From: Sasha Levin Date: Mon, 22 Jun 2020 12:46:12 +0000 (-0400) Subject: Fixes for 4.4 X-Git-Tag: v5.7.6~52 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7e8ff287e90d318d6c4f93b6137d3890c783f891;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.4 Signed-off-by: Sasha Levin --- diff --git a/queue-4.4/alsa-isa-wavefront-prevent-out-of-bounds-write-in-io.patch b/queue-4.4/alsa-isa-wavefront-prevent-out-of-bounds-write-in-io.patch new file mode 100644 index 00000000000..0f1803511ea --- /dev/null +++ b/queue-4.4/alsa-isa-wavefront-prevent-out-of-bounds-write-in-io.patch @@ -0,0 +1,49 @@ +From 2d510ae90e4ced0d2b593f02758fc6473233c3e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 May 2020 12:40:11 +0300 +Subject: ALSA: isa/wavefront: prevent out of bounds write in ioctl + +From: Dan Carpenter + +[ Upstream commit 7f0d5053c5a9d23fe5c2d337495a9d79038d267b ] + +The "header->number" comes from the ioctl and it needs to be clamped to +prevent out of bounds writes. + +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/20200501094011.GA960082@mwanda +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/isa/wavefront/wavefront_synth.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/sound/isa/wavefront/wavefront_synth.c b/sound/isa/wavefront/wavefront_synth.c +index 718d5e3b7806f..6c06d06457796 100644 +--- a/sound/isa/wavefront/wavefront_synth.c ++++ b/sound/isa/wavefront/wavefront_synth.c +@@ -1174,7 +1174,10 @@ wavefront_send_alias (snd_wavefront_t *dev, wavefront_patch_info *header) + "alias for %d\n", + header->number, + header->hdr.a.OriginalSample); +- ++ ++ if (header->number >= WF_MAX_SAMPLE) ++ return -EINVAL; ++ + munge_int32 (header->number, &alias_hdr[0], 2); + munge_int32 (header->hdr.a.OriginalSample, &alias_hdr[2], 2); + munge_int32 (*((unsigned int *)&header->hdr.a.sampleStartOffset), +@@ -1205,6 +1208,9 @@ wavefront_send_multisample (snd_wavefront_t *dev, wavefront_patch_info *header) + int num_samples; + unsigned char *msample_hdr; + ++ if (header->number >= WF_MAX_SAMPLE) ++ return -EINVAL; ++ + msample_hdr = kmalloc(WF_MSAMPLE_BYTES, GFP_KERNEL); + if (! msample_hdr) + return -ENOMEM; +-- +2.25.1 + diff --git a/queue-4.4/alsa-usb-audio-improve-frames-size-computation.patch b/queue-4.4/alsa-usb-audio-improve-frames-size-computation.patch new file mode 100644 index 00000000000..8e6c337254c --- /dev/null +++ b/queue-4.4/alsa-usb-audio-improve-frames-size-computation.patch @@ -0,0 +1,167 @@ +From 333a6a79ab416d981c7799c9a042f479f77eb242 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Apr 2020 05:24:48 +0300 +Subject: ALSA: usb-audio: Improve frames size computation + +From: Alexander Tsoy + +[ Upstream commit f0bd62b64016508938df9babe47f65c2c727d25c ] + +For computation of the the next frame size current value of fs/fps and +accumulated fractional parts of fs/fps are used, where values are stored +in Q16.16 format. This is quite natural for computing frame size for +asynchronous endpoints driven by explicit feedback, since in this case +fs/fps is a value provided by the feedback endpoint and it's already in +the Q format. If an error is accumulated over time, the device can +adjust fs/fps value to prevent buffer overruns/underruns. + +But for synchronous endpoints the accuracy provided by these computations +is not enough. Due to accumulated error the driver periodically produces +frames with incorrect size (+/- 1 audio sample). + +This patch fixes this issue by implementing a different algorithm for +frame size computation. It is based on accumulating of the remainders +from division fs/fps and it doesn't accumulate errors over time. This +new method is enabled for synchronous and adaptive playback endpoints. + +Signed-off-by: Alexander Tsoy +Link: https://lore.kernel.org/r/20200424022449.14972-1-alexander@tsoy.me +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/card.h | 4 ++++ + sound/usb/endpoint.c | 43 ++++++++++++++++++++++++++++++++++++++----- + sound/usb/endpoint.h | 1 + + sound/usb/pcm.c | 2 ++ + 4 files changed, 45 insertions(+), 5 deletions(-) + +diff --git a/sound/usb/card.h b/sound/usb/card.h +index 71778ca4b26aa..844c688638105 100644 +--- a/sound/usb/card.h ++++ b/sound/usb/card.h +@@ -80,6 +80,10 @@ struct snd_usb_endpoint { + dma_addr_t sync_dma; /* DMA address of syncbuf */ + + unsigned int pipe; /* the data i/o pipe */ ++ unsigned int framesize[2]; /* small/large frame sizes in samples */ ++ unsigned int sample_rem; /* remainder from division fs/fps */ ++ unsigned int sample_accum; /* sample accumulator */ ++ unsigned int fps; /* frames per second */ + unsigned int freqn; /* nominal sampling rate in fs/fps in Q16.16 format */ + unsigned int freqm; /* momentary sampling rate in fs/fps in Q16.16 format */ + int freqshift; /* how much to shift the feedback value to get Q16.16 */ +diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c +index 66648b4bdd289..666731317b332 100644 +--- a/sound/usb/endpoint.c ++++ b/sound/usb/endpoint.c +@@ -137,12 +137,12 @@ int snd_usb_endpoint_implicit_feedback_sink(struct snd_usb_endpoint *ep) + + /* + * For streaming based on information derived from sync endpoints, +- * prepare_outbound_urb_sizes() will call next_packet_size() to ++ * prepare_outbound_urb_sizes() will call slave_next_packet_size() to + * determine the number of samples to be sent in the next packet. + * +- * For implicit feedback, next_packet_size() is unused. ++ * For implicit feedback, slave_next_packet_size() is unused. + */ +-int snd_usb_endpoint_next_packet_size(struct snd_usb_endpoint *ep) ++int snd_usb_endpoint_slave_next_packet_size(struct snd_usb_endpoint *ep) + { + unsigned long flags; + int ret; +@@ -159,6 +159,29 @@ int snd_usb_endpoint_next_packet_size(struct snd_usb_endpoint *ep) + return ret; + } + ++/* ++ * For adaptive and synchronous endpoints, prepare_outbound_urb_sizes() ++ * will call next_packet_size() to determine the number of samples to be ++ * sent in the next packet. ++ */ ++int snd_usb_endpoint_next_packet_size(struct snd_usb_endpoint *ep) ++{ ++ int ret; ++ ++ if (ep->fill_max) ++ return ep->maxframesize; ++ ++ ep->sample_accum += ep->sample_rem; ++ if (ep->sample_accum >= ep->fps) { ++ ep->sample_accum -= ep->fps; ++ ret = ep->framesize[1]; ++ } else { ++ ret = ep->framesize[0]; ++ } ++ ++ return ret; ++} ++ + static void retire_outbound_urb(struct snd_usb_endpoint *ep, + struct snd_urb_ctx *urb_ctx) + { +@@ -203,6 +226,8 @@ static void prepare_silent_urb(struct snd_usb_endpoint *ep, + + if (ctx->packet_size[i]) + counts = ctx->packet_size[i]; ++ else if (ep->sync_master) ++ counts = snd_usb_endpoint_slave_next_packet_size(ep); + else + counts = snd_usb_endpoint_next_packet_size(ep); + +@@ -879,10 +904,17 @@ int snd_usb_endpoint_set_params(struct snd_usb_endpoint *ep, + ep->maxpacksize = fmt->maxpacksize; + ep->fill_max = !!(fmt->attributes & UAC_EP_CS_ATTR_FILL_MAX); + +- if (snd_usb_get_speed(ep->chip->dev) == USB_SPEED_FULL) ++ if (snd_usb_get_speed(ep->chip->dev) == USB_SPEED_FULL) { + ep->freqn = get_usb_full_speed_rate(rate); +- else ++ ep->fps = 1000; ++ } else { + ep->freqn = get_usb_high_speed_rate(rate); ++ ep->fps = 8000; ++ } ++ ++ ep->sample_rem = rate % ep->fps; ++ ep->framesize[0] = rate / ep->fps; ++ ep->framesize[1] = (rate + (ep->fps - 1)) / ep->fps; + + /* calculate the frequency in 16.16 format */ + ep->freqm = ep->freqn; +@@ -941,6 +973,7 @@ int snd_usb_endpoint_start(struct snd_usb_endpoint *ep) + ep->active_mask = 0; + ep->unlink_mask = 0; + ep->phase = 0; ++ ep->sample_accum = 0; + + snd_usb_endpoint_start_quirk(ep); + +diff --git a/sound/usb/endpoint.h b/sound/usb/endpoint.h +index 584f295d7c773..4aad49cbeb5f1 100644 +--- a/sound/usb/endpoint.h ++++ b/sound/usb/endpoint.h +@@ -27,6 +27,7 @@ void snd_usb_endpoint_release(struct snd_usb_endpoint *ep); + void snd_usb_endpoint_free(struct snd_usb_endpoint *ep); + + int snd_usb_endpoint_implicit_feedback_sink(struct snd_usb_endpoint *ep); ++int snd_usb_endpoint_slave_next_packet_size(struct snd_usb_endpoint *ep); + int snd_usb_endpoint_next_packet_size(struct snd_usb_endpoint *ep); + + void snd_usb_handle_sync_urb(struct snd_usb_endpoint *ep, +diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c +index f84c55ecd0fb4..53d91cae86f96 100644 +--- a/sound/usb/pcm.c ++++ b/sound/usb/pcm.c +@@ -1473,6 +1473,8 @@ static void prepare_playback_urb(struct snd_usb_substream *subs, + for (i = 0; i < ctx->packets; i++) { + if (ctx->packet_size[i]) + counts = ctx->packet_size[i]; ++ else if (ep->sync_master) ++ counts = snd_usb_endpoint_slave_next_packet_size(ep); + else + counts = snd_usb_endpoint_next_packet_size(ep); + +-- +2.25.1 + diff --git a/queue-4.4/asoc-fsl_asrc_dma-fix-dma_chan-leak-when-config-dma-.patch b/queue-4.4/asoc-fsl_asrc_dma-fix-dma_chan-leak-when-config-dma-.patch new file mode 100644 index 00000000000..068a1fbc698 --- /dev/null +++ b/queue-4.4/asoc-fsl_asrc_dma-fix-dma_chan-leak-when-config-dma-.patch @@ -0,0 +1,46 @@ +From cd382348f9dc6ff8e334ab76ff519262006c81db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 May 2020 22:12:46 +0800 +Subject: ASoC: fsl_asrc_dma: Fix dma_chan leak when config DMA channel failed + +From: Xiyu Yang + +[ Upstream commit 36124fb19f1ae68a500cd76a76d40c6e81bee346 ] + +fsl_asrc_dma_hw_params() invokes dma_request_channel() or +fsl_asrc_get_dma_channel(), which returns a reference of the specified +dma_chan object to "pair->dma_chan[dir]" with increased refcnt. + +The reference counting issue happens in one exception handling path of +fsl_asrc_dma_hw_params(). When config DMA channel failed for Back-End, +the function forgets to decrease the refcnt increased by +dma_request_channel() or fsl_asrc_get_dma_channel(), causing a refcnt +leak. + +Fix this issue by calling dma_release_channel() when config DMA channel +failed. + +Signed-off-by: Xiyu Yang +Signed-off-by: Xin Tan +Link: https://lore.kernel.org/r/1590415966-52416-1-git-send-email-xiyuyang19@fudan.edu.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/fsl_asrc_dma.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/fsl/fsl_asrc_dma.c b/sound/soc/fsl/fsl_asrc_dma.c +index ffc000bc1f15b..56a873ba08e47 100644 +--- a/sound/soc/fsl/fsl_asrc_dma.c ++++ b/sound/soc/fsl/fsl_asrc_dma.c +@@ -243,6 +243,7 @@ static int fsl_asrc_dma_hw_params(struct snd_pcm_substream *substream, + ret = dmaengine_slave_config(pair->dma_chan[dir], &config_be); + if (ret) { + dev_err(dev, "failed to config DMA channel for Back-End\n"); ++ dma_release_channel(pair->dma_chan[dir]); + return ret; + } + +-- +2.25.1 + diff --git a/queue-4.4/bcache-fix-potential-deadlock-problem-in-btree_gc_co.patch b/queue-4.4/bcache-fix-potential-deadlock-problem-in-btree_gc_co.patch new file mode 100644 index 00000000000..dddc884599c --- /dev/null +++ b/queue-4.4/bcache-fix-potential-deadlock-problem-in-btree_gc_co.patch @@ -0,0 +1,96 @@ +From d30a67b08497cf7fbcc04b692f70059891788c35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Jun 2020 00:53:30 +0800 +Subject: bcache: fix potential deadlock problem in btree_gc_coalesce + +From: Zhiqiang Liu + +[ Upstream commit be23e837333a914df3f24bf0b32e87b0331ab8d1 ] + +coccicheck reports: + drivers/md//bcache/btree.c:1538:1-7: preceding lock on line 1417 + +In btree_gc_coalesce func, if the coalescing process fails, we will goto +to out_nocoalesce tag directly without releasing new_nodes[i]->write_lock. +Then, it will cause a deadlock when trying to acquire new_nodes[i]-> +write_lock for freeing new_nodes[i] before return. + +btree_gc_coalesce func details as follows: + if alloc new_nodes[i] fails: + goto out_nocoalesce; + // obtain new_nodes[i]->write_lock + mutex_lock(&new_nodes[i]->write_lock) + // main coalescing process + for (i = nodes - 1; i > 0; --i) + [snipped] + if coalescing process fails: + // Here, directly goto out_nocoalesce + // tag will cause a deadlock + goto out_nocoalesce; + [snipped] + // release new_nodes[i]->write_lock + mutex_unlock(&new_nodes[i]->write_lock) + // coalesing succ, return + return; +out_nocoalesce: + btree_node_free(new_nodes[i]) // free new_nodes[i] + // obtain new_nodes[i]->write_lock + mutex_lock(&new_nodes[i]->write_lock); + // set flag for reuse + clear_bit(BTREE_NODE_dirty, &ew_nodes[i]->flags); + // release new_nodes[i]->write_lock + mutex_unlock(&new_nodes[i]->write_lock); + +To fix the problem, we add a new tag 'out_unlock_nocoalesce' for +releasing new_nodes[i]->write_lock before out_nocoalesce tag. If +coalescing process fails, we will go to out_unlock_nocoalesce tag +for releasing new_nodes[i]->write_lock before free new_nodes[i] in +out_nocoalesce tag. + +(Coly Li helps to clean up commit log format.) + +Fixes: 2a285686c109816 ("bcache: btree locking rework") +Signed-off-by: Zhiqiang Liu +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/md/bcache/btree.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c +index 5c93582c71cc6..634e9284b7bee 100644 +--- a/drivers/md/bcache/btree.c ++++ b/drivers/md/bcache/btree.c +@@ -1375,7 +1375,7 @@ static int btree_gc_coalesce(struct btree *b, struct btree_op *op, + if (__set_blocks(n1, n1->keys + n2->keys, + block_bytes(b->c)) > + btree_blocks(new_nodes[i])) +- goto out_nocoalesce; ++ goto out_unlock_nocoalesce; + + keys = n2->keys; + /* Take the key of the node we're getting rid of */ +@@ -1404,7 +1404,7 @@ static int btree_gc_coalesce(struct btree *b, struct btree_op *op, + + if (__bch_keylist_realloc(&keylist, + bkey_u64s(&new_nodes[i]->key))) +- goto out_nocoalesce; ++ goto out_unlock_nocoalesce; + + bch_btree_node_write(new_nodes[i], &cl); + bch_keylist_add(&keylist, &new_nodes[i]->key); +@@ -1450,6 +1450,10 @@ static int btree_gc_coalesce(struct btree *b, struct btree_op *op, + /* Invalidated our iterator */ + return -EINTR; + ++out_unlock_nocoalesce: ++ for (i = 0; i < nodes; i++) ++ mutex_unlock(&new_nodes[i]->write_lock); ++ + out_nocoalesce: + closure_sync(&cl); + bch_keylist_free(&keylist); +-- +2.25.1 + diff --git a/queue-4.4/block-fix-use-after-free-in-blkdev_get.patch b/queue-4.4/block-fix-use-after-free-in-blkdev_get.patch new file mode 100644 index 00000000000..adb434910c5 --- /dev/null +++ b/queue-4.4/block-fix-use-after-free-in-blkdev_get.patch @@ -0,0 +1,199 @@ +From 263d6b51ebac1b915881d3cd1c90390f55f04d68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Jun 2020 20:16:55 +0800 +Subject: block: Fix use-after-free in blkdev_get() + +From: Jason Yan + +[ Upstream commit 2d3a8e2deddea6c89961c422ec0c5b851e648c14 ] + +In blkdev_get() we call __blkdev_get() to do some internal jobs and if +there is some errors in __blkdev_get(), the bdput() is called which +means we have released the refcount of the bdev (actually the refcount of +the bdev inode). This means we cannot access bdev after that point. But +acctually bdev is still accessed in blkdev_get() after calling +__blkdev_get(). This results in use-after-free if the refcount is the +last one we released in __blkdev_get(). Let's take a look at the +following scenerio: + + CPU0 CPU1 CPU2 +blkdev_open blkdev_open Remove disk + bd_acquire + blkdev_get + __blkdev_get del_gendisk + bdev_unhash_inode + bd_acquire bdev_get_gendisk + bd_forget failed because of unhashed + bdput + bdput (the last one) + bdev_evict_inode + + access bdev => use after free + +[ 459.350216] BUG: KASAN: use-after-free in __lock_acquire+0x24c1/0x31b0 +[ 459.351190] Read of size 8 at addr ffff88806c815a80 by task syz-executor.0/20132 +[ 459.352347] +[ 459.352594] CPU: 0 PID: 20132 Comm: syz-executor.0 Not tainted 4.19.90 #2 +[ 459.353628] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 +[ 459.354947] Call Trace: +[ 459.355337] dump_stack+0x111/0x19e +[ 459.355879] ? __lock_acquire+0x24c1/0x31b0 +[ 459.356523] print_address_description+0x60/0x223 +[ 459.357248] ? __lock_acquire+0x24c1/0x31b0 +[ 459.357887] kasan_report.cold+0xae/0x2d8 +[ 459.358503] __lock_acquire+0x24c1/0x31b0 +[ 459.359120] ? _raw_spin_unlock_irq+0x24/0x40 +[ 459.359784] ? lockdep_hardirqs_on+0x37b/0x580 +[ 459.360465] ? _raw_spin_unlock_irq+0x24/0x40 +[ 459.361123] ? finish_task_switch+0x125/0x600 +[ 459.361812] ? finish_task_switch+0xee/0x600 +[ 459.362471] ? mark_held_locks+0xf0/0xf0 +[ 459.363108] ? __schedule+0x96f/0x21d0 +[ 459.363716] lock_acquire+0x111/0x320 +[ 459.364285] ? blkdev_get+0xce/0xbe0 +[ 459.364846] ? blkdev_get+0xce/0xbe0 +[ 459.365390] __mutex_lock+0xf9/0x12a0 +[ 459.365948] ? blkdev_get+0xce/0xbe0 +[ 459.366493] ? bdev_evict_inode+0x1f0/0x1f0 +[ 459.367130] ? blkdev_get+0xce/0xbe0 +[ 459.367678] ? destroy_inode+0xbc/0x110 +[ 459.368261] ? mutex_trylock+0x1a0/0x1a0 +[ 459.368867] ? __blkdev_get+0x3e6/0x1280 +[ 459.369463] ? bdev_disk_changed+0x1d0/0x1d0 +[ 459.370114] ? blkdev_get+0xce/0xbe0 +[ 459.370656] blkdev_get+0xce/0xbe0 +[ 459.371178] ? find_held_lock+0x2c/0x110 +[ 459.371774] ? __blkdev_get+0x1280/0x1280 +[ 459.372383] ? lock_downgrade+0x680/0x680 +[ 459.373002] ? lock_acquire+0x111/0x320 +[ 459.373587] ? bd_acquire+0x21/0x2c0 +[ 459.374134] ? do_raw_spin_unlock+0x4f/0x250 +[ 459.374780] blkdev_open+0x202/0x290 +[ 459.375325] do_dentry_open+0x49e/0x1050 +[ 459.375924] ? blkdev_get_by_dev+0x70/0x70 +[ 459.376543] ? __x64_sys_fchdir+0x1f0/0x1f0 +[ 459.377192] ? inode_permission+0xbe/0x3a0 +[ 459.377818] path_openat+0x148c/0x3f50 +[ 459.378392] ? kmem_cache_alloc+0xd5/0x280 +[ 459.379016] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe +[ 459.379802] ? path_lookupat.isra.0+0x900/0x900 +[ 459.380489] ? __lock_is_held+0xad/0x140 +[ 459.381093] do_filp_open+0x1a1/0x280 +[ 459.381654] ? may_open_dev+0xf0/0xf0 +[ 459.382214] ? find_held_lock+0x2c/0x110 +[ 459.382816] ? lock_downgrade+0x680/0x680 +[ 459.383425] ? __lock_is_held+0xad/0x140 +[ 459.384024] ? do_raw_spin_unlock+0x4f/0x250 +[ 459.384668] ? _raw_spin_unlock+0x1f/0x30 +[ 459.385280] ? __alloc_fd+0x448/0x560 +[ 459.385841] do_sys_open+0x3c3/0x500 +[ 459.386386] ? filp_open+0x70/0x70 +[ 459.386911] ? trace_hardirqs_on_thunk+0x1a/0x1c +[ 459.387610] ? trace_hardirqs_off_caller+0x55/0x1c0 +[ 459.388342] ? do_syscall_64+0x1a/0x520 +[ 459.388930] do_syscall_64+0xc3/0x520 +[ 459.389490] entry_SYSCALL_64_after_hwframe+0x49/0xbe +[ 459.390248] RIP: 0033:0x416211 +[ 459.390720] Code: 75 14 b8 02 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 +04 19 00 00 c3 48 83 ec 08 e8 0a fa ff ff 48 89 04 24 b8 02 00 00 00 0f + 05 <48> 8b 3c 24 48 89 c2 e8 53 fa ff ff 48 89 d0 48 83 c4 08 48 3d + 01 +[ 459.393483] RSP: 002b:00007fe45dfe9a60 EFLAGS: 00000293 ORIG_RAX: 0000000000000002 +[ 459.394610] RAX: ffffffffffffffda RBX: 00007fe45dfea6d4 RCX: 0000000000416211 +[ 459.395678] RDX: 00007fe45dfe9b0a RSI: 0000000000000002 RDI: 00007fe45dfe9b00 +[ 459.396758] RBP: 000000000076bf20 R08: 0000000000000000 R09: 000000000000000a +[ 459.397930] R10: 0000000000000075 R11: 0000000000000293 R12: 00000000ffffffff +[ 459.399022] R13: 0000000000000bd9 R14: 00000000004cdb80 R15: 000000000076bf2c +[ 459.400168] +[ 459.400430] Allocated by task 20132: +[ 459.401038] kasan_kmalloc+0xbf/0xe0 +[ 459.401652] kmem_cache_alloc+0xd5/0x280 +[ 459.402330] bdev_alloc_inode+0x18/0x40 +[ 459.402970] alloc_inode+0x5f/0x180 +[ 459.403510] iget5_locked+0x57/0xd0 +[ 459.404095] bdget+0x94/0x4e0 +[ 459.404607] bd_acquire+0xfa/0x2c0 +[ 459.405113] blkdev_open+0x110/0x290 +[ 459.405702] do_dentry_open+0x49e/0x1050 +[ 459.406340] path_openat+0x148c/0x3f50 +[ 459.406926] do_filp_open+0x1a1/0x280 +[ 459.407471] do_sys_open+0x3c3/0x500 +[ 459.408010] do_syscall_64+0xc3/0x520 +[ 459.408572] entry_SYSCALL_64_after_hwframe+0x49/0xbe +[ 459.409415] +[ 459.409679] Freed by task 1262: +[ 459.410212] __kasan_slab_free+0x129/0x170 +[ 459.410919] kmem_cache_free+0xb2/0x2a0 +[ 459.411564] rcu_process_callbacks+0xbb2/0x2320 +[ 459.412318] __do_softirq+0x225/0x8ac + +Fix this by delaying bdput() to the end of blkdev_get() which means we +have finished accessing bdev. + +Fixes: 77ea887e433a ("implement in-kernel gendisk events handling") +Reported-by: Hulk Robot +Signed-off-by: Jason Yan +Tested-by: Sedat Dilek +Reviewed-by: Jan Kara +Reviewed-by: Christoph Hellwig +Reviewed-by: Dan Carpenter +Cc: Christoph Hellwig +Cc: Jens Axboe +Cc: Ming Lei +Cc: Jan Kara +Cc: Dan Carpenter +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + fs/block_dev.