From: Greg Kroah-Hartman Date: Sat, 2 Apr 2022 13:10:29 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v5.17.2~178 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=228cd6584f2c44639988894521023ed23d493bc0;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: acpi-properties-consistently-return-enoent-if-there-are-no-more-references.patch arm-dts-at91-sama5d2-fix-pmerrloc-resource-size.patch arm-dts-exynos-add-missing-hdmi-supplies-on-smdk5250.patch arm-dts-exynos-add-missing-hdmi-supplies-on-smdk5420.patch arm-dts-exynos-fix-uart3-pins-configuration-in-exynos5250.patch block-don-t-merge-across-cgroup-boundaries-if-blkcg-is-enabled.patch brcmfmac-firmware-allocate-space-for-default-boardrev-in-nvram.patch brcmfmac-pcie-replace-brcmf_pcie_copy_mem_todev-with-memcpy_toio.patch carl9170-fix-missing-bit-wise-or-operator-for-tx_params.patch dec-limit-pmax-memory-probing-to-r3k-systems.patch drbd-fix-potential-silent-data-corruption.patch drivers-hamradio-6pack-fix-uaf-bug-caused-by-mod_timer.patch drm-edid-check-basic-audio-support-on-cea-extension-block.patch lib-raid6-test-fix-multiple-definition-linking-error.patch media-davinci-vpif-fix-unbalanced-runtime-pm-get.patch mm-hwpoison-unmap-poisoned-page-before-invalidation.patch pci-pciehp-clear-cmd_busy-bit-in-polling-mode.patch powerpc-kvm-fix-kvm_use_magic_page.patch thermal-int340x-increase-bitmap-size.patch video-fbdev-atari-atari-2-bpp-ste-palette-bugfix.patch video-fbdev-sm712fb-fix-crash-in-smtcfb_read.patch --- diff --git a/queue-4.19/acpi-properties-consistently-return-enoent-if-there-are-no-more-references.patch b/queue-4.19/acpi-properties-consistently-return-enoent-if-there-are-no-more-references.patch new file mode 100644 index 00000000000..66c5f55d600 --- /dev/null +++ b/queue-4.19/acpi-properties-consistently-return-enoent-if-there-are-no-more-references.patch @@ -0,0 +1,36 @@ +From babc92da5928f81af951663fc436997352e02d3a Mon Sep 17 00:00:00 2001 +From: Sakari Ailus +Date: Fri, 14 Jan 2022 13:24:49 +0200 +Subject: ACPI: properties: Consistently return -ENOENT if there are no more references + +From: Sakari Ailus + +commit babc92da5928f81af951663fc436997352e02d3a upstream. + +__acpi_node_get_property_reference() is documented to return -ENOENT if +the caller requests a property reference at an index that does not exist, +not -EINVAL which it actually does. + +Fix this by returning -ENOENT consistenly, independently of whether the +property value is a plain reference or a package. + +Fixes: c343bc2ce2c6 ("ACPI: properties: Align return codes of __acpi_node_get_property_reference()") +Cc: 4.14+ # 4.14+ +Signed-off-by: Sakari Ailus +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/property.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/acpi/property.c ++++ b/drivers/acpi/property.c +@@ -618,7 +618,7 @@ int __acpi_node_get_property_reference(c + */ + if (obj->type == ACPI_TYPE_LOCAL_REFERENCE) { + if (index) +- return -EINVAL; ++ return -ENOENT; + + ret = acpi_bus_get_device(obj->reference.handle, &device); + if (ret) diff --git a/queue-4.19/arm-dts-at91-sama5d2-fix-pmerrloc-resource-size.patch b/queue-4.19/arm-dts-at91-sama5d2-fix-pmerrloc-resource-size.patch new file mode 100644 index 00000000000..b5ce92ee6ca --- /dev/null +++ b/queue-4.19/arm-dts-at91-sama5d2-fix-pmerrloc-resource-size.patch @@ -0,0 +1,36 @@ +From 0fb578a529ac7aca326a9fa475b4a6f58a756fda Mon Sep 17 00:00:00 2001 +From: Tudor Ambarus +Date: Tue, 11 Jan 2022 15:23:01 +0200 +Subject: ARM: dts: at91: sama5d2: Fix PMERRLOC resource size + +From: Tudor Ambarus + +commit 0fb578a529ac7aca326a9fa475b4a6f58a756fda upstream. + +PMERRLOC resource size was set to 0x100, which resulted in HSMC_ERRLOCx +register being truncated to offset x = 21, causing error correction to +fail if more than 22 bit errors and if 24 or 32 bit error correction +was supported. + +Fixes: d9c41bf30cf8 ("ARM: dts: at91: Declare EBI/NAND controllers") +Signed-off-by: Tudor Ambarus +Cc: # 4.13.x +Acked-by: Alexander Dahl +Signed-off-by: Nicolas Ferre +Link: https://lore.kernel.org/r/20220111132301.906712-1-tudor.ambarus@microchip.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/sama5d2.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/sama5d2.dtsi ++++ b/arch/arm/boot/dts/sama5d2.dtsi +@@ -1125,7 +1125,7 @@ + pmecc: ecc-engine@f8014070 { + compatible = "atmel,sama5d2-pmecc"; + reg = <0xf8014070 0x490>, +- <0xf8014500 0x100>; ++ <0xf8014500 0x200>; + }; + }; + diff --git a/queue-4.19/arm-dts-exynos-add-missing-hdmi-supplies-on-smdk5250.patch b/queue-4.19/arm-dts-exynos-add-missing-hdmi-supplies-on-smdk5250.patch new file mode 100644 index 00000000000..3b4be873e7f --- /dev/null +++ b/queue-4.19/arm-dts-exynos-add-missing-hdmi-supplies-on-smdk5250.patch @@ -0,0 +1,34 @@ +From 60a9914cb2061ba612a3f14f6ad329912b486360 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Tue, 8 Feb 2022 18:18:14 +0100 +Subject: ARM: dts: exynos: add missing HDMI supplies on SMDK5250 + +From: Krzysztof Kozlowski + +commit 60a9914cb2061ba612a3f14f6ad329912b486360 upstream. + +Add required VDD supplies to HDMI block on SMDK5250. Without them, the +HDMI driver won't probe. Because of lack of schematics, use same +supplies as on Arndale 5250 board (voltage matches). + +Cc: # v3.15+ +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Alim Akhtar +Link: https://lore.kernel.org/r/20220208171823.226211-2-krzysztof.kozlowski@canonical.