From: Sasha Levin Date: Sun, 21 Nov 2021 23:00:37 +0000 (-0500) Subject: Fixes for 4.4 X-Git-Tag: v5.15.5~77 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=538fb507bf990d0e8e6aab53b15c73f4abfbb401;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.4 Signed-off-by: Sasha Levin --- diff --git a/queue-4.4/alsa-gus-fix-null-pointer-dereference-on-pointer-blo.patch b/queue-4.4/alsa-gus-fix-null-pointer-dereference-on-pointer-blo.patch new file mode 100644 index 00000000000..6766b321974 --- /dev/null +++ b/queue-4.4/alsa-gus-fix-null-pointer-dereference-on-pointer-blo.patch @@ -0,0 +1,37 @@ +From 0cc78414b1b3c18d264d2e875bd969cd22b6b167 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 24 Oct 2021 03:46:11 -0700 +Subject: ALSA: gus: fix null pointer dereference on pointer block + +From: Chengfeng Ye + +[ Upstream commit a0d21bb3279476c777434c40d969ea88ca64f9aa ] + +The pointer block return from snd_gf1_dma_next_block could be +null, so there is a potential null pointer dereference issue. +Fix this by adding a null check before dereference. + +Signed-off-by: Chengfeng Ye +Link: https://lore.kernel.org/r/20211024104611.9919-1-cyeaa@connect.ust.hk +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/isa/gus/gus_dma.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/isa/gus/gus_dma.c b/sound/isa/gus/gus_dma.c +index 36c27c8323601..2e27cd3427c87 100644 +--- a/sound/isa/gus/gus_dma.c ++++ b/sound/isa/gus/gus_dma.c +@@ -141,6 +141,8 @@ static void snd_gf1_dma_interrupt(struct snd_gus_card * gus) + } + block = snd_gf1_dma_next_block(gus); + spin_unlock(&gus->dma_lock); ++ if (!block) ++ return; + snd_gf1_dma_program(gus, block->addr, block->buf_addr, block->count, (unsigned short) block->cmd); + kfree(block); + #if 0 +-- +2.33.0 + diff --git a/queue-4.4/arm-dts-omap-fix-gpmc-mux-add-data-type.patch b/queue-4.4/arm-dts-omap-fix-gpmc-mux-add-data-type.patch new file mode 100644 index 00000000000..455c944dba0 --- /dev/null +++ b/queue-4.4/arm-dts-omap-fix-gpmc-mux-add-data-type.patch @@ -0,0 +1,52 @@ +From 22bdeaef5c3a69c4bbc18105247fbc4310396f9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Oct 2021 15:08:30 +0300 +Subject: ARM: dts: omap: fix gpmc,mux-add-data type + +From: Roger Quadros + +[ Upstream commit 51b9e22ffd3c4c56cbb7caae9750f70e55ffa603 ] + +gpmc,mux-add-data is not boolean. + +Fixes the below errors flagged by dtbs_check. + +"ethernet@4,0:gpmc,mux-add-data: True is not of type 'array'" + +Signed-off-by: Roger Quadros +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/omap-gpmc-smsc9221.dtsi | 2 +- + arch/arm/boot/dts/omap3-overo-tobiduo-common.dtsi | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/boot/dts/omap-gpmc-smsc9221.dtsi b/arch/arm/boot/dts/omap-gpmc-smsc9221.dtsi +index 73e272fadc202..58d288fddd9c2 100644 +--- a/arch/arm/boot/dts/omap-gpmc-smsc9221.dtsi ++++ b/arch/arm/boot/dts/omap-gpmc-smsc9221.dtsi +@@ -28,7 +28,7 @@ + compatible = "smsc,lan9221","smsc,lan9115"; + bank-width = <2>; + +- gpmc,mux-add-data; ++ gpmc,mux-add-data = <0>; + gpmc,cs-on-ns = <0>; + gpmc,cs-rd-off-ns = <42>; + gpmc,cs-wr-off-ns = <36>; +diff --git a/arch/arm/boot/dts/omap3-overo-tobiduo-common.dtsi b/arch/arm/boot/dts/omap3-overo-tobiduo-common.dtsi +index 82e98ee3023ad..3dbeb7a6c569c 100644 +--- a/arch/arm/boot/dts/omap3-overo-tobiduo-common.dtsi ++++ b/arch/arm/boot/dts/omap3-overo-tobiduo-common.dtsi +@@ -25,7 +25,7 @@ + compatible = "smsc,lan9221","smsc,lan9115"; + bank-width = <2>; + +- gpmc,mux-add-data; ++ gpmc,mux-add-data = <0>; + gpmc,cs-on-ns = <0>; + gpmc,cs-rd-off-ns = <42>; + gpmc,cs-wr-off-ns = <36>; +-- +2.33.0 + diff --git a/queue-4.4/maple-fix-wrong-return-value-of-maple_bus_init.patch b/queue-4.4/maple-fix-wrong-return-value-of-maple_bus_init.patch new file mode 100644 index 00000000000..f23ddd08b56 --- /dev/null +++ b/queue-4.4/maple-fix-wrong-return-value-of-maple_bus_init.patch @@ -0,0 +1,50 @@ +From bda93277864b222abfeab3a5a46d62f74528807f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Nov 2020 10:43:11 +0800 +Subject: maple: fix wrong return value of maple_bus_init(). + +From: Lu Wei + +[ Upstream commit bde82ee391fa6d3ad054313c4aa7b726d32515ce ] + +If KMEM_CACHE or maple_alloc_dev failed, the maple_bus_init() will return 0 +rather than error, because the retval is not changed after KMEM_CACHE or +maple_alloc_dev failed. + +Fixes: 17be2d2b1c33 ("sh: Add maple bus support for the SEGA Dreamcast.") +Reported-by: Hulk Robot +Signed-off-by: Lu Wei +Acked-by: John Paul Adrian Glaubitz +Signed-off-by: Rich Felker +Signed-off-by: Sasha Levin +--- + drivers/sh/maple/maple.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/sh/maple/maple.c b/drivers/sh/maple/maple.c +index bec81c2404f78..1682fa3671bc3 100644 +--- a/drivers/sh/maple/maple.c ++++ b/drivers/sh/maple/maple.c +@@ -835,8 +835,10 @@ static int __init maple_bus_init(void) + + maple_queue_cache = KMEM_CACHE(maple_buffer, SLAB_HWCACHE_ALIGN); + +- if (!maple_queue_cache) ++ if (!maple_queue_cache) { ++ retval = -ENOMEM; + goto cleanup_bothirqs; ++ } + + INIT_LIST_HEAD(&maple_waitq); + INIT_LIST_HEAD(&maple_sentq); +@@ -849,6 +851,7 @@ static int __init maple_bus_init(void) + if (!mdev[i]) { + while (i-- > 0) + maple_free_dev(mdev[i]); ++ retval = -ENOMEM; + goto cleanup_cache; + } + baseunits[i] = mdev[i]; +-- +2.33.0 + diff --git a/queue-4.4/mips-bcm63xx-add-support-for-clk_get_parent.patch b/queue-4.4/mips-bcm63xx-add-support-for-clk_get_parent.patch new file mode 100644 index 00000000000..b1673b87be4 --- /dev/null +++ b/queue-4.4/mips-bcm63xx-add-support-for-clk_get_parent.patch @@ -0,0 +1,65 @@ +From abdf7f078018cc9cedfd481478c926eeb8963139 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Nov 2021 16:42:18 -0800 +Subject: mips: bcm63xx: add support for clk_get_parent() + +From: Randy Dunlap + +[ Upstream commit e8f67482e5a4bc8d0b65d606d08cb60ee123b468 ] + +BCM63XX selects HAVE_LEGACY_CLK but does not provide/support +clk_get_parent(), so add a simple implementation of that +function so that callers of it will build without errors. + +Fixes these build errors: + +mips-linux-ld: drivers/iio/adc/ingenic-adc.o: in function `jz4770_adc_init_clk_div': +ingenic-adc.c:(.text+0xe4): undefined reference to `clk_get_parent' +mips-linux-ld: drivers/iio/adc/ingenic-adc.o: in function `jz4725b_adc_init_clk_div': +ingenic-adc.c:(.text+0x1b8): undefined reference to `clk_get_parent' + +Fixes: e7300d04bd08 ("MIPS: BCM63xx: Add support for the Broadcom BCM63xx family of SOCs." ) +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Suggested-by: Russell King (Oracle) +Cc: Artur Rojek +Cc: Paul Cercueil +Cc: linux-mips@vger.kernel.org +Cc: Jonathan Cameron +Cc: Lars-Peter Clausen +Cc: linux-iio@vger.kernel.org +Cc: Florian Fainelli +Cc: Andy Shevchenko +Cc: Russell King +Cc: bcm-kernel-feedback-list@broadcom.com +Cc: Jonas Gorski +Reviewed-by: Andy Shevchenko +Acked-by: Jonathan Cameron +Acked-by: Russell King (Oracle) +Acked-by: Florian Fainelli +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/bcm63xx/clk.