From: Sasha Levin Date: Sun, 11 Jul 2021 14:44:15 +0000 (-0400) Subject: Fixes for 4.19 X-Git-Tag: v5.4.132~30^2~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4cd102fac8f9e64813d9c68284c8095cd81235f2;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/acpi-bus-call-kobject_put-in-acpi_init-error-path.patch b/queue-4.19/acpi-bus-call-kobject_put-in-acpi_init-error-path.patch new file mode 100644 index 00000000000..0b0315416aa --- /dev/null +++ b/queue-4.19/acpi-bus-call-kobject_put-in-acpi_init-error-path.patch @@ -0,0 +1,36 @@ +From 7a47ed77fe955909c464f656e943841bda71fd94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jun 2021 17:36:50 +0800 +Subject: ACPI: bus: Call kobject_put() in acpi_init() error path + +From: Hanjun Guo + +[ Upstream commit 4ac7a817f1992103d4e68e9837304f860b5e7300 ] + +Although the system will not be in a good condition or it will not +boot if acpi_bus_init() fails, it is still necessary to put the +kobject in the error path before returning to avoid leaking memory. + +Signed-off-by: Hanjun Guo +[ rjw: Subject and changelog edits ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/bus.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/acpi/bus.c b/drivers/acpi/bus.c +index d60e57d14c85..d9dc9d2f38d5 100644 +--- a/drivers/acpi/bus.c ++++ b/drivers/acpi/bus.c +@@ -1240,6 +1240,7 @@ static int __init acpi_init(void) + init_acpi_device_notify(); + result = acpi_bus_init(); + if (result) { ++ kobject_put(acpi_kobj); + disable_acpi(); + return result; + } +-- +2.30.2 + diff --git a/queue-4.19/acpi-ec-make-more-asus-laptops-use-ecdt-_gpe.patch b/queue-4.19/acpi-ec-make-more-asus-laptops-use-ecdt-_gpe.patch new file mode 100644 index 00000000000..d55f3e7c963 --- /dev/null +++ b/queue-4.19/acpi-ec-make-more-asus-laptops-use-ecdt-_gpe.patch @@ -0,0 +1,54 @@ +From 2bcbf8df83d0ebcdb3531f28940993d58589d755 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 May 2021 11:09:50 +0800 +Subject: ACPI: EC: Make more Asus laptops use ECDT _GPE + +From: Chris Chiu + +[ Upstream commit 6306f0431914beaf220634ad36c08234006571d5 ] + +More ASUS laptops have the _GPE define in the DSDT table with a +different value than the _GPE number in the ECDT. + +This is causing media keys not working on ASUS X505BA/BP, X542BA/BP + +Add model info to the quirks list. + +Signed-off-by: Chris Chiu +Signed-off-by: Jian-Hong Pan +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/ec.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c +index 9415a0041aaf..e3df3dda0332 100644 +--- a/drivers/acpi/ec.c ++++ b/drivers/acpi/ec.c +@@ -1904,6 +1904,22 @@ static const struct dmi_system_id ec_dmi_table[] __initconst = { + DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), + DMI_MATCH(DMI_PRODUCT_NAME, "GL702VMK"),}, NULL}, + { ++ ec_honor_ecdt_gpe, "ASUSTeK COMPUTER INC. X505BA", { ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "X505BA"),}, NULL}, ++ { ++ ec_honor_ecdt_gpe, "ASUSTeK COMPUTER INC. X505BP", { ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "X505BP"),}, NULL}, ++ { ++ ec_honor_ecdt_gpe, "ASUSTeK COMPUTER INC. X542BA", { ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "X542BA"),}, NULL}, ++ { ++ ec_honor_ecdt_gpe, "ASUSTeK COMPUTER INC. X542BP", { ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "X542BP"),}, NULL}, ++ { + ec_honor_ecdt_gpe, "ASUS X550VXK", { + DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), + DMI_MATCH(DMI_PRODUCT_NAME, "X550VXK"),}, NULL}, +-- +2.30.2 + diff --git a/queue-4.19/acpi-processor-idle-fix-up-c-state-latency-if-not-or.patch b/queue-4.19/acpi-processor-idle-fix-up-c-state-latency-if-not-or.patch new file mode 100644 index 00000000000..99ec6196807 --- /dev/null +++ b/queue-4.19/acpi-processor-idle-fix-up-c-state-latency-if-not-or.patch @@ -0,0 +1,113 @@ +From d31985286daf5b136cf2cca74aa2b07c7bfdd4a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 May 2021 17:15:14 -0500 +Subject: ACPI: processor idle: Fix up C-state latency if not ordered + +From: Mario Limonciello + +[ Upstream commit 65ea8f2c6e230bdf71fed0137cf9e9d1b307db32 ] + +Generally, the C-state latency is provided by the _CST method or +FADT, but some OEM platforms using AMD Picasso, Renoir, Van Gogh, +and Cezanne set the C2 latency greater than C3's which causes the +C2 state to be skipped. + +That will block the core entering PC6, which prevents S0ix working +properly on Linux systems. + +In other operating systems, the latency values are not validated and +this does not cause problems by skipping states. + +To avoid this issue on Linux, detect when latencies are not an +arithmetic progression and sort them. + +Link: https://gitlab.freedesktop.org/agd5f/linux/-/commit/026d186e4592c1ee9c1cb44295912d0294508725 +Link: https://gitlab.freedesktop.org/drm/amd/-/issues/1230#note_712174 +Suggested-by: Prike Liang +Suggested-by: Alex Deucher +Signed-off-by: Mario Limonciello +[ rjw: Subject and changelog edits ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/processor_idle.c | 40 +++++++++++++++++++++++++++++++++++ + 1 file changed, 40 insertions(+) + +diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c +index abb559cd28d7..d80010ac2a43 100644 +--- a/drivers/acpi/processor_idle.c ++++ b/drivers/acpi/processor_idle.c +@@ -29,6 +29,7 @@ + #include + #include + #include /* need_resched() */ ++#include + #include + #include + #include +@@ -544,10 +545,37 @@ static void acpi_processor_power_verify_c3(struct acpi_processor *pr, + return; + } + ++static int acpi_cst_latency_cmp(const void *a, const void *b) ++{ ++ const struct acpi_processor_cx *x = a, *y = b; ++ ++ if (!(x->valid && y->valid)) ++ return 0; ++ if (x->latency > y->latency) ++ return 1; ++ if (x->latency < y->latency) ++ return -1; ++ return 0; ++} ++static void acpi_cst_latency_swap(void *a, void *b, int n) ++{ ++ struct acpi_processor_cx *x = a, *y = b; ++ u32 tmp; ++ ++ if (!(x->valid && y->valid)) ++ return; ++ tmp = x->latency; ++ x->latency = y->latency; ++ y->latency = tmp; ++} ++ + static int acpi_processor_power_verify(struct acpi_processor *pr) + { + unsigned int i; + unsigned int working = 0; ++ unsigned int last_latency = 0; ++ unsigned int last_type = 0; ++ bool buggy_latency = false; + + pr->power.timer_broadcast_on_state = INT_MAX; + +@@ -571,12 +599,24 @@ static int acpi_processor_power_verify(struct acpi_processor *pr) + } + if (!cx->valid) + continue; ++ if (cx->type >= last_type && cx->latency < last_latency) ++ buggy_latency = true; ++ last_latency = cx->latency; ++ last_type = cx->type; + + lapic_timer_check_state(i, pr, cx); + tsc_check_state(cx->type); + working++; + } + ++ if (buggy_latency) { ++ pr_notice("FW issue: working around C-state latencies out of order\n"); ++ sort(&pr->power.states[1], max_cstate, ++ sizeof(struct acpi_processor_cx), ++ acpi_cst_latency_cmp, ++ acpi_cst_latency_swap); ++ } ++ + lapic_timer_propagate_broadcast(pr); + + return (working); +-- +2.30.2 + diff --git a/queue-4.19/acpi-sysfs-fix-a-buffer-overrun-problem-with-descrip.patch b/queue-4.19/acpi-sysfs-fix-a-buffer-overrun-problem-with-descrip.patch new file mode 100644 index 00000000000..bfeef923b56 --- /dev/null +++ b/queue-4.19/acpi-sysfs-fix-a-buffer-overrun-problem-with-descrip.patch @@ -0,0 +1,73 @@ +From 8452d95cebb4093e4a8878643c372dbec606d64b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jun 2021 17:12:01 +0000 +Subject: ACPI: sysfs: Fix a buffer overrun problem with description_show() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Krzysztof Wilczyński + +[ Upstream commit 888be6067b97132c3992866bbcf647572253ab3f ] + +Currently, a device description can be obtained using ACPI, if the _STR +method exists for a particular device, and then exposed to the userspace +via a sysfs object as a string value. + +If the _STR method is available for a given device then the data +(usually a Unicode string) is read and stored in a buffer (of the +ACPI_TYPE_BUFFER type) with a pointer to said buffer cached in the +struct acpi_device_pnp for later access. + +The description_show() function is responsible for exposing the device +description to the userspace via a corresponding sysfs object and +internally calls the utf16s_to_utf8s() function with a pointer to the +buffer that contains the Unicode string so that it can be converted from +UTF16 encoding to UTF8 and thus allowing for the value to be safely +stored and later displayed. + +When invoking the utf16s_to_utf8s() function, the description_show() +function also sets a limit of the data that can be saved into a provided +buffer as a result of the character conversion to be a total of +PAGE_SIZE, and upon completion, the utf16s_to_utf8s() function returns +an integer value denoting the number of bytes that have been written +into the provided buffer. + +Following the execution of the utf16s_to_utf8s() a newline character +will be added at the end of the resulting buffer so that when the value +is read in the userspace through the sysfs object then it would include +newline making it more accessible when working with the sysfs file +system in the shell, etc. Normally, this wouldn't be a problem, but if +the function utf16s_to_utf8s() happens to return the number of bytes +written to be precisely PAGE_SIZE, then we would overrun the buffer and +write the newline character outside the allotted space which can have +undefined consequences or result in a failure. + +To fix this buffer overrun, ensure that there always is enough space +left for the newline character to be safely appended. + +Fixes: d1efe3c324ea ("ACPI: Add new sysfs interface to export device description") +Signed-off-by: Krzysztof Wilczyński +Reviewed-by: Bjorn Helgaas +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/device_sysfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/device_sysfs.c b/drivers/acpi/device_sysfs.c +index b3b92c54cba8..f792b149a574 100644 +--- a/drivers/acpi/device_sysfs.c ++++ b/drivers/acpi/device_sysfs.c +@@ -452,7 +452,7 @@ static ssize_t description_show(struct device *dev, + (wchar_t *)acpi_dev->pnp.str_obj->buffer.pointer, + acpi_dev->pnp.str_obj->buffer.length, + UTF16_LITTLE_ENDIAN, buf, +- PAGE_SIZE); ++ PAGE_SIZE - 1); + + buf[result++] = '\n'; + +-- +2.30.2 + diff --git a/queue-4.19/acpi-tables-add-custom-dsdt-file-as-makefile-prerequ.patch b/queue-4.19/acpi-tables-add-custom-dsdt-file-as-makefile-prerequ.patch new file mode 100644 index 00000000000..1da56ed4b70 --- /dev/null +++ b/queue-4.19/acpi-tables-add-custom-dsdt-file-as-makefile-prerequ.patch @@ -0,0 +1,43 @@ +From fe3b5ce1ab035e40f51d61ecb650764faafa46da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Jun 2021 16:24:33 +0100 +Subject: ACPI: tables: Add custom DSDT file as makefile prerequisite + +From: Richard Fitzgerald + +[ Upstream commit d1059c1b1146870c52f3dac12cb7b6cbf39ed27f ] + +A custom DSDT file is mostly used during development or debugging, +and in that case it is quite likely to want to rebuild the kernel +after changing ONLY the content of the DSDT. + +This patch adds the custom DSDT as a prerequisite to tables.o +to ensure a rebuild if the DSDT file is updated. Make will merge +the prerequisites from multiple rules for the same target. + +Signed-off-by: Richard Fitzgerald +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/Makefile | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/acpi/Makefile b/drivers/acpi/Makefile +index 6d59aa109a91..93f667140d8a 100644 +--- a/drivers/acpi/Makefile ++++ b/drivers/acpi/Makefile +@@ -8,6 +8,11 @@ ccflags-$(CONFIG_ACPI_DEBUG) += -DACPI_DEBUG_OUTPUT + # + # ACPI Boot-Time Table Parsing + # ++ifeq ($(CONFIG_ACPI_CUSTOM_DSDT),y) ++tables.o: $(src)/../../include/$(subst $\",,$(CONFIG_ACPI_CUSTOM_DSDT_FILE)) ; ++ ++endif ++ + obj-$(CONFIG_ACPI) += tables.o + obj-$(CONFIG_X86) += blacklist.o + +-- +2.30.2 + diff --git a/queue-4.19/acpica-fix-memory-leak-caused-by-_cid-repair-functio.patch b/queue-4.19/acpica-fix-memory-leak-caused-by-_cid-repair-functio.patch new file mode 100644 index 00000000000..28c9de2fc66 --- /dev/null +++ b/queue-4.19/acpica-fix-memory-leak-caused-by-_cid-repair-functio.patch @@ -0,0 +1,55 @@ +From 50aa2465e725ef407e9c262808bd237a9cc1131f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Jun 2021 14:25:57 -0700 +Subject: ACPICA: Fix memory leak caused by _CID repair function + +From: Erik Kaneda + +[ Upstream commit c27bac0314131b11bccd735f7e8415ac6444b667 ] + +ACPICA commit 180cb53963aa876c782a6f52cc155d951b26051a + +According to the ACPI spec, _CID returns a package containing +hardware ID's. Each element of an ASL package contains a reference +count from the parent package as well as the element itself. + +Name (TEST, Package() { + "String object" // this package element has a reference count of 2 +}) + +A memory leak was caused in the _CID repair function because it did +not decrement the reference count created by the package. Fix the +memory leak by calling acpi_ut_remove_reference on _CID package elements +that represent a hardware ID (_HID). + +Link: https://github.com/acpica/acpica/commit/180cb539 +Tested-by: Shawn Guo +Signed-off-by: Erik Kaneda +Signed-off-by: Bob Moore +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/nsrepair2.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/acpi/acpica/nsrepair2.c b/drivers/acpi/acpica/nsrepair2.c +index a3bd6280882c..4c8ce483805d 100644 +--- a/drivers/acpi/acpica/nsrepair2.c ++++ b/drivers/acpi/acpica/nsrepair2.c +@@ -375,6 +375,13 @@ acpi_ns_repair_CID(struct acpi_evaluate_info *info, + + (*element_ptr)->common.reference_count = + original_ref_count; ++ ++ /* ++ * The original_element holds a reference from the package object ++ * that represents _HID. Since a new element was created by _HID, ++ * remove the reference from the _CID package. ++ */ ++ acpi_ut_remove_reference(original_element); + } + + element_ptr++; +-- +2.30.2 + diff --git a/queue-4.19/arm64-dts-marvell-armada-37xx-fix-reg-for-standard-v.patch b/queue-4.19/arm64-dts-marvell-armada-37xx-fix-reg-for-standard-v.patch new file mode 100644 index 00000000000..f83cc7ccc56 --- /dev/null +++ b/queue-4.19/arm64-dts-marvell-armada-37xx-fix-reg-for-standard-v.patch @@ -0,0 +1,41 @@ +From d4e0221f7048ddd6a68da893ffb0aae4b4f2fb85 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Jun 2021 00:49:04 +0200 +Subject: arm64: dts: marvell: armada-37xx: Fix reg for standard variant of + UART +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit 2cbfdedef39fb5994b8f1e1df068eb8440165975 ] + +UART1 (standard variant with DT node name 'uart0') has register space +0x12000-0x12018 and not whole size 0x200. So fix also this in example. + +Signed-off-by: Pali Rohár +Fixes: c737abc193d1 ("arm64: dts: marvell: Fix A37xx UART0 register size") +Link: https://lore.kernel.org/r/20210624224909.6350-6-pali@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/marvell/armada-37xx.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/marvell/armada-37xx.dtsi b/arch/arm64/boot/dts/marvell/armada-37xx.dtsi +index 3a611250f598..1844fb8605f0 100644 +--- a/arch/arm64/boot/dts/marvell/armada-37xx.dtsi ++++ b/arch/arm64/boot/dts/marvell/armada-37xx.dtsi +@@ -121,7 +121,7 @@ + + uart0: serial@12000 { + compatible = "marvell,armada-3700-uart"; +- reg = <0x12000 0x200>; ++ reg = <0x12000 0x18>; + clocks = <&xtalclk>; + interrupts = + , +-- +2.30.2 + diff --git a/queue-4.19/asoc-atmel-i2s-fix-usage-of-capture-and-playback-at-.patch b/queue-4.19/asoc-atmel-i2s-fix-usage-of-capture-and-playback-at-.patch new file mode 100644 index 00000000000..4ae4932570f --- /dev/null +++ b/queue-4.19/asoc-atmel-i2s-fix-usage-of-capture-and-playback-at-.patch @@ -0,0 +1,100 @@ +From f28822cb095a507c3a5a8256efbaf2b4ba262f83 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jun 2021 18:07:41 +0300 +Subject: ASoC: atmel-i2s: Fix usage of capture and playback at the same time + +From: Codrin Ciubotariu + +[ Upstream commit 3b7961a326f8a7e03f54a19f02fedae8d488b80f ] + +For both capture and playback streams to work at the same time, only the +needed values from a register need to be updated. Also, clocks should be +enabled only when the first stream is started and stopped when there is no +running stream. + +Fixes: b543e467d1a9 ("ASoC: atmel-i2s: add driver for the new Atmel I2S controller") +Signed-off-by: Codrin Ciubotariu +Link: https://lore.kernel.org/r/20210618150741.401739-2-codrin.ciubotariu@microchip.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/atmel/atmel-i2s.c | 34 ++++++++++++++++++++++++++-------- + 1 file changed, 26 insertions(+), 8 deletions(-) + +diff --git a/sound/soc/atmel/atmel-i2s.c b/sound/soc/atmel/atmel-i2s.c +index d88c1d995036..99cc73150576 100644 +--- a/sound/soc/atmel/atmel-i2s.c ++++ b/sound/soc/atmel/atmel-i2s.c +@@ -211,6 +211,7 @@ struct atmel_i2s_dev { + unsigned int fmt; + const struct atmel_i2s_gck_param *gck_param; + const struct atmel_i2s_caps *caps; ++ int clk_use_no; + }; + + static irqreturn_t atmel_i2s_interrupt(int irq, void *dev_id) +@@ -332,9 +333,16 @@ static int atmel_i2s_hw_params(struct snd_pcm_substream *substream, + { + struct atmel_i2s_dev *dev = snd_soc_dai_get_drvdata(dai); + bool is_playback = (substream->stream == SNDRV_PCM_STREAM_PLAYBACK); +- unsigned int mr = 0; ++ unsigned int mr = 0, mr_mask; + int ret; + ++ mr_mask = ATMEL_I2SC_MR_FORMAT_MASK | ATMEL_I2SC_MR_MODE_MASK | ++ ATMEL_I2SC_MR_DATALENGTH_MASK; ++ if (is_playback) ++ mr_mask |= ATMEL_I2SC_MR_TXMONO; ++ else ++ mr_mask |= ATMEL_I2SC_MR_RXMONO; ++ + switch (dev->fmt & SND_SOC_DAIFMT_FORMAT_MASK) { + case SND_SOC_DAIFMT_I2S: + mr |= ATMEL_I2SC_MR_FORMAT_I2S; +@@ -413,7 +421,7 @@ static int atmel_i2s_hw_params(struct snd_pcm_substream *substream, + return -EINVAL; + } + +- return regmap_write(dev->regmap, ATMEL_I2SC_MR, mr); ++ return regmap_update_bits(dev->regmap, ATMEL_I2SC_MR, mr_mask, mr); + } + + static int atmel_i2s_switch_mck_generator(struct atmel_i2s_dev *dev, +@@ -506,18 +514,28 @@ static int atmel_i2s_trigger(struct snd_pcm_substream *substream, int cmd, + is_master = (mr & ATMEL_I2SC_MR_MODE_MASK) == ATMEL_I2SC_MR_MODE_MASTER; + + /* If master starts, enable the audio clock. */ +- if (is_master && mck_enabled) +- err = atmel_i2s_switch_mck_generator(dev, true); +- if (err) +- return err; ++ if (is_master && mck_enabled) { ++ if (!dev->clk_use_no) { ++ err = atmel_i2s_switch_mck_generator(dev, true); ++ if (err) ++ return err; ++ } ++ dev->clk_use_no++; ++ } + + err = regmap_write(dev->regmap, ATMEL_I2SC_CR, cr); + if (err) + return err; + + /* If master stops, disable the audio clock. */ +- if (is_master && !mck_enabled) +- err = atmel_i2s_switch_mck_generator(dev, false); ++ if (is_master && !mck_enabled) { ++ if (dev->clk_use_no == 1) { ++ err = atmel_i2s_switch_mck_generator(dev, false); ++ if (err) ++ return err; ++ } ++ dev->clk_use_no--; ++ } + + return err; + } +-- +2.30.2 + diff --git a/queue-4.19/asoc-cs42l42-correct-definition-of-cs42l42_adc_pdn_m.patch b/queue-4.19/asoc-cs42l42-correct-definition-of-cs42l42_adc_pdn_m.patch new file mode 100644 index 00000000000..a0ed14d56ab --- /dev/null +++ b/queue-4.19/asoc-cs42l42-correct-definition-of-cs42l42_adc_pdn_m.patch @@ -0,0 +1,37 @@ +From 679ab85b651221d4f128581e67cbcc0707a969b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 14:56:04 +0100 +Subject: ASoC: cs42l42: Correct definition of CS42L42_ADC_PDN_MASK + +From: Richard Fitzgerald + +[ Upstream commit fac165f22ac947b55407cd3a60a2a9824f905235 ] + +The definition of CS42L42_ADC_PDN_MASK was incorrectly defined +as the HP_PDN bit. + +Fixes: 2c394ca79604 ("ASoC: Add support for CS42L42 codec") +Signed-off-by: Richard Fitzgerald +Link: https://lore.kernel.org/r/20210616135604.19363-1-rf@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/cs42l42.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/cs42l42.h b/sound/soc/codecs/cs42l42.h +index bcaf4f22408d..5a46e7d4f9a3 100644 +--- a/sound/soc/codecs/cs42l42.h ++++ b/sound/soc/codecs/cs42l42.h +@@ -81,7 +81,7 @@ + #define CS42L42_HP_PDN_SHIFT 3 + #define CS42L42_HP_PDN_MASK (1 << CS42L42_HP_PDN_SHIFT) + #define CS42L42_ADC_PDN_SHIFT 2 +-#define CS42L42_ADC_PDN_MASK (1 << CS42L42_HP_PDN_SHIFT) ++#define CS42L42_ADC_PDN_MASK (1 << CS42L42_ADC_PDN_SHIFT) + #define CS42L42_PDN_ALL_SHIFT 0 + #define CS42L42_PDN_ALL_MASK (1 << CS42L42_PDN_ALL_SHIFT) + +-- +2.30.2 + diff --git a/queue-4.19/asoc-hisilicon-fix-missing-clk_disable_unprepare-on-.patch b/queue-4.19/asoc-hisilicon-fix-missing-clk_disable_unprepare-on-.patch new file mode 100644 index 00000000000..3043febf247 --- /dev/null +++ b/queue-4.19/asoc-hisilicon-fix-missing-clk_disable_unprepare-on-.patch @@ -0,0 +1,64 @@ +From 392ef2b0dda41833c2dc194a8debd7cbf071d32b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 May 2021 12:45:14 +0800 +Subject: ASoC: hisilicon: fix missing clk_disable_unprepare() on error in + hi6210_i2s_startup() + +From: Yang Yingliang + +[ Upstream commit 375904e3931955fcf0a847f029b2492a117efc43 ] + +After calling clk_prepare_enable(), clk_disable_unprepare() need +be called when calling clk_set_rate() failed. + +Fixes: 0bf750f4cbe1 ("ASoC: hisilicon: Add hi6210 i2s audio driver") +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20210518044514.607010-1-yangyingliang@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/hisilicon/hi6210-i2s.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/sound/soc/hisilicon/hi6210-i2s.c b/sound/soc/hisilicon/hi6210-i2s.c +index 53344a3b7a60..864718ef874f 100644 +--- a/sound/soc/hisilicon/hi6210-i2s.c ++++ b/sound/soc/hisilicon/hi6210-i2s.c +@@ -110,18 +110,15 @@ static int hi6210_i2s_startup(struct snd_pcm_substream *substream, + + for (n = 0; n < i2s->clocks; n++) { + ret = clk_prepare_enable(i2s->clk[n]); +- if (ret) { +- while (n--) +- clk_disable_unprepare(i2s->clk[n]); +- return ret; +- } ++ if (ret) ++ goto err_unprepare_clk; + } + + ret = clk_set_rate(i2s->clk[CLK_I2S_BASE], 49152000); + if (ret) { + dev_err(i2s->dev, "%s: setting 49.152MHz base rate failed %d\n", + __func__, ret); +- return ret; ++ goto err_unprepare_clk; + } + + /* enable clock before frequency division */ +@@ -173,6 +170,11 @@ static int hi6210_i2s_startup(struct snd_pcm_substream *substream, + hi6210_write_reg(i2s, HII2S_SW_RST_N, val); + + return 0; ++ ++err_unprepare_clk: ++ while (n--) ++ clk_disable_unprepare(i2s->clk[n]); ++ return ret; + } + + static void hi6210_i2s_shutdown(struct snd_pcm_substream *substream, +-- +2.30.2 + diff --git a/queue-4.19/asoc-rsnd-tidyup-loop-on-rsnd_adg_clk_query.patch b/queue-4.19/asoc-rsnd-tidyup-loop-on-rsnd_adg_clk_query.patch new file mode 100644 index 00000000000..78db6a98cc2 --- /dev/null +++ b/queue-4.19/asoc-rsnd-tidyup-loop-on-rsnd_adg_clk_query.patch @@ -0,0 +1,49 @@ +From da9e9184ff9f1995e59182e9ba4211334a9d6ef2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 May 2021 15:12:09 +0900 +Subject: ASoC: rsnd: tidyup loop on rsnd_adg_clk_query() + +From: Kuninori Morimoto + +[ Upstream commit cf9d5c6619fadfc41cf8f5154cb990cc38e3da85 ] + +commit 06e8f5c842f2d ("ASoC: rsnd: don't call clk_get_rate() under +atomic context") used saved clk_rate, thus for_each_rsnd_clk() +is no longer needed. This patch fixes it. + +Fixes: 06e8f5c842f2d ("ASoC: rsnd: don't call clk_get_rate() under atomic context") +Signed-off-by: Kuninori Morimoto +Link: https://lore.kernel.org/r/87v978oe2u.wl-kuninori.morimoto.gx@renesas.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sh/rcar/adg.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/sound/soc/sh/rcar/adg.c b/sound/soc/sh/rcar/adg.c +index 549a137878a6..dc08260031ee 100644 +--- a/sound/soc/sh/rcar/adg.c ++++ b/sound/soc/sh/rcar/adg.c +@@ -318,7 +318,6 @@ static void rsnd_adg_set_ssi_clk(struct rsnd_mod *ssi_mod, u32 val) + int rsnd_adg_clk_query(struct rsnd_priv *priv, unsigned int rate) + { + struct rsnd_adg *adg = rsnd_priv_to_adg(priv); +- struct clk *clk; + int i; + int sel_table[] = { + [CLKA] = 0x1, +@@ -331,10 +330,9 @@ int rsnd_adg_clk_query(struct rsnd_priv *priv, unsigned int rate) + * find suitable clock from + * AUDIO_CLKA/AUDIO_CLKB/AUDIO_CLKC/AUDIO_CLKI. + */ +- for_each_rsnd_clk(clk, adg, i) { ++ for (i = 0; i < CLKMAX; i++) + if (rate == adg->clk_rate[i]) + return sel_table[i]; +- } + + /* + * find divided clock from BRGA/BRGB +-- +2.30.2 + diff --git a/queue-4.19/ath10k-fix-an-error-code-in-ath10k_add_interface.patch b/queue-4.19/ath10k-fix-an-error-code-in-ath10k_add_interface.patch new file mode 100644 index 00000000000..116f880aed7 --- /dev/null +++ b/queue-4.19/ath10k-fix-an-error-code-in-ath10k_add_interface.patch @@ -0,0 +1,43 @@ +From ad8295d595f84d8eae384ff240ccb010f3ac6f57 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 May 2021 18:46:17 +0800 +Subject: ath10k: Fix an error code in ath10k_add_interface() + +From: Yang Li + +[ Upstream commit e9ca70c735ce66fc6a0e02c8b6958434f74ef8de ] + +When the code execute this if statement, the value of ret is 0. +However, we can see from the ath10k_warn() log that the value of +ret should be -EINVAL. + +Clean up smatch warning: + +drivers/net/wireless/ath/ath10k/mac.c:5596 ath10k_add_interface() warn: +missing error code 'ret' + +Reported-by: Abaci Robot +Fixes: ccec9038c721 ("ath10k: enable raw encap mode and software crypto engine") +Signed-off-by: Yang Li +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1621939577-62218-1-git-send-email-yang.lee@linux.alibaba.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/mac.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c +index f32d35e03708..8102d684be59 100644 +--- a/drivers/net/wireless/ath/ath10k/mac.c ++++ b/drivers/net/wireless/ath/ath10k/mac.c +@@ -5125,6 +5125,7 @@ static int ath10k_add_interface(struct ieee80211_hw *hw, + + if (arvif->nohwcrypt && + !test_bit(ATH10K_FLAG_RAW_MODE, &ar->dev_flags)) { ++ ret = -EINVAL; + ath10k_warn(ar, "cryptmode module param needed for sw crypto\n"); + goto err; + } +-- +2.30.2 + diff --git a/queue-4.19/blk-wbt-introduce-a-new-disable-state-to-prevent-fal.patch b/queue-4.19/blk-wbt-introduce-a-new-disable-state-to-prevent-fal.patch new file mode 100644 index 00000000000..4fb2c590a50 --- /dev/null +++ b/queue-4.19/blk-wbt-introduce-a-new-disable-state-to-prevent-fal.patch @@ -0,0 +1,66 @@ +From 87ea72c8868a1234ce442fabf8d961b495636e16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Jun 2021 17:36:59 +0800 +Subject: blk-wbt: introduce a new disable state to prevent false positive by + rwb_enabled() + +From: Zhang Yi + +[ Upstream commit 1d0903d61e9645c6330b94247b96dd873dfc11c8 ] + +Now that we disable wbt by simply zero out rwb->wb_normal in +wbt_disable_default() when switch elevator to bfq, but it's not safe +because it will become false positive if we change queue depth. If it +become false positive between wbt_wait() and wbt_track() when submit +write request, it will lead to drop rqw->inflight to -1 in wbt_done(), +which will end up trigger IO hung. Fix this issue by introduce a new +state which mean the wbt was disabled. + +Fixes: a79050434b45 ("blk-rq-qos: refactor out common elements of blk-wbt") +Signed-off-by: Zhang Yi +Link: https://lore.kernel.org/r/20210619093700.920393-2-yi.zhang@huawei.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-wbt.c | 5 +++-- + block/blk-wbt.h | 1 + + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/block/blk-wbt.c b/block/blk-wbt.c +index 50f2abfa1a60..08623f37617f 100644 +--- a/block/blk-wbt.c ++++ b/block/blk-wbt.c +@@ -76,7 +76,8 @@ enum { + + static inline bool rwb_enabled(struct rq_wb *rwb) + { +- return rwb && rwb->wb_normal != 0; ++ return rwb && rwb->enable_state != WBT_STATE_OFF_DEFAULT && ++ rwb->wb_normal != 0; + } + + static void wb_timestamp(struct rq_wb *rwb, unsigned long *var) +@@ -764,7 +765,7 @@ void wbt_disable_default(struct request_queue *q) + rwb = RQWB(rqos); + if (rwb->enable_state == WBT_STATE_ON_DEFAULT) { + blk_stat_deactivate(rwb->cb); +- rwb->wb_normal = 0; ++ rwb->enable_state = WBT_STATE_OFF_DEFAULT; + } + } + EXPORT_SYMBOL_GPL(wbt_disable_default); +diff --git a/block/blk-wbt.h b/block/blk-wbt.h +index f47218d5b3b2..dd0d0f297d1e 100644 +--- a/block/blk-wbt.h ++++ b/block/blk-wbt.h +@@ -34,6 +34,7 @@ enum { + enum { + WBT_STATE_ON_DEFAULT = 1, + WBT_STATE_ON_MANUAL = 2, ++ WBT_STATE_OFF_DEFAULT + }; + + struct rq_wb { +-- +2.30.2 + diff --git a/queue-4.19/blk-wbt-make-sure-throttle-is-enabled-properly.patch b/queue-4.19/blk-wbt-make-sure-throttle-is-enabled-properly.patch new file mode 100644 index 00000000000..c87eee6e0b6 --- /dev/null +++ b/queue-4.19/blk-wbt-make-sure-throttle-is-enabled-properly.patch @@ -0,0 +1,45 @@ +From 4452c324964d3202a6f0ba48dfcc2744168f487b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Jun 2021 17:37:00 +0800 +Subject: blk-wbt: make sure throttle is enabled properly + +From: Zhang Yi + +[ Upstream commit 76a8040817b4b9c69b53f9b326987fa891b4082a ] + +After commit a79050434b45 ("blk-rq-qos: refactor out common elements of +blk-wbt"), if throttle was disabled by wbt_disable_default(), we could +not enable again, fix this by set enable_state back to +WBT_STATE_ON_DEFAULT. + +Fixes: a79050434b45 ("blk-rq-qos: refactor out common elements of blk-wbt") +Signed-off-by: Zhang Yi +Link: https://lore.kernel.org/r/20210619093700.920393-3-yi.zhang@huawei.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-wbt.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/block/blk-wbt.c b/block/blk-wbt.c +index 08623f37617f..880a41adde8f 100644 +--- a/block/blk-wbt.c ++++ b/block/blk-wbt.c +@@ -704,9 +704,13 @@ void wbt_set_write_cache(struct request_queue *q, bool write_cache_on) + void wbt_enable_default(struct request_queue *q) + { + struct rq_qos *rqos = wbt_rq_qos(q); ++ + /* Throttling already enabled? */ +- if (rqos) ++ if (rqos) { ++ if (RQWB(rqos)->enable_state == WBT_STATE_OFF_DEFAULT) ++ RQWB(rqos)->enable_state = WBT_STATE_ON_DEFAULT; + return; ++ } + + /* Queue not registered? Maybe shutting down... */ + if (!blk_queue_registered(q)) +-- +2.30.2 + diff --git a/queue-4.19/block_dump-remove-block_dump-feature-in-mark_inode_d.patch b/queue-4.19/block_dump-remove-block_dump-feature-in-mark_inode_d.patch new file mode 100644 index 00000000000..321d215a8b3 --- /dev/null +++ b/queue-4.19/block_dump-remove-block_dump-feature-in-mark_inode_d.patch @@ -0,0 +1,84 @@ +From 7b68800fd33317cc22783f26c9bda8cc6c45f946 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Mar 2021 11:01:44 +0800 +Subject: block_dump: remove block_dump feature in mark_inode_dirty() + +From: zhangyi (F) + +[ Upstream commit 12e0613715e1cf305fffafaf0e89d810d9a85cc0 ] + +block_dump is an old debugging interface, one of it's functions is used +to print the information about who write which file on disk. If we +enable block_dump through /proc/sys/vm/block_dump and turn on debug log +level, we can gather information about write process name, target file +name and disk from kernel message. This feature is realized in +block_dump___mark_inode_dirty(), it print above information into kernel +message directly when marking inode dirty, so it is noisy and can easily +trigger log storm. At the same time, get the dentry refcount is also not +safe, we found it will lead to deadlock on ext4 file system with +data=journal mode. + +After tracepoints has been introduced into the kernel, we got a +tracepoint in __mark_inode_dirty(), which is a better replacement of +block_dump___mark_inode_dirty(). The only downside is that it only trace +the inode number and not a file name, but it probably doesn't matter +because the original printed file name in block_dump is not accurate in +some cases, and we can still find it through the inode number and device +id. So this patch delete the dirting inode part of block_dump feature. + +Signed-off-by: zhangyi (F) +Reviewed-by: Jan Kara +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20210313030146.2882027-2-yi.zhang@huawei.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + fs/fs-writeback.c | 25 ------------------------- + 1 file changed, 25 deletions(-) + +diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c +index a247cb4b00e2..fc9167e65287 100644 +--- a/fs/fs-writeback.c ++++ b/fs/fs-writeback.c +@@ -2115,28 +2115,6 @@ int dirtytime_interval_handler(struct ctl_table *table, int write, + return ret; + } + +-static noinline void block_dump___mark_inode_dirty(struct inode *inode) +-{ +- if (inode->i_ino || strcmp(inode->i_sb->s_id, "bdev")) { +- struct dentry *dentry; +- const char *name = "?"; +- +- dentry = d_find_alias(inode); +- if (dentry) { +- spin_lock(&dentry->d_lock); +- name = (const char *) dentry->d_name.name; +- } +- printk(KERN_DEBUG +- "%s(%d): dirtied inode %lu (%s) on %s\n", +- current->comm, task_pid_nr(current), inode->i_ino, +- name, inode->i_sb->s_id); +- if (dentry) { +- spin_unlock(&dentry->d_lock); +- dput(dentry); +- } +- } +-} +- + /** + * __mark_inode_dirty - internal function + * +@@ -2196,9 +2174,6 @@ void __mark_inode_dirty(struct inode *inode, int flags) + (dirtytime && (inode->i_state & I_DIRTY_INODE))) + return; + +- if (unlikely(block_dump)) +- block_dump___mark_inode_dirty(inode); +- + spin_lock(&inode->i_lock); + if (dirtytime && (inode->i_state & I_DIRTY_INODE)) + goto out_unlock_inode; +-- +2.30.2 + diff --git a/queue-4.19/bluetooth-fix-handling-of-hci_le_advertising_set_ter.patch b/queue-4.19/bluetooth-fix-handling-of-hci_le_advertising_set_ter.patch new file mode 100644 index 00000000000..5526e86ddec --- /dev/null +++ b/queue-4.19/bluetooth-fix-handling-of-hci_le_advertising_set_ter.patch @@ -0,0 +1,56 @@ +From 90619829ed162b25c7f291598c630b85ab77de87 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Jun 2021 20:59:02 -0700 +Subject: Bluetooth: Fix handling of HCI_LE_Advertising_Set_Terminated event + +From: Luiz Augusto von Dentz + +[ Upstream commit 23837a6d7a1a61818ed94a6b8af552d6cf7d32d5 ] + +Error status of this event means that it has ended due reasons other +than a connection: + + 'If advertising has terminated as a result of the advertising duration + elapsing, the Status parameter shall be set to the error code + Advertising Timeout (0x3C).' + + 'If advertising has terminated because the + Max_Extended_Advertising_Events was reached, the Status parameter + shall be set to the error code Limit Reached (0x43).' + +Fixes: acf0aeae431a0 ("Bluetooth: Handle ADv set terminated event") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_event.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 2e2cad58b6cc..45cc864cf2b3 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -4986,8 +4986,19 @@ static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, struct sk_buff *skb) + + BT_DBG("%s status 0x%2.2x", hdev->name, ev->status); + +- if (ev->status) ++ if (ev->status) { ++ struct adv_info *adv; ++ ++ adv = hci_find_adv_instance(hdev, ev->handle); ++ if (!adv) ++ return; ++ ++ /* Remove advertising as it has been terminated */ ++ hci_remove_adv_instance(hdev, ev->handle); ++ mgmt_advertising_removed(NULL, hdev, ev->handle); ++ + return; ++ } + + conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->conn_handle)); + if (conn) { +-- +2.30.2 + diff --git a/queue-4.19/bluetooth-mgmt-fix-slab-out-of-bounds-in-tlv_data_is.patch b/queue-4.19/bluetooth-mgmt-fix-slab-out-of-bounds-in-tlv_data_is.patch new file mode 100644 index 00000000000..26d228a11c3 --- /dev/null +++ b/queue-4.19/bluetooth-mgmt-fix-slab-out-of-bounds-in-tlv_data_is.patch @@ -0,0 +1,65 @@ +From c3af9517a2107a8f0331701306051b018651717d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 May 2021 11:45:02 -0700 +Subject: Bluetooth: mgmt: Fix slab-out-of-bounds in tlv_data_is_valid + +From: Luiz Augusto von Dentz + +[ Upstream commit 799acb9347915bfe4eac0ff2345b468f0a1ca207 ] + +This fixes parsing of LTV entries when the length is 0. + +Found with: + +tools/mgmt-tester -s "Add Advertising - Success (ScRsp only)" + +Add Advertising - Success (ScRsp only) - run + Sending Add Advertising (0x003e) + Test condition added, total 1 +[ 11.004577] ================================================================== +[ 11.005292] BUG: KASAN: slab-out-of-bounds in tlv_data_is_valid+0x87/0xe0 +[ 11.005984] Read of size 1 at addr ffff888002c695b0 by task mgmt-tester/87 +[ 11.006711] +[ 11.007176] +[ 11.007429] Allocated by task 87: +[ 11.008151] +[ 11.008438] The buggy address belongs to the object at ffff888002c69580 +[ 11.008438] which belongs to the cache kmalloc-64 of size 64 +[ 11.010526] The buggy address is located 48 bytes inside of +[ 11.010526] 64-byte region [ffff888002c69580, ffff888002c695c0) +[ 11.012423] The buggy address belongs to the page: +[ 11.013291] +[ 11.013544] Memory state around the buggy address: +[ 11.014359] ffff888002c69480: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc +[ 11.015453] ffff888002c69500: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc +[ 11.016232] >ffff888002c69580: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc +[ 11.017010] ^ +[ 11.017547] ffff888002c69600: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc +[ 11.018296] ffff888002c69680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc +[ 11.019116] ================================================================== + +Fixes: 2bb36870e8cb2 ("Bluetooth: Unify advertising instance flags check") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/mgmt.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c +index 5340b1097afb..e9a4f11278d9 100644 +--- a/net/bluetooth/mgmt.c ++++ b/net/bluetooth/mgmt.c +@@ -6468,6 +6468,9 @@ static bool tlv_data_is_valid(struct hci_dev *hdev, u32 adv_flags, u8 *data, + for (i = 0, cur_len = 0; i < len; i += (cur_len + 1)) { + cur_len = data[i]; + ++ if (!cur_len) ++ continue; ++ + if (data[i + 1] == EIR_FLAGS && + (!is_adv_data || flags_managed(adv_flags))) + return false; +-- +2.30.2 + diff --git a/queue-4.19/bpf-do-not-change-gso_size-during-bpf_skb_change_pro.patch b/queue-4.19/bpf-do-not-change-gso_size-during-bpf_skb_change_pro.patch new file mode 100644 index 00000000000..12e314c61ee --- /dev/null +++ b/queue-4.19/bpf-do-not-change-gso_size-during-bpf_skb_change_pro.patch @@ -0,0 +1,145 @@ +From 9476605672556fd70d32ca6cd47700098f210806 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 17:09:51 -0700 +Subject: bpf: Do not change gso_size during bpf_skb_change_proto() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Żenczykowski + +[ Upstream commit 364745fbe981a4370f50274475da4675661104df ] + +This is technically a backwards incompatible change in behaviour, but I'm +going to argue that it is very unlikely to break things, and likely to fix +*far* more then it breaks. + +In no particular order, various reasons follow: + +(a) I've long had a bug assigned to myself to debug a super rare kernel crash +on Android Pixel phones which can (per stacktrace) be traced back to BPF clat +IPv6 to IPv4 protocol conversion causing some sort of ugly failure much later +on during transmit deep in the GSO engine, AFAICT precisely because of this +change to gso_size, though I've never been able to manually reproduce it. I +believe it may be related to the particular network offload support of attached +USB ethernet dongle being used for tethering off of an IPv6-only cellular +connection. The reason might be we end up with more segments than max permitted, +or with a GSO packet with only one segment... (either way we break some +assumption and hit a BUG_ON) + +(b) There is no check that the gso_size is > 20 when reducing it by 20, so we +might end up with a negative (or underflowing) gso_size or a gso_size of 0. +This can't possibly be good. Indeed this is probably somehow exploitable (or +at least can result in a kernel crash) by delivering crafted packets and perhaps +triggering an infinite loop or a divide by zero... As a reminder: gso_size (MSS) +is related to MTU, but not directly derived from it: gso_size/MSS may be +significantly smaller then one would get by deriving from local MTU. And on +some NICs (which do loose MTU checking on receive, it may even potentially be +larger, for example my work pc with 1500 MTU can receive 1520 byte frames [and +sometimes does due to bugs in a vendor plat46 implementation]). Indeed even just +going from 21 to 1 is potentially problematic because it increases the number +of segments by a factor of 21 (think DoS, or some other crash due to too many +segments). + +(c) It's always safe to not increase the gso_size, because it doesn't result in +the max packet size increasing. So the skb_increase_gso_size() call was always +unnecessary for correctness (and outright undesirable, see later). As such the +only part which is potentially dangerous (ie. could cause backwards compatibility +issues) is the removal of the skb_decrease_gso_size() call. + +(d) If the packets are ultimately destined to the local device, then there is +absolutely no benefit to playing around with gso_size. It only matters if the +packets will egress the device. ie. we're either forwarding, or transmitting +from the device. + +(e) This logic only triggers for packets which are GSO. It does not trigger for +skbs which are not GSO. It will not convert a non-GSO MTU sized packet into a +GSO packet (and you don't even know what the MTU is, so you can't even fix it). +As such your transmit path must *already* be able to handle an MTU 20 bytes +larger then your receive path (for IPv4 to IPv6 translation) - and indeed 28 +bytes larger due to IPv4 fragments. Thus removing the skb_decrease_gso_size() +call doesn't actually increase the size of the packets your transmit side must +be able to handle. ie. to handle non-GSO max-MTU packets, the IPv4/IPv6 device/ +route MTUs must already be set correctly. Since for example with an IPv4 egress +MTU of 1500, IPv4 to IPv6 translation will already build 1520 byte IPv6 frames, +so you need a 1520 byte device MTU. This means if your IPv6 device's egress +MTU is 1280, your IPv4 route must be 1260 (and actually 1252, because of the +need to handle fragments). This is to handle normal non-GSO packets. Thus the +reduction is simply not needed for GSO packets, because when they're correctly +built, they will already be the right size. + +(f) TSO/GSO should be able to exactly undo GRO: the number of packets (TCP +segments) should not be modified, so that TCP's MSS counting works correctly +(this matters for congestion control). If protocol conversion changes the +gso_size, then the number of TCP segments may increase or decrease. Packet loss +after protocol conversion can result in partial loss of MSS segments that the +sender sent. How's the sending TCP stack going to react to receiving ACKs/SACKs +in the middle of the segments it sent? + +(g) skb_{decrease,increase}_gso_size() are already no-ops for GSO_BY_FRAGS +case (besides triggering WARN_ON_ONCE). This means you already cannot guarantee +that gso_size (and thus resulting packet MTU) is changed. ie. you must assume +it won't be changed. + +(h) changing gso_size is outright buggy for UDP GSO packets, where framing +matters (I believe that's also the case for SCTP, but it's already excluded +by [g]). So the only remaining case is TCP, which also doesn't want it +(see [f]). + +(i) see also the reasoning on the previous attempt at fixing this +(commit fa7b83bf3b156c767f3e4a25bbf3817b08f3ff8e) which shows that the current +behaviour causes TCP packet loss: + + In the forwarding path GRO -> BPF 6 to 4 -> GSO for TCP traffic, the + coalesced packet payload can be > MSS, but < MSS + 20. + + bpf_skb_proto_6_to_4() will upgrade the MSS and it can be > the payload + length. After then tcp_gso_segment checks for the payload length if it + is <= MSS. The condition is causing the packet to be dropped. + + tcp_gso_segment(): + [...] + mss = skb_shinfo(skb)->gso_size; + if (unlikely(skb->len <= mss)) goto out; + [...] + +Thus changing the gso_size is simply a very bad idea. Increasing is unnecessary +and buggy, and decreasing can go negative. + +Fixes: 6578171a7ff0 ("bpf: add bpf_skb_change_proto helper") +Signed-off-by: Maciej Żenczykowski +Signed-off-by: Daniel Borkmann +Cc: Dongseok Yi +Cc: Willem de Bruijn +Link: https://lore.kernel.org/bpf/CANP3RGfjLikQ6dg=YpBU0OeHvyv7JOki7CyOUS9modaXAi-9vQ@mail.gmail.com +Link: https://lore.kernel.org/bpf/20210617000953.2787453-2-zenczykowski@gmail.com +Signed-off-by: Sasha Levin +--- + net/core/filter.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/net/core/filter.c b/net/core/filter.c +index 01561268d216..01496c7cb42d 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -2639,8 +2639,6 @@ static int bpf_skb_proto_4_to_6(struct sk_buff *skb) + shinfo->gso_type |= SKB_GSO_TCPV6; + } + +- /* Due to IPv6 header, MSS needs to be downgraded. */ +- skb_decrease_gso_size(shinfo, len_diff); + /* Header must be checked, and gso_segs recomputed. */ + shinfo->gso_type |= SKB_GSO_DODGY; + shinfo->gso_segs = 0; +@@ -2680,8 +2678,6 @@ static int bpf_skb_proto_6_to_4(struct sk_buff *skb) + shinfo->gso_type |= SKB_GSO_TCPV4; + } + +- /* Due to IPv4 header, MSS can be upgraded. */ +- skb_increase_gso_size(shinfo, len_diff); + /* Header must be checked, and gso_segs recomputed. */ + shinfo->gso_type |= SKB_GSO_DODGY; + shinfo->gso_segs = 0; +-- +2.30.2 + diff --git a/queue-4.19/brcmfmac-correctly-report-average-rssi-in-station-in.patch b/queue-4.19/brcmfmac-correctly-report-average-rssi-in-station-in.patch new file mode 100644 index 00000000000..b3d1eba8525 --- /dev/null +++ b/queue-4.19/brcmfmac-correctly-report-average-rssi-in-station-in.patch @@ -0,0 +1,87 @@ +From 781792ae88f168c388ebd094b05971bcfa47900e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 May 2021 13:20:12 +0000 +Subject: brcmfmac: correctly report average RSSI in station info +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alvin Šipraga + +[ Upstream commit 9a1590934d9a02e570636432b93052c0c035f31f ] + +The rx_lastpkt_rssi field provided by the firmware is suitable for +NL80211_STA_INFO_{SIGNAL,CHAIN_SIGNAL}, while the rssi field is an +average. Fix up the assignments and set the correct STA_INFO bits. This +lets userspace know that the average RSSI is part of the station info. + +Fixes: cae355dc90db ("brcmfmac: Add RSSI information to get_station.") +Signed-off-by: Alvin Šipraga +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210506132010.3964484-2-alsi@bang-olufsen.dk +Signed-off-by: Sasha Levin +--- + .../broadcom/brcm80211/brcmfmac/cfg80211.c | 36 ++++++++++--------- + 1 file changed, 20 insertions(+), 16 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +index de8fd5780932..75790b13c962 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +@@ -2543,8 +2543,9 @@ brcmf_cfg80211_get_station(struct wiphy *wiphy, struct net_device *ndev, + struct brcmf_sta_info_le sta_info_le; + u32 sta_flags; + u32 is_tdls_peer; +- s32 total_rssi; +- s32 count_rssi; ++ s32 total_rssi_avg = 0; ++ s32 total_rssi = 0; ++ s32 count_rssi = 0; + int rssi; + u32 i; + +@@ -2610,24 +2611,27 @@ brcmf_cfg80211_get_station(struct wiphy *wiphy, struct net_device *ndev, + sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_BYTES); + sinfo->rx_bytes = le64_to_cpu(sta_info_le.rx_tot_bytes); + } +- total_rssi = 0; +- count_rssi = 0; + for (i = 0; i < BRCMF_ANT_MAX; i++) { +- if (sta_info_le.rssi[i]) { +- sinfo->chains |= BIT(count_rssi); +- sinfo->chain_signal_avg[count_rssi] = +- sta_info_le.rssi[i]; +- sinfo->chain_signal[count_rssi] = +- sta_info_le.rssi[i]; +- total_rssi += sta_info_le.rssi[i]; +- count_rssi++; +- } ++ if (sta_info_le.rssi[i] == 0 || ++ sta_info_le.rx_lastpkt_rssi[i] == 0) ++ continue; ++ sinfo->chains |= BIT(count_rssi); ++ sinfo->chain_signal[count_rssi] = ++ sta_info_le.rx_lastpkt_rssi[i]; ++ sinfo->chain_signal_avg[count_rssi] = ++ sta_info_le.rssi[i]; ++ total_rssi += sta_info_le.rx_lastpkt_rssi[i]; ++ total_rssi_avg += sta_info_le.rssi[i]; ++ count_rssi++; + } + if (count_rssi) { +- sinfo->filled |= BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL); + sinfo->filled |= BIT_ULL(NL80211_STA_INFO_SIGNAL); +- total_rssi /= count_rssi; +- sinfo->signal = total_rssi; ++ sinfo->filled |= BIT_ULL(NL80211_STA_INFO_SIGNAL_AVG); ++ sinfo->filled |= BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL); ++ sinfo->filled |= ++ BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG); ++ sinfo->signal = total_rssi / count_rssi; ++ sinfo->signal_avg = total_rssi_avg / count_rssi; + } else if (test_bit(BRCMF_VIF_STATUS_CONNECTED, + &ifp->vif->sme_state)) { + memset(&scb_val, 0, sizeof(scb_val)); +-- +2.30.2 + diff --git a/queue-4.19/brcmfmac-fix-setting-of-station-info-chains-bitmask.patch b/queue-4.19/brcmfmac-fix-setting-of-station-info-chains-bitmask.patch new file mode 100644 index 00000000000..8ce90b46938 --- /dev/null +++ b/queue-4.19/brcmfmac-fix-setting-of-station-info-chains-bitmask.patch @@ -0,0 +1,61 @@ +From 662a644aeacb76b46d9dbba5bb81125682795703 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 May 2021 13:20:12 +0000 +Subject: brcmfmac: fix setting of station info chains bitmask +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alvin Šipraga + +[ Upstream commit feb45643762172110cb3a44f99dd54304f33b711 ] + +The sinfo->chains field is a bitmask for filled values in chain_signal +and chain_signal_avg, not a count. Treat it as such so that the driver +can properly report per-chain RSSI information. + +Before (MIMO mode): + + $ iw dev wlan0 station dump + ... + signal: -51 [-51] dBm + +After (MIMO mode): + + $ iw dev wlan0 station dump + ... + signal: -53 [-53, -54] dBm + +Fixes: cae355dc90db ("brcmfmac: Add RSSI information to get_station.") +Signed-off-by: Alvin Šipraga +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210506132010.3964484-1-alsi@bang-olufsen.dk +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +index 96dc9e5ab23f..de8fd5780932 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +@@ -2614,6 +2614,7 @@ brcmf_cfg80211_get_station(struct wiphy *wiphy, struct net_device *ndev, + count_rssi = 0; + for (i = 0; i < BRCMF_ANT_MAX; i++) { + if (sta_info_le.rssi[i]) { ++ sinfo->chains |= BIT(count_rssi); + sinfo->chain_signal_avg[count_rssi] = + sta_info_le.rssi[i]; + sinfo->chain_signal[count_rssi] = +@@ -2624,8 +2625,6 @@ brcmf_cfg80211_get_station(struct wiphy *wiphy, struct net_device *ndev, + } + if (count_rssi) { + sinfo->filled |= BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL); +- sinfo->chains = count_rssi; +- + sinfo->filled |= BIT_ULL(NL80211_STA_INFO_SIGNAL); + total_rssi /= count_rssi; + sinfo->signal = total_rssi; +-- +2.30.2 + diff --git a/queue-4.19/brcmsmac-mac80211_if-fix-a-resource-leak-in-an-error.patch b/queue-4.19/brcmsmac-mac80211_if-fix-a-resource-leak-in-an-error.patch new file mode 100644 index 00000000000..bb0d92e8f1f --- /dev/null +++ b/queue-4.19/brcmsmac-mac80211_if-fix-a-resource-leak-in-an-error.patch @@ -0,0 +1,55 @@ +From aeaaa256001c4b60f96b3380fffd0acb2eaaa6cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 May 2021 22:58:30 +0200 +Subject: brcmsmac: mac80211_if: Fix a resource leak in an error handling path + +From: Christophe JAILLET + +[ Upstream commit 9a25344d5177c2b9285532236dc3d10a091f39a8 ] + +If 'brcms_attach()' fails, we must undo the previous 'ieee80211_alloc_hw()' +as already done in the remove function. + +Fixes: 5b435de0d786 ("net: wireless: add brcm80211 drivers") +Signed-off-by: Christophe JAILLET +Acked-by: Arend van Spriel +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/8fbc171a1a493b38db5a6f0873c6021fca026a6c.1620852921.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + .../wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c +index 6188275b17e5..288d4d4d4454 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c +@@ -1223,6 +1223,7 @@ static int brcms_bcma_probe(struct bcma_device *pdev) + { + struct brcms_info *wl; + struct ieee80211_hw *hw; ++ int ret; + + dev_info(&pdev->dev, "mfg %x core %x rev %d class %d irq %d\n", + pdev->id.manuf, pdev->id.id, pdev->id.rev, pdev->id.class, +@@ -1247,11 +1248,16 @@ static int brcms_bcma_probe(struct bcma_device *pdev) + wl = brcms_attach(pdev); + if (!wl) { + pr_err("%s: brcms_attach failed!