From: Sasha Levin Date: Sat, 2 Apr 2022 12:59:32 +0000 (-0400) Subject: Fixes for 4.14 X-Git-Tag: v5.17.2~173^2~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4648aac82a2fce4530a03cb4ff980676bc2242ca;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/acpi-apei-fix-return-value-of-__setup-handlers.patch b/queue-4.14/acpi-apei-fix-return-value-of-__setup-handlers.patch new file mode 100644 index 00000000000..d2be7265574 --- /dev/null +++ b/queue-4.14/acpi-apei-fix-return-value-of-__setup-handlers.patch @@ -0,0 +1,86 @@ +From e463a556267f4c50fdc334a9cf80a8ad2df90698 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Mar 2022 18:46:20 -0800 +Subject: ACPI: APEI: fix return value of __setup handlers + +From: Randy Dunlap + +[ Upstream commit f3303ff649dbf7dcdc6a6e1a922235b12b3028f4 ] + +__setup() handlers should return 1 to indicate that the boot option +has been handled. Returning 0 causes a boot option to be listed in +the Unknown kernel command line parameters and also added to init's +arg list (if no '=' sign) or environment list (if of the form 'a=b'). + +Unknown kernel command line parameters "erst_disable + bert_disable hest_disable BOOT_IMAGE=/boot/bzImage-517rc6", will be + passed to user space. + + Run /sbin/init as init process + with arguments: + /sbin/init + erst_disable + bert_disable + hest_disable + with environment: + HOME=/ + TERM=linux + BOOT_IMAGE=/boot/bzImage-517rc6 + +Fixes: a3e2acc5e37b ("ACPI / APEI: Add Boot Error Record Table (BERT) support") +Fixes: a08f82d08053 ("ACPI, APEI, Error Record Serialization Table (ERST) support") +Fixes: 9dc966641677 ("ACPI, APEI, HEST table parsing") +Signed-off-by: Randy Dunlap +Reported-by: Igor Zhbanov +Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru +Reviewed-by: "Huang, Ying" +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/apei/bert.c | 2 +- + drivers/acpi/apei/erst.c | 2 +- + drivers/acpi/apei/hest.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/acpi/apei/bert.c b/drivers/acpi/apei/bert.c +index 12771fcf0417..876824948c19 100644 +--- a/drivers/acpi/apei/bert.c ++++ b/drivers/acpi/apei/bert.c +@@ -82,7 +82,7 @@ static int __init setup_bert_disable(char *str) + { + bert_disable = 1; + +- return 0; ++ return 1; + } + __setup("bert_disable", setup_bert_disable); + +diff --git a/drivers/acpi/apei/erst.c b/drivers/acpi/apei/erst.c +index 5b149d2d52f4..575c63260fc8 100644 +--- a/drivers/acpi/apei/erst.c ++++ b/drivers/acpi/apei/erst.c +@@ -898,7 +898,7 @@ EXPORT_SYMBOL_GPL(erst_clear); + static int __init setup_erst_disable(char *str) + { + erst_disable = 1; +- return 0; ++ return 1; + } + + __setup("erst_disable", setup_erst_disable); +diff --git a/drivers/acpi/apei/hest.c b/drivers/acpi/apei/hest.c +index 9cb74115a43d..3af53ae1f276 100644 +--- a/drivers/acpi/apei/hest.c ++++ b/drivers/acpi/apei/hest.c +@@ -214,7 +214,7 @@ static int __init hest_ghes_dev_register(unsigned int ghes_count) + static int __init setup_hest_disable(char *str) + { + hest_disable = HEST_DISABLED; +- return 0; ++ return 1; + } + + __setup("hest_disable", setup_hest_disable); +-- +2.34.1 + diff --git a/queue-4.14/acpi-apei-limit-printable-size-of-bert-table-data.patch b/queue-4.14/acpi-apei-limit-printable-size-of-bert-table-data.patch new file mode 100644 index 00000000000..f4e5a22d728 --- /dev/null +++ b/queue-4.14/acpi-apei-limit-printable-size-of-bert-table-data.patch @@ -0,0 +1,72 @@ +From b9aaa169cbb25b1e476a1a38983616bb1539dfc1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Mar 2022 10:50:48 -0800 +Subject: ACPI/APEI: Limit printable size of BERT table data + +From: Darren Hart + +[ Upstream commit 3f8dec116210ca649163574ed5f8df1e3b837d07 ] + +Platforms with large BERT table data can trigger soft lockup errors +while attempting to print the entire BERT table data to the console at +boot: + + watchdog: BUG: soft lockup - CPU#160 stuck for 23s! [swapper/0:1] + +Observed on Ampere Altra systems with a single BERT record of ~250KB. + +The original bert driver appears to have assumed relatively small table +data. Since it is impractical to reassemble large table data from +interwoven console messages, and the table data is available in + + /sys/firmware/acpi/tables/data/BERT + +limit the size for tables printed to the console to 1024 (for no reason +other than it seemed like a good place to kick off the discussion, would +appreciate feedback from existing users in terms of what size would +maintain their current usage model). + +Alternatively, we could make printing a CONFIG option, use the +bert_disable boot arg (or something similar), or use a debug log level. +However, all those solutions require extra steps or change the existing +behavior for small table data. Limiting the size preserves existing +behavior on existing platforms with small table data, and eliminates the +soft lockups for platforms with large table data, while still making it +available. + +Signed-off-by: Darren Hart +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/apei/bert.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/acpi/apei/bert.c b/drivers/acpi/apei/bert.c +index 876824948c19..d2212e092c50 100644 +--- a/drivers/acpi/apei/bert.c ++++ b/drivers/acpi/apei/bert.c +@@ -31,6 +31,7 @@ + + #undef pr_fmt + #define pr_fmt(fmt) "BERT: " fmt ++#define ACPI_BERT_PRINT_MAX_LEN 1024 + + static int bert_disable; + +@@ -59,8 +60,11 @@ static void __init bert_print_all(struct acpi_bert_region *region, + } + + pr_info_once("Error records from previous boot:\n"); +- +- cper_estatus_print(KERN_INFO HW_ERR, estatus); ++ if (region_len < ACPI_BERT_PRINT_MAX_LEN) ++ cper_estatus_print(KERN_INFO HW_ERR, estatus); ++ else ++ pr_info_once("Max print length exceeded, table data is available at:\n" ++ "/sys/firmware/acpi/tables/data/BERT"); + + /* + * Because the boot error source is "one-time polled" type, +-- +2.34.1 + diff --git a/queue-4.14/acpica-avoid-walking-the-acpi-namespace-if-it-is-not.patch b/queue-4.14/acpica-avoid-walking-the-acpi-namespace-if-it-is-not.patch new file mode 100644 index 00000000000..c2095662503 --- /dev/null +++ b/queue-4.14/acpica-avoid-walking-the-acpi-namespace-if-it-is-not.patch @@ -0,0 +1,44 @@ +From be73b909db78a89886b714cb66e152c3b4060a14 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Mar 2022 20:28:26 +0100 +Subject: ACPICA: Avoid walking the ACPI Namespace if it is not there + +From: Rafael J. Wysocki + +[ Upstream commit 0c9992315e738e7d6e927ef36839a466b080dba6 ] + +ACPICA commit b1c3656ef4950098e530be68d4b589584f06cddc + +Prevent acpi_ns_walk_namespace() from crashing when called with +start_node equal to ACPI_ROOT_OBJECT if the Namespace has not been +instantiated yet and acpi_gbl_root_node is NULL. + +For instance, this can happen if the kernel is run with "acpi=off" +in the command line. + +Link: https://github.com/acpica/acpica/commit/b1c3656ef4950098e530be68d4b589584f06cddc +Link: https://lore.kernel.org/linux-acpi/CAJZ5v0hJWW_vZ3wwajE7xT38aWjY7cZyvqMJpXHzUL98-SiCVQ@mail.gmail.com/ +Reported-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/nswalk.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/acpi/acpica/nswalk.c b/drivers/acpi/acpica/nswalk.c +index 6b6e6f498cff..129fc61f14c4 100644 +--- a/drivers/acpi/acpica/nswalk.c ++++ b/drivers/acpi/acpica/nswalk.c +@@ -203,6 +203,9 @@ acpi_ns_walk_namespace(acpi_object_type type, + + if (start_node == ACPI_ROOT_OBJECT) { + start_node = acpi_gbl_root_node; ++ if (!start_node) { ++ return_ACPI_STATUS(AE_NO_NAMESPACE); ++ } + } + + /* Null child means "get first node" */ +-- +2.34.1 + diff --git a/queue-4.14/af_netlink-fix-shift-out-of-bounds-in-group-mask-cal.patch b/queue-4.14/af_netlink-fix-shift-out-of-bounds-in-group-mask-cal.patch new file mode 100644 index 00000000000..8526497d455 --- /dev/null +++ b/queue-4.14/af_netlink-fix-shift-out-of-bounds-in-group-mask-cal.patch @@ -0,0 +1,62 @@ +From 338535231a5900fa4bd55d2c7358202bcc85bb6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Mar 2022 15:53:06 +0100 +Subject: af_netlink: Fix shift out of bounds in group mask calculation + +From: Petr Machata + +[ Upstream commit 0caf6d9922192dd1afa8dc2131abfb4df1443b9f ] + +When a netlink message is received, netlink_recvmsg() fills in the address +of the sender. One of the fields is the 32-bit bitfield nl_groups, which +carries the multicast group on which the message was received. The least +significant bit corresponds to group 1, and therefore the highest group +that the field can represent is 32. Above that, the UB sanitizer flags the +out-of-bounds shift attempts. + +Which bits end up being set in such case is implementation defined, but +it's either going to be a wrong non-zero value, or zero, which is at least +not misleading. Make the latter choice deterministic by always setting to 0 +for higher-numbered multicast groups. + +To get information about membership in groups >= 32, userspace is expected +to use nl_pktinfo control messages[0], which are enabled by NETLINK_PKTINFO +socket option. +[0] https://lwn.net/Articles/147608/ + +The way to trigger this issue is e.g. through monitoring the BRVLAN group: + + # bridge monitor vlan & + # ip link add name br type bridge + +Which produces the following citation: + + UBSAN: shift-out-of-bounds in net/netlink/af_netlink.c:162:19 + shift exponent 32 is too large for 32-bit type 'int' + +Fixes: f7fa9b10edbb ("[NETLINK]: Support dynamic number of multicast groups per netlink family") +Signed-off-by: Petr Machata +Reviewed-by: Ido Schimmel +Link: https://lore.kernel.org/r/2bef6aabf201d1fc16cca139a744700cff9dcb04.1647527635.git.petrm@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/netlink/af_netlink.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index 0563b4d34eae..24e8ac2b724e 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -154,6 +154,8 @@ static const struct rhashtable_params netlink_rhashtable_params; + + static inline u32 netlink_group_mask(u32 group) + { ++ if (group > 32) ++ return 0; + return group ? 1 << (group - 1) : 0; + } + +-- +2.34.1 + diff --git a/queue-4.14/alsa-firewire-lib-fix-uninitialized-flag-for-av-c-de.patch b/queue-4.14/alsa-firewire-lib-fix-uninitialized-flag-for-av-c-de.patch new file mode 100644 index 00000000000..b4b73ab53e7 --- /dev/null +++ b/queue-4.14/alsa-firewire-lib-fix-uninitialized-flag-for-av-c-de.patch @@ -0,0 +1,84 @@ +From b84b6a8c4c2fe2d43239c1c5614f20f135ae2616 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Mar 2022 21:56:47 +0900 +Subject: ALSA: firewire-lib: fix uninitialized flag for AV/C deferred + transaction + +From: Takashi Sakamoto + +[ Upstream commit bf0cd60b7e33cf221fbe1114e4acb2c828b0af0d ] + +AV/C deferred transaction was supported at a commit 00a7bb81c20f ("ALSA: +firewire-lib: Add support for deferred transaction") while 'deferrable' +flag can be uninitialized for non-control/notify AV/C transactions. +UBSAN reports it: + +kernel: ================================================================================ +kernel: UBSAN: invalid-load in /build/linux-aa0B4d/linux-5.15.0/sound/firewire/fcp.c:363:9 +kernel: load of value 158 is not a valid value for type '_Bool' +kernel: CPU: 3 PID: 182227 Comm: irq/35-firewire Tainted: P OE 5.15.0-18-generic #18-Ubuntu +kernel: Hardware name: Gigabyte Technology Co., Ltd. AX370-Gaming 5/AX370-Gaming 5, BIOS F42b 08/01/2019 +kernel: Call Trace: +kernel: +kernel: show_stack+0x52/0x58 +kernel: dump_stack_lvl+0x4a/0x5f +kernel: dump_stack+0x10/0x12 +kernel: ubsan_epilogue+0x9/0x45 +kernel: __ubsan_handle_load_invalid_value.cold+0x44/0x49 +kernel: fcp_response.part.0.cold+0x1a/0x2b [snd_firewire_lib] +kernel: fcp_response+0x28/0x30 [snd_firewire_lib] +kernel: fw_core_handle_request+0x230/0x3d0 [firewire_core] +kernel: handle_ar_packet+0x1d9/0x200 [firewire_ohci] +kernel: ? handle_ar_packet+0x1d9/0x200 [firewire_ohci] +kernel: ? transmit_complete_callback+0x9f/0x120 [firewire_core] +kernel: ar_context_tasklet+0xa8/0x2e0 [firewire_ohci] +kernel: tasklet_action_common.constprop.0+0xea/0xf0 +kernel: tasklet_action+0x22/0x30 +kernel: __do_softirq+0xd9/0x2e3 +kernel: ? irq_finalize_oneshot.part.0+0xf0/0xf0 +kernel: do_softirq+0x75/0xa0 +kernel: +kernel: +kernel: __local_bh_enable_ip+0x50/0x60 +kernel: irq_forced_thread_fn+0x7e/0x90 +kernel: irq_thread+0xba/0x190 +kernel: ? irq_thread_fn+0x60/0x60 +kernel: kthread+0x11e/0x140 +kernel: ? irq_thread_check_affinity+0xf0/0xf0 +kernel: ? set_kthread_struct+0x50/0x50 +kernel: ret_from_fork+0x22/0x30 +kernel: +kernel: ================================================================================ + +This commit fixes the bug. The bug has no disadvantage for the non- +control/notify AV/C transactions since the flag has an effect for AV/C +response with INTERIM (0x0f) status which is not used for the transactions +in AV/C general specification. + +Fixes: 00a7bb81c20f ("ALSA: firewire-lib: Add support for deferred transaction") +Signed-off-by: Takashi Sakamoto +Link: https://lore.kernel.org/r/20220304125647.78430-1-o-takashi@sakamocchi.jp +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/firewire/fcp.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/sound/firewire/fcp.c b/sound/firewire/fcp.c +index 61dda828f767..c8fbb54269cb 100644 +--- a/sound/firewire/fcp.c ++++ b/sound/firewire/fcp.c +@@ -240,9 +240,7 @@ int fcp_avc_transaction(struct fw_unit *unit, + t.response_match_bytes = response_match_bytes; + t.state = STATE_PENDING; + init_waitqueue_head(&t.wait); +- +- if (*(const u8 *)command == 0x00 || *(const u8 *)command == 0x03) +- t.deferrable = true; ++ t.deferrable = (*(const u8 *)command == 0x00 || *(const u8 *)command == 0x03); + + spin_lock_irq(&transactions_lock); + list_add_tail(&t.list, &transactions); +-- +2.34.1 + diff --git a/queue-4.14/alsa-spi-add-check-for-clk_enable.patch b/queue-4.14/alsa-spi-add-check-for-clk_enable.patch new file mode 100644 index 00000000000..f3fbefb470e --- /dev/null +++ b/queue-4.14/alsa-spi-add-check-for-clk_enable.patch @@ -0,0 +1,92 @@ +From 2890aa27cd80557eb72415606ddfce3c6bce2557 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Feb 2022 10:28:39 +0800 +Subject: ALSA: spi: Add check for clk_enable() + +From: Jiasheng Jiang + +[ Upstream commit ca1697eb09208f0168d94b88b72f57505339cbe5 ] + +As the potential failure of the clk_enable(), +it should be better to check it and return error +if fails. + +Fixes: 3568459a5113 ("ALSA: at73c213: manage SSC clock") +Signed-off-by: Jiasheng Jiang +Link: https://lore.kernel.org/r/20220228022839.3547266-1-jiasheng@iscas.ac.cn +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/spi/at73c213.c | 27 +++++++++++++++++++++------ + 1 file changed, 21 insertions(+), 6 deletions(-) + +diff --git a/sound/spi/at73c213.c b/sound/spi/at73c213.c +index 1ef52edeb538..3763f06ed784 100644 +--- a/sound/spi/at73c213.c ++++ b/sound/spi/at73c213.c +@@ -221,7 +221,9 @@ static int snd_at73c213_pcm_open(struct snd_pcm_substream *substream) + runtime->hw = snd_at73c213_playback_hw; + chip->substream = substream; + +- clk_enable(chip->ssc->clk); ++ err = clk_enable(chip->ssc->clk); ++ if (err) ++ return err; + + return 0; + } +@@ -787,7 +789,9 @@ static int snd_at73c213_chip_init(struct snd_at73c213 *chip) + goto out; + + /* Enable DAC master clock. */ +- clk_enable(chip->board->dac_clk); ++ retval = clk_enable(chip->board->dac_clk); ++ if (retval) ++ goto out; + + /* Initialize at73c213 on SPI bus. */ + retval = snd_at73c213_write_reg(chip, DAC_RST, 0x04); +@@ -900,7 +904,9 @@ static int snd_at73c213_dev_init(struct snd_card *card, + chip->card = card; + chip->irq = -1; + +- clk_enable(chip->ssc->clk); ++ retval = clk_enable(chip->ssc->clk); ++ if (retval) ++ return retval; + + retval = request_irq(irq, snd_at73c213_interrupt, 0, "at73c213", chip); + if (retval) { +@@ -1019,7 +1025,9 @@ static int snd_at73c213_remove(struct spi_device *spi) + int retval; + + /* Stop playback. */ +- clk_enable(chip->ssc->clk); ++ retval = clk_enable(chip->ssc->clk); ++ if (retval) ++ goto out; + ssc_writel(chip->ssc->regs, CR, SSC_BIT(CR_TXDIS)); + clk_disable(chip->ssc->clk); + +@@ -1099,9 +1107,16 @@ static int snd_at73c213_resume(struct device *dev) + { + struct snd_card *card = dev_get_drvdata(dev); + struct snd_at73c213 *chip = card->private_data; ++ int retval; + +- clk_enable(chip->board->dac_clk); +- clk_enable(chip->ssc->clk); ++ retval = clk_enable(chip->board->dac_clk); ++ if (retval) ++ return retval; ++ retval = clk_enable(chip->ssc->clk); ++ if (retval) { ++ clk_disable(chip->board->dac_clk); ++ return retval; ++ } + ssc_writel(chip->ssc->regs, CR, SSC_BIT(CR_TXEN)); + + return 0; +-- +2.34.1 + diff --git a/queue-4.14/arm-dts-bcm2837-add-the-missing-l1-l2-cache-informat.patch b/queue-4.14/arm-dts-bcm2837-add-the-missing-l1-l2-cache-informat.patch new file mode 100644 index 00000000000..c754b44eeec --- /dev/null +++ b/queue-4.14/arm-dts-bcm2837-add-the-missing-l1-l2-cache-informat.patch @@ -0,0 +1,112 @@ +From 67478599c6bb46a9bc403b322816b464ff8fad62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Dec 2021 21:00:09 +0100 +Subject: ARM: dts: bcm2837: Add the missing L1/L2 cache information + +From: Richard Schleich + +[ Upstream commit bdf8762da268d2a34abf517c36528413906e9cd5 ] + +This patch fixes the kernel warning +"cacheinfo: Unable to detect cache hierarchy for CPU 0" +for the bcm2837 on newer kernel versions. + +Signed-off-by: Richard Schleich +Tested-by: Stefan Wahren +[florian: Align and remove comments matching property values] +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/bcm2837.dtsi | 49 ++++++++++++++++++++++++++++++++++ + 1 file changed, 49 insertions(+) + +diff --git a/arch/arm/boot/dts/bcm2837.dtsi b/arch/arm/boot/dts/bcm2837.dtsi +index d5d058a568c3..20407a5aafc8 100644 +--- a/arch/arm/boot/dts/bcm2837.dtsi ++++ b/arch/arm/boot/dts/bcm2837.dtsi +@@ -32,12 +32,26 @@ + #size-cells = <0>; + enable-method = "brcm,bcm2836-smp"; // for ARM 32-bit + ++ /* Source for d/i-cache-line-size and d/i-cache-sets ++ * https://developer.arm.com/documentation/ddi0500/e/level-1-memory-system ++ * /about-the-l1-memory-system?lang=en ++ * ++ * Source for d/i-cache-size ++ * https://magpi.raspberrypi.com/articles/raspberry-pi-3-specs-benchmarks ++ */ + cpu0: cpu@0 { + device_type = "cpu"; + compatible = "arm,cortex-a53"; + reg = <0>; + enable-method = "spin-table"; + cpu-release-addr = <0x0 0x000000d8>; ++ d-cache-size = <0x8000>; ++ d-cache-line-size = <64>; ++ d-cache-sets = <128>; // 32KiB(size)/64(line-size)=512ways/4-way set ++ i-cache-size = <0x8000>; ++ i-cache-line-size = <64>; ++ i-cache-sets = <256>; // 32KiB(size)/64(line-size)=512ways/2-way set ++ next-level-cache = <&l2>; + }; + + cpu1: cpu@1 { +@@ -46,6 +60,13 @@ + reg = <1>; + enable-method = "spin-table"; + cpu-release-addr = <0x0 0x000000e0>; ++ d-cache-size = <0x8000>; ++ d-cache-line-size = <64>; ++ d-cache-sets = <128>; // 32KiB(size)/64(line-size)=512ways/4-way set ++ i-cache-size = <0x8000>; ++ i-cache-line-size = <64>; ++ i-cache-sets = <256>; // 32KiB(size)/64(line-size)=512ways/2-way set ++ next-level-cache = <&l2>; + }; + + cpu2: cpu@2 { +@@ -54,6 +75,13 @@ + reg = <2>; + enable-method = "spin-table"; + cpu-release-addr = <0x0 0x000000e8>; ++ d-cache-size = <0x8000>; ++ d-cache-line-size = <64>; ++ d-cache-sets = <128>; // 32KiB(size)/64(line-size)=512ways/4-way set ++ i-cache-size = <0x8000>; ++ i-cache-line-size = <64>; ++ i-cache-sets = <256>; // 32KiB(size)/64(line-size)=512ways/2-way set ++ next-level-cache = <&l2>; + }; + + cpu3: cpu@3 { +@@ -62,6 +90,27 @@ + reg = <3>; + enable-method = "spin-table"; + cpu-release-addr = <0x0 0x000000f0>; ++ d-cache-size = <0x8000>; ++ d-cache-line-size = <64>; ++ d-cache-sets = <128>; // 32KiB(size)/64(line-size)=512ways/4-way set ++ i-cache-size = <0x8000>; ++ i-cache-line-size = <64>; ++ i-cache-sets = <256>; // 32KiB(size)/64(line-size)=512ways/2-way set ++ next-level-cache = <&l2>; ++ }; ++ ++ /* Source for cache-line-size + cache-sets ++ * https://developer.arm.com/documentation/ddi0500 ++ * /e/level-2-memory-system/about-the-l2-memory-system?lang=en ++ * Source for cache-size ++ * https://datasheets.raspberrypi.com/cm/cm1-and-cm3-datasheet.pdf ++ */ ++ l2: l2-cache0 { ++ compatible = "cache"; ++ cache-size = <0x80000>; ++ cache-line-size = <64>; ++ cache-sets = <512>; // 512KiB(size)/64(line-size)=8192ways/16-way set ++ cache-level = <2>; + }; + }; + }; +-- +2.34.1 + diff --git a/queue-4.14/arm-dts-qcom-fix-gic_irq_domain_translate-warnings-f.patch b/queue-4.14/arm-dts-qcom-fix-gic_irq_domain_translate-warnings-f.patch new file mode 100644 index 00000000000..aeccc2ea0b4 --- /dev/null +++ b/queue-4.14/arm-dts-qcom-fix-gic_irq_domain_translate-warnings-f.patch @@ -0,0 +1,60 @@ +From d6bc16bae664e84cbd43d789a7ac969d04e5fc13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 Jan 2022 18:42:28 +0100 +Subject: ARM: dts: qcom: fix gic_irq_domain_translate warnings for msm8960 + +From: David Heidelberg + +[ Upstream commit 6f7e221e7a5cfc3299616543fce42b36e631497b ] + +IRQ types blindly copied from very similar APQ8064. + +Fixes warnings as: +WARNING: CPU: 0 PID: 1 at drivers/irqchip/irq-gic.c:1080 gic_irq_domain_translate+0x118/0x120 +... + +Tested-by: LogicalErzor # boot-tested on Samsung S3 +Signed-off-by: David Heidelberg +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220108174229.60384-1-david@ixit.cz +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/qcom-msm8960.dtsi | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/boot/dts/qcom-msm8960.dtsi b/arch/arm/boot/dts/qcom-msm8960.dtsi +index 1733d8f40ab1..b256fda0f5ea 100644 +--- a/arch/arm/boot/dts/qcom-msm8960.dtsi ++++ b/arch/arm/boot/dts/qcom-msm8960.dtsi +@@ -140,7 +140,9 @@ + reg = <0x108000 0x1000>; + qcom,ipc = <&l2cc 0x8 2>; + +- interrupts = <0 19 0>, <0 21 0>, <0 22 0>; ++ interrupts = , ++ , ++ ; + interrupt-names = "ack", "err", "wakeup"; + + regulators { +@@ -186,7 +188,7 @@ + compatible = "qcom,msm-uartdm-v1.3", "qcom,msm-uartdm"; + reg = <0x16440000 0x1000>, + <0x16400000 0x1000>; +- interrupts = <0 154 0x0>; ++ interrupts = ; + clocks = <&gcc GSBI5_UART_CLK>, <&gcc GSBI5_H_CLK>; + clock-names = "core", "iface"; + status = "disabled"; +@@ -312,7 +314,7 @@ + #address-cells = <1>; + #size-cells = <0>; + reg = <0x16080000 0x1000>; +- interrupts = <0 147 0>; ++ interrupts = ; + spi-max-frequency = <24000000>; + cs-gpios = <&msmgpio 8 0>; + +-- +2.34.1 + diff --git a/queue-4.14/arm-dts-qcom-ipq4019-fix-sleep-clock.patch b/queue-4.14/arm-dts-qcom-ipq4019-fix-sleep-clock.patch new file mode 100644 index 00000000000..092c9c25c20 --- /dev/null +++ b/queue-4.14/arm-dts-qcom-ipq4019-fix-sleep-clock.patch @@ -0,0 +1,42 @@ +From 81f94d69a2e1e9f45bde2dda1d7e786dad885a33 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Dec 2021 18:03:52 +0100 +Subject: ARM: dts: qcom: ipq4019: fix sleep clock + +From: Pavel Kubelun + +[ Upstream commit 3d7e7980993d2c1ae42d3d314040fc2de6a9c45f ] + +It seems like sleep_clk was copied from ipq806x. +Fix ipq40xx sleep_clk to the value QSDK defines. + +Link: https://source.codeaurora.org/quic/qsdk/oss/kernel/linux-msm/commit/?id=d92ec59973484acc86dd24b67f10f8911b4b4b7d +Link: https://patchwork.kernel.org/comment/22721613/ +Fixes: bec6ba4cdf2a ("qcom: ipq4019: Add basic board/dts support for IPQ4019 SoC") +Suggested-by: Bjorn Andersson (clock-output-names) +Signed-off-by: Pavel Kubelun +Signed-off-by: Christian Lamparter (removed clock rename) +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20211220170352.34591-1-chunkeey@gmail.com +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/qcom-ipq4019.dtsi | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/qcom-ipq4019.dtsi b/arch/arm/boot/dts/qcom-ipq4019.dtsi +index 19156cbb6003..ed218425a059 100644 +--- a/arch/arm/boot/dts/qcom-ipq4019.dtsi ++++ b/arch/arm/boot/dts/qcom-ipq4019.dtsi +@@ -93,7 +93,8 @@ + clocks { + sleep_clk: sleep_clk { + compatible = "fixed-clock"; +- clock-frequency = <32768>; ++ clock-frequency = <32000>; ++ clock-output-names = "gcc_sleep_clk_src"; + #clock-cells = <0>; + }; + +-- +2.34.1 + diff --git a/queue-4.14/arm-ftrace-avoid-redundant-loads-or-clobbering-ip.patch b/queue-4.14/arm-ftrace-avoid-redundant-loads-or-clobbering-ip.patch new file mode 100644 index 00000000000..eb5a47f199f --- /dev/null +++ b/queue-4.14/arm-ftrace-avoid-redundant-loads-or-clobbering-ip.patch @@ -0,0 +1,135 @@ +From 7901783d3ec767ec9071be56943ced4ec4ad8d7f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Jan 2022 20:18:33 +0100 +Subject: ARM: ftrace: avoid redundant loads or clobbering IP + +From: Ard Biesheuvel + +[ Upstream commit d11967870815b5ab89843980e35aab616c97c463 ] + +Tweak the ftrace return paths to avoid redundant loads of SP, as well as +unnecessary clobbering of IP. + +This also fixes the inconsistency of using MOV to perform a function +return, which is sub-optimal on recent micro-architectures but more +importantly, does not perform an interworking return, unlike compiler +generated function returns in Thumb2 builds. + +Let's fix this by popping PC from the stack like most ordinary code +does. + +Signed-off-by: Ard Biesheuvel +Reviewed-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + arch/arm/kernel/entry-ftrace.S | 51 +++++++++++++++------------------- + 1 file changed, 22 insertions(+), 29 deletions(-) + +diff --git a/arch/arm/kernel/entry-ftrace.S b/arch/arm/kernel/entry-ftrace.S +index 1acf4d05e94c..393c342ecd51 100644 +--- a/arch/arm/kernel/entry-ftrace.S ++++ b/arch/arm/kernel/entry-ftrace.S +@@ -41,10 +41,7 @@ + * mcount can be thought of as a function called in the middle of a subroutine + * call. As such, it needs to be transparent for both the caller and the + * callee: the original lr needs to be restored when leaving mcount, and no +- * registers should be clobbered. (In the __gnu_mcount_nc implementation, we +- * clobber the ip register. This is OK because the ARM calling convention +- * allows it to be clobbered in subroutines and doesn't use it to hold +- * parameters.) ++ * registers should be clobbered. + * + * When using dynamic ftrace, we patch out the mcount call by a "mov r0, r0" + * for the mcount case, and a "pop {lr}" for the __gnu_mcount_nc case (see +@@ -96,26 +93,25 @@ + + .macro __ftrace_regs_caller + +- sub sp, sp, #8 @ space for PC and CPSR OLD_R0, ++ str lr, [sp, #-8]! @ store LR as PC and make space for CPSR/OLD_R0, + @ OLD_R0 will overwrite previous LR + +- add ip, sp, #12 @ move in IP the value of SP as it was +- @ before the push {lr} of the mcount mechanism ++ ldr lr, [sp, #8] @ get previous LR + +- str lr, [sp, #0] @ store LR instead of PC ++ str r0, [sp, #8] @ write r0 as OLD_R0 over previous LR + +- ldr lr, [sp, #8] @ get previous LR ++ str lr, [sp, #-4]! @ store previous LR as LR + +- str r0, [sp, #8] @ write r0 as OLD_R0 over previous LR ++ add lr, sp, #16 @ move in LR the value of SP as it was ++ @ before the push {lr} of the mcount mechanism + +- stmdb sp!, {ip, lr} +- stmdb sp!, {r0-r11, lr} ++ push {r0-r11, ip, lr} + + @ stack content at this point: + @ 0 4 48 52 56 60 64 68 72 +- @ R0 | R1 | ... | LR | SP + 4 | previous LR | LR | PSR | OLD_R0 | ++ @ R0 | R1 | ... | IP | SP + 4 | previous LR | LR | PSR | OLD_R0 | + +- mov r3, sp @ struct pt_regs* ++ mov r3, sp @ struct pt_regs* + + ldr r2, =function_trace_op + ldr r2, [r2] @ pointer to the current +@@ -138,11 +134,9 @@ ftrace_graph_regs_call: + #endif + + @ pop saved regs +- ldmia sp!, {r0-r12} @ restore r0 through r12 +- ldr ip, [sp, #8] @ restore PC +- ldr lr, [sp, #4] @ restore LR +- ldr sp, [sp, #0] @ restore SP +- mov pc, ip @ return ++ pop {r0-r11, ip, lr} @ restore r0 through r12 ++ ldr lr, [sp], #4 @ restore LR ++ ldr pc, [sp], #12 + .endm + + #ifdef CONFIG_FUNCTION_GRAPH_TRACER +@@ -158,11 +152,9 @@ ftrace_graph_regs_call: + bl prepare_ftrace_return + + @ pop registers saved in ftrace_regs_caller +- ldmia sp!, {r0-r12} @ restore r0 through r12 +- ldr ip, [sp, #8] @ restore PC +- ldr lr, [sp, #4] @ restore LR +- ldr sp, [sp, #0] @ restore SP +- mov pc, ip @ return ++ pop {r0-r11, ip, lr} @ restore r0 through r12 ++ ldr lr, [sp], #4 @ restore LR ++ ldr pc, [sp], #12 + + .endm + #endif +@@ -273,16 +265,17 @@ ENDPROC(ftrace_graph_caller_old) + .endm + + .macro mcount_exit +- ldmia sp!, {r0-r3, ip, lr} +- ret ip ++ ldmia sp!, {r0-r3} ++ ldr lr, [sp, #4] ++ ldr pc, [sp], #8 + .endm + + ENTRY(__gnu_mcount_nc) + UNWIND(.fnstart) + #ifdef CONFIG_DYNAMIC_FTRACE +- mov ip, lr +- ldmia sp!, {lr} +- ret ip ++ push {lr} ++ ldr lr, [sp, #4] ++ ldr pc, [sp], #8 + #else + __mcount + #endif +-- +2.34.1 + diff --git a/queue-4.14/arm-ftrace-ensure-that-adr-takes-the-thumb-bit-into-.patch b/queue-4.14/arm-ftrace-ensure-that-adr-takes-the-thumb-bit-into-.patch new file mode 100644 index 00000000000..154b6f3a79a --- /dev/null +++ b/queue-4.14/arm-ftrace-ensure-that-adr-takes-the-thumb-bit-into-.patch @@ -0,0 +1,40 @@ +From e3a4944efe6c9f75ba22b35ef87793b2c12a51b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Jan 2022 10:38:15 +0100 +Subject: ARM: ftrace: ensure that ADR takes the Thumb bit into account + +From: Ard Biesheuvel + +[ Upstream commit dd88b03ff0c84f4bcbe1419b93a4bed429fed3be ] + +Using ADR to take the address of 'ftrace_stub' via a local label +produces an address that has the Thumb bit cleared, which means the +subsequent comparison is guaranteed to fail. Instead, use the badr +macro, which forces the Thumb bit to be set. + +Fixes: a3ba87a61499 ("ARM: 6316/1: ftrace: add Thumb-2 support") +Signed-off-by: Ard Biesheuvel +Reviewed-by: Nick Desaulniers +Reviewed-by: Steven Rostedt (Google) +Reviewed-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + arch/arm/kernel/entry-ftrace.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/kernel/entry-ftrace.S b/arch/arm/kernel/entry-ftrace.S +index efcd9f25a14b..1acf4d05e94c 100644 +--- a/arch/arm/kernel/entry-ftrace.S ++++ b/arch/arm/kernel/entry-ftrace.S +@@ -66,7 +66,7 @@ + mcount_enter + ldr r0, =ftrace_trace_function + ldr r2, [r0] +- adr r0, .Lftrace_stub ++ badr r0, .Lftrace_stub + cmp r0, r2 + bne 1f + +-- +2.34.1 + diff --git a/queue-4.14/arm-mmp-fix-failure-to-remove-sram-device.patch b/queue-4.14/arm-mmp-fix-failure-to-remove-sram-device.patch new file mode 100644 index 00000000000..daf2d57f054 --- /dev/null +++ b/queue-4.14/arm-mmp-fix-failure-to-remove-sram-device.patch @@ -0,0 +1,79 @@ +From 7a94a19a8718ab7cc739e94b29a2e2a777f5f57e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jul 2021 22:01:58 +0200 +Subject: ARM: mmp: Fix failure to remove sram device +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 4036b29a146b2749af3bb213b003eb69f3e5ecc4 ] + +Make sure in .probe() to set driver data before the function is left to +make it possible in .remove() to undo the actions done. + +This fixes a potential memory leak and stops returning an error code in +.remove() that is ignored by the driver core anyhow. + +Signed-off-by: Uwe Kleine-König +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/arm/mach-mmp/sram.c | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +diff --git a/arch/arm/mach-mmp/sram.c b/arch/arm/mach-mmp/sram.c +index bf5e64906e65..a41162dc4af4 100644 +--- a/arch/arm/mach-mmp/sram.c ++++ b/arch/arm/mach-mmp/sram.c +@@ -75,6 +75,8 @@ static int sram_probe(struct platform_device *pdev) + if (!info) + return -ENOMEM; + ++ platform_set_drvdata(pdev, info); ++ + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + if (res == NULL) { + dev_err(&pdev->dev, "no memory resource defined\n"); +@@ -110,8 +112,6 @@ static int sram_probe(struct platform_device *pdev) + list_add(&info->node, &sram_bank_list); + mutex_unlock(&sram_lock); + +- platform_set_drvdata(pdev, info); +- + dev_info(&pdev->dev, "initialized\n"); + return 0; + +@@ -130,17 +130,19 @@ static int sram_remove(struct platform_device *pdev) + struct sram_bank_info *info; + + info = platform_get_drvdata(pdev); +- if (info == NULL) +- return -ENODEV; + +- mutex_lock(&sram_lock); +- list_del(&info->node); +- mutex_unlock(&sram_lock); ++ if (info->sram_size) { ++ mutex_lock(&sram_lock); ++ list_del(&info->node); ++ mutex_unlock(&sram_lock); ++ ++ gen_pool_destroy(info->gpool); ++ iounmap(info->sram_virt); ++ kfree(info->pool_name); ++ } + +- gen_pool_destroy(info->gpool); +- iounmap(info->sram_virt); +- kfree(info->pool_name); + kfree(info); ++ + return 0; + } + +-- +2.34.1 + diff --git a/queue-4.14/arm-tegra-tamonten-fix-i2c3-pad-setting.patch b/queue-4.14/arm-tegra-tamonten-fix-i2c3-pad-setting.patch new file mode 100644 index 00000000000..5683de1f645 --- /dev/null +++ b/queue-4.14/arm-tegra-tamonten-fix-i2c3-pad-setting.patch @@ -0,0 +1,46 @@ +From 239a7b698c1903034d101363041ec9135b61739c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Dec 2021 17:11:48 +0100 +Subject: ARM: tegra: tamonten: Fix I2C3 pad setting + +From: Richard Leitner + +[ Upstream commit 0092c25b541a5422d7e71892a13c55ee91abc34b ] + +This patch fixes the tristate configuration for i2c3 function assigned +to the dtf pins on the Tamonten Tegra20 SoM. + +Signed-off-by: Richard Leitner +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/tegra20-tamonten.dtsi | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/boot/dts/tegra20-tamonten.dtsi b/arch/arm/boot/dts/tegra20-tamonten.dtsi +index 4d69d67792d1..b919ca29bb78 100644 +--- a/arch/arm/boot/dts/tegra20-tamonten.dtsi ++++ b/arch/arm/boot/dts/tegra20-tamonten.dtsi +@@ -183,8 +183,8 @@ + }; + conf_ata { + nvidia,pins = "ata", "atb", "atc", "atd", "ate", +- "cdev1", "cdev2", "dap1", "dtb", "gma", +- "gmb", "gmc", "gmd", "gme", "gpu7", ++ "cdev1", "cdev2", "dap1", "dtb", "dtf", ++ "gma", "gmb", "gmc", "gmd", "gme", "gpu7", + "gpv", "i2cp", "irrx", "irtx", "pta", + "rm", "slxa", "slxk", "spia", "spib", + "uac"; +@@ -203,7 +203,7 @@ + }; + conf_crtp { + nvidia,pins = "crtp", "dap2", "dap3", "dap4", +- "dtc", "dte", "dtf", "gpu", "sdio1", ++ "dtc", "dte", "gpu", "sdio1", + "slxc", "slxd", "spdi", "spdo", "spig", + "uda"; + nvidia,pull = ; +-- +2.34.1 + diff --git a/queue-4.14/arm64-dts-broadcom-fix-sata-nodename.patch b/queue-4.14/arm64-dts-broadcom-fix-sata-nodename.patch new file mode 100644 index 00000000000..52b94a7e5ae --- /dev/null +++ b/queue-4.14/arm64-dts-broadcom-fix-sata-nodename.patch @@ -0,0 +1,41 @@ +From 8e3014fdb9b2f480a4aaba682a3a0574069f951e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Mar 2022 16:24:18 +0100 +Subject: arm64: dts: broadcom: Fix sata nodename + +From: Frank Wunderlich + +[ Upstream commit 55927cb44db43a57699fa652e2437a91620385dc ] + +After converting ahci-platform txt binding to yaml nodename is reported +as not matching the standard: + +arch/arm64/boot/dts/broadcom/northstar2/ns2-svk.dt.yaml: +ahci@663f2000: $nodename:0: 'ahci@663f2000' does not match '^sata(@.*)?$' + +Fix it to match binding. + +Fixes: ac9aae00f0fc ("arm64: dts: Add SATA3 AHCI and SATA3 PHY DT nodes for NS2") +Signed-off-by: Frank Wunderlich +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/broadcom/northstar2/ns2.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/broadcom/northstar2/ns2.dtsi b/arch/arm64/boot/dts/broadcom/northstar2/ns2.dtsi +index 05f82819ae2d..46676af48c31 100644 +--- a/arch/arm64/boot/dts/broadcom/northstar2/ns2.dtsi ++++ b/arch/arm64/boot/dts/broadcom/northstar2/ns2.dtsi +@@ -687,7 +687,7 @@ + }; + }; + +- sata: ahci@663f2000 { ++ sata: sata@663f2000 { + compatible = "brcm,iproc-ahci", "generic-ahci"; + reg = <0x663f2000 0x1000>; + dma-coherent; +-- +2.34.1 + diff --git a/queue-4.14/arm64-dts-ns2-fix-spi-cpol-and-spi-cpha-property.patch b/queue-4.14/arm64-dts-ns2-fix-spi-cpol-and-spi-cpha-property.patch new file mode 100644 index 00000000000..0a68db96db3 --- /dev/null +++ b/queue-4.14/arm64-dts-ns2-fix-spi-cpol-and-spi-cpha-property.patch @@ -0,0 +1,52 @@ +From 8c01b70fb2c2ca4f0439cfa634a1ca2fa2ce8d66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Feb 2022 16:39:03 +0530 +Subject: arm64: dts: ns2: Fix spi-cpol and spi-cpha property + +From: Kuldeep Singh + +[ Upstream commit c953c764e505428f59ffe6afb1c73b89b5b1ac35 ] + +Broadcom ns2 platform has spi-cpol and spi-cpho properties set +incorrectly. As per spi-slave-peripheral-prop.yaml, these properties are +of flag or boolean type and not integer type. Fix the values. + +Fixes: d69dbd9f41a7c (arm64: dts: Add ARM PL022 SPI DT nodes for NS2) +Signed-off-by: Kuldeep Singh +CC: Ray Jui +CC: Scott Branden +CC: Florian Fainelli +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/broadcom/northstar2/ns2-svk.dts | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/arm64/boot/dts/broadcom/northstar2/ns2-svk.dts b/arch/arm64/boot/dts/broadcom/northstar2/ns2-svk.dts +index ec19fbf928a1..12a4b1c03390 100644 +--- a/arch/arm64/boot/dts/broadcom/northstar2/ns2-svk.dts ++++ b/arch/arm64/boot/dts/broadcom/northstar2/ns2-svk.dts +@@ -111,8 +111,8 @@ + compatible = "silabs,si3226x"; + reg = <0>; + spi-max-frequency = <5000000>; +- spi-cpha = <1>; +- spi-cpol = <1>; ++ spi-cpha; ++ spi-cpol; + pl022,hierarchy = <0>; + pl022,interface = <0>; + pl022,slave-tx-disable = <0>; +@@ -135,8 +135,8 @@ + at25,byte-len = <0x8000>; + at25,addr-mode = <2>; + at25,page-size = <64>; +- spi-cpha = <1>; +- spi-cpol = <1>; ++ spi-cpha; ++ spi-cpol; + pl022,hierarchy = <0>; + pl022,interface = <0>; + pl022,slave-tx-disable = <0>; +-- +2.34.1 + diff --git a/queue-4.14/asoc-atmel-add-missing-of_node_put-in-at91sam9g20ek_.patch b/queue-4.14/asoc-atmel-add-missing-of_node_put-in-at91sam9g20ek_.patch new file mode 100644 index 00000000000..a6349dd206f --- /dev/null +++ b/queue-4.14/asoc-atmel-add-missing-of_node_put-in-at91sam9g20ek_.patch @@ -0,0 +1,38 @@ +From 34278a52fea3739629f0ccb97445122e3d4faa96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Mar 2022 12:45:39 +0000 +Subject: ASoC: atmel: Add missing of_node_put() in at91sam9g20ek_audio_probe + +From: Miaoqian Lin + +[ Upstream commit f590797fa3c1bccdd19e55441592a23b46aef449 ] + +This node pointer is returned by of_parse_phandle() with refcount +incremented in this function. +Calling of_node_put() to avoid the refcount leak. + +Fixes: 531f67e41dcd ("ASoC: at91sam9g20ek-wm8731: convert to dt support") +Signed-off-by: Miaoqian Lin +Reviewed-by: Codrin Ciubotariu +Link: https://lore.kernel.org/r/20220307124539.1743-1-linmq006@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/atmel/sam9g20_wm8731.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/atmel/sam9g20_wm8731.c b/sound/soc/atmel/sam9g20_wm8731.c +index d7469cdd90dc..39365319c351 100644 +--- a/sound/soc/atmel/sam9g20_wm8731.c ++++ b/sound/soc/atmel/sam9g20_wm8731.c +@@ -226,6 +226,7 @@ static int at91sam9g20ek_audio_probe(struct platform_device *pdev) + cpu_np = of_parse_phandle(np, "atmel,ssc-controller", 0); + if (!cpu_np) { + dev_err(&pdev->dev, "dai and pcm info missing\n"); ++ of_node_put(codec_np); + return -EINVAL; + } + at91sam9g20ek_dai.cpu_of_node = cpu_np; +-- +2.34.1 + diff --git a/queue-4.14/asoc-atmel_ssc_dai-handle-errors-for-clk_enable.patch b/queue-4.14/asoc-atmel_ssc_dai-handle-errors-for-clk_enable.patch new file mode 100644 index 00000000000..79745735d39 --- /dev/null +++ b/queue-4.14/asoc-atmel_ssc_dai-handle-errors-for-clk_enable.patch @@ -0,0 +1,40 @@ +From a76a1e96becea2ae6932ac83c128c4a036de8dd0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Mar 2022 17:06:37 +0800 +Subject: ASoC: atmel_ssc_dai: Handle errors for clk_enable + +From: Jiasheng Jiang + +[ Upstream commit f9e2ca0640e59d19af0ff285ee5591ed39069b09 ] + +As the potential failure of the clk_enable(), +it should be better to check it and return error if fals. + +Fixes: cbaadf0f90d6 ("ASoC: atmel_ssc_dai: refactor the startup and shutdown") +Signed-off-by: Jiasheng Jiang +Link: https://lore.kernel.org/r/20220301090637.3776558-1-jiasheng@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/atmel/atmel_ssc_dai.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/atmel/atmel_ssc_dai.c b/sound/soc/atmel/atmel_ssc_dai.c +index a1e2c5682dcd..6741ae42b598 100644 +--- a/sound/soc/atmel/atmel_ssc_dai.c ++++ b/sound/soc/atmel/atmel_ssc_dai.c +@@ -296,7 +296,10 @@ static int atmel_ssc_startup(struct snd_pcm_substream *substream, + + /* Enable PMC peripheral clock for this SSC */ + pr_debug("atmel_ssc_dai: Starting clock\n"); +- clk_enable(ssc_p->ssc->clk); ++ ret = clk_enable(ssc_p->ssc->clk); ++ if (ret) ++ return ret; ++ + ssc_p->mck_rate = clk_get_rate(ssc_p->ssc->clk); + + /* Reset the SSC unless initialized to keep it in a clean state */ +-- +2.34.1 + diff --git a/queue-4.14/asoc-dmaengine-do-not-use-a-null-prepare_slave_confi.patch b/queue-4.14/asoc-dmaengine-do-not-use-a-null-prepare_slave_confi.patch new file mode 100644 index 00000000000..28c4a418dcd --- /dev/null +++ b/queue-4.14/asoc-dmaengine-do-not-use-a-null-prepare_slave_confi.patch @@ -0,0 +1,42 @@ +From d2e0a4ca5b349e8e6602291563beee33fdc4e975 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Mar 2022 14:21:57 +0200 +Subject: ASoC: dmaengine: do not use a NULL prepare_slave_config() callback + +From: Codrin Ciubotariu + +[ Upstream commit 9a1e13440a4f2e7566fd4c5eae6a53e6400e08a4 ] + +Even if struct snd_dmaengine_pcm_config is used, prepare_slave_config() +callback might not be set. Check if this callback is set before using it. + +Fixes: fa654e085300 ("ASoC: dmaengine-pcm: Provide default config") +Signed-off-by: Codrin Ciubotariu +Link: https://lore.kernel.org/r/20220307122202.2251639-2-codrin.ciubotariu@microchip.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-generic-dmaengine-pcm.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/soc-generic-dmaengine-pcm.c b/sound/soc/soc-generic-dmaengine-pcm.c +index 052778c6afad..5362ceccbd45 100644 +--- a/sound/soc/soc-generic-dmaengine-pcm.c ++++ b/sound/soc/soc-generic-dmaengine-pcm.c +@@ -98,10 +98,10 @@ static int dmaengine_pcm_hw_params(struct snd_pcm_substream *substream, + + memset(&slave_config, 0, sizeof(slave_config)); + +- if (!pcm->config) +- prepare_slave_config = snd_dmaengine_pcm_prepare_slave_config; +- else ++ if (pcm->config && pcm->config->prepare_slave_config) + prepare_slave_config = pcm->config->prepare_slave_config; ++ else ++ prepare_slave_config = snd_dmaengine_pcm_prepare_slave_config; + + if (prepare_slave_config) { + ret = prepare_slave_config(substream, params, &slave_config); +-- +2.34.1 + diff --git a/queue-4.14/asoc-fsi-add-check-for-clk_enable.patch b/queue-4.14/asoc-fsi-add-check-for-clk_enable.patch new file mode 100644 index 00000000000..d5d88dd63a9 --- /dev/null +++ b/queue-4.14/asoc-fsi-add-check-for-clk_enable.patch @@ -0,0 +1,60 @@ +From 16907908b95cd0c0ad344598c9203a27ecf0dc0b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Mar 2022 14:28:44 +0800 +Subject: ASoC: fsi: Add check for clk_enable + +From: Jiasheng Jiang + +[ Upstream commit 405afed8a728f23cfaa02f75bbc8bdd6b7322123 ] + +As the potential failure of the clk_enable(), +it should be better to check it and return error +if fails. + +Fixes: ab6f6d85210c ("ASoC: fsi: add master clock control functions") +Signed-off-by: Jiasheng Jiang +Link: https://lore.kernel.org/r/20220302062844.46869-1-jiasheng@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sh/fsi.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/sh/fsi.c b/sound/soc/sh/fsi.c +index 6d3c7706d93f..b564accb6098 100644 +--- a/sound/soc/sh/fsi.c ++++ b/sound/soc/sh/fsi.c +@@ -820,14 +820,27 @@ static int fsi_clk_enable(struct device *dev, + return ret; + } + +- clk_enable(clock->xck); +- clk_enable(clock->ick); +- clk_enable(clock->div); ++ ret = clk_enable(clock->xck); ++ if (ret) ++ goto err; ++ ret = clk_enable(clock->ick); ++ if (ret) ++ goto disable_xck; ++ ret = clk_enable(clock->div); ++ if (ret) ++ goto disable_ick; + + clock->count++; + } + + return ret; ++ ++disable_ick: ++ clk_disable(clock->ick); ++disable_xck: ++ clk_disable(clock->xck); ++err: ++ return ret; + } + + static int fsi_clk_disable(struct device *dev, +-- +2.34.1 + diff --git a/queue-4.14/asoc-imx-es8328-fix-error-return-code-in-imx_es8328_.patch b/queue-4.14/asoc-imx-es8328-fix-error-return-code-in-imx_es8328_.patch new file mode 100644 index 00000000000..37771745f10 --- /dev/null +++ b/queue-4.14/asoc-imx-es8328-fix-error-return-code-in-imx_es8328_.patch @@ -0,0 +1,36 @@ +From d007763cb9aa5bce9c01afb3c7b50aaebf883655 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Mar 2022 09:19:02 +0000 +Subject: ASoC: imx-es8328: Fix error return code in imx_es8328_probe() + +From: Wang Wensheng + +[ Upstream commit 3b891513f95cba3944e72c1139ea706d04f3781b ] + +Fix to return a negative error code from the error handling case instead +of 0, as done elsewhere in this function. + +Fixes: 7e7292dba215 ("ASoC: fsl: add imx-es8328 machine driver") +Signed-off-by: Wang Wensheng +Link: https://lore.kernel.org/r/20220310091902.129299-1-wangwensheng4@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/imx-es8328.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/fsl/imx-es8328.c b/sound/soc/fsl/imx-es8328.c +index 9953438086e4..735693274f49 100644 +--- a/sound/soc/fsl/imx-es8328.c ++++ b/sound/soc/fsl/imx-es8328.c +@@ -93,6 +93,7 @@ static int imx_es8328_probe(struct platform_device *pdev) + if (int_port > MUX_PORT_MAX || int_port == 0) { + dev_err(dev, "mux-int-port: hardware only has %d mux ports\n", + MUX_PORT_MAX); ++ ret = -EINVAL; + goto fail; + } + +-- +2.34.1 + diff --git a/queue-4.14/asoc-msm8916-wcd-digital-fix-missing-clk_disable_unp.patch b/queue-4.14/asoc-msm8916-wcd-digital-fix-missing-clk_disable_unp.patch new file mode 100644 index 00000000000..e1864534e3f --- /dev/null +++ b/queue-4.14/asoc-msm8916-wcd-digital-fix-missing-clk_disable_unp.patch @@ -0,0 +1,48 @@ +From b0f8501622401fed2222e77530ff661e3f7e2e75 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Mar 2022 08:45:22 +0000 +Subject: ASoC: msm8916-wcd-digital: Fix missing clk_disable_unprepare() in + msm8916_wcd_digital_probe + +From: Miaoqian Lin + +[ Upstream commit 375a347da4889f64d86e1ab7f4e6702b6e9bf299 ] + +Fix the missing clk_disable_unprepare() before return +from msm8916_wcd_digital_probe in the error handling case. + +Fixes: 150db8c5afa1 ("ASoC: codecs: Add msm8916-wcd digital codec") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220307084523.28687-1-linmq006@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/msm8916-wcd-digital.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/msm8916-wcd-digital.c b/sound/soc/codecs/msm8916-wcd-digital.c +index 13354d6304a8..b2571ab13ea1 100644 +--- a/sound/soc/codecs/msm8916-wcd-digital.c ++++ b/sound/soc/codecs/msm8916-wcd-digital.c +@@ -910,7 +910,7 @@ static int msm8916_wcd_digital_probe(struct platform_device *pdev) + ret = clk_prepare_enable(priv->mclk); + if (ret < 0) { + dev_err(dev, "failed to enable mclk %d\n", ret); +- return ret; ++ goto err_clk; + } + + dev_set_drvdata(dev, priv); +@@ -918,6 +918,9 @@ static int msm8916_wcd_digital_probe(struct platform_device *pdev) + return snd_soc_register_codec(dev, &msm8916_wcd_digital, + msm8916_wcd_digital_dai, + ARRAY_SIZE(msm8916_wcd_digital_dai)); ++err_clk: ++ clk_disable_unprepare(priv->ahbclk); ++ return ret; + } + + static int msm8916_wcd_digital_remove(struct platform_device *pdev) +-- +2.34.1 + diff --git a/queue-4.14/asoc-mxs-fix-error-handling-in-mxs_sgtl5000_probe.patch b/queue-4.14/asoc-mxs-fix-error-handling-in-mxs_sgtl5000_probe.patch new file mode 100644 index 00000000000..7ac8985a623 --- /dev/null +++ b/queue-4.14/asoc-mxs-fix-error-handling-in-mxs_sgtl5000_probe.patch @@ -0,0 +1,43 @@ +From b04d7966d0f11e7fd21ac103dd7f9b3007fcd120 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Mar 2022 02:01:44 +0000 +Subject: ASoC: mxs: Fix error handling in mxs_sgtl5000_probe + +From: Miaoqian Lin + +[ Upstream commit 6ae0a4d8fec551ec581d620f0eb1fe31f755551c ] + +This function only calls of_node_put() in the regular path. +And it will cause refcount leak in error paths. +For example, when codec_np is NULL, saif_np[0] and saif_np[1] +are not NULL, it will cause leaks. + +of_node_put() will check if the node pointer is NULL, so we can +call it directly to release the refcount of regular pointers. + +Fixes: e968194b45c4 ("ASoC: mxs: add device tree support for mxs-sgtl5000") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220308020146.26496-1-linmq006@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/mxs/mxs-sgtl5000.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/soc/mxs/mxs-sgtl5000.c b/sound/soc/mxs/mxs-sgtl5000.c +index 2ed3240cc682..d5e1a5e7c238 100644 +--- a/sound/soc/mxs/mxs-sgtl5000.c ++++ b/sound/soc/mxs/mxs-sgtl5000.c +@@ -112,6 +112,9 @@ static int mxs_sgtl5000_probe(struct platform_device *pdev) + codec_np = of_parse_phandle(np, "audio-codec", 0); + if (!saif_np[0] || !saif_np[1] || !codec_np) { + dev_err(&pdev->dev, "phandle missing or invalid\n"); ++ of_node_put(codec_np); ++ of_node_put(saif_np[0]); ++ of_node_put(saif_np[1]); + return -EINVAL; + } + +-- +2.34.1 + diff --git a/queue-4.14/asoc-mxs-saif-handle-errors-for-clk_enable.patch b/queue-4.14/asoc-mxs-saif-handle-errors-for-clk_enable.patch new file mode 100644 index 00000000000..9d5df930e71 --- /dev/null +++ b/queue-4.14/asoc-mxs-saif-handle-errors-for-clk_enable.patch @@ -0,0 +1,40 @@ +From 9aaff7b5feb5ce2ba0a7ffa8d3f16a017e6a5616 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Mar 2022 16:17:17 +0800 +Subject: ASoC: mxs-saif: Handle errors for clk_enable + +From: Jiasheng Jiang + +[ Upstream commit 2ecf362d220317debf5da376e0390e9f7a3f7b29 ] + +As the potential failure of the clk_enable(), +it should be better to check it, like mxs_saif_trigger(). + +Fixes: d0ba4c014934 ("ASoC: mxs-saif: set a base clock rate for EXTMASTER mode work") +Signed-off-by: Jiasheng Jiang +Link: https://lore.kernel.org/r/20220301081717.3727190-1-jiasheng@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/mxs/mxs-saif.