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/fs/block_dev.c b/fs/block_dev.c +index 26bbaaefdff48..b2ebfd96785b7 100644 +--- a/fs/block_dev.c ++++ b/fs/block_dev.c +@@ -1181,10 +1181,8 @@ static int __blkdev_get(struct block_device *bdev, fmode_t mode, int for_part) + */ + if (!for_part) { + ret = devcgroup_inode_permission(bdev->bd_inode, perm); +- if (ret != 0) { +- bdput(bdev); ++ if (ret != 0) + return ret; +- } + } + + restart: +@@ -1253,8 +1251,10 @@ static int __blkdev_get(struct block_device *bdev, fmode_t mode, int for_part) + goto out_clear; + BUG_ON(for_part); + ret = __blkdev_get(whole, mode, 1); +- if (ret) ++ if (ret) { ++ bdput(whole); + goto out_clear; ++ } + bdev->bd_contains = whole; + bdev->bd_part = disk_get_part(disk, partno); + if (!(disk->flags & GENHD_FL_UP) || +@@ -1311,7 +1311,6 @@ static int __blkdev_get(struct block_device *bdev, fmode_t mode, int for_part) + put_disk(disk); + module_put(owner); + out: +- bdput(bdev); + + return ret; + } +@@ -1397,6 +1396,9 @@ int blkdev_get(struct block_device *bdev, fmode_t mode, void *holder) + bdput(whole); + } + ++ if (res) ++ bdput(bdev); ++ + return res; + } + EXPORT_SYMBOL(blkdev_get); +-- +2.25.1 + diff --git a/queue-4.4/clk-qcom-msm8916-fix-the-address-location-of-pll-con.patch b/queue-4.4/clk-qcom-msm8916-fix-the-address-location-of-pll-con.patch new file mode 100644 index 00000000000..a4bdcdd8665 --- /dev/null +++ b/queue-4.4/clk-qcom-msm8916-fix-the-address-location-of-pll-con.patch @@ -0,0 +1,94 @@ +From 68921457d934b387fd6b41fc8ba36fe1a5aecf4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Mar 2020 13:41:16 +0100 +Subject: clk: qcom: msm8916: Fix the address location of pll->config_reg + +From: Bryan O'Donoghue + +[ Upstream commit f47ab3c2f5338828a67e89d5f688d2cef9605245 ] + +During the process of debugging a processor derived from the msm8916 which +we found the new processor was not starting one of its PLLs. + +After tracing the addresses and writes that downstream was doing and +comparing to upstream it became obvious that we were writing to a different +register location than downstream when trying to configure the PLL. + +This error is also present in upstream msm8916. + +As an example clk-pll.c::clk_pll_recalc_rate wants to write to +pll->config_reg updating the bit-field POST_DIV_RATIO. That bit-field is +defined in PLL_USER_CTL not in PLL_CONFIG_CTL. Taking the BIMC PLL as an +example + +lm80-p0436-13_c_qc_snapdragon_410_processor_hrd.pdf + +0x01823010 GCC_BIMC_PLL_USER_CTL +0x01823014 GCC_BIMC_PLL_CONFIG_CTL + +This pattern is repeated for gpll0, gpll1, gpll2 and bimc_pll. + +This error is likely not apparent since the bootloader will already have +initialized these PLLs. + +This patch corrects the location of config_reg from PLL_CONFIG_CTL to +PLL_USER_CTL for all relevant PLLs on msm8916. + +Fixes commit 3966fab8b6ab ("clk: qcom: Add MSM8916 Global Clock Controller support") + +Cc: Georgi Djakov +Cc: Andy Gross +Cc: Bjorn Andersson +Cc: Michael Turquette +Cc: Stephen Boyd +Signed-off-by: Bryan O'Donoghue +Link: https://lkml.kernel.org/r/20200329124116.4185447-1-bryan.odonoghue@linaro.org +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gcc-msm8916.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/clk/qcom/gcc-msm8916.c b/drivers/clk/qcom/gcc-msm8916.c +index 95a4dd290f35a..d7dd0417ef5e8 100644 +--- a/drivers/clk/qcom/gcc-msm8916.c ++++ b/drivers/clk/qcom/gcc-msm8916.c +@@ -270,7 +270,7 @@ static struct clk_pll gpll0 = { + .l_reg = 0x21004, + .m_reg = 0x21008, + .n_reg = 0x2100c, +- .config_reg = 0x21014, ++ .config_reg = 0x21010, + .mode_reg = 0x21000, + .status_reg = 0x2101c, + .status_bit = 17, +@@ -297,7 +297,7 @@ static struct clk_pll gpll1 = { + .l_reg = 0x20004, + .m_reg = 0x20008, + .n_reg = 0x2000c, +- .config_reg = 0x20014, ++ .config_reg = 0x20010, + .mode_reg = 0x20000, + .status_reg = 0x2001c, + .status_bit = 17, +@@ -324,7 +324,7 @@ static struct clk_pll gpll2 = { + .l_reg = 0x4a004, + .m_reg = 0x4a008, + .n_reg = 0x4a00c, +- .config_reg = 0x4a014, ++ .config_reg = 0x4a010, + .mode_reg = 0x4a000, + .status_reg = 0x4a01c, + .status_bit = 17, +@@ -351,7 +351,7 @@ static struct clk_pll bimc_pll = { + .l_reg = 0x23004, + .m_reg = 0x23008, + .n_reg = 0x2300c, +- .config_reg = 0x23014, ++ .config_reg = 0x23010, + .mode_reg = 0x23000, + .status_reg = 0x2301c, + .status_bit = 17, +-- +2.25.1 + diff --git a/queue-4.4/clk-samsung-exynos5433-add-ignore_unused-flag-to-scl.patch b/queue-4.4/clk-samsung-exynos5433-add-ignore_unused-flag-to-scl.patch new file mode 100644 index 00000000000..da0a51d8fe5 --- /dev/null +++ b/queue-4.4/clk-samsung-exynos5433-add-ignore_unused-flag-to-scl.patch @@ -0,0 +1,68 @@ +From e7a025efa4ea8a57bfc538cf0bb009b067ce0598 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 May 2020 12:26:52 +0200 +Subject: clk: samsung: exynos5433: Add IGNORE_UNUSED flag to sclk_i2s1 + +From: Marek Szyprowski + +[ Upstream commit 25bdae0f1c6609ceaf55fe6700654f0be2253d8e ] + +Mark the SCLK clock for Exynos5433 I2S1 device with IGNORE_UNUSED flag to +match its behaviour with SCLK clock for AUD_I2S (I2S0) device until +a proper fix for Exynos I2S driver is ready. + +This fixes the following synchronous abort issue revealed by the probe +order change caused by the commit 93d2e4322aa7 ("of: platform: Batch +fwnode parsing when adding all top level devices") + +Internal error: synchronous external abort: 96000210 [#1] PREEMPT SMP +Modules linked in: +CPU: 0 PID: 50 Comm: kworker/0:1 Not tainted 5.7.0-rc5+ #701 +Hardware name: Samsung TM2E board (DT) +Workqueue: events deferred_probe_work_func +pstate: 60000005 (nZCv daif -PAN -UAO) +pc : samsung_i2s_probe+0x768/0x8f0 +lr : samsung_i2s_probe+0x688/0x8f0 +... +Call trace: + samsung_i2s_probe+0x768/0x8f0 + platform_drv_probe+0x50/0xa8 + really_probe+0x108/0x370 + driver_probe_device+0x54/0xb8 + __device_attach_driver+0x90/0xc0 + bus_for_each_drv+0x70/0xc8 + __device_attach+0xdc/0x140 + device_initial_probe+0x10/0x18 + bus_probe_device+0x94/0xa0 + deferred_probe_work_func+0x70/0xa8 + process_one_work+0x2a8/0x718 + worker_thread+0x48/0x470 + kthread+0x134/0x160 + ret_from_fork+0x10/0x1c +Code: 17ffffaf d503201f f94086c0 91003000 (88dffc00) +---[ end trace ccf721c9400ddbd6 ]--- + +Signed-off-by: Marek Szyprowski +Signed-off-by: Sylwester Nawrocki +Signed-off-by: Sasha Levin +--- + drivers/clk/samsung/clk-exynos5433.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/clk/samsung/clk-exynos5433.c b/drivers/clk/samsung/clk-exynos5433.c +index 91c89ac193b9a..77ae2d21c4882 100644 +--- a/drivers/clk/samsung/clk-exynos5433.c ++++ b/drivers/clk/samsung/clk-exynos5433.c +@@ -1708,7 +1708,8 @@ static struct samsung_gate_clock peric_gate_clks[] __initdata = { + GATE(CLK_SCLK_PCM1, "sclk_pcm1", "sclk_pcm1_peric", + ENABLE_SCLK_PERIC, 7, CLK_SET_RATE_PARENT, 0), + GATE(CLK_SCLK_I2S1, "sclk_i2s1", "sclk_i2s1_peric", +- ENABLE_SCLK_PERIC, 6, CLK_SET_RATE_PARENT, 0), ++ ENABLE_SCLK_PERIC, 6, ++ CLK_SET_RATE_PARENT | CLK_IGNORE_UNUSED, 0), + GATE(CLK_SCLK_SPI2, "sclk_spi2", "sclk_spi2_peric", ENABLE_SCLK_PERIC, + 5, CLK_SET_RATE_PARENT, 0), + GATE(CLK_SCLK_SPI1, "sclk_spi1", "sclk_spi1_peric", ENABLE_SCLK_PERIC, +-- +2.25.1 + diff --git a/queue-4.4/clk-sunxi-fix-incorrect-usage-of-round_down.patch b/queue-4.4/clk-sunxi-fix-incorrect-usage-of-round_down.patch new file mode 100644 index 00000000000..6b2fd2185b8 --- /dev/null +++ b/queue-4.4/clk-sunxi-fix-incorrect-usage-of-round_down.patch @@ -0,0 +1,39 @@ +From 5b831e302e77e0c10487c2943c6ae1dd9ee57dbf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Mar 2020 22:13:32 +0100 +Subject: clk: sunxi: Fix incorrect usage of round_down() + +From: Rikard Falkeborn + +[ Upstream commit ee25d9742dabed3fd18158b518f846abeb70f319 ] + +round_down() can only round to powers of 2. If round_down() is asked +to round to something that is not a power of 2, incorrect results are +produced. The incorrect results can be both too large and too small. + +Instead, use rounddown() which can round to any number. + +Fixes: 6a721db180a2 ("clk: sunxi: Add A31 clocks support") +Signed-off-by: Rikard Falkeborn +Signed-off-by: Maxime Ripard +Signed-off-by: Sasha Levin +--- + drivers/clk/sunxi/clk-sunxi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/sunxi/clk-sunxi.c b/drivers/clk/sunxi/clk-sunxi.c +index 9c79af0c03b21..2cec9e83831fd 100644 +--- a/drivers/clk/sunxi/clk-sunxi.c ++++ b/drivers/clk/sunxi/clk-sunxi.c +@@ -311,7 +311,7 @@ static void sun6i_a31_get_pll1_factors(u32 *freq, u32 parent_rate, + * Round down the frequency to the closest multiple of either + * 6 or 16 + */ +- u32 round_freq_6 = round_down(freq_mhz, 6); ++ u32 round_freq_6 = rounddown(freq_mhz, 6); + u32 round_freq_16 = round_down(freq_mhz, 16); + + if (round_freq_6 > round_freq_16) +-- +2.25.1 + diff --git a/queue-4.4/clk-ti-composite-fix-memory-leak.patch b/queue-4.4/clk-ti-composite-fix-memory-leak.patch new file mode 100644 index 00000000000..27a84e38f83 --- /dev/null +++ b/queue-4.4/clk-ti-composite-fix-memory-leak.patch @@ -0,0 +1,38 @@ +From 840dac9f4b52396c03d14997297ec0dcaf1695e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Apr 2020 16:13:39 +0300 +Subject: clk: ti: composite: fix memory leak + +From: Tero Kristo + +[ Upstream commit c7c1cbbc9217ebb5601b88d138d4a5358548de9d ] + +The parent_names is never released for a component clock definition, +causing some memory leak. Fix by releasing it once it is no longer +needed. + +Reported-by: Tomi Valkeinen +Signed-off-by: Tero Kristo +Link: https://lkml.kernel.org/r/20200429131341.4697-2-t-kristo@ti.com +Acked-by: Tony Lindgren +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/ti/composite.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/clk/ti/composite.c b/drivers/clk/ti/composite.c +index dbef218fe5ecd..14201c52b44bc 100644 +--- a/drivers/clk/ti/composite.c ++++ b/drivers/clk/ti/composite.c +@@ -228,6 +228,7 @@ cleanup: + if (!cclk->comp_clks[i]) + continue; + list_del(&cclk->comp_clks[i]->link); ++ kfree(cclk->comp_clks[i]->parent_names); + kfree(cclk->comp_clks[i]); + } + +-- +2.25.1 + diff --git a/queue-4.4/dlm-remove-bug-before-panic.patch b/queue-4.4/dlm-remove-bug-before-panic.patch new file mode 100644 index 00000000000..e5bb92dc0dd --- /dev/null +++ b/queue-4.4/dlm-remove-bug-before-panic.patch @@ -0,0 +1,51 @@ +From 21c890fcda3c63327015ea7ad187bba65e383c48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 May 2020 23:34:28 +0200 +Subject: dlm: remove BUG() before panic() + +From: Arnd Bergmann + +[ Upstream commit fe204591cc9480347af7d2d6029b24a62e449486 ] + +Building a kernel with clang sometimes fails with an objtool error in dlm: + +fs/dlm/lock.o: warning: objtool: revert_lock_pc()+0xbd: can't find jump dest instruction at .text+0xd7fc + +The problem is that BUG() never returns and the compiler knows +that anything after it is unreachable, however the panic still +emits some code that does not get fully eliminated. + +Having both BUG() and panic() is really pointless as the BUG() +kills the current process and the subsequent panic() never hits. +In most cases, we probably don't really want either and should +replace the DLM_ASSERT() statements with WARN_ON(), as has +been done for some of them. + +Remove the BUG() here so the user at least sees the panic message +and we can reliably build randconfig kernels. + +Fixes: e7fd41792fc0 ("[DLM] The core of the DLM for GFS2/CLVM") +Cc: Josh Poimboeuf +Cc: clang-built-linux@googlegroups.com +Signed-off-by: Arnd Bergmann +Signed-off-by: David Teigland +Signed-off-by: Sasha Levin +--- + fs/dlm/dlm_internal.h | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/fs/dlm/dlm_internal.h b/fs/dlm/dlm_internal.h +index 5eff6ea3e27f1..63e856d90ed05 100644 +--- a/fs/dlm/dlm_internal.h ++++ b/fs/dlm/dlm_internal.h +@@ -92,7 +92,6 @@ do { \ + __LINE__, __FILE__, #x, jiffies); \ + {do} \ + printk("\n"); \ +- BUG(); \ + panic("DLM: Record message above and reboot.\n"); \ + } \ + } +-- +2.25.1 + diff --git a/queue-4.4/drivers-base-fix-null-pointer-exception-in-__platfor.patch b/queue-4.4/drivers-base-fix-null-pointer-exception-in-__platfor.patch new file mode 100644 index 00000000000..8ff70747af6 --- /dev/null +++ b/queue-4.4/drivers-base-fix-null-pointer-exception-in-__platfor.patch @@ -0,0 +1,85 @@ +From 6774fd4d13bac66eb78533ee34c7ed265e945aa0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Apr 2020 14:40:03 -0700 +Subject: drivers: base: Fix NULL pointer exception in + __platform_driver_probe() if a driver developer is foolish + +From: Kuppuswamy Sathyanarayanan + +[ Upstream commit 388bcc6ecc609fca1b4920de7dc3806c98ec535e ] + +If platform bus driver registration is failed then, accessing +platform bus spin lock (&drv->driver.bus->p->klist_drivers.k_lock) +in __platform_driver_probe() without verifying the return value +__platform_driver_register() can lead to NULL pointer exception. + +So check the return value before attempting the spin lock. + +One such example is below: + +For a custom usecase, I have intentionally failed the platform bus +registration and I expected all the platform device/driver +registrations to fail gracefully. But I came across this panic +issue. + +[ 1.331067] BUG: kernel NULL pointer dereference, address: 00000000000000c8 +[ 1.331118] #PF: supervisor write access in kernel mode +[ 1.331163] #PF: error_code(0x0002) - not-present page +[ 1.331208] PGD 0 P4D 0 +[ 1.331233] Oops: 0002 [#1] PREEMPT SMP +[ 1.331268] CPU: 3 PID: 1 Comm: swapper/0 Tainted: G W 5.6.0-00049-g670d35fb0144 #165 +[ 1.331341] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 +[ 1.331406] RIP: 0010:_raw_spin_lock+0x15/0x30 +[ 1.331588] RSP: 0000:ffffc9000001be70 EFLAGS: 00010246 +[ 1.331632] RAX: 0000000000000000 RBX: 00000000000000c8 RCX: 0000000000000001 +[ 1.331696] RDX: 0000000000000001 RSI: 0000000000000092 RDI: 0000000000000000 +[ 1.331754] RBP: 00000000ffffffed R08: 0000000000000501 R09: 0000000000000001 +[ 1.331817] R10: ffff88817abcc520 R11: 0000000000000670 R12: 00000000ffffffed +[ 1.331881] R13: ffffffff82dbc268 R14: ffffffff832f070a R15: 0000000000000000 +[ 1.331945] FS: 0000000000000000(0000) GS:ffff88817bd80000(0000) knlGS:0000000000000000 +[ 1.332008] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 1.332062] CR2: 00000000000000c8 CR3: 000000000681e001 CR4: 00000000003606e0 +[ 1.332126] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 1.332189] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 1.332252] Call Trace: +[ 1.332281] __platform_driver_probe+0x92/0xee +[ 1.332323] ? rtc_dev_init+0x2b/0x2b +[ 1.332358] cmos_init+0x37/0x67 +[ 1.332396] do_one_initcall+0x7d/0x168 +[ 1.332428] kernel_init_freeable+0x16c/0x1c9 +[ 1.332473] ? rest_init+0xc0/0xc0 +[ 1.332508] kernel_init+0x5/0x100 +[ 1.332543] ret_from_fork+0x1f/0x30 +[ 1.332579] CR2: 00000000000000c8 +[ 1.332616] ---[ end trace 3bd87f12e9010b87 ]--- +[ 1.333549] note: swapper/0[1] exited with preempt_count 1 +[ 1.333592] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009 +[ 1.333736] Kernel Offset: disabled + +Note, this can only be triggered if a driver errors out from this call, +which should never happen. If it does, the driver needs to be fixed. + +Signed-off-by: Kuppuswamy Sathyanarayanan +Link: https://lore.kernel.org/r/20200408214003.3356-1-sathyanarayanan.kuppuswamy@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/base/platform.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/base/platform.c b/drivers/base/platform.c +index 065fcc4be263a..f89cb143f1cdf 100644 +--- a/drivers/base/platform.c ++++ b/drivers/base/platform.c +@@ -638,6 +638,8 @@ int __init_or_module __platform_driver_probe(struct platform_driver *drv, + /* temporary section violation during probe() */ + drv->probe = probe; + retval = code = __platform_driver_register(drv, module); ++ if (retval) ++ return retval; + + /* + * Fixup that section violation, being paranoid about code scanning +-- +2.25.1 + diff --git a/queue-4.4/drm-encoder_slave-fix-refcouting-error-for-modules.patch b/queue-4.4/drm-encoder_slave-fix-refcouting-error-for-modules.patch new file mode 100644 index 00000000000..c9e66cc0382 --- /dev/null +++ b/queue-4.4/drm-encoder_slave-fix-refcouting-error-for-modules.patch @@ -0,0 +1,50 @@ +From 79d0523baa9ec5721d29793def5b7fe1fe6b7951 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Jun 2020 09:58:10 +0200 +Subject: drm: encoder_slave: fix refcouting error for modules + +From: Wolfram Sang + +[ Upstream commit f78d4032de60f50fd4afaa0fb68ea03b985f820a ] + +module_put() balances try_module_get(), not request_module(). Fix the +error path to match that. + +Fixes: 2066facca4c7 ("drm/kms: slave encoder interface.") +Signed-off-by: Wolfram Sang +Reviewed-by: Emil Velikov +Acked-by: Daniel Vetter +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_encoder_slave.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/drm_encoder_slave.c b/drivers/gpu/drm/drm_encoder_slave.c +index d18b88b755c34..5c595d9f7e8f2 100644 +--- a/drivers/gpu/drm/drm_encoder_slave.c ++++ b/drivers/gpu/drm/drm_encoder_slave.c +@@ -84,7 +84,7 @@ int drm_i2c_encoder_init(struct drm_device *dev, + + err = encoder_drv->encoder_init(client, dev, encoder); + if (err) +- goto fail_unregister; ++ goto fail_module_put; + + if (info->platform_data) + encoder->slave_funcs->set_config(&encoder->base, +@@ -92,9 +92,10 @@ int drm_i2c_encoder_init(struct drm_device *dev, + + return 0; + ++fail_module_put: ++ module_put(module); + fail_unregister: + i2c_unregister_device(client); +- module_put(module); + fail: + return err; + } +-- +2.25.1 + diff --git a/queue-4.4/elfnote-mark-all-.note-sections-shf_alloc.patch b/queue-4.4/elfnote-mark-all-.note-sections-shf_alloc.patch new file mode 100644 index 00000000000..5d56a8047dd --- /dev/null +++ b/queue-4.4/elfnote-mark-all-.note-sections-shf_alloc.patch @@ -0,0 +1,61 @@ +From 8a28fc6fe035574591bdb52b17946d199b6e0d24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jun 2020 16:50:49 -0700 +Subject: elfnote: mark all .note sections SHF_ALLOC + +From: Nick Desaulniers + +[ Upstream commit 51da9dfb7f20911ae4e79e9b412a9c2d4c373d4b ] + +ELFNOTE_START allows callers to specify flags for .pushsection assembler +directives. All callsites but ELF_NOTE use "a" for SHF_ALLOC. For vdso's +that explicitly use ELF_NOTE_START and BUILD_SALT, the same section is +specified twice after preprocessing, once with "a" flag, once without. +Example: + +.pushsection .note.Linux, "a", @note ; +.pushsection .note.Linux, "", @note ; + +While GNU as allows this ordering, it warns for the opposite ordering, +making these directives position dependent. We'd prefer not to precisely +match this behavior in Clang's integrated assembler. Instead, the non +__ASSEMBLY__ definition of ELF_NOTE uses +__attribute__((section(".note.Linux"))) which is created with SHF_ALLOC, +so let's make the __ASSEMBLY__ definition of ELF_NOTE consistent with C +and just always use "a" flag. + +This allows Clang to assemble a working mainline (5.6) kernel via: +$ make CC=clang AS=clang + +Signed-off-by: Nick Desaulniers +Signed-off-by: Andrew Morton +Reviewed-by: Nathan Chancellor +Reviewed-by: Fangrui Song +Cc: Jeremy Fitzhardinge +Cc: Thomas Gleixner +Cc: Vincenzo Frascino +Link: https://github.com/ClangBuiltLinux/linux/issues/913 +Link: http://lkml.kernel.org/r/20200325231250.99205-1-ndesaulniers@google.com +Debugged-by: Ilie Halip +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/elfnote.