From: Sasha Levin Date: Mon, 26 Oct 2020 04:58:13 +0000 (-0400) Subject: Fixes for 4.19 X-Git-Tag: v4.4.241~25 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9c03406fbd3876f62e1597afd2cb08c9f96066d0;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/alsa-seq-oss-avoid-mutex-lock-for-a-long-time-ioctl.patch b/queue-4.19/alsa-seq-oss-avoid-mutex-lock-for-a-long-time-ioctl.patch new file mode 100644 index 00000000000..27a14d29737 --- /dev/null +++ b/queue-4.19/alsa-seq-oss-avoid-mutex-lock-for-a-long-time-ioctl.patch @@ -0,0 +1,51 @@ +From e90d6ff171ae80d173b8e58fe18e22eb222ef50f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Sep 2020 10:38:56 +0200 +Subject: ALSA: seq: oss: Avoid mutex lock for a long-time ioctl + +From: Takashi Iwai + +[ Upstream commit 2759caad2600d503c3b0ed800e7e03d2cd7a4c05 ] + +Recently we applied a fix to cover the whole OSS sequencer ioctls with +the mutex for dealing with the possible races. This works fine in +general, but in theory, this may lead to unexpectedly long stall if an +ioctl like SNDCTL_SEQ_SYNC is issued and an event with the far future +timestamp was queued. + +For fixing such a potential stall, this patch changes the mutex lock +applied conditionally excluding such an ioctl command. Also, change +the mutex_lock() with the interruptible version for user to allow +escaping from the big-hammer mutex. + +Fixes: 80982c7e834e ("ALSA: seq: oss: Serialize ioctls") +Suggested-by: Pavel Machek +Link: https://lore.kernel.org/r/20200922083856.28572-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/seq/oss/seq_oss.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/sound/core/seq/oss/seq_oss.c b/sound/core/seq/oss/seq_oss.c +index ed5bca0db3e73..f4a9d9972330b 100644 +--- a/sound/core/seq/oss/seq_oss.c ++++ b/sound/core/seq/oss/seq_oss.c +@@ -187,9 +187,12 @@ odev_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + if (snd_BUG_ON(!dp)) + return -ENXIO; + +- mutex_lock(®ister_mutex); ++ if (cmd != SNDCTL_SEQ_SYNC && ++ mutex_lock_interruptible(®ister_mutex)) ++ return -ERESTARTSYS; + rc = snd_seq_oss_ioctl(dp, cmd, arg); +- mutex_unlock(®ister_mutex); ++ if (cmd != SNDCTL_SEQ_SYNC) ++ mutex_unlock(®ister_mutex); + return rc; + } + +-- +2.25.1 + diff --git a/queue-4.19/arc-plat-hsdk-fix-kconfig-dependency-warning-when-re.patch b/queue-4.19/arc-plat-hsdk-fix-kconfig-dependency-warning-when-re.patch new file mode 100644 index 00000000000..3e393c698e9 --- /dev/null +++ b/queue-4.19/arc-plat-hsdk-fix-kconfig-dependency-warning-when-re.patch @@ -0,0 +1,45 @@ +From a4603eb4e3c549b1f4c85ff9b9be2f9ea8ee177a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Sep 2020 14:46:52 +0300 +Subject: arc: plat-hsdk: fix kconfig dependency warning when !RESET_CONTROLLER + +From: Necip Fazil Yildiran + +[ Upstream commit 63bcf87cb1c57956e1179f1a78dde625c7e3cba7 ] + +When ARC_SOC_HSDK is enabled and RESET_CONTROLLER is disabled, it results +in the following Kbuild warning: + +WARNING: unmet direct dependencies detected for RESET_HSDK + Depends on [n]: RESET_CONTROLLER [=n] && HAS_IOMEM [=y] && (ARC_SOC_HSDK [=y] || COMPILE_TEST [=n]) + Selected by [y]: + - ARC_SOC_HSDK [=y] && ISA_ARCV2 [=y] + +The reason is that ARC_SOC_HSDK selects RESET_HSDK without depending on or +selecting RESET_CONTROLLER while RESET_HSDK is subordinate to +RESET_CONTROLLER. + +Honor the kconfig menu hierarchy to remove kconfig dependency warnings. + +Fixes: a528629dfd3b ("ARC: [plat-hsdk] select CONFIG_RESET_HSDK from Kconfig") +Signed-off-by: Necip Fazil Yildiran +Signed-off-by: Vineet Gupta +Signed-off-by: Sasha Levin +--- + arch/arc/plat-hsdk/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arc/plat-hsdk/Kconfig b/arch/arc/plat-hsdk/Kconfig +index c285a83cbf08f..df35ea1912e8b 100644 +--- a/arch/arc/plat-hsdk/Kconfig ++++ b/arch/arc/plat-hsdk/Kconfig +@@ -11,5 +11,6 @@ menuconfig ARC_SOC_HSDK + select ARC_HAS_ACCL_REGS + select ARC_IRQ_NO_AUTOSAVE + select CLK_HSDK ++ select RESET_CONTROLLER + select RESET_HSDK + select MIGHT_HAVE_PCI +-- +2.25.1 + diff --git a/queue-4.19/arm-9007-1-l2c-fix-prefetch-bits-init-in-l2x0_aux_ct.patch b/queue-4.19/arm-9007-1-l2c-fix-prefetch-bits-init-in-l2x0_aux_ct.patch new file mode 100644 index 00000000000..cb890b6addf --- /dev/null +++ b/queue-4.19/arm-9007-1-l2c-fix-prefetch-bits-init-in-l2x0_aux_ct.patch @@ -0,0 +1,68 @@ +From 4907d814c69a51fd3648f0754b616a5ec69b2424 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Sep 2020 16:58:06 +0100 +Subject: ARM: 9007/1: l2c: fix prefetch bits init in L2X0_AUX_CTRL using DT + values + +From: Guillaume Tucker + +[ Upstream commit 8e007b367a59bcdf484c81f6df9bd5a4cc179ca6 ] + +The L310_PREFETCH_CTRL register bits 28 and 29 to enable data and +instruction prefetch respectively can also be accessed via the +L2X0_AUX_CTRL register. They appear to be actually wired together in +hardware between the registers. Changing them in the prefetch +register only will get undone when restoring the aux control register +later on. For this reason, set these bits in both registers during +initialisation according to the devicetree property values. + +Link: https://lore.kernel.org/lkml/76f2f3ad5e77e356e0a5b99ceee1e774a2842c25.1597061474.git.guillaume.tucker@collabora.com/ + +Fixes: ec3bd0e68a67 ("ARM: 8391/1: l2c: add options to overwrite prefetching behavior") +Signed-off-by: Guillaume Tucker +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/mm/cache-l2x0.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/arch/arm/mm/cache-l2x0.c b/arch/arm/mm/cache-l2x0.c +index 808efbb89b88c..02f613def40dc 100644 +--- a/arch/arm/mm/cache-l2x0.c ++++ b/arch/arm/mm/cache-l2x0.c +@@ -1261,20 +1261,28 @@ static void __init l2c310_of_parse(const struct device_node *np, + + ret = of_property_read_u32(np, "prefetch-data", &val); + if (ret == 0) { +- if (val) ++ if (val) { + prefetch |= L310_PREFETCH_CTRL_DATA_PREFETCH; +- else ++ *aux_val |= L310_PREFETCH_CTRL_DATA_PREFETCH; ++ } else { + prefetch &= ~L310_PREFETCH_CTRL_DATA_PREFETCH; ++ *aux_val &= ~L310_PREFETCH_CTRL_DATA_PREFETCH; ++ } ++ *aux_mask &= ~L310_PREFETCH_CTRL_DATA_PREFETCH; + } else if (ret != -EINVAL) { + pr_err("L2C-310 OF prefetch-data property value is missing\n"); + } + + ret = of_property_read_u32(np, "prefetch-instr", &val); + if (ret == 0) { +- if (val) ++ if (val) { + prefetch |= L310_PREFETCH_CTRL_INSTR_PREFETCH; +- else ++ *aux_val |= L310_PREFETCH_CTRL_INSTR_PREFETCH; ++ } else { + prefetch &= ~L310_PREFETCH_CTRL_INSTR_PREFETCH; ++ *aux_val &= ~L310_PREFETCH_CTRL_INSTR_PREFETCH; ++ } ++ *aux_mask &= ~L310_PREFETCH_CTRL_INSTR_PREFETCH; + } else if (ret != -EINVAL) { + pr_err("L2C-310 OF prefetch-instr property value is missing\n"); + } +-- +2.25.1 + diff --git a/queue-4.19/arm-dts-imx6sl-fix-rng-node.patch b/queue-4.19/arm-dts-imx6sl-fix-rng-node.patch new file mode 100644 index 00000000000..9c5e71e938b --- /dev/null +++ b/queue-4.19/arm-dts-imx6sl-fix-rng-node.patch @@ -0,0 +1,45 @@ +From 6f4e8a9996ecb62d329cbbb1b774eb417f8c94d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Jul 2020 18:26:01 +0300 +Subject: ARM: dts: imx6sl: fix rng node +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Horia Geantă + +[ Upstream commit 82ffb35c2ce63ef8e0325f75eb48022abcf8edbe ] + +rng DT node was added without a compatible string. + +i.MX driver for RNGC (drivers/char/hw_random/imx-rngc.c) also claims +support for RNGB, and is currently used for i.MX25. + +Let's use this driver also for RNGB block in i.MX6SL. + +Fixes: e29fe21cff96 ("ARM: dts: add device tree source for imx6sl SoC") +Signed-off-by: Horia Geantă +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6sl.dtsi | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm/boot/dts/imx6sl.dtsi b/arch/arm/boot/dts/imx6sl.dtsi +index 55d1872aa81a8..9d19183f40e15 100644 +--- a/arch/arm/boot/dts/imx6sl.dtsi ++++ b/arch/arm/boot/dts/imx6sl.dtsi +@@ -922,8 +922,10 @@ mmdc: mmdc@21b0000 { + }; + + rngb: rngb@21b4000 { ++ compatible = "fsl,imx6sl-rngb", "fsl,imx25-rngb"; + reg = <0x021b4000 0x4000>; + interrupts = <0 5 IRQ_TYPE_LEVEL_HIGH>; ++ clocks = <&clks IMX6SL_CLK_DUMMY>; + }; + + weim: weim@21b8000 { +-- +2.25.1 + diff --git a/queue-4.19/arm-dts-owl-s500-fix-incorrect-ppi-interrupt-specifi.patch b/queue-4.19/arm-dts-owl-s500-fix-incorrect-ppi-interrupt-specifi.patch new file mode 100644 index 00000000000..7321685808f --- /dev/null +++ b/queue-4.19/arm-dts-owl-s500-fix-incorrect-ppi-interrupt-specifi.patch @@ -0,0 +1,53 @@ +From 1e8c8ff543b8c19e751c4c825cf6f9816cf3c354 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Aug 2020 16:53:17 +0300 +Subject: ARM: dts: owl-s500: Fix incorrect PPI interrupt specifiers + +From: Cristian Ciocaltea + +[ Upstream commit 55f6c9931f7c32f19cf221211f099dfd8dab3af9 ] + +The PPI interrupts for cortex-a9 were incorrectly specified, fix them. + +Fixes: fdfe7f4f9d85 ("ARM: dts: Add Actions Semi S500 and LeMaker Guitar") +Signed-off-by: Cristian Ciocaltea +Reviewed-by: Peter Korsgaard +Reviewed-by: Manivannan Sadhasivam +Signed-off-by: Manivannan Sadhasivam +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/owl-s500.dtsi | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/boot/dts/owl-s500.dtsi b/arch/arm/boot/dts/owl-s500.dtsi +index 43c9980a4260c..75a76842c2700 100644 +--- a/arch/arm/boot/dts/owl-s500.dtsi ++++ b/arch/arm/boot/dts/owl-s500.dtsi +@@ -85,21 +85,21 @@ scu: scu@b0020000 { + global_timer: timer@b0020200 { + compatible = "arm,cortex-a9-global-timer"; + reg = <0xb0020200 0x100>; +- interrupts = ; ++ interrupts = ; + status = "disabled"; + }; + + twd_timer: timer@b0020600 { + compatible = "arm,cortex-a9-twd-timer"; + reg = <0xb0020600 0x20>; +- interrupts = ; ++ interrupts = ; + status = "disabled"; + }; + + twd_wdt: wdt@b0020620 { + compatible = "arm,cortex-a9-twd-wdt"; + reg = <0xb0020620 0xe0>; +- interrupts = ; ++ interrupts = ; + status = "disabled"; + }; + +-- +2.25.1 + diff --git a/queue-4.19/arm-dts-sun8i-r40-bananapi-m2-ultra-fix-dcdc1-regula.patch b/queue-4.19/arm-dts-sun8i-r40-bananapi-m2-ultra-fix-dcdc1-regula.patch new file mode 100644 index 00000000000..d4e599167a3 --- /dev/null +++ b/queue-4.19/arm-dts-sun8i-r40-bananapi-m2-ultra-fix-dcdc1-regula.patch @@ -0,0 +1,54 @@ +From cef77db706318f37f952b8692ad72a660bd311b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Aug 2020 21:36:49 +0200 +Subject: ARM: dts: sun8i: r40: bananapi-m2-ultra: Fix dcdc1 regulator + +From: Jernej Skrabec + +[ Upstream commit 3658a2b7f3e16c7053eb8d70657b94bb62c5a0f4 ] + +DCDC1 regulator powers many different subsystems. While some of them can +work at 3.0 V, some of them can not. For example, VCC-HDMI can only work +between 3.24 V and 3.36 V. According to OS images provided by the board +manufacturer this regulator should be set to 3.3 V. + +Set DCDC1 and DCDC1SW to 3.3 V in order to fix this. + +Fixes: da7ac948fa93 ("ARM: dts: sun8i: Add board dts file for Banana Pi M2 Ultra") +Signed-off-by: Jernej Skrabec +Signed-off-by: Maxime Ripard +Link: https://lore.kernel.org/r/20200824193649.978197-1-jernej.skrabec@siol.net +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/sun8i-r40-bananapi-m2-ultra.dts | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/arch/arm/boot/dts/sun8i-r40-bananapi-m2-ultra.dts b/arch/arm/boot/dts/sun8i-r40-bananapi-m2-ultra.dts +index c39b9169ea641..b2a773a718e16 100644 +--- a/arch/arm/boot/dts/sun8i-r40-bananapi-m2-ultra.dts ++++ b/arch/arm/boot/dts/sun8i-r40-bananapi-m2-ultra.dts +@@ -206,16 +206,16 @@ ®_aldo3 { + }; + + ®_dc1sw { +- regulator-min-microvolt = <3000000>; +- regulator-max-microvolt = <3000000>; ++ regulator-min-microvolt = <3300000>; ++ regulator-max-microvolt = <3300000>; + regulator-name = "vcc-gmac-phy"; + }; + + ®_dcdc1 { + regulator-always-on; +- regulator-min-microvolt = <3000000>; +- regulator-max-microvolt = <3000000>; +- regulator-name = "vcc-3v0"; ++ regulator-min-microvolt = <3300000>; ++ regulator-max-microvolt = <3300000>; ++ regulator-name = "vcc-3v3"; + }; + + ®_dcdc2 { +-- +2.25.1 + diff --git a/queue-4.19/arm64-dts-qcom-msm8916-fix-mdp-dsi-interrupts.patch b/queue-4.19/arm64-dts-qcom-msm8916-fix-mdp-dsi-interrupts.patch new file mode 100644 index 00000000000..a02b33b7095 --- /dev/null +++ b/queue-4.19/arm64-dts-qcom-msm8916-fix-mdp-dsi-interrupts.patch @@ -0,0 +1,54 @@ +From bec8a8a45430577882917d925df9430d1302bf1f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 09:12:11 +0200 +Subject: arm64: dts: qcom: msm8916: Fix MDP/DSI interrupts + +From: Stephan Gerhold + +[ Upstream commit 027cca9eb5b450c3f6bb916ba999144c2ec23cb7 ] + +The mdss node sets #interrupt-cells = <1>, so its interrupts +should be referenced using a single cell (in this case: only the +interrupt number). + +However, right now the mdp/dsi node both have two interrupt cells +set, e.g. interrupts = <4 0>. The 0 is probably meant to say +IRQ_TYPE_NONE (= 0), but with #interrupt-cells = <1> this is +actually interpreted as a second interrupt line. + +Remove the IRQ flags from both interrupts to fix this. + +Fixes: 305410ffd1b2 ("arm64: dts: msm8916: Add display support") +Signed-off-by: Stephan Gerhold +Link: https://lore.kernel.org/r/20200915071221.72895-5-stephan@gerhold.net +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/msm8916.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/msm8916.dtsi b/arch/arm64/boot/dts/qcom/msm8916.dtsi +index 8011e564a234b..2c5193ae20277 100644 +--- a/arch/arm64/boot/dts/qcom/msm8916.dtsi ++++ b/arch/arm64/boot/dts/qcom/msm8916.dtsi +@@ -877,7 +877,7 @@ mdp: mdp@1a01000 { + reg-names = "mdp_phys"; + + interrupt-parent = <&mdss>; +- interrupts = <0 0>; ++ interrupts = <0>; + + clocks = <&gcc GCC_MDSS_AHB_CLK>, + <&gcc GCC_MDSS_AXI_CLK>, +@@ -909,7 +909,7 @@ dsi0: dsi@1a98000 { + reg-names = "dsi_ctrl"; + + interrupt-parent = <&mdss>; +- interrupts = <4 0>; ++ interrupts = <4>; + + assigned-clocks = <&gcc BYTE0_CLK_SRC>, + <&gcc PCLK0_CLK_SRC>; +-- +2.25.1 + diff --git a/queue-4.19/arm64-dts-qcom-pm8916-remove-invalid-reg-size-from-w.patch b/queue-4.19/arm64-dts-qcom-pm8916-remove-invalid-reg-size-from-w.patch new file mode 100644 index 00000000000..a7988e6587b --- /dev/null +++ b/queue-4.19/arm64-dts-qcom-pm8916-remove-invalid-reg-size-from-w.patch @@ -0,0 +1,48 @@ +From 02ad4271fcaa83ac6d98af467a4ff1e185440553 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 09:12:10 +0200 +Subject: arm64: dts: qcom: pm8916: Remove invalid reg size from wcd_codec + +From: Stephan Gerhold + +[ Upstream commit c2f0cbb57dbac6da3d38b47b5b96de0fe4e23884 ] + +Tha parent node of "wcd_codec" specifies #address-cells = <1> +and #size-cells = <0>, which means that each resource should be +described by one cell for the address and size omitted. + +However, wcd_codec currently lists 0x200 as second cell (probably +the size of the resource). When parsing this would be treated like +another memory resource - which is entirely wrong. + +To quote the device tree specification [1]: + "If the parent node specifies a value of 0 for #size-cells, + the length field in the value of reg shall be omitted." + +[1]: https://www.devicetree.org/specifications/ + +Fixes: 5582fcb3829f ("arm64: dts: apq8016-sbc: add analog audio support with multicodec") +Signed-off-by: Stephan Gerhold +Link: https://lore.kernel.org/r/20200915071221.72895-4-stephan@gerhold.net +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/pm8916.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/pm8916.dtsi b/arch/arm64/boot/dts/qcom/pm8916.dtsi +index 196b1c0ceb9b0..b968afa8da175 100644 +--- a/arch/arm64/boot/dts/qcom/pm8916.dtsi ++++ b/arch/arm64/boot/dts/qcom/pm8916.dtsi +@@ -99,7 +99,7 @@ pm8916_1: pm8916@1 { + + wcd_codec: codec@f000 { + compatible = "qcom,pm8916-wcd-analog-codec"; +- reg = <0xf000 0x200>; ++ reg = <0xf000>; + reg-names = "pmic-codec-core"; + clocks = <&gcc GCC_CODEC_DIGCODEC_CLK>; + clock-names = "mclk"; +-- +2.25.1 + diff --git a/queue-4.19/arm64-dts-zynqmp-remove-additional-compatible-string.patch b/queue-4.19/arm64-dts-zynqmp-remove-additional-compatible-string.patch new file mode 100644 index 00000000000..fcef845ef78 --- /dev/null +++ b/queue-4.19/arm64-dts-zynqmp-remove-additional-compatible-string.patch @@ -0,0 +1,60 @@ +From 1e92185a81dbb82262583c3d0b0ab970c32ee36d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Aug 2020 10:59:14 +0200 +Subject: arm64: dts: zynqmp: Remove additional compatible string for i2c IPs + +From: Michal Simek + +[ Upstream commit 35292518cb0a626fcdcabf739aed75060a018ab5 ] + +DT binding permits only one compatible string which was decribed in past by +commit 63cab195bf49 ("i2c: removed work arounds in i2c driver for Zynq +Ultrascale+ MPSoC"). +The commit aea37006e183 ("dt-bindings: i2c: cadence: Migrate i2c-cadence +documentation to YAML") has converted binding to yaml and the following +issues is reported: +...: i2c@ff030000: compatible: Additional items are not allowed +('cdns,i2c-r1p10' was unexpected) + From schema: +.../Documentation/devicetree/bindings/i2c/cdns,i2c-r1p10.yaml fds +...: i2c@ff030000: compatible: ['cdns,i2c-r1p14', 'cdns,i2c-r1p10'] is too +long + +The commit c415f9e8304a ("ARM64: zynqmp: Fix i2c node's compatible string") +has added the second compatible string but without removing origin one. +The patch is only keeping one compatible string "cdns,i2c-r1p14". + +Fixes: c415f9e8304a ("ARM64: zynqmp: Fix i2c node's compatible string") +Signed-off-by: Michal Simek +Link: https://lore.kernel.org/r/cc294ae1a79ef845af6809ddb4049f0c0f5bb87a.1598259551.git.michal.simek@xilinx.com +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/xilinx/zynqmp.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/xilinx/zynqmp.dtsi b/arch/arm64/boot/dts/xilinx/zynqmp.dtsi +index a516c0e01429a..8a885ae647b7e 100644 +--- a/arch/arm64/boot/dts/xilinx/zynqmp.dtsi ++++ b/arch/arm64/boot/dts/xilinx/zynqmp.dtsi +@@ -411,7 +411,7 @@ gpio: gpio@ff0a0000 { + }; + + i2c0: i2c@ff020000 { +- compatible = "cdns,i2c-r1p14", "cdns,i2c-r1p10"; ++ compatible = "cdns,i2c-r1p14"; + status = "disabled"; + interrupt-parent = <&gic>; + interrupts = <0 17 4>; +@@ -421,7 +421,7 @@ i2c0: i2c@ff020000 { + }; + + i2c1: i2c@ff030000 { +- compatible = "cdns,i2c-r1p14", "cdns,i2c-r1p10"; ++ compatible = "cdns,i2c-r1p14"; + status = "disabled"; + interrupt-parent = <&gic>; + interrupts = <0 18 4>; +-- +2.25.1 + diff --git a/queue-4.19/asoc-qcom-lpass-cpu-fix-concurrency-issue.patch b/queue-4.19/asoc-qcom-lpass-cpu-fix-concurrency-issue.patch new file mode 100644 index 00000000000..8f473f3d783 --- /dev/null +++ b/queue-4.19/asoc-qcom-lpass-cpu-fix-concurrency-issue.patch @@ -0,0 +1,62 @@ +From d8861794462c062941ee1e3228a8ac143c61b517 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Aug 2020 16:23:02 +0530 +Subject: ASoC: qcom: lpass-cpu: fix concurrency issue + +From: Rohit kumar + +[ Upstream commit 753a6e17942f6f425ca622e1610625998312ad89 ] + +i2sctl register value is set to 0 during hw_free(). This +impacts any ongoing concurrent session on the same i2s +port. As trigger() stop already resets enable bit to 0, +there is no need of explicit hw_free. Removing it to +fix the issue. + +Fixes: 80beab8e1d86 ("ASoC: qcom: Add LPASS CPU DAI driver") +Signed-off-by: Rohit kumar +Reviewed-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/1597402388-14112-7-git-send-email-rohitkr@codeaurora.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/qcom/lpass-cpu.c | 16 ---------------- + 1 file changed, 16 deletions(-) + +diff --git a/sound/soc/qcom/lpass-cpu.c b/sound/soc/qcom/lpass-cpu.c +index 292b103abada9..475579a9830a3 100644 +--- a/sound/soc/qcom/lpass-cpu.c ++++ b/sound/soc/qcom/lpass-cpu.c +@@ -182,21 +182,6 @@ static int lpass_cpu_daiops_hw_params(struct snd_pcm_substream *substream, + return 0; + } + +-static int lpass_cpu_daiops_hw_free(struct snd_pcm_substream *substream, +- struct snd_soc_dai *dai) +-{ +- struct lpass_data *drvdata = snd_soc_dai_get_drvdata(dai); +- int ret; +- +- ret = regmap_write(drvdata->lpaif_map, +- LPAIF_I2SCTL_REG(drvdata->variant, dai->driver->id), +- 0); +- if (ret) +- dev_err(dai->dev, "error writing to i2sctl reg: %d\n", ret); +- +- return ret; +-} +- + static int lpass_cpu_daiops_prepare(struct snd_pcm_substream *substream, + struct snd_soc_dai *dai) + { +@@ -277,7 +262,6 @@ const struct snd_soc_dai_ops asoc_qcom_lpass_cpu_dai_ops = { + .startup = lpass_cpu_daiops_startup, + .shutdown = lpass_cpu_daiops_shutdown, + .hw_params = lpass_cpu_daiops_hw_params, +- .hw_free = lpass_cpu_daiops_hw_free, + .prepare = lpass_cpu_daiops_prepare, + .trigger = lpass_cpu_daiops_trigger, + }; +-- +2.25.1 + diff --git a/queue-4.19/asoc-qcom-lpass-platform-fix-memory-leak.patch b/queue-4.19/asoc-qcom-lpass-platform-fix-memory-leak.patch new file mode 100644 index 00000000000..94446bcb4f7 --- /dev/null +++ b/queue-4.19/asoc-qcom-lpass-platform-fix-memory-leak.patch @@ -0,0 +1,46 @@ +From f5ac3a17feadf711ebfc12b2dccf08f1dfa40e14 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Aug 2020 16:23:00 +0530 +Subject: ASoC: qcom: lpass-platform: fix memory leak + +From: Rohit kumar + +[ Upstream commit 5fd188215d4eb52703600d8986b22311099a5940 ] + +lpass_pcm_data is never freed. Free it in close +ops to avoid memory leak. + +Fixes: 022d00ee0b55 ("ASoC: lpass-platform: Fix broken pcm data usage") +Signed-off-by: Rohit kumar +Reviewed-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/1597402388-14112-5-git-send-email-rohitkr@codeaurora.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/qcom/lpass-platform.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/qcom/lpass-platform.c b/sound/soc/qcom/lpass-platform.c +index d07271ea4c451..2f29672477892 100644 +--- a/sound/soc/qcom/lpass-platform.c ++++ b/sound/soc/qcom/lpass-platform.c +@@ -69,7 +69,7 @@ static int lpass_platform_pcmops_open(struct snd_pcm_substream *substream) + int ret, dma_ch, dir = substream->stream; + struct lpass_pcm_data *data; + +- data = devm_kzalloc(soc_runtime->dev, sizeof(*data), GFP_KERNEL); ++ data = kzalloc(sizeof(*data), GFP_KERNEL); + if (!data) + return -ENOMEM; + +@@ -127,6 +127,7 @@ static int lpass_platform_pcmops_close(struct snd_pcm_substream *substream) + if (v->free_dma_channel) + v->free_dma_channel(drvdata, data->dma_ch); + ++ kfree(data); + return 0; + } + +-- +2.25.1 + diff --git a/queue-4.19/ath10k-check-idx-validity-in-__ath10k_htt_rx_ring_fi.patch b/queue-4.19/ath10k-check-idx-validity-in-__ath10k_htt_rx_ring_fi.patch new file mode 100644 index 00000000000..5ee34ce5294 --- /dev/null +++ b/queue-4.19/ath10k-check-idx-validity-in-__ath10k_htt_rx_ring_fi.patch @@ -0,0 +1,68 @@ +From fc347839d851b77ca8157417e8d9f703dfe92000 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jun 2020 18:11:05 -0400 +Subject: ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n() + +From: Zekun Shen + +[ Upstream commit bad60b8d1a7194df38fd7fe4b22f3f4dcf775099 ] + +The idx in __ath10k_htt_rx_ring_fill_n function lives in +consistent dma region writable by the device. Malfunctional +or malicious device could manipulate such idx to have a OOB +write. Either by + htt->rx_ring.netbufs_ring[idx] = skb; +or by + ath10k_htt_set_paddrs_ring(htt, paddr, idx); + +The idx can also be negative as it's signed, giving a large +memory space to write to. + +It's possibly exploitable by corruptting a legit pointer with +a skb pointer. And then fill skb with payload as rougue object. + +Part of the log here. Sometimes it appears as UAF when writing +to a freed memory by chance. + + [ 15.594376] BUG: unable to handle page fault for address: ffff887f5c1804f0 + [ 15.595483] #PF: supervisor write access in kernel mode + [ 15.596250] #PF: error_code(0x0002) - not-present page + [ 15.597013] PGD 0 P4D 0 + [ 15.597395] Oops: 0002 [#1] SMP KASAN PTI + [ 15.597967] CPU: 0 PID: 82 Comm: kworker/u2:2 Not tainted 5.6.0 #69 + [ 15.598843] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), + BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 + [ 15.600438] Workqueue: ath10k_wq ath10k_core_register_work [ath10k_core] + [ 15.601389] RIP: 0010:__ath10k_htt_rx_ring_fill_n + (linux/drivers/net/wireless/ath/ath10k/htt_rx.c:173) ath10k_core + +Signed-off-by: Zekun Shen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200623221105.3486-1-bruceshenzk@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/htt_rx.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c +index 03d4cc6f35bcd..7d15f6208b463 100644 +--- a/drivers/net/wireless/ath/ath10k/htt_rx.c ++++ b/drivers/net/wireless/ath/ath10k/htt_rx.c +@@ -153,6 +153,14 @@ static int __ath10k_htt_rx_ring_fill_n(struct ath10k_htt *htt, int num) + BUILD_BUG_ON(HTT_RX_RING_FILL_LEVEL >= HTT_RX_RING_SIZE / 2); + + idx = __le32_to_cpu(*htt->rx_ring.alloc_idx.vaddr); ++ ++ if (idx < 0 || idx >= htt->rx_ring.size) { ++ ath10k_err(htt->ar, "rx ring index is not valid, firmware malfunctioning?\n"); ++ idx &= htt->rx_ring.size_mask; ++ ret = -ENOMEM; ++ goto fail; ++ } ++ + while (num > 0) { + skb = dev_alloc_skb(HTT_RX_BUF_SIZE + HTT_RX_DESC_ALIGN); + if (!skb) { +-- +2.25.1 + diff --git a/queue-4.19/ath10k-fix-the-size-used-in-a-dma_free_coherent-call.patch b/queue-4.19/ath10k-fix-the-size-used-in-a-dma_free_coherent-call.patch new file mode 100644 index 00000000000..ba544f114b3 --- /dev/null +++ b/queue-4.19/ath10k-fix-the-size-used-in-a-dma_free_coherent-call.patch @@ -0,0 +1,39 @@ +From 064659832fcf2f894c2fc181c85299a0477fd18b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 14:22:27 +0200 +Subject: ath10k: Fix the size used in a 'dma_free_coherent()' call in an error + handling path + +From: Christophe JAILLET + +[ Upstream commit 454530a9950b5a26d4998908249564cedfc4babc ] + +Update the size used in 'dma_free_coherent()' in order to match the one +used in the corresponding 'dma_alloc_coherent()'. + +Fixes: 1863008369ae ("ath10k: fix shadow register implementation for WCN3990") +Signed-off-by: Christophe JAILLET +Reviewed-by: Rakesh Pillai +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200802122227.678637-1-christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/ce.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath10k/ce.c b/drivers/net/wireless/ath/ath10k/ce.c +index f761d651c16e7..2276d608bca35 100644 +--- a/drivers/net/wireless/ath/ath10k/ce.c ++++ b/drivers/net/wireless/ath/ath10k/ce.c +@@ -1453,7 +1453,7 @@ ath10k_ce_alloc_src_ring(struct ath10k *ar, unsigned int ce_id, + ret = ath10k_ce_alloc_shadow_base(ar, src_ring, nentries); + if (ret) { + dma_free_coherent(ar->dev, +- (nentries * sizeof(struct ce_desc_64) + ++ (nentries * sizeof(struct ce_desc) + + CE_DESC_RING_ALIGN), + src_ring->base_addr_owner_space_unaligned, + base_addr); +-- +2.25.1 + diff --git a/queue-4.19/ath10k-provide-survey-info-as-accumulated-data.patch b/queue-4.19/ath10k-provide-survey-info-as-accumulated-data.patch new file mode 100644 index 00000000000..5b1092013c5 --- /dev/null +++ b/queue-4.19/ath10k-provide-survey-info-as-accumulated-data.patch @@ -0,0 +1,73 @@ +From 16115629fac1256aa372c6a9a96b0426fd2f3d79 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Jun 2020 20:29:03 +0300 +Subject: ath10k: provide survey info as accumulated data + +From: Venkateswara Naralasetty + +[ Upstream commit 720e5c03e5cb26d33d97f55192b791bb48478aa5 ] + +It is expected that the returned counters by .get_survey are monotonic +increasing. But the data from ath10k gets reset to zero regularly. Channel +active/busy time are then showing incorrect values (less than previous or +sometimes zero) for the currently active channel during successive survey +dump commands. + +example: + + $ iw dev wlan0 survey dump + Survey data from wlan0 + frequency: 5180 MHz [in use] + channel active time: 54995 ms + channel busy time: 432 ms + channel receive time: 0 ms + channel transmit time: 59 ms + ... + + $ iw dev wlan0 survey dump + Survey data from wlan0 + frequency: 5180 MHz [in use] + channel active time: 32592 ms + channel busy time: 254 ms + channel receive time: 0 ms + channel transmit time: 0 ms + ... + +The correct way to handle this is to use the non-clearing +WMI_BSS_SURVEY_REQ_TYPE_READ wmi_bss_survey_req_type. The firmware will +then accumulate the survey data and handle wrap arounds. + +Tested-on: QCA9984 hw1.0 10.4-3.5.3-00057 +Tested-on: QCA988X hw2.0 10.2.4-1.0-00047 +Tested-on: QCA9888 hw2.0 10.4-3.9.0.2-00024 +Tested-on: QCA4019 hw1.0 10.4-3.6-00140 + +Fixes: fa7937e3d5c2 ("ath10k: update bss channel survey information") +Signed-off-by: Venkateswara Naralasetty +Tested-by: Markus Theil +Tested-by: John Deere <24601deerej@gmail.com> +[sven@narfation.org: adjust commit message] +Signed-off-by: Sven Eckelmann +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1592232686-28712-1-git-send-email-kvalo@codeaurora.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/mac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c +index 81af403c19c2a..faaca7fe9ad1e 100644 +--- a/drivers/net/wireless/ath/ath10k/mac.c ++++ b/drivers/net/wireless/ath/ath10k/mac.c +@@ -6862,7 +6862,7 @@ ath10k_mac_update_bss_chan_survey(struct ath10k *ar, + struct ieee80211_channel *channel) + { + int ret; +- enum wmi_bss_survey_req_type type = WMI_BSS_SURVEY_REQ_TYPE_READ_CLEAR; ++ enum wmi_bss_survey_req_type type = WMI_BSS_SURVEY_REQ_TYPE_READ; + + lockdep_assert_held(&ar->conf_mutex); + +-- +2.25.1 + diff --git a/queue-4.19/ath6kl-prevent-potential-array-overflow-in-ath6kl_ad.patch b/queue-4.19/ath6kl-prevent-potential-array-overflow-in-ath6kl_ad.patch new file mode 100644 index 00000000000..e9e39f0d462 --- /dev/null +++ b/queue-4.19/ath6kl-prevent-potential-array-overflow-in-ath6kl_ad.patch @@ -0,0 +1,39 @@ +From cdf81a6a25f2a804ff65baf7453f1bbdae2738db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Aug 2020 17:13:15 +0300 +Subject: ath6kl: prevent potential array overflow in ath6kl_add_new_sta() + +From: Dan Carpenter + +[ Upstream commit 54f9ab7b870934b70e5a21786d951fbcf663970f ] + +The value for "aid" comes from skb->data so Smatch marks it as +untrusted. If it's invalid then it can result in an out of bounds array +access in ath6kl_add_new_sta(). + +Fixes: 572e27c00c9d ("ath6kl: Fix AP mode connect event parsing and TIM updates") +Signed-off-by: Dan Carpenter +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200813141315.GB457408@mwanda +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath6kl/main.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath6kl/main.c b/drivers/net/wireless/ath/ath6kl/main.c +index 0c61dbaa62a41..702c4761006ca 100644 +--- a/drivers/net/wireless/ath/ath6kl/main.c ++++ b/drivers/net/wireless/ath/ath6kl/main.c +@@ -429,6 +429,9 @@ void ath6kl_connect_ap_mode_sta(struct ath6kl_vif *vif, u16 aid, u8 *mac_addr, + + ath6kl_dbg(ATH6KL_DBG_TRC, "new station %pM aid=%d\n", mac_addr, aid); + ++ if (aid < 1 || aid > AP_MAX_NUM_STA) ++ return; ++ + if (assoc_req_len > sizeof(struct ieee80211_hdr_3addr)) { + struct ieee80211_mgmt *mgmt = + (struct ieee80211_mgmt *) assoc_info; +-- +2.25.1 + diff --git a/queue-4.19/ath6kl-wmi-prevent-a-shift-wrapping-bug-in-ath6kl_wm.patch b/queue-4.19/ath6kl-wmi-prevent-a-shift-wrapping-bug-in-ath6kl_wm.patch new file mode 100644 index 00000000000..ac66c2b776e --- /dev/null +++ b/queue-4.19/ath6kl-wmi-prevent-a-shift-wrapping-bug-in-ath6kl_wm.patch @@ -0,0 +1,43 @@ +From 423a443e607b98408fe5abc1e899da9b70ed7cf7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Sep 2020 17:27:32 +0300 +Subject: ath6kl: wmi: prevent a shift wrapping bug in + ath6kl_wmi_delete_pstream_cmd() + +From: Dan Carpenter + +[ Upstream commit 6a950755cec1a90ddaaff3e4acb5333617441c32 ] + +The "tsid" is a user controlled u8 which comes from debugfs. Values +more than 15 are invalid because "active_tsids" is a 16 bit variable. +If the value of "tsid" is more than 31 then that leads to a shift +wrapping bug. + +Fixes: 8fffd9e5ec9e ("ath6kl: Implement support for QOS-enable and QOS-disable from userspace") +Signed-off-by: Dan Carpenter +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200918142732.GA909725@mwanda +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath6kl/wmi.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath6kl/wmi.c b/drivers/net/wireless/ath/ath6kl/wmi.c +index bc7916f2add09..987ebae8ea0e1 100644 +--- a/drivers/net/wireless/ath/ath6kl/wmi.c ++++ b/drivers/net/wireless/ath/ath6kl/wmi.c +@@ -2648,6 +2648,11 @@ int ath6kl_wmi_delete_pstream_cmd(struct wmi *wmi, u8 if_idx, u8 traffic_class, + return -EINVAL; + } + ++ if (tsid >= 16) { ++ ath6kl_err("invalid tsid: %d\n", tsid); ++ return -EINVAL; ++ } ++ + skb = ath6kl_wmi_get_new_buf(sizeof(*cmd)); + if (!skb) + return -ENOMEM; +-- +2.25.1 + diff --git a/queue-4.19/ath9k-fix-potential-out-of-bounds-in-ath9k_htc_txcom.patch b/queue-4.19/ath9k-fix-potential-out-of-bounds-in-ath9k_htc_txcom.patch new file mode 100644 index 00000000000..ba940c2d518 --- /dev/null +++ b/queue-4.19/ath9k-fix-potential-out-of-bounds-in-ath9k_htc_txcom.patch @@ -0,0 +1,42 @@ +From 3c518742976c3a0318aed1a3ba5cd73cb8055881 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Aug 2020 17:12:53 +0300 +Subject: ath9k: Fix potential out of bounds in ath9k_htc_txcompletion_cb() + +From: Dan Carpenter + +[ Upstream commit 2705cd7558e718a7240c64eb0afb2edad5f8c190 ] + +The value of "htc_hdr->endpoint_id" comes from skb->data so Smatch marks +it as untrusted so we have to check it before using it as an array +offset. + +This is similar to a bug that syzkaller found in commit e4ff08a4d727 +("ath9k: Fix use-after-free Write in ath9k_htc_rx_msg") so it is +probably a real issue. + +Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.") +Signed-off-by: Dan Carpenter +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200813141253.GA457408@mwanda +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/htc_hst.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c +index f705f0e1cb5be..05fca38b38ed4 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_hst.c ++++ b/drivers/net/wireless/ath/ath9k/htc_hst.c +@@ -342,6 +342,8 @@ void ath9k_htc_txcompletion_cb(struct htc_target *htc_handle, + + if (skb) { + htc_hdr = (struct htc_frame_hdr *) skb->data; ++ if (htc_hdr->endpoint_id >= ARRAY_SIZE(htc_handle->endpoint)) ++ goto ret; + endpoint = &htc_handle->endpoint[htc_hdr->endpoint_id]; + skb_pull(skb, sizeof(struct htc_frame_hdr)); + +-- +2.25.1 + diff --git a/queue-4.19/ath9k-hif_usb-fix-race-condition-between-usb_get_urb.patch b/queue-4.19/ath9k-hif_usb-fix-race-condition-between-usb_get_urb.patch new file mode 100644 index 00000000000..9dd14b1a193 --- /dev/null +++ b/queue-4.19/ath9k-hif_usb-fix-race-condition-between-usb_get_urb.patch @@ -0,0 +1,92 @@ +From 7c37389c8b762f8ac3e0ecc10542d82f00c2c030 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Sep 2020 03:14:27 -0400 +Subject: ath9k: hif_usb: fix race condition between usb_get_urb() and + usb_kill_anchored_urbs() + +From: Brooke Basile + +[ Upstream commit 03fb92a432ea5abe5909bca1455b7e44a9380480 ] + +Calls to usb_kill_anchored_urbs() after usb_kill_urb() on multiprocessor +systems create a race condition in which usb_kill_anchored_urbs() deallocates +the URB before the completer callback is called in usb_kill_urb(), resulting +in a use-after-free. +To fix this, add proper lock protection to usb_kill_urb() calls that can +possibly run concurrently with usb_kill_anchored_urbs(). + +Reported-by: syzbot+89bd486af9427a9fc605@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=cabffad18eb74197f84871802fd2c5117b61febf +Signed-off-by: Brooke Basile +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200911071427.32354-1-brookebasile@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/hif_usb.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c +index 3f563e02d17da..2ed98aaed6fb5 100644 +--- a/drivers/net/wireless/ath/ath9k/hif_usb.c ++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c +@@ -449,10 +449,19 @@ static void hif_usb_stop(void *hif_handle) + spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); + + /* The pending URBs have to be canceled. */ ++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); + list_for_each_entry_safe(tx_buf, tx_buf_tmp, + &hif_dev->tx.tx_pending, list) { ++ usb_get_urb(tx_buf->urb); ++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); + usb_kill_urb(tx_buf->urb); ++ list_del(&tx_buf->list); ++ usb_free_urb(tx_buf->urb); ++ kfree(tx_buf->buf); ++ kfree(tx_buf); ++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); + } ++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); + + usb_kill_anchored_urbs(&hif_dev->mgmt_submitted); + } +@@ -762,27 +771,37 @@ static void ath9k_hif_usb_dealloc_tx_urbs(struct hif_device_usb *hif_dev) + struct tx_buf *tx_buf = NULL, *tx_buf_tmp = NULL; + unsigned long flags; + ++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); + list_for_each_entry_safe(tx_buf, tx_buf_tmp, + &hif_dev->tx.tx_buf, list) { ++ usb_get_urb(tx_buf->urb); ++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); + usb_kill_urb(tx_buf->urb); + list_del(&tx_buf->list); + usb_free_urb(tx_buf->urb); + kfree(tx_buf->buf); + kfree(tx_buf); ++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); + } ++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); + + spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); + hif_dev->tx.flags |= HIF_USB_TX_FLUSH; + spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); + ++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); + list_for_each_entry_safe(tx_buf, tx_buf_tmp, + &hif_dev->tx.tx_pending, list) { ++ usb_get_urb(tx_buf->urb); ++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); + usb_kill_urb(tx_buf->urb); + list_del(&tx_buf->list); + usb_free_urb(tx_buf->urb); + kfree(tx_buf->buf); + kfree(tx_buf); ++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); + } ++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); + + usb_kill_anchored_urbs(&hif_dev->mgmt_submitted); + } +-- +2.25.1 + diff --git a/queue-4.19/backlight-sky81452-backlight-fix-refcount-imbalance-.patch b/queue-4.19/backlight-sky81452-backlight-fix-refcount-imbalance-.patch new file mode 100644 index 00000000000..0f5d7a21cfc --- /dev/null +++ b/queue-4.19/backlight-sky81452-backlight-fix-refcount-imbalance-.patch @@ -0,0 +1,37 @@ +From 8928e5f0f1b7c2503e55e734b681ecacc5780281 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 14:38:17 +0800 +Subject: backlight: sky81452-backlight: Fix refcount imbalance on error + +From: dinghao.liu@zju.edu.cn + +[ Upstream commit b7a4f80bc316a56d6ec8750e93e66f42431ed960 ] + +When of_property_read_u32_array() returns an error code, a +pairing refcount decrement is needed to keep np's refcount +balanced. + +Fixes: f705806c9f355 ("backlight: Add support Skyworks SKY81452 backlight driver") +Signed-off-by: Dinghao Liu +Reviewed-by: Daniel Thompson +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/video/backlight/sky81452-backlight.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/video/backlight/sky81452-backlight.c b/drivers/video/backlight/sky81452-backlight.c +index d414c7a3acf5a..a2f77625b7170 100644 +--- a/drivers/video/backlight/sky81452-backlight.c ++++ b/drivers/video/backlight/sky81452-backlight.c +@@ -207,6 +207,7 @@ static struct sky81452_bl_platform_data *sky81452_bl_parse_dt( + num_entry); + if (ret < 0) { + dev_err(dev, "led-sources node is invalid.\n"); ++ of_node_put(np); + return ERR_PTR(-EINVAL); + } + +-- +2.25.1 + diff --git a/queue-4.19/block-ratelimit-handle_bad_sector-message.patch b/queue-4.19/block-ratelimit-handle_bad_sector-message.patch new file mode 100644 index 00000000000..290c869f7cd --- /dev/null +++ b/queue-4.19/block-ratelimit-handle_bad_sector-message.patch @@ -0,0 +1,47 @@ +From cf87fa1d0515d4607ab6fdea12c5195c12b09631 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Oct 2020 22:37:23 +0900 +Subject: block: ratelimit handle_bad_sector() message + +From: Tetsuo Handa + +[ Upstream commit f4ac712e4fe009635344b9af5d890fe25fcc8c0d ] + +syzbot is reporting unkillable task [1], for the caller is failing to +handle a corrupted filesystem image which attempts to access beyond +the end of the device. While we need to fix the caller, flooding the +console with handle_bad_sector() message is unlikely useful. + +[1] https://syzkaller.appspot.com/bug?id=f1f49fb971d7a3e01bd8ab8cff2ff4572ccf3092 + +Signed-off-by: Tetsuo Handa +Reviewed-by: Christoph Hellwig +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-core.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/block/blk-core.c b/block/blk-core.c +index ce3710404544c..445b878e35194 100644 +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -2127,11 +2127,10 @@ static void handle_bad_sector(struct bio *bio, sector_t maxsector) + { + char b[BDEVNAME_SIZE]; + +- printk(KERN_INFO "attempt to access beyond end of device\n"); +- printk(KERN_INFO "%s: rw=%d, want=%Lu, limit=%Lu\n", +- bio_devname(bio, b), bio->bi_opf, +- (unsigned long long)bio_end_sector(bio), +- (long long)maxsector); ++ pr_info_ratelimited("attempt to access beyond end of device\n" ++ "%s: rw=%d, want=%llu, limit=%llu\n", ++ bio_devname(bio, b), bio->bi_opf, ++ bio_end_sector(bio), maxsector); + } + + #ifdef CONFIG_FAIL_MAKE_REQUEST +-- +2.25.1 + diff --git a/queue-4.19/bluetooth-hci_uart-cancel-init-work-before-unregiste.patch b/queue-4.19/bluetooth-hci_uart-cancel-init-work-before-unregiste.patch new file mode 100644 index 00000000000..cc0b6bca3e0 --- /dev/null +++ b/queue-4.19/bluetooth-hci_uart-cancel-init-work-before-unregiste.patch @@ -0,0 +1,51 @@ +From 3c0651bb7dd872d0ea1eb8260258fd1fd5456e7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Aug 2020 11:29:56 -0500 +Subject: Bluetooth: hci_uart: Cancel init work before unregistering + +From: Samuel Holland + +[ Upstream commit 3b799254cf6f481460719023d7a18f46651e5e7f ] + +If hci_uart_tty_close() or hci_uart_unregister_device() is called while +hu->init_ready is scheduled, hci_register_dev() could be called after +the hci_uart is torn down. Avoid this by ensuring the work is complete +or canceled before checking the HCI_UART_REGISTERED flag. + +Fixes: 9f2aee848fe6 ("Bluetooth: Add delayed init sequence support for UART controllers") +Signed-off-by: Samuel Holland +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/hci_ldisc.c | 1 + + drivers/bluetooth/hci_serdev.c | 2 ++ + 2 files changed, 3 insertions(+) + +diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c +index efeb8137ec67f..48560e646e53e 100644 +--- a/drivers/bluetooth/hci_ldisc.c ++++ b/drivers/bluetooth/hci_ldisc.c +@@ -545,6 +545,7 @@ static void hci_uart_tty_close(struct tty_struct *tty) + clear_bit(HCI_UART_PROTO_READY, &hu->flags); + percpu_up_write(&hu->proto_lock); + ++ cancel_work_sync(&hu->init_ready); + cancel_work_sync(&hu->write_work); + + if (hdev) { +diff --git a/drivers/bluetooth/hci_serdev.c b/drivers/bluetooth/hci_serdev.c +index d3fb0d657fa52..7b3aade431e5e 100644 +--- a/drivers/bluetooth/hci_serdev.c ++++ b/drivers/bluetooth/hci_serdev.c +@@ -369,6 +369,8 @@ void hci_uart_unregister_device(struct hci_uart *hu) + struct hci_dev *hdev = hu->hdev; + + clear_bit(HCI_UART_PROTO_READY, &hu->flags); ++ ++ cancel_work_sync(&hu->init_ready); + if (test_bit(HCI_UART_REGISTERED, &hu->flags)) + hci_unregister_dev(hdev); + hci_free_dev(hdev); +-- +2.25.1 + diff --git a/queue-4.19/bluetooth-only-mark-socket-zapped-after-unlocking.patch b/queue-4.19/bluetooth-only-mark-socket-zapped-after-unlocking.patch new file mode 100644 index 00000000000..d109b8c2b60 --- /dev/null +++ b/queue-4.19/bluetooth-only-mark-socket-zapped-after-unlocking.patch @@ -0,0 +1,73 @@ +From 1b4f27bb94d83e6662b432340c301a4e9f2c6c00 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Sep 2020 15:33:18 -0700 +Subject: Bluetooth: Only mark socket zapped after unlocking + +From: Abhishek Pandit-Subedi + +[ Upstream commit 20ae4089d0afeb24e9ceb026b996bfa55c983cc2 ] + +Since l2cap_sock_teardown_cb doesn't acquire the channel lock before +setting the socket as zapped, it could potentially race with +l2cap_sock_release which frees the socket. Thus, wait until the cleanup +is complete before marking the socket as zapped. + +This race was reproduced on a JBL GO speaker after the remote device +rejected L2CAP connection due to resource unavailability. + +Here is a dmesg log with debug logs from a repro of this bug: +[ 3465.424086] Bluetooth: hci_core.c:hci_acldata_packet() hci0 len 16 handle 0x0003 flags 0x0002 +[ 3465.424090] Bluetooth: hci_conn.c:hci_conn_enter_active_mode() hcon 00000000cfedd07d mode 0 +[ 3465.424094] Bluetooth: l2cap_core.c:l2cap_recv_acldata() conn 000000007eae8952 len 16 flags 0x2 +[ 3465.424098] Bluetooth: l2cap_core.c:l2cap_recv_frame() len 12, cid 0x0001 +[ 3465.424102] Bluetooth: l2cap_core.c:l2cap_raw_recv() conn 000000007eae8952 +[ 3465.424175] Bluetooth: l2cap_core.c:l2cap_sig_channel() code 0x03 len 8 id 0x0c +[ 3465.424180] Bluetooth: l2cap_core.c:l2cap_connect_create_rsp() dcid 0x0045 scid 0x0000 result 0x02 status 0x00 +[ 3465.424189] Bluetooth: l2cap_core.c:l2cap_chan_put() chan 000000006acf9bff orig refcnt 4 +[ 3465.424196] Bluetooth: l2cap_core.c:l2cap_chan_del() chan 000000006acf9bff, conn 000000007eae8952, err 111, state BT_CONNECT +[ 3465.424203] Bluetooth: l2cap_sock.c:l2cap_sock_teardown_cb() chan 000000006acf9bff state BT_CONNECT +[ 3465.424221] Bluetooth: l2cap_core.c:l2cap_chan_put() chan 000000006acf9bff orig refcnt 3 +[ 3465.424226] Bluetooth: hci_core.h:hci_conn_drop() hcon 00000000cfedd07d orig refcnt 6 +[ 3465.424234] BUG: spinlock bad magic on CPU#2, kworker/u17:0/159 +[ 3465.425626] Bluetooth: hci_sock.c:hci_sock_sendmsg() sock 000000002bb0cb64 sk 00000000a7964053 +[ 3465.430330] lock: 0xffffff804410aac0, .magic: 00000000, .owner: /-1, .owner_cpu: 0 +[ 3465.430332] Causing a watchdog bite! + +Signed-off-by: Abhishek Pandit-Subedi +Reported-by: Balakrishna Godavarthi +Reviewed-by: Manish Mandlik +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_sock.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index 2a85dc3be8bf3..198a1fdd6709e 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -1341,8 +1341,6 @@ static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err) + + parent = bt_sk(sk)->parent; + +- sock_set_flag(sk, SOCK_ZAPPED); +- + switch (chan->state) { + case BT_OPEN: + case BT_BOUND: +@@ -1369,8 +1367,11 @@ static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err) + + break; + } +- + release_sock(sk); ++ ++ /* Only zap after cleanup to avoid use after free race */ ++ sock_set_flag(sk, SOCK_ZAPPED); ++ + } + + static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state, +-- +2.25.1 + diff --git a/queue-4.19/brcm80211-fix-possible-memleak-in-brcmf_proto_msgbuf.patch b/queue-4.19/brcm80211-fix-possible-memleak-in-brcmf_proto_msgbuf.patch new file mode 100644 index 00000000000..52da44de546 --- /dev/null +++ b/queue-4.19/brcm80211-fix-possible-memleak-in-brcmf_proto_msgbuf.patch @@ -0,0 +1,37 @@ +From 53a955be5c18bfef151aee0d5e4e97c15e536483 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jul 2020 17:36:05 +0800 +Subject: brcm80211: fix possible memleak in brcmf_proto_msgbuf_attach + +From: Wang Yufen + +[ Upstream commit 6c151410d5b57e6bb0d91a735ac511459539a7bf ] + +When brcmf_proto_msgbuf_attach fail and msgbuf->txflow_wq != NULL, +we should destroy the workqueue. + +Reported-by: Hulk Robot +Signed-off-by: Wang Yufen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1595237765-66238-1-git-send-email-wangyufen@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c +index ee922b0525610..768a99c15c08b 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c +@@ -1563,6 +1563,8 @@ int brcmf_proto_msgbuf_attach(struct brcmf_pub *drvr) + BRCMF_TX_IOCTL_MAX_MSG_SIZE, + msgbuf->ioctbuf, + msgbuf->ioctbuf_handle); ++ if (msgbuf->txflow_wq) ++ destroy_workqueue(msgbuf->txflow_wq); + kfree(msgbuf); + } + return -ENOMEM; +-- +2.25.1 + diff --git a/queue-4.19/brcmfmac-check-ndev-pointer.patch b/queue-4.19/brcmfmac-check-ndev-pointer.patch new file mode 100644 index 00000000000..ab9df3a8274 --- /dev/null +++ b/queue-4.19/brcmfmac-check-ndev-pointer.patch @@ -0,0 +1,54 @@ +From a8f28be135b513b0ccee6318de7af28e91b81dd1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 09:18:04 -0700 +Subject: brcmfmac: check ndev pointer + +From: Tom Rix + +[ Upstream commit 9c9f015bc9f8839831c7ba0a6d731a3853c464e2 ] + +Clang static analysis reports this error + +brcmfmac/core.c:490:4: warning: Dereference of null pointer + (*ifp)->ndev->stats.rx_errors++; + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +In this block of code + + if (ret || !(*ifp) || !(*ifp)->ndev) { + if (ret != -ENODATA && *ifp) + (*ifp)->ndev->stats.rx_errors++; + brcmu_pkt_buf_free_skb(skb); + return -ENODATA; + } + +(*ifp)->ndev being NULL is caught as an error +But then it is used to report the error. + +So add a check before using it. + +Fixes: 91b632803ee4 ("brcmfmac: Use net_device_stats from struct net_device") +Signed-off-by: Tom Rix +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200802161804.6126-1-trix@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +index 9d7b8834b8545..db4c541f58ae0 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +@@ -438,7 +438,7 @@ static int brcmf_rx_hdrpull(struct brcmf_pub *drvr, struct sk_buff *skb, + ret = brcmf_proto_hdrpull(drvr, true, skb, ifp); + + if (ret || !(*ifp) || !(*ifp)->ndev) { +- if (ret != -ENODATA && *ifp) ++ if (ret != -ENODATA && *ifp && (*ifp)->ndev) + (*ifp)->ndev->stats.rx_errors++; + brcmu_pkt_buf_free_skb(skb); + return -ENODATA; +-- +2.25.1 + diff --git a/queue-4.19/brcmsmac-fix-memory-leak-in-wlc_phy_attach_lcnphy.patch b/queue-4.19/brcmsmac-fix-memory-leak-in-wlc_phy_attach_lcnphy.patch new file mode 100644 index 00000000000..9947528e712 --- /dev/null +++ b/queue-4.19/brcmsmac-fix-memory-leak-in-wlc_phy_attach_lcnphy.patch @@ -0,0 +1,43 @@ +From f106226ac0ce0c924900878c733abdfb801c0834 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 12:17:41 +0000 +Subject: brcmsmac: fix memory leak in wlc_phy_attach_lcnphy + +From: Keita Suzuki + +[ Upstream commit f4443293d741d1776b86ed1dd8c4e4285d0775fc ] + +When wlc_phy_txpwr_srom_read_lcnphy fails in wlc_phy_attach_lcnphy, +the allocated pi->u.pi_lcnphy is leaked, since struct brcms_phy will be +freed in the caller function. + +Fix this by calling wlc_phy_detach_lcnphy in the error handler of +wlc_phy_txpwr_srom_read_lcnphy before returning. + +Signed-off-by: Keita Suzuki +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200908121743.23108-1-keitasuzuki.park@sslab.ics.keio.ac.jp +Signed-off-by: Sasha Levin +--- + .../net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c +index 9fb0d9fbd9395..d532decc15383 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c +@@ -5085,8 +5085,10 @@ bool wlc_phy_attach_lcnphy(struct brcms_phy *pi) + pi->pi_fptr.radioloftget = wlc_lcnphy_get_radio_loft; + pi->pi_fptr.detach = wlc_phy_detach_lcnphy; + +- if (!wlc_phy_txpwr_srom_read_lcnphy(pi)) ++ if (!wlc_phy_txpwr_srom_read_lcnphy(pi)) { ++ kfree(pi->u.pi_lcnphy); + return false; ++ } + + if (LCNREV_IS(pi->pubpi.phy_rev, 1)) { + if (pi_lcn->lcnphy_tempsense_option == 3) { +-- +2.25.1 + diff --git a/queue-4.19/can-flexcan-flexcan_chip_stop-add-error-handling-and.patch b/queue-4.19/can-flexcan-flexcan_chip_stop-add-error-handling-and.patch new file mode 100644 index 00000000000..2e25126c085 --- /dev/null +++ b/queue-4.19/can-flexcan-flexcan_chip_stop-add-error-handling-and.patch @@ -0,0 +1,95 @@ +From c9c5fa3b0d19c947afa26bcd72efb3a6409b7f17 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Sep 2020 16:44:19 +0200 +Subject: can: flexcan: flexcan_chip_stop(): add error handling and propagate + error value + +From: Joakim Zhang + +[ Upstream commit 9ad02c7f4f279504bdd38ab706fdc97d5f2b2a9c ] + +This patch implements error handling and propagates the error value of +flexcan_chip_stop(). This function will be called from flexcan_suspend() +in an upcoming patch in some SoCs which support LPSR mode. + +Add a new function flexcan_chip_stop_disable_on_error() that tries to +disable the chip even in case of errors. + +Signed-off-by: Joakim Zhang +[mkl: introduce flexcan_chip_stop_disable_on_error() and use it in flexcan_close()] +Signed-off-by: Marc Kleine-Budde +Link: https://lore.kernel.org/r/20200922144429.2613631-11-mkl@pengutronix.de +Signed-off-by: Sasha Levin +--- + drivers/net/can/flexcan.c | 34 ++++++++++++++++++++++++++++------ + 1 file changed, 28 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c +index bfe13c6627bed..0be8db6ab3195 100644 +--- a/drivers/net/can/flexcan.c ++++ b/drivers/net/can/flexcan.c +@@ -1091,18 +1091,23 @@ static int flexcan_chip_start(struct net_device *dev) + return err; + } + +-/* flexcan_chip_stop ++/* __flexcan_chip_stop + * +- * this functions is entered with clocks enabled ++ * this function is entered with clocks enabled + */ +-static void flexcan_chip_stop(struct net_device *dev) ++static int __flexcan_chip_stop(struct net_device *dev, bool disable_on_error) + { + struct flexcan_priv *priv = netdev_priv(dev); + struct flexcan_regs __iomem *regs = priv->regs; ++ int err; + + /* freeze + disable module */ +- flexcan_chip_freeze(priv); +- flexcan_chip_disable(priv); ++ err = flexcan_chip_freeze(priv); ++ if (err && !disable_on_error) ++ return err; ++ err = flexcan_chip_disable(priv); ++ if (err && !disable_on_error) ++ goto out_chip_unfreeze; + + /* Disable all interrupts */ + priv->write(0, ®s->imask2); +@@ -1112,6 +1117,23 @@ static void flexcan_chip_stop(struct net_device *dev) + + flexcan_transceiver_disable(priv); + priv->can.state = CAN_STATE_STOPPED; ++ ++ return 0; ++ ++ out_chip_unfreeze: ++ flexcan_chip_unfreeze(priv); ++ ++ return err; ++} ++ ++static inline int flexcan_chip_stop_disable_on_error(struct net_device *dev) ++{ ++ return __flexcan_chip_stop(dev, true); ++} ++ ++static inline int flexcan_chip_stop(struct net_device *dev) ++{ ++ return __flexcan_chip_stop(dev, false); + } + + static int flexcan_open(struct net_device *dev) +@@ -1165,7 +1187,7 @@ static int flexcan_close(struct net_device *dev) + + netif_stop_queue(dev); + can_rx_offload_disable(&priv->offload); +- flexcan_chip_stop(dev); ++ flexcan_chip_stop_disable_on_error(dev); + + free_irq(dev->irq, dev); + clk_disable_unprepare(priv->clk_per); +-- +2.25.1 + diff --git a/queue-4.19/clk-at91-clk-main-update-key-before-writing-at91_ckg.patch b/queue-4.19/clk-at91-clk-main-update-key-before-writing-at91_ckg.patch new file mode 100644 index 00000000000..eeb42fb3e25 --- /dev/null +++ b/queue-4.19/clk-at91-clk-main-update-key-before-writing-at91_ckg.patch @@ -0,0 +1,52 @@ +From 4cd19e6d41db7776268d82245f7a9b22235b69cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Aug 2020 09:59:10 +0300 +Subject: clk: at91: clk-main: update key before writing AT91_CKGR_MOR + +From: Claudiu Beznea + +[ Upstream commit 85d071e7f19a6a9abf30476b90b3819642568756 ] + +SAMA5D2 datasheet specifies on chapter 33.22.8 (PMC Clock Generator +Main Oscillator Register) that writing any value other than +0x37 on KEY field aborts the write operation. Use the key when +selecting main clock parent. + +Fixes: 27cb1c2083373 ("clk: at91: rework main clk implementation") +Signed-off-by: Claudiu Beznea +Reviewed-by: Alexandre Belloni +Link: https://lore.kernel.org/r/1598338751-20607-3-git-send-email-claudiu.beznea@microchip.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/at91/clk-main.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/clk/at91/clk-main.c b/drivers/clk/at91/clk-main.c +index 90988e7a5b47f..2e7da9b379d48 100644 +--- a/drivers/clk/at91/clk-main.c ++++ b/drivers/clk/at91/clk-main.c +@@ -517,12 +517,17 @@ static int clk_sam9x5_main_set_parent(struct clk_hw *hw, u8 index) + return -EINVAL; + + regmap_read(regmap, AT91_CKGR_MOR, &tmp); +- tmp &= ~MOR_KEY_MASK; + + if (index && !(tmp & AT91_PMC_MOSCSEL)) +- regmap_write(regmap, AT91_CKGR_MOR, tmp | AT91_PMC_MOSCSEL); ++ tmp = AT91_PMC_MOSCSEL; + else if (!index && (tmp & AT91_PMC_MOSCSEL)) +- regmap_write(regmap, AT91_CKGR_MOR, tmp & ~AT91_PMC_MOSCSEL); ++ tmp = 0; ++ else ++ return 0; ++ ++ regmap_update_bits(regmap, AT91_CKGR_MOR, ++ AT91_PMC_MOSCSEL | MOR_KEY_MASK, ++ tmp | AT91_PMC_KEY); + + while (!clk_sam9x5_main_ready(regmap)) + cpu_relax(); +-- +2.25.1 + diff --git a/queue-4.19/clk-bcm2835-add-missing-release-if-devm_clk_hw_regis.patch b/queue-4.19/clk-bcm2835-add-missing-release-if-devm_clk_hw_regis.patch new file mode 100644 index 00000000000..976e6968ce9 --- /dev/null +++ b/queue-4.19/clk-bcm2835-add-missing-release-if-devm_clk_hw_regis.patch @@ -0,0 +1,41 @@ +From 856032c09c029b03127eef18710f3038620a92c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Aug 2020 18:11:58 -0500 +Subject: clk: bcm2835: add missing release if devm_clk_hw_register fails + +From: Navid Emamdoost + +[ Upstream commit f6c992ca7dd4f49042eec61f3fb426c94d901675 ] + +In the implementation of bcm2835_register_pll(), the allocated pll is +leaked if devm_clk_hw_register() fails to register hw. Release pll if +devm_clk_hw_register() fails. + +Signed-off-by: Navid Emamdoost +Link: https://lore.kernel.org/r/20200809231202.15811-1-navid.emamdoost@gmail.com +Fixes: 41691b8862e2 ("clk: bcm2835: Add support for programming the audio domain clocks") +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/bcm/clk-bcm2835.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/clk/bcm/clk-bcm2835.c b/drivers/clk/bcm/clk-bcm2835.c +index 1c093fb35ebee..e4fee233849d2 100644 +--- a/drivers/clk/bcm/clk-bcm2835.c ++++ b/drivers/clk/bcm/clk-bcm2835.c +@@ -1319,8 +1319,10 @@ static struct clk_hw *bcm2835_register_pll(struct bcm2835_cprman *cprman, + pll->hw.init = &init; + + ret = devm_clk_hw_register(cprman->dev, &pll->hw); +- if (ret) ++ if (ret) { ++ kfree(pll); + return NULL; ++ } + return &pll->hw; + } + +-- +2.25.1 + diff --git a/queue-4.19/clk-rockchip-initialize-hw-to-error-to-avoid-undefin.patch b/queue-4.19/clk-rockchip-initialize-hw-to-error-to-avoid-undefin.patch new file mode 100644 index 00000000000..21e5c24b104 --- /dev/null +++ b/queue-4.19/clk-rockchip-initialize-hw-to-error-to-avoid-undefin.patch @@ -0,0 +1,44 @@ +From 4360f0749fdeca082e69e0ecf1c8f5598fd4088b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Sep 2020 17:41:44 -0700 +Subject: clk: rockchip: Initialize hw to error to avoid undefined behavior + +From: Stephen Boyd + +[ Upstream commit b608f11d49ec671739604cc763248d8e8fadbbeb ] + +We can get down to this return value from ERR_CAST() without +initializing hw. Set it to -ENOMEM so that we always return something +sane. + +Fixes the following smatch warning: + +drivers/clk/rockchip/clk-half-divider.c:228 rockchip_clk_register_halfdiv() error: uninitialized symbol 'hw'. +drivers/clk/rockchip/clk-half-divider.c:228 rockchip_clk_register_halfdiv() warn: passing zero to 'ERR_CAST' + +Cc: Elaine Zhang +Cc: Heiko Stuebner +Fixes: 956060a52795 ("clk: rockchip: add support for half divider") +Reviewed-by: Heiko Stuebner +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/rockchip/clk-half-divider.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/rockchip/clk-half-divider.c b/drivers/clk/rockchip/clk-half-divider.c +index b8da6e799423a..6a371d05218da 100644 +--- a/drivers/clk/rockchip/clk-half-divider.c ++++ b/drivers/clk/rockchip/clk-half-divider.c +@@ -166,7 +166,7 @@ struct clk *rockchip_clk_register_halfdiv(const char *name, + unsigned long flags, + spinlock_t *lock) + { +- struct clk *clk; ++ struct clk *clk = ERR_PTR(-ENOMEM); + struct clk_mux *mux = NULL; + struct clk_gate *gate = NULL; + struct clk_divider *div = NULL; +-- +2.25.1 + diff --git a/queue-4.19/cpufreq-armada-37xx-add-missing-module_device_table.patch b/queue-4.19/cpufreq-armada-37xx-add-missing-module_device_table.patch new file mode 100644 index 00000000000..4322e4d2ff0 --- /dev/null +++ b/queue-4.19/cpufreq-armada-37xx-add-missing-module_device_table.patch @@ -0,0 +1,47 @@ +From de5a5762b85119ae73dcf49cbba11266e461d136 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 15:27:16 +0200 +Subject: cpufreq: armada-37xx: Add missing MODULE_DEVICE_TABLE +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit c942d1542f1bc5001216fabce9cb8ffbe515777e ] + +CONFIG_ARM_ARMADA_37XX_CPUFREQ is tristate option and therefore this +cpufreq driver can be compiled as a module. This patch adds missing +MODULE_DEVICE_TABLE which generates correct modalias for automatic +loading of this cpufreq driver when is compiled as an external module. + +Reviewed-by: Andrew Lunn +Signed-off-by: Pali Rohár +Fixes: 92ce45fb875d7 ("cpufreq: Add DVFS support for Armada 37xx") +[ Viresh: Added __maybe_unused ] +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/armada-37xx-cpufreq.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/cpufreq/armada-37xx-cpufreq.c b/drivers/cpufreq/armada-37xx-cpufreq.c +index c5f98cafc25c9..9b0b490d70ff4 100644 +--- a/drivers/cpufreq/armada-37xx-cpufreq.c ++++ b/drivers/cpufreq/armada-37xx-cpufreq.c +@@ -486,6 +486,12 @@ static int __init armada37xx_cpufreq_driver_init(void) + /* late_initcall, to guarantee the driver is loaded after A37xx clock driver */ + late_initcall(armada37xx_cpufreq_driver_init); + ++static const struct of_device_id __maybe_unused armada37xx_cpufreq_of_match[] = { ++ { .compatible = "marvell,armada-3700-nb-pm" }, ++ { }, ++}; ++MODULE_DEVICE_TABLE(of, armada37xx_cpufreq_of_match); ++ + MODULE_AUTHOR("Gregory CLEMENT "); + MODULE_DESCRIPTION("Armada 37xx cpufreq driver"); + MODULE_LICENSE("GPL"); +-- +2.25.1 + diff --git a/queue-4.19/cpufreq-powernv-fix-frame-size-overflow-in-powernv_c.patch b/queue-4.19/cpufreq-powernv-fix-frame-size-overflow-in-powernv_c.patch new file mode 100644 index 00000000000..02204b97db8 --- /dev/null +++ b/queue-4.19/cpufreq-powernv-fix-frame-size-overflow-in-powernv_c.patch @@ -0,0 +1,52 @@ +From 2e56275cf456c2d30d26ce121178222b9e0ad564 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Sep 2020 13:32:54 +0530 +Subject: cpufreq: powernv: Fix frame-size-overflow in + powernv_cpufreq_reboot_notifier + +From: Srikar Dronamraju + +[ Upstream commit a2d0230b91f7e23ceb5d8fb6a9799f30517ec33a ] + +The patch avoids allocating cpufreq_policy on stack hence fixing frame +size overflow in 'powernv_cpufreq_reboot_notifier': + + drivers/cpufreq/powernv-cpufreq.c: In function powernv_cpufreq_reboot_notifier: + drivers/cpufreq/powernv-cpufreq.c:906:1: error: the frame size of 2064 bytes is larger than 2048 bytes + +Fixes: cf30af76 ("cpufreq: powernv: Set the cpus to nominal frequency during reboot/kexec") +Signed-off-by: Srikar Dronamraju +Reviewed-by: Daniel Axtens +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200922080254.41497-1-srikar@linux.vnet.ibm.com +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/powernv-cpufreq.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/cpufreq/powernv-cpufreq.c b/drivers/cpufreq/powernv-cpufreq.c +index 79942f7057576..5da985604692f 100644 +--- a/drivers/cpufreq/powernv-cpufreq.c ++++ b/drivers/cpufreq/powernv-cpufreq.c +@@ -885,12 +885,15 @@ static int powernv_cpufreq_reboot_notifier(struct notifier_block *nb, + unsigned long action, void *unused) + { + int cpu; +- struct cpufreq_policy cpu_policy; ++ struct cpufreq_policy *cpu_policy; + + rebooting = true; + for_each_online_cpu(cpu) { +- cpufreq_get_policy(&cpu_policy, cpu); +- powernv_cpufreq_target_index(&cpu_policy, get_nominal_index()); ++ cpu_policy = cpufreq_cpu_get(cpu); ++ if (!cpu_policy) ++ continue; ++ powernv_cpufreq_target_index(cpu_policy, get_nominal_index()); ++ cpufreq_cpu_put(cpu_policy); + } + + return NOTIFY_DONE; +-- +2.25.1 + diff --git a/queue-4.19/crypto-algif_skcipher-ebusy-on-aio-should-be-an-erro.patch b/queue-4.19/crypto-algif_skcipher-ebusy-on-aio-should-be-an-erro.patch new file mode 100644 index 00000000000..ed478a86db1 --- /dev/null +++ b/queue-4.19/crypto-algif_skcipher-ebusy-on-aio-should-be-an-erro.patch @@ -0,0 +1,37 @@ +From ede795def562e700ade104d6f032bc7022dfe576 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Jul 2020 17:03:27 +1000 +Subject: crypto: algif_skcipher - EBUSY on aio should be an error + +From: Herbert Xu + +[ Upstream commit 2a05b029c1ee045b886ebf9efef9985ca23450de ] + +I removed the MAY_BACKLOG flag on the aio path a while ago but +the error check still incorrectly interpreted EBUSY as success. +This may cause the submitter to wait for a request that will never +complete. + +Fixes: dad419970637 ("crypto: algif_skcipher - Do not set...") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/algif_skcipher.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c +index 1cb106c46043d..9d2e9783c0d4e 100644 +--- a/crypto/algif_skcipher.c ++++ b/crypto/algif_skcipher.c +@@ -127,7 +127,7 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg, + crypto_skcipher_decrypt(&areq->cra_u.skcipher_req); + + /* AIO operation in progress */ +- if (err == -EINPROGRESS || err == -EBUSY) ++ if (err == -EINPROGRESS) + return -EIOCBQUEUED; + + sock_put(sk); +-- +2.25.1 + diff --git a/queue-4.19/crypto-ccp-fix-error-handling.patch b/queue-4.19/crypto-ccp-fix-error-handling.patch new file mode 100644 index 00000000000..256fe618386 --- /dev/null +++ b/queue-4.19/crypto-ccp-fix-error-handling.patch @@ -0,0 +1,35 @@ +From f22f7577c0b11abb4648e4a666b1da2fe3f1635f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Sep 2020 13:34:35 +0200 +Subject: crypto: ccp - fix error handling + +From: Pavel Machek + +[ Upstream commit e356c49c6cf0db3f00e1558749170bd56e47652d ] + +Fix resource leak in error handling. + +Signed-off-by: Pavel Machek (CIP) +Acked-by: John Allen +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/ccp/ccp-ops.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c +index 626b643d610eb..20ca9c9e109e0 100644 +--- a/drivers/crypto/ccp/ccp-ops.c ++++ b/drivers/crypto/ccp/ccp-ops.c +@@ -1752,7 +1752,7 @@ ccp_run_sha_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd) + break; + default: + ret = -EINVAL; +- goto e_ctx; ++ goto e_data; + } + } else { + /* Stash the context */ +-- +2.25.1 + diff --git a/queue-4.19/crypto-ixp4xx-fix-the-size-used-in-a-dma_free_cohere.patch b/queue-4.19/crypto-ixp4xx-fix-the-size-used-in-a-dma_free_cohere.patch new file mode 100644 index 00000000000..e439d173560 --- /dev/null +++ b/queue-4.19/crypto-ixp4xx-fix-the-size-used-in-a-dma_free_cohere.patch @@ -0,0 +1,36 @@ +From 9825efe23799dc24aa03638915dfa27412cbdea8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 16:56:48 +0200 +Subject: crypto: ixp4xx - Fix the size used in a 'dma_free_coherent()' call + +From: Christophe JAILLET + +[ Upstream commit f7ade9aaf66bd5599690acf0597df2c0f6cd825a ] + +Update the size used in 'dma_free_coherent()' in order to match the one +used in the corresponding 'dma_alloc_coherent()', in 'setup_crypt_desc()'. + +Fixes: 81bef0150074 ("crypto: ixp4xx - Hardware crypto support for IXP4xx CPUs") +Signed-off-by: Christophe JAILLET +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/ixp4xx_crypto.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/ixp4xx_crypto.c b/drivers/crypto/ixp4xx_crypto.c +index 27f7dad2d45d9..9b7b8558db31d 100644 +--- a/drivers/crypto/ixp4xx_crypto.c ++++ b/drivers/crypto/ixp4xx_crypto.c +@@ -530,7 +530,7 @@ static void release_ixp_crypto(struct device *dev) + + if (crypt_virt) { + dma_free_coherent(dev, +- NPE_QLEN_TOTAL * sizeof( struct crypt_ctl), ++ NPE_QLEN * sizeof(struct crypt_ctl), + crypt_virt, crypt_phys); + } + } +-- +2.25.1 + diff --git a/queue-4.19/crypto-mediatek-fix-wrong-return-value-in-mtk_desc_r.patch b/queue-4.19/crypto-mediatek-fix-wrong-return-value-in-mtk_desc_r.patch new file mode 100644 index 00000000000..575e0c5b65b --- /dev/null +++ b/queue-4.19/crypto-mediatek-fix-wrong-return-value-in-mtk_desc_r.patch @@ -0,0 +1,46 @@ +From 9854cc0d2931a5b0a06b10a3e17c51c48f9b45b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 19:15:32 +0800 +Subject: crypto: mediatek - Fix wrong return value in mtk_desc_ring_alloc() + +From: Tianjia Zhang + +[ Upstream commit 8cbde6c6a6d2b1599ff90f932304aab7e32fce89 ] + +In case of memory allocation failure, a negative error code should +be returned. + +Fixes: 785e5c616c849 ("crypto: mediatek - Add crypto driver support for some MediaTek chips") +Cc: Ryder Lee +Signed-off-by: Tianjia Zhang +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/mediatek/mtk-platform.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/mediatek/mtk-platform.c b/drivers/crypto/mediatek/mtk-platform.c +index ee0404e27a0f2..03b1436f87096 100644 +--- a/drivers/crypto/mediatek/mtk-platform.c ++++ b/drivers/crypto/mediatek/mtk-platform.c +@@ -446,7 +446,7 @@ static void mtk_desc_dma_free(struct mtk_cryp *cryp) + static int mtk_desc_ring_alloc(struct mtk_cryp *cryp) + { + struct mtk_ring **ring = cryp->ring; +- int i, err = ENOMEM; ++ int i; + + for (i = 0; i < MTK_RING_MAX; i++) { + ring[i] = kzalloc(sizeof(**ring), GFP_KERNEL); +@@ -480,7 +480,7 @@ static int mtk_desc_ring_alloc(struct mtk_cryp *cryp) + ring[i]->cmd_base, ring[i]->cmd_dma); + kfree(ring[i]); + } +- return err; ++ return -ENOMEM; + } + + static int mtk_crypto_probe(struct platform_device *pdev) +-- +2.25.1 + diff --git a/queue-4.19/crypto-omap-sham-fix-digcnt-register-handling-with-e.patch b/queue-4.19/crypto-omap-sham-fix-digcnt-register-handling-with-e.patch new file mode 100644 index 00000000000..cbeda7a21b1 --- /dev/null +++ b/queue-4.19/crypto-omap-sham-fix-digcnt-register-handling-with-e.patch @@ -0,0 +1,39 @@ +From d8a0ee6486111f3b97dbb781fba97fa66f4787c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 10:56:24 +0300 +Subject: crypto: omap-sham - fix digcnt register handling with export/import + +From: Tero Kristo + +[ Upstream commit 3faf757bad75f3fc1b2736f0431e295a073a7423 ] + +Running export/import for hashes in peculiar order (mostly done by +openssl) can mess up the internal book keeping of the OMAP SHA core. +Fix by forcibly writing the correct DIGCNT back to hardware. This issue +was noticed while transitioning to openssl 1.1 support. + +Fixes: 0d373d603202 ("crypto: omap-sham - Add OMAP4/AM33XX SHAM Support") +Signed-off-by: Tero Kristo +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/omap-sham.