From: Sasha Levin Date: Mon, 13 Sep 2021 01:33:31 +0000 (-0400) Subject: Fixes for 4.19 X-Git-Tag: v5.4.146~45 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=511ebfaad72767f1107aaa60b784ec94d27b0c8b;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/arm64-dts-exynos-correct-gic-cpu-interfaces-address-.patch b/queue-4.19/arm64-dts-exynos-correct-gic-cpu-interfaces-address-.patch new file mode 100644 index 00000000000..40d15cd6726 --- /dev/null +++ b/queue-4.19/arm64-dts-exynos-correct-gic-cpu-interfaces-address-.patch @@ -0,0 +1,41 @@ +From 446da72483671bf5be07544afbd476eebe984f33 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Aug 2021 09:21:10 +0200 +Subject: arm64: dts: exynos: correct GIC CPU interfaces address range on + Exynos7 + +From: Krzysztof Kozlowski + +[ Upstream commit 01c72cad790cb6cd3ccbe4c1402b6cb6c6bbffd0 ] + +The GIC-400 CPU interfaces address range is defined as 0x2000-0x3FFF (by +ARM). + +Reported-by: Sam Protsenko +Reported-by: Marc Zyngier +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Sam Protsenko +Reviewed-by: Alim Akhtar +Fixes: b9024cbc937d ("arm64: dts: Add initial device tree support for exynos7") +Link: https://lore.kernel.org/r/20210805072110.4730-1-krzysztof.kozlowski@canonical.com +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/exynos/exynos7.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/exynos/exynos7.dtsi b/arch/arm64/boot/dts/exynos/exynos7.dtsi +index 5c5e57026c27..c607297922fd 100644 +--- a/arch/arm64/boot/dts/exynos/exynos7.dtsi ++++ b/arch/arm64/boot/dts/exynos/exynos7.dtsi +@@ -91,7 +91,7 @@ + #address-cells = <0>; + interrupt-controller; + reg = <0x11001000 0x1000>, +- <0x11002000 0x1000>, ++ <0x11002000 0x2000>, + <0x11004000 0x2000>, + <0x11006000 0x2000>; + }; +-- +2.30.2 + diff --git a/queue-4.19/ath6kl-wmi-fix-an-error-code-in-ath6kl_wmi_sync_poin.patch b/queue-4.19/ath6kl-wmi-fix-an-error-code-in-ath6kl_wmi_sync_poin.patch new file mode 100644 index 00000000000..d77c77aebe1 --- /dev/null +++ b/queue-4.19/ath6kl-wmi-fix-an-error-code-in-ath6kl_wmi_sync_poin.patch @@ -0,0 +1,42 @@ +From c3bcc468cecd0d49965d6c2fc0912992669b7056 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Aug 2021 14:34:38 +0300 +Subject: ath6kl: wmi: fix an error code in ath6kl_wmi_sync_point() + +From: Dan Carpenter + +[ Upstream commit fd6729ec534cffbbeb3917761e6d1fe6a412d3fe ] + +This error path is unlikely because of it checked for NULL and +returned -ENOMEM earlier in the function. But it should return +an error code here as well if we ever do hit it because of a +race condition or something. + +Fixes: bdcd81707973 ("Add ath6kl cleaned up driver") +Signed-off-by: Dan Carpenter +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210813113438.GB30697@kili +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath6kl/wmi.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath6kl/wmi.c b/drivers/net/wireless/ath/ath6kl/wmi.c +index 987ebae8ea0e..afa7a82ffd5d 100644 +--- a/drivers/net/wireless/ath/ath6kl/wmi.c ++++ b/drivers/net/wireless/ath/ath6kl/wmi.c +@@ -2513,8 +2513,10 @@ static int ath6kl_wmi_sync_point(struct wmi *wmi, u8 if_idx) + goto free_data_skb; + + for (index = 0; index < num_pri_streams; index++) { +- if (WARN_ON(!data_sync_bufs[index].skb)) ++ if (WARN_ON(!data_sync_bufs[index].skb)) { ++ ret = -ENOMEM; + goto free_data_skb; ++ } + + ep_id = ath6kl_ac2_endpoint_id(wmi->parent_dev, + data_sync_bufs[index]. +-- +2.30.2 + diff --git a/queue-4.19/bcache-add-proper-error-unwinding-in-bcache_device_i.patch b/queue-4.19/bcache-add-proper-error-unwinding-in-bcache_device_i.patch new file mode 100644 index 00000000000..5c7335a7375 --- /dev/null +++ b/queue-4.19/bcache-add-proper-error-unwinding-in-bcache_device_i.patch @@ -0,0 +1,69 @@ +From f96b37728fcb4a5899ba9c4ffcbc58fb07f3076e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Aug 2021 08:40:26 +0200 +Subject: bcache: add proper error unwinding in bcache_device_init + +From: Christoph Hellwig + +[ Upstream commit 224b0683228c5f332f9cee615d85e75e9a347170 ] + +Except for the IDA none of the allocations in bcache_device_init is +unwound on error, fix that. + +Signed-off-by: Christoph Hellwig +Acked-by: Coly Li +Link: https://lore.kernel.org/r/20210809064028.1198327-7-hch@lst.de +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/md/bcache/super.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c +index 7787ec42f81e..2df75db52e91 100644 +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -824,20 +824,20 @@ static int bcache_device_init(struct bcache_device *d, unsigned int block_size, + n = BITS_TO_LONGS(d->nr_stripes) * sizeof(unsigned long); + d->full_dirty_stripes = kvzalloc(n, GFP_KERNEL); + if (!d->full_dirty_stripes) +- return -ENOMEM; ++ goto out_free_stripe_sectors_dirty; + + idx = ida_simple_get(&bcache_device_idx, 0, + BCACHE_DEVICE_IDX_MAX, GFP_KERNEL); + if (idx < 0) +- return idx; ++ goto out_free_full_dirty_stripes; + + if (bioset_init(&d->bio_split, 4, offsetof(struct bbio, bio), + BIOSET_NEED_BVECS|BIOSET_NEED_RESCUER)) +- goto err; ++ goto out_ida_remove; + + d->disk = alloc_disk(BCACHE_MINORS); + if (!d->disk) +- goto err; ++ goto out_bioset_exit; + + set_capacity(d->disk, sectors); + snprintf(d->disk->disk_name, DISK_NAME_LEN, "bcache%i", idx); +@@ -872,8 +872,14 @@ static int bcache_device_init(struct bcache_device *d, unsigned int block_size, + + return 0; + +-err: ++out_bioset_exit: ++ bioset_exit(&d->bio_split); ++out_ida_remove: + ida_simple_remove(&bcache_device_idx, idx); ++out_free_full_dirty_stripes: ++ kvfree(d->full_dirty_stripes); ++out_free_stripe_sectors_dirty: ++ kvfree(d->stripe_sectors_dirty); + return -ENOMEM; + + } +-- +2.30.2 + diff --git a/queue-4.19/bcma-fix-memory-leak-for-internally-handled-cores.patch b/queue-4.19/bcma-fix-memory-leak-for-internally-handled-cores.patch new file mode 100644 index 00000000000..230cc2be096 --- /dev/null +++ b/queue-4.19/bcma-fix-memory-leak-for-internally-handled-cores.patch @@ -0,0 +1,65 @@ +From 738376be841aa50d71cf05e24b4ae45eb64125a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Jul 2021 10:52:31 +0800 +Subject: bcma: Fix memory leak for internally-handled cores + +From: Zenghui Yu + +[ Upstream commit b63aed3ff195130fef12e0af590f4838cf0201d8 ] + +kmemleak reported that dev_name() of internally-handled cores were leaked +on driver unbinding. Let's use device_initialize() to take refcounts for +them and put_device() to properly free the related stuff. + +While looking at it, there's another potential issue for those which should +be *registered* into driver core. If device_register() failed, we put +device once and freed bcma_device structures. In bcma_unregister_cores(), +they're treated as unregistered and we hit both UAF and double-free. That +smells not good and has also been fixed now. + +Fixes: ab54bc8460b5 ("bcma: fill core details for every device") +Signed-off-by: Zenghui Yu +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210727025232.663-2-yuzenghui@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/bcma/main.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/bcma/main.c b/drivers/bcma/main.c +index fc1f4acdd189..c0f203deaf0b 100644 +--- a/drivers/bcma/main.c ++++ b/drivers/bcma/main.c +@@ -236,6 +236,7 @@ EXPORT_SYMBOL(bcma_core_irq); + + void bcma_prepare_core(struct bcma_bus *bus, struct bcma_device *core) + { ++ device_initialize(&core->dev); + core->dev.release = bcma_release_core_dev; + core->dev.bus = &bcma_bus_type; + dev_set_name(&core->dev, "bcma%d:%d", bus->num, core->core_index); +@@ -299,11 +300,10 @@ static void bcma_register_core(struct bcma_bus *bus, struct bcma_device *core) + { + int err; + +- err = device_register(&core->dev); ++ err = device_add(&core->dev); + if (err) { + bcma_err(bus, "Could not register dev for core 0x%03X\n", + core->id.id); +- put_device(&core->dev); + return; + } + core->dev_registered = true; +@@ -394,7 +394,7 @@ void bcma_unregister_cores(struct bcma_bus *bus) + /* Now noone uses internally-handled cores, we can free them */ + list_for_each_entry_safe(core, tmp, &bus->cores, list) { + list_del(&core->list); +- kfree(core); ++ put_device(&core->dev); + } + } + +-- +2.30.2 + diff --git a/queue-4.19/block-nbd-add-sanity-check-for-first_minor.patch b/queue-4.19/block-nbd-add-sanity-check-for-first_minor.patch new file mode 100644 index 00000000000..34f0b95a785 --- /dev/null +++ b/queue-4.19/block-nbd-add-sanity-check-for-first_minor.patch @@ -0,0 +1,62 @@ +From 00e00416181706229822e75c561f73c9ff792b43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Aug 2021 12:15:01 +0300 +Subject: block: nbd: add sanity check for first_minor + +From: Pavel Skripkin + +[ Upstream commit b1a811633f7321cf1ae2bb76a66805b7720e44c9 ] + +Syzbot hit WARNING in internal_create_group(). The problem was in +too big disk->first_minor. + +disk->first_minor is initialized by value, which comes from userspace +and there wasn't any sanity checks about value correctness. It can cause +duplicate creation of sysfs files/links, because disk->first_minor will +be passed to MKDEV() which causes truncation to byte. Since maximum +minor value is 0xff, let's check if first_minor is correct minor number. + +NOTE: the root case of the reported warning was in wrong error handling +in register_disk(), but we can avoid passing knowingly wrong values to +sysfs API, because sysfs error messages can confuse users. For example: +user passed 1048576 as index, but sysfs complains about duplicate +creation of /dev/block/43:0. It's not obvious how 1048576 becomes 0. +Log and reproducer for above example can be found on syzkaller bug +report page. + +Link: https://syzkaller.appspot.com/bug?id=03c2ae9146416edf811958d5fd7acfab75b143d1 +Fixes: b0d9111a2d53 ("nbd: use an idr to keep track of nbd devices") +Reported-by: syzbot+9937dc42271cd87d4b98@syzkaller.appspotmail.com +Reviewed-by: Christoph Hellwig +Signed-off-by: Pavel Skripkin +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/nbd.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index 81b955670b12..d50784ac3c3d 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -1685,7 +1685,17 @@ static int nbd_dev_add(int index) + refcount_set(&nbd->refs, 1); + INIT_LIST_HEAD(&nbd->list); + disk->major = NBD_MAJOR; ++ ++ /* Too big first_minor can cause duplicate creation of ++ * sysfs files/links, since first_minor will be truncated to ++ * byte in __device_add_disk(). ++ */ + disk->first_minor = index << part_shift; ++ if (disk->first_minor > 0xff) { ++ err = -EINVAL; ++ goto out_free_idr; ++ } ++ + disk->fops = &nbd_fops; + disk->private_data = nbd; + sprintf(disk->disk_name, "nbd%d", index); +-- +2.30.2 + diff --git a/queue-4.19/bluetooth-add-timeout-sanity-check-to-hci_inquiry.patch b/queue-4.19/bluetooth-add-timeout-sanity-check-to-hci_inquiry.patch new file mode 100644 index 00000000000..3225ba0759b --- /dev/null +++ b/queue-4.19/bluetooth-add-timeout-sanity-check-to-hci_inquiry.patch @@ -0,0 +1,46 @@ +From 3b75def6c1bf49762a3ebb8bc8387e05a9b9f53c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Aug 2021 18:15:21 +0300 +Subject: Bluetooth: add timeout sanity check to hci_inquiry + +From: Pavel Skripkin + +[ Upstream commit f41a4b2b5eb7872109723dab8ae1603bdd9d9ec1 ] + +Syzbot hit "task hung" bug in hci_req_sync(). The problem was in +unreasonable huge inquiry timeout passed from userspace. +Fix it by adding sanity check for timeout value to hci_inquiry(). + +Since hci_inquiry() is the only user of hci_req_sync() with user +controlled timeout value, it makes sense to check timeout value in +hci_inquiry() and don't touch hci_req_sync(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-and-tested-by: syzbot+be2baed593ea56c6a84c@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_core.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index ec6150564f59..26acacb2fa95 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -1296,6 +1296,12 @@ int hci_inquiry(void __user *arg) + goto done; + } + ++ /* Restrict maximum inquiry length to 60 seconds */ ++ if (ir.length > 60) { ++ err = -EINVAL; ++ goto done; ++ } ++ + hci_dev_lock(hdev); + if (inquiry_cache_age(hdev) > INQUIRY_CACHE_AGE_MAX || + inquiry_cache_empty(hdev) || ir.flags & IREQ_CACHE_FLUSH) { +-- +2.30.2 + diff --git a/queue-4.19/bluetooth-fix-repeated-calls-to-sco_sock_kill.patch b/queue-4.19/bluetooth-fix-repeated-calls-to-sco_sock_kill.patch new file mode 100644 index 00000000000..bbdbf417ce6 --- /dev/null +++ b/queue-4.19/bluetooth-fix-repeated-calls-to-sco_sock_kill.patch @@ -0,0 +1,86 @@ +From 27e269a8ecb18a148bbf9dfaa865f297dfab78b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Aug 2021 12:14:10 +0800 +Subject: Bluetooth: fix repeated calls to sco_sock_kill + +From: Desmond Cheong Zhi Xi + +[ Upstream commit e1dee2c1de2b4dd00eb44004a4bda6326ed07b59 ] + +In commit 4e1a720d0312 ("Bluetooth: avoid killing an already killed +socket"), a check was added to sco_sock_kill to skip killing a socket +if the SOCK_DEAD flag was set. + +This was done after a trace for a use-after-free bug showed that the +same sock pointer was being killed twice. + +Unfortunately, this check prevents sco_sock_kill from running on any +socket. sco_sock_kill kills a socket only if it's zapped and orphaned, +however sock_orphan announces that the socket is dead before detaching +it. i.e., orphaned sockets have the SOCK_DEAD flag set. + +To fix this, we remove the check for SOCK_DEAD, and avoid repeated +calls to sco_sock_kill by removing incorrect calls in: + +1. sco_sock_timeout. The socket should not be killed on timeout as +further processing is expected to be done. For example, +sco_sock_connect sets the timer then waits for the socket to be +connected or for an error to be returned. + +2. sco_conn_del. This function should clean up resources for the +connection, but the socket itself should be cleaned up in +sco_sock_release. + +3. sco_sock_close. Calls to sco_sock_close in sco_sock_cleanup_listen +and sco_sock_release are followed by sco_sock_kill. Hence the +duplicated call should be removed. + +Fixes: 4e1a720d0312 ("Bluetooth: avoid killing an already killed socket") +Signed-off-by: Desmond Cheong Zhi Xi +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/sco.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c +index 2561e462400e..2fbea653540b 100644 +--- a/net/bluetooth/sco.c ++++ b/net/bluetooth/sco.c +@@ -84,7 +84,6 @@ static void sco_sock_timeout(struct timer_list *t) + sk->sk_state_change(sk); + bh_unlock_sock(sk); + +- sco_sock_kill(sk); + sock_put(sk); + } + +@@ -176,7 +175,6 @@ static void sco_conn_del(struct hci_conn *hcon, int err) + sco_sock_clear_timer(sk); + sco_chan_del(sk, err); + bh_unlock_sock(sk); +- sco_sock_kill(sk); + sock_put(sk); + } + +@@ -393,8 +391,7 @@ static void sco_sock_cleanup_listen(struct sock *parent) + */ + static void sco_sock_kill(struct sock *sk) + { +- if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket || +- sock_flag(sk, SOCK_DEAD)) ++ if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket) + return; + + BT_DBG("sk %p state %d", sk, sk->sk_state); +@@ -446,7 +443,6 @@ static void sco_sock_close(struct sock *sk) + lock_sock(sk); + __sco_sock_close(sk); + release_sock(sk); +- sco_sock_kill(sk); + } + + static void sco_sock_init(struct sock *sk, struct sock *parent) +-- +2.30.2 + diff --git a/queue-4.19/bluetooth-increase-btnamsiz-to-21-chars-to-fix-poten.patch b/queue-4.19/bluetooth-increase-btnamsiz-to-21-chars-to-fix-poten.patch new file mode 100644 index 00000000000..96a00b12ad9 --- /dev/null +++ b/queue-4.19/bluetooth-increase-btnamsiz-to-21-chars-to-fix-poten.patch @@ -0,0 +1,41 @@ +From 9176f4079f225304d69d29233f33069097a352d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Aug 2021 16:09:51 +0100 +Subject: Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer + overflow + +From: Colin Ian King + +[ Upstream commit 713baf3dae8f45dc8ada4ed2f5fdcbf94a5c274d ] + +An earlier commit replaced using batostr to using %pMR sprintf for the +construction of session->name. Static analysis detected that this new +method can use a total of 21 characters (including the trailing '\0') +so we need to increase the BTNAMSIZ from 18 to 21 to fix potential +buffer overflows. + +Addresses-Coverity: ("Out-of-bounds write") +Fixes: fcb73338ed53 ("Bluetooth: Use %pMR in sprintf/seq_printf instead of batostr") +Signed-off-by: Colin Ian King +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/cmtp/cmtp.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/bluetooth/cmtp/cmtp.h b/net/bluetooth/cmtp/cmtp.h +index c32638dddbf9..f6b9dc4e408f 100644 +--- a/net/bluetooth/cmtp/cmtp.h ++++ b/net/bluetooth/cmtp/cmtp.h +@@ -26,7 +26,7 @@ + #include + #include + +-#define BTNAMSIZ 18 ++#define BTNAMSIZ 21 + + /* CMTP ioctl defines */ + #define CMTPCONNADD _IOW('C', 200, int) +-- +2.30.2 + diff --git a/queue-4.19/bluetooth-move-shutdown-callback-before-flushing-tx-.patch b/queue-4.19/bluetooth-move-shutdown-callback-before-flushing-tx-.patch new file mode 100644 index 00000000000..3da4740a2b1 --- /dev/null +++ b/queue-4.19/bluetooth-move-shutdown-callback-before-flushing-tx-.patch @@ -0,0 +1,64 @@ +From 00cd55b58c12c56b520d474c7d726272d63234ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Aug 2021 12:53:15 +0800 +Subject: Bluetooth: Move shutdown callback before flushing tx and rx queue + +From: Kai-Heng Feng + +[ Upstream commit 0ea53674d07fb6db2dd7a7ec2fdc85a12eb246c2 ] + +Commit 0ea9fd001a14 ("Bluetooth: Shutdown controller after workqueues +are flushed or cancelled") introduced a regression that makes mtkbtsdio +driver stops working: +[ 36.593956] Bluetooth: hci0: Firmware already downloaded +[ 46.814613] Bluetooth: hci0: Execution of wmt command timed out +[ 46.814619] Bluetooth: hci0: Failed to send wmt func ctrl (-110) + +The shutdown callback depends on the result of hdev->rx_work, so we +should call it before flushing rx_work: +-> btmtksdio_shutdown() + -> mtk_hci_wmt_sync() + -> __hci_cmd_send() + -> wait for BTMTKSDIO_TX_WAIT_VND_EVT gets cleared + +-> btmtksdio_recv_event() + -> hci_recv_frame() + -> queue_work(hdev->workqueue, &hdev->rx_work) + -> clears BTMTKSDIO_TX_WAIT_VND_EVT + +So move the shutdown callback before flushing TX/RX queue to resolve the +issue. + +Reported-and-tested-by: Mattijs Korpershoek +Tested-by: Hsin-Yi Wang +Cc: Guenter Roeck +Fixes: 0ea9fd001a14 ("Bluetooth: Shutdown controller after workqueues are flushed or cancelled") +Signed-off-by: Kai-Heng Feng +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_core.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index 7a85f215da45..ec6150564f59 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -1622,6 +1622,14 @@ int hci_dev_do_close(struct hci_dev *hdev) + hci_request_cancel_all(hdev); + hci_req_sync_lock(hdev); + ++ if (!hci_dev_test_flag(hdev, HCI_UNREGISTER) && ++ !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) && ++ test_bit(HCI_UP, &hdev->flags)) { ++ /* Execute vendor specific shutdown routine */ ++ if (hdev->shutdown) ++ hdev->shutdown(hdev); ++ } ++ + if (!test_and_clear_bit(HCI_UP, &hdev->flags)) { + cancel_delayed_work_sync(&hdev->cmd_timer); + hci_req_sync_unlock(hdev); +-- +2.30.2 + diff --git a/queue-4.19/bluetooth-sco-prevent-information-leak-in-sco_conn_d.patch b/queue-4.19/bluetooth-sco-prevent-information-leak-in-sco_conn_d.patch new file mode 100644 index 00000000000..a64a303db23 --- /dev/null +++ b/queue-4.19/bluetooth-sco-prevent-information-leak-in-sco_conn_d.patch @@ -0,0 +1,45 @@ +From 1f9518a889f89ec38b00bbfa1f4f7de3f018378d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Jun 2021 18:00:09 +0300 +Subject: Bluetooth: sco: prevent information leak in sco_conn_defer_accept() + +From: Dan Carpenter + +[ Upstream commit 59da0b38bc2ea570ede23a3332ecb3e7574ce6b2 ] + +Smatch complains that some of these struct members are not initialized +leading to a stack information disclosure: + + net/bluetooth/sco.c:778 sco_conn_defer_accept() warn: + check that 'cp.retrans_effort' doesn't leak information + +This seems like a valid warning. I've added a default case to fix +this issue. + +Fixes: 2f69a82acf6f ("Bluetooth: Use voice setting in deferred SCO connection request") +Signed-off-by: Dan Carpenter +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/sco.