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/elfnote.h b/include/linux/elfnote.h +index 278e3ef053369..56c6d9031663d 100644 +--- a/include/linux/elfnote.h ++++ b/include/linux/elfnote.h +@@ -53,7 +53,7 @@ + .popsection ; + + #define ELFNOTE(name, type, desc) \ +- ELFNOTE_START(name, type, "") \ ++ ELFNOTE_START(name, type, "a") \ + desc ; \ + ELFNOTE_END + +-- +2.25.1 + diff --git a/queue-4.4/gfs2-allow-lock_nolock-mount-to-specify-jid-x.patch b/queue-4.4/gfs2-allow-lock_nolock-mount-to-specify-jid-x.patch new file mode 100644 index 00000000000..97986e5ba6e --- /dev/null +++ b/queue-4.4/gfs2-allow-lock_nolock-mount-to-specify-jid-x.patch @@ -0,0 +1,46 @@ +From 7ba1887d98136a7ddc074685068414df50468c15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Apr 2020 08:45:54 -0500 +Subject: gfs2: Allow lock_nolock mount to specify jid=X + +From: Bob Peterson + +[ Upstream commit ea22eee4e6027d8927099de344f7fff43c507ef9 ] + +Before this patch, a simple typo accidentally added \n to the jid= +string for lock_nolock mounts. This made it impossible to mount a +gfs2 file system with a journal other than journal0. Thus: + +mount -tgfs2 -o hostdata="jid=1" + +Resulted in: +mount: wrong fs type, bad option, bad superblock on + +In most cases this is not a problem. However, for debugging and +testing purposes we sometimes want to test the integrity of other +journals. This patch removes the unnecessary \n and thus allows +lock_nolock users to specify an alternate journal. + +Signed-off-by: Bob Peterson +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/ops_fstype.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c +index de7143e2b361a..b7b43d00cc6d7 100644 +--- a/fs/gfs2/ops_fstype.c ++++ b/fs/gfs2/ops_fstype.c +@@ -916,7 +916,7 @@ fail: + } + + static const match_table_t nolock_tokens = { +- { Opt_jid, "jid=%d\n", }, ++ { Opt_jid, "jid=%d", }, + { Opt_err, NULL }, + }; + +-- +2.25.1 + diff --git a/queue-4.4/i2c-piix4-detect-secondary-smbus-controller-on-amd-a.patch b/queue-4.4/i2c-piix4-detect-secondary-smbus-controller-on-amd-a.patch new file mode 100644 index 00000000000..25300eff6d9 --- /dev/null +++ b/queue-4.4/i2c-piix4-detect-secondary-smbus-controller-on-amd-a.patch @@ -0,0 +1,51 @@ +From 1346be28a2ef5cdb60c7207dcdae48619b1cf58d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Apr 2020 15:48:44 -0500 +Subject: i2c: piix4: Detect secondary SMBus controller on AMD AM4 chipsets + +From: Adam Honse + +[ Upstream commit f27237c174fd9653033330e4e532cd9d153ce824 ] + +The AMD X370 and other AM4 chipsets (A/B/X 3/4/5 parts) and Threadripper +equivalents have a secondary SMBus controller at I/O port address +0x0B20. This bus is used by several manufacturers to control +motherboard RGB lighting via embedded controllers. I have been using +this bus in my OpenRGB project to control the Aura RGB on many +motherboards and ASRock also uses this bus for their Polychrome RGB +controller. + +I am not aware of any CZ-compatible platforms which do not have the +second SMBus channel. All of AMD's AM4- and Threadripper- series +chipsets that OpenRGB users have tested appear to have this secondary +bus. I also noticed this secondary bus is present on older AMD +platforms including my FM1 home server. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=202587 +Signed-off-by: Adam Honse +Reviewed-by: Jean Delvare +Reviewed-by: Sebastian Reichel +Tested-by: Sebastian Reichel +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-piix4.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-piix4.c b/drivers/i2c/busses/i2c-piix4.c +index b61db9db3ca5d..c85ac178c4838 100644 +--- a/drivers/i2c/busses/i2c-piix4.c ++++ b/drivers/i2c/busses/i2c-piix4.c +@@ -647,7 +647,8 @@ static int piix4_probe(struct pci_dev *dev, const struct pci_device_id *id) + } + + if (dev->vendor == PCI_VENDOR_ID_AMD && +- dev->device == PCI_DEVICE_ID_AMD_HUDSON2_SMBUS) { ++ (dev->device == PCI_DEVICE_ID_AMD_HUDSON2_SMBUS || ++ dev->device == PCI_DEVICE_ID_AMD_KERNCZ_SMBUS)) { + retval = piix4_setup_sb800(dev, id, 1); + } + +-- +2.25.1 + diff --git a/queue-4.4/i2c-pxa-clear-all-master-action-bits-in-i2c_pxa_stop.patch b/queue-4.4/i2c-pxa-clear-all-master-action-bits-in-i2c_pxa_stop.patch new file mode 100644 index 00000000000..8744ee3501b --- /dev/null +++ b/queue-4.4/i2c-pxa-clear-all-master-action-bits-in-i2c_pxa_stop.patch @@ -0,0 +1,45 @@ +From e968eb4c30ffba4ce06cecec2030ea4cc173687c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 May 2020 10:36:38 +0100 +Subject: i2c: pxa: clear all master action bits in i2c_pxa_stop_message() + +From: Russell King + +[ Upstream commit e81c979f4e071d516aa27cf5a0c3939da00dc1ca ] + +If we timeout during a message transfer, the control register may +contain bits that cause an action to be set. Read-modify-writing the +register leaving these bits set may trigger the hardware to attempt +one of these actions unintentionally. + +Always clear these bits when cleaning up after a message or after +a timeout. + +Signed-off-by: Russell King +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-pxa.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-pxa.c b/drivers/i2c/busses/i2c-pxa.c +index 0d351954db02b..3264b50311ff0 100644 +--- a/drivers/i2c/busses/i2c-pxa.c ++++ b/drivers/i2c/busses/i2c-pxa.c +@@ -691,11 +691,9 @@ static inline void i2c_pxa_stop_message(struct pxa_i2c *i2c) + { + u32 icr; + +- /* +- * Clear the STOP and ACK flags +- */ ++ /* Clear the START, STOP, ACK, TB and MA flags */ + icr = readl(_ICR(i2c)); +- icr &= ~(ICR_STOP | ICR_ACKNAK); ++ icr &= ~(ICR_START | ICR_STOP | ICR_ACKNAK | ICR_TB | ICR_MA); + writel(icr, _ICR(i2c)); + } + +-- +2.25.1 + diff --git a/queue-4.4/i2c-pxa-fix-i2c_pxa_scream_blue_murder-debug-output.patch b/queue-4.4/i2c-pxa-fix-i2c_pxa_scream_blue_murder-debug-output.patch new file mode 100644 index 00000000000..910e62aea61 --- /dev/null +++ b/queue-4.4/i2c-pxa-fix-i2c_pxa_scream_blue_murder-debug-output.patch @@ -0,0 +1,54 @@ +From 0ce487c533872768053a40b455aaa03e0d71142a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Apr 2020 19:49:22 +0100 +Subject: i2c: pxa: fix i2c_pxa_scream_blue_murder() debug output + +From: Russell King + +[ Upstream commit 88b73ee7ca4c90baf136ed5a8377fc5a9b73ac08 ] + +The IRQ log output is supposed to appear on a single line. However, +commit 3a2dc1677b60 ("i2c: pxa: Update debug function to dump more info +on error") resulted in it being printed one-entry-per-line, which is +excessively long. + +Fixing this is not a trivial matter; using pr_cont() doesn't work as +the previous dev_dbg() may not have been compiled in, or may be +dynamic. + +Since the rest of this function output is at error level, and is also +debug output, promote this to error level as well to avoid this +problem. + +Reduce the number of always zero prefix digits to save screen real- +estate. + +Signed-off-by: Russell King +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-pxa.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-pxa.c b/drivers/i2c/busses/i2c-pxa.c +index 3264b50311ff0..8fca6e3dd7504 100644 +--- a/drivers/i2c/busses/i2c-pxa.c ++++ b/drivers/i2c/busses/i2c-pxa.c +@@ -297,11 +297,10 @@ static void i2c_pxa_scream_blue_murder(struct pxa_i2c *i2c, const char *why) + dev_err(dev, "IBMR: %08x IDBR: %08x ICR: %08x ISR: %08x\n", + readl(_IBMR(i2c)), readl(_IDBR(i2c)), readl(_ICR(i2c)), + readl(_ISR(i2c))); +- dev_dbg(dev, "log: "); ++ dev_err(dev, "log:"); + for (i = 0; i < i2c->irqlogidx; i++) +- pr_debug("[%08x:%08x] ", i2c->isrlog[i], i2c->icrlog[i]); +- +- pr_debug("\n"); ++ pr_cont(" [%03x:%05x]", i2c->isrlog[i], i2c->icrlog[i]); ++ pr_cont("\n"); + } + + #else /* ifdef DEBUG */ +-- +2.25.1 + diff --git a/queue-4.4/include-linux-bitops.h-avoid-clang-shift-count-overf.patch b/queue-4.4/include-linux-bitops.h-avoid-clang-shift-count-overf.patch new file mode 100644 index 00000000000..8d24d009045 --- /dev/null +++ b/queue-4.4/include-linux-bitops.h-avoid-clang-shift-count-overf.patch @@ -0,0 +1,65 @@ +From 9f685bb365c8358650ba983a79d6832710bd8f67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jun 2020 16:50:30 -0700 +Subject: include/linux/bitops.h: avoid clang shift-count-overflow warnings + +From: Arnd Bergmann + +[ Upstream commit bd93f003b7462ae39a43c531abca37fe7073b866 ] + +Clang normally does not warn about certain issues in inline functions when +it only happens in an eliminated code path. However if something else +goes wrong, it does tend to complain about the definition of hweight_long() +on 32-bit targets: + + include/linux/bitops.h:75:41: error: shift count >= width of type [-Werror,-Wshift-count-overflow] + return sizeof(w) == 4 ? hweight32(w) : hweight64(w); + ^~~~~~~~~~~~ + include/asm-generic/bitops/const_hweight.h:29:49: note: expanded from macro 'hweight64' + define hweight64(w) (__builtin_constant_p(w) ? __const_hweight64(w) : __arch_hweight64(w)) + ^~~~~~~~~~~~~~~~~~~~ + include/asm-generic/bitops/const_hweight.h:21:76: note: expanded from macro '__const_hweight64' + define __const_hweight64(w) (__const_hweight32(w) + __const_hweight32((w) >> 32)) + ^ ~~ + include/asm-generic/bitops/const_hweight.h:20:49: note: expanded from macro '__const_hweight32' + define __const_hweight32(w) (__const_hweight16(w) + __const_hweight16((w) >> 16)) + ^ + include/asm-generic/bitops/const_hweight.h:19:72: note: expanded from macro '__const_hweight16' + define __const_hweight16(w) (__const_hweight8(w) + __const_hweight8((w) >> 8 )) + ^ + include/asm-generic/bitops/const_hweight.h:12:9: note: expanded from macro '__const_hweight8' + (!!((w) & (1ULL << 2))) + \ + +Adding an explicit cast to __u64 avoids that warning and makes it easier +to read other output. + +Signed-off-by: Arnd Bergmann +Signed-off-by: Andrew Morton +Acked-by: Christian Brauner +Cc: Andy Shevchenko +Cc: Rasmus Villemoes +Cc: Josh Poimboeuf +Cc: Nick Desaulniers +Link: http://lkml.kernel.org/r/20200505135513.65265-1-arnd@arndb.de +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/bitops.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/bitops.h b/include/linux/bitops.h +index ce2bb045b3fdd..9b9711ea267a4 100644 +--- a/include/linux/bitops.h ++++ b/include/linux/bitops.h +@@ -59,7 +59,7 @@ static inline int get_count_order(unsigned int count) + + static __always_inline unsigned long hweight_long(unsigned long w) + { +- return sizeof(w) == 4 ? hweight32(w) : hweight64(w); ++ return sizeof(w) == 4 ? hweight32(w) : hweight64((__u64)w); + } + + /** +-- +2.25.1 + diff --git a/queue-4.4/lib-zlib-remove-outdated-and-incorrect-pre-increment.patch b/queue-4.4/lib-zlib-remove-outdated-and-incorrect-pre-increment.patch new file mode 100644 index 00000000000..be567448202 --- /dev/null +++ b/queue-4.4/lib-zlib-remove-outdated-and-incorrect-pre-increment.patch @@ -0,0 +1,279 @@ +From aedfac9ea62bdb49877a89b29bda0948c88465ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jun 2020 16:50:17 -0700 +Subject: lib/zlib: remove outdated and incorrect pre-increment optimization + +From: Jann Horn + +[ Upstream commit acaab7335bd6f0c0b54ce3a00bd7f18222ce0f5f ] + +The zlib inflate code has an old micro-optimization based on the +assumption that for pre-increment memory accesses, the compiler will +generate code that fits better into the processor's pipeline than what +would be generated for post-increment memory accesses. + +This optimization was already removed in upstream zlib in 2016: +https://github.com/madler/zlib/commit/9aaec95e8211 + +This optimization causes UB according to C99, which says in section 6.5.6 +"Additive operators": "If both the pointer operand and the result point to +elements of the same array object, or one past the last element of the +array object, the evaluation shall not produce an overflow; otherwise, the +behavior is undefined". + +This UB is not only a theoretical concern, but can also cause trouble for +future work on compiler-based sanitizers. + +According to the zlib commit, this optimization also is not optimal +anymore with modern compilers. + +Replace uses of OFF, PUP and UP_UNALIGNED with their definitions in the +POSTINC case, and remove the macro definitions, just like in the upstream +patch. + +Signed-off-by: Jann Horn +Signed-off-by: Andrew Morton +Cc: Mikhail Zaslonko +Link: http://lkml.kernel.org/r/20200507123112.252723-1-jannh@google.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + lib/zlib_inflate/inffast.c | 91 +++++++++++++++----------------------- + 1 file changed, 35 insertions(+), 56 deletions(-) + +diff --git a/lib/zlib_inflate/inffast.c b/lib/zlib_inflate/inffast.c +index 2c13ecc5bb2c7..ed1f3df272602 100644 +--- a/lib/zlib_inflate/inffast.c ++++ b/lib/zlib_inflate/inffast.c +@@ -10,17 +10,6 @@ + + #ifndef ASMINF + +-/* Allow machine dependent optimization for post-increment or pre-increment. +- Based on testing to date, +- Pre-increment preferred for: +- - PowerPC G3 (Adler) +- - MIPS R5000 (Randers-Pehrson) +- Post-increment preferred for: +- - none +- No measurable difference: +- - Pentium III (Anderson) +- - M68060 (Nikl) +- */ + union uu { + unsigned short us; + unsigned char b[2]; +@@ -38,16 +27,6 @@ get_unaligned16(const unsigned short *p) + return mm.us; + } + +-#ifdef POSTINC +-# define OFF 0 +-# define PUP(a) *(a)++ +-# define UP_UNALIGNED(a) get_unaligned16((a)++) +-#else +-# define OFF 1 +-# define PUP(a) *++(a) +-# define UP_UNALIGNED(a) get_unaligned16(++(a)) +-#endif +- + /* + Decode literal, length, and distance codes and write out the resulting + literal and match bytes until either not enough input or output is +@@ -115,9 +94,9 @@ void inflate_fast(z_streamp strm, unsigned start) + + /* copy state to local variables */ + state = (struct inflate_state *)strm->state; +- in = strm->next_in - OFF; ++ in = strm->next_in; + last = in + (strm->avail_in - 5); +- out = strm->next_out - OFF; ++ out = strm->next_out; + beg = out - (start - strm->avail_out); + end = out + (strm->avail_out - 257); + #ifdef INFLATE_STRICT +@@ -138,9 +117,9 @@ void inflate_fast(z_streamp strm, unsigned start) + input data or output space */ + do { + if (bits < 15) { +- hold += (unsigned long)(PUP(in)) << bits; ++ hold += (unsigned long)(*in++) << bits; + bits += 8; +- hold += (unsigned long)(PUP(in)) << bits; ++ hold += (unsigned long)(*in++) << bits; + bits += 8; + } + this = lcode[hold & lmask]; +@@ -150,14 +129,14 @@ void inflate_fast(z_streamp strm, unsigned start) + bits -= op; + op = (unsigned)(this.op); + if (op == 0) { /* literal */ +- PUP(out) = (unsigned char)(this.val); ++ *out++ = (unsigned char)(this.val); + } + else if (op & 16) { /* length base */ + len = (unsigned)(this.val); + op &= 15; /* number of extra bits */ + if (op) { + if (bits < op) { +- hold += (unsigned long)(PUP(in)) << bits; ++ hold += (unsigned long)(*in++) << bits; + bits += 8; + } + len += (unsigned)hold & ((1U << op) - 1); +@@ -165,9 +144,9 @@ void inflate_fast(z_streamp strm, unsigned start) + bits -= op; + } + if (bits < 15) { +- hold += (unsigned long)(PUP(in)) << bits; ++ hold += (unsigned long)(*in++) << bits; + bits += 8; +- hold += (unsigned long)(PUP(in)) << bits; ++ hold += (unsigned long)(*in++) << bits; + bits += 8; + } + this = dcode[hold & dmask]; +@@ -180,10 +159,10 @@ void inflate_fast(z_streamp strm, unsigned start) + dist = (unsigned)(this.val); + op &= 15; /* number of extra bits */ + if (bits < op) { +- hold += (unsigned long)(PUP(in)) << bits; ++ hold += (unsigned long)(*in++) << bits; + bits += 8; + if (bits < op) { +- hold += (unsigned long)(PUP(in)) << bits; ++ hold += (unsigned long)(*in++) << bits; + bits += 8; + } + } +@@ -205,13 +184,13 @@ void inflate_fast(z_streamp strm, unsigned start) + state->mode = BAD; + break; + } +- from = window - OFF; ++ from = window; + if (write == 0) { /* very common case */ + from += wsize - op; + if (op < len) { /* some from window */ + len -= op; + do { +- PUP(out) = PUP(from); ++ *out++ = *from++; + } while (--op); + from = out - dist; /* rest from output */ + } +@@ -222,14 +201,14 @@ void inflate_fast(z_streamp strm, unsigned start) + if (op < len) { /* some from end of window */ + len -= op; + do { +- PUP(out) = PUP(from); ++ *out++ = *from++; + } while (--op); +- from = window - OFF; ++ from = window; + if (write < len) { /* some from start of window */ + op = write; + len -= op; + do { +- PUP(out) = PUP(from); ++ *out++ = *from++; + } while (--op); + from = out - dist; /* rest from output */ + } +@@ -240,21 +219,21 @@ void inflate_fast(z_streamp strm, unsigned start) + if (op < len) { /* some from window */ + len -= op; + do { +- PUP(out) = PUP(from); ++ *out++ = *from++; + } while (--op); + from = out - dist; /* rest from output */ + } + } + while (len > 2) { +- PUP(out) = PUP(from); +- PUP(out) = PUP(from); +- PUP(out) = PUP(from); ++ *out++ = *from++; ++ *out++ = *from++; ++ *out++ = *from++; + len -= 3; + } + if (len) { +- PUP(out) = PUP(from); ++ *out++ = *from++; + if (len > 1) +- PUP(out) = PUP(from); ++ *out++ = *from++; + } + } + else { +@@ -264,29 +243,29 @@ void inflate_fast(z_streamp strm, unsigned start) + from = out - dist; /* copy direct from output */ + /* minimum length is three */ + /* Align out addr */ +- if (!((long)(out - 1 + OFF) & 1)) { +- PUP(out) = PUP(from); ++ if (!((long)(out - 1) & 1)) { ++ *out++ = *from++; + len--; + } +- sout = (unsigned short *)(out - OFF); ++ sout = (unsigned short *)(out); + if (dist > 2) { + unsigned short *sfrom; + +- sfrom = (unsigned short *)(from - OFF); ++ sfrom = (unsigned short *)(from); + loops = len >> 1; + do + #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS +- PUP(sout) = PUP(sfrom); ++ *sout++ = *sfrom++; + #else +- PUP(sout) = UP_UNALIGNED(sfrom); ++ *sout++ = get_unaligned16(sfrom++); + #endif + while (--loops); +- out = (unsigned char *)sout + OFF; +- from = (unsigned char *)sfrom + OFF; ++ out = (unsigned char *)sout; ++ from = (unsigned char *)sfrom; + } else { /* dist == 1 or dist == 2 */ + unsigned short pat16; + +- pat16 = *(sout-1+OFF); ++ pat16 = *(sout-1); + if (dist == 1) { + union uu mm; + /* copy one char pattern to both bytes */ +@@ -296,12 +275,12 @@ void inflate_fast(z_streamp strm, unsigned start) + } + loops = len >> 1; + do +- PUP(sout) = pat16; ++ *sout++ = pat16; + while (--loops); +- out = (unsigned char *)sout + OFF; ++ out = (unsigned char *)sout; + } + if (len & 1) +- PUP(out) = PUP(from); ++ *out++ = *from++; + } + } + else if ((op & 64) == 0) { /* 2nd level distance code */ +@@ -336,8 +315,8 @@ void inflate_fast(z_streamp strm, unsigned start) + hold &= (1U << bits) - 1; + + /* update state and return */ +- strm->next_in = in + OFF; +- strm->next_out = out + OFF; ++ strm->next_in = in; ++ strm->next_out = out; + strm->avail_in = (unsigned)(in < last ? 