From: Sasha Levin Date: Mon, 22 Jun 2020 12:46:12 +0000 (-0400) Subject: Fixes for 4.14 X-Git-Tag: v5.7.6~54 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7b253c23dd71249347a8c6bc186980dd5958eaf1;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/alsa-isa-wavefront-prevent-out-of-bounds-write-in-io.patch b/queue-4.14/alsa-isa-wavefront-prevent-out-of-bounds-write-in-io.patch new file mode 100644 index 00000000000..30a4938d323 --- /dev/null +++ b/queue-4.14/alsa-isa-wavefront-prevent-out-of-bounds-write-in-io.patch @@ -0,0 +1,49 @@ +From e2ae68d4eec138937ec21cbf2c6e63afb88d8fc0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 May 2020 12:40:11 +0300 +Subject: ALSA: isa/wavefront: prevent out of bounds write in ioctl + +From: Dan Carpenter + +[ Upstream commit 7f0d5053c5a9d23fe5c2d337495a9d79038d267b ] + +The "header->number" comes from the ioctl and it needs to be clamped to +prevent out of bounds writes. + +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/20200501094011.GA960082@mwanda +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/isa/wavefront/wavefront_synth.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/sound/isa/wavefront/wavefront_synth.c b/sound/isa/wavefront/wavefront_synth.c +index 0b1e4b34b2996..13c8e6542a2fc 100644 +--- a/sound/isa/wavefront/wavefront_synth.c ++++ b/sound/isa/wavefront/wavefront_synth.c +@@ -1175,7 +1175,10 @@ wavefront_send_alias (snd_wavefront_t *dev, wavefront_patch_info *header) + "alias for %d\n", + header->number, + header->hdr.a.OriginalSample); +- ++ ++ if (header->number >= WF_MAX_SAMPLE) ++ return -EINVAL; ++ + munge_int32 (header->number, &alias_hdr[0], 2); + munge_int32 (header->hdr.a.OriginalSample, &alias_hdr[2], 2); + munge_int32 (*((unsigned int *)&header->hdr.a.sampleStartOffset), +@@ -1206,6 +1209,9 @@ wavefront_send_multisample (snd_wavefront_t *dev, wavefront_patch_info *header) + int num_samples; + unsigned char *msample_hdr; + ++ if (header->number >= WF_MAX_SAMPLE) ++ return -EINVAL; ++ + msample_hdr = kmalloc(WF_MSAMPLE_BYTES, GFP_KERNEL); + if (! msample_hdr) + return -ENOMEM; +-- +2.25.1 + diff --git a/queue-4.14/alsa-usb-audio-improve-frames-size-computation.patch b/queue-4.14/alsa-usb-audio-improve-frames-size-computation.patch new file mode 100644 index 00000000000..4b84b98cbf3 --- /dev/null +++ b/queue-4.14/alsa-usb-audio-improve-frames-size-computation.patch @@ -0,0 +1,167 @@ +From b366cf08395920bf2bdc96183ce2b7023798aea3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Apr 2020 05:24:48 +0300 +Subject: ALSA: usb-audio: Improve frames size computation + +From: Alexander Tsoy + +[ Upstream commit f0bd62b64016508938df9babe47f65c2c727d25c ] + +For computation of the the next frame size current value of fs/fps and +accumulated fractional parts of fs/fps are used, where values are stored +in Q16.16 format. This is quite natural for computing frame size for +asynchronous endpoints driven by explicit feedback, since in this case +fs/fps is a value provided by the feedback endpoint and it's already in +the Q format. If an error is accumulated over time, the device can +adjust fs/fps value to prevent buffer overruns/underruns. + +But for synchronous endpoints the accuracy provided by these computations +is not enough. Due to accumulated error the driver periodically produces +frames with incorrect size (+/- 1 audio sample). + +This patch fixes this issue by implementing a different algorithm for +frame size computation. It is based on accumulating of the remainders +from division fs/fps and it doesn't accumulate errors over time. This +new method is enabled for synchronous and adaptive playback endpoints. + +Signed-off-by: Alexander Tsoy +Link: https://lore.kernel.org/r/20200424022449.14972-1-alexander@tsoy.me +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/card.h | 4 ++++ + sound/usb/endpoint.c | 43 ++++++++++++++++++++++++++++++++++++++----- + sound/usb/endpoint.h | 1 + + sound/usb/pcm.c | 2 ++ + 4 files changed, 45 insertions(+), 5 deletions(-) + +diff --git a/sound/usb/card.h b/sound/usb/card.h +index ed87cc83eb47d..9dbcbb27c28eb 100644 +--- a/sound/usb/card.h ++++ b/sound/usb/card.h +@@ -81,6 +81,10 @@ struct snd_usb_endpoint { + dma_addr_t sync_dma; /* DMA address of syncbuf */ + + unsigned int pipe; /* the data i/o pipe */ ++ unsigned int framesize[2]; /* small/large frame sizes in samples */ ++ unsigned int sample_rem; /* remainder from division fs/fps */ ++ unsigned int sample_accum; /* sample accumulator */ ++ unsigned int fps; /* frames per second */ + unsigned int freqn; /* nominal sampling rate in fs/fps in Q16.16 format */ + unsigned int freqm; /* momentary sampling rate in fs/fps in Q16.16 format */ + int freqshift; /* how much to shift the feedback value to get Q16.16 */ +diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c +index 8caf0b57f9c62..8412195608720 100644 +--- a/sound/usb/endpoint.c ++++ b/sound/usb/endpoint.c +@@ -137,12 +137,12 @@ int snd_usb_endpoint_implicit_feedback_sink(struct snd_usb_endpoint *ep) + + /* + * For streaming based on information derived from sync endpoints, +- * prepare_outbound_urb_sizes() will call next_packet_size() to ++ * prepare_outbound_urb_sizes() will call slave_next_packet_size() to + * determine the number of samples to be sent in the next packet. + * +- * For implicit feedback, next_packet_size() is unused. ++ * For implicit feedback, slave_next_packet_size() is unused. + */ +-int snd_usb_endpoint_next_packet_size(struct snd_usb_endpoint *ep) ++int snd_usb_endpoint_slave_next_packet_size(struct snd_usb_endpoint *ep) + { + unsigned long flags; + int ret; +@@ -159,6 +159,29 @@ int snd_usb_endpoint_next_packet_size(struct snd_usb_endpoint *ep) + return ret; + } + ++/* ++ * For adaptive and synchronous endpoints, prepare_outbound_urb_sizes() ++ * will call next_packet_size() to determine the number of samples to be ++ * sent in the next packet. ++ */ ++int snd_usb_endpoint_next_packet_size(struct snd_usb_endpoint *ep) ++{ ++ int ret; ++ ++ if (ep->fill_max) ++ return ep->maxframesize; ++ ++ ep->sample_accum += ep->sample_rem; ++ if (ep->sample_accum >= ep->fps) { ++ ep->sample_accum -= ep->fps; ++ ret = ep->framesize[1]; ++ } else { ++ ret = ep->framesize[0]; ++ } ++ ++ return ret; ++} ++ + static void retire_outbound_urb(struct snd_usb_endpoint *ep, + struct snd_urb_ctx *urb_ctx) + { +@@ -203,6 +226,8 @@ static void prepare_silent_urb(struct snd_usb_endpoint *ep, + + if (ctx->packet_size[i]) + counts = ctx->packet_size[i]; ++ else if (ep->sync_master) ++ counts = snd_usb_endpoint_slave_next_packet_size(ep); + else + counts = snd_usb_endpoint_next_packet_size(ep); + +@@ -889,10 +914,17 @@ int snd_usb_endpoint_set_params(struct snd_usb_endpoint *ep, + ep->maxpacksize = fmt->maxpacksize; + ep->fill_max = !!(fmt->attributes & UAC_EP_CS_ATTR_FILL_MAX); + +- if (snd_usb_get_speed(ep->chip->dev) == USB_SPEED_FULL) ++ if (snd_usb_get_speed(ep->chip->dev) == USB_SPEED_FULL) { + ep->freqn = get_usb_full_speed_rate(rate); +- else ++ ep->fps = 1000; ++ } else { + ep->freqn = get_usb_high_speed_rate(rate); ++ ep->fps = 8000; ++ } ++ ++ ep->sample_rem = rate % ep->fps; ++ ep->framesize[0] = rate / ep->fps; ++ ep->framesize[1] = (rate + (ep->fps - 1)) / ep->fps; + + /* calculate the frequency in 16.16 format */ + ep->freqm = ep->freqn; +@@ -951,6 +983,7 @@ int snd_usb_endpoint_start(struct snd_usb_endpoint *ep) + ep->active_mask = 0; + ep->unlink_mask = 0; + ep->phase = 0; ++ ep->sample_accum = 0; + + snd_usb_endpoint_start_quirk(ep); + +diff --git a/sound/usb/endpoint.h b/sound/usb/endpoint.h +index 63a39d4fa8d8e..d23fa0a8c11bf 100644 +--- a/sound/usb/endpoint.h ++++ b/sound/usb/endpoint.h +@@ -28,6 +28,7 @@ void snd_usb_endpoint_release(struct snd_usb_endpoint *ep); + void snd_usb_endpoint_free(struct snd_usb_endpoint *ep); + + int snd_usb_endpoint_implicit_feedback_sink(struct snd_usb_endpoint *ep); ++int snd_usb_endpoint_slave_next_packet_size(struct snd_usb_endpoint *ep); + int snd_usb_endpoint_next_packet_size(struct snd_usb_endpoint *ep); + + void snd_usb_handle_sync_urb(struct snd_usb_endpoint *ep, +diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c +index ff38fca1781b6..fd73186d60036 100644 +--- a/sound/usb/pcm.c ++++ b/sound/usb/pcm.c +@@ -1484,6 +1484,8 @@ static void prepare_playback_urb(struct snd_usb_substream *subs, + for (i = 0; i < ctx->packets; i++) { + if (ctx->packet_size[i]) + counts = ctx->packet_size[i]; ++ else if (ep->sync_master) ++ counts = snd_usb_endpoint_slave_next_packet_size(ep); + else + counts = snd_usb_endpoint_next_packet_size(ep); + +-- +2.25.1 + diff --git a/queue-4.14/apparmor-fix-introspection-of-of-task-mode-for-uncon.patch b/queue-4.14/apparmor-fix-introspection-of-of-task-mode-for-uncon.patch new file mode 100644 index 00000000000..d7ad3e57c03 --- /dev/null +++ b/queue-4.14/apparmor-fix-introspection-of-of-task-mode-for-uncon.patch @@ -0,0 +1,63 @@ +From 2ba001e6d01d1000f7765a0aed1f9d219bc8ec54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Jun 2020 18:12:21 -0700 +Subject: apparmor: fix introspection of of task mode for unconfined tasks + +From: John Johansen + +[ Upstream commit dd2569fbb053719f7df7ef8fdbb45cf47156a701 ] + +Fix two issues with introspecting the task mode. + +1. If a task is attached to a unconfined profile that is not the + ns->unconfined profile then. Mode the mode is always reported + as - + + $ ps -Z + LABEL PID TTY TIME CMD + unconfined 1287 pts/0 00:00:01 bash + test (-) 1892 pts/0 00:00:00 ps + + instead of the correct value of (unconfined) as shown below + + $ ps -Z + LABEL PID TTY TIME CMD + unconfined 2483 pts/0 00:00:01 bash + test (unconfined) 3591 pts/0 00:00:00 ps + +2. if a task is confined by a stack of profiles that are unconfined + the output of label mode is again the incorrect value of (-) like + above, instead of (unconfined). This is because the visibile + profile count increment is skipped by the special casing of + unconfined. + +Fixes: f1bd904175e8 ("apparmor: add the base fns() for domain labels") +Signed-off-by: John Johansen +Signed-off-by: Sasha Levin +--- + security/apparmor/label.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/security/apparmor/label.c b/security/apparmor/label.c +index ea63710442ae5..212a0f39ddae8 100644 +--- a/security/apparmor/label.c ++++ b/security/apparmor/label.c +@@ -1536,13 +1536,13 @@ static const char *label_modename(struct aa_ns *ns, struct aa_label *label, + + label_for_each(i, label, profile) { + if (aa_ns_visible(ns, profile->ns, flags & FLAG_VIEW_SUBNS)) { +- if (profile->mode == APPARMOR_UNCONFINED) ++ count++; ++ if (profile == profile->ns->unconfined) + /* special case unconfined so stacks with + * unconfined don't report as mixed. ie. + * profile_foo//&:ns1:unconfined (mixed) + */ + continue; +- count++; + if (mode == -1) + mode = profile->mode; + else if (mode != profile->mode) +-- +2.25.1 + diff --git a/queue-4.14/arm-integrator-add-some-kconfig-selections.patch b/queue-4.14/arm-integrator-add-some-kconfig-selections.patch new file mode 100644 index 00000000000..dd8861b6620 --- /dev/null +++ b/queue-4.14/arm-integrator-add-some-kconfig-selections.patch @@ -0,0 +1,61 @@ +From 0191f89faa03102bf15c3c1030cc6a2b141c4d09 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Feb 2020 15:27:54 +0100 +Subject: ARM: integrator: Add some Kconfig selections + +From: Linus Walleij + +[ Upstream commit d2854bbe5f5c4b4bec8061caf4f2e603d8819446 ] + +The CMA and DMA_CMA Kconfig options need to be selected +by the Integrator in order to produce boot console on some +Integrator systems. + +The REGULATOR and REGULATOR_FIXED_VOLTAGE need to be +selected in order to boot the system from an external +MMC card when using MMCI/PL181 from the device tree +probe path. + +Select these things directly from the Kconfig so we are +sure to be able to bring the systems up with console +from any device tree. + +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + arch/arm/mach-integrator/Kconfig | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/mach-integrator/Kconfig b/arch/arm/mach-integrator/Kconfig +index cefe44f6889bd..ba124f8704fac 100644 +--- a/arch/arm/mach-integrator/Kconfig ++++ b/arch/arm/mach-integrator/Kconfig +@@ -3,6 +3,8 @@ menuconfig ARCH_INTEGRATOR + depends on ARCH_MULTI_V4T || ARCH_MULTI_V5 || ARCH_MULTI_V6 + select ARM_AMBA + select COMMON_CLK_VERSATILE ++ select CMA ++ select DMA_CMA + select HAVE_TCM + select ICST + select MFD_SYSCON +@@ -34,14 +36,13 @@ config INTEGRATOR_IMPD1 + select ARM_VIC + select GPIO_PL061 + select GPIOLIB ++ select REGULATOR ++ select REGULATOR_FIXED_VOLTAGE + help + The IM-PD1 is an add-on logic module for the Integrator which + allows ARM(R) Ltd PrimeCells to be developed and evaluated. + The IM-PD1 can be found on the Integrator/PP2 platform. + +- To compile this driver as a module, choose M here: the +- module will be called impd1. +- + config INTEGRATOR_CM7TDMI + bool "Integrator/CM7TDMI core module" + depends on ARCH_INTEGRATOR_AP +-- +2.25.1 + diff --git a/queue-4.14/arm64-hw_breakpoint-don-t-invoke-overflow-handler-on.patch b/queue-4.14/arm64-hw_breakpoint-don-t-invoke-overflow-handler-on.patch new file mode 100644 index 00000000000..9cc8940a5da --- /dev/null +++ b/queue-4.14/arm64-hw_breakpoint-don-t-invoke-overflow-handler-on.patch @@ -0,0 +1,109 @@ +From 4631057708d49876ddcde649fcc8591014dcf2b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 May 2020 14:12:18 +0100 +Subject: arm64: hw_breakpoint: Don't invoke overflow handler on uaccess + watchpoints + +From: Will Deacon + +[ Upstream commit 24ebec25fb270100e252b19c288e21bd7d8cc7f7 ] + +Unprivileged memory accesses generated by the so-called "translated" +instructions (e.g. STTR) at EL1 can cause EL0 watchpoints to fire +unexpectedly if kernel debugging is enabled. In such cases, the +hw_breakpoint logic will invoke the user overflow handler which will +typically raise a SIGTRAP back to the current task. This is futile when +returning back to the kernel because (a) the signal won't have been +delivered and (b) userspace can't handle the thing anyway. + +Avoid invoking the user overflow handler for watchpoints triggered by +kernel uaccess routines, and instead single-step over the faulting +instruction as we would if no overflow handler had been installed. + +(Fixes tag identifies the introduction of unprivileged memory accesses, + which exposed this latent bug in the hw_breakpoint code) + +Cc: Catalin Marinas +Cc: James Morse +Fixes: 57f4959bad0a ("arm64: kernel: Add support for User Access Override") +Reported-by: Luis Machado +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/hw_breakpoint.c | 44 ++++++++++++++++++------------- + 1 file changed, 26 insertions(+), 18 deletions(-) + +diff --git a/arch/arm64/kernel/hw_breakpoint.c b/arch/arm64/kernel/hw_breakpoint.c +index 95697a9c12451..6e96cea99a4ec 100644 +--- a/arch/arm64/kernel/hw_breakpoint.c ++++ b/arch/arm64/kernel/hw_breakpoint.c +@@ -738,6 +738,27 @@ static u64 get_distance_from_watchpoint(unsigned long addr, u64 val, + return 0; + } + ++static int watchpoint_report(struct perf_event *wp, unsigned long addr, ++ struct pt_regs *regs) ++{ ++ int step = is_default_overflow_handler(wp); ++ struct arch_hw_breakpoint *info = counter_arch_bp(wp); ++ ++ info->trigger = addr; ++ ++ /* ++ * If we triggered a user watchpoint from a uaccess routine, then ++ * handle the stepping ourselves since userspace really can't help ++ * us with this. ++ */ ++ if (!user_mode(regs) && info->ctrl.privilege == AARCH64_BREAKPOINT_EL0) ++ step = 1; ++ else ++ perf_bp_event(wp, regs); ++ ++ return step; ++} ++ + static int watchpoint_handler(unsigned long addr, unsigned int esr, + struct pt_regs *regs) + { +@@ -747,7 +768,6 @@ static int watchpoint_handler(unsigned long addr, unsigned int esr, + u64 val; + struct perf_event *wp, **slots; + struct debug_info *debug_info; +- struct arch_hw_breakpoint *info; + struct arch_hw_breakpoint_ctrl ctrl; + + slots = this_cpu_ptr(wp_on_reg); +@@ -785,25 +805,13 @@ static int watchpoint_handler(unsigned long addr, unsigned int esr, + if (dist != 0) + continue; + +- info = counter_arch_bp(wp); +- info->trigger = addr; +- perf_bp_event(wp, regs); +- +- /* Do we need to handle the stepping? */ +- if (is_default_overflow_handler(wp)) +- step = 1; ++ step = watchpoint_report(wp, addr, regs); + } +- if (min_dist > 0 && min_dist != -1) { +- /* No exact match found. */ +- wp = slots[closest_match]; +- info = counter_arch_bp(wp); +- info->trigger = addr; +- perf_bp_event(wp, regs); + +- /* Do we need to handle the stepping? */ +- if (is_default_overflow_handler(wp)) +- step = 1; +- } ++ /* No exact match found? */ ++ if (min_dist > 0 && min_dist != -1) ++ step = watchpoint_report(slots[closest_match], addr, regs); ++ + rcu_read_unlock(); + + if (!step) +-- +2.25.1 + diff --git a/queue-4.14/asoc-davinci-mcasp-fix-dma_chan-refcnt-leak-when-get.patch b/queue-4.14/asoc-davinci-mcasp-fix-dma_chan-refcnt-leak-when-get.patch new file mode 100644 index 00000000000..3dbd82b9055 --- /dev/null +++ b/queue-4.14/asoc-davinci-mcasp-fix-dma_chan-refcnt-leak-when-get.patch @@ -0,0 +1,53 @@ +From 978424f3534803b1428cefdb1f1a6d6eee9a7bbe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Apr 2020 20:48:35 +0800 +Subject: ASoC: davinci-mcasp: Fix dma_chan refcnt leak when getting dma type + +From: Xiyu Yang + +[ Upstream commit a697ae6ea56e23397341b027098c1b11d9ab13da ] + +davinci_mcasp_get_dma_type() invokes dma_request_chan(), which returns a +reference of the specified dma_chan object to "chan" with increased +refcnt. + +When davinci_mcasp_get_dma_type() returns, local variable "chan" becomes +invalid, so the refcount should be decreased to keep refcount balanced. + +The reference counting issue happens in one exception handling path of +davinci_mcasp_get_dma_type(). When chan device is NULL, the function +forgets to decrease the refcnt increased by dma_request_chan(), causing +a refcnt leak. + +Fix this issue by calling dma_release_channel() when chan device is +NULL. + +Signed-off-by: Xiyu Yang +Signed-off-by: Xin Tan +Acked-by: Peter Ujfalusi +Link: https://lore.kernel.org/r/1587818916-38730-1-git-send-email-xiyuyang19@fudan.edu.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/davinci/davinci-mcasp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/davinci/davinci-mcasp.c b/sound/soc/davinci/davinci-mcasp.c +index e10e03800cce5..6991718d7c8a2 100644 +--- a/sound/soc/davinci/davinci-mcasp.c ++++ b/sound/soc/davinci/davinci-mcasp.c +@@ -1747,8 +1747,10 @@ static int davinci_mcasp_get_dma_type(struct davinci_mcasp *mcasp) + PTR_ERR(chan)); + return PTR_ERR(chan); + } +- if (WARN_ON(!chan->device || !chan->device->dev)) ++ if (WARN_ON(!chan->device || !chan->device->dev)) { ++ dma_release_channel(chan); + return -EINVAL; ++ } + + if (chan->device->dev->of_node) + ret = of_property_read_string(chan->device->dev->of_node, +-- +2.25.1 + diff --git a/queue-4.14/asoc-fsl_asrc_dma-fix-dma_chan-leak-when-config-dma-.patch b/queue-4.14/asoc-fsl_asrc_dma-fix-dma_chan-leak-when-config-dma-.patch new file mode 100644 index 00000000000..1cbfa073852 --- /dev/null +++ b/queue-4.14/asoc-fsl_asrc_dma-fix-dma_chan-leak-when-config-dma-.patch @@ -0,0 +1,46 @@ +From 4511a9bb227ca37a1ddee811b44bcb33bbcdf10c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 May 2020 22:12:46 +0800 +Subject: ASoC: fsl_asrc_dma: Fix dma_chan leak when config DMA channel failed + +From: Xiyu Yang + +[ Upstream commit 36124fb19f1ae68a500cd76a76d40c6e81bee346 ] + +fsl_asrc_dma_hw_params() invokes dma_request_channel() or +fsl_asrc_get_dma_channel(), which returns a reference of the specified +dma_chan object to "pair->dma_chan[dir]" with increased refcnt. + +The reference counting issue happens in one exception handling path of +fsl_asrc_dma_hw_params(). When config DMA channel failed for Back-End, +the function forgets to decrease the refcnt increased by +dma_request_channel() or fsl_asrc_get_dma_channel(), causing a refcnt +leak. + +Fix this issue by calling dma_release_channel() when config DMA channel +failed. + +Signed-off-by: Xiyu Yang +Signed-off-by: Xin Tan +Link: https://lore.kernel.org/r/1590415966-52416-1-git-send-email-xiyuyang19@fudan.edu.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/fsl_asrc_dma.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/fsl/fsl_asrc_dma.c b/sound/soc/fsl/fsl_asrc_dma.c +index e1b97e59275a9..15d7e6da05556 100644 +--- a/sound/soc/fsl/fsl_asrc_dma.c ++++ b/sound/soc/fsl/fsl_asrc_dma.c +@@ -243,6 +243,7 @@ static int fsl_asrc_dma_hw_params(struct snd_pcm_substream *substream, + ret = dmaengine_slave_config(pair->dma_chan[dir], &config_be); + if (ret) { + dev_err(dev, "failed to config DMA channel for Back-End\n"); ++ dma_release_channel(pair->dma_chan[dir]); + return ret; + } + +-- +2.25.1 + diff --git a/queue-4.14/backlight-lp855x-ensure-regulators-are-disabled-on-p.patch b/queue-4.14/backlight-lp855x-ensure-regulators-are-disabled-on-p.patch new file mode 100644 index 00000000000..7188b884ab4 --- /dev/null +++ b/queue-4.14/backlight-lp855x-ensure-regulators-are-disabled-on-p.patch @@ -0,0 +1,123 @@ +From bd4c319ba6df56e0aba7a1264591bada877611ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Feb 2020 14:07:48 +0000 +Subject: backlight: lp855x: Ensure regulators are disabled on probe failure + +From: Jon Hunter + +[ Upstream commit d8207c155a7c6015eb7f43739baa7dfb1fa638af ] + +If probing the LP885x backlight fails after the regulators have been +enabled, then the following warning is seen when releasing the +regulators ... + + WARNING: CPU: 1 PID: 289 at drivers/regulator/core.c:2051 _regulator_put.part.28+0x158/0x160 + Modules linked in: tegra_xudc lp855x_bl(+) host1x pwm_tegra ip_tables x_tables ipv6 nf_defrag_ipv6 + CPU: 1 PID: 289 Comm: systemd-udevd Not tainted 5.6.0-rc2-next-20200224 #1 + Hardware name: NVIDIA Jetson TX1 Developer Kit (DT) + + ... + + Call trace: + _regulator_put.part.28+0x158/0x160 + regulator_put+0x34/0x50 + devm_regulator_release+0x10/0x18 + release_nodes+0x12c/0x230 + devres_release_all+0x34/0x50 + really_probe+0x1c0/0x370 + driver_probe_device+0x58/0x100 + device_driver_attach+0x6c/0x78 + __driver_attach+0xb0/0xf0 + bus_for_each_dev+0x68/0xc8 + driver_attach+0x20/0x28 + bus_add_driver+0x160/0x1f0 + driver_register+0x60/0x110 + i2c_register_driver+0x40/0x80 + lp855x_driver_init+0x20/0x1000 [lp855x_bl] + do_one_initcall+0x58/0x1a0 + do_init_module+0x54/0x1d0 + load_module+0x1d80/0x21c8 + __do_sys_finit_module+0xe8/0x100 + __arm64_sys_finit_module+0x18/0x20 + el0_svc_common.constprop.3+0xb0/0x168 + do_el0_svc+0x20/0x98 + el0_sync_handler+0xf4/0x1b0 + el0_sync+0x140/0x180 + +Fix this by ensuring that the regulators are disabled, if enabled, on +probe failure. + +Finally, ensure that the vddio regulator is disabled in the driver +remove handler. + +Signed-off-by: Jon Hunter +Reviewed-by: Daniel Thompson +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/video/backlight/lp855x_bl.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +diff --git a/drivers/video/backlight/lp855x_bl.c b/drivers/video/backlight/lp855x_bl.c +index 939f057836e19..4cdc7a3f6dc5c 100644 +--- a/drivers/video/backlight/lp855x_bl.c ++++ b/drivers/video/backlight/lp855x_bl.c +@@ -460,7 +460,7 @@ static int lp855x_probe(struct i2c_client *cl, const struct i2c_device_id *id) + ret = regulator_enable(lp->enable); + if (ret < 0) { + dev_err(lp->dev, "failed to enable vddio: %d\n", ret); +- return ret; ++ goto disable_supply; + } + + /* +@@ -475,24 +475,34 @@ static int lp855x_probe(struct i2c_client *cl, const struct i2c_device_id *id) + ret = lp855x_configure(lp); + if (ret) { + dev_err(lp->dev, "device config err: %d", ret); +- return ret; ++ goto disable_vddio; + } + + ret = lp855x_backlight_register(lp); + if (ret) { + dev_err(lp->dev, + "failed to register backlight. err: %d\n", ret); +- return ret; ++ goto disable_vddio; + } + + ret = sysfs_create_group(&lp->dev->kobj, &lp855x_attr_group); + if (ret) { + dev_err(lp->dev, "failed to register sysfs. err: %d\n", ret); +- return ret; ++ goto disable_vddio; + } + + backlight_update_status(lp->bl); ++ + return 0; ++ ++disable_vddio: ++ if (lp->enable) ++ regulator_disable(lp->enable); ++disable_supply: ++ if (lp->supply) ++ regulator_disable(lp->supply); ++ ++ return ret; + } + + static int lp855x_remove(struct i2c_client *cl) +@@ -501,6 +511,8 @@ static int lp855x_remove(struct i2c_client *cl) + + lp->bl->props.brightness = 0; + backlight_update_status(lp->bl); ++ if (lp->enable) ++ regulator_disable(lp->enable); + if (lp->supply) + regulator_disable(lp->supply); + sysfs_remove_group(&lp->dev->kobj, &lp855x_attr_group); +-- +2.25.1 + diff --git a/queue-4.14/bcache-fix-potential-deadlock-problem-in-btree_gc_co.patch b/queue-4.14/bcache-fix-potential-deadlock-problem-in-btree_gc_co.patch new file mode 100644 index 00000000000..f69eb4ac5c0 --- /dev/null +++ b/queue-4.14/bcache-fix-potential-deadlock-problem-in-btree_gc_co.patch @@ -0,0 +1,96 @@ +From 363ca0990096ff046f4d989a2d96e385ae10fbf1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Jun 2020 00:53:30 +0800 +Subject: bcache: fix potential deadlock problem in btree_gc_coalesce + +From: Zhiqiang Liu + +[ Upstream commit be23e837333a914df3f24bf0b32e87b0331ab8d1 ] + +coccicheck reports: + drivers/md//bcache/btree.c:1538:1-7: preceding lock on line 1417 + +In btree_gc_coalesce func, if the coalescing process fails, we will goto +to out_nocoalesce tag directly without releasing new_nodes[i]->write_lock. +Then, it will cause a deadlock when trying to acquire new_nodes[i]-> +write_lock for freeing new_nodes[i] before return. + +btree_gc_coalesce func details as follows: + if alloc new_nodes[i] fails: + goto out_nocoalesce; + // obtain new_nodes[i]->write_lock + mutex_lock(&new_nodes[i]->write_lock) + // main coalescing process + for (i = nodes - 1; i > 0; --i) + [snipped] + if coalescing process fails: + // Here, directly goto out_nocoalesce + // tag will cause a deadlock + goto out_nocoalesce; + [snipped] + // release new_nodes[i]->write_lock + mutex_unlock(&new_nodes[i]->write_lock) + // coalesing succ, return + return; +out_nocoalesce: + btree_node_free(new_nodes[i]) // free new_nodes[i] + // obtain new_nodes[i]->write_lock + mutex_lock(&new_nodes[i]->write_lock); + // set flag for reuse + clear_bit(BTREE_NODE_dirty, &ew_nodes[i]->flags); + // release new_nodes[i]->write_lock + mutex_unlock(&new_nodes[i]->write_lock); + +To fix the problem, we add a new tag 'out_unlock_nocoalesce' for +releasing new_nodes[i]->write_lock before out_nocoalesce tag. If +coalescing process fails, we will go to out_unlock_nocoalesce tag +for releasing new_nodes[i]->write_lock before free new_nodes[i] in +out_nocoalesce tag. + +(Coly Li helps to clean up commit log format.) + +Fixes: 2a285686c109816 ("bcache: btree locking rework") +Signed-off-by: Zhiqiang Liu +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/md/bcache/btree.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c +index 96a6583e7b522..66c764491a830 100644 +--- a/drivers/md/bcache/btree.c ++++ b/drivers/md/bcache/btree.c +@@ -1374,7 +1374,7 @@ static int btree_gc_coalesce(struct btree *b, struct btree_op *op, + if (__set_blocks(n1, n1->keys + n2->keys, + block_bytes(b->c)) > + btree_blocks(new_nodes[i])) +- goto out_nocoalesce; ++ goto out_unlock_nocoalesce; + + keys = n2->keys; + /* Take the key of the node we're getting rid of */ +@@ -1403,7 +1403,7 @@ static int btree_gc_coalesce(struct btree *b, struct btree_op *op, + + if (__bch_keylist_realloc(&keylist, + bkey_u64s(&new_nodes[i]->key))) +- goto out_nocoalesce; ++ goto out_unlock_nocoalesce; + + bch_btree_node_write(new_nodes[i], &cl); + bch_keylist_add(&keylist, &new_nodes[i]->key); +@@ -1449,6 +1449,10 @@ static int btree_gc_coalesce(struct btree *b, struct btree_op *op, + /* Invalidated our iterator */ + return -EINTR; + ++out_unlock_nocoalesce: ++ for (i = 0; i < nodes; i++) ++ mutex_unlock(&new_nodes[i]->write_lock); ++ + out_nocoalesce: + closure_sync(&cl); + bch_keylist_free(&keylist); +-- +2.25.1 + diff --git a/queue-4.14/blktrace-fix-endianness-for-blk_log_remap.patch b/queue-4.14/blktrace-fix-endianness-for-blk_log_remap.patch new file mode 100644 index 00000000000..e94184d4faf --- /dev/null +++ b/queue-4.14/blktrace-fix-endianness-for-blk_log_remap.patch @@ -0,0 +1,64 @@ +From 265b79a298b202478d46f5e25393bc8e94d08d63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jun 2020 00:13:30 -0700 +Subject: blktrace: fix endianness for blk_log_remap() + +From: Chaitanya Kulkarni + +[ Upstream commit 5aec598c456fe3c1b71a1202cbb42bdc2a643277 ] + +The function blk_log_remap() can be simplified by removing the +call to get_pdu_remap() that copies the values into extra variable to +print the data, which also fixes the endiannness warning reported by +sparse. + +Signed-off-by: Chaitanya Kulkarni +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + kernel/trace/blktrace.c | 19 ++++--------------- + 1 file changed, 4 insertions(+), 15 deletions(-) + +diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c +index be97e0b4ae7dc..304a164f5e7e7 100644 +--- a/kernel/trace/blktrace.c ++++ b/kernel/trace/blktrace.c +@@ -1289,17 +1289,6 @@ static __u64 get_pdu_int(const struct trace_entry *ent, bool has_cg) + return be64_to_cpu(*val); + } + +-static void get_pdu_remap(const struct trace_entry *ent, +- struct blk_io_trace_remap *r, bool has_cg) +-{ +- const struct blk_io_trace_remap *__r = pdu_start(ent, has_cg); +- __u64 sector_from = __r->sector_from; +- +- r->device_from = be32_to_cpu(__r->device_from); +- r->device_to = be32_to_cpu(__r->device_to); +- r->sector_from = be64_to_cpu(sector_from); +-} +- + typedef void (blk_log_action_t) (struct trace_iterator *iter, const char *act, + bool has_cg); + +@@ -1425,13 +1414,13 @@ static void blk_log_with_error(struct trace_seq *s, + + static void blk_log_remap(struct trace_seq *s, const struct trace_entry *ent, bool has_cg) + { +- struct blk_io_trace_remap r = { .device_from = 0, }; ++ const struct blk_io_trace_remap *__r = pdu_start(ent, has_cg); + +- get_pdu_remap(ent, &r, has_cg); + trace_seq_printf(s, "%llu + %u <- (%d,%d) %llu\n", + t_sector(ent), t_sec(ent), +- MAJOR(r.device_from), MINOR(r.device_from), +- (unsigned long long)r.sector_from); ++ MAJOR(be32_to_cpu(__r->device_from)), ++ MINOR(be32_to_cpu(__r->device_from)), ++ be64_to_cpu(__r->sector_from)); + } + + static void blk_log_plug(struct trace_seq *s, const struct trace_entry *ent, bool has_cg) +-- +2.25.1 + diff --git a/queue-4.14/blktrace-fix-endianness-in-get_pdu_int.patch b/queue-4.14/blktrace-fix-endianness-in-get_pdu_int.patch new file mode 100644 index 00000000000..afe49eb14e5 --- /dev/null +++ b/queue-4.14/blktrace-fix-endianness-in-get_pdu_int.patch @@ -0,0 +1,35 @@ +From 7c194f6e425fd8c9b8af1ae6d22264e57810177f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jun 2020 00:13:29 -0700 +Subject: blktrace: fix endianness in get_pdu_int() + +From: Chaitanya Kulkarni + +[ Upstream commit 71df3fd82e7cccec7b749a8607a4662d9f7febdd ] + +In function get_pdu_len() replace variable type from __u64 to +__be64. This fixes sparse warning. + +Signed-off-by: Chaitanya Kulkarni +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + kernel/trace/blktrace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c +index 30a98156f4743..be97e0b4ae7dc 100644 +--- a/kernel/trace/blktrace.c ++++ b/kernel/trace/blktrace.c +@@ -1285,7 +1285,7 @@ static inline __u16 t_error(const struct trace_entry *ent) + + static __u64 get_pdu_int(const struct trace_entry *ent, bool has_cg) + { +- const __u64 *val = pdu_start(ent, has_cg); ++ const __be64 *val = pdu_start(ent, has_cg); + return be64_to_cpu(*val); + } + +-- +2.25.1 + diff --git a/queue-4.14/blktrace-use-errno-instead-of-bi_status.patch b/queue-4.14/blktrace-use-errno-instead-of-bi_status.patch new file mode 100644 index 00000000000..0fa1e3c3e97 --- /dev/null +++ b/queue-4.14/blktrace-use-errno-instead-of-bi_status.patch @@ -0,0 +1,50 @@ +From 52a35972d23801a230eb54f9e797f67a0c600827 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jun 2020 00:13:28 -0700 +Subject: blktrace: use errno instead of bi_status + +From: Chaitanya Kulkarni + +[ Upstream commit 48bc3cd3e07a1486f45d9971c75d6090976c3b1b ] + +In blk_add_trace_spliti() blk_add_trace_bio_remap() use +blk_status_to_errno() to pass the error instead of pasing the bi_status. +This fixes the sparse warning. + +Signed-off-by: Chaitanya Kulkarni +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + kernel/trace/blktrace.