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c +index a4ca55df7390..2561e462400e 100644 +--- a/net/bluetooth/sco.c ++++ b/net/bluetooth/sco.c +@@ -761,6 +761,11 @@ static void sco_conn_defer_accept(struct hci_conn *conn, u16 setting) + cp.max_latency = cpu_to_le16(0xffff); + cp.retrans_effort = 0xff; + break; ++ default: ++ /* use CVSD settings as fallback */ ++ cp.max_latency = cpu_to_le16(0xffff); ++ cp.retrans_effort = 0xff; ++ break; + } + + hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, +-- +2.30.2 + diff --git a/queue-4.19/certs-trigger-creation-of-rsa-module-signing-key-if-.patch b/queue-4.19/certs-trigger-creation-of-rsa-module-signing-key-if-.patch new file mode 100644 index 00000000000..597f7b1de7a --- /dev/null +++ b/queue-4.19/certs-trigger-creation-of-rsa-module-signing-key-if-.patch @@ -0,0 +1,56 @@ +From 53cca673283879c3627db691a485ef23676720a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Jun 2021 17:34:20 -0400 +Subject: certs: Trigger creation of RSA module signing key if it's not an RSA + key + +From: Stefan Berger + +[ Upstream commit ea35e0d5df6c92fa2e124bb1b91d09b2240715ba ] + +Address a kbuild issue where a developer created an ECDSA key for signing +kernel modules and then builds an older version of the kernel, when bi- +secting the kernel for example, that does not support ECDSA keys. + +If openssl is installed, trigger the creation of an RSA module signing +key if it is not an RSA key. + +Fixes: cfc411e7fff3 ("Move certificate handling to its own directory") +Cc: David Howells +Cc: David Woodhouse +Signed-off-by: Stefan Berger +Reviewed-by: Jarkko Sakkinen +Tested-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Sasha Levin +--- + certs/Makefile | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/certs/Makefile b/certs/Makefile +index 5d0999b9e21b..ca3c71e3a3d9 100644 +--- a/certs/Makefile ++++ b/certs/Makefile +@@ -46,11 +46,19 @@ endif + redirect_openssl = 2>&1 + quiet_redirect_openssl = 2>&1 + silent_redirect_openssl = 2>/dev/null ++openssl_available = $(shell openssl help 2>/dev/null && echo yes) + + # We do it this way rather than having a boolean option for enabling an + # external private key, because 'make randconfig' might enable such a + # boolean option and we unfortunately can't make it depend on !RANDCONFIG. + ifeq ($(CONFIG_MODULE_SIG_KEY),"certs/signing_key.pem") ++ ++ifeq ($(openssl_available),yes) ++X509TEXT=$(shell openssl x509 -in "certs/signing_key.pem" -text 2>/dev/null) ++ ++$(if $(findstring rsaEncryption,$(X509TEXT)),,$(shell rm -f "certs/signing_key.pem")) ++endif ++ + $(obj)/signing_key.pem: $(obj)/x509.genkey + @$(kecho) "###" + @$(kecho) "### Now generating an X.509 key pair to be used for signing modules." +-- +2.30.2 + diff --git a/queue-4.19/cifs-fix-a-potencially-linear-read-overflow.patch b/queue-4.19/cifs-fix-a-potencially-linear-read-overflow.patch new file mode 100644 index 00000000000..d382198b735 --- /dev/null +++ b/queue-4.19/cifs-fix-a-potencially-linear-read-overflow.patch @@ -0,0 +1,53 @@ +From 32c7f284d890d4f004e785477ac2993ced00b56c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Aug 2021 12:27:09 +0200 +Subject: CIFS: Fix a potencially linear read overflow + +From: Len Baker + +[ Upstream commit f980d055a0f858d73d9467bb0b570721bbfcdfb8 ] + +strlcpy() reads the entire source buffer first. This read may exceed the +destination size limit. This is both inefficient and can lead to linear +read overflows if a source string is not NUL-terminated. + +Also, the strnlen() call does not avoid the read overflow in the strlcpy +function when a not NUL-terminated string is passed. + +So, replace this block by a call to kstrndup() that avoids this type of +overflow and does the same. + +Fixes: 066ce6899484d ("cifs: rename cifs_strlcpy_to_host and make it use new functions") +Signed-off-by: Len Baker +Reviewed-by: Paulo Alcantara (SUSE) +Reviewed-by: Jeff Layton +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/cifs_unicode.c | 9 ++------- + 1 file changed, 2 insertions(+), 7 deletions(-) + +diff --git a/fs/cifs/cifs_unicode.c b/fs/cifs/cifs_unicode.c +index 9986817532b1..7932e20555d2 100644 +--- a/fs/cifs/cifs_unicode.c ++++ b/fs/cifs/cifs_unicode.c +@@ -371,14 +371,9 @@ cifs_strndup_from_utf16(const char *src, const int maxlen, + if (!dst) + return NULL; + cifs_from_utf16(dst, (__le16 *) src, len, maxlen, codepage, +- NO_MAP_UNI_RSVD); ++ NO_MAP_UNI_RSVD); + } else { +- len = strnlen(src, maxlen); +- len++; +- dst = kmalloc(len, GFP_KERNEL); +- if (!dst) +- return NULL; +- strlcpy(dst, src, len); ++ dst = kstrndup(src, maxlen, GFP_KERNEL); + } + + return dst; +-- +2.30.2 + diff --git a/queue-4.19/clocksource-drivers-sh_cmt-fix-wrong-setting-if-don-.patch b/queue-4.19/clocksource-drivers-sh_cmt-fix-wrong-setting-if-don-.patch new file mode 100644 index 00000000000..d641ea78e72 --- /dev/null +++ b/queue-4.19/clocksource-drivers-sh_cmt-fix-wrong-setting-if-don-.patch @@ -0,0 +1,102 @@ +From 70e40b2fef7f56ad3c11362e76866a41a901eed3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Apr 2021 14:34:43 +0200 +Subject: clocksource/drivers/sh_cmt: Fix wrong setting if don't request IRQ + for clock source channel +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Phong Hoang + +[ Upstream commit be83c3b6e7b8ff22f72827a613bf6f3aa5afadbb ] + +If CMT instance has at least two channels, one channel will be used +as a clock source and another one used as a clock event device. +In that case, IRQ is not requested for clock source channel so +sh_cmt_clock_event_program_verify() might work incorrectly. +Besides, when a channel is only used for clock source, don't need to +re-set the next match_value since it should be maximum timeout as +it still is. + +On the other hand, due to no IRQ, total_cycles is not counted up +when reaches compare match time (timer counter resets to zero), +so sh_cmt_clocksource_read() returns unexpected value. +Therefore, use 64-bit clocksoure's mask for 32-bit or 16-bit variants +will also lead to wrong delta calculation. Hence, this mask should +correspond to timer counter width, and above function just returns +the raw value of timer counter register. + +Fixes: bfa76bb12f23 ("clocksource: sh_cmt: Request IRQ for clock event device only") +Fixes: 37e7742c55ba ("clocksource/drivers/sh_cmt: Fix clocksource width for 32-bit machines") +Signed-off-by: Phong Hoang +Signed-off-by: Niklas Söderlund +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20210422123443.73334-1-niklas.soderlund+renesas@ragnatech.se +Signed-off-by: Sasha Levin +--- + drivers/clocksource/sh_cmt.c | 30 ++++++++++++++++++------------ + 1 file changed, 18 insertions(+), 12 deletions(-) + +diff --git a/drivers/clocksource/sh_cmt.c b/drivers/clocksource/sh_cmt.c +index cec90a4c79b3..7a6d4c4c0feb 100644 +--- a/drivers/clocksource/sh_cmt.c ++++ b/drivers/clocksource/sh_cmt.c +@@ -576,7 +576,8 @@ static int sh_cmt_start(struct sh_cmt_channel *ch, unsigned long flag) + ch->flags |= flag; + + /* setup timeout if no clockevent */ +- if ((flag == FLAG_CLOCKSOURCE) && (!(ch->flags & FLAG_CLOCKEVENT))) ++ if (ch->cmt->num_channels == 1 && ++ flag == FLAG_CLOCKSOURCE && (!(ch->flags & FLAG_CLOCKEVENT))) + __sh_cmt_set_next(ch, ch->max_match_value); + out: + raw_spin_unlock_irqrestore(&ch->lock, flags); +@@ -612,20 +613,25 @@ static struct sh_cmt_channel *cs_to_sh_cmt(struct clocksource *cs) + static u64 sh_cmt_clocksource_read(struct clocksource *cs) + { + struct sh_cmt_channel *ch = cs_to_sh_cmt(cs); +- unsigned long flags; + u32 has_wrapped; +- u64 value; +- u32 raw; + +- raw_spin_lock_irqsave(&ch->lock, flags); +- value = ch->total_cycles; +- raw = sh_cmt_get_counter(ch, &has_wrapped); ++ if (ch->cmt->num_channels == 1) { ++ unsigned long flags; ++ u64 value; ++ u32 raw; + +- if (unlikely(has_wrapped)) +- raw += ch->match_value + 1; +- raw_spin_unlock_irqrestore(&ch->lock, flags); ++ raw_spin_lock_irqsave(&ch->lock, flags); ++ value = ch->total_cycles; ++ raw = sh_cmt_get_counter(ch, &has_wrapped); ++ ++ if (unlikely(has_wrapped)) ++ raw += ch->match_value + 1; ++ raw_spin_unlock_irqrestore(&ch->lock, flags); ++ ++ return value + raw; ++ } + +- return value + raw; ++ return sh_cmt_get_counter(ch, &has_wrapped); + } + + static int sh_cmt_clocksource_enable(struct clocksource *cs) +@@ -688,7 +694,7 @@ static int sh_cmt_register_clocksource(struct sh_cmt_channel *ch, + cs->disable = sh_cmt_clocksource_disable; + cs->suspend = sh_cmt_clocksource_suspend; + cs->resume = sh_cmt_clocksource_resume; +- cs->mask = CLOCKSOURCE_MASK(sizeof(u64) * 8); ++ cs->mask = CLOCKSOURCE_MASK(ch->cmt->info->width); + cs->flags = CLOCK_SOURCE_IS_CONTINUOUS; + + dev_info(&ch->cmt->pdev->dev, "ch%u: used as clock source\n", +-- +2.30.2 + diff --git a/queue-4.19/crypto-mxs-dcp-check-for-dma-mapping-errors.patch b/queue-4.19/crypto-mxs-dcp-check-for-dma-mapping-errors.patch new file mode 100644 index 00000000000..1c9647aee4c --- /dev/null +++ b/queue-4.19/crypto-mxs-dcp-check-for-dma-mapping-errors.patch @@ -0,0 +1,125 @@ +From e4b33e81113dbe8236bd0cb773a8ab7b9dcef8f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jul 2021 14:56:37 -0400 +Subject: crypto: mxs-dcp - Check for DMA mapping errors + +From: Sean Anderson + +[ Upstream commit df6313d707e575a679ada3313358289af24454c0 ] + +After calling dma_map_single(), we must also call dma_mapping_error(). +This fixes the following warning when compiling with CONFIG_DMA_API_DEBUG: + +[ 311.241478] WARNING: CPU: 0 PID: 428 at kernel/dma/debug.c:1027 check_unmap+0x79c/0x96c +[ 311.249547] DMA-API: mxs-dcp 2280000.crypto: device driver failed to check map error[device address=0x00000000860cb080] [size=32 bytes] [mapped as single] + +Signed-off-by: Sean Anderson +Reviewed-by: Richard Weinberger +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/mxs-dcp.c | 45 +++++++++++++++++++++++++++++++--------- + 1 file changed, 35 insertions(+), 10 deletions(-) + +diff --git a/drivers/crypto/mxs-dcp.c b/drivers/crypto/mxs-dcp.c +index b0c592073a4a..d220e6a3f836 100644 +--- a/drivers/crypto/mxs-dcp.c ++++ b/drivers/crypto/mxs-dcp.c +@@ -167,15 +167,19 @@ static struct dcp *global_sdcp; + + static int mxs_dcp_start_dma(struct dcp_async_ctx *actx) + { ++ int dma_err; + struct dcp *sdcp = global_sdcp; + const int chan = actx->chan; + uint32_t stat; + unsigned long ret; + struct dcp_dma_desc *desc = &sdcp->coh->desc[actx->chan]; +- + dma_addr_t desc_phys = dma_map_single(sdcp->dev, desc, sizeof(*desc), + DMA_TO_DEVICE); + ++ dma_err = dma_mapping_error(sdcp->dev, desc_phys); ++ if (dma_err) ++ return dma_err; ++ + reinit_completion(&sdcp->completion[chan]); + + /* Clear status register. */ +@@ -213,18 +217,29 @@ static int mxs_dcp_start_dma(struct dcp_async_ctx *actx) + static int mxs_dcp_run_aes(struct dcp_async_ctx *actx, + struct ablkcipher_request *req, int init) + { ++ dma_addr_t key_phys, src_phys, dst_phys; + struct dcp *sdcp = global_sdcp; + struct dcp_dma_desc *desc = &sdcp->coh->desc[actx->chan]; + struct dcp_aes_req_ctx *rctx = ablkcipher_request_ctx(req); + int ret; + +- dma_addr_t key_phys = dma_map_single(sdcp->dev, sdcp->coh->aes_key, +- 2 * AES_KEYSIZE_128, +- DMA_TO_DEVICE); +- dma_addr_t src_phys = dma_map_single(sdcp->dev, sdcp->coh->aes_in_buf, +- DCP_BUF_SZ, DMA_TO_DEVICE); +- dma_addr_t dst_phys = dma_map_single(sdcp->dev, sdcp->coh->aes_out_buf, +- DCP_BUF_SZ, DMA_FROM_DEVICE); ++ key_phys = dma_map_single(sdcp->dev, sdcp->coh->aes_key, ++ 2 * AES_KEYSIZE_128, DMA_TO_DEVICE); ++ ret = dma_mapping_error(sdcp->dev, key_phys); ++ if (ret) ++ return ret; ++ ++ src_phys = dma_map_single(sdcp->dev, sdcp->coh->aes_in_buf, ++ DCP_BUF_SZ, DMA_TO_DEVICE); ++ ret = dma_mapping_error(sdcp->dev, src_phys); ++ if (ret) ++ goto err_src; ++ ++ dst_phys = dma_map_single(sdcp->dev, sdcp->coh->aes_out_buf, ++ DCP_BUF_SZ, DMA_FROM_DEVICE); ++ ret = dma_mapping_error(sdcp->dev, dst_phys); ++ if (ret) ++ goto err_dst; + + if (actx->fill % AES_BLOCK_SIZE) { + dev_err(sdcp->dev, "Invalid block size!\n"); +@@ -262,10 +277,12 @@ static int mxs_dcp_run_aes(struct dcp_async_ctx *actx, + ret = mxs_dcp_start_dma(actx); + + aes_done_run: ++ dma_unmap_single(sdcp->dev, dst_phys, DCP_BUF_SZ, DMA_FROM_DEVICE); ++err_dst: ++ dma_unmap_single(sdcp->dev, src_phys, DCP_BUF_SZ, DMA_TO_DEVICE); ++err_src: + dma_unmap_single(sdcp->dev, key_phys, 2 * AES_KEYSIZE_128, + DMA_TO_DEVICE); +- dma_unmap_single(sdcp->dev, src_phys, DCP_BUF_SZ, DMA_TO_DEVICE); +- dma_unmap_single(sdcp->dev, dst_phys, DCP_BUF_SZ, DMA_FROM_DEVICE); + + return ret; + } +@@ -565,6 +582,10 @@ static int mxs_dcp_run_sha(struct ahash_request *req) + dma_addr_t buf_phys = dma_map_single(sdcp->dev, sdcp->coh->sha_in_buf, + DCP_BUF_SZ, DMA_TO_DEVICE); + ++ ret = dma_mapping_error(sdcp->dev, buf_phys); ++ if (ret) ++ return ret; ++ + /* Fill in the DMA descriptor. */ + desc->control0 = MXS_DCP_CONTROL0_DECR_SEMAPHORE | + MXS_DCP_CONTROL0_INTERRUPT | +@@ -597,6 +618,10 @@ static int mxs_dcp_run_sha(struct ahash_request *req) + if (rctx->fini) { + digest_phys = dma_map_single(sdcp->dev, sdcp->coh->sha_out_buf, + DCP_SHA_PAY_SZ, DMA_FROM_DEVICE); ++ ret = dma_mapping_error(sdcp->dev, digest_phys); ++ if (ret) ++ goto done_run; ++ + desc->control0 |= MXS_DCP_CONTROL0_HASH_TERM; + desc->payload = digest_phys; + } +-- +2.30.2 + diff --git a/queue-4.19/crypto-omap-sham-clear-dma-flags-only-after-omap_sha.patch b/queue-4.19/crypto-omap-sham-clear-dma-flags-only-after-omap_sha.patch new file mode 100644 index 00000000000..ba049c8a944 --- /dev/null +++ b/queue-4.19/crypto-omap-sham-clear-dma-flags-only-after-omap_sha.patch @@ -0,0 +1,43 @@ +From 00fb03fdd40e6b6a3b139ac18f0c3b4044ca673b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Jul 2021 13:23:34 +0300 +Subject: crypto: omap-sham - clear dma flags only after + omap_sham_update_dma_stop() + +From: Tony Lindgren + +[ Upstream commit fe28140b3393b0ba1eb95cc109f974a7e58b26fd ] + +We should not clear FLAGS_DMA_ACTIVE before omap_sham_update_dma_stop() is +done calling dma_unmap_sg(). We already clear FLAGS_DMA_ACTIVE at the +end of omap_sham_update_dma_stop(). + +The early clearing of FLAGS_DMA_ACTIVE is not causing issues as we do not +need to defer anything based on FLAGS_DMA_ACTIVE currently. So this can be +applied as clean-up. + +Cc: Lokesh Vutla +Cc: Tero Kristo +Signed-off-by: Tony Lindgren +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/omap-sham.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/omap-sham.c b/drivers/crypto/omap-sham.c +index 4d31ef472436..180f2f61b8fb 100644 +--- a/drivers/crypto/omap-sham.c ++++ b/drivers/crypto/omap-sham.c +@@ -1739,7 +1739,7 @@ static void omap_sham_done_task(unsigned long data) + if (test_and_clear_bit(FLAGS_OUTPUT_READY, &dd->flags)) + goto finish; + } else if (test_bit(FLAGS_DMA_READY, &dd->flags)) { +- if (test_and_clear_bit(FLAGS_DMA_ACTIVE, &dd->flags)) { ++ if (test_bit(FLAGS_DMA_ACTIVE, &dd->flags)) { + omap_sham_update_dma_stop(dd); + if (dd->err) { + err = dd->err; +-- +2.30.2 + diff --git a/queue-4.19/crypto-qat-do-not-export-adf_iov_putmsg.patch b/queue-4.19/crypto-qat-do-not-export-adf_iov_putmsg.patch new file mode 100644 index 00000000000..74ba00e91e4 --- /dev/null +++ b/queue-4.19/crypto-qat-do-not-export-adf_iov_putmsg.patch @@ -0,0 +1,36 @@ +From 79fedf511543d649ccf66319343623b536b4125c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Aug 2021 21:21:28 +0100 +Subject: crypto: qat - do not export adf_iov_putmsg() + +From: Giovanni Cabiddu + +[ Upstream commit 645ae0af1840199086c33e4f841892ebee73f615 ] + +The function adf_iov_putmsg() is only used inside the intel_qat module +therefore should not be exported. +Remove EXPORT_SYMBOL for the function adf_iov_putmsg(). + +Signed-off-by: Giovanni Cabiddu +Reviewed-by: Fiona Trahe +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/qat/qat_common/adf_pf2vf_msg.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c +index 9dab2cc11fdf..c64481160b71 100644 +--- a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c ++++ b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c +@@ -231,7 +231,6 @@ int adf_iov_putmsg(struct adf_accel_dev *accel_dev, u32 msg, u8 vf_nr) + + return ret; + } +-EXPORT_SYMBOL_GPL(adf_iov_putmsg); + + void adf_vf2pf_req_hndl(struct adf_accel_vf_info *vf_info) + { +-- +2.30.2 + diff --git a/queue-4.19/crypto-qat-do-not-ignore-errors-from-enable_vf2pf_co.patch b/queue-4.19/crypto-qat-do-not-ignore-errors-from-enable_vf2pf_co.patch new file mode 100644 index 00000000000..af17dbd8428 --- /dev/null +++ b/queue-4.19/crypto-qat-do-not-ignore-errors-from-enable_vf2pf_co.patch @@ -0,0 +1,51 @@ +From 52a76a7d77dc3b6cf77f9b450e0491adff363a48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Aug 2021 21:21:13 +0100 +Subject: crypto: qat - do not ignore errors from enable_vf2pf_comms() + +From: Giovanni Cabiddu + +[ Upstream commit 5147f0906d50a9d26f2b8698cd06b5680e9867ff ] + +The function adf_dev_init() ignores the error code reported by +enable_vf2pf_comms(). If the latter fails, e.g. the VF is not compatible +with the pf, then the load of the VF driver progresses. +This patch changes adf_dev_init() so that the error code from +enable_vf2pf_comms() is returned to the caller. + +Signed-off-by: Giovanni Cabiddu +Reviewed-by: Marco Chiappero +Reviewed-by: Fiona Trahe +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/qat/qat_common/adf_init.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/qat/qat_common/adf_init.c b/drivers/crypto/qat/qat_common/adf_init.c +index 26556c713049..7a7d43c47534 100644 +--- a/drivers/crypto/qat/qat_common/adf_init.c ++++ b/drivers/crypto/qat/qat_common/adf_init.c +@@ -105,6 +105,7 @@ int adf_dev_init(struct adf_accel_dev *accel_dev) + struct service_hndl *service; + struct list_head *list_itr; + struct adf_hw_device_data *hw_data = accel_dev->hw_device; ++ int ret; + + if (!hw_data) { + dev_err(&GET_DEV(accel_dev), +@@ -171,9 +172,9 @@ int adf_dev_init(struct adf_accel_dev *accel_dev) + } + + hw_data->enable_error_correction(accel_dev); +- hw_data->enable_vf2pf_comms(accel_dev); ++ ret = hw_data->enable_vf2pf_comms(accel_dev); + +- return 0; ++ return ret; + } + EXPORT_SYMBOL_GPL(adf_dev_init); + +-- +2.30.2 + diff --git a/queue-4.19/crypto-qat-fix-naming-for-init-shutdown-vf-to-pf-not.patch b/queue-4.19/crypto-qat-fix-naming-for-init-shutdown-vf-to-pf-not.patch new file mode 100644 index 00000000000..36931f72990 --- /dev/null +++ b/queue-4.19/crypto-qat-fix-naming-for-init-shutdown-vf-to-pf-not.patch @@ -0,0 +1,162 @@ +From f310dc071c0f24454e77e4c599fd7387aeb2068b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Aug 2021 21:21:22 +0100 +Subject: crypto: qat - fix naming for init/shutdown VF to PF notifications + +From: Marco Chiappero + +[ Upstream commit b90c1c4d3fa8cd90f4e8245b13564380fd0bfad1 ] + +At start and shutdown, VFs notify the PF about their state. These +notifications are carried out through a message exchange using the PFVF +protocol. + +Function names lead to believe they do perform init or shutdown logic. +This is to fix the naming to better reflect their purpose. + +Signed-off-by: Marco Chiappero +Co-developed-by: Giovanni Cabiddu +Signed-off-by: Giovanni Cabiddu +Reviewed-by: Fiona Trahe +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/qat/qat_c3xxxvf/adf_c3xxxvf_hw_data.c | 4 ++-- + drivers/crypto/qat/qat_c62xvf/adf_c62xvf_hw_data.c | 4 ++-- + drivers/crypto/qat/qat_common/adf_common_drv.h | 8 ++++---- + drivers/crypto/qat/qat_common/adf_vf2pf_msg.c | 12 ++++++------ + .../qat/qat_dh895xccvf/adf_dh895xccvf_hw_data.c | 4 ++-- + 5 files changed, 16 insertions(+), 16 deletions(-) + +diff --git a/drivers/crypto/qat/qat_c3xxxvf/adf_c3xxxvf_hw_data.c b/drivers/crypto/qat/qat_c3xxxvf/adf_c3xxxvf_hw_data.c +index d2d0ae445fd8..7c7d49a8a403 100644 +--- a/drivers/crypto/qat/qat_c3xxxvf/adf_c3xxxvf_hw_data.c ++++ b/drivers/crypto/qat/qat_c3xxxvf/adf_c3xxxvf_hw_data.c +@@ -123,10 +123,10 @@ void adf_init_hw_data_c3xxxiov(struct adf_hw_device_data *hw_data) + hw_data->enable_error_correction = adf_vf_void_noop; + hw_data->init_admin_comms = adf_vf_int_noop; + hw_data->exit_admin_comms = adf_vf_void_noop; +- hw_data->send_admin_init = adf_vf2pf_init; ++ hw_data->send_admin_init = adf_vf2pf_notify_init; + hw_data->init_arb = adf_vf_int_noop; + hw_data->exit_arb = adf_vf_void_noop; +- hw_data->disable_iov = adf_vf2pf_shutdown; ++ hw_data->disable_iov = adf_vf2pf_notify_shutdown; + hw_data->get_accel_mask = get_accel_mask; + hw_data->get_ae_mask = get_ae_mask; + hw_data->get_num_accels = get_num_accels; +diff --git a/drivers/crypto/qat/qat_c62xvf/adf_c62xvf_hw_data.c b/drivers/crypto/qat/qat_c62xvf/adf_c62xvf_hw_data.c +index 38e4bc04f407..90e8a7564756 100644 +--- a/drivers/crypto/qat/qat_c62xvf/adf_c62xvf_hw_data.c ++++ b/drivers/crypto/qat/qat_c62xvf/adf_c62xvf_hw_data.c +@@ -123,10 +123,10 @@ void adf_init_hw_data_c62xiov(struct adf_hw_device_data *hw_data) + hw_data->enable_error_correction = adf_vf_void_noop; + hw_data->init_admin_comms = adf_vf_int_noop; + hw_data->exit_admin_comms = adf_vf_void_noop; +- hw_data->send_admin_init = adf_vf2pf_init; ++ hw_data->send_admin_init = adf_vf2pf_notify_init; + hw_data->init_arb = adf_vf_int_noop; + hw_data->exit_arb = adf_vf_void_noop; +- hw_data->disable_iov = adf_vf2pf_shutdown; ++ hw_data->disable_iov = adf_vf2pf_notify_shutdown; + hw_data->get_accel_mask = get_accel_mask; + hw_data->get_ae_mask = get_ae_mask; + hw_data->get_num_accels = get_num_accels; +diff --git a/drivers/crypto/qat/qat_common/adf_common_drv.h b/drivers/crypto/qat/qat_common/adf_common_drv.h +index d78f8d5c89c3..289dd7e48d4a 100644 +--- a/drivers/crypto/qat/qat_common/adf_common_drv.h ++++ b/drivers/crypto/qat/qat_common/adf_common_drv.h +@@ -239,8 +239,8 @@ void adf_enable_vf2pf_interrupts(struct adf_accel_dev *accel_dev, + void adf_enable_pf2vf_interrupts(struct adf_accel_dev *accel_dev); + void adf_disable_pf2vf_interrupts(struct adf_accel_dev *accel_dev); + +-int adf_vf2pf_init(struct adf_accel_dev *accel_dev); +-void adf_vf2pf_shutdown(struct adf_accel_dev *accel_dev); ++int adf_vf2pf_notify_init(struct adf_accel_dev *accel_dev); ++void adf_vf2pf_notify_shutdown(struct adf_accel_dev *accel_dev); + int adf_init_pf_wq(void); + void adf_exit_pf_wq(void); + int adf_init_vf_wq(void); +@@ -263,12 +263,12 @@ static inline void adf_disable_pf2vf_interrupts(struct adf_accel_dev *accel_dev) + { + } + +-static inline int adf_vf2pf_init(struct adf_accel_dev *accel_dev) ++static inline int adf_vf2pf_notify_init(struct adf_accel_dev *accel_dev) + { + return 0; + } + +-static inline void adf_vf2pf_shutdown(struct adf_accel_dev *accel_dev) ++static inline void adf_vf2pf_notify_shutdown(struct adf_accel_dev *accel_dev) + { + } + +diff --git a/drivers/crypto/qat/qat_common/adf_vf2pf_msg.c b/drivers/crypto/qat/qat_common/adf_vf2pf_msg.c +index cd5f37dffe8a..1830194567e8 100644 +--- a/drivers/crypto/qat/qat_common/adf_vf2pf_msg.c ++++ b/drivers/crypto/qat/qat_common/adf_vf2pf_msg.c +@@ -49,14 +49,14 @@ + #include "adf_pf2vf_msg.h" + + /** +- * adf_vf2pf_init() - send init msg to PF ++ * adf_vf2pf_notify_init() - send init msg to PF + * @accel_dev: Pointer to acceleration VF device. + * + * Function sends an init messge from the VF to a PF + * + * Return: 0 on success, error code otherwise. + */ +-int adf_vf2pf_init(struct adf_accel_dev *accel_dev) ++int adf_vf2pf_notify_init(struct adf_accel_dev *accel_dev) + { + u32 msg = (ADF_VF2PF_MSGORIGIN_SYSTEM | + (ADF_VF2PF_MSGTYPE_INIT << ADF_VF2PF_MSGTYPE_SHIFT)); +@@ -69,17 +69,17 @@ int adf_vf2pf_init(struct adf_accel_dev *accel_dev) + set_bit(ADF_STATUS_PF_RUNNING, &accel_dev->status); + return 0; + } +-EXPORT_SYMBOL_GPL(adf_vf2pf_init); ++EXPORT_SYMBOL_GPL(adf_vf2pf_notify_init); + + /** +- * adf_vf2pf_shutdown() - send shutdown msg to PF ++ * adf_vf2pf_notify_shutdown() - send shutdown msg to PF + * @accel_dev: Pointer to acceleration VF device. + * + * Function sends a shutdown messge from the VF to a PF + * + * Return: void + */ +-void adf_vf2pf_shutdown(struct adf_accel_dev *accel_dev) ++void adf_vf2pf_notify_shutdown(struct adf_accel_dev *accel_dev) + { + u32 msg = (ADF_VF2PF_MSGORIGIN_SYSTEM | + (ADF_VF2PF_MSGTYPE_SHUTDOWN << ADF_VF2PF_MSGTYPE_SHIFT)); +@@ -89,4 +89,4 @@ void adf_vf2pf_shutdown(struct adf_accel_dev *accel_dev) + dev_err(&GET_DEV(accel_dev), + "Failed to send Shutdown event to PF\n"); + } +-EXPORT_SYMBOL_GPL(adf_vf2pf_shutdown); ++EXPORT_SYMBOL_GPL(adf_vf2pf_notify_shutdown); +diff --git a/drivers/crypto/qat/qat_dh895xccvf/adf_dh895xccvf_hw_data.c b/drivers/crypto/qat/qat_dh895xccvf/adf_dh895xccvf_hw_data.c +index a3b4dd8099a7..3a8361c83f0b 100644 +--- a/drivers/crypto/qat/qat_dh895xccvf/adf_dh895xccvf_hw_data.c ++++ b/drivers/crypto/qat/qat_dh895xccvf/adf_dh895xccvf_hw_data.c +@@ -123,10 +123,10 @@ void adf_init_hw_data_dh895xcciov(struct adf_hw_device_data *hw_data) + hw_data->enable_error_correction = adf_vf_void_noop; + hw_data->init_admin_comms = adf_vf_int_noop; + hw_data->exit_admin_comms = adf_vf_void_noop; +- hw_data->send_admin_init = adf_vf2pf_init; ++ hw_data->send_admin_init = adf_vf2pf_notify_init; + hw_data->init_arb = adf_vf_int_noop; + hw_data->exit_arb = adf_vf_void_noop; +- hw_data->disable_iov = adf_vf2pf_shutdown; ++ hw_data->disable_iov = adf_vf2pf_notify_shutdown; + hw_data->get_accel_mask = get_accel_mask; + hw_data->get_ae_mask = get_ae_mask; + hw_data->get_num_accels = get_num_accels; +-- +2.30.2 + diff --git a/queue-4.19/crypto-qat-fix-reuse-of-completion-variable.patch b/queue-4.19/crypto-qat-fix-reuse-of-completion-variable.patch new file mode 100644 index 00000000000..94b0edd1b91 --- /dev/null +++ b/queue-4.19/crypto-qat-fix-reuse-of-completion-variable.patch @@ -0,0 +1,39 @@ +From 6814aab7d19a9e0d77f0b725084ae1743021b4a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Aug 2021 21:21:19 +0100 +Subject: crypto: qat - fix reuse of completion variable + +From: Marco Chiappero + +[ Upstream commit 3d655732b0199562267a05c7ff69ecdd11632939 ] + +Use reinit_completion() to set to a clean state a completion variable, +used to coordinate the VF to PF request-response flow, before every +new VF request. + +Signed-off-by: Marco Chiappero +Co-developed-by: Giovanni Cabiddu +Signed-off-by: Giovanni Cabiddu +Reviewed-by: Fiona Trahe +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/qat/qat_common/adf_pf2vf_msg.