map_sort_key *sort_key; + struct tracing_map_field *field; + tracing_map_cmp_fn_t cmp_fn; + void *val_a, *val_b; + int ret = 0; + +- elt_a = (*a)->elt; +- elt_b = (*b)->elt; ++ a = *(const struct tracing_map_sort_entry **)A; ++ b = *(const struct tracing_map_sort_entry **)B; ++ ++ elt_a = a->elt; ++ elt_b = b->elt; + + sort_key = &elt_a->map->sort_key; + +@@ -873,18 +879,21 @@ static int cmp_entries_sum(const struct tracing_map_sort_entry **a, + return ret; + } + +-static int cmp_entries_key(const struct tracing_map_sort_entry **a, +- const struct tracing_map_sort_entry **b) ++static int cmp_entries_key(const void *A, const void *B) + { + const struct tracing_map_elt *elt_a, *elt_b; ++ const struct tracing_map_sort_entry *a, *b; + struct tracing_map_sort_key *sort_key; + struct tracing_map_field *field; + tracing_map_cmp_fn_t cmp_fn; + void *val_a, *val_b; + int ret = 0; + +- elt_a = (*a)->elt; +- elt_b = (*b)->elt; ++ a = *(const struct tracing_map_sort_entry **)A; ++ b = *(const struct tracing_map_sort_entry **)B; ++ ++ elt_a = a->elt; ++ elt_b = b->elt; + + sort_key = &elt_a->map->sort_key; + +@@ -989,10 +998,8 @@ static void sort_secondary(struct tracing_map *map, + struct tracing_map_sort_key *primary_key, + struct tracing_map_sort_key *secondary_key) + { +- int (*primary_fn)(const struct tracing_map_sort_entry **, +- const struct tracing_map_sort_entry **); +- int (*secondary_fn)(const struct tracing_map_sort_entry **, +- const struct tracing_map_sort_entry **); ++ int (*primary_fn)(const void *, const void *); ++ int (*secondary_fn)(const void *, const void *); + unsigned i, start = 0, n_sub = 1; + + if 
(is_key(map, primary_key->field_idx)) +@@ -1061,8 +1068,7 @@ int tracing_map_sort_entries(struct tracing_map *map, + unsigned int n_sort_keys, + struct tracing_map_sort_entry ***sort_entries) + { +- int (*cmp_entries_fn)(const struct tracing_map_sort_entry **, +- const struct tracing_map_sort_entry **); ++ int (*cmp_entries_fn)(const void *, const void *); + struct tracing_map_sort_entry *sort_entry, **entries; + int i, n_entries, ret; + +-- +2.33.0 + diff --git a/queue-4.19/usb-gadget-hid-fix-error-code-in-do_config.patch b/queue-4.19/usb-gadget-hid-fix-error-code-in-do_config.patch new file mode 100644 index 00000000000..c3a69ca2411 --- /dev/null +++ b/queue-4.19/usb-gadget-hid-fix-error-code-in-do_config.patch @@ -0,0 +1,40 @@ +From 5f74af29ca7c6ea6e45ab3b4680e7fb13314eb93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Oct 2021 15:37:39 +0300 +Subject: usb: gadget: hid: fix error code in do_config() + +From: Dan Carpenter + +[ Upstream commit 68e7c510fdf4f6167404609da52e1979165649f6 ] + +Return an error code if usb_get_function() fails. Don't return success. + +Fixes: 4bc8a33f2407 ("usb: gadget: hid: convert to new interface of f_hid") +Acked-by: Felipe Balbi +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/20211011123739.GC15188@kili +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/legacy/hid.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/legacy/hid.c b/drivers/usb/gadget/legacy/hid.c +index 5b27d289443fe..3912cc805f3af 100644 +--- a/drivers/usb/gadget/legacy/hid.c ++++ b/drivers/usb/gadget/legacy/hid.c +@@ -99,8 +99,10 @@ static int do_config(struct usb_configuration *c) + + list_for_each_entry(e, &hidg_func_list, node) { + e->f = usb_get_function(e->fi); +- if (IS_ERR(e->f)) ++ if (IS_ERR(e->f)) { ++ status = PTR_ERR(e->f); + goto put; ++ } + status = usb_add_function(c, e->f); + if (status < 0) { + usb_put_function(e->f); +-- +2.33.0 + 
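Review bot: cmp_entries_dup() still returns 1 for any key mismatch and never a negative value, so as a sort() comparator it reports both a > b and b > a for the same pair. The signature change keeps that behaviour. If its caller (outside this hunk) relies on sort() to bring equal keys next to each other, an inconsistent ordering can leave duplicates non-adjacent. Returning the memcmp() result directly gives a consistent order: `return memcmp(a->key, b->key, a->elt->map->key_size);`. Separately, the upper-case parameter names `A`/`B` depart from the lower-case naming in the surrounding visible code.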
diff --git a/queue-4.19/video-fbdev-chipsfb-use-memset_io-instead-of-memset.patch b/queue-4.19/video-fbdev-chipsfb-use-memset_io-instead-of-memset.patch new file mode 100644 index 00000000000..f7322c6c7d1 --- /dev/null +++ b/queue-4.19/video-fbdev-chipsfb-use-memset_io-instead-of-memset.patch 
@@ -0,0 +1,84 @@ +From c3e52c2be4529e802d44cb22554e18da28afdfd6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Sep 2021 15:34:35 +0200 +Subject: video: fbdev: chipsfb: use memset_io() instead of memset() + +From: Christophe Leroy + +[ Upstream commit f2719b26ae27282c145202ffd656d5ff1fe737cc ] + +While investigating a lockup at startup on Powerbook 3400C, it was +identified that the fbdev driver generates alignment exception at +startup: + + --- interrupt: 600 at memset+0x60/0xc0 + NIP: c0021414 LR: c03fc49c CTR: 00007fff + REGS: ca021c10 TRAP: 0600 Tainted: G W (5.14.2-pmac-00727-g12a41fa69492) + MSR: 00009032 CR: 44008442 XER: 20000100 + DAR: cab80020 DSISR: 00017c07 + GPR00: 00000007 ca021cd0 c14412e0 cab80000 00000000 00100000 cab8001c 00000004 + GPR08: 00100000 00007fff 00000000 00000000 84008442 00000000 c0006fb4 00000000 + GPR16: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00100000 + GPR24: 00000000 81800000 00000320 c15fa400 c14d1878 00000000 c14d1800 c094e19c + NIP [c0021414] memset+0x60/0xc0 + LR [c03fc49c] chipsfb_pci_init+0x160/0x580 + --- interrupt: 600 + [ca021cd0] [c03fc46c] chipsfb_pci_init+0x130/0x580 (unreliable) + [ca021d20] [c03a3a70] pci_device_probe+0xf8/0x1b8 + [ca021d50] [c043d584] really_probe.part.0+0xac/0x388 + [ca021d70] [c043d914] __driver_probe_device+0xb4/0x170 + [ca021d90] [c043da18] driver_probe_device+0x48/0x144 + [ca021dc0] [c043e318] __driver_attach+0x11c/0x1c4 + [ca021de0] [c043ad30] bus_for_each_dev+0x88/0xf0 + [ca021e10] [c043c724] bus_add_driver+0x190/0x22c + [ca021e40] [c043ee94] driver_register+0x9c/0x170 + [ca021e60] [c0006c28] do_one_initcall+0x54/0x1ec + [ca021ed0] [c08246e4] kernel_init_freeable+0x1c0/0x270 + [ca021f10] [c0006fdc] kernel_init+0x28/0x11c + [ca021f30] [c0017148] ret_from_kernel_thread+0x14/0x1c + Instruction dump: + 7d4601a4 39490777 7d4701a4 39490888 7d4801a4 39490999 7d4901a4 39290aaa + 7d2a01a4 4c00012c 4bfffe88 0fe00000 <4bfffe80> 9421fff0 38210010 48001970 + +This is due 
to 'dcbz' instruction being used on non-cached memory. +'dcbz' instruction is used by memset() to zeroize a complete +cacheline at once, and memset() is not expected to be used on non +cached memory. + +When performing a 'sparse' check on fbdev driver, it also appears +that the use of memset() is unexpected: + + drivers/video/fbdev/chipsfb.c:334:17: warning: incorrect type in argument 1 (different address spaces) + drivers/video/fbdev/chipsfb.c:334:17: expected void * + drivers/video/fbdev/chipsfb.c:334:17: got char [noderef] __iomem *screen_base + drivers/video/fbdev/chipsfb.c:334:15: warning: memset with byte count of 1048576 + +Use fb_memset() instead of memset(). fb_memset() is defined as +memset_io() for powerpc. + +Fixes: 8c8709334cec ("[PATCH] ppc32: Remove CONFIG_PMAC_PBOOK") +Reported-by: Stan Johnson +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/884a54f1e5cb774c1d9b4db780209bee5d4f6718.1631712563.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/chipsfb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/chipsfb.c b/drivers/video/fbdev/chipsfb.c +index f9b366d175875..413b465e69d8e 100644 +--- a/drivers/video/fbdev/chipsfb.c ++++ b/drivers/video/fbdev/chipsfb.c +@@ -332,7 +332,7 @@ static const struct fb_var_screeninfo chipsfb_var = { + + static void init_chips(struct fb_info *p, unsigned long addr) + { +- memset(p->screen_base, 0, 0x100000); ++ fb_memset(p->screen_base, 0, 0x100000); + + p->fix = chipsfb_fix; + p->fix.smem_start = addr; +-- +2.33.0 + diff --git a/queue-4.19/vsock-prevent-unnecessary-refcnt-inc-for-nonblocking.patch b/queue-4.19/vsock-prevent-unnecessary-refcnt-inc-for-nonblocking.patch new file mode 100644 index 00000000000..abd6b46c31b --- /dev/null +++ b/queue-4.19/vsock-prevent-unnecessary-refcnt-inc-for-nonblocking.patch 
@@ -0,0 +1,42 @@
+From 608e677af8fa53b604b96e4eb1bfe09aaec57ae8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 9 Nov 2021 00:15:02 +0000
+Subject: vsock: prevent unnecessary refcnt inc for nonblocking connect
+
+From: Eiichi Tsukata
+
+[ Upstream commit c7cd82b90599fa10915f41e3dd9098a77d0aa7b6 ]
+
+Currently vosck_connect() increments sock refcount for nonblocking
+socket each time it's called, which can lead to memory leak if
+it's called multiple times because connect timeout function decrements
+sock refcount only once.
+
+Fixes it by making vsock_connect() return -EALREADY immediately when
+sock state is already SS_CONNECTING.
+
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Reviewed-by: Stefano Garzarella
+Signed-off-by: Eiichi Tsukata
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/vmw_vsock/af_vsock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
+index 2d31fce5c2185..37329e11dc3cc 100644
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1159,6 +1159,8 @@ static int vsock_stream_connect(struct socket *sock, struct sockaddr *addr,
+ * non-blocking call.
+ */
+ err = -EALREADY;
++ if (flags & O_NONBLOCK)
++ goto out;
+ break;
+ default:
+ if ((sk->sk_state == TCP_LISTEN) ||
+--
+2.33.0
+
diff --git a/queue-4.19/watchdog-f71808e_wdt-fix-inaccurate-report-in-wdioc_.patch b/queue-4.19/watchdog-f71808e_wdt-fix-inaccurate-report-in-wdioc_.patch
new file mode 100644
index 00000000000..cecc247a15a
--- /dev/null
+++ b/queue-4.19/watchdog-f71808e_wdt-fix-inaccurate-report-in-wdioc_.patch
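Review bot: The added `if (flags & O_NONBLOCK) goto out;` in the SS_CONNECTING case of vsock_stream_connect() has no comment of its own, and the existing comment above it only says a connect is already in progress. Something like `/* repeated non-blocking connect(): return now so no further sock reference is taken for the connect timeout */` would record the reference-count reason given in the description. A blocking caller still leaves the switch with `err = -EALREADY` set and continues into code outside the hunk, so it is worth confirming that path cannot take the extra reference either.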
@@ -0,0 +1,53 @@ +From 0888638ab831ac7fa27397c9c2e8dbbc9579c752 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Aug 2021 18:20:31 +0200 +Subject: watchdog: f71808e_wdt: fix inaccurate report in WDIOC_GETTIMEOUT + +From: Ahmad Fatoum + +[ Upstream commit 164483c735190775f29d0dcbac0363adc51a068d ] + +The fintek watchdog timer can configure timeouts of second granularity +only up to 255 seconds. Beyond that, the timeout needs to be configured +with minute granularity. WDIOC_GETTIMEOUT should report the actual +timeout configured, not just echo back the timeout configured by the +user. Do so. + +Fixes: 96cb4eb019ce ("watchdog: f71808e_wdt: new watchdog driver for Fintek F71808E and F71882FG") +Suggested-by: Guenter Roeck +Reviewed-by: Guenter Roeck +Signed-off-by: Ahmad Fatoum +Link: https://lore.kernel.org/r/5e17960fe8cc0e3cb2ba53de4730b75d9a0f33d5.1628525954.git-series.a.fatoum@pengutronix.de +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/f71808e_wdt.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/watchdog/f71808e_wdt.c b/drivers/watchdog/f71808e_wdt.c +index 5d0ea419070dc..6b751d1aab084 100644 +--- a/drivers/watchdog/f71808e_wdt.c ++++ b/drivers/watchdog/f71808e_wdt.c +@@ -237,15 +237,17 @@ static int watchdog_set_timeout(int timeout) + + mutex_lock(&watchdog.lock); + +- watchdog.timeout = timeout; + if (timeout > 0xff) { + watchdog.timer_val = DIV_ROUND_UP(timeout, 60); + watchdog.minutes_mode = true; ++ timeout = watchdog.timer_val * 60; + } else { + watchdog.timer_val = timeout; + watchdog.minutes_mode = false; + } + ++ watchdog.timeout = timeout; ++ + mutex_unlock(&watchdog.lock); + + return 0; +-- +2.33.0 + diff --git a/queue-4.19/wcn36xx-add-proper-dma-memory-barriers-in-rx-path.patch b/queue-4.19/wcn36xx-add-proper-dma-memory-barriers-in-rx-path.patch new file mode 100644 index 00000000000..72bb3f6db32 --- /dev/null 
+++ b/queue-4.19/wcn36xx-add-proper-dma-memory-barriers-in-rx-path.patch 
@@ -0,0 +1,66 @@ +From fcacab2a87accbbffa120cd26061a0861a7534b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Oct 2021 17:15:28 -0700 +Subject: wcn36xx: add proper DMA memory barriers in rx path + +From: Benjamin Li + +[ Upstream commit 9bfe38e064af5decba2ffce66a2958ab8b10eaa4 ] + +This is essentially exactly following the dma_wmb()/dma_rmb() usage +instructions in Documentation/memory-barriers.txt. + +The theoretical races here are: + +1. DXE (the DMA Transfer Engine in the Wi-Fi subsystem) seeing the +dxe->ctrl & WCN36xx_DXE_CTRL_VLD write before the dxe->dst_addr_l +write, thus performing DMA into the wrong address. + +2. CPU reading dxe->dst_addr_l before DXE unsets dxe->ctrl & +WCN36xx_DXE_CTRL_VLD. This should generally be harmless since DXE +doesn't write dxe->dst_addr_l (no risk of freeing the wrong skb). + +Fixes: 8e84c2582169 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680 hardware") +Signed-off-by: Benjamin Li +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211023001528.3077822-1-benl@squareup.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/wcn36xx/dxe.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/wcn36xx/dxe.c b/drivers/net/wireless/ath/wcn36xx/dxe.c +index 06cfe8d311f39..657525988d1ee 100644 +--- a/drivers/net/wireless/ath/wcn36xx/dxe.c ++++ b/drivers/net/wireless/ath/wcn36xx/dxe.c +@@ -565,6 +565,10 @@ static int wcn36xx_rx_handle_packets(struct wcn36xx *wcn, + dxe = ctl->desc; + + while (!(READ_ONCE(dxe->ctrl) & WCN36xx_DXE_CTRL_VLD)) { ++ /* do not read until we own DMA descriptor */ ++ dma_rmb(); ++ ++ /* read/modify DMA descriptor */ + skb = ctl->skb; + dma_addr = dxe->dst_addr_l; + ret = wcn36xx_dxe_fill_skb(wcn->dev, ctl, GFP_ATOMIC); +@@ -575,9 +579,15 @@ static int wcn36xx_rx_handle_packets(struct wcn36xx *wcn, + dma_unmap_single(wcn->dev, dma_addr, WCN36XX_PKT_SIZE, + DMA_FROM_DEVICE); + wcn36xx_rx_skb(wcn, skb); +- } /* else 
keep old skb not submitted and use it for rx DMA */ ++ } ++ /* else keep old skb not submitted and reuse it for rx DMA ++ * (dropping the packet that it contained) ++ */ + ++ /* flush descriptor changes before re-marking as valid */ ++ dma_wmb(); + dxe->ctrl = ctrl; ++ + ctl = ctl->next; + dxe = ctl->desc; + } +-- +2.33.0 + diff --git a/queue-4.19/workqueue-make-sysfs-of-unbound-kworker-cpumask-more.patch b/queue-4.19/workqueue-make-sysfs-of-unbound-kworker-cpumask-more.patch new file mode 100644 index 00000000000..396a950fdf8 --- /dev/null +++ b/queue-4.19/workqueue-make-sysfs-of-unbound-kworker-cpumask-more.patch 
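Review bot: In wcn36xx_rx_handle_packets() the descriptor is polled with `READ_ONCE(dxe->ctrl)` but handed back to the device with a plain store, `dxe->ctrl = ctrl;`, after the new `dma_wmb()`. The barrier orders the earlier descriptor writes, but the compiler may still split the plain store. `WRITE_ONCE(dxe->ctrl, ctrl);` would match the read side. The reworded comment also states that a failed refill drops the received packet. If nothing in the part of the loop outside this hunk counts that drop, adding a counter would make the loss visible to operators.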
@@ -0,0 +1,71 @@ +From 85856e79246f0b425d8828c48cca9c19483c9161 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Oct 2021 20:04:02 +0800 +Subject: workqueue: make sysfs of unbound kworker cpumask more clever + +From: Menglong Dong + +[ Upstream commit d25302e46592c97d29f70ccb1be558df31a9a360 ] + +Some unfriendly component, such as dpdk, write the same mask to +unbound kworker cpumask again and again. Every time it write to +this interface some work is queue to cpu, even though the mask +is same with the original mask. + +So, fix it by return success and do nothing if the cpumask is +equal with the old one. + +Signed-off-by: Mengen Sun +Signed-off-by: Menglong Dong +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/workqueue.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/kernel/workqueue.c b/kernel/workqueue.c +index 1573d1bf63007..b1bb6cb5802ec 100644 +--- a/kernel/workqueue.c ++++ b/kernel/workqueue.c +@@ -5125,9 +5125,6 @@ int workqueue_set_unbound_cpumask(cpumask_var_t cpumask) + int ret = -EINVAL; + cpumask_var_t saved_cpumask; + +- if (!zalloc_cpumask_var(&saved_cpumask, GFP_KERNEL)) +- return -ENOMEM; +- + /* + * Not excluding isolated cpus on purpose. + * If the user wishes to include them, we allow that. +@@ -5135,6 +5132,15 @@ int workqueue_set_unbound_cpumask(cpumask_var_t cpumask) + cpumask_and(cpumask, cpumask, cpu_possible_mask); + if (!cpumask_empty(cpumask)) { + apply_wqattrs_lock(); ++ if (cpumask_equal(cpumask, wq_unbound_cpumask)) { ++ ret = 0; ++ goto out_unlock; ++ } ++ ++ if (!zalloc_cpumask_var(&saved_cpumask, GFP_KERNEL)) { ++ ret = -ENOMEM; ++ goto out_unlock; ++ } + + /* save the old wq_unbound_cpumask. 
*/ + cpumask_copy(saved_cpumask, wq_unbound_cpumask); +@@ -5147,10 +5153,11 @@ int workqueue_set_unbound_cpumask(cpumask_var_t cpumask) + if (ret < 0) + cpumask_copy(wq_unbound_cpumask, saved_cpumask); + ++ free_cpumask_var(saved_cpumask); ++out_unlock: + apply_wqattrs_unlock(); + } + +- free_cpumask_var(saved_cpumask); + return ret; + } + +-- +2.33.0 + diff --git a/queue-4.19/x86-hyperv-protect-set_hv_tscchange_cb-against-getti.patch b/queue-4.19/x86-hyperv-protect-set_hv_tscchange_cb-against-getti.patch new file mode 100644 index 00000000000..5c6abb80c29 --- /dev/null +++ b/queue-4.19/x86-hyperv-protect-set_hv_tscchange_cb-against-getti.patch 
@@ -0,0 +1,72 @@ +From 8be4cee2625bcdd25a83ac15aec65ab8d3c01314 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Oct 2021 17:50:05 +0200 +Subject: x86/hyperv: Protect set_hv_tscchange_cb() against getting preempted + +From: Vitaly Kuznetsov + +[ Upstream commit 285f68afa8b20f752b0b7194d54980b5e0e27b75 ] + +The following issue is observed with CONFIG_DEBUG_PREEMPT when KVM loads: + + KVM: vmx: using Hyper-V Enlightened VMCS + BUG: using smp_processor_id() in preemptible [00000000] code: systemd-udevd/488 + caller is set_hv_tscchange_cb+0x16/0x80 + CPU: 1 PID: 488 Comm: systemd-udevd Not tainted 5.15.0-rc5+ #396 + Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.0 12/17/2019 + Call Trace: + dump_stack_lvl+0x6a/0x9a + check_preemption_disabled+0xde/0xe0 + ? kvm_gen_update_masterclock+0xd0/0xd0 [kvm] + set_hv_tscchange_cb+0x16/0x80 + kvm_arch_init+0x23f/0x290 [kvm] + kvm_init+0x30/0x310 [kvm] + vmx_init+0xaf/0x134 [kvm_intel] + ... + +set_hv_tscchange_cb() can get preempted in between acquiring +smp_processor_id() and writing to HV_X64_MSR_REENLIGHTENMENT_CONTROL. This +is not an issue by itself: HV_X64_MSR_REENLIGHTENMENT_CONTROL is a +partition-wide MSR and it doesn't matter which particular CPU will be +used to receive reenlightenment notifications. The only real problem can +(in theory) be observed if the CPU whose id was acquired with +smp_processor_id() goes offline before we manage to write to the MSR, +the logic in hv_cpu_die() won't be able to reassign it correctly. 
+ +Reported-by: Michael Kelley +Signed-off-by: Vitaly Kuznetsov +Link: https://lore.kernel.org/r/20211012155005.1613352-1-vkuznets@redhat.com +Signed-off-by: Wei Liu +Signed-off-by: Sasha Levin +--- + arch/x86/hyperv/hv_init.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/hyperv/hv_init.c b/arch/x86/hyperv/hv_init.c +index 1663ad84778ba..bd4b6951b1483 100644 +--- a/arch/x86/hyperv/hv_init.c ++++ b/arch/x86/hyperv/hv_init.c +@@ -192,7 +192,6 @@ void set_hv_tscchange_cb(void (*cb)(void)) + struct hv_reenlightenment_control re_ctrl = { + .vector = HYPERV_REENLIGHTENMENT_VECTOR, + .enabled = 1, +- .target_vp = hv_vp_index[smp_processor_id()] + }; + struct hv_tsc_emulation_control emu_ctrl = {.enabled = 1}; + +@@ -206,8 +205,12 @@ void set_hv_tscchange_cb(void (*cb)(void)) + /* Make sure callback is registered before we write to MSRs */ + wmb(); + ++ re_ctrl.target_vp = hv_vp_index[get_cpu()]; ++ + wrmsrl(HV_X64_MSR_REENLIGHTENMENT_CONTROL, *((u64 *)&re_ctrl)); + wrmsrl(HV_X64_MSR_TSC_EMULATION_CONTROL, *((u64 *)&emu_ctrl)); ++ ++ put_cpu(); + } + EXPORT_SYMBOL_GPL(set_hv_tscchange_cb); + +-- +2.33.0 + diff --git a/queue-4.19/x86-increase-exception-stack-sizes.patch b/queue-4.19/x86-increase-exception-stack-sizes.patch new file mode 100644 index 00000000000..a226aac07ec --- /dev/null +++ b/queue-4.19/x86-increase-exception-stack-sizes.patch 
@@ -0,0 +1,37 @@ +From efcd7f534871073d1d2953fdb04a6a51fe4cf2d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Sep 2021 16:19:46 +0200 +Subject: x86: Increase exception stack sizes + +From: Peter Zijlstra + +[ Upstream commit 7fae4c24a2b84a66c7be399727aca11e7a888462 ] + +It turns out that a single page of stack is trivial to overflow with +all the tracing gunk enabled. Raise the exception stacks to 2 pages, +which is still half the interrupt stacks, which are at 4 pages. + +Reported-by: Michael Wang +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/YUIO9Ye98S5Eb68w@hirez.programming.kicks-ass.net +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/page_64_types.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/include/asm/page_64_types.h b/arch/x86/include/asm/page_64_types.h +index 0b6352aabbd3d..b16fb3e185134 100644 +--- a/arch/x86/include/asm/page_64_types.h ++++ b/arch/x86/include/asm/page_64_types.h +@@ -20,7 +20,7 @@ + #define THREAD_SIZE (PAGE_SIZE << THREAD_SIZE_ORDER) + #define CURRENT_MASK (~(THREAD_SIZE - 1)) + +-#define EXCEPTION_STACK_ORDER (0 + KASAN_STACK_ORDER) ++#define EXCEPTION_STACK_ORDER (1 + KASAN_STACK_ORDER) + #define EXCEPTION_STKSZ (PAGE_SIZE << EXCEPTION_STACK_ORDER) + + #define DEBUG_STACK_ORDER (EXCEPTION_STACK_ORDER + 1) +-- +2.33.0 + diff --git a/queue-4.19/xen-pciback-fix-return-in-pm_ctrl_init.patch b/queue-4.19/xen-pciback-fix-return-in-pm_ctrl_init.patch new file mode 100644 index 00000000000..ae4437e97b2 --- /dev/null +++ b/queue-4.19/xen-pciback-fix-return-in-pm_ctrl_init.patch 
@@ -0,0 +1,40 @@
+From 572cdcde4aa3a3684cdf77a8ccbaf97783fdc592 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 8 Oct 2021 15:44:17 +0800
+Subject: xen-pciback: Fix return in pm_ctrl_init()
+
+From: YueHaibing
+
+[ Upstream commit 4745ea2628bb43a7ec34b71763b5a56407b33990 ]
+
+Return NULL instead of passing to ERR_PTR while err is zero,
+this fix smatch warnings:
+drivers/xen/xen-pciback/conf_space_capability.c:163
+ pm_ctrl_init() warn: passing zero to 'ERR_PTR'
+
+Fixes: a92336a1176b ("xen/pciback: Drop two backends, squash and cleanup some code.")
+Signed-off-by: YueHaibing
+Reviewed-by: Juergen Gross
+Link: https://lore.kernel.org/r/20211008074417.8260-1-yuehaibing@huawei.com
+Signed-off-by: Boris Ostrovsky
+Signed-off-by: Sasha Levin
+---
+ drivers/xen/xen-pciback/conf_space_capability.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/xen/xen-pciback/conf_space_capability.c b/drivers/xen/xen-pciback/conf_space_capability.c
+index e5694133ebe57..42f0f64fcba47 100644
+--- a/drivers/xen/xen-pciback/conf_space_capability.c
++++ b/drivers/xen/xen-pciback/conf_space_capability.c
+@@ -160,7 +160,7 @@ static void *pm_ctrl_init(struct pci_dev *dev, int offset)
+ }
+
+ out:
+- return ERR_PTR(err);
++ return err ? ERR_PTR(err) : NULL;
+ }
+
+ static const struct config_field caplist_pm[] = {
+--
+2.33.0
+
diff --git a/queue-4.19/zram-off-by-one-in-read_block_state.patch b/queue-4.19/zram-off-by-one-in-read_block_state.patch
new file mode 100644
index 00000000000..907a964f862
--- /dev/null
+++ b/queue-4.19/zram-off-by-one-in-read_block_state.patch
@@ -0,0 +1,44 @@
+From ea47306901ac58edecb8031ae6f2076f6986c035 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 5 Nov 2021 13:45:12 -0700
+Subject: zram: off by one in read_block_state()
+
+From: Dan Carpenter
+
+[ Upstream commit a88e03cf3d190cf46bc4063a9b7efe87590de5f4 ]
+
+snprintf() returns the number of bytes it would have printed if there
+were space. But it does not count the NUL terminator. So that means
+that if "count == copied" then this has already overflowed by one
+character.
+
+This bug likely isn't super harmful in real life.
+
+Link: https://lkml.kernel.org/r/20210916130404.GA25094@kili
+Fixes: c0265342bff4 ("zram: introduce zram memory tracking")
+Signed-off-by: Dan Carpenter
+Cc: Minchan Kim
+Cc: Sergey Senozhatsky
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ drivers/block/zram/zram_drv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c
+index 104206a795015..5e05bfcecd7b7 100644
+--- a/drivers/block/zram/zram_drv.c
++++ b/drivers/block/zram/zram_drv.c
+@@ -699,7 +699,7 @@ static ssize_t read_block_state(struct file *file, char __user *buf,
+ zram_test_flag(zram, index, ZRAM_WB) ? 'w' : '.',
+ zram_test_flag(zram, index, ZRAM_HUGE) ? 'h' : '.');
+
+- if (count < copied) {
++ if (count <= copied) {
+ zram_slot_unlock(zram, index);
+ break;
+ }
+--
+2.33.0
+
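Review bot: The corrected bound `if (count <= copied)` in read_block_state() depends on a snprintf() detail that the code itself does not state. A one-line comment would keep the off-by-one from coming back: `/* snprintf() returns the untruncated length without the NUL, so copied == count already means truncation */`. The declarations of `count` and `copied` are outside the hunk. If one is signed and the other unsigned, the comparison is worth checking for an implicit conversion.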