From: Greg Kroah-Hartman Date: Wed, 15 Sep 2021 12:55:36 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v5.14.5~41 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8810e57d16d540d0f263003ae72ae06095ea3e99;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: arm64-head-avoid-over-mapping-in-map_memory.patch arm64-mm-fix-tlbi-vs-asid-rollover.patch block-bfq-fix-bfq_set_next_ioprio_data.patch clk-socfpga-agilex-add-the-bypass-register-for-s2f_usr0-clock.patch clk-socfpga-agilex-fix-the-parents-of-the-psi_ref_clk.patch clk-socfpga-agilex-fix-up-s2f_user0_clk-representation.patch cpufreq-schedutil-use-kobject-release-method-to-free-sugov_tunables.patch crypto-ccp-shutdown-sev-firmware-on-kexec.patch crypto-public_key-fix-overflow-during-implicit-conversion.patch dm-crypt-avoid-percpu_counter-spinlock-contention-in-crypt_page_alloc.patch dmaengine-imx-sdma-remove-duplicated-sdma_load_context.patch iio-ltc2983-fix-device-probe.patch media-rc-loopback-return-number-of-emitters-rather-than-error.patch media-uvc-don-t-do-dma-on-stack.patch pinctrl-ingenic-fix-incorrect-pull-up-down-info.patch pinctrl-stmfx-fix-hazardous-u8-to-unsigned-long-cast.patch power-supply-max17042-handle-fails-of-reading-status-register.patch revert-dmaengine-imx-sdma-refine-to-load-context-only-once.patch s390-qdio-cancel-the-establish-ccw-after-timeout.patch s390-qdio-fix-roll-back-after-timeout-on-establish-ccw.patch selftests-ftrace-fix-requirement-check-of-readme-file.patch soc-aspeed-lpc-ctrl-fix-boundary-check-for-mmap.patch soc-aspeed-p2a-ctrl-fix-boundary-check-for-mmap.patch soc-qcom-aoss-fix-the-out-of-bound-usage-of-cooling_devs.patch tools-thermal-tmon-add-cross-compiling-support.patch vmci-fix-null-pointer-dereference-when-unmapping-queue-pair.patch wcn36xx-ensure-finish-scan-is-not-requested-before-start-scan.patch --- diff --git a/queue-5.10/arm64-head-avoid-over-mapping-in-map_memory.patch b/queue-5.10/arm64-head-avoid-over-mapping-in-map_memory.patch new file mode 100644 index 00000000000..a68b9efaa76 --- /dev/null +++ b/queue-5.10/arm64-head-avoid-over-mapping-in-map_memory.patch @@ -0,0 +1,106 @@ +From 90268574a3e8a6b883bd802d702a2738577e1006 Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Mon, 23 Aug 2021 11:12:53 +0100 +Subject: arm64: head: avoid over-mapping in map_memory + +From: Mark Rutland + +commit 90268574a3e8a6b883bd802d702a2738577e1006 upstream. + +The `compute_indices` and `populate_entries` macros operate on inclusive +bounds, and thus the `map_memory` macro which uses them also operates +on inclusive bounds. + +We pass `_end` and `_idmap_text_end` to `map_memory`, but these are +exclusive bounds, and if one of these is sufficiently aligned (as a +result of kernel configuration, physical placement, and KASLR), then: + +* In `compute_indices`, the computed `iend` will be in the page/block *after* + the final byte of the intended mapping. + +* In `populate_entries`, an unnecessary entry will be created at the end + of each level of table. At the leaf level, this entry will map up to + SWAPPER_BLOCK_SIZE bytes of physical addresses that we did not intend + to map. + +As we may map up to SWAPPER_BLOCK_SIZE bytes more than intended, we may +violate the boot protocol and map physical address past the 2MiB-aligned +end address we are permitted to map. As we map these with Normal memory +attributes, this may result in further problems depending on what these +physical addresses correspond to. + +The final entry at each level may require an additional table at that +level. As EARLY_ENTRIES() calculates an inclusive bound, we allocate +enough memory for this. + +Avoid the extraneous mapping by having map_memory convert the exclusive +end address to an inclusive end address by subtracting one, and do +likewise in EARLY_ENTRIES() when calculating the number of required +tables. For clarity, comments are updated to more clearly document which +boundaries the macros operate on. For consistency with the other +macros, the comments in map_memory are also updated to describe `vstart` +and `vend` as virtual addresses. + +Fixes: 0370b31e4845 ("arm64: Extend early page table code to allow for larger kernels") +Cc: # 4.16.x +Signed-off-by: Mark Rutland +Cc: Anshuman Khandual +Cc: Ard Biesheuvel +Cc: Steve Capper +Cc: Will Deacon +Acked-by: Will Deacon +Link: https://lore.kernel.org/r/20210823101253.55567-1-mark.rutland@arm.com +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/kernel-pgtable.h | 4 ++-- + arch/arm64/kernel/head.S | 11 ++++++----- + 2 files changed, 8 insertions(+), 7 deletions(-) + +--- a/arch/arm64/include/asm/kernel-pgtable.h ++++ b/arch/arm64/include/asm/kernel-pgtable.h +@@ -65,8 +65,8 @@ + #define EARLY_KASLR (0) + #endif + +-#define EARLY_ENTRIES(vstart, vend, shift) (((vend) >> (shift)) \ +- - ((vstart) >> (shift)) + 1 + EARLY_KASLR) ++#define EARLY_ENTRIES(vstart, vend, shift) \ ++ ((((vend) - 1) >> (shift)) - ((vstart) >> (shift)) + 1 + EARLY_KASLR) + + #define EARLY_PGDS(vstart, vend) (EARLY_ENTRIES(vstart, vend, PGDIR_SHIFT)) + +--- a/arch/arm64/kernel/head.S ++++ b/arch/arm64/kernel/head.S +@@ -191,7 +191,7 @@ SYM_CODE_END(preserve_boot_args) + * to be composed of multiple pages. (This effectively scales the end index). + * + * vstart: virtual address of start of range +- * vend: virtual address of end of range ++ * vend: virtual address of end of range - we map [vstart, vend] + * shift: shift used to transform virtual address into index + * ptrs: number of entries in page table + * istart: index in table corresponding to vstart +@@ -228,17 +228,18 @@ SYM_CODE_END(preserve_boot_args) + * + * tbl: location of page table + * rtbl: address to be used for first level page table entry (typically tbl + PAGE_SIZE) +- * vstart: start address to map +- * vend: end address to map - we map [vstart, vend] ++ * vstart: virtual address of start of range ++ * vend: virtual address of end of range - we map [vstart, vend - 1] + * flags: flags to use to map last level entries + * phys: physical address corresponding to vstart - physical memory is contiguous + * pgds: the number of pgd entries + * + * Temporaries: istart, iend, tmp, count, sv - these need to be different registers +- * Preserves: vstart, vend, flags +- * Corrupts: tbl, rtbl, istart, iend, tmp, count, sv ++ * Preserves: vstart, flags ++ * Corrupts: tbl, rtbl, vend, istart, iend, tmp, count, sv + */ + .macro map_memory, tbl, rtbl, vstart, vend, flags, phys, pgds, istart, iend, tmp, count, sv ++ sub \vend, \vend, #1 + add \rtbl, \tbl, #PAGE_SIZE + mov \sv, \rtbl + mov \count, #0 diff --git a/queue-5.10/arm64-mm-fix-tlbi-vs-asid-rollover.patch b/queue-5.10/arm64-mm-fix-tlbi-vs-asid-rollover.patch new file mode 100644 index 00000000000..f79ebaa8925 --- /dev/null +++ b/queue-5.10/arm64-mm-fix-tlbi-vs-asid-rollover.patch @@ -0,0 +1,119 @@ +From 5e10f9887ed85d4f59266d5c60dd09be96b5dbd4 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Fri, 6 Aug 2021 12:31:04 +0100 +Subject: arm64: mm: Fix TLBI vs ASID rollover + +From: Will Deacon + +commit 5e10f9887ed85d4f59266d5c60dd09be96b5dbd4 upstream. + +When switching to an 'mm_struct' for the first time following an ASID +rollover, a new ASID may be allocated and assigned to 'mm->context.id'. +This reassignment can happen concurrently with other operations on the +mm, such as unmapping pages and subsequently issuing TLB invalidation. + +Consequently, we need to ensure that (a) accesses to 'mm->context.id' +are atomic and (b) all page-table updates made prior to a TLBI using the +old ASID are guaranteed to be visible to CPUs running with the new ASID. + +This was found by inspection after reviewing the VMID changes from +Shameer but it looks like a real (yet hard to hit) bug. + +Cc: +Cc: Marc Zyngier +Cc: Jade Alglave +Cc: Shameer Kolothum +Signed-off-by: Will Deacon +Reviewed-by: Catalin Marinas +Link: https://lore.kernel.org/r/20210806113109.2475-2-will@kernel.org +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/mmu.h | 29 +++++++++++++++++++++++++---- + arch/arm64/include/asm/tlbflush.h | 11 ++++++----- + 2 files changed, 31 insertions(+), 9 deletions(-) + +--- a/arch/arm64/include/asm/mmu.h ++++ b/arch/arm64/include/asm/mmu.h +@@ -30,11 +30,32 @@ typedef struct { + } mm_context_t; + + /* +- * This macro is only used by the TLBI and low-level switch_mm() code, +- * neither of which can race with an ASID change. We therefore don't +- * need to reload the counter using atomic64_read(). ++ * We use atomic64_read() here because the ASID for an 'mm_struct' can ++ * be reallocated when scheduling one of its threads following a ++ * rollover event (see new_context() and flush_context()). In this case, ++ * a concurrent TLBI (e.g. via try_to_unmap_one() and ptep_clear_flush()) ++ * may use a stale ASID. This is fine in principle as the new ASID is ++ * guaranteed to be clean in the TLB, but the TLBI routines have to take ++ * care to handle the following race: ++ * ++ * CPU 0 CPU 1 CPU 2 ++ * ++ * // ptep_clear_flush(mm) ++ * xchg_relaxed(pte, 0) ++ * DSB ISHST ++ * old = ASID(mm) ++ * | ++ * | new = new_context(mm) ++ * \-----------------> atomic_set(mm->context.id, new) ++ * cpu_switch_mm(mm) ++ * // Hardware walk of pte using new ASID ++ * TLBI(old) ++ * ++ * In this scenario, the barrier on CPU 0 and the dependency on CPU 1 ++ * ensure that the page-table walker on CPU 1 *must* see the invalid PTE ++ * written by CPU 0. + */ +-#define ASID(mm) ((mm)->context.id.counter & 0xffff) ++#define ASID(mm) (atomic64_read(&(mm)->context.id) & 