From: Sasha Levin Date: Sun, 16 Aug 2020 13:50:49 +0000 (-0400) Subject: Fixes for 4.4 X-Git-Tag: v4.19.140~52 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=96f60c034d35f6532d46f6d953ad8222e4ba3a16;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.4 Signed-off-by: Sasha Levin --- diff --git a/queue-4.4/acpica-do-not-increment-operation_region-reference-c.patch b/queue-4.4/acpica-do-not-increment-operation_region-reference-c.patch new file mode 100644 index 00000000000..96b0cf17b39 --- /dev/null +++ b/queue-4.4/acpica-do-not-increment-operation_region-reference-c.patch @@ -0,0 +1,81 @@ +From 815c81ecf08c54adfd11e13be93a08eb0ae4c5e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jul 2020 10:31:20 -0700 +Subject: ACPICA: Do not increment operation_region reference counts for field + units + +From: Erik Kaneda + +[ Upstream commit 6a54ebae6d047c988a31f5ac5a64ab5cf83797a2 ] + +ACPICA commit e17b28cfcc31918d0db9547b6b274b09c413eb70 + +Object reference counts are used as a part of ACPICA's garbage +collection mechanism. This mechanism keeps track of references to +heap-allocated structures such as the ACPI operand objects. + +Recent server firmware has revealed that this reference count can +overflow on large servers that declare many field units under the +same operation_region. This occurs because each field unit declaration +will add a reference count to the source operation_region. + +This change solves the reference count overflow for operation_regions +objects by preventing fieldunits from incrementing their +operation_region's reference count. Each operation_region's reference +count will not be changed by named objects declared under the Field +operator. During namespace deletion, the operation_region namespace +node will be deleted and each fieldunit will be deleted without +touching the deleted operation_region object. + +Link: https://github.com/acpica/acpica/commit/e17b28cf +Signed-off-by: Erik Kaneda +Signed-off-by: Bob Moore +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/exprep.c | 4 ---- + drivers/acpi/acpica/utdelete.c | 6 +----- + 2 files changed, 1 insertion(+), 9 deletions(-) + +diff --git a/drivers/acpi/acpica/exprep.c b/drivers/acpi/acpica/exprep.c +index 4c2836dc825be..47d8a85c90ff5 100644 +--- a/drivers/acpi/acpica/exprep.c ++++ b/drivers/acpi/acpica/exprep.c +@@ -502,10 +502,6 @@ acpi_status acpi_ex_prep_field_value(struct acpi_create_field_info *info) + (u8)access_byte_width; + } + } +- /* An additional reference for the container */ +- +- acpi_ut_add_reference(obj_desc->field.region_obj); +- + ACPI_DEBUG_PRINT((ACPI_DB_BFIELD, + "RegionField: BitOff %X, Off %X, Gran %X, Region %p\n", + obj_desc->field.start_field_bit_offset, +diff --git a/drivers/acpi/acpica/utdelete.c b/drivers/acpi/acpica/utdelete.c +index 1638312e3d8f9..9f8b088e21d7e 100644 +--- a/drivers/acpi/acpica/utdelete.c ++++ b/drivers/acpi/acpica/utdelete.c +@@ -590,11 +590,6 @@ acpi_ut_update_object_reference(union acpi_operand_object *object, u16 action) + next_object = object->buffer_field.buffer_obj; + break; + +- case ACPI_TYPE_LOCAL_REGION_FIELD: +- +- next_object = object->field.region_obj; +- break; +- + case ACPI_TYPE_LOCAL_BANK_FIELD: + + next_object = object->bank_field.bank_obj; +@@ -635,6 +630,7 @@ acpi_ut_update_object_reference(union acpi_operand_object *object, u16 action) + } + break; + ++ case ACPI_TYPE_LOCAL_REGION_FIELD: + case ACPI_TYPE_REGION: + default: + +-- +2.25.1 + diff --git a/queue-4.4/agp-intel-fix-a-memory-leak-on-module-initialisation.patch b/queue-4.4/agp-intel-fix-a-memory-leak-on-module-initialisation.patch new file mode 100644 index 00000000000..b82032ccb46 --- /dev/null +++ b/queue-4.4/agp-intel-fix-a-memory-leak-on-module-initialisation.patch @@ -0,0 +1,43 @@ +From 625c112477f4b50aa731b81dd96b33dc335afcc3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 May 2020 09:34:51 +0100 +Subject: agp/intel: Fix a memory leak on module initialisation failure + +From: Qiushi Wu + +[ Upstream commit b975abbd382fe442713a4c233549abb90e57c22b ] + +In intel_gtt_setup_scratch_page(), pointer "page" is not released if +pci_dma_mapping_error() return an error, leading to a memory leak on +module initialisation failure. Simply fix this issue by freeing "page" +before return. + +Fixes: 0e87d2b06cb46 ("intel-gtt: initialize our own scratch page") +Signed-off-by: Qiushi Wu +Reviewed-by: Chris Wilson +Signed-off-by: Chris Wilson +Link: https://patchwork.freedesktop.org/patch/msgid/20200522083451.7448-1-chris@chris-wilson.co.uk +Signed-off-by: Sasha Levin +--- + drivers/char/agp/intel-gtt.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/char/agp/intel-gtt.c b/drivers/char/agp/intel-gtt.c +index 76afc841232cf..3d11f5adb355e 100644 +--- a/drivers/char/agp/intel-gtt.c ++++ b/drivers/char/agp/intel-gtt.c +@@ -303,8 +303,10 @@ static int intel_gtt_setup_scratch_page(void) + if (intel_private.needs_dmar) { + dma_addr = pci_map_page(intel_private.pcidev, page, 0, + PAGE_SIZE, PCI_DMA_BIDIRECTIONAL); +- if (pci_dma_mapping_error(intel_private.pcidev, dma_addr)) ++ if (pci_dma_mapping_error(intel_private.pcidev, dma_addr)) { ++ __free_page(page); + return -EINVAL; ++ } + + intel_private.scratch_page_dma = dma_addr; + } else +-- +2.25.1 + diff --git a/queue-4.4/arm-at91-pm-add-missing-put_device-call-in-at91_pm_s.patch b/queue-4.4/arm-at91-pm-add-missing-put_device-call-in-at91_pm_s.patch new file mode 100644 index 00000000000..86eddac758b --- /dev/null +++ b/queue-4.4/arm-at91-pm-add-missing-put_device-call-in-at91_pm_s.patch @@ -0,0 +1,64 @@ +From 571cf66875b5b634bd1dbd281ab921346c599198 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jun 2020 20:33:01 +0800 +Subject: ARM: at91: pm: add missing put_device() call in at91_pm_sram_init() + +From: yu kuai + +[ Upstream commit f87a4f022c44e5b87e842a9f3e644fba87e8385f ] + +if of_find_device_by_node() succeed, at91_pm_sram_init() doesn't have +a corresponding put_device(). Thus add a jump target to fix the exception +handling for this function implementation. + +Fixes: d2e467905596 ("ARM: at91: pm: use the mmio-sram pool to access SRAM") +Signed-off-by: yu kuai +Signed-off-by: Alexandre Belloni +Link: https://lore.kernel.org/r/20200604123301.3905837-1-yukuai3@huawei.com +Signed-off-by: Sasha Levin +--- + arch/arm/mach-at91/pm.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/mach-at91/pm.c b/arch/arm/mach-at91/pm.c +index 84eefbc2b4f93..5923f2ca510be 100644 +--- a/arch/arm/mach-at91/pm.c ++++ b/arch/arm/mach-at91/pm.c +@@ -393,13 +393,13 @@ static void __init at91_pm_sram_init(void) + sram_pool = gen_pool_get(&pdev->dev, NULL); + if (!sram_pool) { + pr_warn("%s: sram pool unavailable!\n", __func__); +- return; ++ goto out_put_device; + } + + sram_base = gen_pool_alloc(sram_pool, at91_pm_suspend_in_sram_sz); + if (!sram_base) { + pr_warn("%s: unable to alloc sram!\n", __func__); +- return; ++ goto out_put_device; + } + + sram_pbase = gen_pool_virt_to_phys(sram_pool, sram_base); +@@ -407,12 +407,17 @@ static void __init at91_pm_sram_init(void) + at91_pm_suspend_in_sram_sz, false); + if (!at91_suspend_sram_fn) { + pr_warn("SRAM: Could not map\n"); +- return; ++ goto out_put_device; + } + + /* Copy the pm suspend handler to SRAM */ + at91_suspend_sram_fn = fncpy(at91_suspend_sram_fn, + &at91_pm_suspend_in_sram, at91_pm_suspend_in_sram_sz); ++ return; ++ ++out_put_device: ++ put_device(&pdev->dev); ++ return; + } + + static void __init at91_pm_init(void) +-- +2.25.1 + diff --git a/queue-4.4/arm-socfpga-pm-add-missing-put_device-call-in-socfpg.patch b/queue-4.4/arm-socfpga-pm-add-missing-put_device-call-in-socfpg.patch new file mode 100644 index 00000000000..7647d1984e5 --- /dev/null +++ b/queue-4.4/arm-socfpga-pm-add-missing-put_device-call-in-socfpg.patch @@ -0,0 +1,64 @@ +From f180d55ec8ff4feaa79eff6700574cc0b1bdccc8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Jul 2020 21:45:51 +0800 +Subject: ARM: socfpga: PM: add missing put_device() call in + socfpga_setup_ocram_self_refresh() + +From: Yu Kuai + +[ Upstream commit 3ad7b4e8f89d6bcc9887ca701cf2745a6aedb1a0 ] + +if of_find_device_by_node() succeed, socfpga_setup_ocram_self_refresh +doesn't have a corresponding put_device(). Thus add a jump target to +fix the exception handling for this function implementation. + +Fixes: 44fd8c7d4005 ("ARM: socfpga: support suspend to ram") +Signed-off-by: Yu Kuai +Signed-off-by: Dinh Nguyen +Signed-off-by: Sasha Levin +--- + arch/arm/mach-socfpga/pm.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/mach-socfpga/pm.c b/arch/arm/mach-socfpga/pm.c +index c378ab0c24317..93f2245c97750 100644 +--- a/arch/arm/mach-socfpga/pm.c ++++ b/arch/arm/mach-socfpga/pm.c +@@ -60,14 +60,14 @@ static int socfpga_setup_ocram_self_refresh(void) + if (!ocram_pool) { + pr_warn("%s: ocram pool unavailable!\n", __func__); + ret = -ENODEV; +- goto put_node; ++ goto put_device; + } + + ocram_base = gen_pool_alloc(ocram_pool, socfpga_sdram_self_refresh_sz); + if (!ocram_base) { + pr_warn("%s: unable to alloc ocram!\n", __func__); + ret = -ENOMEM; +- goto put_node; ++ goto put_device; + } + + ocram_pbase = gen_pool_virt_to_phys(ocram_pool, ocram_base); +@@ -78,7 +78,7 @@ static int socfpga_setup_ocram_self_refresh(void) + if (!suspend_ocram_base) { + pr_warn("%s: __arm_ioremap_exec failed!\n", __func__); + ret = -ENOMEM; +- goto put_node; ++ goto put_device; + } + + /* Copy the code that puts DDR in self refresh to ocram */ +@@ -92,6 +92,8 @@ static int socfpga_setup_ocram_self_refresh(void) + if (!socfpga_sdram_self_refresh_in_ocram) + ret = -EFAULT; + ++put_device: ++ put_device(&pdev->dev); + put_node: + of_node_put(np); + +-- +2.25.1 + diff --git a/queue-4.4/bcache-fix-super-block-seq-numbers-comparision-in-re.patch b/queue-4.4/bcache-fix-super-block-seq-numbers-comparision-in-re.patch new file mode 100644 index 00000000000..ca2ef0af85d --- /dev/null +++ b/queue-4.4/bcache-fix-super-block-seq-numbers-comparision-in-re.patch @@ -0,0 +1,79 @@ +From 968b8b3e68dacac3fa5d441acd0096b52bb882da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Jul 2020 20:00:26 +0800 +Subject: bcache: fix super block seq numbers comparision in + register_cache_set() + +From: Coly Li + +[ Upstream commit 117f636ea695270fe492d0c0c9dfadc7a662af47 ] + +In register_cache_set(), c is pointer to struct cache_set, and ca is +pointer to struct cache, if ca->sb.seq > c->sb.seq, it means this +registering cache has up to date version and other members, the in- +memory version and other members should be updated to the newer value. + +But current implementation makes a cache set only has a single cache +device, so the above assumption works well except for a special case. +The execption is when a cache device new created and both ca->sb.seq and +c->sb.seq are 0, because the super block is never flushed out yet. In +the location for the following if() check, +2156 if (ca->sb.seq > c->sb.seq) { +2157 c->sb.version = ca->sb.version; +2158 memcpy(c->sb.set_uuid, ca->sb.set_uuid, 16); +2159 c->sb.flags = ca->sb.flags; +2160 c->sb.seq = ca->sb.seq; +2161 pr_debug("set version = %llu\n", c->sb.version); +2162 } +c->sb.version is not initialized yet and valued 0. When ca->sb.seq is 0, +the if() check will fail (because both values are 0), and the cache set +version, set_uuid, flags and seq won't be updated. + +The above problem is hiden for current code, because the bucket size is +compatible among different super block version. And the next time when +running cache set again, ca->sb.seq will be larger than 0 and cache set +super block version will be updated properly. + +But if the large bucket feature is enabled, sb->bucket_size is the low +16bits of the bucket size. For a power of 2 value, when the actual +bucket size exceeds 16bit width, sb->bucket_size will always be 0. Then +read_super_common() will fail because the if() check to +is_power_of_2(sb->bucket_size) is false. This is how the long time +hidden bug is triggered. + +This patch modifies the if() check to the following way, +2156 if (ca->sb.seq > c->sb.seq || c->sb.seq == 0) { +Then cache set's version, set_uuid, flags and seq will always be updated +corectly including for a new created cache device. + +Signed-off-by: Coly Li +Reviewed-by: Hannes Reinecke +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/md/bcache/super.