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/mxs/mxs-saif.c b/sound/soc/mxs/mxs-saif.c +index 156aa7c00787..93c019670199 100644 +--- a/sound/soc/mxs/mxs-saif.c ++++ b/sound/soc/mxs/mxs-saif.c +@@ -467,7 +467,10 @@ static int mxs_saif_hw_params(struct snd_pcm_substream *substream, + * basic clock which should be fast enough for the internal + * logic. + */ +- clk_enable(saif->clk); ++ ret = clk_enable(saif->clk); ++ if (ret) ++ return ret; ++ + ret = clk_set_rate(saif->clk, 24000000); + clk_disable(saif->clk); + if (ret) +-- +2.34.1 + diff --git a/queue-4.14/asoc-soc-core-skip-zero-num_dai-component-in-searchi.patch b/queue-4.14/asoc-soc-core-skip-zero-num_dai-component-in-searchi.patch new file mode 100644 index 00000000000..1e09fff0499 --- /dev/null +++ b/queue-4.14/asoc-soc-core-skip-zero-num_dai-component-in-searchi.patch @@ -0,0 +1,47 @@ +From 81d4a76f3f69418254128ed2ab79fa6299a956a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Feb 2022 19:19:12 +0800 +Subject: ASoC: soc-core: skip zero num_dai component in searching dai name + +From: Shengjiu Wang + +[ Upstream commit f7d344a2bd5ec81fbd1ce76928fd059e57ec9bea ] + +In the case like dmaengine which's not a dai but as a component, the +num_dai is zero, dmaengine component has the same component_of_node +as cpu dai, when cpu dai component is not ready, but dmaengine component +is ready, try to get cpu dai name, the snd_soc_get_dai_name() return +-EINVAL, not -EPROBE_DEFER, that cause below error: + +asoc-simple-card : parse error -22 +asoc-simple-card: probe of failed with error -22 + +The sound card failed to probe. + +So this patch fixes the issue above by skipping the zero num_dai +component in searching dai name. + +Signed-off-by: Shengjiu Wang +Link: https://lore.kernel.org/r/1644491952-7457-1-git-send-email-shengjiu.wang@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index 2a172de37466..febf2b649b96 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -4243,7 +4243,7 @@ int snd_soc_get_dai_name(struct of_phandle_args *args, + if (!component_of_node && pos->dev->parent) + component_of_node = pos->dev->parent->of_node; + +- if (component_of_node != args->np) ++ if (component_of_node != args->np || !pos->num_dai) + continue; + + if (pos->driver->of_xlate_dai_name) { +-- +2.34.1 + diff --git a/queue-4.14/asoc-ti-davinci-i2s-add-check-for-clk_enable.patch b/queue-4.14/asoc-ti-davinci-i2s-add-check-for-clk_enable.patch new file mode 100644 index 00000000000..cfe0a00fe19 --- /dev/null +++ b/queue-4.14/asoc-ti-davinci-i2s-add-check-for-clk_enable.patch @@ -0,0 +1,49 @@ +From 84f868a108c3f26ad4dbb786fb20eafbb9e9b9e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Feb 2022 11:15:40 +0800 +Subject: ASoC: ti: davinci-i2s: Add check for clk_enable() + +From: Jiasheng Jiang + +[ Upstream commit ed7c9fef11931fc5d32a83d68017ff390bf5c280 ] + +As the potential failure of the clk_enable(), +it should be better to check it and return error +if fails. + +Fixes: 5f9a50c3e55e ("ASoC: Davinci: McBSP: add device tree support for McBSP") +Signed-off-by: Jiasheng Jiang +Acked-by: Peter Ujfalusi +Link: https://lore.kernel.org/r/20220228031540.3571959-1-jiasheng@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/davinci/davinci-i2s.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/davinci/davinci-i2s.c b/sound/soc/davinci/davinci-i2s.c +index 384961651904..e5f61f1499c6 100644 +--- a/sound/soc/davinci/davinci-i2s.c ++++ b/sound/soc/davinci/davinci-i2s.c +@@ -719,7 +719,9 @@ static int davinci_i2s_probe(struct platform_device *pdev) + dev->clk = clk_get(&pdev->dev, NULL); + if (IS_ERR(dev->clk)) + return -ENODEV; +- clk_enable(dev->clk); ++ ret = clk_enable(dev->clk); ++ if (ret) ++ goto err_put_clk; + + dev->dev = &pdev->dev; + dev_set_drvdata(&pdev->dev, dev); +@@ -741,6 +743,7 @@ static int davinci_i2s_probe(struct platform_device *pdev) + snd_soc_unregister_component(&pdev->dev); + err_release_clk: + clk_disable(dev->clk); ++err_put_clk: + clk_put(dev->clk); + return ret; + } +-- +2.34.1 + diff --git a/queue-4.14/asoc-wm8350-handle-error-for-wm8350_register_irq.patch b/queue-4.14/asoc-wm8350-handle-error-for-wm8350_register_irq.patch new file mode 100644 index 00000000000..999fd62471b --- /dev/null +++ b/queue-4.14/asoc-wm8350-handle-error-for-wm8350_register_irq.patch @@ -0,0 +1,73 @@ +From dc159596e29fc85185ca65f2fe57860e910c82ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Mar 2022 10:38:21 +0800 +Subject: ASoC: wm8350: Handle error for wm8350_register_irq + +From: Jiasheng Jiang + +[ Upstream commit db0350da8084ad549bca16cc0486c11cc70a1f9b ] + +As the potential failure of the wm8350_register_irq(), +it should be better to check it and return error if fails. +Also, use 'free_' in order to avoid the same code. + +Fixes: a6ba2b2dabb5 ("ASoC: Implement WM8350 headphone jack detection") +Signed-off-by: Jiasheng Jiang +Acked-by: Charles Keepax +Link: https://lore.kernel.org/r/20220304023821.391936-1-jiasheng@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wm8350.c | 28 ++++++++++++++++++++++++---- + 1 file changed, 24 insertions(+), 4 deletions(-) + +diff --git a/sound/soc/codecs/wm8350.c b/sound/soc/codecs/wm8350.c +index 2efc5b41ad0f..6d719392cdbe 100644 +--- a/sound/soc/codecs/wm8350.c ++++ b/sound/soc/codecs/wm8350.c +@@ -1536,18 +1536,38 @@ static int wm8350_codec_probe(struct snd_soc_codec *codec) + wm8350_clear_bits(wm8350, WM8350_JACK_DETECT, + WM8350_JDL_ENA | WM8350_JDR_ENA); + +- wm8350_register_irq(wm8350, WM8350_IRQ_CODEC_JCK_DET_L, ++ ret = wm8350_register_irq(wm8350, WM8350_IRQ_CODEC_JCK_DET_L, + wm8350_hpl_jack_handler, 0, "Left jack detect", + priv); +- wm8350_register_irq(wm8350, WM8350_IRQ_CODEC_JCK_DET_R, ++ if (ret != 0) ++ goto err; ++ ++ ret = wm8350_register_irq(wm8350, WM8350_IRQ_CODEC_JCK_DET_R, + wm8350_hpr_jack_handler, 0, "Right jack detect", + priv); +- wm8350_register_irq(wm8350, WM8350_IRQ_CODEC_MICSCD, ++ if (ret != 0) ++ goto free_jck_det_l; ++ ++ ret = wm8350_register_irq(wm8350, WM8350_IRQ_CODEC_MICSCD, + wm8350_mic_handler, 0, "Microphone short", priv); +- wm8350_register_irq(wm8350, WM8350_IRQ_CODEC_MICD, ++ if (ret != 0) ++ goto free_jck_det_r; ++ ++ ret = wm8350_register_irq(wm8350, WM8350_IRQ_CODEC_MICD, + wm8350_mic_handler, 0, "Microphone detect", priv); ++ if (ret != 0) ++ goto free_micscd; + + return 0; ++ ++free_micscd: ++ wm8350_free_irq(wm8350, WM8350_IRQ_CODEC_MICSCD, priv); ++free_jck_det_r: ++ wm8350_free_irq(wm8350, WM8350_IRQ_CODEC_JCK_DET_R, priv); ++free_jck_det_l: ++ wm8350_free_irq(wm8350, WM8350_IRQ_CODEC_JCK_DET_L, priv); ++err: ++ return ret; + } + + static int wm8350_codec_remove(struct snd_soc_codec *codec) +-- +2.34.1 + diff --git a/queue-4.14/ath9k_htc-fix-uninit-value-bugs.patch b/queue-4.14/ath9k_htc-fix-uninit-value-bugs.patch new file mode 100644 index 00000000000..b83c4b2c5ff --- /dev/null +++ b/queue-4.14/ath9k_htc-fix-uninit-value-bugs.patch @@ -0,0 +1,100 @@ +From 47f391e50b01b35e56ac83091092606383ce5c88 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jan 2022 10:52:37 +0200 +Subject: ath9k_htc: fix uninit value bugs + +From: Pavel Skripkin + +[ Upstream commit d1e0df1c57bd30871dd1c855742a7c346dbca853 ] + +Syzbot reported 2 KMSAN bugs in ath9k. All of them are caused by missing +field initialization. + +In htc_connect_service() svc_meta_len and pad are not initialized. Based +on code it looks like in current skb there is no service data, so simply +initialize svc_meta_len to 0. + +htc_issue_send() does not initialize htc_frame_hdr::control array. Based +on firmware code, it will initialize it by itself, so simply zero whole +array to make KMSAN happy + +Fail logs: + +BUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430 + usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430 + hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline] + hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479 + htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline] + htc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275 +... + +Uninit was created at: + slab_post_alloc_hook mm/slab.h:524 [inline] + slab_alloc_node mm/slub.c:3251 [inline] + __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974 + kmalloc_reserve net/core/skbuff.c:354 [inline] + __alloc_skb+0x545/0xf90 net/core/skbuff.c:426 + alloc_skb include/linux/skbuff.h:1126 [inline] + htc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258 +... + +Bytes 4-7 of 18 are uninitialized +Memory access of size 18 starts at ffff888027377e00 + +BUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430 + usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430 + hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline] + hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479 + htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline] + htc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275 +... + +Uninit was created at: + slab_post_alloc_hook mm/slab.h:524 [inline] + slab_alloc_node mm/slub.c:3251 [inline] + __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974 + kmalloc_reserve net/core/skbuff.c:354 [inline] + __alloc_skb+0x545/0xf90 net/core/skbuff.c:426 + alloc_skb include/linux/skbuff.h:1126 [inline] + htc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258 +... + +Bytes 16-17 of 18 are uninitialized +Memory access of size 18 starts at ffff888027377e00 + +Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.") +Reported-by: syzbot+f83a1df1ed4f67e8d8ad@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220115122733.11160-1-paskripkin@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/htc_hst.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c +index 05fca38b38ed..e37de14bc502 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_hst.c ++++ b/drivers/net/wireless/ath/ath9k/htc_hst.c +@@ -30,6 +30,7 @@ static int htc_issue_send(struct htc_target *target, struct sk_buff* skb, + hdr->endpoint_id = epid; + hdr->flags = flags; + hdr->payload_len = cpu_to_be16(len); ++ memset(hdr->control, 0, sizeof(hdr->control)); + + status = target->hif->send(target->hif_dev, endpoint->ul_pipeid, skb); + +@@ -274,6 +275,10 @@ int htc_connect_service(struct htc_target *target, + conn_msg->dl_pipeid = endpoint->dl_pipeid; + conn_msg->ul_pipeid = endpoint->ul_pipeid; + ++ /* To prevent infoleak */ ++ conn_msg->svc_meta_len = 0; ++ conn_msg->pad = 0; ++ + ret = htc_issue_send(target, skb, skb->len, 0, ENDPOINT0); + if (ret) + goto err; +-- +2.34.1 + diff --git a/queue-4.14/clk-clps711x-terminate-clk_div_table-with-sentinel-e.patch b/queue-4.14/clk-clps711x-terminate-clk_div_table-with-sentinel-e.patch new file mode 100644 index 00000000000..7fba6b0f77b --- /dev/null +++ b/queue-4.14/clk-clps711x-terminate-clk_div_table-with-sentinel-e.patch @@ -0,0 +1,45 @@ +From 308aa6aa5f26bd91901d6a6f8e98ffd0afa4103f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Feb 2022 01:09:20 +0100 +Subject: clk: clps711x: Terminate clk_div_table with sentinel element +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jonathan Neuschäfer + +[ Upstream commit 8bed4ed5aa3431085d9d27afc35d684856460eda ] + +In order that the end of a clk_div_table can be detected, it must be +terminated with a sentinel element (.div = 0). + +Fixes: 631c53478973d ("clk: Add CLPS711X clk driver") +Signed-off-by: Jonathan Neuschäfer +Link: https://lore.kernel.org/r/20220218000922.134857-5-j.neuschaefer@gmx.net +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/clk-clps711x.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/clk/clk-clps711x.c b/drivers/clk/clk-clps711x.c +index 9193f64561f6..4dcf15a88269 100644 +--- a/drivers/clk/clk-clps711x.c ++++ b/drivers/clk/clk-clps711x.c +@@ -32,11 +32,13 @@ static const struct clk_div_table spi_div_table[] = { + { .val = 1, .div = 8, }, + { .val = 2, .div = 2, }, + { .val = 3, .div = 1, }, ++ { /* sentinel */ } + }; + + static const struct clk_div_table timer_div_table[] = { + { .val = 0, .div = 256, }, + { .val = 1, .div = 1, }, ++ { /* sentinel */ } + }; + + struct clps711x_clk { +-- +2.34.1 + diff --git a/queue-4.14/clk-loongson1-terminate-clk_div_table-with-sentinel-.patch b/queue-4.14/clk-loongson1-terminate-clk_div_table-with-sentinel-.patch new file mode 100644 index 00000000000..69c9c8a02ec --- /dev/null +++ b/queue-4.14/clk-loongson1-terminate-clk_div_table-with-sentinel-.patch @@ -0,0 +1,40 @@ +From 2ac8d5f4f35d5c34eabafe02e0b705f57dbccf4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Feb 2022 01:09:18 +0100 +Subject: clk: loongson1: Terminate clk_div_table with sentinel element +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jonathan Neuschäfer + +[ Upstream commit 3eb00f89162e80083dfcaa842468b510462cfeaa ] + +In order that the end of a clk_div_table can be detected, it must be +terminated with a sentinel element (.div = 0). + +Fixes: b4626a7f4892 ("CLK: Add Loongson1C clock support") +Signed-off-by: Jonathan Neuschäfer +Reviewed-by: Philippe Mathieu-Daudé +Link: https://lore.kernel.org/r/20220218000922.134857-3-j.neuschaefer@gmx.net +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/loongson1/clk-loongson1c.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/clk/loongson1/clk-loongson1c.c b/drivers/clk/loongson1/clk-loongson1c.c +index 3466f7320b40..e3aa502761a3 100644 +--- a/drivers/clk/loongson1/clk-loongson1c.c ++++ b/drivers/clk/loongson1/clk-loongson1c.c +@@ -40,6 +40,7 @@ static const struct clk_div_table ahb_div_table[] = { + [1] = { .val = 1, .div = 4 }, + [2] = { .val = 2, .div = 3 }, + [3] = { .val = 3, .div = 3 }, ++ [4] = { /* sentinel */ } + }; + + void __init ls1x_clk_init(void) +-- +2.34.1 + diff --git a/queue-4.14/clk-qcom-clk-rcg2-update-the-frac-table-for-pixel-cl.patch b/queue-4.14/clk-qcom-clk-rcg2-update-the-frac-table-for-pixel-cl.patch new file mode 100644 index 00000000000..5edde90ea16 --- /dev/null +++ b/queue-4.14/clk-qcom-clk-rcg2-update-the-frac-table-for-pixel-cl.patch @@ -0,0 +1,37 @@ +From 923355269aa9103167ab04e565fc95a746fd9eeb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Feb 2022 23:25:36 +0530 +Subject: clk: qcom: clk-rcg2: Update the frac table for pixel clock + +From: Taniya Das + +[ Upstream commit b527358cb4cd58a8279c9062b0786f1fab628fdc ] + +Support the new numerator and denominator for pixel clock on SM8350 and +support rgb101010, RGB888 use cases on SM8450. + +Fixes: 99cbd064b059f ("clk: qcom: Support display RCG clocks") +Signed-off-by: Taniya Das +Reviewed-by: Stephen Boyd +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220227175536.3131-2-tdas@codeaurora.org +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/clk-rcg2.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/clk/qcom/clk-rcg2.c b/drivers/clk/qcom/clk-rcg2.c +index 6091d9b6a27b..9743af6ae84f 100644 +--- a/drivers/clk/qcom/clk-rcg2.c ++++ b/drivers/clk/qcom/clk-rcg2.c +@@ -702,6 +702,7 @@ static const struct frac_entry frac_table_pixel[] = { + { 2, 9 }, + { 4, 9 }, + { 1, 1 }, ++ { 2, 3 }, + { } + }; + +-- +2.34.1 + diff --git a/queue-4.14/clk-tegra-tegra124-emc-fix-missing-put_device-call-i.patch b/queue-4.14/clk-tegra-tegra124-emc-fix-missing-put_device-call-i.patch new file mode 100644 index 00000000000..f8b2ce4a7e3 --- /dev/null +++ b/queue-4.14/clk-tegra-tegra124-emc-fix-missing-put_device-call-i.patch @@ -0,0 +1,39 @@ +From c6fed7040e0d8af346eb6377870bc95d64643473 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Jan 2022 10:45:01 +0000 +Subject: clk: tegra: tegra124-emc: Fix missing put_device() call in + emc_ensure_emc_driver + +From: Miaoqian Lin + +[ Upstream commit 6d6ef58c2470da85a99119f74d34216c8074b9f0 ] + +The reference taken by 'of_find_device_by_node()' must be released when +not needed anymore. +Add the corresponding 'put_device()' in the error handling path. + +Fixes: 2db04f16b589 ("clk: tegra: Add EMC clock driver") +Signed-off-by: Miaoqian Lin +Acked-by: Thierry Reding +Link: https://lore.kernel.org/r/20220112104501.30655-1-linmq006@gmail.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/tegra/clk-emc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/clk/tegra/clk-emc.c b/drivers/clk/tegra/clk-emc.c +index 11a5066e5c27..8b47d57cad17 100644 +--- a/drivers/clk/tegra/clk-emc.c ++++ b/drivers/clk/tegra/clk-emc.c +@@ -190,6 +190,7 @@ static struct tegra_emc *emc_ensure_emc_driver(struct tegra_clk_emc *tegra) + + tegra->emc = platform_get_drvdata(pdev); + if (!tegra->emc) { ++ put_device(&pdev->dev); + pr_err("%s: cannot find EMC driver\n", __func__); + return NULL; + } +-- +2.34.1 + diff --git a/queue-4.14/clocksource-acpi_pm-fix-return-value-of-__setup-hand.patch b/queue-4.14/clocksource-acpi_pm-fix-return-value-of-__setup-hand.patch new file mode 100644 index 00000000000..c35e5ce53af --- /dev/null +++ b/queue-4.14/clocksource-acpi_pm-fix-return-value-of-__setup-hand.patch @@ -0,0 +1,50 @@ +From 90eb910e1c8c7931f3ff9e04c4f59fc426818319 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Mar 2022 08:39:39 -0700 +Subject: clocksource: acpi_pm: fix return value of __setup handler + +From: Randy Dunlap + +[ Upstream commit 6a861abceecb68497dd82a324fee45a5332dcece ] + +__setup() handlers should return 1 to obsolete_checksetup() in +init/main.c to indicate that the boot option has been handled. +A return of 0 causes the boot option/value to be listed as an Unknown +kernel parameter and added to init's (limited) environment strings. + +The __setup() handler interface isn't meant to handle negative return +values -- they are non-zero, so they mean "handled" (like a return +value of 1 does), but that's just a quirk. So return 1 from +parse_pmtmr(). Also print a warning message if kstrtouint() returns +an error. + +Fixes: 6b148507d3d0 ("pmtmr: allow command line override of ioport") +Signed-off-by: Randy Dunlap +Reported-by: Igor Zhbanov +Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/clocksource/acpi_pm.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/clocksource/acpi_pm.c b/drivers/clocksource/acpi_pm.c +index 1961e3539b57..05cc8d4e49ad 100644 +--- a/drivers/clocksource/acpi_pm.c ++++ b/drivers/clocksource/acpi_pm.c +@@ -230,8 +230,10 @@ static int __init parse_pmtmr(char *arg) + int ret; + + ret = kstrtouint(arg, 16, &base); +- if (ret) +- return ret; ++ if (ret) { ++ pr_warn("PMTMR: invalid 'pmtmr=' value: '%s'\n", arg); ++ return 1; ++ } + + pr_info("PMTMR IOPort override: 0x%04x -> 0x%04x\n", pmtmr_ioport, + base); +-- +2.34.1 + diff --git a/queue-4.14/crypto-authenc-fix-sleep-in-atomic-context-in-decryp.patch b/queue-4.14/crypto-authenc-fix-sleep-in-atomic-context-in-decryp.patch new file mode 100644 index 00000000000..030e78db6e0 --- /dev/null +++ b/queue-4.14/crypto-authenc-fix-sleep-in-atomic-context-in-decryp.patch @@ -0,0 +1,42 @@ +From 3aed0e38bfa25d1fba89d5b7960ac1d93c80d215 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jan 2022 17:58:40 +1100 +Subject: crypto: authenc - Fix sleep in atomic context in decrypt_tail + +From: Herbert Xu + +[ Upstream commit 66eae850333d639fc278d6f915c6fc01499ea893 ] + +The function crypto_authenc_decrypt_tail discards its flags +argument and always relies on the flags from the original request +when starting its sub-request. + +This is clearly wrong as it may cause the SLEEPABLE flag to be +set when it shouldn't. + +Fixes: 92d95ba91772 ("crypto: authenc - Convert to new AEAD interface") +Reported-by: Corentin Labbe +Signed-off-by: Herbert Xu +Tested-by: Corentin Labbe +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/authenc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/authenc.c b/crypto/authenc.c +index 053287dfad65..533e811a0899 100644 +--- a/crypto/authenc.c ++++ b/crypto/authenc.c +@@ -268,7 +268,7 @@ static int crypto_authenc_decrypt_tail(struct aead_request *req, + dst = scatterwalk_ffwd(areq_ctx->dst, req->dst, req->assoclen); + + skcipher_request_set_tfm(skreq, ctx->enc); +- skcipher_request_set_callback(skreq, aead_request_flags(req), ++ skcipher_request_set_callback(skreq, flags, + req->base.complete, req->base.data); + skcipher_request_set_crypt(skreq, src, dst, + req->cryptlen - authsize, req->iv); +-- +2.34.1 + diff --git a/queue-4.14/crypto-ccp-ccp_dmaengine_unregister-release-dma-chan.patch b/queue-4.14/crypto-ccp-ccp_dmaengine_unregister-release-dma-chan.patch new file mode 100644 index 00000000000..d0ad3d1664d --- /dev/null +++ b/queue-4.14/crypto-ccp-ccp_dmaengine_unregister-release-dma-chan.patch @@ -0,0 +1,69 @@ +From dd6e8602cc8ae353fc7cce5bff3865e1d49858b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Feb 2022 05:15:45 +0200 +Subject: crypto: ccp - ccp_dmaengine_unregister release dma channels +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dāvis Mosāns + +[ Upstream commit 54cce8ecb9254f971b40a72911c6da403720a2d2 ] + +ccp_dmaengine_register adds dma_chan->device_node to dma_dev->channels list +but ccp_dmaengine_unregister didn't remove them. +That can cause crashes in various dmaengine methods that tries to use dma_dev->channels + +Fixes: 58ea8abf4904 ("crypto: ccp - Register the CCP as a DMA...") +Signed-off-by: Dāvis Mosāns +Acked-by: John Allen +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/ccp/ccp-dmaengine.