0xffff) + + static inline bool arm64_kernel_unmapped_at_el0(void) + { +--- a/arch/arm64/include/asm/tlbflush.h ++++ b/arch/arm64/include/asm/tlbflush.h +@@ -245,9 +245,10 @@ static inline void flush_tlb_all(void) + + static inline void flush_tlb_mm(struct mm_struct *mm) + { +- unsigned long asid = __TLBI_VADDR(0, ASID(mm)); ++ unsigned long asid; + + dsb(ishst); ++ asid = __TLBI_VADDR(0, ASID(mm)); + __tlbi(aside1is, asid); + __tlbi_user(aside1is, asid); + dsb(ish); +@@ -256,9 +257,10 @@ static inline void flush_tlb_mm(struct m + static inline void flush_tlb_page_nosync(struct vm_area_struct *vma, + unsigned long uaddr) + { +- unsigned long addr = __TLBI_VADDR(uaddr, ASID(vma->vm_mm)); ++ unsigned long addr; + + dsb(ishst); ++ addr = __TLBI_VADDR(uaddr, ASID(vma->vm_mm)); + __tlbi(vale1is, addr); + __tlbi_user(vale1is, addr); + } +@@ -283,9 +285,7 @@ static inline void __flush_tlb_range(str + { + int num = 0; + int scale = 0; +- unsigned long asid = ASID(vma->vm_mm); +- unsigned long addr; +- unsigned long pages; ++ unsigned long asid, addr, pages; + + start = round_down(start, stride); + end = round_up(end, stride); +@@ -305,6 +305,7 @@ static inline void __flush_tlb_range(str + } + + dsb(ishst); ++ asid = ASID(vma->vm_mm); + + /* + * When the CPU does not support TLB range operations, flush the TLB diff --git a/queue-5.10/block-bfq-fix-bfq_set_next_ioprio_data.patch b/queue-5.10/block-bfq-fix-bfq_set_next_ioprio_data.patch new file mode 100644 index 00000000000..3bc4260e848 --- /dev/null +++ b/queue-5.10/block-bfq-fix-bfq_set_next_ioprio_data.patch @@ -0,0 +1,38 @@ +From a680dd72ec336b81511e3bff48efac6dbfa563e7 Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Wed, 11 Aug 2021 12:36:57 +0900 +Subject: block: bfq: fix bfq_set_next_ioprio_data() + +From: Damien Le Moal + +commit a680dd72ec336b81511e3bff48efac6dbfa563e7 upstream. + +For a request that has a priority level equal to or larger than +IOPRIO_BE_NR, bfq_set_next_ioprio_data() prints a critical warning but +defaults to setting the request new_ioprio field to IOPRIO_BE_NR. This +is not consistent with the warning and the allowed values for priority +levels. Fix this by setting the request new_ioprio field to +IOPRIO_BE_NR - 1, the lowest priority level allowed. + +Cc: +Fixes: aee69d78dec0 ("block, bfq: introduce the BFQ-v0 I/O scheduler as an extra scheduler") +Signed-off-by: Damien Le Moal +Reviewed-by: Hannes Reinecke +Link: https://lore.kernel.org/r/20210811033702.368488-2-damien.lemoal@wdc.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/bfq-iosched.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/block/bfq-iosched.c ++++ b/block/bfq-iosched.c +@@ -5011,7 +5011,7 @@ bfq_set_next_ioprio_data(struct bfq_queu + if (bfqq->new_ioprio >= IOPRIO_BE_NR) { + pr_crit("bfq_set_next_ioprio_data: new_ioprio %d\n", + bfqq->new_ioprio); +- bfqq->new_ioprio = IOPRIO_BE_NR; ++ bfqq->new_ioprio = IOPRIO_BE_NR - 1; + } + + bfqq->entity.new_weight = bfq_ioprio_to_weight(bfqq->new_ioprio); diff --git a/queue-5.10/clk-socfpga-agilex-add-the-bypass-register-for-s2f_usr0-clock.patch b/queue-5.10/clk-socfpga-agilex-add-the-bypass-register-for-s2f_usr0-clock.patch new file mode 100644 index 00000000000..3a5c9d6bbc4 --- /dev/null +++ b/queue-5.10/clk-socfpga-agilex-add-the-bypass-register-for-s2f_usr0-clock.patch @@ -0,0 +1,33 @@ +From d17929eb1066d1c1653aae9bb4396a9f1d6602ac Mon Sep 17 00:00:00 2001 +From: Dinh Nguyen +Date: Tue, 13 Jul 2021 09:46:21 -0500 +Subject: clk: socfpga: agilex: add the bypass register for s2f_usr0 clock + +From: Dinh Nguyen + +commit d17929eb1066d1c1653aae9bb4396a9f1d6602ac upstream. + +Add the bypass register for the s2f_user0_clk. + +Fixes: 80c6b7a0894f ("clk: socfpga: agilex: add clock driver for the Agilex platform") +Cc: stable@vger.kernel.org +Signed-off-by: Kris Chaplin +Signed-off-by: Dinh Nguyen +Link: https://lore.kernel.org/r/20210713144621.605140-3-dinguyen@kernel.org +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/socfpga/clk-agilex.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/clk/socfpga/clk-agilex.c ++++ b/drivers/clk/socfpga/clk-agilex.c +@@ -267,7 +267,7 @@ static const struct stratix10_perip_cnt_ + { AGILEX_SDMMC_FREE_CLK, "sdmmc_free_clk", NULL, sdmmc_free_mux, + ARRAY_SIZE(sdmmc_free_mux), 0, 0xE4, 0, 0, 0}, + { AGILEX_S2F_USER0_FREE_CLK, "s2f_user0_free_clk", NULL, s2f_usr0_free_mux, +- ARRAY_SIZE(s2f_usr0_free_mux), 0, 0xE8, 0, 0, 0}, ++ ARRAY_SIZE(s2f_usr0_free_mux), 0, 0xE8, 0, 0x30, 2}, + { AGILEX_S2F_USER1_FREE_CLK, "s2f_user1_free_clk", NULL, s2f_usr1_free_mux, + ARRAY_SIZE(s2f_usr1_free_mux), 0, 0xEC, 0, 0x88, 5}, + { AGILEX_PSI_REF_FREE_CLK, "psi_ref_free_clk", NULL, psi_ref_free_mux, diff --git a/queue-5.10/clk-socfpga-agilex-fix-the-parents-of-the-psi_ref_clk.patch b/queue-5.10/clk-socfpga-agilex-fix-the-parents-of-the-psi_ref_clk.patch new file mode 100644 index 00000000000..539467ad645 --- /dev/null +++ b/queue-5.10/clk-socfpga-agilex-fix-the-parents-of-the-psi_ref_clk.patch @@ -0,0 +1,40 @@ +From 9d563236cca43fc4fe190b3be173444bd48e2a3b Mon Sep 17 00:00:00 2001 +From: Dinh Nguyen +Date: Tue, 13 Jul 2021 09:46:19 -0500 +Subject: clk: socfpga: agilex: fix the parents of the psi_ref_clk + +From: Dinh Nguyen + +commit 9d563236cca43fc4fe190b3be173444bd48e2a3b upstream. + +The psi_ref_clk comes from the C2 node of the main_pll and periph_pll, +not the C3. + +Fixes: 80c6b7a0894f ("clk: socfpga: agilex: add clock driver for the Agilex platform") +Cc: stable@vger.kernel.org +Signed-off-by: Kris Chaplin +Signed-off-by: Dinh Nguyen +Link: https://lore.kernel.org/r/20210713144621.605140-1-dinguyen@kernel.org +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/socfpga/clk-agilex.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/clk/socfpga/clk-agilex.c ++++ b/drivers/clk/socfpga/clk-agilex.c +@@ -107,10 +107,10 @@ static const struct clk_parent_data gpio + }; + + static const struct clk_parent_data psi_ref_free_mux[] = { +- { .fw_name = "main_pll_c3", +- .name = "main_pll_c3", }, +- { .fw_name = "peri_pll_c3", +- .name = "peri_pll_c3", }, ++ { .fw_name = "main_pll_c2", ++ .name = "main_pll_c2", }, ++ { .fw_name = "peri_pll_c2", ++ .name = "peri_pll_c2", }, + { .fw_name = "osc1", + .name = "osc1", }, + { .fw_name = "cb-intosc-hs-div2-clk", diff --git a/queue-5.10/clk-socfpga-agilex-fix-up-s2f_user0_clk-representation.patch b/queue-5.10/clk-socfpga-agilex-fix-up-s2f_user0_clk-representation.patch new file mode 100644 index 00000000000..6e7becde104 --- /dev/null +++ b/queue-5.10/clk-socfpga-agilex-fix-up-s2f_user0_clk-representation.patch @@ -0,0 +1,47 @@ +From f817c132db679d492d96c60993fa2f2c67ab18d0 Mon Sep 17 00:00:00 2001 +From: Dinh Nguyen +Date: Tue, 13 Jul 2021 09:46:20 -0500 +Subject: clk: socfpga: agilex: fix up s2f_user0_clk representation + +From: Dinh Nguyen + +commit f817c132db679d492d96c60993fa2f2c67ab18d0 upstream. + +Correct the s2f_user0_mux clock representation. + +Fixes: 80c6b7a0894f ("clk: socfpga: agilex: add clock driver for the Agilex platform") +Cc: stable@vger.kernel.org +Signed-off-by: Kris Chaplin +Signed-off-by: Dinh Nguyen +Link: https://lore.kernel.org/r/20210713144621.605140-2-dinguyen@kernel.org +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/socfpga/clk-agilex.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/clk/socfpga/clk-agilex.c ++++ b/drivers/clk/socfpga/clk-agilex.c +@@ -193,6 +193,13 @@ static const struct clk_parent_data sdmm + .name = "boot_clk", }, + }; + ++static const struct clk_parent_data s2f_user0_mux[] = { ++ { .fw_name = "s2f_user0_free_clk", ++ .name = "s2f_user0_free_clk", }, ++ { .fw_name = "boot_clk", ++ .name = "boot_clk", }, ++}; ++ + static const struct clk_parent_data s2f_user1_mux[] = { + { .fw_name = "s2f_user1_free_clk", + .name = "s2f_user1_free_clk", }, +@@ -306,6 +313,8 @@ static const struct stratix10_gate_clock + 4, 0x98, 0, 16, 0x88, 3, 0}, + { AGILEX_SDMMC_CLK, "sdmmc_clk", NULL, sdmmc_mux, ARRAY_SIZE(sdmmc_mux), 0, 0x7C, + 5, 0, 0, 0, 0x88, 4, 4}, ++ { AGILEX_S2F_USER0_CLK, "s2f_user0_clk", NULL, s2f_user0_mux, ARRAY_SIZE(s2f_user0_mux), 0, 0x24, ++ 6, 0, 0, 0, 0x30, 2, 0}, + { AGILEX_S2F_USER1_CLK, "s2f_user1_clk", NULL, s2f_user1_mux, ARRAY_SIZE(s2f_user1_mux), 0, 0x7C, + 6, 0, 0, 0, 0x88, 5, 0}, + { AGILEX_PSI_REF_CLK, "psi_ref_clk", NULL, psi_mux, ARRAY_SIZE(psi_mux), 0, 0x7C, diff --git a/queue-5.10/cpufreq-schedutil-use-kobject-release-method-to-free-sugov_tunables.patch b/queue-5.10/cpufreq-schedutil-use-kobject-release-method-to-free-sugov_tunables.patch new file mode 100644 index 00000000000..4562196f6ba --- /dev/null +++ b/queue-5.10/cpufreq-schedutil-use-kobject-release-method-to-free-sugov_tunables.patch @@ -0,0 +1,125 @@ +From e5c6b312ce3cc97e90ea159446e6bfa06645364d Mon Sep 17 00:00:00 2001 +From: Kevin Hao +Date: Thu, 5 Aug 2021 15:29:17 +0800 +Subject: cpufreq: schedutil: Use kobject release() method to free sugov_tunables + +From: Kevin Hao + +commit e5c6b312ce3cc97e90ea159446e6bfa06645364d upstream. + +The struct sugov_tunables is protected by the kobject, so we can't free +it directly. Otherwise we would get a call trace like this: + ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x30 + WARNING: CPU: 3 PID: 720 at lib/debugobjects.c:505 debug_print_object+0xb8/0x100 + Modules linked in: + CPU: 3 PID: 720 Comm: a.sh Tainted: G W 5.14.0-rc1-next-20210715-yocto-standard+ #507 + Hardware name: Marvell OcteonTX CN96XX board (DT) + pstate: 40400009 (nZcv daif +PAN -UAO -TCO BTYPE=--) + pc : debug_print_object+0xb8/0x100 + lr : debug_print_object+0xb8/0x100 + sp : ffff80001ecaf910 + x29: ffff80001ecaf910 x28: ffff00011b10b8d0 x27: ffff800011043d80 + x26: ffff00011a8f0000 x25: ffff800013cb3ff0 x24: 0000000000000000 + x23: ffff80001142aa68 x22: ffff800011043d80 x21: ffff00010de46f20 + x20: ffff800013c0c520 x19: ffff800011d8f5b0 x18: 0000000000000010 + x17: 6e6968207473696c x16: 5f72656d6974203a x15: 6570797420746365 + x14: 6a626f2029302065 x13: 303378302f307830 x12: 2b6e665f72656d69 + x11: ffff8000124b1560 x10: ffff800012331520 x9 : ffff8000100ca6b0 + x8 : 000000000017ffe8 x7 : c0000000fffeffff x6 : 0000000000000001 + x5 : ffff800011d8c000 x4 : ffff800011d8c740 x3 : 0000000000000000 + x2 : ffff0001108301c0 x1 : ab3c90eedf9c0f00 x0 : 0000000000000000 + Call trace: + debug_print_object+0xb8/0x100 + __debug_check_no_obj_freed+0x1c0/0x230 + debug_check_no_obj_freed+0x20/0x88 + slab_free_freelist_hook+0x154/0x1c8 + kfree+0x114/0x5d0 + sugov_exit+0xbc/0xc0 + cpufreq_exit_governor+0x44/0x90 + cpufreq_set_policy+0x268/0x4a8 + store_scaling_governor+0xe0/0x128 + store+0xc0/0xf0 + sysfs_kf_write+0x54/0x80 + kernfs_fop_write_iter+0x128/0x1c0 + new_sync_write+0xf0/0x190 + vfs_write+0x2d4/0x478 + ksys_write+0x74/0x100 + __arm64_sys_write+0x24/0x30 + invoke_syscall.constprop.0+0x54/0xe0 + do_el0_svc+0x64/0x158 + el0_svc+0x2c/0xb0 + el0t_64_sync_handler+0xb0/0xb8 + el0t_64_sync+0x198/0x19c + irq event stamp: 5518 + hardirqs last enabled at (5517): [] console_unlock+0x554/0x6c8 + hardirqs last disabled at (5518): [] el1_dbg+0x28/0xa0 + softirqs last enabled at (5504): [] __do_softirq+0x4d0/0x6c0 + softirqs last disabled at (5483): [] irq_exit+0x1b0/0x1b8 + +So split the original sugov_tunables_free() into two functions, +sugov_clear_global_tunables() is just used to clear the global_tunables +and the new sugov_tunables_free() is used as kobj_type::release to +release the sugov_tunables safely. + +Fixes: 9bdcb44e391d ("cpufreq: schedutil: New governor based on scheduler utilization data") +Cc: 4.7+ # 4.7+ +Signed-off-by: Kevin Hao +Acked-by: Viresh Kumar +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sched/cpufreq_schedutil.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +--- a/kernel/sched/cpufreq_schedutil.c ++++ b/kernel/sched/cpufreq_schedutil.c +@@ -610,9 +610,17 @@ static struct attribute *sugov_attrs[] = + }; + ATTRIBUTE_GROUPS(sugov); + ++static void sugov_tunables_free(struct kobject *kobj) ++{ ++ struct gov_attr_set *attr_set = container_of(kobj, struct gov_attr_set, kobj); ++ ++ kfree(to_sugov_tunables(attr_set)); ++} ++ + static struct kobj_type sugov_tunables_ktype = { + .default_groups = sugov_groups, + .sysfs_ops = &governor_sysfs_ops, ++ .release = &sugov_tunables_free, + }; + + /********************** cpufreq governor interface *********************/ +@@ -712,12 +720,10 @@ static struct sugov_tunables *sugov_tuna + return tunables; + } + +-static void sugov_tunables_free(struct sugov_tunables *tunables) ++static void sugov_clear_global_tunables(void) + { + if (!have_governor_per_policy()) + global_tunables = NULL; +- +- kfree(tunables); + } + + static int sugov_init(struct cpufreq_policy *policy) +@@ -780,7 +786,7 @@ out: + fail: + kobject_put(&tunables->attr_set.kobj); + policy->governor_data = NULL; +- sugov_tunables_free(tunables); ++ sugov_clear_global_tunables(); + + stop_kthread: + sugov_kthread_stop(sg_policy); +@@ -807,7 +813,7 @@ static void sugov_exit(struct cpufreq_po + count = gov_attr_set_put(&tunables->attr_set, &sg_policy->tunables_hook); + policy->governor_data = NULL; + if (!count) +- sugov_tunables_free(tunables); ++ sugov_clear_global_tunables(); + + mutex_unlock(&global_tunables_lock); + diff --git a/queue-5.10/crypto-ccp-shutdown-sev-firmware-on-kexec.patch b/queue-5.10/crypto-ccp-shutdown-sev-firmware-on-kexec.patch new file mode 100644 index 00000000000..3a97a0def28 --- /dev/null +++ b/queue-5.10/crypto-ccp-shutdown-sev-firmware-on-kexec.patch @@ -0,0 +1,151 @@ +From 5441a07a127f106c9936e4f9fa1a8a93e3f31828 Mon Sep 17 00:00:00 2001 +From: Brijesh Singh +Date: Wed, 28 Jul 2021 10:15:21 -0500 +Subject: crypto: ccp - shutdown SEV firmware on kexec + +From: Brijesh Singh + +commit 5441a07a127f106c9936e4f9fa1a8a93e3f31828 upstream. + +The commit 97f9ac3db6612 ("crypto: ccp - Add support for SEV-ES to the +PSP driver") added support to allocate Trusted Memory Region (TMR) +used during the SEV-ES firmware initialization. The TMR gets locked +during the firmware initialization and unlocked during the shutdown. +While the TMR is locked, access to it is disallowed. + +Currently, the CCP driver does not shutdown the firmware during the +kexec reboot, leaving the TMR memory locked. + +Register a callback to shutdown the SEV firmware on the kexec boot. + +Fixes: 97f9ac3db6612 ("crypto: ccp - Add support for SEV-ES to the PSP driver") +Reported-by: Lucas Nussbaum +Tested-by: Lucas Nussbaum +Cc: +Cc: Tom Lendacky +Cc: Joerg Roedel +Cc: Herbert Xu +Cc: David Rientjes +Signed-off-by: Brijesh Singh +Acked-by: Tom Lendacky +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/ccp/sev-dev.c | 49 ++++++++++++++++++++----------------------- + drivers/crypto/ccp/sp-pci.c | 12 ++++++++++ + 2 files changed, 35 insertions(+), 26 deletions(-) + +--- a/drivers/crypto/ccp/sev-dev.c ++++ b/drivers/crypto/ccp/sev-dev.c +@@ -278,6 +278,9 @@ static int __sev_platform_shutdown_locke + struct sev_device *sev = psp_master->sev_data; + int ret; + ++ if (sev->state == SEV_STATE_UNINIT) ++ return 0; ++ + ret = __sev_do_cmd_locked(SEV_CMD_SHUTDOWN, NULL, error); + if (ret) + return ret; +@@ -1018,6 +1021,20 @@ e_err: + return ret; + } + ++static void sev_firmware_shutdown(struct sev_device *sev) ++{ ++ sev_platform_shutdown(NULL); ++ ++ if (sev_es_tmr) { ++ /* The TMR area was encrypted, flush it from the cache */ ++ wbinvd_on_all_cpus(); ++ ++ free_pages((unsigned long)sev_es_tmr, ++ get_order(SEV_ES_TMR_SIZE)); ++ sev_es_tmr = NULL; ++ } ++} ++ + void sev_dev_destroy(struct psp_device *psp) + { + struct sev_device *sev = psp->sev_data; +@@ -1025,6 +1042,8 @@ void sev_dev_destroy(struct psp_device * + if (!sev) + return; + ++ sev_firmware_shutdown(sev); ++ + if (sev->misc) + kref_put(&misc_dev->refcount, sev_exit); + +@@ -1055,21 +1074,6 @@ void sev_pci_init(void) + if (sev_get_api_version()) + goto err; + +- /* +- * If platform is not in UNINIT state then firmware upgrade and/or +- * platform INIT command will fail. These command require UNINIT state. +- * +- * In a normal boot we should never run into case where the firmware +- * is not in UNINIT state on boot. But in case of kexec boot, a reboot +- * may not go through a typical shutdown sequence and may leave the +- * firmware in INIT or WORKING state. +- */ +- +- if (sev->state != SEV_STATE_UNINIT) { +- sev_platform_shutdown(NULL); +- sev->state = SEV_STATE_UNINIT; +- } +- + if (sev_version_greater_or_equal(0, 15) && + sev_update_firmware(sev->dev) == 0) + sev_get_api_version(); +@@ -1114,17 +1118,10 @@ err: + + void sev_pci_exit(void) + { +- if (!psp_master->sev_data) +- return; +- +- sev_platform_shutdown(NULL); ++ struct sev_device *sev = psp_master->sev_data; + +- if (sev_es_tmr) { +- /* The TMR area was encrypted, flush it from the cache */ +- wbinvd_on_all_cpus(); ++ if (!sev) ++ return; + +- free_pages((unsigned long)sev_es_tmr, +- get_order(SEV_ES_TMR_SIZE)); +- sev_es_tmr = NULL; +- } ++ sev_firmware_shutdown(sev); + } +--- a/drivers/crypto/ccp/sp-pci.c ++++ b/drivers/crypto/ccp/sp-pci.c +@@ -241,6 +241,17 @@ e_err: + return ret; + } + ++static void sp_pci_shutdown(struct pci_dev *pdev) ++{ ++ struct device *dev = &pdev->dev; ++ struct sp_device *sp = dev_get_drvdata(dev); ++ ++ if (!sp) ++ return; ++ ++ sp_destroy(sp); ++} ++ + static void sp_pci_remove(struct pci_dev *pdev) + { + struct device *dev = &pdev->dev; +@@ -370,6 +381,7 @@ static struct pci_driver sp_pci_driver = + .id_table = sp_pci_table, + .probe = sp_pci_probe, + .remove = sp_pci_remove, ++ .shutdown = sp_pci_shutdown, + .driver.pm = &sp_pci_pm_ops, + }; + diff --git a/queue-5.10/crypto-public_key-fix-overflow-during-implicit-conversion.patch b/queue-5.10/crypto-public_key-fix-overflow-during-implicit-conversion.patch new file mode 100644 index 00000000000..3404b584e63 --- /dev/null +++ b/queue-5.10/crypto-public_key-fix-overflow-during-implicit-conversion.patch @@ -0,0 +1,70 @@ +From f985911b7bc75d5c98ed24d8aaa8b94c590f7c6a Mon Sep 17 00:00:00 2001 +From: zhenwei pi +Date: Thu, 19 Aug 2021 20:37:10 +0800 +Subject: crypto: public_key: fix overflow during implicit conversion + +From: zhenwei pi + +commit f985911b7bc75d5c98ed24d8aaa8b94c590f7c6a upstream. + +Hit kernel warning like this, it can be reproduced by verifying 256 +bytes datafile by keyctl command, run script: +RAWDATA=rawdata +SIGDATA=sigdata + +modprobe pkcs8_key_parser + +rm -rf *.der *.pem *.pfx +rm -rf $RAWDATA +dd if=/dev/random of=$RAWDATA bs=256 count=1 + +openssl req -nodes -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem \ + -subj "/C=CN/ST=GD/L=SZ/O=vihoo/OU=dev/CN=xx.com/emailAddress=yy@xx.com" + +KEY_ID=`openssl pkcs8 -in key.pem -topk8 -nocrypt -outform DER | keyctl \ + padd asymmetric 123 @s` + +keyctl pkey_sign $KEY_ID 0 $RAWDATA enc=pkcs1 hash=sha1 > $SIGDATA +keyctl pkey_verify $KEY_ID 0 $RAWDATA $SIGDATA enc=pkcs1 hash=sha1 + +Then the kernel reports: + WARNING: CPU: 5 PID: 344556 at crypto/rsa-pkcs1pad.c:540 + pkcs1pad_verify+0x160/0x190 + ... + Call Trace: + public_key_verify_signature+0x282/0x380 + ? software_key_query+0x12d/0x180 + ? keyctl_pkey_params_get+0xd6/0x130 + asymmetric_key_verify_signature+0x66/0x80 + keyctl_pkey_verify+0xa5/0x100 + do_syscall_64+0x35/0xb0 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +The reason of this issue, in function 'asymmetric_key_verify_signature': +'.digest_size(u8) = params->in_len(u32)' leads overflow of an u8 value, +so use u32 instead of u8 for digest_size field. And reorder struct +public_key_signature, it saves 8 bytes on a 64-bit machine. + +Cc: stable@vger.kernel.org +Signed-off-by: zhenwei pi +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + include/crypto/public_key.