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/arch/mips/bcm63xx/clk.c b/arch/mips/bcm63xx/clk.c +index 637565284732d..ef268c9aac80d 100644 +--- a/arch/mips/bcm63xx/clk.c ++++ b/arch/mips/bcm63xx/clk.c +@@ -333,6 +333,12 @@ void clk_disable(struct clk *clk) + + EXPORT_SYMBOL(clk_disable); + ++struct clk *clk_get_parent(struct clk *clk) ++{ ++ return NULL; ++} ++EXPORT_SYMBOL(clk_get_parent); ++ + unsigned long clk_get_rate(struct clk *clk) + { + return clk->rate; +-- +2.33.0 + diff --git a/queue-4.4/mips-bcm63xx-ensure-that-cpu_supports_32bit_kernel-i.patch b/queue-4.4/mips-bcm63xx-ensure-that-cpu_supports_32bit_kernel-i.patch new file mode 100644 index 00000000000..9caec41be2a --- /dev/null +++ b/queue-4.4/mips-bcm63xx-ensure-that-cpu_supports_32bit_kernel-i.patch @@ -0,0 +1,64 @@ +From ff0435e58af3cf39c3efd9d08b0f84d5ac598be5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 6 Nov 2021 08:49:11 -0700 +Subject: mips: BCM63XX: ensure that CPU_SUPPORTS_32BIT_KERNEL is set + +From: Randy Dunlap + +[ Upstream commit 5eeaafc8d69373c095e461bdb39e5c9b62228ac5 ] + +Several header files need info on CONFIG_32BIT or CONFIG_64BIT, +but kconfig symbol BCM63XX does not provide that info. This leads +to many build errors, e.g.: + + arch/mips/include/asm/page.h:196:13: error: use of undeclared identifier 'CAC_BASE' + return x - PAGE_OFFSET + PHYS_OFFSET; + arch/mips/include/asm/mach-generic/spaces.h:91:23: note: expanded from macro 'PAGE_OFFSET' + #define PAGE_OFFSET (CAC_BASE + PHYS_OFFSET) + arch/mips/include/asm/io.h:134:28: error: use of undeclared identifier 'CAC_BASE' + return (void *)(address + PAGE_OFFSET - PHYS_OFFSET); + arch/mips/include/asm/mach-generic/spaces.h:91:23: note: expanded from macro 'PAGE_OFFSET' + #define PAGE_OFFSET (CAC_BASE + PHYS_OFFSET) + +arch/mips/include/asm/uaccess.h:82:10: error: use of undeclared identifier '__UA_LIMIT' + return (__UA_LIMIT & (addr | (addr + size) | __ua_size(size))) == 0; + +Selecting the SYS_HAS_CPU_BMIPS* symbols causes SYS_HAS_CPU_BMIPS to be +set, which then selects CPU_SUPPORT_32BIT_KERNEL, which causes +CONFIG_32BIT to be set. (a bit more indirect than v1 [RFC].) + +Fixes: e7300d04bd08 ("MIPS: BCM63xx: Add support for the Broadcom BCM63xx family of SOCs.") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Cc: Thomas Bogendoerfer +Cc: Florian Fainelli +Cc: bcm-kernel-feedback-list@broadcom.com +Cc: linux-mips@vger.kernel.org +Cc: Paul Burton +Cc: Maxime Bizon +Cc: Ralf Baechle +Suggested-by: Florian Fainelli +Acked-by: Florian Fainelli +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/Kconfig | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig +index 9f1376788820e..98312d3e4f414 100644 +--- a/arch/mips/Kconfig ++++ b/arch/mips/Kconfig +@@ -211,6 +211,9 @@ config BCM63XX + select SYS_SUPPORTS_32BIT_KERNEL + select SYS_SUPPORTS_BIG_ENDIAN + select SYS_HAS_EARLY_PRINTK ++ select SYS_HAS_CPU_BMIPS32_3300 ++ select SYS_HAS_CPU_BMIPS4350 ++ select SYS_HAS_CPU_BMIPS4380 + select SWAP_IO_SPACE + select ARCH_REQUIRE_GPIOLIB + select HAVE_CLK +-- +2.33.0 + diff --git a/queue-4.4/mips-sni-fix-the-build.patch b/queue-4.4/mips-sni-fix-the-build.patch new file mode 100644 index 00000000000..f533e0e4699 --- /dev/null +++ b/queue-4.4/mips-sni-fix-the-build.patch @@ -0,0 +1,54 @@ +From 27dbfeb32a721f42ac5561bcdf23fb3f18875410 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Oct 2021 15:23:12 -0700 +Subject: MIPS: sni: Fix the build +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Bart Van Assche + +[ Upstream commit c91cf42f61dc77b289784ea7b15a8531defa41c0 ] + +This patch fixes the following gcc 10 build error: + +arch/mips/sni/time.c: In function ‘a20r_set_periodic’: +arch/mips/sni/time.c:15:26: error: unsigned conversion from ‘int’ to ‘u8’ {aka ‘volatile unsigned char’} changes value from ‘576’ to ‘64’ [-Werror=overflow] + 15 | #define SNI_COUNTER0_DIV ((SNI_CLOCK_TICK_RATE / SNI_COUNTER2_DIV) / HZ) + | ^ +arch/mips/sni/time.c:21:45: note: in expansion of macro ‘SNI_COUNTER0_DIV’ + 21 | *(volatile u8 *)(A20R_PT_CLOCK_BASE + 0) = SNI_COUNTER0_DIV; + | ^~~~~~~~~~~~~~~~ + +Cc: linux-mips@vger.kernel.org +Signed-off-by: Bart Van Assche +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/sni/time.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/mips/sni/time.c b/arch/mips/sni/time.c +index fb4b3520cdc61..d72dd0d2ff595 100644 +--- a/arch/mips/sni/time.c ++++ b/arch/mips/sni/time.c +@@ -18,14 +18,14 @@ static int a20r_set_periodic(struct clock_event_device *evt) + { + *(volatile u8 *)(A20R_PT_CLOCK_BASE + 12) = 0x34; + wmb(); +- *(volatile u8 *)(A20R_PT_CLOCK_BASE + 0) = SNI_COUNTER0_DIV; ++ *(volatile u8 *)(A20R_PT_CLOCK_BASE + 0) = SNI_COUNTER0_DIV & 0xff; + wmb(); + *(volatile u8 *)(A20R_PT_CLOCK_BASE + 0) = SNI_COUNTER0_DIV >> 8; + wmb(); + + *(volatile u8 *)(A20R_PT_CLOCK_BASE + 12) = 0xb4; + wmb(); +- *(volatile u8 *)(A20R_PT_CLOCK_BASE + 8) = SNI_COUNTER2_DIV; ++ *(volatile u8 *)(A20R_PT_CLOCK_BASE + 8) = SNI_COUNTER2_DIV & 0xff; + wmb(); + *(volatile u8 *)(A20R_PT_CLOCK_BASE + 8) = SNI_COUNTER2_DIV >> 8; + wmb(); +-- +2.33.0 + diff --git a/queue-4.4/net-bnx2x-fix-variable-dereferenced-before-check.patch b/queue-4.4/net-bnx2x-fix-variable-dereferenced-before-check.patch new file mode 100644 index 00000000000..f0c8df906f3 --- /dev/null +++ b/queue-4.4/net-bnx2x-fix-variable-dereferenced-before-check.patch @@ -0,0 +1,46 @@ +From 6a6e630ab166e923ff6533d87e6db6df7048570d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Nov 2021 01:36:36 +0300 +Subject: net: bnx2x: fix variable dereferenced before check + +From: Pavel Skripkin + +[ Upstream commit f8885ac89ce310570e5391fe0bf0ec9c7c9b4fdc ] + +Smatch says: + bnx2x_init_ops.h:640 bnx2x_ilt_client_mem_op() + warn: variable dereferenced before check 'ilt' (see line 638) + +Move ilt_cli variable initialization _after_ ilt validation, because +it's unsafe to deref the pointer before validation check. + +Fixes: 523224a3b3cd ("bnx2x, cnic, bnx2i: use new FW/HSI") +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_init_ops.h | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_init_ops.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_init_ops.h +index 1835d2e451c01..fc7fce642666c 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_init_ops.h ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_init_ops.h +@@ -635,11 +635,13 @@ static int bnx2x_ilt_client_mem_op(struct bnx2x *bp, int cli_num, + { + int i, rc; + struct bnx2x_ilt *ilt = BP_ILT(bp); +- struct ilt_client_info *ilt_cli = &ilt->clients[cli_num]; ++ struct ilt_client_info *ilt_cli; + + if (!ilt || !ilt->lines) + return -1; + ++ ilt_cli = &ilt->clients[cli_num]; ++ + if (ilt_cli->flags & (ILT_CLIENT_SKIP_INIT | ILT_CLIENT_SKIP_MEM)) + return 0; + +-- +2.33.0 + diff --git a/queue-4.4/nfc-reorder-the-logic-in-nfc_-un-register_device.patch b/queue-4.4/nfc-reorder-the-logic-in-nfc_-un-register_device.patch new file mode 100644 index 00000000000..c49a973d0a2 --- /dev/null +++ b/queue-4.4/nfc-reorder-the-logic-in-nfc_-un-register_device.patch @@ -0,0 +1,129 @@ +From 7094e0e7c5394e294be6843bbcfca9f75d292436 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Nov 2021 23:26:52 +0800 +Subject: NFC: reorder the logic in nfc_{un,}register_device + +From: Lin Ma + +[ Upstream commit 3e3b5dfcd16a3e254aab61bd1e8c417dd4503102 ] + +There is a potential UAF between the unregistration routine and the NFC +netlink operations. + +The race that cause that UAF can be shown as below: + + (FREE) | (USE) +nfcmrvl_nci_unregister_dev | nfc_genl_dev_up + nci_close_device | + nci_unregister_device | nfc_get_device + nfc_unregister_device | nfc_dev_up + rfkill_destory | + device_del | rfkill_blocked + ... | ... + +The root cause for this race is concluded below: +1. The rfkill_blocked (USE) in nfc_dev_up is supposed to be placed after +the device_is_registered check. +2. Since the netlink operations are possible just after the device_add +in nfc_register_device, the nfc_dev_up() can happen anywhere during the +rfkill creation process, which leads to data race. + +This patch reorder these actions to permit +1. Once device_del is finished, the nfc_dev_up cannot dereference the +rfkill object. +2. The rfkill_register need to be placed after the device_add of nfc_dev +because the parent device need to be created first. So this patch keeps +the order but inject device_lock to prevent the data race. + +Signed-off-by: Lin Ma +Fixes: be055b2f89b5 ("NFC: RFKILL support") +Reviewed-by: Jakub Kicinski +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20211116152652.19217-1-linma@zju.