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/crypto/omap-sham.c b/drivers/crypto/omap-sham.c +index 2faaa4069cdd8..4d31ef4724366 100644 +--- a/drivers/crypto/omap-sham.c ++++ b/drivers/crypto/omap-sham.c +@@ -456,6 +456,9 @@ static void omap_sham_write_ctrl_omap4(struct omap_sham_dev *dd, size_t length, + struct omap_sham_reqctx *ctx = ahash_request_ctx(dd->req); + u32 val, mask; + ++ if (likely(ctx->digcnt)) ++ omap_sham_write(dd, SHA_REG_DIGCNT(dd), ctx->digcnt); ++ + /* + * Setting ALGO_CONST only for the first iteration and + * CLOSE_HASH only for the last one. Note that flags mode bits +-- +2.25.1 + diff --git a/queue-4.19/crypto-picoxcell-fix-potential-race-condition-bug.patch b/queue-4.19/crypto-picoxcell-fix-potential-race-condition-bug.patch new file mode 100644 index 00000000000..833d7a0a6f3 --- /dev/null +++ b/queue-4.19/crypto-picoxcell-fix-potential-race-condition-bug.patch @@ -0,0 +1,55 @@ +From 833227505bf4cd33775f034115c0041f2e9ddf97 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 18:00:24 +0530 +Subject: crypto: picoxcell - Fix potential race condition bug + +From: Madhuparna Bhowmik + +[ Upstream commit 64f4a62e3b17f1e473f971127c2924cae42afc82 ] + +engine->stat_irq_thresh was initialized after device_create_file() in +the probe function, the initialization may race with call to +spacc_stat_irq_thresh_store() which updates engine->stat_irq_thresh, +therefore initialize it before creating the file in probe function. + +Found by Linux Driver Verification project (linuxtesting.org). + +Fixes: ce92136843cb ("crypto: picoxcell - add support for the...") +Signed-off-by: Madhuparna Bhowmik +Acked-by: Jamie Iles +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/picoxcell_crypto.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/crypto/picoxcell_crypto.c b/drivers/crypto/picoxcell_crypto.c +index e2491754c468f..1ef47f7208b92 100644 +--- a/drivers/crypto/picoxcell_crypto.c ++++ b/drivers/crypto/picoxcell_crypto.c +@@ -1701,11 +1701,6 @@ static int spacc_probe(struct platform_device *pdev) + goto err_clk_put; + } + +- ret = device_create_file(&pdev->dev, &dev_attr_stat_irq_thresh); +- if (ret) +- goto err_clk_disable; +- +- + /* + * Use an IRQ threshold of 50% as a default. This seems to be a + * reasonable trade off of latency against throughput but can be +@@ -1713,6 +1708,10 @@ static int spacc_probe(struct platform_device *pdev) + */ + engine->stat_irq_thresh = (engine->fifo_sz / 2); + ++ ret = device_create_file(&pdev->dev, &dev_attr_stat_irq_thresh); ++ if (ret) ++ goto err_clk_disable; ++ + /* + * Configure the interrupts. We only use the STAT_CNT interrupt as we + * only submit a new packet for processing when we complete another in +-- +2.25.1 + diff --git a/queue-4.19/cypto-mediatek-fix-leaks-in-mtk_desc_ring_alloc.patch b/queue-4.19/cypto-mediatek-fix-leaks-in-mtk_desc_ring_alloc.patch new file mode 100644 index 00000000000..3d37d376b43 --- /dev/null +++ b/queue-4.19/cypto-mediatek-fix-leaks-in-mtk_desc_ring_alloc.patch @@ -0,0 +1,46 @@ +From 3ad2f78fe8e3f6477edbb5bb85041fa5dbabc7c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Sep 2020 11:00:51 +0800 +Subject: cypto: mediatek - fix leaks in mtk_desc_ring_alloc + +From: Xiaoliang Pang + +[ Upstream commit 228d284aac61283cde508a925d666f854b57af63 ] + +In the init loop, if an error occurs in function 'dma_alloc_coherent', +then goto the err_cleanup section, after run i--, +in the array ring, the struct mtk_ring with index i will not be released, +causing memory leaks + +Fixes: 785e5c616c849 ("crypto: mediatek - Add crypto driver support for some MediaTek chips") +Cc: Ryder Lee +Signed-off-by: Xiaoliang Pang +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/mediatek/mtk-platform.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/mediatek/mtk-platform.c b/drivers/crypto/mediatek/mtk-platform.c +index 03b1436f87096..e4d7ef3bfb61d 100644 +--- a/drivers/crypto/mediatek/mtk-platform.c ++++ b/drivers/crypto/mediatek/mtk-platform.c +@@ -473,13 +473,13 @@ static int mtk_desc_ring_alloc(struct mtk_cryp *cryp) + return 0; + + err_cleanup: +- for (; i--; ) { ++ do { + dma_free_coherent(cryp->dev, MTK_DESC_RING_SZ, + ring[i]->res_base, ring[i]->res_dma); + dma_free_coherent(cryp->dev, MTK_DESC_RING_SZ, + ring[i]->cmd_base, ring[i]->cmd_dma); + kfree(ring[i]); +- } ++ } while (i--); + return -ENOMEM; + } + +-- +2.25.1 + diff --git a/queue-4.19/drivers-perf-xgene_pmu-fix-uninitialized-resource-st.patch b/queue-4.19/drivers-perf-xgene_pmu-fix-uninitialized-resource-st.patch new file mode 100644 index 00000000000..df99b9667ef --- /dev/null +++ b/queue-4.19/drivers-perf-xgene_pmu-fix-uninitialized-resource-st.patch @@ -0,0 +1,126 @@ +From bf49e9f5d4c6401e992e5e8100970ce887ba91f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 16:41:09 -0400 +Subject: drivers/perf: xgene_pmu: Fix uninitialized resource struct + +From: Mark Salter + +[ Upstream commit a76b8236edcf5b785d044b930f9e14ad02b4a484 ] + +This splat was reported on newer Fedora kernels booting on certain +X-gene based machines: + + xgene-pmu APMC0D83:00: X-Gene PMU version 3 + Unable to handle kernel read from unreadable memory at virtual \ + address 0000000000004006 + ... + Call trace: + string+0x50/0x100 + vsnprintf+0x160/0x750 + devm_kvasprintf+0x5c/0xb4 + devm_kasprintf+0x54/0x60 + __devm_ioremap_resource+0xdc/0x1a0 + devm_ioremap_resource+0x14/0x20 + acpi_get_pmu_hw_inf.isra.0+0x84/0x15c + acpi_pmu_dev_add+0xbc/0x21c + acpi_ns_walk_namespace+0x16c/0x1e4 + acpi_walk_namespace+0xb4/0xfc + xgene_pmu_probe_pmu_dev+0x7c/0xe0 + xgene_pmu_probe.part.0+0x2c0/0x310 + xgene_pmu_probe+0x54/0x64 + platform_drv_probe+0x60/0xb4 + really_probe+0xe8/0x4a0 + driver_probe_device+0xe4/0x100 + device_driver_attach+0xcc/0xd4 + __driver_attach+0xb0/0x17c + bus_for_each_dev+0x6c/0xb0 + driver_attach+0x30/0x40 + bus_add_driver+0x154/0x250 + driver_register+0x84/0x140 + __platform_driver_register+0x54/0x60 + xgene_pmu_driver_init+0x28/0x34 + do_one_initcall+0x40/0x204 + do_initcalls+0x104/0x144 + kernel_init_freeable+0x198/0x210 + kernel_init+0x20/0x12c + ret_from_fork+0x10/0x18 + Code: 91000400 110004e1 eb08009f 540000c0 (38646846) + ---[ end trace f08c10566496a703 ]--- + +This is due to use of an uninitialized local resource struct in the xgene +pmu driver. The thunderx2_pmu driver avoids this by using the resource list +constructed by acpi_dev_get_resources() rather than using a callback from +that function. The callback in the xgene driver didn't fully initialize +the resource. So get rid of the callback and search the resource list as +done by thunderx2. + +Fixes: 832c927d119b ("perf: xgene: Add APM X-Gene SoC Performance Monitoring Unit driver") +Signed-off-by: Mark Salter +Link: https://lore.kernel.org/r/20200915204110.326138-1-msalter@redhat.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/perf/xgene_pmu.c | 32 +++++++++++++++++--------------- + 1 file changed, 17 insertions(+), 15 deletions(-) + +diff --git a/drivers/perf/xgene_pmu.c b/drivers/perf/xgene_pmu.c +index 0e31f1392a53c..949b07e29c06b 100644 +--- a/drivers/perf/xgene_pmu.c ++++ b/drivers/perf/xgene_pmu.c +@@ -1474,17 +1474,6 @@ static char *xgene_pmu_dev_name(struct device *dev, u32 type, int id) + } + + #if defined(CONFIG_ACPI) +-static int acpi_pmu_dev_add_resource(struct acpi_resource *ares, void *data) +-{ +- struct resource *res = data; +- +- if (ares->type == ACPI_RESOURCE_TYPE_FIXED_MEMORY32) +- acpi_dev_resource_memory(ares, res); +- +- /* Always tell the ACPI core to skip this resource */ +- return 1; +-} +- + static struct + xgene_pmu_dev_ctx *acpi_get_pmu_hw_inf(struct xgene_pmu *xgene_pmu, + struct acpi_device *adev, u32 type) +@@ -1496,6 +1485,7 @@ xgene_pmu_dev_ctx *acpi_get_pmu_hw_inf(struct xgene_pmu *xgene_pmu, + struct hw_pmu_info *inf; + void __iomem *dev_csr; + struct resource res; ++ struct resource_entry *rentry; + int enable_bit; + int rc; + +@@ -1504,11 +1494,23 @@ xgene_pmu_dev_ctx *acpi_get_pmu_hw_inf(struct xgene_pmu *xgene_pmu, + return NULL; + + INIT_LIST_HEAD(&resource_list); +- rc = acpi_dev_get_resources(adev, &resource_list, +- acpi_pmu_dev_add_resource, &res); ++ rc = acpi_dev_get_resources(adev, &resource_list, NULL, NULL); ++ if (rc <= 0) { ++ dev_err(dev, "PMU type %d: No resources found\n", type); ++ return NULL; ++ } ++ ++ list_for_each_entry(rentry, &resource_list, node) { ++ if (resource_type(rentry->res) == IORESOURCE_MEM) { ++ res = *rentry->res; ++ rentry = NULL; ++ break; ++ } ++ } + acpi_dev_free_resource_list(&resource_list); +- if (rc < 0) { +- dev_err(dev, "PMU type %d: No resource address found\n", type); ++ ++ if (rentry) { ++ dev_err(dev, "PMU type %d: No memory resource found\n", type); + return NULL; + } + +-- +2.25.1 + diff --git a/queue-4.19/drivers-virt-fsl_hypervisor-fix-error-handling-path.patch b/queue-4.19/drivers-virt-fsl_hypervisor-fix-error-handling-path.patch new file mode 100644 index 00000000000..097fff999dc --- /dev/null +++ b/queue-4.19/drivers-virt-fsl_hypervisor-fix-error-handling-path.patch @@ -0,0 +1,99 @@ +From 7e01f1f2cd3c2d44132ba4d4986869ede252eb69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 02:51:11 +0530 +Subject: drivers/virt/fsl_hypervisor: Fix error handling path + +From: Souptick Joarder + +[ Upstream commit 7f360bec37857bfd5a48cef21d86f58a09a3df63 ] + +First, when memory allocation for sg_list_unaligned failed, there +is a bug of calling put_pages() as we haven't pinned any pages. + +Second, if get_user_pages_fast() failed we should unpin num_pinned +pages. + +This will address both. + +As part of these changes, minor update in documentation. + +Fixes: 6db7199407ca ("drivers/virt: introduce Freescale hypervisor management driver") +Signed-off-by: Souptick Joarder +Reviewed-by: Dan Carpenter +Reviewed-by: John Hubbard +Link: https://lore.kernel.org/r/1598995271-6755-1-git-send-email-jrdr.linux@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/virt/fsl_hypervisor.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +diff --git a/drivers/virt/fsl_hypervisor.c b/drivers/virt/fsl_hypervisor.c +index 1bbd910d4ddb8..2a7f7f47fe893 100644 +--- a/drivers/virt/fsl_hypervisor.c ++++ b/drivers/virt/fsl_hypervisor.c +@@ -157,7 +157,7 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p) + + unsigned int i; + long ret = 0; +- int num_pinned; /* return value from get_user_pages() */ ++ int num_pinned = 0; /* return value from get_user_pages_fast() */ + phys_addr_t remote_paddr; /* The next address in the remote buffer */ + uint32_t count; /* The number of bytes left to copy */ + +@@ -174,7 +174,7 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p) + return -EINVAL; + + /* +- * The array of pages returned by get_user_pages() covers only ++ * The array of pages returned by get_user_pages_fast() covers only + * page-aligned memory. Since the user buffer is probably not + * page-aligned, we need to handle the discrepancy. + * +@@ -224,7 +224,7 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p) + + /* + * 'pages' is an array of struct page pointers that's initialized by +- * get_user_pages(). ++ * get_user_pages_fast(). + */ + pages = kcalloc(num_pages, sizeof(struct page *), GFP_KERNEL); + if (!pages) { +@@ -241,7 +241,7 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p) + if (!sg_list_unaligned) { + pr_debug("fsl-hv: could not allocate S/G list\n"); + ret = -ENOMEM; +- goto exit; ++ goto free_pages; + } + sg_list = PTR_ALIGN(sg_list_unaligned, sizeof(struct fh_sg_list)); + +@@ -250,7 +250,6 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p) + num_pages, param.source != -1, pages); + + if (num_pinned != num_pages) { +- /* get_user_pages() failed */ + pr_debug("fsl-hv: could not lock source buffer\n"); + ret = (num_pinned < 0) ? num_pinned : -EFAULT; + goto exit; +@@ -292,13 +291,13 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p) + virt_to_phys(sg_list), num_pages); + + exit: +- if (pages) { +- for (i = 0; i < num_pages; i++) +- if (pages[i]) +- put_page(pages[i]); ++ if (pages && (num_pinned > 0)) { ++ for (i = 0; i < num_pinned; i++) ++ put_page(pages[i]); + } + + kfree(sg_list_unaligned); ++free_pages: + kfree(pages); + + if (!ret) +-- +2.25.1 + diff --git a/queue-4.19/drm-gma500-fix-error-check.patch b/queue-4.19/drm-gma500-fix-error-check.patch new file mode 100644 index 00000000000..b8e49dc9f74 --- /dev/null +++ b/queue-4.19/drm-gma500-fix-error-check.patch @@ -0,0 +1,54 @@ +From e84b79cba1cd3add2e384fd63d218855554494a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Aug 2020 13:59:11 -0700 +Subject: drm/gma500: fix error check + +From: Tom Rix + +[ Upstream commit cdd296cdae1af2d27dae3fcfbdf12c5252ab78cf ] + +Reviewing this block of code in cdv_intel_dp_init() + +ret = cdv_intel_dp_aux_native_read(gma_encoder, DP_DPCD_REV, ... + +cdv_intel_edp_panel_vdd_off(gma_encoder); +if (ret == 0) { + /* if this fails, presume the device is a ghost */ + DRM_INFO("failed to retrieve link info, disabling eDP\n"); + drm_encoder_cleanup(encoder); + cdv_intel_dp_destroy(connector); + goto err_priv; +} else { + +The (ret == 0) is not strict enough. +cdv_intel_dp_aux_native_read() returns > 0 on success +otherwise it is failure. + +So change to <= + +Fixes: d112a8163f83 ("gma500/cdv: Add eDP support") + +Signed-off-by: Tom Rix +Signed-off-by: Patrik Jakobsson +Link: https://patchwork.freedesktop.org/patch/msgid/20200805205911.20927-1-trix@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/gma500/cdv_intel_dp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/gma500/cdv_intel_dp.c b/drivers/gpu/drm/gma500/cdv_intel_dp.c +index 90ed20083009f..05eba6dec5ebf 100644 +--- a/drivers/gpu/drm/gma500/cdv_intel_dp.c ++++ b/drivers/gpu/drm/gma500/cdv_intel_dp.c +@@ -2119,7 +2119,7 @@ cdv_intel_dp_init(struct drm_device *dev, struct psb_intel_mode_device *mode_dev + intel_dp->dpcd, + sizeof(intel_dp->dpcd)); + cdv_intel_edp_panel_vdd_off(gma_encoder); +- if (ret == 0) { ++ if (ret <= 0) { + /* if this fails, presume the device is a ghost */ + DRM_INFO("failed to retrieve link info, disabling eDP\n"); + cdv_intel_dp_encoder_destroy(encoder); +-- +2.25.1 + diff --git a/queue-4.19/drm-radeon-prefer-lower-feedback-dividers.patch b/queue-4.19/drm-radeon-prefer-lower-feedback-dividers.patch new file mode 100644 index 00000000000..5016a0b7905 --- /dev/null +++ b/queue-4.19/drm-radeon-prefer-lower-feedback-dividers.patch @@ -0,0 +1,48 @@ +From 1bafcb5df4ef285af23c2523bcbb00eb7d9ad189 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Aug 2020 01:33:48 +0800 +Subject: drm/radeon: Prefer lower feedback dividers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kai-Heng Feng + +[ Upstream commit 5150dd85bdfa08143cacf1b4249121651bed3c35 ] + +Commit 2e26ccb119bd ("drm/radeon: prefer lower reference dividers") +fixed screen flicker for HP Compaq nx9420 but breaks other laptops like +Asus X50SL. + +Turns out we also need to favor lower feedback dividers. + +Users confirmed this change fixes the regression and doesn't regress the +original fix. + +Fixes: 2e26ccb119bd ("drm/radeon: prefer lower reference dividers") +BugLink: https://bugs.launchpad.net/bugs/1791312 +BugLink: https://bugs.launchpad.net/bugs/1861554 +Reviewed-by: Christian König +Signed-off-by: Kai-Heng Feng +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/radeon_display.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/radeon/radeon_display.c b/drivers/gpu/drm/radeon/radeon_display.c +index 3f0f3a578ddf0..c28d76d898fdb 100644 +--- a/drivers/gpu/drm/radeon/radeon_display.c ++++ b/drivers/gpu/drm/radeon/radeon_display.c +@@ -926,7 +926,7 @@ static void avivo_get_fb_ref_div(unsigned nom, unsigned den, unsigned post_div, + + /* get matching reference and feedback divider */ + *ref_div = min(max(den/post_div, 1u), ref_div_max); +- *fb_div = DIV_ROUND_CLOSEST(nom * *ref_div * post_div, den); ++ *fb_div = max(nom * *ref_div * post_div / den, 1u); + + /* limit fb divider to its maximum */ + if (*fb_div > fb_div_max) { +-- +2.25.1 + diff --git a/queue-4.19/edac-i5100-fix-error-handling-order-in-i5100_init_on.patch b/queue-4.19/edac-i5100-fix-error-handling-order-in-i5100_init_on.patch new file mode 100644 index 00000000000..269ec5cb720 --- /dev/null +++ b/queue-4.19/edac-i5100-fix-error-handling-order-in-i5100_init_on.patch @@ -0,0 +1,69 @@ +From aa725fdcd958bf567437f3d07412f67abd2dcaca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Aug 2020 20:14:37 +0800 +Subject: EDAC/i5100: Fix error handling order in i5100_init_one() + +From: Dinghao Liu + +[ Upstream commit 857a3139bd8be4f702c030c8ca06f3fd69c1741a ] + +When pci_get_device_func() fails, the driver doesn't need to execute +pci_dev_put(). mci should still be freed, though, to prevent a memory +leak. When pci_enable_device() fails, the error injection PCI device +"einj" doesn't need to be disabled either. + + [ bp: Massage commit message, rename label to "bail_mc_free". ] + +Fixes: 52608ba205461 ("i5100_edac: probe for device 19 function 0") +Signed-off-by: Dinghao Liu +Signed-off-by: Borislav Petkov +Link: https://lkml.kernel.org/r/20200826121437.31606-1-dinghao.liu@zju.edu.cn +Signed-off-by: Sasha Levin +--- + drivers/edac/i5100_edac.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/drivers/edac/i5100_edac.c b/drivers/edac/i5100_edac.c +index b506eef6b146d..858ef4e15180b 100644 +--- a/drivers/edac/i5100_edac.c ++++ b/drivers/edac/i5100_edac.c +@@ -1072,16 +1072,15 @@ static int i5100_init_one(struct pci_dev *pdev, const struct pci_device_id *id) + PCI_DEVICE_ID_INTEL_5100_19, 0); + if (!einj) { + ret = -ENODEV; +- goto bail_einj; ++ goto bail_mc_free; + } + + rc = pci_enable_device(einj); + if (rc < 0) { + ret = rc; +- goto bail_disable_einj; ++ goto bail_einj; + } + +- + mci->pdev = &pdev->dev; + + priv = mci->pvt_info; +@@ -1147,14 +1146,14 @@ static int i5100_init_one(struct pci_dev *pdev, const struct pci_device_id *id) + bail_scrub: + priv->scrub_enable = 0; + cancel_delayed_work_sync(&(priv->i5100_scrubbing)); +- edac_mc_free(mci); +- +-bail_disable_einj: + pci_disable_device(einj); + + bail_einj: + pci_dev_put(einj); + ++bail_mc_free: ++ edac_mc_free(mci); ++ + bail_disable_ch1: + pci_disable_device(ch1mm); + +-- +2.25.1 + diff --git a/queue-4.19/edac-ti-fix-handling-of-platform_get_irq-error.patch b/queue-4.19/edac-ti-fix-handling-of-platform_get_irq-error.patch new file mode 100644 index 00000000000..6b9629acfb6 --- /dev/null +++ b/queue-4.19/edac-ti-fix-handling-of-platform_get_irq-error.patch @@ -0,0 +1,42 @@ +From 661cb6a5313dd7ef14caf6fcf9b08706d2457c35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Aug 2020 09:07:43 +0200 +Subject: EDAC/ti: Fix handling of platform_get_irq() error + +From: Krzysztof Kozlowski + +[ Upstream commit 66077adb70a2a9e92540155b2ace33ec98299c90 ] + +platform_get_irq() returns a negative error number on error. In such a +case, comparison to 0 would pass the check therefore check the return +value properly, whether it is negative. + + [ bp: Massage commit message. ] + +Fixes: 86a18ee21e5e ("EDAC, ti: Add support for TI keystone and DRA7xx EDAC") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Borislav Petkov +Reviewed-by: Tero Kristo +Link: https://lkml.kernel.org/r/20200827070743.26628-2-krzk@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/edac/ti_edac.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/edac/ti_edac.c b/drivers/edac/ti_edac.c +index 6ac26d1b929f0..3247689467435 100644 +--- a/drivers/edac/ti_edac.c ++++ b/drivers/edac/ti_edac.c +@@ -278,7 +278,8 @@ static int ti_edac_probe(struct platform_device *pdev) + + /* add EMIF ECC error handler */ + error_irq = platform_get_irq(pdev, 0); +- if (!error_irq) { ++ if (error_irq < 0) { ++ ret = error_irq; + edac_printk(KERN_ERR, EDAC_MOD_NAME, + "EMIF irq number not defined.\n"); + goto err; +-- +2.25.1 + diff --git a/queue-4.19/ext4-limit-entries-returned-when-counting-fsmap-reco.patch b/queue-4.19/ext4-limit-entries-returned-when-counting-fsmap-reco.patch new file mode 100644 index 00000000000..d2bbdc62b4b --- /dev/null +++ b/queue-4.19/ext4-limit-entries-returned-when-counting-fsmap-reco.patch @@ -0,0 +1,40 @@ +From 17978cbb2b62b409fd130f2cdbd86c9b41c2d5f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Oct 2020 15:21:48 -0700 +Subject: ext4: limit entries returned when counting fsmap records + +From: Darrick J. Wong + +[ Upstream commit af8c53c8bc087459b1aadd4c94805d8272358d79 ] + +If userspace asked fsmap to try to count the number of entries, we cannot +return more than UINT_MAX entries because fmh_entries is u32. +Therefore, stop counting if we hit this limit or else we will waste time +to return truncated results. + +Fixes: 0c9ec4beecac ("ext4: support GETFSMAP ioctls") +Signed-off-by: Darrick J. Wong +Link: https://lore.kernel.org/r/20201001222148.GA49520@magnolia +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/fsmap.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/ext4/fsmap.c b/fs/ext4/fsmap.c +index 4b99e2db95b8b..6f3f245f3a803 100644 +--- a/fs/ext4/fsmap.c ++++ b/fs/ext4/fsmap.c +@@ -108,6 +108,9 @@ static int ext4_getfsmap_helper(struct super_block *sb, + + /* Are we just counting mappings? */ + if (info->gfi_head->fmh_count == 0) { ++ if (info->gfi_head->fmh_entries == UINT_MAX) ++ return EXT4_QUERY_RANGE_ABORT; ++ + if (rec_fsblk > info->gfi_next_fsblk) + info->gfi_head->fmh_entries++; + +-- +2.25.1 + diff --git a/queue-4.19/f2fs-wait-for-sysfs-kobject-removal-before-freeing-f.patch b/queue-4.19/f2fs-wait-for-sysfs-kobject-removal-before-freeing-f.patch new file mode 100644 index 00000000000..e20e256b9ab --- /dev/null +++ b/queue-4.19/f2fs-wait-for-sysfs-kobject-removal-before-freeing-f.patch @@ -0,0 +1,78 @@ +From 9de534fc7463d58f63d52a459eaf1ea5813f6eb0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Oct 2020 14:09:48 +0100 +Subject: f2fs: wait for sysfs kobject removal before freeing f2fs_sb_info + +From: Jamie Iles + +[ Upstream commit ae284d87abade58c8db7760c808f311ef1ce693c ] + +syzkaller found that with CONFIG_DEBUG_KOBJECT_RELEASE=y, unmounting an +f2fs filesystem could result in the following splat: + + kobject: 'loop5' ((____ptrval____)): kobject_release, parent 0000000000000000 (delayed 250) + kobject: 'f2fs_xattr_entry-7:5' ((____ptrval____)): kobject_release, parent 0000000000000000 (delayed 750) + ------------[ cut here ]------------ + ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x98 + WARNING: CPU: 0 PID: 699 at lib/debugobjects.c:485 debug_print_object+0x180/0x240 + Kernel panic - not syncing: panic_on_warn set ... + CPU: 0 PID: 699 Comm: syz-executor.5 Tainted: G S 5.9.0-rc8+ #101 + Hardware name: linux,dummy-virt (DT) + Call trace: + dump_backtrace+0x0/0x4d8 + show_stack+0x34/0x48 + dump_stack+0x174/0x1f8 + panic+0x360/0x7a0 + __warn+0x244/0x2ec + report_bug+0x240/0x398 + bug_handler+0x50/0xc0 + call_break_hook+0x160/0x1d8 + brk_handler+0x30/0xc0 + do_debug_exception+0x184/0x340 + el1_dbg+0x48/0xb0 + el1_sync_handler+0x170/0x1c8 + el1_sync+0x80/0x100 + debug_print_object+0x180/0x240 + debug_check_no_obj_freed+0x200/0x430 + slab_free_freelist_hook+0x190/0x210 + kfree+0x13c/0x460 + f2fs_put_super+0x624/0xa58 + generic_shutdown_super+0x120/0x300 + kill_block_super+0x94/0xf8 + kill_f2fs_super+0x244/0x308 + deactivate_locked_super+0x104/0x150 + deactivate_super+0x118/0x148 + cleanup_mnt+0x27c/0x3c0 + __cleanup_mnt+0x28/0x38 + task_work_run+0x10c/0x248 + do_notify_resume+0x9d4/0x1188 + work_pending+0x8/0x34c + +Like the error handling for f2fs_register_sysfs(), we need to wait for +the kobject to be destroyed before returning to prevent a potential +use-after-free. + +Fixes: bf9e697ecd42 ("f2fs: expose features to sysfs entry") +Cc: Jaegeuk Kim +Cc: Chao Yu +Signed-off-by: Jamie Iles +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/sysfs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/f2fs/sysfs.c b/fs/f2fs/sysfs.c +index 9a59f49ba4050..89b6c33ba6a42 100644 +--- a/fs/f2fs/sysfs.c ++++ b/fs/f2fs/sysfs.c +@@ -717,4 +717,5 @@ void f2fs_unregister_sysfs(struct f2fs_sb_info *sbi) + } + kobject_del(&sbi->s_kobj); + kobject_put(&sbi->s_kobj); ++ wait_for_completion(&sbi->s_kobj_unregister); + } +-- +2.25.1 + diff --git a/queue-4.19/fix-use-after-free-in-get_capset_info-callback.patch b/queue-4.19/fix-use-after-free-in-get_capset_info-callback.patch new file mode 100644 index 00000000000..967d638b1e8 --- /dev/null +++ b/queue-4.19/fix-use-after-free-in-get_capset_info-callback.patch @@ -0,0 +1,61 @@ +From a5c072779f77ffacc565aaa993f42b674cd93047 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 14:08:25 -0700 +Subject: Fix use after free in get_capset_info callback. + +From: Doug Horn + +[ Upstream commit e219688fc5c3d0d9136f8d29d7e0498388f01440 ] + +If a response to virtio_gpu_cmd_get_capset_info takes longer than +five seconds to return, the callback will access freed kernel memory +in vg->capsets. + +Signed-off-by: Doug Horn +Link: http://patchwork.freedesktop.org/patch/msgid/20200902210847.2689-2-gurchetansingh@chromium.org +Signed-off-by: Gerd Hoffmann +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/virtio/virtgpu_kms.c | 2 ++ + drivers/gpu/drm/virtio/virtgpu_vq.c | 10 +++++++--- + 2 files changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/virtio/virtgpu_kms.c b/drivers/gpu/drm/virtio/virtgpu_kms.c +index 65060c08522d7..22397a23780c0 100644 +--- a/drivers/gpu/drm/virtio/virtgpu_kms.c ++++ b/drivers/gpu/drm/virtio/virtgpu_kms.c +@@ -113,8 +113,10 @@ static void virtio_gpu_get_capsets(struct virtio_gpu_device *vgdev, + vgdev->capsets[i].id > 0, 5 * HZ); + if (ret == 0) { + DRM_ERROR("timed out waiting for cap set %d\n", i); ++ spin_lock(&vgdev->display_info_lock); + kfree(vgdev->capsets); + vgdev->capsets = NULL; ++ spin_unlock(&vgdev->display_info_lock); + return; + } + DRM_INFO("cap set %d: id %d, max-version %d, max-size %d\n", +diff --git a/drivers/gpu/drm/virtio/virtgpu_vq.c b/drivers/gpu/drm/virtio/virtgpu_vq.c +index 608906f06cedd..3e72c6dac0ffe 100644 +--- a/drivers/gpu/drm/virtio/virtgpu_vq.c ++++ b/drivers/gpu/drm/virtio/virtgpu_vq.c +@@ -566,9 +566,13 @@ static void virtio_gpu_cmd_get_capset_info_cb(struct virtio_gpu_device *vgdev, + int i = le32_to_cpu(cmd->capset_index); + + spin_lock(&vgdev->display_info_lock); +- vgdev->capsets[i].id = le32_to_cpu(resp->capset_id); +- vgdev->capsets[i].max_version = le32_to_cpu(resp->capset_max_version); +- vgdev->capsets[i].max_size = le32_to_cpu(resp->capset_max_size); ++ if (vgdev->capsets) { ++ vgdev->capsets[i].id = le32_to_cpu(resp->capset_id); ++ vgdev->capsets[i].max_version = le32_to_cpu(resp->capset_max_version); ++ vgdev->capsets[i].max_size = le32_to_cpu(resp->capset_max_size); ++ } else { ++ DRM_ERROR("invalid capset memory."); ++ } + spin_unlock(&vgdev->display_info_lock); + wake_up(&vgdev->resp_wq); + } +-- +2.25.1 + diff --git a/queue-4.19/fs-dlm-fix-configfs-memory-leak.patch b/queue-4.19/fs-dlm-fix-configfs-memory-leak.patch new file mode 100644 index 00000000000..50aadb05264 --- /dev/null +++ b/queue-4.19/fs-dlm-fix-configfs-memory-leak.patch @@ -0,0 +1,70 @@ +From adad84bc66fb7bb2fcd790e6112e5b07b0aedc32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Aug 2020 15:02:51 -0400 +Subject: fs: dlm: fix configfs memory leak + +From: Alexander Aring + +[ Upstream commit 3d2825c8c6105b0f36f3ff72760799fa2e71420e ] + +This patch fixes the following memory detected by kmemleak and umount +gfs2 filesystem which removed the last lockspace: + +unreferenced object 0xffff9264f482f600 (size 192): + comm "dlm_controld", pid 325, jiffies 4294690276 (age 48.136s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 6e 6f 64 65 73 00 00 00 ........nodes... + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<00000000060481d7>] make_space+0x41/0x130 + [<000000008d905d46>] configfs_mkdir+0x1a2/0x5f0 + [<00000000729502cf>] vfs_mkdir+0x155/0x210 + [<000000000369bcf1>] do_mkdirat+0x6d/0x110 + [<00000000cc478a33>] do_syscall_64+0x33/0x40 + [<00000000ce9ccf01>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +The patch just remembers the "nodes" entry pointer in space as I think +it's created as subdirectory when parent "spaces" is created. In +function drop_space() we will lost the pointer reference to nds because +configfs_remove_default_groups(). However as this subdirectory is always +available when "spaces" exists it will just be freed when "spaces" will be +freed. + +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +Signed-off-by: Sasha Levin +--- + fs/dlm/config.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/dlm/config.c b/fs/dlm/config.c +index 1270551d24e38..f13d865244501 100644 +--- a/fs/dlm/config.c ++++ b/fs/dlm/config.c +@@ -218,6 +218,7 @@ struct dlm_space { + struct list_head members; + struct mutex members_lock; + int members_count; ++ struct dlm_nodes *nds; + }; + + struct dlm_comms { +@@ -426,6 +427,7 @@ static struct config_group *make_space(struct config_group *g, const char *name) + INIT_LIST_HEAD(&sp->members); + mutex_init(&sp->members_lock); + sp->members_count = 0; ++ sp->nds = nds; + return &sp->group; + + fail: +@@ -447,6 +449,7 @@ static void drop_space(struct config_group *g, struct config_item *i) + static void release_space(struct config_item *i) + { + struct dlm_space *sp = config_item_to_space(i); ++ kfree(sp->nds); + kfree(sp); + } + +-- +2.25.1 + diff --git a/queue-4.19/hid-hid-input-fix-stylus-battery-reporting.patch b/queue-4.19/hid-hid-input-fix-stylus-battery-reporting.patch new file mode 100644 index 00000000000..a257422d48f --- /dev/null +++ b/queue-4.19/hid-hid-input-fix-stylus-battery-reporting.patch @@ -0,0 +1,49 @@ +From 8cba88c32c9ca6c5a43bf698acd6a5e0e048c1fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 16:35:52 -0700 +Subject: HID: hid-input: fix stylus battery reporting + +From: Dmitry Torokhov + +[ Upstream commit 505f394fa239cecb76d916aa858f87ed7ea7fde4 ] + +With commit 4f3882177240 hid-input started clearing of "ignored" usages +to avoid using garbage that might have been left in them. However +"battery strength" usages should not be ignored, as we do want to +use them. + +Fixes: 4f3882177240 ("HID: hid-input: clear unmapped usages") +Reported-by: Kenneth Albanowski +Tested-by: Kenneth Albanowski +Signed-off-by: Dmitry Torokhov +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-input.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c +index a9da1526c40ae..11bd2ca22a2e6 100644 +--- a/drivers/hid/hid-input.c ++++ b/drivers/hid/hid-input.c +@@ -796,7 +796,7 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel + case 0x3b: /* Battery Strength */ + hidinput_setup_battery(device, HID_INPUT_REPORT, field); + usage->type = EV_PWR; +- goto ignore; ++ return; + + case 0x3c: /* Invert */ + map_key_clear(BTN_TOOL_RUBBER); +@@ -1052,7 +1052,7 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel + case HID_DC_BATTERYSTRENGTH: + hidinput_setup_battery(device, HID_INPUT_REPORT, field); + usage->type = EV_PWR; +- goto ignore; ++ return; + } + goto unknown; + +-- +2.25.1 + diff --git a/queue-4.19/hid-roccat-add-bounds-checking-in-kone_sysfs_write_s.patch b/queue-4.19/hid-roccat-add-bounds-checking-in-kone_sysfs_write_s.patch new file mode 100644 index 00000000000..4f39ca3dea8 --- /dev/null +++ b/queue-4.19/hid-roccat-add-bounds-checking-in-kone_sysfs_write_s.patch @@ -0,0 +1,78 @@ +From 561f363762ac385d5a5e58a2e0064adbdfe16728 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Aug 2020 11:57:35 +0300 +Subject: HID: roccat: add bounds checking in kone_sysfs_write_settings() + +From: Dan Carpenter + +[ Upstream commit d4f98dbfe717490e771b6e701904bfcf4b4557f0 ] + +This code doesn't check if "settings->startup_profile" is within bounds +and that could result in an out of bounds array access. What the code +does do is it checks if the settings can be written to the firmware, so +it's possible that the firmware has a bounds check? It's safer and +easier to verify when the bounds checking is done in the kernel. + +Fixes: 14bf62cde794 ("HID: add driver for Roccat Kone gaming mouse") +Signed-off-by: Dan Carpenter +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-roccat-kone.c | 23 ++++++++++++++++------- + 1 file changed, 16 insertions(+), 7 deletions(-) + +diff --git a/drivers/hid/hid-roccat-kone.c b/drivers/hid/hid-roccat-kone.c +index bf4675a273965..9be8c31f613fd 100644 +--- a/drivers/hid/hid-roccat-kone.c ++++ b/drivers/hid/hid-roccat-kone.c +@@ -297,31 +297,40 @@ static ssize_t kone_sysfs_write_settings(struct file *fp, struct kobject *kobj, + struct kone_device *kone = hid_get_drvdata(dev_get_drvdata(dev)); + struct usb_device *usb_dev = interface_to_usbdev(to_usb_interface(dev)); + int retval = 0, difference, old_profile; ++ struct kone_settings *settings = (struct kone_settings *)buf; + + /* I need to get my data in one piece */ + if (off != 0 || count != sizeof(struct kone_settings)) + return -EINVAL; + + mutex_lock(&kone->kone_lock); +- difference = memcmp(buf, &kone->settings, sizeof(struct kone_settings)); ++ difference = memcmp(settings, &kone->settings, ++ sizeof(struct kone_settings)); + if (difference) { +- retval = kone_set_settings(usb_dev, +- (struct kone_settings const *)buf); +- if (retval) { +- mutex_unlock(&kone->kone_lock); +- return retval; ++ if (settings->startup_profile < 1 || ++ settings->startup_profile > 5) { ++ retval = -EINVAL; ++ goto unlock; + } + ++ retval = kone_set_settings(usb_dev, settings); ++ if (retval) ++ goto unlock; ++ + old_profile = kone->settings.startup_profile; +- memcpy(&kone->settings, buf, sizeof(struct kone_settings)); ++ memcpy(&kone->settings, settings, sizeof(struct kone_settings)); + + kone_profile_activated(kone, kone->settings.startup_profile); + + if (kone->settings.startup_profile != old_profile) + kone_profile_report(kone, kone->settings.startup_profile); + } ++unlock: + mutex_unlock(&kone->kone_lock); + ++ if (retval) ++ return retval; ++ + return sizeof(struct kone_settings); + } + static BIN_ATTR(settings, 0660, kone_sysfs_read_settings, +-- +2.25.1 + diff --git a/queue-4.19/hwmon-pmbus-max34440-fix-status-register-reads-for-m.patch b/queue-4.19/hwmon-pmbus-max34440-fix-status-register-reads-for-m.patch new file mode 100644 index 00000000000..d8295092034 --- /dev/null +++ b/queue-4.19/hwmon-pmbus-max34440-fix-status-register-reads-for-m.patch @@ -0,0 +1,55 @@ +From 87ac2e55d0e0b4b1cce32c7418e4bea0fbbbe914 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Sep 2020 14:39:29 -0700 +Subject: hwmon: (pmbus/max34440) Fix status register reads for + MAX344{51,60,61} + +From: Guenter Roeck + +[ Upstream commit 6c094b31ea2ad773824362ba0fccb88d36f8d32d ] + +Starting with MAX34451, the chips of this series support STATUS_IOUT and +STATUS_TEMPERATURE commands, and no longer report over-current and +over-temperature status with STATUS_MFR_SPECIFIC. + +Fixes: 7a001dbab4ade ("hwmon: (pmbus/max34440) Add support for MAX34451.") +Fixes: 50115ac9b6f35 ("hwmon: (pmbus/max34440) Add support for MAX34460 and MAX34461") +Reported-by: Steve Foreman +Cc: Steve Foreman +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/pmbus/max34440.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/hwmon/pmbus/max34440.c b/drivers/hwmon/pmbus/max34440.c +index 47576c4600105..9af5ab52ca31c 100644 +--- a/drivers/hwmon/pmbus/max34440.c ++++ b/drivers/hwmon/pmbus/max34440.c +@@ -400,7 +400,6 @@ static struct pmbus_driver_info max34440_info[] = { + .func[18] = PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP, + .func[19] = PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP, + .func[20] = PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP, +- .read_byte_data = max34440_read_byte_data, + .read_word_data = max34440_read_word_data, + .write_word_data = max34440_write_word_data, + }, +@@ -431,7 +430,6 @@ static struct pmbus_driver_info max34440_info[] = { + .func[15] = PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP, + .func[16] = PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP, + .func[17] = PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP, +- .read_byte_data = max34440_read_byte_data, + .read_word_data = max34440_read_word_data, + .write_word_data = max34440_write_word_data, + }, +@@ -467,7 +465,6 @@ static struct pmbus_driver_info max34440_info[] = { + .func[19] = PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP, + .func[20] = PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP, + .func[21] = PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP, +- .read_byte_data = max34440_read_byte_data, + .read_word_data = max34440_read_word_data, + .write_word_data = max34440_write_word_data, + }, +-- +2.25.1 + diff --git a/queue-4.19/i2c-core-restore-acpi_walk_dep_device_list-getting-c.patch b/queue-4.19/i2c-core-restore-acpi_walk_dep_device_list-getting-c.patch new file mode 100644 index 00000000000..b7168f22a1c --- /dev/null +++ b/queue-4.19/i2c-core-restore-acpi_walk_dep_device_list-getting-c.patch @@ -0,0 +1,79 @@ +From b8ab0d89c20a9320a672246da6a19e1868706d65 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Oct 2020 16:41:58 +0200 +Subject: i2c: core: Restore acpi_walk_dep_device_list() getting called after + registering the ACPI i2c devs + +From: Hans de Goede + +[ Upstream commit 8058d69905058ec8f467a120b5ec5bb831ea67f3 ] + +Commit 21653a4181ff ("i2c: core: Call i2c_acpi_install_space_handler() +before i2c_acpi_register_devices()")'s intention was to only move the +acpi_install_address_space_handler() call to the point before where +the ACPI declared i2c-children of the adapter where instantiated by +i2c_acpi_register_devices(). + +But i2c_acpi_install_space_handler() had a call to +acpi_walk_dep_device_list() hidden (that is I missed it) at the end +of it, so as an unwanted side-effect now acpi_walk_dep_device_list() +was also being called before i2c_acpi_register_devices(). + +Move the acpi_walk_dep_device_list() call to the end of +i2c_acpi_register_devices(), so that it is once again called *after* +the i2c_client-s hanging of the adapter have been created. + +This fixes the Microsoft Surface Go 2 hanging at boot. + +Fixes: 21653a4181ff ("i2c: core: Call i2c_acpi_install_space_handler() before i2c_acpi_register_devices()") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=209627 +Reported-by: Rainer Finke +Reported-by: Kieran Bingham +Suggested-by: Maximilian Luz +Tested-by: Kieran Bingham +Signed-off-by: Hans de Goede +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/i2c-core-acpi.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/i2c/i2c-core-acpi.c b/drivers/i2c/i2c-core-acpi.c +index eb05693593875..8ba4122fb3404 100644 +--- a/drivers/i2c/i2c-core-acpi.c ++++ b/drivers/i2c/i2c-core-acpi.c +@@ -219,6 +219,7 @@ static acpi_status i2c_acpi_add_device(acpi_handle handle, u32 level, + void i2c_acpi_register_devices(struct i2c_adapter *adap) + { + acpi_status status; ++ acpi_handle handle; + + if (!has_acpi_companion(&adap->dev)) + return; +@@ -229,6 +230,15 @@ void i2c_acpi_register_devices(struct i2c_adapter *adap) + adap, NULL); + if (ACPI_FAILURE(status)) + dev_warn(&adap->dev, "failed to enumerate I2C slaves\n"); ++ ++ if (!adap->dev.parent) ++ return; ++ ++ handle = ACPI_HANDLE(adap->dev.parent); ++ if (!handle) ++ return; ++ ++ acpi_walk_dep_device_list(handle); + } + + const struct acpi_device_id * +@@ -693,7 +703,6 @@ int i2c_acpi_install_space_handler(struct i2c_adapter *adapter) + return -ENOMEM; + } + +- acpi_walk_dep_device_list(handle); + return 0; + } + +-- +2.25.1 + diff --git a/queue-4.19/i2c-rcar-auto-select-reset_controller.patch b/queue-4.19/i2c-rcar-auto-select-reset_controller.patch new file mode 100644 index 00000000000..7f3785cd685 --- /dev/null +++ b/queue-4.19/i2c-rcar-auto-select-reset_controller.patch @@ -0,0 +1,39 @@ +From 3ef59c12dafba3b0eb543d389d0d35ddfcd53de4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Aug 2020 11:23:30 +0200 +Subject: i2c: rcar: Auto select RESET_CONTROLLER + +From: Dirk Behme + +[ Upstream commit 5b9bacf28a973a6b16510493416baeefa2c06289 ] + +The i2c-rcar driver utilizes the Generic Reset Controller kernel +feature, so select the RESET_CONTROLLER option when the I2C_RCAR +option is selected with a Gen3 SoC. + +Fixes: 2b16fd63059ab9 ("i2c: rcar: handle RXDMA HW behaviour on Gen3") +Signed-off-by: Dirk Behme +Signed-off-by: Andy Lowe +[erosca: Add "if ARCH_RCAR_GEN3" per Wolfram's request] +Signed-off-by: Eugeniu Rosca +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/i2c/busses/Kconfig b/drivers/i2c/busses/Kconfig +index ee6dd1b84fac8..017aec34a238d 100644 +--- a/drivers/i2c/busses/Kconfig ++++ b/drivers/i2c/busses/Kconfig +@@ -1117,6 +1117,7 @@ config I2C_RCAR + tristate "Renesas R-Car I2C Controller" + depends on ARCH_RENESAS || COMPILE_TEST + select I2C_SLAVE ++ select RESET_CONTROLLER if ARCH_RCAR_GEN3 + help + If you say yes to this option, support will be included for the + R-Car I2C controller. +-- +2.25.1 + diff --git a/queue-4.19/ib-mlx4-adjust-delayed-work-when-a-dup-is-observed.patch b/queue-4.19/ib-mlx4-adjust-delayed-work-when-a-dup-is-observed.patch new file mode 100644 index 00000000000..5ced942f03c --- /dev/null +++ b/queue-4.19/ib-mlx4-adjust-delayed-work-when-a-dup-is-observed.patch @@ -0,0 +1,41 @@ +From 7f75135f2bd96dfd138b2fd8688b60ebdb3c373b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Aug 2020 08:19:41 +0200 +Subject: IB/mlx4: Adjust delayed work when a dup is observed +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: HÃ¥kon Bugge + +[ Upstream commit 785167a114855c5aa75efca97000e405c2cc85bf ] + +When scheduling delayed work to clean up the cache, if the entry already +has been scheduled for deletion, we adjust the delay. + +Fixes: 3cf69cc8dbeb ("IB/mlx4: Add CM paravirtualization") +Link: https://lore.kernel.org/r/20200803061941.1139994-7-haakon.bugge@oracle.com +Signed-off-by: HÃ¥kon Bugge +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx4/cm.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/infiniband/hw/mlx4/cm.c b/drivers/infiniband/hw/mlx4/cm.c +index 8c79a480f2b76..d3e11503e67ca 100644 +--- a/drivers/infiniband/hw/mlx4/cm.c ++++ b/drivers/infiniband/hw/mlx4/cm.c +@@ -307,6 +307,9 @@ static void schedule_delayed(struct ib_device *ibdev, struct id_map_entry *id) + if (!sriov->is_going_down) { + id->scheduled_delete = 1; + schedule_delayed_work(&id->timeout, CM_CLEANUP_CACHE_TIMEOUT); ++ } else if (id->scheduled_delete) { ++ /* Adjust timeout if already scheduled */ ++ mod_delayed_work(system_wq, &id->timeout, CM_CLEANUP_CACHE_TIMEOUT); + } + spin_unlock_irqrestore(&sriov->going_down_lock, flags); + spin_unlock(&sriov->id_map_lock); +-- +2.25.1 + diff --git a/queue-4.19/ib-mlx4-fix-starvation-in-paravirt-mux-demux.patch b/queue-4.19/ib-mlx4-fix-starvation-in-paravirt-mux-demux.patch new file mode 100644 index 00000000000..a1282d22938 --- /dev/null +++ b/queue-4.19/ib-mlx4-fix-starvation-in-paravirt-mux-demux.patch @@ -0,0 +1,181 @@ +From ce74e13300c55e9e27a7f0eec2c3a078ef2a7888 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Aug 2020 08:19:39 +0200 +Subject: IB/mlx4: Fix starvation in paravirt mux/demux +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: HÃ¥kon Bugge + +[ Upstream commit 7fd1507df7cee9c533f38152fcd1dd769fcac6ce ] + +The mlx4 driver will proxy MAD packets through the PF driver. A VM or an +instantiated VF will send its MAD packets to the PF driver using +loop-back. The PF driver will be informed by an interrupt, but defer the +handling and polling of CQEs to a worker thread running on an ordered +work-queue. + +Consider the following scenario: the VMs will in short proximity in time, +for example due to a network event, send many MAD packets to the PF +driver. Lets say there are K VMs, each sending N packets. + +The interrupt from the first VM will start the worker thread, which will +poll N CQEs. A common case here is where the PF driver will multiplex the +packets received from the VMs out on the wire QP. + +But before the wire QP has returned a send CQE and associated interrupt, +the other K - 1 VMs have sent their N packets as well. + +The PF driver has to multiplex K * N packets out on the wire QP. But the +send-queue on the wire QP has a finite capacity. + +So, in this scenario, if K * N is larger than the send-queue capacity of +the wire QP, we will get MAD packets dropped on the floor with this +dynamic debug message: + +mlx4_ib_multiplex_mad: failed sending GSI to wire on behalf of slave 2 (-11) + +and this despite the fact that the wire send-queue could have capacity, +but the PF driver isn't aware, because the wire send CQEs have not yet +been polled. + +We can also have a similar scenario inbound, with a wire recv-queue larger +than the tunnel QP's send-queue. If many remote peers send MAD packets to +the very same VM, the tunnel send-queue destined to the VM could allegedly +be construed to be full by the PF driver. + +This starvation is fixed by introducing separate work queues for the wire +QPs vs. the tunnel QPs. + +With this fix, using a dual ported HCA, 8 VFs instantiated, we could run +cmtime on each of the 18 interfaces towards a similar configured peer, +each cmtime instance with 800 QPs (all in all 14400 QPs) without a single +CM packet getting lost. + +Fixes: 3cf69cc8dbeb ("IB/mlx4: Add CM paravirtualization") +Link: https://lore.kernel.org/r/20200803061941.1139994-5-haakon.bugge@oracle.com +Signed-off-by: HÃ¥kon Bugge +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx4/mad.c | 34 +++++++++++++++++++++++++--- + drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 ++ + 2 files changed, 33 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx4/mad.c b/drivers/infiniband/hw/mlx4/mad.c +index 5aaa2a6c431b6..418b9312fb2d7 100644 +--- a/drivers/infiniband/hw/mlx4/mad.c ++++ b/drivers/infiniband/hw/mlx4/mad.c +@@ -1305,6 +1305,18 @@ static void mlx4_ib_tunnel_comp_handler(struct ib_cq *cq, void *arg) + spin_unlock_irqrestore(&dev->sriov.going_down_lock, flags); + } + ++static void mlx4_ib_wire_comp_handler(struct ib_cq *cq, void *arg) ++{ ++ unsigned long flags; ++ struct mlx4_ib_demux_pv_ctx *ctx = cq->cq_context; ++ struct mlx4_ib_dev *dev = to_mdev(ctx->ib_dev); ++ ++ spin_lock_irqsave(&dev->sriov.going_down_lock, flags); ++ if (!dev->sriov.is_going_down && ctx->state == DEMUX_PV_STATE_ACTIVE) ++ queue_work(ctx->wi_wq, &ctx->work); ++ spin_unlock_irqrestore(&dev->sriov.going_down_lock, flags); ++} ++ + static int mlx4_ib_post_pv_qp_buf(struct mlx4_ib_demux_pv_ctx *ctx, + struct mlx4_ib_demux_pv_qp *tun_qp, + int index) +@@ -2000,7 +2012,8 @@ static int create_pv_resources(struct ib_device *ibdev, int slave, int port, + cq_size *= 2; + + cq_attr.cqe = cq_size; +- ctx->cq = ib_create_cq(ctx->ib_dev, mlx4_ib_tunnel_comp_handler, ++ ctx->cq = ib_create_cq(ctx->ib_dev, ++ create_tun ? mlx4_ib_tunnel_comp_handler : mlx4_ib_wire_comp_handler, + NULL, ctx, &cq_attr); + if (IS_ERR(ctx->cq)) { + ret = PTR_ERR(ctx->cq); +@@ -2037,6 +2050,7 @@ static int create_pv_resources(struct ib_device *ibdev, int slave, int port, + INIT_WORK(&ctx->work, mlx4_ib_sqp_comp_worker); + + ctx->wq = to_mdev(ibdev)->sriov.demux[port - 1].wq; ++ ctx->wi_wq = to_mdev(ibdev)->sriov.demux[port - 1].wi_wq; + + ret = ib_req_notify_cq(ctx->cq, IB_CQ_NEXT_COMP); + if (ret) { +@@ -2180,7 +2194,7 @@ static int mlx4_ib_alloc_demux_ctx(struct mlx4_ib_dev *dev, + goto err_mcg; + } + +- snprintf(name, sizeof name, "mlx4_ibt%d", port); ++ snprintf(name, sizeof(name), "mlx4_ibt%d", port); + ctx->wq = alloc_ordered_workqueue(name, WQ_MEM_RECLAIM); + if (!ctx->wq) { + pr_err("Failed to create tunnelling WQ for port %d\n", port); +@@ -2188,7 +2202,15 @@ static int mlx4_ib_alloc_demux_ctx(struct mlx4_ib_dev *dev, + goto err_wq; + } + +- snprintf(name, sizeof name, "mlx4_ibud%d", port); ++ snprintf(name, sizeof(name), "mlx4_ibwi%d", port); ++ ctx->wi_wq = alloc_ordered_workqueue(name, WQ_MEM_RECLAIM); ++ if (!ctx->wi_wq) { ++ pr_err("Failed to create wire WQ for port %d\n", port); ++ ret = -ENOMEM; ++ goto err_wiwq; ++ } ++ ++ snprintf(name, sizeof(name), "mlx4_ibud%d", port); + ctx->ud_wq = alloc_ordered_workqueue(name, WQ_MEM_RECLAIM); + if (!ctx->ud_wq) { + pr_err("Failed to create up/down WQ for port %d\n", port); +@@ -2199,6 +2221,10 @@ static int mlx4_ib_alloc_demux_ctx(struct mlx4_ib_dev *dev, + return 0; + + err_udwq: ++ destroy_workqueue(ctx->wi_wq); ++ ctx->wi_wq = NULL; ++ ++err_wiwq: + destroy_workqueue(ctx->wq); + ctx->wq = NULL; + +@@ -2246,12 +2272,14 @@ static void mlx4_ib_free_demux_ctx(struct mlx4_ib_demux_ctx *ctx) + ctx->tun[i]->state = DEMUX_PV_STATE_DOWNING; + } + flush_workqueue(ctx->wq); ++ flush_workqueue(ctx->wi_wq); + for (i = 0; i < dev->dev->caps.sqp_demux; i++) { + destroy_pv_resources(dev, i, ctx->port, ctx->tun[i], 0); + free_pv_object(dev, i, ctx->port); + } + kfree(ctx->tun); + destroy_workqueue(ctx->ud_wq); ++ destroy_workqueue(ctx->wi_wq); + destroy_workqueue(ctx->wq); + } + } +diff --git a/drivers/infiniband/hw/mlx4/mlx4_ib.h b/drivers/infiniband/hw/mlx4/mlx4_ib.h +index e10dccc7958f1..76ca67aa40158 100644 +--- a/drivers/infiniband/hw/mlx4/mlx4_ib.h ++++ b/drivers/infiniband/hw/mlx4/mlx4_ib.h +@@ -464,6 +464,7 @@ struct mlx4_ib_demux_pv_ctx { + struct ib_pd *pd; + struct work_struct work; + struct workqueue_struct *wq; ++ struct workqueue_struct *wi_wq; + struct mlx4_ib_demux_pv_qp qp[2]; + }; + +@@ -471,6 +472,7 @@ struct mlx4_ib_demux_ctx { + struct ib_device *ib_dev; + int port; + struct workqueue_struct *wq; ++ struct workqueue_struct *wi_wq; + struct workqueue_struct *ud_wq; + spinlock_t ud_lock; + atomic64_t subnet_prefix; +-- +2.25.1 + diff --git a/queue-4.19/ib-rdmavt-fix-sizeof-mismatch.patch b/queue-4.19/ib-rdmavt-fix-sizeof-mismatch.patch new file mode 100644 index 00000000000..2937d2ab637 --- /dev/null +++ b/queue-4.19/ib-rdmavt-fix-sizeof-mismatch.patch @@ -0,0 +1,46 @@ +From 46ce6c2f3f6bba77498f9b51b9caaae7d98af806 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Oct 2020 10:52:04 +0100 +Subject: IB/rdmavt: Fix sizeof mismatch + +From: Colin Ian King + +[ Upstream commit 8e71f694e0c819db39af2336f16eb9689f1ae53f ] + +An incorrect sizeof is being used, struct rvt_ibport ** is not correct, it +should be struct rvt_ibport *. Note that since ** is the same size as +* this is not causing any issues. Improve this fix by using +sizeof(*rdi->ports) as this allows us to not even reference the type +of the pointer. Also remove line breaks as the entire statement can +fit on one line. + +Link: https://lore.kernel.org/r/20201008095204.82683-1-colin.king@canonical.com +Addresses-Coverity: ("Sizeof not portable (SIZEOF_MISMATCH)") +Fixes: ff6acd69518e ("IB/rdmavt: Add device structure allocation") +Signed-off-by: Colin Ian King +Reviewed-by: Ira Weiny +Acked-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rdmavt/vt.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/infiniband/sw/rdmavt/vt.c b/drivers/infiniband/sw/rdmavt/vt.c +index 17e4abc067afa..541ee30727aa0 100644 +--- a/drivers/infiniband/sw/rdmavt/vt.c ++++ b/drivers/infiniband/sw/rdmavt/vt.c +@@ -95,9 +95,7 @@ struct rvt_dev_info *rvt_alloc_device(size_t size, int nports) + if (!rdi) + return rdi; + +- rdi->ports = kcalloc(nports, +- sizeof(struct rvt_ibport **), +- GFP_KERNEL); ++ rdi->ports = kcalloc(nports, sizeof(*rdi->ports), GFP_KERNEL); + if (!rdi->ports) + ib_dealloc_device(&rdi->ibdev); + +-- +2.25.1 + diff --git a/queue-4.19/input-ep93xx_keypad-fix-handling-of-platform_get_irq.patch b/queue-4.19/input-ep93xx_keypad-fix-handling-of-platform_get_irq.patch new file mode 100644 index 00000000000..1a02a7a747c --- /dev/null +++ b/queue-4.19/input-ep93xx_keypad-fix-handling-of-platform_get_irq.patch @@ -0,0 +1,39 @@ +From a86f4c40c30587354a2baedbfe232fa55f4ac46f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 17:51:05 -0700 +Subject: Input: ep93xx_keypad - fix handling of platform_get_irq() error + +From: Krzysztof Kozlowski + +[ Upstream commit 7d50f6656dacf085a00beeedbc48b19a37d17881 ] + +platform_get_irq() returns -ERRNO on error. In such case comparison +to 0 would pass the check. + +Fixes: 60214f058f44 ("Input: ep93xx_keypad - update driver to new core support") +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20200828145744.3636-1-krzk@kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/keyboard/ep93xx_keypad.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/input/keyboard/ep93xx_keypad.c b/drivers/input/keyboard/ep93xx_keypad.c +index f77b295e0123e..01788a78041b3 100644 +--- a/drivers/input/keyboard/ep93xx_keypad.c ++++ b/drivers/input/keyboard/ep93xx_keypad.c +@@ -257,8 +257,8 @@ static int ep93xx_keypad_probe(struct platform_device *pdev) + } + + keypad->irq = platform_get_irq(pdev, 0); +- if (!keypad->irq) { +- err = -ENXIO; ++ if (keypad->irq < 0) { ++ err = keypad->irq; + goto failed_free; + } + +-- +2.25.1 + diff --git a/queue-4.19/input-imx6ul_tsc-clean-up-some-errors-in-imx6ul_tsc_.patch b/queue-4.19/input-imx6ul_tsc-clean-up-some-errors-in-imx6ul_tsc_.patch new file mode 100644 index 00000000000..4204bab32d1 --- /dev/null +++ b/queue-4.19/input-imx6ul_tsc-clean-up-some-errors-in-imx6ul_tsc_.patch @@ -0,0 +1,67 @@ +From 5a4e532640c83999d589c8764531c5a3e33c76f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Sep 2020 10:17:01 -0700 +Subject: Input: imx6ul_tsc - clean up some errors in imx6ul_tsc_resume() + +From: Dan Carpenter + +[ Upstream commit 30df23c5ecdfb8da5b0bc17ceef67eff9e1b0957 ] + +If imx6ul_tsc_init() fails then we need to clean up the clocks. + +I reversed the "if (input_dev->users) {" condition to make the code a +bit simpler. + +Fixes: 6cc527b05847 ("Input: imx6ul_tsc - propagate the errors") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/20200905124942.GC183976@mwanda +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/touchscreen/imx6ul_tsc.c | 27 +++++++++++++++----------- + 1 file changed, 16 insertions(+), 11 deletions(-) + +diff --git a/drivers/input/touchscreen/imx6ul_tsc.c b/drivers/input/touchscreen/imx6ul_tsc.c +index c10fc594f94d9..6bfe42a11452a 100644 +--- a/drivers/input/touchscreen/imx6ul_tsc.c ++++ b/drivers/input/touchscreen/imx6ul_tsc.c +@@ -538,20 +538,25 @@ static int __maybe_unused imx6ul_tsc_resume(struct device *dev) + + mutex_lock(&input_dev->mutex); + +- if (input_dev->users) { +- retval = clk_prepare_enable(tsc->adc_clk); +- if (retval) +- goto out; +- +- retval = clk_prepare_enable(tsc->tsc_clk); +- if (retval) { +- clk_disable_unprepare(tsc->adc_clk); +- goto out; +- } ++ if (!input_dev->users) ++ goto out; + +- retval = imx6ul_tsc_init(tsc); ++ retval = clk_prepare_enable(tsc->adc_clk); ++ if (retval) ++ goto out; ++ ++ retval = clk_prepare_enable(tsc->tsc_clk); ++ if (retval) { ++ clk_disable_unprepare(tsc->adc_clk); ++ goto out; + } + ++ retval = imx6ul_tsc_init(tsc); ++ if (retval) { ++ clk_disable_unprepare(tsc->tsc_clk); ++ clk_disable_unprepare(tsc->adc_clk); ++ goto out; ++ } + out: + mutex_unlock(&input_dev->mutex); + return retval; +-- +2.25.1 + diff --git a/queue-4.19/input-omap4-keypad-fix-handling-of-platform_get_irq-.patch b/queue-4.19/input-omap4-keypad-fix-handling-of-platform_get_irq-.patch new file mode 100644 index 00000000000..60a752c2915 --- /dev/null +++ b/queue-4.19/input-omap4-keypad-fix-handling-of-platform_get_irq-.patch @@ -0,0 +1,41 @@ +From f0e8f32c04f9be6dfcac61848e888dfc9d743d03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 17:52:15 -0700 +Subject: Input: omap4-keypad - fix handling of platform_get_irq() error + +From: Krzysztof Kozlowski + +[ Upstream commit 4738dd1992fa13acfbbd71800c71c612f466fa44 ] + +platform_get_irq() returns -ERRNO on error. In such case comparison +to 0 would pass the check. + +Fixes: f3a1ba60dbdb ("Input: omap4-keypad - use platform device helpers") +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20200828145744.3636-2-krzk@kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/keyboard/omap4-keypad.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/input/keyboard/omap4-keypad.c b/drivers/input/keyboard/omap4-keypad.c +index 840e53732753f..aeeef50cef9bb 100644 +--- a/drivers/input/keyboard/omap4-keypad.c ++++ b/drivers/input/keyboard/omap4-keypad.c +@@ -253,10 +253,8 @@ static int omap4_keypad_probe(struct platform_device *pdev) + } + + irq = platform_get_irq(pdev, 0); +- if (!irq) { +- dev_err(&pdev->dev, "no keyboard irq assigned\n"); +- return -EINVAL; +- } ++ if (irq < 0) ++ return irq; + + keypad_data = kzalloc(sizeof(struct omap4_keypad), GFP_KERNEL); + if (!keypad_data) { +-- +2.25.1 + diff --git a/queue-4.19/input-stmfts-fix-a-vs-typo.patch b/queue-4.19/input-stmfts-fix-a-vs-typo.patch new file mode 100644 index 00000000000..286a8f27b4b --- /dev/null +++ b/queue-4.19/input-stmfts-fix-a-vs-typo.patch @@ -0,0 +1,37 @@ +From f17599b6b94cf9b5e3d7ee6bd14a69316cfa4089 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 10:26:09 -0700 +Subject: Input: stmfts - fix a & vs && typo + +From: YueHaibing + +[ Upstream commit d04afe14b23651e7a8bc89727a759e982a8458e4 ] + +In stmfts_sysfs_hover_enable_write(), we should check value and +sdata->hover_enabled is all true. + +Fixes: 78bcac7b2ae1 ("Input: add support for the STMicroelectronics FingerTip touchscreen") +Signed-off-by: YueHaibing +Link: https://lore.kernel.org/r/20200916141941.16684-1-yuehaibing@huawei.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/touchscreen/stmfts.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/input/touchscreen/stmfts.c b/drivers/input/touchscreen/stmfts.c +index b6f95f20f9244..cd8805d71d977 100644 +--- a/drivers/input/touchscreen/stmfts.c ++++ b/drivers/input/touchscreen/stmfts.c +@@ -479,7 +479,7 @@ static ssize_t stmfts_sysfs_hover_enable_write(struct device *dev, + + mutex_lock(&sdata->mutex); + +- if (value & sdata->hover_enabled) ++ if (value && sdata->hover_enabled) + goto out; + + if (sdata->running) +-- +2.25.1 + diff --git a/queue-4.19/input-sun4i-ps2-fix-handling-of-platform_get_irq-err.patch b/queue-4.19/input-sun4i-ps2-fix-handling-of-platform_get_irq-err.patch new file mode 100644 index 00000000000..207c50b70b6 --- /dev/null +++ b/queue-4.19/input-sun4i-ps2-fix-handling-of-platform_get_irq-err.patch @@ -0,0 +1,55 @@ +From e89d44891e37b4191a2166282de4fb636d6510ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 17:56:40 -0700 +Subject: Input: sun4i-ps2 - fix handling of platform_get_irq() error + +From: Krzysztof Kozlowski + +[ Upstream commit cafb3abea6136e59ea534004e5773361e196bb94 ] + +platform_get_irq() returns -ERRNO on error. In such case comparison +to 0 would pass the check. + +Fixes: e443631d20f5 ("Input: serio - add support for Alwinner A10/A20 PS/2 controller") +Signed-off-by: Krzysztof Kozlowski +Acked-by: Chen-Yu Tsai +Link: https://lore.kernel.org/r/20200828145744.3636-4-krzk@kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/serio/sun4i-ps2.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/drivers/input/serio/sun4i-ps2.c b/drivers/input/serio/sun4i-ps2.c +index 04b96fe393397..46512b4d686a8 100644 +--- a/drivers/input/serio/sun4i-ps2.c ++++ b/drivers/input/serio/sun4i-ps2.c +@@ -210,7 +210,6 @@ static int sun4i_ps2_probe(struct platform_device *pdev) + struct sun4i_ps2data *drvdata; + struct serio *serio; + struct device *dev = &pdev->dev; +- unsigned int irq; + int error; + + drvdata = kzalloc(sizeof(struct sun4i_ps2data), GFP_KERNEL); +@@ -263,14 +262,12 @@ static int sun4i_ps2_probe(struct platform_device *pdev) + writel(0, drvdata->reg_base + PS2_REG_GCTL); + + /* Get IRQ for the device */ +- irq = platform_get_irq(pdev, 0); +- if (!irq) { +- dev_err(dev, "no IRQ found\n"); +- error = -ENXIO; ++ drvdata->irq = platform_get_irq(pdev, 0); ++ if (drvdata->irq < 0) { ++ error = drvdata->irq; + goto err_disable_clk; + } + +- drvdata->irq = irq; + drvdata->serio = serio; + drvdata->dev = dev; + +-- +2.25.1 + diff --git a/queue-4.19/input-twl4030_keypad-fix-handling-of-platform_get_ir.patch b/queue-4.19/input-twl4030_keypad-fix-handling-of-platform_get_ir.patch new file mode 100644 index 00000000000..8373d697f8b --- /dev/null +++ b/queue-4.19/input-twl4030_keypad-fix-handling-of-platform_get_ir.patch @@ -0,0 +1,51 @@ +From 7692d097c2f1958f121142c93b08fa251d7c1747 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 17:56:19 -0700 +Subject: Input: twl4030_keypad - fix handling of platform_get_irq() error + +From: Krzysztof Kozlowski + +[ Upstream commit c277e1f0dc3c7d7b5b028e20dd414df241642036 ] + +platform_get_irq() returns -ERRNO on error. In such case casting to +unsigned and comparing to 0 would pass the check. + +Fixes: 7abf38d6d13c ("Input: twl4030-keypad - add device tree support") +Reported-by: kernel test robot +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20200828145744.3636-3-krzk@kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/keyboard/twl4030_keypad.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/input/keyboard/twl4030_keypad.c b/drivers/input/keyboard/twl4030_keypad.c +index f9f98ef1d98e3..8677dbe0fd209 100644 +--- a/drivers/input/keyboard/twl4030_keypad.c ++++ b/drivers/input/keyboard/twl4030_keypad.c +@@ -63,7 +63,7 @@ struct twl4030_keypad { + bool autorepeat; + unsigned int n_rows; + unsigned int n_cols; +- unsigned int irq; ++ int irq; + + struct device *dbg_dev; + struct input_dev *input; +@@ -389,10 +389,8 @@ static int twl4030_kp_probe(struct platform_device *pdev) + } + + kp->irq = platform_get_irq(pdev, 0); +- if (!kp->irq) { +- dev_err(&pdev->dev, "no keyboard irq assigned\n"); +- return -EINVAL; +- } ++ if (kp->irq < 0) ++ return kp->irq; + + error = matrix_keypad_build_keymap(keymap_data, NULL, + TWL4030_MAX_ROWS, +-- +2.25.1 + diff --git a/queue-4.19/ip_gre-set-dev-hard_header_len-and-dev-needed_headro.patch b/queue-4.19/ip_gre-set-dev-hard_header_len-and-dev-needed_headro.patch new file mode 100644 index 00000000000..580207de584 --- /dev/null +++ b/queue-4.19/ip_gre-set-dev-hard_header_len-and-dev-needed_headro.patch @@ -0,0 +1,90 @@ +From 742f57e8866ed05a7b005996409e4e5bb4465c22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Oct 2020 16:17:21 -0700 +Subject: ip_gre: set dev->hard_header_len and dev->needed_headroom properly + +From: Cong Wang + +[ Upstream commit fdafed459998e2be0e877e6189b24cb7a0183224 ] + +GRE tunnel has its own header_ops, ipgre_header_ops, and sets it +conditionally. When it is set, it assumes the outer IP header is +already created before ipgre_xmit(). + +This is not true when we send packets through a raw packet socket, +where L2 headers are supposed to be constructed by user. Packet +socket calls dev_validate_header() to validate the header. But +GRE tunnel does not set dev->hard_header_len, so that check can +be simply bypassed, therefore uninit memory could be passed down +to ipgre_xmit(). Similar for dev->needed_headroom. + +dev->hard_header_len is supposed to be the length of the header +created by dev->header_ops->create(), so it should be used whenever +header_ops is set, and dev->needed_headroom should be used when it +is not set. + +Reported-and-tested-by: syzbot+4a2c52677a8a1aa283cb@syzkaller.appspotmail.com +Cc: William Tu +Acked-by: Willem de Bruijn +Signed-off-by: Cong Wang +Acked-by: Xie He +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/ip_gre.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c +index ffcb5983107db..de6f89511a216 100644 +--- a/net/ipv4/ip_gre.c ++++ b/net/ipv4/ip_gre.c +@@ -680,9 +680,7 @@ static netdev_tx_t ipgre_xmit(struct sk_buff *skb, + } + + if (dev->header_ops) { +- /* Need space for new headers */ +- if (skb_cow_head(skb, dev->needed_headroom - +- (tunnel->hlen + sizeof(struct iphdr)))) ++ if (skb_cow_head(skb, 0)) + goto free_skb; + + tnl_params = (const struct iphdr *)skb->data; +@@ -800,7 +798,11 @@ static void ipgre_link_update(struct net_device *dev, bool set_mtu) + len = tunnel->tun_hlen - len; + tunnel->hlen = tunnel->hlen + len; + +- dev->needed_headroom = dev->needed_headroom + len; ++ if (dev->header_ops) ++ dev->hard_header_len += len; ++ else ++ dev->needed_headroom += len; ++ + if (set_mtu) + dev->mtu = max_t(int, dev->mtu - len, 68); + +@@ -1003,6 +1005,7 @@ static void __gre_tunnel_init(struct net_device *dev) + tunnel->parms.iph.protocol = IPPROTO_GRE; + + tunnel->hlen = tunnel->tun_hlen + tunnel->encap_hlen; ++ dev->needed_headroom = tunnel->hlen + sizeof(tunnel->parms.iph); + + dev->features |= GRE_FEATURES; + dev->hw_features |= GRE_FEATURES; +@@ -1046,10 +1049,14 @@ static int ipgre_tunnel_init(struct net_device *dev) + return -EINVAL; + dev->flags = IFF_BROADCAST; + dev->header_ops = &ipgre_header_ops; ++ dev->hard_header_len = tunnel->hlen + sizeof(*iph); ++ dev->needed_headroom = 0; + } + #endif + } else if (!tunnel->collect_md) { + dev->header_ops = &ipgre_header_ops; ++ dev->hard_header_len = tunnel->hlen + sizeof(*iph); ++ dev->needed_headroom = 0; + } + + return ip_tunnel_init(dev); +-- +2.25.1 + diff --git a/queue-4.19/ipvs-clear-skb-tstamp-in-forwarding-path.patch b/queue-4.19/ipvs-clear-skb-tstamp-in-forwarding-path.patch new file mode 100644 index 00000000000..5a9304034f7 --- /dev/null +++ b/queue-4.19/ipvs-clear-skb-tstamp-in-forwarding-path.patch @@ -0,0 +1,59 @@ +From 39cbbfc38d85341bffad5a1553a2e2f8e7400ad9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Oct 2020 21:24:25 +0300 +Subject: ipvs: clear skb->tstamp in forwarding path + +From: Julian Anastasov + +[ Upstream commit 7980d2eabde82be86c5be18aa3d07e88ec13c6a1 ] + +fq qdisc requires tstamp to be cleared in forwarding path + +Reported-by: Evgeny B +Link: https://bugzilla.kernel.org/show_bug.cgi?id=209427 +Suggested-by: Eric Dumazet +Fixes: 8203e2d844d3 ("net: clear skb->tstamp in forwarding paths") +Fixes: fb420d5d91c1 ("tcp/fq: move back to CLOCK_MONOTONIC") +Fixes: 80b14dee2bea ("net: Add a new socket option for a future transmit time.") +Signed-off-by: Julian Anastasov +Reviewed-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipvs/ip_vs_xmit.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c +index 3f75cd947045e..11f7c546e57b3 100644 +--- a/net/netfilter/ipvs/ip_vs_xmit.c ++++ b/net/netfilter/ipvs/ip_vs_xmit.c +@@ -586,6 +586,8 @@ static inline int ip_vs_tunnel_xmit_prepare(struct sk_buff *skb, + if (ret == NF_ACCEPT) { + nf_reset(skb); + skb_forward_csum(skb); ++ if (skb->dev) ++ skb->tstamp = 0; + } + return ret; + } +@@ -626,6 +628,8 @@ static inline int ip_vs_nat_send_or_cont(int pf, struct sk_buff *skb, + + if (!local) { + skb_forward_csum(skb); ++ if (skb->dev) ++ skb->tstamp = 0; + NF_HOOK(pf, NF_INET_LOCAL_OUT, cp->ipvs->net, NULL, skb, + NULL, skb_dst(skb)->dev, dst_output); + } else +@@ -646,6 +650,8 @@ static inline int ip_vs_send_or_cont(int pf, struct sk_buff *skb, + if (!local) { + ip_vs_drop_early_demux_sk(skb); + skb_forward_csum(skb); ++ if (skb->dev) ++ skb->tstamp = 0; + NF_HOOK(pf, NF_INET_LOCAL_OUT, cp->ipvs->net, NULL, skb, + NULL, skb_dst(skb)->dev, dst_output); + } else +-- +2.25.1 + diff --git a/queue-4.19/ipvs-fix-uninit-value-in-do_ip_vs_set_ctl.patch b/queue-4.19/ipvs-fix-uninit-value-in-do_ip_vs_set_ctl.patch new file mode 100644 index 00000000000..2ae33717b88 --- /dev/null +++ b/queue-4.19/ipvs-fix-uninit-value-in-do_ip_vs_set_ctl.patch @@ -0,0 +1,52 @@ +From 32f1b96ef206fbe3cb76e66302fd2a6f3324feac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 03:46:40 -0400 +Subject: ipvs: Fix uninit-value in do_ip_vs_set_ctl() + +From: Peilin Ye + +[ Upstream commit c5a8a8498eed1c164afc94f50a939c1a10abf8ad ] + +do_ip_vs_set_ctl() is referencing uninitialized stack value when `len` is +zero. Fix it. + +Reported-by: syzbot+23b5f9e7caf61d9a3898@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=46ebfb92a8a812621a001ef04d90dfa459520fe2 +Suggested-by: Julian Anastasov +Signed-off-by: Peilin Ye +Acked-by: Julian Anastasov +Reviewed-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipvs/ip_vs_ctl.