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/include/crypto/public_key.h ++++ b/include/crypto/public_key.h +@@ -39,9 +39,9 @@ extern void public_key_free(struct publi + struct public_key_signature { + struct asymmetric_key_id *auth_ids[2]; + u8 *s; /* Signature */ +- u32 s_size; /* Number of bytes in signature */ + u8 *digest; +- u8 digest_size; /* Number of bytes in digest */ ++ u32 s_size; /* Number of bytes in signature */ ++ u32 digest_size; /* Number of bytes in digest */ + const char *pkey_algo; + const char *hash_algo; + const char *encoding; diff --git a/queue-5.10/dm-crypt-avoid-percpu_counter-spinlock-contention-in-crypt_page_alloc.patch b/queue-5.10/dm-crypt-avoid-percpu_counter-spinlock-contention-in-crypt_page_alloc.patch new file mode 100644 index 00000000000..6b5b403b62e --- /dev/null +++ b/queue-5.10/dm-crypt-avoid-percpu_counter-spinlock-contention-in-crypt_page_alloc.patch @@ -0,0 +1,128 @@ +From 528b16bfc3ae5f11638e71b3b63a81f9999df727 Mon Sep 17 00:00:00 2001 +From: Arne Welzel +Date: Sat, 14 Aug 2021 00:40:38 +0200 +Subject: dm crypt: Avoid percpu_counter spinlock contention in crypt_page_alloc() + +From: Arne Welzel + +commit 528b16bfc3ae5f11638e71b3b63a81f9999df727 upstream. + +On systems with many cores using dm-crypt, heavy spinlock contention in +percpu_counter_compare() can be observed when the page allocation limit +for a given device is reached or close to be reached. This is due +to percpu_counter_compare() taking a spinlock to compute an exact +result on potentially many CPUs at the same time. + +Switch to non-exact comparison of allocated and allowed pages by using +the value returned by percpu_counter_read_positive() to avoid taking +the percpu_counter spinlock. + +This may over/under estimate the actual number of allocated pages by at +most (batch-1) * num_online_cpus(). + +Currently, batch is bounded by 32. The system on which this issue was +first observed has 256 CPUs and 512GB of RAM. With a 4k page size, this +change may over/under estimate by 31MB. With ~10G (2%) allowed dm-crypt +allocations, this seems an acceptable error. Certainly preferred over +running into the spinlock contention. + +This behavior was reproduced on an EC2 c5.24xlarge instance with 96 CPUs +and 192GB RAM as follows, but can be provoked on systems with less CPUs +as well. + + * Disable swap + * Tune vm settings to promote regular writeback + $ echo 50 > /proc/sys/vm/dirty_expire_centisecs + $ echo 25 > /proc/sys/vm/dirty_writeback_centisecs + $ echo $((128 * 1024 * 1024)) > /proc/sys/vm/dirty_background_bytes + + * Create 8 dmcrypt devices based on files on a tmpfs + * Create and mount an ext4 filesystem on each crypt devices + * Run stress-ng --hdd 8 within one of above filesystems + +Total %system usage collected from sysstat goes to ~35%. Write throughput +on the underlying loop device is ~2GB/s. perf profiling an individual +kworker kcryptd thread shows the following profile, indicating spinlock +contention in percpu_counter_compare(): + + 99.98% 0.00% kworker/u193:46 [kernel.kallsyms] [k] ret_from_fork + | + --ret_from_fork + kthread + worker_thread + | + --99.92%--process_one_work + | + |--80.52%--kcryptd_crypt + | | + | |--62.58%--mempool_alloc + | | | + | | --62.24%--crypt_page_alloc + | | | + | | --61.51%--__percpu_counter_compare + | | | + | | --61.34%--__percpu_counter_sum + | | | + | | |--58.68%--_raw_spin_lock_irqsave + | | | | + | | | --58.30%--native_queued_spin_lock_slowpath + | | | + | | --0.69%--cpumask_next + | | | + | | --0.51%--_find_next_bit + | | + | |--10.61%--crypt_convert + | | | + | | |--6.05%--xts_crypt + ... + +After applying this patch and running the same test, %system usage is +lowered to ~7% and write throughput on the loop device increases +to ~2.7GB/s. perf report shows mempool_alloc() as ~8% rather than ~62% +in the profile and not hitting the percpu_counter() spinlock anymore. + + |--8.15%--mempool_alloc + | | + | |--3.93%--crypt_page_alloc + | | | + | | --3.75%--__alloc_pages + | | | + | | --3.62%--get_page_from_freelist + | | | + | | --3.22%--rmqueue_bulk + | | | + | | --2.59%--_raw_spin_lock + | | | + | | --2.57%--native_queued_spin_lock_slowpath + | | + | --3.05%--_raw_spin_lock_irqsave + | | + | --2.49%--native_queued_spin_lock_slowpath + +Suggested-by: DJ Gregor +Reviewed-by: Mikulas Patocka +Signed-off-by: Arne Welzel +Fixes: 5059353df86e ("dm crypt: limit the number of allocated pages") +Cc: stable@vger.kernel.org +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-crypt.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/md/dm-crypt.c ++++ b/drivers/md/dm-crypt.c +@@ -2643,7 +2643,12 @@ static void *crypt_page_alloc(gfp_t gfp_ + struct crypt_config *cc = pool_data; + struct page *page; + +- if (unlikely(percpu_counter_compare(&cc->n_allocated_pages, dm_crypt_pages_per_client) >= 0) && ++ /* ++ * Note, percpu_counter_read_positive() may over (and under) estimate ++ * the current usage by at most (batch - 1) * num_online_cpus() pages, ++ * but avoids potential spinlock contention of an exact result. ++ */ ++ if (unlikely(percpu_counter_read_positive(&cc->n_allocated_pages) >= dm_crypt_pages_per_client) && + likely(gfp_mask & __GFP_NORETRY)) + return NULL; + diff --git a/queue-5.10/dmaengine-imx-sdma-remove-duplicated-sdma_load_context.patch b/queue-5.10/dmaengine-imx-sdma-remove-duplicated-sdma_load_context.patch new file mode 100644 index 00000000000..b947e0b9521 --- /dev/null +++ b/queue-5.10/dmaengine-imx-sdma-remove-duplicated-sdma_load_context.patch @@ -0,0 +1,44 @@ +From e555a03b112838883fdd8185d613c35d043732f2 Mon Sep 17 00:00:00 2001 +From: Robin Gong +Date: Wed, 14 Jul 2021 18:20:44 +0800 +Subject: dmaengine: imx-sdma: remove duplicated sdma_load_context + +From: Robin Gong + +commit e555a03b112838883fdd8185d613c35d043732f2 upstream. + +Since sdma_transfer_init() will do sdma_load_context before any +sdma transfer, no need once more in sdma_config_channel(). + +Fixes: ad0d92d7ba6a ("dmaengine: imx-sdma: refine to load context only once") +Cc: +Signed-off-by: Robin Gong +Acked-by: Vinod Koul +Tested-by: Richard Leitner +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/imx-sdma.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/drivers/dma/imx-sdma.c ++++ b/drivers/dma/imx-sdma.c +@@ -1138,7 +1138,6 @@ static void sdma_set_watermarklevel_for_ + static int sdma_config_channel(struct dma_chan *chan) + { + struct sdma_channel *sdmac = to_sdma_chan(chan); +- int ret; + + sdma_disable_channel(chan); + +@@ -1178,9 +1177,7 @@ static int sdma_config_channel(struct dm + sdmac->watermark_level = 0; /* FIXME: M3_BASE_ADDRESS */ + } + +- ret = sdma_load_context(sdmac); +- +- return ret; ++ return 0; + } + + static int sdma_set_channel_priority(struct sdma_channel *sdmac, diff --git a/queue-5.10/iio-ltc2983-fix-device-probe.patch b/queue-5.10/iio-ltc2983-fix-device-probe.patch new file mode 100644 index 00000000000..e191218370c --- /dev/null +++ b/queue-5.10/iio-ltc2983-fix-device-probe.patch @@ -0,0 +1,98 @@ +From b76d26d69ecc97ebb24aaf40427a13c808a4f488 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Nuno=20S=C3=A1?= +Date: Wed, 11 Aug 2021 15:32:20 +0200 +Subject: iio: ltc2983: fix device probe +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nuno Sá + +commit b76d26d69ecc97ebb24aaf40427a13c808a4f488 upstream. + +There is no reason to assume that the IRQ rising edge (indicating that +the device start up phase is done) will happen after we request the IRQ. +If the device is already up by the time we request it, the call to +'wait_for_completion_timeout()' will timeout and we will fail the device +probe even though there's nothing wrong. + +Fix it by just polling the status register until we get the indication that +the device is up and running. As a side effect of this fix, requesting the +IRQ is also moved to after the setup function. + +Fixes: f110f3188e563 ("iio: temperature: Add support for LTC2983") +Reported-and-tested-by: Drew Fustini +Reviewed-by: Drew Fustini +Signed-off-by: Nuno Sá +Reviewed-by: Andy Shevchenko +Cc: +Link: https://lore.kernel.org/r/20210811133220.190264-2-nuno.sa@analog.