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c +index df8f1e69077f6..23ffd4469dabb 100644 +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -1778,7 +1778,14 @@ static const char *register_cache_set(struct cache *ca) + sysfs_create_link(&c->kobj, &ca->kobj, buf)) + goto err; + +- if (ca->sb.seq > c->sb.seq) { ++ /* ++ * A special case is both ca->sb.seq and c->sb.seq are 0, ++ * such condition happens on a new created cache device whose ++ * super block is never flushed yet. In this case c->sb.version ++ * and other members should be updated too, otherwise we will ++ * have a mistaken super block version in cache set. ++ */ ++ if (ca->sb.seq > c->sb.seq || c->sb.seq == 0) { + c->sb.version = ca->sb.version; + memcpy(c->sb.set_uuid, ca->sb.set_uuid, 16); + c->sb.flags = ca->sb.flags; +-- +2.25.1 + diff --git a/queue-4.4/bdc-fix-bug-causing-crash-after-multiple-disconnects.patch b/queue-4.4/bdc-fix-bug-causing-crash-after-multiple-disconnects.patch new file mode 100644 index 00000000000..239e24b5d0d --- /dev/null +++ b/queue-4.4/bdc-fix-bug-causing-crash-after-multiple-disconnects.patch @@ -0,0 +1,92 @@ +From 89b98416110c0196f7b692b367d908a5ef10df30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Jul 2020 13:07:42 -0400 +Subject: bdc: Fix bug causing crash after multiple disconnects + +From: Sasi Kumar + +[ Upstream commit a95bdfd22076497288868c028619bc5995f5cc7f ] + +Multiple connects/disconnects can cause a crash on the second +disconnect. The driver had a problem where it would try to send +endpoint commands after it was disconnected which is not allowed +by the hardware. The fix is to only allow the endpoint commands +when the endpoint is connected. This will also fix issues that +showed up when using configfs to create gadgets. + +Signed-off-by: Sasi Kumar +Signed-off-by: Al Cooper +Acked-by: Florian Fainelli +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/bdc/bdc_core.c | 4 ++++ + drivers/usb/gadget/udc/bdc/bdc_ep.c | 16 ++++++++++------ + 2 files changed, 14 insertions(+), 6 deletions(-) + +diff --git a/drivers/usb/gadget/udc/bdc/bdc_core.c b/drivers/usb/gadget/udc/bdc/bdc_core.c +index e9bd8d4abca00..f09a74d79c9eb 100644 +--- a/drivers/usb/gadget/udc/bdc/bdc_core.c ++++ b/drivers/usb/gadget/udc/bdc/bdc_core.c +@@ -286,6 +286,7 @@ static void bdc_mem_init(struct bdc *bdc, bool reinit) + * in that case reinit is passed as 1 + */ + if (reinit) { ++ int i; + /* Enable interrupts */ + temp = bdc_readl(bdc->regs, BDC_BDCSC); + temp |= BDC_GIE; +@@ -295,6 +296,9 @@ static void bdc_mem_init(struct bdc *bdc, bool reinit) + /* Initialize SRR to 0 */ + memset(bdc->srr.sr_bds, 0, + NUM_SR_ENTRIES * sizeof(struct bdc_bd)); ++ /* clear ep flags to avoid post disconnect stops/deconfigs */ ++ for (i = 1; i < bdc->num_eps; ++i) ++ bdc->bdc_ep_array[i]->flags = 0; + } else { + /* One time initiaization only */ + /* Enable status report function pointers */ +diff --git a/drivers/usb/gadget/udc/bdc/bdc_ep.c b/drivers/usb/gadget/udc/bdc/bdc_ep.c +index 3a65272fbed86..9f5f18891ba85 100644 +--- a/drivers/usb/gadget/udc/bdc/bdc_ep.c ++++ b/drivers/usb/gadget/udc/bdc/bdc_ep.c +@@ -621,7 +621,6 @@ int bdc_ep_enable(struct bdc_ep *ep) + } + bdc_dbg_bd_list(bdc, ep); + /* only for ep0: config ep is called for ep0 from connect event */ +- ep->flags |= BDC_EP_ENABLED; + if (ep->ep_num == 1) + return ret; + +@@ -767,10 +766,13 @@ static int ep_dequeue(struct bdc_ep *ep, struct bdc_req *req) + __func__, ep->name, start_bdi, end_bdi); + dev_dbg(bdc->dev, "ep_dequeue ep=%p ep->desc=%p\n", + ep, (void *)ep->usb_ep.desc); +- /* Stop the ep to see where the HW is ? */ +- ret = bdc_stop_ep(bdc, ep->ep_num); +- /* if there is an issue with stopping ep, then no need to go further */ +- if (ret) ++ /* if still connected, stop the ep to see where the HW is ? */ ++ if (!(bdc_readl(bdc->regs, BDC_USPC) & BDC_PST_MASK)) { ++ ret = bdc_stop_ep(bdc, ep->ep_num); ++ /* if there is an issue, then no need to go further */ ++ if (ret) ++ return 0; ++ } else + return 0; + + /* +@@ -1921,7 +1923,9 @@ static int bdc_gadget_ep_disable(struct usb_ep *_ep) + __func__, ep->name, ep->flags); + + if (!(ep->flags & BDC_EP_ENABLED)) { +- dev_warn(bdc->dev, "%s is already disabled\n", ep->name); ++ if (bdc->gadget.speed != USB_SPEED_UNKNOWN) ++ dev_warn(bdc->dev, "%s is already disabled\n", ++ ep->name); + return 0; + } + spin_lock_irqsave(&bdc->lock, flags); +-- +2.25.1 + diff --git a/queue-4.4/bluetooth-add-a-mutex-lock-to-avoid-uaf-in-do_enale_.patch b/queue-4.4/bluetooth-add-a-mutex-lock-to-avoid-uaf-in-do_enale_.patch new file mode 100644 index 00000000000..51bb3f0f615 --- /dev/null +++ b/queue-4.4/bluetooth-add-a-mutex-lock-to-avoid-uaf-in-do_enale_.patch @@ -0,0 +1,142 @@ +From b22154c5d02bc5c2ca7204861af9ffa99e48ef35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jun 2020 20:28:41 +0800 +Subject: Bluetooth: add a mutex lock to avoid UAF in do_enale_set + +From: Lihong Kou + +[ Upstream commit f9c70bdc279b191da8d60777c627702c06e4a37d ] + +In the case we set or free the global value listen_chan in +different threads, we can encounter the UAF problems because +the method is not protected by any lock, add one to avoid +this bug. + +BUG: KASAN: use-after-free in l2cap_chan_close+0x48/0x990 +net/bluetooth/l2cap_core.c:730 +Read of size 8 at addr ffff888096950000 by task kworker/1:102/2868 + +CPU: 1 PID: 2868 Comm: kworker/1:102 Not tainted 5.5.0-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, +BIOS Google 01/01/2011 +Workqueue: events do_enable_set +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x1fb/0x318 lib/dump_stack.c:118 + print_address_description+0x74/0x5c0 mm/kasan/report.c:374 + __kasan_report+0x149/0x1c0 mm/kasan/report.c:506 + kasan_report+0x26/0x50 mm/kasan/common.c:641 + __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135 + l2cap_chan_close+0x48/0x990 net/bluetooth/l2cap_core.c:730 + do_enable_set+0x660/0x900 net/bluetooth/6lowpan.c:1074 + process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264 + worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410 + kthread+0x332/0x350 kernel/kthread.c:255 + ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 + +Allocated by task 2870: + save_stack mm/kasan/common.c:72 [inline] + set_track mm/kasan/common.c:80 [inline] + __kasan_kmalloc+0x118/0x1c0 mm/kasan/common.c:515 + kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529 + kmem_cache_alloc_trace+0x221/0x2f0 mm/slab.c:3551 + kmalloc include/linux/slab.h:555 [inline] + kzalloc include/linux/slab.h:669 [inline] + l2cap_chan_create+0x50/0x320 net/bluetooth/l2cap_core.c:446 + chan_create net/bluetooth/6lowpan.c:640 [inline] + bt_6lowpan_listen net/bluetooth/6lowpan.c:959 [inline] + do_enable_set+0x6a4/0x900 net/bluetooth/6lowpan.c:1078 + process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264 + worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410 + kthread+0x332/0x350 kernel/kthread.c:255 + ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 + +Freed by task 2870: + save_stack mm/kasan/common.c:72 [inline] + set_track mm/kasan/common.c:80 [inline] + kasan_set_free_info mm/kasan/common.c:337 [inline] + __kasan_slab_free+0x12e/0x1e0 mm/kasan/common.c:476 + kasan_slab_free+0xe/0x10 mm/kasan/common.c:485 + __cache_free mm/slab.c:3426 [inline] + kfree+0x10d/0x220 mm/slab.c:3757 + l2cap_chan_destroy net/bluetooth/l2cap_core.c:484 [inline] + kref_put include/linux/kref.h:65 [inline] + l2cap_chan_put+0x170/0x190 net/bluetooth/l2cap_core.c:498 + do_enable_set+0x66c/0x900 net/bluetooth/6lowpan.c:1075 + process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264 + worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410 + kthread+0x332/0x350 kernel/kthread.c:255 + ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 + +The buggy address belongs to the object at ffff888096950000 + which belongs to the cache kmalloc-2k of size 2048 +The buggy address is located 0 bytes inside of + 2048-byte region [ffff888096950000, ffff888096950800) +The buggy address belongs to the page: +page:ffffea00025a5400 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0 +flags: 0xfffe0000000200(slab) +raw: 00fffe0000000200 ffffea00027d1548 ffffea0002397808 ffff8880aa400e00 +raw: 0000000000000000 ffff888096950000 0000000100000001 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff88809694ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff88809694ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +>ffff888096950000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff888096950080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff888096950100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +================================================================== + +Reported-by: syzbot+96414aa0033c363d8458@syzkaller.appspotmail.com +Signed-off-by: Lihong Kou +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/6lowpan.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c +index 4cd6b8d811ffa..11602902884ba 100644 +--- a/net/bluetooth/6lowpan.c ++++ b/net/bluetooth/6lowpan.c +@@ -57,6 +57,7 @@ static bool enable_6lowpan; + /* We are listening incoming connections via this channel + */ + static struct l2cap_chan *listen_chan; ++static DEFINE_MUTEX(set_lock); + + struct lowpan_peer { + struct list_head list; +@@ -1195,12 +1196,14 @@ static void do_enable_set(struct work_struct *work) + + enable_6lowpan = set_enable->flag; + ++ mutex_lock(&set_lock); + if (listen_chan) { + l2cap_chan_close(listen_chan, 0); + l2cap_chan_put(listen_chan); + } + + listen_chan = bt_6lowpan_listen(); ++ mutex_unlock(&set_lock); + + kfree(set_enable); + } +@@ -1252,11 +1255,13 @@ static ssize_t lowpan_control_write(struct file *fp, + if (ret == -EINVAL) + return ret; + ++ mutex_lock(&set_lock); + if (listen_chan) { + l2cap_chan_close(listen_chan, 0); + l2cap_chan_put(listen_chan); + listen_chan = NULL; + } ++ mutex_unlock(&set_lock); + + if (conn) { + struct lowpan_peer *peer; +-- +2.25.1 + diff --git a/queue-4.4/brcmfmac-to-fix-bss-info-flag-definition-bug.patch b/queue-4.4/brcmfmac-to-fix-bss-info-flag-definition-bug.patch new file mode 100644 index 00000000000..d88d17c9ae5 --- /dev/null +++ b/queue-4.4/brcmfmac-to-fix-bss-info-flag-definition-bug.patch @@ -0,0 +1,39 @@ +From 17caef5e9852e7338957ffcbd358bd44064363a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jun 2020 02:18:35 -0500 +Subject: brcmfmac: To fix Bss Info flag definition Bug + +From: Prasanna Kerekoppa + +[ Upstream commit fa3266541b13f390eb35bdbc38ff4a03368be004 ] + +Bss info flag definition need to be fixed from 0x2 to 0x4 +This flag is for rssi info received on channel. +All Firmware branches defined as 0x4 and this is bug in brcmfmac. + +Signed-off-by: Prasanna Kerekoppa +Signed-off-by: Chi-hsien Lin +Signed-off-by: Wright Feng +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200604071835.3842-6-wright.feng@cypress.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/brcm80211/brcmfmac/fwil_types.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/brcm80211/brcmfmac/fwil_types.h b/drivers/net/wireless/brcm80211/brcmfmac/fwil_types.h +index 4320c4cae53e1..7eb9f31dde1a2 100644 +--- a/drivers/net/wireless/brcm80211/brcmfmac/fwil_types.h ++++ b/drivers/net/wireless/brcm80211/brcmfmac/fwil_types.h +@@ -30,7 +30,7 @@ + #define BRCMF_ARP_OL_PEER_AUTO_REPLY 0x00000008 + + #define BRCMF_BSS_INFO_VERSION 109 /* curr ver of brcmf_bss_info_le struct */ +-#define BRCMF_BSS_RSSI_ON_CHANNEL 0x0002 ++#define BRCMF_BSS_RSSI_ON_CHANNEL 0x0004 + + #define BRCMF_STA_WME 0x00000002 /* WMM association */ + #define BRCMF_STA_AUTHE 0x00000008 /* Authenticated */ +-- +2.25.1 + diff --git a/queue-4.4/console-newport_con-fix-an-issue-about-leak-related-.patch b/queue-4.4/console-newport_con-fix-an-issue-about-leak-related-.patch new file mode 100644 index 00000000000..d16fcfe4796 --- /dev/null +++ b/queue-4.4/console-newport_con-fix-an-issue-about-leak-related-.patch @@ -0,0 +1,91 @@ +From b25bae93b294d9ce16825eb33be92cf15441ec5f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Apr 2020 00:42:51 +0800 +Subject: console: newport_con: fix an issue about leak related system + resources + +From: Dejin Zheng + +[ Upstream commit fd4b8243877250c05bb24af7fea5567110c9720b ] + +A call of the function do_take_over_console() can fail here. +The corresponding system resources were not released then. +Thus add a call of iounmap() and release_mem_region() +together with the check of a failure predicate. and also +add release_mem_region() on device removal. + +Fixes: e86bb8acc0fdc ("[PATCH] VT binding: Make newport_con support binding") +Suggested-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Dejin Zheng +Reviewed-by: Andy Shevchenko +Cc: Greg Kroah-Hartman +cc: Thomas Gleixner +Cc: Andrew Morton +Signed-off-by: Bartlomiej Zolnierkiewicz +Link: https://patchwork.freedesktop.org/patch/msgid/20200423164251.3349-1-zhengdejin5@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/video/console/newport_con.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/video/console/newport_con.c b/drivers/video/console/newport_con.c +index bb4e96255974a..bd0c6e53bec19 100644 +--- a/drivers/video/console/newport_con.c ++++ b/drivers/video/console/newport_con.c +@@ -31,6 +31,8 @@ + #include + #include + ++#define NEWPORT_LEN 0x10000 ++ + #define FONT_DATA ((unsigned char *)font_vga_8x16.data) + + /* borrowed from fbcon.c */ +@@ -42,6 +44,7 @@ + static unsigned char *font_data[MAX_NR_CONSOLES]; + + static struct newport_regs *npregs; ++static unsigned long newport_addr; + + static int logo_active; + static int topscan; +@@ -743,7 +746,6 @@ const struct consw newport_con = { + static int newport_probe(struct gio_device *dev, + const struct gio_device_id *id) + { +- unsigned long newport_addr; + int err; + + if (!dev->resource.start) +@@ -753,7 +755,7 @@ static int newport_probe(struct gio_device *dev, + return -EBUSY; /* we only support one Newport as console */ + + newport_addr = dev->resource.start + 0xF0000; +- if (!request_mem_region(newport_addr, 0x10000, "Newport")) ++ if (!request_mem_region(newport_addr, NEWPORT_LEN, "Newport")) + return -ENODEV; + + npregs = (struct newport_regs *)/* ioremap cannot fail */ +@@ -761,6 +763,11 @@ static int newport_probe(struct gio_device *dev, + console_lock(); + err = do_take_over_console(&newport_con, 0, MAX_NR_CONSOLES - 1, 1); + console_unlock(); ++ ++ if (err) { ++ iounmap((void *)npregs); ++ release_mem_region(newport_addr, NEWPORT_LEN); ++ } + return err; + } + +@@ -768,6 +775,7 @@ static void newport_remove(struct gio_device *dev) + { + give_up_console(&newport_con); + iounmap((void *)npregs); ++ release_mem_region(newport_addr, NEWPORT_LEN); + } + + static struct gio_device_id newport_ids[] = { +-- +2.25.1 + diff --git a/queue-4.4/cxl-fix-kobject-memleak.patch b/queue-4.4/cxl-fix-kobject-memleak.patch new file mode 100644 index 00000000000..bc2f1a60b47 --- /dev/null +++ b/queue-4.4/cxl-fix-kobject-memleak.patch @@ -0,0 +1,44 @@ +From 5f936529eee86906de3b0dba0d40ddc29bb8bac1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jun 2020 20:07:33 +0800 +Subject: cxl: Fix kobject memleak + +From: Wang Hai + +[ Upstream commit 85c5cbeba8f4fb28e6b9bfb3e467718385f78f76 ] + +Currently the error return path from kobject_init_and_add() is not +followed by a call to kobject_put() - which means we are leaking +the kobject. + +Fix it by adding a call to kobject_put() in the error path of +kobject_init_and_add(). + +Fixes: b087e6190ddc ("cxl: Export optional AFU configuration record in sysfs") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Acked-by: Andrew Donnellan +Acked-by: Frederic Barrat +Link: https://lore.kernel.org/r/20200602120733.5943-1-wanghai38@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/cxl/sysfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/misc/cxl/sysfs.c b/drivers/misc/cxl/sysfs.c +index 02006f7109a80..349955982081b 100644 +--- a/drivers/misc/cxl/sysfs.c ++++ b/drivers/misc/cxl/sysfs.c +@@ -539,7 +539,7 @@ static struct afu_config_record *cxl_sysfs_afu_new_cr(struct cxl_afu *afu, int c + rc = kobject_init_and_add(&cr->kobj, &afu_config_record_type, + &afu->dev.kobj, "cr%i", cr->cr); + if (rc) +- goto err; ++ goto err1; + + rc = sysfs_create_bin_file(&cr->kobj, &cr->config_attr); + if (rc) +-- +2.25.1 + diff --git a/queue-4.4/dlm-fix-kobject-memleak.patch b/queue-4.4/dlm-fix-kobject-memleak.patch new file mode 100644 index 00000000000..cc9d080445e --- /dev/null +++ b/queue-4.4/dlm-fix-kobject-memleak.patch @@ -0,0 +1,52 @@ +From fd95ace18ba536356b3020d6c558022848b578b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Jun 2020 11:25:33 +0800 +Subject: dlm: Fix kobject memleak + +From: Wang Hai + +[ Upstream commit 0ffddafc3a3970ef7013696e7f36b3d378bc4c16 ] + +Currently the error return path from kobject_init_and_add() is not +followed by a call to kobject_put() - which means we are leaking +the kobject. + +Set do_unreg = 1 before kobject_init_and_add() to ensure that +kobject_put() can be called in its error patch. + +Fixes: 901195ed7f4b ("Kobject: change GFS2 to use kobject_init_and_add") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Signed-off-by: David Teigland +Signed-off-by: Sasha Levin +--- + fs/dlm/lockspace.