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c +index b3875fdf6cd7..9dab2cc11fdf 100644 +--- a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c ++++ b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c +@@ -361,6 +361,8 @@ static int adf_vf2pf_request_version(struct adf_accel_dev *accel_dev) + msg |= ADF_PFVF_COMPATIBILITY_VERSION << ADF_VF2PF_COMPAT_VER_REQ_SHIFT; + BUILD_BUG_ON(ADF_PFVF_COMPATIBILITY_VERSION > 255); + ++ reinit_completion(&accel_dev->vf.iov_msg_completion); ++ + /* Send request from VF to PF */ + ret = adf_iov_putmsg(accel_dev, msg, 0); + if (ret) { +-- +2.30.2 + diff --git a/queue-4.19/crypto-qat-handle-both-source-of-interrupt-in-vf-isr.patch b/queue-4.19/crypto-qat-handle-both-source-of-interrupt-in-vf-isr.patch new file mode 100644 index 00000000000..acd23b3515e --- /dev/null +++ b/queue-4.19/crypto-qat-handle-both-source-of-interrupt-in-vf-isr.patch @@ -0,0 +1,63 @@ +From abc605de0e8a3b500faa676e5f523b2421a4fc26 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Aug 2021 21:21:14 +0100 +Subject: crypto: qat - handle both source of interrupt in VF ISR + +From: Giovanni Cabiddu + +[ Upstream commit 0a73c762e1eee33a5e5dc0e3488f1b7cd17249b3 ] + +The top half of the VF drivers handled only a source at the time. +If an interrupt for PF2VF and bundle occurred at the same time, the ISR +scheduled only the bottom half for PF2VF. +This patch fixes the VF top half so that if both sources of interrupt +trigger at the same time, both bottom halves are scheduled. + +This patch is based on earlier work done by Conor McLoughlin. + +Signed-off-by: Giovanni Cabiddu +Reviewed-by: Marco Chiappero +Reviewed-by: Fiona Trahe +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/qat/qat_common/adf_vf_isr.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/crypto/qat/qat_common/adf_vf_isr.c b/drivers/crypto/qat/qat_common/adf_vf_isr.c +index df9a1f35b832..ef90902c8200 100644 +--- a/drivers/crypto/qat/qat_common/adf_vf_isr.c ++++ b/drivers/crypto/qat/qat_common/adf_vf_isr.c +@@ -203,6 +203,7 @@ static irqreturn_t adf_isr(int irq, void *privdata) + struct adf_bar *pmisc = + &GET_BARS(accel_dev)[hw_data->get_misc_bar_id(hw_data)]; + void __iomem *pmisc_bar_addr = pmisc->virt_addr; ++ bool handled = false; + u32 v_int; + + /* Read VF INT source CSR to determine the source of VF interrupt */ +@@ -215,7 +216,7 @@ static irqreturn_t adf_isr(int irq, void *privdata) + + /* Schedule tasklet to handle interrupt BH */ + tasklet_hi_schedule(&accel_dev->vf.pf2vf_bh_tasklet); +- return IRQ_HANDLED; ++ handled = true; + } + + /* Check bundle interrupt */ +@@ -227,10 +228,10 @@ static irqreturn_t adf_isr(int irq, void *privdata) + WRITE_CSR_INT_FLAG_AND_COL(bank->csr_addr, bank->bank_number, + 0); + tasklet_hi_schedule(&bank->resp_handler); +- return IRQ_HANDLED; ++ handled = true; + } + +- return IRQ_NONE; ++ return handled ? IRQ_HANDLED : IRQ_NONE; + } + + static int adf_request_msi_irq(struct adf_accel_dev *accel_dev) +-- +2.30.2 + diff --git a/queue-4.19/crypto-qat-use-proper-type-for-vf_mask.patch b/queue-4.19/crypto-qat-use-proper-type-for-vf_mask.patch new file mode 100644 index 00000000000..067271df7e1 --- /dev/null +++ b/queue-4.19/crypto-qat-use-proper-type-for-vf_mask.patch @@ -0,0 +1,72 @@ +From 8808b9b2958f685d86a043472f3b00665ff2e924 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Aug 2021 21:21:10 +0100 +Subject: crypto: qat - use proper type for vf_mask + +From: Giovanni Cabiddu + +[ Upstream commit 462354d986b6a89c6449b85f17aaacf44e455216 ] + +Replace vf_mask type with unsigned long to avoid a stack-out-of-bound. + +This is to fix the following warning reported by KASAN the first time +adf_msix_isr_ae() gets called. + + [ 692.091987] BUG: KASAN: stack-out-of-bounds in find_first_bit+0x28/0x50 + [ 692.092017] Read of size 8 at addr ffff88afdf789e60 by task swapper/32/0 + [ 692.092076] Call Trace: + [ 692.092089] + [ 692.092101] dump_stack+0x9c/0xcf + [ 692.092132] print_address_description.constprop.0+0x18/0x130 + [ 692.092164] ? find_first_bit+0x28/0x50 + [ 692.092185] kasan_report.cold+0x7f/0x111 + [ 692.092213] ? static_obj+0x10/0x80 + [ 692.092234] ? find_first_bit+0x28/0x50 + [ 692.092262] find_first_bit+0x28/0x50 + [ 692.092288] adf_msix_isr_ae+0x16e/0x230 [intel_qat] + +Fixes: ed8ccaef52fa ("crypto: qat - Add support for SRIOV") +Signed-off-by: Giovanni Cabiddu +Reviewed-by: Marco Chiappero +Reviewed-by: Fiona Trahe +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/qat/qat_common/adf_isr.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/crypto/qat/qat_common/adf_isr.c b/drivers/crypto/qat/qat_common/adf_isr.c +index 4898ef41fd9f..7d319c5c071c 100644 +--- a/drivers/crypto/qat/qat_common/adf_isr.c ++++ b/drivers/crypto/qat/qat_common/adf_isr.c +@@ -59,6 +59,8 @@ + #include "adf_transport_access_macros.h" + #include "adf_transport_internal.h" + ++#define ADF_MAX_NUM_VFS 32 ++ + static int adf_enable_msix(struct adf_accel_dev *accel_dev) + { + struct adf_accel_pci *pci_dev_info = &accel_dev->accel_pci_dev; +@@ -111,7 +113,7 @@ static irqreturn_t adf_msix_isr_ae(int irq, void *dev_ptr) + struct adf_bar *pmisc = + &GET_BARS(accel_dev)[hw_data->get_misc_bar_id(hw_data)]; + void __iomem *pmisc_bar_addr = pmisc->virt_addr; +- u32 vf_mask; ++ unsigned long vf_mask; + + /* Get the interrupt sources triggered by VFs */ + vf_mask = ((ADF_CSR_RD(pmisc_bar_addr, ADF_ERRSOU5) & +@@ -132,8 +134,7 @@ static irqreturn_t adf_msix_isr_ae(int irq, void *dev_ptr) + * unless the VF is malicious and is attempting to + * flood the host OS with VF2PF interrupts. + */ +- for_each_set_bit(i, (const unsigned long *)&vf_mask, +- (sizeof(vf_mask) * BITS_PER_BYTE)) { ++ for_each_set_bit(i, &vf_mask, ADF_MAX_NUM_VFS) { + vf_info = accel_dev->pf.vf_info + i; + + if (!__ratelimit(&vf_info->vf2pf_ratelimit)) { +-- +2.30.2 + diff --git a/queue-4.19/drm-msm-dpu-make-dpu_hw_ctl_clear_all_blendstages-cl.patch b/queue-4.19/drm-msm-dpu-make-dpu_hw_ctl_clear_all_blendstages-cl.patch new file mode 100644 index 00000000000..d2061dfb0b8 --- /dev/null +++ b/queue-4.19/drm-msm-dpu-make-dpu_hw_ctl_clear_all_blendstages-cl.patch @@ -0,0 +1,48 @@ +From 3428a0cee903a65aef9ebb804ae0d4a3edd63770 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jul 2021 02:05:19 +0300 +Subject: drm/msm/dpu: make dpu_hw_ctl_clear_all_blendstages clear necessary + LMs + +From: Dmitry Baryshkov + +[ Upstream commit a41cdb693595ae1904dd793fc15d6954f4295e27 ] + +dpu_hw_ctl_clear_all_blendstages() clears settings for the few first LMs +instead of mixers actually used for the CTL. Change it to clear +necessary data, using provided mixer ids. + +Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support") +Signed-off-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20210704230519.4081467-1-dmitry.baryshkov@linaro.org +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_hw_ctl.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_ctl.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_ctl.c +index 79bafea66354..a40ea5c68572 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_ctl.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_ctl.c +@@ -296,10 +296,12 @@ static void dpu_hw_ctl_clear_all_blendstages(struct dpu_hw_ctl *ctx) + int i; + + for (i = 0; i < ctx->mixer_count; i++) { +- DPU_REG_WRITE(c, CTL_LAYER(LM_0 + i), 0); +- DPU_REG_WRITE(c, CTL_LAYER_EXT(LM_0 + i), 0); +- DPU_REG_WRITE(c, CTL_LAYER_EXT2(LM_0 + i), 0); +- DPU_REG_WRITE(c, CTL_LAYER_EXT3(LM_0 + i), 0); ++ enum dpu_lm mixer_id = ctx->mixer_hw_caps[i].id; ++ ++ DPU_REG_WRITE(c, CTL_LAYER(mixer_id), 0); ++ DPU_REG_WRITE(c, CTL_LAYER_EXT(mixer_id), 0); ++ DPU_REG_WRITE(c, CTL_LAYER_EXT2(mixer_id), 0); ++ DPU_REG_WRITE(c, CTL_LAYER_EXT3(mixer_id), 0); + } + } + +-- +2.30.2 + diff --git a/queue-4.19/drm-msm-dsi-fix-some-reference-counted-resource-leak.patch b/queue-4.19/drm-msm-dsi-fix-some-reference-counted-resource-leak.patch new file mode 100644 index 00000000000..61f9c24ca2e --- /dev/null +++ b/queue-4.19/drm-msm-dsi-fix-some-reference-counted-resource-leak.patch @@ -0,0 +1,62 @@ +From 5e342f1d84675238c71a0ecf871151e5a305cf0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Aug 2021 11:15:13 +0200 +Subject: drm/msm/dsi: Fix some reference counted resource leaks + +From: Christophe JAILLET + +[ Upstream commit 6977cc89c87506ff17e6c05f0e37f46752256e82 ] + +'of_find_device_by_node()' takes a reference that must be released when +not needed anymore. +This is expected to be done in 'dsi_destroy()'. + +However, there are 2 issues in 'dsi_get_phy()'. + +First, if 'of_find_device_by_node()' succeeds but 'platform_get_drvdata()' +returns NULL, 'msm_dsi->phy_dev' will still be NULL, and the reference +won't be released in 'dsi_destroy()'. + +Secondly, as 'of_find_device_by_node()' already takes a reference, there is +no need for an additional 'get_device()'. + +Move the assignment to 'msm_dsi->phy_dev' a few lines above and remove the +unneeded 'get_device()' to solve both issues. + +Fixes: ec31abf6684e ("drm/msm/dsi: Separate PHY to another platform device") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/f15bc57648a00e7c99f943903468a04639d50596.1628241097.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/dsi.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/msm/dsi/dsi.c b/drivers/gpu/drm/msm/dsi/dsi.c +index ff8164cc6738..822cef472a7e 100644 +--- a/drivers/gpu/drm/msm/dsi/dsi.c ++++ b/drivers/gpu/drm/msm/dsi/dsi.c +@@ -34,8 +34,10 @@ static int dsi_get_phy(struct msm_dsi *msm_dsi) + } + + phy_pdev = of_find_device_by_node(phy_node); +- if (phy_pdev) ++ if (phy_pdev) { + msm_dsi->phy = platform_get_drvdata(phy_pdev); ++ msm_dsi->phy_dev = &phy_pdev->dev; ++ } + + of_node_put(phy_node); + +@@ -44,8 +46,6 @@ static int dsi_get_phy(struct msm_dsi *msm_dsi) + return -EPROBE_DEFER; + } + +- msm_dsi->phy_dev = get_device(&phy_pdev->dev); +- + return 0; + } + +-- +2.30.2 + diff --git a/queue-4.19/fcntl-fix-potential-deadlock-for-fasync_struct.fa_lo.patch b/queue-4.19/fcntl-fix-potential-deadlock-for-fasync_struct.fa_lo.patch new file mode 100644 index 00000000000..4e59d907705 --- /dev/null +++ b/queue-4.19/fcntl-fix-potential-deadlock-for-fasync_struct.fa_lo.patch @@ -0,0 +1,78 @@ +From c0b4931543e8af387b63234e25345464b5864413 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jul 2021 17:18:31 +0800 +Subject: fcntl: fix potential deadlock for &fasync_struct.fa_lock + +From: Desmond Cheong Zhi Xi + +[ Upstream commit 2f488f698fda820f8e6fa0407630154eceb145d6 ] + +There is an existing lock hierarchy of +&dev->event_lock --> &fasync_struct.fa_lock --> &f->f_owner.lock +from the following call chain: + + input_inject_event(): + spin_lock_irqsave(&dev->event_lock,...); + input_handle_event(): + input_pass_values(): + input_to_handler(): + evdev_events(): + evdev_pass_values(): + spin_lock(&client->buffer_lock); + __pass_event(): + kill_fasync(): + kill_fasync_rcu(): + read_lock(&fa->fa_lock); + send_sigio(): + read_lock_irqsave(&fown->lock,...); + +&dev->event_lock is HARDIRQ-safe, so interrupts have to be disabled +while grabbing &fasync_struct.fa_lock, otherwise we invert the lock +hierarchy. However, since kill_fasync which calls kill_fasync_rcu is +an exported symbol, it may not necessarily be called with interrupts +disabled. + +As kill_fasync_rcu may be called with interrupts disabled (for +example, in the call chain above), we replace calls to +read_lock/read_unlock on &fasync_struct.fa_lock in kill_fasync_rcu +with read_lock_irqsave/read_unlock_irqrestore. + +Signed-off-by: Desmond Cheong Zhi Xi +Signed-off-by: Jeff Layton +Signed-off-by: Sasha Levin +--- + fs/fcntl.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/fs/fcntl.c b/fs/fcntl.c +index e039af1872ab..dffb5245ae72 100644 +--- a/fs/fcntl.c ++++ b/fs/fcntl.c +@@ -993,13 +993,14 @@ static void kill_fasync_rcu(struct fasync_struct *fa, int sig, int band) + { + while (fa) { + struct fown_struct *fown; ++ unsigned long flags; + + if (fa->magic != FASYNC_MAGIC) { + printk(KERN_ERR "kill_fasync: bad magic number in " + "fasync_struct!\n"); + return; + } +- read_lock(&fa->fa_lock); ++ read_lock_irqsave(&fa->fa_lock, flags); + if (fa->fa_file) { + fown = &fa->fa_file->f_owner; + /* Don't send SIGURG to processes which have not set a +@@ -1008,7 +1009,7 @@ static void kill_fasync_rcu(struct fasync_struct *fa, int sig, int band) + if (!(sig == SIGURG && fown->signum == 0)) + send_sigio(fown, fa->fa_fd, band); + } +- read_unlock(&fa->fa_lock); ++ read_unlock_irqrestore(&fa->fa_lock, flags); + fa = rcu_dereference(fa->fa_next); + } + } +-- +2.30.2 + diff --git a/queue-4.19/hrtimer-avoid-double-reprogramming-in-__hrtimer_star.patch b/queue-4.19/hrtimer-avoid-double-reprogramming-in-__hrtimer_star.patch new file mode 100644 index 00000000000..cb0736b0ce3 --- /dev/null +++ b/queue-4.19/hrtimer-avoid-double-reprogramming-in-__hrtimer_star.patch @@ -0,0 +1,139 @@ +From 00d8058dd2d52d3022bc30be68168d556a1be45c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jul 2021 15:39:46 +0200 +Subject: hrtimer: Avoid double reprogramming in __hrtimer_start_range_ns() + +From: Thomas Gleixner + +[ Upstream commit 627ef5ae2df8eeccb20d5af0e4cfa4df9e61ed28 ] + +If __hrtimer_start_range_ns() is invoked with an already armed hrtimer then +the timer has to be canceled first and then added back. If the timer is the +first expiring timer then on removal the clockevent device is reprogrammed +to the next expiring timer to avoid that the pending expiry fires needlessly. + +If the new expiry time ends up to be the first expiry again then the clock +event device has to reprogrammed again. + +Avoid this by checking whether the timer is the first to expire and in that +case, keep the timer on the current CPU and delay the reprogramming up to +the point where the timer has been enqueued again. + +Reported-by: Lorenzo Colitti +Signed-off-by: Thomas Gleixner +Link: https://lore.kernel.org/r/20210713135157.873137732@linutronix.de +Signed-off-by: Sasha Levin +--- + kernel/time/hrtimer.c | 60 ++++++++++++++++++++++++++++++++++++++----- + 1 file changed, 53 insertions(+), 7 deletions(-) + +diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c +index 0e04b24cec81..32ee24f5142a 100644 +--- a/kernel/time/hrtimer.c ++++ b/kernel/time/hrtimer.c +@@ -1020,12 +1020,13 @@ static void __remove_hrtimer(struct hrtimer *timer, + * remove hrtimer, called with base lock held + */ + static inline int +-remove_hrtimer(struct hrtimer *timer, struct hrtimer_clock_base *base, bool restart) ++remove_hrtimer(struct hrtimer *timer, struct hrtimer_clock_base *base, ++ bool restart, bool keep_local) + { + u8 state = timer->state; + + if (state & HRTIMER_STATE_ENQUEUED) { +- int reprogram; ++ bool reprogram; + + /* + * Remove the timer and force reprogramming when high +@@ -1038,8 +1039,16 @@ remove_hrtimer(struct hrtimer *timer, struct hrtimer_clock_base *base, bool rest + debug_deactivate(timer); + reprogram = base->cpu_base == this_cpu_ptr(&hrtimer_bases); + ++ /* ++ * If the timer is not restarted then reprogramming is ++ * required if the timer is local. If it is local and about ++ * to be restarted, avoid programming it twice (on removal ++ * and a moment later when it's requeued). ++ */ + if (!restart) + state = HRTIMER_STATE_INACTIVE; ++ else ++ reprogram &= !keep_local; + + __remove_hrtimer(timer, base, state, reprogram); + return 1; +@@ -1093,9 +1102,31 @@ static int __hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim, + struct hrtimer_clock_base *base) + { + struct hrtimer_clock_base *new_base; ++ bool force_local, first; + +- /* Remove an active timer from the queue: */ +- remove_hrtimer(timer, base, true); ++ /* ++ * If the timer is on the local cpu base and is the first expiring ++ * timer then this might end up reprogramming the hardware twice ++ * (on removal and on enqueue). To avoid that by prevent the ++ * reprogram on removal, keep the timer local to the current CPU ++ * and enforce reprogramming after it is queued no matter whether ++ * it is the new first expiring timer again or not. ++ */ ++ force_local = base->cpu_base == this_cpu_ptr(&hrtimer_bases); ++ force_local &= base->cpu_base->next_timer == timer; ++ ++ /* ++ * Remove an active timer from the queue. In case it is not queued ++ * on the current CPU, make sure that remove_hrtimer() updates the ++ * remote data correctly. ++ * ++ * If it's on the current CPU and the first expiring timer, then ++ * skip reprogramming, keep the timer local and enforce ++ * reprogramming later if it was the first expiring timer. This ++ * avoids programming the underlying clock event twice (once at ++ * removal and once after enqueue). ++ */ ++ remove_hrtimer(timer, base, true, force_local); + + if (mode & HRTIMER_MODE_REL) + tim = ktime_add_safe(tim, base->get_time()); +@@ -1105,9 +1136,24 @@ static int __hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim, + hrtimer_set_expires_range_ns(timer, tim, delta_ns); + + /* Switch the timer base, if necessary: */ +- new_base = switch_hrtimer_base(timer, base, mode & HRTIMER_MODE_PINNED); ++ if (!force_local) { ++ new_base = switch_hrtimer_base(timer, base, ++ mode & HRTIMER_MODE_PINNED); ++ } else { ++ new_base = base; ++ } ++ ++ first = enqueue_hrtimer(timer, new_base, mode); ++ if (!force_local) ++ return first; + +- return enqueue_hrtimer(timer, new_base, mode); ++ /* ++ * Timer was forced to stay on the current CPU to avoid ++ * reprogramming on removal and enqueue. Force reprogram the ++ * hardware by evaluating the new first expiring timer. ++ */ ++ hrtimer_force_reprogram(new_base->cpu_base, 1); ++ return 0; + } + + /** +@@ -1168,7 +1214,7 @@ int hrtimer_try_to_cancel(struct hrtimer *timer) + base = lock_hrtimer_base(timer, &flags); + + if (!hrtimer_callback_running(timer)) +- ret = remove_hrtimer(timer, base, false); ++ ret = remove_hrtimer(timer, base, false, false); + + unlock_hrtimer_base(timer, &flags); + +-- +2.30.2 + diff --git a/queue-4.19/i2c-highlander-add-irq-check.patch b/queue-4.19/i2c-highlander-add-irq-check.patch new file mode 100644 index 00000000000..4983db7693d --- /dev/null +++ b/queue-4.19/i2c-highlander-add-irq-check.patch @@ -0,0 +1,39 @@ +From 1a8577195a51f674771244515d71244a0144c573 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 30 May 2021 22:13:45 +0300 +Subject: i2c: highlander: add IRQ check + +From: Sergey Shtylyov + +[ Upstream commit f16a3bb69aa6baabf8f0aca982c8cf21e2a4f6bc ] + +The driver is written as if platform_get_irq() returns 0 on errors (while +actually it returns a negative error code), blithely passing these error +codes to request_irq() (which takes *unsigned* IRQ #) -- which fails with +-EINVAL. Add the necessary error check to the pre-existing *if* statement +forcing the driver into the polling mode... + +Fixes: 4ad48e6ab18c ("i2c: Renesas Highlander FPGA SMBus support") +Signed-off-by: Sergey Shtylyov +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-highlander.