5 + (last - in) : 5 - (in - last)); + strm->avail_out = (unsigned)(out < end ? + 257 + (end - out) : 257 - (out - end)); +-- +2.25.1 + diff --git a/queue-4.4/libata-use-per-port-sync-for-detach.patch b/queue-4.4/libata-use-per-port-sync-for-detach.patch new file mode 100644 index 00000000000..daa3c91959d --- /dev/null +++ b/queue-4.4/libata-use-per-port-sync-for-detach.patch @@ -0,0 +1,93 @@ +From c1ced1985729c2c1d2500ae5ecffeb5ca35438a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jun 2020 15:48:19 +0800 +Subject: libata: Use per port sync for detach + +From: Kai-Heng Feng + +[ Upstream commit b5292111de9bb70cba3489075970889765302136 ] + +Commit 130f4caf145c ("libata: Ensure ata_port probe has completed before +detach") may cause system freeze during suspend. + +Using async_synchronize_full() in PM callbacks is wrong, since async +callbacks that are already scheduled may wait for not-yet-scheduled +callbacks, causes a circular dependency. + +Instead of using big hammer like async_synchronize_full(), use async +cookie to make sure port probe are synced, without affecting other +scheduled PM callbacks. + +Fixes: 130f4caf145c ("libata: Ensure ata_port probe has completed before detach") +Suggested-by: John Garry +Signed-off-by: Kai-Heng Feng +Tested-by: John Garry +BugLink: https://bugs.launchpad.net/bugs/1867983 +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-core.c | 11 +++++------ + include/linux/libata.h | 3 +++ + 2 files changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index fc4bf8ff40ead..17cebfe5acc82 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -56,7 +56,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -6222,7 +6221,7 @@ int ata_host_register(struct ata_host *host, struct scsi_host_template *sht) + /* perform each probe asynchronously */ + for (i = 0; i < host->n_ports; i++) { + struct ata_port *ap = host->ports[i]; +- async_schedule(async_port_probe, ap); ++ ap->cookie = async_schedule(async_port_probe, ap); + } + + return 0; +@@ -6355,11 +6354,11 @@ void ata_host_detach(struct ata_host *host) + { + int i; + +- /* Ensure ata_port probe has completed */ +- async_synchronize_full(); +- +- for (i = 0; i < host->n_ports; i++) ++ for (i = 0; i < host->n_ports; i++) { ++ /* Ensure ata_port probe has completed */ ++ async_synchronize_cookie(host->ports[i]->cookie + 1); + ata_port_detach(host->ports[i]); ++ } + + /* the host is dead now, dissociate ACPI */ + ata_acpi_dissociate(host); +diff --git a/include/linux/libata.h b/include/linux/libata.h +index 6428ac4746dee..af561d33221d6 100644 +--- a/include/linux/libata.h ++++ b/include/linux/libata.h +@@ -38,6 +38,7 @@ + #include + #include + #include ++#include + + /* + * Define if arch has non-standard setup. This is a _PCI_ standard +@@ -872,6 +873,8 @@ struct ata_port { + struct timer_list fastdrain_timer; + unsigned long fastdrain_cnt; + ++ async_cookie_t cookie; ++ + int em_message_type; + void *private_data; + +-- +2.25.1 + diff --git a/queue-4.4/mfd-wm8994-fix-driver-operation-if-loaded-as-modules.patch b/queue-4.4/mfd-wm8994-fix-driver-operation-if-loaded-as-modules.patch new file mode 100644 index 00000000000..967ab08edbe --- /dev/null +++ b/queue-4.4/mfd-wm8994-fix-driver-operation-if-loaded-as-modules.patch @@ -0,0 +1,38 @@ +From 1a4c0d3066f4b6c2b7014f10ed1d04adc5f7bb80 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Apr 2020 09:48:29 +0200 +Subject: mfd: wm8994: Fix driver operation if loaded as modules + +From: Marek Szyprowski + +[ Upstream commit d4f9b5428b53dd67f49ee8deed8d4366ed6b1933 ] + +WM8994 chip has built-in regulators, which might be used for chip +operation. They are controlled by a separate wm8994-regulator driver, +which should be loaded before this driver calls regulator_get(), because +that driver also provides consumer-supply mapping for the them. If that +driver is not yet loaded, regulator core substitute them with dummy +regulator, what breaks chip operation, because the built-in regulators are +never enabled. Fix this by annotating this driver with MODULE_SOFTDEP() +"pre" dependency to "wm8994_regulator" module. + +Signed-off-by: Marek Szyprowski +Acked-by: Charles Keepax +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/wm8994-core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/mfd/wm8994-core.c b/drivers/mfd/wm8994-core.c +index 7eec619a6023c..3d1457189fa21 100644 +--- a/drivers/mfd/wm8994-core.c ++++ b/drivers/mfd/wm8994-core.c +@@ -690,3 +690,4 @@ module_i2c_driver(wm8994_i2c_driver); + MODULE_DESCRIPTION("Core support for the WM8994 audio CODEC"); + MODULE_LICENSE("GPL"); + MODULE_AUTHOR("Mark Brown "); ++MODULE_SOFTDEP("pre: wm8994_regulator"); +-- +2.25.1 + diff --git a/queue-4.4/mksysmap-fix-the-mismatch-of-.l-symbols-in-system.ma.patch b/queue-4.4/mksysmap-fix-the-mismatch-of-.l-symbols-in-system.ma.patch new file mode 100644 index 00000000000..86e7e9f1e77 --- /dev/null +++ b/queue-4.4/mksysmap-fix-the-mismatch-of-.l-symbols-in-system.ma.patch @@ -0,0 +1,46 @@ +From aff4c3324cf42c85c8e79db3f3cc89a728a46882 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jun 2020 15:45:17 +0800 +Subject: mksysmap: Fix the mismatch of '.L' symbols in System.map + +From: ashimida + +[ Upstream commit 72d24accf02add25e08733f0ecc93cf10fcbd88c ] + +When System.map was generated, the kernel used mksysmap to +filter the kernel symbols, but all the symbols with the +second letter 'L' in the kernel were filtered out, not just +the symbols starting with 'dot + L'. + +For example: +ashimida@ubuntu:~/linux$ cat System.map |grep ' .L' +ashimida@ubuntu:~/linux$ nm -n vmlinux |grep ' .L' +ffff0000088028e0 t bLength_show +...... +ffff0000092e0408 b PLLP_OUTC_lock +ffff0000092e0410 b PLLP_OUTA_lock + +The original intent should be to filter out all local symbols +starting with '.L', so the dot should be escaped. + +Fixes: 00902e984732 ("mksysmap: Add h8300 local symbol pattern") +Signed-off-by: ashimida +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/mksysmap | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/mksysmap b/scripts/mksysmap +index a35acc0d0b827..9aa23d15862a0 100755 +--- a/scripts/mksysmap ++++ b/scripts/mksysmap +@@ -41,4 +41,4 @@ + # so we just ignore them to let readprofile continue to work. + # (At least sparc64 has __crc_ in the middle). + +-$NM -n $1 | grep -v '\( [aNUw] \)\|\(__crc_\)\|\( \$[adt]\)\|\( .L\)' > $2 ++$NM -n $1 | grep -v '\( [aNUw] \)\|\(__crc_\)\|\( \$[adt]\)\|\( \.L\)' > $2 +-- +2.25.1 + diff --git a/queue-4.4/net-sunrpc-fix-off-by-one-issues-in-rpc_ntop6.patch b/queue-4.4/net-sunrpc-fix-off-by-one-issues-in-rpc_ntop6.patch new file mode 100644 index 00000000000..9362b9921be --- /dev/null +++ b/queue-4.4/net-sunrpc-fix-off-by-one-issues-in-rpc_ntop6.patch @@ -0,0 +1,45 @@ +From dcb0eb8f1df2db9fb6b6bcac84335ccd5ad7d429 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Mar 2020 14:56:55 +0300 +Subject: net: sunrpc: Fix off-by-one issues in 'rpc_ntop6' + +From: Fedor Tokarev + +[ Upstream commit 118917d696dc59fd3e1741012c2f9db2294bed6f ] + +Fix off-by-one issues in 'rpc_ntop6': + - 'snprintf' returns the number of characters which would have been + written if enough space had been available, excluding the terminating + null byte. Thus, a return value of 'sizeof(scopebuf)' means that the + last character was dropped. + - 'strcat' adds a terminating null byte to the string, thus if len == + buflen, the null byte is written past the end of the buffer. + +Signed-off-by: Fedor Tokarev +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + net/sunrpc/addr.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/sunrpc/addr.c b/net/sunrpc/addr.c +index 2e0a6f92e563d..8391c27855501 100644 +--- a/net/sunrpc/addr.c ++++ b/net/sunrpc/addr.c +@@ -81,11 +81,11 @@ static size_t rpc_ntop6(const struct sockaddr *sap, + + rc = snprintf(scopebuf, sizeof(scopebuf), "%c%u", + IPV6_SCOPE_DELIMITER, sin6->sin6_scope_id); +- if (unlikely((size_t)rc > sizeof(scopebuf))) ++ if (unlikely((size_t)rc >= sizeof(scopebuf))) + return 0; + + len += rc; +- if (unlikely(len > buflen)) ++ if (unlikely(len >= buflen)) + return 0; + + strcat(buf, scopebuf); +-- +2.25.1 + diff --git a/queue-4.4/nfsd-fix-svc_xprt-refcnt-leak-when-setup-callback-cl.patch b/queue-4.4/nfsd-fix-svc_xprt-refcnt-leak-when-setup-callback-cl.patch new file mode 100644 index 00000000000..171cc9237c7 --- /dev/null +++ b/queue-4.4/nfsd-fix-svc_xprt-refcnt-leak-when-setup-callback-cl.patch @@ -0,0 +1,44 @@ +From 13c8d2de913702e58fbbe3242f35fdf96ac950db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 May 2020 22:15:41 +0800 +Subject: nfsd: Fix svc_xprt refcnt leak when setup callback client failed + +From: Xiyu Yang + +[ Upstream commit a4abc6b12eb1f7a533c2e7484cfa555454ff0977 ] + +nfsd4_process_cb_update() invokes svc_xprt_get(), which increases the +refcount of the "c->cn_xprt". + +The reference counting issue happens in one exception handling path of +nfsd4_process_cb_update(). When setup callback client failed, the +function forgets to decrease the refcnt increased by svc_xprt_get(), +causing a refcnt leak. + +Fix this issue by calling svc_xprt_put() when setup callback client +failed. + +Signed-off-by: Xiyu Yang +Signed-off-by: Xin Tan +Signed-off-by: J. Bruce Fields +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfs4callback.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c +index 4fa3f0ba9ab3c..0a0b41071ed77 100644 +--- a/fs/nfsd/nfs4callback.c ++++ b/fs/nfsd/nfs4callback.c +@@ -1096,6 +1096,8 @@ static void nfsd4_process_cb_update(struct nfsd4_callback *cb) + err = setup_callback_client(clp, &conn, ses); + if (err) { + nfsd4_mark_cb_down(clp, err); ++ if (c) ++ svc_xprt_put(c->cn_xprt); + return; + } + } +-- +2.25.1 + diff --git a/queue-4.4/openrisc-fix-issue-with-argument-clobbering-for-clon.patch b/queue-4.4/openrisc-fix-issue-with-argument-clobbering-for-clon.patch new file mode 100644 index 00000000000..a4bb646eb17 --- /dev/null +++ b/queue-4.4/openrisc-fix-issue-with-argument-clobbering-for-clon.patch @@ -0,0 +1,48 @@ +From 0543c6b29df04da770ae57a12da1ea57b1a3cba3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Apr 2020 20:24:11 +0900 +Subject: openrisc: Fix issue with argument clobbering for clone/fork + +From: Stafford Horne + +[ Upstream commit 6bd140e14d9aaa734ec37985b8b20a96c0ece948 ] + +Working on the OpenRISC glibc port I found that sometimes clone was +working strange. That the tls data argument sent in r7 was always +wrong. Further investigation revealed that the arguments were getting +clobbered in the entry code. This patch removes the code that writes to +the argument registers. This was likely due to some old code hanging +around. + +This patch fixes this up for clone and fork. This fork clobber is +harmless but also useless so remove. + +Signed-off-by: Stafford Horne +Signed-off-by: Sasha Levin +--- + arch/openrisc/kernel/entry.S | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/openrisc/kernel/entry.S b/arch/openrisc/kernel/entry.S +index c17e8451d9978..3fbe420f49c43 100644 +--- a/arch/openrisc/kernel/entry.S ++++ b/arch/openrisc/kernel/entry.S +@@ -1092,13 +1092,13 @@ ENTRY(__sys_clone) + l.movhi r29,hi(sys_clone) + l.ori r29,r29,lo(sys_clone) + l.j _fork_save_extra_regs_and_call +- l.addi r7,r1,0 ++ l.nop + + ENTRY(__sys_fork) + l.movhi r29,hi(sys_fork) + l.ori r29,r29,lo(sys_fork) + l.j _fork_save_extra_regs_and_call +- l.addi r3,r1,0 ++ l.nop + + ENTRY(sys_rt_sigreturn) + l.j _sys_rt_sigreturn +-- +2.25.1 + diff --git a/queue-4.4/pci-aspm-allow-aspm-on-links-to-pcie-to-pci-pci-x-br.patch b/queue-4.4/pci-aspm-allow-aspm-on-links-to-pcie-to-pci-pci-x-br.patch new file mode 100644 index 00000000000..3e884918a5e --- /dev/null +++ b/queue-4.4/pci-aspm-allow-aspm-on-links-to-pcie-to-pci-pci-x-br.patch @@ -0,0 +1,55 @@ +From 7bad31692587d428886937590896b2b2ded96352 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 May 2020 01:34:21 +0800 +Subject: PCI/ASPM: Allow ASPM on links to PCIe-to-PCI/PCI-X Bridges + +From: Kai-Heng Feng + +[ Upstream commit 66ff14e59e8a30690755b08bc3042359703fb07a ] + +7d715a6c1ae5 ("PCI: add PCI Express ASPM support") added the ability for +Linux to enable ASPM, but for some undocumented reason, it didn't enable +ASPM on links where the downstream component is a PCIe-to-PCI/PCI-X Bridge. + +Remove this exclusion so we can enable ASPM on these links. + +The Dell OptiPlex 7080 mentioned in the bugzilla has a TI XIO2001 +PCIe-to-PCI Bridge. Enabling ASPM on the link leading to it allows the +Intel SoC to enter deeper Package C-states, which is a significant power +savings. + +[bhelgaas: commit log] +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=207571 +Link: https://lore.kernel.org/r/20200505173423.26968-1-kai.heng.feng@canonical.com +Signed-off-by: Kai-Heng Feng +Signed-off-by: Bjorn Helgaas +Reviewed-by: Mika Westerberg +Signed-off-by: Sasha Levin +--- + drivers/pci/pcie/aspm.c | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c +index c6a012b5ba390..966b6947e5656 100644 +--- a/drivers/pci/pcie/aspm.c ++++ b/drivers/pci/pcie/aspm.c +@@ -388,16 +388,6 @@ static void pcie_aspm_cap_init(struct pcie_link_state *link, int blacklist) + + /* Setup initial capable state. Will be updated later */ + link->aspm_capable = link->aspm_support; +- /* +- * If the downstream component has pci bridge function, don't +- * do ASPM for now. +- */ +- list_for_each_entry(child, &linkbus->devices, bus_list) { +- if (pci_pcie_type(child) == PCI_EXP_TYPE_PCI_BRIDGE) { +- link->aspm_disable = ASPM_STATE_ALL; +- break; +- } +- } + + /* Get and check endpoint acceptable latencies */ + list_for_each_entry(child, &linkbus->devices, bus_list) { +-- +2.25.1 + diff --git a/queue-4.4/perf-report-fix-null-pointer-dereference-in-hists__f.patch b/queue-4.4/perf-report-fix-null-pointer-dereference-in-hists__f.patch new file mode 100644 index 00000000000..d01bb852898 --- /dev/null +++ b/queue-4.4/perf-report-fix-null-pointer-dereference-in-hists__f.patch @@ -0,0 +1,46 @@ +From 9d6676eceef440423d34bb9307aa3dff1a38580a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Jun 2020 13:18:17 -0300 +Subject: perf report: Fix NULL pointer dereference in + hists__fprintf_nr_sample_events() + +From: Gaurav Singh + +[ Upstream commit 11b6e5482e178055ec1f2444b55f2518713809d1 ] + +The 'evname' variable can be NULL, as it is checked a few lines back, +check it before using. + +Fixes: 9e207ddfa207 ("perf report: Show call graph from reference events") +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/ +Signed-off-by: Gaurav Singh +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-report.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/tools/perf/builtin-report.c b/tools/perf/builtin-report.c +index f256fac1e7225..74dd196acdac3 100644 +--- a/tools/perf/builtin-report.c ++++ b/tools/perf/builtin-report.c +@@ -334,8 +334,7 @@ static size_t hists__fprintf_nr_sample_events(struct hists *hists, struct report + if (evname != NULL) + ret += fprintf(fp, " of event '%s'", evname); + +- if (symbol_conf.show_ref_callgraph && +- strstr(evname, "call-graph=no")) { ++ if (symbol_conf.show_ref_callgraph && evname && strstr(evname, "call-graph=no")) { + ret += fprintf(fp, ", show reference callgraph"); + } + +-- +2.25.1 + diff --git a/queue-4.4/power-supply-smb347-charger-irqstat_d-is-volatile.patch b/queue-4.4/power-supply-smb347-charger-irqstat_d-is-volatile.patch new file mode 100644 index 00000000000..e2c5f4e4738 --- /dev/null +++ b/queue-4.4/power-supply-smb347-charger-irqstat_d-is-volatile.patch @@ -0,0 +1,38 @@ +From 9fbf594299b1119ce0e3af8b8d5150d7946790ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Mar 2020 18:15:44 +0200 +Subject: power: supply: smb347-charger: IRQSTAT_D is volatile + +From: Dmitry Osipenko + +[ Upstream commit c32ea07a30630ace950e07ffe7a18bdcc25898e1 ] + +Fix failure when USB cable is connected: +smb347 2-006a: reading IRQSTAT_D failed + +Fixes: 1502cfe19bac ("smb347-charger: Fix battery status reporting logic for charger faults") + +Tested-by: David Heidelberg +Signed-off-by: Dmitry Osipenko +Signed-off-by: David Heidelberg +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/smb347-charger.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/power/smb347-charger.c b/drivers/power/smb347-charger.c +index 072c5189bd6d1..0655dbdc7000d 100644 +--- a/drivers/power/smb347-charger.c ++++ b/drivers/power/smb347-charger.c +@@ -1141,6 +1141,7 @@ static bool smb347_volatile_reg(struct device *dev, unsigned int reg) + switch (reg) { + case IRQSTAT_A: + case IRQSTAT_C: ++ case IRQSTAT_D: + case IRQSTAT_E: + case IRQSTAT_F: + case STAT_A: +-- +2.25.1 + diff --git a/queue-4.4/powerpc-crashkernel-take-mem-option-into-account.patch b/queue-4.4/powerpc-crashkernel-take-mem-option-into-account.patch new file mode 100644 index 00000000000..5e7387ae6e1 --- /dev/null +++ b/queue-4.4/powerpc-crashkernel-take-mem-option-into-account.patch @@ -0,0 +1,81 @@ +From 5b7f677ba4e5b71d657bb24fbacfd778eaa3a954 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Apr 2020 22:00:44 +0800 +Subject: powerpc/crashkernel: Take "mem=" option into account + +From: Pingfan Liu + +[ Upstream commit be5470e0c285a68dc3afdea965032f5ddc8269d7 ] + +'mem=" option is an easy way to put high pressure on memory during +some test. Hence after applying the memory limit, instead of total +mem, the actual usable memory should be considered when reserving mem +for crashkernel. Otherwise the boot up may experience OOM issue. + +E.g. it would reserve 4G prior to the change and 512M afterward, if +passing +crashkernel="2G-4G:384M,4G-16G:512M,16G-64G:1G,64G-128G:2G,128G-:4G", +and mem=5G on a 256G machine. + +This issue is powerpc specific because it puts higher priority on +fadump and kdump reservation than on "mem=". Referring the following +code: + if (fadump_reserve_mem() == 0) + reserve_crashkernel(); + ... + /* Ensure that total memory size is page-aligned. */ + limit = ALIGN(memory_limit ?: memblock_phys_mem_size(), PAGE_SIZE); + memblock_enforce_memory_limit(limit); + +While on other arches, the effect of "mem=" takes a higher priority +and pass through memblock_phys_mem_size() before calling +reserve_crashkernel(). + +Signed-off-by: Pingfan Liu +Reviewed-by: Hari Bathini +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1585749644-4148-1-git-send-email-kernelfans@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/machine_kexec.