From: Sasha Levin Date: Mon, 21 Sep 2020 10:41:14 +0000 (-0400) Subject: Fixes for 4.19 X-Git-Tag: v4.4.237~39 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=94fd7cbd87a062eba6db0318873548e59848975b;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/asoc-qcom-set-card-owner-to-avoid-warnings.patch b/queue-4.19/asoc-qcom-set-card-owner-to-avoid-warnings.patch new file mode 100644 index 00000000000..927951bd8e0 --- /dev/null +++ b/queue-4.19/asoc-qcom-set-card-owner-to-avoid-warnings.patch @@ -0,0 +1,96 @@ +From 29d059be1828171e198094ee2c2e379ad7da8556 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 17:45:11 +0200 +Subject: ASoC: qcom: Set card->owner to avoid warnings + +From: Stephan Gerhold + +[ Upstream commit 3c27ea23ffb43262da6c64964163895951aaed4e ] + +On Linux 5.9-rc1 I get the following warning with apq8016-sbc: + +WARNING: CPU: 2 PID: 69 at sound/core/init.c:207 snd_card_new+0x36c/0x3b0 [snd] +CPU: 2 PID: 69 Comm: kworker/2:1 Not tainted 5.9.0-rc1 #1 +Workqueue: events deferred_probe_work_func +pc : snd_card_new+0x36c/0x3b0 [snd] +lr : snd_card_new+0xf4/0x3b0 [snd] +Call trace: + snd_card_new+0x36c/0x3b0 [snd] + snd_soc_bind_card+0x340/0x9a0 [snd_soc_core] + snd_soc_register_card+0xf4/0x110 [snd_soc_core] + devm_snd_soc_register_card+0x44/0xa0 [snd_soc_core] + apq8016_sbc_platform_probe+0x11c/0x140 [snd_soc_apq8016_sbc] + +This warning was introduced in +commit 81033c6b584b ("ALSA: core: Warn on empty module"). +It looks like we are supposed to set card->owner to THIS_MODULE. + +Fix this for all the qcom ASoC drivers. + +Cc: Srinivas Kandagatla +Fixes: 79119c798649 ("ASoC: qcom: Add Storm machine driver") +Fixes: bdb052e81f62 ("ASoC: qcom: add apq8016 sound card support") +Fixes: a6f933f63f2f ("ASoC: qcom: apq8096: Add db820c machine driver") +Fixes: 6b1687bf76ef ("ASoC: qcom: add sdm845 sound card support") +Signed-off-by: Stephan Gerhold +Link: https://lore.kernel.org/r/20200820154511.203072-1-stephan@gerhold.net +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/qcom/apq8016_sbc.c | 1 + + sound/soc/qcom/apq8096.c | 1 + + sound/soc/qcom/sdm845.c | 1 + + sound/soc/qcom/storm.c | 1 + + 4 files changed, 4 insertions(+) + +diff --git a/sound/soc/qcom/apq8016_sbc.c b/sound/soc/qcom/apq8016_sbc.c +index 4b559932adc33..121460db8eacf 100644 +--- a/sound/soc/qcom/apq8016_sbc.c ++++ b/sound/soc/qcom/apq8016_sbc.c +@@ -233,6 +233,7 @@ static int apq8016_sbc_platform_probe(struct platform_device *pdev) + return -ENOMEM; + + card->dev = dev; ++ card->owner = THIS_MODULE; + card->dapm_widgets = apq8016_sbc_dapm_widgets; + card->num_dapm_widgets = ARRAY_SIZE(apq8016_sbc_dapm_widgets); + data = apq8016_sbc_parse_of(card); +diff --git a/sound/soc/qcom/apq8096.c b/sound/soc/qcom/apq8096.c +index 1543e85629f80..04f814a0a7d51 100644 +--- a/sound/soc/qcom/apq8096.c ++++ b/sound/soc/qcom/apq8096.c +@@ -46,6 +46,7 @@ static int apq8096_platform_probe(struct platform_device *pdev) + return -ENOMEM; + + card->dev = dev; ++ card->owner = THIS_MODULE; + dev_set_drvdata(dev, card); + ret = qcom_snd_parse_of(card); + if (ret) { +diff --git a/sound/soc/qcom/sdm845.c b/sound/soc/qcom/sdm845.c +index 2a781d87ee65e..5fdbfa363ab16 100644 +--- a/sound/soc/qcom/sdm845.c ++++ b/sound/soc/qcom/sdm845.c +@@ -226,6 +226,7 @@ static int sdm845_snd_platform_probe(struct platform_device *pdev) + } + + card->dev = dev; ++ card->owner = THIS_MODULE; + dev_set_drvdata(dev, card); + ret = qcom_snd_parse_of(card); + if (ret) { +diff --git a/sound/soc/qcom/storm.c b/sound/soc/qcom/storm.c +index a9fa972466ad1..00a3f4c1b6fed 100644 +--- a/sound/soc/qcom/storm.c ++++ b/sound/soc/qcom/storm.c +@@ -99,6 +99,7 @@ static int storm_platform_probe(struct platform_device *pdev) + return -ENOMEM; + + card->dev = &pdev->dev; ++ card->owner = THIS_MODULE; + + ret = snd_soc_of_parse_card_name(card, "qcom,model"); + if (ret) { +-- +2.25.1 + diff --git a/queue-4.19/clk-davinci-use-the-correct-size-when-allocating-mem.patch b/queue-4.19/clk-davinci-use-the-correct-size-when-allocating-mem.patch new file mode 100644 index 00000000000..1f8d9f6d298 --- /dev/null +++ b/queue-4.19/clk-davinci-use-the-correct-size-when-allocating-mem.patch @@ -0,0 +1,38 @@ +From 9de3fffd4c5346d6c114bbc2e113a33faa058e49 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Aug 2020 16:49:59 +0200 +Subject: clk: davinci: Use the correct size when allocating memory + +From: Christophe JAILLET + +[ Upstream commit 3dabfa2bda48dab717986609762ce2a49335eb99 ] + +'sizeof(*pllen)' should be used in place of 'sizeof(*pllout)' to avoid a +small over-allocation. + +Fixes: 2d1726915159 ("clk: davinci: New driver for davinci PLL clocks") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/20200809144959.747986-1-christophe.jaillet@wanadoo.fr +Reviewed-by: David Lechner +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/davinci/pll.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/davinci/pll.c b/drivers/clk/davinci/pll.c +index 1c99e992d6388..796b428998ae0 100644 +--- a/drivers/clk/davinci/pll.c ++++ b/drivers/clk/davinci/pll.c +@@ -491,7 +491,7 @@ struct clk *davinci_pll_clk_register(struct device *dev, + parent_name = postdiv_name; + } + +- pllen = kzalloc(sizeof(*pllout), GFP_KERNEL); ++ pllen = kzalloc(sizeof(*pllen), GFP_KERNEL); + if (!pllen) { + ret = -ENOMEM; + goto err_unregister_postdiv; +-- +2.25.1 + diff --git a/queue-4.19/clk-rockchip-fix-initialization-of-mux_pll_src_4plls.patch b/queue-4.19/clk-rockchip-fix-initialization-of-mux_pll_src_4plls.patch new file mode 100644 index 00000000000..834d6fe6b2a --- /dev/null +++ b/queue-4.19/clk-rockchip-fix-initialization-of-mux_pll_src_4plls.patch @@ -0,0 +1,58 @@ +From f330b943fab9169e3ab0ae335c80a648e898433d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Aug 2020 21:40:20 -0700 +Subject: clk: rockchip: Fix initialization of mux_pll_src_4plls_p +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nathan Chancellor + +[ Upstream commit e9c006bc782c488f485ffe50de20b44e1e3daa18 ] + +A new warning in Clang points out that the initialization of +mux_pll_src_4plls_p appears incorrect: + +../drivers/clk/rockchip/clk-rk3228.c:140:58: warning: suspicious +concatenation of string literals in an array initialization; did you +mean to separate the elements with a comma? [-Wstring-concatenation] +PNAME(mux_pll_src_4plls_p) = { "cpll", "gpll", "hdmiphy" "usb480m" }; + ^ + , +../drivers/clk/rockchip/clk-rk3228.c:140:48: note: place parentheses +around the string literal to silence warning +PNAME(mux_pll_src_4plls_p) = { "cpll", "gpll", "hdmiphy" "usb480m" }; + ^ +1 warning generated. + +Given the name of the variable and the same variable name in rv1108, it +seems that this should have been four distinct elements. Fix it up by +adding the comma as suggested. + +Fixes: 307a2e9ac524 ("clk: rockchip: add clock controller for rk3228") +Link: https://github.com/ClangBuiltLinux/linux/issues/1123 +Signed-off-by: Nathan Chancellor +Link: https://lore.kernel.org/r/20200810044020.2063350-1-natechancellor@gmail.com +Reviewed-by: Heiko Stübner +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/rockchip/clk-rk3228.