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/drivers/crypto/ccp/ccp-dmaengine.c b/drivers/crypto/ccp/ccp-dmaengine.c +index df82af3dd970..27a738c57119 100644 +--- a/drivers/crypto/ccp/ccp-dmaengine.c ++++ b/drivers/crypto/ccp/ccp-dmaengine.c +@@ -632,6 +632,20 @@ static int ccp_terminate_all(struct dma_chan *dma_chan) + return 0; + } + ++static void ccp_dma_release(struct ccp_device *ccp) ++{ ++ struct ccp_dma_chan *chan; ++ struct dma_chan *dma_chan; ++ unsigned int i; ++ ++ for (i = 0; i < ccp->cmd_q_count; i++) { ++ chan = ccp->ccp_dma_chan + i; ++ dma_chan = &chan->dma_chan; ++ tasklet_kill(&chan->cleanup_tasklet); ++ list_del_rcu(&dma_chan->device_node); ++ } ++} ++ + int ccp_dmaengine_register(struct ccp_device *ccp) + { + struct ccp_dma_chan *chan; +@@ -733,6 +747,7 @@ int ccp_dmaengine_register(struct ccp_device *ccp) + return 0; + + err_reg: ++ ccp_dma_release(ccp); + kmem_cache_destroy(ccp->dma_desc_cache); + + err_cache: +@@ -746,6 +761,7 @@ void ccp_dmaengine_unregister(struct ccp_device *ccp) + struct dma_device *dma_dev = &ccp->dma_dev; + + dma_async_device_unregister(dma_dev); ++ ccp_dma_release(ccp); + + kmem_cache_destroy(ccp->dma_desc_cache); + kmem_cache_destroy(ccp->dma_cmd_cache); +-- +2.34.1 + diff --git a/queue-4.14/crypto-mxs-dcp-fix-scatterlist-processing.patch b/queue-4.14/crypto-mxs-dcp-fix-scatterlist-processing.patch new file mode 100644 index 00000000000..fbfc2cd15cb --- /dev/null +++ b/queue-4.14/crypto-mxs-dcp-fix-scatterlist-processing.patch @@ -0,0 +1,35 @@ +From 56d702e2fbe31abfd5b390a3df473079ec904de8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 22 Jan 2022 18:07:53 +0100 +Subject: crypto: mxs-dcp - Fix scatterlist processing + +From: Tomas Paukrt + +[ Upstream commit 28e9b6d8199a3f124682b143800c2dacdc3d70dd ] + +This patch fixes a bug in scatterlist processing that may cause incorrect AES block encryption/decryption. + +Fixes: 2e6d793e1bf0 ("crypto: mxs-dcp - Use sg_mapping_iter to copy data") +Signed-off-by: Tomas Paukrt +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/mxs-dcp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/mxs-dcp.c b/drivers/crypto/mxs-dcp.c +index e986be405411..3e4068badffd 100644 +--- a/drivers/crypto/mxs-dcp.c ++++ b/drivers/crypto/mxs-dcp.c +@@ -328,7 +328,7 @@ static int mxs_dcp_aes_block_crypt(struct crypto_async_request *arq) + memset(key + AES_KEYSIZE_128, 0, AES_KEYSIZE_128); + } + +- for_each_sg(req->src, src, sg_nents(src), i) { ++ for_each_sg(req->src, src, sg_nents(req->src), i) { + src_buf = sg_virt(src); + len = sg_dma_len(src); + tlen += len; +-- +2.34.1 + diff --git a/queue-4.14/crypto-vmx-add-missing-dependencies.patch b/queue-4.14/crypto-vmx-add-missing-dependencies.patch new file mode 100644 index 00000000000..180cf6dbd2e --- /dev/null +++ b/queue-4.14/crypto-vmx-add-missing-dependencies.patch @@ -0,0 +1,62 @@ +From 43548aa3e2f85315eadb17002ddb9d0e1ec491c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Feb 2022 16:11:15 +0100 +Subject: crypto: vmx - add missing dependencies + +From: Petr Vorel + +[ Upstream commit 647d41d3952d726d4ae49e853a9eff68ebad3b3f ] + +vmx-crypto module depends on CRYPTO_AES, CRYPTO_CBC, CRYPTO_CTR or +CRYPTO_XTS, thus add them. + +These dependencies are likely to be enabled, but if +CRYPTO_DEV_VMX=y && !CRYPTO_MANAGER_DISABLE_TESTS +and either of CRYPTO_AES, CRYPTO_CBC, CRYPTO_CTR or CRYPTO_XTS is built +as module or disabled, alg_test() from crypto/testmgr.c complains during +boot about failing to allocate the generic fallback implementations +(2 == ENOENT): + +[ 0.540953] Failed to allocate xts(aes) fallback: -2 +[ 0.541014] alg: skcipher: failed to allocate transform for p8_aes_xts: -2 +[ 0.541120] alg: self-tests for p8_aes_xts (xts(aes)) failed (rc=-2) +[ 0.544440] Failed to allocate ctr(aes) fallback: -2 +[ 0.544497] alg: skcipher: failed to allocate transform for p8_aes_ctr: -2 +[ 0.544603] alg: self-tests for p8_aes_ctr (ctr(aes)) failed (rc=-2) +[ 0.547992] Failed to allocate cbc(aes) fallback: -2 +[ 0.548052] alg: skcipher: failed to allocate transform for p8_aes_cbc: -2 +[ 0.548156] alg: self-tests for p8_aes_cbc (cbc(aes)) failed (rc=-2) +[ 0.550745] Failed to allocate transformation for 'aes': -2 +[ 0.550801] alg: cipher: Failed to load transform for p8_aes: -2 +[ 0.550892] alg: self-tests for p8_aes (aes) failed (rc=-2) + +Fixes: c07f5d3da643 ("crypto: vmx - Adding support for XTS") +Fixes: d2e3ae6f3aba ("crypto: vmx - Enabling VMX module for PPC64") + +Suggested-by: Nicolai Stange +Signed-off-by: Petr Vorel +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/vmx/Kconfig | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/crypto/vmx/Kconfig b/drivers/crypto/vmx/Kconfig +index c3d524ea6998..f39eeca87932 100644 +--- a/drivers/crypto/vmx/Kconfig ++++ b/drivers/crypto/vmx/Kconfig +@@ -1,7 +1,11 @@ + config CRYPTO_DEV_VMX_ENCRYPT + tristate "Encryption acceleration support on P8 CPU" + depends on CRYPTO_DEV_VMX ++ select CRYPTO_AES ++ select CRYPTO_CBC ++ select CRYPTO_CTR + select CRYPTO_GHASH ++ select CRYPTO_XTS + default m + help + Support for VMX cryptographic acceleration instructions on Power8 CPU. +-- +2.34.1 + diff --git a/queue-4.14/dm-crypt-fix-get_key_size-compiler-warning-if-config.patch b/queue-4.14/dm-crypt-fix-get_key_size-compiler-warning-if-config.patch new file mode 100644 index 00000000000..5b2bdc24d0d --- /dev/null +++ b/queue-4.14/dm-crypt-fix-get_key_size-compiler-warning-if-config.patch @@ -0,0 +1,40 @@ +From dd25b697a42c626378cef8e4ef782bfc976248be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Feb 2022 12:15:38 +0000 +Subject: dm crypt: fix get_key_size compiler warning if !CONFIG_KEYS + +From: Aashish Sharma + +[ Upstream commit 6fc51504388c1a1a53db8faafe9fff78fccc7c87 ] + +Explicitly convert unsigned int in the right of the conditional +expression to int to match the left side operand and the return type, +fixing the following compiler warning: + +drivers/md/dm-crypt.c:2593:43: warning: signed and unsigned +type in conditional expression [-Wsign-compare] + +Fixes: c538f6ec9f56 ("dm crypt: add ability to use keys from the kernel key retention service") +Signed-off-by: Aashish Sharma +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm-crypt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c +index b8a9695af141..0b6d4337aaab 100644 +--- a/drivers/md/dm-crypt.c ++++ b/drivers/md/dm-crypt.c +@@ -2114,7 +2114,7 @@ static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string + + static int get_key_size(char **key_string) + { +- return (*key_string[0] == ':') ? -EINVAL : strlen(*key_string) >> 1; ++ return (*key_string[0] == ':') ? -EINVAL : (int)(strlen(*key_string) >> 1); + } + + #endif +-- +2.34.1 + diff --git a/queue-4.14/drm-edid-don-t-clear-formats-if-using-deep-color.patch b/queue-4.14/drm-edid-don-t-clear-formats-if-using-deep-color.patch new file mode 100644 index 00000000000..daab03b556c --- /dev/null +++ b/queue-4.14/drm-edid-don-t-clear-formats-if-using-deep-color.patch @@ -0,0 +1,76 @@ +From 27be301766ea64fa1f0de3216187902c0e17cd67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jan 2022 16:16:11 +0100 +Subject: drm/edid: Don't clear formats if using deep color +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maxime Ripard + +[ Upstream commit 75478b3b393bcbdca4e6da76fe3a9f1a4133ec5d ] + +The current code, when parsing the EDID Deep Color depths, that the +YUV422 cannot be used, referring to the HDMI 1.3 Specification. + +This specification, in its section 6.2.4, indeed states: + + For each supported Deep Color mode, RGB 4:4:4 shall be supported and + optionally YCBCR 4:4:4 may be supported. + + YCBCR 4:2:2 is not permitted for any Deep Color mode. + +This indeed can be interpreted like the code does, but the HDMI 1.4 +specification further clarifies that statement in its section 6.2.4: + + For each supported Deep Color mode, RGB 4:4:4 shall be supported and + optionally YCBCR 4:4:4 may be supported. + + YCBCR 4:2:2 is also 36-bit mode but does not require the further use + of the Deep Color modes described in section 6.5.2 and 6.5.3. + +This means that, even though YUV422 can be used with 12 bit per color, +it shouldn't be treated as a deep color mode. + +This is also broken with YUV444 if it's supported by the display, but +DRM_EDID_HDMI_DC_Y444 isn't set. In such a case, the code will clear +color_formats of the YUV444 support set previously in +drm_parse_cea_ext(), but will not set it back. + +Since the formats supported are already setup properly in +drm_parse_cea_ext(), let's just remove the code modifying the formats in +drm_parse_hdmi_deep_color_info() + +Fixes: d0c94692e0a3 ("drm/edid: Parse and handle HDMI deep color modes.") +Signed-off-by: Maxime Ripard +Reviewed-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20220120151625.594595-3-maxime@cerno.tech +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_edid.c | 8 -------- + 1 file changed, 8 deletions(-) + +diff --git a/drivers/gpu/drm/drm_edid.c b/drivers/gpu/drm/drm_edid.c +index 4824c775dd7d..de5fc79379e8 100644 +--- a/drivers/gpu/drm/drm_edid.c ++++ b/drivers/gpu/drm/drm_edid.c +@@ -4319,16 +4319,8 @@ static void drm_parse_hdmi_deep_color_info(struct drm_connector *connector, + connector->name, dc_bpc); + info->bpc = dc_bpc; + +- /* +- * Deep color support mandates RGB444 support for all video +- * modes and forbids YCRCB422 support for all video modes per +- * HDMI 1.3 spec. +- */ +- info->color_formats = DRM_COLOR_FORMAT_RGB444; +- + /* YCRCB444 is optional according to spec. */ + if (hdmi[6] & DRM_EDID_HDMI_DC_Y444) { +- info->color_formats |= DRM_COLOR_FORMAT_YCRCB444; + DRM_DEBUG("%s: HDMI sink does YCRCB444 in deep color.\n", + connector->name); + } +-- +2.34.1 + diff --git a/queue-4.14/drm-tegra-fix-reference-leak-in-tegra_dsi_ganged_pro.patch b/queue-4.14/drm-tegra-fix-reference-leak-in-tegra_dsi_ganged_pro.patch new file mode 100644 index 00000000000..292e69988dc --- /dev/null +++ b/queue-4.14/drm-tegra-fix-reference-leak-in-tegra_dsi_ganged_pro.patch @@ -0,0 +1,39 @@ +From 85264759d4462461a19993dc98784e939dc18fbe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jan 2022 06:53:16 +0000 +Subject: drm/tegra: Fix reference leak in tegra_dsi_ganged_probe + +From: Miaoqian Lin + +[ Upstream commit 221e3638feb8bc42143833c9a704fa89b6c366bb ] + +The reference taken by 'of_find_device_by_node()' must be released when +not needed anymore. Add put_device() call to fix this. + +Fixes: e94236cde4d5 ("drm/tegra: dsi: Add ganged mode support") +Signed-off-by: Miaoqian Lin +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tegra/dsi.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/tegra/dsi.c b/drivers/gpu/drm/tegra/dsi.c +index 046649ec9441..4e06af34c048 100644 +--- a/drivers/gpu/drm/tegra/dsi.c ++++ b/drivers/gpu/drm/tegra/dsi.c +@@ -1480,8 +1480,10 @@ static int tegra_dsi_ganged_probe(struct tegra_dsi *dsi) + dsi->slave = platform_get_drvdata(gangster); + of_node_put(np); + +- if (!dsi->slave) ++ if (!dsi->slave) { ++ put_device(&gangster->dev); + return -EPROBE_DEFER; ++ } + + dsi->slave->master = dsi; + } +-- +2.34.1 + diff --git a/queue-4.14/ext2-correct-max-file-size-computing.patch b/queue-4.14/ext2-correct-max-file-size-computing.patch new file mode 100644 index 00000000000..3e04145b190 --- /dev/null +++ b/queue-4.14/ext2-correct-max-file-size-computing.patch @@ -0,0 +1,58 @@ +From 1624de7997012d23003d37343d5d97e082e9d6b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Feb 2022 13:05:32 +0800 +Subject: ext2: correct max file size computing + +From: Zhang Yi + +[ Upstream commit 50b3a818991074177a56c87124c7a7bdf5fa4f67 ] + +We need to calculate the max file size accurately if the total blocks +that can address by block tree exceed the upper_limit. But this check is +not correct now, it only compute the total data blocks but missing +metadata blocks are needed. So in the case of "data blocks < upper_limit +&& total blocks > upper_limit", we will get wrong result. Fortunately, +this case could not happen in reality, but it's confused and better to +correct the computing. + + bits data blocks metadatablocks upper_limit + 10 16843020 66051 2147483647 + 11 134480396 263171 1073741823 + 12 1074791436 1050627 536870911 (*) + 13 8594130956 4198403 268435455 (*) + 14 68736258060 16785411 134217727 (*) + 15 549822930956 67125251 67108863 (*) + 16 4398314962956 268468227 33554431 (*) + + [*] Need to calculate in depth. + +Fixes: 1c2d14212b15 ("ext2: Fix underflow in ext2_max_size()") +Link: https://lore.kernel.org/r/20220212050532.179055-1-yi.zhang@huawei.com +Signed-off-by: Zhang Yi +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/ext2/super.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/ext2/super.c b/fs/ext2/super.c +index 4a338576ebb1..f3d55f1c0ce4 100644 +--- a/fs/ext2/super.c ++++ b/fs/ext2/super.c +@@ -773,8 +773,12 @@ static loff_t ext2_max_size(int bits) + res += 1LL << (bits-2); + res += 1LL << (2*(bits-2)); + res += 1LL << (3*(bits-2)); ++ /* Compute how many metadata blocks are needed */ ++ meta_blocks = 1; ++ meta_blocks += 1 + ppb; ++ meta_blocks += 1 + ppb + ppb * ppb; + /* Does block tree limit file size? */ +- if (res < upper_limit) ++ if (res + meta_blocks <= upper_limit) + goto check_lfs; + + res = upper_limit; +-- +2.34.1 + diff --git a/queue-4.14/ext4-don-t-bug-if-someone-dirty-pages-without-asking.patch b/queue-4.14/ext4-don-t-bug-if-someone-dirty-pages-without-asking.patch new file mode 100644 index 00000000000..feaa2ba7690 --- /dev/null +++ b/queue-4.14/ext4-don-t-bug-if-someone-dirty-pages-without-asking.patch @@ -0,0 +1,84 @@ +From dc1a0b4e878c06b0e71fbf468214703efefbf26d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Mar 2022 09:38:47 -0500 +Subject: ext4: don't BUG if someone dirty pages without asking ext4 first + +From: Theodore Ts'o + +[ Upstream commit cc5095747edfb054ca2068d01af20be3fcc3634f ] + +[un]pin_user_pages_remote is dirtying pages without properly warning +the file system in advance. A related race was noted by Jan Kara in +2018[1]; however, more recently instead of it being a very hard-to-hit +race, it could be reliably triggered by process_vm_writev(2) which was +discovered by Syzbot[2]. + +This is technically a bug in mm/gup.c, but arguably ext4 is fragile in +that if some other kernel subsystem dirty pages without properly +notifying the file system using page_mkwrite(), ext4 will BUG, while +other file systems will not BUG (although data will still be lost). + +So instead of crashing with a BUG, issue a warning (since there may be +potential data loss) and just mark the page as clean to avoid +unprivileged denial of service attacks until the problem can be +properly fixed. More discussion and background can be found in the +thread starting at [2]. + +[1] https://lore.kernel.org/linux-mm/20180103100430.GE4911@quack2.suse.cz +[2] https://lore.kernel.org/r/Yg0m6IjcNmfaSokM@google.com + +Reported-by: syzbot+d59332e2db681cf18f0318a06e994ebbb529a8db@syzkaller.appspotmail.com +Reported-by: Lee Jones +Signed-off-by: Theodore Ts'o +Link: https://lore.kernel.org/r/YiDS9wVfq4mM2jGK@mit.edu +Signed-off-by: Sasha Levin +--- + fs/ext4/inode.c | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index 9c07c8674b21..4d3eefff3c84 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -2147,6 +2147,15 @@ static int ext4_writepage(struct page *page, + else + len = PAGE_SIZE; + ++ /* Should never happen but for bugs in other kernel subsystems */ ++ if (!page_has_buffers(page)) { ++ ext4_warning_inode(inode, ++ "page %lu does not have buffers attached", page->index); ++ ClearPageDirty(page); ++ unlock_page(page); ++ return 0; ++ } ++ + page_bufs = page_buffers(page); + /* + * We cannot do block allocation or other extent handling in this +@@ -2706,6 +2715,22 @@ static int mpage_prepare_extent_to_map(struct mpage_da_data *mpd) + wait_on_page_writeback(page); + BUG_ON(PageWriteback(page)); + ++ /* ++ * Should never happen but for buggy code in ++ * other subsystems that call ++ * set_page_dirty() without properly warning ++ * the file system first. See [1] for more ++ * information. ++ * ++ * [1] https://lore.kernel.org/linux-mm/20180103100430.GE4911@quack2.suse.cz ++ */ ++ if (!page_has_buffers(page)) { ++ ext4_warning_inode(mpd->inode, "page %lu does not have buffers attached", page->index); ++ ClearPageDirty(page); ++ unlock_page(page); ++ continue; ++ } ++ + if (mpd->map.m_len == 0) + mpd->first_page = page->index; + mpd->next_page = page->index + 1; +-- +2.34.1 + diff --git a/queue-4.14/fix-incorrect-type-in-assignment-of-ipv6-port-for-au.patch b/queue-4.14/fix-incorrect-type-in-assignment-of-ipv6-port-for-au.patch new file mode 100644 index 00000000000..7f671db98d0 --- /dev/null +++ b/queue-4.14/fix-incorrect-type-in-assignment-of-ipv6-port-for-au.patch @@ -0,0 +1,35 @@ +From fb172b22885d47985b333562a7e1b451c52cedd5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Feb 2022 15:45:32 -0800 +Subject: Fix incorrect type in assignment of ipv6 port for audit + +From: Casey Schaufler + +[ Upstream commit a5cd1ab7ab679d252a6d2f483eee7d45ebf2040c ] + +Remove inappropriate use of ntohs() and assign the +port value directly. + +Reported-by: kernel test robot +Signed-off-by: Casey Schaufler +Signed-off-by: Sasha Levin +--- + security/smack/smack_lsm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c +index a0e1b99212b2..fe070669dc18 100644 +--- a/security/smack/smack_lsm.c ++++ b/security/smack/smack_lsm.c +@@ -2563,7 +2563,7 @@ static int smk_ipv6_check(struct smack_known *subject, + #ifdef CONFIG_AUDIT + smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); + ad.a.u.net->family = PF_INET6; +- ad.a.u.net->dport = ntohs(address->sin6_port); ++ ad.a.u.net->dport = address->sin6_port; + if (act == SMK_RECEIVING) + ad.a.u.net->v6info.saddr = address->sin6_addr; + else +-- +2.34.1 + diff --git a/queue-4.14/hid-i2c-hid-fix-get-set_report-for-unnumbered-report.patch b/queue-4.14/hid-i2c-hid-fix-get-set_report-for-unnumbered-report.patch new file mode 100644 index 00000000000..333bbfbe6ee --- /dev/null +++ b/queue-4.14/hid-i2c-hid-fix-get-set_report-for-unnumbered-report.patch @@ -0,0 +1,91 @@ +From 8bab59336bf421d224712bdef182ea620540c272 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jan 2022 23:26:18 -0800 +Subject: HID: i2c-hid: fix GET/SET_REPORT for unnumbered reports + +From: Dmitry Torokhov + +[ Upstream commit a5e5e03e94764148a01757b2fa4737d3445c13a6 ] + +Internally kernel prepends all report buffers, for both numbered and +unnumbered reports, with report ID, therefore to properly handle unnumbered +reports we should prepend it ourselves. + +For the same reason we should skip the first byte of the buffer when +calling i2c_hid_set_or_send_report() which then will take care of properly +formatting the transfer buffer based on its separate report ID argument +along with report payload. + +[jkosina@suse.cz: finalize trimmed sentence in changelog as spotted by Benjamin] +Fixes: 9b5a9ae88573 ("HID: i2c-hid: implement ll_driver transport-layer callbacks") +Signed-off-by: Dmitry Torokhov +Tested-by: Benjamin Tissoires +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/i2c-hid/i2c-hid-core.c | 32 ++++++++++++++++++++++-------- + 1 file changed, 24 insertions(+), 8 deletions(-) + +diff --git a/drivers/hid/i2c-hid/i2c-hid-core.c b/drivers/hid/i2c-hid/i2c-hid-core.c +index b16bf4358485..9a070d65ed34 100644 +--- a/drivers/hid/i2c-hid/i2c-hid-core.c ++++ b/drivers/hid/i2c-hid/i2c-hid-core.c +@@ -582,6 +582,17 @@ static int i2c_hid_get_raw_report(struct hid_device *hid, + if (report_type == HID_OUTPUT_REPORT) + return -EINVAL; + ++ /* ++ * In case of unnumbered reports the response from the device will ++ * not have the report ID that the upper layers expect, so we need ++ * to stash it the buffer ourselves and adjust the data size. ++ */ ++ if (!report_number) { ++ buf[0] = 0; ++ buf++; ++ count--; ++ } ++ + /* +2 bytes to include the size of the reply in the query buffer */ + ask_count = min(count + 2, (size_t)ihid->bufsize); + +@@ -603,6 +614,9 @@ static int i2c_hid_get_raw_report(struct hid_device *hid, + count = min(count, ret_count - 2); + memcpy(buf, ihid->rawbuf + 2, count); + ++ if (!report_number) ++ count++; ++ + return count; + } + +@@ -619,17 +633,19 @@ static int i2c_hid_output_raw_report(struct hid_device *hid, __u8 *buf, + + mutex_lock(&ihid->reset_lock); + +- if (report_id) { +- buf++; +- count--; +- } +- ++ /* ++ * Note that both numbered and unnumbered reports passed here ++ * are supposed to have report ID stored in the 1st byte of the ++ * buffer, so we strip it off unconditionally before passing payload ++ * to i2c_hid_set_or_send_report which takes care of encoding ++ * everything properly. ++ */ + ret = i2c_hid_set_or_send_report(client, + report_type == HID_FEATURE_REPORT ? 0x03 : 0x02, +- report_id, buf, count, use_data); ++ report_id, buf + 1, count - 1, use_data); + +- if (report_id && ret >= 0) +- ret++; /* add report_id to the number of transfered bytes */ ++ if (ret >= 0) ++ ret++; /* add report_id to the number of transferred bytes */ + + mutex_unlock(&ihid->reset_lock); + +-- +2.34.1 + diff --git a/queue-4.14/hwmon-pmbus-add-mutex-to-regulator-ops.patch b/queue-4.14/hwmon-pmbus-add-mutex-to-regulator-ops.patch new file mode 100644 index 00000000000..912e0c4ab88 --- /dev/null +++ b/queue-4.14/hwmon-pmbus-add-mutex-to-regulator-ops.patch @@ -0,0 +1,71 @@ +From 242063b14834ac516faac434901d1037917671cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Feb 2022 17:06:09 +0100 +Subject: hwmon: (pmbus) Add mutex to regulator ops + +From: Patrick Rudolph + +[ Upstream commit 686d303ee6301261b422ea51e64833d7909a2c36 ] + +On PMBUS devices with multiple pages, the regulator ops need to be +protected with the update mutex. This prevents accidentally changing +the page in a separate thread while operating on the PMBUS_OPERATION +register. + +Tested on Infineon xdpe11280 while a separate thread polls for sensor +data. + +Signed-off-by: Patrick Rudolph +Signed-off-by: Marcello Sylvester Bauer +Link: https://lore.kernel.org/r/b991506bcbf665f7af185945f70bf9d5cf04637c.1645804976.git.sylv@sylv.io +Fixes: ddbb4db4ced1b ("hwmon: (pmbus) Add regulator support") +Cc: Alan Tull +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/pmbus/pmbus_core.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/drivers/hwmon/pmbus/pmbus_core.c b/drivers/hwmon/pmbus/pmbus_core.c +index cb9064ac4977..66c72aedde5e 100644 +--- a/drivers/hwmon/pmbus/pmbus_core.c ++++ b/drivers/hwmon/pmbus/pmbus_core.c +@@ -1861,10 +1861,14 @@ static int pmbus_regulator_is_enabled(struct regulator_dev *rdev) + { + struct device *dev = rdev_get_dev(rdev); + struct i2c_client *client = to_i2c_client(dev->parent); ++ struct pmbus_data *data = i2c_get_clientdata(client); + u8 page = rdev_get_id(rdev); + int ret; + ++ mutex_lock(&data->update_lock); + ret = pmbus_read_byte_data(client, page, PMBUS_OPERATION); ++ mutex_unlock(&data->update_lock); ++ + if (ret < 0) + return ret; + +@@ -1875,11 +1879,17 @@ static int _pmbus_regulator_on_off(struct regulator_dev *rdev, bool enable) + { + struct device *dev = rdev_get_dev(rdev); + struct i2c_client *client = to_i2c_client(dev->parent); ++ struct pmbus_data *data = i2c_get_clientdata(client); + u8 page = rdev_get_id(rdev); ++ int ret; + +- return pmbus_update_byte_data(client, page, PMBUS_OPERATION, +- PB_OPERATION_CONTROL_ON, +- enable ? PB_OPERATION_CONTROL_ON : 0); ++ mutex_lock(&data->update_lock); ++ ret = pmbus_update_byte_data(client, page, PMBUS_OPERATION, ++ PB_OPERATION_CONTROL_ON, ++ enable ? PB_OPERATION_CONTROL_ON : 0); ++ mutex_unlock(&data->update_lock); ++ ++ return ret; + } + + static int pmbus_regulator_enable(struct regulator_dev *rdev) +-- +2.34.1 + diff --git a/queue-4.14/hwmon-pmbus-add-vin-unit-off-handling.patch b/queue-4.14/hwmon-pmbus-add-vin-unit-off-handling.patch new file mode 100644 index 00000000000..8ceb693c733 --- /dev/null +++ b/queue-4.14/hwmon-pmbus-add-vin-unit-off-handling.patch @@ -0,0 +1,61 @@ +From 7b494865eb985f71fc5512f89622f3bde3c82782 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Mar 2022 23:21:23 +0000 +Subject: hwmon: (pmbus) Add Vin unit off handling + +From: Brandon Wyman + +[ Upstream commit a5436af598779219b375c1977555c82def1c35d0 ] + +If there is an input undervoltage fault, reported in STATUS_INPUT +command response, there is quite likely a "Unit Off For Insufficient +Input Voltage" condition as well. + +Add a constant for bit 3 of STATUS_INPUT. Update the Vin limit +attributes to include both bits in the mask for clearing faults. + +If an input undervoltage fault occurs, causing a unit off for +insufficient input voltage, but the unit is off bit is not cleared, the +STATUS_WORD will not be updated to clear the input fault condition. +Including the unit is off bit (bit 3) allows for the input fault +condition to completely clear. + +Signed-off-by: Brandon Wyman +Link: https://lore.kernel.org/r/20220317232123.2103592-1-bjwyman@gmail.com +Fixes: b4ce237b7f7d3 ("hwmon: (pmbus) Introduce infrastructure to detect sensors and limit registers") +[groeck: Dropped unnecessary ()] +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/pmbus/pmbus.h | 1 + + drivers/hwmon/pmbus/pmbus_core.c | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/hwmon/pmbus/pmbus.h b/drivers/hwmon/pmbus/pmbus.h +index fa613bd209e3..1fed8ed36d5e 100644 +--- a/drivers/hwmon/pmbus/pmbus.h ++++ b/drivers/hwmon/pmbus/pmbus.h +@@ -262,6 +262,7 @@ enum pmbus_regs { + /* + * STATUS_VOUT, STATUS_INPUT + */ ++#define PB_VOLTAGE_VIN_OFF BIT(3) + #define PB_VOLTAGE_UV_FAULT BIT(4) + #define PB_VOLTAGE_UV_WARNING BIT(5) + #define PB_VOLTAGE_OV_WARNING BIT(6) +diff --git a/drivers/hwmon/pmbus/pmbus_core.c b/drivers/hwmon/pmbus/pmbus_core.c +index 66c72aedde5e..b736fe1a05b7 100644 +--- a/drivers/hwmon/pmbus/pmbus_core.c ++++ b/drivers/hwmon/pmbus/pmbus_core.c +@@ -1162,7 +1162,7 @@ static const struct pmbus_limit_attr vin_limit_attrs[] = { + .reg = PMBUS_VIN_UV_FAULT_LIMIT, + .attr = "lcrit", + .alarm = "lcrit_alarm", +- .sbit = PB_VOLTAGE_UV_FAULT, ++ .sbit = PB_VOLTAGE_UV_FAULT | PB_VOLTAGE_VIN_OFF, + }, { + .reg = PMBUS_VIN_OV_WARN_LIMIT, + .attr = "max", +-- +2.34.1 + diff --git a/queue-4.14/hwmon-sch56xx-common-replace-wdog_active-with-wdog_h.patch b/queue-4.14/hwmon-sch56xx-common-replace-wdog_active-with-wdog_h.patch new file mode 100644 index 00000000000..3fd9098ce7e --- /dev/null +++ b/queue-4.14/hwmon-sch56xx-common-replace-wdog_active-with-wdog_h.patch @@ -0,0 +1,45 @@ +From dfa90a575c506a5c28584c7d74c04c46dbbcaee8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Jan 2022 22:19:35 +0100 +Subject: hwmon: (sch56xx-common) Replace WDOG_ACTIVE with WDOG_HW_RUNNING + +From: Armin Wolf + +[ Upstream commit 647d6f09bea7dacf4cdb6d4ea7e3051883955297 ] + +If the watchdog was already enabled by the BIOS after booting, the +watchdog infrastructure needs to regularly send keepalives to +prevent a unexpected reset. +WDOG_ACTIVE only serves as an status indicator for userspace, +we want to use WDOG_HW_RUNNING instead. + +Since my Fujitsu Esprimo P720 does not support the watchdog, +this change is compile-tested only. + +Suggested-by: Guenter Roeck +Fixes: fb551405c0f8 (watchdog: sch56xx: Use watchdog core) +Signed-off-by: Armin Wolf +Link: https://lore.kernel.org/r/20220131211935.3656-5-W_Armin@gmx.de +Reviewed-by: Hans de Goede +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/sch56xx-common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwmon/sch56xx-common.c b/drivers/hwmon/sch56xx-common.c +index bda3d5285586..e1c4e6937a64 100644 +--- a/drivers/hwmon/sch56xx-common.c ++++ b/drivers/hwmon/sch56xx-common.c +@@ -437,7 +437,7 @@ struct sch56xx_watchdog_data *sch56xx_watchdog_register(struct device *parent, + if (nowayout) + set_bit(WDOG_NO_WAY_OUT, &data->wddev.status); + if (output_enable & SCH56XX_WDOG_OUTPUT_ENABLE) +- set_bit(WDOG_ACTIVE, &data->wddev.status); ++ set_bit(WDOG_HW_RUNNING, &data->wddev.status); + + /* Since the watchdog uses a downcounter there is no register to read + the BIOS set timeout from (if any was set at all) -> +-- +2.34.1 + diff --git a/queue-4.14/hwrng-atmel-disable-trng-on-failure-path.patch b/queue-4.14/hwrng-atmel-disable-trng-on-failure-path.patch new file mode 100644 index 00000000000..c08d265cf0a --- /dev/null +++ b/queue-4.14/hwrng-atmel-disable-trng-on-failure-path.patch @@ -0,0 +1,34 @@ +From fa3a8f8341e6f217726a85168ff9c307b1c67599 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Feb 2022 09:59:23 +0200 +Subject: hwrng: atmel - disable trng on failure path + +From: Claudiu Beznea + +[ Upstream commit a223ea9f89ab960eb254ba78429efd42eaf845eb ] + +Call atmel_trng_disable() on failure path of probe. + +Fixes: a1fa98d8116f ("hwrng: atmel - disable TRNG during suspend") +Signed-off-by: Claudiu Beznea +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/atmel-rng.