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/temperature/ltc2983.c | 30 ++++++++++++++---------------- + 1 file changed, 14 insertions(+), 16 deletions(-) + +--- a/drivers/iio/temperature/ltc2983.c ++++ b/drivers/iio/temperature/ltc2983.c +@@ -89,6 +89,8 @@ + + #define LTC2983_STATUS_START_MASK BIT(7) + #define LTC2983_STATUS_START(x) FIELD_PREP(LTC2983_STATUS_START_MASK, x) ++#define LTC2983_STATUS_UP_MASK GENMASK(7, 6) ++#define LTC2983_STATUS_UP(reg) FIELD_GET(LTC2983_STATUS_UP_MASK, reg) + + #define LTC2983_STATUS_CHAN_SEL_MASK GENMASK(4, 0) + #define LTC2983_STATUS_CHAN_SEL(x) \ +@@ -1362,17 +1364,16 @@ put_child: + + static int ltc2983_setup(struct ltc2983_data *st, bool assign_iio) + { +- u32 iio_chan_t = 0, iio_chan_v = 0, chan, iio_idx = 0; ++ u32 iio_chan_t = 0, iio_chan_v = 0, chan, iio_idx = 0, status; + int ret; +- unsigned long time; +- +- /* make sure the device is up */ +- time = wait_for_completion_timeout(&st->completion, +- msecs_to_jiffies(250)); + +- if (!time) { ++ /* make sure the device is up: start bit (7) is 0 and done bit (6) is 1 */ ++ ret = regmap_read_poll_timeout(st->regmap, LTC2983_STATUS_REG, status, ++ LTC2983_STATUS_UP(status) == 1, 25000, ++ 25000 * 10); ++ if (ret) { + dev_err(&st->spi->dev, "Device startup timed out\n"); +- return -ETIMEDOUT; ++ return ret; + } + + st->iio_chan = devm_kzalloc(&st->spi->dev, +@@ -1492,10 +1493,11 @@ static int ltc2983_probe(struct spi_devi + ret = ltc2983_parse_dt(st); + if (ret) + return ret; +- /* +- * let's request the irq now so it is used to sync the device +- * startup in ltc2983_setup() +- */ ++ ++ ret = ltc2983_setup(st, true); ++ if (ret) ++ return ret; ++ + ret = devm_request_irq(&spi->dev, spi->irq, ltc2983_irq_handler, + IRQF_TRIGGER_RISING, name, st); + if (ret) { +@@ -1503,10 +1505,6 @@ static int ltc2983_probe(struct spi_devi + return ret; + } + +- ret = ltc2983_setup(st, true); +- if (ret) +- return ret; +- + indio_dev->name = name; + indio_dev->num_channels = st->iio_channels; + indio_dev->channels = st->iio_chan; diff --git a/queue-5.10/media-rc-loopback-return-number-of-emitters-rather-than-error.patch b/queue-5.10/media-rc-loopback-return-number-of-emitters-rather-than-error.patch new file mode 100644 index 00000000000..fc19a508579 --- /dev/null +++ b/queue-5.10/media-rc-loopback-return-number-of-emitters-rather-than-error.patch @@ -0,0 +1,31 @@ +From 6b7f554be8c92319d7e6df92fd247ebb9beb4a45 Mon Sep 17 00:00:00 2001 +From: Sean Young +Date: Sat, 3 Jul 2021 15:37:17 +0200 +Subject: media: rc-loopback: return number of emitters rather than error + +From: Sean Young + +commit 6b7f554be8c92319d7e6df92fd247ebb9beb4a45 upstream. + +The LIRC_SET_TRANSMITTER_MASK ioctl should return the number of emitters +if an invalid list was set. + +Cc: stable@vger.kernel.org +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/rc/rc-loopback.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/rc/rc-loopback.c ++++ b/drivers/media/rc/rc-loopback.c +@@ -42,7 +42,7 @@ static int loop_set_tx_mask(struct rc_de + + if ((mask & (RXMASK_REGULAR | RXMASK_LEARNING)) != mask) { + dprintk("invalid tx mask: %u\n", mask); +- return -EINVAL; ++ return 2; + } + + dprintk("setting tx mask: %u\n", mask); diff --git a/queue-5.10/media-uvc-don-t-do-dma-on-stack.patch b/queue-5.10/media-uvc-don-t-do-dma-on-stack.patch new file mode 100644 index 00000000000..99222e911df --- /dev/null +++ b/queue-5.10/media-uvc-don-t-do-dma-on-stack.patch @@ -0,0 +1,96 @@ +From 1a10d7fdb6d0e235e9d230916244cc2769d3f170 Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Thu, 17 Jun 2021 14:33:29 +0200 +Subject: media: uvc: don't do DMA on stack + +From: Mauro Carvalho Chehab + +commit 1a10d7fdb6d0e235e9d230916244cc2769d3f170 upstream. + +As warned by smatch: + drivers/media/usb/uvc/uvc_v4l2.c:911 uvc_ioctl_g_input() error: doing dma on the stack (&i) + drivers/media/usb/uvc/uvc_v4l2.c:943 uvc_ioctl_s_input() error: doing dma on the stack (&i) + +those two functions call uvc_query_ctrl passing a pointer to +a data at the DMA stack. those are used to send URBs via +usb_control_msg(). Using DMA stack is not supported and should +not work anymore on modern Linux versions. + +So, use a kmalloc'ed buffer. + +Cc: stable@vger.kernel.org # Kernel 4.9 and upper +Reviewed-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/uvc/uvc_v4l2.c | 34 +++++++++++++++++++++++----------- + 1 file changed, 23 insertions(+), 11 deletions(-) + +--- a/drivers/media/usb/uvc/uvc_v4l2.c ++++ b/drivers/media/usb/uvc/uvc_v4l2.c +@@ -898,8 +898,8 @@ static int uvc_ioctl_g_input(struct file + { + struct uvc_fh *handle = fh; + struct uvc_video_chain *chain = handle->chain; ++ u8 *buf; + int ret; +- u8 i; + + if (chain->selector == NULL || + (chain->dev->quirks & UVC_QUIRK_IGNORE_SELECTOR_UNIT)) { +@@ -907,22 +907,27 @@ static int uvc_ioctl_g_input(struct file + return 0; + } + ++ buf = kmalloc(1, GFP_KERNEL); ++ if (!buf) ++ return -ENOMEM; ++ + ret = uvc_query_ctrl(chain->dev, UVC_GET_CUR, chain->selector->id, + chain->dev->intfnum, UVC_SU_INPUT_SELECT_CONTROL, +- &i, 1); +- if (ret < 0) +- return ret; ++ buf, 1); ++ if (!ret) ++ *input = *buf - 1; + +- *input = i - 1; +- return 0; ++ kfree(buf); ++ ++ return ret; + } + + static int uvc_ioctl_s_input(struct file *file, void *fh, unsigned int input) + { + struct uvc_fh *handle = fh; + struct uvc_video_chain *chain = handle->chain; ++ u8 *buf; + int ret; +- u32 i; + + ret = uvc_acquire_privileges(handle); + if (ret < 0) +@@ -938,10 +943,17 @@ static int uvc_ioctl_s_input(struct file + if (input >= chain->selector->bNrInPins) + return -EINVAL; + +- i = input + 1; +- return uvc_query_ctrl(chain->dev, UVC_SET_CUR, chain->selector->id, +- chain->dev->intfnum, UVC_SU_INPUT_SELECT_CONTROL, +- &i, 1); ++ buf = kmalloc(1, GFP_KERNEL); ++ if (!buf) ++ return -ENOMEM; ++ ++ *buf = input + 1; ++ ret = uvc_query_ctrl(chain->dev, UVC_SET_CUR, chain->selector->id, ++ chain->dev->intfnum, UVC_SU_INPUT_SELECT_CONTROL, ++ buf, 1); ++ kfree(buf); ++ ++ return ret; + } + + static int uvc_ioctl_queryctrl(struct file *file, void *fh, diff --git a/queue-5.10/pinctrl-ingenic-fix-incorrect-pull-up-down-info.patch b/queue-5.10/pinctrl-ingenic-fix-incorrect-pull-up-down-info.patch new file mode 100644 index 00000000000..1a47a8e9f92 --- /dev/null +++ b/queue-5.10/pinctrl-ingenic-fix-incorrect-pull-up-down-info.patch @@ -0,0 +1,52 @@ +From d5e931403942b3af39212960c2592b5ba741b2bf Mon Sep 17 00:00:00 2001 +From: Paul Cercueil +Date: Sat, 17 Jul 2021 18:48:34 +0100 +Subject: pinctrl: ingenic: Fix incorrect pull up/down info +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Paul Cercueil + +commit d5e931403942b3af39212960c2592b5ba741b2bf upstream. + +Fix the pull up/down info for both the JZ4760 and JZ4770 SoCs, as the +previous values sometimes contradicted what's written in the programming +manual. + +Fixes: b5c23aa46537 ("pinctrl: add a pinctrl driver for the Ingenic jz47xx SoCs") +Cc: # v4.12 +Signed-off-by: Paul Cercueil +Tested-by: 周琰杰 (Zhou Yanjie) +Link: https://lore.kernel.org/r/20210717174836.14776-1-paul@crapouillou.net +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/pinctrl-ingenic.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/pinctrl/pinctrl-ingenic.c ++++ b/drivers/pinctrl/pinctrl-ingenic.c +@@ -363,7 +363,7 @@ static const struct ingenic_chip_info jz + }; + + static const u32 jz4760_pull_ups[6] = { +- 0xffffffff, 0xfffcf3ff, 0xffffffff, 0xffffcfff, 0xfffffb7c, 0xfffff00f, ++ 0xffffffff, 0xfffcf3ff, 0xffffffff, 0xffffcfff, 0xfffffb7c, 0x0000000f, + }; + + static const u32 jz4760_pull_downs[6] = { +@@ -618,11 +618,11 @@ static const struct ingenic_chip_info jz + }; + + static const u32 jz4770_pull_ups[6] = { +- 0x3fffffff, 0xfff0030c, 0xffffffff, 0xffff4fff, 0xfffffb7c, 0xffa7f00f, ++ 0x3fffffff, 0xfff0f3fc, 0xffffffff, 0xffff4fff, 0xfffffb7c, 0x0024f00f, + }; + + static const u32 jz4770_pull_downs[6] = { +- 0x00000000, 0x000f0c03, 0x00000000, 0x0000b000, 0x00000483, 0x00580ff0, ++ 0x00000000, 0x000f0c03, 0x00000000, 0x0000b000, 0x00000483, 0x005b0ff0, + }; + + static int jz4770_uart0_data_pins[] = { 0xa0, 0xa3, }; diff --git a/queue-5.10/pinctrl-stmfx-fix-hazardous-u8-to-unsigned-long-cast.patch b/queue-5.10/pinctrl-stmfx-fix-hazardous-u8-to-unsigned-long-cast.patch new file mode 100644 index 00000000000..bbf59ec10dc --- /dev/null +++ b/queue-5.10/pinctrl-stmfx-fix-hazardous-u8-to-unsigned-long-cast.patch @@ -0,0 +1,57 @@ +From 1b73e588f47397dee6e4bdfd953e0306c60b5fe5 Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Sun, 25 Jul 2021 19:08:30 +0100 +Subject: pinctrl: stmfx: Fix hazardous u8[] to unsigned long cast + +From: Marc Zyngier + +commit 1b73e588f47397dee6e4bdfd953e0306c60b5fe5 upstream. + +Casting a small array of u8 to an unsigned long is *never* OK: + +- it does funny thing when the array size is less than that of a long, + as it accesses random places in the stack +- it makes everything even more fun with a BE kernel + +Fix this by building the unsigned long used as a bitmap byte by byte, +in a way that works across endianess and has no undefined behaviours. + +An extra BUILD_BUG_ON() catches the unlikely case where the array +would be larger than a single unsigned long. + +Fixes: 1490d9f841b1 ("pinctrl: Add STMFX GPIO expander Pinctrl/GPIO driver") +Signed-off-by: Marc Zyngier +Cc: stable@vger.kernel.org +Cc: Amelie Delaunay +Cc: Linus Walleij +Cc: Maxime Coquelin +Cc: Alexandre Torgue +Link: https://lore.kernel.org/r/20210725180830.250218-1-maz@kernel.org +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/pinctrl-stmfx.