From: Greg Kroah-Hartman Date: Mon, 1 Mar 2021 12:59:37 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v4.4.259~46 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=43591e1ffd19c942da31831d699eb37398083be9;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: arm64-kexec_file-fix-memory-leakage-in-create_dtb-when-fdt_open_into-fails.patch arm64-uprobe-return-eopnotsupp-for-aarch32-instruction-probing.patch floppy-reintroduce-o_ndelay-fix.patch fs-affs-release-old-buffer-head-on-error-path.patch hugetlb-fix-copy_huge_page_from_user-contig-page-struct-assumption.patch hugetlb-fix-update_and_free_page-contig-page-struct-assumption.patch mtd-spi-nor-core-add-erase-size-check-for-erase-command-initialization.patch mtd-spi-nor-core-fix-erase-type-discovery-for-overlaid-region.patch mtd-spi-nor-hisi-sfc-put-child-node-np-on-error-path.patch mtd-spi-nor-sfdp-fix-last-erase-region-marking.patch mtd-spi-nor-sfdp-fix-wrong-erase-type-bitmask-for-overlaid-region.patch seq_file-document-how-per-entry-resources-are-managed.patch watchdog-mei_wdt-request-stop-on-unregister.patch watchdog-qcom-remove-incorrect-usage-of-qcom_wdt_enable_irq.patch x86-fix-seq_file-iteration-for-pat-memtype.c.patch --- diff --git a/queue-5.4/arm64-kexec_file-fix-memory-leakage-in-create_dtb-when-fdt_open_into-fails.patch b/queue-5.4/arm64-kexec_file-fix-memory-leakage-in-create_dtb-when-fdt_open_into-fails.patch new file mode 100644 index 00000000000..79be7949a31 --- /dev/null +++ b/queue-5.4/arm64-kexec_file-fix-memory-leakage-in-create_dtb-when-fdt_open_into-fails.patch @@ -0,0 +1,36 @@ +From 656d1d58d8e0958d372db86c24f0b2ea36f50888 Mon Sep 17 00:00:00 2001 +From: qiuguorui1 +Date: Thu, 18 Feb 2021 20:59:00 +0800 +Subject: arm64: kexec_file: fix memory leakage in create_dtb() when fdt_open_into() fails + +From: qiuguorui1 + +commit 656d1d58d8e0958d372db86c24f0b2ea36f50888 upstream. + +in function create_dtb(), if fdt_open_into() fails, we need to vfree +buf before return. + +Fixes: 52b2a8af7436 ("arm64: kexec_file: load initrd and device-tree") +Cc: stable@vger.kernel.org # v5.0 +Signed-off-by: qiuguorui1 +Link: https://lore.kernel.org/r/20210218125900.6810-1-qiuguorui1@huawei.com +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/machine_kexec_file.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/arm64/kernel/machine_kexec_file.c ++++ b/arch/arm64/kernel/machine_kexec_file.c +@@ -150,8 +150,10 @@ static int create_dtb(struct kimage *ima + + /* duplicate a device tree blob */ + ret = fdt_open_into(initial_boot_params, buf, buf_size); +- if (ret) ++ if (ret) { ++ vfree(buf); + return -EINVAL; ++ } + + ret = setup_dtb(image, initrd_load_addr, initrd_len, + cmdline, buf); diff --git a/queue-5.4/arm64-uprobe-return-eopnotsupp-for-aarch32-instruction-probing.patch b/queue-5.4/arm64-uprobe-return-eopnotsupp-for-aarch32-instruction-probing.patch new file mode 100644 index 00000000000..bc270e64b0d --- /dev/null +++ b/queue-5.4/arm64-uprobe-return-eopnotsupp-for-aarch32-instruction-probing.patch @@ -0,0 +1,38 @@ +From d47422d953e258ad587b5edf2274eb95d08bdc7d Mon Sep 17 00:00:00 2001 +From: He Zhe +Date: Tue, 23 Feb 2021 16:25:34 +0800 +Subject: arm64: uprobe: Return EOPNOTSUPP for AARCH32 instruction probing + +From: He Zhe + +commit d47422d953e258ad587b5edf2274eb95d08bdc7d upstream. + +As stated in linux/errno.h, ENOTSUPP should never be seen by user programs. +When we set up uprobe with 32-bit perf and arm64 kernel, we would see the +following vague error without useful hint. + +The sys_perf_event_open() syscall returned with 524 (INTERNAL ERROR: +strerror_r(524, [buf], 128)=22) + +Use EOPNOTSUPP instead to indicate such cases. + +Signed-off-by: He Zhe +Link: https://lore.kernel.org/r/20210223082535.48730-1-zhe.he@windriver.com +Cc: +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/probes/uprobes.