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/char/hw_random/atmel-rng.c b/drivers/char/hw_random/atmel-rng.c +index 661c82cde0f2..92a8960ceba5 100644 +--- a/drivers/char/hw_random/atmel-rng.c ++++ b/drivers/char/hw_random/atmel-rng.c +@@ -95,6 +95,7 @@ static int atmel_trng_probe(struct platform_device *pdev) + + err_register: + clk_disable_unprepare(trng->clk); ++ atmel_trng_disable(trng); + return ret; + } + +-- +2.34.1 + diff --git a/queue-4.14/i2c-mux-demux-pinctrl-do-not-deactivate-a-master-tha.patch b/queue-4.14/i2c-mux-demux-pinctrl-do-not-deactivate-a-master-tha.patch new file mode 100644 index 00000000000..c94f4716f9b --- /dev/null +++ b/queue-4.14/i2c-mux-demux-pinctrl-do-not-deactivate-a-master-tha.patch @@ -0,0 +1,53 @@ +From ca77051091d61b87bd0cdd1dc359c90ed677a0a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Mar 2022 12:22:35 +0100 +Subject: i2c: mux: demux-pinctrl: do not deactivate a master that is not + active + +From: Peter Rosin + +[ Upstream commit 1a22aabf20adf89cb216f566913196128766f25b ] + +Attempting to rollback the activation of the current master when +the current master has not been activated is bad. priv->cur_chan +and priv->cur_adap are both still zeroed out and the rollback +may result in attempts to revert an of changeset that has not been +applied and do result in calls to both del and put the zeroed out +i2c_adapter. Maybe it crashes, or whatever, but it's bad in any +case. + +Fixes: e9d1a0a41d44 ("i2c: mux: demux-pinctrl: Fix an error handling path in 'i2c_demux_pinctrl_probe()'") +Signed-off-by: Peter Rosin +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/muxes/i2c-demux-pinctrl.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/i2c/muxes/i2c-demux-pinctrl.c b/drivers/i2c/muxes/i2c-demux-pinctrl.c +index 0c637ae81404..c638b2fc7fa2 100644 +--- a/drivers/i2c/muxes/i2c-demux-pinctrl.c ++++ b/drivers/i2c/muxes/i2c-demux-pinctrl.c +@@ -259,7 +259,7 @@ static int i2c_demux_pinctrl_probe(struct platform_device *pdev) + + err = device_create_file(&pdev->dev, &dev_attr_available_masters); + if (err) +- goto err_rollback; ++ goto err_rollback_activation; + + err = device_create_file(&pdev->dev, &dev_attr_current_master); + if (err) +@@ -269,8 +269,9 @@ static int i2c_demux_pinctrl_probe(struct platform_device *pdev) + + err_rollback_available: + device_remove_file(&pdev->dev, &dev_attr_available_masters); +-err_rollback: ++err_rollback_activation: + i2c_demux_deactivate_master(priv); ++err_rollback: + for (j = 0; j < i; j++) { + of_node_put(priv->chan[j].parent_np); + of_changeset_destroy(&priv->chan[j].chgset); +-- +2.34.1 + diff --git a/queue-4.14/i2c-xiic-make-bus-names-unique.patch b/queue-4.14/i2c-xiic-make-bus-names-unique.patch new file mode 100644 index 00000000000..74ee4ad3a13 --- /dev/null +++ b/queue-4.14/i2c-xiic-make-bus-names-unique.patch @@ -0,0 +1,49 @@ +From 7c815bd6111a3829cab13e257f57ca5b4f38febb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jan 2022 11:50:13 -0600 +Subject: i2c: xiic: Make bus names unique + +From: Robert Hancock + +[ Upstream commit 1d366c2f9df8279df2adbb60471f86fc40a1c39e ] + +This driver is for an FPGA logic core, so there can be arbitrarily many +instances of the bus on a given system. Previously all of the I2C bus +names were "xiic-i2c" which caused issues with lm_sensors when trying to +map human-readable names to sensor inputs because it could not properly +distinguish the busses, for example. Append the platform device name to +the I2C bus name so it is unique between different instances. + +Fixes: e1d5b6598cdc ("i2c: Add support for Xilinx XPS IIC Bus Interface") +Signed-off-by: Robert Hancock +Tested-by: Michal Simek +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-xiic.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-xiic.c b/drivers/i2c/busses/i2c-xiic.c +index 5a94f732049e..da526cc471cc 100644 +--- a/drivers/i2c/busses/i2c-xiic.c ++++ b/drivers/i2c/busses/i2c-xiic.c +@@ -731,7 +731,6 @@ static const struct i2c_adapter_quirks xiic_quirks = { + + static const struct i2c_adapter xiic_adapter = { + .owner = THIS_MODULE, +- .name = DRIVER_NAME, + .class = I2C_CLASS_DEPRECATED, + .algo = &xiic_algorithm, + .quirks = &xiic_quirks, +@@ -768,6 +767,8 @@ static int xiic_i2c_probe(struct platform_device *pdev) + i2c_set_adapdata(&i2c->adap, i2c); + i2c->adap.dev.parent = &pdev->dev; + i2c->adap.dev.of_node = pdev->dev.of_node; ++ snprintf(i2c->adap.name, sizeof(i2c->adap.name), ++ DRIVER_NAME " %s", pdev->name); + + mutex_init(&i2c->lock); + init_waitqueue_head(&i2c->wait); +-- +2.34.1 + diff --git a/queue-4.14/iio-adc-add-check-for-devm_request_threaded_irq.patch b/queue-4.14/iio-adc-add-check-for-devm_request_threaded_irq.patch new file mode 100644 index 00000000000..719a2862537 --- /dev/null +++ b/queue-4.14/iio-adc-add-check-for-devm_request_threaded_irq.patch @@ -0,0 +1,38 @@ +From 66e0ba8aeae31ebebb8f11d83a67534fc18acc3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Feb 2022 14:28:49 +0800 +Subject: iio: adc: Add check for devm_request_threaded_irq + +From: Jiasheng Jiang + +[ Upstream commit b30537a4cedcacf0ade2f33ebb7610178ed1e7d7 ] + +As the potential failure of the devm_request_threaded_irq(), +it should be better to check the return value and return +error if fails. + +Fixes: fa659a40b80b ("iio: adc: twl6030-gpadc: Use devm_* API family") +Signed-off-by: Jiasheng Jiang +Link: https://lore.kernel.org/r/20220224062849.3280966-1-jiasheng@iscas.ac.cn +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/twl6030-gpadc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/iio/adc/twl6030-gpadc.c b/drivers/iio/adc/twl6030-gpadc.c +index bc0e60b9da45..6a4ec58eb9c5 100644 +--- a/drivers/iio/adc/twl6030-gpadc.c ++++ b/drivers/iio/adc/twl6030-gpadc.c +@@ -927,6 +927,8 @@ static int twl6030_gpadc_probe(struct platform_device *pdev) + ret = devm_request_threaded_irq(dev, irq, NULL, + twl6030_gpadc_irq_handler, + IRQF_ONESHOT, "twl6030_gpadc", indio_dev); ++ if (ret) ++ return ret; + + ret = twl6030_gpadc_enable_irq(TWL6030_GPADC_RT_SW1_EOC_MASK); + if (ret < 0) { +-- +2.34.1 + diff --git a/queue-4.14/irqchip-nvic-release-nvic_base-upon-failure.patch b/queue-4.14/irqchip-nvic-release-nvic_base-upon-failure.patch new file mode 100644 index 00000000000..a6c9df81c69 --- /dev/null +++ b/queue-4.14/irqchip-nvic-release-nvic_base-upon-failure.patch @@ -0,0 +1,50 @@ +From 909036b9c25849253bc6552c9fda00a6140af99d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Feb 2022 22:03:03 +0530 +Subject: irqchip/nvic: Release nvic_base upon failure + +From: Souptick Joarder (HPE) + +[ Upstream commit e414c25e3399b2b3d7337dc47abccab5c71b7c8f ] + +smatch warning was reported as below -> + +smatch warnings: +drivers/irqchip/irq-nvic.c:131 nvic_of_init() +warn: 'nvic_base' not released on lines: 97. + +Release nvic_base upon failure. + +Reported-by: kernel test robot +Reported-by: Dan Carpenter +Signed-off-by: Souptick Joarder (HPE) +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20220218163303.33344-1-jrdr.linux@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-nvic.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/irqchip/irq-nvic.c b/drivers/irqchip/irq-nvic.c +index 9694529b709d..330beb62d015 100644 +--- a/drivers/irqchip/irq-nvic.c ++++ b/drivers/irqchip/irq-nvic.c +@@ -108,6 +108,7 @@ static int __init nvic_of_init(struct device_node *node, + + if (!nvic_irq_domain) { + pr_warn("Failed to allocate irq domain\n"); ++ iounmap(nvic_base); + return -ENOMEM; + } + +@@ -117,6 +118,7 @@ static int __init nvic_of_init(struct device_node *node, + if (ret) { + pr_warn("Failed to allocate irq chips\n"); + irq_domain_remove(nvic_irq_domain); ++ iounmap(nvic_base); + return ret; + } + +-- +2.34.1 + diff --git a/queue-4.14/iwlwifi-fix-eio-error-code-that-is-never-returned.patch b/queue-4.14/iwlwifi-fix-eio-error-code-that-is-never-returned.patch new file mode 100644 index 00000000000..86177c86d10 --- /dev/null +++ b/queue-4.14/iwlwifi-fix-eio-error-code-that-is-never-returned.patch @@ -0,0 +1,39 @@ +From f00e95e208e49fddf797f655a23dbb1e244a2f49 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Sep 2021 11:46:58 +0100 +Subject: iwlwifi: Fix -EIO error code that is never returned + +From: Colin Ian King + +[ Upstream commit c305c94bdc18e45b5ad1db54da4269f8cbfdff6b ] + +Currently the error -EIO is being assinged to variable ret when +the READY_BIT is not set but the function iwlagn_mac_start returns +0 rather than ret. Fix this by returning ret instead of 0. + +Addresses-Coverity: ("Unused value") +Fixes: 7335613ae27a ("iwlwifi: move all mac80211 related functions to one place") +Signed-off-by: Colin Ian King +Link: https://lore.kernel.org/r/20210907104658.14706-1-colin.king@canonical.com +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/dvm/mac80211.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/dvm/mac80211.c +index 82caae02dd09..f2e0cfa2f4a2 100644 +--- a/drivers/net/wireless/intel/iwlwifi/dvm/mac80211.c ++++ b/drivers/net/wireless/intel/iwlwifi/dvm/mac80211.c +@@ -317,7 +317,7 @@ static int iwlagn_mac_start(struct ieee80211_hw *hw) + + priv->is_open = 1; + IWL_DEBUG_MAC80211(priv, "leave\n"); +- return 0; ++ return ret; + } + + static void iwlagn_mac_stop(struct ieee80211_hw *hw) +-- +2.34.1 + diff --git a/queue-4.14/jfs-fix-divide-error-in-dbnextag.patch b/queue-4.14/jfs-fix-divide-error-in-dbnextag.patch new file mode 100644 index 00000000000..4b45b9dc56e --- /dev/null +++ b/queue-4.14/jfs-fix-divide-error-in-dbnextag.patch @@ -0,0 +1,56 @@ +From 46ab645dcda5a79fe65636edcdb28521d64df89d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Mar 2022 22:30:00 +0300 +Subject: jfs: fix divide error in dbNextAG + +From: Pavel Skripkin + +[ Upstream commit 2cc7cc01c15f57d056318c33705647f87dcd4aab ] + +Syzbot reported divide error in dbNextAG(). The problem was in missing +validation check for malicious image. + +Syzbot crafted an image with bmp->db_numag equal to 0. There wasn't any +validation checks, but dbNextAG() blindly use bmp->db_numag in divide +expression + +Fix it by validating bmp->db_numag in dbMount() and return an error if +image is malicious + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-and-tested-by: syzbot+46f5c25af73eb8330eb6@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dmap.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c +index 9ff510a489cb..6dac48e29d28 100644 +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -161,6 +161,7 @@ static const s8 budtab[256] = { + * 0 - success + * -ENOMEM - insufficient memory + * -EIO - i/o error ++ * -EINVAL - wrong bmap data + */ + int dbMount(struct inode *ipbmap) + { +@@ -192,6 +193,12 @@ int dbMount(struct inode *ipbmap) + bmp->db_nfree = le64_to_cpu(dbmp_le->dn_nfree); + bmp->db_l2nbperpage = le32_to_cpu(dbmp_le->dn_l2nbperpage); + bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag); ++ if (!bmp->db_numag) { ++ release_metapage(mp); ++ kfree(bmp); ++ return -EINVAL; ++ } ++ + bmp->db_maxlevel = le32_to_cpu(dbmp_le->dn_maxlevel); + bmp->db_maxag = le32_to_cpu(dbmp_le->dn_maxag); + bmp->db_agpref = le32_to_cpu(dbmp_le->dn_agpref); +-- +2.34.1 + diff --git a/queue-4.14/kgdboc-fix-return-value-of-__setup-handler.patch b/queue-4.14/kgdboc-fix-return-value-of-__setup-handler.patch new file mode 100644 index 00000000000..a9868d78700 --- /dev/null +++ b/queue-4.14/kgdboc-fix-return-value-of-__setup-handler.patch @@ -0,0 +1,76 @@ +From 80b0a3decbc68d6fed1709cf683f7dea19b58b02 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Mar 2022 19:30:18 -0800 +Subject: kgdboc: fix return value of __setup handler + +From: Randy Dunlap + +[ Upstream commit ab818c7aa7544bf8d2dd4bdf68878b17a02eb332 ] + +__setup() handlers should return 1 to obsolete_checksetup() in +init/main.c to indicate that the boot option has been handled. +A return of 0 causes the boot option/value to be listed as an Unknown +kernel parameter and added to init's (limited) environment strings. +So return 1 from kgdboc_option_setup(). + +Unknown kernel command line parameters "BOOT_IMAGE=/boot/bzImage-517rc7 + kgdboc=kbd kgdbts=", will be passed to user space. + + Run /sbin/init as init process + with arguments: + /sbin/init + with environment: + HOME=/ + TERM=linux + BOOT_IMAGE=/boot/bzImage-517rc7 + kgdboc=kbd + kgdbts= + +Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru +Fixes: 1bd54d851f50 ("kgdboc: Passing ekgdboc to command line causes panic") +Fixes: f2d937f3bf00 ("consoles: polling support, kgdboc") +Cc: He Zhe +Cc: Greg Kroah-Hartman +Cc: Jiri Slaby +Cc: kgdb-bugreport@lists.sourceforge.net +Cc: Jason Wessel +Cc: Daniel Thompson +Cc: Douglas Anderson +Cc: linux-serial@vger.kernel.org +Reported-by: Igor Zhbanov +Reviewed-by: Douglas Anderson +Signed-off-by: Randy Dunlap +Link: https://lore.kernel.org/r/20220309033018.17936-1-rdunlap@infradead.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/kgdboc.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/tty/serial/kgdboc.c b/drivers/tty/serial/kgdboc.c +index 0314e78e31ff..72b89702d008 100644 +--- a/drivers/tty/serial/kgdboc.c ++++ b/drivers/tty/serial/kgdboc.c +@@ -304,16 +304,16 @@ static int kgdboc_option_setup(char *opt) + { + if (!opt) { + pr_err("config string not provided\n"); +- return -EINVAL; ++ return 1; + } + + if (strlen(opt) >= MAX_CONFIG_LEN) { + pr_err("config string too long\n"); +- return -ENOSPC; ++ return 1; + } + strcpy(config, opt); + +- return 0; ++ return 1; + } + + __setup("kgdboc=", kgdboc_option_setup); +-- +2.34.1 + diff --git a/queue-4.14/kgdbts-fix-return-value-of-__setup-handler.patch b/queue-4.14/kgdbts-fix-return-value-of-__setup-handler.patch new file mode 100644 index 00000000000..2e0643b7d2d --- /dev/null +++ b/queue-4.14/kgdbts-fix-return-value-of-__setup-handler.patch @@ -0,0 +1,65 @@ +From e112b10903bfafe053dad4f1cf00fe8cc5eb8079 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Mar 2022 19:32:55 -0800 +Subject: kgdbts: fix return value of __setup handler + +From: Randy Dunlap + +[ Upstream commit 96c9e802c64014a7716865332d732cc9c7f24593 ] + +__setup() handlers should return 1 to indicate that the boot option +has been handled. A return of 0 causes the boot option/value to be +listed as an Unknown kernel parameter and added to init's (limited) +environment strings. So return 1 from kgdbts_option_setup(). + +Unknown kernel command line parameters "BOOT_IMAGE=/boot/bzImage-517rc7 + kgdboc=kbd kgdbts=", will be passed to user space. + + Run /sbin/init as init process + with arguments: + /sbin/init + with environment: + HOME=/ + TERM=linux + BOOT_IMAGE=/boot/bzImage-517rc7 + kgdboc=kbd + kgdbts= + +Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru +Fixes: e8d31c204e36 ("kgdb: add kgdb internal test suite") +Cc: kgdb-bugreport@lists.sourceforge.net +Cc: Jason Wessel +Cc: Daniel Thompson +Cc: Douglas Anderson +Cc: Arnd Bergmann +Cc: Greg Kroah-Hartman +Reported-by: Igor Zhbanov +Reviewed-by: Douglas Anderson +Signed-off-by: Randy Dunlap +Link: https://lore.kernel.org/r/20220308033255.22118-1-rdunlap@infradead.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/kgdbts.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/misc/kgdbts.c b/drivers/misc/kgdbts.c +index aa70e22e247b..d14b4b0a1d7c 100644 +--- a/drivers/misc/kgdbts.c ++++ b/drivers/misc/kgdbts.c +@@ -1068,10 +1068,10 @@ static int kgdbts_option_setup(char *opt) + { + if (strlen(opt) >= MAX_CONFIG_LEN) { + printk(KERN_ERR "kgdbts: config string too long\n"); +- return -ENOSPC; ++ return 1; + } + strcpy(config, opt); +- return 0; ++ return 1; + } + + __setup("kgdbts=", kgdbts_option_setup); +-- +2.34.1 + diff --git a/queue-4.14/kvm-x86-emulator-defer-not-present-segment-check-in-.patch b/queue-4.14/kvm-x86-emulator-defer-not-present-segment-check-in-.patch new file mode 100644 index 00000000000..e1d3732a39c --- /dev/null +++ b/queue-4.14/kvm-x86-emulator-defer-not-present-segment-check-in-.patch @@ -0,0 +1,69 @@ +From 8300bdfac65cc22d32ec798181610f49ca053aa4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Feb 2022 17:34:03 +0800 +Subject: KVM: x86/emulator: Defer not-present segment check in + __load_segment_descriptor() + +From: Hou Wenlong + +[ Upstream commit ca85f002258fdac3762c57d12d5e6e401b6a41af ] + +Per Intel's SDM on the "Instruction Set Reference", when +loading segment descriptor, not-present segment check should +be after all type and privilege checks. But the emulator checks +it first, then #NP is triggered instead of #GP if privilege fails +and segment is not present. Put not-present segment check after +type and privilege checks in __load_segment_descriptor(). + +Fixes: 38ba30ba51a00 (KVM: x86 emulator: Emulate task switch in emulator.c) +Reviewed-by: Sean Christopherson +Signed-off-by: Hou Wenlong +Message-Id: <52573c01d369f506cadcf7233812427cf7db81a7.1644292363.git.houwenlong.hwl@antgroup.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/emulate.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c +index 23d3329e1c73..c5f2a72343e3 100644 +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -1682,11 +1682,6 @@ static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt, + goto exception; + } + +- if (!seg_desc.p) { +- err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR; +- goto exception; +- } +- + dpl = seg_desc.dpl; + + switch (seg) { +@@ -1726,6 +1721,10 @@ static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt, + case VCPU_SREG_TR: + if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9)) + goto exception; ++ if (!seg_desc.p) { ++ err_vec = NP_VECTOR; ++ goto exception; ++ } + old_desc = seg_desc; + seg_desc.type |= 2; /* busy */ + ret = ctxt->ops->cmpxchg_emulated(ctxt, desc_addr, &old_desc, &seg_desc, +@@ -1750,6 +1749,11 @@ static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt, + break; + } + ++ if (!seg_desc.p) { ++ err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR; ++ goto exception; ++ } ++ + if (seg_desc.s) { + /* mark segment as accessed */ + if (!(seg_desc.type & 1)) { +-- +2.34.1 + diff --git a/queue-4.14/kvm-x86-fix-emulation-in-writing-cr8.patch b/queue-4.14/kvm-x86-fix-emulation-in-writing-cr8.patch new file mode 100644 index 00000000000..e622b089221 --- /dev/null +++ b/queue-4.14/kvm-x86-fix-emulation-in-writing-cr8.patch @@ -0,0 +1,65 @@ +From d958cce220a14867babe81923d8ebf51e0553e89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Feb 2022 17:45:06 +0800 +Subject: KVM: x86: Fix emulation in writing cr8 + +From: Zhenzhong Duan + +[ Upstream commit f66af9f222f08d5b11ea41c1bd6c07a0f12daa07 ] + +In emulation of writing to cr8, one of the lowest four bits in TPR[3:0] +is kept. + +According to Intel SDM 10.8.6.1(baremetal scenario): +"APIC.TPR[bits 7:4] = CR8[bits 3:0], APIC.TPR[bits 3:0] = 0"; + +and SDM 28.3(use TPR shadow): +"MOV to CR8. The instruction stores bits 3:0 of its source operand into +bits 7:4 of VTPR; the remainder of VTPR (bits 3:0 and bits 31:8) are +cleared."; + +and AMD's APM 16.6.4: +"Task Priority Sub-class (TPS)-Bits 3 : 0. The TPS field indicates the +current sub-priority to be used when arbitrating lowest-priority messages. +This field is written with zero when TPR is written using the architectural +CR8 register."; + +so in KVM emulated scenario, clear TPR[3:0] to make a consistent behavior +as in other scenarios. + +This doesn't impact evaluation and delivery of pending virtual interrupts +because processor does not use the processor-priority sub-class to +determine which interrupts to delivery and which to inhibit. + +Sub-class is used by hardware to arbitrate lowest priority interrupts, +but KVM just does a round-robin style delivery. + +Fixes: b93463aa59d6 ("KVM: Accelerated apic support") +Signed-off-by: Zhenzhong Duan +Reviewed-by: Sean Christopherson +Message-Id: <20220210094506.20181-1-zhenzhong.duan@intel.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/lapic.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c +index d4fdf0e52144..99b3fa3a29bf 100644 +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -1929,10 +1929,7 @@ void kvm_set_lapic_tscdeadline_msr(struct kvm_vcpu *vcpu, u64 data) + + void kvm_lapic_set_tpr(struct kvm_vcpu *vcpu, unsigned long cr8) + { +- struct kvm_lapic *apic = vcpu->arch.apic; +- +- apic_set_tpr(apic, ((cr8 & 0x0f) << 4) +- | (kvm_lapic_get_reg(apic, APIC_TASKPRI) & 4)); ++ apic_set_tpr(vcpu->arch.apic, (cr8 & 0x0f) << 4); + } + + u64 kvm_lapic_get_cr8(struct kvm_vcpu *vcpu) +-- +2.34.1 + diff --git a/queue-4.14/lib-test-use-after-free-in-register_test_dev_kmod.patch b/queue-4.14/lib-test-use-after-free-in-register_test_dev_kmod.patch new file mode 100644 index 00000000000..8305659acb2 --- /dev/null +++ b/queue-4.14/lib-test-use-after-free-in-register_test_dev_kmod.patch @@ -0,0 +1,34 @@ +From 5a852817b8db47dfbd6c69bf404ba4d3f8d2df08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Mar 2022 08:52:07 +0300 +Subject: lib/test: use after free in register_test_dev_kmod() + +From: Dan Carpenter + +[ Upstream commit dc0ce6cc4b133f5f2beb8b47dacae13a7d283c2c ] + +The "test_dev" pointer is freed but then returned to the caller. + +Fixes: d9c6a72d6fa2 ("kmod: add test driver to stress test the module loader") +Signed-off-by: Dan Carpenter +Signed-off-by: Luis Chamberlain +Signed-off-by: Sasha Levin +--- + lib/test_kmod.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/test_kmod.c b/lib/test_kmod.c +index c0ce0156d54b..74f8d386f85e 100644 +--- a/lib/test_kmod.c ++++ b/lib/test_kmod.c +@@ -1162,6 +1162,7 @@ static struct kmod_test_device *register_test_dev_kmod(void) + if (ret) { + pr_err("could not register misc device: %d\n", ret); + free_test_dev_kmod(test_dev); ++ test_dev = NULL; + goto out; + } + +-- +2.34.1 + diff --git a/queue-4.14/loop-use-sysfs_emit-in-the-sysfs-xxx-show.patch b/queue-4.14/loop-use-sysfs_emit-in-the-sysfs-xxx-show.patch new file mode 100644 index 00000000000..f78e4f2e889 --- /dev/null +++ b/queue-4.14/loop-use-sysfs_emit-in-the-sysfs-xxx-show.patch @@ -0,0 +1,73 @@ +From 258ff976103a0e84e715a6e4ba91d315351fe1fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Feb 2022 13:33:07 -0800 +Subject: loop: use sysfs_emit() in the sysfs xxx show() + +From: Chaitanya Kulkarni + +[ Upstream commit b27824d31f09ea7b4a6ba2c1b18bd328df3e8bed ] + +sprintf does not know the PAGE_SIZE maximum of the temporary buffer +used for outputting sysfs content and it's possible to overrun the +PAGE_SIZE buffer length. + +Use a generic sysfs_emit function that knows the size of the +temporary buffer and ensures that no overrun is done for offset +attribute in +loop_attr_[offset|sizelimit|autoclear|partscan|dio]_show() callbacks. + +Signed-off-by: Chaitanya Kulkarni +Reviewed-by: Himanshu Madhani +Link: https://lore.kernel.org/r/20220215213310.7264-2-kch@nvidia.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/loop.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/block/loop.c b/drivers/block/loop.c +index c6157ccb9498..4c115c1e9209 100644 +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -765,33 +765,33 @@ static ssize_t loop_attr_backing_file_show(struct loop_device *lo, char *buf) + + static ssize_t loop_attr_offset_show(struct loop_device *lo, char *buf) + { +- return sprintf(buf, "%llu\n", (unsigned long long)lo->lo_offset); ++ return sysfs_emit(buf, "%llu\n", (unsigned long long)lo->lo_offset); + } + + static ssize_t loop_attr_sizelimit_show(struct loop_device *lo, char *buf) + { +- return sprintf(buf, "%llu\n", (unsigned long long)lo->lo_sizelimit); ++ return sysfs_emit(buf, "%llu\n", (unsigned long long)lo->lo_sizelimit); + } + + static ssize_t loop_attr_autoclear_show(struct loop_device *lo, char *buf) + { + int autoclear = (lo->lo_flags & LO_FLAGS_AUTOCLEAR); + +- return sprintf(buf, "%s\n", autoclear ? "1" : "0"); ++ return sysfs_emit(buf, "%s\n", autoclear ? "1" : "0"); + } + + static ssize_t loop_attr_partscan_show(struct loop_device *lo, char *buf) + { + int partscan = (lo->lo_flags & LO_FLAGS_PARTSCAN); + +- return sprintf(buf, "%s\n", partscan ? "1" : "0"); ++ return sysfs_emit(buf, "%s\n", partscan ? "1" : "0"); + } + + static ssize_t loop_attr_dio_show(struct loop_device *lo, char *buf) + { + int dio = (lo->lo_flags & LO_FLAGS_DIRECT_IO); + +- return sprintf(buf, "%s\n", dio ? "1" : "0"); ++ return sysfs_emit(buf, "%s\n", dio ? "1" : "0"); + } + + LOOP_ATTR_RO(backing_file); +-- +2.34.1 + diff --git a/queue-4.14/media-coda-fix-missing-put_device-call-in-coda_get_v.patch b/queue-4.14/media-coda-fix-missing-put_device-call-in-coda_get_v.patch new file mode 100644 index 00000000000..182805be6a1 --- /dev/null +++ b/queue-4.14/media-coda-fix-missing-put_device-call-in-coda_get_v.patch @@ -0,0 +1,37 @@ +From f80867bf9725a50d827aa43a52ec59ecab27d96b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Jan 2022 12:05:54 +0100 +Subject: media: coda: Fix missing put_device() call in coda_get_vdoa_data + +From: Miaoqian Lin + +[ Upstream commit ca85d271531a1e1c86f24b892f57b7d0a3ddb5a6 ] + +The reference taken by 'of_find_device_by_node()' must be released when +not needed anymore. +Add the corresponding 'put_device()' in the error handling path. + +Fixes: e7f3c5481035 ("[media] coda: use VDOA for un-tiling custom macroblock format") +Signed-off-by: Miaoqian Lin +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/coda/coda-common.