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-highlander.c b/drivers/i2c/busses/i2c-highlander.c +index ff340d7ae2e5..6a880c262380 100644 +--- a/drivers/i2c/busses/i2c-highlander.c ++++ b/drivers/i2c/busses/i2c-highlander.c +@@ -379,7 +379,7 @@ static int highlander_i2c_probe(struct platform_device *pdev) + platform_set_drvdata(pdev, dev); + + dev->irq = platform_get_irq(pdev, 0); +- if (iic_force_poll) ++ if (dev->irq < 0 || iic_force_poll) + dev->irq = 0; + + if (dev->irq) { +-- +2.30.2 + diff --git a/queue-4.19/i2c-iop3xx-fix-deferred-probing.patch b/queue-4.19/i2c-iop3xx-fix-deferred-probing.patch new file mode 100644 index 00000000000..0ddd6e63aac --- /dev/null +++ b/queue-4.19/i2c-iop3xx-fix-deferred-probing.patch @@ -0,0 +1,53 @@ +From 811bf1c737948c0ae5aceefb59256599f12b5299 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Aug 2021 23:35:09 +0300 +Subject: i2c: iop3xx: fix deferred probing + +From: Sergey Shtylyov + +[ Upstream commit a1299505162ad00def3573260c2c68b9c8e8d697 ] + +When adding the code to handle platform_get_irq*() errors in the commit +489447380a29 ("handle errors returned by platform_get_irq*()"), the +actual error code was enforced to be -ENXIO in the driver for some +strange reason. This didn't matter much until the deferred probing was +introduced -- which requires an actual error code to be propagated +upstream from the failure site. + +While fixing this, also stop overriding the errors from request_irq() to +-EIO (done since the pre-git era). + +Fixes: 489447380a29 ("[PATCH] handle errors returned by platform_get_irq*()") +Signed-off-by: Sergey Shtylyov +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-iop3xx.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-iop3xx.c b/drivers/i2c/busses/i2c-iop3xx.c +index 85cbe4b55578..d4fe7ccccb22 100644 +--- a/drivers/i2c/busses/i2c-iop3xx.c ++++ b/drivers/i2c/busses/i2c-iop3xx.c +@@ -456,16 +456,14 @@ iop3xx_i2c_probe(struct platform_device *pdev) + + irq = platform_get_irq(pdev, 0); + if (irq < 0) { +- ret = -ENXIO; ++ ret = irq; + goto unmap; + } + ret = request_irq(irq, iop3xx_i2c_irq_handler, 0, + pdev->name, adapter_data); + +- if (ret) { +- ret = -EIO; ++ if (ret) + goto unmap; +- } + + memcpy(new_adapter->name, pdev->name, strlen(pdev->name)); + new_adapter->owner = THIS_MODULE; +-- +2.30.2 + diff --git a/queue-4.19/i2c-mt65xx-fix-irq-check.patch b/queue-4.19/i2c-mt65xx-fix-irq-check.patch new file mode 100644 index 00000000000..5e4c848db8a --- /dev/null +++ b/queue-4.19/i2c-mt65xx-fix-irq-check.patch @@ -0,0 +1,38 @@ +From c7ae2b61efc4b5bbbfd5f50007cf25d8b5be1880 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Jul 2021 17:38:45 +0300 +Subject: i2c: mt65xx: fix IRQ check + +From: Sergey Shtylyov + +[ Upstream commit 58fb7c643d346e2364404554f531cfa6a1a3917c ] + +Iff platform_get_irq() returns 0, the driver's probe() method will return 0 +early (as if the method's call was successful). Let's consider IRQ0 valid +for simplicity -- devm_request_irq() can always override that decision... + +Fixes: ce38815d39ea ("I2C: mediatek: Add driver for MediaTek I2C controller") +Signed-off-by: Sergey Shtylyov +Reviewed-by: Qii Wang +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-mt65xx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-mt65xx.c b/drivers/i2c/busses/i2c-mt65xx.c +index 2bb4d20ead32..e09b065a6aff 100644 +--- a/drivers/i2c/busses/i2c-mt65xx.c ++++ b/drivers/i2c/busses/i2c-mt65xx.c +@@ -804,7 +804,7 @@ static int mtk_i2c_probe(struct platform_device *pdev) + return PTR_ERR(i2c->pdmabase); + + irq = platform_get_irq(pdev, 0); +- if (irq <= 0) ++ if (irq < 0) + return irq; + + init_completion(&i2c->msg_complete); +-- +2.30.2 + diff --git a/queue-4.19/i2c-s3c2410-fix-irq-check.patch b/queue-4.19/i2c-s3c2410-fix-irq-check.patch new file mode 100644 index 00000000000..9d2af40e3f0 --- /dev/null +++ b/queue-4.19/i2c-s3c2410-fix-irq-check.patch @@ -0,0 +1,38 @@ +From fa559266a431614bf9e7ae0cb180dccb79abbd1c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Jul 2021 17:45:25 +0300 +Subject: i2c: s3c2410: fix IRQ check + +From: Sergey Shtylyov + +[ Upstream commit d6840a5e370b7ea4fde16ce2caf431bcc87f9a75 ] + +Iff platform_get_irq() returns 0, the driver's probe() method will return 0 +early (as if the method's call was successful). Let's consider IRQ0 valid +for simplicity -- devm_request_irq() can always override that decision... + +Fixes: e0d1ec97853f ("i2c-s3c2410: Change IRQ to be plain integer.") +Signed-off-by: Sergey Shtylyov +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-s3c2410.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-s3c2410.c b/drivers/i2c/busses/i2c-s3c2410.c +index d3603e261a84..4c6036920388 100644 +--- a/drivers/i2c/busses/i2c-s3c2410.c ++++ b/drivers/i2c/busses/i2c-s3c2410.c +@@ -1179,7 +1179,7 @@ static int s3c24xx_i2c_probe(struct platform_device *pdev) + */ + if (!(i2c->quirks & QUIRK_POLL)) { + i2c->irq = ret = platform_get_irq(pdev, 0); +- if (ret <= 0) { ++ if (ret < 0) { + dev_err(&pdev->dev, "cannot find IRQ\n"); + clk_unprepare(i2c->clk); + return ret; +-- +2.30.2 + diff --git a/queue-4.19/ipv4-fix-endianness-issue-in-inet_rtm_getroute_build.patch b/queue-4.19/ipv4-fix-endianness-issue-in-inet_rtm_getroute_build.patch new file mode 100644 index 00000000000..78c5a977069 --- /dev/null +++ b/queue-4.19/ipv4-fix-endianness-issue-in-inet_rtm_getroute_build.patch @@ -0,0 +1,43 @@ +From 717e9cbe1a5f8efc1a3e48949bafe9216a0d87bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Aug 2021 19:02:10 -0700 +Subject: ipv4: fix endianness issue in inet_rtm_getroute_build_skb() + +From: Eric Dumazet + +[ Upstream commit 92548b0ee220e000d81c27ac9a80e0ede895a881 ] + +The UDP length field should be in network order. +This removes the following sparse error: + +net/ipv4/route.c:3173:27: warning: incorrect type in assignment (different base types) +net/ipv4/route.c:3173:27: expected restricted __be16 [usertype] len +net/ipv4/route.c:3173:27: got unsigned long + +Fixes: 404eb77ea766 ("ipv4: support sport, dport and ip_proto in RTM_GETROUTE") +Signed-off-by: Eric Dumazet +Cc: Roopa Prabhu +Cc: David Ahern +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/route.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index d72bffab6ffc..730a15fc497c 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -2815,7 +2815,7 @@ static struct sk_buff *inet_rtm_getroute_build_skb(__be32 src, __be32 dst, + udph = skb_put_zero(skb, sizeof(struct udphdr)); + udph->source = sport; + udph->dest = dport; +- udph->len = sizeof(struct udphdr); ++ udph->len = htons(sizeof(struct udphdr)); + udph->check = 0; + break; + } +-- +2.30.2 + diff --git a/queue-4.19/ipv4-make-exception-cache-less-predictible.patch b/queue-4.19/ipv4-make-exception-cache-less-predictible.patch new file mode 100644 index 00000000000..ccd4263bd91 --- /dev/null +++ b/queue-4.19/ipv4-make-exception-cache-less-predictible.patch @@ -0,0 +1,127 @@ +From 72463df94e4cc23919066af0fb4bab9bfaa63862 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Aug 2021 15:16:15 -0700 +Subject: ipv4: make exception cache less predictible + +From: Eric Dumazet + +[ Upstream commit 67d6d681e15b578c1725bad8ad079e05d1c48a8e ] + +Even after commit 6457378fe796 ("ipv4: use siphash instead of Jenkins in +fnhe_hashfun()"), an attacker can still use brute force to learn +some secrets from a victim linux host. + +One way to defeat these attacks is to make the max depth of the hash +table bucket a random value. + +Before this patch, each bucket of the hash table used to store exceptions +could contain 6 items under attack. + +After the patch, each bucket would contains a random number of items, +between 6 and 10. The attacker can no longer infer secrets. + +This is slightly increasing memory size used by the hash table, +by 50% in average, we do not expect this to be a problem. + +This patch is more complex than the prior one (IPv6 equivalent), +because IPv4 was reusing the oldest entry. +Since we need to be able to evict more than one entry per +update_or_create_fnhe() call, I had to replace +fnhe_oldest() with fnhe_remove_oldest(). + +Also note that we will queue extra kfree_rcu() calls under stress, +which hopefully wont be a too big issue. + +Fixes: 4895c771c7f0 ("ipv4: Add FIB nexthop exceptions.") +Signed-off-by: Eric Dumazet +Reported-by: Keyu Man +Cc: Willy Tarreau +Signed-off-by: David S. Miller +Reviewed-by: David Ahern +Tested-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/route.c | 46 ++++++++++++++++++++++++++++++---------------- + 1 file changed, 30 insertions(+), 16 deletions(-) + +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index 1491d239385e..d72bffab6ffc 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -604,18 +604,25 @@ static void fnhe_flush_routes(struct fib_nh_exception *fnhe) + } + } + +-static struct fib_nh_exception *fnhe_oldest(struct fnhe_hash_bucket *hash) ++static void fnhe_remove_oldest(struct fnhe_hash_bucket *hash) + { +- struct fib_nh_exception *fnhe, *oldest; ++ struct fib_nh_exception __rcu **fnhe_p, **oldest_p; ++ struct fib_nh_exception *fnhe, *oldest = NULL; + +- oldest = rcu_dereference(hash->chain); +- for (fnhe = rcu_dereference(oldest->fnhe_next); fnhe; +- fnhe = rcu_dereference(fnhe->fnhe_next)) { +- if (time_before(fnhe->fnhe_stamp, oldest->fnhe_stamp)) ++ for (fnhe_p = &hash->chain; ; fnhe_p = &fnhe->fnhe_next) { ++ fnhe = rcu_dereference_protected(*fnhe_p, ++ lockdep_is_held(&fnhe_lock)); ++ if (!fnhe) ++ break; ++ if (!oldest || ++ time_before(fnhe->fnhe_stamp, oldest->fnhe_stamp)) { + oldest = fnhe; ++ oldest_p = fnhe_p; ++ } + } + fnhe_flush_routes(oldest); +- return oldest; ++ *oldest_p = oldest->fnhe_next; ++ kfree_rcu(oldest, rcu); + } + + static inline u32 fnhe_hashfun(__be32 daddr) +@@ -692,16 +699,21 @@ static void update_or_create_fnhe(struct fib_nh *nh, __be32 daddr, __be32 gw, + if (rt) + fill_route_from_fnhe(rt, fnhe); + } else { +- if (depth > FNHE_RECLAIM_DEPTH) +- fnhe = fnhe_oldest(hash); +- else { +- fnhe = kzalloc(sizeof(*fnhe), GFP_ATOMIC); +- if (!fnhe) +- goto out_unlock; +- +- fnhe->fnhe_next = hash->chain; +- rcu_assign_pointer(hash->chain, fnhe); ++ /* Randomize max depth to avoid some side channels attacks. */ ++ int max_depth = FNHE_RECLAIM_DEPTH + ++ prandom_u32_max(FNHE_RECLAIM_DEPTH); ++ ++ while (depth > max_depth) { ++ fnhe_remove_oldest(hash); ++ depth--; + } ++ ++ fnhe = kzalloc(sizeof(*fnhe), GFP_ATOMIC); ++ if (!fnhe) ++ goto out_unlock; ++ ++ fnhe->fnhe_next = hash->chain; ++ + fnhe->fnhe_genid = genid; + fnhe->fnhe_daddr = daddr; + fnhe->fnhe_gw = gw; +@@ -709,6 +721,8 @@ static void update_or_create_fnhe(struct fib_nh *nh, __be32 daddr, __be32 gw, + fnhe->fnhe_mtu_locked = lock; + fnhe->fnhe_expires = max(1UL, expires); + ++ rcu_assign_pointer(hash->chain, fnhe); ++ + /* Exception created; mark the cached routes for the nexthop + * stale, so anyone caching it rechecks if this exception + * applies to them. +-- +2.30.2 + diff --git a/queue-4.19/isofs-joliet-fix-iocharset-utf8-mount-option.patch b/queue-4.19/isofs-joliet-fix-iocharset-utf8-mount-option.patch new file mode 100644 index 00000000000..1816f5cf808 --- /dev/null +++ b/queue-4.19/isofs-joliet-fix-iocharset-utf8-mount-option.patch @@ -0,0 +1,153 @@ +From 240046c2c95a0c48f09b8ece4a9d80dfe2b51cdb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Aug 2021 18:24:37 +0200 +Subject: isofs: joliet: Fix iocharset=utf8 mount option +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit 28ce50f8d96ec9035f60c9348294ea26b94db944 ] + +Currently iocharset=utf8 mount option is broken. To use UTF-8 as iocharset, +it is required to use utf8 mount option. + +Fix iocharset=utf8 mount option to use be equivalent to the utf8 mount +option. + +If UTF-8 as iocharset is used then s_nls_iocharset is set to NULL. So +simplify code around, remove s_utf8 field as to distinguish between UTF-8 +and non-UTF-8 it is needed just to check if s_nls_iocharset is set to NULL +or not. + +Link: https://lore.kernel.org/r/20210808162453.1653-5-pali@kernel.org +Signed-off-by: Pali Rohár +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/isofs/inode.c | 27 +++++++++++++-------------- + fs/isofs/isofs.h | 1 - + fs/isofs/joliet.c | 4 +--- + 3 files changed, 14 insertions(+), 18 deletions(-) + +diff --git a/fs/isofs/inode.c b/fs/isofs/inode.c +index 488a9e7f8f66..2355ad62b81f 100644 +--- a/fs/isofs/inode.c ++++ b/fs/isofs/inode.c +@@ -157,7 +157,6 @@ struct iso9660_options{ + unsigned int overriderockperm:1; + unsigned int uid_set:1; + unsigned int gid_set:1; +- unsigned int utf8:1; + unsigned char map; + unsigned char check; + unsigned int blocksize; +@@ -357,7 +356,6 @@ static int parse_options(char *options, struct iso9660_options *popt) + popt->gid = GLOBAL_ROOT_GID; + popt->uid = GLOBAL_ROOT_UID; + popt->iocharset = NULL; +- popt->utf8 = 0; + popt->overriderockperm = 0; + popt->session=-1; + popt->sbsector=-1; +@@ -390,10 +388,13 @@ static int parse_options(char *options, struct iso9660_options *popt) + case Opt_cruft: + popt->cruft = 1; + break; ++#ifdef CONFIG_JOLIET + case Opt_utf8: +- popt->utf8 = 1; ++ kfree(popt->iocharset); ++ popt->iocharset = kstrdup("utf8", GFP_KERNEL); ++ if (!popt->iocharset) ++ return 0; + break; +-#ifdef CONFIG_JOLIET + case Opt_iocharset: + kfree(popt->iocharset); + popt->iocharset = match_strdup(&args[0]); +@@ -496,7 +497,6 @@ static int isofs_show_options(struct seq_file *m, struct dentry *root) + if (sbi->s_nocompress) seq_puts(m, ",nocompress"); + if (sbi->s_overriderockperm) seq_puts(m, ",overriderockperm"); + if (sbi->s_showassoc) seq_puts(m, ",showassoc"); +- if (sbi->s_utf8) seq_puts(m, ",utf8"); + + if (sbi->s_check) seq_printf(m, ",check=%c", sbi->s_check); + if (sbi->s_mapping) seq_printf(m, ",map=%c", sbi->s_mapping); +@@ -519,9 +519,10 @@ static int isofs_show_options(struct seq_file *m, struct dentry *root) + seq_printf(m, ",fmode=%o", sbi->s_fmode); + + #ifdef CONFIG_JOLIET +- if (sbi->s_nls_iocharset && +- strcmp(sbi->s_nls_iocharset->charset, CONFIG_NLS_DEFAULT) != 0) ++ if (sbi->s_nls_iocharset) + seq_printf(m, ",iocharset=%s", sbi->s_nls_iocharset->charset); ++ else ++ seq_puts(m, ",iocharset=utf8"); + #endif + return 0; + } +@@ -865,14 +866,13 @@ root_found: + sbi->s_nls_iocharset = NULL; + + #ifdef CONFIG_JOLIET +- if (joliet_level && opt.utf8 == 0) { ++ if (joliet_level) { + char *p = opt.iocharset ? opt.iocharset : CONFIG_NLS_DEFAULT; +- sbi->s_nls_iocharset = load_nls(p); +- if (! sbi->s_nls_iocharset) { +- /* Fail only if explicit charset specified */ +- if (opt.iocharset) ++ if (strcmp(p, "utf8") != 0) { ++ sbi->s_nls_iocharset = opt.iocharset ? ++ load_nls(opt.iocharset) : load_nls_default(); ++ if (!sbi->s_nls_iocharset) + goto out_freesbi; +- sbi->s_nls_iocharset = load_nls_default(); + } + } + #endif +@@ -888,7 +888,6 @@ root_found: + sbi->s_gid = opt.gid; + sbi->s_uid_set = opt.uid_set; + sbi->s_gid_set = opt.gid_set; +- sbi->s_utf8 = opt.utf8; + sbi->s_nocompress = opt.nocompress; + sbi->s_overriderockperm = opt.overriderockperm; + /* +diff --git a/fs/isofs/isofs.h b/fs/isofs/isofs.h +index 055ec6c586f7..dcdc191ed183 100644 +--- a/fs/isofs/isofs.h ++++ b/fs/isofs/isofs.h +@@ -44,7 +44,6 @@ struct isofs_sb_info { + unsigned char s_session; + unsigned int s_high_sierra:1; + unsigned int s_rock:2; +- unsigned int s_utf8:1; + unsigned int s_cruft:1; /* Broken disks with high byte of length + * containing junk */ + unsigned int s_nocompress:1; +diff --git a/fs/isofs/joliet.c b/fs/isofs/joliet.c +index be8b6a9d0b92..c0f04a1e7f69 100644 +--- a/fs/isofs/joliet.c ++++ b/fs/isofs/joliet.c +@@ -41,14 +41,12 @@ uni16_to_x8(unsigned char *ascii, __be16 *uni, int len, struct nls_table *nls) + int + get_joliet_filename(struct iso_directory_record * de, unsigned char *outname, struct inode * inode) + { +- unsigned char utf8; + struct nls_table *nls; + unsigned char len = 0; + +- utf8 = ISOFS_SB(inode->i_sb)->s_utf8; + nls = ISOFS_SB(inode->i_sb)->s_nls_iocharset; + +- if (utf8) { ++ if (!nls) { + len = utf16s_to_utf8s((const wchar_t *) de->name, + de->name_len[0] >> 1, UTF16_BIG_ENDIAN, + outname, PAGE_SIZE); +-- +2.30.2 + diff --git a/queue-4.19/lib-mpi-use-kcalloc-in-mpi_resize.patch b/queue-4.19/lib-mpi-use-kcalloc-in-mpi_resize.patch new file mode 100644 index 00000000000..1e56f9ab45f --- /dev/null +++ b/queue-4.19/lib-mpi-use-kcalloc-in-mpi_resize.patch @@ -0,0 +1,58 @@ +From 35c7d67c9167c7f5f6f1cdaaa68a77e760307f7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Aug 2021 16:53:32 +0800 +Subject: lib/mpi: use kcalloc in mpi_resize + +From: Hongbo Li + +[ Upstream commit b6f756726e4dfe75be1883f6a0202dcecdc801ab ] + +We should set the additional space to 0 in mpi_resize(). +So use kcalloc() instead of kmalloc_array(). + +In lib/mpi/ec.c: +/**************** + * Resize the array of A to NLIMBS. the additional space is cleared + * (set to 0) [done by m_realloc()] + */ +int mpi_resize(MPI a, unsigned nlimbs) + +Like the comment of kernel's mpi_resize() said, the additional space +need to be set to 0, but when a->d is not NULL, it does not set. + +The kernel's mpi lib is from libgcrypt, the mpi resize in libgcrypt +is _gcry_mpi_resize() which set the additional space to 0. + +This bug may cause mpi api which use mpi_resize() get wrong result +under the condition of using the additional space without initiation. +If this condition is not met, the bug would not be triggered. +Currently in kernel, rsa, sm2 and dh use mpi lib, and they works well, +so the bug is not triggered in these cases. + +add_points_edwards() use the additional space directly, so it will +get a wrong result. + +Fixes: cdec9cb5167a ("crypto: GnuPG based MPI lib - source files (part 1)") +Signed-off-by: Hongbo Li +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + lib/mpi/mpiutil.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/mpi/mpiutil.c b/lib/mpi/mpiutil.c +index 20ed0f766787..00825028cc84 100644 +--- a/lib/mpi/mpiutil.c ++++ b/lib/mpi/mpiutil.c +@@ -91,7 +91,7 @@ int mpi_resize(MPI a, unsigned nlimbs) + return 0; /* no need to do it */ + + if (a->d) { +- p = kmalloc_array(nlimbs, sizeof(mpi_limb_t), GFP_KERNEL); ++ p = kcalloc(nlimbs, sizeof(mpi_limb_t), GFP_KERNEL); + if (!p) + return -ENOMEM; + memcpy(p, a->d, a->alloced * sizeof(mpi_limb_t)); +-- +2.30.2 + diff --git a/queue-4.19/libata-fix-ata_host_start.patch b/queue-4.19/libata-fix-ata_host_start.patch new file mode 100644 index 00000000000..c053e99cde0 --- /dev/null +++ b/queue-4.19/libata-fix-ata_host_start.patch @@ -0,0 +1,39 @@ +From 58a3367b2709fb18238e4d9965eb7f41f91d6986 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Aug 2021 10:44:47 +0900 +Subject: libata: fix ata_host_start() + +From: Damien Le Moal + +[ Upstream commit 355a8031dc174450ccad2a61c513ad7222d87a97 ] + +The loop on entry of ata_host_start() may not initialize host->ops to a +non NULL value. The test on the host_stop field of host->ops must then +be preceded by a check that host->ops is not NULL. + +Reported-by: kernel test robot +Signed-off-by: Damien Le Moal +Reviewed-by: Hannes Reinecke +Link: https://lore.kernel.org/r/20210816014456.2191776-3-damien.lemoal@wdc.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index db1d86af21b4..d9b1c3e95592 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -6412,7 +6412,7 @@ int ata_host_start(struct ata_host *host) + have_stop = 1; + } + +- if (host->ops->host_stop) ++ if (host->ops && host->ops->host_stop) + have_stop = 1; + + if (have_stop) { +-- +2.30.2 + diff --git a/queue-4.19/locking-mutex-fix-handoff-condition.patch b/queue-4.19/locking-mutex-fix-handoff-condition.patch new file mode 100644 index 00000000000..23a0e1f6278 --- /dev/null +++ b/queue-4.19/locking-mutex-fix-handoff-condition.patch @@ -0,0 +1,73 @@ +From e7f81676dbeaa5e86bddcd32af3811b7abeedd9c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Jun 2021 17:35:18 +0200 +Subject: locking/mutex: Fix HANDOFF condition + +From: Peter Zijlstra + +[ Upstream commit 048661a1f963e9517630f080687d48af79ed784c ] + +Yanfei reported that setting HANDOFF should not depend on recomputing +@first, only on @first state. Which would then give: + + if (ww_ctx || !first) + first = __mutex_waiter_is_first(lock, &waiter); + if (first) + __mutex_set_flag(lock, MUTEX_FLAG_HANDOFF); + +But because 'ww_ctx || !first' is basically 'always' and the test for +first is relatively cheap, omit that first branch entirely. + +Reported-by: Yanfei Xu +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Waiman Long +Reviewed-by: Yanfei Xu +Link: https://lore.kernel.org/r/20210630154114.896786297@infradead.org +Signed-off-by: Sasha Levin +--- + kernel/locking/mutex.c | 15 +++++---------- + 1 file changed, 5 insertions(+), 10 deletions(-) + +diff --git a/kernel/locking/mutex.c b/kernel/locking/mutex.c +index 354151fef06a..fbc62d360419 100644 +--- a/kernel/locking/mutex.c ++++ b/kernel/locking/mutex.c +@@ -911,7 +911,6 @@ __mutex_lock_common(struct mutex *lock, long state, unsigned int subclass, + struct ww_acquire_ctx *ww_ctx, const bool use_ww_ctx) + { + struct mutex_waiter waiter; +- bool first = false; + struct ww_mutex *ww; + int ret; + +@@ -986,6 +985,8 @@ __mutex_lock_common(struct mutex *lock, long state, unsigned int subclass, + + set_current_state(state); + for (;;) { ++ bool first; ++ + /* + * Once we hold wait_lock, we're serialized against + * mutex_unlock() handing the lock off to us, do a trylock +@@ -1014,15 +1015,9 @@ __mutex_lock_common(struct mutex *lock, long state, unsigned int subclass, + spin_unlock(&lock->wait_lock); + schedule_preempt_disabled(); + +- /* +- * ww_mutex needs to always recheck its position since its waiter +- * list is not FIFO ordered. +- */ +- if (ww_ctx || !first) { +- first = __mutex_waiter_is_first(lock, &waiter); +- if (first) +- __mutex_set_flag(lock, MUTEX_FLAG_HANDOFF); +- } ++ first = __mutex_waiter_is_first(lock, &waiter); ++ if (first) ++ __mutex_set_flag(lock, MUTEX_FLAG_HANDOFF); + + set_current_state(state); + /* +-- +2.30.2 + diff --git a/queue-4.19/m68k-emu-fix-invalid-free-in-nfeth_cleanup.patch b/queue-4.19/m68k-emu-fix-invalid-free-in-nfeth_cleanup.patch new file mode 100644 index 00000000000..c12ead3dd1a --- /dev/null +++ b/queue-4.19/m68k-emu-fix-invalid-free-in-nfeth_cleanup.patch @@ -0,0 +1,40 @@ +From 5415d5e8a8e7b0cad4966a0fd59a8ea02eb46d55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jul 2021 23:47:27 +0300 +Subject: m68k: emu: Fix invalid free in nfeth_cleanup() + +From: Pavel Skripkin + +[ Upstream commit 761608f5cf70e8876c2f0e39ca54b516bdcb7c12 ] + +In the for loop all nfeth_dev array members should be freed, not only +the first one. Freeing only the first array member can cause +double-free bugs and memory leaks. + +Fixes: 9cd7b148312f ("m68k/atari: ARAnyM - Add support for network access") +Signed-off-by: Pavel Skripkin +Link: https://lore.kernel.org/r/20210705204727.10743-1-paskripkin@gmail.