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/fs/dlm/lockspace.c b/fs/dlm/lockspace.c +index b14bb2c460426..499f54f99891c 100644 +--- a/fs/dlm/lockspace.c ++++ b/fs/dlm/lockspace.c +@@ -626,6 +626,9 @@ static int new_lockspace(const char *name, const char *cluster, + wait_event(ls->ls_recover_lock_wait, + test_bit(LSFL_RECOVER_LOCK, &ls->ls_flags)); + ++ /* let kobject handle freeing of ls if there's an error */ ++ do_unreg = 1; ++ + ls->ls_kobj.kset = dlm_kset; + error = kobject_init_and_add(&ls->ls_kobj, &dlm_ktype, NULL, + "%s", ls->ls_name); +@@ -633,9 +636,6 @@ static int new_lockspace(const char *name, const char *cluster, + goto out_recoverd; + kobject_uevent(&ls->ls_kobj, KOBJ_ADD); + +- /* let kobject handle freeing of ls if there's an error */ +- do_unreg = 1; +- + /* This uevent triggers dlm_controld in userspace to add us to the + group of nodes that are members of this lockspace (managed by the + cluster infrastructure.) Once it's done that, it tells us who the +-- +2.25.1 + diff --git a/queue-4.4/drm-debugfs-fix-plain-echo-to-connector-force-attrib.patch b/queue-4.4/drm-debugfs-fix-plain-echo-to-connector-force-attrib.patch new file mode 100644 index 00000000000..6d4fa908c68 --- /dev/null +++ b/queue-4.4/drm-debugfs-fix-plain-echo-to-connector-force-attrib.patch @@ -0,0 +1,51 @@ +From 7c3a1e971ad75c56d3ba4a98130ff5f27754a5fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Aug 2017 12:43:07 +0200 +Subject: drm/debugfs: fix plain echo to connector "force" attribute + +From: Michael Tretter + +[ Upstream commit c704b17071c4dc571dca3af4e4151dac51de081a ] + +Using plain echo to set the "force" connector attribute fails with +-EINVAL, because echo appends a newline to the output. + +Replace strcmp with sysfs_streq to also accept strings that end with a +newline. + +v2: use sysfs_streq instead of stripping trailing whitespace + +Signed-off-by: Michael Tretter +Reviewed-by: Jani Nikula +Signed-off-by: Emil Velikov +Link: https://patchwork.freedesktop.org/patch/msgid/20170817104307.17124-1-m.tretter@pengutronix.de +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_debugfs.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/drm_debugfs.c b/drivers/gpu/drm/drm_debugfs.c +index 3bcf8e6a85b35..5b0fdcd0b63fd 100644 +--- a/drivers/gpu/drm/drm_debugfs.c ++++ b/drivers/gpu/drm/drm_debugfs.c +@@ -290,13 +290,13 @@ static ssize_t connector_write(struct file *file, const char __user *ubuf, + + buf[len] = '\0'; + +- if (!strcmp(buf, "on")) ++ if (sysfs_streq(buf, "on")) + connector->force = DRM_FORCE_ON; +- else if (!strcmp(buf, "digital")) ++ else if (sysfs_streq(buf, "digital")) + connector->force = DRM_FORCE_ON_DIGITAL; +- else if (!strcmp(buf, "off")) ++ else if (sysfs_streq(buf, "off")) + connector->force = DRM_FORCE_OFF; +- else if (!strcmp(buf, "unspecified")) ++ else if (sysfs_streq(buf, "unspecified")) + connector->force = DRM_FORCE_UNSPECIFIED; + else + return -EINVAL; +-- +2.25.1 + diff --git a/queue-4.4/drm-nouveau-fix-multiple-instances-of-reference-coun.patch b/queue-4.4/drm-nouveau-fix-multiple-instances-of-reference-coun.patch new file mode 100644 index 00000000000..7f969cddbdc --- /dev/null +++ b/queue-4.4/drm-nouveau-fix-multiple-instances-of-reference-coun.patch @@ -0,0 +1,68 @@ +From bc573391022e1f28868b261411771ae382eab34e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Jun 2020 20:41:56 -0500 +Subject: drm/nouveau: fix multiple instances of reference count leaks + +From: Aditya Pakki + +[ Upstream commit 659fb5f154c3434c90a34586f3b7aa1c39cf6062 ] + +On calling pm_runtime_get_sync() the reference count of the device +is incremented. In case of failure, decrement the +ref count before returning the error. + +Signed-off-by: Aditya Pakki +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nouveau_drm.c | 8 ++++++-- + drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +++- + 2 files changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.c b/drivers/gpu/drm/nouveau/nouveau_drm.c +index 91a61d2cca889..a90840e391100 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_drm.c ++++ b/drivers/gpu/drm/nouveau/nouveau_drm.c +@@ -805,8 +805,10 @@ nouveau_drm_open(struct drm_device *dev, struct drm_file *fpriv) + + /* need to bring up power immediately if opening device */ + ret = pm_runtime_get_sync(dev->dev); +- if (ret < 0 && ret != -EACCES) ++ if (ret < 0 && ret != -EACCES) { ++ pm_runtime_put_autosuspend(dev->dev); + return ret; ++ } + + get_task_comm(tmpname, current); + snprintf(name, sizeof(name), "%s[%d]", tmpname, pid_nr(fpriv->pid)); +@@ -894,8 +896,10 @@ nouveau_drm_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + long ret; + + ret = pm_runtime_get_sync(dev->dev); +- if (ret < 0 && ret != -EACCES) ++ if (ret < 0 && ret != -EACCES) { ++ pm_runtime_put_autosuspend(dev->dev); + return ret; ++ } + + switch (_IOC_NR(cmd) - DRM_COMMAND_BASE) { + case DRM_NOUVEAU_NVIF: +diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c +index ae560f5977fca..e5db2a385cb65 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_gem.c ++++ b/drivers/gpu/drm/nouveau/nouveau_gem.c +@@ -42,8 +42,10 @@ nouveau_gem_object_del(struct drm_gem_object *gem) + int ret; + + ret = pm_runtime_get_sync(dev); +- if (WARN_ON(ret < 0 && ret != -EACCES)) ++ if (WARN_ON(ret < 0 && ret != -EACCES)) { ++ pm_runtime_put_autosuspend(dev); + return; ++ } + + if (gem->import_attach) + drm_prime_gem_destroy(gem, nvbo->bo.sg); +-- +2.25.1 + diff --git a/queue-4.4/drm-panel-simple-fix-bpc-for-lg-lb070wv8-panel.patch b/queue-4.4/drm-panel-simple-fix-bpc-for-lg-lb070wv8-panel.patch new file mode 100644 index 00000000000..d71d4e222bf --- /dev/null +++ b/queue-4.4/drm-panel-simple-fix-bpc-for-lg-lb070wv8-panel.patch @@ -0,0 +1,37 @@ +From f678d08d8dd8736ced52c185472214179aff38db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Jul 2020 01:53:17 +0300 +Subject: drm: panel: simple: Fix bpc for LG LB070WV8 panel + +From: Laurent Pinchart + +[ Upstream commit a6ae2fe5c9f9fd355a48fb7d21c863e5b20d6c9c ] + +The LG LB070WV8 panel incorrectly reports a 16 bits per component value, +while the panel uses 8 bits per component. Fix it. + +Fixes: dd0150026901 ("drm/panel: simple: Add support for LG LB070WV8 800x480 7" panel") +Signed-off-by: Laurent Pinchart +Signed-off-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/20200711225317.28476-1-laurent.pinchart+renesas@ideasonboard.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-simple.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c +index ecad4d7c6cd17..64b23bdebd1d1 100644 +--- a/drivers/gpu/drm/panel/panel-simple.c ++++ b/drivers/gpu/drm/panel/panel-simple.c +@@ -920,7 +920,7 @@ static const struct drm_display_mode lg_lb070wv8_mode = { + static const struct panel_desc lg_lb070wv8 = { + .modes = &lg_lb070wv8_mode, + .num_modes = 1, +- .bpc = 16, ++ .bpc = 8, + .size = { + .width = 151, + .height = 91, +-- +2.25.1 + diff --git a/queue-4.4/drm-radeon-fix-array-out-of-bounds-read-and-write-is.patch b/queue-4.4/drm-radeon-fix-array-out-of-bounds-read-and-write-is.patch new file mode 100644 index 00000000000..2e66ec1c773 --- /dev/null +++ b/queue-4.4/drm-radeon-fix-array-out-of-bounds-read-and-write-is.patch @@ -0,0 +1,39 @@ +From 6f33dfd24693a35750042dcd717a737b66ead109 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Jun 2020 13:07:10 +0100 +Subject: drm/radeon: fix array out-of-bounds read and write issues + +From: Colin Ian King + +[ Upstream commit 7ee78aff9de13d5dccba133f4a0de5367194b243 ] + +There is an off-by-one bounds check on the index into arrays +table->mc_reg_address and table->mc_reg_table_entry[k].mc_data[j] that +can lead to reads and writes outside of arrays. Fix the bound checking +off-by-one error. + +Addresses-Coverity: ("Out-of-bounds read/write") +Fixes: cc8dbbb4f62a ("drm/radeon: add dpm support for CI dGPUs (v2)") +Signed-off-by: Colin Ian King +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/ci_dpm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/radeon/ci_dpm.c b/drivers/gpu/drm/radeon/ci_dpm.c +index e7a245d7bdbcb..8e1bf9ed8efff 100644 +--- a/drivers/gpu/drm/radeon/ci_dpm.c ++++ b/drivers/gpu/drm/radeon/ci_dpm.c +@@ -4345,7 +4345,7 @@ static int ci_set_mc_special_registers(struct radeon_device *rdev, + table->mc_reg_table_entry[k].mc_data[j] |= 0x100; + } + j++; +- if (j > SMU7_DISCRETE_MC_REGISTER_ARRAY_SIZE) ++ if (j >= SMU7_DISCRETE_MC_REGISTER_ARRAY_SIZE) + return -EINVAL; + + if (!pi->mem_gddr5) { +-- +2.25.1 + diff --git a/queue-4.4/drm-radeon-fix-reference-count-leaks-caused-by-pm_ru.patch b/queue-4.4/drm-radeon-fix-reference-count-leaks-caused-by-pm_ru.patch new file mode 100644 index 00000000000..f33feabdbc0 --- /dev/null +++ b/queue-4.4/drm-radeon-fix-reference-count-leaks-caused-by-pm_ru.patch @@ -0,0 +1,74 @@ +From e9d5ff51d5c898fcd7e87d8ad76ef2b9a4393bbe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Jun 2020 21:21:22 -0500 +Subject: drm/radeon: Fix reference count leaks caused by pm_runtime_get_sync + +From: Aditya Pakki + +[ Upstream commit 9fb10671011143d15b6b40d6d5fa9c52c57e9d63 ] + +On calling pm_runtime_get_sync() the reference count of the device +is incremented. In case of failure, decrement the +reference count before returning the error. + +Acked-by: Evan Quan +Signed-off-by: Aditya Pakki +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/radeon_display.c | 4 +++- + drivers/gpu/drm/radeon/radeon_drv.c | 4 +++- + drivers/gpu/drm/radeon/radeon_kms.c | 4 +++- + 3 files changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/radeon_display.c b/drivers/gpu/drm/radeon/radeon_display.c +index 4572bfba017c5..17c73b8c90e71 100644 +--- a/drivers/gpu/drm/radeon/radeon_display.c ++++ b/drivers/gpu/drm/radeon/radeon_display.c +@@ -660,8 +660,10 @@ radeon_crtc_set_config(struct drm_mode_set *set) + dev = set->crtc->dev; + + ret = pm_runtime_get_sync(dev->dev); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put_autosuspend(dev->dev); + return ret; ++ } + + ret = drm_crtc_helper_set_config(set); + +diff --git a/drivers/gpu/drm/radeon/radeon_drv.c b/drivers/gpu/drm/radeon/radeon_drv.c +index 5b6a6f5b3619e..401403a3ea50c 100644 +--- a/drivers/gpu/drm/radeon/radeon_drv.c ++++ b/drivers/gpu/drm/radeon/radeon_drv.c +@@ -527,8 +527,10 @@ long radeon_drm_ioctl(struct file *filp, + long ret; + dev = file_priv->minor->dev; + ret = pm_runtime_get_sync(dev->dev); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put_autosuspend(dev->dev); + return ret; ++ } + + ret = drm_ioctl(filp, cmd, arg); + +diff --git a/drivers/gpu/drm/radeon/radeon_kms.c b/drivers/gpu/drm/radeon/radeon_kms.c +index d290a8a09036e..41caf7da90548 100644 +--- a/drivers/gpu/drm/radeon/radeon_kms.c ++++ b/drivers/gpu/drm/radeon/radeon_kms.c +@@ -631,8 +631,10 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv) + file_priv->driver_priv = NULL; + + r = pm_runtime_get_sync(dev->dev); +- if (r < 0) ++ if (r < 0) { ++ pm_runtime_put_autosuspend(dev->dev); + return r; ++ } + + /* new gpu have virtual address space support */ + if (rdev->family >= CHIP_CAYMAN) { +-- +2.25.1 + diff --git a/queue-4.4/drm-tilcdc-fix-leak-null-ref-in-panel_connector_get_.patch b/queue-4.4/drm-tilcdc-fix-leak-null-ref-in-panel_connector_get_.patch new file mode 100644 index 00000000000..ad051d342c8 --- /dev/null +++ b/queue-4.4/drm-tilcdc-fix-leak-null-ref-in-panel_connector_get_.patch @@ -0,0 +1,51 @@ +From 689fe870d9a6675f4a9b36a8fd6b6f8f589b898c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Apr 2020 13:42:32 +0300 +Subject: drm/tilcdc: fix leak & null ref in panel_connector_get_modes + +From: Tomi Valkeinen + +[ Upstream commit 3f9c1c872cc97875ddc8d63bc9fe6ee13652b933 ] + +If videomode_from_timings() returns true, the mode allocated with +drm_mode_create will be leaked. + +Also, the return value of drm_mode_create() is never checked, and thus +could cause NULL deref. + +Fix these two issues. + +Signed-off-by: Tomi Valkeinen +Link: https://patchwork.freedesktop.org/patch/msgid/20200429104234.18910-1-tomi.valkeinen@ti.com +Reviewed-by: Jyri Sarha +Acked-by: Sam Ravnborg +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tilcdc/tilcdc_panel.