From: Sasha Levin Date: Thu, 16 Sep 2021 02:18:22 +0000 (-0400) Subject: Fixes for 4.14 X-Git-Tag: v5.14.5~19 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8f33fd0309caf4efd0e5209fec2f44628222a811;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/arm-dts-qcom-apq8064-correct-clock-names.patch b/queue-4.14/arm-dts-qcom-apq8064-correct-clock-names.patch new file mode 100644 index 00000000000..890d102a35a --- /dev/null +++ b/queue-4.14/arm-dts-qcom-apq8064-correct-clock-names.patch @@ -0,0 +1,50 @@ +From be0fb1496695c29942dd75c7a6c51f14c7ab32bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jul 2021 15:14:53 +0200 +Subject: ARM: dts: qcom: apq8064: correct clock names + +From: David Heidelberg + +[ Upstream commit 0dc6c59892ead17a9febd11202c9f6794aac1895 ] + +Since new code doesn't take old clk names in account, it does fixes +error: + +msm_dsi 4700000.mdss_dsi: dev_pm_opp_set_clkname: Couldn't find clock: -2 + +and following kernel oops introduced by +b0530eb1191 ("drm/msm/dpu: Use OPP API to set clk/perf state"). + +Also removes warning about deprecated clock names. + +Tested against linux-5.10.y LTS on Nexus 7 2013. + +Reviewed-by: Brian Masney +Signed-off-by: David Heidelberg +Link: https://lore.kernel.org/r/20210707131453.24041-1-david@ixit.cz +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/qcom-apq8064.dtsi | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/boot/dts/qcom-apq8064.dtsi b/arch/arm/boot/dts/qcom-apq8064.dtsi +index 6089c8d56cd5..eef243998392 100644 +--- a/arch/arm/boot/dts/qcom-apq8064.dtsi ++++ b/arch/arm/boot/dts/qcom-apq8064.dtsi +@@ -1228,9 +1228,9 @@ dsi0: mdss_dsi@4700000 { + <&mmcc DSI1_BYTE_CLK>, + <&mmcc DSI_PIXEL_CLK>, + <&mmcc DSI1_ESC_CLK>; +- clock-names = "iface_clk", "bus_clk", "core_mmss_clk", +- "src_clk", "byte_clk", "pixel_clk", +- "core_clk"; ++ clock-names = "iface", "bus", "core_mmss", ++ "src", "byte", "pixel", ++ "core"; + + assigned-clocks = <&mmcc DSI1_BYTE_SRC>, + <&mmcc DSI1_ESC_SRC>, +-- +2.30.2 + diff --git a/queue-4.14/arm-tegra-tamonten-fix-uart-pad-setting.patch b/queue-4.14/arm-tegra-tamonten-fix-uart-pad-setting.patch new file mode 100644 index 00000000000..a71a6eece40 --- /dev/null +++ b/queue-4.14/arm-tegra-tamonten-fix-uart-pad-setting.patch @@ -0,0 +1,61 @@ +From 8308dbc20d0b38bafd56ef20cae28c67b5490e95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jul 2021 16:42:26 +0200 +Subject: ARM: tegra: tamonten: Fix UART pad setting + +From: Andreas Obergschwandtner + +[ Upstream commit 2270ad2f4e123336af685ecedd1618701cb4ca1e ] + +This patch fixes the tristate and pullup configuration for UART 1 to 3 +on the Tamonten SOM. + +Signed-off-by: Andreas Obergschwandtner +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/tegra20-tamonten.dtsi | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/arch/arm/boot/dts/tegra20-tamonten.dtsi b/arch/arm/boot/dts/tegra20-tamonten.dtsi +index 872046d48709..4d69d67792d1 100644 +--- a/arch/arm/boot/dts/tegra20-tamonten.dtsi ++++ b/arch/arm/boot/dts/tegra20-tamonten.dtsi +@@ -185,8 +185,9 @@ conf_ata { + nvidia,pins = "ata", "atb", "atc", "atd", "ate", + "cdev1", "cdev2", "dap1", "dtb", "gma", + "gmb", "gmc", "gmd", "gme", "gpu7", +- "gpv", "i2cp", "pta", "rm", "slxa", +- "slxk", "spia", "spib", "uac"; ++ "gpv", "i2cp", "irrx", "irtx", "pta", ++ "rm", "slxa", "slxk", "spia", "spib", ++ "uac"; + nvidia,pull = ; + nvidia,tristate = ; + }; +@@ -211,7 +212,7 @@ conf_crtp { + conf_ddc { + nvidia,pins = "ddc", "dta", "dtd", "kbca", + "kbcb", "kbcc", "kbcd", "kbce", "kbcf", +- "sdc"; ++ "sdc", "uad", "uca"; + nvidia,pull = ; + nvidia,tristate = ; + }; +@@ -221,10 +222,9 @@ conf_hdint { + "lvp0", "owc", "sdb"; + nvidia,tristate = ; + }; +- conf_irrx { +- nvidia,pins = "irrx", "irtx", "sdd", "spic", +- "spie", "spih", "uaa", "uab", "uad", +- "uca", "ucb"; ++ conf_sdd { ++ nvidia,pins = "sdd", "spic", "spie", "spih", ++ "uaa", "uab", "ucb"; + nvidia,pull = ; + nvidia,tristate = ; + }; +-- +2.30.2 + diff --git a/queue-4.14/arm64-dts-qcom-sdm660-use-reg-value-for-memory-node.patch b/queue-4.14/arm64-dts-qcom-sdm660-use-reg-value-for-memory-node.patch new file mode 100644 index 00000000000..0674dfe1c70 --- /dev/null +++ b/queue-4.14/arm64-dts-qcom-sdm660-use-reg-value-for-memory-node.patch @@ -0,0 +1,38 @@ +From db0d4cd0f6876ff3e8e9c66297807094c50951ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Mar 2021 11:38:25 +0530 +Subject: arm64: dts: qcom: sdm660: use reg value for memory node + +From: Vinod Koul + +[ Upstream commit c81210e38966cfa1c784364e4035081c3227cf5b ] + +memory node like other node should be node@reg, which is missing in this +case, so fix it up + +arch/arm64/boot/dts/qcom/ipq8074-hk01.dt.yaml: /: memory: False schema does not allow {'device_type': ['memory'], 'reg': [[0, 1073741824, 0, 536870912]]} + +Signed-off-by: Vinod Koul +Link: https://lore.kernel.org/r/20210308060826.3074234-18-vkoul@kernel.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/ipq8074-hk01.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/ipq8074-hk01.dts b/arch/arm64/boot/dts/qcom/ipq8074-hk01.dts +index 6a838b5d321e..1ab7deeb2497 100644 +--- a/arch/arm64/boot/dts/qcom/ipq8074-hk01.dts ++++ b/arch/arm64/boot/dts/qcom/ipq8074-hk01.dts +@@ -27,7 +27,7 @@ chosen { + stdout-path = "serial0"; + }; + +- memory { ++ memory@40000000 { + device_type = "memory"; + reg = <0x0 0x40000000 0x0 0x20000000>; + }; +-- +2.30.2 + diff --git a/queue-4.14/asoc-intel-bytcr_rt5640-move-platform-clock-routes-t.patch b/queue-4.14/asoc-intel-bytcr_rt5640-move-platform-clock-routes-t.patch new file mode 100644 index 00000000000..9646be450ec --- /dev/null +++ b/queue-4.14/asoc-intel-bytcr_rt5640-move-platform-clock-routes-t.patch @@ -0,0 +1,82 @@ +From 35846059b42e7a977b6d575e8ac630663aa9f00f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Aug 2021 16:24:56 +0200 +Subject: ASoC: Intel: bytcr_rt5640: Move "Platform Clock" routes to the maps + for the matching in-/output + +From: Hans de Goede + +[ Upstream commit dccd1dfd0770bfd494b68d1135b4547b2c602c42 ] + +Move the "Platform Clock" routes for the "Internal Mic" and "Speaker" +routes to the intmic_*_map[] / *_spk_map[] arrays. + +This ensures that these "Platform Clock" routes do not get added when the +BYT_RT5640_NO_INTERNAL_MIC_MAP / BYT_RT5640_NO_SPEAKERS quirks are used. + +Signed-off-by: Hans de Goede +Acked-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20210802142501.991985-2-hdegoede@redhat.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/boards/bytcr_rt5640.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/intel/boards/bytcr_rt5640.c b/sound/soc/intel/boards/bytcr_rt5640.c +index 4a76b099a508..e389ecf06e63 100644 +--- a/sound/soc/intel/boards/bytcr_rt5640.c ++++ b/sound/soc/intel/boards/bytcr_rt5640.c +@@ -226,9 +226,6 @@ static const struct snd_soc_dapm_widget byt_rt5640_widgets[] = { + static const struct snd_soc_dapm_route byt_rt5640_audio_map[] = { + {"Headphone", NULL, "Platform Clock"}, + {"Headset Mic", NULL, "Platform Clock"}, +- {"Internal Mic", NULL, "Platform Clock"}, +- {"Speaker", NULL, "Platform Clock"}, +- + {"Headset Mic", NULL, "MICBIAS1"}, + {"IN2P", NULL, "Headset Mic"}, + {"Headphone", NULL, "HPOL"}, +@@ -236,19 +233,23 @@ static const struct snd_soc_dapm_route byt_rt5640_audio_map[] = { + }; + + static const struct snd_soc_dapm_route byt_rt5640_intmic_dmic1_map[] = { ++ {"Internal Mic", NULL, "Platform Clock"}, + {"DMIC1", NULL, "Internal Mic"}, + }; + + static const struct snd_soc_dapm_route byt_rt5640_intmic_dmic2_map[] = { ++ {"Internal Mic", NULL, "Platform Clock"}, + {"DMIC2", NULL, "Internal Mic"}, + }; + + static const struct snd_soc_dapm_route byt_rt5640_intmic_in1_map[] = { ++ {"Internal Mic", NULL, "Platform Clock"}, + {"Internal Mic", NULL, "MICBIAS1"}, + {"IN1P", NULL, "Internal Mic"}, + }; + + static const struct snd_soc_dapm_route byt_rt5640_intmic_in3_map[] = { ++ {"Internal Mic", NULL, "Platform Clock"}, + {"Internal Mic", NULL, "MICBIAS1"}, + {"IN3P", NULL, "Internal Mic"}, + }; +@@ -290,6 +291,7 @@ static const struct snd_soc_dapm_route byt_rt5640_ssp0_aif2_map[] = { + }; + + static const struct snd_soc_dapm_route byt_rt5640_stereo_spk_map[] = { ++ {"Speaker", NULL, "Platform Clock"}, + {"Speaker", NULL, "SPOLP"}, + {"Speaker", NULL, "SPOLN"}, + {"Speaker", NULL, "SPORP"}, +@@ -297,6 +299,7 @@ static const struct snd_soc_dapm_route byt_rt5640_stereo_spk_map[] = { + }; + + static const struct snd_soc_dapm_route byt_rt5640_mono_spk_map[] = { ++ {"Speaker", NULL, "Platform Clock"}, + {"Speaker", NULL, "SPOLP"}, + {"Speaker", NULL, "SPOLN"}, + }; +-- +2.30.2 + diff --git a/queue-4.14/asoc-rockchip-i2s-fix-regmap_ops-hang.patch b/queue-4.14/asoc-rockchip-i2s-fix-regmap_ops-hang.patch new file mode 100644 index 00000000000..4c936624685 --- /dev/null +++ b/queue-4.14/asoc-rockchip-i2s-fix-regmap_ops-hang.patch @@ -0,0 +1,87 @@ +From 38e692fc9ef362d5981d396d56541cfaec261e41 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Aug 2021 12:01:50 +0800 +Subject: ASoC: rockchip: i2s: Fix regmap_ops hang + +From: Sugar Zhang + +[ Upstream commit 53ca9b9777b95cdd689181d7c547e38dc79adad0 ] + +API 'set_fmt' maybe called when PD is off, in the situation, +any register access will hang the system. so, enable PD +before r/w register. + +Signed-off-by: Sugar Zhang +Link: https://lore.kernel.org/r/1629950520-14190-4-git-send-email-sugar.zhang@rock-chips.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/rockchip/rockchip_i2s.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +diff --git a/sound/soc/rockchip/rockchip_i2s.c b/sound/soc/rockchip/rockchip_i2s.c +index 0e07e3dea7de..93a4829f80cc 100644 +--- a/sound/soc/rockchip/rockchip_i2s.c ++++ b/sound/soc/rockchip/rockchip_i2s.c +@@ -188,7 +188,9 @@ static int rockchip_i2s_set_fmt(struct snd_soc_dai *cpu_dai, + { + struct rk_i2s_dev *i2s = to_info(cpu_dai); + unsigned int mask = 0, val = 0; ++ int ret = 0; + ++ pm_runtime_get_sync(cpu_dai->dev); + mask = I2S_CKR_MSS_MASK; + switch (fmt & SND_SOC_DAIFMT_MASTER_MASK) { + case SND_SOC_DAIFMT_CBS_CFS: +@@ -201,7 +203,8 @@ static int rockchip_i2s_set_fmt(struct snd_soc_dai *cpu_dai, + i2s->is_master_mode = false; + break; + default: +- return -EINVAL; ++ ret = -EINVAL; ++ goto err_pm_put; + } + + regmap_update_bits(i2s->regmap, I2S_CKR, mask, val); +@@ -215,7 +218,8 @@ static int rockchip_i2s_set_fmt(struct snd_soc_dai *cpu_dai, + val = I2S_CKR_CKP_POS; + break; + default: +- return -EINVAL; ++ ret = -EINVAL; ++ goto err_pm_put; + } + + regmap_update_bits(i2s->regmap, I2S_CKR, mask, val); +@@ -238,7 +242,8 @@ static int rockchip_i2s_set_fmt(struct snd_soc_dai *cpu_dai, + val = I2S_TXCR_TFS_PCM | I2S_TXCR_PBM_MODE(1); + break; + default: +- return -EINVAL; ++ ret = -EINVAL; ++ goto err_pm_put; + } + + regmap_update_bits(i2s->regmap, I2S_TXCR, mask, val); +@@ -261,12 +266,16 @@ static int rockchip_i2s_set_fmt(struct snd_soc_dai *cpu_dai, + val = I2S_RXCR_TFS_PCM | I2S_RXCR_PBM_MODE(1); + break; + default: +- return -EINVAL; ++ ret = -EINVAL; ++ goto err_pm_put; + } + + regmap_update_bits(i2s->regmap, I2S_RXCR, mask, val); + +- return 0; ++err_pm_put: ++ pm_runtime_put(cpu_dai->dev); ++ ++ return ret; + } + + static int rockchip_i2s_hw_params(struct snd_pcm_substream *substream, +-- +2.30.2 + diff --git a/queue-4.14/asoc-rockchip-i2s-fixup-config-for-daifmt_dsp_a-b.patch b/queue-4.14/asoc-rockchip-i2s-fixup-config-for-daifmt_dsp_a-b.patch new file mode 100644 index 00000000000..4943d814f31 --- /dev/null +++ b/queue-4.14/asoc-rockchip-i2s-fixup-config-for-daifmt_dsp_a-b.patch @@ -0,0 +1,62 @@ +From 03f3f2bcaea32e67e2679acaa647a01271780430 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Aug 2021 12:02:36 +0800 +Subject: ASoC: rockchip: i2s: Fixup config for DAIFMT_DSP_A/B + +From: Xiaotan Luo + +[ Upstream commit 1bf56843e664eef2525bdbfae6a561e98910f676 ] + +- DSP_A: PCM delay 1 bit mode, L data MSB after FRM LRC +- DSP_B: PCM no delay mode, L data MSB during FRM LRC + +Signed-off-by: Xiaotan Luo +Signed-off-by: Sugar Zhang +Link: https://lore.kernel.org/r/1629950562-14281-3-git-send-email-sugar.zhang@rock-chips.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/rockchip/rockchip_i2s.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/sound/soc/rockchip/rockchip_i2s.c b/sound/soc/rockchip/rockchip_i2s.c +index 93a4829f80cc..8d1a7114f6c2 100644 +--- a/sound/soc/rockchip/rockchip_i2s.c ++++ b/sound/soc/rockchip/rockchip_i2s.c +@@ -235,12 +235,12 @@ static int rockchip_i2s_set_fmt(struct snd_soc_dai *cpu_dai, + case SND_SOC_DAIFMT_I2S: + val = I2S_TXCR_IBM_NORMAL; + break; +- case SND_SOC_DAIFMT_DSP_A: /* PCM no delay mode */ +- val = I2S_TXCR_TFS_PCM; +- break; +- case SND_SOC_DAIFMT_DSP_B: /* PCM delay 1 mode */ ++ case SND_SOC_DAIFMT_DSP_A: /* PCM delay 1 bit mode */ + val = I2S_TXCR_TFS_PCM | I2S_TXCR_PBM_MODE(1); + break; ++ case SND_SOC_DAIFMT_DSP_B: /* PCM no delay mode */ ++ val = I2S_TXCR_TFS_PCM; ++ break; + default: + ret = -EINVAL; + goto err_pm_put; +@@ -259,12 +259,12 @@ static int rockchip_i2s_set_fmt(struct snd_soc_dai *cpu_dai, + case SND_SOC_DAIFMT_I2S: + val = I2S_RXCR_IBM_NORMAL; + break; +- case SND_SOC_DAIFMT_DSP_A: /* PCM no delay mode */ +- val = I2S_RXCR_TFS_PCM; +- break; +- case SND_SOC_DAIFMT_DSP_B: /* PCM delay 1 mode */ ++ case SND_SOC_DAIFMT_DSP_A: /* PCM delay 1 bit mode */ + val = I2S_RXCR_TFS_PCM | I2S_RXCR_PBM_MODE(1); + break; ++ case SND_SOC_DAIFMT_DSP_B: /* PCM no delay mode */ ++ val = I2S_RXCR_TFS_PCM; ++ break; + default: + ret = -EINVAL; + goto err_pm_put; +-- +2.30.2 + diff --git a/queue-4.14/ata-sata_dwc_460ex-no-need-to-call-phy_exit-befre-ph.patch b/queue-4.14/ata-sata_dwc_460ex-no-need-to-call-phy_exit-befre-ph.patch new file mode 100644 index 00000000000..1bc355adad0 --- /dev/null +++ b/queue-4.14/ata-sata_dwc_460ex-no-need-to-call-phy_exit-befre-ph.patch @@ -0,0 +1,58 @@ +From 02ee21afce7f940ec8512c42436e025fd6667275 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Jul 2021 15:51:30 +0300 +Subject: ata: sata_dwc_460ex: No need to call phy_exit() befre phy_init() + +From: Andy Shevchenko + +[ Upstream commit 3ad4a31620355358316fa08fcfab37b9d6c33347 ] + +Last change to device managed APIs cleaned up error path to simple phy_exit() +call, which in some cases has been executed with NULL parameter. This per se +is not a problem, but rather logical misconception: no need to free resource +when it's for sure has not been allocated yet. Fix the driver accordingly. + +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20210727125130.19977-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/sata_dwc_460ex.c | 12 ++++-------- + 1 file changed, 4 insertions(+), 8 deletions(-) + +diff --git a/drivers/ata/sata_dwc_460ex.c b/drivers/ata/sata_dwc_460ex.c +index ce128d5a6ded..ed301dee200d 100644 +--- a/drivers/ata/sata_dwc_460ex.c ++++ b/drivers/ata/sata_dwc_460ex.c +@@ -1253,24 +1253,20 @@ static int sata_dwc_probe(struct platform_device *ofdev) + irq = irq_of_parse_and_map(np, 0); + if (irq == NO_IRQ) { + dev_err(&ofdev->dev, "no SATA DMA irq\n"); +- err = -ENODEV; +- goto error_out; ++ return -ENODEV; + } + + #ifdef CONFIG_SATA_DWC_OLD_DMA + if (!of_find_property(np, "dmas", NULL)) { + err = sata_dwc_dma_init_old(ofdev, hsdev); + if (err) +- goto error_out; ++ return err; + } + #endif + + hsdev->phy = devm_phy_optional_get(hsdev->dev, "sata-phy"); +- if (IS_ERR(hsdev->phy)) { +- err = PTR_ERR(hsdev->phy); +- hsdev->phy = NULL; +- goto error_out; +- } ++ if (IS_ERR(hsdev->phy)) ++ return PTR_ERR(hsdev->phy); + + err = phy_init(hsdev->phy); + if (err) +-- +2.30.2 + diff --git a/queue-4.14/ath9k-fix-oob-read-ar9300_eeprom_restore_internal.patch b/queue-4.14/ath9k-fix-oob-read-ar9300_eeprom_restore_internal.patch new file mode 100644 index 00000000000..0549b6dde30 --- /dev/null +++ b/queue-4.14/ath9k-fix-oob-read-ar9300_eeprom_restore_internal.patch @@ -0,0 +1,48 @@ +From 4bbde149a3f80998081845649454ad644908b310 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Jun 2021 09:29:14 -0400 +Subject: ath9k: fix OOB read ar9300_eeprom_restore_internal + +From: Zekun Shen + +[ Upstream commit 23151b9ae79e3bc4f6a0c4cd3a7f355f68dad128 ] + +Bad header can have large length field which can cause OOB. +cptr is the last bytes for read, and the eeprom is parsed +from high to low address. The OOB, triggered by the condition +length > cptr could cause memory error with a read on +negative index. + +There are some sanity check around length, but it is not +compared with cptr (the remaining bytes). Here, the +corrupted/bad EEPROM can cause panic. + +I was able to reproduce the crash, but I cannot find the +log and the reproducer now. After I applied the patch, the +bug is no longer reproducible. + +Signed-off-by: Zekun Shen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/YM3xKsQJ0Hw2hjrc@Zekuns-MBP-16.fios-router.home +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/ar9003_eeprom.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c +index 76385834a7de..694a58b1e995 100644 +--- a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c ++++ b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c +@@ -3346,7 +3346,8 @@ static int ar9300_eeprom_restore_internal(struct ath_hw *ah, + "Found block at %x: code=%d ref=%d length=%d major=%d minor=%d\n", + cptr, code, reference, length, major, minor); + if ((!AR_SREV_9485(ah) && length >= 1024) || +- (AR_SREV_9485(ah) && length > EEPROM_DATA_LEN_9485)) { ++ (AR_SREV_9485(ah) && length > EEPROM_DATA_LEN_9485) || ++ (length > cptr)) { + ath_dbg(common, EEPROM, "Skipping bad header\n"); + cptr -= COMP_HDR_LEN; + continue; +-- +2.30.2 + diff --git a/queue-4.14/ath9k-fix-sleeping-in-atomic-context.patch b/queue-4.14/ath9k-fix-sleeping-in-atomic-context.patch new file mode 100644 index 00000000000..5224e353a3a --- /dev/null +++ b/queue-4.14/ath9k-fix-sleeping-in-atomic-context.patch @@ -0,0 +1,69 @@ +From 94819da4465267f8ce353ea5dba46f0b2a39600f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Aug 2021 12:05:16 +0800 +Subject: ath9k: fix sleeping in atomic context + +From: Miaoqing Pan + +[ Upstream commit 7c48662b9d56666219f526a71ace8c15e6e12f1f ] + +The problem is that gpio_free() can sleep and the cfg_soc() can be +called with spinlocks held. One problematic call tree is: + +--> ath_reset_internal() takes &sc->sc_pcu_lock spin lock + --> ath9k_hw_reset() + --> ath9k_hw_gpio_request_in() + --> ath9k_hw_gpio_request() + --> ath9k_hw_gpio_cfg_soc() + +Remove gpio_free(), use error message instead, so we should make sure +there is no GPIO conflict. + +Also remove ath9k_hw_gpio_free() from ath9k_hw_apply_gpio_override(), +as gpio_mask will never be set for SOC chips. + +Signed-off-by: Miaoqing Pan +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1628481916-15030-1-git-send-email-miaoqing@codeaurora.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/hw.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/hw.c b/drivers/net/wireless/ath/ath9k/hw.c +index 933d4f49d6b0..9e3db55a8684 100644 +--- a/drivers/net/wireless/ath/ath9k/hw.c ++++ b/drivers/net/wireless/ath/ath9k/hw.c +@@ -1595,7 +1595,6 @@ static void ath9k_hw_apply_gpio_override(struct ath_hw *ah) + ath9k_hw_gpio_request_out(ah, i, NULL, + AR_GPIO_OUTPUT_MUX_AS_OUTPUT); + ath9k_hw_set_gpio(ah, i, !!(ah->gpio_val & BIT(i))); +- ath9k_hw_gpio_free(ah, i); + } + } + +@@ -2702,14 +2701,17 @@ static void ath9k_hw_gpio_cfg_output_mux(struct ath_hw *ah, u32 gpio, u32 type) + static void ath9k_hw_gpio_cfg_soc(struct ath_hw *ah, u32 gpio, bool out, + const char *label) + { ++ int err; ++ + if (ah->caps.gpio_requested & BIT(gpio)) + return; + +- /* may be requested by BSP, free anyway */ +- gpio_free(gpio); +- +- if (gpio_request_one(gpio, out ? GPIOF_OUT_INIT_LOW : GPIOF_IN, label)) ++ err = gpio_request_one(gpio, out ? GPIOF_OUT_INIT_LOW : GPIOF_IN, label); ++ if (err) { ++ ath_err(ath9k_hw_common(ah), "request GPIO%d failed:%d\n", ++ gpio, err); + return; ++ } + + ah->caps.gpio_requested |= BIT(gpio); + } +-- +2.30.2 + diff --git a/queue-4.14/bluetooth-avoid-circular-locks-in-sco_sock_connect.patch b/queue-4.14/bluetooth-avoid-circular-locks-in-sco_sock_connect.patch new file mode 100644 index 00000000000..6d5fb097b36 --- /dev/null +++ b/queue-4.14/bluetooth-avoid-circular-locks-in-sco_sock_connect.patch @@ -0,0 +1,237 @@ +From a4cf83da465e2cb70f4c52c508a4f9162c62b82b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Aug 2021 12:14:06 +0800 +Subject: Bluetooth: avoid circular locks in sco_sock_connect + +From: Desmond Cheong Zhi Xi + +[ Upstream commit 734bc5ff783115aa3164f4e9dd5967ae78e0a8ab ] + +In a future patch, calls to bh_lock_sock in sco.c should be replaced +by lock_sock now that none of the functions are run in IRQ context. + +However, doing so results in a circular locking dependency: + +====================================================== +WARNING: possible circular locking dependency detected +5.14.0-rc4-syzkaller #0 Not tainted +------------------------------------------------------ +syz-executor.2/14867 is trying to acquire lock: +ffff88803e3c1120 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: +lock_sock include/net/sock.h:1613 [inline] +ffff88803e3c1120 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: +sco_conn_del+0x12a/0x2a0 net/bluetooth/sco.c:191 + +but task is already holding lock: +ffffffff8d2dc7c8 (hci_cb_list_lock){+.