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c +index a60c09e0bda87..30a98156f4743 100644 +--- a/kernel/trace/blktrace.c ++++ b/kernel/trace/blktrace.c +@@ -1022,8 +1022,10 @@ static void blk_add_trace_split(void *ignore, + + __blk_add_trace(bt, bio->bi_iter.bi_sector, + bio->bi_iter.bi_size, bio_op(bio), bio->bi_opf, +- BLK_TA_SPLIT, bio->bi_status, sizeof(rpdu), +- &rpdu, blk_trace_bio_get_cgid(q, bio)); ++ BLK_TA_SPLIT, ++ blk_status_to_errno(bio->bi_status), ++ sizeof(rpdu), &rpdu, ++ blk_trace_bio_get_cgid(q, bio)); + } + rcu_read_unlock(); + } +@@ -1060,7 +1062,8 @@ static void blk_add_trace_bio_remap(void *ignore, + r.sector_from = cpu_to_be64(from); + + __blk_add_trace(bt, bio->bi_iter.bi_sector, bio->bi_iter.bi_size, +- bio_op(bio), bio->bi_opf, BLK_TA_REMAP, bio->bi_status, ++ bio_op(bio), bio->bi_opf, BLK_TA_REMAP, ++ blk_status_to_errno(bio->bi_status), + sizeof(r), &r, blk_trace_bio_get_cgid(q, bio)); + rcu_read_unlock(); + } +-- +2.25.1 + diff --git a/queue-4.14/block-fix-use-after-free-in-blkdev_get.patch b/queue-4.14/block-fix-use-after-free-in-blkdev_get.patch new file mode 100644 index 00000000000..54201fbb769 --- /dev/null +++ b/queue-4.14/block-fix-use-after-free-in-blkdev_get.patch @@ -0,0 +1,199 @@ +From 6ceed8de3b8d0f6d4b41acb3475b9e8b3b0b203e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Jun 2020 20:16:55 +0800 +Subject: block: Fix use-after-free in blkdev_get() + +From: Jason Yan + +[ Upstream commit 2d3a8e2deddea6c89961c422ec0c5b851e648c14 ] + +In blkdev_get() we call __blkdev_get() to do some internal jobs and if +there is some errors in __blkdev_get(), the bdput() is called which +means we have released the refcount of the bdev (actually the refcount of +the bdev inode). This means we cannot access bdev after that point. But +acctually bdev is still accessed in blkdev_get() after calling +__blkdev_get(). This results in use-after-free if the refcount is the +last one we released in __blkdev_get(). Let's take a look at the +following scenerio: + + CPU0 CPU1 CPU2 +blkdev_open blkdev_open Remove disk + bd_acquire + blkdev_get + __blkdev_get del_gendisk + bdev_unhash_inode + bd_acquire bdev_get_gendisk + bd_forget failed because of unhashed + bdput + bdput (the last one) + bdev_evict_inode + + access bdev => use after free + +[ 459.350216] BUG: KASAN: use-after-free in __lock_acquire+0x24c1/0x31b0 +[ 459.351190] Read of size 8 at addr ffff88806c815a80 by task syz-executor.0/20132 +[ 459.352347] +[ 459.352594] CPU: 0 PID: 20132 Comm: syz-executor.0 Not tainted 4.19.90 #2 +[ 459.353628] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 +[ 459.354947] Call Trace: +[ 459.355337] dump_stack+0x111/0x19e +[ 459.355879] ? __lock_acquire+0x24c1/0x31b0 +[ 459.356523] print_address_description+0x60/0x223 +[ 459.357248] ? __lock_acquire+0x24c1/0x31b0 +[ 459.357887] kasan_report.cold+0xae/0x2d8 +[ 459.358503] __lock_acquire+0x24c1/0x31b0 +[ 459.359120] ? _raw_spin_unlock_irq+0x24/0x40 +[ 459.359784] ? lockdep_hardirqs_on+0x37b/0x580 +[ 459.360465] ? _raw_spin_unlock_irq+0x24/0x40 +[ 459.361123] ? finish_task_switch+0x125/0x600 +[ 459.361812] ? finish_task_switch+0xee/0x600 +[ 459.362471] ? mark_held_locks+0xf0/0xf0 +[ 459.363108] ? __schedule+0x96f/0x21d0 +[ 459.363716] lock_acquire+0x111/0x320 +[ 459.364285] ? blkdev_get+0xce/0xbe0 +[ 459.364846] ? blkdev_get+0xce/0xbe0 +[ 459.365390] __mutex_lock+0xf9/0x12a0 +[ 459.365948] ? blkdev_get+0xce/0xbe0 +[ 459.366493] ? bdev_evict_inode+0x1f0/0x1f0 +[ 459.367130] ? blkdev_get+0xce/0xbe0 +[ 459.367678] ? destroy_inode+0xbc/0x110 +[ 459.368261] ? mutex_trylock+0x1a0/0x1a0 +[ 459.368867] ? __blkdev_get+0x3e6/0x1280 +[ 459.369463] ? bdev_disk_changed+0x1d0/0x1d0 +[ 459.370114] ? blkdev_get+0xce/0xbe0 +[ 459.370656] blkdev_get+0xce/0xbe0 +[ 459.371178] ? find_held_lock+0x2c/0x110 +[ 459.371774] ? __blkdev_get+0x1280/0x1280 +[ 459.372383] ? lock_downgrade+0x680/0x680 +[ 459.373002] ? lock_acquire+0x111/0x320 +[ 459.373587] ? bd_acquire+0x21/0x2c0 +[ 459.374134] ? do_raw_spin_unlock+0x4f/0x250 +[ 459.374780] blkdev_open+0x202/0x290 +[ 459.375325] do_dentry_open+0x49e/0x1050 +[ 459.375924] ? blkdev_get_by_dev+0x70/0x70 +[ 459.376543] ? __x64_sys_fchdir+0x1f0/0x1f0 +[ 459.377192] ? inode_permission+0xbe/0x3a0 +[ 459.377818] path_openat+0x148c/0x3f50 +[ 459.378392] ? kmem_cache_alloc+0xd5/0x280 +[ 459.379016] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe +[ 459.379802] ? path_lookupat.isra.0+0x900/0x900 +[ 459.380489] ? __lock_is_held+0xad/0x140 +[ 459.381093] do_filp_open+0x1a1/0x280 +[ 459.381654] ? may_open_dev+0xf0/0xf0 +[ 459.382214] ? find_held_lock+0x2c/0x110 +[ 459.382816] ? lock_downgrade+0x680/0x680 +[ 459.383425] ? __lock_is_held+0xad/0x140 +[ 459.384024] ? do_raw_spin_unlock+0x4f/0x250 +[ 459.384668] ? _raw_spin_unlock+0x1f/0x30 +[ 459.385280] ? __alloc_fd+0x448/0x560 +[ 459.385841] do_sys_open+0x3c3/0x500 +[ 459.386386] ? filp_open+0x70/0x70 +[ 459.386911] ? trace_hardirqs_on_thunk+0x1a/0x1c +[ 459.387610] ? trace_hardirqs_off_caller+0x55/0x1c0 +[ 459.388342] ? do_syscall_64+0x1a/0x520 +[ 459.388930] do_syscall_64+0xc3/0x520 +[ 459.389490] entry_SYSCALL_64_after_hwframe+0x49/0xbe +[ 459.390248] RIP: 0033:0x416211 +[ 459.390720] Code: 75 14 b8 02 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 +04 19 00 00 c3 48 83 ec 08 e8 0a fa ff ff 48 89 04 24 b8 02 00 00 00 0f + 05 <48> 8b 3c 24 48 89 c2 e8 53 fa ff ff 48 89 d0 48 83 c4 08 48 3d + 01 +[ 459.393483] RSP: 002b:00007fe45dfe9a60 EFLAGS: 00000293 ORIG_RAX: 0000000000000002 +[ 459.394610] RAX: ffffffffffffffda RBX: 00007fe45dfea6d4 RCX: 0000000000416211 +[ 459.395678] RDX: 00007fe45dfe9b0a RSI: 0000000000000002 RDI: 00007fe45dfe9b00 +[ 459.396758] RBP: 000000000076bf20 R08: 0000000000000000 R09: 000000000000000a +[ 459.397930] R10: 0000000000000075 R11: 0000000000000293 R12: 00000000ffffffff +[ 459.399022] R13: 0000000000000bd9 R14: 00000000004cdb80 R15: 000000000076bf2c +[ 459.400168] +[ 459.400430] Allocated by task 20132: +[ 459.401038] kasan_kmalloc+0xbf/0xe0 +[ 459.401652] kmem_cache_alloc+0xd5/0x280 +[ 459.402330] bdev_alloc_inode+0x18/0x40 +[ 459.402970] alloc_inode+0x5f/0x180 +[ 459.403510] iget5_locked+0x57/0xd0 +[ 459.404095] bdget+0x94/0x4e0 +[ 459.404607] bd_acquire+0xfa/0x2c0 +[ 459.405113] blkdev_open+0x110/0x290 +[ 459.405702] do_dentry_open+0x49e/0x1050 +[ 459.406340] path_openat+0x148c/0x3f50 +[ 459.406926] do_filp_open+0x1a1/0x280 +[ 459.407471] do_sys_open+0x3c3/0x500 +[ 459.408010] do_syscall_64+0xc3/0x520 +[ 459.408572] entry_SYSCALL_64_after_hwframe+0x49/0xbe +[ 459.409415] +[ 459.409679] Freed by task 1262: +[ 459.410212] __kasan_slab_free+0x129/0x170 +[ 459.410919] kmem_cache_free+0xb2/0x2a0 +[ 459.411564] rcu_process_callbacks+0xbb2/0x2320 +[ 459.412318] __do_softirq+0x225/0x8ac + +Fix this by delaying bdput() to the end of blkdev_get() which means we +have finished accessing bdev. + +Fixes: 77ea887e433a ("implement in-kernel gendisk events handling") +Reported-by: Hulk Robot +Signed-off-by: Jason Yan +Tested-by: Sedat Dilek +Reviewed-by: Jan Kara +Reviewed-by: Christoph Hellwig +Reviewed-by: Dan Carpenter +Cc: Christoph Hellwig +Cc: Jens Axboe +Cc: Ming Lei +Cc: Jan Kara +Cc: Dan Carpenter +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + fs/block_dev.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/fs/block_dev.c b/fs/block_dev.c +index 61949e3446e58..77ce77a283247 100644 +--- a/fs/block_dev.c ++++ b/fs/block_dev.c +@@ -1439,10 +1439,8 @@ static int __blkdev_get(struct block_device *bdev, fmode_t mode, int for_part) + */ + if (!for_part) { + ret = devcgroup_inode_permission(bdev->bd_inode, perm); +- if (ret != 0) { +- bdput(bdev); ++ if (ret != 0) + return ret; +- } + } + + restart: +@@ -1515,8 +1513,10 @@ static int __blkdev_get(struct block_device *bdev, fmode_t mode, int for_part) + goto out_clear; + BUG_ON(for_part); + ret = __blkdev_get(whole, mode, 1); +- if (ret) ++ if (ret) { ++ bdput(whole); + goto out_clear; ++ } + bdev->bd_contains = whole; + bdev->bd_part = disk_get_part(disk, partno); + if (!(disk->flags & GENHD_FL_UP) || +@@ -1570,7 +1570,6 @@ static int __blkdev_get(struct block_device *bdev, fmode_t mode, int for_part) + put_disk(disk); + module_put(owner); + out: +- bdput(bdev); + + return ret; + } +@@ -1656,6 +1655,9 @@ int blkdev_get(struct block_device *bdev, fmode_t mode, void *holder) + bdput(whole); + } + ++ if (res) ++ bdput(bdev); ++ + return res; + } + EXPORT_SYMBOL(blkdev_get); +-- +2.25.1 + diff --git a/queue-4.14/clk-bcm2835-fix-return-type-of-bcm2835_register_gate.patch b/queue-4.14/clk-bcm2835-fix-return-type-of-bcm2835_register_gate.patch new file mode 100644 index 00000000000..b6216e0a6a5 --- /dev/null +++ b/queue-4.14/clk-bcm2835-fix-return-type-of-bcm2835_register_gate.patch @@ -0,0 +1,59 @@ +From 63169cab5c5c0a0e1e4d2c4c8a8d3d54d2addefb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 May 2020 01:08:06 -0700 +Subject: clk: bcm2835: Fix return type of bcm2835_register_gate + +From: Nathan Chancellor + +[ Upstream commit f376c43bec4f8ee8d1ba5c5c4cfbd6e84fb279cb ] + +bcm2835_register_gate is used as a callback for the clk_register member +of bcm2835_clk_desc, which expects a struct clk_hw * return type but +bcm2835_register_gate returns a struct clk *. + +This discrepancy is hidden by the fact that bcm2835_register_gate is +cast to the typedef bcm2835_clk_register by the _REGISTER macro. This +turns out to be a control flow integrity violation, which is how this +was noticed. + +Change the return type of bcm2835_register_gate to be struct clk_hw * +and use clk_hw_register_gate to do so. This should be a non-functional +change as clk_register_gate calls clk_hw_register_gate anyways but this +is needed to avoid issues with further changes. + +Fixes: b19f009d4510 ("clk: bcm2835: Migrate to clk_hw based registration and OF APIs") +Link: https://github.com/ClangBuiltLinux/linux/issues/1028 +Signed-off-by: Nathan Chancellor +Link: https://lkml.kernel.org/r/20200516080806.1459784-1-natechancellor@gmail.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/bcm/clk-bcm2835.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/clk/bcm/clk-bcm2835.c b/drivers/clk/bcm/clk-bcm2835.c +index 5f8082d891313..6db4204e5d5d5 100644 +--- a/drivers/clk/bcm/clk-bcm2835.c ++++ b/drivers/clk/bcm/clk-bcm2835.c +@@ -1483,13 +1483,13 @@ static struct clk_hw *bcm2835_register_clock(struct bcm2835_cprman *cprman, + return &clock->hw; + } + +-static struct clk *bcm2835_register_gate(struct bcm2835_cprman *cprman, ++static struct clk_hw *bcm2835_register_gate(struct bcm2835_cprman *cprman, + const struct bcm2835_gate_data *data) + { +- return clk_register_gate(cprman->dev, data->name, data->parent, +- CLK_IGNORE_UNUSED | CLK_SET_RATE_GATE, +- cprman->regs + data->ctl_reg, +- CM_GATE_BIT, 0, &cprman->regs_lock); ++ return clk_hw_register_gate(cprman->dev, data->name, data->parent, ++ CLK_IGNORE_UNUSED | CLK_SET_RATE_GATE, ++ cprman->regs + data->ctl_reg, ++ CM_GATE_BIT, 0, &cprman->regs_lock); + } + + typedef struct clk_hw *(*bcm2835_clk_register)(struct bcm2835_cprman *cprman, +-- +2.25.1 + diff --git a/queue-4.14/clk-clk-flexgen-fix-clock-critical-handling.patch b/queue-4.14/clk-clk-flexgen-fix-clock-critical-handling.patch new file mode 100644 index 00000000000..86b057c366d --- /dev/null +++ b/queue-4.14/clk-clk-flexgen-fix-clock-critical-handling.patch @@ -0,0 +1,37 @@ +From 96f5ce6aafe385ecd0d427f2d5f8679676001400 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 22 Mar 2020 15:07:40 +0100 +Subject: clk: clk-flexgen: fix clock-critical handling + +From: Alain Volmat + +[ Upstream commit a403bbab1a73d798728d76931cab3ff0399b9560 ] + +Fixes an issue leading to having all clocks following a critical +clocks marked as well as criticals. + +Fixes: fa6415affe20 ("clk: st: clk-flexgen: Detect critical clocks") +Signed-off-by: Alain Volmat +Link: https://lkml.kernel.org/r/20200322140740.3970-1-avolmat@me.com +Reviewed-by: Patrice Chotard +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/st/clk-flexgen.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/clk/st/clk-flexgen.c b/drivers/clk/st/clk-flexgen.c +index 918ba3164da94..cd856210db58c 100644 +--- a/drivers/clk/st/clk-flexgen.c ++++ b/drivers/clk/st/clk-flexgen.c +@@ -373,6 +373,7 @@ static void __init st_of_flexgen_setup(struct device_node *np) + break; + } + ++ flex_flags &= ~CLK_IS_CRITICAL; + of_clk_detect_critical(np, i, &flex_flags); + + /* +-- +2.25.1 + diff --git a/queue-4.14/clk-qcom-msm8916-fix-the-address-location-of-pll-con.patch b/queue-4.14/clk-qcom-msm8916-fix-the-address-location-of-pll-con.patch new file mode 100644 index 00000000000..f0004e1d002 --- /dev/null +++ b/queue-4.14/clk-qcom-msm8916-fix-the-address-location-of-pll-con.patch @@ -0,0 +1,94 @@ +From 8facf26623fdde6776dd908552ab490e57bf564d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Mar 2020 13:41:16 +0100 +Subject: clk: qcom: msm8916: Fix the address location of pll->config_reg + +From: Bryan O'Donoghue + +[ Upstream commit f47ab3c2f5338828a67e89d5f688d2cef9605245 ] + +During the process of debugging a processor derived from the msm8916 which +we found the new processor was not starting one of its PLLs. + +After tracing the addresses and writes that downstream was doing and +comparing to upstream it became obvious that we were writing to a different +register location than downstream when trying to configure the PLL. + +This error is also present in upstream msm8916. + +As an example clk-pll.c::clk_pll_recalc_rate wants to write to +pll->config_reg updating the bit-field POST_DIV_RATIO. That bit-field is +defined in PLL_USER_CTL not in PLL_CONFIG_CTL. Taking the BIMC PLL as an +example + +lm80-p0436-13_c_qc_snapdragon_410_processor_hrd.pdf + +0x01823010 GCC_BIMC_PLL_USER_CTL +0x01823014 GCC_BIMC_PLL_CONFIG_CTL + +This pattern is repeated for gpll0, gpll1, gpll2 and bimc_pll. + +This error is likely not apparent since the bootloader will already have +initialized these PLLs. + +This patch corrects the location of config_reg from PLL_CONFIG_CTL to +PLL_USER_CTL for all relevant PLLs on msm8916. + +Fixes commit 3966fab8b6ab ("clk: qcom: Add MSM8916 Global Clock Controller support") + +Cc: Georgi Djakov +Cc: Andy Gross +Cc: Bjorn Andersson +Cc: Michael Turquette +Cc: Stephen Boyd +Signed-off-by: Bryan O'Donoghue +Link: https://lkml.kernel.org/r/20200329124116.4185447-1-bryan.odonoghue@linaro.org +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gcc-msm8916.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/clk/qcom/gcc-msm8916.c b/drivers/clk/qcom/gcc-msm8916.c +index 2057809219f4e..7426d910e0797 100644 +--- a/drivers/clk/qcom/gcc-msm8916.c ++++ b/drivers/clk/qcom/gcc-msm8916.c +@@ -270,7 +270,7 @@ static struct clk_pll gpll0 = { + .l_reg = 0x21004, + .m_reg = 0x21008, + .n_reg = 0x2100c, +- .config_reg = 0x21014, ++ .config_reg = 0x21010, + .mode_reg = 0x21000, + .status_reg = 0x2101c, + .status_bit = 17, +@@ -297,7 +297,7 @@ static struct clk_pll gpll1 = { + .l_reg = 0x20004, + .m_reg = 0x20008, + .n_reg = 0x2000c, +- .config_reg = 0x20014, ++ .config_reg = 0x20010, + .mode_reg = 0x20000, + .status_reg = 0x2001c, + .status_bit = 17, +@@ -324,7 +324,7 @@ static struct clk_pll gpll2 = { + .l_reg = 0x4a004, + .m_reg = 0x4a008, + .n_reg = 0x4a00c, +- .config_reg = 0x4a014, ++ .config_reg = 0x4a010, + .mode_reg = 0x4a000, + .status_reg = 0x4a01c, + .status_bit = 17, +@@ -351,7 +351,7 @@ static struct clk_pll bimc_pll = { + .l_reg = 0x23004, + .m_reg = 0x23008, + .n_reg = 0x2300c, +- .config_reg = 0x23014, ++ .config_reg = 0x23010, + .mode_reg = 0x23000, + .status_reg = 0x2301c, + .status_bit = 17, +-- +2.25.1 + diff --git a/queue-4.14/clk-samsung-exynos5433-add-ignore_unused-flag-to-scl.patch b/queue-4.14/clk-samsung-exynos5433-add-ignore_unused-flag-to-scl.patch new file mode 100644 index 00000000000..c888a95fb89 --- /dev/null +++ b/queue-4.14/clk-samsung-exynos5433-add-ignore_unused-flag-to-scl.patch @@ -0,0 +1,68 @@ +From 2c7717a16ba683442bd4632f836ff3040723b0e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 May 2020 12:26:52 +0200 +Subject: clk: samsung: exynos5433: Add IGNORE_UNUSED flag to sclk_i2s1 + +From: Marek Szyprowski + +[ Upstream commit 25bdae0f1c6609ceaf55fe6700654f0be2253d8e ] + +Mark the SCLK clock for Exynos5433 I2S1 device with IGNORE_UNUSED flag to +match its behaviour with SCLK clock for AUD_I2S (I2S0) device until +a proper fix for Exynos I2S driver is ready. + +This fixes the following synchronous abort issue revealed by the probe +order change caused by the commit 93d2e4322aa7 ("of: platform: Batch +fwnode parsing when adding all top level devices") + +Internal error: synchronous external abort: 96000210 [#1] PREEMPT SMP +Modules linked in: +CPU: 0 PID: 50 Comm: kworker/0:1 Not tainted 5.7.0-rc5+ #701 +Hardware name: Samsung TM2E board (DT) +Workqueue: events deferred_probe_work_func +pstate: 60000005 (nZCv daif -PAN -UAO) +pc : samsung_i2s_probe+0x768/0x8f0 +lr : samsung_i2s_probe+0x688/0x8f0 +... +Call trace: + samsung_i2s_probe+0x768/0x8f0 + platform_drv_probe+0x50/0xa8 + really_probe+0x108/0x370 + driver_probe_device+0x54/0xb8 + __device_attach_driver+0x90/0xc0 + bus_for_each_drv+0x70/0xc8 + __device_attach+0xdc/0x140 + device_initial_probe+0x10/0x18 + bus_probe_device+0x94/0xa0 + deferred_probe_work_func+0x70/0xa8 + process_one_work+0x2a8/0x718 + worker_thread+0x48/0x470 + kthread+0x134/0x160 + ret_from_fork+0x10/0x1c +Code: 17ffffaf d503201f f94086c0 91003000 (88dffc00) +---[ end trace ccf721c9400ddbd6 ]--- + +Signed-off-by: Marek Szyprowski +Signed-off-by: Sylwester Nawrocki +Signed-off-by: Sasha Levin +--- + drivers/clk/samsung/clk-exynos5433.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/clk/samsung/clk-exynos5433.c b/drivers/clk/samsung/clk-exynos5433.c +index 1d2265f9ee974..1c327d5de98cb 100644 +--- a/drivers/clk/samsung/clk-exynos5433.c ++++ b/drivers/clk/samsung/clk-exynos5433.c +@@ -1674,7 +1674,8 @@ static const struct samsung_gate_clock peric_gate_clks[] __initconst = { + GATE(CLK_SCLK_PCM1, "sclk_pcm1", "sclk_pcm1_peric", + ENABLE_SCLK_PERIC, 7, CLK_SET_RATE_PARENT, 0), + GATE(CLK_SCLK_I2S1, "sclk_i2s1", "sclk_i2s1_peric", +- ENABLE_SCLK_PERIC, 6, CLK_SET_RATE_PARENT, 0), ++ ENABLE_SCLK_PERIC, 6, ++ CLK_SET_RATE_PARENT | CLK_IGNORE_UNUSED, 0), + GATE(CLK_SCLK_SPI2, "sclk_spi2", "sclk_spi2_peric", ENABLE_SCLK_PERIC, + 5, CLK_SET_RATE_PARENT, 0), + GATE(CLK_SCLK_SPI1, "sclk_spi1", "sclk_spi1_peric", ENABLE_SCLK_PERIC, +-- +2.25.1 + diff --git a/queue-4.14/clk-sunxi-fix-incorrect-usage-of-round_down.patch b/queue-4.14/clk-sunxi-fix-incorrect-usage-of-round_down.patch new file mode 100644 index 00000000000..749b6ab4bd2 --- /dev/null +++ b/queue-4.14/clk-sunxi-fix-incorrect-usage-of-round_down.patch @@ -0,0 +1,39 @@ +From b6fd3eb9f93f7380f12f7aa31efb2dd492818ea4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2020 22:13:32 +0100 +Subject: clk: sunxi: Fix incorrect usage of round_down() + +From: Rikard Falkeborn + +[ Upstream commit ee25d9742dabed3fd18158b518f846abeb70f319 ] + +round_down() can only round to powers of 2. If round_down() is asked +to round to something that is not a power of 2, incorrect results are +produced. The incorrect results can be both too large and too small. + +Instead, use rounddown() which can round to any number. + +Fixes: 6a721db180a2 ("clk: sunxi: Add A31 clocks support") +Signed-off-by: Rikard Falkeborn +Signed-off-by: Maxime Ripard +Signed-off-by: Sasha Levin +--- + drivers/clk/sunxi/clk-sunxi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/sunxi/clk-sunxi.c b/drivers/clk/sunxi/clk-sunxi.c +index aa4add580516d..0b5e091742f97 100644 +--- a/drivers/clk/sunxi/clk-sunxi.c ++++ b/drivers/clk/sunxi/clk-sunxi.c +@@ -98,7 +98,7 @@ static void sun6i_a31_get_pll1_factors(struct factors_request *req) + * Round down the frequency to the closest multiple of either + * 6 or 16 + */ +- u32 round_freq_6 = round_down(freq_mhz, 6); ++ u32 round_freq_6 = rounddown(freq_mhz, 6); + u32 round_freq_16 = round_down(freq_mhz, 16); + + if (round_freq_6 > round_freq_16) +-- +2.25.1 + diff --git a/queue-4.14/clk-ti-composite-fix-memory-leak.patch b/queue-4.14/clk-ti-composite-fix-memory-leak.patch new file mode 100644 index 00000000000..a4cdcae4295 --- /dev/null +++ b/queue-4.14/clk-ti-composite-fix-memory-leak.patch @@ -0,0 +1,38 @@ +From e63659ac4a0bffa688d88c3adf1306de92b5550b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Apr 2020 16:13:39 +0300 +Subject: clk: ti: composite: fix memory leak + +From: Tero Kristo + +[ Upstream commit c7c1cbbc9217ebb5601b88d138d4a5358548de9d ] + +The parent_names is never released for a component clock definition, +causing some memory leak. Fix by releasing it once it is no longer +needed. + +Reported-by: Tomi Valkeinen +Signed-off-by: Tero Kristo +Link: https://lkml.kernel.org/r/20200429131341.4697-2-t-kristo@ti.com +Acked-by: Tony Lindgren +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/ti/composite.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/clk/ti/composite.c b/drivers/clk/ti/composite.c +index beea89463ca2c..4ea5c08a1eb66 100644 +--- a/drivers/clk/ti/composite.c ++++ b/drivers/clk/ti/composite.c +@@ -240,6 +240,7 @@ cleanup: + if (!cclk->comp_clks[i]) + continue; + list_del(&cclk->comp_clks[i]->link); ++ kfree(cclk->comp_clks[i]->parent_names); + kfree(cclk->comp_clks[i]); + } + +-- +2.25.1 + diff --git a/queue-4.14/crypto-omap-sham-add-proper-load-balancing-support-f.patch b/queue-4.14/crypto-omap-sham-add-proper-load-balancing-support-f.patch new file mode 100644 index 00000000000..84788bbcf72 --- /dev/null +++ b/queue-4.14/crypto-omap-sham-add-proper-load-balancing-support-f.patch @@ -0,0 +1,169 @@ +From 2ecbdc4331c6a7ce1211115558962549f1fc1fb2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 May 2020 15:24:29 +0300 +Subject: crypto: omap-sham - add proper load balancing support for multicore + +From: Tero Kristo + +[ Upstream commit 281c377872ff5d15d80df25fc4df02d2676c7cde ] + +The current implementation of the multiple accelerator core support for +OMAP SHA does not work properly. It always picks up the first probed +accelerator core if this is available, and rest of the book keeping also +gets confused if there are two cores available. Add proper load +balancing support for SHA, and also fix any bugs related to the +multicore support while doing it. + +Signed-off-by: Tero Kristo +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/omap-sham.c | 64 ++++++++++++++++++-------------------- + 1 file changed, 31 insertions(+), 33 deletions(-) + +diff --git a/drivers/crypto/omap-sham.c b/drivers/crypto/omap-sham.c +index c1f8da958c78b..4e38b87c32284 100644 +--- a/drivers/crypto/omap-sham.c ++++ b/drivers/crypto/omap-sham.c +@@ -168,8 +168,6 @@ struct omap_sham_hmac_ctx { + }; + + struct omap_sham_ctx { +- struct omap_sham_dev *dd; +- + unsigned long flags; + + /* fallback stuff */ +@@ -916,27 +914,35 @@ static int omap_sham_update_dma_stop(struct omap_sham_dev *dd) + return 0; + } + ++struct omap_sham_dev *omap_sham_find_dev(struct omap_sham_reqctx *ctx) ++{ ++ struct omap_sham_dev *dd; ++ ++ if (ctx->dd) ++ return ctx->dd; ++ ++ spin_lock_bh(&sham.lock); ++ dd = list_first_entry(&sham.dev_list, struct omap_sham_dev, list); ++ list_move_tail(&dd->list, &sham.dev_list); ++ ctx->dd = dd; ++ spin_unlock_bh(&sham.lock); ++ ++ return dd; ++} ++ + static int omap_sham_init(struct ahash_request *req) + { + struct crypto_ahash *tfm = crypto_ahash_reqtfm(req); + struct omap_sham_ctx *tctx = crypto_ahash_ctx(tfm); + struct omap_sham_reqctx *ctx = ahash_request_ctx(req); +- struct omap_sham_dev *dd = NULL, *tmp; ++ struct omap_sham_dev *dd; + int bs = 0; + +- spin_lock_bh(&sham.lock); +- if (!tctx->dd) { +- list_for_each_entry(tmp, &sham.dev_list, list) { +- dd = tmp; +- break; +- } +- tctx->dd = dd; +- } else { +- dd = tctx->dd; +- } +- spin_unlock_bh(&sham.lock); ++ ctx->dd = NULL; + +- ctx->dd = dd; ++ dd = omap_sham_find_dev(ctx); ++ if (!dd) ++ return -ENODEV; + + ctx->flags = 0; + +@@ -1186,8 +1192,7 @@ err1: + static int omap_sham_enqueue(struct ahash_request *req, unsigned int op) + { + struct omap_sham_reqctx *ctx = ahash_request_ctx(req); +- struct omap_sham_ctx *tctx = crypto_tfm_ctx(req->base.tfm); +- struct omap_sham_dev *dd = tctx->dd; ++ struct omap_sham_dev *dd = ctx->dd; + + ctx->op = op; + +@@ -1197,7 +1202,7 @@ static int omap_sham_enqueue(struct ahash_request *req, unsigned int op) + static int omap_sham_update(struct ahash_request *req) + { + struct omap_sham_reqctx *ctx = ahash_request_ctx(req); +- struct omap_sham_dev *dd = ctx->dd; ++ struct omap_sham_dev *dd = omap_sham_find_dev(ctx); + + if (!req->nbytes) + return 0; +@@ -1302,21 +1307,8 @@ static int omap_sham_setkey(struct crypto_ahash *tfm, const u8 *key, + struct omap_sham_hmac_ctx *bctx = tctx->base; + int bs = crypto_shash_blocksize(bctx->shash); + int ds = crypto_shash_digestsize(bctx->shash); +- struct omap_sham_dev *dd = NULL, *tmp; + int err, i; + +- spin_lock_bh(&sham.lock); +- if (!tctx->dd) { +- list_for_each_entry(tmp, &sham.dev_list, list) { +- dd = tmp; +- break; +- } +- tctx->dd = dd; +- } else { +- dd = tctx->dd; +- } +- spin_unlock_bh(&sham.lock); +- + err = crypto_shash_setkey(tctx->fallback, key, keylen); + if (err) + return err; +@@ -1334,7 +1326,7 @@ static int omap_sham_setkey(struct crypto_ahash *tfm, const u8 *key, + + memset(bctx->ipad + keylen, 0, bs - keylen); + +- if (!test_bit(FLAGS_AUTO_XOR, &dd->flags)) { ++ if (!test_bit(FLAGS_AUTO_XOR, &sham.flags)) { + memcpy(bctx->opad, bctx->ipad, bs); + + for (i = 0; i < bs; i++) { +@@ -2073,6 +2065,7 @@ static int omap_sham_probe(struct platform_device *pdev) + } + + dd->flags |= dd->pdata->flags; ++ sham.flags |= dd->pdata->flags; + + pm_runtime_use_autosuspend(dev); + pm_runtime_set_autosuspend_delay(dev, DEFAULT_AUTOSUSPEND_DELAY); +@@ -2098,6 +2091,9 @@ static int omap_sham_probe(struct platform_device *pdev) + spin_unlock(&sham.lock); + + for (i = 0; i < dd->pdata->algs_info_size; i++) { ++ if (dd->pdata->algs_info[i].registered) ++ break; ++ + for (j = 0; j < dd->pdata->algs_info[i].size; j++) { + struct ahash_alg *alg; + +@@ -2143,9 +2139,11 @@ static int omap_sham_remove(struct platform_device *pdev) + list_del(&dd->list); + spin_unlock(&sham.lock); + for (i = dd->pdata->algs_info_size - 1; i >= 0; i--) +- for (j = dd->pdata->algs_info[i].registered - 1; j >= 0; j--) ++ for (j = dd->pdata->algs_info[i].registered - 1; j >= 0; j--) { + crypto_unregister_ahash( + &dd->pdata->algs_info[i].algs_list[j]); ++ dd->pdata->algs_info[i].registered--; ++ } + tasklet_kill(&dd->done_task); + pm_runtime_disable(&pdev->dev); + +-- +2.25.1 + diff --git a/queue-4.14/dlm-remove-bug-before-panic.patch b/queue-4.14/dlm-remove-bug-before-panic.patch new file mode 100644 index 00000000000..1facc0930b4 --- /dev/null +++ b/queue-4.14/dlm-remove-bug-before-panic.patch @@ -0,0 +1,51 @@ +From d29fe51931bdde7291896d7584ca3d4bb7fcd75a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 May 2020 23:34:28 +0200 +Subject: dlm: remove BUG() before panic() + +From: Arnd Bergmann + +[ Upstream commit fe204591cc9480347af7d2d6029b24a62e449486 ] + +Building a kernel with clang sometimes fails with an objtool error in dlm: + +fs/dlm/lock.o: warning: objtool: revert_lock_pc()+0xbd: can't find jump dest instruction at .text+0xd7fc + +The problem is that BUG() never returns and the compiler knows +that anything after it is unreachable, however the panic still +emits some code that does not get fully eliminated. + +Having both BUG() and panic() is really pointless as the BUG() +kills the current process and the subsequent panic() never hits. +In most cases, we probably don't really want either and should +replace the DLM_ASSERT() statements with WARN_ON(), as has +been done for some of them. + +Remove the BUG() here so the user at least sees the panic message +and we can reliably build randconfig kernels. + +Fixes: e7fd41792fc0 ("[DLM] The core of the DLM for GFS2/CLVM") +Cc: Josh Poimboeuf +Cc: clang-built-linux@googlegroups.com +Signed-off-by: Arnd Bergmann +Signed-off-by: David Teigland +Signed-off-by: Sasha Levin +--- + fs/dlm/dlm_internal.h | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/fs/dlm/dlm_internal.h b/fs/dlm/dlm_internal.h +index 748e8d59e6111..cb287df13a7aa 100644 +--- a/fs/dlm/dlm_internal.h ++++ b/fs/dlm/dlm_internal.h +@@ -99,7 +99,6 @@ do { \ + __LINE__, __FILE__, #x, jiffies); \ + {do} \ + printk("\n"); \ +- BUG(); \ + panic("DLM: Record message above and reboot.\n"); \ + } \ + } +-- +2.25.1 + diff --git a/queue-4.14/dm-mpath-switch-paths-in-dm_blk_ioctl-code-path.patch b/queue-4.14/dm-mpath-switch-paths-in-dm_blk_ioctl-code-path.patch new file mode 100644 index 00000000000..915d951c6e3 --- /dev/null +++ b/queue-4.14/dm-mpath-switch-paths-in-dm_blk_ioctl-code-path.patch @@ -0,0 +1,49 @@ +From 2f7ccbe15215fd420ae9ed35766f060d636fc410 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Apr 2020 22:29:09 +0200 +Subject: dm mpath: switch paths in dm_blk_ioctl() code path + +From: Martin Wilck + +[ Upstream commit 2361ae595352dec015d14292f1b539242d8446d6 ] + +SCSI LUN passthrough code such as qemu's "scsi-block" device model +pass every IO to the host via SG_IO ioctls. Currently, dm-multipath +calls choose_pgpath() only in the block IO code path, not in the ioctl +code path (unless current_pgpath is NULL). This has the effect that no +path switching and thus no load balancing is done for SCSI-passthrough +IO, unless the active path fails. + +Fix this by using the same logic in multipath_prepare_ioctl() as in +multipath_clone_and_map(). + +Note: The allegedly best path selection algorithm, service-time, +still wouldn't work perfectly, because the io size of the current +request is always set to 0. Changing that for the IO passthrough +case would require the ioctl cmd and arg to be passed to dm's +prepare_ioctl() method. + +Signed-off-by: Martin Wilck +Reviewed-by: Hannes Reinecke +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm-mpath.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/md/dm-mpath.c b/drivers/md/dm-mpath.c +index 8b7328666eaaf..7c60aace8d25d 100644 +--- a/drivers/md/dm-mpath.c ++++ b/drivers/md/dm-mpath.c +@@ -1815,7 +1815,7 @@ static int multipath_prepare_ioctl(struct dm_target *ti, + int r; + + current_pgpath = READ_ONCE(m->current_pgpath); +- if (!current_pgpath) ++ if (!current_pgpath || !test_bit(MPATHF_QUEUE_IO, &m->flags)) + current_pgpath = choose_pgpath(m, 0); + + if (current_pgpath) { +-- +2.25.1 + diff --git a/queue-4.14/dm-zoned-return-null-if-dmz_get_zone_for_reclaim-fai.patch b/queue-4.14/dm-zoned-return-null-if-dmz_get_zone_for_reclaim-fai.patch new file mode 100644 index 00000000000..e1efdae01ea --- /dev/null +++ b/queue-4.14/dm-zoned-return-null-if-dmz_get_zone_for_reclaim-fai.patch @@ -0,0 +1,64 @@ +From 675a3ae9c8008b9bd87e80f43b98dcf0a3dae3ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 May 2020 10:14:19 +0200 +Subject: dm zoned: return NULL if dmz_get_zone_for_reclaim() fails to find a + zone + +From: Hannes Reinecke + +[ Upstream commit 489dc0f06a5837f87482c0ce61d830d24e17082e ] + +The only case where dmz_get_zone_for_reclaim() cannot return a zone is +if the respective lists are empty. So we should just return a simple +NULL value here as we really don't have an error code which would make +sense. + +Signed-off-by: Hannes Reinecke +Reviewed-by: Damien Le Moal +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm-zoned-metadata.c | 4 ++-- + drivers/md/dm-zoned-reclaim.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/md/dm-zoned-metadata.c b/drivers/md/dm-zoned-metadata.c +index 4d658a0c60258..c6d3a4bc811ca 100644 +--- a/drivers/md/dm-zoned-metadata.c ++++ b/drivers/md/dm-zoned-metadata.c +@@ -1580,7 +1580,7 @@ static struct dm_zone *dmz_get_rnd_zone_for_reclaim(struct dmz_metadata *zmd) + return dzone; + } + +- return ERR_PTR(-EBUSY); ++ return NULL; + } + + /* +@@ -1600,7 +1600,7 @@ static struct dm_zone *dmz_get_seq_zone_for_reclaim(struct dmz_metadata *zmd) + return zone; + } + +- return ERR_PTR(-EBUSY); ++ return NULL; + } + + /* +diff --git a/drivers/md/dm-zoned-reclaim.c b/drivers/md/dm-zoned-reclaim.c +index 2fad512dce98f..1015b200330b8 100644 +--- a/drivers/md/dm-zoned-reclaim.c ++++ b/drivers/md/dm-zoned-reclaim.c +@@ -350,8 +350,8 @@ static int dmz_do_reclaim(struct dmz_reclaim *zrc) + + /* Get a data zone */ + dzone = dmz_get_zone_for_reclaim(zmd); +- if (IS_ERR(dzone)) +- return PTR_ERR(dzone); ++ if (!dzone) ++ return -EBUSY; + + start = jiffies; + +-- +2.25.1 + diff --git a/queue-4.14/drivers-base-fix-null-pointer-exception-in-__platfor.patch b/queue-4.14/drivers-base-fix-null-pointer-exception-in-__platfor.patch new file mode 100644 index 00000000000..acebe706055 --- /dev/null +++ b/queue-4.14/drivers-base-fix-null-pointer-exception-in-__platfor.patch @@ -0,0 +1,85 @@ +From 0cbd12ceb7d891bb70d507547e3e39ac3f816d01 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Apr 2020 14:40:03 -0700 +Subject: drivers: base: Fix NULL pointer exception in + __platform_driver_probe() if a driver developer is foolish + +From: Kuppuswamy Sathyanarayanan + +[ Upstream commit 388bcc6ecc609fca1b4920de7dc3806c98ec535e ] + +If platform bus driver registration is failed then, accessing +platform bus spin lock (&drv->driver.bus->p->klist_drivers.k_lock) +in __platform_driver_probe() without verifying the return value +__platform_driver_register() can lead to NULL pointer exception. + +So check the return value before attempting the spin lock. + +One such example is below: + +For a custom usecase, I have intentionally failed the platform bus +registration and I expected all the platform device/driver +registrations to fail gracefully. But I came across this panic +issue. + +[ 1.331067] BUG: kernel NULL pointer dereference, address: 00000000000000c8 +[ 1.331118] #PF: supervisor write access in kernel mode +[ 1.331163] #PF: error_code(0x0002) - not-present page +[ 1.331208] PGD 0 P4D 0 +[ 1.331233] Oops: 0002 [#1] PREEMPT SMP +[ 1.331268] CPU: 3 PID: 1 Comm: swapper/0 Tainted: G W 5.6.0-00049-g670d35fb0144 #165 +[ 1.331341] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 +[ 1.331406] RIP: 0010:_raw_spin_lock+0x15/0x30 +[ 1.331588] RSP: 0000:ffffc9000001be70 EFLAGS: 00010246 +[ 1.331632] RAX: 0000000000000000 RBX: 00000000000000c8 RCX: 0000000000000001 +[ 1.331696] RDX: 0000000000000001 RSI: 0000000000000092 RDI: 0000000000000000 +[ 1.331754] RBP: 00000000ffffffed R08: 0000000000000501 R09: 0000000000000001 +[ 1.331817] R10: ffff88817abcc520 R11: 0000000000000670 R12: 00000000ffffffed +[ 1.331881] R13: ffffffff82dbc268 R14: ffffffff832f070a R15: 0000000000000000 +[ 1.331945] FS: 0000000000000000(0000) GS:ffff88817bd80000(0000) knlGS:0000000000000000 +[ 1.332008] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 1.332062] CR2: 00000000000000c8 CR3: 000000000681e001 CR4: 00000000003606e0 +[ 1.332126] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 1.332189] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 1.332252] Call Trace: +[ 1.332281] __platform_driver_probe+0x92/0xee +[ 1.332323] ? rtc_dev_init+0x2b/0x2b +[ 1.332358] cmos_init+0x37/0x67 +[ 1.332396] do_one_initcall+0x7d/0x168 +[ 1.332428] kernel_init_freeable+0x16c/0x1c9 +[ 1.332473] ? rest_init+0xc0/0xc0 +[ 1.332508] kernel_init+0x5/0x100 +[ 1.332543] ret_from_fork+0x1f/0x30 +[ 1.332579] CR2: 00000000000000c8 +[ 1.332616] ---[ end trace 3bd87f12e9010b87 ]--- +[ 1.333549] note: swapper/0[1] exited with preempt_count 1 +[ 1.333592] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009 +[ 1.333736] Kernel Offset: disabled + +Note, this can only be triggered if a driver errors out from this call, +which should never happen. If it does, the driver needs to be fixed. + +Signed-off-by: Kuppuswamy Sathyanarayanan +Link: https://lore.kernel.org/r/20200408214003.3356-1-sathyanarayanan.kuppuswamy@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/base/platform.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/base/platform.c b/drivers/base/platform.c +index bcb6519fe2113..0ee3cab88f70f 100644 +--- a/drivers/base/platform.c ++++ b/drivers/base/platform.c +@@ -702,6 +702,8 @@ int __init_or_module __platform_driver_probe(struct platform_driver *drv, + /* temporary section violation during probe() */ + drv->probe = probe; + retval = code = __platform_driver_register(drv, module); ++ if (retval) ++ return retval; + + /* + * Fixup that section violation, being paranoid about code scanning +-- +2.25.1 + diff --git a/queue-4.14/drm-encoder_slave-fix-refcouting-error-for-modules.patch b/queue-4.14/drm-encoder_slave-fix-refcouting-error-for-modules.patch new file mode 100644 index 00000000000..b0b86e5b213 --- /dev/null +++ b/queue-4.14/drm-encoder_slave-fix-refcouting-error-for-modules.patch @@ -0,0 +1,50 @@ +From 09183299d0212bb4f781446b971e627d02770c27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Jun 2020 09:58:10 +0200 +Subject: drm: encoder_slave: fix refcouting error for modules + +From: Wolfram Sang + +[ Upstream commit f78d4032de60f50fd4afaa0fb68ea03b985f820a ] + +module_put() balances try_module_get(), not request_module(). Fix the +error path to match that. + +Fixes: 2066facca4c7 ("drm/kms: slave encoder interface.") +Signed-off-by: Wolfram Sang +Reviewed-by: Emil Velikov +Acked-by: Daniel Vetter +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_encoder_slave.