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/pinctrl/pinctrl-stmfx.c ++++ b/drivers/pinctrl/pinctrl-stmfx.c +@@ -566,7 +566,7 @@ static irqreturn_t stmfx_pinctrl_irq_thr + u8 pending[NR_GPIO_REGS]; + u8 src[NR_GPIO_REGS] = {0, 0, 0}; + unsigned long n, status; +- int ret; ++ int i, ret; + + ret = regmap_bulk_read(pctl->stmfx->map, STMFX_REG_IRQ_GPI_PENDING, + &pending, NR_GPIO_REGS); +@@ -576,7 +576,9 @@ static irqreturn_t stmfx_pinctrl_irq_thr + regmap_bulk_write(pctl->stmfx->map, STMFX_REG_IRQ_GPI_SRC, + src, NR_GPIO_REGS); + +- status = *(unsigned long *)pending; ++ BUILD_BUG_ON(NR_GPIO_REGS > sizeof(status)); ++ for (i = 0, status = 0; i < NR_GPIO_REGS; i++) ++ status |= (unsigned long)pending[i] << (i * 8); + for_each_set_bit(n, &status, gc->ngpio) { + handle_nested_irq(irq_find_mapping(gc->irq.domain, n)); + stmfx_pinctrl_irq_toggle_trigger(pctl, n); diff --git a/queue-5.10/power-supply-max17042-handle-fails-of-reading-status-register.patch b/queue-5.10/power-supply-max17042-handle-fails-of-reading-status-register.patch new file mode 100644 index 00000000000..9994d399b87 --- /dev/null +++ b/queue-5.10/power-supply-max17042-handle-fails-of-reading-status-register.patch @@ -0,0 +1,43 @@ +From 54784ffa5b267f57161eb8fbb811499f22a0a0bf Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Mon, 16 Aug 2021 10:27:14 +0200 +Subject: power: supply: max17042: handle fails of reading status register + +From: Krzysztof Kozlowski + +commit 54784ffa5b267f57161eb8fbb811499f22a0a0bf upstream. + +Reading status register can fail in the interrupt handler. In such +case, the regmap_read() will not store anything useful under passed +'val' variable and random stack value will be used to determine type of +interrupt. + +Handle the regmap_read() failure to avoid handling interrupt type and +triggering changed power supply event based on random stack value. + +Fixes: 39e7213edc4f ("max17042_battery: Support regmap to access device's registers") +Cc: +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Hans de Goede +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/max17042_battery.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/power/supply/max17042_battery.c ++++ b/drivers/power/supply/max17042_battery.c +@@ -859,8 +859,12 @@ static irqreturn_t max17042_thread_handl + { + struct max17042_chip *chip = dev; + u32 val; ++ int ret; ++ ++ ret = regmap_read(chip->regmap, MAX17042_STATUS, &val); ++ if (ret) ++ return IRQ_HANDLED; + +- regmap_read(chip->regmap, MAX17042_STATUS, &val); + if ((val & STATUS_INTR_SOCMIN_BIT) || + (val & STATUS_INTR_SOCMAX_BIT)) { + dev_info(&chip->client->dev, "SOC threshold INTR\n"); diff --git a/queue-5.10/revert-dmaengine-imx-sdma-refine-to-load-context-only-once.patch b/queue-5.10/revert-dmaengine-imx-sdma-refine-to-load-context-only-once.patch new file mode 100644 index 00000000000..8f96ef2808a --- /dev/null +++ b/queue-5.10/revert-dmaengine-imx-sdma-refine-to-load-context-only-once.patch @@ -0,0 +1,68 @@ +From 8592f02464d52776c5cfae4627c6413b0ae7602d Mon Sep 17 00:00:00 2001 +From: Robin Gong +Date: Wed, 14 Jul 2021 18:20:43 +0800 +Subject: Revert "dmaengine: imx-sdma: refine to load context only once" + +From: Robin Gong + +commit 8592f02464d52776c5cfae4627c6413b0ae7602d upstream. + +This reverts commit ad0d92d7ba6aecbe2705907c38ff8d8be4da1e9c, because +in spi-imx case, burst length may be changed dynamically. + +Fixes: ad0d92d7ba6a ("dmaengine: imx-sdma: refine to load context only once") +Cc: +Signed-off-by: Robin Gong +Acked-by: Sascha Hauer +Tested-by: Richard Leitner +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/imx-sdma.c | 8 -------- + 1 file changed, 8 deletions(-) + +--- a/drivers/dma/imx-sdma.c ++++ b/drivers/dma/imx-sdma.c +@@ -379,7 +379,6 @@ struct sdma_channel { + unsigned long watermark_level; + u32 shp_addr, per_addr; + enum dma_status status; +- bool context_loaded; + struct imx_dma_data data; + struct work_struct terminate_worker; + }; +@@ -985,9 +984,6 @@ static int sdma_load_context(struct sdma + int ret; + unsigned long flags; + +- if (sdmac->context_loaded) +- return 0; +- + if (sdmac->direction == DMA_DEV_TO_MEM) + load_address = sdmac->pc_from_device; + else if (sdmac->direction == DMA_DEV_TO_DEV) +@@ -1030,8 +1026,6 @@ static int sdma_load_context(struct sdma + + spin_unlock_irqrestore(&sdma->channel_0_lock, flags); + +- sdmac->context_loaded = true; +- + return ret; + } + +@@ -1070,7 +1064,6 @@ static void sdma_channel_terminate_work( + vchan_get_all_descriptors(&sdmac->vc, &head); + spin_unlock_irqrestore(&sdmac->vc.lock, flags); + vchan_dma_desc_free_list(&sdmac->vc, &head); +- sdmac->context_loaded = false; + } + + static int sdma_terminate_all(struct dma_chan *chan) +@@ -1338,7 +1331,6 @@ static void sdma_free_chan_resources(str + + sdmac->event_id0 = 0; + sdmac->event_id1 = 0; +- sdmac->context_loaded = false; + + sdma_set_channel_priority(sdmac, 0); + diff --git a/queue-5.10/s390-qdio-cancel-the-establish-ccw-after-timeout.patch b/queue-5.10/s390-qdio-cancel-the-establish-ccw-after-timeout.patch new file mode 100644 index 00000000000..ac85606ec41 --- /dev/null +++ b/queue-5.10/s390-qdio-cancel-the-establish-ccw-after-timeout.patch @@ -0,0 +1,102 @@ +From 1c1dc8bda3a05c60877a6649775894db5343bdea Mon Sep 17 00:00:00 2001 +From: Julian Wiedmann +Date: Mon, 31 May 2021 18:33:02 +0300 +Subject: s390/qdio: cancel the ESTABLISH ccw after timeout + +From: Julian Wiedmann + +commit 1c1dc8bda3a05c60877a6649775894db5343bdea upstream. + +When the ESTABLISH ccw does not complete within the specified timeout, +try our best to cancel the ccw program that is still active on the +device. Otherwise the IO subsystem might be accessing it even after +the driver eg. called qdio_free(). + +Fixes: 779e6e1c724d ("[S390] qdio: new qdio driver.") +Signed-off-by: Julian Wiedmann +Reviewed-by: Benjamin Block +Cc: # 2.6.27 +Signed-off-by: Heiko Carstens +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/cio/qdio_main.c | 51 +++++++++++++++++++++++++------------------ + 1 file changed, 30 insertions(+), 21 deletions(-) + +--- a/drivers/s390/cio/qdio_main.c ++++ b/drivers/s390/cio/qdio_main.c +@@ -1025,6 +1025,33 @@ static void qdio_shutdown_queues(struct + } + } + ++static int qdio_cancel_ccw(struct qdio_irq *irq, int how) ++{ ++ struct ccw_device *cdev = irq->cdev; ++ int rc; ++ ++ spin_lock_irq(get_ccwdev_lock(cdev)); ++ qdio_set_state(irq, QDIO_IRQ_STATE_CLEANUP); ++ if (how & QDIO_FLAG_CLEANUP_USING_CLEAR) ++ rc = ccw_device_clear(cdev, QDIO_DOING_CLEANUP); ++ else ++ /* default behaviour is halt */ ++ rc = ccw_device_halt(cdev, QDIO_DOING_CLEANUP); ++ spin_unlock_irq(get_ccwdev_lock(cdev)); ++ if (rc) { ++ DBF_ERROR("%4x SHUTD ERR", irq->schid.sch_no); ++ DBF_ERROR("rc:%4d", rc); ++ return rc; ++ } ++ ++ wait_event_interruptible_timeout(cdev->private->wait_q, ++ irq->state == QDIO_IRQ_STATE_INACTIVE || ++ irq->state == QDIO_IRQ_STATE_ERR, ++ 10 * HZ); ++ ++ return 0; ++} ++ + /** + * qdio_shutdown - shut down a qdio subchannel + * @cdev: associated ccw device +@@ -1063,27 +1090,7 @@ int qdio_shutdown(struct ccw_device *cde + qdio_shutdown_queues(irq_ptr); + qdio_shutdown_debug_entries(irq_ptr); + +- /* cleanup subchannel */ +- spin_lock_irq(get_ccwdev_lock(cdev)); +- qdio_set_state(irq_ptr, QDIO_IRQ_STATE_CLEANUP); +- if (how & QDIO_FLAG_CLEANUP_USING_CLEAR) +- rc = ccw_device_clear(cdev, QDIO_DOING_CLEANUP); +- else +- /* default behaviour is halt */ +- rc = ccw_device_halt(cdev, QDIO_DOING_CLEANUP); +- spin_unlock_irq(get_ccwdev_lock(cdev)); +- if (rc) { +- DBF_ERROR("%4x SHUTD ERR", irq_ptr->schid.sch_no); +- DBF_ERROR("rc:%4d", rc); +- goto no_cleanup; +- } +- +- wait_event_interruptible_timeout(cdev->private->wait_q, +- irq_ptr->state == QDIO_IRQ_STATE_INACTIVE || +- irq_ptr->state == QDIO_IRQ_STATE_ERR, +- 10 * HZ); +- +-no_cleanup: ++ rc = qdio_cancel_ccw(irq_ptr, how); + qdio_shutdown_thinint(irq_ptr); + qdio_shutdown_irq(irq_ptr); + +@@ -1316,10 +1323,12 @@ int qdio_establish(struct ccw_device *cd + return 0; + + err_ccw_timeout: ++ qdio_cancel_ccw(irq_ptr, QDIO_FLAG_CLEANUP_USING_CLEAR); + err_ccw_start: + qdio_shutdown_thinint(irq_ptr); + err_thinint: + qdio_shutdown_irq(irq_ptr); ++ qdio_set_state(irq_ptr, QDIO_IRQ_STATE_INACTIVE); + mutex_unlock(&irq_ptr->setup_mutex); + return rc; + } diff --git a/queue-5.10/s390-qdio-fix-roll-back-after-timeout-on-establish-ccw.patch b/queue-5.10/s390-qdio-fix-roll-back-after-timeout-on-establish-ccw.patch new file mode 100644 index 00000000000..f51b0e4b6df --- /dev/null +++ b/queue-5.10/s390-qdio-fix-roll-back-after-timeout-on-establish-ccw.patch @@ -0,0 +1,110 @@ +From 2c197870e4701610ec3b1143808d4e31152caf30 Mon Sep 17 00:00:00 2001 +From: Julian Wiedmann +Date: Mon, 31 May 2021 18:40:06 +0300 +Subject: s390/qdio: fix roll-back after timeout on ESTABLISH ccw + +From: Julian Wiedmann + +commit 2c197870e4701610ec3b1143808d4e31152caf30 upstream. + +When qdio_establish() times out while waiting for the ESTABLISH ccw to +complete, it calls qdio_shutdown() to roll back all of its previous +actions. But at this point the qdio_irq's state is still +QDIO_IRQ_STATE_INACTIVE, so qdio_shutdown() will exit immediately +without doing any actual work. + +Which means that eg. the qdio_irq's thinint-indicator stays registered, +and cdev->handler isn't restored to its old value. And since +commit 954d6235be41 ("s390/qdio: make thinint registration symmetric") +the qdio_irq also stays on the tiq_list, so on the next qdio_establish() +we might get a helpful BUG from the list-debugging code: + +... +[ 4633.512591] list_add double add: new=00000000005a4110, prev=00000001b357db78, next=00000000005a4110. +[ 4633.512621] ------------[ cut here ]------------ +[ 4633.512623] kernel BUG at lib/list_debug.c:29! +... +[ 4633.512796] [<00000001b2c6ee9a>] __list_add_valid+0x82/0xa0 +[ 4633.512798] ([<00000001b2c6ee96>] __list_add_valid+0x7e/0xa0) +[ 4633.512800] [<00000001b2fcecce>] qdio_establish_thinint+0x116/0x190 +[ 4633.512805] [<00000001b2fcbe58>] qdio_establish+0x128/0x498 +... + +Fix this by extracting a goto-chain from the existing error exits in +qdio_establish(), and check the return value of the wait_event_...