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/m68k/emu/nfeth.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/m68k/emu/nfeth.c b/arch/m68k/emu/nfeth.c +index e45ce4243aaa..76262dc40e79 100644 +--- a/arch/m68k/emu/nfeth.c ++++ b/arch/m68k/emu/nfeth.c +@@ -258,8 +258,8 @@ static void __exit nfeth_cleanup(void) + + for (i = 0; i < MAX_UNIT; i++) { + if (nfeth_dev[i]) { +- unregister_netdev(nfeth_dev[0]); +- free_netdev(nfeth_dev[0]); ++ unregister_netdev(nfeth_dev[i]); ++ free_netdev(nfeth_dev[i]); + } + } + free_irq(nfEtherIRQ, nfeth_interrupt); +-- +2.30.2 + diff --git a/queue-4.19/mac80211-fix-insufficient-headroom-issue-for-amsdu.patch b/queue-4.19/mac80211-fix-insufficient-headroom-issue-for-amsdu.patch new file mode 100644 index 00000000000..538def5d4b8 --- /dev/null +++ b/queue-4.19/mac80211-fix-insufficient-headroom-issue-for-amsdu.patch @@ -0,0 +1,42 @@ +From 6393e4865cb09eb17d968ace4b5548d571b8bff7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Aug 2021 16:51:28 +0800 +Subject: mac80211: Fix insufficient headroom issue for AMSDU + +From: Chih-Kang Chang + +[ Upstream commit f50d2ff8f016b79a2ff4acd5943a1eda40c545d4 ] + +ieee80211_amsdu_realloc_pad() fails to account for extra_tx_headroom, +the original reserved headroom might be eaten. Add the necessary +extra_tx_headroom. + +Fixes: 6e0456b54545 ("mac80211: add A-MSDU tx support") +Signed-off-by: Chih-Kang Chang +Signed-off-by: Ping-Ke Shih +Link: https://lore.kernel.org/r/20210816085128.10931-2-pkshih@realtek.com +[fix indentation] +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/tx.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c +index 3530d1a5fc98..5c5908127fcb 100644 +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -3142,7 +3142,9 @@ static bool ieee80211_amsdu_prepare_head(struct ieee80211_sub_if_data *sdata, + if (info->control.flags & IEEE80211_TX_CTRL_AMSDU) + return true; + +- if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(*amsdu_hdr))) ++ if (!ieee80211_amsdu_realloc_pad(local, skb, ++ sizeof(*amsdu_hdr) + ++ local->hw.extra_tx_headroom)) + return false; + + data = skb_push(skb, sizeof(*amsdu_hdr)); +-- +2.30.2 + diff --git a/queue-4.19/media-dvb-usb-fix-uninit-value-in-dvb_usb_adapter_dv.patch b/queue-4.19/media-dvb-usb-fix-uninit-value-in-dvb_usb_adapter_dv.patch new file mode 100644 index 00000000000..00176724eeb --- /dev/null +++ b/queue-4.19/media-dvb-usb-fix-uninit-value-in-dvb_usb_adapter_dv.patch @@ -0,0 +1,52 @@ +From 6ae583d13c5e447edd5c230f87c875567b3c42be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Jun 2021 07:33:27 +0200 +Subject: media: dvb-usb: fix uninit-value in dvb_usb_adapter_dvb_init + +From: Dongliang Mu + +[ Upstream commit c5453769f77ce19a5b03f1f49946fd3f8a374009 ] + +If dibusb_read_eeprom_byte fails, the mac address is not initialized. +And nova_t_read_mac_address does not handle this failure, which leads to +the uninit-value in dvb_usb_adapter_dvb_init. + +Fix this by handling the failure of dibusb_read_eeprom_byte. + +Reported-by: syzbot+e27b4fd589762b0b9329@syzkaller.appspotmail.com +Fixes: 786baecfe78f ("[media] dvb-usb: move it to drivers/media/usb/dvb-usb") +Signed-off-by: Dongliang Mu +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb/nova-t-usb2.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/usb/dvb-usb/nova-t-usb2.c b/drivers/media/usb/dvb-usb/nova-t-usb2.c +index 43e0e0fd715b..705c2901a89e 100644 +--- a/drivers/media/usb/dvb-usb/nova-t-usb2.c ++++ b/drivers/media/usb/dvb-usb/nova-t-usb2.c +@@ -133,7 +133,7 @@ ret: + + static int nova_t_read_mac_address (struct dvb_usb_device *d, u8 mac[6]) + { +- int i; ++ int i, ret; + u8 b; + + mac[0] = 0x00; +@@ -142,7 +142,9 @@ static int nova_t_read_mac_address (struct dvb_usb_device *d, u8 mac[6]) + + /* this is a complete guess, but works for my box */ + for (i = 136; i < 139; i++) { +- dibusb_read_eeprom_byte(d,i, &b); ++ ret = dibusb_read_eeprom_byte(d, i, &b); ++ if (ret) ++ return ret; + + mac[5 - (i - 136)] = b; + } +-- +2.30.2 + diff --git a/queue-4.19/media-dvb-usb-fix-uninit-value-in-vp702x_read_mac_ad.patch b/queue-4.19/media-dvb-usb-fix-uninit-value-in-vp702x_read_mac_ad.patch new file mode 100644 index 00000000000..f6bfb55318f --- /dev/null +++ b/queue-4.19/media-dvb-usb-fix-uninit-value-in-vp702x_read_mac_ad.patch @@ -0,0 +1,57 @@ +From 45298cd8b9fa88eb24c781eda266203a4ea2421c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Jun 2021 07:59:04 +0200 +Subject: media: dvb-usb: fix uninit-value in vp702x_read_mac_addr + +From: Dongliang Mu + +[ Upstream commit 797c061ad715a9a1480eb73f44b6939fbe3209ed ] + +If vp702x_usb_in_op fails, the mac address is not initialized. +And vp702x_read_mac_addr does not handle this failure, which leads to +the uninit-value in dvb_usb_adapter_dvb_init. + +Fix this by handling the failure of vp702x_usb_in_op. + +Fixes: 786baecfe78f ("[media] dvb-usb: move it to drivers/media/usb/dvb-usb") +Signed-off-by: Dongliang Mu +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb/vp702x.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/usb/dvb-usb/vp702x.c b/drivers/media/usb/dvb-usb/vp702x.c +index c3529ea59da9..fcd66757b34d 100644 +--- a/drivers/media/usb/dvb-usb/vp702x.c ++++ b/drivers/media/usb/dvb-usb/vp702x.c +@@ -294,16 +294,22 @@ static int vp702x_rc_query(struct dvb_usb_device *d, u32 *event, int *state) + static int vp702x_read_mac_addr(struct dvb_usb_device *d,u8 mac[6]) + { + u8 i, *buf; ++ int ret; + struct vp702x_device_state *st = d->priv; + + mutex_lock(&st->buf_mutex); + buf = st->buf; +- for (i = 6; i < 12; i++) +- vp702x_usb_in_op(d, READ_EEPROM_REQ, i, 1, &buf[i - 6], 1); ++ for (i = 6; i < 12; i++) { ++ ret = vp702x_usb_in_op(d, READ_EEPROM_REQ, i, 1, ++ &buf[i - 6], 1); ++ if (ret < 0) ++ goto err; ++ } + + memcpy(mac, buf, 6); ++err: + mutex_unlock(&st->buf_mutex); +- return 0; ++ return ret; + } + + static int vp702x_frontend_attach(struct dvb_usb_adapter *adap) +-- +2.30.2 + diff --git a/queue-4.19/media-em28xx-input-fix-refcount-bug-in-em28xx_usb_di.patch b/queue-4.19/media-em28xx-input-fix-refcount-bug-in-em28xx_usb_di.patch new file mode 100644 index 00000000000..6b0c4af9328 --- /dev/null +++ b/queue-4.19/media-em28xx-input-fix-refcount-bug-in-em28xx_usb_di.patch @@ -0,0 +1,67 @@ +From 4c78d554e65ce3f0754d598ae0d9dea57d13300a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jul 2021 11:34:09 +0200 +Subject: media: em28xx-input: fix refcount bug in em28xx_usb_disconnect + +From: Dongliang Mu + +[ Upstream commit 6fa54bc713c262e1cfbc5613377ef52280d7311f ] + +If em28xx_ir_init fails, it would decrease the refcount of dev. However, +in the em28xx_ir_fini, when ir is NULL, it goes to ref_put and decrease +the refcount of dev. This will lead to a refcount bug. + +Fix this bug by removing the kref_put in the error handling code +of em28xx_ir_init. + +refcount_t: underflow; use-after-free. +WARNING: CPU: 0 PID: 7 at lib/refcount.c:28 refcount_warn_saturate+0x18e/0x1a0 lib/refcount.c:28 +Modules linked in: +CPU: 0 PID: 7 Comm: kworker/0:1 Not tainted 5.13.0 #3 +Workqueue: usb_hub_wq hub_event +RIP: 0010:refcount_warn_saturate+0x18e/0x1a0 lib/refcount.c:28 +Call Trace: + kref_put.constprop.0+0x60/0x85 include/linux/kref.h:69 + em28xx_usb_disconnect.cold+0xd7/0xdc drivers/media/usb/em28xx/em28xx-cards.c:4150 + usb_unbind_interface+0xbf/0x3a0 drivers/usb/core/driver.c:458 + __device_release_driver drivers/base/dd.c:1201 [inline] + device_release_driver_internal+0x22a/0x230 drivers/base/dd.c:1232 + bus_remove_device+0x108/0x160 drivers/base/bus.c:529 + device_del+0x1fe/0x510 drivers/base/core.c:3540 + usb_disable_device+0xd1/0x1d0 drivers/usb/core/message.c:1419 + usb_disconnect+0x109/0x330 drivers/usb/core/hub.c:2221 + hub_port_connect drivers/usb/core/hub.c:5151 [inline] + hub_port_connect_change drivers/usb/core/hub.c:5440 [inline] + port_event drivers/usb/core/hub.c:5586 [inline] + hub_event+0xf81/0x1d40 drivers/usb/core/hub.c:5668 + process_one_work+0x2c9/0x610 kernel/workqueue.c:2276 + process_scheduled_works kernel/workqueue.c:2338 [inline] + worker_thread+0x333/0x5b0 kernel/workqueue.c:2424 + kthread+0x188/0x1d0 kernel/kthread.c:319 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 + +Reported-by: Dongliang Mu +Fixes: ac5688637144 ("media: em28xx: Fix possible memory leak of em28xx struct") +Signed-off-by: Dongliang Mu +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/em28xx/em28xx-input.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/media/usb/em28xx/em28xx-input.c b/drivers/media/usb/em28xx/em28xx-input.c +index 3612f0d730dd..92007a225d8e 100644 +--- a/drivers/media/usb/em28xx/em28xx-input.c ++++ b/drivers/media/usb/em28xx/em28xx-input.c +@@ -865,7 +865,6 @@ error: + kfree(ir); + ref_put: + em28xx_shutdown_buttons(dev); +- kref_put(&dev->ref, em28xx_free_device); + return err; + } + +-- +2.30.2 + diff --git a/queue-4.19/media-go7007-remove-redundant-initialization.patch b/queue-4.19/media-go7007-remove-redundant-initialization.patch new file mode 100644 index 00000000000..47f404df7ce --- /dev/null +++ b/queue-4.19/media-go7007-remove-redundant-initialization.patch @@ -0,0 +1,87 @@ +From 6496a3fd3ba4cf76351234de7b061ec775027583 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Jun 2021 21:45:42 +0200 +Subject: media: go7007: remove redundant initialization + +From: Pavel Skripkin + +[ Upstream commit 6f5885a7750545973bf1a942d2f0f129aef0aa06 ] + +In go7007_alloc() kzalloc() is used for struct go7007 +allocation. It means that there is no need in zeroing +any members, because kzalloc will take care of it. + +Removing these reduntant initialization steps increases +execution speed a lot: + + Before: + + 86.802 us | go7007_alloc(); + After: + + 29.595 us | go7007_alloc(); + +Fixes: 866b8695d67e8 ("Staging: add the go7007 video driver") +Signed-off-by: Pavel Skripkin +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/go7007/go7007-driver.c | 26 ------------------------ + 1 file changed, 26 deletions(-) + +diff --git a/drivers/media/usb/go7007/go7007-driver.c b/drivers/media/usb/go7007/go7007-driver.c +index 62aeebcdd7f7..c7b5a3321cd7 100644 +--- a/drivers/media/usb/go7007/go7007-driver.c ++++ b/drivers/media/usb/go7007/go7007-driver.c +@@ -699,49 +699,23 @@ struct go7007 *go7007_alloc(const struct go7007_board_info *board, + struct device *dev) + { + struct go7007 *go; +- int i; + + go = kzalloc(sizeof(struct go7007), GFP_KERNEL); + if (go == NULL) + return NULL; + go->dev = dev; + go->board_info = board; +- go->board_id = 0; + go->tuner_type = -1; +- go->channel_number = 0; +- go->name[0] = 0; + mutex_init(&go->hw_lock); + init_waitqueue_head(&go->frame_waitq); + spin_lock_init(&go->spinlock); + go->status = STATUS_INIT; +- memset(&go->i2c_adapter, 0, sizeof(go->i2c_adapter)); +- go->i2c_adapter_online = 0; +- go->interrupt_available = 0; + init_waitqueue_head(&go->interrupt_waitq); +- go->input = 0; + go7007_update_board(go); +- go->encoder_h_halve = 0; +- go->encoder_v_halve = 0; +- go->encoder_subsample = 0; + go->format = V4L2_PIX_FMT_MJPEG; + go->bitrate = 1500000; + go->fps_scale = 1; +- go->pali = 0; + go->aspect_ratio = GO7007_RATIO_1_1; +- go->gop_size = 0; +- go->ipb = 0; +- go->closed_gop = 0; +- go->repeat_seqhead = 0; +- go->seq_header_enable = 0; +- go->gop_header_enable = 0; +- go->dvd_mode = 0; +- go->interlace_coding = 0; +- for (i = 0; i < 4; ++i) +- go->modet[i].enable = 0; +- for (i = 0; i < 1624; ++i) +- go->modet_map[i] = 0; +- go->audio_deliver = NULL; +- go->audio_enabled = 0; + + return go; + } +-- +2.30.2 + diff --git a/queue-4.19/media-tda1997x-enable-edid-support.patch b/queue-4.19/media-tda1997x-enable-edid-support.patch new file mode 100644 index 00000000000..be9ccc80524 --- /dev/null +++ b/queue-4.19/media-tda1997x-enable-edid-support.patch @@ -0,0 +1,40 @@ +From c4b66a19649fa85e756cc6371dfc8d5ba23b9ead Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 07:13:55 +0200 +Subject: media: TDA1997x: enable EDID support +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Krzysztof Hałasa + +[ Upstream commit ea3e1c36e38810427485f06c2becc1f29e54521d ] + +Without this patch, the TDA19971 chip's EDID is inactive. +EDID never worked with this driver, it was all tested with HDMI signal +sources which don't need EDID support. + +Signed-off-by: Krzysztof Halasa +Fixes: 9ac0038db9a7 ("media: i2c: Add TDA1997x HDMI receiver driver") +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/tda1997x.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/i2c/tda1997x.c b/drivers/media/i2c/tda1997x.c +index d114ac5243ec..dab441bbc9f0 100644 +--- a/drivers/media/i2c/tda1997x.c ++++ b/drivers/media/i2c/tda1997x.c +@@ -2229,6 +2229,7 @@ static int tda1997x_core_init(struct v4l2_subdev *sd) + /* get initial HDMI status */ + state->hdmi_status = io_read(sd, REG_HDMI_FLAGS); + ++ io_write(sd, REG_EDID_ENABLE, EDID_ENABLE_A_EN | EDID_ENABLE_B_EN); + return 0; + } + +-- +2.30.2 + diff --git a/queue-4.19/media-venus-venc-fix-potential-null-pointer-derefere.patch b/queue-4.19/media-venus-venc-fix-potential-null-pointer-derefere.patch new file mode 100644 index 00000000000..ba0cacaab31 --- /dev/null +++ b/queue-4.19/media-venus-venc-fix-potential-null-pointer-derefere.patch @@ -0,0 +1,42 @@ +From ae470573e142ec738c9d61257eb639f7e2c00d9c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jul 2021 14:30:25 +0200 +Subject: media: venus: venc: Fix potential null pointer dereference on pointer + fmt + +From: Colin Ian King + +[ Upstream commit 09ea9719a423fc675d40dd05407165e161ea0c48 ] + +Currently the call to find_format can potentially return a NULL to +fmt and the nullpointer is later dereferenced on the assignment of +pixmp->num_planes = fmt->num_planes. Fix this by adding a NULL pointer +check and returning NULL for the failure case. + +Addresses-Coverity: ("Dereference null return") + +Fixes: aaaa93eda64b ("[media] media: venus: venc: add video encoder files") +Signed-off-by: Colin Ian King +Signed-off-by: Stanimir Varbanov +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/qcom/venus/venc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/media/platform/qcom/venus/venc.c b/drivers/media/platform/qcom/venus/venc.c +index 420897241248..4197b311cff4 100644 +--- a/drivers/media/platform/qcom/venus/venc.c ++++ b/drivers/media/platform/qcom/venus/venc.c +@@ -316,6 +316,8 @@ venc_try_fmt_common(struct venus_inst *inst, struct v4l2_format *f) + else + return NULL; + fmt = find_format(inst, pixmp->pixelformat, f->type); ++ if (!fmt) ++ return NULL; + } + + pixmp->width = clamp(pixmp->width, frame_width_min(inst), +-- +2.30.2 + diff --git a/queue-4.19/mmc-dw_mmc-fix-issue-with-uninitialized-dma_slave_co.patch b/queue-4.19/mmc-dw_mmc-fix-issue-with-uninitialized-dma_slave_co.patch new file mode 100644 index 00000000000..2edabf51bbc --- /dev/null +++ b/queue-4.19/mmc-dw_mmc-fix-issue-with-uninitialized-dma_slave_co.patch @@ -0,0 +1,47 @@ +From c2ac1620687d4ccb88fdf5703f239c81ac53d3ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Aug 2021 11:16:43 +0300 +Subject: mmc: dw_mmc: Fix issue with uninitialized dma_slave_config + +From: Tony Lindgren + +[ Upstream commit c3ff0189d3bc9c03845fe37472c140f0fefd0c79 ] + +Depending on the DMA driver being used, the struct dma_slave_config may +need to be initialized to zero for the unused data. + +For example, we have three DMA drivers using src_port_window_size and +dst_port_window_size. If these are left uninitialized, it can cause DMA +failures. + +For dw_mmc, this is probably not currently an issue but is still good to +fix though. + +Fixes: 3fc7eaef44db ("mmc: dw_mmc: Add external dma interface support") +Cc: Shawn Lin +Cc: Jaehoon Chung +Cc: Peter Ujfalusi +Cc: Vinod Koul +Signed-off-by: Tony Lindgren +Link: https://lore.kernel.org/r/20210810081644.19353-2-tony@atomide.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/dw_mmc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/mmc/host/dw_mmc.c b/drivers/mmc/host/dw_mmc.c +index 8e09586f880f..e3991df078ef 100644 +--- a/drivers/mmc/host/dw_mmc.c ++++ b/drivers/mmc/host/dw_mmc.c +@@ -808,6 +808,7 @@ static int dw_mci_edmac_start_dma(struct dw_mci *host, + int ret = 0; + + /* Set external dma config: burst size, burst width */ ++ memset(&cfg, 0, sizeof(cfg)); + cfg.dst_addr = host->phy_regs + fifo_offset; + cfg.src_addr = cfg.dst_addr; + cfg.dst_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES; +-- +2.30.2 + diff --git a/queue-4.19/mmc-moxart-fix-issue-with-uninitialized-dma_slave_co.patch b/queue-4.19/mmc-moxart-fix-issue-with-uninitialized-dma_slave_co.patch new file mode 100644 index 00000000000..fb344f52f7a --- /dev/null +++ b/queue-4.19/mmc-moxart-fix-issue-with-uninitialized-dma_slave_co.patch @@ -0,0 +1,46 @@ +From c5c56b47dd6574300a40e6f6714e7280ededbac7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Aug 2021 11:16:44 +0300 +Subject: mmc: moxart: Fix issue with uninitialized dma_slave_config + +From: Tony Lindgren + +[ Upstream commit ee5165354d498e5bceb0b386e480ac84c5f8c28c ] + +Depending on the DMA driver being used, the struct dma_slave_config may +need to be initialized to zero for the unused data. + +For example, we have three DMA drivers using src_port_window_size and +dst_port_window_size. If these are left uninitialized, it can cause DMA +failures. + +For moxart, this is probably not currently an issue but is still good to +fix though. + +Fixes: 1b66e94e6b99 ("mmc: moxart: Add MOXA ART SD/MMC driver") +Cc: Jonas Jensen +Cc: Vinod Koul +Cc: Peter Ujfalusi +Signed-off-by: Tony Lindgren +Link: https://lore.kernel.org/r/20210810081644.19353-3-tony@atomide.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/moxart-mmc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/mmc/host/moxart-mmc.c b/drivers/mmc/host/moxart-mmc.c +index a0670e9cd012..5553a5643f40 100644 +--- a/drivers/mmc/host/moxart-mmc.c ++++ b/drivers/mmc/host/moxart-mmc.c +@@ -631,6 +631,7 @@ static int moxart_probe(struct platform_device *pdev) + host->dma_chan_tx, host->dma_chan_rx); + host->have_dma = true; + ++ memset(&cfg, 0, sizeof(cfg)); + cfg.src_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES; + cfg.dst_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES; + +-- +2.30.2 + diff --git a/queue-4.19/net-cipso-fix-warnings-in-netlbl_cipsov4_add_std.patch b/queue-4.19/net-cipso-fix-warnings-in-netlbl_cipsov4_add_std.patch new file mode 100644 index 00000000000..1ba7282a333 --- /dev/null +++ b/queue-4.19/net-cipso-fix-warnings-in-netlbl_cipsov4_add_std.patch @@ -0,0 +1,70 @@ +From 5621fe2633cfd239702fc5e091717828f575fe7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Jul 2021 19:35:30 +0300 +Subject: net: cipso: fix warnings in netlbl_cipsov4_add_std + +From: Pavel Skripkin + +[ Upstream commit 8ca34a13f7f9b3fa2c464160ffe8cc1a72088204 ] + +Syzbot reported warning in netlbl_cipsov4_add(). The +problem was in too big doi_def->map.std->lvl.local_size +passed to kcalloc(). Since this value comes from userpace there is +no need to warn if value is not correct. + +The same problem may occur with other kcalloc() calls in +this function, so, I've added __GFP_NOWARN flag to all +kcalloc() calls there. + +Reported-and-tested-by: syzbot+cdd51ee2e6b0b2e18c0d@syzkaller.appspotmail.com +Fixes: 96cb8e3313c7 ("[NetLabel]: CIPSOv4 and Unlabeled packet integration") +Acked-by: Paul Moore +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/netlabel/netlabel_cipso_v4.