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/tilcdc/tilcdc_panel.c b/drivers/gpu/drm/tilcdc/tilcdc_panel.c +index 0af8bed7ce1ee..08d8f608be632 100644 +--- a/drivers/gpu/drm/tilcdc/tilcdc_panel.c ++++ b/drivers/gpu/drm/tilcdc/tilcdc_panel.c +@@ -177,12 +177,16 @@ static int panel_connector_get_modes(struct drm_connector *connector) + int i; + + for (i = 0; i < timings->num_timings; i++) { +- struct drm_display_mode *mode = drm_mode_create(dev); ++ struct drm_display_mode *mode; + struct videomode vm; + + if (videomode_from_timings(timings, &vm, i)) + break; + ++ mode = drm_mode_create(dev); ++ if (!mode) ++ break; ++ + drm_display_mode_from_videomode(&vm, mode); + + mode->type = DRM_MODE_TYPE_DRIVER; +-- +2.25.1 + diff --git a/queue-4.4/dyndbg-fix-a-bug_on-in-ddebug_describe_flags.patch b/queue-4.4/dyndbg-fix-a-bug_on-in-ddebug_describe_flags.patch new file mode 100644 index 00000000000..af54000b3ae --- /dev/null +++ b/queue-4.4/dyndbg-fix-a-bug_on-in-ddebug_describe_flags.patch @@ -0,0 +1,101 @@ +From ee07ad4f5536930f1c1c8509a15b9113841d0de9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 19 Jul 2020 17:10:47 -0600 +Subject: dyndbg: fix a BUG_ON in ddebug_describe_flags + +From: Jim Cromie + +[ Upstream commit f678ce8cc3cb2ad29df75d8824c74f36398ba871 ] + +ddebug_describe_flags() currently fills a caller provided string buffer, +after testing its size (also passed) in a BUG_ON. Fix this by +replacing them with a known-big-enough string buffer wrapped in a +struct, and passing that instead. + +Also simplify ddebug_describe_flags() flags parameter from a struct to +a member in that struct, and hoist the member deref up to the caller. +This makes the function reusable (soon) where flags are unpacked. + +Acked-by: +Signed-off-by: Jim Cromie +Link: https://lore.kernel.org/r/20200719231058.1586423-8-jim.cromie@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + lib/dynamic_debug.c | 23 +++++++++++------------ + 1 file changed, 11 insertions(+), 12 deletions(-) + +diff --git a/lib/dynamic_debug.c b/lib/dynamic_debug.c +index c6368ae93fe6e..f50d63f67899a 100644 +--- a/lib/dynamic_debug.c ++++ b/lib/dynamic_debug.c +@@ -85,22 +85,22 @@ static struct { unsigned flag:8; char opt_char; } opt_array[] = { + { _DPRINTK_FLAGS_NONE, '_' }, + }; + ++struct flagsbuf { char buf[ARRAY_SIZE(opt_array)+1]; }; ++ + /* format a string into buf[] which describes the _ddebug's flags */ +-static char *ddebug_describe_flags(struct _ddebug *dp, char *buf, +- size_t maxlen) ++static char *ddebug_describe_flags(unsigned int flags, struct flagsbuf *fb) + { +- char *p = buf; ++ char *p = fb->buf; + int i; + +- BUG_ON(maxlen < 6); + for (i = 0; i < ARRAY_SIZE(opt_array); ++i) +- if (dp->flags & opt_array[i].flag) ++ if (flags & opt_array[i].flag) + *p++ = opt_array[i].opt_char; +- if (p == buf) ++ if (p == fb->buf) + *p++ = '_'; + *p = '\0'; + +- return buf; ++ return fb->buf; + } + + #define vpr_info(fmt, ...) \ +@@ -142,7 +142,7 @@ static int ddebug_change(const struct ddebug_query *query, + struct ddebug_table *dt; + unsigned int newflags; + unsigned int nfound = 0; +- char flagbuf[10]; ++ struct flagsbuf fbuf; + + /* search for matching ddebugs */ + mutex_lock(&ddebug_lock); +@@ -192,8 +192,7 @@ static int ddebug_change(const struct ddebug_query *query, + vpr_info("changed %s:%d [%s]%s =%s\n", + trim_prefix(dp->filename), dp->lineno, + dt->mod_name, dp->function, +- ddebug_describe_flags(dp, flagbuf, +- sizeof(flagbuf))); ++ ddebug_describe_flags(dp->flags, &fbuf)); + } + } + mutex_unlock(&ddebug_lock); +@@ -777,7 +776,7 @@ static int ddebug_proc_show(struct seq_file *m, void *p) + { + struct ddebug_iter *iter = m->private; + struct _ddebug *dp = p; +- char flagsbuf[10]; ++ struct flagsbuf flags; + + vpr_info("called m=%p p=%p\n", m, p); + +@@ -790,7 +789,7 @@ static int ddebug_proc_show(struct seq_file *m, void *p) + seq_printf(m, "%s:%u [%s]%s =%s \"", + trim_prefix(dp->filename), dp->lineno, + iter->table->mod_name, dp->function, +- ddebug_describe_flags(dp, flagsbuf, sizeof(flagsbuf))); ++ ddebug_describe_flags(dp->flags, &flags)); + seq_escape(m, dp->format, "\t\r\n\""); + seq_puts(m, "\"\n"); + +-- +2.25.1 + diff --git a/queue-4.4/edac-fix-reference-count-leaks.patch b/queue-4.4/edac-fix-reference-count-leaks.patch new file mode 100644 index 00000000000..f175a5fe00a --- /dev/null +++ b/queue-4.4/edac-fix-reference-count-leaks.patch @@ -0,0 +1,59 @@ +From f805a7f99feffaf4c8f8f13cd92da8f8f260be5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 May 2020 15:22:37 -0500 +Subject: EDAC: Fix reference count leaks + +From: Qiushi Wu + +[ Upstream commit 17ed808ad243192fb923e4e653c1338d3ba06207 ] + +When kobject_init_and_add() returns an error, it should be handled +because kobject_init_and_add() takes a reference even when it fails. If +this function returns an error, kobject_put() must be called to properly +clean up the memory associated with the object. + +Therefore, replace calling kfree() and call kobject_put() and add a +missing kobject_put() in the edac_device_register_sysfs_main_kobj() +error path. + + [ bp: Massage and merge into a single patch. ] + +Fixes: b2ed215a3338 ("Kobject: change drivers/edac to use kobject_init_and_add") +Signed-off-by: Qiushi Wu +Signed-off-by: Borislav Petkov +Link: https://lkml.kernel.org/r/20200528202238.18078-1-wu000273@umn.edu +Link: https://lkml.kernel.org/r/20200528203526.20908-1-wu000273@umn.edu +Signed-off-by: Sasha Levin +--- + drivers/edac/edac_device_sysfs.c | 1 + + drivers/edac/edac_pci_sysfs.c | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/edac/edac_device_sysfs.c b/drivers/edac/edac_device_sysfs.c +index fb68a06ad6837..18991cfec2af4 100644 +--- a/drivers/edac/edac_device_sysfs.c ++++ b/drivers/edac/edac_device_sysfs.c +@@ -280,6 +280,7 @@ int edac_device_register_sysfs_main_kobj(struct edac_device_ctl_info *edac_dev) + + /* Error exit stack */ + err_kobj_reg: ++ kobject_put(&edac_dev->kobj); + module_put(edac_dev->owner); + + err_mod_get: +diff --git a/drivers/edac/edac_pci_sysfs.c b/drivers/edac/edac_pci_sysfs.c +index 24d877f6e5775..c56128402bc67 100644 +--- a/drivers/edac/edac_pci_sysfs.c ++++ b/drivers/edac/edac_pci_sysfs.c +@@ -394,7 +394,7 @@ static int edac_pci_main_kobj_setup(void) + + /* Error unwind statck */ + kobject_init_and_add_fail: +- kfree(edac_pci_top_main_kobj); ++ kobject_put(edac_pci_top_main_kobj); + + kzalloc_fail: + module_put(THIS_MODULE); +-- +2.25.1 + diff --git a/queue-4.4/fs-btrfs-add-cond_resched-for-try_release_extent_map.patch b/queue-4.4/fs-btrfs-add-cond_resched-for-try_release_extent_map.patch new file mode 100644 index 00000000000..b58fe10ee83 --- /dev/null +++ b/queue-4.4/fs-btrfs-add-cond_resched-for-try_release_extent_map.patch @@ -0,0 +1,62 @@ +From 494a97c0bd1c0f079cb217c7c1400c57345eaa5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 May 2020 14:15:37 -0700 +Subject: fs/btrfs: Add cond_resched() for try_release_extent_mapping() stalls + +From: Paul E. McKenney + +[ Upstream commit 9f47eb5461aaeb6cb8696f9d11503ae90e4d5cb0 ] + +Very large I/Os can cause the following RCU CPU stall warning: + +RIP: 0010:rb_prev+0x8/0x50 +Code: 49 89 c0 49 89 d1 48 89 c2 48 89 f8 e9 e5 fd ff ff 4c 89 48 10 c3 4c = +89 06 c3 4c 89 40 10 c3 0f 1f 00 48 8b 0f 48 39 cf 74 38 <48> 8b 47 10 48 85 c0 74 22 48 8b 50 08 48 85 d2 74 0c 48 89 d0 48 +RSP: 0018:ffffc9002212bab0 EFLAGS: 00000287 ORIG_RAX: ffffffffffffff13 +RAX: ffff888821f93630 RBX: ffff888821f93630 RCX: ffff888821f937e0 +RDX: 0000000000000000 RSI: 0000000000102000 RDI: ffff888821f93630 +RBP: 0000000000103000 R08: 000000000006c000 R09: 0000000000000238 +R10: 0000000000102fff R11: ffffc9002212bac8 R12: 0000000000000001 +R13: ffffffffffffffff R14: 0000000000102000 R15: ffff888821f937e0 + __lookup_extent_mapping+0xa0/0x110 + try_release_extent_mapping+0xdc/0x220 + btrfs_releasepage+0x45/0x70 + shrink_page_list+0xa39/0xb30 + shrink_inactive_list+0x18f/0x3b0 + shrink_lruvec+0x38e/0x6b0 + shrink_node+0x14d/0x690 + do_try_to_free_pages+0xc6/0x3e0 + try_to_free_mem_cgroup_pages+0xe6/0x1e0 + reclaim_high.constprop.73+0x87/0xc0 + mem_cgroup_handle_over_high+0x66/0x150 + exit_to_usermode_loop+0x82/0xd0 + do_syscall_64+0xd4/0x100 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +On a PREEMPT=n kernel, the try_release_extent_mapping() function's +"while" loop might run for a very long time on a large I/O. This commit +therefore adds a cond_resched() to this loop, providing RCU any needed +quiescent states. + +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + fs/btrfs/extent_io.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c +index 42b7409d4cc55..2f9f738ecf84a 100644 +--- a/fs/btrfs/extent_io.c ++++ b/fs/btrfs/extent_io.c +@@ -4437,6 +4437,8 @@ int try_release_extent_mapping(struct extent_map_tree *map, + + /* once for us */ + free_extent_map(em); ++ ++ cond_resched(); /* Allow large-extent preemption. */ + } + } + return try_release_extent_state(map, tree, page, mask); +-- +2.25.1 + diff --git a/queue-4.4/iio-improve-iio_concentration-channel-type-descripti.patch b/queue-4.4/iio-improve-iio_concentration-channel-type-descripti.patch new file mode 100644 index 00000000000..1dca2d9b2b5 --- /dev/null +++ b/queue-4.4/iio-improve-iio_concentration-channel-type-descripti.patch @@ -0,0 +1,43 @@ +From e74346c5f85ff85bfa5f1626e3430d3a8153287b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Jun 2020 18:15:52 +0200 +Subject: iio: improve IIO_CONCENTRATION channel type description + +From: Tomasz Duszynski + +[ Upstream commit df16c33a4028159d1ba8a7061c9fa950b58d1a61 ] + +IIO_CONCENTRATION together with INFO_RAW specifier is used for reporting +raw concentrations of pollutants. Raw value should be meaningless +before being properly scaled. Because of that description shouldn't +mention raw value unit whatsoever. + +Fix this by rephrasing existing description so it follows conventions +used throughout IIO ABI docs. + +Fixes: 8ff6b3bc94930 ("iio: chemical: Add IIO_CONCENTRATION channel type") +Signed-off-by: Tomasz Duszynski +Acked-by: Matt Ranostay +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + Documentation/ABI/testing/sysfs-bus-iio | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/Documentation/ABI/testing/sysfs-bus-iio b/Documentation/ABI/testing/sysfs-bus-iio +index 0439c2aaf7419..f20c783cb5c03 100644 +--- a/Documentation/ABI/testing/sysfs-bus-iio ++++ b/Documentation/ABI/testing/sysfs-bus-iio +@@ -1470,7 +1470,8 @@ What: /sys/bus/iio/devices/iio:deviceX/in_concentrationX_voc_raw + KernelVersion: 4.3 + Contact: linux-iio@vger.kernel.org + Description: +- Raw (unscaled no offset etc.) percentage reading of a substance. ++ Raw (unscaled no offset etc.) reading of a substance. Units ++ after application of scale and offset are percents. + + What: /sys/bus/iio/devices/iio:deviceX/in_resistance_raw + What: /sys/bus/iio/devices/iio:deviceX/in_resistanceX_raw +-- +2.25.1 + diff --git a/queue-4.4/iwlegacy-check-the-return-value-of-pcie_capability_r.patch b/queue-4.4/iwlegacy-check-the-return-value-of-pcie_capability_r.patch new file mode 100644 index 00000000000..4fe7399ccdc --- /dev/null +++ b/queue-4.4/iwlegacy-check-the-return-value-of-pcie_capability_r.patch @@ -0,0 +1,45 @@ +From 53d28409bc03fcd837c35694aa7dca4f3c8ae818 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jul 2020 19:55:27 +0200 +Subject: iwlegacy: Check the return value of pcie_capability_read_*() + +From: Bolarinwa Olayemi Saheed + +[ Upstream commit 9018fd7f2a73e9b290f48a56b421558fa31e8b75 ] + +On failure pcie_capability_read_dword() sets it's last parameter, val +to 0. However, with Patch 14/14, it is possible that val is set to ~0 on +failure. This would introduce a bug because (x & x) == (~0 & x). + +This bug can be avoided without changing the function's behaviour if the +return value of pcie_capability_read_dword is checked to confirm success. + +Check the return value of pcie_capability_read_dword() to ensure success. + +Suggested-by: Bjorn Helgaas +Signed-off-by: Bolarinwa Olayemi Saheed +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200713175529.29715-3-refactormyself@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/iwlegacy/common.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/iwlegacy/common.c b/drivers/net/wireless/iwlegacy/common.c +index 544ab3750ea6e..c56febdae1349 100644 +--- a/drivers/net/wireless/iwlegacy/common.c ++++ b/drivers/net/wireless/iwlegacy/common.c +@@ -4294,8 +4294,8 @@ il_apm_init(struct il_priv *il) + * power savings, even without L1. + */ + if (il->cfg->set_l0s) { +- pcie_capability_read_word(il->pci_dev, PCI_EXP_LNKCTL, &lctl); +- if (lctl & PCI_EXP_LNKCTL_ASPM_L1) { ++ ret = pcie_capability_read_word(il->pci_dev, PCI_EXP_LNKCTL, &lctl); ++ if (!ret && (lctl & PCI_EXP_LNKCTL_ASPM_L1)) { + /* L1-ASPM enabled; disable(!) L0S */ + il_set_bit(il, CSR_GIO_REG, + CSR_GIO_REG_VAL_L0S_ENABLED); +-- +2.25.1 + diff --git a/queue-4.4/leds-lm355x-avoid-enum-conversion-warning.patch b/queue-4.4/leds-lm355x-avoid-enum-conversion-warning.patch new file mode 100644 index 00000000000..5c36c553cdc --- /dev/null +++ b/queue-4.4/leds-lm355x-avoid-enum-conversion-warning.patch @@ -0,0 +1,60 @@ +From 66280f4d6ac6d8e92679a6ddb768bb5f4b91072e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 May 2020 16:19:17 +0200 +Subject: leds: lm355x: avoid enum conversion warning + +From: Arnd Bergmann + +[ Upstream commit 985b1f596f9ed56f42b8c2280005f943e1434c06 ] + +clang points out that doing arithmetic between diffent enums is usually +a mistake: + +drivers/leds/leds-lm355x.c:167:28: warning: bitwise operation between different enumeration types ('enum lm355x_tx2' and 'enum lm355x_ntc') [-Wenum-enum-conversion] + reg_val = pdata->pin_tx2 | pdata->ntc_pin; + ~~~~~~~~~~~~~~ ^ ~~~~~~~~~~~~~~ +drivers/leds/leds-lm355x.c:178:28: warning: bitwise operation between different enumeration types ('enum lm355x_tx2' and 'enum lm355x_ntc') [-Wenum-enum-conversion] + reg_val = pdata->pin_tx2 | pdata->ntc_pin | pdata->pass_mode; + ~~~~~~~~~~~~~~ ^ ~~~~~~~~~~~~~~ + +In this driver, it is intentional, so add a cast to hide the false-positive +warning. It appears to be the only instance of this warning at the moment. + +Fixes: b98d13c72592 ("leds: Add new LED driver for lm355x chips") +Signed-off-by: Arnd Bergmann +Signed-off-by: Pavel Machek +Signed-off-by: Sasha Levin +--- + drivers/leds/leds-lm355x.