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/kernel/probes/uprobes.c ++++ b/arch/arm64/kernel/probes/uprobes.c +@@ -38,7 +38,7 @@ int arch_uprobe_analyze_insn(struct arch + + /* TODO: Currently we do not support AARCH32 instruction probing */ + if (mm->context.flags & MMCF_AARCH32) +- return -ENOTSUPP; ++ return -EOPNOTSUPP; + else if (!IS_ALIGNED(addr, AARCH64_INSN_SIZE)) + return -EINVAL; + diff --git a/queue-5.4/floppy-reintroduce-o_ndelay-fix.patch b/queue-5.4/floppy-reintroduce-o_ndelay-fix.patch new file mode 100644 index 00000000000..5031087ddcf --- /dev/null +++ b/queue-5.4/floppy-reintroduce-o_ndelay-fix.patch @@ -0,0 +1,81 @@ +From 8a0c014cd20516ade9654fc13b51345ec58e7be8 Mon Sep 17 00:00:00 2001 +From: Jiri Kosina +Date: Fri, 22 Jan 2021 12:13:20 +0100 +Subject: floppy: reintroduce O_NDELAY fix + +From: Jiri Kosina + +commit 8a0c014cd20516ade9654fc13b51345ec58e7be8 upstream. + +This issue was originally fixed in 09954bad4 ("floppy: refactor open() +flags handling"). + +The fix as a side-effect, however, introduce issue for open(O_ACCMODE) +that is being used for ioctl-only open. I wrote a fix for that, but +instead of it being merged, full revert of 09954bad4 was performed, +re-introducing the O_NDELAY / O_NONBLOCK issue, and it strikes again. + +This is a forward-port of the original fix to current codebase; the +original submission had the changelog below: + +==== +Commit 09954bad4 ("floppy: refactor open() flags handling"), as a +side-effect, causes open(/dev/fdX, O_ACCMODE) to fail. It turns out that +this is being used setfdprm userspace for ioctl-only open(). + +Reintroduce back the original behavior wrt !(FMODE_READ|FMODE_WRITE) +modes, while still keeping the original O_NDELAY bug fixed. + +Link: https://lore.kernel.org/r/nycvar.YFH.7.76.2101221209060.5622@cbobk.fhfr.pm +Cc: stable@vger.kernel.org +Reported-by: Wim Osterholt +Tested-by: Wim Osterholt +Reported-and-tested-by: Kurt Garloff +Fixes: 09954bad4 ("floppy: refactor open() flags handling") +Fixes: f2791e7ead ("Revert "floppy: refactor open() flags handling"") +Signed-off-by: Jiri Kosina +Signed-off-by: Denis Efremov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/floppy.c | 27 ++++++++++++++------------- + 1 file changed, 14 insertions(+), 13 deletions(-) + +--- a/drivers/block/floppy.c ++++ b/drivers/block/floppy.c +@@ -4063,21 +4063,22 @@ static int floppy_open(struct block_devi + if (UFDCS->rawcmd == 1) + UFDCS->rawcmd = 2; + +- if (!(mode & FMODE_NDELAY)) { +- if (mode & (FMODE_READ|FMODE_WRITE)) { +- UDRS->last_checked = 0; +- clear_bit(FD_OPEN_SHOULD_FAIL_BIT, &UDRS->flags); +- check_disk_change(bdev); +- if (test_bit(FD_DISK_CHANGED_BIT, &UDRS->flags)) +- goto out; +- if (test_bit(FD_OPEN_SHOULD_FAIL_BIT, &UDRS->flags)) +- goto out; +- } +- res = -EROFS; +- if ((mode & FMODE_WRITE) && +- !test_bit(FD_DISK_WRITABLE_BIT, &UDRS->flags)) ++ if (mode & (FMODE_READ|FMODE_WRITE)) { ++ UDRS->last_checked = 0; ++ clear_bit(FD_OPEN_SHOULD_FAIL_BIT, &UDRS->flags); ++ check_disk_change(bdev); ++ if (test_bit(FD_DISK_CHANGED_BIT, &UDRS->flags)) ++ goto out; ++ if (test_bit(FD_OPEN_SHOULD_FAIL_BIT, &UDRS->flags)) + goto out; + } ++ ++ res = -EROFS; ++ ++ if ((mode & FMODE_WRITE) && ++ !test_bit(FD_DISK_WRITABLE_BIT, &UDRS->flags)) ++ goto out; ++ + mutex_unlock(&open_lock); + mutex_unlock(&floppy_mutex); + return 0; diff --git a/queue-5.4/fs-affs-release-old-buffer-head-on-error-path.patch b/queue-5.4/fs-affs-release-old-buffer-head-on-error-path.patch new file mode 100644 index 00000000000..891d03d79c3 --- /dev/null +++ b/queue-5.4/fs-affs-release-old-buffer-head-on-error-path.patch @@ -0,0 +1,35 @@ +From 70779b897395b330ba5a47bed84f94178da599f9 Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Wed, 20 Jan 2021 00:51:13 -0800 +Subject: fs/affs: release old buffer head on error path + +From: Pan Bian + +commit 70779b897395b330ba5a47bed84f94178da599f9 upstream. + +The reference count of the old buffer head should be decremented on path +that fails to get the new buffer head. + +Fixes: 6b4657667ba0 ("fs/affs: add rename exchange") +CC: stable@vger.kernel.org # 4.14+ +Signed-off-by: Pan Bian +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/affs/namei.