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/drm_encoder_slave.c b/drivers/gpu/drm/drm_encoder_slave.c +index cf804389f5eca..d50a7884e69e1 100644 +--- a/drivers/gpu/drm/drm_encoder_slave.c ++++ b/drivers/gpu/drm/drm_encoder_slave.c +@@ -84,7 +84,7 @@ int drm_i2c_encoder_init(struct drm_device *dev, + + err = encoder_drv->encoder_init(client, dev, encoder); + if (err) +- goto fail_unregister; ++ goto fail_module_put; + + if (info->platform_data) + encoder->slave_funcs->set_config(&encoder->base, +@@ -92,9 +92,10 @@ int drm_i2c_encoder_init(struct drm_device *dev, + + return 0; + ++fail_module_put: ++ module_put(module); + fail_unregister: + i2c_unregister_device(client); +- module_put(module); + fail: + return err; + } +-- +2.25.1 + diff --git a/queue-4.14/drm-msm-mdp5-fix-mdp5_init-error-path-for-failed-mdp.patch b/queue-4.14/drm-msm-mdp5-fix-mdp5_init-error-path-for-failed-mdp.patch new file mode 100644 index 00000000000..57052196c18 --- /dev/null +++ b/queue-4.14/drm-msm-mdp5-fix-mdp5_init-error-path-for-failed-mdp.patch @@ -0,0 +1,37 @@ +From 3a7314cb1e950876d1bec6d252af35ffac7ce28f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Apr 2020 18:07:37 +0100 +Subject: drm/msm/mdp5: Fix mdp5_init error path for failed mdp5_kms allocation + +From: Roy Spliet + +[ Upstream commit e4337877c5d578722c0716f131fb774522013cf5 ] + +When allocation for mdp5_kms fails, calling mdp5_destroy() leads to undefined +behaviour, likely a nullptr exception or use-after-free troubles. + +Signed-off-by: Roy Spliet +Reviewed-by: Abhinav Kumar +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/mdp/mdp5/mdp5_kms.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/mdp/mdp5/mdp5_kms.c b/drivers/gpu/drm/msm/mdp/mdp5/mdp5_kms.c +index f7c0698fec401..791a74b9907d8 100644 +--- a/drivers/gpu/drm/msm/mdp/mdp5/mdp5_kms.c ++++ b/drivers/gpu/drm/msm/mdp/mdp5/mdp5_kms.c +@@ -972,7 +972,8 @@ static int mdp5_init(struct platform_device *pdev, struct drm_device *dev) + + return 0; + fail: +- mdp5_destroy(pdev); ++ if (mdp5_kms) ++ mdp5_destroy(pdev); + return ret; + } + +-- +2.25.1 + diff --git a/queue-4.14/drm-sun4i-hdmi-ddc-clk-fix-size-of-m-divider.patch b/queue-4.14/drm-sun4i-hdmi-ddc-clk-fix-size-of-m-divider.patch new file mode 100644 index 00000000000..a06cd06f0ce --- /dev/null +++ b/queue-4.14/drm-sun4i-hdmi-ddc-clk-fix-size-of-m-divider.patch @@ -0,0 +1,51 @@ +From c45cac14f7f40969b3c1e0d368fcb7b8d60d5cc4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Apr 2020 11:54:57 +0200 +Subject: drm/sun4i: hdmi ddc clk: Fix size of m divider + +From: Jernej Skrabec + +[ Upstream commit 54e1e06bcf1cf6e7ac3f86daa5f7454add24b494 ] + +m divider in DDC clock register is 4 bits wide. Fix that. + +Fixes: 9c5681011a0c ("drm/sun4i: Add HDMI support") +Signed-off-by: Jernej Skrabec +Reviewed-by: Chen-Yu Tsai +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/20200413095457.1176754-1-jernej.skrabec@siol.net +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/sun4i/sun4i_hdmi.h | 2 +- + drivers/gpu/drm/sun4i/sun4i_hdmi_ddc_clk.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/sun4i/sun4i_hdmi.h b/drivers/gpu/drm/sun4i/sun4i_hdmi.h +index a1f8cba251a24..3d9148eb40a7e 100644 +--- a/drivers/gpu/drm/sun4i/sun4i_hdmi.h ++++ b/drivers/gpu/drm/sun4i/sun4i_hdmi.h +@@ -143,7 +143,7 @@ + #define SUN4I_HDMI_DDC_CMD_IMPLICIT_WRITE 3 + + #define SUN4I_HDMI_DDC_CLK_REG 0x528 +-#define SUN4I_HDMI_DDC_CLK_M(m) (((m) & 0x7) << 3) ++#define SUN4I_HDMI_DDC_CLK_M(m) (((m) & 0xf) << 3) + #define SUN4I_HDMI_DDC_CLK_N(n) ((n) & 0x7) + + #define SUN4I_HDMI_DDC_LINE_CTRL_REG 0x540 +diff --git a/drivers/gpu/drm/sun4i/sun4i_hdmi_ddc_clk.c b/drivers/gpu/drm/sun4i/sun4i_hdmi_ddc_clk.c +index 4692e8c345ed4..58d9557a774fe 100644 +--- a/drivers/gpu/drm/sun4i/sun4i_hdmi_ddc_clk.c ++++ b/drivers/gpu/drm/sun4i/sun4i_hdmi_ddc_clk.c +@@ -32,7 +32,7 @@ static unsigned long sun4i_ddc_calc_divider(unsigned long rate, + unsigned long best_rate = 0; + u8 best_m = 0, best_n = 0, _m, _n; + +- for (_m = 0; _m < 8; _m++) { ++ for (_m = 0; _m < 16; _m++) { + for (_n = 0; _n < 8; _n++) { + unsigned long tmp_rate; + +-- +2.25.1 + diff --git a/queue-4.14/elfnote-mark-all-.note-sections-shf_alloc.patch b/queue-4.14/elfnote-mark-all-.note-sections-shf_alloc.patch new file mode 100644 index 00000000000..6de0b9a7a0b --- /dev/null +++ b/queue-4.14/elfnote-mark-all-.note-sections-shf_alloc.patch @@ -0,0 +1,61 @@ +From 965aa34e568b22eec3d48d2eb2503f6a95c5e424 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jun 2020 16:50:49 -0700 +Subject: elfnote: mark all .note sections SHF_ALLOC + +From: Nick Desaulniers + +[ Upstream commit 51da9dfb7f20911ae4e79e9b412a9c2d4c373d4b ] + +ELFNOTE_START allows callers to specify flags for .pushsection assembler +directives. All callsites but ELF_NOTE use "a" for SHF_ALLOC. For vdso's +that explicitly use ELF_NOTE_START and BUILD_SALT, the same section is +specified twice after preprocessing, once with "a" flag, once without. +Example: + +.pushsection .note.Linux, "a", @note ; +.pushsection .note.Linux, "", @note ; + +While GNU as allows this ordering, it warns for the opposite ordering, +making these directives position dependent. We'd prefer not to precisely +match this behavior in Clang's integrated assembler. Instead, the non +__ASSEMBLY__ definition of ELF_NOTE uses +__attribute__((section(".note.Linux"))) which is created with SHF_ALLOC, +so let's make the __ASSEMBLY__ definition of ELF_NOTE consistent with C +and just always use "a" flag. + +This allows Clang to assemble a working mainline (5.6) kernel via: +$ make CC=clang AS=clang + +Signed-off-by: Nick Desaulniers +Signed-off-by: Andrew Morton +Reviewed-by: Nathan Chancellor +Reviewed-by: Fangrui Song +Cc: Jeremy Fitzhardinge +Cc: Thomas Gleixner +Cc: Vincenzo Frascino +Link: https://github.com/ClangBuiltLinux/linux/issues/913 +Link: http://lkml.kernel.org/r/20200325231250.99205-1-ndesaulniers@google.com +Debugged-by: Ilie Halip +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/elfnote.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/elfnote.h b/include/linux/elfnote.h +index f236f5b931b2a..7fdd7f355b529 100644 +--- a/include/linux/elfnote.h ++++ b/include/linux/elfnote.h +@@ -54,7 +54,7 @@ + .popsection ; + + #define ELFNOTE(name, type, desc) \ +- ELFNOTE_START(name, type, "") \ ++ ELFNOTE_START(name, type, "a") \ + desc ; \ + ELFNOTE_END + +-- +2.25.1 + diff --git a/queue-4.14/extcon-adc-jack-fix-an-error-handling-path-in-adc_ja.patch b/queue-4.14/extcon-adc-jack-fix-an-error-handling-path-in-adc_ja.patch new file mode 100644 index 00000000000..8f1a4bb6ca3 --- /dev/null +++ b/queue-4.14/extcon-adc-jack-fix-an-error-handling-path-in-adc_ja.patch @@ -0,0 +1,49 @@ +From eb42235bf1702ef60d10a11ad45a9a6fd510f2e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 May 2020 11:53:03 +0200 +Subject: extcon: adc-jack: Fix an error handling path in 'adc_jack_probe()' + +From: Christophe JAILLET + +[ Upstream commit bc84cff2c92ae5ccb2c37da73756e7174b1b430f ] + +In some error handling paths, a call to 'iio_channel_get()' is not balanced +by a corresponding call to 'iio_channel_release()'. + +This can be achieved easily by using the devm_ variant of +'iio_channel_get()'. + +This has the extra benefit to simplify the remove function. + +Fixes: 19939860dcae ("extcon: adc_jack: adc-jack driver to support 3.5 pi or simliar devices") +Signed-off-by: Christophe JAILLET +Signed-off-by: Chanwoo Choi +Signed-off-by: Sasha Levin +--- + drivers/extcon/extcon-adc-jack.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/extcon/extcon-adc-jack.c b/drivers/extcon/extcon-adc-jack.c +index 6f6537ab0a791..59e6ca685be85 100644 +--- a/drivers/extcon/extcon-adc-jack.c ++++ b/drivers/extcon/extcon-adc-jack.c +@@ -128,7 +128,7 @@ static int adc_jack_probe(struct platform_device *pdev) + for (i = 0; data->adc_conditions[i].id != EXTCON_NONE; i++); + data->num_conditions = i; + +- data->chan = iio_channel_get(&pdev->dev, pdata->consumer_channel); ++ data->chan = devm_iio_channel_get(&pdev->dev, pdata->consumer_channel); + if (IS_ERR(data->chan)) + return PTR_ERR(data->chan); + +@@ -170,7 +170,6 @@ static int adc_jack_remove(struct platform_device *pdev) + + free_irq(data->irq, data); + cancel_work_sync(&data->handler.work); +- iio_channel_release(data->chan); + + return 0; + } +-- +2.25.1 + diff --git a/queue-4.14/f2fs-report-delalloc-reserve-as-non-free-in-statfs-f.patch b/queue-4.14/f2fs-report-delalloc-reserve-as-non-free-in-statfs-f.patch new file mode 100644 index 00000000000..fc12688c1fe --- /dev/null +++ b/queue-4.14/f2fs-report-delalloc-reserve-as-non-free-in-statfs-f.patch @@ -0,0 +1,41 @@ +From daf584fda1d7ce8186997534d3f92e9c539c2425 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 May 2020 09:15:18 +0300 +Subject: f2fs: report delalloc reserve as non-free in statfs for project quota + +From: Konstantin Khlebnikov + +[ Upstream commit baaa7ebf25c78c5cb712fac16b7f549100beddd3 ] + +This reserved space isn't committed yet but cannot be used for +allocations. For userspace it has no difference from used space. + +See the same fix in ext4 commit f06925c73942 ("ext4: report delalloc +reserve as non-free in statfs for project quota"). + +Fixes: ddc34e328d06 ("f2fs: introduce f2fs_statfs_project") +Signed-off-by: Konstantin Khlebnikov +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/super.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c +index 2d021a33914a6..89319c3524061 100644 +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -918,7 +918,8 @@ static int f2fs_statfs_project(struct super_block *sb, + limit >>= sb->s_blocksize_bits; + + if (limit && buf->f_blocks > limit) { +- curblock = dquot->dq_dqb.dqb_curspace >> sb->s_blocksize_bits; ++ curblock = (dquot->dq_dqb.dqb_curspace + ++ dquot->dq_dqb.dqb_rsvspace) >> sb->s_blocksize_bits; + buf->f_blocks = limit; + buf->f_bfree = buf->f_bavail = + (buf->f_blocks > curblock) ? +-- +2.25.1 + diff --git a/queue-4.14/geneve-change-from-tx_error-to-tx_dropped-on-missing.patch b/queue-4.14/geneve-change-from-tx_error-to-tx_dropped-on-missing.patch new file mode 100644 index 00000000000..237d098de55 --- /dev/null +++ b/queue-4.14/geneve-change-from-tx_error-to-tx_dropped-on-missing.patch @@ -0,0 +1,64 @@ +From 1c419b4ccfb7dfde31ebf0dd937d802cd281bdbf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jun 2020 11:12:14 +0200 +Subject: geneve: change from tx_error to tx_dropped on missing metadata + +From: Jiri Benc + +[ Upstream commit 9d149045b3c0e44c049cdbce8a64e19415290017 ] + +If the geneve interface is in collect_md (external) mode, it can't send any +packets submitted directly to its net interface, as such packets won't have +metadata attached. This is expected. + +However, the kernel itself sends some packets to the interface, most +notably, IPv6 DAD, IPv6 multicast listener reports, etc. This is not wrong, +as tunnel metadata can be specified in routing table (although technically, +that has never worked for IPv6, but hopefully will be fixed eventually) and +then the interface must correctly participate in IPv6 housekeeping. + +The problem is that any such attempt increases the tx_error counter. Just +bringing up a geneve interface with IPv6 enabled is enough to see a number +of tx_errors. That causes confusion among users, prompting them to find +a network error where there is none. + +Change the counter used to tx_dropped. That better conveys the meaning +(there's nothing wrong going on, just some packets are getting dropped) and +hopefully will make admins panic less. + +Signed-off-by: Jiri Benc +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/geneve.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c +index 6d3fa36b16160..3c9f8770f7e78 100644 +--- a/drivers/net/geneve.c ++++ b/drivers/net/geneve.c +@@ -915,9 +915,10 @@ static netdev_tx_t geneve_xmit(struct sk_buff *skb, struct net_device *dev) + if (geneve->collect_md) { + info = skb_tunnel_info(skb); + if (unlikely(!info || !(info->mode & IP_TUNNEL_INFO_TX))) { +- err = -EINVAL; + netdev_dbg(dev, "no tunnel metadata\n"); +- goto tx_error; ++ dev_kfree_skb(skb); ++ dev->stats.tx_dropped++; ++ return NETDEV_TX_OK; + } + } else { + info = &geneve->info; +@@ -934,7 +935,7 @@ static netdev_tx_t geneve_xmit(struct sk_buff *skb, struct net_device *dev) + + if (likely(!err)) + return NETDEV_TX_OK; +-tx_error: ++ + dev_kfree_skb(skb); + + if (err == -ELOOP) +-- +2.25.1 + diff --git a/queue-4.14/gfs2-allow-lock_nolock-mount-to-specify-jid-x.patch b/queue-4.14/gfs2-allow-lock_nolock-mount-to-specify-jid-x.patch new file mode 100644 index 00000000000..f4c3e45f98e --- /dev/null +++ b/queue-4.14/gfs2-allow-lock_nolock-mount-to-specify-jid-x.patch @@ -0,0 +1,46 @@ +From 1a2cb324a544850e0f788d90902041e1279fb627 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Apr 2020 08:45:54 -0500 +Subject: gfs2: Allow lock_nolock mount to specify jid=X + +From: Bob Peterson + +[ Upstream commit ea22eee4e6027d8927099de344f7fff43c507ef9 ] + +Before this patch, a simple typo accidentally added \n to the jid= +string for lock_nolock mounts. This made it impossible to mount a +gfs2 file system with a journal other than journal0. Thus: + +mount -tgfs2 -o hostdata="jid=1" + +Resulted in: +mount: wrong fs type, bad option, bad superblock on + +In most cases this is not a problem. However, for debugging and +testing purposes we sometimes want to test the integrity of other +journals. This patch removes the unnecessary \n and thus allows +lock_nolock users to specify an alternate journal. + +Signed-off-by: Bob Peterson +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/ops_fstype.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c +index 057be88eb1b42..7ed0359ebac61 100644 +--- a/fs/gfs2/ops_fstype.c ++++ b/fs/gfs2/ops_fstype.c +@@ -922,7 +922,7 @@ fail: + } + + static const match_table_t nolock_tokens = { +- { Opt_jid, "jid=%d\n", }, ++ { Opt_jid, "jid=%d", }, + { Opt_err, NULL }, + }; + +-- +2.25.1 + diff --git a/queue-4.14/gfs2-fix-use-after-free-on-transaction-ail-lists.patch b/queue-4.14/gfs2-fix-use-after-free-on-transaction-ail-lists.patch new file mode 100644 index 00000000000..aaff5792439 --- /dev/null +++ b/queue-4.14/gfs2-fix-use-after-free-on-transaction-ail-lists.patch @@ -0,0 +1,79 @@ +From 929bd8b14499557e1e22306b95fda86877e1e5b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jun 2020 14:28:58 -0500 +Subject: gfs2: fix use-after-free on transaction ail lists + +From: Bob Peterson + +[ Upstream commit 83d060ca8d90fa1e3feac227f995c013100862d3 ] + +Before this patch, transactions could be merged into the system +transaction by function gfs2_merge_trans(), but the transaction ail +lists were never merged. Because the ail flushing mechanism can run +separately, bd elements can be attached to the transaction's buffer +list during the transaction (trans_add_meta, etc) but quickly moved +to its ail lists. Later, in function gfs2_trans_end, the transaction +can be freed (by gfs2_trans_end) while it still has bd elements +queued to its ail lists, which can cause it to either lose track of +the bd elements altogether (memory leak) or worse, reference the bd +elements after the parent transaction has been freed. + +Although I've not seen any serious consequences, the problem becomes +apparent with the previous patch's addition of: + + gfs2_assert_warn(sdp, list_empty(&tr->tr_ail1_list)); + +to function gfs2_trans_free(). + +This patch adds logic into gfs2_merge_trans() to move the merged +transaction's ail lists to the sdp transaction. This prevents the +use-after-free. To do this properly, we need to hold the ail lock, +so we pass sdp into the function instead of the transaction itself. + +Signed-off-by: Bob Peterson +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/log.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/fs/gfs2/log.c b/fs/gfs2/log.c +index a3208511f35aa..f30418911e1bd 100644 +--- a/fs/gfs2/log.c ++++ b/fs/gfs2/log.c +@@ -804,8 +804,10 @@ void gfs2_log_flush(struct gfs2_sbd *sdp, struct gfs2_glock *gl, + * @new: New transaction to be merged + */ + +-static void gfs2_merge_trans(struct gfs2_trans *old, struct gfs2_trans *new) ++static void gfs2_merge_trans(struct gfs2_sbd *sdp, struct gfs2_trans *new) + { ++ struct gfs2_trans *old = sdp->sd_log_tr; ++ + WARN_ON_ONCE(!test_bit(TR_ATTACHED, &old->tr_flags)); + + old->tr_num_buf_new += new->tr_num_buf_new; +@@ -817,6 +819,11 @@ static void gfs2_merge_trans(struct gfs2_trans *old, struct gfs2_trans *new) + + list_splice_tail_init(&new->tr_databuf, &old->tr_databuf); + list_splice_tail_init(&new->tr_buf, &old->tr_buf); ++ ++ spin_lock(&sdp->sd_ail_lock); ++ list_splice_tail_init(&new->tr_ail1_list, &old->tr_ail1_list); ++ list_splice_tail_init(&new->tr_ail2_list, &old->tr_ail2_list); ++ spin_unlock(&sdp->sd_ail_lock); + } + + static void log_refund(struct gfs2_sbd *sdp, struct gfs2_trans *tr) +@@ -828,7 +835,7 @@ static void log_refund(struct gfs2_sbd *sdp, struct gfs2_trans *tr) + gfs2_log_lock(sdp); + + if (sdp->sd_log_tr) { +- gfs2_merge_trans(sdp->sd_log_tr, tr); ++ gfs2_merge_trans(sdp, tr); + } else if (tr->tr_num_buf_new || tr->tr_num_databuf_new) { + gfs2_assert_withdraw(sdp, test_bit(TR_ALLOCED, &tr->tr_flags)); + sdp->sd_log_tr = tr; +-- +2.25.1 + diff --git a/queue-4.14/i2c-piix4-detect-secondary-smbus-controller-on-amd-a.patch b/queue-4.14/i2c-piix4-detect-secondary-smbus-controller-on-amd-a.patch new file mode 100644 index 00000000000..996857cfb67 --- /dev/null +++ b/queue-4.14/i2c-piix4-detect-secondary-smbus-controller-on-amd-a.patch @@ -0,0 +1,51 @@ +From 170d936d10997e154555d74611c000b76b4a6b31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Apr 2020 15:48:44 -0500 +Subject: i2c: piix4: Detect secondary SMBus controller on AMD AM4 chipsets + +From: Adam Honse + +[ Upstream commit f27237c174fd9653033330e4e532cd9d153ce824 ] + +The AMD X370 and other AM4 chipsets (A/B/X 3/4/5 parts) and Threadripper +equivalents have a secondary SMBus controller at I/O port address +0x0B20. This bus is used by several manufacturers to control +motherboard RGB lighting via embedded controllers. I have been using +this bus in my OpenRGB project to control the Aura RGB on many +motherboards and ASRock also uses this bus for their Polychrome RGB +controller. + +I am not aware of any CZ-compatible platforms which do not have the +second SMBus channel. All of AMD's AM4- and Threadripper- series +chipsets that OpenRGB users have tested appear to have this secondary +bus. I also noticed this secondary bus is present on older AMD +platforms including my FM1 home server. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=202587 +Signed-off-by: Adam Honse +Reviewed-by: Jean Delvare +Reviewed-by: Sebastian Reichel +Tested-by: Sebastian Reichel +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-piix4.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-piix4.c b/drivers/i2c/busses/i2c-piix4.c +index 4b81dc231b18f..5345b731bb7cc 100644 +--- a/drivers/i2c/busses/i2c-piix4.c ++++ b/drivers/i2c/busses/i2c-piix4.c +@@ -960,7 +960,8 @@ static int piix4_probe(struct pci_dev *dev, const struct pci_device_id *id) + } + + if (dev->vendor == PCI_VENDOR_ID_AMD && +- dev->device == PCI_DEVICE_ID_AMD_HUDSON2_SMBUS) { ++ (dev->device == PCI_DEVICE_ID_AMD_HUDSON2_SMBUS || ++ dev->device == PCI_DEVICE_ID_AMD_KERNCZ_SMBUS)) { + retval = piix4_setup_sb800(dev, id, 1); + } + +-- +2.25.1 + diff --git a/queue-4.14/i2c-pxa-clear-all-master-action-bits-in-i2c_pxa_stop.patch b/queue-4.14/i2c-pxa-clear-all-master-action-bits-in-i2c_pxa_stop.patch new file mode 100644 index 00000000000..86585f32454 --- /dev/null +++ b/queue-4.14/i2c-pxa-clear-all-master-action-bits-in-i2c_pxa_stop.patch @@ -0,0 +1,45 @@ +From 5616b079925bb4af63e7de5166b1ad4e73ce601e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 May 2020 10:36:38 +0100 +Subject: i2c: pxa: clear all master action bits in i2c_pxa_stop_message() + +From: Russell King + +[ Upstream commit e81c979f4e071d516aa27cf5a0c3939da00dc1ca ] + +If we timeout during a message transfer, the control register may +contain bits that cause an action to be set. Read-modify-writing the +register leaving these bits set may trigger the hardware to attempt +one of these actions unintentionally. + +Always clear these bits when cleaning up after a message or after +a timeout. + +Signed-off-by: Russell King +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-pxa.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-pxa.c b/drivers/i2c/busses/i2c-pxa.c +index 600d264e080c5..ecc84aea51319 100644 +--- a/drivers/i2c/busses/i2c-pxa.c ++++ b/drivers/i2c/busses/i2c-pxa.c +@@ -709,11 +709,9 @@ static inline void i2c_pxa_stop_message(struct pxa_i2c *i2c) + { + u32 icr; + +- /* +- * Clear the STOP and ACK flags +- */ ++ /* Clear the START, STOP, ACK, TB and MA flags */ + icr = readl(_ICR(i2c)); +- icr &= ~(ICR_STOP | ICR_ACKNAK); ++ icr &= ~(ICR_START | ICR_STOP | ICR_ACKNAK | ICR_TB | ICR_MA); + writel(icr, _ICR(i2c)); + } + +-- +2.25.1 + diff --git a/queue-4.14/i2c-pxa-fix-i2c_pxa_scream_blue_murder-debug-output.patch b/queue-4.14/i2c-pxa-fix-i2c_pxa_scream_blue_murder-debug-output.patch new file mode 100644 index 00000000000..31e04517ffd --- /dev/null +++ b/queue-4.14/i2c-pxa-fix-i2c_pxa_scream_blue_murder-debug-output.patch @@ -0,0 +1,54 @@ +From 96bded781c2d6c40bd8c7ab27ae929bf338adfc1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Apr 2020 19:49:22 +0100 +Subject: i2c: pxa: fix i2c_pxa_scream_blue_murder() debug output + +From: Russell King + +[ Upstream commit 88b73ee7ca4c90baf136ed5a8377fc5a9b73ac08 ] + +The IRQ log output is supposed to appear on a single line. However, +commit 3a2dc1677b60 ("i2c: pxa: Update debug function to dump more info +on error") resulted in it being printed one-entry-per-line, which is +excessively long. + +Fixing this is not a trivial matter; using pr_cont() doesn't work as +the previous dev_dbg() may not have been compiled in, or may be +dynamic. + +Since the rest of this function output is at error level, and is also +debug output, promote this to error level as well to avoid this +problem. + +Reduce the number of always zero prefix digits to save screen real- +estate. + +Signed-off-by: Russell King +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-pxa.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-pxa.c b/drivers/i2c/busses/i2c-pxa.c +index ecc84aea51319..e300f9530f190 100644 +--- a/drivers/i2c/busses/i2c-pxa.c ++++ b/drivers/i2c/busses/i2c-pxa.c +@@ -315,11 +315,10 @@ static void i2c_pxa_scream_blue_murder(struct pxa_i2c *i2c, const char *why) + dev_err(dev, "IBMR: %08x IDBR: %08x ICR: %08x ISR: %08x\n", + readl(_IBMR(i2c)), readl(_IDBR(i2c)), readl(_ICR(i2c)), + readl(_ISR(i2c))); +- dev_dbg(dev, "log: "); ++ dev_err(dev, "log:"); + for (i = 0; i < i2c->irqlogidx; i++) +- pr_debug("[%08x:%08x] ", i2c->isrlog[i], i2c->icrlog[i]); +- +- pr_debug("\n"); ++ pr_cont(" [%03x:%05x]", i2c->isrlog[i], i2c->icrlog[i]); ++ pr_cont("\n"); + } + + #else /* ifdef DEBUG */ +-- +2.25.1 + diff --git a/queue-4.14/ib-cma-fix-ports-memory-leak-in-cma_configfs.patch b/queue-4.14/ib-cma-fix-ports-memory-leak-in-cma_configfs.patch new file mode 100644 index 00000000000..962471152b6 --- /dev/null +++ b/queue-4.14/ib-cma-fix-ports-memory-leak-in-cma_configfs.patch @@ -0,0 +1,54 @@ +From e41061a3d9671e3b2c631f8c04a8f9d8a4041e07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 May 2020 10:26:50 +0300 +Subject: IB/cma: Fix ports memory leak in cma_configfs + +From: Maor Gottlieb + +[ Upstream commit 63a3345c2d42a9b29e1ce2d3a4043689b3995cea ] + +The allocated ports structure in never freed. The free function should be +called by release_cma_ports_group, but the group is never released since +we don't remove its default group. + +Remove default groups when device group is deleted. + +Fixes: 045959db65c6 ("IB/cma: Add configfs for rdma_cm") +Link: https://lore.kernel.org/r/20200521072650.567908-1-leon@kernel.org +Signed-off-by: Maor Gottlieb +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/cma_configfs.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/drivers/infiniband/core/cma_configfs.c b/drivers/infiniband/core/cma_configfs.c +index 54076a3e80076..ac47e8a1dfbf4 100644 +--- a/drivers/infiniband/core/cma_configfs.c ++++ b/drivers/infiniband/core/cma_configfs.c +@@ -319,8 +319,21 @@ fail: + return ERR_PTR(err); + } + ++static void drop_cma_dev(struct config_group *cgroup, struct config_item *item) ++{ ++ struct config_group *group = ++ container_of(item, struct config_group, cg_item); ++ struct cma_dev_group *cma_dev_group = ++ container_of(group, struct cma_dev_group, device_group); ++ ++ configfs_remove_default_groups(&cma_dev_group->ports_group); ++ configfs_remove_default_groups(&cma_dev_group->device_group); ++ config_item_put(item); ++} ++ + static struct configfs_group_operations cma_subsys_group_ops = { + .make_group = make_cma_dev, ++ .drop_item = drop_cma_dev, + }; + + static struct config_item_type cma_subsys_type = { +-- +2.25.1 + diff --git a/queue-4.14/iio-bmp280-fix-compensation-of-humidity.patch b/queue-4.14/iio-bmp280-fix-compensation-of-humidity.patch new file mode 100644 index 00000000000..d57359da1a7 --- /dev/null +++ b/queue-4.14/iio-bmp280-fix-compensation-of-humidity.patch @@ -0,0 +1,50 @@ +From 9d3f4ec761ce0b67e7552aaf054ed19827024700 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 May 2020 20:10:34 +0200 +Subject: iio: bmp280: fix compensation of humidity + +From: Andreas Klinger + +[ Upstream commit dee2dabc0e4115b80945fe2c91603e634f4b4686 ] + +Limit the output of humidity compensation to the range between 0 and 100 +percent. + +Depending on the calibration parameters of the individual sensor it +happens, that a humidity above 100 percent or below 0 percent is +calculated, which don't make sense in terms of relative humidity. + +Add a clamp to the compensation formula as described in the datasheet of +the sensor in chapter 4.2.3. + +Although this clamp is documented, it was never in the driver of the +kernel. + +It depends on the circumstances (calibration parameters, temperature, +humidity) if one can see a value above 100 percent without the clamp. +The writer of this patch was working with this type of sensor without +noting this error. So it seems to be a rare event when this bug occures. + +Signed-off-by: Andreas Klinger +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/pressure/bmp280-core.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/iio/pressure/bmp280-core.c b/drivers/iio/pressure/bmp280-core.c +index 3204dff34e0ad..ae415b4e381af 100644 +--- a/drivers/iio/pressure/bmp280-core.c ++++ b/drivers/iio/pressure/bmp280-core.c +@@ -182,6 +182,8 @@ static u32 bmp280_compensate_humidity(struct bmp280_data *data, + + (s32)2097152) * H2 + 8192) >> 14); + var -= ((((var >> 15) * (var >> 15)) >> 7) * (s32)H1) >> 4; + ++ var = clamp_val(var, 0, 419430400); ++ + return var >> 12; + }; + +-- +2.25.1 + diff --git a/queue-4.14/iio-pressure-bmp280-tolerate-irq-before-registering.patch b/queue-4.14/iio-pressure-bmp280-tolerate-irq-before-registering.patch new file mode 100644 index 00000000000..0dbd9910b65 --- /dev/null +++ b/queue-4.14/iio-pressure-bmp280-tolerate-irq-before-registering.patch @@ -0,0 +1,58 @@ +From b59e9ab315a0ec7d806582ec64562fd97ce54b16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2020 12:41:25 +0200 +Subject: iio: pressure: bmp280: Tolerate IRQ before registering + +From: Andy Shevchenko + +[ Upstream commit 97b31a6f5fb95b1ec6575b78a7240baddba34384 ] + +With DEBUG_SHIRQ enabled we have a kernel crash + +[ 116.482696] BUG: kernel NULL pointer dereference, address: 0000000000000000 + +... + +[ 116.606571] Call Trace: +[ 116.609023] +[ 116.611047] complete+0x34/0x50 +[ 116.614206] bmp085_eoc_irq+0x9/0x10 [bmp280] + +because DEBUG_SHIRQ mechanism fires an IRQ before registration and drivers +ought to be able to handle an interrupt happening before request_irq() returns. + +Fixes: aae953949651 ("iio: pressure: bmp280: add support for BMP085 EOC interrupt") +Signed-off-by: Andy Shevchenko +Acked-by: Linus Walleij +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/pressure/bmp280-core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/iio/pressure/bmp280-core.c b/drivers/iio/pressure/bmp280-core.c +index 5f625ffa2a88d..3204dff34e0ad 100644 +--- a/drivers/iio/pressure/bmp280-core.c ++++ b/drivers/iio/pressure/bmp280-core.c +@@ -651,7 +651,7 @@ static int bmp180_measure(struct bmp280_data *data, u8 ctrl_meas) + unsigned int ctrl; + + if (data->use_eoc) +- init_completion(&data->done); ++ reinit_completion(&data->done); + + ret = regmap_write(data->regmap, BMP280_REG_CTRL_MEAS, ctrl_meas); + if (ret) +@@ -907,6 +907,9 @@ static int bmp085_fetch_eoc_irq(struct device *dev, + "trying to enforce it\n"); + irq_trig = IRQF_TRIGGER_RISING; + } ++ ++ init_completion(&data->done); ++ + ret = devm_request_threaded_irq(dev, + irq, + bmp085_eoc_irq, +-- +2.25.1 + diff --git a/queue-4.14/include-linux-bitops.h-avoid-clang-shift-count-overf.patch b/queue-4.14/include-linux-bitops.h-avoid-clang-shift-count-overf.patch new file mode 100644 index 00000000000..727d613fd22 --- /dev/null +++ b/queue-4.14/include-linux-bitops.h-avoid-clang-shift-count-overf.patch @@ -0,0 +1,65 @@ +From ff7caad9634f2c983d2693d592216c75bed95624 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jun 2020 16:50:30 -0700 +Subject: include/linux/bitops.h: avoid clang shift-count-overflow warnings + +From: Arnd Bergmann + +[ Upstream commit bd93f003b7462ae39a43c531abca37fe7073b866 ] + +Clang normally does not warn about certain issues in inline functions when +it only happens in an eliminated code path. However if something else +goes wrong, it does tend to complain about the definition of hweight_long() +on 32-bit targets: + + include/linux/bitops.h:75:41: error: shift count >= width of type [-Werror,-Wshift-count-overflow] + return sizeof(w) == 4 ? hweight32(w) : hweight64(w); + ^~~~~~~~~~~~ + include/asm-generic/bitops/const_hweight.h:29:49: note: expanded from macro 'hweight64' + define hweight64(w) (__builtin_constant_p(w) ? __const_hweight64(w) : __arch_hweight64(w)) + ^~~~~~~~~~~~~~~~~~~~ + include/asm-generic/bitops/const_hweight.h:21:76: note: expanded from macro '__const_hweight64' + define __const_hweight64(w) (__const_hweight32(w) + __const_hweight32((w) >> 32)) + ^ ~~ + include/asm-generic/bitops/const_hweight.h:20:49: note: expanded from macro '__const_hweight32' + define __const_hweight32(w) (__const_hweight16(w) + __const_hweight16((w) >> 16)) + ^ + include/asm-generic/bitops/const_hweight.h:19:72: note: expanded from macro '__const_hweight16' + define __const_hweight16(w) (__const_hweight8(w) + __const_hweight8((w) >> 8 )) + ^ + include/asm-generic/bitops/const_hweight.h:12:9: note: expanded from macro '__const_hweight8' + (!!((w) & (1ULL << 2))) + \ + +Adding an explicit cast to __u64 avoids that warning and makes it easier +to read other output. + +Signed-off-by: Arnd Bergmann +Signed-off-by: Andrew Morton +Acked-by: Christian Brauner +Cc: Andy Shevchenko +Cc: Rasmus Villemoes +Cc: Josh Poimboeuf +Cc: Nick Desaulniers +Link: http://lkml.kernel.org/r/20200505135513.65265-1-arnd@arndb.de +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/bitops.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/bitops.h b/include/linux/bitops.h +index c51574fab0b00..00dcb1bad76b8 100644 +--- a/include/linux/bitops.h ++++ b/include/linux/bitops.h +@@ -50,7 +50,7 @@ static inline int get_bitmask_order(unsigned int count) + + static __always_inline unsigned long hweight_long(unsigned long w) + { +- return sizeof(w) == 4 ? hweight32(w) : hweight64(w); ++ return sizeof(w) == 4 ? hweight32(w) : hweight64((__u64)w); + } + + /** +-- +2.25.1 + diff --git a/queue-4.14/lib-zlib-remove-outdated-and-incorrect-pre-increment.patch b/queue-4.14/lib-zlib-remove-outdated-and-incorrect-pre-increment.patch new file mode 100644 index 00000000000..b4b9277e8e1 --- /dev/null +++ b/queue-4.14/lib-zlib-remove-outdated-and-incorrect-pre-increment.patch @@ -0,0 +1,279 @@ +From eec970ebd0fcffa9c5d06a48858863fa6aafa63a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jun 2020 16:50:17 -0700 +Subject: lib/zlib: remove outdated and incorrect pre-increment optimization + +From: Jann Horn + +[ Upstream commit acaab7335bd6f0c0b54ce3a00bd7f18222ce0f5f ] + +The zlib inflate code has an old micro-optimization based on the +assumption that for pre-increment memory accesses, the compiler will +generate code that fits better into the processor's pipeline than what +would be generated for post-increment memory accesses. + +This optimization was already removed in upstream zlib in 2016: +https://github.com/madler/zlib/commit/9aaec95e8211 + +This optimization causes UB according to C99, which says in section 6.5.6 +"Additive operators": "If both the pointer operand and the result point to +elements of the same array object, or one past the last element of the +array object, the evaluation shall not produce an overflow; otherwise, the +behavior is undefined". + +This UB is not only a theoretical concern, but can also cause trouble for +future work on compiler-based sanitizers. + +According to the zlib commit, this optimization also is not optimal +anymore with modern compilers. + +Replace uses of OFF, PUP and UP_UNALIGNED with their definitions in the +POSTINC case, and remove the macro definitions, just like in the upstream +patch. + +Signed-off-by: Jann Horn +Signed-off-by: Andrew Morton +Cc: Mikhail Zaslonko +Link: http://lkml.kernel.org/r/20200507123112.252723-1-jannh@google.