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/rockchip/clk-rk3228.c b/drivers/clk/rockchip/clk-rk3228.c +index 04f4f3739e3be..8d11d76e1db7c 100644 +--- a/drivers/clk/rockchip/clk-rk3228.c ++++ b/drivers/clk/rockchip/clk-rk3228.c +@@ -144,7 +144,7 @@ PNAME(mux_usb480m_p) = { "usb480m_phy", "xin24m" }; + PNAME(mux_hdmiphy_p) = { "hdmiphy_phy", "xin24m" }; + PNAME(mux_aclk_cpu_src_p) = { "cpll_aclk_cpu", "gpll_aclk_cpu", "hdmiphy_aclk_cpu" }; + +-PNAME(mux_pll_src_4plls_p) = { "cpll", "gpll", "hdmiphy" "usb480m" }; ++PNAME(mux_pll_src_4plls_p) = { "cpll", "gpll", "hdmiphy", "usb480m" }; + PNAME(mux_pll_src_3plls_p) = { "cpll", "gpll", "hdmiphy" }; + PNAME(mux_pll_src_2plls_p) = { "cpll", "gpll" }; + PNAME(mux_sclk_hdmi_cec_p) = { "cpll", "gpll", "xin24m" }; +-- +2.25.1 + diff --git a/queue-4.19/drivers-hv-vmbus-add-timeout-to-vmbus_wait_for_unloa.patch b/queue-4.19/drivers-hv-vmbus-add-timeout-to-vmbus_wait_for_unloa.patch new file mode 100644 index 00000000000..b7e93c1733f --- /dev/null +++ b/queue-4.19/drivers-hv-vmbus-add-timeout-to-vmbus_wait_for_unloa.patch @@ -0,0 +1,54 @@ +From 726b88ec0d36569257b30ee11556aa640237825c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 13 Sep 2020 12:47:29 -0700 +Subject: Drivers: hv: vmbus: Add timeout to vmbus_wait_for_unload + +From: Michael Kelley + +[ Upstream commit 911e1987efc8f3e6445955fbae7f54b428b92bd3 ] + +vmbus_wait_for_unload() looks for a CHANNELMSG_UNLOAD_RESPONSE message +coming from Hyper-V. But if the message isn't found for some reason, +the panic path gets hung forever. Add a timeout of 10 seconds to prevent +this. + +Fixes: 415719160de3 ("Drivers: hv: vmbus: avoid scheduling in interrupt context in vmbus_initiate_unload()") +Signed-off-by: Michael Kelley +Reviewed-by: Dexuan Cui +Reviewed-by: Vitaly Kuznetsov +Link: https://lore.kernel.org/r/1600026449-23651-1-git-send-email-mikelley@microsoft.com +Signed-off-by: Wei Liu +Signed-off-by: Sasha Levin +--- + drivers/hv/channel_mgmt.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c +index c83361a8e2033..7920b0d7e35a7 100644 +--- a/drivers/hv/channel_mgmt.c ++++ b/drivers/hv/channel_mgmt.c +@@ -779,7 +779,7 @@ static void vmbus_wait_for_unload(void) + void *page_addr; + struct hv_message *msg; + struct vmbus_channel_message_header *hdr; +- u32 message_type; ++ u32 message_type, i; + + /* + * CHANNELMSG_UNLOAD_RESPONSE is always delivered to the CPU which was +@@ -789,8 +789,11 @@ static void vmbus_wait_for_unload(void) + * functional and vmbus_unload_response() will complete + * vmbus_connection.unload_event. If not, the last thing we can do is + * read message pages for all CPUs directly. ++ * ++ * Wait no more than 10 seconds so that the panic path can't get ++ * hung forever in case the response message isn't seen. + */ +- while (1) { ++ for (i = 0; i < 1000; i++) { + if (completion_done(&vmbus_connection.unload_event)) + break; + +-- +2.25.1 + diff --git a/queue-4.19/drm-mediatek-add-exception-handing-in-mtk_drm_probe-.patch b/queue-4.19/drm-mediatek-add-exception-handing-in-mtk_drm_probe-.patch new file mode 100644 index 00000000000..324a18d4e6f --- /dev/null +++ b/queue-4.19/drm-mediatek-add-exception-handing-in-mtk_drm_probe-.patch @@ -0,0 +1,46 @@ +From d32a06dcebf1e4d6835c8fdddfae567a70f9479e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Sep 2020 16:49:42 +0800 +Subject: drm/mediatek: Add exception handing in mtk_drm_probe() if component + init fail + +From: Yu Kuai + +[ Upstream commit 64c194c00789889b0f9454f583712f079ba414ee ] + +mtk_ddp_comp_init() is called in a loop in mtk_drm_probe(), if it +fail, previous successive init component is not proccessed. + +Thus uninitialize valid component and put their device if component +init failed. + +Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.") +Signed-off-by: Yu Kuai +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_drm_drv.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c +index 947bc6d623020..d143217636071 100644 +--- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c ++++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c +@@ -600,8 +600,13 @@ err_pm: + pm_runtime_disable(dev); + err_node: + of_node_put(private->mutex_node); +- for (i = 0; i < DDP_COMPONENT_ID_MAX; i++) ++ for (i = 0; i < DDP_COMPONENT_ID_MAX; i++) { + of_node_put(private->comp_node[i]); ++ if (private->ddp_comp[i]) { ++ put_device(private->ddp_comp[i]->larb_dev); ++ private->ddp_comp[i] = NULL; ++ } ++ } + return ret; + } + +-- +2.25.1 + diff --git a/queue-4.19/drm-mediatek-add-missing-put_device-call-in-mtk_hdmi.patch b/queue-4.19/drm-mediatek-add-missing-put_device-call-in-mtk_hdmi.patch new file mode 100644 index 00000000000..9a0f7d83e4f --- /dev/null +++ b/queue-4.19/drm-mediatek-add-missing-put_device-call-in-mtk_hdmi.patch @@ -0,0 +1,92 @@ +From 38b9342f6cb1ed669d291678fbb65a33defeb8bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Sep 2020 19:21:51 +0800 +Subject: drm/mediatek: Add missing put_device() call in + mtk_hdmi_dt_parse_pdata() + +From: Yu Kuai + +[ Upstream commit 0680a622318b8d657323b94082f4b9a44038dfee ] + +if of_find_device_by_node() succeed, mtk_drm_kms_init() doesn't have +a corresponding put_device(). Thus add jump target to fix the exception +handling for this function implementation. + +Fixes: 8f83f26891e1 ("drm/mediatek: Add HDMI support") +Signed-off-by: Yu Kuai +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_hdmi.c | 26 ++++++++++++++++++-------- + 1 file changed, 18 insertions(+), 8 deletions(-) + +diff --git a/drivers/gpu/drm/mediatek/mtk_hdmi.c b/drivers/gpu/drm/mediatek/mtk_hdmi.c +index 62444a3a5742a..331fb0c129290 100644 +--- a/drivers/gpu/drm/mediatek/mtk_hdmi.c ++++ b/drivers/gpu/drm/mediatek/mtk_hdmi.c +@@ -1476,25 +1476,30 @@ static int mtk_hdmi_dt_parse_pdata(struct mtk_hdmi *hdmi, + dev_err(dev, + "Failed to get system configuration registers: %d\n", + ret); +- return ret; ++ goto put_device; + } + hdmi->sys_regmap = regmap; + + mem = platform_get_resource(pdev, IORESOURCE_MEM, 0); + hdmi->regs = devm_ioremap_resource(dev, mem); +- if (IS_ERR(hdmi->regs)) +- return PTR_ERR(hdmi->regs); ++ if (IS_ERR(hdmi->regs)) { ++ ret = PTR_ERR(hdmi->regs); ++ goto put_device; ++ } + + remote = of_graph_get_remote_node(np, 1, 0); +- if (!remote) +- return -EINVAL; ++ if (!remote) { ++ ret = -EINVAL; ++ goto put_device; ++ } + + if (!of_device_is_compatible(remote, "hdmi-connector")) { + hdmi->next_bridge = of_drm_find_bridge(remote); + if (!hdmi->next_bridge) { + dev_err(dev, "Waiting for external bridge\n"); + of_node_put(remote); +- return -EPROBE_DEFER; ++ ret = -EPROBE_DEFER; ++ goto put_device; + } + } + +@@ -1503,7 +1508,8 @@ static int mtk_hdmi_dt_parse_pdata(struct mtk_hdmi *hdmi, + dev_err(dev, "Failed to find ddc-i2c-bus node in %pOF\n", + remote); + of_node_put(remote); +- return -EINVAL; ++ ret = -EINVAL; ++ goto put_device; + } + of_node_put(remote); + +@@ -1511,10 +1517,14 @@ static int mtk_hdmi_dt_parse_pdata(struct mtk_hdmi *hdmi, + of_node_put(i2c_np); + if (!hdmi->ddc_adpt) { + dev_err(dev, "Failed to get ddc i2c adapter by node\n"); +- return -EINVAL; ++ ret = -EINVAL; ++ goto put_device; + } + + return 0; ++put_device: ++ put_device(hdmi->cec_dev); ++ return ret; + } + + /* +-- +2.25.1 + diff --git a/queue-4.19/f2fs-fix-indefinite-loop-scanning-for-free-nid.patch b/queue-4.19/f2fs-fix-indefinite-loop-scanning-for-free-nid.patch new file mode 100644 index 00000000000..6f44735709f --- /dev/null +++ b/queue-4.19/f2fs-fix-indefinite-loop-scanning-for-free-nid.patch @@ -0,0 +1,48 @@ +From f52490645318755051083123397b641a0c0b9eba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Aug 2020 15:40:14 +0530 +Subject: f2fs: fix indefinite loop scanning for free nid + +From: Sahitya Tummala + +[ Upstream commit e2cab031ba7b5003cd12185b3ef38f1a75e3dae8 ] + +If the sbi->ckpt->next_free_nid is not NAT block aligned and if there +are free nids in that NAT block between the start of the block and +next_free_nid, then those free nids will not be scanned in scan_nat_page(). +This results into mismatch between nm_i->available_nids and the sum of +nm_i->free_nid_count of all NAT blocks scanned. And nm_i->available_nids +will always be greater than the sum of free nids in all the blocks. +Under this condition, if we use all the currently scanned free nids, +then it will loop forever in f2fs_alloc_nid() as nm_i->available_nids +is still not zero but nm_i->free_nid_count of that partially scanned +NAT block is zero. + +Fix this to align the nm_i->next_scan_nid to the first nid of the +corresponding NAT block. + +Signed-off-by: Sahitya Tummala +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/node.