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/exynos5250-smdk5250.dts | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/arm/boot/dts/exynos5250-smdk5250.dts ++++ b/arch/arm/boot/dts/exynos5250-smdk5250.dts +@@ -116,6 +116,9 @@ + status = "okay"; + ddc = <&i2c_2>; + hpd-gpios = <&gpx3 7 GPIO_ACTIVE_HIGH>; ++ vdd-supply = <&ldo8_reg>; ++ vdd_osc-supply = <&ldo10_reg>; ++ vdd_pll-supply = <&ldo8_reg>; + }; + + &i2c_0 { diff --git a/queue-4.19/arm-dts-exynos-add-missing-hdmi-supplies-on-smdk5420.patch b/queue-4.19/arm-dts-exynos-add-missing-hdmi-supplies-on-smdk5420.patch new file mode 100644 index 00000000000..4315cb4201f --- /dev/null +++ b/queue-4.19/arm-dts-exynos-add-missing-hdmi-supplies-on-smdk5420.patch @@ -0,0 +1,34 @@ +From 453a24ded415f7fce0499c6b0a2c7b28f84911f2 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Tue, 8 Feb 2022 18:18:15 +0100 +Subject: ARM: dts: exynos: add missing HDMI supplies on SMDK5420 + +From: Krzysztof Kozlowski + +commit 453a24ded415f7fce0499c6b0a2c7b28f84911f2 upstream. + +Add required VDD supplies to HDMI block on SMDK5420. Without them, the +HDMI driver won't probe. Because of lack of schematics, use same +supplies as on Arndale Octa and Odroid XU3 boards (voltage matches). + +Cc: # v3.15+ +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Alim Akhtar +Link: https://lore.kernel.org/r/20220208171823.226211-3-krzysztof.kozlowski@canonical.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/exynos5420-smdk5420.dts | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/arm/boot/dts/exynos5420-smdk5420.dts ++++ b/arch/arm/boot/dts/exynos5420-smdk5420.dts +@@ -131,6 +131,9 @@ + hpd-gpios = <&gpx3 7 GPIO_ACTIVE_HIGH>; + pinctrl-names = "default"; + pinctrl-0 = <&hdmi_hpd_irq>; ++ vdd-supply = <&ldo6_reg>; ++ vdd_osc-supply = <&ldo7_reg>; ++ vdd_pll-supply = <&ldo6_reg>; + }; + + &hsi2c_4 { diff --git a/queue-4.19/arm-dts-exynos-fix-uart3-pins-configuration-in-exynos5250.patch b/queue-4.19/arm-dts-exynos-fix-uart3-pins-configuration-in-exynos5250.patch new file mode 100644 index 00000000000..e224f38a7c0 --- /dev/null +++ b/queue-4.19/arm-dts-exynos-fix-uart3-pins-configuration-in-exynos5250.patch @@ -0,0 +1,34 @@ +From 372d7027fed43c8570018e124cf78b89523a1f8e Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 30 Dec 2021 20:53:23 +0100 +Subject: ARM: dts: exynos: fix UART3 pins configuration in Exynos5250 + +From: Krzysztof Kozlowski + +commit 372d7027fed43c8570018e124cf78b89523a1f8e upstream. + +The gpa1-4 pin was put twice in UART3 pin configuration of Exynos5250, +instead of proper pin gpa1-5. + +Fixes: f8bfe2b050f3 ("ARM: dts: add pin state information in client nodes for Exynos5 platforms") +Cc: +Signed-off-by: Krzysztof Kozlowski +Tested-by: Marek Szyprowski +Reviewed-by: Alim Akhtar +Link: https://lore.kernel.org/r/20211230195325.328220-1-krzysztof.kozlowski@canonical.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/exynos5250-pinctrl.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/exynos5250-pinctrl.dtsi ++++ b/arch/arm/boot/dts/exynos5250-pinctrl.dtsi +@@ -260,7 +260,7 @@ + }; + + uart3_data: uart3-data { +- samsung,pins = "gpa1-4", "gpa1-4"; ++ samsung,pins = "gpa1-4", "gpa1-5"; + samsung,pin-function = ; + samsung,pin-pud = ; + samsung,pin-drv = ; diff --git a/queue-4.19/block-don-t-merge-across-cgroup-boundaries-if-blkcg-is-enabled.patch b/queue-4.19/block-don-t-merge-across-cgroup-boundaries-if-blkcg-is-enabled.patch new file mode 100644 index 00000000000..15680b88ffa --- /dev/null +++ b/queue-4.19/block-don-t-merge-across-cgroup-boundaries-if-blkcg-is-enabled.patch @@ -0,0 +1,112 @@ +From 6b2b04590b51aa4cf395fcd185ce439cab5961dc Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Mon, 14 Mar 2022 14:30:11 -1000 +Subject: block: don't merge across cgroup boundaries if blkcg is enabled + +From: Tejun Heo + +commit 6b2b04590b51aa4cf395fcd185ce439cab5961dc upstream. + +blk-iocost and iolatency are cgroup aware rq-qos policies but they didn't +disable merges across different cgroups. This obviously can lead to +accounting and control errors but more importantly to priority inversions - +e.g. an IO which belongs to a higher priority cgroup or IO class may end up +getting throttled incorrectly because it gets merged to an IO issued from a +low priority cgroup. + +Fix it by adding blk_cgroup_mergeable() which is called from merge paths and +rejects cross-cgroup and cross-issue_as_root merges. + +Signed-off-by: Tejun Heo +Fixes: d70675121546 ("block: introduce blk-iolatency io controller") +Cc: stable@vger.kernel.org # v4.19+ +Cc: Josef Bacik +Link: https://lore.kernel.org/r/Yi/eE/6zFNyWJ+qd@slm.duckdns.org +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-merge.c | 11 +++++++++++ + include/linux/blk-cgroup.h | 17 +++++++++++++++++ + 2 files changed, 28 insertions(+) + +--- a/block/blk-merge.c ++++ b/block/blk-merge.c +@@ -7,6 +7,7 @@ + #include + #include + #include ++#include + + #include + +@@ -486,6 +487,9 @@ static inline int ll_new_hw_segment(stru + if (req->nr_phys_segments + nr_phys_segs > queue_max_segments(q)) + goto no_merge; + ++ if (!blk_cgroup_mergeable(req, bio)) ++ goto no_merge; ++ + if (blk_integrity_merge_bio(q, req, bio) == false) + goto no_merge; + +@@ -609,6 +613,9 @@ static int ll_merge_requests_fn(struct r + if (total_phys_segments > queue_max_segments(q)) + return 0; + ++ if (!blk_cgroup_mergeable(req, next->bio)) ++ return 0; ++ + if (blk_integrity_merge_rq(q, req, next) == false) + return 0; + +@@ -843,6 +850,10 @@ bool blk_rq_merge_ok(struct request *rq, + if (rq->rq_disk != bio->bi_disk || req_no_special_merge(rq)) + return false; + ++ /* don't merge across cgroup boundaries */ ++ if (!blk_cgroup_mergeable(rq, bio)) ++ return false; ++ + /* only merge integrity protected bio into ditto rq */ + if (blk_integrity_merge_bio(rq->q, rq, bio) == false) + return false; +--- a/include/linux/blk-cgroup.h ++++ b/include/linux/blk-cgroup.h +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + + /* percpu_counter batch for blkg_[rw]stats, per-cpu drift doesn't matter */ + #define BLKG_STAT_CPU_BATCH (INT_MAX / 2) +@@ -844,6 +845,21 @@ static inline void blkcg_use_delay(struc + atomic_inc(&blkg->blkcg->css.cgroup->congestion_count); + } + ++/** ++ * blk_cgroup_mergeable - Determine whether to allow or disallow merges ++ * @rq: request to merge into ++ * @bio: bio to merge ++ * ++ * @bio and @rq should belong to the same cgroup and their issue_as_root should ++ * match. The latter is necessary as we don't want to throttle e.g. a metadata ++ * update because it happens to be next to a regular IO. ++ */ ++static inline bool blk_cgroup_mergeable(struct request *rq, struct bio *bio) ++{ ++ return rq->bio->bi_blkg == bio->bi_blkg && ++ bio_issue_as_root_blkg(rq->bio) == bio_issue_as_root_blkg(bio); ++} ++ + static inline int blkcg_unuse_delay(struct blkcg_gq *blkg) + { + int old = atomic_read(&blkg->use_delay); +@@ -947,6 +963,7 @@ static inline struct request_list *blk_r + + static inline bool blkcg_bio_issue_check(struct request_queue *q, + struct bio *bio) { return true; } ++static inline bool blk_cgroup_mergeable(struct request *rq, struct bio *bio) { return true; } + + #define blk_queue_for_each_rl(rl, q) \ + for ((rl) = &(q)->root_rl; (rl); (rl) = NULL) diff --git a/queue-4.19/brcmfmac-firmware-allocate-space-for-default-boardrev-in-nvram.patch b/queue-4.19/brcmfmac-firmware-allocate-space-for-default-boardrev-in-nvram.patch new file mode 100644 index 00000000000..c3138e36f60 --- /dev/null +++ b/queue-4.19/brcmfmac-firmware-allocate-space-for-default-boardrev-in-nvram.patch @@ -0,0 +1,36 @@ +From d19d8e3ba256f81ea4a27209dbbd1f0a00ef1903 Mon Sep 17 00:00:00 2001 +From: Hector Martin +Date: Tue, 1 Feb 2022 01:07:06 +0900 +Subject: brcmfmac: firmware: Allocate space for default boardrev in nvram + +From: Hector Martin + +commit d19d8e3ba256f81ea4a27209dbbd1f0a00ef1903 upstream. + +If boardrev is missing from the NVRAM we add a default one, but this +might need more space in the output buffer than was allocated. Ensure +we have enough padding for this in the buffer. + +Fixes: 46f2b38a91b0 ("brcmfmac: insert default boardrev in nvram data if missing") +Reviewed-by: Arend van Spriel +Cc: stable@vger.kernel.org +Signed-off-by: Hector Martin +Reviewed-by: Andy Shevchenko +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220131160713.245637-3-marcan@marcan.st +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c +@@ -217,6 +217,8 @@ static int brcmf_init_nvram_parser(struc + size = BRCMF_FW_MAX_NVRAM_SIZE; + else + size = data_len; ++ /* Add space for properties we may add */ ++ size += strlen(BRCMF_FW_DEFAULT_BOARDREV) + 1; + /* Alloc for extra 0 byte + roundup by 4 + length field */ + size += 1 + 3 + sizeof(u32); + nvp->nvram = kzalloc(size, GFP_KERNEL); diff --git a/queue-4.19/brcmfmac-pcie-replace-brcmf_pcie_copy_mem_todev-with-memcpy_toio.patch b/queue-4.19/brcmfmac-pcie-replace-brcmf_pcie_copy_mem_todev-with-memcpy_toio.patch new file mode 100644 index 00000000000..a94e0923e6b --- /dev/null +++ b/queue-4.19/brcmfmac-pcie-replace-brcmf_pcie_copy_mem_todev-with-memcpy_toio.patch @@ -0,0 +1,108 @@ +From 9466987f246758eb7e9071ae58005253f631271e Mon Sep 17 00:00:00 2001 +From: Hector Martin +Date: Tue, 1 Feb 2022 01:07:09 +0900 +Subject: brcmfmac: pcie: Replace brcmf_pcie_copy_mem_todev with memcpy_toio + +From: Hector Martin + +commit 9466987f246758eb7e9071ae58005253f631271e upstream. + +The alignment check was wrong (e.g. & 4 instead of & 3), and the logic +was also inefficient if the length was not a multiple of 4, since it +would needlessly fall back to copying the entire buffer bytewise. + +We already have a perfectly good memcpy_toio function, so just call that +instead of rolling our own copy logic here. brcmf_pcie_init_ringbuffers +was already using it anyway. + +Fixes: 9e37f045d5e7 ("brcmfmac: Adding PCIe bus layer support.") +Reviewed-by: Linus Walleij +Reviewed-by: Arend van Spriel +Reviewed-by: Andy Shevchenko +Cc: stable@vger.kernel.org +Signed-off-by: Hector Martin +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220131160713.245637-6-marcan@marcan.st +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 48 +--------------- + 1 file changed, 4 insertions(+), 44 deletions(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + #include + + #include +@@ -442,47 +443,6 @@ brcmf_pcie_write_ram32(struct brcmf_pcie + + + static void +-brcmf_pcie_copy_mem_todev(struct brcmf_pciedev_info *devinfo, u32 mem_offset, +- void *srcaddr, u32 len) +-{ +- void __iomem *address = devinfo->tcm + mem_offset; +- __le32 *src32; +- __le16 *src16; +- u8 *src8; +- +- if (((ulong)address & 4) || ((ulong)srcaddr & 4) || (len & 4)) { +- if (((ulong)address & 2) || ((ulong)srcaddr & 2) || (len & 2)) { +- src8 = (u8 *)srcaddr; +- while (len) { +- iowrite8(*src8, address); +- address++; +- src8++; +- len--; +- } +- } else { +- len = len / 2; +- src16 = (__le16 *)srcaddr; +- while (len) { +- iowrite16(le16_to_cpu(*src16), address); +- address += 2; +- src16++; +- len--; +- } +- } +- } else { +- len = len / 4; +- src32 = (__le32 *)srcaddr; +- while (len) { +- iowrite32(le32_to_cpu(*src32), address); +- address += 4; +- src32++; +- len--; +- } +- } +-} +- +- +-static void + brcmf_pcie_copy_dev_tomem(struct brcmf_pciedev_info *devinfo, u32 mem_offset, + void *dstaddr, u32 len) + { +@@ -1503,8 +1463,8 @@ static int brcmf_pcie_download_fw_nvram( + return err; + + brcmf_dbg(PCIE, "Download FW %s\n", devinfo->fw_name); +- brcmf_pcie_copy_mem_todev(devinfo, devinfo->ci->rambase, +- (void *)fw->data, fw->size); ++ memcpy_toio(devinfo->tcm + devinfo->ci->rambase, ++ (void *)fw->data, fw->size); + + resetintr = get_unaligned_le32(fw->data); + release_firmware(fw); +@@ -1518,7 +1478,7 @@ static int brcmf_pcie_download_fw_nvram( + brcmf_dbg(PCIE, "Download NVRAM %s\n", devinfo->nvram_name); + address = devinfo->ci->rambase + devinfo->ci->ramsize - + nvram_len; +- brcmf_pcie_copy_mem_todev(devinfo, address, nvram, nvram_len); ++ memcpy_toio(devinfo->tcm + address, nvram, nvram_len); + brcmf_fw_nvram_free(nvram); + } else { + brcmf_dbg(PCIE, "No matching NVRAM file found %s\n", diff --git a/queue-4.19/carl9170-fix-missing-bit-wise-or-operator-for-tx_params.patch b/queue-4.19/carl9170-fix-missing-bit-wise-or-operator-for-tx_params.patch new file mode 100644 index 00000000000..6cbbb74330c --- /dev/null +++ b/queue-4.19/carl9170-fix-missing-bit-wise-or-operator-for-tx_params.patch @@ -0,0 +1,39 @@ +From 02a95374b5eebdbd3b6413fd7ddec151d2ea75a1 Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Tue, 25 Jan 2022 00:44:06 +0000 +Subject: carl9170: fix missing bit-wise or operator for tx_params + +From: Colin Ian King + +commit 02a95374b5eebdbd3b6413fd7ddec151d2ea75a1 upstream. + +Currently tx_params is being re-assigned with a new value and the +previous setting IEEE80211_HT_MCS_TX_RX_DIFF is being overwritten. +The assignment operator is incorrect, the original intent was to +bit-wise or the value in. Fix this by replacing the = operator +with |= instead. + +Kudos to Christian Lamparter for suggesting the correct fix. + +Fixes: fe8ee9ad80b2 ("carl9170: mac80211 glue and command interface") +Signed-off-by: Colin Ian King +Cc: +Acked-by: Christian Lamparter +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220125004406.344422-1-colin.i.king@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/carl9170/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath/carl9170/main.c ++++ b/drivers/net/wireless/ath/carl9170/main.c +@@ -1922,7 +1922,7 @@ static int carl9170_parse_eeprom(struct + WARN_ON(!(tx_streams >= 1 && tx_streams <= + IEEE80211_HT_MCS_TX_MAX_STREAMS)); + +- tx_params = (tx_streams - 1) << ++ tx_params |= (tx_streams - 1) << + IEEE80211_HT_MCS_TX_MAX_STREAMS_SHIFT; + + carl9170_band_2GHz.ht_cap.mcs.tx_params |= tx_params; diff --git a/queue-4.19/dec-limit-pmax-memory-probing-to-r3k-systems.patch b/queue-4.19/dec-limit-pmax-memory-probing-to-r3k-systems.patch new file mode 100644 index 00000000000..3d8b80a4e76 --- /dev/null +++ b/queue-4.19/dec-limit-pmax-memory-probing-to-r3k-systems.patch @@ -0,0 +1,70 @@ +From 244eae91a94c6dab82b3232967d10eeb9dfa21c6 Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" +Date: Fri, 4 Mar 2022 20:16:23 +0000 +Subject: DEC: Limit PMAX memory probing to R3k systems + +From: Maciej W. Rozycki + +commit 244eae91a94c6dab82b3232967d10eeb9dfa21c6 upstream. + +Recent tightening of the opcode table in binutils so as to consistently +disallow the assembly or disassembly of CP0 instructions not supported +by the processor architecture chosen has caused a regression like below: + +arch/mips/dec/prom/locore.S: Assembler messages: +arch/mips/dec/prom/locore.S:29: Error: opcode not supported on this processor: r4600 (mips3) `rfe' + +in a piece of code used to probe for memory with PMAX DECstation models, +which have non-REX firmware. Those computers always have an R2000 CPU +and consequently the exception handler used in memory probing uses the +RFE instruction, which those processors use. + +While adding 64-bit support this code was correctly excluded for 64-bit +configurations, however it should have also been excluded for irrelevant +32-bit configurations. Do this now then, and only enable PMAX memory +probing for R3k systems. + +Reported-by: Jan-Benedict Glaw +Reported-by: Sudip Mukherjee +Signed-off-by: Maciej W. Rozycki +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org # v2.6.12+ +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/dec/prom/Makefile | 2 +- + arch/mips/include/asm/dec/prom.h | 15 +++++---------- + 2 files changed, 6 insertions(+), 11 deletions(-) + +--- a/arch/mips/dec/prom/Makefile ++++ b/arch/mips/dec/prom/Makefile +@@ -5,4 +5,4 @@ + + lib-y += init.o memory.o cmdline.o identify.o console.o + +-lib-$(CONFIG_32BIT) += locore.o ++lib-$(CONFIG_CPU_R3000) += locore.o +--- a/arch/mips/include/asm/dec/prom.h ++++ b/arch/mips/include/asm/dec/prom.h +@@ -47,16 +47,11 @@ + */ + #define REX_PROM_MAGIC 0x30464354 + +-#ifdef CONFIG_64BIT +- +-#define prom_is_rex(magic) 1 /* KN04 and KN05 are REX PROMs. */ +- +-#else /* !CONFIG_64BIT */ +- +-#define prom_is_rex(magic) ((magic) == REX_PROM_MAGIC) +- +-#endif /* !CONFIG_64BIT */ +- ++/* KN04 and KN05 are REX PROMs, so only do the check for R3k systems. */ ++static inline bool prom_is_rex(u32 magic) ++{ ++ return !IS_ENABLED(CONFIG_CPU_R3000) || magic == REX_PROM_MAGIC; ++} + + /* + * 3MIN/MAXINE PROM entry points for DS5000/1xx's, DS5000/xx's and diff --git a/queue-4.19/drbd-fix-potential-silent-data-corruption.patch b/queue-4.19/drbd-fix-potential-silent-data-corruption.patch new file mode 100644 index 00000000000..20299e6c70f --- /dev/null +++ b/queue-4.19/drbd-fix-potential-silent-data-corruption.patch @@ -0,0 +1,67 @@ +From f4329d1f848ac35757d9cc5487669d19dfc5979c Mon Sep 17 00:00:00 2001 +From: Lars Ellenberg +Date: Wed, 30 Mar 2022 20:55:51 +0200 +Subject: drbd: fix potential silent data corruption +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lars Ellenberg + +commit f4329d1f848ac35757d9cc5487669d19dfc5979c upstream. + +Scenario: +--------- + +bio chain generated by blk_queue_split(). +Some split bio fails and propagates its error status to the "parent" bio. +But then the (last part of the) parent bio itself completes without error. + +We would clobber the already recorded error status with BLK_STS_OK, +causing silent data corruption. + +Reproducer: +----------- + +How to trigger this in the real world within seconds: + +DRBD on top of degraded parity raid, +small stripe_cache_size, large read_ahead setting. +Drop page cache (sysctl vm.drop_caches=1, fadvise "DONTNEED", +umount and mount again, "reboot"). + +Cause significant read ahead. + +Large read ahead request is split by blk_queue_split(). +Parts of the read ahead that are already in the stripe cache, +or find an available stripe cache to use, can be serviced. +Parts of the read ahead that would need "too much work", +would need to wait for a "stripe_head" to become available, +are rejected immediately. + +For larger read ahead requests that are split in many pieces, it is very +likely that some "splits" will be serviced, but then the stripe cache is +exhausted/busy, and the remaining ones will be rejected. + +Signed-off-by: Lars Ellenberg +Signed-off-by: Christoph Böhmwalder +Cc: # 4.13.x +Link: https://lore.kernel.org/r/20220330185551.3553196-1-christoph.boehmwalder@linbit.