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + lib/zlib_inflate/inffast.c | 91 +++++++++++++++----------------------- + 1 file changed, 35 insertions(+), 56 deletions(-) + +diff --git a/lib/zlib_inflate/inffast.c b/lib/zlib_inflate/inffast.c +index 2c13ecc5bb2c7..ed1f3df272602 100644 +--- a/lib/zlib_inflate/inffast.c ++++ b/lib/zlib_inflate/inffast.c +@@ -10,17 +10,6 @@ + + #ifndef ASMINF + +-/* Allow machine dependent optimization for post-increment or pre-increment. +- Based on testing to date, +- Pre-increment preferred for: +- - PowerPC G3 (Adler) +- - MIPS R5000 (Randers-Pehrson) +- Post-increment preferred for: +- - none +- No measurable difference: +- - Pentium III (Anderson) +- - M68060 (Nikl) +- */ + union uu { + unsigned short us; + unsigned char b[2]; +@@ -38,16 +27,6 @@ get_unaligned16(const unsigned short *p) + return mm.us; + } + +-#ifdef POSTINC +-# define OFF 0 +-# define PUP(a) *(a)++ +-# define UP_UNALIGNED(a) get_unaligned16((a)++) +-#else +-# define OFF 1 +-# define PUP(a) *++(a) +-# define UP_UNALIGNED(a) get_unaligned16(++(a)) +-#endif +- + /* + Decode literal, length, and distance codes and write out the resulting + literal and match bytes until either not enough input or output is +@@ -115,9 +94,9 @@ void inflate_fast(z_streamp strm, unsigned start) + + /* copy state to local variables */ + state = (struct inflate_state *)strm->state; +- in = strm->next_in - OFF; ++ in = strm->next_in; + last = in + (strm->avail_in - 5); +- out = strm->next_out - OFF; ++ out = strm->next_out; + beg = out - (start - strm->avail_out); + end = out + (strm->avail_out - 257); + #ifdef INFLATE_STRICT +@@ -138,9 +117,9 @@ void inflate_fast(z_streamp strm, unsigned start) + input data or output space */ + do { + if (bits < 15) { +- hold += (unsigned long)(PUP(in)) << bits; ++ hold += (unsigned long)(*in++) << bits; + bits += 8; +- hold += (unsigned long)(PUP(in)) << bits; ++ hold += (unsigned long)(*in++) << bits; + bits += 8; + } + this = lcode[hold & lmask]; +@@ -150,14 +129,14 @@ void inflate_fast(z_streamp strm, unsigned start) + bits -= op; + op = (unsigned)(this.op); + if (op == 0) { /* literal */ +- PUP(out) = (unsigned char)(this.val); ++ *out++ = (unsigned char)(this.val); + } + else if (op & 16) { /* length base */ + len = (unsigned)(this.val); + op &= 15; /* number of extra bits */ + if (op) { + if (bits < op) { +- hold += (unsigned long)(PUP(in)) << bits; ++ hold += (unsigned long)(*in++) << bits; + bits += 8; + } + len += (unsigned)hold & ((1U << op) - 1); +@@ -165,9 +144,9 @@ void inflate_fast(z_streamp strm, unsigned start) + bits -= op; + } + if (bits < 15) { +- hold += (unsigned long)(PUP(in)) << bits; ++ hold += (unsigned long)(*in++) << bits; + bits += 8; +- hold += (unsigned long)(PUP(in)) << bits; ++ hold += (unsigned long)(*in++) << bits; + bits += 8; + } + this = dcode[hold & dmask]; +@@ -180,10 +159,10 @@ void inflate_fast(z_streamp strm, unsigned start) + dist = (unsigned)(this.val); + op &= 15; /* number of extra bits */ + if (bits < op) { +- hold += (unsigned long)(PUP(in)) << bits; ++ hold += (unsigned long)(*in++) << bits; + bits += 8; + if (bits < op) { +- hold += (unsigned long)(PUP(in)) << bits; ++ hold += (unsigned long)(*in++) << bits; + bits += 8; + } + } +@@ -205,13 +184,13 @@ void inflate_fast(z_streamp strm, unsigned start) + state->mode = BAD; + break; + } +- from = window - OFF; ++ from = window; + if (write == 0) { /* very common case */ + from += wsize - op; + if (op < len) { /* some from window */ + len -= op; + do { +- PUP(out) = PUP(from); ++ *out++ = *from++; + } while (--op); + from = out - dist; /* rest from output */ + } +@@ -222,14 +201,14 @@ void inflate_fast(z_streamp strm, unsigned start) + if (op < len) { /* some from end of window */ + len -= op; + do { +- PUP(out) = PUP(from); ++ *out++ = *from++; + } while (--op); +- from = window - OFF; ++ from = window; + if (write < len) { /* some from start of window */ + op = write; + len -= op; + do { +- PUP(out) = PUP(from); ++ *out++ = *from++; + } while (--op); + from = out - dist; /* rest from output */ + } +@@ -240,21 +219,21 @@ void inflate_fast(z_streamp strm, unsigned start) + if (op < len) { /* some from window */ + len -= op; + do { +- PUP(out) = PUP(from); ++ *out++ = *from++; + } while (--op); + from = out - dist; /* rest from output */ + } + } + while (len > 2) { +- PUP(out) = PUP(from); +- PUP(out) = PUP(from); +- PUP(out) = PUP(from); ++ *out++ = *from++; ++ *out++ = *from++; ++ *out++ = *from++; + len -= 3; + } + if (len) { +- PUP(out) = PUP(from); ++ *out++ = *from++; + if (len > 1) +- PUP(out) = PUP(from); ++ *out++ = *from++; + } + } + else { +@@ -264,29 +243,29 @@ void inflate_fast(z_streamp strm, unsigned start) + from = out - dist; /* copy direct from output */ + /* minimum length is three */ + /* Align out addr */ +- if (!((long)(out - 1 + OFF) & 1)) { +- PUP(out) = PUP(from); ++ if (!((long)(out - 1) & 1)) { ++ *out++ = *from++; + len--; + } +- sout = (unsigned short *)(out - OFF); ++ sout = (unsigned short *)(out); + if (dist > 2) { + unsigned short *sfrom; + +- sfrom = (unsigned short *)(from - OFF); ++ sfrom = (unsigned short *)(from); + loops = len >> 1; + do + #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS +- PUP(sout) = PUP(sfrom); ++ *sout++ = *sfrom++; + #else +- PUP(sout) = UP_UNALIGNED(sfrom); ++ *sout++ = get_unaligned16(sfrom++); + #endif + while (--loops); +- out = (unsigned char *)sout + OFF; +- from = (unsigned char *)sfrom + OFF; ++ out = (unsigned char *)sout; ++ from = (unsigned char *)sfrom; + } else { /* dist == 1 or dist == 2 */ + unsigned short pat16; + +- pat16 = *(sout-1+OFF); ++ pat16 = *(sout-1); + if (dist == 1) { + union uu mm; + /* copy one char pattern to both bytes */ +@@ -296,12 +275,12 @@ void inflate_fast(z_streamp strm, unsigned start) + } + loops = len >> 1; + do +- PUP(sout) = pat16; ++ *sout++ = pat16; + while (--loops); +- out = (unsigned char *)sout + OFF; ++ out = (unsigned char *)sout; + } + if (len & 1) +- PUP(out) = PUP(from); ++ *out++ = *from++; + } + } + else if ((op & 64) == 0) { /* 2nd level distance code */ +@@ -336,8 +315,8 @@ void inflate_fast(z_streamp strm, unsigned start) + hold &= (1U << bits) - 1; + + /* update state and return */ +- strm->next_in = in + OFF; +- strm->next_out = out + OFF; ++ strm->next_in = in; ++ strm->next_out = out; + strm->avail_in = (unsigned)(in < last ? 5 + (last - in) : 5 - (in - last)); + strm->avail_out = (unsigned)(out < end ? + 257 + (end - out) : 257 - (out - end)); +-- +2.25.1 + diff --git a/queue-4.14/libata-use-per-port-sync-for-detach.patch b/queue-4.14/libata-use-per-port-sync-for-detach.patch new file mode 100644 index 00000000000..44fc72b8c0b --- /dev/null +++ b/queue-4.14/libata-use-per-port-sync-for-detach.patch @@ -0,0 +1,93 @@ +From ec1c8c38536d57810de9e8d0afeb91f995cfbe90 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jun 2020 15:48:19 +0800 +Subject: libata: Use per port sync for detach + +From: Kai-Heng Feng + +[ Upstream commit b5292111de9bb70cba3489075970889765302136 ] + +Commit 130f4caf145c ("libata: Ensure ata_port probe has completed before +detach") may cause system freeze during suspend. + +Using async_synchronize_full() in PM callbacks is wrong, since async +callbacks that are already scheduled may wait for not-yet-scheduled +callbacks, causes a circular dependency. + +Instead of using big hammer like async_synchronize_full(), use async +cookie to make sure port probe are synced, without affecting other +scheduled PM callbacks. + +Fixes: 130f4caf145c ("libata: Ensure ata_port probe has completed before detach") +Suggested-by: John Garry +Signed-off-by: Kai-Heng Feng +Tested-by: John Garry +BugLink: https://bugs.launchpad.net/bugs/1867983 +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-core.c | 11 +++++------ + include/linux/libata.h | 3 +++ + 2 files changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index 33eb5e342a7a9..a3a65f5490c02 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -57,7 +57,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -6536,7 +6535,7 @@ int ata_host_register(struct ata_host *host, struct scsi_host_template *sht) + /* perform each probe asynchronously */ + for (i = 0; i < host->n_ports; i++) { + struct ata_port *ap = host->ports[i]; +- async_schedule(async_port_probe, ap); ++ ap->cookie = async_schedule(async_port_probe, ap); + } + + return 0; +@@ -6676,11 +6675,11 @@ void ata_host_detach(struct ata_host *host) + { + int i; + +- /* Ensure ata_port probe has completed */ +- async_synchronize_full(); +- +- for (i = 0; i < host->n_ports; i++) ++ for (i = 0; i < host->n_ports; i++) { ++ /* Ensure ata_port probe has completed */ ++ async_synchronize_cookie(host->ports[i]->cookie + 1); + ata_port_detach(host->ports[i]); ++ } + + /* the host is dead now, dissociate ACPI */ + ata_acpi_dissociate(host); +diff --git a/include/linux/libata.h b/include/linux/libata.h +index 93838d98e3f38..5c9a44e3a0278 100644 +--- a/include/linux/libata.h ++++ b/include/linux/libata.h +@@ -38,6 +38,7 @@ + #include + #include + #include ++#include + + /* + * Define if arch has non-standard setup. This is a _PCI_ standard +@@ -884,6 +885,8 @@ struct ata_port { + struct timer_list fastdrain_timer; + unsigned long fastdrain_cnt; + ++ async_cookie_t cookie; ++ + int em_message_type; + void *private_data; + +-- +2.25.1 + diff --git a/queue-4.14/m68k-pci-fix-a-memory-leak-in-an-error-handling-path.patch b/queue-4.14/m68k-pci-fix-a-memory-leak-in-an-error-handling-path.patch new file mode 100644 index 00000000000..4885c4a80eb --- /dev/null +++ b/queue-4.14/m68k-pci-fix-a-memory-leak-in-an-error-handling-path.patch @@ -0,0 +1,40 @@ +From a1a4996925e2878e7dc54ce16652390ae35b2677 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Apr 2020 09:07:51 +0200 +Subject: m68k/PCI: Fix a memory leak in an error handling path + +From: Christophe JAILLET + +[ Upstream commit c3f4ec050f56eeab7c1f290321f9b762c95bd332 ] + +If 'ioremap' fails, we must free 'bridge', as done in other error handling +path bellow. + +Fixes: 19cc4c843f40 ("m68k/PCI: Replace pci_fixup_irqs() call with host bridge IRQ mapping hooks") +Signed-off-by: Christophe JAILLET +Reviewed-by: Geert Uytterhoeven +Signed-off-by: Greg Ungerer +Signed-off-by: Sasha Levin +--- + arch/m68k/coldfire/pci.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/m68k/coldfire/pci.c b/arch/m68k/coldfire/pci.c +index 3097fa2ca7467..1e428d18d268a 100644 +--- a/arch/m68k/coldfire/pci.c ++++ b/arch/m68k/coldfire/pci.c +@@ -316,8 +316,10 @@ static int __init mcf_pci_init(void) + + /* Keep a virtual mapping to IO/config space active */ + iospace = (unsigned long) ioremap(PCI_IO_PA, PCI_IO_SIZE); +- if (iospace == 0) ++ if (iospace == 0) { ++ pci_free_host_bridge(bridge); + return -ENODEV; ++ } + pr_info("Coldfire: PCI IO/config window mapped to 0x%x\n", + (u32) iospace); + +-- +2.25.1 + diff --git a/queue-4.14/mfd-wm8994-fix-driver-operation-if-loaded-as-modules.patch b/queue-4.14/mfd-wm8994-fix-driver-operation-if-loaded-as-modules.patch new file mode 100644 index 00000000000..68c86844fd0 --- /dev/null +++ b/queue-4.14/mfd-wm8994-fix-driver-operation-if-loaded-as-modules.patch @@ -0,0 +1,38 @@ +From ca9e65760fead513f049f07e4f80ff714ac97412 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Apr 2020 09:48:29 +0200 +Subject: mfd: wm8994: Fix driver operation if loaded as modules + +From: Marek Szyprowski + +[ Upstream commit d4f9b5428b53dd67f49ee8deed8d4366ed6b1933 ] + +WM8994 chip has built-in regulators, which might be used for chip +operation. They are controlled by a separate wm8994-regulator driver, +which should be loaded before this driver calls regulator_get(), because +that driver also provides consumer-supply mapping for the them. If that +driver is not yet loaded, regulator core substitute them with dummy +regulator, what breaks chip operation, because the built-in regulators are +never enabled. Fix this by annotating this driver with MODULE_SOFTDEP() +"pre" dependency to "wm8994_regulator" module. + +Signed-off-by: Marek Szyprowski +Acked-by: Charles Keepax +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/wm8994-core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/mfd/wm8994-core.c b/drivers/mfd/wm8994-core.c +index 953d0790ffd56..3259fb82d3c46 100644 +--- a/drivers/mfd/wm8994-core.c ++++ b/drivers/mfd/wm8994-core.c +@@ -696,3 +696,4 @@ module_i2c_driver(wm8994_i2c_driver); + MODULE_DESCRIPTION("Core support for the WM8994 audio CODEC"); + MODULE_LICENSE("GPL"); + MODULE_AUTHOR("Mark Brown "); ++MODULE_SOFTDEP("pre: wm8994_regulator"); +-- +2.25.1 + diff --git a/queue-4.14/mksysmap-fix-the-mismatch-of-.l-symbols-in-system.ma.patch b/queue-4.14/mksysmap-fix-the-mismatch-of-.l-symbols-in-system.ma.patch new file mode 100644 index 00000000000..0804b677340 --- /dev/null +++ b/queue-4.14/mksysmap-fix-the-mismatch-of-.l-symbols-in-system.ma.patch @@ -0,0 +1,46 @@ +From 6161076fa7291f472b349af246e204b466855669 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jun 2020 15:45:17 +0800 +Subject: mksysmap: Fix the mismatch of '.L' symbols in System.map + +From: ashimida + +[ Upstream commit 72d24accf02add25e08733f0ecc93cf10fcbd88c ] + +When System.map was generated, the kernel used mksysmap to +filter the kernel symbols, but all the symbols with the +second letter 'L' in the kernel were filtered out, not just +the symbols starting with 'dot + L'. + +For example: +ashimida@ubuntu:~/linux$ cat System.map |grep ' .L' +ashimida@ubuntu:~/linux$ nm -n vmlinux |grep ' .L' +ffff0000088028e0 t bLength_show +...... +ffff0000092e0408 b PLLP_OUTC_lock +ffff0000092e0410 b PLLP_OUTA_lock + +The original intent should be to filter out all local symbols +starting with '.L', so the dot should be escaped. + +Fixes: 00902e984732 ("mksysmap: Add h8300 local symbol pattern") +Signed-off-by: ashimida +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/mksysmap | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/mksysmap b/scripts/mksysmap +index a35acc0d0b827..9aa23d15862a0 100755 +--- a/scripts/mksysmap ++++ b/scripts/mksysmap +@@ -41,4 +41,4 @@ + # so we just ignore them to let readprofile continue to work. + # (At least sparc64 has __crc_ in the middle). + +-$NM -n $1 | grep -v '\( [aNUw] \)\|\(__crc_\)\|\( \$[adt]\)\|\( .L\)' > $2 ++$NM -n $1 | grep -v '\( [aNUw] \)\|\(__crc_\)\|\( \$[adt]\)\|\( \.L\)' > $2 +-- +2.25.1 + diff --git a/queue-4.14/net-sunrpc-fix-off-by-one-issues-in-rpc_ntop6.patch b/queue-4.14/net-sunrpc-fix-off-by-one-issues-in-rpc_ntop6.patch new file mode 100644 index 00000000000..fb8411c7ae9 --- /dev/null +++ b/queue-4.14/net-sunrpc-fix-off-by-one-issues-in-rpc_ntop6.patch @@ -0,0 +1,45 @@ +From b0dc561f16d92d259579ac4dae8f17b402a91be5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Mar 2020 14:56:55 +0300 +Subject: net: sunrpc: Fix off-by-one issues in 'rpc_ntop6' + +From: Fedor Tokarev + +[ Upstream commit 118917d696dc59fd3e1741012c2f9db2294bed6f ] + +Fix off-by-one issues in 'rpc_ntop6': + - 'snprintf' returns the number of characters which would have been + written if enough space had been available, excluding the terminating + null byte. Thus, a return value of 'sizeof(scopebuf)' means that the + last character was dropped. + - 'strcat' adds a terminating null byte to the string, thus if len == + buflen, the null byte is written past the end of the buffer. + +Signed-off-by: Fedor Tokarev +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + net/sunrpc/addr.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/sunrpc/addr.c b/net/sunrpc/addr.c +index 2e0a6f92e563d..8391c27855501 100644 +--- a/net/sunrpc/addr.c ++++ b/net/sunrpc/addr.c +@@ -81,11 +81,11 @@ static size_t rpc_ntop6(const struct sockaddr *sap, + + rc = snprintf(scopebuf, sizeof(scopebuf), "%c%u", + IPV6_SCOPE_DELIMITER, sin6->sin6_scope_id); +- if (unlikely((size_t)rc > sizeof(scopebuf))) ++ if (unlikely((size_t)rc >= sizeof(scopebuf))) + return 0; + + len += rc; +- if (unlikely(len > buflen)) ++ if (unlikely(len >= buflen)) + return 0; + + strcat(buf, scopebuf); +-- +2.25.1 + diff --git a/queue-4.14/nfsd-fix-svc_xprt-refcnt-leak-when-setup-callback-cl.patch b/queue-4.14/nfsd-fix-svc_xprt-refcnt-leak-when-setup-callback-cl.patch new file mode 100644 index 00000000000..bcb7930d5e5 --- /dev/null +++ b/queue-4.14/nfsd-fix-svc_xprt-refcnt-leak-when-setup-callback-cl.patch @@ -0,0 +1,44 @@ +From ef504c04d417ca7d665ac200f72226a3d6b427f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 May 2020 22:15:41 +0800 +Subject: nfsd: Fix svc_xprt refcnt leak when setup callback client failed + +From: Xiyu Yang + +[ Upstream commit a4abc6b12eb1f7a533c2e7484cfa555454ff0977 ] + +nfsd4_process_cb_update() invokes svc_xprt_get(), which increases the +refcount of the "c->cn_xprt". + +The reference counting issue happens in one exception handling path of +nfsd4_process_cb_update(). When setup callback client failed, the +function forgets to decrease the refcnt increased by svc_xprt_get(), +causing a refcnt leak. + +Fix this issue by calling svc_xprt_put() when setup callback client +failed. + +Signed-off-by: Xiyu Yang +Signed-off-by: Xin Tan +Signed-off-by: J. Bruce Fields +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfs4callback.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c +index 80aeb19b176b2..22b784e7ef50b 100644 +--- a/fs/nfsd/nfs4callback.c ++++ b/fs/nfsd/nfs4callback.c +@@ -1161,6 +1161,8 @@ static void nfsd4_process_cb_update(struct nfsd4_callback *cb) + err = setup_callback_client(clp, &conn, ses); + if (err) { + nfsd4_mark_cb_down(clp, err); ++ if (c) ++ svc_xprt_put(c->cn_xprt); + return; + } + } +-- +2.25.1 + diff --git a/queue-4.14/nfsv4.1-fix-rpc_call_done-assignment-for-bind_conn_t.patch b/queue-4.14/nfsv4.1-fix-rpc_call_done-assignment-for-bind_conn_t.patch new file mode 100644 index 00000000000..4a664a07285 --- /dev/null +++ b/queue-4.14/nfsv4.1-fix-rpc_call_done-assignment-for-bind_conn_t.patch @@ -0,0 +1,33 @@ +From 82cce0fe0e5c171679f50444ebeb7a9be67e8ea4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Apr 2020 11:30:00 -0400 +Subject: NFSv4.1 fix rpc_call_done assignment for BIND_CONN_TO_SESSION + +From: Olga Kornievskaia + +[ Upstream commit 1c709b766e73e54d64b1dde1b7cfbcf25bcb15b9 ] + +Fixes: 02a95dee8cf0 ("NFS add callback_ops to nfs4_proc_bind_conn_to_session_callback") +Signed-off-by: Olga Kornievskaia +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4proc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index 4d45786738ab4..a19bbcfab7c5e 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -7309,7 +7309,7 @@ nfs4_bind_one_conn_to_session_done(struct rpc_task *task, void *calldata) + } + + static const struct rpc_call_ops nfs4_bind_one_conn_to_session_ops = { +- .rpc_call_done = &nfs4_bind_one_conn_to_session_done, ++ .rpc_call_done = nfs4_bind_one_conn_to_session_done, + }; + + /* +-- +2.25.1 + diff --git a/queue-4.14/ntb-fix-the-default-port-and-peer-numbers-for-legacy.patch b/queue-4.14/ntb-fix-the-default-port-and-peer-numbers-for-legacy.patch new file mode 100644 index 00000000000..e856bbdc3f8 --- /dev/null +++ b/queue-4.14/ntb-fix-the-default-port-and-peer-numbers-for-legacy.patch @@ -0,0 +1,69 @@ +From 61b260a23269401e98311ed11c3f314ae82b9b4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jan 2019 12:22:28 -0700 +Subject: NTB: Fix the default port and peer numbers for legacy drivers + +From: Logan Gunthorpe + +[ Upstream commit fc8b086d9dbd57458d136c4fa70ee26f832c3a2e ] + +When the commit adding ntb_default_port_number() and +ntb_default_peer_port_number() entered the kernel there was no +users of it so it was impossible to tell what the API needed. + +When a user finally landed a year later (ntb_pingpong) there were +more NTB topologies were created and no consideration was considered +to how other drivers had changed. + +Now that there is a user it can be fixed to provide a sensible default +for the legacy drivers that do not implement ntb_{peer_}port_number(). +Seeing ntb_pingpong doesn't check error codes returning EINVAL was also +not sensible. + +Patches for ntb_pingpong and ntb_perf follow (which are broken +otherwise) to support hardware that doesn't have port numbers. This is +important not only to not break support with existing drivers but for +the cross link topology which, due to its perfect symmetry, cannot +assign unique port numbers to each side. + +Fixes: 1e5301196a88 ("NTB: Add indexed ports NTB API") +Signed-off-by: Logan Gunthorpe +Acked-by: Allen Hubbe +Tested-by: Alexander Fomichev +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/ntb.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/drivers/ntb/ntb.c b/drivers/ntb/ntb.c +index 03b80d89b9800..b75ec229b39a5 100644 +--- a/drivers/ntb/ntb.c ++++ b/drivers/ntb/ntb.c +@@ -216,10 +216,8 @@ int ntb_default_port_number(struct ntb_dev *ntb) + case NTB_TOPO_B2B_DSD: + return NTB_PORT_SEC_DSD; + default: +- break; ++ return 0; + } +- +- return -EINVAL; + } + EXPORT_SYMBOL(ntb_default_port_number); + +@@ -242,10 +240,8 @@ int ntb_default_peer_port_number(struct ntb_dev *ntb, int pidx) + case NTB_TOPO_B2B_DSD: + return NTB_PORT_PRI_USD; + default: +- break; ++ return 0; + } +- +- return -EINVAL; + } + EXPORT_SYMBOL(ntb_default_peer_port_number); + +-- +2.25.1 + diff --git a/queue-4.14/openrisc-fix-issue-with-argument-clobbering-for-clon.patch b/queue-4.14/openrisc-fix-issue-with-argument-clobbering-for-clon.patch new file mode 100644 index 00000000000..139104d6bdb --- /dev/null +++ b/queue-4.14/openrisc-fix-issue-with-argument-clobbering-for-clon.patch @@ -0,0 +1,48 @@ +From 053b0c2cdbd76ae67ab70c7338aeb075654dc9dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Apr 2020 20:24:11 +0900 +Subject: openrisc: Fix issue with argument clobbering for clone/fork + +From: Stafford Horne + +[ Upstream commit 6bd140e14d9aaa734ec37985b8b20a96c0ece948 ] + +Working on the OpenRISC glibc port I found that sometimes clone was +working strange. That the tls data argument sent in r7 was always +wrong. Further investigation revealed that the arguments were getting +clobbered in the entry code. This patch removes the code that writes to +the argument registers. This was likely due to some old code hanging +around. + +This patch fixes this up for clone and fork. This fork clobber is +harmless but also useless so remove. + +Signed-off-by: Stafford Horne +Signed-off-by: Sasha Levin +--- + arch/openrisc/kernel/entry.S | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/openrisc/kernel/entry.S b/arch/openrisc/kernel/entry.S +index 1107d34e45bf1..0fdfa7142f4b3 100644 +--- a/arch/openrisc/kernel/entry.S ++++ b/arch/openrisc/kernel/entry.S +@@ -1102,13 +1102,13 @@ ENTRY(__sys_clone) + l.movhi r29,hi(sys_clone) + l.ori r29,r29,lo(sys_clone) + l.j _fork_save_extra_regs_and_call +- l.addi r7,r1,0 ++ l.nop + + ENTRY(__sys_fork) + l.movhi r29,hi(sys_fork) + l.ori r29,r29,lo(sys_fork) + l.j _fork_save_extra_regs_and_call +- l.addi r3,r1,0 ++ l.nop + + ENTRY(sys_rt_sigreturn) + l.jal _sys_rt_sigreturn +-- +2.25.1 + diff --git a/queue-4.14/ovl-verify-permissions-in-ovl_path_open.patch b/queue-4.14/ovl-verify-permissions-in-ovl_path_open.patch new file mode 100644 index 00000000000..b7787522aeb --- /dev/null +++ b/queue-4.14/ovl-verify-permissions-in-ovl_path_open.patch @@ -0,0 +1,72 @@ +From d3d73d1797c87b53a86cffe77b7e3d65e9d1e6f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jun 2020 22:20:26 +0200 +Subject: ovl: verify permissions in ovl_path_open() + +From: Miklos Szeredi + +[ Upstream commit 56230d956739b9cb1cbde439d76227d77979a04d ] + +Check permission before opening a real file. + +ovl_path_open() is used by readdir and copy-up routines. + +ovl_permission() theoretically already checked copy up permissions, but it +doesn't hurt to re-do these checks during the actual copy-up. + +For directory reading ovl_permission() only checks access to topmost +underlying layer. Readdir on a merged directory accesses layers below the +topmost one as well. Permission wasn't checked for these layers. + +Note: modifying ovl_permission() to perform this check would be far more +complex and hence more bug prone. The result is less precise permissions +returned in access(2). If this turns out to be an issue, we can revisit +this bug. + +Signed-off-by: Miklos Szeredi +Signed-off-by: Sasha Levin +--- + fs/overlayfs/util.c | 27 ++++++++++++++++++++++++++- + 1 file changed, 26 insertions(+), 1 deletion(-) + +diff --git a/fs/overlayfs/util.c b/fs/overlayfs/util.c +index afdc2533ce74d..76d6610767f6f 100644 +--- a/fs/overlayfs/util.c ++++ b/fs/overlayfs/util.c +@@ -307,7 +307,32 @@ bool ovl_is_whiteout(struct dentry *dentry) + + struct file *ovl_path_open(struct path *path, int flags) + { +- return dentry_open(path, flags | O_NOATIME, current_cred()); ++ struct inode *inode = d_inode(path->dentry); ++ int err, acc_mode; ++ ++ if (flags & ~(O_ACCMODE | O_LARGEFILE)) ++ BUG(); ++ ++ switch (flags & O_ACCMODE) { ++ case O_RDONLY: ++ acc_mode = MAY_READ; ++ break; ++ case O_WRONLY: ++ acc_mode = MAY_WRITE; ++ break; ++ default: ++ BUG(); ++ } ++ ++ err = inode_permission(inode, acc_mode | MAY_OPEN); ++ if (err) ++ return ERR_PTR(err); ++ ++ /* O_NOATIME is an optimization, don't fail if not permitted */ ++ if (inode_owner_or_capable(inode)) ++ flags |= O_NOATIME; ++ ++ return dentry_open(path, flags, current_cred()); + } + + int ovl_copy_up_start(struct dentry *dentry) +-- +2.25.1 + diff --git a/queue-4.14/pci-aardvark-don-t-blindly-enable-aspm-l0s-and-don-t.patch b/queue-4.14/pci-aardvark-don-t-blindly-enable-aspm-l0s-and-don-t.patch new file mode 100644 index 00000000000..a07aa3da9f3 --- /dev/null +++ b/queue-4.14/pci-aardvark-don-t-blindly-enable-aspm-l0s-and-don-t.patch @@ -0,0 +1,69 @@ +From e98c123ce18a550b2c507053c73a0bae2aca40c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Apr 2020 10:06:15 +0200 +Subject: PCI: aardvark: Don't blindly enable ASPM L0s and don't write to + read-only register +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit 90c6cb4a355e7befcb557d217d1d8b8bd5875a05 ] + +Trying to change Link Status register does not have any effect as this +is a read-only register. Trying to overwrite bits for Negotiated Link +Width does not make sense. + +In future proper change of link width can be done via Lane Count Select +bits in PCIe Control 0 register. + +Trying to unconditionally enable ASPM L0s via ASPM Control bits in Link +Control register is wrong. There should be at least some detection if +endpoint supports L0s as isn't mandatory. + +Moreover ASPM Control bits in Link Control register are controlled by +pcie/aspm.c code which sets it according to system ASPM settings, +immediately after aardvark driver probes. So setting these bits by +aardvark driver has no long running effect. + +Remove code which touches ASPM L0s bits from this driver and let +kernel's ASPM implementation to set ASPM state properly. + +Some users are reporting issues that this code is problematic for some +Intel wifi cards and removing it fixes them, see e.g.: +https://bugzilla.kernel.org/show_bug.cgi?id=196339 + +If problems with Intel wifi cards occur even after this commit, then +pcie/aspm.c code could be modified / hooked to not enable ASPM L0s state +for affected problematic cards. + +Link: https://lore.kernel.org/r/20200430080625.26070-3-pali@kernel.org +Tested-by: Tomasz Maciej Nowak +Signed-off-by: Pali Rohár +Signed-off-by: Lorenzo Pieralisi +Acked-by: Rob Herring +Acked-by: Thomas Petazzoni +Signed-off-by: Sasha Levin +--- + drivers/pci/host/pci-aardvark.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/pci/host/pci-aardvark.c b/drivers/pci/host/pci-aardvark.c +index 5f3048e75becb..c1db09fbbe041 100644 +--- a/drivers/pci/host/pci-aardvark.c ++++ b/drivers/pci/host/pci-aardvark.c +@@ -365,10 +365,6 @@ static void advk_pcie_setup_hw(struct advk_pcie *pcie) + + advk_pcie_wait_for_link(pcie); + +- reg = PCIE_CORE_LINK_L0S_ENTRY | +- (1 << PCIE_CORE_LINK_WIDTH_SHIFT); +- advk_writel(pcie, reg, PCIE_CORE_LINK_CTRL_STAT_REG); +- + reg = advk_readl(pcie, PCIE_CORE_CMD_STATUS_REG); + reg |= PCIE_CORE_CMD_MEM_ACCESS_EN | + PCIE_CORE_CMD_IO_ACCESS_EN | +-- +2.25.1 + diff --git a/queue-4.14/pci-aspm-allow-aspm-on-links-to-pcie-to-pci-pci-x-br.patch b/queue-4.14/pci-aspm-allow-aspm-on-links-to-pcie-to-pci-pci-x-br.patch new file mode 100644 index 00000000000..e0848429aad --- /dev/null +++ b/queue-4.14/pci-aspm-allow-aspm-on-links-to-pcie-to-pci-pci-x-br.patch @@ -0,0 +1,55 @@ +From f7ac0f6cea387ce98db38f223190cf6b5319235d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 May 2020 01:34:21 +0800 +Subject: PCI/ASPM: Allow ASPM on links to PCIe-to-PCI/PCI-X Bridges + +From: Kai-Heng Feng + +[ Upstream commit 66ff14e59e8a30690755b08bc3042359703fb07a ] + +7d715a6c1ae5 ("PCI: add PCI Express ASPM support") added the ability for +Linux to enable ASPM, but for some undocumented reason, it didn't enable +ASPM on links where the downstream component is a PCIe-to-PCI/PCI-X Bridge. + +Remove this exclusion so we can enable ASPM on these links. + +The Dell OptiPlex 7080 mentioned in the bugzilla has a TI XIO2001 +PCIe-to-PCI Bridge. Enabling ASPM on the link leading to it allows the +Intel SoC to enter deeper Package C-states, which is a significant power +savings. + +[bhelgaas: commit log] +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=207571 +Link: https://lore.kernel.org/r/20200505173423.26968-1-kai.heng.feng@canonical.com +Signed-off-by: Kai-Heng Feng +Signed-off-by: Bjorn Helgaas +Reviewed-by: Mika Westerberg +Signed-off-by: Sasha Levin +--- + drivers/pci/pcie/aspm.c | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c +index 400031622b761..04d5c62588b77 100644 +--- a/drivers/pci/pcie/aspm.c ++++ b/drivers/pci/pcie/aspm.c +@@ -584,16 +584,6 @@ static void pcie_aspm_cap_init(struct pcie_link_state *link, int blacklist) + + /* Setup initial capable state. Will be updated later */ + link->aspm_capable = link->aspm_support; +- /* +- * If the downstream component has pci bridge function, don't +- * do ASPM for now. +- */ +- list_for_each_entry(child, &linkbus->devices, bus_list) { +- if (pci_pcie_type(child) == PCI_EXP_TYPE_PCI_BRIDGE) { +- link->aspm_disable = ASPM_STATE_ALL; +- break; +- } +- } + + /* Get and check endpoint acceptable latencies */ + list_for_each_entry(child, &linkbus->devices, bus_list) { +-- +2.25.1 + diff --git a/queue-4.14/pci-fix-pci_register_host_bridge-device_register-err.patch b/queue-4.14/pci-fix-pci_register_host_bridge-device_register-err.patch new file mode 100644 index 00000000000..366634b0f05 --- /dev/null +++ b/queue-4.14/pci-fix-pci_register_host_bridge-device_register-err.patch @@ -0,0 +1,43 @@ +From e9fd99595b3f6f6b9c4820794cd27228b09eac68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 May 2020 17:38:58 -0500 +Subject: PCI: Fix pci_register_host_bridge() device_register() error handling + +From: Rob Herring + +[ Upstream commit 1b54ae8327a4d630111c8d88ba7906483ec6010b ] + +If device_register() has an error, we should bail out of +pci_register_host_bridge() rather than continuing on. + +Fixes: 37d6a0a6f470 ("PCI: Add pci_register_host_bridge() interface") +Link: https://lore.kernel.org/r/20200513223859.11295-1-robh@kernel.org +Signed-off-by: Rob Herring +Signed-off-by: Bjorn Helgaas +Reviewed-by: Lorenzo Pieralisi +Reviewed-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + drivers/pci/probe.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c +index 31cc04aeaaaab..55ece07e584a0 100644 +--- a/drivers/pci/probe.c ++++ b/drivers/pci/probe.c +@@ -792,9 +792,10 @@ static int pci_register_host_bridge(struct pci_host_bridge *bridge) + goto free; + + err = device_register(&bridge->dev); +- if (err) ++ if (err) { + put_device(&bridge->dev); +- ++ goto free; ++ } + bus->bridge = get_device(&bridge->dev); + device_enable_async_suspend(bus->bridge); + pci_set_bus_of_node(bus); +-- +2.25.1 + diff --git a/queue-4.14/pci-ptm-inherit-switch-downstream-port-ptm-settings-.patch b/queue-4.14/pci-ptm-inherit-switch-downstream-port-ptm-settings-.patch new file mode 100644 index 00000000000..13ffbe294b4 --- /dev/null +++ b/queue-4.14/pci-ptm-inherit-switch-downstream-port-ptm-settings-.patch @@ -0,0 +1,78 @@ +From ed54263988f13a0842bfb641def4e7151f1029ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 May 2020 15:40:07 -0500 +Subject: PCI/PTM: Inherit Switch Downstream Port PTM settings from Upstream + Port + +From: Bjorn Helgaas + +[ Upstream commit 7b38fd9760f51cc83d80eed2cfbde8b5ead9e93a ] + +Except for Endpoints, we enable PTM at enumeration-time. Previously we did +not account for the fact that Switch Downstream Ports are not permitted to +have a PTM capability; their PTM behavior is controlled by the Upstream +Port (PCIe r5.0, sec 7.9.16). Since Downstream Ports don't have a PTM +capability, we did not mark them as "ptm_enabled", which meant that +pci_enable_ptm() on an Endpoint failed because there was no PTM path to it. + +Mark Downstream Ports as "ptm_enabled" if their Upstream Port has PTM +enabled. + +Fixes: eec097d43100 ("PCI: Add pci_enable_ptm() for drivers to enable PTM on endpoints") +Reported-by: Aditya Paluri +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/pcie/ptm.c | 22 +++++++++++++++++----- + 1 file changed, 17 insertions(+), 5 deletions(-) + +diff --git a/drivers/pci/pcie/ptm.c b/drivers/pci/pcie/ptm.c +index 3008bba360f35..ec6f6213960b4 100644 +--- a/drivers/pci/pcie/ptm.c ++++ b/drivers/pci/pcie/ptm.c +@@ -47,10 +47,6 @@ void pci_ptm_init(struct pci_dev *dev) + if (!pci_is_pcie(dev)) + return; + +- pos = pci_find_ext_capability(dev, PCI_EXT_CAP_ID_PTM); +- if (!pos) +- return; +- + /* + * Enable PTM only on interior devices (root ports, switch ports, + * etc.) on the assumption that it causes no link traffic until an +@@ -60,6 +56,23 @@ void pci_ptm_init(struct pci_dev *dev) + pci_pcie_type(dev) == PCI_EXP_TYPE_RC_END)) + return; + ++ /* ++ * Switch Downstream Ports are not permitted to have a PTM ++ * capability; their PTM behavior is controlled by the Upstream ++ * Port (PCIe r5.0, sec 7.9.16). ++ */ ++ ups = pci_upstream_bridge(dev); ++ if (pci_pcie_type(dev) == PCI_EXP_TYPE_DOWNSTREAM && ++ ups && ups->ptm_enabled) { ++ dev->ptm_granularity = ups->ptm_granularity; ++ dev->ptm_enabled = 1; ++ return; ++ } ++ ++ pos = pci_find_ext_capability(dev, PCI_EXT_CAP_ID_PTM); ++ if (!pos) ++ return; ++ + pci_read_config_dword(dev, pos + PCI_PTM_CAP, &cap); + local_clock = (cap & PCI_PTM_GRANULARITY_MASK) >> 8; + +@@ -69,7 +82,6 @@ void pci_ptm_init(struct pci_dev *dev) + * the spec recommendation (PCIe r3.1, sec 7.32.3), select the + * furthest upstream Time Source as the PTM Root. + */ +- ups = pci_upstream_bridge(dev); + if (ups && ups->ptm_enabled) { + ctrl = PCI_PTM_CTRL_ENABLE; + if (ups->ptm_granularity == 0) +-- +2.25.1 + diff --git a/queue-4.14/pci-rcar-fix-incorrect-programming-of-ob-windows.patch b/queue-4.14/pci-rcar-fix-incorrect-programming-of-ob-windows.patch new file mode 100644 index 00000000000..7f7096b3755 --- /dev/null +++ b/queue-4.14/pci-rcar-fix-incorrect-programming-of-ob-windows.patch @@ -0,0 +1,74 @@ +From ba21b94e31f72a043cd088f430943e3cbf338eb8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Oct 2019 14:29:41 +0100 +Subject: PCI: rcar: Fix incorrect programming of OB windows + +From: Andrew Murray + +[ Upstream commit 2b9f217433e31d125fb697ca7974d3de3ecc3e92 ] + +The outbound windows (PCIEPAUR(x), PCIEPALR(x)) describe a mapping between +a CPU address (which is determined by the window number 'x') and a +programmed PCI address - Thus allowing the controller to translate CPU +accesses into PCI accesses. + +However the existing code incorrectly writes the CPU address - lets fix +this by writing the PCI address instead. + +For memory transactions, existing DT users describe a 1:1 identity mapping +and thus this change should have no effect. However the same isn't true for +I/O. + +Link: https://lore.kernel.org/r/20191004132941.6660-1-andrew.murray@arm.com +Fixes: c25da4778803 ("PCI: rcar: Add Renesas R-Car PCIe driver") +Tested-by: Marek Vasut +Signed-off-by: Andrew Murray +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Marek Vasut +Signed-off-by: Sasha Levin +--- + drivers/pci/host/pcie-rcar.