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/nfc/core.c | 32 ++++++++++++++++++-------------- + 1 file changed, 18 insertions(+), 14 deletions(-) + +diff --git a/net/nfc/core.c b/net/nfc/core.c +index 1471e4b0aa2c6..8c7f221e1d125 100644 +--- a/net/nfc/core.c ++++ b/net/nfc/core.c +@@ -106,13 +106,13 @@ int nfc_dev_up(struct nfc_dev *dev) + + device_lock(&dev->dev); + +- if (dev->rfkill && rfkill_blocked(dev->rfkill)) { +- rc = -ERFKILL; ++ if (!device_is_registered(&dev->dev)) { ++ rc = -ENODEV; + goto error; + } + +- if (!device_is_registered(&dev->dev)) { +- rc = -ENODEV; ++ if (dev->rfkill && rfkill_blocked(dev->rfkill)) { ++ rc = -ERFKILL; + goto error; + } + +@@ -1120,11 +1120,7 @@ int nfc_register_device(struct nfc_dev *dev) + if (rc) + pr_err("Could not register llcp device\n"); + +- rc = nfc_genl_device_added(dev); +- if (rc) +- pr_debug("The userspace won't be notified that the device %s was added\n", +- dev_name(&dev->dev)); +- ++ device_lock(&dev->dev); + dev->rfkill = rfkill_alloc(dev_name(&dev->dev), &dev->dev, + RFKILL_TYPE_NFC, &nfc_rfkill_ops, dev); + if (dev->rfkill) { +@@ -1133,6 +1129,12 @@ int nfc_register_device(struct nfc_dev *dev) + dev->rfkill = NULL; + } + } ++ device_unlock(&dev->dev); ++ ++ rc = nfc_genl_device_added(dev); ++ if (rc) ++ pr_debug("The userspace won't be notified that the device %s was added\n", ++ dev_name(&dev->dev)); + + return 0; + } +@@ -1149,10 +1151,17 @@ void nfc_unregister_device(struct nfc_dev *dev) + + pr_debug("dev_name=%s\n", dev_name(&dev->dev)); + ++ rc = nfc_genl_device_removed(dev); ++ if (rc) ++ pr_debug("The userspace won't be notified that the device %s " ++ "was removed\n", dev_name(&dev->dev)); ++ ++ device_lock(&dev->dev); + if (dev->rfkill) { + rfkill_unregister(dev->rfkill); + rfkill_destroy(dev->rfkill); + } ++ device_unlock(&dev->dev); + + if (dev->ops->check_presence) { + device_lock(&dev->dev); +@@ -1162,11 +1171,6 @@ void nfc_unregister_device(struct nfc_dev *dev) + cancel_work_sync(&dev->check_pres_work); + } + +- rc = nfc_genl_device_removed(dev); +- if (rc) +- pr_debug("The userspace won't be notified that the device %s " +- "was removed\n", dev_name(&dev->dev)); +- + nfc_llcp_unregister_device(dev); + + mutex_lock(&nfc_devlist_mutex); +-- +2.33.0 + diff --git a/queue-4.4/nfc-reorganize-the-functions-in-nci_request.patch b/queue-4.4/nfc-reorganize-the-functions-in-nci_request.patch new file mode 100644 index 00000000000..b8cdc4e6024 --- /dev/null +++ b/queue-4.4/nfc-reorganize-the-functions-in-nci_request.patch @@ -0,0 +1,62 @@ +From 492964c4c09b34fb9d66b9efcf627d948b7f926f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Nov 2021 22:56:00 +0800 +Subject: NFC: reorganize the functions in nci_request + +From: Lin Ma + +[ Upstream commit 86cdf8e38792545161dbe3350a7eced558ba4d15 ] + +There is a possible data race as shown below: + +thread-A in nci_request() | thread-B in nci_close_device() + | mutex_lock(&ndev->req_lock); +test_bit(NCI_UP, &ndev->flags); | +... | test_and_clear_bit(NCI_UP, &ndev->flags) +mutex_lock(&ndev->req_lock); | + | + +This race will allow __nci_request() to be awaked while the device is +getting removed. + +Similar to commit e2cb6b891ad2 ("bluetooth: eliminate the potential race +condition when removing the HCI controller"). this patch alters the +function sequence in nci_request() to prevent the data races between the +nci_close_device(). + +Signed-off-by: Lin Ma +Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation") +Link: https://lore.kernel.org/r/20211115145600.8320-1-linma@zju.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/nfc/nci/core.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c +index 35cc290389c8a..27df5a5d69e80 100644 +--- a/net/nfc/nci/core.c ++++ b/net/nfc/nci/core.c +@@ -149,12 +149,15 @@ inline int nci_request(struct nci_dev *ndev, + { + int rc; + +- if (!test_bit(NCI_UP, &ndev->flags)) +- return -ENETDOWN; +- + /* Serialize all requests */ + mutex_lock(&ndev->req_lock); +- rc = __nci_request(ndev, req, opt, timeout); ++ /* check the state after obtaing the lock against any races ++ * from nci_close_device when the device gets removed. ++ */ ++ if (test_bit(NCI_UP, &ndev->flags)) ++ rc = __nci_request(ndev, req, opt, timeout); ++ else ++ rc = -ENETDOWN; + mutex_unlock(&ndev->req_lock); + + return rc; +-- +2.33.0 + diff --git a/queue-4.4/perf-bench-fix-two-memory-leaks-detected-with-asan.patch b/queue-4.4/perf-bench-fix-two-memory-leaks-detected-with-asan.patch new file mode 100644 index 00000000000..a33544276f3 --- /dev/null +++ b/queue-4.4/perf-bench-fix-two-memory-leaks-detected-with-asan.patch @@ -0,0 +1,56 @@ +From 69505b7b0117db791fc23f8408b0c40c9b8961dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Nov 2021 04:20:11 +0200 +Subject: perf bench: Fix two memory leaks detected with ASan + +From: Sohaib Mohamed + +[ Upstream commit 92723ea0f11d92496687db8c9725248e9d1e5e1d ] + +ASan reports memory leaks while running: + + $ perf bench sched all + +Fixes: e27454cc6352c422 ("perf bench: Add sched-messaging.c: Benchmark for scheduler and IPC mechanisms based on hackbench") +Signed-off-by: Sohaib Mohamed +Acked-by: Ian Rogers +Cc: Alexander Shishkin +Cc: Hitoshi Mitake +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Paul Russel +Cc: Peter Zijlstra +Cc: Pierre Gondois +Link: http://lore.kernel.org/lkml/20211110022012.16620-1-sohaib.amhmd@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/bench/sched-messaging.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/tools/perf/bench/sched-messaging.c b/tools/perf/bench/sched-messaging.c +index d4ff1b539cfd2..1841e10fdb964 100644 +--- a/tools/perf/bench/sched-messaging.c ++++ b/tools/perf/bench/sched-messaging.c +@@ -224,6 +224,8 @@ static unsigned int group(pthread_t *pth, + snd_ctx->out_fds[i] = fds[1]; + if (!thread_mode) + close(fds[0]); ++ ++ free(ctx); + } + + /* Now we have all the fds, fork the senders */ +@@ -240,6 +242,8 @@ static unsigned int group(pthread_t *pth, + for (i = 0; i < num_fds; i++) + close(snd_ctx->out_fds[i]); + ++ free(snd_ctx); ++ + /* Return number of children to reap */ + return num_fds * 2; + } +-- +2.33.0 + diff --git a/queue-4.4/platform-x86-hp_accel-fix-an-error-handling-path-in-.patch b/queue-4.4/platform-x86-hp_accel-fix-an-error-handling-path-in-.patch new file mode 100644 index 00000000000..f5f81424597 --- /dev/null +++ b/queue-4.4/platform-x86-hp_accel-fix-an-error-handling-path-in-.patch @@ -0,0 +1,46 @@ +From 2020770e537489e6aa68082221201d239e810ea3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 Nov 2021 20:57:07 +0100 +Subject: platform/x86: hp_accel: Fix an error handling path in + 'lis3lv02d_probe()' + +From: Christophe JAILLET + +[ Upstream commit c961a7d2aa23ae19e0099fbcdf1040fb760eea83 ] + +If 'led_classdev_register()' fails, some additional resources should be +released. + +Add the missing 'i8042_remove_filter()' and 'lis3lv02d_remove_fs()' calls +that are already in the remove function but are missing here. + +Fixes: a4c724d0723b ("platform: hp_accel: add a i8042 filter to remove HPQ6000 data from kb bus stream") +Fixes: 9e0c79782143 ("lis3lv02d: merge with leds hp disk") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/5a4f218f8f16d2e3a7906b7ca3654ffa946895f8.1636314074.git.christophe.jaillet@wanadoo.fr +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/hp_accel.