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/leds/leds-lm355x.c b/drivers/leds/leds-lm355x.c +index 48872997d6b4b..533b255c27cd6 100644 +--- a/drivers/leds/leds-lm355x.c ++++ b/drivers/leds/leds-lm355x.c +@@ -177,18 +177,19 @@ static int lm355x_chip_init(struct lm355x_chip_data *chip) + /* input and output pins configuration */ + switch (chip->type) { + case CHIP_LM3554: +- reg_val = pdata->pin_tx2 | pdata->ntc_pin; ++ reg_val = (u32)pdata->pin_tx2 | (u32)pdata->ntc_pin; + ret = regmap_update_bits(chip->regmap, 0xE0, 0x28, reg_val); + if (ret < 0) + goto out; +- reg_val = pdata->pass_mode; ++ reg_val = (u32)pdata->pass_mode; + ret = regmap_update_bits(chip->regmap, 0xA0, 0x04, reg_val); + if (ret < 0) + goto out; + break; + + case CHIP_LM3556: +- reg_val = pdata->pin_tx2 | pdata->ntc_pin | pdata->pass_mode; ++ reg_val = (u32)pdata->pin_tx2 | (u32)pdata->ntc_pin | ++ (u32)pdata->pass_mode; + ret = regmap_update_bits(chip->regmap, 0x0A, 0xC4, reg_val); + if (ret < 0) + goto out; +-- +2.25.1 + diff --git a/queue-4.4/m68k-mac-don-t-send-iop-message-until-channel-is-idl.patch b/queue-4.4/m68k-mac-don-t-send-iop-message-until-channel-is-idl.patch new file mode 100644 index 00000000000..964f835fbad --- /dev/null +++ b/queue-4.4/m68k-mac-don-t-send-iop-message-until-channel-is-idl.patch @@ -0,0 +1,70 @@ +From 044a76cfbf25014015994fc8001e44082744f42b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 May 2020 09:12:13 +1000 +Subject: m68k: mac: Don't send IOP message until channel is idle + +From: Finn Thain + +[ Upstream commit aeb445bf2194d83e12e85bf5c65baaf1f093bd8f ] + +In the following sequence of calls, iop_do_send() gets called when the +"send" channel is not in the IOP_MSG_IDLE state: + + iop_ism_irq() + iop_handle_send() + (msg->handler)() + iop_send_message() + iop_do_send() + +Avoid this by testing the channel state before calling iop_do_send(). + +When sending, and iop_send_queue is empty, call iop_do_send() because +the channel is idle. If iop_send_queue is not empty, iop_do_send() will +get called later by iop_handle_send(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Finn Thain +Tested-by: Stan Johnson +Cc: Joshua Thompson +Link: https://lore.kernel.org/r/6d667c39e53865661fa5a48f16829d18ed8abe54.1590880333.git.fthain@telegraphics.com.au +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/m68k/mac/iop.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/arch/m68k/mac/iop.c b/arch/m68k/mac/iop.c +index 4d2adfb32a2ab..c89ed66908f91 100644 +--- a/arch/m68k/mac/iop.c ++++ b/arch/m68k/mac/iop.c +@@ -416,7 +416,8 @@ static void iop_handle_send(uint iop_num, uint chan) + iop_free_msg(msg2); + + iop_send_queue[iop_num][chan] = msg; +- if (msg) iop_do_send(msg); ++ if (msg && iop_readb(iop, IOP_ADDR_SEND_STATE + chan) == IOP_MSG_IDLE) ++ iop_do_send(msg); + } + + /* +@@ -497,16 +498,12 @@ int iop_send_message(uint iop_num, uint chan, void *privdata, + + if (!(q = iop_send_queue[iop_num][chan])) { + iop_send_queue[iop_num][chan] = msg; ++ iop_do_send(msg); + } else { + while (q->next) q = q->next; + q->next = msg; + } + +- if (iop_readb(iop_base[iop_num], +- IOP_ADDR_SEND_STATE + chan) == IOP_MSG_IDLE) { +- iop_do_send(msg); +- } +- + return 0; + } + +-- +2.25.1 + diff --git a/queue-4.4/m68k-mac-fix-iop-status-control-register-writes.patch b/queue-4.4/m68k-mac-fix-iop-status-control-register-writes.patch new file mode 100644 index 00000000000..3ee63c9f148 --- /dev/null +++ b/queue-4.4/m68k-mac-fix-iop-status-control-register-writes.patch @@ -0,0 +1,79 @@ +From 3b09500b8bb33ff470906689cf57be722578e029 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 May 2020 09:12:13 +1000 +Subject: m68k: mac: Fix IOP status/control register writes + +From: Finn Thain + +[ Upstream commit 931fc82a6aaf4e2e4a5490addaa6a090d78c24a7 ] + +When writing values to the IOP status/control register make sure those +values do not have any extraneous bits that will clear interrupt flags. + +To place the SCC IOP into bypass mode would be desirable but this is not +achieved by writing IOP_DMAINACTIVE | IOP_RUN | IOP_AUTOINC | IOP_BYPASS +to the control register. Drop this ineffective register write. + +Remove the flawed and unused iop_bypass() function. Make use of the +unused iop_stop() function. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Finn Thain +Tested-by: Stan Johnson +Cc: Joshua Thompson +Link: https://lore.kernel.org/r/09bcb7359a1719a18b551ee515da3c4c3cf709e6.1590880333.git.fthain@telegraphics.com.au +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/m68k/mac/iop.c | 12 +++--------- + 1 file changed, 3 insertions(+), 9 deletions(-) + +diff --git a/arch/m68k/mac/iop.c b/arch/m68k/mac/iop.c +index c89ed66908f91..358ca965cf824 100644 +--- a/arch/m68k/mac/iop.c ++++ b/arch/m68k/mac/iop.c +@@ -173,7 +173,7 @@ static __inline__ void iop_writeb(volatile struct mac_iop *iop, __u16 addr, __u8 + + static __inline__ void iop_stop(volatile struct mac_iop *iop) + { +- iop->status_ctrl &= ~IOP_RUN; ++ iop->status_ctrl = IOP_AUTOINC; + } + + static __inline__ void iop_start(volatile struct mac_iop *iop) +@@ -181,14 +181,9 @@ static __inline__ void iop_start(volatile struct mac_iop *iop) + iop->status_ctrl = IOP_RUN | IOP_AUTOINC; + } + +-static __inline__ void iop_bypass(volatile struct mac_iop *iop) +-{ +- iop->status_ctrl |= IOP_BYPASS; +-} +- + static __inline__ void iop_interrupt(volatile struct mac_iop *iop) + { +- iop->status_ctrl |= IOP_IRQ; ++ iop->status_ctrl = IOP_IRQ | IOP_RUN | IOP_AUTOINC; + } + + static int iop_alive(volatile struct mac_iop *iop) +@@ -239,7 +234,6 @@ void __init iop_preinit(void) + } else { + iop_base[IOP_NUM_SCC] = (struct mac_iop *) SCC_IOP_BASE_QUADRA; + } +- iop_base[IOP_NUM_SCC]->status_ctrl = 0x87; + iop_scc_present = 1; + } else { + iop_base[IOP_NUM_SCC] = NULL; +@@ -251,7 +245,7 @@ void __init iop_preinit(void) + } else { + iop_base[IOP_NUM_ISM] = (struct mac_iop *) ISM_IOP_BASE_QUADRA; + } +- iop_base[IOP_NUM_ISM]->status_ctrl = 0; ++ iop_stop(iop_base[IOP_NUM_ISM]); + iop_ism_present = 1; + } else { + iop_base[IOP_NUM_ISM] = NULL; +-- +2.25.1 + diff --git a/queue-4.4/media-exynos4-is-add-missed-check-for-pinctrl_lookup.patch b/queue-4.4/media-exynos4-is-add-missed-check-for-pinctrl_lookup.patch new file mode 100644 index 00000000000..97ec8cb7843 --- /dev/null +++ b/queue-4.4/media-exynos4-is-add-missed-check-for-pinctrl_lookup.patch @@ -0,0 +1,38 @@ +From d17d04cdb76f99c5af7813764ff18764b3ec374b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 May 2020 08:41:47 +0200 +Subject: media: exynos4-is: Add missed check for pinctrl_lookup_state() + +From: Chuhong Yuan + +[ Upstream commit 18ffec750578f7447c288647d7282c7d12b1d969 ] + +fimc_md_get_pinctrl() misses a check for pinctrl_lookup_state(). +Add the missed check to fix it. + +Fixes: 4163851f7b99 ("[media] s5p-fimc: Use pinctrl API for camera ports configuration]") +Signed-off-by: Chuhong Yuan +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/exynos4-is/media-dev.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/media/platform/exynos4-is/media-dev.c b/drivers/media/platform/exynos4-is/media-dev.c +index 4f5586a4cbffa..31cc7d94064e3 100644 +--- a/drivers/media/platform/exynos4-is/media-dev.c ++++ b/drivers/media/platform/exynos4-is/media-dev.c +@@ -1172,6 +1172,9 @@ static int fimc_md_get_pinctrl(struct fimc_md *fmd) + + pctl->state_idle = pinctrl_lookup_state(pctl->pinctrl, + PINCTRL_STATE_IDLE); ++ if (IS_ERR(pctl->state_idle)) ++ return PTR_ERR(pctl->state_idle); ++ + return 0; + } + +-- +2.25.1 + diff --git a/queue-4.4/media-firewire-using-uninitialized-values-in-node_pr.patch b/queue-4.4/media-firewire-using-uninitialized-values-in-node_pr.patch new file mode 100644 index 00000000000..e5c84aff469 --- /dev/null +++ b/queue-4.4/media-firewire-using-uninitialized-values-in-node_pr.patch @@ -0,0 +1,40 @@ +From ddfb0401f47f5c06f1a5f0fc21f049fabe7e0406 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 May 2020 16:40:22 +0200 +Subject: media: firewire: Using uninitialized values in node_probe() + +From: Dan Carpenter + +[ Upstream commit 2505a210fc126599013aec2be741df20aaacc490 ] + +If fw_csr_string() returns -ENOENT, then "name" is uninitialized. So +then the "strlen(model_names[i]) <= name_len" is true because strlen() +is unsigned and -ENOENT is type promoted to a very high positive value. +Then the "strncmp(name, model_names[i], name_len)" uses uninitialized +data because "name" is uninitialized. + +Fixes: 92374e886c75 ("[media] firedtv: drop obsolete backend abstraction") +Signed-off-by: Dan Carpenter +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/firewire/firedtv-fw.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/media/firewire/firedtv-fw.c b/drivers/media/firewire/firedtv-fw.c +index 247f0e7cb5f7f..5d634706a7eaa 100644 +--- a/drivers/media/firewire/firedtv-fw.c ++++ b/drivers/media/firewire/firedtv-fw.c +@@ -271,6 +271,8 @@ static int node_probe(struct fw_unit *unit, const struct ieee1394_device_id *id) + + name_len = fw_csr_string(unit->directory, CSR_MODEL, + name, sizeof(name)); ++ if (name_len < 0) ++ return name_len; + for (i = ARRAY_SIZE(model_names); --i; ) + if (strlen(model_names[i]) <= name_len && + strncmp(name, model_names[i], name_len) == 0) +-- +2.25.1 + diff --git a/queue-4.4/media-omap3isp-add-missed-v4l2_ctrl_handler_free-for.patch b/queue-4.4/media-omap3isp-add-missed-v4l2_ctrl_handler_free-for.patch new file mode 100644 index 00000000000..fca47aaa022 --- /dev/null +++ b/queue-4.4/media-omap3isp-add-missed-v4l2_ctrl_handler_free-for.patch @@ -0,0 +1,49 @@ +From 66412891a5c4ee738993acecd666d9419003028c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jun 2020 18:41:22 +0200 +Subject: media: omap3isp: Add missed v4l2_ctrl_handler_free() for + preview_init_entities() + +From: Chuhong Yuan + +[ Upstream commit dc7690a73017e1236202022e26a6aa133f239c8c ] + +preview_init_entities() does not call v4l2_ctrl_handler_free() when +it fails. +Add the missed function to fix it. + +Fixes: de1135d44f4f ("[media] omap3isp: CCDC, preview engine and resizer") +Signed-off-by: Chuhong Yuan +Reviewed-by: Laurent Pinchart +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/omap3isp/isppreview.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/omap3isp/isppreview.c b/drivers/media/platform/omap3isp/isppreview.c +index c9e8845de1b1d..c3336a2cbe145 100644 +--- a/drivers/media/platform/omap3isp/isppreview.c ++++ b/drivers/media/platform/omap3isp/isppreview.c +@@ -2285,7 +2285,7 @@ static int preview_init_entities(struct isp_prev_device *prev) + me->ops = &preview_media_ops; + ret = media_entity_init(me, PREV_PADS_NUM, pads, 0); + if (ret < 0) +- return ret; ++ goto error_handler_free; + + preview_init_formats(sd, NULL); + +@@ -2331,6 +2331,8 @@ static int preview_init_entities(struct isp_prev_device *prev) + omap3isp_video_cleanup(&prev->video_in); + error_video_in: + media_entity_cleanup(&prev->subdev.entity); ++error_handler_free: ++ v4l2_ctrl_handler_free(&prev->ctrls); + return ret; + } + +-- +2.25.1 + diff --git a/queue-4.4/mm-mmap.c-add-cond_resched-for-exit_mmap-cpu-stalls.patch b/queue-4.4/mm-mmap.c-add-cond_resched-for-exit_mmap-cpu-stalls.patch new file mode 100644 index 00000000000..590dd00a2b8 --- /dev/null +++ b/queue-4.4/mm-mmap.c-add-cond_resched-for-exit_mmap-cpu-stalls.patch @@ -0,0 +1,83 @@ +From c58951e0720f1c8a109941b40f99bedc923e936c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Apr 2020 16:46:10 -0700 +Subject: mm/mmap.c: Add cond_resched() for exit_mmap() CPU stalls + +From: Paul E. McKenney + +[ Upstream commit 0a3b3c253a1eb2c7fe7f34086d46660c909abeb3 ] + +A large process running on a heavily loaded system can encounter the +following RCU CPU stall warning: + + rcu: INFO: rcu_sched self-detected stall on CPU + rcu: 3-....: (20998 ticks this GP) idle=4ea/1/0x4000000000000002 softirq=556558/556558 fqs=5190 + (t=21013 jiffies g=1005461 q=132576) + NMI backtrace for cpu 3 + CPU: 3 PID: 501900 Comm: aio-free-ring-w Kdump: loaded Not tainted 5.2.9-108_fbk12_rc3_3858_gb83b75af7909 #1 + Hardware name: Wiwynn HoneyBadger/PantherPlus, BIOS HBM6.71 02/03/2016 + Call Trace: + + dump_stack+0x46/0x60 + nmi_cpu_backtrace.cold.3+0x13/0x50 + ? lapic_can_unplug_cpu.cold.27+0x34/0x34 + nmi_trigger_cpumask_backtrace+0xba/0xca + rcu_dump_cpu_stacks+0x99/0xc7 + rcu_sched_clock_irq.cold.87+0x1aa/0x397 + ? tick_sched_do_timer+0x60/0x60 + update_process_times+0x28/0x60 + tick_sched_timer+0x37/0x70 + __hrtimer_run_queues+0xfe/0x270 + hrtimer_interrupt+0xf4/0x210 + smp_apic_timer_interrupt+0x5e/0x120 + apic_timer_interrupt+0xf/0x20 + + RIP: 0010:kmem_cache_free+0x223/0x300 + Code: 88 00 00 00 0f 85 ca 00 00 00 41 8b 55 18 31 f6 f7 da 41 f6 45 0a 02 40 0f 94 c6 83 c6 05 9c 41 5e fa e8 a0 a7 01 00 41 56 9d <49> 8b 47 08 a8 03 0f 85 87 00 00 00 65 48 ff 08 e9 3d fe ff ff 65 + RSP: 0018:ffffc9000e8e3da8 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff13 + RAX: 0000000000020000 RBX: ffff88861b9de960 RCX: 0000000000000030 + RDX: fffffffffffe41e8 RSI: 000060777fe3a100 RDI: 000000000001be18 + RBP: ffffea00186e7780 R08: ffffffffffffffff R09: ffffffffffffffff + R10: ffff88861b9dea28 R11: ffff88887ffde000 R12: ffffffff81230a1f + R13: ffff888854684dc0 R14: 0000000000000206 R15: ffff8888547dbc00 + ? remove_vma+0x4f/0x60 + remove_vma+0x4f/0x60 + exit_mmap+0xd6/0x160 + mmput+0x4a/0x110 + do_exit+0x278/0xae0 + ? syscall_trace_enter+0x1d3/0x2b0 + ? handle_mm_fault+0xaa/0x1c0 + do_group_exit+0x3a/0xa0 + __x64_sys_exit_group+0x14/0x20 + do_syscall_64+0x42/0x100 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +And on a PREEMPT=n kernel, the "while (vma)" loop in exit_mmap() can run +for a very long time given a large process. This commit therefore adds +a cond_resched() to this loop, providing RCU any needed quiescent states. + +Cc: Andrew Morton +Cc: +Reviewed-by: Shakeel Butt +Reviewed-by: Joel Fernandes (Google) +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + mm/mmap.