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/pci/host/pcie-rcar.c b/drivers/pci/host/pcie-rcar.c +index 2b0a1f3b8265f..0077afca24932 100644 +--- a/drivers/pci/host/pcie-rcar.c ++++ b/drivers/pci/host/pcie-rcar.c +@@ -328,11 +328,12 @@ static struct pci_ops rcar_pcie_ops = { + }; + + static void rcar_pcie_setup_window(int win, struct rcar_pcie *pcie, +- struct resource *res) ++ struct resource_entry *window) + { + /* Setup PCIe address space mappings for each resource */ + resource_size_t size; + resource_size_t res_start; ++ struct resource *res = window->res; + u32 mask; + + rcar_pci_write_reg(pcie, 0x00000000, PCIEPTCTLR(win)); +@@ -346,9 +347,9 @@ static void rcar_pcie_setup_window(int win, struct rcar_pcie *pcie, + rcar_pci_write_reg(pcie, mask << 7, PCIEPAMR(win)); + + if (res->flags & IORESOURCE_IO) +- res_start = pci_pio_to_address(res->start); ++ res_start = pci_pio_to_address(res->start) - window->offset; + else +- res_start = res->start; ++ res_start = res->start - window->offset; + + rcar_pci_write_reg(pcie, upper_32_bits(res_start), PCIEPAUR(win)); + rcar_pci_write_reg(pcie, lower_32_bits(res_start) & ~0x7F, +@@ -377,7 +378,7 @@ static int rcar_pcie_setup(struct list_head *resource, struct rcar_pcie *pci) + switch (resource_type(res)) { + case IORESOURCE_IO: + case IORESOURCE_MEM: +- rcar_pcie_setup_window(i, pci, res); ++ rcar_pcie_setup_window(i, pci, win); + i++; + break; + case IORESOURCE_BUS: +-- +2.25.1 + diff --git a/queue-4.14/perf-report-fix-null-pointer-dereference-in-hists__f.patch b/queue-4.14/perf-report-fix-null-pointer-dereference-in-hists__f.patch new file mode 100644 index 00000000000..45c71e0511d --- /dev/null +++ b/queue-4.14/perf-report-fix-null-pointer-dereference-in-hists__f.patch @@ -0,0 +1,46 @@ +From 07a3ca7ae125c21768a85b8fe5ef631b1e30f923 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Jun 2020 13:18:17 -0300 +Subject: perf report: Fix NULL pointer dereference in + hists__fprintf_nr_sample_events() + +From: Gaurav Singh + +[ Upstream commit 11b6e5482e178055ec1f2444b55f2518713809d1 ] + +The 'evname' variable can be NULL, as it is checked a few lines back, +check it before using. + +Fixes: 9e207ddfa207 ("perf report: Show call graph from reference events") +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/ +Signed-off-by: Gaurav Singh +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-report.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/tools/perf/builtin-report.c b/tools/perf/builtin-report.c +index 429c3e140dc32..35a10b5985447 100644 +--- a/tools/perf/builtin-report.c ++++ b/tools/perf/builtin-report.c +@@ -401,8 +401,7 @@ static size_t hists__fprintf_nr_sample_events(struct hists *hists, struct report + if (evname != NULL) + ret += fprintf(fp, " of event '%s'", evname); + +- if (symbol_conf.show_ref_callgraph && +- strstr(evname, "call-graph=no")) { ++ if (symbol_conf.show_ref_callgraph && evname && strstr(evname, "call-graph=no")) { + ret += fprintf(fp, ", show reference callgraph"); + } + +-- +2.25.1 + diff --git a/queue-4.14/pinctrl-freescale-imx-fix-an-error-handling-path-in-.patch b/queue-4.14/pinctrl-freescale-imx-fix-an-error-handling-path-in-.patch new file mode 100644 index 00000000000..a5b2b50ffda --- /dev/null +++ b/queue-4.14/pinctrl-freescale-imx-fix-an-error-handling-path-in-.patch @@ -0,0 +1,74 @@ +From e9e9fdf81cfb26018a8b9a599d2ca7d4526f98ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 May 2020 22:49:55 +0200 +Subject: pinctrl: freescale: imx: Fix an error handling path in + 'imx_pinctrl_probe()' + +From: Christophe JAILLET + +[ Upstream commit 11d8da5cabf7c6c3263ba2cd9c00260395867048 ] + +'pinctrl_unregister()' should not be called to undo +'devm_pinctrl_register_and_init()', it is already handled by the framework. + +This simplifies the error handling paths of the probe function. +The 'imx_free_resources()' can be removed as well. + +Fixes: a51c158bf0f7 ("pinctrl: imx: use radix trees for groups and functions") +Signed-off-by: Christophe JAILLET +Reviewed-by: Dong Aisheng +Link: https://lore.kernel.org/r/20200530204955.588962-1-christophe.jaillet@wanadoo.fr +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/freescale/pinctrl-imx.c | 19 ++----------------- + 1 file changed, 2 insertions(+), 17 deletions(-) + +diff --git a/drivers/pinctrl/freescale/pinctrl-imx.c b/drivers/pinctrl/freescale/pinctrl-imx.c +index 17f2c5a505b25..ec0119e1e7810 100644 +--- a/drivers/pinctrl/freescale/pinctrl-imx.c ++++ b/drivers/pinctrl/freescale/pinctrl-imx.c +@@ -661,16 +661,6 @@ static int imx_pinctrl_probe_dt(struct platform_device *pdev, + return 0; + } + +-/* +- * imx_free_resources() - free memory used by this driver +- * @info: info driver instance +- */ +-static void imx_free_resources(struct imx_pinctrl *ipctl) +-{ +- if (ipctl->pctl) +- pinctrl_unregister(ipctl->pctl); +-} +- + int imx_pinctrl_probe(struct platform_device *pdev, + struct imx_pinctrl_soc_info *info) + { +@@ -761,21 +751,16 @@ int imx_pinctrl_probe(struct platform_device *pdev, + &ipctl->pctl); + if (ret) { + dev_err(&pdev->dev, "could not register IMX pinctrl driver\n"); +- goto free; ++ return ret; + } + + ret = imx_pinctrl_probe_dt(pdev, ipctl); + if (ret) { + dev_err(&pdev->dev, "fail to probe dt properties\n"); +- goto free; ++ return ret; + } + + dev_info(&pdev->dev, "initialized IMX pinctrl driver\n"); + + return pinctrl_enable(ipctl->pctl); +- +-free: +- imx_free_resources(ipctl); +- +- return ret; + } +-- +2.25.1 + diff --git a/queue-4.14/pinctrl-imxl-fix-an-error-handling-path-in-imx1_pinc.patch b/queue-4.14/pinctrl-imxl-fix-an-error-handling-path-in-imx1_pinc.patch new file mode 100644 index 00000000000..d903a1b0997 --- /dev/null +++ b/queue-4.14/pinctrl-imxl-fix-an-error-handling-path-in-imx1_pinc.patch @@ -0,0 +1,39 @@ +From 0d2c9a60f8006de595f0cfc83bc7c02f75758328 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 May 2020 22:19:52 +0200 +Subject: pinctrl: imxl: Fix an error handling path in + 'imx1_pinctrl_core_probe()' + +From: Christophe JAILLET + +[ Upstream commit 9eb728321286c4b31e964d2377fca2368526d408 ] + +When 'pinctrl_register()' has been turned into 'devm_pinctrl_register()', +an error handling path has not been updated. + +Axe a now unneeded 'pinctrl_unregister()'. + +Fixes: e55e025d1687 ("pinctrl: imxl: Use devm_pinctrl_register() for pinctrl registration") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/20200530201952.585798-1-christophe.jaillet@wanadoo.fr +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/freescale/pinctrl-imx1-core.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/pinctrl/freescale/pinctrl-imx1-core.c b/drivers/pinctrl/freescale/pinctrl-imx1-core.c +index e2cca91fd2669..68108c4c3969a 100644 +--- a/drivers/pinctrl/freescale/pinctrl-imx1-core.c ++++ b/drivers/pinctrl/freescale/pinctrl-imx1-core.c +@@ -642,7 +642,6 @@ int imx1_pinctrl_core_probe(struct platform_device *pdev, + + ret = of_platform_populate(pdev->dev.of_node, NULL, NULL, &pdev->dev); + if (ret) { +- pinctrl_unregister(ipctl->pctl); + dev_err(&pdev->dev, "Failed to populate subdevices\n"); + return ret; + } +-- +2.25.1 + diff --git a/queue-4.14/power-supply-bq24257_charger-replace-depends-on-regm.patch b/queue-4.14/power-supply-bq24257_charger-replace-depends-on-regm.patch new file mode 100644 index 00000000000..c169338c497 --- /dev/null +++ b/queue-4.14/power-supply-bq24257_charger-replace-depends-on-regm.patch @@ -0,0 +1,39 @@ +From a8ec1d50a79e77b8bd9858f6b414710aff10a5ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Apr 2020 16:10:51 +0200 +Subject: power: supply: bq24257_charger: Replace depends on REGMAP_I2C with + select + +From: Enric Balletbo i Serra + +[ Upstream commit 87c3d579c8ed0eaea6b1567d529a8daa85a2bc6c ] + +regmap is a library function that gets selected by drivers that need +it. No driver modules should depend on it. Depending on REGMAP_I2C makes +this driver only build if another driver already selected REGMAP_I2C, +as the symbol can't be selected through the menu kernel configuration. + +Fixes: 2219a935963e ("power_supply: Add TI BQ24257 charger driver") +Signed-off-by: Enric Balletbo i Serra +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/power/supply/Kconfig b/drivers/power/supply/Kconfig +index 5ab90c1f3f7c4..24163cf8612c5 100644 +--- a/drivers/power/supply/Kconfig ++++ b/drivers/power/supply/Kconfig +@@ -530,7 +530,7 @@ config CHARGER_BQ24257 + tristate "TI BQ24250/24251/24257 battery charger driver" + depends on I2C + depends on GPIOLIB || COMPILE_TEST +- depends on REGMAP_I2C ++ select REGMAP_I2C + help + Say Y to enable support for the TI BQ24250, BQ24251, and BQ24257 battery + chargers. +-- +2.25.1 + diff --git a/queue-4.14/power-supply-lp8788-fix-an-error-handling-path-in-lp.patch b/queue-4.14/power-supply-lp8788-fix-an-error-handling-path-in-lp.patch new file mode 100644 index 00000000000..ff202399b2d --- /dev/null +++ b/queue-4.14/power-supply-lp8788-fix-an-error-handling-path-in-lp.patch @@ -0,0 +1,71 @@ +From 73c67ee937841bc0e102efefa6b2324116506ada Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 May 2020 10:23:23 +0200 +Subject: power: supply: lp8788: Fix an error handling path in + 'lp8788_charger_probe()' + +From: Christophe JAILLET + +[ Upstream commit 934ed3847a4ebc75b655659c4d2349ba4337941c ] + +In the probe function, in case of error, resources allocated in +'lp8788_setup_adc_channel()' must be released. + +This can be achieved easily by using the devm_ variant of +'iio_channel_get()'. +This has the extra benefit to simplify the remove function and to axe the +'lp8788_release_adc_channel()' function which is now useless. + +Fixes: 98a276649358 ("power_supply: Add new lp8788 charger driver") +Signed-off-by: Christophe JAILLET +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/lp8788-charger.c | 18 ++---------------- + 1 file changed, 2 insertions(+), 16 deletions(-) + +diff --git a/drivers/power/supply/lp8788-charger.c b/drivers/power/supply/lp8788-charger.c +index 0f3432795f3c2..b8f7dac7ac3fe 100644 +--- a/drivers/power/supply/lp8788-charger.c ++++ b/drivers/power/supply/lp8788-charger.c +@@ -600,27 +600,14 @@ static void lp8788_setup_adc_channel(struct device *dev, + return; + + /* ADC channel for battery voltage */ +- chan = iio_channel_get(dev, pdata->adc_vbatt); ++ chan = devm_iio_channel_get(dev, pdata->adc_vbatt); + pchg->chan[LP8788_VBATT] = IS_ERR(chan) ? NULL : chan; + + /* ADC channel for battery temperature */ +- chan = iio_channel_get(dev, pdata->adc_batt_temp); ++ chan = devm_iio_channel_get(dev, pdata->adc_batt_temp); + pchg->chan[LP8788_BATT_TEMP] = IS_ERR(chan) ? NULL : chan; + } + +-static void lp8788_release_adc_channel(struct lp8788_charger *pchg) +-{ +- int i; +- +- for (i = 0; i < LP8788_NUM_CHG_ADC; i++) { +- if (!pchg->chan[i]) +- continue; +- +- iio_channel_release(pchg->chan[i]); +- pchg->chan[i] = NULL; +- } +-} +- + static ssize_t lp8788_show_charger_status(struct device *dev, + struct device_attribute *attr, char *buf) + { +@@ -747,7 +734,6 @@ static int lp8788_charger_remove(struct platform_device *pdev) + lp8788_irq_unregister(pdev, pchg); + sysfs_remove_group(&pdev->dev.kobj, &lp8788_attr_group); + lp8788_psy_unregister(pchg); +- lp8788_release_adc_channel(pchg); + + return 0; + } +-- +2.25.1 + diff --git a/queue-4.14/power-supply-smb347-charger-irqstat_d-is-volatile.patch b/queue-4.14/power-supply-smb347-charger-irqstat_d-is-volatile.patch new file mode 100644 index 00000000000..08ff753ca78 --- /dev/null +++ b/queue-4.14/power-supply-smb347-charger-irqstat_d-is-volatile.patch @@ -0,0 +1,38 @@ +From b2d30f05c38223239edd31bf3829f8467da28e38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Mar 2020 18:15:44 +0200 +Subject: power: supply: smb347-charger: IRQSTAT_D is volatile + +From: Dmitry Osipenko + +[ Upstream commit c32ea07a30630ace950e07ffe7a18bdcc25898e1 ] + +Fix failure when USB cable is connected: +smb347 2-006a: reading IRQSTAT_D failed + +Fixes: 1502cfe19bac ("smb347-charger: Fix battery status reporting logic for charger faults") + +Tested-by: David Heidelberg +Signed-off-by: Dmitry Osipenko +Signed-off-by: David Heidelberg +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/smb347-charger.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/power/supply/smb347-charger.c b/drivers/power/supply/smb347-charger.c +index 072c5189bd6d1..0655dbdc7000d 100644 +--- a/drivers/power/supply/smb347-charger.c ++++ b/drivers/power/supply/smb347-charger.c +@@ -1141,6 +1141,7 @@ static bool smb347_volatile_reg(struct device *dev, unsigned int reg) + switch (reg) { + case IRQSTAT_A: + case IRQSTAT_C: ++ case IRQSTAT_D: + case IRQSTAT_E: + case IRQSTAT_F: + case STAT_A: +-- +2.25.1 + diff --git a/queue-4.14/powerpc-4xx-don-t-unmap-null-mbase.patch b/queue-4.14/powerpc-4xx-don-t-unmap-null-mbase.patch new file mode 100644 index 00000000000..53b610989bd --- /dev/null +++ b/queue-4.14/powerpc-4xx-don-t-unmap-null-mbase.patch @@ -0,0 +1,43 @@ +From ca189d8409f6cd7f7aca85bb68447341263120a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 May 2020 17:26:48 +1000 +Subject: powerpc/4xx: Don't unmap NULL mbase + +From: huhai + +[ Upstream commit bcec081ecc940fc38730b29c743bbee661164161 ] + +Signed-off-by: huhai +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200521072648.1254699-1-mpe@ellerman.id.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/4xx/pci.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/arch/powerpc/platforms/4xx/pci.c b/arch/powerpc/platforms/4xx/pci.c +index 73e6b36bcd512..256943af58aae 100644 +--- a/arch/powerpc/platforms/4xx/pci.c ++++ b/arch/powerpc/platforms/4xx/pci.c +@@ -1242,7 +1242,7 @@ static void __init ppc460sx_pciex_check_link(struct ppc4xx_pciex_port *port) + if (mbase == NULL) { + printk(KERN_ERR "%pOF: Can't map internal config space !", + port->node); +- goto done; ++ return; + } + + while (attempt && (0 == (in_le32(mbase + PECFG_460SX_DLLSTA) +@@ -1252,9 +1252,7 @@ static void __init ppc460sx_pciex_check_link(struct ppc4xx_pciex_port *port) + } + if (attempt) + port->link = 1; +-done: + iounmap(mbase); +- + } + + static struct ppc4xx_pciex_hwops ppc460sx_pcie_hwops __initdata = { +-- +2.25.1 + diff --git a/queue-4.14/powerpc-64s-pgtable-fix-an-undefined-behaviour.patch b/queue-4.14/powerpc-64s-pgtable-fix-an-undefined-behaviour.patch new file mode 100644 index 00000000000..c2843b5ee8e --- /dev/null +++ b/queue-4.14/powerpc-64s-pgtable-fix-an-undefined-behaviour.patch @@ -0,0 +1,79 @@ +From 62ad0bd6857bef28bf6130b33783604489036e3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2020 23:48:52 -0500 +Subject: powerpc/64s/pgtable: fix an undefined behaviour + +From: Qian Cai + +[ Upstream commit c2e929b18cea6cbf71364f22d742d9aad7f4677a ] + +Booting a power9 server with hash MMU could trigger an undefined +behaviour because pud_offset(p4d, 0) will do, + +0 >> (PAGE_SHIFT:16 + PTE_INDEX_SIZE:8 + H_PMD_INDEX_SIZE:10) + +Fix it by converting pud_index() and friends to static inline +functions. + +UBSAN: shift-out-of-bounds in arch/powerpc/mm/ptdump/ptdump.c:282:15 +shift exponent 34 is too large for 32-bit type 'int' +CPU: 6 PID: 1 Comm: swapper/0 Not tainted 5.6.0-rc4-next-20200303+ #13 +Call Trace: +dump_stack+0xf4/0x164 (unreliable) +ubsan_epilogue+0x18/0x78 +__ubsan_handle_shift_out_of_bounds+0x160/0x21c +walk_pagetables+0x2cc/0x700 +walk_pud at arch/powerpc/mm/ptdump/ptdump.c:282 +(inlined by) walk_pagetables at arch/powerpc/mm/ptdump/ptdump.c:311 +ptdump_check_wx+0x8c/0xf0 +mark_rodata_ro+0x48/0x80 +kernel_init+0x74/0x194 +ret_from_kernel_thread+0x5c/0x74 + +Suggested-by: Christophe Leroy +Signed-off-by: Qian Cai +Signed-off-by: Michael Ellerman +Reviewed-by: Christophe Leroy +Link: https://lore.kernel.org/r/20200306044852.3236-1-cai@lca.pw +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/book3s/64/pgtable.h | 23 ++++++++++++++++---- + 1 file changed, 19 insertions(+), 4 deletions(-) + +diff --git a/arch/powerpc/include/asm/book3s/64/pgtable.h b/arch/powerpc/include/asm/book3s/64/pgtable.h +index bcb79a96a6c83..618ee2c0ed53d 100644 +--- a/arch/powerpc/include/asm/book3s/64/pgtable.h ++++ b/arch/powerpc/include/asm/book3s/64/pgtable.h +@@ -898,10 +898,25 @@ extern struct page *pgd_page(pgd_t pgd); + #define pud_page_vaddr(pud) __va(pud_val(pud) & ~PUD_MASKED_BITS) + #define pgd_page_vaddr(pgd) __va(pgd_val(pgd) & ~PGD_MASKED_BITS) + +-#define pgd_index(address) (((address) >> (PGDIR_SHIFT)) & (PTRS_PER_PGD - 1)) +-#define pud_index(address) (((address) >> (PUD_SHIFT)) & (PTRS_PER_PUD - 1)) +-#define pmd_index(address) (((address) >> (PMD_SHIFT)) & (PTRS_PER_PMD - 1)) +-#define pte_index(address) (((address) >> (PAGE_SHIFT)) & (PTRS_PER_PTE - 1)) ++static inline unsigned long pgd_index(unsigned long address) ++{ ++ return (address >> PGDIR_SHIFT) & (PTRS_PER_PGD - 1); ++} ++ ++static inline unsigned long pud_index(unsigned long address) ++{ ++ return (address >> PUD_SHIFT) & (PTRS_PER_PUD - 1); ++} ++ ++static inline unsigned long pmd_index(unsigned long address) ++{ ++ return (address >> PMD_SHIFT) & (PTRS_PER_PMD - 1); ++} ++ ++static inline unsigned long pte_index(unsigned long address) ++{ ++ return (address >> PAGE_SHIFT) & (PTRS_PER_PTE - 1); ++} + + /* + * Find an entry in a page-table-directory. We combine the address region +-- +2.25.1 + diff --git a/queue-4.14/powerpc-crashkernel-take-mem-option-into-account.patch b/queue-4.14/powerpc-crashkernel-take-mem-option-into-account.patch new file mode 100644 index 00000000000..84a4545886b --- /dev/null +++ b/queue-4.14/powerpc-crashkernel-take-mem-option-into-account.patch @@ -0,0 +1,81 @@ +From 6acb2b12169447a2e6c1a7c2129a7fba977e2bd4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Apr 2020 22:00:44 +0800 +Subject: powerpc/crashkernel: Take "mem=" option into account + +From: Pingfan Liu + +[ Upstream commit be5470e0c285a68dc3afdea965032f5ddc8269d7 ] + +'mem=" option is an easy way to put high pressure on memory during +some test. Hence after applying the memory limit, instead of total +mem, the actual usable memory should be considered when reserving mem +for crashkernel. Otherwise the boot up may experience OOM issue. + +E.g. it would reserve 4G prior to the change and 512M afterward, if +passing +crashkernel="2G-4G:384M,4G-16G:512M,16G-64G:1G,64G-128G:2G,128G-:4G", +and mem=5G on a 256G machine. + +This issue is powerpc specific because it puts higher priority on +fadump and kdump reservation than on "mem=". Referring the following +code: + if (fadump_reserve_mem() == 0) + reserve_crashkernel(); + ... + /* Ensure that total memory size is page-aligned. */ + limit = ALIGN(memory_limit ?: memblock_phys_mem_size(), PAGE_SIZE); + memblock_enforce_memory_limit(limit); + +While on other arches, the effect of "mem=" takes a higher priority +and pass through memblock_phys_mem_size() before calling +reserve_crashkernel(). + +Signed-off-by: Pingfan Liu +Reviewed-by: Hari Bathini +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1585749644-4148-1-git-send-email-kernelfans@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/machine_kexec.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/kernel/machine_kexec.c b/arch/powerpc/kernel/machine_kexec.c +index 9dafd7af39b8f..cb4d6cd949fc4 100644 +--- a/arch/powerpc/kernel/machine_kexec.c ++++ b/arch/powerpc/kernel/machine_kexec.c +@@ -113,11 +113,12 @@ void machine_kexec(struct kimage *image) + + void __init reserve_crashkernel(void) + { +- unsigned long long crash_size, crash_base; ++ unsigned long long crash_size, crash_base, total_mem_sz; + int ret; + ++ total_mem_sz = memory_limit ? memory_limit : memblock_phys_mem_size(); + /* use common parsing */ +- ret = parse_crashkernel(boot_command_line, memblock_phys_mem_size(), ++ ret = parse_crashkernel(boot_command_line, total_mem_sz, + &crash_size, &crash_base); + if (ret == 0 && crash_size > 0) { + crashk_res.start = crash_base; +@@ -176,6 +177,7 @@ void __init reserve_crashkernel(void) + /* Crash kernel trumps memory limit */ + if (memory_limit && memory_limit <= crashk_res.end) { + memory_limit = crashk_res.end + 1; ++ total_mem_sz = memory_limit; + printk("Adjusted memory limit for crashkernel, now 0x%llx\n", + memory_limit); + } +@@ -184,7 +186,7 @@ void __init reserve_crashkernel(void) + "for crashkernel (System RAM: %ldMB)\n", + (unsigned long)(crash_size >> 20), + (unsigned long)(crashk_res.start >> 20), +- (unsigned long)(memblock_phys_mem_size() >> 20)); ++ (unsigned long)(total_mem_sz >> 20)); + + if (!memblock_is_region_memory(crashk_res.start, crash_size) || + memblock_reserve(crashk_res.start, crash_size)) { +-- +2.25.1 + diff --git a/queue-4.14/powerpc-perf-hv-24x7-fix-inconsistent-output-values-.patch b/queue-4.14/powerpc-perf-hv-24x7-fix-inconsistent-output-values-.patch new file mode 100644 index 00000000000..fa232983db4 --- /dev/null +++ b/queue-4.14/powerpc-perf-hv-24x7-fix-inconsistent-output-values-.patch @@ -0,0 +1,96 @@ +From 99f9bb0d408352f8cf71bf3cd23dcf3694a13897 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 May 2020 16:13:03 +0530 +Subject: powerpc/perf/hv-24x7: Fix inconsistent output values incase multiple + hv-24x7 events run + +From: Kajol Jain + +[ Upstream commit b4ac18eead28611ff470d0f47a35c4e0ac080d9c ] + +Commit 2b206ee6b0df ("powerpc/perf/hv-24x7: Display change in counter +values")' added to print _change_ in the counter value rather then raw +value for 24x7 counters. Incase of transactions, the event count +is set to 0 at the beginning of the transaction. It also sets +the event's prev_count to the raw value at the time of initialization. +Because of setting event count to 0, we are seeing some weird behaviour, +whenever we run multiple 24x7 events at a time. + +For example: + +command#: ./perf stat -e "{hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=0/, + hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=1/}" + -C 0 -I 1000 sleep 100 + + 1.000121704 120 hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=0/ + 1.000121704 5 hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=1/ + 2.000357733 8 hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=0/ + 2.000357733 10 hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=1/ + 3.000495215 18,446,744,073,709,551,616 hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=0/ + 3.000495215 18,446,744,073,709,551,616 hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=1/ + 4.000641884 56 hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=0/ + 4.000641884 18,446,744,073,709,551,616 hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=1/ + 5.000791887 18,446,744,073,709,551,616 hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=0/ + +Getting these large values in case we do -I. + +As we are setting event_count to 0, for interval case, overall event_count is not +coming in incremental order. As we may can get new delta lesser then previous count. +Because of which when we print intervals, we are getting negative value which create +these large values. + +This patch removes part where we set event_count to 0 in function +'h_24x7_event_read'. There won't be much impact as we do set event->hw.prev_count +to the raw value at the time of initialization to print change value. + +With this patch +In power9 platform + +command#: ./perf stat -e "{hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=0/, + hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=1/}" + -C 0 -I 1000 sleep 100 + + 1.000117685 93 hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=0/ + 1.000117685 1 hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=1/ + 2.000349331 98 hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=0/ + 2.000349331 2 hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=1/ + 3.000495900 131 hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=0/ + 3.000495900 4 hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=1/ + 4.000645920 204 hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=0/ + 4.000645920 61 hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=1/ + 4.284169997 22 hv_24x7/PM_MCS01_128B_RD_DISP_PORT01,chip=0/ + +Suggested-by: Sukadev Bhattiprolu +Signed-off-by: Kajol Jain +Tested-by: Madhavan Srinivasan +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200525104308.9814-2-kjain@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/perf/hv-24x7.c | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/arch/powerpc/perf/hv-24x7.c b/arch/powerpc/perf/hv-24x7.c +index 72238eedc360f..2bb798918483d 100644 +--- a/arch/powerpc/perf/hv-24x7.c ++++ b/arch/powerpc/perf/hv-24x7.c +@@ -1413,16 +1413,6 @@ static void h_24x7_event_read(struct perf_event *event) + h24x7hw = &get_cpu_var(hv_24x7_hw); + h24x7hw->events[i] = event; + put_cpu_var(h24x7hw); +- /* +- * Clear the event count so we can compute the _change_ +- * in the 24x7 raw counter value at the end of the txn. +- * +- * Note that we could alternatively read the 24x7 value +- * now and save its value in event->hw.prev_count. But +- * that would require issuing a hcall, which would then +- * defeat the purpose of using the txn interface. +- */ +- local64_set(&event->count, 0); + } + + put_cpu_var(hv_24x7_reqb); +-- +2.25.1 + diff --git a/queue-4.14/powerpc-ps3-fix-kexec-shutdown-hang.patch b/queue-4.14/powerpc-ps3-fix-kexec-shutdown-hang.patch new file mode 100644 index 00000000000..4765977ed62 --- /dev/null +++ b/queue-4.14/powerpc-ps3-fix-kexec-shutdown-hang.patch @@ -0,0 +1,83 @@ +From 3da237a75e7da8c6e603defbdd6dc8ee3f5985ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 May 2020 18:58:32 +0000 +Subject: powerpc/ps3: Fix kexec shutdown hang + +From: Geoff Levand + +[ Upstream commit 126554465d93b10662742128918a5fc338cda4aa ] + +The ps3_mm_region_destroy() and ps3_mm_vas_destroy() routines +are called very late in the shutdown via kexec's mmu_cleanup_all +routine. By the time mmu_cleanup_all runs it is too late to use +udbg_printf, and calling it will cause PS3 systems to hang. + +Remove all debugging statements from ps3_mm_region_destroy() and +ps3_mm_vas_destroy() and replace any error reporting with calls +to lv1_panic. + +With this change builds with 'DEBUG' defined will not cause kexec +reboots to hang, and builds with 'DEBUG' defined or not will end +in lv1_panic if an error is encountered. + +Signed-off-by: Geoff Levand +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/7325c4af2b4c989c19d6a26b90b1fec9c0615ddf.1589049250.git.geoff@infradead.org +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/ps3/mm.c | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +diff --git a/arch/powerpc/platforms/ps3/mm.c b/arch/powerpc/platforms/ps3/mm.c +index b0f34663b1aec..19bae78b1f25b 100644 +--- a/arch/powerpc/platforms/ps3/mm.c ++++ b/arch/powerpc/platforms/ps3/mm.c +@@ -212,13 +212,14 @@ void ps3_mm_vas_destroy(void) + { + int result; + +- DBG("%s:%d: map.vas_id = %llu\n", __func__, __LINE__, map.vas_id); +- + if (map.vas_id) { + result = lv1_select_virtual_address_space(0); +- BUG_ON(result); +- result = lv1_destruct_virtual_address_space(map.vas_id); +- BUG_ON(result); ++ result += lv1_destruct_virtual_address_space(map.vas_id); ++ ++ if (result) { ++ lv1_panic(0); ++ } ++ + map.vas_id = 0; + } + } +@@ -316,19 +317,20 @@ static void ps3_mm_region_destroy(struct mem_region *r) + int result; + + if (!r->destroy) { +- pr_info("%s:%d: Not destroying high region: %llxh %llxh\n", +- __func__, __LINE__, r->base, r->size); + return; + } + +- DBG("%s:%d: r->base = %llxh\n", __func__, __LINE__, r->base); +- + if (r->base) { + result = lv1_release_memory(r->base); +- BUG_ON(result); ++ ++ if (result) { ++ lv1_panic(0); ++ } ++ + r->size = r->base = r->offset = 0; + map.total = map.rm.size; + } ++ + ps3_mm_set_repository_highmem(NULL); + } + +-- +2.25.1 + diff --git a/queue-4.14/powerpc-pseries-ras-fix-fwnmi_valid-off-by-one.patch b/queue-4.14/powerpc-pseries-ras-fix-fwnmi_valid-off-by-one.patch new file mode 100644 index 00000000000..4ed3fa655b1 --- /dev/null +++ b/queue-4.14/powerpc-pseries-ras-fix-fwnmi_valid-off-by-one.patch @@ -0,0 +1,46 @@ +From de6dc256ec4687d13bf747021e66d85e72aa32c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 May 2020 14:33:58 +1000 +Subject: powerpc/pseries/ras: Fix FWNMI_VALID off by one + +From: Nicholas Piggin + +[ Upstream commit deb70f7a35a22dffa55b2c3aac71bc6fb0f486ce ] + +This was discovered developing qemu fwnmi sreset support. This +off-by-one bug means the last 16 bytes of the rtas area can not +be used for a 16 byte save area. + +It's not a serious bug, and QEMU implementation has to retain a +workaround for old kernels, but it's good to tighten it. + +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Acked-by: Mahesh Salgaonkar +Link: https://lore.kernel.org/r/20200508043408.886394-7-npiggin@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/ras.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/ras.c b/arch/powerpc/platforms/pseries/ras.c +index 99d1152ae2241..5ec935521204a 100644 +--- a/arch/powerpc/platforms/pseries/ras.c ++++ b/arch/powerpc/platforms/pseries/ras.c +@@ -325,10 +325,11 @@ static irqreturn_t ras_error_interrupt(int irq, void *dev_id) + /* + * Some versions of FWNMI place the buffer inside the 4kB page starting at + * 0x7000. Other versions place it inside the rtas buffer. We check both. ++ * Minimum size of the buffer is 16 bytes. + */ + #define VALID_FWNMI_BUFFER(A) \ +- ((((A) >= 0x7000) && ((A) < 0x7ff0)) || \ +- (((A) >= rtas.base) && ((A) < (rtas.base + rtas.size - 16)))) ++ ((((A) >= 0x7000) && ((A) <= 0x8000 - 16)) || \ ++ (((A) >= rtas.base) && ((A) <= (rtas.base + rtas.size - 16)))) + + /* + * Get the error information for errors coming through the +-- +2.25.1 + diff --git a/queue-4.14/ps3disk-use-the-default-segment-boundary.patch b/queue-4.14/ps3disk-use-the-default-segment-boundary.patch new file mode 100644 index 00000000000..e99256164a1 --- /dev/null +++ b/queue-4.14/ps3disk-use-the-default-segment-boundary.patch @@ -0,0 +1,89 @@ +From f35359775dadc1d008c09bc419f8993907fdf0a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 May 2020 18:58:32 +0000 +Subject: ps3disk: use the default segment boundary + +From: Emmanuel Nicolet + +[ Upstream commit 720bc316690bd27dea9d71510b50f0cd698ffc32 ] + +Since commit dcebd755926b ("block: use bio_for_each_bvec() to compute +multi-page bvec count"), the kernel will bug_on on the PS3 because +bio_split() is called with sectors == 0: + + kernel BUG at block/bio.c:1853! + Oops: Exception in kernel mode, sig: 5 [#1] + BE PAGE_SIZE=4K MMU=Hash PREEMPT SMP NR_CPUS=8 NUMA PS3 + Modules linked in: firewire_sbp2 rtc_ps3(+) soundcore ps3_gelic(+) \ + ps3rom(+) firewire_core ps3vram(+) usb_common crc_itu_t + CPU: 0 PID: 97 Comm: blkid Not tainted 5.3.0-rc4 #1 + NIP: c00000000027d0d0 LR: c00000000027d0b0 CTR: 0000000000000000 + REGS: c00000000135ae90 TRAP: 0700 Not tainted (5.3.0-rc4) + MSR: 8000000000028032 CR: 44008240 XER: 20000000 + IRQMASK: 0 + GPR00: c000000000289368 c00000000135b120 c00000000084a500 c000000004ff8300 + GPR04: 0000000000000c00 c000000004c905e0 c000000004c905e0 000000000000ffff + GPR08: 0000000000000000 0000000000000001 0000000000000000 000000000000ffff + GPR12: 0000000000000000 c0000000008ef000 000000000000003e 0000000000080001 + GPR16: 0000000000000100 000000000000ffff 0000000000000000 0000000000000004 + GPR20: c00000000062fd7e 0000000000000001 000000000000ffff 0000000000000080 + GPR24: c000000000781788 c00000000135b350 0000000000000080 c000000004c905e0 + GPR28: c00000000135b348 c000000004ff8300 0000000000000000 c000000004c90000 + NIP [c00000000027d0d0] .bio_split+0x28/0xac + LR [c00000000027d0b0] .bio_split+0x8/0xac + Call Trace: + [c00000000135b120] [c00000000027d130] .bio_split+0x88/0xac (unreliable) + [c00000000135b1b0] [c000000000289368] .__blk_queue_split+0x11c/0x53c + [c00000000135b2d0] [c00000000028f614] .blk_mq_make_request+0x80/0x7d4 + [c00000000135b3d0] [c000000000283a8c] .generic_make_request+0x118/0x294 + [c00000000135b4b0] [c000000000283d34] .submit_bio+0x12c/0x174 + [c00000000135b580] [c000000000205a44] .mpage_bio_submit+0x3c/0x4c + [c00000000135b600] [c000000000206184] .mpage_readpages+0xa4/0x184 + [c00000000135b750] [c0000000001ff8fc] .blkdev_readpages+0x24/0x38 + [c00000000135b7c0] [c0000000001589f0] .read_pages+0x6c/0x1a8 + [c00000000135b8b0] [c000000000158c74] .__do_page_cache_readahead+0x118/0x184 + [c00000000135b9b0] [c0000000001591a8] .force_page_cache_readahead+0xe4/0xe8 + [c00000000135ba50] [c00000000014fc24] .generic_file_read_iter+0x1d8/0x830 + [c00000000135bb50] [c0000000001ffadc] .blkdev_read_iter+0x40/0x5c + [c00000000135bbc0] [c0000000001b9e00] .new_sync_read+0x144/0x1a0 + [c00000000135bcd0] [c0000000001bc454] .vfs_read+0xa0/0x124 + [c00000000135bd70] [c0000000001bc7a4] .ksys_read+0x70/0xd8 + [c00000000135be20] [c00000000000a524] system_call+0x5c/0x70 + Instruction dump: + 7fe3fb78 482e30dc 7c0802a6 482e3085 7c9e2378 f821ff71 7ca42b78 7d3e00d0 + 7c7d1b78 79290fe0 7cc53378 69290001 <0b090000> 81230028 7bca0020 7929ba62 + [ end trace 313fec760f30aa1f ]--- + +The problem originates from setting the segment boundary of the +request queue to -1UL. This makes get_max_segment_size() return zero +when offset is zero, whatever the max segment size. The test with +BLK_SEG_BOUNDARY_MASK fails and 'mask - (mask & offset) + 1' overflows +to zero in the return statement. + +Not setting the segment boundary and using the default +value (BLK_SEG_BOUNDARY_MASK) fixes the problem. + +Signed-off-by: Emmanuel Nicolet +Signed-off-by: Geoff Levand +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/060a416c43138f45105c0540eff1a45539f7e2fc.1589049250.git.geoff@infradead.org +Signed-off-by: Sasha Levin +--- + drivers/block/ps3disk.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/block/ps3disk.c b/drivers/block/ps3disk.c +index 075662f2cf466..d20f66d578040 100644 +--- a/drivers/block/ps3disk.c ++++ b/drivers/block/ps3disk.c +@@ -468,7 +468,6 @@ static int ps3disk_probe(struct ps3_system_bus_device *_dev) + blk_queue_bounce_limit(queue, BLK_BOUNCE_HIGH); + + blk_queue_max_hw_sectors(queue, dev->bounce_size >> 9); +- blk_queue_segment_boundary(queue, -1UL); + blk_queue_dma_alignment(queue, dev->blk_size-1); + blk_queue_logical_block_size(queue, dev->blk_size); + +-- +2.25.1 + diff --git a/queue-4.14/remoteproc-fix-idr-initialisation-in-rproc_alloc.patch b/queue-4.14/remoteproc-fix-idr-initialisation-in-rproc_alloc.patch new file mode 100644 index 00000000000..cfcae8fa757 --- /dev/null +++ b/queue-4.14/remoteproc-fix-idr-initialisation-in-rproc_alloc.patch @@ -0,0 +1,60 @@ +From 3b90432e0d8f0fc5a1883813df8267f8ba141d8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Apr 2020 14:48:52 -0600 +Subject: remoteproc: Fix IDR initialisation in rproc_alloc() + +From: Alex Elder + +[ Upstream commit 6442df49400b466431979e7634849a464a5f1861 ] + +If ida_simple_get() returns an error when called in rproc_alloc(), +put_device() is called to clean things up. By this time the rproc +device type has been assigned, with rproc_type_release() as the +release function. + +The first thing rproc_type_release() does is call: + idr_destroy(&rproc->notifyids); + +But at the time the ida_simple_get() call is made, the notifyids +field in the remoteproc structure has not been initialized. + +I'm not actually sure this case causes an observable problem, but +it's incorrect. Fix this by initializing the notifyids field before +calling ida_simple_get() in rproc_alloc(). + +Fixes: b5ab5e24e960 ("remoteproc: maintain a generic child device for each rproc") +Signed-off-by: Alex Elder +Reviewed-by: Mathieu Poirier +Reviewed-by: Suman Anna +Reviewed-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20200415204858.2448-2-mathieu.poirier@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/remoteproc/remoteproc_core.