\n", __func__); +- return -ENODEV; ++ ret = -ENODEV; ++ goto err_free_ieee80211; + } + brcms_led_register(wl); + + return 0; ++ ++err_free_ieee80211: ++ ieee80211_free_hw(hw); ++ return ret; + } + + static int brcms_suspend(struct bcma_device *pdev) +-- +2.30.2 + diff --git a/queue-4.19/btrfs-abort-transaction-if-we-fail-to-update-the-del.patch b/queue-4.19/btrfs-abort-transaction-if-we-fail-to-update-the-del.patch new file mode 100644 index 00000000000..fff2b00095c --- /dev/null +++ b/queue-4.19/btrfs-abort-transaction-if-we-fail-to-update-the-del.patch @@ -0,0 +1,43 @@ +From 2e9715e2fc94d0d8636cae476866ef90ae828d7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 May 2021 16:44:09 -0400 +Subject: btrfs: abort transaction if we fail to update the delayed inode + +From: Josef Bacik + +[ Upstream commit 04587ad9bef6ce9d510325b4ba9852b6129eebdb ] + +If we fail to update the delayed inode we need to abort the transaction, +because we could leave an inode with the improper counts or some other +such corruption behind. + +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/delayed-inode.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c +index f3994ee1a6e6..1fbe2dee1e70 100644 +--- a/fs/btrfs/delayed-inode.c ++++ b/fs/btrfs/delayed-inode.c +@@ -1071,6 +1071,14 @@ err_out: + btrfs_delayed_inode_release_metadata(fs_info, node, (ret < 0)); + btrfs_release_delayed_inode(node); + ++ /* ++ * If we fail to update the delayed inode we need to abort the ++ * transaction, because we could leave the inode with the improper ++ * counts behind. ++ */ ++ if (ret && ret != -ENOENT) ++ btrfs_abort_transaction(trans, ret); ++ + return ret; + + search: +-- +2.30.2 + diff --git a/queue-4.19/btrfs-clear-log-tree-recovering-status-if-starting-t.patch b/queue-4.19/btrfs-clear-log-tree-recovering-status-if-starting-t.patch new file mode 100644 index 00000000000..380ae99dd40 --- /dev/null +++ b/queue-4.19/btrfs-clear-log-tree-recovering-status-if-starting-t.patch @@ -0,0 +1,44 @@ +From 0547d2c7261f6e70b13555897d764e41b878bfe6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jul 2020 18:38:05 +0200 +Subject: btrfs: clear log tree recovering status if starting transaction fails + +From: David Sterba + +[ Upstream commit 1aeb6b563aea18cd55c73cf666d1d3245a00f08c ] + +When a log recovery is in progress, lots of operations have to take that +into account, so we keep this status per tree during the operation. Long +time ago error handling revamp patch 79787eaab461 ("btrfs: replace many +BUG_ONs with proper error handling") removed clearing of the status in +an error branch. Add it back as was intended in e02119d5a7b4 ("Btrfs: +Add a write ahead tree log to optimize synchronous operations"). + +There are probably no visible effects, log replay is done only during +mount and if it fails all structures are cleared so the stale status +won't be kept. + +Fixes: 79787eaab461 ("btrfs: replace many BUG_ONs with proper error handling") +Reviewed-by: Qu Wenruo +Reviewed-by: Anand Jain +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/tree-log.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index 93e59ce00174..3a7b7e9cb889 100644 +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -5970,6 +5970,7 @@ next: + error: + if (wc.trans) + btrfs_end_transaction(wc.trans); ++ clear_bit(BTRFS_FS_LOG_RECOVERING, &fs_info->flags); + btrfs_free_path(path); + return ret; + } +-- +2.30.2 + diff --git a/queue-4.19/btrfs-disable-build-on-platforms-having-page-size-25.patch b/queue-4.19/btrfs-disable-build-on-platforms-having-page-size-25.patch new file mode 100644 index 00000000000..2a96a12819e --- /dev/null +++ b/queue-4.19/btrfs-disable-build-on-platforms-having-page-size-25.patch @@ -0,0 +1,54 @@ +From dd190d70bf5ef6a3997ba9591105c348d9805ccf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jun 2021 05:23:02 +0000 +Subject: btrfs: disable build on platforms having page size 256K + +From: Christophe Leroy + +[ Upstream commit b05fbcc36be1f8597a1febef4892053a0b2f3f60 ] + +With a config having PAGE_SIZE set to 256K, BTRFS build fails +with the following message + + include/linux/compiler_types.h:326:38: error: call to + '__compiletime_assert_791' declared with attribute error: + BUILD_BUG_ON failed: (BTRFS_MAX_COMPRESSED % PAGE_SIZE) != 0 + +BTRFS_MAX_COMPRESSED being 128K, BTRFS cannot support platforms with +256K pages at the time being. + +There are two platforms that can select 256K pages: + - hexagon + - powerpc + +Disable BTRFS when 256K page size is selected. Supporting this would +require changes to the subpage mode that's currently being developed. +Given that 256K is many times larger than page sizes commonly used and +for what the algorithms and structures have been tuned, it's out of +scope and disabling build is a reasonable option. + +Reported-by: kernel test robot +Signed-off-by: Christophe Leroy +[ update changelog ] +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/Kconfig | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/btrfs/Kconfig b/fs/btrfs/Kconfig +index 23537bc8c827..7233127bb93a 100644 +--- a/fs/btrfs/Kconfig ++++ b/fs/btrfs/Kconfig +@@ -12,6 +12,8 @@ config BTRFS_FS + select RAID6_PQ + select XOR_BLOCKS + select SRCU ++ depends on !PPC_256K_PAGES # powerpc ++ depends on !PAGE_SIZE_256KB # hexagon + + help + Btrfs is a general purpose copy-on-write filesystem with extents, +-- +2.30.2 + diff --git a/queue-4.19/btrfs-fix-error-handling-in-__btrfs_update_delayed_i.patch b/queue-4.19/btrfs-fix-error-handling-in-__btrfs_update_delayed_i.patch new file mode 100644 index 00000000000..883499aff1d --- /dev/null +++ b/queue-4.19/btrfs-fix-error-handling-in-__btrfs_update_delayed_i.patch @@ -0,0 +1,73 @@ +From fee8702fa8eb0993190f01baa80bf09ba1336d50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 May 2021 16:44:08 -0400 +Subject: btrfs: fix error handling in __btrfs_update_delayed_inode + +From: Josef Bacik + +[ Upstream commit bb385bedded3ccbd794559600de4a09448810f4a ] + +If we get an error while looking up the inode item we'll simply bail +without cleaning up the delayed node. This results in this style of +warning happening on commit: + + WARNING: CPU: 0 PID: 76403 at fs/btrfs/delayed-inode.c:1365 btrfs_assert_delayed_root_empty+0x5b/0x90 + CPU: 0 PID: 76403 Comm: fsstress Tainted: G W 5.13.0-rc1+ #373 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014 + RIP: 0010:btrfs_assert_delayed_root_empty+0x5b/0x90 + RSP: 0018:ffffb8bb815a7e50 EFLAGS: 00010286 + RAX: 0000000000000000 RBX: ffff95d6d07e1888 RCX: ffff95d6c0fa3000 + RDX: 0000000000000002 RSI: 000000000029e91c RDI: ffff95d6c0fc8060 + RBP: ffff95d6c0fc8060 R08: 00008d6d701a2c1d R09: 0000000000000000 + R10: ffff95d6d1760ea0 R11: 0000000000000001 R12: ffff95d6c15a4d00 + R13: ffff95d6c0fa3000 R14: 0000000000000000 R15: ffffb8bb815a7e90 + FS: 00007f490e8dbb80(0000) GS:ffff95d73bc00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007f6e75555cb0 CR3: 00000001101ce001 CR4: 0000000000370ef0 + Call Trace: + btrfs_commit_transaction+0x43c/0xb00 + ? finish_wait+0x80/0x80 + ? vfs_fsync_range+0x90/0x90 + iterate_supers+0x8c/0x100 + ksys_sync+0x50/0x90 + __do_sys_sync+0xa/0x10 + do_syscall_64+0x3d/0x80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Because the iref isn't dropped and this leaves an elevated node->count, +so any release just re-queues it onto the delayed inodes list. Fix this +by going to the out label to handle the proper cleanup of the delayed +node. + +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/delayed-inode.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c +index fea5ccfade5c..f3994ee1a6e6 100644 +--- a/fs/btrfs/delayed-inode.c ++++ b/fs/btrfs/delayed-inode.c +@@ -1030,12 +1030,10 @@ static int __btrfs_update_delayed_inode(struct btrfs_trans_handle *trans, + nofs_flag = memalloc_nofs_save(); + ret = btrfs_lookup_inode(trans, root, path, &key, mod); + memalloc_nofs_restore(nofs_flag); +- if (ret > 0) { +- btrfs_release_path(path); +- return -ENOENT; +- } else if (ret < 0) { +- return ret; +- } ++ if (ret > 0) ++ ret = -ENOENT; ++ if (ret < 0) ++ goto out; + + leaf = path->nodes[0]; + inode_item = btrfs_item_ptr(leaf, path->slots[0], +-- +2.30.2 + diff --git a/queue-4.19/btrfs-fix-the-filemap_range_has_page-call-in-btrfs_p.patch b/queue-4.19/btrfs-fix-the-filemap_range_has_page-call-in-btrfs_p.patch new file mode 100644 index 00000000000..fbf879d08ee --- /dev/null +++ b/queue-4.19/btrfs-fix-the-filemap_range_has_page-call-in-btrfs_p.patch @@ -0,0 +1,104 @@ +From dc680db8555a55fc2c6a357d10caaf015e233dc8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 May 2021 16:50:54 +0800 +Subject: btrfs: fix the filemap_range_has_page() call in + btrfs_punch_hole_lock_range() + +From: Qu Wenruo + +[ Upstream commit 0528476b6ac7832f31e2ed740a57ae31316b124e ] + +[BUG] +With current subpage RW support, the following script can hang the fs +with 64K page size. + + # mkfs.btrfs -f -s 4k $dev + # mount $dev -o nospace_cache $mnt + # fsstress -w -n 50 -p 1 -s 1607749395 -d $mnt + +The kernel will do an infinite loop in btrfs_punch_hole_lock_range(). + +[CAUSE] +In btrfs_punch_hole_lock_range() we: + +- Truncate page cache range +- Lock extent io tree +- Wait any ordered extents in the range. + +We exit the loop until we meet all the following conditions: + +- No ordered extent in the lock range +- No page is in the lock range + +The latter condition has a pitfall, it only works for sector size == +PAGE_SIZE case. + +While can't handle the following subpage case: + + 0 32K 64K 96K 128K + | |///////||//////| || + +lockstart=32K +lockend=96K - 1 + +In this case, although the range crosses 2 pages, +truncate_pagecache_range() will invalidate no page at all, but only zero +the [32K, 96K) range of the two pages. + +Thus filemap_range_has_page(32K, 96K-1) will always return true, thus we +will never meet the loop exit condition. + +[FIX] +Fix the problem by doing page alignment for the lock range. + +Function filemap_range_has_page() has already handled lend < lstart +case, we only need to round up @lockstart, and round_down @lockend for +truncate_pagecache_range(). + +This modification should not change any thing for sector size == +PAGE_SIZE case, as in that case our range is already page aligned. + +Tested-by: Ritesh Harjani # [ppc64] +Tested-by: Anand Jain # [aarch64] +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/file.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c +index 41ad37f8062a..cfbe2961bd1d 100644 +--- a/fs/btrfs/file.c ++++ b/fs/btrfs/file.c +@@ -2444,6 +2444,17 @@ static int btrfs_punch_hole_lock_range(struct inode *inode, + const u64 lockend, + struct extent_state **cached_state) + { ++ /* ++ * For subpage case, if the range is not at page boundary, we could ++ * have pages at the leading/tailing part of the range. ++ * This could lead to dead loop since filemap_range_has_page() ++ * will always return true. ++ * So here we need to do extra page alignment for ++ * filemap_range_has_page(). ++ */ ++ const u64 page_lockstart = round_up(lockstart, PAGE_SIZE); ++ const u64 page_lockend = round_down(lockend + 1, PAGE_SIZE) - 1; ++ + while (1) { + struct btrfs_ordered_extent *ordered; + int ret; +@@ -2463,7 +2474,7 @@ static int btrfs_punch_hole_lock_range(struct inode *inode, + (ordered->file_offset + ordered->len <= lockstart || + ordered->file_offset > lockend)) && + !filemap_range_has_page(inode->i_mapping, +- lockstart, lockend)) { ++ page_lockstart, page_lockend)) { + if (ordered) + btrfs_put_ordered_extent(ordered); + break; +-- +2.30.2 + diff --git a/queue-4.19/char-pcmcia-error-out-if-num_bytes_read-is-greater-t.patch b/queue-4.19/char-pcmcia-error-out-if-num_bytes_read-is-greater-t.patch new file mode 100644 index 00000000000..94d49dfbddb --- /dev/null +++ b/queue-4.19/char-pcmcia-error-out-if-num_bytes_read-is-greater-t.patch @@ -0,0 +1,41 @@ +From cb568991738876d366b03c4fe0828a0c90a3e33e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 May 2021 20:06:17 +0800 +Subject: char: pcmcia: error out if 'num_bytes_read' is greater than 4 in + set_protocol() + +From: Yu Kuai + +[ Upstream commit 37188559c610f1b7eec83c8e448936c361c578de ] + +Theoretically, it will cause index out of bounds error if +'num_bytes_read' is greater than 4. As we expect it(and was tested) +never to be greater than 4, error out if it happens. + +Fixes: c1986ee9bea3 ("[PATCH] New Omnikey Cardman 4000 driver") +Signed-off-by: Yu Kuai +Link: https://lore.kernel.org/r/20210521120617.138396-1-yukuai3@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/char/pcmcia/cm4000_cs.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/char/pcmcia/cm4000_cs.c b/drivers/char/pcmcia/cm4000_cs.c +index a219964cb770..cdc72db29ae0 100644 +--- a/drivers/char/pcmcia/cm4000_cs.c ++++ b/drivers/char/pcmcia/cm4000_cs.c +@@ -544,6 +544,10 @@ static int set_protocol(struct cm4000_dev *dev, struct ptsreq *ptsreq) + io_read_num_rec_bytes(iobase, &num_bytes_read); + if (num_bytes_read >= 4) { + DEBUGP(2, dev, "NumRecBytes = %i\n", num_bytes_read); ++ if (num_bytes_read > 4) { ++ rc = -EIO; ++ goto exit_setprotocol; ++ } + break; + } + mdelay(10); +-- +2.30.2 + diff --git a/queue-4.19/clocksource-retry-clock-read-if-long-delays-detected.patch b/queue-4.19/clocksource-retry-clock-read-if-long-delays-detected.patch new file mode 100644 index 00000000000..ddbf736116c --- /dev/null +++ b/queue-4.19/clocksource-retry-clock-read-if-long-delays-detected.patch @@ -0,0 +1,144 @@ +From ddf8bef1e538d0050099f0475785c0cebb097c29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 May 2021 12:01:19 -0700 +Subject: clocksource: Retry clock read if long delays detected + +From: Paul E. McKenney + +[ Upstream commit db3a34e17433de2390eb80d436970edcebd0ca3e ] + +When the clocksource watchdog marks a clock as unstable, this might be due +to that clock being unstable or it might be due to delays that happen to +occur between the reads of the two clocks. Yes, interrupts are disabled +across those two reads, but there are no shortage of things that can delay +interrupts-disabled regions of code ranging from SMI handlers to vCPU +preemption. It would be good to have some indication as to why the clock +was marked unstable. + +Therefore, re-read the watchdog clock on either side of the read from the +clock under test. If the watchdog clock shows an excessive time delta +between its pair of reads, the reads are retried. + +The maximum number of retries is specified by a new kernel boot parameter +clocksource.max_cswd_read_retries, which defaults to three, that is, up to +four reads, one initial and up to three retries. If more than one retry +was required, a message is printed on the console (the occasional single +retry is expected behavior, especially in guest OSes). If the maximum +number of retries is exceeded, the clock under test will be marked +unstable. However, the probability of this happening due to various sorts +of delays is quite small. In addition, the reason (clock-read delays) for +the unstable marking will be apparent. + +Reported-by: Chris Mason +Signed-off-by: Paul E. McKenney +Signed-off-by: Thomas Gleixner +Acked-by: Feng Tang +Link: https://lore.kernel.org/r/20210527190124.440372-1-paulmck@kernel.org +Signed-off-by: Sasha Levin +--- + .../admin-guide/kernel-parameters.txt | 6 +++ + kernel/time/clocksource.c | 53 ++++++++++++++++--- + 2 files changed, 53 insertions(+), 6 deletions(-) + +diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt +index 558332df02a8..6795e9d187d0 100644 +--- a/Documentation/admin-guide/kernel-parameters.txt ++++ b/Documentation/admin-guide/kernel-parameters.txt +@@ -558,6 +558,12 @@ + loops can be debugged more effectively on production + systems. + ++ clocksource.max_cswd_read_retries= [KNL] ++ Number of clocksource_watchdog() retries due to ++ external delays before the clock will be marked ++ unstable. Defaults to three retries, that is, ++ four attempts to read the clock under test. ++ + clearcpuid=BITNUM[,BITNUM...] [X86] + Disable CPUID feature X for the kernel. See + arch/x86/include/asm/cpufeatures.h for the valid bit +diff --git a/kernel/time/clocksource.c b/kernel/time/clocksource.c +index f80bb104c41a..221f8e7464c5 100644 +--- a/kernel/time/clocksource.c ++++ b/kernel/time/clocksource.c +@@ -142,6 +142,13 @@ static void __clocksource_change_rating(struct clocksource *cs, int rating); + #define WATCHDOG_INTERVAL (HZ >> 1) + #define WATCHDOG_THRESHOLD (NSEC_PER_SEC >> 4) + ++/* ++ * Maximum permissible delay between two readouts of the watchdog ++ * clocksource surrounding a read of the clocksource being validated. ++ * This delay could be due to SMIs, NMIs, or to VCPU preemptions. ++ */ ++#define WATCHDOG_MAX_SKEW (100 * NSEC_PER_USEC) ++ + static void clocksource_watchdog_work(struct work_struct *work) + { + /* +@@ -202,12 +209,45 @@ void clocksource_mark_unstable(struct clocksource *cs) + spin_unlock_irqrestore(&watchdog_lock, flags); + } + ++static ulong max_cswd_read_retries = 3; ++module_param(max_cswd_read_retries, ulong, 0644); ++ ++static bool cs_watchdog_read(struct clocksource *cs, u64 *csnow, u64 *wdnow) ++{ ++ unsigned int nretries; ++ u64 wd_end, wd_delta; ++ int64_t wd_delay; ++ ++ for (nretries = 0; nretries <= max_cswd_read_retries; nretries++) { ++ local_irq_disable(); ++ *wdnow = watchdog->read(watchdog); ++ *csnow = cs->read(cs); ++ wd_end = watchdog->read(watchdog); ++ local_irq_enable(); ++ ++ wd_delta = clocksource_delta(wd_end, *wdnow, watchdog->mask); ++ wd_delay = clocksource_cyc2ns(wd_delta, watchdog->mult, ++ watchdog->shift); ++ if (wd_delay <= WATCHDOG_MAX_SKEW) { ++ if (nretries > 1 || nretries >= max_cswd_read_retries) { ++ pr_warn("timekeeping watchdog on CPU%d: %s retried %d times before success\n", ++ smp_processor_id(), watchdog->name, nretries); ++ } ++ return true; ++ } ++ } ++ ++ pr_warn("timekeeping watchdog on CPU%d: %s read-back delay of %lldns, attempt %d, marking unstable\n", ++ smp_processor_id(), watchdog->name, wd_delay, nretries); ++ return false; ++} ++ + static void clocksource_watchdog(struct timer_list *unused) + { +- struct clocksource *cs; + u64 csnow, wdnow, cslast, wdlast, delta; +- int64_t wd_nsec, cs_nsec; + int next_cpu, reset_pending; ++ int64_t wd_nsec, cs_nsec; ++ struct clocksource *cs; + + spin_lock(&watchdog_lock); + if (!watchdog_running) +@@ -224,10 +264,11 @@ static void clocksource_watchdog(struct timer_list *unused) + continue; + } + +- local_irq_disable(); +- csnow = cs->read(cs); +- wdnow = watchdog->read(watchdog); +- local_irq_enable(); ++ if (!cs_watchdog_read(cs, &csnow, &wdnow)) { ++ /* Clock readout unreliable, so give it up. */ ++ __clocksource_unstable(cs); ++ continue; ++ } + + /* Clocksource initialized ? */ + if (!(cs->flags & CLOCK_SOURCE_WATCHDOG) || +-- +2.30.2 + diff --git a/queue-4.19/configfs-fix-memleak-in-configfs_release_bin_file.patch b/queue-4.19/configfs-fix-memleak-in-configfs_release_bin_file.patch new file mode 100644 index 00000000000..6e4f59456ed --- /dev/null +++ b/queue-4.19/configfs-fix-memleak-in-configfs_release_bin_file.patch @@ -0,0 +1,47 @@ +From 1e151b93906acf00835e62691e2c5f2e1e7537f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jun 2021 15:59:25 +0800 +Subject: configfs: fix memleak in configfs_release_bin_file + +From: Chung-Chiang Cheng + +[ Upstream commit 3c252b087de08d3cb32468b54a158bd7ad0ae2f7 ] + +When reading binary attributes in progress, buffer->bin_buffer is setup in +configfs_read_bin_file() but never freed. + +Fixes: 03607ace807b4 ("configfs: implement binary attributes") +Signed-off-by: Chung-Chiang Cheng +[hch: move the vfree rather than duplicating it] +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + fs/configfs/file.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/fs/configfs/file.c b/fs/configfs/file.c +index 50b7c4c4310e..38eb80e29715 100644 +--- a/fs/configfs/file.c ++++ b/fs/configfs/file.c +@@ -496,13 +496,13 @@ static int configfs_release_bin_file(struct inode *inode, struct file *file) + buffer->bin_buffer_size); + } + up_read(&frag->frag_sem); +- /* vfree on NULL is safe */ +- vfree(buffer->bin_buffer); +- buffer->bin_buffer = NULL; +- buffer->bin_buffer_size = 0; +- buffer->needs_read_fill = 1; + } + ++ vfree(buffer->bin_buffer); ++ buffer->bin_buffer = NULL; ++ buffer->bin_buffer_size = 0; ++ buffer->needs_read_fill = 1; ++ + configfs_release(inode, file); + return 0; + } +-- +2.30.2 + diff --git a/queue-4.19/crypto-ccp-fix-a-resource-leak-in-an-error-handling-.patch b/queue-4.19/crypto-ccp-fix-a-resource-leak-in-an-error-handling-.patch new file mode 100644 index 00000000000..d3bc0c25574 --- /dev/null +++ b/queue-4.19/crypto-ccp-fix-a-resource-leak-in-an-error-handling-.patch @@ -0,0 +1,53 @@ +From 94cc1deb2350852171fdb32c549849f882d86e81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 May 2021 08:58:04 +0200 +Subject: crypto: ccp - Fix a resource leak in an error handling path + +From: Christophe JAILLET + +[ Upstream commit a6f8e68e238a15bb15f1726b35c695136c64eaba ] + +If an error occurs after calling 'sp_get_irqs()', 'sp_free_irqs()' must be +called as already done in the error handling path. + +Fixes: f4d18d656f88 ("crypto: ccp - Abstract interrupt registeration") +Signed-off-by: Christophe JAILLET +Acked-by: John Allen +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/ccp/sp-pci.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/ccp/sp-pci.c b/drivers/crypto/ccp/sp-pci.c +index 7da93e9bebed..9b2742212ea8 100644 +--- a/drivers/crypto/ccp/sp-pci.c ++++ b/drivers/crypto/ccp/sp-pci.c +@@ -216,7 +216,7 @@ static int sp_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id) + if (ret) { + dev_err(dev, "dma_set_mask_and_coherent failed (%d)\n", + ret); +- goto e_err; ++ goto free_irqs; + } + } + +@@ -224,12 +224,14 @@ static int sp_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id) + + ret = sp_init(sp); + if (ret) +- goto e_err; ++ goto free_irqs; + + dev_notice(dev, "enabled\n"); + + return 0; + ++free_irqs: ++ sp_free_irqs(sp); + e_err: + dev_notice(dev, "initialization failed\n"); + return ret; +-- +2.30.2 + diff --git a/queue-4.19/crypto-ixp4xx-dma_unmap-the-correct-address.patch b/queue-4.19/crypto-ixp4xx-dma_unmap-the-correct-address.patch new file mode 100644 index 00000000000..67ccaaef247 --- /dev/null +++ b/queue-4.19/crypto-ixp4xx-dma_unmap-the-correct-address.patch @@ -0,0 +1,38 @@ +From 281d767871e0e22069553c2705a7fd4809cd5f17 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 May 2021 20:26:08 +0000 +Subject: crypto: ixp4xx - dma_unmap the correct address + +From: Corentin Labbe + +[ Upstream commit 9395c58fdddd79cdd3882132cdd04e8ac7ad525f ] + +Testing ixp4xx_crypto with CONFIG_DMA_API_DEBUG lead to the following error: +DMA-API: platform ixp4xx_crypto.0: device driver tries to free DMA memory it has not allocated [device address=0x0000000000000000] [size=24 bytes] + +This is due to dma_unmap using the wrong address. + +Fixes: 0d44dc59b2b4 ("crypto: ixp4xx - Fix handling of chained sg buffers") +Signed-off-by: Corentin Labbe +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/ixp4xx_crypto.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/ixp4xx_crypto.c b/drivers/crypto/ixp4xx_crypto.c +index 9b7b8558db31..abb84996f2ca 100644 +--- a/drivers/crypto/ixp4xx_crypto.c ++++ b/drivers/crypto/ixp4xx_crypto.c +@@ -332,7 +332,7 @@ static void free_buf_chain(struct device *dev, struct buffer_desc *buf,u32 phys) + + buf1 = buf->next; + phys1 = buf->phys_next; +- dma_unmap_single(dev, buf->phys_next, buf->buf_len, buf->dir); ++ dma_unmap_single(dev, buf->phys_addr, buf->buf_len, buf->dir); + dma_pool_free(buffer_pool, buf, phys); + buf = buf1; + phys = phys1; +-- +2.30.2 + diff --git a/queue-4.19/crypto-nx-add-missing-module_device_table.patch b/queue-4.19/crypto-nx-add-missing-module_device_table.patch new file mode 100644 index 00000000000..66deba7b8bc --- /dev/null +++ b/queue-4.19/crypto-nx-add-missing-module_device_table.patch @@ -0,0 +1,36 @@ +From 900a6baf76656ff1eb101943174117dbae5d9d7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 May 2021 11:14:55 +0800 +Subject: crypto: nx - add missing MODULE_DEVICE_TABLE + +From: Bixuan Cui + +[ Upstream commit 06676aa1f455c74e3ad1624cea3acb9ed2ef71ae ] + +This patch adds missing MODULE_DEVICE_TABLE definition which generates +correct modalias for automatic loading of this driver when it is built +as an external module. + +Reported-by: Hulk Robot +Signed-off-by: Bixuan Cui +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/nx/nx-842-pseries.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/crypto/nx/nx-842-pseries.c b/drivers/crypto/nx/nx-842-pseries.c +index 66869976cfa2..fa40edae231e 100644 +--- a/drivers/crypto/nx/nx-842-pseries.c ++++ b/drivers/crypto/nx/nx-842-pseries.c +@@ -1086,6 +1086,7 @@ static const struct vio_device_id nx842_vio_driver_ids[] = { + {"ibm,compression-v1", "ibm,compression"}, + {"", ""}, + }; ++MODULE_DEVICE_TABLE(vio, nx842_vio_driver_ids); + + static struct vio_driver nx842_vio_driver = { + .name = KBUILD_MODNAME, +-- +2.30.2 + diff --git a/queue-4.19/crypto-nx-fix-rcu-warning-in-nx842_of_upd_status.patch b/queue-4.19/crypto-nx-fix-rcu-warning-in-nx842_of_upd_status.patch new file mode 100644 index 00000000000..aaca941b25f --- /dev/null +++ b/queue-4.19/crypto-nx-fix-rcu-warning-in-nx842_of_upd_status.patch @@ -0,0 +1,61 @@ +From d08052d0a3c8ae3df9b2da1c83ccf873b222c8e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jun 2021 15:57:12 +0800 +Subject: crypto: nx - Fix RCU warning in nx842_OF_upd_status + +From: Herbert Xu + +[ Upstream commit 2a96726bd0ccde4f12b9b9a9f61f7b1ac5af7e10 ] + +The function nx842_OF_upd_status triggers a sparse RCU warning when +it directly dereferences the RCU-protected devdata. This appears +to be an accident as there was another variable of the same name +that was passed in from the caller. + +After it was removed (because the main purpose of using it, to +update the status member was itself removed) the global variable +unintenionally stood in as its replacement. + +This patch restores the devdata parameter. + +Fixes: 90fd73f912f0 ("crypto: nx - remove pSeries NX 'status' field") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/nx/nx-842-pseries.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/crypto/nx/nx-842-pseries.c b/drivers/crypto/nx/nx-842-pseries.c +index fa40edae231e..41f4950c9fc6 100644 +--- a/drivers/crypto/nx/nx-842-pseries.c ++++ b/drivers/crypto/nx/nx-842-pseries.c +@@ -553,13 +553,15 @@ static int nx842_OF_set_defaults(struct nx842_devdata *devdata) + * The status field indicates if the device is enabled when the status + * is 'okay'. Otherwise the device driver will be disabled. + * +- * @prop - struct property point containing the maxsyncop for the update ++ * @devdata: struct nx842_devdata to use for dev_info ++ * @prop: struct property point containing the maxsyncop for the update + * + * Returns: + * 0 - Device is available + * -ENODEV - Device is not available + */ +-static int nx842_OF_upd_status(struct property *prop) ++static int nx842_OF_upd_status(struct nx842_devdata *devdata, ++ struct property *prop) + { + const char *status = (const char *)prop->value; + +@@ -773,7 +775,7 @@ static int nx842_OF_upd(struct property *new_prop) + goto out; + + /* Perform property updates */ +- ret = nx842_OF_upd_status(status); ++ ret = nx842_OF_upd_status(new_devdata, status); + if (ret) + goto error_out; + +-- +2.30.2 + diff --git a/queue-4.19/crypto-qat-check-return-code-of-qat_hal_rd_rel_reg.patch b/queue-4.19/crypto-qat-check-return-code-of-qat_hal_rd_rel_reg.patch new file mode 100644 index 00000000000..776d99a3f32 --- /dev/null +++ b/queue-4.19/crypto-qat-check-return-code-of-qat_hal_rd_rel_reg.patch @@ -0,0 +1,47 @@ +From 4357fc0677fe2291c3cd4bc1b8cd428d07ee88e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 May 2021 05:13:15 -0400 +Subject: crypto: qat - check return code of qat_hal_rd_rel_reg() + +From: Jack Xu + +[ Upstream commit 96b57229209490c8bca4335b01a426a96173dc56 ] + +Check the return code of the function qat_hal_rd_rel_reg() and return it +to the caller. + +This is to fix the following warning when compiling the driver with +clang scan-build: + + drivers/crypto/qat/qat_common/qat_hal.c:1436:2: warning: 6th function call argument is an uninitialized value + +Signed-off-by: Jack Xu +Co-developed-by: Zhehui Xiang +Signed-off-by: Zhehui Xiang +Reviewed-by: Giovanni Cabiddu +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/qat/qat_common/qat_hal.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/crypto/qat/qat_common/qat_hal.c b/drivers/crypto/qat/qat_common/qat_hal.c +index dac130bb807a..eda692271f0c 100644 +--- a/drivers/crypto/qat/qat_common/qat_hal.c ++++ b/drivers/crypto/qat/qat_common/qat_hal.c +@@ -1256,7 +1256,11 @@ static int qat_hal_put_rel_wr_xfer(struct icp_qat_fw_loader_handle *handle, + pr_err("QAT: bad xfrAddr=0x%x\n", xfr_addr); + return -EINVAL; + } +- qat_hal_rd_rel_reg(handle, ae, ctx, ICP_GPB_REL, gprnum, &gprval); ++ status = qat_hal_rd_rel_reg(handle, ae, ctx, ICP_GPB_REL, gprnum, &gprval); ++ if (status) { ++ pr_err("QAT: failed to read register"); ++ return status; ++ } + gpr_addr = qat_hal_get_reg_addr(ICP_GPB_REL, gprnum); + data16low = 0xffff & data; + data16hi = 0xffff & (data >> 0x10); +-- +2.30.2 + diff --git a/queue-4.19/crypto-qat-remove-unused-macro-in-fw-loader.patch b/queue-4.19/crypto-qat-remove-unused-macro-in-fw-loader.patch new file mode 100644 index 00000000000..c387c72d035 --- /dev/null +++ b/queue-4.19/crypto-qat-remove-unused-macro-in-fw-loader.patch @@ -0,0 +1,42 @@ +From 861d32fde6597f870cb66aaa3dac2e561c8a75a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 May 2021 05:13:16 -0400 +Subject: crypto: qat - remove unused macro in FW loader + +From: Jack Xu + +[ Upstream commit 9afe77cf25d9670e61b489fd52cc6f75fd7f6803 ] + +Remove the unused macro ICP_DH895XCC_PESRAM_BAR_SIZE in the firmware +loader. + +This is to fix the following warning when compiling the driver using the +clang compiler with CC=clang W=2: + + drivers/crypto/qat/qat_common/qat_uclo.c:345:9: warning: macro is not used [-Wunused-macros] + +Signed-off-by: Jack Xu +Co-developed-by: Zhehui Xiang +Signed-off-by: Zhehui Xiang +Reviewed-by: Giovanni Cabiddu +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/qat/qat_common/qat_uclo.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/crypto/qat/qat_common/qat_uclo.c b/drivers/crypto/qat/qat_common/qat_uclo.c +index aeb03081415c..9542423bb7ca 100644 +--- a/drivers/crypto/qat/qat_common/qat_uclo.c ++++ b/drivers/crypto/qat/qat_common/qat_uclo.c +@@ -385,7 +385,6 @@ static int qat_uclo_init_umem_seg(struct icp_qat_fw_loader_handle *handle, + return 0; + } + +-#define ICP_DH895XCC_PESRAM_BAR_SIZE 0x80000 + static int qat_uclo_init_ae_memory(struct icp_qat_fw_loader_handle *handle, + struct icp_qat_uof_initmem *init_mem) + { +-- +2.30.2 + diff --git a/queue-4.19/crypto-shash-avoid-comparing-pointers-to-exported-fu.patch b/queue-4.19/crypto-shash-avoid-comparing-pointers-to-exported-fu.patch new file mode 100644 index 00000000000..9a208f2e02a --- /dev/null +++ b/queue-4.19/crypto-shash-avoid-comparing-pointers-to-exported-fu.patch @@ -0,0 +1,88 @@ +From c389af168d585e451c257940dd6f8a208ebce81a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jun 2021 08:21:50 +0200 +Subject: crypto: shash - avoid comparing pointers to exported functions under + CFI + +From: Ard Biesheuvel + +[ Upstream commit 22ca9f4aaf431a9413dcc115dd590123307f274f ] + +crypto_shash_alg_has_setkey() is implemented by testing whether the +.setkey() member of a struct shash_alg points to the default version, +called shash_no_setkey(). As crypto_shash_alg_has_setkey() is a static +inline, this requires shash_no_setkey() to be exported to modules. + +Unfortunately, when building with CFI, function pointers are routed +via CFI stubs which are private to each module (or to the kernel proper) +and so this function pointer comparison may fail spuriously. + +Let's fix this by turning crypto_shash_alg_has_setkey() into an out of +line function. + +Cc: Sami Tolvanen +Cc: Eric Biggers +Signed-off-by: Ard Biesheuvel +Reviewed-by: Eric Biggers +Reviewed-by: Sami Tolvanen +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/shash.c | 18 +++++++++++++++--- + include/crypto/internal/hash.h | 8 +------- + 2 files changed, 16 insertions(+), 10 deletions(-) + +diff --git a/crypto/shash.c b/crypto/shash.c +index a04145e5306a..55e7a2f63b34 100644 +--- a/crypto/shash.c ++++ b/crypto/shash.c +@@ -25,12 +25,24 @@ + + static const struct crypto_type crypto_shash_type; + +-int shash_no_setkey(struct crypto_shash *tfm, const u8 *key, +- unsigned int keylen) ++static int shash_no_setkey(struct crypto_shash *tfm, const u8 *key, ++ unsigned int keylen) + { + return -ENOSYS; + } +-EXPORT_SYMBOL_GPL(shash_no_setkey); ++ ++/* ++ * Check whether an shash algorithm has a setkey function. ++ * ++ * For CFI compatibility, this must not be an inline function. This is because ++ * when CFI is enabled, modules won't get the same address for shash_no_setkey ++ * (if it were exported, which inlining would require) as the core kernel will. ++ */ ++bool crypto_shash_alg_has_setkey(struct shash_alg *alg) ++{ ++ return alg->setkey != shash_no_setkey; ++} ++EXPORT_SYMBOL_GPL(crypto_shash_alg_has_setkey); + + static int shash_setkey_unaligned(struct crypto_shash *tfm, const u8 *key, + unsigned int keylen) +diff --git a/include/crypto/internal/hash.h b/include/crypto/internal/hash.h +index a0b0ad9d585e..64283c22f1ee 100644 +--- a/include/crypto/internal/hash.h ++++ b/include/crypto/internal/hash.h +@@ -82,13 +82,7 @@ int ahash_register_instance(struct crypto_template *tmpl, + struct ahash_instance *inst); + void ahash_free_instance(struct crypto_instance *inst); + +-int shash_no_setkey(struct crypto_shash *tfm, const u8 *key, +- unsigned int keylen); +- +-static inline bool crypto_shash_alg_has_setkey(struct shash_alg *alg) +-{ +- return alg->setkey != shash_no_setkey; +-} ++bool crypto_shash_alg_has_setkey(struct shash_alg *alg); + + bool crypto_hash_alg_has_setkey(struct hash_alg_common *halg); + +-- +2.30.2 + diff --git a/queue-4.19/crypto-ux500-fix-error-return-code-in-hash_hw_final.patch b/queue-4.19/crypto-ux500-fix-error-return-code-in-hash_hw_final.patch new file mode 100644 index 00000000000..92b10c81340 --- /dev/null +++ b/queue-4.19/crypto-ux500-fix-error-return-code-in-hash_hw_final.patch @@ -0,0 +1,37 @@ +From f71427c96a73e8b79fd1a9a32d83602219ae658e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 May 2021 15:00:49 +0800 +Subject: crypto: ux500 - Fix error return code in hash_hw_final() + +From: Zhen Lei + +[ Upstream commit b01360384009ab066940b45f34880991ea7ccbfb ] + +Fix to return a negative error code from the error handling +case instead of 0, as done elsewhere in this function. + +Fixes: 8a63b1994c50 ("crypto: ux500 - Add driver for HASH hardware") +Reported-by: Hulk Robot +Signed-off-by: Zhen Lei +Reviewed-by: Linus Walleij +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/ux500/hash/hash_core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/crypto/ux500/hash/hash_core.c b/drivers/crypto/ux500/hash/hash_core.c +index a0bb8a6eec3f..18ef5b8cc18a 100644 +--- a/drivers/crypto/ux500/hash/hash_core.c ++++ b/drivers/crypto/ux500/hash/hash_core.c +@@ -1007,6 +1007,7 @@ static int hash_hw_final(struct ahash_request *req) + goto out; + } + } else if (req->nbytes == 0 && ctx->keylen > 0) { ++ ret = -EPERM; + dev_err(device_data->dev, "%s: Empty message with keylength > 0, NOT supported\n", + __func__); + goto out; +-- +2.30.2 + diff --git a/queue-4.19/drm-qxl-ensure-surf.data-is-ininitialized.patch b/queue-4.19/drm-qxl-ensure-surf.data-is-ininitialized.patch new file mode 100644 index 00000000000..06833d06666 --- /dev/null +++ b/queue-4.19/drm-qxl-ensure-surf.data-is-ininitialized.patch @@ -0,0 +1,40 @@ +From 45520432a4f9ac4f2bbd0b31ff939be42b38f951 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jun 2021 17:13:13 +0100 +Subject: drm: qxl: ensure surf.data is ininitialized + +From: Colin Ian King + +[ Upstream commit fbbf23ddb2a1cc0c12c9f78237d1561c24006f50 ] + +The object surf is not fully initialized and the uninitialized +field surf.data is being copied by the call to qxl_bo_create +via the call to qxl_gem_object_create. Set surf.data to zero +to ensure garbage data from the stack is not being copied. + +Addresses-Coverity: ("Uninitialized scalar variable") +Fixes: f64122c1f6ad ("drm: add new QXL driver. (v1.4)") +Signed-off-by: Colin Ian King +Link: http://patchwork.freedesktop.org/patch/msgid/20210608161313.161922-1-colin.king@canonical.com +Signed-off-by: Gerd Hoffmann +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/qxl/qxl_dumb.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/qxl/qxl_dumb.c b/drivers/gpu/drm/qxl/qxl_dumb.c +index c666b89eed5d..e89491b5155f 100644 +--- a/drivers/gpu/drm/qxl/qxl_dumb.c ++++ b/drivers/gpu/drm/qxl/qxl_dumb.c +@@ -57,6 +57,8 @@ int qxl_mode_dumb_create(struct drm_file *file_priv, + surf.height = args->height; + surf.stride = pitch; + surf.format = format; ++ surf.data = 0; ++ + r = qxl_gem_object_create_with_handle(qdev, file_priv, + QXL_GEM_DOMAIN_VRAM, + args->size, &surf, &qobj, +-- +2.30.2 + diff --git a/queue-4.19/drm-rockchip-cdn-dp-core-add-missing-clk_disable_unp.patch b/queue-4.19/drm-rockchip-cdn-dp-core-add-missing-clk_disable_unp.patch new file mode 100644 index 00000000000..a21ab792bc7 --- /dev/null +++ b/queue-4.19/drm-rockchip-cdn-dp-core-add-missing-clk_disable_unp.patch @@ -0,0 +1,38 @@ +From 6906746a2a4418968aaff2b7000079eb942b2325 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 May 2021 21:49:28 +0800 +Subject: drm/rockchip: cdn-dp-core: add missing clk_disable_unprepare() on + error in cdn_dp_grf_write() + +From: Yang Yingliang + +[ Upstream commit ae41d925c75b53798f289c69ee8d9f7d36432f6d ] + +After calling clk_prepare_enable(), clk_disable_unprepare() need +be called when calling regmap_write() failed. + +Fixes: 1a0f7ed3abe2 ("drm/rockchip: cdn-dp: add cdn DP support for rk3399") +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/20210519134928.2696617-1-yangyingliang@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/rockchip/cdn-dp-core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/rockchip/cdn-dp-core.c b/drivers/gpu/drm/rockchip/cdn-dp-core.c +index 8ad0d773dc33..3feab563e50a 100644 +--- a/drivers/gpu/drm/rockchip/cdn-dp-core.c ++++ b/drivers/gpu/drm/rockchip/cdn-dp-core.c +@@ -81,6 +81,7 @@ static int cdn_dp_grf_write(struct cdn_dp_device *dp, + ret = regmap_write(dp->grf, reg, val); + if (ret) { + DRM_DEV_ERROR(dp->dev, "Could not write to GRF: %d\n", ret); ++ clk_disable_unprepare(dp->grf_clk); + return ret; + } + +-- +2.30.2 + diff --git a/queue-4.19/edac-ti-add-missing-module_device_table.patch b/queue-4.19/edac-ti-add-missing-module_device_table.patch new file mode 100644 index 00000000000..95b40b213ff --- /dev/null +++ b/queue-4.19/edac-ti-add-missing-module_device_table.patch @@ -0,0 +1,39 @@ +From 3887b5b592635d30a8ca1c28de2c760bf44d4d74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 May 2021 11:37:27 +0800 +Subject: EDAC/ti: Add missing MODULE_DEVICE_TABLE + +From: Bixuan Cui + +[ Upstream commit 0a37f32ba5272b2d4ec8c8d0f6b212b81b578f7e ] + +The module misses MODULE_DEVICE_TABLE() for of_device_id tables and thus +never autoloads on ID matches. + +Add the missing declaration. + +Reported-by: Hulk Robot +Signed-off-by: Bixuan Cui +Signed-off-by: Borislav Petkov +Cc: Tero Kristo +Link: https://lkml.kernel.org/r/20210512033727.26701-1-cuibixuan@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/edac/ti_edac.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/edac/ti_edac.c b/drivers/edac/ti_edac.c +index 324768946743..9ab9fa0a911b 100644 +--- a/drivers/edac/ti_edac.c ++++ b/drivers/edac/ti_edac.c +@@ -197,6 +197,7 @@ static const struct of_device_id ti_edac_of_match[] = { + { .compatible = "ti,emif-dra7xx", .data = (void *)EMIF_TYPE_DRA7 }, + {}, + }; ++MODULE_DEVICE_TABLE(of, ti_edac_of_match); + + static int _emif_get_id(struct device_node *node) + { +-- +2.30.2 + diff --git a/queue-4.19/eeprom-idt_89hpesx-put-fwnode-in-matching-case-durin.patch b/queue-4.19/eeprom-idt_89hpesx-put-fwnode-in-matching-case-durin.patch new file mode 100644 index 00000000000..f2d5c5b5760 --- /dev/null +++ b/queue-4.19/eeprom-idt_89hpesx-put-fwnode-in-matching-case-durin.patch @@ -0,0 +1,37 @@ +From fc4ed5c94f02e04ee15deb8764a3a7c0796c3718 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jun 2021 01:17:55 +0300 +Subject: eeprom: idt_89hpesx: Put fwnode in matching case during ->probe() + +From: Andy Shevchenko + +[ Upstream commit 3f6ee1c095156a74ab2df605af13020f1ce3e600 ] + +device_get_next_child_node() bumps a reference counting of a returned variable. +We have to balance it whenever we return to the caller. + +Fixes: db15d73e5f0e ("eeprom: idt_89hpesx: Support both ACPI and OF probing") +Cc: Huy Duong +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20210607221757.81465-1-andy.shevchenko@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/eeprom/idt_89hpesx.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/misc/eeprom/idt_89hpesx.c b/drivers/misc/eeprom/idt_89hpesx.c +index 8a4659518c33..b93b83fc3e3e 100644 +--- a/drivers/misc/eeprom/idt_89hpesx.c ++++ b/drivers/misc/eeprom/idt_89hpesx.c +@@ -1163,6 +1163,7 @@ static void idt_get_fw_data(struct idt_89hpesx_dev *pdev) + else /* if (!fwnode_property_read_bool(node, "read-only")) */ + pdev->eero = false; + ++ fwnode_handle_put(fwnode); + dev_info(dev, "EEPROM of %d bytes found by 0x%x", + pdev->eesize, pdev->eeaddr); + } +-- +2.30.2 + diff --git a/queue-4.19/eeprom-idt_89hpesx-restore-printing-the-unsupported-.patch b/queue-4.19/eeprom-idt_89hpesx-restore-printing-the-unsupported-.patch new file mode 100644 index 00000000000..de008b82db2 --- /dev/null +++ b/queue-4.19/eeprom-idt_89hpesx-restore-printing-the-unsupported-.patch @@ -0,0 +1,46 @@ +From 450a1c8359cf81cb54fc160f08675b7eecbf5c63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jun 2021 01:17:56 +0300 +Subject: eeprom: idt_89hpesx: Restore printing the unsupported fwnode name + +From: Andy Shevchenko + +[ Upstream commit e0db3deea73ba418bf5dc21f5a4e32ca87d16dde ] + +When iterating over child firmware nodes restore printing the name of ones +that are not supported. + +While at it, refactor loop body to clearly show that we stop at the first match. + +Fixes: db15d73e5f0e ("eeprom: idt_89hpesx: Support both ACPI and OF probing") +Cc: Huy Duong +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20210607221757.81465-2-andy.shevchenko@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/eeprom/idt_89hpesx.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/misc/eeprom/idt_89hpesx.c b/drivers/misc/eeprom/idt_89hpesx.c +index b93b83fc3e3e..5879ba82c718 100644 +--- a/drivers/misc/eeprom/idt_89hpesx.c ++++ b/drivers/misc/eeprom/idt_89hpesx.c +@@ -1128,11 +1128,10 @@ static void idt_get_fw_data(struct idt_89hpesx_dev *pdev) + + device_for_each_child_node(dev, fwnode) { + ee_id = idt_ee_match_id(fwnode); +- if (!ee_id) { +- dev_warn(dev, "Skip unsupported EEPROM device"); +- continue; +- } else ++ if (ee_id) + break; ++ ++ dev_warn(dev, "Skip unsupported EEPROM device %pfw\n", fwnode); + } + + /* If there is no fwnode EEPROM device, then set zero size */ +-- +2.30.2 + diff --git a/queue-4.19/ehea-fix-error-return-code-in-ehea_restart_qps.patch b/queue-4.19/ehea-fix-error-return-code-in-ehea_restart_qps.patch new file mode 100644 index 00000000000..e7d7673e7c4 --- /dev/null +++ b/queue-4.19/ehea-fix-error-return-code-in-ehea_restart_qps.patch @@ -0,0 +1,69 @@ +From d39136dc9806a3f9c84676b857888bd326bb7a51 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 May 2021 16:55:55 +0800 +Subject: ehea: fix error return code in ehea_restart_qps() + +From: Zhen Lei + +[ Upstream commit 015dbf5662fd689d581c0bc980711b073ca09a1a ] + +Fix to return -EFAULT from the error handling case instead of 0, as done +elsewhere in this function. + +By the way, when get_zeroed_page() fails, directly return -ENOMEM to +simplify code. + +Fixes: 2c69448bbced ("ehea: DLPAR memory add fix") +Reported-by: Hulk Robot +Signed-off-by: Zhen Lei +Link: https://lore.kernel.org/r/20210528085555.9390-1-thunder.leizhen@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ibm/ehea/ehea_main.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/ibm/ehea/ehea_main.c b/drivers/net/ethernet/ibm/ehea/ehea_main.c +index 0f799e8e093c..5a1fe49030b1 100644 +--- a/drivers/net/ethernet/ibm/ehea/ehea_main.c ++++ b/drivers/net/ethernet/ibm/ehea/ehea_main.c +@@ -2636,10 +2636,8 @@ static int ehea_restart_qps(struct net_device *dev) + u16 dummy16 = 0; + + cb0 = (void *)get_zeroed_page(GFP_KERNEL); +- if (!cb0) { +- ret = -ENOMEM; +- goto out; +- } ++ if (!cb0) ++ return -ENOMEM; + + for (i = 0; i < (port->num_def_qps); i++) { + struct ehea_port_res *pr = &port->port_res[i]; +@@ -2659,6 +2657,7 @@ static int ehea_restart_qps(struct net_device *dev) + cb0); + if (hret != H_SUCCESS) { + netdev_err(dev, "query_ehea_qp failed (1)\n"); ++ ret = -EFAULT; + goto out; + } + +@@ -2671,6 +2670,7 @@ static int ehea_restart_qps(struct net_device *dev) + &dummy64, &dummy16, &dummy16); + if (hret != H_SUCCESS) { + netdev_err(dev, "modify_ehea_qp failed (1)\n"); ++ ret = -EFAULT; + goto out; + } + +@@ -2679,6 +2679,7 @@ static int ehea_restart_qps(struct net_device *dev) + cb0); + if (hret != H_SUCCESS) { + netdev_err(dev, "query_ehea_qp failed (2)\n"); ++ ret = -EFAULT; + goto out; + } + +-- +2.30.2 + diff --git a/queue-4.19/evm-fix-writing-securityfs-evm-overflow.patch b/queue-4.19/evm-fix-writing-securityfs-evm-overflow.patch new file mode 100644 index 00000000000..ff260e4088b --- /dev/null +++ b/queue-4.19/evm-fix-writing-securityfs-evm-overflow.patch @@ -0,0 +1,44 @@ +From 2ec3997a04a6ff512834ef4071bb1377dea6daa3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Apr 2021 18:13:45 -0400 +Subject: evm: fix writing /evm overflow + +From: Mimi Zohar + +[ Upstream commit 49219d9b8785ba712575c40e48ce0f7461254626 ] + +EVM_SETUP_COMPLETE is defined as 0x80000000, which is larger than INT_MAX. +The "-fno-strict-overflow" compiler option properly prevents signaling +EVM that the EVM policy setup is complete. Define and read an unsigned +int. + +Fixes: f00d79750712 ("EVM: Allow userspace to signal an RSA key has been loaded") +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +--- + security/integrity/evm/evm_secfs.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/security/integrity/evm/evm_secfs.c b/security/integrity/evm/evm_secfs.c +index 7024b14831e3..c5c44203a59c 100644 +--- a/security/integrity/evm/evm_secfs.c ++++ b/security/integrity/evm/evm_secfs.c +@@ -71,12 +71,13 @@ static ssize_t evm_read_key(struct file *filp, char __user *buf, + static ssize_t evm_write_key(struct file *file, const char __user *buf, + size_t count, loff_t *ppos) + { +- int i, ret; ++ unsigned int i; ++ int ret; + + if (!capable(CAP_SYS_ADMIN) || (evm_initialized & EVM_SETUP_COMPLETE)) + return -EPERM; + +- ret = kstrtoint_from_user(buf, count, 0, &i); ++ ret = kstrtouint_from_user(buf, count, 0, &i); + + if (ret) + return ret; +-- +2.30.2 + diff --git a/queue-4.19/extcon-max8997-add-missing-modalias-string.patch b/queue-4.19/extcon-max8997-add-missing-modalias-string.patch new file mode 100644 index 00000000000..5631a328da2 --- /dev/null +++ b/queue-4.19/extcon-max8997-add-missing-modalias-string.patch @@ -0,0 +1,33 @@ +From 135d91b72836925cbe726f69dbae90601127750d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Apr 2021 22:46:24 +0200 +Subject: extcon: max8997: Add missing modalias string + +From: Marek Szyprowski + +[ Upstream commit dc11fc2991e9efbceef93912b83e333d2835fb19 ] + +The platform device driver name is "max8997-muic", so advertise it +properly in the modalias string. This fixes automated module loading when +this driver is compiled as a module. + +Fixes: b76668ba8a77 ("Extcon: add MAX8997 extcon driver") +Signed-off-by: Marek Szyprowski +Signed-off-by: Chanwoo Choi +Signed-off-by: Sasha Levin +--- + drivers/extcon/extcon-max8997.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/extcon/extcon-max8997.c b/drivers/extcon/extcon-max8997.c +index 7a767b66dd86..98285eb8dd79 100644 +--- a/drivers/extcon/extcon-max8997.c ++++ b/drivers/extcon/extcon-max8997.c +@@ -783,3 +783,4 @@ module_platform_driver(max8997_muic_driver); + MODULE_DESCRIPTION("Maxim MAX8997 Extcon driver"); + MODULE_AUTHOR("Donggeun Kim "); + MODULE_LICENSE("GPL"); ++MODULE_ALIAS("platform:max8997-muic"); +-- +2.30.2 + diff --git a/queue-4.19/extcon-sm5502-drop-invalid-register-write-in-sm5502_.patch b/queue-4.19/extcon-sm5502-drop-invalid-register-write-in-sm5502_.patch new file mode 100644 index 00000000000..56be3991e30 --- /dev/null +++ b/queue-4.19/extcon-sm5502-drop-invalid-register-write-in-sm5502_.patch @@ -0,0 +1,40 @@ +From 1e6fcc719230db18150b76cec6e03f994643ac74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 May 2021 15:34:35 +0200 +Subject: extcon: sm5502: Drop invalid register write in sm5502_reg_data + +From: Stephan Gerhold + +[ Upstream commit d25b224f8e5507879b36a769a6d1324cf163466c ] + +When sm5502_init_dev_type() iterates over sm5502_reg_data to +initialize the registers it is limited by ARRAY_SIZE(sm5502_reg_data). +There is no need to add another empty element to sm5502_reg_data. + +Having the additional empty element in sm5502_reg_data will just +result in writing 0xff to register 0x00, which does not really +make sense. + +Fixes: 914b881f9452 ("extcon: sm5502: Add support new SM5502 extcon device driver") +Signed-off-by: Stephan Gerhold +Signed-off-by: Chanwoo Choi +Signed-off-by: Sasha Levin +--- + drivers/extcon/extcon-sm5502.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/extcon/extcon-sm5502.c b/drivers/extcon/extcon-sm5502.c +index 2efcd94f74fc..59ec4c3e7c4d 100644 +--- a/drivers/extcon/extcon-sm5502.c ++++ b/drivers/extcon/extcon-sm5502.c +@@ -92,7 +92,6 @@ static struct reg_data sm5502_reg_data[] = { + | SM5502_REG_INTM2_MHL_MASK, + .invert = true, + }, +- { } + }; + + /* List of detectable cables */ +-- +2.30.2 + diff --git a/queue-4.19/fs-dlm-cancel-work-sync-othercon.patch b/queue-4.19/fs-dlm-cancel-work-sync-othercon.patch new file mode 100644 index 00000000000..44eec1bb536 --- /dev/null +++ b/queue-4.19/fs-dlm-cancel-work-sync-othercon.patch @@ -0,0 +1,38 @@ +From 17f1dad19182334fc30e14fd6ad7a0fdbd4f8e7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 May 2021 15:08:38 -0400 +Subject: fs: dlm: cancel work sync othercon + +From: Alexander Aring + +[ Upstream commit c6aa00e3d20c2767ba3f57b64eb862572b9744b3 ] + +These rx tx flags arguments are for signaling close_connection() from +which worker they are called. Obviously the receive worker cannot cancel +itself and vice versa for swork. For the othercon the receive worker +should only be used, however to avoid deadlocks we should pass the same +flags as the original close_connection() was called. + +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +Signed-off-by: Sasha Levin +--- + fs/dlm/lowcomms.