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c +index 2ff02541c53d5..1934dc6ad1ccd 100644 +--- a/fs/f2fs/node.c ++++ b/fs/f2fs/node.c +@@ -2257,6 +2257,9 @@ static int __f2fs_build_free_nids(struct f2fs_sb_info *sbi, + if (unlikely(nid >= nm_i->max_nid)) + nid = 0; + ++ if (unlikely(nid % NAT_ENTRY_PER_BLOCK)) ++ nid = NAT_BLOCK_OFFSET(nid) * NAT_ENTRY_PER_BLOCK; ++ + /* Enough entries */ + if (nm_i->nid_cnt[FREE_NID] >= NAT_ENTRY_PER_BLOCK) + return 0; +-- +2.25.1 + diff --git a/queue-4.19/f2fs-return-eof-on-unaligned-end-of-file-dio-read.patch b/queue-4.19/f2fs-return-eof-on-unaligned-end-of-file-dio-read.patch new file mode 100644 index 00000000000..e1acb94b615 --- /dev/null +++ b/queue-4.19/f2fs-return-eof-on-unaligned-end-of-file-dio-read.patch @@ -0,0 +1,56 @@ +From b3340422ca603d78b739d36a0b3d3bd06cf77f64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Aug 2020 16:07:31 -0400 +Subject: f2fs: Return EOF on unaligned end of file DIO read + +From: Gabriel Krisman Bertazi + +[ Upstream commit 20d0a107fb35f37578b919f62bd474d6d358d579 ] + +Reading past end of file returns EOF for aligned reads but -EINVAL for +unaligned reads on f2fs. While documentation is not strict about this +corner case, most filesystem returns EOF on this case, like iomap +filesystems. This patch consolidates the behavior for f2fs, by making +it return EOF(0). + +it can be verified by a read loop on a file that does a partial read +before EOF (A file that doesn't end at an aligned address). The +following code fails on an unaligned file on f2fs, but not on +btrfs, ext4, and xfs. + + while (done < total) { + ssize_t delta = pread(fd, buf + done, total - done, off + done); + if (!delta) + break; + ... + } + +It is arguable whether filesystems should actually return EOF or +-EINVAL, but since iomap filesystems support it, and so does the +original DIO code, it seems reasonable to consolidate on that. + +Signed-off-by: Gabriel Krisman Bertazi +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/data.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c +index c81a1f3f0a101..c63f5e32630ee 100644 +--- a/fs/f2fs/data.c ++++ b/fs/f2fs/data.c +@@ -2490,6 +2490,9 @@ static int check_direct_IO(struct inode *inode, struct iov_iter *iter, + unsigned long align = offset | iov_iter_alignment(iter); + struct block_device *bdev = inode->i_sb->s_bdev; + ++ if (iov_iter_rw(iter) == READ && offset >= i_size_read(inode)) ++ return 1; ++ + if (align & blocksize_mask) { + if (bdev) + blkbits = blksize_bits(bdev_logical_block_size(bdev)); +-- +2.25.1 + diff --git a/queue-4.19/fbcon-fix-user-font-detection-test-at-fbcon_resize.patch b/queue-4.19/fbcon-fix-user-font-detection-test-at-fbcon_resize.patch new file mode 100644 index 00000000000..073f3efad05 --- /dev/null +++ b/queue-4.19/fbcon-fix-user-font-detection-test-at-fbcon_resize.patch @@ -0,0 +1,52 @@ +From dce32c1b6e2e5ba35846edda02bc4551f280c2a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Sep 2020 07:57:06 +0900 +Subject: fbcon: Fix user font detection test at fbcon_resize(). + +From: Tetsuo Handa + +[ Upstream commit ec0972adecb391a8d8650832263a4790f3bfb4df ] + +syzbot is reporting OOB read at fbcon_resize() [1], for +commit 39b3cffb8cf31117 ("fbcon: prevent user font height or width change + from causing potential out-of-bounds access") is by error using +registered_fb[con2fb_map[vc->vc_num]]->fbcon_par->p->userfont (which was +set to non-zero) instead of fb_display[vc->vc_num].userfont (which remains +zero for that display). + +We could remove tricky userfont flag [2], for we can determine it by +comparing address of the font data and addresses of built-in font data. +But since that commit is failing to fix the original OOB read [3], this +patch keeps the change minimal in case we decide to revert altogether. + +[1] https://syzkaller.appspot.com/bug?id=ebcbbb6576958a496500fee9cf7aa83ea00b5920 +[2] https://syzkaller.appspot.com/text?tag=Patch&x=14030853900000 +[3] https://syzkaller.appspot.com/bug?id=6fba8c186d97cf1011ab17660e633b1cc4e080c9 + +Reported-by: syzbot +Signed-off-by: Tetsuo Handa +Fixes: 39b3cffb8cf31117 ("fbcon: prevent user font height or width change from causing potential out-of-bounds access") +Cc: George Kennedy +Link: https://lore.kernel.org/r/f6e3e611-8704-1263-d163-f52c906a4f06@I-love.SAKURA.ne.jp +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/core/fbcon.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c +index 29226b6cb632d..0bf5ea518558c 100644 +--- a/drivers/video/fbdev/core/fbcon.c ++++ b/drivers/video/fbdev/core/fbcon.c +@@ -1979,7 +1979,7 @@ static int fbcon_resize(struct vc_data *vc, unsigned int width, + struct fb_var_screeninfo var = info->var; + int x_diff, y_diff, virt_w, virt_h, virt_fw, virt_fh; + +- if (ops->p && ops->p->userfont && FNTSIZE(vc->vc_font.data)) { ++ if (p->userfont && FNTSIZE(vc->vc_font.data)) { + int size; + int pitch = PITCH(vc->vc_font.width); + +-- +2.25.1 + diff --git a/queue-4.19/i2c-algo-pca-reapply-i2c-bus-settings-after-reset.patch b/queue-4.19/i2c-algo-pca-reapply-i2c-bus-settings-after-reset.patch new file mode 100644 index 00000000000..5e8ce4a891e --- /dev/null +++ b/queue-4.19/i2c-algo-pca-reapply-i2c-bus-settings-after-reset.patch @@ -0,0 +1,131 @@ +From 0d11aed3dcce7ae13b577e3f658297de78f07221 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Sep 2020 08:32:47 +1200 +Subject: i2c: algo: pca: Reapply i2c bus settings after reset + +From: Evan Nimmo + +[ Upstream commit 0a355aeb24081e4538d4d424cd189f16c0bbd983 ] + +If something goes wrong (such as the SCL being stuck low) then we need +to reset the PCA chip. The issue with this is that on reset we lose all +config settings and the chip ends up in a disabled state which results +in a lock up/high CPU usage. We need to re-apply any configuration that +had previously been set and re-enable the chip. + +Signed-off-by: Evan Nimmo +Reviewed-by: Chris Packham +Reviewed-by: Andy Shevchenko +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/algos/i2c-algo-pca.c | 35 +++++++++++++++++++++----------- + include/linux/i2c-algo-pca.h | 15 ++++++++++++++ + 2 files changed, 38 insertions(+), 12 deletions(-) + +diff --git a/drivers/i2c/algos/i2c-algo-pca.c b/drivers/i2c/algos/i2c-algo-pca.c +index 0e745f82d6a53..f328de980855d 100644 +--- a/drivers/i2c/algos/i2c-algo-pca.c ++++ b/drivers/i2c/algos/i2c-algo-pca.c +@@ -50,8 +50,22 @@ static void pca_reset(struct i2c_algo_pca_data *adap) + pca_outw(adap, I2C_PCA_INDPTR, I2C_PCA_IPRESET); + pca_outw(adap, I2C_PCA_IND, 0xA5); + pca_outw(adap, I2C_PCA_IND, 0x5A); ++ ++ /* ++ * After a reset we need to re-apply any configuration ++ * (calculated in pca_init) to get the bus in a working state. ++ */ ++ pca_outw(adap, I2C_PCA_INDPTR, I2C_PCA_IMODE); ++ pca_outw(adap, I2C_PCA_IND, adap->bus_settings.mode); ++ pca_outw(adap, I2C_PCA_INDPTR, I2C_PCA_ISCLL); ++ pca_outw(adap, I2C_PCA_IND, adap->bus_settings.tlow); ++ pca_outw(adap, I2C_PCA_INDPTR, I2C_PCA_ISCLH); ++ pca_outw(adap, I2C_PCA_IND, adap->bus_settings.thi); ++ ++ pca_set_con(adap, I2C_PCA_CON_ENSIO); + } else { + adap->reset_chip(adap->data); ++ pca_set_con(adap, I2C_PCA_CON_ENSIO | adap->bus_settings.clock_freq); + } + } + +@@ -432,13 +446,14 @@ static int pca_init(struct i2c_adapter *adap) + " Use the nominal frequency.