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/affs/namei.c ++++ b/fs/affs/namei.c +@@ -460,8 +460,10 @@ affs_xrename(struct inode *old_dir, stru + return -EIO; + + bh_new = affs_bread(sb, d_inode(new_dentry)->i_ino); +- if (!bh_new) ++ if (!bh_new) { ++ affs_brelse(bh_old); + return -EIO; ++ } + + /* Remove old header from its parent directory. */ + affs_lock_dir(old_dir); diff --git a/queue-5.4/hugetlb-fix-copy_huge_page_from_user-contig-page-struct-assumption.patch b/queue-5.4/hugetlb-fix-copy_huge_page_from_user-contig-page-struct-assumption.patch new file mode 100644 index 00000000000..e1dc96312ff --- /dev/null +++ b/queue-5.4/hugetlb-fix-copy_huge_page_from_user-contig-page-struct-assumption.patch @@ -0,0 +1,67 @@ +From 3272cfc2525b3a2810a59312d7a1e6f04a0ca3ef Mon Sep 17 00:00:00 2001 +From: Mike Kravetz +Date: Wed, 24 Feb 2021 12:07:54 -0800 +Subject: hugetlb: fix copy_huge_page_from_user contig page struct assumption + +From: Mike Kravetz + +commit 3272cfc2525b3a2810a59312d7a1e6f04a0ca3ef upstream. + +page structs are not guaranteed to be contiguous for gigantic pages. The +routine copy_huge_page_from_user can encounter gigantic pages, yet it +assumes page structs are contiguous when copying pages from user space. + +Since page structs for the target gigantic page are not contiguous, the +data copied from user space could overwrite other pages not associated +with the gigantic page and cause data corruption. + +Non-contiguous page structs are generally not an issue. However, they can +exist with a specific kernel configuration and hotplug operations. For +example: Configure the kernel with CONFIG_SPARSEMEM and +!CONFIG_SPARSEMEM_VMEMMAP. Then, hotplug add memory for the area where +the gigantic page will be allocated. + +Link: https://lkml.kernel.org/r/20210217184926.33567-2-mike.kravetz@oracle.com +Fixes: 8fb5debc5fcd ("userfaultfd: hugetlbfs: add hugetlb_mcopy_atomic_pte for userfaultfd support") +Signed-off-by: Mike Kravetz +Cc: Zi Yan +Cc: Davidlohr Bueso +Cc: "Kirill A . Shutemov" +Cc: Andrea Arcangeli +Cc: Matthew Wilcox +Cc: Oscar Salvador +Cc: Joao Martins +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + mm/memory.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -4718,17 +4718,19 @@ long copy_huge_page_from_user(struct pag + void *page_kaddr; + unsigned long i, rc = 0; + unsigned long ret_val = pages_per_huge_page * PAGE_SIZE; ++ struct page *subpage = dst_page; + +- for (i = 0; i < pages_per_huge_page; i++) { ++ for (i = 0; i < pages_per_huge_page; ++ i++, subpage = mem_map_next(subpage, dst_page, i)) { + if (allow_pagefault) +- page_kaddr = kmap(dst_page + i); ++ page_kaddr = kmap(subpage); + else +- page_kaddr = kmap_atomic(dst_page + i); ++ page_kaddr = kmap_atomic(subpage); + rc = copy_from_user(page_kaddr, + (const void __user *)(src + i * PAGE_SIZE), + PAGE_SIZE); + if (allow_pagefault) +- kunmap(dst_page + i); ++ kunmap(subpage); + else + kunmap_atomic(page_kaddr); + diff --git a/queue-5.4/hugetlb-fix-update_and_free_page-contig-page-struct-assumption.patch b/queue-5.4/hugetlb-fix-update_and_free_page-contig-page-struct-assumption.patch new file mode 100644 index 00000000000..26567dcb8a5 --- /dev/null +++ b/queue-5.4/hugetlb-fix-update_and_free_page-contig-page-struct-assumption.patch @@ -0,0 +1,68 @@ +From dbfee5aee7e54f83d96ceb8e3e80717fac62ad63 Mon Sep 17 00:00:00 2001 +From: Mike Kravetz +Date: Wed, 24 Feb 2021 12:07:50 -0800 +Subject: hugetlb: fix update_and_free_page contig page struct assumption +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mike Kravetz + +commit dbfee5aee7e54f83d96ceb8e3e80717fac62ad63 upstream. + +page structs are not guaranteed to be contiguous for gigantic pages. The +routine update_and_free_page can encounter a gigantic page, yet it assumes +page structs are contiguous when setting page flags in subpages. + +If update_and_free_page encounters non-contiguous page structs, we can see +“BUG: Bad page state in process …” errors. + +Non-contiguous page structs are generally not an issue. However, they can +exist with a specific kernel configuration and hotplug operations. For +example: Configure the kernel with CONFIG_SPARSEMEM and +!CONFIG_SPARSEMEM_VMEMMAP. Then, hotplug add memory for the area where +the gigantic page will be allocated. Zi Yan outlined steps to reproduce +here [1]. + +[1] https://lore.kernel.org/linux-mm/16F7C58B-4D79-41C5-9B64-A1A1628F4AF2@nvidia.com/ + +Link: https://lkml.kernel.org/r/20210217184926.33567-1-mike.kravetz@oracle.com +Fixes: 944d9fec8d7a ("hugetlb: add support for gigantic page allocation at runtime") +Signed-off-by: Zi Yan +Signed-off-by: Mike Kravetz +Cc: Zi Yan +Cc: Davidlohr Bueso +Cc: "Kirill A . Shutemov" +Cc: Andrea Arcangeli +Cc: Matthew Wilcox +Cc: Oscar Salvador +Cc: Joao Martins +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + mm/hugetlb.