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/kernel/machine_kexec.c b/arch/powerpc/kernel/machine_kexec.c +index 8dff2b3712190..a14d9b008f744 100644 +--- a/arch/powerpc/kernel/machine_kexec.c ++++ b/arch/powerpc/kernel/machine_kexec.c +@@ -113,11 +113,12 @@ void machine_kexec(struct kimage *image) + + void __init reserve_crashkernel(void) + { +- unsigned long long crash_size, crash_base; ++ unsigned long long crash_size, crash_base, total_mem_sz; + int ret; + ++ total_mem_sz = memory_limit ? memory_limit : memblock_phys_mem_size(); + /* use common parsing */ +- ret = parse_crashkernel(boot_command_line, memblock_phys_mem_size(), ++ ret = parse_crashkernel(boot_command_line, total_mem_sz, + &crash_size, &crash_base); + if (ret == 0 && crash_size > 0) { + crashk_res.start = crash_base; +@@ -176,6 +177,7 @@ void __init reserve_crashkernel(void) + /* Crash kernel trumps memory limit */ + if (memory_limit && memory_limit <= crashk_res.end) { + memory_limit = crashk_res.end + 1; ++ total_mem_sz = memory_limit; + printk("Adjusted memory limit for crashkernel, now 0x%llx\n", + memory_limit); + } +@@ -184,7 +186,7 @@ void __init reserve_crashkernel(void) + "for crashkernel (System RAM: %ldMB)\n", + (unsigned long)(crash_size >> 20), + (unsigned long)(crashk_res.start >> 20), +- (unsigned long)(memblock_phys_mem_size() >> 20)); ++ (unsigned long)(total_mem_sz >> 20)); + + if (!memblock_is_region_memory(crashk_res.start, crash_size) || + memblock_reserve(crashk_res.start, crash_size)) { +-- +2.25.1 + diff --git a/queue-4.4/powerpc-ps3-fix-kexec-shutdown-hang.patch b/queue-4.4/powerpc-ps3-fix-kexec-shutdown-hang.patch new file mode 100644 index 00000000000..64cc2f2b8ed --- /dev/null +++ b/queue-4.4/powerpc-ps3-fix-kexec-shutdown-hang.patch @@ -0,0 +1,83 @@ +From 6b47211ab69008f287b3ea6589dfb4577360ad4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 May 2020 18:58:32 +0000 +Subject: powerpc/ps3: Fix kexec shutdown hang + +From: Geoff Levand + +[ Upstream commit 126554465d93b10662742128918a5fc338cda4aa ] + +The ps3_mm_region_destroy() and ps3_mm_vas_destroy() routines +are called very late in the shutdown via kexec's mmu_cleanup_all +routine. By the time mmu_cleanup_all runs it is too late to use +udbg_printf, and calling it will cause PS3 systems to hang. + +Remove all debugging statements from ps3_mm_region_destroy() and +ps3_mm_vas_destroy() and replace any error reporting with calls +to lv1_panic. + +With this change builds with 'DEBUG' defined will not cause kexec +reboots to hang, and builds with 'DEBUG' defined or not will end +in lv1_panic if an error is encountered. + +Signed-off-by: Geoff Levand +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/7325c4af2b4c989c19d6a26b90b1fec9c0615ddf.1589049250.git.geoff@infradead.org +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/ps3/mm.c | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +diff --git a/arch/powerpc/platforms/ps3/mm.c b/arch/powerpc/platforms/ps3/mm.c +index b0f34663b1aec..19bae78b1f25b 100644 +--- a/arch/powerpc/platforms/ps3/mm.c ++++ b/arch/powerpc/platforms/ps3/mm.c +@@ -212,13 +212,14 @@ void ps3_mm_vas_destroy(void) + { + int result; + +- DBG("%s:%d: map.vas_id = %llu\n", __func__, __LINE__, map.vas_id); +- + if (map.vas_id) { + result = lv1_select_virtual_address_space(0); +- BUG_ON(result); +- result = lv1_destruct_virtual_address_space(map.vas_id); +- BUG_ON(result); ++ result += lv1_destruct_virtual_address_space(map.vas_id); ++ ++ if (result) { ++ lv1_panic(0); ++ } ++ + map.vas_id = 0; + } + } +@@ -316,19 +317,20 @@ static void ps3_mm_region_destroy(struct mem_region *r) + int result; + + if (!r->destroy) { +- pr_info("%s:%d: Not destroying high region: %llxh %llxh\n", +- __func__, __LINE__, r->base, r->size); + return; + } + +- DBG("%s:%d: r->base = %llxh\n", __func__, __LINE__, r->base); +- + if (r->base) { + result = lv1_release_memory(r->base); +- BUG_ON(result); ++ ++ if (result) { ++ lv1_panic(0); ++ } ++ + r->size = r->base = r->offset = 0; + map.total = map.rm.size; + } ++ + ps3_mm_set_repository_highmem(NULL); + } + +-- +2.25.1 + diff --git a/queue-4.4/powerpc-pseries-ras-fix-fwnmi_valid-off-by-one.patch b/queue-4.4/powerpc-pseries-ras-fix-fwnmi_valid-off-by-one.patch new file mode 100644 index 00000000000..3222514d757 --- /dev/null +++ b/queue-4.4/powerpc-pseries-ras-fix-fwnmi_valid-off-by-one.patch @@ -0,0 +1,46 @@ +From 4f421bec8353789af70801cc5f1c725d07fc092d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 May 2020 14:33:58 +1000 +Subject: powerpc/pseries/ras: Fix FWNMI_VALID off by one + +From: Nicholas Piggin + +[ Upstream commit deb70f7a35a22dffa55b2c3aac71bc6fb0f486ce ] + +This was discovered developing qemu fwnmi sreset support. This +off-by-one bug means the last 16 bytes of the rtas area can not +be used for a 16 byte save area. + +It's not a serious bug, and QEMU implementation has to retain a +workaround for old kernels, but it's good to tighten it. + +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Acked-by: Mahesh Salgaonkar +Link: https://lore.kernel.org/r/20200508043408.886394-7-npiggin@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/ras.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/ras.c b/arch/powerpc/platforms/pseries/ras.c +index 9795e52bab3d3..9e817c1b78087 100644 +--- a/arch/powerpc/platforms/pseries/ras.c ++++ b/arch/powerpc/platforms/pseries/ras.c +@@ -265,10 +265,11 @@ static irqreturn_t ras_error_interrupt(int irq, void *dev_id) + /* + * Some versions of FWNMI place the buffer inside the 4kB page starting at + * 0x7000. Other versions place it inside the rtas buffer. We check both. ++ * Minimum size of the buffer is 16 bytes. + */ + #define VALID_FWNMI_BUFFER(A) \ +- ((((A) >= 0x7000) && ((A) < 0x7ff0)) || \ +- (((A) >= rtas.base) && ((A) < (rtas.base + rtas.size - 16)))) ++ ((((A) >= 0x7000) && ((A) <= 0x8000 - 16)) || \ ++ (((A) >= rtas.base) && ((A) <= (rtas.base + rtas.size - 16)))) + + /* + * Get the error information for errors coming through the +-- +2.25.1 + diff --git a/queue-4.4/powerpc-pseries-update-hv-24x7-information-after-mig.patch b/queue-4.4/powerpc-pseries-update-hv-24x7-information-after-mig.patch new file mode 100644 index 00000000000..3750d64109a --- /dev/null +++ b/queue-4.4/powerpc-pseries-update-hv-24x7-information-after-mig.patch @@ -0,0 +1,46 @@ +From 7fb81b435f7646e758b424504d3b627e45ac160c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 May 2020 16:13:07 +0530 +Subject: powerpc/pseries: Update hv-24x7 information after migration + +From: Kajol Jain + +[ Upstream commit 373b373053384f12951ae9f916043d955501d482 ] + +Function 'read_sys_info_pseries()' is added to get system parameter +values like number of sockets and chips per socket. +and it gets these details via rtas_call with token +"PROCESSOR_MODULE_INFO". + +Incase lpar migrate from one system to another, system +parameter details like chips per sockets or number of sockets might +change. So, it needs to be re-initialized otherwise, these values +corresponds to previous system values. +This patch adds a call to 'read_sys_info_pseries()' from +'post-mobility_fixup()' to re-init the physsockets and physchips values + +Signed-off-by: Kajol Jain +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200525104308.9814-6-kjain@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/mobility.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/powerpc/platforms/pseries/mobility.c b/arch/powerpc/platforms/pseries/mobility.c +index 8d30a425a88ab..58ddc4389a511 100644 +--- a/arch/powerpc/platforms/pseries/mobility.c ++++ b/arch/powerpc/platforms/pseries/mobility.c +@@ -326,6 +326,9 @@ void post_mobility_fixup(void) + /* Possibly switch to a new RFI flush type */ + pseries_setup_rfi_flush(); + ++ /* Reinitialise system information for hv-24x7 */ ++ read_24x7_sys_info(); ++ + return; + } + +-- +2.25.1 + diff --git a/queue-4.4/ps3disk-use-the-default-segment-boundary.patch b/queue-4.4/ps3disk-use-the-default-segment-boundary.patch new file mode 100644 index 00000000000..bf98dd71758 --- /dev/null +++ b/queue-4.4/ps3disk-use-the-default-segment-boundary.patch @@ -0,0 +1,89 @@ +From 32a54cf994a5540df4cc92e3e98800838cc48ed7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 May 2020 18:58:32 +0000 +Subject: ps3disk: use the default segment boundary + +From: Emmanuel Nicolet + +[ Upstream commit 720bc316690bd27dea9d71510b50f0cd698ffc32 ] + +Since commit dcebd755926b ("block: use bio_for_each_bvec() to compute +multi-page bvec count"), the kernel will bug_on on the PS3 because +bio_split() is called with sectors == 0: + + kernel BUG at block/bio.c:1853! + Oops: Exception in kernel mode, sig: 5 [#1] + BE PAGE_SIZE=4K MMU=Hash PREEMPT SMP NR_CPUS=8 NUMA PS3 + Modules linked in: firewire_sbp2 rtc_ps3(+) soundcore ps3_gelic(+) \ + ps3rom(+) firewire_core ps3vram(+) usb_common crc_itu_t + CPU: 0 PID: 97 Comm: blkid Not tainted 5.3.0-rc4 #1 + NIP: c00000000027d0d0 LR: c00000000027d0b0 CTR: 0000000000000000 + REGS: c00000000135ae90 TRAP: 0700 Not tainted (5.3.0-rc4) + MSR: 8000000000028032 CR: 44008240 XER: 20000000 + IRQMASK: 0 + GPR00: c000000000289368 c00000000135b120 c00000000084a500 c000000004ff8300 + GPR04: 0000000000000c00 c000000004c905e0 c000000004c905e0 000000000000ffff + GPR08: 0000000000000000 0000000000000001 0000000000000000 000000000000ffff + GPR12: 0000000000000000 c0000000008ef000 000000000000003e 0000000000080001 + GPR16: 0000000000000100 000000000000ffff 0000000000000000 0000000000000004 + GPR20: c00000000062fd7e 0000000000000001 000000000000ffff 0000000000000080 + GPR24: c000000000781788 c00000000135b350 0000000000000080 c000000004c905e0 + GPR28: c00000000135b348 c000000004ff8300 0000000000000000 c000000004c90000 + NIP [c00000000027d0d0] .bio_split+0x28/0xac + LR [c00000000027d0b0] .bio_split+0x8/0xac + Call Trace: + [c00000000135b120] [c00000000027d130] .bio_split+0x88/0xac (unreliable) + [c00000000135b1b0] [c000000000289368] .__blk_queue_split+0x11c/0x53c + [c00000000135b2d0] [c00000000028f614] .blk_mq_make_request+0x80/0x7d4 + [c00000000135b3d0] [c000000000283a8c] .generic_make_request+0x118/0x294 + [c00000000135b4b0] [c000000000283d34] .submit_bio+0x12c/0x174 + [c00000000135b580] [c000000000205a44] .mpage_bio_submit+0x3c/0x4c + [c00000000135b600] [c000000000206184] .mpage_readpages+0xa4/0x184 + [c00000000135b750] [c0000000001ff8fc] .blkdev_readpages+0x24/0x38 + [c00000000135b7c0] [c0000000001589f0] .read_pages+0x6c/0x1a8 + [c00000000135b8b0] [c000000000158c74] .__do_page_cache_readahead+0x118/0x184 + [c00000000135b9b0] [c0000000001591a8] .force_page_cache_readahead+0xe4/0xe8 + [c00000000135ba50] [c00000000014fc24] .generic_file_read_iter+0x1d8/0x830 + [c00000000135bb50] [c0000000001ffadc] .blkdev_read_iter+0x40/0x5c + [c00000000135bbc0] [c0000000001b9e00] .new_sync_read+0x144/0x1a0 + [c00000000135bcd0] [c0000000001bc454] .vfs_read+0xa0/0x124 + [c00000000135bd70] [c0000000001bc7a4] .ksys_read+0x70/0xd8 + [c00000000135be20] [c00000000000a524] system_call+0x5c/0x70 + Instruction dump: + 7fe3fb78 482e30dc 7c0802a6 482e3085 7c9e2378 f821ff71 7ca42b78 7d3e00d0 + 7c7d1b78 79290fe0 7cc53378 69290001 <0b090000> 81230028 7bca0020 7929ba62 + [ end trace 313fec760f30aa1f ]--- + +The problem originates from setting the segment boundary of the +request queue to -1UL. This makes get_max_segment_size() return zero +when offset is zero, whatever the max segment size. The test with +BLK_SEG_BOUNDARY_MASK fails and 'mask - (mask & offset) + 1' overflows +to zero in the return statement. + +Not setting the segment boundary and using the default +value (BLK_SEG_BOUNDARY_MASK) fixes the problem. + +Signed-off-by: Emmanuel Nicolet +Signed-off-by: Geoff Levand +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/060a416c43138f45105c0540eff1a45539f7e2fc.1589049250.git.geoff@infradead.org +Signed-off-by: Sasha Levin +--- + drivers/block/ps3disk.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/block/ps3disk.c b/drivers/block/ps3disk.c +index c120d70d3fb3b..fc7a20286090d 100644 +--- a/drivers/block/ps3disk.c ++++ b/drivers/block/ps3disk.c +@@ -464,7 +464,6 @@ static int ps3disk_probe(struct ps3_system_bus_device *_dev) + blk_queue_bounce_limit(queue, BLK_BOUNCE_HIGH); + + blk_queue_max_hw_sectors(queue, dev->bounce_size >> 9); +- blk_queue_segment_boundary(queue, -1UL); + blk_queue_dma_alignment(queue, dev->blk_size-1); + blk_queue_logical_block_size(queue, dev->blk_size); + +-- +2.25.1 + diff --git a/queue-4.4/s390-qdio-put-thinint-indicator-after-early-error.patch b/queue-4.4/s390-qdio-put-thinint-indicator-after-early-error.patch new file mode 100644 index 00000000000..adc026bf0da --- /dev/null +++ b/queue-4.4/s390-qdio-put-thinint-indicator-after-early-error.patch @@ -0,0 +1,85 @@ +From 13a10a7955d2fceb3083841d83b313e424bbedff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Apr 2020 09:59:39 +0200 +Subject: s390/qdio: put thinint indicator after early error + +From: Julian Wiedmann + +[ Upstream commit 75e82bec6b2622c6f455b7a543fb5476a5d0eed7 ] + +qdio_establish() calls qdio_setup_thinint() via qdio_setup_irq(). +If the subsequent qdio_establish_thinint() fails, we miss to put the +DSCI again. Thus the DSCI isn't available for re-use. Given enough of +such errors, we could end up with having only the shared DSCI available. + +Merge qdio_setup_thinint() into qdio_establish_thinint(), and deal with +such an error internally. + +Fixes: 779e6e1c724d ("[S390] qdio: new qdio driver.") +Signed-off-by: Julian Wiedmann +Reviewed-by: Benjamin Block +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + drivers/s390/cio/qdio.h | 1 - + drivers/s390/cio/qdio_setup.c | 1 - + drivers/s390/cio/qdio_thinint.c | 14 ++++++++------ + 3 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/s390/cio/qdio.h b/drivers/s390/cio/qdio.h +index 7e70f9298cc13..11f6ebd045456 100644 +--- a/drivers/s390/cio/qdio.h ++++ b/drivers/s390/cio/qdio.h +@@ -376,7 +376,6 @@ static inline int multicast_outbound(struct qdio_q *q) + extern u64 last_ai_time; + + /* prototypes for thin interrupt */ +-void qdio_setup_thinint(struct qdio_irq *irq_ptr); + int qdio_establish_thinint(struct qdio_irq *irq_ptr); + void qdio_shutdown_thinint(struct qdio_irq *irq_ptr); + void tiqdio_add_input_queues(struct qdio_irq *irq_ptr); +diff --git a/drivers/s390/cio/qdio_setup.c b/drivers/s390/cio/qdio_setup.c +index d0090c5c88e74..a64615a10352b 100644 +--- a/drivers/s390/cio/qdio_setup.c ++++ b/drivers/s390/cio/qdio_setup.c +@@ -479,7 +479,6 @@ int qdio_setup_irq(struct qdio_initialize *init_data) + setup_queues(irq_ptr, init_data); + + setup_qib(irq_ptr, init_data); +- qdio_setup_thinint(irq_ptr); + set_impl_params(irq_ptr, init_data->qib_param_field_format, + init_data->qib_param_field, + init_data->input_slib_elements, +diff --git a/drivers/s390/cio/qdio_thinint.c b/drivers/s390/cio/qdio_thinint.c +index debe69adfc705..aecb6445a5671 100644 +--- a/drivers/s390/cio/qdio_thinint.c ++++ b/drivers/s390/cio/qdio_thinint.c +@@ -268,17 +268,19 @@ int __init tiqdio_register_thinints(void) + + int qdio_establish_thinint(struct qdio_irq *irq_ptr) + { ++ int rc; ++ + if (!is_thinint_irq(irq_ptr)) + return 0; +- return set_subchannel_ind(irq_ptr, 0); +-} + +-void qdio_setup_thinint(struct qdio_irq *irq_ptr) +-{ +- if (!is_thinint_irq(irq_ptr)) +- return; + irq_ptr->dsci = get_indicator(); + DBF_HEX(&irq_ptr->dsci, sizeof(void *)); ++ ++ rc = set_subchannel_ind(irq_ptr, 0); ++ if (rc) ++ put_indicator(irq_ptr->dsci); ++ ++ return rc; + } + + void qdio_shutdown_thinint(struct qdio_irq *irq_ptr) +-- +2.25.1 + diff --git a/queue-4.4/scsi-acornscsi-fix-an-error-handling-path-in-acornsc.patch b/queue-4.4/scsi-acornscsi-fix-an-error-handling-path-in-acornsc.patch new file mode 100644 index 00000000000..a7c9e448289 --- /dev/null +++ b/queue-4.4/scsi-acornscsi-fix-an-error-handling-path-in-acornsc.patch @@ -0,0 +1,40 @@ +From cab71db15f734c42220fef9c6e81f06f3f186cea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 May 2020 10:16:22 +0200 +Subject: scsi: acornscsi: Fix an error handling path in acornscsi_probe() + +From: Christophe JAILLET + +[ Upstream commit 42c76c9848e13dbe0538d7ae0147a269dfa859cb ] + +'ret' is known to be 0 at this point. Explicitly return -ENOMEM if one of +the 'ecardm_iomap()' calls fail. + +Link: https://lore.kernel.org/r/20200530081622.577888-1-christophe.jaillet@wanadoo.fr +Fixes: e95a1b656a98 ("[ARM] rpc: acornscsi: update to new style ecard driver") +Signed-off-by: Christophe JAILLET +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/arm/acornscsi.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/arm/acornscsi.c b/drivers/scsi/arm/acornscsi.c +index deaaf84989cd1..be595add8026b 100644 +--- a/drivers/scsi/arm/acornscsi.c ++++ b/drivers/scsi/arm/acornscsi.c +@@ -2912,8 +2912,10 @@ static int acornscsi_probe(struct expansion_card *ec, const struct ecard_id *id) + + ashost->base = ecardm_iomap(ec, ECARD_RES_MEMC, 0, 0); + ashost->fast = ecardm_iomap(ec, ECARD_RES_IOCFAST, 0, 0); +- if (!ashost->base || !ashost->fast) ++ if (!ashost->base || !ashost->fast) { ++ ret = -ENOMEM; + goto out_put; ++ } + + host->irq = ec->irq; + ashost->host = host; +-- +2.25.1 + diff --git a/queue-4.4/scsi-ibmvscsi-don-t-send-host-info-in-adapter-info-m.patch b/queue-4.4/scsi-ibmvscsi-don-t-send-host-info-in-adapter-info-m.patch new file mode 100644 index 00000000000..c232e18a51c --- /dev/null +++ b/queue-4.4/scsi-ibmvscsi-don-t-send-host-info-in-adapter-info-m.patch @@ -0,0 +1,46 @@ +From 52b52ee75a11cd6c7913b8ee325e93af9c24c762 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jun 2020 15:36:32 -0500 +Subject: scsi: ibmvscsi: Don't send host info in adapter info MAD after LPM + +From: Tyrel Datwyler + +[ Upstream commit 4919b33b63c8b69d8dcf2b867431d0e3b6dc6d28 ] + +The adapter info MAD is used to send the client info and receive the host +info as a response. A persistent buffer is used and as such the client info +is overwritten after the response. During the course of a normal adapter +reset the client info is refreshed in the buffer in preparation for sending +the adapter info MAD. + +However, in the special case of LPM where we reenable the CRQ instead of a +full CRQ teardown and reset we fail to refresh the client info in the +adapter info buffer. As a result, after Live Partition Migration (LPM) we +erroneously report the host's info as our own. + +[mkp: typos] + +Link: https://lore.kernel.org/r/20200603203632.18426-1-tyreld@linux.ibm.com +Signed-off-by: Tyrel Datwyler +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ibmvscsi/ibmvscsi.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/scsi/ibmvscsi/ibmvscsi.c b/drivers/scsi/ibmvscsi/ibmvscsi.c +index e26747a1b35a1..e7075aae15daa 100644 +--- a/drivers/scsi/ibmvscsi/ibmvscsi.c ++++ b/drivers/scsi/ibmvscsi/ibmvscsi.c +@@ -427,6 +427,8 @@ static int ibmvscsi_reenable_crq_queue(struct crq_queue *queue, + int rc = 0; + struct vio_dev *vdev = to_vio_dev(hostdata->dev); + ++ set_adapter_info(hostdata); ++ + /* Re-enable the CRQ */ + do { + if (rc) +-- +2.25.1 + diff --git a/queue-4.4/scsi-iscsi-fix-reference-count-leak-in-iscsi_boot_cr.patch b/queue-4.4/scsi-iscsi-fix-reference-count-leak-in-iscsi_boot_cr.patch new file mode 100644 index 00000000000..4ccbe637512 --- /dev/null +++ b/queue-4.4/scsi-iscsi-fix-reference-count-leak-in-iscsi_boot_cr.patch @@ -0,0 +1,38 @@ +From c32a5851a6d2497a1bd027943a725e6132941b39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 May 2020 15:13:53 -0500 +Subject: scsi: iscsi: Fix reference count leak in iscsi_boot_create_kobj + +From: Qiushi Wu + +[ Upstream commit 0267ffce562c8bbf9b57ebe0e38445ad04972890 ] + +kobject_init_and_add() takes reference even when it fails. If this +function returns an error, kobject_put() must be called to properly +clean up the memory associated with the object. + +Link: https://lore.kernel.org/r/20200528201353.14849-1-wu000273@umn.edu +Reviewed-by: Lee Duncan +Signed-off-by: Qiushi Wu +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/iscsi_boot_sysfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/iscsi_boot_sysfs.c b/drivers/scsi/iscsi_boot_sysfs.c +index 680bf6f0ce767..476f46aad54cb 100644 +--- a/drivers/scsi/iscsi_boot_sysfs.c ++++ b/drivers/scsi/iscsi_boot_sysfs.c +@@ -319,7 +319,7 @@ iscsi_boot_create_kobj(struct iscsi_boot_kset *boot_kset, + boot_kobj->kobj.kset = boot_kset->kset; + if (kobject_init_and_add(&boot_kobj->kobj, &iscsi_boot_ktype, + NULL, name, index)) { +- kfree(boot_kobj); ++ kobject_put(&boot_kobj->kobj); + return NULL; + } + boot_kobj->data = data; +-- +2.25.1 + diff --git a/queue-4.4/scsi-lpfc-fix-lpfc_nodelist-leak-when-processing-uns.patch b/queue-4.4/scsi-lpfc-fix-lpfc_nodelist-leak-when-processing-uns.patch new file mode 100644 index 00000000000..e396ff7f992 --- /dev/null +++ b/queue-4.4/scsi-lpfc-fix-lpfc_nodelist-leak-when-processing-uns.patch @@ -0,0 +1,51 @@ +From ab06f9fb055e4a1d23dab29affe2bcd32d6e7394 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 May 2020 22:16:24 +0800 +Subject: scsi: lpfc: Fix lpfc_nodelist leak when processing unsolicited event + +From: Xiyu Yang + +[ Upstream commit 7217e6e694da3aae6d17db8a7f7460c8d4817ebf ] + +In order to create or activate a new node, lpfc_els_unsol_buffer() invokes +lpfc_nlp_init() or lpfc_enable_node() or lpfc_nlp_get(), all of them will +return a reference of the specified lpfc_nodelist object to "ndlp" with +increased refcnt. + +When lpfc_els_unsol_buffer() returns, local variable "ndlp" becomes +invalid, so the refcount should be decreased to keep refcount balanced. + +The reference counting issue happens in one exception handling path of +lpfc_els_unsol_buffer(). When "ndlp" in DEV_LOSS, the function forgets to +decrease the refcnt increased by lpfc_nlp_init() or lpfc_enable_node() or +lpfc_nlp_get(), causing a refcnt leak. + +Fix this issue by calling lpfc_nlp_put() when "ndlp" in DEV_LOSS. + +Link: https://lore.kernel.org/r/1590416184-52592-1-git-send-email-xiyuyang19@fudan.edu.cn +Reviewed-by: Daniel Wagner +Reviewed-by: James Smart +Signed-off-by: Xiyu Yang +Signed-off-by: Xin Tan +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_els.