\n", adap->name); + } + +- pca_reset(pca_data); +- + clock = pca_clock(pca_data); + printk(KERN_INFO "%s: Clock frequency is %dkHz\n", + adap->name, freqs[clock]); + +- pca_set_con(pca_data, I2C_PCA_CON_ENSIO | clock); ++ /* Store settings as these will be needed when the PCA chip is reset */ ++ pca_data->bus_settings.clock_freq = clock; ++ ++ pca_reset(pca_data); + } else { + int clock; + int mode; +@@ -505,19 +520,15 @@ static int pca_init(struct i2c_adapter *adap) + thi = tlow * min_thi / min_tlow; + } + ++ /* Store settings as these will be needed when the PCA chip is reset */ ++ pca_data->bus_settings.mode = mode; ++ pca_data->bus_settings.tlow = tlow; ++ pca_data->bus_settings.thi = thi; ++ + pca_reset(pca_data); + + printk(KERN_INFO + "%s: Clock frequency is %dHz\n", adap->name, clock * 100); +- +- pca_outw(pca_data, I2C_PCA_INDPTR, I2C_PCA_IMODE); +- pca_outw(pca_data, I2C_PCA_IND, mode); +- pca_outw(pca_data, I2C_PCA_INDPTR, I2C_PCA_ISCLL); +- pca_outw(pca_data, I2C_PCA_IND, tlow); +- pca_outw(pca_data, I2C_PCA_INDPTR, I2C_PCA_ISCLH); +- pca_outw(pca_data, I2C_PCA_IND, thi); +- +- pca_set_con(pca_data, I2C_PCA_CON_ENSIO); + } + udelay(500); /* 500 us for oscillator to stabilise */ + +diff --git a/include/linux/i2c-algo-pca.h b/include/linux/i2c-algo-pca.h +index d03071732db4a..7c522fdd9ea73 100644 +--- a/include/linux/i2c-algo-pca.h ++++ b/include/linux/i2c-algo-pca.h +@@ -53,6 +53,20 @@ + #define I2C_PCA_CON_SI 0x08 /* Serial Interrupt */ + #define I2C_PCA_CON_CR 0x07 /* Clock Rate (MASK) */ + ++/** ++ * struct pca_i2c_bus_settings - The configured PCA i2c bus settings ++ * @mode: Configured i2c bus mode ++ * @tlow: Configured SCL LOW period ++ * @thi: Configured SCL HIGH period ++ * @clock_freq: The configured clock frequency ++ */ ++struct pca_i2c_bus_settings { ++ int mode; ++ int tlow; ++ int thi; ++ int clock_freq; ++}; ++ + struct i2c_algo_pca_data { + void *data; /* private low level data */ + void (*write_byte) (void *data, int reg, int val); +@@ -64,6 +78,7 @@ struct i2c_algo_pca_data { + * For PCA9665, use the frequency you want here. */ + unsigned int i2c_clock; + unsigned int chip; ++ struct pca_i2c_bus_settings bus_settings; + }; + + int i2c_pca_add_bus(struct i2c_adapter *); +-- +2.25.1 + diff --git a/queue-4.19/kvm-mips-change-the-definition-of-kvm-type.patch b/queue-4.19/kvm-mips-change-the-definition-of-kvm-type.patch new file mode 100644 index 00000000000..639a3263910 --- /dev/null +++ b/queue-4.19/kvm-mips-change-the-definition-of-kvm-type.patch @@ -0,0 +1,81 @@ +From cf4061e36038d90ae528b6e2adbc871f98446155 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Sep 2020 18:33:51 +0800 +Subject: KVM: MIPS: Change the definition of kvm type + +From: Huacai Chen + +[ Upstream commit 15e9e35cd1dec2bc138464de6bf8ef828df19235 ] + +MIPS defines two kvm types: + + #define KVM_VM_MIPS_TE 0 + #define KVM_VM_MIPS_VZ 1 + +In Documentation/virt/kvm/api.rst it is said that "You probably want to +use 0 as machine type", which implies that type 0 be the "automatic" or +"default" type. And, in user-space libvirt use the null-machine (with +type 0) to detect the kvm capability, which returns "KVM not supported" +on a VZ platform. + +I try to fix it in QEMU but it is ugly: +https://lists.nongnu.org/archive/html/qemu-devel/2020-08/msg05629.html + +And Thomas Huth suggests me to change the definition of kvm type: +https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg03281.html + +So I define like this: + + #define KVM_VM_MIPS_AUTO 0 + #define KVM_VM_MIPS_VZ 1 + #define KVM_VM_MIPS_TE 2 + +Since VZ and TE cannot co-exists, using type 0 on a TE platform will +still return success (so old user-space tools have no problems on new +kernels); the advantage is that using type 0 on a VZ platform will not +return failure. So, the only problem is "new user-space tools use type +2 on old kernels", but if we treat this as a kernel bug, we can backport +this patch to old stable kernels. + +Signed-off-by: Huacai Chen +Message-Id: <1599734031-28746-1-git-send-email-chenhc@lemote.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/mips/kvm/mips.c | 2 ++ + include/uapi/linux/kvm.h | 5 +++-- + 2 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/arch/mips/kvm/mips.c b/arch/mips/kvm/mips.c +index e7f5ef6bed0fe..79485790f7b56 100644 +--- a/arch/mips/kvm/mips.c ++++ b/arch/mips/kvm/mips.c +@@ -131,6 +131,8 @@ void kvm_arch_check_processor_compat(void *rtn) + int kvm_arch_init_vm(struct kvm *kvm, unsigned long type) + { + switch (type) { ++ case KVM_VM_MIPS_AUTO: ++ break; + #ifdef CONFIG_KVM_MIPS_VZ + case KVM_VM_MIPS_VZ: + #else +diff --git a/include/uapi/linux/kvm.h b/include/uapi/linux/kvm.h +index 66ce6659ecb69..c297abc4e6697 100644 +--- a/include/uapi/linux/kvm.h ++++ b/include/uapi/linux/kvm.h +@@ -746,9 +746,10 @@ struct kvm_ppc_resize_hpt { + #define KVM_VM_PPC_HV 1 + #define KVM_VM_PPC_PR 2 + +-/* on MIPS, 0 forces trap & emulate, 1 forces VZ ASE */ +-#define KVM_VM_MIPS_TE 0 ++/* on MIPS, 0 indicates auto, 1 forces VZ ASE, 2 forces trap & emulate */ ++#define KVM_VM_MIPS_AUTO 0 + #define KVM_VM_MIPS_VZ 1 ++#define KVM_VM_MIPS_TE 2 + + #define KVM_S390_SIE_PAGE_OFFSET 1 + +-- +2.25.1 + diff --git a/queue-4.19/mips-sni-fix-mips_l1_cache_shift.patch b/queue-4.19/mips-sni-fix-mips_l1_cache_shift.patch new file mode 100644 index 00000000000..71c2604b273 --- /dev/null +++ b/queue-4.19/mips-sni-fix-mips_l1_cache_shift.patch @@ -0,0 +1,35 @@ +From 52821588e6842fec03dcd914b8437e366a97d1c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Sep 2020 18:05:00 +0200 +Subject: MIPS: SNI: Fix MIPS_L1_CACHE_SHIFT + +From: Thomas Bogendoerfer + +[ Upstream commit 564c836fd945a94b5dd46597d6b7adb464092650 ] + +Commit 930beb5ac09a ("MIPS: introduce MIPS_L1_CACHE_SHIFT_") forgot +to select the correct MIPS_L1_CACHE_SHIFT for SNI RM. This breaks non +coherent DMA because of a wrong allocation alignment. + +Fixes: 930beb5ac09a ("MIPS: introduce MIPS_L1_CACHE_SHIFT_") +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig +index a830a9701e501..cc8c8d22afaf5 100644 +--- a/arch/mips/Kconfig ++++ b/arch/mips/Kconfig +@@ -852,6 +852,7 @@ config SNI_RM + select I8253 + select I8259 + select ISA ++ select MIPS_L1_CACHE_SHIFT_6 + select SWAP_IO_SPACE if CPU_BIG_ENDIAN + select SYS_HAS_CPU_R4X00 + select SYS_HAS_CPU_R5000 +-- +2.25.1 + diff --git a/queue-4.19/mips-sni-fix-spurious-interrupts.patch b/queue-4.19/mips-sni-fix-spurious-interrupts.patch new file mode 100644 index 00000000000..eb43d752572 --- /dev/null +++ b/queue-4.19/mips-sni-fix-spurious-interrupts.patch @@ -0,0 +1,58 @@ +From 09fbead0b13d41da28da5098a6f8ae3654d70c2c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 15:54:37 +0200 +Subject: MIPS: SNI: Fix spurious interrupts + +From: Thomas Bogendoerfer + +[ Upstream commit b959b97860d0fee8c8f6a3e641d3c2ad76eab6be ] + +On A20R machines the interrupt pending bits in cause register need to be +updated by requesting the chipset to do it. This needs to be done to +find the interrupt cause and after interrupt service. In +commit 0b888c7f3a03 ("MIPS: SNI: Convert to new irq_chip functions") the +function to do after service update got lost, which caused spurious +interrupts. + +Fixes: 0b888c7f3a03 ("MIPS: SNI: Convert to new irq_chip functions") +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/sni/a20r.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/arch/mips/sni/a20r.c b/arch/mips/sni/a20r.c +index f9407e1704762..c6af7047eb0d2 100644 +--- a/arch/mips/sni/a20r.c ++++ b/arch/mips/sni/a20r.c +@@ -143,7 +143,10 @@ static struct platform_device sc26xx_pdev = { + }, + }; + +-static u32 a20r_ack_hwint(void) ++/* ++ * Trigger chipset to update CPU's CAUSE IP field ++ */ ++static u32 a20r_update_cause_ip(void) + { + u32 status = read_c0_status(); + +@@ -205,12 +208,14 @@ static void a20r_hwint(void) + int irq; + + clear_c0_status(IE_IRQ0); +- status = a20r_ack_hwint(); ++ status = a20r_update_cause_ip(); + cause = read_c0_cause(); + + irq = ffs(((cause & status) >> 8) & 0xf8); + if (likely(irq > 0)) + do_IRQ(SNI_A20R_IRQ_BASE + irq - 1); ++ ++ a20r_update_cause_ip(); + set_c0_status(IE_IRQ0); + } + +-- +2.25.1 + diff --git a/queue-4.19/nfs-zero-stateid-setattr-should-first-return-delegat.patch b/queue-4.19/nfs-zero-stateid-setattr-should-first-return-delegat.patch new file mode 100644 index 00000000000..158e2b17c37 --- /dev/null +++ b/queue-4.19/nfs-zero-stateid-setattr-should-first-return-delegat.patch @@ -0,0 +1,49 @@ +From fc6f800d28bf3352d71020c0dd03fcd65ab6bb29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Sep 2020 17:39:12 -0400 +Subject: NFS: Zero-stateid SETATTR should first return delegation + +From: Chuck Lever + +[ Upstream commit 644c9f40cf71969f29add32f32349e71d4995c0b ] + +If a write delegation isn't available, the Linux NFS client uses +a zero-stateid when performing a