() +to detect the timeout condition. + +Fixes: 779e6e1c724d ("[S390] qdio: new qdio driver.") +Root-caused-by: Benjamin Block +Signed-off-by: Julian Wiedmann +Reviewed-by: Benjamin Block +Cc: # 2.6.27 +Signed-off-by: Heiko Carstens +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/cio/qdio_main.c | 31 +++++++++++++++++++------------ + 1 file changed, 19 insertions(+), 12 deletions(-) + +--- a/drivers/s390/cio/qdio_main.c ++++ b/drivers/s390/cio/qdio_main.c +@@ -1243,6 +1243,7 @@ int qdio_establish(struct ccw_device *cd + { + struct qdio_irq *irq_ptr = cdev->private->qdio_data; + struct subchannel_id schid; ++ long timeout; + int rc; + + ccw_device_get_schid(cdev, &schid); +@@ -1268,11 +1269,8 @@ int qdio_establish(struct ccw_device *cd + qdio_setup_irq(irq_ptr, init_data); + + rc = qdio_establish_thinint(irq_ptr); +- if (rc) { +- qdio_shutdown_irq(irq_ptr); +- mutex_unlock(&irq_ptr->setup_mutex); +- return rc; +- } ++ if (rc) ++ goto err_thinint; + + /* establish q */ + irq_ptr->ccw.cmd_code = irq_ptr->equeue.cmd; +@@ -1288,15 +1286,16 @@ int qdio_establish(struct ccw_device *cd + if (rc) { + DBF_ERROR("%4x est IO ERR", irq_ptr->schid.sch_no); + DBF_ERROR("rc:%4x", rc); +- qdio_shutdown_thinint(irq_ptr); +- qdio_shutdown_irq(irq_ptr); +- mutex_unlock(&irq_ptr->setup_mutex); +- return rc; ++ goto err_ccw_start; + } + +- wait_event_interruptible_timeout(cdev->private->wait_q, +- irq_ptr->state == QDIO_IRQ_STATE_ESTABLISHED || +- irq_ptr->state == QDIO_IRQ_STATE_ERR, HZ); ++ timeout = wait_event_interruptible_timeout(cdev->private->wait_q, ++ irq_ptr->state == QDIO_IRQ_STATE_ESTABLISHED || ++ irq_ptr->state == QDIO_IRQ_STATE_ERR, HZ); ++ if (timeout <= 0) { ++ rc = (timeout == -ERESTARTSYS) ? -EINTR : -ETIME; ++ goto err_ccw_timeout; ++ } + + if (irq_ptr->state != QDIO_IRQ_STATE_ESTABLISHED) { + mutex_unlock(&irq_ptr->setup_mutex); +@@ -1315,6 +1314,14 @@ int qdio_establish(struct ccw_device *cd + qdio_print_subchannel_info(irq_ptr); + qdio_setup_debug_entries(irq_ptr); + return 0; ++ ++err_ccw_timeout: ++err_ccw_start: ++ qdio_shutdown_thinint(irq_ptr); ++err_thinint: ++ qdio_shutdown_irq(irq_ptr); ++ mutex_unlock(&irq_ptr->setup_mutex); ++ return rc; + } + EXPORT_SYMBOL_GPL(qdio_establish); + diff --git a/queue-5.10/selftests-ftrace-fix-requirement-check-of-readme-file.patch b/queue-5.10/selftests-ftrace-fix-requirement-check-of-readme-file.patch new file mode 100644 index 00000000000..2ee2d5823b4 --- /dev/null +++ b/queue-5.10/selftests-ftrace-fix-requirement-check-of-readme-file.patch @@ -0,0 +1,43 @@ +From 210f9df02611cbe641ced3239122b270fd907d86 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Fri, 20 Aug 2021 16:46:47 -0400 +Subject: selftests/ftrace: Fix requirement check of README file + +From: Steven Rostedt (VMware) + +commit 210f9df02611cbe641ced3239122b270fd907d86 upstream. + +The selftest for ftrace checks some features by checking if the README has +text that states the feature is supported by that kernel. Unfortunately, +this check gives false positives because it many not be checked if there's +spaces in the string to check. This is due to the compare between the +required variable with the ":README" string stripped, because neither has +quotes around them. + +Link: https://lkml.kernel.org/r/20210820204742.087177341@goodmis.org + +Cc: "Tzvetomir Stoyanov" +Cc: Tom Zanussi +Cc: Shuah Khan +Cc: Shuah Khan +Cc: linux-kselftest@vger.kernel.org +Cc: stable@vger.kernel.org +Fixes: 1b8eec510ba64 ("selftests/ftrace: Support ":README" suffix for requires") +Acked-by: Masami Hiramatsu +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/ftrace/test.d/functions | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/testing/selftests/ftrace/test.d/functions ++++ b/tools/testing/selftests/ftrace/test.d/functions +@@ -115,7 +115,7 @@ check_requires() { # Check required file + echo "Required tracer $t is not configured." + exit_unsupported + fi +- elif [ $r != $i ]; then ++ elif [ "$r" != "$i" ]; then + if ! grep -Fq "$r" README ; then + echo "Required feature pattern \"$r\" is not in README." + exit_unsupported diff --git a/queue-5.10/series b/queue-5.10/series index e180380aebb..6b91a949f14 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -13,3 +13,30 @@ powerpc-perf-hv-gpci-fix-counter-value-parsing.patch xen-fix-setting-of-max_pfn-in-shared_info.patch 9p-xen-fix-end-of-loop-tests-for-list_for_each_entry.patch ceph-fix-dereference-of-null-pointer-cf.patch +selftests-ftrace-fix-requirement-check-of-readme-file.patch +tools-thermal-tmon-add-cross-compiling-support.patch +clk-socfpga-agilex-fix-the-parents-of-the-psi_ref_clk.patch +clk-socfpga-agilex-fix-up-s2f_user0_clk-representation.patch +clk-socfpga-agilex-add-the-bypass-register-for-s2f_usr0-clock.patch +pinctrl-stmfx-fix-hazardous-u8-to-unsigned-long-cast.patch +pinctrl-ingenic-fix-incorrect-pull-up-down-info.patch +soc-qcom-aoss-fix-the-out-of-bound-usage-of-cooling_devs.patch +soc-aspeed-lpc-ctrl-fix-boundary-check-for-mmap.patch +soc-aspeed-p2a-ctrl-fix-boundary-check-for-mmap.patch +arm64-mm-fix-tlbi-vs-asid-rollover.patch +arm64-head-avoid-over-mapping-in-map_memory.patch +iio-ltc2983-fix-device-probe.patch +wcn36xx-ensure-finish-scan-is-not-requested-before-start-scan.patch +crypto-public_key-fix-overflow-during-implicit-conversion.patch +block-bfq-fix-bfq_set_next_ioprio_data.patch +power-supply-max17042-handle-fails-of-reading-status-register.patch +cpufreq-schedutil-use-kobject-release-method-to-free-sugov_tunables.patch +dm-crypt-avoid-percpu_counter-spinlock-contention-in-crypt_page_alloc.patch +crypto-ccp-shutdown-sev-firmware-on-kexec.patch +vmci-fix-null-pointer-dereference-when-unmapping-queue-pair.patch +media-uvc-don-t-do-dma-on-stack.patch +media-rc-loopback-return-number-of-emitters-rather-than-error.patch +s390-qdio-fix-roll-back-after-timeout-on-establish-ccw.patch +s390-qdio-cancel-the-establish-ccw-after-timeout.patch +revert-dmaengine-imx-sdma-refine-to-load-context-only-once.patch +dmaengine-imx-sdma-remove-duplicated-sdma_load_context.patch diff --git a/queue-5.10/soc-aspeed-lpc-ctrl-fix-boundary-check-for-mmap.patch b/queue-5.10/soc-aspeed-lpc-ctrl-fix-boundary-check-for-mmap.patch new file mode 100644 index 00000000000..24c5103bac2 --- /dev/null +++ b/queue-5.10/soc-aspeed-lpc-ctrl-fix-boundary-check-for-mmap.patch @@ -0,0 +1,38 @@ +From b49a0e69a7b1a68c8d3f64097d06dabb770fec96 Mon Sep 17 00:00:00 2001 +From: Iwona Winiarska +Date: Wed, 4 Aug 2021 01:48:18 +0200 +Subject: soc: aspeed: lpc-ctrl: Fix boundary check for mmap + +From: Iwona Winiarska + +commit b49a0e69a7b1a68c8d3f64097d06dabb770fec96 upstream. + +The check mixes pages (vm_pgoff) with bytes (vm_start, vm_end) on one +side of the comparison, and uses resource address (rather than just the +resource size) on the other side of the comparison. +This can allow malicious userspace to easily bypass the boundary check and +map pages that are located outside memory-region reserved by the driver. + +Fixes: 6c4e97678501 ("drivers/misc: Add Aspeed LPC control driver") +Cc: stable@vger.kernel.org +Signed-off-by: Iwona Winiarska +Reviewed-by: Andrew Jeffery +Tested-by: Andrew Jeffery +Reviewed-by: Joel Stanley +Signed-off-by: Joel Stanley +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/aspeed/aspeed-lpc-ctrl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/soc/aspeed/aspeed-lpc-ctrl.c ++++ b/drivers/soc/aspeed/aspeed-lpc-ctrl.c +@@ -46,7 +46,7 @@ static int aspeed_lpc_ctrl_mmap(struct f + unsigned long vsize = vma->vm_end - vma->vm_start; + pgprot_t prot = vma->vm_page_prot; + +- if (vma->vm_pgoff + vsize > lpc_ctrl->mem_base + lpc_ctrl->mem_size) ++ if (vma->vm_pgoff + vma_pages(vma) > lpc_ctrl->mem_size >> PAGE_SHIFT) + return -EINVAL; + + /* ast2400/2500 AHB accesses are not cache coherent */ diff --git a/queue-5.10/soc-aspeed-p2a-ctrl-fix-boundary-check-for-mmap.patch b/queue-5.10/soc-aspeed-p2a-ctrl-fix-boundary-check-for-mmap.patch new file mode 100644 index 00000000000..b229867dc3f --- /dev/null +++ b/queue-5.10/soc-aspeed-p2a-ctrl-fix-boundary-check-for-mmap.patch @@ -0,0 +1,38 @@ +From 8b07e990fb254fcbaa919616ac77f981cb48c73d Mon Sep 17 00:00:00 2001 +From: Iwona Winiarska +Date: Wed, 4 Aug 2021 01:48:19 +0200 +Subject: soc: aspeed: p2a-ctrl: Fix boundary check for mmap + +From: Iwona Winiarska + +commit 8b07e990fb254fcbaa919616ac77f981cb48c73d upstream. + +The check mixes pages (vm_pgoff) with bytes (vm_start, vm_end) on one +side of the comparison, and uses resource address (rather than just the +resource size) on the other side of the comparison. +This can allow malicious userspace to easily bypass the boundary check and +map pages that are located outside memory-region reserved by the driver. + +Fixes: 01c60dcea9f7 ("drivers/misc: Add Aspeed P2A control driver") +Cc: stable@vger.kernel.org +Signed-off-by: Iwona Winiarska +Reviewed-by: Andrew Jeffery +Tested-by: Andrew Jeffery +Reviewed-by: Joel Stanley +Signed-off-by: Joel Stanley +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/aspeed/aspeed-p2a-ctrl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/soc/aspeed/aspeed-p2a-ctrl.c ++++ b/drivers/soc/aspeed/aspeed-p2a-ctrl.c +@@ -110,7 +110,7 @@ static int aspeed_p2a_mmap(struct file * + vsize = vma->vm_end - vma->vm_start; + prot = vma->vm_page_prot; + +- if (vma->vm_pgoff + vsize > ctrl->mem_base + ctrl->mem_size) ++ if (vma->vm_pgoff + vma_pages(vma) > ctrl->mem_size >> PAGE_SHIFT) + return -EINVAL; + + /* ast2400/2500 AHB accesses are not cache coherent */ diff --git a/queue-5.10/soc-qcom-aoss-fix-the-out-of-bound-usage-of-cooling_devs.patch b/queue-5.10/soc-qcom-aoss-fix-the-out-of-bound-usage-of-cooling_devs.patch new file mode 100644 index 00000000000..cd428f50f10 --- /dev/null +++ b/queue-5.10/soc-qcom-aoss-fix-the-out-of-bound-usage-of-cooling_devs.patch @@ -0,0 +1,66 @@ +From a89f355e469dcda129c2522be4fdba00c1c74c83 Mon Sep 17 00:00:00 2001 +From: Manivannan Sadhasivam +Date: Tue, 29 Jun 2021 21:02:49 +0530 +Subject: soc: qcom: aoss: Fix the out of bound usage of cooling_devs + +From: Manivannan Sadhasivam + +commit a89f355e469dcda129c2522be4fdba00c1c74c83 upstream. + +In "qmp_cooling_devices_register", the count value is initially +QMP_NUM_COOLING_RESOURCES, which is 2. Based on the initial count value, +the memory for cooling_devs is allocated. Then while calling the +"qmp_cooling_device_add" function, count value is post-incremented for +each child node. + +This makes the out of bound access to the cooling_dev array. Fix it by +passing the QMP_NUM_COOLING_RESOURCES definition to devm_kzalloc() and +initializing the count to 0. + +While at it, let's also free the memory allocated to cooling_dev if no +cooling device is found in DT and during unroll phase. + +Cc: stable@vger.kernel.org # 5.4 +Fixes: 05589b30b21a ("soc: qcom: Extend AOSS QMP driver to support resources that are used to wake up the SoC.") +Signed-off-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/20210629153249.73428-1-manivannan.sadhasivam@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/qcom/qcom_aoss.