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/dlm/lowcomms.c b/fs/dlm/lowcomms.c +index a93ebffe84b3..f476a90e8aae 100644 +--- a/fs/dlm/lowcomms.c ++++ b/fs/dlm/lowcomms.c +@@ -609,7 +609,7 @@ static void close_connection(struct connection *con, bool and_other, + } + if (con->othercon && and_other) { + /* Will only re-enter once. */ +- close_connection(con->othercon, false, true, true); ++ close_connection(con->othercon, false, tx, rx); + } + if (con->rx_page) { + __free_page(con->rx_page); +-- +2.30.2 + diff --git a/queue-4.19/fs-dlm-fix-memory-leak-when-fenced.patch b/queue-4.19/fs-dlm-fix-memory-leak-when-fenced.patch new file mode 100644 index 00000000000..40d16f33790 --- /dev/null +++ b/queue-4.19/fs-dlm-fix-memory-leak-when-fenced.patch @@ -0,0 +1,85 @@ +From 879a46e565954511de17ba7934ccd3c5f4dc0c48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jun 2021 09:45:16 -0400 +Subject: fs: dlm: fix memory leak when fenced + +From: Alexander Aring + +[ Upstream commit 700ab1c363c7b54c9ea3222379b33fc00ab02f7b ] + +I got some kmemleak report when a node was fenced. The user space tool +dlm_controld will therefore run some rmdir() in dlm configfs which was +triggering some memleaks. This patch stores the sps and cms attributes +which stores some handling for subdirectories of the configfs cluster +entry and free them if they get released as the parent directory gets +freed. + +unreferenced object 0xffff88810d9e3e00 (size 192): + comm "dlm_controld", pid 342, jiffies 4294698126 (age 55438.801s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 73 70 61 63 65 73 00 00 ........spaces.. + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<00000000db8b640b>] make_cluster+0x5d/0x360 + [<000000006a571db4>] configfs_mkdir+0x274/0x730 + [<00000000b094501c>] vfs_mkdir+0x27e/0x340 + [<0000000058b0adaf>] do_mkdirat+0xff/0x1b0 + [<00000000d1ffd156>] do_syscall_64+0x40/0x80 + [<00000000ab1408c8>] entry_SYSCALL_64_after_hwframe+0x44/0xae +unreferenced object 0xffff88810d9e3a00 (size 192): + comm "dlm_controld", pid 342, jiffies 4294698126 (age 55438.801s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 63 6f 6d 6d 73 00 00 00 ........comms... + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<00000000a7ef6ad2>] make_cluster+0x82/0x360 + [<000000006a571db4>] configfs_mkdir+0x274/0x730 + [<00000000b094501c>] vfs_mkdir+0x27e/0x340 + [<0000000058b0adaf>] do_mkdirat+0xff/0x1b0 + [<00000000d1ffd156>] do_syscall_64+0x40/0x80 + [<00000000ab1408c8>] entry_SYSCALL_64_after_hwframe+0x44/0xae + +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +Signed-off-by: Sasha Levin +--- + fs/dlm/config.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/fs/dlm/config.c b/fs/dlm/config.c +index f13d86524450..42b53e2a4e96 100644 +--- a/fs/dlm/config.c ++++ b/fs/dlm/config.c +@@ -80,6 +80,9 @@ struct dlm_cluster { + unsigned int cl_new_rsb_count; + unsigned int cl_recover_callbacks; + char cl_cluster_name[DLM_LOCKSPACE_LEN]; ++ ++ struct dlm_spaces *sps; ++ struct dlm_comms *cms; + }; + + static struct dlm_cluster *config_item_to_cluster(struct config_item *i) +@@ -356,6 +359,9 @@ static struct config_group *make_cluster(struct config_group *g, + if (!cl || !sps || !cms) + goto fail; + ++ cl->sps = sps; ++ cl->cms = cms; ++ + config_group_init_type_name(&cl->group, name, &cluster_type); + config_group_init_type_name(&sps->ss_group, "spaces", &spaces_type); + config_group_init_type_name(&cms->cs_group, "comms", &comms_type); +@@ -405,6 +411,9 @@ static void drop_cluster(struct config_group *g, struct config_item *i) + static void release_cluster(struct config_item *i) + { + struct dlm_cluster *cl = config_item_to_cluster(i); ++ ++ kfree(cl->sps); ++ kfree(cl->cms); + kfree(cl); + } + +-- +2.30.2 + diff --git a/queue-4.19/fsi-core-fix-return-of-error-values-on-failures.patch b/queue-4.19/fsi-core-fix-return-of-error-values-on-failures.patch new file mode 100644 index 00000000000..8f305401ba2 --- /dev/null +++ b/queue-4.19/fsi-core-fix-return-of-error-values-on-failures.patch @@ -0,0 +1,50 @@ +From 39f8fb31c294c4a0ba60f640abe915d4a201ec3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jun 2021 13:28:12 +0100 +Subject: fsi: core: Fix return of error values on failures + +From: Colin Ian King + +[ Upstream commit 910810945707fe9877ca86a0dca4e585fd05e37b ] + +Currently the cfam_read and cfam_write functions return the provided +number of bytes given in the count parameter and not the error return +code in variable rc, hence all failures of read/writes are being +silently ignored. Fix this by returning the error code in rc. + +Addresses-Coverity: ("Unused value") +Fixes: d1dcd6782576 ("fsi: Add cfam char devices") +Signed-off-by: Colin Ian King +Reviewed-by: Jeremy Kerr +Link: https://lore.kernel.org/r/20210603122812.83587-1-colin.king@canonical.com +Signed-off-by: Joel Stanley +Signed-off-by: Sasha Levin +--- + drivers/fsi/fsi-core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/fsi/fsi-core.c b/drivers/fsi/fsi-core.c +index bd62236d3f97..5b4ca6142270 100644 +--- a/drivers/fsi/fsi-core.c ++++ b/drivers/fsi/fsi-core.c +@@ -726,7 +726,7 @@ static ssize_t cfam_read(struct file *filep, char __user *buf, size_t count, + rc = count; + fail: + *offset = off; +- return count; ++ return rc; + } + + static ssize_t cfam_write(struct file *filep, const char __user *buf, +@@ -763,7 +763,7 @@ static ssize_t cfam_write(struct file *filep, const char __user *buf, + rc = count; + fail: + *offset = off; +- return count; ++ return rc; + } + + static loff_t cfam_llseek(struct file *file, loff_t offset, int whence) +-- +2.30.2 + diff --git a/queue-4.19/fsi-sbefifo-clean-up-correct-fifo-when-receiving-res.patch b/queue-4.19/fsi-sbefifo-clean-up-correct-fifo-when-receiving-res.patch new file mode 100644 index 00000000000..7ed99d6b934 --- /dev/null +++ b/queue-4.19/fsi-sbefifo-clean-up-correct-fifo-when-receiving-res.patch @@ -0,0 +1,39 @@ +From a85bf83e946abe154655ca8b58dfc5f0cc7aca17 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jul 2020 16:45:17 +0930 +Subject: fsi/sbefifo: Clean up correct FIFO when receiving reset request from + SBE + +From: Joachim Fenkes + +[ Upstream commit 95152433e46fdb36652ebdbea442356a16ae1fa6 ] + +When the SBE requests a reset via the down FIFO, that is also the +FIFO we should go and reset ;) + +Fixes: 9f4a8a2d7f9d ("fsi/sbefifo: Add driver for the SBE FIFO") +Signed-off-by: Joachim Fenkes +Signed-off-by: Joel Stanley +Link: https://lore.kernel.org/r/20200724071518.430515-2-joel@jms.id.au +Signed-off-by: Joel Stanley +Signed-off-by: Sasha Levin +--- + drivers/fsi/fsi-sbefifo.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/fsi/fsi-sbefifo.c b/drivers/fsi/fsi-sbefifo.c +index 9fa3959e0855..b43c2d424d00 100644 +--- a/drivers/fsi/fsi-sbefifo.c ++++ b/drivers/fsi/fsi-sbefifo.c +@@ -400,7 +400,7 @@ static int sbefifo_cleanup_hw(struct sbefifo *sbefifo) + /* The FIFO already contains a reset request from the SBE ? */ + if (down_status & SBEFIFO_STS_RESET_REQ) { + dev_info(dev, "Cleanup: FIFO reset request set, resetting\n"); +- rc = sbefifo_regw(sbefifo, SBEFIFO_UP, SBEFIFO_PERFORM_RESET); ++ rc = sbefifo_regw(sbefifo, SBEFIFO_DOWN, SBEFIFO_PERFORM_RESET); + if (rc) { + sbefifo->broken = true; + dev_err(dev, "Cleanup: Reset reg write failed, rc=%d\n", rc); +-- +2.30.2 + diff --git a/queue-4.19/fsi-sbefifo-fix-reset-timeout.patch b/queue-4.19/fsi-sbefifo-fix-reset-timeout.patch new file mode 100644 index 00000000000..d02f6b84623 --- /dev/null +++ b/queue-4.19/fsi-sbefifo-fix-reset-timeout.patch @@ -0,0 +1,60 @@ +From 1c5066a9ba5d50d6aecd87d947f16682877ac705 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jul 2020 16:45:18 +0930 +Subject: fsi/sbefifo: Fix reset timeout + +From: Joachim Fenkes + +[ Upstream commit 9ab1428dfe2c66b51e0b41337cd0164da0ab6080 ] + +On BMCs with lower timer resolution than 1ms, msleep(1) will take +way longer than 1ms, so looping 10k times won't wait for 10s but +significantly longer. + +Fix this by using jiffies like the rest of the code. + +Fixes: 9f4a8a2d7f9d ("fsi/sbefifo: Add driver for the SBE FIFO") +Signed-off-by: Joachim Fenkes +Link: https://lore.kernel.org/r/20200724071518.430515-3-joel@jms.id.au +Signed-off-by: Joel Stanley +Signed-off-by: Sasha Levin +--- + drivers/fsi/fsi-sbefifo.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/fsi/fsi-sbefifo.c b/drivers/fsi/fsi-sbefifo.c +index b43c2d424d00..ace42cd2915e 100644 +--- a/drivers/fsi/fsi-sbefifo.c ++++ b/drivers/fsi/fsi-sbefifo.c +@@ -325,7 +325,8 @@ static int sbefifo_up_write(struct sbefifo *sbefifo, __be32 word) + static int sbefifo_request_reset(struct sbefifo *sbefifo) + { + struct device *dev = &sbefifo->fsi_dev->dev; +- u32 status, timeout; ++ unsigned long end_time; ++ u32 status; + int rc; + + dev_dbg(dev, "Requesting FIFO reset\n"); +@@ -341,7 +342,8 @@ static int sbefifo_request_reset(struct sbefifo *sbefifo) + } + + /* Wait for it to complete */ +- for (timeout = 0; timeout < SBEFIFO_RESET_TIMEOUT; timeout++) { ++ end_time = jiffies + msecs_to_jiffies(SBEFIFO_RESET_TIMEOUT); ++ while (!time_after(jiffies, end_time)) { + rc = sbefifo_regr(sbefifo, SBEFIFO_UP | SBEFIFO_STS, &status); + if (rc) { + dev_err(dev, "Failed to read UP fifo status during reset" +@@ -355,7 +357,7 @@ static int sbefifo_request_reset(struct sbefifo *sbefifo) + return 0; + } + +- msleep(1); ++ cond_resched(); + } + dev_err(dev, "FIFO reset timed out\n"); + +-- +2.30.2 + diff --git a/queue-4.19/fsi-scom-reset-the-fsi2pib-engine-for-any-error.patch b/queue-4.19/fsi-scom-reset-the-fsi2pib-engine-for-any-error.patch new file mode 100644 index 00000000000..3821de73b65 --- /dev/null +++ b/queue-4.19/fsi-scom-reset-the-fsi2pib-engine-for-any-error.patch @@ -0,0 +1,63 @@ +From 792d4814134bf43e6df993017f9f0d7501dc5938 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Mar 2021 10:13:44 -0500 +Subject: fsi: scom: Reset the FSI2PIB engine for any error + +From: Eddie James + +[ Upstream commit a5c317dac5567206ca7b6bc9d008dd6890c8bced ] + +The error bits in the FSI2PIB status are only cleared by a reset. So +the driver needs to perform a reset after seeing any of the FSI2PIB +errors, otherwise subsequent operations will also look like failures. + +Fixes: 6b293258cded ("fsi: scom: Major overhaul") +Signed-off-by: Eddie James +Reviewed-by: Joel Stanley +Link: https://lore.kernel.org/r/20210329151344.14246-1-eajames@linux.ibm.com +Signed-off-by: Joel Stanley +Signed-off-by: Sasha Levin +--- + drivers/fsi/fsi-scom.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/drivers/fsi/fsi-scom.c b/drivers/fsi/fsi-scom.c +index fdc0e458dbaa..6a48b3144410 100644 +--- a/drivers/fsi/fsi-scom.c ++++ b/drivers/fsi/fsi-scom.c +@@ -47,9 +47,10 @@ + #define SCOM_STATUS_PIB_RESP_MASK 0x00007000 + #define SCOM_STATUS_PIB_RESP_SHIFT 12 + +-#define SCOM_STATUS_ANY_ERR (SCOM_STATUS_PROTECTION | \ +- SCOM_STATUS_PARITY | \ +- SCOM_STATUS_PIB_ABORT | \ ++#define SCOM_STATUS_FSI2PIB_ERROR (SCOM_STATUS_PROTECTION | \ ++ SCOM_STATUS_PARITY | \ ++ SCOM_STATUS_PIB_ABORT) ++#define SCOM_STATUS_ANY_ERR (SCOM_STATUS_FSI2PIB_ERROR | \ + SCOM_STATUS_PIB_RESP_MASK) + /* SCOM address encodings */ + #define XSCOM_ADDR_IND_FLAG BIT_ULL(63) +@@ -249,13 +250,14 @@ static int handle_fsi2pib_status(struct scom_device *scom, uint32_t status) + { + uint32_t dummy = -1; + +- if (status & SCOM_STATUS_PROTECTION) +- return -EPERM; +- if (status & SCOM_STATUS_PARITY) { ++ if (status & SCOM_STATUS_FSI2PIB_ERROR) + fsi_device_write(scom->fsi_dev, SCOM_FSI2PIB_RESET_REG, &dummy, + sizeof(uint32_t)); ++ ++ if (status & SCOM_STATUS_PROTECTION) ++ return -EPERM; ++ if (status & SCOM_STATUS_PARITY) + return -EIO; +- } + /* Return -EBUSY on PIB abort to force a retry */ + if (status & SCOM_STATUS_PIB_ABORT) + return -EBUSY; +-- +2.30.2 + diff --git a/queue-4.19/hid-do-not-use-down_interruptible-when-unbinding-dev.patch b/queue-4.19/hid-do-not-use-down_interruptible-when-unbinding-dev.patch new file mode 100644 index 00000000000..3e5ac78d73f --- /dev/null +++ b/queue-4.19/hid-do-not-use-down_interruptible-when-unbinding-dev.patch @@ -0,0 +1,53 @@ +From d410c9d314be4cc04f8cd659002f5a68bfdf8515 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Mar 2021 17:27:16 -0700 +Subject: HID: do not use down_interruptible() when unbinding devices + +From: Dmitry Torokhov + +[ Upstream commit f2145f8dc566c4f3b5a8deb58dcd12bed4e20194 ] + +Action of unbinding driver from a device is not cancellable and should not +fail, and driver core does not pay attention to the result of "remove" +method, therefore using down_interruptible() in hid_device_remove() does +not make sense. + +Signed-off-by: Dmitry Torokhov +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-core.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index acbbc21e6233..4549fbb74156 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -2124,12 +2124,8 @@ static int hid_device_remove(struct device *dev) + { + struct hid_device *hdev = to_hid_device(dev); + struct hid_driver *hdrv; +- int ret = 0; + +- if (down_interruptible(&hdev->driver_input_lock)) { +- ret = -EINTR; +- goto end; +- } ++ down(&hdev->driver_input_lock); + hdev->io_started = false; + + hdrv = hdev->driver; +@@ -2144,8 +2140,8 @@ static int hid_device_remove(struct device *dev) + + if (!hdev->io_started) + up(&hdev->driver_input_lock); +-end: +- return ret; ++ ++ return 0; + } + + static ssize_t modalias_show(struct device *dev, struct device_attribute *a, +-- +2.30.2 + diff --git a/queue-4.19/hid-wacom-correct-base-usage-for-capacitive-expressk.patch b/queue-4.19/hid-wacom-correct-base-usage-for-capacitive-expressk.patch new file mode 100644 index 00000000000..28cb681922a --- /dev/null +++ b/queue-4.19/hid-wacom-correct-base-usage-for-capacitive-expressk.patch @@ -0,0 +1,35 @@ +From a13bd143506ba003da4361e9c5002912b421ef25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Jun 2021 09:58:09 -0700 +Subject: HID: wacom: Correct base usage for capacitive ExpressKey status bits + +From: Jason Gerecke + +[ Upstream commit 424d8237945c6c448c8b3f23885d464fb5685c97 ] + +The capacitive status of ExpressKeys is reported with usages beginning +at 0x940, not 0x950. Bring our driver into alignment with reality. + +Signed-off-by: Jason Gerecke +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/wacom_wac.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hid/wacom_wac.h b/drivers/hid/wacom_wac.h +index 46da97162ef4..0abed1e5b526 100644 +--- a/drivers/hid/wacom_wac.h ++++ b/drivers/hid/wacom_wac.h +@@ -126,7 +126,7 @@ + #define WACOM_HID_WD_TOUCHONOFF (WACOM_HID_UP_WACOMDIGITIZER | 0x0454) + #define WACOM_HID_WD_BATTERY_LEVEL (WACOM_HID_UP_WACOMDIGITIZER | 0x043b) + #define WACOM_HID_WD_EXPRESSKEY00 (WACOM_HID_UP_WACOMDIGITIZER | 0x0910) +-#define WACOM_HID_WD_EXPRESSKEYCAP00 (WACOM_HID_UP_WACOMDIGITIZER | 0x0950) ++#define WACOM_HID_WD_EXPRESSKEYCAP00 (WACOM_HID_UP_WACOMDIGITIZER | 0x0940) + #define WACOM_HID_WD_MODE_CHANGE (WACOM_HID_UP_WACOMDIGITIZER | 0x0980) + #define WACOM_HID_WD_MUTE_DEVICE (WACOM_HID_UP_WACOMDIGITIZER | 0x0981) + #define WACOM_HID_WD_CONTROLPANEL (WACOM_HID_UP_WACOMDIGITIZER | 0x0982) +-- +2.30.2 + diff --git a/queue-4.19/hv_utils-fix-passing-zero-to-ptr_err-warning.patch b/queue-4.19/hv_utils-fix-passing-zero-to-ptr_err-warning.patch new file mode 100644 index 00000000000..3080658a34e --- /dev/null +++ b/queue-4.19/hv_utils-fix-passing-zero-to-ptr_err-warning.patch @@ -0,0 +1,43 @@ +From 7e88e17b0421544164fa4275563e9a5a0d55f7fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 May 2021 15:01:16 +0800 +Subject: hv_utils: Fix passing zero to 'PTR_ERR' warning + +From: YueHaibing + +[ Upstream commit c6a8625fa4c6b0a97860d053271660ccedc3d1b3 ] + +Sparse warn this: + +drivers/hv/hv_util.c:753 hv_timesync_init() warn: + passing zero to 'PTR_ERR' + +Use PTR_ERR_OR_ZERO instead of PTR_ERR to fix this. + +Signed-off-by: YueHaibing +Link: https://lore.kernel.org/r/20210514070116.16800-1-yuehaibing@huawei.com +[ wei: change %ld to %d ] +Signed-off-by: Wei Liu +Signed-off-by: Sasha Levin +--- + drivers/hv/hv_util.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hv/hv_util.c b/drivers/hv/hv_util.c +index 423205077bf6..2003314dcfbe 100644 +--- a/drivers/hv/hv_util.c ++++ b/drivers/hv/hv_util.c +@@ -548,8 +548,8 @@ static int hv_timesync_init(struct hv_util_service *srv) + */ + hv_ptp_clock = ptp_clock_register(&ptp_hyperv_info, NULL); + if (IS_ERR_OR_NULL(hv_ptp_clock)) { +- pr_err("cannot register PTP clock: %ld\n", +- PTR_ERR(hv_ptp_clock)); ++ pr_err("cannot register PTP clock: %d\n", ++ PTR_ERR_OR_ZERO(hv_ptp_clock)); + hv_ptp_clock = NULL; + } + +-- +2.30.2 + diff --git a/queue-4.19/hwmon-max31722-remove-non-standard-acpi-device-ids.patch b/queue-4.19/hwmon-max31722-remove-non-standard-acpi-device-ids.patch new file mode 100644 index 00000000000..dec775145d2 --- /dev/null +++ b/queue-4.19/hwmon-max31722-remove-non-standard-acpi-device-ids.patch @@ -0,0 +1,58 @@ +From 992067c8ac2b51fe89ad0ceeb67885adc7ddea82 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 May 2021 09:50:25 -0700 +Subject: hwmon: (max31722) Remove non-standard ACPI device IDs + +From: Guenter Roeck + +[ Upstream commit 97387c2f06bcfd79d04a848d35517b32ee6dca7c ] + +Valid Maxim Integrated ACPI device IDs would start with MXIM, +not with MAX1. On top of that, ACPI device IDs reflecting chip names +are almost always invalid. + +Remove the invalid ACPI IDs. + +Fixes: 04e1e70afec6 ("hwmon: (max31722) Add support for MAX31722/MAX31723 temperature sensors") +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/max31722.c | 9 --------- + 1 file changed, 9 deletions(-) + +diff --git a/drivers/hwmon/max31722.c b/drivers/hwmon/max31722.c +index 30a100e70a0d..877c3d7dca01 100644 +--- a/drivers/hwmon/max31722.c ++++ b/drivers/hwmon/max31722.c +@@ -9,7 +9,6 @@ + * directory of this archive for more details. + */ + +-#include + #include + #include + #include +@@ -138,20 +137,12 @@ static const struct spi_device_id max31722_spi_id[] = { + {"max31723", 0}, + {} + }; +- +-static const struct acpi_device_id __maybe_unused max31722_acpi_id[] = { +- {"MAX31722", 0}, +- {"MAX31723", 0}, +- {} +-}; +- + MODULE_DEVICE_TABLE(spi, max31722_spi_id); + + static struct spi_driver max31722_driver = { + .driver = { + .name = "max31722", + .pm = &max31722_pm_ops, +- .acpi_match_table = ACPI_PTR(max31722_acpi_id), + }, + .probe = max31722_probe, + .remove = max31722_remove, +-- +2.30.2 + diff --git a/queue-4.19/hwmon-max31790-fix-fan-speed-reporting-for-fan7.12.patch b/queue-4.19/hwmon-max31790-fix-fan-speed-reporting-for-fan7.12.patch new file mode 100644 index 00000000000..a0a317ad807 --- /dev/null +++ b/queue-4.19/hwmon-max31790-fix-fan-speed-reporting-for-fan7.12.patch @@ -0,0 +1,50 @@ +From 268cd83e9d32571b693c514dc52ba991cc2ed8a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 May 2021 08:40:16 -0700 +Subject: hwmon: (max31790) Fix fan speed reporting for fan7..12 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Guenter Roeck + +[ Upstream commit cbbf244f0515af3472084f22b6213121b4a63835 ] + +Fans 7..12 do not have their own set of configuration registers. +So far the code ignored that and read beyond the end of the configuration +register range to get the tachometer period. This resulted in more or less +random fan speed values for those fans. + +The datasheet is quite vague when it comes to defining the tachometer +period for fans 7..12. Experiments confirm that the period is the same +for both fans associated with a given set of configuration registers. + +Fixes: 54187ff9d766 ("hwmon: (max31790) Convert to use new hwmon registration API") +Fixes: 195a4b4298a7 ("hwmon: Driver for Maxim MAX31790") +Cc: Jan Kundrát +Reviewed-by: Jan Kundrát +Cc: Václav Kubernát +Reviewed-by: Jan Kundrát +Signed-off-by: Guenter Roeck +Link: https://lore.kernel.org/r/20210526154022.3223012-2-linux@roeck-us.net +Signed-off-by: Sasha Levin +--- + drivers/hwmon/max31790.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwmon/max31790.c b/drivers/hwmon/max31790.c +index 281491cca510..66cf772de7d2 100644 +--- a/drivers/hwmon/max31790.c ++++ b/drivers/hwmon/max31790.c +@@ -179,7 +179,7 @@ static int max31790_read_fan(struct device *dev, u32 attr, int channel, + + switch (attr) { + case hwmon_fan_input: +- sr = get_tach_period(data->fan_dynamics[channel]); ++ sr = get_tach_period(data->fan_dynamics[channel % NR_CHANNEL]); + rpm = RPM_FROM_REG(data->tach[channel], sr); + *val = rpm; + return 0; +-- +2.30.2 + diff --git a/queue-4.19/i40e-fix-autoneg-disabling-for-non-10gbaset-links.patch b/queue-4.19/i40e-fix-autoneg-disabling-for-non-10gbaset-links.patch new file mode 100644 index 00000000000..ea66b544940 --- /dev/null +++ b/queue-4.19/i40e-fix-autoneg-disabling-for-non-10gbaset-links.patch @@ -0,0 +1,41 @@ +From a5a77b7d738fbfa52f3625c8c8681a3abd713c49 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Mar 2021 11:12:54 +0000 +Subject: i40e: Fix autoneg disabling for non-10GBaseT links + +From: Mateusz Palczewski + +[ Upstream commit 9262793e59f0423437166a879a73d056b1fe6f9a ] + +Disabling autonegotiation was allowed only for 10GBaseT PHY. +The condition was changed to check if link media type is BaseT. + +Fixes: 3ce12ee9d8f9 ("i40e: Fix order of checks when enabling/disabling autoneg in ethtool") +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Karen Sornek +Signed-off-by: Dawid Lukwinski +Signed-off-by: Mateusz Palczewski +Tested-by: Tony Brelinski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c +index 9148d93c5c63..4c7c1998f358 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c +@@ -948,8 +948,7 @@ static int i40e_set_link_ksettings(struct net_device *netdev, + if (ethtool_link_ksettings_test_link_mode(&safe_ks, + supported, + Autoneg) && +- hw->phy.link_info.phy_type != +- I40E_PHY_TYPE_10GBASE_T) { ++ hw->phy.media_type != I40E_MEDIA_TYPE_BASET) { + netdev_info(netdev, "Autoneg cannot be disabled on this phy\n"); + err = -EINVAL; + goto done; +-- +2.30.2 + diff --git a/queue-4.19/i40e-fix-error-handling-in-i40e_vsi_open.patch b/queue-4.19/i40e-fix-error-handling-in-i40e_vsi_open.patch new file mode 100644 index 00000000000..b3968675655 --- /dev/null +++ b/queue-4.19/i40e-fix-error-handling-in-i40e_vsi_open.patch @@ -0,0 +1,38 @@ +From e9c5aeb1248bc63171c49d457e5aa61e5edfe93b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Feb 2021 19:50:58 +0800 +Subject: i40e: Fix error handling in i40e_vsi_open + +From: Dinghao Liu + +[ Upstream commit 9c04cfcd4aad232e36306cdc5c74cd9fc9148a7e ] + +When vsi->type == I40E_VSI_FDIR, we have caught the return value of +i40e_vsi_request_irq() but without further handling. Check and execute +memory clean on failure just like the other i40e_vsi_request_irq(). + +Fixes: 8a9eb7d3cbcab ("i40e: rework fdir setup and teardown") +Signed-off-by: Dinghao Liu +Tested-by: Tony Brelinski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index fa0e7582159f..1b101b526ed3 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -7743,6 +7743,8 @@ int i40e_vsi_open(struct i40e_vsi *vsi) + dev_driver_string(&pf->pdev->dev), + dev_name(&pf->pdev->dev)); + err = i40e_vsi_request_irq(vsi, int_name); ++ if (err) ++ goto err_setup_rx; + + } else { + err = -EINVAL; +-- +2.30.2 + diff --git a/queue-4.19/ia64-mca_drv-fix-incorrect-array-size-calculation.patch b/queue-4.19/ia64-mca_drv-fix-incorrect-array-size-calculation.patch new file mode 100644 index 00000000000..59e08268ebf --- /dev/null +++ b/queue-4.19/ia64-mca_drv-fix-incorrect-array-size-calculation.patch @@ -0,0 +1,48 @@ +From 521a96dd4970915ba92804a68964f7267c3a85dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Jun 2021 19:33:41 -0700 +Subject: ia64: mca_drv: fix incorrect array size calculation + +From: Arnd Bergmann + +[ Upstream commit c5f320ff8a79501bb59338278336ec43acb9d7e2 ] + +gcc points out a mistake in the mca driver that goes back to before the +git history: + +arch/ia64/kernel/mca_drv.c: In function 'init_record_index_pools': +arch/ia64/kernel/mca_drv.c:346:54: error: expression does not compute the number of elements in this array; element typ +e is 'int', not 'size_t' {aka 'long unsigned int'} [-Werror=sizeof-array-div] + 346 | for (i = 1; i < sizeof sal_log_sect_min_sizes/sizeof(size_t); i++) + | ^ + +This is the same as sizeof(size_t), which is two shorter than the actual +array. Use the ARRAY_SIZE() macro to get the correct calculation instead. + +Link: https://lkml.kernel.org/r/20210514214123.875971-1-arnd@kernel.org +Signed-off-by: Arnd Bergmann +Cc: Masahiro Yamada +Cc: Randy Dunlap +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/ia64/kernel/mca_drv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/ia64/kernel/mca_drv.c b/arch/ia64/kernel/mca_drv.c +index dfe40cbdf3b3..06419a95af30 100644 +--- a/arch/ia64/kernel/mca_drv.c ++++ b/arch/ia64/kernel/mca_drv.c +@@ -343,7 +343,7 @@ init_record_index_pools(void) + + /* - 2 - */ + sect_min_size = sal_log_sect_min_sizes[0]; +- for (i = 1; i < sizeof sal_log_sect_min_sizes/sizeof(size_t); i++) ++ for (i = 1; i < ARRAY_SIZE(sal_log_sect_min_sizes); i++) + if (sect_min_size > sal_log_sect_min_sizes[i]) + sect_min_size = sal_log_sect_min_sizes[i]; + +-- +2.30.2 + diff --git a/queue-4.19/ibmvnic-free-tx_pool-if-tso_pool-alloc-fails.patch b/queue-4.19/ibmvnic-free-tx_pool-if-tso_pool-alloc-fails.patch new file mode 100644 index 00000000000..45e5ac8e102 --- /dev/null +++ b/queue-4.19/ibmvnic-free-tx_pool-if-tso_pool-alloc-fails.patch @@ -0,0 +1,44 @@ +From 64c26bfe3c7a4f996e184754b53a9d7e9bfe2ef5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Jun 2021 21:13:15 -0700 +Subject: ibmvnic: free tx_pool if tso_pool alloc fails + +From: Sukadev Bhattiprolu + +[ Upstream commit f6ebca8efa52e4ae770f0325d618e7bcf08ada0c ] + +Free tx_pool and clear it, if allocation of tso_pool fails. + +release_tx_pools() assumes we have both tx and tso_pools if ->tx_pool is +non-NULL. If allocation of tso_pool fails in init_tx_pools(), the assumption +will not be true and we would end up dereferencing ->tx_buff, ->free_map +fields from a NULL pointer. + +Fixes: 3205306c6b8d ("ibmvnic: Update TX pool initialization routine") +Signed-off-by: Sukadev Bhattiprolu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ibm/ibmvnic.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c +index 0eb06750a5d6..4008007c2e34 100644 +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -698,8 +698,11 @@ static int init_tx_pools(struct net_device *netdev) + + adapter->tso_pool = kcalloc(tx_subcrqs, + sizeof(struct ibmvnic_tx_pool), GFP_KERNEL); +- if (!adapter->tso_pool) ++ if (!adapter->tso_pool) { ++ kfree(adapter->tx_pool); ++ adapter->tx_pool = NULL; + return -1; ++ } + + adapter->num_active_tx_pools = tx_subcrqs; + +-- +2.30.2 + diff --git a/queue-4.19/ieee802154-hwsim-avoid-possible-crash-in-hwsim_del_e.patch b/queue-4.19/ieee802154-hwsim-avoid-possible-crash-in-hwsim_del_e.patch new file mode 100644 index 00000000000..95ce3aae07f --- /dev/null +++ b/queue-4.19/ieee802154-hwsim-avoid-possible-crash-in-hwsim_del_e.patch @@ -0,0 +1,41 @@ +From b5f6190f87ae55ecf2e737a491a10d86c1fa0c82 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Jun 2021 11:02:44 -0700 +Subject: ieee802154: hwsim: avoid possible crash in hwsim_del_edge_nl() + +From: Eric Dumazet + +[ Upstream commit 0303b30375dff5351a79cc2c3c87dfa4fda29bed ] + +Both MAC802154_HWSIM_ATTR_RADIO_ID and MAC802154_HWSIM_ATTR_RADIO_EDGE +must be present to avoid a crash. + +Fixes: f25da51fdc38 ("ieee802154: hwsim: add replacement for fakelb") +Signed-off-by: Eric Dumazet +Cc: Alexander Aring +Cc: Stefan Schmidt +Reported-by: syzbot +Acked-by: Alexander Aring +Link: https://lore.kernel.org/r/20210621180244.882076-1-eric.dumazet@gmail.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + drivers/net/ieee802154/mac802154_hwsim.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ieee802154/mac802154_hwsim.c b/drivers/net/ieee802154/mac802154_hwsim.c +index 6cda4aa4f680..06aadebc2d5b 100644 +--- a/drivers/net/ieee802154/mac802154_hwsim.c ++++ b/drivers/net/ieee802154/mac802154_hwsim.c +@@ -496,7 +496,7 @@ static int hwsim_del_edge_nl(struct sk_buff *msg, struct genl_info *info) + struct hwsim_edge *e; + u32 v0, v1; + +- if (!info->attrs[MAC802154_HWSIM_ATTR_RADIO_ID] && ++ if (!info->attrs[MAC802154_HWSIM_ATTR_RADIO_ID] || + !info->attrs[MAC802154_HWSIM_ATTR_RADIO_EDGE]) + return -EINVAL; + +-- +2.30.2 + diff --git a/queue-4.19/ieee802154-hwsim-fix-memory-leak-in-hwsim_add_one.patch b/queue-4.19/ieee802154-hwsim-fix-memory-leak-in-hwsim_add_one.patch new file mode 100644 index 00000000000..167ece8a272 --- /dev/null +++ b/queue-4.19/ieee802154-hwsim-fix-memory-leak-in-hwsim_add_one.patch @@ -0,0 +1,60 @@ +From 9c612d4089bfa41cdd028637b76086cc287da90e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 10:09:01 +0800 +Subject: ieee802154: hwsim: Fix memory leak in hwsim_add_one + +From: Dongliang Mu + +[ Upstream commit 28a5501c3383f0e6643012c187b7c2027ef42aea ] + +No matter from hwsim_remove or hwsim_del_radio_nl, hwsim_del fails to +remove the entry in the edges list. Take the example below, phy0, phy1 +and e0 will be deleted, resulting in e1 not freed and accessed in the +future. + + hwsim_phys + | + ------------------------------ + | | +phy0 (edges) phy1 (edges) + ----> e1 (idx = 1) ----> e0 (idx = 0) + +Fix this by deleting and freeing all the entries in the edges list +between hwsim_edge_unsubscribe_me and list_del(&phy->list). + +Reported-by: syzbot+b80c9959009a9325cdff@syzkaller.appspotmail.com +Fixes: 1c9f4a3fce77 ("ieee802154: hwsim: fix rcu handling") +Signed-off-by: Dongliang Mu +Acked-by: Alexander Aring +Link: https://lore.kernel.org/r/20210616020901.2759466-1-mudongliangabcd@gmail.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + drivers/net/ieee802154/mac802154_hwsim.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ieee802154/mac802154_hwsim.c b/drivers/net/ieee802154/mac802154_hwsim.c +index c66a010650e0..6cda4aa4f680 100644 +--- a/drivers/net/ieee802154/mac802154_hwsim.c ++++ b/drivers/net/ieee802154/mac802154_hwsim.c +@@ -843,12 +843,17 @@ err_pib: + static void hwsim_del(struct hwsim_phy *phy) + { + struct hwsim_pib *pib; ++ struct hwsim_edge *e; + + hwsim_edge_unsubscribe_me(phy); + + list_del(&phy->list); + + rcu_read_lock(); ++ list_for_each_entry_rcu(e, &phy->edges, list) { ++ list_del_rcu(&e->list); ++ hwsim_free_edge(e); ++ } + pib = rcu_dereference(phy->pib); + rcu_read_unlock(); + +-- +2.30.2 + diff --git a/queue-4.19/ieee802154-hwsim-fix-possible-memory-leak-in-hwsim_s.patch b/queue-4.19/ieee802154-hwsim-fix-possible-memory-leak-in-hwsim_s.patch new file mode 100644 index 00000000000..d668e213368 --- /dev/null +++ b/queue-4.19/ieee802154-hwsim-fix-possible-memory-leak-in-hwsim_s.patch @@ -0,0 +1,49 @@ +From 17f5193f8b4a67aa3b9e43609223c45cdc611ee6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jun 2021 09:58:12 +0800 +Subject: ieee802154: hwsim: Fix possible memory leak in + hwsim_subscribe_all_others + +From: Dongliang Mu + +[ Upstream commit ab372c2293f5d0b279f31c8d768566ea37602dc9 ] + +In hwsim_subscribe_all_others, the error handling code performs +incorrectly if the second hwsim_alloc_edge fails. When this issue occurs, +it goes to sub_fail, without cleaning the edges allocated before. + +Fixes: f25da51fdc38 ("ieee802154: hwsim: add replacement for fakelb") +Signed-off-by: Dongliang Mu +Acked-by: Alexander Aring +Link: https://lore.kernel.org/r/20210611015812.1626999-1-mudongliangabcd@gmail.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + drivers/net/ieee802154/mac802154_hwsim.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ieee802154/mac802154_hwsim.c b/drivers/net/ieee802154/mac802154_hwsim.c +index be1f1a86bcd6..c66a010650e0 100644 +--- a/drivers/net/ieee802154/mac802154_hwsim.c ++++ b/drivers/net/ieee802154/mac802154_hwsim.c +@@ -734,6 +734,8 @@ static int hwsim_subscribe_all_others(struct hwsim_phy *phy) + + return 0; + ++sub_fail: ++ hwsim_edge_unsubscribe_me(phy); + me_fail: + rcu_read_lock(); + list_for_each_entry_rcu(e, &phy->edges, list) { +@@ -741,8 +743,6 @@ me_fail: + hwsim_free_edge(e); + } + rcu_read_unlock(); +-sub_fail: +- hwsim_edge_unsubscribe_me(phy); + return -ENOMEM; + } + +-- +2.30.2 + diff --git a/queue-4.19/iio-accel-bma180-fix-buffer-alignment-in-iio_push_to.patch b/queue-4.19/iio-accel-bma180-fix-buffer-alignment-in-iio_push_to.patch new file mode 100644 index 00000000000..3fbd41dacfd --- /dev/null +++ b/queue-4.19/iio-accel-bma180-fix-buffer-alignment-in-iio_push_to.patch @@ -0,0 +1,60 @@ +From 0bbface45842458db74da4d053d7b22a70218d85 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 May 2021 18:01:03 +0100 +Subject: iio: accel: bma180: Fix buffer alignment in + iio_push_to_buffers_with_timestamp() + +From: Jonathan Cameron + +[ Upstream commit fc36da3131a747a9367a05caf06de19be1bcc972 ] + +To make code more readable, use a structure to express the channel +layout and ensure the timestamp is 8 byte aligned. + +Found during an audit of all calls of this function. + +Fixes: b9a6a237ffc9 ("iio:bma180: Drop _update_scan_mode()") +Signed-off-by: Jonathan Cameron +Cc: Peter Meerwald +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20210501170121.512209-2-jic23@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/iio/accel/bma180.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/iio/accel/bma180.c b/drivers/iio/accel/bma180.c +index cb9765a3de60..4bedf48d662a 100644 +--- a/drivers/iio/accel/bma180.c ++++ b/drivers/iio/accel/bma180.c +@@ -121,7 +121,11 @@ struct bma180_data { + int scale; + int bw; + bool pmode; +- u8 buff[16]; /* 3x 16-bit + 8-bit + padding + timestamp */ ++ /* Ensure timestamp is naturally aligned */ ++ struct { ++ s16 chan[4]; ++ s64 timestamp __aligned(8); ++ } scan; + }; + + enum bma180_chan { +@@ -667,12 +671,12 @@ static irqreturn_t bma180_trigger_handler(int irq, void *p) + mutex_unlock(&data->mutex); + goto err; + } +- ((s16 *)data->buff)[i++] = ret; ++ data->scan.chan[i++] = ret; + } + + mutex_unlock(&data->mutex); + +- iio_push_to_buffers_with_timestamp(indio_dev, data->buff, time_ns); ++ iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, time_ns); + err: + iio_trigger_notify_done(indio_dev->trig); + +-- +2.30.2 + diff --git a/queue-4.19/iio-accel-bma220-fix-buffer-alignment-in-iio_push_to.patch b/queue-4.19/iio-accel-bma220-fix-buffer-alignment-in-iio_push_to.patch new file mode 100644 index 00000000000..72a10cadc7c --- /dev/null +++ b/queue-4.19/iio-accel-bma220-fix-buffer-alignment-in-iio_push_to.patch @@ -0,0 +1,59 @@ +From 1ce645f2e71848876f13cd2607e779a04a37c20e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 May 2021 18:01:04 +0100 +Subject: iio: accel: bma220: Fix buffer alignment in + iio_push_to_buffers_with_timestamp() + +From: Jonathan Cameron + +[ Upstream commit 151dbf0078da98206817ee0b87d499035479ef11 ] + +To make code more readable, use a structure to express the channel +layout and ensure the timestamp is 8 byte aligned. + +Found during an audit of all calls of this function. + +Fixes: 194dc4c71413 ("iio: accel: Add triggered buffer support for BMA220") +Signed-off-by: Jonathan Cameron +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20210501170121.512209-3-jic23@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/iio/accel/bma220_spi.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/iio/accel/bma220_spi.c b/drivers/iio/accel/bma220_spi.c +index e25d91c017ed..a548dc11e7c7 100644 +--- a/drivers/iio/accel/bma220_spi.c ++++ b/drivers/iio/accel/bma220_spi.c +@@ -76,7 +76,11 @@ static const int bma220_scale_table[][4] = { + struct bma220_data { + struct spi_device *spi_device; + struct mutex lock; +- s8 buffer[16]; /* 3x8-bit channels + 5x8 padding + 8x8 timestamp */ ++ struct { ++ s8 chans[3]; ++ /* Ensure timestamp is naturally aligned. */ ++ s64 timestamp __aligned(8); ++ } scan; + u8 tx_buf[2] ____cacheline_aligned; + }; + +@@ -107,12 +111,12 @@ static irqreturn_t bma220_trigger_handler(int irq, void *p) + + mutex_lock(&data->lock); + data->tx_buf[0] = BMA220_REG_ACCEL_X | BMA220_READ_MASK; +- ret = spi_write_then_read(spi, data->tx_buf, 1, data->buffer, ++ ret = spi_write_then_read(spi, data->tx_buf, 1, &data->scan.chans, + ARRAY_SIZE(bma220_channels) - 1); + if (ret < 0) + goto err; + +- iio_push_to_buffers_with_timestamp(indio_dev, data->buffer, ++ iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, + pf->timestamp); + err: + mutex_unlock(&data->lock); +-- +2.30.2 + diff --git a/queue-4.19/iio-accel-hid-fix-buffer-alignment-in-iio_push_to_bu.patch b/queue-4.19/iio-accel-hid-fix-buffer-alignment-in-iio_push_to_bu.patch new file mode 100644 index 00000000000..311f728a9a5 --- /dev/null +++ b/queue-4.19/iio-accel-hid-fix-buffer-alignment-in-iio_push_to_bu.patch @@ -0,0 +1,68 @@ +From ae44847489f7c25563c253473b54aaeeaf1d0561 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 May 2021 18:01:05 +0100 +Subject: iio: accel: hid: Fix buffer alignment in + iio_push_to_buffers_with_timestamp() + +From: Jonathan Cameron + +[ Upstream commit c6559bf796ccdb3a0c79db846af96c8f7046880b ] + +To make code more readable, use a structure to express the channel +layout and ensure the timestamp is 8 byte aligned. +Note this matches what was done in all the other hid sensor drivers. +This one was missed previously due to an extra level of indirection. + +Found during an audit of all calls of this function. + +Fixes: a96cd0f901ee ("iio: accel: hid-sensor-accel-3d: Add timestamp") +Signed-off-by: Jonathan Cameron +Cc: Srinivas Pandruvada +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20210501170121.512209-4-jic23@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/iio/accel/hid-sensor-accel-3d.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/drivers/iio/accel/hid-sensor-accel-3d.c b/drivers/iio/accel/hid-sensor-accel-3d.c +index 38ff374a3ca4..32d5438d4519 100644 +--- a/drivers/iio/accel/hid-sensor-accel-3d.c ++++ b/drivers/iio/accel/hid-sensor-accel-3d.c +@@ -42,8 +42,11 @@ struct accel_3d_state { + struct hid_sensor_hub_callbacks callbacks; + struct hid_sensor_common common_attributes; + struct hid_sensor_hub_attribute_info accel[ACCEL_3D_CHANNEL_MAX]; +- /* Reserve for 3 channels + padding + timestamp */ +- u32 accel_val[ACCEL_3D_CHANNEL_MAX + 3]; ++ /* Ensure timestamp is naturally aligned */ ++ struct { ++ u32 accel_val[3]; ++ s64 timestamp __aligned(8); ++ } scan; + int scale_pre_decml; + int scale_post_decml; + int scale_precision; +@@ -254,8 +257,8 @@ static int accel_3d_proc_event(struct hid_sensor_hub_device *hsdev, + accel_state->timestamp = iio_get_time_ns(indio_dev); + + hid_sensor_push_data(indio_dev, +- accel_state->accel_val, +- sizeof(accel_state->accel_val), ++ &accel_state->scan, ++ sizeof(accel_state->scan), + accel_state->timestamp); + + accel_state->timestamp = 0; +@@ -280,7 +283,7 @@ static int accel_3d_capture_sample(struct hid_sensor_hub_device *hsdev, + case HID_USAGE_SENSOR_ACCEL_Y_AXIS: + case HID_USAGE_SENSOR_ACCEL_Z_AXIS: + offset = usage_id - HID_USAGE_SENSOR_ACCEL_X_AXIS; +- accel_state->accel_val[CHANNEL_SCAN_INDEX_X + offset] = ++ accel_state->scan.accel_val[CHANNEL_SCAN_INDEX_X + offset] = + *(u32 *)raw_data; + ret = 0; + break; +-- +2.30.2 + diff --git a/queue-4.19/iio-accel-kxcjk-1013-fix-buffer-alignment-in-iio_pus.patch b/queue-4.19/iio-accel-kxcjk-1013-fix-buffer-alignment-in-iio_pus.patch new file mode 100644 index 00000000000..c1b03d8a55a --- /dev/null +++ b/queue-4.19/iio-accel-kxcjk-1013-fix-buffer-alignment-in-iio_pus.patch @@ -0,0 +1,86 @@ +From d4086ffe2da929e24101147b6e1e6403587e969e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 May 2021 18:01:06 +0100 +Subject: iio: accel: kxcjk-1013: Fix buffer alignment in + iio_push_to_buffers_with_timestamp() + +From: Jonathan Cameron + +[ Upstream commit 3ab3aa2e7bd57497f9a7c6275c00dce237d2c9ba ] + +To make code more readable, use a structure to express the channel +layout and ensure the timestamp is 8 byte aligned. + +Found during an audit of all calls of this function. + +Fixes: 1a4fbf6a9286 ("iio: accel: kxcjk1013 3-axis accelerometer driver") +Signed-off-by: Jonathan Cameron +Cc: Srinivas Pandruvada +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20210501170121.512209-5-jic23@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/iio/accel/kxcjk-1013.c | 24 ++++++++++++++---------- + 1 file changed, 14 insertions(+), 10 deletions(-) + +diff --git a/drivers/iio/accel/kxcjk-1013.c b/drivers/iio/accel/kxcjk-1013.c +index c22afc979206..0ca6f9de5192 100644 +--- a/drivers/iio/accel/kxcjk-1013.c ++++ b/drivers/iio/accel/kxcjk-1013.c +@@ -140,12 +140,23 @@ enum kx_acpi_type { + ACPI_KIOX010A, + }; + ++enum kxcjk1013_axis { ++ AXIS_X, ++ AXIS_Y, ++ AXIS_Z, ++ AXIS_MAX ++}; ++ + struct kxcjk1013_data { + struct i2c_client *client; + struct iio_trigger *dready_trig; + struct iio_trigger *motion_trig; + struct mutex mutex; +- s16 buffer[8]; ++ /* Ensure timestamp naturally aligned */ ++ struct { ++ s16 chans[AXIS_MAX]; ++ s64 timestamp __aligned(8); ++ } scan; + u8 odr_bits; + u8 range; + int wake_thres; +@@ -159,13 +170,6 @@ struct kxcjk1013_data { + enum kx_acpi_type acpi_type; + }; + +-enum kxcjk1013_axis { +- AXIS_X, +- AXIS_Y, +- AXIS_Z, +- AXIS_MAX, +-}; +- + enum kxcjk1013_mode { + STANDBY, + OPERATION, +@@ -1086,12 +1090,12 @@ static irqreturn_t kxcjk1013_trigger_handler(int irq, void *p) + ret = i2c_smbus_read_i2c_block_data_or_emulated(data->client, + KXCJK1013_REG_XOUT_L, + AXIS_MAX * 2, +- (u8 *)data->buffer); ++ (u8 *)data->scan.chans); + mutex_unlock(&data->mutex); + if (ret < 0) + goto err; + +- iio_push_to_buffers_with_timestamp(indio_dev, data->buffer, ++ iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, + data->timestamp); + err: + iio_trigger_notify_done(indio_dev->trig); +-- +2.30.2 + diff --git a/queue-4.19/iio-accel-stk8312-fix-buffer-alignment-in-iio_push_t.patch b/queue-4.19/iio-accel-stk8312-fix-buffer-alignment-in-iio_push_t.patch new file mode 100644 index 00000000000..7588cba9569 --- /dev/null +++ b/queue-4.19/iio-accel-stk8312-fix-buffer-alignment-in-iio_push_t.patch @@ -0,0 +1,68 @@ +From 912e32ed7481ee9982fb9ee81be5b04ff0fb23a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 May 2021 18:01:08 +0100 +Subject: iio: accel: stk8312: Fix buffer alignment in + iio_push_to_buffers_with_timestamp() + +From: Jonathan Cameron + +[ Upstream commit f40a71ffec808e7e51848f63f0c0d3c32d65081b ] + +To make code more readable, use a structure to express the channel +layout and ensure the timestamp is 8 byte aligned. + +Found during an audit of all calls of this function. + +Fixes: 95c12bba51c3 ("iio: accel: Add buffer mode for Sensortek STK8312") +Signed-off-by: Jonathan Cameron +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20210501170121.512209-7-jic23@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/iio/accel/stk8312.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/drivers/iio/accel/stk8312.c b/drivers/iio/accel/stk8312.c +index cacc0da2f874..52c33addf47b 100644 +--- a/drivers/iio/accel/stk8312.c ++++ b/drivers/iio/accel/stk8312.c +@@ -106,7 +106,11 @@ struct stk8312_data { + u8 mode; + struct iio_trigger *dready_trig; + bool dready_trigger_on; +- s8 buffer[16]; /* 3x8-bit channels + 5x8 padding + 64-bit timestamp */ ++ /* Ensure timestamp is naturally aligned */ ++ struct { ++ s8 chans[3]; ++ s64 timestamp __aligned(8); ++ } scan; + }; + + static IIO_CONST_ATTR(in_accel_scale_available, STK8312_SCALE_AVAIL); +@@ -441,7 +445,7 @@ static irqreturn_t stk8312_trigger_handler(int irq, void *p) + ret = i2c_smbus_read_i2c_block_data(data->client, + STK8312_REG_XOUT, + STK8312_ALL_CHANNEL_SIZE, +- data->buffer); ++ data->scan.chans); + if (ret < STK8312_ALL_CHANNEL_SIZE) { + dev_err(&data->client->dev, "register read failed\n"); + mutex_unlock(&data->lock); +@@ -455,12 +459,12 @@ static irqreturn_t stk8312_trigger_handler(int irq, void *p) + mutex_unlock(&data->lock); + goto err; + } +- data->buffer[i++] = ret; ++ data->scan.chans[i++] = ret; + } + } + mutex_unlock(&data->lock); + +- iio_push_to_buffers_with_timestamp(indio_dev, data->buffer, ++ iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, + pf->timestamp); + err: + iio_trigger_notify_done(indio_dev->trig); +-- +2.30.2 + diff --git a/queue-4.19/iio-accel-stk8ba50-fix-buffer-alignment-in-iio_push_.patch b/queue-4.19/iio-accel-stk8ba50-fix-buffer-alignment-in-iio_push_.patch new file mode 100644 index 00000000000..6d32eca50fe --- /dev/null +++ b/queue-4.19/iio-accel-stk8ba50-fix-buffer-alignment-in-iio_push_.patch @@ -0,0 +1,71 @@ +From 6174b689562f79b73c7fc645fdb5727a04788d41 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 May 2021 18:01:09 +0100 +Subject: iio: accel: stk8ba50: Fix buffer alignment in + iio_push_to_buffers_with_timestamp() + +From: Jonathan Cameron + +[ Upstream commit 334883894bc1e145a1e0f5de1b0d1b6a1133f0e6 ] + +To make code more readable, use a structure to express the channel +layout and ensure the timestamp is 8 byte aligned. + +Found during an audit of all calls of this function. + +Fixes: db6a19b8251f ("iio: accel: Add trigger support for STK8BA50") +Signed-off-by: Jonathan Cameron +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20210501170121.512209-8-jic23@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/iio/accel/stk8ba50.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +diff --git a/drivers/iio/accel/stk8ba50.c b/drivers/iio/accel/stk8ba50.c +index 576b6b140f08..0d9067d3ccc4 100644 +--- a/drivers/iio/accel/stk8ba50.c ++++ b/drivers/iio/accel/stk8ba50.c +@@ -94,12 +94,11 @@ struct stk8ba50_data { + u8 sample_rate_idx; + struct iio_trigger *dready_trig; + bool dready_trigger_on; +- /* +- * 3 x 16-bit channels (10-bit data, 6-bit padding) + +- * 1 x 16 padding + +- * 4 x 16 64-bit timestamp +- */ +- s16 buffer[8]; ++ /* Ensure timestamp is naturally aligned */ ++ struct { ++ s16 chans[3]; ++ s64 timetamp __aligned(8); ++ } scan; + }; + + #define STK8BA50_ACCEL_CHANNEL(index, reg, axis) { \ +@@ -327,7 +326,7 @@ static irqreturn_t stk8ba50_trigger_handler(int irq, void *p) + ret = i2c_smbus_read_i2c_block_data(data->client, + STK8BA50_REG_XOUT, + STK8BA50_ALL_CHANNEL_SIZE, +- (u8 *)data->buffer); ++ (u8 *)data->scan.chans); + if (ret < STK8BA50_ALL_CHANNEL_SIZE) { + dev_err(&data->client->dev, "register read failed\n"); + goto err; +@@ -340,10 +339,10 @@ static irqreturn_t stk8ba50_trigger_handler(int irq, void *p) + if (ret < 0) + goto err; + +- data->buffer[i++] = ret; ++ data->scan.chans[i++] = ret; + } + } +- iio_push_to_buffers_with_timestamp(indio_dev, data->buffer, ++ iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, + pf->timestamp); + err: + mutex_unlock(&data->lock); +-- +2.30.2 + diff --git a/queue-4.19/iio-adc-hx711-fix-buffer-alignment-in-iio_push_to_bu.patch b/queue-4.19/iio-adc-hx711-fix-buffer-alignment-in-iio_push_to_bu.patch new file mode 100644 index 00000000000..b39069c2ee6 --- /dev/null +++ b/queue-4.19/iio-adc-hx711-fix-buffer-alignment-in-iio_push_to_bu.patch @@ -0,0 +1,47 @@ +From 6fbf78420e33ab8587cf24c8e91f4c3bc6122cf6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 13 Jun 2021 16:22:55 +0100 +Subject: iio: adc: hx711: Fix buffer alignment in + iio_push_to_buffers_with_timestamp() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jonathan Cameron + +[ Upstream commit afe2a789fbf7acd1a05407fc7839cc08d23825e3 ] + +To make code more readable, use a structure to express the channel +layout and ensure the timestamp is 8 byte aligned. + +Found during an audit of all calls of this function. + +Fixes: d3bf60450d47 ("iio: hx711: add triggered buffer support") +Signed-off-by: Jonathan Cameron +Cc: Andreas Klinger +Reviewed-by: Nuno Sá +Link: https://lore.kernel.org/r/20210613152301.571002-3-jic23@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/hx711.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/iio/adc/hx711.c b/drivers/iio/adc/hx711.c +index 6c5d81a89aec..0dc487dd1674 100644 +--- a/drivers/iio/adc/hx711.c ++++ b/drivers/iio/adc/hx711.c +@@ -94,9 +94,9 @@ struct hx711_data { + struct mutex lock; + /* + * triggered buffer +- * 2x32-bit channel + 64-bit timestamp ++ * 2x32-bit channel + 64-bit naturally aligned timestamp + */ +- u32 buffer[4]; ++ u32 buffer[4] __aligned(8); + /* + * delay after a rising edge on SCK until the data is ready DOUT + * this is dependent on the hx711 where the datasheet tells a +-- +2.30.2 + diff --git a/queue-4.19/iio-adc-mxs-lradc-fix-buffer-alignment-in-iio_push_t.patch b/queue-4.19/iio-adc-mxs-lradc-fix-buffer-alignment-in-iio_push_t.patch new file mode 100644 index 00000000000..0c20dbd917f --- /dev/null +++ b/queue-4.19/iio-adc-mxs-lradc-fix-buffer-alignment-in-iio_push_t.patch @@ -0,0 +1,47 @@ +From dd3f6aa054a3100a3b16384ada2bff561c321551 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 13 Jun 2021 16:22:56 +0100 +Subject: iio: adc: mxs-lradc: Fix buffer alignment in + iio_push_to_buffers_with_timestamp() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jonathan Cameron + +[ Upstream commit 6a6be221b8bd561b053f0701ec752a5ed9007f69 ] + +To make code more readable, use a structure to express the channel +layout and ensure the timestamp is 8 byte aligned. +Add a comment on why the buffer is the size it is as not immediately +obvious. + +Found during an audit of all calls of this function. + +Fixes: 6dd112b9f85e ("iio: adc: mxs-lradc: Add support for ADC driver") +Signed-off-by: Jonathan Cameron +Cc: Andreas Klinger +Reviewed-by: Nuno Sá +Link: https://lore.kernel.org/r/20210613152301.571002-4-jic23@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/mxs-lradc-adc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/iio/adc/mxs-lradc-adc.c b/drivers/iio/adc/mxs-lradc-adc.c +index c627513d9f0f..fc8b70d8d64c 100644 +--- a/drivers/iio/adc/mxs-lradc-adc.c ++++ b/drivers/iio/adc/mxs-lradc-adc.c +@@ -124,7 +124,8 @@ struct mxs_lradc_adc { + struct device *dev; + + void __iomem *base; +- u32 buffer[10]; ++ /* Maximum of 8 channels + 8 byte ts */ ++ u32 buffer[10] __aligned(8); + struct iio_trigger *trig; + struct completion completion; + spinlock_t lock; +-- +2.30.2 + diff --git a/queue-4.19/iio-adc-ti-ads1015-fix-buffer-alignment-in-iio_push_.patch b/queue-4.19/iio-adc-ti-ads1015-fix-buffer-alignment-in-iio_push_.patch new file mode 100644 index 00000000000..cf4968574a6 --- /dev/null +++ b/queue-4.19/iio-adc-ti-ads1015-fix-buffer-alignment-in-iio_push_.patch @@ -0,0 +1,63 @@ +From d705808d25353f33c7ea105cc02a45c0a71ec4e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 May 2021 18:01:10 +0100 +Subject: iio: adc: ti-ads1015: Fix buffer alignment in + iio_push_to_buffers_with_timestamp() + +From: Jonathan Cameron + +[ Upstream commit d85d71dd1ab67eaa7351f69fec512d8f09d164e1 ] + +To make code more readable, use a structure to express the channel +layout and ensure the timestamp is 8 byte aligned. + +Found during an audit of all calls of this function. + +Fixes: ecc24e72f437 ("iio: adc: Add TI ADS1015 ADC driver support") +Signed-off-by: Jonathan Cameron +Cc: Daniel Baluta +Cc: Andy Shevchenko +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20210501170121.512209-9-jic23@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/ti-ads1015.