SETATTR. + +NFSv4.0 provides no mechanism for an NFS server to match such a +request to a particular client. It recalls all delegations for that +file, even delegations held by the client issuing the request. If +that client happens to hold a read delegation, the server will +recall it immediately, resulting in an NFS4ERR_DELAY/CB_RECALL/ +DELEGRETURN sequence. + +Optimize out this pipeline bubble by having the client return any +delegations it may hold on a file before it issues a +SETATTR(zero-stateid) on that file. + +Signed-off-by: Chuck Lever +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4proc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index 929f1d72bfd39..b2a2ff3f22a46 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -3129,8 +3129,10 @@ static int _nfs4_do_setattr(struct inode *inode, + + /* Servers should only apply open mode checks for file size changes */ + truncate = (arg->iap->ia_valid & ATTR_SIZE) ? true : false; +- if (!truncate) ++ if (!truncate) { ++ nfs4_inode_make_writeable(inode); + goto zero_stateid; ++ } + + if (nfs4_copy_delegation_stateid(inode, FMODE_WRITE, &arg->stateid, &delegation_cred)) { + /* Use that stateid */ +-- +2.25.1 + diff --git a/queue-4.19/nfsv4.1-handle-err_delay-error-reclaiming-locking-st.patch b/queue-4.19/nfsv4.1-handle-err_delay-error-reclaiming-locking-st.patch new file mode 100644 index 00000000000..dfec11783ee --- /dev/null +++ b/queue-4.19/nfsv4.1-handle-err_delay-error-reclaiming-locking-st.patch @@ -0,0 +1,45 @@ +From bea28538076ab85aafd1c8d62724e101ff4684a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 18:52:43 -0400 +Subject: NFSv4.1 handle ERR_DELAY error reclaiming locking state on delegation + recall + +From: Olga Kornievskaia + +[ Upstream commit 3d7a9520f0c3e6a68b6de8c5812fc8b6d7a52626 ] + +A client should be able to handle getting an ERR_DELAY error +while doing a LOCK call to reclaim state due to delegation being +recalled. This is a transient error that can happen due to server +moving its volumes and invalidating its file location cache and +upon reference to it during the LOCK call needing to do an +expensive lookup (leading to an ERR_DELAY error on a PUTFH). + +Signed-off-by: Olga Kornievskaia +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4proc.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index 1ef75b1deffa3..929f1d72bfd39 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -7006,7 +7006,12 @@ int nfs4_lock_delegation_recall(struct file_lock *fl, struct nfs4_state *state, + err = nfs4_set_lock_state(state, fl); + if (err != 0) + return err; +- err = _nfs4_do_setlk(state, F_SETLK, fl, NFS_LOCK_NEW); ++ do { ++ err = _nfs4_do_setlk(state, F_SETLK, fl, NFS_LOCK_NEW); ++ if (err != -NFS4ERR_DELAY) ++ break; ++ ssleep(1); ++ } while (err == -NFS4ERR_DELAY); + return nfs4_handle_delegation_recall_error(server, state, stateid, fl, err); + } + +-- +2.25.1 + diff --git a/queue-4.19/nvme-fc-cancel-async-events-before-freeing-event-str.patch b/queue-4.19/nvme-fc-cancel-async-events-before-freeing-event-str.patch new file mode 100644 index 00000000000..c6cdd831de5 --- /dev/null +++ b/queue-4.19/nvme-fc-cancel-async-events-before-freeing-event-str.patch @@ -0,0 +1,36 @@ +From 1b5e499fa56c8f5bd31923f2a1d3824d239c3e2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 17:42:54 -0500 +Subject: nvme-fc: cancel async events before freeing event struct + +From: David Milburn + +[ Upstream commit e126e8210e950bb83414c4f57b3120ddb8450742 ] + +Cancel async event work in case async event has been queued up, and +nvme_fc_submit_async_event() runs after event has been freed. + +Signed-off-by: David Milburn +Reviewed-by: Keith Busch +Reviewed-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/fc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/nvme/host/fc.c b/drivers/nvme/host/fc.c +index bb3b447c56468..73db32f97abf3 100644 +--- a/drivers/nvme/host/fc.c ++++ b/drivers/nvme/host/fc.c +@@ -1791,6 +1791,7 @@ nvme_fc_term_aen_ops(struct nvme_fc_ctrl *ctrl) + struct nvme_fc_fcp_op *aen_op; + int i; + ++ cancel_work_sync(&ctrl->ctrl.async_event_work); + aen_op = ctrl->aen_ops; + for (i = 0; i < NVME_NR_AEN_COMMANDS; i++, aen_op++) { + if (!aen_op->fcp_req.private) +-- +2.25.1 + diff --git a/queue-4.19/nvme-rdma-cancel-async-events-before-freeing-event-s.patch b/queue-4.19/nvme-rdma-cancel-async-events-before-freeing-event-s.patch new file mode 100644 index 00000000000..f7c5713ca44 --- /dev/null +++ b/queue-4.19/nvme-rdma-cancel-async-events-before-freeing-event-s.patch @@ -0,0 +1,36 @@ +From 8144eaa158a1cb4a3bfe7027f1b25a9b94e3e1bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 17:42:52 -0500 +Subject: nvme-rdma: cancel async events before freeing event struct + +From: David Milburn + +[ Upstream commit 925dd04c1f9825194b9e444c12478084813b2b5d ] + +Cancel async event work in case async event has been queued up, and +nvme_rdma_submit_async_event() runs after event has been freed. + +Signed-off-by: David Milburn +Reviewed-by: Keith Busch +Reviewed-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/rdma.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c +index 7e2cdb17c26d8..077c678166651 100644 +--- a/drivers/nvme/host/rdma.c ++++ b/drivers/nvme/host/rdma.c +@@ -740,6 +740,7 @@ static void nvme_rdma_destroy_admin_queue(struct nvme_rdma_ctrl *ctrl, + nvme_rdma_free_tagset(&ctrl->ctrl, ctrl->ctrl.admin_tagset); + } + if (ctrl->async_event_sqe.data) { ++ cancel_work_sync(&ctrl->ctrl.async_event_work); + nvme_rdma_free_qe(ctrl->device->dev, &ctrl->async_event_sqe, + sizeof(struct nvme_command), DMA_TO_DEVICE); + ctrl->async_event_sqe.data = NULL; +-- +2.25.1 + diff --git a/queue-4.19/openrisc-fix-cache-api-compile-issue-when-not-inlini.patch b/queue-4.19/openrisc-fix-cache-api-compile-issue-when-not-inlini.patch new file mode 100644 index 00000000000..d9e2435b98d --- /dev/null +++ b/queue-4.19/openrisc-fix-cache-api-compile-issue-when-not-inlini.patch @@ -0,0 +1,57 @@ +From 40c3c87b9870578d3b89ac252ec034c6450a4f71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Sep 2020 05:48:58 +0900 +Subject: openrisc: Fix cache API compile issue when not inlining + +From: Stafford Horne + +[ Upstream commit 3ae90d764093dfcd6ab8ab6875377302892c87d4 ] + +I found this when compiling a kbuild random config with GCC 11. The +config enables CONFIG_DEBUG_SECTION_MISMATCH, which sets CFLAGS +-fno-inline-functions-called-once. This causes the call to cache_loop in +cache.c to not be inlined causing the below compile error. + + In file included from arch/openrisc/mm/cache.c:13: + arch/openrisc/mm/cache.c: In function 'cache_loop': + ./arch/openrisc/include/asm/spr.h:16:27: warning: 'asm' operand 0 probably does not match constraints + 16 | #define mtspr(_spr, _val) __asm__ __volatile__ ( \ + | ^~~~~~~ + arch/openrisc/mm/cache.c:25:3: note: in expansion of macro 'mtspr' + 25 | mtspr(reg, line); + | ^~~~~ + ./arch/openrisc/include/asm/spr.h:16:27: error: impossible constraint in 'asm' + 16 | #define mtspr(_spr, _val) __asm__ __volatile__ ( \ + | ^~~~~~~ + arch/openrisc/mm/cache.c:25:3: note: in expansion of macro 'mtspr' + 25 | mtspr(reg, line); + | ^~~~~ + make[1]: *** [scripts/Makefile.build:283: arch/openrisc/mm/cache.o] Error 1 + +The asm constraint "K" requires a immediate constant argument to mtspr, +however because of no inlining a register argument is passed causing a +failure. Fix this by using __always_inline. + +Link: https://lore.kernel.org/lkml/202008200453.ohnhqkjQ%25lkp@intel.com/ +Signed-off-by: Stafford Horne +Signed-off-by: Sasha Levin +--- + arch/openrisc/mm/cache.