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/soc/qcom/qcom_aoss.c ++++ b/drivers/soc/qcom/qcom_aoss.c +@@ -476,12 +476,12 @@ static int qmp_cooling_device_add(struct + static int qmp_cooling_devices_register(struct qmp *qmp) + { + struct device_node *np, *child; +- int count = QMP_NUM_COOLING_RESOURCES; ++ int count = 0; + int ret; + + np = qmp->dev->of_node; + +- qmp->cooling_devs = devm_kcalloc(qmp->dev, count, ++ qmp->cooling_devs = devm_kcalloc(qmp->dev, QMP_NUM_COOLING_RESOURCES, + sizeof(*qmp->cooling_devs), + GFP_KERNEL); + +@@ -497,12 +497,16 @@ static int qmp_cooling_devices_register( + goto unroll; + } + ++ if (!count) ++ devm_kfree(qmp->dev, qmp->cooling_devs); ++ + return 0; + + unroll: + while (--count >= 0) + thermal_cooling_device_unregister + (qmp->cooling_devs[count].cdev); ++ devm_kfree(qmp->dev, qmp->cooling_devs); + + return ret; + } diff --git a/queue-5.10/tools-thermal-tmon-add-cross-compiling-support.patch b/queue-5.10/tools-thermal-tmon-add-cross-compiling-support.patch new file mode 100644 index 00000000000..e538ce4cde4 --- /dev/null +++ b/queue-5.10/tools-thermal-tmon-add-cross-compiling-support.patch @@ -0,0 +1,34 @@ +From b5f7912bb604b47a0fe024560488a7556dce8ee7 Mon Sep 17 00:00:00 2001 +From: Rolf Eike Beer +Date: Fri, 30 Jul 2021 13:51:54 +0200 +Subject: tools/thermal/tmon: Add cross compiling support + +From: Rolf Eike Beer + +commit b5f7912bb604b47a0fe024560488a7556dce8ee7 upstream. + +Default to prefixed pkg-config when crosscompiling, this matches what +other parts of the tools/ directory already do. + +[dlezcano] : Reworked description + +Signed-off-by: Rolf Eike Beer +Cc: stable@vger.kernel.org +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/31302992.qZodDJZGDc@devpool47 +Signed-off-by: Greg Kroah-Hartman +--- + tools/thermal/tmon/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/thermal/tmon/Makefile ++++ b/tools/thermal/tmon/Makefile +@@ -10,7 +10,7 @@ override CFLAGS+= $(call cc-option,-O3,- + # Add "-fstack-protector" only if toolchain supports it. + override CFLAGS+= $(call cc-option,-fstack-protector-strong) + CC?= $(CROSS_COMPILE)gcc +-PKG_CONFIG?= pkg-config ++PKG_CONFIG?= $(CROSS_COMPILE)pkg-config + + override CFLAGS+=-D VERSION=\"$(VERSION)\" + LDFLAGS+= diff --git a/queue-5.10/vmci-fix-null-pointer-dereference-when-unmapping-queue-pair.patch b/queue-5.10/vmci-fix-null-pointer-dereference-when-unmapping-queue-pair.patch new file mode 100644 index 00000000000..f33f2df35d1 --- /dev/null +++ b/queue-5.10/vmci-fix-null-pointer-dereference-when-unmapping-queue-pair.patch @@ -0,0 +1,79 @@ +From a30dc6cf0dc51419021550152e435736aaef8799 Mon Sep 17 00:00:00 2001 +From: Wang Hai +Date: Wed, 18 Aug 2021 20:48:45 +0800 +Subject: VMCI: fix NULL pointer dereference when unmapping queue pair + +From: Wang Hai + +commit a30dc6cf0dc51419021550152e435736aaef8799 upstream. + +I got a NULL pointer dereference report when doing fuzz test: + +Call Trace: + qp_release_pages+0xae/0x130 + qp_host_unregister_user_memory.isra.25+0x2d/0x80 + vmci_qp_broker_unmap+0x191/0x320 + ? vmci_host_do_alloc_queuepair.isra.9+0x1c0/0x1c0 + vmci_host_unlocked_ioctl+0x59f/0xd50 + ? do_vfs_ioctl+0x14b/0xa10 + ? tomoyo_file_ioctl+0x28/0x30 + ? vmci_host_do_alloc_queuepair.isra.9+0x1c0/0x1c0 + __x64_sys_ioctl+0xea/0x120 + do_syscall_64+0x34/0xb0 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +When a queue pair is created by the following call, it will not +register the user memory if the page_store is NULL, and the +entry->state will be set to VMCIQPB_CREATED_NO_MEM. + +vmci_host_unlocked_ioctl + vmci_host_do_alloc_queuepair + vmci_qp_broker_alloc + qp_broker_alloc + qp_broker_create // set entry->state = VMCIQPB_CREATED_NO_MEM; + +When unmapping this queue pair, qp_host_unregister_user_memory() will +be called to unregister the non-existent user memory, which will +result in a null pointer reference. It will also change +VMCIQPB_CREATED_NO_MEM to VMCIQPB_CREATED_MEM, which should not be +present in this operation. + +Only when the qp broker has mem, it can unregister the user +memory when unmapping the qp broker. + +Only when the qp broker has no mem, it can register the user +memory when mapping the qp broker. + +Fixes: 06164d2b72aa ("VMCI: queue pairs implementation.") +Cc: stable +Reported-by: Hulk Robot +Reviewed-by: Jorgen Hansen +Signed-off-by: Wang Hai +Link: https://lore.kernel.org/r/20210818124845.488312-1-wanghai38@huawei.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/vmw_vmci/vmci_queue_pair.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/misc/vmw_vmci/vmci_queue_pair.c ++++ b/drivers/misc/vmw_vmci/vmci_queue_pair.c +@@ -2238,7 +2238,8 @@ int vmci_qp_broker_map(struct vmci_handl + + result = VMCI_SUCCESS; + +- if (context_id != VMCI_HOST_CONTEXT_ID) { ++ if (context_id != VMCI_HOST_CONTEXT_ID && ++ !QPBROKERSTATE_HAS_MEM(entry)) { + struct vmci_qp_page_store page_store; + + page_store.pages = guest_mem; +@@ -2345,7 +2346,8 @@ int vmci_qp_broker_unmap(struct vmci_han + goto out; + } + +- if (context_id != VMCI_HOST_CONTEXT_ID) { ++ if (context_id != VMCI_HOST_CONTEXT_ID && ++ QPBROKERSTATE_HAS_MEM(entry)) { + qp_acquire_queue_mutex(entry->produce_q); + result = qp_save_headers(entry); + if (result < VMCI_SUCCESS) diff --git a/queue-5.10/wcn36xx-ensure-finish-scan-is-not-requested-before-start-scan.patch b/queue-5.10/wcn36xx-ensure-finish-scan-is-not-requested-before-start-scan.patch new file mode 100644 index 00000000000..8ed52eee0b0 --- /dev/null +++ b/queue-5.10/wcn36xx-ensure-finish-scan-is-not-requested-before-start-scan.patch @@ -0,0 +1,71 @@ +From d195d7aac09bddabc2c8326fb02fcec2b0a2de02 Mon Sep 17 00:00:00 2001 +From: Joseph Gates +Date: Wed, 18 Aug 2021 13:31:43 +0200 +Subject: wcn36xx: Ensure finish scan is not requested before start scan + +From: Joseph Gates + +commit d195d7aac09bddabc2c8326fb02fcec2b0a2de02 upstream. + +If the operating channel is the first in the scan list, it was seen that +a finish scan request would be sent before a start scan request was +sent, causing the firmware to fail all future scans. Track the current +channel being scanned to avoid requesting the scan finish before it +starts. + +Cc: +Fixes: 5973a2947430 ("wcn36xx: Fix software-driven scan") +Signed-off-by: Joseph Gates +Signed-off-by: Loic Poulain +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1629286303-13179-1-git-send-email-loic.poulain@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/wcn36xx/main.c | 5 ++++- + drivers/net/wireless/ath/wcn36xx/wcn36xx.h | 1 + + 2 files changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath/wcn36xx/main.c ++++ b/drivers/net/wireless/ath/wcn36xx/main.c +@@ -405,13 +405,14 @@ static int wcn36xx_config(struct ieee802 + wcn36xx_dbg(WCN36XX_DBG_MAC, "wcn36xx_config channel switch=%d\n", + ch); + +- if (wcn->sw_scan_opchannel == ch) { ++ if (wcn->sw_scan_opchannel == ch && wcn->sw_scan_channel) { + /* If channel is the initial operating channel, we may + * want to receive/transmit regular data packets, then + * simply stop the scan session and exit PS mode. + */ + wcn36xx_smd_finish_scan(wcn, HAL_SYS_MODE_SCAN, + wcn->sw_scan_vif); ++ wcn->sw_scan_channel = 0; + } else if (wcn->sw_scan) { + /* A scan is ongoing, do not change the operating + * channel, but start a scan session on the channel. +@@ -419,6 +420,7 @@ static int wcn36xx_config(struct ieee802 + wcn36xx_smd_init_scan(wcn, HAL_SYS_MODE_SCAN, + wcn->sw_scan_vif); + wcn36xx_smd_start_scan(wcn, ch); ++ wcn->sw_scan_channel = ch; + } else { + wcn36xx_change_opchannel(wcn, ch); + } +@@ -699,6 +701,7 @@ static void wcn36xx_sw_scan_start(struct + + wcn->sw_scan = true; + wcn->sw_scan_vif = vif; ++ wcn->sw_scan_channel = 0; + if (vif_priv->sta_assoc) + wcn->sw_scan_opchannel = WCN36XX_HW_CHANNEL(wcn); + else +--- a/drivers/net/wireless/ath/wcn36xx/wcn36xx.h ++++ b/drivers/net/wireless/ath/wcn36xx/wcn36xx.h +@@ -232,6 +232,7 @@ struct wcn36xx { + struct cfg80211_scan_request *scan_req; + bool sw_scan; + u8 sw_scan_opchannel; ++ u8 sw_scan_channel; + struct ieee80211_vif *sw_scan_vif; + struct mutex scan_lock; + bool scan_aborted;