+.}-{3:3}, at: +hci_disconn_cfm include/net/bluetooth/hci_core.h:1497 [inline] +ffffffff8d2dc7c8 (hci_cb_list_lock){+.+.}-{3:3}, at: +hci_conn_hash_flush+0xda/0x260 net/bluetooth/hci_conn.c:1608 + +which lock already depends on the new lock. + +the existing dependency chain (in reverse order) is: + +-> #2 (hci_cb_list_lock){+.+.}-{3:3}: + __mutex_lock_common kernel/locking/mutex.c:959 [inline] + __mutex_lock+0x12a/0x10a0 kernel/locking/mutex.c:1104 + hci_connect_cfm include/net/bluetooth/hci_core.h:1482 [inline] + hci_remote_features_evt net/bluetooth/hci_event.c:3263 [inline] + hci_event_packet+0x2f4d/0x7c50 net/bluetooth/hci_event.c:6240 + hci_rx_work+0x4f8/0xd30 net/bluetooth/hci_core.c:5122 + process_one_work+0x98d/0x1630 kernel/workqueue.c:2276 + worker_thread+0x658/0x11f0 kernel/workqueue.c:2422 + kthread+0x3e5/0x4d0 kernel/kthread.c:319 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 + +-> #1 (&hdev->lock){+.+.}-{3:3}: + __mutex_lock_common kernel/locking/mutex.c:959 [inline] + __mutex_lock+0x12a/0x10a0 kernel/locking/mutex.c:1104 + sco_connect net/bluetooth/sco.c:245 [inline] + sco_sock_connect+0x227/0xa10 net/bluetooth/sco.c:601 + __sys_connect_file+0x155/0x1a0 net/socket.c:1879 + __sys_connect+0x161/0x190 net/socket.c:1896 + __do_sys_connect net/socket.c:1906 [inline] + __se_sys_connect net/socket.c:1903 [inline] + __x64_sys_connect+0x6f/0xb0 net/socket.c:1903 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +-> #0 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}: + check_prev_add kernel/locking/lockdep.c:3051 [inline] + check_prevs_add kernel/locking/lockdep.c:3174 [inline] + validate_chain kernel/locking/lockdep.c:3789 [inline] + __lock_acquire+0x2a07/0x54a0 kernel/locking/lockdep.c:5015 + lock_acquire kernel/locking/lockdep.c:5625 [inline] + lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5590 + lock_sock_nested+0xca/0x120 net/core/sock.c:3170 + lock_sock include/net/sock.h:1613 [inline] + sco_conn_del+0x12a/0x2a0 net/bluetooth/sco.c:191 + sco_disconn_cfm+0x71/0xb0 net/bluetooth/sco.c:1202 + hci_disconn_cfm include/net/bluetooth/hci_core.h:1500 [inline] + hci_conn_hash_flush+0x127/0x260 net/bluetooth/hci_conn.c:1608 + hci_dev_do_close+0x528/0x1130 net/bluetooth/hci_core.c:1778 + hci_unregister_dev+0x1c0/0x5a0 net/bluetooth/hci_core.c:4015 + vhci_release+0x70/0xe0 drivers/bluetooth/hci_vhci.c:340 + __fput+0x288/0x920 fs/file_table.c:280 + task_work_run+0xdd/0x1a0 kernel/task_work.c:164 + exit_task_work include/linux/task_work.h:32 [inline] + do_exit+0xbd4/0x2a60 kernel/exit.c:825 + do_group_exit+0x125/0x310 kernel/exit.c:922 + get_signal+0x47f/0x2160 kernel/signal.c:2808 + arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:865 + handle_signal_work kernel/entry/common.c:148 [inline] + exit_to_user_mode_loop kernel/entry/common.c:172 [inline] + exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:209 + __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline] + syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:302 + ret_from_fork+0x15/0x30 arch/x86/entry/entry_64.S:288 + +other info that might help us debug this: + +Chain exists of: + sk_lock-AF_BLUETOOTH-BTPROTO_SCO --> &hdev->lock --> hci_cb_list_lock + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(hci_cb_list_lock); + lock(&hdev->lock); + lock(hci_cb_list_lock); + lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO); + + *** DEADLOCK *** + +The issue is that the lock hierarchy should go from &hdev->lock --> +hci_cb_list_lock --> sk_lock-AF_BLUETOOTH-BTPROTO_SCO. For example, +one such call trace is: + + hci_dev_do_close(): + hci_dev_lock(); + hci_conn_hash_flush(): + hci_disconn_cfm(): + mutex_lock(&hci_cb_list_lock); + sco_disconn_cfm(): + sco_conn_del(): + lock_sock(sk); + +However, in sco_sock_connect, we call lock_sock before calling +hci_dev_lock inside sco_connect, thus inverting the lock hierarchy. + +We fix this by pulling the call to hci_dev_lock out from sco_connect. + +Signed-off-by: Desmond Cheong Zhi Xi +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/sco.c | 39 ++++++++++++++++----------------------- + 1 file changed, 16 insertions(+), 23 deletions(-) + +diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c +index f4b997fb33d6..f681e7ce8945 100644 +--- a/net/bluetooth/sco.c ++++ b/net/bluetooth/sco.c +@@ -209,44 +209,32 @@ static int sco_chan_add(struct sco_conn *conn, struct sock *sk, + return err; + } + +-static int sco_connect(struct sock *sk) ++static int sco_connect(struct hci_dev *hdev, struct sock *sk) + { + struct sco_conn *conn; + struct hci_conn *hcon; +- struct hci_dev *hdev; + int err, type; + + BT_DBG("%pMR -> %pMR", &sco_pi(sk)->src, &sco_pi(sk)->dst); + +- hdev = hci_get_route(&sco_pi(sk)->dst, &sco_pi(sk)->src, BDADDR_BREDR); +- if (!hdev) +- return -EHOSTUNREACH; +- +- hci_dev_lock(hdev); +- + if (lmp_esco_capable(hdev) && !disable_esco) + type = ESCO_LINK; + else + type = SCO_LINK; + + if (sco_pi(sk)->setting == BT_VOICE_TRANSPARENT && +- (!lmp_transp_capable(hdev) || !lmp_esco_capable(hdev))) { +- err = -EOPNOTSUPP; +- goto done; +- } ++ (!lmp_transp_capable(hdev) || !lmp_esco_capable(hdev))) ++ return -EOPNOTSUPP; + + hcon = hci_connect_sco(hdev, type, &sco_pi(sk)->dst, + sco_pi(sk)->setting); +- if (IS_ERR(hcon)) { +- err = PTR_ERR(hcon); +- goto done; +- } ++ if (IS_ERR(hcon)) ++ return PTR_ERR(hcon); + + conn = sco_conn_add(hcon); + if (!conn) { + hci_conn_drop(hcon); +- err = -ENOMEM; +- goto done; ++ return -ENOMEM; + } + + /* Update source addr of the socket */ +@@ -254,7 +242,7 @@ static int sco_connect(struct sock *sk) + + err = sco_chan_add(conn, sk, NULL); + if (err) +- goto done; ++ return err; + + if (hcon->state == BT_CONNECTED) { + sco_sock_clear_timer(sk); +@@ -264,9 +252,6 @@ static int sco_connect(struct sock *sk) + sco_sock_set_timer(sk, sk->sk_sndtimeo); + } + +-done: +- hci_dev_unlock(hdev); +- hci_dev_put(hdev); + return err; + } + +@@ -550,6 +535,7 @@ static int sco_sock_connect(struct socket *sock, struct sockaddr *addr, int alen + { + struct sockaddr_sco *sa = (struct sockaddr_sco *) addr; + struct sock *sk = sock->sk; ++ struct hci_dev *hdev; + int err; + + BT_DBG("sk %p", sk); +@@ -564,12 +550,19 @@ static int sco_sock_connect(struct socket *sock, struct sockaddr *addr, int alen + if (sk->sk_type != SOCK_SEQPACKET) + return -EINVAL; + ++ hdev = hci_get_route(&sa->sco_bdaddr, &sco_pi(sk)->src, BDADDR_BREDR); ++ if (!hdev) ++ return -EHOSTUNREACH; ++ hci_dev_lock(hdev); ++ + lock_sock(sk); + + /* Set destination address and psm */ + bacpy(&sco_pi(sk)->dst, &sa->sco_bdaddr); + +- err = sco_connect(sk); ++ err = sco_connect(hdev, sk); ++ hci_dev_unlock(hdev); ++ hci_dev_put(hdev); + if (err) + goto done; + +-- +2.30.2 + diff --git a/queue-4.14/bluetooth-skip-invalid-hci_sync_conn_complete_evt.patch b/queue-4.14/bluetooth-skip-invalid-hci_sync_conn_complete_evt.patch new file mode 100644 index 00000000000..d84b0d2d348 --- /dev/null +++ b/queue-4.14/bluetooth-skip-invalid-hci_sync_conn_complete_evt.patch @@ -0,0 +1,59 @@ +From 683efda548d164496bd786c5980be75e4320e502 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jul 2021 15:51:04 +0800 +Subject: Bluetooth: skip invalid hci_sync_conn_complete_evt + +From: Desmond Cheong Zhi Xi + +[ Upstream commit 92fe24a7db751b80925214ede43f8d2be792ea7b ] + +Syzbot reported a corrupted list in kobject_add_internal [1]. This +happens when multiple HCI_EV_SYNC_CONN_COMPLETE event packets with +status 0 are sent for the same HCI connection. This causes us to +register the device more than once which corrupts the kset list. + +As this is forbidden behavior, we add a check for whether we're +trying to process the same HCI_EV_SYNC_CONN_COMPLETE event multiple +times for one connection. If that's the case, the event is invalid, so +we report an error that the device is misbehaving, and ignore the +packet. + +Link: https://syzkaller.appspot.com/bug?extid=66264bf2fd0476be7e6c [1] +Reported-by: syzbot+66264bf2fd0476be7e6c@syzkaller.appspotmail.com +Tested-by: syzbot+66264bf2fd0476be7e6c@syzkaller.appspotmail.com +Signed-off-by: Desmond Cheong Zhi Xi +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_event.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index b3253f2e11af..5186f199d892 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -3761,6 +3761,21 @@ static void hci_sync_conn_complete_evt(struct hci_dev *hdev, + + switch (ev->status) { + case 0x00: ++ /* The synchronous connection complete event should only be ++ * sent once per new connection. Receiving a successful ++ * complete event when the connection status is already ++ * BT_CONNECTED means that the device is misbehaving and sent ++ * multiple complete event packets for the same new connection. ++ * ++ * Registering the device more than once can corrupt kernel ++ * memory, hence upon detecting this invalid event, we report ++ * an error and ignore the packet. ++ */ ++ if (conn->state == BT_CONNECTED) { ++ bt_dev_err(hdev, "Ignoring connect complete event for existing connection"); ++ goto unlock; ++ } ++ + conn->handle = __le16_to_cpu(ev->handle); + conn->state = BT_CONNECTED; + conn->type = ev->link_type; +-- +2.30.2 + diff --git a/queue-4.14/bpf-fix-off-by-one-in-tail-call-count-limiting.patch b/queue-4.14/bpf-fix-off-by-one-in-tail-call-count-limiting.patch new file mode 100644 index 00000000000..f722fc79f54 --- /dev/null +++ b/queue-4.14/bpf-fix-off-by-one-in-tail-call-count-limiting.patch @@ -0,0 +1,38 @@ +From 6fbf4b748ba3a0b1d8cd685849142b3f0129d71c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jul 2021 18:47:41 +0200 +Subject: bpf: Fix off-by-one in tail call count limiting + +From: Johan Almbladh + +[ Upstream commit b61a28cf11d61f512172e673b8f8c4a6c789b425 ] + +Before, the interpreter allowed up to MAX_TAIL_CALL_CNT + 1 tail calls. +Now precisely MAX_TAIL_CALL_CNT is allowed, which is in line with the +behavior of the x86 JITs. + +Signed-off-by: Johan Almbladh +Signed-off-by: Andrii Nakryiko +Acked-by: Yonghong Song +Link: https://lore.kernel.org/bpf/20210728164741.350370-1-johan.almbladh@anyfinetworks.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c +index e7211b0fa27c..1d19f4fa7f44 100644 +--- a/kernel/bpf/core.c ++++ b/kernel/bpf/core.c +@@ -1095,7 +1095,7 @@ static unsigned int ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn, + + if (unlikely(index >= array->map.max_entries)) + goto out; +- if (unlikely(tail_call_cnt > MAX_TAIL_CALL_CNT)) ++ if (unlikely(tail_call_cnt >= MAX_TAIL_CALL_CNT)) + goto out; + + tail_call_cnt++; +-- +2.30.2 + diff --git a/queue-4.14/bpf-tests-do-not-pass-tests-without-actually-testing.patch b/queue-4.14/bpf-tests-do-not-pass-tests-without-actually-testing.patch new file mode 100644 index 00000000000..485520b41d7 --- /dev/null +++ b/queue-4.14/bpf-tests-do-not-pass-tests-without-actually-testing.patch @@ -0,0 +1,55 @@ +From c2904c3297131e1ded7b535474d08d399d5570d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jul 2021 12:38:22 +0200 +Subject: bpf/tests: Do not PASS tests without actually testing the result + +From: Johan Almbladh + +[ Upstream commit 2b7e9f25e590726cca76700ebdb10e92a7a72ca1 ] + +Each test case can have a set of sub-tests, where each sub-test can +run the cBPF/eBPF test snippet with its own data_size and expected +result. Before, the end of the sub-test array was indicated by both +data_size and result being zero. However, most or all of the internal +eBPF tests has a data_size of zero already. When such a test also had +an expected value of zero, the test was never run but reported as +PASS anyway. + +Now the test runner always runs the first sub-test, regardless of the +data_size and result values. The sub-test array zero-termination only +applies for any additional sub-tests. + +There are other ways fix it of course, but this solution at least +removes the surprise of eBPF tests with a zero result always succeeding. + +Signed-off-by: Johan Almbladh +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20210721103822.3755111-1-johan.almbladh@anyfinetworks.com +Signed-off-by: Sasha Levin +--- + lib/test_bpf.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/lib/test_bpf.c b/lib/test_bpf.c +index 4aa88ba8238c..9a8f957ad86e 100644 +--- a/lib/test_bpf.c ++++ b/lib/test_bpf.c +@@ -6306,7 +6306,14 @@ static int run_one(const struct bpf_prog *fp, struct bpf_test *test) + u64 duration; + u32 ret; + +- if (test->test[i].data_size == 0 && ++ /* ++ * NOTE: Several sub-tests may be present, in which case ++ * a zero {data_size, result} tuple indicates the end of ++ * the sub-test array. The first test is always run, ++ * even if both data_size and result happen to be zero. ++ */ ++ if (i > 0 && ++ test->test[i].data_size == 0 && + test->test[i].result == 0) + break; + +-- +2.30.2 + diff --git a/queue-4.14/bpf-tests-fix-copy-and-paste-error-in-double-word-te.patch b/queue-4.14/bpf-tests-fix-copy-and-paste-error-in-double-word-te.patch new file mode 100644 index 00000000000..081aee1d8fb --- /dev/null +++ b/queue-4.14/bpf-tests-fix-copy-and-paste-error-in-double-word-te.patch @@ -0,0 +1,38 @@ +From 269c41db146b08f45a3ca6033757b2ad535e5be5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jul 2021 12:40:58 +0200 +Subject: bpf/tests: Fix copy-and-paste error in double word test + +From: Johan Almbladh + +[ Upstream commit ae7f47041d928b1a2f28717d095b4153c63cbf6a ] + +This test now operates on DW as stated instead of W, which was +already covered by another test. + +Signed-off-by: Johan Almbladh +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20210721104058.3755254-1-johan.almbladh@anyfinetworks.com +Signed-off-by: Sasha Levin +--- + lib/test_bpf.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/test_bpf.c b/lib/test_bpf.c +index 75ebf2bbc2ee..4aa88ba8238c 100644 +--- a/lib/test_bpf.c ++++ b/lib/test_bpf.c +@@ -4395,8 +4395,8 @@ static struct bpf_test tests[] = { + .u.insns_int = { + BPF_LD_IMM64(R0, 0), + BPF_LD_IMM64(R1, 0xffffffffffffffffLL), +- BPF_STX_MEM(BPF_W, R10, R1, -40), +- BPF_LDX_MEM(BPF_W, R0, R10, -40), ++ BPF_STX_MEM(BPF_DW, R10, R1, -40), ++ BPF_LDX_MEM(BPF_DW, R0, R10, -40), + BPF_EXIT_INSN(), + }, + INTERNAL, +-- +2.30.2 + diff --git a/queue-4.14/cifs-fix-wrong-release-in-sess_alloc_buffer-failed-p.patch b/queue-4.14/cifs-fix-wrong-release-in-sess_alloc_buffer-failed-p.patch new file mode 100644 index 00000000000..d5ae0f598c6 --- /dev/null +++ b/queue-4.14/cifs-fix-wrong-release-in-sess_alloc_buffer-failed-p.patch @@ -0,0 +1,37 @@ +From 181b9eef13035be25c316f0d09449e28443896bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Aug 2021 22:55:10 +0800 +Subject: cifs: fix wrong release in sess_alloc_buffer() failed path + +From: Ding Hui + +[ Upstream commit d72c74197b70bc3c95152f351a568007bffa3e11 ] + +smb_buf is allocated by small_smb_init_no_tc(), and buf type is +CIFS_SMALL_BUFFER, so we should use cifs_small_buf_release() to +release it in failed path. + +Signed-off-by: Ding Hui +Reviewed-by: Paulo Alcantara (SUSE) +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/sess.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c +index aa23c00367ec..0113dba28eb0 100644 +--- a/fs/cifs/sess.c ++++ b/fs/cifs/sess.c +@@ -602,7 +602,7 @@ sess_alloc_buffer(struct sess_data *sess_data, int wct) + return 0; + + out_free_smb_buf: +- kfree(smb_buf); ++ cifs_small_buf_release(smb_buf); + sess_data->iov[0].iov_base = NULL; + sess_data->iov[0].iov_len = 0; + sess_data->buf0_type = CIFS_NO_BUFFER; +-- +2.30.2 + diff --git a/queue-4.14/crypto-mxs-dcp-use-sg_mapping_iter-to-copy-data.patch b/queue-4.14/crypto-mxs-dcp-use-sg_mapping_iter-to-copy-data.patch new file mode 100644 index 00000000000..75207540c54 --- /dev/null +++ b/queue-4.14/crypto-mxs-dcp-use-sg_mapping_iter-to-copy-data.patch @@ -0,0 +1,139 @@ +From 1aa837fe1df7bf5ecacc573cb090bbd85e93cdcc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jul 2021 14:56:38 -0400 +Subject: crypto: mxs-dcp - Use sg_mapping_iter to copy data + +From: Sean Anderson + +[ Upstream commit 2e6d793e1bf07fe5e20cfbbdcec9e1af7e5097eb ] + +This uses the sg_pcopy_from_buffer to copy data, instead of doing it +ourselves. + +In addition to reducing code size, this fixes the following oops +resulting from failing to kmap the page: + +[ 68.896381] Unable to handle kernel NULL pointer dereference at virtual address 00000ab8 +[ 68.904539] pgd = 3561adb3 +[ 68.907475] [00000ab8] *pgd=00000000 +[ 68.911153] Internal error: Oops: 805 [#1] ARM +[ 68.915618] Modules linked in: cfg80211 rfkill des_generic libdes arc4 libarc4 cbc ecb algif_skcipher sha256_generic libsha256 sha1_generic hmac aes_generic libaes cmac sha512_generic md5 md4 algif_hash af_alg i2c_imx i2c_core ci_hdrc_imx ci_hdrc mxs_dcp ulpi roles udc_core imx_sdma usbmisc_imx usb_common firmware_class virt_dma phy_mxs_usb nf_tables nfnetlink ip_tables x_tables ipv6 autofs4 +[ 68.950741] CPU: 0 PID: 139 Comm: mxs_dcp_chan/ae Not tainted 5.10.34 #296 +[ 68.958501] Hardware name: Freescale i.MX6 Ultralite (Device Tree) +[ 68.964710] PC is at memcpy+0xa8/0x330 +[ 68.968479] LR is at 0xd7b2bc9d +[ 68.971638] pc : [] lr : [] psr: 000f0013 +[ 68.977920] sp : c2cbbee4 ip : 00000010 fp : 00000010 +[ 68.983159] r10: 00000000 r9 : c3283a40 r8 : 1a5a6f08 +[ 68.988402] r7 : 4bfe0ecc r6 : 76d8a220 r5 : c32f9050 r4 : 00000001 +[ 68.994945] r3 : 00000ab8 r2 : fffffff0 r1 : c32f9050 r0 : 00000ab8 +[ 69.001492] Flags: nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none +[ 69.008646] Control: 10c53c7d Table: 83664059 DAC: 00000051 +[ 69.014414] Process mxs_dcp_chan/ae (pid: 139, stack limit = 0x667b57ab) +[ 69.021133] Stack: (0xc2cbbee4 to 0xc2cbc000) +[ 69.025519] bee0: c32f9050 c3235408 00000010 00000010 00000ab8 00000001 bf10406c +[ 69.033720] bf00: 00000000 00000000 00000010 00000000 c32355d0 832fb080 00000000 c13de2fc +[ 69.041921] bf20: c3628010 00000010 c33d5780 00000ab8 bf1067e8 00000002 c21e5010 c2cba000 +[ 69.050125] bf40: c32f8040 00000000 bf106a40 c32f9040 c3283a80 00000001 bf105240 c3234040 +[ 69.058327] bf60: ffffe000 c3204100 c2c69800 c2cba000 00000000 bf103b84 00000000 c2eddc54 +[ 69.066530] bf80: c3204144 c0140d1c c2cba000 c2c69800 c0140be8 00000000 00000000 00000000 +[ 69.074730] bfa0: 00000000 00000000 00000000 c0100114 00000000 00000000 00000000 00000000 +[ 69.082932] bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +[ 69.091131] bfe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000 +[ 69.099364] [] (memcpy) from [] (dcp_chan_thread_aes+0x4e8/0x840 [mxs_dcp]) +[ 69.108117] [] (dcp_chan_thread_aes [mxs_dcp]) from [] (kthread+0x134/0x160) +[ 69.116941] [] (kthread) from [] (ret_from_fork+0x14/0x20) +[ 69.124178] Exception stack(0xc2cbbfb0 to 0xc2cbbff8) +[ 69.129250] bfa0: 00000000 00000000 00000000 00000000 +[ 69.137450] bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +[ 69.145648] bfe0: 00000000 00000000 00000000 00000000 00000013 00000000 +[ 69.152289] Code: e320f000 e4803004 e4804004 e4805004 (e4806004) + +Signed-off-by: Sean Anderson +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/mxs-dcp.c | 36 +++++++++--------------------------- + 1 file changed, 9 insertions(+), 27 deletions(-) + +diff --git a/drivers/crypto/mxs-dcp.c b/drivers/crypto/mxs-dcp.c +index 96b6808847c7..e986be405411 100644 +--- a/drivers/crypto/mxs-dcp.c ++++ b/drivers/crypto/mxs-dcp.c +@@ -297,21 +297,20 @@ static int mxs_dcp_aes_block_crypt(struct crypto_async_request *arq) + + struct scatterlist *dst = req->dst; + struct scatterlist *src = req->src; +- const int nents = sg_nents(req->src); ++ int dst_nents = sg_nents(dst); + + const int out_off = DCP_BUF_SZ; + uint8_t *in_buf = sdcp->coh->aes_in_buf; + uint8_t *out_buf = sdcp->coh->aes_out_buf; + +- uint8_t *out_tmp, *src_buf, *dst_buf = NULL; + uint32_t dst_off = 0; ++ uint8_t *src_buf = NULL; + uint32_t last_out_len = 0; + + uint8_t *key = sdcp->coh->aes_key; + + int ret = 0; +- int split = 0; +- unsigned int i, len, clen, rem = 0, tlen = 0; ++ unsigned int i, len, clen, tlen = 0; + int init = 0; + bool limit_hit = false; + +@@ -329,7 +328,7 @@ static int mxs_dcp_aes_block_crypt(struct crypto_async_request *arq) + memset(key + AES_KEYSIZE_128, 0, AES_KEYSIZE_128); + } + +- for_each_sg(req->src, src, nents, i) { ++ for_each_sg(req->src, src, sg_nents(src), i) { + src_buf = sg_virt(src); + len = sg_dma_len(src); + tlen += len; +@@ -354,34 +353,17 @@ static int mxs_dcp_aes_block_crypt(struct crypto_async_request *arq) + * submit the buffer. + */ + if (actx->fill == out_off || sg_is_last(src) || +- limit_hit) { ++ limit_hit) { + ret = mxs_dcp_run_aes(actx, req, init); + if (ret) + return ret; + init = 0; + +- out_tmp = out_buf; ++ sg_pcopy_from_buffer(dst, dst_nents, out_buf, ++ actx->fill, dst_off); ++ dst_off += actx->fill; + last_out_len = actx->fill; +- while (dst && actx->fill) { +- if (!split) { +- dst_buf = sg_virt(dst); +- dst_off = 0; +- } +- rem = min(sg_dma_len(dst) - dst_off, +- actx->fill); +- +- memcpy(dst_buf + dst_off, out_tmp, rem); +- out_tmp += rem; +- dst_off += rem; +- actx->fill -= rem; +- +- if (dst_off == sg_dma_len(dst)) { +- dst = sg_next(dst); +- split = 0; +- } else { +- split = 1; +- } +- } ++ actx->fill = 0; + } + } while (len); + +-- +2.30.2 + diff --git a/queue-4.14/docs-fix-infiniband-uverbs-minor-number.patch b/queue-4.14/docs-fix-infiniband-uverbs-minor-number.patch new file mode 100644 index 00000000000..54cecb7d7fb --- /dev/null +++ b/queue-4.14/docs-fix-infiniband-uverbs-minor-number.patch @@ -0,0 +1,45 @@ +From 58c9843372cf6d1ff4c890e3216bf417e64889ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jul 2021 16:04:12 +0300 +Subject: docs: Fix infiniband uverbs minor number + +From: Leon Romanovsky + +[ Upstream commit 8d7e415d55610d503fdb8815344846b72d194a40 ] + +Starting from the beginning of infiniband subsystem, the uverbs char +devices start from 192 as a minor number, see +commit bc38a6abdd5a ("[PATCH] IB uverbs: core implementation"). + +This patch updates the admin guide documentation to reflect it. + +Fixes: 9d85025b0418 ("docs-rst: create an user's manual book") +Link: https://lore.kernel.org/r/bad03e6bcde45550c01e12908a6fe7dfa4770703.1627477347.git.leonro@nvidia.