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/mm/mmap.c b/mm/mmap.c +index a24e424770012..135cccce41f88 100644 +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -2954,6 +2954,7 @@ void exit_mmap(struct mm_struct *mm) + if (vma->vm_flags & VM_ACCOUNT) + nr_accounted += vma_pages(vma); + vma = remove_vma(vma); ++ cond_resched(); + } + vm_unacct_memory(nr_accounted); + } +-- +2.25.1 + diff --git a/queue-4.4/mwifiex-prevent-memory-corruption-handling-keys.patch b/queue-4.4/mwifiex-prevent-memory-corruption-handling-keys.patch new file mode 100644 index 00000000000..abea71e9bfa --- /dev/null +++ b/queue-4.4/mwifiex-prevent-memory-corruption-handling-keys.patch @@ -0,0 +1,82 @@ +From 721e7a5b23bc002087cba24f32f514a243430721 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jul 2020 14:58:57 +0300 +Subject: mwifiex: Prevent memory corruption handling keys + +From: Dan Carpenter + +[ Upstream commit e18696786548244914f36ec3c46ac99c53df99c3 ] + +The length of the key comes from the network and it's a 16 bit number. It +needs to be capped to prevent a buffer overflow. + +Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver") +Signed-off-by: Dan Carpenter +Acked-by: Ganapathi Bhat +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200708115857.GA13729@mwanda +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mwifiex/sta_cmdresp.c | 22 +++++++++++++++------- + 1 file changed, 15 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/wireless/mwifiex/sta_cmdresp.c b/drivers/net/wireless/mwifiex/sta_cmdresp.c +index 9ac7aa2431b41..9e3853c8a22da 100644 +--- a/drivers/net/wireless/mwifiex/sta_cmdresp.c ++++ b/drivers/net/wireless/mwifiex/sta_cmdresp.c +@@ -592,6 +592,11 @@ static int mwifiex_ret_802_11_key_material_v1(struct mwifiex_private *priv, + { + struct host_cmd_ds_802_11_key_material *key = + &resp->params.key_material; ++ int len; ++ ++ len = le16_to_cpu(key->key_param_set.key_len); ++ if (len > sizeof(key->key_param_set.key)) ++ return -EINVAL; + + if (le16_to_cpu(key->action) == HostCmd_ACT_GEN_SET) { + if ((le16_to_cpu(key->key_param_set.key_info) & KEY_MCAST)) { +@@ -605,9 +610,8 @@ static int mwifiex_ret_802_11_key_material_v1(struct mwifiex_private *priv, + + memset(priv->aes_key.key_param_set.key, 0, + sizeof(key->key_param_set.key)); +- priv->aes_key.key_param_set.key_len = key->key_param_set.key_len; +- memcpy(priv->aes_key.key_param_set.key, key->key_param_set.key, +- le16_to_cpu(priv->aes_key.key_param_set.key_len)); ++ priv->aes_key.key_param_set.key_len = cpu_to_le16(len); ++ memcpy(priv->aes_key.key_param_set.key, key->key_param_set.key, len); + + return 0; + } +@@ -622,9 +626,14 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv, + struct host_cmd_ds_command *resp) + { + struct host_cmd_ds_802_11_key_material_v2 *key_v2; +- __le16 len; ++ int len; + + key_v2 = &resp->params.key_material_v2; ++ ++ len = le16_to_cpu(key_v2->key_param_set.key_params.aes.key_len); ++ if (len > WLAN_KEY_LEN_CCMP) ++ return -EINVAL; ++ + if (le16_to_cpu(key_v2->action) == HostCmd_ACT_GEN_SET) { + if ((le16_to_cpu(key_v2->key_param_set.key_info) & KEY_MCAST)) { + mwifiex_dbg(priv->adapter, INFO, "info: key: GTK is set\n"); +@@ -640,10 +649,9 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv, + memset(priv->aes_key_v2.key_param_set.key_params.aes.key, 0, + WLAN_KEY_LEN_CCMP); + priv->aes_key_v2.key_param_set.key_params.aes.key_len = +- key_v2->key_param_set.key_params.aes.key_len; +- len = priv->aes_key_v2.key_param_set.key_params.aes.key_len; ++ cpu_to_le16(len); + memcpy(priv->aes_key_v2.key_param_set.key_params.aes.key, +- key_v2->key_param_set.key_params.aes.key, le16_to_cpu(len)); ++ key_v2->key_param_set.key_params.aes.key, len); + + return 0; + } +-- +2.25.1 + diff --git a/queue-4.4/net-spider_net-fix-the-size-used-in-a-dma_free_coher.patch b/queue-4.4/net-spider_net-fix-the-size-used-in-a-dma_free_coher.patch new file mode 100644 index 00000000000..12dd2322cdb --- /dev/null +++ b/queue-4.4/net-spider_net-fix-the-size-used-in-a-dma_free_coher.patch @@ -0,0 +1,39 @@ +From 4dccd05e43da7a09af2a1e6c9bf85a4cc9c3aa35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 15:53:33 +0200 +Subject: net: spider_net: Fix the size used in a 'dma_free_coherent()' call + +From: Christophe JAILLET + +[ Upstream commit 36f28f7687a9ce665479cce5d64ce7afaa9e77ae ] + +Update the size used in 'dma_free_coherent()' in order to match the one +used in the corresponding 'dma_alloc_coherent()', in +'spider_net_init_chain()'. + +Fixes: d4ed8f8d1fb7 ("Spidernet DMA coalescing") +Signed-off-by: Christophe JAILLET +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/toshiba/spider_net.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/toshiba/spider_net.c b/drivers/net/ethernet/toshiba/spider_net.c +index 8e53211aedd82..53600e28d93b7 100644 +--- a/drivers/net/ethernet/toshiba/spider_net.c ++++ b/drivers/net/ethernet/toshiba/spider_net.c +@@ -297,8 +297,8 @@ spider_net_free_chain(struct spider_net_card *card, + descr = descr->next; + } while (descr != chain->ring); + +- dma_free_coherent(&card->pdev->dev, chain->num_desc, +- chain->hwring, chain->dma_addr); ++ dma_free_coherent(&card->pdev->dev, chain->num_desc * sizeof(struct spider_net_hw_descr), ++ chain->hwring, chain->dma_addr); + } + + /** +-- +2.25.1 + diff --git a/queue-4.4/pci-aspm-add-missing-newline-in-sysfs-policy.patch b/queue-4.4/pci-aspm-add-missing-newline-in-sysfs-policy.patch new file mode 100644 index 00000000000..a813a007851 --- /dev/null +++ b/queue-4.4/pci-aspm-add-missing-newline-in-sysfs-policy.patch @@ -0,0 +1,40 @@ +From 627604268c00456370bdcbb459071c0cca8f7c64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Jul 2020 15:59:25 +0800 +Subject: PCI/ASPM: Add missing newline in sysfs 'policy' + +From: Xiongfeng Wang + +[ Upstream commit 3167e3d340c092fd47924bc4d23117a3074ef9a9 ] + +When I cat ASPM parameter 'policy' by sysfs, it displays as follows. Add a +newline for easy reading. Other sysfs attributes already include a +newline. + + [root@localhost ~]# cat /sys/module/pcie_aspm/parameters/policy + [default] performance powersave powersupersave [root@localhost ~]# + +Fixes: 7d715a6c1ae5 ("PCI: add PCI Express ASPM support") +Link: https://lore.kernel.org/r/1594972765-10404-1-git-send-email-wangxiongfeng2@huawei.com +Signed-off-by: Xiongfeng Wang +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/pcie/aspm.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c +index 966b6947e5656..a098f8324afd0 100644 +--- a/drivers/pci/pcie/aspm.c ++++ b/drivers/pci/pcie/aspm.c +@@ -807,6 +807,7 @@ static int pcie_aspm_get_policy(char *buffer, struct kernel_param *kp) + cnt += sprintf(buffer + cnt, "[%s] ", policy_str[i]); + else + cnt += sprintf(buffer + cnt, "%s ", policy_str[i]); ++ cnt += sprintf(buffer + cnt, "\n"); + return cnt; + } + +-- +2.25.1 + diff --git a/queue-4.4/pinctrl-single-fix-pcs_parse_pinconf-return-value.patch b/queue-4.4/pinctrl-single-fix-pcs_parse_pinconf-return-value.patch new file mode 100644 index 00000000000..2b0bd1e44d2 --- /dev/null +++ b/queue-4.4/pinctrl-single-fix-pcs_parse_pinconf-return-value.patch @@ -0,0 +1,143 @@ +From 517550f651234b0e27057d8108908f58f07fa357 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Jun 2020 14:51:43 +0200 +Subject: pinctrl-single: fix pcs_parse_pinconf() return value + +From: Drew Fustini + +[ Upstream commit f46fe79ff1b65692a65266a5bec6dbe2bf7fc70f ] + +This patch causes pcs_parse_pinconf() to return -ENOTSUPP when no +pinctrl_map is added. The current behavior is to return 0 when +!PCS_HAS_PINCONF or !nconfs. Thus pcs_parse_one_pinctrl_entry() +incorrectly assumes that a map was added and sets num_maps = 2. + +Analysis: +========= +The function pcs_parse_one_pinctrl_entry() calls pcs_parse_pinconf() +if PCS_HAS_PINCONF is enabled. The function pcs_parse_pinconf() +returns 0 to indicate there was no error and num_maps is then set to 2: + + 980 static int pcs_parse_one_pinctrl_entry(struct pcs_device *pcs, + 981 struct device_node *np, + 982 struct pinctrl_map **map, + 983 unsigned *num_maps, + 984 const char **pgnames) + 985 { + +1053 (*map)->type = PIN_MAP_TYPE_MUX_GROUP; +1054 (*map)->data.mux.group = np->name; +1055 (*map)->data.mux.function = np->name; +1056 +1057 if (PCS_HAS_PINCONF && function) { +1058 res = pcs_parse_pinconf(pcs, np, function, map); +1059 if (res) +1060 goto free_pingroups; +1061 *num_maps = 2; +1062 } else { +1063 *num_maps = 1; +1064 } + +However, pcs_parse_pinconf() will also return 0 if !PCS_HAS_PINCONF or +!nconfs. I believe these conditions should indicate that no map was +added by returning -ENOTSUPP. Otherwise pcs_parse_one_pinctrl_entry() +will set num_maps = 2 even though no maps were successfully added, as +it does not reach "m++" on line 940: + + 895 static int pcs_parse_pinconf(struct pcs_device *pcs, struct device_node *np, + 896 struct pcs_function *func, + 897 struct pinctrl_map **map) + 898 + 899 { + 900 struct pinctrl_map *m = *map; + + 917 /* If pinconf isn't supported, don't parse properties in below. */ + 918 if (!PCS_HAS_PINCONF) + 919 return 0; + 920 + 921 /* cacluate how much properties are supported in current node */ + 922 for (i = 0; i < ARRAY_SIZE(prop2); i++) { + 923 if (of_find_property(np, prop2[i].name, NULL)) + 924 nconfs++; + 925 } + 926 for (i = 0; i < ARRAY_SIZE(prop4); i++) { + 927 if (of_find_property(np, prop4[i].name, NULL)) + 928 nconfs++; + 929 } + 930 if (!nconfs) + 919 return 0; + 932 + 933 func->conf = devm_kcalloc(pcs->dev, + 934 nconfs, sizeof(struct pcs_conf_vals), + 935 GFP_KERNEL); + 936 if (!func->conf) + 937 return -ENOMEM; + 938 func->nconfs = nconfs; + 939 conf = &(func->conf[0]); + 940 m++; + +This situtation will cause a boot failure [0] on the BeagleBone Black +(AM3358) when am33xx_pinmux node in arch/arm/boot/dts/am33xx-l4.dtsi +has compatible = "pinconf-single" instead of "pinctrl-single". + +The patch fixes this issue by returning -ENOSUPP when !PCS_HAS_PINCONF +or !nconfs, so that pcs_parse_one_pinctrl_entry() will know that no +map was added. + +Logic is also added to pcs_parse_one_pinctrl_entry() to distinguish +between -ENOSUPP and other errors. In the case of -ENOSUPP, num_maps +is set to 1 as it is valid for pinconf to be enabled and a given pin +group to not any pinconf properties. + +[0] https://lore.kernel.org/linux-omap/20200529175544.GA3766151@x1/ + +Fixes: 9dddb4df90d1 ("pinctrl: single: support generic pinconf") +Signed-off-by: Drew Fustini +Acked-by: Tony Lindgren +Link: https://lore.kernel.org/r/20200608125143.GA2789203@x1 +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-single.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/pinctrl/pinctrl-single.c b/drivers/pinctrl/pinctrl-single.c +index 73d8d47ea465a..17714793c08e4 100644 +--- a/drivers/pinctrl/pinctrl-single.c ++++ b/drivers/pinctrl/pinctrl-single.c +@@ -1071,7 +1071,7 @@ static int pcs_parse_pinconf(struct pcs_device *pcs, struct device_node *np, + + /* If pinconf isn't supported, don't parse properties in below. */ + if (!PCS_HAS_PINCONF) +- return 0; ++ return -ENOTSUPP; + + /* cacluate how much properties are supported in current node */ + for (i = 0; i < ARRAY_SIZE(prop2); i++) { +@@ -1083,7 +1083,7 @@ static int pcs_parse_pinconf(struct pcs_device *pcs, struct device_node *np, + nconfs++; + } + if (!nconfs) +- return 0; ++ return -ENOTSUPP; + + func->conf = devm_kzalloc(pcs->dev, + sizeof(struct pcs_conf_vals) * nconfs, +@@ -1196,9 +1196,12 @@ static int pcs_parse_one_pinctrl_entry(struct pcs_device *pcs, + + if (PCS_HAS_PINCONF) { + res = pcs_parse_pinconf(pcs, np, function, map); +- if (res) ++ if (res == 0) ++ *num_maps = 2; ++ else if (res == -ENOTSUPP) ++ *num_maps = 1; ++ else + goto free_pingroups; +- *num_maps = 2; + } else { + *num_maps = 1; + } +-- +2.25.1 + diff --git a/queue-4.4/power-supply-check-if-calc_soc-succeeded-in-pm860x_i.patch b/queue-4.4/power-supply-check-if-calc_soc-succeeded-in-pm860x_i.patch new file mode 100644 index 00000000000..1ed27480113 --- /dev/null +++ b/queue-4.4/power-supply-check-if-calc_soc-succeeded-in-pm860x_i.patch @@ -0,0 +1,58 @@ +From 85de1a4905fbae4bb1beddf49b7696b3a8a54848 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Jul 2020 12:23:51 -0700 +Subject: power: supply: check if calc_soc succeeded in pm860x_init_battery + +From: Tom Rix + +[ Upstream commit ccf193dee1f0fff55b556928591f7818bac1b3b1 ] + +clang static analysis flags this error + +88pm860x_battery.c:522:19: warning: Assigned value is + garbage or undefined [core.uninitialized.Assign] + info->start_soc = soc; + ^ ~~~ +soc is set by calling calc_soc. +But calc_soc can return without setting soc. + +So check the return status and bail similarly to other +checks in pm860x_init_battery and initialize soc to +silence the warning. + +Fixes: a830d28b48bf ("power_supply: Enable battery-charger for 88pm860x") + +Signed-off-by: Tom Rix +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/88pm860x_battery.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/power/88pm860x_battery.c b/drivers/power/88pm860x_battery.c +index 63c57dc82ac1d..4eda5065b5bbc 100644 +--- a/drivers/power/88pm860x_battery.c ++++ b/drivers/power/88pm860x_battery.c +@@ -436,7 +436,7 @@ static void pm860x_init_battery(struct pm860x_battery_info *info) + int ret; + int data; + int bat_remove; +- int soc; ++ int soc = 0; + + /* measure enable on GPADC1 */ + data = MEAS1_GP1; +@@ -499,7 +499,9 @@ static void pm860x_init_battery(struct pm860x_battery_info *info) + } + mutex_unlock(&info->lock); + +- calc_soc(info, OCV_MODE_ACTIVE, &soc); ++ ret = calc_soc(info, OCV_MODE_ACTIVE, &soc); ++ if (ret < 0) ++ goto out; + + data = pm860x_reg_read(info->i2c, PM8607_POWER_UP_LOG); + bat_remove = data & BAT_WU_LOG; +-- +2.25.1 + diff --git a/queue-4.4/powerpc-vdso-fix-vdso-cpu-truncation.patch b/queue-4.4/powerpc-vdso-fix-vdso-cpu-truncation.patch new file mode 100644 index 00000000000..4b0630203ef --- /dev/null +++ b/queue-4.4/powerpc-vdso-fix-vdso-cpu-truncation.patch @@ -0,0 +1,45 @@ +From 070a941f36fc7d51892f69c7a604ab7f54fd939b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jul 2020 09:37:04 +1000 +Subject: powerpc/vdso: Fix vdso cpu truncation + +From: Milton Miller + +[ Upstream commit a9f675f950a07d5c1dbcbb97aabac56f5ed085e3 ] + +The code in vdso_cpu_init that exposes the cpu and numa node to +userspace via SPRG_VDSO incorrctly masks the cpu to 12 bits. This means +that any kernel running on a box with more than 4096 threads (NR_CPUS +advertises a limit of of 8192 cpus) would expose userspace to two cpu +contexts running at the same time with the same cpu number. + +Note: I'm not aware of any distro shipping a kernel with support for more +than 4096 threads today, nor of any system image that currently exceeds +4096 threads. Found via code browsing. + +Fixes: 18ad51dd342a7eb09dbcd059d0b451b616d4dafc ("powerpc: Add VDSO version of getcpu") +Signed-off-by: Milton Miller +Signed-off-by: Anton Blanchard +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200715233704.1352257-1-anton@ozlabs.org +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/vdso.