From: Sasha Levin
Date: Mon, 6 Jun 2022 10:34:11 +0000 (-0400)
Subject: Fixes for 4.14
X-Git-Tag: v5.10.121~135
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=21b7651802e396d48306a49ae7a74481545db301;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for 4.14
Signed-off-by: Sasha Levin
---
diff --git a/queue-4.14/acpica-avoid-cache-flush-inside-virtual-machines.patch b/queue-4.14/acpica-avoid-cache-flush-inside-virtual-machines.patch
new file mode 100644
index 00000000000..a7e927edb98
--- /dev/null
+++ b/queue-4.14/acpica-avoid-cache-flush-inside-virtual-machines.patch
@@ -0,0 +1,71 @@
+From 8911836a4208493d1a65bcf6b67e9761d962a23a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 6 Apr 2022 02:29:38 +0300
+Subject: ACPICA: Avoid cache flush inside virtual machines
+
+From: Kirill A. Shutemov
+
+[ Upstream commit e2efb6359e620521d1e13f69b2257de8ceaa9475 ]
+
+While running inside virtual machine, the kernel can bypass cache
+flushing. Changing sleep state in a virtual machine doesn't affect the
+host system sleep state and cannot lead to data loss.
+
+Before entering sleep states, the ACPI code flushes caches to prevent
+data loss using the WBINVD instruction. This mechanism is required on
+bare metal.
+
+But, any use WBINVD inside of a guest is worthless. Changing sleep
+state in a virtual machine doesn't affect the host system sleep state
+and cannot lead to data loss, so most hypervisors simply ignore it.
+Despite this, the ACPI code calls WBINVD unconditionally anyway.
+It's useless, but also normally harmless.
+
+In TDX guests, though, WBINVD stops being harmless; it triggers a
+virtualization exception (#VE). If the ACPI cache-flushing WBINVD
+were left in place, TDX guests would need handling to recover from
+the exception.
+
+Avoid using WBINVD whenever running under a hypervisor. This both
+removes the useless WBINVDs and saves TDX from implementing WBINVD
+handling.
+
+Signed-off-by: Kirill A. Shutemov
+Signed-off-by: Dave Hansen
+Reviewed-by: Dave Hansen
+Reviewed-by: Dan Williams
+Reviewed-by: Thomas Gleixner
+Link: https://lkml.kernel.org/r/20220405232939.73860-30-kirill.shutemov@linux.intel.com
+Signed-off-by: Sasha Levin
+---
+ arch/x86/include/asm/acenv.h | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/include/asm/acenv.h b/arch/x86/include/asm/acenv.h
+index 1b010a859b8b..6de59a4f723c 100644
+--- a/arch/x86/include/asm/acenv.h
++++ b/arch/x86/include/asm/acenv.h
+@@ -16,7 +16,19 @@
+
+ /* Asm macros */
+
+-#define ACPI_FLUSH_CPU_CACHE() wbinvd()
++/*
++ * ACPI_FLUSH_CPU_CACHE() flushes caches on entering sleep states.
++ * It is required to prevent data loss.
++ *
++ * While running inside virtual machine, the kernel can bypass cache flushing.
++ * Changing sleep state in a virtual machine doesn't affect the host system
++ * sleep state and cannot lead to data loss.
++ */
++#define ACPI_FLUSH_CPU_CACHE() \
++do { \
++ if (!cpu_feature_enabled(X86_FEATURE_HYPERVISOR)) \
++ wbinvd(); \
++} while (0)
+
+ int __acpi_acquire_global_lock(unsigned int *lock);
+ int __acpi_release_global_lock(unsigned int *lock);
+--
+2.35.1
+
diff --git a/queue-4.14/alsa-jack-access-input_dev-under-mutex.patch b/queue-4.14/alsa-jack-access-input_dev-under-mutex.patch
new file mode 100644
index 00000000000..c245f9fd1dd
--- /dev/null
+++ b/queue-4.14/alsa-jack-access-input_dev-under-mutex.patch
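Review bot: The new ACPI_FLUSH_CPU_CACHE() body calls cpu_feature_enabled(), but this hunk adds no include and acenv.h's include list sits above line 16, outside the hunk, so for the 4.14 backport it is worth confirming that `<asm/cpufeature.h>` is reachable from every file that expands the macro. The added comment also only says the kernel "can bypass" the flush; I would state the actual condition, for example `* The flush is skipped whenever X86_FEATURE_HYPERVISOR is set, i.e. whenever CPUID reports a hypervisor.`, so a reader can see that the decision rests on a bit the hypervisor itself advertises.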
@@ -0,0 +1,157 @@
+From d83cf3004f2d13d987ec237b373310da154ee76b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 12 Apr 2022 11:16:28 +0200
+Subject: ALSA: jack: Access input_dev under mutex
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Amadeusz Sławiński
+
+[ Upstream commit 1b6a6fc5280e97559287b61eade2d4b363e836f2 ]
+
+It is possible when using ASoC that input_dev is unregistered while
+calling snd_jack_report, which causes NULL pointer dereference.
+In order to prevent this serialize access to input_dev using mutex lock.
+
+Signed-off-by: Amadeusz Sławiński
+Reviewed-by: Cezary Rojewski
+Link: https://lore.kernel.org/r/20220412091628.3056922-1-amadeuszx.slawinski@linux.intel.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ include/sound/jack.h | 1 +
+ sound/core/jack.c | 34 +++++++++++++++++++++++++++-------
+ 2 files changed, 28 insertions(+), 7 deletions(-)
+
+diff --git a/include/sound/jack.h b/include/sound/jack.h
+index 1e84bfb553cf..4742f842b457 100644
+--- a/include/sound/jack.h
++++ b/include/sound/jack.h
+@@ -77,6 +77,7 @@ struct snd_jack {
+ const char *id;
+ #ifdef CONFIG_SND_JACK_INPUT_DEV
+ struct input_dev *input_dev;
++ struct mutex input_dev_lock;
+ int registered;
+ int type;
+ char name[100];
+diff --git a/sound/core/jack.c b/sound/core/jack.c
+index 36cfe1c54109..d2f9a92453f2 100644
+--- a/sound/core/jack.c
++++ b/sound/core/jack.c
+@@ -48,8 +48,11 @@ static int snd_jack_dev_disconnect(struct snd_device *device)
+ #ifdef CONFIG_SND_JACK_INPUT_DEV
+ struct snd_jack *jack = device->device_data;
+
+- if (!jack->input_dev)
++ mutex_lock(&jack->input_dev_lock);
++ if (!jack->input_dev) {
++ mutex_unlock(&jack->input_dev_lock);
+ return 0;
++ }
+
+ /* If the input device is registered with the input subsystem
+ * then we need to use a different deallocator. */
+@@ -58,6 +61,7 @@ static int snd_jack_dev_disconnect(struct snd_device *device)
+ else
+ input_free_device(jack->input_dev);
+ jack->input_dev = NULL;
++ mutex_unlock(&jack->input_dev_lock);
+ #endif /* CONFIG_SND_JACK_INPUT_DEV */
+ return 0;
+ }
+@@ -96,8 +100,11 @@ static int snd_jack_dev_register(struct snd_device *device)
+ snprintf(jack->name, sizeof(jack->name), "%s %s",
+ card->shortname, jack->id);
+
+- if (!jack->input_dev)
++ mutex_lock(&jack->input_dev_lock);
++ if (!jack->input_dev) {
++ mutex_unlock(&jack->input_dev_lock);
+ return 0;
++ }
+
+ jack->input_dev->name = jack->name;
+
+@@ -122,6 +129,7 @@ static int snd_jack_dev_register(struct snd_device *device)
+ if (err == 0)
+ jack->registered = 1;
+
++ mutex_unlock(&jack->input_dev_lock);
+ return err;
+ }
+ #endif /* CONFIG_SND_JACK_INPUT_DEV */
+@@ -242,9 +250,11 @@ int snd_jack_new(struct snd_card *card, const char *id, int type,
+ return -ENOMEM;
+ }
+
+- /* don't creat input device for phantom jack */
+- if (!phantom_jack) {
+ #ifdef CONFIG_SND_JACK_INPUT_DEV
++ mutex_init(&jack->input_dev_lock);
++
++ /* don't create input device for phantom jack */
++ if (!phantom_jack) {
+ int i;
+
+ jack->input_dev = input_allocate_device();
+@@ -262,8 +272,8 @@ int snd_jack_new(struct snd_card *card, const char *id, int type,
+ input_set_capability(jack->input_dev, EV_SW,
+ jack_switch_types[i]);
+
+-#endif /* CONFIG_SND_JACK_INPUT_DEV */
+ }
++#endif /* CONFIG_SND_JACK_INPUT_DEV */
+
+ err = snd_device_new(card, SNDRV_DEV_JACK, jack, &ops);
+ if (err < 0)
+@@ -303,10 +313,14 @@ EXPORT_SYMBOL(snd_jack_new);
+ void snd_jack_set_parent(struct snd_jack *jack, struct device *parent)
+ {
+ WARN_ON(jack->registered);
+- if (!jack->input_dev)
++ mutex_lock(&jack->input_dev_lock);
++ if (!jack->input_dev) {
++ mutex_unlock(&jack->input_dev_lock);
+ return;
++ }
+
+ jack->input_dev->dev.parent = parent;
++ mutex_unlock(&jack->input_dev_lock);
+ }
+ EXPORT_SYMBOL(snd_jack_set_parent);
+
+@@ -354,6 +368,8 @@ EXPORT_SYMBOL(snd_jack_set_key);
+
+ /**
+ * snd_jack_report - Report the current status of a jack
++ * Note: This function uses mutexes and should be called from a
++ * context which can sleep (such as a workqueue).
+ *
+ * @jack: The jack to report status for
+ * @status: The current status of the jack
+@@ -373,8 +389,11 @@ void snd_jack_report(struct snd_jack *jack, int status)
+ status & jack_kctl->mask_bits);
+
+ #ifdef CONFIG_SND_JACK_INPUT_DEV
+- if (!jack->input_dev)
++ mutex_lock(&jack->input_dev_lock);
++ if (!jack->input_dev) {
++ mutex_unlock(&jack->input_dev_lock);
+ return;
++ }
+
+ for (i = 0; i < ARRAY_SIZE(jack->key); i++) {
+ int testbit = SND_JACK_BTN_0 >> i;
+@@ -393,6 +412,7 @@ void snd_jack_report(struct snd_jack *jack, int status)
+ }
+
+ input_sync(jack->input_dev);
++ mutex_unlock(&jack->input_dev_lock);
+ #endif /* CONFIG_SND_JACK_INPUT_DEV */
+ }
+ EXPORT_SYMBOL(snd_jack_report);
+--
+2.35.1
+
diff --git a/queue-4.14/arm-dts-bcm2835-rpi-b-fix-gpio-line-names.patch b/queue-4.14/arm-dts-bcm2835-rpi-b-fix-gpio-line-names.patch
new file mode 100644
index 00000000000..a8c493b47b6
--- /dev/null
+++ b/queue-4.14/arm-dts-bcm2835-rpi-b-fix-gpio-line-names.patch
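Review bot: snd_jack_report() can now sleep, yet the only thing enforcing that is the mutex_lock() inside the `#ifdef CONFIG_SND_JACK_INPUT_DEV` block, so a caller in atomic context goes unnoticed on builds without that option. A `might_sleep();` at the top of the function, outside the #ifdef, would make the new contract fail loudly in every configuration. The two-line "Note:" is also placed directly under the kernel-doc summary line, ahead of the @jack/@status entries, where kernel-doc may fold it into the brief description; it reads better as a paragraph after the parameter list. The function body starts and ends outside these hunks, so whether an existing caller reports from interrupt context cannot be checked from here.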
@@ -0,0 +1,52 @@
+From e1b425c52579ac1d8cde53690d34dfcfc024f13e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 11 Apr 2022 22:01:41 +0200
+Subject: ARM: dts: bcm2835-rpi-b: Fix GPIO line names
+
+From: Stefan Wahren
+
+[ Upstream commit 97bd8659c1c46c23e4daea7e040befca30939950 ]
+
+Recently this has been fixed in the vendor tree, so upstream this.
+
+Fixes: 731b26a6ac17 ("ARM: bcm2835: Add names for the Raspberry Pi GPIO lines")
+Signed-off-by: Phil Elwell
+Signed-off-by: Stefan Wahren
+Signed-off-by: Florian Fainelli
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/bcm2835-rpi-b.dts | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/arch/arm/boot/dts/bcm2835-rpi-b.dts b/arch/arm/boot/dts/bcm2835-rpi-b.dts
+index cca4a75a5651..6f39d5e54cb8 100644
+--- a/arch/arm/boot/dts/bcm2835-rpi-b.dts
++++ b/arch/arm/boot/dts/bcm2835-rpi-b.dts
+@@ -48,18 +48,17 @@
+ "GPIO18",
+ "NC", /* GPIO19 */
+ "NC", /* GPIO20 */
+- "GPIO21",
++ "CAM_GPIO0",
+ "GPIO22",
+ "GPIO23",
+ "GPIO24",
+ "GPIO25",
+ "NC", /* GPIO26 */
+- "CAM_GPIO0",
+- /* Binary number representing build/revision */
+- "CONFIG0",
+- "CONFIG1",
+- "CONFIG2",
+- "CONFIG3",
++ "GPIO27",
++ "GPIO28",
++ "GPIO29",
++ "GPIO30",
++ "GPIO31",
+ "NC", /* GPIO32 */
+ "NC", /* GPIO33 */
+ "NC", /* GPIO34 */
+--
+2.35.1
+
diff --git a/queue-4.14/arm-dts-bcm2835-rpi-zero-w-fix-gpio-line-name-for-wi.patch b/queue-4.14/arm-dts-bcm2835-rpi-zero-w-fix-gpio-line-name-for-wi.patch
new file mode 100644
index 00000000000..9b476ad3483
--- /dev/null
+++ b/queue-4.14/arm-dts-bcm2835-rpi-zero-w-fix-gpio-line-name-for-wi.patch
@@ -0,0 +1,57 @@
+From a85a0cb4abf14e74437eee9b9730543240822a57 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 11 Apr 2022 22:01:38 +0200
+Subject: ARM: dts: bcm2835-rpi-zero-w: Fix GPIO line name for Wifi/BT
+
+From: Phil Elwell
+
+[ Upstream commit 2c663e5e5bbf2a5b85e0f76ccb69663f583c3e33 ]
+
+The GPIOs 30 to 39 are connected to the Cypress CYW43438 (Wifi/BT).
+So fix the GPIO line names accordingly.
+
+Fixes: 2c7c040c73e9 ("ARM: dts: bcm2835: Add Raspberry Pi Zero W")
+Signed-off-by: Phil Elwell
+Signed-off-by: Stefan Wahren
+Signed-off-by: Florian Fainelli
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/bcm2835-rpi-zero-w.dts | 22 ++++++++++++----------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+diff --git a/arch/arm/boot/dts/bcm2835-rpi-zero-w.dts b/arch/arm/boot/dts/bcm2835-rpi-zero-w.dts
+index 120776d45441..932e0e6320c5 100644
+--- a/arch/arm/boot/dts/bcm2835-rpi-zero-w.dts
++++ b/arch/arm/boot/dts/bcm2835-rpi-zero-w.dts
+@@ -77,16 +77,18 @@
+ "GPIO27",
+ "SDA0",
+ "SCL0",
+- "NC", /* GPIO30 */
+- "NC", /* GPIO31 */
+- "NC", /* GPIO32 */
+- "NC", /* GPIO33 */
+- "NC", /* GPIO34 */
+- "NC", /* GPIO35 */
+- "NC", /* GPIO36 */
+- "NC", /* GPIO37 */
+- "NC", /* GPIO38 */
+- "NC", /* GPIO39 */
++ /* Used by BT module */
++ "CTS0",
++ "RTS0",
++ "TXD0",
++ "RXD0",
++ /* Used by Wifi */
++ "SD1_CLK",
++ "SD1_CMD",
++ "SD1_DATA0",
++ "SD1_DATA1",
++ "SD1_DATA2",
++ "SD1_DATA3",
+ "CAM_GPIO1", /* GPIO40 */
+ "WL_ON", /* GPIO41 */
+ "NC", /* GPIO42 */
+--
+2.35.1
+
diff --git a/queue-4.14/arm-dts-exynos-add-atmel-24c128-fallback-to-samsung-.patch b/queue-4.14/arm-dts-exynos-add-atmel-24c128-fallback-to-samsung-.patch
new file mode 100644
index 00000000000..a242a1450f8
--- /dev/null
+++ b/queue-4.14/arm-dts-exynos-add-atmel-24c128-fallback-to-samsung-.patch
@@ -0,0 +1,45 @@
+From 6e309b68d39d2306f10991896b34d8f2a81d25dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 26 Apr 2022 20:34:43 +0200
+Subject: ARM: dts: exynos: add atmel,24c128 fallback to Samsung EEPROM
+
+From: Krzysztof Kozlowski
+
+[ Upstream commit f038e8186fbc5723d7d38c6fa1d342945107347e ]
+
+The Samsung s524ad0xd1 EEPROM should use atmel,24c128 fallback,
+according to the AT24 EEPROM bindings.
+
+Reported-by: Rob Herring
+Signed-off-by: Krzysztof Kozlowski
+Link: https://lore.kernel.org/r/20220426183443.243113-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/exynos5250-smdk5250.dts | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/boot/dts/exynos5250-smdk5250.dts b/arch/arm/boot/dts/exynos5250-smdk5250.dts
+index a3c4b9e03fbf..dc539a4eb27a 100644
+--- a/arch/arm/boot/dts/exynos5250-smdk5250.dts
++++ b/arch/arm/boot/dts/exynos5250-smdk5250.dts
+@@ -128,7 +128,7 @@
+ samsung,i2c-max-bus-freq = <20000>;
+
+ eeprom@50 {
+- compatible = "samsung,s524ad0xd1";
++ compatible = "samsung,s524ad0xd1", "atmel,24c128";
+ reg = <0x50>;
+ };
+
+@@ -287,7 +287,7 @@
+ samsung,i2c-max-bus-freq = <20000>;
+
+ eeprom@51 {
+- compatible = "samsung,s524ad0xd1";
++ compatible = "samsung,s524ad0xd1", "atmel,24c128";
+ reg = <0x51>;
+ };
+
+--
+2.35.1
+
diff --git a/queue-4.14/arm-dts-ox820-align-interrupt-controller-node-name-w.patch b/queue-4.14/arm-dts-ox820-align-interrupt-controller-node-name-w.patch
new file mode 100644
index 00000000000..62c699ed049
--- /dev/null
+++ b/queue-4.14/arm-dts-ox820-align-interrupt-controller-node-name-w.patch
@@ -0,0 +1,37 @@
+From 98da4925d33e8cb745b6cb62b7623df7726bdee5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 7 Apr 2022 21:29:59 +0200
+Subject: ARM: dts: ox820: align interrupt controller node name with dtschema
+
+From: Krzysztof Kozlowski
+
+[ Upstream commit fbcd5ad7a419ad40644a0bb8b4152bc660172d8a ]
+
+Fixes dtbs_check warnings like:
+
+ gic@1000: $nodename:0: 'gic@1000' does not match '^interrupt-controller(@[0-9a-f,]+)*$'
+
+Signed-off-by: Krzysztof Kozlowski
+Acked-by: Neil Armstrong
+Link: https://lore.kernel.org/r/20220317115705.450427-1-krzysztof.kozlowski@canonical.com
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/ox820.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/ox820.dtsi b/arch/arm/boot/dts/ox820.dtsi
+index 8355cb034525..3382b1a9cac9 100644
+--- a/arch/arm/boot/dts/ox820.dtsi
++++ b/arch/arm/boot/dts/ox820.dtsi
+@@ -286,7 +286,7 @@
+ clocks = <&armclk>;
+ };
+
+- gic: gic@1000 {
++ gic: interrupt-controller@1000 {
+ compatible = "arm,arm11mp-gic";
+ interrupt-controller;
+ #interrupt-cells = <3>;
+--
+2.35.1
+
diff --git a/queue-4.14/arm-hisi-add-missing-of_node_put-after-of_find_compa.patch b/queue-4.14/arm-hisi-add-missing-of_node_put-after-of_find_compa.patch
new file mode 100644
index 00000000000..c63a3d0d8db
--- /dev/null
+++ b/queue-4.14/arm-hisi-add-missing-of_node_put-after-of_find_compa.patch
@@ -0,0 +1,52 @@
+From f070f74b6262e210e48ab7b2528c2b5a67481894 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 28 Apr 2022 10:43:06 +0000
+Subject: ARM: hisi: Add missing of_node_put after of_find_compatible_node
+
+From: Peng Wu
+
+[ Upstream commit 9bc72e47d4630d58a840a66a869c56b29554cfe4 ]
+
+of_find_compatible_node will increment the refcount of the returned
+device_node. Calling of_node_put() to avoid the refcount leak
+
+Signed-off-by: Peng Wu
+Signed-off-by: Wei Xu
+Signed-off-by: Sasha Levin
+---
+ arch/arm/mach-hisi/platsmp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/arm/mach-hisi/platsmp.c b/arch/arm/mach-hisi/platsmp.c
+index da5689ababf7..d7fbfb6d293d 100644
+--- a/arch/arm/mach-hisi/platsmp.c
++++ b/arch/arm/mach-hisi/platsmp.c
+@@ -70,14 +70,17 @@ static void __init hi3xxx_smp_prepare_cpus(unsigned int max_cpus)
+ }
+ ctrl_base = of_iomap(np, 0);
+ if (!ctrl_base) {
++ of_node_put(np);
+ pr_err("failed to map address\n");
+ return;
+ }
+ if (of_property_read_u32(np, "smp-offset", &offset) < 0) {
++ of_node_put(np);
+ pr_err("failed to find smp-offset property\n");
+ return;
+ }
+ ctrl_base += offset;
++ of_node_put(np);
+ }
+ }
+
+@@ -163,6 +166,7 @@ static int hip01_boot_secondary(unsigned int cpu, struct task_struct *idle)
+ if (WARN_ON(!node))
+ return -1;
+ ctrl_base = of_iomap(node, 0);
++ of_node_put(node);
+
+ /* set the secondary core boot from DDR */
+ remap_reg_value = readl_relaxed(ctrl_base + REG_SC_CTRL);
+--
+2.35.1
+
diff --git a/queue-4.14/arm-omap1-clock-fix-uart-rate-reporting-algorithm.patch b/queue-4.14/arm-omap1-clock-fix-uart-rate-reporting-algorithm.patch
new file mode 100644
index 00000000000..60ddd507c5a
--- /dev/null
+++ b/queue-4.14/arm-omap1-clock-fix-uart-rate-reporting-algorithm.patch
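Review bot: In hip01_boot_secondary() the result of `of_iomap(node, 0)` is still used unchecked: the hunk drops the node reference and the next statement is `readl_relaxed(ctrl_base + REG_SC_CTRL)`, which dereferences a NULL mapping if the iomap fails. A guard in the style of the check just above it, `if (WARN_ON(!ctrl_base)) return -1;`, placed right after the added `of_node_put(node);`, would close that. In hi3xxx_smp_prepare_cpus() the smp-offset error path now releases the node but still returns with ctrl_base mapped, so an `iounmap(ctrl_base);` belongs next to the new `of_node_put(np);` there. Both functions continue outside the hunks, so any later unmap or check is not visible from here.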
@@ -0,0 +1,37 @@
+From 7f8aefaa8bf00d0f3942b75a3786f03df26083db Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 10 Apr 2022 15:07:54 +0200
+Subject: ARM: OMAP1: clock: Fix UART rate reporting algorithm
+
+From: Janusz Krzysztofik
+
+[ Upstream commit 338d5d476cde853dfd97378d20496baabc2ce3c0 ]
+
+Since its introduction to the mainline kernel, omap1_uart_recalc() helper
+makes incorrect use of clk->enable_bit as a ready to use bitmap mask while
+it only provides the bit number. Fix it.
+
+Signed-off-by: Janusz Krzysztofik
+Acked-by: Tony Lindgren
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Sasha Levin
+---
+ arch/arm/mach-omap1/clock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-omap1/clock.c b/arch/arm/mach-omap1/clock.c
+index fa512413a471..b277409f303a 100644
+--- a/arch/arm/mach-omap1/clock.c
++++ b/arch/arm/mach-omap1/clock.c
+@@ -44,7 +44,7 @@ static DEFINE_SPINLOCK(clockfw_lock);
+ unsigned long omap1_uart_recalc(struct clk *clk)
+ {
+ unsigned int val = __raw_readl(clk->enable_reg);
+- return val & clk->enable_bit ? 48000000 : 12000000;
++ return val & 1 << clk->enable_bit ? 48000000 : 12000000;
+ }
+
+ unsigned long omap1_sossi_recalc(struct clk *clk)
+--
+2.35.1
+
diff --git a/queue-4.14/arm-versatile-add-missing-of_node_put-in-dcscb_init.patch b/queue-4.14/arm-versatile-add-missing-of_node_put-in-dcscb_init.patch
new file mode 100644
index 00000000000..8af2bf59471
--- /dev/null
+++ b/queue-4.14/arm-versatile-add-missing-of_node_put-in-dcscb_init.patch
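Review bot: The new expression in omap1_uart_recalc(), `val & 1 << clk->enable_bit ? 48000000 : 12000000`, is right only by operator precedence, and it shifts a signed `1`, which is undefined behaviour if enable_bit is ever 31 (the field's type and range are not visible in this hunk). Writing it as `return (val & (1U << clk->enable_bit)) ? 48000000 : 12000000;` keeps the mask unsigned and makes the grouping explicit, so the next reader does not have to re-derive that `<<` binds tighter than `&`.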
@@ -0,0 +1,37 @@
+From 577df401aa8f35a0bcc73d60433d655961b47e25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 29 Apr 2022 01:03:56 +0200
+Subject: ARM: versatile: Add missing of_node_put in dcscb_init
+
+From: Peng Wu
+
+[ Upstream commit 23b44f9c649bbef10b45fa33080cd8b4166800ae ]
+
+The device_node pointer is returned by of_find_compatible_node
+with refcount incremented. We should use of_node_put() to avoid
+the refcount leak.
+
+Signed-off-by: Peng Wu
+Signed-off-by: Linus Walleij
+Link: https://lore.kernel.org/r/20220428230356.69418-1-linus.walleij@linaro.org'
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Sasha Levin
+---
+ arch/arm/mach-vexpress/dcscb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm/mach-vexpress/dcscb.c b/arch/arm/mach-vexpress/dcscb.c
+index ee2a0faafaa1..aaade91f6551 100644
+--- a/arch/arm/mach-vexpress/dcscb.c
++++ b/arch/arm/mach-vexpress/dcscb.c
+@@ -146,6 +146,7 @@ static int __init dcscb_init(void)
+ if (!node)
+ return -ENODEV;
+ dcscb_base = of_iomap(node, 0);
++ of_node_put(node);
+ if (!dcscb_base)
+ return -EADDRNOTAVAIL;
+ cfg = readl_relaxed(dcscb_base + DCS_CFG_R);
+--
+2.35.1
+
diff --git a/queue-4.14/asoc-dapm-don-t-fold-register-value-changes-into-not.patch b/queue-4.14/asoc-dapm-don-t-fold-register-value-changes-into-not.patch
new file mode 100644
index 00000000000..83b59bdc1a4
--- /dev/null
+++ b/queue-4.14/asoc-dapm-don-t-fold-register-value-changes-into-not.patch
@@ -0,0 +1,51 @@
+From d41e91bab5540de2d7206fd66fc17a0f1521039b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 28 Apr 2022 17:18:32 +0100
+Subject: ASoC: dapm: Don't fold register value changes into notifications
+
+From: Mark Brown
+
+[ Upstream commit ad685980469b9f9b99d4d6ea05f4cb8f57cb2234 ]
+
+DAPM tracks and reports the value presented to the user from DAPM controls
+separately to the register value, these may diverge during initialisation
+or when an autodisable control is in use.
+
+When writing DAPM controls we currently report that a change has occurred
+if either the DAPM value or the value stored in the register has changed,
+meaning that if the two are out of sync we may appear to report a spurious
+event to userspace. Since we use this folded in value for nothing other
+than the value reported to userspace simply drop the folding in of the
+register change.
+
+Signed-off-by: Mark Brown
+Link: https://lore.kernel.org/r/20220428161833.3690050-1-broonie@kernel.org
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/soc-dapm.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c
+index dd3053c243c1..320d262c16c9 100644
+--- a/sound/soc/soc-dapm.c
++++ b/sound/soc/soc-dapm.c
+@@ -3282,7 +3282,6 @@ int snd_soc_dapm_put_volsw(struct snd_kcontrol *kcontrol,
+ update.val = val;
+ card->update = &update;
+ }
+- change |= reg_change;
+
+ ret = soc_dapm_mixer_update_power(card, kcontrol, connect,
+ rconnect);
+@@ -3388,7 +3387,6 @@ int snd_soc_dapm_put_enum_double(struct snd_kcontrol *kcontrol,
+ update.val = val;
+ card->update = &update;
+ }
+- change |= reg_change;
+
+ ret = soc_dapm_mux_update_power(card, kcontrol, item[0], e);
+
+--
+2.35.1
+
diff --git a/queue-4.14/asoc-mediatek-fix-error-handling-in-mt8173_max98090_.patch b/queue-4.14/asoc-mediatek-fix-error-handling-in-mt8173_max98090_.patch
new file mode 100644
index 00000000000..1f47f7becc9
--- /dev/null
+++ b/queue-4.14/asoc-mediatek-fix-error-handling-in-mt8173_max98090_.patch
@@ -0,0 +1,49 @@
+From 24565117c40c829023cfbd32d68a0c3bb6fb84cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 4 Apr 2022 09:29:01 +0000
+Subject: ASoC: mediatek: Fix error handling in mt8173_max98090_dev_probe
+
+From: Miaoqian Lin
+
+[ Upstream commit 4f4e0454e226de3bf4efd7e7924d1edc571c52d5 ]
+
+Call of_node_put(platform_node) to avoid refcount leak in
+the error path.
+
+Fixes: 94319ba10eca ("ASoC: mediatek: Use platform_of_node for machine drivers")
+Fixes: 493433785df0 ("ASoC: mediatek: mt8173: fix device_node leak")
+Signed-off-by: Miaoqian Lin
+Reviewed-by: AngeloGioacchino Del Regno
+Link: https://lore.kernel.org/r/20220404092903.26725-1-linmq006@gmail.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/mediatek/mt8173/mt8173-max98090.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/mediatek/mt8173/mt8173-max98090.c b/sound/soc/mediatek/mt8173/mt8173-max98090.c
+index 0adb7ded61e9..0f460bc77f47 100644
+--- a/sound/soc/mediatek/mt8173/mt8173-max98090.c
++++ b/sound/soc/mediatek/mt8173/mt8173-max98090.c
+@@ -164,7 +164,8 @@ static int mt8173_max98090_dev_probe(struct platform_device *pdev)
+ if (!codec_node) {
+ dev_err(&pdev->dev,
+ "Property 'audio-codec' missing or invalid\n");
+- return -EINVAL;
++ ret = -EINVAL;
++ goto put_platform_node;
+ }
+ for (i = 0; i < card->num_links; i++) {
+ if (mt8173_max98090_dais[i].codec_name)
+@@ -179,6 +180,8 @@ static int mt8173_max98090_dev_probe(struct platform_device *pdev)
+ __func__, ret);
+
+ of_node_put(codec_node);
++
++put_platform_node:
+ of_node_put(platform_node);
+ return ret;
+ }
+--
+2.35.1
+
diff --git a/queue-4.14/asoc-mediatek-fix-missing-of_node_put-in-mt2701_wm89.patch b/queue-4.14/asoc-mediatek-fix-missing-of_node_put-in-mt2701_wm89.patch
new file mode 100644
index 00000000000..2d935e5f877
--- /dev/null
+++ b/queue-4.14/asoc-mediatek-fix-missing-of_node_put-in-mt2701_wm89.patch 
@@ -0,0 +1,60 @@
+From c40195863909ade2ec574c5cf1eb46ae8fcf4997 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 4 Apr 2022 09:35:25 +0000
+Subject: ASoC: mediatek: Fix missing of_node_put in
+ mt2701_wm8960_machine_probe
+
+From: Miaoqian Lin
+
+[ Upstream commit 05654431a18fe24e5e46a375d98904134628a102 ]
+
+This node pointer is returned by of_parse_phandle() with
+refcount incremented in this function.
+Calling of_node_put() to avoid the refcount leak.
+
+Fixes: 8625c1dbd876 ("ASoC: mediatek: Add mt2701-wm8960 machine driver")
+Signed-off-by: Miaoqian Lin
+Link: https://lore.kernel.org/r/20220404093526.30004-1-linmq006@gmail.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/mediatek/mt2701/mt2701-wm8960.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/mediatek/mt2701/mt2701-wm8960.c b/sound/soc/mediatek/mt2701/mt2701-wm8960.c
+index a08ce2323bdc..3db92506ccea 100644
+--- a/sound/soc/mediatek/mt2701/mt2701-wm8960.c
++++ b/sound/soc/mediatek/mt2701/mt2701-wm8960.c
+@@ -126,7 +126,8 @@ static int mt2701_wm8960_machine_probe(struct platform_device *pdev)
+ if (!codec_node) {
+ dev_err(&pdev->dev,
+ "Property 'audio-codec' missing or invalid\n");
+- return -EINVAL;
++ ret = -EINVAL;
++ goto put_platform_node;
+ }
+ for (i = 0; i < card->num_links; i++) {
+ if (mt2701_wm8960_dai_links[i].codec_name)
+@@ -137,7 +138,7 @@ static int mt2701_wm8960_machine_probe(struct platform_device *pdev)
+ ret = snd_soc_of_parse_audio_routing(card, "audio-routing");
+ if (ret) {
+ dev_err(&pdev->dev, "failed to parse audio-routing: %d\n", ret);
+- return ret;
++ goto put_codec_node;
+ }
+
+ ret = devm_snd_soc_register_card(&pdev->dev, card);
+@@ -145,6 +146,10 @@ static int mt2701_wm8960_machine_probe(struct platform_device *pdev)
+ dev_err(&pdev->dev, "%s snd_soc_register_card fail %d\n",
+ __func__, ret);
+
++put_codec_node:
++ of_node_put(codec_node);
++put_platform_node:
++ of_node_put(platform_node);
+ return ret;
+ }
+
+--
+2.35.1
+
diff --git a/queue-4.14/asoc-mxs-saif-fix-refcount-leak-in-mxs_saif_probe.patch b/queue-4.14/asoc-mxs-saif-fix-refcount-leak-in-mxs_saif_probe.patch
new file mode 100644
index 00000000000..196e52da9ad
--- /dev/null
+++ b/queue-4.14/asoc-mxs-saif-fix-refcount-leak-in-mxs_saif_probe.patch
@@ -0,0 +1,36 @@
+From 99debb3d482df8fc84071b9017a9a0019f66ba1d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 11 May 2022 17:37:22 +0400
+Subject: ASoC: mxs-saif: Fix refcount leak in mxs_saif_probe
+
+From: Miaoqian Lin
+
+[ Upstream commit 2be84f73785fa9ed6443e3c5b158730266f1c2ee ]
+
+of_parse_phandle() returns a node pointer with refcount
+incremented, we should use of_node_put() on it when done.
+
+Fixes: 08641c7c74dd ("ASoC: mxs: add device tree support for mxs-saif")
+Signed-off-by: Miaoqian Lin
+Link: https://lore.kernel.org/r/20220511133725.39039-1-linmq006@gmail.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/mxs/mxs-saif.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/mxs/mxs-saif.c b/sound/soc/mxs/mxs-saif.c
+index 93c019670199..6d0ab4e75518 100644
+--- a/sound/soc/mxs/mxs-saif.c
++++ b/sound/soc/mxs/mxs-saif.c
+@@ -780,6 +780,7 @@ static int mxs_saif_probe(struct platform_device *pdev)
+ saif->master_id = saif->id;
+ } else {
+ ret = of_alias_get_id(master, "saif");
++ of_node_put(master);
+ if (ret < 0)
+ return ret;
+ else
+--
+2.35.1
+
diff --git a/queue-4.14/asoc-rt5645-fix-errorenous-cleanup-order.patch b/queue-4.14/asoc-rt5645-fix-errorenous-cleanup-order.patch
new file mode 100644
index 00000000000..173b0d0dc5d
--- /dev/null
+++ b/queue-4.14/asoc-rt5645-fix-errorenous-cleanup-order.patch
@@ -0,0 +1,53 @@
+From 4bb24f3ad9b9f019f470cce055ab91e1915d403a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 16 May 2022 17:20:35 +0800
+Subject: ASoC: rt5645: Fix errorenous cleanup order
+
+From: Lin Ma
+
+[ Upstream commit 2def44d3aec59e38d2701c568d65540783f90f2f ]
+
+There is a logic error when removing rt5645 device as the function
+rt5645_i2c_remove() first cancel the &rt5645->jack_detect_work and
+delete the &rt5645->btn_check_timer latter. However, since the timer
+handler rt5645_btn_check_callback() will re-queue the jack_detect_work,
+this cleanup order is buggy.
+
+That is, once the del_timer_sync in rt5645_i2c_remove is concurrently
+run with the rt5645_btn_check_callback, the canceled jack_detect_work
+will be rescheduled again, leading to possible use-after-free.
+
+This patch fix the issue by placing the del_timer_sync function before
+the cancel_delayed_work_sync.
+
+Signed-off-by: Lin Ma
+Link: https://lore.kernel.org/r/20220516092035.28283-1-linma@zju.edu.cn
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/rt5645.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/rt5645.c b/sound/soc/codecs/rt5645.c
+index a98647ac497c..01de25813c72 100644
+--- a/sound/soc/codecs/rt5645.c
++++ b/sound/soc/codecs/rt5645.c
+@@ -3972,9 +3972,14 @@ static int rt5645_i2c_remove(struct i2c_client *i2c)
+ if (i2c->irq)
+ free_irq(i2c->irq, rt5645);
+
++ /*
++ * Since the rt5645_btn_check_callback() can queue jack_detect_work,
++ * the timer need to be delted first
++ */
++ del_timer_sync(&rt5645->btn_check_timer);
++
+ cancel_delayed_work_sync(&rt5645->jack_detect_work);
+ cancel_delayed_work_sync(&rt5645->rcclock_work);
+- del_timer_sync(&rt5645->btn_check_timer);
+
+ snd_soc_unregister_codec(&i2c->dev);
+ regulator_bulk_disable(ARRAY_SIZE(rt5645->supplies), rt5645->supplies);
+--
+2.35.1
+
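Review bot: Deleting the timer first closes the race in rt5645_i2c_remove() only if nothing that is cancelled afterwards can re-arm it. If jack_detect_work itself calls mod_timer() on btn_check_timer (its body is not in this hunk), the timer can become pending again after `del_timer_sync()` returns and fire once rt5645 has been released, which is the same use-after-free from the other direction. That is worth checking; if it does re-arm, a second `del_timer_sync(&rt5645->btn_check_timer);` after the two cancel_delayed_work_sync() calls would be needed. The added comment also has typos; suggested wording: `* rt5645_btn_check_callback() can queue jack_detect_work, so the timer must be deleted before the work is cancelled.`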
diff --git a/queue-4.14/asoc-wm2000-fix-missing-clk_disable_unprepare-on-err.patch b/queue-4.14/asoc-wm2000-fix-missing-clk_disable_unprepare-on-err.patch
new file mode 100644
index 00000000000..259e07ceeea
--- /dev/null
+++ b/queue-4.14/asoc-wm2000-fix-missing-clk_disable_unprepare-on-err.patch
@@ -0,0 +1,55 @@
+From cc454fedb43b62efc8acdd27197f088a528b364a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 14 May 2022 17:10:53 +0800
+Subject: ASoC: wm2000: fix missing clk_disable_unprepare() on error in
+ wm2000_anc_transition()
+
+From: Yang Yingliang
+
+[ Upstream commit be2af740e2a9c7134f2d8ab4f104006e110b13de ]
+
+Fix the missing clk_disable_unprepare() before return
+from wm2000_anc_transition() in the error handling case.
+
+Fixes: 514cfd6dd725 ("ASoC: wm2000: Integrate with clock API")
+Signed-off-by: Yang Yingliang
+Acked-by: Charles Keepax
+Link: https://lore.kernel.org/r/20220514091053.686416-1-yangyingliang@huawei.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/wm2000.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/sound/soc/codecs/wm2000.c b/sound/soc/codecs/wm2000.c
+index 23cde3a0dc11..73cda3c2a861 100644
+--- a/sound/soc/codecs/wm2000.c
++++ b/sound/soc/codecs/wm2000.c
+@@ -545,7 +545,7 @@ static int wm2000_anc_transition(struct wm2000_priv *wm2000,
+ {
+ struct i2c_client *i2c = wm2000->i2c;
+ int i, j;
+- int ret;
++ int ret = 0;
+
+ if (wm2000->anc_mode == mode)
+ return 0;
+@@ -575,13 +575,13 @@ static int wm2000_anc_transition(struct wm2000_priv *wm2000,
+ ret = anc_transitions[i].step[j](i2c,
+ anc_transitions[i].analogue);
+ if (ret != 0)
+- return ret;
++ break;
+ }
+
+ if (anc_transitions[i].dest == ANC_OFF)
+ clk_disable_unprepare(wm2000->mclk);
+
+- return 0;
++ return ret;
+ }
+
+ static int wm2000_anc_set_mode(struct wm2000_priv *wm2000)
+--
+2.35.1
+
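Review bot: After the new `break`, wm2000_anc_transition() still releases the clock only when `anc_transitions[i].dest == ANC_OFF`, so a step that fails on the way to any other mode returns the error with mclk left as the earlier part of the function set it. If the code between the two hunks enables mclk when leaving ANC_OFF (not visible here), that direction keeps leaking the enable; recording whether this call enabled the clock and undoing it when `ret != 0` would cover both cases. Conversely, a failed transition towards ANC_OFF now disables the clock although the power-down steps did not complete, which deserves a one-line comment above the `if` explaining that this is intended.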
diff --git a/queue-4.14/ath9k-fix-ar9003_get_eepmisc.patch b/queue-4.14/ath9k-fix-ar9003_get_eepmisc.patch
new file mode 100644
index 00000000000..c59f9d35d5d
--- /dev/null
+++ b/queue-4.14/ath9k-fix-ar9003_get_eepmisc.patch
@@ -0,0 +1,40 @@
+From 13da770170d015798128ac5ce915c03c72f3a119 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 20 Mar 2022 17:30:08 -0600
+Subject: ath9k: fix ar9003_get_eepmisc
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wenli Looi
+
+[ Upstream commit 9aaff3864b603408c02c629957ae8d8ff5d5a4f2 ]
+
+The current implementation is reading the wrong eeprom type.
+
+Fixes: d8ec2e2a63e8 ("ath9k: Add an eeprom_ops callback for retrieving the eepmisc value")
+Signed-off-by: Wenli Looi
+Acked-by: Toke Høiland-Jørgensen
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20220320233010.123106-5-wlooi@ucalgary.ca
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath9k/ar9003_eeprom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
+index 694a58b1e995..bdbe0427b90e 100644
+--- a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
++++ b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
+@@ -5501,7 +5501,7 @@ unsigned int ar9003_get_paprd_scale_factor(struct ath_hw *ah,
+
+ static u8 ar9003_get_eepmisc(struct ath_hw *ah)
+ {
+- return ah->eeprom.map4k.baseEepHeader.eepMisc;
++ return ah->eeprom.ar9300_eep.baseEepHeader.opCapFlags.eepMisc;
+ }
+
+ const struct eeprom_ops eep_ar9300_ops = {
+--
+2.35.1
+
diff --git a/queue-4.14/ath9k-fix-qca9561-pa-bias-level.patch b/queue-4.14/ath9k-fix-qca9561-pa-bias-level.patch
new file mode 100644
index 00000000000..03495b06221
--- /dev/null
+++ b/queue-4.14/ath9k-fix-qca9561-pa-bias-level.patch
@@ -0,0 +1,54 @@
+From 8226f486636c2b89fa0de45a6a18023ff8366b4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 17 Apr 2022 16:51:45 +0200
+Subject: ath9k: fix QCA9561 PA bias level
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thibaut VARÈNE
+
+[ Upstream commit e999a5da28a0e0f7de242d841ef7d5e48f4646ae ]
+
+This patch fixes an invalid TX PA DC bias level on QCA9561, which
+results in a very low output power and very low throughput as devices
+are further away from the AP (compared to other 2.4GHz APs).
+
+This patch was suggested by Felix Fietkau, who noted[1]:
+"The value written to that register is wrong, because while the mask
+definition AR_CH0_TOP2_XPABIASLVL uses a different value for 9561, the
+shift definition AR_CH0_TOP2_XPABIASLVL_S is hardcoded to 12, which is
+wrong for 9561."
+
+In real life testing, without this patch the 2.4GHz throughput on
+Yuncore XD3200 is around 10Mbps sitting next to the AP, and closer to
+practical maximum with the patch applied.
+
+[1] https://lore.kernel.org/all/91c58969-c60e-2f41-00ac-737786d435ae@nbd.name
+
+Signed-off-by: Thibaut VARÈNE
+Acked-by: Felix Fietkau
+Acked-by: Toke Høiland-Jørgensen
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20220417145145.1847-1-hacks+kernel@slashdirt.org
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath9k/ar9003_phy.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/ar9003_phy.h b/drivers/net/wireless/ath/ath9k/ar9003_phy.h
+index a171dbb29fbb..ad949eb02f3d 100644
+--- a/drivers/net/wireless/ath/ath9k/ar9003_phy.h
++++ b/drivers/net/wireless/ath/ath9k/ar9003_phy.h
+@@ -720,7 +720,7 @@
+ #define AR_CH0_TOP2 (AR_SREV_9300(ah) ? 0x1628c : \
+ (AR_SREV_9462(ah) ? 0x16290 : 0x16284))
+ #define AR_CH0_TOP2_XPABIASLVL (AR_SREV_9561(ah) ? 0x1e00 : 0xf000)
+-#define AR_CH0_TOP2_XPABIASLVL_S 12
++#define AR_CH0_TOP2_XPABIASLVL_S (AR_SREV_9561(ah) ? 9 : 12)
+
+ #define AR_CH0_XTAL (AR_SREV_9300(ah) ? 0x16294 : \
+ ((AR_SREV_9462(ah) || AR_SREV_9565(ah)) ? 0x16298 : \
+--
+2.35.1
+
diff --git a/queue-4.14/ath9k_htc-fix-potential-out-of-bounds-access-with-in.patch b/queue-4.14/ath9k_htc-fix-potential-out-of-bounds-access-with-in.patch
new file mode 100644
index 00000000000..13145b3132b
--- /dev/null
+++ b/queue-4.14/ath9k_htc-fix-potential-out-of-bounds-access-with-in.patch
@@ -0,0 +1,51 @@
+From 0234e76bccc8407ad767f7d49607b3e5a252963b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 9 Apr 2022 09:12:25 +0300
+Subject: ath9k_htc: fix potential out of bounds access with invalid
+ rxstatus->rs_keyix
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dan Carpenter
+
+[ Upstream commit 2dc509305cf956381532792cb8dceef2b1504765 ]
+
+The "rxstatus->rs_keyix" eventually gets passed to test_bit() so we need to
+ensure that it is within the bitmap.
+
+drivers/net/wireless/ath/ath9k/common.c:46 ath9k_cmn_rx_accept()
+error: passing untrusted data 'rx_stats->rs_keyix' to 'test_bit()'
+
+Fixes: 4ed1a8d4a257 ("ath9k_htc: use ath9k_cmn_rx_accept")
+Signed-off-by: Dan Carpenter
+Acked-by: Toke Høiland-Jørgensen
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20220409061225.GA5447@kili
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
+index 6782c3d0c333..e62ed7f42281 100644
+--- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
++++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
+@@ -1005,6 +1005,14 @@ static bool ath9k_rx_prepare(struct ath9k_htc_priv *priv,
+ goto rx_next;
+ }
+
++ if (rxstatus->rs_keyix >= ATH_KEYMAX &&
++ rxstatus->rs_keyix != ATH9K_RXKEYIX_INVALID) {
++ ath_dbg(common, ANY,
++ "Invalid keyix, dropping (keyix: %d)\n",
++ rxstatus->rs_keyix);
++ goto rx_next;
++ }
++
+ /* Get the RX status information */
+
+ memset(rx_status, 0, sizeof(struct ieee80211_rx_status));
+--
+2.35.1
+
diff --git a/queue-4.14/b43-fix-assigning-negative-value-to-unsigned-variabl.patch b/queue-4.14/b43-fix-assigning-negative-value-to-unsigned-variabl.patch
new file mode 100644
index 00000000000..d9b25bf9069
--- /dev/null
+++ b/queue-4.14/b43-fix-assigning-negative-value-to-unsigned-variabl.patch
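Review bot: The new `rs_keyix` range check in ath9k_rx_prepare() carries no comment, and the reason for it is not local to this function: per the commit message the value is untrusted and ends up as the bit index passed to `test_bit()` in `ath9k_cmn_rx_accept()`. Without that hint the check reads as redundant validation and is easy to drop in a later cleanup. I would add above the `if`: `/* rs_keyix is untrusted and is later used as a test_bit() index in ath9k_cmn_rx_accept(); let only in-range values or ATH9K_RXKEYIX_INVALID through */`. ath9k_rx_prepare() starts and ends outside the hunk.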
@@ -0,0 +1,37 @@
+From 07b9d8e3a0ad960e761870fe47b552da9f0efaf9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 25 Mar 2022 18:15:15 +0800
+Subject: b43: Fix assigning negative value to unsigned variable
+
+From: Haowen Bai
+
+[ Upstream commit 11800d893b38e0e12d636c170c1abc19c43c730c ]
+
+fix warning reported by smatch:
+drivers/net/wireless/broadcom/b43/phy_n.c:585 b43_nphy_adjust_lna_gain_table()
+warn: assigning (-2) to unsigned variable '*(lna_gain[0])'
+
+Signed-off-by: Haowen Bai
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/1648203315-28093-1-git-send-email-baihaowen@meizu.com
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/broadcom/b43/phy_n.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/broadcom/b43/phy_n.c b/drivers/net/wireless/broadcom/b43/phy_n.c
+index d1afa74aa144..9cbc17c2751c 100644
+--- a/drivers/net/wireless/broadcom/b43/phy_n.c
++++ b/drivers/net/wireless/broadcom/b43/phy_n.c
+@@ -594,7 +594,7 @@ static void b43_nphy_adjust_lna_gain_table(struct b43_wldev *dev)
+ u16 data[4];
+ s16 gain[2];
+ u16 minmax[2];
+- static const u16 lna_gain[4] = { -2, 10, 19, 25 };
++ static const s16 lna_gain[4] = { -2, 10, 19, 25 };
+
+ if (nphy->hang_avoid)
+ b43_nphy_stay_in_carrier_search(dev, 1);
+--
+2.35.1
+
diff --git a/queue-4.14/b43legacy-fix-assigning-negative-value-to-unsigned-v.patch b/queue-4.14/b43legacy-fix-assigning-negative-value-to-unsigned-v.patch
new file mode 100644
index 00000000000..b782910a43d
--- /dev/null
+++ b/queue-4.14/b43legacy-fix-assigning-negative-value-to-unsigned-v.patch
@@ -0,0 +1,37 @@
+From 2145cfa68859caee9412e786d71e058f18fc4122 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 25 Mar 2022 18:17:13 +0800
+Subject: b43legacy: Fix assigning negative value to unsigned variable
+
+From: Haowen Bai
+
+[ Upstream commit 3f6b867559b3d43a7ce1b4799b755e812fc0d503 ]
+
+fix warning reported by smatch:
+drivers/net/wireless/broadcom/b43legacy/phy.c:1181 b43legacy_phy_lo_b_measure()
+warn: assigning (-772) to unsigned variable 'fval'
+
+Signed-off-by: Haowen Bai
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/1648203433-8736-1-git-send-email-baihaowen@meizu.com
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/broadcom/b43legacy/phy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/broadcom/b43legacy/phy.c b/drivers/net/wireless/broadcom/b43legacy/phy.c
+index 995c7d0c212a..11ee5ee48976 100644
+--- a/drivers/net/wireless/broadcom/b43legacy/phy.c
++++ b/drivers/net/wireless/broadcom/b43legacy/phy.c
+@@ -1148,7 +1148,7 @@ void b43legacy_phy_lo_b_measure(struct b43legacy_wldev *dev)
+ struct b43legacy_phy *phy = &dev->phy;
+ u16 regstack[12] = { 0 };
+ u16 mls;
+- u16 fval;
++ s16 fval;
+ int i;
+ int j;
+
+--
+2.35.1
+
diff --git a/queue-4.14/bluetooth-fix-dangling-sco_conn-and-use-after-free-i.patch b/queue-4.14/bluetooth-fix-dangling-sco_conn-and-use-after-free-i.patch
new file mode 100644
index 00000000000..6fbdc5278a4
--- /dev/null
+++ b/queue-4.14/bluetooth-fix-dangling-sco_conn-and-use-after-free-i.patch
@@ -0,0 +1,88 @@
+From ad6345e54d2e10a907c7fdbb06189587b9098439 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 26 Mar 2022 07:09:28 +0000
+Subject: Bluetooth: fix dangling sco_conn and use-after-free in
+ sco_sock_timeout
+
+From: Ying Hsu
+
+[ Upstream commit 7aa1e7d15f8a5b65f67bacb100d8fc033b21efa2 ]
+
+Connecting the same socket twice consecutively in sco_sock_connect()
+could lead to a race condition where two sco_conn objects are created
+but only one is associated with the socket. If the socket is closed
+before the SCO connection is established, the timer associated with the
+dangling sco_conn object won't be canceled. As the sock object is being
+freed, the use-after-free problem happens when the timer callback
+function sco_sock_timeout() accesses the socket. Here's the call trace:
+
+dump_stack+0x107/0x163
+? refcount_inc+0x1c/
+print_address_description.constprop.0+0x1c/0x47e
+? refcount_inc+0x1c/0x7b
+kasan_report+0x13a/0x173
+? refcount_inc+0x1c/0x7b
+check_memory_region+0x132/0x139
+refcount_inc+0x1c/0x7b
+sco_sock_timeout+0xb2/0x1ba
+process_one_work+0x739/0xbd1
+? cancel_delayed_work+0x13f/0x13f
+? __raw_spin_lock_init+0xf0/0xf0
+? to_kthread+0x59/0x85
+worker_thread+0x593/0x70e
+kthread+0x346/0x35a
+? drain_workqueue+0x31a/0x31a
+? kthread_bind+0x4b/0x4b
+ret_from_fork+0x1f/0x30
+
+Link: https://syzkaller.appspot.com/bug?extid=2bef95d3ab4daa10155b
+Reported-by: syzbot+2bef95d3ab4daa10155b@syzkaller.appspotmail.com
+Fixes: e1dee2c1de2b ("Bluetooth: fix repeated calls to sco_sock_kill")
+Signed-off-by: Ying Hsu
+Reviewed-by: Joseph Hwang
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/sco.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
+index 5c411118b30d..22761a404e0d 100644
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -563,19 +563,24 @@ static int sco_sock_connect(struct socket *sock, struct sockaddr *addr, int alen
+ addr->sa_family != AF_BLUETOOTH)
+ return -EINVAL;
+
+- if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND)
+- return -EBADFD;
++ lock_sock(sk);
++ if (sk->sk_state != BT_OPEN && sk->sk_state != BT_BOUND) {
++ err = -EBADFD;
++ goto done;
++ }
+
+- if (sk->sk_type != SOCK_SEQPACKET)
+- return -EINVAL;
++ if (sk->sk_type != SOCK_SEQPACKET) {
++ err = -EINVAL;
++ goto done;
++ }
+
+ hdev = hci_get_route(&sa->sco_bdaddr, &sco_pi(sk)->src, BDADDR_BREDR);
+- if (!hdev)
+- return -EHOSTUNREACH;
++ if (!hdev) {
++ err = -EHOSTUNREACH;
++ goto done;
++ }
+ hci_dev_lock(hdev);
+
+- lock_sock(sk);
+-
+ /* Set destination address and psm */
+ bacpy(&sco_pi(sk)->dst, &sa->sco_bdaddr);
+
+--
+2.35.1
+
diff --git a/queue-4.14/dma-debug-change-allocation-mode-from-gfp_nowait-to-.patch b/queue-4.14/dma-debug-change-allocation-mode-from-gfp_nowait-to-.patch
new file mode 100644
index 00000000000..463a32d44d1
--- /dev/null
+++ b/queue-4.14/dma-debug-change-allocation-mode-from-gfp_nowait-to-.patch
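Review bot: Moving `lock_sock(sk)` above `hci_dev_lock(hdev)` reverses the order in which sco_sock_connect() takes the two locks: the removed lines took the hdev lock first, the added ones take the socket lock first. If any other SCO path in the 4.14 tree still acquires them in the old order (none is visible in this hunk, so this needs checking against the rest of sco.c), the two paths can deadlock against each other. I would exercise connect and close under lockdep before queuing this and record the intended order at the call, e.g. `/* lock order: sk lock, then hdev lock */`. The `done:` label and the unlock sequence are outside the hunk, so it cannot be confirmed here that the three early `goto done` paths, all taken before a valid `hdev` is held, skip `hci_dev_unlock()`.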
@@ -0,0 +1,41 @@
+From c5c853e3252bbf7bdfea3c09fb363a28e5d15fa8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 10 May 2022 13:17:32 -0400
+Subject: dma-debug: change allocation mode from GFP_NOWAIT to GFP_ATIOMIC
+
+From: Mikulas Patocka
+
+[ Upstream commit 84bc4f1dbbbb5f8aa68706a96711dccb28b518e5 ]
+
+We observed the error "cacheline tracking ENOMEM, dma-debug disabled"
+during a light system load (copying some files). The reason for this error
+is that the dma_active_cacheline radix tree uses GFP_NOWAIT allocation -
+so it can't access the emergency memory reserves and it fails as soon as
+anybody reaches the watermark.
+
+This patch changes GFP_NOWAIT to GFP_ATOMIC, so that it can access the
+emergency memory reserves.
+
+Signed-off-by: Mikulas Patocka
+Signed-off-by: Christoph Hellwig
+Signed-off-by: Sasha Levin
+---
+ lib/dma-debug.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/dma-debug.c b/lib/dma-debug.c
+index 61e7240947f5..163e0e9b357f 100644
+--- a/lib/dma-debug.c
++++ b/lib/dma-debug.c
+@@ -465,7 +465,7 @@ EXPORT_SYMBOL(debug_dma_dump_mappings);
+ * At any time debug_dma_assert_idle() can be called to trigger a
+ * warning if any cachelines in the given page are in the active set.
+ */
+-static RADIX_TREE(dma_active_cacheline, GFP_NOWAIT);
++static RADIX_TREE(dma_active_cacheline, GFP_ATOMIC);
+ static DEFINE_SPINLOCK(radix_lock);
+ #define ACTIVE_CACHELINE_MAX_OVERLAP ((1 << RADIX_TREE_MAX_TAGS) - 1)
+ #define CACHELINE_PER_PAGE_SHIFT (PAGE_SHIFT - L1_CACHE_SHIFT)
+--
+2.35.1
+
diff --git a/queue-4.14/drivers-base-node.c-fix-compaction-sysfs-file-leak.patch b/queue-4.14/drivers-base-node.c-fix-compaction-sysfs-file-leak.patch
new file mode 100644
index 00000000000..f0e5514d30f
--- /dev/null
+++ b/queue-4.14/drivers-base-node.c-fix-compaction-sysfs-file-leak.patch
@@ -0,0 +1,44 @@
+From 63997bb7d253c705550fc91e7cc6892836f2ed60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 28 Apr 2022 23:16:06 -0700
+Subject: drivers/base/node.c: fix compaction sysfs file leak
+
+From: Miaohe Lin
+
+[ Upstream commit da63dc84befaa9e6079a0bc363ff0eaa975f9073 ]
+
+Compaction sysfs file is created via compaction_register_node in
+register_node. But we forgot to remove it in unregister_node. Thus
+compaction sysfs file is leaked. Using compaction_unregister_node to fix
+this issue.
+
+Link: https://lkml.kernel.org/r/20220401070905.43679-1-linmiaohe@huawei.com
+Fixes: ed4a6d7f0676 ("mm: compaction: add /sys trigger for per-node memory compaction")
+Signed-off-by: Miaohe Lin
+Cc: Greg Kroah-Hartman
+Cc: Rafael J. Wysocki
+Cc: Mel Gorman
+Cc: Minchan Kim
+Cc: KAMEZAWA Hiroyuki
+Cc: KOSAKI Motohiro
+Signed-off-by: Andrew Morton
+Signed-off-by: Sasha Levin
+---
+ drivers/base/node.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/base/node.c b/drivers/base/node.c
+index 5c39f14d15a5..57eef6b24448 100644
+--- a/drivers/base/node.c
++++ b/drivers/base/node.c
+@@ -337,6 +337,7 @@ static int register_node(struct node *node, int num)
+ */
+ void unregister_node(struct node *node)
+ {
++ compaction_unregister_node(node);
+ hugetlb_unregister_node(node); /* no-op, if memoryless node */
+
+ device_unregister(&node->dev);
+--
+2.35.1
+
diff --git a/queue-4.14/drm-amd-pm-fix-double-free-in-si_parse_power_table.patch b/queue-4.14/drm-amd-pm-fix-double-free-in-si_parse_power_table.patch
new file mode 100644
index 00000000000..514bd15d082
--- /dev/null
+++ b/queue-4.14/drm-amd-pm-fix-double-free-in-si_parse_power_table.patch
@@ -0,0 +1,70 @@
+From ec734c70e6c89f5e1260eb8faf2c722ed2abcdc2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 19 Apr 2022 10:37:19 +0000
+Subject: drm/amd/pm: fix double free in si_parse_power_table()
+
+From: Keita Suzuki
+
+[ Upstream commit f3fa2becf2fc25b6ac7cf8d8b1a2e4a86b3b72bd ]
+
+In function si_parse_power_table(), array adev->pm.dpm.ps and its member
+is allocated. If the allocation of each member fails, the array itself
+is freed and returned with an error code. However, the array is later
+freed again in si_dpm_fini() function which is called when the function
+returns an error.
+
+This leads to potential double free of the array adev->pm.dpm.ps, as
+well as leak of its array members, since the members are not freed in
+the allocation function and the array is not nulled when freed.
+In addition adev->pm.dpm.num_ps, which keeps track of the allocated
+array member, is not updated until the member allocation is
+successfully finished, this could also lead to either use after free,
+or uninitialized variable access in si_dpm_fini().
+
+Fix this by postponing the free of the array until si_dpm_fini() and
+increment adev->pm.dpm.num_ps everytime the array member is allocated.
+
+Signed-off-by: Keita Suzuki
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/amdgpu/si_dpm.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/si_dpm.c b/drivers/gpu/drm/amd/amdgpu/si_dpm.c
+index 55613f425931..288ac692f536 100644
+--- a/drivers/gpu/drm/amd/amdgpu/si_dpm.c
++++ b/drivers/gpu/drm/amd/amdgpu/si_dpm.c
+@@ -7238,17 +7238,15 @@ static int si_parse_power_table(struct amdgpu_device *adev)
+ if (!adev->pm.dpm.ps)
+ return -ENOMEM;
+ power_state_offset = (u8 *)state_array->states;
+- for (i = 0; i < state_array->ucNumEntries; i++) {
++ for (adev->pm.dpm.num_ps = 0, i = 0; i < state_array->ucNumEntries; i++) {
+ u8 *idx;
+ power_state = (union pplib_power_state *)power_state_offset;
+ non_clock_array_index = power_state->v2.nonClockInfoIndex;
+ non_clock_info = (struct _ATOM_PPLIB_NONCLOCK_INFO *)
+ &non_clock_info_array->nonClockInfo[non_clock_array_index];
+ ps = kzalloc(sizeof(struct si_ps), GFP_KERNEL);
+- if (ps == NULL) {
+- kfree(adev->pm.dpm.ps);
++ if (ps == NULL)
+ return -ENOMEM;
+- }
+ adev->pm.dpm.ps[i].ps_priv = ps;
+ si_parse_pplib_non_clock_info(adev, &adev->pm.dpm.ps[i],
+ non_clock_info,
+@@ -7270,8 +7268,8 @@ static int si_parse_power_table(struct amdgpu_device *adev)
+ k++;
+ }
+ power_state_offset += 2 + power_state->v2.ucNumDPMLevels;
++ adev->pm.dpm.num_ps++;
+ }
+- adev->pm.dpm.num_ps = state_array->ucNumEntries;
+
+ /* fill in the vce power states */
+ for (i = 0; i < adev->pm.dpm.num_of_vce_states; i++) {
+--
+2.35.1
+
diff --git a/queue-4.14/drm-amd-pm-fix-the-compile-warning.patch b/queue-4.14/drm-amd-pm-fix-the-compile-warning.patch
new file mode 100644
index 00000000000..8ddad71cbed
--- /dev/null
+++ b/queue-4.14/drm-amd-pm-fix-the-compile-warning.patch
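Review bot: With `kfree(adev->pm.dpm.ps)` removed, the bare `return -ENOMEM` after the failed `kzalloc()` now reads like a leak, and nothing in si_parse_power_table() says who frees the array. The commit message states that si_dpm_fini() does so on the error path and relies on `num_ps` as the count; that ownership rule deserves a comment at the return, e.g. `/* ps[] and the num_ps entries filled so far are freed by si_dpm_fini() */`. Separately, resetting the counter inside the for-init (`for (adev->pm.dpm.num_ps = 0, i = 0; ...`) is easy to overlook; a plain `adev->pm.dpm.num_ps = 0;` before the loop would read better. The function continues outside both inner hunks.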
@@ -0,0 +1,51 @@
+From 04c4ebc02824f7971a33f9fd1a525159ffa99f33 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 25 Apr 2022 10:16:46 +0800
+Subject: drm/amd/pm: fix the compile warning
+
+From: Evan Quan
+
+[ Upstream commit 555238d92ac32dbad2d77ad2bafc48d17391990c ]
+
+Fix the compile warning below:
+drivers/gpu/drm/amd/amdgpu/../pm/legacy-dpm/kv_dpm.c:1641
+kv_get_acp_boot_level() warn: always true condition '(table->entries[i]->clk >= 0) => (0-u32max >= 0)'
+
+Reported-by: kernel test robot
+CC: Alex Deucher
+Signed-off-by: Evan Quan
+Reviewed-by: Alex Deucher
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/amdgpu/kv_dpm.c | 14 +-------------
+ 1 file changed, 1 insertion(+), 13 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/kv_dpm.c b/drivers/gpu/drm/amd/amdgpu/kv_dpm.c
+index c76073b422d6..d99fb88341f4 100644
+--- a/drivers/gpu/drm/amd/amdgpu/kv_dpm.c
++++ b/drivers/gpu/drm/amd/amdgpu/kv_dpm.c
+@@ -1608,19 +1608,7 @@ static int kv_update_samu_dpm(struct amdgpu_device *adev, bool gate)
+
+ static u8 kv_get_acp_boot_level(struct amdgpu_device *adev)
+ {
+- u8 i;
+- struct amdgpu_clock_voltage_dependency_table *table =
+- &adev->pm.dpm.dyn_state.acp_clock_voltage_dependency_table;
+-
+- for (i = 0; i < table->count; i++) {
+- if (table->entries[i].clk >= 0) /* XXX */
+- break;
+- }
+-
+- if (i >= table->count)
+- i = table->count - 1;
+-
+- return i;
++ return 0;
+ }
+
+ static void kv_update_acp_boot_level(struct amdgpu_device *adev)
+--
+2.35.1
+
diff --git a/queue-4.14/drm-fix-edid-struct-for-old-arm-oabi-format.patch b/queue-4.14/drm-fix-edid-struct-for-old-arm-oabi-format.patch
new file mode 100644
index 00000000000..684f67ad303
--- /dev/null
+++ b/queue-4.14/drm-fix-edid-struct-for-old-arm-oabi-format.patch
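Review bot: `return 0` is not an exact equivalent of the removed body when the dependency table is empty: with `table->count == 0` the old code skipped the loop and then executed `i = table->count - 1`, which stored in the `u8` yields 255, not 0. Returning 0 is probably the saner result, but the commit presents itself as a warning fix only, and the removed `/* XXX */` was the one hint that the per-entry test was a placeholder. I would keep that history in a comment above the return: `/* the previous per-entry clk test was always true, so level 0 was always chosen for a non-empty table */`.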
@@ -0,0 +1,114 @@
+From a8d870a57598746f0472bd933f79ae0ed8f287b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 28 May 2022 11:08:48 -0700
+Subject: drm: fix EDID struct for old ARM OABI format
+
+From: Linus Torvalds
+
+[ Upstream commit 47f15561b69e226bfc034e94ff6dbec51a4662af ]
+
+When building the kernel for arm with the "-mabi=apcs-gnu" option, gcc
+will force alignment of all structures and unions to a word boundary
+(see also STRUCTURE_SIZE_BOUNDARY and the "-mstructure-size-boundary=XX"
+option if you're a gcc person), even when the members of said structures
+do not want or need said alignment.
+
+This completely messes up the structure alignment of 'struct edid' on
+those targets, because even though all the embedded structures are
+marked with "__attribute__((packed))", the unions that contain them are
+not.
+
+This was exposed by commit f1e4c916f97f ("drm/edid: add EDID block count
+and size helpers"), but the bug is pre-existing. That commit just made
+the structure layout problem cause a build failure due to the addition
+of the
+
+ BUILD_BUG_ON(sizeof(*edid) != EDID_LENGTH);
+
+sanity check in drivers/gpu/drm/drm_edid.c:edid_block_data().
+
+This legacy union alignment should probably not be used in the first
+place, but we can fix the layout by adding the packed attribute to the
+union entries even when each member is already packed and it shouldn't
+matter in a sane build environment.
+
+You can see this issue with a trivial test program:
+
+ union {
+ struct {
+ char c[5];
+ };
+ struct {
+ char d;
+ unsigned e;
+ } __attribute__((packed));
+ } a = { "1234" };
+
+where building this with a normal "gcc -S" will result in the expected
+5-byte size of said union:
+
+ .type a, @object
+ .size a, 5
+
+but with an ARM compiler and the old ABI:
+
+ arm-linux-gnu-gcc -mabi=apcs-gnu -mfloat-abi=soft -S t.c
+
+you get
+
+ .type a, %object
+ .size a, 8
+
+instead, because even though each member of the union is packed, the
+union itself still gets aligned.
+
+This was reported by Sudip for the spear3xx_defconfig target.
+
+Link: https://lore.kernel.org/lkml/YpCUzStDnSgQLNFN@debian/
+Reported-by: Sudip Mukherjee
+Acked-by: Arnd Bergmann
+Cc: Maarten Lankhorst
+Cc: Maxime Ripard
+Cc: Thomas Zimmermann
+Cc: David Airlie
+Cc: Daniel Vetter
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ include/drm/drm_edid.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/include/drm/drm_edid.h b/include/drm/drm_edid.h
+index 267e0426c479..0262e32ab59e 100644
+--- a/include/drm/drm_edid.h
++++ b/include/drm/drm_edid.h
+@@ -115,7 +115,7 @@ struct detailed_data_monitor_range {
+ u8 supported_scalings;
+ u8 preferred_refresh;
+ } __attribute__((packed)) cvt;
+- } formula;
++ } __attribute__((packed)) formula;
+ } __attribute__((packed));
+
+ struct detailed_data_wpindex {
+@@ -148,7 +148,7 @@ struct detailed_non_pixel {
+ struct detailed_data_wpindex color;
+ struct std_timing timings[6];
+ struct cvt_timing cvt[4];
+- } data;
++ } __attribute__((packed)) data;
+ } __attribute__((packed));
+
+ #define EDID_DETAIL_EST_TIMINGS 0xf7
+@@ -166,7 +166,7 @@ struct detailed_timing {
+ union {
+ struct detailed_pixel_timing pixel_data;
+ struct detailed_non_pixel other_data;
+- } data;
++ } __attribute__((packed)) data;
+ } __attribute__((packed));
+
+ #define DRM_EDID_INPUT_SERRATION_VSYNC (1 << 0)
+--
+2.35.1
+
diff --git a/queue-4.14/drm-mediatek-fix-mtk_cec_mask.patch b/queue-4.14/drm-mediatek-fix-mtk_cec_mask.patch
new file mode 100644
index 00000000000..c601260db99
--- /dev/null
+++ b/queue-4.14/drm-mediatek-fix-mtk_cec_mask.patch
@@ -0,0 +1,45 @@
+From b442ec34117b21a87ceda5b945ffc8c79b5d48a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 16 Mar 2022 07:23:00 +0800
+Subject: drm/mediatek: Fix mtk_cec_mask()
+
+From: Miles Chen
+
+[ Upstream commit 2c5d69b0a141e1e98febe3111e6f4fd8420493a5 ]
+
+In current implementation, mtk_cec_mask() writes val into target register
+and ignores the mask. After talking to our hdmi experts, mtk_cec_mask()
+should read a register, clean only mask bits, and update (val | mask) bits
+to the register.
+
+Link: https://patchwork.kernel.org/project/linux-mediatek/patch/20220315232301.2434-1-miles.chen@mediatek.com/
+Fixes: 8f83f26891e1 ("drm/mediatek: Add HDMI support")
+Signed-off-by: Miles Chen
+Reviewed-by: AngeloGioacchino Del Regno
+Reviewed-by: Matthias Brugger
+Cc: Zhiqiang Lin
+Cc: CK Hu
+Cc: Matthias Brugger
+Cc: AngeloGioacchino Del Regno
+Signed-off-by: Chun-Kuang Hu
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/mediatek/mtk_cec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/mediatek/mtk_cec.c b/drivers/gpu/drm/mediatek/mtk_cec.c
+index 7a3eb8c17ef9..4e5482986dc2 100644
+--- a/drivers/gpu/drm/mediatek/mtk_cec.c
++++ b/drivers/gpu/drm/mediatek/mtk_cec.c
+@@ -91,7 +91,7 @@ static void mtk_cec_mask(struct mtk_cec *cec, unsigned int offset,
+ u32 tmp = readl(cec->regs + offset) & ~mask;
+
+ tmp |= val & mask;
+- writel(val, cec->regs + offset);
++ writel(tmp, cec->regs + offset);
+ }
+
+ void mtk_cec_set_hpd_event(struct device *dev,
+--
+2.35.1
+
diff --git a/queue-4.14/drm-msm-dsi-fix-error-checks-and-return-values-for-d.patch b/queue-4.14/drm-msm-dsi-fix-error-checks-and-return-values-for-d.patch
new file mode 100644
index 00000000000..f4f59ba3456
--- /dev/null
+++ b/queue-4.14/drm-msm-dsi-fix-error-checks-and-return-values-for-d.patch 
@@ -0,0 +1,85 @@
+From d0247ca7f5afb7f87a9c66a1d61cf5dde85a90f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 2 Apr 2022 02:11:04 +0300
+Subject: drm/msm/dsi: fix error checks and return values for DSI xmit
+ functions
+
+From: Dmitry Baryshkov
+
+[ Upstream commit f0e7e9ed379c012c4d6b09a09b868accc426223c ]
+
+As noticed by Dan ([1] an the followup thread) there are multiple issues
+with the return values for MSM DSI command transmission callback. In
+the error case it can easily return a positive value when it should
+have returned a proper error code.
+
+This commits attempts to fix these issues both in TX and in RX paths.
+
+[1]: https://lore.kernel.org/linux-arm-msm/20211001123617.GH2283@kili/
+
+Fixes: a689554ba6ed ("drm/msm: Initial add DSI connector support")
+Reported-by: Dan Carpenter
+Signed-off-by: Dmitry Baryshkov
+Reviewed-by: Abhinav Kumar
+Tested-by: Marijn Suijten
+Patchwork: https://patchwork.freedesktop.org/patch/480501/
+Link: https://lore.kernel.org/r/20220401231104.967193-1-dmitry.baryshkov@linaro.org
+Signed-off-by: Dmitry Baryshkov
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/msm/dsi/dsi_host.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c
+index d49f17748119..c9c8d2190515 100644
+--- a/drivers/gpu/drm/msm/dsi/dsi_host.c
++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c
+@@ -1240,10 +1240,10 @@ static int dsi_cmds2buf_tx(struct msm_dsi_host *msm_host,
+ dsi_get_bpp(msm_host->format) / 8;
+
+ len = dsi_cmd_dma_add(msm_host, msg);
+- if (!len) {
++ if (len < 0) {
+ pr_err("%s: failed to add cmd type = 0x%x\n",
+ __func__, msg->type);
+- return -EINVAL;
++ return len;
+ }
+
+ /* for video mode, do not send cmds more than
+@@ -1262,10 +1262,14 @@ static int dsi_cmds2buf_tx(struct msm_dsi_host *msm_host,
+ }
+
+ ret = dsi_cmd_dma_tx(msm_host, len);
+- if (ret < len) {
+- pr_err("%s: cmd dma tx failed, type=0x%x, data0=0x%x, len=%d\n",
+- __func__, msg->type, (*(u8 *)(msg->tx_buf)), len);
+- return -ECOMM;
++ if (ret < 0) {
++ pr_err("%s: cmd dma tx failed, type=0x%x, data0=0x%x, len=%d, ret=%d\n",
++ __func__, msg->type, (*(u8 *)(msg->tx_buf)), len, ret);
++ return ret;
++ } else if (ret < len) {
++ pr_err("%s: cmd dma tx failed, type=0x%x, data0=0x%x, ret=%d len=%d\n",
++ __func__, msg->type, (*(u8 *)(msg->tx_buf)), ret, len);
++ return -EIO;
+ }
+
+ return len;
+@@ -1988,9 +1992,12 @@ int msm_dsi_host_cmd_rx(struct mipi_dsi_host *host,
+ }
+
+ ret = dsi_cmds2buf_tx(msm_host, msg);
+- if (ret < msg->tx_len) {
++ if (ret < 0) {
+ pr_err("%s: Read cmd Tx failed, %d\n", __func__, ret);
+ return ret;
++ } else if (ret < msg->tx_len) {
++ pr_err("%s: Read cmd Tx failed, too short: %d\n", __func__, ret);
++ return -ECOMM;
+ }
+
+ /*
+--
+2.35.1
+
diff --git a/queue-4.14/drm-msm-hdmi-check-return-value-after-calling-platfo.patch b/queue-4.14/drm-msm-hdmi-check-return-value-after-calling-platfo.patch
new file mode 100644
index 00000000000..734258915d5
--- /dev/null
+++ b/queue-4.14/drm-msm-hdmi-check-return-value-after-calling-platfo.patch
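Review bot: In dsi_cmds2buf_tx() the test after `dsi_cmd_dma_add()` changed from `!len` to `len < 0`, so a return value of 0 is no longer rejected and now reaches `dsi_cmd_dma_tx(msm_host, len)` with a zero length. Whether dsi_cmd_dma_add() can return 0 is not visible in these hunks; if it can, keep both cases with `if (len <= 0) {` and `return len ? len : -EINVAL;`. The short-transfer branches also disagree on the errno, `-EIO` in dsi_cmds2buf_tx() and `-ECOMM` in msm_dsi_host_cmd_rx(); one value for both would make the callers' handling simpler. Both functions extend beyond the hunks shown.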
@@ -0,0 +1,42 @@
+From c31904e7bebd77fbc0b246d31faefec6fd187871 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 22 Apr 2022 11:22:27 +0800
+Subject: drm/msm/hdmi: check return value after calling
+ platform_get_resource_byname()
+
+From: Yang Yingliang
+
+[ Upstream commit a36e506711548df923ceb7ec9f6001375be799a5 ]
+
+It will cause null-ptr-deref if platform_get_resource_byname() returns NULL,
+we need check the return value.
+
+Fixes: c6a57a50ad56 ("drm/msm/hdmi: add hdmi hdcp support (V3)")
+Signed-off-by: Yang Yingliang
+Reviewed-by: Dmitry Baryshkov
+Patchwork: https://patchwork.freedesktop.org/patch/482992/
+Link: https://lore.kernel.org/r/20220422032227.2991553-1-yangyingliang@huawei.com
+Signed-off-by: Dmitry Baryshkov
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/msm/hdmi/hdmi.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/gpu/drm/msm/hdmi/hdmi.c b/drivers/gpu/drm/msm/hdmi/hdmi.c
+index 17e069a133a4..0df62c9c2856 100644
+--- a/drivers/gpu/drm/msm/hdmi/hdmi.c
++++ b/drivers/gpu/drm/msm/hdmi/hdmi.c
+@@ -148,6 +148,10 @@ static struct hdmi *msm_hdmi_init(struct platform_device *pdev)
+ /* HDCP needs physical address of hdmi register */
+ res = platform_get_resource_byname(pdev, IORESOURCE_MEM,
+ config->mmio_name);
++ if (!res) {
++ ret = -EINVAL;
++ goto fail;
++ }
+ hdmi->mmio_phy_addr = res->start;
+
+ hdmi->qfprom_mmio = msm_ioremap(pdev,
+--
+2.35.1
+
diff --git a/queue-4.14/drm-msm-return-an-error-pointer-in-msm_gem_prime_get.patch b/queue-4.14/drm-msm-return-an-error-pointer-in-msm_gem_prime_get.patch
new file mode 100644
index 00000000000..050146e6113
--- /dev/null
+++ b/queue-4.14/drm-msm-return-an-error-pointer-in-msm_gem_prime_get.patch
@@ -0,0 +1,40 @@
+From e2e8f5c44b983814fe425c818cc782d38a8ebb51 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 5 May 2022 13:28:05 +0300
+Subject: drm/msm: return an error pointer in msm_gem_prime_get_sg_table()
+
+From: Dan Carpenter
+
+[ Upstream commit cf575e31611eb6dccf08fad02e57e35b2187704d ]
+
+The msm_gem_prime_get_sg_table() needs to return error pointers on
+error. This is called from drm_gem_map_dma_buf() and returning a
+NULL will lead to a crash in that function.
+
+Fixes: ac45146733b0 ("drm/msm: fix msm_gem_prime_get_sg_table()")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Dmitry Baryshkov
+Patchwork: https://patchwork.freedesktop.org/patch/485023/
+Link: https://lore.kernel.org/r/YnOmtS5tfENywR9m@kili
+Signed-off-by: Dmitry Baryshkov
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/msm/msm_gem_prime.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/msm_gem_prime.c b/drivers/gpu/drm/msm/msm_gem_prime.c
+index 13403c6da6c7..7e4664968106 100644
+--- a/drivers/gpu/drm/msm/msm_gem_prime.c
++++ b/drivers/gpu/drm/msm/msm_gem_prime.c
+@@ -26,7 +26,7 @@ struct sg_table *msm_gem_prime_get_sg_table(struct drm_gem_object *obj)
+ int npages = obj->size >> PAGE_SHIFT;
+
+ if (WARN_ON(!msm_obj->pages)) /* should have already pinned! */
+- return NULL;
++ return ERR_PTR(-ENOMEM);
+
+ return drm_prime_pages_to_sg(msm_obj->pages, npages);
+ }
+--
+2.35.1
+
diff --git a/queue-4.14/drm-rockchip-vop-fix-possible-null-ptr-deref-in-vop_.patch b/queue-4.14/drm-rockchip-vop-fix-possible-null-ptr-deref-in-vop_.patch
new file mode 100644
index 00000000000..e8f8b6acb37
--- /dev/null
+++ b/queue-4.14/drm-rockchip-vop-fix-possible-null-ptr-deref-in-vop_.patch
@@ -0,0 +1,41 @@
+From 6cc51df3a526b66d96b487375c58bd7827ba234b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 22 Apr 2022 11:28:54 +0800
+Subject: drm/rockchip: vop: fix possible null-ptr-deref in vop_bind()
+
+From: Yang Yingliang
+
+[ Upstream commit f8c242908ad15bbd604d3bcb54961b7d454c43f8 ]
+
+It will cause null-ptr-deref in resource_size(), if platform_get_resource()
+returns NULL, move calling resource_size() after devm_ioremap_resource() that
+will check 'res' to avoid null-ptr-deref.
+
+Fixes: 2048e3286f34 ("drm: rockchip: Add basic drm driver")
+Signed-off-by: Yang Yingliang
+Signed-off-by: Heiko Stuebner
+Link: https://patchwork.freedesktop.org/patch/msgid/20220422032854.2995175-1-yangyingliang@huawei.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
+index 7010424b2f89..80a65eaed0be 100644
+--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
++++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
+@@ -1551,10 +1551,10 @@ static int vop_bind(struct device *dev, struct device *master, void *data)
+ vop_win_init(vop);
+
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+- vop->len = resource_size(res);
+ vop->regs = devm_ioremap_resource(dev, res);
+ if (IS_ERR(vop->regs))
+ return PTR_ERR(vop->regs);
++ vop->len = resource_size(res);
+
+ vop->regsbak = devm_kzalloc(dev, vop->len, GFP_KERNEL);
+ if (!vop->regsbak)
+--
+2.35.1
+
diff --git a/queue-4.14/drm-virtio-fix-null-pointer-dereference-in-virtio_gp.patch b/queue-4.14/drm-virtio-fix-null-pointer-dereference-in-virtio_gp.patch
new file mode 100644
index 00000000000..5f03c38f5b4
--- /dev/null
+++ b/queue-4.14/drm-virtio-fix-null-pointer-dereference-in-virtio_gp.patch
@@ -0,0 +1,88 @@
+From 795799071a9f0151330f0fe98a3e13dc77187926 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 22 Mar 2022 17:17:30 +0800
+Subject: drm/virtio: fix NULL pointer dereference in virtio_gpu_conn_get_modes
+
+From: Liu Zixian
+
+[ Upstream commit 194d250cdc4a40ccbd179afd522a9e9846957402 ]
+
+drm_cvt_mode may return NULL and we should check it.
+
+This bug is found by syzkaller:
+
+FAULT_INJECTION stacktrace:
+[ 168.567394] FAULT_INJECTION: forcing a failure.
+name failslab, interval 1, probability 0, space 0, times 1
+[ 168.567403] CPU: 1 PID: 6425 Comm: syz Kdump: loaded Not tainted 4.19.90-vhulk2201.1.0.h1035.kasan.eulerosv2r10.aarch64 #1
+[ 168.567406] Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
+[ 168.567408] Call trace:
+[ 168.567414] dump_backtrace+0x0/0x310
+[ 168.567418] show_stack+0x28/0x38
+[ 168.567423] dump_stack+0xec/0x15c
+[ 168.567427] should_fail+0x3ac/0x3d0
+[ 168.567437] __should_failslab+0xb8/0x120
+[ 168.567441] should_failslab+0x28/0xc0
+[ 168.567445] kmem_cache_alloc_trace+0x50/0x640
+[ 168.567454] drm_mode_create+0x40/0x90
+[ 168.567458] drm_cvt_mode+0x48/0xc78
+[ 168.567477] virtio_gpu_conn_get_modes+0xa8/0x140 [virtio_gpu]
+[ 168.567485] drm_helper_probe_single_connector_modes+0x3a4/0xd80
+[ 168.567492] drm_mode_getconnector+0x2e0/0xa70
+[ 168.567496] drm_ioctl_kernel+0x11c/0x1d8
+[ 168.567514] drm_ioctl+0x558/0x6d0
+[ 168.567522] do_vfs_ioctl+0x160/0xf30
+[ 168.567525] ksys_ioctl+0x98/0xd8
+[ 168.567530] __arm64_sys_ioctl+0x50/0xc8
+[ 168.567536] el0_svc_common+0xc8/0x320
+[ 168.567540] el0_svc_handler+0xf8/0x160
+[ 168.567544] el0_svc+0x10/0x218
+
+KASAN stacktrace:
+[ 168.567561] BUG: KASAN: null-ptr-deref in virtio_gpu_conn_get_modes+0xb4/0x140 [virtio_gpu]
+[ 168.567565] Read of size 4 at addr 0000000000000054 by task syz/6425
+[ 168.567566]
+[ 168.567571] CPU: 1 PID: 6425 Comm: syz Kdump: loaded Not tainted 4.19.90-vhulk2201.1.0.h1035.kasan.eulerosv2r10.aarch64 #1
+[ 168.567573] Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
+[ 168.567575] Call trace:
+[ 168.567578] dump_backtrace+0x0/0x310
+[ 168.567582] show_stack+0x28/0x38
+[ 168.567586] dump_stack+0xec/0x15c
+[ 168.567591] kasan_report+0x244/0x2f0
+[ 168.567594] __asan_load4+0x58/0xb0
+[ 168.567607] virtio_gpu_conn_get_modes+0xb4/0x140 [virtio_gpu]
+[ 168.567612] drm_helper_probe_single_connector_modes+0x3a4/0xd80
+[ 168.567617] drm_mode_getconnector+0x2e0/0xa70
+[ 168.567621] drm_ioctl_kernel+0x11c/0x1d8
+[ 168.567624] drm_ioctl+0x558/0x6d0
+[ 168.567628] do_vfs_ioctl+0x160/0xf30
+[ 168.567632] ksys_ioctl+0x98/0xd8
+[ 168.567636] __arm64_sys_ioctl+0x50/0xc8
+[ 168.567641] el0_svc_common+0xc8/0x320
+[ 168.567645] el0_svc_handler+0xf8/0x160
+[ 168.567649] el0_svc+0x10/0x218
+
+Signed-off-by: Liu Zixian
+Link: http://patchwork.freedesktop.org/patch/msgid/20220322091730.1653-1-liuzixian4@huawei.com
+Signed-off-by: Gerd Hoffmann
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/virtio/virtgpu_display.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/virtio/virtgpu_display.c b/drivers/gpu/drm/virtio/virtgpu_display.c
+index b6d52055a11f..3a5f73bc2a37 100644
+--- a/drivers/gpu/drm/virtio/virtgpu_display.c
++++ b/drivers/gpu/drm/virtio/virtgpu_display.c
+@@ -187,6 +187,8 @@ static int virtio_gpu_conn_get_modes(struct drm_connector *connector)
+ DRM_DEBUG("add mode: %dx%d\n", width, height);
+ mode = drm_cvt_mode(connector->dev, width, height, 60,
+ false, false, false);
++ if (!mode)
++ return count;
+ mode->type |= DRM_MODE_TYPE_PREFERRED;
+ drm_mode_probed_add(connector, mode);
+ count++;
+--
+2.35.1
+
diff --git a/queue-4.14/efi-add-missing-prototype-for-efi_capsule_setup_info.patch b/queue-4.14/efi-add-missing-prototype-for-efi_capsule_setup_info.patch
new file mode 100644
index 00000000000..9e3aba856a5
--- /dev/null
+++ b/queue-4.14/efi-add-missing-prototype-for-efi_capsule_setup_info.patch
@@ -0,0 +1,37 @@
+From bcccc99a5f67c43c18cf1d127a0c106769831165 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 4 Mar 2022 07:36:37 +0100
+Subject: efi: Add missing prototype for efi_capsule_setup_info
+
+From: Jan Kiszka
+
+[ Upstream commit aa480379d8bdb33920d68acfd90f823c8af32578 ]
+
+Fixes "no previous declaration for 'efi_capsule_setup_info'" warnings
+under W=1.
+
+Fixes: 2959c95d510c ("efi/capsule: Add support for Quark security header")
+Signed-off-by: Jan Kiszka
+Link: https://lore.kernel.org/r/c28d3f86-dd72-27d1-e2c2-40971b8da6bd@siemens.com
+Signed-off-by: Ard Biesheuvel
+Signed-off-by: Sasha Levin
+---
+ include/linux/efi.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/linux/efi.h b/include/linux/efi.h
+index 598ee6ba5b18..2c63afd68978 100644
+--- a/include/linux/efi.h
++++ b/include/linux/efi.h
+@@ -150,6 +150,8 @@ struct capsule_info {
+ size_t page_bytes_remain;
+ };
+
++int efi_capsule_setup_info(struct capsule_info *cap_info, void *kbuff,
++ size_t hdr_bytes);
+ int __efi_capsule_setup_info(struct capsule_info *cap_info);
+
+ /*
+--
+2.35.1
+
diff --git a/queue-4.14/eth-tg3-silence-the-gcc-12-array-bounds-warning.patch b/queue-4.14/eth-tg3-silence-the-gcc-12-array-bounds-warning.patch
new file mode 100644
index 00000000000..efc23053feb
--- /dev/null
+++ b/queue-4.14/eth-tg3-silence-the-gcc-12-array-bounds-warning.patch
@@ -0,0 +1,47 @@
+From 5d1a9a29fa83aee06e07539751e285cfd007b717 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 20 May 2022 12:56:05 -0700
+Subject: eth: tg3: silence the GCC 12 array-bounds warning
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jakub Kicinski
+
+[ Upstream commit 9dec850fd7c210a04b4707df8e6c95bfafdd6a4b ]
+
+GCC 12 currently generates a rather inconsistent warning:
+
+drivers/net/ethernet/broadcom/tg3.c:17795:51: warning: array subscript 5 is above array bounds of ‘struct tg3_napi[5]’ [-Warray-bounds]
+17795 | struct tg3_napi *tnapi = &tp->napi[i];
+ | ~~~~~~~~^~~
+
+i is guaranteed < tp->irq_max which in turn is either 1 or 5.
+There are more loops like this one in the driver, but strangely
+GCC 12 dislikes only this single one.
+
+Silence this silliness for now.
+
+Signed-off-by: Jakub Kicinski
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/broadcom/Makefile | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/broadcom/Makefile b/drivers/net/ethernet/broadcom/Makefile
+index 7046ad6d3d0e..ac50da49ca77 100644
+--- a/drivers/net/ethernet/broadcom/Makefile
++++ b/drivers/net/ethernet/broadcom/Makefile
+@@ -16,3 +16,8 @@ obj-$(CONFIG_BGMAC_BCMA) += bgmac-bcma.o bgmac-bcma-mdio.o
+ obj-$(CONFIG_BGMAC_PLATFORM) += bgmac-platform.o
+ obj-$(CONFIG_SYSTEMPORT) += bcmsysport.o
+ obj-$(CONFIG_BNXT) += bnxt/
++
++# FIXME: temporarily silence -Warray-bounds on non W=1+ builds
++ifndef KBUILD_EXTRA_WARN
++CFLAGS_tg3.o += -Wno-array-bounds
++endif
+--
+2.35.1
+
diff --git a/queue-4.14/fat-add-ratelimit-to-fat-_ent_bread.patch b/queue-4.14/fat-add-ratelimit-to-fat-_ent_bread.patch
new file mode 100644
index 00000000000..8d0a3e35ef3
--- /dev/null
+++ b/queue-4.14/fat-add-ratelimit-to-fat-_ent_bread.patch
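Review bot: The `ifndef KBUILD_EXTRA_WARN` guard added to drivers/net/ethernet/broadcom/Makefile may never be false on a 4.14 tree. As far as I know that variable came from a later rename of `KBUILD_ENABLE_EXTRA_GCC_CHECKS`, so if this branch still uses the old name, `-Wno-array-bounds` is applied to tg3.o on W=1 builds too, contrary to the FIXME. Please confirm which name this branch's kbuild sets and, if it is the old one, test `ifndef KBUILD_ENABLE_EXTRA_GCC_CHECKS` instead. Separately, the flag turns the diagnostic off for all of tg3.c rather than for the single loop the commit message names, so a real out-of-bounds index added to that file later would also go unreported.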
@@ -0,0 +1,50 @@
+From 56482f334a78e92b91c05721f7a7a62cd6ea3ed7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 29 Apr 2022 14:38:02 -0700
+Subject: fat: add ratelimit to fat*_ent_bread()
+
+From: OGAWA Hirofumi
+
+[ Upstream commit 183c3237c928109d2008c0456dff508baf692b20 ]
+
+fat*_ent_bread() can be the cause of too many report on I/O error path.
+So use fat_msg_ratelimit() instead.
+
+Link: https://lkml.kernel.org/r/87bkxogfeq.fsf@mail.parknet.co.jp
+Signed-off-by: OGAWA Hirofumi
+Reported-by: qianfan
+Tested-by: qianfan
+Signed-off-by: Andrew Morton
+Signed-off-by: Sasha Levin
+---
+ fs/fat/fatent.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/fs/fat/fatent.c b/fs/fat/fatent.c
+index 24ed1f4e48ae..3ef3e773da1b 100644
+--- a/fs/fat/fatent.c
++++ b/fs/fat/fatent.c
+@@ -92,7 +92,8 @@ static int fat12_ent_bread(struct super_block *sb, struct fat_entry *fatent,
+ err_brelse:
+ brelse(bhs[0]);
+ err:
+- fat_msg(sb, KERN_ERR, "FAT read failed (blocknr %llu)", (llu)blocknr);
++ fat_msg_ratelimit(sb, KERN_ERR, "FAT read failed (blocknr %llu)",
++ (llu)blocknr);
+ return -EIO;
+ }
+
+@@ -105,8 +106,8 @@ static int fat_ent_bread(struct super_block *sb, struct fat_entry *fatent,
+ fatent->fat_inode = MSDOS_SB(sb)->fat_inode;
+ fatent->bhs[0] = sb_bread(sb, blocknr);
+ if (!fatent->bhs[0]) {
+- fat_msg(sb, KERN_ERR, "FAT read failed (blocknr %llu)",
+- (llu)blocknr);
++ fat_msg_ratelimit(sb, KERN_ERR, "FAT read failed (blocknr %llu)",
++ (llu)blocknr);
+ return -EIO;
+ }
+ fatent->nr_bhs = 1;
+--
+2.35.1
+
diff --git a/queue-4.14/fs-jfs-fix-possible-null-pointer-dereference-in-dbfr.patch b/queue-4.14/fs-jfs-fix-possible-null-pointer-dereference-in-dbfr.patch
new file mode 100644
index 00000000000..0d7c887b4ae
--- /dev/null
+++ b/queue-4.14/fs-jfs-fix-possible-null-pointer-dereference-in-dbfr.patch
@@ -0,0 +1,59 @@
+From 72657ae985e992a7be969971a8a0e320871d40cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 11 Apr 2022 18:45:34 +0800
+Subject: fs: jfs: fix possible NULL pointer dereference in dbFree()
+
+From: Zixuan Fu
+
+[ Upstream commit 0d4837fdb796f99369cf7691d33de1b856bcaf1f ]
+
+In our fault-injection testing, the variable "nblocks" in dbFree() can be
+zero when kmalloc_array() fails in dtSearch(). In this case, the variable
+ "mp" in dbFree() would be NULL and then it is dereferenced in
+"write_metapage(mp)".
+
+The failure log is listed as follows:
+
+[ 13.824137] BUG: kernel NULL pointer dereference, address: 0000000000000020
+...
+[ 13.827416] RIP: 0010:dbFree+0x5f7/0x910 [jfs]
+[ 13.834341] Call Trace:
+[ 13.834540]
+[ 13.834713] txFreeMap+0x7b4/0xb10 [jfs]
+[ 13.835038] txUpdateMap+0x311/0x650 [jfs]
+[ 13.835375] jfs_lazycommit+0x5f2/0xc70 [jfs]
+[ 13.835726] ? sched_dynamic_update+0x1b0/0x1b0
+[ 13.836092] kthread+0x3c2/0x4a0
+[ 13.836355] ? txLockFree+0x160/0x160 [jfs]
+[ 13.836763] ? kthread_unuse_mm+0x160/0x160
+[ 13.837106] ret_from_fork+0x1f/0x30
+[ 13.837402]
+...
+
+This patch adds a NULL check of "mp" before "write_metapage(mp)" is called.
+
+Reported-by: TOTE Robot
+Signed-off-by: Zixuan Fu
+Signed-off-by: Dave Kleikamp
+Signed-off-by: Sasha Levin
+---
+ fs/jfs/jfs_dmap.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
+index 6dac48e29d28..a07fbb60ac3c 100644
+--- a/fs/jfs/jfs_dmap.c
++++ b/fs/jfs/jfs_dmap.c
+@@ -398,7 +398,8 @@ int dbFree(struct inode *ip, s64 blkno, s64 nblocks)
+ }
+
+ /* write the last buffer. */
+- write_metapage(mp);
++ if (mp)
++ write_metapage(mp);
+
+ IREAD_UNLOCK(ipbmap);
+
+--
+2.35.1
+
diff --git a/queue-4.14/fsnotify-fix-wrong-lockdep-annotations.patch b/queue-4.14/fsnotify-fix-wrong-lockdep-annotations.patch
new file mode 100644
index 00000000000..3cf8f4bccdd
--- /dev/null
+++ b/queue-4.14/fsnotify-fix-wrong-lockdep-annotations.patch
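Review bot: The new `if (mp)` guard before `write_metapage(mp)` in dbFree() (fs/jfs/jfs_dmap.c) tolerates the invalid input instead of rejecting it. Per the commit message `mp` is NULL only when `nblocks` is zero, and in that case the function still runs through to `IREAD_UNLOCK(ipbmap)` as if a free had taken place. An explicit check on `nblocks` at the top of dbFree() would make the contract visible to callers. If the guard stays as is, a comment such as `/* mp is NULL when nblocks == 0 and no dmap page was read */` would explain why the last buffer may not exist. The start of dbFree() is outside the hunk, so any existing entry checks could not be verified here.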
@@ -0,0 +1,74 @@
+From bda1877bd56a4c60cb87d93859deeb4367519f81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 22 Apr 2022 15:03:14 +0300
+Subject: fsnotify: fix wrong lockdep annotations
+
+From: Amir Goldstein
+
+[ Upstream commit 623af4f538b5df9b416e1b82f720af7371b4c771 ]
+
+Commit 6960b0d909cd ("fsnotify: change locking order") changed some
+of the mark_mutex locks in direct reclaim path to use:
+ mutex_lock_nested(&group->mark_mutex, SINGLE_DEPTH_NESTING);
+
+This change is explained:
+ "...It uses nested locking to avoid deadlock in case we do the final
+ iput() on an inode which still holds marks and thus would take the
+ mutex again when calling fsnotify_inode_delete() in destroy_inode()."
+
+The problem is that the mutex_lock_nested() is not a nested lock at
+all. In fact, it has the opposite effect of preventing lockdep from
+warning about a very possible deadlock.
+
+Due to these wrong annotations, a deadlock that was introduced with
+nfsd filecache in kernel v5.4 went unnoticed in v5.4.y for over two
+years until it was reported recently by Khazhismel Kumykov, only to
+find out that the deadlock was already fixed in kernel v5.5.
+
+Fix the wrong lockdep annotations.
+
+Cc: Khazhismel Kumykov
+Fixes: 6960b0d909cd ("fsnotify: change locking order")
+Link: https://lore.kernel.org/r/20220321112310.vpr7oxro2xkz5llh@quack3.lan/
+Link: https://lore.kernel.org/r/20220422120327.3459282-4-amir73il@gmail.com
+Signed-off-by: Amir Goldstein
+Signed-off-by: Jan Kara
+Signed-off-by: Sasha Levin
+---
+ fs/notify/mark.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/notify/mark.c b/fs/notify/mark.c
+index 258d99087183..9b7201d1398f 100644
+--- a/fs/notify/mark.c
++++ b/fs/notify/mark.c
+@@ -387,7 +387,7 @@ void fsnotify_free_mark(struct fsnotify_mark *mark)
+ void fsnotify_destroy_mark(struct fsnotify_mark *mark,
+ struct fsnotify_group *group)
+ {
+- mutex_lock_nested(&group->mark_mutex, SINGLE_DEPTH_NESTING);
++ mutex_lock(&group->mark_mutex);
+ fsnotify_detach_mark(mark);
+ mutex_unlock(&group->mark_mutex);
+ fsnotify_free_mark(mark);
+@@ -666,7 +666,7 @@ void fsnotify_clear_marks_by_group(struct fsnotify_group *group,
+ * move marks to free to to_free list in one go and then free marks in
+ * to_free list one by one.
+ */
+- mutex_lock_nested(&group->mark_mutex, SINGLE_DEPTH_NESTING);
++ mutex_lock(&group->mark_mutex);
+ list_for_each_entry_safe(mark, lmark, &group->marks_list, g_list) {
+ if (mark->connector->flags & type)
+ list_move(&mark->g_list, &to_free);
+@@ -675,7 +675,7 @@ void fsnotify_clear_marks_by_group(struct fsnotify_group *group,
+
+ clear:
+ while (1) {
+- mutex_lock_nested(&group->mark_mutex, SINGLE_DEPTH_NESTING);
++ mutex_lock(&group->mark_mutex);
+ if (list_empty(head)) {
+ mutex_unlock(&group->mark_mutex);
+ break;
+--
+2.35.1
+
diff --git a/queue-4.14/hid-hid-led-fix-maximum-brightness-for-dream-cheeky.patch b/queue-4.14/hid-hid-led-fix-maximum-brightness-for-dream-cheeky.patch
new file mode 100644
index 00000000000..a36164d75d9
--- /dev/null
+++ b/queue-4.14/hid-hid-led-fix-maximum-brightness-for-dream-cheeky.patch
@@ -0,0 +1,38 @@
+From 53340c0afe8735e2f2f50038a4280bab9ea97500 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 13 Mar 2022 19:48:18 +0000
+Subject: HID: hid-led: fix maximum brightness for Dream Cheeky
+
+From: Jonathan Teh
+
+[ Upstream commit 116c3f4a78ebe478d5ad5a038baf931e93e7d748 ]
+
+Increase maximum brightness for Dream Cheeky to 63. Emperically
+determined based on testing in kernel 4.4 on this device:
+
+Bus 003 Device 002: ID 1d34:0004 Dream Cheeky Webmail Notifier
+
+Fixes: 6c7ad07e9e05 ("HID: migrate USB LED driver from usb misc to hid")
+Signed-off-by: Jonathan Teh
+Signed-off-by: Jiri Kosina
+Signed-off-by: Sasha Levin
+---
+ drivers/hid/hid-led.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-led.c b/drivers/hid/hid-led.c
+index d3e1ab162f7c..7fc5982a0ca4 100644
+--- a/drivers/hid/hid-led.c
++++ b/drivers/hid/hid-led.c
+@@ -369,7 +369,7 @@ static const struct hidled_config hidled_configs[] = {
+ .type = DREAM_CHEEKY,
+ .name = "Dream Cheeky Webmail Notifier",
+ .short_name = "dream_cheeky",
+- .max_brightness = 31,
++ .max_brightness = 63,
+ .num_leds = 1,
+ .report_size = 9,
+ .report_type = RAW_REQUEST,
+--
+2.35.1
+
diff --git a/queue-4.14/inotify-show-inotify-mask-flags-in-proc-fdinfo.patch b/queue-4.14/inotify-show-inotify-mask-flags-in-proc-fdinfo.patch
new file mode 100644
index 00000000000..6c61f2fcef9
--- /dev/null
+++ b/queue-4.14/inotify-show-inotify-mask-flags-in-proc-fdinfo.patch
@@ -0,0 +1,86 @@
+From ca812808e46e202e6e17859402fe27e2549da6c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 22 Apr 2022 15:03:12 +0300
+Subject: inotify: show inotify mask flags in proc fdinfo
+
+From: Amir Goldstein
+
+[ Upstream commit a32e697cda27679a0327ae2cafdad8c7170f548f ]
+
+The inotify mask flags IN_ONESHOT and IN_EXCL_UNLINK are not "internal
+to kernel" and should be exposed in procfs fdinfo so CRIU can restore
+them.
+
+Fixes: 6933599697c9 ("inotify: hide internal kernel bits from fdinfo")
+Link: https://lore.kernel.org/r/20220422120327.3459282-2-amir73il@gmail.com
+Signed-off-by: Amir Goldstein
+Signed-off-by: Jan Kara
+Signed-off-by: Sasha Levin
+---
+ fs/notify/fdinfo.c | 11 ++---------
+ fs/notify/inotify/inotify.h | 12 ++++++++++++
+ fs/notify/inotify/inotify_user.c | 2 +-
+ 3 files changed, 15 insertions(+), 10 deletions(-)
+
+diff --git a/fs/notify/fdinfo.c b/fs/notify/fdinfo.c
+index 517f88c1dbe5..c62a87ee3b00 100644
+--- a/fs/notify/fdinfo.c
++++ b/fs/notify/fdinfo.c
+@@ -83,16 +83,9 @@ static void inotify_fdinfo(struct seq_file *m, struct fsnotify_mark *mark)
+ inode_mark = container_of(mark, struct inotify_inode_mark, fsn_mark);
+ inode = igrab(mark->connector->inode);
+ if (inode) {
+- /*
+- * IN_ALL_EVENTS represents all of the mask bits
+- * that we expose to userspace. There is at
+- * least one bit (FS_EVENT_ON_CHILD) which is
+- * used only internally to the kernel.
+- */
+- u32 mask = mark->mask & IN_ALL_EVENTS;
+- seq_printf(m, "inotify wd:%x ino:%lx sdev:%x mask:%x ignored_mask:%x ",
++ seq_printf(m, "inotify wd:%x ino:%lx sdev:%x mask:%x ignored_mask:0 ",
+ inode_mark->wd, inode->i_ino, inode->i_sb->s_dev,
+- mask, mark->ignored_mask);
++ inotify_mark_user_mask(mark));
+ show_mark_fhandle(m, inode);
+ seq_putc(m, '\n');
+ iput(inode);
+diff --git a/fs/notify/inotify/inotify.h b/fs/notify/inotify/inotify.h
+index c00d2caca894..63050e25c84d 100644
+--- a/fs/notify/inotify/inotify.h
++++ b/fs/notify/inotify/inotify.h
+@@ -21,6 +21,18 @@ static inline struct inotify_event_info *INOTIFY_E(struct fsnotify_event *fse)
+ return container_of(fse, struct inotify_event_info, fse);
+ }
+
++/*
++ * INOTIFY_USER_FLAGS represents all of the mask bits that we expose to
++ * userspace. There is at least one bit (FS_EVENT_ON_CHILD) which is
++ * used only internally to the kernel.
++ */
++#define INOTIFY_USER_MASK (IN_ALL_EVENTS | IN_ONESHOT | IN_EXCL_UNLINK)
++
++static inline __u32 inotify_mark_user_mask(struct fsnotify_mark *fsn_mark)
++{
++ return fsn_mark->mask & INOTIFY_USER_MASK;
++}
++
+ extern void inotify_ignored_and_remove_idr(struct fsnotify_mark *fsn_mark,
+ struct fsnotify_group *group);
+ extern int inotify_handle_event(struct fsnotify_group *group,
+diff --git a/fs/notify/inotify/inotify_user.c b/fs/notify/inotify/inotify_user.c
+index 7cc7d3fb1862..2393956542bc 100644
+--- a/fs/notify/inotify/inotify_user.c
++++ b/fs/notify/inotify/inotify_user.c
+@@ -95,7 +95,7 @@ static inline __u32 inotify_arg_to_mask(u32 arg)
+ mask = (FS_IN_IGNORED | FS_EVENT_ON_CHILD | FS_UNMOUNT);
+
+ /* mask off the flags used to open the fd */
+- mask |= (arg & (IN_ALL_EVENTS | IN_ONESHOT | IN_EXCL_UNLINK));
++ mask |= (arg & INOTIFY_USER_MASK);
+
+ return mask;
+ }
+--
+2.35.1
+
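Review bot: The comment added above `INOTIFY_USER_MASK` in fs/notify/inotify/inotify.h names a macro that is not defined: it opens with `INOTIFY_USER_FLAGS represents ...` while the definition that follows is `INOTIFY_USER_MASK`. It should read `INOTIFY_USER_MASK represents all of the mask bits that we expose to userspace.` In fs/notify/fdinfo.c the format string now hard-codes `ignored_mask:0` and `mark->ignored_mask` is no longer printed, which neither the commit message nor a comment explains. A line such as `/* inotify has no ignored mask; the field is kept so the fdinfo format does not change */` would help anyone parsing this output, if that is indeed the reason.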
diff --git a/queue-4.14/input-sparcspkr-fix-refcount-leak-in-bbc_beep_probe.patch b/queue-4.14/input-sparcspkr-fix-refcount-leak-in-bbc_beep_probe.patch
new file mode 100644
index 00000000000..185ee6e1d0c
--- /dev/null
+++ b/queue-4.14/input-sparcspkr-fix-refcount-leak-in-bbc_beep_probe.patch
@@ -0,0 +1,38 @@
+From b999963d74b2e1c5f58d4e3803ea72f0151d12fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 16 May 2022 14:55:55 -0700
+Subject: Input: sparcspkr - fix refcount leak in bbc_beep_probe
+
+From: Miaoqian Lin
+
+[ Upstream commit c8994b30d71d64d5dcc9bc0edbfdf367171aa96f ]
+
+of_find_node_by_path() calls of_find_node_opts_by_path(),
+which returns a node pointer with refcount
+incremented, we should use of_node_put() on it when done.
+Add missing of_node_put() to avoid refcount leak.
+
+Fixes: 9c1a5077fdca ("input: Rewrite sparcspkr device probing.")
+Signed-off-by: Miaoqian Lin
+Link: https://lore.kernel.org/r/20220516081018.42728-1-linmq006@gmail.com
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Sasha Levin
+---
+ drivers/input/misc/sparcspkr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/input/misc/sparcspkr.c b/drivers/input/misc/sparcspkr.c
+index 4a5afc7fe96e..f6e1f38267d9 100644
+--- a/drivers/input/misc/sparcspkr.c
++++ b/drivers/input/misc/sparcspkr.c
+@@ -204,6 +204,7 @@ static int bbc_beep_probe(struct platform_device *op)
+
+ info = &state->u.bbc;
+ info->clock_freq = of_getintprop_default(dp, "clock-frequency", 0);
++ of_node_put(dp);
+ if (!info->clock_freq)
+ goto out_free;
+
+--
+2.35.1
+
diff --git a/queue-4.14/iommu-amd-increase-timeout-waiting-for-ga-log-enable.patch b/queue-4.14/iommu-amd-increase-timeout-waiting-for-ga-log-enable.patch
new file mode 100644
index 00000000000..b4ced7ceba8
--- /dev/null
+++ b/queue-4.14/iommu-amd-increase-timeout-waiting-for-ga-log-enable.patch
@@ -0,0 +1,54 @@
+From 2ca22738eabb7bb880560219bb80bf03a9e18366 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 20 May 2022 12:22:14 +0200
+Subject: iommu/amd: Increase timeout waiting for GA log enablement
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Joerg Roedel
+
+[ Upstream commit 42bb5aa043382f09bef2cc33b8431be867c70f8e ]
+
+On some systems it can take a long time for the hardware to enable the
+GA log of the AMD IOMMU. The current wait time is only 0.1ms, but
+testing showed that it can take up to 14ms for the GA log to enter
+running state after it has been enabled.
+
+Sometimes the long delay happens when booting the system, sometimes
+only on resume. Adjust the timeout accordingly to not print a warning
+when hardware takes a longer than usual.
+
+There has already been an attempt to fix this with commit
+
+ 9b45a7738eec ("iommu/amd: Fix loop timeout issue in iommu_ga_log_enable()")
+
+But that commit was based on some wrong math and did not fix the issue
+in all cases.
+
+Cc: "D. Ziegfeld"
+Cc: Jörg-Volker Peetz
+Fixes: 8bda0cfbdc1a ("iommu/amd: Detect and initialize guest vAPIC log")
+Signed-off-by: Joerg Roedel
+Link: https://lore.kernel.org/r/20220520102214.12563-1-joro@8bytes.org
+Signed-off-by: Sasha Levin
+---
+ drivers/iommu/amd_iommu_init.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c
+index 5dddbb9b06f1..2a6a108f0e8c 100644
+--- a/drivers/iommu/amd_iommu_init.c
++++ b/drivers/iommu/amd_iommu_init.c
+@@ -89,7 +89,7 @@
+ #define ACPI_DEVFLAG_LINT1 0x80
+ #define ACPI_DEVFLAG_ATSDIS 0x10000000
+
+-#define LOOP_TIMEOUT 100000
++#define LOOP_TIMEOUT 2000000
+ /*
+ * ACPI table definitions
+ *
+--
+2.35.1
+
diff --git a/queue-4.14/iommu-mediatek-add-list_del-in-mtk_iommu_remove.patch b/queue-4.14/iommu-mediatek-add-list_del-in-mtk_iommu_remove.patch
new file mode 100644
index 00000000000..b239bcfe51c
--- /dev/null
+++ b/queue-4.14/iommu-mediatek-add-list_del-in-mtk_iommu_remove.patch
@@ -0,0 +1,43 @@
+From 83d7e0a9bfb2d288996824f4da4d91a651ad0397 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 3 May 2022 15:13:56 +0800
+Subject: iommu/mediatek: Add list_del in mtk_iommu_remove
+
+From: Yong Wu
+
+[ Upstream commit ee55f75e4bcade81d253163641b63bef3e76cac4 ]
+
+Lack the list_del in the mtk_iommu_remove, and remove
+bus_set_iommu(*, NULL) since there may be several iommu HWs.
+we can not bus_set_iommu null when one iommu driver unbind.
+
+This could be a fix for mt2712 which support 2 M4U HW and list them.
+
+Fixes: 7c3a2ec02806 ("iommu/mediatek: Merge 2 M4U HWs into one iommu domain")
+Signed-off-by: Yong Wu
+Reviewed-by: AngeloGioacchino Del Regno
+Reviewed-by: Matthias Brugger
+Link: https://lore.kernel.org/r/20220503071427.2285-6-yong.wu@mediatek.com
+Signed-off-by: Joerg Roedel
+Signed-off-by: Sasha Levin
+---
+ drivers/iommu/mtk_iommu.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/iommu/mtk_iommu.c b/drivers/iommu/mtk_iommu.c
+index 0f99e95a1a73..7ac868c71577 100644
+--- a/drivers/iommu/mtk_iommu.c
++++ b/drivers/iommu/mtk_iommu.c
+@@ -696,8 +696,7 @@ static int mtk_iommu_remove(struct platform_device *pdev)
+ iommu_device_sysfs_remove(&data->iommu);
+ iommu_device_unregister(&data->iommu);
+
+- if (iommu_present(&platform_bus_type))
+- bus_set_iommu(&platform_bus_type, NULL);
++ list_del(&data->list);
+
+ clk_disable_unprepare(data->bclk);
+ devm_free_irq(&pdev->dev, data->irq, data);
+--
+2.35.1
+
diff --git a/queue-4.14/ipmi-ssif-check-for-null-msg-when-handling-events-an.patch b/queue-4.14/ipmi-ssif-check-for-null-msg-when-handling-events-an.patch
new file mode 100644
index 00000000000..b8da508849b
--- /dev/null
+++ b/queue-4.14/ipmi-ssif-check-for-null-msg-when-handling-events-an.patch
@@ -0,0 +1,75 @@
+From 723133087ef9be5b6e55613e316561f6f99e1472 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 1 Apr 2022 07:44:53 -0500
+Subject: ipmi:ssif: Check for NULL msg when handling events and messages
+
+From: Corey Minyard
+
+[ Upstream commit 7602b957e2404e5f98d9a40b68f1fd27f0028712 ]
+
+Even though it's not possible to get into the SSIF_GETTING_MESSAGES and
+SSIF_GETTING_EVENTS states without a valid message in the msg field,
+it's probably best to be defensive here and check and print a log, since
+that means something else went wrong.
+
+Also add a default clause to that switch statement to release the lock
+and print a log, in case the state variable gets messed up somehow.
+
+Reported-by: Haowen Bai
+Signed-off-by: Corey Minyard
+Signed-off-by: Sasha Levin
+---
+ drivers/char/ipmi/ipmi_ssif.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+diff --git a/drivers/char/ipmi/ipmi_ssif.c b/drivers/char/ipmi/ipmi_ssif.c
+index cf87bfe971e6..171c54c86356 100644
+--- a/drivers/char/ipmi/ipmi_ssif.c
++++ b/drivers/char/ipmi/ipmi_ssif.c
+@@ -816,6 +816,14 @@ static void msg_done_handler(struct ssif_info *ssif_info, int result,
+ break;
+
+ case SSIF_GETTING_EVENTS:
++ if (!msg) {
++ /* Should never happen, but just in case. */
++ dev_warn(&ssif_info->client->dev,
++ "No message set while getting events\n");
++ ipmi_ssif_unlock_cond(ssif_info, flags);
++ break;
++ }
++
+ if ((result < 0) || (len < 3) || (msg->rsp[2] != 0)) {
+ /* Error getting event, probably done. */
+ msg->done(msg);
+@@ -839,6 +847,14 @@ static void msg_done_handler(struct ssif_info *ssif_info, int result,
+ break;
+
+ case SSIF_GETTING_MESSAGES:
++ if (!msg) {
++ /* Should never happen, but just in case. */
++ dev_warn(&ssif_info->client->dev,
++ "No message set while getting messages\n");
++ ipmi_ssif_unlock_cond(ssif_info, flags);
++ break;
++ }
++
+ if ((result < 0) || (len < 3) || (msg->rsp[2] != 0)) {
+ /* Error getting event, probably done. */
+ msg->done(msg);
+@@ -861,6 +877,13 @@ static void msg_done_handler(struct ssif_info *ssif_info, int result,
+ deliver_recv_msg(ssif_info, msg);
+ }
+ break;
++
++ default:
++ /* Should never happen, but just in case. */
++ dev_warn(&ssif_info->client->dev,
++ "Invalid state in message done handling: %d\n",
++ ssif_info->ssif_state);
++ ipmi_ssif_unlock_cond(ssif_info, flags);
+ }
+
+ flags = ipmi_ssif_lock_cond(ssif_info, &oflags);
+--
+2.35.1
+
diff --git a/queue-4.14/ipv6-don-t-send-rs-packets-to-the-interface-of-arphr.patch b/queue-4.14/ipv6-don-t-send-rs-packets-to-the-interface-of-arphr.patch
new file mode 100644
index 00000000000..a304fcc6012
--- /dev/null
+++ b/queue-4.14/ipv6-don-t-send-rs-packets-to-the-interface-of-arphr.patch
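Review bot: The two new `if (!msg)` branches in msg_done_handler() (drivers/char/ipmi/ipmi_ssif.c) release the lock and `break` without touching `ssif_info->ssif_state`, so the handler leaves the switch still in SSIF_GETTING_EVENTS or SSIF_GETTING_MESSAGES; the new `default:` arm likewise leaves the unexpected state in place. Whether the code after the switch recovers from that is outside the hunk, but if idle detection depends on the state being reset, the interface could remain stuck after exactly the fault these checks are meant to survive. Consider resetting the state before unlocking in each new branch, e.g. `ssif_info->ssif_state = SSIF_NORMAL;` if that is the driver's idle state. The three `dev_warn()` calls are also unthrottled; `dev_warn_ratelimited()` would keep a repeating fault from flooding the log.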
@@ -0,0 +1,50 @@
+From 6f101ceb7791fc89b09d5e74f19363627595d651 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 29 Apr 2022 13:38:02 +0800
+Subject: ipv6: Don't send rs packets to the interface of ARPHRD_TUNNEL
+
+From: jianghaoran
+
+[ Upstream commit b52e1cce31ca721e937d517411179f9196ee6135 ]
+
+ARPHRD_TUNNEL interface can't process rs packets
+and will generate TX errors
+
+ex:
+ip tunnel add ethn mode ipip local 192.168.1.1 remote 192.168.1.2
+ifconfig ethn x.x.x.x
+
+ethn: flags=209 mtu 1480
+ inet x.x.x.x netmask 255.255.255.255 destination x.x.x.x
+ inet6 fe80::5efe:ac1e:3cdb prefixlen 64 scopeid 0x20
+ tunnel txqueuelen 1000 (IPIP Tunnel)
+ RX packets 0 bytes 0 (0.0 B)
+ RX errors 0 dropped 0 overruns 0 frame 0
+ TX packets 0 bytes 0 (0.0 B)
+ TX errors 3 dropped 0 overruns 0 carrier 0 collisions 0
+
+Signed-off-by: jianghaoran
+Link: https://lore.kernel.org/r/20220429053802.246681-1-jianghaoran@kylinos.cn
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv6/addrconf.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
+index 09807202bd1c..0d3e76b160a5 100644
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -4058,7 +4058,8 @@ static void addrconf_dad_completed(struct inet6_ifaddr *ifp, bool bump_id,
+ send_rs = send_mld &&
+ ipv6_accept_ra(ifp->idev) &&
+ ifp->idev->cnf.rtr_solicits != 0 &&
+- (dev->flags&IFF_LOOPBACK) == 0;
++ (dev->flags & IFF_LOOPBACK) == 0 &&
++ (dev->type != ARPHRD_TUNNEL);
+ read_unlock_bh(&ifp->idev->lock);
+
+ /* While dad is in progress mld report's source address is in6_addrany.
+--
+2.35.1
+
diff --git a/queue-4.14/ipw2x00-fix-potential-null-dereference-in-libipw_xmi.patch b/queue-4.14/ipw2x00-fix-potential-null-dereference-in-libipw_xmi.patch
new file mode 100644
index 00000000000..18f0d9b4bb8
--- /dev/null
+++ b/queue-4.14/ipw2x00-fix-potential-null-dereference-in-libipw_xmi.patch
@@ -0,0 +1,36 @@
+From 442a5629972359c3d4d9da5202b6b302ff6498eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 1 Apr 2022 15:10:54 +0800
+Subject: ipw2x00: Fix potential NULL dereference in libipw_xmit()
+
+From: Haowen Bai
+
+[ Upstream commit e8366bbabe1d207cf7c5b11ae50e223ae6fc278b ]
+
+crypt and crypt->ops could be null, so we need to checking null
+before dereference
+
+Signed-off-by: Haowen Bai
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/1648797055-25730-1-git-send-email-baihaowen@meizu.com
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/intel/ipw2x00/libipw_tx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/ipw2x00/libipw_tx.c b/drivers/net/wireless/intel/ipw2x00/libipw_tx.c
+index 84205aa508df..daa4f9eb08ff 100644
+--- a/drivers/net/wireless/intel/ipw2x00/libipw_tx.c
++++ b/drivers/net/wireless/intel/ipw2x00/libipw_tx.c
+@@ -397,7 +397,7 @@ netdev_tx_t libipw_xmit(struct sk_buff *skb, struct net_device *dev)
+
+ /* Each fragment may need to have room for encryption
+ * pre/postfix */
+- if (host_encrypt)
++ if (host_encrypt && crypt && crypt->ops)
+ bytes_per_frag -= crypt->ops->extra_mpdu_prefix_len +
+ crypt->ops->extra_mpdu_postfix_len;
+
+--
+2.35.1
+
diff --git a/queue-4.14/irqchip-aspeed-i2c-ic-fix-irq_of_parse_and_map-retur.patch b/queue-4.14/irqchip-aspeed-i2c-ic-fix-irq_of_parse_and_map-retur.patch
new file mode 100644
index 00000000000..a534ea33aea
--- /dev/null
+++ b/queue-4.14/irqchip-aspeed-i2c-ic-fix-irq_of_parse_and_map-retur.patch
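Review bot: With the new condition in libipw_xmit() (drivers/net/wireless/intel/ipw2x00/libipw_tx.c), a frame for which `host_encrypt` is set but `crypt` or `crypt->ops` is NULL no longer crashes here, yet it continues down the transmit path with no prefix/postfix room reserved. The rest of the function is outside the hunk, so it cannot be confirmed from here whether the later per-fragment encryption step checks `crypt` again or whether such a frame could go out unencrypted. When encryption was requested and no usable crypto ops exist, failing closed (dropping the frame and counting a TX error) is safer than proceeding silently. At minimum the `if` deserves a comment stating what happens to the frame in that case.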
@@ -0,0 +1,38 @@
+From 7afbda50d15252ad570f80851778236e4b00bb86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 23 Apr 2022 11:42:26 +0200
+Subject: irqchip/aspeed-i2c-ic: Fix irq_of_parse_and_map() return value
+
+From: Krzysztof Kozlowski
+
+[ Upstream commit 50f0f26e7c8665763d0d7d3372dbcf191f94d077 ]
+
+The irq_of_parse_and_map() returns 0 on failure, not a negative ERRNO.
+
+Fixes: f48e699ddf70 ("irqchip/aspeed-i2c-ic: Add I2C IRQ controller for Aspeed")
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: Marc Zyngier
+Link: https://lore.kernel.org/r/20220423094227.33148-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Sasha Levin
+---
+ drivers/irqchip/irq-aspeed-i2c-ic.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/irqchip/irq-aspeed-i2c-ic.c b/drivers/irqchip/irq-aspeed-i2c-ic.c
+index 815b88dd18f2..45de46066d06 100644
+--- a/drivers/irqchip/irq-aspeed-i2c-ic.c
++++ b/drivers/irqchip/irq-aspeed-i2c-ic.c
+@@ -82,8 +82,8 @@ static int __init aspeed_i2c_ic_of_init(struct device_node *node,
+ }
+
+ i2c_ic->parent_irq = irq_of_parse_and_map(node, 0);
+- if (i2c_ic->parent_irq < 0) {
+- ret = i2c_ic->parent_irq;
++ if (!i2c_ic->parent_irq) {
++ ret = -EINVAL;
+ goto err_iounmap;
+ }
+
+--
+2.35.1
+
diff --git a/queue-4.14/m68k-math-emu-fix-dependencies-of-math-emulation-sup.patch b/queue-4.14/m68k-math-emu-fix-dependencies-of-math-emulation-sup.patch
new file mode 100644
index 00000000000..3c6be2ad7e7
--- /dev/null
+++ b/queue-4.14/m68k-math-emu-fix-dependencies-of-math-emulation-sup.patch
@@ -0,0 +1,56 @@
+From 820408ce22caf21d2c32e5927322100d2e56a3d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 13 May 2022 14:50:28 +0200
+Subject: m68k: math-emu: Fix dependencies of math emulation support
+
+From: Geert Uytterhoeven
+
+[ Upstream commit ed6bc6bf0a7d75e80eb1df883c09975ebb74e590 ]
+
+If CONFIG_M54xx=y, CONFIG_MMU=y, and CONFIG_M68KFPU_EMU=y:
+
+ {standard input}:272: Error: invalid instruction for this architecture; needs 68000 or higher (68000 [68ec000, 68hc000, 68hc001, 68008, 68302, 68306, 68307, 68322, 68356], 68010, 68020 [68k, 68ec020], 68030 [68ec030], 68040 [68ec040], 68060 [68ec060], cpu32 [68330, 68331, 68332, 68333, 68334, 68336, 68340, 68341, 68349, 68360], fidoa [fido]) -- statement `sub.b %d1,%d3' ignored
+ {standard input}:609: Error: invalid instruction for this architecture; needs 68020 or higher (68020 [68k, 68ec020], 68030 [68ec030], 68040 [68ec040], 68060 [68ec060]) -- statement `bfextu 4(%a1){%d0,#8},%d0' ignored
+ {standard input}:752: Error: operands mismatch -- statement `mulu.l 4(%a0),%d3:%d0' ignored
+ {standard input}:1155: Error: operands mismatch -- statement `divu.l %d0,%d3:%d7' ignored
+
+The math emulation support code is intended for 68020 and higher, and
+uses several instructions or instruction modes not available on coldfire
+or 68000.
+
+Originally, the dependency of M68KFPU_EMU on MMU was fine, as MMU
+support was only available on 68020 or higher. But this assumption
+was broken by the introduction of MMU support for M547x and M548x.
+
+Drop the dependency on MMU, as the code should work fine on 68020 and up
+without MMU (which are not yet supported by Linux, though).
+Add dependencies on M68KCLASSIC (to rule out Coldfire) and FPU (kernel
+has some type of floating-point support --- be it hardware or software
+emulated, to rule out anything below 68020).
+
+Fixes: 1f7034b9616e6f14 ("m68k: allow ColdFire 547x and 548x CPUs to be built with MMU enabled")
+Reported-by: kernel test robot
+Signed-off-by: Geert Uytterhoeven
+Reviewed-by: Greg Ungerer
+Link: https://lore.kernel.org/r/18c34695b7c95107f60ccca82a4ff252f3edf477.1652446117.git.geert@linux-m68k.org
+Signed-off-by: Sasha Levin
+---
+ arch/m68k/Kconfig.cpu | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/m68k/Kconfig.cpu b/arch/m68k/Kconfig.cpu
+index ff5f0896318b..6f13c53c8dc7 100644
+--- a/arch/m68k/Kconfig.cpu
++++ b/arch/m68k/Kconfig.cpu
+@@ -308,7 +308,7 @@ comment "Processor Specific Options"
+
+ config M68KFPU_EMU
+ bool "Math emulation support"
+- depends on MMU
++ depends on M68KCLASSIC && FPU
+ help
+ At some point in the future, this will cause floating-point math
+ instructions to be emulated by the kernel on machines that lack a
+--
+2.35.1
+
diff --git a/queue-4.14/macintosh-via-pmu-fix-build-failure-when-config_inpu.patch b/queue-4.14/macintosh-via-pmu-fix-build-failure-when-config_inpu.patch
new file mode 100644
index 00000000000..a0dae9faf0f
--- /dev/null
+++ b/queue-4.14/macintosh-via-pmu-fix-build-failure-when-config_inpu.patch
@@ -0,0 +1,82 @@
+From 80e77e81b129ab1bc5a48f5c43f63a800ad7e15b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 7 Apr 2022 20:11:32 +1000
+Subject: macintosh/via-pmu: Fix build failure when CONFIG_INPUT is disabled
+
+From: Finn Thain
+
+[ Upstream commit 86ce436e30d86327c9f5260f718104ae7b21f506 ]
+
+drivers/macintosh/via-pmu-event.o: In function `via_pmu_event':
+via-pmu-event.c:(.text+0x44): undefined reference to `input_event'
+via-pmu-event.c:(.text+0x68): undefined reference to `input_event'
+via-pmu-event.c:(.text+0x94): undefined reference to `input_event'
+via-pmu-event.c:(.text+0xb8): undefined reference to `input_event'
+drivers/macintosh/via-pmu-event.o: In function `via_pmu_event_init':
+via-pmu-event.c:(.init.text+0x20): undefined reference to `input_allocate_device'
+via-pmu-event.c:(.init.text+0xc4): undefined reference to `input_register_device'
+via-pmu-event.c:(.init.text+0xd4): undefined reference to `input_free_device'
+make[1]: *** [Makefile:1155: vmlinux] Error 1
+make: *** [Makefile:350: __build_one_by_one] Error 2
+
+Don't call into the input subsystem unless CONFIG_INPUT is built-in.
+
+Reported-by: kernel test robot
+Signed-off-by: Finn Thain
+Tested-by: Randy Dunlap
+Reviewed-by: Christophe Leroy
+Acked-by: Randy Dunlap
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/5edbe76ce68227f71e09af4614cc4c1bd61c7ec8.1649326292.git.fthain@linux-m68k.org
+Signed-off-by: Sasha Levin
+---
+ drivers/macintosh/Kconfig | 4 ++++
+ drivers/macintosh/Makefile | 3 ++-
+ drivers/macintosh/via-pmu.c | 2 +-
+ 3 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/macintosh/Kconfig b/drivers/macintosh/Kconfig
+index 97a420c11eed..5e47d91da519 100644
+--- a/drivers/macintosh/Kconfig
++++ b/drivers/macintosh/Kconfig
+@@ -77,6 +77,10 @@ config ADB_PMU
+ this device; you should do so if your machine is one of those
+ mentioned above.
+
++config ADB_PMU_EVENT
++ def_bool y
++ depends on ADB_PMU && INPUT=y
++
+ config ADB_PMU_LED
+ bool "Support for the Power/iBook front LED"
+ depends on ADB_PMU
+diff --git a/drivers/macintosh/Makefile b/drivers/macintosh/Makefile
+index ee803638e595..ff099c7d4edd 100644
+--- a/drivers/macintosh/Makefile
++++ b/drivers/macintosh/Makefile
+@@ -12,7 +12,8 @@ obj-$(CONFIG_MAC_EMUMOUSEBTN) += mac_hid.o
+ obj-$(CONFIG_INPUT_ADBHID) += adbhid.o
+ obj-$(CONFIG_ANSLCD) += ans-lcd.o
+
+-obj-$(CONFIG_ADB_PMU) += via-pmu.o via-pmu-event.o
++obj-$(CONFIG_ADB_PMU) += via-pmu.o
++obj-$(CONFIG_ADB_PMU_EVENT) += via-pmu-event.o
+ obj-$(CONFIG_ADB_PMU_LED) += via-pmu-led.o
+ obj-$(CONFIG_PMAC_BACKLIGHT) += via-pmu-backlight.o
+ obj-$(CONFIG_ADB_CUDA) += via-cuda.o
+diff --git a/drivers/macintosh/via-pmu.c b/drivers/macintosh/via-pmu.c
+index f6e040fcad9a..9d6828f49779 100644
+--- a/drivers/macintosh/via-pmu.c
++++ b/drivers/macintosh/via-pmu.c
+@@ -1440,7 +1440,7 @@ pmu_handle_data(unsigned char *data, int len)
+ pmu_pass_intr(data, len);
+ /* len == 6 is probably a bad check. But how do I
+ * know what PMU versions send what events here? */
+- if (len == 6) {
++ if (IS_ENABLED(CONFIG_ADB_PMU_EVENT) && len == 6) {
+ via_pmu_event(PMU_EVT_POWER, !!(data[1]&8));
+ via_pmu_event(PMU_EVT_LID, data[1]&1);
+ }
+--
+2.35.1
+
diff --git a/queue-4.14/mailbox-forward-the-hrtimer-if-not-queued-and-under-.patch b/queue-4.14/mailbox-forward-the-hrtimer-if-not-queued-and-under-.patch
new file mode 100644
index 00000000000..6cee3893928
--- /dev/null
+++ b/queue-4.14/mailbox-forward-the-hrtimer-if-not-queued-and-under-.patch
@@ -0,0 +1,112 @@ +From 2f5e45c1896b827e1caa8462b6547066374ea51f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Mar 2022 09:01:15 +0200 +Subject: mailbox: forward the hrtimer if not queued and under a lock +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Björn Ardö + +[ Upstream commit bca1a1004615efe141fd78f360ecc48c60bc4ad5 ] + +This reverts commit c7dacf5b0f32957b24ef29df1207dc2cd8307743, +"mailbox: avoid timer start from callback" + +The previous commit was reverted since it lead to a race that +caused the hrtimer to not be started at all. The check for +hrtimer_active() in msg_submit() will return true if the +callback function txdone_hrtimer() is currently running. This +function could return HRTIMER_NORESTART and then the timer +will not be restarted, and also msg_submit() will not start +the timer. This will lead to a message actually being submitted +but no timer will start to check for its compleation. + +The original fix that added checking hrtimer_active() was added to +avoid a warning with hrtimer_forward. Looking in the kernel +another solution to avoid this warning is to check hrtimer_is_queued() +before calling hrtimer_forward_now() instead. This however requires a +lock so the timer is not started by msg_submit() inbetween this check +and the hrtimer_forward() call. 
+ +Fixes: c7dacf5b0f32 ("mailbox: avoid timer start from callback") +Signed-off-by: Björn Ardö +Signed-off-by: Jassi Brar +Signed-off-by: Sasha Levin +--- + drivers/mailbox/mailbox.c | 19 +++++++++++++------ + include/linux/mailbox_controller.h | 1 + + 2 files changed, 14 insertions(+), 6 deletions(-) + +diff --git a/drivers/mailbox/mailbox.c b/drivers/mailbox/mailbox.c +index 10a559cfb7ea..aa28fdcb81b9 100644 +--- a/drivers/mailbox/mailbox.c ++++ b/drivers/mailbox/mailbox.c +@@ -85,11 +85,11 @@ static void msg_submit(struct mbox_chan *chan) + exit: + spin_unlock_irqrestore(&chan->lock, flags); + +- /* kick start the timer immediately to avoid delays */ + if (!err && (chan->txdone_method & TXDONE_BY_POLL)) { +- /* but only if not already active */ +- if (!hrtimer_active(&chan->mbox->poll_hrt)) +- hrtimer_start(&chan->mbox->poll_hrt, 0, HRTIMER_MODE_REL); ++ /* kick start the timer immediately to avoid delays */ ++ spin_lock_irqsave(&chan->mbox->poll_hrt_lock, flags); ++ hrtimer_start(&chan->mbox->poll_hrt, 0, HRTIMER_MODE_REL); ++ spin_unlock_irqrestore(&chan->mbox->poll_hrt_lock, flags); + } + } + +@@ -123,20 +123,26 @@ static enum hrtimer_restart txdone_hrtimer(struct hrtimer *hrtimer) + container_of(hrtimer, struct mbox_controller, poll_hrt); + bool txdone, resched = false; + int i; ++ unsigned long flags; + + for (i = 0; i < mbox->num_chans; i++) { + struct mbox_chan *chan = &mbox->chans[i]; + + if (chan->active_req && chan->cl) { +- resched = true; + txdone = chan->mbox->ops->last_tx_done(chan); + if (txdone) + tx_tick(chan, 0); ++ else ++ resched = true; + } + } + + if (resched) { +- hrtimer_forward_now(hrtimer, ms_to_ktime(mbox->txpoll_period)); ++ spin_lock_irqsave(&mbox->poll_hrt_lock, flags); ++ if (!hrtimer_is_queued(hrtimer)) ++ hrtimer_forward_now(hrtimer, ms_to_ktime(mbox->txpoll_period)); ++ spin_unlock_irqrestore(&mbox->poll_hrt_lock, flags); ++ + return HRTIMER_RESTART; + } + return HRTIMER_NORESTART; +@@ -473,6 +479,7 @@ int 
mbox_controller_register(struct mbox_controller *mbox) + hrtimer_init(&mbox->poll_hrt, CLOCK_MONOTONIC, + HRTIMER_MODE_REL); + mbox->poll_hrt.function = txdone_hrtimer; ++ spin_lock_init(&mbox->poll_hrt_lock); + } + + for (i = 0; i < mbox->num_chans; i++) { +diff --git a/include/linux/mailbox_controller.h b/include/linux/mailbox_controller.h +index 74deadb42d76..5a4524f66ea1 100644 +--- a/include/linux/mailbox_controller.h ++++ b/include/linux/mailbox_controller.h +@@ -83,6 +83,7 @@ struct mbox_controller { + const struct of_phandle_args *sp); + /* Internal to API */ + struct hrtimer poll_hrt; ++ spinlock_t poll_hrt_lock; + struct list_head node; + }; + +-- +2.35.1 + diff --git a/queue-4.14/media-cx25821-fix-the-warning-when-removing-the-modu.patch b/queue-4.14/media-cx25821-fix-the-warning-when-removing-the-modu.patch new file mode 100644 index 00000000000..c23157bb4b8 --- /dev/null +++ b/queue-4.14/media-cx25821-fix-the-warning-when-removing-the-modu.patch 
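Review bot: The new `poll_hrt_lock` field in `struct mbox_controller` is added without any statement of what it protects, so the locking rule is recoverable only from the commit message. A one-line comment on the field, e.g. `/* serialises hrtimer_start() in msg_submit() against the hrtimer_is_queued()/hrtimer_forward_now() pair in txdone_hrtimer() */`, would keep later changes from touching `poll_hrt` outside the lock. If the struct carries a kernel-doc block above it (outside the hunk), a matching `@poll_hrt_lock` entry belongs there as well.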
@@ -0,0 +1,57 @@
+From c194fc2d998e105222ea08336eb2696b8e4713c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 10 Apr 2022 08:44:09 +0100
+Subject: media: cx25821: Fix the warning when removing the module
+
+From: Zheyu Ma
+
+[ Upstream commit 2203436a4d24302871617373a7eb21bc17e38762 ]
+
+When removing the module, we will get the following warning:
+
+[ 14.746697] remove_proc_entry: removing non-empty directory 'irq/21', leaking at least 'cx25821[1]'
+[ 14.747449] WARNING: CPU: 4 PID: 368 at fs/proc/generic.c:717 remove_proc_entry+0x389/0x3f0
+[ 14.751611] RIP: 0010:remove_proc_entry+0x389/0x3f0
+[ 14.759589] Call Trace:
+[ 14.759792]
+[ 14.759975] unregister_irq_proc+0x14c/0x170
+[ 14.760340] irq_free_descs+0x94/0xe0
+[ 14.760640] mp_unmap_irq+0xb6/0x100
+[ 14.760937] acpi_unregister_gsi_ioapic+0x27/0x40
+[ 14.761334] acpi_pci_irq_disable+0x1d3/0x320
+[ 14.761688] pci_disable_device+0x1ad/0x380
+[ 14.762027] ? _raw_spin_unlock_irqrestore+0x2d/0x60
+[ 14.762442] ? cx25821_shutdown+0x20/0x9f0 [cx25821]
+[ 14.762848] cx25821_finidev+0x48/0xc0 [cx25821]
+[ 14.763242] pci_device_remove+0x92/0x240
+
+Fix this by freeing the irq before call pci_disable_device().
+
+Signed-off-by: Zheyu Ma
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/pci/cx25821/cx25821-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/pci/cx25821/cx25821-core.c b/drivers/media/pci/cx25821/cx25821-core.c
+index 79582071f139..c5e0fa447e4d 100644
+--- a/drivers/media/pci/cx25821/cx25821-core.c
++++ b/drivers/media/pci/cx25821/cx25821-core.c
+@@ -1350,11 +1350,11 @@ static void cx25821_finidev(struct pci_dev *pci_dev)
+ struct cx25821_dev *dev = get_cx25821(v4l2_dev);
+
+ cx25821_shutdown(dev);
+- pci_disable_device(pci_dev);
+
+ /* unregister stuff */
+ if (pci_dev->irq)
+ free_irq(pci_dev->irq, dev);
++ pci_disable_device(pci_dev);
+
+ cx25821_dev_unregister(dev);
+ v4l2_device_unregister(v4l2_dev);
+--
+2.35.1
+
diff --git a/queue-4.14/media-exynos4-is-change-clk_disable-to-clk_disable_u.patch b/queue-4.14/media-exynos4-is-change-clk_disable-to-clk_disable_u.patch
new file mode 100644
index 00000000000..d293f1646c0
--- /dev/null
+++ b/queue-4.14/media-exynos4-is-change-clk_disable-to-clk_disable_u.patch
@@ -0,0 +1,39 @@
+From da6a888a994229e978a8dd73930aec141f961235 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 18 Mar 2022 12:01:01 +0100
+Subject: media: exynos4-is: Change clk_disable to clk_disable_unprepare
+
+From: Miaoqian Lin
+
+[ Upstream commit 9fadab72a6916c7507d7fedcd644859eef995078 ]
+
+The corresponding API for clk_prepare_enable is clk_disable_unprepare,
+other than clk_disable.
+
+Fix this by changing clk_disable to clk_disable_unprepare.
+
+Fixes: b4155d7d5b2c ("[media] exynos4-is: Ensure fimc-is clocks are not enabled until properly configured")
+Signed-off-by: Miaoqian Lin
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/platform/exynos4-is/fimc-is.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/exynos4-is/fimc-is.c b/drivers/media/platform/exynos4-is/fimc-is.c
+index 0fe9be93fabe..0f3f82bd4d20 100644
+--- a/drivers/media/platform/exynos4-is/fimc-is.c
++++ b/drivers/media/platform/exynos4-is/fimc-is.c
+@@ -144,7 +144,7 @@ static int fimc_is_enable_clocks(struct fimc_is *is)
+ dev_err(&is->pdev->dev, "clock %s enable failed\n",
+ fimc_is_clocks[i]);
+ for (--i; i >= 0; i--)
+- clk_disable(is->clocks[i]);
++ clk_disable_unprepare(is->clocks[i]);
+ return ret;
+ }
+ pr_debug("enabled clock: %s\n", fimc_is_clocks[i]);
+--
+2.35.1
+
diff --git a/queue-4.14/media-exynos4-is-fix-compile-warning.patch b/queue-4.14/media-exynos4-is-fix-compile-warning.patch
new file mode 100644
index 00000000000..7a6882e2d9e
--- /dev/null
+++ b/queue-4.14/media-exynos4-is-fix-compile-warning.patch
@@ -0,0 +1,39 @@
+From d0a5bb54993adc179024a52acb314fb77e4e51ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 27 Apr 2022 03:16:45 +0200
+Subject: media: exynos4-is: Fix compile warning
+
+From: Kwanghoon Son
+
+[ Upstream commit e080f5c1f2b6d02c02ee5d674e0e392ccf63bbaf ]
+
+Declare static on function 'fimc_isp_video_device_unregister'.
+
+When VIDEO_EXYNOS4_ISP_DMA_CAPTURE=n, compiler warns about
+warning: no previous prototype for function [-Wmissing-prototypes]
+
+Reported-by: kernel test robot
+Signed-off-by: Kwanghoon Son
+Signed-off-by: Sakari Ailus
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/platform/exynos4-is/fimc-isp-video.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/exynos4-is/fimc-isp-video.h b/drivers/media/platform/exynos4-is/fimc-isp-video.h
+index f79a1b348aa6..67ef85249912 100644
+--- a/drivers/media/platform/exynos4-is/fimc-isp-video.h
++++ b/drivers/media/platform/exynos4-is/fimc-isp-video.h
+@@ -35,7 +35,7 @@ static inline int fimc_isp_video_device_register(struct fimc_isp *isp,
+ return 0;
+ }
+
+-void fimc_isp_video_device_unregister(struct fimc_isp *isp,
++static inline void fimc_isp_video_device_unregister(struct fimc_isp *isp,
+ enum v4l2_buf_type type)
+ {
+ }
+--
+2.35.1
+
diff --git a/queue-4.14/media-pci-cx23885-fix-the-error-handling-in-cx23885_.patch b/queue-4.14/media-pci-cx23885-fix-the-error-handling-in-cx23885_.patch
new file mode 100644
index 00000000000..495e9728efa
--- /dev/null
+++ b/queue-4.14/media-pci-cx23885-fix-the-error-handling-in-cx23885_.patch
@@ -0,0 +1,66 @@ +From 69a498dee62f88896234d156b22d30f5d2738269 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Apr 2022 08:34:41 +0100 +Subject: media: pci: cx23885: Fix the error handling in cx23885_initdev() + +From: Zheyu Ma + +[ Upstream commit e8123311cf06d7dae71e8c5fe78e0510d20cd30b ] + +When the driver fails to call the dma_set_mask(), the driver will get +the following splat: + +[ 55.853884] BUG: KASAN: use-after-free in __process_removed_driver+0x3c/0x240 +[ 55.854486] Read of size 8 at addr ffff88810de60408 by task modprobe/590 +[ 55.856822] Call Trace: +[ 55.860327] __process_removed_driver+0x3c/0x240 +[ 55.861347] bus_for_each_dev+0x102/0x160 +[ 55.861681] i2c_del_driver+0x2f/0x50 + +This is because the driver has initialized the i2c related resources +in cx23885_dev_setup() but not released them in error handling, fix this +bug by modifying the error path that jumps after failing to call the +dma_set_mask(). + +Signed-off-by: Zheyu Ma +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/cx23885/cx23885-core.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/pci/cx23885/cx23885-core.c b/drivers/media/pci/cx23885/cx23885-core.c +index 4612f26fcd6d..6f297caf5540 100644 +--- a/drivers/media/pci/cx23885/cx23885-core.c ++++ b/drivers/media/pci/cx23885/cx23885-core.c +@@ -2005,7 +2005,7 @@ static int cx23885_initdev(struct pci_dev *pci_dev, + err = pci_set_dma_mask(pci_dev, 0xffffffff); + if (err) { + pr_err("%s/0: Oops: no 32bit PCI DMA ???\n", dev->name); +- goto fail_ctrl; ++ goto fail_dma_set_mask; + } + + err = request_irq(pci_dev->irq, cx23885_irq, +@@ -2013,7 +2013,7 @@ static int cx23885_initdev(struct pci_dev *pci_dev, + if (err < 0) { + pr_err("%s: can't get IRQ %d\n", + dev->name, pci_dev->irq); +- goto fail_irq; ++ goto fail_dma_set_mask; + } + + switch (dev->board) { +@@ -2035,7 +2035,7 @@ static int cx23885_initdev(struct 
pci_dev *pci_dev, + + return 0; + +-fail_irq: ++fail_dma_set_mask: + cx23885_dev_unregister(dev); + fail_ctrl: + v4l2_ctrl_handler_free(hdl); +-- +2.35.1 + diff --git a/queue-4.14/media-pvrusb2-fix-array-index-out-of-bounds-in-pvr2_.patch b/queue-4.14/media-pvrusb2-fix-array-index-out-of-bounds-in-pvr2_.patch new file mode 100644 index 00000000000..6bd822a8692 --- /dev/null +++ b/queue-4.14/media-pvrusb2-fix-array-index-out-of-bounds-in-pvr2_.patch 
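Review bot: The label `fail_dma_set_mask` is now the target of both the `pci_set_dma_mask()` and the `request_irq()` failure paths, so its name describes one of two failure sites rather than the cleanup it performs. Naming it after the action it starts, e.g. `fail_dev_unregister:`, reads correctly from either `goto` and makes it harder for a later early exit to pick the wrong unwind point again. `cx23885_initdev()` starts and ends outside these hunks, so whether other exits after `cx23885_dev_setup()` need the same target could not be checked here.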
@@ -0,0 +1,58 @@
+From 0aea51bc83653bddccf468a8527643533c9e00a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 15 Apr 2022 23:24:48 +0200
+Subject: media: pvrusb2: fix array-index-out-of-bounds in pvr2_i2c_core_init
+
+From: Pavel Skripkin
+
+[ Upstream commit 471bec68457aaf981add77b4f590d65dd7da1059 ]
+
+Syzbot reported that -1 is used as array index. The problem was in
+missing validation check.
+
+hdw->unit_number is initialized with -1 and then if init table walk fails
+this value remains unchanged. Since code blindly uses this member for
+array indexing adding sanity check is the easiest fix for that.
+
+hdw->workpoll initialization moved upper to prevent warning in
+__flush_work.
+
+Reported-and-tested-by: syzbot+1a247e36149ffd709a9b@syzkaller.appspotmail.com
+
+Fixes: d855497edbfb ("V4L/DVB (4228a): pvrusb2 to kernel 2.6.18")
+Signed-off-by: Pavel Skripkin
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
+index 4ca7e1fad08b..4b0d44e25396 100644
+--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
++++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
+@@ -2563,6 +2563,11 @@ struct pvr2_hdw *pvr2_hdw_create(struct usb_interface *intf,
+ } while (0);
+ mutex_unlock(&pvr2_unit_mtx);
+
++ INIT_WORK(&hdw->workpoll, pvr2_hdw_worker_poll);
++
++ if (hdw->unit_number == -1)
++ goto fail;
++
+ cnt1 = 0;
+ cnt2 = scnprintf(hdw->name+cnt1,sizeof(hdw->name)-cnt1,"pvrusb2");
+ cnt1 += cnt2;
+@@ -2574,8 +2579,6 @@ struct pvr2_hdw *pvr2_hdw_create(struct usb_interface *intf,
+ if (cnt1 >= sizeof(hdw->name)) cnt1 = sizeof(hdw->name)-1;
+ hdw->name[cnt1] = 0;
+
+- INIT_WORK(&hdw->workpoll,pvr2_hdw_worker_poll);
+-
+ pvr2_trace(PVR2_TRACE_INIT,"Driver unit number is %d, name is %s",
+ hdw->unit_number,hdw->name);
+
+--
+2.35.1
+
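Review bot: The new bail-out tests `hdw->unit_number == -1` exactly, although the value is later used as an array index and any negative value is equally invalid; `if (hdw->unit_number < 0)` states the invariant instead of the sentinel. The reason `INIT_WORK()` had to move above the check is given only in the commit message (the `fail` path, outside the hunk, apparently flushes `hdw->workpoll`), so a comment such as `/* must precede any goto fail: the error path flushes workpoll */` on that line would stop it from being moved back. `pvr2_hdw_create()` continues outside both hunks.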
diff --git a/queue-4.14/media-st-delta-fix-pm-disable-depth-imbalance-in-del.patch b/queue-4.14/media-st-delta-fix-pm-disable-depth-imbalance-in-del.patch
new file mode 100644
index 00000000000..454950cfca6
--- /dev/null
+++ b/queue-4.14/media-st-delta-fix-pm-disable-depth-imbalance-in-del.patch
@@ -0,0 +1,57 @@
+From 6dffd50ce8d600ac0e05e03a0dc73b3191a70a1b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 7 Mar 2022 09:08:59 +0100
+Subject: media: st-delta: Fix PM disable depth imbalance in delta_probe
+
+From: Miaoqian Lin
+
+[ Upstream commit 94e3dba710fe0afc772172305444250023fc2d30 ]
+
+The pm_runtime_enable will decrease power disable depth.
+If the probe fails, we should use pm_runtime_disable() to balance
+pm_runtime_enable().
+
+Fixes: f386509e4959 ("[media] st-delta: STiH4xx multi-format video decoder v4l2 driver")
+Signed-off-by: Miaoqian Lin
+Acked-by: Hugues Fruchet
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/platform/sti/delta/delta-v4l2.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/sti/delta/delta-v4l2.c b/drivers/media/platform/sti/delta/delta-v4l2.c
+index 7c925f309158..a489d0d17989 100644
+--- a/drivers/media/platform/sti/delta/delta-v4l2.c
++++ b/drivers/media/platform/sti/delta/delta-v4l2.c
+@@ -1880,7 +1880,7 @@ static int delta_probe(struct platform_device *pdev)
+ if (ret) {
+ dev_err(delta->dev, "%s failed to initialize firmware ipc channel\n",
+ DELTA_PREFIX);
+- goto err;
++ goto err_pm_disable;
+ }
+
+ /* register all available decoders */
+@@ -1894,7 +1894,7 @@ static int delta_probe(struct platform_device *pdev)
+ if (ret) {
+ dev_err(delta->dev, "%s failed to register V4L2 device\n",
+ DELTA_PREFIX);
+- goto err;
++ goto err_pm_disable;
+ }
+
+ delta->work_queue = create_workqueue(DELTA_NAME);
+@@ -1919,6 +1919,8 @@ static int delta_probe(struct platform_device *pdev)
+ destroy_workqueue(delta->work_queue);
+ err_v4l2:
+ v4l2_device_unregister(&delta->v4l2_dev);
++err_pm_disable:
++ pm_runtime_disable(dev);
+ err:
+ return ret;
+ }
+--
+2.35.1
+
diff --git a/queue-4.14/media-uvcvideo-fix-missing-check-to-determine-if-ele.patch b/queue-4.14/media-uvcvideo-fix-missing-check-to-determine-if-ele.patch
new file mode 100644
index 00000000000..9ea95dd0f5c
--- /dev/null
+++ b/queue-4.14/media-uvcvideo-fix-missing-check-to-determine-if-ele.patch
@@ -0,0 +1,87 @@ +From eeef9262b303a8ef461097e5d3f7712ab4156335 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Mar 2022 11:22:22 +0100 +Subject: media: uvcvideo: Fix missing check to determine if element is found + in list + +From: Xiaomeng Tong + +[ Upstream commit 261f33388c29f6f3c12a724e6d89172b7f6d5996 ] + +The list iterator will point to a bogus position containing HEAD if +the list is empty or the element is not found in list. This case +should be checked before any use of the iterator, otherwise it will +lead to a invalid memory access. The missing check here is before +"pin = iterm->id;", just add check here to fix the security bug. + +In addition, the list iterator value will *always* be set and non-NULL +by list_for_each_entry(), so it is incorrect to assume that the iterator +value will be NULL if the element is not found in list, considering +the (mis)use here: "if (iterm == NULL". + +Use a new value 'it' as the list iterator, while use the old value +'iterm' as a dedicated pointer to point to the found element, which +1. can fix this bug, due to 'iterm' is NULL only if it's not found. +2. do not need to change all the uses of 'iterm' after the loop. +3. can also limit the scope of the list iterator 'it' *only inside* + the traversal loop by simply declaring 'it' inside the loop in the + future, as usage of the iterator outside of the list_for_each_entry + is considered harmful. 
https://lkml.org/lkml/2022/2/17/1032 + +Fixes: d5e90b7a6cd1c ("[media] uvcvideo: Move to video_ioctl2") +Signed-off-by: Xiaomeng Tong +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_v4l2.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c +index 2b0ca32d7196..800b37a5bbe8 100644 +--- a/drivers/media/usb/uvc/uvc_v4l2.c ++++ b/drivers/media/usb/uvc/uvc_v4l2.c +@@ -841,29 +841,31 @@ static int uvc_ioctl_enum_input(struct file *file, void *fh, + struct uvc_video_chain *chain = handle->chain; + const struct uvc_entity *selector = chain->selector; + struct uvc_entity *iterm = NULL; ++ struct uvc_entity *it; + u32 index = input->index; +- int pin = 0; + + if (selector == NULL || + (chain->dev->quirks & UVC_QUIRK_IGNORE_SELECTOR_UNIT)) { + if (index != 0) + return -EINVAL; +- list_for_each_entry(iterm, &chain->entities, chain) { +- if (UVC_ENTITY_IS_ITERM(iterm)) ++ list_for_each_entry(it, &chain->entities, chain) { ++ if (UVC_ENTITY_IS_ITERM(it)) { ++ iterm = it; + break; ++ } + } +- pin = iterm->id; + } else if (index < selector->bNrInPins) { +- pin = selector->baSourceID[index]; +- list_for_each_entry(iterm, &chain->entities, chain) { +- if (!UVC_ENTITY_IS_ITERM(iterm)) ++ list_for_each_entry(it, &chain->entities, chain) { ++ if (!UVC_ENTITY_IS_ITERM(it)) + continue; +- if (iterm->id == pin) ++ if (it->id == selector->baSourceID[index]) { ++ iterm = it; + break; ++ } + } + } + +- if (iterm == NULL || iterm->id != pin) ++ if (iterm == NULL) + return -EINVAL; + + memset(input, 0, sizeof(*input)); +-- +2.35.1 + diff --git a/queue-4.14/media-venus-hfi-avoid-null-dereference-in-deinit.patch b/queue-4.14/media-venus-hfi-avoid-null-dereference-in-deinit.patch new file mode 100644 index 00000000000..d4a42e8c048 --- /dev/null 
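Review bot: The cursor `it` is still declared at function scope in `uvc_ioctl_enum_input()`, so nothing prevents later code from dereferencing it after a `list_for_each_entry()` that ran to completion, which is the misuse this change removes for `iterm`. A short comment at the declaration, e.g. `/* loop cursor only; after the loop use iterm, which is NULL when nothing matched */`, records the rule until the cursor can be declared inside the loop as the commit message anticipates. The function body continues outside the hunk, so later uses of either pointer were not reviewed here.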
+++ b/queue-4.14/media-venus-hfi-avoid-null-dereference-in-deinit.patch
@@ -0,0 +1,41 @@
+From dc132a1556fe8420558f03269c7655bdf245490c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 14 Jan 2022 11:02:26 +0000
+Subject: media: venus: hfi: avoid null dereference in deinit
+
+From: Luca Weiss
+
+[ Upstream commit 86594f6af867b5165d2ba7b5a71fae3a5961e56c ]
+
+If venus_probe fails at pm_runtime_put_sync the error handling first
+calls hfi_destroy and afterwards hfi_core_deinit. As hfi_destroy sets
+core->ops to NULL, hfi_core_deinit cannot call the core_deinit function
+anymore.
+
+Avoid this null pointer derefence by skipping the call when necessary.
+
+Signed-off-by: Luca Weiss
+Signed-off-by: Stanimir Varbanov
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/platform/qcom/venus/hfi.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/media/platform/qcom/venus/hfi.c b/drivers/media/platform/qcom/venus/hfi.c
+index ba29fd4d4984..7d1d3e64007c 100644
+--- a/drivers/media/platform/qcom/venus/hfi.c
++++ b/drivers/media/platform/qcom/venus/hfi.c
+@@ -117,6 +117,9 @@ int hfi_core_deinit(struct venus_core *core, bool blocking)
+ mutex_lock(&core->lock);
+ }
+
++ if (!core->ops)
++ goto unlock;
++
+ ret = core->ops->core_deinit(core);
+
+ if (!ret)
+--
+2.35.1
+
diff --git a/queue-4.14/mfd-ipaq-micro-fix-error-check-return-value-of-platf.patch b/queue-4.14/mfd-ipaq-micro-fix-error-check-return-value-of-platf.patch
new file mode 100644
index 00000000000..dcf096f65d1
--- /dev/null
+++ b/queue-4.14/mfd-ipaq-micro-fix-error-check-return-value-of-platf.patch
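Review bot: The early `goto unlock` taken when `core->ops` is NULL returns whatever `ret` holds at that point and skips the statement guarded by `if (!ret)`, so the caller cannot tell a skipped deinit from a completed one; `ret` is initialised outside the hunk, so its value on this path should be confirmed. A comment such as `/* hfi_destroy() already cleared core->ops; nothing left to deinit */` would record why a NULL ops table is expected here rather than a bug. The commit message attributes the NULL pointer to the order of `hfi_destroy()` and `hfi_core_deinit()` in the `venus_probe()` error path, and correcting that order would remove the need for the guard.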
@@ -0,0 +1,39 @@
+From 50fda70b607d4bb7c4400c9c9185848df3a612e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 12 Apr 2022 08:53:05 +0000
+Subject: mfd: ipaq-micro: Fix error check return value of platform_get_irq()
+
+From: Lv Ruyi
+
+[ Upstream commit 3b49ae380ce1a3054e0c505dd9a356b82a5b48e8 ]
+
+platform_get_irq() return negative value on failure, so null check of
+irq is incorrect. Fix it by comparing whether it is less than zero.
+
+Fixes: dcc21cc09e3c ("mfd: Add driver for Atmel Microcontroller on iPaq h3xxx")
+Reported-by: Zeal Robot
+Signed-off-by: Lv Ruyi
+Reviewed-by: Linus Walleij
+Signed-off-by: Lee Jones
+Link: https://lore.kernel.org/r/20220412085305.2533030-1-lv.ruyi@zte.com.cn
+Signed-off-by: Sasha Levin
+---
+ drivers/mfd/ipaq-micro.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mfd/ipaq-micro.c b/drivers/mfd/ipaq-micro.c
+index cd762d08f116..2ba0e2d575c0 100644
+--- a/drivers/mfd/ipaq-micro.c
++++ b/drivers/mfd/ipaq-micro.c
+@@ -410,7 +410,7 @@ static int __init micro_probe(struct platform_device *pdev)
+ micro_reset_comm(micro);
+
+ irq = platform_get_irq(pdev, 0);
+- if (!irq)
++ if (irq < 0)
+ return -EINVAL;
+ ret = devm_request_irq(&pdev->dev, irq, micro_serial_isr,
+ IRQF_SHARED, "ipaq-micro",
+--
+2.35.1
+
diff --git a/queue-4.14/mwifiex-add-mutex-lock-for-call-in-mwifiex_dfs_chan_.patch b/queue-4.14/mwifiex-add-mutex-lock-for-call-in-mwifiex_dfs_chan_.patch
new file mode 100644
index 00000000000..a84e9c071b2
--- /dev/null
+++ b/queue-4.14/mwifiex-add-mutex-lock-for-call-in-mwifiex_dfs_chan_.patch
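Review bot: On failure the corrected check `if (irq < 0)` still returns a fixed `-EINVAL`, which discards the specific error `platform_get_irq()` reported and makes probe failures harder to diagnose from logs. Returning the value unchanged keeps the real cause visible: `if (irq < 0) return irq;`. `micro_probe()` starts and ends outside the hunk.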
@@ -0,0 +1,49 @@
+From d4e3f1ad6af47353155e7df08d88f32782f8043f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 21 Mar 2022 23:55:16 +0100
+Subject: mwifiex: add mutex lock for call in mwifiex_dfs_chan_sw_work_queue
+
+From: Niels Dossche
+
+[ Upstream commit 3e12968f6d12a34b540c39cbd696a760cc4616f0 ]
+
+cfg80211_ch_switch_notify uses ASSERT_WDEV_LOCK to assert that
+net_device->ieee80211_ptr->mtx (which is the same as priv->wdev.mtx)
+is held during the function's execution.
+mwifiex_dfs_chan_sw_work_queue is one of its callers, which does not
+hold that lock, therefore violating the assertion.
+Add a lock around the call.
+
+Disclaimer:
+I am currently working on a static analyser to detect missing locks.
+This was a reported case. I manually verified the report by looking
+at the code, so that I do not send wrong information or patches.
+After concluding that this seems to be a true positive, I created
+this patch.
+However, as I do not in fact have this particular hardware,
+I was unable to test it.
+
+Reviewed-by: Brian Norris
+Signed-off-by: Niels Dossche
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20220321225515.32113-1-dossche.niels@gmail.com
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/marvell/mwifiex/11h.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/11h.c b/drivers/net/wireless/marvell/mwifiex/11h.c
+index 238accfe4f41..c4176e357b22 100644
+--- a/drivers/net/wireless/marvell/mwifiex/11h.c
++++ b/drivers/net/wireless/marvell/mwifiex/11h.c
+@@ -303,5 +303,7 @@ void mwifiex_dfs_chan_sw_work_queue(struct work_struct *work)
+
+ mwifiex_dbg(priv->adapter, MSG,
+ "indicating channel switch completion to kernel\n");
++ mutex_lock(&priv->wdev.mtx);
+ cfg80211_ch_switch_notify(priv->netdev, &priv->dfs_chandef);
++ mutex_unlock(&priv->wdev.mtx);
+ }
+--
+2.35.1
+
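Review bot: Taking `priv->wdev.mtx` inside this work function is only safe if nothing waits for the work item while holding the same mutex; a synchronous cancel or flush of this work issued under `wdev.mtx` elsewhere in the driver (not visible in this hunk) would deadlock against the new `mutex_lock()`. The commit message states the change was not tested on hardware, so that audit is worth doing before relying on the backport. A comment above the lock, e.g. `/* cfg80211_ch_switch_notify() asserts that wdev->mtx is held */`, would also record why the lock is taken at this call site; the function starts outside the hunk.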
diff --git a/queue-4.14/net-phy-micrel-allow-probing-without-.driver_data.patch b/queue-4.14/net-phy-micrel-allow-probing-without-.driver_data.patch
new file mode 100644
index 00000000000..738428c9275
--- /dev/null
+++ b/queue-4.14/net-phy-micrel-allow-probing-without-.driver_data.patch
@@ -0,0 +1,72 @@ +From f31d2c1abdad3f1dd9e5fe7dd9b29059a3c7284b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 May 2022 08:46:12 -0300 +Subject: net: phy: micrel: Allow probing without .driver_data + +From: Fabio Estevam + +[ Upstream commit f2ef6f7539c68c6bd6c32323d8845ee102b7c450 ] + +Currently, if the .probe element is present in the phy_driver structure +and the .driver_data is not, a NULL pointer dereference happens. + +Allow passing .probe without .driver_data by inserting NULL checks +for priv->type. + +Signed-off-by: Fabio Estevam +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20220513114613.762810-1-festevam@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/micrel.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c +index 755aa6741292..6f15cd5d4e7a 100644 +--- a/drivers/net/phy/micrel.c ++++ b/drivers/net/phy/micrel.c +@@ -285,7 +285,7 @@ static int kszphy_config_reset(struct phy_device *phydev) + } + } + +- if (priv->led_mode >= 0) ++ if (priv->type && priv->led_mode >= 0) + kszphy_setup_led(phydev, priv->type->led_mode_reg, priv->led_mode); + + return 0; +@@ -301,10 +301,10 @@ static int kszphy_config_init(struct phy_device *phydev) + + type = priv->type; + +- if (type->has_broadcast_disable) ++ if (type && type->has_broadcast_disable) + kszphy_broadcast_disable(phydev); + +- if (type->has_nand_tree_disable) ++ if (type && type->has_nand_tree_disable) + kszphy_nand_tree_disable(phydev); + + return kszphy_config_reset(phydev); +@@ -764,7 +764,7 @@ static int kszphy_probe(struct phy_device *phydev) + + priv->type = type; + +- if (type->led_mode_reg) { ++ if (type && type->led_mode_reg) { + ret = of_property_read_u32(np, "micrel,led-mode", + &priv->led_mode); + if (ret) +@@ -785,7 +785,8 @@ static int kszphy_probe(struct phy_device *phydev) + unsigned long rate = clk_get_rate(clk); + bool 
rmii_ref_clk_sel_25_mhz; + +- priv->rmii_ref_clk_sel = type->has_rmii_ref_clk_sel; ++ if (type) ++ priv->rmii_ref_clk_sel = type->has_rmii_ref_clk_sel; + rmii_ref_clk_sel_25_mhz = of_property_read_bool(np, + "micrel,rmii-reference-clock-select-25-mhz"); + +-- +2.35.1 + diff --git a/queue-4.14/net-remove-two-bug-from-skb_checksum_help.patch b/queue-4.14/net-remove-two-bug-from-skb_checksum_help.patch new file mode 100644 index 00000000000..de98a887f85 --- /dev/null +++ b/queue-4.14/net-remove-two-bug-from-skb_checksum_help.patch 
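Review bot: The `type &&` guards cover only the dereferences visible in these four hunks of kszphy_config_reset(), kszphy_config_init() and kszphy_probe(); any other reader of `priv->type` in micrel.c would still fault when `.driver_data` is absent, so those should be audited before relying on this backport. In kszphy_probe() the guarded assignment leaves `priv->rmii_ref_clk_sel` at whatever the allocation provided when `type` is NULL, which is safe only if `priv` is zero-allocated; that allocation is outside the hunk. A short comment at `priv->type = type;`, such as `/* type may be NULL when the driver has no .driver_data */`, would keep later changes from reintroducing the dereference.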
@@ -0,0 +1,49 @@ +From 6374a2d901c66437fda6b4796c915b0d95dd7000 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 May 2022 20:57:40 -0700 +Subject: net: remove two BUG() from skb_checksum_help() + +From: Eric Dumazet + +[ Upstream commit d7ea0d9df2a6265b2b180d17ebc64b38105968fc ] + +I have a syzbot report that managed to get a crash in skb_checksum_help() + +If syzbot can trigger these BUG(), it makes sense to replace +them with more friendly WARN_ON_ONCE() since skb_checksum_help() +can instead return an error code. + +Note that syzbot will still crash there, until real bug is fixed. + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/net/core/dev.c b/net/core/dev.c +index ea09e0809c12..d99dce0efedc 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -2641,11 +2641,15 @@ int skb_checksum_help(struct sk_buff *skb) + } + + offset = skb_checksum_start_offset(skb); +- BUG_ON(offset >= skb_headlen(skb)); ++ ret = -EINVAL; ++ if (WARN_ON_ONCE(offset >= skb_headlen(skb))) ++ goto out; ++ + csum = skb_checksum(skb, offset, skb->len - offset, 0); + + offset += skb->csum_offset; +- BUG_ON(offset + sizeof(__sum16) > skb_headlen(skb)); ++ if (WARN_ON_ONCE(offset + sizeof(__sum16) > skb_headlen(skb))) ++ goto out; + + if (skb_cloned(skb) && + !skb_clone_writable(skb, offset + sizeof(__sum16))) { +-- +2.35.1 + diff --git a/queue-4.14/nfc-null-out-the-dev-rfkill-to-prevent-uaf.patch b/queue-4.14/nfc-null-out-the-dev-rfkill-to-prevent-uaf.patch new file mode 100644 index 00000000000..a647b09e4a6 --- /dev/null +++ b/queue-4.14/nfc-null-out-the-dev-rfkill-to-prevent-uaf.patch 
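Review bot: The second `goto out` in skb_checksum_help() returns -EINVAL only because `ret` was set before the first check and nothing visible in between changes it; an explicit `ret = -EINVAL;` next to the second WARN_ON_ONCE() would not depend on that. With BUG_ON() gone, a packet with an out-of-range checksum offset now continues through the caller's error path, so a caller that ignores the return value would carry on with an unfinished checksum; the callers are outside this hunk and should be checked. WARN_ON_ONCE() also logs only the first occurrence and still panics where panic_on_warn is set.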
@@ -0,0 +1,150 @@ +From d280782332dbd1498ea017a85db25f0f6286b50f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Apr 2022 13:32:08 +0800 +Subject: NFC: NULL out the dev->rfkill to prevent UAF + +From: Lin Ma + +[ Upstream commit 1b0e81416a24d6e9b8c2341e22e8bf48f8b8bfc9 ] + +Commit 3e3b5dfcd16a ("NFC: reorder the logic in nfc_{un,}register_device") +assumes the device_is_registered() in function nfc_dev_up() will help +to check when the rfkill is unregistered. However, this check only +take effect when device_del(&dev->dev) is done in nfc_unregister_device(). +Hence, the rfkill object is still possible be dereferenced. + +The crash trace in latest kernel (5.18-rc2): + +[ 68.760105] ================================================================== +[ 68.760330] BUG: KASAN: use-after-free in __lock_acquire+0x3ec1/0x6750 +[ 68.760756] Read of size 8 at addr ffff888009c93018 by task fuzz/313 +[ 68.760756] +[ 68.760756] CPU: 0 PID: 313 Comm: fuzz Not tainted 5.18.0-rc2 #4 +[ 68.760756] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 +[ 68.760756] Call Trace: +[ 68.760756] +[ 68.760756] dump_stack_lvl+0x57/0x7d +[ 68.760756] print_report.cold+0x5e/0x5db +[ 68.760756] ? __lock_acquire+0x3ec1/0x6750 +[ 68.760756] kasan_report+0xbe/0x1c0 +[ 68.760756] ? __lock_acquire+0x3ec1/0x6750 +[ 68.760756] __lock_acquire+0x3ec1/0x6750 +[ 68.760756] ? lockdep_hardirqs_on_prepare+0x410/0x410 +[ 68.760756] ? register_lock_class+0x18d0/0x18d0 +[ 68.760756] lock_acquire+0x1ac/0x4f0 +[ 68.760756] ? rfkill_blocked+0xe/0x60 +[ 68.760756] ? lockdep_hardirqs_on_prepare+0x410/0x410 +[ 68.760756] ? mutex_lock_io_nested+0x12c0/0x12c0 +[ 68.760756] ? nla_get_range_signed+0x540/0x540 +[ 68.760756] ? _raw_spin_lock_irqsave+0x4e/0x50 +[ 68.760756] _raw_spin_lock_irqsave+0x39/0x50 +[ 68.760756] ? 
rfkill_blocked+0xe/0x60 +[ 68.760756] rfkill_blocked+0xe/0x60 +[ 68.760756] nfc_dev_up+0x84/0x260 +[ 68.760756] nfc_genl_dev_up+0x90/0xe0 +[ 68.760756] genl_family_rcv_msg_doit+0x1f4/0x2f0 +[ 68.760756] ? genl_family_rcv_msg_attrs_parse.constprop.0+0x230/0x230 +[ 68.760756] ? security_capable+0x51/0x90 +[ 68.760756] genl_rcv_msg+0x280/0x500 +[ 68.760756] ? genl_get_cmd+0x3c0/0x3c0 +[ 68.760756] ? lock_acquire+0x1ac/0x4f0 +[ 68.760756] ? nfc_genl_dev_down+0xe0/0xe0 +[ 68.760756] ? lockdep_hardirqs_on_prepare+0x410/0x410 +[ 68.760756] netlink_rcv_skb+0x11b/0x340 +[ 68.760756] ? genl_get_cmd+0x3c0/0x3c0 +[ 68.760756] ? netlink_ack+0x9c0/0x9c0 +[ 68.760756] ? netlink_deliver_tap+0x136/0xb00 +[ 68.760756] genl_rcv+0x1f/0x30 +[ 68.760756] netlink_unicast+0x430/0x710 +[ 68.760756] ? memset+0x20/0x40 +[ 68.760756] ? netlink_attachskb+0x740/0x740 +[ 68.760756] ? __build_skb_around+0x1f4/0x2a0 +[ 68.760756] netlink_sendmsg+0x75d/0xc00 +[ 68.760756] ? netlink_unicast+0x710/0x710 +[ 68.760756] ? netlink_unicast+0x710/0x710 +[ 68.760756] sock_sendmsg+0xdf/0x110 +[ 68.760756] __sys_sendto+0x19e/0x270 +[ 68.760756] ? __ia32_sys_getpeername+0xa0/0xa0 +[ 68.760756] ? fd_install+0x178/0x4c0 +[ 68.760756] ? fd_install+0x195/0x4c0 +[ 68.760756] ? kernel_fpu_begin_mask+0x1c0/0x1c0 +[ 68.760756] __x64_sys_sendto+0xd8/0x1b0 +[ 68.760756] ? lockdep_hardirqs_on+0xbf/0x130 +[ 68.760756] ? syscall_enter_from_user_mode+0x1d/0x50 +[ 68.760756] do_syscall_64+0x3b/0x90 +[ 68.760756] entry_SYSCALL_64_after_hwframe+0x44/0xae +[ 68.760756] RIP: 0033:0x7f67fb50e6b3 +... 
+[ 68.760756] RSP: 002b:00007f67fa91fe90 EFLAGS: 00000293 ORIG_RAX: 000000000000002c +[ 68.760756] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f67fb50e6b3 +[ 68.760756] RDX: 000000000000001c RSI: 0000559354603090 RDI: 0000000000000003 +[ 68.760756] RBP: 00007f67fa91ff00 R08: 00007f67fa91fedc R09: 000000000000000c +[ 68.760756] R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffe824d496e +[ 68.760756] R13: 00007ffe824d496f R14: 00007f67fa120000 R15: 0000000000000003 + +[ 68.760756] +[ 68.760756] +[ 68.760756] Allocated by task 279: +[ 68.760756] kasan_save_stack+0x1e/0x40 +[ 68.760756] __kasan_kmalloc+0x81/0xa0 +[ 68.760756] rfkill_alloc+0x7f/0x280 +[ 68.760756] nfc_register_device+0xa3/0x1a0 +[ 68.760756] nci_register_device+0x77a/0xad0 +[ 68.760756] nfcmrvl_nci_register_dev+0x20b/0x2c0 +[ 68.760756] nfcmrvl_nci_uart_open+0xf2/0x1dd +[ 68.760756] nci_uart_tty_ioctl+0x2c3/0x4a0 +[ 68.760756] tty_ioctl+0x764/0x1310 +[ 68.760756] __x64_sys_ioctl+0x122/0x190 +[ 68.760756] do_syscall_64+0x3b/0x90 +[ 68.760756] entry_SYSCALL_64_after_hwframe+0x44/0xae +[ 68.760756] +[ 68.760756] Freed by task 314: +[ 68.760756] kasan_save_stack+0x1e/0x40 +[ 68.760756] kasan_set_track+0x21/0x30 +[ 68.760756] kasan_set_free_info+0x20/0x30 +[ 68.760756] __kasan_slab_free+0x108/0x170 +[ 68.760756] kfree+0xb0/0x330 +[ 68.760756] device_release+0x96/0x200 +[ 68.760756] kobject_put+0xf9/0x1d0 +[ 68.760756] nfc_unregister_device+0x77/0x190 +[ 68.760756] nfcmrvl_nci_unregister_dev+0x88/0xd0 +[ 68.760756] nci_uart_tty_close+0xdf/0x180 +[ 68.760756] tty_ldisc_kill+0x73/0x110 +[ 68.760756] tty_ldisc_hangup+0x281/0x5b0 +[ 68.760756] __tty_hangup.part.0+0x431/0x890 +[ 68.760756] tty_release+0x3a8/0xc80 +[ 68.760756] __fput+0x1f0/0x8c0 +[ 68.760756] task_work_run+0xc9/0x170 +[ 68.760756] exit_to_user_mode_prepare+0x194/0x1a0 +[ 68.760756] syscall_exit_to_user_mode+0x19/0x50 +[ 68.760756] do_syscall_64+0x48/0x90 +[ 68.760756] entry_SYSCALL_64_after_hwframe+0x44/0xae + +This patch just add 
the null out of dev->rfkill to make sure such +dereference cannot happen. This is safe since the device_lock() already +protect the check/write from data race. + +Fixes: 3e3b5dfcd16a ("NFC: reorder the logic in nfc_{un,}register_device") +Signed-off-by: Lin Ma +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/nfc/core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/nfc/core.c b/net/nfc/core.c +index 8c38a21fb0c6..120259c2b6a7 100644 +--- a/net/nfc/core.c ++++ b/net/nfc/core.c +@@ -1174,6 +1174,7 @@ void nfc_unregister_device(struct nfc_dev *dev) + if (dev->rfkill) { + rfkill_unregister(dev->rfkill); + rfkill_destroy(dev->rfkill); ++ dev->rfkill = NULL; + } + dev->shutting_down = true; + device_unlock(&dev->dev); +-- +2.35.1 + diff --git a/queue-4.14/nvme-pci-fix-a-null-pointer-dereference-in-nvme_allo.patch b/queue-4.14/nvme-pci-fix-a-null-pointer-dereference-in-nvme_allo.patch new file mode 100644 index 00000000000..44d698d5157 --- /dev/null +++ b/queue-4.14/nvme-pci-fix-a-null-pointer-dereference-in-nvme_allo.patch 
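Review bot: The added `dev->rfkill = NULL;` in nfc_unregister_device() is the whole use-after-free fix, yet nothing in the code says so; a comment such as `/* readers test dev->rfkill under device_lock(); clear it so the freed rfkill is unreachable */` would record the invariant. The fix holds only if every reader checks `dev->rfkill` for NULL while holding the device lock, as the commit message states for nfc_dev_up(). Other readers are not visible in this hunk and should be confirmed to follow the same pattern.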
@@ -0,0 +1,45 @@ +From 67e144236df4b94477c20f10ee6706b133923088 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Apr 2022 14:40:32 +0000 +Subject: nvme-pci: fix a NULL pointer dereference in nvme_alloc_admin_tags + +From: Smith, Kyle Miller (Nimble Kernel) + +[ Upstream commit da42761181627e9bdc37d18368b827948a583929 ] + +In nvme_alloc_admin_tags, the admin_q can be set to an error (typically +-ENOMEM) if the blk_mq_init_queue call fails to set up the queue, which +is checked immediately after the call. However, when we return the error +message up the stack, to nvme_reset_work the error takes us to +nvme_remove_dead_ctrl() + nvme_dev_disable() + nvme_suspend_queue(&dev->queues[0]). + +Here, we only check that the admin_q is non-NULL, rather than not +an error or NULL, and begin quiescing a queue that never existed, leading +to bad / NULL pointer dereference. + +Signed-off-by: Kyle Smith +Reviewed-by: Chaitanya Kulkarni +Reviewed-by: Hannes Reinecke +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 92f269a0846c..de23f2814877 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -1424,6 +1424,7 @@ static int nvme_alloc_admin_tags(struct nvme_dev *dev) + dev->ctrl.admin_q = blk_mq_init_queue(&dev->admin_tagset); + if (IS_ERR(dev->ctrl.admin_q)) { + blk_mq_free_tag_set(&dev->admin_tagset); ++ dev->ctrl.admin_q = NULL; + return -ENOMEM; + } + if (!blk_get_queue(dev->ctrl.admin_q)) { +-- +2.35.1 + diff --git a/queue-4.14/openrisc-start-cpu-timer-early-in-boot.patch b/queue-4.14/openrisc-start-cpu-timer-early-in-boot.patch new file mode 100644 index 00000000000..a41e7c4dfaf --- /dev/null +++ b/queue-4.14/openrisc-start-cpu-timer-early-in-boot.patch 
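Review bot: In nvme_alloc_admin_tags() the error pointer is still written to `dev->ctrl.admin_q` and only afterwards replaced with NULL, so the long-lived field briefly holds an ERR_PTR. Taking the result in a local, `struct request_queue *q = blk_mq_init_queue(&dev->admin_tagset);`, testing `IS_ERR(q)`, and doing `dev->ctrl.admin_q = q;` only on success would mean teardown code that tests the field for NULL never sees an error pointer. Whether anything can read the field in that window is not visible from the hunk. The function continues past the end of the hunk.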
@@ -0,0 +1,62 @@
+From bb372c7a50ff80e51c4e1c7657bc8fe2632d2e48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 23 Apr 2022 21:11:41 +0200
+Subject: openrisc: start CPU timer early in boot
+
+From: Jason A. Donenfeld
+
+[ Upstream commit 516dd4aacd67a0f27da94f3fe63fe0f4dbab6e2b ]
+
+In order to measure the boot process, the timer should be switched on as
+early in boot as possible. As well, the commit defines the get_cycles
+macro, like the previous patches in this series, so that generic code is
+aware that it's implemented by the platform, as is done on other archs.
+
+Cc: Thomas Gleixner
+Cc: Arnd Bergmann
+Cc: Jonas Bonn
+Cc: Stefan Kristiansson
+Acked-by: Stafford Horne
+Reported-by: Guenter Roeck
+Signed-off-by: Jason A. Donenfeld
+Signed-off-by: Sasha Levin
+---
+ arch/openrisc/include/asm/timex.h | 1 +
+ arch/openrisc/kernel/head.S | 9 +++++++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/arch/openrisc/include/asm/timex.h b/arch/openrisc/include/asm/timex.h
+index 9935cad1b9b9..34d015bf0462 100644
+--- a/arch/openrisc/include/asm/timex.h
++++ b/arch/openrisc/include/asm/timex.h
+@@ -27,6 +27,7 @@ static inline cycles_t get_cycles(void)
+ {
+ return mfspr(SPR_TTCR);
+ }
++#define get_cycles get_cycles
+
+ /* This isn't really used any more */
+ #define CLOCK_TICK_RATE 1000
+diff --git a/arch/openrisc/kernel/head.S b/arch/openrisc/kernel/head.S
+index 4d878d13b860..3f1e9d168710 100644
+--- a/arch/openrisc/kernel/head.S
++++ b/arch/openrisc/kernel/head.S
+@@ -459,6 +459,15 @@ _start:
+ l.ori r3,r0,0x1
+ l.mtspr r0,r3,SPR_SR
+
++ /*
++ * Start the TTCR as early as possible, so that the RNG can make use of
++ * measurements of boot time from the earliest opportunity. Especially
++ * important is that the TTCR does not return zero by the time we reach
++ * rand_initialize().
++ */
++ l.movhi r3,hi(SPR_TTMR_CR)
++ l.mtspr r0,r3,SPR_TTMR
++
+ CLEAR_GPR(r1)
+ CLEAR_GPR(r2)
+ CLEAR_GPR(r3)
+--
+2.35.1
+
diff --git a/queue-4.14/pci-avoid-pci_dev_lock-ab-ba-deadlock-with-sriov_num.patch b/queue-4.14/pci-avoid-pci_dev_lock-ab-ba-deadlock-with-sriov_num.patch
new file mode 100644
index 00000000000..0d437d6a2ec
--- /dev/null
+++ b/queue-4.14/pci-avoid-pci_dev_lock-ab-ba-deadlock-with-sriov_num.patch
@@ -0,0 +1,90 @@ +From b6f7245d08ebfac01c69525bb211d291ff13cae2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Apr 2022 14:25:39 +0800 +Subject: PCI: Avoid pci_dev_lock() AB/BA deadlock with sriov_numvfs_store() + +From: Yicong Yang + +[ Upstream commit a91ee0e9fca9d7501286cfbced9b30a33e52740a ] + +The sysfs sriov_numvfs_store() path acquires the device lock before the +config space access lock: + + sriov_numvfs_store + device_lock # A (1) acquire device lock + sriov_configure + vfio_pci_sriov_configure # (for example) + vfio_pci_core_sriov_configure + pci_disable_sriov + sriov_disable + pci_cfg_access_lock + pci_wait_cfg # B (4) wait for dev->block_cfg_access == 0 + +Previously, pci_dev_lock() acquired the config space access lock before the +device lock: + + pci_dev_lock + pci_cfg_access_lock + dev->block_cfg_access = 1 # B (2) set dev->block_cfg_access = 1 + device_lock # A (3) wait for device lock + +Any path that uses pci_dev_lock(), e.g., pci_reset_function(), may +deadlock with sriov_numvfs_store() if the operations occur in the sequence +(1) (2) (3) (4). + +Avoid the deadlock by reversing the order in pci_dev_lock() so it acquires +the device lock before the config space access lock, the same as the +sriov_numvfs_store() path. 
+ +[bhelgaas: combined and adapted commit log from Jay Zhou's independent +subsequent posting: +https://lore.kernel.org/r/20220404062539.1710-1-jianjay.zhou@huawei.com] +Link: https://lore.kernel.org/linux-pci/1583489997-17156-1-git-send-email-yangyicong@hisilicon.com/ +Also-posted-by: Jay Zhou +Signed-off-by: Yicong Yang +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/pci.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c +index 4ff7f2575d28..efcd06064953 100644 +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -4153,18 +4153,18 @@ static int pci_dev_reset_slot_function(struct pci_dev *dev, int probe) + + static void pci_dev_lock(struct pci_dev *dev) + { +- pci_cfg_access_lock(dev); + /* block PM suspend, driver probe, etc. */ + device_lock(&dev->dev); ++ pci_cfg_access_lock(dev); + } + + /* Return 1 on successful lock, 0 on contention */ + static int pci_dev_trylock(struct pci_dev *dev) + { +- if (pci_cfg_access_trylock(dev)) { +- if (device_trylock(&dev->dev)) ++ if (device_trylock(&dev->dev)) { ++ if (pci_cfg_access_trylock(dev)) + return 1; +- pci_cfg_access_unlock(dev); ++ device_unlock(&dev->dev); + } + + return 0; +@@ -4172,8 +4172,8 @@ static int pci_dev_trylock(struct pci_dev *dev) + + static void pci_dev_unlock(struct pci_dev *dev) + { +- device_unlock(&dev->dev); + pci_cfg_access_unlock(dev); ++ device_unlock(&dev->dev); + } + + static void pci_dev_save_and_disable(struct pci_dev *dev) +-- +2.35.1 + diff --git a/queue-4.14/perf-c2c-use-stdio-interface-if-slang-is-not-support.patch b/queue-4.14/perf-c2c-use-stdio-interface-if-slang-is-not-support.patch new file mode 100644 index 00000000000..dfe0931565f --- /dev/null +++ b/queue-4.14/perf-c2c-use-stdio-interface-if-slang-is-not-support.patch 
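Review bot: The new lock order in pci_dev_lock(), pci_dev_trylock() and pci_dev_unlock() is not documented where it is enforced, so a later change could quietly reintroduce the AB/BA inversion. I would put a comment above pci_dev_lock() such as `/* Lock order: device_lock() first, then pci_cfg_access_lock(), matching sriov_numvfs_store() */`. Any other path that takes pci_cfg_access_lock() and then device_lock() directly, without these helpers, would still be able to deadlock against them; such callers are outside the hunk and should be looked for.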
@@ -0,0 +1,82 @@ +From a76875a2c5ef3f012d688861ec815989b534d0b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 May 2022 22:54:00 +0800 +Subject: perf c2c: Use stdio interface if slang is not supported + +From: Leo Yan + +[ Upstream commit c4040212bc97d16040712a410335f93bc94d2262 ] + +If the slang lib is not installed on the system, perf c2c tool disables TUI +mode and roll back to use stdio mode; but the flag 'c2c.use_stdio' is +missed to set true and thus it wrongly applies UI quirks in the function +ui_quirks(). + +This commit forces to use stdio interface if slang is not supported, and +it can avoid to apply the UI quirks and show the correct metric header. + +Before: + +================================================= + Shared Cache Line Distribution Pareto +================================================= + ------------------------------------------------------------------------------- + 0 0 0 99 0 0 0 0xaaaac17d6000 + ------------------------------------------------------------------------------- + 0.00% 0.00% 6.06% 0.00% 0.00% 0.00% 0x20 N/A 0 0xaaaac17c25ac 0 0 43 375 18469 2 [.] 0x00000000000025ac memstress memstress[25ac] 0 + 0.00% 0.00% 93.94% 0.00% 0.00% 0.00% 0x29 N/A 0 0xaaaac17c3e88 0 0 173 180 135 2 [.] 0x0000000000003e88 memstress memstress[3e88] 0 + +After: + +================================================= + Shared Cache Line Distribution Pareto +================================================= + ------------------------------------------------------------------------------- + 0 0 0 99 0 0 0 0xaaaac17d6000 + ------------------------------------------------------------------------------- + 0.00% 0.00% 6.06% 0.00% 0.00% 0.00% 0x20 N/A 0 0xaaaac17c25ac 0 0 43 375 18469 2 [.] 0x00000000000025ac memstress memstress[25ac] 0 + 0.00% 0.00% 93.94% 0.00% 0.00% 0.00% 0x29 N/A 0 0xaaaac17c3e88 0 0 173 180 135 2 [.] 
0x0000000000003e88 memstress memstress[3e88] 0 + +Fixes: 5a1a99cd2e4e1557 ("perf c2c report: Add main TUI browser") +Reported-by: Joe Mario +Signed-off-by: Leo Yan +Cc: Alexander Shishkin +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/20220526145400.611249-1-leo.yan@linaro.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-c2c.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/builtin-c2c.c b/tools/perf/builtin-c2c.c +index 264d458bfe2a..9cbd8b0d5b77 100644 +--- a/tools/perf/builtin-c2c.c ++++ b/tools/perf/builtin-c2c.c +@@ -2552,9 +2552,7 @@ static int perf_c2c__report(int argc, const char **argv) + "the input file to process"), + OPT_INCR('N', "node-info", &c2c.node_info, + "show extra node info in report (repeat for more info)"), +-#ifdef HAVE_SLANG_SUPPORT + OPT_BOOLEAN(0, "stdio", &c2c.use_stdio, "Use the stdio interface"), +-#endif + OPT_BOOLEAN(0, "stats", &c2c.stats_only, + "Display only statistic tables (implies --stdio)"), + OPT_BOOLEAN(0, "full-symbols", &c2c.symbol_full, +@@ -2581,6 +2579,10 @@ static int perf_c2c__report(int argc, const char **argv) + if (argc) + usage_with_options(report_c2c_usage, options); + ++#ifndef HAVE_SLANG_SUPPORT ++ c2c.use_stdio = true; ++#endif ++ + if (c2c.stats_only) + c2c.use_stdio = true; + +-- +2.35.1 + diff --git a/queue-4.14/perf-jevents-fix-event-syntax-error-caused-by-extsel.patch b/queue-4.14/perf-jevents-fix-event-syntax-error-caused-by-extsel.patch new file mode 100644 index 00000000000..2bc0682b1ef --- /dev/null +++ b/queue-4.14/perf-jevents-fix-event-syntax-error-caused-by-extsel.patch 
@@ -0,0 +1,62 @@ +From dc58ae5b45cbcce436b05c9a5c01a29d9fa7a4ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 May 2022 22:04:10 +0800 +Subject: perf jevents: Fix event syntax error caused by ExtSel +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Zhengjun Xing + +[ Upstream commit f4df0dbbe62ee8e4405a57b27ccd54393971c773 ] + +In the origin code, when "ExtSel" is 1, the eventcode will change to +"eventcode |= 1 << 21”. For event “UNC_Q_RxL_CREDITS_CONSUMED_VN0.DRS", +its "ExtSel" is "1", its eventcode will change from 0x1E to 0x20001E, +but in fact the eventcode should <=0x1FF, so this will cause the parse +fail: + + # perf stat -e "UNC_Q_RxL_CREDITS_CONSUMED_VN0.DRS" -a sleep 0.1 + event syntax error: '.._RxL_CREDITS_CONSUMED_VN0.DRS' + \___ value too big for format, maximum is 511 + +On the perf kernel side, the kernel assumes the valid bits are continuous. +It will adjust the 0x100 (bit 8 for perf tool) to bit 21 in HW. + +DEFINE_UNCORE_FORMAT_ATTR(event_ext, event, "config:0-7,21"); + +So the perf tool follows the kernel side and just set bit8 other than bit21. 
+ +Fixes: fedb2b518239cbc0 ("perf jevents: Add support for parsing uncore json files") +Reviewed-by: Kan Liang +Signed-off-by: Xing Zhengjun +Acked-by: Ian Rogers +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20220525140410.1706851-1-zhengjun.xing@linux.intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/pmu-events/jevents.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/pmu-events/jevents.c b/tools/perf/pmu-events/jevents.c +index 8e487b2a37a6..dcfbbade657e 100644 +--- a/tools/perf/pmu-events/jevents.c ++++ b/tools/perf/pmu-events/jevents.c +@@ -428,7 +428,7 @@ int json_events(const char *fn, + } else if (json_streq(map, field, "ExtSel")) { + char *code = NULL; + addfield(map, &code, "", "", val); +- eventcode |= strtoul(code, NULL, 0) << 21; ++ eventcode |= strtoul(code, NULL, 0) << 8; + free(code); + } else if (json_streq(map, field, "EventName")) { + addfield(map, &name, "", "", val); +-- +2.35.1 + diff --git a/queue-4.14/pinctrl-mvebu-fix-irq_of_parse_and_map-return-value.patch b/queue-4.14/pinctrl-mvebu-fix-irq_of_parse_and_map-return-value.patch new file mode 100644 index 00000000000..8f109d3241e --- /dev/null +++ b/queue-4.14/pinctrl-mvebu-fix-irq_of_parse_and_map-return-value.patch 
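Review bot: The ExtSel value in json_events() is shifted into `eventcode` straight from strtoul() with no parse or range check, so a value other than 0 or 1 in a JSON file sets bits above bit 8 and brings back the "value too big" error described in the commit message. Masking it, `eventcode |= (strtoul(code, NULL, 0) & 1) << 8;`, keeps the result inside the 9-bit field, assuming ExtSel is a single bit as the `config:0-7,21` format suggests. The enclosing function starts and ends outside the hunk.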
@@ -0,0 +1,36 @@
+From b372a7fef56340ca81d724cfd497277c0050d6f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 22 Apr 2022 12:53:38 +0200
+Subject: pinctrl: mvebu: Fix irq_of_parse_and_map() return value
+
+From: Krzysztof Kozlowski
+
+[ Upstream commit 71bc7cf3be65bab441e03667cf215c557712976c ]
+
+The irq_of_parse_and_map() returns 0 on failure, not a negative ERRNO.
+
+Fixes: 2f227605394b ("pinctrl: armada-37xx: Add irqchip support")
+Signed-off-by: Krzysztof Kozlowski
+Link: https://lore.kernel.org/r/20220422105339.78810-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Linus Walleij
+Signed-off-by: Sasha Levin
+---
+ drivers/pinctrl/mvebu/pinctrl-armada-37xx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c
+index 9f7d917458c7..d90aae2a5cfd 100644
+--- a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c
++++ b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c
+@@ -710,7 +710,7 @@ static int armada_37xx_irqchip_register(struct platform_device *pdev,
+ for (i = 0; i < nr_irq_parent; i++) {
+ int irq = irq_of_parse_and_map(np, i);
+
+- if (irq < 0)
++ if (!irq)
+ continue;
+
+ gpiochip_set_chained_irqchip(gc, irqchip, irq,
+--
+2.35.1
+
diff --git a/queue-4.14/powerpc-4xx-cpm-fix-return-value-of-__setup-handler.patch b/queue-4.14/powerpc-4xx-cpm-fix-return-value-of-__setup-handler.patch
new file mode 100644
index 00000000000..9b092e1c88e
--- /dev/null
+++ b/queue-4.14/powerpc-4xx-cpm-fix-return-value-of-__setup-handler.patch
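Review bot: `irq` in armada_37xx_irqchip_register() is still declared `int` although the check is now `!irq`; irq_of_parse_and_map() returns an unsigned value with 0 meaning failure, so the declaration should match: `unsigned int irq = irq_of_parse_and_map(np, i);`. That also removes the signed type that invited the original `irq < 0` test. The loop body continues past the end of the hunk.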
@@ -0,0 +1,44 @@
+From 74ba28eff6cb7d81f1e89ffb29536df29bf76186 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 2 May 2022 12:29:41 -0700
+Subject: powerpc/4xx/cpm: Fix return value of __setup() handler
+
+From: Randy Dunlap
+
+[ Upstream commit 5bb99fd4090fe1acfdb90a97993fcda7f8f5a3d6 ]
+
+__setup() handlers should return 1 to obsolete_checksetup() in
+init/main.c to indicate that the boot option has been handled.
+
+A return of 0 causes the boot option/value to be listed as an Unknown
+kernel parameter and added to init's (limited) argument or environment
+strings.
+
+Also, error return codes don't mean anything to obsolete_checksetup() --
+only non-zero (usually 1) or zero. So return 1 from cpm_powersave_off().
+
+Fixes: d164f6d4f910 ("powerpc/4xx: Add suspend and idle support")
+Reported-by: Igor Zhbanov
+Signed-off-by: Randy Dunlap
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20220502192941.20955-1-rdunlap@infradead.org
+Signed-off-by: Sasha Levin
+---
+ arch/powerpc/platforms/4xx/cpm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/platforms/4xx/cpm.c b/arch/powerpc/platforms/4xx/cpm.c
+index 53ff81ca8a3c..6400ae376216 100644
+--- a/arch/powerpc/platforms/4xx/cpm.c
++++ b/arch/powerpc/platforms/4xx/cpm.c
+@@ -341,6 +341,6 @@ late_initcall(cpm_init);
+ static int __init cpm_powersave_off(char *arg)
+ {
+ cpm.powersave_off = 1;
+- return 0;
++ return 1;
+ }
+ __setup("powersave=off", cpm_powersave_off);
+--
+2.35.1
+
diff --git a/queue-4.14/powerpc-8xx-export-cpm_setbrg-for-modules.patch b/queue-4.14/powerpc-8xx-export-cpm_setbrg-for-modules.patch
new file mode 100644
index 00000000000..880c2014ee3
--- /dev/null
+++ b/queue-4.14/powerpc-8xx-export-cpm_setbrg-for-modules.patch
@@ -0,0 +1,40 @@
+From c3790bdab19efe5c514c016c801ef0ecbfb22499 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 21 Jan 2021 17:08:19 -0800
+Subject: powerpc/8xx: export 'cpm_setbrg' for modules
+
+From: Randy Dunlap
+
+[ Upstream commit 22f8e625ebabd7ed3185b82b44b4f12fc0402113 ]
+
+Fix missing export for a loadable module build:
+
+ERROR: modpost: "cpm_setbrg" [drivers/tty/serial/cpm_uart/cpm_uart.ko] undefined!
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc")
+Signed-off-by: Randy Dunlap
+Reported-by: kernel test robot
+[chleroy: Changed Fixes: tag]
+Signed-off-by: Christophe Leroy
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20210122010819.30986-1-rdunlap@infradead.org
+Signed-off-by: Sasha Levin
+---
+ arch/powerpc/sysdev/cpm1.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/powerpc/sysdev/cpm1.c b/arch/powerpc/sysdev/cpm1.c
+index c6f154b602fb..72eaa77c1f85 100644
+--- a/arch/powerpc/sysdev/cpm1.c
++++ b/arch/powerpc/sysdev/cpm1.c
+@@ -291,6 +291,7 @@ cpm_setbrg(uint brg, uint rate)
+ out_be32(bp, (((BRG_UART_CLK_DIV16 / rate) - 1) << 1) |
+ CPM_BRG_EN | CPM_BRG_DIV16);
+ }
++EXPORT_SYMBOL(cpm_setbrg);
+
+ struct cpm_ioport16 {
+ __be16 dir, par, odr_sor, dat, intr;
+--
+2.35.1
+
diff --git a/queue-4.14/powerpc-fsl_rio-fix-refcount-leak-in-fsl_rio_setup.patch b/queue-4.14/powerpc-fsl_rio-fix-refcount-leak-in-fsl_rio_setup.patch
new file mode 100644
index 00000000000..1192bbe6655
--- /dev/null
+++ b/queue-4.14/powerpc-fsl_rio-fix-refcount-leak-in-fsl_rio_setup.patch
@@ -0,0 +1,40 @@
+From 3d4a18e1206ca4d56777073b3db675969d183ad2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 12 May 2022 16:37:18 +0400
+Subject: powerpc/fsl_rio: Fix refcount leak in fsl_rio_setup
+
+From: Miaoqian Lin
+
+[ Upstream commit fcee96924ba1596ca80a6770b2567ca546f9a482 ]
+
+of_parse_phandle() returns a node pointer with refcount
+incremented, we should use of_node_put() on it when not need anymore.
+Add missing of_node_put() to avoid refcount leak.
+
+Fixes: abc3aeae3aaa ("fsl-rio: Add two ports and rapidio message units support")
+Signed-off-by: Miaoqian Lin
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20220512123724.62931-1-linmq006@gmail.com
+Signed-off-by: Sasha Levin
+---
+ arch/powerpc/sysdev/fsl_rio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/powerpc/sysdev/fsl_rio.c b/arch/powerpc/sysdev/fsl_rio.c
+index 5011ffea4e4b..c48ebe677962 100644
+--- a/arch/powerpc/sysdev/fsl_rio.c
++++ b/arch/powerpc/sysdev/fsl_rio.c
+@@ -509,8 +509,10 @@ int fsl_rio_setup(struct platform_device *dev)
+ if (rc) {
+ dev_err(&dev->dev, "Can't get %pOF property 'reg'\n",
+ rmu_node);
++ of_node_put(rmu_node);
+ goto err_rmu;
+ }
++ of_node_put(rmu_node);
+ rmu_regs_win = ioremap(rmu_regs.start, resource_size(&rmu_regs));
+ if (!rmu_regs_win) {
+ dev_err(&dev->dev, "Unable to map rmu register window\n");
+--
+2.35.1
+
diff --git a/queue-4.14/powerpc-idle-fix-return-value-of-__setup-handler.patch b/queue-4.14/powerpc-idle-fix-return-value-of-__setup-handler.patch
new file mode 100644
index 00000000000..4612d65101d
--- /dev/null
+++ b/queue-4.14/powerpc-idle-fix-return-value-of-__setup-handler.patch
@@ -0,0 +1,45 @@
+From 956b20ebdab8c8db628f8dc1220f23167f64cc51 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 2 May 2022 12:29:25 -0700
+Subject: powerpc/idle: Fix return value of __setup() handler
+
+From: Randy Dunlap
+
+[ Upstream commit b793a01000122d2bd133ba451a76cc135b5e162c ]
+
+__setup() handlers should return 1 to obsolete_checksetup() in
+init/main.c to indicate that the boot option has been handled.
+
+A return of 0 causes the boot option/value to be listed as an Unknown
+kernel parameter and added to init's (limited) argument or environment
+strings.
+
+Also, error return codes don't mean anything to obsolete_checksetup() --
+only non-zero (usually 1) or zero. So return 1 from powersave_off().
+
+Fixes: 302eca184fb8 ("[POWERPC] cell: use ppc_md->power_save instead of cbe_idle_loop")
+Reported-by: Igor Zhbanov
+Signed-off-by: Randy Dunlap
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20220502192925.19954-1-rdunlap@infradead.org
+Signed-off-by: Sasha Levin
+---
+ arch/powerpc/kernel/idle.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/kernel/idle.c b/arch/powerpc/kernel/idle.c
+index d7216c9abda1..ca79aacfeda2 100644
+--- a/arch/powerpc/kernel/idle.c
++++ b/arch/powerpc/kernel/idle.c
+@@ -41,7 +41,7 @@ static int __init powersave_off(char *arg)
+ {
+ ppc_md.power_save = NULL;
+ cpuidle_disable = IDLE_POWERSAVE_OFF;
+- return 0;
++ return 1;
+ }
+ __setup("powersave=off", powersave_off);
+
+--
+2.35.1
+
diff --git a/queue-4.14/powerpc-perf-fix-the-threshold-compare-group-constra.patch b/queue-4.14/powerpc-perf-fix-the-threshold-compare-group-constra.patch
new file mode 100644
index 00000000000..f4ce6fe84c9
--- /dev/null
+++ b/queue-4.14/powerpc-perf-fix-the-threshold-compare-group-constra.patch
@@ -0,0 +1,76 @@ +From 2651430fc4fe9fd3aba731470364f95ba6963e07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 May 2022 11:40:15 +0530 +Subject: powerpc/perf: Fix the threshold compare group constraint for power9 + +From: Kajol Jain + +[ Upstream commit ab0cc6bbf0c812731c703ec757fcc3fc3a457a34 ] + +Thresh compare bits for a event is used to program thresh compare +field in Monitor Mode Control Register A (MMCRA: 9-18 bits for power9). +When scheduling events as a group, all events in that group should +match value in threshold bits (like thresh compare, thresh control, +thresh select). Otherwise event open for the sibling events should fail. +But in the current code, incase thresh compare bits are not valid, +we are not failing in group_constraint function which can result +in invalid group schduling. + +Fix the issue by returning -1 incase event is threshold and threshold +compare value is not valid. + +Thresh control bits in the event code is used to program thresh_ctl +field in Monitor Mode Control Register A (MMCRA: 48-55). In below example, +the scheduling of group events PM_MRK_INST_CMPL (873534401e0) and +PM_THRESH_MET (8734340101ec) is expected to fail as both event +request different thresh control bits and invalid thresh compare value. + +Result before the patch changes: + +[command]# perf stat -e "{r8735340401e0,r8734340101ec}" sleep 1 + + Performance counter stats for 'sleep 1': + + 11,048 r8735340401e0 + 1,967 r8734340101ec + + 1.001354036 seconds time elapsed + + 0.001421000 seconds user + 0.000000000 seconds sys + +Result after the patch changes: + +[command]# perf stat -e "{r8735340401e0,r8734340101ec}" sleep 1 +Error: +The sys_perf_event_open() syscall returned with 22 (Invalid argument) +for event (r8735340401e0). +/bin/dmesg | grep -i perf may provide additional information. 
+ +Fixes: 78a16d9fc1206 ("powerpc/perf: Avoid FAB_*_MATCH checks for power9") +Signed-off-by: Kajol Jain +Reviewed-by: Athira Rajeev +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220506061015.43916-2-kjain@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/perf/isa207-common.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/perf/isa207-common.c b/arch/powerpc/perf/isa207-common.c +index 24a78565bca6..279bf3a3afbf 100644 +--- a/arch/powerpc/perf/isa207-common.c ++++ b/arch/powerpc/perf/isa207-common.c +@@ -324,7 +324,8 @@ int isa207_get_constraint(u64 event, unsigned long *maskp, unsigned long *valp) + if (event_is_threshold(event) && is_thresh_cmp_valid(event)) { + mask |= CNST_THRESH_MASK; + value |= CNST_THRESH_VAL(event >> EVENT_THRESH_SHIFT); +- } ++ } else if (event_is_threshold(event)) ++ return -1; + } else { + /* + * Special case for PM_MRK_FAB_RSP_MATCH and PM_MRK_FAB_RSP_MATCH_CYC, +-- +2.35.1 + diff --git a/queue-4.14/powerpc-xics-fix-refcount-leak-in-icp_opal_init.patch b/queue-4.14/powerpc-xics-fix-refcount-leak-in-icp_opal_init.patch new file mode 100644 index 00000000000..9bd8bbca3cd --- /dev/null +++ b/queue-4.14/powerpc-xics-fix-refcount-leak-in-icp_opal_init.patch 
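Review bot: The new `else if (event_is_threshold(event))` arm is left unbraced while the `if` arm it hangs off is braced, which kernel coding style asks to avoid, and it calls `event_is_threshold()` a second time. Writing it as `} else if (event_is_threshold(event)) {`, `return -1;`, `}` keeps both arms consistent, and nesting the validity test inside a single `if (event_is_threshold(event))` would avoid the repeated call. isa207_get_constraint() starts and ends outside the hunk, so the enclosing condition is not visible here.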
@@ -0,0 +1,36 @@
+From 6fbd0d7e7a967b2ad23cd41bcfee4f41479e13c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 2 Apr 2022 01:34:19 +0000
+Subject: powerpc/xics: fix refcount leak in icp_opal_init()
+
+From: Lv Ruyi
+
+[ Upstream commit 5dd9e27ea4a39f7edd4bf81e9e70208e7ac0b7c9 ]
+
+The of_find_compatible_node() function returns a node pointer with
+refcount incremented, use of_node_put() on it when done.
+
+Reported-by: Zeal Robot
+Signed-off-by: Lv Ruyi
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20220402013419.2410298-1-lv.ruyi@zte.com.cn
+Signed-off-by: Sasha Levin
+---
+ arch/powerpc/sysdev/xics/icp-opal.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/powerpc/sysdev/xics/icp-opal.c b/arch/powerpc/sysdev/xics/icp-opal.c
+index c71d2ea42627..3c9dd871491e 100644
+--- a/arch/powerpc/sysdev/xics/icp-opal.c
++++ b/arch/powerpc/sysdev/xics/icp-opal.c
+@@ -199,6 +199,7 @@ int icp_opal_init(void)
+
+ printk("XICS: Using OPAL ICP fallbacks\n");
+
++ of_node_put(np);
+ return 0;
+ }
+
+--
+2.35.1
+
diff --git a/queue-4.14/rdma-hfi1-prevent-panic-when-sdma-is-disabled.patch b/queue-4.14/rdma-hfi1-prevent-panic-when-sdma-is-disabled.patch
new file mode 100644
index 00000000000..33b505cbdbc
--- /dev/null
+++ b/queue-4.14/rdma-hfi1-prevent-panic-when-sdma-is-disabled.patch
@@ -0,0 +1,50 @@
+From c13106f71590fc6a8a6077085ad2ef515ffe14d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 20 May 2022 14:37:06 -0400
+Subject: RDMA/hfi1: Prevent panic when SDMA is disabled
+
+From: Douglas Miller
+
+[ Upstream commit 629e052d0c98e46dde9f0824f0aa437f678d9b8f ]
+
+If the hfi1 module is loaded with HFI1_CAP_SDMA off, a call to
+hfi1_write_iter() will dereference a NULL pointer and panic. A typical
+stack frame is:
+
+ sdma_select_user_engine [hfi1]
+ hfi1_user_sdma_process_request [hfi1]
+ hfi1_write_iter [hfi1]
+ do_iter_readv_writev
+ do_iter_write
+ vfs_writev
+ do_writev
+ do_syscall_64
+
+The fix is to test for SDMA in hfi1_write_iter() and fail the I/O with
+EINVAL.
+
+Link: https://lore.kernel.org/r/20220520183706.48973.79803.stgit@awfm-01.cornelisnetworks.com
+Signed-off-by: Douglas Miller
+Signed-off-by: Dennis Dalessandro
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/hw/hfi1/file_ops.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/infiniband/hw/hfi1/file_ops.c b/drivers/infiniband/hw/hfi1/file_ops.c
+index b3ab803bf8b1..7b8644610feb 100644
+--- a/drivers/infiniband/hw/hfi1/file_ops.c
++++ b/drivers/infiniband/hw/hfi1/file_ops.c
+@@ -424,6 +424,8 @@ static ssize_t hfi1_write_iter(struct kiocb *kiocb, struct iov_iter *from)
+ unsigned long dim = from->nr_segs;
+ int idx;
+
++ if (!HFI1_CAP_IS_KSET(SDMA))
++ return -EINVAL;
+ idx = srcu_read_lock(&fd->pq_srcu);
+ pq = srcu_dereference(fd->pq, &fd->pq_srcu);
+ if (!cq || !pq) {
+--
+2.35.1
+
diff --git a/queue-4.14/regulator-pfuze100-fix-refcount-leak-in-pfuze_parse_.patch b/queue-4.14/regulator-pfuze100-fix-refcount-leak-in-pfuze_parse_.patch
new file mode 100644
index 00000000000..b5f03ab12f4
--- /dev/null
+++ b/queue-4.14/regulator-pfuze100-fix-refcount-leak-in-pfuze_parse_.patch
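Review bot: The new `HFI1_CAP_IS_KSET(SDMA)` test guards only this entry point, while the NULL dereference described in the commit message sits deeper, in sdma_select_user_engine(). Any other caller that reaches user SDMA processing with SDMA disabled would presumably still hit it, so a defensive NULL check at the point of dereference (not visible in this hunk) is worth considering as a second layer. The early return also has no comment; something like `/* user SDMA is unavailable when the driver runs without HFI1_CAP_SDMA */` above the check would explain why the write is rejected with -EINVAL. hfi1_write_iter() starts and ends outside the hunk.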
@@ -0,0 +1,44 @@
+From 74549ed6b0b4be7fd5a9ebf03faf7adbe9738579 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 11 May 2022 15:35:05 +0400
+Subject: regulator: pfuze100: Fix refcount leak in pfuze_parse_regulators_dt
+
+From: Miaoqian Lin
+
+[ Upstream commit afaa7b933ef00a2d3262f4d1252087613fb5c06d ]
+
+of_node_get() returns a node with refcount incremented.
+Calling of_node_put() to drop the reference when not needed anymore.
+
+Fixes: 3784b6d64dc5 ("regulator: pfuze100: add pfuze100 regulator driver")
+Signed-off-by: Miaoqian Lin
+Link: https://lore.kernel.org/r/20220511113506.45185-1-linmq006@gmail.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/regulator/pfuze100-regulator.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/regulator/pfuze100-regulator.c b/drivers/regulator/pfuze100-regulator.c
+index 4f205366d8ae..587a6bf9037b 100644
+--- a/drivers/regulator/pfuze100-regulator.c
++++ b/drivers/regulator/pfuze100-regulator.c
+@@ -431,6 +431,7 @@ static int pfuze_parse_regulators_dt(struct pfuze_chip *chip)
+ parent = of_get_child_by_name(np, "regulators");
+ if (!parent) {
+ dev_err(dev, "regulators node not found\n");
++ of_node_put(np);
+ return -EINVAL;
+ }
+
+@@ -455,6 +456,7 @@ static int pfuze_parse_regulators_dt(struct pfuze_chip *chip)
+ }
+
+ of_node_put(parent);
++ of_node_put(np);
+ if (ret < 0) {
+ dev_err(dev, "Error parsing regulator init data: %d\n",
+ ret);
+--
+2.35.1
+
diff --git a/queue-4.14/rtlwifi-use-pr_warn-instead-of-warn_once.patch b/queue-4.14/rtlwifi-use-pr_warn-instead-of-warn_once.patch
new file mode 100644
index 00000000000..9728b449e89
--- /dev/null
+++ b/queue-4.14/rtlwifi-use-pr_warn-instead-of-warn_once.patch
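Review bot: `of_node_put(np)` is now repeated on the `!parent` error path and again after `of_node_put(parent)`, so every future early return in pfuze_parse_regulators_dt() has to remember the same release. A single exit label that drops `np` (and `parent` when it is set) would make the pairing with the earlier get hard to miss. The start of the function and any other return paths lie outside both hunks, so whether another path still leaks cannot be confirmed from here.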
@@ -0,0 +1,39 @@ +From 8da4d209e29df8e5ee6e92c819459ab10ed137c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 May 2022 09:44:52 +0800 +Subject: rtlwifi: Use pr_warn instead of WARN_ONCE + +From: Dongliang Mu + +[ Upstream commit ad732da434a2936128769216eddaece3b1af4588 ] + +This memory allocation failure can be triggered by fault injection or +high pressure testing, resulting a WARN. + +Fix this by replacing WARN with pr_warn. + +Reported-by: syzkaller +Signed-off-by: Dongliang Mu +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220511014453.1621366-1-dzm91@hust.edu.cn +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/usb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/usb.c b/drivers/net/wireless/realtek/rtlwifi/usb.c +index 4fa4d877f913..c29beb00203c 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/usb.c ++++ b/drivers/net/wireless/realtek/rtlwifi/usb.c +@@ -1060,7 +1060,7 @@ int rtl_usb_probe(struct usb_interface *intf, + hw = ieee80211_alloc_hw(sizeof(struct rtl_priv) + + sizeof(struct rtl_usb_priv), &rtl_ops); + if (!hw) { +- WARN_ONCE(true, "rtl_usb: ieee80211 alloc failed\n"); ++ pr_warn("rtl_usb: ieee80211 alloc failed\n"); + return -ENOMEM; + } + rtlpriv = hw->priv; +-- +2.35.1 + diff --git a/queue-4.14/rxrpc-don-t-try-to-resend-the-request-if-we-re-recei.patch b/queue-4.14/rxrpc-don-t-try-to-resend-the-request-if-we-re-recei.patch new file mode 100644 index 00000000000..0eb8662f7be --- /dev/null +++ b/queue-4.14/rxrpc-don-t-try-to-resend-the-request-if-we-re-recei.patch 
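Review bot: The replacement `pr_warn()` in the `!hw` branch does not say which device failed to probe. `intf` is a parameter of rtl_usb_probe(), so `dev_warn(&intf->dev, "ieee80211 alloc failed\n");` would tie the message to the USB interface that triggered it, which helps when the failure is provoked by a specific device. The rest of the probe function is outside the hunk.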
@@ -0,0 +1,45 @@
+From c41e0d9d24e4e6008e5a71d22bdc2841f89f294c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 21 May 2022 09:03:11 +0100
+Subject: rxrpc: Don't try to resend the request if we're receiving the reply
+
+From: David Howells
+
+[ Upstream commit 114af61f88fbe34d641b13922d098ffec4c1be1b ]
+
+rxrpc has a timer to trigger resending of unacked data packets in a call.
+This is not cancelled when a client call switches to the receive phase on
+the basis that most calls don't last long enough for it to ever expire.
+However, if it *does* expire after we've started to receive the reply, we
+shouldn't then go into trying to retransmit or pinging the server to find
+out if an ack got lost.
+
+Fix this by skipping the resend code if we're into receiving the reply to a
+client call.
+
+Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
+Signed-off-by: David Howells
+cc: linux-afs@lists.infradead.org
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/rxrpc/call_event.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/rxrpc/call_event.c b/net/rxrpc/call_event.c
+index 7a77844aab16..7444290b228a 100644
+--- a/net/rxrpc/call_event.c
++++ b/net/rxrpc/call_event.c
+@@ -403,7 +403,8 @@ void rxrpc_process_call(struct work_struct *work)
+ goto recheck_state;
+ }
+
+- if (test_and_clear_bit(RXRPC_CALL_EV_RESEND, &call->events)) {
++ if (test_and_clear_bit(RXRPC_CALL_EV_RESEND, &call->events) &&
++ call->state != RXRPC_CALL_CLIENT_RECV_REPLY) {
+ rxrpc_resend(call, now);
+ goto recheck_state;
+ }
+--
+2.35.1
+
diff --git a/queue-4.14/rxrpc-fix-listen-setting-the-bar-too-high-for-the-pr.patch b/queue-4.14/rxrpc-fix-listen-setting-the-bar-too-high-for-the-pr.patch
new file mode 100644
index 00000000000..41409850cd3
--- /dev/null
+++ b/queue-4.14/rxrpc-fix-listen-setting-the-bar-too-high-for-the-pr.patch
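Review bot: `call->state` is read in the new condition without `READ_ONCE()` or `call->state_lock`, whereas the rxrpc sendmsg patch in this same queue reads it as `READ_ONCE(call->state)`. If rxrpc_process_call() can run while another context changes the state, which the hunk does not show, the comparison is better written `READ_ONCE(call->state) != RXRPC_CALL_CLIENT_RECV_REPLY`. `test_and_clear_bit()` still clears RXRPC_CALL_EV_RESEND when the resend is skipped, so a short comment stating that dropping the event is intended would help the next reader.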
@@ -0,0 +1,74 @@ +From 9692bad0448d2378ef7f5c8dba3ddead40a458d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 May 2022 09:03:04 +0100 +Subject: rxrpc: Fix listen() setting the bar too high for the prealloc rings + +From: David Howells + +[ Upstream commit 88e22159750b0d55793302eeed8ee603f5c1a95c ] + +AF_RXRPC's listen() handler lets you set the backlog up to 32 (if you bump +up the sysctl), but whilst the preallocation circular buffers have 32 slots +in them, one of them has to be a dead slot because we're using CIRC_CNT(). + +This means that listen(rxrpc_sock, 32) will cause an oops when the socket +is closed because rxrpc_service_prealloc_one() allocated one too many calls +and rxrpc_discard_prealloc() won't then be able to get rid of them because +it'll think the ring is empty. rxrpc_release_calls_on_socket() then tries +to abort them, but oopses because call->peer isn't yet set. + +Fix this by setting the maximum backlog to RXRPC_BACKLOG_MAX - 1 to match +the ring capacity. + + BUG: kernel NULL pointer dereference, address: 0000000000000086 + ... + RIP: 0010:rxrpc_send_abort_packet+0x73/0x240 [rxrpc] + Call Trace: + + ? __wake_up_common_lock+0x7a/0x90 + ? rxrpc_notify_socket+0x8e/0x140 [rxrpc] + ? rxrpc_abort_call+0x4c/0x60 [rxrpc] + rxrpc_release_calls_on_socket+0x107/0x1a0 [rxrpc] + rxrpc_release+0xc9/0x1c0 [rxrpc] + __sock_release+0x37/0xa0 + sock_close+0x11/0x20 + __fput+0x89/0x240 + task_work_run+0x59/0x90 + do_exit+0x319/0xaa0 + +Fixes: 00e907127e6f ("rxrpc: Preallocate peers, conns and calls for incoming service requests") +Reported-by: Marc Dionne +Signed-off-by: David Howells +cc: linux-afs@lists.infradead.org +Link: https://lists.infradead.org/pipermail/linux-afs/2022-March/005079.html +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/rxrpc/sysctl.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/rxrpc/sysctl.c b/net/rxrpc/sysctl.c +index 34c706d2f79c..f9afc21b7e2c 100644 +--- a/net/rxrpc/sysctl.c ++++ b/net/rxrpc/sysctl.c +@@ -18,7 +18,7 @@ static struct ctl_table_header *rxrpc_sysctl_reg_table; + static const unsigned int zero = 0; + static const unsigned int one = 1; + static const unsigned int four = 4; +-static const unsigned int thirtytwo = 32; ++static const unsigned int max_backlog = RXRPC_BACKLOG_MAX - 1; + static const unsigned int n_65535 = 65535; + static const unsigned int n_max_acks = RXRPC_RXTX_BUFF_SIZE - 1; + +@@ -114,7 +114,7 @@ static struct ctl_table rxrpc_sysctl_table[] = { + .mode = 0644, + .proc_handler = proc_dointvec_minmax, + .extra1 = (void *)&four, +- .extra2 = (void *)&thirtytwo, ++ .extra2 = (void *)&max_backlog, + }, + { + .procname = "rx_window_size", +-- +2.35.1 + diff --git a/queue-4.14/rxrpc-return-an-error-to-sendmsg-if-call-failed.patch b/queue-4.14/rxrpc-return-an-error-to-sendmsg-if-call-failed.patch new file mode 100644 index 00000000000..bba3c331106 --- /dev/null +++ b/queue-4.14/rxrpc-return-an-error-to-sendmsg-if-call-failed.patch 
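Review bot: `max_backlog` is defined as `RXRPC_BACKLOG_MAX - 1` with no comment, so the reason for the subtraction lives only in the commit message. A line such as `/* CIRC_CNT() needs one dead slot, so the rings hold RXRPC_BACKLOG_MAX - 1 entries */` above the definition would stop it being "corrected" back to the full ring size. The cap is applied only through the sysctl's `.extra2`; the listen() path that consumes the value is outside this hunk, so it is worth confirming that no other route can set a backlog equal to RXRPC_BACKLOG_MAX.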
@@ -0,0 +1,84 @@ +From 993c5aba5c5cee83386eec2d9a812f0d415f8460 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 May 2022 08:45:41 +0100 +Subject: rxrpc: Return an error to sendmsg if call failed + +From: David Howells + +[ Upstream commit 4ba68c5192554876bd8c3afd904e3064d2915341 ] + +If at the end of rxrpc sendmsg() or rxrpc_kernel_send_data() the call that +was being given data was aborted remotely or otherwise failed, return an +error rather than returning the amount of data buffered for transmission. + +The call (presumably) did not complete, so there's not much point +continuing with it. AF_RXRPC considers it "complete" and so will be +unwilling to do anything else with it - and won't send a notification for +it, deeming the return from sendmsg sufficient. + +Not returning an error causes afs to incorrectly handle a StoreData +operation that gets interrupted by a change of address due to NAT +reconfiguration. + +This doesn't normally affect most operations since their request parameters +tend to fit into a single UDP packet and afs_make_call() returns before the +server responds; StoreData is different as it involves transmission of a +lot of data. 
+ +This can be triggered on a client by doing something like: + + dd if=/dev/zero of=/afs/example.com/foo bs=1M count=512 + +at one prompt, and then changing the network address at another prompt, +e.g.: + + ifconfig enp6s0 inet 192.168.6.2 && route add 192.168.6.1 dev enp6s0 + +Tracing packets on an Auristor fileserver looks something like: + +192.168.6.1 -> 192.168.6.3 RX 107 ACK Idle Seq: 0 Call: 4 Source Port: 7000 Destination Port: 7001 +192.168.6.3 -> 192.168.6.1 AFS (RX) 1482 FS Request: Unknown(64538) (64538) +192.168.6.3 -> 192.168.6.1 AFS (RX) 1482 FS Request: Unknown(64538) (64538) +192.168.6.1 -> 192.168.6.3 RX 107 ACK Idle Seq: 0 Call: 4 Source Port: 7000 Destination Port: 7001 + +192.168.6.2 -> 192.168.6.1 AFS (RX) 1482 FS Request: Unknown(0) (0) +192.168.6.2 -> 192.168.6.1 AFS (RX) 1482 FS Request: Unknown(0) (0) +192.168.6.1 -> 192.168.6.2 RX 107 ACK Exceeds Window Seq: 0 Call: 4 Source Port: 7000 Destination Port: 7001 +192.168.6.1 -> 192.168.6.2 RX 74 ABORT Seq: 0 Call: 4 Source Port: 7000 Destination Port: 7001 +192.168.6.1 -> 192.168.6.2 RX 74 ABORT Seq: 29321 Call: 4 Source Port: 7000 Destination Port: 7001 + +The Auristor fileserver logs code -453 (RXGEN_SS_UNMARSHAL), but the abort +code received by kafs is -5 (RX_PROTOCOL_ERROR) as the rx layer sees the +condition and generates an abort first and the unmarshal error is a +consequence of that at the application layer. + +Reported-by: Marc Dionne +Signed-off-by: David Howells +cc: linux-afs@lists.infradead.org +Link: http://lists.infradead.org/pipermail/linux-afs/2021-December/004810.html # v1 +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/rxrpc/sendmsg.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/rxrpc/sendmsg.c b/net/rxrpc/sendmsg.c +index 8f9a2a7eeb7c..de73c2effc89 100644 +--- a/net/rxrpc/sendmsg.c ++++ b/net/rxrpc/sendmsg.c +@@ -383,6 +383,12 @@ static int rxrpc_send_data(struct rxrpc_sock *rx, + + success: + ret = copied; ++ if (READ_ONCE(call->state) == RXRPC_CALL_COMPLETE) { ++ read_lock_bh(&call->state_lock); ++ if (call->error < 0) ++ ret = call->error; ++ read_unlock_bh(&call->state_lock); ++ } + out: + call->tx_pending = skb; + _leave(" = %d", ret); +-- +2.35.1 + diff --git a/queue-4.14/s390-preempt-disable-__preempt_count_add-optimizatio.patch b/queue-4.14/s390-preempt-disable-__preempt_count_add-optimizatio.patch new file mode 100644 index 00000000000..047bc503e18 --- /dev/null +++ b/queue-4.14/s390-preempt-disable-__preempt_count_add-optimizatio.patch 
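Review bot: The block added at `success:` tests `call->state` with `READ_ONCE()` outside the lock and then reads `call->error` under `state_lock` without re-checking the state. That is sound only if RXRPC_CALL_COMPLETE is terminal and `call->error` is written under the same lock, neither of which is visible in this hunk; a comment such as `/* COMPLETE is terminal; call->error is set under state_lock */` would record the assumption. When the error is returned the byte count in `copied` is discarded, which the commit message accepts but the code does not say. rxrpc_send_data() starts outside the hunk.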
@@ -0,0 +1,65 @@ +From a1fa105df4b816c8c00e854fabdcb40b66429dd8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 May 2022 11:33:19 +0200 +Subject: s390/preempt: disable __preempt_count_add() optimization for + PROFILE_ALL_BRANCHES +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Heiko Carstens + +[ Upstream commit 63678eecec57fc51b778be3da35a397931287170 ] + +gcc 12 does not (always) optimize away code that should only be generated +if parameters are constant and within in a certain range. This depends on +various obscure kernel config options, however in particular +PROFILE_ALL_BRANCHES can trigger this compile error: + +In function ‘__atomic_add_const’, + inlined from ‘__preempt_count_add.part.0’ at ./arch/s390/include/asm/preempt.h:50:3: +./arch/s390/include/asm/atomic_ops.h:80:9: error: impossible constraint in ‘asm’ + 80 | asm volatile( \ + | ^~~ + +Workaround this by simply disabling the optimization for +PROFILE_ALL_BRANCHES, since the kernel will be so slow, that this +optimization won't matter at all. + +Reported-by: Thomas Richter +Reviewed-by: Sven Schnelle +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + arch/s390/include/asm/preempt.h | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/arch/s390/include/asm/preempt.h b/arch/s390/include/asm/preempt.h +index 23a14d187fb1..1aebf09fbcd8 100644 +--- a/arch/s390/include/asm/preempt.h ++++ b/arch/s390/include/asm/preempt.h +@@ -50,10 +50,17 @@ static inline bool test_preempt_need_resched(void) + + static inline void __preempt_count_add(int val) + { +- if (__builtin_constant_p(val) && (val >= -128) && (val <= 127)) +- __atomic_add_const(val, &S390_lowcore.preempt_count); +- else +- __atomic_add(val, &S390_lowcore.preempt_count); ++ /* ++ * With some obscure config options and CONFIG_PROFILE_ALL_BRANCHES ++ * enabled, gcc 12 fails to handle __builtin_constant_p(). 
++ */ ++ if (!IS_ENABLED(CONFIG_PROFILE_ALL_BRANCHES)) { ++ if (__builtin_constant_p(val) && (val >= -128) && (val <= 127)) { ++ __atomic_add_const(val, &S390_lowcore.preempt_count); ++ return; ++ } ++ } ++ __atomic_add(val, &S390_lowcore.preempt_count); + } + + static inline void __preempt_count_sub(int val) +-- +2.35.1 + diff --git a/queue-4.14/scsi-fcoe-fix-wstringop-overflow-warnings-in-fcoe_ww.patch b/queue-4.14/scsi-fcoe-fix-wstringop-overflow-warnings-in-fcoe_ww.patch new file mode 100644 index 00000000000..5b8cb1b401f --- /dev/null +++ b/queue-4.14/scsi-fcoe-fix-wstringop-overflow-warnings-in-fcoe_ww.patch 
@@ -0,0 +1,130 @@ +From 292e30e96cb880e855e4daca5cf670a09473be76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Mar 2022 17:55:21 -0600 +Subject: scsi: fcoe: Fix Wstringop-overflow warnings in fcoe_wwn_from_mac() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Gustavo A. R. Silva + +[ Upstream commit 54db804d5d7d36709d1ce70bde3b9a6c61b290b6 ] + +Fix the following Wstringop-overflow warnings when building with GCC-11: + +drivers/scsi/fcoe/fcoe.c: In function ‘fcoe_netdev_config’: +drivers/scsi/fcoe/fcoe.c:744:32: warning: ‘fcoe_wwn_from_mac’ accessing 32 bytes in a region of size 6 [-Wstringop-overflow=] + 744 | wwnn = fcoe_wwn_from_mac(ctlr->ctl_src_addr, 1, 0); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +drivers/scsi/fcoe/fcoe.c:744:32: note: referencing argument 1 of type ‘unsigned char *’ +In file included from drivers/scsi/fcoe/fcoe.c:36: +./include/scsi/libfcoe.h:252:5: note: in a call to function ‘fcoe_wwn_from_mac’ + 252 | u64 fcoe_wwn_from_mac(unsigned char mac[MAX_ADDR_LEN], unsigned int, unsigned int); + | ^~~~~~~~~~~~~~~~~ +drivers/scsi/fcoe/fcoe.c:747:32: warning: ‘fcoe_wwn_from_mac’ accessing 32 bytes in a region of size 6 [-Wstringop-overflow=] + 747 | wwpn = fcoe_wwn_from_mac(ctlr->ctl_src_addr, + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 748 | 2, 0); + | ~~~~~ +drivers/scsi/fcoe/fcoe.c:747:32: note: referencing argument 1 of type ‘unsigned char *’ +In file included from drivers/scsi/fcoe/fcoe.c:36: +./include/scsi/libfcoe.h:252:5: note: in a call to function ‘fcoe_wwn_from_mac’ + 252 | u64 fcoe_wwn_from_mac(unsigned char mac[MAX_ADDR_LEN], unsigned int, unsigned int); + | ^~~~~~~~~~~~~~~~~ + CC drivers/scsi/bnx2fc/bnx2fc_io.o +In function ‘bnx2fc_net_config’, + inlined from ‘bnx2fc_if_create’ at drivers/scsi/bnx2fc/bnx2fc_fcoe.c:1543:7: +drivers/scsi/bnx2fc/bnx2fc_fcoe.c:833:32: warning: ‘fcoe_wwn_from_mac’ accessing 32 bytes in a region of size 6 [-Wstringop-overflow=] + 833 | 
wwnn = fcoe_wwn_from_mac(ctlr->ctl_src_addr, + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 834 | 1, 0); + | ~~~~~ +drivers/scsi/bnx2fc/bnx2fc_fcoe.c: In function ‘bnx2fc_if_create’: +drivers/scsi/bnx2fc/bnx2fc_fcoe.c:833:32: note: referencing argument 1 of type ‘unsigned char *’ +In file included from drivers/scsi/bnx2fc/bnx2fc.h:53, + from drivers/scsi/bnx2fc/bnx2fc_fcoe.c:17: +./include/scsi/libfcoe.h:252:5: note: in a call to function ‘fcoe_wwn_from_mac’ + 252 | u64 fcoe_wwn_from_mac(unsigned char mac[MAX_ADDR_LEN], unsigned int, unsigned int); + | ^~~~~~~~~~~~~~~~~ +In function ‘bnx2fc_net_config’, + inlined from ‘bnx2fc_if_create’ at drivers/scsi/bnx2fc/bnx2fc_fcoe.c:1543:7: +drivers/scsi/bnx2fc/bnx2fc_fcoe.c:839:32: warning: ‘fcoe_wwn_from_mac’ accessing 32 bytes in a region of size 6 [-Wstringop-overflow=] + 839 | wwpn = fcoe_wwn_from_mac(ctlr->ctl_src_addr, + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 840 | 2, 0); + | ~~~~~ +drivers/scsi/bnx2fc/bnx2fc_fcoe.c: In function ‘bnx2fc_if_create’: +drivers/scsi/bnx2fc/bnx2fc_fcoe.c:839:32: note: referencing argument 1 of type ‘unsigned char *’ +In file included from drivers/scsi/bnx2fc/bnx2fc.h:53, + from drivers/scsi/bnx2fc/bnx2fc_fcoe.c:17: +./include/scsi/libfcoe.h:252:5: note: in a call to function ‘fcoe_wwn_from_mac’ + 252 | u64 fcoe_wwn_from_mac(unsigned char mac[MAX_ADDR_LEN], unsigned int, unsigned int); + | ^~~~~~~~~~~~~~~~~ +drivers/scsi/qedf/qedf_main.c: In function ‘__qedf_probe’: +drivers/scsi/qedf/qedf_main.c:3520:30: warning: ‘fcoe_wwn_from_mac’ accessing 32 bytes in a region of size 6 [-Wstringop-overflow=] + 3520 | qedf->wwnn = fcoe_wwn_from_mac(qedf->mac, 1, 0); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +drivers/scsi/qedf/qedf_main.c:3520:30: note: referencing argument 1 of type ‘unsigned char *’ +In file included from drivers/scsi/qedf/qedf.h:9, + from drivers/scsi/qedf/qedf_main.c:23: +./include/scsi/libfcoe.h:252:5: note: in a call to function ‘fcoe_wwn_from_mac’ + 252 | u64 
fcoe_wwn_from_mac(unsigned char mac[MAX_ADDR_LEN], unsigned int, unsigned int); + | ^~~~~~~~~~~~~~~~~ +drivers/scsi/qedf/qedf_main.c:3521:30: warning: ‘fcoe_wwn_from_mac’ accessing 32 bytes in a region of size 6 [-Wstringop-overflow=] + 3521 | qedf->wwpn = fcoe_wwn_from_mac(qedf->mac, 2, 0); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +drivers/scsi/qedf/qedf_main.c:3521:30: note: referencing argument 1 of type ‘unsigned char *’ +In file included from drivers/scsi/qedf/qedf.h:9, + from drivers/scsi/qedf/qedf_main.c:23: +./include/scsi/libfcoe.h:252:5: note: in a call to function ‘fcoe_wwn_from_mac’ + 252 | u64 fcoe_wwn_from_mac(unsigned char mac[MAX_ADDR_LEN], unsigned int, unsigned int); + | ^~~~~~~~~~~~~~~~~ + +by changing the array size to the correct value of ETH_ALEN in the +argument declaration. + +Also, fix a couple of checkpatch warnings: +WARNING: function definition argument 'unsigned int' should also have an identifier name + +This helps with the ongoing efforts to globally enable +-Wstringop-overflow. + +Link: https://github.com/KSPP/linux/issues/181 +Fixes: 85b4aa4926a5 ("[SCSI] fcoe: Fibre Channel over Ethernet") +Signed-off-by: Gustavo A. R. 
Silva +Signed-off-by: Sasha Levin +--- + drivers/scsi/fcoe/fcoe_ctlr.c | 2 +- + include/scsi/libfcoe.h | 3 ++- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/fcoe/fcoe_ctlr.c b/drivers/scsi/fcoe/fcoe_ctlr.c +index eaab59afd90c..1c8fa41aa3ab 100644 +--- a/drivers/scsi/fcoe/fcoe_ctlr.c ++++ b/drivers/scsi/fcoe/fcoe_ctlr.c +@@ -1978,7 +1978,7 @@ EXPORT_SYMBOL(fcoe_ctlr_recv_flogi); + * + * Returns: u64 fc world wide name + */ +-u64 fcoe_wwn_from_mac(unsigned char mac[MAX_ADDR_LEN], ++u64 fcoe_wwn_from_mac(unsigned char mac[ETH_ALEN], + unsigned int scheme, unsigned int port) + { + u64 wwn; +diff --git a/include/scsi/libfcoe.h b/include/scsi/libfcoe.h +index 78b9ad2df0b1..6f3571f42529 100644 +--- a/include/scsi/libfcoe.h ++++ b/include/scsi/libfcoe.h +@@ -261,7 +261,8 @@ int fcoe_ctlr_recv_flogi(struct fcoe_ctlr *, struct fc_lport *, + struct fc_frame *); + + /* libfcoe funcs */ +-u64 fcoe_wwn_from_mac(unsigned char mac[MAX_ADDR_LEN], unsigned int, unsigned int); ++u64 fcoe_wwn_from_mac(unsigned char mac[ETH_ALEN], unsigned int scheme, ++ unsigned int port); + int fcoe_libfc_config(struct fc_lport *, struct fcoe_ctlr *, + const struct libfc_function_template *, int init_fcp); + u32 fcoe_fc_crc(struct fc_frame *fp); +-- +2.35.1 + diff --git a/queue-4.14/scsi-megaraid-fix-error-check-return-value-of-regist.patch b/queue-4.14/scsi-megaraid-fix-error-check-return-value-of-regist.patch new file mode 100644 index 00000000000..ab56c3b8d8c --- /dev/null +++ b/queue-4.14/scsi-megaraid-fix-error-check-return-value-of-regist.patch 
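Review bot: Declaring the parameter as `unsigned char mac[ETH_ALEN]` documents the expected size but still decays to a plain pointer, so the bound is checked by compiler diagnostics only and not at run time. If fcoe_wwn_from_mac() only reads the address (its body is outside the hunk), `const unsigned char mac[ETH_ALEN]` in both fcoe_ctlr.c and libfcoe.h would state that as well and is compatible with existing callers. The kernel-doc above the definition, partly visible as `Returns: u64 fc world wide name`, should describe `mac` as an ETH_ALEN-byte address if it does not already.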
@@ -0,0 +1,38 @@
+From 2ed22aea5aafbdcecc43018969885c435030633a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 18 Apr 2022 10:57:55 +0000
+Subject: scsi: megaraid: Fix error check return value of register_chrdev()
+
+From: Lv Ruyi
+
+[ Upstream commit c5acd61dbb32b6bda0f3a354108f2b8dcb788985 ]
+
+If major equals 0, register_chrdev() returns an error code when it fails.
+This function dynamically allocates a major and returns its number on
+success, so we should use "< 0" to check it instead of "!".
+
+Link: https://lore.kernel.org/r/20220418105755.2558828-1-lv.ruyi@zte.com.cn
+Reported-by: Zeal Robot
+Signed-off-by: Lv Ruyi
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/megaraid.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/megaraid.c b/drivers/scsi/megaraid.c
+index f5c09bbf9374..eed6d45b8025 100644
+--- a/drivers/scsi/megaraid.c
++++ b/drivers/scsi/megaraid.c
+@@ -4707,7 +4707,7 @@ static int __init megaraid_init(void)
+ * major number allocation.
+ */
+ major = register_chrdev(0, "megadev_legacy", &megadev_fops);
+- if (!major) {
++ if (major < 0) {
+ printk(KERN_WARNING
+ "megaraid: failed to register char device\n");
+ }
+--
+2.35.1
+
diff --git a/queue-4.14/sctp-read-sk-sk_bound_dev_if-once-in-sctp_rcv.patch b/queue-4.14/sctp-read-sk-sk_bound_dev_if-once-in-sctp_rcv.patch
new file mode 100644
index 00000000000..2106a865361
--- /dev/null
+++ b/queue-4.14/sctp-read-sk-sk_bound_dev_if-once-in-sctp_rcv.patch
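Review bot: With the test corrected to `major < 0`, the failure branch still only prints a warning, so `major` keeps a negative error code and initialisation carries on. Any later use of `major` outside this hunk, for instance when the character device is unregistered, has to tolerate that value. It is also worth confirming that `major` is declared with a signed type, since `< 0` can never be true for an unsigned one. megaraid_init() starts and ends outside the hunk.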
@@ -0,0 +1,49 @@
+From 20591916073cbed27dc15af59067f6056bc25a70 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 13 May 2022 11:55:42 -0700
+Subject: sctp: read sk->sk_bound_dev_if once in sctp_rcv()
+
+From: Eric Dumazet
+
+[ Upstream commit a20ea298071f46effa3aaf965bf9bb34c901db3f ]
+
+sctp_rcv() reads sk->sk_bound_dev_if twice while the socket
+is not locked. Another cpu could change this field under us.
+
+Fixes: 0fd9a65a76e8 ("[SCTP] Support SO_BINDTODEVICE socket option on incoming packets.")
+Signed-off-by: Eric Dumazet
+Cc: Neil Horman
+Cc: Vlad Yasevich
+Cc: Marcelo Ricardo Leitner
+Acked-by: Marcelo Ricardo Leitner
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/sctp/input.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/sctp/input.c b/net/sctp/input.c
+index b20a1fbea8bf..3305e11035fd 100644
+--- a/net/sctp/input.c
++++ b/net/sctp/input.c
+@@ -103,6 +103,7 @@ int sctp_rcv(struct sk_buff *skb)
+ struct sctp_chunk *chunk;
+ union sctp_addr src;
+ union sctp_addr dest;
++ int bound_dev_if;
+ int family;
+ struct sctp_af *af;
+ struct net *net = dev_net(skb->dev);
+@@ -180,7 +181,8 @@ int sctp_rcv(struct sk_buff *skb)
+ * If a frame arrives on an interface and the receiving socket is
+ * bound to another interface, via SO_BINDTODEVICE, treat it as OOTB
+ */
+- if (sk->sk_bound_dev_if && (sk->sk_bound_dev_if != af->skb_iif(skb))) {
++ bound_dev_if = READ_ONCE(sk->sk_bound_dev_if);
++ if (bound_dev_if && (bound_dev_if != af->skb_iif(skb))) {
+ if (transport) {
+ sctp_transport_put(transport);
+ asoc = NULL;
+--
+2.35.1
+
diff --git a/queue-4.14/series b/queue-4.14/series
index d878b3388f3..c4ef7ee7359 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
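Review bot: `READ_ONCE(sk->sk_bound_dev_if)` annotates only the reader; the store that can race with sctp_rcv() is not part of this patch. Unless the writer side uses `WRITE_ONCE()`, which is not visible here, the access still counts as a data race for the memory model and for race detectors, so the paired change should be confirmed or queued alongside. A short comment at the read, e.g. `/* lockless read: the socket is not locked here */`, would explain why the snapshot is taken.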
@@ -5,3 +5,98 @@ ptrace-xtensa-replace-pt_singlestep-with-tif_singlestep.patch ptrace-reimplement-ptrace_kill-by-always-sending-sigkill.patch btrfs-add-0x-prefix-for-unsupported-optional-features.patch btrfs-repair-super-block-num_devices-automatically.patch +drm-virtio-fix-null-pointer-dereference-in-virtio_gp.patch +mwifiex-add-mutex-lock-for-call-in-mwifiex_dfs_chan_.patch +b43legacy-fix-assigning-negative-value-to-unsigned-v.patch +b43-fix-assigning-negative-value-to-unsigned-variabl.patch +ipw2x00-fix-potential-null-dereference-in-libipw_xmi.patch +acpica-avoid-cache-flush-inside-virtual-machines.patch +alsa-jack-access-input_dev-under-mutex.patch +drm-amd-pm-fix-double-free-in-si_parse_power_table.patch +ath9k-fix-qca9561-pa-bias-level.patch +media-venus-hfi-avoid-null-dereference-in-deinit.patch +media-pci-cx23885-fix-the-error-handling-in-cx23885_.patch +media-cx25821-fix-the-warning-when-removing-the-modu.patch +scsi-megaraid-fix-error-check-return-value-of-regist.patch +drm-amd-pm-fix-the-compile-warning.patch +ipv6-don-t-send-rs-packets-to-the-interface-of-arphr.patch +asoc-dapm-don-t-fold-register-value-changes-into-not.patch +net-remove-two-bug-from-skb_checksum_help.patch +s390-preempt-disable-__preempt_count_add-optimizatio.patch +dma-debug-change-allocation-mode-from-gfp_nowait-to-.patch +ipmi-ssif-check-for-null-msg-when-handling-events-an.patch +rtlwifi-use-pr_warn-instead-of-warn_once.patch +openrisc-start-cpu-timer-early-in-boot.patch +nvme-pci-fix-a-null-pointer-dereference-in-nvme_allo.patch +asoc-rt5645-fix-errorenous-cleanup-order.patch +net-phy-micrel-allow-probing-without-.driver_data.patch +media-exynos4-is-fix-compile-warning.patch +rxrpc-return-an-error-to-sendmsg-if-call-failed.patch +eth-tg3-silence-the-gcc-12-array-bounds-warning.patch +arm-dts-ox820-align-interrupt-controller-node-name-w.patch +fs-jfs-fix-possible-null-pointer-dereference-in-dbfr.patch +arm-omap1-clock-fix-uart-rate-reporting-algorithm.patch 
+fat-add-ratelimit-to-fat-_ent_bread.patch +arm-versatile-add-missing-of_node_put-in-dcscb_init.patch +arm-dts-exynos-add-atmel-24c128-fallback-to-samsung-.patch +arm-hisi-add-missing-of_node_put-after-of_find_compa.patch +pci-avoid-pci_dev_lock-ab-ba-deadlock-with-sriov_num.patch +tracing-incorrect-isolate_mote_t-cast-in-mm_vmscan_l.patch +powerpc-xics-fix-refcount-leak-in-icp_opal_init.patch +macintosh-via-pmu-fix-build-failure-when-config_inpu.patch +rdma-hfi1-prevent-panic-when-sdma-is-disabled.patch +drm-fix-edid-struct-for-old-arm-oabi-format.patch +ath9k-fix-ar9003_get_eepmisc.patch +asoc-mediatek-fix-error-handling-in-mt8173_max98090_.patch +asoc-mediatek-fix-missing-of_node_put-in-mt2701_wm89.patch +x86-delay-fix-the-wrong-asm-constraint-in-delay_loop.patch +drm-mediatek-fix-mtk_cec_mask.patch +spi-spi-ti-qspi-fix-return-value-handling-of-wait_fo.patch +nfc-null-out-the-dev-rfkill-to-prevent-uaf.patch +efi-add-missing-prototype-for-efi_capsule_setup_info.patch +hid-hid-led-fix-maximum-brightness-for-dream-cheeky.patch +spi-img-spfi-fix-pm_runtime_get_sync-error-checking.patch +ath9k_htc-fix-potential-out-of-bounds-access-with-in.patch +inotify-show-inotify-mask-flags-in-proc-fdinfo.patch +fsnotify-fix-wrong-lockdep-annotations.patch +x86-pm-fix-false-positive-kmemleak-report-in-msr_bui.patch +drm-msm-dsi-fix-error-checks-and-return-values-for-d.patch +drm-msm-hdmi-check-return-value-after-calling-platfo.patch +drm-rockchip-vop-fix-possible-null-ptr-deref-in-vop_.patch +x86-fix-return-value-of-__setup-handlers.patch +irqchip-aspeed-i2c-ic-fix-irq_of_parse_and_map-retur.patch +x86-mm-cleanup-the-control_va_addr_alignment-__setup.patch +drm-msm-return-an-error-pointer-in-msm_gem_prime_get.patch +media-uvcvideo-fix-missing-check-to-determine-if-ele.patch +asoc-mxs-saif-fix-refcount-leak-in-mxs_saif_probe.patch +regulator-pfuze100-fix-refcount-leak-in-pfuze_parse_.patch +media-st-delta-fix-pm-disable-depth-imbalance-in-del.patch 
+media-exynos4-is-change-clk_disable-to-clk_disable_u.patch +media-pvrusb2-fix-array-index-out-of-bounds-in-pvr2_.patch +bluetooth-fix-dangling-sco_conn-and-use-after-free-i.patch +m68k-math-emu-fix-dependencies-of-math-emulation-sup.patch +sctp-read-sk-sk_bound_dev_if-once-in-sctp_rcv.patch +asoc-wm2000-fix-missing-clk_disable_unprepare-on-err.patch +rxrpc-fix-listen-setting-the-bar-too-high-for-the-pr.patch +rxrpc-don-t-try-to-resend-the-request-if-we-re-recei.patch +soc-qcom-smp2p-fix-missing-of_node_put-in-smp2p_pars.patch +soc-qcom-smsm-fix-missing-of_node_put-in-smsm_parse_.patch +arm-dts-bcm2835-rpi-zero-w-fix-gpio-line-name-for-wi.patch +arm-dts-bcm2835-rpi-b-fix-gpio-line-names.patch +mfd-ipaq-micro-fix-error-check-return-value-of-platf.patch +scsi-fcoe-fix-wstringop-overflow-warnings-in-fcoe_ww.patch +pinctrl-mvebu-fix-irq_of_parse_and_map-return-value.patch +drivers-base-node.c-fix-compaction-sysfs-file-leak.patch +powerpc-8xx-export-cpm_setbrg-for-modules.patch +powerpc-idle-fix-return-value-of-__setup-handler.patch +powerpc-4xx-cpm-fix-return-value-of-__setup-handler.patch +tty-fix-deadlock-caused-by-calling-printk-under-tty_.patch +input-sparcspkr-fix-refcount-leak-in-bbc_beep_probe.patch +powerpc-perf-fix-the-threshold-compare-group-constra.patch +powerpc-fsl_rio-fix-refcount-leak-in-fsl_rio_setup.patch +mailbox-forward-the-hrtimer-if-not-queued-and-under-.patch +iommu-mediatek-add-list_del-in-mtk_iommu_remove.patch +video-fbdev-clcdfb-fix-refcount-leak-in-clcdfb_of_vr.patch +iommu-amd-increase-timeout-waiting-for-ga-log-enable.patch +perf-c2c-use-stdio-interface-if-slang-is-not-support.patch +perf-jevents-fix-event-syntax-error-caused-by-extsel.patch diff --git a/queue-4.14/soc-qcom-smp2p-fix-missing-of_node_put-in-smp2p_pars.patch b/queue-4.14/soc-qcom-smp2p-fix-missing-of_node_put-in-smp2p_pars.patch new file mode 100644 index 00000000000..b4af2bfd883 --- /dev/null +++ b/queue-4.14/soc-qcom-smp2p-fix-missing-of_node_put-in-smp2p_pars.patch 
@@ -0,0 +1,36 @@
+From 50935a3936a1504e0e1c5626ba77193b08497b14 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 8 Mar 2022 07:19:42 +0000
+Subject: soc: qcom: smp2p: Fix missing of_node_put() in smp2p_parse_ipc
+
+From: Miaoqian Lin
+
+[ Upstream commit 8fd3f18ea31a398ecce4a6d3804433658678b0a3 ]
+
+The device_node pointer is returned by of_parse_phandle() with refcount
+incremented. We should use of_node_put() on it when done.
+
+Fixes: 50e99641413e ("soc: qcom: smp2p: Qualcomm Shared Memory Point to Point")
+Signed-off-by: Miaoqian Lin
+Signed-off-by: Bjorn Andersson
+Link: https://lore.kernel.org/r/20220308071942.22942-1-linmq006@gmail.com
+Signed-off-by: Sasha Levin
+---
+ drivers/soc/qcom/smp2p.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/soc/qcom/smp2p.c b/drivers/soc/qcom/smp2p.c
+index 4c5767c73b7a..a0562dec9604 100644
+--- a/drivers/soc/qcom/smp2p.c
++++ b/drivers/soc/qcom/smp2p.c
+@@ -416,6 +416,7 @@ static int smp2p_parse_ipc(struct qcom_smp2p *smp2p)
+ }
+
+ smp2p->ipc_regmap = syscon_node_to_regmap(syscon);
++ of_node_put(syscon);
+ if (IS_ERR(smp2p->ipc_regmap))
+ return PTR_ERR(smp2p->ipc_regmap);
+
+--
+2.35.1
+
diff --git a/queue-4.14/soc-qcom-smsm-fix-missing-of_node_put-in-smsm_parse_.patch b/queue-4.14/soc-qcom-smsm-fix-missing-of_node_put-in-smsm_parse_.patch
new file mode 100644
index 00000000000..e909c9783db
--- /dev/null
+++ b/queue-4.14/soc-qcom-smsm-fix-missing-of_node_put-in-smsm_parse_.patch
@@ -0,0 +1,36 @@
+From 0e2903653847f51c26fdb02d7ce9d2c760cbddd5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 8 Mar 2022 07:36:48 +0000
+Subject: soc: qcom: smsm: Fix missing of_node_put() in smsm_parse_ipc
+
+From: Miaoqian Lin
+
+[ Upstream commit aad66a3c78da668f4506356c2fdb70b7a19ecc76 ]
+
+The device_node pointer is returned by of_parse_phandle() with refcount
+incremented. We should use of_node_put() on it when done.
+
+Fixes: c97c4090ff72 ("soc: qcom: smsm: Add driver for Qualcomm SMSM")
+Signed-off-by: Miaoqian Lin
+Signed-off-by: Bjorn Andersson
+Link: https://lore.kernel.org/r/20220308073648.24634-1-linmq006@gmail.com
+Signed-off-by: Sasha Levin
+---
+ drivers/soc/qcom/smsm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/soc/qcom/smsm.c b/drivers/soc/qcom/smsm.c
+index 2b49d2c212da..5304529b41c9 100644
+--- a/drivers/soc/qcom/smsm.c
++++ b/drivers/soc/qcom/smsm.c
+@@ -367,6 +367,7 @@ static int smsm_parse_ipc(struct qcom_smsm *smsm, unsigned host_id)
+ return 0;
+
+ host->ipc_regmap = syscon_node_to_regmap(syscon);
++ of_node_put(syscon);
+ if (IS_ERR(host->ipc_regmap))
+ return PTR_ERR(host->ipc_regmap);
+
+--
+2.35.1
+
diff --git a/queue-4.14/spi-img-spfi-fix-pm_runtime_get_sync-error-checking.patch b/queue-4.14/spi-img-spfi-fix-pm_runtime_get_sync-error-checking.patch
new file mode 100644
index 00000000000..0a790241de1
--- /dev/null
+++ b/queue-4.14/spi-img-spfi-fix-pm_runtime_get_sync-error-checking.patch
@@ -0,0 +1,38 @@
+From 0129c781dfeba8be590dc031ed840f9cd7b0be92 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 22 Apr 2022 06:26:41 +0000
+Subject: spi: img-spfi: Fix pm_runtime_get_sync() error checking
+
+From: Zheng Yongjun
+
+[ Upstream commit cc470d55343056d6b2a5c32e10e0aad06f324078 ]
+
+If the device is already in a runtime PM enabled state
+pm_runtime_get_sync() will return 1, so a test for negative
+value should be used to check for errors.
+
+Fixes: deba25800a12b ("spi: Add driver for IMG SPFI controller")
+Signed-off-by: Zheng Yongjun
+Link: https://lore.kernel.org/r/20220422062641.10486-1-zhengyongjun3@huawei.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-img-spfi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-img-spfi.c b/drivers/spi/spi-img-spfi.c
+index 2a340234c85c..82ab1bc2196a 100644
+--- a/drivers/spi/spi-img-spfi.c
++++ b/drivers/spi/spi-img-spfi.c
+@@ -771,7 +771,7 @@ static int img_spfi_resume(struct device *dev)
+ int ret;
+
+ ret = pm_runtime_get_sync(dev);
+- if (ret) {
++ if (ret < 0) {
+ pm_runtime_put_noidle(dev);
+ return ret;
+ }
+--
+2.35.1
+
diff --git a/queue-4.14/spi-spi-ti-qspi-fix-return-value-handling-of-wait_fo.patch b/queue-4.14/spi-spi-ti-qspi-fix-return-value-handling-of-wait_fo.patch
new file mode 100644
index 00000000000..b827a86cb3a
--- /dev/null
+++ b/queue-4.14/spi-spi-ti-qspi-fix-return-value-handling-of-wait_fo.patch
@@ -0,0 +1,51 @@
+From 4941908862d78362b4b7a5bdca402b7256f75ce9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 11 Apr 2022 11:10:33 +0000
+Subject: spi: spi-ti-qspi: Fix return value handling of
+ wait_for_completion_timeout
+
+From: Miaoqian Lin
+
+[ Upstream commit 8b1ea69a63eb62f97cef63e6d816b64ed84e8760 ]
+
+wait_for_completion_timeout() returns unsigned long not int.
+It returns 0 if timed out, and positive if completed.
+The check for <= 0 is ambiguous and should be == 0 here
+indicating timeout which is the only error case.
+
+Fixes: 5720ec0a6d26 ("spi: spi-ti-qspi: Add DMA support for QSPI mmap read")
+Signed-off-by: Miaoqian Lin
+Link: https://lore.kernel.org/r/20220411111034.24447-1-linmq006@gmail.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-ti-qspi.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spi-ti-qspi.c b/drivers/spi/spi-ti-qspi.c
+index d9b02e7668ae..e5db20d11e3f 100644
+--- a/drivers/spi/spi-ti-qspi.c
++++ b/drivers/spi/spi-ti-qspi.c
+@@ -405,6 +405,7 @@ static int ti_qspi_dma_xfer(struct ti_qspi *qspi, dma_addr_t dma_dst,
+ enum dma_ctrl_flags flags = DMA_CTRL_ACK | DMA_PREP_INTERRUPT;
+ struct dma_async_tx_descriptor *tx;
+ int ret;
++ unsigned long time_left;
+
+ tx = dmaengine_prep_dma_memcpy(chan, dma_dst, dma_src, len, flags);
+ if (!tx) {
+@@ -424,9 +425,9 @@ static int ti_qspi_dma_xfer(struct ti_qspi *qspi, dma_addr_t dma_dst,
+ }
+
+ dma_async_issue_pending(chan);
+- ret = wait_for_completion_timeout(&qspi->transfer_complete,
++ time_left = wait_for_completion_timeout(&qspi->transfer_complete,
+ msecs_to_jiffies(len));
+- if (ret <= 0) {
++ if (time_left == 0) {
+ dmaengine_terminate_sync(chan);
+ dev_err(qspi->dev, "DMA wait_for_completion_timeout\n");
+ return -ETIMEDOUT;
+--
+2.35.1
+
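Review bot: The wait in ti_qspi_dma_xfer() is bounded by `msecs_to_jiffies(len)`, so the timeout shrinks with the byte count, and for a `len` of 0 it is zero, in which case the new `time_left == 0` test returns -ETIMEDOUT unless the completion has already fired. Whether callers can pass such short lengths is not visible in these hunks, but a lower bound would make the path independent of that, for example `max(msecs_to_jiffies(len), QSPI_MIN_DMA_TIMEOUT)` where `QSPI_MIN_DMA_TIMEOUT` is a placeholder name for a constant the driver would have to define. ti_qspi_dma_xfer() starts and ends outside both hunks.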
diff --git a/queue-4.14/tracing-incorrect-isolate_mote_t-cast-in-mm_vmscan_l.patch b/queue-4.14/tracing-incorrect-isolate_mote_t-cast-in-mm_vmscan_l.patch
new file mode 100644
index 00000000000..5df7284fbc7
--- /dev/null
+++ b/queue-4.14/tracing-incorrect-isolate_mote_t-cast-in-mm_vmscan_l.patch
@@ -0,0 +1,54 @@
+From 42e38718b8e910ed73ca86d2cd4afc7d55e20be2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 11 May 2022 12:46:53 +0300
+Subject: tracing: incorrect isolate_mote_t cast in mm_vmscan_lru_isolate
+
+From: Vasily Averin
+
+[ Upstream commit 2b132903de7124dd9a758be0c27562e91a510848 ]
+
+Fixes following sparse warnings:
+
+ CHECK mm/vmscan.c
+mm/vmscan.c: note: in included file (through
+include/trace/trace_events.h, include/trace/define_trace.h,
+include/trace/events/vmscan.h):
+./include/trace/events/vmscan.h:281:1: sparse: warning:
+ cast to restricted isolate_mode_t
+./include/trace/events/vmscan.h:281:1: sparse: warning:
+ restricted isolate_mode_t degrades to integer
+
+Link: https://lkml.kernel.org/r/e85d7ff2-fd10-53f8-c24e-ba0458439c1b@openvz.org
+Signed-off-by: Vasily Averin
+Acked-by: Steven Rostedt (Google)
+Signed-off-by: Andrew Morton
+Signed-off-by: Sasha Levin
+---
+ include/trace/events/vmscan.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/trace/events/vmscan.h b/include/trace/events/vmscan.h
+index dc23cf032403..9553f6167e51 100644
+--- a/include/trace/events/vmscan.h
++++ b/include/trace/events/vmscan.h
+@@ -290,7 +290,7 @@ TRACE_EVENT(mm_vmscan_lru_isolate,
+ __field(unsigned long, nr_scanned)
+ __field(unsigned long, nr_skipped)
+ __field(unsigned long, nr_taken)
+- __field(isolate_mode_t, isolate_mode)
++ __field(unsigned int, isolate_mode)
+ __field(int, lru)
+ ),
+
+@@ -301,7 +301,7 @@ TRACE_EVENT(mm_vmscan_lru_isolate,
+ __entry->nr_scanned = nr_scanned;
+ __entry->nr_skipped = nr_skipped;
+ __entry->nr_taken = nr_taken;
+- __entry->isolate_mode = isolate_mode;
++ __entry->isolate_mode = (__force unsigned int)isolate_mode;
+ __entry->lru = lru;
+ ),
+
+--
+2.35.1
+
diff --git a/queue-4.14/tty-fix-deadlock-caused-by-calling-printk-under-tty_.patch b/queue-4.14/tty-fix-deadlock-caused-by-calling-printk-under-tty_.patch
new file mode 100644
index 00000000000..f9cc199ebc1
--- /dev/null
+++ b/queue-4.14/tty-fix-deadlock-caused-by-calling-printk-under-tty_.patch 
@@ -0,0 +1,143 @@
+From 20081b46e21ae928d76b4058d66618d52d040c96 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 12 May 2022 20:38:37 -0700
+Subject: tty: fix deadlock caused by calling printk() under tty_port->lock
+
+From: Qi Zheng
+
+[ Upstream commit 6b9dbedbe3499fef862c4dff5217cf91f34e43b3 ]
+
+pty_write() invokes kmalloc() which may invoke a normal printk() to print
+failure message. This can cause a deadlock in the scenario reported by
+syz-bot below:
+
+ CPU0 CPU1 CPU2
+ ---- ---- ----
+ lock(console_owner);
+ lock(&port_lock_key);
+ lock(&port->lock);
+ lock(&port_lock_key);
+ lock(&port->lock);
+ lock(console_owner);
+
+As commit dbdda842fe96 ("printk: Add console owner and waiter logic to
+load balance console writes") said, such deadlock can be prevented by
+using printk_deferred() in kmalloc() (which is invoked in the section
+guarded by the port->lock). But there are too many printk() on the
+kmalloc() path, and kmalloc() can be called from anywhere, so changing
+printk() to printk_deferred() is too complicated and inelegant.
+
+Therefore, this patch chooses to specify __GFP_NOWARN to kmalloc(), so
+that printk() will not be called, and this deadlock problem can be
+avoided.
+
+Syzbot reported the following lockdep error:
+
+======================================================
+WARNING: possible circular locking dependency detected
+5.4.143-00237-g08ccc19a-dirty #10 Not tainted
+------------------------------------------------------
+syz-executor.4/29420 is trying to acquire lock:
+ffffffff8aedb2a0 (console_owner){....}-{0:0}, at: console_trylock_spinning kernel/printk/printk.c:1752 [inline]
+ffffffff8aedb2a0 (console_owner){....}-{0:0}, at: vprintk_emit+0x2ca/0x470 kernel/printk/printk.c:2023
+
+but task is already holding lock:
+ffff8880119c9158 (&port->lock){-.-.}-{2:2}, at: pty_write+0xf4/0x1f0 drivers/tty/pty.c:120
+
+which lock already depends on the new lock.
+
+the existing dependency chain (in reverse order) is:
+
+-> #2 (&port->lock){-.-.}-{2:2}:
+ __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
+ _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159
+ tty_port_tty_get drivers/tty/tty_port.c:288 [inline] <-- lock(&port->lock);
+ tty_port_default_wakeup+0x1d/0xb0 drivers/tty/tty_port.c:47
+ serial8250_tx_chars+0x530/0xa80 drivers/tty/serial/8250/8250_port.c:1767
+ serial8250_handle_irq.part.0+0x31f/0x3d0 drivers/tty/serial/8250/8250_port.c:1854
+ serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1827 [inline] <-- lock(&port_lock_key);
+ serial8250_default_handle_irq+0xb2/0x220 drivers/tty/serial/8250/8250_port.c:1870
+ serial8250_interrupt+0xfd/0x200 drivers/tty/serial/8250/8250_core.c:126
+ __handle_irq_event_percpu+0x109/0xa50 kernel/irq/handle.c:156
+ [...]
+
+-> #1 (&port_lock_key){-.-.}-{2:2}:
+ __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
+ _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159
+ serial8250_console_write+0x184/0xa40 drivers/tty/serial/8250/8250_port.c:3198
+ <-- lock(&port_lock_key);
+ call_console_drivers kernel/printk/printk.c:1819 [inline]
+ console_unlock+0x8cb/0xd00 kernel/printk/printk.c:2504
+ vprintk_emit+0x1b5/0x470 kernel/printk/printk.c:2024 <-- lock(console_owner);
+ vprintk_func+0x8d/0x250 kernel/printk/printk_safe.c:394
+ printk+0xba/0xed kernel/printk/printk.c:2084
+ register_console+0x8b3/0xc10 kernel/printk/printk.c:2829
+ univ8250_console_init+0x3a/0x46 drivers/tty/serial/8250/8250_core.c:681
+ console_init+0x49d/0x6d3 kernel/printk/printk.c:2915
+ start_kernel+0x5e9/0x879 init/main.c:713
+ secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:241
+
+-> #0 (console_owner){....}-{0:0}:
+ [...]
+ lock_acquire+0x127/0x340 kernel/locking/lockdep.c:4734
+ console_trylock_spinning kernel/printk/printk.c:1773 [inline] <-- lock(console_owner);
+ vprintk_emit+0x307/0x470 kernel/printk/printk.c:2023
+ vprintk_func+0x8d/0x250 kernel/printk/printk_safe.c:394
+ printk+0xba/0xed kernel/printk/printk.c:2084
+ fail_dump lib/fault-inject.c:45 [inline]
+ should_fail+0x67b/0x7c0 lib/fault-inject.c:144
+ __should_failslab+0x152/0x1c0 mm/failslab.c:33
+ should_failslab+0x5/0x10 mm/slab_common.c:1224
+ slab_pre_alloc_hook mm/slab.h:468 [inline]
+ slab_alloc_node mm/slub.c:2723 [inline]
+ slab_alloc mm/slub.c:2807 [inline]
+ __kmalloc+0x72/0x300 mm/slub.c:3871
+ kmalloc include/linux/slab.h:582 [inline]
+ tty_buffer_alloc+0x23f/0x2a0 drivers/tty/tty_buffer.c:175
+ __tty_buffer_request_room+0x156/0x2a0 drivers/tty/tty_buffer.c:273
+ tty_insert_flip_string_fixed_flag+0x93/0x250 drivers/tty/tty_buffer.c:318
+ tty_insert_flip_string include/linux/tty_flip.h:37 [inline]
+ pty_write+0x126/0x1f0 drivers/tty/pty.c:122 <-- lock(&port->lock);
+ n_tty_write+0xa7a/0xfc0 drivers/tty/n_tty.c:2356
+ do_tty_write drivers/tty/tty_io.c:961 [inline]
+ tty_write+0x512/0x930 drivers/tty/tty_io.c:1045
+ __vfs_write+0x76/0x100 fs/read_write.c:494
+ [...]
+
+other info that might help us debug this:
+
+Chain exists of:
+ console_owner --> &port_lock_key --> &port->lock
+
+Link: https://lkml.kernel.org/r/20220511061951.1114-2-zhengqi.arch@bytedance.com
+Link: https://lkml.kernel.org/r/20220510113809.80626-2-zhengqi.arch@bytedance.com
+Fixes: b6da31b2c07c ("tty: Fix data race in tty_insert_flip_string_fixed_flag")
+Signed-off-by: Qi Zheng
+Acked-by: Jiri Slaby
+Acked-by: Greg Kroah-Hartman
+Cc: Akinobu Mita
+Cc: Vlastimil Babka
+Cc: Steven Rostedt (Google)
+Signed-off-by: Andrew Morton
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/tty_buffer.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/tty/tty_buffer.c b/drivers/tty/tty_buffer.c
+index a5b32dd056be..608769f6a564 100644
+--- a/drivers/tty/tty_buffer.c
++++ b/drivers/tty/tty_buffer.c
+@@ -166,7 +166,8 @@ static struct tty_buffer *tty_buffer_alloc(struct tty_port *port, size_t size)
+ have queued and recycle that ? */
+ if (atomic_read(&port->buf.mem_used) > port->buf.mem_limit)
+ return NULL;
+- p = kmalloc(sizeof(struct tty_buffer) + 2 * size, GFP_ATOMIC);
++ p = kmalloc(sizeof(struct tty_buffer) + 2 * size,
++ GFP_ATOMIC | __GFP_NOWARN);
+ if (p == NULL)
+ return NULL;
+
+--
+2.35.1
+
diff --git a/queue-4.14/video-fbdev-clcdfb-fix-refcount-leak-in-clcdfb_of_vr.patch b/queue-4.14/video-fbdev-clcdfb-fix-refcount-leak-in-clcdfb_of_vr.patch
new file mode 100644
index 00000000000..682d42075a6
--- /dev/null
+++ b/queue-4.14/video-fbdev-clcdfb-fix-refcount-leak-in-clcdfb_of_vr.patch
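Review bot: The `__GFP_NOWARN` added to the kmalloc() in tty_buffer_alloc() is there to break a lock cycle, not to quieten the log, and nothing at the call site says so. A comment above the call, e.g. `/* __GFP_NOWARN: a failure printk() here can run under port->lock and deadlock against the console locks */`, would keep the flag from being dropped in a later tidy-up. The trace quoted in the message reaches printk() through fail_dump() in lib/fault-inject.c rather than through the allocator's own warning; whether that path honours `__GFP_NOWARN` in the 4.14 tree cannot be seen from this patch, so it is worth checking that any companion change it depends on is queued as well. tty_buffer_alloc() starts and ends outside the hunk.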
@@ -0,0 +1,45 @@
+From 9c90ef70de0ccea830d29be739e635fb614d9b96 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 12 May 2022 15:59:08 +0400
+Subject: video: fbdev: clcdfb: Fix refcount leak in clcdfb_of_vram_setup
+
+From: Miaoqian Lin
+
+[ Upstream commit b23789a59fa6f00e98a319291819f91fbba0deb8 ]
+
+of_parse_phandle() returns a node pointer with refcount incremented, we should
+use of_node_put() on it when not need anymore. Add missing of_node_put() to
+avoid refcount leak.
+
+Fixes: d10715be03bd ("video: ARM CLCD: Add DT support")
+Signed-off-by: Miaoqian Lin
+Signed-off-by: Helge Deller
+Signed-off-by: Sasha Levin
+---
+ drivers/video/fbdev/amba-clcd.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/amba-clcd.c b/drivers/video/fbdev/amba-clcd.c
+index 36d25190b48c..66c7d766e330 100644
+--- a/drivers/video/fbdev/amba-clcd.c
++++ b/drivers/video/fbdev/amba-clcd.c
+@@ -838,12 +838,15 @@ static int clcdfb_of_vram_setup(struct clcd_fb *fb)
+ return -ENODEV;
+
+ fb->fb.screen_base = of_iomap(memory, 0);
+- if (!fb->fb.screen_base)
++ if (!fb->fb.screen_base) {
++ of_node_put(memory);
+ return -ENOMEM;
++ }
+
+ fb->fb.fix.smem_start = of_translate_address(memory,
+ of_get_address(memory, 0, &size, NULL));
+ fb->fb.fix.smem_len = size;
++ of_node_put(memory);
+
+ return 0;
+ }
+--
+2.35.1
+
diff --git a/queue-4.14/x86-delay-fix-the-wrong-asm-constraint-in-delay_loop.patch b/queue-4.14/x86-delay-fix-the-wrong-asm-constraint-in-delay_loop.patch
new file mode 100644
index 00000000000..4f05b3ba023
--- /dev/null
+++ b/queue-4.14/x86-delay-fix-the-wrong-asm-constraint-in-delay_loop.patch
@@ -0,0 +1,51 @@
+From 522c577aeac6aa8d72c41d7b9da216407b3b93da Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 29 Mar 2022 17:47:04 +0700
+Subject: x86/delay: Fix the wrong asm constraint in delay_loop()
+
+From: Ammar Faizi
+
+[ Upstream commit b86eb74098a92afd789da02699b4b0dd3f73b889 ]
+
+The asm constraint does not reflect the fact that the asm statement can
+modify the value of the local variable loops. Which it does.
+
+Specifying the wrong constraint may lead to undefined behavior, it may
+clobber random stuff (e.g. local variable, important temporary value in
+regs, etc.). This is especially dangerous when the compiler decides to
+inline the function and since it doesn't know that the value gets
+modified, it might decide to use it from a register directly without
+reloading it.
+
+Change the constraint to "+a" to denote that the first argument is an
+input and an output argument.
+
+ [ bp: Fix typo, massage commit message. ]
+
+Fixes: e01b70ef3eb3 ("x86: fix bug in arch/i386/lib/delay.c file, delay_loop function")
+Signed-off-by: Ammar Faizi
+Signed-off-by: Borislav Petkov
+Link: https://lore.kernel.org/r/20220329104705.65256-2-ammarfaizi2@gnuweeb.org
+Signed-off-by: Sasha Levin
+---
+ arch/x86/lib/delay.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/lib/delay.c b/arch/x86/lib/delay.c
+index 17a0d0f5a1bf..ea1d00159ea6 100644
+--- a/arch/x86/lib/delay.c
++++ b/arch/x86/lib/delay.c
+@@ -43,8 +43,8 @@ static void delay_loop(unsigned long loops)
+ " jnz 2b \n"
+ "3: dec %0 \n"
+
+- : /* we don't need output */
+- :"a" (loops)
++ : "+a" (loops)
++ :
+ );
+ }
+
+--
+2.35.1
+
diff --git a/queue-4.14/x86-fix-return-value-of-__setup-handlers.patch b/queue-4.14/x86-fix-return-value-of-__setup-handlers.patch
new file mode 100644
index 00000000000..af95205df19
--- /dev/null
+++ b/queue-4.14/x86-fix-return-value-of-__setup-handlers.patch
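Review bot: The new operand list in delay_loop() drops the old `/* we don't need output */` remark and puts nothing in its place, so the reason `loops` became a read-write operand lives only in the commit message. A trailing comment on the operand, e.g. `: "+a" (loops) /* counted down by the asm, so it is both input and output */`, would record it next to the code and discourage a revert to an input-only constraint. The asm statement begins outside the hunk, so whether it is declared `volatile` could not be checked here.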
@@ -0,0 +1,104 @@
+From 1cf15c39cd22e880e41cdc5e9b2eaeac309d243c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 13 Mar 2022 18:27:25 -0700
+Subject: x86: Fix return value of __setup handlers
+
+From: Randy Dunlap
+
+[ Upstream commit 12441ccdf5e2f5a01a46e344976cbbd3d46845c9 ]
+
+__setup() handlers should return 1 to obsolete_checksetup() in
+init/main.c to indicate that the boot option has been handled. A return
+of 0 causes the boot option/value to be listed as an Unknown kernel
+parameter and added to init's (limited) argument (no '=') or environment
+(with '=') strings. So return 1 from these x86 __setup handlers.
+
+Examples:
+
+ Unknown kernel command line parameters "apicpmtimer
+ BOOT_IMAGE=/boot/bzImage-517rc8 vdso=1 ring3mwait=disable", will be
+ passed to user space.
+
+ Run /sbin/init as init process
+ with arguments:
+ /sbin/init
+ apicpmtimer
+ with environment:
+ HOME=/
+ TERM=linux
+ BOOT_IMAGE=/boot/bzImage-517rc8
+ vdso=1
+ ring3mwait=disable
+
+Fixes: 2aae950b21e4 ("x86_64: Add vDSO for x86-64 with gettimeofday/clock_gettime/getcpu")
+Fixes: 77b52b4c5c66 ("x86: add "debugpat" boot option")
+Fixes: e16fd002afe2 ("x86/cpufeature: Enable RING3MWAIT for Knights Landing")
+Fixes: b8ce33590687 ("x86_64: convert to clock events")
+Reported-by: Igor Zhbanov
+Signed-off-by: Randy Dunlap
+Signed-off-by: Borislav Petkov
+Link: https://lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru
+Link: https://lore.kernel.org/r/20220314012725.26661-1-rdunlap@infradead.org
+Signed-off-by: Sasha Levin
+---
+ arch/x86/entry/vdso/vma.c | 2 +-
+ arch/x86/kernel/apic/apic.c | 2 +-
+ arch/x86/kernel/cpu/intel.c | 2 +-
+ arch/x86/mm/pat.c | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/entry/vdso/vma.c b/arch/x86/entry/vdso/vma.c
+index 2ab8628aef10..63ed146abef0 100644
+--- a/arch/x86/entry/vdso/vma.c
++++ b/arch/x86/entry/vdso/vma.c
+@@ -328,7 +328,7 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int
uses_interp)
+ static __init int vdso_setup(char *s)
+ {
+ vdso64_enabled = simple_strtoul(s, NULL, 0);
+- return 0;
++ return 1;
+ }
+ __setup("vdso=", vdso_setup);
+ #endif
+diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c
+index 76f2bbba92f9..488e0853a44d 100644
+--- a/arch/x86/kernel/apic/apic.c
++++ b/arch/x86/kernel/apic/apic.c
+@@ -167,7 +167,7 @@ static __init int setup_apicpmtimer(char *s)
+ {
+ apic_calibrate_pmtmr = 1;
+ notsc_setup(NULL);
+- return 0;
++ return 1;
+ }
+ __setup("apicpmtimer", setup_apicpmtimer);
+ #endif
+diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
+index 3a5ea741701b..541e190c3f0e 100644
+--- a/arch/x86/kernel/cpu/intel.c
++++ b/arch/x86/kernel/cpu/intel.c
+@@ -71,7 +71,7 @@ static bool ring3mwait_disabled __read_mostly;
+ static int __init ring3mwait_disable(char *__unused)
+ {
+ ring3mwait_disabled = true;
+- return 0;
++ return 1;
+ }
+ __setup("ring3mwait=disable", ring3mwait_disable);
+
+diff --git a/arch/x86/mm/pat.c b/arch/x86/mm/pat.c
+index fe7d57a8fb60..49aeb4e73a35 100644
+--- a/arch/x86/mm/pat.c
++++ b/arch/x86/mm/pat.c
+@@ -74,7 +74,7 @@ int pat_debug_enable;
+ static int __init pat_debug_setup(char *str)
+ {
+ pat_debug_enable = 1;
+- return 0;
++ return 1;
+ }
+ __setup("debugpat", pat_debug_setup);
+
+--
+2.35.1
+
diff --git a/queue-4.14/x86-mm-cleanup-the-control_va_addr_alignment-__setup.patch b/queue-4.14/x86-mm-cleanup-the-control_va_addr_alignment-__setup.patch
new file mode 100644
index 00000000000..b5fc62cf274
--- /dev/null
+++ b/queue-4.14/x86-mm-cleanup-the-control_va_addr_alignment-__setup.patch
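Review bot: In vdso_setup() (the arch/x86/entry/vdso/vma.c hunk) the value is still parsed with `simple_strtoul(s, NULL, 0)`, which cannot report a malformed number, so once the handler returns 1 an input such as `vdso=abc` is consumed without any trace and stored as 0. A checked parse with a warning would keep a mistyped boot option visible, for example `if (kstrtouint(s, 0, &vdso64_enabled)) pr_warn("vdso: invalid value '%s'\n", s);`, assuming `vdso64_enabled` is an unsigned int (its declaration is outside the hunk). The other three handlers take no value and need nothing more.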
@@ -0,0 +1,59 @@
+From 64cb4931cc058ddf6ffd049d757fbda8bca63eb3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 14 Mar 2022 17:10:45 -0700
+Subject: x86/mm: Cleanup the control_va_addr_alignment() __setup handler
+
+From: Randy Dunlap
+
+[ Upstream commit 1ef64b1e89e6d4018da46e08ffc32779a31160c7 ]
+
+Clean up control_va_addr_alignment():
+
+a. Make '=' required instead of optional (as documented).
+b. Print a warning if an invalid option value is used.
+c. Return 1 from the __setup handler when an invalid option value is
+ used. This prevents the kernel from polluting init's (limited)
+ environment space with the entire string.
+
+Fixes: dfb09f9b7ab0 ("x86, amd: Avoid cache aliasing penalties on AMD family 15h")
+Reported-by: Igor Zhbanov
+Signed-off-by: Randy Dunlap
+Signed-off-by: Borislav Petkov
+Link: https://lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru
+Link: https://lore.kernel.org/r/20220315001045.7680-1-rdunlap@infradead.org
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kernel/sys_x86_64.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c
+index a63fe77b3217..7a08c42770f1 100644
+--- a/arch/x86/kernel/sys_x86_64.c
++++ b/arch/x86/kernel/sys_x86_64.c
+@@ -70,9 +70,6 @@ static int __init control_va_addr_alignment(char *str)
+ if (*str == 0)
+ return 1;
+
+- if (*str == '=')
+- str++;
+-
+ if (!strcmp(str, "32"))
+ va_align.flags = ALIGN_VA_32;
+ else if (!strcmp(str, "64"))
+@@ -82,11 +79,11 @@ static int __init control_va_addr_alignment(char *str)
+ else if (!strcmp(str, "on"))
+ va_align.flags = ALIGN_VA_32 | ALIGN_VA_64;
+ else
+- return 0;
++ pr_warn("invalid option value: 'align_va_addr=%s'\n", str);
+
+ return 1;
+ }
+-__setup("align_va_addr", control_va_addr_alignment);
++__setup("align_va_addr=", control_va_addr_alignment);
+
+ SYSCALL_DEFINE6(mmap, unsigned long, addr, unsigned long, len,
+ unsigned long, prot, unsigned long, flags,
+--
+2.35.1
+
diff --git a/queue-4.14/x86-pm-fix-false-positive-kmemleak-report-in-msr_bui.patch b/queue-4.14/x86-pm-fix-false-positive-kmemleak-report-in-msr_bui.patch
new file mode 100644
index 00000000000..65fa747a7d8
--- /dev/null
+++ b/queue-4.14/x86-pm-fix-false-positive-kmemleak-report-in-msr_bui.patch
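Review bot: control_va_addr_alignment() now warns on an unrecognised value, but the `if (*str == 0) return 1;` guard kept as context in the first hunk still accepts an empty value silently, so `align_va_addr=` with nothing after the '=' leaves the default in place without a message. Dropping that early return would let the empty string fall through the strcmp() chain to the new `pr_warn()` branch and make the two cases consistent; the branches between the two hunks are not visible, so this assumes none of them matches "". The function starts before the first hunk.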
@@ -0,0 +1,161 @@
+From 07ed30b998f6e3f9c7fc971674b15a7fd913d877 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 23 Apr 2022 20:24:10 +0200
+Subject: x86/pm: Fix false positive kmemleak report in msr_build_context()
+
+From: Matthieu Baerts
+
+[ Upstream commit b0b592cf08367719e1d1ef07c9f136e8c17f7ec3 ]
+
+Since
+
+ e2a1256b17b1 ("x86/speculation: Restore speculation related MSRs during S3 resume")
+
+kmemleak reports this issue:
+
+ unreferenced object 0xffff888009cedc00 (size 256):
+ comm "swapper/0", pid 1, jiffies 4294693823 (age 73.764s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 48 00 00 00 00 00 00 00 ........H.......
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ msr_build_context (include/linux/slab.h:621)
+ pm_check_save_msr (arch/x86/power/cpu.c:520)
+ do_one_initcall (init/main.c:1298)
+ kernel_init_freeable (init/main.c:1370)
+ kernel_init (init/main.c:1504)
+ ret_from_fork (arch/x86/entry/entry_64.S:304)
+
+Reproducer:
+
+ - boot the VM with a debug kernel config (see
+ https://github.com/multipath-tcp/mptcp_net-next/issues/268)
+ - wait ~1 minute
+ - start a kmemleak scan
+
+The root cause here is alignment within the packed struct saved_context
+(from suspend_64.h). Kmemleak only searches for pointers that are
+aligned (see how pointers are scanned in kmemleak.c), but pahole shows
+that the saved_msrs struct member and all members after it in the
+structure are unaligned:
+
+ struct saved_context {
+ struct pt_regs regs; /* 0 168 */
+ /* --- cacheline 2 boundary (128 bytes) was 40 bytes ago --- */
+ u16 ds; /* 168 2 */
+
+ ...
+
+ u64 misc_enable; /* 232 8 */
+ bool misc_enable_saved; /* 240 1 */
+
+ /* Note below odd offset values for the remainder of this struct */
+
+ struct saved_msrs saved_msrs; /* 241 16 */
+ /* --- cacheline 4 boundary (256 bytes) was 1 bytes ago --- */
+ long unsigned int efer; /* 257 8 */
+ u16 gdt_pad; /* 265 2 */
+ struct desc_ptr gdt_desc; /* 267 10 */
+ u16 idt_pad; /* 277 2 */
+ struct desc_ptr idt; /* 279 10 */
+ u16 ldt; /* 289 2 */
+ u16 tss; /* 291 2 */
+ long unsigned int tr; /* 293 8 */
+ long unsigned int safety; /* 301 8 */
+ long unsigned int return_address; /* 309 8 */
+
+ /* size: 317, cachelines: 5, members: 25 */
+ /* last cacheline: 61 bytes */
+ } __attribute__((__packed__));
+
+Move misc_enable_saved to the end of the struct declaration so that
+saved_msrs fits in before the cacheline 4 boundary.
+
+The comment above the saved_context declaration says to fix wakeup_64.S
+file and __save/__restore_processor_state() if the struct is modified:
+it looks like all the accesses in wakeup_64.S are done through offsets
+which are computed at build-time. Update that comment accordingly.
+
+At the end, the false positive kmemleak report is due to a limitation
+from kmemleak but it is always good to avoid unaligned members for
+optimisation purposes.
+
+Please note that it looks like this issue is not new, e.g.
+
+ https://lore.kernel.org/all/9f1bb619-c4ee-21c4-a251-870bd4db04fa@lwfinger.net/
+ https://lore.kernel.org/all/94e48fcd-1dbd-ebd2-4c91-f39941735909@molgen.mpg.de/
+
+ [ bp: Massage + cleanup commit message. ]
+
+Fixes: 7a9c2dd08ead ("x86/pm: Introduce quirk framework to save/restore extra MSR registers around suspend/resume")
+Suggested-by: Mat Martineau
+Signed-off-by: Matthieu Baerts
+Signed-off-by: Borislav Petkov
+Reviewed-by: Rafael J. Wysocki
+Link: https://lore.kernel.org/r/20220426202138.498310-1-matthieu.baerts@tessares.net
+Signed-off-by: Sasha Levin
+---
+ arch/x86/include/asm/suspend_32.h | 2 +-
+ arch/x86/include/asm/suspend_64.h | 12 ++++++++----
+ 2 files changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/arch/x86/include/asm/suspend_32.h b/arch/x86/include/asm/suspend_32.h
+index 8be6afb58471..32662cbaa27e 100644
+--- a/arch/x86/include/asm/suspend_32.h
++++ b/arch/x86/include/asm/suspend_32.h
+@@ -21,7 +21,6 @@ struct saved_context {
+ #endif
+ unsigned long cr0, cr2, cr3, cr4;
+ u64 misc_enable;
+- bool misc_enable_saved;
+ struct saved_msrs saved_msrs;
+ struct desc_ptr gdt_desc;
+ struct desc_ptr idt;
+@@ -30,6 +29,7 @@ struct saved_context {
+ unsigned long tr;
+ unsigned long safety;
+ unsigned long return_address;
++ bool misc_enable_saved;
+ } __attribute__((packed));
+
+ #endif /* _ASM_X86_SUSPEND_32_H */
+diff --git a/arch/x86/include/asm/suspend_64.h b/arch/x86/include/asm/suspend_64.h
+index a7af9f53c0cb..b2861400c6a2 100644
+--- a/arch/x86/include/asm/suspend_64.h
++++ b/arch/x86/include/asm/suspend_64.h
+@@ -14,9 +14,13 @@
+ * Image of the saved processor state, used by the low level ACPI suspend to
+ * RAM code and by the low level hibernation code.
+ *
+- * If you modify it, fix arch/x86/kernel/acpi/wakeup_64.S and make sure that
+- * __save/__restore_processor_state(), defined in arch/x86/kernel/suspend_64.c,
+- * still work as required.
++ * If you modify it, check how it is used in arch/x86/kernel/acpi/wakeup_64.S
++ * and make sure that __save/__restore_processor_state(), defined in
++ * arch/x86/power/cpu.c, still work as required.
++ *
++ * Because the structure is packed, make sure to avoid unaligned members. For
++ * optimisation purposes but also because tools like kmemleak only search for
++ * pointers that are aligned.
+ */
+ struct saved_context {
+ struct pt_regs regs;
+@@ -36,7 +40,6 @@ struct saved_context {
+
+ unsigned long cr0, cr2, cr3, cr4, cr8;
+ u64 misc_enable;
+- bool misc_enable_saved;
+ struct saved_msrs saved_msrs;
+ unsigned long efer;
+ u16 gdt_pad; /* Unused */
+@@ -48,6 +51,7 @@ struct saved_context {
+ unsigned long tr;
+ unsigned long safety;
+ unsigned long return_address;
++ bool misc_enable_saved;
+ } __attribute__((packed));
+
+ #define loaddebug(thread,register) \
+--
+2.35.1
+
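Review bot: Nothing in this change enforces the rule that the new comment in suspend_64.h states ("make sure to avoid unaligned members"), so a later field added ahead of `saved_msrs` in the packed `struct saved_context` can bring the misalignment back without any build or runtime signal. A compile-time check next to the code that fills the structure would pin it, for example `BUILD_BUG_ON(offsetof(struct saved_context, saved_msrs) % sizeof(void *));`. The pahole listing in the message covers only the 64-bit layout. The suspend_32.h section moves the same field, but the members above its `#endif` are outside the hunk, so whether `saved_msrs` ends up aligned there cannot be confirmed from this page; the same assertion would answer that. suspend_32.h also does not receive the explanatory comment that suspend_64.h gets.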