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c +index 3e3494c8d42f..0559d442ad80 100644 +--- a/net/netlabel/netlabel_cipso_v4.c ++++ b/net/netlabel/netlabel_cipso_v4.c +@@ -198,14 +198,14 @@ static int netlbl_cipsov4_add_std(struct genl_info *info, + } + doi_def->map.std->lvl.local = kcalloc(doi_def->map.std->lvl.local_size, + sizeof(u32), +- GFP_KERNEL); ++ GFP_KERNEL | __GFP_NOWARN); + if (doi_def->map.std->lvl.local == NULL) { + ret_val = -ENOMEM; + goto add_std_failure; + } + doi_def->map.std->lvl.cipso = kcalloc(doi_def->map.std->lvl.cipso_size, + sizeof(u32), +- GFP_KERNEL); ++ GFP_KERNEL | __GFP_NOWARN); + if (doi_def->map.std->lvl.cipso == NULL) { + ret_val = -ENOMEM; + goto add_std_failure; +@@ -273,7 +273,7 @@ static int netlbl_cipsov4_add_std(struct genl_info *info, + doi_def->map.std->cat.local = kcalloc( + doi_def->map.std->cat.local_size, + sizeof(u32), +- GFP_KERNEL); ++ GFP_KERNEL | __GFP_NOWARN); + if (doi_def->map.std->cat.local == NULL) { + ret_val = -ENOMEM; + goto add_std_failure; +@@ -281,7 +281,7 @@ static int netlbl_cipsov4_add_std(struct genl_info *info, + doi_def->map.std->cat.cipso = kcalloc( + doi_def->map.std->cat.cipso_size, + sizeof(u32), +- GFP_KERNEL); ++ GFP_KERNEL | __GFP_NOWARN); + if (doi_def->map.std->cat.cipso == NULL) { + ret_val = -ENOMEM; + goto add_std_failure; +-- +2.30.2 + diff --git a/queue-4.19/net-qualcomm-fix-qca7000-checksum-handling.patch b/queue-4.19/net-qualcomm-fix-qca7000-checksum-handling.patch new file mode 100644 index 00000000000..0d9c2c91a37 --- /dev/null +++ b/queue-4.19/net-qualcomm-fix-qca7000-checksum-handling.patch @@ -0,0 +1,52 @@ +From 72e53b8f6b98abffa4a8cb36c096d89b67e6fa81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Aug 2021 16:23:15 +0200 +Subject: net: qualcomm: fix QCA7000 checksum handling + +From: Stefan Wahren + +[ Upstream commit 429205da6c834447a57279af128bdd56ccd5225e ] + +Based on tests the QCA7000 doesn't support checksum offloading. So assume +ip_summed is CHECKSUM_NONE and let the kernel take care of the checksum +handling. This fixes data transfer issues in noisy environments. + +Reported-by: Michael Heimpold +Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000") +Signed-off-by: Stefan Wahren +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qualcomm/qca_spi.c | 2 +- + drivers/net/ethernet/qualcomm/qca_uart.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/qualcomm/qca_spi.c b/drivers/net/ethernet/qualcomm/qca_spi.c +index 9d188931bc09..afd49c7fd87f 100644 +--- a/drivers/net/ethernet/qualcomm/qca_spi.c ++++ b/drivers/net/ethernet/qualcomm/qca_spi.c +@@ -413,7 +413,7 @@ qcaspi_receive(struct qcaspi *qca) + skb_put(qca->rx_skb, retcode); + qca->rx_skb->protocol = eth_type_trans( + qca->rx_skb, qca->rx_skb->dev); +- qca->rx_skb->ip_summed = CHECKSUM_UNNECESSARY; ++ skb_checksum_none_assert(qca->rx_skb); + netif_rx_ni(qca->rx_skb); + qca->rx_skb = netdev_alloc_skb_ip_align(net_dev, + net_dev->mtu + VLAN_ETH_HLEN); +diff --git a/drivers/net/ethernet/qualcomm/qca_uart.c b/drivers/net/ethernet/qualcomm/qca_uart.c +index db6068cd7a1f..466e9d07697a 100644 +--- a/drivers/net/ethernet/qualcomm/qca_uart.c ++++ b/drivers/net/ethernet/qualcomm/qca_uart.c +@@ -107,7 +107,7 @@ qca_tty_receive(struct serdev_device *serdev, const unsigned char *data, + skb_put(qca->rx_skb, retcode); + qca->rx_skb->protocol = eth_type_trans( + qca->rx_skb, qca->rx_skb->dev); +- qca->rx_skb->ip_summed = CHECKSUM_UNNECESSARY; ++ skb_checksum_none_assert(qca->rx_skb); + netif_rx_ni(qca->rx_skb); + qca->rx_skb = netdev_alloc_skb_ip_align(netdev, + netdev->mtu + +-- +2.30.2 + diff --git a/queue-4.19/net-sched-fix-qdisc_rate_table-refcount-leak-when-ge.patch b/queue-4.19/net-sched-fix-qdisc_rate_table-refcount-leak-when-ge.patch new file mode 100644 index 00000000000..daf7b5c8979 --- /dev/null +++ b/queue-4.19/net-sched-fix-qdisc_rate_table-refcount-leak-when-ge.patch @@ -0,0 +1,43 @@ +From 62b6dd9268fa69184d1584ac8e74b7177d96882f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Aug 2021 23:58:01 +0800 +Subject: net: sched: Fix qdisc_rate_table refcount leak when get tcf_block + failed + +From: Xiyu Yang + +[ Upstream commit c66070125837900163b81a03063ddd657a7e9bfb ] + +The reference counting issue happens in one exception handling path of +cbq_change_class(). When failing to get tcf_block, the function forgets +to decrease the refcount of "rtab" increased by qdisc_put_rtab(), +causing a refcount leak. + +Fix this issue by jumping to "failure" label when get tcf_block failed. + +Fixes: 6529eaba33f0 ("net: sched: introduce tcf block infractructure") +Signed-off-by: Xiyu Yang +Reviewed-by: Cong Wang +Link: https://lore.kernel.org/r/1630252681-71588-1-git-send-email-xiyuyang19@fudan.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_cbq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sched/sch_cbq.c b/net/sched/sch_cbq.c +index ebc3c8c7e666..bc62e1b24653 100644 +--- a/net/sched/sch_cbq.c ++++ b/net/sched/sch_cbq.c +@@ -1616,7 +1616,7 @@ cbq_change_class(struct Qdisc *sch, u32 classid, u32 parentid, struct nlattr **t + err = tcf_block_get(&cl->block, &cl->filter_list, sch, extack); + if (err) { + kfree(cl); +- return err; ++ goto failure; + } + + if (tca[TCA_RATE]) { +-- +2.30.2 + diff --git a/queue-4.19/nvme-rdma-don-t-update-queue-count-when-failing-to-s.patch b/queue-4.19/nvme-rdma-don-t-update-queue-count-when-failing-to-s.patch new file mode 100644 index 00000000000..5e38b088da1 --- /dev/null +++ b/queue-4.19/nvme-rdma-don-t-update-queue-count-when-failing-to-s.patch @@ -0,0 +1,47 @@ +From 37ca2c3b9d01bed2d64c4a32b4b8b2adc4b54c12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jul 2021 17:41:20 +0800 +Subject: nvme-rdma: don't update queue count when failing to set io queues + +From: Ruozhu Li + +[ Upstream commit 85032874f80ba17bf187de1d14d9603bf3f582b8 ] + +We update ctrl->queue_count and schedule another reconnect when io queue +count is zero.But we will never try to create any io queue in next reco- +nnection, because ctrl->queue_count already set to zero.We will end up +having an admin-only session in Live state, which is exactly what we try +to avoid in the original patch. +Update ctrl->queue_count after queue_count zero checking to fix it. + +Signed-off-by: Ruozhu Li +Reviewed-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/rdma.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c +index 8798274dc3ba..ffd6a7204509 100644 +--- a/drivers/nvme/host/rdma.c ++++ b/drivers/nvme/host/rdma.c +@@ -643,13 +643,13 @@ static int nvme_rdma_alloc_io_queues(struct nvme_rdma_ctrl *ctrl) + if (ret) + return ret; + +- ctrl->ctrl.queue_count = nr_io_queues + 1; +- if (ctrl->ctrl.queue_count < 2) { ++ if (nr_io_queues == 0) { + dev_err(ctrl->ctrl.device, + "unable to set any I/O queues\n"); + return -ENOMEM; + } + ++ ctrl->ctrl.queue_count = nr_io_queues + 1; + dev_info(ctrl->ctrl.device, + "creating %d I/O queues.\n", nr_io_queues); + +-- +2.30.2 + diff --git a/queue-4.19/pci-pm-avoid-forcing-pci_d0-for-wakeup-reasons-incon.patch b/queue-4.19/pci-pm-avoid-forcing-pci_d0-for-wakeup-reasons-incon.patch new file mode 100644 index 00000000000..65c2ab043d3 --- /dev/null +++ b/queue-4.19/pci-pm-avoid-forcing-pci_d0-for-wakeup-reasons-incon.patch @@ -0,0 +1,66 @@ +From 4873b2cb3003beacc0e6362093932d7f44e107bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jul 2021 17:54:28 +0200 +Subject: PCI: PM: Avoid forcing PCI_D0 for wakeup reasons inconsistently + +From: Rafael J. Wysocki + +[ Upstream commit da9f2150684ea684a7ddd6d7f0e38b2bdf43dcd8 ] + +It is inconsistent to return PCI_D0 from pci_target_state() instead +of the original target state if 'wakeup' is true and the device +cannot signal PME from D0. + +This only happens when the device cannot signal PME from the original +target state and any shallower power states (including D0) and that +case is effectively equivalent to the one in which PME singaling is +not supported at all. Since the original target state is returned in +the latter case, make the function do that in the former one too. + +Link: https://lore.kernel.org/linux-pm/3149540.aeNJFYEL58@kreacher/ +Fixes: 666ff6f83e1d ("PCI/PM: Avoid using device_may_wakeup() for runtime PM") +Reported-by: Mika Westerberg +Reported-by: Utkarsh H Patel +Reported-by: Koba Ko +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Mika Westerberg +Tested-by: Mika Westerberg +Signed-off-by: Sasha Levin +--- + drivers/pci/pci.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c +index 9ebf32de8575..a9fc40458d62 100644 +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -2274,16 +2274,20 @@ static pci_power_t pci_target_state(struct pci_dev *dev, bool wakeup) + if (dev->current_state == PCI_D3cold) + target_state = PCI_D3cold; + +- if (wakeup) { ++ if (wakeup && dev->pme_support) { ++ pci_power_t state = target_state; ++ + /* + * Find the deepest state from which the device can generate + * PME#. + */ +- if (dev->pme_support) { +- while (target_state +- && !(dev->pme_support & (1 << target_state))) +- target_state--; +- } ++ while (state && !(dev->pme_support & (1 << state))) ++ state--; ++ ++ if (state) ++ return state; ++ else if (dev->pme_support & 1) ++ return PCI_D0; + } + + return target_state; +-- +2.30.2 + diff --git a/queue-4.19/pci-pm-enable-pme-if-it-can-be-signaled-from-d3cold.patch b/queue-4.19/pci-pm-enable-pme-if-it-can-be-signaled-from-d3cold.patch new file mode 100644 index 00000000000..7954f386ab9 --- /dev/null +++ b/queue-4.19/pci-pm-enable-pme-if-it-can-be-signaled-from-d3cold.patch @@ -0,0 +1,56 @@ +From e0b3cd505afa92981c07fc1935b47507fa3f884c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jul 2021 16:49:10 +0200 +Subject: PCI: PM: Enable PME if it can be signaled from D3cold + +From: Rafael J. Wysocki + +[ Upstream commit 0e00392a895c95c6d12d42158236c8862a2f43f2 ] + +PME signaling is only enabled by __pci_enable_wake() if the target +device can signal PME from the given target power state (to avoid +pointless reconfiguration of the device), but if the hierarchy above +the device goes into D3cold, the device itself will end up in D3cold +too, so if it can signal PME from D3cold, it should be enabled to +do so in __pci_enable_wake(). + +[Note that if the device does not end up in D3cold and it cannot + signal PME from the original target power state, it will not signal + PME, so in that case the behavior does not change.] + +Link: https://lore.kernel.org/linux-pm/3149540.aeNJFYEL58@kreacher/ +Fixes: 5bcc2fb4e815 ("PCI PM: Simplify PCI wake-up code") +Reported-by: Mika Westerberg +Reported-by: Utkarsh H Patel +Reported-by: Koba Ko +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Mika Westerberg +Tested-by: Mika Westerberg +Signed-off-by: Sasha Levin +--- + drivers/pci/pci.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c +index a9fc40458d62..1a78bf39ee9a 100644 +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -2170,7 +2170,14 @@ static int __pci_enable_wake(struct pci_dev *dev, pci_power_t state, bool enable + if (enable) { + int error; + +- if (pci_pme_capable(dev, state)) ++ /* ++ * Enable PME signaling if the device can signal PME from ++ * D3cold regardless of whether or not it can signal PME from ++ * the current target state, because that will allow it to ++ * signal PME when the hierarchy above it goes into D3cold and ++ * the device itself ends up in D3cold as a result of that. ++ */ ++ if (pci_pme_capable(dev, state) || pci_pme_capable(dev, PCI_D3cold)) + pci_pme_active(dev, true); + else + ret = 1; +-- +2.30.2 + diff --git a/queue-4.19/posix-cpu-timers-force-next-expiration-recalc-after-.patch b/queue-4.19/posix-cpu-timers-force-next-expiration-recalc-after-.patch new file mode 100644 index 00000000000..588a813c04d --- /dev/null +++ b/queue-4.19/posix-cpu-timers-force-next-expiration-recalc-after-.patch @@ -0,0 +1,54 @@ +From c505dc5f056d0fc763109b52c41cb96ef52b089b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jul 2021 14:55:10 +0200 +Subject: posix-cpu-timers: Force next expiration recalc after itimer reset + +From: Frederic Weisbecker + +[ Upstream commit 406dd42bd1ba0c01babf9cde169bb319e52f6147 ] + +When an itimer deactivates a previously armed expiration, it simply doesn't +do anything. As a result the process wide cputime counter keeps running and +the tick dependency stays set until it reaches the old ghost expiration +value. + +This can be reproduced with the following snippet: + + void trigger_process_counter(void) + { + struct itimerval n = {}; + + n.it_value.tv_sec = 100; + setitimer(ITIMER_VIRTUAL, &n, NULL); + n.it_value.tv_sec = 0; + setitimer(ITIMER_VIRTUAL, &n, NULL); + } + +Fix this with resetting the relevant base expiration. This is similar to +disarming a timer. + +Signed-off-by: Frederic Weisbecker +Signed-off-by: Thomas Gleixner +Acked-by: Peter Zijlstra (Intel) +Link: https://lore.kernel.org/r/20210726125513.271824-4-frederic@kernel.org +Signed-off-by: Sasha Levin +--- + kernel/time/posix-cpu-timers.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/kernel/time/posix-cpu-timers.c b/kernel/time/posix-cpu-timers.c +index bfaa44a80c03..d9feac7aad52 100644 +--- a/kernel/time/posix-cpu-timers.c ++++ b/kernel/time/posix-cpu-timers.c +@@ -1230,8 +1230,6 @@ void set_process_cpu_timer(struct task_struct *tsk, unsigned int clock_idx, + } + } + +- if (!*newval) +- return; + *newval += now; + } + +-- +2.30.2 + diff --git a/queue-4.19/power-supply-axp288_fuel_gauge-report-register-addre.patch b/queue-4.19/power-supply-axp288_fuel_gauge-report-register-addre.patch new file mode 100644 index 00000000000..2828960dc13 --- /dev/null +++ b/queue-4.19/power-supply-axp288_fuel_gauge-report-register-addre.patch @@ -0,0 +1,50 @@ +From 8c2121fdf4cc71ff0b15988c4bff558a95ac2d3d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 1 Aug 2021 15:30:59 +0200 +Subject: power: supply: axp288_fuel_gauge: Report register-address on readb / + writeb errors + +From: Hans de Goede + +[ Upstream commit caa534c3ba40c6e8352b42cbbbca9ba481814ac8 ] + +When fuel_gauge_reg_readb()/_writeb() fails, report which register we +were trying to read / write when the error happened. + +Also reword the message a bit: +- Drop the axp288 prefix, dev_err() already prints this +- Switch from telegram / abbreviated style to a normal sentence, aligning + the message with those from fuel_gauge_read_*bit_word() + +Signed-off-by: Hans de Goede +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/axp288_fuel_gauge.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/power/supply/axp288_fuel_gauge.c b/drivers/power/supply/axp288_fuel_gauge.c +index 157cf5ec6b02..1641868c345c 100644 +--- a/drivers/power/supply/axp288_fuel_gauge.c ++++ b/drivers/power/supply/axp288_fuel_gauge.c +@@ -158,7 +158,7 @@ static int fuel_gauge_reg_readb(struct axp288_fg_info *info, int reg) + } + + if (ret < 0) { +- dev_err(&info->pdev->dev, "axp288 reg read err:%d\n", ret); ++ dev_err(&info->pdev->dev, "Error reading reg 0x%02x err: %d\n", reg, ret); + return ret; + } + +@@ -172,7 +172,7 @@ static int fuel_gauge_reg_writeb(struct axp288_fg_info *info, int reg, u8 val) + ret = regmap_write(info->regmap, reg, (unsigned int)val); + + if (ret < 0) +- dev_err(&info->pdev->dev, "axp288 reg write err:%d\n", ret); ++ dev_err(&info->pdev->dev, "Error writing reg 0x%02x err: %d\n", reg, ret); + + return ret; + } +-- +2.30.2 + diff --git a/queue-4.19/power-supply-max17042_battery-fix-typo-in-max17042_t.patch b/queue-4.19/power-supply-max17042_battery-fix-typo-in-max17042_t.patch new file mode 100644 index 00000000000..99a3bbff5d0 --- /dev/null +++ b/queue-4.19/power-supply-max17042_battery-fix-typo-in-max17042_t.patch @@ -0,0 +1,46 @@ +From b8d12b46c132f5fbb3287d70ac837ea512f60f71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Aug 2021 18:50:14 +0200 +Subject: power: supply: max17042_battery: fix typo in MAx17042_TOFF + +From: Sebastian Krzyszkowiak + +[ Upstream commit ed0d0a0506025f06061325cedae1bbebd081620a ] + +Signed-off-by: Sebastian Krzyszkowiak +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/max17042_battery.c | 2 +- + include/linux/power/max17042_battery.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/power/supply/max17042_battery.c b/drivers/power/supply/max17042_battery.c +index 00a3a581e079..8618dbb72392 100644 +--- a/drivers/power/supply/max17042_battery.c ++++ b/drivers/power/supply/max17042_battery.c +@@ -740,7 +740,7 @@ static inline void max17042_override_por_values(struct max17042_chip *chip) + struct max17042_config_data *config = chip->pdata->config_data; + + max17042_override_por(map, MAX17042_TGAIN, config->tgain); +- max17042_override_por(map, MAx17042_TOFF, config->toff); ++ max17042_override_por(map, MAX17042_TOFF, config->toff); + max17042_override_por(map, MAX17042_CGAIN, config->cgain); + max17042_override_por(map, MAX17042_COFF, config->coff); + +diff --git a/include/linux/power/max17042_battery.h b/include/linux/power/max17042_battery.h +index a7ed29baf44a..86e5ad8aeee4 100644 +--- a/include/linux/power/max17042_battery.h ++++ b/include/linux/power/max17042_battery.h +@@ -82,7 +82,7 @@ enum max17042_register { + MAX17042_RelaxCFG = 0x2A, + MAX17042_MiscCFG = 0x2B, + MAX17042_TGAIN = 0x2C, +- MAx17042_TOFF = 0x2D, ++ MAX17042_TOFF = 0x2D, + MAX17042_CGAIN = 0x2E, + MAX17042_COFF = 0x2F, + +-- +2.30.2 + diff --git a/queue-4.19/regmap-fix-the-offset-of-register-error-log.patch b/queue-4.19/regmap-fix-the-offset-of-register-error-log.patch new file mode 100644 index 00000000000..19eb9ce9b59 --- /dev/null +++ b/queue-4.19/regmap-fix-the-offset-of-register-error-log.patch @@ -0,0 +1,36 @@ +From acc504a14591c93b4703393b6231d2984b87e4f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jul 2021 23:26:30 +0900 +Subject: regmap: fix the offset of register error log + +From: Jeongtae Park + +[ Upstream commit 1852f5ed358147095297a09cc3c6f160208a676d ] + +This patch fixes the offset of register error log +by using regmap_get_offset(). + +Signed-off-by: Jeongtae Park +Link: https://lore.kernel.org/r/20210701142630.44936-1-jeongtae.park@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/base/regmap/regmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c +index e8b3353c18eb..330ab9c85d1b 100644 +--- a/drivers/base/regmap/regmap.c ++++ b/drivers/base/regmap/regmap.c +@@ -1479,7 +1479,7 @@ static int _regmap_raw_write_impl(struct regmap *map, unsigned int reg, + if (ret) { + dev_err(map->dev, + "Error in caching of register: %x ret: %d\n", +- reg + i, ret); ++ reg + regmap_get_offset(map, i), ret); + return ret; + } + } +-- +2.30.2 + diff --git a/queue-4.19/s390-cio-add-dev_busid-sysfs-entry-for-each-subchann.patch b/queue-4.19/s390-cio-add-dev_busid-sysfs-entry-for-each-subchann.patch new file mode 100644 index 00000000000..7a032f42b0b --- /dev/null +++ b/queue-4.19/s390-cio-add-dev_busid-sysfs-entry-for-each-subchann.patch @@ -0,0 +1,65 @@ +From ecffe199873968491eb39d2e200fc52692eaf188 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 Apr 2021 10:52:38 +0200 +Subject: s390/cio: add dev_busid sysfs entry for each subchannel + +From: Vineeth Vijayan + +[ Upstream commit d3683c055212bf910d4e318f7944910ce10dbee6 ] + +Introduce dev_busid, which exports the device-id associated with the +io-subchannel (and message-subchannel). The dev_busid indicates that of +the device which may be physically installed on the corrosponding +subchannel. The dev_busid value "none" indicates that the subchannel +is not valid, there is no I/O device currently associated with the +subchannel. + +The dev_busid information would be helpful to write device-specific +udev-rules associated with the subchannel. The dev_busid interface would +be available even when the sch is not bound to any driver or if there is +no operational device connected on it. Hence this attribute can be used to +write udev-rules which are specific to the device associated with the +subchannel. + +Signed-off-by: Vineeth Vijayan +Reviewed-by: Peter Oberparleiter +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + drivers/s390/cio/css.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/drivers/s390/cio/css.c b/drivers/s390/cio/css.c +index 825a8f2703b4..6efe50d70c4b 100644 +--- a/drivers/s390/cio/css.c ++++ b/drivers/s390/cio/css.c +@@ -364,9 +364,26 @@ static ssize_t pimpampom_show(struct device *dev, + } + static DEVICE_ATTR_RO(pimpampom); + ++static ssize_t dev_busid_show(struct device *dev, ++ struct device_attribute *attr, ++ char *buf) ++{ ++ struct subchannel *sch = to_subchannel(dev); ++ struct pmcw *pmcw = &sch->schib.pmcw; ++ ++ if ((pmcw->st == SUBCHANNEL_TYPE_IO || ++ pmcw->st == SUBCHANNEL_TYPE_MSG) && pmcw->dnv) ++ return sysfs_emit(buf, "0.%x.%04x\n", sch->schid.ssid, ++ pmcw->dev); ++ else ++ return sysfs_emit(buf, "none\n"); ++} ++static DEVICE_ATTR_RO(dev_busid); ++ + static struct attribute *io_subchannel_type_attrs[] = { + &dev_attr_chpids.attr, + &dev_attr_pimpampom.attr, ++ &dev_attr_dev_busid.attr, + NULL, + }; + ATTRIBUTE_GROUPS(io_subchannel_type); +-- +2.30.2 + diff --git a/queue-4.19/sched-deadline-fix-missing-clock-update-in-migrate_t.patch b/queue-4.19/sched-deadline-fix-missing-clock-update-in-migrate_t.patch new file mode 100644 index 00000000000..ac4dc1d25f1 --- /dev/null +++ b/queue-4.19/sched-deadline-fix-missing-clock-update-in-migrate_t.patch @@ -0,0 +1,81 @@ +From 5ed14b7569b7046a07b1196cdb57abc52ba5eb45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Aug 2021 15:59:25 +0200 +Subject: sched/deadline: Fix missing clock update in migrate_task_rq_dl() + +From: Dietmar Eggemann + +[ Upstream commit b4da13aa28d4fd0071247b7b41c579ee8a86c81a ] + +A missing clock update is causing the following warning: + +rq->clock_update_flags < RQCF_ACT_SKIP +WARNING: CPU: 112 PID: 2041 at kernel/sched/sched.h:1453 +sub_running_bw.isra.0+0x190/0x1a0 +... +CPU: 112 PID: 2041 Comm: sugov:112 Tainted: G W 5.14.0-rc1 #1 +Hardware name: WIWYNN Mt.Jade Server System +B81.030Z1.0007/Mt.Jade Motherboard, BIOS 1.6.20210526 (SCP: +1.06.20210526) 2021/05/26 +... +Call trace: + sub_running_bw.isra.0+0x190/0x1a0 + migrate_task_rq_dl+0xf8/0x1e0 + set_task_cpu+0xa8/0x1f0 + try_to_wake_up+0x150/0x3d4 + wake_up_q+0x64/0xc0 + __up_write+0xd0/0x1c0 + up_write+0x4c/0x2b0 + cppc_set_perf+0x120/0x2d0 + cppc_cpufreq_set_target+0xe0/0x1a4 [cppc_cpufreq] + __cpufreq_driver_target+0x74/0x140 + sugov_work+0x64/0x80 + kthread_worker_fn+0xe0/0x230 + kthread+0x138/0x140 + ret_from_fork+0x10/0x18 + +The task causing this is the `cppc_fie` DL task introduced by +commit 1eb5dde674f5 ("cpufreq: CPPC: Add support for frequency +invariance"). + +With CONFIG_ACPI_CPPC_CPUFREQ_FIE=y and schedutil cpufreq governor on +slow-switching system (like on this Ampere Altra WIWYNN Mt. Jade Arm +Server): + +DL task `curr=sugov:112` lets `p=cppc_fie` migrate and since the latter +is in `non_contending` state, migrate_task_rq_dl() calls + + sub_running_bw()->__sub_running_bw()->cpufreq_update_util()-> + rq_clock()->assert_clock_updated() + +on p. + +Fix this by updating the clock for a non_contending task in +migrate_task_rq_dl() before calling sub_running_bw(). + +Reported-by: Bruno Goncalves +Signed-off-by: Dietmar Eggemann +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Daniel Bristot de Oliveira +Acked-by: Juri Lelli +Link: https://lore.kernel.org/r/20210804135925.3734605-1-dietmar.eggemann@arm.com +Signed-off-by: Sasha Levin +--- + kernel/sched/deadline.