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/platform/x86/hp_accel.c b/drivers/platform/x86/hp_accel.c +index a06262e91a933..411616e6cb744 100644 +--- a/drivers/platform/x86/hp_accel.c ++++ b/drivers/platform/x86/hp_accel.c +@@ -377,9 +377,11 @@ static int lis3lv02d_add(struct acpi_device *device) + INIT_WORK(&hpled_led.work, delayed_set_status_worker); + ret = led_classdev_register(NULL, &hpled_led.led_classdev); + if (ret) { ++ i8042_remove_filter(hp_accel_i8042_filter); + lis3lv02d_joystick_disable(&lis3_dev); + lis3lv02d_poweroff(&lis3_dev); + flush_work(&hpled_led.work); ++ lis3lv02d_remove_fs(&lis3_dev); + return ret; + } + +-- +2.33.0 + diff --git a/queue-4.4/powerpc-5200-dts-fix-memory-node-unit-name.patch b/queue-4.4/powerpc-5200-dts-fix-memory-node-unit-name.patch new file mode 100644 index 00000000000..864d2c1684d --- /dev/null +++ b/queue-4.4/powerpc-5200-dts-fix-memory-node-unit-name.patch @@ -0,0 +1,191 @@ +From 57a75e6371d5d11a16a6d6b00a824879a08173f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Oct 2021 00:05:31 +0200 +Subject: powerpc/5200: dts: fix memory node unit name + +From: Anatolij Gustschin + +[ Upstream commit aed2886a5e9ffc8269a4220bff1e9e030d3d2eb1 ] + +Fixes build warnings: +Warning (unit_address_vs_reg): /memory: node has a reg or ranges property, but no unit name + +Signed-off-by: Anatolij Gustschin +Reviewed-by: Rob Herring +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20211013220532.24759-4-agust@denx.de +Signed-off-by: Sasha Levin +--- + arch/powerpc/boot/dts/charon.dts | 2 +- + arch/powerpc/boot/dts/digsy_mtc.dts | 2 +- + arch/powerpc/boot/dts/lite5200.dts | 2 +- + arch/powerpc/boot/dts/lite5200b.dts | 2 +- + arch/powerpc/boot/dts/media5200.dts | 2 +- + arch/powerpc/boot/dts/mpc5200b.dtsi | 2 +- + arch/powerpc/boot/dts/o2d.dts | 2 +- + arch/powerpc/boot/dts/o2d.dtsi | 2 +- + arch/powerpc/boot/dts/o2dnt2.dts | 2 +- + arch/powerpc/boot/dts/o3dnt.dts | 2 +- + arch/powerpc/boot/dts/pcm032.dts | 2 +- + arch/powerpc/boot/dts/tqm5200.dts | 2 +- + 12 files changed, 12 insertions(+), 12 deletions(-) + +diff --git a/arch/powerpc/boot/dts/charon.dts b/arch/powerpc/boot/dts/charon.dts +index 0e00e508eaa6a..1c8fe20752e6a 100644 +--- a/arch/powerpc/boot/dts/charon.dts ++++ b/arch/powerpc/boot/dts/charon.dts +@@ -39,7 +39,7 @@ + }; + }; + +- memory { ++ memory@0 { + device_type = "memory"; + reg = <0x00000000 0x08000000>; // 128MB + }; +diff --git a/arch/powerpc/boot/dts/digsy_mtc.dts b/arch/powerpc/boot/dts/digsy_mtc.dts +index 955bff629df3c..bf511255f3ae8 100644 +--- a/arch/powerpc/boot/dts/digsy_mtc.dts ++++ b/arch/powerpc/boot/dts/digsy_mtc.dts +@@ -20,7 +20,7 @@ + model = "intercontrol,digsy-mtc"; + compatible = "intercontrol,digsy-mtc"; + +- memory { ++ memory@0 { + reg = <0x00000000 0x02000000>; // 32MB + }; + +diff --git a/arch/powerpc/boot/dts/lite5200.dts b/arch/powerpc/boot/dts/lite5200.dts +index 179a1785d6454..18d137a3393f0 100644 +--- a/arch/powerpc/boot/dts/lite5200.dts ++++ b/arch/powerpc/boot/dts/lite5200.dts +@@ -36,7 +36,7 @@ + }; + }; + +- memory { ++ memory@0 { + device_type = "memory"; + reg = <0x00000000 0x04000000>; // 64MB + }; +diff --git a/arch/powerpc/boot/dts/lite5200b.dts b/arch/powerpc/boot/dts/lite5200b.dts +index 5abb46c5cc951..29419cf81e044 100644 +--- a/arch/powerpc/boot/dts/lite5200b.dts ++++ b/arch/powerpc/boot/dts/lite5200b.dts +@@ -35,7 +35,7 @@ + led4 { gpios = <&gpio_simple 2 1>; }; + }; + +- memory { ++ memory@0 { + reg = <0x00000000 0x10000000>; // 256MB + }; + +diff --git a/arch/powerpc/boot/dts/media5200.dts b/arch/powerpc/boot/dts/media5200.dts +index b5413cb85f134..3d57463bc49da 100644 +--- a/arch/powerpc/boot/dts/media5200.dts ++++ b/arch/powerpc/boot/dts/media5200.dts +@@ -36,7 +36,7 @@ + }; + }; + +- memory { ++ memory@0 { + reg = <0x00000000 0x08000000>; // 128MB RAM + }; + +diff --git a/arch/powerpc/boot/dts/mpc5200b.dtsi b/arch/powerpc/boot/dts/mpc5200b.dtsi +index 969b2200b2f97..ecfba675b5611 100644 +--- a/arch/powerpc/boot/dts/mpc5200b.dtsi ++++ b/arch/powerpc/boot/dts/mpc5200b.dtsi +@@ -37,7 +37,7 @@ + }; + }; + +- memory: memory { ++ memory: memory@0 { + device_type = "memory"; + reg = <0x00000000 0x04000000>; // 64MB + }; +diff --git a/arch/powerpc/boot/dts/o2d.dts b/arch/powerpc/boot/dts/o2d.dts +index 9f6dd4d889b32..5a676e8141caf 100644 +--- a/arch/powerpc/boot/dts/o2d.dts ++++ b/arch/powerpc/boot/dts/o2d.dts +@@ -16,7 +16,7 @@ + model = "ifm,o2d"; + compatible = "ifm,o2d"; + +- memory { ++ memory@0 { + reg = <0x00000000 0x08000000>; // 128MB + }; + +diff --git a/arch/powerpc/boot/dts/o2d.dtsi b/arch/powerpc/boot/dts/o2d.dtsi +index cf073e693f24d..1b4df5f64b580 100644 +--- a/arch/powerpc/boot/dts/o2d.dtsi ++++ b/arch/powerpc/boot/dts/o2d.dtsi +@@ -23,7 +23,7 @@ + model = "ifm,o2d"; + compatible = "ifm,o2d"; + +- memory { ++ memory@0 { + reg = <0x00000000 0x04000000>; // 64MB + }; + +diff --git a/arch/powerpc/boot/dts/o2dnt2.dts b/arch/powerpc/boot/dts/o2dnt2.dts +index a0f5b97a4f06e..5184c461a205f 100644 +--- a/arch/powerpc/boot/dts/o2dnt2.dts ++++ b/arch/powerpc/boot/dts/o2dnt2.dts +@@ -16,7 +16,7 @@ + model = "ifm,o2dnt2"; + compatible = "ifm,o2d"; + +- memory { ++ memory@0 { + reg = <0x00000000 0x08000000>; // 128MB + }; + +diff --git a/arch/powerpc/boot/dts/o3dnt.dts b/arch/powerpc/boot/dts/o3dnt.dts +index acce49326491b..045b901719245 100644 +--- a/arch/powerpc/boot/dts/o3dnt.dts ++++ b/arch/powerpc/boot/dts/o3dnt.dts +@@ -16,7 +16,7 @@ + model = "ifm,o3dnt"; + compatible = "ifm,o2d"; + +- memory { ++ memory@0 { + reg = <0x00000000 0x04000000>; // 64MB + }; + +diff --git a/arch/powerpc/boot/dts/pcm032.dts b/arch/powerpc/boot/dts/pcm032.dts +index 96b139bf50e9c..ac3f53c1a1f5b 100644 +--- a/arch/powerpc/boot/dts/pcm032.dts ++++ b/arch/powerpc/boot/dts/pcm032.dts +@@ -26,7 +26,7 @@ + model = "phytec,pcm032"; + compatible = "phytec,pcm032"; + +- memory { ++ memory@0 { + reg = <0x00000000 0x08000000>; // 128MB + }; + +diff --git a/arch/powerpc/boot/dts/tqm5200.dts b/arch/powerpc/boot/dts/tqm5200.dts +index 1db07f6cf133c..68b9e8240fb5b 100644 +--- a/arch/powerpc/boot/dts/tqm5200.dts ++++ b/arch/powerpc/boot/dts/tqm5200.dts +@@ -36,7 +36,7 @@ + }; + }; + +- memory { ++ memory@0 { + device_type = "memory"; + reg = <0x00000000 0x04000000>; // 64MB + }; +-- +2.33.0 + diff --git a/queue-4.4/powerpc-dcr-use-cmplwi-instead-of-3-argument-cmpli.patch b/queue-4.4/powerpc-dcr-use-cmplwi-instead-of-3-argument-cmpli.patch new file mode 100644 index 00000000000..09363f1399d --- /dev/null +++ b/queue-4.4/powerpc-dcr-use-cmplwi-instead-of-3-argument-cmpli.patch @@ -0,0 +1,66 @@ +From 314fd9bc66825dc03fb239b353978d9b7696015c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Oct 2021 13:44:24 +1100 +Subject: powerpc/dcr: Use cmplwi instead of 3-argument cmpli +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michael Ellerman + +[ Upstream commit fef071be57dc43679a32d5b0e6ee176d6f12e9f2 ] + +In dcr-low.S we use cmpli with three arguments, instead of four +arguments as defined in the ISA: + + cmpli cr0,r3,1024 + +This appears to be a PPC440-ism, looking at the "PPC440x5 CPU Core +User’s Manual" it shows cmpli having no L field, but implied to be 0 due +to the core being 32-bit. It mentions that the ISA defines four +arguments and recommends using cmplwi. + +It also corresponds to the old POWER instruction set, which had no L +field there, a reserved bit instead. + +dcr-low.S is only built 32-bit, because it is only built when +DCR_NATIVE=y, which is only selected by 40x and 44x. Looking at the +generated code (with gcc/gas) we see cmplwi as expected. + +Although gas is happy with the 3-argument version when building for +32-bit, the LLVM assembler is not and errors out with: + + arch/powerpc/sysdev/dcr-low.S:27:10: error: invalid operand for instruction + cmpli 0,%r3,1024; ... + ^ + +Switch to the cmplwi extended opcode, which avoids any confusion when +reading the ISA, fixes the issue with the LLVM assembler, and also means +the code could be built 64-bit in future (though that's very unlikely). + +Reported-by: Nick Desaulniers +Reviewed-by: Nick Desaulniers +Signed-off-by: Michael Ellerman +BugLink: https://github.com/ClangBuiltLinux/linux/issues/1419 +Link: https://lore.kernel.org/r/20211014024424.528848-1-mpe@ellerman.id.