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c +index c339b5e386b78..3ad1de081e3c7 100644 +--- a/net/netfilter/ipvs/ip_vs_ctl.c ++++ b/net/netfilter/ipvs/ip_vs_ctl.c +@@ -2393,6 +2393,10 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len) + /* Set timeout values for (tcp tcpfin udp) */ + ret = ip_vs_set_timeout(ipvs, (struct ip_vs_timeout_user *)arg); + goto out_unlock; ++ } else if (!len) { ++ /* No more commands with len == 0 below */ ++ ret = -EINVAL; ++ goto out_unlock; + } + + usvc_compat = (struct ip_vs_service_user *)arg; +@@ -2469,9 +2473,6 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len) + break; + case IP_VS_SO_SET_DELDEST: + ret = ip_vs_del_dest(svc, &udest); +- break; +- default: +- ret = -EINVAL; + } + + out_unlock: +-- +2.25.1 + diff --git a/queue-4.19/iwlwifi-mvm-split-a-print-to-avoid-a-warning-in-roc.patch b/queue-4.19/iwlwifi-mvm-split-a-print-to-avoid-a-warning-in-roc.patch new file mode 100644 index 00000000000..6dfeb365114 --- /dev/null +++ b/queue-4.19/iwlwifi-mvm-split-a-print-to-avoid-a-warning-in-roc.patch @@ -0,0 +1,45 @@ +From 707063366ceee4b0696ddb5425de63f64933700f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Sep 2020 10:31:20 +0300 +Subject: iwlwifi: mvm: split a print to avoid a WARNING in ROC + +From: Emmanuel Grumbach + +[ Upstream commit 903b3f9badf1d54f77b468b96706dab679b45b14 ] + +A print in the remain on channel code was too long and caused +a WARNING, split it. + +Signed-off-by: Emmanuel Grumbach +Fixes: dc28e12f2125 ("iwlwifi: mvm: ROC: Extend the ROC max delay duration & limit ROC duration") +Signed-off-by: Luca Coelho +Link: https://lore.kernel.org/r/iwlwifi.20200930102759.58d57c0bdc68.Ib06008665e7bf1199c360aa92691d9c74fb84990@changeid +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c +index 58653598db146..525b26e0f65ee 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c +@@ -3424,9 +3424,12 @@ static int iwl_mvm_send_aux_roc_cmd(struct iwl_mvm *mvm, + aux_roc_req.apply_time_max_delay = cpu_to_le32(delay); + + IWL_DEBUG_TE(mvm, +- "ROC: Requesting to remain on channel %u for %ums (requested = %ums, max_delay = %ums, dtim_interval = %ums)\n", +- channel->hw_value, req_dur, duration, delay, +- dtim_interval); ++ "ROC: Requesting to remain on channel %u for %ums\n", ++ channel->hw_value, req_dur); ++ IWL_DEBUG_TE(mvm, ++ "\t(requested = %ums, max_delay = %ums, dtim_interval = %ums)\n", ++ duration, delay, dtim_interval); ++ + /* Set the node address */ + memcpy(aux_roc_req.node_addr, vif->addr, ETH_ALEN); + +-- +2.25.1 + diff --git a/queue-4.19/kdb-fix-pager-search-for-multi-line-strings.patch b/queue-4.19/kdb-fix-pager-search-for-multi-line-strings.patch new file mode 100644 index 00000000000..b62146f4937 --- /dev/null +++ b/queue-4.19/kdb-fix-pager-search-for-multi-line-strings.patch @@ -0,0 +1,55 @@ +From cbd08462ab408e14394131295863a473c0b0dd01 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Sep 2020 15:17:08 +0100 +Subject: kdb: Fix pager search for multi-line strings + +From: Daniel Thompson + +[ Upstream commit d081a6e353168f15e63eb9e9334757f20343319f ] + +Currently using forward search doesn't handle multi-line strings correctly. +The search routine replaces line breaks with \0 during the search and, for +regular searches ("help | grep Common\n"), there is code after the line +has been discarded or printed to replace the break character. + +However during a pager search ("help\n" followed by "/Common\n") when the +string is matched we will immediately return to normal output and the code +that should restore the \n becomes unreachable. Fix this by restoring the +replaced character when we disable the search mode and update the comment +accordingly. + +Fixes: fb6daa7520f9d ("kdb: Provide forward search at more prompt") +Link: https://lore.kernel.org/r/20200909141708.338273-1-daniel.thompson@linaro.org +Reviewed-by: Douglas Anderson +Signed-off-by: Daniel Thompson +Signed-off-by: Sasha Levin +--- + kernel/debug/kdb/kdb_io.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/kernel/debug/kdb/kdb_io.c b/kernel/debug/kdb/kdb_io.c +index 6a4b41484afe6..b45576ca3b0da 100644 +--- a/kernel/debug/kdb/kdb_io.c ++++ b/kernel/debug/kdb/kdb_io.c +@@ -679,12 +679,16 @@ int vkdb_printf(enum kdb_msgsrc src, const char *fmt, va_list ap) + size_avail = sizeof(kdb_buffer) - len; + goto kdb_print_out; + } +- if (kdb_grepping_flag >= KDB_GREPPING_FLAG_SEARCH) ++ if (kdb_grepping_flag >= KDB_GREPPING_FLAG_SEARCH) { + /* + * This was a interactive search (using '/' at more +- * prompt) and it has completed. Clear the flag. ++ * prompt) and it has completed. Replace the \0 with ++ * its original value to ensure multi-line strings ++ * are handled properly, and return to normal mode. + */ ++ *cphold = replaced_byte; + kdb_grepping_flag = 0; ++ } + /* + * at this point the string is a full line and + * should be printed, up to the null. +-- +2.25.1 + diff --git a/queue-4.19/kvm-x86-emulating-rdpid-failure-shall-return-ud-rath.patch b/queue-4.19/kvm-x86-emulating-rdpid-failure-shall-return-ud-rath.patch new file mode 100644 index 00000000000..4d067da5c6b --- /dev/null +++ b/queue-4.19/kvm-x86-emulating-rdpid-failure-shall-return-ud-rath.patch @@ -0,0 +1,39 @@ +From e6c0ef61b4aa06047a698682610d543e3690ecf5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Aug 2020 10:23:42 +0800 +Subject: KVM: x86: emulating RDPID failure shall return #UD rather than #GP + +From: Robert Hoo + +[ Upstream commit a9e2e0ae686094571378c72d8146b5a1a92d0652 ] + +Per Intel's SDM, RDPID takes a #UD if it is unsupported, which is more or +less what KVM is emulating when MSR_TSC_AUX is not available. In fact, +there are no scenarios in which RDPID is supposed to #GP. + +Fixes: fb6d4d340e ("KVM: x86: emulate RDPID") +Signed-off-by: Robert Hoo +Message-Id: <1598581422-76264-1-git-send-email-robert.hu@linux.intel.com> +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/emulate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c +index 210eabd71ab23..670c2aedcefab 100644 +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -3561,7 +3561,7 @@ static int em_rdpid(struct x86_emulate_ctxt *ctxt) + u64 tsc_aux = 0; + + if (ctxt->ops->get_msr(ctxt, MSR_TSC_AUX, &tsc_aux)) +- return emulate_gp(ctxt, 0); ++ return emulate_ud(ctxt); + ctxt->dst.val = tsc_aux; + return X86EMUL_CONTINUE; + } +-- +2.25.1 + diff --git a/queue-4.19/lib-crc32.c-fix-trivial-typo-in-preprocessor-conditi.patch b/queue-4.19/lib-crc32.c-fix-trivial-typo-in-preprocessor-conditi.patch new file mode 100644 index 00000000000..e22e20af29b --- /dev/null +++ b/queue-4.19/lib-crc32.c-fix-trivial-typo-in-preprocessor-conditi.patch @@ -0,0 +1,45 @@ +From e66aafc6d965c564ee418621bf25dca72e070092 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Oct 2020 20:11:38 -0700 +Subject: lib/crc32.c: fix trivial typo in preprocessor condition + +From: Tobias Jordan + +[ Upstream commit 904542dc56524f921a6bab0639ff6249c01e775f ] + +Whether crc32_be needs a lookup table is chosen based on CRC_LE_BITS. +Obviously, the _be function should be governed by the _BE_ define. + +This probably never pops up as it's hard to come up with a configuration +where CRC_BE_BITS isn't the same as CRC_LE_BITS and as nobody is using +bitwise CRC anyway. + +Fixes: 46c5801eaf86 ("crc32: bolt on crc32c") +Signed-off-by: Tobias Jordan +Signed-off-by: Andrew Morton +Cc: Krzysztof Kozlowski +Cc: Jonathan Corbet +Cc: Mauro Carvalho Chehab +Link: https://lkml.kernel.org/r/20200923182122.GA3338@agrajag.zerfleddert.de +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + lib/crc32.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/crc32.c b/lib/crc32.c +index a6c9afafc8c85..1a5d08470044e 100644 +--- a/lib/crc32.c ++++ b/lib/crc32.c +@@ -328,7 +328,7 @@ static inline u32 __pure crc32_be_generic(u32 crc, unsigned char const *p, + return crc; + } + +-#if CRC_LE_BITS == 1 ++#if CRC_BE_BITS == 1 + u32 __pure crc32_be(u32 crc, unsigned char const *p, size_t len) + { + return crc32_be_generic(crc, p, len, NULL, CRC32_POLY_BE); +-- +2.25.1 + diff --git a/queue-4.19/mac80211-handle-lack-of-sband-bitrates-in-rates.patch b/queue-4.19/mac80211-handle-lack-of-sband-bitrates-in-rates.patch new file mode 100644 index 00000000000..b337ede2752 --- /dev/null +++ b/queue-4.19/mac80211-handle-lack-of-sband-bitrates-in-rates.patch @@ -0,0 +1,58 @@ +From f292f576a82401c20484c3b16dd9d8bcca3e4561 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Oct 2020 09:45:21 -0700 +Subject: mac80211: handle lack of sband->bitrates in rates + +From: Thomas Pedersen + +[ Upstream commit 8b783d104e7f40684333d2ec155fac39219beb2f ] + +Even though a driver or mac80211 shouldn't produce a +legacy bitrate if sband->bitrates doesn't exist, don't +crash if that is the case either. + +This fixes a kernel panic if station dump is run before +last_rate can be updated with a data frame when +sband->bitrates is missing (eg. in S1G bands). + +Signed-off-by: Thomas Pedersen +Link: https://lore.kernel.org/r/20201005164522.18069-1-thomas@adapt-ip.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/cfg.c | 3 ++- + net/mac80211/sta_info.c | 4 ++++ + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c +index b6670e74aeb7b..9926455dd546d 100644 +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -664,7 +664,8 @@ void sta_set_rate_info_tx(struct sta_info *sta, + u16 brate; + + sband = ieee80211_get_sband(sta->sdata); +- if (sband) { ++ WARN_ON_ONCE(sband && !sband->bitrates); ++ if (sband && sband->bitrates) { + brate = sband->bitrates[rate->idx].bitrate; + rinfo->legacy = DIV_ROUND_UP(brate, 1 << shift); + } +diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c +index 2a82d438991b5..9968b8a976f19 100644 +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -2009,6 +2009,10 @@ static void sta_stats_decode_rate(struct ieee80211_local *local, u32 rate, + int rate_idx = STA_STATS_GET(LEGACY_IDX, rate); + + sband = local->hw.wiphy->bands[band]; ++ ++ if (WARN_ON_ONCE(!sband->bitrates)) ++ break; ++ + brate = sband->bitrates[rate_idx].bitrate; + if (rinfo->bw == RATE_INFO_BW_5) + shift = 2; +-- +2.25.1 + diff --git a/queue-4.19/mailbox-avoid-timer-start-from-callback.patch b/queue-4.19/mailbox-avoid-timer-start-from-callback.patch new file mode 100644 index 00000000000..68f21fedabb --- /dev/null +++ b/queue-4.19/mailbox-avoid-timer-start-from-callback.patch @@ -0,0 +1,75 @@ +From 6fefaf8466b51d1959ad9efeb7e1ac9cd0b11133 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Oct 2020 12:20:56 -0500 +Subject: mailbox: avoid timer start from callback + +From: Jassi Brar + +[ Upstream commit c7dacf5b0f32957b24ef29df1207dc2cd8307743 ] + +If the txdone is done by polling, it is possible for msg_submit() to start +the timer while txdone_hrtimer() callback is running. If the timer needs +recheduling, it could already be enqueued by the time hrtimer_forward_now() +is called, leading hrtimer to loudly complain. + +WARNING: CPU: 3 PID: 74 at kernel/time/hrtimer.c:932 hrtimer_forward+0xc4/0x110 +CPU: 3 PID: 74 Comm: kworker/u8:1 Not tainted 5.9.0-rc2-00236-gd3520067d01c-dirty #5 +Hardware name: Libre Computer AML-S805X-AC (DT) +Workqueue: events_freezable_power_ thermal_zone_device_check +pstate: 20000085 (nzCv daIf -PAN -UAO BTYPE=--) +pc : hrtimer_forward+0xc4/0x110 +lr : txdone_hrtimer+0xf8/0x118 +[...] + +This can be fixed by not starting the timer from the callback path. Which +requires the timer reloading as long as any message is queued on the +channel, and not just when current tx is not done yet. + +Fixes: 0cc67945ea59 ("mailbox: switch to hrtimer for tx_complete polling") +Reported-by: Da Xue +Reviewed-by: Sudeep Holla +Tested-by: Sudeep Holla +Acked-by: Jerome Brunet +Tested-by: Jerome Brunet +Signed-off-by: Jassi Brar +Signed-off-by: Sasha Levin +--- + drivers/mailbox/mailbox.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/mailbox/mailbox.c b/drivers/mailbox/mailbox.c +index 055c90b8253cb..10a559cfb7ea3 100644 +--- a/drivers/mailbox/mailbox.c ++++ b/drivers/mailbox/mailbox.c +@@ -85,9 +85,12 @@ static void msg_submit(struct mbox_chan *chan) + exit: + spin_unlock_irqrestore(&chan->lock, flags); + +- if (!err && (chan->txdone_method & TXDONE_BY_POLL)) +- /* kick start the timer immediately to avoid delays */ +- hrtimer_start(&chan->mbox->poll_hrt, 0, HRTIMER_MODE_REL); ++ /* kick start the timer immediately to avoid delays */ ++ if (!err && (chan->txdone_method & TXDONE_BY_POLL)) { ++ /* but only if not already active */ ++ if (!hrtimer_active(&chan->mbox->poll_hrt)) ++ hrtimer_start(&chan->mbox->poll_hrt, 0, HRTIMER_MODE_REL); ++ } + } + + static void tx_tick(struct mbox_chan *chan, int r) +@@ -125,11 +128,10 @@ static enum hrtimer_restart txdone_hrtimer(struct hrtimer *hrtimer) + struct mbox_chan *chan = &mbox->chans[i]; + + if (chan->active_req && chan->cl) { ++ resched = true; + txdone = chan->mbox->ops->last_tx_done(chan); + if (txdone) + tx_tick(chan, 0); +- else +- resched = true; + } + } + +-- +2.25.1 + diff --git a/queue-4.19/media-ati_remote-sanity-check-for-both-endpoints.patch b/queue-4.19/media-ati_remote-sanity-check-for-both-endpoints.patch new file mode 100644 index 00000000000..7e49fcf11aa --- /dev/null +++ b/queue-4.19/media-ati_remote-sanity-check-for-both-endpoints.patch @@ -0,0 +1,40 @@ +From 5801ba6df4f61d0f5162d1155b54c6e5c5aceece Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 15:50:51 +0200 +Subject: media: ati_remote: sanity check for both endpoints + +From: Oliver Neukum + +[ Upstream commit a8be80053ea74bd9c3f9a3810e93b802236d6498 ] + +If you do sanity checks, you should do them for both endpoints. +Hence introduce checking for endpoint type for the output +endpoint, too. + +Reported-by: syzbot+998261c2ae5932458f6c@syzkaller.appspotmail.com +Signed-off-by: Oliver Neukum +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/rc/ati_remote.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/media/rc/ati_remote.c b/drivers/media/rc/ati_remote.c +index 8e82610ffaad5..01c82da8e9aa2 100644 +--- a/drivers/media/rc/ati_remote.c ++++ b/drivers/media/rc/ati_remote.c +@@ -845,6 +845,10 @@ static int ati_remote_probe(struct usb_interface *interface, + err("%s: endpoint_in message size==0? \n", __func__); + return -ENODEV; + } ++ if (!usb_endpoint_is_int_out(endpoint_out)) { ++ err("%s: Unexpected endpoint_out\n", __func__); ++ return -ENODEV; ++ } + + ati_remote = kzalloc(sizeof (struct ati_remote), GFP_KERNEL); + rc_dev = rc_allocate_device(RC_DRIVER_SCANCODE); +-- +2.25.1 + diff --git a/queue-4.19/media-bdisp-fix-runtime-pm-imbalance-on-error.patch b/queue-4.19/media-bdisp-fix-runtime-pm-imbalance-on-error.patch new file mode 100644 index 00000000000..3fa88386b1f --- /dev/null +++ b/queue-4.19/media-bdisp-fix-runtime-pm-imbalance-on-error.patch @@ -0,0 +1,46 @@ +From 50cb234a4e2f8420ec98b8a78ffbaeed4e364fda Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 May 2020 12:00:21 +0200 +Subject: media: bdisp: Fix runtime PM imbalance on error + +From: Dinghao Liu + +[ Upstream commit dbd2f2dc025f9be8ae063e4f270099677238f620 ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code. Thus a pairing decrement is needed on +the error handling path to keep the counter balanced. + +Signed-off-by: Dinghao Liu +Reviewed-by: Fabien Dessenne +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/sti/bdisp/bdisp-v4l2.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/media/platform/sti/bdisp/bdisp-v4l2.c b/drivers/media/platform/sti/bdisp/bdisp-v4l2.c +index 40c4eef71c34c..00f6e3f06dac5 100644 +--- a/drivers/media/platform/sti/bdisp/bdisp-v4l2.c ++++ b/drivers/media/platform/sti/bdisp/bdisp-v4l2.c +@@ -1371,7 +1371,7 @@ static int bdisp_probe(struct platform_device *pdev) + ret = pm_runtime_get_sync(dev); + if (ret < 0) { + dev_err(dev, "failed to set PM\n"); +- goto err_dbg; ++ goto err_pm; + } + + /* Filters */ +@@ -1399,7 +1399,6 @@ static int bdisp_probe(struct platform_device *pdev) + bdisp_hw_free_filters(bdisp->dev); + err_pm: + pm_runtime_put(dev); +-err_dbg: + bdisp_debugfs_remove(bdisp); + err_v4l2: + v4l2_device_unregister(&bdisp->v4l2_dev); +-- +2.25.1 + diff --git a/queue-4.19/media-camss-fix-a-reference-count-leak.patch b/queue-4.19/media-camss-fix-a-reference-count-leak.patch new file mode 100644 index 00000000000..ace61579e40 --- /dev/null +++ b/queue-4.19/media-camss-fix-a-reference-count-leak.patch @@ -0,0 +1,42 @@ +From acfcbae004de49ff4967cb4c443258e7b44b6cbf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 01:27:12 +0200 +Subject: media: camss: Fix a reference count leak. + +From: Qiushi Wu + +[ Upstream commit d0675b67b42eb4f1a840d1513b5b00f78312f833 ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code, causing incorrect ref count if +PM runtime put is not called in error handling paths. +Thus call pm_runtime_put_sync() if pm_runtime_get_sync() fails. + +Fixes: 02afa816dbbf ("media: camss: Add basic runtime PM support") +Signed-off-by: Qiushi Wu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/qcom/camss/camss-csiphy.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/qcom/camss/camss-csiphy.c b/drivers/media/platform/qcom/camss/camss-csiphy.c +index 008afb85023be..3c5b9082ad723 100644 +--- a/drivers/media/platform/qcom/camss/camss-csiphy.c ++++ b/drivers/media/platform/qcom/camss/camss-csiphy.c +@@ -176,8 +176,10 @@ static int csiphy_set_power(struct v4l2_subdev *sd, int on) + int ret; + + ret = pm_runtime_get_sync(dev); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put_sync(dev); + return ret; ++ } + + ret = csiphy_set_clock_rates(csiphy); + if (ret < 0) { +-- +2.25.1 + diff --git a/queue-4.19/media-exynos4-is-fix-a-reference-count-leak-due-to-p.patch b/queue-4.19/media-exynos4-is-fix-a-reference-count-leak-due-to-p.patch new file mode 100644 index 00000000000..636bfe23b2a --- /dev/null +++ b/queue-4.19/media-exynos4-is-fix-a-reference-count-leak-due-to-p.patch @@ -0,0 +1,41 @@ +From 4325dd5b355b652256062294ffb6d12b302a0f70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 05:10:58 +0200 +Subject: media: exynos4-is: Fix a reference count leak due to + pm_runtime_get_sync + +From: Qiushi Wu + +[ Upstream commit c47f7c779ef0458a58583f00c9ed71b7f5a4d0a2 ] + +On calling pm_runtime_get_sync() the reference count of the device +is incremented. In case of failure, decrement the +reference count before returning the error. + +Signed-off-by: Qiushi Wu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/exynos4-is/media-dev.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/exynos4-is/media-dev.c b/drivers/media/platform/exynos4-is/media-dev.c +index f5fca01f3248e..3261dc72cc614 100644 +--- a/drivers/media/platform/exynos4-is/media-dev.c ++++ b/drivers/media/platform/exynos4-is/media-dev.c +@@ -481,8 +481,10 @@ static int fimc_md_register_sensor_entities(struct fimc_md *fmd) + return -ENXIO; + + ret = pm_runtime_get_sync(fmd->pmf); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put(fmd->pmf); + return ret; ++ } + + fmd->num_sensors = 0; + +-- +2.25.1 + diff --git a/queue-4.19/media-exynos4-is-fix-a-reference-count-leak.patch b/queue-4.19/media-exynos4-is-fix-a-reference-count-leak.patch new file mode 100644 index 00000000000..6cc25147f08 --- /dev/null +++ b/queue-4.19/media-exynos4-is-fix-a-reference-count-leak.patch @@ -0,0 +1,41 @@ +From 071c6fd550c21f73b03416f157416af7daf82dca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 05:01:11 +0200 +Subject: media: exynos4-is: Fix a reference count leak + +From: Qiushi Wu + +[ Upstream commit 64157b2cb1940449e7df2670e85781c690266588 ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code, causing incorrect ref count if +pm_runtime_put_noidle() is not called in error handling paths. +Thus call pm_runtime_put_noidle() if pm_runtime_get_sync() fails. + +Signed-off-by: Qiushi Wu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/exynos4-is/mipi-csis.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/exynos4-is/mipi-csis.c b/drivers/media/platform/exynos4-is/mipi-csis.c +index b4e28a299e26e..efab3ebc67564 100644 +--- a/drivers/media/platform/exynos4-is/mipi-csis.c ++++ b/drivers/media/platform/exynos4-is/mipi-csis.c +@@ -513,8 +513,10 @@ static int s5pcsis_s_stream(struct v4l2_subdev *sd, int enable) + if (enable) { + s5pcsis_clear_counters(state); + ret = pm_runtime_get_sync(&state->pdev->dev); +- if (ret && ret != 1) ++ if (ret && ret != 1) { ++ pm_runtime_put_noidle(&state->pdev->dev); + return ret; ++ } + } + + mutex_lock(&state->lock); +-- +2.25.1 + diff --git a/queue-4.19/media-exynos4-is-fix-several-reference-count-leaks-d.patch b/queue-4.19/media-exynos4-is-fix-several-reference-count-leaks-d.patch new file mode 100644 index 00000000000..b56da460d2f --- /dev/null +++ b/queue-4.19/media-exynos4-is-fix-several-reference-count-leaks-d.patch @@ -0,0 +1,55 @@ +From c633bd158ed631aecb226e428e2fae926507589e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 05:18:29 +0200 +Subject: media: exynos4-is: Fix several reference count leaks due to + pm_runtime_get_sync + +From: Qiushi Wu + +[ Upstream commit 7ef64ceea0008c17e94a8a2c60c5d6d46f481996 ] + +On calling pm_runtime_get_sync() the reference count of the device +is incremented. In case of failure, decrement the +reference count before returning the error. + +Signed-off-by: Qiushi Wu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/exynos4-is/fimc-isp.c | 4 +++- + drivers/media/platform/exynos4-is/fimc-lite.c | 2 +- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/exynos4-is/fimc-isp.c b/drivers/media/platform/exynos4-is/fimc-isp.c +index 9a48c0f69320b..1dbebdc1c2f87 100644 +--- a/drivers/media/platform/exynos4-is/fimc-isp.c ++++ b/drivers/media/platform/exynos4-is/fimc-isp.c +@@ -311,8 +311,10 @@ static int fimc_isp_subdev_s_power(struct v4l2_subdev *sd, int on) + + if (on) { + ret = pm_runtime_get_sync(&is->pdev->dev); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put(&is->pdev->dev); + return ret; ++ } + set_bit(IS_ST_PWR_ON, &is->state); + + ret = fimc_is_start_firmware(is); +diff --git a/drivers/media/platform/exynos4-is/fimc-lite.c b/drivers/media/platform/exynos4-is/fimc-lite.c +index 70d5f5586a5d5..10fe7d2e8790c 100644 +--- a/drivers/media/platform/exynos4-is/fimc-lite.c ++++ b/drivers/media/platform/exynos4-is/fimc-lite.c +@@ -480,7 +480,7 @@ static int fimc_lite_open(struct file *file) + set_bit(ST_FLITE_IN_USE, &fimc->state); + ret = pm_runtime_get_sync(&fimc->pdev->dev); + if (ret < 0) +- goto unlock; ++ goto err_pm; + + ret = v4l2_fh_open(file); + if (ret < 0) +-- +2.25.1 + diff --git a/queue-4.19/media-firewire-fix-memory-leak.patch b/queue-4.19/media-firewire-fix-memory-leak.patch new file mode 100644 index 00000000000..380b8d5c588 --- /dev/null +++ b/queue-4.19/media-firewire-fix-memory-leak.patch @@ -0,0 +1,39 @@ +From 35653e7fa94121754727bd16b877a4cefa0b76e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Sep 2020 11:01:37 +0200 +Subject: media: firewire: fix memory leak + +From: Pavel Machek + +[ Upstream commit b28e32798c78a346788d412f1958f36bb760ec03 ] + +Fix memory leak in node_probe. + +Signed-off-by: Pavel Machek (CIP) +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/firewire/firedtv-fw.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/firewire/firedtv-fw.c b/drivers/media/firewire/firedtv-fw.c +index eaf94b817dbc0..2ac9d24d3f0cd 100644 +--- a/drivers/media/firewire/firedtv-fw.c ++++ b/drivers/media/firewire/firedtv-fw.c +@@ -271,8 +271,10 @@ static int node_probe(struct fw_unit *unit, const struct ieee1394_device_id *id) + + name_len = fw_csr_string(unit->directory, CSR_MODEL, + name, sizeof(name)); +- if (name_len < 0) +- return name_len; ++ if (name_len < 0) { ++ err = name_len; ++ goto fail_free; ++ } + for (i = ARRAY_SIZE(model_names); --i; ) + if (strlen(model_names[i]) <= name_len && + strncmp(name, model_names[i], name_len) == 0) +-- +2.25.1 + diff --git a/queue-4.19/media-m5mols-check-function-pointer-in-m5mols_sensor.patch b/queue-4.19/media-m5mols-check-function-pointer-in-m5mols_sensor.patch new file mode 100644 index 00000000000..dcc9eb02e9d --- /dev/null +++ b/queue-4.19/media-m5mols-check-function-pointer-in-m5mols_sensor.patch @@ -0,0 +1,45 @@ +From 07057c1b3eb470874c50e74ddb5b5f6a87657518 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 19 Jul 2020 17:34:47 +0200 +Subject: media: m5mols: Check function pointer in m5mols_sensor_power + +From: Tom Rix + +[ Upstream commit 52438c4463ac904d14bf3496765e67750766f3a6 ] + +clang static analysis reports this error + +m5mols_core.c:767:4: warning: Called function pointer + is null (null dereference) [core.CallAndMessage] + info->set_power(&client->dev, 0); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +In other places, the set_power ptr is checked. +So add a check. + +Fixes: bc125106f8af ("[media] Add support for M-5MOLS 8 Mega Pixel camera ISP") +Signed-off-by: Tom Rix +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/m5mols/m5mols_core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/i2c/m5mols/m5mols_core.c b/drivers/media/i2c/m5mols/m5mols_core.c +index 12e79f9e32d53..d9a9644306096 100644 +--- a/drivers/media/i2c/m5mols/m5mols_core.c ++++ b/drivers/media/i2c/m5mols/m5mols_core.c +@@ -768,7 +768,8 @@ static int m5mols_sensor_power(struct m5mols_info *info, bool enable) + + ret = regulator_bulk_enable(ARRAY_SIZE(supplies), supplies); + if (ret) { +- info->set_power(&client->dev, 0); ++ if (info->set_power) ++ info->set_power(&client->dev, 0); + return ret; + } + +-- +2.25.1 + diff --git a/queue-4.19/media-media-pci-prevent-memory-leak-in-bttv_probe.patch b/queue-4.19/media-media-pci-prevent-memory-leak-in-bttv_probe.patch new file mode 100644 index 00000000000..49c4ffd1ea6 --- /dev/null +++ b/queue-4.19/media-media-pci-prevent-memory-leak-in-bttv_probe.patch @@ -0,0 +1,65 @@ +From 5e96ad7b0c340dee34987d0629d350c9f1082075 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Apr 2020 11:52:30 +0200 +Subject: media: media/pci: prevent memory leak in bttv_probe + +From: Xiaolong Huang + +[ Upstream commit 7b817585b730665126b45df5508dd69526448bc8 ] + +In bttv_probe if some functions such as pci_enable_device, +pci_set_dma_mask and request_mem_region fails the allocated + memory for btv should be released. + +Signed-off-by: Xiaolong Huang +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/bt8xx/bttv-driver.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/pci/bt8xx/bttv-driver.c b/drivers/media/pci/bt8xx/bttv-driver.c +index cf05e11da01b0..4c042ba6de918 100644 +--- a/drivers/media/pci/bt8xx/bttv-driver.c ++++ b/drivers/media/pci/bt8xx/bttv-driver.c +@@ -4055,11 +4055,13 @@ static int bttv_probe(struct pci_dev *dev, const struct pci_device_id *pci_id) + btv->id = dev->device; + if (pci_enable_device(dev)) { + pr_warn("%d: Can't enable device\n", btv->c.nr); +- return -EIO; ++ result = -EIO; ++ goto free_mem; + } + if (pci_set_dma_mask(dev, DMA_BIT_MASK(32))) { + pr_warn("%d: No suitable DMA available\n", btv->c.nr); +- return -EIO; ++ result = -EIO; ++ goto free_mem; + } + if (!request_mem_region(pci_resource_start(dev,0), + pci_resource_len(dev,0), +@@ -4067,7 +4069,8 @@ static int bttv_probe(struct pci_dev *dev, const struct pci_device_id *pci_id) + pr_warn("%d: can't request iomem (0x%llx)\n", + btv->c.nr, + (unsigned long long)pci_resource_start(dev, 0)); +- return -EBUSY; ++ result = -EBUSY; ++ goto free_mem; + } + pci_set_master(dev); + pci_set_command(dev); +@@ -4253,6 +4256,10 @@ static int bttv_probe(struct pci_dev *dev, const struct pci_device_id *pci_id) + release_mem_region(pci_resource_start(btv->c.pci,0), + pci_resource_len(btv->c.pci,0)); + pci_disable_device(btv->c.pci); ++ ++free_mem: ++ bttvs[btv->c.nr] = NULL; ++ kfree(btv); + return result; + } + +-- +2.25.1 + diff --git a/queue-4.19/media-mx2_emmaprp-fix-memleak-in-emmaprp_probe.patch b/queue-4.19/media-mx2_emmaprp-fix-memleak-in-emmaprp_probe.patch new file mode 100644 index 00000000000..4f50e1c67a8 --- /dev/null +++ b/queue-4.19/media-mx2_emmaprp-fix-memleak-in-emmaprp_probe.patch @@ -0,0 +1,44 @@ +From 66991bd20775e9fc8351663ef8ff3d92cfec7294 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Aug 2020 11:26:04 +0200 +Subject: media: mx2_emmaprp: Fix memleak in emmaprp_probe + +From: Dinghao Liu + +[ Upstream commit 21d387b8d372f859d9e87fdcc7c3b4a432737f4d ] + +When platform_get_irq() fails, we should release +vfd and unregister pcdev->v4l2_dev just like the +subsequent error paths. + +Fixes: d4e192cc44914 ("media: mx2_emmaprp: Check for platform_get_irq() error") +Signed-off-by: Dinghao Liu +Reviewed-by: Fabio Estevam +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/mx2_emmaprp.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/mx2_emmaprp.c b/drivers/media/platform/mx2_emmaprp.c +index 419e1cb10dc66..f4be4c672d40e 100644 +--- a/drivers/media/platform/mx2_emmaprp.c ++++ b/drivers/media/platform/mx2_emmaprp.c +@@ -929,8 +929,11 @@ static int emmaprp_probe(struct platform_device *pdev) + platform_set_drvdata(pdev, pcdev); + + irq = platform_get_irq(pdev, 0); +- if (irq < 0) +- return irq; ++ if (irq < 0) { ++ ret = irq; ++ goto rel_vdev; ++ } ++ + ret = devm_request_irq(&pdev->dev, irq, emmaprp_irq, 0, + dev_name(&pdev->dev), pcdev); + if (ret) +-- +2.25.1 + diff --git a/queue-4.19/media-omap3isp-fix-memleak-in-isp_probe.patch b/queue-4.19/media-omap3isp-fix-memleak-in-isp_probe.patch new file mode 100644 index 00000000000..9b12caf5378 --- /dev/null +++ b/queue-4.19/media-omap3isp-fix-memleak-in-isp_probe.patch @@ -0,0 +1,41 @@ +From 4cf6c3cd9456c2d66e6fec86149f424119df7748 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Aug 2020 08:53:52 +0200 +Subject: media: omap3isp: Fix memleak in isp_probe + +From: Dinghao Liu + +[ Upstream commit d8fc21c17099635e8ebd986d042be65a6c6b5bd0 ] + +When devm_ioremap_resource() fails, isp should be +freed just like other error paths in isp_probe. + +Fixes: 8644cdf972dd6 ("[media] omap3isp: Replace many MMIO regions by two") +Signed-off-by: Dinghao Liu +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/omap3isp/isp.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/omap3isp/isp.c b/drivers/media/platform/omap3isp/isp.c +index addd03b517481..00e52f0b8251b 100644 +--- a/drivers/media/platform/omap3isp/isp.c ++++ b/drivers/media/platform/omap3isp/isp.c +@@ -2265,8 +2265,10 @@ static int isp_probe(struct platform_device *pdev) + mem = platform_get_resource(pdev, IORESOURCE_MEM, i); + isp->mmio_base[map_idx] = + devm_ioremap_resource(isp->dev, mem); +- if (IS_ERR(isp->mmio_base[map_idx])) +- return PTR_ERR(isp->mmio_base[map_idx]); ++ if (IS_ERR(isp->mmio_base[map_idx])) { ++ ret = PTR_ERR(isp->mmio_base[map_idx]); ++ goto error; ++ } + } + + ret = isp_get_clocks(isp); +-- +2.25.1 + diff --git a/queue-4.19/media-platform-fcp-fix-a-reference-count-leak.patch b/queue-4.19/media-platform-fcp-fix-a-reference-count-leak.patch new file mode 100644 index 00000000000..60b8639277c --- /dev/null +++ b/queue-4.19/media-platform-fcp-fix-a-reference-count-leak.patch @@ -0,0 +1,42 @@ +From 5edadc3044b545899c31c09837708a4b07dc501a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 01:19:44 +0200 +Subject: media: platform: fcp: Fix a reference count leak. + +From: Qiushi Wu + +[ Upstream commit 63e36a381d92a9cded97e90d481ee22566557dd1 ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code, causing incorrect ref count if +pm_runtime_put_noidle() is not called in error handling paths. +Thus call pm_runtime_put_noidle() if pm_runtime_get_sync() fails. + +Fixes: 6eaafbdb668b ("[media] v4l: rcar-fcp: Keep the coding style consistent") +Signed-off-by: Qiushi Wu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/rcar-fcp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/rcar-fcp.c b/drivers/media/platform/rcar-fcp.c +index 5c6b00737fe75..05c712e00a2a7 100644 +--- a/drivers/media/platform/rcar-fcp.c ++++ b/drivers/media/platform/rcar-fcp.c +@@ -103,8 +103,10 @@ int rcar_fcp_enable(struct rcar_fcp_device *fcp) + return 0; + + ret = pm_runtime_get_sync(fcp->dev); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put_noidle(fcp->dev); + return ret; ++ } + + return 0; + } +-- +2.25.1 + diff --git a/queue-4.19/media-platform-s3c-camif-fix-runtime-pm-imbalance-on.patch b/queue-4.19/media-platform-s3c-camif-fix-runtime-pm-imbalance-on.patch new file mode 100644 index 00000000000..cad19fe7a12 --- /dev/null +++ b/queue-4.19/media-platform-s3c-camif-fix-runtime-pm-imbalance-on.patch @@ -0,0 +1,53 @@ +From a9bfd8bc8011dbf4751f3b5408e24793147ecaf8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 May 2020 15:29:33 +0200 +Subject: media: platform: s3c-camif: Fix runtime PM imbalance on error + +From: Dinghao Liu + +[ Upstream commit dafa3605fe60d5a61239d670919b2a36e712481e ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code. Thus a pairing decrement is needed on +the error handling path to keep the counter balanced. + +Also, call pm_runtime_disable() when pm_runtime_get_sync() returns +an error code. + +Signed-off-by: Dinghao Liu +Reviewed-by: Sylwester Nawrocki +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/s3c-camif/camif-core.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/platform/s3c-camif/camif-core.c b/drivers/media/platform/s3c-camif/camif-core.c +index 79bc0ef6bb413..8d8ed72bd0aaf 100644 +--- a/drivers/media/platform/s3c-camif/camif-core.c ++++ b/drivers/media/platform/s3c-camif/camif-core.c +@@ -476,7 +476,7 @@ static int s3c_camif_probe(struct platform_device *pdev) + + ret = camif_media_dev_init(camif); + if (ret < 0) +- goto err_alloc; ++ goto err_pm; + + ret = camif_register_sensor(camif); + if (ret < 0) +@@ -510,10 +510,9 @@ static int s3c_camif_probe(struct platform_device *pdev) + media_device_unregister(&camif->media_dev); + media_device_cleanup(&camif->media_dev); + camif_unregister_media_entities(camif); +-err_alloc: ++err_pm: + pm_runtime_put(dev); + pm_runtime_disable(dev); +-err_pm: + camif_clk_put(camif); + err_clk: + s3c_camif_unregister_subdev(camif); +-- +2.25.1 + diff --git a/queue-4.19/media-platform-sti-hva-fix-runtime-pm-imbalance-on-e.patch b/queue-4.19/media-platform-sti-hva-fix-runtime-pm-imbalance-on-e.patch new file mode 100644 index 00000000000..1bc23d590d0 --- /dev/null +++ b/queue-4.19/media-platform-sti-hva-fix-runtime-pm-imbalance-on-e.patch @@ -0,0 +1,37 @@ +From 9fdb8c85a3a054343cc030dda5987c2db7960669 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 May 2020 12:05:02 +0200 +Subject: media: platform: sti: hva: Fix runtime PM imbalance on error + +From: Dinghao Liu + +[ Upstream commit d912a1d9e9afe69c6066c1ceb6bfc09063074075 ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code. Thus a pairing decrement is needed on +the error handling path to keep the counter balanced. + +Signed-off-by: Dinghao Liu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/sti/hva/hva-hw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/platform/sti/hva/hva-hw.c b/drivers/media/platform/sti/hva/hva-hw.c +index 166ed30bbfce5..d826c011c0952 100644 +--- a/drivers/media/platform/sti/hva/hva-hw.c ++++ b/drivers/media/platform/sti/hva/hva-hw.c +@@ -393,7 +393,7 @@ int hva_hw_probe(struct platform_device *pdev, struct hva_dev *hva) + ret = pm_runtime_get_sync(dev); + if (ret < 0) { + dev_err(dev, "%s failed to set PM\n", HVA_PREFIX); +- goto err_clk; ++ goto err_pm; + } + + /* check IP hardware version */ +-- +2.25.1 + diff --git a/queue-4.19/media-rcar-vin-fix-a-reference-count-leak.patch b/queue-4.19/media-rcar-vin-fix-a-reference-count-leak.patch new file mode 100644 index 00000000000..e338b2f9f6f --- /dev/null +++ b/queue-4.19/media-rcar-vin-fix-a-reference-count-leak.patch @@ -0,0 +1,41 @@ +From 2de9a79c5586265356ed626806a67c01bafb30e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 00:30:08 +0200 +Subject: media: rcar-vin: Fix a reference count leak. + +From: Qiushi Wu + +[ Upstream commit aaffa0126a111d65f4028c503c76192d4cc93277 ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code. Thus call pm_runtime_put_noidle() +if pm_runtime_get_sync() fails. + +Fixes: 90dedce9bc54 ("media: rcar-vin: add function to manipulate Gen3 chsel value") +Signed-off-by: Qiushi Wu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/rcar-vin/rcar-dma.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/rcar-vin/rcar-dma.c b/drivers/media/platform/rcar-vin/rcar-dma.c +index 92323310f7352..70a8cc433a03f 100644 +--- a/drivers/media/platform/rcar-vin/rcar-dma.c ++++ b/drivers/media/platform/rcar-vin/rcar-dma.c +@@ -1323,8 +1323,10 @@ int rvin_set_channel_routing(struct rvin_dev *vin, u8 chsel) + int ret; + + ret = pm_runtime_get_sync(vin->dev); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put_noidle(vin->dev); + return ret; ++ } + + /* Make register writes take effect immediately. */ + vnmc = rvin_read(vin, VNMC_REG); +-- +2.25.1 + diff --git a/queue-4.19/media-revert-media-exynos4-is-add-missed-check-for-p.patch b/queue-4.19/media-revert-media-exynos4-is-add-missed-check-for-p.patch new file mode 100644 index 00000000000..43c61fc4e41 --- /dev/null +++ b/queue-4.19/media-revert-media-exynos4-is-add-missed-check-for-p.patch @@ -0,0 +1,47 @@ +From 97670cc6ec2d492536ad420eac6a061e6c7c8034 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Aug 2020 17:32:39 +0200 +Subject: media: Revert "media: exynos4-is: Add missed check for + pinctrl_lookup_state()" + +From: Sylwester Nawrocki + +[ Upstream commit 00d21f325d58567d81d9172096692d0a9ea7f725 ] + +The "idle" pinctrl state is optional as documented in the DT binding. +The change introduced by the commit being reverted makes that pinctrl state +mandatory and breaks initialization of the whole media driver, since the +"idle" state is not specified in any mainline dts. + +This reverts commit 18ffec750578 ("media: exynos4-is: Add missed check for pinctrl_lookup_state()") +to fix the regression. + +Fixes: 18ffec750578 ("media: exynos4-is: Add missed check for pinctrl_lookup_state()") +Signed-off-by: Sylwester Nawrocki +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/exynos4-is/media-dev.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/media/platform/exynos4-is/media-dev.c b/drivers/media/platform/exynos4-is/media-dev.c +index 2d25a197dc657..f5fca01f3248e 100644 +--- a/drivers/media/platform/exynos4-is/media-dev.c ++++ b/drivers/media/platform/exynos4-is/media-dev.c +@@ -1257,11 +1257,9 @@ static int fimc_md_get_pinctrl(struct fimc_md *fmd) + if (IS_ERR(pctl->state_default)) + return PTR_ERR(pctl->state_default); + ++ /* PINCTRL_STATE_IDLE is optional */ + pctl->state_idle = pinctrl_lookup_state(pctl->pinctrl, + PINCTRL_STATE_IDLE); +- if (IS_ERR(pctl->state_idle)) +- return PTR_ERR(pctl->state_idle); +- + return 0; + } + +-- +2.25.1 + diff --git a/queue-4.19/media-rockchip-rga-fix-a-reference-count-leak.patch b/queue-4.19/media-rockchip-rga-fix-a-reference-count-leak.patch new file mode 100644 index 00000000000..f9b1cf7ed8c --- /dev/null +++ b/queue-4.19/media-rockchip-rga-fix-a-reference-count-leak.patch @@ -0,0 +1,38 @@ +From 8d0fbf54f3e418c84a52c2f3bcc33d4df9d28087 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 01:13:49 +0200 +Subject: media: rockchip/rga: Fix a reference count leak. + +From: Qiushi Wu + +[ Upstream commit 884d638e0853c4b5f01eb6d048fc3b6239012404 ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code. Thus call pm_runtime_put_noidle() +if pm_runtime_get_sync() fails. + +Fixes: f7e7b48e6d79 ("[media] rockchip/rga: v4l2 m2m support") +Signed-off-by: Qiushi Wu +Reviewed-by: Heiko Stuebner +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/rockchip/rga/rga-buf.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/platform/rockchip/rga/rga-buf.c b/drivers/media/platform/rockchip/rga/rga-buf.c +index 356821c2dacf0..0932f1445deab 100644 +--- a/drivers/media/platform/rockchip/rga/rga-buf.c ++++ b/drivers/media/platform/rockchip/rga/rga-buf.c +@@ -89,6 +89,7 @@ static int rga_buf_start_streaming(struct vb2_queue *q, unsigned int count) + + ret = pm_runtime_get_sync(rga->dev); + if (ret < 0) { ++ pm_runtime_put_noidle(rga->dev); + rga_buf_return_buffers(q, VB2_BUF_STATE_QUEUED); + return ret; + } +-- +2.25.1 + diff --git a/queue-4.19/media-s5p-mfc-fix-a-reference-count-leak.patch b/queue-4.19/media-s5p-mfc-fix-a-reference-count-leak.patch new file mode 100644 index 00000000000..d9809151b6e --- /dev/null +++ b/queue-4.19/media-s5p-mfc-fix-a-reference-count-leak.patch @@ -0,0 +1,42 @@ +From 4112ede14617668e7df0e373fda8df0b09681c49 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 04:31:22 +0200 +Subject: media: s5p-mfc: Fix a reference count leak + +From: Qiushi Wu + +[ Upstream commit 78741ce98c2e36188e2343434406b0e0bc50b0e7 ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code, causing incorrect ref count if +pm_runtime_put_noidle() is not called in error handling paths. +Thus call pm_runtime_put_noidle() if pm_runtime_get_sync() fails. + +Fixes: c5086f130a77 ("[media] s5p-mfc: Use clock gating only on MFC v5 hardware") +Signed-off-by: Qiushi Wu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/s5p-mfc/s5p_mfc_pm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc_pm.c b/drivers/media/platform/s5p-mfc/s5p_mfc_pm.c +index 5e080f32b0e82..95abf2bd7ebae 100644 +--- a/drivers/media/platform/s5p-mfc/s5p_mfc_pm.c ++++ b/drivers/media/platform/s5p-mfc/s5p_mfc_pm.c +@@ -83,8 +83,10 @@ int s5p_mfc_power_on(void) + int i, ret = 0; + + ret = pm_runtime_get_sync(pm->device); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put_noidle(pm->device); + return ret; ++ } + + /* clock control */ + for (i = 0; i < pm->num_clocks; i++) { +-- +2.25.1 + diff --git a/queue-4.19/media-saa7134-avoid-a-shift-overflow.patch b/queue-4.19/media-saa7134-avoid-a-shift-overflow.patch new file mode 100644 index 00000000000..0068fc55e98 --- /dev/null +++ b/queue-4.19/media-saa7134-avoid-a-shift-overflow.patch @@ -0,0 +1,39 @@ +From 2fac414dea35f70677d45e4b6cc90c5c8a05f064 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 08:37:12 +0200 +Subject: media: saa7134: avoid a shift overflow + +From: Mauro Carvalho Chehab + +[ Upstream commit 15a36aae1ec1c1f17149b6113b92631791830740 ] + +As reported by smatch: + drivers/media/pci/saa7134//saa7134-tvaudio.c:686 saa_dsp_writel() warn: should 'reg << 2' be a 64 bit type? + +On a 64-bits Kernel, the shift might be bigger than 32 bits. + +In real, this should never happen, but let's shut up the warning. + +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/saa7134/saa7134-tvaudio.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/pci/saa7134/saa7134-tvaudio.c b/drivers/media/pci/saa7134/saa7134-tvaudio.c +index 68d400e1e240e..8c3da6f7a60f1 100644 +--- a/drivers/media/pci/saa7134/saa7134-tvaudio.c ++++ b/drivers/media/pci/saa7134/saa7134-tvaudio.c +@@ -693,7 +693,8 @@ int saa_dsp_writel(struct saa7134_dev *dev, int reg, u32 value) + { + int err; + +- audio_dbg(2, "dsp write reg 0x%x = 0x%06x\n", reg << 2, value); ++ audio_dbg(2, "dsp write reg 0x%x = 0x%06x\n", ++ (reg << 2) & 0xffffffff, value); + err = saa_dsp_wait_bit(dev,SAA7135_DSP_RWSTATE_WRR); + if (err < 0) + return err; +-- +2.25.1 + diff --git a/queue-4.19/media-st-delta-fix-reference-count-leak-in-delta_run.patch b/queue-4.19/media-st-delta-fix-reference-count-leak-in-delta_run.patch new file mode 100644 index 00000000000..1fe6062927b --- /dev/null +++ b/queue-4.19/media-st-delta-fix-reference-count-leak-in-delta_run.patch @@ -0,0 +1,40 @@ +From a2592d2fcb485010b46bd9428e284d9f7b1304a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 05:58:41 +0200 +Subject: media: st-delta: Fix reference count leak in delta_run_work + +From: Aditya Pakki + +[ Upstream commit 57cc666d36adc7b45e37ba4cd7bc4e44ec4c43d7 ] + +delta_run_work() calls delta_get_sync() that increments +the reference counter. In case of failure, decrement the reference +count by calling delta_put_autosuspend(). + +Signed-off-by: Aditya Pakki +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/sti/delta/delta-v4l2.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/sti/delta/delta-v4l2.c b/drivers/media/platform/sti/delta/delta-v4l2.c +index 0b42acd4e3a6e..53dc6da2b09e2 100644 +--- a/drivers/media/platform/sti/delta/delta-v4l2.c ++++ b/drivers/media/platform/sti/delta/delta-v4l2.c +@@ -954,8 +954,10 @@ static void delta_run_work(struct work_struct *work) + /* enable the hardware */ + if (!dec->pm) { + ret = delta_get_sync(ctx); +- if (ret) ++ if (ret) { ++ delta_put_autosuspend(ctx); + goto err; ++ } + } + + /* decode this access unit */ +-- +2.25.1 + diff --git a/queue-4.19/media-sti-fix-reference-count-leaks.patch b/queue-4.19/media-sti-fix-reference-count-leaks.patch new file mode 100644 index 00000000000..a68a9f0d62f --- /dev/null +++ b/queue-4.19/media-sti-fix-reference-count-leaks.patch @@ -0,0 +1,45 @@ +From e1c634d42bbcd185729ded5dc749253b46d40eca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 05:31:06 +0200 +Subject: media: sti: Fix reference count leaks + +From: Qiushi Wu + +[ Upstream commit 6f4432bae9f2d12fc1815b5e26cc07e69bcad0df ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code, causing incorrect ref count if +pm_runtime_put_noidle() is not called in error handling paths. +Thus call pm_runtime_put_noidle() if pm_runtime_get_sync() fails. + +Signed-off-by: Qiushi Wu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/sti/hva/hva-hw.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/media/platform/sti/hva/hva-hw.c b/drivers/media/platform/sti/hva/hva-hw.c +index 7917fd2c4bd4b..166ed30bbfce5 100644 +--- a/drivers/media/platform/sti/hva/hva-hw.c ++++ b/drivers/media/platform/sti/hva/hva-hw.c +@@ -272,6 +272,7 @@ static unsigned long int hva_hw_get_ip_version(struct hva_dev *hva) + + if (pm_runtime_get_sync(dev) < 0) { + dev_err(dev, "%s failed to get pm_runtime\n", HVA_PREFIX); ++ pm_runtime_put_noidle(dev); + mutex_unlock(&hva->protect_mutex); + return -EFAULT; + } +@@ -557,6 +558,7 @@ void hva_hw_dump_regs(struct hva_dev *hva, struct seq_file *s) + + if (pm_runtime_get_sync(dev) < 0) { + seq_puts(s, "Cannot wake up IP\n"); ++ pm_runtime_put_noidle(dev); + mutex_unlock(&hva->protect_mutex); + return; + } +-- +2.25.1 + diff --git a/queue-4.19/media-stm32-dcmi-fix-a-reference-count-leak.patch b/queue-4.19/media-stm32-dcmi-fix-a-reference-count-leak.patch new file mode 100644 index 00000000000..7dcce22668e --- /dev/null +++ b/queue-4.19/media-stm32-dcmi-fix-a-reference-count-leak.patch @@ -0,0 +1,48 @@ +From 20f469aa64a1d343c976b48ea453f154fef165b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 04:36:59 +0200 +Subject: media: stm32-dcmi: Fix a reference count leak + +From: Qiushi Wu + +[ Upstream commit 88f50a05f907d96a27a9ce3cc9e8cbb91a6f0f22 ] + +Calling pm_runtime_get_sync increments the counter even in case of +failure, causing incorrect ref count if pm_runtime_put is not +called in error handling paths. Thus replace the jump target +"err_release_buffers" by "err_pm_putw". + +Fixes: 152e0bf60219 ("media: stm32-dcmi: add power saving support") +Signed-off-by: Qiushi Wu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/stm32/stm32-dcmi.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/media/platform/stm32/stm32-dcmi.c b/drivers/media/platform/stm32/stm32-dcmi.c +index 18d0b56417894..ee1a211797673 100644 +--- a/drivers/media/platform/stm32/stm32-dcmi.c ++++ b/drivers/media/platform/stm32/stm32-dcmi.c +@@ -587,7 +587,7 @@ static int dcmi_start_streaming(struct vb2_queue *vq, unsigned int count) + if (ret < 0) { + dev_err(dcmi->dev, "%s: Failed to start streaming, cannot get sync (%d)\n", + __func__, ret); +- goto err_release_buffers; ++ goto err_pm_put; + } + + /* Enable stream on the sub device */ +@@ -682,8 +682,6 @@ static int dcmi_start_streaming(struct vb2_queue *vq, unsigned int count) + + err_pm_put: + pm_runtime_put(dcmi->dev); +- +-err_release_buffers: + spin_lock_irq(&dcmi->irqlock); + /* + * Return all buffers to vb2 in QUEUED state. +-- +2.25.1 + diff --git a/queue-4.19/media-tc358743-cleanup-tc358743_cec_isr.patch b/queue-4.19/media-tc358743-cleanup-tc358743_cec_isr.patch new file mode 100644 index 00000000000..0f048ff1dae --- /dev/null +++ b/queue-4.19/media-tc358743-cleanup-tc358743_cec_isr.patch @@ -0,0 +1,72 @@ +From 2e5347a97190955c501785207a8a0df273226e6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 20:32:12 +0200 +Subject: media: tc358743: cleanup tc358743_cec_isr + +From: Tom Rix + +[ Upstream commit 877cb8a444dad2304e891294afb0915fe3c278d6 ] + +tc358743_cec_isr is misnammed, it is not the main isr. +So rename it to be consistent with its siblings, +tc358743_cec_handler. + +It also does not check if its input parameter 'handled' is +is non NULL like its siblings, so add a check. + +Fixes: a0ec8d1dc42e ("media: tc358743: add CEC support") +Signed-off-by: Tom Rix +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/tc358743.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c +index 874673218dd6e..d9bc3851bf63b 100644 +--- a/drivers/media/i2c/tc358743.c ++++ b/drivers/media/i2c/tc358743.c +@@ -919,8 +919,8 @@ static const struct cec_adap_ops tc358743_cec_adap_ops = { + .adap_monitor_all_enable = tc358743_cec_adap_monitor_all_enable, + }; + +-static void tc358743_cec_isr(struct v4l2_subdev *sd, u16 intstatus, +- bool *handled) ++static void tc358743_cec_handler(struct v4l2_subdev *sd, u16 intstatus, ++ bool *handled) + { + struct tc358743_state *state = to_state(sd); + unsigned int cec_rxint, cec_txint; +@@ -953,7 +953,8 @@ static void tc358743_cec_isr(struct v4l2_subdev *sd, u16 intstatus, + cec_transmit_attempt_done(state->cec_adap, + CEC_TX_STATUS_ERROR); + } +- *handled = true; ++ if (handled) ++ *handled = true; + } + if ((intstatus & MASK_CEC_RINT) && + (cec_rxint & MASK_CECRIEND)) { +@@ -968,7 +969,8 @@ static void tc358743_cec_isr(struct v4l2_subdev *sd, u16 intstatus, + msg.msg[i] = v & 0xff; + } + cec_received_msg(state->cec_adap, &msg); +- *handled = true; ++ if (handled) ++ *handled = true; + } + i2c_wr16(sd, INTSTATUS, + intstatus & (MASK_CEC_RINT | MASK_CEC_TINT)); +@@ -1432,7 +1434,7 @@ static int tc358743_isr(struct v4l2_subdev *sd, u32 status, bool *handled) + + #ifdef CONFIG_VIDEO_TC358743_CEC + if (intstatus & (MASK_CEC_RINT | MASK_CEC_TINT)) { +- tc358743_cec_isr(sd, intstatus, handled); ++ tc358743_cec_handler(sd, intstatus, handled); + i2c_wr16(sd, INTSTATUS, + intstatus & (MASK_CEC_RINT | MASK_CEC_TINT)); + intstatus &= ~(MASK_CEC_RINT | MASK_CEC_TINT); +-- +2.25.1 + diff --git a/queue-4.19/media-tc358743-initialize-variable.patch b/queue-4.19/media-tc358743-initialize-variable.patch new file mode 100644 index 00000000000..b4745dfaf7d --- /dev/null +++ b/queue-4.19/media-tc358743-initialize-variable.patch @@ -0,0 +1,42 @@ +From 25253d3e5354e253205f4a11c80c98af730ded3c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 30 Aug 2020 18:30:43 +0200 +Subject: media: tc358743: initialize variable + +From: Tom Rix + +[ Upstream commit 274cf92d5dff5c2fec1a518078542ffe70d07646 ] + +clang static analysis flags this error + +tc358743.c:1468:9: warning: Branch condition evaluates + to a garbage value + return handled ? IRQ_HANDLED : IRQ_NONE; + ^~~~~~~ +handled should be initialized to false. + +Fixes: d747b806abf4 ("[media] tc358743: add direct interrupt handling") +Signed-off-by: Tom Rix +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/tc358743.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c +index e4c0a27b636aa..874673218dd6e 100644 +--- a/drivers/media/i2c/tc358743.c ++++ b/drivers/media/i2c/tc358743.c +@@ -1461,7 +1461,7 @@ static int tc358743_isr(struct v4l2_subdev *sd, u32 status, bool *handled) + static irqreturn_t tc358743_irq_handler(int irq, void *dev_id) + { + struct tc358743_state *state = dev_id; +- bool handled; ++ bool handled = false; + + tc358743_isr(&state->sd, 0, &handled); + +-- +2.25.1 + diff --git a/queue-4.19/media-ti-vpe-fix-a-missing-check-and-reference-count.patch b/queue-4.19/media-ti-vpe-fix-a-missing-check-and-reference-count.patch new file mode 100644 index 00000000000..88b71c26729 --- /dev/null +++ b/queue-4.19/media-ti-vpe-fix-a-missing-check-and-reference-count.patch @@ -0,0 +1,42 @@ +From ac55d5812365854153eb0c14dba95d1c382ef3d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 04:56:05 +0200 +Subject: media: ti-vpe: Fix a missing check and reference count leak + +From: Qiushi Wu + +[ Upstream commit 7dae2aaaf432767ca7aa11fa84643a7c2600dbdd ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code, causing incorrect ref count if +pm_runtime_put_noidle() is not called in error handling paths. +And also, when the call of function vpe_runtime_get() failed, +we won't call vpe_runtime_put(). +Thus call pm_runtime_put_noidle() if pm_runtime_get_sync() fails +inside vpe_runtime_get(). + +Fixes: 4571912743ac ("[media] v4l: ti-vpe: Add VPE mem to mem driver") +Signed-off-by: Qiushi Wu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/ti-vpe/vpe.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/media/platform/ti-vpe/vpe.c b/drivers/media/platform/ti-vpe/vpe.c +index a285b9db7ee86..70a8371b7e9a1 100644 +--- a/drivers/media/platform/ti-vpe/vpe.c ++++ b/drivers/media/platform/ti-vpe/vpe.c +@@ -2451,6 +2451,8 @@ static int vpe_runtime_get(struct platform_device *pdev) + + r = pm_runtime_get_sync(&pdev->dev); + WARN_ON(r < 0); ++ if (r) ++ pm_runtime_put_noidle(&pdev->dev); + return r < 0 ? r : 0; + } + +-- +2.25.1 + diff --git a/queue-4.19/media-tuner-simple-fix-regression-in-simple_set_radi.patch b/queue-4.19/media-tuner-simple-fix-regression-in-simple_set_radi.patch new file mode 100644 index 00000000000..cd51167b9ae --- /dev/null +++ b/queue-4.19/media-tuner-simple-fix-regression-in-simple_set_radi.patch @@ -0,0 +1,66 @@ +From c90877e19669f12e5e70ef09706f27ae040ec191 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 22 Aug 2020 23:15:47 +0200 +Subject: media: tuner-simple: fix regression in simple_set_radio_freq + +From: Tom Rix + +[ Upstream commit 505bfc2a142f12ce7bc7a878b44abc3496f2e747 ] + +clang static analysis reports this problem + +tuner-simple.c:714:13: warning: Assigned value is + garbage or undefined + buffer[1] = buffer[3]; + ^ ~~~~~~~~~ +In simple_set_radio_freq buffer[3] used to be done +in-function with a switch of tuner type, now done +by a call to simple_radio_bandswitch which has this case + + case TUNER_TENA_9533_DI: + case TUNER_YMEC_TVF_5533MF: + tuner_dbg("This tuner doesn't ... + return 0; + +which does not set buffer[3]. In the old logic, this case +would have returned 0 from simple_set_radio_freq. + +Recover this old behavior by returning an error for this +codition. Since the old simple_set_radio_freq behavior +returned a 0, do the same. + +Fixes: c7a9f3aa1e1b ("V4L/DVB (7129): tuner-simple: move device-specific code into three separate functions") +Signed-off-by: Tom Rix +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/tuners/tuner-simple.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/tuners/tuner-simple.c b/drivers/media/tuners/tuner-simple.c +index 29c1473f2e9f6..81e24cf0c8b80 100644 +--- a/drivers/media/tuners/tuner-simple.c ++++ b/drivers/media/tuners/tuner-simple.c +@@ -499,7 +499,7 @@ static int simple_radio_bandswitch(struct dvb_frontend *fe, u8 *buffer) + case TUNER_TENA_9533_DI: + case TUNER_YMEC_TVF_5533MF: + tuner_dbg("This tuner doesn't have FM. Most cards have a TEA5767 for FM\n"); +- return 0; ++ return -EINVAL; + case TUNER_PHILIPS_FM1216ME_MK3: + case TUNER_PHILIPS_FM1236_MK3: + case TUNER_PHILIPS_FMD1216ME_MK3: +@@ -701,7 +701,8 @@ static int simple_set_radio_freq(struct dvb_frontend *fe, + TUNER_RATIO_SELECT_50; /* 50 kHz step */ + + /* Bandswitch byte */ +- simple_radio_bandswitch(fe, &buffer[0]); ++ if (simple_radio_bandswitch(fe, &buffer[0])) ++ return 0; + + /* Convert from 1/16 kHz V4L steps to 1/20 MHz (=50 kHz) PLL steps + freq * (1 Mhz / 16000 V4L steps) * (20 PLL steps / 1 MHz) = +-- +2.25.1 + diff --git a/queue-4.19/media-uvcvideo-ensure-all-probed-info-is-returned-to.patch b/queue-4.19/media-uvcvideo-ensure-all-probed-info-is-returned-to.patch new file mode 100644 index 00000000000..1fde161f3a8 --- /dev/null +++ b/queue-4.19/media-uvcvideo-ensure-all-probed-info-is-returned-to.patch @@ -0,0 +1,84 @@ +From 3916677fdeae5fa55cff9adee369640cac89af23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Aug 2020 03:21:33 +0200 +Subject: media: uvcvideo: Ensure all probed info is returned to v4l2 + +From: Adam Goode + +[ Upstream commit 8a652a17e3c005dcdae31b6c8fdf14382a29cbbe ] + +bFrameIndex and bFormatIndex can be negotiated by the camera during +probing, resulting in the camera choosing a different format than +expected. v4l2 can already accommodate such changes, but the code was +not updating the proper fields. + +Without such a change, v4l2 would potentially interpret the payload +incorrectly, causing corrupted output. This was happening on the +Elgato HD60 S+, which currently always renegotiates to format 1. + +As an aside, the Elgato firmware is buggy and should not be renegotating, +but it is still a valid thing for the camera to do. Both macOS and Windows +will properly probe and read uncorrupted images from this camera. + +With this change, both qv4l2 and chromium can now read uncorrupted video +from the Elgato HD60 S+. + +[Add blank lines, remove periods at the of messages] + +Signed-off-by: Adam Goode +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_v4l2.c | 30 ++++++++++++++++++++++++++++++ + 1 file changed, 30 insertions(+) + +diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c +index 18a7384b50ee9..0921c95a1dca5 100644 +--- a/drivers/media/usb/uvc/uvc_v4l2.c ++++ b/drivers/media/usb/uvc/uvc_v4l2.c +@@ -252,11 +252,41 @@ static int uvc_v4l2_try_format(struct uvc_streaming *stream, + if (ret < 0) + goto done; + ++ /* After the probe, update fmt with the values returned from ++ * negotiation with the device. ++ */ ++ for (i = 0; i < stream->nformats; ++i) { ++ if (probe->bFormatIndex == stream->format[i].index) { ++ format = &stream->format[i]; ++ break; ++ } ++ } ++ ++ if (i == stream->nformats) { ++ uvc_trace(UVC_TRACE_FORMAT, "Unknown bFormatIndex %u\n", ++ probe->bFormatIndex); ++ return -EINVAL; ++ } ++ ++ for (i = 0; i < format->nframes; ++i) { ++ if (probe->bFrameIndex == format->frame[i].bFrameIndex) { ++ frame = &format->frame[i]; ++ break; ++ } ++ } ++ ++ if (i == format->nframes) { ++ uvc_trace(UVC_TRACE_FORMAT, "Unknown bFrameIndex %u\n", ++ probe->bFrameIndex); ++ return -EINVAL; ++ } ++ + fmt->fmt.pix.width = frame->wWidth; + fmt->fmt.pix.height = frame->wHeight; + fmt->fmt.pix.field = V4L2_FIELD_NONE; + fmt->fmt.pix.bytesperline = uvc_v4l2_get_bytesperline(format, frame); + fmt->fmt.pix.sizeimage = probe->dwMaxVideoFrameSize; ++ fmt->fmt.pix.pixelformat = format->fcc; + fmt->fmt.pix.colorspace = format->colorspace; + fmt->fmt.pix.priv = 0; + +-- +2.25.1 + diff --git a/queue-4.19/media-uvcvideo-set-media-controller-entity-functions.patch b/queue-4.19/media-uvcvideo-set-media-controller-entity-functions.patch new file mode 100644 index 00000000000..d8fda64d113 --- /dev/null +++ b/queue-4.19/media-uvcvideo-set-media-controller-entity-functions.patch @@ -0,0 +1,78 @@ +From 629720ddeba5b3450dc8effc9d96c1f0191202b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 Jun 2020 04:05:49 +0200 +Subject: media: uvcvideo: Set media controller entity functions + +From: Laurent Pinchart + +[ Upstream commit d6834b4b58d110814aaf3469e7fd87d34ae5ae81 ] + +The media controller core prints a warning when an entity is registered +without a function being set. This affects the uvcvideo driver, as the +warning was added without first addressing the issue in existing +drivers. The problem is harmless, but unnecessarily worries users. Fix +it by mapping UVC entity types to MC entity functions as accurately as +possible using the existing functions. + +Fixes: b50bde4e476d ("[media] v4l2-subdev: use MEDIA_ENT_T_UNKNOWN for new subdevs") +Signed-off-by: Laurent Pinchart +Reviewed-by: Kieran Bingham +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_entity.c | 35 ++++++++++++++++++++++++++++++ + 1 file changed, 35 insertions(+) + +diff --git a/drivers/media/usb/uvc/uvc_entity.c b/drivers/media/usb/uvc/uvc_entity.c +index 554063c07d7a2..f2457953f27c6 100644 +--- a/drivers/media/usb/uvc/uvc_entity.c ++++ b/drivers/media/usb/uvc/uvc_entity.c +@@ -78,10 +78,45 @@ static int uvc_mc_init_entity(struct uvc_video_chain *chain, + int ret; + + if (UVC_ENTITY_TYPE(entity) != UVC_TT_STREAMING) { ++ u32 function; ++ + v4l2_subdev_init(&entity->subdev, &uvc_subdev_ops); + strlcpy(entity->subdev.name, entity->name, + sizeof(entity->subdev.name)); + ++ switch (UVC_ENTITY_TYPE(entity)) { ++ case UVC_VC_SELECTOR_UNIT: ++ function = MEDIA_ENT_F_VID_MUX; ++ break; ++ case UVC_VC_PROCESSING_UNIT: ++ case UVC_VC_EXTENSION_UNIT: ++ /* For lack of a better option. */ ++ function = MEDIA_ENT_F_PROC_VIDEO_PIXEL_FORMATTER; ++ break; ++ case UVC_COMPOSITE_CONNECTOR: ++ case UVC_COMPONENT_CONNECTOR: ++ function = MEDIA_ENT_F_CONN_COMPOSITE; ++ break; ++ case UVC_SVIDEO_CONNECTOR: ++ function = MEDIA_ENT_F_CONN_SVIDEO; ++ break; ++ case UVC_ITT_CAMERA: ++ function = MEDIA_ENT_F_CAM_SENSOR; ++ break; ++ case UVC_TT_VENDOR_SPECIFIC: ++ case UVC_ITT_VENDOR_SPECIFIC: ++ case UVC_ITT_MEDIA_TRANSPORT_INPUT: ++ case UVC_OTT_VENDOR_SPECIFIC: ++ case UVC_OTT_DISPLAY: ++ case UVC_OTT_MEDIA_TRANSPORT_OUTPUT: ++ case UVC_EXTERNAL_VENDOR_SPECIFIC: ++ default: ++ function = MEDIA_ENT_F_V4L2_SUBDEV_UNKNOWN; ++ break; ++ } ++ ++ entity->subdev.entity.function = function; ++ + ret = media_entity_pads_init(&entity->subdev.entity, + entity->num_pads, entity->pads); + +-- +2.25.1 + diff --git a/queue-4.19/media-uvcvideo-silence-shift-out-of-bounds-warning.patch b/queue-4.19/media-uvcvideo-silence-shift-out-of-bounds-warning.patch new file mode 100644 index 00000000000..7afaa66db69 --- /dev/null +++ b/queue-4.19/media-uvcvideo-silence-shift-out-of-bounds-warning.patch @@ -0,0 +1,54 @@ +From 6299058bde6761747b628405551d89f56e0c5437 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Aug 2020 01:56:49 +0200 +Subject: media: uvcvideo: Silence shift-out-of-bounds warning + +From: Laurent Pinchart + +[ Upstream commit 171994e498a0426cbe17f874c5c6af3c0af45200 ] + +UBSAN reports a shift-out-of-bounds warning in uvc_get_le_value(). The +report is correct, but the issue should be harmless as the computed +value isn't used when the shift is negative. This may however cause +incorrect behaviour if a negative shift could generate adverse side +effects (such as a trap on some architectures for instance). + +Regardless of whether that may happen or not, silence the warning as a +full WARN backtrace isn't nice. + +Reported-by: Bart Van Assche +Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver") +Signed-off-by: Laurent Pinchart +Reviewed-by: Bart Van Assche +Tested-by: Bart Van Assche +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_ctrl.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c +index f2854337cdcac..abfc49901222e 100644 +--- a/drivers/media/usb/uvc/uvc_ctrl.c ++++ b/drivers/media/usb/uvc/uvc_ctrl.c +@@ -778,12 +778,16 @@ static s32 uvc_get_le_value(struct uvc_control_mapping *mapping, + offset &= 7; + mask = ((1LL << bits) - 1) << offset; + +- for (; bits > 0; data++) { ++ while (1) { + u8 byte = *data & mask; + value |= offset > 0 ? (byte >> offset) : (byte << (-offset)); + bits -= 8 - (offset > 0 ? offset : 0); ++ if (bits <= 0) ++ break; ++ + offset -= 8; + mask = (1 << bits) - 1; ++ data++; + } + + /* Sign-extend the value if needed. */ +-- +2.25.1 + diff --git a/queue-4.19/media-venus-core-fix-runtime-pm-imbalance-in-venus_p.patch b/queue-4.19/media-venus-core-fix-runtime-pm-imbalance-in-venus_p.patch new file mode 100644 index 00000000000..eb32f7c5a92 --- /dev/null +++ b/queue-4.19/media-venus-core-fix-runtime-pm-imbalance-in-venus_p.patch @@ -0,0 +1,53 @@ +From 7f98bdf27a4151c2bfc830b5cdedd5579ef6961c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Jun 2020 07:55:23 +0200 +Subject: media: venus: core: Fix runtime PM imbalance in venus_probe + +From: Dinghao Liu + +[ Upstream commit bbe516e976fce538db96bd2b7287df942faa14a3 ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code. Thus a pairing decrement is needed on +the error handling path to keep the counter balanced. For other error +paths after this call, things are the same. + +Fix this by adding pm_runtime_put_noidle() after 'err_runtime_disable' +label. But in this case, the error path after pm_runtime_put_sync() +will decrease PM usage counter twice. Thus add an extra +pm_runtime_get_noresume() in this path to balance PM counter. + +Signed-off-by: Dinghao Liu +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/qcom/venus/core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/qcom/venus/core.c b/drivers/media/platform/qcom/venus/core.c +index 60069869596cb..168f5af6abcc2 100644 +--- a/drivers/media/platform/qcom/venus/core.c ++++ b/drivers/media/platform/qcom/venus/core.c +@@ -321,8 +321,10 @@ static int venus_probe(struct platform_device *pdev) + goto err_dev_unregister; + + ret = pm_runtime_put_sync(dev); +- if (ret) ++ if (ret) { ++ pm_runtime_get_noresume(dev); + goto err_dev_unregister; ++ } + + return 0; + +@@ -333,6 +335,7 @@ static int venus_probe(struct platform_device *pdev) + err_venus_shutdown: + venus_shutdown(dev); + err_runtime_disable: ++ pm_runtime_put_noidle(dev); + pm_runtime_set_suspended(dev); + pm_runtime_disable(dev); + hfi_destroy(core); +-- +2.25.1 + diff --git a/queue-4.19/media-vsp1-fix-runtime-pm-imbalance-on-error.patch b/queue-4.19/media-vsp1-fix-runtime-pm-imbalance-on-error.patch new file mode 100644 index 00000000000..00dcad20490 --- /dev/null +++ b/queue-4.19/media-vsp1-fix-runtime-pm-imbalance-on-error.patch @@ -0,0 +1,59 @@ +From f5ef9a1f240f2487e5317e68244ab7c5384f1dbc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Jun 2020 07:29:19 +0200 +Subject: media: vsp1: Fix runtime PM imbalance on error + +From: Dinghao Liu + +[ Upstream commit 98fae901c8883640202802174a4bd70a1b9118bd ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code. Thus a pairing decrement is needed on +the error handling path to keep the counter balanced. + +Signed-off-by: Dinghao Liu +Reviewed-by: Kieran Bingham +Reviewed-by: Laurent Pinchart +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/vsp1/vsp1_drv.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/platform/vsp1/vsp1_drv.c b/drivers/media/platform/vsp1/vsp1_drv.c +index b6619c9c18bb4..4e6530ee809af 100644 +--- a/drivers/media/platform/vsp1/vsp1_drv.c ++++ b/drivers/media/platform/vsp1/vsp1_drv.c +@@ -562,7 +562,12 @@ int vsp1_device_get(struct vsp1_device *vsp1) + int ret; + + ret = pm_runtime_get_sync(vsp1->dev); +- return ret < 0 ? ret : 0; ++ if (ret < 0) { ++ pm_runtime_put_noidle(vsp1->dev); ++ return ret; ++ } ++ ++ return 0; + } + + /* +@@ -845,12 +850,12 @@ static int vsp1_probe(struct platform_device *pdev) + /* Configure device parameters based on the version register. */ + pm_runtime_enable(&pdev->dev); + +- ret = pm_runtime_get_sync(&pdev->dev); ++ ret = vsp1_device_get(vsp1); + if (ret < 0) + goto done; + + vsp1->version = vsp1_read(vsp1, VI6_IP_VERSION); +- pm_runtime_put_sync(&pdev->dev); ++ vsp1_device_put(vsp1); + + for (i = 0; i < ARRAY_SIZE(vsp1_device_infos); ++i) { + if ((vsp1->version & VI6_IP_VERSION_MODEL_MASK) == +-- +2.25.1 + diff --git a/queue-4.19/memory-fsl-corenet-cf-fix-handling-of-platform_get_i.patch b/queue-4.19/memory-fsl-corenet-cf-fix-handling-of-platform_get_i.patch new file mode 100644 index 00000000000..471adebb4ea --- /dev/null +++ b/queue-4.19/memory-fsl-corenet-cf-fix-handling-of-platform_get_i.patch @@ -0,0 +1,40 @@ +From 449e8c8133a5e15b982521c194aa69ab86cc9c67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Aug 2020 09:33:15 +0200 +Subject: memory: fsl-corenet-cf: Fix handling of platform_get_irq() error + +From: Krzysztof Kozlowski + +[ Upstream commit dd85345abca60a8916617e8d75c0f9ce334336dd ] + +platform_get_irq() returns -ERRNO on error. In such case comparison +to 0 would pass the check. + +Fixes: 54afbec0d57f ("memory: Freescale CoreNet Coherency Fabric error reporting driver") +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20200827073315.29351-1-krzk@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/memory/fsl-corenet-cf.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/memory/fsl-corenet-cf.c b/drivers/memory/fsl-corenet-cf.c +index 662d050243bec..2fbf8d09af36b 100644 +--- a/drivers/memory/fsl-corenet-cf.c ++++ b/drivers/memory/fsl-corenet-cf.c +@@ -215,10 +215,8 @@ static int ccf_probe(struct platform_device *pdev) + dev_set_drvdata(&pdev->dev, ccf); + + irq = platform_get_irq(pdev, 0); +- if (!irq) { +- dev_err(&pdev->dev, "%s: no irq\n", __func__); +- return -ENXIO; +- } ++ if (irq < 0) ++ return irq; + + ret = devm_request_irq(&pdev->dev, irq, ccf_irq, 0, pdev->name, ccf); + if (ret) { +-- +2.25.1 + diff --git a/queue-4.19/memory-omap-gpmc-fix-a-couple-off-by-ones.patch b/queue-4.19/memory-omap-gpmc-fix-a-couple-off-by-ones.patch new file mode 100644 index 00000000000..2ea4968ab70 --- /dev/null +++ b/queue-4.19/memory-omap-gpmc-fix-a-couple-off-by-ones.patch @@ -0,0 +1,48 @@ +From 17c5adf4bc1906191e534be5749b52164cd8c094 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Aug 2020 13:47:07 +0300 +Subject: memory: omap-gpmc: Fix a couple off by ones + +From: Dan Carpenter + +[ Upstream commit 4c54228ac8fd55044195825873c50a524131fa53 ] + +These comparisons should be >= instead of > to prevent reading one +element beyond the end of the gpmc_cs[] array. + +Fixes: cdd6928c589a ("ARM: OMAP2+: Add device-tree support for NOR flash") +Fixes: f37e4580c409 ("ARM: OMAP2: Dynamic allocator for GPMC memory space") +Signed-off-by: Dan Carpenter +Acked-by: Roger Quadros +Link: https://lore.kernel.org/r/20200825104707.GB278587@mwanda +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + drivers/memory/omap-gpmc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/memory/omap-gpmc.c b/drivers/memory/omap-gpmc.c +index 1c6a7c16e0c17..f5a89e78b7b2b 100644 +--- a/drivers/memory/omap-gpmc.c ++++ b/drivers/memory/omap-gpmc.c +@@ -951,7 +951,7 @@ static int gpmc_cs_remap(int cs, u32 base) + int ret; + u32 old_base, size; + +- if (cs > gpmc_cs_num) { ++ if (cs >= gpmc_cs_num) { + pr_err("%s: requested chip-select is disabled\n", __func__); + return -ENODEV; + } +@@ -986,7 +986,7 @@ int gpmc_cs_request(int cs, unsigned long size, unsigned long *base) + struct resource *res = &gpmc->mem; + int r = -1; + +- if (cs > gpmc_cs_num) { ++ if (cs >= gpmc_cs_num) { + pr_err("%s: requested chip-select is disabled\n", __func__); + return -ENODEV; + } +-- +2.25.1 + diff --git a/queue-4.19/memory-omap-gpmc-fix-build-error-without-config_of.patch b/queue-4.19/memory-omap-gpmc-fix-build-error-without-config_of.patch new file mode 100644 index 00000000000..1555831ef71 --- /dev/null +++ b/queue-4.19/memory-omap-gpmc-fix-build-error-without-config_of.patch @@ -0,0 +1,45 @@ +From 350451c49c18c3fee9eeb8399e89aec86e37b569 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Aug 2020 20:53:16 +0800 +Subject: memory: omap-gpmc: Fix build error without CONFIG_OF + +From: YueHaibing + +[ Upstream commit 13d029ee51da365aa9c859db0c7395129252bde8 ] + +If CONFIG_OF is n, gcc fails: + +drivers/memory/omap-gpmc.o: In function `gpmc_omap_onenand_set_timings': + omap-gpmc.c:(.text+0x2a88): undefined reference to `gpmc_read_settings_dt' + +Add gpmc_read_settings_dt() helper function, which zero the gpmc_settings +so the caller doesn't proceed with random/invalid settings. + +Fixes: a758f50f10cf ("mtd: onenand: omap2: Configure driver from DT") +Signed-off-by: YueHaibing +Acked-by: Roger Quadros +Link: https://lore.kernel.org/r/20200827125316.20780-1-yuehaibing@huawei.com +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + drivers/memory/omap-gpmc.