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/drivers/iio/adc/ti-ads1015.c b/drivers/iio/adc/ti-ads1015.c +index dc8d859e4b92..b1cccc3eeea6 100644 +--- a/drivers/iio/adc/ti-ads1015.c ++++ b/drivers/iio/adc/ti-ads1015.c +@@ -391,10 +391,14 @@ static irqreturn_t ads1015_trigger_handler(int irq, void *p) + struct iio_poll_func *pf = p; + struct iio_dev *indio_dev = pf->indio_dev; + struct ads1015_data *data = iio_priv(indio_dev); +- s16 buf[8]; /* 1x s16 ADC val + 3x s16 padding + 4x s16 timestamp */ ++ /* Ensure natural alignment of timestamp */ ++ struct { ++ s16 chan; ++ s64 timestamp __aligned(8); ++ } scan; + int chan, ret, res; + +- memset(buf, 0, sizeof(buf)); ++ memset(&scan, 0, sizeof(scan)); + + mutex_lock(&data->lock); + chan = find_first_bit(indio_dev->active_scan_mask, +@@ -405,10 +409,10 @@ static irqreturn_t ads1015_trigger_handler(int irq, void *p) + goto err; + } + +- buf[0] = res; ++ scan.chan = res; + mutex_unlock(&data->lock); + +- iio_push_to_buffers_with_timestamp(indio_dev, buf, ++ iio_push_to_buffers_with_timestamp(indio_dev, &scan, + iio_get_time_ns(indio_dev)); + + err: +-- +2.30.2 + diff --git a/queue-4.19/iio-adc-ti-ads8688-fix-alignment-of-buffer-in-iio_pu.patch b/queue-4.19/iio-adc-ti-ads8688-fix-alignment-of-buffer-in-iio_pu.patch new file mode 100644 index 00000000000..15011a2c48b --- /dev/null +++ b/queue-4.19/iio-adc-ti-ads8688-fix-alignment-of-buffer-in-iio_pu.patch @@ -0,0 +1,43 @@ +From cded4f796ed87c81eac99aa0a3094619fc0d3a56 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 13 Jun 2021 16:22:57 +0100 +Subject: iio: adc: ti-ads8688: Fix alignment of buffer in + iio_push_to_buffers_with_timestamp() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jonathan Cameron + +[ Upstream commit 61fa5dfa5f52806f5ce37a0ba5712c271eb22f98 ] + +Add __aligned(8) to ensure the buffer passed to +iio_push_to_buffers_with_timestamp() is suitable for the naturally +aligned timestamp that will be inserted. + +Fixes: f214ff521fb1 ("iio: ti-ads8688: Update buffer allocation for timestamps") +Signed-off-by: Jonathan Cameron +Reviewed-by: Nuno Sá +Link: https://lore.kernel.org/r/20210613152301.571002-5-jic23@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/ti-ads8688.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/iio/adc/ti-ads8688.c b/drivers/iio/adc/ti-ads8688.c +index 7f16c77b99fb..9bcb05897c9d 100644 +--- a/drivers/iio/adc/ti-ads8688.c ++++ b/drivers/iio/adc/ti-ads8688.c +@@ -386,7 +386,8 @@ static irqreturn_t ads8688_trigger_handler(int irq, void *p) + { + struct iio_poll_func *pf = p; + struct iio_dev *indio_dev = pf->indio_dev; +- u16 buffer[ADS8688_MAX_CHANNELS + sizeof(s64)/sizeof(u16)]; ++ /* Ensure naturally aligned timestamp */ ++ u16 buffer[ADS8688_MAX_CHANNELS + sizeof(s64)/sizeof(u16)] __aligned(8); + int i, j = 0; + + for (i = 0; i < indio_dev->masklength; i++) { +-- +2.30.2 + diff --git a/queue-4.19/iio-adc-vf610-fix-buffer-alignment-in-iio_push_to_bu.patch b/queue-4.19/iio-adc-vf610-fix-buffer-alignment-in-iio_push_to_bu.patch new file mode 100644 index 00000000000..039ca4e6b2f --- /dev/null +++ b/queue-4.19/iio-adc-vf610-fix-buffer-alignment-in-iio_push_to_bu.patch @@ -0,0 +1,59 @@ +From 5b526fe2260b1baf895c1dceeed2117f718ed27d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 May 2021 18:01:11 +0100 +Subject: iio: adc: vf610: Fix buffer alignment in + iio_push_to_buffers_with_timestamp() + +From: Jonathan Cameron + +[ Upstream commit 7765dfaa22ea08abf0c175e7553826ba2a939632 ] + +To make code more readable, use a structure to express the channel +layout and ensure the timestamp is 8 byte aligned. + +Found during an audit of all calls of uses of +iio_push_to_buffers_with_timestamp() + +Fixes: 0010d6b44406 ("iio: adc: vf610: Add IIO buffer support for Vybrid ADC") +Signed-off-by: Jonathan Cameron +Cc: Stefan-Gabriel Mirea +Cc: Sanchayan Maity +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20210501170121.512209-10-jic23@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/vf610_adc.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/iio/adc/vf610_adc.c b/drivers/iio/adc/vf610_adc.c +index bbcb7a4d7edf..3e480244ad9a 100644 +--- a/drivers/iio/adc/vf610_adc.c ++++ b/drivers/iio/adc/vf610_adc.c +@@ -180,7 +180,11 @@ struct vf610_adc { + u32 sample_freq_avail[5]; + + struct completion completion; +- u16 buffer[8]; ++ /* Ensure the timestamp is naturally aligned */ ++ struct { ++ u16 chan; ++ s64 timestamp __aligned(8); ++ } scan; + }; + + static const u32 vf610_hw_avgs[] = { 1, 4, 8, 16, 32 }; +@@ -592,9 +596,9 @@ static irqreturn_t vf610_adc_isr(int irq, void *dev_id) + if (coco & VF610_ADC_HS_COCO0) { + info->value = vf610_adc_read_data(info); + if (iio_buffer_enabled(indio_dev)) { +- info->buffer[0] = info->value; ++ info->scan.chan = info->value; + iio_push_to_buffers_with_timestamp(indio_dev, +- info->buffer, ++ &info->scan, + iio_get_time_ns(indio_dev)); + iio_trigger_notify_done(indio_dev->trig); + } else +-- +2.30.2 + diff --git a/queue-4.19/iio-adis_buffer-do-not-return-ints-in-irq-handlers.patch b/queue-4.19/iio-adis_buffer-do-not-return-ints-in-irq-handlers.patch new file mode 100644 index 00000000000..a24564785ac --- /dev/null +++ b/queue-4.19/iio-adis_buffer-do-not-return-ints-in-irq-handlers.patch @@ -0,0 +1,42 @@ +From a1ff10f1776e45c42e4db59f2f628e9a9c389abd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Apr 2021 12:19:03 +0200 +Subject: iio: adis_buffer: do not return ints in irq handlers + +From: Nuno Sa + +[ Upstream commit d877539ad8e8fdde9af69887055fec6402be1a13 ] + +On an IRQ handler we should not return normal error codes as 'irqreturn_t' +is expected. + +Not necessarily stable material as the old check cannot fail, so it's a bug +we can not hit. + +Fixes: ccd2b52f4ac69 ("staging:iio: Add common ADIS library") +Reviewed-by: Alexandru Ardelean +Signed-off-by: Nuno Sa +Link: https://lore.kernel.org/r/20210422101911.135630-2-nuno.sa@analog.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/imu/adis_buffer.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/iio/imu/adis_buffer.c b/drivers/iio/imu/adis_buffer.c +index e59d0438de73..bde68462b5ed 100644 +--- a/drivers/iio/imu/adis_buffer.c ++++ b/drivers/iio/imu/adis_buffer.c +@@ -83,9 +83,6 @@ static irqreturn_t adis_trigger_handler(int irq, void *p) + struct adis *adis = iio_device_get_drvdata(indio_dev); + int ret; + +- if (!adis->buffer) +- return -ENOMEM; +- + if (adis->data->has_paging) { + mutex_lock(&adis->txrx_lock); + if (adis->current_page != 0) { +-- +2.30.2 + diff --git a/queue-4.19/iio-gyro-bmg160-fix-buffer-alignment-in-iio_push_to_.patch b/queue-4.19/iio-gyro-bmg160-fix-buffer-alignment-in-iio_push_to_.patch new file mode 100644 index 00000000000..9c3a82fe62d --- /dev/null +++ b/queue-4.19/iio-gyro-bmg160-fix-buffer-alignment-in-iio_push_to_.patch @@ -0,0 +1,61 @@ +From ebe8ab82de6d3d316323a8e39fcb9e4e4717af18 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 May 2021 18:01:12 +0100 +Subject: iio: gyro: bmg160: Fix buffer alignment in + iio_push_to_buffers_with_timestamp() + +From: Jonathan Cameron + +[ Upstream commit 06778d881f3798ce93ffbbbf801234292250b598 ] + +To make code more readable, use a structure to express the channel +layout and ensure the timestamp is 8 byte aligned. + +Found during an audit of all calls of uses of +iio_push_to_buffers_with_timestamp() + +Fixes: 13426454b649 ("iio: bmg160: Separate i2c and core driver") +Signed-off-by: Jonathan Cameron +Cc: Stephan Gerhold +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20210501170121.512209-11-jic23@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/iio/gyro/bmg160_core.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/iio/gyro/bmg160_core.c b/drivers/iio/gyro/bmg160_core.c +index 92c07ab826eb..ef8ef96201f6 100644 +--- a/drivers/iio/gyro/bmg160_core.c ++++ b/drivers/iio/gyro/bmg160_core.c +@@ -103,7 +103,11 @@ struct bmg160_data { + struct iio_trigger *dready_trig; + struct iio_trigger *motion_trig; + struct mutex mutex; +- s16 buffer[8]; ++ /* Ensure naturally aligned timestamp */ ++ struct { ++ s16 chans[3]; ++ s64 timestamp __aligned(8); ++ } scan; + u32 dps_range; + int ev_enable_state; + int slope_thres; +@@ -872,12 +876,12 @@ static irqreturn_t bmg160_trigger_handler(int irq, void *p) + + mutex_lock(&data->mutex); + ret = regmap_bulk_read(data->regmap, BMG160_REG_XOUT_L, +- data->buffer, AXIS_MAX * 2); ++ data->scan.chans, AXIS_MAX * 2); + mutex_unlock(&data->mutex); + if (ret < 0) + goto err; + +- iio_push_to_buffers_with_timestamp(indio_dev, data->buffer, ++ iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, + pf->timestamp); + err: + iio_trigger_notify_done(indio_dev->trig); +-- +2.30.2 + diff --git a/queue-4.19/iio-humidity-am2315-fix-buffer-alignment-in-iio_push.patch b/queue-4.19/iio-humidity-am2315-fix-buffer-alignment-in-iio_push.patch new file mode 100644 index 00000000000..2715200c616 --- /dev/null +++ b/queue-4.19/iio-humidity-am2315-fix-buffer-alignment-in-iio_push.patch @@ -0,0 +1,71 @@ +From 5fc7e87104c73def609252a8b66ffd0f8e951c66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 May 2021 18:01:13 +0100 +Subject: iio: humidity: am2315: Fix buffer alignment in + iio_push_to_buffers_with_timestamp() + +From: Jonathan Cameron + +[ Upstream commit f4ca2e2595d9fee65d5ce0d218b22ce00e5b2915 ] + +To make code more readable, use a structure to express the channel +layout and ensure the timestamp is 8 byte aligned. + +Found during an audit of all calls of uses of +iio_push_to_buffers_with_timestamp() + +Fixes: 0d96d5ead3f7 ("iio: humidity: Add triggered buffer support for AM2315") +Signed-off-by: Jonathan Cameron +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20210501170121.512209-12-jic23@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/iio/humidity/am2315.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/drivers/iio/humidity/am2315.c b/drivers/iio/humidity/am2315.c +index 7d8669dc6547..b09bd0b39c9c 100644 +--- a/drivers/iio/humidity/am2315.c ++++ b/drivers/iio/humidity/am2315.c +@@ -36,7 +36,11 @@ + struct am2315_data { + struct i2c_client *client; + struct mutex lock; +- s16 buffer[8]; /* 2x16-bit channels + 2x16 padding + 4x16 timestamp */ ++ /* Ensure timestamp is naturally aligned */ ++ struct { ++ s16 chans[2]; ++ s64 timestamp __aligned(8); ++ } scan; + }; + + struct am2315_sensor_data { +@@ -170,20 +174,20 @@ static irqreturn_t am2315_trigger_handler(int irq, void *p) + + mutex_lock(&data->lock); + if (*(indio_dev->active_scan_mask) == AM2315_ALL_CHANNEL_MASK) { +- data->buffer[0] = sensor_data.hum_data; +- data->buffer[1] = sensor_data.temp_data; ++ data->scan.chans[0] = sensor_data.hum_data; ++ data->scan.chans[1] = sensor_data.temp_data; + } else { + i = 0; + for_each_set_bit(bit, indio_dev->active_scan_mask, + indio_dev->masklength) { +- data->buffer[i] = (bit ? sensor_data.temp_data : +- sensor_data.hum_data); ++ data->scan.chans[i] = (bit ? sensor_data.temp_data : ++ sensor_data.hum_data); + i++; + } + } + mutex_unlock(&data->lock); + +- iio_push_to_buffers_with_timestamp(indio_dev, data->buffer, ++ iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, + pf->timestamp); + err: + iio_trigger_notify_done(indio_dev->trig); +-- +2.30.2 + diff --git a/queue-4.19/iio-light-isl29125-fix-buffer-alignment-in-iio_push_.patch b/queue-4.19/iio-light-isl29125-fix-buffer-alignment-in-iio_push_.patch new file mode 100644 index 00000000000..4c54e4b38cc --- /dev/null +++ b/queue-4.19/iio-light-isl29125-fix-buffer-alignment-in-iio_push_.patch @@ -0,0 +1,58 @@ +From 6d9d102be7c1567e63f55aef50ba54418a18ae60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 May 2021 18:01:19 +0100 +Subject: iio: light: isl29125: Fix buffer alignment in + iio_push_to_buffers_with_timestamp() + +From: Jonathan Cameron + +[ Upstream commit 3d4725194de6935dba2ad7c9cc075c885008f747 ] + +To make code more readable, use a structure to express the channel +layout and ensure the timestamp is 8 byte aligned. + +Found during an audit of all calls of uses of +iio_push_to_buffers_with_timestamp() + +Fixes: 6c25539cbc46 ("iio: Add Intersil isl29125 digital color light sensor driver") +Signed-off-by: Jonathan Cameron +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20210501170121.512209-18-jic23@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/iio/light/isl29125.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/iio/light/isl29125.c b/drivers/iio/light/isl29125.c +index ed38edcd5efe..d0f5fd42c0ec 100644 +--- a/drivers/iio/light/isl29125.c ++++ b/drivers/iio/light/isl29125.c +@@ -54,7 +54,11 @@ + struct isl29125_data { + struct i2c_client *client; + u8 conf1; +- u16 buffer[8]; /* 3x 16-bit, padding, 8 bytes timestamp */ ++ /* Ensure timestamp is naturally aligned */ ++ struct { ++ u16 chans[3]; ++ s64 timestamp __aligned(8); ++ } scan; + }; + + #define ISL29125_CHANNEL(_color, _si) { \ +@@ -187,10 +191,10 @@ static irqreturn_t isl29125_trigger_handler(int irq, void *p) + if (ret < 0) + goto done; + +- data->buffer[j++] = ret; ++ data->scan.chans[j++] = ret; + } + +- iio_push_to_buffers_with_timestamp(indio_dev, data->buffer, ++ iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, + iio_get_time_ns(indio_dev)); + + done: +-- +2.30.2 + diff --git a/queue-4.19/iio-light-tcs3414-fix-buffer-alignment-in-iio_push_t.patch b/queue-4.19/iio-light-tcs3414-fix-buffer-alignment-in-iio_push_t.patch new file mode 100644 index 00000000000..7650993e6f4 --- /dev/null +++ b/queue-4.19/iio-light-tcs3414-fix-buffer-alignment-in-iio_push_t.patch @@ -0,0 +1,58 @@ +From 2008d30c5a281af002672f59ac7d4b01e7630f4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 May 2021 18:01:20 +0100 +Subject: iio: light: tcs3414: Fix buffer alignment in + iio_push_to_buffers_with_timestamp() + +From: Jonathan Cameron + +[ Upstream commit ff08fbc22ab32ccc6690c21b0e5e1d402dcc076f ] + +To make code more readable, use a structure to express the channel +layout and ensure the timestamp is 8 byte aligned. + +Found during an audit of all calls of uses of +iio_push_to_buffers_with_timestamp() + +Fixes: a244e7b57f0f ("iio: Add driver for AMS/TAOS tcs3414 digital color sensor") +Signed-off-by: Jonathan Cameron +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20210501170121.512209-19-jic23@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/iio/light/tcs3414.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/iio/light/tcs3414.c b/drivers/iio/light/tcs3414.c +index 205e5659ce6b..c525420e7c62 100644 +--- a/drivers/iio/light/tcs3414.c ++++ b/drivers/iio/light/tcs3414.c +@@ -56,7 +56,11 @@ struct tcs3414_data { + u8 control; + u8 gain; + u8 timing; +- u16 buffer[8]; /* 4x 16-bit + 8 bytes timestamp */ ++ /* Ensure timestamp is naturally aligned */ ++ struct { ++ u16 chans[4]; ++ s64 timestamp __aligned(8); ++ } scan; + }; + + #define TCS3414_CHANNEL(_color, _si, _addr) { \ +@@ -212,10 +216,10 @@ static irqreturn_t tcs3414_trigger_handler(int irq, void *p) + if (ret < 0) + goto done; + +- data->buffer[j++] = ret; ++ data->scan.chans[j++] = ret; + } + +- iio_push_to_buffers_with_timestamp(indio_dev, data->buffer, ++ iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, + iio_get_time_ns(indio_dev)); + + done: +-- +2.30.2 + diff --git a/queue-4.19/iio-light-tcs3472-fix-buffer-alignment-in-iio_push_t.patch b/queue-4.19/iio-light-tcs3472-fix-buffer-alignment-in-iio_push_t.patch new file mode 100644 index 00000000000..2cfc1f9e2d4 --- /dev/null +++ b/queue-4.19/iio-light-tcs3472-fix-buffer-alignment-in-iio_push_t.patch @@ -0,0 +1,62 @@ +From 0466eae29862d08dac542a13ed34745ef481d9ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 May 2021 18:01:21 +0100 +Subject: iio: light: tcs3472: Fix buffer alignment in + iio_push_to_buffers_with_timestamp() + +From: Jonathan Cameron + +[ Upstream commit df2f37cffd6ed486d613e7ee22aadc8e49ae2dd3 ] + +To make code more readable, use a structure to express the channel +layout and ensure the timestamp is 8 byte aligned. + +Found during an audit of all calls of uses of +iio_push_to_buffers_with_timestamp(). + +Fixes tag is not strictly accurate as prior to that patch there was +potentially an unaligned write. However, any backport past there will +need to be done manually. + +Fixes: 0624bf847dd0 ("iio:tcs3472: Use iio_push_to_buffers_with_timestamp()") +Signed-off-by: Jonathan Cameron +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20210501170121.512209-20-jic23@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/iio/light/tcs3472.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/iio/light/tcs3472.c b/drivers/iio/light/tcs3472.c +index 1995cc5cd732..82204414c7a1 100644 +--- a/drivers/iio/light/tcs3472.c ++++ b/drivers/iio/light/tcs3472.c +@@ -67,7 +67,11 @@ struct tcs3472_data { + u8 control; + u8 atime; + u8 apers; +- u16 buffer[8]; /* 4 16-bit channels + 64-bit timestamp */ ++ /* Ensure timestamp is naturally aligned */ ++ struct { ++ u16 chans[4]; ++ s64 timestamp __aligned(8); ++ } scan; + }; + + static const struct iio_event_spec tcs3472_events[] = { +@@ -389,10 +393,10 @@ static irqreturn_t tcs3472_trigger_handler(int irq, void *p) + if (ret < 0) + goto done; + +- data->buffer[j++] = ret; ++ data->scan.chans[j++] = ret; + } + +- iio_push_to_buffers_with_timestamp(indio_dev, data->buffer, ++ iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, + iio_get_time_ns(indio_dev)); + + done: +-- +2.30.2 + diff --git a/queue-4.19/iio-potentiostat-lmp91000-fix-alignment-of-buffer-in.patch b/queue-4.19/iio-potentiostat-lmp91000-fix-alignment-of-buffer-in.patch new file mode 100644 index 00000000000..66078e8f0d7 --- /dev/null +++ b/queue-4.19/iio-potentiostat-lmp91000-fix-alignment-of-buffer-in.patch @@ -0,0 +1,45 @@ +From 46eddd17c0275f7164446923fd95b0aed0701b3f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 May 2021 18:13:48 +0100 +Subject: iio: potentiostat: lmp91000: Fix alignment of buffer in + iio_push_to_buffers_with_timestamp() + +From: Jonathan Cameron + +[ Upstream commit 8979b67ec61abc232636400ee8c758a16a73c95f ] + +Add __aligned(8) to ensure the buffer passed to +iio_push_to_buffers_with_timestamp() is suitable for the naturally +aligned timestamp that will be inserted. + +Here structure is not used, because this buffer is also used +elsewhere in the driver. + +Fixes: 67e17300dc1d ("iio: potentiostat: add LMP91000 support") +Signed-off-by: Jonathan Cameron +Cc: Matt Ranostay +Acked-by: Matt Ranostay +Link: https://lore.kernel.org/r/20210501171352.512953-8-jic23@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/iio/potentiostat/lmp91000.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/iio/potentiostat/lmp91000.c b/drivers/iio/potentiostat/lmp91000.c +index 90e895adf997..68f4f6fa27da 100644 +--- a/drivers/iio/potentiostat/lmp91000.c ++++ b/drivers/iio/potentiostat/lmp91000.c +@@ -71,8 +71,8 @@ struct lmp91000_data { + + struct completion completion; + u8 chan_select; +- +- u32 buffer[4]; /* 64-bit data + 64-bit timestamp */ ++ /* 64-bit data + 64-bit naturally aligned timestamp */ ++ u32 buffer[4] __aligned(8); + }; + + static const struct iio_chan_spec lmp91000_channels[] = { +-- +2.30.2 + diff --git a/queue-4.19/iio-prox-as3935-fix-buffer-alignment-in-iio_push_to_.patch b/queue-4.19/iio-prox-as3935-fix-buffer-alignment-in-iio_push_to_.patch new file mode 100644 index 00000000000..f61d7f79b92 --- /dev/null +++ b/queue-4.19/iio-prox-as3935-fix-buffer-alignment-in-iio_push_to_.patch @@ -0,0 +1,58 @@ +From f90c5e4ad04340b784a52307831b9039c4f2f606 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 May 2021 18:01:16 +0100 +Subject: iio: prox: as3935: Fix buffer alignment in + iio_push_to_buffers_with_timestamp() + +From: Jonathan Cameron + +[ Upstream commit 37eb8d8c64f2ecb3a5521ba1cc1fad973adfae41 ] + +To make code more readable, use a structure to express the channel +layout and ensure the timestamp is 8 byte aligned. + +Found during an audit of all calls of uses of +iio_push_to_buffers_with_timestamp() + +Fixes: 37b1ba2c68cf ("iio: proximity: as3935: fix buffer stack trashing") +Signed-off-by: Jonathan Cameron +Cc: Matt Ranostay +Acked-by: Matt Ranostay +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20210501170121.512209-15-jic23@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/iio/proximity/as3935.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/iio/proximity/as3935.c b/drivers/iio/proximity/as3935.c +index f130388a16a0..9069eec46093 100644 +--- a/drivers/iio/proximity/as3935.c ++++ b/drivers/iio/proximity/as3935.c +@@ -61,7 +61,11 @@ struct as3935_state { + unsigned long noise_tripped; + u32 tune_cap; + u32 nflwdth_reg; +- u8 buffer[16]; /* 8-bit data + 56-bit padding + 64-bit timestamp */ ++ /* Ensure timestamp is naturally aligned */ ++ struct { ++ u8 chan; ++ s64 timestamp __aligned(8); ++ } scan; + u8 buf[2] ____cacheline_aligned; + }; + +@@ -227,8 +231,8 @@ static irqreturn_t as3935_trigger_handler(int irq, void *private) + if (ret) + goto err_read; + +- st->buffer[0] = val & AS3935_DATA_MASK; +- iio_push_to_buffers_with_timestamp(indio_dev, &st->buffer, ++ st->scan.chan = val & AS3935_DATA_MASK; ++ iio_push_to_buffers_with_timestamp(indio_dev, &st->scan, + iio_get_time_ns(indio_dev)); + err_read: + iio_trigger_notify_done(indio_dev->trig); +-- +2.30.2 + diff --git a/queue-4.19/iio-prox-isl29501-fix-buffer-alignment-in-iio_push_t.patch b/queue-4.19/iio-prox-isl29501-fix-buffer-alignment-in-iio_push_t.patch new file mode 100644 index 00000000000..27430f04cfc --- /dev/null +++ b/queue-4.19/iio-prox-isl29501-fix-buffer-alignment-in-iio_push_t.patch @@ -0,0 +1,47 @@ +From df447032c1a6dd04788b5960a67780cef50a4927 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 13 Jun 2021 16:23:01 +0100 +Subject: iio: prox: isl29501: Fix buffer alignment in + iio_push_to_buffers_with_timestamp() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jonathan Cameron + +[ Upstream commit 92babc9938ebbf4050f2fba774836f7edc16a570 ] + +Add __aligned(8) to ensure the buffer passed to +iio_push_to_buffers_with_timestamp() is suitable for the naturally +aligned timestamp that will be inserted. + +Here an explicit structure is not used, because the holes would +necessitate the addition of an explict memset(), to avoid a kernel +data leak, making for a less minimal fix. + +Fixes: 1c28799257bc ("iio: light: isl29501: Add support for the ISL29501 ToF sensor.") +Signed-off-by: Jonathan Cameron +Cc: Mathieu Othacehe +Reviewed-by: Nuno Sá +Link: https://lore.kernel.org/r/20210613152301.571002-9-jic23@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/iio/proximity/isl29501.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iio/proximity/isl29501.c b/drivers/iio/proximity/isl29501.c +index e5e94540f404..a99d26023ef7 100644 +--- a/drivers/iio/proximity/isl29501.c ++++ b/drivers/iio/proximity/isl29501.c +@@ -946,7 +946,7 @@ static irqreturn_t isl29501_trigger_handler(int irq, void *p) + struct iio_dev *indio_dev = pf->indio_dev; + struct isl29501_private *isl29501 = iio_priv(indio_dev); + const unsigned long *active_mask = indio_dev->active_scan_mask; +- u32 buffer[4] = {}; /* 1x16-bit + ts */ ++ u32 buffer[4] __aligned(8) = {}; /* 1x16-bit + naturally aligned ts */ + + if (test_bit(ISL29501_DISTANCE_SCAN_INDEX, active_mask)) + isl29501_register_read(isl29501, REG_DISTANCE, buffer); +-- +2.30.2 + diff --git a/queue-4.19/iio-prox-pulsed-light-fix-buffer-alignment-in-iio_pu.patch b/queue-4.19/iio-prox-pulsed-light-fix-buffer-alignment-in-iio_pu.patch new file mode 100644 index 00000000000..6c64d6071a2 --- /dev/null +++ b/queue-4.19/iio-prox-pulsed-light-fix-buffer-alignment-in-iio_pu.patch @@ -0,0 +1,59 @@ +From df332043f81df55dbbfa1ada7b857f8ae98262f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 May 2021 18:01:15 +0100 +Subject: iio: prox: pulsed-light: Fix buffer alignment in + iio_push_to_buffers_with_timestamp() + +From: Jonathan Cameron + +[ Upstream commit 679cc377a03ff1944491eafc7355c1eb1fad4109 ] + +To make code more readable, use a structure to express the channel +layout and ensure the timestamp is 8 byte aligned. + +Found during an audit of all calls of uses of +iio_push_to_buffers_with_timestamp() + +Fixes: cb119d535083 ("iio: proximity: add support for PulsedLight LIDAR") +Signed-off-by: Jonathan Cameron +Cc: Matt Ranostay +Acked-by: Matt Ranostay +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20210501170121.512209-14-jic23@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/iio/proximity/pulsedlight-lidar-lite-v2.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/iio/proximity/pulsedlight-lidar-lite-v2.c b/drivers/iio/proximity/pulsedlight-lidar-lite-v2.c +index 67f85268b63d..0c7617022407 100644 +--- a/drivers/iio/proximity/pulsedlight-lidar-lite-v2.c ++++ b/drivers/iio/proximity/pulsedlight-lidar-lite-v2.c +@@ -43,7 +43,11 @@ struct lidar_data { + int (*xfer)(struct lidar_data *data, u8 reg, u8 *val, int len); + int i2c_enabled; + +- u16 buffer[8]; /* 2 byte distance + 8 byte timestamp */ ++ /* Ensure timestamp is naturally aligned */ ++ struct { ++ u16 chan; ++ s64 timestamp __aligned(8); ++ } scan; + }; + + static const struct iio_chan_spec lidar_channels[] = { +@@ -228,9 +232,9 @@ static irqreturn_t lidar_trigger_handler(int irq, void *private) + struct lidar_data *data = iio_priv(indio_dev); + int ret; + +- ret = lidar_get_measurement(data, data->buffer); ++ ret = lidar_get_measurement(data, &data->scan.chan); + if (!ret) { +- iio_push_to_buffers_with_timestamp(indio_dev, data->buffer, ++ iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, + iio_get_time_ns(indio_dev)); + } else if (ret != -EINVAL) { + dev_err(&data->client->dev, "cannot read LIDAR measurement"); +-- +2.30.2 + diff --git a/queue-4.19/iio-prox-srf08-fix-buffer-alignment-in-iio_push_to_b.patch b/queue-4.19/iio-prox-srf08-fix-buffer-alignment-in-iio_push_to_b.patch new file mode 100644 index 00000000000..b318f6aac21 --- /dev/null +++ b/queue-4.19/iio-prox-srf08-fix-buffer-alignment-in-iio_push_to_b.patch @@ -0,0 +1,62 @@ +From 118bdcd0ce2a25f2de3dfb90bed9a46bdfa16e62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 May 2021 18:01:14 +0100 +Subject: iio: prox: srf08: Fix buffer alignment in + iio_push_to_buffers_with_timestamp() + +From: Jonathan Cameron + +[ Upstream commit 19f1a254fe4949fff1e67db386409f48cf438bd7 ] + +To make code more readable, use a structure to express the channel +layout and ensure the timestamp is 8 byte aligned. + +Found during an audit of all calls of uses of +iio_push_to_buffers_with_timestamp() + +Fixes: 78f839029e1d ("iio: distance: srf08: add IIO driver for us ranger") +Signed-off-by: Jonathan Cameron +Cc: Andreas Klinger +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20210501170121.512209-13-jic23@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/iio/proximity/srf08.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/iio/proximity/srf08.c b/drivers/iio/proximity/srf08.c +index f2bf783f829a..5e8d3707738b 100644 +--- a/drivers/iio/proximity/srf08.c ++++ b/drivers/iio/proximity/srf08.c +@@ -66,11 +66,11 @@ struct srf08_data { + int range_mm; + struct mutex lock; + +- /* +- * triggered buffer +- * 1x16-bit channel + 3x16 padding + 4x16 timestamp +- */ +- s16 buffer[8]; ++ /* Ensure timestamp is naturally aligned */ ++ struct { ++ s16 chan; ++ s64 timestamp __aligned(8); ++ } scan; + + /* Sensor-Type */ + enum srf08_sensor_type sensor_type; +@@ -193,9 +193,9 @@ static irqreturn_t srf08_trigger_handler(int irq, void *p) + + mutex_lock(&data->lock); + +- data->buffer[0] = sensor_data; ++ data->scan.chan = sensor_data; + iio_push_to_buffers_with_timestamp(indio_dev, +- data->buffer, pf->timestamp); ++ &data->scan, pf->timestamp); + + mutex_unlock(&data->lock); + err: +-- +2.30.2 + diff --git a/queue-4.19/input-hil_kbd-fix-error-return-code-in-hil_dev_conne.patch b/queue-4.19/input-hil_kbd-fix-error-return-code-in-hil_dev_conne.patch new file mode 100644 index 00000000000..9452ee5302d --- /dev/null +++ b/queue-4.19/input-hil_kbd-fix-error-return-code-in-hil_dev_conne.patch @@ -0,0 +1,37 @@ +From d751403e65155ce24609edd32484fec5e625c884 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 May 2021 11:52:42 -0700 +Subject: Input: hil_kbd - fix error return code in hil_dev_connect() + +From: Zhen Lei + +[ Upstream commit d9b576917a1d0efa293801a264150a1b37691617 ] + +Return error code -EINVAL rather than '0' when the combo devices are not +supported. + +Fixes: fa71c605c2bb ("Input: combine hil_kbd and hil_ptr drivers") +Reported-by: Hulk Robot +Signed-off-by: Zhen Lei +Link: https://lore.kernel.org/r/20210515030053.6824-1-thunder.leizhen@huawei.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/keyboard/hil_kbd.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/input/keyboard/hil_kbd.c b/drivers/input/keyboard/hil_kbd.c +index bb29a7c9a1c0..54afb38601b9 100644 +--- a/drivers/input/keyboard/hil_kbd.c ++++ b/drivers/input/keyboard/hil_kbd.c +@@ -512,6 +512,7 @@ static int hil_dev_connect(struct serio *serio, struct serio_driver *drv) + HIL_IDD_NUM_AXES_PER_SET(*idd)) { + printk(KERN_INFO PREFIX + "combo devices are not supported.\n"); ++ error = -EINVAL; + goto bail1; + } + +-- +2.30.2 + diff --git a/queue-4.19/ipv6-exthdrs-do-not-blindly-use-init_net.patch b/queue-4.19/ipv6-exthdrs-do-not-blindly-use-init_net.patch new file mode 100644 index 00000000000..2ff1c0bf67c --- /dev/null +++ b/queue-4.19/ipv6-exthdrs-do-not-blindly-use-init_net.patch @@ -0,0 +1,61 @@ +From 66a674ec0e32782c638bc3a111c153a3f6f74940 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Jun 2021 08:27:00 -0700 +Subject: ipv6: exthdrs: do not blindly use init_net + +From: Eric Dumazet + +[ Upstream commit bcc3f2a829b9edbe3da5fb117ee5a63686d31834 ] + +I see no reason why max_dst_opts_cnt and max_hbh_opts_cnt +are fetched from the initial net namespace. + +The other sysctls (max_dst_opts_len & max_hbh_opts_len) +are in fact already using the current ns. + +Note: it is not clear why ipv6_destopt_rcv() use two ways to +get to the netns : + + 1) dev_net(dst->dev) + Originally used to increment IPSTATS_MIB_INHDRERRORS + + 2) dev_net(skb->dev) + Tom used this variant in his patch. + +Maybe this calls to use ipv6_skb_net() instead ? + +Fixes: 47d3d7ac656a ("ipv6: Implement limits on Hop-by-Hop and Destination options") +Signed-off-by: Eric Dumazet +Cc: Tom Herbert +Cc: Coco Li +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/exthdrs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c +index 20291c2036fc..68b8084da83a 100644 +--- a/net/ipv6/exthdrs.c ++++ b/net/ipv6/exthdrs.c +@@ -309,7 +309,7 @@ fail_and_free: + #endif + + if (ip6_parse_tlv(tlvprocdestopt_lst, skb, +- init_net.ipv6.sysctl.max_dst_opts_cnt)) { ++ net->ipv6.sysctl.max_dst_opts_cnt)) { + skb->transport_header += extlen; + opt = IP6CB(skb); + #if IS_ENABLED(CONFIG_IPV6_MIP6) +@@ -848,7 +848,7 @@ fail_and_free: + + opt->flags |= IP6SKB_HOPBYHOP; + if (ip6_parse_tlv(tlvprochopopt_lst, skb, +- init_net.ipv6.sysctl.max_hbh_opts_cnt)) { ++ net->ipv6.sysctl.max_hbh_opts_cnt)) { + skb->transport_header += extlen; + opt = IP6CB(skb); + opt->nhoff = sizeof(struct ipv6hdr); +-- +2.30.2 + diff --git a/queue-4.19/ipv6-fix-out-of-bound-access-in-ip6_parse_tlv.patch b/queue-4.19/ipv6-fix-out-of-bound-access-in-ip6_parse_tlv.patch new file mode 100644 index 00000000000..6b0b25286c3 --- /dev/null +++ b/queue-4.19/ipv6-fix-out-of-bound-access-in-ip6_parse_tlv.patch @@ -0,0 +1,89 @@ +From 6441443d1fe2ce1f2a815fadc51b78a7d00a0dc8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Jun 2021 03:07:20 -0700 +Subject: ipv6: fix out-of-bound access in ip6_parse_tlv() + +From: Eric Dumazet + +[ Upstream commit 624085a31c1ad6a80b1e53f686bf6ee92abbf6e8 ] + +First problem is that optlen is fetched without checking +there is more than one byte to parse. + +Fix this by taking care of IPV6_TLV_PAD1 before +fetching optlen (under appropriate sanity checks against len) + +Second problem is that IPV6_TLV_PADN checks of zero +padding are performed before the check of remaining length. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Fixes: c1412fce7ecc ("net/ipv6/exthdrs.c: Strict PadN option checking") +Signed-off-by: Eric Dumazet +Cc: Paolo Abeni +Cc: Tom Herbert +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/exthdrs.c | 27 +++++++++++++-------------- + 1 file changed, 13 insertions(+), 14 deletions(-) + +diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c +index 68b8084da83a..fe2497ae4523 100644 +--- a/net/ipv6/exthdrs.c ++++ b/net/ipv6/exthdrs.c +@@ -138,18 +138,23 @@ static bool ip6_parse_tlv(const struct tlvtype_proc *procs, + len -= 2; + + while (len > 0) { +- int optlen = nh[off + 1] + 2; +- int i; ++ int optlen, i; + +- switch (nh[off]) { +- case IPV6_TLV_PAD1: +- optlen = 1; ++ if (nh[off] == IPV6_TLV_PAD1) { + padlen++; + if (padlen > 7) + goto bad; +- break; ++ off++; ++ len--; ++ continue; ++ } ++ if (len < 2) ++ goto bad; ++ optlen = nh[off + 1] + 2; ++ if (optlen > len) ++ goto bad; + +- case IPV6_TLV_PADN: ++ if (nh[off] == IPV6_TLV_PADN) { + /* RFC 2460 states that the purpose of PadN is + * to align the containing header to multiples + * of 8. 7 is therefore the highest valid value. +@@ -166,12 +171,7 @@ static bool ip6_parse_tlv(const struct tlvtype_proc *procs, + if (nh[off + i] != 0) + goto bad; + } +- break; +- +- default: /* Other TLV code so scan list */ +- if (optlen > len) +- goto bad; +- ++ } else { + tlv_count++; + if (tlv_count > max_count) + goto bad; +@@ -191,7 +191,6 @@ static bool ip6_parse_tlv(const struct tlvtype_proc *procs, + return false; + + padlen = 0; +- break; + } + off += optlen; + len -= optlen; +-- +2.30.2 + diff --git a/queue-4.19/leds-as3645a-fix-error-return-code-in-as3645a_parse_.patch b/queue-4.19/leds-as3645a-fix-error-return-code-in-as3645a_parse_.patch new file mode 100644 index 00000000000..e441f2fea49 --- /dev/null +++ b/queue-4.19/leds-as3645a-fix-error-return-code-in-as3645a_parse_.patch @@ -0,0 +1,37 @@ +From e111a3a891b84d7ebe68fe7fb13c6c2a8deec552 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 May 2021 11:06:46 +0800 +Subject: leds: as3645a: Fix error return code in as3645a_parse_node() + +From: Zhen Lei + +[ Upstream commit 96a30960a2c5246c8ffebe8a3c9031f9df094d97 ] + +Return error code -ENODEV rather than '0' when the indicator node can not +be found. + +Fixes: a56ba8fbcb55 ("media: leds: as3645a: Add LED flash class driver") +Reported-by: Hulk Robot +Acked-by: Sakari Ailus +Signed-off-by: Zhen Lei +Signed-off-by: Pavel Machek +Signed-off-by: Sasha Levin +--- + drivers/leds/leds-as3645a.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/leds/leds-as3645a.c b/drivers/leds/leds-as3645a.c +index f883616d9e60..821944379f2c 100644 +--- a/drivers/leds/leds-as3645a.c ++++ b/drivers/leds/leds-as3645a.c +@@ -565,6 +565,7 @@ static int as3645a_parse_node(struct as3645a *flash, + if (!flash->indicator_node) { + dev_warn(&flash->client->dev, + "can't find indicator node\n"); ++ rval = -ENODEV; + goto out_err; + } + +-- +2.30.2 + diff --git a/queue-4.19/leds-ktd2692-fix-an-error-handling-path.patch b/queue-4.19/leds-ktd2692-fix-an-error-handling-path.patch new file mode 100644 index 00000000000..f5e858d3c36 --- /dev/null +++ b/queue-4.19/leds-ktd2692-fix-an-error-handling-path.patch @@ -0,0 +1,85 @@ +From f1458a7960c3c548b11916276b6dc9cdb198bfc0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 May 2021 13:21:01 +0200 +Subject: leds: ktd2692: Fix an error handling path + +From: Christophe JAILLET + +[ Upstream commit ee78b9360e14c276f5ceaa4a0d06f790f04ccdad ] + +In 'ktd2692_parse_dt()', if an error occurs after a successful +'regulator_enable()' call, we should call 'regulator_enable()'. + +This is the same in 'ktd2692_probe()', if an error occurs after a +successful 'ktd2692_parse_dt()' call. + +Instead of adding 'regulator_enable()' in several places, implement a +resource managed solution and simplify the remove function accordingly. + +Fixes: b7da8c5c725c ("leds: Add ktd2692 flash LED driver") +Signed-off-by: Christophe JAILLET +Signed-off-by: Pavel Machek +Signed-off-by: Sasha Levin +--- + drivers/leds/leds-ktd2692.c | 27 ++++++++++++++++++--------- + 1 file changed, 18 insertions(+), 9 deletions(-) + +diff --git a/drivers/leds/leds-ktd2692.c b/drivers/leds/leds-ktd2692.c +index 45296aaca9da..02738b5b1dbf 100644 +--- a/drivers/leds/leds-ktd2692.c ++++ b/drivers/leds/leds-ktd2692.c +@@ -259,6 +259,17 @@ static void ktd2692_setup(struct ktd2692_context *led) + | KTD2692_REG_FLASH_CURRENT_BASE); + } + ++static void regulator_disable_action(void *_data) ++{ ++ struct device *dev = _data; ++ struct ktd2692_context *led = dev_get_drvdata(dev); ++ int ret; ++ ++ ret = regulator_disable(led->regulator); ++ if (ret) ++ dev_err(dev, "Failed to disable supply: %d\n", ret); ++} ++ + static int ktd2692_parse_dt(struct ktd2692_context *led, struct device *dev, + struct ktd2692_led_config_data *cfg) + { +@@ -289,8 +300,14 @@ static int ktd2692_parse_dt(struct ktd2692_context *led, struct device *dev, + + if (led->regulator) { + ret = regulator_enable(led->regulator); +- if (ret) ++ if (ret) { + dev_err(dev, "Failed to enable supply: %d\n", ret); ++ } else { ++ ret = devm_add_action_or_reset(dev, ++ regulator_disable_action, dev); ++ if (ret) ++ return ret; ++ } + } + + child_node = of_get_next_available_child(np, NULL); +@@ -380,17 +397,9 @@ static int ktd2692_probe(struct platform_device *pdev) + static int ktd2692_remove(struct platform_device *pdev) + { + struct ktd2692_context *led = platform_get_drvdata(pdev); +- int ret; + + led_classdev_flash_unregister(&led->fled_cdev); + +- if (led->regulator) { +- ret = regulator_disable(led->regulator); +- if (ret) +- dev_err(&pdev->dev, +- "Failed to disable supply: %d\n", ret); +- } +- + mutex_destroy(&led->lock); + + return 0; +-- +2.30.2 + diff --git a/queue-4.19/lib-vsprintf-fix-handling-of-number-field-widths-in-.patch b/queue-4.19/lib-vsprintf-fix-handling-of-number-field-widths-in-.patch new file mode 100644 index 00000000000..782b0bef481 --- /dev/null +++ b/queue-4.19/lib-vsprintf-fix-handling-of-number-field-widths-in-.patch @@ -0,0 +1,233 @@ +From 58beb485f6cef3ef3a6bad21ae977b1a3e1fc8f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 May 2021 17:12:04 +0100 +Subject: lib: vsprintf: Fix handling of number field widths in vsscanf + +From: Richard Fitzgerald + +[ Upstream commit 900fdc4573766dd43b847b4f54bd4a1ee2bc7360 ] + +The existing code attempted to handle numbers by doing a strto[u]l(), +ignoring the field width, and then repeatedly dividing to extract the +field out of the full converted value. If the string contains a run of +valid digits longer than will fit in a long or long long, this would +overflow and no amount of dividing can recover the correct value. + +This patch fixes vsscanf() to obey number field widths when parsing +the number. + +A new _parse_integer_limit() is added that takes a limit for the number +of characters to parse. The number field conversion in vsscanf is changed +to use this new function. + +If a number starts with a radix prefix, the field width must be long +enough for at last one digit after the prefix. If not, it will be handled +like this: + + sscanf("0x4", "%1i", &i): i=0, scanning continues with the 'x' + sscanf("0x4", "%2i", &i): i=0, scanning continues with the '4' + +This is consistent with the observed behaviour of userland sscanf. + +Note that this patch does NOT fix the problem of a single field value +overflowing the target type. So for example: + + sscanf("123456789abcdef", "%x", &i); + +Will not produce the correct result because the value obviously overflows +INT_MAX. But sscanf will report a successful conversion. + +Note that where a very large number is used to mean "unlimited", the value +INT_MAX is used for consistency with the behaviour of vsnprintf(). + +Signed-off-by: Richard Fitzgerald +Reviewed-by: Petr Mladek +Signed-off-by: Petr Mladek +Link: https://lore.kernel.org/r/20210514161206.30821-2-rf@opensource.cirrus.com +Signed-off-by: Sasha Levin +--- + lib/kstrtox.c | 13 ++++++-- + lib/kstrtox.h | 2 ++ + lib/vsprintf.c | 82 +++++++++++++++++++++++++++++--------------------- + 3 files changed, 60 insertions(+), 37 deletions(-) + +diff --git a/lib/kstrtox.c b/lib/kstrtox.c +index 661a1e807bd1..1a02b87b19c7 100644 +--- a/lib/kstrtox.c ++++ b/lib/kstrtox.c +@@ -39,20 +39,22 @@ const char *_parse_integer_fixup_radix(const char *s, unsigned int *base) + + /* + * Convert non-negative integer string representation in explicitly given radix +- * to an integer. ++ * to an integer. A maximum of max_chars characters will be converted. ++ * + * Return number of characters consumed maybe or-ed with overflow bit. + * If overflow occurs, result integer (incorrect) is still returned. + * + * Don't you dare use this function. + */ +-unsigned int _parse_integer(const char *s, unsigned int base, unsigned long long *p) ++unsigned int _parse_integer_limit(const char *s, unsigned int base, unsigned long long *p, ++ size_t max_chars) + { + unsigned long long res; + unsigned int rv; + + res = 0; + rv = 0; +- while (1) { ++ while (max_chars--) { + unsigned int c = *s; + unsigned int lc = c | 0x20; /* don't tolower() this line */ + unsigned int val; +@@ -82,6 +84,11 @@ unsigned int _parse_integer(const char *s, unsigned int base, unsigned long long + return rv; + } + ++unsigned int _parse_integer(const char *s, unsigned int base, unsigned long long *p) ++{ ++ return _parse_integer_limit(s, base, p, INT_MAX); ++} ++ + static int _kstrtoull(const char *s, unsigned int base, unsigned long long *res) + { + unsigned long long _res; +diff --git a/lib/kstrtox.h b/lib/kstrtox.h +index 3b4637bcd254..158c400ca865 100644 +--- a/lib/kstrtox.h ++++ b/lib/kstrtox.h +@@ -4,6 +4,8 @@ + + #define KSTRTOX_OVERFLOW (1U << 31) + const char *_parse_integer_fixup_radix(const char *s, unsigned int *base); ++unsigned int _parse_integer_limit(const char *s, unsigned int base, unsigned long long *res, ++ size_t max_chars); + unsigned int _parse_integer(const char *s, unsigned int base, unsigned long long *res); + + #endif +diff --git a/lib/vsprintf.c b/lib/vsprintf.c +index 812e59e13fe6..c2619510636e 100644 +--- a/lib/vsprintf.c ++++ b/lib/vsprintf.c +@@ -47,6 +47,31 @@ + #include + #include "kstrtox.h" + ++static unsigned long long simple_strntoull(const char *startp, size_t max_chars, ++ char **endp, unsigned int base) ++{ ++ const char *cp; ++ unsigned long long result = 0ULL; ++ size_t prefix_chars; ++ unsigned int rv; ++ ++ cp = _parse_integer_fixup_radix(startp, &base); ++ prefix_chars = cp - startp; ++ if (prefix_chars < max_chars) { ++ rv = _parse_integer_limit(cp, base, &result, max_chars - prefix_chars); ++ /* FIXME */ ++ cp += (rv & ~KSTRTOX_OVERFLOW); ++ } else { ++ /* Field too short for prefix + digit, skip over without converting */ ++ cp = startp + max_chars; ++ } ++ ++ if (endp) ++ *endp = (char *)cp; ++ ++ return result; ++} ++ + /** + * simple_strtoull - convert a string to an unsigned long long + * @cp: The start of the string +@@ -57,18 +82,7 @@ + */ + unsigned long long simple_strtoull(const char *cp, char **endp, unsigned int base) + { +- unsigned long long result; +- unsigned int rv; +- +- cp = _parse_integer_fixup_radix(cp, &base); +- rv = _parse_integer(cp, base, &result); +- /* FIXME */ +- cp += (rv & ~KSTRTOX_OVERFLOW); +- +- if (endp) +- *endp = (char *)cp; +- +- return result; ++ return simple_strntoull(cp, INT_MAX, endp, base); + } + EXPORT_SYMBOL(simple_strtoull); + +@@ -103,6 +117,21 @@ long simple_strtol(const char *cp, char **endp, unsigned int base) + } + EXPORT_SYMBOL(simple_strtol); + ++static long long simple_strntoll(const char *cp, size_t max_chars, char **endp, ++ unsigned int base) ++{ ++ /* ++ * simple_strntoull() safely handles receiving max_chars==0 in the ++ * case cp[0] == '-' && max_chars == 1. ++ * If max_chars == 0 we can drop through and pass it to simple_strntoull() ++ * and the content of *cp is irrelevant. ++ */ ++ if (*cp == '-' && max_chars > 0) ++ return -simple_strntoull(cp + 1, max_chars - 1, endp, base); ++ ++ return simple_strntoull(cp, max_chars, endp, base); ++} ++ + /** + * simple_strtoll - convert a string to a signed long long + * @cp: The start of the string +@@ -113,10 +142,7 @@ EXPORT_SYMBOL(simple_strtol); + */ + long long simple_strtoll(const char *cp, char **endp, unsigned int base) + { +- if (*cp == '-') +- return -simple_strtoull(cp + 1, endp, base); +- +- return simple_strtoull(cp, endp, base); ++ return simple_strntoll(cp, INT_MAX, endp, base); + } + EXPORT_SYMBOL(simple_strtoll); + +@@ -3117,25 +3143,13 @@ int vsscanf(const char *buf, const char *fmt, va_list args) + break; + + if (is_sign) +- val.s = qualifier != 'L' ? +- simple_strtol(str, &next, base) : +- simple_strtoll(str, &next, base); ++ val.s = simple_strntoll(str, ++ field_width >= 0 ? field_width : INT_MAX, ++ &next, base); + else +- val.u = qualifier != 'L' ? +- simple_strtoul(str, &next, base) : +- simple_strtoull(str, &next, base); +- +- if (field_width > 0 && next - str > field_width) { +- if (base == 0) +- _parse_integer_fixup_radix(str, &base); +- while (next - str > field_width) { +- if (is_sign) +- val.s = div_s64(val.s, base); +- else +- val.u = div_u64(val.u, base); +- --next; +- } +- } ++ val.u = simple_strntoull(str, ++ field_width >= 0 ? field_width : INT_MAX, ++ &next, base); + + switch (qualifier) { + case 'H': /* that's 'hh' in format */ +-- +2.30.2 + diff --git a/queue-4.19/mac80211-remove-iwlwifi-specific-workaround-ndps-of-.patch b/queue-4.19/mac80211-remove-iwlwifi-specific-workaround-ndps-of-.patch new file mode 100644 index 00000000000..83d75f5c171 --- /dev/null +++ b/queue-4.19/mac80211-remove-iwlwifi-specific-workaround-ndps-of-.patch @@ -0,0 +1,41 @@ +From a07d90ab6c63804dfe2e51eddf58e9ee5911217b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Jun 2021 21:48:25 +0800 +Subject: mac80211: remove iwlwifi specific workaround NDPs of null_response + +From: Ping-Ke Shih + +[ Upstream commit 744757e46bf13ec3a7b3507d17ab3faab9516d43 ] + +Remove the remaining workaround that is not removed by the +commit e41eb3e408de ("mac80211: remove iwlwifi specific workaround +that broke sta NDP tx") + +Fixes: 41cbb0f5a295 ("mac80211: add support for HE") +Signed-off-by: Ping-Ke Shih +Link: https://lore.kernel.org/r/20210623134826.10318-1-pkshih@realtek.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/sta_info.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c +index 71c6a462277f..3a907ba7f763 100644 +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -1344,11 +1344,6 @@ static void ieee80211_send_null_response(struct sta_info *sta, int tid, + struct ieee80211_tx_info *info; + struct ieee80211_chanctx_conf *chanctx_conf; + +- /* Don't send NDPs when STA is connected HE */ +- if (sdata->vif.type == NL80211_IFTYPE_STATION && +- !(sdata->u.mgd.flags & IEEE80211_STA_DISABLE_HE)) +- return; +- + if (qos) { + fc = cpu_to_le16(IEEE80211_FTYPE_DATA | + IEEE80211_STYPE_QOS_NULLFUNC | +-- +2.30.2 + diff --git a/queue-4.19/media-bt8xx-fix-a-missing-check-bug-in-bt878_probe.patch b/queue-4.19/media-bt8xx-fix-a-missing-check-bug-in-bt878_probe.patch new file mode 100644 index 00000000000..e4b9f5d4d71 --- /dev/null +++ b/queue-4.19/media-bt8xx-fix-a-missing-check-bug-in-bt878_probe.patch @@ -0,0 +1,122 @@ +From e28ae81e2d81a6eb6e6ef52698075078c054d01e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 May 2021 17:18:36 +0200 +Subject: media: bt8xx: Fix a missing check bug in bt878_probe + +From: Zheyu Ma + +[ Upstream commit 1a4520090681853e6b850cbe54b27247a013e0e5 ] + +In 'bt878_irq', the driver calls 'tasklet_schedule', but this tasklet is +set in 'dvb_bt8xx_load_card' of another driver 'dvb-bt8xx'. +However, this two drivers are separate. The user may not load the +'dvb-bt8xx' driver when loading the 'bt8xx' driver, that is, the tasklet +has not been initialized when 'tasklet_schedule' is called, so it is +necessary to check whether the tasklet is initialized in 'bt878_probe'. + +Fix this by adding a check at the end of bt878_probe. + +The KASAN's report reveals it: + +BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 +PGD 800000006aab2067 P4D 800000006aab2067 PUD 6b2ea067 PMD 0 +Oops: 0010 [#1] PREEMPT SMP KASAN PTI +CPU: 2 PID: 8724 Comm: syz-executor.0 Not tainted 4.19.177- +gdba4159c14ef-dirty #40 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59- +gc9ba5276e321-prebuilt.qemu.org 04/01/2014 +RIP: 0010: (null) +Code: Bad RIP value. +RSP: 0018:ffff88806c287ea0 EFLAGS: 00010246 +RAX: fffffbfff1b01774 RBX: dffffc0000000000 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: 1ffffffff1b01775 RDI: 0000000000000000 +RBP: ffff88806c287f00 R08: fffffbfff1b01774 R09: fffffbfff1b01774 +R10: 0000000000000001 R11: fffffbfff1b01773 R12: 0000000000000000 +R13: ffff88806c29f530 R14: ffffffff8d80bb88 R15: ffffffff8d80bb90 +FS: 00007f6b550e6700(0000) GS:ffff88806c280000(0000) knlGS: +0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffffffffffffffd6 CR3: 000000005ec98000 CR4: 00000000000006e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + tasklet_action_common.isra.17+0x141/0x420 kernel/softirq.c:522 + tasklet_action+0x50/0x70 kernel/softirq.c:540 + __do_softirq+0x224/0x92c kernel/softirq.c:292 + invoke_softirq kernel/softirq.c:372 [inline] + irq_exit+0x15a/0x180 kernel/softirq.c:412 + exiting_irq arch/x86/include/asm/apic.h:535 [inline] + do_IRQ+0x123/0x1e0 arch/x86/kernel/irq.c:260 + common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:670 + +RIP: 0010:__do_sys_interrupt kernel/sys.c:2593 [inline] +RIP: 0010:__se_sys_interrupt kernel/sys.c:2584 [inline] +RIP: 0010:__x64_sys_interrupt+0x5b/0x80 kernel/sys.c:2584 +Code: ba 00 04 00 00 48 c7 c7 c0 99 31 8c e8 ae 76 5e 01 48 85 c0 75 21 e8 +14 ae 24 00 48 c7 c3 c0 99 31 8c b8 0c 00 00 00 0f 01 c1 <31> db e8 fe ad +24 00 48 89 d8 5b 5d c3 48 c7 c3 ea ff ff ff eb ec +RSP: 0018:ffff888054167f10 EFLAGS: 00000212 ORIG_RAX: ffffffffffffffde +RAX: 000000000000000c RBX: ffffffff8c3199c0 RCX: ffffc90001ca6000 +RDX: 000000000000001a RSI: ffffffff813478fc RDI: ffffffff8c319dc0 +RBP: ffff888054167f18 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000080 R11: fffffbfff18633b7 R12: ffff888054167f58 +R13: ffff88805f638000 R14: 0000000000000000 R15: 0000000000000000 + do_syscall_64+0xb0/0x4e0 arch/x86/entry/common.c:293 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x4692a9 +Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 +48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff +ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f6b550e5c48 EFLAGS: 00000246 ORIG_RAX: 000000000000014f +RAX: ffffffffffffffda RBX: 000000000077bf60 RCX: 00000000004692a9 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000140 +RBP: 00000000004cf7eb R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 000000000077bf60 +R13: 0000000000000000 R14: 000000000077bf60 R15: 00007fff55a1dca0 +Modules linked in: +Dumping ftrace buffer: + (ftrace buffer empty) +CR2: 0000000000000000 +---[ end trace 68e5849c3f77cbb6 ]--- +RIP: 0010: (null) +Code: Bad RIP value. +RSP: 0018:ffff88806c287ea0 EFLAGS: 00010246 +RAX: fffffbfff1b01774 RBX: dffffc0000000000 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: 1ffffffff1b01775 RDI: 0000000000000000 +RBP: ffff88806c287f00 R08: fffffbfff1b01774 R09: fffffbfff1b01774 +R10: 0000000000000001 R11: fffffbfff1b01773 R12: 0000000000000000 +R13: ffff88806c29f530 R14: ffffffff8d80bb88 R15: ffffffff8d80bb90 +FS: 00007f6b550e6700(0000) GS:ffff88806c280000(0000) knlGS: +0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffffffffffffffd6 CR3: 000000005ec98000 CR4: 00000000000006e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + +Reported-by: Zheyu Ma +Signed-off-by: Zheyu Ma +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/bt8xx/bt878.