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c +index 530b7df21322a..315dd25a0c44e 100644 +--- a/drivers/scsi/lpfc/lpfc_els.c ++++ b/drivers/scsi/lpfc/lpfc_els.c +@@ -7315,6 +7315,8 @@ lpfc_els_unsol_buffer(struct lpfc_hba *phba, struct lpfc_sli_ring *pring, + spin_lock_irq(shost->host_lock); + if (ndlp->nlp_flag & NLP_IN_DEV_LOSS) { + spin_unlock_irq(shost->host_lock); ++ if (newnode) ++ lpfc_nlp_put(ndlp); + goto dropit; + } + spin_unlock_irq(shost->host_lock); +-- +2.25.1 + diff --git a/queue-4.4/scsi-mpt3sas-fix-double-free-warnings.patch b/queue-4.4/scsi-mpt3sas-fix-double-free-warnings.patch new file mode 100644 index 00000000000..1b577e30631 --- /dev/null +++ b/queue-4.4/scsi-mpt3sas-fix-double-free-warnings.patch @@ -0,0 +1,43 @@ +From 69619e3ddbce0edcbbcdb2717cd086f3101927d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 May 2020 07:07:38 -0400 +Subject: scsi: mpt3sas: Fix double free warnings + +From: Suganath Prabu S + +[ Upstream commit cbbfdb2a2416c9f0cde913cf09670097ac281282 ] + +Fix following warning from Smatch static analyser: + +drivers/scsi/mpt3sas/mpt3sas_base.c:5256 _base_allocate_memory_pools() +warn: 'ioc->hpr_lookup' double freed + +drivers/scsi/mpt3sas/mpt3sas_base.c:5256 _base_allocate_memory_pools() +warn: 'ioc->internal_lookup' double freed + +Link: https://lore.kernel.org/r/20200508110738.30732-1-suganath-prabu.subramani@broadcom.com +Reported-by: Dan Carpenter +Signed-off-by: Suganath Prabu S +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/mpt3sas/mpt3sas_base.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/scsi/mpt3sas/mpt3sas_base.c b/drivers/scsi/mpt3sas/mpt3sas_base.c +index 7af7a08594785..8d52afd1f71db 100644 +--- a/drivers/scsi/mpt3sas/mpt3sas_base.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_base.c +@@ -3136,7 +3136,9 @@ _base_release_memory_pools(struct MPT3SAS_ADAPTER *ioc) + ioc->scsi_lookup = NULL; + } + kfree(ioc->hpr_lookup); ++ ioc->hpr_lookup = NULL; + kfree(ioc->internal_lookup); ++ ioc->internal_lookup = NULL; + if (ioc->chain_lookup) { + for (i = 0; i < ioc->chain_depth; i++) { + if (ioc->chain_lookup[i].chain_buffer) +-- +2.25.1 + diff --git a/queue-4.4/scsi-qla2xxx-fix-issue-with-adapter-s-stopping-state.patch b/queue-4.4/scsi-qla2xxx-fix-issue-with-adapter-s-stopping-state.patch new file mode 100644 index 00000000000..c331f170edf --- /dev/null +++ b/queue-4.4/scsi-qla2xxx-fix-issue-with-adapter-s-stopping-state.patch @@ -0,0 +1,91 @@ +From a59b7f9a8c417f34af1a22b10cf4cd9cfce709f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Apr 2020 13:55:52 +0300 +Subject: scsi: qla2xxx: Fix issue with adapter's stopping state + +From: Viacheslav Dubeyko + +[ Upstream commit 803e45550b11c8e43d89812356fe6f105adebdf9 ] + +The goal of the following command sequence is to restart the adapter. +However, the tgt_stop flag remains set, indicating that the adapter is +still in stopping state even after re-enabling it. + +echo 0x7fffffff > /sys/module/qla2xxx/parameters/logging +modprobe target_core_mod +modprobe tcm_qla2xxx +mkdir /sys/kernel/config/target/qla2xxx +mkdir /sys/kernel/config/target/qla2xxx/ +mkdir /sys/kernel/config/target/qla2xxx//tpgt_1 +echo 1 > /sys/kernel/config/target/qla2xxx//tpgt_1/enable +echo 0 > /sys/kernel/config/target/qla2xxx//tpgt_1/enable +echo 1 > /sys/kernel/config/target/qla2xxx//tpgt_1/enable + +kernel: PID 1396:qla_target.c:1555 qlt_stop_phase1(): tgt_stop 0x0, tgt_stopped 0x0 +kernel: qla2xxx [0001:00:02.0]-e803:1: PID 1396:qla_target.c:1567: Stopping target for host 1(c0000000033557e8) +kernel: PID 1396:qla_target.c:1579 qlt_stop_phase1(): tgt_stop 0x1, tgt_stopped 0x0 +kernel: PID 1396:qla_target.c:1266 qlt_schedule_sess_for_deletion(): tgt_stop 0x1, tgt_stopped 0x0 +kernel: qla2xxx [0001:00:02.0]-e801:1: PID 1396:qla_target.c:1316: Scheduling sess c00000002d5cd800 for deletion 21:00:00:24:ff:7f:35:c7 + +kernel: qla2xxx [0001:00:02.0]-290a:1: PID 340:qla_target.c:1187: qlt_unreg_sess sess c00000002d5cd800 for deletion 21:00:00:24:ff:7f:35:c7 + +kernel: qla2xxx [0001:00:02.0]-f801:1: PID 340:qla_target.c:1145: Unregistration of sess c00000002d5cd800 21:00:00:24:ff:7f:35:c7 finished fcp_cnt 0 +kernel: PID 340:qla_target.c:1155 qlt_free_session_done(): tgt_stop 0x1, tgt_stopped 0x0 +kernel: qla2xxx [0001:00:02.0]-4807:1: PID 346:qla_os.c:6329: ISP abort scheduled. + +kernel: qla2xxx [0001:00:02.0]-28f1:1: PID 346:qla_os.c:3956: Mark all dev lost +kernel: PID 346:qla_target.c:1266 qlt_schedule_sess_for_deletion(): tgt_stop 0x1, tgt_stopped 0x0 +kernel: qla2xxx [0001:00:02.0]-4808:1: PID 346:qla_os.c:6338: ISP abort end. + +kernel: PID 1396:qla_target.c:6812 qlt_enable_vha(): tgt_stop 0x1, tgt_stopped 0x0 + +kernel: qla2xxx [0001:00:02.0]-4807:1: PID 346:qla_os.c:6329: ISP abort scheduled. + +kernel: qla2xxx [0001:00:02.0]-4808:1: PID 346:qla_os.c:6338: ISP abort end. + +qlt_handle_cmd_for_atio() rejects the request to send commands because the +adapter is in the stopping state: + +kernel: PID 0:qla_target.c:4442 qlt_handle_cmd_for_atio(): tgt_stop 0x1, tgt_stopped 0x0 +kernel: qla2xxx [0001:00:02.0]-3861:1: PID 0:qla_target.c:4447: New command while device c000000005314600 is shutting down +kernel: qla2xxx [0001:00:02.0]-e85f:1: PID 0:qla_target.c:5728: qla_target: Unable to send command to target + +This patch calls qla_stop_phase2() in addition to qlt_stop_phase1() in +tcm_qla2xxx_tpg_enable_store() and tcm_qla2xxx_npiv_tpg_enable_store(). The +qlt_stop_phase1() marks adapter as stopping (tgt_stop == 0x1, tgt_stopped +== 0x0) but qlt_stop_phase2() marks adapter as stopped (tgt_stop == 0x0, +tgt_stopped == 0x1). + +Link: https://lore.kernel.org/r/52be1e8a3537f6c5407eae3edd4c8e08a9545ea5.camel@yadro.com +Reviewed-by: Roman Bolshakov +Reviewed-by: Himanshu Madhani +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/tcm_qla2xxx.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/scsi/qla2xxx/tcm_qla2xxx.c b/drivers/scsi/qla2xxx/tcm_qla2xxx.c +index b1233ce6cb475..1cef25ea0da13 100644 +--- a/drivers/scsi/qla2xxx/tcm_qla2xxx.c ++++ b/drivers/scsi/qla2xxx/tcm_qla2xxx.c +@@ -827,6 +827,7 @@ static ssize_t tcm_qla2xxx_tpg_enable_store(struct config_item *item, + + atomic_set(&tpg->lport_tpg_enabled, 0); + qlt_stop_phase1(vha->vha_tgt.qla_tgt); ++ qlt_stop_phase2(vha->vha_tgt.qla_tgt); + } + + return count; +@@ -990,6 +991,7 @@ static ssize_t tcm_qla2xxx_npiv_tpg_enable_store(struct config_item *item, + + atomic_set(&tpg->lport_tpg_enabled, 0); + qlt_stop_phase1(vha->vha_tgt.qla_tgt); ++ qlt_stop_phase2(vha->vha_tgt.qla_tgt); + } + + return count; +-- +2.25.1 + diff --git a/queue-4.4/scsi-sr-fix-sr_probe-missing-deallocate-of-device-mi.patch b/queue-4.4/scsi-sr-fix-sr_probe-missing-deallocate-of-device-mi.patch new file mode 100644 index 00000000000..361839b4726 --- /dev/null +++ b/queue-4.4/scsi-sr-fix-sr_probe-missing-deallocate-of-device-mi.patch @@ -0,0 +1,47 @@ +From bf560bf4db155dce4f7c71e981d8a450d42321e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 May 2020 18:59:44 +0100 +Subject: scsi: sr: Fix sr_probe() missing deallocate of device minor + +From: Simon Arlott + +[ Upstream commit 6555781b3fdec5e94e6914511496144241df7dee ] + +If the cdrom fails to be registered then the device minor should be +deallocated. + +Link: https://lore.kernel.org/r/072dac4b-8402-4de8-36bd-47e7588969cd@0882a8b5-c6c3-11e9-b005-00805fc181fe +Signed-off-by: Simon Arlott +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/sr.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c +index 5dc288fecace4..7dd4d9ded2491 100644 +--- a/drivers/scsi/sr.c ++++ b/drivers/scsi/sr.c +@@ -746,7 +746,7 @@ static int sr_probe(struct device *dev) + cd->cdi.disk = disk; + + if (register_cdrom(&cd->cdi)) +- goto fail_put; ++ goto fail_minor; + + /* + * Initialize block layer runtime PM stuffs before the +@@ -764,6 +764,10 @@ static int sr_probe(struct device *dev) + + return 0; + ++fail_minor: ++ spin_lock(&sr_index_lock); ++ clear_bit(minor, sr_index_bits); ++ spin_unlock(&sr_index_lock); + fail_put: + put_disk(disk); + fail_free: +-- +2.25.1 + diff --git a/queue-4.4/selftests-net-in-timestamping-strncpy-needs-to-prese.patch b/queue-4.4/selftests-net-in-timestamping-strncpy-needs-to-prese.patch new file mode 100644 index 00000000000..74f70d33173 --- /dev/null +++ b/queue-4.4/selftests-net-in-timestamping-strncpy-needs-to-prese.patch @@ -0,0 +1,68 @@ +From 5ae0b5f609a0c70a2989498f17c4e95743d7828a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Jun 2020 15:37:15 -0400 +Subject: selftests/net: in timestamping, strncpy needs to preserve null byte +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: tannerlove + +[ Upstream commit 8027bc0307ce59759b90679fa5d8b22949586d20 ] + +If user passed an interface option longer than 15 characters, then +device.ifr_name and hwtstamp.ifr_name became non-null-terminated +strings. The compiler warned about this: + +timestamping.c:353:2: warning: ‘strncpy’ specified bound 16 equals \ +destination size [-Wstringop-truncation] + 353 | strncpy(device.ifr_name, interface, sizeof(device.ifr_name)); + +Fixes: cb9eff097831 ("net: new user space API for time stamping of incoming and outgoing packets") +Signed-off-by: Tanner Love +Acked-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../selftests/networking/timestamping/timestamping.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/networking/timestamping/timestamping.c b/tools/testing/selftests/networking/timestamping/timestamping.c +index 5cdfd743447b7..900ed4b478996 100644 +--- a/tools/testing/selftests/networking/timestamping/timestamping.c ++++ b/tools/testing/selftests/networking/timestamping/timestamping.c +@@ -332,10 +332,16 @@ int main(int argc, char **argv) + int val; + socklen_t len; + struct timeval next; ++ size_t if_len; + + if (argc < 2) + usage(0); + interface = argv[1]; ++ if_len = strlen(interface); ++ if (if_len >= IFNAMSIZ) { ++ printf("interface name exceeds IFNAMSIZ\n"); ++ exit(1); ++ } + + for (i = 2; i < argc; i++) { + if (!strcasecmp(argv[i], "SO_TIMESTAMP")) +@@ -369,12 +375,12 @@ int main(int argc, char **argv) + bail("socket"); + + memset(&device, 0, sizeof(device)); +- strncpy(device.ifr_name, interface, sizeof(device.ifr_name)); ++ memcpy(device.ifr_name, interface, if_len + 1); + if (ioctl(sock, SIOCGIFADDR, &device) < 0) + bail("getting interface IP address"); + + memset(&hwtstamp, 0, sizeof(hwtstamp)); +- strncpy(hwtstamp.ifr_name, interface, sizeof(hwtstamp.ifr_name)); ++ memcpy(hwtstamp.ifr_name, interface, if_len + 1); + hwtstamp.ifr_data = (void *)&hwconfig; + memset(&hwconfig, 0, sizeof(hwconfig)); + hwconfig.tx_type = +-- +2.25.1 + diff --git a/queue-4.4/serial-amba-pl011-make-sure-we-initialize-the-port.l.patch b/queue-4.4/serial-amba-pl011-make-sure-we-initialize-the-port.l.patch new file mode 100644 index 00000000000..ec793f4c67a --- /dev/null +++ b/queue-4.4/serial-amba-pl011-make-sure-we-initialize-the-port.l.patch @@ -0,0 +1,87 @@ +From 083033eacbe99d89817a0cc746916f1b84d1651b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Apr 2020 18:40:50 +0000 +Subject: serial: amba-pl011: Make sure we initialize the port.lock spinlock + +From: John Stultz + +[ Upstream commit 8508f4cba308f785b2fd4b8c38849c117b407297 ] + +Valentine reported seeing: + +[ 3.626638] INFO: trying to register non-static key. +[ 3.626639] the code is fine but needs lockdep annotation. +[ 3.626640] turning off the locking correctness validator. +[ 3.626644] CPU: 7 PID: 51 Comm: kworker/7:1 Not tainted 5.7.0-rc2-00115-g8c2e9790f196 #116 +[ 3.626646] Hardware name: HiKey960 (DT) +[ 3.626656] Workqueue: events deferred_probe_work_func +[ 3.632476] sd 0:0:0:0: [sda] Optimal transfer size 8192 bytes not a multiple of physical block size (16384 bytes) +[ 3.640220] Call trace: +[ 3.640225] dump_backtrace+0x0/0x1b8 +[ 3.640227] show_stack+0x20/0x30 +[ 3.640230] dump_stack+0xec/0x158 +[ 3.640234] register_lock_class+0x598/0x5c0 +[ 3.640235] __lock_acquire+0x80/0x16c0 +[ 3.640236] lock_acquire+0xf4/0x4a0 +[ 3.640241] _raw_spin_lock_irqsave+0x70/0xa8 +[ 3.640245] uart_add_one_port+0x388/0x4b8 +[ 3.640248] pl011_register_port+0x70/0xf0 +[ 3.640250] pl011_probe+0x184/0x1b8 +[ 3.640254] amba_probe+0xdc/0x180 +[ 3.640256] really_probe+0xe0/0x338 +[ 3.640257] driver_probe_device+0x60/0xf8 +[ 3.640259] __device_attach_driver+0x8c/0xd0 +[ 3.640260] bus_for_each_drv+0x84/0xd8 +[ 3.640261] __device_attach+0xe4/0x140 +[ 3.640263] device_initial_probe+0x1c/0x28 +[ 3.640265] bus_probe_device+0xa4/0xb0 +[ 3.640266] deferred_probe_work_func+0x7c/0xb8 +[ 3.640269] process_one_work+0x2c0/0x768 +[ 3.640271] worker_thread+0x4c/0x498 +[ 3.640272] kthread+0x14c/0x158 +[ 3.640275] ret_from_fork+0x10/0x1c + +Which seems to be due to the fact that after allocating the uap +structure, nothing initializes the spinlock. + +Its a little confusing, as uart_port_spin_lock_init() is one +place where the lock is supposed to be initialized, but it has +an exception for the case where the port is a console. + +This makes it seem like a deeper fix is needed to properly +register the console, but I'm not sure what that entails, and +Andy suggested that this approach is less invasive. + +Thus, this patch resolves the issue by initializing the spinlock +in the driver, and resolves the resulting warning. + +Cc: Andy Shevchenko +Cc: Russell King +Cc: Jiri Slaby +Cc: linux-serial@vger.kernel.org +Reported-by: Valentin Schneider +Reviewed-by: Andy Shevchenko +Signed-off-by: John Stultz +Reviewed-and-tested-by: Valentin Schneider +Link: https://lore.kernel.org/r/20200428184050.6501-1-john.stultz@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/amba-pl011.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/tty/serial/amba-pl011.c b/drivers/tty/serial/amba-pl011.c +index 899a77187bdea..c5da46f7b9093 100644 +--- a/drivers/tty/serial/amba-pl011.c ++++ b/drivers/tty/serial/amba-pl011.c +@@ -2323,6 +2323,7 @@ static int pl011_setup_port(struct device *dev, struct uart_amba_port *uap, + uap->port.fifosize = uap->fifosize; + uap->port.flags = UPF_BOOT_AUTOCONF; + uap->port.line = index; ++ spin_lock_init(&uap->port.lock); + + amba_ports[index] = uap; + +-- +2.25.1 + diff --git a/queue-4.4/series b/queue-4.4/series new file mode 100644 index 00000000000..6885f68f595 --- /dev/null +++ b/queue-4.4/series @@ -0,0 +1,62 @@ +clk-sunxi-fix-incorrect-usage-of-round_down.patch +i2c-piix4-detect-secondary-smbus-controller-on-amd-a.patch +clk-qcom-msm8916-fix-the-address-location-of-pll-con.patch +alsa-isa-wavefront-prevent-out-of-bounds-write-in-io.patch +scsi-qla2xxx-fix-issue-with-adapter-s-stopping-state.patch +i2c-pxa-clear-all-master-action-bits-in-i2c_pxa_stop.patch +usblp-poison-urbs-upon-disconnect.patch +ps3disk-use-the-default-segment-boundary.patch +vfio-pci-fix-memory-leaks-in-alloc_perm_bits.patch +mfd-wm8994-fix-driver-operation-if-loaded-as-modules.patch +scsi-lpfc-fix-lpfc_nodelist-leak-when-processing-uns.patch +powerpc-pseries-update-hv-24x7-information-after-mig.patch +nfsd-fix-svc_xprt-refcnt-leak-when-setup-callback-cl.patch +powerpc-crashkernel-take-mem-option-into-account.patch +yam-fix-possible-memory-leak-in-yam_init_driver.patch +mksysmap-fix-the-mismatch-of-.l-symbols-in-system.ma.patch +scsi-sr-fix-sr_probe-missing-deallocate-of-device-mi.patch +scsi-ibmvscsi-don-t-send-host-info-in-adapter-info-m.patch +staging-rtl8712-fix-multiline-derefernce-warnings.patch +alsa-usb-audio-improve-frames-size-computation.patch +s390-qdio-put-thinint-indicator-after-early-error.patch +tty-hvc-fix-data-abort-due-to-race-in-hvc_open.patch +staging-sm750fb-add-missing-case-while-setting-fb_vi.patch +i2c-pxa-fix-i2c_pxa_scream_blue_murder-debug-output.patch +serial-amba-pl011-make-sure-we-initialize-the-port.l.patch +drivers-base-fix-null-pointer-exception-in-__platfor.patch +pci-aspm-allow-aspm-on-links-to-pcie-to-pci-pci-x-br.patch +power-supply-smb347-charger-irqstat_d-is-volatile.patch +scsi-mpt3sas-fix-double-free-warnings.patch +dlm-remove-bug-before-panic.patch +clk-ti-composite-fix-memory-leak.patch +tty-n_gsm-fix-sof-skipping.patch +tty-n_gsm-fix-waking-up-upper-tty-layer-when-room-av.patch +powerpc-pseries-ras-fix-fwnmi_valid-off-by-one.patch +powerpc-ps3-fix-kexec-shutdown-hang.patch +vfio-pci-mask-cap-zero.patch +usb-ohci-platform-fix-a-warning-when-hibernating.patch +usb-host-ehci-mxc-add-error-handling-in-ehci_mxc_drv.patch +tty-n_gsm-fix-bogus-i-in-gsm_data_kick.patch +clk-samsung-exynos5433-add-ignore_unused-flag-to-scl.patch +watchdog-da9062-no-need-to-ping-manually-before-sett.patch +usb-dwc2-gadget-move-gadget-resume-after-the-core-is.patch +usb-gadget-udc-s3c2410_udc-remove-pointless-null-che.patch +usb-gadget-lpc32xx_udc-don-t-dereference-ep-pointer-.patch +usb-gadget-fix-potential-double-free-in-m66592_probe.patch +net-sunrpc-fix-off-by-one-issues-in-rpc_ntop6.patch +asoc-fsl_asrc_dma-fix-dma_chan-leak-when-config-dma-.patch +openrisc-fix-issue-with-argument-clobbering-for-clon.patch +gfs2-allow-lock_nolock-mount-to-specify-jid-x.patch +scsi-iscsi-fix-reference-count-leak-in-iscsi_boot_cr.patch +lib-zlib-remove-outdated-and-incorrect-pre-increment.patch +include-linux-bitops.h-avoid-clang-shift-count-overf.patch +elfnote-mark-all-.note-sections-shf_alloc.patch +selftests-net-in-timestamping-strncpy-needs-to-prese.patch +scsi-acornscsi-fix-an-error-handling-path-in-acornsc.patch +usb-xhci-plat-set-pm-runtime-as-active-on-resume.patch +usb-ehci-platform-set-pm-runtime-as-active-on-resume.patch +perf-report-fix-null-pointer-dereference-in-hists__f.patch +bcache-fix-potential-deadlock-problem-in-btree_gc_co.patch +block-fix-use-after-free-in-blkdev_get.patch +libata-use-per-port-sync-for-detach.patch +drm-encoder_slave-fix-refcouting-error-for-modules.patch diff --git a/queue-4.4/staging-rtl8712-fix-multiline-derefernce-warnings.patch b/queue-4.4/staging-rtl8712-fix-multiline-derefernce-warnings.patch new file mode 100644 index 00000000000..54807ce26aa --- /dev/null +++ b/queue-4.4/staging-rtl8712-fix-multiline-derefernce-warnings.patch @@ -0,0 +1,80 @@ +From e57d07be798de1feb15dbfb69de95f11f42086ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Mar 2020 14:57:47 -0400 +Subject: staging: rtl8712: fix multiline derefernce warnings + +From: Aiman Najjar + +[ Upstream commit 269da10b1477c31c660288633c8d613e421b131f ] + +This patch fixes remaining checkpatch warnings +in rtl871x_xmit.c: + +WARNING: Avoid multiple line dereference - prefer 'psecuritypriv->PrivacyKeyIndex' +636: FILE: drivers/staging//rtl8712/rtl871x_xmit.c:636: ++ (u8)psecuritypriv-> ++ PrivacyKeyIndex); + +WARNING: Avoid multiple line dereference - prefer 'psecuritypriv->XGrpKeyid' +643: FILE: drivers/staging//rtl8712/rtl871x_xmit.c:643: ++ (u8)psecuritypriv-> ++ XGrpKeyid); + +WARNING: Avoid multiple line dereference - prefer 'psecuritypriv->XGrpKeyid' +652: FILE: drivers/staging//rtl8712/rtl871x_xmit.c:652: ++ (u8)psecuritypriv-> ++ XGrpKeyid); + +Signed-off-by: Aiman Najjar +Reviewed-by: Dan Carpenter +Link: https://lore.kernel.org/r/98805a72b92e9bbf933e05b827d27944663b7bc1.1585508171.git.aiman.najjar@hurranet.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/rtl8712/rtl871x_xmit.