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/remoteproc/remoteproc_core.c b/drivers/remoteproc/remoteproc_core.c +index 8f4fa1a52f057..d6372470e5bea 100644 +--- a/drivers/remoteproc/remoteproc_core.c ++++ b/drivers/remoteproc/remoteproc_core.c +@@ -1432,6 +1432,7 @@ struct rproc *rproc_alloc(struct device *dev, const char *name, + rproc->dev.type = &rproc_type; + rproc->dev.class = &rproc_class; + rproc->dev.driver_data = rproc; ++ idr_init(&rproc->notifyids); + + /* Assign a unique device index and name */ + rproc->index = ida_simple_get(&rproc_dev_index, 0, 0, GFP_KERNEL); +@@ -1450,8 +1451,6 @@ struct rproc *rproc_alloc(struct device *dev, const char *name, + + mutex_init(&rproc->lock); + +- idr_init(&rproc->notifyids); +- + INIT_LIST_HEAD(&rproc->carveouts); + INIT_LIST_HEAD(&rproc->mappings); + INIT_LIST_HEAD(&rproc->traces); +-- +2.25.1 + diff --git a/queue-4.14/s390-qdio-put-thinint-indicator-after-early-error.patch b/queue-4.14/s390-qdio-put-thinint-indicator-after-early-error.patch new file mode 100644 index 00000000000..dfd52831c5e --- /dev/null +++ b/queue-4.14/s390-qdio-put-thinint-indicator-after-early-error.patch @@ -0,0 +1,85 @@ +From 2691108ead240193d4bfeb03a5387ee0edf8eb15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Apr 2020 09:59:39 +0200 +Subject: s390/qdio: put thinint indicator after early error + +From: Julian Wiedmann + +[ Upstream commit 75e82bec6b2622c6f455b7a543fb5476a5d0eed7 ] + +qdio_establish() calls qdio_setup_thinint() via qdio_setup_irq(). +If the subsequent qdio_establish_thinint() fails, we miss to put the +DSCI again. Thus the DSCI isn't available for re-use. Given enough of +such errors, we could end up with having only the shared DSCI available. + +Merge qdio_setup_thinint() into qdio_establish_thinint(), and deal with +such an error internally. + +Fixes: 779e6e1c724d ("[S390] qdio: new qdio driver.") +Signed-off-by: Julian Wiedmann +Reviewed-by: Benjamin Block +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + drivers/s390/cio/qdio.h | 1 - + drivers/s390/cio/qdio_setup.c | 1 - + drivers/s390/cio/qdio_thinint.c | 14 ++++++++------ + 3 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/s390/cio/qdio.h b/drivers/s390/cio/qdio.h +index 29d6b5222f1cd..0f8d13288611e 100644 +--- a/drivers/s390/cio/qdio.h ++++ b/drivers/s390/cio/qdio.h +@@ -377,7 +377,6 @@ static inline int multicast_outbound(struct qdio_q *q) + extern u64 last_ai_time; + + /* prototypes for thin interrupt */ +-void qdio_setup_thinint(struct qdio_irq *irq_ptr); + int qdio_establish_thinint(struct qdio_irq *irq_ptr); + void qdio_shutdown_thinint(struct qdio_irq *irq_ptr); + void tiqdio_add_input_queues(struct qdio_irq *irq_ptr); +diff --git a/drivers/s390/cio/qdio_setup.c b/drivers/s390/cio/qdio_setup.c +index d0090c5c88e74..a64615a10352b 100644 +--- a/drivers/s390/cio/qdio_setup.c ++++ b/drivers/s390/cio/qdio_setup.c +@@ -479,7 +479,6 @@ int qdio_setup_irq(struct qdio_initialize *init_data) + setup_queues(irq_ptr, init_data); + + setup_qib(irq_ptr, init_data); +- qdio_setup_thinint(irq_ptr); + set_impl_params(irq_ptr, init_data->qib_param_field_format, + init_data->qib_param_field, + init_data->input_slib_elements, +diff --git a/drivers/s390/cio/qdio_thinint.c b/drivers/s390/cio/qdio_thinint.c +index 831a3a0a2837b..4dc1108069d4a 100644 +--- a/drivers/s390/cio/qdio_thinint.c ++++ b/drivers/s390/cio/qdio_thinint.c +@@ -270,17 +270,19 @@ int __init tiqdio_register_thinints(void) + + int qdio_establish_thinint(struct qdio_irq *irq_ptr) + { ++ int rc; ++ + if (!is_thinint_irq(irq_ptr)) + return 0; +- return set_subchannel_ind(irq_ptr, 0); +-} + +-void qdio_setup_thinint(struct qdio_irq *irq_ptr) +-{ +- if (!is_thinint_irq(irq_ptr)) +- return; + irq_ptr->dsci = get_indicator(); + DBF_HEX(&irq_ptr->dsci, sizeof(void *)); ++ ++ rc = set_subchannel_ind(irq_ptr, 0); ++ if (rc) ++ put_indicator(irq_ptr->dsci); ++ ++ return rc; + } + + void qdio_shutdown_thinint(struct qdio_irq *irq_ptr) +-- +2.25.1 + diff --git a/queue-4.14/scsi-acornscsi-fix-an-error-handling-path-in-acornsc.patch b/queue-4.14/scsi-acornscsi-fix-an-error-handling-path-in-acornsc.patch new file mode 100644 index 00000000000..1ba165989f0 --- /dev/null +++ b/queue-4.14/scsi-acornscsi-fix-an-error-handling-path-in-acornsc.patch @@ -0,0 +1,40 @@ +From 19d7996819e37b1ac560e2f353ff4c3183e3a7c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 May 2020 10:16:22 +0200 +Subject: scsi: acornscsi: Fix an error handling path in acornscsi_probe() + +From: Christophe JAILLET + +[ Upstream commit 42c76c9848e13dbe0538d7ae0147a269dfa859cb ] + +'ret' is known to be 0 at this point. Explicitly return -ENOMEM if one of +the 'ecardm_iomap()' calls fail. + +Link: https://lore.kernel.org/r/20200530081622.577888-1-christophe.jaillet@wanadoo.fr +Fixes: e95a1b656a98 ("[ARM] rpc: acornscsi: update to new style ecard driver") +Signed-off-by: Christophe JAILLET +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/arm/acornscsi.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/arm/acornscsi.c b/drivers/scsi/arm/acornscsi.c +index 421fe869a11ef..ef9d907f2df5c 100644 +--- a/drivers/scsi/arm/acornscsi.c ++++ b/drivers/scsi/arm/acornscsi.c +@@ -2914,8 +2914,10 @@ static int acornscsi_probe(struct expansion_card *ec, const struct ecard_id *id) + + ashost->base = ecardm_iomap(ec, ECARD_RES_MEMC, 0, 0); + ashost->fast = ecardm_iomap(ec, ECARD_RES_IOCFAST, 0, 0); +- if (!ashost->base || !ashost->fast) ++ if (!ashost->base || !ashost->fast) { ++ ret = -ENOMEM; + goto out_put; ++ } + + host->irq = ec->irq; + ashost->host = host; +-- +2.25.1 + diff --git a/queue-4.14/scsi-ibmvscsi-don-t-send-host-info-in-adapter-info-m.patch b/queue-4.14/scsi-ibmvscsi-don-t-send-host-info-in-adapter-info-m.patch new file mode 100644 index 00000000000..57c757e5da2 --- /dev/null +++ b/queue-4.14/scsi-ibmvscsi-don-t-send-host-info-in-adapter-info-m.patch @@ -0,0 +1,46 @@ +From c3347a1ea4b92c2c9f4dc2075fb2e530a27acee2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jun 2020 15:36:32 -0500 +Subject: scsi: ibmvscsi: Don't send host info in adapter info MAD after LPM + +From: Tyrel Datwyler + +[ Upstream commit 4919b33b63c8b69d8dcf2b867431d0e3b6dc6d28 ] + +The adapter info MAD is used to send the client info and receive the host +info as a response. A persistent buffer is used and as such the client info +is overwritten after the response. During the course of a normal adapter +reset the client info is refreshed in the buffer in preparation for sending +the adapter info MAD. + +However, in the special case of LPM where we reenable the CRQ instead of a +full CRQ teardown and reset we fail to refresh the client info in the +adapter info buffer. As a result, after Live Partition Migration (LPM) we +erroneously report the host's info as our own. + +[mkp: typos] + +Link: https://lore.kernel.org/r/20200603203632.18426-1-tyreld@linux.ibm.com +Signed-off-by: Tyrel Datwyler +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ibmvscsi/ibmvscsi.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/scsi/ibmvscsi/ibmvscsi.c b/drivers/scsi/ibmvscsi/ibmvscsi.c +index 83645a1c6f82e..aff868afe68d0 100644 +--- a/drivers/scsi/ibmvscsi/ibmvscsi.c ++++ b/drivers/scsi/ibmvscsi/ibmvscsi.c +@@ -429,6 +429,8 @@ static int ibmvscsi_reenable_crq_queue(struct crq_queue *queue, + int rc = 0; + struct vio_dev *vdev = to_vio_dev(hostdata->dev); + ++ set_adapter_info(hostdata); ++ + /* Re-enable the CRQ */ + do { + if (rc) +-- +2.25.1 + diff --git a/queue-4.14/scsi-iscsi-fix-reference-count-leak-in-iscsi_boot_cr.patch b/queue-4.14/scsi-iscsi-fix-reference-count-leak-in-iscsi_boot_cr.patch new file mode 100644 index 00000000000..b298f039e0e --- /dev/null +++ b/queue-4.14/scsi-iscsi-fix-reference-count-leak-in-iscsi_boot_cr.patch @@ -0,0 +1,38 @@ +From b95a6149a615e4cd7d17ee14d28082dde69483cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 May 2020 15:13:53 -0500 +Subject: scsi: iscsi: Fix reference count leak in iscsi_boot_create_kobj + +From: Qiushi Wu + +[ Upstream commit 0267ffce562c8bbf9b57ebe0e38445ad04972890 ] + +kobject_init_and_add() takes reference even when it fails. If this +function returns an error, kobject_put() must be called to properly +clean up the memory associated with the object. + +Link: https://lore.kernel.org/r/20200528201353.14849-1-wu000273@umn.edu +Reviewed-by: Lee Duncan +Signed-off-by: Qiushi Wu +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/iscsi_boot_sysfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/iscsi_boot_sysfs.c b/drivers/scsi/iscsi_boot_sysfs.c +index d453667612f88..15d64f96e623c 100644 +--- a/drivers/scsi/iscsi_boot_sysfs.c ++++ b/drivers/scsi/iscsi_boot_sysfs.c +@@ -360,7 +360,7 @@ iscsi_boot_create_kobj(struct iscsi_boot_kset *boot_kset, + boot_kobj->kobj.kset = boot_kset->kset; + if (kobject_init_and_add(&boot_kobj->kobj, &iscsi_boot_ktype, + NULL, name, index)) { +- kfree(boot_kobj); ++ kobject_put(&boot_kobj->kobj); + return NULL; + } + boot_kobj->data = data; +-- +2.25.1 + diff --git a/queue-4.14/scsi-lpfc-fix-lpfc_nodelist-leak-when-processing-uns.patch b/queue-4.14/scsi-lpfc-fix-lpfc_nodelist-leak-when-processing-uns.patch new file mode 100644 index 00000000000..b039aaa7e8f --- /dev/null +++ b/queue-4.14/scsi-lpfc-fix-lpfc_nodelist-leak-when-processing-uns.patch @@ -0,0 +1,51 @@ +From db6746247432399c50eb8c2c1417af7c764f9c75 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 May 2020 22:16:24 +0800 +Subject: scsi: lpfc: Fix lpfc_nodelist leak when processing unsolicited event + +From: Xiyu Yang + +[ Upstream commit 7217e6e694da3aae6d17db8a7f7460c8d4817ebf ] + +In order to create or activate a new node, lpfc_els_unsol_buffer() invokes +lpfc_nlp_init() or lpfc_enable_node() or lpfc_nlp_get(), all of them will +return a reference of the specified lpfc_nodelist object to "ndlp" with +increased refcnt. + +When lpfc_els_unsol_buffer() returns, local variable "ndlp" becomes +invalid, so the refcount should be decreased to keep refcount balanced. + +The reference counting issue happens in one exception handling path of +lpfc_els_unsol_buffer(). When "ndlp" in DEV_LOSS, the function forgets to +decrease the refcnt increased by lpfc_nlp_init() or lpfc_enable_node() or +lpfc_nlp_get(), causing a refcnt leak. + +Fix this issue by calling lpfc_nlp_put() when "ndlp" in DEV_LOSS. + +Link: https://lore.kernel.org/r/1590416184-52592-1-git-send-email-xiyuyang19@fudan.edu.cn +Reviewed-by: Daniel Wagner +Reviewed-by: James Smart +Signed-off-by: Xiyu Yang +Signed-off-by: Xin Tan +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_els.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c +index 4c84c2ae1112d..db1111f7e85ae 100644 +--- a/drivers/scsi/lpfc/lpfc_els.c ++++ b/drivers/scsi/lpfc/lpfc_els.c +@@ -7913,6 +7913,8 @@ lpfc_els_unsol_buffer(struct lpfc_hba *phba, struct lpfc_sli_ring *pring, + spin_lock_irq(shost->host_lock); + if (ndlp->nlp_flag & NLP_IN_DEV_LOSS) { + spin_unlock_irq(shost->host_lock); ++ if (newnode) ++ lpfc_nlp_put(ndlp); + goto dropit; + } + spin_unlock_irq(shost->host_lock); +-- +2.25.1 + diff --git a/queue-4.14/scsi-mpt3sas-fix-double-free-warnings.patch b/queue-4.14/scsi-mpt3sas-fix-double-free-warnings.patch new file mode 100644 index 00000000000..8275feab4d4 --- /dev/null +++ b/queue-4.14/scsi-mpt3sas-fix-double-free-warnings.patch @@ -0,0 +1,43 @@ +From f8c70f6b181ac27914878ffa3f71b8c5539b9574 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 May 2020 07:07:38 -0400 +Subject: scsi: mpt3sas: Fix double free warnings + +From: Suganath Prabu S + +[ Upstream commit cbbfdb2a2416c9f0cde913cf09670097ac281282 ] + +Fix following warning from Smatch static analyser: + +drivers/scsi/mpt3sas/mpt3sas_base.c:5256 _base_allocate_memory_pools() +warn: 'ioc->hpr_lookup' double freed + +drivers/scsi/mpt3sas/mpt3sas_base.c:5256 _base_allocate_memory_pools() +warn: 'ioc->internal_lookup' double freed + +Link: https://lore.kernel.org/r/20200508110738.30732-1-suganath-prabu.subramani@broadcom.com +Reported-by: Dan Carpenter +Signed-off-by: Suganath Prabu S +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/mpt3sas/mpt3sas_base.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/scsi/mpt3sas/mpt3sas_base.c b/drivers/scsi/mpt3sas/mpt3sas_base.c +index 817a7963a038b..556971c5f0b0e 100644 +--- a/drivers/scsi/mpt3sas/mpt3sas_base.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_base.c +@@ -3263,7 +3263,9 @@ _base_release_memory_pools(struct MPT3SAS_ADAPTER *ioc) + ioc->scsi_lookup = NULL; + } + kfree(ioc->hpr_lookup); ++ ioc->hpr_lookup = NULL; + kfree(ioc->internal_lookup); ++ ioc->internal_lookup = NULL; + if (ioc->chain_lookup) { + for (i = 0; i < ioc->chain_depth; i++) { + if (ioc->chain_lookup[i].chain_buffer) +-- +2.25.1 + diff --git a/queue-4.14/scsi-qedi-check-for-buffer-overflow-in-qedi_set_path.patch b/queue-4.14/scsi-qedi-check-for-buffer-overflow-in-qedi_set_path.patch new file mode 100644 index 00000000000..7d0ba179314 --- /dev/null +++ b/queue-4.14/scsi-qedi-check-for-buffer-overflow-in-qedi_set_path.patch @@ -0,0 +1,45 @@ +From 48d1a8d0c26cda3f054278080b93fd0105230d9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Apr 2020 16:19:39 +0300 +Subject: scsi: qedi: Check for buffer overflow in qedi_set_path() + +From: Dan Carpenter + +[ Upstream commit 4a4c0cfb4be74e216dd4446b254594707455bfc6 ] + +Smatch complains that the "path_data->handle" variable is user controlled. +It comes from iscsi_set_path() so that seems possible. It's harmless to +add a limit check. + +The qedi->ep_tbl[] array has qedi->max_active_conns elements (which is +always ISCSI_MAX_SESS_PER_HBA (4096) elements). The array is allocated in +the qedi_cm_alloc_mem() function. + +Link: https://lore.kernel.org/r/20200428131939.GA696531@mwanda +Fixes: ace7f46ba5fd ("scsi: qedi: Add QLogic FastLinQ offload iSCSI driver framework.") +Acked-by: Manish Rangankar +Signed-off-by: Dan Carpenter +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qedi/qedi_iscsi.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/scsi/qedi/qedi_iscsi.c b/drivers/scsi/qedi/qedi_iscsi.c +index 94f3829b1974a..1effac1111d5e 100644 +--- a/drivers/scsi/qedi/qedi_iscsi.c ++++ b/drivers/scsi/qedi/qedi_iscsi.c +@@ -1224,6 +1224,10 @@ static int qedi_set_path(struct Scsi_Host *shost, struct iscsi_path *path_data) + } + + iscsi_cid = (u32)path_data->handle; ++ if (iscsi_cid >= qedi->max_active_conns) { ++ ret = -EINVAL; ++ goto set_path_exit; ++ } + qedi_ep = qedi->ep_tbl[iscsi_cid]; + QEDI_INFO(&qedi->dbg_ctx, QEDI_LOG_INFO, + "iscsi_cid=0x%x, qedi_ep=%p\n", iscsi_cid, qedi_ep); +-- +2.25.1 + diff --git a/queue-4.14/scsi-qedi-do-not-flush-offload-work-if-arp-not-resol.patch b/queue-4.14/scsi-qedi-do-not-flush-offload-work-if-arp-not-resol.patch new file mode 100644 index 00000000000..331ac6773fb --- /dev/null +++ b/queue-4.14/scsi-qedi-do-not-flush-offload-work-if-arp-not-resol.patch @@ -0,0 +1,97 @@ +From c816996e755d899b8b37a346bc2e0dd33246a3bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Apr 2020 23:43:30 -0700 +Subject: scsi: qedi: Do not flush offload work if ARP not resolved + +From: Nilesh Javali + +[ Upstream commit 927527aea0e2a9c1d336c7d33f77f1911481d008 ] + +For an unreachable target, offload_work is not initialized and the endpoint +state is set to OFLDCONN_NONE. This results in a WARN_ON due to the check +of the work function field being set to zero. + +------------[ cut here ]------------ +WARNING: CPU: 24 PID: 18587 at ../kernel/workqueue.c:3037 __flush_work+0x1c1/0x1d0 +: +Hardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 02/01/2020 +RIP: 0010:__flush_work+0x1c1/0x1d0 +Code: ba 6d 00 03 80 c9 f0 eb b6 48 c7 c7 20 ee 6c a4 e8 52 d3 04 00 0f 0b 31 c0 e9 d1 fe ff +ff 48 c7 c7 20 ee 6c a4 e8 3d d3 04 00 <0f> 0b 31 c0 e9 bc fe ff ff e8 11 f3 f + 00 31 f6 +RSP: 0018:ffffac5a8cd47a80 EFLAGS: 00010282 +RAX: 0000000000000024 RBX: ffff98d68c1fcaf0 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: ffff98ce9fd99898 RDI: ffff98ce9fd99898 +RBP: ffff98d68c1fcbc0 R08: 00000000000006fa R09: 0000000000000001 +R10: ffffac5a8cd47b50 R11: 0000000000000001 R12: 0000000000000000 +R13: 000000000000489b R14: ffff98d68c1fc800 R15: ffff98d692132c00 +FS: 00007f65f7f62280(0000) GS:ffff98ce9fd80000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007ffd2435e880 CR3: 0000000809334003 CR4: 00000000007606e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +PKRU: 55555554 +Call Trace: + ? class_create_release+0x40/0x40 + ? klist_put+0x2c/0x80 + qedi_ep_disconnect+0xdd/0x400 [qedi] + iscsi_if_ep_disconnect.isra.20+0x59/0x70 [scsi_transport_iscsi] + iscsi_if_rx+0x129b/0x1670 [scsi_transport_iscsi] + ? __netlink_lookup+0xe7/0x160 + netlink_unicast+0x21d/0x300 + netlink_sendmsg+0x30f/0x430 + sock_sendmsg+0x5b/0x60 + ____sys_sendmsg+0x1e2/0x240 + ? copy_msghdr_from_user+0xd9/0x160 + ___sys_sendmsg+0x88/0xd0 + ? ___sys_recvmsg+0xa2/0xe0 + ? hrtimer_try_to_cancel+0x25/0x100 + ? do_nanosleep+0x9c/0x170 + ? __sys_sendmsg+0x5e/0xa0 + __sys_sendmsg+0x5e/0xa0 + do_syscall_64+0x60/0x1f0 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x7f65f6f16107 +Code: 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 80 00 00 00 00 8b 05 aa d2 2b 00 48 63 d2 48 +63 ff 85 c0 75 18 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 59 f3 c3 0f 1f 8 + 0 00 00 00 00 53 48 89 f3 48 + RSP: 002b:00007ffd24367ca8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e + RAX: ffffffffffffffda RBX: 000055a7aeaaf110 RCX: 00007f65f6f16107 + RDX: 0000000000000000 RSI: 00007ffd24367cc0 RDI: 0000000000000003 + RBP: 0000000000000070 R08: 0000000000000000 R09: 0000000000000000 + R10: 000000000000075c R11: 0000000000000246 R12: 00007ffd24367cc0 + R13: 000055a7ae560008 R14: 00007ffd24367db0 R15: 0000000000000000 + ---[ end trace 54f499c05d41f8bb ]--- + +Only flush if the connection endpoint state if different from +OFLDCONN_NONE. + +[mkp: clarified commit desc] + +Link: https://lore.kernel.org/r/20200408064332.19377-5-mrangankar@marvell.com +Reviewed-by: Lee Duncan +Signed-off-by: Nilesh Javali +Signed-off-by: Manish Rangankar +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qedi/qedi_iscsi.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/qedi/qedi_iscsi.c b/drivers/scsi/qedi/qedi_iscsi.c +index 1effac1111d5e..fb6439bc1d9a9 100644 +--- a/drivers/scsi/qedi/qedi_iscsi.c ++++ b/drivers/scsi/qedi/qedi_iscsi.c +@@ -1007,7 +1007,8 @@ static void qedi_ep_disconnect(struct iscsi_endpoint *ep) + if (qedi_ep->state == EP_STATE_OFLDCONN_START) + goto ep_exit_recover; + +- flush_work(&qedi_ep->offload_work); ++ if (qedi_ep->state != EP_STATE_OFLDCONN_NONE) ++ flush_work(&qedi_ep->offload_work); + + if (qedi_ep->conn) { + qedi_conn = qedi_ep->conn; +-- +2.25.1 + diff --git a/queue-4.14/scsi-qla2xxx-fix-issue-with-adapter-s-stopping-state.patch b/queue-4.14/scsi-qla2xxx-fix-issue-with-adapter-s-stopping-state.patch new file mode 100644 index 00000000000..07e1a75b59e --- /dev/null +++ b/queue-4.14/scsi-qla2xxx-fix-issue-with-adapter-s-stopping-state.patch @@ -0,0 +1,91 @@ +From 0b1dff32fff1dec45632a66eb228842c40f085e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Apr 2020 13:55:52 +0300 +Subject: scsi: qla2xxx: Fix issue with adapter's stopping state + +From: Viacheslav Dubeyko + +[ Upstream commit 803e45550b11c8e43d89812356fe6f105adebdf9 ] + +The goal of the following command sequence is to restart the adapter. +However, the tgt_stop flag remains set, indicating that the adapter is +still in stopping state even after re-enabling it. + +echo 0x7fffffff > /sys/module/qla2xxx/parameters/logging +modprobe target_core_mod +modprobe tcm_qla2xxx +mkdir /sys/kernel/config/target/qla2xxx +mkdir /sys/kernel/config/target/qla2xxx/ +mkdir /sys/kernel/config/target/qla2xxx//tpgt_1 +echo 1 > /sys/kernel/config/target/qla2xxx//tpgt_1/enable +echo 0 > /sys/kernel/config/target/qla2xxx//tpgt_1/enable +echo 1 > /sys/kernel/config/target/qla2xxx//tpgt_1/enable + +kernel: PID 1396:qla_target.c:1555 qlt_stop_phase1(): tgt_stop 0x0, tgt_stopped 0x0 +kernel: qla2xxx [0001:00:02.0]-e803:1: PID 1396:qla_target.c:1567: Stopping target for host 1(c0000000033557e8) +kernel: PID 1396:qla_target.c:1579 qlt_stop_phase1(): tgt_stop 0x1, tgt_stopped 0x0 +kernel: PID 1396:qla_target.c:1266 qlt_schedule_sess_for_deletion(): tgt_stop 0x1, tgt_stopped 0x0 +kernel: qla2xxx [0001:00:02.0]-e801:1: PID 1396:qla_target.c:1316: Scheduling sess c00000002d5cd800 for deletion 21:00:00:24:ff:7f:35:c7 + +kernel: qla2xxx [0001:00:02.0]-290a:1: PID 340:qla_target.c:1187: qlt_unreg_sess sess c00000002d5cd800 for deletion 21:00:00:24:ff:7f:35:c7 + +kernel: qla2xxx [0001:00:02.0]-f801:1: PID 340:qla_target.c:1145: Unregistration of sess c00000002d5cd800 21:00:00:24:ff:7f:35:c7 finished fcp_cnt 0 +kernel: PID 340:qla_target.c:1155 qlt_free_session_done(): tgt_stop 0x1, tgt_stopped 0x0 +kernel: qla2xxx [0001:00:02.0]-4807:1: PID 346:qla_os.c:6329: ISP abort scheduled. + +kernel: qla2xxx [0001:00:02.0]-28f1:1: PID 346:qla_os.c:3956: Mark all dev lost +kernel: PID 346:qla_target.c:1266 qlt_schedule_sess_for_deletion(): tgt_stop 0x1, tgt_stopped 0x0 +kernel: qla2xxx [0001:00:02.0]-4808:1: PID 346:qla_os.c:6338: ISP abort end. + +kernel: PID 1396:qla_target.c:6812 qlt_enable_vha(): tgt_stop 0x1, tgt_stopped 0x0 + +kernel: qla2xxx [0001:00:02.0]-4807:1: PID 346:qla_os.c:6329: ISP abort scheduled. + +kernel: qla2xxx [0001:00:02.0]-4808:1: PID 346:qla_os.c:6338: ISP abort end. + +qlt_handle_cmd_for_atio() rejects the request to send commands because the +adapter is in the stopping state: + +kernel: PID 0:qla_target.c:4442 qlt_handle_cmd_for_atio(): tgt_stop 0x1, tgt_stopped 0x0 +kernel: qla2xxx [0001:00:02.0]-3861:1: PID 0:qla_target.c:4447: New command while device c000000005314600 is shutting down +kernel: qla2xxx [0001:00:02.0]-e85f:1: PID 0:qla_target.c:5728: qla_target: Unable to send command to target + +This patch calls qla_stop_phase2() in addition to qlt_stop_phase1() in +tcm_qla2xxx_tpg_enable_store() and tcm_qla2xxx_npiv_tpg_enable_store(). The +qlt_stop_phase1() marks adapter as stopping (tgt_stop == 0x1, tgt_stopped +== 0x0) but qlt_stop_phase2() marks adapter as stopped (tgt_stop == 0x0, +tgt_stopped == 0x1). + +Link: https://lore.kernel.org/r/52be1e8a3537f6c5407eae3edd4c8e08a9545ea5.camel@yadro.com +Reviewed-by: Roman Bolshakov +Reviewed-by: Himanshu Madhani +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/tcm_qla2xxx.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/scsi/qla2xxx/tcm_qla2xxx.c b/drivers/scsi/qla2xxx/tcm_qla2xxx.c +index e08ac431bc496..e7aee067b0565 100644 +--- a/drivers/scsi/qla2xxx/tcm_qla2xxx.c ++++ b/drivers/scsi/qla2xxx/tcm_qla2xxx.c +@@ -937,6 +937,7 @@ static ssize_t tcm_qla2xxx_tpg_enable_store(struct config_item *item, + + atomic_set(&tpg->lport_tpg_enabled, 0); + qlt_stop_phase1(vha->vha_tgt.qla_tgt); ++ qlt_stop_phase2(vha->vha_tgt.qla_tgt); + } + + return count; +@@ -1101,6 +1102,7 @@ static ssize_t tcm_qla2xxx_npiv_tpg_enable_store(struct config_item *item, + + atomic_set(&tpg->lport_tpg_enabled, 0); + qlt_stop_phase1(vha->vha_tgt.qla_tgt); ++ qlt_stop_phase2(vha->vha_tgt.qla_tgt); + } + + return count; +-- +2.25.1 + diff --git a/queue-4.14/scsi-qla2xxx-fix-warning-after-fc-target-reset.patch b/queue-4.14/scsi-qla2xxx-fix-warning-after-fc-target-reset.patch new file mode 100644 index 00000000000..9be19a9c282 --- /dev/null +++ b/queue-4.14/scsi-qla2xxx-fix-warning-after-fc-target-reset.patch @@ -0,0 +1,108 @@ +From 8279f798531291d60e1bfdb29f6b7e0383f42683 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Apr 2020 11:07:08 +0300 +Subject: scsi: qla2xxx: Fix warning after FC target reset + +From: Viacheslav Dubeyko + +[ Upstream commit f839544ccff60cbe534282aac68858fc3fb278ca ] + +Currently, FC target reset finishes with the warning message: + +[84010.596893] ------------[ cut here ]------------ +[84010.596917] WARNING: CPU: 238 PID: 279973 at ../drivers/scsi/qla2xxx/qla_target.c:6644 qlt_enable_vha+0x1d0/0x260 [qla2xxx] +[84010.596918] Modules linked in: vrf af_packet 8021q garp mrp stp llc netlink_diag target_tatlin_tblock(OEX) dm_ec(OEX) ttln_rdma(OEX) dm_frontend(OEX) nvme_rdma nvmet tcm_qla2xxx iscsi_target_mod target_core_mod at24 nvmem_core pnv_php ipmi_watchdog ipmi_ssif vmx_crypto gf128mul crct10dif_vpmsum qla2xxx rpcrdma nvme_fc powernv_flash(X) nvme_fabrics uio_pdrv_genirq mtd rtc_opal(X) ibmpowernv(X) opal_prd(X) uio scsi_transport_fc i2c_opal(X) ses enclosure ipmi_poweroff ast i2c_algo_bit ttm bmc_mcu(OEX) drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm drm_panel_orientation_quirks agpgart nfsd auth_rpcgss nfs_acl ipmi_powernv(X) lockd ipmi_devintf ipmi_msghandler grace dummy ext4 crc16 jbd2 mbcache sd_mod rdma_ucm ib_iser rdma_cm ib_umad iw_cm ib_ipoib libiscsi scsi_transport_iscsi ib_cm +[84010.596975] configfs mlx5_ib ib_uverbs ib_core mlx5_core crc32c_vpmsum xhci_pci xhci_hcd mpt3sas(OEX) tg3 usbcore mlxfw tls raid_class libphy scsi_transport_sas devlink ptp pps_core nvme nvme_core sunrpc dm_mirror dm_region_hash dm_log sg dm_multipath dm_mod scsi_dh_rdac scsi_dh_emc scsi_dh_alua scsi_mod autofs4 +[84010.597001] Supported: Yes, External +[84010.597004] CPU: 238 PID: 279973 Comm: bash Tainted: G OE 4.12.14-197.29-default #1 SLE15-SP1 +[84010.597006] task: c000000a104c0000 task.stack: c000000b52188000 +[84010.597007] NIP: d00000001ffd7f78 LR: d00000001ffd7f6c CTR: c0000000001676c0 +[84010.597008] REGS: c000000b5218b910 TRAP: 0700 Tainted: G OE (4.12.14-197.29-default) +[84010.597008] MSR: 900000010282b033 +[84010.597015] CR: 48242424 XER: 00000000 +[84010.597016] CFAR: d00000001ff45d08 SOFTE: 1 + GPR00: d00000001ffd7f6c c000000b5218bb90 d00000002001b228 0000000000000102 + GPR04: 0000000000000001 0000000000000001 00013d91ed0a5e2d 0000000000000000 + GPR08: c000000007793300 0000000000000000 0000000000000000 c000000a086e7818 + GPR12: 0000000000002200 c000000007793300 0000000000000000 000000012bc937c0 + GPR16: 000000012bbf7ed0 0000000000000000 000000012bc3dd10 0000000000000000 + GPR20: 000000012bc4db28 0000010036442810 000000012bc97828 000000012bc96c70 + GPR24: 00000100365b1550 0000000000000000 00000100363f3d80 c000000be20d3080 + GPR28: c000000bda7eae00 c000000be20db7e8 c000000be20d3778 c000000be20db7e8 +[84010.597042] NIP [d00000001ffd7f78] qlt_enable_vha+0x1d0/0x260 [qla2xxx] +[84010.597051] LR [d00000001ffd7f6c] qlt_enable_vha+0x1c4/0x260 [qla2xxx] +[84010.597051] Call Trace: +[84010.597061] [c000000b5218bb90] [d00000001ffd7f6c] qlt_enable_vha+0x1c4/0x260 [qla2xxx] (unreliable) +[84010.597064] [c000000b5218bc20] [d000000009820b6c] tcm_qla2xxx_tpg_enable_store+0xc4/0x130 [tcm_qla2xxx] +[84010.597067] [c000000b5218bcb0] [d0000000185d0e68] configfs_write_file+0xd0/0x190 [configfs] +[84010.597072] [c000000b5218bd00] [c0000000003d0edc] __vfs_write+0x3c/0x1e0 +[84010.597074] [c000000b5218bd90] [c0000000003d2ea8] vfs_write+0xd8/0x220 +[84010.597076] [c000000b5218bde0] [c0000000003d4ddc] SyS_write+0x6c/0x110 +[84010.597079] [c000000b5218be30] [c00000000000b188] system_call+0x3c/0x130 +[84010.597080] Instruction dump: +[84010.597082] 7d0050a8 7d084b78 7d0051ad 40c2fff4 7fa3eb78 4bf73965 60000000 7fa3eb78 +[84010.597086] 4bf6dcd9 60000000 2fa30000 419eff40 <0fe00000> 4bffff38 e95f0058 a12a0180 +[84010.597090] ---[ end trace e32abaf6e6fee826 ]--- + +To reproduce: + +echo 0x7fffffff > /sys/module/qla2xxx/parameters/logging +modprobe target_core_mod +modprobe tcm_qla2xxx +mkdir /sys/kernel/config/target/qla2xxx +mkdir /sys/kernel/config/target/qla2xxx/ +mkdir /sys/kernel/config/target/qla2xxx//tpgt_1 +echo 1 > /sys/kernel/config/target/qla2xxx//tpgt_1/enable +echo 0 > /sys/kernel/config/target/qla2xxx//tpgt_1/enable +echo 1 > /sys/kernel/config/target/qla2xxx//tpgt_1/enable + +SYSTEM START +kernel: pid 327:drivers/scsi/qla2xxx/qla_init.c:2174 qla2x00_initialize_adapter(): vha->flags.online 0x0 +<...> +kernel: pid 327:drivers/scsi/qla2xxx/qla_os.c:3444 qla2x00_probe_one(): vha->flags.online 0x1 + +echo 1 > /sys/kernel/config/target/qla2xxx/21:00:00:24:ff:86:a6:2a/tpgt_1/enable +kernel: pid 348:drivers/scsi/qla2xxx/qla_init.c:6641 qla2x00_abort_isp_cleanup(): vha->flags.online 0x0, ISP_ABORT_NEEDED 0x0 +<...> +kernel: pid 348:drivers/scsi/qla2xxx/qla_init.c:6998 qla2x00_restart_isp(): vha->flags.online 0x0 + +echo 0 > /sys/kernel/config/target/qla2xxx/21:00:00:24:ff:86:a6:2a/tpgt_1/enable +kernel: pid 348:drivers/scsi/qla2xxx/qla_init.c:6641 qla2x00_abort_isp_cleanup(): vha->flags.online 0x0, ISP_ABORT_NEEDED 0x0 +<...> +kernel: pid 1404:drivers/scsi/qla2xxx/qla_os.c:1107 qla2x00_wait_for_hba_online(): base_vha->flags.online 0x0 + +echo 1 > /sys/kernel/config/target/qla2xxx/21:00:00:24:ff:86:a6:2a/tpgt_1/enable +kernel: pid 1404:drivers/scsi/qla2xxx/qla_os.c:1107 qla2x00_wait_for_hba_online(): base_vha->flags.online 0x0 +kernel: -----------[ cut here ]----------- +kernel: WARNING: CPU: 1 PID: 1404 at drivers/scsi/qla2xxx/qla_target.c:6654 qlt_enable_vha+0x1e0/0x280 [qla2xxx] + +The issue happens because no real ISP reset is executed. The +qla2x00_abort_isp(scsi_qla_host_t *vha) function expects that +vha->flags.online will be not zero for ISP reset procedure. This patch +sets vha->flags.online to 1 before calling ->abort_isp() for starting the +ISP reset. + +Link: https://lore.kernel.org/r/1d7b21bf9f7676643239eb3d60eaca7cfa505cf0.camel@yadro.com +Reviewed-by: Roman Bolshakov +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_os.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c +index d4024015f859f..ea60c6e603c06 100644 +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -5824,6 +5824,7 @@ qla2x00_do_dpc(void *data) + + if (do_reset && !(test_and_set_bit(ABORT_ISP_ACTIVE, + &base_vha->dpc_flags))) { ++ base_vha->flags.online = 1; + ql_dbg(ql_dbg_dpc, base_vha, 0x4007, + "ISP abort scheduled.\n"); + if (ha->isp_ops->abort_isp(base_vha)) { +-- +2.25.1 + diff --git a/queue-4.14/scsi-sr-fix-sr_probe-missing-deallocate-of-device-mi.patch b/queue-4.14/scsi-sr-fix-sr_probe-missing-deallocate-of-device-mi.patch new file mode 100644 index 00000000000..6a4474ddcfe --- /dev/null +++ b/queue-4.14/scsi-sr-fix-sr_probe-missing-deallocate-of-device-mi.patch @@ -0,0 +1,47 @@ +From 3ea5ef38e016d30472ace8c003625d02bf7e328e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 May 2020 18:59:44 +0100 +Subject: scsi: sr: Fix sr_probe() missing deallocate of device minor + +From: Simon Arlott + +[ Upstream commit 6555781b3fdec5e94e6914511496144241df7dee ] + +If the cdrom fails to be registered then the device minor should be +deallocated. + +Link: https://lore.kernel.org/r/072dac4b-8402-4de8-36bd-47e7588969cd@0882a8b5-c6c3-11e9-b005-00805fc181fe +Signed-off-by: Simon Arlott +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/sr.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c +index d0389b20574d0..5be3d6b7991b4 100644 +--- a/drivers/scsi/sr.c ++++ b/drivers/scsi/sr.c +@@ -748,7 +748,7 @@ static int sr_probe(struct device *dev) + cd->cdi.disk = disk; + + if (register_cdrom(&cd->cdi)) +- goto fail_put; ++ goto fail_minor; + + /* + * Initialize block layer runtime PM stuffs before the +@@ -766,6 +766,10 @@ static int sr_probe(struct device *dev) + + return 0; + ++fail_minor: ++ spin_lock(&sr_index_lock); ++ clear_bit(minor, sr_index_bits); ++ spin_unlock(&sr_index_lock); + fail_put: + put_disk(disk); + fail_free: +-- +2.25.1 + diff --git a/queue-4.14/scsi-ufs-don-t-update-urgent-bkops-level-when-toggli.patch b/queue-4.14/scsi-ufs-don-t-update-urgent-bkops-level-when-toggli.patch new file mode 100644 index 00000000000..0e73d5507df --- /dev/null +++ b/queue-4.14/scsi-ufs-don-t-update-urgent-bkops-level-when-toggli.patch @@ -0,0 +1,41 @@ +From 73c4e8c48e13eab54b25c2b12e2deee3f2076344 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 May 2020 19:24:42 -0700 +Subject: scsi: ufs: Don't update urgent bkops level when toggling auto bkops + +From: Can Guo + +[ Upstream commit be32acff43800c87dc5c707f5d47cc607b76b653 ] + +Urgent bkops level is used to compare against actual bkops status read from +UFS device. Urgent bkops level is set during initialization and might be +updated in exception event handler during runtime. But it should not be +updated to the actual bkops status every time when auto bkops is toggled. +Otherwise, if urgent bkops level is updated to 0, auto bkops shall always +be kept enabled. + +Link: https://lore.kernel.org/r/1590632686-17866-1-git-send-email-cang@codeaurora.org +Fixes: 24366c2afbb0 ("scsi: ufs: Recheck bkops level if bkops is disabled") +Reviewed-by: Stanley Chu +Signed-off-by: Can Guo +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufshcd.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c +index 3a98e5a1d830c..1e2a97a10033b 100644 +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -4890,7 +4890,6 @@ static int ufshcd_bkops_ctrl(struct ufs_hba *hba, + err = ufshcd_enable_auto_bkops(hba); + else + err = ufshcd_disable_auto_bkops(hba); +- hba->urgent_bkops_lvl = curr_status; + out: + return err; + } +-- +2.25.1 + diff --git a/queue-4.14/scsi-ufs-qcom-fix-scheduling-while-atomic-issue.patch b/queue-4.14/scsi-ufs-qcom-fix-scheduling-while-atomic-issue.patch new file mode 100644 index 00000000000..9e782b912bd --- /dev/null +++ b/queue-4.14/scsi-ufs-qcom-fix-scheduling-while-atomic-issue.patch @@ -0,0 +1,54 @@ +From af6a620395b8cc638cfe298af757c6137aed2d9d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 May 2020 13:41:25 -0700 +Subject: scsi: ufs-qcom: Fix scheduling while atomic issue + +From: Jeffrey Hugo + +[ Upstream commit 3be60b564de49875e47974c37fabced893cd0931 ] + +ufs_qcom_dump_dbg_regs() uses usleep_range, a sleeping function, but can be +called from atomic context in the following flow: + +ufshcd_intr -> ufshcd_sl_intr -> ufshcd_check_errors -> +ufshcd_print_host_regs -> ufshcd_vops_dbg_register_dump -> +ufs_qcom_dump_dbg_regs + +This causes a boot crash on the Lenovo Miix 630 when the interrupt is +handled on the idle thread. + +Fix the issue by switching to udelay(). + +Link: https://lore.kernel.org/r/20200525204125.46171-1-jeffrey.l.hugo@gmail.com +Fixes: 9c46b8676271 ("scsi: ufs-qcom: dump additional testbus registers") +Reviewed-by: Bean Huo +Reviewed-by: Avri Altman +Signed-off-by: Jeffrey Hugo +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufs-qcom.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/scsi/ufs/ufs-qcom.c b/drivers/scsi/ufs/ufs-qcom.c +index f2b8de195d8af..ee3589ac64abf 100644 +--- a/drivers/scsi/ufs/ufs-qcom.c ++++ b/drivers/scsi/ufs/ufs-qcom.c +@@ -1649,11 +1649,11 @@ static void ufs_qcom_dump_dbg_regs(struct ufs_hba *hba) + + /* sleep a bit intermittently as we are dumping too much data */ + ufs_qcom_print_hw_debug_reg_all(hba, NULL, ufs_qcom_dump_regs_wrapper); +- usleep_range(1000, 1100); ++ udelay(1000); + ufs_qcom_testbus_read(hba); +- usleep_range(1000, 1100); ++ udelay(1000); + ufs_qcom_print_unipro_testbus(hba); +- usleep_range(1000, 1100); ++ udelay(1000); + } + + /** +-- +2.25.1 + diff --git a/queue-4.14/selftests-net-in-timestamping-strncpy-needs-to-prese.patch b/queue-4.14/selftests-net-in-timestamping-strncpy-needs-to-prese.patch new file mode 100644 index 00000000000..79bab44a2c8 --- /dev/null +++ b/queue-4.14/selftests-net-in-timestamping-strncpy-needs-to-prese.patch @@ -0,0 +1,68 @@ +From e6afdcd01e78716da6aaf34390062d968b2bc9ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Jun 2020 15:37:15 -0400 +Subject: selftests/net: in timestamping, strncpy needs to preserve null byte +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: tannerlove + +[ Upstream commit 8027bc0307ce59759b90679fa5d8b22949586d20 ] + +If user passed an interface option longer than 15 characters, then +device.ifr_name and hwtstamp.ifr_name became non-null-terminated +strings. The compiler warned about this: + +timestamping.c:353:2: warning: ‘strncpy’ specified bound 16 equals \ +destination size [-Wstringop-truncation] + 353 | strncpy(device.ifr_name, interface, sizeof(device.ifr_name)); + +Fixes: cb9eff097831 ("net: new user space API for time stamping of incoming and outgoing packets") +Signed-off-by: Tanner Love +Acked-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../selftests/networking/timestamping/timestamping.