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/media/pci/bt8xx/bt878.c b/drivers/media/pci/bt8xx/bt878.c +index f5f87e03f94b..855f8dc2a4ee 100644 +--- a/drivers/media/pci/bt8xx/bt878.c ++++ b/drivers/media/pci/bt8xx/bt878.c +@@ -494,6 +494,9 @@ static int bt878_probe(struct pci_dev *dev, const struct pci_device_id *pci_id) + btwrite(0, BT878_AINT_MASK); + bt878_num++; + ++ if (!bt->tasklet.func) ++ tasklet_disable(&bt->tasklet); ++ + return 0; + + fail2: +-- +2.30.2 + diff --git a/queue-4.19/media-cobalt-fix-race-condition-in-setting-hpd.patch b/queue-4.19/media-cobalt-fix-race-condition-in-setting-hpd.patch new file mode 100644 index 00000000000..981ca5aaa44 --- /dev/null +++ b/queue-4.19/media-cobalt-fix-race-condition-in-setting-hpd.patch @@ -0,0 +1,70 @@ +From b6f5af453fd4db4dba4f998171b043d2a9cd7c6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Apr 2021 10:00:49 +0200 +Subject: media: cobalt: fix race condition in setting HPD + +From: Hans Verkuil + +[ Upstream commit 3d37ef41bed0854805ab9af22c422267510e1344 ] + +The cobalt_s_bit_sysctrl reads the old register value over PCI, +then changes a bit and sets writes the new value to the register. + +This is used among other things for setting the HPD output pin. + +But if the HPD is changed for multiple inputs at the same time, +then this causes a race condition where a stale value is read. + +Serialize this function with a mutex. + +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/cobalt/cobalt-driver.c | 1 + + drivers/media/pci/cobalt/cobalt-driver.h | 7 ++++++- + 2 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/pci/cobalt/cobalt-driver.c b/drivers/media/pci/cobalt/cobalt-driver.c +index 4885e833c052..f422558e6392 100644 +--- a/drivers/media/pci/cobalt/cobalt-driver.c ++++ b/drivers/media/pci/cobalt/cobalt-driver.c +@@ -675,6 +675,7 @@ static int cobalt_probe(struct pci_dev *pci_dev, + return -ENOMEM; + cobalt->pci_dev = pci_dev; + cobalt->instance = i; ++ mutex_init(&cobalt->pci_lock); + + retval = v4l2_device_register(&pci_dev->dev, &cobalt->v4l2_dev); + if (retval) { +diff --git a/drivers/media/pci/cobalt/cobalt-driver.h b/drivers/media/pci/cobalt/cobalt-driver.h +index 429bee4ef79c..883093e5adea 100644 +--- a/drivers/media/pci/cobalt/cobalt-driver.h ++++ b/drivers/media/pci/cobalt/cobalt-driver.h +@@ -250,6 +250,8 @@ struct cobalt { + int instance; + struct pci_dev *pci_dev; + struct v4l2_device v4l2_dev; ++ /* serialize PCI access in cobalt_s_bit_sysctrl() */ ++ struct mutex pci_lock; + + void __iomem *bar0, *bar1; + +@@ -319,10 +321,13 @@ static inline u32 cobalt_g_sysctrl(struct cobalt *cobalt) + static inline void cobalt_s_bit_sysctrl(struct cobalt *cobalt, + int bit, int val) + { +- u32 ctrl = cobalt_read_bar1(cobalt, COBALT_SYS_CTRL_BASE); ++ u32 ctrl; + ++ mutex_lock(&cobalt->pci_lock); ++ ctrl = cobalt_read_bar1(cobalt, COBALT_SYS_CTRL_BASE); + cobalt_write_bar1(cobalt, COBALT_SYS_CTRL_BASE, + (ctrl & ~(1UL << bit)) | (val << bit)); ++ mutex_unlock(&cobalt->pci_lock); + } + + static inline u32 cobalt_g_sysstat(struct cobalt *cobalt) +-- +2.30.2 + diff --git a/queue-4.19/media-cpia2-fix-memory-leak-in-cpia2_usb_probe.patch b/queue-4.19/media-cpia2-fix-memory-leak-in-cpia2_usb_probe.patch new file mode 100644 index 00000000000..659297abd2c --- /dev/null +++ b/queue-4.19/media-cpia2-fix-memory-leak-in-cpia2_usb_probe.patch @@ -0,0 +1,104 @@ +From ba67d97f67cbb838e34d99a2b0f5cae6894871ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Apr 2021 21:43:45 +0200 +Subject: media: cpia2: fix memory leak in cpia2_usb_probe + +From: Pavel Skripkin + +[ Upstream commit be8656e62e9e791837b606a027802b504a945c97 ] + +syzbot reported leak in cpia2 usb driver. The problem was +in invalid error handling. + +v4l2_device_register() is called in cpia2_init_camera_struct(), but +all error cases after cpia2_init_camera_struct() did not call the +v4l2_device_unregister() + +Reported-by: syzbot+d1e69c888f0d3866ead4@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/cpia2/cpia2.h | 1 + + drivers/media/usb/cpia2/cpia2_core.c | 12 ++++++++++++ + drivers/media/usb/cpia2/cpia2_usb.c | 13 +++++++------ + 3 files changed, 20 insertions(+), 6 deletions(-) + +diff --git a/drivers/media/usb/cpia2/cpia2.h b/drivers/media/usb/cpia2/cpia2.h +index ab238ac8bfc0..50c952250dc9 100644 +--- a/drivers/media/usb/cpia2/cpia2.h ++++ b/drivers/media/usb/cpia2/cpia2.h +@@ -438,6 +438,7 @@ int cpia2_send_command(struct camera_data *cam, struct cpia2_command *cmd); + int cpia2_do_command(struct camera_data *cam, + unsigned int command, + unsigned char direction, unsigned char param); ++void cpia2_deinit_camera_struct(struct camera_data *cam, struct usb_interface *intf); + struct camera_data *cpia2_init_camera_struct(struct usb_interface *intf); + int cpia2_init_camera(struct camera_data *cam); + int cpia2_allocate_buffers(struct camera_data *cam); +diff --git a/drivers/media/usb/cpia2/cpia2_core.c b/drivers/media/usb/cpia2/cpia2_core.c +index 3dfbb545c0e3..42cce7e94101 100644 +--- a/drivers/media/usb/cpia2/cpia2_core.c ++++ b/drivers/media/usb/cpia2/cpia2_core.c +@@ -2172,6 +2172,18 @@ static void reset_camera_struct(struct camera_data *cam) + cam->height = cam->params.roi.height; + } + ++/****************************************************************************** ++ * ++ * cpia2_init_camera_struct ++ * ++ * Deinitialize camera struct ++ *****************************************************************************/ ++void cpia2_deinit_camera_struct(struct camera_data *cam, struct usb_interface *intf) ++{ ++ v4l2_device_unregister(&cam->v4l2_dev); ++ kfree(cam); ++} ++ + /****************************************************************************** + * + * cpia2_init_camera_struct +diff --git a/drivers/media/usb/cpia2/cpia2_usb.c b/drivers/media/usb/cpia2/cpia2_usb.c +index 4c191fcd3a7f..839217574069 100644 +--- a/drivers/media/usb/cpia2/cpia2_usb.c ++++ b/drivers/media/usb/cpia2/cpia2_usb.c +@@ -853,15 +853,13 @@ static int cpia2_usb_probe(struct usb_interface *intf, + ret = set_alternate(cam, USBIF_CMDONLY); + if (ret < 0) { + ERR("%s: usb_set_interface error (ret = %d)\n", __func__, ret); +- kfree(cam); +- return ret; ++ goto alt_err; + } + + + if((ret = cpia2_init_camera(cam)) < 0) { + ERR("%s: failed to initialize cpia2 camera (ret = %d)\n", __func__, ret); +- kfree(cam); +- return ret; ++ goto alt_err; + } + LOG(" CPiA Version: %d.%02d (%d.%d)\n", + cam->params.version.firmware_revision_hi, +@@ -881,11 +879,14 @@ static int cpia2_usb_probe(struct usb_interface *intf, + ret = cpia2_register_camera(cam); + if (ret < 0) { + ERR("%s: Failed to register cpia2 camera (ret = %d)\n", __func__, ret); +- kfree(cam); +- return ret; ++ goto alt_err; + } + + return 0; ++ ++alt_err: ++ cpia2_deinit_camera_struct(cam, intf); ++ return ret; + } + + /****************************************************************************** +-- +2.30.2 + diff --git a/queue-4.19/media-dvb_net-avoid-speculation-from-net-slot.patch b/queue-4.19/media-dvb_net-avoid-speculation-from-net-slot.patch new file mode 100644 index 00000000000..28b5fe4bc09 --- /dev/null +++ b/queue-4.19/media-dvb_net-avoid-speculation-from-net-slot.patch @@ -0,0 +1,89 @@ +From 104763bc6a27c2cb20d99d30e711c82ce53593d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 13:13:54 +0200 +Subject: media: dvb_net: avoid speculation from net slot + +From: Mauro Carvalho Chehab + +[ Upstream commit abc0226df64dc137b48b911c1fe4319aec5891bb ] + +The risk of especulation is actually almost-non-existing here, +as there are very few users of TCP/IP using the DVB stack, +as, this is mainly used with DVB-S/S2 cards, and only by people +that receives TCP/IP from satellite connections, which limits +a lot the number of users of such feature(*). + +(*) In thesis, DVB-C cards could also benefit from it, but I'm +yet to see a hardware that supports it. + +Yet, fixing it is trivial. + +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-core/dvb_net.c | 25 +++++++++++++++++++------ + 1 file changed, 19 insertions(+), 6 deletions(-) + +diff --git a/drivers/media/dvb-core/dvb_net.c b/drivers/media/dvb-core/dvb_net.c +index 10f78109bb3f..3f154755bbc6 100644 +--- a/drivers/media/dvb-core/dvb_net.c ++++ b/drivers/media/dvb-core/dvb_net.c +@@ -56,6 +56,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1473,14 +1474,20 @@ static int dvb_net_do_ioctl(struct file *file, + struct net_device *netdev; + struct dvb_net_priv *priv_data; + struct dvb_net_if *dvbnetif = parg; ++ int if_num = dvbnetif->if_num; + +- if (dvbnetif->if_num >= DVB_NET_DEVICES_MAX || +- !dvbnet->state[dvbnetif->if_num]) { ++ if (if_num >= DVB_NET_DEVICES_MAX) { + ret = -EINVAL; + goto ioctl_error; + } ++ if_num = array_index_nospec(if_num, DVB_NET_DEVICES_MAX); + +- netdev = dvbnet->device[dvbnetif->if_num]; ++ if (!dvbnet->state[if_num]) { ++ ret = -EINVAL; ++ goto ioctl_error; ++ } ++ ++ netdev = dvbnet->device[if_num]; + + priv_data = netdev_priv(netdev); + dvbnetif->pid=priv_data->pid; +@@ -1533,14 +1540,20 @@ static int dvb_net_do_ioctl(struct file *file, + struct net_device *netdev; + struct dvb_net_priv *priv_data; + struct __dvb_net_if_old *dvbnetif = parg; ++ int if_num = dvbnetif->if_num; ++ ++ if (if_num >= DVB_NET_DEVICES_MAX) { ++ ret = -EINVAL; ++ goto ioctl_error; ++ } ++ if_num = array_index_nospec(if_num, DVB_NET_DEVICES_MAX); + +- if (dvbnetif->if_num >= DVB_NET_DEVICES_MAX || +- !dvbnet->state[dvbnetif->if_num]) { ++ if (!dvbnet->state[if_num]) { + ret = -EINVAL; + goto ioctl_error; + } + +- netdev = dvbnet->device[dvbnetif->if_num]; ++ netdev = dvbnet->device[if_num]; + + priv_data = netdev_priv(netdev); + dvbnetif->pid=priv_data->pid; +-- +2.30.2 + diff --git a/queue-4.19/media-dvd_usb-memory-leak-in-cinergyt2_fe_attach.patch b/queue-4.19/media-dvd_usb-memory-leak-in-cinergyt2_fe_attach.patch new file mode 100644 index 00000000000..c7bf7fb91df --- /dev/null +++ b/queue-4.19/media-dvd_usb-memory-leak-in-cinergyt2_fe_attach.patch @@ -0,0 +1,52 @@ +From 3730bbd2a6e6556be9c8941eb47383b9bc7543a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 May 2021 15:06:52 +0200 +Subject: media: dvd_usb: memory leak in cinergyt2_fe_attach + +From: Dongliang Mu + +[ Upstream commit 9ad1efee086e0e913914fa2b2173efb830bad68c ] + +When the driver fails to talk with the hardware with dvb_usb_generic_rw, +it will return an error to dvb_usb_adapter_frontend_init. However, the +driver forgets to free the resource (e.g., struct cinergyt2_fe_state), +which leads to a memory leak. + +Fix this by freeing struct cinergyt2_fe_state when dvb_usb_generic_rw +fails in cinergyt2_frontend_attach. + +backtrace: + [<0000000056e17b1a>] kmalloc include/linux/slab.h:552 [inline] + [<0000000056e17b1a>] kzalloc include/linux/slab.h:682 [inline] + [<0000000056e17b1a>] cinergyt2_fe_attach+0x21/0x80 drivers/media/usb/dvb-usb/cinergyT2-fe.c:271 + [<00000000ae0b1711>] cinergyt2_frontend_attach+0x21/0x70 drivers/media/usb/dvb-usb/cinergyT2-core.c:74 + [<00000000d0254861>] dvb_usb_adapter_frontend_init+0x11b/0x1b0 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:290 + [<0000000002e08ac6>] dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:84 [inline] + [<0000000002e08ac6>] dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:173 [inline] + [<0000000002e08ac6>] dvb_usb_device_init.cold+0x4d0/0x6ae drivers/media/usb/dvb-usb/dvb-usb-init.c:287 + +Reported-by: syzbot+e1de8986786b3722050e@syzkaller.appspotmail.com +Signed-off-by: Dongliang Mu +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb/cinergyT2-core.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/media/usb/dvb-usb/cinergyT2-core.c b/drivers/media/usb/dvb-usb/cinergyT2-core.c +index 6131aa7914a9..fb59dda7547a 100644 +--- a/drivers/media/usb/dvb-usb/cinergyT2-core.c ++++ b/drivers/media/usb/dvb-usb/cinergyT2-core.c +@@ -88,6 +88,8 @@ static int cinergyt2_frontend_attach(struct dvb_usb_adapter *adap) + + ret = dvb_usb_generic_rw(d, st->data, 1, st->data, 3, 0); + if (ret < 0) { ++ if (adap->fe_adap[0].fe) ++ adap->fe_adap[0].fe->ops.release(adap->fe_adap[0].fe); + deb_rc("cinergyt2_power_ctrl() Failed to retrieve sleep state info\n"); + } + mutex_unlock(&d->data_mutex); +-- +2.30.2 + diff --git a/queue-4.19/media-em28xx-fix-possible-memory-leak-of-em28xx-stru.patch b/queue-4.19/media-em28xx-fix-possible-memory-leak-of-em28xx-stru.patch new file mode 100644 index 00000000000..b939e978548 --- /dev/null +++ b/queue-4.19/media-em28xx-fix-possible-memory-leak-of-em28xx-stru.patch @@ -0,0 +1,58 @@ +From 1ee82cb398a177cfd6a0f158da437416a2febfa0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 May 2021 20:32:49 +0200 +Subject: media: em28xx: Fix possible memory leak of em28xx struct + +From: Igor Matheus Andrade Torrente + +[ Upstream commit ac5688637144644f06ed1f3c6d4dd8bb7db96020 ] + +The em28xx struct kref isn't being decreased after an error in the +em28xx_ir_init, leading to a possible memory leak. + +A kref_put and em28xx_shutdown_buttons is added to the error handler code. + +Signed-off-by: Igor Matheus Andrade Torrente +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/em28xx/em28xx-input.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/usb/em28xx/em28xx-input.c b/drivers/media/usb/em28xx/em28xx-input.c +index f84a1208d5d3..3612f0d730dd 100644 +--- a/drivers/media/usb/em28xx/em28xx-input.c ++++ b/drivers/media/usb/em28xx/em28xx-input.c +@@ -736,7 +736,8 @@ static int em28xx_ir_init(struct em28xx *dev) + dev->board.has_ir_i2c = 0; + dev_warn(&dev->intf->dev, + "No i2c IR remote control device found.\n"); +- return -ENODEV; ++ err = -ENODEV; ++ goto ref_put; + } + } + +@@ -751,7 +752,7 @@ static int em28xx_ir_init(struct em28xx *dev) + + ir = kzalloc(sizeof(*ir), GFP_KERNEL); + if (!ir) +- return -ENOMEM; ++ goto ref_put; + rc = rc_allocate_device(RC_DRIVER_SCANCODE); + if (!rc) + goto error; +@@ -862,6 +863,9 @@ error: + dev->ir = NULL; + rc_free_device(rc); + kfree(ir); ++ref_put: ++ em28xx_shutdown_buttons(dev); ++ kref_put(&dev->ref, em28xx_free_device); + return err; + } + +-- +2.30.2 + diff --git a/queue-4.19/media-exynos4-is-fix-a-use-after-free-in-isp_video_r.patch b/queue-4.19/media-exynos4-is-fix-a-use-after-free-in-isp_video_r.patch new file mode 100644 index 00000000000..a04685a6be7 --- /dev/null +++ b/queue-4.19/media-exynos4-is-fix-a-use-after-free-in-isp_video_r.patch @@ -0,0 +1,57 @@ +From fa465014d3f523660510b9360349ef0017466f69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 May 2021 10:12:31 +0200 +Subject: media: exynos4-is: Fix a use after free in isp_video_release + +From: Lv Yunlong + +[ Upstream commit 01fe904c9afd26e79c1f73aa0ca2e3d785e5e319 ] + +In isp_video_release, file->private_data is freed via +_vb2_fop_release()->v4l2_fh_release(). But the freed +file->private_data is still used in v4l2_fh_is_singular_file() +->v4l2_fh_is_singular(file->private_data), which is a use +after free bug. + +My patch uses a variable 'is_singular_file' to avoid the uaf. +v3: https://lore.kernel.org/patchwork/patch/1419058/ + +Fixes: 34947b8aebe3f ("[media] exynos4-is: Add the FIMC-IS ISP capture DMA driver") +Signed-off-by: Lv Yunlong +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/exynos4-is/fimc-isp-video.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/exynos4-is/fimc-isp-video.c b/drivers/media/platform/exynos4-is/fimc-isp-video.c +index 39340abefd14..c9ef74ee476a 100644 +--- a/drivers/media/platform/exynos4-is/fimc-isp-video.c ++++ b/drivers/media/platform/exynos4-is/fimc-isp-video.c +@@ -308,17 +308,20 @@ static int isp_video_release(struct file *file) + struct fimc_is_video *ivc = &isp->video_capture; + struct media_entity *entity = &ivc->ve.vdev.entity; + struct media_device *mdev = entity->graph_obj.mdev; ++ bool is_singular_file; + + mutex_lock(&isp->video_lock); + +- if (v4l2_fh_is_singular_file(file) && ivc->streaming) { ++ is_singular_file = v4l2_fh_is_singular_file(file); ++ ++ if (is_singular_file && ivc->streaming) { + media_pipeline_stop(entity); + ivc->streaming = 0; + } + + _vb2_fop_release(file, NULL); + +- if (v4l2_fh_is_singular_file(file)) { ++ if (is_singular_file) { + fimc_pipeline_call(&ivc->ve, close); + + mutex_lock(&mdev->graph_mutex); +-- +2.30.2 + diff --git a/queue-4.19/media-gspca-gl860-fix-zero-length-control-requests.patch b/queue-4.19/media-gspca-gl860-fix-zero-length-control-requests.patch new file mode 100644 index 00000000000..9c5c7fb4b91 --- /dev/null +++ b/queue-4.19/media-gspca-gl860-fix-zero-length-control-requests.patch @@ -0,0 +1,48 @@ +From 6d86e6d5db8f9015862093e1b541d0eaa5844def Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 May 2021 13:09:18 +0200 +Subject: media: gspca/gl860: fix zero-length control requests + +From: Johan Hovold + +[ Upstream commit 8ed339f23d41e21660a389adf2e7b2966d457ff6 ] + +The direction of the pipe argument must match the request-type direction +bit or control requests may fail depending on the host-controller-driver +implementation. + +Control transfers without a data stage are treated as OUT requests by +the USB stack and should be using usb_sndctrlpipe(). Failing to do so +will now trigger a warning. + +Fix the gl860_RTx() helper so that zero-length control reads fail with +an error message instead. Note that there are no current callers that +would trigger this. + +Fixes: 4f7cb8837cec ("V4L/DVB (12954): gspca - gl860: Addition of GL860 based webcams") +Signed-off-by: Johan Hovold +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/gspca/gl860/gl860.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/usb/gspca/gl860/gl860.c b/drivers/media/usb/gspca/gl860/gl860.c +index 262200af76a3..7da437e7785f 100644 +--- a/drivers/media/usb/gspca/gl860/gl860.c ++++ b/drivers/media/usb/gspca/gl860/gl860.c +@@ -573,8 +573,8 @@ int gl860_RTx(struct gspca_dev *gspca_dev, + len, 400 + 200 * (len > 1)); + memcpy(pdata, gspca_dev->usb_buf, len); + } else { +- r = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0), +- req, pref, val, index, NULL, len, 400); ++ gspca_err(gspca_dev, "zero-length read request\n"); ++ r = -EINVAL; + } + } + +-- +2.30.2 + diff --git a/queue-4.19/media-i2c-change-rst-to-rset-to-fix-multiple-build-e.patch b/queue-4.19/media-i2c-change-rst-to-rset-to-fix-multiple-build-e.patch new file mode 100644 index 00000000000..b5beee831fd --- /dev/null +++ b/queue-4.19/media-i2c-change-rst-to-rset-to-fix-multiple-build-e.patch @@ -0,0 +1,244 @@ +From a8d821e75e0fbe356ef2e765db758a3fa0703e72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Apr 2021 22:19:55 +0200 +Subject: media: I2C: change 'RST' to "RSET" to fix multiple build errors + +From: Randy Dunlap + +[ Upstream commit 8edcb5049ac29aa3c8acc5ef15dd4036543d747e ] + +The use of an enum named 'RST' conflicts with a #define macro +named 'RST' in arch/mips/include/asm/mach-rc32434/rb.h. + +The MIPS use of RST was there first (AFAICT), so change the +media/i2c/ uses of RST to be named 'RSET'. +'git grep -w RSET' does not report any naming conflicts with the +new name. + +This fixes multiple build errors: + +arch/mips/include/asm/mach-rc32434/rb.h:15:14: error: expected identifier before '(' token + 15 | #define RST (1 << 15) + | ^ +drivers/media/i2c/s5c73m3/s5c73m3.h:356:2: note: in expansion of macro 'RST' + 356 | RST, + | ^~~ + +../arch/mips/include/asm/mach-rc32434/rb.h:15:14: error: expected identifier before '(' token + 15 | #define RST (1 << 15) + | ^ +../drivers/media/i2c/s5k6aa.c:180:2: note: in expansion of macro 'RST' + 180 | RST, + | ^~~ + +../arch/mips/include/asm/mach-rc32434/rb.h:15:14: error: expected identifier before '(' token + 15 | #define RST (1 << 15) + | ^ +../drivers/media/i2c/s5k5baf.c:238:2: note: in expansion of macro 'RST' + 238 | RST, + | ^~~ + +and some others that I have trimmed. + +Fixes: cac47f1822fc ("[media] V4L: Add S5C73M3 camera driver") +Fixes: 8b99312b7214 ("[media] Add v4l2 subdev driver for S5K4ECGX sensor") +Fixes: 7d459937dc09 ("[media] Add driver for Samsung S5K5BAF camera sensor") +Fixes: bfa8dd3a0524 ("[media] v4l: Add v4l2 subdev driver for S5K6AAFX sensor") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Cc: Shawn Guo +Cc: Sascha Hauer +Cc: Pengutronix Kernel Team +Cc: Fabio Estevam +Cc: NXP Linux Team +Cc: linux-arm-kernel@lists.infradead.org (moderated for non-subscribers) +Cc: Andrzej Hajda +Cc: Sylwester Nawrocki +Cc: Sangwook Lee +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/s5c73m3/s5c73m3-core.c | 6 +++--- + drivers/media/i2c/s5c73m3/s5c73m3.h | 2 +- + drivers/media/i2c/s5k4ecgx.c | 10 +++++----- + drivers/media/i2c/s5k5baf.c | 6 +++--- + drivers/media/i2c/s5k6aa.c | 10 +++++----- + 5 files changed, 17 insertions(+), 17 deletions(-) + +diff --git a/drivers/media/i2c/s5c73m3/s5c73m3-core.c b/drivers/media/i2c/s5c73m3/s5c73m3-core.c +index ce196b60f917..37cb2f82c36b 100644 +--- a/drivers/media/i2c/s5c73m3/s5c73m3-core.c ++++ b/drivers/media/i2c/s5c73m3/s5c73m3-core.c +@@ -1394,7 +1394,7 @@ static int __s5c73m3_power_on(struct s5c73m3 *state) + s5c73m3_gpio_deassert(state, STBY); + usleep_range(100, 200); + +- s5c73m3_gpio_deassert(state, RST); ++ s5c73m3_gpio_deassert(state, RSET); + usleep_range(50, 100); + + return 0; +@@ -1409,7 +1409,7 @@ static int __s5c73m3_power_off(struct s5c73m3 *state) + { + int i, ret; + +- if (s5c73m3_gpio_assert(state, RST)) ++ if (s5c73m3_gpio_assert(state, RSET)) + usleep_range(10, 50); + + if (s5c73m3_gpio_assert(state, STBY)) +@@ -1614,7 +1614,7 @@ static int s5c73m3_get_platform_data(struct s5c73m3 *state) + + state->mclk_frequency = pdata->mclk_frequency; + state->gpio[STBY] = pdata->gpio_stby; +- state->gpio[RST] = pdata->gpio_reset; ++ state->gpio[RSET] = pdata->gpio_reset; + return 0; + } + +diff --git a/drivers/media/i2c/s5c73m3/s5c73m3.h b/drivers/media/i2c/s5c73m3/s5c73m3.h +index 653f68e7ea07..e267b2522149 100644 +--- a/drivers/media/i2c/s5c73m3/s5c73m3.h ++++ b/drivers/media/i2c/s5c73m3/s5c73m3.h +@@ -361,7 +361,7 @@ struct s5c73m3_ctrls { + + enum s5c73m3_gpio_id { + STBY, +- RST, ++ RSET, + GPIO_NUM, + }; + +diff --git a/drivers/media/i2c/s5k4ecgx.c b/drivers/media/i2c/s5k4ecgx.c +index 6ebcf254989a..75fb13a33eab 100644 +--- a/drivers/media/i2c/s5k4ecgx.c ++++ b/drivers/media/i2c/s5k4ecgx.c +@@ -177,7 +177,7 @@ static const char * const s5k4ecgx_supply_names[] = { + + enum s5k4ecgx_gpio_id { + STBY, +- RST, ++ RSET, + GPIO_NUM, + }; + +@@ -482,7 +482,7 @@ static int __s5k4ecgx_power_on(struct s5k4ecgx *priv) + if (s5k4ecgx_gpio_set_value(priv, STBY, priv->gpio[STBY].level)) + usleep_range(30, 50); + +- if (s5k4ecgx_gpio_set_value(priv, RST, priv->gpio[RST].level)) ++ if (s5k4ecgx_gpio_set_value(priv, RSET, priv->gpio[RSET].level)) + usleep_range(30, 50); + + return 0; +@@ -490,7 +490,7 @@ static int __s5k4ecgx_power_on(struct s5k4ecgx *priv) + + static int __s5k4ecgx_power_off(struct s5k4ecgx *priv) + { +- if (s5k4ecgx_gpio_set_value(priv, RST, !priv->gpio[RST].level)) ++ if (s5k4ecgx_gpio_set_value(priv, RSET, !priv->gpio[RSET].level)) + usleep_range(30, 50); + + if (s5k4ecgx_gpio_set_value(priv, STBY, !priv->gpio[STBY].level)) +@@ -878,7 +878,7 @@ static int s5k4ecgx_config_gpios(struct s5k4ecgx *priv, + int ret; + + priv->gpio[STBY].gpio = -EINVAL; +- priv->gpio[RST].gpio = -EINVAL; ++ priv->gpio[RSET].gpio = -EINVAL; + + ret = s5k4ecgx_config_gpio(gpio->gpio, gpio->level, "S5K4ECGX_STBY"); + +@@ -897,7 +897,7 @@ static int s5k4ecgx_config_gpios(struct s5k4ecgx *priv, + s5k4ecgx_free_gpios(priv); + return ret; + } +- priv->gpio[RST] = *gpio; ++ priv->gpio[RSET] = *gpio; + if (gpio_is_valid(gpio->gpio)) + gpio_set_value(gpio->gpio, 0); + +diff --git a/drivers/media/i2c/s5k5baf.c b/drivers/media/i2c/s5k5baf.c +index 5007c9659342..de3329f04fdf 100644 +--- a/drivers/media/i2c/s5k5baf.c ++++ b/drivers/media/i2c/s5k5baf.c +@@ -238,7 +238,7 @@ struct s5k5baf_gpio { + + enum s5k5baf_gpio_id { + STBY, +- RST, ++ RSET, + NUM_GPIOS, + }; + +@@ -973,7 +973,7 @@ static int s5k5baf_power_on(struct s5k5baf *state) + + s5k5baf_gpio_deassert(state, STBY); + usleep_range(50, 100); +- s5k5baf_gpio_deassert(state, RST); ++ s5k5baf_gpio_deassert(state, RSET); + return 0; + + err_reg_dis: +@@ -991,7 +991,7 @@ static int s5k5baf_power_off(struct s5k5baf *state) + state->apply_cfg = 0; + state->apply_crop = 0; + +- s5k5baf_gpio_assert(state, RST); ++ s5k5baf_gpio_assert(state, RSET); + s5k5baf_gpio_assert(state, STBY); + + if (!IS_ERR(state->clock)) +diff --git a/drivers/media/i2c/s5k6aa.c b/drivers/media/i2c/s5k6aa.c +index 13c10b5e2b45..e9c6e41cd44d 100644 +--- a/drivers/media/i2c/s5k6aa.c ++++ b/drivers/media/i2c/s5k6aa.c +@@ -181,7 +181,7 @@ static const char * const s5k6aa_supply_names[] = { + + enum s5k6aa_gpio_id { + STBY, +- RST, ++ RSET, + GPIO_NUM, + }; + +@@ -845,7 +845,7 @@ static int __s5k6aa_power_on(struct s5k6aa *s5k6aa) + ret = s5k6aa->s_power(1); + usleep_range(4000, 5000); + +- if (s5k6aa_gpio_deassert(s5k6aa, RST)) ++ if (s5k6aa_gpio_deassert(s5k6aa, RSET)) + msleep(20); + + return ret; +@@ -855,7 +855,7 @@ static int __s5k6aa_power_off(struct s5k6aa *s5k6aa) + { + int ret; + +- if (s5k6aa_gpio_assert(s5k6aa, RST)) ++ if (s5k6aa_gpio_assert(s5k6aa, RSET)) + usleep_range(100, 150); + + if (s5k6aa->s_power) { +@@ -1514,7 +1514,7 @@ static int s5k6aa_configure_gpios(struct s5k6aa *s5k6aa, + int ret; + + s5k6aa->gpio[STBY].gpio = -EINVAL; +- s5k6aa->gpio[RST].gpio = -EINVAL; ++ s5k6aa->gpio[RSET].gpio = -EINVAL; + + gpio = &pdata->gpio_stby; + if (gpio_is_valid(gpio->gpio)) { +@@ -1537,7 +1537,7 @@ static int s5k6aa_configure_gpios(struct s5k6aa *s5k6aa, + if (ret < 0) + return ret; + +- s5k6aa->gpio[RST] = *gpio; ++ s5k6aa->gpio[RSET] = *gpio; + } + + return 0; +-- +2.30.2 + diff --git a/queue-4.19/media-imx-csi-skip-first-few-frames-from-a-bt.656-so.patch b/queue-4.19/media-imx-csi-skip-first-few-frames-from-a-bt.656-so.patch new file mode 100644 index 00000000000..998bd159ac6 --- /dev/null +++ b/queue-4.19/media-imx-csi-skip-first-few-frames-from-a-bt.656-so.patch @@ -0,0 +1,63 @@ +From 5fbbfd03ecbc535da5af0a8812276e318d965a7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 May 2021 16:29:23 +0200 +Subject: media: imx-csi: Skip first few frames from a BT.656 source + +From: Steve Longerbeam + +[ Upstream commit e198be37e52551bb863d07d2edc535d0932a3c4f ] + +Some BT.656 sensors (e.g. ADV718x) transmit frames with unstable BT.656 +sync codes after initial power on. This confuses the imx CSI,resulting +in vertical and/or horizontal sync issues. Skip the first 20 frames +to avoid the unstable sync codes. + +[fabio: fixed checkpatch warning and increased the frame skipping to 20] + +Signed-off-by: Steve Longerbeam +Signed-off-by: Fabio Estevam +Reviewed-by: Tim Harvey +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/staging/media/imx/imx-media-csi.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/drivers/staging/media/imx/imx-media-csi.c b/drivers/staging/media/imx/imx-media-csi.c +index 0f8fdc347091..c7df0ffb3510 100644 +--- a/drivers/staging/media/imx/imx-media-csi.c ++++ b/drivers/staging/media/imx/imx-media-csi.c +@@ -730,9 +730,10 @@ static int csi_setup(struct csi_priv *priv) + + static int csi_start(struct csi_priv *priv) + { +- struct v4l2_fract *output_fi; ++ struct v4l2_fract *input_fi, *output_fi; + int ret; + ++ input_fi = &priv->frame_interval[CSI_SINK_PAD]; + output_fi = &priv->frame_interval[priv->active_output_pad]; + + /* start upstream */ +@@ -741,6 +742,17 @@ static int csi_start(struct csi_priv *priv) + if (ret) + return ret; + ++ /* Skip first few frames from a BT.656 source */ ++ if (priv->upstream_ep.bus_type == V4L2_MBUS_BT656) { ++ u32 delay_usec, bad_frames = 20; ++ ++ delay_usec = DIV_ROUND_UP_ULL((u64)USEC_PER_SEC * ++ input_fi->numerator * bad_frames, ++ input_fi->denominator); ++ ++ usleep_range(delay_usec, delay_usec + 1000); ++ } ++ + if (priv->dest == IPU_CSI_DEST_IDMAC) { + ret = csi_idmac_start(priv); + if (ret) +-- +2.30.2 + diff --git a/queue-4.19/media-pvrusb2-fix-warning-in-pvr2_i2c_core_done.patch b/queue-4.19/media-pvrusb2-fix-warning-in-pvr2_i2c_core_done.patch new file mode 100644 index 00000000000..9b0e77e9ac3 --- /dev/null +++ b/queue-4.19/media-pvrusb2-fix-warning-in-pvr2_i2c_core_done.patch @@ -0,0 +1,60 @@ +From 2fed05d69d837792f01c58d772ac26b4550ebb4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 May 2021 19:08:58 +0200 +Subject: media: pvrusb2: fix warning in pvr2_i2c_core_done + +From: Anirudh Rayabharam + +[ Upstream commit f8194e5e63fdcb349e8da9eef9e574d5b1d687cb ] + +syzbot has reported the following warning in pvr2_i2c_done: + + sysfs group 'power' not found for kobject '1-0043' + +When the device is disconnected (pvr_hdw_disconnect), the i2c adapter is +not unregistered along with the USB and v4l2 teardown. As part of the USB +device disconnect, the sysfs files of the subdevices are also deleted. +So, by the time pvr_i2c_core_done is called by pvr_context_destroy, the +sysfs files have been deleted. + +To fix this, unregister the i2c adapter too in pvr_hdw_disconnect. Make +the device deregistration code shared by calling pvr_hdw_disconnect from +pvr2_hdw_destroy. + +Reported-by: syzbot+e74a998ca8f1df9cc332@syzkaller.appspotmail.com +Tested-by: syzbot+e74a998ca8f1df9cc332@syzkaller.appspotmail.com +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Anirudh Rayabharam +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c +index fcb201a40920..d1bbfe4000dd 100644 +--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c ++++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c +@@ -2668,9 +2668,8 @@ void pvr2_hdw_destroy(struct pvr2_hdw *hdw) + pvr2_stream_destroy(hdw->vid_stream); + hdw->vid_stream = NULL; + } +- pvr2_i2c_core_done(hdw); + v4l2_device_unregister(&hdw->v4l2_dev); +- pvr2_hdw_remove_usb_stuff(hdw); ++ pvr2_hdw_disconnect(hdw); + mutex_lock(&pvr2_unit_mtx); + do { + if ((hdw->unit_number >= 0) && +@@ -2697,6 +2696,7 @@ void pvr2_hdw_disconnect(struct pvr2_hdw *hdw) + { + pvr2_trace(PVR2_TRACE_INIT,"pvr2_hdw_disconnect(hdw=%p)",hdw); + LOCK_TAKE(hdw->big_lock); ++ pvr2_i2c_core_done(hdw); + LOCK_TAKE(hdw->ctl_lock); + pvr2_hdw_remove_usb_stuff(hdw); + LOCK_GIVE(hdw->ctl_lock); +-- +2.30.2 + diff --git a/queue-4.19/media-rc-i2c-fix-an-error-message.patch b/queue-4.19/media-rc-i2c-fix-an-error-message.patch new file mode 100644 index 00000000000..5f3d3d4a64a --- /dev/null +++ b/queue-4.19/media-rc-i2c-fix-an-error-message.patch @@ -0,0 +1,40 @@ +From ea17853e530859871492b87dd256bc988da5e08f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 May 2021 07:38:56 +0200 +Subject: media: rc: i2c: Fix an error message + +From: Christophe JAILLET + +[ Upstream commit 9c87ae1a0dbeb5794957421157fd266d38a869b4 ] + +'ret' is known to be 1 here. In fact 'i' is expected instead. +Store the return value of 'i2c_master_recv()' in 'ret' so that the error +message print the correct error code. + +Fixes: acaa34bf06e9 ("media: rc: implement zilog transmitter") +Signed-off-by: Christophe JAILLET +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ir-kbd-i2c.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/i2c/ir-kbd-i2c.c b/drivers/media/i2c/ir-kbd-i2c.c +index a14a74e6b986..19ff9cb08e88 100644 +--- a/drivers/media/i2c/ir-kbd-i2c.c ++++ b/drivers/media/i2c/ir-kbd-i2c.c +@@ -688,8 +688,8 @@ static int zilog_tx(struct rc_dev *rcdev, unsigned int *txbuf, + goto out_unlock; + } + +- i = i2c_master_recv(ir->tx_c, buf, 1); +- if (i != 1) { ++ ret = i2c_master_recv(ir->tx_c, buf, 1); ++ if (ret != 1) { + dev_err(&ir->rc->dev, "i2c_master_recv failed with %d\n", ret); + ret = -EIO; + goto out_unlock; +-- +2.30.2 + diff --git a/queue-4.19/media-s5p-g2d-fix-a-memory-leak-on-ctx-fh.m2m_ctx.patch b/queue-4.19/media-s5p-g2d-fix-a-memory-leak-on-ctx-fh.m2m_ctx.patch new file mode 100644 index 00000000000..c97c94f6f98 --- /dev/null +++ b/queue-4.19/media-s5p-g2d-fix-a-memory-leak-on-ctx-fh.m2m_ctx.patch @@ -0,0 +1,40 @@ +From e3a6f2e83132646ef9fabaac85f4249db238c69b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 May 2021 17:18:32 +0200 +Subject: media: s5p-g2d: Fix a memory leak on ctx->fh.m2m_ctx + +From: Dillon Min + +[ Upstream commit 5d11e6aad1811ea293ee2996cec9124f7fccb661 ] + +The m2m_ctx resources was allocated by v4l2_m2m_ctx_init() in g2d_open() +should be freed from g2d_release() when it's not used. + +Fix it + +Fixes: 918847341af0 ("[media] v4l: add G2D driver for s5p device family") +Signed-off-by: Dillon Min +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/s5p-g2d/g2d.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/media/platform/s5p-g2d/g2d.c b/drivers/media/platform/s5p-g2d/g2d.c +index 1f58574d0b96..4cf5b559420f 100644 +--- a/drivers/media/platform/s5p-g2d/g2d.c ++++ b/drivers/media/platform/s5p-g2d/g2d.c +@@ -285,6 +285,9 @@ static int g2d_release(struct file *file) + struct g2d_dev *dev = video_drvdata(file); + struct g2d_ctx *ctx = fh2ctx(file->private_data); + ++ mutex_lock(&dev->mutex); ++ v4l2_m2m_ctx_release(ctx->fh.m2m_ctx); ++ mutex_unlock(&dev->mutex); + v4l2_ctrl_handler_free(&ctx->ctrl_handler); + v4l2_fh_del(&ctx->fh); + v4l2_fh_exit(&ctx->fh); +-- +2.30.2 + diff --git a/queue-4.19/media-s5p_cec-decrement-usage-count-if-disabled.patch b/queue-4.19/media-s5p_cec-decrement-usage-count-if-disabled.patch new file mode 100644 index 00000000000..593d44da2ca --- /dev/null +++ b/queue-4.19/media-s5p_cec-decrement-usage-count-if-disabled.patch @@ -0,0 +1,39 @@ +From 87482fc050b4dba70545d3ed1fbb77b20fe5ed5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Apr 2021 09:38:56 +0200 +Subject: media: s5p_cec: decrement usage count if disabled + +From: Mauro Carvalho Chehab + +[ Upstream commit 747bad54a677d8633ec14b39dfbeb859c821d7f2 ] + +There's a bug at s5p_cec_adap_enable(): if called to +disable the device, it should call pm_runtime_put() +instead of pm_runtime_disable(), as the goal here is to +decrement the usage_count and not to disable PM runtime. + +Reported-by: Sylwester Nawrocki +Reviewed-by: Jonathan Cameron +Fixes: 1bcbf6f4b6b0 ("[media] cec: s5p-cec: Add s5p-cec driver") +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/s5p-cec/s5p_cec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/platform/s5p-cec/s5p_cec.c b/drivers/media/platform/s5p-cec/s5p_cec.c +index 8837e2678bde..3032247c63a5 100644 +--- a/drivers/media/platform/s5p-cec/s5p_cec.c ++++ b/drivers/media/platform/s5p-cec/s5p_cec.c +@@ -55,7 +55,7 @@ static int s5p_cec_adap_enable(struct cec_adapter *adap, bool enable) + } else { + s5p_cec_mask_tx_interrupts(cec); + s5p_cec_mask_rx_interrupts(cec); +- pm_runtime_disable(cec->dev); ++ pm_runtime_put(cec->dev); + } + + return 0; +-- +2.30.2 + diff --git a/queue-4.19/media-siano-fix-device-register-error-path.patch b/queue-4.19/media-siano-fix-device-register-error-path.patch new file mode 100644 index 00000000000..9d99a4baf3f --- /dev/null +++ b/queue-4.19/media-siano-fix-device-register-error-path.patch @@ -0,0 +1,39 @@ +From bc3338c196457fb2b4e5e12aeb95393c588289a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jun 2021 08:57:02 +0200 +Subject: media: siano: fix device register error path + +From: Mauro Carvalho Chehab + +[ Upstream commit 5368b1ee2939961a16e74972b69088433fc52195 ] + +As reported by smatch: + drivers/media/common/siano/smsdvb-main.c:1231 smsdvb_hotplug() warn: '&client->entry' not removed from list + +If an error occur at the end of the registration logic, it won't +drop the device from the list. + +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/common/siano/smsdvb-main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/media/common/siano/smsdvb-main.c b/drivers/media/common/siano/smsdvb-main.c +index afca47b97c2a..637ace7a2b5c 100644 +--- a/drivers/media/common/siano/smsdvb-main.c ++++ b/drivers/media/common/siano/smsdvb-main.c +@@ -1187,6 +1187,10 @@ static int smsdvb_hotplug(struct smscore_device_t *coredev, + return 0; + + media_graph_error: ++ mutex_lock(&g_smsdvb_clientslock); ++ list_del(&client->entry); ++ mutex_unlock(&g_smsdvb_clientslock); ++ + smsdvb_debugfs_release(client); + + client_error: +-- +2.30.2 + diff --git a/queue-4.19/media-siano-fix-out-of-bounds-warnings-in-smscore_lo.patch b/queue-4.19/media-siano-fix-out-of-bounds-warnings-in-smscore_lo.patch new file mode 100644 index 00000000000..b59c72d156d --- /dev/null +++ b/queue-4.19/media-siano-fix-out-of-bounds-warnings-in-smscore_lo.patch @@ -0,0 +1,167 @@ +From c227af007241fec736b2de5eb83d3a8b11e8fee8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Mar 2021 19:40:43 -0600 +Subject: media: siano: Fix out-of-bounds warnings in + smscore_load_firmware_family2() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Gustavo A. R. Silva + +[ Upstream commit 13dfead49db07225335d4f587a560a2210391a1a ] + +Rename struct sms_msg_data4 to sms_msg_data5 and increase the size of +its msg_data array from 4 to 5 elements. Notice that at some point +the 5th element of msg_data is being accessed in function +smscore_load_firmware_family2(): + +1006 trigger_msg->msg_data[4] = 4; /* Task ID */ + +Also, there is no need for the object _trigger_msg_ of type struct +sms_msg_data *, when _msg_ can be used, directly. Notice that msg_data +in struct sms_msg_data is a one-element array, which causes multiple +out-of-bounds warnings when accessing beyond its first element +in function smscore_load_firmware_family2(): + + 992 struct sms_msg_data *trigger_msg = + 993 (struct sms_msg_data *) msg; + 994 + 995 pr_debug("sending MSG_SMS_SWDOWNLOAD_TRIGGER_REQ\n"); + 996 SMS_INIT_MSG(&msg->x_msg_header, + 997 MSG_SMS_SWDOWNLOAD_TRIGGER_REQ, + 998 sizeof(struct sms_msg_hdr) + + 999 sizeof(u32) * 5); +1000 +1001 trigger_msg->msg_data[0] = firmware->start_address; +1002 /* Entry point */ +1003 trigger_msg->msg_data[1] = 6; /* Priority */ +1004 trigger_msg->msg_data[2] = 0x200; /* Stack size */ +1005 trigger_msg->msg_data[3] = 0; /* Parameter */ +1006 trigger_msg->msg_data[4] = 4; /* Task ID */ + +even when enough dynamic memory is allocated for _msg_: + + 929 /* PAGE_SIZE buffer shall be enough and dma aligned */ + 930 msg = kmalloc(PAGE_SIZE, GFP_KERNEL | coredev->gfp_buf_flags); + +but as _msg_ is casted to (struct sms_msg_data *): + + 992 struct sms_msg_data *trigger_msg = + 993 (struct sms_msg_data *) msg; + +the out-of-bounds warnings are actually valid and should be addressed. + +Fix this by declaring object _msg_ of type struct sms_msg_data5 *, +which contains a 5-elements array, instead of just 4. And use +_msg_ directly, instead of creating object trigger_msg. + +This helps with the ongoing efforts to enable -Warray-bounds by fixing +the following warnings: + + CC [M] drivers/media/common/siano/smscoreapi.o +drivers/media/common/siano/smscoreapi.c: In function ‘smscore_load_firmware_family2’: +drivers/media/common/siano/smscoreapi.c:1003:24: warning: array subscript 1 is above array bounds of ‘u32[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds] + 1003 | trigger_msg->msg_data[1] = 6; /* Priority */ + | ~~~~~~~~~~~~~~~~~~~~~^~~ +In file included from drivers/media/common/siano/smscoreapi.c:12: +drivers/media/common/siano/smscoreapi.h:619:6: note: while referencing ‘msg_data’ + 619 | u32 msg_data[1]; + | ^~~~~~~~ +drivers/media/common/siano/smscoreapi.c:1004:24: warning: array subscript 2 is above array bounds of ‘u32[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds] + 1004 | trigger_msg->msg_data[2] = 0x200; /* Stack size */ + | ~~~~~~~~~~~~~~~~~~~~~^~~ +In file included from drivers/media/common/siano/smscoreapi.c:12: +drivers/media/common/siano/smscoreapi.h:619:6: note: while referencing ‘msg_data’ + 619 | u32 msg_data[1]; + | ^~~~~~~~ +drivers/media/common/siano/smscoreapi.c:1005:24: warning: array subscript 3 is above array bounds of ‘u32[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds] + 1005 | trigger_msg->msg_data[3] = 0; /* Parameter */ + | ~~~~~~~~~~~~~~~~~~~~~^~~ +In file included from drivers/media/common/siano/smscoreapi.c:12: +drivers/media/common/siano/smscoreapi.h:619:6: note: while referencing ‘msg_data’ + 619 | u32 msg_data[1]; + | ^~~~~~~~ +drivers/media/common/siano/smscoreapi.c:1006:24: warning: array subscript 4 is above array bounds of ‘u32[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds] + 1006 | trigger_msg->msg_data[4] = 4; /* Task ID */ + | ~~~~~~~~~~~~~~~~~~~~~^~~ +In file included from drivers/media/common/siano/smscoreapi.c:12: +drivers/media/common/siano/smscoreapi.h:619:6: note: while referencing ‘msg_data’ + 619 | u32 msg_data[1]; + | ^~~~~~~~ + +Fixes: 018b0c6f8acb ("[media] siano: make load firmware logic to work with newer firmwares") +Co-developed-by: Kees Cook +Signed-off-by: Kees Cook +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Sasha Levin +--- + drivers/media/common/siano/smscoreapi.c | 22 +++++++++------------- + drivers/media/common/siano/smscoreapi.h | 4 ++-- + 2 files changed, 11 insertions(+), 15 deletions(-) + +diff --git a/drivers/media/common/siano/smscoreapi.c b/drivers/media/common/siano/smscoreapi.c +index 3b02cb570a6e..661920dd84d1 100644 +--- a/drivers/media/common/siano/smscoreapi.c ++++ b/drivers/media/common/siano/smscoreapi.c +@@ -916,7 +916,7 @@ static int smscore_load_firmware_family2(struct smscore_device_t *coredev, + void *buffer, size_t size) + { + struct sms_firmware *firmware = (struct sms_firmware *) buffer; +- struct sms_msg_data4 *msg; ++ struct sms_msg_data5 *msg; + u32 mem_address, calc_checksum = 0; + u32 i, *ptr; + u8 *payload = firmware->payload; +@@ -997,24 +997,20 @@ static int smscore_load_firmware_family2(struct smscore_device_t *coredev, + goto exit_fw_download; + + if (coredev->mode == DEVICE_MODE_NONE) { +- struct sms_msg_data *trigger_msg = +- (struct sms_msg_data *) msg; +- + pr_debug("sending MSG_SMS_SWDOWNLOAD_TRIGGER_REQ\n"); + SMS_INIT_MSG(&msg->x_msg_header, + MSG_SMS_SWDOWNLOAD_TRIGGER_REQ, +- sizeof(struct sms_msg_hdr) + +- sizeof(u32) * 5); ++ sizeof(*msg)); + +- trigger_msg->msg_data[0] = firmware->start_address; ++ msg->msg_data[0] = firmware->start_address; + /* Entry point */ +- trigger_msg->msg_data[1] = 6; /* Priority */ +- trigger_msg->msg_data[2] = 0x200; /* Stack size */ +- trigger_msg->msg_data[3] = 0; /* Parameter */ +- trigger_msg->msg_data[4] = 4; /* Task ID */ ++ msg->msg_data[1] = 6; /* Priority */ ++ msg->msg_data[2] = 0x200; /* Stack size */ ++ msg->msg_data[3] = 0; /* Parameter */ ++ msg->msg_data[4] = 4; /* Task ID */ + +- rc = smscore_sendrequest_and_wait(coredev, trigger_msg, +- trigger_msg->x_msg_header.msg_length, ++ rc = smscore_sendrequest_and_wait(coredev, msg, ++ msg->x_msg_header.msg_length, + &coredev->trigger_done); + } else { + SMS_INIT_MSG(&msg->x_msg_header, MSG_SW_RELOAD_EXEC_REQ, +diff --git a/drivers/media/common/siano/smscoreapi.h b/drivers/media/common/siano/smscoreapi.h +index eb58853008c9..4de4d257c6b6 100644 +--- a/drivers/media/common/siano/smscoreapi.h ++++ b/drivers/media/common/siano/smscoreapi.h +@@ -640,9 +640,9 @@ struct sms_msg_data2 { + u32 msg_data[2]; + }; + +-struct sms_msg_data4 { ++struct sms_msg_data5 { + struct sms_msg_hdr x_msg_header; +- u32 msg_data[4]; ++ u32 msg_data[5]; + }; + + struct sms_data_download { +-- +2.30.2 + diff --git a/queue-4.19/media-st-hva-fix-potential-null-pointer-dereferences.patch b/queue-4.19/media-st-hva-fix-potential-null-pointer-dereferences.patch new file mode 100644 index 00000000000..dbdec64c07c --- /dev/null +++ b/queue-4.19/media-st-hva-fix-potential-null-pointer-dereferences.patch @@ -0,0 +1,40 @@ +From 4caf9049e72a5dc364a11aba0365b4d0bb1163ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 May 2021 14:04:49 +0200 +Subject: media: st-hva: Fix potential NULL pointer dereferences + +From: Evgeny Novikov + +[ Upstream commit b7fdd208687ba59ebfb09b2199596471c63b69e3 ] + +When ctx_id >= HVA_MAX_INSTANCES in hva_hw_its_irq_thread() it tries to +access fields of ctx that is NULL at that point. The patch gets rid of +these accesses. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Evgeny Novikov +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/sti/hva/hva-hw.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/media/platform/sti/hva/hva-hw.c b/drivers/media/platform/sti/hva/hva-hw.c +index d826c011c095..6b852b0bb15a 100644 +--- a/drivers/media/platform/sti/hva/hva-hw.c ++++ b/drivers/media/platform/sti/hva/hva-hw.c +@@ -130,8 +130,7 @@ static irqreturn_t hva_hw_its_irq_thread(int irq, void *arg) + ctx_id = (hva->sts_reg & 0xFF00) >> 8; + if (ctx_id >= HVA_MAX_INSTANCES) { + dev_err(dev, "%s %s: bad context identifier: %d\n", +- ctx->name, __func__, ctx_id); +- ctx->hw_err = true; ++ HVA_PREFIX, __func__, ctx_id); + goto out; + } + +-- +2.30.2 + diff --git a/queue-4.19/media-tc358743-fix-error-return-code-in-tc358743_pro.patch b/queue-4.19/media-tc358743-fix-error-return-code-in-tc358743_pro.patch new file mode 100644 index 00000000000..1bc465c8b87 --- /dev/null +++ b/queue-4.19/media-tc358743-fix-error-return-code-in-tc358743_pro.patch @@ -0,0 +1,38 @@ +From d9a62aa0655a193b0bab5f09de403413214f4852 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 May 2021 08:58:30 +0200 +Subject: media: tc358743: Fix error return code in tc358743_probe_of() + +From: Zhen Lei + +[ Upstream commit a6b1e7093f0a099571fc8836ab4a589633f956a8 ] + +When the CSI bps per lane is not in the valid range, an appropriate error +code -EINVAL should be returned. However, we currently do not explicitly +assign this error code to 'ret'. As a result, 0 was incorrectly returned. + +Fixes: 256148246852 ("[media] tc358743: support probe from device tree") +Reported-by: Hulk Robot +Signed-off-by: Zhen Lei +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/tc358743.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c +index 041b16965b96..079b8db4bc48 100644 +--- a/drivers/media/i2c/tc358743.c ++++ b/drivers/media/i2c/tc358743.c +@@ -1972,6 +1972,7 @@ static int tc358743_probe_of(struct tc358743_state *state) + bps_pr_lane = 2 * endpoint->link_frequencies[0]; + if (bps_pr_lane < 62500000U || bps_pr_lane > 1000000000U) { + dev_err(dev, "unsupported bps per lane: %u bps\n", bps_pr_lane); ++ ret = -EINVAL; + goto disable_clk; + } + +-- +2.30.2 + diff --git a/queue-4.19/media-v4l2-core-avoid-the-dangling-pointer-in-v4l2_f.patch b/queue-4.19/media-v4l2-core-avoid-the-dangling-pointer-in-v4l2_f.patch new file mode 100644 index 00000000000..10c73cbd1b8 --- /dev/null +++ b/queue-4.19/media-v4l2-core-avoid-the-dangling-pointer-in-v4l2_f.patch @@ -0,0 +1,39 @@ +From becf5b7c191092815da8141a689809a43c4499d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 May 2021 10:24:02 +0200 +Subject: media: v4l2-core: Avoid the dangling pointer in v4l2_fh_release + +From: Lv Yunlong + +[ Upstream commit 7dd0c9e547b6924e18712b6b51aa3cba1896ee2c ] + +A use after free bug caused by the dangling pointer +filp->privitate_data in v4l2_fh_release. +See https://lore.kernel.org/patchwork/patch/1419058/. + +My patch sets the dangling pointer to NULL to provide +robust. + +Signed-off-by: Lv Yunlong +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/v4l2-core/v4l2-fh.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/v4l2-core/v4l2-fh.c b/drivers/media/v4l2-core/v4l2-fh.c +index c91a7bd3ecfc..ac8282d059fc 100644 +--- a/drivers/media/v4l2-core/v4l2-fh.c ++++ b/drivers/media/v4l2-core/v4l2-fh.c +@@ -104,6 +104,7 @@ int v4l2_fh_release(struct file *filp) + v4l2_fh_del(fh); + v4l2_fh_exit(fh); + kfree(fh); ++ filp->private_data = NULL; + } + return 0; + } +-- +2.30.2 + diff --git a/queue-4.19/mm-huge_memory.c-don-t-discard-hugepage-if-other-pro.patch b/queue-4.19/mm-huge_memory.c-don-t-discard-hugepage-if-other-pro.patch new file mode 100644 index 00000000000..0e7dade8e0f --- /dev/null +++ b/queue-4.19/mm-huge_memory.c-don-t-discard-hugepage-if-other-pro.patch @@ -0,0 +1,58 @@ +From f101a4a7cbd90f7192992664da2479675ad79370 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Jun 2021 18:47:57 -0700 +Subject: mm/huge_memory.c: don't discard hugepage if other processes are + mapping it + +From: Miaohe Lin + +[ Upstream commit babbbdd08af98a59089334eb3effbed5a7a0cf7f ] + +If other processes are mapping any other subpages of the hugepage, i.e. +in pte-mapped thp case, page_mapcount() will return 1 incorrectly. Then +we would discard the page while other processes are still mapping it. Fix +it by using total_mapcount() which can tell whether other processes are +still mapping it. + +Link: https://lkml.kernel.org/r/20210511134857.1581273-6-linmiaohe@huawei.com +Fixes: b8d3c4c3009d ("mm/huge_memory.c: don't split THP page when MADV_FREE syscall is called") +Reviewed-by: Yang Shi +Signed-off-by: Miaohe Lin +Cc: Alexey Dobriyan +Cc: "Aneesh Kumar K . V" +Cc: Anshuman Khandual +Cc: David Hildenbrand +Cc: Hugh Dickins +Cc: Johannes Weiner +Cc: Kirill A. Shutemov +Cc: Matthew Wilcox +Cc: Minchan Kim +Cc: Ralph Campbell +Cc: Rik van Riel +Cc: Song Liu +Cc: William Kucharski +Cc: Zi Yan +Cc: Mike Kravetz +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/huge_memory.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/mm/huge_memory.c b/mm/huge_memory.c +index 4400957d8e4e..800d7de32af8 100644 +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -1692,7 +1692,7 @@ bool madvise_free_huge_pmd(struct mmu_gather *tlb, struct vm_area_struct *vma, + * If other processes are mapping this page, we couldn't discard + * the page unless they all do MADV_FREE so let's skip the page. + */ +- if (page_mapcount(page) != 1) ++ if (total_mapcount(page) != 1) + goto out; + + if (!trylock_page(page)) +-- +2.30.2 + diff --git a/queue-4.19/mmc-usdhi6rol0-fix-error-return-code-in-usdhi6_probe.patch b/queue-4.19/mmc-usdhi6rol0-fix-error-return-code-in-usdhi6_probe.patch new file mode 100644 index 00000000000..16660602270 --- /dev/null +++ b/queue-4.19/mmc-usdhi6rol0-fix-error-return-code-in-usdhi6_probe.patch @@ -0,0 +1,37 @@ +From fb6766334abcdaa95accd81e9484e6fa80ba00da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 May 2021 10:03:21 +0800 +Subject: mmc: usdhi6rol0: fix error return code in usdhi6_probe() + +From: Zhen Lei + +[ Upstream commit 2f9ae69e5267f53e89e296fccee291975a85f0eb ] + +Fix to return a negative error code from the error handling case instead +of 0, as done elsewhere in this function. + +Fixes: 75fa9ea6e3c0 ("mmc: add a driver for the Renesas usdhi6rol0 SD/SDIO host controller") +Reported-by: Hulk Robot +Signed-off-by: Zhen Lei +Link: https://lore.kernel.org/r/20210508020321.1677-1-thunder.leizhen@huawei.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/usdhi6rol0.