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -1192,14 +1192,16 @@ static inline void destroy_compound_giga + static void update_and_free_page(struct hstate *h, struct page *page) + { + int i; ++ struct page *subpage = page; + + if (hstate_is_gigantic(h) && !gigantic_page_runtime_supported()) + return; + + h->nr_huge_pages--; + h->nr_huge_pages_node[page_to_nid(page)]--; +- for (i = 0; i < pages_per_huge_page(h); i++) { +- page[i].flags &= ~(1 << PG_locked | 1 << PG_error | ++ for (i = 0; i < pages_per_huge_page(h); ++ i++, subpage = mem_map_next(subpage, page, i)) { ++ subpage->flags &= ~(1 << PG_locked | 1 << PG_error | + 1 << PG_referenced | 1 << PG_dirty | + 1 << PG_active | 1 << PG_private | + 1 << PG_writeback); diff --git a/queue-5.4/mtd-spi-nor-core-add-erase-size-check-for-erase-command-initialization.patch b/queue-5.4/mtd-spi-nor-core-add-erase-size-check-for-erase-command-initialization.patch new file mode 100644 index 00000000000..4479d564797 --- /dev/null +++ b/queue-5.4/mtd-spi-nor-core-add-erase-size-check-for-erase-command-initialization.patch @@ -0,0 +1,35 @@ +From 58fa22f68fcaff20ce4d08a6adffa64f65ccd37d Mon Sep 17 00:00:00 2001 +From: Takahiro Kuwano +Date: Fri, 2 Oct 2020 14:18:02 +0900 +Subject: mtd: spi-nor: core: Add erase size check for erase command initialization + +From: Takahiro Kuwano + +commit 58fa22f68fcaff20ce4d08a6adffa64f65ccd37d upstream. + +Even if erase type is same as previous region, erase size can be different +if the previous region is overlaid region. Since 'region->size' is assigned +to 'cmd->size' for overlaid region, comparing 'erase->size' and 'cmd->size' +can detect previous overlaid region. + +Fixes: 5390a8df769e ("mtd: spi-nor: add support to non-uniform SFDP SPI NOR flash memories") +Cc: stable@vger.kernel.org +Signed-off-by: Takahiro Kuwano +[ta: Add Fixes tag and Cc to stable] +Signed-off-by: Tudor Ambarus +Link: https://lore.kernel.org/r/13d47e8d8991b8a7fd8cc7b9e2a5319c56df35cc.1601612872.git.Takahiro.Kuwano@infineon.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/spi-nor/spi-nor.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/mtd/spi-nor/spi-nor.c ++++ b/drivers/mtd/spi-nor/spi-nor.c +@@ -1153,6 +1153,7 @@ static int spi_nor_init_erase_cmd_list(s + goto destroy_erase_cmd_list; + + if (prev_erase != erase || ++ erase->size != cmd->size || + region->offset & SNOR_OVERLAID_REGION) { + cmd = spi_nor_init_erase_cmd(region, erase); + if (IS_ERR(cmd)) { diff --git a/queue-5.4/mtd-spi-nor-core-fix-erase-type-discovery-for-overlaid-region.patch b/queue-5.4/mtd-spi-nor-core-fix-erase-type-discovery-for-overlaid-region.patch new file mode 100644 index 00000000000..581901ce1fa --- /dev/null +++ b/queue-5.4/mtd-spi-nor-core-fix-erase-type-discovery-for-overlaid-region.patch @@ -0,0 +1,50 @@ +From 969b276718de37dfe66fce3a5633f611e8cd58fd Mon Sep 17 00:00:00 2001 +From: Takahiro Kuwano +Date: Fri, 2 Oct 2020 14:18:01 +0900 +Subject: mtd: spi-nor: core: Fix erase type discovery for overlaid region + +From: Takahiro Kuwano + +commit 969b276718de37dfe66fce3a5633f611e8cd58fd upstream. + +In case of overlaid regions in which their biggest erase size command +overpasses in size the region's size, only the non-overlaid portion of +the sector gets erased. For example, if a Sector Erase command is applied +to a 256-kB range that is overlaid by 4-kB sectors, the overlaid 4-kB +sectors are not affected by the erase. +For overlaid regions, 'region->size' is assigned to 'cmd->size' later in +spi_nor_init_erase_cmd(), so 'erase->size' can be greater than 'len'. + +Fixes: 5390a8df769e ("mtd: spi-nor: add support to non-uniform SFDP SPI NOR flash memories") +Cc: stable@vger.kernel.org +Signed-off-by: Takahiro Kuwano +[ta: Update commit description, add Fixes tag and Cc to stable] +Signed-off-by: Tudor Ambarus +Link: https://lore.kernel.org/r/fa5d8b944a5cca488ac54ba37c95e775ac2deb34.1601612872.git.Takahiro.Kuwano@infineon.