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/platform/coda/coda-common.c b/drivers/media/platform/coda/coda-common.c +index 5b87c488ee11..993208944ace 100644 +--- a/drivers/media/platform/coda/coda-common.c ++++ b/drivers/media/platform/coda/coda-common.c +@@ -360,6 +360,7 @@ static struct vdoa_data *coda_get_vdoa_data(void) + if (!vdoa_data) + vdoa_data = ERR_PTR(-EPROBE_DEFER); + ++ put_device(&vdoa_pdev->dev); + out: + if (vdoa_node) + of_node_put(vdoa_node); +-- +2.34.1 + diff --git a/queue-4.14/media-cx88-mpeg-clear-interrupt-status-register-befo.patch b/queue-4.14/media-cx88-mpeg-clear-interrupt-status-register-befo.patch new file mode 100644 index 00000000000..a0a67c9facd --- /dev/null +++ b/queue-4.14/media-cx88-mpeg-clear-interrupt-status-register-befo.patch @@ -0,0 +1,47 @@ +From 7c0833b3a6059bf671a0f75478cdee06709241fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Feb 2022 19:19:50 +0100 +Subject: media: cx88-mpeg: clear interrupt status register before streaming + video +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Daniel González Cabanelas + +[ Upstream commit 56cb61f70e547e1b0cdfe6ff5a1f1ce6242e6d96 ] + +Some cx88 video cards may have transport stream status interrupts set +to 1 from cold start, causing errors like this: + + cx88xx: cx88_print_irqbits: core:irq mpeg [0x100000] ts_err?* + cx8802: cx8802_mpeg_irq: mpeg:general errors: 0x00100000 + +According to CX2388x datasheet, the interrupt status register should be +cleared before enabling IRQs to stream video. + +Fix it by clearing the Transport Stream Interrupt Status register. + +Signed-off-by: Daniel González Cabanelas +Signed-off-by: Sasha Levin +--- + drivers/media/pci/cx88/cx88-mpeg.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/media/pci/cx88/cx88-mpeg.c b/drivers/media/pci/cx88/cx88-mpeg.c +index 52ff00ebd4bd..281eca525340 100644 +--- a/drivers/media/pci/cx88/cx88-mpeg.c ++++ b/drivers/media/pci/cx88/cx88-mpeg.c +@@ -171,6 +171,9 @@ int cx8802_start_dma(struct cx8802_dev *dev, + cx_write(MO_TS_GPCNTRL, GP_COUNT_CONTROL_RESET); + q->count = 0; + ++ /* clear interrupt status register */ ++ cx_write(MO_TS_INTSTAT, 0x1f1111); ++ + /* enable irqs */ + dprintk(1, "setting the interrupt mask\n"); + cx_set(MO_PCI_INTMSK, core->pci_irqmask | PCI_INT_TSINT); +-- +2.34.1 + diff --git a/queue-4.14/media-hdpvr-initialize-dev-worker-at-hdpvr_register_.patch b/queue-4.14/media-hdpvr-initialize-dev-worker-at-hdpvr_register_.patch new file mode 100644 index 00000000000..e753c5a7d60 --- /dev/null +++ b/queue-4.14/media-hdpvr-initialize-dev-worker-at-hdpvr_register_.patch @@ -0,0 +1,61 @@ +From 98f1107ae98bc23019848a71c6de9291551d29ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Feb 2022 10:41:30 +0100 +Subject: media: hdpvr: initialize dev->worker at hdpvr_register_videodev + +From: Dongliang Mu + +[ Upstream commit 07922937e9a580825f9965c46fd15e23ba5754b6 ] + +hdpvr_register_videodev is responsible to initialize a worker in +hdpvr_device. However, the worker is only initialized at +hdpvr_start_streaming other than hdpvr_register_videodev. +When hdpvr_probe does not initialize its worker, the hdpvr_disconnect +will encounter one WARN in flush_work.The stack trace is as follows: + + hdpvr_disconnect+0xb8/0xf2 drivers/media/usb/hdpvr/hdpvr-core.c:425 + usb_unbind_interface+0xbf/0x3a0 drivers/usb/core/driver.c:458 + __device_release_driver drivers/base/dd.c:1206 [inline] + device_release_driver_internal+0x22a/0x230 drivers/base/dd.c:1237 + bus_remove_device+0x108/0x160 drivers/base/bus.c:529 + device_del+0x1fe/0x510 drivers/base/core.c:3592 + usb_disable_device+0xd1/0x1d0 drivers/usb/core/message.c:1419 + usb_disconnect+0x109/0x330 drivers/usb/core/hub.c:2228 + +Fix this by moving the initialization of dev->worker to the starting of +hdpvr_register_videodev + +Reported-by: syzkaller +Signed-off-by: Dongliang Mu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/hdpvr/hdpvr-video.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/usb/hdpvr/hdpvr-video.c b/drivers/media/usb/hdpvr/hdpvr-video.c +index 991f820a4530..1cecb37e16d2 100644 +--- a/drivers/media/usb/hdpvr/hdpvr-video.c ++++ b/drivers/media/usb/hdpvr/hdpvr-video.c +@@ -312,7 +312,6 @@ static int hdpvr_start_streaming(struct hdpvr_device *dev) + + dev->status = STATUS_STREAMING; + +- INIT_WORK(&dev->worker, hdpvr_transmit_buffers); + schedule_work(&dev->worker); + + v4l2_dbg(MSG_BUFFER, hdpvr_debug, &dev->v4l2_dev, +@@ -1175,6 +1174,9 @@ int hdpvr_register_videodev(struct hdpvr_device *dev, struct device *parent, + bool ac3 = dev->flags & HDPVR_FLAG_AC3_CAP; + int res; + ++ // initialize dev->worker ++ INIT_WORK(&dev->worker, hdpvr_transmit_buffers); ++ + dev->cur_std = V4L2_STD_525_60; + dev->width = 720; + dev->height = 480; +-- +2.34.1 + diff --git a/queue-4.14/media-stk1160-if-start-stream-fails-return-buffers-w.patch b/queue-4.14/media-stk1160-if-start-stream-fails-return-buffers-w.patch new file mode 100644 index 00000000000..c667390849f --- /dev/null +++ b/queue-4.14/media-stk1160-if-start-stream-fails-return-buffers-w.patch @@ -0,0 +1,143 @@ +From c6b72b0059137ac1bec31c6a92946da02b632598 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jan 2022 09:02:11 +0100 +Subject: media: stk1160: If start stream fails, return buffers with + VB2_BUF_STATE_QUEUED + +From: Dafna Hirschfeld + +[ Upstream commit fbe04b49a54e31f4321d632270207f0e6304cd16 ] + +If the callback 'start_streaming' fails, then all +queued buffers in the driver should be returned with +state 'VB2_BUF_STATE_QUEUED'. Currently, they are +returned with 'VB2_BUF_STATE_ERROR' which is wrong. +Fix this. This also fixes the warning: + +[ 65.583633] WARNING: CPU: 5 PID: 593 at drivers/media/common/videobuf2/videobuf2-core.c:1612 vb2_start_streaming+0xd4/0x160 [videobuf2_common] +[ 65.585027] Modules linked in: snd_usb_audio snd_hwdep snd_usbmidi_lib snd_rawmidi snd_soc_hdmi_codec dw_hdmi_i2s_audio saa7115 stk1160 videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common videodev mc crct10dif_ce panfrost snd_soc_simple_card snd_soc_audio_graph_card snd_soc_spdif_tx snd_soc_simple_card_utils gpu_sched phy_rockchip_pcie snd_soc_rockchip_i2s rockchipdrm analogix_dp dw_mipi_dsi dw_hdmi cec drm_kms_helper drm rtc_rk808 rockchip_saradc industrialio_triggered_buffer kfifo_buf rockchip_thermal pcie_rockchip_host ip_tables x_tables ipv6 +[ 65.589383] CPU: 5 PID: 593 Comm: v4l2src0:src Tainted: G W 5.16.0-rc4-62408-g32447129cb30-dirty #14 +[ 65.590293] Hardware name: Radxa ROCK Pi 4B (DT) +[ 65.590696] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ 65.591304] pc : vb2_start_streaming+0xd4/0x160 [videobuf2_common] +[ 65.591850] lr : vb2_start_streaming+0x6c/0x160 [videobuf2_common] +[ 65.592395] sp : ffff800012bc3ad0 +[ 65.592685] x29: ffff800012bc3ad0 x28: 0000000000000000 x27: ffff800012bc3cd8 +[ 65.593312] x26: 0000000000000000 x25: ffff00000d8a7800 x24: 0000000040045612 +[ 65.593938] x23: ffff800011323000 x22: ffff800012bc3cd8 x21: ffff00000908a8b0 +[ 65.594562] x20: ffff00000908a8c8 x19: 00000000fffffff4 x18: ffffffffffffffff +[ 65.595188] x17: 000000040044ffff x16: 00400034b5503510 x15: ffff800011323f78 +[ 65.595813] x14: ffff000013163886 x13: ffff000013163885 x12: 00000000000002ce +[ 65.596439] x11: 0000000000000028 x10: 0000000000000001 x9 : 0000000000000228 +[ 65.597064] x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff726c5e78 +[ 65.597690] x5 : ffff800012bc3990 x4 : 0000000000000000 x3 : ffff000009a34880 +[ 65.598315] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000007cd99f0 +[ 65.598940] Call trace: +[ 65.599155] vb2_start_streaming+0xd4/0x160 [videobuf2_common] +[ 65.599672] vb2_core_streamon+0x17c/0x1a8 [videobuf2_common] +[ 65.600179] vb2_streamon+0x54/0x88 [videobuf2_v4l2] +[ 65.600619] vb2_ioctl_streamon+0x54/0x60 [videobuf2_v4l2] +[ 65.601103] v4l_streamon+0x3c/0x50 [videodev] +[ 65.601521] __video_do_ioctl+0x1a4/0x428 [videodev] +[ 65.601977] video_usercopy+0x320/0x828 [videodev] +[ 65.602419] video_ioctl2+0x3c/0x58 [videodev] +[ 65.602830] v4l2_ioctl+0x60/0x90 [videodev] +[ 65.603227] __arm64_sys_ioctl+0xa8/0xe0 +[ 65.603576] invoke_syscall+0x54/0x118 +[ 65.603911] el0_svc_common.constprop.3+0x84/0x100 +[ 65.604332] do_el0_svc+0x34/0xa0 +[ 65.604625] el0_svc+0x1c/0x50 +[ 65.604897] el0t_64_sync_handler+0x88/0xb0 +[ 65.605264] el0t_64_sync+0x16c/0x170 +[ 65.605587] ---[ end trace 578e0ba07742170d ]--- + +Fixes: 8ac456495a33d ("[media] stk1160: Stop device and unqueue buffers when start_streaming() fails") +Signed-off-by: Dafna Hirschfeld +Reviewed-by: Ezequiel Garcia +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/stk1160/stk1160-core.c | 2 +- + drivers/media/usb/stk1160/stk1160-v4l.c | 10 +++++----- + drivers/media/usb/stk1160/stk1160.h | 2 +- + 3 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/media/usb/stk1160/stk1160-core.c b/drivers/media/usb/stk1160/stk1160-core.c +index 8e434b31cb98..7f02c2739ec2 100644 +--- a/drivers/media/usb/stk1160/stk1160-core.c ++++ b/drivers/media/usb/stk1160/stk1160-core.c +@@ -410,7 +410,7 @@ static void stk1160_disconnect(struct usb_interface *interface) + /* Here is the only place where isoc get released */ + stk1160_uninit_isoc(dev); + +- stk1160_clear_queue(dev); ++ stk1160_clear_queue(dev, VB2_BUF_STATE_ERROR); + + video_unregister_device(&dev->vdev); + v4l2_device_disconnect(&dev->v4l2_dev); +diff --git a/drivers/media/usb/stk1160/stk1160-v4l.c b/drivers/media/usb/stk1160/stk1160-v4l.c +index 77b759a0bcd9..43676abc1694 100644 +--- a/drivers/media/usb/stk1160/stk1160-v4l.c ++++ b/drivers/media/usb/stk1160/stk1160-v4l.c +@@ -269,7 +269,7 @@ static int stk1160_start_streaming(struct stk1160 *dev) + stk1160_uninit_isoc(dev); + out_stop_hw: + usb_set_interface(dev->udev, 0, 0); +- stk1160_clear_queue(dev); ++ stk1160_clear_queue(dev, VB2_BUF_STATE_QUEUED); + + mutex_unlock(&dev->v4l_lock); + +@@ -317,7 +317,7 @@ static int stk1160_stop_streaming(struct stk1160 *dev) + + stk1160_stop_hw(dev); + +- stk1160_clear_queue(dev); ++ stk1160_clear_queue(dev, VB2_BUF_STATE_ERROR); + + stk1160_dbg("streaming stopped\n"); + +@@ -762,7 +762,7 @@ static const struct video_device v4l_template = { + /********************************************************************/ + + /* Must be called with both v4l_lock and vb_queue_lock hold */ +-void stk1160_clear_queue(struct stk1160 *dev) ++void stk1160_clear_queue(struct stk1160 *dev, enum vb2_buffer_state vb2_state) + { + struct stk1160_buffer *buf; + unsigned long flags; +@@ -773,7 +773,7 @@ void stk1160_clear_queue(struct stk1160 *dev) + buf = list_first_entry(&dev->avail_bufs, + struct stk1160_buffer, list); + list_del(&buf->list); +- vb2_buffer_done(&buf->vb.vb2_buf, VB2_BUF_STATE_ERROR); ++ vb2_buffer_done(&buf->vb.vb2_buf, vb2_state); + stk1160_dbg("buffer [%p/%d] aborted\n", + buf, buf->vb.vb2_buf.index); + } +@@ -783,7 +783,7 @@ void stk1160_clear_queue(struct stk1160 *dev) + buf = dev->isoc_ctl.buf; + dev->isoc_ctl.buf = NULL; + +- vb2_buffer_done(&buf->vb.vb2_buf, VB2_BUF_STATE_ERROR); ++ vb2_buffer_done(&buf->vb.vb2_buf, vb2_state); + stk1160_dbg("buffer [%p/%d] aborted\n", + buf, buf->vb.vb2_buf.index); + } +diff --git a/drivers/media/usb/stk1160/stk1160.h b/drivers/media/usb/stk1160/stk1160.h +index acd1c811db08..54a046aacd33 100644 +--- a/drivers/media/usb/stk1160/stk1160.h ++++ b/drivers/media/usb/stk1160/stk1160.h +@@ -177,7 +177,7 @@ struct regval { + int stk1160_vb2_setup(struct stk1160 *dev); + int stk1160_video_register(struct stk1160 *dev); + void stk1160_video_unregister(struct stk1160 *dev); +-void stk1160_clear_queue(struct stk1160 *dev); ++void stk1160_clear_queue(struct stk1160 *dev, enum vb2_buffer_state vb2_state); + + /* Provided by stk1160-video.c */ + int stk1160_alloc_isoc(struct stk1160 *dev); +-- +2.34.1 + diff --git a/queue-4.14/media-usb-go7007-s2250-board-fix-leak-in-probe.patch b/queue-4.14/media-usb-go7007-s2250-board-fix-leak-in-probe.patch new file mode 100644 index 00000000000..dac79440dc5 --- /dev/null +++ b/queue-4.14/media-usb-go7007-s2250-board-fix-leak-in-probe.patch @@ -0,0 +1,57 @@ +From f573c0cb2ce1cd85f376245a526f2cf868cbb0b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Feb 2022 20:52:01 +0300 +Subject: media: usb: go7007: s2250-board: fix leak in probe() + +From: Dan Carpenter + +[ Upstream commit 67e4550ecd6164bfbdff54c169e5bbf9ccfaf14d ] + +Call i2c_unregister_device(audio) on this error path. + +Fixes: d3b2ccd9e307 ("[media] s2250: convert to the control framework") +Signed-off-by: Dan Carpenter +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/go7007/s2250-board.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/drivers/media/usb/go7007/s2250-board.c b/drivers/media/usb/go7007/s2250-board.c +index 1466db150d82..625e77f4dbd2 100644 +--- a/drivers/media/usb/go7007/s2250-board.c ++++ b/drivers/media/usb/go7007/s2250-board.c +@@ -512,6 +512,7 @@ static int s2250_probe(struct i2c_client *client, + u8 *data; + struct go7007 *go = i2c_get_adapdata(adapter); + struct go7007_usb *usb = go->hpi_context; ++ int err = -EIO; + + audio = i2c_new_dummy(adapter, TLV320_ADDRESS >> 1); + if (audio == NULL) +@@ -540,11 +541,8 @@ static int s2250_probe(struct i2c_client *client, + V4L2_CID_HUE, -512, 511, 1, 0); + sd->ctrl_handler = &state->hdl; + if (state->hdl.error) { +- int err = state->hdl.error; +- +- v4l2_ctrl_handler_free(&state->hdl); +- kfree(state); +- return err; ++ err = state->hdl.error; ++ goto fail; + } + + state->std = V4L2_STD_NTSC; +@@ -608,7 +606,7 @@ static int s2250_probe(struct i2c_client *client, + i2c_unregister_device(audio); + v4l2_ctrl_handler_free(&state->hdl); + kfree(state); +- return -EIO; ++ return err; + } + + static int s2250_remove(struct i2c_client *client) +-- +2.34.1 + diff --git a/queue-4.14/memory-emif-add-check-for-setup_interrupts.patch b/queue-4.14/memory-emif-add-check-for-setup_interrupts.patch new file mode 100644 index 00000000000..f227bc347ea --- /dev/null +++ b/queue-4.14/memory-emif-add-check-for-setup_interrupts.patch @@ -0,0 +1,49 @@ +From 2cccf22cba63c70ebe579f5379b4c5a99010c801 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Feb 2022 10:54:44 +0800 +Subject: memory: emif: Add check for setup_interrupts + +From: Jiasheng Jiang + +[ Upstream commit fd7bd80b46373887b390852f490f21b07e209498 ] + +As the potential failure of the devm_request_threaded_irq(), +it should be better to check the return value of the +setup_interrupts() and return error if fails. + +Fixes: 68b4aee35d1f ("memory: emif: add interrupt and temperature handling") +Signed-off-by: Jiasheng Jiang +Link: https://lore.kernel.org/r/20220224025444.3256530-1-jiasheng@iscas.ac.cn +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + drivers/memory/emif.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/memory/emif.c b/drivers/memory/emif.c +index 88c32b8dc88a..ed6c5fcb136f 100644 +--- a/drivers/memory/emif.c ++++ b/drivers/memory/emif.c +@@ -1517,7 +1517,7 @@ static int __init_or_module emif_probe(struct platform_device *pdev) + { + struct emif_data *emif; + struct resource *res; +- int irq; ++ int irq, ret; + + if (pdev->dev.of_node) + emif = of_get_memory_device_details(pdev->dev.of_node, &pdev->dev); +@@ -1551,7 +1551,9 @@ static int __init_or_module emif_probe(struct platform_device *pdev) + emif_onetime_settings(emif); + emif_debugfs_init(emif); + disable_and_clear_all_interrupts(emif); +- setup_interrupts(emif, irq); ++ ret = setup_interrupts(emif, irq); ++ if (ret) ++ goto error; + + /* One-time actions taken on probing the first device */ + if (!emif1) { +-- +2.34.1 + diff --git a/queue-4.14/memory-emif-check-the-pointer-temp-in-get_device_det.patch b/queue-4.14/memory-emif-check-the-pointer-temp-in-get_device_det.patch new file mode 100644 index 00000000000..6466db65d97 --- /dev/null +++ b/queue-4.14/memory-emif-check-the-pointer-temp-in-get_device_det.patch @@ -0,0 +1,37 @@ +From dad3bb101d246a0ed433a8acc16f4720206dbdb8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Feb 2022 05:25:52 -0800 +Subject: memory: emif: check the pointer temp in get_device_details() + +From: Jia-Ju Bai + +[ Upstream commit 5b5ab1bfa1898c6d52936a57c25c5ceba2cb2f87 ] + +The pointer temp is allocated by devm_kzalloc(), so it should be +checked for error handling. + +Fixes: 7ec944538dde ("memory: emif: add basic infrastructure for EMIF driver") +Signed-off-by: Jia-Ju Bai +Link: https://lore.kernel.org/r/20220225132552.27894-1-baijiaju1990@gmail.com +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + drivers/memory/emif.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/memory/emif.c b/drivers/memory/emif.c +index ed6c5fcb136f..9f293b931144 100644 +--- a/drivers/memory/emif.c ++++ b/drivers/memory/emif.c +@@ -1425,7 +1425,7 @@ static struct emif_data *__init_or_module get_device_details( + temp = devm_kzalloc(dev, sizeof(*pd), GFP_KERNEL); + dev_info = devm_kzalloc(dev, sizeof(*dev_info), GFP_KERNEL); + +- if (!emif || !pd || !dev_info) { ++ if (!emif || !temp || !dev_info) { + dev_err(dev, "%s:%d: allocation error\n", __func__, __LINE__); + goto error; + } +-- +2.34.1 + diff --git a/queue-4.14/mfd-asic3-add-missing-iounmap-on-error-asic3_mfd_pro.patch b/queue-4.14/mfd-asic3-add-missing-iounmap-on-error-asic3_mfd_pro.patch new file mode 100644 index 00000000000..b3ee9b669dd --- /dev/null +++ b/queue-4.14/mfd-asic3-add-missing-iounmap-on-error-asic3_mfd_pro.patch @@ -0,0 +1,59 @@ +From 5f0a245c1e602f263351359127c90af58bb99b56 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Mar 2022 07:29:47 +0000 +Subject: mfd: asic3: Add missing iounmap() on error asic3_mfd_probe + +From: Miaoqian Lin + +[ Upstream commit e84ee1a75f944a0fe3c277aaa10c426603d2b0bc ] + +Add the missing iounmap() before return from asic3_mfd_probe +in the error handling case. + +Fixes: 64e8867ba809 ("mfd: tmio_mmc hardware abstraction for CNF area") +Signed-off-by: Miaoqian Lin +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20220307072947.5369-1-linmq006@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/mfd/asic3.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/mfd/asic3.c b/drivers/mfd/asic3.c +index cf2e25ab2940..21424c43ba72 100644 +--- a/drivers/mfd/asic3.c ++++ b/drivers/mfd/asic3.c +@@ -915,14 +915,14 @@ static int __init asic3_mfd_probe(struct platform_device *pdev, + ret = mfd_add_devices(&pdev->dev, pdev->id, + &asic3_cell_ds1wm, 1, mem, asic->irq_base, NULL); + if (ret < 0) +- goto out; ++ goto out_unmap; + } + + if (mem_sdio && (irq >= 0)) { + ret = mfd_add_devices(&pdev->dev, pdev->id, + &asic3_cell_mmc, 1, mem_sdio, irq, NULL); + if (ret < 0) +- goto out; ++ goto out_unmap; + } + + ret = 0; +@@ -936,8 +936,12 @@ static int __init asic3_mfd_probe(struct platform_device *pdev, + ret = mfd_add_devices(&pdev->dev, 0, + asic3_cell_leds, ASIC3_NUM_LEDS, NULL, 0, NULL); + } ++ return ret; + +- out: ++out_unmap: ++ if (asic->tmio_cnf) ++ iounmap(asic->tmio_cnf); ++out: + return ret; + } + +-- +2.34.1 + diff --git a/queue-4.14/mfd-mc13xxx-add-check-for-mc13xxx_irq_request.patch b/queue-4.14/mfd-mc13xxx-add-check-for-mc13xxx_irq_request.patch new file mode 100644 index 00000000000..23b942c9cbe --- /dev/null +++ b/queue-4.14/mfd-mc13xxx-add-check-for-mc13xxx_irq_request.patch @@ -0,0 +1,41 @@ +From cd93dc6767fb4fdad00ce5b538dea4aaf204c9f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Feb 2022 10:23:31 +0800 +Subject: mfd: mc13xxx: Add check for mc13xxx_irq_request + +From: Jiasheng Jiang + +[ Upstream commit e477e51a41cb5d6034f3c5ea85a71ad4613996b9 ] + +As the potential failure of the devm_request_threaded_irq(), +it should be better to check the return value of the +mc13xxx_irq_request() and return error if fails. + +Fixes: 8e00593557c3 ("mfd: Add mc13892 support to mc13xxx") +Signed-off-by: Jiasheng Jiang +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20220224022331.3208275-1-jiasheng@iscas.ac.cn +Signed-off-by: Sasha Levin +--- + drivers/mfd/mc13xxx-core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/mfd/mc13xxx-core.c b/drivers/mfd/mc13xxx-core.c +index 75d52034f89d..5b4faebdcae2 100644 +--- a/drivers/mfd/mc13xxx-core.c ++++ b/drivers/mfd/mc13xxx-core.c +@@ -313,8 +313,10 @@ int mc13xxx_adc_do_conversion(struct mc13xxx *mc13xxx, unsigned int mode, + adc1 |= MC13783_ADC1_ATOX; + + dev_dbg(mc13xxx->dev, "%s: request irq\n", __func__); +- mc13xxx_irq_request(mc13xxx, MC13XXX_IRQ_ADCDONE, ++ ret = mc13xxx_irq_request(mc13xxx, MC13XXX_IRQ_ADCDONE, + mc13xxx_handler_adcdone, __func__, &adcdone_data); ++ if (ret) ++ goto out; + + mc13xxx_reg_write(mc13xxx, MC13XXX_ADC0, adc0); + mc13xxx_reg_write(mc13xxx, MC13XXX_ADC1, adc1); +-- +2.34.1 + diff --git a/queue-4.14/mips-rb532-fix-return-value-of-__setup-handler.patch b/queue-4.14/mips-rb532-fix-return-value-of-__setup-handler.patch new file mode 100644 index 00000000000..c344e534ed8 --- /dev/null +++ b/queue-4.14/mips-rb532-fix-return-value-of-__setup-handler.patch @@ -0,0 +1,57 @@ +From c4b24eff2cbd103d3f21ef4ef95bad9e3f430da0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Mar 2022 20:20:26 -0800 +Subject: MIPS: RB532: fix return value of __setup handler + +From: Randy Dunlap + +[ Upstream commit 8755d57ba1ff910666572fab9e32890e8cc6ed3b ] + +__setup() handlers should return 1 to obsolete_checksetup() in +init/main.c to indicate that the boot option has been handled. +A return of 0 causes the boot option/value to be listed as an Unknown +kernel parameter and added to init's (limited) argument or environment +strings. Also, error return codes don't mean anything to +obsolete_checksetup() -- only non-zero (usually 1) or zero. +So return 1 from setup_kmac(). + +Fixes: 9e21c7e40b7e ("MIPS: RB532: Replace parse_mac_addr() with mac_pton().") +Fixes: 73b4390fb234 ("[MIPS] Routerboard 532: Support for base system") +Signed-off-by: Randy Dunlap +From: Igor Zhbanov +Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru +Cc: Thomas Bogendoerfer +Cc: linux-mips@vger.kernel.org +Cc: "David S. Miller" +Cc: Jakub Kicinski +Cc: Phil Sutter +Cc: Florian Fainelli +Cc: Ralf Baechle +Cc: Daniel Walter +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/rb532/devices.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/arch/mips/rb532/devices.c b/arch/mips/rb532/devices.c +index 32ea3e6731d6..ea500873f023 100644 +--- a/arch/mips/rb532/devices.c ++++ b/arch/mips/rb532/devices.c +@@ -313,11 +313,9 @@ static int __init plat_setup_devices(void) + static int __init setup_kmac(char *s) + { + printk(KERN_INFO "korina mac = %s\n", s); +- if (!mac_pton(s, korina_dev0_data.mac)) { ++ if (!mac_pton(s, korina_dev0_data.mac)) + printk(KERN_ERR "Invalid mac\n"); +- return -EINVAL; +- } +- return 0; ++ return 1; + } + + __setup("kmac=", setup_kmac); +-- +2.34.1 + diff --git a/queue-4.14/mmc-host-return-an-error-when-enable_sdio_irq-ops-is.patch b/queue-4.14/mmc-host-return-an-error-when-enable_sdio_irq-ops-is.patch new file mode 100644 index 00000000000..bef854d7e20 --- /dev/null +++ b/queue-4.14/mmc-host-return-an-error-when-enable_sdio_irq-ops-is.patch @@ -0,0 +1,60 @@ +From ce729442e34126997c520047efd9f2f3a707848d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Mar 2022 17:51:42 +0100 +Subject: mmc: host: Return an error when ->enable_sdio_irq() ops is missing + +From: Ulf Hansson + +[ Upstream commit d6c9219ca1139b74541b2a98cee47a3426d754a9 ] + +Even if the current WARN() notifies the user that something is severely +wrong, we can still end up in a PANIC() when trying to invoke the missing +->enable_sdio_irq() ops. Therefore, let's also return an error code and +prevent the host from being added. + +While at it, move the code into a separate function to prepare for +subsequent changes and for further host caps validations. + +Signed-off-by: Ulf Hansson +Link: https://lore.kernel.org/r/20220303165142.129745-1-ulf.hansson@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/mmc/core/host.