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/sysdev/dcr-low.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/sysdev/dcr-low.S b/arch/powerpc/sysdev/dcr-low.S +index d3098ef1404a2..3943d19d5f63b 100644 +--- a/arch/powerpc/sysdev/dcr-low.S ++++ b/arch/powerpc/sysdev/dcr-low.S +@@ -14,7 +14,7 @@ + #include + + #define DCR_ACCESS_PROLOG(table) \ +- cmpli cr0,r3,1024; \ ++ cmplwi cr0,r3,1024; \ + rlwinm r3,r3,4,18,27; \ + lis r5,table@h; \ + ori r5,r5,table@l; \ +-- +2.33.0 + diff --git a/queue-4.4/sched-core-mitigate-race-cpus_share_cache-update_top.patch b/queue-4.4/sched-core-mitigate-race-cpus_share_cache-update_top.patch new file mode 100644 index 00000000000..5db596cd911 --- /dev/null +++ b/queue-4.4/sched-core-mitigate-race-cpus_share_cache-update_top.patch @@ -0,0 +1,61 @@ +From 22f7a05c798d36c2c9a88b952f564a7ec16eab1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Nov 2021 17:51:20 +0000 +Subject: sched/core: Mitigate race + cpus_share_cache()/update_top_cache_domain() + +From: Vincent Donnefort + +[ Upstream commit 42dc938a590c96eeb429e1830123fef2366d9c80 ] + +Nothing protects the access to the per_cpu variable sd_llc_id. When testing +the same CPU (i.e. this_cpu == that_cpu), a race condition exists with +update_top_cache_domain(). One scenario being: + + CPU1 CPU2 + ================================================================== + + per_cpu(sd_llc_id, CPUX) => 0 + partition_sched_domains_locked() + detach_destroy_domains() + cpus_share_cache(CPUX, CPUX) update_top_cache_domain(CPUX) + per_cpu(sd_llc_id, CPUX) => 0 + per_cpu(sd_llc_id, CPUX) = CPUX + per_cpu(sd_llc_id, CPUX) => CPUX + return false + +ttwu_queue_cond() wouldn't catch smp_processor_id() == cpu and the result +is a warning triggered from ttwu_queue_wakelist(). + +Avoid a such race in cpus_share_cache() by always returning true when +this_cpu == that_cpu. + +Fixes: 518cd6234178 ("sched: Only queue remote wakeups when crossing cache boundaries") +Reported-by: Jing-Ting Wu +Signed-off-by: Vincent Donnefort +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Valentin Schneider +Reviewed-by: Vincent Guittot +Link: https://lore.kernel.org/r/20211104175120.857087-1-vincent.donnefort@arm.com +Signed-off-by: Sasha Levin +--- + kernel/sched/core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index 4a0a754f24c87..69c6c740da11b 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -1885,6 +1885,9 @@ out: + + bool cpus_share_cache(int this_cpu, int that_cpu) + { ++ if (this_cpu == that_cpu) ++ return true; ++ + return per_cpu(sd_llc_id, this_cpu) == per_cpu(sd_llc_id, that_cpu); + } + #endif /* CONFIG_SMP */ +-- +2.33.0 + diff --git a/queue-4.4/scsi-advansys-fix-kernel-pointer-leak.patch b/queue-4.4/scsi-advansys-fix-kernel-pointer-leak.patch new file mode 100644 index 00000000000..00c43c12b4b --- /dev/null +++ b/queue-4.4/scsi-advansys-fix-kernel-pointer-leak.patch @@ -0,0 +1,40 @@ +From 192088e1ecf69c53c9fd7eb0f143989f24473fa2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Sep 2021 20:25:37 +0800 +Subject: scsi: advansys: Fix kernel pointer leak + +From: Guo Zhi + +[ Upstream commit d4996c6eac4c81b8872043e9391563f67f13e406 ] + +Pointers should be printed with %p or %px rather than cast to 'unsigned +long' and printed with %lx. + +Change %lx to %p to print the hashed pointer. + +Link: https://lore.kernel.org/r/20210929122538.1158235-1-qtxuning1999@sjtu.edu.cn +Signed-off-by: Guo Zhi +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/advansys.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/advansys.c b/drivers/scsi/advansys.c +index 24e57e770432b..6efd17692a55a 100644 +--- a/drivers/scsi/advansys.c ++++ b/drivers/scsi/advansys.c +@@ -3370,8 +3370,8 @@ static void asc_prt_adv_board_info(struct seq_file *m, struct Scsi_Host *shost) + shost->host_no); + + seq_printf(m, +- " iop_base 0x%lx, cable_detect: %X, err_code %u\n", +- (unsigned long)v->iop_base, ++ " iop_base 0x%p, cable_detect: %X, err_code %u\n", ++ v->iop_base, + AdvReadWordRegister(iop_base,IOPW_SCSI_CFG1) & CABLE_DETECT, + v->err_code); + +-- +2.33.0 + diff --git a/queue-4.4/scsi-lpfc-fix-list_add-corruption-in-lpfc_drain_txq.patch b/queue-4.4/scsi-lpfc-fix-list_add-corruption-in-lpfc_drain_txq.patch new file mode 100644 index 00000000000..f9fa6ab1b4b --- /dev/null +++ b/queue-4.4/scsi-lpfc-fix-list_add-corruption-in-lpfc_drain_txq.patch @@ -0,0 +1,48 @@ +From 244019da09381a5b4893845053640687344917a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Sep 2021 16:31:46 -0700 +Subject: scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq() + +From: James Smart + +[ Upstream commit 99154581b05c8fb22607afb7c3d66c1bace6aa5d ] + +When parsing the txq list in lpfc_drain_txq(), the driver attempts to pass +the requests to the adapter. If such an attempt fails, a local "fail_msg" +string is set and a log message output. The job is then added to a +completions list for cancellation. + +Processing of any further jobs from the txq list continues, but since +"fail_msg" remains set, jobs are added to the completions list regardless +of whether a wqe was passed to the adapter. If successfully added to +txcmplq, jobs are added to both lists resulting in list corruption. + +Fix by clearing the fail_msg string after adding a job to the completions +list. This stops the subsequent jobs from being added to the completions +list unless they had an appropriate failure. + +Link: https://lore.kernel.org/r/20210910233159.115896-2-jsmart2021@gmail.com +Co-developed-by: Justin Tee +Signed-off-by: Justin Tee +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_sli.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index 9055a8fce3d4a..2087125922a11 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -17071,6 +17071,7 @@ lpfc_drain_txq(struct lpfc_hba *phba) + fail_msg, + piocbq->iotag, piocbq->sli4_xritag); + list_add_tail(&piocbq->list, &completions); ++ fail_msg = NULL; + } + spin_unlock_irqrestore(&pring->ring_lock, iflags); + } +-- +2.33.0 + diff --git a/queue-4.4/scsi-target-fix-alua_tg_pt_gps_count-tracking.patch b/queue-4.4/scsi-target-fix-alua_tg_pt_gps_count-tracking.patch new file mode 100644 index 00000000000..771626cc7b1 --- /dev/null +++ b/queue-4.4/scsi-target-fix-alua_tg_pt_gps_count-tracking.patch @@ -0,0 +1,45 @@ +From 80533ab9d8d74715c9eb27f8e3c024445f7d38c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Sep 2021 21:04:20 -0500 +Subject: scsi: target: Fix alua_tg_pt_gps_count tracking + +From: Mike Christie + +[ Upstream commit 1283c0d1a32bb924324481586b5d6e8e76f676ba ] + +We can't free the tg_pt_gp in core_alua_set_tg_pt_gp_id() because it's +still accessed via configfs. Its release must go through the normal +configfs/refcount process. + +The max alua_tg_pt_gps_count check should probably have been done in +core_alua_allocate_tg_pt_gp(), but with the current code userspace could +have created 0x0000ffff + 1 groups, but only set the id for 0x0000ffff. +Then it could have deleted a group with an ID set, and then set the ID for +that extra group and it would work ok. + +It's unlikely, but just in case this patch continues to allow that type of +behavior, and just fixes the kfree() while in use bug. + +Link: https://lore.kernel.org/r/20210930020422.92578-4-michael.christie@oracle.com +Signed-off-by: Mike Christie +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_alua.