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/spi-nor/spi-nor.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/mtd/spi-nor/spi-nor.c ++++ b/drivers/mtd/spi-nor/spi-nor.c +@@ -1011,14 +1011,15 @@ spi_nor_find_best_erase_type(const struc + + erase = &map->erase_type[i]; + ++ /* Alignment is not mandatory for overlaid regions */ ++ if (region->offset & SNOR_OVERLAID_REGION && ++ region->size <= len) ++ return erase; ++ + /* Don't erase more than what the user has asked for. */ + if (erase->size > len) + continue; + +- /* Alignment is not mandatory for overlaid regions */ +- if (region->offset & SNOR_OVERLAID_REGION) +- return erase; +- + spi_nor_div_by_erase_size(erase, addr, &rem); + if (rem) + continue; diff --git a/queue-5.4/mtd-spi-nor-hisi-sfc-put-child-node-np-on-error-path.patch b/queue-5.4/mtd-spi-nor-hisi-sfc-put-child-node-np-on-error-path.patch new file mode 100644 index 00000000000..46807f28d23 --- /dev/null +++ b/queue-5.4/mtd-spi-nor-hisi-sfc-put-child-node-np-on-error-path.patch @@ -0,0 +1,36 @@ +From fe6653460ee7a7dbe0cd5fd322992af862ce5ab0 Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Thu, 21 Jan 2021 01:18:47 -0800 +Subject: mtd: spi-nor: hisi-sfc: Put child node np on error path + +From: Pan Bian + +commit fe6653460ee7a7dbe0cd5fd322992af862ce5ab0 upstream. + +Put the child node np when it fails to get or register device. + +Fixes: e523f11141bd ("mtd: spi-nor: add hisilicon spi-nor flash controller driver") +Cc: stable@vger.kernel.org +Signed-off-by: Pan Bian +[ta: Add Fixes tag and Cc stable] +Signed-off-by: Tudor Ambarus +Link: https://lore.kernel.org/r/20210121091847.85362-1-bianpan2016@163.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/spi-nor/hisi-sfc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/mtd/spi-nor/hisi-sfc.c ++++ b/drivers/mtd/spi-nor/hisi-sfc.c +@@ -396,8 +396,10 @@ static int hisi_spi_nor_register_all(str + + for_each_available_child_of_node(dev->of_node, np) { + ret = hisi_spi_nor_register(np, host); +- if (ret) ++ if (ret) { ++ of_node_put(np); + goto fail; ++ } + + if (host->num_chip == HIFMC_MAX_CHIP_NUM) { + dev_warn(dev, "Flash device number exceeds the maximum chipselect number\n"); diff --git a/queue-5.4/mtd-spi-nor-sfdp-fix-last-erase-region-marking.patch b/queue-5.4/mtd-spi-nor-sfdp-fix-last-erase-region-marking.patch new file mode 100644 index 00000000000..12874607aea --- /dev/null +++ b/queue-5.4/mtd-spi-nor-sfdp-fix-last-erase-region-marking.patch @@ -0,0 +1,42 @@ +From 9166f4af32db74e1544a2149aef231ff24515ea3 Mon Sep 17 00:00:00 2001 +From: Takahiro Kuwano +Date: Fri, 2 Oct 2020 14:18:00 +0900 +Subject: mtd: spi-nor: sfdp: Fix last erase region marking + +From: Takahiro Kuwano + +commit 9166f4af32db74e1544a2149aef231ff24515ea3 upstream. + +The place of spi_nor_region_mark_end() must be moved, because 'i' is +re-used for the index of erase[]. + +Fixes: b038e8e3be72 ("mtd: spi-nor: parse SFDP Sector Map Parameter Table") +Cc: stable@vger.kernel.org +Signed-off-by: Takahiro Kuwano +[ta: Add Fixes tag and Cc to stable] +Signed-off-by: Tudor Ambarus +Link: https://lore.kernel.org/r/02ce8d84b7989ebee33382f6494df53778dd508e.1601612872.git.Takahiro.Kuwano@infineon.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/spi-nor/spi-nor.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/mtd/spi-nor/spi-nor.c ++++ b/drivers/mtd/spi-nor/spi-nor.c +@@ -3770,6 +3770,7 @@ spi_nor_init_non_uniform_erase_map(struc + offset = (region[i].offset & ~SNOR_ERASE_FLAGS_MASK) + + region[i].size; + } ++ spi_nor_region_mark_end(®ion[i - 1]); + + save_uniform_erase_type = map->uniform_erase_type; + map->uniform_erase_type = spi_nor_sort_erase_mask(map, +@@ -3793,8 +3794,6 @@ spi_nor_init_non_uniform_erase_map(struc + if (!