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/memory/omap-gpmc.c b/drivers/memory/omap-gpmc.c +index f5a89e78b7b2b..2ca507f3a58c3 100644 +--- a/drivers/memory/omap-gpmc.c ++++ b/drivers/memory/omap-gpmc.c +@@ -2278,6 +2278,10 @@ static void gpmc_probe_dt_children(struct platform_device *pdev) + } + } + #else ++void gpmc_read_settings_dt(struct device_node *np, struct gpmc_settings *p) ++{ ++ memset(p, 0, sizeof(*p)); ++} + static int gpmc_probe_dt(struct platform_device *pdev) + { + return 0; +-- +2.25.1 + diff --git a/queue-4.19/mfd-sm501-fix-leaks-in-probe.patch b/queue-4.19/mfd-sm501-fix-leaks-in-probe.patch new file mode 100644 index 00000000000..7f496035fb7 --- /dev/null +++ b/queue-4.19/mfd-sm501-fix-leaks-in-probe.patch @@ -0,0 +1,42 @@ +From 8409a010df1eeae97885013531e91209375a6573 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Sep 2020 14:33:26 +0300 +Subject: mfd: sm501: Fix leaks in probe() + +From: Dan Carpenter + +[ Upstream commit 8ce24f8967df2836b4557a23e74dc4bb098249f1 ] + +This code should clean up if sm501_init_dev() fails. + +Fixes: b6d6454fdb66 ("[PATCH] mfd: SM501 core driver") +Signed-off-by: Dan Carpenter +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/sm501.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/mfd/sm501.c b/drivers/mfd/sm501.c +index e0173bf4b0dc7..ec1ac61a21ed1 100644 +--- a/drivers/mfd/sm501.c ++++ b/drivers/mfd/sm501.c +@@ -1429,8 +1429,14 @@ static int sm501_plat_probe(struct platform_device *dev) + goto err_claim; + } + +- return sm501_init_dev(sm); ++ ret = sm501_init_dev(sm); ++ if (ret) ++ goto err_unmap; ++ ++ return 0; + ++ err_unmap: ++ iounmap(sm->regs); + err_claim: + release_resource(sm->regs_claim); + kfree(sm->regs_claim); +-- +2.25.1 + diff --git a/queue-4.19/mic-vop-copy-data-to-kernel-space-then-write-to-io-m.patch b/queue-4.19/mic-vop-copy-data-to-kernel-space-then-write-to-io-m.patch new file mode 100644 index 00000000000..8423e90f656 --- /dev/null +++ b/queue-4.19/mic-vop-copy-data-to-kernel-space-then-write-to-io-m.patch @@ -0,0 +1,63 @@ +From 81f64d3ebe7de8c172c7c7e73764a94fdc784407 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Sep 2020 17:11:06 +0800 +Subject: mic: vop: copy data to kernel space then write to io memory + +From: Sherry Sun + +[ Upstream commit 675f0ad4046946e80412896436164d172cd92238 ] + +Read and write io memory should address align on ARCH ARM. Change to use +memcpy_toio to avoid kernel panic caused by the address un-align issue. + +Signed-off-by: Sherry Sun +Signed-off-by: Joakim Zhang +Link: https://lore.kernel.org/r/20200929091106.24624-5-sherry.sun@nxp.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/mic/vop/vop_vringh.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +diff --git a/drivers/misc/mic/vop/vop_vringh.c b/drivers/misc/mic/vop/vop_vringh.c +index cbc8ebcff5cfe..3cc68b028cfae 100644 +--- a/drivers/misc/mic/vop/vop_vringh.c ++++ b/drivers/misc/mic/vop/vop_vringh.c +@@ -611,6 +611,7 @@ static int vop_virtio_copy_from_user(struct vop_vdev *vdev, void __user *ubuf, + size_t partlen; + bool dma = VOP_USE_DMA; + int err = 0; ++ size_t offset = 0; + + if (daddr & (dma_alignment - 1)) { + vdev->tx_dst_unaligned += len; +@@ -659,13 +660,20 @@ static int vop_virtio_copy_from_user(struct vop_vdev *vdev, void __user *ubuf, + * We are copying to IO below and should ideally use something + * like copy_from_user_toio(..) if it existed. + */ +- if (copy_from_user((void __force *)dbuf, ubuf, len)) { +- err = -EFAULT; +- dev_err(vop_dev(vdev), "%s %d err %d\n", +- __func__, __LINE__, err); +- goto err; ++ while (len) { ++ partlen = min_t(size_t, len, VOP_INT_DMA_BUF_SIZE); ++ ++ if (copy_from_user(vvr->buf, ubuf + offset, partlen)) { ++ err = -EFAULT; ++ dev_err(vop_dev(vdev), "%s %d err %d\n", ++ __func__, __LINE__, err); ++ goto err; ++ } ++ memcpy_toio(dbuf + offset, vvr->buf, partlen); ++ offset += partlen; ++ vdev->out_bytes += partlen; ++ len -= partlen; + } +- vdev->out_bytes += len; + err = 0; + err: + vpdev->hw_ops->iounmap(vpdev, dbuf); +-- +2.25.1 + diff --git a/queue-4.19/misc-mic-scif-fix-error-handling-path.patch b/queue-4.19/misc-mic-scif-fix-error-handling-path.patch new file mode 100644 index 00000000000..ec82c3f5e27 --- /dev/null +++ b/queue-4.19/misc-mic-scif-fix-error-handling-path.patch @@ -0,0 +1,65 @@ +From db81bfb7447858c39d9d0979542227051cffe194 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Sep 2020 08:21:35 +0530 +Subject: misc: mic: scif: Fix error handling path + +From: Souptick Joarder + +[ Upstream commit a81072a9c0ae734b7889929b0bc070fe3f353f0e ] + +Inside __scif_pin_pages(), when map_flags != SCIF_MAP_KERNEL it +will call pin_user_pages_fast() to map nr_pages. However, +pin_user_pages_fast() might fail with a return value -ERRNO. + +The return value is stored in pinned_pages->nr_pages. which in +turn is passed to unpin_user_pages(), which expects +pinned_pages->nr_pages >=0, else disaster. + +Fix this by assigning pinned_pages->nr_pages to 0 if +pin_user_pages_fast() returns -ERRNO. + +Fixes: ba612aa8b487 ("misc: mic: SCIF memory registration and unregistration") +Cc: John Hubbard +Cc: Ira Weiny +Cc: Dan Carpenter +Reviewed-by: John Hubbard +Signed-off-by: Souptick Joarder +Link: https://lore.kernel.org/r/1600570295-29546-1-git-send-email-jrdr.linux@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/mic/scif/scif_rma.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/misc/mic/scif/scif_rma.c b/drivers/misc/mic/scif/scif_rma.c +index 0e4193cb08cf1..e1f59b17715d5 100644 +--- a/drivers/misc/mic/scif/scif_rma.c ++++ b/drivers/misc/mic/scif/scif_rma.c +@@ -1403,6 +1403,8 @@ int __scif_pin_pages(void *addr, size_t len, int *out_prot, + NULL); + up_write(&mm->mmap_sem); + if (nr_pages != pinned_pages->nr_pages) { ++ if (pinned_pages->nr_pages < 0) ++ pinned_pages->nr_pages = 0; + if (try_upgrade) { + if (ulimit) + __scif_dec_pinned_vm_lock(mm, +@@ -1423,7 +1425,6 @@ int __scif_pin_pages(void *addr, size_t len, int *out_prot, + + if (pinned_pages->nr_pages < nr_pages) { + err = -EFAULT; +- pinned_pages->nr_pages = nr_pages; + goto dec_pinned; + } + +@@ -1436,7 +1437,6 @@ int __scif_pin_pages(void *addr, size_t len, int *out_prot, + __scif_dec_pinned_vm_lock(mm, nr_pages, 0); + /* Something went wrong! Rollback */ + error_unmap: +- pinned_pages->nr_pages = nr_pages; + scif_destroy_pinned_pages(pinned_pages); + *pages = NULL; + dev_dbg(scif_info.mdev.this_device, +-- +2.25.1 + diff --git a/queue-4.19/misc-rtsx-fix-memory-leak-in-rtsx_pci_probe.patch b/queue-4.19/misc-rtsx-fix-memory-leak-in-rtsx_pci_probe.patch new file mode 100644 index 00000000000..ac4dea227bd --- /dev/null +++ b/queue-4.19/misc-rtsx-fix-memory-leak-in-rtsx_pci_probe.patch @@ -0,0 +1,46 @@ +From 19a587b78f5cd094ccb3bcb443aaa2fb51e39c14 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Sep 2020 07:18:51 +0000 +Subject: misc: rtsx: Fix memory leak in rtsx_pci_probe + +From: Keita Suzuki + +[ Upstream commit bc28369c6189009b66d9619dd9f09bd8c684bb98 ] + +When mfd_add_devices() fail, pcr->slots should also be freed. However, +the current implementation does not free the member, leading to a memory +leak. + +Fix this by adding a new goto label that frees pcr->slots. + +Signed-off-by: Keita Suzuki +Link: https://lore.kernel.org/r/20200909071853.4053-1-keitasuzuki.park@sslab.ics.keio.ac.jp +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/cardreader/rtsx_pcr.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/misc/cardreader/rtsx_pcr.c b/drivers/misc/cardreader/rtsx_pcr.c +index 5c5d0241603a3..3eb3c237f3398 100644 +--- a/drivers/misc/cardreader/rtsx_pcr.c ++++ b/drivers/misc/cardreader/rtsx_pcr.c +@@ -1524,12 +1524,14 @@ static int rtsx_pci_probe(struct pci_dev *pcidev, + ret = mfd_add_devices(&pcidev->dev, pcr->id, rtsx_pcr_cells, + ARRAY_SIZE(rtsx_pcr_cells), NULL, 0, NULL); + if (ret < 0) +- goto disable_irq; ++ goto free_slots; + + schedule_delayed_work(&pcr->idle_work, msecs_to_jiffies(200)); + + return 0; + ++free_slots: ++ kfree(pcr->slots); + disable_irq: + free_irq(pcr->irq, (void *)pcr); + disable_msi: +-- +2.25.1 + diff --git a/queue-4.19/misc-vop-add-round_up-x-4-for-vring_size-to-avoid-ke.patch b/queue-4.19/misc-vop-add-round_up-x-4-for-vring_size-to-avoid-ke.patch new file mode 100644 index 00000000000..c195e023e9b --- /dev/null +++ b/queue-4.19/misc-vop-add-round_up-x-4-for-vring_size-to-avoid-ke.patch @@ -0,0 +1,91 @@ +From 798dbeaf19bc72b2d453b5c5f13c36e9af2e113b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Sep 2020 17:11:05 +0800 +Subject: misc: vop: add round_up(x,4) for vring_size to avoid kernel panic + +From: Sherry Sun + +[ Upstream commit cc1a2679865a94b83804822996eed010a50a7c1d ] + +Since struct _mic_vring_info and vring are allocated together and follow +vring, if the vring_size() is not four bytes aligned, which will cause +the start address of struct _mic_vring_info is not four byte aligned. +For example, when vring entries is 128, the vring_size() will be 5126 +bytes. The _mic_vring_info struct layout in ddr looks like: +0x90002400: 00000000 00390000 EE010000 0000C0FF +Here 0x39 is the avail_idx member, and 0xC0FFEE01 is the magic member. + +When EP use ioread32(magic) to reads the magic in RC's share memory, it +will cause kernel panic on ARM64 platform due to the cross-byte io read. +Here read magic in user space use le32toh(vr0->info->magic) will meet +the same issue. +So add round_up(x,4) for vring_size, then the struct _mic_vring_info +will store in this way: +0x90002400: 00000000 00000000 00000039 C0FFEE01 +Which will avoid kernel panic when read magic in struct _mic_vring_info. + +Signed-off-by: Sherry Sun +Signed-off-by: Joakim Zhang +Link: https://lore.kernel.org/r/20200929091106.24624-4-sherry.sun@nxp.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/mic/vop/vop_main.c | 2 +- + drivers/misc/mic/vop/vop_vringh.c | 4 ++-- + samples/mic/mpssd/mpssd.c | 4 ++-- + 3 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/misc/mic/vop/vop_main.c b/drivers/misc/mic/vop/vop_main.c +index de7f035a176df..f4332a97c6917 100644 +--- a/drivers/misc/mic/vop/vop_main.c ++++ b/drivers/misc/mic/vop/vop_main.c +@@ -301,7 +301,7 @@ static struct virtqueue *vop_find_vq(struct virtio_device *dev, + /* First assign the vring's allocated in host memory */ + vqconfig = _vop_vq_config(vdev->desc) + index; + memcpy_fromio(&config, vqconfig, sizeof(config)); +- _vr_size = vring_size(le16_to_cpu(config.num), MIC_VIRTIO_RING_ALIGN); ++ _vr_size = round_up(vring_size(le16_to_cpu(config.num), MIC_VIRTIO_RING_ALIGN), 4); + vr_size = PAGE_ALIGN(_vr_size + sizeof(struct _mic_vring_info)); + va = vpdev->hw_ops->ioremap(vpdev, le64_to_cpu(config.address), + vr_size); +diff --git a/drivers/misc/mic/vop/vop_vringh.c b/drivers/misc/mic/vop/vop_vringh.c +index 3cc68b028cfae..a252c2199b937 100644 +--- a/drivers/misc/mic/vop/vop_vringh.c ++++ b/drivers/misc/mic/vop/vop_vringh.c +@@ -308,7 +308,7 @@ static int vop_virtio_add_device(struct vop_vdev *vdev, + + num = le16_to_cpu(vqconfig[i].num); + mutex_init(&vvr->vr_mutex); +- vr_size = PAGE_ALIGN(vring_size(num, MIC_VIRTIO_RING_ALIGN) + ++ vr_size = PAGE_ALIGN(round_up(vring_size(num, MIC_VIRTIO_RING_ALIGN), 4) + + sizeof(struct _mic_vring_info)); + vr->va = (void *) + __get_free_pages(GFP_KERNEL | __GFP_ZERO, +@@ -320,7 +320,7 @@ static int vop_virtio_add_device(struct vop_vdev *vdev, + goto err; + } + vr->len = vr_size; +- vr->info = vr->va + vring_size(num, MIC_VIRTIO_RING_ALIGN); ++ vr->info = vr->va + round_up(vring_size(num, MIC_VIRTIO_RING_ALIGN), 4); + vr->info->magic = cpu_to_le32(MIC_MAGIC + vdev->virtio_id + i); + vr_addr = dma_map_single(&vpdev->dev, vr->va, vr_size, + DMA_BIDIRECTIONAL); +diff --git a/samples/mic/mpssd/mpssd.c b/samples/mic/mpssd/mpssd.c +index f42ce551bb48f..a50d27473e125 100644 +--- a/samples/mic/mpssd/mpssd.c ++++ b/samples/mic/mpssd/mpssd.c +@@ -414,9 +414,9 @@ mic_virtio_copy(struct mic_info *mic, int fd, + + static inline unsigned _vring_size(unsigned int num, unsigned long align) + { +- return ((sizeof(struct vring_desc) * num + sizeof(__u16) * (3 + num) ++ return _ALIGN_UP(((sizeof(struct vring_desc) * num + sizeof(__u16) * (3 + num) + + align - 1) & ~(align - 1)) +- + sizeof(__u16) * 3 + sizeof(struct vring_used_elem) * num; ++ + sizeof(__u16) * 3 + sizeof(struct vring_used_elem) * num, 4); + } + + /* +-- +2.25.1 + diff --git a/queue-4.19/mm-memcg-fix-device-private-memcg-accounting.patch b/queue-4.19/mm-memcg-fix-device-private-memcg-accounting.patch new file mode 100644 index 00000000000..1572e26ac65 --- /dev/null +++ b/queue-4.19/mm-memcg-fix-device-private-memcg-accounting.patch @@ -0,0 +1,61 @@ +From 7300cbf745a55cabfed7ad7cb7f808f700cbd5f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Oct 2020 16:53:13 -0700 +Subject: mm/memcg: fix device private memcg accounting + +From: Ralph Campbell + +[ Upstream commit 9a137153fc8798a89d8fce895cd0a06ea5b8e37c ] + +The code in mc_handle_swap_pte() checks for non_swap_entry() and returns +NULL before checking is_device_private_entry() so device private pages are +never handled. Fix this by checking for non_swap_entry() after handling +device private swap PTEs. + +I assume the memory cgroup accounting would be off somehow when moving +a process to another memory cgroup. Currently, the device private page +is charged like a normal anonymous page when allocated and is uncharged +when the page is freed so I think that path is OK. + +Signed-off-by: Ralph Campbell +Signed-off-by: Andrew Morton +Acked-by: Johannes Weiner +Cc: Michal Hocko +Cc: Vladimir Davydov +Cc: Jerome Glisse +Cc: Balbir Singh +Cc: Ira Weiny +Link: https://lkml.kernel.org/r/20201009215952.2726-1-rcampbell@nvidia.com +xFixes: c733a82874a7 ("mm/memcontrol: support MEMORY_DEVICE_PRIVATE") +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/memcontrol.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/mm/memcontrol.c b/mm/memcontrol.c +index aa730a3d5c258..87cd5bf1b4874 100644 +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -4780,7 +4780,7 @@ static struct page *mc_handle_swap_pte(struct vm_area_struct *vma, + struct page *page = NULL; + swp_entry_t ent = pte_to_swp_entry(ptent); + +- if (!(mc.flags & MOVE_ANON) || non_swap_entry(ent)) ++ if (!(mc.flags & MOVE_ANON)) + return NULL; + + /* +@@ -4799,6 +4799,9 @@ static struct page *mc_handle_swap_pte(struct vm_area_struct *vma, + return page; + } + ++ if (non_swap_entry(ent)) ++ return NULL; ++ + /* + * Because lookup_swap_cache() updates some statistics counter, + * we call find_get_page() with swapper_space directly. +-- +2.25.1 + diff --git a/queue-4.19/mm-oom_adj-don-t-loop-through-tasks-in-__set_oom_adj.patch b/queue-4.19/mm-oom_adj-don-t-loop-through-tasks-in-__set_oom_adj.patch new file mode 100644 index 00000000000..3e61f7790ff --- /dev/null +++ b/queue-4.19/mm-oom_adj-don-t-loop-through-tasks-in-__set_oom_adj.patch @@ -0,0 +1,187 @@ +From ee290ac68a6668de0ba9e967898f54e0c4141cc9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Oct 2020 16:58:35 -0700 +Subject: mm, oom_adj: don't loop through tasks in __set_oom_adj when not + necessary + +From: Suren Baghdasaryan + +[ Upstream commit 67197a4f28d28d0b073ab0427b03cb2ee5382578 ] + +Currently __set_oom_adj loops through all processes in the system to keep +oom_score_adj and oom_score_adj_min in sync between processes sharing +their mm. This is done for any task with more that one mm_users, which +includes processes with multiple threads (sharing mm and signals). +However for such processes the loop is unnecessary because their signal +structure is shared as well. + +Android updates oom_score_adj whenever a tasks changes its role +(background/foreground/...) or binds to/unbinds from a service, making it +more/less important. Such operation can happen frequently. We noticed +that updates to oom_score_adj became more expensive and after further +investigation found out that the patch mentioned in "Fixes" introduced a +regression. Using Pixel 4 with a typical Android workload, write time to +oom_score_adj increased from ~3.57us to ~362us. Moreover this regression +linearly depends on the number of multi-threaded processes running on the +system. + +Mark the mm with a new MMF_MULTIPROCESS flag bit when task is created with +(CLONE_VM && !CLONE_THREAD && !CLONE_VFORK). Change __set_oom_adj to use +MMF_MULTIPROCESS instead of mm_users to decide whether oom_score_adj +update should be synchronized between multiple processes. To prevent +races between clone() and __set_oom_adj(), when oom_score_adj of the +process being cloned might be modified from userspace, we use +oom_adj_mutex. Its scope is changed to global. + +The combination of (CLONE_VM && !CLONE_THREAD) is rarely used except for +the case of vfork(). To prevent performance regressions of vfork(), we +skip taking oom_adj_mutex and setting MMF_MULTIPROCESS when CLONE_VFORK is +specified. Clearing the MMF_MULTIPROCESS flag (when the last process +sharing the mm exits) is left out of this patch to keep it simple and +because it is believed that this threading model is rare. Should there +ever be a need for optimizing that case as well, it can be done by hooking +into the exit path, likely following the mm_update_next_owner pattern. + +With the combination of (CLONE_VM && !CLONE_THREAD && !CLONE_VFORK) being +quite rare, the regression is gone after the change is applied. + +[surenb@google.com: v3] + Link: https://lkml.kernel.org/r/20200902012558.2335613-1-surenb@google.com + +Fixes: 44a70adec910 ("mm, oom_adj: make sure processes sharing mm have same view of oom_score_adj") +Reported-by: Tim Murray +Suggested-by: Michal Hocko +Signed-off-by: Suren Baghdasaryan +Signed-off-by: Andrew Morton +Acked-by: Christian Brauner +Acked-by: Michal Hocko +Acked-by: Oleg Nesterov +Cc: Ingo Molnar +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Eugene Syromiatnikov +Cc: Christian Kellner +Cc: Adrian Reber +Cc: Shakeel Butt +Cc: Aleksa Sarai +Cc: Alexey Dobriyan +Cc: "Eric W. Biederman" +Cc: Alexey Gladkov +Cc: Michel Lespinasse +Cc: Daniel Jordan +Cc: Andrei Vagin +Cc: Bernd Edlinger +Cc: John Johansen +Cc: Yafang Shao +Link: https://lkml.kernel.org/r/20200824153036.3201505-1-surenb@google.com +Debugged-by: Minchan Kim +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/proc/base.c | 3 +-- + include/linux/oom.h | 1 + + include/linux/sched/coredump.h | 1 + + kernel/fork.c | 21 +++++++++++++++++++++ + mm/oom_kill.c | 2 ++ + 5 files changed, 26 insertions(+), 2 deletions(-) + +diff --git a/fs/proc/base.c b/fs/proc/base.c +index 3b9b726b1a6ca..5e705fa9a913d 100644 +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -1035,7 +1035,6 @@ static ssize_t oom_adj_read(struct file *file, char __user *buf, size_t count, + + static int __set_oom_adj(struct file *file, int oom_adj, bool legacy) + { +- static DEFINE_MUTEX(oom_adj_mutex); + struct mm_struct *mm = NULL; + struct task_struct *task; + int err = 0; +@@ -1075,7 +1074,7 @@ static int __set_oom_adj(struct file *file, int oom_adj, bool legacy) + struct task_struct *p = find_lock_task_mm(task); + + if (p) { +- if (atomic_read(&p->mm->mm_users) > 1) { ++ if (test_bit(MMF_MULTIPROCESS, &p->mm->flags)) { + mm = p->mm; + mmgrab(mm); + } +diff --git a/include/linux/oom.h b/include/linux/oom.h +index 69864a547663e..3f649be179dad 100644 +--- a/include/linux/oom.h ++++ b/include/linux/oom.h +@@ -45,6 +45,7 @@ struct oom_control { + }; + + extern struct mutex oom_lock; ++extern struct mutex oom_adj_mutex; + + static inline void set_current_oom_origin(void) + { +diff --git a/include/linux/sched/coredump.h b/include/linux/sched/coredump.h +index ecdc6542070f1..dfd82eab29025 100644 +--- a/include/linux/sched/coredump.h ++++ b/include/linux/sched/coredump.h +@@ -72,6 +72,7 @@ static inline int get_dumpable(struct mm_struct *mm) + #define MMF_DISABLE_THP 24 /* disable THP for all VMAs */ + #define MMF_OOM_VICTIM 25 /* mm is the oom victim */ + #define MMF_OOM_REAP_QUEUED 26 /* mm was queued for oom_reaper */ ++#define MMF_MULTIPROCESS 27 /* mm is shared between processes */ + #define MMF_DISABLE_THP_MASK (1 << MMF_DISABLE_THP) + + #define MMF_INIT_MASK (MMF_DUMPABLE_MASK | MMF_DUMP_FILTER_MASK |\ +diff --git a/kernel/fork.c b/kernel/fork.c +index 1a2d18e98bf99..3ed29bf8eb291 100644 +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -1647,6 +1647,25 @@ static __always_inline void delayed_free_task(struct task_struct *tsk) + free_task(tsk); + } + ++static void copy_oom_score_adj(u64 clone_flags, struct task_struct *tsk) ++{ ++ /* Skip if kernel thread */ ++ if (!tsk->mm) ++ return; ++ ++ /* Skip if spawning a thread or using vfork */ ++ if ((clone_flags & (CLONE_VM | CLONE_THREAD | CLONE_VFORK)) != CLONE_VM) ++ return; ++ ++ /* We need to synchronize with __set_oom_adj */ ++ mutex_lock(&oom_adj_mutex); ++ set_bit(MMF_MULTIPROCESS, &tsk->mm->flags); ++ /* Update the values in case they were changed after copy_signal */ ++ tsk->signal->oom_score_adj = current->signal->oom_score_adj; ++ tsk->signal->oom_score_adj_min = current->signal->oom_score_adj_min; ++ mutex_unlock(&oom_adj_mutex); ++} ++ + /* + * This creates a new process as a copy of the old one, + * but does not actually start it yet. +@@ -2084,6 +2103,8 @@ static __latent_entropy struct task_struct *copy_process( + trace_task_newtask(p, clone_flags); + uprobe_copy_process(p, clone_flags); + ++ copy_oom_score_adj(clone_flags, p); ++ + return p; + + bad_fork_cancel_cgroup: +diff --git a/mm/oom_kill.c b/mm/oom_kill.c +index a581fe2a2f1fe..928b3b5e24e6b 100644 +--- a/mm/oom_kill.c ++++ b/mm/oom_kill.c +@@ -62,6 +62,8 @@ int sysctl_oom_dump_tasks = 1; + * and mark_oom_victim + */ + DEFINE_MUTEX(oom_lock); ++/* Serializes oom_score_adj and oom_score_adj_min updates */ ++DEFINE_MUTEX(oom_adj_mutex); + + #ifdef CONFIG_NUMA + /** +-- +2.25.1 + diff --git a/queue-4.19/mmc-sdio-check-for-cistpl_vers_1-buffer-size.patch b/queue-4.19/mmc-sdio-check-for-cistpl_vers_1-buffer-size.patch new file mode 100644 index 00000000000..1d64925e20a --- /dev/null +++ b/queue-4.19/mmc-sdio-check-for-cistpl_vers_1-buffer-size.patch @@ -0,0 +1,40 @@ +From b2f1cc0e07675e95da7cbc4ba0e80bda21ff7591 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Jul 2020 15:38:34 +0200 +Subject: mmc: sdio: Check for CISTPL_VERS_1 buffer size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit 8ebe2607965d3e2dc02029e8c7dd35fbe508ffd0 ] + +Before parsing CISTPL_VERS_1 structure check that its size is at least two +bytes to prevent buffer overflow. + +Signed-off-by: Pali Rohár +Link: https://lore.kernel.org/r/20200727133837.19086-2-pali@kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/core/sdio_cis.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/mmc/core/sdio_cis.c b/drivers/mmc/core/sdio_cis.c +index f8c372839d244..2ca5cd79018b4 100644 +--- a/drivers/mmc/core/sdio_cis.c ++++ b/drivers/mmc/core/sdio_cis.c +@@ -30,6 +30,9 @@ static int cistpl_vers_1(struct mmc_card *card, struct sdio_func *func, + unsigned i, nr_strings; + char **buffer, *string; + ++ if (size < 2) ++ return 0; ++ + /* Find all null-terminated (including zero length) strings in + the TPLLV1_INFO field. Trailing garbage is ignored. */ + buf += 2; +-- +2.25.1 + diff --git a/queue-4.19/mtd-lpddr-fix-excessive-stack-usage-with-clang.patch b/queue-4.19/mtd-lpddr-fix-excessive-stack-usage-with-clang.patch new file mode 100644 index 00000000000..878fbcf158c --- /dev/null +++ b/queue-4.19/mtd-lpddr-fix-excessive-stack-usage-with-clang.patch @@ -0,0 +1,96 @@ +From dfec1970976c023bf511363ee4ede17a7e6f36ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 May 2020 16:01:16 +0200 +Subject: mtd: lpddr: fix excessive stack usage with clang + +From: Arnd Bergmann + +[ Upstream commit 3e1b6469f8324bee5927b063e2aca30d3e56b907 ] + +Building lpddr2_nvm with clang can result in a giant stack usage +in one function: + +drivers/mtd/lpddr/lpddr2_nvm.c:399:12: error: stack frame size of 1144 bytes in function 'lpddr2_nvm_probe' [-Werror,-Wframe-larger-than=] + +The problem is that clang decides to build a copy of the mtd_info +structure on the stack and then do a memcpy() into the actual version. It +shouldn't really do it that way, but it's not strictly a bug either. + +As a workaround, use a static const version of the structure to assign +most of the members upfront and then only set the few members that +require runtime knowledge at probe time. + +Fixes: 96ba9dd65788 ("mtd: lpddr: add driver for LPDDR2-NVM PCM memories") +Signed-off-by: Arnd Bergmann +Reviewed-by: Nathan Chancellor +Acked-by: Miquel Raynal +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20200505140136.263461-1-arnd@arndb.de +Signed-off-by: Sasha Levin +--- + drivers/mtd/lpddr/lpddr2_nvm.c | 35 ++++++++++++++++++---------------- + 1 file changed, 19 insertions(+), 16 deletions(-) + +diff --git a/drivers/mtd/lpddr/lpddr2_nvm.c b/drivers/mtd/lpddr/lpddr2_nvm.c +index c950c880ad590..90e6cb64db69c 100644 +--- a/drivers/mtd/lpddr/lpddr2_nvm.c ++++ b/drivers/mtd/lpddr/lpddr2_nvm.c +@@ -402,6 +402,17 @@ static int lpddr2_nvm_lock(struct mtd_info *mtd, loff_t start_add, + return lpddr2_nvm_do_block_op(mtd, start_add, len, LPDDR2_NVM_LOCK); + } + ++static const struct mtd_info lpddr2_nvm_mtd_info = { ++ .type = MTD_RAM, ++ .writesize = 1, ++ .flags = (MTD_CAP_NVRAM | MTD_POWERUP_LOCK), ++ ._read = lpddr2_nvm_read, ++ ._write = lpddr2_nvm_write, ++ ._erase = lpddr2_nvm_erase, ++ ._unlock = lpddr2_nvm_unlock, ++ ._lock = lpddr2_nvm_lock, ++}; ++ + /* + * lpddr2_nvm driver probe method + */ +@@ -442,6 +453,7 @@ static int lpddr2_nvm_probe(struct platform_device *pdev) + .pfow_base = OW_BASE_ADDRESS, + .fldrv_priv = pcm_data, + }; ++ + if (IS_ERR(map->virt)) + return PTR_ERR(map->virt); + +@@ -453,22 +465,13 @@ static int lpddr2_nvm_probe(struct platform_device *pdev) + return PTR_ERR(pcm_data->ctl_regs); + + /* Populate mtd_info data structure */ +- *mtd = (struct mtd_info) { +- .dev = { .parent = &pdev->dev }, +- .name = pdev->dev.init_name, +- .type = MTD_RAM, +- .priv = map, +- .size = resource_size(add_range), +- .erasesize = ERASE_BLOCKSIZE * pcm_data->bus_width, +- .writesize = 1, +- .writebufsize = WRITE_BUFFSIZE * pcm_data->bus_width, +- .flags = (MTD_CAP_NVRAM | MTD_POWERUP_LOCK), +- ._read = lpddr2_nvm_read, +- ._write = lpddr2_nvm_write, +- ._erase = lpddr2_nvm_erase, +- ._unlock = lpddr2_nvm_unlock, +- ._lock = lpddr2_nvm_lock, +- }; ++ *mtd = lpddr2_nvm_mtd_info; ++ mtd->dev.parent = &pdev->dev; ++ mtd->name = pdev->dev.init_name; ++ mtd->priv = map; ++ mtd->size = resource_size(add_range); ++ mtd->erasesize = ERASE_BLOCKSIZE * pcm_data->bus_width; ++ mtd->writebufsize = WRITE_BUFFSIZE * pcm_data->bus_width; + + /* Verify the presence of the device looking for PFOW string */ + if (!lpddr2_nvm_pfow_present(map)) { +-- +2.25.1 + diff --git a/queue-4.19/mtd-mtdoops-don-t-write-panic-data-twice.patch b/queue-4.19/mtd-mtdoops-don-t-write-panic-data-twice.patch new file mode 100644 index 00000000000..744e2dba7e7 --- /dev/null +++ b/queue-4.19/mtd-mtdoops-don-t-write-panic-data-twice.patch @@ -0,0 +1,49 @@ +From 1c40f26c6f9d5975e60449fbe0819cb8d8363c55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Sep 2020 15:42:17 +1200 +Subject: mtd: mtdoops: Don't write panic data twice + +From: Mark Tomlinson + +[ Upstream commit c1cf1d57d1492235309111ea6a900940213a9166 ] + +If calling mtdoops_write, don't also schedule work to be done later. + +Although this appears to not be causing an issue, possibly because the +scheduled work will never get done, it is confusing. + +Fixes: 016c1291ce70 ("mtd: mtdoops: do not use mtd->panic_write directly") +Signed-off-by: Mark Tomlinson +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20200903034217.23079-1-mark.tomlinson@alliedtelesis.co.nz +Signed-off-by: Sasha Levin +--- + drivers/mtd/mtdoops.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/mtd/mtdoops.c b/drivers/mtd/mtdoops.c +index e078fc41aa612..feeffde2d4fa9 100644 +--- a/drivers/mtd/mtdoops.c ++++ b/drivers/mtd/mtdoops.c +@@ -293,12 +293,13 @@ static void mtdoops_do_dump(struct kmsg_dumper *dumper, + kmsg_dump_get_buffer(dumper, true, cxt->oops_buf + MTDOOPS_HEADER_SIZE, + record_size - MTDOOPS_HEADER_SIZE, NULL); + +- /* Panics must be written immediately */ +- if (reason != KMSG_DUMP_OOPS) ++ if (reason != KMSG_DUMP_OOPS) { ++ /* Panics must be written immediately */ + mtdoops_write(cxt, 1); +- +- /* For other cases, schedule work to write it "nicely" */ +- schedule_work(&cxt->work_write); ++ } else { ++ /* For other cases, schedule work to write it "nicely" */ ++ schedule_work(&cxt->work_write); ++ } + } + + static void mtdoops_notify_add(struct mtd_info *mtd) +-- +2.25.1 + diff --git a/queue-4.19/mwifiex-do-not-use-gfp_kernel-in-atomic-context.patch b/queue-4.19/mwifiex-do-not-use-gfp_kernel-in-atomic-context.patch new file mode 100644 index 00000000000..dbbaf0a1998 --- /dev/null +++ b/queue-4.19/mwifiex-do-not-use-gfp_kernel-in-atomic-context.patch @@ -0,0 +1,51 @@ +From 932e1f6084f74ba044395a8e04d6ced24a49c0f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Aug 2020 11:29:06 +0200 +Subject: mwifiex: Do not use GFP_KERNEL in atomic context + +From: Christophe JAILLET + +[ Upstream commit d2ab7f00f4321370a8ee14e5630d4349fdacc42e ] + +A possible call chain is as follow: + mwifiex_sdio_interrupt (sdio.c) + --> mwifiex_main_process (main.c) + --> mwifiex_process_cmdresp (cmdevt.c) + --> mwifiex_process_sta_cmdresp (sta_cmdresp.c) + --> mwifiex_ret_802_11_scan (scan.c) + --> mwifiex_parse_single_response_buf (scan.c) + +'mwifiex_sdio_interrupt()' is an interrupt function. + +Also note that 'mwifiex_ret_802_11_scan()' already uses GFP_ATOMIC. + +So use GFP_ATOMIC instead of GFP_KERNEL when memory is allocated in +'mwifiex_parse_single_response_buf()'. + +Fixes: 7c6fa2a843c5 ("mwifiex: use cfg80211 dynamic scan table and cfg80211_get_bss API") +or +Fixes: 601216e12c65e ("mwifiex: process RX packets in SDIO IRQ thread directly") +Signed-off-by: Christophe JAILLET +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200809092906.744621-1-christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/scan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c +index 85d6d5f3dce5b..c9f6cd2919699 100644 +--- a/drivers/net/wireless/marvell/mwifiex/scan.c ++++ b/drivers/net/wireless/marvell/mwifiex/scan.c +@@ -1895,7 +1895,7 @@ mwifiex_parse_single_response_buf(struct mwifiex_private *priv, u8 **bss_info, + chan, CFG80211_BSS_FTYPE_UNKNOWN, + bssid, timestamp, + cap_info_bitmap, beacon_period, +- ie_buf, ie_len, rssi, GFP_KERNEL); ++ ie_buf, ie_len, rssi, GFP_ATOMIC); + if (bss) { + bss_priv = (struct mwifiex_bss_priv *)bss->priv; + bss_priv->band = band; +-- +2.25.1 + diff --git a/queue-4.19/mwifiex-don-t-call-del_timer_sync-on-uninitialized-t.patch b/queue-4.19/mwifiex-don-t-call-del_timer_sync-on-uninitialized-t.patch new file mode 100644 index 00000000000..5327cd3ae3a --- /dev/null +++ b/queue-4.19/mwifiex-don-t-call-del_timer_sync-on-uninitialized-t.patch @@ -0,0 +1,54 @@ +From 0c59e015a50db0484ee90ca7cabdb3029ac57657 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Aug 2020 17:27:19 +0900 +Subject: mwifiex: don't call del_timer_sync() on uninitialized timer + +From: Tetsuo Handa + +[ Upstream commit 621a3a8b1c0ecf16e1e5667ea5756a76a082b738 ] + +syzbot is reporting that del_timer_sync() is called from +mwifiex_usb_cleanup_tx_aggr() from mwifiex_unregister_dev() without +checking timer_setup() from mwifiex_usb_tx_init() was called [1]. + +Ganapathi Bhat proposed a possibly cleaner fix, but it seems that +that fix was forgotten [2]. + +"grep -FrB1 'del_timer' drivers/ | grep -FA1 '.function)'" says that +currently there are 28 locations which call del_timer[_sync]() only if +that timer's function field was initialized (because timer_setup() sets +that timer's function field). Therefore, let's use same approach here. + +[1] https://syzkaller.appspot.com/bug?id=26525f643f454dd7be0078423e3cdb0d57744959 +[2] https://lkml.kernel.org/r/CA+ASDXMHt2gq9Hy+iP_BYkWXsSreWdp3_bAfMkNcuqJ3K+-jbQ@mail.gmail.com + +Reported-by: syzbot +Cc: Ganapathi Bhat +Cc: Brian Norris +Signed-off-by: Tetsuo Handa +Reviewed-by: Brian Norris +Acked-by: Ganapathi Bhat +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200821082720.7716-1-penguin-kernel@I-love.SAKURA.ne.jp +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/usb.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/usb.c b/drivers/net/wireless/marvell/mwifiex/usb.c +index d445acc4786b7..2a8d40ce463d5 100644 +--- a/drivers/net/wireless/marvell/mwifiex/usb.c ++++ b/drivers/net/wireless/marvell/mwifiex/usb.c +@@ -1355,7 +1355,8 @@ static void mwifiex_usb_cleanup_tx_aggr(struct mwifiex_adapter *adapter) + skb_dequeue(&port->tx_aggr.aggr_list))) + mwifiex_write_data_complete(adapter, skb_tmp, + 0, -1); +- del_timer_sync(&port->tx_aggr.timer_cnxt.hold_timer); ++ if (port->tx_aggr.timer_cnxt.hold_timer.function) ++ del_timer_sync(&port->tx_aggr.timer_cnxt.hold_timer); + port->tx_aggr.timer_cnxt.is_hold_timer_set = false; + port->tx_aggr.timer_cnxt.hold_tmo_msecs = 0; + } +-- +2.25.1 + diff --git a/queue-4.19/mwifiex-fix-double-free.patch b/queue-4.19/mwifiex-fix-double-free.patch new file mode 100644 index 00000000000..07ef5d62e6e --- /dev/null +++ b/queue-4.19/mwifiex-fix-double-free.patch @@ -0,0 +1,50 @@ +From a82c761ef59e2d5199c23d91eef99fd6e2e2b147 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Oct 2020 06:19:31 -0700 +Subject: mwifiex: fix double free + +From: Tom Rix + +[ Upstream commit 53708f4fd9cfe389beab5c8daa763bcd0e0b4aef ] + +clang static analysis reports this problem: + +sdio.c:2403:3: warning: Attempt to free released memory + kfree(card->mpa_rx.buf); + ^~~~~~~~~~~~~~~~~~~~~~~ + +When mwifiex_init_sdio() fails in its first call to +mwifiex_alloc_sdio_mpa_buffer, it falls back to calling it +again. If the second alloc of mpa_tx.buf fails, the error +handler will try to free the old, previously freed mpa_rx.buf. +Reviewing the code, it looks like a second double free would +happen with mwifiex_cleanup_sdio(). + +So set both pointers to NULL when they are freed. + +Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver") +Signed-off-by: Tom Rix +Reviewed-by: Brian Norris +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20201004131931.29782-1-trix@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/sdio.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/marvell/mwifiex/sdio.c b/drivers/net/wireless/marvell/mwifiex/sdio.c +index bfbe3aa058d93..0773d81072aa1 100644 +--- a/drivers/net/wireless/marvell/mwifiex/sdio.c ++++ b/drivers/net/wireless/marvell/mwifiex/sdio.c +@@ -1985,6 +1985,8 @@ static int mwifiex_alloc_sdio_mpa_buffers(struct mwifiex_adapter *adapter, + kfree(card->mpa_rx.buf); + card->mpa_tx.buf_size = 0; + card->mpa_rx.buf_size = 0; ++ card->mpa_tx.buf = NULL; ++ card->mpa_rx.buf = NULL; + } + + return ret; +-- +2.25.1 + diff --git a/queue-4.19/net-dsa-rtl8366-check-validity-of-passed-vlans.patch b/queue-4.19/net-dsa-rtl8366-check-validity-of-passed-vlans.patch new file mode 100644 index 00000000000..35db7ac9575 --- /dev/null +++ b/queue-4.19/net-dsa-rtl8366-check-validity-of-passed-vlans.patch @@ -0,0 +1,49 @@ +From 6328f39c9fa10eb07593269e4a6aba5aa481c48b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 00:09:34 +0200 +Subject: net: dsa: rtl8366: Check validity of passed VLANs + +From: Linus Walleij + +[ Upstream commit 6641a2c42b0a307b7638d10e5d4b90debc61389d ] + +The rtl8366_set_vlan() and rtl8366_set_pvid() get invalid +VLANs tossed at it, especially VLAN0, something the hardware +and driver cannot handle. Check validity and bail out like +we do in the other callbacks. + +Reviewed-by: Florian Fainelli +Signed-off-by: Linus Walleij +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/rtl8366.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/dsa/rtl8366.c b/drivers/net/dsa/rtl8366.c +index 430988f797225..c854fea473f76 100644 +--- a/drivers/net/dsa/rtl8366.c ++++ b/drivers/net/dsa/rtl8366.c +@@ -43,6 +43,9 @@ int rtl8366_set_vlan(struct realtek_smi *smi, int vid, u32 member, + int ret; + int i; + ++ if (!smi->ops->is_vlan_valid(smi, vid)) ++ return -EINVAL; ++ + dev_dbg(smi->dev, + "setting VLAN%d 4k members: 0x%02x, untagged: 0x%02x\n", + vid, member, untag); +@@ -118,6 +121,9 @@ int rtl8366_set_pvid(struct realtek_smi *smi, unsigned int port, + int ret; + int i; + ++ if (!smi->ops->is_vlan_valid(smi, vid)) ++ return -EINVAL; ++ + /* Try to find an existing MC entry for this VID */ + for (i = 0; i < smi->num_vlan_mc; i++) { + ret = smi->ops->get_vlan_mc(smi, i, &vlanmc); +-- +2.25.1 + diff --git a/queue-4.19/net-dsa-rtl8366-refactor-vlan-pvid-init.patch b/queue-4.19/net-dsa-rtl8366-refactor-vlan-pvid-init.patch new file mode 100644 index 00000000000..f6cdb942f63 --- /dev/null +++ b/queue-4.19/net-dsa-rtl8366-refactor-vlan-pvid-init.patch @@ -0,0 +1,398 @@ +From f7795ee1a717e903552caa50bb40924ac6348834 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 00:09:35 +0200 +Subject: net: dsa: rtl8366: Refactor VLAN/PVID init + +From: Linus Walleij + +[ Upstream commit 7e1301ed1881447d2a25f9c6423738c33cbca133 ] + +The VLANs and PVIDs on the RTL8366 utilizes a "member +configuration" (MC) which is largely unexplained in the +code. + +This set-up requires a special ordering: rtl8366_set_pvid() +must be called first, followed by rtl8366_set_vlan(), +else the MC will not be properly allocated. Relax this +by factoring out the code obtaining an MC and reuse +the helper in both rtl8366_set_pvid() and +rtl8366_set_vlan() so we remove this strict ordering +requirement. + +In the process, add some better comments and debug prints +so people who read the code understand what is going on. + +Reviewed-by: Florian Fainelli +Signed-off-by: Linus Walleij +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/realtek-smi.h | 4 +- + drivers/net/dsa/rtl8366.c | 273 ++++++++++++++++++---------------- + 2 files changed, 146 insertions(+), 131 deletions(-) + +diff --git a/drivers/net/dsa/realtek-smi.h b/drivers/net/dsa/realtek-smi.h +index 9a63b51e1d82f..6f2dab7e33d65 100644 +--- a/drivers/net/dsa/realtek-smi.h ++++ b/drivers/net/dsa/realtek-smi.h +@@ -25,6 +25,9 @@ struct rtl8366_mib_counter { + const char *name; + }; + ++/** ++ * struct rtl8366_vlan_mc - Virtual LAN member configuration ++ */ + struct rtl8366_vlan_mc { + u16 vid; + u16 untag; +@@ -119,7 +122,6 @@ int realtek_smi_setup_mdio(struct realtek_smi *smi); + int rtl8366_mc_is_used(struct realtek_smi *smi, int mc_index, int *used); + int rtl8366_set_vlan(struct realtek_smi *smi, int vid, u32 member, + u32 untag, u32 fid); +-int rtl8366_get_pvid(struct realtek_smi *smi, int port, int *val); + int rtl8366_set_pvid(struct realtek_smi *smi, unsigned int port, + unsigned int vid); + int rtl8366_enable_vlan4k(struct realtek_smi *smi, bool enable); +diff --git a/drivers/net/dsa/rtl8366.c b/drivers/net/dsa/rtl8366.c +index c854fea473f76..4e1a2427fc314 100644 +--- a/drivers/net/dsa/rtl8366.c ++++ b/drivers/net/dsa/rtl8366.c +@@ -36,12 +36,110 @@ int rtl8366_mc_is_used(struct realtek_smi *smi, int mc_index, int *used) + } + EXPORT_SYMBOL_GPL(rtl8366_mc_is_used); + ++/** ++ * rtl8366_obtain_mc() - retrieve or allocate a VLAN member configuration ++ * @smi: the Realtek SMI device instance ++ * @vid: the VLAN ID to look up or allocate ++ * @vlanmc: the pointer will be assigned to a pointer to a valid member config ++ * if successful ++ * @return: index of a new member config or negative error number ++ */ ++static int rtl8366_obtain_mc(struct realtek_smi *smi, int vid, ++ struct rtl8366_vlan_mc *vlanmc) ++{ ++ struct rtl8366_vlan_4k vlan4k; ++ int ret; ++ int i; ++ ++ /* Try to find an existing member config entry for this VID */ ++ for (i = 0; i < smi->num_vlan_mc; i++) { ++ ret = smi->ops->get_vlan_mc(smi, i, vlanmc); ++ if (ret) { ++ dev_err(smi->dev, "error searching for VLAN MC %d for VID %d\n", ++ i, vid); ++ return ret; ++ } ++ ++ if (vid == vlanmc->vid) ++ return i; ++ } ++ ++ /* We have no MC entry for this VID, try to find an empty one */ ++ for (i = 0; i < smi->num_vlan_mc; i++) { ++ ret = smi->ops->get_vlan_mc(smi, i, vlanmc); ++ if (ret) { ++ dev_err(smi->dev, "error searching for VLAN MC %d for VID %d\n", ++ i, vid); ++ return ret; ++ } ++ ++ if (vlanmc->vid == 0 && vlanmc->member == 0) { ++ /* Update the entry from the 4K table */ ++ ret = smi->ops->get_vlan_4k(smi, vid, &vlan4k); ++ if (ret) { ++ dev_err(smi->dev, "error looking for 4K VLAN MC %d for VID %d\n", ++ i, vid); ++ return ret; ++ } ++ ++ vlanmc->vid = vid; ++ vlanmc->member = vlan4k.member; ++ vlanmc->untag = vlan4k.untag; ++ vlanmc->fid = vlan4k.fid; ++ ret = smi->ops->set_vlan_mc(smi, i, vlanmc); ++ if (ret) { ++ dev_err(smi->dev, "unable to set/update VLAN MC %d for VID %d\n", ++ i, vid); ++ return ret; ++ } ++ ++ dev_dbg(smi->dev, "created new MC at index %d for VID %d\n", ++ i, vid); ++ return i; ++ } ++ } ++ ++ /* MC table is full, try to find an unused entry and replace it */ ++ for (i = 0; i < smi->num_vlan_mc; i++) { ++ int used; ++ ++ ret = rtl8366_mc_is_used(smi, i, &used); ++ if (ret) ++ return ret; ++ ++ if (!used) { ++ /* Update the entry from the 4K table */ ++ ret = smi->ops->get_vlan_4k(smi, vid, &vlan4k); ++ if (ret) ++ return ret; ++ ++ vlanmc->vid = vid; ++ vlanmc->member = vlan4k.member; ++ vlanmc->untag = vlan4k.untag; ++ vlanmc->fid = vlan4k.fid; ++ ret = smi->ops->set_vlan_mc(smi, i, vlanmc); ++ if (ret) { ++ dev_err(smi->dev, "unable to set/update VLAN MC %d for VID %d\n", ++ i, vid); ++ return ret; ++ } ++ dev_dbg(smi->dev, "recycled MC at index %i for VID %d\n", ++ i, vid); ++ return i; ++ } ++ } ++ ++ dev_err(smi->dev, "all VLAN member configurations are in use\n"); ++ return -ENOSPC; ++} ++ + int rtl8366_set_vlan(struct realtek_smi *smi, int vid, u32 member, + u32 untag, u32 fid) + { ++ struct rtl8366_vlan_mc vlanmc; + struct rtl8366_vlan_4k vlan4k; ++ int mc; + int ret; +- int i; + + if (!smi->ops->is_vlan_valid(smi, vid)) + return -EINVAL; +@@ -66,136 +164,58 @@ int rtl8366_set_vlan(struct realtek_smi *smi, int vid, u32 member, + "resulting VLAN%d 4k members: 0x%02x, untagged: 0x%02x\n", + vid, vlan4k.member, vlan4k.untag); + +- /* Try to find an existing MC entry for this VID */ +- for (i = 0; i < smi->num_vlan_mc; i++) { +- struct rtl8366_vlan_mc vlanmc; +- +- ret = smi->ops->get_vlan_mc(smi, i, &vlanmc); +- if (ret) +- return ret; +- +- if (vid == vlanmc.vid) { +- /* update the MC entry */ +- vlanmc.member |= member; +- vlanmc.untag |= untag; +- vlanmc.fid = fid; +- +- ret = smi->ops->set_vlan_mc(smi, i, &vlanmc); ++ /* Find or allocate a member config for this VID */ ++ ret = rtl8366_obtain_mc(smi, vid, &vlanmc); ++ if (ret < 0) ++ return ret; ++ mc = ret; + +- dev_dbg(smi->dev, +- "resulting VLAN%d MC members: 0x%02x, untagged: 0x%02x\n", +- vid, vlanmc.member, vlanmc.untag); ++ /* Update the MC entry */ ++ vlanmc.member |= member; ++ vlanmc.untag |= untag; ++ vlanmc.fid = fid; + +- break; +- } +- } ++ /* Commit updates to the MC entry */ ++ ret = smi->ops->set_vlan_mc(smi, mc, &vlanmc); ++ if (ret) ++ dev_err(smi->dev, "failed to commit changes to VLAN MC index %d for VID %d\n", ++ mc, vid); ++ else ++ dev_dbg(smi->dev, ++ "resulting VLAN%d MC members: 0x%02x, untagged: 0x%02x\n", ++ vid, vlanmc.member, vlanmc.untag); + + return ret; + } + EXPORT_SYMBOL_GPL(rtl8366_set_vlan); + +-int rtl8366_get_pvid(struct realtek_smi *smi, int port, int *val) +-{ +- struct rtl8366_vlan_mc vlanmc; +- int ret; +- int index; +- +- ret = smi->ops->get_mc_index(smi, port, &index); +- if (ret) +- return ret; +- +- ret = smi->ops->get_vlan_mc(smi, index, &vlanmc); +- if (ret) +- return ret; +- +- *val = vlanmc.vid; +- return 0; +-} +-EXPORT_SYMBOL_GPL(rtl8366_get_pvid); +- + int rtl8366_set_pvid(struct realtek_smi *smi, unsigned int port, + unsigned int vid) + { + struct rtl8366_vlan_mc vlanmc; +- struct rtl8366_vlan_4k vlan4k; ++ int mc; + int ret; +- int i; + + if (!smi->ops->is_vlan_valid(smi, vid)) + return -EINVAL; + +- /* Try to find an existing MC entry for this VID */ +- for (i = 0; i < smi->num_vlan_mc; i++) { +- ret = smi->ops->get_vlan_mc(smi, i, &vlanmc); +- if (ret) +- return ret; +- +- if (vid == vlanmc.vid) { +- ret = smi->ops->set_vlan_mc(smi, i, &vlanmc); +- if (ret) +- return ret; +- +- ret = smi->ops->set_mc_index(smi, port, i); +- return ret; +- } +- } +- +- /* We have no MC entry for this VID, try to find an empty one */ +- for (i = 0; i < smi->num_vlan_mc; i++) { +- ret = smi->ops->get_vlan_mc(smi, i, &vlanmc); +- if (ret) +- return ret; +- +- if (vlanmc.vid == 0 && vlanmc.member == 0) { +- /* Update the entry from the 4K table */ +- ret = smi->ops->get_vlan_4k(smi, vid, &vlan4k); +- if (ret) +- return ret; +- +- vlanmc.vid = vid; +- vlanmc.member = vlan4k.member; +- vlanmc.untag = vlan4k.untag; +- vlanmc.fid = vlan4k.fid; +- ret = smi->ops->set_vlan_mc(smi, i, &vlanmc); +- if (ret) +- return ret; +- +- ret = smi->ops->set_mc_index(smi, port, i); +- return ret; +- } +- } +- +- /* MC table is full, try to find an unused entry and replace it */ +- for (i = 0; i < smi->num_vlan_mc; i++) { +- int used; +- +- ret = rtl8366_mc_is_used(smi, i, &used); +- if (ret) +- return ret; +- +- if (!used) { +- /* Update the entry from the 4K table */ +- ret = smi->ops->get_vlan_4k(smi, vid, &vlan4k); +- if (ret) +- return ret; +- +- vlanmc.vid = vid; +- vlanmc.member = vlan4k.member; +- vlanmc.untag = vlan4k.untag; +- vlanmc.fid = vlan4k.fid; +- ret = smi->ops->set_vlan_mc(smi, i, &vlanmc); +- if (ret) +- return ret; ++ /* Find or allocate a member config for this VID */ ++ ret = rtl8366_obtain_mc(smi, vid, &vlanmc); ++ if (ret < 0) ++ return ret; ++ mc = ret; + +- ret = smi->ops->set_mc_index(smi, port, i); +- return ret; +- } ++ ret = smi->ops->set_mc_index(smi, port, mc); ++ if (ret) { ++ dev_err(smi->dev, "set PVID: failed to set MC index %d for port %d\n", ++ mc, port); ++ return ret; + } + +- dev_err(smi->dev, +- "all VLAN member configurations are in use\n"); ++ dev_dbg(smi->dev, "set PVID: the PVID for port %d set to %d using existing MC index %d\n", ++ port, vid, mc); + +- return -ENOSPC; ++ return 0; + } + EXPORT_SYMBOL_GPL(rtl8366_set_pvid); + +@@ -395,7 +415,8 @@ void rtl8366_vlan_add(struct dsa_switch *ds, int port, + if (!smi->ops->is_vlan_valid(smi, vid)) + return; + +- dev_info(smi->dev, "add VLAN on port %d, %s, %s\n", ++ dev_info(smi->dev, "add VLAN %d on port %d, %s, %s\n", ++ vlan->vid_begin, + port, + untagged ? "untagged" : "tagged", + pvid ? " PVID" : "no PVID"); +@@ -404,34 +425,26 @@ void rtl8366_vlan_add(struct dsa_switch *ds, int port, + dev_err(smi->dev, "port is DSA or CPU port\n"); + + for (vid = vlan->vid_begin; vid <= vlan->vid_end; vid++) { +- int pvid_val = 0; +- +- dev_info(smi->dev, "add VLAN %04x\n", vid); + member |= BIT(port); + + if (untagged) + untag |= BIT(port); + +- /* To ensure that we have a valid MC entry for this VLAN, +- * initialize the port VLAN ID here. +- */ +- ret = rtl8366_get_pvid(smi, port, &pvid_val); +- if (ret < 0) { +- dev_err(smi->dev, "could not lookup PVID for port %d\n", +- port); +- return; +- } +- if (pvid_val == 0) { +- ret = rtl8366_set_pvid(smi, port, vid); +- if (ret < 0) +- return; +- } +- + ret = rtl8366_set_vlan(smi, vid, member, untag, 0); + if (ret) + dev_err(smi->dev, + "failed to set up VLAN %04x", + vid); ++ ++ ret = rtl8366_set_pvid(smi, port, vid); ++ if (ret) ++ dev_err(smi->dev, ++ "failed to set PVID on port %d to VLAN %04x", ++ port, vid); ++ ++ if (!ret) ++ dev_dbg(smi->dev, "VLAN add: added VLAN %d with PVID on port %d\n", ++ vid, port); + } + } + EXPORT_SYMBOL_GPL(rtl8366_vlan_add); +-- +2.25.1 + diff --git a/queue-4.19/net-dsa-rtl8366-skip-pvid-setting-if-not-requested.patch b/queue-4.19/net-dsa-rtl8366-skip-pvid-setting-if-not-requested.patch new file mode 100644 index 00000000000..86a3e4fd3c2 --- /dev/null +++ b/queue-4.19/net-dsa-rtl8366-skip-pvid-setting-if-not-requested.patch @@ -0,0 +1,38 @@ +From 6d6b0ed11a9c5ecf3d486e06295aff3a9891c10b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Sep 2020 00:29:54 +0200 +Subject: net: dsa: rtl8366: Skip PVID setting if not requested + +From: Linus Walleij + +[ Upstream commit 3dfe8dde093a07e82fa472c0f8c29a7f6a2006a5 ] + +We go to lengths to determine whether the PVID should be set +for this port or not, and then fail to take it into account. +Fix this oversight. + +Fixes: d8652956cf37 ("net: dsa: realtek-smi: Add Realtek SMI driver") +Signed-off-by: Linus Walleij +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/rtl8366.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/dsa/rtl8366.c b/drivers/net/dsa/rtl8366.c +index 4e1a2427fc314..dddbc86429bd9 100644 +--- a/drivers/net/dsa/rtl8366.c ++++ b/drivers/net/dsa/rtl8366.c +@@ -436,6 +436,9 @@ void rtl8366_vlan_add(struct dsa_switch *ds, int port, + "failed to set up VLAN %04x", + vid); + ++ if (!pvid) ++ continue; ++ + ret = rtl8366_set_pvid(smi, port, vid); + if (ret) + dev_err(smi->dev, +-- +2.25.1 + diff --git a/queue-4.19/net-dsa-rtl8366rb-support-all-4096-vlans.patch b/queue-4.19/net-dsa-rtl8366rb-support-all-4096-vlans.patch new file mode 100644 index 00000000000..468b6e56813 --- /dev/null +++ b/queue-4.19/net-dsa-rtl8366rb-support-all-4096-vlans.patch @@ -0,0 +1,38 @@ +From 8f3a7bb21bf5fff990dd7ba2beaa6732141364ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Sep 2020 22:37:33 +0200 +Subject: net: dsa: rtl8366rb: Support all 4096 VLANs + +From: Linus Walleij + +[ Upstream commit a7920efdd86d8a0d74402dbc80ead03b023294ba ] + +There is an off-by-one error in rtl8366rb_is_vlan_valid() +making VLANs 0..4094 valid while it should be 1..4095. +Fix it. + +Fixes: d8652956cf37 ("net: dsa: realtek-smi: Add Realtek SMI driver") +Signed-off-by: Linus Walleij +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/rtl8366rb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/rtl8366rb.c b/drivers/net/dsa/rtl8366rb.c +index f4b14b6acd22d..5aefd7a4696a5 100644 +--- a/drivers/net/dsa/rtl8366rb.c ++++ b/drivers/net/dsa/rtl8366rb.c +@@ -1270,7 +1270,7 @@ static bool rtl8366rb_is_vlan_valid(struct realtek_smi *smi, unsigned int vlan) + if (smi->vlan4k_enabled) + max = RTL8366RB_NUM_VIDS - 1; + +- if (vlan == 0 || vlan >= max) ++ if (vlan == 0 || vlan > max) + return false; + + return true; +-- +2.25.1 + diff --git a/queue-4.19/net-enic-cure-the-enic-api-locking-trainwreck.patch b/queue-4.19/net-enic-cure-the-enic-api-locking-trainwreck.patch new file mode 100644 index 00000000000..7b4191da34c --- /dev/null +++ b/queue-4.19/net-enic-cure-the-enic-api-locking-trainwreck.patch @@ -0,0 +1,157 @@ +From b8b7235581b6a60527ac20a59d6be3479e877c25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Sep 2020 22:25:10 +0200 +Subject: net: enic: Cure the enic api locking trainwreck + +From: Thomas Gleixner + +[ Upstream commit a53b59ece86c86d16d12ccdaa1ad0c78250a9d96 ] + +enic_dev_wait() has a BUG_ON(in_interrupt()). + +Chasing the callers of enic_dev_wait() revealed the gems of enic_reset() +and enic_tx_hang_reset() which are both invoked through work queues in +order to be able to call rtnl_lock(). So far so good. + +After locking rtnl both functions acquire enic::enic_api_lock which +serializes against the (ab)use from infiniband. This is where the +trainwreck starts. + +enic::enic_api_lock is a spin_lock() which implicitly disables preemption, +but both functions invoke a ton of functions under that lock which can +sleep. The BUG_ON(in_interrupt()) does not trigger in that case because it +can't detect the preempt disabled condition. + +This clearly has never been tested with any of the mandatory debug options +for 7+ years, which would have caught that for sure. + +Cure it by adding a enic_api_busy member to struct enic, which is modified +and evaluated with enic::enic_api_lock held. + +If enic_api_devcmd_proxy_by_index() observes enic::enic_api_busy as true, +it drops enic::enic_api_lock and busy waits for enic::enic_api_busy to +become false. + +It would be smarter to wait for a completion of that busy period, but +enic_api_devcmd_proxy_by_index() is called with other spin locks held which +obviously can't sleep. + +Remove the BUG_ON(in_interrupt()) check as well because it's incomplete and +with proper debugging enabled the problem would have been caught from the +debug checks in schedule_timeout(). + +Fixes: 0b038566c0ea ("drivers/net: enic: Add an interface for USNIC to interact with firmware") +Signed-off-by: Thomas Gleixner +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cisco/enic/enic.h | 1 + + drivers/net/ethernet/cisco/enic/enic_api.c | 6 +++++ + drivers/net/ethernet/cisco/enic/enic_main.c | 27 ++++++++++++++++----- + 3 files changed, 28 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/cisco/enic/enic.h b/drivers/net/ethernet/cisco/enic/enic.h +index 0dd64acd2a3fb..08cac1bfacafb 100644 +--- a/drivers/net/ethernet/cisco/enic/enic.h ++++ b/drivers/net/ethernet/cisco/enic/enic.h +@@ -171,6 +171,7 @@ struct enic { + u16 num_vfs; + #endif + spinlock_t enic_api_lock; ++ bool enic_api_busy; + struct enic_port_profile *pp; + + /* work queue cache line section */ +diff --git a/drivers/net/ethernet/cisco/enic/enic_api.c b/drivers/net/ethernet/cisco/enic/enic_api.c +index b161f24522b87..b028ea2dec2b9 100644 +--- a/drivers/net/ethernet/cisco/enic/enic_api.c ++++ b/drivers/net/ethernet/cisco/enic/enic_api.c +@@ -34,6 +34,12 @@ int enic_api_devcmd_proxy_by_index(struct net_device *netdev, int vf, + struct vnic_dev *vdev = enic->vdev; + + spin_lock(&enic->enic_api_lock); ++ while (enic->enic_api_busy) { ++ spin_unlock(&enic->enic_api_lock); ++ cpu_relax(); ++ spin_lock(&enic->enic_api_lock); ++ } ++ + spin_lock_bh(&enic->devcmd_lock); + + vnic_dev_cmd_proxy_by_index_start(vdev, vf); +diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c b/drivers/net/ethernet/cisco/enic/enic_main.c +index 026a3bd71204f..810cbe2210463 100644 +--- a/drivers/net/ethernet/cisco/enic/enic_main.c ++++ b/drivers/net/ethernet/cisco/enic/enic_main.c +@@ -2142,8 +2142,6 @@ static int enic_dev_wait(struct vnic_dev *vdev, + int done; + int err; + +- BUG_ON(in_interrupt()); +- + err = start(vdev, arg); + if (err) + return err; +@@ -2331,6 +2329,13 @@ static int enic_set_rss_nic_cfg(struct enic *enic) + rss_hash_bits, rss_base_cpu, rss_enable); + } + ++static void enic_set_api_busy(struct enic *enic, bool busy) ++{ ++ spin_lock(&enic->enic_api_lock); ++ enic->enic_api_busy = busy; ++ spin_unlock(&enic->enic_api_lock); ++} ++ + static void enic_reset(struct work_struct *work) + { + struct enic *enic = container_of(work, struct enic, reset); +@@ -2340,7 +2345,9 @@ static void enic_reset(struct work_struct *work) + + rtnl_lock(); + +- spin_lock(&enic->enic_api_lock); ++ /* Stop any activity from infiniband */ ++ enic_set_api_busy(enic, true); ++ + enic_stop(enic->netdev); + enic_dev_soft_reset(enic); + enic_reset_addr_lists(enic); +@@ -2348,7 +2355,10 @@ static void enic_reset(struct work_struct *work) + enic_set_rss_nic_cfg(enic); + enic_dev_set_ig_vlan_rewrite_mode(enic); + enic_open(enic->netdev); +- spin_unlock(&enic->enic_api_lock); ++ ++ /* Allow infiniband to fiddle with the device again */ ++ enic_set_api_busy(enic, false); ++ + call_netdevice_notifiers(NETDEV_REBOOT, enic->netdev); + + rtnl_unlock(); +@@ -2360,7 +2370,9 @@ static void enic_tx_hang_reset(struct work_struct *work) + + rtnl_lock(); + +- spin_lock(&enic->enic_api_lock); ++ /* Stop any activity from infiniband */ ++ enic_set_api_busy(enic, true); ++ + enic_dev_hang_notify(enic); + enic_stop(enic->netdev); + enic_dev_hang_reset(enic); +@@ -2369,7 +2381,10 @@ static void enic_tx_hang_reset(struct work_struct *work) + enic_set_rss_nic_cfg(enic); + enic_dev_set_ig_vlan_rewrite_mode(enic); + enic_open(enic->netdev); +- spin_unlock(&enic->enic_api_lock); ++ ++ /* Allow infiniband to fiddle with the device again */ ++ enic_set_api_busy(enic, false); ++ + call_netdevice_notifiers(NETDEV_REBOOT, enic->netdev); + + rtnl_unlock(); +-- +2.25.1 + diff --git a/queue-4.19/net-fec-fix-phy-init-after-phy_reset_after_clk_enabl.patch b/queue-4.19/net-fec-fix-phy-init-after-phy_reset_after_clk_enabl.patch new file mode 100644 index 00000000000..06074e777d0 --- /dev/null +++ b/queue-4.19/net-fec-fix-phy-init-after-phy_reset_after_clk_enabl.patch @@ -0,0 +1,49 @@ +From 1876af92a7ebd62d2db0068a6203615ec1864ab6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Oct 2020 15:52:53 +0200 +Subject: net: fec: Fix PHY init after phy_reset_after_clk_enable() + +From: Marek Vasut + +[ Upstream commit 0da1ccbbefb662915228bc17e1c7d4ad28b3ddab ] + +The phy_reset_after_clk_enable() does a PHY reset, which means the PHY +loses its register settings. The fec_enet_mii_probe() starts the PHY +and does the necessary calls to configure the PHY via PHY framework, +and loads the correct register settings into the PHY. Therefore, +fec_enet_mii_probe() should be called only after the PHY has been +reset, not before as it is now. + +Fixes: 1b0a83ac04e3 ("net: fec: add phy_reset_after_clk_enable() support") +Reviewed-by: Andrew Lunn +Tested-by: Richard Leitner +Signed-off-by: Marek Vasut +Cc: Christoph Niedermaier +Cc: David S. Miller +Cc: NXP Linux Team +Cc: Shawn Guo +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fec_main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c +index 7d1a669416f20..6bd5738273e7a 100644 +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -2961,6 +2961,11 @@ fec_enet_open(struct net_device *ndev) + if (ret) + goto err_enet_mii_probe; + ++ /* Probe and connect to PHY when open the interface */ ++ ret = fec_enet_mii_probe(ndev); ++ if (ret) ++ goto err_enet_mii_probe; ++ + if (fep->quirks & FEC_QUIRK_ERR006687) + imx6q_cpuidle_fec_irqs_used(); + +-- +2.25.1 + diff --git a/queue-4.19/net-korina-fix-kfree-of-rx-tx-descriptor-array.patch b/queue-4.19/net-korina-fix-kfree-of-rx-tx-descriptor-array.patch new file mode 100644 index 00000000000..287d0515974 --- /dev/null +++ b/queue-4.19/net-korina-fix-kfree-of-rx-tx-descriptor-array.patch @@ -0,0 +1,46 @@ +From 0f667890392280fa2ef19dd4ba4cf431a56c52bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Oct 2020 00:03:29 +0200 +Subject: net: korina: fix kfree of rx/tx descriptor array + +From: Valentin Vidic + +[ Upstream commit 3af5f0f5c74ecbaf757ef06c3f80d56751277637 ] + +kmalloc returns KSEG0 addresses so convert back from KSEG1 +in kfree. Also make sure array is freed when the driver is +unloaded from the kernel. + +Fixes: ef11291bcd5f ("Add support the Korina (IDT RC32434) Ethernet MAC") +Signed-off-by: Valentin Vidic +Acked-by: Willem de Bruijn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/korina.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/korina.c b/drivers/net/ethernet/korina.c +index ae195f8adff58..5bdff77c0ad10 100644 +--- a/drivers/net/ethernet/korina.c ++++ b/drivers/net/ethernet/korina.c +@@ -1113,7 +1113,7 @@ static int korina_probe(struct platform_device *pdev) + return rc; + + probe_err_register: +- kfree(lp->td_ring); ++ kfree(KSEG0ADDR(lp->td_ring)); + probe_err_td_ring: + iounmap(lp->tx_dma_regs); + probe_err_dma_tx: +@@ -1133,6 +1133,7 @@ static int korina_remove(struct platform_device *pdev) + iounmap(lp->eth_regs); + iounmap(lp->rx_dma_regs); + iounmap(lp->tx_dma_regs); ++ kfree(KSEG0ADDR(lp->td_ring)); + + unregister_netdev(bif->dev); + free_netdev(bif->dev); +-- +2.25.1 + diff --git a/queue-4.19/net-mlx5-don-t-call-timecounter-cyc2time-directly-fr.patch b/queue-4.19/net-mlx5-don-t-call-timecounter-cyc2time-directly-fr.patch new file mode 100644 index 00000000000..41995cc1f23 --- /dev/null +++ b/queue-4.19/net-mlx5-don-t-call-timecounter-cyc2time-directly-fr.patch @@ -0,0 +1,38 @@ +From ffb8b02942c8fc1a38b8eb50cf7c9b650eb93f26 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Jun 2020 12:07:10 +0300 +Subject: net/mlx5: Don't call timecounter cyc2time directly from 1PPS flow + +From: Eran Ben Elisha + +[ Upstream commit 0d2ffdc8d4002a62de31ff7aa3bef28c843c3cbe ] + +Before calling timecounter_cyc2time(), clock->lock must be taken. +Use mlx5_timecounter_cyc2time instead which guarantees a safe access. + +Fixes: afc98a0b46d8 ("net/mlx5: Update ptp_clock_event foreach PPS event") +Signed-off-by: Eran Ben Elisha +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c +index d359e850dbf07..0fd62510fb277 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c +@@ -475,8 +475,9 @@ void mlx5_pps_event(struct mlx5_core_dev *mdev, + switch (clock->ptp_info.pin_config[pin].func) { + case PTP_PF_EXTTS: + ptp_event.index = pin; +- ptp_event.timestamp = timecounter_cyc2time(&clock->tc, +- be64_to_cpu(eqe->data.pps.time_stamp)); ++ ptp_event.timestamp = ++ mlx5_timecounter_cyc2time(clock, ++ be64_to_cpu(eqe->data.pps.time_stamp)); + if (clock->pps_info.enabled) { + ptp_event.type = PTP_CLOCK_PPSUSR; + ptp_event.pps_times.ts_real = +-- +2.25.1 + diff --git a/queue-4.19/net-stmmac-use-netif_tx_start-stop_all_queues-functi.patch b/queue-4.19/net-stmmac-use-netif_tx_start-stop_all_queues-functi.patch new file mode 100644 index 00000000000..a4f0336641c --- /dev/null +++ b/queue-4.19/net-stmmac-use-netif_tx_start-stop_all_queues-functi.patch @@ -0,0 +1,101 @@ +From 7452988e57fadd35390c3c6767ef4f9688c8d0ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 09:28:40 +0800 +Subject: net: stmmac: use netif_tx_start|stop_all_queues() function + +From: Ong Boon Leong + +[ Upstream commit 9f19306d166688a73356aa636c62e698bf2063cc ] + +The current implementation of stmmac_stop_all_queues() and +stmmac_start_all_queues() will not work correctly when the value of +tx_queues_to_use is changed through ethtool -L DEVNAME rx N tx M command. + +Also, netif_tx_start|stop_all_queues() are only needed in driver open() +and close() only. + +Fixes: c22a3f48 net: stmmac: adding multiple napi mechanism + +Signed-off-by: Ong Boon Leong +Signed-off-by: Voon Weifeng +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../net/ethernet/stmicro/stmmac/stmmac_main.c | 33 +------------------ + 1 file changed, 1 insertion(+), 32 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index c41879a955b57..2872684906e14 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -177,32 +177,6 @@ static void stmmac_enable_all_queues(struct stmmac_priv *priv) + } + } + +-/** +- * stmmac_stop_all_queues - Stop all queues +- * @priv: driver private structure +- */ +-static void stmmac_stop_all_queues(struct stmmac_priv *priv) +-{ +- u32 tx_queues_cnt = priv->plat->tx_queues_to_use; +- u32 queue; +- +- for (queue = 0; queue < tx_queues_cnt; queue++) +- netif_tx_stop_queue(netdev_get_tx_queue(priv->dev, queue)); +-} +- +-/** +- * stmmac_start_all_queues - Start all queues +- * @priv: driver private structure +- */ +-static void stmmac_start_all_queues(struct stmmac_priv *priv) +-{ +- u32 tx_queues_cnt = priv->plat->tx_queues_to_use; +- u32 queue; +- +- for (queue = 0; queue < tx_queues_cnt; queue++) +- netif_tx_start_queue(netdev_get_tx_queue(priv->dev, queue)); +-} +- + static void stmmac_service_event_schedule(struct stmmac_priv *priv) + { + if (!test_bit(STMMAC_DOWN, &priv->state) && +@@ -2678,7 +2652,7 @@ static int stmmac_open(struct net_device *dev) + } + + stmmac_enable_all_queues(priv); +- stmmac_start_all_queues(priv); ++ netif_tx_start_all_queues(priv->dev); + + return 0; + +@@ -2724,8 +2698,6 @@ static int stmmac_release(struct net_device *dev) + phy_disconnect(dev->phydev); + } + +- stmmac_stop_all_queues(priv); +- + stmmac_disable_all_queues(priv); + + for (chan = 0; chan < priv->plat->tx_queues_to_use; chan++) +@@ -4519,7 +4491,6 @@ int stmmac_suspend(struct device *dev) + mutex_lock(&priv->lock); + + netif_device_detach(ndev); +- stmmac_stop_all_queues(priv); + + stmmac_disable_all_queues(priv); + +@@ -4628,8 +4599,6 @@ int stmmac_resume(struct device *dev) + + stmmac_enable_all_queues(priv); + +- stmmac_start_all_queues(priv); +- + mutex_unlock(&priv->lock); + + if (ndev->phydev) +-- +2.25.1 + diff --git a/queue-4.19/netfilter-conntrack-connection-timeout-after-re-regi.patch b/queue-4.19/netfilter-conntrack-connection-timeout-after-re-regi.patch new file mode 100644 index 00000000000..fb4d089a930 --- /dev/null +++ b/queue-4.19/netfilter-conntrack-connection-timeout-after-re-regi.patch @@ -0,0 +1,64 @@ +From 04e4cd750f0771fdf0c3600d0a202ce8156026d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Oct 2020 12:32:52 -0700 +Subject: netfilter: conntrack: connection timeout after re-register + +From: Francesco Ruggeri + +[ Upstream commit 4f25434bccc28cf8a07876ef5142a2869a674353 ] + +If the first packet conntrack sees after a re-register is an outgoing +keepalive packet with no data (SEG.SEQ = SND.NXT-1), td_end is set to +SND.NXT-1. +When the peer correctly acknowledges SND.NXT, tcp_in_window fails +check III (Upper bound for valid (s)ack: sack <= receiver.td_end) and +returns false, which cascades into nf_conntrack_in setting +skb->_nfct = 0 and in later conntrack iptables rules not matching. +In cases where iptables are dropping packets that do not match +conntrack rules this can result in idle tcp connections to time out. + +v2: adjust td_end when getting the reply rather than when sending out + the keepalive packet. + +Fixes: f94e63801ab2 ("netfilter: conntrack: reset tcp maxwin on re-register") +Signed-off-by: Francesco Ruggeri +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_proto_tcp.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c +index 7011ab27c4371..40f8a1252394b 100644 +--- a/net/netfilter/nf_conntrack_proto_tcp.c ++++ b/net/netfilter/nf_conntrack_proto_tcp.c +@@ -549,13 +549,20 @@ static bool tcp_in_window(const struct nf_conn *ct, + swin = win << sender->td_scale; + sender->td_maxwin = (swin == 0 ? 1 : swin); + sender->td_maxend = end + sender->td_maxwin; +- /* +- * We haven't seen traffic in the other direction yet +- * but we have to tweak window tracking to pass III +- * and IV until that happens. +- */ +- if (receiver->td_maxwin == 0) ++ if (receiver->td_maxwin == 0) { ++ /* We haven't seen traffic in the other ++ * direction yet but we have to tweak window ++ * tracking to pass III and IV until that ++ * happens. ++ */ + receiver->td_end = receiver->td_maxend = sack; ++ } else if (sack == receiver->td_end + 1) { ++ /* Likely a reply to a keepalive. ++ * Needed for III. ++ */ ++ receiver->td_end++; ++ } ++ + } + } else if (((state->state == TCP_CONNTRACK_SYN_SENT + && dir == IP_CT_DIR_ORIGINAL) +-- +2.25.1 + diff --git a/queue-4.19/netfilter-nf_fwd_netdev-clear-timestamp-in-forwardin.patch b/queue-4.19/netfilter-nf_fwd_netdev-clear-timestamp-in-forwardin.patch new file mode 100644 index 00000000000..73eaf650e97 --- /dev/null +++ b/queue-4.19/netfilter-nf_fwd_netdev-clear-timestamp-in-forwardin.patch @@ -0,0 +1,49 @@ +From 53235b2a121865acff15facffeee41125445091c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Oct 2020 12:55:52 +0200 +Subject: netfilter: nf_fwd_netdev: clear timestamp in forwarding path + +From: Pablo Neira Ayuso + +[ Upstream commit c77761c8a59405cb7aa44188b30fffe13fbdd02d ] + +Similar to 7980d2eabde8 ("ipvs: clear skb->tstamp in forwarding path"). +fq qdisc requires tstamp to be cleared in forwarding path. + +Fixes: 8203e2d844d3 ("net: clear skb->tstamp in forwarding paths") +Fixes: fb420d5d91c1 ("tcp/fq: move back to CLOCK_MONOTONIC") +Fixes: 80b14dee2bea ("net: Add a new socket option for a future transmit time.") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_dup_netdev.c | 1 + + net/netfilter/nft_fwd_netdev.