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c +index 9b2bb5f3ce09..beec5081a55a 100644 +--- a/kernel/sched/deadline.c ++++ b/kernel/sched/deadline.c +@@ -1654,6 +1654,7 @@ static void migrate_task_rq_dl(struct task_struct *p, int new_cpu __maybe_unused + */ + raw_spin_lock(&rq->lock); + if (p->dl.dl_non_contending) { ++ update_rq_clock(rq); + sub_running_bw(&p->dl, &rq->dl); + p->dl.dl_non_contending = 0; + /* +-- +2.30.2 + diff --git a/queue-4.19/sched-deadline-fix-reset_on_fork-reporting-of-dl-tas.patch b/queue-4.19/sched-deadline-fix-reset_on_fork-reporting-of-dl-tas.patch new file mode 100644 index 00000000000..2c1c37813a9 --- /dev/null +++ b/queue-4.19/sched-deadline-fix-reset_on_fork-reporting-of-dl-tas.patch @@ -0,0 +1,81 @@ +From 29f44377a4fa0e54a4304974ad2170c41a449463 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Jul 2021 11:11:01 +0100 +Subject: sched/deadline: Fix reset_on_fork reporting of DL tasks + +From: Quentin Perret + +[ Upstream commit f95091536f78971b269ec321b057b8d630b0ad8a ] + +It is possible for sched_getattr() to incorrectly report the state of +the reset_on_fork flag when called on a deadline task. + +Indeed, if the flag was set on a deadline task using sched_setattr() +with flags (SCHED_FLAG_RESET_ON_FORK | SCHED_FLAG_KEEP_PARAMS), then +p->sched_reset_on_fork will be set, but __setscheduler() will bail out +early, which means that the dl_se->flags will not get updated by +__setscheduler_params()->__setparam_dl(). Consequently, if +sched_getattr() is then called on the task, __getparam_dl() will +override kattr.sched_flags with the now out-of-date copy in dl_se->flags +and report the stale value to userspace. + +To fix this, make sure to only copy the flags that are relevant to +sched_deadline to and from the dl_se->flags field. + +Signed-off-by: Quentin Perret +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lore.kernel.org/r/20210727101103.2729607-2-qperret@google.com +Signed-off-by: Sasha Levin +--- + kernel/sched/deadline.c | 7 ++++--- + kernel/sched/sched.h | 2 ++ + 2 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c +index aa592dc3cb40..9b2bb5f3ce09 100644 +--- a/kernel/sched/deadline.c ++++ b/kernel/sched/deadline.c +@@ -2615,7 +2615,7 @@ void __setparam_dl(struct task_struct *p, const struct sched_attr *attr) + dl_se->dl_runtime = attr->sched_runtime; + dl_se->dl_deadline = attr->sched_deadline; + dl_se->dl_period = attr->sched_period ?: dl_se->dl_deadline; +- dl_se->flags = attr->sched_flags; ++ dl_se->flags = attr->sched_flags & SCHED_DL_FLAGS; + dl_se->dl_bw = to_ratio(dl_se->dl_period, dl_se->dl_runtime); + dl_se->dl_density = to_ratio(dl_se->dl_deadline, dl_se->dl_runtime); + } +@@ -2628,7 +2628,8 @@ void __getparam_dl(struct task_struct *p, struct sched_attr *attr) + attr->sched_runtime = dl_se->dl_runtime; + attr->sched_deadline = dl_se->dl_deadline; + attr->sched_period = dl_se->dl_period; +- attr->sched_flags = dl_se->flags; ++ attr->sched_flags &= ~SCHED_DL_FLAGS; ++ attr->sched_flags |= dl_se->flags; + } + + /* +@@ -2703,7 +2704,7 @@ bool dl_param_changed(struct task_struct *p, const struct sched_attr *attr) + if (dl_se->dl_runtime != attr->sched_runtime || + dl_se->dl_deadline != attr->sched_deadline || + dl_se->dl_period != attr->sched_period || +- dl_se->flags != attr->sched_flags) ++ dl_se->flags != (attr->sched_flags & SCHED_DL_FLAGS)) + return true; + + return false; +diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h +index 7b7ba91e319b..55e695080fc6 100644 +--- a/kernel/sched/sched.h ++++ b/kernel/sched/sched.h +@@ -209,6 +209,8 @@ static inline int task_has_dl_policy(struct task_struct *p) + */ + #define SCHED_FLAG_SUGOV 0x10000000 + ++#define SCHED_DL_FLAGS (SCHED_FLAG_RECLAIM | SCHED_FLAG_DL_OVERRUN | SCHED_FLAG_SUGOV) ++ + static inline bool dl_entity_is_special(struct sched_dl_entity *dl_se) + { + #ifdef CONFIG_CPU_FREQ_GOV_SCHEDUTIL +-- +2.30.2 + diff --git a/queue-4.19/series b/queue-4.19/series index 3a230c0f09e..4ddc73c2ca6 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -29,3 +29,78 @@ usb-mtu3-use-mult-for-hs-isoc-or-intr.patch usb-mtu3-fix-the-wrong-hs-mult-value.patch x86-reboot-limit-dell-optiplex-990-quirk-to-early-bios-versions.patch pci-call-max-payload-size-related-fixup-quirks-early.patch +locking-mutex-fix-handoff-condition.patch +regmap-fix-the-offset-of-register-error-log.patch +crypto-mxs-dcp-check-for-dma-mapping-errors.patch +sched-deadline-fix-reset_on_fork-reporting-of-dl-tas.patch +power-supply-axp288_fuel_gauge-report-register-addre.patch +crypto-omap-sham-clear-dma-flags-only-after-omap_sha.patch +sched-deadline-fix-missing-clock-update-in-migrate_t.patch +posix-cpu-timers-force-next-expiration-recalc-after-.patch +hrtimer-avoid-double-reprogramming-in-__hrtimer_star.patch +udf-check-lvid-earlier.patch +isofs-joliet-fix-iocharset-utf8-mount-option.patch +bcache-add-proper-error-unwinding-in-bcache_device_i.patch +nvme-rdma-don-t-update-queue-count-when-failing-to-s.patch +power-supply-max17042_battery-fix-typo-in-max17042_t.patch +s390-cio-add-dev_busid-sysfs-entry-for-each-subchann.patch +libata-fix-ata_host_start.patch +crypto-qat-do-not-ignore-errors-from-enable_vf2pf_co.patch +crypto-qat-handle-both-source-of-interrupt-in-vf-isr.patch +crypto-qat-fix-reuse-of-completion-variable.patch +crypto-qat-fix-naming-for-init-shutdown-vf-to-pf-not.patch +crypto-qat-do-not-export-adf_iov_putmsg.patch +fcntl-fix-potential-deadlock-for-fasync_struct.fa_lo.patch +udf_get_extendedattr-had-no-boundary-checks.patch +m68k-emu-fix-invalid-free-in-nfeth_cleanup.patch +spi-spi-fsl-dspi-fix-issue-with-uninitialized-dma_sl.patch +spi-spi-pic32-fix-issue-with-uninitialized-dma_slave.patch +lib-mpi-use-kcalloc-in-mpi_resize.patch +clocksource-drivers-sh_cmt-fix-wrong-setting-if-don-.patch +block-nbd-add-sanity-check-for-first_minor.patch +crypto-qat-use-proper-type-for-vf_mask.patch +certs-trigger-creation-of-rsa-module-signing-key-if-.patch +spi-sprd-fix-the-wrong-wdg_load_val.patch +media-tda1997x-enable-edid-support.patch +soc-rockchip-rockchip_grf-should-not-default-to-y-un.patch +media-dvb-usb-fix-uninit-value-in-dvb_usb_adapter_dv.patch +media-dvb-usb-fix-uninit-value-in-vp702x_read_mac_ad.patch +media-go7007-remove-redundant-initialization.patch +bluetooth-sco-prevent-information-leak-in-sco_conn_d.patch +tcp-seq_file-avoid-skipping-sk-during-tcp_seek_last_.patch +net-cipso-fix-warnings-in-netlbl_cipsov4_add_std.patch +i2c-highlander-add-irq-check.patch +media-em28xx-input-fix-refcount-bug-in-em28xx_usb_di.patch +media-venus-venc-fix-potential-null-pointer-derefere.patch +pci-pm-avoid-forcing-pci_d0-for-wakeup-reasons-incon.patch +pci-pm-enable-pme-if-it-can-be-signaled-from-d3cold.patch +soc-qcom-smsm-fix-missed-interrupts-if-state-changes.patch +bluetooth-increase-btnamsiz-to-21-chars-to-fix-poten.patch +drm-msm-dpu-make-dpu_hw_ctl_clear_all_blendstages-cl.patch +arm64-dts-exynos-correct-gic-cpu-interfaces-address-.patch +bluetooth-fix-repeated-calls-to-sco_sock_kill.patch +drm-msm-dsi-fix-some-reference-counted-resource-leak.patch +usb-gadget-udc-at91-add-irq-check.patch +usb-phy-fsl-usb-add-irq-check.patch +usb-phy-twl6030-add-irq-checks.patch +bluetooth-move-shutdown-callback-before-flushing-tx-.patch +usb-host-ohci-tmio-add-irq-check.patch +usb-phy-tahvo-add-irq-check.patch +mac80211-fix-insufficient-headroom-issue-for-amsdu.patch +usb-gadget-mv_u3d-request_irq-after-initializing-udc.patch +bluetooth-add-timeout-sanity-check-to-hci_inquiry.patch +i2c-iop3xx-fix-deferred-probing.patch +i2c-s3c2410-fix-irq-check.patch +mmc-dw_mmc-fix-issue-with-uninitialized-dma_slave_co.patch +mmc-moxart-fix-issue-with-uninitialized-dma_slave_co.patch +cifs-fix-a-potencially-linear-read-overflow.patch +i2c-mt65xx-fix-irq-check.patch +usb-ehci-orion-handle-errors-of-clk_prepare_enable-i.patch +usb-bdc-fix-an-error-handling-path-in-bdc_probe-when.patch +tty-serial-fsl_lpuart-fix-the-wrong-mapbase-value.patch +ath6kl-wmi-fix-an-error-code-in-ath6kl_wmi_sync_poin.patch +bcma-fix-memory-leak-for-internally-handled-cores.patch +ipv4-make-exception-cache-less-predictible.patch +net-sched-fix-qdisc_rate_table-refcount-leak-when-ge.patch +net-qualcomm-fix-qca7000-checksum-handling.patch +ipv4-fix-endianness-issue-in-inet_rtm_getroute_build.patch diff --git a/queue-4.19/soc-qcom-smsm-fix-missed-interrupts-if-state-changes.patch b/queue-4.19/soc-qcom-smsm-fix-missed-interrupts-if-state-changes.patch new file mode 100644 index 00000000000..d957e311eaf --- /dev/null +++ b/queue-4.19/soc-qcom-smsm-fix-missed-interrupts-if-state-changes.patch @@ -0,0 +1,78 @@ +From a28f0a8cc5ccd9d7675c9747b2baa163b5445cb6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jul 2021 15:57:03 +0200 +Subject: soc: qcom: smsm: Fix missed interrupts if state changes while masked + +From: Stephan Gerhold + +[ Upstream commit e3d4571955050736bbf3eda0a9538a09d9fcfce8 ] + +The SMSM driver detects interrupt edges by tracking the last state +it has seen (and has triggered the interrupt handler for). This works +fine, but only if the interrupt does not change state while masked. + +For example, if an interrupt is unmasked while the state is HIGH, +the stored last_value for that interrupt might still be LOW. Then, +when the remote processor triggers smsm_intr() we assume that nothing +has changed, even though the state might have changed from HIGH to LOW. + +Attempt to fix this by checking the current remote state before +unmasking an IRQ. Use atomic operations to avoid the interrupt handler +from interfering with the unmask function. + +This fixes modem crashes in some edge cases with the BAM-DMUX driver. +Specifically, the BAM-DMUX interrupt handler is not called for the +HIGH -> LOW smsm state transition if the BAM-DMUX driver is loaded +(and therefore unmasks the interrupt) after the modem was already started: + +qcom-q6v5-mss 4080000.remoteproc: fatal error received: a2_task.c:3188: + Assert FALSE failed: A2 DL PER deadlock timer expired waiting for Apps ACK + +Fixes: c97c4090ff72 ("soc: qcom: smsm: Add driver for Qualcomm SMSM") +Signed-off-by: Stephan Gerhold +Link: https://lore.kernel.org/r/20210712135703.324748-2-stephan@gerhold.net +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/soc/qcom/smsm.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/soc/qcom/smsm.c b/drivers/soc/qcom/smsm.c +index 50214b620865..2b49d2c212da 100644 +--- a/drivers/soc/qcom/smsm.c ++++ b/drivers/soc/qcom/smsm.c +@@ -117,7 +117,7 @@ struct smsm_entry { + DECLARE_BITMAP(irq_enabled, 32); + DECLARE_BITMAP(irq_rising, 32); + DECLARE_BITMAP(irq_falling, 32); +- u32 last_value; ++ unsigned long last_value; + + u32 *remote_state; + u32 *subscription; +@@ -212,8 +212,7 @@ static irqreturn_t smsm_intr(int irq, void *data) + u32 val; + + val = readl(entry->remote_state); +- changed = val ^ entry->last_value; +- entry->last_value = val; ++ changed = val ^ xchg(&entry->last_value, val); + + for_each_set_bit(i, entry->irq_enabled, 32) { + if (!(changed & BIT(i))) +@@ -274,6 +273,12 @@ static void smsm_unmask_irq(struct irq_data *irqd) + struct qcom_smsm *smsm = entry->smsm; + u32 val; + ++ /* Make sure our last cached state is up-to-date */ ++ if (readl(entry->remote_state) & BIT(irq)) ++ set_bit(irq, &entry->last_value); ++ else ++ clear_bit(irq, &entry->last_value); ++ + set_bit(irq, entry->irq_enabled); + + if (entry->subscription) { +-- +2.30.2 + diff --git a/queue-4.19/soc-rockchip-rockchip_grf-should-not-default-to-y-un.patch b/queue-4.19/soc-rockchip-rockchip_grf-should-not-default-to-y-un.patch new file mode 100644 index 00000000000..8fd3c8c97ab --- /dev/null +++ b/queue-4.19/soc-rockchip-rockchip_grf-should-not-default-to-y-un.patch @@ -0,0 +1,40 @@ +From ca30d5df316fa20f72e311cc0b8dca8587e62893 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Feb 2021 15:38:55 +0100 +Subject: soc: rockchip: ROCKCHIP_GRF should not default to y, unconditionally + +From: Geert Uytterhoeven + +[ Upstream commit 2a1c55d4762dd34a8b0f2e36fb01b7b16b60735b ] + +Merely enabling CONFIG_COMPILE_TEST should not enable additional code. +To fix this, restrict the automatic enabling of ROCKCHIP_GRF to +ARCH_ROCKCHIP, and ask the user in case of compile-testing. + +Fixes: 4c58063d4258f6be ("soc: rockchip: add driver handling grf setup") +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20210208143855.418374-1-geert+renesas@glider.be +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + drivers/soc/rockchip/Kconfig | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/soc/rockchip/Kconfig b/drivers/soc/rockchip/Kconfig +index 20da55d9cbb1..d483b0e29b81 100644 +--- a/drivers/soc/rockchip/Kconfig ++++ b/drivers/soc/rockchip/Kconfig +@@ -5,8 +5,8 @@ if ARCH_ROCKCHIP || COMPILE_TEST + # + + config ROCKCHIP_GRF +- bool +- default y ++ bool "Rockchip General Register Files support" if COMPILE_TEST ++ default y if ARCH_ROCKCHIP + help + The General Register Files are a central component providing + special additional settings registers for a lot of soc-components. +-- +2.30.2 + diff --git a/queue-4.19/spi-spi-fsl-dspi-fix-issue-with-uninitialized-dma_sl.patch b/queue-4.19/spi-spi-fsl-dspi-fix-issue-with-uninitialized-dma_sl.patch new file mode 100644 index 00000000000..58680ea15a6 --- /dev/null +++ b/queue-4.19/spi-spi-fsl-dspi-fix-issue-with-uninitialized-dma_sl.patch @@ -0,0 +1,48 @@ +From c3ac9e3ccc8ddfbf2563a5dc89ae0d41880eb90e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Aug 2021 11:17:26 +0300 +Subject: spi: spi-fsl-dspi: Fix issue with uninitialized dma_slave_config + +From: Tony Lindgren + +[ Upstream commit 209ab223ad5b18e437289235e3bde12593b94ac4 ] + +Depending on the DMA driver being used, the struct dma_slave_config may +need to be initialized to zero for the unused data. + +For example, we have three DMA drivers using src_port_window_size and +dst_port_window_size. If these are left uninitialized, it can cause DMA +failures. + +For spi-fsl-dspi, this is probably not currently an issue but is still +good to fix though. + +Fixes: 90ba37033cb9 ("spi: spi-fsl-dspi: Add DMA support for Vybrid") +Cc: Sanchayan Maity +Cc: Vladimir Oltean +Cc: Peter Ujfalusi +Cc: Vinod Koul +Signed-off-by: Tony Lindgren +Acked-by: Vladimir Oltean +Link: https://lore.kernel.org/r/20210810081727.19491-1-tony@atomide.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-fsl-dspi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/spi/spi-fsl-dspi.c b/drivers/spi/spi-fsl-dspi.c +index 25486ee8379b..cfbf1ffb61bf 100644 +--- a/drivers/spi/spi-fsl-dspi.c ++++ b/drivers/spi/spi-fsl-dspi.c +@@ -430,6 +430,7 @@ static int dspi_request_dma(struct fsl_dspi *dspi, phys_addr_t phy_addr) + goto err_rx_dma_buf; + } + ++ memset(&cfg, 0, sizeof(cfg)); + cfg.src_addr = phy_addr + SPI_POPR; + cfg.dst_addr = phy_addr + SPI_PUSHR; + cfg.src_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES; +-- +2.30.2 + diff --git a/queue-4.19/spi-spi-pic32-fix-issue-with-uninitialized-dma_slave.patch b/queue-4.19/spi-spi-pic32-fix-issue-with-uninitialized-dma_slave.patch new file mode 100644 index 00000000000..aa453a4af4e --- /dev/null +++ b/queue-4.19/spi-spi-pic32-fix-issue-with-uninitialized-dma_slave.patch @@ -0,0 +1,46 @@ +From 500b0ef4b1910b97e1cfc42196f07fb5d3ef6e03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Aug 2021 11:17:27 +0300 +Subject: spi: spi-pic32: Fix issue with uninitialized dma_slave_config + +From: Tony Lindgren + +[ Upstream commit 976c1de1de147bb7f4e0d87482f375221c05aeaf ] + +Depending on the DMA driver being used, the struct dma_slave_config may +need to be initialized to zero for the unused data. + +For example, we have three DMA drivers using src_port_window_size and +dst_port_window_size. If these are left uninitialized, it can cause DMA +failures. + +For spi-pic32, this is probably not currently an issue but is still good to +fix though. + +Fixes: 1bcb9f8ceb67 ("spi: spi-pic32: Add PIC32 SPI master driver") +Cc: Purna Chandra Mandal +Cc: Peter Ujfalusi +Cc: Vinod Koul +Signed-off-by: Tony Lindgren +Link: https://lore.kernel.org/r/20210810081727.19491-2-tony@atomide.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-pic32.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/spi/spi-pic32.c b/drivers/spi/spi-pic32.c +index 661a40c653e9..d8cdb13ce3e4 100644 +--- a/drivers/spi/spi-pic32.c ++++ b/drivers/spi/spi-pic32.c +@@ -369,6 +369,7 @@ static int pic32_spi_dma_config(struct pic32_spi *pic32s, u32 dma_width) + struct dma_slave_config cfg; + int ret; + ++ memset(&cfg, 0, sizeof(cfg)); + cfg.device_fc = true; + cfg.src_addr = pic32s->dma_base + buf_offset; + cfg.dst_addr = pic32s->dma_base + buf_offset; +-- +2.30.2 + diff --git a/queue-4.19/spi-sprd-fix-the-wrong-wdg_load_val.patch b/queue-4.19/spi-sprd-fix-the-wrong-wdg_load_val.patch new file mode 100644 index 00000000000..fcfbb637375 --- /dev/null +++ b/queue-4.19/spi-sprd-fix-the-wrong-wdg_load_val.patch @@ -0,0 +1,38 @@ +From c0eb99ecfeb3f9b8ab0033cbef94b8bc8d912fe7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Aug 2021 17:15:46 +0800 +Subject: spi: sprd: Fix the wrong WDG_LOAD_VAL + +From: Chunyan Zhang + +[ Upstream commit 245ca2cc212bb2a078332ec99afbfbb202f44c2d ] + +Use 50ms as default timeout value and the time clock is 32768HZ. +The original value of WDG_LOAD_VAL is not correct, so this patch +fixes it. + +Fixes: ac1775012058 ("spi: sprd: Add the support of restarting the system") +Signed-off-by: Chunyan Zhang +Link: https://lore.kernel.org/r/20210826091549.2138125-2-zhang.lyra@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-sprd-adi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-sprd-adi.c b/drivers/spi/spi-sprd-adi.c +index e41976010dc4..97f44458ee7b 100644 +--- a/drivers/spi/spi-sprd-adi.c ++++ b/drivers/spi/spi-sprd-adi.c +@@ -99,7 +99,7 @@ + #define HWRST_STATUS_SPRDISK 0xc0 + + /* Use default timeout 50 ms that converts to watchdog values */ +-#define WDG_LOAD_VAL ((50 * 1000) / 32768) ++#define WDG_LOAD_VAL ((50 * 32768) / 1000) + #define WDG_LOAD_MASK GENMASK(15, 0) + #define WDG_UNLOCK_KEY 0xe551 + +-- +2.30.2 + diff --git a/queue-4.19/tcp-seq_file-avoid-skipping-sk-during-tcp_seek_last_.patch b/queue-4.19/tcp-seq_file-avoid-skipping-sk-during-tcp_seek_last_.patch new file mode 100644 index 00000000000..60839b6977a --- /dev/null +++ b/queue-4.19/tcp-seq_file-avoid-skipping-sk-during-tcp_seek_last_.patch @@ -0,0 +1,75 @@ +From 28b2643d1b47213120f97a421df60a97a421a983 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jul 2021 13:05:41 -0700 +Subject: tcp: seq_file: Avoid skipping sk during tcp_seek_last_pos + +From: Martin KaFai Lau + +[ Upstream commit 525e2f9fd0229eb10cb460a9e6d978257f24804e ] + +st->bucket stores the current bucket number. +st->offset stores the offset within this bucket that is the sk to be +seq_show(). Thus, st->offset only makes sense within the same +st->bucket. + +These two variables are an optimization for the common no-lseek case. +When resuming the seq_file iteration (i.e. seq_start()), +tcp_seek_last_pos() tries to continue from the st->offset +at bucket st->bucket. + +However, it is possible that the bucket pointed by st->bucket +has changed and st->offset may end up skipping the whole st->bucket +without finding a sk. In this case, tcp_seek_last_pos() currently +continues to satisfy the offset condition in the next (and incorrect) +bucket. Instead, regardless of the offset value, the first sk of the +next bucket should be returned. Thus, "bucket == st->bucket" check is +added to tcp_seek_last_pos(). + +The chance of hitting this is small and the issue is a decade old, +so targeting for the next tree. + +Fixes: a8b690f98baf ("tcp: Fix slowness in read /proc/net/tcp") +Signed-off-by: Martin KaFai Lau +Signed-off-by: Andrii Nakryiko +Reviewed-by: Eric Dumazet +Acked-by: Kuniyuki Iwashima +Acked-by: Yonghong Song +Link: https://lore.kernel.org/bpf/20210701200541.1033917-1-kafai@fb.com +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_ipv4.