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/openrisc/mm/cache.c b/arch/openrisc/mm/cache.c +index b747bf1fc1b63..4272d9123f9ed 100644 +--- a/arch/openrisc/mm/cache.c ++++ b/arch/openrisc/mm/cache.c +@@ -20,7 +20,7 @@ + #include + #include + +-static void cache_loop(struct page *page, const unsigned int reg) ++static __always_inline void cache_loop(struct page *page, const unsigned int reg) + { + unsigned long paddr = page_to_pfn(page) << PAGE_SHIFT; + unsigned long line = paddr & ~(L1_CACHE_BYTES - 1); +-- +2.25.1 + diff --git a/queue-4.19/perf-test-fix-the-signal-test-inline-assembly.patch b/queue-4.19/perf-test-fix-the-signal-test-inline-assembly.patch new file mode 100644 index 00000000000..32bc9e1f1d1 --- /dev/null +++ b/queue-4.19/perf-test-fix-the-signal-test-inline-assembly.patch @@ -0,0 +1,107 @@ +From 590673df6ea774df775b4cacfb21343146548085 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Sep 2020 15:00:05 +0200 +Subject: perf test: Fix the "signal" test inline assembly + +From: Jiri Olsa + +[ Upstream commit 8a39e8c4d9baf65d88f66d49ac684df381e30055 ] + +When compiling with DEBUG=1 on Fedora 32 I'm getting crash for 'perf +test signal': + + Program received signal SIGSEGV, Segmentation fault. + 0x0000000000c68548 in __test_function () + (gdb) bt + #0 0x0000000000c68548 in __test_function () + #1 0x00000000004d62e9 in test_function () at tests/bp_signal.c:61 + #2 0x00000000004d689a in test__bp_signal (test=0xa8e280 DW_AT_producer : (indirect string, offset: 0x254a): GNU C99 10.2.1 20200723 (Red Hat 10.2.1-1) -mtune=generic -march=x86-64 -ggdb3 -std=gnu99 -fno-omit-frame-pointer -funwind-tables -fstack-protector-all + ^^^^^ + ^^^^^ + ^^^^^ + $ + +Before: + + $ perf test signal + 20: Breakpoint overflow signal handler : FAILED! + $ + +After: + + $ perf test signal + 20: Breakpoint overflow signal handler : Ok + $ + +Fixes: 8fd34e1cce18 ("perf test: Improve bp_signal") +Signed-off-by: Jiri Olsa +Tested-by: Arnaldo Carvalho de Melo +Cc: Alexander Shishkin +Cc: Michael Petlan +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Wang Nan +Link: http://lore.kernel.org/lkml/20200911130005.1842138-1-jolsa@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/tests/bp_signal.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/tests/bp_signal.c b/tools/perf/tests/bp_signal.c +index 6cf00650602ef..697423ce3bdfc 100644 +--- a/tools/perf/tests/bp_signal.c ++++ b/tools/perf/tests/bp_signal.c +@@ -44,10 +44,13 @@ volatile long the_var; + #if defined (__x86_64__) + extern void __test_function(volatile long *ptr); + asm ( ++ ".pushsection .text;" + ".globl __test_function\n" ++ ".type __test_function, @function;" + "__test_function:\n" + "incq (%rdi)\n" +- "ret\n"); ++ "ret\n" ++ ".popsection\n"); + #else + static void __test_function(volatile long *ptr) + { +-- +2.25.1 + diff --git a/queue-4.19/perf-test-free-formats-for-perf-pmu-parse-test.patch b/queue-4.19/perf-test-free-formats-for-perf-pmu-parse-test.patch new file mode 100644 index 00000000000..c097f8457fb --- /dev/null +++ b/queue-4.19/perf-test-free-formats-for-perf-pmu-parse-test.patch @@ -0,0 +1,94 @@ +From 672f3270d799286def6e793a9098057ea8610d30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 12:18:19 +0900 +Subject: perf test: Free formats for perf pmu parse test + +From: Namhyung Kim + +[ Upstream commit d26383dcb2b4b8629fde05270b4e3633be9e3d4b ] + +The following leaks were detected by ASAN: + + Indirect leak of 360 byte(s) in 9 object(s) allocated from: + #0 0x7fecc305180e in calloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10780e) + #1 0x560578f6dce5 in perf_pmu__new_format util/pmu.c:1333 + #2 0x560578f752fc in perf_pmu_parse util/pmu.y:59 + #3 0x560578f6a8b7 in perf_pmu__format_parse util/pmu.c:73 + #4 0x560578e07045 in test__pmu tests/pmu.c:155 + #5 0x560578de109b in run_test tests/builtin-test.c:410 + #6 0x560578de109b in test_and_print tests/builtin-test.c:440 + #7 0x560578de401a in __cmd_test tests/builtin-test.c:661 + #8 0x560578de401a in cmd_test tests/builtin-test.c:807 + #9 0x560578e49354 in run_builtin /home/namhyung/project/linux/tools/perf/perf.c:312 + #10 0x560578ce71a8 in handle_internal_command /home/namhyung/project/linux/tools/perf/perf.c:364 + #11 0x560578ce71a8 in run_argv /home/namhyung/project/linux/tools/perf/perf.c:408 + #12 0x560578ce71a8 in main /home/namhyung/project/linux/tools/perf/perf.c:538 + #13 0x7fecc2b7acc9 in __libc_start_main ../csu/libc-start.c:308 + +Fixes: cff7f956ec4a1 ("perf tests: Move pmu tests into separate object") +Signed-off-by: Namhyung Kim +Acked-by: Jiri Olsa +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Ian Rogers +Cc: Mark Rutland +Cc: Peter Zijlstra +Cc: Stephane Eranian +Link: http://lore.kernel.org/lkml/20200915031819.386559-12-namhyung@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/tests/pmu.c | 1 + + tools/perf/util/pmu.c | 11 +++++++++++ + tools/perf/util/pmu.h | 1 + + 3 files changed, 13 insertions(+) + +diff --git a/tools/perf/tests/pmu.c b/tools/perf/tests/pmu.c +index 7bedf8608fdde..3e183eef6f857 100644 +--- a/tools/perf/tests/pmu.c ++++ b/tools/perf/tests/pmu.c +@@ -172,6 +172,7 @@ int test__pmu(struct test *test __maybe_unused, int subtest __maybe_unused) + ret = 0; + } while (0); + ++ perf_pmu__del_formats(&formats); + test_format_dir_put(format); + return ret; + } +diff --git a/tools/perf/util/pmu.c b/tools/perf/util/pmu.c +index c1acf04c9f7ab..c42054f42e7e6 100644 +--- a/tools/perf/util/pmu.c ++++ b/tools/perf/util/pmu.c +@@ -1282,6 +1282,17 @@ void perf_pmu__set_format(unsigned long *bits, long from, long to) + set_bit(b, bits); + } + ++void perf_pmu__del_formats(struct list_head *formats) ++{ ++ struct perf_pmu_format *fmt, *tmp; ++ ++ list_for_each_entry_safe(fmt, tmp, formats, list) { ++ list_del(&fmt->list); ++ free(fmt->name); ++ free(fmt); ++ } ++} ++ + static int sub_non_neg(int a, int b) + { + if (b > a) +diff --git a/tools/perf/util/pmu.h b/tools/perf/util/pmu.h +index 76fecec7b3f91..21335425f2e42 100644 +--- a/tools/perf/util/pmu.h ++++ b/tools/perf/util/pmu.h +@@ -79,6 +79,7 @@ int perf_pmu__new_format(struct list_head *list, char *name, + int config, unsigned long *bits); + void perf_pmu__set_format(unsigned long *bits, long from, long to); + int perf_pmu__format_parse(char *dir, struct list_head *head); ++void perf_pmu__del_formats(struct list_head *formats); + + struct perf_pmu *perf_pmu__scan(struct perf_pmu *pmu); + +-- +2.25.1 + diff --git a/queue-4.19/rapidio-replace-select-dmaengines-with-depends-on.patch b/queue-4.19/rapidio-replace-select-dmaengines-with-depends-on.patch new file mode 100644 index 00000000000..aba9a0227c6 --- /dev/null +++ b/queue-4.19/rapidio-replace-select-dmaengines-with-depends-on.patch @@ -0,0 +1,37 @@ +From f9ae7da24a93436d93555fd4bb03fb015b2992a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Jul 2020 01:19:40 +0300 +Subject: rapidio: Replace 'select' DMAENGINES 'with depends on' + +From: Laurent Pinchart + +[ Upstream commit d2b86100245080cfdf1e95e9e07477474c1be2bd ] + +Enabling a whole subsystem from a single driver 'select' is frowned +upon and won't be accepted in new drivers, that need to use 'depends on' +instead. Existing selection of DMAENGINES will then cause circular +dependencies. Replace them with a dependency. + +Signed-off-by: Laurent Pinchart +Acked-by: Randy Dunlap +Signed-off-by: Sasha Levin +--- + drivers/rapidio/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/rapidio/Kconfig b/drivers/rapidio/Kconfig +index d6d2f20c45977..21df2816def76 100644 +--- a/drivers/rapidio/Kconfig ++++ b/drivers/rapidio/Kconfig +@@ -25,7 +25,7 @@ config RAPIDIO_ENABLE_RX_TX_PORTS + config RAPIDIO_DMA_ENGINE + bool "DMA Engine support for RapidIO" + depends on RAPIDIO +- select DMADEVICES ++ depends on DMADEVICES + select DMA_ENGINE + help + Say Y here if you want to use DMA Engine frameork for RapidIO data +-- +2.25.1 + diff --git a/queue-4.19/regulator-pwm-fix-machine-constraints-application.patch b/queue-4.19/regulator-pwm-fix-machine-constraints-application.patch new file mode 100644 index 00000000000..01d6149978a --- /dev/null +++ b/queue-4.19/regulator-pwm-fix-machine-constraints-application.patch @@ -0,0 +1,63 @@ +From 131efa52f871456e70fac6a318e24525fb54f833 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 15:09:52 +0200 +Subject: regulator: pwm: Fix machine constraints application + +From: Vincent Whitchurch + +[ Upstream commit 59ae97a7a9e1499c2070e29841d1c4be4ae2994a ] + +If the zero duty cycle doesn't correspond to any voltage in the voltage +table, the PWM regulator returns an -EINVAL from get_voltage_sel() which +results in the core erroring out with a "failed to get the current +voltage" and ending up not applying the machine constraints. + +Instead, return -ENOTRECOVERABLE which makes the core set the voltage +since it's at an unknown value. + +For example, with this device tree: + + fooregulator { + compatible = "pwm-regulator"; + pwms = <&foopwm 0 100000>; + regulator-min-microvolt = <2250000>; + regulator-max-microvolt = <2250000>; + regulator-name = "fooregulator"; + regulator-always-on; + regulator-boot-on; + voltage-table = <2250000 30>; + }; + +Before this patch: + + fooregulator: failed to get the current voltage(-22) + +After this patch: + + fooregulator: Setting 2250000-2250000uV + fooregulator: 2250 mV + +Signed-off-by: Vincent Whitchurch +Link: https://lore.kernel.org/r/20200902130952.24880-1-vincent.whitchurch@axis.