(regions_erase_type & BIT(erase[i].idx))) + spi_nor_set_erase_type(&erase[i], 0, 0xFF); + +- spi_nor_region_mark_end(®ion[i - 1]); +- + return 0; + } + diff --git a/queue-5.4/mtd-spi-nor-sfdp-fix-wrong-erase-type-bitmask-for-overlaid-region.patch b/queue-5.4/mtd-spi-nor-sfdp-fix-wrong-erase-type-bitmask-for-overlaid-region.patch new file mode 100644 index 00000000000..b93a0d9bb2d --- /dev/null +++ b/queue-5.4/mtd-spi-nor-sfdp-fix-wrong-erase-type-bitmask-for-overlaid-region.patch @@ -0,0 +1,35 @@ +From abdf5a5ef9652bad4d58058bc22ddf23543ba3e1 Mon Sep 17 00:00:00 2001 +From: Takahiro Kuwano +Date: Fri, 2 Oct 2020 14:17:59 +0900 +Subject: mtd: spi-nor: sfdp: Fix wrong erase type bitmask for overlaid region + +From: Takahiro Kuwano + +commit abdf5a5ef9652bad4d58058bc22ddf23543ba3e1 upstream. + +At the time spi_nor_region_check_overlay() is called, the erase types are +sorted in ascending order of erase size. The 'erase_type' should be masked +with 'BIT(erase[i].idx)' instead of 'BIT(i)'. + +Fixes: b038e8e3be72 ("mtd: spi-nor: parse SFDP Sector Map Parameter Table") +Cc: stable@vger.kernel.org +Signed-off-by: Takahiro Kuwano +[ta: Add Fixes tag and Cc to stable] +Signed-off-by: Tudor Ambarus +Link: https://lore.kernel.org/r/fd90c40d5b626a1319a78fc2bcee79a8871d4d57.1601612872.git.Takahiro.Kuwano@infineon.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/spi-nor/spi-nor.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mtd/spi-nor/spi-nor.c ++++ b/drivers/mtd/spi-nor/spi-nor.c +@@ -3700,7 +3700,7 @@ spi_nor_region_check_overlay(struct spi_ + int i; + + for (i = 0; i < SNOR_ERASE_TYPE_MAX; i++) { +- if (!(erase_type & BIT(i))) ++ if (!(erase[i].size && erase_type & BIT(erase[i].idx))) + continue; + if (region->size & erase[i].size_mask) { + spi_nor_region_mark_overlay(region); diff --git a/queue-5.4/seq_file-document-how-per-entry-resources-are-managed.patch b/queue-5.4/seq_file-document-how-per-entry-resources-are-managed.patch new file mode 100644 index 00000000000..e4c355bd034 --- /dev/null +++ b/queue-5.4/seq_file-document-how-per-entry-resources-are-managed.patch @@ -0,0 +1,83 @@ +From b3656d8227f4c45812c6b40815d8f4e446ed372a Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Thu, 25 Feb 2021 17:22:25 -0800 +Subject: seq_file: document how per-entry resources are managed. + +From: NeilBrown + +commit b3656d8227f4c45812c6b40815d8f4e446ed372a upstream. + +Patch series "Fix some seq_file users that were recently broken". + +A recent change to seq_file broke some users which were using seq_file +in a non-"standard" way ... though the "standard" isn't documented, so +they can be excused. The result is a possible leak - of memory in one +case, of references to a 'transport' in the other. + +These three patches: + 1/ document and explain the problem + 2/ fix the problem user in x86 + 3/ fix the problem user in net/sctp + +This patch (of 3): + +Users of seq_file will sometimes find it convenient to take a resource, +such as a lock or memory allocation, in the ->start or ->next operations. +These are per-entry resources, distinct from per-session resources which +are taken in ->start and released in ->stop. + +The preferred management of these is release the resource on the +subsequent call to ->next or ->stop. + +However prior to Commit 1f4aace60b0e ("fs/seq_file.c: simplify seq_file +iteration code and interface") it happened that ->show would always be +called after ->start or ->next, and a few users chose to release the +resource in ->show. + +This is no longer reliable. Since the mentioned commit, ->next will +always come after a successful ->show (to ensure m->index is updated +correctly), so the original ordering cannot be maintained. + +This patch updates the documentation to clearly state the required +behaviour. Other patches will fix the few problematic users. + +[akpm@linux-foundation.org: fix typo, per Willy] + +Link: https://lkml.kernel.org/r/161248518659.21478.2484341937387294998.stgit@noble1 +Link: https://lkml.kernel.org/r/161248539020.21478.3147971477400875336.stgit@noble1 +Fixes: 1f4aace60b0e ("fs/seq_file.c: simplify seq_file iteration code and interface") +Signed-off-by: NeilBrown +Cc: Xin Long +Cc: Alexander Viro +Cc: Jonathan Corbet +Cc: Ingo Molnar +Cc: Dave Hansen +Cc: Andy Lutomirski +Cc: Peter Zijlstra +Cc: Vlad Yasevich +Cc: Neil Horman +Cc: Marcelo Ricardo Leitner +Cc: "David S. Miller" +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/filesystems/seq_file.txt | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/Documentation/filesystems/seq_file.txt ++++ b/Documentation/filesystems/seq_file.txt +@@ -192,6 +192,12 @@ between the calls to start() and stop(), + is a reasonable thing to do. The seq_file code will also avoid taking any + other locks while the iterator is active. + ++The iterater value returned by start() or next() is guaranteed to be ++passed to a subsequent next() or stop() call. This allows resources ++such as locks that were taken to be reliably released. There is *no* ++guarantee that the iterator will be passed to show(), though in practice ++it often will be. ++ + + Formatted output + diff --git a/queue-5.4/series b/queue-5.4/series index c6f14b04227..3aedf85db74 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -287,3 +287,18 @@ powerpc-prom-fix-ibm-arch-vec-5-platform-support-scan.patch rcu-pull-deferred-rcuog-wake-up-to-rcu_eqs_enter-callers.patch rcu-nocb-perform-deferred-wake-up-before-last-idle-s-need_resched-check.patch rcu-nocb-trigger-self-ipi-on-late-deferred-wake-up-before-user-resume.patch +floppy-reintroduce-o_ndelay-fix.patch +arm64-kexec_file-fix-memory-leakage-in-create_dtb-when-fdt_open_into-fails.patch +arm64-uprobe-return-eopnotsupp-for-aarch32-instruction-probing.patch +watchdog-qcom-remove-incorrect-usage-of-qcom_wdt_enable_irq.patch +watchdog-mei_wdt-request-stop-on-unregister.patch +mtd-spi-nor-sfdp-fix-last-erase-region-marking.patch +mtd-spi-nor-sfdp-fix-wrong-erase-type-bitmask-for-overlaid-region.patch +mtd-spi-nor-core-fix-erase-type-discovery-for-overlaid-region.patch +mtd-spi-nor-core-add-erase-size-check-for-erase-command-initialization.patch +mtd-spi-nor-hisi-sfc-put-child-node-np-on-error-path.patch +fs-affs-release-old-buffer-head-on-error-path.patch +seq_file-document-how-per-entry-resources-are-managed.patch +x86-fix-seq_file-iteration-for-pat-memtype.c.patch +hugetlb-fix-update_and_free_page-contig-page-struct-assumption.patch +hugetlb-fix-copy_huge_page_from_user-contig-page-struct-assumption.patch diff --git a/queue-5.4/watchdog-mei_wdt-request-stop-on-unregister.patch b/queue-5.4/watchdog-mei_wdt-request-stop-on-unregister.patch new file mode 100644 index 00000000000..c83fb0bfaac --- /dev/null +++ b/queue-5.4/watchdog-mei_wdt-request-stop-on-unregister.patch @@ -0,0 +1,43 @@ +From 740c0a57b8f1e36301218bf549f3c9cc833a60be Mon Sep 17 00:00:00 2001 +From: Alexander Usyskin +Date: Sun, 24 Jan 2021 13:49:38 +0200 +Subject: watchdog: mei_wdt: request stop on unregister + +From: Alexander Usyskin + +commit 740c0a57b8f1e36301218bf549f3c9cc833a60be upstream. + +The MEI bus has a special behavior on suspend it destroys +all the attached devices, this is due to the fact that also +firmware context is not persistent across power flows. + +If watchdog on MEI bus is ticking before suspending the firmware +times out and reports that the OS is missing watchdog tick. +Send the stop command to the firmware on watchdog unregistered +to eliminate the false event on suspend. +This does not make the things worse from the user-space perspective +as a user-space should re-open watchdog device after +suspending before this patch. + +Cc: +Signed-off-by: Alexander Usyskin +Signed-off-by: Tomas Winkler +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20210124114938.373885-1-tomas.winkler@intel.com +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/watchdog/mei_wdt.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/watchdog/mei_wdt.c ++++ b/drivers/watchdog/mei_wdt.c +@@ -382,6 +382,7 @@ static int mei_wdt_register(struct mei_w + + watchdog_set_drvdata(&wdt->wdd, wdt); + watchdog_stop_on_reboot(&wdt->wdd); ++ watchdog_stop_on_unregister(&wdt->wdd); + + ret = watchdog_register_device(&wdt->wdd); + if (ret) diff --git a/queue-5.4/watchdog-qcom-remove-incorrect-usage-of-qcom_wdt_enable_irq.patch b/queue-5.4/watchdog-qcom-remove-incorrect-usage-of-qcom_wdt_enable_irq.patch new file mode 100644 index 00000000000..7f8952d32bb --- /dev/null +++ b/queue-5.4/watchdog-qcom-remove-incorrect-usage-of-qcom_wdt_enable_irq.patch @@ -0,0 +1,66 @@ +From a4f3407c41605d14f09e490045d0609990cd5d94 Mon Sep 17 00:00:00 2001 +From: Sai Prakash Ranjan +Date: Tue, 26 Jan 2021 20:32:41 +0530 +Subject: watchdog: qcom: Remove