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + Documentation/admin-guide/devices.txt | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/Documentation/admin-guide/devices.txt b/Documentation/admin-guide/devices.txt +index 4ec843123cc3..361bff6d3053 100644 +--- a/Documentation/admin-guide/devices.txt ++++ b/Documentation/admin-guide/devices.txt +@@ -2989,10 +2989,10 @@ + 65 = /dev/infiniband/issm1 Second InfiniBand IsSM device + ... + 127 = /dev/infiniband/issm63 63rd InfiniBand IsSM device +- 128 = /dev/infiniband/uverbs0 First InfiniBand verbs device +- 129 = /dev/infiniband/uverbs1 Second InfiniBand verbs device ++ 192 = /dev/infiniband/uverbs0 First InfiniBand verbs device ++ 193 = /dev/infiniband/uverbs1 Second InfiniBand verbs device + ... +- 159 = /dev/infiniband/uverbs31 31st InfiniBand verbs device ++ 223 = /dev/infiniband/uverbs31 31st InfiniBand verbs device + + 232 char Biometric Devices + 0 = /dev/biometric/sensor0/fingerprint first fingerprint sensor on first device +-- +2.30.2 + diff --git a/queue-4.14/flow_dissector-fix-out-of-bounds-warnings.patch b/queue-4.14/flow_dissector-fix-out-of-bounds-warnings.patch new file mode 100644 index 00000000000..29124099500 --- /dev/null +++ b/queue-4.14/flow_dissector-fix-out-of-bounds-warnings.patch @@ -0,0 +1,86 @@ +From c36852330c5bb4b62c4f85cf6f8e54763b013632 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jul 2021 14:25:11 -0500 +Subject: flow_dissector: Fix out-of-bounds warnings + +From: Gustavo A. R. Silva + +[ Upstream commit 323e0cb473e2a8706ff162b6b4f4fa16023c9ba7 ] + +Fix the following out-of-bounds warnings: + + net/core/flow_dissector.c: In function '__skb_flow_dissect': +>> net/core/flow_dissector.c:1104:4: warning: 'memcpy' offset [24, 39] from the object at '' is out of the bounds of referenced subobject 'saddr' with type 'struct in6_addr' at offset 8 [-Warray-bounds] + 1104 | memcpy(&key_addrs->v6addrs, &iph->saddr, + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 1105 | sizeof(key_addrs->v6addrs)); + | ~~~~~~~~~~~~~~~~~~~~~~~~~~~ + In file included from include/linux/ipv6.h:5, + from net/core/flow_dissector.c:6: + include/uapi/linux/ipv6.h:133:18: note: subobject 'saddr' declared here + 133 | struct in6_addr saddr; + | ^~~~~ +>> net/core/flow_dissector.c:1059:4: warning: 'memcpy' offset [16, 19] from the object at '' is out of the bounds of referenced subobject 'saddr' with type 'unsigned int' at offset 12 [-Warray-bounds] + 1059 | memcpy(&key_addrs->v4addrs, &iph->saddr, + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 1060 | sizeof(key_addrs->v4addrs)); + | ~~~~~~~~~~~~~~~~~~~~~~~~~~~ + In file included from include/linux/ip.h:17, + from net/core/flow_dissector.c:5: + include/uapi/linux/ip.h:103:9: note: subobject 'saddr' declared here + 103 | __be32 saddr; + | ^~~~~ + +The problem is that the original code is trying to copy data into a +couple of struct members adjacent to each other in a single call to +memcpy(). So, the compiler legitimately complains about it. As these +are just a couple of members, fix this by copying each one of them in +separate calls to memcpy(). + +This helps with the ongoing efforts to globally enable -Warray-bounds +and get us closer to being able to tighten the FORTIFY_SOURCE routines +on memcpy(). + +Link: https://github.com/KSPP/linux/issues/109 +Reported-by: kernel test robot +Link: https://lore.kernel.org/lkml/d5ae2e65-1f18-2577-246f-bada7eee6ccd@intel.com/ +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/flow_dissector.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c +index 071de3013364..b4dddb685fc2 100644 +--- a/net/core/flow_dissector.c ++++ b/net/core/flow_dissector.c +@@ -514,8 +514,10 @@ bool __skb_flow_dissect(const struct sk_buff *skb, + FLOW_DISSECTOR_KEY_IPV4_ADDRS, + target_container); + +- memcpy(&key_addrs->v4addrs, &iph->saddr, +- sizeof(key_addrs->v4addrs)); ++ memcpy(&key_addrs->v4addrs.src, &iph->saddr, ++ sizeof(key_addrs->v4addrs.src)); ++ memcpy(&key_addrs->v4addrs.dst, &iph->daddr, ++ sizeof(key_addrs->v4addrs.dst)); + key_control->addr_type = FLOW_DISSECTOR_KEY_IPV4_ADDRS; + } + +@@ -564,8 +566,10 @@ bool __skb_flow_dissect(const struct sk_buff *skb, + FLOW_DISSECTOR_KEY_IPV6_ADDRS, + target_container); + +- memcpy(&key_addrs->v6addrs, &iph->saddr, +- sizeof(key_addrs->v6addrs)); ++ memcpy(&key_addrs->v6addrs.src, &iph->saddr, ++ sizeof(key_addrs->v6addrs.src)); ++ memcpy(&key_addrs->v6addrs.dst, &iph->daddr, ++ sizeof(key_addrs->v6addrs.dst)); + key_control->addr_type = FLOW_DISSECTOR_KEY_IPV6_ADDRS; + } + +-- +2.30.2 + diff --git a/queue-4.14/gfs2-don-t-call-dlm-after-protocol-is-unmounted.patch b/queue-4.14/gfs2-don-t-call-dlm-after-protocol-is-unmounted.patch new file mode 100644 index 00000000000..1904aa0e9a5 --- /dev/null +++ b/queue-4.14/gfs2-don-t-call-dlm-after-protocol-is-unmounted.patch @@ -0,0 +1,54 @@ +From 2348670a485cff08fa8f3c69cb7528ccc73c8676 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jul 2021 12:41:49 -0500 +Subject: gfs2: Don't call dlm after protocol is unmounted + +From: Bob Peterson + +[ Upstream commit d1340f80f0b8066321b499a376780da00560e857 ] + +In the gfs2 withdraw sequence, the dlm protocol is unmounted with a call +to lm_unmount. After a withdraw, users are allowed to unmount the +withdrawn file system. But at that point we may still have glocks left +over that we need to free via unmount's call to gfs2_gl_hash_clear. +These glocks may have never been completed because of whatever problem +caused the withdraw (IO errors or whatever). + +Before this patch, function gdlm_put_lock would still try to call into +dlm to unlock these leftover glocks, which resulted in dlm returning +-EINVAL because the lock space was abandoned. These glocks were never +freed because there was no mechanism after that to free them. + +This patch adds a check to gdlm_put_lock to see if the locking protocol +was inactive (DFL_UNMOUNT flag) and if so, free the glock and not +make the invalid call into dlm. + +I could have combined this "if" with the one that follows, related to +leftover glock LVBs, but I felt the code was more readable with its own +if clause. + +Signed-off-by: Bob Peterson +Signed-off-by: Sasha Levin +--- + fs/gfs2/lock_dlm.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/gfs2/lock_dlm.c b/fs/gfs2/lock_dlm.c +index de733a6c30bb..f3c16a504c8d 100644 +--- a/fs/gfs2/lock_dlm.c ++++ b/fs/gfs2/lock_dlm.c +@@ -295,6 +295,11 @@ static void gdlm_put_lock(struct gfs2_glock *gl) + gfs2_sbstats_inc(gl, GFS2_LKS_DCOUNT); + gfs2_update_request_times(gl); + ++ /* don't want to call dlm if we've unmounted the lock protocol */ ++ if (test_bit(DFL_UNMOUNT, &ls->ls_recover_flags)) { ++ gfs2_glock_free(gl); ++ return; ++ } + /* don't want to skip dlm_unlock writing the lvb when lock has one */ + + if (test_bit(SDF_SKIP_DLM_UNLOCK, &sdp->sd_flags) && +-- +2.30.2 + diff --git a/queue-4.14/gpu-drm-amd-amdgpu-amdgpu_i2c-fix-possible-uninitial.patch b/queue-4.14/gpu-drm-amd-amdgpu-amdgpu_i2c-fix-possible-uninitial.patch new file mode 100644 index 00000000000..e6003f5129b --- /dev/null +++ b/queue-4.14/gpu-drm-amd-amdgpu-amdgpu_i2c-fix-possible-uninitial.patch @@ -0,0 +1,47 @@ +From fa4df3cf13ca02c80eec82a74e3082489567eab6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Aug 2021 04:34:58 -0700 +Subject: gpu: drm: amd: amdgpu: amdgpu_i2c: fix possible + uninitialized-variable access in amdgpu_i2c_router_select_ddc_port() + +From: Tuo Li + +[ Upstream commit a211260c34cfadc6068fece8c9e99e0fe1e2a2b6 ] + +The variable val is declared without initialization, and its address is +passed to amdgpu_i2c_get_byte(). In this function, the value of val is +accessed in: + DRM_DEBUG("i2c 0x%02x 0x%02x read failed\n", + addr, *val); + +Also, when amdgpu_i2c_get_byte() returns, val may remain uninitialized, +but it is accessed in: + val &= ~amdgpu_connector->router.ddc_mux_control_pin; + +To fix this possible uninitialized-variable access, initialize val to 0 in +amdgpu_i2c_router_select_ddc_port(). + +Reported-by: TOTE Robot +Signed-off-by: Tuo Li +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_i2c.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_i2c.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_i2c.c +index f2739995c335..199eccee0b0b 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_i2c.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_i2c.c +@@ -338,7 +338,7 @@ static void amdgpu_i2c_put_byte(struct amdgpu_i2c_chan *i2c_bus, + void + amdgpu_i2c_router_select_ddc_port(const struct amdgpu_connector *amdgpu_connector) + { +- u8 val; ++ u8 val = 0; + + if (!amdgpu_connector->router.ddc_valid) + return; +-- +2.30.2 + diff --git a/queue-4.14/hid-input-do-not-report-stylus-battery-state-as-full.patch b/queue-4.14/hid-input-do-not-report-stylus-battery-state-as-full.patch new file mode 100644 index 00000000000..6795d4793a4 --- /dev/null +++ b/queue-4.14/hid-input-do-not-report-stylus-battery-state-as-full.patch @@ -0,0 +1,46 @@ +From 8a23c1059cf95a8930891859fb8315f01176cc14 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Jun 2021 11:25:50 -0700 +Subject: HID: input: do not report stylus battery state as "full" + +From: Dmitry Torokhov + +[ Upstream commit f4abaa9eebde334045ed6ac4e564d050f1df3013 ] + +The power supply states of discharging, charging, full, etc, represent +state of charging, not the capacity level of the battery (for which +we have a separate property). Current HID usage tables to not allow +for expressing charging state of the batteries found in generic +styli, so we should simply assume that the battery is discharging +even if current capacity is at 100% when battery strength reporting +is done via HID interface. In fact, we were doing just that before +commit 581c4484769e. + +This change helps UIs to not mis-represent fully charged batteries in +styli as being charging/topping-off. + +Fixes: 581c4484769e ("HID: input: map digitizer battery usage") +Reported-by: Kenneth Albanowski +Signed-off-by: Dmitry Torokhov +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-input.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c +index 0e63cedcc3b5..96bf221ba572 100644 +--- a/drivers/hid/hid-input.c ++++ b/drivers/hid/hid-input.c +@@ -425,8 +425,6 @@ static int hidinput_get_battery_property(struct power_supply *psy, + + if (dev->battery_status == HID_BATTERY_UNKNOWN) + val->intval = POWER_SUPPLY_STATUS_UNKNOWN; +- else if (dev->battery_capacity == 100) +- val->intval = POWER_SUPPLY_STATUS_FULL; + else + val->intval = POWER_SUPPLY_STATUS_DISCHARGING; + break; +-- +2.30.2 + diff --git a/queue-4.14/hvsi-don-t-panic-on-tty_register_driver-failure.patch b/queue-4.14/hvsi-don-t-panic-on-tty_register_driver-failure.patch new file mode 100644 index 00000000000..ae9d0282336 --- /dev/null +++ b/queue-4.14/hvsi-don-t-panic-on-tty_register_driver-failure.patch @@ -0,0 +1,73 @@ +From 33f839da81a6c510fe21325ceec35e0da3f7af30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Jul 2021 09:43:11 +0200 +Subject: hvsi: don't panic on tty_register_driver failure + +From: Jiri Slaby + +[ Upstream commit 7ccbdcc4d08a6d7041e4849219bbb12ffa45db4c ] + +The alloc_tty_driver failure is handled gracefully in hvsi_init. But +tty_register_driver is not. panic is called if that one fails. + +So handle the failure of tty_register_driver gracefully too. This will +keep at least the console functional as it was enabled earlier by +console_initcall in hvsi_console_init. Instead of shooting down the +whole system. + +This means, we disable interrupts and restore hvsi_wait back to +poll_for_state(). + +Cc: linuxppc-dev@lists.ozlabs.org +Signed-off-by: Jiri Slaby +Link: https://lore.kernel.org/r/20210723074317.32690-3-jslaby@suse.cz +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/hvc/hvsi.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +diff --git a/drivers/tty/hvc/hvsi.c b/drivers/tty/hvc/hvsi.c +index 2e578d6433af..7d7fdfc578a9 100644 +--- a/drivers/tty/hvc/hvsi.c ++++ b/drivers/tty/hvc/hvsi.c +@@ -1051,7 +1051,7 @@ static const struct tty_operations hvsi_ops = { + + static int __init hvsi_init(void) + { +- int i; ++ int i, ret; + + hvsi_driver = alloc_tty_driver(hvsi_count); + if (!hvsi_driver) +@@ -1082,12 +1082,25 @@ static int __init hvsi_init(void) + } + hvsi_wait = wait_for_state; /* irqs active now */ + +- if (tty_register_driver(hvsi_driver)) +- panic("Couldn't register hvsi console driver\n"); ++ ret = tty_register_driver(hvsi_driver); ++ if (ret) { ++ pr_err("Couldn't register hvsi console driver\n"); ++ goto err_free_irq; ++ } + + printk(KERN_DEBUG "HVSI: registered %i devices\n", hvsi_count); + + return 0; ++err_free_irq: ++ hvsi_wait = poll_for_state; ++ for (i = 0; i < hvsi_count; i++) { ++ struct hvsi_struct *hp = &hvsi_ports[i]; ++ ++ free_irq(hp->virq, hp); ++ } ++ tty_driver_kref_put(hvsi_driver); ++ ++ return ret; + } + device_initcall(hvsi_init); + +-- +2.30.2 + diff --git a/queue-4.14/iio-dac-ad5624r-fix-incorrect-handling-of-an-optiona.patch b/queue-4.14/iio-dac-ad5624r-fix-incorrect-handling-of-an-optiona.patch new file mode 100644 index 00000000000..6716e53ff2e --- /dev/null +++ b/queue-4.14/iio-dac-ad5624r-fix-incorrect-handling-of-an-optiona.patch @@ -0,0 +1,71 @@ +From 22ec129036fa80be4c28883c7b9fb2e5453daa4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Jun 2021 17:32:37 +0100 +Subject: iio: dac: ad5624r: Fix incorrect handling of an optional regulator. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jonathan Cameron + +[ Upstream commit 97683c851f9cdbd3ea55697cbe2dcb6af4287bbd ] + +The naming of the regulator is problematic. VCC is usually a supply +voltage whereas these devices have a separate VREF pin. + +Secondly, the regulator core might have provided a stub regulator if +a real regulator wasn't provided. That would in turn have failed to +provide a voltage when queried. So reality was that there was no way +to use the internal reference. + +In order to avoid breaking any dts out in the wild, make sure to fallback +to the original vcc naming if vref is not available. + +Signed-off-by: Jonathan Cameron +Reported-by: kernel test robot +Acked-by: Nuno Sá +Link: https://lore.kernel.org/r/20210627163244.1090296-9-jic23@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/iio/dac/ad5624r_spi.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/drivers/iio/dac/ad5624r_spi.c b/drivers/iio/dac/ad5624r_spi.c +index 5489ec43b95d..e5cefdb674f8 100644 +--- a/drivers/iio/dac/ad5624r_spi.c ++++ b/drivers/iio/dac/ad5624r_spi.c +@@ -231,7 +231,7 @@ static int ad5624r_probe(struct spi_device *spi) + if (!indio_dev) + return -ENOMEM; + st = iio_priv(indio_dev); +- st->reg = devm_regulator_get(&spi->dev, "vcc"); ++ st->reg = devm_regulator_get_optional(&spi->dev, "vref"); + if (!IS_ERR(st->reg)) { + ret = regulator_enable(st->reg); + if (ret) +@@ -242,6 +242,22 @@ static int ad5624r_probe(struct spi_device *spi) + goto error_disable_reg; + + voltage_uv = ret; ++ } else { ++ if (PTR_ERR(st->reg) != -ENODEV) ++ return PTR_ERR(st->reg); ++ /* Backwards compatibility. This naming is not correct */ ++ st->reg = devm_regulator_get_optional(&spi->dev, "vcc"); ++ if (!IS_ERR(st->reg)) { ++ ret = regulator_enable(st->reg); ++ if (ret) ++ return ret; ++ ++ ret = regulator_get_voltage(st->reg); ++ if (ret < 0) ++ goto error_disable_reg; ++ ++ voltage_uv = ret; ++ } + } + + spi_set_drvdata(spi, indio_dev); +-- +2.30.2 + diff --git a/queue-4.14/ipv4-ip_output.c-fix-out-of-bounds-warning-in-ip_cop.patch b/queue-4.14/ipv4-ip_output.c-fix-out-of-bounds-warning-in-ip_cop.patch new file mode 100644 index 00000000000..088b88ff661 --- /dev/null +++ b/queue-4.14/ipv4-ip_output.c-fix-out-of-bounds-warning-in-ip_cop.patch @@ -0,0 +1,59 @@ +From 97e428b3b5d221134505ccba1e2684df16b5b21f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jul 2021 14:52:51 -0500 +Subject: ipv4: ip_output.c: Fix out-of-bounds warning in ip_copy_addrs() + +From: Gustavo A. R. Silva + +[ Upstream commit 6321c7acb82872ef6576c520b0e178eaad3a25c0 ] + +Fix the following out-of-bounds warning: + + In function 'ip_copy_addrs', + inlined from '__ip_queue_xmit' at net/ipv4/ip_output.c:517:2: +net/ipv4/ip_output.c:449:2: warning: 'memcpy' offset [40, 43] from the object at 'fl' is out of the bounds of referenced subobject 'saddr' with type 'unsigned int' at offset 36 [-Warray-bounds] + 449 | memcpy(&iph->saddr, &fl4->saddr, + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 450 | sizeof(fl4->saddr) + sizeof(fl4->daddr)); + | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The problem is that the original code is trying to copy data into a +couple of struct members adjacent to each other in a single call to +memcpy(). This causes a legitimate compiler warning because memcpy() +overruns the length of &iph->saddr and &fl4->saddr. As these are just +a couple of struct members, fix this by using direct assignments, +instead of memcpy(). + +This helps with the ongoing efforts to globally enable -Warray-bounds +and get us closer to being able to tighten the FORTIFY_SOURCE routines +on memcpy(). + +Link: https://github.com/KSPP/linux/issues/109 +Reported-by: kernel test robot +Link: https://lore.kernel.org/lkml/d5ae2e65-1f18-2577-246f-bada7eee6ccd@intel.com/ +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/ip_output.