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/kernel/vdso.c b/arch/powerpc/kernel/vdso.c +index b457bfa284360..05c17429e5442 100644 +--- a/arch/powerpc/kernel/vdso.c ++++ b/arch/powerpc/kernel/vdso.c +@@ -702,7 +702,7 @@ int vdso_getcpu_init(void) + node = cpu_to_node(cpu); + WARN_ON_ONCE(node > 0xffff); + +- val = (cpu & 0xfff) | ((node & 0xffff) << 16); ++ val = (cpu & 0xffff) | ((node & 0xffff) << 16); + mtspr(SPRN_SPRG_VDSO_WRITE, val); + get_paca()->sprg_vdso = val; + +-- +2.25.1 + diff --git a/queue-4.4/s390-qeth-don-t-process-empty-bridge-port-events.patch b/queue-4.4/s390-qeth-don-t-process-empty-bridge-port-events.patch new file mode 100644 index 00000000000..d315f2938d0 --- /dev/null +++ b/queue-4.4/s390-qeth-don-t-process-empty-bridge-port-events.patch @@ -0,0 +1,40 @@ +From 59e3864fc0bbd55617c655813654a21e1c7738ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jul 2020 17:01:20 +0200 +Subject: s390/qeth: don't process empty bridge port events + +From: Julian Wiedmann + +[ Upstream commit 02472e28b9a45471c6d8729ff2c7422baa9be46a ] + +Discard events that don't contain any entries. This shouldn't happen, +but subsequent code relies on being able to use entry 0. So better +be safe than accessing garbage. + +Fixes: b4d72c08b358 ("qeth: bridgeport support - basic control") +Signed-off-by: Julian Wiedmann +Reviewed-by: Alexandra Winter +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/s390/net/qeth_l2_main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/s390/net/qeth_l2_main.c b/drivers/s390/net/qeth_l2_main.c +index 97211f7f0cf02..ed4b0f6e2d6ad 100644 +--- a/drivers/s390/net/qeth_l2_main.c ++++ b/drivers/s390/net/qeth_l2_main.c +@@ -1669,6 +1669,10 @@ static void qeth_bridge_state_change(struct qeth_card *card, + int extrasize; + + QETH_CARD_TEXT(card, 2, "brstchng"); ++ if (qports->num_entries == 0) { ++ QETH_CARD_TEXT(card, 2, "BPempty"); ++ return; ++ } + if (qports->entry_length != sizeof(struct qeth_sbp_port_entry)) { + QETH_CARD_TEXT_(card, 2, "BPsz%04x", qports->entry_length); + return; +-- +2.25.1 + diff --git a/queue-4.4/scsi-cumana_2-fix-different-dev_id-between-request_i.patch b/queue-4.4/scsi-cumana_2-fix-different-dev_id-between-request_i.patch new file mode 100644 index 00000000000..51074145e9f --- /dev/null +++ b/queue-4.4/scsi-cumana_2-fix-different-dev_id-between-request_i.patch @@ -0,0 +1,39 @@ +From 2f7689b6af0739c680fe9d7253c7b2b3c3a11111 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Jun 2020 22:47:30 +0200 +Subject: scsi: cumana_2: Fix different dev_id between request_irq() and + free_irq() + +From: Christophe JAILLET + +[ Upstream commit 040ab9c4fd0070cd5fa71ba3a7b95b8470db9b4d ] + +The dev_id used in request_irq() and free_irq() should match. Use 'info' +in both cases. + +Link: https://lore.kernel.org/r/20200625204730.943520-1-christophe.jaillet@wanadoo.fr +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Acked-by: Russell King +Signed-off-by: Christophe JAILLET +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/arm/cumana_2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/arm/cumana_2.c b/drivers/scsi/arm/cumana_2.c +index faa1bee07c8ac..0c83a155ceebc 100644 +--- a/drivers/scsi/arm/cumana_2.c ++++ b/drivers/scsi/arm/cumana_2.c +@@ -454,7 +454,7 @@ static int cumanascsi2_probe(struct expansion_card *ec, + + if (info->info.scsi.dma != NO_DMA) + free_dma(info->info.scsi.dma); +- free_irq(ec->irq, host); ++ free_irq(ec->irq, info); + + out_release: + fas216_release(host); +-- +2.25.1 + diff --git a/queue-4.4/scsi-eesox-fix-different-dev_id-between-request_irq-.patch b/queue-4.4/scsi-eesox-fix-different-dev_id-between-request_irq-.patch new file mode 100644 index 00000000000..27420312ea4 --- /dev/null +++ b/queue-4.4/scsi-eesox-fix-different-dev_id-between-request_irq-.patch @@ -0,0 +1,38 @@ +From 16584d17693fe8d457a9e9338391a7e5cc9dab7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Jun 2020 06:05:53 +0200 +Subject: scsi: eesox: Fix different dev_id between request_irq() and + free_irq() + +From: Christophe JAILLET + +[ Upstream commit 86f2da1112ccf744ad9068b1d5d9843faf8ddee6 ] + +The dev_id used in request_irq() and free_irq() should match. Use 'info' in +both cases. + +Link: https://lore.kernel.org/r/20200626040553.944352-1-christophe.jaillet@wanadoo.fr +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Christophe JAILLET +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/arm/eesox.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/arm/eesox.c b/drivers/scsi/arm/eesox.c +index a8ad6880dd914..cf01442d91363 100644 +--- a/drivers/scsi/arm/eesox.c ++++ b/drivers/scsi/arm/eesox.c +@@ -575,7 +575,7 @@ static int eesoxscsi_probe(struct expansion_card *ec, const struct ecard_id *id) + + if (info->info.scsi.dma != NO_DMA) + free_dma(info->info.scsi.dma); +- free_irq(ec->irq, host); ++ free_irq(ec->irq, info); + + out_remove: + fas216_remove(host); +-- +2.25.1 + diff --git a/queue-4.4/scsi-mesh-fix-panic-after-host-or-bus-reset.patch b/queue-4.4/scsi-mesh-fix-panic-after-host-or-bus-reset.patch new file mode 100644 index 00000000000..b8c80fcd61d --- /dev/null +++ b/queue-4.4/scsi-mesh-fix-panic-after-host-or-bus-reset.patch @@ -0,0 +1,109 @@ +From 5e6358909799aecab2fcca74614ed83dbc699a34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jul 2020 09:25:51 +1000 +Subject: scsi: mesh: Fix panic after host or bus reset + +From: Finn Thain + +[ Upstream commit edd7dd2292ab9c3628b65c4d04514c3068ad54f6 ] + +Booting Linux with a Conner CP3200 drive attached to the MESH SCSI bus +results in EH measures and a panic: + +[ 25.499838] mesh: configured for synchronous 5 MB/s +[ 25.787154] mesh: performing initial bus reset... +[ 29.867115] scsi host0: MESH +[ 29.929527] mesh: target 0 synchronous at 3.6 MB/s +[ 29.998763] scsi 0:0:0:0: Direct-Access CONNER CP3200-200mb-3.5 4040 PQ: 0 ANSI: 1 CCS +[ 31.989975] sd 0:0:0:0: [sda] 415872 512-byte logical blocks: (213 MB/203 MiB) +[ 32.070975] sd 0:0:0:0: [sda] Write Protect is off +[ 32.137197] sd 0:0:0:0: [sda] Mode Sense: 5b 00 00 08 +[ 32.209661] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA +[ 32.332708] sda: [mac] sda1 sda2 sda3 +[ 32.417733] sd 0:0:0:0: [sda] Attached SCSI disk +... snip ... +[ 76.687067] mesh_abort((ptrval)) +[ 76.743606] mesh: state at (ptrval), regs at (ptrval), dma at (ptrval) +[ 76.810798] ct=6000 seq=86 bs=4017 fc= 0 exc= 0 err= 0 im= 7 int= 0 sp=85 +[ 76.880720] dma stat=84e0 cmdptr=1f73d000 +[ 76.941387] phase=4 msgphase=0 conn_tgt=0 data_ptr=24576 +[ 77.005567] dma_st=1 dma_ct=0 n_msgout=0 +[ 77.065456] target 0: req=(ptrval) goes_out=0 saved_ptr=0 +[ 77.130512] mesh_abort((ptrval)) +[ 77.187670] mesh: state at (ptrval), regs at (ptrval), dma at (ptrval) +[ 77.255594] ct=6000 seq=86 bs=4017 fc= 0 exc= 0 err= 0 im= 7 int= 0 sp=85 +[ 77.325778] dma stat=84e0 cmdptr=1f73d000 +[ 77.387239] phase=4 msgphase=0 conn_tgt=0 data_ptr=24576 +[ 77.453665] dma_st=1 dma_ct=0 n_msgout=0 +[ 77.515900] target 0: req=(ptrval) goes_out=0 saved_ptr=0 +[ 77.582902] mesh_host_reset +[ 88.187083] Kernel panic - not syncing: mesh: double DMA start ! +[ 88.254510] CPU: 0 PID: 358 Comm: scsi_eh_0 Not tainted 5.6.13-pmac #1 +[ 88.323302] Call Trace: +[ 88.378854] [e16ddc58] [c0027080] panic+0x13c/0x308 (unreliable) +[ 88.446221] [e16ddcb8] [c02b2478] mesh_start.part.12+0x130/0x414 +[ 88.513298] [e16ddcf8] [c02b2fc8] mesh_queue+0x54/0x70 +[ 88.577097] [e16ddd18] [c02a1848] scsi_send_eh_cmnd+0x374/0x384 +[ 88.643476] [e16dddc8] [c02a1938] scsi_eh_tur+0x5c/0xb8 +[ 88.707878] [e16dddf8] [c02a1ab8] scsi_eh_test_devices+0x124/0x178 +[ 88.775663] [e16dde28] [c02a2094] scsi_eh_ready_devs+0x588/0x8a8 +[ 88.843124] [e16dde98] [c02a31d8] scsi_error_handler+0x344/0x520 +[ 88.910697] [e16ddf08] [c00409c8] kthread+0xe4/0xe8 +[ 88.975166] [e16ddf38] [c000f234] ret_from_kernel_thread+0x14/0x1c +[ 89.044112] Rebooting in 180 seconds.. + +In theory, a panic can happen after a bus or host reset with dma_started +flag set. Fix this by halting the DMA before reinitializing the host. +Don't assume that ms->current_req is set when halt_dma() is invoked as it +may not hold for bus or host reset. + +BTW, this particular Conner drive can be made to work by inhibiting +disconnect/reselect with 'mesh.resel_targets=0'. + +Link: https://lore.kernel.org/r/3952bc691e150a7128b29120999b6092071b039a.1595460351.git.fthain@telegraphics.com.au +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: Paul Mackerras +Reported-and-tested-by: Stan Johnson +Signed-off-by: Finn Thain +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/mesh.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/mesh.c b/drivers/scsi/mesh.c +index 555367f002282..18ed4b44bc513 100644 +--- a/drivers/scsi/mesh.c ++++ b/drivers/scsi/mesh.c +@@ -1044,6 +1044,8 @@ static void handle_error(struct mesh_state *ms) + while ((in_8(&mr->bus_status1) & BS1_RST) != 0) + udelay(1); + printk("done\n"); ++ if (ms->dma_started) ++ halt_dma(ms); + handle_reset(ms); + /* request_q is empty, no point in mesh_start() */ + return; +@@ -1356,7 +1358,8 @@ static void halt_dma(struct mesh_state *ms) + ms->conn_tgt, ms->data_ptr, scsi_bufflen(cmd), + ms->tgts[ms->conn_tgt].data_goes_out); + } +- scsi_dma_unmap(cmd); ++ if (cmd) ++ scsi_dma_unmap(cmd); + ms->dma_started = 0; + } + +@@ -1711,6 +1714,9 @@ static int mesh_host_reset(struct scsi_cmnd *cmd) + + spin_lock_irqsave(ms->host->host_lock, flags); + ++ if (ms->dma_started) ++ halt_dma(ms); ++ + /* Reset the controller & dbdma channel */ + out_le32(&md->control, (RUN|PAUSE|FLUSH|WAKE) << 16); /* stop dma */ + out_8(&mr->exception, 0xff); /* clear all exception bits */ +-- +2.25.1 + diff --git a/queue-4.4/scsi-powertec-fix-different-dev_id-between-request_i.patch b/queue-4.4/scsi-powertec-fix-different-dev_id-between-request_i.patch new file mode 100644 index 00000000000..da67f7c7c78 --- /dev/null +++ b/queue-4.4/scsi-powertec-fix-different-dev_id-between-request_i.patch @@ -0,0 +1,38 @@ +From 8f3d808230f29dd720588736bf94cbe7fef28eee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Jun 2020 05:59:48 +0200 +Subject: scsi: powertec: Fix different dev_id between request_irq() and + free_irq() + +From: Christophe JAILLET + +[ Upstream commit d179f7c763241c1dc5077fca88ddc3c47d21b763 ] + +The dev_id used in request_irq() and free_irq() should match. Use 'info' in +both cases. + +Link: https://lore.kernel.org/r/20200626035948.944148-1-christophe.jaillet@wanadoo.fr +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Christophe JAILLET +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/arm/powertec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/arm/powertec.c b/drivers/scsi/arm/powertec.c +index 5e1b73e1b743e..b6724ba9b36e7 100644 +--- a/drivers/scsi/arm/powertec.c ++++ b/drivers/scsi/arm/powertec.c +@@ -382,7 +382,7 @@ static int powertecscsi_probe(struct expansion_card *ec, + + if (info->info.scsi.dma != NO_DMA) + free_dma(info->info.scsi.dma); +- free_irq(ec->irq, host); ++ free_irq(ec->irq, info); + + out_release: + fas216_release(host); +-- +2.25.1 + diff --git a/queue-4.4/series b/queue-4.4/series index 4c7cd165e99..e64cfc41c43 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -54,3 +54,50 @@ smack-fix-use-after-free-in-smk_write_relabel_self.patch tracepoint-mark-__tracepoint_string-s-__used.patch udp-drop-corrupt-packets-earlier-to-avoid-data-corru.patch gpio-fix-oops-resulting-from-calling-of_get_named_gp.patch +edac-fix-reference-count-leaks.patch +m68k-mac-don-t-send-iop-message-until-channel-is-idl.patch +m68k-mac-fix-iop-status-control-register-writes.patch +arm-at91-pm-add-missing-put_device-call-in-at91_pm_s.patch +arm-socfpga-pm-add-missing-put_device-call-in-socfpg.patch +drm-tilcdc-fix-leak-null-ref-in-panel_connector_get_.patch +bluetooth-add-a-mutex-lock-to-avoid-uaf-in-do_enale_.patch +fs-btrfs-add-cond_resched-for-try_release_extent_map.patch +drm-radeon-fix-reference-count-leaks-caused-by-pm_ru.patch +video-fbdev-neofb-fix-memory-leak-in-neo_scan_monito.patch +drm-nouveau-fix-multiple-instances-of-reference-coun.patch +drm-debugfs-fix-plain-echo-to-connector-force-attrib.patch +mm-mmap.c-add-cond_resched-for-exit_mmap-cpu-stalls.patch +brcmfmac-to-fix-bss-info-flag-definition-bug.patch +iwlegacy-check-the-return-value-of-pcie_capability_r.patch +usb-gadget-net2280-fix-memory-leak-on-probe-error-ha.patch +bdc-fix-bug-causing-crash-after-multiple-disconnects.patch +dyndbg-fix-a-bug_on-in-ddebug_describe_flags.patch +bcache-fix-super-block-seq-numbers-comparision-in-re.patch +acpica-do-not-increment-operation_region-reference-c.patch +agp-intel-fix-a-memory-leak-on-module-initialisation.patch +video-fbdev-sm712fb-fix-an-issue-about-iounmap-for-a.patch +console-newport_con-fix-an-issue-about-leak-related-.patch +iio-improve-iio_concentration-channel-type-descripti.patch +leds-lm355x-avoid-enum-conversion-warning.patch +media-omap3isp-add-missed-v4l2_ctrl_handler_free-for.patch +scsi-cumana_2-fix-different-dev_id-between-request_i.patch +cxl-fix-kobject-memleak.patch +drm-radeon-fix-array-out-of-bounds-read-and-write-is.patch +scsi-powertec-fix-different-dev_id-between-request_i.patch +scsi-eesox-fix-different-dev_id-between-request_irq-.patch +media-firewire-using-uninitialized-values-in-node_pr.patch +media-exynos4-is-add-missed-check-for-pinctrl_lookup.patch +drm-panel-simple-fix-bpc-for-lg-lb070wv8-panel.patch +mwifiex-prevent-memory-corruption-handling-keys.patch +powerpc-vdso-fix-vdso-cpu-truncation.patch +pci-aspm-add-missing-newline-in-sysfs-policy.patch +usb-dwc2-fix-error-path-in-gadget-registration.patch +scsi-mesh-fix-panic-after-host-or-bus-reset.patch +smack-fix-another-vsscanf-out-of-bounds.patch +smack-prevent-underflow-in-smk_set_cipso.patch +power-supply-check-if-calc_soc-succeeded-in-pm860x_i.patch +s390-qeth-don-t-process-empty-bridge-port-events.patch +wl1251-fix-always-return-0-error.patch +net-spider_net-fix-the-size-used-in-a-dma_free_coher.patch +dlm-fix-kobject-memleak.patch +pinctrl-single-fix-pcs_parse_pinconf-return-value.patch diff --git a/queue-4.4/smack-fix-another-vsscanf-out-of-bounds.patch b/queue-4.4/smack-fix-another-vsscanf-out-of-bounds.patch new file mode 100644 index 00000000000..9923705ccbd --- /dev/null +++ b/queue-4.4/smack-fix-another-vsscanf-out-of-bounds.patch @@ -0,0 +1,39 @@ +From e4721b5df563005e6f4bc446c24ef9d3cacfcdb5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jul 2020 18:22:19 +0300 +Subject: Smack: fix another vsscanf out of bounds + +From: Dan Carpenter + +[ Upstream commit a6bd4f6d9b07452b0b19842044a6c3ea384b0b88 ] + +This is similar to commit 84e99e58e8d1 ("Smack: slab-out-of-bounds in +vsscanf") where we added a bounds check on "rule". + +Reported-by: syzbot+a22c6092d003d6fe1122@syzkaller.appspotmail.com +Fixes: f7112e6c9abf ("Smack: allow for significantly longer Smack labels v4") +Signed-off-by: Dan Carpenter +Signed-off-by: Casey Schaufler +Signed-off-by: Sasha Levin +--- + security/smack/smackfs.