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index 71236aa7388d..de4edfbc9e46 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -2177,6 +2177,7 @@ static void *tcp_get_idx(struct seq_file *seq, loff_t pos) + static void *tcp_seek_last_pos(struct seq_file *seq) + { + struct tcp_iter_state *st = seq->private; ++ int bucket = st->bucket; + int offset = st->offset; + int orig_num = st->num; + void *rc = NULL; +@@ -2187,7 +2188,7 @@ static void *tcp_seek_last_pos(struct seq_file *seq) + break; + st->state = TCP_SEQ_STATE_LISTENING; + rc = listening_get_next(seq, NULL); +- while (offset-- && rc) ++ while (offset-- && rc && bucket == st->bucket) + rc = listening_get_next(seq, rc); + if (rc) + break; +@@ -2198,7 +2199,7 @@ static void *tcp_seek_last_pos(struct seq_file *seq) + if (st->bucket > tcp_hashinfo.ehash_mask) + break; + rc = established_get_first(seq); +- while (offset-- && rc) ++ while (offset-- && rc && bucket == st->bucket) + rc = established_get_next(seq, rc); + } + +-- +2.30.2 + diff --git a/queue-4.19/tty-serial-fsl_lpuart-fix-the-wrong-mapbase-value.patch b/queue-4.19/tty-serial-fsl_lpuart-fix-the-wrong-mapbase-value.patch new file mode 100644 index 00000000000..f47fdf11984 --- /dev/null +++ b/queue-4.19/tty-serial-fsl_lpuart-fix-the-wrong-mapbase-value.patch @@ -0,0 +1,42 @@ +From fc41591a9366ebd1835ea9d56aa7ffba07572413 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Aug 2021 10:10:33 +0800 +Subject: tty: serial: fsl_lpuart: fix the wrong mapbase value + +From: Andy Duan + +[ Upstream commit d5c38948448abc2bb6b36dbf85a554bf4748885e ] + +Register offset needs to be applied on mapbase also. +dma_tx/rx_request use the physical address of UARTDATA. +Register offset is currently only applied to membase (the +corresponding virtual addr) but not on mapbase. + +Fixes: 24b1e5f0e83c ("tty: serial: lpuart: add imx7ulp support") +Reviewed-by: Leonard Crestez +Signed-off-by: Adriana Reus +Signed-off-by: Sherry Sun +Signed-off-by: Andy Duan +Link: https://lore.kernel.org/r/20210819021033.32606-1-sherry.sun@nxp.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/fsl_lpuart.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c +index deb9d4fa9cb0..b757fd1bdbfa 100644 +--- a/drivers/tty/serial/fsl_lpuart.c ++++ b/drivers/tty/serial/fsl_lpuart.c +@@ -2164,7 +2164,7 @@ static int lpuart_probe(struct platform_device *pdev) + return PTR_ERR(sport->port.membase); + + sport->port.membase += sdata->reg_off; +- sport->port.mapbase = res->start; ++ sport->port.mapbase = res->start + sdata->reg_off; + sport->port.dev = &pdev->dev; + sport->port.type = PORT_LPUART; + ret = platform_get_irq(pdev, 0); +-- +2.30.2 + diff --git a/queue-4.19/udf-check-lvid-earlier.patch b/queue-4.19/udf-check-lvid-earlier.patch new file mode 100644 index 00000000000..a2d51496c84 --- /dev/null +++ b/queue-4.19/udf-check-lvid-earlier.patch @@ -0,0 +1,86 @@ +From 0d99aaa8dc4e25f792504d904bfbcb4319ecab1c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 May 2021 11:39:03 +0200 +Subject: udf: Check LVID earlier + +From: Jan Kara + +[ Upstream commit 781d2a9a2fc7d0be53a072794dc03ef6de770f3d ] + +We were checking validity of LVID entries only when getting +implementation use information from LVID in udf_sb_lvidiu(). However if +the LVID is suitably corrupted, it can cause problems also to code such +as udf_count_free() which doesn't use udf_sb_lvidiu(). So check validity +of LVID already when loading it from the disk and just disable LVID +altogether when it is not valid. + +Reported-by: syzbot+7fbfe5fed73ebb675748@syzkaller.appspotmail.com +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/udf/super.c | 25 ++++++++++++++++--------- + 1 file changed, 16 insertions(+), 9 deletions(-) + +diff --git a/fs/udf/super.c b/fs/udf/super.c +index c7f6243f318b..9c71246e6d60 100644 +--- a/fs/udf/super.c ++++ b/fs/udf/super.c +@@ -112,16 +112,10 @@ struct logicalVolIntegrityDescImpUse *udf_sb_lvidiu(struct super_block *sb) + return NULL; + lvid = (struct logicalVolIntegrityDesc *)UDF_SB(sb)->s_lvid_bh->b_data; + partnum = le32_to_cpu(lvid->numOfPartitions); +- if ((sb->s_blocksize - sizeof(struct logicalVolIntegrityDescImpUse) - +- offsetof(struct logicalVolIntegrityDesc, impUse)) / +- (2 * sizeof(uint32_t)) < partnum) { +- udf_err(sb, "Logical volume integrity descriptor corrupted " +- "(numOfPartitions = %u)!\n", partnum); +- return NULL; +- } + /* The offset is to skip freeSpaceTable and sizeTable arrays */ + offset = partnum * 2 * sizeof(uint32_t); +- return (struct logicalVolIntegrityDescImpUse *)&(lvid->impUse[offset]); ++ return (struct logicalVolIntegrityDescImpUse *) ++ (((uint8_t *)(lvid + 1)) + offset); + } + + /* UDF filesystem type */ +@@ -1529,6 +1523,7 @@ static void udf_load_logicalvolint(struct super_block *sb, struct kernel_extent_ + struct udf_sb_info *sbi = UDF_SB(sb); + struct logicalVolIntegrityDesc *lvid; + int indirections = 0; ++ u32 parts, impuselen; + + while (++indirections <= UDF_MAX_LVID_NESTING) { + final_bh = NULL; +@@ -1555,15 +1550,27 @@ static void udf_load_logicalvolint(struct super_block *sb, struct kernel_extent_ + + lvid = (struct logicalVolIntegrityDesc *)final_bh->b_data; + if (lvid->nextIntegrityExt.extLength == 0) +- return; ++ goto check; + + loc = leea_to_cpu(lvid->nextIntegrityExt); + } + + udf_warn(sb, "Too many LVID indirections (max %u), ignoring.\n", + UDF_MAX_LVID_NESTING); ++out_err: + brelse(sbi->s_lvid_bh); + sbi->s_lvid_bh = NULL; ++ return; ++check: ++ parts = le32_to_cpu(lvid->numOfPartitions); ++ impuselen = le32_to_cpu(lvid->lengthOfImpUse); ++ if (parts >= sb->s_blocksize || impuselen >= sb->s_blocksize || ++ sizeof(struct logicalVolIntegrityDesc) + impuselen + ++ 2 * parts * sizeof(u32) > sb->s_blocksize) { ++ udf_warn(sb, "Corrupted LVID (parts=%u, impuselen=%u), " ++ "ignoring.\n", parts, impuselen); ++ goto out_err; ++ } + } + + /* +-- +2.30.2 + diff --git a/queue-4.19/udf_get_extendedattr-had-no-boundary-checks.patch b/queue-4.19/udf_get_extendedattr-had-no-boundary-checks.patch new file mode 100644 index 00000000000..c53aada69c3 --- /dev/null +++ b/queue-4.19/udf_get_extendedattr-had-no-boundary-checks.patch @@ -0,0 +1,52 @@ +From ba0fc3e6e290dbd26e0d6983d22bc3ebf27402ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 22 Aug 2021 11:33:32 +0200 +Subject: udf_get_extendedattr() had no boundary checks. + +From: Stian Skjelstad + +[ Upstream commit 58bc6d1be2f3b0ceecb6027dfa17513ec6aa2abb ] + +When parsing the ExtendedAttr data, malicous or corrupt attribute length +could cause kernel hangs and buffer overruns in some special cases. + +Link: https://lore.kernel.org/r/20210822093332.25234-1-stian.skjelstad@gmail.com +Signed-off-by: Stian Skjelstad +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/udf/misc.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/fs/udf/misc.c b/fs/udf/misc.c +index 401e64cde1be..853bcff51043 100644 +--- a/fs/udf/misc.c ++++ b/fs/udf/misc.c +@@ -173,13 +173,22 @@ struct genericFormat *udf_get_extendedattr(struct inode *inode, uint32_t type, + else + offset = le32_to_cpu(eahd->appAttrLocation); + +- while (offset < iinfo->i_lenEAttr) { ++ while (offset + sizeof(*gaf) < iinfo->i_lenEAttr) { ++ uint32_t attrLength; ++ + gaf = (struct genericFormat *)&ea[offset]; ++ attrLength = le32_to_cpu(gaf->attrLength); ++ ++ /* Detect undersized elements and buffer overflows */ ++ if ((attrLength < sizeof(*gaf)) || ++ (attrLength > (iinfo->i_lenEAttr - offset))) ++ break; ++ + if (le32_to_cpu(gaf->attrType) == type && + gaf->attrSubtype == subtype) + return gaf; + else +- offset += le32_to_cpu(gaf->attrLength); ++ offset += attrLength; + } + } + +-- +2.30.2 + diff --git a/queue-4.19/usb-bdc-fix-an-error-handling-path-in-bdc_probe-when.patch b/queue-4.19/usb-bdc-fix-an-error-handling-path-in-bdc_probe-when.patch new file mode 100644 index 00000000000..75c5830924f --- /dev/null +++ b/queue-4.19/usb-bdc-fix-an-error-handling-path-in-bdc_probe-when.patch @@ -0,0 +1,43 @@ +From 9761ae5a8dba4d97b74b4b9b43ad409827fb894a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Aug 2021 21:32:38 +0200 +Subject: usb: bdc: Fix an error handling path in 'bdc_probe()' when no + suitable DMA config is available + +From: Christophe JAILLET + +[ Upstream commit d2f42e09393c774ab79088d8e3afcc62b3328fc9 ] + +If no suitable DMA configuration is available, a previous 'bdc_phy_init()' +call must be undone by a corresponding 'bdc_phy_exit()' call. + +Branch to the existing error handling path instead of returning +directly. + +Fixes: cc29d4f67757 ("usb: bdc: Add support for USB phy") +Acked-by: Florian Fainelli +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/0c5910979f39225d5d8fe68c9ab1c147c68ddee1.1629314734.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/bdc/bdc_core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/udc/bdc/bdc_core.c b/drivers/usb/gadget/udc/bdc/bdc_core.c +index e174b1b889da..d04de117bf63 100644 +--- a/drivers/usb/gadget/udc/bdc/bdc_core.c ++++ b/drivers/usb/gadget/udc/bdc/bdc_core.c +@@ -568,7 +568,8 @@ static int bdc_probe(struct platform_device *pdev) + if (ret) { + dev_err(dev, + "No suitable DMA config available, abort\n"); +- return -ENOTSUPP; ++ ret = -ENOTSUPP; ++ goto phycleanup; + } + dev_dbg(dev, "Using 32-bit address\n"); + } +-- +2.30.2 + diff --git a/queue-4.19/usb-ehci-orion-handle-errors-of-clk_prepare_enable-i.patch b/queue-4.19/usb-ehci-orion-handle-errors-of-clk_prepare_enable-i.patch new file mode 100644 index 00000000000..ada4781ab30 --- /dev/null +++ b/queue-4.19/usb-ehci-orion-handle-errors-of-clk_prepare_enable-i.patch @@ -0,0 +1,64 @@ +From df1baab4c242f7d671115710e7bf648a80d5c9d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Aug 2021 20:09:02 +0300 +Subject: usb: ehci-orion: Handle errors of clk_prepare_enable() in probe + +From: Evgeny Novikov + +[ Upstream commit 4720f1bf4ee4a784d9ece05420ba33c9222a3004 ] + +ehci_orion_drv_probe() did not account for possible errors of +clk_prepare_enable() that in particular could cause invocation of +clk_disable_unprepare() on clocks that were not prepared/enabled yet, +e.g. in remove or on handling errors of usb_add_hcd() in probe. Though, +there were several patches fixing different issues with clocks in this +driver, they did not solve this problem. + +Add handling of errors of clk_prepare_enable() in ehci_orion_drv_probe() +to avoid calls of clk_disable_unprepare() without previous successful +invocation of clk_prepare_enable(). + +Found by Linux Driver Verification project (linuxtesting.org). + +Fixes: 8c869edaee07 ("ARM: Orion: EHCI: Add support for enabling clocks") +Co-developed-by: Kirill Shilimanov +Reviewed-by: Andrew Lunn +Acked-by: Alan Stern +Signed-off-by: Evgeny Novikov +Signed-off-by: Kirill Shilimanov +Link: https://lore.kernel.org/r/20210825170902.11234-1-novikov@ispras.ru +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/ehci-orion.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/host/ehci-orion.c b/drivers/usb/host/ehci-orion.c +index 1ad72647a069..da0f36af0b38 100644 +--- a/drivers/usb/host/ehci-orion.c ++++ b/drivers/usb/host/ehci-orion.c +@@ -250,8 +250,11 @@ static int ehci_orion_drv_probe(struct platform_device *pdev) + * the clock does not exists. + */ + priv->clk = devm_clk_get(&pdev->dev, NULL); +- if (!IS_ERR(priv->clk)) +- clk_prepare_enable(priv->clk); ++ if (!IS_ERR(priv->clk)) { ++ err = clk_prepare_enable(priv->clk); ++ if (err) ++ goto err_put_hcd; ++ } + + priv->phy = devm_phy_optional_get(&pdev->dev, "usb"); + if (IS_ERR(priv->phy)) { +@@ -312,6 +315,7 @@ err_phy_init: + err_phy_get: + if (!IS_ERR(priv->clk)) + clk_disable_unprepare(priv->clk); ++err_put_hcd: + usb_put_hcd(hcd); + err: + dev_err(&pdev->dev, "init %s fail, %d\n", +-- +2.30.2 + diff --git a/queue-4.19/usb-gadget-mv_u3d-request_irq-after-initializing-udc.patch b/queue-4.19/usb-gadget-mv_u3d-request_irq-after-initializing-udc.patch new file mode 100644 index 00000000000..b54e93fb746 --- /dev/null +++ b/queue-4.19/usb-gadget-mv_u3d-request_irq-after-initializing-udc.patch @@ -0,0 +1,76 @@ +From 680e44a9e3b512acd98f5af4236d3bd4bcfaf688 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Aug 2021 17:12:47 +0300 +Subject: usb: gadget: mv_u3d: request_irq() after initializing UDC + +From: Nadezda Lutovinova + +[ Upstream commit 2af0c5ffadaf9d13eca28409d4238b4e672942d3 ] + +If IRQ occurs between calling request_irq() and mv_u3d_eps_init(), +then null pointer dereference occurs since u3d->eps[] wasn't +initialized yet but used in mv_u3d_nuke(). + +The patch puts registration of the interrupt handler after +initializing of neccesery data. + +Found by Linux Driver Verification project (linuxtesting.org). + +Fixes: 90fccb529d24 ("usb: gadget: Gadget directory cleanup - group UDC drivers") +Acked-by: Felipe Balbi +Signed-off-by: Nadezda Lutovinova +Link: https://lore.kernel.org/r/20210818141247.4794-1-lutovinova@ispras.ru +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/mv_u3d_core.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +diff --git a/drivers/usb/gadget/udc/mv_u3d_core.c b/drivers/usb/gadget/udc/mv_u3d_core.c +index 35e02a8d0091..bdba3f48c052 100644 +--- a/drivers/usb/gadget/udc/mv_u3d_core.c ++++ b/drivers/usb/gadget/udc/mv_u3d_core.c +@@ -1922,14 +1922,6 @@ static int mv_u3d_probe(struct platform_device *dev) + goto err_get_irq; + } + u3d->irq = r->start; +- if (request_irq(u3d->irq, mv_u3d_irq, +- IRQF_SHARED, driver_name, u3d)) { +- u3d->irq = 0; +- dev_err(&dev->dev, "Request irq %d for u3d failed\n", +- u3d->irq); +- retval = -ENODEV; +- goto err_request_irq; +- } + + /* initialize gadget structure */ + u3d->gadget.ops = &mv_u3d_ops; /* usb_gadget_ops */ +@@ -1942,6 +1934,15 @@ static int mv_u3d_probe(struct platform_device *dev) + + mv_u3d_eps_init(u3d); + ++ if (request_irq(u3d->irq, mv_u3d_irq, ++ IRQF_SHARED, driver_name, u3d)) { ++ u3d->irq = 0; ++ dev_err(&dev->dev, "Request irq %d for u3d failed\n", ++ u3d->irq); ++ retval = -ENODEV; ++ goto err_request_irq; ++ } ++ + /* external vbus detection */ + if (u3d->vbus) { + u3d->clock_gating = 1; +@@ -1965,8 +1966,8 @@ static int mv_u3d_probe(struct platform_device *dev) + + err_unregister: + free_irq(u3d->irq, u3d); +-err_request_irq: + err_get_irq: ++err_request_irq: + kfree(u3d->status_req); + err_alloc_status_req: + kfree(u3d->eps); +-- +2.30.2 + diff --git a/queue-4.19/usb-gadget-udc-at91-add-irq-check.patch b/queue-4.19/usb-gadget-udc-at91-add-irq-check.patch new file mode 100644 index 00000000000..ebf4ee6b195 --- /dev/null +++ b/queue-4.19/usb-gadget-udc-at91-add-irq-check.patch @@ -0,0 +1,42 @@ +From 0b8406287ea42801858848e0d7005c7cd90e7e35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Aug 2021 23:27:28 +0300 +Subject: usb: gadget: udc: at91: add IRQ check + +From: Sergey Shtylyov + +[ Upstream commit 50855c31573b02963f0aa2aacfd4ea41c31ae0e0 ] + +The driver neglects to check the result of platform_get_irq()'s call and +blithely passes the negative error codes to devm_request_irq() (which takes +*unsigned* IRQ #), causing it to fail with -EINVAL, overriding an original +error code. Stop calling devm_request_irq() with the invalid IRQ #s. + +Fixes: 8b2e76687b39 ("USB: AT91 UDC updates, mostly power management") +Signed-off-by: Sergey Shtylyov +Acked-by: Felipe Balbi +Link: https://lore.kernel.org/r/6654a224-739a-1a80-12f0-76d920f87b6c@omp.ru +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/at91_udc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/udc/at91_udc.c b/drivers/usb/gadget/udc/at91_udc.c +index 03959dc86cfd..dd5cdcdfa403 100644 +--- a/drivers/usb/gadget/udc/at91_udc.c ++++ b/drivers/usb/gadget/udc/at91_udc.c +@@ -1879,7 +1879,9 @@ static int at91udc_probe(struct platform_device *pdev) + clk_disable(udc->iclk); + + /* request UDC and maybe VBUS irqs */ +- udc->udp_irq = platform_get_irq(pdev, 0); ++ udc->udp_irq = retval = platform_get_irq(pdev, 0); ++ if (retval < 0) ++ goto err_unprepare_iclk; + retval = devm_request_irq(dev, udc->udp_irq, at91_udc_irq, 0, + driver_name, udc); + if (retval) { +-- +2.30.2 + diff --git a/queue-4.19/usb-host-ohci-tmio-add-irq-check.patch b/queue-4.19/usb-host-ohci-tmio-add-irq-check.patch new file mode 100644 index 00000000000..cc5d1a1126e --- /dev/null +++ b/queue-4.19/usb-host-ohci-tmio-add-irq-check.patch @@ -0,0 +1,42 @@ +From ea8c9aa386bc658934d73458c62ad9959534dbc9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Aug 2021 23:30:18 +0300 +Subject: usb: host: ohci-tmio: add IRQ check + +From: Sergey Shtylyov + +[ Upstream commit 4ac5132e8a4300637a2da8f5d6bc7650db735b8a ] + +The driver neglects to check the result of platform_get_irq()'s call and +blithely passes the negative error codes to usb_add_hcd() (which takes +*unsigned* IRQ #), causing request_irq() that it calls to fail with +-EINVAL, overriding an original error code. Stop calling usb_add_hcd() +with the invalid IRQ #s. + +Fixes: 78c73414f4f6 ("USB: ohci: add support for tmio-ohci cell") +Acked-by: Alan Stern +Signed-off-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/402e1a45-a0a4-0e08-566a-7ca1331506b1@omp.ru +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/ohci-tmio.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/usb/host/ohci-tmio.c b/drivers/usb/host/ohci-tmio.c +index a631dbb369d7..983a00e2988d 100644 +--- a/drivers/usb/host/ohci-tmio.c ++++ b/drivers/usb/host/ohci-tmio.c +@@ -199,6 +199,9 @@ static int ohci_hcd_tmio_drv_probe(struct platform_device *dev) + if (!cell) + return -EINVAL; + ++ if (irq < 0) ++ return irq; ++ + hcd = usb_create_hcd(&ohci_tmio_hc_driver, &dev->dev, dev_name(&dev->dev)); + if (!hcd) { + ret = -ENOMEM; +-- +2.30.2 + diff --git a/queue-4.19/usb-phy-fsl-usb-add-irq-check.patch b/queue-4.19/usb-phy-fsl-usb-add-irq-check.patch new file mode 100644 index 00000000000..5ba5ce930b2 --- /dev/null +++ b/queue-4.19/usb-phy-fsl-usb-add-irq-check.patch @@ -0,0 +1,40 @@ +From e27949d155d9c6063a0f4a18a15335a42caba093 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Aug 2021 23:50:18 +0300 +Subject: usb: phy: fsl-usb: add IRQ check + +From: Sergey Shtylyov + +[ Upstream commit ecc2f30dbb25969908115c81ec23650ed982b004 ] + +The driver neglects to check the result of platform_get_irq()'s call and +blithely passes the negative error codes to request_irq() (which takes +*unsigned* IRQ #), causing it to fail with -EINVAL, overriding an original +error code. Stop calling request_irq() with the invalid IRQ #s. + +Fixes: 0807c500a1a6 ("USB: add Freescale USB OTG Transceiver driver") +Acked-by: Felipe Balbi +Signed-off-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/b0a86089-8b8b-122e-fd6d-73e8c2304964@omp.ru +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/phy/phy-fsl-usb.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/phy/phy-fsl-usb.c b/drivers/usb/phy/phy-fsl-usb.c +index f7c96d209eda..981db219234e 100644 +--- a/drivers/usb/phy/phy-fsl-usb.c ++++ b/drivers/usb/phy/phy-fsl-usb.c +@@ -873,6 +873,8 @@ int usb_otg_start(struct platform_device *pdev) + + /* request irq */ + p_otg->irq = platform_get_irq(pdev, 0); ++ if (p_otg->irq < 0) ++ return p_otg->irq; + status = request_irq(p_otg->irq, fsl_otg_isr, + IRQF_SHARED, driver_name, p_otg); + if (status) { +-- +2.30.2 + diff --git a/queue-4.19/usb-phy-tahvo-add-irq-check.patch b/queue-4.19/usb-phy-tahvo-add-irq-check.patch new file mode 100644 index 00000000000..e6be5640f68 --- /dev/null +++ b/queue-4.19/usb-phy-tahvo-add-irq-check.patch @@ -0,0 +1,43 @@ +From 9dc0fd26cb2da59b2ab6cec3245d72a0eae7b601 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Aug 2021 23:32:38 +0300 +Subject: usb: phy: tahvo: add IRQ check + +From: Sergey Shtylyov + +[ Upstream commit 0d45a1373e669880b8beaecc8765f44cb0241e47 ] + +The driver neglects to check the result of platform_get_irq()'s call and +blithely passes the negative error codes to request_threaded_irq() (which +takes *unsigned* IRQ #), causing it to fail with -EINVAL, overriding an +original error code. Stop calling request_threaded_irq() with the invalid +IRQ #s. + +Fixes: 9ba96ae5074c ("usb: omap1: Tahvo USB transceiver driver") +Acked-by: Felipe Balbi +Signed-off-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/8280d6a4-8e9a-7cfe-1aa9-db586dc9afdf@omp.ru +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/phy/phy-tahvo.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/phy/phy-tahvo.c b/drivers/usb/phy/phy-tahvo.c +index 0981abc3d1ad..60d390e28289 100644 +--- a/drivers/usb/phy/phy-tahvo.c ++++ b/drivers/usb/phy/phy-tahvo.c +@@ -396,7 +396,9 @@ static int tahvo_usb_probe(struct platform_device *pdev) + + dev_set_drvdata(&pdev->dev, tu); + +- tu->irq = platform_get_irq(pdev, 0); ++ tu->irq = ret = platform_get_irq(pdev, 0); ++ if (ret < 0) ++ return ret; + ret = request_threaded_irq(tu->irq, NULL, tahvo_usb_vbus_interrupt, + IRQF_ONESHOT, + "tahvo-vbus", tu); +-- +2.30.2 + diff --git a/queue-4.19/usb-phy-twl6030-add-irq-checks.patch b/queue-4.19/usb-phy-twl6030-add-irq-checks.patch new file mode 100644 index 00000000000..73362c340a2 --- /dev/null +++ b/queue-4.19/usb-phy-twl6030-add-irq-checks.patch @@ -0,0 +1,44 @@ +From d885fd7c95a72386113b57fc2be767536e20759d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Aug 2021 23:53:16 +0300 +Subject: usb: phy: twl6030: add IRQ checks + +From: Sergey Shtylyov + +[ Upstream commit 0881e22c06e66af0b64773c91c8868ead3d01aa1 ] + +The driver neglects to check the result of platform_get_irq()'s calls and +blithely passes the negative error codes to request_threaded_irq() (which +takes *unsigned* IRQ #), causing them both to fail with -EINVAL, overriding +an original error code. Stop calling request_threaded_irq() with the +invalid IRQ #s. + +Fixes: c33fad0c3748 ("usb: otg: Adding twl6030-usb transceiver driver for OMAP4430") +Acked-by: Felipe Balbi +Signed-off-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/9507f50b-50f1-6dc4-f57c-3ed4e53a1c25@omp.ru +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/phy/phy-twl6030-usb.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/usb/phy/phy-twl6030-usb.c b/drivers/usb/phy/phy-twl6030-usb.c +index dade34d70419..859af6113b45 100644 +--- a/drivers/usb/phy/phy-twl6030-usb.c ++++ b/drivers/usb/phy/phy-twl6030-usb.c +@@ -342,6 +342,11 @@ static int twl6030_usb_probe(struct platform_device *pdev) + twl->irq2 = platform_get_irq(pdev, 1); + twl->linkstat = MUSB_UNKNOWN; + ++ if (twl->irq1 < 0) ++ return twl->irq1; ++ if (twl->irq2 < 0) ++ return twl->irq2; ++ + twl->comparator.set_vbus = twl6030_set_vbus; + twl->comparator.start_srp = twl6030_start_srp; + +-- +2.30.2 +