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c +index 5ec185a9dcab..c9f82525bfa4 100644 +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -419,8 +419,9 @@ static void ip_copy_addrs(struct iphdr *iph, const struct flowi4 *fl4) + { + BUILD_BUG_ON(offsetof(typeof(*fl4), daddr) != + offsetof(typeof(*fl4), saddr) + sizeof(fl4->saddr)); +- memcpy(&iph->saddr, &fl4->saddr, +- sizeof(fl4->saddr) + sizeof(fl4->daddr)); ++ ++ iph->saddr = fl4->saddr; ++ iph->daddr = fl4->daddr; + } + + /* Note: skb->sk can be different from sk, in case of tunnels */ +-- +2.30.2 + diff --git a/queue-4.14/media-dib8000-rewrite-the-init-prbs-logic.patch b/queue-4.14/media-dib8000-rewrite-the-init-prbs-logic.patch new file mode 100644 index 00000000000..365887ffa91 --- /dev/null +++ b/queue-4.14/media-dib8000-rewrite-the-init-prbs-logic.patch @@ -0,0 +1,139 @@ +From 063625855c3f4cc2db0f1fb0bc8cbac9fa494661 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jun 2021 13:28:57 +0200 +Subject: media: dib8000: rewrite the init prbs logic + +From: Mauro Carvalho Chehab + +[ Upstream commit 8db11aebdb8f93f46a8513c22c9bd52fa23263aa ] + +The logic at dib8000_get_init_prbs() has a few issues: + +1. the tables used there has an extra unused value at the beginning; +2. the dprintk() message doesn't write the right value when + transmission mode is not 8K; +3. the array overflow validation is done by the callers. + +Rewrite the code to fix such issues. + +This should also shut up those smatch warnings: + + drivers/media/dvb-frontends/dib8000.c:2125 dib8000_get_init_prbs() error: buffer overflow 'lut_prbs_8k' 14 <= 14 + drivers/media/dvb-frontends/dib8000.c:2129 dib8000_get_init_prbs() error: buffer overflow 'lut_prbs_2k' 14 <= 14 + drivers/media/dvb-frontends/dib8000.c:2131 dib8000_get_init_prbs() error: buffer overflow 'lut_prbs_4k' 14 <= 14 + drivers/media/dvb-frontends/dib8000.c:2134 dib8000_get_init_prbs() error: buffer overflow 'lut_prbs_8k' 14 <= 14 + +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-frontends/dib8000.c | 58 +++++++++++++++++++-------- + 1 file changed, 41 insertions(+), 17 deletions(-) + +diff --git a/drivers/media/dvb-frontends/dib8000.c b/drivers/media/dvb-frontends/dib8000.c +index 5d9381509b07..59ab01dc62b1 100644 +--- a/drivers/media/dvb-frontends/dib8000.c ++++ b/drivers/media/dvb-frontends/dib8000.c +@@ -2110,32 +2110,55 @@ static void dib8000_load_ana_fe_coefs(struct dib8000_state *state, const s16 *an + dib8000_write_word(state, 117 + mode, ana_fe[mode]); + } + +-static const u16 lut_prbs_2k[14] = { +- 0, 0x423, 0x009, 0x5C7, 0x7A6, 0x3D8, 0x527, 0x7FF, 0x79B, 0x3D6, 0x3A2, 0x53B, 0x2F4, 0x213 ++static const u16 lut_prbs_2k[13] = { ++ 0x423, 0x009, 0x5C7, ++ 0x7A6, 0x3D8, 0x527, ++ 0x7FF, 0x79B, 0x3D6, ++ 0x3A2, 0x53B, 0x2F4, ++ 0x213 + }; +-static const u16 lut_prbs_4k[14] = { +- 0, 0x208, 0x0C3, 0x7B9, 0x423, 0x5C7, 0x3D8, 0x7FF, 0x3D6, 0x53B, 0x213, 0x029, 0x0D0, 0x48E ++ ++static const u16 lut_prbs_4k[13] = { ++ 0x208, 0x0C3, 0x7B9, ++ 0x423, 0x5C7, 0x3D8, ++ 0x7FF, 0x3D6, 0x53B, ++ 0x213, 0x029, 0x0D0, ++ 0x48E + }; +-static const u16 lut_prbs_8k[14] = { +- 0, 0x740, 0x069, 0x7DD, 0x208, 0x7B9, 0x5C7, 0x7FF, 0x53B, 0x029, 0x48E, 0x4C4, 0x367, 0x684 ++ ++static const u16 lut_prbs_8k[13] = { ++ 0x740, 0x069, 0x7DD, ++ 0x208, 0x7B9, 0x5C7, ++ 0x7FF, 0x53B, 0x029, ++ 0x48E, 0x4C4, 0x367, ++ 0x684 + }; + + static u16 dib8000_get_init_prbs(struct dib8000_state *state, u16 subchannel) + { + int sub_channel_prbs_group = 0; ++ int prbs_group; + +- sub_channel_prbs_group = (subchannel / 3) + 1; +- dprintk("sub_channel_prbs_group = %d , subchannel =%d prbs = 0x%04x\n", sub_channel_prbs_group, subchannel, lut_prbs_8k[sub_channel_prbs_group]); ++ sub_channel_prbs_group = subchannel / 3; ++ if (sub_channel_prbs_group >= ARRAY_SIZE(lut_prbs_2k)) ++ return 0; + + switch (state->fe[0]->dtv_property_cache.transmission_mode) { + case TRANSMISSION_MODE_2K: +- return lut_prbs_2k[sub_channel_prbs_group]; ++ prbs_group = lut_prbs_2k[sub_channel_prbs_group]; ++ break; + case TRANSMISSION_MODE_4K: +- return lut_prbs_4k[sub_channel_prbs_group]; ++ prbs_group = lut_prbs_4k[sub_channel_prbs_group]; ++ break; + default: + case TRANSMISSION_MODE_8K: +- return lut_prbs_8k[sub_channel_prbs_group]; ++ prbs_group = lut_prbs_8k[sub_channel_prbs_group]; + } ++ ++ dprintk("sub_channel_prbs_group = %d , subchannel =%d prbs = 0x%04x\n", ++ sub_channel_prbs_group, subchannel, prbs_group); ++ ++ return prbs_group; + } + + static void dib8000_set_13seg_channel(struct dib8000_state *state) +@@ -2412,10 +2435,8 @@ static void dib8000_set_isdbt_common_channel(struct dib8000_state *state, u8 seq + /* TSB or ISDBT ? apply it now */ + if (c->isdbt_sb_mode) { + dib8000_set_sb_channel(state); +- if (c->isdbt_sb_subchannel < 14) +- init_prbs = dib8000_get_init_prbs(state, c->isdbt_sb_subchannel); +- else +- init_prbs = 0; ++ init_prbs = dib8000_get_init_prbs(state, ++ c->isdbt_sb_subchannel); + } else { + dib8000_set_13seg_channel(state); + init_prbs = 0xfff; +@@ -3007,6 +3028,7 @@ static int dib8000_tune(struct dvb_frontend *fe) + + unsigned long *timeout = &state->timeout; + unsigned long now = jiffies; ++ u16 init_prbs; + #ifdef DIB8000_AGC_FREEZE + u16 agc1, agc2; + #endif +@@ -3305,8 +3327,10 @@ static int dib8000_tune(struct dvb_frontend *fe) + break; + + case CT_DEMOD_STEP_11: /* 41 : init prbs autosearch */ +- if (state->subchannel <= 41) { +- dib8000_set_subchannel_prbs(state, dib8000_get_init_prbs(state, state->subchannel)); ++ init_prbs = dib8000_get_init_prbs(state, state->subchannel); ++ ++ if (init_prbs) { ++ dib8000_set_subchannel_prbs(state, init_prbs); + *tune_state = CT_DEMOD_STEP_9; + } else { + *tune_state = CT_DEMOD_STOP; +-- +2.30.2 + diff --git a/queue-4.14/media-v4l2-dv-timings.c-fix-wrong-condition-in-two-f.patch b/queue-4.14/media-v4l2-dv-timings.c-fix-wrong-condition-in-two-f.patch new file mode 100644 index 00000000000..f066ae34e63 --- /dev/null +++ b/queue-4.14/media-v4l2-dv-timings.c-fix-wrong-condition-in-two-f.patch @@ -0,0 +1,53 @@ +From 922312d3f01d3ab0141aabeb9daed7fce163bef9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Jul 2021 10:22:59 +0200 +Subject: media: v4l2-dv-timings.c: fix wrong condition in two for-loops +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Hans Verkuil + +[ Upstream commit 4108b3e6db31acc4c68133290bbcc87d4db905c9 ] + +These for-loops should test against v4l2_dv_timings_presets[i].bt.width, +not if i < v4l2_dv_timings_presets[i].bt.width. Luckily nothing ever broke, +since the smallest width is still a lot higher than the total number of +presets, but it is wrong. + +The last item in the presets array is all 0, so the for-loop must stop +when it reaches that sentinel. + +Signed-off-by: Hans Verkuil +Reported-by: Krzysztof Hałasa +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/v4l2-core/v4l2-dv-timings.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/v4l2-core/v4l2-dv-timings.c b/drivers/media/v4l2-core/v4l2-dv-timings.c +index 5c8c49d240d1..bed6b7db43f5 100644 +--- a/drivers/media/v4l2-core/v4l2-dv-timings.c ++++ b/drivers/media/v4l2-core/v4l2-dv-timings.c +@@ -207,7 +207,7 @@ bool v4l2_find_dv_timings_cap(struct v4l2_dv_timings *t, + if (!v4l2_valid_dv_timings(t, cap, fnc, fnc_handle)) + return false; + +- for (i = 0; i < v4l2_dv_timings_presets[i].bt.width; i++) { ++ for (i = 0; v4l2_dv_timings_presets[i].bt.width; i++) { + if (v4l2_valid_dv_timings(v4l2_dv_timings_presets + i, cap, + fnc, fnc_handle) && + v4l2_match_dv_timings(t, v4l2_dv_timings_presets + i, +@@ -229,7 +229,7 @@ bool v4l2_find_dv_timings_cea861_vic(struct v4l2_dv_timings *t, u8 vic) + { + unsigned int i; + +- for (i = 0; i < v4l2_dv_timings_presets[i].bt.width; i++) { ++ for (i = 0; v4l2_dv_timings_presets[i].bt.width; i++) { + const struct v4l2_bt_timings *bt = + &v4l2_dv_timings_presets[i].bt; + +-- +2.30.2 + diff --git a/queue-4.14/mips-malta-fix-alignment-of-the-devicetree-buffer.patch b/queue-4.14/mips-malta-fix-alignment-of-the-devicetree-buffer.patch new file mode 100644 index 00000000000..8b4ee0e2264 --- /dev/null +++ b/queue-4.14/mips-malta-fix-alignment-of-the-devicetree-buffer.patch @@ -0,0 +1,44 @@ +From 93df2f659aaf854457147108c8de32d5146b93fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Sep 2021 09:19:51 +0200 +Subject: MIPS: Malta: fix alignment of the devicetree buffer + +From: Oleksij Rempel + +[ Upstream commit bea6a94a279bcbe6b2cde348782b28baf12255a5 ] + +Starting with following patch MIPS Malta is not able to boot: +| commit 79edff12060fe7772af08607eff50c0e2486c5ba +| Author: Rob Herring +| scripts/dtc: Update to upstream version v1.6.0-51-g183df9e9c2b9 + +The reason is the alignment test added to the fdt_ro_probe_(). To fix +this issue, we need to make sure that fdt_buf is aligned. + +Since the dtc patch was designed to uncover potential issue, I handle +initial MIPS Malta patch as initial bug. + +Fixes: e81a8c7dabac ("MIPS: Malta: Setup RAM regions via DT") +Signed-off-by: Oleksij Rempel +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/mti-malta/malta-dtshim.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/mips/mti-malta/malta-dtshim.c b/arch/mips/mti-malta/malta-dtshim.c +index 7859b6e49863..5b5d78a7882a 100644 +--- a/arch/mips/mti-malta/malta-dtshim.c ++++ b/arch/mips/mti-malta/malta-dtshim.c +@@ -26,7 +26,7 @@ + #define ROCIT_CONFIG_GEN1_MEMMAP_SHIFT 8 + #define ROCIT_CONFIG_GEN1_MEMMAP_MASK (0xf << 8) + +-static unsigned char fdt_buf[16 << 10] __initdata; ++static unsigned char fdt_buf[16 << 10] __initdata __aligned(8); + + /* determined physical memory size, not overridden by command line args */ + extern unsigned long physical_memsize; +-- +2.30.2 + diff --git a/queue-4.14/mmc-rtsx_pci-fix-long-reads-when-clock-is-prescaled.patch b/queue-4.14/mmc-rtsx_pci-fix-long-reads-when-clock-is-prescaled.patch new file mode 100644 index 00000000000..565d857f71a --- /dev/null +++ b/queue-4.14/mmc-rtsx_pci-fix-long-reads-when-clock-is-prescaled.patch @@ -0,0 +1,106 @@ +From 9c2a74c97b426e18549fe1fb6b94f4ad4b1e2132 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 1 Aug 2021 04:46:14 -0700 +Subject: mmc: rtsx_pci: Fix long reads when clock is prescaled + +From: Thomas Hebb + +[ Upstream commit 3ac5e45291f3f0d699a721357380d4593bc2dcb3 ] + +For unexplained reasons, the prescaler register for this device needs to +be cleared (set to 1) while performing a data read or else the command +will hang. This does not appear to affect the real clock rate sent out +on the bus, so I assume it's purely to work around a hardware bug. + +During normal operation, the prescaler is already set to 1, so nothing +needs to be done. However, in "initial mode" (which is used for sub-MHz +clock speeds, like the core sets while enumerating cards), it's set to +128 and so we need to reset it during data reads. We currently fail to +do this for long reads. + +This has no functional affect on the driver's operation currently +written, as the MMC core always sets a clock above 1MHz before +attempting any long reads. However, the core could conceivably set any +clock speed at any time and the driver should still work, so I think +this fix is worthwhile. + +I personally encountered this issue while performing data recovery on an +external chip. My connections had poor signal integrity, so I modified +the core code to reduce the clock speed. Without this change, I saw the +card enumerate but was unable to actually read any data. + +Writes don't seem to work in the situation described above even with +this change (and even if the workaround is extended to encompass data +write commands). I was not able to find a way to get them working. + +Signed-off-by: Thomas Hebb +Link: https://lore.kernel.org/r/2fef280d8409ab0100c26c6ac7050227defd098d.1627818365.git.tommyhebb@gmail.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/rtsx_pci_sdmmc.c | 36 ++++++++++++++++++++----------- + 1 file changed, 23 insertions(+), 13 deletions(-) + +diff --git a/drivers/mmc/host/rtsx_pci_sdmmc.c b/drivers/mmc/host/rtsx_pci_sdmmc.c +index 41b57713b620..9de6a32f0c9f 100644 +--- a/drivers/mmc/host/rtsx_pci_sdmmc.c ++++ b/drivers/mmc/host/rtsx_pci_sdmmc.c +@@ -551,9 +551,22 @@ static int sd_write_long_data(struct realtek_pci_sdmmc *host, + return 0; + } + ++static inline void sd_enable_initial_mode(struct realtek_pci_sdmmc *host) ++{ ++ rtsx_pci_write_register(host->pcr, SD_CFG1, ++ SD_CLK_DIVIDE_MASK, SD_CLK_DIVIDE_128); ++} ++ ++static inline void sd_disable_initial_mode(struct realtek_pci_sdmmc *host) ++{ ++ rtsx_pci_write_register(host->pcr, SD_CFG1, ++ SD_CLK_DIVIDE_MASK, SD_CLK_DIVIDE_0); ++} ++ + static int sd_rw_multi(struct realtek_pci_sdmmc *host, struct mmc_request *mrq) + { + struct mmc_data *data = mrq->data; ++ int err; + + if (host->sg_count < 0) { + data->error = host->sg_count; +@@ -562,22 +575,19 @@ static int sd_rw_multi(struct realtek_pci_sdmmc *host, struct mmc_request *mrq) + return data->error; + } + +- if (data->flags & MMC_DATA_READ) +- return sd_read_long_data(host, mrq); ++ if (data->flags & MMC_DATA_READ) { ++ if (host->initial_mode) ++ sd_disable_initial_mode(host); + +- return sd_write_long_data(host, mrq); +-} ++ err = sd_read_long_data(host, mrq); + +-static inline void sd_enable_initial_mode(struct realtek_pci_sdmmc *host) +-{ +- rtsx_pci_write_register(host->pcr, SD_CFG1, +- SD_CLK_DIVIDE_MASK, SD_CLK_DIVIDE_128); +-} ++ if (host->initial_mode) ++ sd_enable_initial_mode(host); + +-static inline void sd_disable_initial_mode(struct realtek_pci_sdmmc *host) +-{ +- rtsx_pci_write_register(host->pcr, SD_CFG1, +- SD_CLK_DIVIDE_MASK, SD_CLK_DIVIDE_0); ++ return err; ++ } ++ ++ return sd_write_long_data(host, mrq); + } + + static void sd_normal_rw(struct realtek_pci_sdmmc *host, +-- +2.30.2 + diff --git a/queue-4.14/mmc-sdhci-of-arasan-check-return-value-of-non-void-f.patch b/queue-4.14/mmc-sdhci-of-arasan-check-return-value-of-non-void-f.patch new file mode 100644 index 00000000000..c41a019c7a9 --- /dev/null +++ b/queue-4.14/mmc-sdhci-of-arasan-check-return-value-of-non-void-f.patch @@ -0,0 +1,69 @@ +From cc3e3a63ecdac691c5355935f69f6c0bbfdc0ac0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jun 2021 16:13:54 +0530 +Subject: mmc: sdhci-of-arasan: Check return value of non-void funtions + +From: Manish Narani + +[ Upstream commit 66bad6ed2204fdb78a0a8fb89d824397106a5471 ] + +At a couple of places, the return values of the non-void functions were +not getting checked. This was reported by the coverity tool. Modify the +code to check the return values of the same. + +Addresses-Coverity: ("check_return") +Signed-off-by: Manish Narani +Acked-by: Adrian Hunter +Link: https://lore.kernel.org/r/1623753837-21035-5-git-send-email-manish.narani@xilinx.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/sdhci-of-arasan.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +diff --git a/drivers/mmc/host/sdhci-of-arasan.c b/drivers/mmc/host/sdhci-of-arasan.c +index e033ad477715..0a2bfd034df3 100644 +--- a/drivers/mmc/host/sdhci-of-arasan.c ++++ b/drivers/mmc/host/sdhci-of-arasan.c +@@ -179,7 +179,12 @@ static void sdhci_arasan_set_clock(struct sdhci_host *host, unsigned int clock) + * through low speeds without power cycling. + */ + sdhci_set_clock(host, host->max_clk); +- phy_power_on(sdhci_arasan->phy); ++ if (phy_power_on(sdhci_arasan->phy)) { ++ pr_err("%s: Cannot power on phy.\n", ++ mmc_hostname(host->mmc)); ++ return; ++ } ++ + sdhci_arasan->is_phy_on = true; + + /* +@@ -205,7 +210,12 @@ static void sdhci_arasan_set_clock(struct sdhci_host *host, unsigned int clock) + sdhci_set_clock(host, clock); + + if (ctrl_phy) { +- phy_power_on(sdhci_arasan->phy); ++ if (phy_power_on(sdhci_arasan->phy)) { ++ pr_err("%s: Cannot power on phy.\n", ++ mmc_hostname(host->mmc)); ++ return; ++ } ++ + sdhci_arasan->is_phy_on = true; + } + } +@@ -305,7 +315,9 @@ static int sdhci_arasan_suspend(struct device *dev) + ret = phy_power_off(sdhci_arasan->phy); + if (ret) { + dev_err(dev, "Cannot power off phy.\n"); +- sdhci_resume_host(host); ++ if (sdhci_resume_host(host)) ++ dev_err(dev, "Cannot resume host.\n"); ++ + return ret; + } + sdhci_arasan->is_phy_on = false; +-- +2.30.2 + diff --git a/queue-4.14/net-ethernet-stmmac-do-not-use-unreachable-in-ipq806.patch b/queue-4.14/net-ethernet-stmmac-do-not-use-unreachable-in-ipq806.patch new file mode 100644 index 00000000000..3087a867d3c --- /dev/null +++ b/queue-4.14/net-ethernet-stmmac-do-not-use-unreachable-in-ipq806.patch @@ -0,0 +1,89 @@ +From 04828a38351f13777060a18ac0cb5fd8f430d5a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Aug 2021 12:13:40 -0700 +Subject: net: ethernet: stmmac: Do not use unreachable() in + ipq806x_gmac_probe() + +From: Nathan Chancellor + +[ Upstream commit 4367355dd90942a71641c98c40c74589c9bddf90 ] + +When compiling with clang in certain configurations, an objtool warning +appears: + +drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.o: warning: objtool: +ipq806x_gmac_probe() falls through to next function phy_modes() + +This happens because the unreachable annotation in the third switch +statement is not eliminated. The compiler should know that the first +default case would prevent the second and third from being reached as +the comment notes but sanitizer options can make it harder for the +compiler to reason this out. + +Help the compiler out by eliminating the unreachable() annotation and +unifying the default case error handling so that there is no objtool +warning, the meaning of the code stays the same, and there is less +duplication. + +Reported-by: Sami Tolvanen +Tested-by: Sami Tolvanen +Signed-off-by: Nathan Chancellor +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../ethernet/stmicro/stmmac/dwmac-ipq806x.c | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c +index f4ff43a1b5ba..d8c40b68bc96 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c +@@ -300,10 +300,7 @@ static int ipq806x_gmac_probe(struct platform_device *pdev) + val &= ~NSS_COMMON_GMAC_CTL_PHY_IFACE_SEL; + break; + default: +- dev_err(&pdev->dev, "Unsupported PHY mode: \"%s\"\n", +- phy_modes(gmac->phy_mode)); +- err = -EINVAL; +- goto err_remove_config_dt; ++ goto err_unsupported_phy; + } + regmap_write(gmac->nss_common, NSS_COMMON_GMAC_CTL(gmac->id), val); + +@@ -320,10 +317,7 @@ static int ipq806x_gmac_probe(struct platform_device *pdev) + NSS_COMMON_CLK_SRC_CTRL_OFFSET(gmac->id); + break; + default: +- dev_err(&pdev->dev, "Unsupported PHY mode: \"%s\"\n", +- phy_modes(gmac->phy_mode)); +- err = -EINVAL; +- goto err_remove_config_dt; ++ goto err_unsupported_phy; + } + regmap_write(gmac->nss_common, NSS_COMMON_CLK_SRC_CTRL, val); + +@@ -340,8 +334,7 @@ static int ipq806x_gmac_probe(struct platform_device *pdev) + NSS_COMMON_CLK_GATE_GMII_TX_EN(gmac->id); + break; + default: +- /* We don't get here; the switch above will have errored out */ +- unreachable(); ++ goto err_unsupported_phy; + } + regmap_write(gmac->nss_common, NSS_COMMON_CLK_GATE, val); + +@@ -372,6 +365,11 @@ static int ipq806x_gmac_probe(struct platform_device *pdev) + + return 0; + ++err_unsupported_phy: ++ dev_err(&pdev->dev, "Unsupported PHY mode: \"%s\"\n", ++ phy_modes(gmac->phy_mode)); ++ err = -EINVAL; ++ + err_remove_config_dt: + stmmac_remove_config_dt(pdev, plat_dat); + +-- +2.30.2 + diff --git a/queue-4.14/net-fix-null-pointer-reference-in-cipso_v4_doi_free.patch b/queue-4.14/net-fix-null-pointer-reference-in-cipso_v4_doi_free.patch new file mode 100644 index 00000000000..075ce954da2 --- /dev/null +++ b/queue-4.14/net-fix-null-pointer-reference-in-cipso_v4_doi_free.patch @@ -0,0 +1,59 @@ +From f49816ecaf8db7dc7fdcb702eed412437012ebf6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Aug 2021 18:28:01 +0800 +Subject: net: fix NULL pointer reference in cipso_v4_doi_free +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: 王贇 + +[ Upstream commit 733c99ee8be9a1410287cdbb943887365e83b2d6 ] + +In netlbl_cipsov4_add_std() when 'doi_def->map.std' alloc +failed, we sometime observe panic: + + BUG: kernel NULL pointer dereference, address: + ... + RIP: 0010:cipso_v4_doi_free+0x3a/0x80 + ... + Call Trace: + netlbl_cipsov4_add_std+0xf4/0x8c0 + netlbl_cipsov4_add+0x13f/0x1b0 + genl_family_rcv_msg_doit.isra.15+0x132/0x170 + genl_rcv_msg+0x125/0x240 + +This is because in cipso_v4_doi_free() there is no check +on 'doi_def->map.std' when 'doi_def->type' equal 1, which +is possibe, since netlbl_cipsov4_add_std() haven't initialize +it before alloc 'doi_def->map.std'. + +This patch just add the check to prevent panic happen for similar +cases. + +Reported-by: Abaci +Signed-off-by: Michael Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/netlabel/netlabel_cipso_v4.