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/target/target_core_alua.c b/drivers/target/target_core_alua.c +index 1fe782f9ee816..f1e09e7704afe 100644 +--- a/drivers/target/target_core_alua.c ++++ b/drivers/target/target_core_alua.c +@@ -1735,7 +1735,6 @@ int core_alua_set_tg_pt_gp_id( + pr_err("Maximum ALUA alua_tg_pt_gps_count:" + " 0x0000ffff reached\n"); + spin_unlock(&dev->t10_alua.tg_pt_gps_lock); +- kmem_cache_free(t10_alua_tg_pt_gp_cache, tg_pt_gp); + return -ENOSPC; + } + again: +-- +2.33.0 + diff --git a/queue-4.4/scsi-target-fix-ordered-tag-handling.patch b/queue-4.4/scsi-target-fix-ordered-tag-handling.patch new file mode 100644 index 00000000000..ef0ea5f706c --- /dev/null +++ b/queue-4.4/scsi-target-fix-ordered-tag-handling.patch @@ -0,0 +1,268 @@ +From 36b644c79bf63b8a5ef2296f590a62062f59c291 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Sep 2021 21:04:19 -0500 +Subject: scsi: target: Fix ordered tag handling + +From: Mike Christie + +[ Upstream commit ed1227e080990ffec5bf39006ec8a57358e6689a ] + +This patch fixes the following bugs: + +1. If there are multiple ordered cmds queued and multiple simple cmds + completing, target_restart_delayed_cmds() could be called on different + CPUs and each instance could start a ordered cmd. They could then run in + different orders than they were queued. + +2. target_restart_delayed_cmds() and target_handle_task_attr() can race + where: + + 1. target_handle_task_attr() has passed the simple_cmds == 0 check. + + 2. transport_complete_task_attr() then decrements simple_cmds to 0. + + 3. transport_complete_task_attr() runs target_restart_delayed_cmds() and + it does not see any cmds on the delayed_cmd_list. + + 4. target_handle_task_attr() adds the cmd to the delayed_cmd_list. + + The cmd will then end up timing out. + +3. If we are sent > 1 ordered cmds and simple_cmds == 0, we can execute + them out of order, because target_handle_task_attr() will hit that + simple_cmds check first and return false for all ordered cmds sent. + +4. We run target_restart_delayed_cmds() after every cmd completion, so if + there is more than 1 simple cmd running, we start executing ordered cmds + after that first cmd instead of waiting for all of them to complete. + +5. Ordered cmds are not supposed to start until HEAD OF QUEUE and all older + cmds have completed, and not just simple. + +6. It's not a bug but it doesn't make sense to take the delayed_cmd_lock + for every cmd completion when ordered cmds are almost never used. Just + replacing that lock with an atomic increases IOPs by up to 10% when + completions are spread over multiple CPUs and there are multiple + sessions/ mqs/thread accessing the same device. + +This patch moves the queued delayed handling to a per device work to +serialze the cmd executions for each device and adds a new counter to track +HEAD_OF_QUEUE and SIMPLE cmds. We can then check the new counter to +determine when to run the work on the completion path. + +Link: https://lore.kernel.org/r/20210930020422.92578-3-michael.christie@oracle.com +Signed-off-by: Mike Christie +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_device.c | 2 + + drivers/target/target_core_internal.h | 1 + + drivers/target/target_core_transport.c | 76 ++++++++++++++++++-------- + include/target/target_core_base.h | 6 +- + 4 files changed, 61 insertions(+), 24 deletions(-) + +diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c +index 4198ed4ac6073..7a8da5758be8b 100644 +--- a/drivers/target/target_core_device.c ++++ b/drivers/target/target_core_device.c +@@ -800,6 +800,8 @@ struct se_device *target_alloc_device(struct se_hba *hba, const char *name) + INIT_LIST_HEAD(&dev->t10_alua.lba_map_list); + spin_lock_init(&dev->t10_alua.lba_map_lock); + ++ INIT_WORK(&dev->delayed_cmd_work, target_do_delayed_work); ++ + dev->t10_wwn.t10_dev = dev; + dev->t10_alua.t10_dev = dev; + +diff --git a/drivers/target/target_core_internal.h b/drivers/target/target_core_internal.h +index 272e6f755322c..c0ee5e1f2b104 100644 +--- a/drivers/target/target_core_internal.h ++++ b/drivers/target/target_core_internal.h +@@ -146,6 +146,7 @@ void transport_clear_lun_ref(struct se_lun *); + void transport_send_task_abort(struct se_cmd *); + sense_reason_t target_cmd_size_check(struct se_cmd *cmd, unsigned int size); + void target_qf_do_work(struct work_struct *work); ++void target_do_delayed_work(struct work_struct *work); + bool target_check_wce(struct se_device *dev); + bool target_check_fua(struct se_device *dev); + void __target_execute_cmd(struct se_cmd *, bool); +diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c +index 6c6aa23ced45f..75b29458c4da8 100644 +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -1877,32 +1877,35 @@ static bool target_handle_task_attr(struct se_cmd *cmd) + */ + switch (cmd->sam_task_attr) { + case TCM_HEAD_TAG: ++ atomic_inc_mb(&dev->non_ordered); + pr_debug("Added HEAD_OF_QUEUE for CDB: 0x%02x\n", + cmd->t_task_cdb[0]); + return false; + case TCM_ORDERED_TAG: +- atomic_inc_mb(&dev->dev_ordered_sync); ++ atomic_inc_mb(&dev->delayed_cmd_count); + + pr_debug("Added ORDERED for CDB: 0x%02x to ordered list\n", + cmd->t_task_cdb[0]); +- +- /* +- * Execute an ORDERED command if no other older commands +- * exist that need to be completed first. +- */ +- if (!atomic_read(&dev->simple_cmds)) +- return false; + break; + default: + /* + * For SIMPLE and UNTAGGED Task Attribute commands + */ +- atomic_inc_mb(&dev->simple_cmds); ++ atomic_inc_mb(&dev->non_ordered); ++ ++ if (atomic_read(&dev->delayed_cmd_count) == 0) ++ return false; + break; + } + +- if (atomic_read(&dev->dev_ordered_sync) == 0) +- return false; ++ if (cmd->sam_task_attr != TCM_ORDERED_TAG) { ++ atomic_inc_mb(&dev->delayed_cmd_count); ++ /* ++ * We will account for this when we dequeue from the delayed ++ * list. ++ */ ++ atomic_dec_mb(&dev->non_ordered); ++ } + + spin_lock(&dev->delayed_cmd_lock); + list_add_tail(&cmd->se_delayed_node, &dev->delayed_cmd_list); +@@ -1910,6 +1913,12 @@ static bool target_handle_task_attr(struct se_cmd *cmd) + + pr_debug("Added CDB: 0x%02x Task Attr: 0x%02x to delayed CMD listn", + cmd->t_task_cdb[0], cmd->sam_task_attr); ++ /* ++ * We may have no non ordered cmds when this function started or we ++ * could have raced with the last simple/head cmd completing, so kick ++ * the delayed handler here. ++ */ ++ schedule_work(&dev->delayed_cmd_work); + return true; + } + +@@ -1960,29 +1969,48 @@ EXPORT_SYMBOL(target_execute_cmd); + * Process all commands up to the last received ORDERED task attribute which + * requires another blocking boundary + */ +-static void target_restart_delayed_cmds(struct se_device *dev) ++void target_do_delayed_work(struct work_struct *work) + { +- for (;;) { ++ struct se_device *dev = container_of(work, struct se_device, ++ delayed_cmd_work); ++ ++ spin_lock(&dev->delayed_cmd_lock); ++ while (!dev->ordered_sync_in_progress) { + struct se_cmd *cmd; + +- spin_lock(&dev->delayed_cmd_lock); +- if (list_empty(&dev->delayed_cmd_list)) { +- spin_unlock(&dev->delayed_cmd_lock); ++ if (list_empty(&dev->delayed_cmd_list)) + break; +- } + + cmd = list_entry(dev->delayed_cmd_list.next, + struct se_cmd, se_delayed_node); ++ ++ if (cmd->sam_task_attr == TCM_ORDERED_TAG) { ++ /* ++ * Check if we started with: ++ * [ordered] [simple] [ordered] ++ * and we are now at the last ordered so we have to wait ++ * for the simple cmd. ++ */ ++ if (atomic_read(&dev->non_ordered) > 0) ++ break; ++ ++ dev->ordered_sync_in_progress = true; ++ } ++ + list_del(&cmd->se_delayed_node); ++ atomic_dec_mb(&dev->delayed_cmd_count); + spin_unlock(&dev->delayed_cmd_lock); + ++ if (cmd->sam_task_attr != TCM_ORDERED_TAG) ++ atomic_inc_mb(&dev->non_ordered); ++ + cmd->transport_state |= CMD_T_SENT; + + __target_execute_cmd(cmd, true); + +- if (cmd->sam_task_attr == TCM_ORDERED_TAG) +- break; ++ spin_lock(&dev->delayed_cmd_lock); + } ++ spin_unlock(&dev->delayed_cmd_lock); + } + + /* +@@ -2000,16 +2028,19 @@ static void transport_complete_task_attr(struct se_cmd *cmd) + goto restart; + + if (cmd->sam_task_attr == TCM_SIMPLE_TAG) { +- atomic_dec_mb(&dev->simple_cmds); ++ atomic_dec_mb(&dev->non_ordered); + dev->dev_cur_ordered_id++; + pr_debug("Incremented dev->dev_cur_ordered_id: %u for SIMPLE\n", + dev->dev_cur_ordered_id); + } else if (cmd->sam_task_attr == TCM_HEAD_TAG) { ++ atomic_dec_mb(&dev->non_ordered); + dev->dev_cur_ordered_id++; + pr_debug("Incremented dev_cur_ordered_id: %u for HEAD_OF_QUEUE\n", + dev->dev_cur_ordered_id); + } else if (cmd->sam_task_attr == TCM_ORDERED_TAG) { +- atomic_dec_mb(&dev->dev_ordered_sync); ++ spin_lock(&dev->delayed_cmd_lock); ++ dev->ordered_sync_in_progress = false; ++ spin_unlock(&dev->delayed_cmd_lock); + + dev->dev_cur_ordered_id++; + pr_debug("Incremented dev_cur_ordered_id: %u for ORDERED\n", +@@ -2018,7 +2049,8 @@ static void transport_complete_task_attr(struct se_cmd *cmd) + cmd->se_cmd_flags &= ~SCF_TASK_ATTR_SET; + + restart: +- target_restart_delayed_cmds(dev); ++ if (atomic_read(&dev->delayed_cmd_count) > 0) ++ schedule_work(&dev->delayed_cmd_work); + } + + static void transport_complete_qf(struct se_cmd *cmd) +diff --git a/include/target/target_core_base.h b/include/target/target_core_base.h +index 5aa8e0e62e309..7b08d0c5b6624 100644 +--- a/include/target/target_core_base.h ++++ b/include/target/target_core_base.h +@@ -787,8 +787,9 @@ struct se_device { + atomic_long_t read_bytes; + atomic_long_t write_bytes; + /* Active commands on this virtual SE device */ +- atomic_t simple_cmds; +- atomic_t dev_ordered_sync; ++ atomic_t non_ordered; ++ bool ordered_sync_in_progress; ++ atomic_t delayed_cmd_count; + atomic_t dev_qf_count; + u32 export_count; + spinlock_t delayed_cmd_lock; +@@ -811,6 +812,7 @@ struct se_device { + struct list_head dev_tmr_list; + struct workqueue_struct *tmr_wq; + struct work_struct qf_work_queue; ++ struct work_struct delayed_cmd_work; + struct list_head delayed_cmd_list; + struct list_head state_list; + struct list_head qf_cmd_list; +-- +2.33.0 + diff --git a/queue-4.4/series b/queue-4.4/series index 8728dc4b24a..7730a83480e 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -114,3 +114,27 @@ pci-add-pci_exp_devctl_payload_-macros.patch parisc-entry-fix-trace-test-in-syscall-exit-path.patch pci-msi-destroy-sysfs-before-freeing-entries.patch net-batman-adv-fix-error-handling.patch +scsi-lpfc-fix-list_add-corruption-in-lpfc_drain_txq.patch +usb-musb-tusb6010-check-return-value-after-calling-p.patch +scsi-advansys-fix-kernel-pointer-leak.patch +arm-dts-omap-fix-gpmc-mux-add-data-type.patch +usb-host-ohci-tmio-check-return-value-after-calling-.patch +tty-tty_buffer-fix-the-softlockup-issue-in-flush_to_.patch +mips-sni-fix-the-build.patch +scsi-target-fix-ordered-tag-handling.patch +scsi-target-fix-alua_tg_pt_gps_count-tracking.patch +powerpc-5200-dts-fix-memory-node-unit-name.patch +alsa-gus-fix-null-pointer-dereference-on-pointer-blo.patch +powerpc-dcr-use-cmplwi-instead-of-3-argument-cmpli.patch +sh-check-return-code-of-request_irq.patch +maple-fix-wrong-return-value-of-maple_bus_init.patch +sh-fix-kconfig-unmet-dependency-warning-for-frame_po.patch +sh-define-__big_endian-for-math-emu.patch +mips-bcm63xx-ensure-that-cpu_supports_32bit_kernel-i.patch +sched-core-mitigate-race-cpus_share_cache-update_top.patch +net-bnx2x-fix-variable-dereferenced-before-check.patch +mips-bcm63xx-add-support-for-clk_get_parent.patch +platform-x86-hp_accel-fix-an-error-handling-path-in-.patch +nfc-reorganize-the-functions-in-nci_request.patch +nfc-reorder-the-logic-in-nfc_-un-register_device.patch +perf-bench-fix-two-memory-leaks-detected-with-asan.patch diff --git a/queue-4.4/sh-check-return-code-of-request_irq.patch b/queue-4.4/sh-check-return-code-of-request_irq.patch new file mode 100644 index 00000000000..3f386ae889c --- /dev/null +++ b/queue-4.4/sh-check-return-code-of-request_irq.patch @@ -0,0 +1,45 @@ +From 83ca0fc8c22c3f5279b4545367dca9ed6baf6c95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Dec 2020 12:54:01 -0800 +Subject: sh: check return code of request_irq + +From: Nick Desaulniers + +[ Upstream commit 0e38225c92c7964482a8bb6b3e37fde4319e965c ] + +request_irq is marked __must_check, but the call in shx3_prepare_cpus +has a void return type, so it can't propagate failure to the caller. +Follow cues from hexagon and just print an error. + +Fixes: c7936b9abcf5 ("sh: smp: Hook in to the generic IPI handler for SH-X3 SMP.") +Cc: Miguel Ojeda +Cc: Paul Mundt +Reported-by: Guenter Roeck +Signed-off-by: Nick Desaulniers +Tested-by: John Paul Adrian Glaubitz +Reviewed-by: Miguel Ojeda +Signed-off-by: Rich Felker +Signed-off-by: Sasha Levin +--- + arch/sh/kernel/cpu/sh4a/smp-shx3.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/arch/sh/kernel/cpu/sh4a/smp-shx3.c b/arch/sh/kernel/cpu/sh4a/smp-shx3.c +index 4a298808789c4..4a1cee5da2dc5 100644 +--- a/arch/sh/kernel/cpu/sh4a/smp-shx3.c ++++ b/arch/sh/kernel/cpu/sh4a/smp-shx3.c +@@ -78,8 +78,9 @@ static void shx3_prepare_cpus(unsigned int max_cpus) + BUILD_BUG_ON(SMP_MSG_NR >= 8); + + for (i = 0; i < SMP_MSG_NR; i++) +- request_irq(104 + i, ipi_interrupt_handler, +- IRQF_PERCPU, "IPI", (void *)(long)i); ++ if (request_irq(104 + i, ipi_interrupt_handler, ++ IRQF_PERCPU, "IPI", (void *)(long)i)) ++ pr_err("Failed to request irq %d\n", i); + + for (i = 0; i < max_cpus; i++) + set_cpu_present(i, true); +-- +2.33.0 + diff --git a/queue-4.4/sh-define-__big_endian-for-math-emu.patch b/queue-4.4/sh-define-__big_endian-for-math-emu.patch new file mode 100644 index 00000000000..e3942efffe1 --- /dev/null +++ b/queue-4.4/sh-define-__big_endian-for-math-emu.patch @@ -0,0 +1,59 @@ +From 46962031355e55e0cb3a4fbde6a9e2122de5e64b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Oct 2021 17:19:13 -0700 +Subject: sh: define __BIG_ENDIAN for math-emu + +From: Randy Dunlap + +[ Upstream commit b929926f01f2d14635345d22eafcf60feed1085e ] + +Fix this by defining both ENDIAN macros in + so that they can be utilized in + according to the latter's comment: +/* Allow sfp-machine to have its own byte order definitions. */ + +(This is what is done in arch/nds32/include/asm/sfp-machine.h.) + +This placates these build warnings: + +In file included from ../arch/sh/math-emu/math.c:23: +.../include/math-emu/single.h:50:21: warning: "__BIG_ENDIAN" is not defined, evaluates to 0 [-Wundef] + 50 | #if __BYTE_ORDER == __BIG_ENDIAN +In file included from ../arch/sh/math-emu/math.c:24: +.../include/math-emu/double.h:59:21: warning: "__BIG_ENDIAN" is not defined, evaluates to 0 [-Wundef] + 59 | #if __BYTE_ORDER == __BIG_ENDIAN + +Fixes: 4b565680d163 ("sh: math-emu support") +Signed-off-by: Randy Dunlap +Cc: Yoshinori Sato +Cc: John Paul Adrian Glaubitz +Reviewed-by: Geert Uytterhoeven +Tested-by: John Paul Adrian Glaubitz +Signed-off-by: Rich Felker +Signed-off-by: Sasha Levin +--- + arch/sh/include/asm/sfp-machine.h | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/arch/sh/include/asm/sfp-machine.h b/arch/sh/include/asm/sfp-machine.h +index d3c548443f2a6..dd195c6f3b9d8 100644 +--- a/arch/sh/include/asm/sfp-machine.h ++++ b/arch/sh/include/asm/sfp-machine.h +@@ -25,6 +25,14 @@ + #ifndef _SFP_MACHINE_H + #define _SFP_MACHINE_H + ++#ifdef __BIG_ENDIAN__ ++#define __BYTE_ORDER __BIG_ENDIAN ++#define __LITTLE_ENDIAN 0 ++#else ++#define __BYTE_ORDER __LITTLE_ENDIAN ++#define __BIG_ENDIAN 0 ++#endif ++ + #define _FP_W_TYPE_SIZE 32 + #define _FP_W_TYPE unsigned long + #define _FP_WS_TYPE signed long +-- +2.33.0 + diff --git a/queue-4.4/sh-fix-kconfig-unmet-dependency-warning-for-frame_po.patch b/queue-4.4/sh-fix-kconfig-unmet-dependency-warning-for-frame_po.patch new file mode 100644 index 00000000000..7a6ff8cefb5 --- /dev/null +++ b/queue-4.4/sh-fix-kconfig-unmet-dependency-warning-for-frame_po.patch @@ -0,0 +1,47 @@ +From c05f4a2c65abd5ec7e800d010b93e9a8a2131ea6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Oct 2021 17:19:10 -0700 +Subject: sh: fix kconfig unmet dependency warning for FRAME_POINTER + +From: Randy Dunlap + +[ Upstream commit fda1bc533094a7db68b11e7503d2c6c73993d12a ] + +FRAME_POINTER depends on DEBUG_KERNEL so DWARF_UNWINDER should +depend on DEBUG_KERNEL before selecting FRAME_POINTER. + +WARNING: unmet direct dependencies detected for FRAME_POINTER + Depends on [n]: DEBUG_KERNEL [=n] && (M68K || UML || SUPERH [=y]) || ARCH_WANT_FRAME_POINTERS [=n] + Selected by [y]: + - DWARF_UNWINDER [=y] + +Fixes: bd353861c735 ("sh: dwarf unwinder support.") +Signed-off-by: Randy Dunlap +Cc: Matt Fleming +Cc: Matt Fleming +Cc: Yoshinori Sato +Cc: John Paul Adrian Glaubitz +Cc: Geert Uytterhoeven +Reviewed-by: Geert Uytterhoeven +Tested-by: John Paul Adrian Glaubitz +Signed-off-by: Rich Felker +Signed-off-by: Sasha Levin +--- + arch/sh/Kconfig.debug | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/sh/Kconfig.debug b/arch/sh/Kconfig.debug +index 5f2bb4242c0f7..c50c397cbcf75 100644 +--- a/arch/sh/Kconfig.debug ++++ b/arch/sh/Kconfig.debug +@@ -60,6 +60,7 @@ config DUMP_CODE + + config DWARF_UNWINDER + bool "Enable the DWARF unwinder for stacktraces" ++ depends on DEBUG_KERNEL + select FRAME_POINTER + depends on SUPERH32 + default n +-- +2.33.0 + diff --git a/queue-4.4/tty-tty_buffer-fix-the-softlockup-issue-in-flush_to_.patch b/queue-4.4/tty-tty_buffer-fix-the-softlockup-issue-in-flush_to_.patch new file mode 100644 index 00000000000..120f97be4d5 --- /dev/null +++ b/queue-4.4/tty-tty_buffer-fix-the-softlockup-issue-in-flush_to_.patch @@ -0,0 +1,69 @@ +From 710da6524007f04f43f80f47909de03a5428ee40 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Oct 2021 22:08:24 +0800 +Subject: tty: tty_buffer: Fix the softlockup issue in flush_to_ldisc + +From: Guanghui Feng + +[ Upstream commit 3968ddcf05fb4b9409cd1859feb06a5b0550a1c1 ] + +When running ltp testcase(ltp/testcases/kernel/pty/pty04.c) with arm64, there is a soft lockup, +which look like this one: + + Workqueue: events_unbound flush_to_ldisc + Call trace: + dump_backtrace+0x0/0x1ec + show_stack+0x24/0x30 + dump_stack+0xd0/0x128 + panic+0x15c/0x374 + watchdog_timer_fn+0x2b8/0x304 + __run_hrtimer+0x88/0x2c0 + __hrtimer_run_queues+0xa4/0x120 + hrtimer_interrupt+0xfc/0x270 + arch_timer_handler_phys+0x40/0x50 + handle_percpu_devid_irq+0x94/0x220 + __handle_domain_irq+0x88/0xf0 + gic_handle_irq+0x84/0xfc + el1_irq+0xc8/0x180 + slip_unesc+0x80/0x214 [slip] + tty_ldisc_receive_buf+0x64/0x80 + tty_port_default_receive_buf+0x50/0x90 + flush_to_ldisc+0xbc/0x110 + process_one_work+0x1d4/0x4b0 + worker_thread+0x180/0x430 + kthread+0x11c/0x120 + +In the testcase pty04, The first process call the write syscall to send +data to the pty master. At the same time, the workqueue will do the +flush_to_ldisc to pop data in a loop until there is no more data left. +When the sender and workqueue running in different core, the sender sends +data fastly in full time which will result in workqueue doing work in loop +for a long time and occuring softlockup in flush_to_ldisc with kernel +configured without preempt. So I add need_resched check and cond_resched +in the flush_to_ldisc loop to avoid it. + +Signed-off-by: Guanghui Feng +Link: https://lore.kernel.org/r/1633961304-24759-1-git-send-email-guanghuifeng@linux.alibaba.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/tty_buffer.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/tty/tty_buffer.c b/drivers/tty/tty_buffer.c +index 4706df20191b1..832aec1f145f9 100644 +--- a/drivers/tty/tty_buffer.c ++++ b/drivers/tty/tty_buffer.c +@@ -519,6 +519,9 @@ static void flush_to_ldisc(struct work_struct *work) + if (!count) + break; + head->read += count; ++ ++ if (need_resched()) ++ cond_resched(); + } + + mutex_unlock(&buf->lock); +-- +2.33.0 + diff --git a/queue-4.4/usb-host-ohci-tmio-check-return-value-after-calling-.patch b/queue-4.4/usb-host-ohci-tmio-check-return-value-after-calling-.patch new file mode 100644 index 00000000000..8fa6b801a52 --- /dev/null +++ b/queue-4.4/usb-host-ohci-tmio-check-return-value-after-calling-.patch @@ -0,0 +1,38 @@ +From ac576bcf280b236480ac78bf1abe872997c4154f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Oct 2021 21:49:20 +0800 +Subject: usb: host: ohci-tmio: check return value after calling + platform_get_resource() + +From: Yang Yingliang + +[ Upstream commit 9eff2b2e59fda25051ab36cd1cb5014661df657b ] + +It will cause null-ptr-deref if platform_get_resource() returns NULL, +we need check the return value. + +Acked-by: Alan Stern +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20211011134920.118477-1-yangyingliang@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/ohci-tmio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/host/ohci-tmio.c b/drivers/usb/host/ohci-tmio.c +index 9c9e97294c18d..4d42ae3b2fd6d 100644 +--- a/drivers/usb/host/ohci-tmio.c ++++ b/drivers/usb/host/ohci-tmio.c +@@ -199,7 +199,7 @@ static int ohci_hcd_tmio_drv_probe(struct platform_device *dev) + if (usb_disabled()) + return -ENODEV; + +- if (!cell) ++ if (!cell || !regs || !config || !sram) + return -EINVAL; + + if (irq < 0) +-- +2.33.0 + diff --git a/queue-4.4/usb-musb-tusb6010-check-return-value-after-calling-p.patch b/queue-4.4/usb-musb-tusb6010-check-return-value-after-calling-p.patch new file mode 100644 index 00000000000..1167b25a3e5 --- /dev/null +++ b/queue-4.4/usb-musb-tusb6010-check-return-value-after-calling-p.patch @@ -0,0 +1,40 @@ +From 63362cbae975b0599f6847da8ec64c8c6a8f7744 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Sep 2021 11:49:25 +0800 +Subject: usb: musb: tusb6010: check return value after calling + platform_get_resource() + +From: Yang Yingliang + +[ Upstream commit 14651496a3de6807a17c310f63c894ea0c5d858e ] + +It will cause null-ptr-deref if platform_get_resource() returns NULL, +we need check the return value. + +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20210915034925.2399823-1-yangyingliang@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/musb/tusb6010.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/usb/musb/tusb6010.c b/drivers/usb/musb/tusb6010.c +index 85a57385958fd..f4297e5495958 100644 +--- a/drivers/usb/musb/tusb6010.c ++++ b/drivers/usb/musb/tusb6010.c +@@ -1120,6 +1120,11 @@ static int tusb_musb_init(struct musb *musb) + + /* dma address for async dma */ + mem = platform_get_resource(pdev, IORESOURCE_MEM, 0); ++ if (!mem) { ++ pr_debug("no async dma resource?\n"); ++ ret = -ENODEV; ++ goto done; ++ } + musb->async = mem->start; + + /* dma address for sync dma */ +-- +2.33.0 +