incorrect usage of QCOM_WDT_ENABLE_IRQ + +From: Sai Prakash Ranjan + +commit a4f3407c41605d14f09e490045d0609990cd5d94 upstream. + +As per register documentation, QCOM_WDT_ENABLE_IRQ which is BIT(1) +of watchdog control register is wakeup interrupt enable bit and +not related to bark interrupt at all, BIT(0) is used for that. +So remove incorrect usage of this bit when supporting bark irq for +pre-timeout notification. Currently with this bit set and bark +interrupt specified, pre-timeout notification and/or watchdog +reset/bite does not occur. + +Fixes: 36375491a439 ("watchdog: qcom: support pre-timeout when the bark irq is available") +Cc: stable@vger.kernel.org +Signed-off-by: Sai Prakash Ranjan +Reviewed-by: Guenter Roeck +Reviewed-by: Stephen Boyd +Link: https://lore.kernel.org/r/20210126150241.10009-1-saiprakash.ranjan@codeaurora.org +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/watchdog/qcom-wdt.c | 13 +------------ + 1 file changed, 1 insertion(+), 12 deletions(-) + +--- a/drivers/watchdog/qcom-wdt.c ++++ b/drivers/watchdog/qcom-wdt.c +@@ -22,7 +22,6 @@ enum wdt_reg { + }; + + #define QCOM_WDT_ENABLE BIT(0) +-#define QCOM_WDT_ENABLE_IRQ BIT(1) + + static const u32 reg_offset_data_apcs_tmr[] = { + [WDT_RST] = 0x38, +@@ -58,16 +57,6 @@ struct qcom_wdt *to_qcom_wdt(struct watc + return container_of(wdd, struct qcom_wdt, wdd); + } + +-static inline int qcom_get_enable(struct watchdog_device *wdd) +-{ +- int enable = QCOM_WDT_ENABLE; +- +- if (wdd->pretimeout) +- enable |= QCOM_WDT_ENABLE_IRQ; +- +- return enable; +-} +- + static irqreturn_t qcom_wdt_isr(int irq, void *arg) + { + struct watchdog_device *wdd = arg; +@@ -86,7 +75,7 @@ static int qcom_wdt_start(struct watchdo + writel(1, wdt_addr(wdt, WDT_RST)); + writel(bark * wdt->rate, wdt_addr(wdt, WDT_BARK_TIME)); + writel(wdd->timeout * wdt->rate, wdt_addr(wdt, WDT_BITE_TIME)); +- writel(qcom_get_enable(wdd), wdt_addr(wdt, WDT_EN)); ++ writel(QCOM_WDT_ENABLE, wdt_addr(wdt, WDT_EN)); + return 0; + } + diff --git a/queue-5.4/x86-fix-seq_file-iteration-for-pat-memtype.c.patch b/queue-5.4/x86-fix-seq_file-iteration-for-pat-memtype.c.patch new file mode 100644 index 00000000000..01c4bde25e0 --- /dev/null +++ b/queue-5.4/x86-fix-seq_file-iteration-for-pat-memtype.c.patch @@ -0,0 +1,67 @@ +From 3d2fc4c082448e9c05792f9b2a11c1d5db408b85 Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Thu, 25 Feb 2021 17:22:29 -0800 +Subject: x86: fix seq_file iteration for pat/memtype.c + +From: NeilBrown + +commit 3d2fc4c082448e9c05792f9b2a11c1d5db408b85 upstream. + +The memtype seq_file iterator allocates a buffer in the ->start and ->next +functions and frees it in the ->show function. The preferred handling for +such resources is to free them in the subsequent ->next or ->stop function +call. + +Since Commit 1f4aace60b0e ("fs/seq_file.c: simplify seq_file iteration +code and interface") there is no guarantee that ->show will be called +after ->next, so this function can now leak memory. + +So move the freeing of the buffer to ->next and ->stop. + +Link: https://lkml.kernel.org/r/161248539022.21478.13874455485854739066.stgit@noble1 +Fixes: 1f4aace60b0e ("fs/seq_file.c: simplify seq_file iteration code and interface") +Signed-off-by: NeilBrown +Cc: Xin Long +Cc: Alexander Viro +Cc: Andy Lutomirski +Cc: Dave Hansen +Cc: "David S. Miller" +Cc: Ingo Molnar +Cc: Jonathan Corbet +Cc: Marcelo Ricardo Leitner +Cc: Neil Horman +Cc: Peter Zijlstra +Cc: Vlad Yasevich +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/mm/pat.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/x86/mm/pat.c ++++ b/arch/x86/mm/pat.c +@@ -1132,12 +1132,14 @@ static void *memtype_seq_start(struct se + + static void *memtype_seq_next(struct seq_file *seq, void *v, loff_t *pos) + { ++ kfree(v); + ++*pos; + return memtype_get_idx(*pos); + } + + static void memtype_seq_stop(struct seq_file *seq, void *v) + { ++ kfree(v); + } + + static int memtype_seq_show(struct seq_file *seq, void *v) +@@ -1146,7 +1148,6 @@ static int memtype_seq_show(struct seq_f + + seq_printf(seq, "%s @ 0x%Lx-0x%Lx\n", cattr_name(print_entry->type), + print_entry->start, print_entry->end); +- kfree(print_entry); + + return 0; + }