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/drbd/drbd_req.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/block/drbd/drbd_req.c ++++ b/drivers/block/drbd/drbd_req.c +@@ -207,7 +207,8 @@ void start_new_tl_epoch(struct drbd_conn + void complete_master_bio(struct drbd_device *device, + struct bio_and_error *m) + { +- m->bio->bi_status = errno_to_blk_status(m->error); ++ if (unlikely(m->error)) ++ m->bio->bi_status = errno_to_blk_status(m->error); + bio_endio(m->bio); + dec_ap_bio(device); + } diff --git a/queue-4.19/drivers-hamradio-6pack-fix-uaf-bug-caused-by-mod_timer.patch b/queue-4.19/drivers-hamradio-6pack-fix-uaf-bug-caused-by-mod_timer.patch new file mode 100644 index 00000000000..13a4be01bc0 --- /dev/null +++ b/queue-4.19/drivers-hamradio-6pack-fix-uaf-bug-caused-by-mod_timer.patch @@ -0,0 +1,87 @@ +From efe4186e6a1b54bf38b9e05450d43b0da1fd7739 Mon Sep 17 00:00:00 2001 +From: Duoming Zhou +Date: Thu, 17 Feb 2022 09:43:03 +0800 +Subject: drivers: hamradio: 6pack: fix UAF bug caused by mod_timer() + +From: Duoming Zhou + +commit efe4186e6a1b54bf38b9e05450d43b0da1fd7739 upstream. + +When a 6pack device is detaching, the sixpack_close() will act to cleanup +necessary resources. Although del_timer_sync() in sixpack_close() +won't return if there is an active timer, one could use mod_timer() in +sp_xmit_on_air() to wake up timer again by calling userspace syscall such +as ax25_sendmsg(), ax25_connect() and ax25_ioctl(). + +This unexpected waked handler, sp_xmit_on_air(), realizes nothing about +the undergoing cleanup and may still call pty_write() to use driver layer +resources that have already been released. + +One of the possible race conditions is shown below: + + (USE) | (FREE) +ax25_sendmsg() | + ax25_queue_xmit() | + ... | + sp_xmit() | + sp_encaps() | sixpack_close() + sp_xmit_on_air() | del_timer_sync(&sp->tx_t) + mod_timer(&sp->tx_t,...) | ... + | unregister_netdev() + | ... + (wait a while) | tty_release() + | tty_release_struct() + | release_tty() + sp_xmit_on_air() | tty_kref_put(tty_struct) //FREE + pty_write(tty_struct) //USE | ... + +The corresponding fail log is shown below: +=============================================================== +BUG: KASAN: use-after-free in __run_timers.part.0+0x170/0x470 +Write of size 8 at addr ffff88800a652ab8 by task swapper/2/0 +... +Call Trace: + ... + queue_work_on+0x3f/0x50 + pty_write+0xcd/0xe0pty_write+0xcd/0xe0 + sp_xmit_on_air+0xb2/0x1f0 + call_timer_fn+0x28/0x150 + __run_timers.part.0+0x3c2/0x470 + run_timer_softirq+0x3b/0x80 + __do_softirq+0xf1/0x380 + ... + +This patch reorders the del_timer_sync() after the unregister_netdev() +to avoid UAF bugs. Because the unregister_netdev() is well synchronized, +it flushs out any pending queues, waits the refcount of net_device +decreases to zero and removes net_device from kernel. There is not any +running routines after executing unregister_netdev(). Therefore, we could +not arouse timer from userspace again. + +Signed-off-by: Duoming Zhou +Reviewed-by: Lin Ma +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/hamradio/6pack.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/hamradio/6pack.c ++++ b/drivers/net/hamradio/6pack.c +@@ -674,14 +674,14 @@ static void sixpack_close(struct tty_str + */ + netif_stop_queue(sp->dev); + ++ unregister_netdev(sp->dev); ++ + del_timer_sync(&sp->tx_t); + del_timer_sync(&sp->resync_t); + + /* Free all 6pack frame buffers. */ + kfree(sp->rbuff); + kfree(sp->xbuff); +- +- unregister_netdev(sp->dev); + } + + /* Perform I/O control on an active 6pack channel. */ diff --git a/queue-4.19/drm-edid-check-basic-audio-support-on-cea-extension-block.patch b/queue-4.19/drm-edid-check-basic-audio-support-on-cea-extension-block.patch new file mode 100644 index 00000000000..29ced0b47b6 --- /dev/null +++ b/queue-4.19/drm-edid-check-basic-audio-support-on-cea-extension-block.patch @@ -0,0 +1,42 @@ +From 5662abf6e21338be6d085d6375d3732ac6147fd2 Mon Sep 17 00:00:00 2001 +From: Cooper Chiou +Date: Thu, 24 Mar 2022 14:12:18 +0800 +Subject: drm/edid: check basic audio support on CEA extension block + +From: Cooper Chiou + +commit 5662abf6e21338be6d085d6375d3732ac6147fd2 upstream. + +Tag code stored in bit7:5 for CTA block byte[3] is not the same as +CEA extension block definition. Only check CEA block has +basic audio support. + +v3: update commit message. + +Cc: stable@vger.kernel.org +Cc: Jani Nikula +Cc: Shawn C Lee +Cc: intel-gfx +Signed-off-by: Cooper Chiou +Signed-off-by: Lee Shawn C +Fixes: e28ad544f462 ("drm/edid: parse CEA blocks embedded in DisplayID") +Reviewed-by: Jani Nikula +Signed-off-by: Jani Nikula +Link: https://patchwork.freedesktop.org/patch/msgid/20220324061218.32739-1-shawn.c.lee@intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_edid.