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +diff --git a/drivers/staging/rtl8712/rtl871x_xmit.c b/drivers/staging/rtl8712/rtl871x_xmit.c +index d3ad89c7b8afd..f82bbbe82244f 100644 +--- a/drivers/staging/rtl8712/rtl871x_xmit.c ++++ b/drivers/staging/rtl8712/rtl871x_xmit.c +@@ -593,7 +593,7 @@ sint r8712_xmitframe_coalesce(struct _adapter *padapter, _pkt *pkt, + addr_t addr; + u8 *pframe, *mem_start, *ptxdesc; + struct sta_info *psta; +- struct security_priv *psecuritypriv = &padapter->securitypriv; ++ struct security_priv *psecpriv = &padapter->securitypriv; + struct mlme_priv *pmlmepriv = &padapter->mlmepriv; + struct xmit_priv *pxmitpriv = &padapter->xmitpriv; + struct pkt_attrib *pattrib = &pxmitframe->attrib; +@@ -636,15 +636,13 @@ sint r8712_xmitframe_coalesce(struct _adapter *padapter, _pkt *pkt, + case _WEP40_: + case _WEP104_: + WEP_IV(pattrib->iv, psta->txpn, +- (u8)psecuritypriv-> +- PrivacyKeyIndex); ++ (u8)psecpriv->PrivacyKeyIndex); + break; + case _TKIP_: + if (bmcst) + TKIP_IV(pattrib->iv, + psta->txpn, +- (u8)psecuritypriv-> +- XGrpKeyid); ++ (u8)psecpriv->XGrpKeyid); + else + TKIP_IV(pattrib->iv, psta->txpn, + 0); +@@ -652,8 +650,7 @@ sint r8712_xmitframe_coalesce(struct _adapter *padapter, _pkt *pkt, + case _AES_: + if (bmcst) + AES_IV(pattrib->iv, psta->txpn, +- (u8)psecuritypriv-> +- XGrpKeyid); ++ (u8)psecpriv->XGrpKeyid); + else + AES_IV(pattrib->iv, psta->txpn, + 0); +-- +2.25.1 + diff --git a/queue-4.4/staging-sm750fb-add-missing-case-while-setting-fb_vi.patch b/queue-4.4/staging-sm750fb-add-missing-case-while-setting-fb_vi.patch new file mode 100644 index 00000000000..023196d3c1d --- /dev/null +++ b/queue-4.4/staging-sm750fb-add-missing-case-while-setting-fb_vi.patch @@ -0,0 +1,36 @@ +From 81130b6aea46b762d2a6b988da0989efc8d6a16e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Apr 2020 22:09:24 +0200 +Subject: staging: sm750fb: add missing case while setting FB_VISUAL + +From: Matej Dujava + +[ Upstream commit fa90133377f4a7f15a937df6ad55133bb57c5665 ] + +Switch statement does not contain all cases: 8, 16, 24, 32. +This patch will add missing one (24) + +Fixes: 81dee67e215b ("staging: sm750fb: add sm750 to staging") +Signed-off-by: Matej Dujava +Link: https://lore.kernel.org/r/1588277366-19354-2-git-send-email-mdujava@kocurkovo.cz +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/sm750fb/sm750.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/staging/sm750fb/sm750.c b/drivers/staging/sm750fb/sm750.c +index 860e1c288ad5e..75b47d61318a1 100644 +--- a/drivers/staging/sm750fb/sm750.c ++++ b/drivers/staging/sm750fb/sm750.c +@@ -894,6 +894,7 @@ static int lynxfb_set_fbinfo(struct fb_info *info, int index) + fix->visual = FB_VISUAL_PSEUDOCOLOR; + break; + case 16: ++ case 24: + case 32: + fix->visual = FB_VISUAL_TRUECOLOR; + break; +-- +2.25.1 + diff --git a/queue-4.4/tty-hvc-fix-data-abort-due-to-race-in-hvc_open.patch b/queue-4.4/tty-hvc-fix-data-abort-due-to-race-in-hvc_open.patch new file mode 100644 index 00000000000..3d7663f53d8 --- /dev/null +++ b/queue-4.4/tty-hvc-fix-data-abort-due-to-race-in-hvc_open.patch @@ -0,0 +1,81 @@ +From 1afb32eb305c0c5fa51772b009e5b75c26c98250 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Apr 2020 20:26:01 -0700 +Subject: tty: hvc: Fix data abort due to race in hvc_open + +From: Raghavendra Rao Ananta + +[ Upstream commit e2bd1dcbe1aa34ff5570b3427c530e4332ecf0fe ] + +Potentially, hvc_open() can be called in parallel when two tasks calls +open() on /dev/hvcX. In such a scenario, if the hp->ops->notifier_add() +callback in the function fails, where it sets the tty->driver_data to +NULL, the parallel hvc_open() can see this NULL and cause a memory abort. +Hence, serialize hvc_open and check if tty->private_data is NULL before +proceeding ahead. + +The issue can be easily reproduced by launching two tasks simultaneously +that does nothing but open() and close() on /dev/hvcX. +For example: +$ ./simple_open_close /dev/hvc0 & ./simple_open_close /dev/hvc0 & + +Signed-off-by: Raghavendra Rao Ananta +Link: https://lore.kernel.org/r/20200428032601.22127-1-rananta@codeaurora.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/hvc/hvc_console.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/drivers/tty/hvc/hvc_console.c b/drivers/tty/hvc/hvc_console.c +index acf6d143c7531..81f23af8beca9 100644 +--- a/drivers/tty/hvc/hvc_console.c ++++ b/drivers/tty/hvc/hvc_console.c +@@ -89,6 +89,8 @@ static LIST_HEAD(hvc_structs); + */ + static DEFINE_SPINLOCK(hvc_structs_lock); + ++/* Mutex to serialize hvc_open */ ++static DEFINE_MUTEX(hvc_open_mutex); + /* + * This value is used to assign a tty->index value to a hvc_struct based + * upon order of exposure via hvc_probe(), when we can not match it to +@@ -333,16 +335,24 @@ static int hvc_install(struct tty_driver *driver, struct tty_struct *tty) + */ + static int hvc_open(struct tty_struct *tty, struct file * filp) + { +- struct hvc_struct *hp = tty->driver_data; ++ struct hvc_struct *hp; + unsigned long flags; + int rc = 0; + ++ mutex_lock(&hvc_open_mutex); ++ ++ hp = tty->driver_data; ++ if (!hp) { ++ rc = -EIO; ++ goto out; ++ } ++ + spin_lock_irqsave(&hp->port.lock, flags); + /* Check and then increment for fast path open. */ + if (hp->port.count++ > 0) { + spin_unlock_irqrestore(&hp->port.lock, flags); + hvc_kick(); +- return 0; ++ goto out; + } /* else count == 0 */ + spin_unlock_irqrestore(&hp->port.lock, flags); + +@@ -371,6 +381,8 @@ static int hvc_open(struct tty_struct *tty, struct file * filp) + /* Force wakeup of the polling thread */ + hvc_kick(); + ++out: ++ mutex_unlock(&hvc_open_mutex); + return rc; + } + +-- +2.25.1 + diff --git a/queue-4.4/tty-n_gsm-fix-bogus-i-in-gsm_data_kick.patch b/queue-4.4/tty-n_gsm-fix-bogus-i-in-gsm_data_kick.patch new file mode 100644 index 00000000000..a963ecaa4be --- /dev/null +++ b/queue-4.4/tty-n_gsm-fix-bogus-i-in-gsm_data_kick.patch @@ -0,0 +1,53 @@ +From 150c81021020bfcb16c4c80ec1b5c6deafa3458c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 May 2020 10:45:13 +0200 +Subject: tty: n_gsm: Fix bogus i++ in gsm_data_kick + +From: Gregory CLEMENT + +[ Upstream commit 4dd31f1ffec6c370c3c2e0c605628bf5e16d5c46 ] + +When submitting the previous fix "tty: n_gsm: Fix waking up upper tty +layer when room available". It was suggested to switch from a while to +a for loop, but when doing it, there was a remaining bogus i++. + +This patch removes this i++ and also reorganizes the code making it more +compact. + +Fixes: e1eaea46bb40 ("tty: n_gsm line discipline") +Signed-off-by: Gregory CLEMENT +Link: https://lore.kernel.org/r/20200518084517.2173242-3-gregory.clement@bootlin.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/n_gsm.c | 14 +++----------- + 1 file changed, 3 insertions(+), 11 deletions(-) + +diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c +index 0020de4fe66f5..9b2beada2ff3b 100644 +--- a/drivers/tty/n_gsm.c ++++ b/drivers/tty/n_gsm.c +@@ -719,17 +719,9 @@ static void gsm_data_kick(struct gsm_mux *gsm, struct gsm_dlci *dlci) + } else { + int i = 0; + +- for (i = 0; i < NUM_DLCI; i++) { +- struct gsm_dlci *dlci; +- +- dlci = gsm->dlci[i]; +- if (dlci == NULL) { +- i++; +- continue; +- } +- +- tty_port_tty_wakeup(&dlci->port); +- } ++ for (i = 0; i < NUM_DLCI; i++) ++ if (gsm->dlci[i]) ++ tty_port_tty_wakeup(&gsm->dlci[i]->port); + } + } + } +-- +2.25.1 + diff --git a/queue-4.4/tty-n_gsm-fix-sof-skipping.patch b/queue-4.4/tty-n_gsm-fix-sof-skipping.patch new file mode 100644 index 00000000000..573e435a2c9 --- /dev/null +++ b/queue-4.4/tty-n_gsm-fix-sof-skipping.patch @@ -0,0 +1,58 @@ +From 59961277baad2a030903cf0c51667da3369a500a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 May 2020 13:53:22 +0200 +Subject: tty: n_gsm: Fix SOF skipping + +From: Gregory CLEMENT + +[ Upstream commit 84d6f81c1fb58b56eba81ff0a36cf31946064b40 ] + +For at least some modems like the TELIT LE910, skipping SOF makes +transfers blocking indefinitely after a short amount of data +transferred. + +Given the small improvement provided by skipping the SOF (just one +byte on about 100 bytes), it seems better to completely remove this +"feature" than make it optional. + +Fixes: e1eaea46bb40 ("tty: n_gsm line discipline") +Signed-off-by: Gregory CLEMENT +Link: https://lore.kernel.org/r/20200512115323.1447922-3-gregory.clement@bootlin.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/n_gsm.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c +index 6060c3e8925ef..08aaf993221e7 100644 +--- a/drivers/tty/n_gsm.c ++++ b/drivers/tty/n_gsm.c +@@ -685,7 +685,6 @@ static void gsm_data_kick(struct gsm_mux *gsm) + { + struct gsm_msg *msg, *nmsg; + int len; +- int skip_sof = 0; + + list_for_each_entry_safe(msg, nmsg, &gsm->tx_list, list) { + if (gsm->constipated && msg->addr) +@@ -707,15 +706,10 @@ static void gsm_data_kick(struct gsm_mux *gsm) + print_hex_dump_bytes("gsm_data_kick: ", + DUMP_PREFIX_OFFSET, + gsm->txframe, len); +- +- if (gsm->output(gsm, gsm->txframe + skip_sof, +- len - skip_sof) < 0) ++ if (gsm->output(gsm, gsm->txframe, len) < 0) + break; + /* FIXME: Can eliminate one SOF in many more cases */ + gsm->tx_bytes -= msg->len; +- /* For a burst of frames skip the extra SOF within the +- burst */ +- skip_sof = 1; + + list_del(&msg->list); + kfree(msg); +-- +2.25.1 + diff --git a/queue-4.4/tty-n_gsm-fix-waking-up-upper-tty-layer-when-room-av.patch b/queue-4.4/tty-n_gsm-fix-waking-up-upper-tty-layer-when-room-av.patch new file mode 100644 index 00000000000..7d877caaa49 --- /dev/null +++ b/queue-4.4/tty-n_gsm-fix-waking-up-upper-tty-layer-when-room-av.patch @@ -0,0 +1,90 @@ +From 790cd3c2f56e77b291f1f5830eeeeba76d6e1952 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 May 2020 13:53:23 +0200 +Subject: tty: n_gsm: Fix waking up upper tty layer when room available + +From: Gregory CLEMENT + +[ Upstream commit 01dbb362f0a114fbce19c8abe4cd6f4710e934d5 ] + +Warn the upper layer when n_gms is ready to receive data +again. Without this the associated virtual tty remains blocked +indefinitely. + +Fixes: e1eaea46bb40 ("tty: n_gsm line discipline") +Signed-off-by: Gregory CLEMENT +Link: https://lore.kernel.org/r/20200512115323.1447922-4-gregory.clement@bootlin.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/n_gsm.c | 26 ++++++++++++++++++++++---- + 1 file changed, 22 insertions(+), 4 deletions(-) + +diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c +index 08aaf993221e7..0020de4fe66f5 100644 +--- a/drivers/tty/n_gsm.c ++++ b/drivers/tty/n_gsm.c +@@ -681,7 +681,7 @@ static struct gsm_msg *gsm_data_alloc(struct gsm_mux *gsm, u8 addr, int len, + * FIXME: lock against link layer control transmissions + */ + +-static void gsm_data_kick(struct gsm_mux *gsm) ++static void gsm_data_kick(struct gsm_mux *gsm, struct gsm_dlci *dlci) + { + struct gsm_msg *msg, *nmsg; + int len; +@@ -713,6 +713,24 @@ static void gsm_data_kick(struct gsm_mux *gsm) + + list_del(&msg->list); + kfree(msg); ++ ++ if (dlci) { ++ tty_port_tty_wakeup(&dlci->port); ++ } else { ++ int i = 0; ++ ++ for (i = 0; i < NUM_DLCI; i++) { ++ struct gsm_dlci *dlci; ++ ++ dlci = gsm->dlci[i]; ++ if (dlci == NULL) { ++ i++; ++ continue; ++ } ++ ++ tty_port_tty_wakeup(&dlci->port); ++ } ++ } + } + } + +@@ -764,7 +782,7 @@ static void __gsm_data_queue(struct gsm_dlci *dlci, struct gsm_msg *msg) + /* Add to the actual output queue */ + list_add_tail(&msg->list, &gsm->tx_list); + gsm->tx_bytes += msg->len; +- gsm_data_kick(gsm); ++ gsm_data_kick(gsm, dlci); + } + + /** +@@ -1225,7 +1243,7 @@ static void gsm_control_message(struct gsm_mux *gsm, unsigned int command, + gsm_control_reply(gsm, CMD_FCON, NULL, 0); + /* Kick the link in case it is idling */ + spin_lock_irqsave(&gsm->tx_lock, flags); +- gsm_data_kick(gsm); ++ gsm_data_kick(gsm, NULL); + spin_unlock_irqrestore(&gsm->tx_lock, flags); + break; + case CMD_FCOFF: +@@ -2423,7 +2441,7 @@ static void gsmld_write_wakeup(struct tty_struct *tty) + /* Queue poll */ + clear_bit(TTY_DO_WRITE_WAKEUP, &tty->flags); + spin_lock_irqsave(&gsm->tx_lock, flags); +- gsm_data_kick(gsm); ++ gsm_data_kick(gsm, NULL); + if (gsm->tx_bytes < TX_THRESH_LO) { + gsm_dlci_data_sweep(gsm); + } +-- +2.25.1 + diff --git a/queue-4.4/usb-dwc2-gadget-move-gadget-resume-after-the-core-is.patch b/queue-4.4/usb-dwc2-gadget-move-gadget-resume-after-the-core-is.patch new file mode 100644 index 00000000000..d9b0ed0fb61 --- /dev/null +++ b/queue-4.4/usb-dwc2-gadget-move-gadget-resume-after-the-core-is.patch @@ -0,0 +1,51 @@ +From 9a03d6c5e23e8995bfa3c958612ba557fb8a2801 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Apr 2020 13:55:53 +0200 +Subject: usb: dwc2: gadget: move gadget resume after the core is in L0 state + +From: Fabrice Gasnier + +[ Upstream commit 8c935deacebb8fac8f41378701eb79d12f3c2e2d ] + +When the remote wakeup interrupt is triggered, lx_state is resumed from L2 +to L0 state. But when the gadget resume is called, lx_state is still L2. +This prevents the resume callback to queue any request. Any attempt +to queue a request from resume callback will result in: +- "submit request only in active state" debug message to be issued +- dwc2_hsotg_ep_queue() returns -EAGAIN + +Call the gadget resume routine after the core is in L0 state. + +Fixes: f81f46e1f530 ("usb: dwc2: implement hibernation during bus suspend/resume") + +Acked-by: Minas Harutyunyan +Signed-off-by: Fabrice Gasnier +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc2/core_intr.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/dwc2/core_intr.c b/drivers/usb/dwc2/core_intr.c +index 27daa42788b1a..796d60d49ac5f 100644 +--- a/drivers/usb/dwc2/core_intr.c ++++ b/drivers/usb/dwc2/core_intr.c +@@ -363,10 +363,13 @@ static void dwc2_handle_wakeup_detected_intr(struct dwc2_hsotg *hsotg) + if (ret && (ret != -ENOTSUPP)) + dev_err(hsotg->dev, "exit hibernation failed\n"); + ++ /* Change to L0 state */ ++ hsotg->lx_state = DWC2_L0; + call_gadget(hsotg, resume); ++ } else { ++ /* Change to L0 state */ ++ hsotg->lx_state = DWC2_L0; + } +- /* Change to L0 state */ +- hsotg->lx_state = DWC2_L0; + } else { + if (hsotg->core_params->hibernation) { + dwc2_writel(GINTSTS_WKUPINT, hsotg->regs + GINTSTS); +-- +2.25.1 + diff --git a/queue-4.4/usb-ehci-platform-set-pm-runtime-as-active-on-resume.patch b/queue-4.4/usb-ehci-platform-set-pm-runtime-as-active-on-resume.patch new file mode 100644 index 00000000000..091f5d8063e --- /dev/null +++ b/queue-4.4/usb-ehci-platform-set-pm-runtime-as-active-on-resume.patch @@ -0,0 +1,52 @@ +From eb34c99e1a1121f7d41bd8761293eed2ab14a7e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 May 2020 16:49:31 +0100 +Subject: usb/ehci-platform: Set PM runtime as active on resume + +From: Qais Yousef + +[ Upstream commit 16bdc04cc98ab0c74392ceef2475ecc5e73fcf49 ] + +Follow suit of ohci-platform.c and perform pm_runtime_set_active() on +resume. + +ohci-platform.c had a warning reported due to the missing +pm_runtime_set_active() [1]. + +[1] https://lore.kernel.org/lkml/20200323143857.db5zphxhq4hz3hmd@e107158-lin.cambridge.arm.com/ + +Acked-by: Alan Stern +Signed-off-by: Qais Yousef +CC: Tony Prisk +CC: Greg Kroah-Hartman +CC: Mathias Nyman +CC: Oliver Neukum +CC: linux-arm-kernel@lists.infradead.org +CC: linux-usb@vger.kernel.org +CC: linux-kernel@vger.kernel.org +Link: https://lore.kernel.org/r/20200518154931.6144-3-qais.yousef@arm.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/ehci-platform.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/usb/host/ehci-platform.c b/drivers/usb/host/ehci-platform.c +index bd7082f297bbe..56200650b46b4 100644 +--- a/drivers/usb/host/ehci-platform.c ++++ b/drivers/usb/host/ehci-platform.c +@@ -375,6 +375,11 @@ static int ehci_platform_resume(struct device *dev) + } + + ehci_resume(hcd, priv->reset_on_resume); ++ ++ pm_runtime_disable(dev); ++ pm_runtime_set_active(dev); ++ pm_runtime_enable(dev); ++ + return 0; + } + #endif /* CONFIG_PM_SLEEP */ +-- +2.25.1 + diff --git a/queue-4.4/usb-gadget-fix-potential-double-free-in-m66592_probe.patch b/queue-4.4/usb-gadget-fix-potential-double-free-in-m66592_probe.patch new file mode 100644 index 00000000000..5d41edd04e2 --- /dev/null +++ b/queue-4.4/usb-gadget-fix-potential-double-free-in-m66592_probe.patch @@ -0,0 +1,38 @@ +From 1aa91c86f37a0fb28da35f3ba39b14105222a334 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 May 2020 23:06:25 -0500 +Subject: usb: gadget: fix potential double-free in m66592_probe. + +From: Qiushi Wu + +[ Upstream commit 44734a594196bf1d474212f38fe3a0d37a73278b ] + +m66592_free_request() is called under label "err_add_udc" +and "clean_up", and m66592->ep0_req is not set to NULL after +first free, leading to a double-free. Fix this issue by +setting m66592->ep0_req to NULL after the first free. + +Fixes: 0f91349b89f3 ("usb: gadget: convert all users to the new udc infrastructure") +Signed-off-by: Qiushi Wu +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/m66592-udc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/udc/m66592-udc.c b/drivers/usb/gadget/udc/m66592-udc.c +index b1cfa96cc88f8..db95eab8b4328 100644 +--- a/drivers/usb/gadget/udc/m66592-udc.c ++++ b/drivers/usb/gadget/udc/m66592-udc.c +@@ -1684,7 +1684,7 @@ static int m66592_probe(struct platform_device *pdev) + + err_add_udc: + m66592_free_request(&m66592->ep[0].ep, m66592->ep0_req); +- ++ m66592->ep0_req = NULL; + clean_up3: + if (m66592->pdata->on_chip) { + clk_disable(m66592->clk); +-- +2.25.1 + diff --git a/queue-4.4/usb-gadget-lpc32xx_udc-don-t-dereference-ep-pointer-.patch b/queue-4.4/usb-gadget-lpc32xx_udc-don-t-dereference-ep-pointer-.patch new file mode 100644 index 00000000000..55d38247d03 --- /dev/null +++ b/queue-4.4/usb-gadget-lpc32xx_udc-don-t-dereference-ep-pointer-.patch @@ -0,0 +1,71 @@ +From 1c8f424484d10864d70c2c3373f3cbb7f2c3a6b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 May 2020 16:13:00 +0100 +Subject: usb: gadget: lpc32xx_udc: don't dereference ep pointer before null + check + +From: Colin Ian King + +[ Upstream commit eafa80041645cd7604c4357b1a0cd4a3c81f2227 ] + +Currently pointer ep is being dereferenced before it is null checked +leading to a null pointer dereference issue. Fix this by only assigning +pointer udc once ep is known to be not null. Also remove a debug +message that requires a valid udc which may not be possible at that +point. + +Addresses-Coverity: ("Dereference before null check") +Fixes: 24a28e428351 ("USB: gadget driver for LPC32xx") +Signed-off-by: Colin Ian King +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/lpc32xx_udc.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/usb/gadget/udc/lpc32xx_udc.c b/drivers/usb/gadget/udc/lpc32xx_udc.c +index ea43cb74a6f27..c9590949e4f0a 100644 +--- a/drivers/usb/gadget/udc/lpc32xx_udc.c ++++ b/drivers/usb/gadget/udc/lpc32xx_udc.c +@@ -1662,17 +1662,17 @@ static int lpc32xx_ep_enable(struct usb_ep *_ep, + const struct usb_endpoint_descriptor *desc) + { + struct lpc32xx_ep *ep = container_of(_ep, struct lpc32xx_ep, ep); +- struct lpc32xx_udc *udc = ep->udc; ++ struct lpc32xx_udc *udc; + u16 maxpacket; + u32 tmp; + unsigned long flags; + + /* Verify EP data */ + if ((!