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c +index 0559d442ad80..e252f62bb8c2 100644 +--- a/net/netlabel/netlabel_cipso_v4.c ++++ b/net/netlabel/netlabel_cipso_v4.c +@@ -156,8 +156,8 @@ static int netlbl_cipsov4_add_std(struct genl_info *info, + return -ENOMEM; + doi_def->map.std = kzalloc(sizeof(*doi_def->map.std), GFP_KERNEL); + if (doi_def->map.std == NULL) { +- ret_val = -ENOMEM; +- goto add_std_failure; ++ kfree(doi_def); ++ return -ENOMEM; + } + doi_def->type = CIPSO_V4_MAP_TRANS; + +-- +2.30.2 + diff --git a/queue-4.14/net-w5100-check-return-value-after-calling-platform_.patch b/queue-4.14/net-w5100-check-return-value-after-calling-platform_.patch new file mode 100644 index 00000000000..ca0549ce8ad --- /dev/null +++ b/queue-4.14/net-w5100-check-return-value-after-calling-platform_.patch @@ -0,0 +1,35 @@ +From b5e37f1ee0b2be72443f356ed1abd734a2a47c31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Aug 2021 16:40:18 +0800 +Subject: net: w5100: check return value after calling platform_get_resource() + +From: Yang Yingliang + +[ Upstream commit a39ff4a47f3e1da3b036817ef436b1a9be10783a ] + +It will cause null-ptr-deref if platform_get_resource() returns NULL, +we need check the return value. + +Signed-off-by: Yang Yingliang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/wiznet/w5100.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/wiznet/w5100.c b/drivers/net/ethernet/wiznet/w5100.c +index 2bdfb39215e9..87610d8b3462 100644 +--- a/drivers/net/ethernet/wiznet/w5100.c ++++ b/drivers/net/ethernet/wiznet/w5100.c +@@ -1059,6 +1059,8 @@ static int w5100_mmio_probe(struct platform_device *pdev) + mac_addr = data->mac_addr; + + mem = platform_get_resource(pdev, IORESOURCE_MEM, 0); ++ if (!mem) ++ return -EINVAL; + if (resource_size(mem) < W5100_BUS_DIRECT_SIZE) + ops = &w5100_mmio_indirect_ops; + else +-- +2.30.2 + diff --git a/queue-4.14/netlink-deal-with-esrch-error-in-nlmsg_notify.patch b/queue-4.14/netlink-deal-with-esrch-error-in-nlmsg_notify.patch new file mode 100644 index 00000000000..0da601353c8 --- /dev/null +++ b/queue-4.14/netlink-deal-with-esrch-error-in-nlmsg_notify.patch @@ -0,0 +1,69 @@ +From 30ab405b58bda2ce1933a068c7314a4244f0ccb0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jul 2021 13:18:16 +0800 +Subject: netlink: Deal with ESRCH error in nlmsg_notify() + +From: Yajun Deng + +[ Upstream commit fef773fc8110d8124c73a5e6610f89e52814637d ] + +Yonghong Song report: +The bpf selftest tc_bpf failed with latest bpf-next. +The following is the command to run and the result: +$ ./test_progs -n 132 +[ 40.947571] bpf_testmod: loading out-of-tree module taints kernel. +test_tc_bpf:PASS:test_tc_bpf__open_and_load 0 nsec +test_tc_bpf:PASS:bpf_tc_hook_create(BPF_TC_INGRESS) 0 nsec +test_tc_bpf:PASS:bpf_tc_hook_create invalid hook.attach_point 0 nsec +test_tc_bpf_basic:PASS:bpf_obj_get_info_by_fd 0 nsec +test_tc_bpf_basic:PASS:bpf_tc_attach 0 nsec +test_tc_bpf_basic:PASS:handle set 0 nsec +test_tc_bpf_basic:PASS:priority set 0 nsec +test_tc_bpf_basic:PASS:prog_id set 0 nsec +test_tc_bpf_basic:PASS:bpf_tc_attach replace mode 0 nsec +test_tc_bpf_basic:PASS:bpf_tc_query 0 nsec +test_tc_bpf_basic:PASS:handle set 0 nsec +test_tc_bpf_basic:PASS:priority set 0 nsec +test_tc_bpf_basic:PASS:prog_id set 0 nsec +libbpf: Kernel error message: Failed to send filter delete notification +test_tc_bpf_basic:FAIL:bpf_tc_detach unexpected error: -3 (errno 3) +test_tc_bpf:FAIL:test_tc_internal ingress unexpected error: -3 (errno 3) + +The failure seems due to the commit + cfdf0d9ae75b ("rtnetlink: use nlmsg_notify() in rtnetlink_send()") + +Deal with ESRCH error in nlmsg_notify() even the report variable is zero. + +Reported-by: Yonghong Song +Signed-off-by: Yajun Deng +Link: https://lore.kernel.org/r/20210719051816.11762-1-yajun.deng@linux.dev +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/netlink/af_netlink.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index 140bec3568ec..955041c54702 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -2476,13 +2476,15 @@ int nlmsg_notify(struct sock *sk, struct sk_buff *skb, u32 portid, + /* errors reported via destination sk->sk_err, but propagate + * delivery errors if NETLINK_BROADCAST_ERROR flag is set */ + err = nlmsg_multicast(sk, skb, exclude_portid, group, flags); ++ if (err == -ESRCH) ++ err = 0; + } + + if (report) { + int err2; + + err2 = nlmsg_unicast(sk, skb, portid); +- if (!err || err == -ESRCH) ++ if (!err) + err = err2; + } + +-- +2.30.2 + diff --git a/queue-4.14/openrisc-don-t-printk-unconditionally.patch b/queue-4.14/openrisc-don-t-printk-unconditionally.patch new file mode 100644 index 00000000000..a03baf487cd --- /dev/null +++ b/queue-4.14/openrisc-don-t-printk-unconditionally.patch @@ -0,0 +1,52 @@ +From d0cbcac5c8403486fa5d98ea7e1b81b4b9f90d53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jul 2021 19:33:09 -0700 +Subject: openrisc: don't printk() unconditionally + +From: Randy Dunlap + +[ Upstream commit 946e1052cdcc7e585ee5d1e72528ca49fb295243 ] + +Don't call printk() when CONFIG_PRINTK is not set. +Fixes the following build errors: + +or1k-linux-ld: arch/openrisc/kernel/entry.o: in function `_external_irq_handler': +(.text+0x804): undefined reference to `printk' +(.text+0x804): relocation truncated to fit: R_OR1K_INSN_REL_26 against undefined symbol `printk' + +Fixes: 9d02a4283e9c ("OpenRISC: Boot code") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Cc: Jonas Bonn +Cc: Stefan Kristiansson +Cc: Stafford Horne +Cc: openrisc@lists.librecores.org +Signed-off-by: Stafford Horne +Signed-off-by: Sasha Levin +--- + arch/openrisc/kernel/entry.S | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/openrisc/kernel/entry.S b/arch/openrisc/kernel/entry.S +index 0fdfa7142f4b..272eda8d6368 100644 +--- a/arch/openrisc/kernel/entry.S ++++ b/arch/openrisc/kernel/entry.S +@@ -495,6 +495,7 @@ EXCEPTION_ENTRY(_external_irq_handler) + l.bnf 1f // ext irq enabled, all ok. + l.nop + ++#ifdef CONFIG_PRINTK + l.addi r1,r1,-0x8 + l.movhi r3,hi(42f) + l.ori r3,r3,lo(42f) +@@ -508,6 +509,7 @@ EXCEPTION_ENTRY(_external_irq_handler) + .string "\n\rESR interrupt bug: in _external_irq_handler (ESR %x)\n\r" + .align 4 + .previous ++#endif + + l.ori r4,r4,SPR_SR_IEE // fix the bug + // l.sw PT_SR(r1),r4 +-- +2.30.2 + diff --git a/queue-4.14/parport-remove-non-zero-check-on-count.patch b/queue-4.14/parport-remove-non-zero-check-on-count.patch new file mode 100644 index 00000000000..827c68c2969 --- /dev/null +++ b/queue-4.14/parport-remove-non-zero-check-on-count.patch @@ -0,0 +1,44 @@ +From 03f34b6f9101d89d3e0c4c9cb81ca952d2d25332 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jul 2021 11:07:10 +0100 +Subject: parport: remove non-zero check on count + +From: Colin Ian King + +[ Upstream commit 0be883a0d795d9146f5325de582584147dd0dcdc ] + +The check for count appears to be incorrect since a non-zero count +check occurs a couple of statements earlier. Currently the check is +always false and the dev->port->irq != PARPORT_IRQ_NONE part of the +check is never tested and the if statement is dead-code. Fix this +by removing the check on count. + +Note that this code is pre-git history, so I can't find a sha for +it. + +Acked-by: Sudip Mukherjee +Signed-off-by: Colin Ian King +Addresses-Coverity: ("Logically dead code") +Link: https://lore.kernel.org/r/20210730100710.27405-1-colin.king@canonical.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/parport/ieee1284_ops.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/parport/ieee1284_ops.c b/drivers/parport/ieee1284_ops.c +index 5d41dda6da4e..75daa16f38b7 100644 +--- a/drivers/parport/ieee1284_ops.c ++++ b/drivers/parport/ieee1284_ops.c +@@ -535,7 +535,7 @@ size_t parport_ieee1284_ecp_read_data (struct parport *port, + goto out; + + /* Yield the port for a while. */ +- if (count && dev->port->irq != PARPORT_IRQ_NONE) { ++ if (dev->port->irq != PARPORT_IRQ_NONE) { + parport_release (dev); + schedule_timeout_interruptible(msecs_to_jiffies(40)); + parport_claim_or_block (dev); +-- +2.30.2 + diff --git a/queue-4.14/pci-use-pci_update_current_state-in-pci_enable_devic.patch b/queue-4.14/pci-use-pci_update_current_state-in-pci_enable_devic.patch new file mode 100644 index 00000000000..b4644935c67 --- /dev/null +++ b/queue-4.14/pci-use-pci_update_current_state-in-pci_enable_devic.patch @@ -0,0 +1,53 @@ +From 6a7c751b7ddbd8885ea40fff8120c948f919c07f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jul 2021 15:25:06 +0200 +Subject: PCI: Use pci_update_current_state() in pci_enable_device_flags() + +From: Rafael J. Wysocki + +[ Upstream commit 14858dcc3b3587f4bb5c48e130ee7d68fc2b0a29 ] + +Updating the current_state field of struct pci_dev the way it is done +in pci_enable_device_flags() before calling do_pci_enable_device() may +not work. For example, if the given PCI device depends on an ACPI +power resource whose _STA method initially returns 0 ("off"), but the +config space of the PCI device is accessible and the power state +retrieved from the PCI_PM_CTRL register is D0, the current_state +field in the struct pci_dev representing that device will get out of +sync with the power.state of its ACPI companion object and that will +lead to power management issues going forward. + +To avoid such issues, make pci_enable_device_flags() call +pci_update_current_state() which takes ACPI device power management +into account, if present, to retrieve the current power state of the +device. + +Link: https://lore.kernel.org/lkml/20210314000439.3138941-1-luzmaximilian@gmail.com/ +Reported-by: Maximilian Luz +Signed-off-by: Rafael J. Wysocki +Tested-by: Maximilian Luz +Signed-off-by: Sasha Levin +--- + drivers/pci/pci.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c +index 1c5c0937c5da..4ff7f2575d28 100644 +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -1384,11 +1384,7 @@ static int pci_enable_device_flags(struct pci_dev *dev, unsigned long flags) + * so that things like MSI message writing will behave as expected + * (e.g. if the device really is in D0 at enable time). + */ +- if (dev->pm_cap) { +- u16 pmcsr; +- pci_read_config_word(dev, dev->pm_cap + PCI_PM_CTRL, &pmcsr); +- dev->current_state = (pmcsr & PCI_PM_CTRL_STATE_MASK); +- } ++ pci_update_current_state(dev, dev->current_state); + + if (atomic_inc_return(&dev->enable_cnt) > 1) + return 0; /* already enabled */ +-- +2.30.2 + diff --git a/queue-4.14/pinctrl-samsung-fix-pinctrl-bank-pin-count.patch b/queue-4.14/pinctrl-samsung-fix-pinctrl-bank-pin-count.patch new file mode 100644 index 00000000000..2b410ad3577 --- /dev/null +++ b/queue-4.14/pinctrl-samsung-fix-pinctrl-bank-pin-count.patch @@ -0,0 +1,42 @@ +From 7a3d9a4a9746fcdd309b92d54cf8b91cef1ec2df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jul 2021 22:29:05 +0300 +Subject: pinctrl: samsung: Fix pinctrl bank pin count + +From: Jaehyoung Choi + +[ Upstream commit 70115558ab02fe8d28a6634350b3491a542aaa02 ] + +Commit 1abd18d1a51a ("pinctrl: samsung: Register pinctrl before GPIO") +changes the order of GPIO and pinctrl registration: now pinctrl is +registered before GPIO. That means gpio_chip->ngpio is not set when +samsung_pinctrl_register() called, and one cannot rely on that value +anymore. Use `pin_bank->nr_pins' instead of `pin_bank->gpio_chip.ngpio' +to fix mentioned inconsistency. + +Fixes: 1abd18d1a51a ("pinctrl: samsung: Register pinctrl before GPIO") +Signed-off-by: Jaehyoung Choi +Signed-off-by: Sam Protsenko +Link: https://lore.kernel.org/r/20210730192905.7173-1-semen.protsenko@linaro.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/samsung/pinctrl-samsung.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/samsung/pinctrl-samsung.c b/drivers/pinctrl/samsung/pinctrl-samsung.c +index 7c0f5d4e89f3..ab04d4c4941d 100644 +--- a/drivers/pinctrl/samsung/pinctrl-samsung.c ++++ b/drivers/pinctrl/samsung/pinctrl-samsung.c +@@ -891,7 +891,7 @@ static int samsung_pinctrl_register(struct platform_device *pdev, + pin_bank->grange.pin_base = drvdata->pin_base + + pin_bank->pin_base; + pin_bank->grange.base = pin_bank->grange.pin_base; +- pin_bank->grange.npins = pin_bank->gpio_chip.ngpio; ++ pin_bank->grange.npins = pin_bank->nr_pins; + pin_bank->grange.gc = &pin_bank->gpio_chip; + pinctrl_add_gpio_range(drvdata->pctl_dev, &pin_bank->grange); + } +-- +2.30.2 + diff --git a/queue-4.14/pinctrl-single-fix-error-return-code-in-pcs_parse_bi.patch b/queue-4.14/pinctrl-single-fix-error-return-code-in-pcs_parse_bi.patch new file mode 100644 index 00000000000..b1b005b2566 --- /dev/null +++ b/queue-4.14/pinctrl-single-fix-error-return-code-in-pcs_parse_bi.patch @@ -0,0 +1,38 @@ +From 6ace0dc39c3d3b72cf63603ea6329e504aab47ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jul 2021 11:39:29 +0800 +Subject: pinctrl: single: Fix error return code in + pcs_parse_bits_in_pinctrl_entry() + +From: Zhen Lei + +[ Upstream commit d789a490d32fdf0465275e3607f8a3bc87d3f3ba ] + +Fix to return -ENOTSUPP instead of 0 when PCS_HAS_PINCONF is true, which +is the same as that returned in pcs_parse_pinconf(). + +Fixes: 4e7e8017a80e ("pinctrl: pinctrl-single: enhance to configure multiple pins of different modules") +Reported-by: Hulk Robot +Signed-off-by: Zhen Lei +Link: https://lore.kernel.org/r/20210722033930.4034-2-thunder.leizhen@huawei.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-single.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pinctrl/pinctrl-single.c b/drivers/pinctrl/pinctrl-single.c +index f751b5c3bf7e..e33972c3a420 100644 +--- a/drivers/pinctrl/pinctrl-single.c ++++ b/drivers/pinctrl/pinctrl-single.c +@@ -1161,6 +1161,7 @@ static int pcs_parse_bits_in_pinctrl_entry(struct pcs_device *pcs, + + if (PCS_HAS_PINCONF) { + dev_err(pcs->dev, "pinconf not supported\n"); ++ res = -ENOTSUPP; + goto free_pingroups; + } + +-- +2.30.2 + diff --git a/queue-4.14/rdma-iwcm-release-resources-if-iw_cm-module-initiali.patch b/queue-4.14/rdma-iwcm-release-resources-if-iw_cm-module-initiali.patch new file mode 100644 index 00000000000..ac75c8dfc29 --- /dev/null +++ b/queue-4.14/rdma-iwcm-release-resources-if-iw_cm-module-initiali.patch @@ -0,0 +1,72 @@ +From e28b95a963cb0e9726189a6e3f2db9cd7a4771fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Jul 2021 17:08:55 +0300 +Subject: RDMA/iwcm: Release resources if iw_cm module initialization fails + +From: Leon Romanovsky + +[ Upstream commit e677b72a0647249370f2635862bf0241c86f66ad ] + +The failure during iw_cm module initialization partially left the system +with unreleased memory and other resources. Rewrite the module init/exit +routines in such way that netlink commands will be opened only after +successful initialization. + +Fixes: b493d91d333e ("iwcm: common code for port mapper") +Link: https://lore.kernel.org/r/b01239f99cb1a3e6d2b0694c242d89e6410bcd93.1627048781.git.leonro@nvidia.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/iwcm.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +diff --git a/drivers/infiniband/core/iwcm.c b/drivers/infiniband/core/iwcm.c +index 16b0c10348e8..66204e08ce5a 100644 +--- a/drivers/infiniband/core/iwcm.c ++++ b/drivers/infiniband/core/iwcm.c +@@ -1176,29 +1176,34 @@ static int __init iw_cm_init(void) + + ret = iwpm_init(RDMA_NL_IWCM); + if (ret) +- pr_err("iw_cm: couldn't init iwpm\n"); +- else +- rdma_nl_register(RDMA_NL_IWCM, iwcm_nl_cb_table); ++ return ret; ++ + iwcm_wq = alloc_ordered_workqueue("iw_cm_wq", 0); + if (!iwcm_wq) +- return -ENOMEM; ++ goto err_alloc; + + iwcm_ctl_table_hdr = register_net_sysctl(&init_net, "net/iw_cm", + iwcm_ctl_table); + if (!iwcm_ctl_table_hdr) { + pr_err("iw_cm: couldn't register sysctl paths\n"); +- destroy_workqueue(iwcm_wq); +- return -ENOMEM; ++ goto err_sysctl; + } + ++ rdma_nl_register(RDMA_NL_IWCM, iwcm_nl_cb_table); + return 0; ++ ++err_sysctl: ++ destroy_workqueue(iwcm_wq); ++err_alloc: ++ iwpm_exit(RDMA_NL_IWCM); ++ return -ENOMEM; + } + + static void __exit iw_cm_cleanup(void) + { ++ rdma_nl_unregister(RDMA_NL_IWCM); + unregister_net_sysctl_table(iwcm_ctl_table_hdr); + destroy_workqueue(iwcm_wq); +- rdma_nl_unregister(RDMA_NL_IWCM); + iwpm_exit(RDMA_NL_IWCM); + } + +-- +2.30.2 + diff --git a/queue-4.14/revert-usb-xhci-fix-u1-u2-handling-for-hardware-with.patch b/queue-4.14/revert-usb-xhci-fix-u1-u2-handling-for-hardware-with.patch new file mode 100644 index 00000000000..7ac72379714 --- /dev/null +++ b/queue-4.14/revert-usb-xhci-fix-u1-u2-handling-for-hardware-with.patch @@ -0,0 +1,96 @@ +From 75509f85c2f53b6bbaa91d3f98d1e14520a85b32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Aug 2021 15:35:01 +0300 +Subject: Revert "USB: xhci: fix U1/U2 handling for hardware with + XHCI_INTEL_HOST quirk set" + +From: Mathias Nyman + +[ Upstream commit 2847c46c61486fd8bca9136a6e27177212e78c69 ] + +This reverts commit 5d5323a6f3625f101dbfa94ba3ef7706cce38760. + +That commit effectively disabled Intel host initiated U1/U2 lpm for devices +with periodic endpoints. + +Before that commit we disabled host initiated U1/U2 lpm if the exit latency +was larger than any periodic endpoint service interval, this is according +to xhci spec xhci 1.1 specification section 4.23.5.2 + +After that commit we incorrectly checked that service interval was smaller +than U1/U2 inactivity timeout. This is not relevant, and can't happen for +Intel hosts as previously set U1/U2 timeout = 105% * service interval. + +Patch claimed it solved cases where devices can't be enumerated because of +bandwidth issues. This might be true but it's a side effect of accidentally +turning off lpm. + +exit latency calculations have been revised since then + +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20210820123503.2605901-5-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c +index 3cab64f2e861..e4a82da434c2 100644 +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -4400,19 +4400,19 @@ static u16 xhci_calculate_u1_timeout(struct xhci_hcd *xhci, + { + unsigned long long timeout_ns; + +- if (xhci->quirks & XHCI_INTEL_HOST) +- timeout_ns = xhci_calculate_intel_u1_timeout(udev, desc); +- else +- timeout_ns = udev->u1_params.sel; +- + /* Prevent U1 if service interval is shorter than U1 exit latency */ + if (usb_endpoint_xfer_int(desc) || usb_endpoint_xfer_isoc(desc)) { +- if (xhci_service_interval_to_ns(desc) <= timeout_ns) { ++ if (xhci_service_interval_to_ns(desc) <= udev->u1_params.mel) { + dev_dbg(&udev->dev, "Disable U1, ESIT shorter than exit latency\n"); + return USB3_LPM_DISABLED; + } + } + ++ if (xhci->quirks & XHCI_INTEL_HOST) ++ timeout_ns = xhci_calculate_intel_u1_timeout(udev, desc); ++ else ++ timeout_ns = udev->u1_params.sel; ++ + /* The U1 timeout is encoded in 1us intervals. + * Don't return a timeout of zero, because that's USB3_LPM_DISABLED. + */ +@@ -4464,19 +4464,19 @@ static u16 xhci_calculate_u2_timeout(struct xhci_hcd *xhci, + { + unsigned long long timeout_ns; + +- if (xhci->quirks & XHCI_INTEL_HOST) +- timeout_ns = xhci_calculate_intel_u2_timeout(udev, desc); +- else +- timeout_ns = udev->u2_params.sel; +- + /* Prevent U2 if service interval is shorter than U2 exit latency */ + if (usb_endpoint_xfer_int(desc) || usb_endpoint_xfer_isoc(desc)) { +- if (xhci_service_interval_to_ns(desc) <= timeout_ns) { ++ if (xhci_service_interval_to_ns(desc) <= udev->u2_params.mel) { + dev_dbg(&udev->dev, "Disable U2, ESIT shorter than exit latency\n"); + return USB3_LPM_DISABLED; + } + } + ++ if (xhci->quirks & XHCI_INTEL_HOST) ++ timeout_ns = xhci_calculate_intel_u2_timeout(udev, desc); ++ else ++ timeout_ns = udev->u2_params.sel; ++ + /* The U2 timeout is encoded in 256us intervals */ + timeout_ns = DIV_ROUND_UP_ULL(timeout_ns, 256 * 1000); + /* If the necessary timeout value is bigger than what we can set in the +-- +2.30.2 + diff --git a/queue-4.14/rpc-fix-gss_svc_init-cleanup-on-failure.patch b/queue-4.14/rpc-fix-gss_svc_init-cleanup-on-failure.patch new file mode 100644 index 00000000000..159bafc4cdf --- /dev/null +++ b/queue-4.14/rpc-fix-gss_svc_init-cleanup-on-failure.patch @@ -0,0 +1,34 @@ +From 549240b55bed4d3433af10461a7659c4dc39a886 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Aug 2021 16:41:42 -0400 +Subject: rpc: fix gss_svc_init cleanup on failure + +From: J. Bruce Fields + +[ Upstream commit 5a4753446253a427c0ff1e433b9c4933e5af207c ] + +The failure case here should be rare, but it's obviously wrong. + +Signed-off-by: J. Bruce Fields +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + net/sunrpc/auth_gss/svcauth_gss.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c +index 27dfd85830d8..4f41a1bc59bf 100644 +--- a/net/sunrpc/auth_gss/svcauth_gss.c ++++ b/net/sunrpc/auth_gss/svcauth_gss.c +@@ -1861,7 +1861,7 @@ gss_svc_init_net(struct net *net) + goto out2; + return 0; + out2: +- destroy_use_gss_proxy_proc_entry(net); ++ rsi_cache_destroy_net(net); + out1: + rsc_cache_destroy_net(net); + return rv; +-- +2.30.2 + diff --git a/queue-4.14/s390-jump_label-print-real-address-in-a-case-of-a-ju.patch b/queue-4.14/s390-jump_label-print-real-address-in-a-case-of-a-ju.patch new file mode 100644 index 00000000000..4cd5bede75d --- /dev/null +++ b/queue-4.14/s390-jump_label-print-real-address-in-a-case-of-a-ju.patch @@ -0,0 +1,35 @@ +From 9d58b3559d467ca72a96382bc9c7f16f4aa5ec1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jul 2021 19:26:01 +0200 +Subject: s390/jump_label: print real address in a case of a jump label bug + +From: Heiko Carstens + +[ Upstream commit 5492886c14744d239e87f1b0b774b5a341e755cc ] + +In case of a jump label print the real address of the piece of code +where a mismatch was detected. This is right before the system panics, +so there is nothing revealed. + +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/jump_label.