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/drm_edid.c ++++ b/drivers/gpu/drm/drm_edid.c +@@ -4323,7 +4323,8 @@ bool drm_detect_monitor_audio(struct edi + if (!edid_ext) + goto end; + +- has_audio = ((edid_ext[3] & EDID_BASIC_AUDIO) != 0); ++ has_audio = (edid_ext[0] == CEA_EXT && ++ (edid_ext[3] & EDID_BASIC_AUDIO) != 0); + + if (has_audio) { + DRM_DEBUG_KMS("Monitor has basic audio support\n"); diff --git a/queue-4.19/lib-raid6-test-fix-multiple-definition-linking-error.patch b/queue-4.19/lib-raid6-test-fix-multiple-definition-linking-error.patch new file mode 100644 index 00000000000..f7ed9c60cef --- /dev/null +++ b/queue-4.19/lib-raid6-test-fix-multiple-definition-linking-error.patch @@ -0,0 +1,41 @@ +From a5359ddd052860bacf957e65fe819c63e974b3a6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Dirk=20M=C3=BCller?= +Date: Tue, 8 Feb 2022 17:50:50 +0100 +Subject: lib/raid6/test: fix multiple definition linking error +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dirk Müller + +commit a5359ddd052860bacf957e65fe819c63e974b3a6 upstream. + +GCC 10+ defaults to -fno-common, which enforces proper declaration of +external references using "extern". without this change a link would +fail with: + + lib/raid6/test/algos.c:28: multiple definition of `raid6_call'; + lib/raid6/test/test.c:22: first defined here + +the pq.h header that is included already includes an extern declaration +so we can just remove the redundant one here. + +Cc: +Signed-off-by: Dirk Müller +Reviewed-by: Paul Menzel +Signed-off-by: Song Liu +Signed-off-by: Greg Kroah-Hartman +--- + lib/raid6/test/test.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/lib/raid6/test/test.c ++++ b/lib/raid6/test/test.c +@@ -22,7 +22,6 @@ + #define NDISKS 16 /* Including P and Q */ + + const char raid6_empty_zero_page[PAGE_SIZE] __attribute__((aligned(PAGE_SIZE))); +-struct raid6_calls raid6_call; + + char *dataptrs[NDISKS]; + char data[NDISKS][PAGE_SIZE] __attribute__((aligned(PAGE_SIZE))); diff --git a/queue-4.19/media-davinci-vpif-fix-unbalanced-runtime-pm-get.patch b/queue-4.19/media-davinci-vpif-fix-unbalanced-runtime-pm-get.patch new file mode 100644 index 00000000000..4e2e5fba8cb --- /dev/null +++ b/queue-4.19/media-davinci-vpif-fix-unbalanced-runtime-pm-get.patch @@ -0,0 +1,33 @@ +From 4a321de239213300a714fa0353a5f1272d381a44 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 22 Dec 2021 15:20:22 +0100 +Subject: media: davinci: vpif: fix unbalanced runtime PM get + +From: Johan Hovold + +commit 4a321de239213300a714fa0353a5f1272d381a44 upstream. + +Make sure to balance the runtime PM usage counter on driver unbind. + +Fixes: 407ccc65bfd2 ("[media] davinci: vpif: add pm_runtime support") +Cc: stable@vger.kernel.org # 3.9 +Cc: Lad, Prabhakar +Signed-off-by: Johan Hovold +Reviewed-by: Lad Prabhakar +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/davinci/vpif.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/media/platform/davinci/vpif.c ++++ b/drivers/media/platform/davinci/vpif.c +@@ -496,6 +496,7 @@ static int vpif_probe(struct platform_de + + static int vpif_remove(struct platform_device *pdev) + { ++ pm_runtime_put(&pdev->dev); + pm_runtime_disable(&pdev->dev); + return 0; + } diff --git a/queue-4.19/mm-hwpoison-unmap-poisoned-page-before-invalidation.patch b/queue-4.19/mm-hwpoison-unmap-poisoned-page-before-invalidation.patch new file mode 100644 index 00000000000..78400021507 --- /dev/null +++ b/queue-4.19/mm-hwpoison-unmap-poisoned-page-before-invalidation.patch @@ -0,0 +1,67 @@ +From 3149c79f3cb0e2e3bafb7cfadacec090cbd250d3 Mon Sep 17 00:00:00 2001 +From: Rik van Riel +Date: Fri, 1 Apr 2022 11:28:42 -0700 +Subject: mm,hwpoison: unmap poisoned page before invalidation + +From: Rik van Riel + +commit 3149c79f3cb0e2e3bafb7cfadacec090cbd250d3 upstream. + +In some cases it appears the invalidation of a hwpoisoned page fails +because the page is still mapped in another process. This can cause a +program to be continuously restarted and die when it page faults on the +page that was not invalidated. Avoid that problem by unmapping the +hwpoisoned page when we find it. + +Another issue is that sometimes we end up oopsing in finish_fault, if +the code tries to do something with the now-NULL vmf->page. I did not +hit this error when submitting the previous patch because there are +several opportunities for alloc_set_pte to bail out before accessing +vmf->page, and that apparently happened on those systems, and most of +the time on other systems, too. + +However, across several million systems that error does occur a handful +of times a day. It can be avoided by returning VM_FAULT_NOPAGE which +will cause do_read_fault to return before calling finish_fault. + +Link: https://lkml.kernel.org/r/20220325161428.5068d97e@imladris.surriel.com +Fixes: e53ac7374e64 ("mm: invalidate hwpoison page cache page in fault path") +Signed-off-by: Rik van Riel +Reviewed-by: Miaohe Lin +Tested-by: Naoya Horiguchi +Reviewed-by: Oscar Salvador +Cc: Mel Gorman +Cc: Johannes Weiner +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + mm/memory.