_ep) || (!ep) || (!desc) || +- (desc->bDescriptorType != USB_DT_ENDPOINT)) { +- dev_dbg(udc->dev, "bad ep or descriptor\n"); ++ (desc->bDescriptorType != USB_DT_ENDPOINT)) + return -EINVAL; +- } ++ ++ udc = ep->udc; + maxpacket = usb_endpoint_maxp(desc); + if ((maxpacket == 0) || (maxpacket > ep->maxpacket)) { + dev_dbg(udc->dev, "bad ep descriptor's packet size\n"); +@@ -1920,7 +1920,7 @@ static int lpc32xx_ep_dequeue(struct usb_ep *_ep, struct usb_request *_req) + static int lpc32xx_ep_set_halt(struct usb_ep *_ep, int value) + { + struct lpc32xx_ep *ep = container_of(_ep, struct lpc32xx_ep, ep); +- struct lpc32xx_udc *udc = ep->udc; ++ struct lpc32xx_udc *udc; + unsigned long flags; + + if ((!ep) || (ep->hwep_num <= 1)) +@@ -1930,6 +1930,7 @@ static int lpc32xx_ep_set_halt(struct usb_ep *_ep, int value) + if (ep->is_in) + return -EAGAIN; + ++ udc = ep->udc; + spin_lock_irqsave(&udc->lock, flags); + + if (value == 1) { +-- +2.25.1 + diff --git a/queue-4.4/usb-gadget-udc-s3c2410_udc-remove-pointless-null-che.patch b/queue-4.4/usb-gadget-udc-s3c2410_udc-remove-pointless-null-che.patch new file mode 100644 index 00000000000..bd307f8fa61 --- /dev/null +++ b/queue-4.4/usb-gadget-udc-s3c2410_udc-remove-pointless-null-che.patch @@ -0,0 +1,57 @@ +From 9995aac34f863464b0333b3ad76e1e3d2ac2d800 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Apr 2020 09:29:24 -0700 +Subject: USB: gadget: udc: s3c2410_udc: Remove pointless NULL check in + s3c2410_udc_nuke + +From: Nathan Chancellor + +[ Upstream commit 7a0fbcf7c308920bc6116b3a5fb21c8cc5fec128 ] + +Clang warns: + +drivers/usb/gadget/udc/s3c2410_udc.c:255:11: warning: comparison of +address of 'ep->queue' equal to a null pointer is always false +[-Wtautological-pointer-compare] + if (&ep->queue == NULL) + ~~~~^~~~~ ~~~~ +1 warning generated. + +It is not wrong, queue is not a pointer so if ep is not NULL, the +address of queue cannot be NULL. No other driver does a check like this +and this check has been around since the driver was first introduced, +presumably with no issues so it does not seem like this check should be +something else. Just remove it. + +Commit afe956c577b2d ("kbuild: Enable -Wtautological-compare") exposed +this but it is not the root cause of the warning. + +Fixes: 3fc154b6b8134 ("USB Gadget driver for Samsung s3c2410 ARM SoC") +Link: https://github.com/ClangBuiltLinux/linux/issues/1004 +Reviewed-by: Nick Desaulniers +Reported-by: kbuild test robot +Signed-off-by: Nathan Chancellor +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/s3c2410_udc.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/usb/gadget/udc/s3c2410_udc.c b/drivers/usb/gadget/udc/s3c2410_udc.c +index eb3571ee59e3c..08153a48704bb 100644 +--- a/drivers/usb/gadget/udc/s3c2410_udc.c ++++ b/drivers/usb/gadget/udc/s3c2410_udc.c +@@ -269,10 +269,6 @@ static void s3c2410_udc_done(struct s3c2410_ep *ep, + static void s3c2410_udc_nuke(struct s3c2410_udc *udc, + struct s3c2410_ep *ep, int status) + { +- /* Sanity check */ +- if (&ep->queue == NULL) +- return; +- + while (!list_empty(&ep->queue)) { + struct s3c2410_request *req; + req = list_entry(ep->queue.next, struct s3c2410_request, +-- +2.25.1 + diff --git a/queue-4.4/usb-host-ehci-mxc-add-error-handling-in-ehci_mxc_drv.patch b/queue-4.4/usb-host-ehci-mxc-add-error-handling-in-ehci_mxc_drv.patch new file mode 100644 index 00000000000..4fe7f766136 --- /dev/null +++ b/queue-4.4/usb-host-ehci-mxc-add-error-handling-in-ehci_mxc_drv.patch @@ -0,0 +1,39 @@ +From 9c222c412ee85eb7a3d1c04194939ef39466c81b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 May 2020 21:26:47 +0800 +Subject: USB: host: ehci-mxc: Add error handling in ehci_mxc_drv_probe() + +From: Tang Bin + +[ Upstream commit d49292025f79693d3348f8e2029a8b4703be0f0a ] + +The function ehci_mxc_drv_probe() does not perform sufficient error +checking after executing platform_get_irq(), thus fix it. + +Fixes: 7e8d5cd93fac ("USB: Add EHCI support for MX27 and MX31 based boards") +Signed-off-by: Zhang Shengju +Signed-off-by: Tang Bin +Reviewed-by: Peter Chen +Link: https://lore.kernel.org/r/20200513132647.5456-1-tangbin@cmss.chinamobile.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/ehci-mxc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/host/ehci-mxc.c b/drivers/usb/host/ehci-mxc.c +index c7a9b31eeaeff..637079a350032 100644 +--- a/drivers/usb/host/ehci-mxc.c ++++ b/drivers/usb/host/ehci-mxc.c +@@ -63,6 +63,8 @@ static int ehci_mxc_drv_probe(struct platform_device *pdev) + } + + irq = platform_get_irq(pdev, 0); ++ if (irq < 0) ++ return irq; + + hcd = usb_create_hcd(&ehci_mxc_hc_driver, dev, dev_name(dev)); + if (!hcd) +-- +2.25.1 + diff --git a/queue-4.4/usb-ohci-platform-fix-a-warning-when-hibernating.patch b/queue-4.4/usb-ohci-platform-fix-a-warning-when-hibernating.patch new file mode 100644 index 00000000000..f8268728646 --- /dev/null +++ b/queue-4.4/usb-ohci-platform-fix-a-warning-when-hibernating.patch @@ -0,0 +1,102 @@ +From b8ab68e119b4c4086e5a229bdb2eb9082fa7eca8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 May 2020 16:49:29 +0100 +Subject: usb/ohci-platform: Fix a warning when hibernating + +From: Qais Yousef + +[ Upstream commit 1cb3b0095c3d0bb96912bfbbce4fc006d41f367c ] + +The following warning was observed when attempting to suspend to disk +using a USB flash as a swap device. + +[ 111.779649] ------------[ cut here ]------------ +[ 111.788382] URB (____ptrval____) submitted while active +[ 111.796646] WARNING: CPU: 3 PID: 365 at drivers/usb/core/urb.c:363 usb_submit_urb+0x3d8/0x590 +[ 111.805417] Modules linked in: +[ 111.808584] CPU: 3 PID: 365 Comm: kworker/3:2 Not tainted 5.6.0-rc6-00002-gdfd1731f9a3e-dirty #545 +[ 111.817796] Hardware name: ARM Juno development board (r2) (DT) +[ 111.823896] Workqueue: usb_hub_wq hub_event +[ 111.828217] pstate: 60000005 (nZCv daif -PAN -UAO) +[ 111.833156] pc : usb_submit_urb+0x3d8/0x590 +[ 111.837471] lr : usb_submit_urb+0x3d8/0x590 +[ 111.841783] sp : ffff800018de38b0 +[ 111.845205] x29: ffff800018de38b0 x28: 0000000000000003 +[ 111.850682] x27: ffff000970530b20 x26: ffff8000133fd000 +[ 111.856159] x25: ffff8000133fd000 x24: ffff800018de3b38 +[ 111.861635] x23: 0000000000000004 x22: 0000000000000c00 +[ 111.867112] x21: 0000000000000000 x20: 00000000fffffff0 +[ 111.872589] x19: ffff0009704e7a00 x18: ffffffffffffffff +[ 111.878065] x17: 00000000a7c8f4bc x16: 000000002af33de8 +[ 111.883542] x15: ffff8000133fda88 x14: 0720072007200720 +[ 111.889019] x13: 0720072007200720 x12: 0720072007200720 +[ 111.894496] x11: 0000000000000000 x10: 00000000a5286134 +[ 111.899973] x9 : 0000000000000002 x8 : ffff000970c837a0 +[ 111.905449] x7 : 0000000000000000 x6 : ffff800018de3570 +[ 111.910926] x5 : 0000000000000001 x4 : 0000000000000003 +[ 111.916401] x3 : 0000000000000000 x2 : ffff800013427118 +[ 111.921879] x1 : 9d4e965b4b7d7c00 x0 : 0000000000000000 +[ 111.927356] Call trace: +[ 111.929892] usb_submit_urb+0x3d8/0x590 +[ 111.933852] hub_activate+0x108/0x7f0 +[ 111.937633] hub_resume+0xac/0x148 +[ 111.941149] usb_resume_interface.isra.10+0x60/0x138 +[ 111.946265] usb_resume_both+0xe4/0x140 +[ 111.950225] usb_runtime_resume+0x24/0x30 +[ 111.954365] __rpm_callback+0xdc/0x138 +[ 111.958236] rpm_callback+0x34/0x98 +[ 111.961841] rpm_resume+0x4a8/0x720 +[ 111.965445] rpm_resume+0x50c/0x720 +[ 111.969049] __pm_runtime_resume+0x4c/0xb8 +[ 111.973276] usb_autopm_get_interface+0x28/0x60 +[ 111.977948] hub_event+0x80/0x16d8 +[ 111.981466] process_one_work+0x2a4/0x748 +[ 111.985604] worker_thread+0x48/0x498 +[ 111.989387] kthread+0x13c/0x140 +[ 111.992725] ret_from_fork+0x10/0x18 +[ 111.996415] irq event stamp: 354 +[ 111.999756] hardirqs last enabled at (353): [] console_unlock+0x504/0x5b8 +[ 112.008441] hardirqs last disabled at (354): [] do_debug_exception+0x1a8/0x258 +[ 112.017479] softirqs last enabled at (350): [] __do_softirq+0x4bc/0x568 +[ 112.025984] softirqs last disabled at (343): [] irq_exit+0x144/0x150 +[ 112.034129] ---[ end trace dc96030b9cf6c8a3 ]--- + +The problem was tracked down to a missing call to +pm_runtime_set_active() on resume in ohci-platform. + +Link: https://lore.kernel.org/lkml/20200323143857.db5zphxhq4hz3hmd@e107158-lin.cambridge.arm.com/ +Acked-by: Alan Stern +Signed-off-by: Qais Yousef +CC: Tony Prisk +CC: Greg Kroah-Hartman +CC: Mathias Nyman +CC: Oliver Neukum +CC: linux-arm-kernel@lists.infradead.org +CC: linux-usb@vger.kernel.org +CC: linux-kernel@vger.kernel.org +Link: https://lore.kernel.org/r/20200518154931.6144-1-qais.yousef@arm.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/ohci-platform.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/usb/host/ohci-platform.c b/drivers/usb/host/ohci-platform.c +index c2669f185f658..0e5580e6f35cb 100644 +--- a/drivers/usb/host/ohci-platform.c ++++ b/drivers/usb/host/ohci-platform.c +@@ -339,6 +339,11 @@ static int ohci_platform_resume(struct device *dev) + } + + ohci_resume(hcd, false); ++ ++ pm_runtime_disable(dev); ++ pm_runtime_set_active(dev); ++ pm_runtime_enable(dev); ++ + return 0; + } + #endif /* CONFIG_PM_SLEEP */ +-- +2.25.1 + diff --git a/queue-4.4/usb-xhci-plat-set-pm-runtime-as-active-on-resume.patch b/queue-4.4/usb-xhci-plat-set-pm-runtime-as-active-on-resume.patch new file mode 100644 index 00000000000..9186c8f3fa1 --- /dev/null +++ b/queue-4.4/usb-xhci-plat-set-pm-runtime-as-active-on-resume.patch @@ -0,0 +1,58 @@ +From 7ac70ece8a945f0c3acecf9c76f6cb9aff561e8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 May 2020 16:49:30 +0100 +Subject: usb/xhci-plat: Set PM runtime as active on resume + +From: Qais Yousef + +[ Upstream commit 79112cc3c29f4a8c73a21428fbcbcb0afb005e3e ] + +Follow suit of ohci-platform.c and perform pm_runtime_set_active() on +resume. + +ohci-platform.c had a warning reported due to the missing +pm_runtime_set_active() [1]. + +[1] https://lore.kernel.org/lkml/20200323143857.db5zphxhq4hz3hmd@e107158-lin.cambridge.arm.com/ + +Signed-off-by: Qais Yousef +CC: Tony Prisk +CC: Greg Kroah-Hartman +CC: Mathias Nyman +CC: Oliver Neukum +CC: linux-arm-kernel@lists.infradead.org +CC: linux-usb@vger.kernel.org +CC: linux-kernel@vger.kernel.org +Link: https://lore.kernel.org/r/20200518154931.6144-2-qais.yousef@arm.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-plat.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c +index c4c40e9d42471..510fb7853f92a 100644 +--- a/drivers/usb/host/xhci-plat.c ++++ b/drivers/usb/host/xhci-plat.c +@@ -249,8 +249,17 @@ static int xhci_plat_resume(struct device *dev) + { + struct usb_hcd *hcd = dev_get_drvdata(dev); + struct xhci_hcd *xhci = hcd_to_xhci(hcd); ++ int ret; ++ ++ ret = xhci_resume(xhci, 0); ++ if (ret) ++ return ret; + +- return xhci_resume(xhci, 0); ++ pm_runtime_disable(dev); ++ pm_runtime_set_active(dev); ++ pm_runtime_enable(dev); ++ ++ return 0; + } + + static const struct dev_pm_ops xhci_plat_pm_ops = { +-- +2.25.1 + diff --git a/queue-4.4/usblp-poison-urbs-upon-disconnect.patch b/queue-4.4/usblp-poison-urbs-upon-disconnect.patch new file mode 100644 index 00000000000..c18faf2b0b7 --- /dev/null +++ b/queue-4.4/usblp-poison-urbs-upon-disconnect.patch @@ -0,0 +1,50 @@ +From 71a14de65d2046b0e165060f5e9a0ae16120685c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 May 2020 10:58:06 +0200 +Subject: usblp: poison URBs upon disconnect + +From: Oliver Neukum + +[ Upstream commit 296a193b06120aa6ae7cf5c0d7b5e5b55968026e ] + +syzkaller reported an URB that should have been killed to be active. +We do not understand it, but this should fix the issue if it is real. + +Signed-off-by: Oliver Neukum +Reported-by: syzbot+be5b5f86a162a6c281e6@syzkaller.appspotmail.com +Link: https://lore.kernel.org/r/20200507085806.5793-1-oneukum@suse.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/class/usblp.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/class/usblp.c b/drivers/usb/class/usblp.c +index 07c3c3449147f..c578d64edc153 100644 +--- a/drivers/usb/class/usblp.c ++++ b/drivers/usb/class/usblp.c +@@ -481,7 +481,8 @@ static int usblp_release(struct inode *inode, struct file *file) + usb_autopm_put_interface(usblp->intf); + + if (!usblp->present) /* finish cleanup from disconnect */ +- usblp_cleanup(usblp); ++ usblp_cleanup(usblp); /* any URBs must be dead */ ++ + mutex_unlock(&usblp_mutex); + return 0; + } +@@ -1397,9 +1398,11 @@ static void usblp_disconnect(struct usb_interface *intf) + + usblp_unlink_urbs(usblp); + mutex_unlock(&usblp->mut); ++ usb_poison_anchored_urbs(&usblp->urbs); + + if (!usblp->used) + usblp_cleanup(usblp); ++ + mutex_unlock(&usblp_mutex); + } + +-- +2.25.1 + diff --git a/queue-4.4/vfio-pci-fix-memory-leaks-in-alloc_perm_bits.patch b/queue-4.4/vfio-pci-fix-memory-leaks-in-alloc_perm_bits.patch new file mode 100644 index 00000000000..4abdd6e9a2f --- /dev/null +++ b/queue-4.4/vfio-pci-fix-memory-leaks-in-alloc_perm_bits.patch @@ -0,0 +1,74 @@ +From 6a9dbf4f18852fe6fdbfe9af583f49df3e472155 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 May 2020 12:16:56 -0400 +Subject: vfio/pci: fix memory leaks in alloc_perm_bits() + +From: Qian Cai + +[ Upstream commit 3e63b94b6274324ff2e7d8615df31586de827c4e ] + +vfio_pci_disable() calls vfio_config_free() but forgets to call +free_perm_bits() resulting in memory leaks, + +unreferenced object 0xc000000c4db2dee0 (size 16): + comm "qemu-kvm", pid 4305, jiffies 4295020272 (age 3463.780s) + hex dump (first 16 bytes): + 00 00 ff 00 ff ff ff ff ff ff ff ff ff ff 00 00 ................ + backtrace: + [<00000000a6a4552d>] alloc_perm_bits+0x58/0xe0 [vfio_pci] + [<00000000ac990549>] vfio_config_init+0xdf0/0x11b0 [vfio_pci] + init_pci_cap_msi_perm at drivers/vfio/pci/vfio_pci_config.c:1125 + (inlined by) vfio_msi_cap_len at drivers/vfio/pci/vfio_pci_config.c:1180 + (inlined by) vfio_cap_len at drivers/vfio/pci/vfio_pci_config.c:1241 + (inlined by) vfio_cap_init at drivers/vfio/pci/vfio_pci_config.c:1468 + (inlined by) vfio_config_init at drivers/vfio/pci/vfio_pci_config.c:1707 + [<000000006db873a1>] vfio_pci_open+0x234/0x700 [vfio_pci] + [<00000000630e1906>] vfio_group_fops_unl_ioctl+0x8e0/0xb84 [vfio] + [<000000009e34c54f>] ksys_ioctl+0xd8/0x130 + [<000000006577923d>] sys_ioctl+0x28/0x40 + [<000000006d7b1cf2>] system_call_exception+0x114/0x1e0 + [<0000000008ea7dd5>] system_call_common+0xf0/0x278 +unreferenced object 0xc000000c4db2e330 (size 16): + comm "qemu-kvm", pid 4305, jiffies 4295020272 (age 3463.780s) + hex dump (first 16 bytes): + 00 ff ff 00 ff ff ff ff ff ff ff ff ff ff 00 00 ................ + backtrace: + [<000000004c71914f>] alloc_perm_bits+0x44/0xe0 [vfio_pci] + [<00000000ac990549>] vfio_config_init+0xdf0/0x11b0 [vfio_pci] + [<000000006db873a1>] vfio_pci_open+0x234/0x700 [vfio_pci] + [<00000000630e1906>] vfio_group_fops_unl_ioctl+0x8e0/0xb84 [vfio] + [<000000009e34c54f>] ksys_ioctl+0xd8/0x130 + [<000000006577923d>] sys_ioctl+0x28/0x40 + [<000000006d7b1cf2>] system_call_exception+0x114/0x1e0 + [<0000000008ea7dd5>] system_call_common+0xf0/0x278 + +Fixes: 89e1f7d4c66d ("vfio: Add PCI device driver") +Signed-off-by: Qian Cai +[aw: rolled in follow-up patch] +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/pci/vfio_pci_config.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c +index 98a12be76c9cf..bf65572f47a8f 100644 +--- a/drivers/vfio/pci/vfio_pci_config.c ++++ b/drivers/vfio/pci/vfio_pci_config.c +@@ -1644,8 +1644,11 @@ void vfio_config_free(struct vfio_pci_device *vdev) + vdev->vconfig = NULL; + kfree(vdev->pci_config_map); + vdev->pci_config_map = NULL; +- kfree(vdev->msi_perm); +- vdev->msi_perm = NULL; ++ if (vdev->msi_perm) { ++ free_perm_bits(vdev->msi_perm); ++ kfree(vdev->msi_perm); ++ vdev->msi_perm = NULL; ++ } + } + + /* +-- +2.25.1 + diff --git a/queue-4.4/vfio-pci-mask-cap-zero.patch b/queue-4.4/vfio-pci-mask-cap-zero.patch new file mode 100644 index 00000000000..bd9056fb0a9 --- /dev/null +++ b/queue-4.4/vfio-pci-mask-cap-zero.patch @@ -0,0 +1,50 @@ +From daab111f93f7520d86abeb65a4666f25b93f4c14 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Apr 2020 11:45:28 -0600 +Subject: vfio-pci: Mask cap zero + +From: Alex Williamson + +[ Upstream commit bc138db1b96264b9c1779cf18d5a3b186aa90066 ] + +The PCI Code and ID Assignment Specification changed capability ID 0 +from reserved to a NULL capability in the v1.1 revision. The NULL +capability is defined to include only the 16-bit capability header, +ie. only the ID and next pointer. Unfortunately vfio-pci creates a +map of config space, where ID 0 is used to reserve the standard type +0 header. Finding an actual capability with this ID therefore results +in a bogus range marked in that map and conflicts with subsequent +capabilities. As this seems to be a dummy capability anyway and we +already support dropping capabilities, let's hide this one rather than +delving into the potentially subtle dependencies within our map. + +Seen on an NVIDIA Tesla T4. + +Reviewed-by: Cornelia Huck +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/pci/vfio_pci_config.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c +index bf65572f47a8f..666b234acca0a 100644 +--- a/drivers/vfio/pci/vfio_pci_config.c ++++ b/drivers/vfio/pci/vfio_pci_config.c +@@ -1405,7 +1405,12 @@ static int vfio_cap_init(struct vfio_pci_device *vdev) + if (ret) + return ret; + +- if (cap <= PCI_CAP_ID_MAX) { ++ /* ++ * ID 0 is a NULL capability, conflicting with our fake ++ * PCI_CAP_ID_BASIC. As it has no content, consider it ++ * hidden for now. ++ */ ++ if (cap && cap <= PCI_CAP_ID_MAX) { + len = pci_cap_length[cap]; + if (len == 0xFF) { /* Variable length */ + len = vfio_cap_len(vdev, cap, pos); +-- +2.25.1 + diff --git a/queue-4.4/watchdog-da9062-no-need-to-ping-manually-before-sett.patch b/queue-4.4/watchdog-da9062-no-need-to-ping-manually-before-sett.patch new file mode 100644 index 00000000000..bb36599e8fc --- /dev/null +++ b/queue-4.4/watchdog-da9062-no-need-to-ping-manually-before-sett.patch @@ -0,0 +1,49 @@ +From 5dece24da314e5da86526fd709912e21d74424a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Apr 2020 15:07:28 +0200 +Subject: watchdog: da9062: No need to ping manually before setting timeout + +From: Stefan Riedmueller + +[ Upstream commit a0948ddba65f4f6d3cfb5e2b84685485d0452966 ] + +There is actually no need to ping the watchdog before disabling it +during timeout change. Disabling the watchdog already takes care of +resetting the counter. + +This fixes an issue during boot when the userspace watchdog handler takes +over and the watchdog is already running. Opening the watchdog in this case +leads to the first ping and directly after that without the required +heartbeat delay a second ping issued by the set_timeout call. Due to the +missing delay this resulted in a reset. + +Signed-off-by: Stefan Riedmueller +Reviewed-by: Guenter Roeck +Reviewed-by: Adam Thomson +Link: https://lore.kernel.org/r/20200403130728.39260-3-s.riedmueller@phytec.de +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/da9062_wdt.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/drivers/watchdog/da9062_wdt.c b/drivers/watchdog/da9062_wdt.c +index daeb645fcea8a..519419136ce8f 100644 +--- a/drivers/watchdog/da9062_wdt.c ++++ b/drivers/watchdog/da9062_wdt.c +@@ -94,11 +94,6 @@ static int da9062_wdt_update_timeout_register(struct da9062_watchdog *wdt, + unsigned int regval) + { + struct da9062 *chip = wdt->hw; +- int ret; +- +- ret = da9062_reset_watchdog_timer(wdt); +- if (ret) +- return ret; + + return regmap_update_bits(chip->regmap, + DA9062AA_CONTROL_D, +-- +2.25.1 + diff --git a/queue-4.4/yam-fix-possible-memory-leak-in-yam_init_driver.patch b/queue-4.4/yam-fix-possible-memory-leak-in-yam_init_driver.patch new file mode 100644 index 00000000000..13ff03c5257 --- /dev/null +++ b/queue-4.4/yam-fix-possible-memory-leak-in-yam_init_driver.patch @@ -0,0 +1,36 @@ +From 01cad0f096479cf3c054a33bca297a969c87ffab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jun 2020 20:18:51 +0800 +Subject: yam: fix possible memory leak in yam_init_driver + +From: Wang Hai + +[ Upstream commit 98749b7188affbf2900c2aab704a8853901d1139 ] + +If register_netdev(dev) fails, free_netdev(dev) needs +to be called, otherwise a memory leak will occur. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/hamradio/yam.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/hamradio/yam.c b/drivers/net/hamradio/yam.c +index 1a4729c36aa49..623e4225e7c84 100644 +--- a/drivers/net/hamradio/yam.c ++++ b/drivers/net/hamradio/yam.c +@@ -1160,6 +1160,7 @@ static int __init yam_init_driver(void) + err = register_netdev(dev); + if (err) { + printk(KERN_WARNING "yam: cannot register net device %s\n", dev->name); ++ free_netdev(dev); + goto error; + } + yam_devs[i] = dev; +-- +2.25.1 +