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/mmc/host/usdhi6rol0.c b/drivers/mmc/host/usdhi6rol0.c +index ef3aa8b52078..b88728b686e8 100644 +--- a/drivers/mmc/host/usdhi6rol0.c ++++ b/drivers/mmc/host/usdhi6rol0.c +@@ -1809,6 +1809,7 @@ static int usdhi6_probe(struct platform_device *pdev) + + version = usdhi6_read(host, USDHI6_VERSION); + if ((version & 0xfff) != 0xa0d) { ++ ret = -EPERM; + dev_err(dev, "Version not recognized %x\n", version); + goto e_clk_off; + } +-- +2.30.2 + diff --git a/queue-4.19/mmc-via-sdmmc-add-a-check-against-null-pointer-deref.patch b/queue-4.19/mmc-via-sdmmc-add-a-check-against-null-pointer-deref.patch new file mode 100644 index 00000000000..8479900bbe9 --- /dev/null +++ b/queue-4.19/mmc-via-sdmmc-add-a-check-against-null-pointer-deref.patch @@ -0,0 +1,140 @@ +From 90ed8940bbb134fe00a138a7cf808d61d5d17bbb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jun 2021 13:33:20 +0000 +Subject: mmc: via-sdmmc: add a check against NULL pointer dereference + +From: Zheyu Ma + +[ Upstream commit 45c8ddd06c4b729c56a6083ab311bfbd9643f4a6 ] + +Before referencing 'host->data', the driver needs to check whether it is +null pointer, otherwise it will cause a null pointer reference. + +This log reveals it: + +[ 29.355199] BUG: kernel NULL pointer dereference, address: +0000000000000014 +[ 29.357323] #PF: supervisor write access in kernel mode +[ 29.357706] #PF: error_code(0x0002) - not-present page +[ 29.358088] PGD 0 P4D 0 +[ 29.358280] Oops: 0002 [#1] PREEMPT SMP PTI +[ 29.358595] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 5.12.4- +g70e7f0549188-dirty #102 +[ 29.359164] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), +BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 +[ 29.359978] RIP: 0010:via_sdc_isr+0x21f/0x410 +[ 29.360314] Code: ff ff e8 84 aa d0 fd 66 45 89 7e 28 66 41 f7 c4 00 +10 75 56 e8 72 aa d0 fd 66 41 f7 c4 00 c0 74 10 e8 65 aa d0 fd 48 8b 43 +18 40 14 ac ff ff ff e8 55 aa d0 fd 48 89 df e8 ad fb ff ff e9 77 +[ 29.361661] RSP: 0018:ffffc90000118e98 EFLAGS: 00010046 +[ 29.362042] RAX: 0000000000000000 RBX: ffff888107d77880 +RCX: 0000000000000000 +[ 29.362564] RDX: 0000000000000000 RSI: ffffffff835d20bb +RDI: 00000000ffffffff +[ 29.363085] RBP: ffffc90000118ed8 R08: 0000000000000001 +R09: 0000000000000001 +[ 29.363604] R10: 0000000000000000 R11: 0000000000000001 +R12: 0000000000008600 +[ 29.364128] R13: ffff888107d779c8 R14: ffffc90009c00200 +R15: 0000000000008000 +[ 29.364651] FS: 0000000000000000(0000) GS:ffff88817bc80000(0000) +knlGS:0000000000000000 +[ 29.365235] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 29.365655] CR2: 0000000000000014 CR3: 0000000005a2e000 +CR4: 00000000000006e0 +[ 29.366170] DR0: 0000000000000000 DR1: 0000000000000000 +DR2: 0000000000000000 +[ 29.366683] DR3: 0000000000000000 DR6: 00000000fffe0ff0 +DR7: 0000000000000400 +[ 29.367197] Call Trace: +[ 29.367381] +[ 29.367537] __handle_irq_event_percpu+0x53/0x3e0 +[ 29.367916] handle_irq_event_percpu+0x35/0x90 +[ 29.368247] handle_irq_event+0x39/0x60 +[ 29.368632] handle_fasteoi_irq+0xc2/0x1d0 +[ 29.368950] __common_interrupt+0x7f/0x150 +[ 29.369254] common_interrupt+0xb4/0xd0 +[ 29.369547] +[ 29.369708] asm_common_interrupt+0x1e/0x40 +[ 29.370016] RIP: 0010:native_safe_halt+0x17/0x20 +[ 29.370360] Code: 07 0f 00 2d db 80 43 00 f4 5d c3 0f 1f 84 00 00 00 +00 00 8b 05 c2 37 e5 01 55 48 89 e5 85 c0 7e 07 0f 00 2d bb 80 43 00 fb +f4 <5d> c3 cc cc cc cc cc cc cc 55 48 89 e5 e8 67 53 ff ff 8b 0d f9 91 +[ 29.371696] RSP: 0018:ffffc9000008fe90 EFLAGS: 00000246 +[ 29.372079] RAX: 0000000000000000 RBX: 0000000000000002 +RCX: 0000000000000000 +[ 29.372595] RDX: 0000000000000000 RSI: ffffffff854f67a4 +RDI: ffffffff85403406 +[ 29.373122] RBP: ffffc9000008fe90 R08: 0000000000000001 +R09: 0000000000000001 +[ 29.373646] R10: 0000000000000000 R11: 0000000000000001 +R12: ffffffff86009188 +[ 29.374160] R13: 0000000000000000 R14: 0000000000000000 +R15: ffff888100258000 +[ 29.374690] default_idle+0x9/0x10 +[ 29.374944] arch_cpu_idle+0xa/0x10 +[ 29.375198] default_idle_call+0x6e/0x250 +[ 29.375491] do_idle+0x1f0/0x2d0 +[ 29.375740] cpu_startup_entry+0x18/0x20 +[ 29.376034] start_secondary+0x11f/0x160 +[ 29.376328] secondary_startup_64_no_verify+0xb0/0xbb +[ 29.376705] Modules linked in: +[ 29.376939] Dumping ftrace buffer: +[ 29.377187] (ftrace buffer empty) +[ 29.377460] CR2: 0000000000000014 +[ 29.377712] ---[ end trace 51a473dffb618c47 ]--- +[ 29.378056] RIP: 0010:via_sdc_isr+0x21f/0x410 +[ 29.378380] Code: ff ff e8 84 aa d0 fd 66 45 89 7e 28 66 41 f7 c4 00 +10 75 56 e8 72 aa d0 fd 66 41 f7 c4 00 c0 74 10 e8 65 aa d0 fd 48 8b 43 +18 40 14 ac ff ff ff e8 55 aa d0 fd 48 89 df e8 ad fb ff ff e9 77 +[ 29.379714] RSP: 0018:ffffc90000118e98 EFLAGS: 00010046 +[ 29.380098] RAX: 0000000000000000 RBX: ffff888107d77880 +RCX: 0000000000000000 +[ 29.380614] RDX: 0000000000000000 RSI: ffffffff835d20bb +RDI: 00000000ffffffff +[ 29.381134] RBP: ffffc90000118ed8 R08: 0000000000000001 +R09: 0000000000000001 +[ 29.381653] R10: 0000000000000000 R11: 0000000000000001 +R12: 0000000000008600 +[ 29.382176] R13: ffff888107d779c8 R14: ffffc90009c00200 +R15: 0000000000008000 +[ 29.382697] FS: 0000000000000000(0000) GS:ffff88817bc80000(0000) +knlGS:0000000000000000 +[ 29.383277] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 29.383697] CR2: 0000000000000014 CR3: 0000000005a2e000 +CR4: 00000000000006e0 +[ 29.384223] DR0: 0000000000000000 DR1: 0000000000000000 +DR2: 0000000000000000 +[ 29.384736] DR3: 0000000000000000 DR6: 00000000fffe0ff0 +DR7: 0000000000000400 +[ 29.385260] Kernel panic - not syncing: Fatal exception in interrupt +[ 29.385882] Dumping ftrace buffer: +[ 29.386135] (ftrace buffer empty) +[ 29.386401] Kernel Offset: disabled +[ 29.386656] Rebooting in 1 seconds.. + +Signed-off-by: Zheyu Ma +Link: https://lore.kernel.org/r/1622727200-15808-1-git-send-email-zheyuma97@gmail.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/via-sdmmc.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/mmc/host/via-sdmmc.c b/drivers/mmc/host/via-sdmmc.c +index 9fdb92729c28..1b66466d2ed4 100644 +--- a/drivers/mmc/host/via-sdmmc.c ++++ b/drivers/mmc/host/via-sdmmc.c +@@ -865,6 +865,9 @@ static void via_sdc_data_isr(struct via_crdr_mmc_host *host, u16 intmask) + { + BUG_ON(intmask == 0); + ++ if (!host->data) ++ return; ++ + if (intmask & VIA_CRDR_SDSTS_DT) + host->data->error = -ETIMEDOUT; + else if (intmask & (VIA_CRDR_SDSTS_RC | VIA_CRDR_SDSTS_WC)) +-- +2.30.2 + diff --git a/queue-4.19/mtd-rawnand-marvell-add-missing-clk_disable_unprepar.patch b/queue-4.19/mtd-rawnand-marvell-add-missing-clk_disable_unprepar.patch new file mode 100644 index 00000000000..6984e53ca9b --- /dev/null +++ b/queue-4.19/mtd-rawnand-marvell-add-missing-clk_disable_unprepar.patch @@ -0,0 +1,41 @@ +From f24fae31249f7445e7ceae6c01da4a18942317b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jun 2021 20:58:14 +0800 +Subject: mtd: rawnand: marvell: add missing clk_disable_unprepare() on error + in marvell_nfc_resume() + +From: Yang Yingliang + +[ Upstream commit ae94c49527aa9bd3b563349adc4b5617747ca6bd ] + +Add clk_disable_unprepare() on error path in marvell_nfc_resume(). + +Fixes: bd9c3f9b3c00 ("mtd: rawnand: marvell: add suspend and resume hooks") +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20210601125814.3260364-1-yangyingliang@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/marvell_nand.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/mtd/nand/raw/marvell_nand.c b/drivers/mtd/nand/raw/marvell_nand.c +index 00b1adcfad86..07bd41dd4356 100644 +--- a/drivers/mtd/nand/raw/marvell_nand.c ++++ b/drivers/mtd/nand/raw/marvell_nand.c +@@ -2880,8 +2880,10 @@ static int __maybe_unused marvell_nfc_resume(struct device *dev) + return ret; + + ret = clk_prepare_enable(nfc->reg_clk); +- if (ret < 0) ++ if (ret < 0) { ++ clk_disable_unprepare(nfc->core_clk); + return ret; ++ } + + /* + * Reset nfc->selected_chip so the next command will cause the timing +-- +2.30.2 + diff --git a/queue-4.19/mwifiex-re-fix-for-unaligned-accesses.patch b/queue-4.19/mwifiex-re-fix-for-unaligned-accesses.patch new file mode 100644 index 00000000000..dbcd40f29ef --- /dev/null +++ b/queue-4.19/mwifiex-re-fix-for-unaligned-accesses.patch @@ -0,0 +1,62 @@ +From 17fe36615e708d138d6c24cb02f0e805a1c3e56a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 May 2021 00:07:55 +0200 +Subject: mwifiex: re-fix for unaligned accesses + +From: Arnd Bergmann + +[ Upstream commit 8f4e3d48bb50765ab27ae5bebed2595b20de80a1 ] + +A patch from 2017 changed some accesses to DMA memory to use +get_unaligned_le32() and similar interfaces, to avoid problems +with doing unaligned accesson uncached memory. + +However, the change in the mwifiex_pcie_alloc_sleep_cookie_buf() +function ended up changing the size of the access instead, +as it operates on a pointer to u8. + +Change this function back to actually access the entire 32 bits. +Note that the pointer is aligned by definition because it came +from dma_alloc_coherent(). + +Fixes: 92c70a958b0b ("mwifiex: fix for unaligned reads") +Acked-by: Kalle Valo +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/pcie.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/pcie.c b/drivers/net/wireless/marvell/mwifiex/pcie.c +index 5907b34037c2..2f0141c964e2 100644 +--- a/drivers/net/wireless/marvell/mwifiex/pcie.c ++++ b/drivers/net/wireless/marvell/mwifiex/pcie.c +@@ -1084,7 +1084,7 @@ static int mwifiex_pcie_delete_cmdrsp_buf(struct mwifiex_adapter *adapter) + static int mwifiex_pcie_alloc_sleep_cookie_buf(struct mwifiex_adapter *adapter) + { + struct pcie_service_card *card = adapter->card; +- u32 tmp; ++ u32 *cookie; + + card->sleep_cookie_vbase = pci_alloc_consistent(card->dev, sizeof(u32), + &card->sleep_cookie_pbase); +@@ -1093,13 +1093,11 @@ static int mwifiex_pcie_alloc_sleep_cookie_buf(struct mwifiex_adapter *adapter) + "pci_alloc_consistent failed!\n"); + return -ENOMEM; + } ++ cookie = (u32 *)card->sleep_cookie_vbase; + /* Init val of Sleep Cookie */ +- tmp = FW_AWAKE_COOKIE; +- put_unaligned(tmp, card->sleep_cookie_vbase); ++ *cookie = FW_AWAKE_COOKIE; + +- mwifiex_dbg(adapter, INFO, +- "alloc_scook: sleep cookie=0x%x\n", +- get_unaligned(card->sleep_cookie_vbase)); ++ mwifiex_dbg(adapter, INFO, "alloc_scook: sleep cookie=0x%x\n", *cookie); + + return 0; + } +-- +2.30.2 + diff --git a/queue-4.19/net-bcmgenet-fix-attaching-to-pyh-failed-on-rpi-4b.patch b/queue-4.19/net-bcmgenet-fix-attaching-to-pyh-failed-on-rpi-4b.patch new file mode 100644 index 00000000000..3b74723665d --- /dev/null +++ b/queue-4.19/net-bcmgenet-fix-attaching-to-pyh-failed-on-rpi-4b.patch @@ -0,0 +1,47 @@ +From ae83e27ff5afe6882f51ce666be482b20c27f085 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Jun 2021 11:28:03 +0800 +Subject: net: bcmgenet: Fix attaching to PYH failed on RPi 4B + +From: Jian-Hong Pan + +[ Upstream commit b2ac9800cfe0f8da16abc4e74e003440361c112e ] + +The Broadcom UniMAC MDIO bus from mdio-bcm-unimac module comes too late. +So, GENET cannot find the ethernet PHY on UniMAC MDIO bus. This leads +GENET fail to attach the PHY as following log: + +bcmgenet fd580000.ethernet: GENET 5.0 EPHY: 0x0000 +... +could not attach to PHY +bcmgenet fd580000.ethernet eth0: failed to connect to PHY +uart-pl011 fe201000.serial: no DMA platform data +libphy: bcmgenet MII bus: probed +... +unimac-mdio unimac-mdio.-19: Broadcom UniMAC MDIO bus + +This patch adds the soft dependency to load mdio-bcm-unimac module +before genet module to avoid the issue. + +Fixes: 9a4e79697009 ("net: bcmgenet: utilize generic Broadcom UniMAC MDIO controller driver") +Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=213485 +Signed-off-by: Jian-Hong Pan +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/genet/bcmgenet.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +index c3e824f5e50e..1546a9bd9203 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +@@ -3750,3 +3750,4 @@ MODULE_AUTHOR("Broadcom Corporation"); + MODULE_DESCRIPTION("Broadcom GENET Ethernet controller driver"); + MODULE_ALIAS("platform:bcmgenet"); + MODULE_LICENSE("GPL"); ++MODULE_SOFTDEP("pre: mdio-bcm-unimac"); +-- +2.30.2 + diff --git a/queue-4.19/net-ethernet-aeroflex-fix-uaf-in-greth_of_remove.patch b/queue-4.19/net-ethernet-aeroflex-fix-uaf-in-greth_of_remove.patch new file mode 100644 index 00000000000..a041c479671 --- /dev/null +++ b/queue-4.19/net-ethernet-aeroflex-fix-uaf-in-greth_of_remove.patch @@ -0,0 +1,54 @@ +From dea9938a803ab3cb1c4e6efc8abe1f0e8928378f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jun 2021 17:57:31 +0300 +Subject: net: ethernet: aeroflex: fix UAF in greth_of_remove + +From: Pavel Skripkin + +[ Upstream commit e3a5de6d81d8b2199935c7eb3f7d17a50a7075b7 ] + +static int greth_of_remove(struct platform_device *of_dev) +{ +... + struct greth_private *greth = netdev_priv(ndev); +... + unregister_netdev(ndev); + free_netdev(ndev); + + of_iounmap(&of_dev->resource[0], greth->regs, resource_size(&of_dev->resource[0])); +... +} + +greth is netdev private data, but it is used +after free_netdev(). It can cause use-after-free when accessing greth +pointer. So, fix it by moving free_netdev() after of_iounmap() +call. + +Fixes: d4c41139df6e ("net: Add Aeroflex Gaisler 10/100/1G Ethernet MAC driver") +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/aeroflex/greth.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/aeroflex/greth.c b/drivers/net/ethernet/aeroflex/greth.c +index 4309be3724ad..a20e95b39cf7 100644 +--- a/drivers/net/ethernet/aeroflex/greth.c ++++ b/drivers/net/ethernet/aeroflex/greth.c +@@ -1546,10 +1546,11 @@ static int greth_of_remove(struct platform_device *of_dev) + mdiobus_unregister(greth->mdio); + + unregister_netdev(ndev); +- free_netdev(ndev); + + of_iounmap(&of_dev->resource[0], greth->regs, resource_size(&of_dev->resource[0])); + ++ free_netdev(ndev); ++ + return 0; + } + +-- +2.30.2 + diff --git a/queue-4.19/net-ethernet-ezchip-fix-error-handling.patch b/queue-4.19/net-ethernet-ezchip-fix-error-handling.patch new file mode 100644 index 00000000000..b35e6bcfa30 --- /dev/null +++ b/queue-4.19/net-ethernet-ezchip-fix-error-handling.patch @@ -0,0 +1,44 @@ +From b6faf77e7e87bf13bd89a6aaa191966e32d4dc2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jun 2021 19:14:47 +0300 +Subject: net: ethernet: ezchip: fix error handling + +From: Pavel Skripkin + +[ Upstream commit 0de449d599594f5472e00267d651615c7f2c6c1d ] + +As documented at drivers/base/platform.c for platform_get_irq: + + * Gets an IRQ for a platform device and prints an error message if finding the + * IRQ fails. Device drivers should check the return value for errors so as to + * not pass a negative integer value to the request_irq() APIs. + +So, the driver should check that platform_get_irq() return value +is _negative_, not that it's equal to zero, because -ENXIO (return +value from request_irq() if irq was not found) will +pass this check and it leads to passing negative irq to request_irq() + +Fixes: 0dd077093636 ("NET: Add ezchip ethernet driver") +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ezchip/nps_enet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/ezchip/nps_enet.c b/drivers/net/ethernet/ezchip/nps_enet.c +index fbadf08b7c5d..70ccbd11b9e7 100644 +--- a/drivers/net/ethernet/ezchip/nps_enet.c ++++ b/drivers/net/ethernet/ezchip/nps_enet.c +@@ -623,7 +623,7 @@ static s32 nps_enet_probe(struct platform_device *pdev) + + /* Get IRQ number */ + priv->irq = platform_get_irq(pdev, 0); +- if (!priv->irq) { ++ if (priv->irq < 0) { + dev_err(dev, "failed to retrieve value from device tree\n"); + err = -ENODEV; + goto out_netdev; +-- +2.30.2 + diff --git a/queue-4.19/net-ethernet-ezchip-fix-uaf-in-nps_enet_remove.patch b/queue-4.19/net-ethernet-ezchip-fix-uaf-in-nps_enet_remove.patch new file mode 100644 index 00000000000..c7a9211462a --- /dev/null +++ b/queue-4.19/net-ethernet-ezchip-fix-uaf-in-nps_enet_remove.patch @@ -0,0 +1,39 @@ +From 6658005b3ab4524f14226f31a59dfb67b18ded24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jun 2021 19:14:31 +0300 +Subject: net: ethernet: ezchip: fix UAF in nps_enet_remove + +From: Pavel Skripkin + +[ Upstream commit e4b8700e07a86e8eab6916aa5c5ba99042c34089 ] + +priv is netdev private data, but it is used +after free_netdev(). It can cause use-after-free when accessing priv +pointer. So, fix it by moving free_netdev() after netif_napi_del() +call. + +Fixes: 0dd077093636 ("NET: Add ezchip ethernet driver") +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ezchip/nps_enet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/ezchip/nps_enet.c b/drivers/net/ethernet/ezchip/nps_enet.c +index 659f1ad37e96..fbadf08b7c5d 100644 +--- a/drivers/net/ethernet/ezchip/nps_enet.c ++++ b/drivers/net/ethernet/ezchip/nps_enet.c +@@ -658,8 +658,8 @@ static s32 nps_enet_remove(struct platform_device *pdev) + struct nps_enet_priv *priv = netdev_priv(ndev); + + unregister_netdev(ndev); +- free_netdev(ndev); + netif_napi_del(&priv->napi); ++ free_netdev(ndev); + + return 0; + } +-- +2.30.2 + diff --git a/queue-4.19/net-ipv4-swap-flow-ports-when-validating-source.patch b/queue-4.19/net-ipv4-swap-flow-ports-when-validating-source.patch new file mode 100644 index 00000000000..5c2e0395b7c --- /dev/null +++ b/queue-4.19/net-ipv4-swap-flow-ports-when-validating-source.patch @@ -0,0 +1,39 @@ +From d383e5a0c5ff99469b2e90c3ef8a03a832858344 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Jun 2021 12:24:50 +0800 +Subject: net/ipv4: swap flow ports when validating source + +From: Miao Wang + +[ Upstream commit c69f114d09891adfa3e301a35d9e872b8b7b5a50 ] + +When doing source address validation, the flowi4 struct used for +fib_lookup should be in the reverse direction to the given skb. +fl4_dport and fl4_sport returned by fib4_rules_early_flow_dissect +should thus be swapped. + +Fixes: 5a847a6e1477 ("net/ipv4: Initialize proto and ports in flow struct") +Signed-off-by: Miao Wang +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/fib_frontend.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c +index b96aa88087be..70e5e9e5d835 100644 +--- a/net/ipv4/fib_frontend.c ++++ b/net/ipv4/fib_frontend.c +@@ -353,6 +353,8 @@ static int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst, + fl4.flowi4_proto = 0; + fl4.fl4_sport = 0; + fl4.fl4_dport = 0; ++ } else { ++ swap(fl4.fl4_sport, fl4.fl4_dport); + } + + if (fib_lookup(net, &fl4, &res, 0)) +-- +2.30.2 + diff --git a/queue-4.19/net-lwtunnel-handle-mtu-calculation-in-forwading.patch b/queue-4.19/net-lwtunnel-handle-mtu-calculation-in-forwading.patch new file mode 100644 index 00000000000..a2f6f2b13ea --- /dev/null +++ b/queue-4.19/net-lwtunnel-handle-mtu-calculation-in-forwading.patch @@ -0,0 +1,142 @@ +From 902a579ed536b02e2b7348b659f2c0af3f72a1bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Jun 2021 19:21:39 +0300 +Subject: net: lwtunnel: handle MTU calculation in forwading + +From: Vadim Fedorenko + +[ Upstream commit fade56410c22cacafb1be9f911a0afd3701d8366 ] + +Commit 14972cbd34ff ("net: lwtunnel: Handle fragmentation") moved +fragmentation logic away from lwtunnel by carry encap headroom and +use it in output MTU calculation. But the forwarding part was not +covered and created difference in MTU for output and forwarding and +further to silent drops on ipv4 forwarding path. Fix it by taking +into account lwtunnel encap headroom. + +The same commit also introduced difference in how to treat RTAX_MTU +in IPv4 and IPv6 where latter explicitly removes lwtunnel encap +headroom from route MTU. Make IPv4 version do the same. + +Fixes: 14972cbd34ff ("net: lwtunnel: Handle fragmentation") +Suggested-by: David Ahern +Signed-off-by: Vadim Fedorenko +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/ip.h | 12 ++++++++---- + include/net/ip6_route.h | 16 ++++++++++++---- + net/ipv4/route.c | 3 ++- + 3 files changed, 22 insertions(+), 9 deletions(-) + +diff --git a/include/net/ip.h b/include/net/ip.h +index aad003685c31..e8fa25280cbf 100644 +--- a/include/net/ip.h ++++ b/include/net/ip.h +@@ -34,6 +34,7 @@ + #include + #include + #include ++#include + + #define IPV4_MAX_PMTU 65535U /* RFC 2675, Section 5.1 */ + #define IPV4_MIN_MTU 68 /* RFC 791 */ +@@ -408,22 +409,25 @@ static inline unsigned int ip_dst_mtu_maybe_forward(const struct dst_entry *dst, + + /* 'forwarding = true' case should always honour route mtu */ + mtu = dst_metric_raw(dst, RTAX_MTU); +- if (mtu) +- return mtu; ++ if (!mtu) ++ mtu = min(READ_ONCE(dst->dev->mtu), IP_MAX_MTU); + +- return min(READ_ONCE(dst->dev->mtu), IP_MAX_MTU); ++ return mtu - lwtunnel_headroom(dst->lwtstate, mtu); + } + + static inline unsigned int ip_skb_dst_mtu(struct sock *sk, + const struct sk_buff *skb) + { ++ unsigned int mtu; ++ + if (!sk || !sk_fullsock(sk) || ip_sk_use_pmtu(sk)) { + bool forwarding = IPCB(skb)->flags & IPSKB_FORWARDED; + + return ip_dst_mtu_maybe_forward(skb_dst(skb), forwarding); + } + +- return min(READ_ONCE(skb_dst(skb)->dev->mtu), IP_MAX_MTU); ++ mtu = min(READ_ONCE(skb_dst(skb)->dev->mtu), IP_MAX_MTU); ++ return mtu - lwtunnel_headroom(skb_dst(skb)->lwtstate, mtu); + } + + int ip_metrics_convert(struct net *net, struct nlattr *fc_mx, int fc_mx_len, +diff --git a/include/net/ip6_route.h b/include/net/ip6_route.h +index 5e26d61867b2..5c38a80cee3a 100644 +--- a/include/net/ip6_route.h ++++ b/include/net/ip6_route.h +@@ -243,11 +243,18 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb, + + static inline int ip6_skb_dst_mtu(struct sk_buff *skb) + { ++ int mtu; ++ + struct ipv6_pinfo *np = skb->sk && !dev_recursion_level() ? + inet6_sk(skb->sk) : NULL; + +- return (np && np->pmtudisc >= IPV6_PMTUDISC_PROBE) ? +- skb_dst(skb)->dev->mtu : dst_mtu(skb_dst(skb)); ++ if (np && np->pmtudisc >= IPV6_PMTUDISC_PROBE) { ++ mtu = READ_ONCE(skb_dst(skb)->dev->mtu); ++ mtu -= lwtunnel_headroom(skb_dst(skb)->lwtstate, mtu); ++ } else ++ mtu = dst_mtu(skb_dst(skb)); ++ ++ return mtu; + } + + static inline bool ip6_sk_accept_pmtu(const struct sock *sk) +@@ -288,7 +295,7 @@ static inline unsigned int ip6_dst_mtu_forward(const struct dst_entry *dst) + if (dst_metric_locked(dst, RTAX_MTU)) { + mtu = dst_metric_raw(dst, RTAX_MTU); + if (mtu) +- return mtu; ++ goto out; + } + + mtu = IPV6_MIN_MTU; +@@ -298,7 +305,8 @@ static inline unsigned int ip6_dst_mtu_forward(const struct dst_entry *dst) + mtu = idev->cnf.mtu6; + rcu_read_unlock(); + +- return mtu; ++out: ++ return mtu - lwtunnel_headroom(dst->lwtstate, mtu); + } + + u32 ip6_mtu_from_fib6(struct fib6_info *f6i, struct in6_addr *daddr, +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index 484bd646df5f..1491d239385e 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -1318,7 +1318,7 @@ static unsigned int ipv4_mtu(const struct dst_entry *dst) + mtu = dst_metric_raw(dst, RTAX_MTU); + + if (mtu) +- return mtu; ++ goto out; + + mtu = READ_ONCE(dst->dev->mtu); + +@@ -1327,6 +1327,7 @@ static unsigned int ipv4_mtu(const struct dst_entry *dst) + mtu = 576; + } + ++out: + mtu = min_t(unsigned int, mtu, IP_MAX_MTU); + + return mtu - lwtunnel_headroom(dst->lwtstate, mtu); +-- +2.30.2 + diff --git a/queue-4.19/net-mvpp2-put-fwnode-in-error-case-during-probe.patch b/queue-4.19/net-mvpp2-put-fwnode-in-error-case-during-probe.patch new file mode 100644 index 00000000000..f4a92895ee7 --- /dev/null +++ b/queue-4.19/net-mvpp2-put-fwnode-in-error-case-during-probe.patch @@ -0,0 +1,40 @@ +From 2e16955c50d887ae06fd2dbaff4d8b0b20666802 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 May 2021 12:58:05 +0300 +Subject: net: mvpp2: Put fwnode in error case during ->probe() + +From: Andy Shevchenko + +[ Upstream commit 71f0891c84dfdc448736082ab0a00acd29853896 ] + +In each iteration fwnode_for_each_available_child_node() bumps a reference +counting of a loop variable followed by dropping in on a next iteration, + +Since in error case the loop is broken, we have to drop a reference count +by ourselves. Do it for port_fwnode in error case during ->probe(). + +Fixes: 248122212f68 ("net: mvpp2: use device_*/fwnode_* APIs instead of of_*") +Cc: Marcin Wojtas +Signed-off-by: Andy Shevchenko +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +index bc5cfe062b10..e65750b3c44f 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +@@ -5314,6 +5314,8 @@ static int mvpp2_probe(struct platform_device *pdev) + return 0; + + err_port_probe: ++ fwnode_handle_put(port_fwnode); ++ + i = 0; + fwnode_for_each_available_child_node(fwnode, port_fwnode) { + if (priv->port_list[i]) +-- +2.30.2 + diff --git a/queue-4.19/net-pch_gbe-propagate-error-from-devm_gpio_request_o.patch b/queue-4.19/net-pch_gbe-propagate-error-from-devm_gpio_request_o.patch new file mode 100644 index 00000000000..51d84c5c2b6 --- /dev/null +++ b/queue-4.19/net-pch_gbe-propagate-error-from-devm_gpio_request_o.patch @@ -0,0 +1,56 @@ +From 1b3504d4b80c701bc353ebf2cf2a2f6cd09eb4c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 May 2021 19:39:27 +0300 +Subject: net: pch_gbe: Propagate error from devm_gpio_request_one() + +From: Andy Shevchenko + +[ Upstream commit 9e3617a7b84512bf96c04f9cf82d1a7257d33794 ] + +If GPIO controller is not available yet we need to defer +the probe of GBE until provider will become available. + +While here, drop GPIOF_EXPORT because it's deprecated and +may not be available. + +Fixes: f1a26fdf5944 ("pch_gbe: Add MinnowBoard support") +Signed-off-by: Andy Shevchenko +Tested-by: Flavio Suligoi +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c +index 3a4225837049..70f3276539c4 100644 +--- a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c ++++ b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c +@@ -2546,9 +2546,13 @@ static int pch_gbe_probe(struct pci_dev *pdev, + adapter->pdev = pdev; + adapter->hw.back = adapter; + adapter->hw.reg = pcim_iomap_table(pdev)[PCH_GBE_PCI_BAR]; ++ + adapter->pdata = (struct pch_gbe_privdata *)pci_id->driver_data; +- if (adapter->pdata && adapter->pdata->platform_init) +- adapter->pdata->platform_init(pdev); ++ if (adapter->pdata && adapter->pdata->platform_init) { ++ ret = adapter->pdata->platform_init(pdev); ++ if (ret) ++ goto err_free_netdev; ++ } + + adapter->ptp_pdev = + pci_get_domain_bus_and_slot(pci_domain_nr(adapter->pdev->bus), +@@ -2643,7 +2647,7 @@ err_free_netdev: + */ + static int pch_gbe_minnow_platform_init(struct pci_dev *pdev) + { +- unsigned long flags = GPIOF_DIR_OUT | GPIOF_INIT_HIGH | GPIOF_EXPORT; ++ unsigned long flags = GPIOF_OUT_INIT_HIGH; + unsigned gpio = MINNOW_PHY_RESET_GPIO; + int ret; + +-- +2.30.2 + diff --git a/queue-4.19/net-sched-fix-warning-in-tcindex_alloc_perfect_hash.patch b/queue-4.19/net-sched-fix-warning-in-tcindex_alloc_perfect_hash.patch new file mode 100644 index 00000000000..a7bea044abd --- /dev/null +++ b/queue-4.19/net-sched-fix-warning-in-tcindex_alloc_perfect_hash.patch @@ -0,0 +1,40 @@ +From 42fd5fb6431bd8b85cf086c9c52618b84c51ad3d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Jun 2021 23:23:48 +0300 +Subject: net: sched: fix warning in tcindex_alloc_perfect_hash + +From: Pavel Skripkin + +[ Upstream commit 3f2db250099f46988088800052cdf2332c7aba61 ] + +Syzbot reported warning in tcindex_alloc_perfect_hash. The problem +was in too big cp->hash, which triggers warning in kmalloc. Since +cp->hash comes from userspace, there is no need to warn if value +is not correct + +Fixes: b9a24bb76bf6 ("net_sched: properly handle failure case of tcf_exts_init()") +Reported-and-tested-by: syzbot+1071ad60cd7df39fdadb@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Acked-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/cls_tcindex.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sched/cls_tcindex.c b/net/sched/cls_tcindex.c +index e41bc5ecaa09..4070197f9543 100644 +--- a/net/sched/cls_tcindex.c ++++ b/net/sched/cls_tcindex.c +@@ -276,7 +276,7 @@ static int tcindex_alloc_perfect_hash(struct net *net, struct tcindex_data *cp) + int i, err = 0; + + cp->perfect = kcalloc(cp->hash, sizeof(struct tcindex_filter_result), +- GFP_KERNEL); ++ GFP_KERNEL | __GFP_NOWARN); + if (!cp->perfect) + return -ENOMEM; + +-- +2.30.2 + diff --git a/queue-4.19/netfilter-nft_exthdr-check-for-ipv6-packet-before-fu.patch b/queue-4.19/netfilter-nft_exthdr-check-for-ipv6-packet-before-fu.patch new file mode 100644 index 00000000000..cdedc1b1a52 --- /dev/null +++ b/queue-4.19/netfilter-nft_exthdr-check-for-ipv6-packet-before-fu.patch @@ -0,0 +1,38 @@ +From 04ae2b9592e815897579f6e4c3fba7a292abc0cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jun 2021 20:20:30 +0200 +Subject: netfilter: nft_exthdr: check for IPv6 packet before further + processing + +From: Pablo Neira Ayuso + +[ Upstream commit cdd73cc545c0fb9b1a1f7b209f4f536e7990cff4 ] + +ipv6_find_hdr() does not validate that this is an IPv6 packet. Add a +sanity check for calling ipv6_find_hdr() to make sure an IPv6 packet +is passed for parsing. + +Fixes: 96518518cc41 ("netfilter: add nftables") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_exthdr.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c +index a940c9fd9045..64e69d6683ca 100644 +--- a/net/netfilter/nft_exthdr.c ++++ b/net/netfilter/nft_exthdr.c +@@ -45,6 +45,9 @@ static void nft_exthdr_ipv6_eval(const struct nft_expr *expr, + unsigned int offset = 0; + int err; + ++ if (pkt->skb->protocol != htons(ETH_P_IPV6)) ++ goto err; ++ + err = ipv6_find_hdr(pkt->skb, &offset, priv->type, NULL, NULL); + if (priv->flags & NFT_EXTHDR_F_PRESENT) { + *dest = (err >= 0); +-- +2.30.2 + diff --git a/queue-4.19/netfilter-nft_osf-check-for-tcp-packet-before-furthe.patch b/queue-4.19/netfilter-nft_osf-check-for-tcp-packet-before-furthe.patch new file mode 100644 index 00000000000..d02ab34789f --- /dev/null +++ b/queue-4.19/netfilter-nft_osf-check-for-tcp-packet-before-furthe.patch @@ -0,0 +1,40 @@ +From da684e55042597c1c92c8d2aafc6924db3e25fc3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jun 2021 20:20:31 +0200 +Subject: netfilter: nft_osf: check for TCP packet before further processing + +From: Pablo Neira Ayuso + +[ Upstream commit 8f518d43f89ae00b9cf5460e10b91694944ca1a8 ] + +The osf expression only supports for TCP packets, add a upfront sanity +check to skip packet parsing if this is not a TCP packet. + +Fixes: b96af92d6eaf ("netfilter: nf_tables: implement Passive OS fingerprint module in nft_osf") +Signed-off-by: Pablo Neira Ayuso +Reported-by: kernel test robot +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_osf.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/netfilter/nft_osf.c b/net/netfilter/nft_osf.c +index a003533ff4d9..e259454b6a64 100644 +--- a/net/netfilter/nft_osf.c ++++ b/net/netfilter/nft_osf.c +@@ -22,6 +22,11 @@ static void nft_osf_eval(const struct nft_expr *expr, struct nft_regs *regs, + struct tcphdr _tcph; + const char *os_name; + ++ if (pkt->tprot != IPPROTO_TCP) { ++ regs->verdict.code = NFT_BREAK; ++ return; ++ } ++ + tcp = skb_header_pointer(skb, ip_hdrlen(skb), + sizeof(struct tcphdr), &_tcph); + if (!tcp) { +-- +2.30.2 + diff --git a/queue-4.19/netfilter-nft_tproxy-restrict-support-to-tcp-and-udp.patch b/queue-4.19/netfilter-nft_tproxy-restrict-support-to-tcp-and-udp.patch new file mode 100644 index 00000000000..354248e49f5 --- /dev/null +++ b/queue-4.19/netfilter-nft_tproxy-restrict-support-to-tcp-and-udp.patch @@ -0,0 +1,50 @@ +From 8f9e6d4963c5704a90bc07f11a1af5d6286f2451 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jun 2021 19:26:56 +0200 +Subject: netfilter: nft_tproxy: restrict support to TCP and UDP transport + protocols + +From: Pablo Neira Ayuso + +[ Upstream commit 52f0f4e178c757b3d356087376aad8bd77271828 ] + +Add unfront check for TCP and UDP packets before performing further +processing. + +Fixes: 4ed8eb6570a4 ("netfilter: nf_tables: Add native tproxy support") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_tproxy.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_tproxy.c b/net/netfilter/nft_tproxy.c +index 95980154ef02..b97ab1198b03 100644 +--- a/net/netfilter/nft_tproxy.c ++++ b/net/netfilter/nft_tproxy.c +@@ -30,6 +30,12 @@ static void nft_tproxy_eval_v4(const struct nft_expr *expr, + __be16 tport = 0; + struct sock *sk; + ++ if (pkt->tprot != IPPROTO_TCP && ++ pkt->tprot != IPPROTO_UDP) { ++ regs->verdict.code = NFT_BREAK; ++ return; ++ } ++ + hp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_hdr), &_hdr); + if (!hp) { + regs->verdict.code = NFT_BREAK; +@@ -91,7 +97,8 @@ static void nft_tproxy_eval_v6(const struct nft_expr *expr, + + memset(&taddr, 0, sizeof(taddr)); + +- if (!pkt->tprot_set) { ++ if (pkt->tprot != IPPROTO_TCP && ++ pkt->tprot != IPPROTO_UDP) { + regs->verdict.code = NFT_BREAK; + return; + } +-- +2.30.2 + diff --git a/queue-4.19/netlabel-fix-memory-leak-in-netlbl_mgmt_add_common.patch b/queue-4.19/netlabel-fix-memory-leak-in-netlbl_mgmt_add_common.patch new file mode 100644 index 00000000000..bedd4276f78 --- /dev/null +++ b/queue-4.19/netlabel-fix-memory-leak-in-netlbl_mgmt_add_common.patch @@ -0,0 +1,114 @@ +From f1a9b9961926878f6bced3a45d97348866c7130f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jun 2021 10:14:44 +0800 +Subject: netlabel: Fix memory leak in netlbl_mgmt_add_common + +From: Liu Shixin + +[ Upstream commit b8f6b0522c298ae9267bd6584e19b942a0636910 ] + +Hulk Robot reported memory leak in netlbl_mgmt_add_common. +The problem is non-freed map in case of netlbl_domhsh_add() failed. + +BUG: memory leak +unreferenced object 0xffff888100ab7080 (size 96): + comm "syz-executor537", pid 360, jiffies 4294862456 (age 22.678s) + hex dump (first 32 bytes): + 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + fe 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ................ + backtrace: + [<0000000008b40026>] netlbl_mgmt_add_common.isra.0+0xb2a/0x1b40 + [<000000003be10950>] netlbl_mgmt_add+0x271/0x3c0 + [<00000000c70487ed>] genl_family_rcv_msg_doit.isra.0+0x20e/0x320 + [<000000001f2ff614>] genl_rcv_msg+0x2bf/0x4f0 + [<0000000089045792>] netlink_rcv_skb+0x134/0x3d0 + [<0000000020e96fdd>] genl_rcv+0x24/0x40 + [<0000000042810c66>] netlink_unicast+0x4a0/0x6a0 + [<000000002e1659f0>] netlink_sendmsg+0x789/0xc70 + [<000000006e43415f>] sock_sendmsg+0x139/0x170 + [<00000000680a73d7>] ____sys_sendmsg+0x658/0x7d0 + [<0000000065cbb8af>] ___sys_sendmsg+0xf8/0x170 + [<0000000019932b6c>] __sys_sendmsg+0xd3/0x190 + [<00000000643ac172>] do_syscall_64+0x37/0x90 + [<000000009b79d6dc>] entry_SYSCALL_64_after_hwframe+0x44/0xae + +Fixes: 63c416887437 ("netlabel: Add network address selectors to the NetLabel/LSM domain mapping") +Reported-by: Hulk Robot +Signed-off-by: Liu Shixin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/netlabel/netlabel_mgmt.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +diff --git a/net/netlabel/netlabel_mgmt.c b/net/netlabel/netlabel_mgmt.c +index 21e0095b1d14..71ba69cb50c9 100644 +--- a/net/netlabel/netlabel_mgmt.c ++++ b/net/netlabel/netlabel_mgmt.c +@@ -90,6 +90,7 @@ static const struct nla_policy netlbl_mgmt_genl_policy[NLBL_MGMT_A_MAX + 1] = { + static int netlbl_mgmt_add_common(struct genl_info *info, + struct netlbl_audit *audit_info) + { ++ void *pmap = NULL; + int ret_val = -EINVAL; + struct netlbl_domaddr_map *addrmap = NULL; + struct cipso_v4_doi *cipsov4 = NULL; +@@ -189,6 +190,7 @@ static int netlbl_mgmt_add_common(struct genl_info *info, + ret_val = -ENOMEM; + goto add_free_addrmap; + } ++ pmap = map; + map->list.addr = addr->s_addr & mask->s_addr; + map->list.mask = mask->s_addr; + map->list.valid = 1; +@@ -197,10 +199,8 @@ static int netlbl_mgmt_add_common(struct genl_info *info, + map->def.cipso = cipsov4; + + ret_val = netlbl_af4list_add(&map->list, &addrmap->list4); +- if (ret_val != 0) { +- kfree(map); +- goto add_free_addrmap; +- } ++ if (ret_val != 0) ++ goto add_free_map; + + entry->family = AF_INET; + entry->def.type = NETLBL_NLTYPE_ADDRSELECT; +@@ -237,6 +237,7 @@ static int netlbl_mgmt_add_common(struct genl_info *info, + ret_val = -ENOMEM; + goto add_free_addrmap; + } ++ pmap = map; + map->list.addr = *addr; + map->list.addr.s6_addr32[0] &= mask->s6_addr32[0]; + map->list.addr.s6_addr32[1] &= mask->s6_addr32[1]; +@@ -249,10 +250,8 @@ static int netlbl_mgmt_add_common(struct genl_info *info, + map->def.calipso = calipso; + + ret_val = netlbl_af6list_add(&map->list, &addrmap->list6); +- if (ret_val != 0) { +- kfree(map); +- goto add_free_addrmap; +- } ++ if (ret_val != 0) ++ goto add_free_map; + + entry->family = AF_INET6; + entry->def.type = NETLBL_NLTYPE_ADDRSELECT; +@@ -262,10 +261,12 @@ static int netlbl_mgmt_add_common(struct genl_info *info, + + ret_val = netlbl_domhsh_add(entry, audit_info); + if (ret_val != 0) +- goto add_free_addrmap; ++ goto add_free_map; + + return 0; + ++add_free_map: ++ kfree(pmap); + add_free_addrmap: + kfree(addrmap); + add_doi_put_def: +-- +2.30.2 + diff --git a/queue-4.19/ocfs2-fix-snprintf-checking.patch b/queue-4.19/ocfs2-fix-snprintf-checking.patch new file mode 100644 index 00000000000..7522b906e57 --- /dev/null +++ b/queue-4.19/ocfs2-fix-snprintf-checking.patch @@ -0,0 +1,85 @@ +From 3e2cb9218bc372fd0159a9e3a7c8eea2c09eb42c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Jun 2021 19:34:01 -0700 +Subject: ocfs2: fix snprintf() checking + +From: Dan Carpenter + +[ Upstream commit 54e948c60cc843b6e84dc44496edc91f51d2a28e ] + +The snprintf() function returns the number of bytes which would have been +printed if the buffer was large enough. In other words it can return ">= +remain" but this code assumes it returns "== remain". + +The run time impact of this bug is not very severe. The next iteration +through the loop would trigger a WARN() when we pass a negative limit to +snprintf(). We would then return success instead of -E2BIG. + +The kernel implementation of snprintf() will never return negatives so +there is no need to check and I have deleted that dead code. + +Link: https://lkml.kernel.org/r/20210511135350.GV1955@kadam +Fixes: a860f6eb4c6a ("ocfs2: sysfile interfaces for online file check") +Fixes: 74ae4e104dfc ("ocfs2: Create stack glue sysfs files.") +Signed-off-by: Dan Carpenter +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ocfs2/filecheck.c | 6 +----- + fs/ocfs2/stackglue.c | 8 ++------ + 2 files changed, 3 insertions(+), 11 deletions(-) + +diff --git a/fs/ocfs2/filecheck.c b/fs/ocfs2/filecheck.c +index 1906cc962c4d..345ca9e14028 100644 +--- a/fs/ocfs2/filecheck.c ++++ b/fs/ocfs2/filecheck.c +@@ -336,11 +336,7 @@ static ssize_t ocfs2_filecheck_attr_show(struct kobject *kobj, + ret = snprintf(buf + total, remain, "%lu\t\t%u\t%s\n", + p->fe_ino, p->fe_done, + ocfs2_filecheck_error(p->fe_status)); +- if (ret < 0) { +- total = ret; +- break; +- } +- if (ret == remain) { ++ if (ret >= remain) { + /* snprintf() didn't fit */ + total = -E2BIG; + break; +diff --git a/fs/ocfs2/stackglue.c b/fs/ocfs2/stackglue.c +index c4b029c43464..e7eb08ac4215 100644 +--- a/fs/ocfs2/stackglue.c ++++ b/fs/ocfs2/stackglue.c +@@ -510,11 +510,7 @@ static ssize_t ocfs2_loaded_cluster_plugins_show(struct kobject *kobj, + list_for_each_entry(p, &ocfs2_stack_list, sp_list) { + ret = snprintf(buf, remain, "%s\n", + p->sp_name); +- if (ret < 0) { +- total = ret; +- break; +- } +- if (ret == remain) { ++ if (ret >= remain) { + /* snprintf() didn't fit */ + total = -E2BIG; + break; +@@ -541,7 +537,7 @@ static ssize_t ocfs2_active_cluster_plugin_show(struct kobject *kobj, + if (active_stack) { + ret = snprintf(buf, PAGE_SIZE, "%s\n", + active_stack->sp_name); +- if (ret == PAGE_SIZE) ++ if (ret >= PAGE_SIZE) + ret = -E2BIG; + } + spin_unlock(&ocfs2_stack_lock); +-- +2.30.2 + diff --git a/queue-4.19/of-fix-truncation-of-memory-sizes-on-32-bit-platform.patch b/queue-4.19/of-fix-truncation-of-memory-sizes-on-32-bit-platform.patch new file mode 100644 index 00000000000..93ecfb95a1c --- /dev/null +++ b/queue-4.19/of-fix-truncation-of-memory-sizes-on-32-bit-platform.patch @@ -0,0 +1,87 @@ +From b0d6f36e4491ea506d88913948c793861217b4a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 11:27:44 +0200 +Subject: of: Fix truncation of memory sizes on 32-bit platforms + +From: Geert Uytterhoeven + +[ Upstream commit 2892d8a00d23d511a0591ac4b2ff3f050ae1f004 ] + +Variable "size" has type "phys_addr_t", which can be either 32-bit or +64-bit on 32-bit systems, while "unsigned long" is always 32-bit on +32-bit systems. Hence the cast in + + (unsigned long)size / SZ_1M + +may truncate a 64-bit size to 32-bit, as casts have a higher operator +precedence than divisions. + +Fix this by inverting the order of the cast and division, which should +be safe for memory blocks smaller than 4 PiB. Note that the division is +actually a shift, as SZ_1M is a power-of-two constant, hence there is no +need to use div_u64(). + +While at it, use "%lu" to format "unsigned long". + +Fixes: e8d9d1f5485b52ec ("drivers: of: add initialization code for static reserved memory") +Fixes: 3f0c8206644836e4 ("drivers: of: add initialization code for dynamic reserved memory") +Signed-off-by: Geert Uytterhoeven +Acked-by: Marek Szyprowski +Link: https://lore.kernel.org/r/4a1117e72d13d26126f57be034c20dac02f1e915.1623835273.git.geert+renesas@glider.be +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +--- + drivers/of/fdt.c | 8 ++++---- + drivers/of/of_reserved_mem.c | 8 ++++---- + 2 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c +index 800ad252cf9c..1eb6af6439ad 100644 +--- a/drivers/of/fdt.c ++++ b/drivers/of/fdt.c +@@ -576,11 +576,11 @@ static int __init __reserved_mem_reserve_reg(unsigned long node, + + if (size && + early_init_dt_reserve_memory_arch(base, size, nomap) == 0) +- pr_debug("Reserved memory: reserved region for node '%s': base %pa, size %ld MiB\n", +- uname, &base, (unsigned long)size / SZ_1M); ++ pr_debug("Reserved memory: reserved region for node '%s': base %pa, size %lu MiB\n", ++ uname, &base, (unsigned long)(size / SZ_1M)); + else +- pr_info("Reserved memory: failed to reserve memory for node '%s': base %pa, size %ld MiB\n", +- uname, &base, (unsigned long)size / SZ_1M); ++ pr_info("Reserved memory: failed to reserve memory for node '%s': base %pa, size %lu MiB\n", ++ uname, &base, (unsigned long)(size / SZ_1M)); + + len -= t_len; + if (first) { +diff --git a/drivers/of/of_reserved_mem.c b/drivers/of/of_reserved_mem.c +index 19f95552da4d..ff230ee2423f 100644 +--- a/drivers/of/of_reserved_mem.c ++++ b/drivers/of/of_reserved_mem.c +@@ -154,9 +154,9 @@ static int __init __reserved_mem_alloc_size(unsigned long node, + ret = early_init_dt_alloc_reserved_memory_arch(size, + align, start, end, nomap, &base); + if (ret == 0) { +- pr_debug("allocated memory for '%s' node: base %pa, size %ld MiB\n", ++ pr_debug("allocated memory for '%s' node: base %pa, size %lu MiB\n", + uname, &base, +- (unsigned long)size / SZ_1M); ++ (unsigned long)(size / SZ_1M)); + break; + } + len -= t_len; +@@ -166,8 +166,8 @@ static int __init __reserved_mem_alloc_size(unsigned long node, + ret = early_init_dt_alloc_reserved_memory_arch(size, align, + 0, 0, nomap, &base); + if (ret == 0) +- pr_debug("allocated memory for '%s' node: base %pa, size %ld MiB\n", +- uname, &base, (unsigned long)size / SZ_1M); ++ pr_debug("allocated memory for '%s' node: base %pa, size %lu MiB\n", ++ uname, &base, (unsigned long)(size / SZ_1M)); + } + + if (base == 0) { +-- +2.30.2 + diff --git a/queue-4.19/pata_ep93xx-fix-deferred-probing.patch b/queue-4.19/pata_ep93xx-fix-deferred-probing.patch new file mode 100644 index 00000000000..7c5156c53ee --- /dev/null +++ b/queue-4.19/pata_ep93xx-fix-deferred-probing.patch @@ -0,0 +1,39 @@ +From c0a3ba198c9ba8d1c92f1c97058b1d4c11887d78 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 Mar 2021 23:32:38 +0300 +Subject: pata_ep93xx: fix deferred probing + +From: Sergey Shtylyov + +[ Upstream commit 5c8121262484d99bffb598f39a0df445cecd8efb ] + +The driver overrides the error codes returned by platform_get_irq() to +-ENXIO, so if it returns -EPROBE_DEFER, the driver would fail the probe +permanently instead of the deferred probing. Propagate the error code +upstream, as it should have been done from the start... + +Fixes: 2fff27512600 ("PATA host controller driver for ep93xx") +Signed-off-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/509fda88-2e0d-2cc7-f411-695d7e94b136@omprussia.ru +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/pata_ep93xx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ata/pata_ep93xx.c b/drivers/ata/pata_ep93xx.c +index cc6d06c1b2c7..7ce62cdb63a5 100644 +--- a/drivers/ata/pata_ep93xx.c ++++ b/drivers/ata/pata_ep93xx.c +@@ -927,7 +927,7 @@ static int ep93xx_pata_probe(struct platform_device *pdev) + /* INT[3] (IRQ_EP93XX_EXT3) line connected as pull down */ + irq = platform_get_irq(pdev, 0); + if (irq < 0) { +- err = -ENXIO; ++ err = irq; + goto err_rel_gpio; + } + +-- +2.30.2 + diff --git a/queue-4.19/pata_octeon_cf-avoid-warn_on-in-ata_host_activate.patch b/queue-4.19/pata_octeon_cf-avoid-warn_on-in-ata_host_activate.patch new file mode 100644 index 00000000000..d0c19894074 --- /dev/null +++ b/queue-4.19/pata_octeon_cf-avoid-warn_on-in-ata_host_activate.patch @@ -0,0 +1,45 @@ +From 845f36f6aedf429d63384e95d21a38c0daf86f80 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 May 2021 23:38:54 +0300 +Subject: pata_octeon_cf: avoid WARN_ON() in ata_host_activate() + +From: Sergey Shtylyov + +[ Upstream commit bfc1f378c8953e68ccdbfe0a8c20748427488b80 ] + +Iff platform_get_irq() fails (or returns IRQ0) and thus the polling mode +has to be used, ata_host_activate() hits the WARN_ON() due to 'irq_handler' +parameter being non-NULL if the polling mode is selected. Let's only set +the pointer to the driver's IRQ handler if platform_get_irq() returns a +valid IRQ # -- this should avoid the unnecessary WARN_ON()... + +Fixes: 43f01da0f279 ("MIPS/OCTEON/ata: Convert pata_octeon_cf.c to use device tree.") +Signed-off-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/3a241167-f84d-1d25-5b9b-be910afbe666@omp.ru +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/pata_octeon_cf.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/ata/pata_octeon_cf.c b/drivers/ata/pata_octeon_cf.c +index d3d851b014a3..ac3b1fda820f 100644 +--- a/drivers/ata/pata_octeon_cf.c ++++ b/drivers/ata/pata_octeon_cf.c +@@ -898,10 +898,11 @@ static int octeon_cf_probe(struct platform_device *pdev) + return -EINVAL; + } + +- irq_handler = octeon_cf_interrupt; + i = platform_get_irq(dma_dev, 0); +- if (i > 0) ++ if (i > 0) { + irq = i; ++ irq_handler = octeon_cf_interrupt; ++ } + } + of_node_put(dma_node); + } +-- +2.30.2 + diff --git a/queue-4.19/pata_rb532_cf-fix-deferred-probing.patch b/queue-4.19/pata_rb532_cf-fix-deferred-probing.patch new file mode 100644 index 00000000000..88d5a389172 --- /dev/null +++ b/queue-4.19/pata_rb532_cf-fix-deferred-probing.patch @@ -0,0 +1,46 @@ +From ac642660715d798097003946418ba64a83403d9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Mar 2021 14:46:53 +0300 +Subject: pata_rb532_cf: fix deferred probing + +From: Sergey Shtylyov + +[ Upstream commit 2d3a62fbae8e5badc2342388f65ab2191c209cc0 ] + +The driver overrides the error codes returned by platform_get_irq() to +-ENOENT, so if it returns -EPROBE_DEFER, the driver would fail the probe +permanently instead of the deferred probing. Switch to propagating the +error code upstream, still checking/overriding IRQ0 as libata regards it +as "no IRQ" (thus polling) anyway... + +Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq") +Signed-off-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/771ced55-3efb-21f5-f21c-b99920aae611@omprussia.ru +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/pata_rb532_cf.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/ata/pata_rb532_cf.c b/drivers/ata/pata_rb532_cf.c +index 653b9a0bf727..0416a390b94c 100644 +--- a/drivers/ata/pata_rb532_cf.c ++++ b/drivers/ata/pata_rb532_cf.c +@@ -120,10 +120,12 @@ static int rb532_pata_driver_probe(struct platform_device *pdev) + } + + irq = platform_get_irq(pdev, 0); +- if (irq <= 0) { ++ if (irq < 0) { + dev_err(&pdev->dev, "no IRQ resource found\n"); +- return -ENOENT; ++ return irq; + } ++ if (!irq) ++ return -EINVAL; + + pdata = dev_get_platdata(&pdev->dev); + if (!pdata) { +-- +2.30.2 + diff --git a/queue-4.19/perf-llvm-return-enomem-when-asprintf-fails.patch b/queue-4.19/perf-llvm-return-enomem-when-asprintf-fails.patch new file mode 100644 index 00000000000..d0ddb3afce0 --- /dev/null +++ b/queue-4.19/perf-llvm-return-enomem-when-asprintf-fails.patch @@ -0,0 +1,57 @@ +From 8ed6e1252b16d6a4f238d3fe66d84a5ab5bcf526 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jul 2021 14:20:58 -0300 +Subject: perf llvm: Return -ENOMEM when asprintf() fails + +From: Arnaldo Carvalho de Melo + +[ Upstream commit c435c166dcf526ac827bc964d82cc0d5e7a1fd0b ] + +Zhihao sent a patch but it made llvm__compile_bpf() return what +asprintf() returns on error, which is just -1, but since this function +returns -errno, fix it by returning -ENOMEM for this case instead. + +Fixes: cb76371441d098 ("perf llvm: Allow passing options to llc ...") +Fixes: 5eab5a7ee032ac ("perf llvm: Display eBPF compiling command ...") +Reported-by: Hulk Robot +Reported-by: Zhihao Cheng +Cc: Alexei Starovoitov +Cc: Andrii Nakryiko +Cc: Daniel Borkmann +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Nathan Chancellor +Cc: Nick Desaulniers +Cc: Peter Zijlstra +Cc: Yu Kuai +Cc: clang-built-linux@googlegroups.com +Link: http://lore.kernel.org/lkml/20210609115945.2193194-1-chengzhihao1@huawei.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/llvm-utils.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/perf/util/llvm-utils.c b/tools/perf/util/llvm-utils.c +index 2344d86cd778..46ec9a1bb94c 100644 +--- a/tools/perf/util/llvm-utils.c ++++ b/tools/perf/util/llvm-utils.c +@@ -500,6 +500,7 @@ int llvm__compile_bpf(const char *path, void **p_obj_buf, + goto errout; + } + ++ err = -ENOMEM; + if (asprintf(&pipe_template, "%s -emit-llvm | %s -march=bpf %s -filetype=obj -o -", + template, llc_path, opts) < 0) { + pr_err("ERROR:\tnot enough memory to setup command line\n"); +@@ -520,6 +521,7 @@ int llvm__compile_bpf(const char *path, void **p_obj_buf, + + pr_debug("llvm compiling command template: %s\n", template); + ++ err = -ENOMEM; + if (asprintf(&command_echo, "echo -n \"%s\"", template) < 0) + goto errout; + +-- +2.30.2 + diff --git a/queue-4.19/phy-ti-dm816x-fix-the-error-handling-path-in-dm816x_.patch b/queue-4.19/phy-ti-dm816x-fix-the-error-handling-path-in-dm816x_.patch new file mode 100644 index 00000000000..d0c6b7356f0 --- /dev/null +++ b/queue-4.19/phy-ti-dm816x-fix-the-error-handling-path-in-dm816x_.patch @@ -0,0 +1,62 @@ +From b3f6e13f761bc3cc125da28dd8d536bb0fbf6759 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Jun 2021 15:17:43 +0200 +Subject: phy: ti: dm816x: Fix the error handling path in + 'dm816x_usb_phy_probe() + +From: Christophe JAILLET + +[ Upstream commit f7eedcb8539ddcbb6fe7791f1b4ccf43f905c72f ] + +Add an error handling path in the probe to release some resources, as +already done in the remove function. + +Fixes: 609adde838f4 ("phy: Add a driver for dm816x USB PHY") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/ac5136881f6bdec50be19b3bf73b3bc1b15ef1f1.1622898974.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/ti/phy-dm816x-usb.