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/networking/timestamping/timestamping.c b/tools/testing/selftests/networking/timestamping/timestamping.c +index 5cdfd743447b7..900ed4b478996 100644 +--- a/tools/testing/selftests/networking/timestamping/timestamping.c ++++ b/tools/testing/selftests/networking/timestamping/timestamping.c +@@ -332,10 +332,16 @@ int main(int argc, char **argv) + int val; + socklen_t len; + struct timeval next; ++ size_t if_len; + + if (argc < 2) + usage(0); + interface = argv[1]; ++ if_len = strlen(interface); ++ if (if_len >= IFNAMSIZ) { ++ printf("interface name exceeds IFNAMSIZ\n"); ++ exit(1); ++ } + + for (i = 2; i < argc; i++) { + if (!strcasecmp(argv[i], "SO_TIMESTAMP")) +@@ -369,12 +375,12 @@ int main(int argc, char **argv) + bail("socket"); + + memset(&device, 0, sizeof(device)); +- strncpy(device.ifr_name, interface, sizeof(device.ifr_name)); ++ memcpy(device.ifr_name, interface, if_len + 1); + if (ioctl(sock, SIOCGIFADDR, &device) < 0) + bail("getting interface IP address"); + + memset(&hwtstamp, 0, sizeof(hwtstamp)); +- strncpy(hwtstamp.ifr_name, interface, sizeof(hwtstamp.ifr_name)); ++ memcpy(hwtstamp.ifr_name, interface, if_len + 1); + hwtstamp.ifr_data = (void *)&hwconfig; + memset(&hwconfig, 0, sizeof(hwconfig)); + hwconfig.tx_type = +-- +2.25.1 + diff --git a/queue-4.14/selftests-vm-pkeys-fix-alloc_random_pkey-to-make-it-.patch b/queue-4.14/selftests-vm-pkeys-fix-alloc_random_pkey-to-make-it-.patch new file mode 100644 index 00000000000..dfed2eb618e --- /dev/null +++ b/queue-4.14/selftests-vm-pkeys-fix-alloc_random_pkey-to-make-it-.patch @@ -0,0 +1,60 @@ +From 12716b4ed48c1db4969692300fd076e582fb1e48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jun 2020 16:52:05 -0700 +Subject: selftests/vm/pkeys: fix alloc_random_pkey() to make it really random + +From: Ram Pai + +[ Upstream commit 6e373263ce07eeaa6410843179535fbdf561fc31 ] + +alloc_random_pkey() was allocating the same pkey every time. Not all +pkeys were geting tested. This fixes it. + +Signed-off-by: Ram Pai +Signed-off-by: Sandipan Das +Signed-off-by: Andrew Morton +Acked-by: Dave Hansen +Cc: Dave Hansen +Cc: Florian Weimer +Cc: "Desnes A. Nunes do Rosario" +Cc: Ingo Molnar +Cc: Thiago Jung Bauermann +Cc: "Aneesh Kumar K.V" +Cc: Michael Ellerman +Cc: Michal Hocko +Cc: Michal Suchanek +Cc: Shuah Khan +Link: http://lkml.kernel.org/r/0162f55816d4e783a0d6e49e554d0ab9a3c9a23b.1585646528.git.sandipan@linux.ibm.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/x86/protection_keys.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/x86/protection_keys.c b/tools/testing/selftests/x86/protection_keys.c +index 5d546dcdbc805..b8778960da106 100644 +--- a/tools/testing/selftests/x86/protection_keys.c ++++ b/tools/testing/selftests/x86/protection_keys.c +@@ -24,6 +24,7 @@ + #define _GNU_SOURCE + #include + #include ++#include + #include + #include + #include +@@ -612,10 +613,10 @@ int alloc_random_pkey(void) + int nr_alloced = 0; + int random_index; + memset(alloced_pkeys, 0, sizeof(alloced_pkeys)); ++ srand((unsigned int)time(NULL)); + + /* allocate every possible key and make a note of which ones we got */ + max_nr_pkey_allocs = NR_PKEYS; +- max_nr_pkey_allocs = 1; + for (i = 0; i < max_nr_pkey_allocs; i++) { + int new_pkey = alloc_pkey(); + if (new_pkey < 0) +-- +2.25.1 + diff --git a/queue-4.14/serial-amba-pl011-make-sure-we-initialize-the-port.l.patch b/queue-4.14/serial-amba-pl011-make-sure-we-initialize-the-port.l.patch new file mode 100644 index 00000000000..52c812e9cc3 --- /dev/null +++ b/queue-4.14/serial-amba-pl011-make-sure-we-initialize-the-port.l.patch @@ -0,0 +1,87 @@ +From 23cd5a0ff4a372b0f248e2a43f3096402095b9f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Apr 2020 18:40:50 +0000 +Subject: serial: amba-pl011: Make sure we initialize the port.lock spinlock + +From: John Stultz + +[ Upstream commit 8508f4cba308f785b2fd4b8c38849c117b407297 ] + +Valentine reported seeing: + +[ 3.626638] INFO: trying to register non-static key. +[ 3.626639] the code is fine but needs lockdep annotation. +[ 3.626640] turning off the locking correctness validator. +[ 3.626644] CPU: 7 PID: 51 Comm: kworker/7:1 Not tainted 5.7.0-rc2-00115-g8c2e9790f196 #116 +[ 3.626646] Hardware name: HiKey960 (DT) +[ 3.626656] Workqueue: events deferred_probe_work_func +[ 3.632476] sd 0:0:0:0: [sda] Optimal transfer size 8192 bytes not a multiple of physical block size (16384 bytes) +[ 3.640220] Call trace: +[ 3.640225] dump_backtrace+0x0/0x1b8 +[ 3.640227] show_stack+0x20/0x30 +[ 3.640230] dump_stack+0xec/0x158 +[ 3.640234] register_lock_class+0x598/0x5c0 +[ 3.640235] __lock_acquire+0x80/0x16c0 +[ 3.640236] lock_acquire+0xf4/0x4a0 +[ 3.640241] _raw_spin_lock_irqsave+0x70/0xa8 +[ 3.640245] uart_add_one_port+0x388/0x4b8 +[ 3.640248] pl011_register_port+0x70/0xf0 +[ 3.640250] pl011_probe+0x184/0x1b8 +[ 3.640254] amba_probe+0xdc/0x180 +[ 3.640256] really_probe+0xe0/0x338 +[ 3.640257] driver_probe_device+0x60/0xf8 +[ 3.640259] __device_attach_driver+0x8c/0xd0 +[ 3.640260] bus_for_each_drv+0x84/0xd8 +[ 3.640261] __device_attach+0xe4/0x140 +[ 3.640263] device_initial_probe+0x1c/0x28 +[ 3.640265] bus_probe_device+0xa4/0xb0 +[ 3.640266] deferred_probe_work_func+0x7c/0xb8 +[ 3.640269] process_one_work+0x2c0/0x768 +[ 3.640271] worker_thread+0x4c/0x498 +[ 3.640272] kthread+0x14c/0x158 +[ 3.640275] ret_from_fork+0x10/0x1c + +Which seems to be due to the fact that after allocating the uap +structure, nothing initializes the spinlock. + +Its a little confusing, as uart_port_spin_lock_init() is one +place where the lock is supposed to be initialized, but it has +an exception for the case where the port is a console. + +This makes it seem like a deeper fix is needed to properly +register the console, but I'm not sure what that entails, and +Andy suggested that this approach is less invasive. + +Thus, this patch resolves the issue by initializing the spinlock +in the driver, and resolves the resulting warning. + +Cc: Andy Shevchenko +Cc: Russell King +Cc: Jiri Slaby +Cc: linux-serial@vger.kernel.org +Reported-by: Valentin Schneider +Reviewed-by: Andy Shevchenko +Signed-off-by: John Stultz +Reviewed-and-tested-by: Valentin Schneider +Link: https://lore.kernel.org/r/20200428184050.6501-1-john.stultz@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/amba-pl011.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/tty/serial/amba-pl011.c b/drivers/tty/serial/amba-pl011.c +index 637f72fb6427f..e55b556337214 100644 +--- a/drivers/tty/serial/amba-pl011.c ++++ b/drivers/tty/serial/amba-pl011.c +@@ -2605,6 +2605,7 @@ static int pl011_setup_port(struct device *dev, struct uart_amba_port *uap, + uap->port.fifosize = uap->fifosize; + uap->port.flags = UPF_BOOT_AUTOCONF; + uap->port.line = index; ++ spin_lock_init(&uap->port.lock); + + amba_ports[index] = uap; + +-- +2.25.1 + diff --git a/queue-4.14/series b/queue-4.14/series new file mode 100644 index 00000000000..ea480dd6812 --- /dev/null +++ b/queue-4.14/series @@ -0,0 +1,110 @@ +power-supply-bq24257_charger-replace-depends-on-regm.patch +clk-sunxi-fix-incorrect-usage-of-round_down.patch +i2c-piix4-detect-secondary-smbus-controller-on-amd-a.patch +iio-pressure-bmp280-tolerate-irq-before-registering.patch +remoteproc-fix-idr-initialisation-in-rproc_alloc.patch +clk-qcom-msm8916-fix-the-address-location-of-pll-con.patch +backlight-lp855x-ensure-regulators-are-disabled-on-p.patch +asoc-davinci-mcasp-fix-dma_chan-refcnt-leak-when-get.patch +arm-integrator-add-some-kconfig-selections.patch +scsi-qedi-check-for-buffer-overflow-in-qedi_set_path.patch +alsa-isa-wavefront-prevent-out-of-bounds-write-in-io.patch +scsi-qla2xxx-fix-issue-with-adapter-s-stopping-state.patch +iio-bmp280-fix-compensation-of-humidity.patch +f2fs-report-delalloc-reserve-as-non-free-in-statfs-f.patch +i2c-pxa-clear-all-master-action-bits-in-i2c_pxa_stop.patch +usblp-poison-urbs-upon-disconnect.patch +dm-mpath-switch-paths-in-dm_blk_ioctl-code-path.patch +pci-aardvark-don-t-blindly-enable-aspm-l0s-and-don-t.patch +ps3disk-use-the-default-segment-boundary.patch +vfio-pci-fix-memory-leaks-in-alloc_perm_bits.patch +m68k-pci-fix-a-memory-leak-in-an-error-handling-path.patch +mfd-wm8994-fix-driver-operation-if-loaded-as-modules.patch +scsi-lpfc-fix-lpfc_nodelist-leak-when-processing-uns.patch +clk-clk-flexgen-fix-clock-critical-handling.patch +powerpc-perf-hv-24x7-fix-inconsistent-output-values-.patch +nfsd-fix-svc_xprt-refcnt-leak-when-setup-callback-cl.patch +powerpc-crashkernel-take-mem-option-into-account.patch +yam-fix-possible-memory-leak-in-yam_init_driver.patch +ntb-fix-the-default-port-and-peer-numbers-for-legacy.patch +mksysmap-fix-the-mismatch-of-.l-symbols-in-system.ma.patch +apparmor-fix-introspection-of-of-task-mode-for-uncon.patch +scsi-sr-fix-sr_probe-missing-deallocate-of-device-mi.patch +scsi-ibmvscsi-don-t-send-host-info-in-adapter-info-m.patch +staging-greybus-fix-a-missing-check-bug-in-gb_lights.patch +staging-rtl8712-fix-multiline-derefernce-warnings.patch +scsi-qedi-do-not-flush-offload-work-if-arp-not-resol.patch +alsa-usb-audio-improve-frames-size-computation.patch +s390-qdio-put-thinint-indicator-after-early-error.patch +tty-hvc-fix-data-abort-due-to-race-in-hvc_open.patch +thermal-drivers-ti-soc-thermal-avoid-dereferencing-e.patch +staging-sm750fb-add-missing-case-while-setting-fb_vi.patch +i2c-pxa-fix-i2c_pxa_scream_blue_murder-debug-output.patch +serial-amba-pl011-make-sure-we-initialize-the-port.l.patch +drivers-base-fix-null-pointer-exception-in-__platfor.patch +pci-rcar-fix-incorrect-programming-of-ob-windows.patch +pci-aspm-allow-aspm-on-links-to-pcie-to-pci-pci-x-br.patch +scsi-qla2xxx-fix-warning-after-fc-target-reset.patch +power-supply-lp8788-fix-an-error-handling-path-in-lp.patch +power-supply-smb347-charger-irqstat_d-is-volatile.patch +scsi-mpt3sas-fix-double-free-warnings.patch +dlm-remove-bug-before-panic.patch +clk-ti-composite-fix-memory-leak.patch +pci-fix-pci_register_host_bridge-device_register-err.patch +tty-n_gsm-fix-sof-skipping.patch +tty-n_gsm-fix-waking-up-upper-tty-layer-when-room-av.patch +powerpc-pseries-ras-fix-fwnmi_valid-off-by-one.patch +powerpc-ps3-fix-kexec-shutdown-hang.patch +vfio-pci-mask-cap-zero.patch +usb-ohci-platform-fix-a-warning-when-hibernating.patch +drm-msm-mdp5-fix-mdp5_init-error-path-for-failed-mdp.patch +usb-host-ehci-mxc-add-error-handling-in-ehci_mxc_drv.patch +tty-n_gsm-fix-bogus-i-in-gsm_data_kick.patch +clk-samsung-exynos5433-add-ignore_unused-flag-to-scl.patch +powerpc-64s-pgtable-fix-an-undefined-behaviour.patch +dm-zoned-return-null-if-dmz_get_zone_for_reclaim-fai.patch +pci-ptm-inherit-switch-downstream-port-ptm-settings-.patch +ib-cma-fix-ports-memory-leak-in-cma_configfs.patch +watchdog-da9062-no-need-to-ping-manually-before-sett.patch +usb-dwc2-gadget-move-gadget-resume-after-the-core-is.patch +usb-gadget-udc-s3c2410_udc-remove-pointless-null-che.patch +usb-gadget-lpc32xx_udc-don-t-dereference-ep-pointer-.patch +usb-gadget-fix-potential-double-free-in-m66592_probe.patch +usb-gadget-fix-issue-with-config_ep_by_speed-functio.patch +x86-apic-make-tsc-deadline-timer-detection-message-v.patch +clk-bcm2835-fix-return-type-of-bcm2835_register_gate.patch +scsi-ufs-qcom-fix-scheduling-while-atomic-issue.patch +net-sunrpc-fix-off-by-one-issues-in-rpc_ntop6.patch +nfsv4.1-fix-rpc_call_done-assignment-for-bind_conn_t.patch +powerpc-4xx-don-t-unmap-null-mbase.patch +extcon-adc-jack-fix-an-error-handling-path-in-adc_ja.patch +asoc-fsl_asrc_dma-fix-dma_chan-leak-when-config-dma-.patch +vfio-mdev-fix-reference-count-leak-in-add_mdev_suppo.patch +openrisc-fix-issue-with-argument-clobbering-for-clon.patch +gfs2-allow-lock_nolock-mount-to-specify-jid-x.patch +ovl-verify-permissions-in-ovl_path_open.patch +scsi-iscsi-fix-reference-count-leak-in-iscsi_boot_cr.patch +scsi-ufs-don-t-update-urgent-bkops-level-when-toggli.patch +pinctrl-imxl-fix-an-error-handling-path-in-imx1_pinc.patch +pinctrl-freescale-imx-fix-an-error-handling-path-in-.patch +crypto-omap-sham-add-proper-load-balancing-support-f.patch +geneve-change-from-tx_error-to-tx_dropped-on-missing.patch +lib-zlib-remove-outdated-and-incorrect-pre-increment.patch +include-linux-bitops.h-avoid-clang-shift-count-overf.patch +elfnote-mark-all-.note-sections-shf_alloc.patch +selftests-vm-pkeys-fix-alloc_random_pkey-to-make-it-.patch +blktrace-use-errno-instead-of-bi_status.patch +blktrace-fix-endianness-in-get_pdu_int.patch +blktrace-fix-endianness-for-blk_log_remap.patch +gfs2-fix-use-after-free-on-transaction-ail-lists.patch +selftests-net-in-timestamping-strncpy-needs-to-prese.patch +drm-sun4i-hdmi-ddc-clk-fix-size-of-m-divider.patch +scsi-acornscsi-fix-an-error-handling-path-in-acornsc.patch +usb-xhci-plat-set-pm-runtime-as-active-on-resume.patch +usb-ehci-platform-set-pm-runtime-as-active-on-resume.patch +perf-report-fix-null-pointer-dereference-in-hists__f.patch +bcache-fix-potential-deadlock-problem-in-btree_gc_co.patch +block-fix-use-after-free-in-blkdev_get.patch +arm64-hw_breakpoint-don-t-invoke-overflow-handler-on.patch +libata-use-per-port-sync-for-detach.patch +drm-encoder_slave-fix-refcouting-error-for-modules.patch diff --git a/queue-4.14/staging-greybus-fix-a-missing-check-bug-in-gb_lights.patch b/queue-4.14/staging-greybus-fix-a-missing-check-bug-in-gb_lights.patch new file mode 100644 index 00000000000..84aa9ed0840 --- /dev/null +++ b/queue-4.14/staging-greybus-fix-a-missing-check-bug-in-gb_lights.patch @@ -0,0 +1,38 @@ +From f09ba45ee68c8279885ef8a56b3a69ff8da2efde Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Apr 2020 11:00:17 +0800 +Subject: staging: greybus: fix a missing-check bug in gb_lights_light_config() + +From: Chen Zhou + +[ Upstream commit 9bb086e5ba9495ac150fbbcc5c8c2bccc06261dd ] + +In gb_lights_light_config(), 'light->name' is allocated by kstrndup(). +It returns NULL when fails, add check for it. + +Signed-off-by: Chen Zhou +Acked-by: Rui Miguel Silva +Link: https://lore.kernel.org/r/20200401030017.100274-1-chenzhou10@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/greybus/light.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/staging/greybus/light.c b/drivers/staging/greybus/light.c +index 4e7575147775d..9fab0e2751aa6 100644 +--- a/drivers/staging/greybus/light.c ++++ b/drivers/staging/greybus/light.c +@@ -1033,7 +1033,8 @@ static int gb_lights_light_config(struct gb_lights *glights, u8 id) + + light->channels_count = conf.channel_count; + light->name = kstrndup(conf.name, NAMES_MAX, GFP_KERNEL); +- ++ if (!light->name) ++ return -ENOMEM; + light->channels = kcalloc(light->channels_count, + sizeof(struct gb_channel), GFP_KERNEL); + if (!light->channels) +-- +2.25.1 + diff --git a/queue-4.14/staging-rtl8712-fix-multiline-derefernce-warnings.patch b/queue-4.14/staging-rtl8712-fix-multiline-derefernce-warnings.patch new file mode 100644 index 00000000000..33ca81dcf5a --- /dev/null +++ b/queue-4.14/staging-rtl8712-fix-multiline-derefernce-warnings.patch @@ -0,0 +1,80 @@ +From 8c858bf882f4f4813797582f632c56b26261d2bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Mar 2020 14:57:47 -0400 +Subject: staging: rtl8712: fix multiline derefernce warnings + +From: Aiman Najjar + +[ Upstream commit 269da10b1477c31c660288633c8d613e421b131f ] + +This patch fixes remaining checkpatch warnings +in rtl871x_xmit.c: + +WARNING: Avoid multiple line dereference - prefer 'psecuritypriv->PrivacyKeyIndex' +636: FILE: drivers/staging//rtl8712/rtl871x_xmit.c:636: ++ (u8)psecuritypriv-> ++ PrivacyKeyIndex); + +WARNING: Avoid multiple line dereference - prefer 'psecuritypriv->XGrpKeyid' +643: FILE: drivers/staging//rtl8712/rtl871x_xmit.c:643: ++ (u8)psecuritypriv-> ++ XGrpKeyid); + +WARNING: Avoid multiple line dereference - prefer 'psecuritypriv->XGrpKeyid' +652: FILE: drivers/staging//rtl8712/rtl871x_xmit.c:652: ++ (u8)psecuritypriv-> ++ XGrpKeyid); + +Signed-off-by: Aiman Najjar +Reviewed-by: Dan Carpenter +Link: https://lore.kernel.org/r/98805a72b92e9bbf933e05b827d27944663b7bc1.1585508171.git.aiman.najjar@hurranet.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/rtl8712/rtl871x_xmit.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +diff --git a/drivers/staging/rtl8712/rtl871x_xmit.c b/drivers/staging/rtl8712/rtl871x_xmit.c +index eda2aee02ff89..06e2377092fe0 100644 +--- a/drivers/staging/rtl8712/rtl871x_xmit.c ++++ b/drivers/staging/rtl8712/rtl871x_xmit.c +@@ -601,7 +601,7 @@ sint r8712_xmitframe_coalesce(struct _adapter *padapter, _pkt *pkt, + addr_t addr; + u8 *pframe, *mem_start, *ptxdesc; + struct sta_info *psta; +- struct security_priv *psecuritypriv = &padapter->securitypriv; ++ struct security_priv *psecpriv = &padapter->securitypriv; + struct mlme_priv *pmlmepriv = &padapter->mlmepriv; + struct xmit_priv *pxmitpriv = &padapter->xmitpriv; + struct pkt_attrib *pattrib = &pxmitframe->attrib; +@@ -644,15 +644,13 @@ sint r8712_xmitframe_coalesce(struct _adapter *padapter, _pkt *pkt, + case _WEP40_: + case _WEP104_: + WEP_IV(pattrib->iv, psta->txpn, +- (u8)psecuritypriv-> +- PrivacyKeyIndex); ++ (u8)psecpriv->PrivacyKeyIndex); + break; + case _TKIP_: + if (bmcst) + TKIP_IV(pattrib->iv, + psta->txpn, +- (u8)psecuritypriv-> +- XGrpKeyid); ++ (u8)psecpriv->XGrpKeyid); + else + TKIP_IV(pattrib->iv, psta->txpn, + 0); +@@ -660,8 +658,7 @@ sint r8712_xmitframe_coalesce(struct _adapter *padapter, _pkt *pkt, + case _AES_: + if (bmcst) + AES_IV(pattrib->iv, psta->txpn, +- (u8)psecuritypriv-> +- XGrpKeyid); ++ (u8)psecpriv->XGrpKeyid); + else + AES_IV(pattrib->iv, psta->txpn, + 0); +-- +2.25.1 + diff --git a/queue-4.14/staging-sm750fb-add-missing-case-while-setting-fb_vi.patch b/queue-4.14/staging-sm750fb-add-missing-case-while-setting-fb_vi.patch new file mode 100644 index 00000000000..1009c95f05b --- /dev/null +++ b/queue-4.14/staging-sm750fb-add-missing-case-while-setting-fb_vi.patch @@ -0,0 +1,36 @@ +From 5d22a7f8f35217a03a52051ef4bf5c2fdf1f8ef0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Apr 2020 22:09:24 +0200 +Subject: staging: sm750fb: add missing case while setting FB_VISUAL + +From: Matej Dujava + +[ Upstream commit fa90133377f4a7f15a937df6ad55133bb57c5665 ] + +Switch statement does not contain all cases: 8, 16, 24, 32. +This patch will add missing one (24) + +Fixes: 81dee67e215b ("staging: sm750fb: add sm750 to staging") +Signed-off-by: Matej Dujava +Link: https://lore.kernel.org/r/1588277366-19354-2-git-send-email-mdujava@kocurkovo.cz +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/sm750fb/sm750.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/staging/sm750fb/sm750.c b/drivers/staging/sm750fb/sm750.c +index 67207b0554cd4..5d6f3686c0deb 100644 +--- a/drivers/staging/sm750fb/sm750.c ++++ b/drivers/staging/sm750fb/sm750.c +@@ -899,6 +899,7 @@ static int lynxfb_set_fbinfo(struct fb_info *info, int index) + fix->visual = FB_VISUAL_PSEUDOCOLOR; + break; + case 16: ++ case 24: + case 32: + fix->visual = FB_VISUAL_TRUECOLOR; + break; +-- +2.25.1 + diff --git a/queue-4.14/thermal-drivers-ti-soc-thermal-avoid-dereferencing-e.patch b/queue-4.14/thermal-drivers-ti-soc-thermal-avoid-dereferencing-e.patch new file mode 100644 index 00000000000..171a0bebda8 --- /dev/null +++ b/queue-4.14/thermal-drivers-ti-soc-thermal-avoid-dereferencing-e.patch @@ -0,0 +1,57 @@ +From 81cc8764fbb6c5e92455a443449fdb4938f616ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Apr 2020 17:19:44 +0100 +Subject: thermal/drivers/ti-soc-thermal: Avoid dereferencing ERR_PTR + +From: Sudip Mukherjee + +[ Upstream commit 7440f518dad9d861d76c64956641eeddd3586f75 ] + +On error the function ti_bandgap_get_sensor_data() returns the error +code in ERR_PTR() but we only checked if the return value is NULL or +not. And, so we can dereference an error code inside ERR_PTR. +While at it, convert a check to IS_ERR_OR_NULL. + +Signed-off-by: Sudip Mukherjee +Reviewed-by: Amit Kucheria +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20200424161944.6044-1-sudipm.mukherjee@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/thermal/ti-soc-thermal/ti-thermal-common.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/thermal/ti-soc-thermal/ti-thermal-common.c b/drivers/thermal/ti-soc-thermal/ti-thermal-common.c +index c211a8e4a2105..fa98c398d70f3 100644 +--- a/drivers/thermal/ti-soc-thermal/ti-thermal-common.c ++++ b/drivers/thermal/ti-soc-thermal/ti-thermal-common.c +@@ -183,7 +183,7 @@ int ti_thermal_expose_sensor(struct ti_bandgap *bgp, int id, + + data = ti_bandgap_get_sensor_data(bgp, id); + +- if (!data || IS_ERR(data)) ++ if (!IS_ERR_OR_NULL(data)) + data = ti_thermal_build_data(bgp, id); + + if (!data) +@@ -210,7 +210,7 @@ int ti_thermal_remove_sensor(struct ti_bandgap *bgp, int id) + + data = ti_bandgap_get_sensor_data(bgp, id); + +- if (data && data->ti_thermal) { ++ if (!IS_ERR_OR_NULL(data) && data->ti_thermal) { + if (data->our_zone) + thermal_zone_device_unregister(data->ti_thermal); + } +@@ -276,7 +276,7 @@ int ti_thermal_unregister_cpu_cooling(struct ti_bandgap *bgp, int id) + + data = ti_bandgap_get_sensor_data(bgp, id); + +- if (data) { ++ if (!IS_ERR_OR_NULL(data)) { + cpufreq_cooling_unregister(data->cool_dev); + cpufreq_cpu_put(data->policy); + } +-- +2.25.1 + diff --git a/queue-4.14/tty-hvc-fix-data-abort-due-to-race-in-hvc_open.patch b/queue-4.14/tty-hvc-fix-data-abort-due-to-race-in-hvc_open.patch new file mode 100644 index 00000000000..92e3e384299 --- /dev/null +++ b/queue-4.14/tty-hvc-fix-data-abort-due-to-race-in-hvc_open.patch @@ -0,0 +1,81 @@ +From 7aa7f5bfdbcc12c5c52f005d8a600ce8df6a5199 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Apr 2020 20:26:01 -0700 +Subject: tty: hvc: Fix data abort due to race in hvc_open + +From: Raghavendra Rao Ananta + +[ Upstream commit e2bd1dcbe1aa34ff5570b3427c530e4332ecf0fe ] + +Potentially, hvc_open() can be called in parallel when two tasks calls +open() on /dev/hvcX. In such a scenario, if the hp->ops->notifier_add() +callback in the function fails, where it sets the tty->driver_data to +NULL, the parallel hvc_open() can see this NULL and cause a memory abort. +Hence, serialize hvc_open and check if tty->private_data is NULL before +proceeding ahead. + +The issue can be easily reproduced by launching two tasks simultaneously +that does nothing but open() and close() on /dev/hvcX. +For example: +$ ./simple_open_close /dev/hvc0 & ./simple_open_close /dev/hvc0 & + +Signed-off-by: Raghavendra Rao Ananta +Link: https://lore.kernel.org/r/20200428032601.22127-1-rananta@codeaurora.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/hvc/hvc_console.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/drivers/tty/hvc/hvc_console.c b/drivers/tty/hvc/hvc_console.c +index d52221ae1b85a..663cbe3669e11 100644 +--- a/drivers/tty/hvc/hvc_console.c ++++ b/drivers/tty/hvc/hvc_console.c +@@ -88,6 +88,8 @@ static LIST_HEAD(hvc_structs); + */ + static DEFINE_SPINLOCK(hvc_structs_lock); + ++/* Mutex to serialize hvc_open */ ++static DEFINE_MUTEX(hvc_open_mutex); + /* + * This value is used to assign a tty->index value to a hvc_struct based + * upon order of exposure via hvc_probe(), when we can not match it to +@@ -332,16 +334,24 @@ static int hvc_install(struct tty_driver *driver, struct tty_struct *tty) + */ + static int hvc_open(struct tty_struct *tty, struct file * filp) + { +- struct hvc_struct *hp = tty->driver_data; ++ struct hvc_struct *hp; + unsigned long flags; + int rc = 0; + ++ mutex_lock(&hvc_open_mutex); ++ ++ hp = tty->driver_data; ++ if (!hp) { ++ rc = -EIO; ++ goto out; ++ } ++ + spin_lock_irqsave(&hp->port.lock, flags); + /* Check and then increment for fast path open. */ + if (hp->port.count++ > 0) { + spin_unlock_irqrestore(&hp->port.lock, flags); + hvc_kick(); +- return 0; ++ goto out; + } /* else count == 0 */ + spin_unlock_irqrestore(&hp->port.lock, flags); + +@@ -369,6 +379,8 @@ static int hvc_open(struct tty_struct *tty, struct file * filp) + /* Force wakeup of the polling thread */ + hvc_kick(); + ++out: ++ mutex_unlock(&hvc_open_mutex); + return rc; + } + +-- +2.25.1 + diff --git a/queue-4.14/tty-n_gsm-fix-bogus-i-in-gsm_data_kick.patch b/queue-4.14/tty-n_gsm-fix-bogus-i-in-gsm_data_kick.patch new file mode 100644 index 00000000000..e7661f644ac --- /dev/null +++ b/queue-4.14/tty-n_gsm-fix-bogus-i-in-gsm_data_kick.patch @@ -0,0 +1,53 @@ +From 5267ccd31c82f3b9d3cdaac5442323dcd3066643 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 May 2020 10:45:13 +0200 +Subject: tty: n_gsm: Fix bogus i++ in gsm_data_kick + +From: Gregory CLEMENT + +[ Upstream commit 4dd31f1ffec6c370c3c2e0c605628bf5e16d5c46 ] + +When submitting the previous fix "tty: n_gsm: Fix waking up upper tty +layer when room available". It was suggested to switch from a while to +a for loop, but when doing it, there was a remaining bogus i++. + +This patch removes this i++ and also reorganizes the code making it more +compact. + +Fixes: e1eaea46bb40 ("tty: n_gsm line discipline") +Signed-off-by: Gregory CLEMENT +Link: https://lore.kernel.org/r/20200518084517.2173242-3-gregory.clement@bootlin.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/n_gsm.c | 14 +++----------- + 1 file changed, 3 insertions(+), 11 deletions(-) + +diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c +index e7417eac3f216..c70e79a0e9f28 100644 +--- a/drivers/tty/n_gsm.c ++++ b/drivers/tty/n_gsm.c +@@ -715,17 +715,9 @@ static void gsm_data_kick(struct gsm_mux *gsm, struct gsm_dlci *dlci) + } else { + int i = 0; + +- for (i = 0; i < NUM_DLCI; i++) { +- struct gsm_dlci *dlci; +- +- dlci = gsm->dlci[i]; +- if (dlci == NULL) { +- i++; +- continue; +- } +- +- tty_port_tty_wakeup(&dlci->port); +- } ++ for (i = 0; i < NUM_DLCI; i++) ++ if (gsm->dlci[i]) ++ tty_port_tty_wakeup(&gsm->dlci[i]->port); + } + } + } +-- +2.25.1 + diff --git a/queue-4.14/tty-n_gsm-fix-sof-skipping.patch b/queue-4.14/tty-n_gsm-fix-sof-skipping.patch new file mode 100644 index 00000000000..0b0e1ad357e --- /dev/null +++ b/queue-4.14/tty-n_gsm-fix-sof-skipping.patch @@ -0,0 +1,58 @@ +From deb81734fa5709cb27b3fb6f4182dc58ecfc741c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 May 2020 13:53:22 +0200 +Subject: tty: n_gsm: Fix SOF skipping + +From: Gregory CLEMENT + +[ Upstream commit 84d6f81c1fb58b56eba81ff0a36cf31946064b40 ] + +For at least some modems like the TELIT LE910, skipping SOF makes +transfers blocking indefinitely after a short amount of data +transferred. + +Given the small improvement provided by skipping the SOF (just one +byte on about 100 bytes), it seems better to completely remove this +"feature" than make it optional. + +Fixes: e1eaea46bb40 ("tty: n_gsm line discipline") +Signed-off-by: Gregory CLEMENT +Link: https://lore.kernel.org/r/20200512115323.1447922-3-gregory.clement@bootlin.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/n_gsm.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c +index f46bd1af7a10b..eabdcfa414aad 100644 +--- a/drivers/tty/n_gsm.c ++++ b/drivers/tty/n_gsm.c +@@ -681,7 +681,6 @@ static void gsm_data_kick(struct gsm_mux *gsm) + { + struct gsm_msg *msg, *nmsg; + int len; +- int skip_sof = 0; + + list_for_each_entry_safe(msg, nmsg, &gsm->tx_list, list) { + if (gsm->constipated && msg->addr) +@@ -703,15 +702,10 @@ static void gsm_data_kick(struct gsm_mux *gsm) + print_hex_dump_bytes("gsm_data_kick: ", + DUMP_PREFIX_OFFSET, + gsm->txframe, len); +- +- if (gsm->output(gsm, gsm->txframe + skip_sof, +- len - skip_sof) < 0) ++ if (gsm->output(gsm, gsm->txframe, len) < 0) + break; + /* FIXME: Can eliminate one SOF in many more cases */ + gsm->tx_bytes -= msg->len; +- /* For a burst of frames skip the extra SOF within the +- burst */ +- skip_sof = 1; + + list_del(&msg->list); + kfree(msg); +-- +2.25.1 + diff --git a/queue-4.14/tty-n_gsm-fix-waking-up-upper-tty-layer-when-room-av.patch b/queue-4.14/tty-n_gsm-fix-waking-up-upper-tty-layer-when-room-av.patch new file mode 100644 index 00000000000..1f844c205b1 --- /dev/null +++ b/queue-4.14/tty-n_gsm-fix-waking-up-upper-tty-layer-when-room-av.patch @@ -0,0 +1,90 @@ +From 42e8a7e5d0f79f1100e49253c07455fcbe4cfc49 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 May 2020 13:53:23 +0200 +Subject: tty: n_gsm: Fix waking up upper tty layer when room available + +From: Gregory CLEMENT + +[ Upstream commit 01dbb362f0a114fbce19c8abe4cd6f4710e934d5 ] + +Warn the upper layer when n_gms is ready to receive data +again. Without this the associated virtual tty remains blocked +indefinitely. + +Fixes: e1eaea46bb40 ("tty: n_gsm line discipline") +Signed-off-by: Gregory CLEMENT +Link: https://lore.kernel.org/r/20200512115323.1447922-4-gregory.clement@bootlin.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/n_gsm.c | 26 ++++++++++++++++++++++---- + 1 file changed, 22 insertions(+), 4 deletions(-) + +diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c +index eabdcfa414aad..e7417eac3f216 100644 +--- a/drivers/tty/n_gsm.c ++++ b/drivers/tty/n_gsm.c +@@ -677,7 +677,7 @@ static struct gsm_msg *gsm_data_alloc(struct gsm_mux *gsm, u8 addr, int len, + * FIXME: lock against link layer control transmissions + */ + +-static void gsm_data_kick(struct gsm_mux *gsm) ++static void gsm_data_kick(struct gsm_mux *gsm, struct gsm_dlci *dlci) + { + struct gsm_msg *msg, *nmsg; + int len; +@@ -709,6 +709,24 @@ static void gsm_data_kick(struct gsm_mux *gsm) + + list_del(&msg->list); + kfree(msg); ++ ++ if (dlci) { ++ tty_port_tty_wakeup(&dlci->port); ++ } else { ++ int i = 0; ++ ++ for (i = 0; i < NUM_DLCI; i++) { ++ struct gsm_dlci *dlci; ++ ++ dlci = gsm->dlci[i]; ++ if (dlci == NULL) { ++ i++; ++ continue; ++ } ++ ++ tty_port_tty_wakeup(&dlci->port); ++ } ++ } + } + } + +@@ -760,7 +778,7 @@ static void __gsm_data_queue(struct gsm_dlci *dlci, struct gsm_msg *msg) + /* Add to the actual output queue */ + list_add_tail(&msg->list, &gsm->tx_list); + gsm->tx_bytes += msg->len; +- gsm_data_kick(gsm); ++ gsm_data_kick(gsm, dlci); + } + + /** +@@ -1221,7 +1239,7 @@ static void gsm_control_message(struct gsm_mux *gsm, unsigned int command, + gsm_control_reply(gsm, CMD_FCON, NULL, 0); + /* Kick the link in case it is idling */ + spin_lock_irqsave(&gsm->tx_lock, flags); +- gsm_data_kick(gsm); ++ gsm_data_kick(gsm, NULL); + spin_unlock_irqrestore(&gsm->tx_lock, flags); + break; + case CMD_FCOFF: +@@ -2420,7 +2438,7 @@ static void gsmld_write_wakeup(struct tty_struct *tty) + /* Queue poll */ + clear_bit(TTY_DO_WRITE_WAKEUP, &tty->flags); + spin_lock_irqsave(&gsm->tx_lock, flags); +- gsm_data_kick(gsm); ++ gsm_data_kick(gsm, NULL); + if (gsm->tx_bytes < TX_THRESH_LO) { + gsm_dlci_data_sweep(gsm); + } +-- +2.25.1 + diff --git a/queue-4.14/usb-dwc2-gadget-move-gadget-resume-after-the-core-is.patch b/queue-4.14/usb-dwc2-gadget-move-gadget-resume-after-the-core-is.patch new file mode 100644 index 00000000000..42927be42c7 --- /dev/null +++ b/queue-4.14/usb-dwc2-gadget-move-gadget-resume-after-the-core-is.patch @@ -0,0 +1,51 @@ +From 3f695b0bd30a2527e8b374ca4559323ef25eef2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Apr 2020 13:55:53 +0200 +Subject: usb: dwc2: gadget: move gadget resume after the core is in L0 state + +From: Fabrice Gasnier + +[ Upstream commit 8c935deacebb8fac8f41378701eb79d12f3c2e2d ] + +When the remote wakeup interrupt is triggered, lx_state is resumed from L2 +to L0 state. But when the gadget resume is called, lx_state is still L2. +This prevents the resume callback to queue any request. Any attempt +to queue a request from resume callback will result in: +- "submit request only in active state" debug message to be issued +- dwc2_hsotg_ep_queue() returns -EAGAIN + +Call the gadget resume routine after the core is in L0 state. + +Fixes: f81f46e1f530 ("usb: dwc2: implement hibernation during bus suspend/resume") + +Acked-by: Minas Harutyunyan +Signed-off-by: Fabrice Gasnier +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc2/core_intr.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/dwc2/core_intr.c b/drivers/usb/dwc2/core_intr.c +index b8bcb007c92a9..e3e0a3ab31daa 100644 +--- a/drivers/usb/dwc2/core_intr.c ++++ b/drivers/usb/dwc2/core_intr.c +@@ -364,10 +364,13 @@ static void dwc2_handle_wakeup_detected_intr(struct dwc2_hsotg *hsotg) + if (ret && (ret != -ENOTSUPP)) + dev_err(hsotg->dev, "exit hibernation failed\n"); + ++ /* Change to L0 state */ ++ hsotg->lx_state = DWC2_L0; + call_gadget(hsotg, resume); ++ } else { ++ /* Change to L0 state */ ++ hsotg->lx_state = DWC2_L0; + } +- /* Change to L0 state */ +- hsotg->lx_state = DWC2_L0; + } else { + if (hsotg->params.hibernation) + return; +-- +2.25.1 + diff --git a/queue-4.14/usb-ehci-platform-set-pm-runtime-as-active-on-resume.patch b/queue-4.14/usb-ehci-platform-set-pm-runtime-as-active-on-resume.patch new file mode 100644 index 00000000000..9f136c7c232 --- /dev/null +++ b/queue-4.14/usb-ehci-platform-set-pm-runtime-as-active-on-resume.patch @@ -0,0 +1,52 @@ +From 587ed5f8c38a471ebfa98f594adbb4f7433e2983 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 May 2020 16:49:31 +0100 +Subject: usb/ehci-platform: Set PM runtime as active on resume + +From: Qais Yousef + +[ Upstream commit 16bdc04cc98ab0c74392ceef2475ecc5e73fcf49 ] + +Follow suit of ohci-platform.c and perform pm_runtime_set_active() on +resume. + +ohci-platform.c had a warning reported due to the missing +pm_runtime_set_active() [1]. + +[1] https://lore.kernel.org/lkml/20200323143857.db5zphxhq4hz3hmd@e107158-lin.cambridge.arm.com/ + +Acked-by: Alan Stern +Signed-off-by: Qais Yousef +CC: Tony Prisk +CC: Greg Kroah-Hartman +CC: Mathias Nyman +CC: Oliver Neukum +CC: linux-arm-kernel@lists.infradead.org +CC: linux-usb@vger.kernel.org +CC: linux-kernel@vger.kernel.org +Link: https://lore.kernel.org/r/20200518154931.6144-3-qais.yousef@arm.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/ehci-platform.