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -3416,14 +3416,18 @@ static vm_fault_t __do_fault(struct vm_f + return ret; + + if (unlikely(PageHWPoison(vmf->page))) { ++ struct page *page = vmf->page; + vm_fault_t poisonret = VM_FAULT_HWPOISON; + if (ret & VM_FAULT_LOCKED) { ++ if (page_mapped(page)) ++ unmap_mapping_pages(page_mapping(page), ++ page->index, 1, false); + /* Retry if a clean page was removed from the cache. */ +- if (invalidate_inode_page(vmf->page)) +- poisonret = 0; +- unlock_page(vmf->page); ++ if (invalidate_inode_page(page)) ++ poisonret = VM_FAULT_NOPAGE; ++ unlock_page(page); + } +- put_page(vmf->page); ++ put_page(page); + vmf->page = NULL; + return poisonret; + } diff --git a/queue-4.19/pci-pciehp-clear-cmd_busy-bit-in-polling-mode.patch b/queue-4.19/pci-pciehp-clear-cmd_busy-bit-in-polling-mode.patch new file mode 100644 index 00000000000..4a83a88e8b7 --- /dev/null +++ b/queue-4.19/pci-pciehp-clear-cmd_busy-bit-in-polling-mode.patch @@ -0,0 +1,53 @@ +From 92912b175178c7e895f5e5e9f1e30ac30319162b Mon Sep 17 00:00:00 2001 +From: Liguang Zhang +Date: Thu, 11 Nov 2021 13:42:58 +0800 +Subject: PCI: pciehp: Clear cmd_busy bit in polling mode + +From: Liguang Zhang + +commit 92912b175178c7e895f5e5e9f1e30ac30319162b upstream. + +Writes to a Downstream Port's Slot Control register are PCIe hotplug +"commands." If the Port supports Command Completed events, software must +wait for a command to complete before writing to Slot Control again. + +pcie_do_write_cmd() sets ctrl->cmd_busy when it writes to Slot Control. If +software notification is enabled, i.e., PCI_EXP_SLTCTL_HPIE and +PCI_EXP_SLTCTL_CCIE are set, ctrl->cmd_busy is cleared by pciehp_isr(). + +But when software notification is disabled, as it is when pcie_init() +powers off an empty slot, pcie_wait_cmd() uses pcie_poll_cmd() to poll for +command completion, and it neglects to clear ctrl->cmd_busy, which leads to +spurious timeouts: + + pcieport 0000:00:03.0: pciehp: Timeout on hotplug command 0x01c0 (issued 2264 msec ago) + pcieport 0000:00:03.0: pciehp: Timeout on hotplug command 0x05c0 (issued 2288 msec ago) + +Clear ctrl->cmd_busy in pcie_poll_cmd() when it detects a Command Completed +event (PCI_EXP_SLTSTA_CC). + +[bhelgaas: commit log] +Fixes: a5dd4b4b0570 ("PCI: pciehp: Wait for hotplug command completion where necessary") +Link: https://lore.kernel.org/r/20211111054258.7309-1-zhangliguang@linux.alibaba.com +Link: https://bugzilla.kernel.org/show_bug.cgi?id=215143 +Link: https://lore.kernel.org/r/20211126173309.GA12255@wunner.de +Signed-off-by: Liguang Zhang +Signed-off-by: Bjorn Helgaas +Reviewed-by: Lukas Wunner +Cc: stable@vger.kernel.org # v4.19+ +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/hotplug/pciehp_hpc.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/pci/hotplug/pciehp_hpc.c ++++ b/drivers/pci/hotplug/pciehp_hpc.c +@@ -80,6 +80,8 @@ static int pcie_poll_cmd(struct controll + if (slot_status & PCI_EXP_SLTSTA_CC) { + pcie_capability_write_word(pdev, PCI_EXP_SLTSTA, + PCI_EXP_SLTSTA_CC); ++ ctrl->cmd_busy = 0; ++ smp_mb(); + return 1; + } + if (timeout < 0) diff --git a/queue-4.19/powerpc-kvm-fix-kvm_use_magic_page.patch b/queue-4.19/powerpc-kvm-fix-kvm_use_magic_page.patch new file mode 100644 index 00000000000..db4412fa9de --- /dev/null +++ b/queue-4.19/powerpc-kvm-fix-kvm_use_magic_page.patch @@ -0,0 +1,33 @@ +From 0c8eb2884a42d992c7726539328b7d3568f22143 Mon Sep 17 00:00:00 2001 +From: Andreas Gruenbacher +Date: Mon, 2 Aug 2021 13:46:19 +0200 +Subject: powerpc/kvm: Fix kvm_use_magic_page + +From: Andreas Gruenbacher + +commit 0c8eb2884a42d992c7726539328b7d3568f22143 upstream. + +When switching from __get_user to fault_in_pages_readable, commit +9f9eae5ce717 broke kvm_use_magic_page: like __get_user, +fault_in_pages_readable returns 0 on success. + +Fixes: 9f9eae5ce717 ("powerpc/kvm: Prefer fault_in_pages_readable function") +Cc: stable@vger.kernel.org # v4.18+ +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Anand Jain +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/kvm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/kernel/kvm.c ++++ b/arch/powerpc/kernel/kvm.c +@@ -680,7 +680,7 @@ static void kvm_use_magic_page(void) + on_each_cpu(kvm_map_magic_page, &features, 1); + + /* Quick self-test to see if the mapping works */ +- if (!fault_in_pages_readable((const char *)KVM_MAGIC_PAGE, sizeof(u32))) { ++ if (fault_in_pages_readable((const char *)KVM_MAGIC_PAGE, sizeof(u32))) { + kvm_patching_worked = false; + return; + } diff --git a/queue-4.19/series b/queue-4.19/series index ef25bef7e8f..80fe0fde95a 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -42,3 +42,24 @@ qed-validate-and-restrict-untrusted-vfs-vlan-promisc-mode.patch revert-input-clear-btn_right-middle-on-buttonpads.patch alsa-cs4236-fix-an-incorrect-null-check-on-list-iterator.patch alsa-hda-realtek-fix-audio-regression-on-mi-notebook-pro-2020.patch +mm-hwpoison-unmap-poisoned-page-before-invalidation.patch +drbd-fix-potential-silent-data-corruption.patch +powerpc-kvm-fix-kvm_use_magic_page.patch +acpi-properties-consistently-return-enoent-if-there-are-no-more-references.patch +drivers-hamradio-6pack-fix-uaf-bug-caused-by-mod_timer.patch +block-don-t-merge-across-cgroup-boundaries-if-blkcg-is-enabled.patch +drm-edid-check-basic-audio-support-on-cea-extension-block.patch +video-fbdev-sm712fb-fix-crash-in-smtcfb_read.patch +video-fbdev-atari-atari-2-bpp-ste-palette-bugfix.patch +arm-dts-at91-sama5d2-fix-pmerrloc-resource-size.patch +arm-dts-exynos-fix-uart3-pins-configuration-in-exynos5250.patch +arm-dts-exynos-add-missing-hdmi-supplies-on-smdk5250.patch +arm-dts-exynos-add-missing-hdmi-supplies-on-smdk5420.patch +carl9170-fix-missing-bit-wise-or-operator-for-tx_params.patch +thermal-int340x-increase-bitmap-size.patch +lib-raid6-test-fix-multiple-definition-linking-error.patch +dec-limit-pmax-memory-probing-to-r3k-systems.patch +media-davinci-vpif-fix-unbalanced-runtime-pm-get.patch +brcmfmac-firmware-allocate-space-for-default-boardrev-in-nvram.patch +brcmfmac-pcie-replace-brcmf_pcie_copy_mem_todev-with-memcpy_toio.patch +pci-pciehp-clear-cmd_busy-bit-in-polling-mode.patch diff --git a/queue-4.19/thermal-int340x-increase-bitmap-size.patch b/queue-4.19/thermal-int340x-increase-bitmap-size.patch new file mode 100644 index 00000000000..551024a6f9c --- /dev/null +++ b/queue-4.19/thermal-int340x-increase-bitmap-size.patch @@ -0,0 +1,35 @@ +From 668f69a5f863b877bc3ae129efe9a80b6f055141 Mon Sep 17 00:00:00 2001 +From: Srinivas Pandruvada +Date: Mon, 14 Mar 2022 15:08:55 -0700 +Subject: thermal: int340x: Increase bitmap size + +From: Srinivas Pandruvada + +commit 668f69a5f863b877bc3ae129efe9a80b6f055141 upstream. + +The number of policies are 10, so can't be supported by the bitmap size +of u8. + +Even though there are no platfoms with these many policies, but +for correctness increase to u32. + +Signed-off-by: Srinivas Pandruvada +Fixes: 16fc8eca1975 ("thermal/int340x_thermal: Add additional UUIDs") +Cc: 5.1+ # 5.1+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/int340x_thermal/int3400_thermal.