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/drivers/phy/ti/phy-dm816x-usb.c b/drivers/phy/ti/phy-dm816x-usb.c +index cbcce7cf0028..2ed5fe20d779 100644 +--- a/drivers/phy/ti/phy-dm816x-usb.c ++++ b/drivers/phy/ti/phy-dm816x-usb.c +@@ -246,19 +246,28 @@ static int dm816x_usb_phy_probe(struct platform_device *pdev) + + pm_runtime_enable(phy->dev); + generic_phy = devm_phy_create(phy->dev, NULL, &ops); +- if (IS_ERR(generic_phy)) +- return PTR_ERR(generic_phy); ++ if (IS_ERR(generic_phy)) { ++ error = PTR_ERR(generic_phy); ++ goto clk_unprepare; ++ } + + phy_set_drvdata(generic_phy, phy); + + phy_provider = devm_of_phy_provider_register(phy->dev, + of_phy_simple_xlate); +- if (IS_ERR(phy_provider)) +- return PTR_ERR(phy_provider); ++ if (IS_ERR(phy_provider)) { ++ error = PTR_ERR(phy_provider); ++ goto clk_unprepare; ++ } + + usb_add_phy_dev(&phy->phy); + + return 0; ++ ++clk_unprepare: ++ pm_runtime_disable(phy->dev); ++ clk_unprepare(phy->refclk); ++ return error; + } + + static int dm816x_usb_phy_remove(struct platform_device *pdev) +-- +2.30.2 + diff --git a/queue-4.19/pkt_sched-sch_qfq-fix-qfq_change_class-error-path.patch b/queue-4.19/pkt_sched-sch_qfq-fix-qfq_change_class-error-path.patch new file mode 100644 index 00000000000..6682f7fb19a --- /dev/null +++ b/queue-4.19/pkt_sched-sch_qfq-fix-qfq_change_class-error-path.patch @@ -0,0 +1,203 @@ +From 64744252dc8fa8f6f0494b227480157b33581b8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Jun 2021 10:54:49 -0700 +Subject: pkt_sched: sch_qfq: fix qfq_change_class() error path + +From: Eric Dumazet + +[ Upstream commit 0cd58e5c53babb9237b741dbef711f0a9eb6d3fd ] + +If qfq_change_class() is unable to allocate memory for qfq_aggregate, +it frees the class that has been inserted in the class hash table, +but does not unhash it. + +Defer the insertion after the problematic allocation. + +BUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:884 [inline] +BUG: KASAN: use-after-free in qdisc_class_hash_insert+0x200/0x210 net/sched/sch_api.c:731 +Write of size 8 at addr ffff88814a534f10 by task syz-executor.4/31478 + +CPU: 0 PID: 31478 Comm: syz-executor.4 Not tainted 5.13.0-rc6-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:79 [inline] + dump_stack+0x141/0x1d7 lib/dump_stack.c:120 + print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:233 + __kasan_report mm/kasan/report.c:419 [inline] + kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:436 + hlist_add_head include/linux/list.h:884 [inline] + qdisc_class_hash_insert+0x200/0x210 net/sched/sch_api.c:731 + qfq_change_class+0x96c/0x1990 net/sched/sch_qfq.c:489 + tc_ctl_tclass+0x514/0xe50 net/sched/sch_api.c:2113 + rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5564 + netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504 + netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline] + netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1340 + netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1929 + sock_sendmsg_nosec net/socket.c:654 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:674 + ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350 + ___sys_sendmsg+0xf3/0x170 net/socket.c:2404 + __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433 + do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47 + entry_SYSCALL_64_after_hwframe+0x44/0xae +RIP: 0033:0x4665d9 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007fdc7b5f0188 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9 +RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003 +RBP: 00007fdc7b5f01d0 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002 +R13: 00007ffcf7310b3f R14: 00007fdc7b5f0300 R15: 0000000000022000 + +Allocated by task 31445: + kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 + kasan_set_track mm/kasan/common.c:46 [inline] + set_alloc_info mm/kasan/common.c:428 [inline] + ____kasan_kmalloc mm/kasan/common.c:507 [inline] + ____kasan_kmalloc mm/kasan/common.c:466 [inline] + __kasan_kmalloc+0x9b/0xd0 mm/kasan/common.c:516 + kmalloc include/linux/slab.h:556 [inline] + kzalloc include/linux/slab.h:686 [inline] + qfq_change_class+0x705/0x1990 net/sched/sch_qfq.c:464 + tc_ctl_tclass+0x514/0xe50 net/sched/sch_api.c:2113 + rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5564 + netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504 + netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline] + netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1340 + netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1929 + sock_sendmsg_nosec net/socket.c:654 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:674 + ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350 + ___sys_sendmsg+0xf3/0x170 net/socket.c:2404 + __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433 + do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Freed by task 31445: + kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 + kasan_set_track+0x1c/0x30 mm/kasan/common.c:46 + kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:357 + ____kasan_slab_free mm/kasan/common.c:360 [inline] + ____kasan_slab_free mm/kasan/common.c:325 [inline] + __kasan_slab_free+0xfb/0x130 mm/kasan/common.c:368 + kasan_slab_free include/linux/kasan.h:212 [inline] + slab_free_hook mm/slub.c:1583 [inline] + slab_free_freelist_hook+0xdf/0x240 mm/slub.c:1608 + slab_free mm/slub.c:3168 [inline] + kfree+0xe5/0x7f0 mm/slub.c:4212 + qfq_change_class+0x10fb/0x1990 net/sched/sch_qfq.c:518 + tc_ctl_tclass+0x514/0xe50 net/sched/sch_api.c:2113 + rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5564 + netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504 + netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline] + netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1340 + netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1929 + sock_sendmsg_nosec net/socket.c:654 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:674 + ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350 + ___sys_sendmsg+0xf3/0x170 net/socket.c:2404 + __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433 + do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +The buggy address belongs to the object at ffff88814a534f00 + which belongs to the cache kmalloc-128 of size 128 +The buggy address is located 16 bytes inside of + 128-byte region [ffff88814a534f00, ffff88814a534f80) +The buggy address belongs to the page: +page:ffffea0005294d00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14a534 +flags: 0x57ff00000000200(slab|node=1|zone=2|lastcpupid=0x7ff) +raw: 057ff00000000200 ffffea00004fee00 0000000600000006 ffff8880110418c0 +raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected +page_owner tracks the page as allocated +page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 29797, ts 604817765317, free_ts 604810151744 + prep_new_page mm/page_alloc.c:2358 [inline] + get_page_from_freelist+0x1033/0x2b60 mm/page_alloc.c:3994 + __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5200 + alloc_pages+0x18c/0x2a0 mm/mempolicy.c:2272 + alloc_slab_page mm/slub.c:1646 [inline] + allocate_slab+0x2c5/0x4c0 mm/slub.c:1786 + new_slab mm/slub.c:1849 [inline] + new_slab_objects mm/slub.c:2595 [inline] + ___slab_alloc+0x4a1/0x810 mm/slub.c:2758 + __slab_alloc.constprop.0+0xa7/0xf0 mm/slub.c:2798 + slab_alloc_node mm/slub.c:2880 [inline] + slab_alloc mm/slub.c:2922 [inline] + __kmalloc+0x315/0x330 mm/slub.c:4050 + kmalloc include/linux/slab.h:561 [inline] + kzalloc include/linux/slab.h:686 [inline] + __register_sysctl_table+0x112/0x1090 fs/proc/proc_sysctl.c:1318 + mpls_dev_sysctl_register+0x1b7/0x2d0 net/mpls/af_mpls.c:1421 + mpls_add_dev net/mpls/af_mpls.c:1472 [inline] + mpls_dev_notify+0x214/0x8b0 net/mpls/af_mpls.c:1588 + notifier_call_chain+0xb5/0x200 kernel/notifier.c:83 + call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2121 + call_netdevice_notifiers_extack net/core/dev.c:2133 [inline] + call_netdevice_notifiers net/core/dev.c:2147 [inline] + register_netdevice+0x106b/0x1500 net/core/dev.c:10312 + veth_newlink+0x585/0xac0 drivers/net/veth.c:1547 + __rtnl_newlink+0x1062/0x1710 net/core/rtnetlink.c:3452 + rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3500 +page last free stack trace: + reset_page_owner include/linux/page_owner.h:24 [inline] + free_pages_prepare mm/page_alloc.c:1298 [inline] + free_pcp_prepare+0x223/0x300 mm/page_alloc.c:1342 + free_unref_page_prepare mm/page_alloc.c:3250 [inline] + free_unref_page+0x12/0x1d0 mm/page_alloc.c:3298 + __vunmap+0x783/0xb60 mm/vmalloc.c:2566 + free_work+0x58/0x70 mm/vmalloc.c:80 + process_one_work+0x98d/0x1600 kernel/workqueue.c:2276 + worker_thread+0x64c/0x1120 kernel/workqueue.c:2422 + kthread+0x3b1/0x4a0 kernel/kthread.c:313 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 + +Memory state around the buggy address: + ffff88814a534e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff88814a534e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +>ffff88814a534f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff88814a534f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff88814a535000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + +Fixes: 462dbc9101acd ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/sch_qfq.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c +index bb1a9c11fc54..a93402fe1a9f 100644 +--- a/net/sched/sch_qfq.c ++++ b/net/sched/sch_qfq.c +@@ -497,11 +497,6 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid, + + if (cl->qdisc != &noop_qdisc) + qdisc_hash_add(cl->qdisc, true); +- sch_tree_lock(sch); +- qdisc_class_hash_insert(&q->clhash, &cl->common); +- sch_tree_unlock(sch); +- +- qdisc_class_hash_grow(sch, &q->clhash); + + set_change_agg: + sch_tree_lock(sch); +@@ -519,8 +514,11 @@ set_change_agg: + } + if (existing) + qfq_deact_rm_from_agg(q, cl); ++ else ++ qdisc_class_hash_insert(&q->clhash, &cl->common); + qfq_add_to_agg(q, new_agg, cl); + sch_tree_unlock(sch); ++ qdisc_class_hash_grow(sch, &q->clhash); + + *arg = (unsigned long)cl; + return 0; +-- +2.30.2 + diff --git a/queue-4.19/platform-x86-toshiba_acpi-fix-missing-error-code-in-.patch b/queue-4.19/platform-x86-toshiba_acpi-fix-missing-error-code-in-.patch new file mode 100644 index 00000000000..38b71a261f9 --- /dev/null +++ b/queue-4.19/platform-x86-toshiba_acpi-fix-missing-error-code-in-.patch @@ -0,0 +1,42 @@ +From 98ff9d75a52c678fdafd3ee56fea6aeb8f548c08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jun 2021 18:05:48 +0800 +Subject: platform/x86: toshiba_acpi: Fix missing error code in + toshiba_acpi_setup_keyboard() + +From: Jiapeng Chong + +[ Upstream commit 28e367127718a9cb85d615a71e152f7acee41bfc ] + +The error code is missing in this code scenario, add the error code +'-EINVAL' to the return value 'error'. + +Eliminate the follow smatch warning: + +drivers/platform/x86/toshiba_acpi.c:2834 toshiba_acpi_setup_keyboard() +warn: missing error code 'error'. + +Reported-by: Abaci Robot +Signed-off-by: Jiapeng Chong +Link: https://lore.kernel.org/r/1622628348-87035-1-git-send-email-jiapeng.chong@linux.alibaba.com +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/toshiba_acpi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/platform/x86/toshiba_acpi.c b/drivers/platform/x86/toshiba_acpi.c +index 8c3e9bac4754..bed2fd56a6d0 100644 +--- a/drivers/platform/x86/toshiba_acpi.c ++++ b/drivers/platform/x86/toshiba_acpi.c +@@ -2853,6 +2853,7 @@ static int toshiba_acpi_setup_keyboard(struct toshiba_acpi_dev *dev) + + if (!dev->info_supported && !dev->system_event_supported) { + pr_warn("No hotkey query interface found\n"); ++ error = -EINVAL; + goto err_remove_filter; + } + +-- +2.30.2 + diff --git a/queue-4.19/powerpc-offline-cpu-in-stop_this_cpu.patch b/queue-4.19/powerpc-offline-cpu-in-stop_this_cpu.patch new file mode 100644 index 00000000000..f45bd75b2a1 --- /dev/null +++ b/queue-4.19/powerpc-offline-cpu-in-stop_this_cpu.patch @@ -0,0 +1,61 @@ +From dbbe9ec5729e087e4ca9cd8c3b27b16ecdf02d23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Jun 2021 14:12:45 +1000 +Subject: powerpc: Offline CPU in stop_this_cpu() + +From: Nicholas Piggin + +[ Upstream commit bab26238bbd44d5a4687c0a64fd2c7f2755ea937 ] + +printk_safe_flush_on_panic() has special lock breaking code for the case +where we panic()ed with the console lock held. It relies on panic IPI +causing other CPUs to mark themselves offline. + +Do as most other architectures do. + +This effectively reverts commit de6e5d38417e ("powerpc: smp_send_stop do +not offline stopped CPUs"), unfortunately it may result in some false +positive warnings, but the alternative is more situations where we can +crash without getting messages out. + +Fixes: de6e5d38417e ("powerpc: smp_send_stop do not offline stopped CPUs") +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210623041245.865134-1-npiggin@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/smp.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/arch/powerpc/kernel/smp.c b/arch/powerpc/kernel/smp.c +index a9ec4467705c..14adfeacfa46 100644 +--- a/arch/powerpc/kernel/smp.c ++++ b/arch/powerpc/kernel/smp.c +@@ -570,6 +570,8 @@ static void nmi_stop_this_cpu(struct pt_regs *regs) + /* + * IRQs are already hard disabled by the smp_handle_nmi_ipi. + */ ++ set_cpu_online(smp_processor_id(), false); ++ + spin_begin(); + while (1) + spin_cpu_relax(); +@@ -585,6 +587,15 @@ void smp_send_stop(void) + static void stop_this_cpu(void *dummy) + { + hard_irq_disable(); ++ ++ /* ++ * Offlining CPUs in stop_this_cpu can result in scheduler warnings, ++ * (see commit de6e5d38417e), but printk_safe_flush_on_panic() wants ++ * to know other CPUs are offline before it breaks locks to flush ++ * printk buffers, in case we panic()ed while holding the lock. ++ */ ++ set_cpu_online(smp_processor_id(), false); ++ + spin_begin(); + while (1) + spin_cpu_relax(); +-- +2.30.2 + diff --git a/queue-4.19/random32-fix-implicit-truncation-warning-in-prandom_.patch b/queue-4.19/random32-fix-implicit-truncation-warning-in-prandom_.patch new file mode 100644 index 00000000000..2d6b3c1664c --- /dev/null +++ b/queue-4.19/random32-fix-implicit-truncation-warning-in-prandom_.patch @@ -0,0 +1,48 @@ +From 1f06667a6a20ca3427b87cfc613ed08c7714584a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 May 2021 13:20:12 +0100 +Subject: random32: Fix implicit truncation warning in prandom_seed_state() + +From: Richard Fitzgerald + +[ Upstream commit d327ea15a305024ef0085252fa3657bbb1ce25f5 ] + +sparse generates the following warning: + + include/linux/prandom.h:114:45: sparse: sparse: cast truncates bits from + constant value + +This is because the 64-bit seed value is manipulated and then placed in a +u32, causing an implicit cast and truncation. A forced cast to u32 doesn't +prevent this warning, which is reasonable because a typecast doesn't prove +that truncation was expected. + +Logical-AND the value with 0xffffffff to make explicit that truncation to +32-bit is intended. + +Reported-by: kernel test robot +Signed-off-by: Richard Fitzgerald +Reviewed-by: Petr Mladek +Signed-off-by: Petr Mladek +Link: https://lore.kernel.org/r/20210525122012.6336-3-rf@opensource.cirrus.com +Signed-off-by: Sasha Levin +--- + include/linux/prandom.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/prandom.h b/include/linux/prandom.h +index cc1e71334e53..e20339c78a84 100644 +--- a/include/linux/prandom.h ++++ b/include/linux/prandom.h +@@ -93,7 +93,7 @@ static inline u32 __seed(u32 x, u32 m) + */ + static inline void prandom_seed_state(struct rnd_state *state, u64 seed) + { +- u32 i = (seed >> 32) ^ (seed << 10) ^ seed; ++ u32 i = ((seed >> 32) ^ (seed << 10) ^ seed) & 0xffffffffUL; + + state->s1 = __seed(i, 2U); + state->s2 = __seed(i, 8U); +-- +2.30.2 + diff --git a/queue-4.19/rdma-mlx5-don-t-access-null-cleared-mpi-pointer.patch b/queue-4.19/rdma-mlx5-don-t-access-null-cleared-mpi-pointer.patch new file mode 100644 index 00000000000..ed0ea4faaea --- /dev/null +++ b/queue-4.19/rdma-mlx5-don-t-access-null-cleared-mpi-pointer.patch @@ -0,0 +1,93 @@ +From 19efe2631a039d8303d7bb453e32eb09bd128b84 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Jun 2021 11:51:38 +0300 +Subject: RDMA/mlx5: Don't access NULL-cleared mpi pointer + +From: Leon Romanovsky + +[ Upstream commit 4a754d7637026b42b0c9ba5787ad5ee3bc2ff77f ] + +The "dev->port[i].mp.mpi" is set to NULL during mlx5_ib_unbind_slave_port() +execution, however that field is needed to add device to unaffiliated list. + +Such flow causes to the following kernel panic while unloading mlx5_ib +module in multi-port mode, hence the device should be added to the list +prior to unbind call. + + RPC: Unregistered rdma transport module. + RPC: Unregistered rdma backchannel transport module. + BUG: kernel NULL pointer dereference, address: 0000000000000000 + #PF: supervisor write access in kernel mode + #PF: error_code(0x0002) - not-present page + PGD 0 P4D 0 + Oops: 0002 [#1] SMP NOPTI + CPU: 4 PID: 1904 Comm: modprobe Not tainted 5.13.0-rc7_for_upstream_min_debug_2021_06_24_12_08 #1 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 + RIP: 0010:mlx5_ib_cleanup_multiport_master+0x18b/0x2d0 [mlx5_ib] + Code: 00 04 0f 85 c4 00 00 00 48 89 df e8 ef fa ff ff 48 8b 83 40 0d 00 00 48 8b 15 b9 e8 05 00 4a 8b 44 28 20 48 89 05 ad e8 05 00 <48> c7 00 d0 57 c5 a0 48 89 50 08 48 89 02 39 ab 88 0a 00 00 0f 86 + RSP: 0018:ffff888116ee3df8 EFLAGS: 00010296 + RAX: 0000000000000000 RBX: ffff8881154f6000 RCX: 0000000000000080 + RDX: ffffffffa0c557d0 RSI: ffff88810b69d200 RDI: 000000000002d8a0 + RBP: 0000000000000002 R08: ffff888110780408 R09: 0000000000000000 + R10: ffff88812452e1c0 R11: fffffffffff7e028 R12: 0000000000000000 + R13: 0000000000000080 R14: ffff888102c58000 R15: 0000000000000000 + FS: 00007f884393a740(0000) GS:ffff8882f5a00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000000 CR3: 00000001249f6004 CR4: 0000000000370ea0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + mlx5_ib_stage_init_cleanup+0x16/0xd0 [mlx5_ib] + __mlx5_ib_remove+0x33/0x90 [mlx5_ib] + mlx5r_remove+0x22/0x30 [mlx5_ib] + auxiliary_bus_remove+0x18/0x30 + __device_release_driver+0x177/0x220 + driver_detach+0xc4/0x100 + bus_remove_driver+0x58/0xd0 + auxiliary_driver_unregister+0x12/0x20 + mlx5_ib_cleanup+0x13/0x897 [mlx5_ib] + __x64_sys_delete_module+0x154/0x230 + ? exit_to_user_mode_prepare+0x104/0x140 + do_syscall_64+0x3f/0x80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + RIP: 0033:0x7f8842e095c7 + Code: 73 01 c3 48 8b 0d d9 48 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a9 48 2c 00 f7 d8 64 89 01 48 + RSP: 002b:00007ffc68f6e758 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0 + RAX: ffffffffffffffda RBX: 00005638207929c0 RCX: 00007f8842e095c7 + RDX: 0000000000000000 RSI: 0000000000000800 RDI: 0000563820792a28 + RBP: 00005638207929c0 R08: 00007ffc68f6d701 R09: 0000000000000000 + R10: 00007f8842e82880 R11: 0000000000000206 R12: 0000563820792a28 + R13: 0000000000000001 R14: 0000563820792a28 R15: 00007ffc68f6fb40 + Modules linked in: xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat xt_addrtype xt_conntrack nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter overlay rdma_ucm ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_ipoib ib_cm ib_umad mlx5_ib(-) mlx4_ib ib_uverbs ib_core mlx4_en mlx4_core mlx5_core ptp pps_core [last unloaded: rpcrdma] + CR2: 0000000000000000 + ---[ end trace a0bb7e20804e9e9b ]--- + +Fixes: 7ce6095e3bff ("RDMA/mlx5: Don't add slave port to unaffiliated list") +Link: https://lore.kernel.org/r/899ac1b33a995be5ec0e16a4765c4e43c2b1ba5b.1624956444.git.leonro@nvidia.com +Reviewed-by: Itay Aveksis +Reviewed-by: Maor Gottlieb +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c +index eaf9de421f8d..1688c06d5c3c 100644 +--- a/drivers/infiniband/hw/mlx5/main.c ++++ b/drivers/infiniband/hw/mlx5/main.c +@@ -5522,9 +5522,9 @@ static void mlx5_ib_cleanup_multiport_master(struct mlx5_ib_dev *dev) + dev->port[i].mp.mpi = NULL; + } else { + mlx5_ib_dbg(dev, "unbinding port_num: %d\n", i + 1); +- mlx5_ib_unbind_slave_port(dev, dev->port[i].mp.mpi); + list_add_tail(&dev->port[i].mp.mpi->list, + &mlx5_ib_unaffiliated_port_list); ++ mlx5_ib_unbind_slave_port(dev, dev->port[i].mp.mpi); + } + } + } +-- +2.30.2 + diff --git a/queue-4.19/rdma-mlx5-don-t-add-slave-port-to-unaffiliated-list.patch b/queue-4.19/rdma-mlx5-don-t-add-slave-port-to-unaffiliated-list.patch new file mode 100644 index 00000000000..d95aed73a4e --- /dev/null +++ b/queue-4.19/rdma-mlx5-don-t-add-slave-port-to-unaffiliated-list.patch @@ -0,0 +1,49 @@ +From 6f80c30d8e2f3ba6ba1cb48f53222c9f64bf70a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 May 2021 19:04:44 +0300 +Subject: RDMA/mlx5: Don't add slave port to unaffiliated list + +From: Leon Romanovsky + +[ Upstream commit 7ce6095e3bff8e20ce018b050960b527e298f7df ] + +The mlx5_ib_bind_slave_port() doesn't remove multiport device from the +unaffiliated list, but mlx5_ib_unbind_slave_port() did it. This unbalanced +flow caused to the situation where mlx5_ib_unaffiliated_port_list was +changed during iteration. + +Fixes: 32f69e4be269 ("{net, IB}/mlx5: Manage port association for multiport RoCE") +Link: https://lore.kernel.org/r/2726e6603b1e6ecfe76aa5a12a063af72173bcf7.1622477058.git.leonro@nvidia.com +Reported-by: Dan Carpenter +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c +index 13513466df01..eaf9de421f8d 100644 +--- a/drivers/infiniband/hw/mlx5/main.c ++++ b/drivers/infiniband/hw/mlx5/main.c +@@ -5374,8 +5374,6 @@ static void mlx5_ib_unbind_slave_port(struct mlx5_ib_dev *ibdev, + + port->mp.mpi = NULL; + +- list_add_tail(&mpi->list, &mlx5_ib_unaffiliated_port_list); +- + spin_unlock(&port->mp.mpi_lock); + + err = mlx5_nic_vport_unaffiliate_multiport(mpi->mdev); +@@ -5525,6 +5523,8 @@ static void mlx5_ib_cleanup_multiport_master(struct mlx5_ib_dev *dev) + } else { + mlx5_ib_dbg(dev, "unbinding port_num: %d\n", i + 1); + mlx5_ib_unbind_slave_port(dev, dev->port[i].mp.mpi); ++ list_add_tail(&dev->port[i].mp.mpi->list, ++ &mlx5_ib_unaffiliated_port_list); + } + } + } +-- +2.30.2 + diff --git a/queue-4.19/rdma-rxe-fix-failure-during-driver-load.patch b/queue-4.19/rdma-rxe-fix-failure-during-driver-load.patch new file mode 100644 index 00000000000..779d868b873 --- /dev/null +++ b/queue-4.19/rdma-rxe-fix-failure-during-driver-load.patch @@ -0,0 +1,58 @@ +From 34d50fe242a14c6ff78f0f118c396e90d0116342 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jun 2021 12:01:12 +0300 +Subject: RDMA/rxe: Fix failure during driver load + +From: Kamal Heib + +[ Upstream commit 32a25f2ea690dfaace19f7a3a916f5d7e1ddafe8 ] + +To avoid the following failure when trying to load the rdma_rxe module +while IPv6 is disabled, add a check for EAFNOSUPPORT and ignore the +failure, also delete the needless debug print from rxe_setup_udp_tunnel(). + +$ modprobe rdma_rxe +modprobe: ERROR: could not insert 'rdma_rxe': Operation not permitted + +Fixes: dfdd6158ca2c ("IB/rxe: Fix kernel panic in udp_setup_tunnel") +Link: https://lore.kernel.org/r/20210603090112.36341-1-kamalheib1@gmail.com +Reported-by: Yi Zhang +Signed-off-by: Kamal Heib +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_net.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_net.c b/drivers/infiniband/sw/rxe/rxe_net.c +index 04bfc36cc8d7..5874e8e8253d 100644 +--- a/drivers/infiniband/sw/rxe/rxe_net.c ++++ b/drivers/infiniband/sw/rxe/rxe_net.c +@@ -290,10 +290,8 @@ static struct socket *rxe_setup_udp_tunnel(struct net *net, __be16 port, + + /* Create UDP socket */ + err = udp_sock_create(net, &udp_cfg, &sock); +- if (err < 0) { +- pr_err("failed to create udp socket. err = %d\n", err); ++ if (err < 0) + return ERR_PTR(err); +- } + + tnl_cfg.encap_type = 1; + tnl_cfg.encap_rcv = rxe_udp_encap_recv; +@@ -717,6 +715,12 @@ static int rxe_net_ipv6_init(void) + + recv_sockets.sk6 = rxe_setup_udp_tunnel(&init_net, + htons(ROCE_V2_UDP_DPORT), true); ++ if (PTR_ERR(recv_sockets.sk6) == -EAFNOSUPPORT) { ++ recv_sockets.sk6 = NULL; ++ pr_warn("IPv6 is not supported, can not create a UDPv6 socket\n"); ++ return 0; ++ } ++ + if (IS_ERR(recv_sockets.sk6)) { + recv_sockets.sk6 = NULL; + pr_err("Failed to create IPv6 UDP tunnel\n"); +-- +2.30.2 + diff --git a/queue-4.19/rdma-rxe-fix-qp-reference-counting-for-atomic-ops.patch b/queue-4.19/rdma-rxe-fix-qp-reference-counting-for-atomic-ops.patch new file mode 100644 index 00000000000..bec037b7bbc --- /dev/null +++ b/queue-4.19/rdma-rxe-fix-qp-reference-counting-for-atomic-ops.patch @@ -0,0 +1,60 @@ +From e27f46a86dc6f653c08caa79920c888ddf6cbe24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Jun 2021 18:05:59 -0500 +Subject: RDMA/rxe: Fix qp reference counting for atomic ops + +From: Bob Pearson + +[ Upstream commit 15ae1375ea91ae2dee6f12d71a79d8c0a10a30bf ] + +Currently the rdma_rxe driver attempts to protect atomic responder +resources by taking a reference to the qp which is only freed when the +resource is recycled for a new read or atomic operation. This means that +in normal circumstances there is almost always an extra qp reference once +an atomic operation has been executed which prevents cleaning up the qp +and associated pd and cqs when the qp is destroyed. + +This patch removes the call to rxe_add_ref() in send_atomic_ack() and the +call to rxe_drop_ref() in free_rd_atomic_resource(). If the qp is +destroyed while a peer is retrying an atomic op it will cause the +operation to fail which is acceptable. + +Link: https://lore.kernel.org/r/20210604230558.4812-1-rpearsonhpe@gmail.com +Reported-by: Zhu Yanjun +Fixes: 86af61764151 ("IB/rxe: remove unnecessary skb_clone") +Signed-off-by: Bob Pearson +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_qp.c | 1 - + drivers/infiniband/sw/rxe/rxe_resp.c | 2 -- + 2 files changed, 3 deletions(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c +index 41c9ede98c26..4798b718b085 100644 +--- a/drivers/infiniband/sw/rxe/rxe_qp.c ++++ b/drivers/infiniband/sw/rxe/rxe_qp.c +@@ -151,7 +151,6 @@ static void free_rd_atomic_resources(struct rxe_qp *qp) + void free_rd_atomic_resource(struct rxe_qp *qp, struct resp_res *res) + { + if (res->type == RXE_ATOMIC_MASK) { +- rxe_drop_ref(qp); + kfree_skb(res->atomic.skb); + } else if (res->type == RXE_READ_MASK) { + if (res->read.mr) +diff --git a/drivers/infiniband/sw/rxe/rxe_resp.c b/drivers/infiniband/sw/rxe/rxe_resp.c +index 9078cfd3b8bd..b36d364f0fb5 100644 +--- a/drivers/infiniband/sw/rxe/rxe_resp.c ++++ b/drivers/infiniband/sw/rxe/rxe_resp.c +@@ -999,8 +999,6 @@ static int send_atomic_ack(struct rxe_qp *qp, struct rxe_pkt_info *pkt, + goto out; + } + +- rxe_add_ref(qp); +- + res = &qp->resp.resources[qp->resp.res_head]; + free_rd_atomic_resource(qp, res); + rxe_advance_resp_resource(qp); +-- +2.30.2 + diff --git a/queue-4.19/regulator-da9052-ensure-enough-delay-time-for-.set_v.patch b/queue-4.19/regulator-da9052-ensure-enough-delay-time-for-.set_v.patch new file mode 100644 index 00000000000..3014f29e2ed --- /dev/null +++ b/queue-4.19/regulator-da9052-ensure-enough-delay-time-for-.set_v.patch @@ -0,0 +1,39 @@ +From e3637ab0ec749aeb14df4b33806d47e9f56cbd10 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jun 2021 22:14:11 +0800 +Subject: regulator: da9052: Ensure enough delay time for .set_voltage_time_sel + +From: Axel Lin + +[ Upstream commit a336dc8f683e5be794186b5643cd34cb28dd2c53 ] + +Use DIV_ROUND_UP to prevent truncation by integer division issue. +This ensures we return enough delay time. + +Also fix returning negative value when new_sel < old_sel. + +Signed-off-by: Axel Lin +Link: https://lore.kernel.org/r/20210618141412.4014912-1-axel.lin@ingics.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/da9052-regulator.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/regulator/da9052-regulator.c b/drivers/regulator/da9052-regulator.c +index 9ececfef42d6..bd91c95f73e0 100644 +--- a/drivers/regulator/da9052-regulator.c ++++ b/drivers/regulator/da9052-regulator.c +@@ -258,7 +258,8 @@ static int da9052_regulator_set_voltage_time_sel(struct regulator_dev *rdev, + case DA9052_ID_BUCK3: + case DA9052_ID_LDO2: + case DA9052_ID_LDO3: +- ret = (new_sel - old_sel) * info->step_uV / 6250; ++ ret = DIV_ROUND_UP(abs(new_sel - old_sel) * info->step_uV, ++ 6250); + break; + } + +-- +2.30.2 + diff --git a/queue-4.19/regulator-uniphier-add-missing-module_device_table.patch b/queue-4.19/regulator-uniphier-add-missing-module_device_table.patch new file mode 100644 index 00000000000..193514b8c29 --- /dev/null +++ b/queue-4.19/regulator-uniphier-add-missing-module_device_table.patch @@ -0,0 +1,37 @@ +From e5d596e8058274a39a37f154a70fb875d4a2c6c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 May 2021 11:53:18 +0800 +Subject: regulator: uniphier: Add missing MODULE_DEVICE_TABLE + +From: Zou Wei + +[ Upstream commit d019f38a1af3c6015cde6a47951a3ec43beeed80 ] + +This patch adds missing MODULE_DEVICE_TABLE definition which generates +correct modalias for automatic loading of this driver when it is built +as an external module. + +Reported-by: Hulk Robot +Signed-off-by: Zou Wei +Link: https://lore.kernel.org/r/1620705198-104566-1-git-send-email-zou_wei@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/uniphier-regulator.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/regulator/uniphier-regulator.c b/drivers/regulator/uniphier-regulator.c +index abf22acbd13e..a2e3654b6332 100644 +--- a/drivers/regulator/uniphier-regulator.c ++++ b/drivers/regulator/uniphier-regulator.c +@@ -197,6 +197,7 @@ static const struct of_device_id uniphier_regulator_match[] = { + }, + { /* Sentinel */ }, + }; ++MODULE_DEVICE_TABLE(of, uniphier_regulator_match); + + static struct platform_driver uniphier_regulator_driver = { + .probe = uniphier_regulator_probe, +-- +2.30.2 + diff --git a/queue-4.19/revert-ibmvnic-remove-duplicate-napi_schedule-call-i.patch b/queue-4.19/revert-ibmvnic-remove-duplicate-napi_schedule-call-i.patch new file mode 100644 index 00000000000..0d6121b3f12 --- /dev/null +++ b/queue-4.19/revert-ibmvnic-remove-duplicate-napi_schedule-call-i.patch @@ -0,0 +1,46 @@ +From bfc81eb3d6ef47bb705e415b887f59b89482ac3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Jun 2021 21:13:11 -0700 +Subject: Revert "ibmvnic: remove duplicate napi_schedule call in open + function" + +From: Dany Madden + +[ Upstream commit 2ca220f92878470c6ba03f9946e412323093cc94 ] + +This reverts commit 7c451f3ef676c805a4b77a743a01a5c21a250a73. + +When a vnic interface is taken down and then up, connectivity is not +restored. We bisected it to this commit. Reverting this commit until +we can fully investigate the issue/benefit of the change. + +Fixes: 7c451f3ef676 ("ibmvnic: remove duplicate napi_schedule call in open function") +Reported-by: Cristobal Forno +Reported-by: Abdul Haleem +Signed-off-by: Dany Madden +Signed-off-by: Sukadev Bhattiprolu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ibm/ibmvnic.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c +index 9f72cd3b1d24..0eb06750a5d6 100644 +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -1099,6 +1099,11 @@ static int __ibmvnic_open(struct net_device *netdev) + + netif_tx_start_all_queues(netdev); + ++ if (prev_state == VNIC_CLOSED) { ++ for (i = 0; i < adapter->req_rx_queues; i++) ++ napi_schedule(&adapter->napi[i]); ++ } ++ + adapter->state = VNIC_OPEN; + return rc; + } +-- +2.30.2 + diff --git a/queue-4.19/s390-appldata-depends-on-proc_sysctl.patch b/queue-4.19/s390-appldata-depends-on-proc_sysctl.patch new file mode 100644 index 00000000000..1d429223ac0 --- /dev/null +++ b/queue-4.19/s390-appldata-depends-on-proc_sysctl.patch @@ -0,0 +1,46 @@ +From e6b237d8a6604f3301da4ca3d3e64571361497d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 May 2021 17:24:20 -0700 +Subject: s390: appldata depends on PROC_SYSCTL + +From: Randy Dunlap + +[ Upstream commit 5d3516b3647621d5a1180672ea9e0817fb718ada ] + +APPLDATA_BASE should depend on PROC_SYSCTL instead of PROC_FS. +Building with PROC_FS but not PROC_SYSCTL causes a build error, +since appldata_base.c uses data and APIs from fs/proc/proc_sysctl.c. + +arch/s390/appldata/appldata_base.o: in function `appldata_generic_handler': +appldata_base.c:(.text+0x192): undefined reference to `sysctl_vals' + +Fixes: c185b783b099 ("[S390] Remove config options.") +Signed-off-by: Randy Dunlap +Cc: Heiko Carstens +Cc: Vasily Gorbik +Cc: Christian Borntraeger +Cc: linux-s390@vger.kernel.org +Signed-off-by: Vasily Gorbik +Link: https://lore.kernel.org/r/20210528002420.17634-1-rdunlap@infradead.org +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig +index 9a9c7a6fe925..ce4c3b659f70 100644 +--- a/arch/s390/Kconfig ++++ b/arch/s390/Kconfig +@@ -867,7 +867,7 @@ config CMM_IUCV + config APPLDATA_BASE + def_bool n + prompt "Linux - VM Monitor Stream, base infrastructure" +- depends on PROC_FS ++ depends on PROC_SYSCTL + help + This provides a kernel interface for creating and updating z/VM APPLDATA + monitor records. The monitor records are updated at certain time +-- +2.30.2 + diff --git a/queue-4.19/samples-bpf-fix-the-error-return-code-of-xdp_redirec.patch b/queue-4.19/samples-bpf-fix-the-error-return-code-of-xdp_redirec.patch new file mode 100644 index 00000000000..b5f579970eb --- /dev/null +++ b/queue-4.19/samples-bpf-fix-the-error-return-code-of-xdp_redirec.patch @@ -0,0 +1,37 @@ +From 2e8842b1842cd7f38bbe22338dec743564b28a23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 12:25:34 +0800 +Subject: samples/bpf: Fix the error return code of xdp_redirect's main() + +From: Wang Hai + +[ Upstream commit 7c6090ee2a7b3315410cfc83a94c3eb057407b25 ] + +Fix to return a negative error code from the error handling +case instead of 0, as done elsewhere in this function. + +If bpf_map_update_elem() failed, main() should return a negative error. + +Fixes: 832622e6bd18 ("xdp: sample program for new bpf_redirect helper") +Signed-off-by: Wang Hai +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20210616042534.315097-1-wanghai38@huawei.com +Signed-off-by: Sasha Levin +--- + samples/bpf/xdp_redirect_user.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/samples/bpf/xdp_redirect_user.c b/samples/bpf/xdp_redirect_user.c +index 81a69e36cb78..0f96a26b6ec5 100644 +--- a/samples/bpf/xdp_redirect_user.c ++++ b/samples/bpf/xdp_redirect_user.c +@@ -146,5 +146,5 @@ int main(int argc, char **argv) + poll_stats(2, ifindex_out); + + out: +- return 0; ++ return ret; + } +-- +2.30.2 + diff --git a/queue-4.19/sata_highbank-fix-deferred-probing.patch b/queue-4.19/sata_highbank-fix-deferred-probing.patch new file mode 100644 index 00000000000..dec5b711e22 --- /dev/null +++ b/queue-4.19/sata_highbank-fix-deferred-probing.patch @@ -0,0 +1,46 @@ +From 21b33ee32a464c484a42ae82f2e3cf49bea79a56 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Mar 2021 23:34:27 +0300 +Subject: sata_highbank: fix deferred probing + +From: Sergey Shtylyov + +[ Upstream commit 4a24efa16e7db02306fb5db84518bb0a7ada5a46 ] + +The driver overrides the error codes returned by platform_get_irq() to +-EINVAL, so if it returns -EPROBE_DEFER, the driver would fail the probe +permanently instead of the deferred probing. Switch to propagating the +error code upstream, still checking/overriding IRQ0 as libata regards it +as "no IRQ" (thus polling) anyway... + +Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq") +Signed-off-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/105b456d-1199-f6e9-ceb7-ffc5ba551d1a@omprussia.ru +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/sata_highbank.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/ata/sata_highbank.c b/drivers/ata/sata_highbank.c +index e67815b896fc..1dd47a05b34b 100644 +--- a/drivers/ata/sata_highbank.c ++++ b/drivers/ata/sata_highbank.c +@@ -483,10 +483,12 @@ static int ahci_highbank_probe(struct platform_device *pdev) + } + + irq = platform_get_irq(pdev, 0); +- if (irq <= 0) { ++ if (irq < 0) { + dev_err(dev, "no irq\n"); +- return -EINVAL; ++ return irq; + } ++ if (!irq) ++ return -EINVAL; + + hpriv = devm_kzalloc(dev, sizeof(*hpriv), GFP_KERNEL); + if (!hpriv) { +-- +2.30.2 + diff --git a/queue-4.19/sched-fair-fix-ascii-art-by-relpacing-tabs.patch b/queue-4.19/sched-fair-fix-ascii-art-by-relpacing-tabs.patch new file mode 100644 index 00000000000..df9243d112a --- /dev/null +++ b/queue-4.19/sched-fair-fix-ascii-art-by-relpacing-tabs.patch @@ -0,0 +1,65 @@ +From da91dadd7d5bf183e8963946a5219c317eb275fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 May 2021 14:52:02 +0200 +Subject: sched/fair: Fix ascii art by relpacing tabs + +From: Odin Ugedal + +[ Upstream commit 08f7c2f4d0e9f4283f5796b8168044c034a1bfcb ] + +When using something other than 8 spaces per tab, this ascii art +makes not sense, and the reader might end up wondering what this +advanced equation "is". + +Signed-off-by: Odin Ugedal +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Vincent Guittot +Link: https://lkml.kernel.org/r/20210518125202.78658-4-odin@uged.al +Signed-off-by: Sasha Levin +--- + kernel/sched/fair.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index acb34e9df551..9cdbc07bb70f 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -2940,7 +2940,7 @@ void reweight_task(struct task_struct *p, int prio) + * + * tg->weight * grq->load.weight + * ge->load.weight = ----------------------------- (1) +- * \Sum grq->load.weight ++ * \Sum grq->load.weight + * + * Now, because computing that sum is prohibitively expensive to compute (been + * there, done that) we approximate it with this average stuff. The average +@@ -2954,7 +2954,7 @@ void reweight_task(struct task_struct *p, int prio) + * + * tg->weight * grq->avg.load_avg + * ge->load.weight = ------------------------------ (3) +- * tg->load_avg ++ * tg->load_avg + * + * Where: tg->load_avg ~= \Sum grq->avg.load_avg + * +@@ -2970,7 +2970,7 @@ void reweight_task(struct task_struct *p, int prio) + * + * tg->weight * grq->load.weight + * ge->load.weight = ----------------------------- = tg->weight (4) +- * grp->load.weight ++ * grp->load.weight + * + * That is, the sum collapses because all other CPUs are idle; the UP scenario. + * +@@ -2989,7 +2989,7 @@ void reweight_task(struct task_struct *p, int prio) + * + * tg->weight * grq->load.weight + * ge->load.weight = ----------------------------- (6) +- * tg_load_avg' ++ * tg_load_avg' + * + * Where: + * +-- +2.30.2 + diff --git a/queue-4.19/scsi-flashpoint-rename-si_flags-field.patch b/queue-4.19/scsi-flashpoint-rename-si_flags-field.patch new file mode 100644 index 00000000000..60a7379531b --- /dev/null +++ b/queue-4.19/scsi-flashpoint-rename-si_flags-field.patch @@ -0,0 +1,163 @@ +From dfa2000e771ea665e316209f1b4fe74f32da9eaf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 May 2021 16:48:57 -0700 +Subject: scsi: FlashPoint: Rename si_flags field + +From: Randy Dunlap + +[ Upstream commit 4d431153e751caa93f3b7e6f6313446974e92253 ] + +The BusLogic driver has build errors on ia64 due to a name collision (in +the #included FlashPoint.c file). Rename the struct field in struct +sccb_mgr_info from si_flags to si_mflags (manager flags) to mend the build. + +This is the first problem. There are 50+ others after this one: + +In file included from ../include/uapi/linux/signal.h:6, + from ../include/linux/signal_types.h:10, + from ../include/linux/sched.h:29, + from ../include/linux/hardirq.h:9, + from ../include/linux/interrupt.h:11, + from ../drivers/scsi/BusLogic.c:27: +../arch/ia64/include/uapi/asm/siginfo.h:15:27: error: expected ':', ',', ';', '}' or '__attribute__' before '.' token + 15 | #define si_flags _sifields._sigfault._flags + | ^ +../drivers/scsi/FlashPoint.c:43:6: note: in expansion of macro 'si_flags' + 43 | u16 si_flags; + | ^~~~~~~~ +In file included from ../drivers/scsi/BusLogic.c:51: +../drivers/scsi/FlashPoint.c: In function 'FlashPoint_ProbeHostAdapter': +../drivers/scsi/FlashPoint.c:1076:11: error: 'struct sccb_mgr_info' has no member named '_sifields' + 1076 | pCardInfo->si_flags = 0x0000; + | ^~ +../drivers/scsi/FlashPoint.c:1079:12: error: 'struct sccb_mgr_info' has no member named '_sifields' + +Link: https://lore.kernel.org/r/20210529234857.6870-1-rdunlap@infradead.org +Fixes: 391e2f25601e ("[SCSI] BusLogic: Port driver to 64-bit.") +Cc: "James E.J. Bottomley" +Cc: "Martin K. Petersen" +Cc: Christoph Hellwig +Cc: Jens Axboe +Cc: Hannes Reinecke +Cc: Khalid Aziz +Cc: Khalid Aziz +Reported-by: kernel test robot +Reviewed-by: Hannes Reinecke +Signed-off-by: Randy Dunlap +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/FlashPoint.c | 32 ++++++++++++++++---------------- + 1 file changed, 16 insertions(+), 16 deletions(-) + +diff --git a/drivers/scsi/FlashPoint.c b/drivers/scsi/FlashPoint.c +index 867b864f5047..4bca37d52bad 100644 +--- a/drivers/scsi/FlashPoint.c ++++ b/drivers/scsi/FlashPoint.c +@@ -40,7 +40,7 @@ struct sccb_mgr_info { + u16 si_per_targ_ultra_nego; + u16 si_per_targ_no_disc; + u16 si_per_targ_wide_nego; +- u16 si_flags; ++ u16 si_mflags; + unsigned char si_card_family; + unsigned char si_bustype; + unsigned char si_card_model[3]; +@@ -1070,22 +1070,22 @@ static int FlashPoint_ProbeHostAdapter(struct sccb_mgr_info *pCardInfo) + ScamFlg = + (unsigned char)FPT_utilEERead(ioport, SCAM_CONFIG / 2); + +- pCardInfo->si_flags = 0x0000; ++ pCardInfo->si_mflags = 0x0000; + + if (i & 0x01) +- pCardInfo->si_flags |= SCSI_PARITY_ENA; ++ pCardInfo->si_mflags |= SCSI_PARITY_ENA; + + if (!(i & 0x02)) +- pCardInfo->si_flags |= SOFT_RESET; ++ pCardInfo->si_mflags |= SOFT_RESET; + + if (i & 0x10) +- pCardInfo->si_flags |= EXTENDED_TRANSLATION; ++ pCardInfo->si_mflags |= EXTENDED_TRANSLATION; + + if (ScamFlg & SCAM_ENABLED) +- pCardInfo->si_flags |= FLAG_SCAM_ENABLED; ++ pCardInfo->si_mflags |= FLAG_SCAM_ENABLED; + + if (ScamFlg & SCAM_LEVEL2) +- pCardInfo->si_flags |= FLAG_SCAM_LEVEL2; ++ pCardInfo->si_mflags |= FLAG_SCAM_LEVEL2; + + j = (RD_HARPOON(ioport + hp_bm_ctrl) & ~SCSI_TERM_ENA_L); + if (i & 0x04) { +@@ -1101,7 +1101,7 @@ static int FlashPoint_ProbeHostAdapter(struct sccb_mgr_info *pCardInfo) + + if (!(RD_HARPOON(ioport + hp_page_ctrl) & NARROW_SCSI_CARD)) + +- pCardInfo->si_flags |= SUPPORT_16TAR_32LUN; ++ pCardInfo->si_mflags |= SUPPORT_16TAR_32LUN; + + pCardInfo->si_card_family = HARPOON_FAMILY; + pCardInfo->si_bustype = BUSTYPE_PCI; +@@ -1137,15 +1137,15 @@ static int FlashPoint_ProbeHostAdapter(struct sccb_mgr_info *pCardInfo) + + if (pCardInfo->si_card_model[1] == '3') { + if (RD_HARPOON(ioport + hp_ee_ctrl) & BIT(7)) +- pCardInfo->si_flags |= LOW_BYTE_TERM; ++ pCardInfo->si_mflags |= LOW_BYTE_TERM; + } else if (pCardInfo->si_card_model[2] == '0') { + temp = RD_HARPOON(ioport + hp_xfer_pad); + WR_HARPOON(ioport + hp_xfer_pad, (temp & ~BIT(4))); + if (RD_HARPOON(ioport + hp_ee_ctrl) & BIT(7)) +- pCardInfo->si_flags |= LOW_BYTE_TERM; ++ pCardInfo->si_mflags |= LOW_BYTE_TERM; + WR_HARPOON(ioport + hp_xfer_pad, (temp | BIT(4))); + if (RD_HARPOON(ioport + hp_ee_ctrl) & BIT(7)) +- pCardInfo->si_flags |= HIGH_BYTE_TERM; ++ pCardInfo->si_mflags |= HIGH_BYTE_TERM; + WR_HARPOON(ioport + hp_xfer_pad, temp); + } else { + temp = RD_HARPOON(ioport + hp_ee_ctrl); +@@ -1163,9 +1163,9 @@ static int FlashPoint_ProbeHostAdapter(struct sccb_mgr_info *pCardInfo) + WR_HARPOON(ioport + hp_ee_ctrl, temp); + WR_HARPOON(ioport + hp_xfer_pad, temp2); + if (!(temp3 & BIT(7))) +- pCardInfo->si_flags |= LOW_BYTE_TERM; ++ pCardInfo->si_mflags |= LOW_BYTE_TERM; + if (!(temp3 & BIT(6))) +- pCardInfo->si_flags |= HIGH_BYTE_TERM; ++ pCardInfo->si_mflags |= HIGH_BYTE_TERM; + } + + ARAM_ACCESS(ioport); +@@ -1272,7 +1272,7 @@ static void *FlashPoint_HardwareResetHostAdapter(struct sccb_mgr_info + WR_HARPOON(ioport + hp_arb_id, pCardInfo->si_id); + CurrCard->ourId = pCardInfo->si_id; + +- i = (unsigned char)pCardInfo->si_flags; ++ i = (unsigned char)pCardInfo->si_mflags; + if (i & SCSI_PARITY_ENA) + WR_HARPOON(ioport + hp_portctrl_1, (HOST_MODE8 | CHK_SCSI_P)); + +@@ -1286,14 +1286,14 @@ static void *FlashPoint_HardwareResetHostAdapter(struct sccb_mgr_info + j |= SCSI_TERM_ENA_H; + WR_HARPOON(ioport + hp_ee_ctrl, j); + +- if (!(pCardInfo->si_flags & SOFT_RESET)) { ++ if (!(pCardInfo->si_mflags & SOFT_RESET)) { + + FPT_sresb(ioport, thisCard); + + FPT_scini(thisCard, pCardInfo->si_id, 0); + } + +- if (pCardInfo->si_flags & POST_ALL_UNDERRRUNS) ++ if (pCardInfo->si_mflags & POST_ALL_UNDERRRUNS) + CurrCard->globalFlags |= F_NO_FILTER; + + if (pCurrNvRam) { +-- +2.30.2 + diff --git a/queue-4.19/scsi-mpt3sas-fix-error-return-value-in-_scsih_expand.patch b/queue-4.19/scsi-mpt3sas-fix-error-return-value-in-_scsih_expand.patch new file mode 100644 index 00000000000..ff73285c9d2 --- /dev/null +++ b/queue-4.19/scsi-mpt3sas-fix-error-return-value-in-_scsih_expand.patch @@ -0,0 +1,43 @@ +From 26a8c4e61e9b5cd128761a5a1dfb61506712b740 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 May 2021 16:13:00 +0800 +Subject: scsi: mpt3sas: Fix error return value in _scsih_expander_add() + +From: Zhen Lei + +[ Upstream commit d6c2ce435ffe23ef7f395ae76ec747414589db46 ] + +When an expander does not contain any 'phys', an appropriate error code -1 +should be returned, as done elsewhere in this function. However, we +currently do not explicitly assign this error code to 'rc'. As a result, 0 +was incorrectly returned. + +Link: https://lore.kernel.org/r/20210514081300.6650-1-thunder.leizhen@huawei.com +Fixes: f92363d12359 ("[SCSI] mpt3sas: add new driver supporting 12GB SAS") +Reported-by: Hulk Robot +Signed-off-by: Zhen Lei +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/mpt3sas/mpt3sas_scsih.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c +index 5a5e5c3da657..add699b01836 100644 +--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c +@@ -5745,8 +5745,10 @@ _scsih_expander_add(struct MPT3SAS_ADAPTER *ioc, u16 handle) + handle, parent_handle, (unsigned long long) + sas_expander->sas_address, sas_expander->num_phys); + +- if (!sas_expander->num_phys) ++ if (!sas_expander->num_phys) { ++ rc = -1; + goto out_fail; ++ } + sas_expander->phy = kcalloc(sas_expander->num_phys, + sizeof(struct _sas_phy), GFP_KERNEL); + if (!sas_expander->phy) { +-- +2.30.2 + diff --git a/queue-4.19/selftests-vm-pkeys-fix-alloc_random_pkey-to-make-it-.patch b/queue-4.19/selftests-vm-pkeys-fix-alloc_random_pkey-to-make-it-.patch new file mode 100644 index 00000000000..89e9cfb3420 --- /dev/null +++ b/queue-4.19/selftests-vm-pkeys-fix-alloc_random_pkey-to-make-it-.patch @@ -0,0 +1,102 @@ +From 272b3f0c3b14ed206cc9045b560ecd00a60f5f42 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Jun 2021 18:56:53 -0700 +Subject: selftests/vm/pkeys: fix alloc_random_pkey() to make it really, really + random + +From: Dave Hansen + +[ Upstream commit f36ef407628835a7d7fb3d235b1f1aac7022d9a3 ] + +Patch series "selftests/vm/pkeys: Bug fixes and a new test". + +There has been a lot of activity on the x86 front around the XSAVE +architecture which is used to context-switch processor state (among other +things). In addition, AMD has recently joined the protection keys club by +adding processor support for PKU. + +The AMD implementation helped uncover a kernel bug around the PKRU "init +state", which actually applied to Intel's implementation but was just +harder to hit. This series adds a test which is expected to help find +this class of bug both on AMD and Intel. All the work around pkeys on x86 +also uncovered a few bugs in the selftest. + +This patch (of 4): + +The "random" pkey allocation code currently does the good old: + + srand((unsigned int)time(NULL)); + +*But*, it unfortunately does this on every random pkey allocation. + +There may be thousands of these a second. time() has a one second +resolution. So, each time alloc_random_pkey() is called, the PRNG is +*RESET* to time(). This is nasty. Normally, if you do: + + srand(); + foo = rand(); + bar = rand(); + +You'll be quite guaranteed that 'foo' and 'bar' are different. But, if +you do: + + srand(1); + foo = rand(); + srand(1); + bar = rand(); + +You are quite guaranteed that 'foo' and 'bar' are the *SAME*. The recent +"fix" effectively forced the test case to use the same "random" pkey for +the whole test, unless the test run crossed a second boundary. + +Only run srand() once at program startup. + +This explains some very odd and persistent test failures I've been seeing. + +Link: https://lkml.kernel.org/r/20210611164153.91B76FB8@viggo.jf.intel.com +Link: https://lkml.kernel.org/r/20210611164155.192D00FF@viggo.jf.intel.com +Fixes: 6e373263ce07 ("selftests/vm/pkeys: fix alloc_random_pkey() to make it really random") +Signed-off-by: Dave Hansen +Signed-off-by: Thomas Gleixner +Tested-by: Aneesh Kumar K.V +Cc: Ram Pai +Cc: Sandipan Das +Cc: Florian Weimer +Cc: "Desnes A. Nunes do Rosario" +Cc: Ingo Molnar +Cc: Thiago Jung Bauermann +Cc: Michael Ellerman +Cc: Michal Hocko +Cc: Michal Suchanek +Cc: Shuah Khan +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/x86/protection_keys.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/x86/protection_keys.c b/tools/testing/selftests/x86/protection_keys.c +index b8778960da10..27661302a698 100644 +--- a/tools/testing/selftests/x86/protection_keys.c ++++ b/tools/testing/selftests/x86/protection_keys.c +@@ -613,7 +613,6 @@ int alloc_random_pkey(void) + int nr_alloced = 0; + int random_index; + memset(alloced_pkeys, 0, sizeof(alloced_pkeys)); +- srand((unsigned int)time(NULL)); + + /* allocate every possible key and make a note of which ones we got */ + max_nr_pkey_allocs = NR_PKEYS; +@@ -1479,6 +1478,8 @@ int main(void) + { + int nr_iterations = 22; + ++ srand((unsigned int)time(NULL)); ++ + setup_handlers(); + + printf("has pku: %d\n", cpu_has_pku()); +-- +2.30.2 + diff --git a/queue-4.19/serial-8250-actually-allow-upf_magic_multiplier-baud.patch b/queue-4.19/serial-8250-actually-allow-upf_magic_multiplier-baud.patch new file mode 100644 index 00000000000..b5f1f3116dc --- /dev/null +++ b/queue-4.19/serial-8250-actually-allow-upf_magic_multiplier-baud.patch @@ -0,0 +1,84 @@ +From 25d2106d9fab4d2476058fc803658a377f538c72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jun 2021 20:38:34 +0200 +Subject: serial: 8250: Actually allow UPF_MAGIC_MULTIPLIER baud rates + +From: Maciej W. Rozycki + +[ Upstream commit 78bcae8616ac277d6cb7f38e211493948ed73e30 ] + +Support for magic baud rate divisors of 32770 and 32769 used with SMSC +Super I/O chips for extra baud rates of 230400 and 460800 respectively +where base rate is 115200[1] has been added around Linux 2.5.64, which +predates our repo history, but the origin could be identified as commit +2a717aad772f ("Merge with Linux 2.5.64.") with the old MIPS/Linux repo +also at: . + +Code that is now in `serial8250_do_get_divisor' was added back then to +`serial8250_get_divisor', but that code would only ever trigger if one +of the higher baud rates was actually requested, and that cannot ever +happen, because the earlier call to `serial8250_get_baud_rate' never +returns them. This is because it calls `uart_get_baud_rate' with the +maximum requested being the base rate, that is clk/16 or 115200 for SMSC +chips at their nominal clock rate. + +Fix it then and allow UPF_MAGIC_MULTIPLIER baud rates to be selected, by +requesting the maximum baud rate of clk/4 rather than clk/16 if the flag +has been set. Also correct the minimum baud rate, observing that these +ports only support actual (non-magic) divisors of up to 32767 only. + +References: + +[1] "FDC37M81x, PC98/99 Compliant Enhanced Super I/O Controller with + Keyboard/Mouse Wake-Up", Standard Microsystems Corporation, Rev. + 03/27/2000, Table 31 - "Baud Rates", p. 77 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Maciej W. Rozycki +Link: https://lore.kernel.org/r/alpine.DEB.2.21.2105190412280.29169@angie.orcam.me.uk +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/8250/8250_port.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c +index 60ca19eca1f6..56693dfe0f5b 100644 +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -2646,6 +2646,21 @@ static unsigned int serial8250_get_baud_rate(struct uart_port *port, + struct ktermios *old) + { + unsigned int tolerance = port->uartclk / 100; ++ unsigned int min; ++ unsigned int max; ++ ++ /* ++ * Handle magic divisors for baud rates above baud_base on SMSC ++ * Super I/O chips. Enable custom rates of clk/4 and clk/8, but ++ * disable divisor values beyond 32767, which are unavailable. ++ */ ++ if (port->flags & UPF_MAGIC_MULTIPLIER) { ++ min = port->uartclk / 16 / UART_DIV_MAX >> 1; ++ max = (port->uartclk + tolerance) / 4; ++ } else { ++ min = port->uartclk / 16 / UART_DIV_MAX; ++ max = (port->uartclk + tolerance) / 16; ++ } + + /* + * Ask the core to calculate the divisor for us. +@@ -2653,9 +2668,7 @@ static unsigned int serial8250_get_baud_rate(struct uart_port *port, + * slower than nominal still match standard baud rates without + * causing transmission errors. + */ +- return uart_get_baud_rate(port, termios, old, +- port->uartclk / 16 / UART_DIV_MAX, +- (port->uartclk + tolerance) / 16); ++ return uart_get_baud_rate(port, termios, old, min, max); + } + + void +-- +2.30.2 + diff --git a/queue-4.19/serial-mvebu-uart-correctly-calculate-minimal-possib.patch b/queue-4.19/serial-mvebu-uart-correctly-calculate-minimal-possib.patch new file mode 100644 index 00000000000..0cd6245930e --- /dev/null +++ b/queue-4.19/serial-mvebu-uart-correctly-calculate-minimal-possib.patch @@ -0,0 +1,66 @@ +From a1f0f207f38190498ffd75dc55f5dbf2666e03ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Jun 2021 00:49:02 +0200 +Subject: serial: mvebu-uart: correctly calculate minimal possible baudrate +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit deeaf963569a0d9d1b08babb771f61bb501a5704 ] + +For default (x16) scheme which is currently used by mvebu-uart.c driver, +maximal divisor of UART base clock is 1023*16. Therefore there is limit for +minimal supported baudrate. This change calculate it correctly and prevents +setting invalid divisor 0 into hardware registers. + +Signed-off-by: Pali Rohár +Fixes: 68a0db1d7da2 ("serial: mvebu-uart: add function to change baudrate") +Link: https://lore.kernel.org/r/20210624224909.6350-4-pali@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/mvebu-uart.