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/net/netfilter/nf_dup_netdev.c b/net/netfilter/nf_dup_netdev.c +index f4a566e672135..98d117f3340ce 100644 +--- a/net/netfilter/nf_dup_netdev.c ++++ b/net/netfilter/nf_dup_netdev.c +@@ -21,6 +21,7 @@ static void nf_do_netdev_egress(struct sk_buff *skb, struct net_device *dev) + skb_push(skb, skb->mac_len); + + skb->dev = dev; ++ skb->tstamp = 0; + dev_queue_xmit(skb); + } + +diff --git a/net/netfilter/nft_fwd_netdev.c b/net/netfilter/nft_fwd_netdev.c +index 649edbe77a205..10a12e0949299 100644 +--- a/net/netfilter/nft_fwd_netdev.c ++++ b/net/netfilter/nft_fwd_netdev.c +@@ -129,6 +129,7 @@ static void nft_fwd_neigh_eval(const struct nft_expr *expr, + return; + + skb->dev = dev; ++ skb->tstamp = 0; + neigh_xmit(neigh_table, dev, addr, skb); + out: + regs->verdict.code = verdict; +-- +2.25.1 + diff --git a/queue-4.19/netfilter-nf_log-missing-vlan-offload-tag-and-proto.patch b/queue-4.19/netfilter-nf_log-missing-vlan-offload-tag-and-proto.patch new file mode 100644 index 00000000000..e8d2f2e8157 --- /dev/null +++ b/queue-4.19/netfilter-nf_log-missing-vlan-offload-tag-and-proto.patch @@ -0,0 +1,139 @@ +From 8fe555fad731a4f04aeae38ce83ab310aadf90f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Oct 2020 17:06:06 +0200 +Subject: netfilter: nf_log: missing vlan offload tag and proto + +From: Pablo Neira Ayuso + +[ Upstream commit 0d9826bc18ce356e8909919ad681ad65d0a6061e ] + +Dump vlan tag and proto for the usual vlan offload case if the +NF_LOG_MACDECODE flag is set on. Without this information the logging is +misleading as there is no reference to the VLAN header. + +[12716.993704] test: IN=veth0 OUT= MACSRC=86:6c:92:ea:d6:73 MACDST=0e:3b:eb:86:73:76 VPROTO=8100 VID=10 MACPROTO=0800 SRC=192.168.10.2 DST=172.217.168.163 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=2548 DF PROTO=TCP SPT=55848 DPT=80 WINDOW=501 RES=0x00 ACK FIN URGP=0 +[12721.157643] test: IN=veth0 OUT= MACSRC=86:6c:92:ea:d6:73 MACDST=0e:3b:eb:86:73:76 VPROTO=8100 VID=10 MACPROTO=0806 ARP HTYPE=1 PTYPE=0x0800 OPCODE=2 MACSRC=86:6c:92:ea:d6:73 IPSRC=192.168.10.2 MACDST=0e:3b:eb:86:73:76 IPDST=192.168.10.1 + +Fixes: 83e96d443b37 ("netfilter: log: split family specific code to nf_log_{ip,ip6,common}.c files") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_log.h | 1 + + net/ipv4/netfilter/nf_log_arp.c | 19 +++++++++++++++++-- + net/ipv4/netfilter/nf_log_ipv4.c | 6 ++++-- + net/ipv6/netfilter/nf_log_ipv6.c | 8 +++++--- + net/netfilter/nf_log_common.c | 12 ++++++++++++ + 5 files changed, 39 insertions(+), 7 deletions(-) + +diff --git a/include/net/netfilter/nf_log.h b/include/net/netfilter/nf_log.h +index 0d3920896d502..716db4a0fed89 100644 +--- a/include/net/netfilter/nf_log.h ++++ b/include/net/netfilter/nf_log.h +@@ -108,6 +108,7 @@ int nf_log_dump_tcp_header(struct nf_log_buf *m, const struct sk_buff *skb, + unsigned int logflags); + void nf_log_dump_sk_uid_gid(struct net *net, struct nf_log_buf *m, + struct sock *sk); ++void nf_log_dump_vlan(struct nf_log_buf *m, const struct sk_buff *skb); + void nf_log_dump_packet_common(struct nf_log_buf *m, u_int8_t pf, + unsigned int hooknum, const struct sk_buff *skb, + const struct net_device *in, +diff --git a/net/ipv4/netfilter/nf_log_arp.c b/net/ipv4/netfilter/nf_log_arp.c +index df5c2a2061a4b..19fff2c589fac 100644 +--- a/net/ipv4/netfilter/nf_log_arp.c ++++ b/net/ipv4/netfilter/nf_log_arp.c +@@ -46,16 +46,31 @@ static void dump_arp_packet(struct nf_log_buf *m, + const struct nf_loginfo *info, + const struct sk_buff *skb, unsigned int nhoff) + { +- const struct arphdr *ah; +- struct arphdr _arph; + const struct arppayload *ap; + struct arppayload _arpp; ++ const struct arphdr *ah; ++ unsigned int logflags; ++ struct arphdr _arph; + + ah = skb_header_pointer(skb, 0, sizeof(_arph), &_arph); + if (ah == NULL) { + nf_log_buf_add(m, "TRUNCATED"); + return; + } ++ ++ if (info->type == NF_LOG_TYPE_LOG) ++ logflags = info->u.log.logflags; ++ else ++ logflags = NF_LOG_DEFAULT_MASK; ++ ++ if (logflags & NF_LOG_MACDECODE) { ++ nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM ", ++ eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest); ++ nf_log_dump_vlan(m, skb); ++ nf_log_buf_add(m, "MACPROTO=%04x ", ++ ntohs(eth_hdr(skb)->h_proto)); ++ } ++ + nf_log_buf_add(m, "ARP HTYPE=%d PTYPE=0x%04x OPCODE=%d", + ntohs(ah->ar_hrd), ntohs(ah->ar_pro), ntohs(ah->ar_op)); + +diff --git a/net/ipv4/netfilter/nf_log_ipv4.c b/net/ipv4/netfilter/nf_log_ipv4.c +index 1e6f28c97d3a2..cde1918607e9c 100644 +--- a/net/ipv4/netfilter/nf_log_ipv4.c ++++ b/net/ipv4/netfilter/nf_log_ipv4.c +@@ -287,8 +287,10 @@ static void dump_ipv4_mac_header(struct nf_log_buf *m, + + switch (dev->type) { + case ARPHRD_ETHER: +- nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM MACPROTO=%04x ", +- eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest, ++ nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM ", ++ eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest); ++ nf_log_dump_vlan(m, skb); ++ nf_log_buf_add(m, "MACPROTO=%04x ", + ntohs(eth_hdr(skb)->h_proto)); + return; + default: +diff --git a/net/ipv6/netfilter/nf_log_ipv6.c b/net/ipv6/netfilter/nf_log_ipv6.c +index c6bf580d0f331..c456e2f902b93 100644 +--- a/net/ipv6/netfilter/nf_log_ipv6.c ++++ b/net/ipv6/netfilter/nf_log_ipv6.c +@@ -300,9 +300,11 @@ static void dump_ipv6_mac_header(struct nf_log_buf *m, + + switch (dev->type) { + case ARPHRD_ETHER: +- nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM MACPROTO=%04x ", +- eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest, +- ntohs(eth_hdr(skb)->h_proto)); ++ nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM ", ++ eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest); ++ nf_log_dump_vlan(m, skb); ++ nf_log_buf_add(m, "MACPROTO=%04x ", ++ ntohs(eth_hdr(skb)->h_proto)); + return; + default: + break; +diff --git a/net/netfilter/nf_log_common.c b/net/netfilter/nf_log_common.c +index a8c5c846aec10..b164a0e1e0536 100644 +--- a/net/netfilter/nf_log_common.c ++++ b/net/netfilter/nf_log_common.c +@@ -176,6 +176,18 @@ nf_log_dump_packet_common(struct nf_log_buf *m, u_int8_t pf, + } + EXPORT_SYMBOL_GPL(nf_log_dump_packet_common); + ++void nf_log_dump_vlan(struct nf_log_buf *m, const struct sk_buff *skb) ++{ ++ u16 vid; ++ ++ if (!skb_vlan_tag_present(skb)) ++ return; ++ ++ vid = skb_vlan_tag_get(skb); ++ nf_log_buf_add(m, "VPROTO=%04x VID=%u ", ntohs(skb->vlan_proto), vid); ++} ++EXPORT_SYMBOL_GPL(nf_log_dump_vlan); ++ + /* bridge and netdev logging families share this code. */ + void nf_log_l2packet(struct net *net, u_int8_t pf, + __be16 protocol, +-- +2.25.1 + diff --git a/queue-4.19/nl80211-fix-non-split-wiphy-information.patch b/queue-4.19/nl80211-fix-non-split-wiphy-information.patch new file mode 100644 index 00000000000..5d4be65913d --- /dev/null +++ b/queue-4.19/nl80211-fix-non-split-wiphy-information.patch @@ -0,0 +1,49 @@ +From 9682388b48023d16745b87ebeb6250a65de11a74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Sep 2020 13:07:18 +0200 +Subject: nl80211: fix non-split wiphy information + +From: Johannes Berg + +[ Upstream commit ab10c22bc3b2024f0c9eafa463899a071eac8d97 ] + +When dumping wiphy information, we try to split the data into +many submessages, but for old userspace we still support the +old mode where this doesn't happen. + +However, in this case we were not resetting our state correctly +and dumping multiple messages for each wiphy, which would have +broken such older userspace. + +This was broken pretty much immediately afterwards because it +only worked in the original commit where non-split dumps didn't +have any more data than split dumps... + +Fixes: fe1abafd942f ("nl80211: re-add channel width and extended capa advertising") +Signed-off-by: Johannes Berg +Link: https://lore.kernel.org/r/20200928130717.3e6d9c6bada2.Ie0f151a8d0d00a8e1e18f6a8c9244dd02496af67@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/nl80211.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 4e41792099822..fbc8875502c3e 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -1950,7 +1950,10 @@ static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev, + * case we'll continue with more data in the next round, + * but break unconditionally so unsplit data stops here. + */ +- state->split_start++; ++ if (state->split) ++ state->split_start++; ++ else ++ state->split_start = 0; + break; + case 9: + if (rdev->wiphy.extended_capabilities && +-- +2.25.1 + diff --git a/queue-4.19/ntb-hw-amd-fix-an-issue-about-leak-system-resources.patch b/queue-4.19/ntb-hw-amd-fix-an-issue-about-leak-system-resources.patch new file mode 100644 index 00000000000..8c5ae829f87 --- /dev/null +++ b/queue-4.19/ntb-hw-amd-fix-an-issue-about-leak-system-resources.patch @@ -0,0 +1,36 @@ +From 45624cbdc9d2775d4b91b77e07456ad568e0328a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 09:59:57 +0800 +Subject: NTB: hw: amd: fix an issue about leak system resources + +From: Kaige Li + +[ Upstream commit 44a0a3c17919db1498cebb02ecf3cf4abc1ade7b ] + +The related system resources were not released when pci_set_dma_mask(), +pci_set_consistent_dma_mask(), or pci_iomap() return error in the +amd_ntb_init_pci() function. Add pci_release_regions() to fix it. + +Fixes: a1b3695820aa ("NTB: Add support for AMD PCI-Express Non-Transparent Bridge") +Signed-off-by: Kaige Li +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/hw/amd/ntb_hw_amd.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/ntb/hw/amd/ntb_hw_amd.c b/drivers/ntb/hw/amd/ntb_hw_amd.c +index efb214fc545a2..0b1fbb5dba9b6 100644 +--- a/drivers/ntb/hw/amd/ntb_hw_amd.c ++++ b/drivers/ntb/hw/amd/ntb_hw_amd.c +@@ -1036,6 +1036,7 @@ static int amd_ntb_init_pci(struct amd_ntb_dev *ndev, + + err_dma_mask: + pci_clear_master(pdev); ++ pci_release_regions(pdev); + err_pci_regions: + pci_disable_device(pdev); + err_pci_enable: +-- +2.25.1 + diff --git a/queue-4.19/ntfs-add-check-for-mft-record-size-in-superblock.patch b/queue-4.19/ntfs-add-check-for-mft-record-size-in-superblock.patch new file mode 100644 index 00000000000..c7d3fe0a628 --- /dev/null +++ b/queue-4.19/ntfs-add-check-for-mft-record-size-in-superblock.patch @@ -0,0 +1,46 @@ +From 1a2bfa9939bbc9f2d1293e7aa68a43e7a4635038 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Oct 2020 16:48:17 -0700 +Subject: ntfs: add check for mft record size in superblock + +From: Rustam Kovhaev + +[ Upstream commit 4f8c94022f0bc3babd0a124c0a7dcdd7547bd94e ] + +Number of bytes allocated for mft record should be equal to the mft record +size stored in ntfs superblock as reported by syzbot, userspace might +trigger out-of-bounds read by dereferencing ctx->attr in ntfs_attr_find() + +Reported-by: syzbot+aed06913f36eff9b544e@syzkaller.appspotmail.com +Signed-off-by: Rustam Kovhaev +Signed-off-by: Andrew Morton +Tested-by: syzbot+aed06913f36eff9b544e@syzkaller.appspotmail.com +Acked-by: Anton Altaparmakov +Link: https://syzkaller.appspot.com/bug?extid=aed06913f36eff9b544e +Link: https://lkml.kernel.org/r/20200824022804.226242-1-rkovhaev@gmail.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ntfs/inode.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/ntfs/inode.c b/fs/ntfs/inode.c +index bd3221cbdd956..0d4b5b9843b62 100644 +--- a/fs/ntfs/inode.c ++++ b/fs/ntfs/inode.c +@@ -1835,6 +1835,12 @@ int ntfs_read_inode_mount(struct inode *vi) + brelse(bh); + } + ++ if (le32_to_cpu(m->bytes_allocated) != vol->mft_record_size) { ++ ntfs_error(sb, "Incorrect mft record size %u in superblock, should be %u.", ++ le32_to_cpu(m->bytes_allocated), vol->mft_record_size); ++ goto err_out; ++ } ++ + /* Apply the mst fixups. */ + if (post_read_mst_fixup((NTFS_RECORD*)m, vol->mft_record_size)) { + /* FIXME: Try to use the $MFTMirr now. */ +-- +2.25.1 + diff --git a/queue-4.19/nvmem-core-fix-possibly-memleak-when-use-nvmem_cell_.patch b/queue-4.19/nvmem-core-fix-possibly-memleak-when-use-nvmem_cell_.patch new file mode 100644 index 00000000000..95e823739fa --- /dev/null +++ b/queue-4.19/nvmem-core-fix-possibly-memleak-when-use-nvmem_cell_.patch @@ -0,0 +1,107 @@ +From 91bd2f4432b704fbe879c3a8fa57203f006e42a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Sep 2020 23:44:56 +0300 +Subject: nvmem: core: fix possibly memleak when use + nvmem_cell_info_to_nvmem_cell() + +From: Vadym Kochan + +[ Upstream commit fc9eec4d643597cf4cb2fef17d48110e677610da ] + +Fix missing 'kfree_const(cell->name)' when call to +nvmem_cell_info_to_nvmem_cell() in several places: + + * after nvmem_cell_info_to_nvmem_cell() failed during + nvmem_add_cells() + + * during nvmem_device_cell_{read,write} when cell->name is + kstrdup'ed() without calling kfree_const() at the end, but + really there is no reason to do that 'dup, because the cell + instance is allocated on the stack for some short period to be + read/write without exposing it to the caller. + +So the new nvmem_cell_info_to_nvmem_cell_nodup() helper is introduced +which is used to convert cell_info -> cell without name duplication as +a lighweight version of nvmem_cell_info_to_nvmem_cell(). + +Fixes: e2a5402ec7c6 ("nvmem: Add nvmem_device based consumer apis.") +Reviewed-by: Srinivas Kandagatla +Acked-by: Srinivas Kandagatla +Signed-off-by: Vadym Kochan +Link: https://lore.kernel.org/r/20200923204456.14032-1-vadym.kochan@plvision.eu +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/nvmem/core.c | 29 +++++++++++++++++++++++------ + 1 file changed, 23 insertions(+), 6 deletions(-) + +diff --git a/drivers/nvmem/core.c b/drivers/nvmem/core.c +index 30c040786fde2..54204d550fc22 100644 +--- a/drivers/nvmem/core.c ++++ b/drivers/nvmem/core.c +@@ -326,9 +326,9 @@ static void nvmem_cell_add(struct nvmem_cell *cell) + mutex_unlock(&nvmem_cells_mutex); + } + +-static int nvmem_cell_info_to_nvmem_cell(struct nvmem_device *nvmem, +- const struct nvmem_cell_info *info, +- struct nvmem_cell *cell) ++static int nvmem_cell_info_to_nvmem_cell_nodup(struct nvmem_device *nvmem, ++ const struct nvmem_cell_info *info, ++ struct nvmem_cell *cell) + { + cell->nvmem = nvmem; + cell->offset = info->offset; +@@ -345,13 +345,30 @@ static int nvmem_cell_info_to_nvmem_cell(struct nvmem_device *nvmem, + if (!IS_ALIGNED(cell->offset, nvmem->stride)) { + dev_err(&nvmem->dev, + "cell %s unaligned to nvmem stride %d\n", +- cell->name, nvmem->stride); ++ cell->name ?: "", nvmem->stride); + return -EINVAL; + } + + return 0; + } + ++static int nvmem_cell_info_to_nvmem_cell(struct nvmem_device *nvmem, ++ const struct nvmem_cell_info *info, ++ struct nvmem_cell *cell) ++{ ++ int err; ++ ++ err = nvmem_cell_info_to_nvmem_cell_nodup(nvmem, info, cell); ++ if (err) ++ return err; ++ ++ cell->name = kstrdup_const(info->name, GFP_KERNEL); ++ if (!cell->name) ++ return -ENOMEM; ++ ++ return 0; ++} ++ + /** + * nvmem_add_cells() - Add cell information to an nvmem device + * +@@ -1265,7 +1282,7 @@ ssize_t nvmem_device_cell_read(struct nvmem_device *nvmem, + if (!nvmem) + return -EINVAL; + +- rc = nvmem_cell_info_to_nvmem_cell(nvmem, info, &cell); ++ rc = nvmem_cell_info_to_nvmem_cell_nodup(nvmem, info, &cell); + if (rc) + return rc; + +@@ -1295,7 +1312,7 @@ int nvmem_device_cell_write(struct nvmem_device *nvmem, + if (!nvmem) + return -EINVAL; + +- rc = nvmem_cell_info_to_nvmem_cell(nvmem, info, &cell); ++ rc = nvmem_cell_info_to_nvmem_cell_nodup(nvmem, info, &cell); + if (rc) + return rc; + +-- +2.25.1 + diff --git a/queue-4.19/nvmet-fix-uninitialized-work-for-zero-kato.patch b/queue-4.19/nvmet-fix-uninitialized-work-for-zero-kato.patch new file mode 100644 index 00000000000..ab97978a685 --- /dev/null +++ b/queue-4.19/nvmet-fix-uninitialized-work-for-zero-kato.patch @@ -0,0 +1,55 @@ +From cea13f7d89b41650711590a0f33c7691b4f5efa8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Oct 2020 09:51:40 +0800 +Subject: nvmet: fix uninitialized work for zero kato + +From: zhenwei pi + +[ Upstream commit 85bd23f3dc09a2ae9e56885420e52c54bf983713 ] + +When connecting a controller with a zero kato value using the following +command line + + nvme connect -t tcp -n NQN -a ADDR -s PORT --keep-alive-tmo=0 + +the warning below can be reproduced: + +WARNING: CPU: 1 PID: 241 at kernel/workqueue.c:1627 __queue_delayed_work+0x6d/0x90 +with trace: + mod_delayed_work_on+0x59/0x90 + nvmet_update_cc+0xee/0x100 [nvmet] + nvmet_execute_prop_set+0x72/0x80 [nvmet] + nvmet_tcp_try_recv_pdu+0x2f7/0x770 [nvmet_tcp] + nvmet_tcp_io_work+0x63f/0xb2d [nvmet_tcp] + ... + +This is caused by queuing up an uninitialized work. Althrough the +keep-alive timer is disabled during allocating the controller (fixed in +0d3b6a8d213a), ka_work still has a chance to run (called by +nvmet_start_ctrl). + +Fixes: 0d3b6a8d213a ("nvmet: Disable keep-alive timer when kato is cleared to 0h") +Signed-off-by: zhenwei pi +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c +index f28df233dfcd0..2b492ad55f0e4 100644 +--- a/drivers/nvme/target/core.c ++++ b/drivers/nvme/target/core.c +@@ -787,7 +787,8 @@ static void nvmet_start_ctrl(struct nvmet_ctrl *ctrl) + * in case a host died before it enabled the controller. Hence, simply + * reset the keep alive timer when the controller is enabled. + */ +- mod_delayed_work(system_wq, &ctrl->ka_work, ctrl->kato * HZ); ++ if (ctrl->kato) ++ mod_delayed_work(system_wq, &ctrl->ka_work, ctrl->kato * HZ); + } + + static void nvmet_clear_ctrl(struct nvmet_ctrl *ctrl) +-- +2.25.1 + diff --git a/queue-4.19/overflow-include-header-file-with-size_max-declarati.patch b/queue-4.19/overflow-include-header-file-with-size_max-declarati.patch new file mode 100644 index 00000000000..b743b4e3452 --- /dev/null +++ b/queue-4.19/overflow-include-header-file-with-size_max-declarati.patch @@ -0,0 +1,42 @@ +From 2352da9e3a23468ba0cc46c95ed4fc6c5835c530 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 13 Sep 2020 13:29:28 +0300 +Subject: overflow: Include header file with SIZE_MAX declaration + +From: Leon Romanovsky + +[ Upstream commit a4947e84f23474803b62a2759b5808147e4e15f9 ] + +The various array_size functions use SIZE_MAX define, but missed limits.h +causes to failure to compile code that needs overflow.h. + + In file included from drivers/infiniband/core/uverbs_std_types_device.c:6: + ./include/linux/overflow.h: In function 'array_size': + ./include/linux/overflow.h:258:10: error: 'SIZE_MAX' undeclared (first use in this function) + 258 | return SIZE_MAX; + | ^~~~~~~~ + +Fixes: 610b15c50e86 ("overflow.h: Add allocation size calculation helpers") +Link: https://lore.kernel.org/r/20200913102928.134985-1-leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + include/linux/overflow.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/linux/overflow.h b/include/linux/overflow.h +index 15eb85de92269..4564a175e6814 100644 +--- a/include/linux/overflow.h ++++ b/include/linux/overflow.h +@@ -3,6 +3,7 @@ + #define __LINUX_OVERFLOW_H + + #include ++#include + + /* + * In the fallback code below, we need to compute the minimum and +-- +2.25.1 + diff --git a/queue-4.19/pci-iproc-set-affinity-mask-on-msi-interrupts.patch b/queue-4.19/pci-iproc-set-affinity-mask-on-msi-interrupts.patch new file mode 100644 index 00000000000..0130fac6b91 --- /dev/null +++ b/queue-4.19/pci-iproc-set-affinity-mask-on-msi-interrupts.patch @@ -0,0 +1,55 @@ +From 4ea878b822f7c814dce352a94ab4f87c68c8d2fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Aug 2020 15:52:40 +1200 +Subject: PCI: iproc: Set affinity mask on MSI interrupts + +From: Mark Tomlinson + +[ Upstream commit eb7eacaa5b9e4f665bd08d416c8f88e63d2f123c ] + +The core interrupt code expects the irq_set_affinity call to update the +effective affinity for the interrupt. This was not being done, so update +iproc_msi_irq_set_affinity() to do so. + +Link: https://lore.kernel.org/r/20200803035241.7737-1-mark.tomlinson@alliedtelesis.co.nz +Fixes: 3bc2b2348835 ("PCI: iproc: Add iProc PCIe MSI support") +Signed-off-by: Mark Tomlinson +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Ray Jui +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pcie-iproc-msi.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/pci/controller/pcie-iproc-msi.c b/drivers/pci/controller/pcie-iproc-msi.c +index 9deb56989d726..ea612382599cf 100644 +--- a/drivers/pci/controller/pcie-iproc-msi.c ++++ b/drivers/pci/controller/pcie-iproc-msi.c +@@ -209,15 +209,20 @@ static int iproc_msi_irq_set_affinity(struct irq_data *data, + struct iproc_msi *msi = irq_data_get_irq_chip_data(data); + int target_cpu = cpumask_first(mask); + int curr_cpu; ++ int ret; + + curr_cpu = hwirq_to_cpu(msi, data->hwirq); + if (curr_cpu == target_cpu) +- return IRQ_SET_MASK_OK_DONE; ++ ret = IRQ_SET_MASK_OK_DONE; ++ else { ++ /* steer MSI to the target CPU */ ++ data->hwirq = hwirq_to_canonical_hwirq(msi, data->hwirq) + target_cpu; ++ ret = IRQ_SET_MASK_OK; ++ } + +- /* steer MSI to the target CPU */ +- data->hwirq = hwirq_to_canonical_hwirq(msi, data->hwirq) + target_cpu; ++ irq_data_update_effective_affinity(data, cpumask_of(target_cpu)); + +- return IRQ_SET_MASK_OK; ++ return ret; + } + + static void iproc_msi_irq_compose_msi_msg(struct irq_data *data, +-- +2.25.1 + diff --git a/queue-4.19/perf-correct-snoopx-field-offset.patch b/queue-4.19/perf-correct-snoopx-field-offset.patch new file mode 100644 index 00000000000..f9cb9dd3812 --- /dev/null +++ b/queue-4.19/perf-correct-snoopx-field-offset.patch @@ -0,0 +1,40 @@ +From ccb303f6dbfe8b99e5d506851476bc90160433ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Sep 2020 21:46:37 +0100 +Subject: perf: correct SNOOPX field offset + +From: Al Grant + +[ Upstream commit f3d301c1f2f5676465cdf3259737ea19cc82731f ] + +perf_event.h has macros that define the field offsets in the +data_src bitmask in perf records. The SNOOPX and REMOTE offsets +were both 37. These are distinct fields, and the bitfield layout +in perf_mem_data_src confirms that SNOOPX should be at offset 38. + +Fixes: 52839e653b5629bd ("perf tools: Add support for printing new mem_info encodings") +Signed-off-by: Al Grant +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Andi Kleen +Link: https://lkml.kernel.org/r/4ac9f5cc-4388-b34a-9999-418a4099415d@foss.arm.com +Signed-off-by: Sasha Levin +--- + include/uapi/linux/perf_event.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/uapi/linux/perf_event.h b/include/uapi/linux/perf_event.h +index f35eb72739c09..5fb4cdf37100c 100644 +--- a/include/uapi/linux/perf_event.h ++++ b/include/uapi/linux/perf_event.h +@@ -1079,7 +1079,7 @@ union perf_mem_data_src { + + #define PERF_MEM_SNOOPX_FWD 0x01 /* forward */ + /* 1 free */ +-#define PERF_MEM_SNOOPX_SHIFT 37 ++#define PERF_MEM_SNOOPX_SHIFT 38 + + /* locked instruction */ + #define PERF_MEM_LOCK_NA 0x01 /* not available */ +-- +2.25.1 + diff --git a/queue-4.19/perf-intel-pt-fix-context_switch-event-has-no-tid-er.patch b/queue-4.19/perf-intel-pt-fix-context_switch-event-has-no-tid-er.patch new file mode 100644 index 00000000000..8145f975ba0 --- /dev/null +++ b/queue-4.19/perf-intel-pt-fix-context_switch-event-has-no-tid-er.patch @@ -0,0 +1,152 @@ +From 427758ff9ff13a7ac3ad2d7b357c5fa19916533b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Sep 2020 11:49:23 +0300 +Subject: perf intel-pt: Fix "context_switch event has no tid" error + +From: Adrian Hunter + +[ Upstream commit 7d537a8d2e76bc4fc71e34545ceaa463ac2cd928 ] + +A context_switch event can have no tid because pids can be detached from +a task while the task is still running (in do_exit()). Note this won't +happen with per-task contexts because then tracing stops at +perf_event_exit_task() + +If a task with no tid gets preempted, or a dying task gets preempted and +its parent releases it, when it subsequently gets switched back in, +Intel PT will not be able to determine what task is running and prints +an error "context_switch event has no tid". However, it is not really an +error because the task is in kernel space and the decoder can continue +to decode successfully. Fix by changing the error to be only a logged +message, and make allowance for tid == -1. + +Example: + + Using 5.9-rc4 with Preemptible Kernel (Low-Latency Desktop) e.g. + $ uname -r + 5.9.0-rc4 + $ grep PREEMPT .config + # CONFIG_PREEMPT_NONE is not set + # CONFIG_PREEMPT_VOLUNTARY is not set + CONFIG_PREEMPT=y + CONFIG_PREEMPT_COUNT=y + CONFIG_PREEMPTION=y + CONFIG_PREEMPT_RCU=y + CONFIG_PREEMPT_NOTIFIERS=y + CONFIG_DRM_I915_PREEMPT_TIMEOUT=640 + CONFIG_DEBUG_PREEMPT=y + # CONFIG_PREEMPT_TRACER is not set + # CONFIG_PREEMPTIRQ_DELAY_TEST is not set + +Before: + + $ cat forkit.c + + #include + #include + #include + + int main() + { + pid_t child; + int status = 0; + + child = fork(); + if (child == 0) + return 123; + wait(&status); + return 0; + } + + $ gcc -o forkit forkit.c + $ sudo ~/bin/perf record --kcore -a -m,64M -e intel_pt/cyc/k & + [1] 11016 + $ taskset 2 ./forkit + $ sudo pkill perf + $ [ perf record: Woken up 1 times to write data ] + [ perf record: Captured and wrote 17.262 MB perf.data ] + + [1]+ Terminated sudo ~/bin/perf record --kcore -a -m,64M -e intel_pt/cyc/k + $ sudo ~/bin/perf script --show-task-events --show-switch-events --itrace=iqqe-o -C 1 --ns | grep -C 2 forkit + context_switch event has no tid + taskset 11019 [001] 66663.270045029: 1 instructions:k: ffffffffb1d9f844 strnlen_user+0xb4 ([kernel.kallsyms]) + taskset 11019 [001] 66663.270201816: 1 instructions:k: ffffffffb1a83121 unmap_page_range+0x561 ([kernel.kallsyms]) + forkit 11019 [001] 66663.270327553: PERF_RECORD_COMM exec: forkit:11019/11019 + forkit 11019 [001] 66663.270420028: 1 instructions:k: ffffffffb1db9537 __clear_user+0x27 ([kernel.kallsyms]) + forkit 11019 [001] 66663.270648704: 1 instructions:k: ffffffffb18829e6 do_user_addr_fault+0xf6 ([kernel.kallsyms]) + forkit 11019 [001] 66663.270833163: 1 instructions:k: ffffffffb230a825 irqentry_exit_to_user_mode+0x15 ([kernel.kallsyms]) + forkit 11019 [001] 66663.271092359: 1 instructions:k: ffffffffb1aea3d9 lock_page_memcg+0x9 ([kernel.kallsyms]) + forkit 11019 [001] 66663.271207092: PERF_RECORD_FORK(11020:11020):(11019:11019) + forkit 11019 [001] 66663.271234775: PERF_RECORD_SWITCH_CPU_WIDE OUT next pid/tid: 11020/11020 + forkit 11020 [001] 66663.271238407: PERF_RECORD_SWITCH_CPU_WIDE IN prev pid/tid: 11019/11019 + forkit 11020 [001] 66663.271312066: 1 instructions:k: ffffffffb1a88140 handle_mm_fault+0x10 ([kernel.kallsyms]) + forkit 11020 [001] 66663.271476225: PERF_RECORD_EXIT(11020:11020):(11019:11019) + forkit 11020 [001] 66663.271497488: PERF_RECORD_SWITCH_CPU_WIDE OUT preempt next pid/tid: 11019/11019 + forkit 11019 [001] 66663.271500523: PERF_RECORD_SWITCH_CPU_WIDE IN prev pid/tid: 11020/11020 + forkit 11019 [001] 66663.271517241: 1 instructions:k: ffffffffb24012cd error_entry+0x6d ([kernel.kallsyms]) + forkit 11019 [001] 66663.271664080: PERF_RECORD_EXIT(11019:11019):(1386:1386) + +After: + + $ sudo ~/bin/perf script --show-task-events --show-switch-events --itrace=iqqe-o -C 1 --ns | grep -C 2 forkit + taskset 11019 [001] 66663.270045029: 1 instructions:k: ffffffffb1d9f844 strnlen_user+0xb4 ([kernel.kallsyms]) + taskset 11019 [001] 66663.270201816: 1 instructions:k: ffffffffb1a83121 unmap_page_range+0x561 ([kernel.kallsyms]) + forkit 11019 [001] 66663.270327553: PERF_RECORD_COMM exec: forkit:11019/11019 + forkit 11019 [001] 66663.270420028: 1 instructions:k: ffffffffb1db9537 __clear_user+0x27 ([kernel.kallsyms]) + forkit 11019 [001] 66663.270648704: 1 instructions:k: ffffffffb18829e6 do_user_addr_fault+0xf6 ([kernel.kallsyms]) + forkit 11019 [001] 66663.270833163: 1 instructions:k: ffffffffb230a825 irqentry_exit_to_user_mode+0x15 ([kernel.kallsyms]) + forkit 11019 [001] 66663.271092359: 1 instructions:k: ffffffffb1aea3d9 lock_page_memcg+0x9 ([kernel.kallsyms]) + forkit 11019 [001] 66663.271207092: PERF_RECORD_FORK(11020:11020):(11019:11019) + forkit 11019 [001] 66663.271234775: PERF_RECORD_SWITCH_CPU_WIDE OUT next pid/tid: 11020/11020 + forkit 11020 [001] 66663.271238407: PERF_RECORD_SWITCH_CPU_WIDE IN prev pid/tid: 11019/11019 + forkit 11020 [001] 66663.271312066: 1 instructions:k: ffffffffb1a88140 handle_mm_fault+0x10 ([kernel.kallsyms]) + forkit 11020 [001] 66663.271476225: PERF_RECORD_EXIT(11020:11020):(11019:11019) + forkit 11020 [001] 66663.271497488: PERF_RECORD_SWITCH_CPU_WIDE OUT preempt next pid/tid: 11019/11019 + forkit 11019 [001] 66663.271500523: PERF_RECORD_SWITCH_CPU_WIDE IN prev pid/tid: 11020/11020 + forkit 11019 [001] 66663.271517241: 1 instructions:k: ffffffffb24012cd error_entry+0x6d ([kernel.kallsyms]) + forkit 11019 [001] 66663.271664080: PERF_RECORD_EXIT(11019:11019):(1386:1386) + forkit 11019 [001] 66663.271688752: PERF_RECORD_SWITCH_CPU_WIDE OUT next pid/tid: -1/-1 + :-1 -1 [001] 66663.271692086: PERF_RECORD_SWITCH_CPU_WIDE IN prev pid/tid: 11019/11019 + :-1 -1 [001] 66663.271707466: 1 instructions:k: ffffffffb18eb096 update_load_avg+0x306 ([kernel.kallsyms]) + +Fixes: 86c2786994bd7c ("perf intel-pt: Add support for PERF_RECORD_SWITCH") +Signed-off-by: Adrian Hunter +Cc: Andi Kleen +Cc: Jiri Olsa +Cc: Yu-cheng Yu +Link: http://lore.kernel.org/lkml/20200909084923.9096-3-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/intel-pt.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/tools/perf/util/intel-pt.c b/tools/perf/util/intel-pt.c +index ff2c41ea94c8c..2434a0014491f 100644 +--- a/tools/perf/util/intel-pt.c ++++ b/tools/perf/util/intel-pt.c +@@ -876,6 +876,8 @@ static void intel_pt_set_pid_tid_cpu(struct intel_pt *pt, + + if (queue->tid == -1 || pt->have_sched_switch) { + ptq->tid = machine__get_current_tid(pt->machine, ptq->cpu); ++ if (ptq->tid == -1) ++ ptq->pid = -1; + thread__zput(ptq->thread); + } + +@@ -1915,10 +1917,8 @@ static int intel_pt_context_switch(struct intel_pt *pt, union perf_event *event, + tid = sample->tid; + } + +- if (tid == -1) { +- pr_err("context_switch event has no tid\n"); +- return -EINVAL; +- } ++ if (tid == -1) ++ intel_pt_log("context_switch event has no tid\n"); + + intel_pt_log("context_switch: cpu %d pid %d tid %d time %"PRIu64" tsc %#"PRIx64"\n", + cpu, pid, tid, sample->time, perf_time_to_tsc(sample->time, +-- +2.25.1 + diff --git a/queue-4.19/pinctrl-bcm-fix-kconfig-dependency-warning-when-gpio.patch b/queue-4.19/pinctrl-bcm-fix-kconfig-dependency-warning-when-gpio.patch new file mode 100644 index 00000000000..fd14a1e2399 --- /dev/null +++ b/queue-4.19/pinctrl-bcm-fix-kconfig-dependency-warning-when-gpio.patch @@ -0,0 +1,47 @@ +From 9265e9e6065ea72b5c79a69b478e1888a9d60d68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Sep 2020 17:40:26 +0300 +Subject: pinctrl: bcm: fix kconfig dependency warning when !GPIOLIB + +From: Necip Fazil Yildiran + +[ Upstream commit 513034d8b089b9a49dab57845aee70e830fe7334 ] + +When PINCTRL_BCM2835 is enabled and GPIOLIB is disabled, it results in the +following Kbuild warning: + +WARNING: unmet direct dependencies detected for GPIOLIB_IRQCHIP + Depends on [n]: GPIOLIB [=n] + Selected by [y]: + - PINCTRL_BCM2835 [=y] && PINCTRL [=y] && OF [=y] && (ARCH_BCM2835 [=n] || ARCH_BRCMSTB [=n] || COMPILE_TEST [=y]) + +The reason is that PINCTRL_BCM2835 selects GPIOLIB_IRQCHIP without +depending on or selecting GPIOLIB while GPIOLIB_IRQCHIP is subordinate to +GPIOLIB. + +Honor the kconfig menu hierarchy to remove kconfig dependency warnings. + +Fixes: 85ae9e512f43 ("pinctrl: bcm2835: switch to GPIOLIB_IRQCHIP") +Signed-off-by: Necip Fazil Yildiran +Link: https://lore.kernel.org/r/20200914144025.371370-1-fazilyildiran@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/bcm/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pinctrl/bcm/Kconfig b/drivers/pinctrl/bcm/Kconfig +index 0f38d51f47c64..e6cd314919de1 100644 +--- a/drivers/pinctrl/bcm/Kconfig ++++ b/drivers/pinctrl/bcm/Kconfig +@@ -21,6 +21,7 @@ config PINCTRL_BCM2835 + select PINMUX + select PINCONF + select GENERIC_PINCONF ++ select GPIOLIB + select GPIOLIB_IRQCHIP + + config PINCTRL_IPROC_GPIO +-- +2.25.1 + diff --git a/queue-4.19/pinctrl-mcp23s08-fix-mcp23x17-precious-range.patch b/queue-4.19/pinctrl-mcp23s08-fix-mcp23x17-precious-range.patch new file mode 100644 index 00000000000..2467eb2d6da --- /dev/null +++ b/queue-4.19/pinctrl-mcp23s08-fix-mcp23x17-precious-range.patch @@ -0,0 +1,42 @@ +From 159efe9706062badec2925825785f6bc6d819fe9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Aug 2020 22:32:26 +0100 +Subject: pinctrl: mcp23s08: Fix mcp23x17 precious range + +From: Thomas Preston + +[ Upstream commit b9b7fb29433b906635231d0a111224efa009198c ] + +On page 23 of the datasheet [0] it says "The register remains unchanged +until the interrupt is cleared via a read of INTCAP or GPIO." Include +INTCAPA and INTCAPB registers in precious range, so that they aren't +accidentally cleared when we read via debugfs. + +[0] https://ww1.microchip.com/downloads/en/DeviceDoc/20001952C.pdf + +Fixes: 8f38910ba4f6 ("pinctrl: mcp23s08: switch to regmap caching") +Signed-off-by: Thomas Preston +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20200828213226.1734264-3-thomas.preston@codethink.co.uk +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-mcp23s08.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/pinctrl-mcp23s08.c b/drivers/pinctrl/pinctrl-mcp23s08.c +index 5f0cea13bb5ce..5b5a4323ae63d 100644 +--- a/drivers/pinctrl/pinctrl-mcp23s08.c ++++ b/drivers/pinctrl/pinctrl-mcp23s08.c +@@ -142,7 +142,7 @@ static const struct regmap_access_table mcp23x17_volatile_table = { + }; + + static const struct regmap_range mcp23x17_precious_range = { +- .range_min = MCP_GPIO << 1, ++ .range_min = MCP_INTCAP << 1, + .range_max = MCP_GPIO << 1, + }; + +-- +2.25.1 + diff --git a/queue-4.19/pinctrl-mcp23s08-fix-mcp23x17_regmap-initialiser.patch b/queue-4.19/pinctrl-mcp23s08-fix-mcp23x17_regmap-initialiser.patch new file mode 100644 index 00000000000..d782cf7e9e8 --- /dev/null +++ b/queue-4.19/pinctrl-mcp23s08-fix-mcp23x17_regmap-initialiser.patch @@ -0,0 +1,84 @@ +From b0e38fa4c84664f0a23c59f5f655e65bf6dc99da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Aug 2020 22:32:25 +0100 +Subject: pinctrl: mcp23s08: Fix mcp23x17_regmap initialiser + +From: Thomas Preston + +[ Upstream commit b445f6237744df5e8d4f56f8733b2108c611220a ] + +The mcp23x17_regmap is initialised with structs named "mcp23x16". +However, the mcp23s08 driver doesn't support the MCP23016 device yet, so +this appears to be a typo. + +Fixes: 8f38910ba4f6 ("pinctrl: mcp23s08: switch to regmap caching") +Signed-off-by: Thomas Preston +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20200828213226.1734264-2-thomas.preston@codethink.co.uk +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-mcp23s08.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/drivers/pinctrl/pinctrl-mcp23s08.c b/drivers/pinctrl/pinctrl-mcp23s08.c +index 33c3eca0ece97..5f0cea13bb5ce 100644 +--- a/drivers/pinctrl/pinctrl-mcp23s08.c ++++ b/drivers/pinctrl/pinctrl-mcp23s08.c +@@ -120,7 +120,7 @@ static const struct regmap_config mcp23x08_regmap = { + .max_register = MCP_OLAT, + }; + +-static const struct reg_default mcp23x16_defaults[] = { ++static const struct reg_default mcp23x17_defaults[] = { + {.reg = MCP_IODIR << 1, .def = 0xffff}, + {.reg = MCP_IPOL << 1, .def = 0x0000}, + {.reg = MCP_GPINTEN << 1, .def = 0x0000}, +@@ -131,23 +131,23 @@ static const struct reg_default mcp23x16_defaults[] = { + {.reg = MCP_OLAT << 1, .def = 0x0000}, + }; + +-static const struct regmap_range mcp23x16_volatile_range = { ++static const struct regmap_range mcp23x17_volatile_range = { + .range_min = MCP_INTF << 1, + .range_max = MCP_GPIO << 1, + }; + +-static const struct regmap_access_table mcp23x16_volatile_table = { +- .yes_ranges = &mcp23x16_volatile_range, ++static const struct regmap_access_table mcp23x17_volatile_table = { ++ .yes_ranges = &mcp23x17_volatile_range, + .n_yes_ranges = 1, + }; + +-static const struct regmap_range mcp23x16_precious_range = { ++static const struct regmap_range mcp23x17_precious_range = { + .range_min = MCP_GPIO << 1, + .range_max = MCP_GPIO << 1, + }; + +-static const struct regmap_access_table mcp23x16_precious_table = { +- .yes_ranges = &mcp23x16_precious_range, ++static const struct regmap_access_table mcp23x17_precious_table = { ++ .yes_ranges = &mcp23x17_precious_range, + .n_yes_ranges = 1, + }; + +@@ -157,10 +157,10 @@ static const struct regmap_config mcp23x17_regmap = { + + .reg_stride = 2, + .max_register = MCP_OLAT << 1, +- .volatile_table = &mcp23x16_volatile_table, +- .precious_table = &mcp23x16_precious_table, +- .reg_defaults = mcp23x16_defaults, +- .num_reg_defaults = ARRAY_SIZE(mcp23x16_defaults), ++ .volatile_table = &mcp23x17_volatile_table, ++ .precious_table = &mcp23x17_precious_table, ++ .reg_defaults = mcp23x17_defaults, ++ .num_reg_defaults = ARRAY_SIZE(mcp23x17_defaults), + .cache_type = REGCACHE_FLAT, + .val_format_endian = REGMAP_ENDIAN_LITTLE, + }; +-- +2.25.1 + diff --git a/queue-4.19/platform-x86-mlx-platform-remove-psu-eeprom-configur.patch b/queue-4.19/platform-x86-mlx-platform-remove-psu-eeprom-configur.patch new file mode 100644 index 00000000000..405e18778c0 --- /dev/null +++ b/queue-4.19/platform-x86-mlx-platform-remove-psu-eeprom-configur.patch @@ -0,0 +1,71 @@ +From 9306c4761912961dc228c32b0de99571c3932928 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Sep 2020 20:20:49 +0300 +Subject: platform/x86: mlx-platform: Remove PSU EEPROM configuration + +From: Vadim Pasternak + +[ Upstream commit c071afcea6ecf24a3c119f25ce9f71ffd55b5dc2 ] + +Remove PSU EEPROM configuration for systems class equipped with +Mellanox chip Spectrume-2. Till now all the systems from this class +used few types of power units, all equipped with EEPROM device with +address space two bytes. Thus, all these devices have been handled by +EEPROM driver "24c32". +There is a new requirement is to support power unit replacement by "off +the shelf" device, matching electrical required parameters. Such device +could be equipped with different EEPROM type, which could be one byte +address space addressing or even could be not equipped with EEPROM. +In such case "24c32" will not work. + +Fixes: 1bd42d94ccab ("platform/x86: mlx-platform: Add support for new 200G IB and Ethernet systems") +Signed-off-by: Vadim Pasternak +Reviewed-by: Hans de Goede +Link: https://lore.kernel.org/r/20200923172053.26296-2-vadimp@nvidia.com +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/mlx-platform.c | 15 ++------------- + 1 file changed, 2 insertions(+), 13 deletions(-) + +diff --git a/drivers/platform/x86/mlx-platform.c b/drivers/platform/x86/mlx-platform.c +index 69e28c12d5915..0c72de95b5ccd 100644 +--- a/drivers/platform/x86/mlx-platform.c ++++ b/drivers/platform/x86/mlx-platform.c +@@ -221,15 +221,6 @@ static struct i2c_board_info mlxplat_mlxcpld_psu[] = { + }, + }; + +-static struct i2c_board_info mlxplat_mlxcpld_ng_psu[] = { +- { +- I2C_BOARD_INFO("24c32", 0x51), +- }, +- { +- I2C_BOARD_INFO("24c32", 0x50), +- }, +-}; +- + static struct i2c_board_info mlxplat_mlxcpld_pwr[] = { + { + I2C_BOARD_INFO("dps460", 0x59), +@@ -589,15 +580,13 @@ static struct mlxreg_core_data mlxplat_mlxcpld_default_ng_psu_items_data[] = { + .label = "psu1", + .reg = MLXPLAT_CPLD_LPC_REG_PSU_OFFSET, + .mask = BIT(0), +- .hpdev.brdinfo = &mlxplat_mlxcpld_ng_psu[0], +- .hpdev.nr = MLXPLAT_CPLD_PSU_MSNXXXX_NR, ++ .hpdev.nr = MLXPLAT_CPLD_NR_NONE, + }, + { + .label = "psu2", + .reg = MLXPLAT_CPLD_LPC_REG_PSU_OFFSET, + .mask = BIT(1), +- .hpdev.brdinfo = &mlxplat_mlxcpld_ng_psu[1], +- .hpdev.nr = MLXPLAT_CPLD_PSU_MSNXXXX_NR, ++ .hpdev.nr = MLXPLAT_CPLD_NR_NONE, + }, + }; + +-- +2.25.1 + diff --git a/queue-4.19/pm-hibernate-remove-the-bogus-call-to-get_gendisk-in.patch b/queue-4.19/pm-hibernate-remove-the-bogus-call-to-get_gendisk-in.patch new file mode 100644 index 00000000000..728325979db --- /dev/null +++ b/queue-4.19/pm-hibernate-remove-the-bogus-call-to-get_gendisk-in.patch @@ -0,0 +1,49 @@ +From 2bb6748cf4a2c7b200e942b04d19547684f6a72b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 18:14:47 +0200 +Subject: PM: hibernate: remove the bogus call to get_gendisk() in + software_resume() + +From: Christoph Hellwig + +[ Upstream commit 428805c0c5e76ef643b1fbc893edfb636b3d8aef ] + +get_gendisk grabs a reference on the disk and file operation, so this +code will leak both of them while having absolutely no use for the +gendisk itself. + +This effectively reverts commit 2df83fa4bce421f ("PM / Hibernate: Use +get_gendisk to verify partition if resume_file is integer format") + +Signed-off-by: Christoph Hellwig +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + kernel/power/hibernate.c | 11 ----------- + 1 file changed, 11 deletions(-) + +diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c +index 537a2a3c1dea2..28db51274ed0e 100644 +--- a/kernel/power/hibernate.c ++++ b/kernel/power/hibernate.c +@@ -842,17 +842,6 @@ static int software_resume(void) + + /* Check if the device is there */ + swsusp_resume_device = name_to_dev_t(resume_file); +- +- /* +- * name_to_dev_t is ineffective to verify parition if resume_file is in +- * integer format. (e.g. major:minor) +- */ +- if (isdigit(resume_file[0]) && resume_wait) { +- int partno; +- while (!get_gendisk(swsusp_resume_device, &partno)) +- msleep(10); +- } +- + if (!swsusp_resume_device) { + /* + * Some device discovery might still be in progress; we need +-- +2.25.1 + diff --git a/queue-4.19/powerpc-64s-radix-fix-mm_cpumask-trimming-race-vs-kt.patch b/queue-4.19/powerpc-64s-radix-fix-mm_cpumask-trimming-race-vs-kt.patch new file mode 100644 index 00000000000..42a7c4ace43 --- /dev/null +++ b/queue-4.19/powerpc-64s-radix-fix-mm_cpumask-trimming-race-vs-kt.patch @@ -0,0 +1,116 @@ +From b644bb0c3a9f5b9c93b70387b1977ef9eace2500 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Sep 2020 14:52:19 +1000 +Subject: powerpc/64s/radix: Fix mm_cpumask trimming race vs kthread_use_mm + +From: Nicholas Piggin + +[ Upstream commit a665eec0a22e11cdde708c1c256a465ebe768047 ] + +Commit 0cef77c7798a7 ("powerpc/64s/radix: flush remote CPUs out of +single-threaded mm_cpumask") added a mechanism to trim the mm_cpumask of +a process under certain conditions. One of the assumptions is that +mm_users would not be incremented via a reference outside the process +context with mmget_not_zero() then go on to kthread_use_mm() via that +reference. + +That invariant was broken by io_uring code (see previous sparc64 fix), +but I'll point Fixes: to the original powerpc commit because we are +changing that assumption going forward, so this will make backports +match up. + +Fix this by no longer relying on that assumption, but by having each CPU +check the mm is not being used, and clearing their own bit from the mask +only if it hasn't been switched-to by the time the IPI is processed. + +This relies on commit 38cf307c1f20 ("mm: fix kthread_use_mm() vs TLB +invalidate") and ARCH_WANT_IRQS_OFF_ACTIVATE_MM to disable irqs over mm +switch sequences. + +Fixes: 0cef77c7798a7 ("powerpc/64s/radix: flush remote CPUs out of single-threaded mm_cpumask") +Signed-off-by: Nicholas Piggin +Reviewed-by: Michael Ellerman +Depends-on: 38cf307c1f20 ("mm: fix kthread_use_mm() vs TLB invalidate") +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200914045219.3736466-5-npiggin@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/tlb.h | 13 ------------- + arch/powerpc/mm/tlb-radix.c | 23 ++++++++++++++++------- + 2 files changed, 16 insertions(+), 20 deletions(-) + +diff --git a/arch/powerpc/include/asm/tlb.h b/arch/powerpc/include/asm/tlb.h +index f0e571b2dc7c8..a6073fecdacd3 100644 +--- a/arch/powerpc/include/asm/tlb.h ++++ b/arch/powerpc/include/asm/tlb.h +@@ -76,19 +76,6 @@ static inline int mm_is_thread_local(struct mm_struct *mm) + return false; + return cpumask_test_cpu(smp_processor_id(), mm_cpumask(mm)); + } +-static inline void mm_reset_thread_local(struct mm_struct *mm) +-{ +- WARN_ON(atomic_read(&mm->context.copros) > 0); +- /* +- * It's possible for mm_access to take a reference on mm_users to +- * access the remote mm from another thread, but it's not allowed +- * to set mm_cpumask, so mm_users may be > 1 here. +- */ +- WARN_ON(current->mm != mm); +- atomic_set(&mm->context.active_cpus, 1); +- cpumask_clear(mm_cpumask(mm)); +- cpumask_set_cpu(smp_processor_id(), mm_cpumask(mm)); +-} + #else /* CONFIG_PPC_BOOK3S_64 */ + static inline int mm_is_thread_local(struct mm_struct *mm) + { +diff --git a/arch/powerpc/mm/tlb-radix.c b/arch/powerpc/mm/tlb-radix.c +index 1749f15fc0705..80b8fc4173de6 100644 +--- a/arch/powerpc/mm/tlb-radix.c ++++ b/arch/powerpc/mm/tlb-radix.c +@@ -598,19 +598,29 @@ static void do_exit_flush_lazy_tlb(void *arg) + struct mm_struct *mm = arg; + unsigned long pid = mm->context.id; + ++ /* ++ * A kthread could have done a mmget_not_zero() after the flushing CPU ++ * checked mm_is_singlethreaded, and be in the process of ++ * kthread_use_mm when interrupted here. In that case, current->mm will ++ * be set to mm, because kthread_use_mm() setting ->mm and switching to ++ * the mm is done with interrupts off. ++ */ + if (current->mm == mm) +- return; /* Local CPU */ ++ goto out_flush; + + if (current->active_mm == mm) { +- /* +- * Must be a kernel thread because sender is single-threaded. +- */ +- BUG_ON(current->mm); ++ WARN_ON_ONCE(current->mm != NULL); ++ /* Is a kernel thread and is using mm as the lazy tlb */ + mmgrab(&init_mm); +- switch_mm(mm, &init_mm, current); + current->active_mm = &init_mm; ++ switch_mm_irqs_off(mm, &init_mm, current); + mmdrop(mm); + } ++ ++ atomic_dec(&mm->context.active_cpus); ++ cpumask_clear_cpu(smp_processor_id(), mm_cpumask(mm)); ++ ++out_flush: + _tlbiel_pid(pid, RIC_FLUSH_ALL); + } + +@@ -625,7 +635,6 @@ static void exit_flush_lazy_tlbs(struct mm_struct *mm) + */ + smp_call_function_many(mm_cpumask(mm), do_exit_flush_lazy_tlb, + (void *)mm, 1); +- mm_reset_thread_local(mm); + } + + void radix__flush_tlb_mm(struct mm_struct *mm) +-- +2.25.1 + diff --git a/queue-4.19/powerpc-icp-hv-fix-missing-of_node_put-in-success-pa.patch b/queue-4.19/powerpc-icp-hv-fix-missing-of_node_put-in-success-pa.patch new file mode 100644 index 00000000000..a703441017b --- /dev/null +++ b/queue-4.19/powerpc-icp-hv-fix-missing-of_node_put-in-success-pa.patch @@ -0,0 +1,37 @@ +From 7f508e06d0cfec5b6b3033830868ff697604a6b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Jul 2018 10:03:27 +0200 +Subject: powerpc/icp-hv: Fix missing of_node_put() in success path + +From: Nicholas Mc Guire + +[ Upstream commit d3e669f31ec35856f5e85df9224ede5bdbf1bc7b ] + +Both of_find_compatible_node() and of_find_node_by_type() will return +a refcounted node on success - thus for the success path the node must +be explicitly released with a of_node_put(). + +Fixes: 0b05ac6e2480 ("powerpc/xics: Rewrite XICS driver") +Signed-off-by: Nicholas Mc Guire +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1530691407-3991-1-git-send-email-hofrat@osadl.org +Signed-off-by: Sasha Levin +--- + arch/powerpc/sysdev/xics/icp-hv.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/sysdev/xics/icp-hv.c b/arch/powerpc/sysdev/xics/icp-hv.c +index bbc839a98c414..003deaabb5680 100644 +--- a/arch/powerpc/sysdev/xics/icp-hv.c ++++ b/arch/powerpc/sysdev/xics/icp-hv.c +@@ -179,6 +179,7 @@ int icp_hv_init(void) + + icp_ops = &icp_hv_ops; + ++ of_node_put(np); + return 0; + } + +-- +2.25.1 + diff --git a/queue-4.19/powerpc-perf-exclude-pmc5-6-from-the-irrelevant-pmu-.patch b/queue-4.19/powerpc-perf-exclude-pmc5-6-from-the-irrelevant-pmu-.patch new file mode 100644 index 00000000000..d7944389341 --- /dev/null +++ b/queue-4.19/powerpc-perf-exclude-pmc5-6-from-the-irrelevant-pmu-.patch @@ -0,0 +1,61 @@ +From e914f834f5b9b0dca19579e7c23bcb3919bc89ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Sep 2020 03:10:04 -0400 +Subject: powerpc/perf: Exclude pmc5/6 from the irrelevant PMU group + constraints + +From: Athira Rajeev + +[ Upstream commit 3b6c3adbb2fa42749c3d38cfc4d4d0b7e096bb7b ] + +PMU counter support functions enforces event constraints for group of +events to check if all events in a group can be monitored. Incase of +event codes using PMC5 and PMC6 ( 500fa and 600f4 respectively ), not +all constraints are applicable, say the threshold or sample bits. But +current code includes pmc5 and pmc6 in some group constraints (like +IC_DC Qualifier bits) which is actually not applicable and hence +results in those events not getting counted when scheduled along with +group of other events. Patch fixes this by excluding PMC5/6 from +constraints which are not relevant for it. + +Fixes: 7ffd948 ("powerpc/perf: factor out power8 pmu functions") +Signed-off-by: Athira Rajeev +Reviewed-by: Madhavan Srinivasan +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1600672204-1610-1-git-send-email-atrajeev@linux.vnet.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/perf/isa207-common.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/arch/powerpc/perf/isa207-common.c b/arch/powerpc/perf/isa207-common.c +index 053b8e9aa9e75..69a2dc2b16cf1 100644 +--- a/arch/powerpc/perf/isa207-common.c ++++ b/arch/powerpc/perf/isa207-common.c +@@ -273,6 +273,15 @@ int isa207_get_constraint(u64 event, unsigned long *maskp, unsigned long *valp) + + mask |= CNST_PMC_MASK(pmc); + value |= CNST_PMC_VAL(pmc); ++ ++ /* ++ * PMC5 and PMC6 are used to count cycles and instructions and ++ * they do not support most of the constraint bits. Add a check ++ * to exclude PMC5/6 from most of the constraints except for ++ * EBB/BHRB. ++ */ ++ if (pmc >= 5) ++ goto ebb_bhrb; + } + + if (pmc <= 4) { +@@ -331,6 +340,7 @@ int isa207_get_constraint(u64 event, unsigned long *maskp, unsigned long *valp) + } + } + ++ebb_bhrb: + if (!pmc && ebb) + /* EBB events must specify the PMC */ + return -1; +-- +2.25.1 + diff --git a/queue-4.19/powerpc-perf-hv-gpci-fix-starting-index-value.patch b/queue-4.19/powerpc-perf-hv-gpci-fix-starting-index-value.patch new file mode 100644 index 00000000000..3f0e3e2b5e6 --- /dev/null +++ b/queue-4.19/powerpc-perf-hv-gpci-fix-starting-index-value.patch @@ -0,0 +1,76 @@ +From 0e9bba9d5f21a1f1fe4304ff4bada3b5e7437d5f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Oct 2020 13:19:39 +0530 +Subject: powerpc/perf/hv-gpci: Fix starting index value + +From: Kajol Jain + +[ Upstream commit 0f9866f7e85765bbda86666df56c92f377c3bc10 ] + +Commit 9e9f60108423f ("powerpc/perf/{hv-gpci, hv-common}: generate +requests with counters annotated") adds a framework for defining +gpci counters. +In this patch, they adds starting_index value as '0xffffffffffffffff'. +which is wrong as starting_index is of size 32 bits. + +Because of this, incase we try to run hv-gpci event we get error. + +In power9 machine: + +command#: perf stat -e hv_gpci/system_tlbie_count_and_time_tlbie_instructions_issued/ + -C 0 -I 1000 +event syntax error: '..bie_count_and_time_tlbie_instructions_issued/' + \___ value too big for format, maximum is 4294967295 + +This patch fix this issue and changes starting_index value to '0xffffffff' + +After this patch: + +command#: perf stat -e hv_gpci/system_tlbie_count_and_time_tlbie_instructions_issued/ -C 0 -I 1000 + 1.000085786 1,024 hv_gpci/system_tlbie_count_and_time_tlbie_instructions_issued/ + 2.000287818 1,024 hv_gpci/system_tlbie_count_and_time_tlbie_instructions_issued/ + 2.439113909 17,408 hv_gpci/system_tlbie_count_and_time_tlbie_instructions_issued/ + +Fixes: 9e9f60108423 ("powerpc/perf/{hv-gpci, hv-common}: generate requests with counters annotated") +Signed-off-by: Kajol Jain +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20201003074943.338618-1-kjain@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/perf/hv-gpci-requests.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/perf/hv-gpci-requests.h b/arch/powerpc/perf/hv-gpci-requests.h +index e608f9db12ddc..8965b4463d433 100644 +--- a/arch/powerpc/perf/hv-gpci-requests.h ++++ b/arch/powerpc/perf/hv-gpci-requests.h +@@ -95,7 +95,7 @@ REQUEST(__field(0, 8, partition_id) + + #define REQUEST_NAME system_performance_capabilities + #define REQUEST_NUM 0x40 +-#define REQUEST_IDX_KIND "starting_index=0xffffffffffffffff" ++#define REQUEST_IDX_KIND "starting_index=0xffffffff" + #include I(REQUEST_BEGIN) + REQUEST(__field(0, 1, perf_collect_privileged) + __field(0x1, 1, capability_mask) +@@ -223,7 +223,7 @@ REQUEST(__field(0, 2, partition_id) + + #define REQUEST_NAME system_hypervisor_times + #define REQUEST_NUM 0xF0 +-#define REQUEST_IDX_KIND "starting_index=0xffffffffffffffff" ++#define REQUEST_IDX_KIND "starting_index=0xffffffff" + #include I(REQUEST_BEGIN) + REQUEST(__count(0, 8, time_spent_to_dispatch_virtual_processors) + __count(0x8, 8, time_spent_processing_virtual_processor_timers) +@@ -234,7 +234,7 @@ REQUEST(__count(0, 8, time_spent_to_dispatch_virtual_processors) + + #define REQUEST_NAME system_tlbie_count_and_time + #define REQUEST_NUM 0xF4 +-#define REQUEST_IDX_KIND "starting_index=0xffffffffffffffff" ++#define REQUEST_IDX_KIND "starting_index=0xffffffff" + #include I(REQUEST_BEGIN) + REQUEST(__count(0, 8, tlbie_instructions_issued) + /* +-- +2.25.1 + diff --git a/queue-4.19/powerpc-powernv-dump-fix-race-while-processing-opal-.patch b/queue-4.19/powerpc-powernv-dump-fix-race-while-processing-opal-.patch new file mode 100644 index 00000000000..21e338d9712 --- /dev/null +++ b/queue-4.19/powerpc-powernv-dump-fix-race-while-processing-opal-.patch @@ -0,0 +1,117 @@ +From 468e97cecba257750c65db3d76a2ec4767706b81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Oct 2020 22:12:10 +0530 +Subject: powerpc/powernv/dump: Fix race while processing OPAL dump + +From: Vasant Hegde + +[ Upstream commit 0a43ae3e2beb77e3481d812834d33abe270768ab ] + +Every dump reported by OPAL is exported to userspace through a sysfs +interface and notified using kobject_uevent(). The userspace daemon +(opal_errd) then reads the dump and acknowledges that the dump is +saved safely to disk. Once acknowledged the kernel removes the +respective sysfs file entry causing respective resources to be +released including kobject. + +However it's possible the userspace daemon may already be scanning +dump entries when a new sysfs dump entry is created by the kernel. +User daemon may read this new entry and ack it even before kernel can +notify userspace about it through kobject_uevent() call. If that +happens then we have a potential race between +dump_ack_store->kobject_put() and kobject_uevent which can lead to +use-after-free of a kernfs object resulting in a kernel crash. + +This patch fixes this race by protecting the sysfs file +creation/notification by holding a reference count on kobject until we +safely send kobject_uevent(). + +The function create_dump_obj() returns the dump object which if used +by caller function will end up in use-after-free problem again. +However, the return value of create_dump_obj() function isn't being +used today and there is no need as well. Hence change it to return +void to make this fix complete. + +Fixes: c7e64b9ce04a ("powerpc/powernv Platform dump interface") +Signed-off-by: Vasant Hegde +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20201017164210.264619-1-hegdevasant@linux.vnet.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/powernv/opal-dump.c | 41 +++++++++++++++------- + 1 file changed, 29 insertions(+), 12 deletions(-) + +diff --git a/arch/powerpc/platforms/powernv/opal-dump.c b/arch/powerpc/platforms/powernv/opal-dump.c +index 198143833f00d..1dc2122a3cf51 100644 +--- a/arch/powerpc/platforms/powernv/opal-dump.c ++++ b/arch/powerpc/platforms/powernv/opal-dump.c +@@ -322,15 +322,14 @@ static ssize_t dump_attr_read(struct file *filep, struct kobject *kobj, + return count; + } + +-static struct dump_obj *create_dump_obj(uint32_t id, size_t size, +- uint32_t type) ++static void create_dump_obj(uint32_t id, size_t size, uint32_t type) + { + struct dump_obj *dump; + int rc; + + dump = kzalloc(sizeof(*dump), GFP_KERNEL); + if (!dump) +- return NULL; ++ return; + + dump->kobj.kset = dump_kset; + +@@ -350,21 +349,39 @@ static struct dump_obj *create_dump_obj(uint32_t id, size_t size, + rc = kobject_add(&dump->kobj, NULL, "0x%x-0x%x", type, id); + if (rc) { + kobject_put(&dump->kobj); +- return NULL; ++ return; + } + ++ /* ++ * As soon as the sysfs file for this dump is created/activated there is ++ * a chance the opal_errd daemon (or any userspace) might read and ++ * acknowledge the dump before kobject_uevent() is called. If that ++ * happens then there is a potential race between ++ * dump_ack_store->kobject_put() and kobject_uevent() which leads to a ++ * use-after-free of a kernfs object resulting in a kernel crash. ++ * ++ * To avoid that, we need to take a reference on behalf of the bin file, ++ * so that our reference remains valid while we call kobject_uevent(). ++ * We then drop our reference before exiting the function, leaving the ++ * bin file to drop the last reference (if it hasn't already). ++ */ ++ ++ /* Take a reference for the bin file */ ++ kobject_get(&dump->kobj); + rc = sysfs_create_bin_file(&dump->kobj, &dump->dump_attr); +- if (rc) { ++ if (rc == 0) { ++ kobject_uevent(&dump->kobj, KOBJ_ADD); ++ ++ pr_info("%s: New platform dump. ID = 0x%x Size %u\n", ++ __func__, dump->id, dump->size); ++ } else { ++ /* Drop reference count taken for bin file */ + kobject_put(&dump->kobj); +- return NULL; + } + +- pr_info("%s: New platform dump. ID = 0x%x Size %u\n", +- __func__, dump->id, dump->size); +- +- kobject_uevent(&dump->kobj, KOBJ_ADD); +- +- return dump; ++ /* Drop our reference */ ++ kobject_put(&dump->kobj); ++ return; + } + + static irqreturn_t process_dump(int irq, void *data) +-- +2.25.1 + diff --git a/queue-4.19/powerpc-pseries-explicitly-reschedule-during-drmem_l.patch b/queue-4.19/powerpc-pseries-explicitly-reschedule-during-drmem_l.patch new file mode 100644 index 00000000000..db08cb24645 --- /dev/null +++ b/queue-4.19/powerpc-pseries-explicitly-reschedule-during-drmem_l.patch @@ -0,0 +1,76 @@ +From 3dd18ef7e212c25032b5074263d13a35d3012deb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Aug 2020 10:11:31 -0500 +Subject: powerpc/pseries: explicitly reschedule during drmem_lmb list + traversal + +From: Nathan Lynch + +[ Upstream commit 9d6792ffe140240ae54c881cc4183f9acc24b4df ] + +The drmem lmb list can have hundreds of thousands of entries, and +unfortunately lookups take the form of linear searches. As long as +this is the case, traversals have the potential to monopolize the CPU +and provoke lockup reports, workqueue stalls, and the like unless +they explicitly yield. + +Rather than placing cond_resched() calls within various +for_each_drmem_lmb() loop blocks in the code, put it in the iteration +expression of the loop macro itself so users can't omit it. + +Introduce a drmem_lmb_next() iteration helper function which calls +cond_resched() at a regular interval during array traversal. Each +iteration of the loop in DLPAR code paths can involve around ten RTAS +calls which can each take up to 250us, so this ensures the check is +performed at worst every few milliseconds. + +Fixes: 6c6ea53725b3 ("powerpc/mm: Separate ibm, dynamic-memory data from DT format") +Signed-off-by: Nathan Lynch +Reviewed-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200813151131.2070161-1-nathanl@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/drmem.h | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/include/asm/drmem.h b/arch/powerpc/include/asm/drmem.h +index 9e516fe3daaba..668d8a121f1a0 100644 +--- a/arch/powerpc/include/asm/drmem.h ++++ b/arch/powerpc/include/asm/drmem.h +@@ -12,6 +12,8 @@ + #ifndef _ASM_POWERPC_LMB_H + #define _ASM_POWERPC_LMB_H + ++#include ++ + struct drmem_lmb { + u64 base_addr; + u32 drc_index; +@@ -27,8 +29,22 @@ struct drmem_lmb_info { + + extern struct drmem_lmb_info *drmem_info; + ++static inline struct drmem_lmb *drmem_lmb_next(struct drmem_lmb *lmb, ++ const struct drmem_lmb *start) ++{ ++ /* ++ * DLPAR code paths can take several milliseconds per element ++ * when interacting with firmware. Ensure that we don't ++ * unfairly monopolize the CPU. ++ */ ++ if (((++lmb - start) % 16) == 0) ++ cond_resched(); ++ ++ return lmb; ++} ++ + #define for_each_drmem_lmb_in_range(lmb, start, end) \ +- for ((lmb) = (start); (lmb) < (end); (lmb)++) ++ for ((lmb) = (start); (lmb) < (end); lmb = drmem_lmb_next(lmb, start)) + + #define for_each_drmem_lmb(lmb) \ + for_each_drmem_lmb_in_range((lmb), \ +-- +2.25.1 + diff --git a/queue-4.19/powerpc-pseries-fix-missing-of_node_put-in-rng_init.patch b/queue-4.19/powerpc-pseries-fix-missing-of_node_put-in-rng_init.patch new file mode 100644 index 00000000000..e6804c960c9 --- /dev/null +++ b/queue-4.19/powerpc-pseries-fix-missing-of_node_put-in-rng_init.patch @@ -0,0 +1,37 @@ +From 86ba2821f5e29dfaa214be99a9eb3a07a0f8f6f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Jul 2018 11:08:16 +0200 +Subject: powerpc/pseries: Fix missing of_node_put() in rng_init() + +From: Nicholas Mc Guire + +[ Upstream commit 67c3e59443f5fc77be39e2ce0db75fbfa78c7965 ] + +The call to of_find_compatible_node() returns a node pointer with +refcount incremented thus it must be explicitly decremented here +before returning. + +Fixes: a489043f4626 ("powerpc/pseries: Implement arch_get_random_long() based on H_RANDOM") +Signed-off-by: Nicholas Mc Guire +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1530522496-14816-1-git-send-email-hofrat@osadl.org +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/rng.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/platforms/pseries/rng.c b/arch/powerpc/platforms/pseries/rng.c +index 31ca557af60bc..262b8c5e1b9d0 100644 +--- a/arch/powerpc/platforms/pseries/rng.c ++++ b/arch/powerpc/platforms/pseries/rng.c +@@ -40,6 +40,7 @@ static __init int rng_init(void) + + ppc_md.get_random_seed = pseries_get_random_long; + ++ of_node_put(dn); + return 0; + } + machine_subsys_initcall(pseries, rng_init); +-- +2.25.1 + diff --git a/queue-4.19/powerpc-tau-check-processor-type-before-enabling-tau.patch b/queue-4.19/powerpc-tau-check-processor-type-before-enabling-tau.patch new file mode 100644 index 00000000000..a5990181d0b --- /dev/null +++ b/queue-4.19/powerpc-tau-check-processor-type-before-enabling-tau.patch @@ -0,0 +1,116 @@ +From 081e58d2f26009017096789a6c2cf3853879f1c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Sep 2020 09:02:20 +1000 +Subject: powerpc/tau: Check processor type before enabling TAU interrupt + +From: Finn Thain + +[ Upstream commit 5e3119e15fed5b9a9a7e528665ff098a4a8dbdbc ] + +According to Freescale's documentation, MPC74XX processors have an +erratum that prevents the TAU interrupt from working, so don't try to +use it when running on those processors. + +Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2") +Signed-off-by: Finn Thain +Tested-by: Stan Johnson +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/c281611544768e758bd58fe812cf702a5bd2d042.1599260540.git.fthain@telegraphics.com.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/tau_6xx.c | 33 ++++++++++++++------------------- + arch/powerpc/platforms/Kconfig | 5 ++--- + 2 files changed, 16 insertions(+), 22 deletions(-) + +diff --git a/arch/powerpc/kernel/tau_6xx.c b/arch/powerpc/kernel/tau_6xx.c +index b8d7e7d498e0a..614b5b272d9c6 100644 +--- a/arch/powerpc/kernel/tau_6xx.c ++++ b/arch/powerpc/kernel/tau_6xx.c +@@ -40,6 +40,8 @@ static struct tau_temp + unsigned char grew; + } tau[NR_CPUS]; + ++static bool tau_int_enable; ++ + #undef DEBUG + + /* TODO: put these in a /proc interface, with some sanity checks, and maybe +@@ -54,22 +56,13 @@ static struct tau_temp + + static void set_thresholds(unsigned long cpu) + { +-#ifdef CONFIG_TAU_INT +- /* +- * setup THRM1, +- * threshold, valid bit, enable interrupts, interrupt when below threshold +- */ +- mtspr(SPRN_THRM1, THRM1_THRES(tau[cpu].low) | THRM1_V | THRM1_TIE | THRM1_TID); ++ u32 maybe_tie = tau_int_enable ? THRM1_TIE : 0; + +- /* setup THRM2, +- * threshold, valid bit, enable interrupts, interrupt when above threshold +- */ +- mtspr (SPRN_THRM2, THRM1_THRES(tau[cpu].high) | THRM1_V | THRM1_TIE); +-#else +- /* same thing but don't enable interrupts */ +- mtspr(SPRN_THRM1, THRM1_THRES(tau[cpu].low) | THRM1_V | THRM1_TID); +- mtspr(SPRN_THRM2, THRM1_THRES(tau[cpu].high) | THRM1_V); +-#endif ++ /* setup THRM1, threshold, valid bit, interrupt when below threshold */ ++ mtspr(SPRN_THRM1, THRM1_THRES(tau[cpu].low) | THRM1_V | maybe_tie | THRM1_TID); ++ ++ /* setup THRM2, threshold, valid bit, interrupt when above threshold */ ++ mtspr(SPRN_THRM2, THRM1_THRES(tau[cpu].high) | THRM1_V | maybe_tie); + } + + static void TAUupdate(int cpu) +@@ -142,9 +135,8 @@ static void tau_timeout(void * info) + local_irq_save(flags); + cpu = smp_processor_id(); + +-#ifndef CONFIG_TAU_INT +- TAUupdate(cpu); +-#endif ++ if (!tau_int_enable) ++ TAUupdate(cpu); + + size = tau[cpu].high - tau[cpu].low; + if (size > min_window && ! tau[cpu].grew) { +@@ -225,6 +217,9 @@ static int __init TAU_init(void) + return 1; + } + ++ tau_int_enable = IS_ENABLED(CONFIG_TAU_INT) && ++ !strcmp(cur_cpu_spec->platform, "ppc750"); ++ + tau_workq = alloc_workqueue("tau", WQ_UNBOUND, 1, 0); + if (!tau_workq) + return -ENOMEM; +@@ -234,7 +229,7 @@ static int __init TAU_init(void) + queue_work(tau_workq, &tau_work); + + pr_info("Thermal assist unit using %s, shrink_timer: %d ms\n", +- IS_ENABLED(CONFIG_TAU_INT) ? "interrupts" : "workqueue", shrink_timer); ++ tau_int_enable ? "interrupts" : "workqueue", shrink_timer); + tau_initialized = 1; + + return 0; +diff --git a/arch/powerpc/platforms/Kconfig b/arch/powerpc/platforms/Kconfig +index 14ef17e10ec9a..e094211c7206b 100644 +--- a/arch/powerpc/platforms/Kconfig ++++ b/arch/powerpc/platforms/Kconfig +@@ -238,9 +238,8 @@ config TAU + temperature within 2-4 degrees Celsius. This option shows the current + on-die temperature in /proc/cpuinfo if the cpu supports it. + +- Unfortunately, on some chip revisions, this sensor is very inaccurate +- and in many cases, does not work at all, so don't assume the cpu +- temp is actually what /proc/cpuinfo says it is. ++ Unfortunately, this sensor is very inaccurate when uncalibrated, so ++ don't assume the cpu temp is actually what /proc/cpuinfo says it is. + + config TAU_INT + bool "Interrupt driven TAU driver (DANGEROUS)" +-- +2.25.1 + diff --git a/queue-4.19/powerpc-tau-convert-from-timer-to-workqueue.patch b/queue-4.19/powerpc-tau-convert-from-timer-to-workqueue.patch new file mode 100644 index 00000000000..a341551608d --- /dev/null +++ b/queue-4.19/powerpc-tau-convert-from-timer-to-workqueue.patch @@ -0,0 +1,153 @@ +From a8a2537533a479ab3f1bc79daf758054da0e0b9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Sep 2020 09:02:20 +1000 +Subject: powerpc/tau: Convert from timer to workqueue + +From: Finn Thain + +[ Upstream commit b1c6a0a10bfaf36ec82fde6f621da72407fa60a1 ] + +Since commit 19dbdcb8039cf ("smp: Warn on function calls from softirq +context") the Thermal Assist Unit driver causes a warning like the +following when CONFIG_SMP is enabled. + + ------------[ cut here ]------------ + WARNING: CPU: 0 PID: 0 at kernel/smp.c:428 smp_call_function_many_cond+0xf4/0x38c + Modules linked in: + CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.7.0-pmac #3 + NIP: c00b37a8 LR: c00b3abc CTR: c001218c + REGS: c0799c60 TRAP: 0700 Not tainted (5.7.0-pmac) + MSR: 00029032 CR: 42000224 XER: 00000000 + GPR00: c00b3abc c0799d18 c076e300 c079ef5c c0011fec 00000000 00000000 00000000 + GPR08: 00000100 00000100 00008000 ffffffff 42000224 00000000 c079d040 c079d044 + GPR16: 00000001 00000000 00000004 c0799da0 c079f054 c07a0000 c07a0000 00000000 + GPR24: c0011fec 00000000 c079ef5c c079ef5c 00000000 00000000 00000000 00000000 + NIP [c00b37a8] smp_call_function_many_cond+0xf4/0x38c + LR [c00b3abc] on_each_cpu+0x38/0x68 + Call Trace: + [c0799d18] [ffffffff] 0xffffffff (unreliable) + [c0799d68] [c00b3abc] on_each_cpu+0x38/0x68 + [c0799d88] [c0096704] call_timer_fn.isra.26+0x20/0x7c + [c0799d98] [c0096b40] run_timer_softirq+0x1d4/0x3fc + [c0799df8] [c05b4368] __do_softirq+0x118/0x240 + [c0799e58] [c0039c44] irq_exit+0xc4/0xcc + [c0799e68] [c000ade8] timer_interrupt+0x1b0/0x230 + [c0799ea8] [c0013520] ret_from_except+0x0/0x14 + --- interrupt: 901 at arch_cpu_idle+0x24/0x6c + LR = arch_cpu_idle+0x24/0x6c + [c0799f70] [00000001] 0x1 (unreliable) + [c0799f80] [c0060990] do_idle+0xd8/0x17c + [c0799fa0] [c0060ba8] cpu_startup_entry+0x24/0x28 + [c0799fb0] [c072d220] start_kernel+0x434/0x44c + [c0799ff0] [00003860] 0x3860 + Instruction dump: + 8129f204 2f890000 40beff98 3d20c07a 8929eec4 2f890000 40beff88 0fe00000 + 81220000 552805de 550802ef 4182ff84 <0fe00000> 3860ffff 7f65db78 7f44d378 + ---[ end trace 34a886e47819c2eb ]--- + +Don't call on_each_cpu() from a timer callback, call it from a worker +thread instead. + +Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2") +Tested-by: Stan Johnson +Signed-off-by: Finn Thain +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/bb61650bea4f4c91fb8e24b9a6f130a1438651a7.1599260540.git.fthain@telegraphics.com.