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/s390/kernel/jump_label.c b/arch/s390/kernel/jump_label.c +index 43f8430fb67d..608b363cd35b 100644 +--- a/arch/s390/kernel/jump_label.c ++++ b/arch/s390/kernel/jump_label.c +@@ -43,7 +43,7 @@ static void jump_label_bug(struct jump_entry *entry, struct insn *expected, + unsigned char *ipe = (unsigned char *)expected; + unsigned char *ipn = (unsigned char *)new; + +- pr_emerg("Jump label code mismatch at %pS [%p]\n", ipc, ipc); ++ pr_emerg("Jump label code mismatch at %pS [%px]\n", ipc, ipc); + pr_emerg("Found: %6ph\n", ipc); + pr_emerg("Expected: %6ph\n", ipe); + pr_emerg("New: %6ph\n", ipn); +-- +2.30.2 + diff --git a/queue-4.14/scsi-qedi-fix-error-codes-in-qedi_alloc_global_queue.patch b/queue-4.14/scsi-qedi-fix-error-codes-in-qedi_alloc_global_queue.patch new file mode 100644 index 00000000000..0f44c67cd45 --- /dev/null +++ b/queue-4.14/scsi-qedi-fix-error-codes-in-qedi_alloc_global_queue.patch @@ -0,0 +1,82 @@ +From 6fbc1b2b61ff2afe04953354637c661cea1aa33e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Aug 2021 11:47:53 +0300 +Subject: scsi: qedi: Fix error codes in qedi_alloc_global_queues() + +From: Dan Carpenter + +[ Upstream commit 4dbe57d46d54a847875fa33e7d05877bb341585e ] + +This function had some left over code that returned 1 on error instead +negative error codes. Convert everything to use negative error codes. The +caller treats all non-zero returns the same so this does not affect run +time. + +A couple places set "rc" instead of "status" so those error paths ended up +returning success by mistake. Get rid of the "rc" variable and use +"status" everywhere. + +Remove the bogus "status = 0" initialization, as a future proofing measure +so the compiler will warn about uninitialized error codes. + +Link: https://lore.kernel.org/r/20210810084753.GD23810@kili +Fixes: ace7f46ba5fd ("scsi: qedi: Add QLogic FastLinQ offload iSCSI driver framework.") +Acked-by: Manish Rangankar +Signed-off-by: Dan Carpenter +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qedi/qedi_main.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/scsi/qedi/qedi_main.c b/drivers/scsi/qedi/qedi_main.c +index 06958a192a5b..09f57ef35990 100644 +--- a/drivers/scsi/qedi/qedi_main.c ++++ b/drivers/scsi/qedi/qedi_main.c +@@ -1302,7 +1302,7 @@ static int qedi_alloc_global_queues(struct qedi_ctx *qedi) + { + u32 *list; + int i; +- int status = 0, rc; ++ int status; + u32 *pbl; + dma_addr_t page; + int num_pages; +@@ -1313,14 +1313,14 @@ static int qedi_alloc_global_queues(struct qedi_ctx *qedi) + */ + if (!qedi->num_queues) { + QEDI_ERR(&qedi->dbg_ctx, "No MSI-X vectors available!\n"); +- return 1; ++ return -ENOMEM; + } + + /* Make sure we allocated the PBL that will contain the physical + * addresses of our queues + */ + if (!qedi->p_cpuq) { +- status = 1; ++ status = -EINVAL; + goto mem_alloc_failure; + } + +@@ -1335,13 +1335,13 @@ static int qedi_alloc_global_queues(struct qedi_ctx *qedi) + "qedi->global_queues=%p.\n", qedi->global_queues); + + /* Allocate DMA coherent buffers for BDQ */ +- rc = qedi_alloc_bdq(qedi); +- if (rc) ++ status = qedi_alloc_bdq(qedi); ++ if (status) + goto mem_alloc_failure; + + /* Allocate DMA coherent buffers for NVM_ISCSI_CFG */ +- rc = qedi_alloc_nvm_iscsi_cfg(qedi); +- if (rc) ++ status = qedi_alloc_nvm_iscsi_cfg(qedi); ++ if (status) + goto mem_alloc_failure; + + /* Allocate a CQ and an associated PBL for each MSI-X +-- +2.30.2 + diff --git a/queue-4.14/selftests-bpf-enlarge-select-timeout-for-test_maps.patch b/queue-4.14/selftests-bpf-enlarge-select-timeout-for-test_maps.patch new file mode 100644 index 00000000000..b5347eb9e48 --- /dev/null +++ b/queue-4.14/selftests-bpf-enlarge-select-timeout-for-test_maps.patch @@ -0,0 +1,57 @@ +From 84e5141cdc21b6ab808377bfb60bca2f78ccdd63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Aug 2021 09:55:53 +0800 +Subject: selftests/bpf: Enlarge select() timeout for test_maps + +From: Li Zhijian + +[ Upstream commit 2d82d73da35b72b53fe0d96350a2b8d929d07e42 ] + +0Day robot observed that it's easily timeout on a heavy load host. +------------------- + # selftests: bpf: test_maps + # Fork 1024 tasks to 'test_update_delete' + # Fork 1024 tasks to 'test_update_delete' + # Fork 100 tasks to 'test_hashmap' + # Fork 100 tasks to 'test_hashmap_percpu' + # Fork 100 tasks to 'test_hashmap_sizes' + # Fork 100 tasks to 'test_hashmap_walk' + # Fork 100 tasks to 'test_arraymap' + # Fork 100 tasks to 'test_arraymap_percpu' + # Failed sockmap unexpected timeout + not ok 3 selftests: bpf: test_maps # exit=1 + # selftests: bpf: test_lru_map + # nr_cpus:8 +------------------- +Since this test will be scheduled by 0Day to a random host that could have +only a few cpus(2-8), enlarge the timeout to avoid a false NG report. + +In practice, i tried to pin it to only one cpu by 'taskset 0x01 ./test_maps', +and knew 10S is likely enough, but i still perfer to a larger value 30. + +Reported-by: kernel test robot +Signed-off-by: Li Zhijian +Signed-off-by: Alexei Starovoitov +Acked-by: Song Liu +Link: https://lore.kernel.org/bpf/20210820015556.23276-2-lizhijian@cn.fujitsu.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/test_maps.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/bpf/test_maps.c b/tools/testing/selftests/bpf/test_maps.c +index 96c6238a4a1f..3f503ad37a2b 100644 +--- a/tools/testing/selftests/bpf/test_maps.c ++++ b/tools/testing/selftests/bpf/test_maps.c +@@ -730,7 +730,7 @@ static void test_sockmap(int tasks, void *data) + + FD_ZERO(&w); + FD_SET(sfd[3], &w); +- to.tv_sec = 1; ++ to.tv_sec = 30; + to.tv_usec = 0; + s = select(sfd[3] + 1, &w, NULL, NULL, &to); + if (s == -1) { +-- +2.30.2 + diff --git a/queue-4.14/serial-8250-define-rx-trigger-levels-for-oxsemi-950-.patch b/queue-4.14/serial-8250-define-rx-trigger-levels-for-oxsemi-950-.patch new file mode 100644 index 00000000000..7ef9b6d9db9 --- /dev/null +++ b/queue-4.14/serial-8250-define-rx-trigger-levels-for-oxsemi-950-.patch @@ -0,0 +1,75 @@ +From ac2731d89da21ea1b744f1da181e9d8bf734d185 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Jun 2021 06:11:51 +0200 +Subject: serial: 8250: Define RX trigger levels for OxSemi 950 devices + +From: Maciej W. Rozycki + +[ Upstream commit d7aff291d069c4418285f3c8ee27b0ff67ce5998 ] + +Oxford Semiconductor 950 serial port devices have a 128-byte FIFO and in +the enhanced (650) mode, which we select in `autoconfig_has_efr' with +the ECB bit set in the EFR register, they support the receive interrupt +trigger level selectable with FCR bits 7:6 from the set of 16, 32, 112, +120. This applies to the original OX16C950 discrete UART[1] as well as +950 cores embedded into more complex devices. + +For these devices we set the default to 112, which sets an excessively +high level of 112 or 7/8 of the FIFO capacity, unlike with other port +types where we choose at most 1/2 of their respective FIFO capacities. +Additionally we don't make the trigger level configurable. Consequently +frequent input overruns happen with high bit rates where hardware flow +control cannot be used (e.g. terminal applications) even with otherwise +highly-performant systems. + +Lower the default receive interrupt trigger level to 32 then, and make +it configurable. Document the trigger levels along with other port +types, including the set of 16, 32, 64, 112 for the transmit interrupt +as well[2]. + +References: + +[1] "OX16C950 rev B High Performance UART with 128 byte FIFOs", Oxford + Semiconductor, Inc., DS-0031, Sep 05, Table 10: "Receiver Trigger + Levels", p. 22 + +[2] same, Table 9: "Transmit Interrupt Trigger Levels", p. 22 + +Signed-off-by: Maciej W. Rozycki +Link: https://lore.kernel.org/r/alpine.DEB.2.21.2106260608480.37803@angie.orcam.me.uk +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/8250/8250_port.c | 3 ++- + include/uapi/linux/serial_reg.h | 1 + + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c +index 20f58e9da2fb..7ac6bb38948f 100644 +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -136,7 +136,8 @@ static const struct serial8250_config uart_config[] = { + .name = "16C950/954", + .fifo_size = 128, + .tx_loadsz = 128, +- .fcr = UART_FCR_ENABLE_FIFO | UART_FCR_R_TRIG_10, ++ .fcr = UART_FCR_ENABLE_FIFO | UART_FCR_R_TRIG_01, ++ .rxtrig_bytes = {16, 32, 112, 120}, + /* UART_CAP_EFR breaks billionon CF bluetooth card. */ + .flags = UART_CAP_FIFO | UART_CAP_SLEEP, + }, +diff --git a/include/uapi/linux/serial_reg.h b/include/uapi/linux/serial_reg.h +index 619fe6111dc9..a31ae32161f3 100644 +--- a/include/uapi/linux/serial_reg.h ++++ b/include/uapi/linux/serial_reg.h +@@ -62,6 +62,7 @@ + * ST16C654: 8 16 56 60 8 16 32 56 PORT_16654 + * TI16C750: 1 16 32 56 xx xx xx xx PORT_16750 + * TI16C752: 8 16 56 60 8 16 32 56 ++ * OX16C950: 16 32 112 120 16 32 64 112 PORT_16C950 + * Tegra: 1 4 8 14 16 8 4 1 PORT_TEGRA + */ + #define UART_FCR_R_TRIG_00 0x00 +-- +2.30.2 + diff --git a/queue-4.14/serial-8250_pci-make-setup_port-parameters-explicitl.patch b/queue-4.14/serial-8250_pci-make-setup_port-parameters-explicitl.patch new file mode 100644 index 00000000000..e5bc6845b86 --- /dev/null +++ b/queue-4.14/serial-8250_pci-make-setup_port-parameters-explicitl.patch @@ -0,0 +1,39 @@ +From fde236aa4ba10dc91a3a71e046bc7acef1642895 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jul 2021 15:07:17 +0200 +Subject: serial: 8250_pci: make setup_port() parameters explicitly unsigned + +From: Greg Kroah-Hartman + +[ Upstream commit 3a96e97ab4e835078e6f27b7e1c0947814df3841 ] + +The bar and offset parameters to setup_port() are used in pointer math, +and while it would be very difficult to get them to wrap as a negative +number, just be "safe" and make them unsigned so that static checkers do +not trip over them unintentionally. + +Cc: Jiri Slaby +Reported-by: Jordy Zomer +Link: https://lore.kernel.org/r/20210726130717.2052096-1-gregkh@linuxfoundation.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/8250/8250_pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/8250/8250_pci.c b/drivers/tty/serial/8250/8250_pci.c +index 071ee37399b7..72015cc7b33f 100644 +--- a/drivers/tty/serial/8250/8250_pci.c ++++ b/drivers/tty/serial/8250/8250_pci.c +@@ -73,7 +73,7 @@ static void moan_device(const char *str, struct pci_dev *dev) + + static int + setup_port(struct serial_private *priv, struct uart_8250_port *port, +- int bar, int offset, int regshift) ++ u8 bar, unsigned int offset, int regshift) + { + struct pci_dev *dev = priv->dev; + +-- +2.30.2 + diff --git a/queue-4.14/series b/queue-4.14/series index 6c42c51330d..325d3e51167 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -121,3 +121,67 @@ pci-return-0-data-on-pciconfig_read-cap_sys_admin-failure.patch pci-xilinx-nwl-enable-the-clock-through-ccf.patch pci-aardvark-increase-polling-delay-to-1.5s-while-waiting-for-pio-response.patch pci-aardvark-fix-masking-and-unmasking-legacy-intx-interrupts.patch +hid-input-do-not-report-stylus-battery-state-as-full.patch +rdma-iwcm-release-resources-if-iw_cm-module-initiali.patch +docs-fix-infiniband-uverbs-minor-number.patch +pinctrl-samsung-fix-pinctrl-bank-pin-count.patch +vfio-use-config-not-menuconfig-for-vfio_noiommu.patch +openrisc-don-t-printk-unconditionally.patch +pinctrl-single-fix-error-return-code-in-pcs_parse_bi.patch +scsi-qedi-fix-error-codes-in-qedi_alloc_global_queue.patch +mips-malta-fix-alignment-of-the-devicetree-buffer.patch +media-dib8000-rewrite-the-init-prbs-logic.patch +crypto-mxs-dcp-use-sg_mapping_iter-to-copy-data.patch +pci-use-pci_update_current_state-in-pci_enable_devic.patch +iio-dac-ad5624r-fix-incorrect-handling-of-an-optiona.patch +arm-dts-qcom-apq8064-correct-clock-names.patch +video-fbdev-kyro-fix-a-dos-bug-by-restricting-user-i.patch +netlink-deal-with-esrch-error-in-nlmsg_notify.patch +smack-fix-wrong-semantics-in-smk_access_entry.patch +usb-host-fotg210-fix-the-endpoint-s-transactional-op.patch +usb-host-fotg210-fix-the-actual_length-of-an-iso-pac.patch +usb-gadget-u_ether-fix-a-potential-null-pointer-dere.patch +usb-gadget-composite-allow-bmaxpower-0-if-self-power.patch +staging-board-fix-uninitialized-spinlock-when-attach.patch +tty-serial-jsm-hold-port-lock-when-reporting-modem-l.patch +bpf-tests-fix-copy-and-paste-error-in-double-word-te.patch +bpf-tests-do-not-pass-tests-without-actually-testing.patch +video-fbdev-asiliantfb-error-out-if-pixclock-equals-.patch +video-fbdev-kyro-error-out-if-pixclock-equals-zero.patch +video-fbdev-riva-error-out-if-pixclock-equals-zero.patch +ipv4-ip_output.c-fix-out-of-bounds-warning-in-ip_cop.patch +flow_dissector-fix-out-of-bounds-warnings.patch +s390-jump_label-print-real-address-in-a-case-of-a-ju.patch +serial-8250-define-rx-trigger-levels-for-oxsemi-950-.patch +xtensa-iss-don-t-panic-in-rs_init.patch +hvsi-don-t-panic-on-tty_register_driver-failure.patch +serial-8250_pci-make-setup_port-parameters-explicitl.patch +staging-ks7010-fix-the-initialization-of-the-sleep_s.patch +ata-sata_dwc_460ex-no-need-to-call-phy_exit-befre-ph.patch +bluetooth-skip-invalid-hci_sync_conn_complete_evt.patch +asoc-intel-bytcr_rt5640-move-platform-clock-routes-t.patch +bpf-fix-off-by-one-in-tail-call-count-limiting.patch +media-v4l2-dv-timings.c-fix-wrong-condition-in-two-f.patch +arm64-dts-qcom-sdm660-use-reg-value-for-memory-node.patch +net-ethernet-stmmac-do-not-use-unreachable-in-ipq806.patch +bluetooth-avoid-circular-locks-in-sco_sock_connect.patch +gpu-drm-amd-amdgpu-amdgpu_i2c-fix-possible-uninitial.patch +arm-tegra-tamonten-fix-uart-pad-setting.patch +rpc-fix-gss_svc_init-cleanup-on-failure.patch +staging-rts5208-fix-get_ms_information-heap-buffer-s.patch +gfs2-don-t-call-dlm-after-protocol-is-unmounted.patch +mmc-sdhci-of-arasan-check-return-value-of-non-void-f.patch +mmc-rtsx_pci-fix-long-reads-when-clock-is-prescaled.patch +selftests-bpf-enlarge-select-timeout-for-test_maps.patch +cifs-fix-wrong-release-in-sess_alloc_buffer-failed-p.patch +revert-usb-xhci-fix-u1-u2-handling-for-hardware-with.patch +usb-musb-musb_dsps-request_irq-after-initializing-mu.patch +usbip-give-back-urbs-for-unsent-unlink-requests-duri.patch +usbip-vhci_hcd-usb-port-can-get-stuck-in-the-disable.patch +asoc-rockchip-i2s-fix-regmap_ops-hang.patch +asoc-rockchip-i2s-fixup-config-for-daifmt_dsp_a-b.patch +parport-remove-non-zero-check-on-count.patch +ath9k-fix-oob-read-ar9300_eeprom_restore_internal.patch +ath9k-fix-sleeping-in-atomic-context.patch +net-fix-null-pointer-reference-in-cipso_v4_doi_free.patch +net-w5100-check-return-value-after-calling-platform_.patch diff --git a/queue-4.14/smack-fix-wrong-semantics-in-smk_access_entry.patch b/queue-4.14/smack-fix-wrong-semantics-in-smk_access_entry.patch new file mode 100644 index 00000000000..3ecd639b280 --- /dev/null +++ b/queue-4.14/smack-fix-wrong-semantics-in-smk_access_entry.patch @@ -0,0 +1,60 @@ +From fc3c5b32e062b42aae48ebf68918be78934574d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jul 2021 17:17:24 +0800 +Subject: Smack: Fix wrong semantics in smk_access_entry() + +From: Tianjia Zhang + +[ Upstream commit 6d14f5c7028eea70760df284057fe198ce7778dd ] + +In the smk_access_entry() function, if no matching rule is found +in the rust_list, a negative error code will be used to perform bit +operations with the MAY_ enumeration value. This is semantically +wrong. This patch fixes this issue. + +Signed-off-by: Tianjia Zhang +Signed-off-by: Casey Schaufler +Signed-off-by: Sasha Levin +--- + security/smack/smack_access.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c +index a9c20821a726..c8e82d6a12b5 100644 +--- a/security/smack/smack_access.c ++++ b/security/smack/smack_access.c +@@ -85,23 +85,22 @@ int log_policy = SMACK_AUDIT_DENIED; + int smk_access_entry(char *subject_label, char *object_label, + struct list_head *rule_list) + { +- int may = -ENOENT; + struct smack_rule *srp; + + list_for_each_entry_rcu(srp, rule_list, list) { + if (srp->smk_object->smk_known == object_label && + srp->smk_subject->smk_known == subject_label) { +- may = srp->smk_access; +- break; ++ int may = srp->smk_access; ++ /* ++ * MAY_WRITE implies MAY_LOCK. ++ */ ++ if ((may & MAY_WRITE) == MAY_WRITE) ++ may |= MAY_LOCK; ++ return may; + } + } + +- /* +- * MAY_WRITE implies MAY_LOCK. +- */ +- if ((may & MAY_WRITE) == MAY_WRITE) +- may |= MAY_LOCK; +- return may; ++ return -ENOENT; + } + + /** +-- +2.30.2 + diff --git a/queue-4.14/staging-board-fix-uninitialized-spinlock-when-attach.patch b/queue-4.14/staging-board-fix-uninitialized-spinlock-when-attach.patch new file mode 100644 index 00000000000..c8df3bcc600 --- /dev/null +++ b/queue-4.14/staging-board-fix-uninitialized-spinlock-when-attach.patch @@ -0,0 +1,67 @@ +From 9ab07f3346d51c9107b58dcb980111de1f1fdf39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jul 2021 12:13:46 +0200 +Subject: staging: board: Fix uninitialized spinlock when attaching genpd + +From: Geert Uytterhoeven + +[ Upstream commit df00609821bf17f50a75a446266d19adb8339d84 ] + +On Armadillo-800-EVA with CONFIG_DEBUG_SPINLOCK=y: + + BUG: spinlock bad magic on CPU#0, swapper/1 + lock: lcdc0_device+0x10c/0x308, .magic: 00000000, .owner: /-1, .owner_cpu: 0 + CPU: 0 PID: 1 Comm: swapper Not tainted 5.11.0-rc5-armadillo-00036-gbbca04be7a80-dirty #287 + Hardware name: Generic R8A7740 (Flattened Device Tree) + [] (unwind_backtrace) from [] (show_stack+0x10/0x14) + [] (show_stack) from [] (do_raw_spin_lock+0x20/0x94) + [] (do_raw_spin_lock) from [] (dev_pm_get_subsys_data+0x8c/0x11c) + [] (dev_pm_get_subsys_data) from [] (genpd_add_device+0x78/0x2b8) + [] (genpd_add_device) from [] (of_genpd_add_device+0x34/0x4c) + [] (of_genpd_add_device) from [] (board_staging_register_device+0x11c/0x148) + [] (board_staging_register_device) from [] (board_staging_register_devices+0x24/0x28) + +of_genpd_add_device() is called before platform_device_register(), as it +needs to attach the genpd before the device is probed. But the spinlock +is only initialized when the device is registered. + +Fix this by open-coding the spinlock initialization, cfr. +device_pm_init_common() in the internal drivers/base code, and in the +SuperH early platform code. + +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/57783ece7ddae55f2bda2f59f452180bff744ea0.1626257398.git.geert+renesas@glider.be +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/board/board.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/staging/board/board.c b/drivers/staging/board/board.c +index 86dc41101610..1e2b33912a8a 100644 +--- a/drivers/staging/board/board.c ++++ b/drivers/staging/board/board.c +@@ -139,6 +139,7 @@ int __init board_staging_register_clock(const struct board_staging_clk *bsc) + static int board_staging_add_dev_domain(struct platform_device *pdev, + const char *domain) + { ++ struct device *dev = &pdev->dev; + struct of_phandle_args pd_args; + struct device_node *np; + +@@ -151,7 +152,11 @@ static int board_staging_add_dev_domain(struct platform_device *pdev, + pd_args.np = np; + pd_args.args_count = 0; + +- return of_genpd_add_device(&pd_args, &pdev->dev); ++ /* Initialization similar to device_pm_init_common() */ ++ spin_lock_init(&dev->power.lock); ++ dev->power.early_init = true; ++ ++ return of_genpd_add_device(&pd_args, dev); + } + #else + static inline int board_staging_add_dev_domain(struct platform_device *pdev, +-- +2.30.2 + diff --git a/queue-4.14/staging-ks7010-fix-the-initialization-of-the-sleep_s.patch b/queue-4.14/staging-ks7010-fix-the-initialization-of-the-sleep_s.patch new file mode 100644 index 00000000000..96640d130aa --- /dev/null +++ b/queue-4.14/staging-ks7010-fix-the-initialization-of-the-sleep_s.patch @@ -0,0 +1,39 @@ +From 3008a3b1c2efa40a3c8b398b5a70b23954913456 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jul 2021 10:45:11 +0200 +Subject: staging: ks7010: Fix the initialization of the 'sleep_status' + structure + +From: Christophe JAILLET + +[ Upstream commit 56315e55119c0ea57e142b6efb7c31208628ad86 ] + +'sleep_status' has 3 atomic_t members. Initialize the 3 of them instead of +initializing only 2 of them and setting 0 twice to the same variable. + +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/d2e52a33a9beab41879551d0ae2fdfc99970adab.1626856991.