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c +index bd4d0f5a79aa3..2e2ef3a525ecb 100644 +--- a/security/smack/smackfs.c ++++ b/security/smack/smackfs.c +@@ -939,6 +939,10 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf, + + for (i = 0; i < catlen; i++) { + rule += SMK_DIGITLEN; ++ if (rule > data + count) { ++ rc = -EOVERFLOW; ++ goto out; ++ } + ret = sscanf(rule, "%u", &cat); + if (ret != 1 || cat > SMACK_CIPSO_MAXCATNUM) + goto out; +-- +2.25.1 + diff --git a/queue-4.4/smack-prevent-underflow-in-smk_set_cipso.patch b/queue-4.4/smack-prevent-underflow-in-smk_set_cipso.patch new file mode 100644 index 00000000000..336f3d757ee --- /dev/null +++ b/queue-4.4/smack-prevent-underflow-in-smk_set_cipso.patch @@ -0,0 +1,36 @@ +From e4d4c1ace30718305318b03a8b7580a566be6926 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jul 2020 18:23:05 +0300 +Subject: Smack: prevent underflow in smk_set_cipso() + +From: Dan Carpenter + +[ Upstream commit 42a2df3e829f3c5562090391b33714b2e2e5ad4a ] + +We have an upper bound on "maplevel" but forgot to check for negative +values. + +Fixes: e114e473771c ("Smack: Simplified Mandatory Access Control Kernel") +Signed-off-by: Dan Carpenter +Signed-off-by: Casey Schaufler +Signed-off-by: Sasha Levin +--- + security/smack/smackfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c +index 2e2ef3a525ecb..df082648eb0aa 100644 +--- a/security/smack/smackfs.c ++++ b/security/smack/smackfs.c +@@ -918,7 +918,7 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf, + } + + ret = sscanf(rule, "%d", &maplevel); +- if (ret != 1 || maplevel > SMACK_CIPSO_MAXLEVEL) ++ if (ret != 1 || maplevel < 0 || maplevel > SMACK_CIPSO_MAXLEVEL) + goto out; + + rule += SMK_DIGITLEN; +-- +2.25.1 + diff --git a/queue-4.4/usb-dwc2-fix-error-path-in-gadget-registration.patch b/queue-4.4/usb-dwc2-fix-error-path-in-gadget-registration.patch new file mode 100644 index 00000000000..97b23a6f949 --- /dev/null +++ b/queue-4.4/usb-dwc2-fix-error-path-in-gadget-registration.patch @@ -0,0 +1,97 @@ +From cbeb649a6eda8e5f0b08721cd89aac193dd44c38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jul 2020 14:09:48 +0200 +Subject: usb: dwc2: Fix error path in gadget registration + +From: Marek Szyprowski + +[ Upstream commit 33a06f1300a79cfd461cea0268f05e969d4f34ec ] + +When gadget registration fails, one should not call usb_del_gadget_udc(). +Ensure this by setting gadget->udc to NULL. Also in case of a failure +there is no need to disable low-level hardware, so return immiedetly +instead of jumping to error_init label. + +This fixes the following kernel NULL ptr dereference on gadget failure +(can be easily triggered with g_mass_storage without any module +parameters): + +dwc2 12480000.hsotg: dwc2_check_params: Invalid parameter besl=1 +dwc2 12480000.hsotg: dwc2_check_params: Invalid parameter g_np_tx_fifo_size=1024 +dwc2 12480000.hsotg: EPs: 16, dedicated fifos, 7808 entries in SPRAM +Mass Storage Function, version: 2009/09/11 +LUN: removable file: (no medium) +no file given for LUN0 +g_mass_storage 12480000.hsotg: failed to start g_mass_storage: -22 +8<--- cut here --- +Unable to handle kernel NULL pointer dereference at virtual address 00000104 +pgd = (ptrval) +[00000104] *pgd=00000000 +Internal error: Oops: 805 [#1] PREEMPT SMP ARM +Modules linked in: +CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.8.0-rc5 #3133 +Hardware name: Samsung Exynos (Flattened Device Tree) +Workqueue: events deferred_probe_work_func +PC is at usb_del_gadget_udc+0x38/0xc4 +LR is at __mutex_lock+0x31c/0xb18 +... +Process kworker/0:1 (pid: 12, stack limit = 0x(ptrval)) +Stack: (0xef121db0 to 0xef122000) +... +[] (usb_del_gadget_udc) from [] (dwc2_hsotg_remove+0x10/0x20) +[] (dwc2_hsotg_remove) from [] (dwc2_driver_probe+0x57c/0x69c) +[] (dwc2_driver_probe) from [] (platform_drv_probe+0x6c/0xa4) +[] (platform_drv_probe) from [] (really_probe+0x200/0x48c) +[] (really_probe) from [] (driver_probe_device+0x78/0x1fc) +[] (driver_probe_device) from [] (bus_for_each_drv+0x74/0xb8) +[] (bus_for_each_drv) from [] (__device_attach+0xd4/0x16c) +[] (__device_attach) from [] (bus_probe_device+0x88/0x90) +[] (bus_probe_device) from [] (deferred_probe_work_func+0x3c/0xd0) +[] (deferred_probe_work_func) from [] (process_one_work+0x234/0x7dc) +[] (process_one_work) from [] (worker_thread+0x44/0x51c) +[] (worker_thread) from [] (kthread+0x158/0x1a0) +[] (kthread) from [] (ret_from_fork+0x14/0x20) +Exception stack(0xef121fb0 to 0xef121ff8) +... +---[ end trace 9724c2fc7cc9c982 ]--- + +While fixing this also fix the double call to dwc2_lowlevel_hw_disable() +if dr_mode is set to USB_DR_MODE_PERIPHERAL. In such case low-level +hardware is already disabled before calling usb_add_gadget_udc(). That +function correctly preserves low-level hardware state, there is no need +for the second unconditional dwc2_lowlevel_hw_disable() call. + +Fixes: 207324a321a8 ("usb: dwc2: Postponed gadget registration to the udc class driver") +Acked-by: Minas Harutyunyan +Signed-off-by: Marek Szyprowski +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc2/platform.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/dwc2/platform.c b/drivers/usb/dwc2/platform.c +index 5e554b1d5a8f9..d9fafd6a7927f 100644 +--- a/drivers/usb/dwc2/platform.c ++++ b/drivers/usb/dwc2/platform.c +@@ -458,6 +458,7 @@ static int dwc2_driver_probe(struct platform_device *dev) + if (hsotg->gadget_enabled) { + retval = usb_add_gadget_udc(hsotg->dev, &hsotg->gadget); + if (retval) { ++ hsotg->gadget.udc = NULL; + dwc2_hsotg_remove(hsotg); + goto error; + } +@@ -466,7 +467,8 @@ static int dwc2_driver_probe(struct platform_device *dev) + return 0; + + error: +- dwc2_lowlevel_hw_disable(hsotg); ++ if (hsotg->dr_mode != USB_DR_MODE_PERIPHERAL) ++ dwc2_lowlevel_hw_disable(hsotg); + return retval; + } + +-- +2.25.1 + diff --git a/queue-4.4/usb-gadget-net2280-fix-memory-leak-on-probe-error-ha.patch b/queue-4.4/usb-gadget-net2280-fix-memory-leak-on-probe-error-ha.patch new file mode 100644 index 00000000000..c085a9a06fe --- /dev/null +++ b/queue-4.4/usb-gadget-net2280-fix-memory-leak-on-probe-error-ha.patch @@ -0,0 +1,42 @@ +From a1a7209b7f4f87b97ae456adfa829b590c358aed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Jul 2020 23:15:58 +0300 +Subject: usb: gadget: net2280: fix memory leak on probe error handling paths + +From: Evgeny Novikov + +[ Upstream commit 2468c877da428ebfd701142c4cdfefcfb7d4c00e ] + +Driver does not release memory for device on error handling paths in +net2280_probe() when gadget_release() is not registered yet. + +The patch fixes the bug like in other similar drivers. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Evgeny Novikov +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/net2280.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/udc/net2280.c b/drivers/usb/gadget/udc/net2280.c +index 3a8d056a5d16b..48dd0da21e2b4 100644 +--- a/drivers/usb/gadget/udc/net2280.c ++++ b/drivers/usb/gadget/udc/net2280.c +@@ -3712,8 +3712,10 @@ static int net2280_probe(struct pci_dev *pdev, const struct pci_device_id *id) + return 0; + + done: +- if (dev) ++ if (dev) { + net2280_remove(pdev); ++ kfree(dev); ++ } + return retval; + } + +-- +2.25.1 + diff --git a/queue-4.4/video-fbdev-neofb-fix-memory-leak-in-neo_scan_monito.patch b/queue-4.4/video-fbdev-neofb-fix-memory-leak-in-neo_scan_monito.patch new file mode 100644 index 00000000000..a730f2647ca --- /dev/null +++ b/queue-4.4/video-fbdev-neofb-fix-memory-leak-in-neo_scan_monito.patch @@ -0,0 +1,46 @@ +From 5604444e09b84883303411e7988a9837cbabb335 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jun 2020 22:54:51 +0300 +Subject: video: fbdev: neofb: fix memory leak in neo_scan_monitor() + +From: Evgeny Novikov + +[ Upstream commit edcb3895a751c762a18d25c8d9846ce9759ed7e1 ] + +neofb_probe() calls neo_scan_monitor() that can successfully allocate a +memory for info->monspecs.modedb and proceed to case 0x03. There it does +not free the memory and returns -1. neofb_probe() goes to label +err_scan_monitor, thus, it does not free this memory through calling +fb_destroy_modedb() as well. We can not go to label err_init_hw since +neo_scan_monitor() can fail during memory allocation. So, the patch frees +the memory directly for case 0x03. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Evgeny Novikov +Cc: Jani Nikula +Cc: Mike Rapoport +Cc: Daniel Vetter +Cc: Andrew Morton +Signed-off-by: Bartlomiej Zolnierkiewicz +Link: https://patchwork.freedesktop.org/patch/msgid/20200630195451.18675-1-novikov@ispras.ru +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/neofb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/video/fbdev/neofb.c b/drivers/video/fbdev/neofb.c +index db023a97d1eae..e243254a57214 100644 +--- a/drivers/video/fbdev/neofb.c ++++ b/drivers/video/fbdev/neofb.c +@@ -1820,6 +1820,7 @@ static int neo_scan_monitor(struct fb_info *info) + #else + printk(KERN_ERR + "neofb: Only 640x480, 800x600/480 and 1024x768 panels are currently supported\n"); ++ kfree(info->monspecs.modedb); + return -1; + #endif + default: +-- +2.25.1 + diff --git a/queue-4.4/video-fbdev-sm712fb-fix-an-issue-about-iounmap-for-a.patch b/queue-4.4/video-fbdev-sm712fb-fix-an-issue-about-iounmap-for-a.patch new file mode 100644 index 00000000000..45aa1abb61a --- /dev/null +++ b/queue-4.4/video-fbdev-sm712fb-fix-an-issue-about-iounmap-for-a.patch @@ -0,0 +1,42 @@ +From d0473aaf1154dc613c2a0275b7d3def85eb6ef16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Apr 2020 00:07:19 +0800 +Subject: video: fbdev: sm712fb: fix an issue about iounmap for a wrong address + +From: Dejin Zheng + +[ Upstream commit 98bd4f72988646c35569e1e838c0ab80d06c77f6 ] + +the sfb->fb->screen_base is not save the value get by iounmap() when +the chip id is 0x720. so iounmap() for address sfb->fb->screen_base +is not right. + +Fixes: 1461d6672864854 ("staging: sm7xxfb: merge sm712fb with fbdev") +Cc: Andy Shevchenko +Cc: Sudip Mukherjee +Cc: Teddy Wang +Cc: Greg Kroah-Hartman +Signed-off-by: Dejin Zheng +Signed-off-by: Bartlomiej Zolnierkiewicz +Link: https://patchwork.freedesktop.org/patch/msgid/20200422160719.27763-1-zhengdejin5@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/sm712fb.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/video/fbdev/sm712fb.c b/drivers/video/fbdev/sm712fb.c +index 589ac7e754130..c8ee58e0ae3ec 100644 +--- a/drivers/video/fbdev/sm712fb.c ++++ b/drivers/video/fbdev/sm712fb.c +@@ -1428,6 +1428,8 @@ static int smtc_map_smem(struct smtcfb_info *sfb, + static void smtc_unmap_smem(struct smtcfb_info *sfb) + { + if (sfb && sfb->fb->screen_base) { ++ if (sfb->chip_id == 0x720) ++ sfb->fb->screen_base -= 0x00200000; + iounmap(sfb->fb->screen_base); + sfb->fb->screen_base = NULL; + } +-- +2.25.1 + diff --git a/queue-4.4/wl1251-fix-always-return-0-error.patch b/queue-4.4/wl1251-fix-always-return-0-error.patch new file mode 100644 index 00000000000..009596f3229 --- /dev/null +++ b/queue-4.4/wl1251-fix-always-return-0-error.patch @@ -0,0 +1,38 @@ +From 89c1ab06f6747364f30b4fd96453b38abf557e1a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jul 2020 15:39:39 +0800 +Subject: wl1251: fix always return 0 error + +From: Wang Hai + +[ Upstream commit 20e6421344b5bc2f97b8e2db47b6994368417904 ] + +wl1251_event_ps_report() should not always return 0 because +wl1251_ps_set_mode() may fail. Change it to return 'ret'. + +Fixes: f7ad1eed4d4b ("wl1251: retry power save entry") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200730073939.33704-1-wanghai38@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ti/wl1251/event.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ti/wl1251/event.c b/drivers/net/wireless/ti/wl1251/event.c +index c98630394a1a2..26bf3e2b750d6 100644 +--- a/drivers/net/wireless/ti/wl1251/event.c ++++ b/drivers/net/wireless/ti/wl1251/event.c +@@ -80,7 +80,7 @@ static int wl1251_event_ps_report(struct wl1251 *wl, + break; + } + +- return 0; ++ return ret; + } + + static void wl1251_event_mbox_dump(struct event_mailbox *mbox) +-- +2.25.1 +