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/thermal/int340x_thermal/int3400_thermal.c ++++ b/drivers/thermal/int340x_thermal/int3400_thermal.c +@@ -53,7 +53,7 @@ struct int3400_thermal_priv { + struct art *arts; + int trt_count; + struct trt *trts; +- u8 uuid_bitmap; ++ u32 uuid_bitmap; + int rel_misc_dev_res; + int current_uuid_index; + }; diff --git a/queue-4.19/video-fbdev-atari-atari-2-bpp-ste-palette-bugfix.patch b/queue-4.19/video-fbdev-atari-atari-2-bpp-ste-palette-bugfix.patch new file mode 100644 index 00000000000..4cc700734a2 --- /dev/null +++ b/queue-4.19/video-fbdev-atari-atari-2-bpp-ste-palette-bugfix.patch @@ -0,0 +1,62 @@ +From c8be5edbd36ceed2ff3d6b8f8e40643c3f396ea3 Mon Sep 17 00:00:00 2001 +From: Michael Schmitz +Date: Wed, 16 Feb 2022 20:26:25 +1300 +Subject: video: fbdev: atari: Atari 2 bpp (STe) palette bugfix + +From: Michael Schmitz + +commit c8be5edbd36ceed2ff3d6b8f8e40643c3f396ea3 upstream. + +The code to set the shifter STe palette registers has a long +standing operator precedence bug, manifesting as colors set +on a 2 bits per pixel frame buffer coming up with a distinctive +blue tint. + +Add parentheses around the calculation of the per-color palette +data before shifting those into their respective bit field position. + +This bug goes back a long way (2.4 days at the very least) so there +won't be a Fixes: tag. + +Tested on ARAnyM as well on Falcon030 hardware. + +Cc: stable@vger.kernel.org +Reported-by: Geert Uytterhoeven +Link: https://lore.kernel.org/all/CAMuHMdU3ievhXxKR_xi_v3aumnYW7UNUO6qMdhgfyWTyVSsCkQ@mail.gmail.com +Tested-by: Michael Schmitz +Tested-by: Geert Uytterhoeven +Signed-off-by: Michael Schmitz +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/atafb.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/video/fbdev/atafb.c ++++ b/drivers/video/fbdev/atafb.c +@@ -1713,9 +1713,9 @@ static int falcon_setcolreg(unsigned int + ((blue & 0xfc00) >> 8)); + if (regno < 16) { + shifter_tt.color_reg[regno] = +- (((red & 0xe000) >> 13) | ((red & 0x1000) >> 12) << 8) | +- (((green & 0xe000) >> 13) | ((green & 0x1000) >> 12) << 4) | +- ((blue & 0xe000) >> 13) | ((blue & 0x1000) >> 12); ++ ((((red & 0xe000) >> 13) | ((red & 0x1000) >> 12)) << 8) | ++ ((((green & 0xe000) >> 13) | ((green & 0x1000) >> 12)) << 4) | ++ ((blue & 0xe000) >> 13) | ((blue & 0x1000) >> 12); + ((u32 *)info->pseudo_palette)[regno] = ((red & 0xf800) | + ((green & 0xfc00) >> 5) | + ((blue & 0xf800) >> 11)); +@@ -2001,9 +2001,9 @@ static int stste_setcolreg(unsigned int + green >>= 12; + if (ATARIHW_PRESENT(EXTD_SHIFTER)) + shifter_tt.color_reg[regno] = +- (((red & 0xe) >> 1) | ((red & 1) << 3) << 8) | +- (((green & 0xe) >> 1) | ((green & 1) << 3) << 4) | +- ((blue & 0xe) >> 1) | ((blue & 1) << 3); ++ ((((red & 0xe) >> 1) | ((red & 1) << 3)) << 8) | ++ ((((green & 0xe) >> 1) | ((green & 1) << 3)) << 4) | ++ ((blue & 0xe) >> 1) | ((blue & 1) << 3); + else + shifter_tt.color_reg[regno] = + ((red & 0xe) << 7) | diff --git a/queue-4.19/video-fbdev-sm712fb-fix-crash-in-smtcfb_read.patch b/queue-4.19/video-fbdev-sm712fb-fix-crash-in-smtcfb_read.patch new file mode 100644 index 00000000000..18f7e526ad6 --- /dev/null +++ b/queue-4.19/video-fbdev-sm712fb-fix-crash-in-smtcfb_read.patch @@ -0,0 +1,76 @@ +From bd771cf5c4254511cc4abb88f3dab3bd58bdf8e8 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Sun, 27 Feb 2022 08:43:56 +0100 +Subject: video: fbdev: sm712fb: Fix crash in smtcfb_read() + +From: Helge Deller + +commit bd771cf5c4254511cc4abb88f3dab3bd58bdf8e8 upstream. + +Zheyu Ma reported this crash in the sm712fb driver when reading +three bytes from the framebuffer: + + BUG: unable to handle page fault for address: ffffc90001ffffff + RIP: 0010:smtcfb_read+0x230/0x3e0 + Call Trace: + vfs_read+0x198/0xa00 + ? do_sys_openat2+0x27d/0x350 + ? __fget_light+0x54/0x340 + ksys_read+0xce/0x190 + do_syscall_64+0x43/0x90 + +Fix it by removing the open-coded endianess fixup-code and +by moving the pointer post decrement out the fb_readl() function. + +Reported-by: Zheyu Ma +Signed-off-by: Helge Deller +Tested-by: Zheyu Ma +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/sm712fb.c | 25 +++++++------------------ + 1 file changed, 7 insertions(+), 18 deletions(-) + +--- a/drivers/video/fbdev/sm712fb.c ++++ b/drivers/video/fbdev/sm712fb.c +@@ -1047,7 +1047,7 @@ static ssize_t smtcfb_read(struct fb_inf + if (count + p > total_size) + count = total_size - p; + +- buffer = kmalloc((count > PAGE_SIZE) ? PAGE_SIZE : count, GFP_KERNEL); ++ buffer = kmalloc(PAGE_SIZE, GFP_KERNEL); + if (!buffer) + return -ENOMEM; + +@@ -1059,25 +1059,14 @@ static ssize_t smtcfb_read(struct fb_inf + while (count) { + c = (count > PAGE_SIZE) ? PAGE_SIZE : count; + dst = buffer; +- for (i = c >> 2; i--;) { +- *dst = fb_readl(src++); +- *dst = big_swap(*dst); ++ for (i = (c + 3) >> 2; i--;) { ++ u32 val; ++ ++ val = fb_readl(src); ++ *dst = big_swap(val); ++ src++; + dst++; + } +- if (c & 3) { +- u8 *dst8 = (u8 *)dst; +- u8 __iomem *src8 = (u8 __iomem *)src; +- +- for (i = c & 3; i--;) { +- if (i & 1) { +- *dst8++ = fb_readb(++src8); +- } else { +- *dst8++ = fb_readb(--src8); +- src8 += 2; +- } +- } +- src = (u32 __iomem *)src8; +- } + + if (copy_to_user(buf, buffer, c)) { + err = -EFAULT;