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/drivers/mmc/core/host.c b/drivers/mmc/core/host.c +index 3740fb0052a4..4da2bcfd0649 100644 +--- a/drivers/mmc/core/host.c ++++ b/drivers/mmc/core/host.c +@@ -401,6 +401,16 @@ struct mmc_host *mmc_alloc_host(int extra, struct device *dev) + + EXPORT_SYMBOL(mmc_alloc_host); + ++static int mmc_validate_host_caps(struct mmc_host *host) ++{ ++ if (host->caps & MMC_CAP_SDIO_IRQ && !host->ops->enable_sdio_irq) { ++ dev_warn(host->parent, "missing ->enable_sdio_irq() ops\n"); ++ return -EINVAL; ++ } ++ ++ return 0; ++} ++ + /** + * mmc_add_host - initialise host hardware + * @host: mmc host +@@ -413,8 +423,9 @@ int mmc_add_host(struct mmc_host *host) + { + int err; + +- WARN_ON((host->caps & MMC_CAP_SDIO_IRQ) && +- !host->ops->enable_sdio_irq); ++ err = mmc_validate_host_caps(host); ++ if (err) ++ return err; + + err = device_add(&host->class_dev); + if (err) +-- +2.34.1 + diff --git a/queue-4.14/mtd-onenand-check-for-error-irq.patch b/queue-4.14/mtd-onenand-check-for-error-irq.patch new file mode 100644 index 00000000000..c2e9a498b34 --- /dev/null +++ b/queue-4.14/mtd-onenand-check-for-error-irq.patch @@ -0,0 +1,47 @@ +From a20d75f7db44cf2dbe5b32b1a98a3d59d0cf905c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jan 2022 00:26:58 +0800 +Subject: mtd: onenand: Check for error irq + +From: Jiasheng Jiang + +[ Upstream commit 3e68f331c8c759c0daa31cc92c3449b23119a215 ] + +For the possible failure of the platform_get_irq(), the returned irq +could be error number and will finally cause the failure of the +request_irq(). +Consider that platform_get_irq() can now in certain cases return +-EPROBE_DEFER, and the consequences of letting request_irq() effectively +convert that into -EINVAL, even at probe time rather than later on. +So it might be better to check just now. + +Fixes: 2c22120fbd01 ("MTD: OneNAND: interrupt based wait support") +Signed-off-by: Jiasheng Jiang +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20220104162658.1988142-1-jiasheng@iscas.ac.cn +Signed-off-by: Sasha Levin +--- + drivers/mtd/onenand/generic.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/mtd/onenand/generic.c b/drivers/mtd/onenand/generic.c +index 125da34d8ff9..23a878e7974e 100644 +--- a/drivers/mtd/onenand/generic.c ++++ b/drivers/mtd/onenand/generic.c +@@ -58,7 +58,12 @@ static int generic_onenand_probe(struct platform_device *pdev) + } + + info->onenand.mmcontrol = pdata ? pdata->mmcontrol : NULL; +- info->onenand.irq = platform_get_irq(pdev, 0); ++ ++ err = platform_get_irq(pdev, 0); ++ if (err < 0) ++ goto out_iounmap; ++ ++ info->onenand.irq = err; + + info->mtd.dev.parent = &pdev->dev; + info->mtd.priv = &info->onenand; +-- +2.34.1 + diff --git a/queue-4.14/mtd-rawnand-atmel-fix-refcount-issue-in-atmel_nand_c.patch b/queue-4.14/mtd-rawnand-atmel-fix-refcount-issue-in-atmel_nand_c.patch new file mode 100644 index 00000000000..fa7730381dc --- /dev/null +++ b/queue-4.14/mtd-rawnand-atmel-fix-refcount-issue-in-atmel_nand_c.patch @@ -0,0 +1,75 @@ +From 2fd99595d90f13eb6c31dfee17b650a2a61e50a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Mar 2022 16:53:32 +0800 +Subject: mtd: rawnand: atmel: fix refcount issue in atmel_nand_controller_init + +From: Xin Xiong + +[ Upstream commit fecbd4a317c95d73c849648c406bcf1b6a0ec1cf ] + +The reference counting issue happens in several error handling paths +on a refcounted object "nc->dmac". In these paths, the function simply +returns the error code, forgetting to balance the reference count of +"nc->dmac", increased earlier by dma_request_channel(), which may +cause refcount leaks. + +Fix it by decrementing the refcount of specific object in those error +paths. + +Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver") +Co-developed-by: Xiyu Yang +Signed-off-by: Xiyu Yang +Co-developed-by: Xin Tan +Signed-off-by: Xin Tan +Signed-off-by: Xin Xiong +Reviewed-by: Claudiu Beznea +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20220304085330.3610-1-xiongx18@fudan.edu.cn +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/atmel/nand-controller.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/drivers/mtd/nand/atmel/nand-controller.c b/drivers/mtd/nand/atmel/nand-controller.c +index d5a493e8ee08..475c751f2d1e 100644 +--- a/drivers/mtd/nand/atmel/nand-controller.c ++++ b/drivers/mtd/nand/atmel/nand-controller.c +@@ -1998,13 +1998,15 @@ static int atmel_nand_controller_init(struct atmel_nand_controller *nc, + nc->mck = of_clk_get(dev->parent->of_node, 0); + if (IS_ERR(nc->mck)) { + dev_err(dev, "Failed to retrieve MCK clk\n"); +- return PTR_ERR(nc->mck); ++ ret = PTR_ERR(nc->mck); ++ goto out_release_dma; + } + + np = of_parse_phandle(dev->parent->of_node, "atmel,smc", 0); + if (!np) { + dev_err(dev, "Missing or invalid atmel,smc property\n"); +- return -EINVAL; ++ ret = -EINVAL; ++ goto out_release_dma; + } + + nc->smc = syscon_node_to_regmap(np); +@@ -2012,10 +2014,16 @@ static int atmel_nand_controller_init(struct atmel_nand_controller *nc, + if (IS_ERR(nc->smc)) { + ret = PTR_ERR(nc->smc); + dev_err(dev, "Could not get SMC regmap (err = %d)\n", ret); +- return ret; ++ goto out_release_dma; + } + + return 0; ++ ++out_release_dma: ++ if (nc->dmac) ++ dma_release_channel(nc->dmac); ++ ++ return ret; + } + + static int +-- +2.34.1 + diff --git a/queue-4.14/mxser-fix-xmit_buf-leak-in-activate-when-lsr-0xff.patch b/queue-4.14/mxser-fix-xmit_buf-leak-in-activate-when-lsr-0xff.patch new file mode 100644 index 00000000000..60f23e44bba --- /dev/null +++ b/queue-4.14/mxser-fix-xmit_buf-leak-in-activate-when-lsr-0xff.patch @@ -0,0 +1,76 @@ +From fa95ff8d0716e524cef9fd3a9fbf6f1a1a28d5ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Jan 2022 08:14:24 +0100 +Subject: mxser: fix xmit_buf leak in activate when LSR == 0xff + +From: Jiri Slaby + +[ Upstream commit cd3a4907ee334b40d7aa880c7ab310b154fd5cd4 ] + +When LSR is 0xff in ->activate() (rather unlike), we return an error. +Provided ->shutdown() is not called when ->activate() fails, nothing +actually frees the buffer in this case. + +Fix this by properly freeing the buffer in a designated label. We jump +there also from the "!info->type" if now too. + +Fixes: 6769140d3047 ("tty: mxser: use the tty_port_open method") +Signed-off-by: Jiri Slaby +Link: https://lore.kernel.org/r/20220124071430.14907-6-jslaby@suse.cz +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/mxser.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/drivers/tty/mxser.c b/drivers/tty/mxser.c +index 7dd38047ba23..31d5a4d95c2d 100644 +--- a/drivers/tty/mxser.c ++++ b/drivers/tty/mxser.c +@@ -866,6 +866,7 @@ static int mxser_activate(struct tty_port *port, struct tty_struct *tty) + struct mxser_port *info = container_of(port, struct mxser_port, port); + unsigned long page; + unsigned long flags; ++ int ret; + + page = __get_free_page(GFP_KERNEL); + if (!page) +@@ -875,9 +876,9 @@ static int mxser_activate(struct tty_port *port, struct tty_struct *tty) + + if (!info->ioaddr || !info->type) { + set_bit(TTY_IO_ERROR, &tty->flags); +- free_page(page); + spin_unlock_irqrestore(&info->slock, flags); +- return 0; ++ ret = 0; ++ goto err_free_xmit; + } + info->port.xmit_buf = (unsigned char *) page; + +@@ -903,8 +904,10 @@ static int mxser_activate(struct tty_port *port, struct tty_struct *tty) + if (capable(CAP_SYS_ADMIN)) { + set_bit(TTY_IO_ERROR, &tty->flags); + return 0; +- } else +- return -ENODEV; ++ } ++ ++ ret = -ENODEV; ++ goto err_free_xmit; + } + + /* +@@ -949,6 +952,10 @@ static int mxser_activate(struct tty_port *port, struct tty_struct *tty) + spin_unlock_irqrestore(&info->slock, flags); + + return 0; ++err_free_xmit: ++ free_page(page); ++ info->port.xmit_buf = NULL; ++ return ret; + } + + /* +-- +2.34.1 + diff --git a/queue-4.14/net-bcmgenet-use-stronger-register-read-writes-to-as.patch b/queue-4.14/net-bcmgenet-use-stronger-register-read-writes-to-as.patch new file mode 100644 index 00000000000..15381253e00 --- /dev/null +++ b/queue-4.14/net-bcmgenet-use-stronger-register-read-writes-to-as.patch @@ -0,0 +1,115 @@ +From fc1af0ac692855cf3682d6cf579839e14d264816 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Mar 2022 22:53:58 -0600 +Subject: net: bcmgenet: Use stronger register read/writes to assure ordering + +From: Jeremy Linton + +[ Upstream commit 8d3ea3d402db94b61075617e71b67459a714a502 ] + +GCC12 appears to be much smarter about its dependency tracking and is +aware that the relaxed variants are just normal loads and stores and +this is causing problems like: + +[ 210.074549] ------------[ cut here ]------------ +[ 210.079223] NETDEV WATCHDOG: enabcm6e4ei0 (bcmgenet): transmit queue 1 timed out +[ 210.086717] WARNING: CPU: 1 PID: 0 at net/sched/sch_generic.c:529 dev_watchdog+0x234/0x240 +[ 210.095044] Modules linked in: genet(E) nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat] +[ 210.146561] ACPI CPPC: PCC check channel failed for ss: 0. ret=-110 +[ 210.146927] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G E 5.17.0-rc7G12+ #58 +[ 210.153226] CPPC Cpufreq:cppc_scale_freq_workfn: failed to read perf counters +[ 210.161349] Hardware name: Raspberry Pi Foundation Raspberry Pi 4 Model B/Raspberry Pi 4 Model B, BIOS EDK2-DEV 02/08/2022 +[ 210.161353] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ 210.161358] pc : dev_watchdog+0x234/0x240 +[ 210.161364] lr : dev_watchdog+0x234/0x240 +[ 210.161368] sp : ffff8000080a3a40 +[ 210.161370] x29: ffff8000080a3a40 x28: ffffcd425af87000 x27: ffff8000080a3b20 +[ 210.205150] x26: ffffcd425aa00000 x25: 0000000000000001 x24: ffffcd425af8ec08 +[ 210.212321] x23: 0000000000000100 x22: ffffcd425af87000 x21: ffff55b142688000 +[ 210.219491] x20: 0000000000000001 x19: ffff55b1426884c8 x18: ffffffffffffffff +[ 210.226661] x17: 64656d6974203120 x16: 0000000000000001 x15: 6d736e617274203a +[ 210.233831] x14: 2974656e65676d63 x13: ffffcd4259c300d8 x12: ffffcd425b07d5f0 +[ 210.241001] x11: 00000000ffffffff x10: ffffcd425b07d5f0 x9 : ffffcd4258bdad9c +[ 210.248171] x8 : 00000000ffffdfff x7 : 000000000000003f x6 : 0000000000000000 +[ 210.255341] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000001000 +[ 210.262511] x2 : 0000000000001000 x1 : 0000000000000005 x0 : 0000000000000044 +[ 210.269682] Call trace: +[ 210.272133] dev_watchdog+0x234/0x240 +[ 210.275811] call_timer_fn+0x3c/0x15c +[ 210.279489] __run_timers.part.0+0x288/0x310 +[ 210.283777] run_timer_softirq+0x48/0x80 +[ 210.287716] __do_softirq+0x128/0x360 +[ 210.291392] __irq_exit_rcu+0x138/0x140 +[ 210.295243] irq_exit_rcu+0x1c/0x30 +[ 210.298745] el1_interrupt+0x38/0x54 +[ 210.302334] el1h_64_irq_handler+0x18/0x24 +[ 210.306445] el1h_64_irq+0x7c/0x80 +[ 210.309857] arch_cpu_idle+0x18/0x2c +[ 210.313445] default_idle_call+0x4c/0x140 +[ 210.317470] cpuidle_idle_call+0x14c/0x1a0 +[ 210.321584] do_idle+0xb0/0x100 +[ 210.324737] cpu_startup_entry+0x30/0x8c +[ 210.328675] secondary_start_kernel+0xe4/0x110 +[ 210.333138] __secondary_switched+0x94/0x98 + +The assumption when these were relaxed seems to be that device memory +would be mapped non reordering, and that other constructs +(spinlocks/etc) would provide the barriers to assure that packet data +and in memory rings/queues were ordered with respect to device +register reads/writes. This itself seems a bit sketchy, but the real +problem with GCC12 is that it is moving the actual reads/writes around +at will as though they were independent operations when in truth they +are not, but the compiler can't know that. When looking at the +assembly dumps for many of these routines its possible to see very +clean, but not strictly in program order operations occurring as the +compiler would be free to do if these weren't actually register +reads/write operations. + +Its possible to suppress the timeout with a liberal bit of dma_mb()'s +sprinkled around but the device still seems unable to reliably +send/receive data. A better plan is to use the safer readl/writel +everywhere. + +Since this partially reverts an older commit, which notes the use of +the relaxed variants for performance reasons. I would suggest that +any performance problems with this commit are targeted at relaxing only +the performance critical code paths after assuring proper barriers. + +Fixes: 69d2ea9c79898 ("net: bcmgenet: Use correct I/O accessors") +Reported-by: Peter Robinson +Signed-off-by: Jeremy Linton +Acked-by: Peter Robinson +Tested-by: Peter Robinson +Acked-by: Florian Fainelli +Link: https://lore.kernel.org/r/20220310045358.224350-1-jeremy.linton@arm.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/genet/bcmgenet.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +index b819a9bde6cc..268ca60f256f 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +@@ -83,7 +83,7 @@ static inline void bcmgenet_writel(u32 value, void __iomem *offset) + if (IS_ENABLED(CONFIG_MIPS) && IS_ENABLED(CONFIG_CPU_BIG_ENDIAN)) + __raw_writel(value, offset); + else +- writel_relaxed(value, offset); ++ writel(value, offset); + } + + static inline u32 bcmgenet_readl(void __iomem *offset) +@@ -91,7 +91,7 @@ static inline u32 bcmgenet_readl(void __iomem *offset) + if (IS_ENABLED(CONFIG_MIPS) && IS_ENABLED(CONFIG_CPU_BIG_ENDIAN)) + return __raw_readl(offset); + else +- return readl_relaxed(offset); ++ return readl(offset); + } + + static inline void dmadesc_set_length_status(struct bcmgenet_priv *priv, +-- +2.34.1 + diff --git a/queue-4.14/net-phy-broadcom-fix-brcm_fet_config_init.patch b/queue-4.14/net-phy-broadcom-fix-brcm_fet_config_init.patch new file mode 100644 index 00000000000..cc8f90cef4c --- /dev/null +++ b/queue-4.14/net-phy-broadcom-fix-brcm_fet_config_init.patch @@ -0,0 +1,79 @@ +From 132e64f3573f9ec3038c6f6738fbe22e0d0aeafd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Mar 2022 16:24:38 -0700 +Subject: net: phy: broadcom: Fix brcm_fet_config_init() + +From: Florian Fainelli + +[ Upstream commit bf8bfc4336f7a34e48b3bbd19b1542bf085bdc3d ] + +A Broadcom AC201 PHY (same entry as 5241) would be flagged by the +Broadcom UniMAC MDIO controller as not completing the turn around +properly since the PHY expects 65 MDC clock cycles to complete a write +cycle, and the MDIO controller was only sending 64 MDC clock cycles as +determined by looking at a scope shot. + +This would make the subsequent read fail with the UniMAC MDIO controller +command field having MDIO_READ_FAIL set and we would abort the +brcm_fet_config_init() function and thus not probe the PHY at all. + +After issuing a software reset, wait for at least 1ms which is well +above the 1us reset delay advertised by the datasheet and issue a dummy +read to let the PHY turn around the line properly. This read +specifically ignores -EIO which would be returned by MDIO controllers +checking for the line being turned around. + +If we have a genuine reaad failure, the next read of the interrupt +status register would pick it up anyway. + +Fixes: d7a2ed9248a3 ("broadcom: Add AC131 phy support") +Signed-off-by: Florian Fainelli +Link: https://lore.kernel.org/r/20220324232438.1156812-1-f.fainelli@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/broadcom.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/drivers/net/phy/broadcom.c b/drivers/net/phy/broadcom.c +index 1e9ad30a35c8..97e017a54eb5 100644 +--- a/drivers/net/phy/broadcom.c ++++ b/drivers/net/phy/broadcom.c +@@ -15,6 +15,7 @@ + */ + + #include "bcm-phy-lib.h" ++#include + #include + #include + #include +@@ -444,6 +445,26 @@ static int brcm_fet_config_init(struct phy_device *phydev) + if (err < 0) + return err; + ++ /* The datasheet indicates the PHY needs up to 1us to complete a reset, ++ * build some slack here. ++ */ ++ usleep_range(1000, 2000); ++ ++ /* The PHY requires 65 MDC clock cycles to complete a write operation ++ * and turnaround the line properly. ++ * ++ * We ignore -EIO here as the MDIO controller (e.g.: mdio-bcm-unimac) ++ * may flag the lack of turn-around as a read failure. This is ++ * particularly true with this combination since the MDIO controller ++ * only used 64 MDC cycles. This is not a critical failure in this ++ * specific case and it has no functional impact otherwise, so we let ++ * that one go through. If there is a genuine bus error, the next read ++ * of MII_BRCM_FET_INTREG will error out. ++ */ ++ err = phy_read(phydev, MII_BMCR); ++ if (err < 0 && err != -EIO) ++ return err; ++ + reg = phy_read(phydev, MII_BRCM_FET_INTREG); + if (reg < 0) + return reg; +-- +2.34.1 + diff --git a/queue-4.14/net-x25-fix-null-ptr-deref-caused-by-x25_disconnect.patch b/queue-4.14/net-x25-fix-null-ptr-deref-caused-by-x25_disconnect.patch new file mode 100644 index 00000000000..678f92caea4 --- /dev/null +++ b/queue-4.14/net-x25-fix-null-ptr-deref-caused-by-x25_disconnect.patch @@ -0,0 +1,65 @@ +From d7bb2d35b6f681691f68051e5afd58f67ef87363 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Mar 2022 18:43:46 +0800 +Subject: net/x25: Fix null-ptr-deref caused by x25_disconnect + +From: Duoming Zhou + +[ Upstream commit 7781607938c8371d4c2b243527430241c62e39c2 ] + +When the link layer is terminating, x25->neighbour will be set to NULL +in x25_disconnect(). As a result, it could cause null-ptr-deref bugs in +x25_sendmsg(),x25_recvmsg() and x25_connect(). One of the bugs is +shown below. + + (Thread 1) | (Thread 2) +x25_link_terminated() | x25_recvmsg() + x25_kill_by_neigh() | ... + x25_disconnect() | lock_sock(sk) + ... | ... + x25->neighbour = NULL //(1) | + ... | x25->neighbour->extended //(2) + +The code sets NULL to x25->neighbour in position (1) and dereferences +x25->neighbour in position (2), which could cause null-ptr-deref bug. + +This patch adds lock_sock() in x25_kill_by_neigh() in order to synchronize +with x25_sendmsg(), x25_recvmsg() and x25_connect(). What`s more, the +sock held by lock_sock() is not NULL, because it is extracted from x25_list +and uses x25_list_lock to synchronize. + +Fixes: 4becb7ee5b3d ("net/x25: Fix x25_neigh refcnt leak when x25 disconnect") +Signed-off-by: Duoming Zhou +Reviewed-by: Lin Ma +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/x25/af_x25.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c +index fd0a6c6c77b6..e103ec39759f 100644 +--- a/net/x25/af_x25.c ++++ b/net/x25/af_x25.c +@@ -1796,10 +1796,15 @@ void x25_kill_by_neigh(struct x25_neigh *nb) + + write_lock_bh(&x25_list_lock); + +- sk_for_each(s, &x25_list) +- if (x25_sk(s)->neighbour == nb) ++ sk_for_each(s, &x25_list) { ++ if (x25_sk(s)->neighbour == nb) { ++ write_unlock_bh(&x25_list_lock); ++ lock_sock(s); + x25_disconnect(s, ENETUNREACH, 0, 0); +- ++ release_sock(s); ++ write_lock_bh(&x25_list_lock); ++ } ++ } + write_unlock_bh(&x25_list_lock); + + /* Remove any related forwards */ +-- +2.34.1 + diff --git a/queue-4.14/netfilter-nf_conntrack_tcp-preserve-liberal-flag-in-.patch b/queue-4.14/netfilter-nf_conntrack_tcp-preserve-liberal-flag-in-.patch new file mode 100644 index 00000000000..abd3fec4310 --- /dev/null +++ b/queue-4.14/netfilter-nf_conntrack_tcp-preserve-liberal-flag-in-.patch @@ -0,0 +1,71 @@ +From 4a457957a1d54b799eee90061d27789b2900c778 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Mar 2022 11:38:32 +0100 +Subject: netfilter: nf_conntrack_tcp: preserve liberal flag in tcp options + +From: Pablo Neira Ayuso + +[ Upstream commit f2dd495a8d589371289981d5ed33e6873df94ecc ] + +Do not reset IP_CT_TCP_FLAG_BE_LIBERAL flag in out-of-sync scenarios +coming before the TCP window tracking, otherwise such connections will +fail in the window check. + +Update tcp_options() to leave this flag in place and add a new helper +function to reset the tcp window state. + +Based on patch from Sven Auhagen. + +Fixes: c4832c7bbc3f ("netfilter: nf_ct_tcp: improve out-of-sync situation in TCP tracking") +Tested-by: Sven Auhagen +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_proto_tcp.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c +index cba1c6ffe51a..5239c502c016 100644 +--- a/net/netfilter/nf_conntrack_proto_tcp.c ++++ b/net/netfilter/nf_conntrack_proto_tcp.c +@@ -383,8 +383,8 @@ static void tcp_options(const struct sk_buff *skb, + length, buff); + BUG_ON(ptr == NULL); + +- state->td_scale = +- state->flags = 0; ++ state->td_scale = 0; ++ state->flags &= IP_CT_TCP_FLAG_BE_LIBERAL; + + while (length > 0) { + int opcode=*ptr++; +@@ -797,6 +797,16 @@ static unsigned int *tcp_get_timeouts(struct net *net) + return tcp_pernet(net)->timeouts; + } + ++static void nf_ct_tcp_state_reset(struct ip_ct_tcp_state *state) ++{ ++ state->td_end = 0; ++ state->td_maxend = 0; ++ state->td_maxwin = 0; ++ state->td_maxack = 0; ++ state->td_scale = 0; ++ state->flags &= IP_CT_TCP_FLAG_BE_LIBERAL; ++} ++ + /* Returns verdict for packet, or -1 for invalid. */ + static int tcp_packet(struct nf_conn *ct, + const struct sk_buff *skb, +@@ -897,8 +907,7 @@ static int tcp_packet(struct nf_conn *ct, + ct->proto.tcp.last_flags &= ~IP_CT_EXP_CHALLENGE_ACK; + ct->proto.tcp.seen[ct->proto.tcp.last_dir].flags = + ct->proto.tcp.last_flags; +- memset(&ct->proto.tcp.seen[dir], 0, +- sizeof(struct ip_ct_tcp_state)); ++ nf_ct_tcp_state_reset(&ct->proto.tcp.seen[dir]); + break; + } + ct->proto.tcp.last_index = index; +-- +2.34.1 + diff --git a/queue-4.14/netfilter-nf_nat_h323-eliminate-anonymous-module_ini.patch b/queue-4.14/netfilter-nf_nat_h323-eliminate-anonymous-module_ini.patch new file mode 100644 index 00000000000..a3f314a393f --- /dev/null +++ b/queue-4.14/netfilter-nf_nat_h323-eliminate-anonymous-module_ini.patch @@ -0,0 +1,74 @@ +From 808d99ce8d4d5b743f7f51ca1542c869dace7f34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Mar 2022 12:20:05 -0700 +Subject: netfilter: nf_nat_h323: eliminate anonymous module_init & module_exit + +From: Randy Dunlap + +[ Upstream commit fd4213929053bb58b0b2a080ca17f2dd1a9b6df4 ] + +Eliminate anonymous module_init() and module_exit(), which can lead to +confusion or ambiguity when reading System.map, crashes/oops/bugs, +or an initcall_debug log. + +Give each of these init and exit functions unique driver-specific +names to eliminate the anonymous names. + +Example 1: (System.map) + ffffffff832fc78c t init + ffffffff832fc79e t init + ffffffff832fc8f8 t init + +Example 2: (initcall_debug log) + calling init+0x0/0x12 @ 1 + initcall init+0x0/0x12 returned 0 after 15 usecs + calling init+0x0/0x60 @ 1 + initcall init+0x0/0x60 returned 0 after 2 usecs + calling init+0x0/0x9a @ 1 + initcall init+0x0/0x9a returned 0 after 74 usecs + +Fixes: f587de0e2feb ("[NETFILTER]: nf_conntrack/nf_nat: add H.323 helper port") +Signed-off-by: Randy Dunlap +Acked-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/ipv4/netfilter/nf_nat_h323.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/netfilter/nf_nat_h323.c b/net/ipv4/netfilter/nf_nat_h323.c +index ac8342dcb55e..0a21dbfb40ad 100644 +--- a/net/ipv4/netfilter/nf_nat_h323.c ++++ b/net/ipv4/netfilter/nf_nat_h323.c +@@ -581,7 +581,7 @@ static struct nf_ct_helper_expectfn callforwarding_nat = { + }; + + /****************************************************************************/ +-static int __init init(void) ++static int __init nf_nat_h323_init(void) + { + BUG_ON(set_h245_addr_hook != NULL); + BUG_ON(set_h225_addr_hook != NULL); +@@ -608,7 +608,7 @@ static int __init init(void) + } + + /****************************************************************************/ +-static void __exit fini(void) ++static void __exit nf_nat_h323_fini(void) + { + RCU_INIT_POINTER(set_h245_addr_hook, NULL); + RCU_INIT_POINTER(set_h225_addr_hook, NULL); +@@ -625,8 +625,8 @@ static void __exit fini(void) + } + + /****************************************************************************/ +-module_init(init); +-module_exit(fini); ++module_init(nf_nat_h323_init); ++module_exit(nf_nat_h323_fini); + + MODULE_AUTHOR("Jing Min Zhao "); + MODULE_DESCRIPTION("H.323 NAT helper"); +-- +2.34.1 + diff --git a/queue-4.14/nfs-remove-unneeded-check-in-decode_devicenotify_arg.patch b/queue-4.14/nfs-remove-unneeded-check-in-decode_devicenotify_arg.patch new file mode 100644 index 00000000000..47d6583e7ef --- /dev/null +++ b/queue-4.14/nfs-remove-unneeded-check-in-decode_devicenotify_arg.patch @@ -0,0 +1,39 @@ +From 9474178c639465a5eb38b9a8e623c832701bec07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Feb 2022 13:17:04 +0300 +Subject: NFS: remove unneeded check in decode_devicenotify_args() + +From: Alexey Khoroshilov + +[ Upstream commit cb8fac6d2727f79f211e745b16c9abbf4d8be652 ] + +[You don't often get email from khoroshilov@ispras.ru. Learn why this is important at http://aka.ms/LearnAboutSenderIdentification.] + +Overflow check in not needed anymore after we switch to kmalloc_array(). + +Signed-off-by: Alexey Khoroshilov +Fixes: a4f743a6bb20 ("NFSv4.1: Convert open-coded array allocation calls to kmalloc_array()") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/callback_xdr.