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/tau_6xx.c | 38 +++++++++++++++++------------------ + 1 file changed, 18 insertions(+), 20 deletions(-) + +diff --git a/arch/powerpc/kernel/tau_6xx.c b/arch/powerpc/kernel/tau_6xx.c +index 976d5bc1b5176..268205cc347da 100644 +--- a/arch/powerpc/kernel/tau_6xx.c ++++ b/arch/powerpc/kernel/tau_6xx.c +@@ -13,13 +13,14 @@ + */ + + #include +-#include + #include + #include + #include + #include + #include + #include ++#include ++#include + + #include + #include +@@ -39,8 +40,6 @@ static struct tau_temp + unsigned char grew; + } tau[NR_CPUS]; + +-struct timer_list tau_timer; +- + #undef DEBUG + + /* TODO: put these in a /proc interface, with some sanity checks, and maybe +@@ -50,7 +49,7 @@ struct timer_list tau_timer; + #define step_size 2 /* step size when temp goes out of range */ + #define window_expand 1 /* expand the window by this much */ + /* configurable values for shrinking the window */ +-#define shrink_timer 2*HZ /* period between shrinking the window */ ++#define shrink_timer 2000 /* period between shrinking the window */ + #define min_window 2 /* minimum window size, degrees C */ + + static void set_thresholds(unsigned long cpu) +@@ -187,14 +186,18 @@ static void tau_timeout(void * info) + local_irq_restore(flags); + } + +-static void tau_timeout_smp(struct timer_list *unused) +-{ ++static struct workqueue_struct *tau_workq; + +- /* schedule ourselves to be run again */ +- mod_timer(&tau_timer, jiffies + shrink_timer) ; ++static void tau_work_func(struct work_struct *work) ++{ ++ msleep(shrink_timer); + on_each_cpu(tau_timeout, NULL, 0); ++ /* schedule ourselves to be run again */ ++ queue_work(tau_workq, work); + } + ++DECLARE_WORK(tau_work, tau_work_func); ++ + /* + * setup the TAU + * +@@ -227,21 +230,16 @@ static int __init TAU_init(void) + return 1; + } + +- +- /* first, set up the window shrinking timer */ +- timer_setup(&tau_timer, tau_timeout_smp, 0); +- tau_timer.expires = jiffies + shrink_timer; +- add_timer(&tau_timer); ++ tau_workq = alloc_workqueue("tau", WQ_UNBOUND, 1, 0); ++ if (!tau_workq) ++ return -ENOMEM; + + on_each_cpu(TAU_init_smp, NULL, 0); + +- printk("Thermal assist unit "); +-#ifdef CONFIG_TAU_INT +- printk("using interrupts, "); +-#else +- printk("using timers, "); +-#endif +- printk("shrink_timer: %d jiffies\n", shrink_timer); ++ queue_work(tau_workq, &tau_work); ++ ++ pr_info("Thermal assist unit using %s, shrink_timer: %d ms\n", ++ IS_ENABLED(CONFIG_TAU_INT) ? "interrupts" : "workqueue", shrink_timer); + tau_initialized = 1; + + return 0; +-- +2.25.1 + diff --git a/queue-4.19/powerpc-tau-disable-tau-between-measurements.patch b/queue-4.19/powerpc-tau-disable-tau-between-measurements.patch new file mode 100644 index 00000000000..ee060d1f02e --- /dev/null +++ b/queue-4.19/powerpc-tau-disable-tau-between-measurements.patch @@ -0,0 +1,199 @@ +From 64fa7cd3dc66c937c49c15d7f2a9d99b9002b590 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Sep 2020 09:02:20 +1000 +Subject: powerpc/tau: Disable TAU between measurements + +From: Finn Thain + +[ Upstream commit e63d6fb5637e92725cf143559672a34b706bca4f ] + +Enabling CONFIG_TAU_INT causes random crashes: + +Unrecoverable exception 1700 at c0009414 (msr=1000) +Oops: Unrecoverable exception, sig: 6 [#1] +BE PAGE_SIZE=4K MMU=Hash SMP NR_CPUS=2 PowerMac +Modules linked in: +CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.7.0-pmac-00043-gd5f545e1a8593 #5 +NIP: c0009414 LR: c0009414 CTR: c00116fc +REGS: c0799eb8 TRAP: 1700 Not tainted (5.7.0-pmac-00043-gd5f545e1a8593) +MSR: 00001000 CR: 22000228 XER: 00000100 + +GPR00: 00000000 c0799f70 c076e300 00800000 0291c0ac 00e00000 c076e300 00049032 +GPR08: 00000001 c00116fc 00000000 dfbd3200 ffffffff 007f80a8 00000000 00000000 +GPR16: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 c075ce04 +GPR24: c075ce04 dfff8880 c07b0000 c075ce04 00080000 00000001 c079ef98 c079ef5c +NIP [c0009414] arch_cpu_idle+0x24/0x6c +LR [c0009414] arch_cpu_idle+0x24/0x6c +Call Trace: +[c0799f70] [00000001] 0x1 (unreliable) +[c0799f80] [c0060990] do_idle+0xd8/0x17c +[c0799fa0] [c0060ba4] cpu_startup_entry+0x20/0x28 +[c0799fb0] [c072d220] start_kernel+0x434/0x44c +[c0799ff0] [00003860] 0x3860 +Instruction dump: +XXXXXXXX XXXXXXXX XXXXXXXX 3d20c07b XXXXXXXX XXXXXXXX XXXXXXXX 7c0802a6 +XXXXXXXX XXXXXXXX XXXXXXXX 4e800421 XXXXXXXX XXXXXXXX XXXXXXXX 7d2000a6 +---[ end trace 3a0c9b5cb216db6b ]--- + +Resolve this problem by disabling each THRMn comparator when handling +the associated THRMn interrupt and by disabling the TAU entirely when +updating THRMn thresholds. + +Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2") +Signed-off-by: Finn Thain +Tested-by: Stan Johnson +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/5a0ba3dc5612c7aac596727331284a3676c08472.1599260540.git.fthain@telegraphics.com.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/tau_6xx.c | 65 +++++++++++++--------------------- + arch/powerpc/platforms/Kconfig | 9 ++--- + 2 files changed, 26 insertions(+), 48 deletions(-) + +diff --git a/arch/powerpc/kernel/tau_6xx.c b/arch/powerpc/kernel/tau_6xx.c +index 614b5b272d9c6..0b4694b8d2482 100644 +--- a/arch/powerpc/kernel/tau_6xx.c ++++ b/arch/powerpc/kernel/tau_6xx.c +@@ -42,8 +42,6 @@ static struct tau_temp + + static bool tau_int_enable; + +-#undef DEBUG +- + /* TODO: put these in a /proc interface, with some sanity checks, and maybe + * dynamic adjustment to minimize # of interrupts */ + /* configurable values for step size and how much to expand the window when +@@ -67,42 +65,33 @@ static void set_thresholds(unsigned long cpu) + + static void TAUupdate(int cpu) + { +- unsigned thrm; +- +-#ifdef DEBUG +- printk("TAUupdate "); +-#endif ++ u32 thrm; ++ u32 bits = THRM1_TIV | THRM1_TIN | THRM1_V; + + /* if both thresholds are crossed, the step_sizes cancel out + * and the window winds up getting expanded twice. */ +- if((thrm = mfspr(SPRN_THRM1)) & THRM1_TIV){ /* is valid? */ +- if(thrm & THRM1_TIN){ /* crossed low threshold */ +- if (tau[cpu].low >= step_size){ +- tau[cpu].low -= step_size; +- tau[cpu].high -= (step_size - window_expand); +- } +- tau[cpu].grew = 1; +-#ifdef DEBUG +- printk("low threshold crossed "); +-#endif ++ thrm = mfspr(SPRN_THRM1); ++ if ((thrm & bits) == bits) { ++ mtspr(SPRN_THRM1, 0); ++ ++ if (tau[cpu].low >= step_size) { ++ tau[cpu].low -= step_size; ++ tau[cpu].high -= (step_size - window_expand); + } ++ tau[cpu].grew = 1; ++ pr_debug("%s: low threshold crossed\n", __func__); + } +- if((thrm = mfspr(SPRN_THRM2)) & THRM1_TIV){ /* is valid? */ +- if(thrm & THRM1_TIN){ /* crossed high threshold */ +- if (tau[cpu].high <= 127-step_size){ +- tau[cpu].low += (step_size - window_expand); +- tau[cpu].high += step_size; +- } +- tau[cpu].grew = 1; +-#ifdef DEBUG +- printk("high threshold crossed "); +-#endif ++ thrm = mfspr(SPRN_THRM2); ++ if ((thrm & bits) == bits) { ++ mtspr(SPRN_THRM2, 0); ++ ++ if (tau[cpu].high <= 127 - step_size) { ++ tau[cpu].low += (step_size - window_expand); ++ tau[cpu].high += step_size; + } ++ tau[cpu].grew = 1; ++ pr_debug("%s: high threshold crossed\n", __func__); + } +- +-#ifdef DEBUG +- printk("grew = %d\n", tau[cpu].grew); +-#endif + } + + #ifdef CONFIG_TAU_INT +@@ -127,17 +116,17 @@ void TAUException(struct pt_regs * regs) + static void tau_timeout(void * info) + { + int cpu; +- unsigned long flags; + int size; + int shrink; + +- /* disabling interrupts *should* be okay */ +- local_irq_save(flags); + cpu = smp_processor_id(); + + if (!tau_int_enable) + TAUupdate(cpu); + ++ /* Stop thermal sensor comparisons and interrupts */ ++ mtspr(SPRN_THRM3, 0); ++ + size = tau[cpu].high - tau[cpu].low; + if (size > min_window && ! tau[cpu].grew) { + /* do an exponential shrink of half the amount currently over size */ +@@ -159,18 +148,12 @@ static void tau_timeout(void * info) + + set_thresholds(cpu); + +- /* +- * Do the enable every time, since otherwise a bunch of (relatively) +- * complex sleep code needs to be added. One mtspr every time +- * tau_timeout is called is probably not a big deal. +- * ++ /* Restart thermal sensor comparisons and interrupts. + * The "PowerPC 740 and PowerPC 750 Microprocessor Datasheet" + * recommends that "the maximum value be set in THRM3 under all + * conditions." + */ + mtspr(SPRN_THRM3, THRM3_SITV(0x1fff) | THRM3_E); +- +- local_irq_restore(flags); + } + + static struct workqueue_struct *tau_workq; +diff --git a/arch/powerpc/platforms/Kconfig b/arch/powerpc/platforms/Kconfig +index e094211c7206b..9914544e66774 100644 +--- a/arch/powerpc/platforms/Kconfig ++++ b/arch/powerpc/platforms/Kconfig +@@ -242,7 +242,7 @@ config TAU + don't assume the cpu temp is actually what /proc/cpuinfo says it is. + + config TAU_INT +- bool "Interrupt driven TAU driver (DANGEROUS)" ++ bool "Interrupt driven TAU driver (EXPERIMENTAL)" + depends on TAU + ---help--- + The TAU supports an interrupt driven mode which causes an interrupt +@@ -250,12 +250,7 @@ config TAU_INT + to get notified the temp has exceeded a range. With this option off, + a timer is used to re-check the temperature periodically. + +- However, on some cpus it appears that the TAU interrupt hardware +- is buggy and can cause a situation which would lead unexplained hard +- lockups. +- +- Unless you are extending the TAU driver, or enjoy kernel/hardware +- debugging, leave this option off. ++ If in doubt, say N here. + + config TAU_AVERAGE + bool "Average high and low temp" +-- +2.25.1 + diff --git a/queue-4.19/powerpc-tau-remove-duplicated-set_thresholds-call.patch b/queue-4.19/powerpc-tau-remove-duplicated-set_thresholds-call.patch new file mode 100644 index 00000000000..0c05cb7783d --- /dev/null +++ b/queue-4.19/powerpc-tau-remove-duplicated-set_thresholds-call.patch @@ -0,0 +1,44 @@ +From a3f83831059a51d193b582e763cb94830947b4e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Sep 2020 09:02:20 +1000 +Subject: powerpc/tau: Remove duplicated set_thresholds() call + +From: Finn Thain + +[ Upstream commit 420ab2bc7544d978a5d0762ee736412fe9c796ab ] + +The commentary at the call site seems to disagree with the code. The +conditional prevents calling set_thresholds() via the exception handler, +which appears to crash. Perhaps that's because it immediately triggers +another TAU exception. Anyway, calling set_thresholds() from TAUupdate() +is redundant because tau_timeout() does so. + +Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2") +Signed-off-by: Finn Thain +Tested-by: Stan Johnson +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/d7c7ee33232cf72a6a6bbb6ef05838b2e2b113c0.1599260540.git.fthain@telegraphics.com.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/tau_6xx.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/arch/powerpc/kernel/tau_6xx.c b/arch/powerpc/kernel/tau_6xx.c +index 268205cc347da..b8d7e7d498e0a 100644 +--- a/arch/powerpc/kernel/tau_6xx.c ++++ b/arch/powerpc/kernel/tau_6xx.c +@@ -110,11 +110,6 @@ static void TAUupdate(int cpu) + #ifdef DEBUG + printk("grew = %d\n", tau[cpu].grew); + #endif +- +-#ifndef CONFIG_TAU_INT /* tau_timeout will do this if not using interrupts */ +- set_thresholds(cpu); +-#endif +- + } + + #ifdef CONFIG_TAU_INT +-- +2.25.1 + diff --git a/queue-4.19/powerpc-tau-use-appropriate-temperature-sample-inter.patch b/queue-4.19/powerpc-tau-use-appropriate-temperature-sample-inter.patch new file mode 100644 index 00000000000..adf5a0f4fad --- /dev/null +++ b/queue-4.19/powerpc-tau-use-appropriate-temperature-sample-inter.patch @@ -0,0 +1,68 @@ +From 3f68a142df7b56a5543c2e2d81c568fc84c518b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Sep 2020 09:02:20 +1000 +Subject: powerpc/tau: Use appropriate temperature sample interval + +From: Finn Thain + +[ Upstream commit 66943005cc41f48e4d05614e8f76c0ca1812f0fd ] + +According to the MPC750 Users Manual, the SITV value in Thermal +Management Register 3 is 13 bits long. The present code calculates the +SITV value as 60 * 500 cycles. This would overflow to give 10 us on +a 500 MHz CPU rather than the intended 60 us. (But according to the +Microprocessor Datasheet, there is also a factor of 266 that has to be +applied to this value on certain parts i.e. speed sort above 266 MHz.) +Always use the maximum cycle count, as recommended by the Datasheet. + +Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2") +Signed-off-by: Finn Thain +Tested-by: Stan Johnson +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/896f542e5f0f1d6cf8218524c2b67d79f3d69b3c.1599260540.git.fthain@telegraphics.com.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/reg.h | 2 +- + arch/powerpc/kernel/tau_6xx.c | 12 ++++-------- + 2 files changed, 5 insertions(+), 9 deletions(-) + +diff --git a/arch/powerpc/include/asm/reg.h b/arch/powerpc/include/asm/reg.h +index af99716615122..494b0283f2129 100644 +--- a/arch/powerpc/include/asm/reg.h ++++ b/arch/powerpc/include/asm/reg.h +@@ -788,7 +788,7 @@ + #define THRM1_TIN (1 << 31) + #define THRM1_TIV (1 << 30) + #define THRM1_THRES(x) ((x&0x7f)<<23) +-#define THRM3_SITV(x) ((x&0x3fff)<<1) ++#define THRM3_SITV(x) ((x & 0x1fff) << 1) + #define THRM1_TID (1<<2) + #define THRM1_TIE (1<<1) + #define THRM1_V (1<<0) +diff --git a/arch/powerpc/kernel/tau_6xx.c b/arch/powerpc/kernel/tau_6xx.c +index e2ab8a111b693..976d5bc1b5176 100644 +--- a/arch/powerpc/kernel/tau_6xx.c ++++ b/arch/powerpc/kernel/tau_6xx.c +@@ -178,15 +178,11 @@ static void tau_timeout(void * info) + * complex sleep code needs to be added. One mtspr every time + * tau_timeout is called is probably not a big deal. + * +- * Enable thermal sensor and set up sample interval timer +- * need 20 us to do the compare.. until a nice 'cpu_speed' function +- * call is implemented, just assume a 500 mhz clock. It doesn't really +- * matter if we take too long for a compare since it's all interrupt +- * driven anyway. +- * +- * use a extra long time.. (60 us @ 500 mhz) ++ * The "PowerPC 740 and PowerPC 750 Microprocessor Datasheet" ++ * recommends that "the maximum value be set in THRM3 under all ++ * conditions." + */ +- mtspr(SPRN_THRM3, THRM3_SITV(500*60) | THRM3_E); ++ mtspr(SPRN_THRM3, THRM3_SITV(0x1fff) | THRM3_E); + + local_irq_restore(flags); + } +-- +2.25.1 + diff --git a/queue-4.19/pty-do-tty_flip_buffer_push-without-port-lock-in-pty.patch b/queue-4.19/pty-do-tty_flip_buffer_push-without-port-lock-in-pty.patch new file mode 100644 index 00000000000..a1e8946f290 --- /dev/null +++ b/queue-4.19/pty-do-tty_flip_buffer_push-without-port-lock-in-pty.patch @@ -0,0 +1,140 @@ +From 5b9495a8c52114132a94cee53546387e0532a654 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 14:00:45 +0200 +Subject: pty: do tty_flip_buffer_push without port->lock in pty_write + +From: Artem Savkov + +[ Upstream commit 71a174b39f10b4b93223d374722aa894b5d8a82e ] + +b6da31b2c07c "tty: Fix data race in tty_insert_flip_string_fixed_flag" +puts tty_flip_buffer_push under port->lock introducing the following +possible circular locking dependency: + +[30129.876566] ====================================================== +[30129.876566] WARNING: possible circular locking dependency detected +[30129.876567] 5.9.0-rc2+ #3 Tainted: G S W +[30129.876568] ------------------------------------------------------ +[30129.876568] sysrq.sh/1222 is trying to acquire lock: +[30129.876569] ffffffff92c39480 (console_owner){....}-{0:0}, at: console_unlock+0x3fe/0xa90 + +[30129.876572] but task is already holding lock: +[30129.876572] ffff888107cb9018 (&pool->lock/1){-.-.}-{2:2}, at: show_workqueue_state.cold.55+0x15b/0x6ca + +[30129.876576] which lock already depends on the new lock. + +[30129.876577] the existing dependency chain (in reverse order) is: + +[30129.876578] -> #3 (&pool->lock/1){-.-.}-{2:2}: +[30129.876581] _raw_spin_lock+0x30/0x70 +[30129.876581] __queue_work+0x1a3/0x10f0 +[30129.876582] queue_work_on+0x78/0x80 +[30129.876582] pty_write+0x165/0x1e0 +[30129.876583] n_tty_write+0x47f/0xf00 +[30129.876583] tty_write+0x3d6/0x8d0 +[30129.876584] vfs_write+0x1a8/0x650 + +[30129.876588] -> #2 (&port->lock#2){-.-.}-{2:2}: +[30129.876590] _raw_spin_lock_irqsave+0x3b/0x80 +[30129.876591] tty_port_tty_get+0x1d/0xb0 +[30129.876592] tty_port_default_wakeup+0xb/0x30 +[30129.876592] serial8250_tx_chars+0x3d6/0x970 +[30129.876593] serial8250_handle_irq.part.12+0x216/0x380 +[30129.876593] serial8250_default_handle_irq+0x82/0xe0 +[30129.876594] serial8250_interrupt+0xdd/0x1b0 +[30129.876595] __handle_irq_event_percpu+0xfc/0x850 + +[30129.876602] -> #1 (&port->lock){-.-.}-{2:2}: +[30129.876605] _raw_spin_lock_irqsave+0x3b/0x80 +[30129.876605] serial8250_console_write+0x12d/0x900 +[30129.876606] console_unlock+0x679/0xa90 +[30129.876606] register_console+0x371/0x6e0 +[30129.876607] univ8250_console_init+0x24/0x27 +[30129.876607] console_init+0x2f9/0x45e + +[30129.876609] -> #0 (console_owner){....}-{0:0}: +[30129.876611] __lock_acquire+0x2f70/0x4e90 +[30129.876612] lock_acquire+0x1ac/0xad0 +[30129.876612] console_unlock+0x460/0xa90 +[30129.876613] vprintk_emit+0x130/0x420 +[30129.876613] printk+0x9f/0xc5 +[30129.876614] show_pwq+0x154/0x618 +[30129.876615] show_workqueue_state.cold.55+0x193/0x6ca +[30129.876615] __handle_sysrq+0x244/0x460 +[30129.876616] write_sysrq_trigger+0x48/0x4a +[30129.876616] proc_reg_write+0x1a6/0x240 +[30129.876617] vfs_write+0x1a8/0x650 + +[30129.876619] other info that might help us debug this: + +[30129.876620] Chain exists of: +[30129.876621] console_owner --> &port->lock#2 --> &pool->lock/1 + +[30129.876625] Possible unsafe locking scenario: + +[30129.876626] CPU0 CPU1 +[30129.876626] ---- ---- +[30129.876627] lock(&pool->lock/1); +[30129.876628] lock(&port->lock#2); +[30129.876630] lock(&pool->lock/1); +[30129.876631] lock(console_owner); + +[30129.876633] *** DEADLOCK *** + +[30129.876634] 5 locks held by sysrq.sh/1222: +[30129.876634] #0: ffff8881d3ce0470 (sb_writers#3){.+.+}-{0:0}, at: vfs_write+0x359/0x650 +[30129.876637] #1: ffffffff92c612c0 (rcu_read_lock){....}-{1:2}, at: __handle_sysrq+0x4d/0x460 +[30129.876640] #2: ffffffff92c612c0 (rcu_read_lock){....}-{1:2}, at: show_workqueue_state+0x5/0xf0 +[30129.876642] #3: ffff888107cb9018 (&pool->lock/1){-.-.}-{2:2}, at: show_workqueue_state.cold.55+0x15b/0x6ca +[30129.876645] #4: ffffffff92c39980 (console_lock){+.+.}-{0:0}, at: vprintk_emit+0x123/0x420 + +[30129.876648] stack backtrace: +[30129.876649] CPU: 3 PID: 1222 Comm: sysrq.sh Tainted: G S W 5.9.0-rc2+ #3 +[30129.876649] Hardware name: Intel Corporation 2012 Client Platform/Emerald Lake 2, BIOS ACRVMBY1.86C.0078.P00.1201161002 01/16/2012 +[30129.876650] Call Trace: +[30129.876650] dump_stack+0x9d/0xe0 +[30129.876651] check_noncircular+0x34f/0x410 +[30129.876653] __lock_acquire+0x2f70/0x4e90 +[30129.876656] lock_acquire+0x1ac/0xad0 +[30129.876658] console_unlock+0x460/0xa90 +[30129.876660] vprintk_emit+0x130/0x420 +[30129.876660] printk+0x9f/0xc5 +[30129.876661] show_pwq+0x154/0x618 +[30129.876662] show_workqueue_state.cold.55+0x193/0x6ca +[30129.876664] __handle_sysrq+0x244/0x460 +[30129.876665] write_sysrq_trigger+0x48/0x4a +[30129.876665] proc_reg_write+0x1a6/0x240 +[30129.876666] vfs_write+0x1a8/0x650 + +It looks like the commit was aimed to protect tty_insert_flip_string and +there is no need for tty_flip_buffer_push to be under this lock. + +Fixes: b6da31b2c07c ("tty: Fix data race in tty_insert_flip_string_fixed_flag") +Signed-off-by: Artem Savkov +Acked-by: Jiri Slaby +Link: https://lore.kernel.org/r/20200902120045.3693075-1-asavkov@redhat.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/pty.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c +index 00099a8439d21..c6a1d8c4e6894 100644 +--- a/drivers/tty/pty.c ++++ b/drivers/tty/pty.c +@@ -120,10 +120,10 @@ static int pty_write(struct tty_struct *tty, const unsigned char *buf, int c) + spin_lock_irqsave(&to->port->lock, flags); + /* Stuff the data into the input queue of the other end */ + c = tty_insert_flip_string(to->port, buf, c); ++ spin_unlock_irqrestore(&to->port->lock, flags); + /* And shovel */ + if (c) + tty_flip_buffer_push(to->port); +- spin_unlock_irqrestore(&to->port->lock, flags); + } + return c; + } +-- +2.25.1 + diff --git a/queue-4.19/pwm-img-fix-null-pointer-access-in-probe.patch b/queue-4.19/pwm-img-fix-null-pointer-access-in-probe.patch new file mode 100644 index 00000000000..011be0865eb --- /dev/null +++ b/queue-4.19/pwm-img-fix-null-pointer-access-in-probe.patch @@ -0,0 +1,53 @@ +From 7adf8791a184d75f5a63ab2813034673b11623be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 19:14:25 +0200 +Subject: pwm: img: Fix null pointer access in probe + +From: Hauke Mehrtens + +[ Upstream commit b39c0615d0667b3a6f2f5c4bf99ffadf3b518bb1 ] + +dev_get_drvdata() is called in img_pwm_runtime_resume() before the +driver data is set. +When pm_runtime_enabled() returns false in img_pwm_probe() it calls +img_pwm_runtime_resume() which results in a null pointer access. + +This patch fixes the problem by setting the driver data earlier in the +img_pwm_probe() function. + +This crash was seen when booting the Imagination Technologies Creator +Ci40 (Marduk) with kernel 5.4 in OpenWrt. + +Fixes: e690ae526216 ("pwm: img: Add runtime PM") +Signed-off-by: Hauke Mehrtens +Acked-by: Lee Jones +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-img.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/pwm/pwm-img.c b/drivers/pwm/pwm-img.c +index da72b2866e88e..3b0a097ce2abd 100644 +--- a/drivers/pwm/pwm-img.c ++++ b/drivers/pwm/pwm-img.c +@@ -280,6 +280,8 @@ static int img_pwm_probe(struct platform_device *pdev) + return PTR_ERR(pwm->pwm_clk); + } + ++ platform_set_drvdata(pdev, pwm); ++ + pm_runtime_set_autosuspend_delay(&pdev->dev, IMG_PWM_PM_TIMEOUT); + pm_runtime_use_autosuspend(&pdev->dev); + pm_runtime_enable(&pdev->dev); +@@ -316,7 +318,6 @@ static int img_pwm_probe(struct platform_device *pdev) + goto err_suspend; + } + +- platform_set_drvdata(pdev, pwm); + return 0; + + err_suspend: +-- +2.25.1 + diff --git a/queue-4.19/pwm-lpss-add-range-limit-check-for-the-base_unit-reg.patch b/queue-4.19/pwm-lpss-add-range-limit-check-for-the-base_unit-reg.patch new file mode 100644 index 00000000000..0a7714fec8e --- /dev/null +++ b/queue-4.19/pwm-lpss-add-range-limit-check-for-the-base_unit-reg.patch @@ -0,0 +1,68 @@ +From 0311770c0aaf6953290a9189fc90d719dd8f1cae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Sep 2020 13:23:24 +0200 +Subject: pwm: lpss: Add range limit check for the base_unit register value + +From: Hans de Goede + +[ Upstream commit ef9f60daab309558c8bb3e086a9a11ee40bd6061 ] + +When the user requests a high enough period ns value, then the +calculations in pwm_lpss_prepare() might result in a base_unit value of 0. + +But according to the data-sheet the way the PWM controller works is that +each input clock-cycle the base_unit gets added to a N bit counter and +that counter overflowing determines the PWM output frequency. Adding 0 +to the counter is a no-op. The data-sheet even explicitly states that +writing 0 to the base_unit bits will result in the PWM outputting a +continuous 0 signal. + +When the user requestes a low enough period ns value, then the +calculations in pwm_lpss_prepare() might result in a base_unit value +which is bigger then base_unit_range - 1. Currently the codes for this +deals with this by applying a mask: + + base_unit &= (base_unit_range - 1); + +But this means that we let the value overflow the range, we throw away the +higher bits and store whatever value is left in the lower bits into the +register leading to a random output frequency, rather then clamping the +output frequency to the highest frequency which the hardware can do. + +This commit fixes both issues by clamping the base_unit value to be +between 1 and (base_unit_range - 1). + +Fixes: 684309e5043e ("pwm: lpss: Avoid potential overflow of base_unit") +Reviewed-by: Andy Shevchenko +Acked-by: Thierry Reding +Signed-off-by: Hans de Goede +Link: https://patchwork.freedesktop.org/patch/msgid/20200903112337.4113-5-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-lpss.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/pwm/pwm-lpss.c b/drivers/pwm/pwm-lpss.c +index da63c029aa286..69f8be065919e 100644 +--- a/drivers/pwm/pwm-lpss.c ++++ b/drivers/pwm/pwm-lpss.c +@@ -109,6 +109,8 @@ static void pwm_lpss_prepare(struct pwm_lpss_chip *lpwm, struct pwm_device *pwm, + freq *= base_unit_range; + + base_unit = DIV_ROUND_CLOSEST_ULL(freq, c); ++ /* base_unit must not be 0 and we also want to avoid overflowing it */ ++ base_unit = clamp_val(base_unit, 1, base_unit_range - 1); + + on_time_div = 255ULL * duty_ns; + do_div(on_time_div, period_ns); +@@ -117,7 +119,6 @@ static void pwm_lpss_prepare(struct pwm_lpss_chip *lpwm, struct pwm_device *pwm, + orig_ctrl = ctrl = pwm_lpss_read(pwm); + ctrl &= ~PWM_ON_TIME_DIV_MASK; + ctrl &= ~((base_unit_range - 1) << PWM_BASE_UNIT_SHIFT); +- base_unit &= (base_unit_range - 1); + ctrl |= (u32) base_unit << PWM_BASE_UNIT_SHIFT; + ctrl |= on_time_div; + +-- +2.25.1 + diff --git a/queue-4.19/pwm-lpss-fix-off-by-one-error-in-base_unit-math-in-p.patch b/queue-4.19/pwm-lpss-fix-off-by-one-error-in-base_unit-math-in-p.patch new file mode 100644 index 00000000000..f5f11c5e42b --- /dev/null +++ b/queue-4.19/pwm-lpss-fix-off-by-one-error-in-base_unit-math-in-p.patch @@ -0,0 +1,68 @@ +From af477ccfb2fe7b1c65ca345fa87677c3ffeb3664 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Sep 2020 13:23:23 +0200 +Subject: pwm: lpss: Fix off by one error in base_unit math in + pwm_lpss_prepare() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Hans de Goede + +[ Upstream commit 181f4d2f44463fe09fe4df02e03095cb87151c29 ] + +According to the data-sheet the way the PWM controller works is that +each input clock-cycle the base_unit gets added to a N bit counter and +that counter overflowing determines the PWM output frequency. + +So assuming e.g. a 16 bit counter this means that if base_unit is set to 1, +after 65535 input clock-cycles the counter has been increased from 0 to +65535 and it will overflow on the next cycle, so it will overflow after +every 65536 clock cycles and thus the calculations done in +pwm_lpss_prepare() should use 65536 and not 65535. + +This commit fixes this. Note this also aligns the calculations in +pwm_lpss_prepare() with those in pwm_lpss_get_state(). + +Note this effectively reverts commit 684309e5043e ("pwm: lpss: Avoid +potential overflow of base_unit"). The next patch in this series really +fixes the potential overflow of the base_unit value. + +Fixes: 684309e5043e ("pwm: lpss: Avoid potential overflow of base_unit") +Reviewed-by: Andy Shevchenko +Acked-by: Uwe Kleine-König +Acked-by: Thierry Reding +Signed-off-by: Hans de Goede +Link: https://patchwork.freedesktop.org/patch/msgid/20200903112337.4113-4-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-lpss.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/pwm/pwm-lpss.c b/drivers/pwm/pwm-lpss.c +index 7a4a6406cf69a..da63c029aa286 100644 +--- a/drivers/pwm/pwm-lpss.c ++++ b/drivers/pwm/pwm-lpss.c +@@ -105,7 +105,7 @@ static void pwm_lpss_prepare(struct pwm_lpss_chip *lpwm, struct pwm_device *pwm, + * The equation is: + * base_unit = round(base_unit_range * freq / c) + */ +- base_unit_range = BIT(lpwm->info->base_unit_bits) - 1; ++ base_unit_range = BIT(lpwm->info->base_unit_bits); + freq *= base_unit_range; + + base_unit = DIV_ROUND_CLOSEST_ULL(freq, c); +@@ -116,8 +116,8 @@ static void pwm_lpss_prepare(struct pwm_lpss_chip *lpwm, struct pwm_device *pwm, + + orig_ctrl = ctrl = pwm_lpss_read(pwm); + ctrl &= ~PWM_ON_TIME_DIV_MASK; +- ctrl &= ~(base_unit_range << PWM_BASE_UNIT_SHIFT); +- base_unit &= base_unit_range; ++ ctrl &= ~((base_unit_range - 1) << PWM_BASE_UNIT_SHIFT); ++ base_unit &= (base_unit_range - 1); + ctrl |= (u32) base_unit << PWM_BASE_UNIT_SHIFT; + ctrl |= on_time_div; + +-- +2.25.1 + diff --git a/queue-4.19/qtnfmac-fix-resource-leaks-on-unsupported-iftype-err.patch b/queue-4.19/qtnfmac-fix-resource-leaks-on-unsupported-iftype-err.patch new file mode 100644 index 00000000000..e891a1bad87 --- /dev/null +++ b/queue-4.19/qtnfmac-fix-resource-leaks-on-unsupported-iftype-err.patch @@ -0,0 +1,46 @@ +From 3b7528e417c471da7fbcb1f748751ddfc37d7421 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 14:22:24 +0100 +Subject: qtnfmac: fix resource leaks on unsupported iftype error return path + +From: Colin Ian King + +[ Upstream commit 63f6982075d890d7563e2469643f05a37d193f01 ] + +Currently if an unsupported iftype is detected the error return path +does not free the cmd_skb leading to a resource leak. Fix this by +free'ing cmd_skb. + +Addresses-Coverity: ("Resource leak") +Fixes: 805b28c05c8e ("qtnfmac: prepare for AP_VLAN interface type support") +Signed-off-by: Colin Ian King +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200925132224.21638-1-colin.king@canonical.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/quantenna/qtnfmac/commands.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/quantenna/qtnfmac/commands.c b/drivers/net/wireless/quantenna/qtnfmac/commands.c +index 734844b34c266..dd473b206f123 100644 +--- a/drivers/net/wireless/quantenna/qtnfmac/commands.c ++++ b/drivers/net/wireless/quantenna/qtnfmac/commands.c +@@ -894,6 +894,7 @@ int qtnf_cmd_send_del_intf(struct qtnf_vif *vif) + default: + pr_warn("VIF%u.%u: unsupported iftype %d\n", vif->mac->macid, + vif->vifid, vif->wdev.iftype); ++ dev_kfree_skb(cmd_skb); + ret = -EINVAL; + goto out; + } +@@ -2212,6 +2213,7 @@ int qtnf_cmd_send_change_sta(struct qtnf_vif *vif, const u8 *mac, + break; + default: + pr_err("unsupported iftype %d\n", vif->wdev.iftype); ++ dev_kfree_skb(cmd_skb); + ret = -EINVAL; + goto out; + } +-- +2.25.1 + diff --git a/queue-4.19/quota-clear-padding-in-v2r1_mem2diskdqb.patch b/queue-4.19/quota-clear-padding-in-v2r1_mem2diskdqb.patch new file mode 100644 index 00000000000..d1afa5bb30f --- /dev/null +++ b/queue-4.19/quota-clear-padding-in-v2r1_mem2diskdqb.patch @@ -0,0 +1,114 @@ +From e5f2e701c083b6d9f9db4f99310b19830b4b866d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Sep 2020 11:36:19 -0700 +Subject: quota: clear padding in v2r1_mem2diskdqb() + +From: Eric Dumazet + +[ Upstream commit 3d3dc274ce736227e3197868ff749cff2f175f63 ] + +Freshly allocated memory contains garbage, better make sure +to init all struct v2r1_disk_dqblk fields to avoid KMSAN report: + +BUG: KMSAN: uninit-value in qtree_entry_unused+0x137/0x1b0 fs/quota/quota_tree.c:218 +CPU: 0 PID: 23373 Comm: syz-executor.1 Not tainted 5.9.0-rc4-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x21c/0x280 lib/dump_stack.c:118 + kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:122 + __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:219 + qtree_entry_unused+0x137/0x1b0 fs/quota/quota_tree.c:218 + v2r1_mem2diskdqb+0x43d/0x710 fs/quota/quota_v2.c:285 + qtree_write_dquot+0x226/0x870 fs/quota/quota_tree.c:394 + v2_write_dquot+0x1ad/0x280 fs/quota/quota_v2.c:333 + dquot_commit+0x4af/0x600 fs/quota/dquot.c:482 + ext4_write_dquot fs/ext4/super.c:5934 [inline] + ext4_mark_dquot_dirty+0x4d8/0x6a0 fs/ext4/super.c:5985 + mark_dquot_dirty fs/quota/dquot.c:347 [inline] + mark_all_dquot_dirty fs/quota/dquot.c:385 [inline] + dquot_alloc_inode+0xc05/0x12b0 fs/quota/dquot.c:1755 + __ext4_new_inode+0x8204/0x9d70 fs/ext4/ialloc.c:1155 + ext4_tmpfile+0x41a/0x850 fs/ext4/namei.c:2686 + vfs_tmpfile+0x2a2/0x570 fs/namei.c:3283 + do_tmpfile fs/namei.c:3316 [inline] + path_openat+0x4035/0x6a90 fs/namei.c:3359 + do_filp_open+0x2b8/0x710 fs/namei.c:3395 + do_sys_openat2+0xa88/0x1140 fs/open.c:1168 + do_sys_open fs/open.c:1184 [inline] + __do_compat_sys_openat fs/open.c:1242 [inline] + __se_compat_sys_openat+0x2a4/0x310 fs/open.c:1240 + __ia32_compat_sys_openat+0x56/0x70 fs/open.c:1240 + do_syscall_32_irqs_on arch/x86/entry/common.c:80 [inline] + __do_fast_syscall_32+0x129/0x180 arch/x86/entry/common.c:139 + do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:162 + do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:205 + entry_SYSENTER_compat_after_hwframe+0x4d/0x5c +RIP: 0023:0xf7ff4549 +Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 +RSP: 002b:00000000f55cd0cc EFLAGS: 00000296 ORIG_RAX: 0000000000000127 +RAX: ffffffffffffffda RBX: 00000000ffffff9c RCX: 0000000020000000 +RDX: 0000000000410481 RSI: 0000000000000000 RDI: 0000000000000000 +RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + +Uninit was created at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:143 [inline] + kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:126 + kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:80 + slab_alloc_node mm/slub.c:2907 [inline] + slab_alloc mm/slub.c:2916 [inline] + __kmalloc+0x2bb/0x4b0 mm/slub.c:3982 + kmalloc include/linux/slab.h:559 [inline] + getdqbuf+0x56/0x150 fs/quota/quota_tree.c:52 + qtree_write_dquot+0xf2/0x870 fs/quota/quota_tree.c:378 + v2_write_dquot+0x1ad/0x280 fs/quota/quota_v2.c:333 + dquot_commit+0x4af/0x600 fs/quota/dquot.c:482 + ext4_write_dquot fs/ext4/super.c:5934 [inline] + ext4_mark_dquot_dirty+0x4d8/0x6a0 fs/ext4/super.c:5985 + mark_dquot_dirty fs/quota/dquot.c:347 [inline] + mark_all_dquot_dirty fs/quota/dquot.c:385 [inline] + dquot_alloc_inode+0xc05/0x12b0 fs/quota/dquot.c:1755 + __ext4_new_inode+0x8204/0x9d70 fs/ext4/ialloc.c:1155 + ext4_tmpfile+0x41a/0x850 fs/ext4/namei.c:2686 + vfs_tmpfile+0x2a2/0x570 fs/namei.c:3283 + do_tmpfile fs/namei.c:3316 [inline] + path_openat+0x4035/0x6a90 fs/namei.c:3359 + do_filp_open+0x2b8/0x710 fs/namei.c:3395 + do_sys_openat2+0xa88/0x1140 fs/open.c:1168 + do_sys_open fs/open.c:1184 [inline] + __do_compat_sys_openat fs/open.c:1242 [inline] + __se_compat_sys_openat+0x2a4/0x310 fs/open.c:1240 + __ia32_compat_sys_openat+0x56/0x70 fs/open.c:1240 + do_syscall_32_irqs_on arch/x86/entry/common.c:80 [inline] + __do_fast_syscall_32+0x129/0x180 arch/x86/entry/common.c:139 + do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:162 + do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:205 + entry_SYSENTER_compat_after_hwframe+0x4d/0x5c + +Fixes: 498c60153ebb ("quota: Implement quota format with 64-bit space and inode limits") +Link: https://lore.kernel.org/r/20200924183619.4176790-1-edumazet@google.com +Signed-off-by: Eric Dumazet +Cc: Jan Kara +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/quota/quota_v2.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/quota/quota_v2.c b/fs/quota/quota_v2.c +index a73e5b34db418..5d4dc0f84f202 100644 +--- a/fs/quota/quota_v2.c ++++ b/fs/quota/quota_v2.c +@@ -283,6 +283,7 @@ static void v2r1_mem2diskdqb(void *dp, struct dquot *dquot) + d->dqb_curspace = cpu_to_le64(m->dqb_curspace); + d->dqb_btime = cpu_to_le64(m->dqb_btime); + d->dqb_id = cpu_to_le32(from_kqid(&init_user_ns, dquot->dq_id)); ++ d->dqb_pad = 0; + if (qtree_entry_unused(info, dp)) + d->dqb_itime = cpu_to_le64(1); + } +-- +2.25.1 + diff --git a/queue-4.19/ramfs-fix-nommu-mmap-with-gaps-in-the-page-cache.patch b/queue-4.19/ramfs-fix-nommu-mmap-with-gaps-in-the-page-cache.patch new file mode 100644 index 00000000000..f84fd7aaa84 --- /dev/null +++ b/queue-4.19/ramfs-fix-nommu-mmap-with-gaps-in-the-page-cache.patch @@ -0,0 +1,42 @@ +From 79a6774cff2a5fc22274bb005a3e815ac4cf9577 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Oct 2020 20:13:04 -0700 +Subject: ramfs: fix nommu mmap with gaps in the page cache + +From: Matthew Wilcox (Oracle) + +[ Upstream commit 50b7d85680086126d7bd91dae81d57d4cb1ab6b7 ] + +ramfs needs to check that pages are both physically contiguous and +contiguous in the file. If the page cache happens to have, eg, page A for +index 0 of the file, no page for index 1, and page A+1 for index 2, then +an mmap of the first two pages of the file will succeed when it should +fail. + +Fixes: 642fb4d1f1dd ("[PATCH] NOMMU: Provide shared-writable mmap support on ramfs") +Signed-off-by: Matthew Wilcox (Oracle) +Signed-off-by: Andrew Morton +Cc: David Howells +Link: https://lkml.kernel.org/r/20200914122239.GO6583@casper.infradead.org +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ramfs/file-nommu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ramfs/file-nommu.c b/fs/ramfs/file-nommu.c +index 3ac1f23870837..5e1ebbe639ebf 100644 +--- a/fs/ramfs/file-nommu.c ++++ b/fs/ramfs/file-nommu.c +@@ -228,7 +228,7 @@ static unsigned long ramfs_nommu_get_unmapped_area(struct file *file, + if (!pages) + goto out_free; + +- nr = find_get_pages(inode->i_mapping, &pgoff, lpages, pages); ++ nr = find_get_pages_contig(inode->i_mapping, pgoff, lpages, pages); + if (nr != lpages) + goto out_free_pages; /* leave if some pages were missing */ + +-- +2.25.1 + diff --git a/queue-4.19/rapidio-fix-error-handling-path.patch b/queue-4.19/rapidio-fix-error-handling-path.patch new file mode 100644 index 00000000000..8468ab6582e --- /dev/null +++ b/queue-4.19/rapidio-fix-error-handling-path.patch @@ -0,0 +1,71 @@ +From 39407a6238042b67926dbf110f6de74412dad877 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Oct 2020 20:13:15 -0700 +Subject: rapidio: fix error handling path + +From: Souptick Joarder + +[ Upstream commit fa63f083b3492b5ed5332b8d7c90b03b5ef24a1d ] + +rio_dma_transfer() attempts to clamp the return value of +pin_user_pages_fast() to be >= 0. However, the attempt fails because +nr_pages is overridden a few lines later, and restored to the undesirable +-ERRNO value. + +The return value is ultimately stored in nr_pages, which in turn is passed +to unpin_user_pages(), which expects nr_pages >= 0, else, disaster. + +Fix this by fixing the nesting of the assignment to nr_pages: nr_pages +should be clamped to zero if pin_user_pages_fast() returns -ERRNO, or set +to the return value of pin_user_pages_fast(), otherwise. + +[jhubbard@nvidia.com: new changelog] + +Fixes: e8de370188d09 ("rapidio: add mport char device driver") +Signed-off-by: Souptick Joarder +Signed-off-by: Andrew Morton +Reviewed-by: Ira Weiny +Reviewed-by: John Hubbard +Cc: Matthew Wilcox +Cc: Matt Porter +Cc: Alexandre Bounine +Cc: Gustavo A. R. Silva +Cc: Madhuparna Bhowmik +Cc: Dan Carpenter +Link: https://lkml.kernel.org/r/1600227737-20785-1-git-send-email-jrdr.linux@gmail.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/rapidio/devices/rio_mport_cdev.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c +index f36a8a5261a13..c3ca1cf0e1bb7 100644 +--- a/drivers/rapidio/devices/rio_mport_cdev.c ++++ b/drivers/rapidio/devices/rio_mport_cdev.c +@@ -875,15 +875,16 @@ rio_dma_transfer(struct file *filp, u32 transfer_mode, + rmcd_error("get_user_pages_unlocked err=%ld", + pinned); + nr_pages = 0; +- } else ++ } else { + rmcd_error("pinned %ld out of %ld pages", + pinned, nr_pages); ++ /* ++ * Set nr_pages up to mean "how many pages to unpin, in ++ * the error handler: ++ */ ++ nr_pages = pinned; ++ } + ret = -EFAULT; +- /* +- * Set nr_pages up to mean "how many pages to unpin, in +- * the error handler: +- */ +- nr_pages = pinned; + goto err_pg; + } + +-- +2.25.1 + diff --git a/queue-4.19/rapidio-fix-the-missed-put_device-for-rio_mport_add_.patch b/queue-4.19/rapidio-fix-the-missed-put_device-for-rio_mport_add_.patch new file mode 100644 index 00000000000..f581abb7d80 --- /dev/null +++ b/queue-4.19/rapidio-fix-the-missed-put_device-for-rio_mport_add_.patch @@ -0,0 +1,56 @@ +From e8d2ff5d37c0c59b89fa140fe81eff4b0de3c347 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Oct 2020 20:13:18 -0700 +Subject: rapidio: fix the missed put_device() for rio_mport_add_riodev + +From: Jing Xiangfeng + +[ Upstream commit 85094c05eeb47d195a74a25366a2db066f1c9d47 ] + +rio_mport_add_riodev() misses to call put_device() when the device already +exists. Add the missed function call to fix it. + +Fixes: e8de370188d0 ("rapidio: add mport char device driver") +Signed-off-by: Jing Xiangfeng +Signed-off-by: Andrew Morton +Reviewed-by: Dan Carpenter +Cc: Matt Porter +Cc: Alexandre Bounine +Cc: Gustavo A. R. Silva +Cc: John Hubbard +Cc: Kees Cook +Cc: Madhuparna Bhowmik +Link: https://lkml.kernel.org/r/20200922072525.42330-1-jingxiangfeng@huawei.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/rapidio/devices/rio_mport_cdev.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c +index c3ca1cf0e1bb7..a136a7ae77140 100644 +--- a/drivers/rapidio/devices/rio_mport_cdev.c ++++ b/drivers/rapidio/devices/rio_mport_cdev.c +@@ -1685,6 +1685,7 @@ static int rio_mport_add_riodev(struct mport_cdev_priv *priv, + struct rio_dev *rdev; + struct rio_switch *rswitch = NULL; + struct rio_mport *mport; ++ struct device *dev; + size_t size; + u32 rval; + u32 swpinfo = 0; +@@ -1699,8 +1700,10 @@ static int rio_mport_add_riodev(struct mport_cdev_priv *priv, + rmcd_debug(RDEV, "name:%s ct:0x%x did:0x%x hc:0x%x", dev_info.name, + dev_info.comptag, dev_info.destid, dev_info.hopcount); + +- if (bus_find_device_by_name(&rio_bus_type, NULL, dev_info.name)) { ++ dev = bus_find_device_by_name(&rio_bus_type, NULL, dev_info.name); ++ if (dev) { + rmcd_debug(RDEV, "device %s already exists", dev_info.name); ++ put_device(dev); + return -EEXIST; + } + +-- +2.25.1 + diff --git a/queue-4.19/rdma-cma-consolidate-the-destruction-of-a-cma_multic.patch b/queue-4.19/rdma-cma-consolidate-the-destruction-of-a-cma_multic.patch new file mode 100644 index 00000000000..845a8ecae6d --- /dev/null +++ b/queue-4.19/rdma-cma-consolidate-the-destruction-of-a-cma_multic.patch @@ -0,0 +1,116 @@ +From f3f7edc0a87c2bcba0b13a14b42c3c510dbed9ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 11:11:21 +0300 +Subject: RDMA/cma: Consolidate the destruction of a cma_multicast in one place + +From: Jason Gunthorpe + +[ Upstream commit 3788d2997bc0150ea911a964d5b5a2e11808a936 ] + +Two places were open coding this sequence, and also pull in +cma_leave_roce_mc_group() which was called only once. + +Link: https://lore.kernel.org/r/20200902081122.745412-8-leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/cma.c | 63 +++++++++++++++++------------------ + 1 file changed, 31 insertions(+), 32 deletions(-) + +diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c +index 65c15114cbe7a..8cdf933310d15 100644 +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -1678,19 +1678,30 @@ static void cma_release_port(struct rdma_id_private *id_priv) + mutex_unlock(&lock); + } + +-static void cma_leave_roce_mc_group(struct rdma_id_private *id_priv, +- struct cma_multicast *mc) ++static void destroy_mc(struct rdma_id_private *id_priv, ++ struct cma_multicast *mc) + { +- struct rdma_dev_addr *dev_addr = &id_priv->id.route.addr.dev_addr; +- struct net_device *ndev = NULL; ++ if (rdma_cap_ib_mcast(id_priv->id.device, id_priv->id.port_num)) { ++ ib_sa_free_multicast(mc->multicast.ib); ++ kfree(mc); ++ return; ++ } + +- if (dev_addr->bound_dev_if) +- ndev = dev_get_by_index(dev_addr->net, dev_addr->bound_dev_if); +- if (ndev) { +- cma_igmp_send(ndev, &mc->multicast.ib->rec.mgid, false); +- dev_put(ndev); ++ if (rdma_protocol_roce(id_priv->id.device, ++ id_priv->id.port_num)) { ++ struct rdma_dev_addr *dev_addr = ++ &id_priv->id.route.addr.dev_addr; ++ struct net_device *ndev = NULL; ++ ++ if (dev_addr->bound_dev_if) ++ ndev = dev_get_by_index(dev_addr->net, ++ dev_addr->bound_dev_if); ++ if (ndev) { ++ cma_igmp_send(ndev, &mc->multicast.ib->rec.mgid, false); ++ dev_put(ndev); ++ } ++ kref_put(&mc->mcref, release_mc); + } +- kref_put(&mc->mcref, release_mc); + } + + static void cma_leave_mc_groups(struct rdma_id_private *id_priv) +@@ -1698,16 +1709,10 @@ static void cma_leave_mc_groups(struct rdma_id_private *id_priv) + struct cma_multicast *mc; + + while (!list_empty(&id_priv->mc_list)) { +- mc = container_of(id_priv->mc_list.next, +- struct cma_multicast, list); ++ mc = list_first_entry(&id_priv->mc_list, struct cma_multicast, ++ list); + list_del(&mc->list); +- if (rdma_cap_ib_mcast(id_priv->cma_dev->device, +- id_priv->id.port_num)) { +- ib_sa_free_multicast(mc->multicast.ib); +- kfree(mc); +- } else { +- cma_leave_roce_mc_group(id_priv, mc); +- } ++ destroy_mc(id_priv, mc); + } + } + +@@ -4327,20 +4332,14 @@ void rdma_leave_multicast(struct rdma_cm_id *id, struct sockaddr *addr) + id_priv = container_of(id, struct rdma_id_private, id); + spin_lock_irq(&id_priv->lock); + list_for_each_entry(mc, &id_priv->mc_list, list) { +- if (!memcmp(&mc->addr, addr, rdma_addr_size(addr))) { +- list_del(&mc->list); +- spin_unlock_irq(&id_priv->lock); +- +- BUG_ON(id_priv->cma_dev->device != id->device); ++ if (memcmp(&mc->addr, addr, rdma_addr_size(addr)) != 0) ++ continue; ++ list_del(&mc->list); ++ spin_unlock_irq(&id_priv->lock); + +- if (rdma_cap_ib_mcast(id->device, id->port_num)) { +- ib_sa_free_multicast(mc->multicast.ib); +- kfree(mc); +- } else if (rdma_protocol_roce(id->device, id->port_num)) { +- cma_leave_roce_mc_group(id_priv, mc); +- } +- return; +- } ++ WARN_ON(id_priv->cma_dev->device != id->device); ++ destroy_mc(id_priv, mc); ++ return; + } + spin_unlock_irq(&id_priv->lock); + } +-- +2.25.1 + diff --git a/queue-4.19/rdma-cma-remove-dead-code-for-kernel-rdmacm-multicas.patch b/queue-4.19/rdma-cma-remove-dead-code-for-kernel-rdmacm-multicas.patch new file mode 100644 index 00000000000..37987aea4e1 --- /dev/null +++ b/queue-4.19/rdma-cma-remove-dead-code-for-kernel-rdmacm-multicas.patch @@ -0,0 +1,69 @@ +From 7d5efa58e36ee7c2a4c5d468ec0f8d7b70bb8bf1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 11:11:20 +0300 +Subject: RDMA/cma: Remove dead code for kernel rdmacm multicast + +From: Jason Gunthorpe + +[ Upstream commit 1bb5091def706732c749df9aae45fbca003696f2 ] + +There is no kernel user of RDMA CM multicast so this code managing the +multicast subscription of the kernel-only internal QP is dead. Remove it. + +This makes the bug fixes in the next patches much simpler. + +Link: https://lore.kernel.org/r/20200902081122.745412-7-leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/cma.c | 19 ++++--------------- + 1 file changed, 4 insertions(+), 15 deletions(-) + +diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c +index 1f14cd4ce3db5..65c15114cbe7a 100644 +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -4020,16 +4020,6 @@ static int cma_ib_mc_handler(int status, struct ib_sa_multicast *multicast) + else + pr_debug_ratelimited("RDMA CM: MULTICAST_ERROR: failed to join multicast. status %d\n", + status); +- mutex_lock(&id_priv->qp_mutex); +- if (!status && id_priv->id.qp) { +- status = ib_attach_mcast(id_priv->id.qp, &multicast->rec.mgid, +- be16_to_cpu(multicast->rec.mlid)); +- if (status) +- pr_debug_ratelimited("RDMA CM: MULTICAST_ERROR: failed to attach QP. status %d\n", +- status); +- } +- mutex_unlock(&id_priv->qp_mutex); +- + event.status = status; + event.param.ud.private_data = mc->context; + if (!status) { +@@ -4283,6 +4273,10 @@ int rdma_join_multicast(struct rdma_cm_id *id, struct sockaddr *addr, + struct cma_multicast *mc; + int ret; + ++ /* Not supported for kernel QPs */ ++ if (WARN_ON(id->qp)) ++ return -EINVAL; ++ + if (!id->device) + return -EINVAL; + +@@ -4337,11 +4331,6 @@ void rdma_leave_multicast(struct rdma_cm_id *id, struct sockaddr *addr) + list_del(&mc->list); + spin_unlock_irq(&id_priv->lock); + +- if (id->qp) +- ib_detach_mcast(id->qp, +- &mc->multicast.ib->rec.mgid, +- be16_to_cpu(mc->multicast.ib->rec.mlid)); +- + BUG_ON(id_priv->cma_dev->device != id->device); + + if (rdma_cap_ib_mcast(id->device, id->port_num)) { +-- +2.25.1 + diff --git a/queue-4.19/rdma-hns-fix-missing-sq_sig_type-when-querying-qp.patch b/queue-4.19/rdma-hns-fix-missing-sq_sig_type-when-querying-qp.patch new file mode 100644 index 00000000000..636b76f5eab --- /dev/null +++ b/queue-4.19/rdma-hns-fix-missing-sq_sig_type-when-querying-qp.patch @@ -0,0 +1,36 @@ +From fdfefd4cf186a980edf6a9ede2c6e47cde89be4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Sep 2020 18:03:22 +0800 +Subject: RDMA/hns: Fix missing sq_sig_type when querying QP + +From: Weihang Li + +[ Upstream commit 05df49279f8926178ecb3ce88e61b63104cd6293 ] + +The sq_sig_type field should be filled when querying QP, or the users may +get a wrong value. + +Fixes: 926a01dc000d ("RDMA/hns: Add QP operations support for hip08 SoC") +Link: https://lore.kernel.org/r/1600509802-44382-9-git-send-email-liweihang@huawei.com +Signed-off-by: Weihang Li +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index 417de7ac0d5e2..2a203e08d4c1a 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -3821,6 +3821,7 @@ static int hns_roce_v2_query_qp(struct ib_qp *ibqp, struct ib_qp_attr *qp_attr, + } + + qp_init_attr->cap = qp_attr->cap; ++ qp_init_attr->sq_sig_type = hr_qp->sq_signal_bits; + + out: + mutex_unlock(&hr_qp->mutex); +-- +2.25.1 + diff --git a/queue-4.19/rdma-hns-set-the-unsupported-wr-opcode.patch b/queue-4.19/rdma-hns-set-the-unsupported-wr-opcode.patch new file mode 100644 index 00000000000..b88bb406da9 --- /dev/null +++ b/queue-4.19/rdma-hns-set-the-unsupported-wr-opcode.patch @@ -0,0 +1,37 @@ +From 25ee98cf109f5b15109e36bd6da0fb3c0b27f8cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Sep 2020 21:50:15 +0800 +Subject: RDMA/hns: Set the unsupported wr opcode + +From: Lijun Ou + +[ Upstream commit 22d3e1ed2cc837af87f76c3c8a4ccf4455e225c5 ] + +hip06 does not support IB_WR_LOCAL_INV, so the ps_opcode should be set to +an invalid value instead of being left uninitialized. + +Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver") +Fixes: a2f3d4479fe9 ("RDMA/hns: Avoid unncessary initialization") +Link: https://lore.kernel.org/r/1600350615-115217-1-git-send-email-oulijun@huawei.com +Signed-off-by: Lijun Ou +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v1.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v1.c b/drivers/infiniband/hw/hns/hns_roce_hw_v1.c +index 081aa91fc162d..620eaca2b8314 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v1.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v1.c +@@ -274,7 +274,6 @@ static int hns_roce_v1_post_send(struct ib_qp *ibqp, + ps_opcode = HNS_ROCE_WQE_OPCODE_SEND; + break; + case IB_WR_LOCAL_INV: +- break; + case IB_WR_ATOMIC_CMP_AND_SWP: + case IB_WR_ATOMIC_FETCH_AND_ADD: + case IB_WR_LSO: +-- +2.25.1 + diff --git a/queue-4.19/rdma-qedr-fix-inline-size-returned-for-iwarp.patch b/queue-4.19/rdma-qedr-fix-inline-size-returned-for-iwarp.patch new file mode 100644 index 00000000000..c125fb4f0f1 --- /dev/null +++ b/queue-4.19/rdma-qedr-fix-inline-size-returned-for-iwarp.patch @@ -0,0 +1,40 @@ +From 15c72fa117b67d8126ef6a39964671643e1162b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 19:57:40 +0300 +Subject: RDMA/qedr: Fix inline size returned for iWARP + +From: Michal Kalderon + +[ Upstream commit fbf58026b2256e9cd5f241a4801d79d3b2b7b89d ] + +commit 59e8970b3798 ("RDMA/qedr: Return max inline data in QP query +result") changed query_qp max_inline size to return the max roce inline +size. When iwarp was introduced, this should have been modified to return +the max inline size based on protocol. This size is cached in the device +attributes + +Fixes: 69ad0e7fe845 ("RDMA/qedr: Add support for iWARP in user space") +Link: https://lore.kernel.org/r/20200902165741.8355-8-michal.kalderon@marvell.com +Signed-off-by: Michal Kalderon +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/qedr/verbs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/qedr/verbs.c b/drivers/infiniband/hw/qedr/verbs.c +index 7b26afc7fef35..f847f0a9f204d 100644 +--- a/drivers/infiniband/hw/qedr/verbs.c ++++ b/drivers/infiniband/hw/qedr/verbs.c +@@ -2522,7 +2522,7 @@ int qedr_query_qp(struct ib_qp *ibqp, + qp_attr->cap.max_recv_wr = qp->rq.max_wr; + qp_attr->cap.max_send_sge = qp->sq.max_sges; + qp_attr->cap.max_recv_sge = qp->rq.max_sges; +- qp_attr->cap.max_inline_data = ROCE_REQ_MAX_INLINE_DATA_SIZE; ++ qp_attr->cap.max_inline_data = dev->attr.max_inline; + qp_init_attr->cap = qp_attr->cap; + + qp_attr->ah_attr.type = RDMA_AH_ATTR_TYPE_ROCE; +-- +2.25.1 + diff --git a/queue-4.19/rdma-qedr-fix-use-of-uninitialized-field.patch b/queue-4.19/rdma-qedr-fix-use-of-uninitialized-field.patch new file mode 100644 index 00000000000..42c77728949 --- /dev/null +++ b/queue-4.19/rdma-qedr-fix-use-of-uninitialized-field.patch @@ -0,0 +1,37 @@ +From b847e072a2d9a3f731f88982d322666f3f87b9f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 19:57:36 +0300 +Subject: RDMA/qedr: Fix use of uninitialized field + +From: Michal Kalderon + +[ Upstream commit a379ad54e55a12618cae7f6333fd1b3071de9606 ] + +dev->attr.page_size_caps was used uninitialized when setting device +attributes + +Fixes: ec72fce401c6 ("qedr: Add support for RoCE HW init") +Link: https://lore.kernel.org/r/20200902165741.8355-4-michal.kalderon@marvell.com +Signed-off-by: Michal Kalderon +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/qedr/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/qedr/main.c b/drivers/infiniband/hw/qedr/main.c +index d1680d3b58250..2a82661620fe7 100644 +--- a/drivers/infiniband/hw/qedr/main.c ++++ b/drivers/infiniband/hw/qedr/main.c +@@ -604,7 +604,7 @@ static int qedr_set_device_attr(struct qedr_dev *dev) + qed_attr = dev->ops->rdma_query_device(dev->rdma_ctx); + + /* Part 2 - check capabilities */ +- page_size = ~dev->attr.page_size_caps + 1; ++ page_size = ~qed_attr->page_size_caps + 1; + if (page_size > PAGE_SIZE) { + DP_ERR(dev, + "Kernel PAGE_SIZE is %ld which is smaller than minimum page size (%d) required by qedr\n", +-- +2.25.1 + diff --git a/queue-4.19/rdma-ucma-add-missing-locking-around-rdma_leave_mult.patch b/queue-4.19/rdma-ucma-add-missing-locking-around-rdma_leave_mult.patch new file mode 100644 index 00000000000..ebd8358463a --- /dev/null +++ b/queue-4.19/rdma-ucma-add-missing-locking-around-rdma_leave_mult.patch @@ -0,0 +1,38 @@ +From ddee81c301392589bff83b3c963e1fed75b02b80 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Aug 2020 15:05:22 +0300 +Subject: RDMA/ucma: Add missing locking around rdma_leave_multicast() + +From: Jason Gunthorpe + +[ Upstream commit 38e03d092699891c3237b5aee9e8029d4ede0956 ] + +All entry points to the rdma_cm from a ULP must be single threaded, +even this error unwinds. Add the missing locking. + +Fixes: 7c11910783a1 ("RDMA/ucma: Put a lock around every call to the rdma_cm layer") +Link: https://lore.kernel.org/r/20200818120526.702120-11-leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/ucma.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c +index 0c095c8c0ac5b..01052de6bedbf 100644 +--- a/drivers/infiniband/core/ucma.c ++++ b/drivers/infiniband/core/ucma.c +@@ -1476,7 +1476,9 @@ static ssize_t ucma_process_join(struct ucma_file *file, + return 0; + + err3: ++ mutex_lock(&ctx->mutex); + rdma_leave_multicast(ctx->cm_id, (struct sockaddr *) &mc->addr); ++ mutex_unlock(&ctx->mutex); + ucma_cleanup_mc_events(mc); + err2: + mutex_lock(&mut); +-- +2.25.1 + diff --git a/queue-4.19/rdma-ucma-fix-locking-for-ctx-events_reported.patch b/queue-4.19/rdma-ucma-fix-locking-for-ctx-events_reported.patch new file mode 100644 index 00000000000..e4f39099cbd --- /dev/null +++ b/queue-4.19/rdma-ucma-fix-locking-for-ctx-events_reported.patch @@ -0,0 +1,58 @@ +From de8a786a08ae3efd94e198a201ad8f3574fdc934 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Aug 2020 15:05:21 +0300 +Subject: RDMA/ucma: Fix locking for ctx->events_reported + +From: Jason Gunthorpe + +[ Upstream commit 98837c6c3d7285f6eca86480b6f7fac6880e27a8 ] + +This value is locked under the file->mut, ensure it is held whenever +touching it. + +The case in ucma_migrate_id() is a race, while in ucma_free_uctx() it is +already not possible for the write side to run, the movement is just for +clarity. + +Fixes: 88314e4dda1e ("RDMA/cma: add support for rdma_migrate_id()") +Link: https://lore.kernel.org/r/20200818120526.702120-10-leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/ucma.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c +index 2acc30c3d5b2d..0c095c8c0ac5b 100644 +--- a/drivers/infiniband/core/ucma.c ++++ b/drivers/infiniband/core/ucma.c +@@ -588,6 +588,7 @@ static int ucma_free_ctx(struct ucma_context *ctx) + list_move_tail(&uevent->list, &list); + } + list_del(&ctx->list); ++ events_reported = ctx->events_reported; + mutex_unlock(&ctx->file->mut); + + list_for_each_entry_safe(uevent, tmp, &list, list) { +@@ -597,7 +598,6 @@ static int ucma_free_ctx(struct ucma_context *ctx) + kfree(uevent); + } + +- events_reported = ctx->events_reported; + mutex_destroy(&ctx->mutex); + kfree(ctx); + return events_reported; +@@ -1644,7 +1644,9 @@ static ssize_t ucma_migrate_id(struct ucma_file *new_file, + + cur_file = ctx->file; + if (cur_file == new_file) { ++ mutex_lock(&cur_file->mut); + resp.events_reported = ctx->events_reported; ++ mutex_unlock(&cur_file->mut); + goto response; + } + +-- +2.25.1 + diff --git a/queue-4.19/regulator-resolve-supply-after-creating-regulator.patch b/queue-4.19/regulator-resolve-supply-after-creating-regulator.patch new file mode 100644 index 00000000000..56f9ecea169 --- /dev/null +++ b/queue-4.19/regulator-resolve-supply-after-creating-regulator.patch @@ -0,0 +1,67 @@ +From 5baf19bcff016515a750bd9cfa7164d0ca575fe6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Sep 2020 23:32:41 +0200 +Subject: regulator: resolve supply after creating regulator +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michał Mirosław + +[ Upstream commit aea6cb99703e17019e025aa71643b4d3e0a24413 ] + +When creating a new regulator its supply cannot create the sysfs link +because the device is not yet published. Remove early supply resolving +since it will be done later anyway. This makes the following error +disappear and the symlinks get created instead. + + DCDC_REG1: supplied by VSYS + VSYS: could not add device link regulator.3 err -2 + +Note: It doesn't fix the problem for bypassed regulators, though. + +Fixes: 45389c47526d ("regulator: core: Add early supply resolution for regulators") +Signed-off-by: Michał Mirosław +Link: https://lore.kernel.org/r/ba09e0a8617ffeeb25cb4affffe6f3149319cef8.1601155770.git.mirq-linux@rere.qmqm.pl +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/core.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c +index 37e6270749eef..c290c89421314 100644 +--- a/drivers/regulator/core.c ++++ b/drivers/regulator/core.c +@@ -4363,15 +4363,20 @@ regulator_register(const struct regulator_desc *regulator_desc, + else if (regulator_desc->supply_name) + rdev->supply_name = regulator_desc->supply_name; + +- /* +- * Attempt to resolve the regulator supply, if specified, +- * but don't return an error if we fail because we will try +- * to resolve it again later as more regulators are added. +- */ +- if (regulator_resolve_supply(rdev)) +- rdev_dbg(rdev, "unable to resolve supply\n"); +- + ret = set_machine_constraints(rdev, constraints); ++ if (ret == -EPROBE_DEFER) { ++ /* Regulator might be in bypass mode and so needs its supply ++ * to set the constraints */ ++ /* FIXME: this currently triggers a chicken-and-egg problem ++ * when creating -SUPPLY symlink in sysfs to a regulator ++ * that is just being created */ ++ ret = regulator_resolve_supply(rdev); ++ if (!ret) ++ ret = set_machine_constraints(rdev, constraints); ++ else ++ rdev_dbg(rdev, "unable to resolve supply early: %pe\n", ++ ERR_PTR(ret)); ++ } + if (ret < 0) + goto wash; + +-- +2.25.1 + diff --git a/queue-4.19/reiserfs-fix-memory-leak-in-reiserfs_parse_options.patch b/queue-4.19/reiserfs-fix-memory-leak-in-reiserfs_parse_options.patch new file mode 100644 index 00000000000..a8b3d3475e7 --- /dev/null +++ b/queue-4.19/reiserfs-fix-memory-leak-in-reiserfs_parse_options.patch @@ -0,0 +1,49 @@ +From 3940c70c036274eab0b33d1d31664926ed5935a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2020 14:01:44 +0100 +Subject: reiserfs: Fix memory leak in reiserfs_parse_options() + +From: Jan Kara + +[ Upstream commit e9d4709fcc26353df12070566970f080e651f0c9 ] + +When a usrjquota or grpjquota mount option is used multiple times, we +will leak memory allocated for the file name. Make sure the last setting +is used and all the previous ones are properly freed. + +Reported-by: syzbot+c9e294bbe0333a6b7640@syzkaller.appspotmail.com +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/reiserfs/super.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/fs/reiserfs/super.c b/fs/reiserfs/super.c +index de5eda33c92a0..ec5716dd58c23 100644 +--- a/fs/reiserfs/super.c ++++ b/fs/reiserfs/super.c +@@ -1264,6 +1264,10 @@ static int reiserfs_parse_options(struct super_block *s, + "turned on."); + return 0; + } ++ if (qf_names[qtype] != ++ REISERFS_SB(s)->s_qf_names[qtype]) ++ kfree(qf_names[qtype]); ++ qf_names[qtype] = NULL; + if (*arg) { /* Some filename specified? */ + if (REISERFS_SB(s)->s_qf_names[qtype] + && strcmp(REISERFS_SB(s)->s_qf_names[qtype], +@@ -1293,10 +1297,6 @@ static int reiserfs_parse_options(struct super_block *s, + else + *mount_options |= 1 << REISERFS_GRPQUOTA; + } else { +- if (qf_names[qtype] != +- REISERFS_SB(s)->s_qf_names[qtype]) +- kfree(qf_names[qtype]); +- qf_names[qtype] = NULL; + if (qtype == USRQUOTA) + *mount_options &= ~(1 << REISERFS_USRQUOTA); + else +-- +2.25.1 + diff --git a/queue-4.19/reiserfs-only-call-unlock_new_inode-if-i_new.patch b/queue-4.19/reiserfs-only-call-unlock_new_inode-if-i_new.patch new file mode 100644 index 00000000000..c6be5e3c63d --- /dev/null +++ b/queue-4.19/reiserfs-only-call-unlock_new_inode-if-i_new.patch @@ -0,0 +1,44 @@ +From 544f66c7d08a6e7311bcd0b041173667be990b13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Jun 2020 00:00:57 -0700 +Subject: reiserfs: only call unlock_new_inode() if I_NEW + +From: Eric Biggers + +[ Upstream commit 8859bf2b1278d064a139e3031451524a49a56bd0 ] + +unlock_new_inode() is only meant to be called after a new inode has +already been inserted into the hash table. But reiserfs_new_inode() can +call it even before it has inserted the inode, triggering the WARNING in +unlock_new_inode(). Fix this by only calling unlock_new_inode() if the +inode has the I_NEW flag set, indicating that it's in the table. + +This addresses the syzbot report "WARNING in unlock_new_inode" +(https://syzkaller.appspot.com/bug?extid=187510916eb6a14598f7). + +Link: https://lore.kernel.org/r/20200628070057.820213-1-ebiggers@kernel.org +Reported-by: syzbot+187510916eb6a14598f7@syzkaller.appspotmail.com +Signed-off-by: Eric Biggers +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/reiserfs/inode.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/reiserfs/inode.c b/fs/reiserfs/inode.c +index 70387650436cf..ac35ddf0dd603 100644 +--- a/fs/reiserfs/inode.c ++++ b/fs/reiserfs/inode.c +@@ -2161,7 +2161,8 @@ int reiserfs_new_inode(struct reiserfs_transaction_handle *th, + out_inserted_sd: + clear_nlink(inode); + th->t_trans_id = 0; /* so the caller can't use this handle later */ +- unlock_new_inode(inode); /* OK to do even if we hadn't locked it */ ++ if (inode->i_state & I_NEW) ++ unlock_new_inode(inode); + iput(inode); + return err; + } +-- +2.25.1 + diff --git a/queue-4.19/rpmsg-smd-fix-a-kobj-leak-in-in-qcom_smd_parse_edge.patch b/queue-4.19/rpmsg-smd-fix-a-kobj-leak-in-in-qcom_smd_parse_edge.patch new file mode 100644 index 00000000000..a59f26be147 --- /dev/null +++ b/queue-4.19/rpmsg-smd-fix-a-kobj-leak-in-in-qcom_smd_parse_edge.patch @@ -0,0 +1,111 @@ +From 24dce4c1446a703b96b5c8a3ba2f8c72eda7aec3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 10:18:41 +0300 +Subject: rpmsg: smd: Fix a kobj leak in in qcom_smd_parse_edge() + +From: Dan Carpenter + +[ Upstream commit e69ee0cf655e8e0c4a80f4319e36019b74f17639 ] + +We need to call of_node_put(node) on the error paths for this function. + +Fixes: 53e2822e56c7 ("rpmsg: Introduce Qualcomm SMD backend") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/20200908071841.GA294938@mwanda +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/rpmsg/qcom_smd.c | 32 ++++++++++++++++++++++---------- + 1 file changed, 22 insertions(+), 10 deletions(-) + +diff --git a/drivers/rpmsg/qcom_smd.c b/drivers/rpmsg/qcom_smd.c +index b2e5a6abf7d5c..aa008fa11002e 100644 +--- a/drivers/rpmsg/qcom_smd.c ++++ b/drivers/rpmsg/qcom_smd.c +@@ -1338,7 +1338,7 @@ static int qcom_smd_parse_edge(struct device *dev, + ret = of_property_read_u32(node, key, &edge->edge_id); + if (ret) { + dev_err(dev, "edge missing %s property\n", key); +- return -EINVAL; ++ goto put_node; + } + + edge->remote_pid = QCOM_SMEM_HOST_ANY; +@@ -1349,32 +1349,37 @@ static int qcom_smd_parse_edge(struct device *dev, + edge->mbox_client.knows_txdone = true; + edge->mbox_chan = mbox_request_channel(&edge->mbox_client, 0); + if (IS_ERR(edge->mbox_chan)) { +- if (PTR_ERR(edge->mbox_chan) != -ENODEV) +- return PTR_ERR(edge->mbox_chan); ++ if (PTR_ERR(edge->mbox_chan) != -ENODEV) { ++ ret = PTR_ERR(edge->mbox_chan); ++ goto put_node; ++ } + + edge->mbox_chan = NULL; + + syscon_np = of_parse_phandle(node, "qcom,ipc", 0); + if (!syscon_np) { + dev_err(dev, "no qcom,ipc node\n"); +- return -ENODEV; ++ ret = -ENODEV; ++ goto put_node; + } + + edge->ipc_regmap = syscon_node_to_regmap(syscon_np); +- if (IS_ERR(edge->ipc_regmap)) +- return PTR_ERR(edge->ipc_regmap); ++ if (IS_ERR(edge->ipc_regmap)) { ++ ret = PTR_ERR(edge->ipc_regmap); ++ goto put_node; ++ } + + key = "qcom,ipc"; + ret = of_property_read_u32_index(node, key, 1, &edge->ipc_offset); + if (ret < 0) { + dev_err(dev, "no offset in %s\n", key); +- return -EINVAL; ++ goto put_node; + } + + ret = of_property_read_u32_index(node, key, 2, &edge->ipc_bit); + if (ret < 0) { + dev_err(dev, "no bit in %s\n", key); +- return -EINVAL; ++ goto put_node; + } + } + +@@ -1385,7 +1390,8 @@ static int qcom_smd_parse_edge(struct device *dev, + irq = irq_of_parse_and_map(node, 0); + if (irq < 0) { + dev_err(dev, "required smd interrupt missing\n"); +- return -EINVAL; ++ ret = irq; ++ goto put_node; + } + + ret = devm_request_irq(dev, irq, +@@ -1393,12 +1399,18 @@ static int qcom_smd_parse_edge(struct device *dev, + node->name, edge); + if (ret) { + dev_err(dev, "failed to request smd irq\n"); +- return ret; ++ goto put_node; + } + + edge->irq = irq; + + return 0; ++ ++put_node: ++ of_node_put(node); ++ edge->of_node = NULL; ++ ++ return ret; + } + + /* +-- +2.25.1 + diff --git a/queue-4.19/rtl8xxxu-prevent-potential-memory-leak.patch b/queue-4.19/rtl8xxxu-prevent-potential-memory-leak.patch new file mode 100644 index 00000000000..098d7d32d29 --- /dev/null +++ b/queue-4.19/rtl8xxxu-prevent-potential-memory-leak.patch @@ -0,0 +1,65 @@ +From 8ac81d4bda36a1d9c3068924a45104c70824c966 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Sep 2020 12:04:24 +0800 +Subject: rtl8xxxu: prevent potential memory leak + +From: Chris Chiu + +[ Upstream commit 86279456a4d47782398d3cb8193f78f672e36cac ] + +Free the skb if usb_submit_urb fails on rx_urb. And free the urb +no matter usb_submit_urb succeeds or not in rtl8xxxu_submit_int_urb. + +Signed-off-by: Chris Chiu +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200906040424.22022-1-chiu@endlessm.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +index 070ea0f456abd..b80cff96dea1e 100644 +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +@@ -5453,7 +5453,6 @@ static int rtl8xxxu_submit_int_urb(struct ieee80211_hw *hw) + ret = usb_submit_urb(urb, GFP_KERNEL); + if (ret) { + usb_unanchor_urb(urb); +- usb_free_urb(urb); + goto error; + } + +@@ -5462,6 +5461,7 @@ static int rtl8xxxu_submit_int_urb(struct ieee80211_hw *hw) + rtl8xxxu_write32(priv, REG_USB_HIMR, val32); + + error: ++ usb_free_urb(urb); + return ret; + } + +@@ -5787,6 +5787,7 @@ static int rtl8xxxu_start(struct ieee80211_hw *hw) + struct rtl8xxxu_priv *priv = hw->priv; + struct rtl8xxxu_rx_urb *rx_urb; + struct rtl8xxxu_tx_urb *tx_urb; ++ struct sk_buff *skb; + unsigned long flags; + int ret, i; + +@@ -5837,6 +5838,13 @@ static int rtl8xxxu_start(struct ieee80211_hw *hw) + rx_urb->hw = hw; + + ret = rtl8xxxu_submit_rx_urb(priv, rx_urb); ++ if (ret) { ++ if (ret != -ENOMEM) { ++ skb = (struct sk_buff *)rx_urb->urb.context; ++ dev_kfree_skb(skb); ++ } ++ rtl8xxxu_queue_rx_urb(priv, rx_urb); ++ } + } + exit: + /* +-- +2.25.1 + diff --git a/queue-4.19/sched-features-fix-config_jump_label-case.patch b/queue-4.19/sched-features-fix-config_jump_label-case.patch new file mode 100644 index 00000000000..e7e8469051f --- /dev/null +++ b/queue-4.19/sched-features-fix-config_jump_label-case.patch @@ -0,0 +1,99 @@ +From 02c2586bfbf3302dfdcbdfca4ee840928b64aa47 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Oct 2020 07:31:14 +0200 +Subject: sched/features: Fix !CONFIG_JUMP_LABEL case + +From: Juri Lelli + +[ Upstream commit a73f863af4ce9730795eab7097fb2102e6854365 ] + +Commit: + + 765cc3a4b224e ("sched/core: Optimize sched_feat() for !CONFIG_SCHED_DEBUG builds") + +made sched features static for !CONFIG_SCHED_DEBUG configurations, but +overlooked the CONFIG_SCHED_DEBUG=y and !CONFIG_JUMP_LABEL cases. + +For the latter echoing changes to /sys/kernel/debug/sched_features has +the nasty effect of effectively changing what sched_features reports, +but without actually changing the scheduler behaviour (since different +translation units get different sysctl_sched_features). + +Fix CONFIG_SCHED_DEBUG=y and !CONFIG_JUMP_LABEL configurations by properly +restructuring ifdefs. + +Fixes: 765cc3a4b224e ("sched/core: Optimize sched_feat() for !CONFIG_SCHED_DEBUG builds") +Co-developed-by: Daniel Bristot de Oliveira +Signed-off-by: Daniel Bristot de Oliveira +Signed-off-by: Juri Lelli +Signed-off-by: Ingo Molnar +Acked-by: Patrick Bellasi +Reviewed-by: Valentin Schneider +Link: https://lore.kernel.org/r/20201013053114.160628-1-juri.lelli@redhat.com +Signed-off-by: Sasha Levin +--- + kernel/sched/core.c | 2 +- + kernel/sched/sched.h | 13 ++++++++++--- + 2 files changed, 11 insertions(+), 4 deletions(-) + +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index faef74f632620..b166320f7633e 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -24,7 +24,7 @@ + + DEFINE_PER_CPU_SHARED_ALIGNED(struct rq, runqueues); + +-#if defined(CONFIG_SCHED_DEBUG) && defined(CONFIG_JUMP_LABEL) ++#ifdef CONFIG_SCHED_DEBUG + /* + * Debugging: various feature bits + * +diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h +index 5f0eb4565957f..41b7954be68b7 100644 +--- a/kernel/sched/sched.h ++++ b/kernel/sched/sched.h +@@ -1361,7 +1361,7 @@ enum { + + #undef SCHED_FEAT + +-#if defined(CONFIG_SCHED_DEBUG) && defined(CONFIG_JUMP_LABEL) ++#ifdef CONFIG_SCHED_DEBUG + + /* + * To support run-time toggling of sched features, all the translation units +@@ -1369,6 +1369,7 @@ enum { + */ + extern const_debug unsigned int sysctl_sched_features; + ++#ifdef CONFIG_JUMP_LABEL + #define SCHED_FEAT(name, enabled) \ + static __always_inline bool static_branch_##name(struct static_key *key) \ + { \ +@@ -1381,7 +1382,13 @@ static __always_inline bool static_branch_##name(struct static_key *key) \ + extern struct static_key sched_feat_keys[__SCHED_FEAT_NR]; + #define sched_feat(x) (static_branch_##x(&sched_feat_keys[__SCHED_FEAT_##x])) + +-#else /* !(SCHED_DEBUG && CONFIG_JUMP_LABEL) */ ++#else /* !CONFIG_JUMP_LABEL */ ++ ++#define sched_feat(x) (sysctl_sched_features & (1UL << __SCHED_FEAT_##x)) ++ ++#endif /* CONFIG_JUMP_LABEL */ ++ ++#else /* !SCHED_DEBUG */ + + /* + * Each translation unit has its own copy of sysctl_sched_features to allow +@@ -1397,7 +1404,7 @@ static const_debug __maybe_unused unsigned int sysctl_sched_features = + + #define sched_feat(x) !!