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/pwm-regulator.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/regulator/pwm-regulator.c b/drivers/regulator/pwm-regulator.c +index a2fd140eff81a..34f3b9778ffa1 100644 +--- a/drivers/regulator/pwm-regulator.c ++++ b/drivers/regulator/pwm-regulator.c +@@ -285,7 +285,7 @@ static int pwm_regulator_init_table(struct platform_device *pdev, + return ret; + } + +- drvdata->state = -EINVAL; ++ drvdata->state = -ENOTRECOVERABLE; + drvdata->duty_cycle_table = duty_cycle_table; + memcpy(&drvdata->ops, &pwm_regulator_voltage_table_ops, + sizeof(drvdata->ops)); +-- +2.25.1 + diff --git a/queue-4.19/scsi-libfc-fix-for-double-free.patch b/queue-4.19/scsi-libfc-fix-for-double-free.patch new file mode 100644 index 00000000000..11b09731102 --- /dev/null +++ b/queue-4.19/scsi-libfc-fix-for-double-free.patch @@ -0,0 +1,37 @@ +From b0c3f8b780925624537ab6320686e6f46d5d268a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Aug 2020 02:39:40 -0700 +Subject: scsi: libfc: Fix for double free() + +From: Javed Hasan + +[ Upstream commit 5a5b80f98534416b3b253859897e2ba1dc241e70 ] + +Fix for '&fp->skb' double free. + +Link: +https://lore.kernel.org/r/20200825093940.19612-1-jhasan@marvell.com +Reported-by: Dan Carpenter +Signed-off-by: Javed Hasan +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/libfc/fc_disc.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/scsi/libfc/fc_disc.c b/drivers/scsi/libfc/fc_disc.c +index 78cf5b32bca67..0b3f4538c1d4d 100644 +--- a/drivers/scsi/libfc/fc_disc.c ++++ b/drivers/scsi/libfc/fc_disc.c +@@ -646,8 +646,6 @@ free_fp: + fc_frame_free(fp); + out: + kref_put(&rdata->kref, fc_rport_destroy); +- if (!IS_ERR(fp)) +- fc_frame_free(fp); + } + + /** +-- +2.25.1 + diff --git a/queue-4.19/scsi-lpfc-fix-flogi-plogi-receive-race-condition-in-.patch b/queue-4.19/scsi-lpfc-fix-flogi-plogi-receive-race-condition-in-.patch new file mode 100644 index 00000000000..2f7da8f5df5 --- /dev/null +++ b/queue-4.19/scsi-lpfc-fix-flogi-plogi-receive-race-condition-in-.patch @@ -0,0 +1,62 @@ +From f630b541a36c5fe03393310789f3a94aa45e535c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Aug 2020 10:53:30 -0700 +Subject: scsi: lpfc: Fix FLOGI/PLOGI receive race condition in pt2pt discovery + +From: James Smart + +[ Upstream commit 7b08e89f98cee9907895fabb64cf437bc505ce9a ] + +The driver is unable to successfully login with remote device. During pt2pt +login, the driver completes its FLOGI request with the remote device having +WWN precedence. The remote device issues its own (delayed) FLOGI after +accepting the driver's and, upon transmitting the FLOGI, immediately +recognizes it has already processed the driver's FLOGI thus it transitions +to sending a PLOGI before waiting for an ACC to its FLOGI. + +In the driver, the FLOGI is received and an ACC sent, followed by the PLOGI +being received and an ACC sent. The issue is that the PLOGI reception +occurs before the response from the adapter from the FLOGI ACC is +received. Processing of the PLOGI sets state flags to perform the REG_RPI +mailbox command and proceed with the rest of discovery on the port. The +same completion routine used by both FLOGI and PLOGI is generic in +nature. One of the things it does is clear flags, and those flags happen to +drive the rest of discovery. So what happened was the PLOGI processing set +the flags, the FLOGI ACC completion cleared them, thus when the PLOGI ACC +completes it doesn't see the flags and stops. + +Fix by modifying the generic completion routine to not clear the rest of +discovery flag (NLP_ACC_REGLOGIN) unless the completion is also associated +with performing a mailbox command as part of its handling. For things such +as FLOGI ACC, there isn't a subsequent action to perform with the adapter, +thus there is no mailbox cmd ptr. PLOGI ACC though will perform REG_RPI +upon completion, thus there is a mailbox cmd ptr. + +Link: https://lore.kernel.org/r/20200828175332.130300-3-james.smart@broadcom.com +Co-developed-by: Dick Kennedy +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_els.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c +index 9032793c405eb..6a4b496081e4a 100644 +--- a/drivers/scsi/lpfc/lpfc_els.c ++++ b/drivers/scsi/lpfc/lpfc_els.c +@@ -4112,7 +4112,9 @@ lpfc_cmpl_els_rsp(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb, + out: + if (ndlp && NLP_CHK_NODE_ACT(ndlp) && shost) { + spin_lock_irq(shost->host_lock); +- ndlp->nlp_flag &= ~(NLP_ACC_REGLOGIN | NLP_RM_DFLT_RPI); ++ if (mbox) ++ ndlp->nlp_flag &= ~NLP_ACC_REGLOGIN; ++ ndlp->nlp_flag &= ~NLP_RM_DFLT_RPI; + spin_unlock_irq(shost->host_lock); + + /* If the node is not being used by another discovery thread, +-- +2.25.1 + diff --git a/queue-4.19/scsi-pm8001-fix-memleak-in-pm8001_exec_internal_task.patch b/queue-4.19/scsi-pm8001-fix-memleak-in-pm8001_exec_internal_task.patch new file mode 100644 index 00000000000..32b8590dccd --- /dev/null +++ b/queue-4.19/scsi-pm8001-fix-memleak-in-pm8001_exec_internal_task.patch @@ -0,0 +1,37 @@ +From c1534d8c34d325d272aa3149c2de86e54587ac62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Aug 2020 17:14:53 +0800 +Subject: scsi: pm8001: Fix memleak in pm8001_exec_internal_task_abort + +From: Dinghao Liu + +[ Upstream commit ea403fde7552bd61bad6ea45e3feb99db77cb31e ] + +When pm8001_tag_alloc() fails, task should be freed just like it is done in +the subsequent error paths. + +Link: https://lore.kernel.org/r/20200823091453.4782-1-dinghao.liu@zju.edu.cn +Acked-by: Jack Wang +Signed-off-by: Dinghao Liu +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/pm8001/pm8001_sas.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/pm8001/pm8001_sas.c b/drivers/scsi/pm8001/pm8001_sas.c +index 5be4212312cb0..ba79b37d8cf7e 100644 +--- a/drivers/scsi/pm8001/pm8001_sas.c ++++ b/drivers/scsi/pm8001/pm8001_sas.c +@@ -794,7 +794,7 @@ pm8001_exec_internal_task_abort(struct pm8001_hba_info *pm8001_ha, + + res = pm8001_tag_alloc(pm8001_ha, &ccb_tag); + if (res) +- return res; ++ goto ex_err; + ccb = &pm8001_ha->ccb_info[ccb_tag]; + ccb->device = pm8001_dev; + ccb->ccb_tag = ccb_tag; +-- +2.25.1 + diff --git a/queue-4.19/series b/queue-4.19/series index ba590e848c8..5ae4af5b283 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -6,3 +6,31 @@ gfs2-initialize-transaction-tr_ailx_lists-earlier.patch rdma-bnxt_re-restrict-the-max_gids-to-256.patch net-handle-the-return-value-of-pskb_carve_frag_list-correctly.patch hv_netvsc-remove-unlikely-from-netvsc_select_queue.patch +nfsv4.1-handle-err_delay-error-reclaiming-locking-st.patch +scsi-pm8001-fix-memleak-in-pm8001_exec_internal_task.patch +scsi-libfc-fix-for-double-free.patch +scsi-lpfc-fix-flogi-plogi-receive-race-condition-in-.patch +regulator-pwm-fix-machine-constraints-application.patch +spi-spi-loopback-test-fix-out-of-bounds-read.patch +nfs-zero-stateid-setattr-should-first-return-delegat.patch +sunrpc-stop-printk-reading-past-end-of-string.patch +rapidio-replace-select-dmaengines-with-depends-on.patch +openrisc-fix-cache-api-compile-issue-when-not-inlini.patch +nvme-fc-cancel-async-events-before-freeing-event-str.patch +nvme-rdma-cancel-async-events-before-freeing-event-s.patch +f2fs-fix-indefinite-loop-scanning-for-free-nid.patch +f2fs-return-eof-on-unaligned-end-of-file-dio-read.patch +i2c-algo-pca-reapply-i2c-bus-settings-after-reset.patch +spi-fix-memory-leak-on-splited-transfers.patch +kvm-mips-change-the-definition-of-kvm-type.patch +clk-davinci-use-the-correct-size-when-allocating-mem.patch +clk-rockchip-fix-initialization-of-mux_pll_src_4plls.patch +asoc-qcom-set-card-owner-to-avoid-warnings.patch +drivers-hv-vmbus-add-timeout-to-vmbus_wait_for_unloa.patch +perf-test-fix-the-signal-test-inline-assembly.patch +mips-sni-fix-mips_l1_cache_shift.patch +perf-test-free-formats-for-perf-pmu-parse-test.patch +fbcon-fix-user-font-detection-test-at-fbcon_resize.patch +mips-sni-fix-spurious-interrupts.patch +drm-mediatek-add-exception-handing-in-mtk_drm_probe-.patch +drm-mediatek-add-missing-put_device-call-in-mtk_hdmi.patch diff --git a/queue-4.19/spi-fix-memory-leak-on-splited-transfers.patch b/queue-4.19/spi-fix-memory-leak-on-splited-transfers.patch new file mode 100644 index 00000000000..4b15bbd5970 --- /dev/null +++ b/queue-4.19/spi-fix-memory-leak-on-splited-transfers.patch @@ -0,0 +1,77 @@ +From f854d7c808294993796716132b06b80b17a8c5d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 17:11:29 +0200 +Subject: spi: Fix memory leak on splited transfers + +From: Gustav Wiklander + +[ Upstream commit b59a7ca15464c78ea1ba3b280cfc5ac5ece11ade ] + +In the prepare_message callback the bus driver has the +opportunity to split a transfer into smaller chunks. +spi_map_msg is done after prepare_message. + +Function spi_res_release releases the splited transfers +in the message. Therefore spi_res_release should be called +after spi_map_msg. + +The previous try at this was commit c9ba7a16d0f1 +which released the splited transfers after +spi_finalize_current_message had been called. +This introduced a race since the message struct could be +out of scope because the spi_sync call got completed. + +Fixes this leak on spi bus driver spi-bcm2835.c when transfer +size is greater than 65532: + +Kmemleak: +sg_alloc_table+0x28/0xc8 +spi_map_buf+0xa4/0x300 +__spi_pump_messages+0x370/0x748 +__spi_sync+0x1d4/0x270 +spi_sync+0x34/0x58 +spi_test_execute_msg+0x60/0x340 [spi_loopback_test] +spi_test_run_iter+0x548/0x578 [spi_loopback_test] +spi_test_run_test+0x94/0x140 [spi_loopback_test] +spi_test_run_tests+0x150/0x180 [spi_loopback_test] +spi_loopback_test_probe+0x50/0xd0 [spi_loopback_test] +spi_drv_probe+0x84/0xe0 + +Signed-off-by: Gustav Wiklander +Link: https://lore.kernel.org/r/20200908151129.15915-1-gustav.wiklander@axis.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c +index 92e6b6774d98e..1fd529a2d2f6b 100644 +--- a/drivers/spi/spi.c ++++ b/drivers/spi/spi.c +@@ -1116,8 +1116,6 @@ out: + if (msg->status && ctlr->handle_err) + ctlr->handle_err(ctlr, msg); + +- spi_res_release(ctlr, msg); +- + spi_finalize_current_message(ctlr); + + return ret; +@@ -1375,6 +1373,13 @@ void spi_finalize_current_message(struct spi_controller *ctlr) + + spi_unmap_msg(ctlr, mesg); + ++ /* In the prepare_messages callback the spi bus has the opportunity to ++ * split a transfer to smaller chunks. ++ * Release splited transfers here since spi_map_msg is done on the ++ * splited transfers. ++ */ ++ spi_res_release(ctlr, mesg); ++ + if (ctlr->cur_msg_prepared && ctlr->unprepare_message) { + ret = ctlr->unprepare_message(ctlr, mesg); + if (ret) { +-- +2.25.1 + diff --git a/queue-4.19/spi-spi-loopback-test-fix-out-of-bounds-read.patch b/queue-4.19/spi-spi-loopback-test-fix-out-of-bounds-read.patch new file mode 100644 index 00000000000..4ec4fecb45e --- /dev/null +++ b/queue-4.19/spi-spi-loopback-test-fix-out-of-bounds-read.patch @@ -0,0 +1,65 @@ +From 04c8857d0d324faeb60febee732274e31cfc1b45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 15:23:41 +0200 +Subject: spi: spi-loopback-test: Fix out-of-bounds read + +From: Vincent Whitchurch + +[ Upstream commit 837ba18dfcd4db21ad58107c65bfe89753aa56d7 ] + +The "tx/rx-transfer - crossing PAGE_SIZE" test always fails when +len=131071 and rx_offset >= 5: + + spi-loopback-test spi0.0: Running test tx/rx-transfer - crossing PAGE_SIZE + ... + with iteration values: len = 131071, tx_off = 0, rx_off = 3 + with iteration values: len = 131071, tx_off = 0, rx_off = 4 + with iteration values: len = 131071, tx_off = 0, rx_off = 5 + loopback strangeness - rx changed outside of allowed range at: ...a4321000 + spi_msg@ffffffd5a4157690 + frame_length: 131071 + actual_length: 131071 + spi_transfer@ffffffd5a41576f8 + len: 131071 + tx_buf: ffffffd5a4340ffc + +Note that rx_offset > 3 can only occur if the SPI controller driver sets +->dma_alignment to a higher value than 4, so most SPI controller drivers +are not affect. + +The allocated Rx buffer is of size SPI_TEST_MAX_SIZE_PLUS, which is 132 +KiB (assuming 4 KiB pages). This test uses an initial offset into the +rx_buf of PAGE_SIZE - 4, and a len of 131071, so the range expected to +be written in this transfer ends at (4096 - 4) + 5 + 131071 == 132 KiB, +which is also the end of the allocated buffer. But the code which +verifies the content of the buffer reads a byte beyond the allocated +buffer and spuriously fails because this out-of-bounds read doesn't +return the expected value. + +Fix this by using ITERATE_LEN instead of ITERATE_MAX_LEN to avoid +testing sizes which cause out-of-bounds reads. + +Signed-off-by: Vincent Whitchurch +Link: https://lore.kernel.org/r/20200902132341.7079-1-vincent.whitchurch@axis.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-loopback-test.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-loopback-test.c b/drivers/spi/spi-loopback-test.c +index bed7403bb6b3a..b9a7117b6dce3 100644 +--- a/drivers/spi/spi-loopback-test.c ++++ b/drivers/spi/spi-loopback-test.c +@@ -99,7 +99,7 @@ static struct spi_test spi_tests[] = { + { + .description = "tx/rx-transfer - crossing PAGE_SIZE", + .fill_option = FILL_COUNT_8, +- .iterate_len = { ITERATE_MAX_LEN }, ++ .iterate_len = { ITERATE_LEN }, + .iterate_tx_align = ITERATE_ALIGN, + .iterate_rx_align = ITERATE_ALIGN, + .transfer_count = 1, +-- +2.25.1 + diff --git a/queue-4.19/sunrpc-stop-printk-reading-past-end-of-string.patch b/queue-4.19/sunrpc-stop-printk-reading-past-end-of-string.patch new file mode 100644 index 00000000000..faf945d0b0c --- /dev/null +++ b/queue-4.19/sunrpc-stop-printk-reading-past-end-of-string.patch @@ -0,0 +1,39 @@ +From dde0d151a3fef43d171ba5058968d0c442ed049c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Sep 2020 10:03:26 -0400 +Subject: SUNRPC: stop printk reading past end of string + +From: J. Bruce Fields + +[ Upstream commit 8c6b6c793ed32b8f9770ebcdf1ba99af423c303b ] + +Since p points at raw xdr data, there's no guarantee that it's NULL +terminated, so we should give a length. And probably escape any special +characters too. + +Reported-by: Zhi Li +Signed-off-by: J. Bruce Fields +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + net/sunrpc/rpcb_clnt.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/sunrpc/rpcb_clnt.c b/net/sunrpc/rpcb_clnt.c +index 08b5fa4a2852a..ba8f367312289 100644 +--- a/net/sunrpc/rpcb_clnt.c ++++ b/net/sunrpc/rpcb_clnt.c +@@ -981,8 +981,8 @@ static int rpcb_dec_getaddr(struct rpc_rqst *req, struct xdr_stream *xdr, + p = xdr_inline_decode(xdr, len); + if (unlikely(p == NULL)) + goto out_fail; +- dprintk("RPC: %5u RPCB_%s reply: %s\n", req->rq_task->tk_pid, +- req->rq_task->tk_msg.rpc_proc->p_name, (char *)p); ++ dprintk("RPC: %5u RPCB_%s reply: %*pE\n", req->rq_task->tk_pid, ++ req->rq_task->tk_msg.rpc_proc->p_name, len, (char *)p); + + if (rpc_uaddr2sockaddr(req->rq_xprt->xprt_net, (char *)p, len, + sap, sizeof(address)) == 0) +-- +2.25.1 +