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/usb/host/ehci-platform.c b/drivers/usb/host/ehci-platform.c +index f1908ea9fbd86..6fcd332880143 100644 +--- a/drivers/usb/host/ehci-platform.c ++++ b/drivers/usb/host/ehci-platform.c +@@ -390,6 +390,11 @@ static int ehci_platform_resume(struct device *dev) + } + + ehci_resume(hcd, priv->reset_on_resume); ++ ++ pm_runtime_disable(dev); ++ pm_runtime_set_active(dev); ++ pm_runtime_enable(dev); ++ + return 0; + } + #endif /* CONFIG_PM_SLEEP */ +-- +2.25.1 + diff --git a/queue-4.14/usb-gadget-fix-issue-with-config_ep_by_speed-functio.patch b/queue-4.14/usb-gadget-fix-issue-with-config_ep_by_speed-functio.patch new file mode 100644 index 00000000000..3e328ffdc8b --- /dev/null +++ b/queue-4.14/usb-gadget-fix-issue-with-config_ep_by_speed-functio.patch @@ -0,0 +1,226 @@ +From 81b83b73fbf3b6093f972f74121a3b2859e06b3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 May 2020 12:08:45 +0200 +Subject: usb: gadget: Fix issue with config_ep_by_speed function + +From: Pawel Laszczak + +[ Upstream commit 5d363120aa548ba52d58907a295eee25f8207ed2 ] + +This patch adds new config_ep_by_speed_and_alt function which +extends the config_ep_by_speed about alt parameter. +This additional parameter allows to find proper usb_ss_ep_comp_descriptor. + +Problem has appeared during testing f_tcm (BOT/UAS) driver function. + +f_tcm function for SS use array of headers for both BOT/UAS alternate +setting: + +static struct usb_descriptor_header *uasp_ss_function_desc[] = { + (struct usb_descriptor_header *) &bot_intf_desc, + (struct usb_descriptor_header *) &uasp_ss_bi_desc, + (struct usb_descriptor_header *) &bot_bi_ep_comp_desc, + (struct usb_descriptor_header *) &uasp_ss_bo_desc, + (struct usb_descriptor_header *) &bot_bo_ep_comp_desc, + + (struct usb_descriptor_header *) &uasp_intf_desc, + (struct usb_descriptor_header *) &uasp_ss_bi_desc, + (struct usb_descriptor_header *) &uasp_bi_ep_comp_desc, + (struct usb_descriptor_header *) &uasp_bi_pipe_desc, + (struct usb_descriptor_header *) &uasp_ss_bo_desc, + (struct usb_descriptor_header *) &uasp_bo_ep_comp_desc, + (struct usb_descriptor_header *) &uasp_bo_pipe_desc, + (struct usb_descriptor_header *) &uasp_ss_status_desc, + (struct usb_descriptor_header *) &uasp_status_in_ep_comp_desc, + (struct usb_descriptor_header *) &uasp_status_pipe_desc, + (struct usb_descriptor_header *) &uasp_ss_cmd_desc, + (struct usb_descriptor_header *) &uasp_cmd_comp_desc, + (struct usb_descriptor_header *) &uasp_cmd_pipe_desc, + NULL, +}; + +The first 5 descriptors are associated with BOT alternate setting, +and others are associated with UAS. + +During handling UAS alternate setting f_tcm driver invokes +config_ep_by_speed and this function sets incorrect companion endpoint +descriptor in usb_ep object. + +Instead setting ep->comp_desc to uasp_bi_ep_comp_desc function in this +case set ep->comp_desc to uasp_ss_bi_desc. + +This is due to the fact that it searches endpoint based on endpoint +address: + + for_each_ep_desc(speed_desc, d_spd) { + chosen_desc = (struct usb_endpoint_descriptor *)*d_spd; + if (chosen_desc->bEndpoitAddress == _ep->address) + goto ep_found; + } + +And in result it uses the descriptor from BOT alternate setting +instead UAS. + +Finally, it causes that controller driver during enabling endpoints +detect that just enabled endpoint for bot. + +Signed-off-by: Jayshri Pawar +Signed-off-by: Pawel Laszczak +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/composite.c | 78 ++++++++++++++++++++++++++-------- + include/linux/usb/composite.h | 3 ++ + 2 files changed, 64 insertions(+), 17 deletions(-) + +diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c +index c1f037af97027..7d2715e899bb8 100644 +--- a/drivers/usb/gadget/composite.c ++++ b/drivers/usb/gadget/composite.c +@@ -100,40 +100,43 @@ function_descriptors(struct usb_function *f, + } + + /** +- * next_ep_desc() - advance to the next EP descriptor ++ * next_desc() - advance to the next desc_type descriptor + * @t: currect pointer within descriptor array ++ * @desc_type: descriptor type + * +- * Return: next EP descriptor or NULL ++ * Return: next desc_type descriptor or NULL + * +- * Iterate over @t until either EP descriptor found or ++ * Iterate over @t until either desc_type descriptor found or + * NULL (that indicates end of list) encountered + */ + static struct usb_descriptor_header** +-next_ep_desc(struct usb_descriptor_header **t) ++next_desc(struct usb_descriptor_header **t, u8 desc_type) + { + for (; *t; t++) { +- if ((*t)->bDescriptorType == USB_DT_ENDPOINT) ++ if ((*t)->bDescriptorType == desc_type) + return t; + } + return NULL; + } + + /* +- * for_each_ep_desc()- iterate over endpoint descriptors in the +- * descriptors list +- * @start: pointer within descriptor array. +- * @ep_desc: endpoint descriptor to use as the loop cursor ++ * for_each_desc() - iterate over desc_type descriptors in the ++ * descriptors list ++ * @start: pointer within descriptor array. ++ * @iter_desc: desc_type descriptor to use as the loop cursor ++ * @desc_type: wanted descriptr type + */ +-#define for_each_ep_desc(start, ep_desc) \ +- for (ep_desc = next_ep_desc(start); \ +- ep_desc; ep_desc = next_ep_desc(ep_desc+1)) ++#define for_each_desc(start, iter_desc, desc_type) \ ++ for (iter_desc = next_desc(start, desc_type); \ ++ iter_desc; iter_desc = next_desc(iter_desc + 1, desc_type)) + + /** +- * config_ep_by_speed() - configures the given endpoint ++ * config_ep_by_speed_and_alt() - configures the given endpoint + * according to gadget speed. + * @g: pointer to the gadget + * @f: usb function + * @_ep: the endpoint to configure ++ * @alt: alternate setting number + * + * Return: error code, 0 on success + * +@@ -146,11 +149,13 @@ next_ep_desc(struct usb_descriptor_header **t) + * Note: the supplied function should hold all the descriptors + * for supported speeds + */ +-int config_ep_by_speed(struct usb_gadget *g, +- struct usb_function *f, +- struct usb_ep *_ep) ++int config_ep_by_speed_and_alt(struct usb_gadget *g, ++ struct usb_function *f, ++ struct usb_ep *_ep, ++ u8 alt) + { + struct usb_endpoint_descriptor *chosen_desc = NULL; ++ struct usb_interface_descriptor *int_desc = NULL; + struct usb_descriptor_header **speed_desc = NULL; + + struct usb_ss_ep_comp_descriptor *comp_desc = NULL; +@@ -186,8 +191,21 @@ int config_ep_by_speed(struct usb_gadget *g, + default: + speed_desc = f->fs_descriptors; + } ++ ++ /* find correct alternate setting descriptor */ ++ for_each_desc(speed_desc, d_spd, USB_DT_INTERFACE) { ++ int_desc = (struct usb_interface_descriptor *)*d_spd; ++ ++ if (int_desc->bAlternateSetting == alt) { ++ speed_desc = d_spd; ++ goto intf_found; ++ } ++ } ++ return -EIO; ++ ++intf_found: + /* find descriptors */ +- for_each_ep_desc(speed_desc, d_spd) { ++ for_each_desc(speed_desc, d_spd, USB_DT_ENDPOINT) { + chosen_desc = (struct usb_endpoint_descriptor *)*d_spd; + if (chosen_desc->bEndpointAddress == _ep->address) + goto ep_found; +@@ -240,6 +258,32 @@ ep_found: + } + return 0; + } ++EXPORT_SYMBOL_GPL(config_ep_by_speed_and_alt); ++ ++/** ++ * config_ep_by_speed() - configures the given endpoint ++ * according to gadget speed. ++ * @g: pointer to the gadget ++ * @f: usb function ++ * @_ep: the endpoint to configure ++ * ++ * Return: error code, 0 on success ++ * ++ * This function chooses the right descriptors for a given ++ * endpoint according to gadget speed and saves it in the ++ * endpoint desc field. If the endpoint already has a descriptor ++ * assigned to it - overwrites it with currently corresponding ++ * descriptor. The endpoint maxpacket field is updated according ++ * to the chosen descriptor. ++ * Note: the supplied function should hold all the descriptors ++ * for supported speeds ++ */ ++int config_ep_by_speed(struct usb_gadget *g, ++ struct usb_function *f, ++ struct usb_ep *_ep) ++{ ++ return config_ep_by_speed_and_alt(g, f, _ep, 0); ++} + EXPORT_SYMBOL_GPL(config_ep_by_speed); + + /** +diff --git a/include/linux/usb/composite.h b/include/linux/usb/composite.h +index 590d313b5f39f..a865698361c13 100644 +--- a/include/linux/usb/composite.h ++++ b/include/linux/usb/composite.h +@@ -248,6 +248,9 @@ int usb_function_activate(struct usb_function *); + + int usb_interface_id(struct usb_configuration *, struct usb_function *); + ++int config_ep_by_speed_and_alt(struct usb_gadget *g, struct usb_function *f, ++ struct usb_ep *_ep, u8 alt); ++ + int config_ep_by_speed(struct usb_gadget *g, struct usb_function *f, + struct usb_ep *_ep); + +-- +2.25.1 + diff --git a/queue-4.14/usb-gadget-fix-potential-double-free-in-m66592_probe.patch b/queue-4.14/usb-gadget-fix-potential-double-free-in-m66592_probe.patch new file mode 100644 index 00000000000..c61ef44e3cd --- /dev/null +++ b/queue-4.14/usb-gadget-fix-potential-double-free-in-m66592_probe.patch @@ -0,0 +1,38 @@ +From 0a02d0cacf04e6677ceef2f0618742eb262a125b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 May 2020 23:06:25 -0500 +Subject: usb: gadget: fix potential double-free in m66592_probe. + +From: Qiushi Wu + +[ Upstream commit 44734a594196bf1d474212f38fe3a0d37a73278b ] + +m66592_free_request() is called under label "err_add_udc" +and "clean_up", and m66592->ep0_req is not set to NULL after +first free, leading to a double-free. Fix this issue by +setting m66592->ep0_req to NULL after the first free. + +Fixes: 0f91349b89f3 ("usb: gadget: convert all users to the new udc infrastructure") +Signed-off-by: Qiushi Wu +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/m66592-udc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/udc/m66592-udc.c b/drivers/usb/gadget/udc/m66592-udc.c +index 46ce7bc15f2b0..53abad98af6d8 100644 +--- a/drivers/usb/gadget/udc/m66592-udc.c ++++ b/drivers/usb/gadget/udc/m66592-udc.c +@@ -1672,7 +1672,7 @@ static int m66592_probe(struct platform_device *pdev) + + err_add_udc: + m66592_free_request(&m66592->ep[0].ep, m66592->ep0_req); +- ++ m66592->ep0_req = NULL; + clean_up3: + if (m66592->pdata->on_chip) { + clk_disable(m66592->clk); +-- +2.25.1 + diff --git a/queue-4.14/usb-gadget-lpc32xx_udc-don-t-dereference-ep-pointer-.patch b/queue-4.14/usb-gadget-lpc32xx_udc-don-t-dereference-ep-pointer-.patch new file mode 100644 index 00000000000..a721318f893 --- /dev/null +++ b/queue-4.14/usb-gadget-lpc32xx_udc-don-t-dereference-ep-pointer-.patch @@ -0,0 +1,71 @@ +From 57ebb5731b3f368902d880c4adba153114b21e1c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 May 2020 16:13:00 +0100 +Subject: usb: gadget: lpc32xx_udc: don't dereference ep pointer before null + check + +From: Colin Ian King + +[ Upstream commit eafa80041645cd7604c4357b1a0cd4a3c81f2227 ] + +Currently pointer ep is being dereferenced before it is null checked +leading to a null pointer dereference issue. Fix this by only assigning +pointer udc once ep is known to be not null. Also remove a debug +message that requires a valid udc which may not be possible at that +point. + +Addresses-Coverity: ("Dereference before null check") +Fixes: 24a28e428351 ("USB: gadget driver for LPC32xx") +Signed-off-by: Colin Ian King +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/lpc32xx_udc.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/usb/gadget/udc/lpc32xx_udc.c b/drivers/usb/gadget/udc/lpc32xx_udc.c +index ac2aa04ca6573..7107931617953 100644 +--- a/drivers/usb/gadget/udc/lpc32xx_udc.c ++++ b/drivers/usb/gadget/udc/lpc32xx_udc.c +@@ -1615,17 +1615,17 @@ static int lpc32xx_ep_enable(struct usb_ep *_ep, + const struct usb_endpoint_descriptor *desc) + { + struct lpc32xx_ep *ep = container_of(_ep, struct lpc32xx_ep, ep); +- struct lpc32xx_udc *udc = ep->udc; ++ struct lpc32xx_udc *udc; + u16 maxpacket; + u32 tmp; + unsigned long flags; + + /* Verify EP data */ + if ((!_ep) || (!ep) || (!desc) || +- (desc->bDescriptorType != USB_DT_ENDPOINT)) { +- dev_dbg(udc->dev, "bad ep or descriptor\n"); ++ (desc->bDescriptorType != USB_DT_ENDPOINT)) + return -EINVAL; +- } ++ ++ udc = ep->udc; + maxpacket = usb_endpoint_maxp(desc); + if ((maxpacket == 0) || (maxpacket > ep->maxpacket)) { + dev_dbg(udc->dev, "bad ep descriptor's packet size\n"); +@@ -1873,7 +1873,7 @@ static int lpc32xx_ep_dequeue(struct usb_ep *_ep, struct usb_request *_req) + static int lpc32xx_ep_set_halt(struct usb_ep *_ep, int value) + { + struct lpc32xx_ep *ep = container_of(_ep, struct lpc32xx_ep, ep); +- struct lpc32xx_udc *udc = ep->udc; ++ struct lpc32xx_udc *udc; + unsigned long flags; + + if ((!ep) || (ep->hwep_num <= 1)) +@@ -1883,6 +1883,7 @@ static int lpc32xx_ep_set_halt(struct usb_ep *_ep, int value) + if (ep->is_in) + return -EAGAIN; + ++ udc = ep->udc; + spin_lock_irqsave(&udc->lock, flags); + + if (value == 1) { +-- +2.25.1 + diff --git a/queue-4.14/usb-gadget-udc-s3c2410_udc-remove-pointless-null-che.patch b/queue-4.14/usb-gadget-udc-s3c2410_udc-remove-pointless-null-che.patch new file mode 100644 index 00000000000..9becb60531a --- /dev/null +++ b/queue-4.14/usb-gadget-udc-s3c2410_udc-remove-pointless-null-che.patch @@ -0,0 +1,57 @@ +From 2a8d05963932d2531b52e6db00f60b9f5857c18a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Apr 2020 09:29:24 -0700 +Subject: USB: gadget: udc: s3c2410_udc: Remove pointless NULL check in + s3c2410_udc_nuke + +From: Nathan Chancellor + +[ Upstream commit 7a0fbcf7c308920bc6116b3a5fb21c8cc5fec128 ] + +Clang warns: + +drivers/usb/gadget/udc/s3c2410_udc.c:255:11: warning: comparison of +address of 'ep->queue' equal to a null pointer is always false +[-Wtautological-pointer-compare] + if (&ep->queue == NULL) + ~~~~^~~~~ ~~~~ +1 warning generated. + +It is not wrong, queue is not a pointer so if ep is not NULL, the +address of queue cannot be NULL. No other driver does a check like this +and this check has been around since the driver was first introduced, +presumably with no issues so it does not seem like this check should be +something else. Just remove it. + +Commit afe956c577b2d ("kbuild: Enable -Wtautological-compare") exposed +this but it is not the root cause of the warning. + +Fixes: 3fc154b6b8134 ("USB Gadget driver for Samsung s3c2410 ARM SoC") +Link: https://github.com/ClangBuiltLinux/linux/issues/1004 +Reviewed-by: Nick Desaulniers +Reported-by: kbuild test robot +Signed-off-by: Nathan Chancellor +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/s3c2410_udc.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/usb/gadget/udc/s3c2410_udc.c b/drivers/usb/gadget/udc/s3c2410_udc.c +index 394abd5d65c02..cf12ca567e692 100644 +--- a/drivers/usb/gadget/udc/s3c2410_udc.c ++++ b/drivers/usb/gadget/udc/s3c2410_udc.c +@@ -268,10 +268,6 @@ static void s3c2410_udc_done(struct s3c2410_ep *ep, + static void s3c2410_udc_nuke(struct s3c2410_udc *udc, + struct s3c2410_ep *ep, int status) + { +- /* Sanity check */ +- if (&ep->queue == NULL) +- return; +- + while (!list_empty(&ep->queue)) { + struct s3c2410_request *req; + req = list_entry(ep->queue.next, struct s3c2410_request, +-- +2.25.1 + diff --git a/queue-4.14/usb-host-ehci-mxc-add-error-handling-in-ehci_mxc_drv.patch b/queue-4.14/usb-host-ehci-mxc-add-error-handling-in-ehci_mxc_drv.patch new file mode 100644 index 00000000000..b78f78cdd83 --- /dev/null +++ b/queue-4.14/usb-host-ehci-mxc-add-error-handling-in-ehci_mxc_drv.patch @@ -0,0 +1,39 @@ +From 9053fdf511a8a13029cd152f4934e491bc8b8582 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 May 2020 21:26:47 +0800 +Subject: USB: host: ehci-mxc: Add error handling in ehci_mxc_drv_probe() + +From: Tang Bin + +[ Upstream commit d49292025f79693d3348f8e2029a8b4703be0f0a ] + +The function ehci_mxc_drv_probe() does not perform sufficient error +checking after executing platform_get_irq(), thus fix it. + +Fixes: 7e8d5cd93fac ("USB: Add EHCI support for MX27 and MX31 based boards") +Signed-off-by: Zhang Shengju +Signed-off-by: Tang Bin +Reviewed-by: Peter Chen +Link: https://lore.kernel.org/r/20200513132647.5456-1-tangbin@cmss.chinamobile.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/ehci-mxc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/host/ehci-mxc.c b/drivers/usb/host/ehci-mxc.c +index c7a9b31eeaeff..637079a350032 100644 +--- a/drivers/usb/host/ehci-mxc.c ++++ b/drivers/usb/host/ehci-mxc.c +@@ -63,6 +63,8 @@ static int ehci_mxc_drv_probe(struct platform_device *pdev) + } + + irq = platform_get_irq(pdev, 0); ++ if (irq < 0) ++ return irq; + + hcd = usb_create_hcd(&ehci_mxc_hc_driver, dev, dev_name(dev)); + if (!hcd) +-- +2.25.1 + diff --git a/queue-4.14/usb-ohci-platform-fix-a-warning-when-hibernating.patch b/queue-4.14/usb-ohci-platform-fix-a-warning-when-hibernating.patch new file mode 100644 index 00000000000..cd03105cf7b --- /dev/null +++ b/queue-4.14/usb-ohci-platform-fix-a-warning-when-hibernating.patch @@ -0,0 +1,102 @@ +From eecbda8d3aae07181996980b912402236ac26df9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 May 2020 16:49:29 +0100 +Subject: usb/ohci-platform: Fix a warning when hibernating + +From: Qais Yousef + +[ Upstream commit 1cb3b0095c3d0bb96912bfbbce4fc006d41f367c ] + +The following warning was observed when attempting to suspend to disk +using a USB flash as a swap device. + +[ 111.779649] ------------[ cut here ]------------ +[ 111.788382] URB (____ptrval____) submitted while active +[ 111.796646] WARNING: CPU: 3 PID: 365 at drivers/usb/core/urb.c:363 usb_submit_urb+0x3d8/0x590 +[ 111.805417] Modules linked in: +[ 111.808584] CPU: 3 PID: 365 Comm: kworker/3:2 Not tainted 5.6.0-rc6-00002-gdfd1731f9a3e-dirty #545 +[ 111.817796] Hardware name: ARM Juno development board (r2) (DT) +[ 111.823896] Workqueue: usb_hub_wq hub_event +[ 111.828217] pstate: 60000005 (nZCv daif -PAN -UAO) +[ 111.833156] pc : usb_submit_urb+0x3d8/0x590 +[ 111.837471] lr : usb_submit_urb+0x3d8/0x590 +[ 111.841783] sp : ffff800018de38b0 +[ 111.845205] x29: ffff800018de38b0 x28: 0000000000000003 +[ 111.850682] x27: ffff000970530b20 x26: ffff8000133fd000 +[ 111.856159] x25: ffff8000133fd000 x24: ffff800018de3b38 +[ 111.861635] x23: 0000000000000004 x22: 0000000000000c00 +[ 111.867112] x21: 0000000000000000 x20: 00000000fffffff0 +[ 111.872589] x19: ffff0009704e7a00 x18: ffffffffffffffff +[ 111.878065] x17: 00000000a7c8f4bc x16: 000000002af33de8 +[ 111.883542] x15: ffff8000133fda88 x14: 0720072007200720 +[ 111.889019] x13: 0720072007200720 x12: 0720072007200720 +[ 111.894496] x11: 0000000000000000 x10: 00000000a5286134 +[ 111.899973] x9 : 0000000000000002 x8 : ffff000970c837a0 +[ 111.905449] x7 : 0000000000000000 x6 : ffff800018de3570 +[ 111.910926] x5 : 0000000000000001 x4 : 0000000000000003 +[ 111.916401] x3 : 0000000000000000 x2 : ffff800013427118 +[ 111.921879] x1 : 9d4e965b4b7d7c00 x0 : 0000000000000000 +[ 111.927356] Call trace: +[ 111.929892] usb_submit_urb+0x3d8/0x590 +[ 111.933852] hub_activate+0x108/0x7f0 +[ 111.937633] hub_resume+0xac/0x148 +[ 111.941149] usb_resume_interface.isra.10+0x60/0x138 +[ 111.946265] usb_resume_both+0xe4/0x140 +[ 111.950225] usb_runtime_resume+0x24/0x30 +[ 111.954365] __rpm_callback+0xdc/0x138 +[ 111.958236] rpm_callback+0x34/0x98 +[ 111.961841] rpm_resume+0x4a8/0x720 +[ 111.965445] rpm_resume+0x50c/0x720 +[ 111.969049] __pm_runtime_resume+0x4c/0xb8 +[ 111.973276] usb_autopm_get_interface+0x28/0x60 +[ 111.977948] hub_event+0x80/0x16d8 +[ 111.981466] process_one_work+0x2a4/0x748 +[ 111.985604] worker_thread+0x48/0x498 +[ 111.989387] kthread+0x13c/0x140 +[ 111.992725] ret_from_fork+0x10/0x18 +[ 111.996415] irq event stamp: 354 +[ 111.999756] hardirqs last enabled at (353): [] console_unlock+0x504/0x5b8 +[ 112.008441] hardirqs last disabled at (354): [] do_debug_exception+0x1a8/0x258 +[ 112.017479] softirqs last enabled at (350): [] __do_softirq+0x4bc/0x568 +[ 112.025984] softirqs last disabled at (343): [] irq_exit+0x144/0x150 +[ 112.034129] ---[ end trace dc96030b9cf6c8a3 ]--- + +The problem was tracked down to a missing call to +pm_runtime_set_active() on resume in ohci-platform. + +Link: https://lore.kernel.org/lkml/20200323143857.db5zphxhq4hz3hmd@e107158-lin.cambridge.arm.com/ +Acked-by: Alan Stern +Signed-off-by: Qais Yousef +CC: Tony Prisk +CC: Greg Kroah-Hartman +CC: Mathias Nyman +CC: Oliver Neukum +CC: linux-arm-kernel@lists.infradead.org +CC: linux-usb@vger.kernel.org +CC: linux-kernel@vger.kernel.org +Link: https://lore.kernel.org/r/20200518154931.6144-1-qais.yousef@arm.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/ohci-platform.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/usb/host/ohci-platform.c b/drivers/usb/host/ohci-platform.c +index 61fe2b985070f..742cefa22c2b5 100644 +--- a/drivers/usb/host/ohci-platform.c ++++ b/drivers/usb/host/ohci-platform.c +@@ -355,6 +355,11 @@ static int ohci_platform_resume(struct device *dev) + } + + ohci_resume(hcd, false); ++ ++ pm_runtime_disable(dev); ++ pm_runtime_set_active(dev); ++ pm_runtime_enable(dev); ++ + return 0; + } + #endif /* CONFIG_PM_SLEEP */ +-- +2.25.1 + diff --git a/queue-4.14/usb-xhci-plat-set-pm-runtime-as-active-on-resume.patch b/queue-4.14/usb-xhci-plat-set-pm-runtime-as-active-on-resume.patch new file mode 100644 index 00000000000..363486e8893 --- /dev/null +++ b/queue-4.14/usb-xhci-plat-set-pm-runtime-as-active-on-resume.patch @@ -0,0 +1,56 @@ +From 41d2fe0ad914e360f55b6694d72693aad8b72b45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 May 2020 16:49:30 +0100 +Subject: usb/xhci-plat: Set PM runtime as active on resume + +From: Qais Yousef + +[ Upstream commit 79112cc3c29f4a8c73a21428fbcbcb0afb005e3e ] + +Follow suit of ohci-platform.c and perform pm_runtime_set_active() on +resume. + +ohci-platform.c had a warning reported due to the missing +pm_runtime_set_active() [1]. + +[1] https://lore.kernel.org/lkml/20200323143857.db5zphxhq4hz3hmd@e107158-lin.cambridge.arm.com/ + +Signed-off-by: Qais Yousef +CC: Tony Prisk +CC: Greg Kroah-Hartman +CC: Mathias Nyman +CC: Oliver Neukum +CC: linux-arm-kernel@lists.infradead.org +CC: linux-usb@vger.kernel.org +CC: linux-kernel@vger.kernel.org +Link: https://lore.kernel.org/r/20200518154931.6144-2-qais.yousef@arm.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-plat.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c +index 2a73592908e1e..7219cbf7c54c2 100644 +--- a/drivers/usb/host/xhci-plat.c ++++ b/drivers/usb/host/xhci-plat.c +@@ -381,7 +381,15 @@ static int __maybe_unused xhci_plat_resume(struct device *dev) + if (ret) + return ret; + +- return xhci_resume(xhci, 0); ++ ret = xhci_resume(xhci, 0); ++ if (ret) ++ return ret; ++ ++ pm_runtime_disable(dev); ++ pm_runtime_set_active(dev); ++ pm_runtime_enable(dev); ++ ++ return 0; + } + + static int __maybe_unused xhci_plat_runtime_suspend(struct device *dev) +-- +2.25.1 + diff --git a/queue-4.14/usblp-poison-urbs-upon-disconnect.patch b/queue-4.14/usblp-poison-urbs-upon-disconnect.patch new file mode 100644 index 00000000000..678c5cd1d07 --- /dev/null +++ b/queue-4.14/usblp-poison-urbs-upon-disconnect.patch @@ -0,0 +1,50 @@ +From 64709d69a441f87b4a405ac32a270474da2b876a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 May 2020 10:58:06 +0200 +Subject: usblp: poison URBs upon disconnect + +From: Oliver Neukum + +[ Upstream commit 296a193b06120aa6ae7cf5c0d7b5e5b55968026e ] + +syzkaller reported an URB that should have been killed to be active. +We do not understand it, but this should fix the issue if it is real. + +Signed-off-by: Oliver Neukum +Reported-by: syzbot+be5b5f86a162a6c281e6@syzkaller.appspotmail.com +Link: https://lore.kernel.org/r/20200507085806.5793-1-oneukum@suse.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/class/usblp.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/class/usblp.c b/drivers/usb/class/usblp.c +index 5e456a83779d5..b0471ce34011a 100644 +--- a/drivers/usb/class/usblp.c ++++ b/drivers/usb/class/usblp.c +@@ -481,7 +481,8 @@ static int usblp_release(struct inode *inode, struct file *file) + usb_autopm_put_interface(usblp->intf); + + if (!usblp->present) /* finish cleanup from disconnect */ +- usblp_cleanup(usblp); ++ usblp_cleanup(usblp); /* any URBs must be dead */ ++ + mutex_unlock(&usblp_mutex); + return 0; + } +@@ -1388,9 +1389,11 @@ static void usblp_disconnect(struct usb_interface *intf) + + usblp_unlink_urbs(usblp); + mutex_unlock(&usblp->mut); ++ usb_poison_anchored_urbs(&usblp->urbs); + + if (!usblp->used) + usblp_cleanup(usblp); ++ + mutex_unlock(&usblp_mutex); + } + +-- +2.25.1 + diff --git a/queue-4.14/vfio-mdev-fix-reference-count-leak-in-add_mdev_suppo.patch b/queue-4.14/vfio-mdev-fix-reference-count-leak-in-add_mdev_suppo.patch new file mode 100644 index 00000000000..569f096d571 --- /dev/null +++ b/queue-4.14/vfio-mdev-fix-reference-count-leak-in-add_mdev_suppo.patch @@ -0,0 +1,41 @@ +From c26dcbdd6bff5a95623ee4ad5b65832b39188ff2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 May 2020 21:01:09 -0500 +Subject: vfio/mdev: Fix reference count leak in add_mdev_supported_type + +From: Qiushi Wu + +[ Upstream commit aa8ba13cae3134b8ef1c1b6879f66372531da738 ] + +kobject_init_and_add() takes reference even when it fails. +If this function returns an error, kobject_put() must be called to +properly clean up the memory associated with the object. Thus, +replace kfree() by kobject_put() to fix this issue. Previous +commit "b8eb718348b8" fixed a similar problem. + +Fixes: 7b96953bc640 ("vfio: Mediated device Core driver") +Signed-off-by: Qiushi Wu +Reviewed-by: Cornelia Huck +Reviewed-by: Kirti Wankhede +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/mdev/mdev_sysfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/vfio/mdev/mdev_sysfs.c b/drivers/vfio/mdev/mdev_sysfs.c +index 802df210929ba..7e474e41c85e3 100644 +--- a/drivers/vfio/mdev/mdev_sysfs.c ++++ b/drivers/vfio/mdev/mdev_sysfs.c +@@ -113,7 +113,7 @@ struct mdev_type *add_mdev_supported_type(struct mdev_parent *parent, + "%s-%s", dev_driver_string(parent->dev), + group->name); + if (ret) { +- kfree(type); ++ kobject_put(&type->kobj); + return ERR_PTR(ret); + } + +-- +2.25.1 + diff --git a/queue-4.14/vfio-pci-fix-memory-leaks-in-alloc_perm_bits.patch b/queue-4.14/vfio-pci-fix-memory-leaks-in-alloc_perm_bits.patch new file mode 100644 index 00000000000..feecb0bfb19 --- /dev/null +++ b/queue-4.14/vfio-pci-fix-memory-leaks-in-alloc_perm_bits.patch @@ -0,0 +1,74 @@ +From fedc693e0f6ae9bce8266e0a33efbb5da5dfd8ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 May 2020 12:16:56 -0400 +Subject: vfio/pci: fix memory leaks in alloc_perm_bits() + +From: Qian Cai + +[ Upstream commit 3e63b94b6274324ff2e7d8615df31586de827c4e ] + +vfio_pci_disable() calls vfio_config_free() but forgets to call +free_perm_bits() resulting in memory leaks, + +unreferenced object 0xc000000c4db2dee0 (size 16): + comm "qemu-kvm", pid 4305, jiffies 4295020272 (age 3463.780s) + hex dump (first 16 bytes): + 00 00 ff 00 ff ff ff ff ff ff ff ff ff ff 00 00 ................ + backtrace: + [<00000000a6a4552d>] alloc_perm_bits+0x58/0xe0 [vfio_pci] + [<00000000ac990549>] vfio_config_init+0xdf0/0x11b0 [vfio_pci] + init_pci_cap_msi_perm at drivers/vfio/pci/vfio_pci_config.c:1125 + (inlined by) vfio_msi_cap_len at drivers/vfio/pci/vfio_pci_config.c:1180 + (inlined by) vfio_cap_len at drivers/vfio/pci/vfio_pci_config.c:1241 + (inlined by) vfio_cap_init at drivers/vfio/pci/vfio_pci_config.c:1468 + (inlined by) vfio_config_init at drivers/vfio/pci/vfio_pci_config.c:1707 + [<000000006db873a1>] vfio_pci_open+0x234/0x700 [vfio_pci] + [<00000000630e1906>] vfio_group_fops_unl_ioctl+0x8e0/0xb84 [vfio] + [<000000009e34c54f>] ksys_ioctl+0xd8/0x130 + [<000000006577923d>] sys_ioctl+0x28/0x40 + [<000000006d7b1cf2>] system_call_exception+0x114/0x1e0 + [<0000000008ea7dd5>] system_call_common+0xf0/0x278 +unreferenced object 0xc000000c4db2e330 (size 16): + comm "qemu-kvm", pid 4305, jiffies 4295020272 (age 3463.780s) + hex dump (first 16 bytes): + 00 ff ff 00 ff ff ff ff ff ff ff ff ff ff 00 00 ................ + backtrace: + [<000000004c71914f>] alloc_perm_bits+0x44/0xe0 [vfio_pci] + [<00000000ac990549>] vfio_config_init+0xdf0/0x11b0 [vfio_pci] + [<000000006db873a1>] vfio_pci_open+0x234/0x700 [vfio_pci] + [<00000000630e1906>] vfio_group_fops_unl_ioctl+0x8e0/0xb84 [vfio] + [<000000009e34c54f>] ksys_ioctl+0xd8/0x130 + [<000000006577923d>] sys_ioctl+0x28/0x40 + [<000000006d7b1cf2>] system_call_exception+0x114/0x1e0 + [<0000000008ea7dd5>] system_call_common+0xf0/0x278 + +Fixes: 89e1f7d4c66d ("vfio: Add PCI device driver") +Signed-off-by: Qian Cai +[aw: rolled in follow-up patch] +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/pci/vfio_pci_config.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c +index 423ea1f98441a..c2d300bc37f64 100644 +--- a/drivers/vfio/pci/vfio_pci_config.c ++++ b/drivers/vfio/pci/vfio_pci_config.c +@@ -1732,8 +1732,11 @@ void vfio_config_free(struct vfio_pci_device *vdev) + vdev->vconfig = NULL; + kfree(vdev->pci_config_map); + vdev->pci_config_map = NULL; +- kfree(vdev->msi_perm); +- vdev->msi_perm = NULL; ++ if (vdev->msi_perm) { ++ free_perm_bits(vdev->msi_perm); ++ kfree(vdev->msi_perm); ++ vdev->msi_perm = NULL; ++ } + } + + /* +-- +2.25.1 + diff --git a/queue-4.14/vfio-pci-mask-cap-zero.patch b/queue-4.14/vfio-pci-mask-cap-zero.patch new file mode 100644 index 00000000000..5ea8078ce72 --- /dev/null +++ b/queue-4.14/vfio-pci-mask-cap-zero.patch @@ -0,0 +1,50 @@ +From fa3226c8277cc1f870cd377d739bbb63c4e9bd63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Apr 2020 11:45:28 -0600 +Subject: vfio-pci: Mask cap zero + +From: Alex Williamson + +[ Upstream commit bc138db1b96264b9c1779cf18d5a3b186aa90066 ] + +The PCI Code and ID Assignment Specification changed capability ID 0 +from reserved to a NULL capability in the v1.1 revision. The NULL +capability is defined to include only the 16-bit capability header, +ie. only the ID and next pointer. Unfortunately vfio-pci creates a +map of config space, where ID 0 is used to reserve the standard type +0 header. Finding an actual capability with this ID therefore results +in a bogus range marked in that map and conflicts with subsequent +capabilities. As this seems to be a dummy capability anyway and we +already support dropping capabilities, let's hide this one rather than +delving into the potentially subtle dependencies within our map. + +Seen on an NVIDIA Tesla T4. + +Reviewed-by: Cornelia Huck +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/pci/vfio_pci_config.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c +index c2d300bc37f64..36bc8f104e42e 100644 +--- a/drivers/vfio/pci/vfio_pci_config.c ++++ b/drivers/vfio/pci/vfio_pci_config.c +@@ -1464,7 +1464,12 @@ static int vfio_cap_init(struct vfio_pci_device *vdev) + if (ret) + return ret; + +- if (cap <= PCI_CAP_ID_MAX) { ++ /* ++ * ID 0 is a NULL capability, conflicting with our fake ++ * PCI_CAP_ID_BASIC. As it has no content, consider it ++ * hidden for now. ++ */ ++ if (cap && cap <= PCI_CAP_ID_MAX) { + len = pci_cap_length[cap]; + if (len == 0xFF) { /* Variable length */ + len = vfio_cap_len(vdev, cap, pos); +-- +2.25.1 + diff --git a/queue-4.14/watchdog-da9062-no-need-to-ping-manually-before-sett.patch b/queue-4.14/watchdog-da9062-no-need-to-ping-manually-before-sett.patch new file mode 100644 index 00000000000..c23bb290e7b --- /dev/null +++ b/queue-4.14/watchdog-da9062-no-need-to-ping-manually-before-sett.patch @@ -0,0 +1,49 @@ +From a6d9f400753e0d55ea035d175d58df988005a05a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Apr 2020 15:07:28 +0200 +Subject: watchdog: da9062: No need to ping manually before setting timeout + +From: Stefan Riedmueller + +[ Upstream commit a0948ddba65f4f6d3cfb5e2b84685485d0452966 ] + +There is actually no need to ping the watchdog before disabling it +during timeout change. Disabling the watchdog already takes care of +resetting the counter. + +This fixes an issue during boot when the userspace watchdog handler takes +over and the watchdog is already running. Opening the watchdog in this case +leads to the first ping and directly after that without the required +heartbeat delay a second ping issued by the set_timeout call. Due to the +missing delay this resulted in a reset. + +Signed-off-by: Stefan Riedmueller +Reviewed-by: Guenter Roeck +Reviewed-by: Adam Thomson +Link: https://lore.kernel.org/r/20200403130728.39260-3-s.riedmueller@phytec.de +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/da9062_wdt.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/drivers/watchdog/da9062_wdt.c b/drivers/watchdog/da9062_wdt.c +index 79383ff620199..1443386bb590b 100644 +--- a/drivers/watchdog/da9062_wdt.c ++++ b/drivers/watchdog/da9062_wdt.c +@@ -94,11 +94,6 @@ static int da9062_wdt_update_timeout_register(struct da9062_watchdog *wdt, + unsigned int regval) + { + struct da9062 *chip = wdt->hw; +- int ret; +- +- ret = da9062_reset_watchdog_timer(wdt); +- if (ret) +- return ret; + + return regmap_update_bits(chip->regmap, + DA9062AA_CONTROL_D, +-- +2.25.1 + diff --git a/queue-4.14/x86-apic-make-tsc-deadline-timer-detection-message-v.patch b/queue-4.14/x86-apic-make-tsc-deadline-timer-detection-message-v.patch new file mode 100644 index 00000000000..b98040e99fc --- /dev/null +++ b/queue-4.14/x86-apic-make-tsc-deadline-timer-detection-message-v.patch @@ -0,0 +1,47 @@ +From b1fd8918d189e04125d6494fd92eef16b7dc9794 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 May 2020 12:38:39 +0200 +Subject: x86/apic: Make TSC deadline timer detection message visible + +From: Borislav Petkov + +[ Upstream commit de308d1815c9e8fe602a958c5c76142ff6501d75 ] + +The commit + + c84cb3735fd5 ("x86/apic: Move TSC deadline timer debug printk") + +removed the message which said that the deadline timer was enabled. +It added a pr_debug() message which is issued when deadline timer +validation succeeds. + +Well, issued only when CONFIG_DYNAMIC_DEBUG is enabled - otherwise +pr_debug() calls get optimized away if DEBUG is not defined in the +compilation unit. + +Therefore, make the above message pr_info() so that it is visible in +dmesg. + +Signed-off-by: Borislav Petkov +Link: https://lkml.kernel.org/r/20200525104218.27018-1-bp@alien8.de +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/apic/apic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c +index 48ab5fdd10442..ee33f09513223 100644 +--- a/arch/x86/kernel/apic/apic.c ++++ b/arch/x86/kernel/apic/apic.c +@@ -1915,7 +1915,7 @@ void __init init_apic_mappings(void) + unsigned int new_apicid; + + if (apic_validate_deadline_timer()) +- pr_debug("TSC deadline timer available\n"); ++ pr_info("TSC deadline timer available\n"); + + if (x2apic_mode) { + boot_cpu_physical_apicid = read_apic_id(); +-- +2.25.1 + diff --git a/queue-4.14/yam-fix-possible-memory-leak-in-yam_init_driver.patch b/queue-4.14/yam-fix-possible-memory-leak-in-yam_init_driver.patch new file mode 100644 index 00000000000..59da9749a28 --- /dev/null +++ b/queue-4.14/yam-fix-possible-memory-leak-in-yam_init_driver.patch @@ -0,0 +1,36 @@ +From fe265283c3b1fee08c726e93ba8c621f64f15624 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jun 2020 20:18:51 +0800 +Subject: yam: fix possible memory leak in yam_init_driver + +From: Wang Hai + +[ Upstream commit 98749b7188affbf2900c2aab704a8853901d1139 ] + +If register_netdev(dev) fails, free_netdev(dev) needs +to be called, otherwise a memory leak will occur. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/hamradio/yam.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/hamradio/yam.c b/drivers/net/hamradio/yam.c +index 16a6e11939122..b74c735a423dd 100644 +--- a/drivers/net/hamradio/yam.c ++++ b/drivers/net/hamradio/yam.c +@@ -1162,6 +1162,7 @@ static int __init yam_init_driver(void) + err = register_netdev(dev); + if (err) { + printk(KERN_WARNING "yam: cannot register net device %s\n", dev->name); ++ free_netdev(dev); + goto error; + } + yam_devs[i] = dev; +-- +2.25.1 +