(sysctl_sched_features & (1UL << __SCHED_FEAT_##x)) + +-#endif /* SCHED_DEBUG && CONFIG_JUMP_LABEL */ ++#endif /* SCHED_DEBUG */ + + extern struct static_key_false sched_numa_balancing; + extern struct static_key_false sched_schedstats; +-- +2.25.1 + diff --git a/queue-4.19/scsi-be2iscsi-fix-a-theoretical-leak-in-beiscsi_crea.patch b/queue-4.19/scsi-be2iscsi-fix-a-theoretical-leak-in-beiscsi_crea.patch new file mode 100644 index 00000000000..fedbf54e3e3 --- /dev/null +++ b/queue-4.19/scsi-be2iscsi-fix-a-theoretical-leak-in-beiscsi_crea.patch @@ -0,0 +1,62 @@ +From 2e2adfc93f459d4c59866e4277ddcabb32b8da19 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Sep 2020 12:13:00 +0300 +Subject: scsi: be2iscsi: Fix a theoretical leak in beiscsi_create_eqs() + +From: Dan Carpenter + +[ Upstream commit 38b2db564d9ab7797192ef15d7aade30633ceeae ] + +The be_fill_queue() function can only fail when "eq_vaddress" is NULL and +since it's non-NULL here that means the function call can't fail. But +imagine if it could, then in that situation we would want to store the +"paddr" so that dma memory can be released. + +Link: https://lore.kernel.org/r/20200928091300.GD377727@mwanda +Fixes: bfead3b2cb46 ("[SCSI] be2iscsi: Adding msix and mcc_rings V3") +Signed-off-by: Dan Carpenter +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/be2iscsi/be_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/be2iscsi/be_main.c b/drivers/scsi/be2iscsi/be_main.c +index 3660059784f74..6221a8372cee2 100644 +--- a/drivers/scsi/be2iscsi/be_main.c ++++ b/drivers/scsi/be2iscsi/be_main.c +@@ -3039,6 +3039,7 @@ static int beiscsi_create_eqs(struct beiscsi_hba *phba, + goto create_eq_error; + } + ++ mem->dma = paddr; + mem->va = eq_vaddress; + ret = be_fill_queue(eq, phba->params.num_eq_entries, + sizeof(struct be_eq_entry), eq_vaddress); +@@ -3048,7 +3049,6 @@ static int beiscsi_create_eqs(struct beiscsi_hba *phba, + goto create_eq_error; + } + +- mem->dma = paddr; + ret = beiscsi_cmd_eq_create(&phba->ctrl, eq, + BEISCSI_EQ_DELAY_DEF); + if (ret) { +@@ -3105,6 +3105,7 @@ static int beiscsi_create_cqs(struct beiscsi_hba *phba, + goto create_cq_error; + } + ++ mem->dma = paddr; + ret = be_fill_queue(cq, phba->params.num_cq_entries, + sizeof(struct sol_cqe), cq_vaddress); + if (ret) { +@@ -3114,7 +3115,6 @@ static int beiscsi_create_cqs(struct beiscsi_hba *phba, + goto create_cq_error; + } + +- mem->dma = paddr; + ret = beiscsi_cmd_cq_create(&phba->ctrl, cq, eq, false, + false, 0); + if (ret) { +-- +2.25.1 + diff --git a/queue-4.19/scsi-csiostor-fix-wrong-return-value-in-csio_hw_prep.patch b/queue-4.19/scsi-csiostor-fix-wrong-return-value-in-csio_hw_prep.patch new file mode 100644 index 00000000000..a04710e58fc --- /dev/null +++ b/queue-4.19/scsi-csiostor-fix-wrong-return-value-in-csio_hw_prep.patch @@ -0,0 +1,38 @@ +From b801e7aa153cc5c9413fb05964c9efd63c88449e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 19:15:31 +0800 +Subject: scsi: csiostor: Fix wrong return value in csio_hw_prep_fw() + +From: Tianjia Zhang + +[ Upstream commit 44f4daf8678ae5f08c93bbe70792f90cd88e4649 ] + +On an error exit path, a negative error code should be returned instead of +a positive return value. + +Link: https://lore.kernel.org/r/20200802111531.5065-1-tianjia.zhang@linux.alibaba.com +Fixes: f40e74ffa3de ("csiostor:firmware upgrade fix") +Cc: Praveen Madhavan +Signed-off-by: Tianjia Zhang +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/csiostor/csio_hw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/csiostor/csio_hw.c b/drivers/scsi/csiostor/csio_hw.c +index e519238864758..1b6f9351b43f9 100644 +--- a/drivers/scsi/csiostor/csio_hw.c ++++ b/drivers/scsi/csiostor/csio_hw.c +@@ -2384,7 +2384,7 @@ static int csio_hw_prep_fw(struct csio_hw *hw, struct fw_info *fw_info, + FW_HDR_FW_VER_MICRO_G(c), FW_HDR_FW_VER_BUILD_G(c), + FW_HDR_FW_VER_MAJOR_G(k), FW_HDR_FW_VER_MINOR_G(k), + FW_HDR_FW_VER_MICRO_G(k), FW_HDR_FW_VER_BUILD_G(k)); +- ret = EINVAL; ++ ret = -EINVAL; + goto bye; + } + +-- +2.25.1 + diff --git a/queue-4.19/scsi-ibmvfc-fix-error-return-in-ibmvfc_probe.patch b/queue-4.19/scsi-ibmvfc-fix-error-return-in-ibmvfc_probe.patch new file mode 100644 index 00000000000..4d1d26bcd32 --- /dev/null +++ b/queue-4.19/scsi-ibmvfc-fix-error-return-in-ibmvfc_probe.patch @@ -0,0 +1,36 @@ +From 85acf0415df6d92e60e8822a3425022e29dca1c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 16:39:49 +0800 +Subject: scsi: ibmvfc: Fix error return in ibmvfc_probe() + +From: Jing Xiangfeng + +[ Upstream commit 5e48a084f4e824e1b624d3fd7ddcf53d2ba69e53 ] + +Fix to return error code PTR_ERR() from the error handling case instead of +0. + +Link: https://lore.kernel.org/r/20200907083949.154251-1-jingxiangfeng@huawei.com +Acked-by: Tyrel Datwyler +Signed-off-by: Jing Xiangfeng +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ibmvscsi/ibmvfc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/ibmvscsi/ibmvfc.c b/drivers/scsi/ibmvscsi/ibmvfc.c +index 71d53bb239e25..090ab377f65e5 100644 +--- a/drivers/scsi/ibmvscsi/ibmvfc.c ++++ b/drivers/scsi/ibmvscsi/ibmvfc.c +@@ -4795,6 +4795,7 @@ static int ibmvfc_probe(struct vio_dev *vdev, const struct vio_device_id *id) + if (IS_ERR(vhost->work_thread)) { + dev_err(dev, "Couldn't create kernel thread: %ld\n", + PTR_ERR(vhost->work_thread)); ++ rc = PTR_ERR(vhost->work_thread); + goto free_host_mem; + } + +-- +2.25.1 + diff --git a/queue-4.19/scsi-mvumi-fix-error-return-in-mvumi_io_attach.patch b/queue-4.19/scsi-mvumi-fix-error-return-in-mvumi_io_attach.patch new file mode 100644 index 00000000000..f07d6733e4a --- /dev/null +++ b/queue-4.19/scsi-mvumi-fix-error-return-in-mvumi_io_attach.patch @@ -0,0 +1,34 @@ +From d670839467597b6ba55add872bc653cab3215a7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Sep 2020 20:38:48 +0800 +Subject: scsi: mvumi: Fix error return in mvumi_io_attach() + +From: Jing Xiangfeng + +[ Upstream commit 055f15ab2cb4a5cbc4c0a775ef3d0066e0fa9b34 ] + +Return PTR_ERR() from the error handling case instead of 0. + +Link: https://lore.kernel.org/r/20200910123848.93649-1-jingxiangfeng@huawei.com +Signed-off-by: Jing Xiangfeng +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/mvumi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/mvumi.c b/drivers/scsi/mvumi.c +index b3cd9a6b1d306..b3df114a1200f 100644 +--- a/drivers/scsi/mvumi.c ++++ b/drivers/scsi/mvumi.c +@@ -2439,6 +2439,7 @@ static int mvumi_io_attach(struct mvumi_hba *mhba) + if (IS_ERR(mhba->dm_thread)) { + dev_err(&mhba->pdev->dev, + "failed to create device scan thread\n"); ++ ret = PTR_ERR(mhba->dm_thread); + mutex_unlock(&mhba->sas_discovery_mutex); + goto fail_create_thread; + } +-- +2.25.1 + diff --git a/queue-4.19/scsi-qedi-fix-list_del-corruption-while-removing-act.patch b/queue-4.19/scsi-qedi-fix-list_del-corruption-while-removing-act.patch new file mode 100644 index 00000000000..25befe54b72 --- /dev/null +++ b/queue-4.19/scsi-qedi-fix-list_del-corruption-while-removing-act.patch @@ -0,0 +1,71 @@ +From 6292fa57beba813ef2e8851cd9d1ce570625a6b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 02:56:52 -0700 +Subject: scsi: qedi: Fix list_del corruption while removing active I/O + +From: Nilesh Javali + +[ Upstream commit 28b35d17f9f8573d4646dd8df08917a4076a6b63 ] + +While aborting the I/O, the firmware cleanup task timed out and driver +deleted the I/O from active command list. Some time later the firmware +sent the cleanup task response and driver again deleted the I/O from +active command list causing firmware to send completion for non-existent +I/O and list_del corruption of active command list. + +Add fix to check if I/O is present before deleting it from the active +command list to ensure firmware sends valid I/O completion and protect +against list_del corruption. + +Link: https://lore.kernel.org/r/20200908095657.26821-4-mrangankar@marvell.com +Signed-off-by: Nilesh Javali +Signed-off-by: Manish Rangankar +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qedi/qedi_fw.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/qedi/qedi_fw.c b/drivers/scsi/qedi/qedi_fw.c +index 0d00970b7e25e..357a0acc5ed2f 100644 +--- a/drivers/scsi/qedi/qedi_fw.c ++++ b/drivers/scsi/qedi/qedi_fw.c +@@ -837,8 +837,11 @@ static void qedi_process_cmd_cleanup_resp(struct qedi_ctx *qedi, + qedi_clear_task_idx(qedi_conn->qedi, rtid); + + spin_lock(&qedi_conn->list_lock); +- list_del_init(&dbg_cmd->io_cmd); +- qedi_conn->active_cmd_count--; ++ if (likely(dbg_cmd->io_cmd_in_list)) { ++ dbg_cmd->io_cmd_in_list = false; ++ list_del_init(&dbg_cmd->io_cmd); ++ qedi_conn->active_cmd_count--; ++ } + spin_unlock(&qedi_conn->list_lock); + qedi_cmd->state = CLEANUP_RECV; + wake_up_interruptible(&qedi_conn->wait_queue); +@@ -1257,6 +1260,7 @@ int qedi_cleanup_all_io(struct qedi_ctx *qedi, struct qedi_conn *qedi_conn, + qedi_conn->cmd_cleanup_req++; + qedi_iscsi_cleanup_task(ctask, true); + ++ cmd->io_cmd_in_list = false; + list_del_init(&cmd->io_cmd); + qedi_conn->active_cmd_count--; + QEDI_WARN(&qedi->dbg_ctx, +@@ -1470,8 +1474,11 @@ static void qedi_tmf_work(struct work_struct *work) + spin_unlock_bh(&qedi_conn->tmf_work_lock); + + spin_lock(&qedi_conn->list_lock); +- list_del_init(&cmd->io_cmd); +- qedi_conn->active_cmd_count--; ++ if (likely(cmd->io_cmd_in_list)) { ++ cmd->io_cmd_in_list = false; ++ list_del_init(&cmd->io_cmd); ++ qedi_conn->active_cmd_count--; ++ } + spin_unlock(&qedi_conn->list_lock); + + clear_bit(QEDI_CONN_FW_CLEANUP, &qedi_conn->flags); +-- +2.25.1 + diff --git a/queue-4.19/scsi-qedi-protect-active-command-list-to-avoid-list-.patch b/queue-4.19/scsi-qedi-protect-active-command-list-to-avoid-list-.patch new file mode 100644 index 00000000000..b152f6a7716 --- /dev/null +++ b/queue-4.19/scsi-qedi-protect-active-command-list-to-avoid-list-.patch @@ -0,0 +1,108 @@ +From 562da9559e1484066f149efd857e1b9f2133969f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 02:56:53 -0700 +Subject: scsi: qedi: Protect active command list to avoid list corruption + +From: Nilesh Javali + +[ Upstream commit c0650e28448d606c84f76c34333dba30f61de993 ] + +Protect active command list for non-I/O commands like login response, +logout response, text response, and recovery cleanup of active list to +avoid list corruption. + +Link: https://lore.kernel.org/r/20200908095657.26821-5-mrangankar@marvell.com +Signed-off-by: Nilesh Javali +Signed-off-by: Manish Rangankar +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qedi/qedi_fw.c | 8 ++++++++ + drivers/scsi/qedi/qedi_iscsi.c | 2 ++ + 2 files changed, 10 insertions(+) + +diff --git a/drivers/scsi/qedi/qedi_fw.c b/drivers/scsi/qedi/qedi_fw.c +index 25d763ae5d5a6..0d00970b7e25e 100644 +--- a/drivers/scsi/qedi/qedi_fw.c ++++ b/drivers/scsi/qedi/qedi_fw.c +@@ -62,6 +62,7 @@ static void qedi_process_logout_resp(struct qedi_ctx *qedi, + "Freeing tid=0x%x for cid=0x%x\n", + cmd->task_id, qedi_conn->iscsi_conn_id); + ++ spin_lock(&qedi_conn->list_lock); + if (likely(cmd->io_cmd_in_list)) { + cmd->io_cmd_in_list = false; + list_del_init(&cmd->io_cmd); +@@ -72,6 +73,7 @@ static void qedi_process_logout_resp(struct qedi_ctx *qedi, + cmd->task_id, qedi_conn->iscsi_conn_id, + &cmd->io_cmd); + } ++ spin_unlock(&qedi_conn->list_lock); + + cmd->state = RESPONSE_RECEIVED; + qedi_clear_task_idx(qedi, cmd->task_id); +@@ -125,6 +127,7 @@ static void qedi_process_text_resp(struct qedi_ctx *qedi, + "Freeing tid=0x%x for cid=0x%x\n", + cmd->task_id, qedi_conn->iscsi_conn_id); + ++ spin_lock(&qedi_conn->list_lock); + if (likely(cmd->io_cmd_in_list)) { + cmd->io_cmd_in_list = false; + list_del_init(&cmd->io_cmd); +@@ -135,6 +138,7 @@ static void qedi_process_text_resp(struct qedi_ctx *qedi, + cmd->task_id, qedi_conn->iscsi_conn_id, + &cmd->io_cmd); + } ++ spin_unlock(&qedi_conn->list_lock); + + cmd->state = RESPONSE_RECEIVED; + qedi_clear_task_idx(qedi, cmd->task_id); +@@ -227,11 +231,13 @@ static void qedi_process_tmf_resp(struct qedi_ctx *qedi, + + tmf_hdr = (struct iscsi_tm *)qedi_cmd->task->hdr; + ++ spin_lock(&qedi_conn->list_lock); + if (likely(qedi_cmd->io_cmd_in_list)) { + qedi_cmd->io_cmd_in_list = false; + list_del_init(&qedi_cmd->io_cmd); + qedi_conn->active_cmd_count--; + } ++ spin_unlock(&qedi_conn->list_lock); + + if (((tmf_hdr->flags & ISCSI_FLAG_TM_FUNC_MASK) == + ISCSI_TM_FUNC_LOGICAL_UNIT_RESET) || +@@ -293,11 +299,13 @@ static void qedi_process_login_resp(struct qedi_ctx *qedi, + ISCSI_LOGIN_RESPONSE_HDR_DATA_SEG_LEN_MASK; + qedi_conn->gen_pdu.resp_wr_ptr = qedi_conn->gen_pdu.resp_buf + pld_len; + ++ spin_lock(&qedi_conn->list_lock); + if (likely(cmd->io_cmd_in_list)) { + cmd->io_cmd_in_list = false; + list_del_init(&cmd->io_cmd); + qedi_conn->active_cmd_count--; + } ++ spin_unlock(&qedi_conn->list_lock); + + memset(task_ctx, '\0', sizeof(*task_ctx)); + +diff --git a/drivers/scsi/qedi/qedi_iscsi.c b/drivers/scsi/qedi/qedi_iscsi.c +index aa451c8b49e56..4e8c5fcbded6a 100644 +--- a/drivers/scsi/qedi/qedi_iscsi.c ++++ b/drivers/scsi/qedi/qedi_iscsi.c +@@ -976,11 +976,13 @@ static void qedi_cleanup_active_cmd_list(struct qedi_conn *qedi_conn) + { + struct qedi_cmd *cmd, *cmd_tmp; + ++ spin_lock(&qedi_conn->list_lock); + list_for_each_entry_safe(cmd, cmd_tmp, &qedi_conn->active_cmd_list, + io_cmd) { + list_del_init(&cmd->io_cmd); + qedi_conn->active_cmd_count--; + } ++ spin_unlock(&qedi_conn->list_lock); + } + + static void qedi_ep_disconnect(struct iscsi_endpoint *ep) +-- +2.25.1 + diff --git a/queue-4.19/scsi-qla2xxx-fix-wrong-return-value-in-qla_nvme_regi.patch b/queue-4.19/scsi-qla2xxx-fix-wrong-return-value-in-qla_nvme_regi.patch new file mode 100644 index 00000000000..7a0af0b54ce --- /dev/null +++ b/queue-4.19/scsi-qla2xxx-fix-wrong-return-value-in-qla_nvme_regi.patch @@ -0,0 +1,38 @@ +From 7976e1c2a75247fc88a125e20e55ee45274dd5d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 19:15:30 +0800 +Subject: scsi: qla2xxx: Fix wrong return value in qla_nvme_register_hba() + +From: Tianjia Zhang + +[ Upstream commit ca4fb89a3d714a770e9c73c649da830f3f4a5326 ] + +On an error exit path, a negative error code should be returned instead of +a positive return value. + +Link: https://lore.kernel.org/r/20200802111530.5020-1-tianjia.zhang@linux.alibaba.com +Fixes: 8777e4314d39 ("scsi: qla2xxx: Migrate NVME N2N handling into state machine") +Cc: Quinn Tran +Signed-off-by: Tianjia Zhang +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_nvme.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/qla2xxx/qla_nvme.c b/drivers/scsi/qla2xxx/qla_nvme.c +index 3e2f8ce1d9a97..7821c1695e824 100644 +--- a/drivers/scsi/qla2xxx/qla_nvme.c ++++ b/drivers/scsi/qla2xxx/qla_nvme.c +@@ -676,7 +676,7 @@ int qla_nvme_register_hba(struct scsi_qla_host *vha) + struct nvme_fc_port_template *tmpl; + struct qla_hw_data *ha; + struct nvme_fc_port_info pinfo; +- int ret = EINVAL; ++ int ret = -EINVAL; + + if (!IS_ENABLED(CONFIG_NVME_FC)) + return ret; +-- +2.25.1 + diff --git a/queue-4.19/scsi-qla4xxx-fix-an-error-handling-path-in-qla4xxx_g.patch b/queue-4.19/scsi-qla4xxx-fix-an-error-handling-path-in-qla4xxx_g.patch new file mode 100644 index 00000000000..3da09befb73 --- /dev/null +++ b/queue-4.19/scsi-qla4xxx-fix-an-error-handling-path-in-qla4xxx_g.patch @@ -0,0 +1,38 @@ +From 324e95f7c365d384ea00f9070d8f4ac8cdc06b55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 12:15:27 +0200 +Subject: scsi: qla4xxx: Fix an error handling path in + 'qla4xxx_get_host_stats()' + +From: Christophe JAILLET + +[ Upstream commit 574918e69720fe62ab3eb42ec3750230c8d16b06 ] + +Update the size used in 'dma_free_coherent()' in order to match the one +used in the corresponding 'dma_alloc_coherent()'. + +Link: https://lore.kernel.org/r/20200802101527.676054-1-christophe.jaillet@wanadoo.fr +Fixes: 4161cee52df8 ("[SCSI] qla4xxx: Add host statistics support") +Signed-off-by: Christophe JAILLET +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla4xxx/ql4_os.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c +index f59b8982b2883..4ba9f46fcf748 100644 +--- a/drivers/scsi/qla4xxx/ql4_os.c ++++ b/drivers/scsi/qla4xxx/ql4_os.c +@@ -1221,7 +1221,7 @@ static int qla4xxx_get_host_stats(struct Scsi_Host *shost, char *buf, int len) + le64_to_cpu(ql_iscsi_stats->iscsi_sequence_error); + exit_host_stats: + if (ql_iscsi_stats) +- dma_free_coherent(&ha->pdev->dev, host_stats_size, ++ dma_free_coherent(&ha->pdev->dev, stats_size, + ql_iscsi_stats, iscsi_stats_dma); + + ql4_printk(KERN_INFO, ha, "%s: Get host stats done\n", +-- +2.25.1 + diff --git a/queue-4.19/scsi-target-core-add-control-field-for-trace-events.patch b/queue-4.19/scsi-target-core-add-control-field-for-trace-events.patch new file mode 100644 index 00000000000..5286d89249a --- /dev/null +++ b/queue-4.19/scsi-target-core-add-control-field-for-trace-events.patch @@ -0,0 +1,113 @@ +From a27a0df5c68539f188ba38dabc7b6ae28aa26ec4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Sep 2020 15:59:57 +0300 +Subject: scsi: target: core: Add CONTROL field for trace events + +From: Roman Bolshakov + +[ Upstream commit 7010645ba7256992818b518163f46bd4cdf8002a ] + +trace-cmd report doesn't show events from target subsystem because +scsi_command_size() leaks through event format string: + + [target:target_sequencer_start] function scsi_command_size not defined + [target:target_cmd_complete] function scsi_command_size not defined + +Addition of scsi_command_size() to plugin_scsi.c in trace-cmd doesn't +help because an expression is used inside TP_printk(). trace-cmd event +parser doesn't understand minus sign inside [ ]: + + Error: expected ']' but read '-' + +Rather than duplicating kernel code in plugin_scsi.c, provide a dedicated +field for CONTROL byte. + +Link: https://lore.kernel.org/r/20200929125957.83069-1-r.bolshakov@yadro.com +Reviewed-by: Mike Christie +Signed-off-by: Roman Bolshakov +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + include/scsi/scsi_common.h | 7 +++++++ + include/trace/events/target.h | 12 ++++++------ + 2 files changed, 13 insertions(+), 6 deletions(-) + +diff --git a/include/scsi/scsi_common.h b/include/scsi/scsi_common.h +index 731ac09ed2313..5b567b43e1b16 100644 +--- a/include/scsi/scsi_common.h ++++ b/include/scsi/scsi_common.h +@@ -25,6 +25,13 @@ scsi_command_size(const unsigned char *cmnd) + scsi_varlen_cdb_length(cmnd) : COMMAND_SIZE(cmnd[0]); + } + ++static inline unsigned char ++scsi_command_control(const unsigned char *cmnd) ++{ ++ return (cmnd[0] == VARIABLE_LENGTH_CMD) ? ++ cmnd[1] : cmnd[COMMAND_SIZE(cmnd[0]) - 1]; ++} ++ + /* Returns a human-readable name for the device */ + extern const char *scsi_device_type(unsigned type); + +diff --git a/include/trace/events/target.h b/include/trace/events/target.h +index 914a872dd3435..e87a3716b0ac9 100644 +--- a/include/trace/events/target.h ++++ b/include/trace/events/target.h +@@ -140,6 +140,7 @@ TRACE_EVENT(target_sequencer_start, + __field( unsigned int, opcode ) + __field( unsigned int, data_length ) + __field( unsigned int, task_attribute ) ++ __field( unsigned char, control ) + __array( unsigned char, cdb, TCM_MAX_COMMAND_SIZE ) + __string( initiator, cmd->se_sess->se_node_acl->initiatorname ) + ), +@@ -149,6 +150,7 @@ TRACE_EVENT(target_sequencer_start, + __entry->opcode = cmd->t_task_cdb[0]; + __entry->data_length = cmd->data_length; + __entry->task_attribute = cmd->sam_task_attr; ++ __entry->control = scsi_command_control(cmd->t_task_cdb); + memcpy(__entry->cdb, cmd->t_task_cdb, TCM_MAX_COMMAND_SIZE); + __assign_str(initiator, cmd->se_sess->se_node_acl->initiatorname); + ), +@@ -158,9 +160,7 @@ TRACE_EVENT(target_sequencer_start, + show_opcode_name(__entry->opcode), + __entry->data_length, __print_hex(__entry->cdb, 16), + show_task_attribute_name(__entry->task_attribute), +- scsi_command_size(__entry->cdb) <= 16 ? +- __entry->cdb[scsi_command_size(__entry->cdb) - 1] : +- __entry->cdb[1] ++ __entry->control + ) + ); + +@@ -175,6 +175,7 @@ TRACE_EVENT(target_cmd_complete, + __field( unsigned int, opcode ) + __field( unsigned int, data_length ) + __field( unsigned int, task_attribute ) ++ __field( unsigned char, control ) + __field( unsigned char, scsi_status ) + __field( unsigned char, sense_length ) + __array( unsigned char, cdb, TCM_MAX_COMMAND_SIZE ) +@@ -187,6 +188,7 @@ TRACE_EVENT(target_cmd_complete, + __entry->opcode = cmd->t_task_cdb[0]; + __entry->data_length = cmd->data_length; + __entry->task_attribute = cmd->sam_task_attr; ++ __entry->control = scsi_command_control(cmd->t_task_cdb); + __entry->scsi_status = cmd->scsi_status; + __entry->sense_length = cmd->scsi_status == SAM_STAT_CHECK_CONDITION ? + min(18, ((u8 *) cmd->sense_buffer)[SPC_ADD_SENSE_LEN_OFFSET] + 8) : 0; +@@ -203,9 +205,7 @@ TRACE_EVENT(target_cmd_complete, + show_opcode_name(__entry->opcode), + __entry->data_length, __print_hex(__entry->cdb, 16), + show_task_attribute_name(__entry->task_attribute), +- scsi_command_size(__entry->cdb) <= 16 ? +- __entry->cdb[scsi_command_size(__entry->cdb) - 1] : +- __entry->cdb[1] ++ __entry->control + ) + ); + +-- +2.25.1 + diff --git a/queue-4.19/scsi-target-tcmu-fix-warning-page-may-be-used-uninit.patch b/queue-4.19/scsi-target-tcmu-fix-warning-page-may-be-used-uninit.patch new file mode 100644 index 00000000000..4e69961f15e --- /dev/null +++ b/queue-4.19/scsi-target-tcmu-fix-warning-page-may-be-used-uninit.patch @@ -0,0 +1,39 @@ +From 5fe72ebcf53c124de588af5e38c4a98f9f4c6d80 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Sep 2020 17:19:20 -0700 +Subject: scsi: target: tcmu: Fix warning: 'page' may be used uninitialized + +From: John Donnelly + +[ Upstream commit 61741d8699e1fc764a309ebd20211bb1cb193110 ] + +Corrects drivers/target/target_core_user.c:688:6: warning: 'page' may be +used uninitialized. + +Link: https://lore.kernel.org/r/20200924001920.43594-1-john.p.donnelly@oracle.com +Fixes: 3c58f737231e ("scsi: target: tcmu: Optimize use of flush_dcache_page") +Cc: Mike Christie +Acked-by: Mike Christie +Signed-off-by: John Donnelly +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_user.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c +index 99314e5162447..0219b5a865bee 100644 +--- a/drivers/target/target_core_user.c ++++ b/drivers/target/target_core_user.c +@@ -680,7 +680,7 @@ static void scatter_data_area(struct tcmu_dev *udev, + void *from, *to = NULL; + size_t copy_bytes, to_offset, offset; + struct scatterlist *sg; +- struct page *page; ++ struct page *page = NULL; + + for_each_sg(data_sg, sg, data_nents, i) { + int sg_remaining = sg->length; +-- +2.25.1 + diff --git a/queue-4.19/scsi-ufs-ufs-qcom-fix-race-conditions-caused-by-ufs_.patch b/queue-4.19/scsi-ufs-ufs-qcom-fix-race-conditions-caused-by-ufs_.patch new file mode 100644 index 00000000000..4ca944d3e63 --- /dev/null +++ b/queue-4.19/scsi-ufs-ufs-qcom-fix-race-conditions-caused-by-ufs_.patch @@ -0,0 +1,53 @@ +From 01417140a31ebabba97fdea0c0ad136b76f60275 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Aug 2020 05:15:48 -0700 +Subject: scsi: ufs: ufs-qcom: Fix race conditions caused by + ufs_qcom_testbus_config() + +From: Can Guo + +[ Upstream commit 89dd87acd40a44de8ff3358138aedf8f73f4efc6 ] + +If ufs_qcom_dump_dbg_regs() calls ufs_qcom_testbus_config() from +ufshcd_suspend/resume and/or clk gate/ungate context, pm_runtime_get_sync() +and ufshcd_hold() will cause a race condition. Fix this by removing the +unnecessary calls of pm_runtime_get_sync() and ufshcd_hold(). + +Link: https://lore.kernel.org/r/1596975355-39813-3-git-send-email-cang@codeaurora.org +Reviewed-by: Hongwu Su +Reviewed-by: Avri Altman +Reviewed-by: Bean Huo +Reviewed-by: Asutosh Das +Signed-off-by: Can Guo +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufs-qcom.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/drivers/scsi/ufs/ufs-qcom.c b/drivers/scsi/ufs/ufs-qcom.c +index 21e3ff590ec91..798a74535ea7b 100644 +--- a/drivers/scsi/ufs/ufs-qcom.c ++++ b/drivers/scsi/ufs/ufs-qcom.c +@@ -1581,9 +1581,6 @@ int ufs_qcom_testbus_config(struct ufs_qcom_host *host) + */ + } + mask <<= offset; +- +- pm_runtime_get_sync(host->hba->dev); +- ufshcd_hold(host->hba, false); + ufshcd_rmwl(host->hba, TEST_BUS_SEL, + (u32)host->testbus.select_major << 19, + REG_UFS_CFG1); +@@ -1596,8 +1593,6 @@ int ufs_qcom_testbus_config(struct ufs_qcom_host *host) + * committed before returning. + */ + mb(); +- ufshcd_release(host->hba); +- pm_runtime_put_sync(host->hba->dev); + + return 0; + } +-- +2.25.1 + diff --git a/queue-4.19/series b/queue-4.19/series index 9754ef05dd6..3b67493dfa7 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -30,3 +30,231 @@ kvm-x86-mmu-commit-zap-of-remaining-invalid-pages-when-recovering-lpages.patch kvm-svm-initialize-prev_ga_tag-before-use.patch ima-don-t-ignore-errors-from-crypto_shash_update.patch crypto-algif_aead-do-not-set-may_backlog-on-the-async-path.patch +edac-i5100-fix-error-handling-order-in-i5100_init_on.patch +edac-ti-fix-handling-of-platform_get_irq-error.patch +x86-fpu-allow-multiple-bits-in-clearcpuid-parameter.patch +drivers-perf-xgene_pmu-fix-uninitialized-resource-st.patch +x86-nmi-fix-nmi_handle-duration-miscalculation.patch +x86-events-amd-iommu-fix-sizeof-mismatch.patch +crypto-algif_skcipher-ebusy-on-aio-should-be-an-erro.patch +crypto-mediatek-fix-wrong-return-value-in-mtk_desc_r.patch +crypto-ixp4xx-fix-the-size-used-in-a-dma_free_cohere.patch +crypto-picoxcell-fix-potential-race-condition-bug.patch +media-tuner-simple-fix-regression-in-simple_set_radi.patch +media-revert-media-exynos4-is-add-missed-check-for-p.patch +media-m5mols-check-function-pointer-in-m5mols_sensor.patch +media-uvcvideo-set-media-controller-entity-functions.patch +media-uvcvideo-silence-shift-out-of-bounds-warning.patch +media-omap3isp-fix-memleak-in-isp_probe.patch +crypto-omap-sham-fix-digcnt-register-handling-with-e.patch +hwmon-pmbus-max34440-fix-status-register-reads-for-m.patch +cypto-mediatek-fix-leaks-in-mtk_desc_ring_alloc.patch +media-mx2_emmaprp-fix-memleak-in-emmaprp_probe.patch +media-tc358743-initialize-variable.patch +media-tc358743-cleanup-tc358743_cec_isr.patch +media-rcar-vin-fix-a-reference-count-leak.patch +media-rockchip-rga-fix-a-reference-count-leak.patch +media-platform-fcp-fix-a-reference-count-leak.patch +media-camss-fix-a-reference-count-leak.patch +media-s5p-mfc-fix-a-reference-count-leak.patch +media-stm32-dcmi-fix-a-reference-count-leak.patch +media-ti-vpe-fix-a-missing-check-and-reference-count.patch +regulator-resolve-supply-after-creating-regulator.patch +pinctrl-bcm-fix-kconfig-dependency-warning-when-gpio.patch +spi-spi-s3c64xx-swap-s3c64xx_spi_set_cs-and-s3c64xx_.patch +spi-spi-s3c64xx-check-return-values.patch +ath10k-provide-survey-info-as-accumulated-data.patch +bluetooth-hci_uart-cancel-init-work-before-unregiste.patch +ath6kl-prevent-potential-array-overflow-in-ath6kl_ad.patch +ath9k-fix-potential-out-of-bounds-in-ath9k_htc_txcom.patch +ath10k-fix-the-size-used-in-a-dma_free_coherent-call.patch +wcn36xx-fix-reported-802.11n-rx_highest-rate-wcn3660.patch +asoc-qcom-lpass-platform-fix-memory-leak.patch +asoc-qcom-lpass-cpu-fix-concurrency-issue.patch +brcmfmac-check-ndev-pointer.patch +mwifiex-do-not-use-gfp_kernel-in-atomic-context.patch +staging-rtl8192u-do-not-use-gfp_kernel-in-atomic-con.patch +drm-gma500-fix-error-check.patch +scsi-qla4xxx-fix-an-error-handling-path-in-qla4xxx_g.patch +scsi-qla2xxx-fix-wrong-return-value-in-qla_nvme_regi.patch +scsi-csiostor-fix-wrong-return-value-in-csio_hw_prep.patch +drm-radeon-prefer-lower-feedback-dividers.patch +backlight-sky81452-backlight-fix-refcount-imbalance-.patch +vmci-check-return-value-of-get_user_pages_fast-for-e.patch +tty-serial-earlycon-dependency.patch +tty-hvcs-don-t-null-tty-driver_data-until-hvcs_clean.patch +pty-do-tty_flip_buffer_push-without-port-lock-in-pty.patch +pwm-lpss-fix-off-by-one-error-in-base_unit-math-in-p.patch +pwm-lpss-add-range-limit-check-for-the-base_unit-reg.patch +drivers-virt-fsl_hypervisor-fix-error-handling-path.patch +video-fbdev-vga16fb-fix-setting-of-pixclock-because-.patch +video-fbdev-sis-fix-null-ptr-dereference.patch +video-fbdev-radeon-fix-memleak-in-radeonfb_pci_regis.patch +hid-roccat-add-bounds-checking-in-kone_sysfs_write_s.patch +pinctrl-mcp23s08-fix-mcp23x17_regmap-initialiser.patch +pinctrl-mcp23s08-fix-mcp23x17-precious-range.patch +net-mlx5-don-t-call-timecounter-cyc2time-directly-fr.patch +net-stmmac-use-netif_tx_start-stop_all_queues-functi.patch +cpufreq-armada-37xx-add-missing-module_device_table.patch +net-dsa-rtl8366-check-validity-of-passed-vlans.patch +net-dsa-rtl8366-refactor-vlan-pvid-init.patch +net-dsa-rtl8366-skip-pvid-setting-if-not-requested.patch +net-dsa-rtl8366rb-support-all-4096-vlans.patch +ath6kl-wmi-prevent-a-shift-wrapping-bug-in-ath6kl_wm.patch +misc-mic-scif-fix-error-handling-path.patch +alsa-seq-oss-avoid-mutex-lock-for-a-long-time-ioctl.patch +usb-dwc2-fix-parameter-type-in-function-pointer-prot.patch +quota-clear-padding-in-v2r1_mem2diskdqb.patch +slimbus-core-check-get_addr-before-removing-laddr-id.patch +slimbus-core-do-not-enter-to-clock-pause-mode-in-cor.patch +slimbus-qcom-ngd-ctrl-disable-ngd-in-qmi-server-down.patch +hid-hid-input-fix-stylus-battery-reporting.patch +nvmem-core-fix-possibly-memleak-when-use-nvmem_cell_.patch +qtnfmac-fix-resource-leaks-on-unsupported-iftype-err.patch +net-enic-cure-the-enic-api-locking-trainwreck.patch +mfd-sm501-fix-leaks-in-probe.patch +iwlwifi-mvm-split-a-print-to-avoid-a-warning-in-roc.patch +usb-gadget-f_ncm-fix-ncm_bitrate-for-superspeed-and-.patch +usb-gadget-u_ether-enable-qmult-on-superspeed-plus-a.patch +nl80211-fix-non-split-wiphy-information.patch +usb-dwc2-fix-intr-out-transfers-in-ddma-mode.patch +scsi-target-tcmu-fix-warning-page-may-be-used-uninit.patch +scsi-be2iscsi-fix-a-theoretical-leak-in-beiscsi_crea.patch +platform-x86-mlx-platform-remove-psu-eeprom-configur.patch +mwifiex-fix-double-free.patch +net-fec-fix-phy-init-after-phy_reset_after_clk_enabl.patch +ipvs-clear-skb-tstamp-in-forwarding-path.patch +net-korina-fix-kfree-of-rx-tx-descriptor-array.patch +netfilter-nf_log-missing-vlan-offload-tag-and-proto.patch +mm-memcg-fix-device-private-memcg-accounting.patch +mm-oom_adj-don-t-loop-through-tasks-in-__set_oom_adj.patch +ib-mlx4-fix-starvation-in-paravirt-mux-demux.patch +ib-mlx4-adjust-delayed-work-when-a-dup-is-observed.patch +powerpc-pseries-fix-missing-of_node_put-in-rng_init.patch +powerpc-icp-hv-fix-missing-of_node_put-in-success-pa.patch +rdma-ucma-fix-locking-for-ctx-events_reported.patch +rdma-ucma-add-missing-locking-around-rdma_leave_mult.patch +mtd-lpddr-fix-excessive-stack-usage-with-clang.patch +powerpc-pseries-explicitly-reschedule-during-drmem_l.patch +mtd-mtdoops-don-t-write-panic-data-twice.patch +arm-9007-1-l2c-fix-prefetch-bits-init-in-l2x0_aux_ct.patch +arc-plat-hsdk-fix-kconfig-dependency-warning-when-re.patch +xfs-limit-entries-returned-when-counting-fsmap-recor.patch +xfs-fix-high-key-handling-in-the-rt-allocator-s-quer.patch +rdma-qedr-fix-use-of-uninitialized-field.patch +rdma-qedr-fix-inline-size-returned-for-iwarp.patch +powerpc-tau-use-appropriate-temperature-sample-inter.patch +powerpc-tau-convert-from-timer-to-workqueue.patch +powerpc-tau-remove-duplicated-set_thresholds-call.patch +powerpc-tau-check-processor-type-before-enabling-tau.patch +powerpc-tau-disable-tau-between-measurements.patch +powerpc-64s-radix-fix-mm_cpumask-trimming-race-vs-kt.patch +rdma-cma-remove-dead-code-for-kernel-rdmacm-multicas.patch +rdma-cma-consolidate-the-destruction-of-a-cma_multic.patch +perf-intel-pt-fix-context_switch-event-has-no-tid-er.patch +rdma-hns-set-the-unsupported-wr-opcode.patch +rdma-hns-fix-missing-sq_sig_type-when-querying-qp.patch +kdb-fix-pager-search-for-multi-line-strings.patch +overflow-include-header-file-with-size_max-declarati.patch +powerpc-perf-exclude-pmc5-6-from-the-irrelevant-pmu-.patch +powerpc-perf-hv-gpci-fix-starting-index-value.patch +cpufreq-powernv-fix-frame-size-overflow-in-powernv_c.patch +ib-rdmavt-fix-sizeof-mismatch.patch +f2fs-wait-for-sysfs-kobject-removal-before-freeing-f.patch +lib-crc32.c-fix-trivial-typo-in-preprocessor-conditi.patch +ramfs-fix-nommu-mmap-with-gaps-in-the-page-cache.patch +rapidio-fix-error-handling-path.patch +rapidio-fix-the-missed-put_device-for-rio_mport_add_.patch +mailbox-avoid-timer-start-from-callback.patch +i2c-rcar-auto-select-reset_controller.patch +pci-iproc-set-affinity-mask-on-msi-interrupts.patch +rpmsg-smd-fix-a-kobj-leak-in-in-qcom_smd_parse_edge.patch +pwm-img-fix-null-pointer-access-in-probe.patch +clk-rockchip-initialize-hw-to-error-to-avoid-undefin.patch +clk-at91-clk-main-update-key-before-writing-at91_ckg.patch +clk-bcm2835-add-missing-release-if-devm_clk_hw_regis.patch +watchdog-fix-memleak-in-watchdog_cdev_register.patch +watchdog-use-put_device-on-error.patch +watchdog-sp5100-fix-definition-of-efch_pm_decodeen3.patch +svcrdma-fix-bounce-buffers-for-unaligned-offsets-and.patch +ext4-limit-entries-returned-when-counting-fsmap-reco.patch +vfio-pci-clear-token-on-bypass-registration-failure.patch +vfio-iommu-type1-fix-memory-leak-in-vfio_iommu_type1.patch +sunrpc-fix-copying-of-multiple-pages-in-gss_read_pro.patch +input-imx6ul_tsc-clean-up-some-errors-in-imx6ul_tsc_.patch +input-stmfts-fix-a-vs-typo.patch +input-ep93xx_keypad-fix-handling-of-platform_get_irq.patch +input-omap4-keypad-fix-handling-of-platform_get_irq-.patch +input-twl4030_keypad-fix-handling-of-platform_get_ir.patch +input-sun4i-ps2-fix-handling-of-platform_get_irq-err.patch +kvm-x86-emulating-rdpid-failure-shall-return-ud-rath.patch +netfilter-conntrack-connection-timeout-after-re-regi.patch +netfilter-nf_fwd_netdev-clear-timestamp-in-forwardin.patch +arm-dts-imx6sl-fix-rng-node.patch +arm-dts-sun8i-r40-bananapi-m2-ultra-fix-dcdc1-regula.patch +memory-omap-gpmc-fix-a-couple-off-by-ones.patch +memory-omap-gpmc-fix-build-error-without-config_of.patch +memory-fsl-corenet-cf-fix-handling-of-platform_get_i.patch +arm64-dts-qcom-pm8916-remove-invalid-reg-size-from-w.patch +arm64-dts-qcom-msm8916-fix-mdp-dsi-interrupts.patch +arm-dts-owl-s500-fix-incorrect-ppi-interrupt-specifi.patch +arm64-dts-zynqmp-remove-additional-compatible-string.patch +powerpc-powernv-dump-fix-race-while-processing-opal-.patch +nvmet-fix-uninitialized-work-for-zero-kato.patch +ntb-hw-amd-fix-an-issue-about-leak-system-resources.patch +sched-features-fix-config_jump_label-case.patch +perf-correct-snoopx-field-offset.patch +i2c-core-restore-acpi_walk_dep_device_list-getting-c.patch +block-ratelimit-handle_bad_sector-message.patch +crypto-ccp-fix-error-handling.patch +media-firewire-fix-memory-leak.patch +media-ati_remote-sanity-check-for-both-endpoints.patch +media-st-delta-fix-reference-count-leak-in-delta_run.patch +media-sti-fix-reference-count-leaks.patch +media-exynos4-is-fix-several-reference-count-leaks-d.patch +media-exynos4-is-fix-a-reference-count-leak-due-to-p.patch +media-exynos4-is-fix-a-reference-count-leak.patch +media-vsp1-fix-runtime-pm-imbalance-on-error.patch +media-platform-s3c-camif-fix-runtime-pm-imbalance-on.patch +media-platform-sti-hva-fix-runtime-pm-imbalance-on-e.patch +media-bdisp-fix-runtime-pm-imbalance-on-error.patch +media-media-pci-prevent-memory-leak-in-bttv_probe.patch +media-uvcvideo-ensure-all-probed-info-is-returned-to.patch +mmc-sdio-check-for-cistpl_vers_1-buffer-size.patch +media-saa7134-avoid-a-shift-overflow.patch +fs-dlm-fix-configfs-memory-leak.patch +media-venus-core-fix-runtime-pm-imbalance-in-venus_p.patch +ntfs-add-check-for-mft-record-size-in-superblock.patch +ip_gre-set-dev-hard_header_len-and-dev-needed_headro.patch +mac80211-handle-lack-of-sband-bitrates-in-rates.patch +pm-hibernate-remove-the-bogus-call-to-get_gendisk-in.patch +scsi-mvumi-fix-error-return-in-mvumi_io_attach.patch +scsi-target-core-add-control-field-for-trace-events.patch +mic-vop-copy-data-to-kernel-space-then-write-to-io-m.patch +misc-vop-add-round_up-x-4-for-vring_size-to-avoid-ke.patch +usb-gadget-function-printer-fix-use-after-free-in-__.patch +udf-limit-sparing-table-size.patch +udf-avoid-accessing-uninitialized-data-on-failed-ino.patch +usb-cdc-acm-handle-broken-union-descriptors.patch +usb-dwc3-simple-add-support-for-hikey-970.patch +can-flexcan-flexcan_chip_stop-add-error-handling-and.patch +ath9k-hif_usb-fix-race-condition-between-usb_get_urb.patch +misc-rtsx-fix-memory-leak-in-rtsx_pci_probe.patch +reiserfs-only-call-unlock_new_inode-if-i_new.patch +xfs-make-sure-the-rt-allocator-doesn-t-run-off-the-e.patch +usb-ohci-default-to-per-port-over-current-protection.patch +bluetooth-only-mark-socket-zapped-after-unlocking.patch +scsi-ibmvfc-fix-error-return-in-ibmvfc_probe.patch +brcmsmac-fix-memory-leak-in-wlc_phy_attach_lcnphy.patch +rtl8xxxu-prevent-potential-memory-leak.patch +fix-use-after-free-in-get_capset_info-callback.patch +scsi-qedi-protect-active-command-list-to-avoid-list-.patch +scsi-qedi-fix-list_del-corruption-while-removing-act.patch +tty-ipwireless-fix-error-handling.patch +ipvs-fix-uninit-value-in-do_ip_vs_set_ctl.patch +reiserfs-fix-memory-leak-in-reiserfs_parse_options.patch +mwifiex-don-t-call-del_timer_sync-on-uninitialized-t.patch +brcm80211-fix-possible-memleak-in-brcmf_proto_msgbuf.patch +usb-core-solve-race-condition-in-anchor-cleanup-func.patch +scsi-ufs-ufs-qcom-fix-race-conditions-caused-by-ufs_.patch +ath10k-check-idx-validity-in-__ath10k_htt_rx_ring_fi.patch diff --git a/queue-4.19/slimbus-core-check-get_addr-before-removing-laddr-id.patch b/queue-4.19/slimbus-core-check-get_addr-before-removing-laddr-id.patch new file mode 100644 index 00000000000..8ec71e43b64 --- /dev/null +++ b/queue-4.19/slimbus-core-check-get_addr-before-removing-laddr-id.patch @@ -0,0 +1,42 @@ +From 974a453eb3aefba8a6dd9f92c4ca1a97cac36e23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 10:55:18 +0100 +Subject: slimbus: core: check get_addr before removing laddr ida + +From: Srinivas Kandagatla + +[ Upstream commit f97769fde678e111a1b7b165b380d8a3dfe54f4e ] + +logical address can be either assigned by the SLIMBus controller or the core. +Core uses IDA in cases where get_addr callback is not provided by the +controller. +Core already has this check while allocating IDR, however during absence +reporting this is not checked. This patch fixes this issue. + +Fixes: 46a2bb5a7f7e ("slimbus: core: Add slim controllers support") +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20200925095520.27316-2-srinivas.kandagatla@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/slimbus/core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/slimbus/core.c b/drivers/slimbus/core.c +index 943172806a8a7..6e690aaacad1e 100644 +--- a/drivers/slimbus/core.c ++++ b/drivers/slimbus/core.c +@@ -297,8 +297,8 @@ void slim_report_absent(struct slim_device *sbdev) + mutex_lock(&ctrl->lock); + sbdev->is_laddr_valid = false; + mutex_unlock(&ctrl->lock); +- +- ida_simple_remove(&ctrl->laddr_ida, sbdev->laddr); ++ if (!ctrl->get_laddr) ++ ida_simple_remove(&ctrl->laddr_ida, sbdev->laddr); + slim_device_update_status(sbdev, SLIM_DEVICE_STATUS_DOWN); + } + EXPORT_SYMBOL_GPL(slim_report_absent); +-- +2.25.1 + diff --git a/queue-4.19/slimbus-core-do-not-enter-to-clock-pause-mode-in-cor.patch b/queue-4.19/slimbus-core-do-not-enter-to-clock-pause-mode-in-cor.patch new file mode 100644 index 00000000000..2d0fe252ad8 --- /dev/null +++ b/queue-4.19/slimbus-core-do-not-enter-to-clock-pause-mode-in-cor.patch @@ -0,0 +1,38 @@ +From dfe09c625b6d98a0f9e8f9e60d86ad88c20a5992 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 10:55:19 +0100 +Subject: slimbus: core: do not enter to clock pause mode in core + +From: Srinivas Kandagatla + +[ Upstream commit df2c471c4ae07e18a0396db670dca2ef867c5153 ] + +Let the controller logic decide when to enter into clock pause mode! +Entering in to pause mode during unregistration does not really make +sense as the controller is totally going down at that point in time. + +Fixes: 4b14e62ad3c9e ("slimbus: Add support for 'clock-pause' feature") +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20200925095520.27316-3-srinivas.kandagatla@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/slimbus/core.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/slimbus/core.c b/drivers/slimbus/core.c +index 6e690aaacad1e..3e63e4ce45b04 100644 +--- a/drivers/slimbus/core.c ++++ b/drivers/slimbus/core.c +@@ -255,8 +255,6 @@ int slim_unregister_controller(struct slim_controller *ctrl) + { + /* Remove all clients */ + device_for_each_child(ctrl->dev, NULL, slim_ctrl_remove_device); +- /* Enter Clock Pause */ +- slim_ctrl_clk_pause(ctrl, false, 0); + ida_simple_remove(&ctrl_ida, ctrl->id); + + return 0; +-- +2.25.1 + diff --git a/queue-4.19/slimbus-qcom-ngd-ctrl-disable-ngd-in-qmi-server-down.patch b/queue-4.19/slimbus-qcom-ngd-ctrl-disable-ngd-in-qmi-server-down.patch new file mode 100644 index 00000000000..c8cf163aa26 --- /dev/null +++ b/queue-4.19/slimbus-qcom-ngd-ctrl-disable-ngd-in-qmi-server-down.patch @@ -0,0 +1,45 @@ +From b3c1de0c196842f28d28edc8703b033a98df2f36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 10:55:20 +0100 +Subject: slimbus: qcom-ngd-ctrl: disable ngd in qmi server down callback + +From: Srinivas Kandagatla + +[ Upstream commit 709ec3f7fc5773ac4aa6fb22c3f0ac8103c674db ] + +In QMI new server notification we enable the NGD however during +delete server notification we do not disable the NGD. + +This can lead to multiple instances of NGD being enabled, so make +sure that we disable NGD in delete server callback to fix this issue! + +Fixes: 917809e2280b ("slimbus: ngd: Add qcom SLIMBus NGD driver") +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20200925095520.27316-4-srinivas.kandagatla@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/slimbus/qcom-ngd-ctrl.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/slimbus/qcom-ngd-ctrl.c b/drivers/slimbus/qcom-ngd-ctrl.c +index f40ac8dcb0817..522a87fc573a6 100644 +--- a/drivers/slimbus/qcom-ngd-ctrl.c ++++ b/drivers/slimbus/qcom-ngd-ctrl.c +@@ -1272,9 +1272,13 @@ static void qcom_slim_ngd_qmi_del_server(struct qmi_handle *hdl, + { + struct qcom_slim_ngd_qmi *qmi = + container_of(hdl, struct qcom_slim_ngd_qmi, svc_event_hdl); ++ struct qcom_slim_ngd_ctrl *ctrl = ++ container_of(qmi, struct qcom_slim_ngd_ctrl, qmi); + + qmi->svc_info.sq_node = 0; + qmi->svc_info.sq_port = 0; ++ ++ qcom_slim_ngd_enable(ctrl, false); + } + + static struct qmi_ops qcom_slim_ngd_qmi_svc_event_ops = { +-- +2.25.1 + diff --git a/queue-4.19/spi-spi-s3c64xx-check-return-values.patch b/queue-4.19/spi-spi-s3c64xx-check-return-values.patch new file mode 100644 index 00000000000..22ea5189bbd --- /dev/null +++ b/queue-4.19/spi-spi-s3c64xx-check-return-values.patch @@ -0,0 +1,183 @@ +From 6952ca5db180e719467e83e74648f78829433697 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Oct 2020 14:22:37 +0200 +Subject: spi: spi-s3c64xx: Check return values +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Łukasz Stelmach + +[ Upstream commit 2f4db6f705c5cba85d23836c19b44d9687dc1334 ] + +Check return values in prepare_dma() and s3c64xx_spi_config() and +propagate errors upwards. + +Fixes: 788437273fa8 ("spi: s3c64xx: move to generic dmaengine API") +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Łukasz Stelmach +Link: https://lore.kernel.org/r/20201002122243.26849-4-l.stelmach@samsung.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-s3c64xx.c | 50 ++++++++++++++++++++++++++++++++------- + 1 file changed, 41 insertions(+), 9 deletions(-) + +diff --git a/drivers/spi/spi-s3c64xx.c b/drivers/spi/spi-s3c64xx.c +index 322f75f89c713..1d948fee1a039 100644 +--- a/drivers/spi/spi-s3c64xx.c ++++ b/drivers/spi/spi-s3c64xx.c +@@ -122,6 +122,7 @@ + + struct s3c64xx_spi_dma_data { + struct dma_chan *ch; ++ dma_cookie_t cookie; + enum dma_transfer_direction direction; + }; + +@@ -264,12 +265,13 @@ static void s3c64xx_spi_dmacb(void *data) + spin_unlock_irqrestore(&sdd->lock, flags); + } + +-static void prepare_dma(struct s3c64xx_spi_dma_data *dma, ++static int prepare_dma(struct s3c64xx_spi_dma_data *dma, + struct sg_table *sgt) + { + struct s3c64xx_spi_driver_data *sdd; + struct dma_slave_config config; + struct dma_async_tx_descriptor *desc; ++ int ret; + + memset(&config, 0, sizeof(config)); + +@@ -293,12 +295,24 @@ static void prepare_dma(struct s3c64xx_spi_dma_data *dma, + + desc = dmaengine_prep_slave_sg(dma->ch, sgt->sgl, sgt->nents, + dma->direction, DMA_PREP_INTERRUPT); ++ if (!desc) { ++ dev_err(&sdd->pdev->dev, "unable to prepare %s scatterlist", ++ dma->direction == DMA_DEV_TO_MEM ? "rx" : "tx"); ++ return -ENOMEM; ++ } + + desc->callback = s3c64xx_spi_dmacb; + desc->callback_param = dma; + +- dmaengine_submit(desc); ++ dma->cookie = dmaengine_submit(desc); ++ ret = dma_submit_error(dma->cookie); ++ if (ret) { ++ dev_err(&sdd->pdev->dev, "DMA submission failed"); ++ return -EIO; ++ } ++ + dma_async_issue_pending(dma->ch); ++ return 0; + } + + static void s3c64xx_spi_set_cs(struct spi_device *spi, bool enable) +@@ -348,11 +362,12 @@ static bool s3c64xx_spi_can_dma(struct spi_master *master, + return xfer->len > (FIFO_LVL_MASK(sdd) >> 1) + 1; + } + +-static void s3c64xx_enable_datapath(struct s3c64xx_spi_driver_data *sdd, ++static int s3c64xx_enable_datapath(struct s3c64xx_spi_driver_data *sdd, + struct spi_transfer *xfer, int dma_mode) + { + void __iomem *regs = sdd->regs; + u32 modecfg, chcfg; ++ int ret = 0; + + modecfg = readl(regs + S3C64XX_SPI_MODE_CFG); + modecfg &= ~(S3C64XX_SPI_MODE_TXDMA_ON | S3C64XX_SPI_MODE_RXDMA_ON); +@@ -378,7 +393,7 @@ static void s3c64xx_enable_datapath(struct s3c64xx_spi_driver_data *sdd, + chcfg |= S3C64XX_SPI_CH_TXCH_ON; + if (dma_mode) { + modecfg |= S3C64XX_SPI_MODE_TXDMA_ON; +- prepare_dma(&sdd->tx_dma, &xfer->tx_sg); ++ ret = prepare_dma(&sdd->tx_dma, &xfer->tx_sg); + } else { + switch (sdd->cur_bpw) { + case 32: +@@ -410,12 +425,17 @@ static void s3c64xx_enable_datapath(struct s3c64xx_spi_driver_data *sdd, + writel(((xfer->len * 8 / sdd->cur_bpw) & 0xffff) + | S3C64XX_SPI_PACKET_CNT_EN, + regs + S3C64XX_SPI_PACKET_CNT); +- prepare_dma(&sdd->rx_dma, &xfer->rx_sg); ++ ret = prepare_dma(&sdd->rx_dma, &xfer->rx_sg); + } + } + ++ if (ret) ++ return ret; ++ + writel(modecfg, regs + S3C64XX_SPI_MODE_CFG); + writel(chcfg, regs + S3C64XX_SPI_CH_CFG); ++ ++ return 0; + } + + static u32 s3c64xx_spi_wait_for_timeout(struct s3c64xx_spi_driver_data *sdd, +@@ -548,9 +568,10 @@ static int s3c64xx_wait_for_pio(struct s3c64xx_spi_driver_data *sdd, + return 0; + } + +-static void s3c64xx_spi_config(struct s3c64xx_spi_driver_data *sdd) ++static int s3c64xx_spi_config(struct s3c64xx_spi_driver_data *sdd) + { + void __iomem *regs = sdd->regs; ++ int ret; + u32 val; + + /* Disable Clock */ +@@ -598,7 +619,9 @@ static void s3c64xx_spi_config(struct s3c64xx_spi_driver_data *sdd) + + if (sdd->port_conf->clk_from_cmu) { + /* The src_clk clock is divided internally by 2 */ +- clk_set_rate(sdd->src_clk, sdd->cur_speed * 2); ++ ret = clk_set_rate(sdd->src_clk, sdd->cur_speed * 2); ++ if (ret) ++ return ret; + } else { + /* Configure Clock */ + val = readl(regs + S3C64XX_SPI_CLK_CFG); +@@ -612,6 +635,8 @@ static void s3c64xx_spi_config(struct s3c64xx_spi_driver_data *sdd) + val |= S3C64XX_SPI_ENCLK_ENABLE; + writel(val, regs + S3C64XX_SPI_CLK_CFG); + } ++ ++ return 0; + } + + #define XFER_DMAADDR_INVALID DMA_BIT_MASK(32) +@@ -654,7 +679,9 @@ static int s3c64xx_spi_transfer_one(struct spi_master *master, + sdd->cur_bpw = bpw; + sdd->cur_speed = speed; + sdd->cur_mode = spi->mode; +- s3c64xx_spi_config(sdd); ++ status = s3c64xx_spi_config(sdd); ++ if (status) ++ return status; + } + + if (!is_polling(sdd) && (xfer->len > fifo_len) && +@@ -681,10 +708,15 @@ static int s3c64xx_spi_transfer_one(struct spi_master *master, + /* Start the signals */ + s3c64xx_spi_set_cs(spi, true); + +- s3c64xx_enable_datapath(sdd, xfer, use_dma); ++ status = s3c64xx_enable_datapath(sdd, xfer, use_dma); + + spin_unlock_irqrestore(&sdd->lock, flags); + ++ if (status) { ++ dev_err(&spi->dev, "failed to enable data path for transfer: %d\n", status); ++ break; ++ } ++ + if (use_dma) + status = s3c64xx_wait_for_dma(sdd, xfer); + else +-- +2.25.1 + diff --git a/queue-4.19/spi-spi-s3c64xx-swap-s3c64xx_spi_set_cs-and-s3c64xx_.patch b/queue-4.19/spi-spi-s3c64xx-swap-s3c64xx_spi_set_cs-and-s3c64xx_.patch new file mode 100644 index 00000000000..b08f955832a --- /dev/null +++ b/queue-4.19/spi-spi-s3c64xx-swap-s3c64xx_spi_set_cs-and-s3c64xx_.patch @@ -0,0 +1,47 @@ +From 128780ae666548caafbeca19b996172a7de9de90 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Oct 2020 14:22:35 +0200 +Subject: spi: spi-s3c64xx: swap s3c64xx_spi_set_cs() and + s3c64xx_enable_datapath() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Łukasz Stelmach + +[ Upstream commit 581e2b41977dfc2d4c26c8e976f89c43bb92f9bf ] + +Fix issues with DMA transfers bigger than 512 bytes on Exynos3250. Without +the patches such transfers fail to complete. This solution to the problem +is found in the vendor kernel for ARTIK5 boards based on Exynos3250. + +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Łukasz Stelmach +Link: https://lore.kernel.org/r/20201002122243.26849-2-l.stelmach@samsung.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-s3c64xx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/spi/spi-s3c64xx.c b/drivers/spi/spi-s3c64xx.c +index 7b7151ec14c8a..322f75f89c713 100644 +--- a/drivers/spi/spi-s3c64xx.c ++++ b/drivers/spi/spi-s3c64xx.c +@@ -678,11 +678,11 @@ static int s3c64xx_spi_transfer_one(struct spi_master *master, + sdd->state &= ~RXBUSY; + sdd->state &= ~TXBUSY; + +- s3c64xx_enable_datapath(sdd, xfer, use_dma); +- + /* Start the signals */ + s3c64xx_spi_set_cs(spi, true); + ++ s3c64xx_enable_datapath(sdd, xfer, use_dma); ++ + spin_unlock_irqrestore(&sdd->lock, flags); + + if (use_dma) +-- +2.25.1 + diff --git a/queue-4.19/staging-rtl8192u-do-not-use-gfp_kernel-in-atomic-con.patch b/queue-4.19/staging-rtl8192u-do-not-use-gfp_kernel-in-atomic-con.patch new file mode 100644 index 00000000000..4ac8def8555 --- /dev/null +++ b/queue-4.19/staging-rtl8192u-do-not-use-gfp_kernel-in-atomic-con.patch @@ -0,0 +1,47 @@ +From a97c4a5d0e4061aad0aac8d0303908835e6ae31d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Aug 2020 19:34:58 +0200 +Subject: staging: rtl8192u: Do not use GFP_KERNEL in atomic context + +From: Christophe JAILLET + +[ Upstream commit acac75bb451fd39344eb54fad6602dfc9482e970 ] + +'rtl8192_irq_rx_tasklet()' is a tasklet initialized in +'rtl8192_init_priv_task()'. +>From this function it is possible to allocate some memory with the +GFP_KERNEL flag, which is not allowed in the atomic context of a tasklet. + +Use GFP_ATOMIC instead. + +The call chain is: + rtl8192_irq_rx_tasklet (in r8192U_core.c) + --> rtl8192_rx_nomal (in r8192U_core.c) + --> ieee80211_rx (in ieee80211/ieee80211_rx.c) + --> RxReorderIndicatePacket (in ieee80211/ieee80211_rx.c) + +Fixes: 79a5ccd97209 ("staging: rtl8192u: fix large frame size compiler warning") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/20200813173458.758284-1-christophe.jaillet@wanadoo.fr +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c b/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c +index 28cae82d795c7..fb824c5174497 100644 +--- a/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c ++++ b/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c +@@ -599,7 +599,7 @@ static void RxReorderIndicatePacket(struct ieee80211_device *ieee, + + prxbIndicateArray = kmalloc_array(REORDER_WIN_SIZE, + sizeof(struct ieee80211_rxb *), +- GFP_KERNEL); ++ GFP_ATOMIC); + if (!prxbIndicateArray) + return; + +-- +2.25.1 + diff --git a/queue-4.19/sunrpc-fix-copying-of-multiple-pages-in-gss_read_pro.patch b/queue-4.19/sunrpc-fix-copying-of-multiple-pages-in-gss_read_pro.patch new file mode 100644 index 00000000000..790d9b61686 --- /dev/null +++ b/queue-4.19/sunrpc-fix-copying-of-multiple-pages-in-gss_read_pro.patch @@ -0,0 +1,84 @@ +From 6c59813daf7f7b3930fed0b728d96120393aee52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Oct 2020 13:42:27 +0200 +Subject: SUNRPC: fix copying of multiple pages in gss_read_proxy_verf() + +From: Martijn de Gouw + +[ Upstream commit d48c8124749c9a5081fe68680f83605e272c984b ] + +When the passed token is longer than 4032 bytes, the remaining part +of the token must be copied from the rqstp->rq_arg.pages. But the +copy must make sure it happens in a consecutive way. + +With the existing code, the first memcpy copies 'length' bytes from +argv->iobase, but since the header is in front, this never fills the +whole first page of in_token->pages. + +The mecpy in the loop copies the following bytes, but starts writing at +the next page of in_token->pages. This leaves the last bytes of page 0 +unwritten. + +Symptoms were that users with many groups were not able to access NFS +exports, when using Active Directory as the KDC. + +Signed-off-by: Martijn de Gouw +Fixes: 5866efa8cbfb "SUNRPC: Fix svcauth_gss_proxy_init()" +Signed-off-by: J. Bruce Fields +Signed-off-by: Sasha Levin +--- + net/sunrpc/auth_gss/svcauth_gss.c | 27 +++++++++++++++++---------- + 1 file changed, 17 insertions(+), 10 deletions(-) + +diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c +index 68259eec6afd1..ab086081be9c7 100644 +--- a/net/sunrpc/auth_gss/svcauth_gss.c ++++ b/net/sunrpc/auth_gss/svcauth_gss.c +@@ -1079,9 +1079,9 @@ static int gss_read_proxy_verf(struct svc_rqst *rqstp, + struct gssp_in_token *in_token) + { + struct kvec *argv = &rqstp->rq_arg.head[0]; +- unsigned int page_base, length; +- int pages, i, res; +- size_t inlen; ++ unsigned int length, pgto_offs, pgfrom_offs; ++ int pages, i, res, pgto, pgfrom; ++ size_t inlen, to_offs, from_offs; + + res = gss_read_common_verf(gc, argv, authp, in_handle); + if (res) +@@ -1109,17 +1109,24 @@ static int gss_read_proxy_verf(struct svc_rqst *rqstp, + memcpy(page_address(in_token->pages[0]), argv->iov_base, length); + inlen -= length; + +- i = 1; +- page_base = rqstp->rq_arg.page_base; ++ to_offs = length; ++ from_offs = rqstp->rq_arg.page_base; + while (inlen) { +- length = min_t(unsigned int, inlen, PAGE_SIZE); +- memcpy(page_address(in_token->pages[i]), +- page_address(rqstp->rq_arg.pages[i]) + page_base, ++ pgto = to_offs >> PAGE_SHIFT; ++ pgfrom = from_offs >> PAGE_SHIFT; ++ pgto_offs = to_offs & ~PAGE_MASK; ++ pgfrom_offs = from_offs & ~PAGE_MASK; ++ ++ length = min_t(unsigned int, inlen, ++ min_t(unsigned int, PAGE_SIZE - pgto_offs, ++ PAGE_SIZE - pgfrom_offs)); ++ memcpy(page_address(in_token->pages[pgto]) + pgto_offs, ++ page_address(rqstp->rq_arg.pages[pgfrom]) + pgfrom_offs, + length); + ++ to_offs += length; ++ from_offs += length; + inlen -= length; +- page_base = 0; +- i++; + } + return 0; + } +-- +2.25.1 + diff --git a/queue-4.19/svcrdma-fix-bounce-buffers-for-unaligned-offsets-and.patch b/queue-4.19/svcrdma-fix-bounce-buffers-for-unaligned-offsets-and.patch new file mode 100644 index 00000000000..9b1a0b661b1 --- /dev/null +++ b/queue-4.19/svcrdma-fix-bounce-buffers-for-unaligned-offsets-and.patch @@ -0,0 +1,40 @@ +From ce025a07f9526c59acc405b0043a003f17fc638f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Oct 2020 22:33:43 +0300 +Subject: svcrdma: fix bounce buffers for unaligned offsets and multiple pages + +From: Dan Aloni + +[ Upstream commit c327a310ec4d6ecbea13185ed56c11def441d9ab ] + +This was discovered using O_DIRECT at the client side, with small +unaligned file offsets or IOs that span multiple file pages. + +Fixes: e248aa7be86 ("svcrdma: Remove max_sge check at connect time") +Signed-off-by: Dan Aloni +Signed-off-by: J. Bruce Fields +Signed-off-by: Sasha Levin +--- + net/sunrpc/xprtrdma/svc_rdma_sendto.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/sunrpc/xprtrdma/svc_rdma_sendto.c b/net/sunrpc/xprtrdma/svc_rdma_sendto.c +index aa4d19a780d78..4062cd624b26f 100644 +--- a/net/sunrpc/xprtrdma/svc_rdma_sendto.c ++++ b/net/sunrpc/xprtrdma/svc_rdma_sendto.c +@@ -639,10 +639,11 @@ static int svc_rdma_pull_up_reply_msg(struct svcxprt_rdma *rdma, + while (remaining) { + len = min_t(u32, PAGE_SIZE - pageoff, remaining); + +- memcpy(dst, page_address(*ppages), len); ++ memcpy(dst, page_address(*ppages) + pageoff, len); + remaining -= len; + dst += len; + pageoff = 0; ++ ppages++; + } + } + +-- +2.25.1 + diff --git a/queue-4.19/tty-hvcs-don-t-null-tty-driver_data-until-hvcs_clean.patch b/queue-4.19/tty-hvcs-don-t-null-tty-driver_data-until-hvcs_clean.patch new file mode 100644 index 00000000000..603f577ff15 --- /dev/null +++ b/queue-4.19/tty-hvcs-don-t-null-tty-driver_data-until-hvcs_clean.patch @@ -0,0 +1,66 @@ +From 65e443a6d3a22fb47cf727f659849ae16b4ad4f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 18:46:38 -0500 +Subject: tty: hvcs: Don't NULL tty->driver_data until hvcs_cleanup() + +From: Tyrel Datwyler + +[ Upstream commit 63ffcbdad738e3d1c857027789a2273df3337624 ] + +The code currently NULLs tty->driver_data in hvcs_close() with the +intent of informing the next call to hvcs_open() that device needs to be +reconfigured. However, when hvcs_cleanup() is called we copy hvcsd from +tty->driver_data which was previoulsy NULLed by hvcs_close() and our +call to tty_port_put(&hvcsd->port) doesn't actually do anything since +&hvcsd->port ends up translating to NULL by chance. This has the side +effect that when hvcs_remove() is called we have one too many port +references preventing hvcs_destuct_port() from ever being called. This +also prevents us from reusing the /dev/hvcsX node in a future +hvcs_probe() and we can eventually run out of /dev/hvcsX devices. + +Fix this by waiting to NULL tty->driver_data in hvcs_cleanup(). + +Fixes: 27bf7c43a19c ("TTY: hvcs, add tty install") +Signed-off-by: Tyrel Datwyler +Link: https://lore.kernel.org/r/20200820234643.70412-1-tyreld@linux.ibm.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/hvc/hvcs.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/tty/hvc/hvcs.c b/drivers/tty/hvc/hvcs.c +index cb4db1b3ca3c0..7853c6375325d 100644 +--- a/drivers/tty/hvc/hvcs.c ++++ b/drivers/tty/hvc/hvcs.c +@@ -1218,13 +1218,6 @@ static void hvcs_close(struct tty_struct *tty, struct file *filp) + + tty_wait_until_sent(tty, HVCS_CLOSE_WAIT); + +- /* +- * This line is important because it tells hvcs_open that this +- * device needs to be re-configured the next time hvcs_open is +- * called. +- */ +- tty->driver_data = NULL; +- + free_irq(irq, hvcsd); + return; + } else if (hvcsd->port.count < 0) { +@@ -1239,6 +1232,13 @@ static void hvcs_cleanup(struct tty_struct * tty) + { + struct hvcs_struct *hvcsd = tty->driver_data; + ++ /* ++ * This line is important because it tells hvcs_open that this ++ * device needs to be re-configured the next time hvcs_open is ++ * called. ++ */ ++ tty->driver_data = NULL; ++ + tty_port_put(&hvcsd->port); + } + +-- +2.25.1 + diff --git a/queue-4.19/tty-ipwireless-fix-error-handling.patch b/queue-4.19/tty-ipwireless-fix-error-handling.patch new file mode 100644 index 00000000000..066eeba507b --- /dev/null +++ b/queue-4.19/tty-ipwireless-fix-error-handling.patch @@ -0,0 +1,60 @@ +From ba534e79d44b3f13d122905fc781136a2bd21bdf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Aug 2020 12:19:40 -0400 +Subject: tty: ipwireless: fix error handling + +From: Tong Zhang + +[ Upstream commit db332356222d9429731ab9395c89cca403828460 ] + +ipwireless_send_packet() can only return 0 on success and -ENOMEM on +error, the caller should check non zero for error condition + +Signed-off-by: Tong Zhang +Acked-by: David Sterba +Link: https://lore.kernel.org/r/20200821161942.36589-1-ztong0001@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/ipwireless/network.c | 4 ++-- + drivers/tty/ipwireless/tty.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/tty/ipwireless/network.c b/drivers/tty/ipwireless/network.c +index cf20616340a1a..fe569f6294a24 100644 +--- a/drivers/tty/ipwireless/network.c ++++ b/drivers/tty/ipwireless/network.c +@@ -117,7 +117,7 @@ static int ipwireless_ppp_start_xmit(struct ppp_channel *ppp_channel, + skb->len, + notify_packet_sent, + network); +- if (ret == -1) { ++ if (ret < 0) { + skb_pull(skb, 2); + return 0; + } +@@ -134,7 +134,7 @@ static int ipwireless_ppp_start_xmit(struct ppp_channel *ppp_channel, + notify_packet_sent, + network); + kfree(buf); +- if (ret == -1) ++ if (ret < 0) + return 0; + } + kfree_skb(skb); +diff --git a/drivers/tty/ipwireless/tty.c b/drivers/tty/ipwireless/tty.c +index 1ef751c27ac6d..cb04971843306 100644 +--- a/drivers/tty/ipwireless/tty.c ++++ b/drivers/tty/ipwireless/tty.c +@@ -218,7 +218,7 @@ static int ipw_write(struct tty_struct *linux_tty, + ret = ipwireless_send_packet(tty->hardware, IPW_CHANNEL_RAS, + buf, count, + ipw_write_packet_sent_callback, tty); +- if (ret == -1) { ++ if (ret < 0) { + mutex_unlock(&tty->ipw_tty_mutex); + return 0; + } +-- +2.25.1 + diff --git a/queue-4.19/tty-serial-earlycon-dependency.patch b/queue-4.19/tty-serial-earlycon-dependency.patch new file mode 100644 index 00000000000..8bb4176a372 --- /dev/null +++ b/queue-4.19/tty-serial-earlycon-dependency.patch @@ -0,0 +1,38 @@ +From f70afd01ac8b31675ddf06b0cc1ca6295f0fcdc2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Aug 2020 08:39:50 -0400 +Subject: tty: serial: earlycon dependency + +From: Tong Zhang + +[ Upstream commit 0fb9342d06b0f667b915ba58bfefc030e534a218 ] + +parse_options() in drivers/tty/serial/earlycon.c calls uart_parse_earlycon +in drivers/tty/serial/serial_core.c therefore selecting SERIAL_EARLYCON +should automatically select SERIAL_CORE, otherwise will result in symbol +not found error during linking if SERIAL_CORE is not configured as builtin + +Fixes: 9aac5887595b ("tty/serial: add generic serial earlycon") +Signed-off-by: Tong Zhang +Link: https://lore.kernel.org/r/20200828123949.2642-1-ztong0001@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/tty/serial/Kconfig b/drivers/tty/serial/Kconfig +index df8bd0c7b97db..cd13065095bc3 100644 +--- a/drivers/tty/serial/Kconfig ++++ b/drivers/tty/serial/Kconfig +@@ -9,6 +9,7 @@ menu "Serial drivers" + + config SERIAL_EARLYCON + bool ++ depends on SERIAL_CORE + help + Support for early consoles with the earlycon parameter. This enables + the console before standard serial driver is probed. The console is +-- +2.25.1 + diff --git a/queue-4.19/udf-avoid-accessing-uninitialized-data-on-failed-ino.patch b/queue-4.19/udf-avoid-accessing-uninitialized-data-on-failed-ino.patch new file mode 100644 index 00000000000..3767609d318 --- /dev/null +++ b/queue-4.19/udf-avoid-accessing-uninitialized-data-on-failed-ino.patch @@ -0,0 +1,62 @@ +From 5ebe8e591e748113498a03587ca686bb4c77d69b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 12:14:03 +0200 +Subject: udf: Avoid accessing uninitialized data on failed inode read + +From: Jan Kara + +[ Upstream commit 044e2e26f214e5ab26af85faffd8d1e4ec066931 ] + +When we fail to read inode, some data accessed in udf_evict_inode() may +be uninitialized. Move the accesses to !is_bad_inode() branch. + +Reported-by: syzbot+91f02b28f9bb5f5f1341@syzkaller.appspotmail.com +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/udf/inode.c | 25 ++++++++++++++----------- + 1 file changed, 14 insertions(+), 11 deletions(-) + +diff --git a/fs/udf/inode.c b/fs/udf/inode.c +index 4c46ebf0e773b..3bf89a6338367 100644 +--- a/fs/udf/inode.c ++++ b/fs/udf/inode.c +@@ -132,21 +132,24 @@ void udf_evict_inode(struct inode *inode) + struct udf_inode_info *iinfo = UDF_I(inode); + int want_delete = 0; + +- if (!inode->i_nlink && !is_bad_inode(inode)) { +- want_delete = 1; +- udf_setsize(inode, 0); +- udf_update_inode(inode, IS_SYNC(inode)); ++ if (!is_bad_inode(inode)) { ++ if (!inode->i_nlink) { ++ want_delete = 1; ++ udf_setsize(inode, 0); ++ udf_update_inode(inode, IS_SYNC(inode)); ++ } ++ if (iinfo->i_alloc_type != ICBTAG_FLAG_AD_IN_ICB && ++ inode->i_size != iinfo->i_lenExtents) { ++ udf_warn(inode->i_sb, ++ "Inode %lu (mode %o) has inode size %llu different from extent length %llu. Filesystem need not be standards compliant.\n", ++ inode->i_ino, inode->i_mode, ++ (unsigned long long)inode->i_size, ++ (unsigned long long)iinfo->i_lenExtents); ++ } + } + truncate_inode_pages_final(&inode->i_data); + invalidate_inode_buffers(inode); + clear_inode(inode); +- if (iinfo->i_alloc_type != ICBTAG_FLAG_AD_IN_ICB && +- inode->i_size != iinfo->i_lenExtents) { +- udf_warn(inode->i_sb, "Inode %lu (mode %o) has inode size %llu different from extent length %llu. Filesystem need not be standards compliant.\n", +- inode->i_ino, inode->i_mode, +- (unsigned long long)inode->i_size, +- (unsigned long long)iinfo->i_lenExtents); +- } + kfree(iinfo->i_ext.i_data); + iinfo->i_ext.i_data = NULL; + udf_clear_extent_cache(inode); +-- +2.25.1 + diff --git a/queue-4.19/udf-limit-sparing-table-size.patch b/queue-4.19/udf-limit-sparing-table-size.patch new file mode 100644 index 00000000000..3ac26dce37c --- /dev/null +++ b/queue-4.19/udf-limit-sparing-table-size.patch @@ -0,0 +1,40 @@ +From 08c01e697876a6354aa04284c171bb40ebdcecb8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 14:53:08 +0200 +Subject: udf: Limit sparing table size + +From: Jan Kara + +[ Upstream commit 44ac6b829c4e173fdf6df18e6dd86aecf9a3dc99 ] + +Although UDF standard allows it, we don't support sparing table larger +than a single block. Check it during mount so that we don't try to +access memory beyond end of buffer. + +Reported-by: syzbot+9991561e714f597095da@syzkaller.appspotmail.com +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/udf/super.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/udf/super.c b/fs/udf/super.c +index 1676a175cd7a8..caeb01ca039b7 100644 +--- a/fs/udf/super.c ++++ b/fs/udf/super.c +@@ -1349,6 +1349,12 @@ static int udf_load_sparable_map(struct super_block *sb, + (int)spm->numSparingTables); + return -EIO; + } ++ if (le32_to_cpu(spm->sizeSparingTable) > sb->s_blocksize) { ++ udf_err(sb, "error loading logical volume descriptor: " ++ "Too big sparing table size (%u)\n", ++ le32_to_cpu(spm->sizeSparingTable)); ++ return -EIO; ++ } + + for (i = 0; i < spm->numSparingTables; i++) { + loc = le32_to_cpu(spm->locSparingTable[i]); +-- +2.25.1 + diff --git a/queue-4.19/usb-cdc-acm-handle-broken-union-descriptors.patch b/queue-4.19/usb-cdc-acm-handle-broken-union-descriptors.patch new file mode 100644 index 00000000000..33fe7709c46 --- /dev/null +++ b/queue-4.19/usb-cdc-acm-handle-broken-union-descriptors.patch @@ -0,0 +1,61 @@ +From fa23c5b9bab01a93099e970a9745aa7a6a095972 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Sep 2020 15:59:49 +0200 +Subject: USB: cdc-acm: handle broken union descriptors + +From: Johan Hovold + +[ Upstream commit 960c7339de27c6d6fec13b54880501c3576bb08d ] + +Handle broken union functional descriptors where the master-interface +doesn't exist or where its class is of neither Communication or Data +type (as required by the specification) by falling back to +"combined-interface" probing. + +Note that this still allows for handling union descriptors with switched +interfaces. + +This specifically makes the Whistler radio scanners TRX series devices +work with the driver without adding further quirks to the device-id +table. + +Reported-by: Daniel Caujolle-Bert +Tested-by: Daniel Caujolle-Bert +Acked-by: Oliver Neukum +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20200921135951.24045-3-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/class/cdc-acm.