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/fs/nfs/callback_xdr.c b/fs/nfs/callback_xdr.c +index 36c34be839d0..737c37603fb1 100644 +--- a/fs/nfs/callback_xdr.c ++++ b/fs/nfs/callback_xdr.c +@@ -278,10 +278,6 @@ __be32 decode_devicenotify_args(struct svc_rqst *rqstp, + n = ntohl(*p++); + if (n == 0) + goto out; +- if (n > ULONG_MAX / sizeof(*args->devs)) { +- status = htonl(NFS4ERR_BADXDR); +- goto out; +- } + + args->devs = kmalloc_array(n, sizeof(*args->devs), GFP_KERNEL); + if (!args->devs) { +-- +2.34.1 + diff --git a/queue-4.14/nfsv4-pnfs-fix-another-issue-with-a-list-iterator-po.patch b/queue-4.14/nfsv4-pnfs-fix-another-issue-with-a-list-iterator-po.patch new file mode 100644 index 00000000000..80b10c49b60 --- /dev/null +++ b/queue-4.14/nfsv4-pnfs-fix-another-issue-with-a-list-iterator-po.patch @@ -0,0 +1,120 @@ +From 5f575253cc1ce6826084468c7ac687aae60224b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Mar 2022 08:36:34 -0400 +Subject: NFSv4/pNFS: Fix another issue with a list iterator pointing to the + head + +From: Trond Myklebust + +[ Upstream commit 7c9d845f0612e5bcd23456a2ec43be8ac43458f1 ] + +In nfs4_callback_devicenotify(), if we don't find a matching entry for +the deviceid, we're left with a pointer to 'struct nfs_server' that +actually points to the list of super blocks associated with our struct +nfs_client. +Furthermore, even if we have a valid pointer, nothing pins the super +block, and so the struct nfs_server could end up getting freed while +we're using it. + +Since all we want is a pointer to the struct pnfs_layoutdriver_type, +let's skip all the iteration over super blocks, and just use APIs to +find the layout driver directly. + +Reported-by: Xiaomeng Tong +Fixes: 1be5683b03a7 ("pnfs: CB_NOTIFY_DEVICEID") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/callback_proc.c | 27 +++++++++------------------ + fs/nfs/pnfs.c | 11 +++++++++++ + fs/nfs/pnfs.h | 2 ++ + 3 files changed, 22 insertions(+), 18 deletions(-) + +diff --git a/fs/nfs/callback_proc.c b/fs/nfs/callback_proc.c +index 3998b432e1b9..825b3166605d 100644 +--- a/fs/nfs/callback_proc.c ++++ b/fs/nfs/callback_proc.c +@@ -355,12 +355,11 @@ __be32 nfs4_callback_devicenotify(void *argp, void *resp, + struct cb_process_state *cps) + { + struct cb_devicenotifyargs *args = argp; ++ const struct pnfs_layoutdriver_type *ld = NULL; + uint32_t i; + __be32 res = 0; +- struct nfs_client *clp = cps->clp; +- struct nfs_server *server = NULL; + +- if (!clp) { ++ if (!cps->clp) { + res = cpu_to_be32(NFS4ERR_OP_NOT_IN_SESSION); + goto out; + } +@@ -368,23 +367,15 @@ __be32 nfs4_callback_devicenotify(void *argp, void *resp, + for (i = 0; i < args->ndevs; i++) { + struct cb_devicenotifyitem *dev = &args->devs[i]; + +- if (!server || +- server->pnfs_curr_ld->id != dev->cbd_layout_type) { +- rcu_read_lock(); +- list_for_each_entry_rcu(server, &clp->cl_superblocks, client_link) +- if (server->pnfs_curr_ld && +- server->pnfs_curr_ld->id == dev->cbd_layout_type) { +- rcu_read_unlock(); +- goto found; +- } +- rcu_read_unlock(); +- continue; ++ if (!ld || ld->id != dev->cbd_layout_type) { ++ pnfs_put_layoutdriver(ld); ++ ld = pnfs_find_layoutdriver(dev->cbd_layout_type); ++ if (!ld) ++ continue; + } +- +- found: +- nfs4_delete_deviceid(server->pnfs_curr_ld, clp, &dev->cbd_dev_id); ++ nfs4_delete_deviceid(ld, cps->clp, &dev->cbd_dev_id); + } +- ++ pnfs_put_layoutdriver(ld); + out: + kfree(args->devs); + return res; +diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c +index 619fc5c4c82c..18bbdaefd940 100644 +--- a/fs/nfs/pnfs.c ++++ b/fs/nfs/pnfs.c +@@ -91,6 +91,17 @@ find_pnfs_driver(u32 id) + return local; + } + ++const struct pnfs_layoutdriver_type *pnfs_find_layoutdriver(u32 id) ++{ ++ return find_pnfs_driver(id); ++} ++ ++void pnfs_put_layoutdriver(const struct pnfs_layoutdriver_type *ld) ++{ ++ if (ld) ++ module_put(ld->owner); ++} ++ + void + unset_pnfs_layoutdriver(struct nfs_server *nfss) + { +diff --git a/fs/nfs/pnfs.h b/fs/nfs/pnfs.h +index 965d657086c8..3504826c1ee7 100644 +--- a/fs/nfs/pnfs.h ++++ b/fs/nfs/pnfs.h +@@ -219,6 +219,8 @@ struct pnfs_devicelist { + + extern int pnfs_register_layoutdriver(struct pnfs_layoutdriver_type *); + extern void pnfs_unregister_layoutdriver(struct pnfs_layoutdriver_type *); ++extern const struct pnfs_layoutdriver_type *pnfs_find_layoutdriver(u32 id); ++extern void pnfs_put_layoutdriver(const struct pnfs_layoutdriver_type *ld); + + /* nfs4proc.c */ + extern int nfs4_proc_getdeviceinfo(struct nfs_server *server, +-- +2.34.1 + diff --git a/queue-4.14/ntfs-add-sanity-check-on-allocation-size.patch b/queue-4.14/ntfs-add-sanity-check-on-allocation-size.patch new file mode 100644 index 00000000000..9e40963f489 --- /dev/null +++ b/queue-4.14/ntfs-add-sanity-check-on-allocation-size.patch @@ -0,0 +1,43 @@ +From fd35e7da9c2c33953f297b537e397c9606671557 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Mar 2022 14:38:39 -0700 +Subject: ntfs: add sanity check on allocation size + +From: Dongliang Mu + +[ Upstream commit 714fbf2647b1a33d914edd695d4da92029c7e7c0 ] + +ntfs_read_inode_mount invokes ntfs_malloc_nofs with zero allocation +size. It triggers one BUG in the __ntfs_malloc function. + +Fix this by adding sanity check on ni->attr_list_size. + +Link: https://lkml.kernel.org/r/20220120094914.47736-1-dzm91@hust.edu.cn +Reported-by: syzbot+3c765c5248797356edaa@syzkaller.appspotmail.com +Signed-off-by: Dongliang Mu +Acked-by: Anton Altaparmakov +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ntfs/inode.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fs/ntfs/inode.c b/fs/ntfs/inode.c +index 8cd134750ebb..4150b3633f77 100644 +--- a/fs/ntfs/inode.c ++++ b/fs/ntfs/inode.c +@@ -1915,6 +1915,10 @@ int ntfs_read_inode_mount(struct inode *vi) + } + /* Now allocate memory for the attribute list. */ + ni->attr_list_size = (u32)ntfs_attr_size(a); ++ if (!ni->attr_list_size) { ++ ntfs_error(sb, "Attr_list_size is zero"); ++ goto put_err_out; ++ } + ni->attr_list = ntfs_malloc_nofs(ni->attr_list_size); + if (!ni->attr_list) { + ntfs_error(sb, "Not enough memory to allocate buffer " +-- +2.34.1 + diff --git a/queue-4.14/pci-reduce-warnings-on-possible-rw1c-corruption.patch b/queue-4.14/pci-reduce-warnings-on-possible-rw1c-corruption.patch new file mode 100644 index 00000000000..e3179a10169 --- /dev/null +++ b/queue-4.14/pci-reduce-warnings-on-possible-rw1c-corruption.patch @@ -0,0 +1,71 @@ +From d18dec45138f2d6c680db0732a1bb709eb00e5c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Aug 2020 16:14:55 +1200 +Subject: PCI: Reduce warnings on possible RW1C corruption + +From: Mark Tomlinson + +[ Upstream commit 92c45b63ce22c8898aa41806e8d6692bcd577510 ] + +For hardware that only supports 32-bit writes to PCI there is the +possibility of clearing RW1C (write-one-to-clear) bits. A rate-limited +messages was introduced by fb2659230120, but rate-limiting is not the best +choice here. Some devices may not show the warnings they should if another +device has just produced a bunch of warnings. Also, the number of messages +can be a nuisance on devices which are otherwise working fine. + +Change the ratelimit to a single warning per bus. This ensures no bus is +'starved' of emitting a warning and also that there isn't a continuous +stream of warnings. It would be preferable to have a warning per device, +but the pci_dev structure is not available here, and a lookup from devfn +would be far too slow. + +Suggested-by: Bjorn Helgaas +Fixes: fb2659230120 ("PCI: Warn on possible RW1C corruption for sub-32 bit config writes") +Link: https://lore.kernel.org/r/20200806041455.11070-1-mark.tomlinson@alliedtelesis.co.nz +Signed-off-by: Mark Tomlinson +Signed-off-by: Bjorn Helgaas +Reviewed-by: Florian Fainelli +Reviewed-by: Rob Herring +Acked-by: Scott Branden +Signed-off-by: Sasha Levin +--- + drivers/pci/access.c | 9 ++++++--- + include/linux/pci.h | 1 + + 2 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/pci/access.c b/drivers/pci/access.c +index 8c585e7ca520..9ae710a63d38 100644 +--- a/drivers/pci/access.c ++++ b/drivers/pci/access.c +@@ -161,9 +161,12 @@ int pci_generic_config_write32(struct pci_bus *bus, unsigned int devfn, + * write happen to have any RW1C (write-one-to-clear) bits set, we + * just inadvertently cleared something we shouldn't have. + */ +- dev_warn_ratelimited(&bus->dev, "%d-byte config write to %04x:%02x:%02x.%d offset %#x may corrupt adjacent RW1C bits\n", +- size, pci_domain_nr(bus), bus->number, +- PCI_SLOT(devfn), PCI_FUNC(devfn), where); ++ if (!bus->unsafe_warn) { ++ dev_warn(&bus->dev, "%d-byte config write to %04x:%02x:%02x.%d offset %#x may corrupt adjacent RW1C bits\n", ++ size, pci_domain_nr(bus), bus->number, ++ PCI_SLOT(devfn), PCI_FUNC(devfn), where); ++ bus->unsafe_warn = 1; ++ } + + mask = ~(((1 << (size * 8)) - 1) << ((where & 0x3) * 8)); + tmp = readl(addr) & mask; +diff --git a/include/linux/pci.h b/include/linux/pci.h +index 66c0d5fad0cb..521030233c8d 100644 +--- a/include/linux/pci.h ++++ b/include/linux/pci.h +@@ -569,6 +569,7 @@ struct pci_bus { + struct bin_attribute *legacy_io; /* legacy I/O for this bus */ + struct bin_attribute *legacy_mem; /* legacy mem */ + unsigned int is_added:1; ++ unsigned int unsafe_warn:1; /* warned about RW1C config write */ + }; + + #define to_pci_bus(n) container_of(n, struct pci_bus, dev) +-- +2.34.1 + diff --git a/queue-4.14/perf-core-fix-address-filter-parser-for-multiple-fil.patch b/queue-4.14/perf-core-fix-address-filter-parser-for-multiple-fil.patch new file mode 100644 index 00000000000..c84080e50f4 --- /dev/null +++ b/queue-4.14/perf-core-fix-address-filter-parser-for-multiple-fil.patch @@ -0,0 +1,40 @@ +From c38f78f41e424c8eb68cb402ea096b1f60da7fb6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Jan 2022 09:24:51 +0200 +Subject: perf/core: Fix address filter parser for multiple filters + +From: Adrian Hunter + +[ Upstream commit d680ff24e9e14444c63945b43a37ede7cd6958f9 ] + +Reset appropriate variables in the parser loop between parsing separate +filters, so that they do not interfere with parsing the next filter. + +Fixes: 375637bc524952 ("perf/core: Introduce address range filtering") +Signed-off-by: Adrian Hunter +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lore.kernel.org/r/20220131072453.2839535-4-adrian.hunter@intel.com +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 54da9e12381f..0f49ab48cb14 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -8641,8 +8641,11 @@ perf_event_parse_addr_filter(struct perf_event *event, char *fstr, + } + + /* ready to consume more filters */ ++ kfree(filename); ++ filename = NULL; + state = IF_STATE_ACTION; + filter = NULL; ++ kernel = 0; + } + } + +-- +2.34.1 + diff --git a/queue-4.14/perf-x86-intel-pt-fix-address-filter-config-for-32-b.patch b/queue-4.14/perf-x86-intel-pt-fix-address-filter-config-for-32-b.patch new file mode 100644 index 00000000000..7b43e739c08 --- /dev/null +++ b/queue-4.14/perf-x86-intel-pt-fix-address-filter-config-for-32-b.patch @@ -0,0 +1,37 @@ +From d7807d6dc98cd4b9b4711567352f5b644a9aa31a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Jan 2022 09:24:52 +0200 +Subject: perf/x86/intel/pt: Fix address filter config for 32-bit kernel + +From: Adrian Hunter + +[ Upstream commit e5524bf1047eb3b3f3f33b5f59897ba67b3ade87 ] + +Change from shifting 'unsigned long' to 'u64' to prevent the config bits +being lost on a 32-bit kernel. + +Fixes: eadf48cab4b6b0 ("perf/x86/intel/pt: Add support for address range filtering in PT") +Signed-off-by: Adrian Hunter +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lore.kernel.org/r/20220131072453.2839535-5-adrian.hunter@intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/pt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/events/intel/pt.c b/arch/x86/events/intel/pt.c +index 990ca9614b23..ad273bba5126 100644 +--- a/arch/x86/events/intel/pt.c ++++ b/arch/x86/events/intel/pt.c +@@ -460,7 +460,7 @@ static u64 pt_config_filters(struct perf_event *event) + pt->filters.filter[range].msr_b = filter->msr_b; + } + +- rtit_ctl |= filter->config << pt_address_ranges[range].reg_off; ++ rtit_ctl |= (u64)filter->config << pt_address_ranges[range].reg_off; + } + + return rtit_ctl; +-- +2.34.1 + diff --git a/queue-4.14/pinctrl-mediatek-fix-missing-of_node_put-in-mtk_pctr.patch b/queue-4.14/pinctrl-mediatek-fix-missing-of_node_put-in-mtk_pctr.patch new file mode 100644 index 00000000000..df274ec71ca --- /dev/null +++ b/queue-4.14/pinctrl-mediatek-fix-missing-of_node_put-in-mtk_pctr.patch @@ -0,0 +1,45 @@ +From 24ecae6f3d402f422a75e3667ba29e126c68fde3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Mar 2022 07:11:54 +0000 +Subject: pinctrl: mediatek: Fix missing of_node_put() in mtk_pctrl_init + +From: Miaoqian Lin + +[ Upstream commit dab4df9ca919f59e5b9dd84385eaf34d4f20dbb0 ] + +The device_node pointer is returned by of_parse_phandle() with refcount +incremented. We should use of_node_put() on it when done. + +Fixes: a6df410d420a ("pinctrl: mediatek: Add Pinctrl/GPIO driver for mt8135.") +Signed-off-by: Miaoqian Lin +Reviewed-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20220308071155.21114-1-linmq006@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/mediatek/pinctrl-mtk-common.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/pinctrl/mediatek/pinctrl-mtk-common.c b/drivers/pinctrl/mediatek/pinctrl-mtk-common.c +index 3cf384f8b122..8b07439bb694 100644 +--- a/drivers/pinctrl/mediatek/pinctrl-mtk-common.c ++++ b/drivers/pinctrl/mediatek/pinctrl-mtk-common.c +@@ -1367,6 +1367,7 @@ int mtk_pctrl_init(struct platform_device *pdev, + node = of_parse_phandle(np, "mediatek,pctl-regmap", 0); + if (node) { + pctl->regmap1 = syscon_node_to_regmap(node); ++ of_node_put(node); + if (IS_ERR(pctl->regmap1)) + return PTR_ERR(pctl->regmap1); + } else if (regmap) { +@@ -1380,6 +1381,7 @@ int mtk_pctrl_init(struct platform_device *pdev, + node = of_parse_phandle(np, "mediatek,pctl-regmap", 1); + if (node) { + pctl->regmap2 = syscon_node_to_regmap(node); ++ of_node_put(node); + if (IS_ERR(pctl->regmap2)) + return PTR_ERR(pctl->regmap2); + } +-- +2.34.1 + diff --git a/queue-4.14/pinctrl-nomadik-add-missing-of_node_put-in-nmk_pinct.patch b/queue-4.14/pinctrl-nomadik-add-missing-of_node_put-in-nmk_pinct.patch new file mode 100644 index 00000000000..bf7190bcf1f --- /dev/null +++ b/queue-4.14/pinctrl-nomadik-add-missing-of_node_put-in-nmk_pinct.patch @@ -0,0 +1,41 @@ +From 04e012bbbbf8f9d9839129e705c24ebc4163b0cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Mar 2022 11:51:16 +0000 +Subject: pinctrl: nomadik: Add missing of_node_put() in nmk_pinctrl_probe + +From: Miaoqian Lin + +[ Upstream commit c09ac191b1f97cfa06f394dbfd7a5db07986cefc ] + +This node pointer is returned by of_parse_phandle() with refcount +incremented in this function. Calling of_node_put() to avoid +the refcount leak. + +Fixes: 32e67eee670e ("pinctrl: nomadik: Allow prcm_base to be extracted from Device Tree") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220307115116.25316-1-linmq006@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/nomadik/pinctrl-nomadik.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/nomadik/pinctrl-nomadik.c b/drivers/pinctrl/nomadik/pinctrl-nomadik.c +index a53f1a9b1ed2..69c702b366bc 100644 +--- a/drivers/pinctrl/nomadik/pinctrl-nomadik.c ++++ b/drivers/pinctrl/nomadik/pinctrl-nomadik.c +@@ -1916,8 +1916,10 @@ static int nmk_pinctrl_probe(struct platform_device *pdev) + } + + prcm_np = of_parse_phandle(np, "prcm", 0); +- if (prcm_np) ++ if (prcm_np) { + npct->prcm_base = of_iomap(prcm_np, 0); ++ of_node_put(prcm_np); ++ } + if (!npct->prcm_base) { + if (version == PINCTRL_NMK_STN8815) { + dev_info(&pdev->dev, +-- +2.34.1 + diff --git a/queue-4.14/pinctrl-rockchip-add-missing-of_node_put-in-rockchip.patch b/queue-4.14/pinctrl-rockchip-add-missing-of_node_put-in-rockchip.patch new file mode 100644 index 00000000000..9d6d0a80ef8 --- /dev/null +++ b/queue-4.14/pinctrl-rockchip-add-missing-of_node_put-in-rockchip.patch @@ -0,0 +1,45 @@ +From d778a17253deea0ae570313467bf6b1f25c7da3c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Mar 2022 12:02:34 +0000 +Subject: pinctrl/rockchip: Add missing of_node_put() in rockchip_pinctrl_probe + +From: Miaoqian Lin + +[ Upstream commit 89388f8730699c259f8090ec435fb43569efe4ac ] + +The device_node pointer is returned by of_parse_phandle() with refcount +incremented. We should use of_node_put() on it when done. + +Fixes: 1e747e59cc4d ("pinctrl: rockchip: base regmap supplied by a syscon") +Fixes: 14dee8677e19 ("pinctrl: rockchip: let pmu registers be supplied by a syscon") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220307120234.28657-1-linmq006@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-rockchip.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/pinctrl/pinctrl-rockchip.c b/drivers/pinctrl/pinctrl-rockchip.c +index d6b344163448..0c237dd13f2f 100644 +--- a/drivers/pinctrl/pinctrl-rockchip.c ++++ b/drivers/pinctrl/pinctrl-rockchip.c +@@ -3168,6 +3168,7 @@ static int rockchip_pinctrl_probe(struct platform_device *pdev) + node = of_parse_phandle(np, "rockchip,grf", 0); + if (node) { + info->regmap_base = syscon_node_to_regmap(node); ++ of_node_put(node); + if (IS_ERR(info->regmap_base)) + return PTR_ERR(info->regmap_base); + } else { +@@ -3204,6 +3205,7 @@ static int rockchip_pinctrl_probe(struct platform_device *pdev) + node = of_parse_phandle(np, "rockchip,pmu", 0); + if (node) { + info->regmap_pmu = syscon_node_to_regmap(node); ++ of_node_put(node); + if (IS_ERR(info->regmap_pmu)) + return PTR_ERR(info->regmap_pmu); + } +-- +2.34.1 + diff --git a/queue-4.14/pm-core-keep-irq-flags-in-device_pm_check_callbacks.patch b/queue-4.14/pm-core-keep-irq-flags-in-device_pm_check_callbacks.patch new file mode 100644 index 00000000000..4459753e667 --- /dev/null +++ b/queue-4.14/pm-core-keep-irq-flags-in-device_pm_check_callbacks.patch @@ -0,0 +1,105 @@ +From 6f6661eb1a34d1989ec9349944db19cc13bb54ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Mar 2022 14:02:14 +0300 +Subject: PM: core: keep irq flags in device_pm_check_callbacks() + +From: Dmitry Baryshkov + +[ Upstream commit 524bb1da785a7ae43dd413cd392b5071c6c367f8 ] + +The function device_pm_check_callbacks() can be called under the spin +lock (in the reported case it happens from genpd_add_device() -> +dev_pm_domain_set(), when the genpd uses spinlocks rather than mutexes. + +However this function uncoditionally uses spin_lock_irq() / +spin_unlock_irq(), thus not preserving the CPU flags. Use the +irqsave/irqrestore instead. + +The backtrace for the reference: +[ 2.752010] ------------[ cut here ]------------ +[ 2.756769] raw_local_irq_restore() called with IRQs enabled +[ 2.762596] WARNING: CPU: 4 PID: 1 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x34/0x50 +[ 2.772338] Modules linked in: +[ 2.775487] CPU: 4 PID: 1 Comm: swapper/0 Tainted: G S 5.17.0-rc6-00384-ge330d0d82eff-dirty #684 +[ 2.781384] Freeing initrd memory: 46024K +[ 2.785839] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ 2.785841] pc : warn_bogus_irq_restore+0x34/0x50 +[ 2.785844] lr : warn_bogus_irq_restore+0x34/0x50 +[ 2.785846] sp : ffff80000805b7d0 +[ 2.785847] x29: ffff80000805b7d0 x28: 0000000000000000 x27: 0000000000000002 +[ 2.785850] x26: ffffd40e80930b18 x25: ffff7ee2329192b8 x24: ffff7edfc9f60800 +[ 2.785853] x23: ffffd40e80930b18 x22: ffffd40e80930d30 x21: ffff7edfc0dffa00 +[ 2.785856] x20: ffff7edfc09e3768 x19: 0000000000000000 x18: ffffffffffffffff +[ 2.845775] x17: 6572206f74206465 x16: 6c696166203a3030 x15: ffff80008805b4f7 +[ 2.853108] x14: 0000000000000000 x13: ffffd40e809550b0 x12: 00000000000003d8 +[ 2.860441] x11: 0000000000000148 x10: ffffd40e809550b0 x9 : ffffd40e809550b0 +[ 2.867774] x8 : 00000000ffffefff x7 : ffffd40e809ad0b0 x6 : ffffd40e809ad0b0 +[ 2.875107] x5 : 000000000000bff4 x4 : 0000000000000000 x3 : 0000000000000000 +[ 2.882440] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff7edfc03a8000 +[ 2.889774] Call trace: +[ 2.892290] warn_bogus_irq_restore+0x34/0x50 +[ 2.896770] _raw_spin_unlock_irqrestore+0x94/0xa0 +[ 2.901690] genpd_unlock_spin+0x20/0x30 +[ 2.905724] genpd_add_device+0x100/0x2d0 +[ 2.909850] __genpd_dev_pm_attach+0xa8/0x23c +[ 2.914329] genpd_dev_pm_attach_by_id+0xc4/0x190 +[ 2.919167] genpd_dev_pm_attach_by_name+0x3c/0xd0 +[ 2.924086] dev_pm_domain_attach_by_name+0x24/0x30 +[ 2.929102] psci_dt_attach_cpu+0x24/0x90 +[ 2.933230] psci_cpuidle_probe+0x2d4/0x46c +[ 2.937534] platform_probe+0x68/0xe0 +[ 2.941304] really_probe.part.0+0x9c/0x2fc +[ 2.945605] __driver_probe_device+0x98/0x144 +[ 2.950085] driver_probe_device+0x44/0x15c +[ 2.954385] __device_attach_driver+0xb8/0x120 +[ 2.958950] bus_for_each_drv+0x78/0xd0 +[ 2.962896] __device_attach+0xd8/0x180 +[ 2.966843] device_initial_probe+0x14/0x20 +[ 2.971144] bus_probe_device+0x9c/0xa4 +[ 2.975092] device_add+0x380/0x88c +[ 2.978679] platform_device_add+0x114/0x234 +[ 2.983067] platform_device_register_full+0x100/0x190 +[ 2.988344] psci_idle_init+0x6c/0xb0 +[ 2.992113] do_one_initcall+0x74/0x3a0 +[ 2.996060] kernel_init_freeable+0x2fc/0x384 +[ 3.000543] kernel_init+0x28/0x130 +[ 3.004132] ret_from_fork+0x10/0x20 +[ 3.007817] irq event stamp: 319826 +[ 3.011404] hardirqs last enabled at (319825): [] __up_console_sem+0x78/0x84 +[ 3.020332] hardirqs last disabled at (319826): [] el1_dbg+0x24/0x8c +[ 3.028458] softirqs last enabled at (318312): [] _stext+0x410/0x588 +[ 3.036678] softirqs last disabled at (318299): [] __irq_exit_rcu+0x158/0x174 +[ 3.045607] ---[ end trace 0000000000000000 ]--- + +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/base/power/main.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c +index 4fd49d55bc3e..3d51e457a4cd 100644 +--- a/drivers/base/power/main.c ++++ b/drivers/base/power/main.c +@@ -1901,7 +1901,9 @@ static bool pm_ops_is_empty(const struct dev_pm_ops *ops) + + void device_pm_check_callbacks(struct device *dev) + { +- spin_lock_irq(&dev->power.lock); ++ unsigned long flags; ++ ++ spin_lock_irqsave(&dev->power.lock, flags); + dev->power.no_pm_callbacks = + (!dev->bus || (pm_ops_is_empty(dev->bus->pm) && + !dev->bus->suspend && !dev->bus->resume)) && +@@ -1911,5 +1913,5 @@ void device_pm_check_callbacks(struct device *dev) + (!dev->pm_domain || pm_ops_is_empty(&dev->pm_domain->ops)) && + (!dev->driver || (pm_ops_is_empty(dev->driver->pm) && + !dev->driver->suspend && !dev->driver->resume)); +- spin_unlock_irq(&dev->power.lock); ++ spin_unlock_irqrestore(&dev->power.lock, flags); + } +-- +2.34.1 + diff --git a/queue-4.14/pm-hibernate-fix-__setup-handler-error-handling.patch b/queue-4.14/pm-hibernate-fix-__setup-handler-error-handling.patch new file mode 100644 index 00000000000..0bfa14d2640 --- /dev/null +++ b/queue-4.14/pm-hibernate-fix-__setup-handler-error-handling.patch @@ -0,0 +1,40 @@ +From 15b2a1c46a56a95b04be3f3be7050d03b589cd8f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Feb 2022 14:05:32 -0800 +Subject: PM: hibernate: fix __setup handler error handling + +From: Randy Dunlap + +[ Upstream commit ba7ffcd4c4da374b0f64666354eeeda7d3827131 ] + +If an invalid value is used in "resumedelay=", it is +silently ignored. Add a warning message and then let the __setup +handler return 1 to indicate that the kernel command line option +has been handled. + +Fixes: 317cf7e5e85e3 ("PM / hibernate: convert simple_strtoul to kstrtoul") +Signed-off-by: Randy Dunlap +Reported-by: Igor Zhbanov +Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + kernel/power/hibernate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c +index e68b1c20ad3d..f4ecb23c9194 100644 +--- a/kernel/power/hibernate.c ++++ b/kernel/power/hibernate.c +@@ -1186,7 +1186,7 @@ static int __init resumedelay_setup(char *str) + int rc = kstrtouint(str, 0, &resume_delay); + + if (rc) +- return rc; ++ pr_warn("resumedelay: bad option string '%s'\n", str); + return 1; + } + +-- +2.34.1 + diff --git a/queue-4.14/pm-suspend-fix-return-value-of-__setup-handler.patch b/queue-4.14/pm-suspend-fix-return-value-of-__setup-handler.patch new file mode 100644 index 00000000000..1afb491fb7d --- /dev/null +++ b/queue-4.14/pm-suspend-fix-return-value-of-__setup-handler.patch @@ -0,0 +1,73 @@ +From 522aafc9acdce65b2d9524d9cf8575970bb39940 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Feb 2022 14:05:44 -0800 +Subject: PM: suspend: fix return value of __setup handler + +From: Randy Dunlap + +[ Upstream commit 7a64ca17e4dd50d5f910769167f3553902777844 ] + +If an invalid option is given for "test_suspend=