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/ks7010/ks7010_sdio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/staging/ks7010/ks7010_sdio.c b/drivers/staging/ks7010/ks7010_sdio.c +index 8cfdff198334..84a5b6ebfd07 100644 +--- a/drivers/staging/ks7010/ks7010_sdio.c ++++ b/drivers/staging/ks7010/ks7010_sdio.c +@@ -904,9 +904,9 @@ static int ks7010_sdio_probe(struct sdio_func *func, + memset(&priv->wstats, 0, sizeof(priv->wstats)); + + /* sleep mode */ ++ atomic_set(&priv->sleepstatus.status, 0); + atomic_set(&priv->sleepstatus.doze_request, 0); + atomic_set(&priv->sleepstatus.wakeup_request, 0); +- atomic_set(&priv->sleepstatus.wakeup_request, 0); + + trx_device_init(priv); + hostif_init(priv); +-- +2.30.2 + diff --git a/queue-4.14/staging-rts5208-fix-get_ms_information-heap-buffer-s.patch b/queue-4.14/staging-rts5208-fix-get_ms_information-heap-buffer-s.patch new file mode 100644 index 00000000000..2c5d22fedd4 --- /dev/null +++ b/queue-4.14/staging-rts5208-fix-get_ms_information-heap-buffer-s.patch @@ -0,0 +1,84 @@ +From d52f46fc54d821e371e2c9b6d31df6de9ce61222 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Aug 2021 21:42:52 -0700 +Subject: staging: rts5208: Fix get_ms_information() heap buffer size + +From: Kees Cook + +[ Upstream commit cbe34165cc1b7d1110b268ba8b9f30843c941639 ] + +Fix buf allocation size (it needs to be 2 bytes larger). Found when +__alloc_size() annotations were added to kmalloc() interfaces. + +In file included from ./include/linux/string.h:253, + from ./include/linux/bitmap.h:10, + from ./include/linux/cpumask.h:12, + from ./arch/x86/include/asm/paravirt.h:17, + from ./arch/x86/include/asm/irqflags.h:63, + from ./include/linux/irqflags.h:16, + from ./include/linux/rcupdate.h:26, + from ./include/linux/rculist.h:11, + from ./include/linux/pid.h:5, + from ./include/linux/sched.h:14, + from ./include/linux/blkdev.h:5, + from drivers/staging/rts5208/rtsx_scsi.c:12: +In function 'get_ms_information', + inlined from 'ms_sp_cmnd' at drivers/staging/rts5208/rtsx_scsi.c:2877:12, + inlined from 'rtsx_scsi_handler' at drivers/staging/rts5208/rtsx_scsi.c:3247:12: +./include/linux/fortify-string.h:54:29: warning: '__builtin_memcpy' forming offset [106, 107] is out + of the bounds [0, 106] [-Warray-bounds] + 54 | #define __underlying_memcpy __builtin_memcpy + | ^ +./include/linux/fortify-string.h:417:2: note: in expansion of macro '__underlying_memcpy' + 417 | __underlying_##op(p, q, __fortify_size); \ + | ^~~~~~~~~~~~~ +./include/linux/fortify-string.h:463:26: note: in expansion of macro '__fortify_memcpy_chk' + 463 | #define memcpy(p, q, s) __fortify_memcpy_chk(p, q, s, \ + | ^~~~~~~~~~~~~~~~~~~~ +drivers/staging/rts5208/rtsx_scsi.c:2851:3: note: in expansion of macro 'memcpy' + 2851 | memcpy(buf + i, ms_card->raw_sys_info, 96); + | ^~~~~~ + +Cc: Greg Kroah-Hartman +Cc: linux-staging@lists.linux.dev +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20210818044252.1533634-1-keescook@chromium.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/rts5208/rtsx_scsi.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +diff --git a/drivers/staging/rts5208/rtsx_scsi.c b/drivers/staging/rts5208/rtsx_scsi.c +index a401b13f5f5e..c46ac0e5e852 100644 +--- a/drivers/staging/rts5208/rtsx_scsi.c ++++ b/drivers/staging/rts5208/rtsx_scsi.c +@@ -3026,10 +3026,10 @@ static int get_ms_information(struct scsi_cmnd *srb, struct rtsx_chip *chip) + } + + if (dev_info_id == 0x15) { +- buf_len = 0x3A; ++ buf_len = 0x3C; + data_len = 0x3A; + } else { +- buf_len = 0x6A; ++ buf_len = 0x6C; + data_len = 0x6A; + } + +@@ -3081,11 +3081,7 @@ static int get_ms_information(struct scsi_cmnd *srb, struct rtsx_chip *chip) + } + + rtsx_stor_set_xfer_buf(buf, buf_len, srb); +- +- if (dev_info_id == 0x15) +- scsi_set_resid(srb, scsi_bufflen(srb) - 0x3C); +- else +- scsi_set_resid(srb, scsi_bufflen(srb) - 0x6C); ++ scsi_set_resid(srb, scsi_bufflen(srb) - buf_len); + + kfree(buf); + return STATUS_SUCCESS; +-- +2.30.2 + diff --git a/queue-4.14/tty-serial-jsm-hold-port-lock-when-reporting-modem-l.patch b/queue-4.14/tty-serial-jsm-hold-port-lock-when-reporting-modem-l.patch new file mode 100644 index 00000000000..49156c6ceb6 --- /dev/null +++ b/queue-4.14/tty-serial-jsm-hold-port-lock-when-reporting-modem-l.patch @@ -0,0 +1,86 @@ +From 3e7fa54d263e8b06043a035cad0e53051449dac2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jul 2021 05:53:23 +0000 +Subject: tty: serial: jsm: hold port lock when reporting modem line changes + +From: Zheyu Ma + +[ Upstream commit 240e126c28df084222f0b661321e8e3ecb0d232e ] + +uart_handle_dcd_change() requires a port lock to be held and will emit a +warning when lockdep is enabled. + +Held corresponding lock to fix the following warnings. + +[ 132.528648] WARNING: CPU: 5 PID: 11600 at drivers/tty/serial/serial_core.c:3046 uart_handle_dcd_change+0xf4/0x120 +[ 132.530482] Modules linked in: +[ 132.531050] CPU: 5 PID: 11600 Comm: jsm Not tainted 5.14.0-rc1-00003-g7fef2edf7cc7-dirty #31 +[ 132.535268] RIP: 0010:uart_handle_dcd_change+0xf4/0x120 +[ 132.557100] Call Trace: +[ 132.557562] ? __free_pages+0x83/0xb0 +[ 132.558213] neo_parse_modem+0x156/0x220 +[ 132.558897] neo_param+0x399/0x840 +[ 132.559495] jsm_tty_open+0x12f/0x2d0 +[ 132.560131] uart_startup.part.18+0x153/0x340 +[ 132.560888] ? lock_is_held_type+0xe9/0x140 +[ 132.561660] uart_port_activate+0x7f/0xe0 +[ 132.562351] ? uart_startup.part.18+0x340/0x340 +[ 132.563003] tty_port_open+0x8d/0xf0 +[ 132.563523] ? uart_set_options+0x1e0/0x1e0 +[ 132.564125] uart_open+0x24/0x40 +[ 132.564604] tty_open+0x15c/0x630 + +Signed-off-by: Zheyu Ma +Link: https://lore.kernel.org/r/1626242003-3809-1-git-send-email-zheyuma97@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/jsm/jsm_neo.c | 2 ++ + drivers/tty/serial/jsm/jsm_tty.c | 3 +++ + 2 files changed, 5 insertions(+) + +diff --git a/drivers/tty/serial/jsm/jsm_neo.c b/drivers/tty/serial/jsm/jsm_neo.c +index c6fdd6369534..96e01bf4599c 100644 +--- a/drivers/tty/serial/jsm/jsm_neo.c ++++ b/drivers/tty/serial/jsm/jsm_neo.c +@@ -827,7 +827,9 @@ static void neo_parse_isr(struct jsm_board *brd, u32 port) + /* Parse any modem signal changes */ + jsm_dbg(INTR, &ch->ch_bd->pci_dev, + "MOD_STAT: sending to parse_modem_sigs\n"); ++ spin_lock_irqsave(&ch->uart_port.lock, lock_flags); + neo_parse_modem(ch, readb(&ch->ch_neo_uart->msr)); ++ spin_unlock_irqrestore(&ch->uart_port.lock, lock_flags); + } + } + +diff --git a/drivers/tty/serial/jsm/jsm_tty.c b/drivers/tty/serial/jsm/jsm_tty.c +index ec7d8383900f..7c790ff6b511 100644 +--- a/drivers/tty/serial/jsm/jsm_tty.c ++++ b/drivers/tty/serial/jsm/jsm_tty.c +@@ -195,6 +195,7 @@ static void jsm_tty_break(struct uart_port *port, int break_state) + + static int jsm_tty_open(struct uart_port *port) + { ++ unsigned long lock_flags; + struct jsm_board *brd; + struct jsm_channel *channel = + container_of(port, struct jsm_channel, uart_port); +@@ -248,6 +249,7 @@ static int jsm_tty_open(struct uart_port *port) + channel->ch_cached_lsr = 0; + channel->ch_stops_sent = 0; + ++ spin_lock_irqsave(&port->lock, lock_flags); + termios = &port->state->port.tty->termios; + channel->ch_c_cflag = termios->c_cflag; + channel->ch_c_iflag = termios->c_iflag; +@@ -267,6 +269,7 @@ static int jsm_tty_open(struct uart_port *port) + jsm_carrier(channel); + + channel->ch_open_count++; ++ spin_unlock_irqrestore(&port->lock, lock_flags); + + jsm_dbg(OPEN, &channel->ch_bd->pci_dev, "finish\n"); + return 0; +-- +2.30.2 + diff --git a/queue-4.14/usb-gadget-composite-allow-bmaxpower-0-if-self-power.patch b/queue-4.14/usb-gadget-composite-allow-bmaxpower-0-if-self-power.patch new file mode 100644 index 00000000000..3dc2244f15f --- /dev/null +++ b/queue-4.14/usb-gadget-composite-allow-bmaxpower-0-if-self-power.patch @@ -0,0 +1,69 @@ +From b51d1c5213bb3df4b07a7a0a21089df1162446be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jul 2021 01:09:07 -0700 +Subject: usb: gadget: composite: Allow bMaxPower=0 if self-powered + +From: Jack Pham + +[ Upstream commit bcacbf06c891374e7fdd7b72d11cda03b0269b43 ] + +Currently the composite driver encodes the MaxPower field of +the configuration descriptor by reading the c->MaxPower of the +usb_configuration only if it is non-zero, otherwise it falls back +to using the value hard-coded in CONFIG_USB_GADGET_VBUS_DRAW. +However, there are cases when a configuration must explicitly set +bMaxPower to 0, particularly if its bmAttributes also has the +Self-Powered bit set, which is a valid combination. + +This is specifically called out in the USB PD specification section +9.1, in which a PDUSB device "shall report zero in the bMaxPower +field after negotiating a mutually agreeable Contract", and also +verified by the USB Type-C Functional Test TD.4.10.2 Sink Power +Precedence Test. + +The fix allows the c->MaxPower to be used for encoding the bMaxPower +even if it is 0, if the self-powered bit is also set. An example +usage of this would be for a ConfigFS gadget to be dynamically +updated by userspace when the Type-C connection is determined to be +operating in Power Delivery mode. + +Co-developed-by: Ronak Vijay Raheja +Acked-by: Felipe Balbi +Signed-off-by: Ronak Vijay Raheja +Signed-off-by: Jack Pham +Link: https://lore.kernel.org/r/20210720080907.30292-1-jackp@codeaurora.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/composite.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c +index 6696fdd97530..49806837b98b 100644 +--- a/drivers/usb/gadget/composite.c ++++ b/drivers/usb/gadget/composite.c +@@ -484,7 +484,7 @@ static u8 encode_bMaxPower(enum usb_device_speed speed, + { + unsigned val; + +- if (c->MaxPower) ++ if (c->MaxPower || (c->bmAttributes & USB_CONFIG_ATT_SELFPOWER)) + val = c->MaxPower; + else + val = CONFIG_USB_GADGET_VBUS_DRAW; +@@ -894,7 +894,11 @@ static int set_config(struct usb_composite_dev *cdev, + } + + /* when we return, be sure our power usage is valid */ +- power = c->MaxPower ? c->MaxPower : CONFIG_USB_GADGET_VBUS_DRAW; ++ if (c->MaxPower || (c->bmAttributes & USB_CONFIG_ATT_SELFPOWER)) ++ power = c->MaxPower; ++ else ++ power = CONFIG_USB_GADGET_VBUS_DRAW; ++ + if (gadget->speed < USB_SPEED_SUPER) + power = min(power, 500U); + else +-- +2.30.2 + diff --git a/queue-4.14/usb-gadget-u_ether-fix-a-potential-null-pointer-dere.patch b/queue-4.14/usb-gadget-u_ether-fix-a-potential-null-pointer-dere.patch new file mode 100644 index 00000000000..9b1975f09cd --- /dev/null +++ b/queue-4.14/usb-gadget-u_ether-fix-a-potential-null-pointer-dere.patch @@ -0,0 +1,57 @@ +From 00eb5eb41524007279d6e0e7779c535938177442 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jul 2021 04:48:34 -0700 +Subject: usb: gadget: u_ether: fix a potential null pointer dereference +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Żenczykowski + +[ Upstream commit 8ae01239609b29ec2eff55967c8e0fe3650cfa09 ] + +f_ncm tx timeout can call us with null skb to flush +a pending frame. In this case skb is NULL to begin +with but ceases to be null after dev->wrap() completes. + +In such a case in->maxpacket will be read, even though +we've failed to check that 'in' is not NULL. + +Though I've never observed this fail in practice, +however the 'flush operation' simply does not make sense with +a null usb IN endpoint - there's nowhere to flush to... +(note that we're the gadget/device, and IN is from the point + of view of the host, so here IN actually means outbound...) + +Cc: Brooke Basile +Cc: "Bryan O'Donoghue" +Cc: Felipe Balbi +Cc: Greg Kroah-Hartman +Cc: Lorenzo Colitti +Signed-off-by: Maciej Żenczykowski +Link: https://lore.kernel.org/r/20210701114834.884597-6-zenczykowski@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/u_ether.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c +index 989682cc8686..38a35f57b22c 100644 +--- a/drivers/usb/gadget/function/u_ether.c ++++ b/drivers/usb/gadget/function/u_ether.c +@@ -495,8 +495,9 @@ static netdev_tx_t eth_start_xmit(struct sk_buff *skb, + } + spin_unlock_irqrestore(&dev->lock, flags); + +- if (skb && !in) { +- dev_kfree_skb_any(skb); ++ if (!in) { ++ if (skb) ++ dev_kfree_skb_any(skb); + return NETDEV_TX_OK; + } + +-- +2.30.2 + diff --git a/queue-4.14/usb-host-fotg210-fix-the-actual_length-of-an-iso-pac.patch b/queue-4.14/usb-host-fotg210-fix-the-actual_length-of-an-iso-pac.patch new file mode 100644 index 00000000000..f66a70f97ae --- /dev/null +++ b/queue-4.14/usb-host-fotg210-fix-the-actual_length-of-an-iso-pac.patch @@ -0,0 +1,60 @@ +From 75d1f1085820660f3c712ca23c963de0fbe7b4ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Jun 2021 20:57:47 +0800 +Subject: usb: host: fotg210: fix the actual_length of an iso packet + +From: Kelly Devilliv + +[ Upstream commit 091cb2f782f32ab68c6f5f326d7868683d3d4875 ] + +We should acquire the actual_length of an iso packet +from the iTD directly using FOTG210_ITD_LENGTH() macro. + +Signed-off-by: Kelly Devilliv +Link: https://lore.kernel.org/r/20210627125747.127646-4-kelly.devilliv@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/fotg210-hcd.c | 5 ++--- + drivers/usb/host/fotg210.h | 5 ----- + 2 files changed, 2 insertions(+), 8 deletions(-) + +diff --git a/drivers/usb/host/fotg210-hcd.c b/drivers/usb/host/fotg210-hcd.c +index 849816ab5b77..3008d692000a 100644 +--- a/drivers/usb/host/fotg210-hcd.c ++++ b/drivers/usb/host/fotg210-hcd.c +@@ -4487,13 +4487,12 @@ static bool itd_complete(struct fotg210_hcd *fotg210, struct fotg210_itd *itd) + + /* HC need not update length with this error */ + if (!(t & FOTG210_ISOC_BABBLE)) { +- desc->actual_length = +- fotg210_itdlen(urb, desc, t); ++ desc->actual_length = FOTG210_ITD_LENGTH(t); + urb->actual_length += desc->actual_length; + } + } else if (likely((t & FOTG210_ISOC_ACTIVE) == 0)) { + desc->status = 0; +- desc->actual_length = fotg210_itdlen(urb, desc, t); ++ desc->actual_length = FOTG210_ITD_LENGTH(t); + urb->actual_length += desc->actual_length; + } else { + /* URB was too late */ +diff --git a/drivers/usb/host/fotg210.h b/drivers/usb/host/fotg210.h +index 7fcd785c7bc8..0f1da9503bc6 100644 +--- a/drivers/usb/host/fotg210.h ++++ b/drivers/usb/host/fotg210.h +@@ -683,11 +683,6 @@ static inline unsigned fotg210_read_frame_index(struct fotg210_hcd *fotg210) + return fotg210_readl(fotg210, &fotg210->regs->frame_index); + } + +-#define fotg210_itdlen(urb, desc, t) ({ \ +- usb_pipein((urb)->pipe) ? \ +- (desc)->length - FOTG210_ITD_LENGTH(t) : \ +- FOTG210_ITD_LENGTH(t); \ +-}) + /*-------------------------------------------------------------------------*/ + + #endif /* __LINUX_FOTG210_H */ +-- +2.30.2 + diff --git a/queue-4.14/usb-host-fotg210-fix-the-endpoint-s-transactional-op.patch b/queue-4.14/usb-host-fotg210-fix-the-endpoint-s-transactional-op.patch new file mode 100644 index 00000000000..fced951f808 --- /dev/null +++ b/queue-4.14/usb-host-fotg210-fix-the-endpoint-s-transactional-op.patch @@ -0,0 +1,143 @@ +From 3f458ccef0ed7e6fc03556fceca36f9a974575fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Jun 2021 20:57:46 +0800 +Subject: usb: host: fotg210: fix the endpoint's transactional opportunities + calculation + +From: Kelly Devilliv + +[ Upstream commit c2e898764245c852bc8ee4857613ba4f3a6d761d ] + +Now that usb_endpoint_maxp() only returns the lowest +11 bits from wMaxPacketSize, we should make use of the +usb_endpoint_* helpers instead and remove the unnecessary +max_packet()/hb_mult() macro. + +Signed-off-by: Kelly Devilliv +Link: https://lore.kernel.org/r/20210627125747.127646-3-kelly.devilliv@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/fotg210-hcd.c | 36 ++++++++++++++++------------------ + 1 file changed, 17 insertions(+), 19 deletions(-) + +diff --git a/drivers/usb/host/fotg210-hcd.c b/drivers/usb/host/fotg210-hcd.c +index bbe1ea00d887..849816ab5b77 100644 +--- a/drivers/usb/host/fotg210-hcd.c ++++ b/drivers/usb/host/fotg210-hcd.c +@@ -2536,11 +2536,6 @@ static unsigned qh_completions(struct fotg210_hcd *fotg210, + return count; + } + +-/* high bandwidth multiplier, as encoded in highspeed endpoint descriptors */ +-#define hb_mult(wMaxPacketSize) (1 + (((wMaxPacketSize) >> 11) & 0x03)) +-/* ... and packet size, for any kind of endpoint descriptor */ +-#define max_packet(wMaxPacketSize) ((wMaxPacketSize) & 0x07ff) +- + /* reverse of qh_urb_transaction: free a list of TDs. + * used for cleanup after errors, before HC sees an URB's TDs. + */ +@@ -2626,7 +2621,7 @@ static struct list_head *qh_urb_transaction(struct fotg210_hcd *fotg210, + token |= (1 /* "in" */ << 8); + /* else it's already initted to "out" pid (0 << 8) */ + +- maxpacket = max_packet(usb_maxpacket(urb->dev, urb->pipe, !is_input)); ++ maxpacket = usb_maxpacket(urb->dev, urb->pipe, !is_input); + + /* + * buffer gets wrapped in one or more qtds; +@@ -2740,9 +2735,11 @@ static struct fotg210_qh *qh_make(struct fotg210_hcd *fotg210, struct urb *urb, + gfp_t flags) + { + struct fotg210_qh *qh = fotg210_qh_alloc(fotg210, flags); ++ struct usb_host_endpoint *ep; + u32 info1 = 0, info2 = 0; + int is_input, type; + int maxp = 0; ++ int mult; + struct usb_tt *tt = urb->dev->tt; + struct fotg210_qh_hw *hw; + +@@ -2757,14 +2754,15 @@ static struct fotg210_qh *qh_make(struct fotg210_hcd *fotg210, struct urb *urb, + + is_input = usb_pipein(urb->pipe); + type = usb_pipetype(urb->pipe); +- maxp = usb_maxpacket(urb->dev, urb->pipe, !is_input); ++ ep = usb_pipe_endpoint(urb->dev, urb->pipe); ++ maxp = usb_endpoint_maxp(&ep->desc); ++ mult = usb_endpoint_maxp_mult(&ep->desc); + + /* 1024 byte maxpacket is a hardware ceiling. High bandwidth + * acts like up to 3KB, but is built from smaller packets. + */ +- if (max_packet(maxp) > 1024) { +- fotg210_dbg(fotg210, "bogus qh maxpacket %d\n", +- max_packet(maxp)); ++ if (maxp > 1024) { ++ fotg210_dbg(fotg210, "bogus qh maxpacket %d\n", maxp); + goto done; + } + +@@ -2778,8 +2776,7 @@ static struct fotg210_qh *qh_make(struct fotg210_hcd *fotg210, struct urb *urb, + */ + if (type == PIPE_INTERRUPT) { + qh->usecs = NS_TO_US(usb_calc_bus_time(USB_SPEED_HIGH, +- is_input, 0, +- hb_mult(maxp) * max_packet(maxp))); ++ is_input, 0, mult * maxp)); + qh->start = NO_FRAME; + + if (urb->dev->speed == USB_SPEED_HIGH) { +@@ -2816,7 +2813,7 @@ static struct fotg210_qh *qh_make(struct fotg210_hcd *fotg210, struct urb *urb, + think_time = tt ? tt->think_time : 0; + qh->tt_usecs = NS_TO_US(think_time + + usb_calc_bus_time(urb->dev->speed, +- is_input, 0, max_packet(maxp))); ++ is_input, 0, maxp)); + qh->period = urb->interval; + if (qh->period > fotg210->periodic_size) { + qh->period = fotg210->periodic_size; +@@ -2879,11 +2876,11 @@ static struct fotg210_qh *qh_make(struct fotg210_hcd *fotg210, struct urb *urb, + * to help them do so. So now people expect to use + * such nonconformant devices with Linux too; sigh. + */ +- info1 |= max_packet(maxp) << 16; ++ info1 |= maxp << 16; + info2 |= (FOTG210_TUNE_MULT_HS << 30); + } else { /* PIPE_INTERRUPT */ +- info1 |= max_packet(maxp) << 16; +- info2 |= hb_mult(maxp) << 30; ++ info1 |= maxp << 16; ++ info2 |= mult << 30; + } + break; + default: +@@ -3953,6 +3950,7 @@ static void iso_stream_init(struct fotg210_hcd *fotg210, + int is_input; + long bandwidth; + unsigned multi; ++ struct usb_host_endpoint *ep; + + /* + * this might be a "high bandwidth" highspeed endpoint, +@@ -3960,14 +3958,14 @@ static void iso_stream_init(struct fotg210_hcd *fotg210, + */ + epnum = usb_pipeendpoint(pipe); + is_input = usb_pipein(pipe) ? USB_DIR_IN : 0; +- maxp = usb_maxpacket(dev, pipe, !is_input); ++ ep = usb_pipe_endpoint(dev, pipe); ++ maxp = usb_endpoint_maxp(&ep->desc); + if (is_input) + buf1 = (1 << 11); + else + buf1 = 0; + +- maxp = max_packet(maxp); +- multi = hb_mult(maxp); ++ multi = usb_endpoint_maxp_mult(&ep->desc); + buf1 |= maxp; + maxp *= multi; + +-- +2.30.2 + diff --git a/queue-4.14/usb-musb-musb_dsps-request_irq-after-initializing-mu.patch b/queue-4.14/usb-musb-musb_dsps-request_irq-after-initializing-mu.patch new file mode 100644 index 00000000000..7b47824db93 --- /dev/null +++ b/queue-4.14/usb-musb-musb_dsps-request_irq-after-initializing-mu.patch @@ -0,0 +1,63 @@ +From e59c9204af34300f5f3c2136dff874a8f3fd0266 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Aug 2021 19:33:23 +0300 +Subject: usb: musb: musb_dsps: request_irq() after initializing musb + +From: Nadezda Lutovinova + +[ Upstream commit 7c75bde329d7e2a93cf86a5c15c61f96f1446cdc ] + +If IRQ occurs between calling dsps_setup_optional_vbus_irq() +and dsps_create_musb_pdev(), then null pointer dereference occurs +since glue->musb wasn't initialized yet. + +The patch puts initializing of neccesery data before registration +of the interrupt handler. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Nadezda Lutovinova +Link: https://lore.kernel.org/r/20210819163323.17714-1-lutovinova@ispras.ru +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/musb/musb_dsps.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/drivers/usb/musb/musb_dsps.c b/drivers/usb/musb/musb_dsps.c +index b7d460adaa61..a582c3847dc2 100644 +--- a/drivers/usb/musb/musb_dsps.c ++++ b/drivers/usb/musb/musb_dsps.c +@@ -930,23 +930,22 @@ static int dsps_probe(struct platform_device *pdev) + if (!glue->usbss_base) + return -ENXIO; + +- if (usb_get_dr_mode(&pdev->dev) == USB_DR_MODE_PERIPHERAL) { +- ret = dsps_setup_optional_vbus_irq(pdev, glue); +- if (ret) +- goto err_iounmap; +- } +- + platform_set_drvdata(pdev, glue); + pm_runtime_enable(&pdev->dev); + ret = dsps_create_musb_pdev(glue, pdev); + if (ret) + goto err; + ++ if (usb_get_dr_mode(&pdev->dev) == USB_DR_MODE_PERIPHERAL) { ++ ret = dsps_setup_optional_vbus_irq(pdev, glue); ++ if (ret) ++ goto err; ++ } ++ + return 0; + + err: + pm_runtime_disable(&pdev->dev); +-err_iounmap: + iounmap(glue->usbss_base); + return ret; + } +-- +2.30.2 + diff --git a/queue-4.14/usbip-give-back-urbs-for-unsent-unlink-requests-duri.patch b/queue-4.14/usbip-give-back-urbs-for-unsent-unlink-requests-duri.patch new file mode 100644 index 00000000000..834814a57ed --- /dev/null +++ b/queue-4.14/usbip-give-back-urbs-for-unsent-unlink-requests-duri.patch @@ -0,0 +1,71 @@ +From 3450b2be521000f7514f053654775012028b934d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Aug 2021 00:31:21 +0530 +Subject: usbip: give back URBs for unsent unlink requests during cleanup + +From: Anirudh Rayabharam + +[ Upstream commit 258c81b341c8025d79073ce2d6ce19dcdc7d10d2 ] + +In vhci_device_unlink_cleanup(), the URBs for unsent unlink requests are +not given back. This sometimes causes usb_kill_urb to wait indefinitely +for that urb to be given back. syzbot has reported a hung task issue [1] +for this. + +To fix this, give back the urbs corresponding to unsent unlink requests +(unlink_tx list) similar to how urbs corresponding to unanswered unlink +requests (unlink_rx list) are given back. + +[1]: https://syzkaller.appspot.com/bug?id=08f12df95ae7da69814e64eb5515d5a85ed06b76 + +Reported-by: syzbot+74d6ef051d3d2eacf428@syzkaller.appspotmail.com +Tested-by: syzbot+74d6ef051d3d2eacf428@syzkaller.appspotmail.com +Reviewed-by: Shuah Khan +Signed-off-by: Anirudh Rayabharam +Link: https://lore.kernel.org/r/20210820190122.16379-2-mail@anirudhrb.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/usbip/vhci_hcd.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c +index 9833f307d70e..709214df2c18 100644 +--- a/drivers/usb/usbip/vhci_hcd.c ++++ b/drivers/usb/usbip/vhci_hcd.c +@@ -971,8 +971,32 @@ static void vhci_device_unlink_cleanup(struct vhci_device *vdev) + spin_lock(&vdev->priv_lock); + + list_for_each_entry_safe(unlink, tmp, &vdev->unlink_tx, list) { ++ struct urb *urb; ++ ++ /* give back urb of unsent unlink request */ + pr_info("unlink cleanup tx %lu\n", unlink->unlink_seqnum); ++ ++ urb = pickup_urb_and_free_priv(vdev, unlink->unlink_seqnum); ++ if (!urb) { ++ list_del(&unlink->list); ++ kfree(unlink); ++ continue; ++ } ++ ++ urb->status = -ENODEV; ++ ++ usb_hcd_unlink_urb_from_ep(hcd, urb); ++ + list_del(&unlink->list); ++ ++ spin_unlock(&vdev->priv_lock); ++ spin_unlock_irqrestore(&vhci->lock, flags); ++ ++ usb_hcd_giveback_urb(hcd, urb, urb->status); ++ ++ spin_lock_irqsave(&vhci->lock, flags); ++ spin_lock(&vdev->priv_lock); ++ + kfree(unlink); + } + +-- +2.30.2 + diff --git a/queue-4.14/usbip-vhci_hcd-usb-port-can-get-stuck-in-the-disable.patch b/queue-4.14/usbip-vhci_hcd-usb-port-can-get-stuck-in-the-disable.patch new file mode 100644 index 00000000000..88c40dd4b96 --- /dev/null +++ b/queue-4.14/usbip-vhci_hcd-usb-port-can-get-stuck-in-the-disable.patch @@ -0,0 +1,58 @@ +From f8d2c408b97d70191d8153fdd4346614224e93f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Aug 2021 16:59:37 -0600 +Subject: usbip:vhci_hcd USB port can get stuck in the disabled state + +From: Shuah Khan + +[ Upstream commit 66cce9e73ec61967ed1f97f30cee79bd9a2bb7ee ] + +When a remote usb device is attached to the local Virtual USB +Host Controller Root Hub port, the bound device driver may send +a port reset command. + +vhci_hcd accepts port resets only when the device doesn't have +port address assigned to it. When reset happens device is in +assigned/used state and vhci_hcd rejects it leaving the port in +a stuck state. + +This problem was found when a blue-tooth or xbox wireless dongle +was passed through using usbip. + +A few drivers reset the port during probe including mt76 driver +specific to this bug report. Fix the problem with a change to +honor reset requests when device is in used state (VDEV_ST_USED). + +Reported-and-tested-by: Michael +Suggested-by: Michael +Signed-off-by: Shuah Khan +Link: https://lore.kernel.org/r/20210819225937.41037-1-skhan@linuxfoundation.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/usbip/vhci_hcd.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c +index 709214df2c18..22e8cda7a137 100644 +--- a/drivers/usb/usbip/vhci_hcd.c ++++ b/drivers/usb/usbip/vhci_hcd.c +@@ -469,8 +469,14 @@ static int vhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue, + vhci_hcd->port_status[rhport] &= ~(1 << USB_PORT_FEAT_RESET); + vhci_hcd->re_timeout = 0; + ++ /* ++ * A few drivers do usb reset during probe when ++ * the device could be in VDEV_ST_USED state ++ */ + if (vhci_hcd->vdev[rhport].ud.status == +- VDEV_ST_NOTASSIGNED) { ++ VDEV_ST_NOTASSIGNED || ++ vhci_hcd->vdev[rhport].ud.status == ++ VDEV_ST_USED) { + usbip_dbg_vhci_rh( + " enable rhport %d (status %u)\n", + rhport, +-- +2.30.2 + diff --git a/queue-4.14/vfio-use-config-not-menuconfig-for-vfio_noiommu.patch b/queue-4.14/vfio-use-config-not-menuconfig-for-vfio_noiommu.patch new file mode 100644 index 00000000000..cd935e5e085 --- /dev/null +++ b/queue-4.14/vfio-use-config-not-menuconfig-for-vfio_noiommu.patch @@ -0,0 +1,38 @@ +From ff6738296ddefa0ace8e7d7b9fe1b54ea99bef67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jul 2021 15:39:12 -0300 +Subject: vfio: Use config not menuconfig for VFIO_NOIOMMU + +From: Jason Gunthorpe + +[ Upstream commit 26c22cfde5dd6e63f25c48458b0185dcb0fbb2fd ] + +VFIO_NOIOMMU is supposed to be an element in the VFIO menu, not start +a new menu. Correct this copy-paste mistake. + +Fixes: 03a76b60f8ba ("vfio: Include No-IOMMU mode") +Signed-off-by: Jason Gunthorpe +Reviewed-by: Cornelia Huck +Link: https://lore.kernel.org/r/0-v1-3f0b685c3679+478-vfio_menuconfig_jgg@nvidia.com +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/vfio/Kconfig b/drivers/vfio/Kconfig +index c84333eb5eb5..b7765271d0fb 100644 +--- a/drivers/vfio/Kconfig ++++ b/drivers/vfio/Kconfig +@@ -29,7 +29,7 @@ menuconfig VFIO + + If you don't know what to do here, say N. + +-menuconfig VFIO_NOIOMMU ++config VFIO_NOIOMMU + bool "VFIO No-IOMMU support" + depends on VFIO + help +-- +2.30.2 + diff --git a/queue-4.14/video-fbdev-asiliantfb-error-out-if-pixclock-equals-.patch b/queue-4.14/video-fbdev-asiliantfb-error-out-if-pixclock-equals-.patch new file mode 100644 index 00000000000..c228bed1f33 --- /dev/null +++ b/queue-4.14/video-fbdev-asiliantfb-error-out-if-pixclock-equals-.patch @@ -0,0 +1,63 @@ +From ebd7638a3f74ec7ededb1ab9c7ccc52fde89f41e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jul 2021 10:03:53 +0000 +Subject: video: fbdev: asiliantfb: Error out if 'pixclock' equals zero + +From: Zheyu Ma + +[ Upstream commit b36b242d4b8ea178f7fd038965e3cac7f30c3f09 ] + +The userspace program could pass any values to the driver through +ioctl() interface. If the driver doesn't check the value of 'pixclock', +it may cause divide error. + +Fix this by checking whether 'pixclock' is zero first. + +The following log reveals it: + +[ 43.861711] divide error: 0000 [#1] PREEMPT SMP KASAN PTI +[ 43.861737] CPU: 2 PID: 11764 Comm: i740 Not tainted 5.14.0-rc2-00513-gac532c9bbcfb-dirty #224 +[ 43.861756] RIP: 0010:asiliantfb_check_var+0x4e/0x730 +[ 43.861843] Call Trace: +[ 43.861848] ? asiliantfb_remove+0x190/0x190 +[ 43.861858] fb_set_var+0x2e4/0xeb0 +[ 43.861866] ? fb_blank+0x1a0/0x1a0 +[ 43.861873] ? lock_acquire+0x1ef/0x530 +[ 43.861884] ? lock_release+0x810/0x810 +[ 43.861892] ? lock_is_held_type+0x100/0x140 +[ 43.861903] ? ___might_sleep+0x1ee/0x2d0 +[ 43.861914] ? __mutex_lock+0x620/0x1190 +[ 43.861921] ? do_fb_ioctl+0x313/0x700 +[ 43.861929] ? mutex_lock_io_nested+0xfa0/0xfa0 +[ 43.861936] ? __this_cpu_preempt_check+0x1d/0x30 +[ 43.861944] ? _raw_spin_unlock_irqrestore+0x46/0x60 +[ 43.861952] ? lockdep_hardirqs_on+0x59/0x100 +[ 43.861959] ? _raw_spin_unlock_irqrestore+0x46/0x60 +[ 43.861967] ? trace_hardirqs_on+0x6a/0x1c0 +[ 43.861978] do_fb_ioctl+0x31e/0x700 + +Signed-off-by: Zheyu Ma +Signed-off-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/1627293835-17441-2-git-send-email-zheyuma97@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/asiliantfb.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/video/fbdev/asiliantfb.c b/drivers/video/fbdev/asiliantfb.c +index ea31054a28ca..c1d6e6336225 100644 +--- a/drivers/video/fbdev/asiliantfb.c ++++ b/drivers/video/fbdev/asiliantfb.c +@@ -227,6 +227,9 @@ static int asiliantfb_check_var(struct fb_var_screeninfo *var, + { + unsigned long Ftarget, ratio, remainder; + ++ if (!var->pixclock) ++ return -EINVAL; ++ + ratio = 1000000 / var->pixclock; + remainder = 1000000 % var->pixclock; + Ftarget = 1000000 * ratio + (1000000 * remainder) / var->pixclock; +-- +2.30.2 + diff --git a/queue-4.14/video-fbdev-kyro-error-out-if-pixclock-equals-zero.patch b/queue-4.14/video-fbdev-kyro-error-out-if-pixclock-equals-zero.patch new file mode 100644 index 00000000000..d3a5be8509b --- /dev/null +++ b/queue-4.14/video-fbdev-kyro-error-out-if-pixclock-equals-zero.patch @@ -0,0 +1,71 @@ +From dd1cc2b72ce3ba4d3d82444c0cfba0ab01285c95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jul 2021 10:03:54 +0000 +Subject: video: fbdev: kyro: Error out if 'pixclock' equals zero + +From: Zheyu Ma + +[ Upstream commit 1520b4b7ba964f8eec2e7dd14c571d50de3e5191 ] + +The userspace program could pass any values to the driver through +ioctl() interface. if the driver doesn't check the value of 'pixclock', +it may cause divide error because the value of 'lineclock' and +'frameclock' will be zero. + +Fix this by checking whether 'pixclock' is zero in kyrofb_check_var(). + +The following log reveals it: + +[ 103.073930] divide error: 0000 [#1] PREEMPT SMP KASAN PTI +[ 103.073942] CPU: 4 PID: 12483 Comm: syz-executor Not tainted 5.14.0-rc2-00478-g2734d6c1b1a0-dirty #118 +[ 103.073959] RIP: 0010:kyrofb_set_par+0x316/0xc80 +[ 103.074045] Call Trace: +[ 103.074048] ? ___might_sleep+0x1ee/0x2d0 +[ 103.074060] ? kyrofb_ioctl+0x330/0x330 +[ 103.074069] fb_set_var+0x5bf/0xeb0 +[ 103.074078] ? fb_blank+0x1a0/0x1a0 +[ 103.074085] ? lock_acquire+0x3bd/0x530 +[ 103.074094] ? lock_release+0x810/0x810 +[ 103.074103] ? ___might_sleep+0x1ee/0x2d0 +[ 103.074114] ? __mutex_lock+0x620/0x1190 +[ 103.074126] ? trace_hardirqs_on+0x6a/0x1c0 +[ 103.074137] do_fb_ioctl+0x31e/0x700 +[ 103.074144] ? fb_getput_cmap+0x280/0x280 +[ 103.074152] ? rcu_read_lock_sched_held+0x11/0x80 +[ 103.074162] ? rcu_read_lock_sched_held+0x11/0x80 +[ 103.074171] ? __sanitizer_cov_trace_switch+0x67/0xf0 +[ 103.074181] ? __sanitizer_cov_trace_const_cmp2+0x20/0x80 +[ 103.074191] ? do_vfs_ioctl+0x14b/0x16c0 +[ 103.074199] ? vfs_fileattr_set+0xb60/0xb60 +[ 103.074207] ? rcu_read_lock_sched_held+0x11/0x80 +[ 103.074216] ? lock_release+0x483/0x810 +[ 103.074224] ? __fget_files+0x217/0x3d0 +[ 103.074234] ? __fget_files+0x239/0x3d0 +[ 103.074243] ? do_fb_ioctl+0x700/0x700 +[ 103.074250] fb_ioctl+0xe6/0x130 + +Signed-off-by: Zheyu Ma +Signed-off-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/1627293835-17441-3-git-send-email-zheyuma97@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/kyro/fbdev.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/video/fbdev/kyro/fbdev.c b/drivers/video/fbdev/kyro/fbdev.c +index d7aa431e6846..74bf26b527b9 100644 +--- a/drivers/video/fbdev/kyro/fbdev.c ++++ b/drivers/video/fbdev/kyro/fbdev.c +@@ -399,6 +399,9 @@ static int kyrofb_check_var(struct fb_var_screeninfo *var, struct fb_info *info) + { + struct kyrofb_info *par = info->par; + ++ if (!var->pixclock) ++ return -EINVAL; ++ + if (var->bits_per_pixel != 16 && var->bits_per_pixel != 32) { + printk(KERN_WARNING "kyrofb: depth not supported: %u\n", var->bits_per_pixel); + return -EINVAL; +-- +2.30.2 + diff --git a/queue-4.14/video-fbdev-kyro-fix-a-dos-bug-by-restricting-user-i.patch b/queue-4.14/video-fbdev-kyro-fix-a-dos-bug-by-restricting-user-i.patch new file mode 100644 index 00000000000..36c21e71d16 --- /dev/null +++ b/queue-4.14/video-fbdev-kyro-fix-a-dos-bug-by-restricting-user-i.patch @@ -0,0 +1,55 @@ +From 0d07bdbf4e398710d524158c2a81ffa301f20eed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jul 2021 04:09:22 +0000 +Subject: video: fbdev: kyro: fix a DoS bug by restricting user input + +From: Zheyu Ma + +[ Upstream commit 98a65439172dc69cb16834e62e852afc2adb83ed ] + +The user can pass in any value to the driver through the 'ioctl' +interface. The driver dost not check, which may cause DoS bugs. + +The following log reveals it: + +divide error: 0000 [#1] PREEMPT SMP KASAN PTI +RIP: 0010:SetOverlayViewPort+0x133/0x5f0 drivers/video/fbdev/kyro/STG4000OverlayDevice.c:476 +Call Trace: + kyro_dev_overlay_viewport_set drivers/video/fbdev/kyro/fbdev.c:378 [inline] + kyrofb_ioctl+0x2eb/0x330 drivers/video/fbdev/kyro/fbdev.c:603 + do_fb_ioctl+0x1f3/0x700 drivers/video/fbdev/core/fbmem.c:1171 + fb_ioctl+0xeb/0x130 drivers/video/fbdev/core/fbmem.c:1185 + vfs_ioctl fs/ioctl.c:48 [inline] + __do_sys_ioctl fs/ioctl.c:753 [inline] + __se_sys_ioctl fs/ioctl.c:739 [inline] + __x64_sys_ioctl+0x19b/0x220 fs/ioctl.c:739 + do_syscall_64+0x32/0x80 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Signed-off-by: Zheyu Ma +Signed-off-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/1626235762-2590-1-git-send-email-zheyuma97@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/kyro/fbdev.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/video/fbdev/kyro/fbdev.c b/drivers/video/fbdev/kyro/fbdev.c +index a7bd9f25911b..d7aa431e6846 100644 +--- a/drivers/video/fbdev/kyro/fbdev.c ++++ b/drivers/video/fbdev/kyro/fbdev.c +@@ -372,6 +372,11 @@ static int kyro_dev_overlay_viewport_set(u32 x, u32 y, u32 ulWidth, u32 ulHeight + /* probably haven't called CreateOverlay yet */ + return -EINVAL; + ++ if (ulWidth == 0 || ulWidth == 0xffffffff || ++ ulHeight == 0 || ulHeight == 0xffffffff || ++ (x < 2 && ulWidth + 2 == 0)) ++ return -EINVAL; ++ + /* Stop Ramdac Output */ + DisableRamdacOutput(deviceInfo.pSTGReg); + +-- +2.30.2 + diff --git a/queue-4.14/video-fbdev-riva-error-out-if-pixclock-equals-zero.patch b/queue-4.14/video-fbdev-riva-error-out-if-pixclock-equals-zero.patch new file mode 100644 index 00000000000..f8aa2b893e3 --- /dev/null +++ b/queue-4.14/video-fbdev-riva-error-out-if-pixclock-equals-zero.patch @@ -0,0 +1,71 @@ +From d0f4a5ad3889894ac085b367ab276bf98806370a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jul 2021 10:03:55 +0000 +Subject: video: fbdev: riva: Error out if 'pixclock' equals zero + +From: Zheyu Ma + +[ Upstream commit f92763cb0feba247e0939ed137b495601fd072a5 ] + +The userspace program could pass any values to the driver through +ioctl() interface. If the driver doesn't check the value of 'pixclock', +it may cause divide error. + +Fix this by checking whether 'pixclock' is zero first. + +The following log reveals it: + +[ 33.396850] divide error: 0000 [#1] PREEMPT SMP KASAN PTI +[ 33.396864] CPU: 5 PID: 11754 Comm: i740 Not tainted 5.14.0-rc2-00513-gac532c9bbcfb-dirty #222 +[ 33.396883] RIP: 0010:riva_load_video_mode+0x417/0xf70 +[ 33.396969] Call Trace: +[ 33.396973] ? debug_smp_processor_id+0x1c/0x20 +[ 33.396984] ? tick_nohz_tick_stopped+0x1a/0x90 +[ 33.396996] ? rivafb_copyarea+0x3c0/0x3c0 +[ 33.397003] ? wake_up_klogd.part.0+0x99/0xd0 +[ 33.397014] ? vprintk_emit+0x110/0x4b0 +[ 33.397024] ? vprintk_default+0x26/0x30 +[ 33.397033] ? vprintk+0x9c/0x1f0 +[ 33.397041] ? printk+0xba/0xed +[ 33.397054] ? record_print_text.cold+0x16/0x16 +[ 33.397063] ? __kasan_check_read+0x11/0x20 +[ 33.397074] ? profile_tick+0xc0/0x100 +[ 33.397084] ? __sanitizer_cov_trace_const_cmp4+0x24/0x80 +[ 33.397094] ? riva_set_rop_solid+0x2a0/0x2a0 +[ 33.397102] rivafb_set_par+0xbe/0x610 +[ 33.397111] ? riva_set_rop_solid+0x2a0/0x2a0 +[ 33.397119] fb_set_var+0x5bf/0xeb0 +[ 33.397127] ? fb_blank+0x1a0/0x1a0 +[ 33.397134] ? lock_acquire+0x1ef/0x530 +[ 33.397143] ? lock_release+0x810/0x810 +[ 33.397151] ? lock_is_held_type+0x100/0x140 +[ 33.397159] ? ___might_sleep+0x1ee/0x2d0 +[ 33.397170] ? __mutex_lock+0x620/0x1190 +[ 33.397180] ? trace_hardirqs_on+0x6a/0x1c0 +[ 33.397190] do_fb_ioctl+0x31e/0x700 + +Signed-off-by: Zheyu Ma +Signed-off-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/1627293835-17441-4-git-send-email-zheyuma97@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/riva/fbdev.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/video/fbdev/riva/fbdev.c b/drivers/video/fbdev/riva/fbdev.c +index 1ea78bb911fb..c080d14f9d2a 100644 +--- a/drivers/video/fbdev/riva/fbdev.c ++++ b/drivers/video/fbdev/riva/fbdev.c +@@ -1088,6 +1088,9 @@ static int rivafb_check_var(struct fb_var_screeninfo *var, struct fb_info *info) + int mode_valid = 0; + + NVTRACE_ENTER(); ++ if (!var->pixclock) ++ return -EINVAL; ++ + switch (var->bits_per_pixel) { + case 1 ... 8: + var->red.offset = var->green.offset = var->blue.offset = 0; +-- +2.30.2 + diff --git a/queue-4.14/xtensa-iss-don-t-panic-in-rs_init.patch b/queue-4.14/xtensa-iss-don-t-panic-in-rs_init.patch new file mode 100644 index 00000000000..515cc784776 --- /dev/null +++ b/queue-4.14/xtensa-iss-don-t-panic-in-rs_init.patch @@ -0,0 +1,73 @@ +From 1ce9f0ab2019d45340d277a056ccfc176dd369a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Jul 2021 09:43:10 +0200 +Subject: xtensa: ISS: don't panic in rs_init + +From: Jiri Slaby + +[ Upstream commit 23411c720052ad860b3e579ee4873511e367130a ] + +While alloc_tty_driver failure in rs_init would mean we have much bigger +problem, there is no reason to panic when tty_register_driver fails +there. It can fail for various reasons. + +So handle the failure gracefully. Actually handle them both while at it. +This will make at least the console functional as it was enabled earlier +by console_initcall in iss_console_init. Instead of shooting down the +whole system. + +We move tty_port_init() after alloc_tty_driver(), so that we don't need +to destroy the port in case the latter function fails. + +Cc: Chris Zankel +Cc: Max Filippov +Cc: linux-xtensa@linux-xtensa.org +Acked-by: Max Filippov +Signed-off-by: Jiri Slaby +Link: https://lore.kernel.org/r/20210723074317.32690-2-jslaby@suse.cz +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + arch/xtensa/platforms/iss/console.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/arch/xtensa/platforms/iss/console.c b/arch/xtensa/platforms/iss/console.c +index 0140a22551c8..63d6d043af16 100644 +--- a/arch/xtensa/platforms/iss/console.c ++++ b/arch/xtensa/platforms/iss/console.c +@@ -182,9 +182,13 @@ static const struct tty_operations serial_ops = { + + int __init rs_init(void) + { +- tty_port_init(&serial_port); ++ int ret; + + serial_driver = alloc_tty_driver(SERIAL_MAX_NUM_LINES); ++ if (!serial_driver) ++ return -ENOMEM; ++ ++ tty_port_init(&serial_port); + + printk ("%s %s\n", serial_name, serial_version); + +@@ -204,8 +208,15 @@ int __init rs_init(void) + tty_set_operations(serial_driver, &serial_ops); + tty_port_link_device(&serial_port, serial_driver, 0); + +- if (tty_register_driver(serial_driver)) +- panic("Couldn't register serial driver\n"); ++ ret = tty_register_driver(serial_driver); ++ if (ret) { ++ pr_err("Couldn't register serial driver\n"); ++ tty_driver_kref_put(serial_driver); ++ tty_port_destroy(&serial_port); ++ ++ return ret; ++ } ++ + return 0; + } + +-- +2.30.2 +