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c +index 41453bf6fc0bd..ba3df4af74f11 100644 +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1275,9 +1275,21 @@ static int acm_probe(struct usb_interface *intf, + } + } + } else { ++ int class = -1; ++ + data_intf_num = union_header->bSlaveInterface0; + control_interface = usb_ifnum_to_if(usb_dev, union_header->bMasterInterface0); + data_interface = usb_ifnum_to_if(usb_dev, data_intf_num); ++ ++ if (control_interface) ++ class = control_interface->cur_altsetting->desc.bInterfaceClass; ++ ++ if (class != USB_CLASS_COMM && class != USB_CLASS_CDC_DATA) { ++ dev_dbg(&intf->dev, "Broken union descriptor, assuming single interface\n"); ++ combined_interfaces = 1; ++ control_interface = data_interface = intf; ++ goto look_for_collapsed_interface; ++ } + } + + if (!control_interface || !data_interface) { +-- +2.25.1 + diff --git a/queue-4.19/usb-core-solve-race-condition-in-anchor-cleanup-func.patch b/queue-4.19/usb-core-solve-race-condition-in-anchor-cleanup-func.patch new file mode 100644 index 00000000000..22230ec794b --- /dev/null +++ b/queue-4.19/usb-core-solve-race-condition-in-anchor-cleanup-func.patch @@ -0,0 +1,202 @@ +From c0bf458c67dc00842d154a1bd19ec6d7b50f904c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Jul 2020 08:46:50 +0300 +Subject: usb: core: Solve race condition in anchor cleanup functions + +From: Eli Billauer + +[ Upstream commit fbc299437c06648afcc7891e6e2e6638dd48d4df ] + +usb_kill_anchored_urbs() is commonly used to cancel all URBs on an +anchor just before releasing resources which the URBs rely on. By doing +so, users of this function rely on that no completer callbacks will take +place from any URB on the anchor after it returns. + +However if this function is called in parallel with __usb_hcd_giveback_urb +processing a URB on the anchor, the latter may call the completer +callback after usb_kill_anchored_urbs() returns. This can lead to a +kernel panic due to use after release of memory in interrupt context. + +The race condition is that __usb_hcd_giveback_urb() first unanchors the URB +and then makes the completer callback. Such URB is hence invisible to +usb_kill_anchored_urbs(), allowing it to return before the completer has +been called, since the anchor's urb_list is empty. + +Even worse, if the racing completer callback resubmits the URB, it may +remain in the system long after usb_kill_anchored_urbs() returns. + +Hence list_empty(&anchor->urb_list), which is used in the existing +while-loop, doesn't reliably ensure that all URBs of the anchor are gone. + +A similar problem exists with usb_poison_anchored_urbs() and +usb_scuttle_anchored_urbs(). + +This patch adds an external do-while loop, which ensures that all URBs +are indeed handled before these three functions return. This change has +no effect at all unless the race condition occurs, in which case the +loop will busy-wait until the racing completer callback has finished. +This is a rare condition, so the CPU waste of this spinning is +negligible. + +The additional do-while loop relies on usb_anchor_check_wakeup(), which +returns true iff the anchor list is empty, and there is no +__usb_hcd_giveback_urb() in the system that is in the middle of the +unanchor-before-complete phase. The @suspend_wakeups member of +struct usb_anchor is used for this purpose, which was introduced to solve +another problem which the same race condition causes, in commit +6ec4147e7bdb ("usb-anchor: Delay usb_wait_anchor_empty_timeout wake up +till completion is done"). + +The surely_empty variable is necessary, because usb_anchor_check_wakeup() +must be called with the lock held to prevent races. However the spinlock +must be released and reacquired if the outer loop spins with an empty +URB list while waiting for the unanchor-before-complete passage to finish: +The completer callback may very well attempt to take the very same lock. + +To summarize, using usb_anchor_check_wakeup() means that the patched +functions can return only when the anchor's list is empty, and there is +no invisible URB being processed. Since the inner while loop finishes on +the empty list condition, the new do-while loop will terminate as well, +except for when the said race condition occurs. + +Signed-off-by: Eli Billauer +Acked-by: Oliver Neukum +Acked-by: Alan Stern +Link: https://lore.kernel.org/r/20200731054650.30644-1-eli.billauer@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/core/urb.c | 89 +++++++++++++++++++++++++----------------- + 1 file changed, 54 insertions(+), 35 deletions(-) + +diff --git a/drivers/usb/core/urb.c b/drivers/usb/core/urb.c +index 5e844097a9e30..3cd7732c086e0 100644 +--- a/drivers/usb/core/urb.c ++++ b/drivers/usb/core/urb.c +@@ -773,11 +773,12 @@ void usb_block_urb(struct urb *urb) + EXPORT_SYMBOL_GPL(usb_block_urb); + + /** +- * usb_kill_anchored_urbs - cancel transfer requests en masse ++ * usb_kill_anchored_urbs - kill all URBs associated with an anchor + * @anchor: anchor the requests are bound to + * +- * this allows all outstanding URBs to be killed starting +- * from the back of the queue ++ * This kills all outstanding URBs starting from the back of the queue, ++ * with guarantee that no completer callbacks will take place from the ++ * anchor after this function returns. + * + * This routine should not be called by a driver after its disconnect + * method has returned. +@@ -785,20 +786,26 @@ EXPORT_SYMBOL_GPL(usb_block_urb); + void usb_kill_anchored_urbs(struct usb_anchor *anchor) + { + struct urb *victim; ++ int surely_empty; + +- spin_lock_irq(&anchor->lock); +- while (!list_empty(&anchor->urb_list)) { +- victim = list_entry(anchor->urb_list.prev, struct urb, +- anchor_list); +- /* we must make sure the URB isn't freed before we kill it*/ +- usb_get_urb(victim); +- spin_unlock_irq(&anchor->lock); +- /* this will unanchor the URB */ +- usb_kill_urb(victim); +- usb_put_urb(victim); ++ do { + spin_lock_irq(&anchor->lock); +- } +- spin_unlock_irq(&anchor->lock); ++ while (!list_empty(&anchor->urb_list)) { ++ victim = list_entry(anchor->urb_list.prev, ++ struct urb, anchor_list); ++ /* make sure the URB isn't freed before we kill it */ ++ usb_get_urb(victim); ++ spin_unlock_irq(&anchor->lock); ++ /* this will unanchor the URB */ ++ usb_kill_urb(victim); ++ usb_put_urb(victim); ++ spin_lock_irq(&anchor->lock); ++ } ++ surely_empty = usb_anchor_check_wakeup(anchor); ++ ++ spin_unlock_irq(&anchor->lock); ++ cpu_relax(); ++ } while (!surely_empty); + } + EXPORT_SYMBOL_GPL(usb_kill_anchored_urbs); + +@@ -817,21 +824,27 @@ EXPORT_SYMBOL_GPL(usb_kill_anchored_urbs); + void usb_poison_anchored_urbs(struct usb_anchor *anchor) + { + struct urb *victim; ++ int surely_empty; + +- spin_lock_irq(&anchor->lock); +- anchor->poisoned = 1; +- while (!list_empty(&anchor->urb_list)) { +- victim = list_entry(anchor->urb_list.prev, struct urb, +- anchor_list); +- /* we must make sure the URB isn't freed before we kill it*/ +- usb_get_urb(victim); +- spin_unlock_irq(&anchor->lock); +- /* this will unanchor the URB */ +- usb_poison_urb(victim); +- usb_put_urb(victim); ++ do { + spin_lock_irq(&anchor->lock); +- } +- spin_unlock_irq(&anchor->lock); ++ anchor->poisoned = 1; ++ while (!list_empty(&anchor->urb_list)) { ++ victim = list_entry(anchor->urb_list.prev, ++ struct urb, anchor_list); ++ /* make sure the URB isn't freed before we kill it */ ++ usb_get_urb(victim); ++ spin_unlock_irq(&anchor->lock); ++ /* this will unanchor the URB */ ++ usb_poison_urb(victim); ++ usb_put_urb(victim); ++ spin_lock_irq(&anchor->lock); ++ } ++ surely_empty = usb_anchor_check_wakeup(anchor); ++ ++ spin_unlock_irq(&anchor->lock); ++ cpu_relax(); ++ } while (!surely_empty); + } + EXPORT_SYMBOL_GPL(usb_poison_anchored_urbs); + +@@ -971,14 +984,20 @@ void usb_scuttle_anchored_urbs(struct usb_anchor *anchor) + { + struct urb *victim; + unsigned long flags; ++ int surely_empty; ++ ++ do { ++ spin_lock_irqsave(&anchor->lock, flags); ++ while (!list_empty(&anchor->urb_list)) { ++ victim = list_entry(anchor->urb_list.prev, ++ struct urb, anchor_list); ++ __usb_unanchor_urb(victim, anchor); ++ } ++ surely_empty = usb_anchor_check_wakeup(anchor); + +- spin_lock_irqsave(&anchor->lock, flags); +- while (!list_empty(&anchor->urb_list)) { +- victim = list_entry(anchor->urb_list.prev, struct urb, +- anchor_list); +- __usb_unanchor_urb(victim, anchor); +- } +- spin_unlock_irqrestore(&anchor->lock, flags); ++ spin_unlock_irqrestore(&anchor->lock, flags); ++ cpu_relax(); ++ } while (!surely_empty); + } + + EXPORT_SYMBOL_GPL(usb_scuttle_anchored_urbs); +-- +2.25.1 + diff --git a/queue-4.19/usb-dwc2-fix-intr-out-transfers-in-ddma-mode.patch b/queue-4.19/usb-dwc2-fix-intr-out-transfers-in-ddma-mode.patch new file mode 100644 index 00000000000..4e16221b2cc --- /dev/null +++ b/queue-4.19/usb-dwc2-fix-intr-out-transfers-in-ddma-mode.patch @@ -0,0 +1,143 @@ +From 56396dff6d19e90616189a40a7453502ec3deaa5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Sep 2020 18:08:39 +0400 +Subject: usb: dwc2: Fix INTR OUT transfers in DDMA mode. + +From: Minas Harutyunyan + +[ Upstream commit b2c586eb07efab982419f32b7c3bd96829bc8bcd ] + +In DDMA mode if INTR OUT transfers mps not multiple of 4 then single packet +corresponds to single descriptor. + +Descriptor limit set to mps and desc chain limit set to mps * +MAX_DMA_DESC_NUM_GENERIC. On that descriptors complete, to calculate +transfer size should be considered correction value for each descriptor. + +In start request function, if "continue" is true then dma buffer address +should be incremmented by offset for all type of transfers, not only for +Control DATA_OUT transfers. + +Fixes: cf77b5fb9b394 ("usb: dwc2: gadget: Transfer length limit checking for DDMA") +Fixes: e02f9aa6119e0 ("usb: dwc2: gadget: EP 0 specific DDMA programming") +Fixes: aa3e8bc81311e ("usb: dwc2: gadget: DDMA transfer start and complete") + +Signed-off-by: Minas Harutyunyan +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc2/gadget.c | 40 ++++++++++++++++++++++++++++++++------- + 1 file changed, 33 insertions(+), 7 deletions(-) + +diff --git a/drivers/usb/dwc2/gadget.c b/drivers/usb/dwc2/gadget.c +index f18aa3f59e519..8e98b4df9b109 100644 +--- a/drivers/usb/dwc2/gadget.c ++++ b/drivers/usb/dwc2/gadget.c +@@ -671,8 +671,11 @@ static u32 dwc2_hsotg_read_frameno(struct dwc2_hsotg *hsotg) + */ + static unsigned int dwc2_gadget_get_chain_limit(struct dwc2_hsotg_ep *hs_ep) + { ++ const struct usb_endpoint_descriptor *ep_desc = hs_ep->ep.desc; + int is_isoc = hs_ep->isochronous; + unsigned int maxsize; ++ u32 mps = hs_ep->ep.maxpacket; ++ int dir_in = hs_ep->dir_in; + + if (is_isoc) + maxsize = (hs_ep->dir_in ? DEV_DMA_ISOC_TX_NBYTES_LIMIT : +@@ -681,6 +684,11 @@ static unsigned int dwc2_gadget_get_chain_limit(struct dwc2_hsotg_ep *hs_ep) + else + maxsize = DEV_DMA_NBYTES_LIMIT * MAX_DMA_DESC_NUM_GENERIC; + ++ /* Interrupt OUT EP with mps not multiple of 4 */ ++ if (hs_ep->index) ++ if (usb_endpoint_xfer_int(ep_desc) && !dir_in && (mps % 4)) ++ maxsize = mps * MAX_DMA_DESC_NUM_GENERIC; ++ + return maxsize; + } + +@@ -696,11 +704,14 @@ static unsigned int dwc2_gadget_get_chain_limit(struct dwc2_hsotg_ep *hs_ep) + * Isochronous - descriptor rx/tx bytes bitfield limit, + * Control In/Bulk/Interrupt - multiple of mps. This will allow to not + * have concatenations from various descriptors within one packet. ++ * Interrupt OUT - if mps not multiple of 4 then a single packet corresponds ++ * to a single descriptor. + * + * Selects corresponding mask for RX/TX bytes as well. + */ + static u32 dwc2_gadget_get_desc_params(struct dwc2_hsotg_ep *hs_ep, u32 *mask) + { ++ const struct usb_endpoint_descriptor *ep_desc = hs_ep->ep.desc; + u32 mps = hs_ep->ep.maxpacket; + int dir_in = hs_ep->dir_in; + u32 desc_size = 0; +@@ -724,6 +735,13 @@ static u32 dwc2_gadget_get_desc_params(struct dwc2_hsotg_ep *hs_ep, u32 *mask) + desc_size -= desc_size % mps; + } + ++ /* Interrupt OUT EP with mps not multiple of 4 */ ++ if (hs_ep->index) ++ if (usb_endpoint_xfer_int(ep_desc) && !dir_in && (mps % 4)) { ++ desc_size = mps; ++ *mask = DEV_DMA_NBYTES_MASK; ++ } ++ + return desc_size; + } + +@@ -1044,13 +1062,7 @@ static void dwc2_hsotg_start_req(struct dwc2_hsotg *hsotg, + length += (mps - (length % mps)); + } + +- /* +- * If more data to send, adjust DMA for EP0 out data stage. +- * ureq->dma stays unchanged, hence increment it by already +- * passed passed data count before starting new transaction. +- */ +- if (!index && hsotg->ep0_state == DWC2_EP0_DATA_OUT && +- continuing) ++ if (continuing) + offset = ureq->actual; + + /* Fill DDMA chain entries */ +@@ -2220,22 +2232,36 @@ static void dwc2_hsotg_change_ep_iso_parity(struct dwc2_hsotg *hsotg, + */ + static unsigned int dwc2_gadget_get_xfersize_ddma(struct dwc2_hsotg_ep *hs_ep) + { ++ const struct usb_endpoint_descriptor *ep_desc = hs_ep->ep.desc; + struct dwc2_hsotg *hsotg = hs_ep->parent; + unsigned int bytes_rem = 0; ++ unsigned int bytes_rem_correction = 0; + struct dwc2_dma_desc *desc = hs_ep->desc_list; + int i; + u32 status; ++ u32 mps = hs_ep->ep.maxpacket; ++ int dir_in = hs_ep->dir_in; + + if (!desc) + return -EINVAL; + ++ /* Interrupt OUT EP with mps not multiple of 4 */ ++ if (hs_ep->index) ++ if (usb_endpoint_xfer_int(ep_desc) && !dir_in && (mps % 4)) ++ bytes_rem_correction = 4 - (mps % 4); ++ + for (i = 0; i < hs_ep->desc_count; ++i) { + status = desc->status; + bytes_rem += status & DEV_DMA_NBYTES_MASK; ++ bytes_rem -= bytes_rem_correction; + + if (status & DEV_DMA_STS_MASK) + dev_err(hsotg->dev, "descriptor %d closed with %x\n", + i, status & DEV_DMA_STS_MASK); ++ ++ if (status & DEV_DMA_L) ++ break; ++ + desc++; + } + +-- +2.25.1 + diff --git a/queue-4.19/usb-dwc2-fix-parameter-type-in-function-pointer-prot.patch b/queue-4.19/usb-dwc2-fix-parameter-type-in-function-pointer-prot.patch new file mode 100644 index 00000000000..462fdc5b436 --- /dev/null +++ b/queue-4.19/usb-dwc2-fix-parameter-type-in-function-pointer-prot.patch @@ -0,0 +1,88 @@ +From 1dfe32d36f91b1f6967a72343023f8c49f6df07b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jul 2020 23:03:54 -0700 +Subject: usb: dwc2: Fix parameter type in function pointer prototype + +From: Nathan Chancellor + +[ Upstream commit 362b9398c962c9ec563653444e15ef9032ef3a90 ] + +When booting up on a Raspberry Pi 4 with Control Flow Integrity checking +enabled, the following warning/panic happens: + +[ 1.626435] CFI failure (target: dwc2_set_bcm_params+0x0/0x4): +[ 1.632408] WARNING: CPU: 0 PID: 32 at kernel/cfi.c:30 __cfi_check_fail+0x54/0x5c +[ 1.640021] Modules linked in: +[ 1.643137] CPU: 0 PID: 32 Comm: kworker/0:1 Not tainted 5.8.0-rc6-next-20200724-00051-g89ba619726de #1 +[ 1.652693] Hardware name: Raspberry Pi 4 Model B Rev 1.2 (DT) +[ 1.658637] Workqueue: events deferred_probe_work_func +[ 1.663870] pstate: 60000005 (nZCv daif -PAN -UAO BTYPE=--) +[ 1.669542] pc : __cfi_check_fail+0x54/0x5c +[ 1.673798] lr : __cfi_check_fail+0x54/0x5c +[ 1.678050] sp : ffff8000102bbaa0 +[ 1.681419] x29: ffff8000102bbaa0 x28: ffffab09e21c7000 +[ 1.686829] x27: 0000000000000402 x26: ffff0000f6e7c228 +[ 1.692238] x25: 00000000fb7cdb0d x24: 0000000000000005 +[ 1.697647] x23: ffffab09e2515000 x22: ffffab09e069a000 +[ 1.703055] x21: 4c550309df1cf4c1 x20: ffffab09e2433c60 +[ 1.708462] x19: ffffab09e160dc50 x18: ffff0000f6e8cc78 +[ 1.713870] x17: 0000000000000041 x16: ffffab09e0bce6f8 +[ 1.719278] x15: ffffab09e1c819b7 x14: 0000000000000003 +[ 1.724686] x13: 00000000ffffefff x12: 0000000000000000 +[ 1.730094] x11: 0000000000000000 x10: 00000000ffffffff +[ 1.735501] x9 : c932f7abfc4bc600 x8 : c932f7abfc4bc600 +[ 1.740910] x7 : 077207610770075f x6 : ffff0000f6c38f00 +[ 1.746317] x5 : 0000000000000000 x4 : 0000000000000000 +[ 1.751723] x3 : 0000000000000000 x2 : 0000000000000000 +[ 1.757129] x1 : ffff8000102bb7d8 x0 : 0000000000000032 +[ 1.762539] Call trace: +[ 1.765030] __cfi_check_fail+0x54/0x5c +[ 1.768938] __cfi_check+0x5fa6c/0x66afc +[ 1.772932] dwc2_init_params+0xd74/0xd78 +[ 1.777012] dwc2_driver_probe+0x484/0x6ec +[ 1.781180] platform_drv_probe+0xb4/0x100 +[ 1.785350] really_probe+0x228/0x63c +[ 1.789076] driver_probe_device+0x80/0xc0 +[ 1.793247] __device_attach_driver+0x114/0x160 +[ 1.797857] bus_for_each_drv+0xa8/0x128 +[ 1.801851] __device_attach.llvm.14901095709067289134+0xc0/0x170 +[ 1.808050] bus_probe_device+0x44/0x100 +[ 1.812044] deferred_probe_work_func+0x78/0xb8 +[ 1.816656] process_one_work+0x204/0x3c4 +[ 1.820736] worker_thread+0x2f0/0x4c4 +[ 1.824552] kthread+0x174/0x184 +[ 1.827837] ret_from_fork+0x10/0x18 + +CFI validates that all indirect calls go to a function with the same +exact function pointer prototype. In this case, dwc2_set_bcm_params +is the target, which has a parameter of type 'struct dwc2_hsotg *', +but it is being implicitly cast to have a parameter of type 'void *' +because that is the set_params function pointer prototype. Make the +function pointer protoype match the definitions so that there is no +more violation. + +Fixes: 7de1debcd2de ("usb: dwc2: Remove platform static params") +Link: https://github.com/ClangBuiltLinux/linux/issues/1107 +Signed-off-by: Nathan Chancellor +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc2/params.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/dwc2/params.c b/drivers/usb/dwc2/params.c +index a93415f33bf36..6d7861cba3f56 100644 +--- a/drivers/usb/dwc2/params.c ++++ b/drivers/usb/dwc2/params.c +@@ -808,7 +808,7 @@ int dwc2_get_hwparams(struct dwc2_hsotg *hsotg) + int dwc2_init_params(struct dwc2_hsotg *hsotg) + { + const struct of_device_id *match; +- void (*set_params)(void *data); ++ void (*set_params)(struct dwc2_hsotg *data); + + dwc2_set_default_params(hsotg); + dwc2_get_device_properties(hsotg); +-- +2.25.1 + diff --git a/queue-4.19/usb-dwc3-simple-add-support-for-hikey-970.patch b/queue-4.19/usb-dwc3-simple-add-support-for-hikey-970.patch new file mode 100644 index 00000000000..7a4f0881655 --- /dev/null +++ b/queue-4.19/usb-dwc3-simple-add-support-for-hikey-970.patch @@ -0,0 +1,95 @@ +From 3d814207d366026a7e90cb090d53e5148bfa2ae9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 11:58:23 +0200 +Subject: usb: dwc3: simple: add support for Hikey 970 + +From: Mauro Carvalho Chehab + +[ Upstream commit b68d9251561f33661e53dd618f1cafe7ec9ec3c2 ] + +This binding driver is needed for Hikey 970 to work, +as otherwise a Serror is produced: + + [ 1.837458] SError Interrupt on CPU0, code 0xbf000002 -- SError + [ 1.837462] CPU: 0 PID: 74 Comm: kworker/0:1 Not tainted 5.8.0+ #205 + [ 1.837463] Hardware name: HiKey970 (DT) + [ 1.837465] Workqueue: events deferred_probe_work_func + [ 1.837467] pstate: 20000005 (nzCv daif -PAN -UAO BTYPE=--) + [ 1.837468] pc : _raw_spin_unlock_irqrestore+0x18/0x50 + [ 1.837469] lr : regmap_unlock_spinlock+0x14/0x20 + [ 1.837470] sp : ffff8000124dba60 + [ 1.837471] x29: ffff8000124dba60 x28: 0000000000000000 + [ 1.837474] x27: ffff0001b7e854c8 x26: ffff80001204ea18 + [ 1.837476] x25: 0000000000000005 x24: ffff800011f918f8 + [ 1.837479] x23: ffff800011fbb588 x22: ffff0001b7e40e00 + [ 1.837481] x21: 0000000000000100 x20: 0000000000000000 + [ 1.837483] x19: ffff0001b767ec00 x18: 00000000ff10c000 + [ 1.837485] x17: 0000000000000002 x16: 0000b0740fdb9950 + [ 1.837488] x15: ffff8000116c1198 x14: ffffffffffffffff + [ 1.837490] x13: 0000000000000030 x12: 0101010101010101 + [ 1.837493] x11: 0000000000000020 x10: ffff0001bf17d130 + [ 1.837495] x9 : 0000000000000000 x8 : ffff0001b6938080 + [ 1.837497] x7 : 0000000000000000 x6 : 000000000000003f + [ 1.837500] x5 : 0000000000000000 x4 : 0000000000000000 + [ 1.837502] x3 : ffff80001096a880 x2 : 0000000000000000 + [ 1.837505] x1 : ffff0001b7e40e00 x0 : 0000000100000001 + [ 1.837507] Kernel panic - not syncing: Asynchronous SError Interrupt + [ 1.837509] CPU: 0 PID: 74 Comm: kworker/0:1 Not tainted 5.8.0+ #205 + [ 1.837510] Hardware name: HiKey970 (DT) + [ 1.837511] Workqueue: events deferred_probe_work_func + [ 1.837513] Call trace: + [ 1.837514] dump_backtrace+0x0/0x1e0 + [ 1.837515] show_stack+0x18/0x24 + [ 1.837516] dump_stack+0xc0/0x11c + [ 1.837517] panic+0x15c/0x324 + [ 1.837518] nmi_panic+0x8c/0x90 + [ 1.837519] arm64_serror_panic+0x78/0x84 + [ 1.837520] do_serror+0x158/0x15c + [ 1.837521] el1_error+0x84/0x100 + [ 1.837522] _raw_spin_unlock_irqrestore+0x18/0x50 + [ 1.837523] regmap_write+0x58/0x80 + [ 1.837524] hi3660_reset_deassert+0x28/0x34 + [ 1.837526] reset_control_deassert+0x50/0x260 + [ 1.837527] reset_control_deassert+0xf4/0x260 + [ 1.837528] dwc3_probe+0x5dc/0xe6c + [ 1.837529] platform_drv_probe+0x54/0xb0 + [ 1.837530] really_probe+0xe0/0x490 + [ 1.837531] driver_probe_device+0xf4/0x160 + [ 1.837532] __device_attach_driver+0x8c/0x114 + [ 1.837533] bus_for_each_drv+0x78/0xcc + [ 1.837534] __device_attach+0x108/0x1a0 + [ 1.837535] device_initial_probe+0x14/0x20 + [ 1.837537] bus_probe_device+0x98/0xa0 + [ 1.837538] deferred_probe_work_func+0x88/0xe0 + [ 1.837539] process_one_work+0x1cc/0x350 + [ 1.837540] worker_thread+0x2c0/0x470 + [ 1.837541] kthread+0x154/0x160 + [ 1.837542] ret_from_fork+0x10/0x30 + [ 1.837569] SMP: stopping secondary CPUs + [ 1.837570] Kernel Offset: 0x1d0000 from 0xffff800010000000 + [ 1.837571] PHYS_OFFSET: 0x0 + [ 1.837572] CPU features: 0x240002,20882004 + [ 1.837573] Memory Limit: none + +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/dwc3-of-simple.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/usb/dwc3/dwc3-of-simple.c b/drivers/usb/dwc3/dwc3-of-simple.c +index 4c2771c5e7276..1ef89a4317c87 100644 +--- a/drivers/usb/dwc3/dwc3-of-simple.c ++++ b/drivers/usb/dwc3/dwc3-of-simple.c +@@ -243,6 +243,7 @@ static const struct of_device_id of_dwc3_simple_match[] = { + { .compatible = "amlogic,meson-axg-dwc3" }, + { .compatible = "amlogic,meson-gxl-dwc3" }, + { .compatible = "allwinner,sun50i-h6-dwc3" }, ++ { .compatible = "hisilicon,hi3670-dwc3" }, + { /* Sentinel */ } + }; + MODULE_DEVICE_TABLE(of, of_dwc3_simple_match); +-- +2.25.1 + diff --git a/queue-4.19/usb-gadget-f_ncm-fix-ncm_bitrate-for-superspeed-and-.patch b/queue-4.19/usb-gadget-f_ncm-fix-ncm_bitrate-for-superspeed-and-.patch new file mode 100644 index 00000000000..62427b3ce32 --- /dev/null +++ b/queue-4.19/usb-gadget-f_ncm-fix-ncm_bitrate-for-superspeed-and-.patch @@ -0,0 +1,70 @@ +From b00d96d3ec255e8cccc7bb0f93239175becff1e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Aug 2020 14:55:03 +0900 +Subject: usb: gadget: f_ncm: fix ncm_bitrate for SuperSpeed and above. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lorenzo Colitti + +[ Upstream commit 986499b1569af980a819817f17238015b27793f6 ] + +Currently, SuperSpeed NCM gadgets report a speed of 851 Mbps +in USB_CDC_NOTIFY_SPEED_CHANGE. But the calculation appears to +assume 16 packets per microframe, and USB 3 and above no longer +use microframes. + +Maximum speed is actually much higher. On a direct connection, +theoretical throughput is at most 3.86 Gbps for gen1x1 and +9.36 Gbps for gen2x1, and I have seen gadget->host iperf +throughput of >2 Gbps for gen1x1 and >4 Gbps for gen2x1. + +Unfortunately the ConnectionSpeedChange defined in the CDC spec +only uses 32-bit values, so we can't report accurate numbers for +10Gbps and above. So, report 3.75Gbps for SuperSpeed (which is +roughly maximum theoretical performance) and 4.25Gbps for +SuperSpeed Plus (which is close to the maximum that we can report +in a 32-bit unsigned integer). + +This results in: + +[50879.191272] cdc_ncm 2-2:1.0 enx228b127e050c: renamed from usb0 +[50879.234778] cdc_ncm 2-2:1.0 enx228b127e050c: 3750 mbit/s downlink 3750 mbit/s uplink + +on SuperSpeed and: + +[50798.434527] cdc_ncm 8-2:1.0 enx228b127e050c: renamed from usb0 +[50798.524278] cdc_ncm 8-2:1.0 enx228b127e050c: 4250 mbit/s downlink 4250 mbit/s uplink + +on SuperSpeed Plus. + +Fixes: 1650113888fe ("usb: gadget: f_ncm: add SuperSpeed descriptors for CDC NCM") +Reviewed-by: Maciej Å»enczykowski +Signed-off-by: Lorenzo Colitti +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_ncm.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/gadget/function/f_ncm.c b/drivers/usb/gadget/function/f_ncm.c +index e2eefdd8bf786..09bc917d407d4 100644 +--- a/drivers/usb/gadget/function/f_ncm.c ++++ b/drivers/usb/gadget/function/f_ncm.c +@@ -86,8 +86,10 @@ static inline struct f_ncm *func_to_ncm(struct usb_function *f) + /* peak (theoretical) bulk transfer rate in bits-per-second */ + static inline unsigned ncm_bitrate(struct usb_gadget *g) + { +- if (gadget_is_superspeed(g) && g->speed == USB_SPEED_SUPER) +- return 13 * 1024 * 8 * 1000 * 8; ++ if (gadget_is_superspeed(g) && g->speed >= USB_SPEED_SUPER_PLUS) ++ return 4250000000U; ++ else if (gadget_is_superspeed(g) && g->speed == USB_SPEED_SUPER) ++ return 3750000000U; + else if (gadget_is_dualspeed(g) && g->speed == USB_SPEED_HIGH) + return 13 * 512 * 8 * 1000 * 8; + else +-- +2.25.1 + diff --git a/queue-4.19/usb-gadget-function-printer-fix-use-after-free-in-__.patch b/queue-4.19/usb-gadget-function-printer-fix-use-after-free-in-__.patch new file mode 100644 index 00000000000..91cdbd11855 --- /dev/null +++ b/queue-4.19/usb-gadget-function-printer-fix-use-after-free-in-__.patch @@ -0,0 +1,181 @@ +From 4ea9b86037bd9330c30779fa400c6eb01be83842 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Jun 2020 11:05:33 +0800 +Subject: usb: gadget: function: printer: fix use-after-free in __lock_acquire + +From: Zqiang + +[ Upstream commit e8d5f92b8d30bb4ade76494490c3c065e12411b1 ] + +Fix this by increase object reference count. + +BUG: KASAN: use-after-free in __lock_acquire+0x3fd4/0x4180 +kernel/locking/lockdep.c:3831 +Read of size 8 at addr ffff8880683b0018 by task syz-executor.0/3377 + +CPU: 1 PID: 3377 Comm: syz-executor.0 Not tainted 5.6.11 #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xce/0x128 lib/dump_stack.c:118 + print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374 + __kasan_report+0x131/0x1b0 mm/kasan/report.c:506 + kasan_report+0x12/0x20 mm/kasan/common.c:641 + __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135 + __lock_acquire+0x3fd4/0x4180 kernel/locking/lockdep.c:3831 + lock_acquire+0x127/0x350 kernel/locking/lockdep.c:4488 + __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] + _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159 + printer_ioctl+0x4a/0x110 drivers/usb/gadget/function/f_printer.c:723 + vfs_ioctl fs/ioctl.c:47 [inline] + ksys_ioctl+0xfb/0x130 fs/ioctl.c:763 + __do_sys_ioctl fs/ioctl.c:772 [inline] + __se_sys_ioctl fs/ioctl.c:770 [inline] + __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:770 + do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x4531a9 +Code: ed 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 +89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d +01 f0 ff ff 0f 83 bb 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007fd14ad72c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 000000000073bfa8 RCX: 00000000004531a9 +RDX: fffffffffffffff9 RSI: 000000000000009e RDI: 0000000000000003 +RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004bbd61 +R13: 00000000004d0a98 R14: 00007fd14ad736d4 R15: 00000000ffffffff + +Allocated by task 2393: + save_stack+0x21/0x90 mm/kasan/common.c:72 + set_track mm/kasan/common.c:80 [inline] + __kasan_kmalloc.constprop.3+0xa7/0xd0 mm/kasan/common.c:515 + kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529 + kmem_cache_alloc_trace+0xfa/0x2d0 mm/slub.c:2813 + kmalloc include/linux/slab.h:555 [inline] + kzalloc include/linux/slab.h:669 [inline] + gprinter_alloc+0xa1/0x870 drivers/usb/gadget/function/f_printer.c:1416 + usb_get_function+0x58/0xc0 drivers/usb/gadget/functions.c:61 + config_usb_cfg_link+0x1ed/0x3e0 drivers/usb/gadget/configfs.c:444 + configfs_symlink+0x527/0x11d0 fs/configfs/symlink.c:202 + vfs_symlink+0x33d/0x5b0 fs/namei.c:4201 + do_symlinkat+0x11b/0x1d0 fs/namei.c:4228 + __do_sys_symlinkat fs/namei.c:4242 [inline] + __se_sys_symlinkat fs/namei.c:4239 [inline] + __x64_sys_symlinkat+0x73/0xb0 fs/namei.c:4239 + do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Freed by task 3368: + save_stack+0x21/0x90 mm/kasan/common.c:72 + set_track mm/kasan/common.c:80 [inline] + kasan_set_free_info mm/kasan/common.c:337 [inline] + __kasan_slab_free+0x135/0x190 mm/kasan/common.c:476 + kasan_slab_free+0xe/0x10 mm/kasan/common.c:485 + slab_free_hook mm/slub.c:1444 [inline] + slab_free_freelist_hook mm/slub.c:1477 [inline] + slab_free mm/slub.c:3034 [inline] + kfree+0xf7/0x410 mm/slub.c:3995 + gprinter_free+0x49/0xd0 drivers/usb/gadget/function/f_printer.c:1353 + usb_put_function+0x38/0x50 drivers/usb/gadget/functions.c:87 + config_usb_cfg_unlink+0x2db/0x3b0 drivers/usb/gadget/configfs.c:485 + configfs_unlink+0x3b9/0x7f0 fs/configfs/symlink.c:250 + vfs_unlink+0x287/0x570 fs/namei.c:4073 + do_unlinkat+0x4f9/0x620 fs/namei.c:4137 + __do_sys_unlink fs/namei.c:4184 [inline] + __se_sys_unlink fs/namei.c:4182 [inline] + __x64_sys_unlink+0x42/0x50 fs/namei.c:4182 + do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +The buggy address belongs to the object at ffff8880683b0000 + which belongs to the cache kmalloc-1k of size 1024 +The buggy address is located 24 bytes inside of + 1024-byte region [ffff8880683b0000, ffff8880683b0400) +The buggy address belongs to the page: +page:ffffea0001a0ec00 refcount:1 mapcount:0 mapping:ffff88806c00e300 +index:0xffff8880683b1800 compound_mapcount: 0 +flags: 0x100000000010200(slab|head) +raw: 0100000000010200 0000000000000000 0000000600000001 ffff88806c00e300 +raw: ffff8880683b1800 000000008010000a 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Reported-by: Kyungtae Kim +Signed-off-by: Zqiang +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_printer.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/gadget/function/f_printer.c b/drivers/usb/gadget/function/f_printer.c +index 9c7ed2539ff77..8ed1295d7e350 100644 +--- a/drivers/usb/gadget/function/f_printer.c ++++ b/drivers/usb/gadget/function/f_printer.c +@@ -31,6 +31,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -64,7 +65,7 @@ struct printer_dev { + struct usb_gadget *gadget; + s8 interface; + struct usb_ep *in_ep, *out_ep; +- ++ struct kref kref; + struct list_head rx_reqs; /* List of free RX structs */ + struct list_head rx_reqs_active; /* List of Active RX xfers */ + struct list_head rx_buffers; /* List of completed xfers */ +@@ -218,6 +219,13 @@ static inline struct usb_endpoint_descriptor *ep_desc(struct usb_gadget *gadget, + + /*-------------------------------------------------------------------------*/ + ++static void printer_dev_free(struct kref *kref) ++{ ++ struct printer_dev *dev = container_of(kref, struct printer_dev, kref); ++ ++ kfree(dev); ++} ++ + static struct usb_request * + printer_req_alloc(struct usb_ep *ep, unsigned len, gfp_t gfp_flags) + { +@@ -348,6 +356,7 @@ printer_open(struct inode *inode, struct file *fd) + + spin_unlock_irqrestore(&dev->lock, flags); + ++ kref_get(&dev->kref); + DBG(dev, "printer_open returned %x\n", ret); + return ret; + } +@@ -365,6 +374,7 @@ printer_close(struct inode *inode, struct file *fd) + dev->printer_status &= ~PRINTER_SELECTED; + spin_unlock_irqrestore(&dev->lock, flags); + ++ kref_put(&dev->kref, printer_dev_free); + DBG(dev, "printer_close\n"); + + return 0; +@@ -1350,7 +1360,8 @@ static void gprinter_free(struct usb_function *f) + struct f_printer_opts *opts; + + opts = container_of(f->fi, struct f_printer_opts, func_inst); +- kfree(dev); ++ ++ kref_put(&dev->kref, printer_dev_free); + mutex_lock(&opts->lock); + --opts->refcnt; + mutex_unlock(&opts->lock); +@@ -1419,6 +1430,7 @@ static struct usb_function *gprinter_alloc(struct usb_function_instance *fi) + return ERR_PTR(-ENOMEM); + } + ++ kref_init(&dev->kref); + ++opts->refcnt; + dev->minor = opts->minor; + dev->pnp_string = opts->pnp_string; +-- +2.25.1 + diff --git a/queue-4.19/usb-gadget-u_ether-enable-qmult-on-superspeed-plus-a.patch b/queue-4.19/usb-gadget-u_ether-enable-qmult-on-superspeed-plus-a.patch new file mode 100644 index 00000000000..a2241fdcf8e --- /dev/null +++ b/queue-4.19/usb-gadget-u_ether-enable-qmult-on-superspeed-plus-a.patch @@ -0,0 +1,56 @@ +From 641a40739d777c5f7ab90f193d6c8883a0576e00 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Aug 2020 01:19:49 +0900 +Subject: usb: gadget: u_ether: enable qmult on SuperSpeed Plus as well +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lorenzo Colitti + +[ Upstream commit 4eea21dc67b0c6ba15ae41b1defa113a680a858e ] + +The u_ether driver has a qmult setting that multiplies the +transmit queue length (which by default is 2). + +The intent is that it should be enabled at high/super speed, but +because the code does not explicitly check for USB_SUPER_PLUS, +it is disabled at that speed. + +Fix this by ensuring that the queue multiplier is enabled for any +wired link at high speed or above. Using >= for USB_SPEED_* +constants seems correct because it is what the gadget_is_xxxspeed +functions do. + +The queue multiplier substantially helps performance at higher +speeds. On a direct SuperSpeed Plus link to a Linux laptop, +iperf3 single TCP stream: + +Before (qmult=1): 1.3 Gbps +After (qmult=5): 3.2 Gbps + +Fixes: 04617db7aa68 ("usb: gadget: add SS descriptors to Ethernet gadget") +Reviewed-by: Maciej Å»enczykowski +Signed-off-by: Lorenzo Colitti +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/u_ether.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c +index 0ef00315ec737..39ebc1b03698b 100644 +--- a/drivers/usb/gadget/function/u_ether.c ++++ b/drivers/usb/gadget/function/u_ether.c +@@ -93,7 +93,7 @@ struct eth_dev { + static inline int qlen(struct usb_gadget *gadget, unsigned qmult) + { + if (gadget_is_dualspeed(gadget) && (gadget->speed == USB_SPEED_HIGH || +- gadget->speed == USB_SPEED_SUPER)) ++ gadget->speed >= USB_SPEED_SUPER)) + return qmult * DEFAULT_QLEN; + else + return DEFAULT_QLEN; +-- +2.25.1 + diff --git a/queue-4.19/usb-ohci-default-to-per-port-over-current-protection.patch b/queue-4.19/usb-ohci-default-to-per-port-over-current-protection.patch new file mode 100644 index 00000000000..31966feb5e4 --- /dev/null +++ b/queue-4.19/usb-ohci-default-to-per-port-over-current-protection.patch @@ -0,0 +1,78 @@ +From 2073ac996c796229738c3d905947484a64f10e6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Sep 2020 09:25:11 +1200 +Subject: usb: ohci: Default to per-port over-current protection + +From: Hamish Martin + +[ Upstream commit b77d2a0a223bc139ee8904991b2922d215d02636 ] + +Some integrated OHCI controller hubs do not expose all ports of the hub +to pins on the SoC. In some cases the unconnected ports generate +spurious over-current events. For example the Broadcom 56060/Ranger 2 SoC +contains a nominally 3 port hub but only the first port is wired. + +Default behaviour for ohci-platform driver is to use global over-current +protection mode (AKA "ganged"). This leads to the spurious over-current +events affecting all ports in the hub. + +We now alter the default to use per-port over-current protection. + +This patch results in the following configuration changes depending +on quirks: +- For quirk OHCI_QUIRK_SUPERIO no changes. These systems remain set up + for ganged power switching and no over-current protection. +- For quirk OHCI_QUIRK_AMD756 or OHCI_QUIRK_HUB_POWER power switching + remains at none, while over-current protection is now guaranteed to be + set to per-port rather than the previous behaviour where it was either + none or global over-current protection depending on the value at + function entry. + +Suggested-by: Alan Stern +Acked-by: Alan Stern +Signed-off-by: Hamish Martin +Link: https://lore.kernel.org/r/20200910212512.16670-1-hamish.martin@alliedtelesis.co.nz +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/ohci-hcd.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/drivers/usb/host/ohci-hcd.c b/drivers/usb/host/ohci-hcd.c +index af11887f5f9e4..e88486d8084af 100644 +--- a/drivers/usb/host/ohci-hcd.c ++++ b/drivers/usb/host/ohci-hcd.c +@@ -665,20 +665,24 @@ static int ohci_run (struct ohci_hcd *ohci) + + /* handle root hub init quirks ... */ + val = roothub_a (ohci); +- val &= ~(RH_A_PSM | RH_A_OCPM); ++ /* Configure for per-port over-current protection by default */ ++ val &= ~RH_A_NOCP; ++ val |= RH_A_OCPM; + if (ohci->flags & OHCI_QUIRK_SUPERIO) { +- /* NSC 87560 and maybe others */ ++ /* NSC 87560 and maybe others. ++ * Ganged power switching, no over-current protection. ++ */ + val |= RH_A_NOCP; +- val &= ~(RH_A_POTPGT | RH_A_NPS); +- ohci_writel (ohci, val, &ohci->regs->roothub.a); ++ val &= ~(RH_A_POTPGT | RH_A_NPS | RH_A_PSM | RH_A_OCPM); + } else if ((ohci->flags & OHCI_QUIRK_AMD756) || + (ohci->flags & OHCI_QUIRK_HUB_POWER)) { + /* hub power always on; required for AMD-756 and some +- * Mac platforms. ganged overcurrent reporting, if any. ++ * Mac platforms. + */ + val |= RH_A_NPS; +- ohci_writel (ohci, val, &ohci->regs->roothub.a); + } ++ ohci_writel(ohci, val, &ohci->regs->roothub.a); ++ + ohci_writel (ohci, RH_HS_LPSC, &ohci->regs->roothub.status); + ohci_writel (ohci, (val & RH_A_NPS) ? 0 : RH_B_PPCM, + &ohci->regs->roothub.b); +-- +2.25.1 + diff --git a/queue-4.19/vfio-iommu-type1-fix-memory-leak-in-vfio_iommu_type1.patch b/queue-4.19/vfio-iommu-type1-fix-memory-leak-in-vfio_iommu_type1.patch new file mode 100644 index 00000000000..2c62c7b5a78 --- /dev/null +++ b/queue-4.19/vfio-iommu-type1-fix-memory-leak-in-vfio_iommu_type1.patch @@ -0,0 +1,39 @@ +From 99a321b3ecf526fc297cf1a45361b08bbf7a8448 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Oct 2020 17:35:58 +0800 +Subject: vfio iommu type1: Fix memory leak in vfio_iommu_type1_pin_pages + +From: Xiaoyang Xu + +[ Upstream commit 2e6cfd496f5b57034cf2aec738799571b5a52124 ] + +pfn is not added to pfn_list when vfio_add_to_pfn_list fails. +vfio_unpin_page_external will exit directly without calling +vfio_iova_put_vfio_pfn. This will lead to a memory leak. + +Fixes: a54eb55045ae ("vfio iommu type1: Add support for mediated devices") +Signed-off-by: Xiaoyang Xu +[aw: simplified logic, add Fixes] +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/vfio_iommu_type1.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c +index 05d8553635ee7..95ce167a8ad92 100644 +--- a/drivers/vfio/vfio_iommu_type1.c ++++ b/drivers/vfio/vfio_iommu_type1.c +@@ -636,7 +636,8 @@ static int vfio_iommu_type1_pin_pages(void *iommu_data, + + ret = vfio_add_to_pfn_list(dma, iova, phys_pfn[i]); + if (ret) { +- vfio_unpin_page_external(dma, iova, do_accounting); ++ if (put_pfn(phys_pfn[i], dma->prot) && do_accounting) ++ vfio_lock_acct(dma, -1, true); + goto pin_unwind; + } + } +-- +2.25.1 + diff --git a/queue-4.19/vfio-pci-clear-token-on-bypass-registration-failure.patch b/queue-4.19/vfio-pci-clear-token-on-bypass-registration-failure.patch new file mode 100644 index 00000000000..0ac03a6a194 --- /dev/null +++ b/queue-4.19/vfio-pci-clear-token-on-bypass-registration-failure.patch @@ -0,0 +1,47 @@ +From 4208baf3e4fc4bf241616322e8a602a6cd36ed98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Oct 2020 07:13:55 -0600 +Subject: vfio/pci: Clear token on bypass registration failure + +From: Alex Williamson + +[ Upstream commit 852b1beecb6ff9326f7ca4bc0fe69ae860ebdb9e ] + +The eventfd context is used as our irqbypass token, therefore if an +eventfd is re-used, our token is the same. The irqbypass code will +return an -EBUSY in this case, but we'll still attempt to unregister +the producer, where if that duplicate token still exists, results in +removing the wrong object. Clear the token of failed producers so +that they harmlessly fall out when unregistered. + +Fixes: 6d7425f109d2 ("vfio: Register/unregister irq_bypass_producer") +Reported-by: guomin chen +Tested-by: guomin chen +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/pci/vfio_pci_intrs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/vfio/pci/vfio_pci_intrs.c b/drivers/vfio/pci/vfio_pci_intrs.c +index bdfdd506bc588..c989f777bf771 100644 +--- a/drivers/vfio/pci/vfio_pci_intrs.c ++++ b/drivers/vfio/pci/vfio_pci_intrs.c +@@ -355,11 +355,13 @@ static int vfio_msi_set_vector_signal(struct vfio_pci_device *vdev, + vdev->ctx[vector].producer.token = trigger; + vdev->ctx[vector].producer.irq = irq; + ret = irq_bypass_register_producer(&vdev->ctx[vector].producer); +- if (unlikely(ret)) ++ if (unlikely(ret)) { + dev_info(&pdev->dev, + "irq bypass producer (token %p) registration fails: %d\n", + vdev->ctx[vector].producer.token, ret); + ++ vdev->ctx[vector].producer.token = NULL; ++ } + vdev->ctx[vector].trigger = trigger; + + return 0; +-- +2.25.1 + diff --git a/queue-4.19/video-fbdev-radeon-fix-memleak-in-radeonfb_pci_regis.patch b/queue-4.19/video-fbdev-radeon-fix-memleak-in-radeonfb_pci_regis.patch new file mode 100644 index 00000000000..ad8ce8bdd28 --- /dev/null +++ b/queue-4.19/video-fbdev-radeon-fix-memleak-in-radeonfb_pci_regis.patch @@ -0,0 +1,40 @@ +From 01a897bdfc242b4185672df05a84311c0115ec3d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Aug 2020 14:29:00 +0800 +Subject: video: fbdev: radeon: Fix memleak in radeonfb_pci_register + +From: Dinghao Liu + +[ Upstream commit fe6c6a4af2be8c15bac77f7ea160f947c04840d1 ] + +When radeon_kick_out_firmware_fb() fails, info should be +freed just like the subsequent error paths. + +Fixes: 069ee21a82344 ("fbdev: Fix loading of module radeonfb on PowerMac") +Signed-off-by: Dinghao Liu +Reviewed-by: Mathieu Malaterre +Cc: Kangjie Lu +Cc: Benjamin Herrenschmidt +Signed-off-by: Bartlomiej Zolnierkiewicz +Link: https://patchwork.freedesktop.org/patch/msgid/20200825062900.11210-1-dinghao.liu@zju.edu.cn +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/aty/radeon_base.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/aty/radeon_base.c b/drivers/video/fbdev/aty/radeon_base.c +index e8594bbaea609..c6109a385cac9 100644 +--- a/drivers/video/fbdev/aty/radeon_base.c ++++ b/drivers/video/fbdev/aty/radeon_base.c +@@ -2327,7 +2327,7 @@ static int radeonfb_pci_register(struct pci_dev *pdev, + + ret = radeon_kick_out_firmware_fb(pdev); + if (ret) +- return ret; ++ goto err_release_fb; + + /* request the mem regions */ + ret = pci_request_region(pdev, 0, "radeonfb framebuffer"); +-- +2.25.1 + diff --git a/queue-4.19/video-fbdev-sis-fix-null-ptr-dereference.patch b/queue-4.19/video-fbdev-sis-fix-null-ptr-dereference.patch new file mode 100644 index 00000000000..897980be215 --- /dev/null +++ b/queue-4.19/video-fbdev-sis-fix-null-ptr-dereference.patch @@ -0,0 +1,78 @@ +From bea5a8e615ac656972109f834f603b7a25138b6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Aug 2020 07:52:08 -0700 +Subject: video: fbdev: sis: fix null ptr dereference + +From: Tom Rix + +[ Upstream commit ad6f93e9cd56f0b10e9b22e3e137d17a1a035242 ] + +Clang static analysis reports this representative error + +init.c:2501:18: warning: Array access (from variable 'queuedata') results + in a null pointer dereference + templ |= ((queuedata[i] & 0xc0) << 3); + +This is the problem block of code + + if(ModeNo > 0x13) { + ... + if(SiS_Pr->ChipType == SIS_730) { + queuedata = &FQBQData730[0]; + } else { + queuedata = &FQBQData[0]; + } + } else { + + } + +queuedata is not set in the else block + +Reviewing the old code, the arrays FQBQData730 and FQBQData were +used directly. + +So hoist the setting of queuedata out of the if-else block. + +Fixes: 544393fe584d ("[PATCH] sisfb update") +Signed-off-by: Tom Rix +Cc: Thomas Winischhofer +Cc: Andrew Morton +Signed-off-by: Bartlomiej Zolnierkiewicz +Link: https://patchwork.freedesktop.org/patch/msgid/20200805145208.17727-1-trix@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/sis/init.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/drivers/video/fbdev/sis/init.c b/drivers/video/fbdev/sis/init.c +index dfe3eb769638b..fde27feae5d0c 100644 +--- a/drivers/video/fbdev/sis/init.c ++++ b/drivers/video/fbdev/sis/init.c +@@ -2428,6 +2428,11 @@ SiS_SetCRT1FIFO_630(struct SiS_Private *SiS_Pr, unsigned short ModeNo, + + i = 0; + ++ if (SiS_Pr->ChipType == SIS_730) ++ queuedata = &FQBQData730[0]; ++ else ++ queuedata = &FQBQData[0]; ++ + if(ModeNo > 0x13) { + + /* Get VCLK */ +@@ -2445,12 +2450,6 @@ SiS_SetCRT1FIFO_630(struct SiS_Private *SiS_Pr, unsigned short ModeNo, + /* Get half colordepth */ + colorth = colortharray[(SiS_Pr->SiS_ModeType - ModeEGA)]; + +- if(SiS_Pr->ChipType == SIS_730) { +- queuedata = &FQBQData730[0]; +- } else { +- queuedata = &FQBQData[0]; +- } +- + do { + templ = SiS_CalcDelay2(SiS_Pr, queuedata[i]) * VCLK * colorth; + +-- +2.25.1 + diff --git a/queue-4.19/video-fbdev-vga16fb-fix-setting-of-pixclock-because-.patch b/queue-4.19/video-fbdev-vga16fb-fix-setting-of-pixclock-because-.patch new file mode 100644 index 00000000000..d5ea704cb38 --- /dev/null +++ b/queue-4.19/video-fbdev-vga16fb-fix-setting-of-pixclock-because-.patch @@ -0,0 +1,87 @@ +From 4da361fe887080d3036d5dcb1b0be9cb33cfdc10 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jul 2020 18:02:27 +0100 +Subject: video: fbdev: vga16fb: fix setting of pixclock because a + pass-by-value error + +From: Colin Ian King + +[ Upstream commit c72fab81ceaa54408b827a2f0486d9a0f4be34cf ] + +The pixclock is being set locally because it is being passed as a +pass-by-value argument rather than pass-by-reference, so the computed +pixclock is never being set in var->pixclock. Fix this by passing +by reference. + +[This dates back to 2002, I found the offending commit from the git +history git://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git ] + +Addresses-Coverity: ("Unused value") +Signed-off-by: Colin Ian King +Cc: Daniel Vetter +Cc: Jani Nikula +[b.zolnierkie: minor patch summary fixup] +[b.zolnierkie: removed "Fixes:" tag (not in upstream tree)] +Signed-off-by: Bartlomiej Zolnierkiewicz +Link: https://patchwork.freedesktop.org/patch/msgid/20200723170227.996229-1-colin.king@canonical.com +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/vga16fb.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/video/fbdev/vga16fb.c b/drivers/video/fbdev/vga16fb.c +index 4b83109202b1c..3c4d20618de4c 100644 +--- a/drivers/video/fbdev/vga16fb.c ++++ b/drivers/video/fbdev/vga16fb.c +@@ -243,7 +243,7 @@ static void vga16fb_update_fix(struct fb_info *info) + } + + static void vga16fb_clock_chip(struct vga16fb_par *par, +- unsigned int pixclock, ++ unsigned int *pixclock, + const struct fb_info *info, + int mul, int div) + { +@@ -259,14 +259,14 @@ static void vga16fb_clock_chip(struct vga16fb_par *par, + { 0 /* bad */, 0x00, 0x00}}; + int err; + +- pixclock = (pixclock * mul) / div; ++ *pixclock = (*pixclock * mul) / div; + best = vgaclocks; +- err = pixclock - best->pixclock; ++ err = *pixclock - best->pixclock; + if (err < 0) err = -err; + for (ptr = vgaclocks + 1; ptr->pixclock; ptr++) { + int tmp; + +- tmp = pixclock - ptr->pixclock; ++ tmp = *pixclock - ptr->pixclock; + if (tmp < 0) tmp = -tmp; + if (tmp < err) { + err = tmp; +@@ -275,7 +275,7 @@ static void vga16fb_clock_chip(struct vga16fb_par *par, + } + par->misc |= best->misc; + par->clkdiv = best->seq_clock_mode; +- pixclock = (best->pixclock * div) / mul; ++ *pixclock = (best->pixclock * div) / mul; + } + + #define FAIL(X) return -EINVAL +@@ -497,10 +497,10 @@ static int vga16fb_check_var(struct fb_var_screeninfo *var, + + if (mode & MODE_8BPP) + /* pixel clock == vga clock / 2 */ +- vga16fb_clock_chip(par, var->pixclock, info, 1, 2); ++ vga16fb_clock_chip(par, &var->pixclock, info, 1, 2); + else + /* pixel clock == vga clock */ +- vga16fb_clock_chip(par, var->pixclock, info, 1, 1); ++ vga16fb_clock_chip(par, &var->pixclock, info, 1, 1); + + var->red.offset = var->green.offset = var->blue.offset = + var->transp.offset = 0; +-- +2.25.1 + diff --git a/queue-4.19/vmci-check-return-value-of-get_user_pages_fast-for-e.patch b/queue-4.19/vmci-check-return-value-of-get_user_pages_fast-for-e.patch new file mode 100644 index 00000000000..adb90fc544d --- /dev/null +++ b/queue-4.19/vmci-check-return-value-of-get_user_pages_fast-for-e.patch @@ -0,0 +1,57 @@ +From d1f9db575cdaaa9a70af2a6e2482e11788356082 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Aug 2020 17:45:18 +0100 +Subject: VMCI: check return value of get_user_pages_fast() for errors + +From: Alex Dewar + +[ Upstream commit 90ca6333fd65f318c47bff425e1ea36c0a5539f6 ] + +In a couple of places in qp_host_get_user_memory(), +get_user_pages_fast() is called without properly checking for errors. If +e.g. -EFAULT is returned, this negative value will then be passed on to +qp_release_pages(), which expects a u64 as input. + +Fix this by only calling qp_release_pages() when we have a positive +number returned. + +Fixes: 06164d2b72aa ("VMCI: queue pairs implementation.") +Signed-off-by: Alex Dewar +Link: https://lore.kernel.org/r/20200825164522.412392-1-alex.dewar90@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/vmw_vmci/vmci_queue_pair.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/misc/vmw_vmci/vmci_queue_pair.c b/drivers/misc/vmw_vmci/vmci_queue_pair.c +index bd52f29b4a4e2..5e0d1ac67f73f 100644 +--- a/drivers/misc/vmw_vmci/vmci_queue_pair.c ++++ b/drivers/misc/vmw_vmci/vmci_queue_pair.c +@@ -671,8 +671,9 @@ static int qp_host_get_user_memory(u64 produce_uva, + if (retval < (int)produce_q->kernel_if->num_pages) { + pr_debug("get_user_pages_fast(produce) failed (retval=%d)", + retval); +- qp_release_pages(produce_q->kernel_if->u.h.header_page, +- retval, false); ++ if (retval > 0) ++ qp_release_pages(produce_q->kernel_if->u.h.header_page, ++ retval, false); + err = VMCI_ERROR_NO_MEM; + goto out; + } +@@ -683,8 +684,9 @@ static int qp_host_get_user_memory(u64 produce_uva, + if (retval < (int)consume_q->kernel_if->num_pages) { + pr_debug("get_user_pages_fast(consume) failed (retval=%d)", + retval); +- qp_release_pages(consume_q->kernel_if->u.h.header_page, +- retval, false); ++ if (retval > 0) ++ qp_release_pages(consume_q->kernel_if->u.h.header_page, ++ retval, false); + qp_release_pages(produce_q->kernel_if->u.h.header_page, + produce_q->kernel_if->num_pages, false); + err = VMCI_ERROR_NO_MEM; +-- +2.25.1 + diff --git a/queue-4.19/watchdog-fix-memleak-in-watchdog_cdev_register.patch b/queue-4.19/watchdog-fix-memleak-in-watchdog_cdev_register.patch new file mode 100644 index 00000000000..0e67a6d301e --- /dev/null +++ b/queue-4.19/watchdog-fix-memleak-in-watchdog_cdev_register.patch @@ -0,0 +1,42 @@ +From 59777eab3ffbf0bfff9d7bce0b5d489e0f7b1b81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Aug 2020 10:40:01 +0800 +Subject: watchdog: Fix memleak in watchdog_cdev_register + +From: Dinghao Liu + +[ Upstream commit 5afb6d203d0293512aa2c6ae098274a2a4f6ed02 ] + +When watchdog_kworker is NULL, we should free wd_data +before the function returns to prevent memleak. + +Fixes: 664a39236e718 ("watchdog: Introduce hardware maximum heartbeat in watchdog core") +Signed-off-by: Dinghao Liu +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20200824024001.25474-1-dinghao.liu@zju.edu.cn +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/watchdog_dev.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/watchdog/watchdog_dev.c b/drivers/watchdog/watchdog_dev.c +index 1c322caecf7f1..1e4921f89fb52 100644 +--- a/drivers/watchdog/watchdog_dev.c ++++ b/drivers/watchdog/watchdog_dev.c +@@ -944,8 +944,10 @@ static int watchdog_cdev_register(struct watchdog_device *wdd) + wd_data->wdd = wdd; + wdd->wd_data = wd_data; + +- if (IS_ERR_OR_NULL(watchdog_kworker)) ++ if (IS_ERR_OR_NULL(watchdog_kworker)) { ++ kfree(wd_data); + return -ENODEV; ++ } + + device_initialize(&wd_data->dev); + wd_data->dev.devt = MKDEV(MAJOR(watchdog_devt), wdd->id); +-- +2.25.1 + diff --git a/queue-4.19/watchdog-sp5100-fix-definition-of-efch_pm_decodeen3.patch b/queue-4.19/watchdog-sp5100-fix-definition-of-efch_pm_decodeen3.patch new file mode 100644 index 00000000000..42ece7c6487 --- /dev/null +++ b/queue-4.19/watchdog-sp5100-fix-definition-of-efch_pm_decodeen3.patch @@ -0,0 +1,39 @@ +From 5f5f5d0fd983efce718533eaa0e396a9e0f5282b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Sep 2020 09:31:08 -0700 +Subject: watchdog: sp5100: Fix definition of EFCH_PM_DECODEEN3 + +From: Guenter Roeck + +[ Upstream commit 08c619b4923056b5dd2d5045757468c76ad0e3fe ] + +EFCH_PM_DECODEEN3 is supposed to access DECODEEN register bits 24..31, +in other words the register at byte offset 3. + +Cc: Jan Kiszka +Fixes: 887d2ec51e34b ("watchdog: sp5100_tco: Add support for recent FCH versions") +Tested-by: Jan Kiszka +Link: https://lore.kernel.org/r/20200910163109.235136-1-linux@roeck-us.net +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/sp5100_tco.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/watchdog/sp5100_tco.h b/drivers/watchdog/sp5100_tco.h +index 87eaf357ae01f..adf015aa4126f 100644 +--- a/drivers/watchdog/sp5100_tco.h ++++ b/drivers/watchdog/sp5100_tco.h +@@ -70,7 +70,7 @@ + #define EFCH_PM_DECODEEN_WDT_TMREN BIT(7) + + +-#define EFCH_PM_DECODEEN3 0x00 ++#define EFCH_PM_DECODEEN3 0x03 + #define EFCH_PM_DECODEEN_SECOND_RES GENMASK(1, 0) + #define EFCH_PM_WATCHDOG_DISABLE ((u8)GENMASK(3, 2)) + +-- +2.25.1 + diff --git a/queue-4.19/watchdog-use-put_device-on-error.patch b/queue-4.19/watchdog-use-put_device-on-error.patch new file mode 100644 index 00000000000..81b1e861ef0 --- /dev/null +++ b/queue-4.19/watchdog-use-put_device-on-error.patch @@ -0,0 +1,39 @@ +From dfe54f1176eb0aed036c29d15d616752c765cf19 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Aug 2020 11:12:30 +0800 +Subject: watchdog: Use put_device on error + +From: Dinghao Liu + +[ Upstream commit 937425d4cd3ae4e2882b41e332bbbab616bcf0ad ] + +We should use put_device() instead of freeing device +directly after device_initialize(). + +Fixes: cb36e29bb0e4b ("watchdog: initialize device before misc_register") +Signed-off-by: Dinghao Liu +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20200824031230.31050-1-dinghao.liu@zju.edu.cn +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/watchdog_dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/watchdog/watchdog_dev.c b/drivers/watchdog/watchdog_dev.c +index 1e4921f89fb52..8fe59b7d8eec8 100644 +--- a/drivers/watchdog/watchdog_dev.c ++++ b/drivers/watchdog/watchdog_dev.c +@@ -973,7 +973,7 @@ static int watchdog_cdev_register(struct watchdog_device *wdd) + pr_err("%s: a legacy watchdog module is probably present.\n", + wdd->info->identity); + old_wd_data = NULL; +- kfree(wd_data); ++ put_device(&wd_data->dev); + return err; + } + } +-- +2.25.1 + diff --git a/queue-4.19/wcn36xx-fix-reported-802.11n-rx_highest-rate-wcn3660.patch b/queue-4.19/wcn36xx-fix-reported-802.11n-rx_highest-rate-wcn3660.patch new file mode 100644 index 00000000000..cc30fbba8f9 --- /dev/null +++ b/queue-4.19/wcn36xx-fix-reported-802.11n-rx_highest-rate-wcn3660.patch @@ -0,0 +1,41 @@ +From 1e3f88bf7f55cba105dea197627e06871b0eaf1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 01:48:24 +0100 +Subject: wcn36xx: Fix reported 802.11n rx_highest rate wcn3660/wcn3680 + +From: Bryan O'Donoghue + +[ Upstream commit 3b9fb6791e7113679b1eb472e6ce1659e80f5797 ] + +Qualcomm's document "80-WL007-1 Rev. J" states that the highest rx rate for +the WCN3660 and WCN3680 on MCS 7 is 150 Mbps not the 72 Mbps stated here. + +This patch fixes the data-rate declared in the 5GHz table. + +Fixes: 8e84c2582169 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680 +hardware") + +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200802004824.1307124-1-bryan.odonoghue@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/wcn36xx/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/wcn36xx/main.c b/drivers/net/wireless/ath/wcn36xx/main.c +index ad051f34e65b2..46ae4ec4ad47d 100644 +--- a/drivers/net/wireless/ath/wcn36xx/main.c ++++ b/drivers/net/wireless/ath/wcn36xx/main.c +@@ -163,7 +163,7 @@ static struct ieee80211_supported_band wcn_band_5ghz = { + .ampdu_density = IEEE80211_HT_MPDU_DENSITY_16, + .mcs = { + .rx_mask = { 0xff, 0, 0, 0, 0, 0, 0, 0, 0, 0, }, +- .rx_highest = cpu_to_le16(72), ++ .rx_highest = cpu_to_le16(150), + .tx_params = IEEE80211_HT_MCS_TX_DEFINED, + } + } +-- +2.25.1 + diff --git a/queue-4.19/x86-events-amd-iommu-fix-sizeof-mismatch.patch b/queue-4.19/x86-events-amd-iommu-fix-sizeof-mismatch.patch new file mode 100644 index 00000000000..c809543fb88 --- /dev/null +++ b/queue-4.19/x86-events-amd-iommu-fix-sizeof-mismatch.patch @@ -0,0 +1,40 @@ +From 1914aa2c06f0ace910fc39ae75a0c6a83831a8aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Oct 2020 12:39:00 +0100 +Subject: x86/events/amd/iommu: Fix sizeof mismatch + +From: Colin Ian King + +[ Upstream commit 59d5396a4666195f89a67e118e9e627ddd6f53a1 ] + +An incorrect sizeof is being used, struct attribute ** is not correct, +it should be struct attribute *. Note that since ** is the same size as +* this is not causing any issues. Improve this fix by using sizeof(*attrs) +as this allows us to not even reference the type of the pointer. + +Addresses-Coverity: ("Sizeof not portable (SIZEOF_MISMATCH)") +Fixes: 51686546304f ("x86/events/amd/iommu: Fix sysfs perf attribute groups") +Signed-off-by: Colin Ian King +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20201001113900.58889-1-colin.king@canonical.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/amd/iommu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/events/amd/iommu.c b/arch/x86/events/amd/iommu.c +index 3210fee27e7f9..0014d26391fa6 100644 +--- a/arch/x86/events/amd/iommu.c ++++ b/arch/x86/events/amd/iommu.c +@@ -387,7 +387,7 @@ static __init int _init_events_attrs(void) + while (amd_iommu_v2_event_descs[i].attr.attr.name) + i++; + +- attrs = kcalloc(i + 1, sizeof(struct attribute **), GFP_KERNEL); ++ attrs = kcalloc(i + 1, sizeof(*attrs), GFP_KERNEL); + if (!attrs) + return -ENOMEM; + +-- +2.25.1 + diff --git a/queue-4.19/x86-fpu-allow-multiple-bits-in-clearcpuid-parameter.patch b/queue-4.19/x86-fpu-allow-multiple-bits-in-clearcpuid-parameter.patch new file mode 100644 index 00000000000..5027633e607 --- /dev/null +++ b/queue-4.19/x86-fpu-allow-multiple-bits-in-clearcpuid-parameter.patch @@ -0,0 +1,102 @@ +From 0d1d35198a6286b70206ef821520b497c5cd1085 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 17:39:19 -0400 +Subject: x86/fpu: Allow multiple bits in clearcpuid= parameter + +From: Arvind Sankar + +[ Upstream commit 0a4bb5e5507a585532cc413125b921c8546fc39f ] + +Commit + + 0c2a3913d6f5 ("x86/fpu: Parse clearcpuid= as early XSAVE argument") + +changed clearcpuid parsing from __setup() to cmdline_find_option(). +While the __setup() function would have been called for each clearcpuid= +parameter on the command line, cmdline_find_option() will only return +the last one, so the change effectively made it impossible to disable +more than one bit. + +Allow a comma-separated list of bit numbers as the argument for +clearcpuid to allow multiple bits to be disabled again. Log the bits +being disabled for informational purposes. + +Also fix the check on the return value of cmdline_find_option(). It +returns -1 when the option is not found, so testing as a boolean is +incorrect. + +Fixes: 0c2a3913d6f5 ("x86/fpu: Parse clearcpuid= as early XSAVE argument") +Signed-off-by: Arvind Sankar +Signed-off-by: Borislav Petkov +Link: https://lkml.kernel.org/r/20200907213919.2423441-1-nivedita@alum.mit.edu +Signed-off-by: Sasha Levin +--- + .../admin-guide/kernel-parameters.txt | 2 +- + arch/x86/kernel/fpu/init.c | 30 ++++++++++++++----- + 2 files changed, 23 insertions(+), 9 deletions(-) + +diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt +index 30752db575870..fb129272240c9 100644 +--- a/Documentation/admin-guide/kernel-parameters.txt ++++ b/Documentation/admin-guide/kernel-parameters.txt +@@ -558,7 +558,7 @@ + loops can be debugged more effectively on production + systems. + +- clearcpuid=BITNUM [X86] ++ clearcpuid=BITNUM[,BITNUM...] [X86] + Disable CPUID feature X for the kernel. See + arch/x86/include/asm/cpufeatures.h for the valid bit + numbers. Note the Linux specific bits are not necessarily +diff --git a/arch/x86/kernel/fpu/init.c b/arch/x86/kernel/fpu/init.c +index 6abd83572b016..9692ccc583bb3 100644 +--- a/arch/x86/kernel/fpu/init.c ++++ b/arch/x86/kernel/fpu/init.c +@@ -249,9 +249,9 @@ static void __init fpu__init_system_ctx_switch(void) + */ + static void __init fpu__init_parse_early_param(void) + { +- char arg[32]; ++ char arg[128]; + char *argptr = arg; +- int bit; ++ int arglen, res, bit; + + if (cmdline_find_option_bool(boot_command_line, "no387")) + setup_clear_cpu_cap(X86_FEATURE_FPU); +@@ -271,12 +271,26 @@ static void __init fpu__init_parse_early_param(void) + if (cmdline_find_option_bool(boot_command_line, "noxsaves")) + setup_clear_cpu_cap(X86_FEATURE_XSAVES); + +- if (cmdline_find_option(boot_command_line, "clearcpuid", arg, +- sizeof(arg)) && +- get_option(&argptr, &bit) && +- bit >= 0 && +- bit < NCAPINTS * 32) +- setup_clear_cpu_cap(bit); ++ arglen = cmdline_find_option(boot_command_line, "clearcpuid", arg, sizeof(arg)); ++ if (arglen <= 0) ++ return; ++ ++ pr_info("Clearing CPUID bits:"); ++ do { ++ res = get_option(&argptr, &bit); ++ if (res == 0 || res == 3) ++ break; ++ ++ /* If the argument was too long, the last bit may be cut off */ ++ if (res == 1 && arglen >= sizeof(arg)) ++ break; ++ ++ if (bit >= 0 && bit < NCAPINTS * 32) { ++ pr_cont(" " X86_CAP_FMT, x86_cap_flag(bit)); ++ setup_clear_cpu_cap(bit); ++ } ++ } while (res == 2); ++ pr_cont("\n"); + } + + /* +-- +2.25.1 + diff --git a/queue-4.19/x86-nmi-fix-nmi_handle-duration-miscalculation.patch b/queue-4.19/x86-nmi-fix-nmi_handle-duration-miscalculation.patch new file mode 100644 index 00000000000..a205cbd1381 --- /dev/null +++ b/queue-4.19/x86-nmi-fix-nmi_handle-duration-miscalculation.patch @@ -0,0 +1,57 @@ +From 73b1edf46669a5d0f2b25847026756591a2eee59 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 10:56:41 +0800 +Subject: x86/nmi: Fix nmi_handle() duration miscalculation + +From: Libing Zhou + +[ Upstream commit f94c91f7ba3ba7de2bc8aa31be28e1abb22f849e ] + +When nmi_check_duration() is checking the time an NMI handler took to +execute, the whole_msecs value used should be read from the @duration +argument, not from the ->max_duration, the latter being used to store +the current maximal duration. + + [ bp: Rewrite commit message. ] + +Fixes: 248ed51048c4 ("x86/nmi: Remove irq_work from the long duration NMI handler") +Suggested-by: Peter Zijlstra (Intel) +Signed-off-by: Libing Zhou +Signed-off-by: Borislav Petkov +Cc: Changbin Du +Link: https://lkml.kernel.org/r/20200820025641.44075-1-libing.zhou@nokia-sbell.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/nmi.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/kernel/nmi.c b/arch/x86/kernel/nmi.c +index 0f8b9b900b0e7..996eb53f8eb75 100644 +--- a/arch/x86/kernel/nmi.c ++++ b/arch/x86/kernel/nmi.c +@@ -104,7 +104,6 @@ fs_initcall(nmi_warning_debugfs); + + static void nmi_check_duration(struct nmiaction *action, u64 duration) + { +- u64 whole_msecs = READ_ONCE(action->max_duration); + int remainder_ns, decimal_msecs; + + if (duration < nmi_longest_ns || duration < action->max_duration) +@@ -112,12 +111,12 @@ static void nmi_check_duration(struct nmiaction *action, u64 duration) + + action->max_duration = duration; + +- remainder_ns = do_div(whole_msecs, (1000 * 1000)); ++ remainder_ns = do_div(duration, (1000 * 1000)); + decimal_msecs = remainder_ns / 1000; + + printk_ratelimited(KERN_INFO + "INFO: NMI handler (%ps) took too long to run: %lld.%03d msecs\n", +- action->handler, whole_msecs, decimal_msecs); ++ action->handler, duration, decimal_msecs); + } + + static int nmi_handle(unsigned int type, struct pt_regs *regs) +-- +2.25.1 + diff --git a/queue-4.19/xfs-fix-high-key-handling-in-the-rt-allocator-s-quer.patch b/queue-4.19/xfs-fix-high-key-handling-in-the-rt-allocator-s-quer.patch new file mode 100644 index 00000000000..44836d6d7f5 --- /dev/null +++ b/queue-4.19/xfs-fix-high-key-handling-in-the-rt-allocator-s-quer.patch @@ -0,0 +1,100 @@ +From 57ae99d99202c234301ae8c31ad7ca35a6640e55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Oct 2020 08:46:27 -0700 +Subject: xfs: fix high key handling in the rt allocator's query_range function + +From: Darrick J. Wong + +[ Upstream commit d88850bd5516a77c6f727e8b6cefb64e0cc929c7 ] + +Fix some off-by-one errors in xfs_rtalloc_query_range. The highest key +in the realtime bitmap is always one less than the number of rt extents, +which means that the key clamp at the start of the function is wrong. +The 4th argument to xfs_rtfind_forw is the highest rt extent that we +want to probe, which means that passing 1 less than the high key is +wrong. Finally, drop the rem variable that controls the loop because we +can compare the iteration point (rtstart) against the high key directly. + +The sordid history of this function is that the original commit (fb3c3) +incorrectly passed (high_rec->ar_startblock - 1) as the 'limit' parameter +to xfs_rtfind_forw. This was wrong because the "high key" is supposed +to be the largest key for which the caller wants result rows, not the +key for the first row that could possibly be outside the range that the +caller wants to see. + +A subsequent attempt (8ad56) to strengthen the parameter checking added +incorrect clamping of the parameters to the number of rt blocks in the +system (despite the bitmap functions all taking units of rt extents) to +avoid querying ranges past the end of rt bitmap file but failed to fix +the incorrect _rtfind_forw parameter. The original _rtfind_forw +parameter error then survived the conversion of the startblock and +blockcount fields to rt extents (a0e5c), and the most recent off-by-one +fix (a3a37) thought it was patching a problem when the end of the rt +volume is not in use, but none of these fixes actually solved the +original problem that the author was confused about the "limit" argument +to xfs_rtfind_forw. + +Sadly, all four of these patches were written by this author and even +his own usage of this function and rt testing were inadequate to get +this fixed quickly. + +Original-problem: fb3c3de2f65c ("xfs: add a couple of queries to iterate free extents in the rtbitmap") +Not-fixed-by: 8ad560d2565e ("xfs: strengthen rtalloc query range checks") +Not-fixed-by: a0e5c435babd ("xfs: fix xfs_rtalloc_rec units") +Fixes: a3a374bf1889 ("xfs: fix off-by-one error in xfs_rtalloc_query_range") +Signed-off-by: Darrick J. Wong +Reviewed-by: Chandan Babu R +Signed-off-by: Sasha Levin +--- + fs/xfs/libxfs/xfs_rtbitmap.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +diff --git a/fs/xfs/libxfs/xfs_rtbitmap.c b/fs/xfs/libxfs/xfs_rtbitmap.c +index b228c821bae68..fe7323032e785 100644 +--- a/fs/xfs/libxfs/xfs_rtbitmap.c ++++ b/fs/xfs/libxfs/xfs_rtbitmap.c +@@ -1020,7 +1020,6 @@ xfs_rtalloc_query_range( + struct xfs_mount *mp = tp->t_mountp; + xfs_rtblock_t rtstart; + xfs_rtblock_t rtend; +- xfs_rtblock_t rem; + int is_free; + int error = 0; + +@@ -1029,13 +1028,12 @@ xfs_rtalloc_query_range( + if (low_rec->ar_startext >= mp->m_sb.sb_rextents || + low_rec->ar_startext == high_rec->ar_startext) + return 0; +- if (high_rec->ar_startext > mp->m_sb.sb_rextents) +- high_rec->ar_startext = mp->m_sb.sb_rextents; ++ high_rec->ar_startext = min(high_rec->ar_startext, ++ mp->m_sb.sb_rextents - 1); + + /* Iterate the bitmap, looking for discrepancies. */ + rtstart = low_rec->ar_startext; +- rem = high_rec->ar_startext - rtstart; +- while (rem) { ++ while (rtstart <= high_rec->ar_startext) { + /* Is the first block free? */ + error = xfs_rtcheck_range(mp, tp, rtstart, 1, 1, &rtend, + &is_free); +@@ -1044,7 +1042,7 @@ xfs_rtalloc_query_range( + + /* How long does the extent go for? */ + error = xfs_rtfind_forw(mp, tp, rtstart, +- high_rec->ar_startext - 1, &rtend); ++ high_rec->ar_startext, &rtend); + if (error) + break; + +@@ -1057,7 +1055,6 @@ xfs_rtalloc_query_range( + break; + } + +- rem -= rtend - rtstart + 1; + rtstart = rtend + 1; + } + +-- +2.25.1 + diff --git a/queue-4.19/xfs-limit-entries-returned-when-counting-fsmap-recor.patch b/queue-4.19/xfs-limit-entries-returned-when-counting-fsmap-recor.patch new file mode 100644 index 00000000000..1034366cdf9 --- /dev/null +++ b/queue-4.19/xfs-limit-entries-returned-when-counting-fsmap-recor.patch @@ -0,0 +1,40 @@ +From d04c0d434ba47a94d0f9f46d1b30c37795ec63d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Oct 2020 10:56:07 -0700 +Subject: xfs: limit entries returned when counting fsmap records + +From: Darrick J. Wong + +[ Upstream commit acd1ac3aa22fd58803a12d26b1ab7f70232f8d8d ] + +If userspace asked fsmap to count the number of entries, we cannot +return more than UINT_MAX entries because fmh_entries is u32. +Therefore, stop counting if we hit this limit or else we will waste time +to return truncated results. + +Fixes: e89c041338ed ("xfs: implement the GETFSMAP ioctl") +Signed-off-by: Darrick J. Wong +Reviewed-by: Christoph Hellwig +Reviewed-by: Chandan Babu R +Signed-off-by: Sasha Levin +--- + fs/xfs/xfs_fsmap.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/xfs/xfs_fsmap.c b/fs/xfs/xfs_fsmap.c +index 3d76a9e35870a..75b57b683d3e6 100644 +--- a/fs/xfs/xfs_fsmap.c ++++ b/fs/xfs/xfs_fsmap.c +@@ -259,6 +259,9 @@ xfs_getfsmap_helper( + + /* Are we just counting mappings? */ + if (info->head->fmh_count == 0) { ++ if (info->head->fmh_entries == UINT_MAX) ++ return -ECANCELED; ++ + if (rec_daddr > info->next_daddr) + info->head->fmh_entries++; + +-- +2.25.1 + diff --git a/queue-4.19/xfs-make-sure-the-rt-allocator-doesn-t-run-off-the-e.patch b/queue-4.19/xfs-make-sure-the-rt-allocator-doesn-t-run-off-the-e.patch new file mode 100644 index 00000000000..eb1bd0a9ee9 --- /dev/null +++ b/queue-4.19/xfs-make-sure-the-rt-allocator-doesn-t-run-off-the-e.patch @@ -0,0 +1,58 @@ +From 404f787d180084ad55b6f0645aa779ac959242f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Sep 2020 14:21:06 -0700 +Subject: xfs: make sure the rt allocator doesn't run off the end + +From: Darrick J. Wong + +[ Upstream commit 2a6ca4baed620303d414934aa1b7b0a8e7bab05f ] + +There's an overflow bug in the realtime allocator. If the rt volume is +large enough to handle a single allocation request that is larger than +the maximum bmap extent length and the rt bitmap ends exactly on a +bitmap block boundary, it's possible that the near allocator will try to +check the freeness of a range that extends past the end of the bitmap. +This fails with a corruption error and shuts down the fs. + +Therefore, constrain maxlen so that the range scan cannot run off the +end of the rt bitmap. + +Signed-off-by: Darrick J. Wong +Reviewed-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + fs/xfs/xfs_rtalloc.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/fs/xfs/xfs_rtalloc.c b/fs/xfs/xfs_rtalloc.c +index 484eb0adcefb2..08da48b662358 100644 +--- a/fs/xfs/xfs_rtalloc.c ++++ b/fs/xfs/xfs_rtalloc.c +@@ -245,6 +245,9 @@ xfs_rtallocate_extent_block( + end = XFS_BLOCKTOBIT(mp, bbno + 1) - 1; + i <= end; + i++) { ++ /* Make sure we don't scan off the end of the rt volume. */ ++ maxlen = min(mp->m_sb.sb_rextents, i + maxlen) - i; ++ + /* + * See if there's a free extent of maxlen starting at i. + * If it's not so then next will contain the first non-free. +@@ -440,6 +443,14 @@ xfs_rtallocate_extent_near( + */ + if (bno >= mp->m_sb.sb_rextents) + bno = mp->m_sb.sb_rextents - 1; ++ ++ /* Make sure we don't run off the end of the rt volume. */ ++ maxlen = min(mp->m_sb.sb_rextents, bno + maxlen) - bno; ++ if (maxlen < minlen) { ++ *rtblock = NULLRTBLOCK; ++ return 0; ++ } ++ + /* + * Try the exact allocation first. + */ +-- +2.25.1 +