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/tty/serial/mvebu-uart.c b/drivers/tty/serial/mvebu-uart.c +index 0515b5e6326d..9369b4d42d24 100644 +--- a/drivers/tty/serial/mvebu-uart.c ++++ b/drivers/tty/serial/mvebu-uart.c +@@ -471,7 +471,7 @@ static void mvebu_uart_set_termios(struct uart_port *port, + struct ktermios *old) + { + unsigned long flags; +- unsigned int baud; ++ unsigned int baud, min_baud, max_baud; + + spin_lock_irqsave(&port->lock, flags); + +@@ -490,16 +490,21 @@ static void mvebu_uart_set_termios(struct uart_port *port, + port->ignore_status_mask |= STAT_RX_RDY(port) | STAT_BRK_ERR; + + /* ++ * Maximal divisor is 1023 * 16 when using default (x16) scheme. + * Maximum achievable frequency with simple baudrate divisor is 230400. + * Since the error per bit frame would be of more than 15%, achieving + * higher frequencies would require to implement the fractional divisor + * feature. + */ +- baud = uart_get_baud_rate(port, termios, old, 0, 230400); ++ min_baud = DIV_ROUND_UP(port->uartclk, 1023 * 16); ++ max_baud = 230400; ++ ++ baud = uart_get_baud_rate(port, termios, old, min_baud, max_baud); + if (mvebu_uart_baud_rate_set(port, baud)) { + /* No clock available, baudrate cannot be changed */ + if (old) +- baud = uart_get_baud_rate(port, old, NULL, 0, 230400); ++ baud = uart_get_baud_rate(port, old, NULL, ++ min_baud, max_baud); + } else { + tty_termios_encode_baud_rate(termios, baud, baud); + uart_update_timeout(port, termios->c_cflag, baud); +-- +2.30.2 + diff --git a/queue-4.19/series b/queue-4.19/series index ec016874de9..bfe490b1083 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -47,3 +47,178 @@ powerpc-stacktrace-fix-spurious-stale-traces-in-raise_backtrace_ipi.patch evm-execute-evm_inode_init_security-only-when-an-hmac-key-is-loaded.patch evm-refuse-evm_allow_metadata_writes-only-if-an-hmac-key-is-loaded.patch fuse-check-connected-before-queueing-on-fpq-io.patch +spi-make-of_register_spi_device-also-set-the-fwnode.patch +spi-spi-loopback-test-fix-tx_buf-might-be-rx_buf.patch +spi-spi-topcliff-pch-fix-potential-double-free-in-pc.patch +spi-omap-100k-fix-the-length-judgment-problem.patch +regulator-uniphier-add-missing-module_device_table.patch +crypto-nx-add-missing-module_device_table.patch +media-cpia2-fix-memory-leak-in-cpia2_usb_probe.patch +media-cobalt-fix-race-condition-in-setting-hpd.patch +media-pvrusb2-fix-warning-in-pvr2_i2c_core_done.patch +crypto-qat-check-return-code-of-qat_hal_rd_rel_reg.patch +crypto-qat-remove-unused-macro-in-fw-loader.patch +sched-fair-fix-ascii-art-by-relpacing-tabs.patch +media-em28xx-fix-possible-memory-leak-of-em28xx-stru.patch +media-v4l2-core-avoid-the-dangling-pointer-in-v4l2_f.patch +media-bt8xx-fix-a-missing-check-bug-in-bt878_probe.patch +media-st-hva-fix-potential-null-pointer-dereferences.patch +media-dvd_usb-memory-leak-in-cinergyt2_fe_attach.patch +mmc-via-sdmmc-add-a-check-against-null-pointer-deref.patch +crypto-shash-avoid-comparing-pointers-to-exported-fu.patch +media-dvb_net-avoid-speculation-from-net-slot.patch +media-siano-fix-device-register-error-path.patch +media-imx-csi-skip-first-few-frames-from-a-bt.656-so.patch +btrfs-fix-error-handling-in-__btrfs_update_delayed_i.patch +btrfs-abort-transaction-if-we-fail-to-update-the-del.patch +btrfs-fix-the-filemap_range_has_page-call-in-btrfs_p.patch +btrfs-disable-build-on-platforms-having-page-size-25.patch +regulator-da9052-ensure-enough-delay-time-for-.set_v.patch +hid-do-not-use-down_interruptible-when-unbinding-dev.patch +edac-ti-add-missing-module_device_table.patch +acpi-processor-idle-fix-up-c-state-latency-if-not-or.patch +hv_utils-fix-passing-zero-to-ptr_err-warning.patch +lib-vsprintf-fix-handling-of-number-field-widths-in-.patch +acpi-ec-make-more-asus-laptops-use-ecdt-_gpe.patch +block_dump-remove-block_dump-feature-in-mark_inode_d.patch +fs-dlm-cancel-work-sync-othercon.patch +random32-fix-implicit-truncation-warning-in-prandom_.patch +fs-dlm-fix-memory-leak-when-fenced.patch +acpica-fix-memory-leak-caused-by-_cid-repair-functio.patch +acpi-bus-call-kobject_put-in-acpi_init-error-path.patch +platform-x86-toshiba_acpi-fix-missing-error-code-in-.patch +clocksource-retry-clock-read-if-long-delays-detected.patch +acpi-tables-add-custom-dsdt-file-as-makefile-prerequ.patch +hid-wacom-correct-base-usage-for-capacitive-expressk.patch +ia64-mca_drv-fix-incorrect-array-size-calculation.patch +media-s5p_cec-decrement-usage-count-if-disabled.patch +crypto-ixp4xx-dma_unmap-the-correct-address.patch +crypto-ux500-fix-error-return-code-in-hash_hw_final.patch +sata_highbank-fix-deferred-probing.patch +pata_rb532_cf-fix-deferred-probing.patch +media-i2c-change-rst-to-rset-to-fix-multiple-build-e.patch +pata_octeon_cf-avoid-warn_on-in-ata_host_activate.patch +evm-fix-writing-securityfs-evm-overflow.patch +crypto-ccp-fix-a-resource-leak-in-an-error-handling-.patch +media-rc-i2c-fix-an-error-message.patch +pata_ep93xx-fix-deferred-probing.patch +media-exynos4-is-fix-a-use-after-free-in-isp_video_r.patch +media-tc358743-fix-error-return-code-in-tc358743_pro.patch +media-gspca-gl860-fix-zero-length-control-requests.patch +media-siano-fix-out-of-bounds-warnings-in-smscore_lo.patch +mmc-usdhi6rol0-fix-error-return-code-in-usdhi6_probe.patch +media-s5p-g2d-fix-a-memory-leak-on-ctx-fh.m2m_ctx.patch +hwmon-max31722-remove-non-standard-acpi-device-ids.patch +hwmon-max31790-fix-fan-speed-reporting-for-fan7.12.patch +btrfs-clear-log-tree-recovering-status-if-starting-t.patch +spi-spi-sun6i-fix-chipselect-clock-bug.patch +crypto-nx-fix-rcu-warning-in-nx842_of_upd_status.patch +acpi-sysfs-fix-a-buffer-overrun-problem-with-descrip.patch +blk-wbt-introduce-a-new-disable-state-to-prevent-fal.patch +blk-wbt-make-sure-throttle-is-enabled-properly.patch +ocfs2-fix-snprintf-checking.patch +net-mvpp2-put-fwnode-in-error-case-during-probe.patch +net-pch_gbe-propagate-error-from-devm_gpio_request_o.patch +drm-rockchip-cdn-dp-core-add-missing-clk_disable_unp.patch +ehea-fix-error-return-code-in-ehea_restart_qps.patch +rdma-rxe-fix-failure-during-driver-load.patch +drm-qxl-ensure-surf.data-is-ininitialized.patch +tools-bpftool-fix-error-return-code-in-do_batch.patch +wireless-carl9170-fix-leds-build-errors-warnings.patch +ieee802154-hwsim-fix-possible-memory-leak-in-hwsim_s.patch +wcn36xx-move-hal_buf-allocation-to-devm_kmalloc-in-p.patch +ssb-fix-error-return-code-in-ssb_bus_scan.patch +brcmfmac-fix-setting-of-station-info-chains-bitmask.patch +brcmfmac-correctly-report-average-rssi-in-station-in.patch +brcmsmac-mac80211_if-fix-a-resource-leak-in-an-error.patch +ath10k-fix-an-error-code-in-ath10k_add_interface.patch +netlabel-fix-memory-leak-in-netlbl_mgmt_add_common.patch +rdma-mlx5-don-t-add-slave-port-to-unaffiliated-list.patch +netfilter-nft_exthdr-check-for-ipv6-packet-before-fu.patch +netfilter-nft_osf-check-for-tcp-packet-before-furthe.patch +netfilter-nft_tproxy-restrict-support-to-tcp-and-udp.patch +rdma-rxe-fix-qp-reference-counting-for-atomic-ops.patch +samples-bpf-fix-the-error-return-code-of-xdp_redirec.patch +net-ethernet-aeroflex-fix-uaf-in-greth_of_remove.patch +net-ethernet-ezchip-fix-uaf-in-nps_enet_remove.patch +net-ethernet-ezchip-fix-error-handling.patch +pkt_sched-sch_qfq-fix-qfq_change_class-error-path.patch +vxlan-add-missing-rcu_read_lock-in-neigh_reduce.patch +net-ipv4-swap-flow-ports-when-validating-source.patch +ieee802154-hwsim-fix-memory-leak-in-hwsim_add_one.patch +ieee802154-hwsim-avoid-possible-crash-in-hwsim_del_e.patch +mac80211-remove-iwlwifi-specific-workaround-ndps-of-.patch +net-bcmgenet-fix-attaching-to-pyh-failed-on-rpi-4b.patch +ipv6-exthdrs-do-not-blindly-use-init_net.patch +bpf-do-not-change-gso_size-during-bpf_skb_change_pro.patch +i40e-fix-error-handling-in-i40e_vsi_open.patch +i40e-fix-autoneg-disabling-for-non-10gbaset-links.patch +revert-ibmvnic-remove-duplicate-napi_schedule-call-i.patch +ibmvnic-free-tx_pool-if-tso_pool-alloc-fails.patch +ipv6-fix-out-of-bound-access-in-ip6_parse_tlv.patch +bluetooth-mgmt-fix-slab-out-of-bounds-in-tlv_data_is.patch +bluetooth-fix-handling-of-hci_le_advertising_set_ter.patch +writeback-fix-obtain-a-reference-to-a-freeing-memcg-.patch +net-lwtunnel-handle-mtu-calculation-in-forwading.patch +net-sched-fix-warning-in-tcindex_alloc_perfect_hash.patch +rdma-mlx5-don-t-access-null-cleared-mpi-pointer.patch +tty-nozomi-fix-a-resource-leak-in-an-error-handling-.patch +mwifiex-re-fix-for-unaligned-accesses.patch +iio-adis_buffer-do-not-return-ints-in-irq-handlers.patch +iio-accel-bma180-fix-buffer-alignment-in-iio_push_to.patch +iio-accel-bma220-fix-buffer-alignment-in-iio_push_to.patch +iio-accel-hid-fix-buffer-alignment-in-iio_push_to_bu.patch +iio-accel-kxcjk-1013-fix-buffer-alignment-in-iio_pus.patch +iio-accel-stk8312-fix-buffer-alignment-in-iio_push_t.patch +iio-accel-stk8ba50-fix-buffer-alignment-in-iio_push_.patch +iio-adc-ti-ads1015-fix-buffer-alignment-in-iio_push_.patch +iio-adc-vf610-fix-buffer-alignment-in-iio_push_to_bu.patch +iio-gyro-bmg160-fix-buffer-alignment-in-iio_push_to_.patch +iio-humidity-am2315-fix-buffer-alignment-in-iio_push.patch +iio-prox-srf08-fix-buffer-alignment-in-iio_push_to_b.patch +iio-prox-pulsed-light-fix-buffer-alignment-in-iio_pu.patch +iio-prox-as3935-fix-buffer-alignment-in-iio_push_to_.patch +iio-light-isl29125-fix-buffer-alignment-in-iio_push_.patch +iio-light-tcs3414-fix-buffer-alignment-in-iio_push_t.patch +iio-light-tcs3472-fix-buffer-alignment-in-iio_push_t.patch +iio-potentiostat-lmp91000-fix-alignment-of-buffer-in.patch +asoc-hisilicon-fix-missing-clk_disable_unprepare-on-.patch +asoc-rsnd-tidyup-loop-on-rsnd_adg_clk_query.patch +input-hil_kbd-fix-error-return-code-in-hil_dev_conne.patch +char-pcmcia-error-out-if-num_bytes_read-is-greater-t.patch +tty-nozomi-fix-the-error-handling-path-of-nozomi_car.patch +scsi-flashpoint-rename-si_flags-field.patch +fsi-core-fix-return-of-error-values-on-failures.patch +fsi-scom-reset-the-fsi2pib-engine-for-any-error.patch +fsi-sbefifo-clean-up-correct-fifo-when-receiving-res.patch +fsi-sbefifo-fix-reset-timeout.patch +visorbus-fix-error-return-code-in-visorchipset_init.patch +s390-appldata-depends-on-proc_sysctl.patch +eeprom-idt_89hpesx-put-fwnode-in-matching-case-durin.patch +eeprom-idt_89hpesx-restore-printing-the-unsupported-.patch +iio-adc-hx711-fix-buffer-alignment-in-iio_push_to_bu.patch +iio-adc-mxs-lradc-fix-buffer-alignment-in-iio_push_t.patch +iio-adc-ti-ads8688-fix-alignment-of-buffer-in-iio_pu.patch +staging-gdm724x-check-for-buffer-overflow-in-gdm_lte.patch +staging-gdm724x-check-for-overflow-in-gdm_lte_netif_.patch +staging-mt7621-dts-fix-pci-address-for-pci-memory-ra.patch +serial-8250-actually-allow-upf_magic_multiplier-baud.patch +iio-prox-isl29501-fix-buffer-alignment-in-iio_push_t.patch +asoc-cs42l42-correct-definition-of-cs42l42_adc_pdn_m.patch +of-fix-truncation-of-memory-sizes-on-32-bit-platform.patch +mtd-rawnand-marvell-add-missing-clk_disable_unprepar.patch +scsi-mpt3sas-fix-error-return-value-in-_scsih_expand.patch +phy-ti-dm816x-fix-the-error-handling-path-in-dm816x_.patch +extcon-sm5502-drop-invalid-register-write-in-sm5502_.patch +extcon-max8997-add-missing-modalias-string.patch +asoc-atmel-i2s-fix-usage-of-capture-and-playback-at-.patch +configfs-fix-memleak-in-configfs_release_bin_file.patch +leds-as3645a-fix-error-return-code-in-as3645a_parse_.patch +leds-ktd2692-fix-an-error-handling-path.patch +powerpc-offline-cpu-in-stop_this_cpu.patch +serial-mvebu-uart-correctly-calculate-minimal-possib.patch +arm64-dts-marvell-armada-37xx-fix-reg-for-standard-v.patch +vfio-pci-handle-concurrent-vma-faults.patch +mm-huge_memory.c-don-t-discard-hugepage-if-other-pro.patch +selftests-vm-pkeys-fix-alloc_random_pkey-to-make-it-.patch +perf-llvm-return-enomem-when-asprintf-fails.patch diff --git a/queue-4.19/spi-make-of_register_spi_device-also-set-the-fwnode.patch b/queue-4.19/spi-make-of_register_spi_device-also-set-the-fwnode.patch new file mode 100644 index 00000000000..bdae82ba6cb --- /dev/null +++ b/queue-4.19/spi-make-of_register_spi_device-also-set-the-fwnode.patch @@ -0,0 +1,62 @@ +From b98c8934db5f5569313573c079383f334527b242 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Apr 2021 11:14:02 +0100 +Subject: spi: Make of_register_spi_device also set the fwnode + +From: Charles Keepax + +[ Upstream commit 0e793ba77c18382f08e440260fe72bc6fce2a3cb ] + +Currently, the SPI core doesn't set the struct device fwnode pointer +when it creates a new SPI device. This means when the device is +registered the fwnode is NULL and the check in device_add which sets +the fwnode->dev pointer is skipped. This wasn't previously an issue, +however these two patches: + +commit 4731210c09f5 ("gpiolib: Bind gpio_device to a driver to enable +fw_devlink=on by default") +commit ced2af419528 ("gpiolib: Don't probe gpio_device if it's not the +primary device") + +Added some code to the GPIO core which relies on using that +fwnode->dev pointer to determine if a driver is bound to the fwnode +and if not bind a stub GPIO driver. This means the GPIO providers +behind SPI will get both the expected driver and this stub driver +causing the stub driver to fail if it attempts to request any pin +configuration. For example on my system: + +madera-pinctrl madera-pinctrl: pin gpio5 already requested by madera-pinctrl; cannot claim for gpiochip3 +madera-pinctrl madera-pinctrl: pin-4 (gpiochip3) status -22 +madera-pinctrl madera-pinctrl: could not request pin 4 (gpio5) from group aif1 on device madera-pinctrl +gpio_stub_drv gpiochip3: Error applying setting, reverse things back +gpio_stub_drv: probe of gpiochip3 failed with error -22 + +The firmware node on the device created by the GPIO framework is set +through the of_node pointer hence things generally actually work, +however that fwnode->dev is never set, as the check was skipped at +device_add time. This fix appears to match how the I2C subsystem +handles the same situation. + +Signed-off-by: Charles Keepax +Link: https://lore.kernel.org/r/20210421101402.8468-1-ckeepax@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c +index bbe33016d371..49f592e433a8 100644 +--- a/drivers/spi/spi.c ++++ b/drivers/spi/spi.c +@@ -1678,6 +1678,7 @@ of_register_spi_device(struct spi_controller *ctlr, struct device_node *nc) + /* Store a pointer to the node in the device structure */ + of_node_get(nc); + spi->dev.of_node = nc; ++ spi->dev.fwnode = of_fwnode_handle(nc); + + /* Register the new device */ + rc = spi_add_device(spi); +-- +2.30.2 + diff --git a/queue-4.19/spi-omap-100k-fix-the-length-judgment-problem.patch b/queue-4.19/spi-omap-100k-fix-the-length-judgment-problem.patch new file mode 100644 index 00000000000..f016791d998 --- /dev/null +++ b/queue-4.19/spi-omap-100k-fix-the-length-judgment-problem.patch @@ -0,0 +1,36 @@ +From 1c499a7ab81d3f19187f13eec0e8cb501ce61b5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Apr 2021 19:20:48 +0800 +Subject: spi: omap-100k: Fix the length judgment problem + +From: Tian Tao + +[ Upstream commit e7a1a3abea373e41ba7dfe0fbc93cb79b6a3a529 ] + +word_len should be checked in the omap1_spi100k_setup_transfer +function to see if it exceeds 32. + +Signed-off-by: Tian Tao +Link: https://lore.kernel.org/r/1619695248-39045-1-git-send-email-tiantao6@hisilicon.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-omap-100k.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-omap-100k.c b/drivers/spi/spi-omap-100k.c +index 1eccdc4a4581..2eeb0fe2eed2 100644 +--- a/drivers/spi/spi-omap-100k.c ++++ b/drivers/spi/spi-omap-100k.c +@@ -251,7 +251,7 @@ static int omap1_spi100k_setup_transfer(struct spi_device *spi, + else + word_len = spi->bits_per_word; + +- if (spi->bits_per_word > 32) ++ if (word_len > 32) + return -EINVAL; + cs->word_len = word_len; + +-- +2.30.2 + diff --git a/queue-4.19/spi-spi-loopback-test-fix-tx_buf-might-be-rx_buf.patch b/queue-4.19/spi-spi-loopback-test-fix-tx_buf-might-be-rx_buf.patch new file mode 100644 index 00000000000..22d13c7b7c2 --- /dev/null +++ b/queue-4.19/spi-spi-loopback-test-fix-tx_buf-might-be-rx_buf.patch @@ -0,0 +1,35 @@ +From 8bcb10130093c1cf69c6637cbd01e19e70d4e5a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 May 2021 14:58:23 +0800 +Subject: spi: spi-loopback-test: Fix 'tx_buf' might be 'rx_buf' + +From: Jay Fang + +[ Upstream commit 9e37a3ab0627011fb63875e9a93094b6fc8ddf48 ] + +In function 'spi_test_run_iter': Value 'tx_buf' might be 'rx_buf'. + +Signed-off-by: Jay Fang +Link: https://lore.kernel.org/r/1620629903-15493-5-git-send-email-f.fangjian@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-loopback-test.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-loopback-test.c b/drivers/spi/spi-loopback-test.c +index b9a7117b6dce..85d3475915dd 100644 +--- a/drivers/spi/spi-loopback-test.c ++++ b/drivers/spi/spi-loopback-test.c +@@ -877,7 +877,7 @@ static int spi_test_run_iter(struct spi_device *spi, + test.transfers[i].len = len; + if (test.transfers[i].tx_buf) + test.transfers[i].tx_buf += tx_off; +- if (test.transfers[i].tx_buf) ++ if (test.transfers[i].rx_buf) + test.transfers[i].rx_buf += rx_off; + } + +-- +2.30.2 + diff --git a/queue-4.19/spi-spi-sun6i-fix-chipselect-clock-bug.patch b/queue-4.19/spi-spi-sun6i-fix-chipselect-clock-bug.patch new file mode 100644 index 00000000000..8aecdc89d84 --- /dev/null +++ b/queue-4.19/spi-spi-sun6i-fix-chipselect-clock-bug.patch @@ -0,0 +1,56 @@ +From da6d40243ca9250a69c0d574818b4b80c133179c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Jun 2021 16:45:07 +0200 +Subject: spi: spi-sun6i: Fix chipselect/clock bug + +From: Mirko Vogt + +[ Upstream commit 0d7993b234c9fad8cb6bec6adfaa74694ba85ecb ] + +The current sun6i SPI implementation initializes the transfer too early, +resulting in SCK going high before the transfer. When using an additional +(gpio) chipselect with sun6i, the chipselect is asserted at a time when +clock is high, making the SPI transfer fail. + +This is due to SUN6I_GBL_CTL_BUS_ENABLE being written into +SUN6I_GBL_CTL_REG at an early stage. Moving that to the transfer +function, hence, right before the transfer starts, mitigates that +problem. + +Fixes: 3558fe900e8af (spi: sunxi: Add Allwinner A31 SPI controller driver) +Signed-off-by: Mirko Vogt +Signed-off-by: Ralf Schlatterbeck +Link: https://lore.kernel.org/r/20210614144507.y3udezjfbko7eavv@runtux.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-sun6i.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-sun6i.c b/drivers/spi/spi-sun6i.c +index 21a22d42818c..ef62366899ad 100644 +--- a/drivers/spi/spi-sun6i.c ++++ b/drivers/spi/spi-sun6i.c +@@ -301,6 +301,10 @@ static int sun6i_spi_transfer_one(struct spi_master *master, + } + + sun6i_spi_write(sspi, SUN6I_CLK_CTL_REG, reg); ++ /* Finally enable the bus - doing so before might raise SCK to HIGH */ ++ reg = sun6i_spi_read(sspi, SUN6I_GBL_CTL_REG); ++ reg |= SUN6I_GBL_CTL_BUS_ENABLE; ++ sun6i_spi_write(sspi, SUN6I_GBL_CTL_REG, reg); + + /* Setup the transfer now... */ + if (sspi->tx_buf) +@@ -409,7 +413,7 @@ static int sun6i_spi_runtime_resume(struct device *dev) + } + + sun6i_spi_write(sspi, SUN6I_GBL_CTL_REG, +- SUN6I_GBL_CTL_BUS_ENABLE | SUN6I_GBL_CTL_MASTER | SUN6I_GBL_CTL_TP); ++ SUN6I_GBL_CTL_MASTER | SUN6I_GBL_CTL_TP); + + return 0; + +-- +2.30.2 + diff --git a/queue-4.19/spi-spi-topcliff-pch-fix-potential-double-free-in-pc.patch b/queue-4.19/spi-spi-topcliff-pch-fix-potential-double-free-in-pc.patch new file mode 100644 index 00000000000..c7e6c63bd85 --- /dev/null +++ b/queue-4.19/spi-spi-topcliff-pch-fix-potential-double-free-in-pc.patch @@ -0,0 +1,42 @@ +From 0056fd90d263eb3ab953bdc5059dcc08919d9877 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 May 2021 15:08:08 +0800 +Subject: spi: spi-topcliff-pch: Fix potential double free in + pch_spi_process_messages() + +From: Jay Fang + +[ Upstream commit 026a1dc1af52742c5897e64a3431445371a71871 ] + +pch_spi_set_tx() frees data->pkt_tx_buff on failure of kzalloc() for +data->pkt_rx_buff, but its caller, pch_spi_process_messages(), will +free data->pkt_tx_buff again. Set data->pkt_tx_buff to NULL after +kfree() to avoid double free. + +Signed-off-by: Jay Fang +Link: https://lore.kernel.org/r/1620284888-65215-1-git-send-email-f.fangjian@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-topcliff-pch.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-topcliff-pch.c b/drivers/spi/spi-topcliff-pch.c +index 8a5966963834..ef19e050612c 100644 +--- a/drivers/spi/spi-topcliff-pch.c ++++ b/drivers/spi/spi-topcliff-pch.c +@@ -584,8 +584,10 @@ static void pch_spi_set_tx(struct pch_spi_data *data, int *bpw) + data->pkt_tx_buff = kzalloc(size, GFP_KERNEL); + if (data->pkt_tx_buff != NULL) { + data->pkt_rx_buff = kzalloc(size, GFP_KERNEL); +- if (!data->pkt_rx_buff) ++ if (!data->pkt_rx_buff) { + kfree(data->pkt_tx_buff); ++ data->pkt_tx_buff = NULL; ++ } + } + + if (!data->pkt_rx_buff) { +-- +2.30.2 + diff --git a/queue-4.19/ssb-fix-error-return-code-in-ssb_bus_scan.patch b/queue-4.19/ssb-fix-error-return-code-in-ssb_bus_scan.patch new file mode 100644 index 00000000000..532e6e0122b --- /dev/null +++ b/queue-4.19/ssb-fix-error-return-code-in-ssb_bus_scan.patch @@ -0,0 +1,41 @@ +From 0e7bd086f8bb75d4f4492aa195c020f73060ee67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 May 2021 15:29:49 +0800 +Subject: ssb: Fix error return code in ssb_bus_scan() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Zhen Lei + +[ Upstream commit 77a0989baa427dbd242c5784d05a53ca3d197d43 ] + +Fix to return -EINVAL from the error handling case instead of 0, as done +elsewhere in this function. + +Fixes: 61e115a56d1a ("[SSB]: add Sonics Silicon Backplane bus support") +Reported-by: Hulk Robot +Signed-off-by: Zhen Lei +Acked-by: Michael Büsch +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210515072949.7151-1-thunder.leizhen@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/ssb/scan.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/ssb/scan.c b/drivers/ssb/scan.c +index 6ceee98ed6ff..5c7e61cafd19 100644 +--- a/drivers/ssb/scan.c ++++ b/drivers/ssb/scan.c +@@ -325,6 +325,7 @@ int ssb_bus_scan(struct ssb_bus *bus, + if (bus->nr_devices > ARRAY_SIZE(bus->devices)) { + pr_err("More than %d ssb cores found (%d)\n", + SSB_MAX_NR_CORES, bus->nr_devices); ++ err = -EINVAL; + goto err_unmap; + } + if (bus->bustype == SSB_BUSTYPE_SSB) { +-- +2.30.2 + diff --git a/queue-4.19/staging-gdm724x-check-for-buffer-overflow-in-gdm_lte.patch b/queue-4.19/staging-gdm724x-check-for-buffer-overflow-in-gdm_lte.patch new file mode 100644 index 00000000000..f34709ca93f --- /dev/null +++ b/queue-4.19/staging-gdm724x-check-for-buffer-overflow-in-gdm_lte.patch @@ -0,0 +1,61 @@ +From c320605b8c5f0c5370889fb164920a1249a172d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Jun 2021 12:55:35 +0300 +Subject: staging: gdm724x: check for buffer overflow in + gdm_lte_multi_sdu_pkt() + +From: Dan Carpenter + +[ Upstream commit 4a36e160856db8a8ddd6a3d2e5db5a850ab87f82 ] + +There needs to be a check to verify that we don't read beyond the end +of "buf". This function is called from do_rx(). The "buf" is the USB +transfer_buffer and "len" is "urb->actual_length". + +Fixes: 61e121047645 ("staging: gdm7240: adding LTE USB driver") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/YMcnl4zCwGWGDVMG@mwanda +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/gdm724x/gdm_lte.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/staging/gdm724x/gdm_lte.c b/drivers/staging/gdm724x/gdm_lte.c +index 3c2aab7a921e..25135980349a 100644 +--- a/drivers/staging/gdm724x/gdm_lte.c ++++ b/drivers/staging/gdm724x/gdm_lte.c +@@ -677,6 +677,7 @@ static void gdm_lte_multi_sdu_pkt(struct phy_dev *phy_dev, char *buf, int len) + struct sdu *sdu = NULL; + u8 endian = phy_dev->get_endian(phy_dev->priv_dev); + u8 *data = (u8 *)multi_sdu->data; ++ int copied; + u16 i = 0; + u16 num_packet; + u16 hci_len; +@@ -688,6 +689,12 @@ static void gdm_lte_multi_sdu_pkt(struct phy_dev *phy_dev, char *buf, int len) + num_packet = gdm_dev16_to_cpu(endian, multi_sdu->num_packet); + + for (i = 0; i < num_packet; i++) { ++ copied = data - multi_sdu->data; ++ if (len < copied + sizeof(*sdu)) { ++ pr_err("rx prevent buffer overflow"); ++ return; ++ } ++ + sdu = (struct sdu *)data; + + cmd_evt = gdm_dev16_to_cpu(endian, sdu->cmd_evt); +@@ -698,7 +705,8 @@ static void gdm_lte_multi_sdu_pkt(struct phy_dev *phy_dev, char *buf, int len) + pr_err("rx sdu wrong hci %04x\n", cmd_evt); + return; + } +- if (hci_len < 12) { ++ if (hci_len < 12 || ++ len < copied + sizeof(*sdu) + (hci_len - 12)) { + pr_err("rx sdu invalid len %d\n", hci_len); + return; + } +-- +2.30.2 + diff --git a/queue-4.19/staging-gdm724x-check-for-overflow-in-gdm_lte_netif_.patch b/queue-4.19/staging-gdm724x-check-for-overflow-in-gdm_lte_netif_.patch new file mode 100644 index 00000000000..6ee3892e193 --- /dev/null +++ b/queue-4.19/staging-gdm724x-check-for-overflow-in-gdm_lte_netif_.patch @@ -0,0 +1,45 @@ +From ed22bd4ab8fab18e96f10d2af5c004eebc5b334c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Jun 2021 12:58:36 +0300 +Subject: staging: gdm724x: check for overflow in gdm_lte_netif_rx() + +From: Dan Carpenter + +[ Upstream commit 7002b526f4ff1f6da34356e67085caafa6be383a ] + +This code assumes that "len" is at least 62 bytes, but we need a check +to prevent a read overflow. + +Fixes: 61e121047645 ("staging: gdm7240: adding LTE USB driver") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/YMcoTPsCYlhh2TQo@mwanda +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/gdm724x/gdm_lte.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/staging/gdm724x/gdm_lte.c b/drivers/staging/gdm724x/gdm_lte.c +index 25135980349a..3c537807f4d1 100644 +--- a/drivers/staging/gdm724x/gdm_lte.c ++++ b/drivers/staging/gdm724x/gdm_lte.c +@@ -611,10 +611,12 @@ static void gdm_lte_netif_rx(struct net_device *dev, char *buf, + * bytes (99,130,83,99 dec) + */ + } __packed; +- void *addr = buf + sizeof(struct iphdr) + +- sizeof(struct udphdr) + +- offsetof(struct dhcp_packet, chaddr); +- ether_addr_copy(nic->dest_mac_addr, addr); ++ int offset = sizeof(struct iphdr) + ++ sizeof(struct udphdr) + ++ offsetof(struct dhcp_packet, chaddr); ++ if (offset + ETH_ALEN > len) ++ return; ++ ether_addr_copy(nic->dest_mac_addr, buf + offset); + } + } + +-- +2.30.2 + diff --git a/queue-4.19/staging-mt7621-dts-fix-pci-address-for-pci-memory-ra.patch b/queue-4.19/staging-mt7621-dts-fix-pci-address-for-pci-memory-ra.patch new file mode 100644 index 00000000000..f0c1279e2d8 --- /dev/null +++ b/queue-4.19/staging-mt7621-dts-fix-pci-address-for-pci-memory-ra.patch @@ -0,0 +1,54 @@ +From 021128d92a1f72ba710f9b4360a26c5cef95148c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Jun 2021 12:06:17 +0200 +Subject: staging: mt7621-dts: fix pci address for PCI memory range + +From: Sergio Paracuellos + +[ Upstream commit 5b4f167ef3555ec4c334a8dc89c1b44bb2c6bff5 ] + +Driver code call 'devm_of_pci_get_host_bridge_resources' +to get resources and properly fill 'bridge->windows' and +'bridge->dma_ranges'. After parsing the ranges and store +as resources, at the end it makes a call to pci function +'pci_add_resource_offset' to set the offset for the +memory resource. To calculate offset, resource start address +subtracts pci address of the range. MT7621 does not need +any offset for the memory resource. Moreover, setting an +offset got into 'WARN_ON' calls from pci devices driver code. +Until now memory range pci_addr was being '0x00000000' and +res->start is '0x60000000' but becase pci controller driver +was manually setting resources and adding them using pci function +'pci_add_resource' where a zero is passed as offset, things +was properly working. Since PCI_IOBASE is defined now for +ralink we don't set nothing manually anymore so we have to +properly fix PCI address for this range to make things work +and the new pci address must be set to '0x60000000'. Doing +in this way the subtract result obtain zero as offset +and pci device driver code properly works. + +Fixes: d59578da2bb8 ("staging: mt7621-dts: add dts files") +Signed-off-by: Sergio Paracuellos +Link: https://lore.kernel.org/r/20210614100617.28753-4-sergio.paracuellos@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/mt7621-dts/mt7621.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/staging/mt7621-dts/mt7621.dtsi b/drivers/staging/mt7621-dts/mt7621.dtsi +index 2e837e60663a..9891e53e7895 100644 +--- a/drivers/staging/mt7621-dts/mt7621.dtsi ++++ b/drivers/staging/mt7621-dts/mt7621.dtsi +@@ -409,7 +409,7 @@ + + bus-range = <0 255>; + ranges = < +- 0x02000000 0 0x00000000 0x60000000 0 0x10000000 /* pci memory */ ++ 0x02000000 0 0x60000000 0x60000000 0 0x10000000 /* pci memory */ + 0x01000000 0 0x00000000 0x1e160000 0 0x00010000 /* io space */ + >; + +-- +2.30.2 + diff --git a/queue-4.19/tools-bpftool-fix-error-return-code-in-do_batch.patch b/queue-4.19/tools-bpftool-fix-error-return-code-in-do_batch.patch new file mode 100644 index 00000000000..0b492f19d71 --- /dev/null +++ b/queue-4.19/tools-bpftool-fix-error-return-code-in-do_batch.patch @@ -0,0 +1,42 @@ +From 5120ba0ec0b1483f5a6a6d8fa9ada9a677f5f947 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jun 2021 19:59:16 +0800 +Subject: tools/bpftool: Fix error return code in do_batch() + +From: Zhihao Cheng + +[ Upstream commit ca16b429f39b4ce013bfa7e197f25681e65a2a42 ] + +Fix to return a negative error code from the error handling +case instead of 0, as done elsewhere in this function. + +Fixes: 668da745af3c2 ("tools: bpftool: add support for quotations ...") +Reported-by: Hulk Robot +Signed-off-by: Zhihao Cheng +Signed-off-by: Andrii Nakryiko +Reviewed-by: Quentin Monnet +Link: https://lore.kernel.org/bpf/20210609115916.2186872-1-chengzhihao1@huawei.com +Signed-off-by: Sasha Levin +--- + tools/bpf/bpftool/main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tools/bpf/bpftool/main.c b/tools/bpf/bpftool/main.c +index d15a62be6cf0..37610144f6b0 100644 +--- a/tools/bpf/bpftool/main.c ++++ b/tools/bpf/bpftool/main.c +@@ -291,8 +291,10 @@ static int do_batch(int argc, char **argv) + n_argc = make_args(buf, n_argv, BATCH_ARG_NB_MAX, lines); + if (!n_argc) + continue; +- if (n_argc < 0) ++ if (n_argc < 0) { ++ err = n_argc; + goto err_close; ++ } + + if (json_output) { + jsonw_start_object(json_wtr); +-- +2.30.2 + diff --git a/queue-4.19/tty-nozomi-fix-a-resource-leak-in-an-error-handling-.patch b/queue-4.19/tty-nozomi-fix-a-resource-leak-in-an-error-handling-.patch new file mode 100644 index 00000000000..3153a678d5f --- /dev/null +++ b/queue-4.19/tty-nozomi-fix-a-resource-leak-in-an-error-handling-.patch @@ -0,0 +1,39 @@ +From 4df95c140d5dbcec64bb9b5505298ad470c90995 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 May 2021 19:22:33 +0200 +Subject: tty: nozomi: Fix a resource leak in an error handling function + +From: Christophe JAILLET + +[ Upstream commit 31a9a318255960d32ae183e95d0999daf2418608 ] + +A 'request_irq()' call is not balanced by a corresponding 'free_irq()' in +the error handling path, as already done in the remove function. + +Add it. + +Fixes: 9842c38e9176 ("kfifo: fix warn_unused_result") +Reviewed-by: Jiri Slaby +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/4f0d2b3038e82f081d370ccb0cade3ad88463fe7.1620580838.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/nozomi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/tty/nozomi.c b/drivers/tty/nozomi.c +index fed820e9ab9d..8dde9412a1aa 100644 +--- a/drivers/tty/nozomi.c ++++ b/drivers/tty/nozomi.c +@@ -1445,6 +1445,7 @@ err_free_tty: + tty_unregister_device(ntty_driver, dc->index_start + i); + tty_port_destroy(&dc->port[i].port); + } ++ free_irq(pdev->irq, dc); + err_free_kfifo: + for (i = 0; i < MAX_PORT; i++) + kfifo_free(&dc->port[i].fifo_ul); +-- +2.30.2 + diff --git a/queue-4.19/tty-nozomi-fix-the-error-handling-path-of-nozomi_car.patch b/queue-4.19/tty-nozomi-fix-the-error-handling-path-of-nozomi_car.patch new file mode 100644 index 00000000000..33478dc37d8 --- /dev/null +++ b/queue-4.19/tty-nozomi-fix-the-error-handling-path-of-nozomi_car.patch @@ -0,0 +1,58 @@ +From 94bdd0b4340db5ae7f5301821d3a859f3207ed0b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 May 2021 20:51:57 +0200 +Subject: tty: nozomi: Fix the error handling path of 'nozomi_card_init()' + +From: Christophe JAILLET + +[ Upstream commit 6ae7d0f5a92b9619f6e3c307ce56b2cefff3f0e9 ] + +The error handling path is broken and we may un-register things that have +never been registered. + +Update the loops index accordingly. + +Fixes: 9842c38e9176 ("kfifo: fix warn_unused_result") +Suggested-by: Dan Carpenter +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/e28c2e92c7475da25b03d022ea2d6dcf1ba807a2.1621968629.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/nozomi.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/tty/nozomi.c b/drivers/tty/nozomi.c +index 8dde9412a1aa..f291f4b06b68 100644 +--- a/drivers/tty/nozomi.c ++++ b/drivers/tty/nozomi.c +@@ -1403,7 +1403,7 @@ static int nozomi_card_init(struct pci_dev *pdev, + NOZOMI_NAME, dc); + if (unlikely(ret)) { + dev_err(&pdev->dev, "can't request irq %d\n", pdev->irq); +- goto err_free_kfifo; ++ goto err_free_all_kfifo; + } + + DBG1("base_addr: %p", dc->base_addr); +@@ -1441,13 +1441,15 @@ static int nozomi_card_init(struct pci_dev *pdev, + return 0; + + err_free_tty: +- for (i = 0; i < MAX_PORT; ++i) { ++ for (i--; i >= 0; i--) { + tty_unregister_device(ntty_driver, dc->index_start + i); + tty_port_destroy(&dc->port[i].port); + } + free_irq(pdev->irq, dc); ++err_free_all_kfifo: ++ i = MAX_PORT; + err_free_kfifo: +- for (i = 0; i < MAX_PORT; i++) ++ for (i--; i >= PORT_MDM; i--) + kfifo_free(&dc->port[i].fifo_ul); + err_free_sbuf: + kfree(dc->send_buf); +-- +2.30.2 + diff --git a/queue-4.19/vfio-pci-handle-concurrent-vma-faults.patch b/queue-4.19/vfio-pci-handle-concurrent-vma-faults.patch new file mode 100644 index 00000000000..cefd3c0c9ef --- /dev/null +++ b/queue-4.19/vfio-pci-handle-concurrent-vma-faults.patch @@ -0,0 +1,124 @@ +From ec516be34833eb38f79b0f4d207d2e81c8c02bd5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Jun 2021 14:08:12 -0600 +Subject: vfio/pci: Handle concurrent vma faults + +From: Alex Williamson + +[ Upstream commit 6a45ece4c9af473555f01f0f8b97eba56e3c7d0d ] + +io_remap_pfn_range() will trigger a BUG_ON if it encounters a +populated pte within the mapping range. This can occur because we map +the entire vma on fault and multiple faults can be blocked behind the +vma_lock. This leads to traces like the one reported below. + +We can use our vma_list to test whether a given vma is mapped to avoid +this issue. + +[ 1591.733256] kernel BUG at mm/memory.c:2177! +[ 1591.739515] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP +[ 1591.747381] Modules linked in: vfio_iommu_type1 vfio_pci vfio_virqfd vfio pv680_mii(O) +[ 1591.760536] CPU: 2 PID: 227 Comm: lcore-worker-2 Tainted: G O 5.11.0-rc3+ #1 +[ 1591.770735] Hardware name: , BIOS HixxxxFPGA 1P B600 V121-1 +[ 1591.778872] pstate: 40400009 (nZcv daif +PAN -UAO -TCO BTYPE=--) +[ 1591.786134] pc : remap_pfn_range+0x214/0x340 +[ 1591.793564] lr : remap_pfn_range+0x1b8/0x340 +[ 1591.799117] sp : ffff80001068bbd0 +[ 1591.803476] x29: ffff80001068bbd0 x28: 0000042eff6f0000 +[ 1591.810404] x27: 0000001100910000 x26: 0000001300910000 +[ 1591.817457] x25: 0068000000000fd3 x24: ffffa92f1338e358 +[ 1591.825144] x23: 0000001140000000 x22: 0000000000000041 +[ 1591.832506] x21: 0000001300910000 x20: ffffa92f141a4000 +[ 1591.839520] x19: 0000001100a00000 x18: 0000000000000000 +[ 1591.846108] x17: 0000000000000000 x16: ffffa92f11844540 +[ 1591.853570] x15: 0000000000000000 x14: 0000000000000000 +[ 1591.860768] x13: fffffc0000000000 x12: 0000000000000880 +[ 1591.868053] x11: ffff0821bf3d01d0 x10: ffff5ef2abd89000 +[ 1591.875932] x9 : ffffa92f12ab0064 x8 : ffffa92f136471c0 +[ 1591.883208] x7 : 0000001140910000 x6 : 0000000200000000 +[ 1591.890177] x5 : 0000000000000001 x4 : 0000000000000001 +[ 1591.896656] x3 : 0000000000000000 x2 : 0168044000000fd3 +[ 1591.903215] x1 : ffff082126261880 x0 : fffffc2084989868 +[ 1591.910234] Call trace: +[ 1591.914837] remap_pfn_range+0x214/0x340 +[ 1591.921765] vfio_pci_mmap_fault+0xac/0x130 [vfio_pci] +[ 1591.931200] __do_fault+0x44/0x12c +[ 1591.937031] handle_mm_fault+0xcc8/0x1230 +[ 1591.942475] do_page_fault+0x16c/0x484 +[ 1591.948635] do_translation_fault+0xbc/0xd8 +[ 1591.954171] do_mem_abort+0x4c/0xc0 +[ 1591.960316] el0_da+0x40/0x80 +[ 1591.965585] el0_sync_handler+0x168/0x1b0 +[ 1591.971608] el0_sync+0x174/0x180 +[ 1591.978312] Code: eb1b027f 540000c0 f9400022 b4fffe02 (d4210000) + +Fixes: 11c4cd07ba11 ("vfio-pci: Fault mmaps to enable vma tracking") +Reported-by: Zeng Tao +Suggested-by: Zeng Tao +Link: https://lore.kernel.org/r/162497742783.3883260.3282953006487785034.stgit@omen +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/pci/vfio_pci.c | 29 +++++++++++++++++++++-------- + 1 file changed, 21 insertions(+), 8 deletions(-) + +diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c +index c48e1d84efb6..51b791c750f1 100644 +--- a/drivers/vfio/pci/vfio_pci.c ++++ b/drivers/vfio/pci/vfio_pci.c +@@ -1359,6 +1359,7 @@ static vm_fault_t vfio_pci_mmap_fault(struct vm_fault *vmf) + { + struct vm_area_struct *vma = vmf->vma; + struct vfio_pci_device *vdev = vma->vm_private_data; ++ struct vfio_pci_mmap_vma *mmap_vma; + vm_fault_t ret = VM_FAULT_NOPAGE; + + mutex_lock(&vdev->vma_lock); +@@ -1366,24 +1367,36 @@ static vm_fault_t vfio_pci_mmap_fault(struct vm_fault *vmf) + + if (!__vfio_pci_memory_enabled(vdev)) { + ret = VM_FAULT_SIGBUS; +- mutex_unlock(&vdev->vma_lock); + goto up_out; + } + +- if (__vfio_pci_add_vma(vdev, vma)) { +- ret = VM_FAULT_OOM; +- mutex_unlock(&vdev->vma_lock); +- goto up_out; ++ /* ++ * We populate the whole vma on fault, so we need to test whether ++ * the vma has already been mapped, such as for concurrent faults ++ * to the same vma. io_remap_pfn_range() will trigger a BUG_ON if ++ * we ask it to fill the same range again. ++ */ ++ list_for_each_entry(mmap_vma, &vdev->vma_list, vma_next) { ++ if (mmap_vma->vma == vma) ++ goto up_out; + } + +- mutex_unlock(&vdev->vma_lock); +- + if (io_remap_pfn_range(vma, vma->vm_start, vma->vm_pgoff, +- vma->vm_end - vma->vm_start, vma->vm_page_prot)) ++ vma->vm_end - vma->vm_start, ++ vma->vm_page_prot)) { + ret = VM_FAULT_SIGBUS; ++ zap_vma_ptes(vma, vma->vm_start, vma->vm_end - vma->vm_start); ++ goto up_out; ++ } ++ ++ if (__vfio_pci_add_vma(vdev, vma)) { ++ ret = VM_FAULT_OOM; ++ zap_vma_ptes(vma, vma->vm_start, vma->vm_end - vma->vm_start); ++ } + + up_out: + up_read(&vdev->memory_lock); ++ mutex_unlock(&vdev->vma_lock); + return ret; + } + +-- +2.30.2 + diff --git a/queue-4.19/visorbus-fix-error-return-code-in-visorchipset_init.patch b/queue-4.19/visorbus-fix-error-return-code-in-visorchipset_init.patch new file mode 100644 index 00000000000..729151164f4 --- /dev/null +++ b/queue-4.19/visorbus-fix-error-return-code-in-visorchipset_init.patch @@ -0,0 +1,58 @@ +From 44456107b8347ca5f7faab9767ddb6266baf6333 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 May 2021 16:26:14 +0800 +Subject: visorbus: fix error return code in visorchipset_init() + +From: Zhen Lei + +[ Upstream commit ce52ec5beecc1079c251f60e3973b3758f60eb59 ] + +Commit 1366a3db3dcf ("staging: unisys: visorbus: visorchipset_init clean +up gotos") assigns the initial value -ENODEV to the local variable 'err', +and the first several error branches will return this value after "goto +error". But commit f1f537c2e7f5 ("staging: unisys: visorbus: Consolidate +controlvm channel creation.") overwrites 'err' in the middle of the way. +As a result, some error branches do not successfully return the initial +value -ENODEV of 'err', but return 0. + +In addition, when kzalloc() fails, -ENOMEM should be returned instead of +-ENODEV. + +Fixes: f1f537c2e7f5 ("staging: unisys: visorbus: Consolidate controlvm channel creation.") +Reported-by: Hulk Robot +Signed-off-by: Zhen Lei +Link: https://lore.kernel.org/r/20210528082614.9337-1-thunder.leizhen@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/visorbus/visorchipset.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/visorbus/visorchipset.c b/drivers/visorbus/visorchipset.c +index cb1eb7e05f87..5668cad86e37 100644 +--- a/drivers/visorbus/visorchipset.c ++++ b/drivers/visorbus/visorchipset.c +@@ -1561,7 +1561,7 @@ schedule_out: + + static int visorchipset_init(struct acpi_device *acpi_device) + { +- int err = -ENODEV; ++ int err = -ENOMEM; + struct visorchannel *controlvm_channel; + + chipset_dev = kzalloc(sizeof(*chipset_dev), GFP_KERNEL); +@@ -1584,8 +1584,10 @@ static int visorchipset_init(struct acpi_device *acpi_device) + "controlvm", + sizeof(struct visor_controlvm_channel), + VISOR_CONTROLVM_CHANNEL_VERSIONID, +- VISOR_CHANNEL_SIGNATURE)) ++ VISOR_CHANNEL_SIGNATURE)) { ++ err = -ENODEV; + goto error_delete_groups; ++ } + /* if booting in a crash kernel */ + if (is_kdump_kernel()) + INIT_DELAYED_WORK(&chipset_dev->periodic_controlvm_work, +-- +2.30.2 + diff --git a/queue-4.19/vxlan-add-missing-rcu_read_lock-in-neigh_reduce.patch b/queue-4.19/vxlan-add-missing-rcu_read_lock-in-neigh_reduce.patch new file mode 100644 index 00000000000..5cdbbfc772e --- /dev/null +++ b/queue-4.19/vxlan-add-missing-rcu_read_lock-in-neigh_reduce.patch @@ -0,0 +1,84 @@ +From 6312854d9d99bba60d0fb9c9e64f76e955df8910 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Jun 2021 07:44:17 -0700 +Subject: vxlan: add missing rcu_read_lock() in neigh_reduce() + +From: Eric Dumazet + +[ Upstream commit 85e8b032d6ebb0f698a34dd22c2f13443d905888 ] + +syzbot complained in neigh_reduce(), because rcu_read_lock_bh() +is treated differently than rcu_read_lock() + +WARNING: suspicious RCU usage +5.13.0-rc6-syzkaller #0 Not tainted +----------------------------- +include/net/addrconf.h:313 suspicious rcu_dereference_check() usage! + +other info that might help us debug this: + +rcu_scheduler_active = 2, debug_locks = 1 +3 locks held by kworker/0:0/5: + #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline] + #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline] + #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: atomic_long_set include/asm-generic/atomic-long.h:41 [inline] + #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:617 [inline] + #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:644 [inline] + #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x871/0x1600 kernel/workqueue.c:2247 + #1: ffffc90000ca7da8 ((work_completion)(&port->wq)){+.+.}-{0:0}, at: process_one_work+0x8a5/0x1600 kernel/workqueue.c:2251 + #2: ffffffff8bf795c0 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x1da/0x3130 net/core/dev.c:4180 + +stack backtrace: +CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.13.0-rc6-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Workqueue: events ipvlan_process_multicast +Call Trace: + __dump_stack lib/dump_stack.c:79 [inline] + dump_stack+0x141/0x1d7 lib/dump_stack.c:120 + __in6_dev_get include/net/addrconf.h:313 [inline] + __in6_dev_get include/net/addrconf.h:311 [inline] + neigh_reduce drivers/net/vxlan.c:2167 [inline] + vxlan_xmit+0x34d5/0x4c30 drivers/net/vxlan.c:2919 + __netdev_start_xmit include/linux/netdevice.h:4944 [inline] + netdev_start_xmit include/linux/netdevice.h:4958 [inline] + xmit_one net/core/dev.c:3654 [inline] + dev_hard_start_xmit+0x1eb/0x920 net/core/dev.c:3670 + __dev_queue_xmit+0x2133/0x3130 net/core/dev.c:4246 + ipvlan_process_multicast+0xa99/0xd70 drivers/net/ipvlan/ipvlan_core.c:287 + process_one_work+0x98d/0x1600 kernel/workqueue.c:2276 + worker_thread+0x64c/0x1120 kernel/workqueue.c:2422 + kthread+0x3b1/0x4a0 kernel/kthread.c:313 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 + +Fixes: f564f45c4518 ("vxlan: add ipv6 proxy support") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/vxlan.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c +index 49e8c6d42cda..eacc1e32d547 100644 +--- a/drivers/net/vxlan.c ++++ b/drivers/net/vxlan.c +@@ -1682,6 +1682,7 @@ static int neigh_reduce(struct net_device *dev, struct sk_buff *skb, __be32 vni) + struct neighbour *n; + struct nd_msg *msg; + ++ rcu_read_lock(); + in6_dev = __in6_dev_get(dev); + if (!in6_dev) + goto out; +@@ -1733,6 +1734,7 @@ static int neigh_reduce(struct net_device *dev, struct sk_buff *skb, __be32 vni) + } + + out: ++ rcu_read_unlock(); + consume_skb(skb); + return NETDEV_TX_OK; + } +-- +2.30.2 + diff --git a/queue-4.19/wcn36xx-move-hal_buf-allocation-to-devm_kmalloc-in-p.patch b/queue-4.19/wcn36xx-move-hal_buf-allocation-to-devm_kmalloc-in-p.patch new file mode 100644 index 00000000000..65c8f9b42e1 --- /dev/null +++ b/queue-4.19/wcn36xx-move-hal_buf-allocation-to-devm_kmalloc-in-p.patch @@ -0,0 +1,92 @@ +From 503a8c6a36970f8649a61008ed29da9e55092be0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Jun 2021 18:33:47 +0100 +Subject: wcn36xx: Move hal_buf allocation to devm_kmalloc in probe + +From: Bryan O'Donoghue + +[ Upstream commit ef48667557c53d4b51a1ee3090eab7699324c9de ] + +Right now wcn->hal_buf is allocated in wcn36xx_start(). This is a problem +since we should have setup all of the buffers we required by the time +ieee80211_register_hw() is called. + +struct ieee80211_ops callbacks may run prior to mac_start() and therefore +wcn->hal_buf must be initialized. + +This is easily remediated by moving the allocation to probe() taking the +opportunity to tidy up freeing memory by using devm_kmalloc(). + +Fixes: 8e84c2582169 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680 hardware") +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210605173347.2266003-1-bryan.odonoghue@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/wcn36xx/main.c | 21 ++++++++------------- + 1 file changed, 8 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/wireless/ath/wcn36xx/main.c b/drivers/net/wireless/ath/wcn36xx/main.c +index 46ae4ec4ad47..556ba3c6c5d8 100644 +--- a/drivers/net/wireless/ath/wcn36xx/main.c ++++ b/drivers/net/wireless/ath/wcn36xx/main.c +@@ -293,23 +293,16 @@ static int wcn36xx_start(struct ieee80211_hw *hw) + goto out_free_dxe_pool; + } + +- wcn->hal_buf = kmalloc(WCN36XX_HAL_BUF_SIZE, GFP_KERNEL); +- if (!wcn->hal_buf) { +- wcn36xx_err("Failed to allocate smd buf\n"); +- ret = -ENOMEM; +- goto out_free_dxe_ctl; +- } +- + ret = wcn36xx_smd_load_nv(wcn); + if (ret) { + wcn36xx_err("Failed to push NV to chip\n"); +- goto out_free_smd_buf; ++ goto out_free_dxe_ctl; + } + + ret = wcn36xx_smd_start(wcn); + if (ret) { + wcn36xx_err("Failed to start chip\n"); +- goto out_free_smd_buf; ++ goto out_free_dxe_ctl; + } + + if (!wcn36xx_is_fw_version(wcn, 1, 2, 2, 24)) { +@@ -336,8 +329,6 @@ static int wcn36xx_start(struct ieee80211_hw *hw) + + out_smd_stop: + wcn36xx_smd_stop(wcn); +-out_free_smd_buf: +- kfree(wcn->hal_buf); + out_free_dxe_ctl: + wcn36xx_dxe_free_ctl_blks(wcn); + out_free_dxe_pool: +@@ -374,8 +365,6 @@ static void wcn36xx_stop(struct ieee80211_hw *hw) + + wcn36xx_dxe_free_mem_pools(wcn); + wcn36xx_dxe_free_ctl_blks(wcn); +- +- kfree(wcn->hal_buf); + } + + static int wcn36xx_config(struct ieee80211_hw *hw, u32 changed) +@@ -1322,6 +1311,12 @@ static int wcn36xx_probe(struct platform_device *pdev) + mutex_init(&wcn->hal_mutex); + mutex_init(&wcn->scan_lock); + ++ wcn->hal_buf = devm_kmalloc(wcn->dev, WCN36XX_HAL_BUF_SIZE, GFP_KERNEL); ++ if (!wcn->hal_buf) { ++ ret = -ENOMEM; ++ goto out_wq; ++ } ++ + ret = dma_set_mask_and_coherent(wcn->dev, DMA_BIT_MASK(32)); + if (ret < 0) { + wcn36xx_err("failed to set DMA mask: %d\n", ret); +-- +2.30.2 + diff --git a/queue-4.19/wireless-carl9170-fix-leds-build-errors-warnings.patch b/queue-4.19/wireless-carl9170-fix-leds-build-errors-warnings.patch new file mode 100644 index 00000000000..e6b66d59164 --- /dev/null +++ b/queue-4.19/wireless-carl9170-fix-leds-build-errors-warnings.patch @@ -0,0 +1,66 @@ +From 0c2f98ec2453715d95261baa93d80e8e323bd834 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 May 2021 17:41:28 +0300 +Subject: wireless: carl9170: fix LEDS build errors & warnings + +From: Randy Dunlap + +[ Upstream commit 272fdc0c4542fad173b44965be02a16d6db95499 ] + +kernel test robot reports over 200 build errors and warnings +that are due to this Kconfig problem when CARL9170=m, +MAC80211=y, and LEDS_CLASS=m. + +WARNING: unmet direct dependencies detected for MAC80211_LEDS + Depends on [n]: NET [=y] && WIRELESS [=y] && MAC80211 [=y] && (LEDS_CLASS [=m]=y || LEDS_CLASS [=m]=MAC80211 [=y]) + Selected by [m]: + - CARL9170_LEDS [=y] && NETDEVICES [=y] && WLAN [=y] && WLAN_VENDOR_ATH [=y] && CARL9170 [=m] + +CARL9170_LEDS selects MAC80211_LEDS even though its kconfig +dependencies are not met. This happens because 'select' does not follow +any Kconfig dependency chains. + +Fix this by making CARL9170_LEDS depend on MAC80211_LEDS, where +the latter supplies any needed dependencies on LEDS_CLASS. + +Fixes: 1d7e1e6b1b8ed ("carl9170: Makefile, Kconfig files and MAINTAINERS") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Cc: Kalle Valo +Cc: Christian Lamparter +Cc: linux-wireless@vger.kernel.org +Cc: Arnd Bergmann +Suggested-by: Christian Lamparter +Acked-by: Arnd Bergmann +Acked-by: Christian Lamparter +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210530031134.23274-1-rdunlap@infradead.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/carl9170/Kconfig | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/ath/carl9170/Kconfig b/drivers/net/wireless/ath/carl9170/Kconfig +index 2e34baeaf764..2b782db20fde 100644 +--- a/drivers/net/wireless/ath/carl9170/Kconfig ++++ b/drivers/net/wireless/ath/carl9170/Kconfig +@@ -15,13 +15,11 @@ config CARL9170 + + config CARL9170_LEDS + bool "SoftLED Support" +- depends on CARL9170 +- select MAC80211_LEDS +- select LEDS_CLASS +- select NEW_LEDS + default y ++ depends on CARL9170 ++ depends on MAC80211_LEDS + help +- This option is necessary, if you want your device' LEDs to blink ++ This option is necessary, if you want your device's LEDs to blink. + + Say Y, unless you need the LEDs for firmware debugging. + +-- +2.30.2 + diff --git a/queue-4.19/writeback-fix-obtain-a-reference-to-a-freeing-memcg-.patch b/queue-4.19/writeback-fix-obtain-a-reference-to-a-freeing-memcg-.patch new file mode 100644 index 00000000000..b6076a22e5d --- /dev/null +++ b/queue-4.19/writeback-fix-obtain-a-reference-to-a-freeing-memcg-.patch @@ -0,0 +1,61 @@ +From 9740b967ce47c0cae31e7042736c5af858aa358b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Apr 2021 17:11:45 +0800 +Subject: writeback: fix obtain a reference to a freeing memcg css + +From: Muchun Song + +[ Upstream commit 8b0ed8443ae6458786580d36b7d5f8125535c5d4 ] + +The caller of wb_get_create() should pin the memcg, because +wb_get_create() relies on this guarantee. The rcu read lock +only can guarantee that the memcg css returned by css_from_id() +cannot be released, but the reference of the memcg can be zero. + + rcu_read_lock() + memcg_css = css_from_id() + wb_get_create(memcg_css) + cgwb_create(memcg_css) + // css_get can change the ref counter from 0 back to 1 + css_get(memcg_css) + rcu_read_unlock() + +Fix it by holding a reference to the css before calling +wb_get_create(). This is not a problem I encountered in the +real world. Just the result of a code review. + +Fixes: 682aa8e1a6a1 ("writeback: implement unlocked_inode_to_wb transaction and use it for stat updates") +Link: https://lore.kernel.org/r/20210402091145.80635-1-songmuchun@bytedance.com +Signed-off-by: Muchun Song +Acked-by: Michal Hocko +Acked-by: Tejun Heo +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/fs-writeback.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c +index fc9167e65287..869a34a48958 100644 +--- a/fs/fs-writeback.c ++++ b/fs/fs-writeback.c +@@ -512,9 +512,14 @@ static void inode_switch_wbs(struct inode *inode, int new_wb_id) + /* find and pin the new wb */ + rcu_read_lock(); + memcg_css = css_from_id(new_wb_id, &memory_cgrp_subsys); +- if (memcg_css) +- isw->new_wb = wb_get_create(bdi, memcg_css, GFP_ATOMIC); ++ if (memcg_css && !css_tryget(memcg_css)) ++ memcg_css = NULL; + rcu_read_unlock(); ++ if (!memcg_css) ++ goto out_free; ++ ++ isw->new_wb = wb_get_create(bdi, memcg_css, GFP_ATOMIC); ++ css_put(memcg_css); + if (!isw->new_wb) + goto out_free; + +-- +2.30.2 +