From: Sasha Levin
Date: Sat, 2 Apr 2022 12:59:32 +0000 (-0400)
Subject: Fixes for 4.19
X-Git-Tag: v5.17.2~173^2~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b4a4801771918dc3803ab5fc23951a22f9067906;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for 4.19
Signed-off-by: Sasha Levin
---
diff --git a/queue-4.19/acpi-apei-fix-return-value-of-__setup-handlers.patch b/queue-4.19/acpi-apei-fix-return-value-of-__setup-handlers.patch
new file mode 100644
index 00000000000..9735fe5cc45
--- /dev/null
+++ b/queue-4.19/acpi-apei-fix-return-value-of-__setup-handlers.patch
@@ -0,0 +1,86 @@
+From 9c96431dfc39ac66cb31fb709b3981b2dc2e2a8c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 5 Mar 2022 18:46:20 -0800
+Subject: ACPI: APEI: fix return value of __setup handlers
+
+From: Randy Dunlap
+
+[ Upstream commit f3303ff649dbf7dcdc6a6e1a922235b12b3028f4 ]
+
+__setup() handlers should return 1 to indicate that the boot option
+has been handled. Returning 0 causes a boot option to be listed in
+the Unknown kernel command line parameters and also added to init's
+arg list (if no '=' sign) or environment list (if of the form 'a=b').
+
+Unknown kernel command line parameters "erst_disable
+ bert_disable hest_disable BOOT_IMAGE=/boot/bzImage-517rc6", will be
+ passed to user space.
+
+ Run /sbin/init as init process
+ with arguments:
+ /sbin/init
+ erst_disable
+ bert_disable
+ hest_disable
+ with environment:
+ HOME=/
+ TERM=linux
+ BOOT_IMAGE=/boot/bzImage-517rc6
+
+Fixes: a3e2acc5e37b ("ACPI / APEI: Add Boot Error Record Table (BERT) support")
+Fixes: a08f82d08053 ("ACPI, APEI, Error Record Serialization Table (ERST) support")
+Fixes: 9dc966641677 ("ACPI, APEI, HEST table parsing")
+Signed-off-by: Randy Dunlap
+Reported-by: Igor Zhbanov
+Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru
+Reviewed-by: "Huang, Ying"
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/acpi/apei/bert.c | 2 +-
+ drivers/acpi/apei/erst.c | 2 +-
+ drivers/acpi/apei/hest.c | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/acpi/apei/bert.c b/drivers/acpi/apei/bert.c
+index 12771fcf0417..876824948c19 100644
+--- a/drivers/acpi/apei/bert.c
++++ b/drivers/acpi/apei/bert.c
+@@ -82,7 +82,7 @@ static int __init setup_bert_disable(char *str)
+ {
+ bert_disable = 1;
+
+- return 0;
++ return 1;
+ }
+ __setup("bert_disable", setup_bert_disable);
+
+diff --git a/drivers/acpi/apei/erst.c b/drivers/acpi/apei/erst.c
+index ab8faa6d6616..445e85394db6 100644
+--- a/drivers/acpi/apei/erst.c
++++ b/drivers/acpi/apei/erst.c
+@@ -899,7 +899,7 @@ EXPORT_SYMBOL_GPL(erst_clear);
+ static int __init setup_erst_disable(char *str)
+ {
+ erst_disable = 1;
+- return 0;
++ return 1;
+ }
+
+ __setup("erst_disable", setup_erst_disable);
+diff --git a/drivers/acpi/apei/hest.c b/drivers/acpi/apei/hest.c
+index b1e9f81ebeea..d536e4d132eb 100644
+--- a/drivers/acpi/apei/hest.c
++++ b/drivers/acpi/apei/hest.c
+@@ -215,7 +215,7 @@ static int __init hest_ghes_dev_register(unsigned int ghes_count)
+ static int __init setup_hest_disable(char *str)
+ {
+ hest_disable = HEST_DISABLED;
+- return 0;
++ return 1;
+ }
+
+ __setup("hest_disable", setup_hest_disable);
+--
+2.34.1
+
diff --git a/queue-4.19/acpi-apei-limit-printable-size-of-bert-table-data.patch b/queue-4.19/acpi-apei-limit-printable-size-of-bert-table-data.patch
new file mode 100644
index 00000000000..ccabd08855d
--- /dev/null
+++ b/queue-4.19/acpi-apei-limit-printable-size-of-bert-table-data.patch
@@ -0,0 +1,72 @@
+From 2da7be2cde262cde7ad78590082671b4c5608be5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 8 Mar 2022 10:50:48 -0800
+Subject: ACPI/APEI: Limit printable size of BERT table data
+
+From: Darren Hart
+
+[ Upstream commit 3f8dec116210ca649163574ed5f8df1e3b837d07 ]
+
+Platforms with large BERT table data can trigger soft lockup errors
+while attempting to print the entire BERT table data to the console at
+boot:
+
+ watchdog: BUG: soft lockup - CPU#160 stuck for 23s! [swapper/0:1]
+
+Observed on Ampere Altra systems with a single BERT record of ~250KB.
+
+The original bert driver appears to have assumed relatively small table
+data. Since it is impractical to reassemble large table data from
+interwoven console messages, and the table data is available in
+
+ /sys/firmware/acpi/tables/data/BERT
+
+limit the size for tables printed to the console to 1024 (for no reason
+other than it seemed like a good place to kick off the discussion, would
+appreciate feedback from existing users in terms of what size would
+maintain their current usage model).
+
+Alternatively, we could make printing a CONFIG option, use the
+bert_disable boot arg (or something similar), or use a debug log level.
+However, all those solutions require extra steps or change the existing
+behavior for small table data. Limiting the size preserves existing
+behavior on existing platforms with small table data, and eliminates the
+soft lockups for platforms with large table data, while still making it
+available.
+
+Signed-off-by: Darren Hart
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/acpi/apei/bert.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/acpi/apei/bert.c b/drivers/acpi/apei/bert.c
+index 876824948c19..d2212e092c50 100644
+--- a/drivers/acpi/apei/bert.c
++++ b/drivers/acpi/apei/bert.c
+@@ -31,6 +31,7 @@
+
+ #undef pr_fmt
+ #define pr_fmt(fmt) "BERT: " fmt
++#define ACPI_BERT_PRINT_MAX_LEN 1024
+
+ static int bert_disable;
+
+@@ -59,8 +60,11 @@ static void __init bert_print_all(struct acpi_bert_region *region,
+ }
+
+ pr_info_once("Error records from previous boot:\n");
+-
+- cper_estatus_print(KERN_INFO HW_ERR, estatus);
++ if (region_len < ACPI_BERT_PRINT_MAX_LEN)
++ cper_estatus_print(KERN_INFO HW_ERR, estatus);
++ else
++ pr_info_once("Max print length exceeded, table data is available at:\n"
++ "/sys/firmware/acpi/tables/data/BERT");
+
+ /*
+ * Because the boot error source is "one-time polled" type,
+--
+2.34.1
+
diff --git a/queue-4.19/acpica-avoid-walking-the-acpi-namespace-if-it-is-not.patch b/queue-4.19/acpica-avoid-walking-the-acpi-namespace-if-it-is-not.patch
new file mode 100644
index 00000000000..362b8baa5f3
--- /dev/null
+++ b/queue-4.19/acpica-avoid-walking-the-acpi-namespace-if-it-is-not.patch
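Review bot: The second string literal of the new `pr_info_once()` in bert_print_all() ends without a newline, unlike the `pr_info_once()` just above it; it should read `"/sys/firmware/acpi/tables/data/BERT\n"`. The cut-off also tests `region_len`, which by its name is presumably the length of the whole region rather than of the record being printed, so a region made up of many small records would be suppressed as a whole; if a per-record limit is what is wanted, the record's own length should be compared instead. `ACPI_BERT_PRINT_MAX_LEN` has no comment; something like `/* largest BERT region, in bytes, still dumped to the console at boot */` would record the unit and the purpose. bert_print_all() starts and ends outside the hunk.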
@@ -0,0 +1,44 @@
+From 8dbd8b53d46269a493499435b6d29af6dae1439e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 7 Mar 2022 20:28:26 +0100
+Subject: ACPICA: Avoid walking the ACPI Namespace if it is not there
+
+From: Rafael J. Wysocki
+
+[ Upstream commit 0c9992315e738e7d6e927ef36839a466b080dba6 ]
+
+ACPICA commit b1c3656ef4950098e530be68d4b589584f06cddc
+
+Prevent acpi_ns_walk_namespace() from crashing when called with
+start_node equal to ACPI_ROOT_OBJECT if the Namespace has not been
+instantiated yet and acpi_gbl_root_node is NULL.
+
+For instance, this can happen if the kernel is run with "acpi=off"
+in the command line.
+
+Link: https://github.com/acpica/acpica/commit/b1c3656ef4950098e530be68d4b589584f06cddc
+Link: https://lore.kernel.org/linux-acpi/CAJZ5v0hJWW_vZ3wwajE7xT38aWjY7cZyvqMJpXHzUL98-SiCVQ@mail.gmail.com/
+Reported-by: Hans de Goede
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/acpi/acpica/nswalk.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/acpi/acpica/nswalk.c b/drivers/acpi/acpica/nswalk.c
+index e9a061da9bb2..c325789a62bf 100644
+--- a/drivers/acpi/acpica/nswalk.c
++++ b/drivers/acpi/acpica/nswalk.c
+@@ -169,6 +169,9 @@ acpi_ns_walk_namespace(acpi_object_type type,
+
+ if (start_node == ACPI_ROOT_OBJECT) {
+ start_node = acpi_gbl_root_node;
++ if (!start_node) {
++ return_ACPI_STATUS(AE_NO_NAMESPACE);
++ }
+ }
+
+ /* Null child means "get first node" */
+--
+2.34.1
+
diff --git a/queue-4.19/af_netlink-fix-shift-out-of-bounds-in-group-mask-cal.patch b/queue-4.19/af_netlink-fix-shift-out-of-bounds-in-group-mask-cal.patch
new file mode 100644
index 00000000000..f39d73ccea5
--- /dev/null
+++ b/queue-4.19/af_netlink-fix-shift-out-of-bounds-in-group-mask-cal.patch
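Review bot: The new early return in acpi_ns_walk_namespace() has no comment saying when the root node can be NULL, and the only explanation lives in the commit message (namespace never instantiated, for instance when booting with "acpi=off"). A short comment above `if (!start_node) {`, such as `/* Namespace not instantiated (e.g. "acpi=off"): nothing to walk */`, would keep that reason next to the check. The function continues outside the hunk.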
@@ -0,0 +1,62 @@
+From 8ab454052e8e1e07a894e13a3a9afb9ac9b3ad8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 17 Mar 2022 15:53:06 +0100
+Subject: af_netlink: Fix shift out of bounds in group mask calculation
+
+From: Petr Machata
+
+[ Upstream commit 0caf6d9922192dd1afa8dc2131abfb4df1443b9f ]
+
+When a netlink message is received, netlink_recvmsg() fills in the address
+of the sender. One of the fields is the 32-bit bitfield nl_groups, which
+carries the multicast group on which the message was received. The least
+significant bit corresponds to group 1, and therefore the highest group
+that the field can represent is 32. Above that, the UB sanitizer flags the
+out-of-bounds shift attempts.
+
+Which bits end up being set in such case is implementation defined, but
+it's either going to be a wrong non-zero value, or zero, which is at least
+not misleading. Make the latter choice deterministic by always setting to 0
+for higher-numbered multicast groups.
+
+To get information about membership in groups >= 32, userspace is expected
+to use nl_pktinfo control messages[0], which are enabled by NETLINK_PKTINFO
+socket option.
+[0] https://lwn.net/Articles/147608/
+
+The way to trigger this issue is e.g. through monitoring the BRVLAN group:
+
+ # bridge monitor vlan &
+ # ip link add name br type bridge
+
+Which produces the following citation:
+
+ UBSAN: shift-out-of-bounds in net/netlink/af_netlink.c:162:19
+ shift exponent 32 is too large for 32-bit type 'int'
+
+Fixes: f7fa9b10edbb ("[NETLINK]: Support dynamic number of multicast groups per netlink family")
+Signed-off-by: Petr Machata
+Reviewed-by: Ido Schimmel
+Link: https://lore.kernel.org/r/2bef6aabf201d1fc16cca139a744700cff9dcb04.1647527635.git.petrm@nvidia.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/netlink/af_netlink.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index a7497361e4d7..5c6241964637 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -152,6 +152,8 @@ static const struct rhashtable_params netlink_rhashtable_params;
+
+ static inline u32 netlink_group_mask(u32 group)
+ {
++ if (group > 32)
++ return 0;
+ return group ? 1 << (group - 1) : 0;
+ }
+
+--
+2.34.1
+
diff --git a/queue-4.19/alsa-firewire-lib-fix-uninitialized-flag-for-av-c-de.patch b/queue-4.19/alsa-firewire-lib-fix-uninitialized-flag-for-av-c-de.patch
new file mode 100644
index 00000000000..d459a46d4cc
--- /dev/null
+++ b/queue-4.19/alsa-firewire-lib-fix-uninitialized-flag-for-av-c-de.patch
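Review bot: `group == 32` still passes the new guard in netlink_group_mask() and reaches `1 << (group - 1)`, that is `1 << 31` on a signed `int`, which shifts into the sign bit and is undefined in ISO C even though the function returns `u32`. Making the constant unsigned closes that last case: `return group ? 1U << (group - 1) : 0;`. A one-line comment such as `/* nl_groups is a 32-bit mask: bit 0 is group 1, groups above 32 have no bit */` would also explain where the bound comes from.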
@@ -0,0 +1,84 @@
+From c254717d3712596e40dbc863e2b7bdca76cb0f3e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 4 Mar 2022 21:56:47 +0900
+Subject: ALSA: firewire-lib: fix uninitialized flag for AV/C deferred
+ transaction
+
+From: Takashi Sakamoto
+
+[ Upstream commit bf0cd60b7e33cf221fbe1114e4acb2c828b0af0d ]
+
+AV/C deferred transaction was supported at a commit 00a7bb81c20f ("ALSA:
+firewire-lib: Add support for deferred transaction") while 'deferrable'
+flag can be uninitialized for non-control/notify AV/C transactions.
+UBSAN reports it:
+
+kernel: ================================================================================
+kernel: UBSAN: invalid-load in /build/linux-aa0B4d/linux-5.15.0/sound/firewire/fcp.c:363:9
+kernel: load of value 158 is not a valid value for type '_Bool'
+kernel: CPU: 3 PID: 182227 Comm: irq/35-firewire Tainted: P OE 5.15.0-18-generic #18-Ubuntu
+kernel: Hardware name: Gigabyte Technology Co., Ltd. AX370-Gaming 5/AX370-Gaming 5, BIOS F42b 08/01/2019
+kernel: Call Trace:
+kernel:
+kernel: show_stack+0x52/0x58
+kernel: dump_stack_lvl+0x4a/0x5f
+kernel: dump_stack+0x10/0x12
+kernel: ubsan_epilogue+0x9/0x45
+kernel: __ubsan_handle_load_invalid_value.cold+0x44/0x49
+kernel: fcp_response.part.0.cold+0x1a/0x2b [snd_firewire_lib]
+kernel: fcp_response+0x28/0x30 [snd_firewire_lib]
+kernel: fw_core_handle_request+0x230/0x3d0 [firewire_core]
+kernel: handle_ar_packet+0x1d9/0x200 [firewire_ohci]
+kernel: ? handle_ar_packet+0x1d9/0x200 [firewire_ohci]
+kernel: ? transmit_complete_callback+0x9f/0x120 [firewire_core]
+kernel: ar_context_tasklet+0xa8/0x2e0 [firewire_ohci]
+kernel: tasklet_action_common.constprop.0+0xea/0xf0
+kernel: tasklet_action+0x22/0x30
+kernel: __do_softirq+0xd9/0x2e3
+kernel: ? irq_finalize_oneshot.part.0+0xf0/0xf0
+kernel: do_softirq+0x75/0xa0
+kernel:
+kernel:
+kernel: __local_bh_enable_ip+0x50/0x60
+kernel: irq_forced_thread_fn+0x7e/0x90
+kernel: irq_thread+0xba/0x190
+kernel: ? irq_thread_fn+0x60/0x60
+kernel: kthread+0x11e/0x140
+kernel: ? irq_thread_check_affinity+0xf0/0xf0
+kernel: ? set_kthread_struct+0x50/0x50
+kernel: ret_from_fork+0x22/0x30
+kernel:
+kernel: ================================================================================
+
+This commit fixes the bug. The bug has no disadvantage for the non-
+control/notify AV/C transactions since the flag has an effect for AV/C
+response with INTERIM (0x0f) status which is not used for the transactions
+in AV/C general specification.
+
+Fixes: 00a7bb81c20f ("ALSA: firewire-lib: Add support for deferred transaction")
+Signed-off-by: Takashi Sakamoto
+Link: https://lore.kernel.org/r/20220304125647.78430-1-o-takashi@sakamocchi.jp
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/firewire/fcp.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/sound/firewire/fcp.c b/sound/firewire/fcp.c
+index 61dda828f767..c8fbb54269cb 100644
+--- a/sound/firewire/fcp.c
++++ b/sound/firewire/fcp.c
+@@ -240,9 +240,7 @@ int fcp_avc_transaction(struct fw_unit *unit,
+ t.response_match_bytes = response_match_bytes;
+ t.state = STATE_PENDING;
+ init_waitqueue_head(&t.wait);
+-
+- if (*(const u8 *)command == 0x00 || *(const u8 *)command == 0x03)
+- t.deferrable = true;
++ t.deferrable = (*(const u8 *)command == 0x00 || *(const u8 *)command == 0x03);
+
+ spin_lock_irq(&transactions_lock);
+ list_add_tail(&t.list, &transactions);
+--
+2.34.1
+
diff --git a/queue-4.19/alsa-spi-add-check-for-clk_enable.patch b/queue-4.19/alsa-spi-add-check-for-clk_enable.patch
new file mode 100644
index 00000000000..e81d46e18e2
--- /dev/null
+++ b/queue-4.19/alsa-spi-add-check-for-clk_enable.patch
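Review bot: The literals `0x00` and `0x03` in the new `t.deferrable` assignment are unexplained; going by the commit message they are the AV/C control and notify command types. A comment such as `/* only CONTROL (0x00) and NOTIFY (0x03) commands can receive an INTERIM response */`, or named constants, would make the rule readable where it is applied. The assignment also reads the first byte of `command` unconditionally; fcp_avc_transaction() starts outside the hunk, so whether a zero-length command is rejected before this line cannot be seen here and is worth confirming.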
@@ -0,0 +1,92 @@
+From 6acb55ac26a23d3ae0fd1427c0b5348fc9e88784 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 28 Feb 2022 10:28:39 +0800
+Subject: ALSA: spi: Add check for clk_enable()
+
+From: Jiasheng Jiang
+
+[ Upstream commit ca1697eb09208f0168d94b88b72f57505339cbe5 ]
+
+As the potential failure of the clk_enable(),
+it should be better to check it and return error
+if fails.
+
+Fixes: 3568459a5113 ("ALSA: at73c213: manage SSC clock")
+Signed-off-by: Jiasheng Jiang
+Link: https://lore.kernel.org/r/20220228022839.3547266-1-jiasheng@iscas.ac.cn
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/spi/at73c213.c | 27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/sound/spi/at73c213.c b/sound/spi/at73c213.c
+index 1ef52edeb538..3763f06ed784 100644
+--- a/sound/spi/at73c213.c
++++ b/sound/spi/at73c213.c
+@@ -221,7 +221,9 @@ static int snd_at73c213_pcm_open(struct snd_pcm_substream *substream)
+ runtime->hw = snd_at73c213_playback_hw;
+ chip->substream = substream;
+
+- clk_enable(chip->ssc->clk);
++ err = clk_enable(chip->ssc->clk);
++ if (err)
++ return err;
+
+ return 0;
+ }
+@@ -787,7 +789,9 @@ static int snd_at73c213_chip_init(struct snd_at73c213 *chip)
+ goto out;
+
+ /* Enable DAC master clock. */
+- clk_enable(chip->board->dac_clk);
++ retval = clk_enable(chip->board->dac_clk);
++ if (retval)
++ goto out;
+
+ /* Initialize at73c213 on SPI bus. */
+ retval = snd_at73c213_write_reg(chip, DAC_RST, 0x04);
+@@ -900,7 +904,9 @@ static int snd_at73c213_dev_init(struct snd_card *card,
+ chip->card = card;
+ chip->irq = -1;
+
+- clk_enable(chip->ssc->clk);
++ retval = clk_enable(chip->ssc->clk);
++ if (retval)
++ return retval;
+
+ retval = request_irq(irq, snd_at73c213_interrupt, 0, "at73c213", chip);
+ if (retval) {
+@@ -1019,7 +1025,9 @@ static int snd_at73c213_remove(struct spi_device *spi)
+ int retval;
+
+ /* Stop playback. */
+- clk_enable(chip->ssc->clk);
++ retval = clk_enable(chip->ssc->clk);
++ if (retval)
++ goto out;
+ ssc_writel(chip->ssc->regs, CR, SSC_BIT(CR_TXDIS));
+ clk_disable(chip->ssc->clk);
+
+@@ -1099,9 +1107,16 @@ static int snd_at73c213_resume(struct device *dev)
+ {
+ struct snd_card *card = dev_get_drvdata(dev);
+ struct snd_at73c213 *chip = card->private_data;
++ int retval;
+
+- clk_enable(chip->board->dac_clk);
+- clk_enable(chip->ssc->clk);
++ retval = clk_enable(chip->board->dac_clk);
++ if (retval)
++ return retval;
++ retval = clk_enable(chip->ssc->clk);
++ if (retval) {
++ clk_disable(chip->board->dac_clk);
++ return retval;
++ }
+ ssc_writel(chip->ssc->regs, CR, SSC_BIT(CR_TXEN));
+
+ return 0;
+--
+2.34.1
+
diff --git a/queue-4.19/arm-dts-bcm2837-add-the-missing-l1-l2-cache-informat.patch b/queue-4.19/arm-dts-bcm2837-add-the-missing-l1-l2-cache-informat.patch
new file mode 100644
index 00000000000..e7ae8962cec
--- /dev/null
+++ b/queue-4.19/arm-dts-bcm2837-add-the-missing-l1-l2-cache-informat.patch
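Review bot: In snd_at73c213_pcm_open() the new `return err;` comes after `chip->substream = substream;`, so a failed clk_enable() leaves `chip->substream` pointing at a substream whose open was rejected. Enabling the clock before that assignment, or adding `chip->substream = NULL;` ahead of `return err;`, keeps the chip state consistent; whether anything later dereferences the stale pointer lies outside the hunk. In snd_at73c213_remove() the new `goto out` skips the playback stop and everything up to the `out` label, which is not visible here, so it should be checked that the label still releases all resources on that path.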
@@ -0,0 +1,112 @@ +From 91bffaf5a321ae5ef9a7660aff4813a028b68001 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Dec 2021 21:00:09 +0100 +Subject: ARM: dts: bcm2837: Add the missing L1/L2 cache information + +From: Richard Schleich + +[ Upstream commit bdf8762da268d2a34abf517c36528413906e9cd5 ] + +This patch fixes the kernel warning +"cacheinfo: Unable to detect cache hierarchy for CPU 0" +for the bcm2837 on newer kernel versions. + +Signed-off-by: Richard Schleich +Tested-by: Stefan Wahren +[florian: Align and remove comments matching property values] +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/bcm2837.dtsi | 49 ++++++++++++++++++++++++++++++++++ + 1 file changed, 49 insertions(+) + +diff --git a/arch/arm/boot/dts/bcm2837.dtsi b/arch/arm/boot/dts/bcm2837.dtsi +index beb6c502dadc..bcad098a7fcc 100644 +--- a/arch/arm/boot/dts/bcm2837.dtsi ++++ b/arch/arm/boot/dts/bcm2837.dtsi +@@ -38,12 +38,26 @@ + #size-cells = <0>; + enable-method = "brcm,bcm2836-smp"; // for ARM 32-bit + ++ /* Source for d/i-cache-line-size and d/i-cache-sets ++ * https://developer.arm.com/documentation/ddi0500/e/level-1-memory-system ++ * /about-the-l1-memory-system?lang=en ++ * ++ * Source for d/i-cache-size ++ * https://magpi.raspberrypi.com/articles/raspberry-pi-3-specs-benchmarks ++ */ + cpu0: cpu@0 { + device_type = "cpu"; + compatible = "arm,cortex-a53"; + reg = <0>; + enable-method = "spin-table"; + cpu-release-addr = <0x0 0x000000d8>; ++ d-cache-size = <0x8000>; ++ d-cache-line-size = <64>; ++ d-cache-sets = <128>; // 32KiB(size)/64(line-size)=512ways/4-way set ++ i-cache-size = <0x8000>; ++ i-cache-line-size = <64>; ++ i-cache-sets = <256>; // 32KiB(size)/64(line-size)=512ways/2-way set ++ next-level-cache = <&l2>; + }; + + cpu1: cpu@1 { +@@ -52,6 +66,13 @@ + reg = <1>; + enable-method = "spin-table"; + cpu-release-addr = <0x0 0x000000e0>; ++ d-cache-size = <0x8000>; ++ d-cache-line-size = <64>; ++ d-cache-sets = <128>; // 
32KiB(size)/64(line-size)=512ways/4-way set ++ i-cache-size = <0x8000>; ++ i-cache-line-size = <64>; ++ i-cache-sets = <256>; // 32KiB(size)/64(line-size)=512ways/2-way set ++ next-level-cache = <&l2>; + }; + + cpu2: cpu@2 { +@@ -60,6 +81,13 @@ + reg = <2>; + enable-method = "spin-table"; + cpu-release-addr = <0x0 0x000000e8>; ++ d-cache-size = <0x8000>; ++ d-cache-line-size = <64>; ++ d-cache-sets = <128>; // 32KiB(size)/64(line-size)=512ways/4-way set ++ i-cache-size = <0x8000>; ++ i-cache-line-size = <64>; ++ i-cache-sets = <256>; // 32KiB(size)/64(line-size)=512ways/2-way set ++ next-level-cache = <&l2>; + }; + + cpu3: cpu@3 { +@@ -68,6 +96,27 @@ + reg = <3>; + enable-method = "spin-table"; + cpu-release-addr = <0x0 0x000000f0>; ++ d-cache-size = <0x8000>; ++ d-cache-line-size = <64>; ++ d-cache-sets = <128>; // 32KiB(size)/64(line-size)=512ways/4-way set ++ i-cache-size = <0x8000>; ++ i-cache-line-size = <64>; ++ i-cache-sets = <256>; // 32KiB(size)/64(line-size)=512ways/2-way set ++ next-level-cache = <&l2>; ++ }; ++ ++ /* Source for cache-line-size + cache-sets ++ * https://developer.arm.com/documentation/ddi0500 ++ * /e/level-2-memory-system/about-the-l2-memory-system?lang=en ++ * Source for cache-size ++ * https://datasheets.raspberrypi.com/cm/cm1-and-cm3-datasheet.pdf ++ */ ++ l2: l2-cache0 { ++ compatible = "cache"; ++ cache-size = <0x80000>; ++ cache-line-size = <64>; ++ cache-sets = <512>; // 512KiB(size)/64(line-size)=8192ways/16-way set ++ cache-level = <2>; + }; + }; + }; +-- +2.34.1 + diff --git a/queue-4.19/arm-dts-qcom-fix-gic_irq_domain_translate-warnings-f.patch b/queue-4.19/arm-dts-qcom-fix-gic_irq_domain_translate-warnings-f.patch new file mode 100644 index 00000000000..7377a399b41 --- /dev/null +++ b/queue-4.19/arm-dts-qcom-fix-gic_irq_domain_translate-warnings-f.patch 
@@ -0,0 +1,60 @@
+From 1d7602c80c19116afc6e263a20093c55262edefb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 8 Jan 2022 18:42:28 +0100
+Subject: ARM: dts: qcom: fix gic_irq_domain_translate warnings for msm8960
+
+From: David Heidelberg
+
+[ Upstream commit 6f7e221e7a5cfc3299616543fce42b36e631497b ]
+
+IRQ types blindly copied from very similar APQ8064.
+
+Fixes warnings as:
+WARNING: CPU: 0 PID: 1 at drivers/irqchip/irq-gic.c:1080 gic_irq_domain_translate+0x118/0x120
+...
+
+Tested-by: LogicalErzor # boot-tested on Samsung S3
+Signed-off-by: David Heidelberg
+Signed-off-by: Bjorn Andersson
+Link: https://lore.kernel.org/r/20220108174229.60384-1-david@ixit.cz
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/qcom-msm8960.dtsi | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm/boot/dts/qcom-msm8960.dtsi b/arch/arm/boot/dts/qcom-msm8960.dtsi
+index 1733d8f40ab1..b256fda0f5ea 100644
+--- a/arch/arm/boot/dts/qcom-msm8960.dtsi
++++ b/arch/arm/boot/dts/qcom-msm8960.dtsi
+@@ -140,7 +140,9 @@
+ reg = <0x108000 0x1000>;
+ qcom,ipc = <&l2cc 0x8 2>;
+
+- interrupts = <0 19 0>, <0 21 0>, <0 22 0>;
++ interrupts = ,
++ ,
++ ;
+ interrupt-names = "ack", "err", "wakeup";
+
+ regulators {
+@@ -186,7 +188,7 @@
+ compatible = "qcom,msm-uartdm-v1.3", "qcom,msm-uartdm";
+ reg = <0x16440000 0x1000>,
+ <0x16400000 0x1000>;
+- interrupts = <0 154 0x0>;
++ interrupts = ;
+ clocks = <&gcc GSBI5_UART_CLK>, <&gcc GSBI5_H_CLK>;
+ clock-names = "core", "iface";
+ status = "disabled";
+@@ -312,7 +314,7 @@
+ #address-cells = <1>;
+ #size-cells = <0>;
+ reg = <0x16080000 0x1000>;
+- interrupts = <0 147 0>;
++ interrupts = ;
+ spi-max-frequency = <24000000>;
+ cs-gpios = <&msmgpio 8 0>;
+
+--
+2.34.1
+
diff --git a/queue-4.19/arm-dts-qcom-ipq4019-fix-sleep-clock.patch b/queue-4.19/arm-dts-qcom-ipq4019-fix-sleep-clock.patch
new file mode 100644
index 00000000000..e6e65e71ec5
--- /dev/null
+++ b/queue-4.19/arm-dts-qcom-ipq4019-fix-sleep-clock.patch
@@ -0,0 +1,42 @@
+From 22076fc4d4a6648c41588ca23ddf522489ef787a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Dec 2021 18:03:52 +0100
+Subject: ARM: dts: qcom: ipq4019: fix sleep clock
+
+From: Pavel Kubelun
+
+[ Upstream commit 3d7e7980993d2c1ae42d3d314040fc2de6a9c45f ]
+
+It seems like sleep_clk was copied from ipq806x.
+Fix ipq40xx sleep_clk to the value QSDK defines.
+
+Link: https://source.codeaurora.org/quic/qsdk/oss/kernel/linux-msm/commit/?id=d92ec59973484acc86dd24b67f10f8911b4b4b7d
+Link: https://patchwork.kernel.org/comment/22721613/
+Fixes: bec6ba4cdf2a ("qcom: ipq4019: Add basic board/dts support for IPQ4019 SoC")
+Suggested-by: Bjorn Andersson (clock-output-names)
+Signed-off-by: Pavel Kubelun
+Signed-off-by: Christian Lamparter (removed clock rename)
+Signed-off-by: Bjorn Andersson
+Link: https://lore.kernel.org/r/20211220170352.34591-1-chunkeey@gmail.com
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/qcom-ipq4019.dtsi | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/qcom-ipq4019.dtsi b/arch/arm/boot/dts/qcom-ipq4019.dtsi
+index 8328ad589e2b..59527bb1225a 100644
+--- a/arch/arm/boot/dts/qcom-ipq4019.dtsi
++++ b/arch/arm/boot/dts/qcom-ipq4019.dtsi
+@@ -135,7 +135,8 @@
+ clocks {
+ sleep_clk: sleep_clk {
+ compatible = "fixed-clock";
+- clock-frequency = <32768>;
++ clock-frequency = <32000>;
++ clock-output-names = "gcc_sleep_clk_src";
+ #clock-cells = <0>;
+ };
+
+--
+2.34.1
+
diff --git a/queue-4.19/arm-ftrace-avoid-redundant-loads-or-clobbering-ip.patch b/queue-4.19/arm-ftrace-avoid-redundant-loads-or-clobbering-ip.patch
new file mode 100644
index 00000000000..9cf90bf2708
--- /dev/null
+++ b/queue-4.19/arm-ftrace-avoid-redundant-loads-or-clobbering-ip.patch
@@ -0,0 +1,135 @@ +From 84e5759501033fb4384127dd40f02f935be104d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Jan 2022 20:18:33 +0100 +Subject: ARM: ftrace: avoid redundant loads or clobbering IP + +From: Ard Biesheuvel + +[ Upstream commit d11967870815b5ab89843980e35aab616c97c463 ] + +Tweak the ftrace return paths to avoid redundant loads of SP, as well as +unnecessary clobbering of IP. + +This also fixes the inconsistency of using MOV to perform a function +return, which is sub-optimal on recent micro-architectures but more +importantly, does not perform an interworking return, unlike compiler +generated function returns in Thumb2 builds. + +Let's fix this by popping PC from the stack like most ordinary code +does. + +Signed-off-by: Ard Biesheuvel +Reviewed-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + arch/arm/kernel/entry-ftrace.S | 51 +++++++++++++++------------------- + 1 file changed, 22 insertions(+), 29 deletions(-) + +diff --git a/arch/arm/kernel/entry-ftrace.S b/arch/arm/kernel/entry-ftrace.S +index 1acf4d05e94c..393c342ecd51 100644 +--- a/arch/arm/kernel/entry-ftrace.S ++++ b/arch/arm/kernel/entry-ftrace.S +@@ -41,10 +41,7 @@ + * mcount can be thought of as a function called in the middle of a subroutine + * call. As such, it needs to be transparent for both the caller and the + * callee: the original lr needs to be restored when leaving mcount, and no +- * registers should be clobbered. (In the __gnu_mcount_nc implementation, we +- * clobber the ip register. This is OK because the ARM calling convention +- * allows it to be clobbered in subroutines and doesn't use it to hold +- * parameters.) ++ * registers should be clobbered. + * + * When using dynamic ftrace, we patch out the mcount call by a "mov r0, r0" + * for the mcount case, and a "pop {lr}" for the __gnu_mcount_nc case (see +@@ -96,26 +93,25 @@ + + .macro __ftrace_regs_caller + +- sub sp, sp, #8 @ space for PC and CPSR OLD_R0, ++ str lr, [sp, #-8]! 
@ store LR as PC and make space for CPSR/OLD_R0, + @ OLD_R0 will overwrite previous LR + +- add ip, sp, #12 @ move in IP the value of SP as it was +- @ before the push {lr} of the mcount mechanism ++ ldr lr, [sp, #8] @ get previous LR + +- str lr, [sp, #0] @ store LR instead of PC ++ str r0, [sp, #8] @ write r0 as OLD_R0 over previous LR + +- ldr lr, [sp, #8] @ get previous LR ++ str lr, [sp, #-4]! @ store previous LR as LR + +- str r0, [sp, #8] @ write r0 as OLD_R0 over previous LR ++ add lr, sp, #16 @ move in LR the value of SP as it was ++ @ before the push {lr} of the mcount mechanism + +- stmdb sp!, {ip, lr} +- stmdb sp!, {r0-r11, lr} ++ push {r0-r11, ip, lr} + + @ stack content at this point: + @ 0 4 48 52 56 60 64 68 72 +- @ R0 | R1 | ... | LR | SP + 4 | previous LR | LR | PSR | OLD_R0 | ++ @ R0 | R1 | ... | IP | SP + 4 | previous LR | LR | PSR | OLD_R0 | + +- mov r3, sp @ struct pt_regs* ++ mov r3, sp @ struct pt_regs* + + ldr r2, =function_trace_op + ldr r2, [r2] @ pointer to the current +@@ -138,11 +134,9 @@ ftrace_graph_regs_call: + #endif + + @ pop saved regs +- ldmia sp!, {r0-r12} @ restore r0 through r12 +- ldr ip, [sp, #8] @ restore PC +- ldr lr, [sp, #4] @ restore LR +- ldr sp, [sp, #0] @ restore SP +- mov pc, ip @ return ++ pop {r0-r11, ip, lr} @ restore r0 through r12 ++ ldr lr, [sp], #4 @ restore LR ++ ldr pc, [sp], #12 + .endm + + #ifdef CONFIG_FUNCTION_GRAPH_TRACER +@@ -158,11 +152,9 @@ ftrace_graph_regs_call: + bl prepare_ftrace_return + + @ pop registers saved in ftrace_regs_caller +- ldmia sp!, {r0-r12} @ restore r0 through r12 +- ldr ip, [sp, #8] @ restore PC +- ldr lr, [sp, #4] @ restore LR +- ldr sp, [sp, #0] @ restore SP +- mov pc, ip @ return ++ pop {r0-r11, ip, lr} @ restore r0 through r12 ++ ldr lr, [sp], #4 @ restore LR ++ ldr pc, [sp], #12 + + .endm + #endif +@@ -273,16 +265,17 @@ ENDPROC(ftrace_graph_caller_old) + .endm + + .macro mcount_exit +- ldmia sp!, {r0-r3, ip, lr} +- ret ip ++ ldmia sp!, {r0-r3} ++ ldr lr, [sp, #4] ++ ldr 
pc, [sp], #8 + .endm + + ENTRY(__gnu_mcount_nc) + UNWIND(.fnstart) + #ifdef CONFIG_DYNAMIC_FTRACE +- mov ip, lr +- ldmia sp!, {lr} +- ret ip ++ push {lr} ++ ldr lr, [sp, #4] ++ ldr pc, [sp], #8 + #else + __mcount + #endif +-- +2.34.1 + diff --git a/queue-4.19/arm-ftrace-ensure-that-adr-takes-the-thumb-bit-into-.patch b/queue-4.19/arm-ftrace-ensure-that-adr-takes-the-thumb-bit-into-.patch new file mode 100644 index 00000000000..273d204c62e --- /dev/null +++ b/queue-4.19/arm-ftrace-ensure-that-adr-takes-the-thumb-bit-into-.patch @@ -0,0 +1,40 @@ +From efde028d425299858f468df653dae29d1f504f1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Jan 2022 10:38:15 +0100 +Subject: ARM: ftrace: ensure that ADR takes the Thumb bit into account + +From: Ard Biesheuvel + +[ Upstream commit dd88b03ff0c84f4bcbe1419b93a4bed429fed3be ] + +Using ADR to take the address of 'ftrace_stub' via a local label +produces an address that has the Thumb bit cleared, which means the +subsequent comparison is guaranteed to fail. Instead, use the badr +macro, which forces the Thumb bit to be set. + +Fixes: a3ba87a61499 ("ARM: 6316/1: ftrace: add Thumb-2 support") +Signed-off-by: Ard Biesheuvel +Reviewed-by: Nick Desaulniers +Reviewed-by: Steven Rostedt (Google) +Reviewed-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + arch/arm/kernel/entry-ftrace.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/kernel/entry-ftrace.S b/arch/arm/kernel/entry-ftrace.S +index efcd9f25a14b..1acf4d05e94c 100644 +--- a/arch/arm/kernel/entry-ftrace.S ++++ b/arch/arm/kernel/entry-ftrace.S +@@ -66,7 +66,7 @@ + mcount_enter + ldr r0, =ftrace_trace_function + ldr r2, [r0] +- adr r0, .Lftrace_stub ++ badr r0, .Lftrace_stub + cmp r0, r2 + bne 1f + +-- +2.34.1 + diff --git a/queue-4.19/arm-mmp-fix-failure-to-remove-sram-device.patch b/queue-4.19/arm-mmp-fix-failure-to-remove-sram-device.patch new file mode 100644 index 00000000000..369091bfab1 --- /dev/null 
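Review bot: The rewritten return sequence in `__ftrace_regs_caller` (and the identical one in the graph-tracer macro below it) leaves `ldr pc, [sp], #12` without a comment, and the retained `@ restore r0 through r12` no longer describes `pop {r0-r11, ip, lr}`, which also loads the saved-SP slot into lr before the next instruction overwrites it. Going by the stack diagram in the same hunk, the post-index of 12 steps over the PC, PSR and OLD_R0 slots, so the stack pointer ends where it was before the mcount `push {lr}`. Suggested comments: `@ restore r0-r12; lr briefly holds the saved SP slot` on the pop and `@ return, dropping the PC/PSR/OLD_R0 slots` on the final load.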
+++ b/queue-4.19/arm-mmp-fix-failure-to-remove-sram-device.patch 
@@ -0,0 +1,79 @@ +From 67b603404a533eae95803b8e57e5384a52e32b7b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jul 2021 22:01:58 +0200 +Subject: ARM: mmp: Fix failure to remove sram device +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 4036b29a146b2749af3bb213b003eb69f3e5ecc4 ] + +Make sure in .probe() to set driver data before the function is left to +make it possible in .remove() to undo the actions done. + +This fixes a potential memory leak and stops returning an error code in +.remove() that is ignored by the driver core anyhow. + +Signed-off-by: Uwe Kleine-König +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/arm/mach-mmp/sram.c | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +diff --git a/arch/arm/mach-mmp/sram.c b/arch/arm/mach-mmp/sram.c +index ba91e4fe444d..3c4e41dabb02 100644 +--- a/arch/arm/mach-mmp/sram.c ++++ b/arch/arm/mach-mmp/sram.c +@@ -76,6 +76,8 @@ static int sram_probe(struct platform_device *pdev) + if (!info) + return -ENOMEM; + ++ platform_set_drvdata(pdev, info); ++ + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + if (res == NULL) { + dev_err(&pdev->dev, "no memory resource defined\n"); +@@ -111,8 +113,6 @@ static int sram_probe(struct platform_device *pdev) + list_add(&info->node, &sram_bank_list); + mutex_unlock(&sram_lock); + +- platform_set_drvdata(pdev, info); +- + dev_info(&pdev->dev, "initialized\n"); + return 0; + +@@ -131,17 +131,19 @@ static int sram_remove(struct platform_device *pdev) + struct sram_bank_info *info; + + info = platform_get_drvdata(pdev); +- if (info == NULL) +- return -ENODEV; + +- mutex_lock(&sram_lock); +- list_del(&info->node); +- mutex_unlock(&sram_lock); ++ if (info->sram_size) { ++ mutex_lock(&sram_lock); ++ list_del(&info->node); ++ mutex_unlock(&sram_lock); ++ ++ gen_pool_destroy(info->gpool); ++ 
iounmap(info->sram_virt); ++ kfree(info->pool_name); ++ } + +- gen_pool_destroy(info->gpool); +- iounmap(info->sram_virt); +- kfree(info->pool_name); + kfree(info); ++ + return 0; + } + +-- +2.34.1 + diff --git a/queue-4.19/arm-tegra-tamonten-fix-i2c3-pad-setting.patch b/queue-4.19/arm-tegra-tamonten-fix-i2c3-pad-setting.patch new file mode 100644 index 00000000000..ec02dc14eba --- /dev/null +++ b/queue-4.19/arm-tegra-tamonten-fix-i2c3-pad-setting.patch @@ -0,0 +1,46 @@ +From 51923dc5e0cd8bf3384318d6098db0d97b84ac16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Dec 2021 17:11:48 +0100 +Subject: ARM: tegra: tamonten: Fix I2C3 pad setting + +From: Richard Leitner + +[ Upstream commit 0092c25b541a5422d7e71892a13c55ee91abc34b ] + +This patch fixes the tristate configuration for i2c3 function assigned +to the dtf pins on the Tamonten Tegra20 SoM. + +Signed-off-by: Richard Leitner +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/tegra20-tamonten.dtsi | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/boot/dts/tegra20-tamonten.dtsi b/arch/arm/boot/dts/tegra20-tamonten.dtsi +index 394a6b4dc69d..69cb65d86c46 100644 +--- a/arch/arm/boot/dts/tegra20-tamonten.dtsi ++++ b/arch/arm/boot/dts/tegra20-tamonten.dtsi +@@ -183,8 +183,8 @@ + }; + conf_ata { + nvidia,pins = "ata", "atb", "atc", "atd", "ate", +- "cdev1", "cdev2", "dap1", "dtb", "gma", +- "gmb", "gmc", "gmd", "gme", "gpu7", ++ "cdev1", "cdev2", "dap1", "dtb", "dtf", ++ "gma", "gmb", "gmc", "gmd", "gme", "gpu7", + "gpv", "i2cp", "irrx", "irtx", "pta", + "rm", "slxa", "slxk", "spia", "spib", + "uac"; +@@ -203,7 +203,7 @@ + }; + conf_crtp { + nvidia,pins = "crtp", "dap2", "dap3", "dap4", +- "dtc", "dte", "dtf", "gpu", "sdio1", ++ "dtc", "dte", "gpu", "sdio1", + "slxc", "slxd", "spdi", "spdo", "spig", + "uda"; + nvidia,pull = ; +-- +2.34.1 + 
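Review bot: In `sram_remove()` (arch/arm/mach-mmp/sram.c) the NULL check on `platform_get_drvdata()` is removed and `info->sram_size` is dereferenced unconditionally, so the function now depends on `sram_probe()` storing drvdata on every path that returns 0. It also depends on `info` being zero-initialised wherever probe returns before the pool is set up; neither the allocation nor that early return is inside these hunks. A comment above the new condition would record the contract, for example `/* sram_size == 0: probe returned before mapping/pool setup, only info was allocated */`. Since `platform_set_drvdata()` now runs before the first failure point, it is also worth confirming that the error label in `sram_probe()`, outside the hunk, does not leave drvdata pointing at memory it frees.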
diff --git a/queue-4.19/arm64-dts-broadcom-fix-sata-nodename.patch b/queue-4.19/arm64-dts-broadcom-fix-sata-nodename.patch new file mode 100644 index 00000000000..49f6a2ff8f2 --- /dev/null +++ b/queue-4.19/arm64-dts-broadcom-fix-sata-nodename.patch @@ -0,0 +1,41 @@ +From 953e9ac08a692ba959625d3183c2288c9d8e2306 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Mar 2022 16:24:18 +0100 +Subject: arm64: dts: broadcom: Fix sata nodename + +From: Frank Wunderlich + +[ Upstream commit 55927cb44db43a57699fa652e2437a91620385dc ] + +After converting ahci-platform txt binding to yaml nodename is reported +as not matching the standard: + +arch/arm64/boot/dts/broadcom/northstar2/ns2-svk.dt.yaml: +ahci@663f2000: $nodename:0: 'ahci@663f2000' does not match '^sata(@.*)?$' + +Fix it to match binding. + +Fixes: ac9aae00f0fc ("arm64: dts: Add SATA3 AHCI and SATA3 PHY DT nodes for NS2") +Signed-off-by: Frank Wunderlich +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/broadcom/northstar2/ns2.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/broadcom/northstar2/ns2.dtsi b/arch/arm64/boot/dts/broadcom/northstar2/ns2.dtsi +index 6bfb7bbd264a..772ecf4ed3e6 100644 +--- a/arch/arm64/boot/dts/broadcom/northstar2/ns2.dtsi ++++ b/arch/arm64/boot/dts/broadcom/northstar2/ns2.dtsi +@@ -687,7 +687,7 @@ + }; + }; + +- sata: ahci@663f2000 { ++ sata: sata@663f2000 { + compatible = "brcm,iproc-ahci", "generic-ahci"; + reg = <0x663f2000 0x1000>; + dma-coherent; +-- +2.34.1 + diff --git a/queue-4.19/arm64-dts-ns2-fix-spi-cpol-and-spi-cpha-property.patch b/queue-4.19/arm64-dts-ns2-fix-spi-cpol-and-spi-cpha-property.patch new file mode 100644 index 00000000000..de2b6040751 --- /dev/null +++ b/queue-4.19/arm64-dts-ns2-fix-spi-cpol-and-spi-cpha-property.patch 
@@ -0,0 +1,52 @@ +From dd3e5059e011646fa0067375b771e989ba7fb706 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Feb 2022 16:39:03 +0530 +Subject: arm64: dts: ns2: Fix spi-cpol and spi-cpha property + +From: Kuldeep Singh + +[ Upstream commit c953c764e505428f59ffe6afb1c73b89b5b1ac35 ] + +Broadcom ns2 platform has spi-cpol and spi-cpho properties set +incorrectly. As per spi-slave-peripheral-prop.yaml, these properties are +of flag or boolean type and not integer type. Fix the values. + +Fixes: d69dbd9f41a7c (arm64: dts: Add ARM PL022 SPI DT nodes for NS2) +Signed-off-by: Kuldeep Singh +CC: Ray Jui +CC: Scott Branden +CC: Florian Fainelli +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/broadcom/northstar2/ns2-svk.dts | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/arm64/boot/dts/broadcom/northstar2/ns2-svk.dts b/arch/arm64/boot/dts/broadcom/northstar2/ns2-svk.dts +index ec19fbf928a1..12a4b1c03390 100644 +--- a/arch/arm64/boot/dts/broadcom/northstar2/ns2-svk.dts ++++ b/arch/arm64/boot/dts/broadcom/northstar2/ns2-svk.dts +@@ -111,8 +111,8 @@ + compatible = "silabs,si3226x"; + reg = <0>; + spi-max-frequency = <5000000>; +- spi-cpha = <1>; +- spi-cpol = <1>; ++ spi-cpha; ++ spi-cpol; + pl022,hierarchy = <0>; + pl022,interface = <0>; + pl022,slave-tx-disable = <0>; +@@ -135,8 +135,8 @@ + at25,byte-len = <0x8000>; + at25,addr-mode = <2>; + at25,page-size = <64>; +- spi-cpha = <1>; +- spi-cpol = <1>; ++ spi-cpha; ++ spi-cpol; + pl022,hierarchy = <0>; + pl022,interface = <0>; + pl022,slave-tx-disable = <0>; +-- +2.34.1 + diff --git a/queue-4.19/asoc-atmel-add-missing-of_node_put-in-at91sam9g20ek_.patch b/queue-4.19/asoc-atmel-add-missing-of_node_put-in-at91sam9g20ek_.patch new file mode 100644 index 00000000000..3c45035664c --- /dev/null +++ b/queue-4.19/asoc-atmel-add-missing-of_node_put-in-at91sam9g20ek_.patch 
@@ -0,0 +1,38 @@ +From 5defb11dcd5fd81d8f63602c58ef7a5e081a1632 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Mar 2022 12:45:39 +0000 +Subject: ASoC: atmel: Add missing of_node_put() in at91sam9g20ek_audio_probe + +From: Miaoqian Lin + +[ Upstream commit f590797fa3c1bccdd19e55441592a23b46aef449 ] + +This node pointer is returned by of_parse_phandle() with refcount +incremented in this function. +Calling of_node_put() to avoid the refcount leak. + +Fixes: 531f67e41dcd ("ASoC: at91sam9g20ek-wm8731: convert to dt support") +Signed-off-by: Miaoqian Lin +Reviewed-by: Codrin Ciubotariu +Link: https://lore.kernel.org/r/20220307124539.1743-1-linmq006@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/atmel/sam9g20_wm8731.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/atmel/sam9g20_wm8731.c b/sound/soc/atmel/sam9g20_wm8731.c +index 98f93e79c654..5041f43ee5f7 100644 +--- a/sound/soc/atmel/sam9g20_wm8731.c ++++ b/sound/soc/atmel/sam9g20_wm8731.c +@@ -225,6 +225,7 @@ static int at91sam9g20ek_audio_probe(struct platform_device *pdev) + cpu_np = of_parse_phandle(np, "atmel,ssc-controller", 0); + if (!cpu_np) { + dev_err(&pdev->dev, "dai and pcm info missing\n"); ++ of_node_put(codec_np); + return -EINVAL; + } + at91sam9g20ek_dai.cpu_of_node = cpu_np; +-- +2.34.1 + diff --git a/queue-4.19/asoc-atmel_ssc_dai-handle-errors-for-clk_enable.patch b/queue-4.19/asoc-atmel_ssc_dai-handle-errors-for-clk_enable.patch new file mode 100644 index 00000000000..e5cade76fd6 --- /dev/null +++ b/queue-4.19/asoc-atmel_ssc_dai-handle-errors-for-clk_enable.patch 
@@ -0,0 +1,40 @@ +From 4997291937baf017addc45b5163a0f04424b1665 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Mar 2022 17:06:37 +0800 +Subject: ASoC: atmel_ssc_dai: Handle errors for clk_enable + +From: Jiasheng Jiang + +[ Upstream commit f9e2ca0640e59d19af0ff285ee5591ed39069b09 ] + +As the potential failure of the clk_enable(), +it should be better to check it and return error if fals. + +Fixes: cbaadf0f90d6 ("ASoC: atmel_ssc_dai: refactor the startup and shutdown") +Signed-off-by: Jiasheng Jiang +Link: https://lore.kernel.org/r/20220301090637.3776558-1-jiasheng@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/atmel/atmel_ssc_dai.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/atmel/atmel_ssc_dai.c b/sound/soc/atmel/atmel_ssc_dai.c +index d3b69682d9c2..7272f00222fd 100644 +--- a/sound/soc/atmel/atmel_ssc_dai.c ++++ b/sound/soc/atmel/atmel_ssc_dai.c +@@ -296,7 +296,10 @@ static int atmel_ssc_startup(struct snd_pcm_substream *substream, + + /* Enable PMC peripheral clock for this SSC */ + pr_debug("atmel_ssc_dai: Starting clock\n"); +- clk_enable(ssc_p->ssc->clk); ++ ret = clk_enable(ssc_p->ssc->clk); ++ if (ret) ++ return ret; ++ + ssc_p->mck_rate = clk_get_rate(ssc_p->ssc->clk); + + /* Reset the SSC unless initialized to keep it in a clean state */ +-- +2.34.1 + diff --git a/queue-4.19/asoc-dmaengine-do-not-use-a-null-prepare_slave_confi.patch b/queue-4.19/asoc-dmaengine-do-not-use-a-null-prepare_slave_confi.patch new file mode 100644 index 00000000000..c942809da76 --- /dev/null +++ b/queue-4.19/asoc-dmaengine-do-not-use-a-null-prepare_slave_confi.patch 
@@ -0,0 +1,42 @@ +From 98ecc56b2413d21e04f354fb677071a249d1e6c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Mar 2022 14:21:57 +0200 +Subject: ASoC: dmaengine: do not use a NULL prepare_slave_config() callback + +From: Codrin Ciubotariu + +[ Upstream commit 9a1e13440a4f2e7566fd4c5eae6a53e6400e08a4 ] + +Even if struct snd_dmaengine_pcm_config is used, prepare_slave_config() +callback might not be set. Check if this callback is set before using it. + +Fixes: fa654e085300 ("ASoC: dmaengine-pcm: Provide default config") +Signed-off-by: Codrin Ciubotariu +Link: https://lore.kernel.org/r/20220307122202.2251639-2-codrin.ciubotariu@microchip.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-generic-dmaengine-pcm.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/soc-generic-dmaengine-pcm.c b/sound/soc/soc-generic-dmaengine-pcm.c +index 232df04ca586..45cce7376191 100644 +--- a/sound/soc/soc-generic-dmaengine-pcm.c ++++ b/sound/soc/soc-generic-dmaengine-pcm.c +@@ -91,10 +91,10 @@ static int dmaengine_pcm_hw_params(struct snd_pcm_substream *substream, + + memset(&slave_config, 0, sizeof(slave_config)); + +- if (!pcm->config) +- prepare_slave_config = snd_dmaengine_pcm_prepare_slave_config; +- else ++ if (pcm->config && pcm->config->prepare_slave_config) + prepare_slave_config = pcm->config->prepare_slave_config; ++ else ++ prepare_slave_config = snd_dmaengine_pcm_prepare_slave_config; + + if (prepare_slave_config) { + ret = prepare_slave_config(substream, params, &slave_config); +-- +2.34.1 + diff --git a/queue-4.19/asoc-fsi-add-check-for-clk_enable.patch b/queue-4.19/asoc-fsi-add-check-for-clk_enable.patch new file mode 100644 index 00000000000..fe0ed17fdc1 --- /dev/null +++ b/queue-4.19/asoc-fsi-add-check-for-clk_enable.patch 
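Review bot: In `dmaengine_pcm_hw_params()` the rewritten selection always leaves `prepare_slave_config` non-NULL, so the `if (prepare_slave_config)` test kept as context directly below it can no longer be false. Before this change a `pcm->config` with a NULL callback skipped the preparation step through that test; it now gets `snd_dmaengine_pcm_prepare_slave_config()` applied to its `slave_config`. That is a behaviour change for any platform that left the callback NULL on purpose, not only a NULL-pointer guard. Either state the new meaning next to the assignment, e.g. `/* NULL callback: fall back to the default, do not skip */`, or drop the dead `if`. The function body starts and ends outside the hunk.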
@@ -0,0 +1,60 @@ +From 6787dae9ed5e74c97c76cf1bf245f64fc2b63946 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Mar 2022 14:28:44 +0800 +Subject: ASoC: fsi: Add check for clk_enable + +From: Jiasheng Jiang + +[ Upstream commit 405afed8a728f23cfaa02f75bbc8bdd6b7322123 ] + +As the potential failure of the clk_enable(), +it should be better to check it and return error +if fails. + +Fixes: ab6f6d85210c ("ASoC: fsi: add master clock control functions") +Signed-off-by: Jiasheng Jiang +Link: https://lore.kernel.org/r/20220302062844.46869-1-jiasheng@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sh/fsi.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/sh/fsi.c b/sound/soc/sh/fsi.c +index aa7e902f0c02..f486e2b2c540 100644 +--- a/sound/soc/sh/fsi.c ++++ b/sound/soc/sh/fsi.c +@@ -816,14 +816,27 @@ static int fsi_clk_enable(struct device *dev, + return ret; + } + +- clk_enable(clock->xck); +- clk_enable(clock->ick); +- clk_enable(clock->div); ++ ret = clk_enable(clock->xck); ++ if (ret) ++ goto err; ++ ret = clk_enable(clock->ick); ++ if (ret) ++ goto disable_xck; ++ ret = clk_enable(clock->div); ++ if (ret) ++ goto disable_ick; + + clock->count++; + } + + return ret; ++ ++disable_ick: ++ clk_disable(clock->ick); ++disable_xck: ++ clk_disable(clock->xck); ++err: ++ return ret; + } + + static int fsi_clk_disable(struct device *dev, +-- +2.34.1 + diff --git a/queue-4.19/asoc-imx-es8328-fix-error-return-code-in-imx_es8328_.patch b/queue-4.19/asoc-imx-es8328-fix-error-return-code-in-imx_es8328_.patch new file mode 100644 index 00000000000..ea6778a6b07 --- /dev/null +++ b/queue-4.19/asoc-imx-es8328-fix-error-return-code-in-imx_es8328_.patch 
@@ -0,0 +1,36 @@ +From 786a4c6d4e02992bb606e1c4eb99cdb0e29217a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Mar 2022 09:19:02 +0000 +Subject: ASoC: imx-es8328: Fix error return code in imx_es8328_probe() + +From: Wang Wensheng + +[ Upstream commit 3b891513f95cba3944e72c1139ea706d04f3781b ] + +Fix to return a negative error code from the error handling case instead +of 0, as done elsewhere in this function. + +Fixes: 7e7292dba215 ("ASoC: fsl: add imx-es8328 machine driver") +Signed-off-by: Wang Wensheng +Link: https://lore.kernel.org/r/20220310091902.129299-1-wangwensheng4@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/imx-es8328.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/fsl/imx-es8328.c b/sound/soc/fsl/imx-es8328.c +index 9953438086e4..735693274f49 100644 +--- a/sound/soc/fsl/imx-es8328.c ++++ b/sound/soc/fsl/imx-es8328.c +@@ -93,6 +93,7 @@ static int imx_es8328_probe(struct platform_device *pdev) + if (int_port > MUX_PORT_MAX || int_port == 0) { + dev_err(dev, "mux-int-port: hardware only has %d mux ports\n", + MUX_PORT_MAX); ++ ret = -EINVAL; + goto fail; + } + +-- +2.34.1 + diff --git a/queue-4.19/asoc-msm8916-wcd-digital-fix-missing-clk_disable_unp.patch b/queue-4.19/asoc-msm8916-wcd-digital-fix-missing-clk_disable_unp.patch new file mode 100644 index 00000000000..e5c0fa2a92a --- /dev/null +++ b/queue-4.19/asoc-msm8916-wcd-digital-fix-missing-clk_disable_unp.patch 
@@ -0,0 +1,48 @@ +From 3a4c2066fb56bcdd925dce6aa722a463d9ea8237 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Mar 2022 08:45:22 +0000 +Subject: ASoC: msm8916-wcd-digital: Fix missing clk_disable_unprepare() in + msm8916_wcd_digital_probe + +From: Miaoqian Lin + +[ Upstream commit 375a347da4889f64d86e1ab7f4e6702b6e9bf299 ] + +Fix the missing clk_disable_unprepare() before return +from msm8916_wcd_digital_probe in the error handling case. + +Fixes: 150db8c5afa1 ("ASoC: codecs: Add msm8916-wcd digital codec") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220307084523.28687-1-linmq006@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/msm8916-wcd-digital.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/msm8916-wcd-digital.c b/sound/soc/codecs/msm8916-wcd-digital.c +index 6de2ab6f9706..e6750bda542a 100644 +--- a/sound/soc/codecs/msm8916-wcd-digital.c ++++ b/sound/soc/codecs/msm8916-wcd-digital.c +@@ -918,7 +918,7 @@ static int msm8916_wcd_digital_probe(struct platform_device *pdev) + ret = clk_prepare_enable(priv->mclk); + if (ret < 0) { + dev_err(dev, "failed to enable mclk %d\n", ret); +- return ret; ++ goto err_clk; + } + + dev_set_drvdata(dev, priv); +@@ -926,6 +926,9 @@ static int msm8916_wcd_digital_probe(struct platform_device *pdev) + return devm_snd_soc_register_component(dev, &msm8916_wcd_digital, + msm8916_wcd_digital_dai, + ARRAY_SIZE(msm8916_wcd_digital_dai)); ++err_clk: ++ clk_disable_unprepare(priv->ahbclk); ++ return ret; + } + + static int msm8916_wcd_digital_remove(struct platform_device *pdev) +-- +2.34.1 + diff --git a/queue-4.19/asoc-mxs-fix-error-handling-in-mxs_sgtl5000_probe.patch b/queue-4.19/asoc-mxs-fix-error-handling-in-mxs_sgtl5000_probe.patch new file mode 100644 index 00000000000..e5129ea2226 --- /dev/null +++ b/queue-4.19/asoc-mxs-fix-error-handling-in-mxs_sgtl5000_probe.patch 
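Review bot: The new `err_clk` label in `msm8916_wcd_digital_probe()` is reached only when enabling `priv->mclk` fails; the success path still ends in `return devm_snd_soc_register_component(...)`, so a failure of that call returns with both `mclk` and `ahbclk` left enabled. Capturing the return value and unwinding through a second label that falls into `err_clk` would close the remaining leak. The start of the function, where `ahbclk` is presumably enabled, is outside the hunks.

```c
	dev_set_drvdata(dev, priv);

	ret = devm_snd_soc_register_component(dev, &msm8916_wcd_digital,
					      msm8916_wcd_digital_dai,
					      ARRAY_SIZE(msm8916_wcd_digital_dai));
	if (ret)
		goto err_mclk;

	return 0;

err_mclk:
	clk_disable_unprepare(priv->mclk);
err_clk:
	/* … unchanged: disable ahbclk and return ret … */
```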
@@ -0,0 +1,43 @@ +From 397cbdf3f13cb94f4295ab666059ac29e95b3e53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Mar 2022 02:01:44 +0000 +Subject: ASoC: mxs: Fix error handling in mxs_sgtl5000_probe + +From: Miaoqian Lin + +[ Upstream commit 6ae0a4d8fec551ec581d620f0eb1fe31f755551c ] + +This function only calls of_node_put() in the regular path. +And it will cause refcount leak in error paths. +For example, when codec_np is NULL, saif_np[0] and saif_np[1] +are not NULL, it will cause leaks. + +of_node_put() will check if the node pointer is NULL, so we can +call it directly to release the refcount of regular pointers. + +Fixes: e968194b45c4 ("ASoC: mxs: add device tree support for mxs-sgtl5000") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220308020146.26496-1-linmq006@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/mxs/mxs-sgtl5000.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/soc/mxs/mxs-sgtl5000.c b/sound/soc/mxs/mxs-sgtl5000.c +index 2b3f2408301a..c40e0ab49657 100644 +--- a/sound/soc/mxs/mxs-sgtl5000.c ++++ b/sound/soc/mxs/mxs-sgtl5000.c +@@ -120,6 +120,9 @@ static int mxs_sgtl5000_probe(struct platform_device *pdev) + codec_np = of_parse_phandle(np, "audio-codec", 0); + if (!saif_np[0] || !saif_np[1] || !codec_np) { + dev_err(&pdev->dev, "phandle missing or invalid\n"); ++ of_node_put(codec_np); ++ of_node_put(saif_np[0]); ++ of_node_put(saif_np[1]); + return -EINVAL; + } + +-- +2.34.1 + diff --git a/queue-4.19/asoc-mxs-saif-handle-errors-for-clk_enable.patch b/queue-4.19/asoc-mxs-saif-handle-errors-for-clk_enable.patch new file mode 100644 index 00000000000..cc1ae5939db --- /dev/null +++ b/queue-4.19/asoc-mxs-saif-handle-errors-for-clk_enable.patch 
@@ -0,0 +1,40 @@ +From 8c2443e65881ec156714190cc6eb607c565a39ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Mar 2022 16:17:17 +0800 +Subject: ASoC: mxs-saif: Handle errors for clk_enable + +From: Jiasheng Jiang + +[ Upstream commit 2ecf362d220317debf5da376e0390e9f7a3f7b29 ] + +As the potential failure of the clk_enable(), +it should be better to check it, like mxs_saif_trigger(). + +Fixes: d0ba4c014934 ("ASoC: mxs-saif: set a base clock rate for EXTMASTER mode work") +Signed-off-by: Jiasheng Jiang +Link: https://lore.kernel.org/r/20220301081717.3727190-1-jiasheng@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/mxs/mxs-saif.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/mxs/mxs-saif.c b/sound/soc/mxs/mxs-saif.c +index 156aa7c00787..93c019670199 100644 +--- a/sound/soc/mxs/mxs-saif.c ++++ b/sound/soc/mxs/mxs-saif.c +@@ -467,7 +467,10 @@ static int mxs_saif_hw_params(struct snd_pcm_substream *substream, + * basic clock which should be fast enough for the internal + * logic. + */ +- clk_enable(saif->clk); ++ ret = clk_enable(saif->clk); ++ if (ret) ++ return ret; ++ + ret = clk_set_rate(saif->clk, 24000000); + clk_disable(saif->clk); + if (ret) +-- +2.34.1 + diff --git a/queue-4.19/asoc-rt5663-check-the-return-value-of-devm_kzalloc-i.patch b/queue-4.19/asoc-rt5663-check-the-return-value-of-devm_kzalloc-i.patch new file mode 100644 index 00000000000..6902fad4822 --- /dev/null +++ b/queue-4.19/asoc-rt5663-check-the-return-value-of-devm_kzalloc-i.patch 
@@ -0,0 +1,39 @@ +From dc770594159ea0b6898d6ae9fe4638caa26ed061 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Feb 2022 05:10:30 -0800 +Subject: ASoC: rt5663: check the return value of devm_kzalloc() in + rt5663_parse_dp() + +From: Jia-Ju Bai + +[ Upstream commit 4d06f92f38b799295ae22c98be7a20cac3e2a1a7 ] + +The function devm_kzalloc() in rt5663_parse_dp() can fail, so its return +value should be checked. + +Fixes: 457c25efc592 ("ASoC: rt5663: Add the function of impedance sensing") +Reported-by: TOTE Robot +Signed-off-by: Jia-Ju Bai +Link: https://lore.kernel.org/r/20220225131030.27248-1-baijiaju1990@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/rt5663.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/soc/codecs/rt5663.c b/sound/soc/codecs/rt5663.c +index dd77f131ce6c..b92e1b6ed383 100644 +--- a/sound/soc/codecs/rt5663.c ++++ b/sound/soc/codecs/rt5663.c +@@ -3463,6 +3463,8 @@ static int rt5663_parse_dp(struct rt5663_priv *rt5663, struct device *dev) + table_size = sizeof(struct impedance_mapping_table) * + rt5663->pdata.impedance_sensing_num; + rt5663->imp_table = devm_kzalloc(dev, table_size, GFP_KERNEL); ++ if (!rt5663->imp_table) ++ return -ENOMEM; + ret = device_property_read_u32_array(dev, + "realtek,impedance_sensing_table", + (u32 *)rt5663->imp_table, table_size); +-- +2.34.1 + diff --git a/queue-4.19/asoc-soc-core-skip-zero-num_dai-component-in-searchi.patch b/queue-4.19/asoc-soc-core-skip-zero-num_dai-component-in-searchi.patch new file mode 100644 index 00000000000..1246c69082b --- /dev/null +++ b/queue-4.19/asoc-soc-core-skip-zero-num_dai-component-in-searchi.patch 
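Review bot: In `rt5663_parse_dp()` the context lines right after the new NULL check pass `table_size`, a byte count, as the last argument of `device_property_read_u32_array()`, which takes the number of u32 elements. The buffer holds `table_size` bytes, so the call asks for four times as many values as the allocation can hold; it can fail on a correctly sized property or write past `imp_table` on an oversized one. The count should be `table_size / sizeof(u32)`. The multiplication by `impedance_sensing_num` is also unchecked; `devm_kcalloc(dev, rt5663->pdata.impedance_sensing_num, sizeof(struct impedance_mapping_table), GFP_KERNEL)` would reject an overflowing count, assuming that value is read from firmware data outside this hunk.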
@@ -0,0 +1,47 @@ +From 7bed00f91c2230dbce3fc65abf5a5c49998fb8ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Feb 2022 19:19:12 +0800 +Subject: ASoC: soc-core: skip zero num_dai component in searching dai name + +From: Shengjiu Wang + +[ Upstream commit f7d344a2bd5ec81fbd1ce76928fd059e57ec9bea ] + +In the case like dmaengine which's not a dai but as a component, the +num_dai is zero, dmaengine component has the same component_of_node +as cpu dai, when cpu dai component is not ready, but dmaengine component +is ready, try to get cpu dai name, the snd_soc_get_dai_name() return +-EINVAL, not -EPROBE_DEFER, that cause below error: + +asoc-simple-card : parse error -22 +asoc-simple-card: probe of failed with error -22 + +The sound card failed to probe. + +So this patch fixes the issue above by skipping the zero num_dai +component in searching dai name. + +Signed-off-by: Shengjiu Wang +Link: https://lore.kernel.org/r/1644491952-7457-1-git-send-email-shengjiu.wang@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index 273898b358c4..9ca7dff5593d 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -3708,7 +3708,7 @@ int snd_soc_get_dai_name(struct of_phandle_args *args, + if (!component_of_node && pos->dev->parent) + component_of_node = pos->dev->parent->of_node; + +- if (component_of_node != args->np) ++ if (component_of_node != args->np || !pos->num_dai) + continue; + + if (pos->driver->of_xlate_dai_name) { +-- +2.34.1 + diff --git a/queue-4.19/asoc-ti-davinci-i2s-add-check-for-clk_enable.patch b/queue-4.19/asoc-ti-davinci-i2s-add-check-for-clk_enable.patch new file mode 100644 index 00000000000..82ecdf57e43 --- /dev/null +++ b/queue-4.19/asoc-ti-davinci-i2s-add-check-for-clk_enable.patch 
@@ -0,0 +1,49 @@ +From e6468e00d17548ee61bef336d80ad47fa9e6977e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Feb 2022 11:15:40 +0800 +Subject: ASoC: ti: davinci-i2s: Add check for clk_enable() + +From: Jiasheng Jiang + +[ Upstream commit ed7c9fef11931fc5d32a83d68017ff390bf5c280 ] + +As the potential failure of the clk_enable(), +it should be better to check it and return error +if fails. + +Fixes: 5f9a50c3e55e ("ASoC: Davinci: McBSP: add device tree support for McBSP") +Signed-off-by: Jiasheng Jiang +Acked-by: Peter Ujfalusi +Link: https://lore.kernel.org/r/20220228031540.3571959-1-jiasheng@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/davinci/davinci-i2s.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/davinci/davinci-i2s.c b/sound/soc/davinci/davinci-i2s.c +index a3206e65e5e5..205841e46046 100644 +--- a/sound/soc/davinci/davinci-i2s.c ++++ b/sound/soc/davinci/davinci-i2s.c +@@ -721,7 +721,9 @@ static int davinci_i2s_probe(struct platform_device *pdev) + dev->clk = clk_get(&pdev->dev, NULL); + if (IS_ERR(dev->clk)) + return -ENODEV; +- clk_enable(dev->clk); ++ ret = clk_enable(dev->clk); ++ if (ret) ++ goto err_put_clk; + + dev->dev = &pdev->dev; + dev_set_drvdata(&pdev->dev, dev); +@@ -743,6 +745,7 @@ static int davinci_i2s_probe(struct platform_device *pdev) + snd_soc_unregister_component(&pdev->dev); + err_release_clk: + clk_disable(dev->clk); ++err_put_clk: + clk_put(dev->clk); + return ret; + } +-- +2.34.1 + diff --git a/queue-4.19/asoc-wm8350-handle-error-for-wm8350_register_irq.patch b/queue-4.19/asoc-wm8350-handle-error-for-wm8350_register_irq.patch new file mode 100644 index 00000000000..d69f2051b4b --- /dev/null +++ b/queue-4.19/asoc-wm8350-handle-error-for-wm8350_register_irq.patch 
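Review bot: In `davinci_i2s_probe()` the context line `return -ENODEV;` just above the new `clk_enable()` check discards the error encoded in `dev->clk`, so a deferred-probe result from `clk_get()` is reported as a permanent failure; `return PTR_ERR(dev->clk);` would preserve it. The new `err_put_clk` label is placed so that a failed enable is followed by `clk_put()` without `clk_disable()`, which matches the state at that point. The function begins outside the hunk.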
@@ -0,0 +1,73 @@ +From 6ac3df1a255d9e1ec8e2df8100fa3b0386acac98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Mar 2022 10:38:21 +0800 +Subject: ASoC: wm8350: Handle error for wm8350_register_irq + +From: Jiasheng Jiang + +[ Upstream commit db0350da8084ad549bca16cc0486c11cc70a1f9b ] + +As the potential failure of the wm8350_register_irq(), +it should be better to check it and return error if fails. +Also, use 'free_' in order to avoid the same code. + +Fixes: a6ba2b2dabb5 ("ASoC: Implement WM8350 headphone jack detection") +Signed-off-by: Jiasheng Jiang +Acked-by: Charles Keepax +Link: https://lore.kernel.org/r/20220304023821.391936-1-jiasheng@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wm8350.c | 28 ++++++++++++++++++++++++---- + 1 file changed, 24 insertions(+), 4 deletions(-) + +diff --git a/sound/soc/codecs/wm8350.c b/sound/soc/codecs/wm8350.c +index e92ebe52d485..707b31ef9346 100644 +--- a/sound/soc/codecs/wm8350.c ++++ b/sound/soc/codecs/wm8350.c +@@ -1538,18 +1538,38 @@ static int wm8350_component_probe(struct snd_soc_component *component) + wm8350_clear_bits(wm8350, WM8350_JACK_DETECT, + WM8350_JDL_ENA | WM8350_JDR_ENA); + +- wm8350_register_irq(wm8350, WM8350_IRQ_CODEC_JCK_DET_L, ++ ret = wm8350_register_irq(wm8350, WM8350_IRQ_CODEC_JCK_DET_L, + wm8350_hpl_jack_handler, 0, "Left jack detect", + priv); +- wm8350_register_irq(wm8350, WM8350_IRQ_CODEC_JCK_DET_R, ++ if (ret != 0) ++ goto err; ++ ++ ret = wm8350_register_irq(wm8350, WM8350_IRQ_CODEC_JCK_DET_R, + wm8350_hpr_jack_handler, 0, "Right jack detect", + priv); +- wm8350_register_irq(wm8350, WM8350_IRQ_CODEC_MICSCD, ++ if (ret != 0) ++ goto free_jck_det_l; ++ ++ ret = wm8350_register_irq(wm8350, WM8350_IRQ_CODEC_MICSCD, + wm8350_mic_handler, 0, "Microphone short", priv); +- wm8350_register_irq(wm8350, WM8350_IRQ_CODEC_MICD, ++ if (ret != 0) ++ goto free_jck_det_r; ++ ++ ret = wm8350_register_irq(wm8350, WM8350_IRQ_CODEC_MICD, + 
wm8350_mic_handler, 0, "Microphone detect", priv); ++ if (ret != 0) ++ goto free_micscd; + + return 0; ++ ++free_micscd: ++ wm8350_free_irq(wm8350, WM8350_IRQ_CODEC_MICSCD, priv); ++free_jck_det_r: ++ wm8350_free_irq(wm8350, WM8350_IRQ_CODEC_JCK_DET_R, priv); ++free_jck_det_l: ++ wm8350_free_irq(wm8350, WM8350_IRQ_CODEC_JCK_DET_L, priv); ++err: ++ return ret; + } + + static void wm8350_component_remove(struct snd_soc_component *component) +-- +2.34.1 + diff --git a/queue-4.19/ath10k-fix-memory-overwrite-of-the-wowlan-wakeup-pac.patch b/queue-4.19/ath10k-fix-memory-overwrite-of-the-wowlan-wakeup-pac.patch new file mode 100644 index 00000000000..657f4ee8985 --- /dev/null +++ b/queue-4.19/ath10k-fix-memory-overwrite-of-the-wowlan-wakeup-pac.patch 
@@ -0,0 +1,56 @@ +From ff0b25d0ced15b40ca5c0642ed65e543e124d9e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jan 2022 16:24:13 +0200 +Subject: ath10k: fix memory overwrite of the WoWLAN wakeup packet pattern + +From: Wen Gong + +[ Upstream commit e3fb3d4418fce5484dfe7995fcd94c18b10a431a ] + +In function ath10k_wow_convert_8023_to_80211(), it will do memcpy for +the new->pattern, and currently the new->pattern and new->mask is same +with the old, then the memcpy of new->pattern will also overwrite the +old->pattern, because the header format of new->pattern is 802.11, +its length is larger than the old->pattern which is 802.3. Then the +operation of "Copy frame body" will copy a mistake value because the +body memory has been overwrite when memcpy the new->pattern. + +Assign another empty value to new_pattern to avoid the overwrite issue. + +Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00049 + +Fixes: fa3440fa2fa1 ("ath10k: convert wow pattern from 802.3 to 802.11") +Signed-off-by: Wen Gong +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211222031347.25463-1-quic_wgong@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/wow.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath10k/wow.c b/drivers/net/wireless/ath/ath10k/wow.c +index a6b179f88d36..1d44227d107d 100644 +--- a/drivers/net/wireless/ath/ath10k/wow.c ++++ b/drivers/net/wireless/ath/ath10k/wow.c +@@ -235,14 +235,15 @@ static int ath10k_vif_wow_set_wakeups(struct ath10k_vif *arvif, + if (patterns[i].mask[j / 8] & BIT(j % 8)) + bitmask[j] = 0xff; + old_pattern.mask = bitmask; +- new_pattern = old_pattern; + + if (ar->wmi.rx_decap_mode == ATH10K_HW_TXRX_NATIVE_WIFI) { +- if (patterns[i].pkt_offset < ETH_HLEN) ++ if (patterns[i].pkt_offset < ETH_HLEN) { + ath10k_wow_convert_8023_to_80211(&new_pattern, + &old_pattern); +- else ++ } else { ++ new_pattern = old_pattern; + new_pattern.pkt_offset += 
WOW_HDR_LEN - ETH_HLEN; ++ } + } + + if (WARN_ON(new_pattern.pattern_len > WOW_MAX_PATTERN_SIZE)) +-- +2.34.1 + diff --git a/queue-4.19/ath9k_htc-fix-uninit-value-bugs.patch b/queue-4.19/ath9k_htc-fix-uninit-value-bugs.patch new file mode 100644 index 00000000000..f5e8c13001c --- /dev/null +++ b/queue-4.19/ath9k_htc-fix-uninit-value-bugs.patch 
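Review bot: In `ath10k_vif_wow_set_wakeups()` (drivers/net/wireless/ath/ath10k/wow.c) `new_pattern` is now assigned only inside the `ATH10K_HW_TXRX_NATIVE_WIFI` branch, so for any other `rx_decap_mode` the `WARN_ON(new_pattern.pattern_len > WOW_MAX_PATTERN_SIZE)` check and whatever follows it read a value this hunk never copies from `old_pattern`. The declaration and any per-iteration initialisation of `new_pattern` are outside the hunk, so this may be handled there, but as shown the non-native path no longer carries the requested pattern, mask, length or offset. An explicit `else` on the outer `if` keeps the previous behaviour for that path: `} else {`, `new_pattern = old_pattern;`, `}`. The conversion branch likewise relies on `new_pattern.pattern` and `new_pattern.mask` pointing at buffers distinct from the old ones, which the commit message describes but the visible lines do not show.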
@@ -0,0 +1,100 @@
+From 8fe19b7d377c396e9141ce728577ca39bda6db90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jan 2022 10:52:37 +0200
+Subject: ath9k_htc: fix uninit value bugs
+
+From: Pavel Skripkin
+
+[ Upstream commit d1e0df1c57bd30871dd1c855742a7c346dbca853 ]
+
+Syzbot reported 2 KMSAN bugs in ath9k. All of them are caused by missing
+field initialization.
+
+In htc_connect_service() svc_meta_len and pad are not initialized. Based
+on code it looks like in current skb there is no service data, so simply
+initialize svc_meta_len to 0.
+
+htc_issue_send() does not initialize htc_frame_hdr::control array. Based
+on firmware code, it will initialize it by itself, so simply zero whole
+array to make KMSAN happy
+
+Fail logs:
+
+BUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
+ usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
+ hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline]
+ hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479
+ htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline]
+ htc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275
+...
+
+Uninit was created at:
+ slab_post_alloc_hook mm/slab.h:524 [inline]
+ slab_alloc_node mm/slub.c:3251 [inline]
+ __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974
+ kmalloc_reserve net/core/skbuff.c:354 [inline]
+ __alloc_skb+0x545/0xf90 net/core/skbuff.c:426
+ alloc_skb include/linux/skbuff.h:1126 [inline]
+ htc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258
+...
+
+Bytes 4-7 of 18 are uninitialized
+Memory access of size 18 starts at ffff888027377e00
+
+BUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
+ usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
+ hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline]
+ hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479
+ htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline]
+ htc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275
+...
+
+Uninit was created at:
+ slab_post_alloc_hook mm/slab.h:524 [inline]
+ slab_alloc_node mm/slub.c:3251 [inline]
+ __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974
+ kmalloc_reserve net/core/skbuff.c:354 [inline]
+ __alloc_skb+0x545/0xf90 net/core/skbuff.c:426
+ alloc_skb include/linux/skbuff.h:1126 [inline]
+ htc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258
+...
+
+Bytes 16-17 of 18 are uninitialized
+Memory access of size 18 starts at ffff888027377e00
+
+Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
+Reported-by: syzbot+f83a1df1ed4f67e8d8ad@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20220115122733.11160-1-paskripkin@gmail.com
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath9k/htc_hst.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
+index 05fca38b38ed..e37de14bc502 100644
+--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
++++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
+@@ -30,6 +30,7 @@ static int htc_issue_send(struct htc_target *target, struct sk_buff* skb,
+ hdr->endpoint_id = epid;
+ hdr->flags = flags;
+ hdr->payload_len = cpu_to_be16(len);
++ memset(hdr->control, 0, sizeof(hdr->control));
+
+ status = target->hif->send(target->hif_dev, endpoint->ul_pipeid, skb);
+
+@@ -274,6 +275,10 @@ int htc_connect_service(struct htc_target *target,
+ conn_msg->dl_pipeid = endpoint->dl_pipeid;
+ conn_msg->ul_pipeid = endpoint->ul_pipeid;
+
++ /* To prevent infoleak */
++ conn_msg->svc_meta_len = 0;
++ conn_msg->pad = 0;
++
+ ret = htc_issue_send(target, skb, skb->len, 0, ENDPOINT0);
+ if (ret)
+ goto err;
+--
+2.34.1
+
diff --git a/queue-4.19/bfq-fix-use-after-free-in-bfq_dispatch_request.patch b/queue-4.19/bfq-fix-use-after-free-in-bfq_dispatch_request.patch
new file mode 100644
index 00000000000..fa6749062e0
--- /dev/null
+++ b/queue-4.19/bfq-fix-use-after-free-in-bfq_dispatch_request.patch
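Review bot: Zeroing `svc_meta_len` and `pad` one field at a time in htc_connect_service() closes the two reported gaps but leaves the message open to the same kernel-usb-infoleak if a field or padding is ever added to the connect message. The KMSAN trace shows the buffer coming from alloc_skb(), so it is not zeroed on allocation; clearing the whole structure before the first field is set, `memset(conn_msg, 0, sizeof(*conn_msg));`, would make the per-field lines unnecessary. The place where `conn_msg` is obtained is outside the hunk, so the exact position has to be checked there. The comment `/* To prevent infoleak */` would also read better as `/* Whole message is sent to the device over USB; leave no uninitialized bytes */`.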
@@ -0,0 +1,183 @@ +From bf9345aef617b20d563e047cde8d2771249b3c89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Mar 2022 15:03:34 +0800 +Subject: bfq: fix use-after-free in bfq_dispatch_request + +From: Zhang Wensheng + +[ Upstream commit ab552fcb17cc9e4afe0e4ac4df95fc7b30e8490a ] + +KASAN reports a use-after-free report when doing normal scsi-mq test + +[69832.239032] ================================================================== +[69832.241810] BUG: KASAN: use-after-free in bfq_dispatch_request+0x1045/0x44b0 +[69832.243267] Read of size 8 at addr ffff88802622ba88 by task kworker/3:1H/155 +[69832.244656] +[69832.245007] CPU: 3 PID: 155 Comm: kworker/3:1H Not tainted 5.10.0-10295-g576c6382529e #8 +[69832.246626] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 +[69832.249069] Workqueue: kblockd blk_mq_run_work_fn +[69832.250022] Call Trace: +[69832.250541] dump_stack+0x9b/0xce +[69832.251232] ? bfq_dispatch_request+0x1045/0x44b0 +[69832.252243] print_address_description.constprop.6+0x3e/0x60 +[69832.253381] ? __cpuidle_text_end+0x5/0x5 +[69832.254211] ? vprintk_func+0x6b/0x120 +[69832.254994] ? bfq_dispatch_request+0x1045/0x44b0 +[69832.255952] ? bfq_dispatch_request+0x1045/0x44b0 +[69832.256914] kasan_report.cold.9+0x22/0x3a +[69832.257753] ? bfq_dispatch_request+0x1045/0x44b0 +[69832.258755] check_memory_region+0x1c1/0x1e0 +[69832.260248] bfq_dispatch_request+0x1045/0x44b0 +[69832.261181] ? bfq_bfqq_expire+0x2440/0x2440 +[69832.262032] ? blk_mq_delay_run_hw_queues+0xf9/0x170 +[69832.263022] __blk_mq_do_dispatch_sched+0x52f/0x830 +[69832.264011] ? blk_mq_sched_request_inserted+0x100/0x100 +[69832.265101] __blk_mq_sched_dispatch_requests+0x398/0x4f0 +[69832.266206] ? blk_mq_do_dispatch_ctx+0x570/0x570 +[69832.267147] ? 
__switch_to+0x5f4/0xee0 +[69832.267898] blk_mq_sched_dispatch_requests+0xdf/0x140 +[69832.268946] __blk_mq_run_hw_queue+0xc0/0x270 +[69832.269840] blk_mq_run_work_fn+0x51/0x60 +[69832.278170] process_one_work+0x6d4/0xfe0 +[69832.278984] worker_thread+0x91/0xc80 +[69832.279726] ? __kthread_parkme+0xb0/0x110 +[69832.280554] ? process_one_work+0xfe0/0xfe0 +[69832.281414] kthread+0x32d/0x3f0 +[69832.282082] ? kthread_park+0x170/0x170 +[69832.282849] ret_from_fork+0x1f/0x30 +[69832.283573] +[69832.283886] Allocated by task 7725: +[69832.284599] kasan_save_stack+0x19/0x40 +[69832.285385] __kasan_kmalloc.constprop.2+0xc1/0xd0 +[69832.286350] kmem_cache_alloc_node+0x13f/0x460 +[69832.287237] bfq_get_queue+0x3d4/0x1140 +[69832.287993] bfq_get_bfqq_handle_split+0x103/0x510 +[69832.289015] bfq_init_rq+0x337/0x2d50 +[69832.289749] bfq_insert_requests+0x304/0x4e10 +[69832.290634] blk_mq_sched_insert_requests+0x13e/0x390 +[69832.291629] blk_mq_flush_plug_list+0x4b4/0x760 +[69832.292538] blk_flush_plug_list+0x2c5/0x480 +[69832.293392] io_schedule_prepare+0xb2/0xd0 +[69832.294209] io_schedule_timeout+0x13/0x80 +[69832.295014] wait_for_common_io.constprop.1+0x13c/0x270 +[69832.296137] submit_bio_wait+0x103/0x1a0 +[69832.296932] blkdev_issue_discard+0xe6/0x160 +[69832.297794] blk_ioctl_discard+0x219/0x290 +[69832.298614] blkdev_common_ioctl+0x50a/0x1750 +[69832.304715] blkdev_ioctl+0x470/0x600 +[69832.305474] block_ioctl+0xde/0x120 +[69832.306232] vfs_ioctl+0x6c/0xc0 +[69832.306877] __se_sys_ioctl+0x90/0xa0 +[69832.307629] do_syscall_64+0x2d/0x40 +[69832.308362] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[69832.309382] +[69832.309701] Freed by task 155: +[69832.310328] kasan_save_stack+0x19/0x40 +[69832.311121] kasan_set_track+0x1c/0x30 +[69832.311868] kasan_set_free_info+0x1b/0x30 +[69832.312699] __kasan_slab_free+0x111/0x160 +[69832.313524] kmem_cache_free+0x94/0x460 +[69832.314367] bfq_put_queue+0x582/0x940 +[69832.315112] __bfq_bfqd_reset_in_service+0x166/0x1d0 +[69832.317275] 
bfq_bfqq_expire+0xb27/0x2440 +[69832.318084] bfq_dispatch_request+0x697/0x44b0 +[69832.318991] __blk_mq_do_dispatch_sched+0x52f/0x830 +[69832.319984] __blk_mq_sched_dispatch_requests+0x398/0x4f0 +[69832.321087] blk_mq_sched_dispatch_requests+0xdf/0x140 +[69832.322225] __blk_mq_run_hw_queue+0xc0/0x270 +[69832.323114] blk_mq_run_work_fn+0x51/0x60 +[69832.323942] process_one_work+0x6d4/0xfe0 +[69832.324772] worker_thread+0x91/0xc80 +[69832.325518] kthread+0x32d/0x3f0 +[69832.326205] ret_from_fork+0x1f/0x30 +[69832.326932] +[69832.338297] The buggy address belongs to the object at ffff88802622b968 +[69832.338297] which belongs to the cache bfq_queue of size 512 +[69832.340766] The buggy address is located 288 bytes inside of +[69832.340766] 512-byte region [ffff88802622b968, ffff88802622bb68) +[69832.343091] The buggy address belongs to the page: +[69832.344097] page:ffffea0000988a00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802622a528 pfn:0x26228 +[69832.346214] head:ffffea0000988a00 order:2 compound_mapcount:0 compound_pincount:0 +[69832.347719] flags: 0x1fffff80010200(slab|head) +[69832.348625] raw: 001fffff80010200 ffffea0000dbac08 ffff888017a57650 ffff8880179fe840 +[69832.354972] raw: ffff88802622a528 0000000000120008 00000001ffffffff 0000000000000000 +[69832.356547] page dumped because: kasan: bad access detected +[69832.357652] +[69832.357970] Memory state around the buggy address: +[69832.358926] ffff88802622b980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[69832.360358] ffff88802622ba00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[69832.361810] >ffff88802622ba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[69832.363273] ^ +[69832.363975] ffff88802622bb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc +[69832.375960] ffff88802622bb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[69832.377405] ================================================================== + +In bfq_dispatch_requestfunction, it may have function 
call: + +bfq_dispatch_request + __bfq_dispatch_request + bfq_select_queue + bfq_bfqq_expire + __bfq_bfqd_reset_in_service + bfq_put_queue + kmem_cache_free +In this function call, in_serv_queue has beed expired and meet the +conditions to free. In the function bfq_dispatch_request, the address +of in_serv_queue pointing to has been released. For getting the value +of idle_timer_disabled, it will get flags value from the address which +in_serv_queue pointing to, then the problem of use-after-free happens; + +Fix the problem by check in_serv_queue == bfqd->in_service_queue, to +get the value of idle_timer_disabled if in_serve_queue is equel to +bfqd->in_service_queue. If the space of in_serv_queue pointing has +been released, this judge will aviod use-after-free problem. +And if in_serv_queue may be expired or finished, the idle_timer_disabled +will be false which would not give effects to bfq_update_dispatch_stats. + +Reported-by: Hulk Robot +Signed-off-by: Zhang Wensheng +Link: https://lore.kernel.org/r/20220303070334.3020168-1-zhangwensheng5@huawei.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bfq-iosched.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c +index 11686e768401..dfd55037dc6f 100644 +--- a/block/bfq-iosched.c ++++ b/block/bfq-iosched.c +@@ -4122,7 +4122,7 @@ static struct request *bfq_dispatch_request(struct blk_mq_hw_ctx *hctx) + struct bfq_data *bfqd = hctx->queue->elevator->elevator_data; + struct request *rq; + struct bfq_queue *in_serv_queue; +- bool waiting_rq, idle_timer_disabled; ++ bool waiting_rq, idle_timer_disabled = false; + + spin_lock_irq(&bfqd->lock); + +@@ -4130,14 +4130,15 @@ static struct request *bfq_dispatch_request(struct blk_mq_hw_ctx *hctx) + waiting_rq = in_serv_queue && bfq_bfqq_wait_request(in_serv_queue); + + rq = __bfq_dispatch_request(hctx); +- +- idle_timer_disabled = +- waiting_rq && 
!bfq_bfqq_wait_request(in_serv_queue); ++ if (in_serv_queue == bfqd->in_service_queue) { ++ idle_timer_disabled = ++ waiting_rq && !bfq_bfqq_wait_request(in_serv_queue); ++ } + + spin_unlock_irq(&bfqd->lock); +- +- bfq_update_dispatch_stats(hctx->queue, rq, in_serv_queue, +- idle_timer_disabled); ++ bfq_update_dispatch_stats(hctx->queue, rq, ++ idle_timer_disabled ? in_serv_queue : NULL, ++ idle_timer_disabled); + + return rq; + } +-- +2.34.1 + diff --git a/queue-4.19/block-don-t-delete-queue-kobject-before-its-children.patch b/queue-4.19/block-don-t-delete-queue-kobject-before-its-children.patch new file mode 100644 index 00000000000..096e2c0a9b0 --- /dev/null +++ b/queue-4.19/block-don-t-delete-queue-kobject-before-its-children.patch 
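Review bot: The new `if (in_serv_queue == bfqd->in_service_queue)` test in bfq_dispatch_request() has no comment, and its purpose is not obvious from the code: it compares the saved pointer without dereferencing it, because __bfq_dispatch_request() may have expired and freed that queue. I would add above it `/* in_serv_queue may have been expired and freed by __bfq_dispatch_request(); dereference it only if it is still the in-service queue */`. The call to bfq_update_dispatch_stats() now passes NULL when `idle_timer_disabled` is false; its body is outside the hunk, so it should be confirmed that it does not dereference that argument in that case.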
@@ -0,0 +1,72 @@
+From ce87848cf9336189664f85020e07a3751416ab48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 24 Jan 2022 13:59:37 -0800
+Subject: block: don't delete queue kobject before its children
+
+From: Eric Biggers
+
+[ Upstream commit 0f69288253e9fc7c495047720e523b9f1aba5712 ]
+
+kobjects aren't supposed to be deleted before their child kobjects are
+deleted. Apparently this is usually benign; however, a WARN will be
+triggered if one of the child kobjects has a named attribute group:
+
+ sysfs group 'modes' not found for kobject 'crypto'
+ WARNING: CPU: 0 PID: 1 at fs/sysfs/group.c:278 sysfs_remove_group+0x72/0x80
+ ...
+ Call Trace:
+ sysfs_remove_groups+0x29/0x40 fs/sysfs/group.c:312
+ __kobject_del+0x20/0x80 lib/kobject.c:611
+ kobject_cleanup+0xa4/0x140 lib/kobject.c:696
+ kobject_release lib/kobject.c:736 [inline]
+ kref_put include/linux/kref.h:65 [inline]
+ kobject_put+0x53/0x70 lib/kobject.c:753
+ blk_crypto_sysfs_unregister+0x10/0x20 block/blk-crypto-sysfs.c:159
+ blk_unregister_queue+0xb0/0x110 block/blk-sysfs.c:962
+ del_gendisk+0x117/0x250 block/genhd.c:610
+
+Fix this by moving the kobject_del() and the corresponding
+kobject_uevent() to the correct place.
+
+Fixes: 2c2086afc2b8 ("block: Protect less code with sysfs_lock in blk_{un,}register_queue()")
+Reviewed-by: Hannes Reinecke
+Reviewed-by: Greg Kroah-Hartman
+Reviewed-by: Bart Van Assche
+Signed-off-by: Eric Biggers
+Reviewed-by: Christoph Hellwig
+Link: https://lore.kernel.org/r/20220124215938.2769-3-ebiggers@kernel.org
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ block/blk-sysfs.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/block/blk-sysfs.c b/block/blk-sysfs.c
+index 07494deb1a26..67836f212e2d 100644
+--- a/block/blk-sysfs.c
++++ b/block/blk-sysfs.c
+@@ -1002,9 +1002,6 @@ void blk_unregister_queue(struct gendisk *disk)
+ */
+ if (q->mq_ops)
+ blk_mq_unregister_dev(disk_to_dev(disk), q);
+-
+- kobject_uevent(&q->kobj, KOBJ_REMOVE);
+- kobject_del(&q->kobj);
+ blk_trace_remove_sysfs(disk_to_dev(disk));
+
+ mutex_lock(&q->sysfs_lock);
+@@ -1015,6 +1012,11 @@ void blk_unregister_queue(struct gendisk *disk)
+ if (q->request_fn || q->elevator)
+ elv_unregister_queue(q);
+ mutex_unlock(&q->sysfs_lock);
++
++ /* Now that we've deleted all child objects, we can delete the queue. */
++ kobject_uevent(&q->kobj, KOBJ_REMOVE);
++ kobject_del(&q->kobj);
++
+ mutex_unlock(&q->sysfs_dir_lock);
+
+ kobject_put(&disk_to_dev(disk)->kobj);
+--
+2.34.1
+
diff --git a/queue-4.19/bluetooth-hci_serdev-call-init_rwsem-before-p-open.patch b/queue-4.19/bluetooth-hci_serdev-call-init_rwsem-before-p-open.patch
new file mode 100644
index 00000000000..05001e5dc0e
--- /dev/null
+++ b/queue-4.19/bluetooth-hci_serdev-call-init_rwsem-before-p-open.patch
@@ -0,0 +1,71 @@
+From ad48fe9271d93118000d5c6a8e65e63ff3876bab Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 13 Jan 2022 16:27:04 +0300
+Subject: Bluetooth: hci_serdev: call init_rwsem() before p->open()
+
+From: Pavel Skripkin
+
+[ Upstream commit 9d7cbe2b9cf5f650067df4f402fdd799d4bbb4e1 ]
+
+kvartet reported, that hci_uart_tx_wakeup() uses uninitialized rwsem.
+The problem was in wrong place for percpu_init_rwsem() call.
+
+hci_uart_proto::open() may register a timer whose callback may call
+hci_uart_tx_wakeup(). There is a chance, that hci_uart_register_device()
+thread won't be fast enough to call percpu_init_rwsem().
+
+Fix it my moving percpu_init_rwsem() call before p->open().
+
+INFO: trying to register non-static key.
+The code is fine but needs lockdep annotation, or maybe
+you didn't initialize this object before use?
+turning off the locking correctness validator.
+CPU: 2 PID: 18524 Comm: syz-executor.5 Not tainted 5.16.0-rc6 #9
+...
+Call Trace:
+
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
+ assign_lock_key kernel/locking/lockdep.c:951 [inline]
+ register_lock_class+0x148d/0x1950 kernel/locking/lockdep.c:1263
+ __lock_acquire+0x106/0x57e0 kernel/locking/lockdep.c:4906
+ lock_acquire kernel/locking/lockdep.c:5637 [inline]
+ lock_acquire+0x1ab/0x520 kernel/locking/lockdep.c:5602
+ percpu_down_read_trylock include/linux/percpu-rwsem.h:92 [inline]
+ hci_uart_tx_wakeup+0x12e/0x490 drivers/bluetooth/hci_ldisc.c:124
+ h5_timed_event+0x32f/0x6a0 drivers/bluetooth/hci_h5.c:188
+ call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1421
+
+Fixes: d73e17281665 ("Bluetooth: hci_serdev: Init hci_uart proto_lock to avoid oops")
+Reported-by: Yiru Xu
+Signed-off-by: Pavel Skripkin
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Sasha Levin
+---
+ drivers/bluetooth/hci_serdev.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/bluetooth/hci_serdev.c b/drivers/bluetooth/hci_serdev.c
+index 7b3aade431e5..9ebcf0d9e395 100644
+--- a/drivers/bluetooth/hci_serdev.c
++++ b/drivers/bluetooth/hci_serdev.c
+@@ -288,6 +288,8 @@ int hci_uart_register_device(struct hci_uart *hu,
+ if (err)
+ return err;
+
++ percpu_init_rwsem(&hu->proto_lock);
++
+ err = p->open(hu);
+ if (err)
+ goto err_open;
+@@ -310,7 +312,6 @@ int hci_uart_register_device(struct hci_uart *hu,
+
+ INIT_WORK(&hu->init_ready, hci_uart_init_work);
+ INIT_WORK(&hu->write_work, hci_uart_write_work);
+- percpu_init_rwsem(&hu->proto_lock);
+
+ /* Only when vendor specific setup callback is provided, consider
+ * the manufacturer information valid. This avoids filling in the
+--
+2.34.1
+
diff --git a/queue-4.19/clk-actions-terminate-clk_div_table-with-sentinel-el.patch b/queue-4.19/clk-actions-terminate-clk_div_table-with-sentinel-el.patch
new file mode 100644
index 00000000000..fa85d0590ec
--- /dev/null
+++ b/queue-4.19/clk-actions-terminate-clk_div_table-with-sentinel-el.patch
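Review bot: The return value of `percpu_init_rwsem(&hu->proto_lock)` is ignored at its new position in hci_uart_register_device(); the call allocates per-CPU memory and returns an error code on failure, and per the commit message p->open() may arm a timer whose callback takes this lock. The result should be checked before p->open() runs, `err = percpu_init_rwsem(&hu->proto_lock);` followed by an `if (err)` check that unwinds whatever the preceding call set up. The `err_open` path and any later error paths now run with the rwsem already initialised, so they probably need a matching `percpu_free_rwsem(&hu->proto_lock);`. Those labels and the start of the function are outside the hunk.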
@@ -0,0 +1,58 @@
+From 1db2bebf2d3d874cd210aa2118897d1a81da673d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 18 Feb 2022 01:09:17 +0100
+Subject: clk: actions: Terminate clk_div_table with sentinel element
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonathan Neuschäfer
+
+[ Upstream commit d8a441e53e2434b1401e52dfd66b05263e442edc ]
+
+In order that the end of a clk_div_table can be detected, it must be
+terminated with a sentinel element (.div = 0).
+
+In owl-s900.s, the { 0, 8 } element was probably meant to be just that,
+so this patch changes { 0, 8 } to { 0, 0 }.
+
+Fixes: d47317ca4ade1 ("clk: actions: Add S700 SoC clock support")
+Fixes: d85d20053e195 ("clk: actions: Add S900 SoC clock support")
+Signed-off-by: Jonathan Neuschäfer
+Reviewed-by: Manivannan Sadhasivam
+Link: https://lore.kernel.org/r/20220218000922.134857-2-j.neuschaefer@gmx.net
+Signed-off-by: Stephen Boyd
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/actions/owl-s700.c | 1 +
+ drivers/clk/actions/owl-s900.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/clk/actions/owl-s700.c b/drivers/clk/actions/owl-s700.c
+index 5e9531392ee5..aa76b0c10373 100644
+--- a/drivers/clk/actions/owl-s700.c
++++ b/drivers/clk/actions/owl-s700.c
+@@ -160,6 +160,7 @@ static struct clk_div_table hdmia_div_table[] = {
+
+ static struct clk_div_table rmii_div_table[] = {
+ {0, 4}, {1, 10},
++ {0, 0}
+ };
+
+ /* divider clocks */
+diff --git a/drivers/clk/actions/owl-s900.c b/drivers/clk/actions/owl-s900.c
+index 7f60ed6afe63..460b33fc6c54 100644
+--- a/drivers/clk/actions/owl-s900.c
++++ b/drivers/clk/actions/owl-s900.c
+@@ -138,7 +138,7 @@ static struct clk_div_table rmii_ref_div_table[] = {
+
+ static struct clk_div_table usb3_mac_div_table[] = {
+ { 1, 2 }, { 2, 3 }, { 3, 4 },
+- { 0, 8 },
++ { 0, 0 }
+ };
+
+ static struct clk_div_table i2s_div_table[] = {
+--
+2.34.1
+
diff --git a/queue-4.19/clk-clps711x-terminate-clk_div_table-with-sentinel-e.patch b/queue-4.19/clk-clps711x-terminate-clk_div_table-with-sentinel-e.patch
new file mode 100644
index 00000000000..5054dde2cf7
--- /dev/null
+++ b/queue-4.19/clk-clps711x-terminate-clk_div_table-with-sentinel-e.patch
@@ -0,0 +1,45 @@
+From c4d5615f4cb1c06f6251805d778cb73264f11ce4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 18 Feb 2022 01:09:20 +0100
+Subject: clk: clps711x: Terminate clk_div_table with sentinel element
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonathan Neuschäfer
+
+[ Upstream commit 8bed4ed5aa3431085d9d27afc35d684856460eda ]
+
+In order that the end of a clk_div_table can be detected, it must be
+terminated with a sentinel element (.div = 0).
+
+Fixes: 631c53478973d ("clk: Add CLPS711X clk driver")
+Signed-off-by: Jonathan Neuschäfer
+Link: https://lore.kernel.org/r/20220218000922.134857-5-j.neuschaefer@gmx.net
+Signed-off-by: Stephen Boyd
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/clk-clps711x.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/clk/clk-clps711x.c b/drivers/clk/clk-clps711x.c
+index 2c04396402ab..50b42e91a137 100644
+--- a/drivers/clk/clk-clps711x.c
++++ b/drivers/clk/clk-clps711x.c
+@@ -32,11 +32,13 @@ static const struct clk_div_table spi_div_table[] = {
+ { .val = 1, .div = 8, },
+ { .val = 2, .div = 2, },
+ { .val = 3, .div = 1, },
++ { /* sentinel */ }
+ };
+
+ static const struct clk_div_table timer_div_table[] = {
+ { .val = 0, .div = 256, },
+ { .val = 1, .div = 1, },
++ { /* sentinel */ }
+ };
+
+ struct clps711x_clk {
+--
+2.34.1
+
diff --git a/queue-4.19/clk-loongson1-terminate-clk_div_table-with-sentinel-.patch b/queue-4.19/clk-loongson1-terminate-clk_div_table-with-sentinel-.patch
new file mode 100644
index 00000000000..faf572f1cb9
--- /dev/null
+++ b/queue-4.19/clk-loongson1-terminate-clk_div_table-with-sentinel-.patch
@@ -0,0 +1,40 @@
+From 0bb73308e48ae59b79f49eed0d8990cb5ac4a200 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 18 Feb 2022 01:09:18 +0100
+Subject: clk: loongson1: Terminate clk_div_table with sentinel element
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonathan Neuschäfer
+
+[ Upstream commit 3eb00f89162e80083dfcaa842468b510462cfeaa ]
+
+In order that the end of a clk_div_table can be detected, it must be
+terminated with a sentinel element (.div = 0).
+
+Fixes: b4626a7f4892 ("CLK: Add Loongson1C clock support")
+Signed-off-by: Jonathan Neuschäfer
+Reviewed-by: Philippe Mathieu-Daudé
+Link: https://lore.kernel.org/r/20220218000922.134857-3-j.neuschaefer@gmx.net
+Signed-off-by: Stephen Boyd
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/loongson1/clk-loongson1c.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clk/loongson1/clk-loongson1c.c b/drivers/clk/loongson1/clk-loongson1c.c
+index 3466f7320b40..e3aa502761a3 100644
+--- a/drivers/clk/loongson1/clk-loongson1c.c
++++ b/drivers/clk/loongson1/clk-loongson1c.c
+@@ -40,6 +40,7 @@ static const struct clk_div_table ahb_div_table[] = {
+ [1] = { .val = 1, .div = 4 },
+ [2] = { .val = 2, .div = 3 },
+ [3] = { .val = 3, .div = 3 },
++ [4] = { /* sentinel */ }
+ };
+
+ void __init ls1x_clk_init(void)
+--
+2.34.1
+
diff --git a/queue-4.19/clk-qcom-clk-rcg2-update-the-frac-table-for-pixel-cl.patch b/queue-4.19/clk-qcom-clk-rcg2-update-the-frac-table-for-pixel-cl.patch
new file mode 100644
index 00000000000..8ebfe198885
--- /dev/null
+++ b/queue-4.19/clk-qcom-clk-rcg2-update-the-frac-table-for-pixel-cl.patch
@@ -0,0 +1,37 @@
+From 74853d8312e3982b7be80678e49702ff2c4a4a83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 27 Feb 2022 23:25:36 +0530
+Subject: clk: qcom: clk-rcg2: Update the frac table for pixel clock
+
+From: Taniya Das
+
+[ Upstream commit b527358cb4cd58a8279c9062b0786f1fab628fdc ]
+
+Support the new numerator and denominator for pixel clock on SM8350 and
+support rgb101010, RGB888 use cases on SM8450.
+
+Fixes: 99cbd064b059f ("clk: qcom: Support display RCG clocks")
+Signed-off-by: Taniya Das
+Reviewed-by: Stephen Boyd
+Signed-off-by: Bjorn Andersson
+Link: https://lore.kernel.org/r/20220227175536.3131-2-tdas@codeaurora.org
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/qcom/clk-rcg2.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clk/qcom/clk-rcg2.c b/drivers/clk/qcom/clk-rcg2.c
+index f420f0c96877..04bd29d6aba1 100644
+--- a/drivers/clk/qcom/clk-rcg2.c
++++ b/drivers/clk/qcom/clk-rcg2.c
+@@ -625,6 +625,7 @@ static const struct frac_entry frac_table_pixel[] = {
+ { 2, 9 },
+ { 4, 9 },
+ { 1, 1 },
++ { 2, 3 },
+ { }
+ };
+
+--
+2.34.1
+
diff --git a/queue-4.19/clk-qcom-gcc-msm8994-fix-gpll4-width.patch b/queue-4.19/clk-qcom-gcc-msm8994-fix-gpll4-width.patch
new file mode 100644
index 00000000000..e8e245cb974
--- /dev/null
+++ b/queue-4.19/clk-qcom-gcc-msm8994-fix-gpll4-width.patch
@@ -0,0 +1,43 @@
+From d4893dd4feb9d59943193cee7e6556c29a7c535a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 19 Mar 2022 18:49:40 +0100
+Subject: clk: qcom: gcc-msm8994: Fix gpll4 width
+
+From: Konrad Dybcio
+
+[ Upstream commit 71021db1c532c2545ae53b9ee85b37b7154f51d4 ]
+
+The gpll4 postdiv is actually a div4, so make sure that Linux is aware of
+this.
+
+This fixes the following error messages:
+
+ mmc1: Card appears overclocked; req 200000000 Hz, actual 343999999 Hz
+ mmc1: Card appears overclocked; req 400000000 Hz, actual 687999999 Hz
+
+Fixes: aec89f78cf01 ("clk: qcom: Add support for msm8994 global clock controller")
+Signed-off-by: Konrad Dybcio
+Link: https://lore.kernel.org/r/20220319174940.341137-1-konrad.dybcio@somainline.org
+Tested-by: Petr Vorel
+Reviewed-by: Petr Vorel
+Signed-off-by: Stephen Boyd
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/qcom/gcc-msm8994.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clk/qcom/gcc-msm8994.c b/drivers/clk/qcom/gcc-msm8994.c
+index 53f0f369a33e..4ec481efedc8 100644
+--- a/drivers/clk/qcom/gcc-msm8994.c
++++ b/drivers/clk/qcom/gcc-msm8994.c
+@@ -115,6 +115,7 @@ static struct clk_alpha_pll gpll4_early = {
+
+ static struct clk_alpha_pll_postdiv gpll4 = {
+ .offset = 0x1dc0,
++ .width = 4,
+ .regs = clk_alpha_pll_regs[CLK_ALPHA_PLL_TYPE_DEFAULT],
+ .clkr.hw.init = &(struct clk_init_data)
+ {
+--
+2.34.1
+
diff --git a/queue-4.19/clk-qcom-ipq8074-use-floor-ops-for-sdcc1-clock.patch b/queue-4.19/clk-qcom-ipq8074-use-floor-ops-for-sdcc1-clock.patch
new file mode 100644
index 00000000000..4b7b8fe2840
--- /dev/null
+++ b/queue-4.19/clk-qcom-ipq8074-use-floor-ops-for-sdcc1-clock.patch
@@ -0,0 +1,49 @@
+From 8dc88824f552e71be810b0ab751e3e391cf85fbd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 10 Feb 2022 18:31:00 +0100
+Subject: clk: qcom: ipq8074: Use floor ops for SDCC1 clock
+
+From: Dirk Buchwalder
+
+[ Upstream commit b77d8306d84f83d1da68028a68c91da9c867b6f6 ]
+
+Use floor ops on SDCC1 APPS clock in order to round down selected clock
+frequency and avoid overclocking SD/eMMC cards.
+
+For example, currently HS200 cards were failling tuning as they were
+actually being clocked at 384MHz instead of 192MHz.
+This caused some boards to disable 1.8V I/O and force the eMMC into the
+standard HS mode (50MHz) and that appeared to work despite the eMMC being
+overclocked to 96Mhz in that case.
+
+There was a previous commit to use floor ops on SDCC clocks, but it looks
+to have only covered SDCC2 clock.
+
+Fixes: 9607f6224b39 ("clk: qcom: ipq8074: add PCIE, USB and SDCC clocks")
+
+Signed-off-by: Dirk Buchwalder
+Signed-off-by: Robert Marko
+Reviewed-by: Stephen Boyd
+Signed-off-by: Bjorn Andersson
+Link: https://lore.kernel.org/r/20220210173100.505128-1-robimarko@gmail.com
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/qcom/gcc-ipq8074.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/qcom/gcc-ipq8074.c b/drivers/clk/qcom/gcc-ipq8074.c
+index 505c6263141d..708c486a6e96 100644
+--- a/drivers/clk/qcom/gcc-ipq8074.c
++++ b/drivers/clk/qcom/gcc-ipq8074.c
+@@ -1082,7 +1082,7 @@ static struct clk_rcg2 sdcc1_apps_clk_src = {
+ .name = "sdcc1_apps_clk_src",
+ .parent_names = gcc_xo_gpll0_gpll2_gpll0_out_main_div2,
+ .num_parents = 4,
+- .ops = &clk_rcg2_ops,
++ .ops = &clk_rcg2_floor_ops,
+ },
+ };
+
+--
+2.34.1
+
diff --git a/queue-4.19/clk-tegra-tegra124-emc-fix-missing-put_device-call-i.patch b/queue-4.19/clk-tegra-tegra124-emc-fix-missing-put_device-call-i.patch
new file mode 100644
index 00000000000..24d5dd85d80
--- /dev/null
+++ b/queue-4.19/clk-tegra-tegra124-emc-fix-missing-put_device-call-i.patch
@@ -0,0 +1,39 @@
+From 1d8e1a798e3a6aaf2694e87d6a2cfe7ada102f1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 12 Jan 2022 10:45:01 +0000
+Subject: clk: tegra: tegra124-emc: Fix missing put_device() call in
+ emc_ensure_emc_driver
+
+From: Miaoqian Lin
+
+[ Upstream commit 6d6ef58c2470da85a99119f74d34216c8074b9f0 ]
+
+The reference taken by 'of_find_device_by_node()' must be released when
+not needed anymore.
+Add the corresponding 'put_device()' in the error handling path.
+
+Fixes: 2db04f16b589 ("clk: tegra: Add EMC clock driver")
+Signed-off-by: Miaoqian Lin
+Acked-by: Thierry Reding
+Link: https://lore.kernel.org/r/20220112104501.30655-1-linmq006@gmail.com
+Signed-off-by: Stephen Boyd
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/tegra/clk-emc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clk/tegra/clk-emc.c b/drivers/clk/tegra/clk-emc.c
+index 0621a3a82ea6..7aeace88be6e 100644
+--- a/drivers/clk/tegra/clk-emc.c
++++ b/drivers/clk/tegra/clk-emc.c
+@@ -190,6 +190,7 @@ static struct tegra_emc *emc_ensure_emc_driver(struct tegra_clk_emc *tegra)
+
+ tegra->emc = platform_get_drvdata(pdev);
+ if (!tegra->emc) {
++ put_device(&pdev->dev);
+ pr_err("%s: cannot find EMC driver\n", __func__);
+ return NULL;
+ }
+--
+2.34.1
+
diff --git a/queue-4.19/clocksource-acpi_pm-fix-return-value-of-__setup-hand.patch b/queue-4.19/clocksource-acpi_pm-fix-return-value-of-__setup-hand.patch
new file mode 100644
index 00000000000..fc49faaeae5
--- /dev/null
+++ b/queue-4.19/clocksource-acpi_pm-fix-return-value-of-__setup-hand.patch
@@ -0,0 +1,50 @@
+From 6b41a6fbb24a065004b57179a56be636a6e7bb7b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 17 Mar 2022 08:39:39 -0700
+Subject: clocksource: acpi_pm: fix return value of __setup handler
+
+From: Randy Dunlap
+
+[ Upstream commit 6a861abceecb68497dd82a324fee45a5332dcece ]
+
+__setup() handlers should return 1 to obsolete_checksetup() in
+init/main.c to indicate that the boot option has been handled.
+A return of 0 causes the boot option/value to be listed as an Unknown
+kernel parameter and added to init's (limited) environment strings.
+
+The __setup() handler interface isn't meant to handle negative return
+values -- they are non-zero, so they mean "handled" (like a return
+value of 1 does), but that's just a quirk. So return 1 from
+parse_pmtmr(). Also print a warning message if kstrtouint() returns
+an error.
+
+Fixes: 6b148507d3d0 ("pmtmr: allow command line override of ioport")
+Signed-off-by: Randy Dunlap
+Reported-by: Igor Zhbanov
+Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/clocksource/acpi_pm.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clocksource/acpi_pm.c b/drivers/clocksource/acpi_pm.c
+index 1961e3539b57..05cc8d4e49ad 100644
+--- a/drivers/clocksource/acpi_pm.c
++++ b/drivers/clocksource/acpi_pm.c
+@@ -230,8 +230,10 @@ static int __init parse_pmtmr(char *arg)
+ int ret;
+
+ ret = kstrtouint(arg, 16, &base);
+- if (ret)
+- return ret;
++ if (ret) {
++ pr_warn("PMTMR: invalid 'pmtmr=' value: '%s'\n", arg);
++ return 1;
++ }
+
+ pr_info("PMTMR IOPort override: 0x%04x -> 0x%04x\n", pmtmr_ioport,
+ base);
+--
+2.34.1
+
diff --git a/queue-4.19/clocksource-drivers-timer-of-check-return-value-of-o.patch b/queue-4.19/clocksource-drivers-timer-of-check-return-value-of-o.patch
new file mode 100644
index 00000000000..b7f8b10f9d5
--- /dev/null
+++ b/queue-4.19/clocksource-drivers-timer-of-check-return-value-of-o.patch
@@ -0,0 +1,45 @@
+From 157ad59ef8b875f76faa0b95e1fc38d6fa8c564d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 7 Mar 2022 18:26:56 +0100
+Subject: clocksource/drivers/timer-of: Check return value of of_iomap in
+ timer_of_base_init()
+
+From: Guillaume Ranquet
+
+[ Upstream commit 4467b8bad2401794fb89a0268c8c8257180bf60f ]
+
+of_base->base can either be iomapped using of_io_request_and_map() or
+of_iomap() depending whether or not an of_base->name has been set.
+
+Thus check of_base->base against NULL as of_iomap() does not return a
+PTR_ERR() in case of error.
+
+Fixes: 9aea417afa6b ("clocksource/drivers/timer-of: Don't request the resource by name")
+Signed-off-by: Guillaume Ranquet
+Link: https://lore.kernel.org/r/20220307172656.4836-1-granquet@baylibre.com
+Signed-off-by: Daniel Lezcano
+Signed-off-by: Sasha Levin
+---
+ drivers/clocksource/timer-of.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/clocksource/timer-of.c b/drivers/clocksource/timer-of.c
+index 6e2cb3693ed8..82bb0d39e8af 100644
+--- a/drivers/clocksource/timer-of.c
++++ b/drivers/clocksource/timer-of.c
+@@ -164,9 +164,9 @@ static __init int timer_of_base_init(struct device_node *np,
+ of_base->base = of_base->name ?
+ of_io_request_and_map(np, of_base->index, of_base->name) :
+ of_iomap(np, of_base->index);
+- if (IS_ERR(of_base->base)) {
+- pr_err("Failed to iomap (%s)\n", of_base->name);
+- return PTR_ERR(of_base->base);
++ if (IS_ERR_OR_NULL(of_base->base)) {
++ pr_err("Failed to iomap (%s:%s)\n", np->name, of_base->name);
++ return of_base->base ? PTR_ERR(of_base->base) : -ENOMEM;
+ }
+
+ return 0;
+--
+2.34.1
+
diff --git a/queue-4.19/crypto-authenc-fix-sleep-in-atomic-context-in-decryp.patch b/queue-4.19/crypto-authenc-fix-sleep-in-atomic-context-in-decryp.patch
new file mode 100644
index 00000000000..a87941299cf
--- /dev/null
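Review bot: The reworked `pr_err("Failed to iomap (%s:%s)\n", np->name, of_base->name)` in timer_of_base_init() passes a NULL `of_base->name` in the case this patch adds. Per the ternary just above it, `of_iomap()` is chosen only when `of_base->name` is not set, and the commit message says that is the call that fails with NULL rather than an error pointer. The message therefore loses its second field on that path; `of_base->name ? of_base->name : "unnamed"` as the last argument would keep it readable. The start of the function is outside the hunk.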
+++ b/queue-4.19/crypto-authenc-fix-sleep-in-atomic-context-in-decryp.patch
@@ -0,0 +1,42 @@
+From 6ab87d95357fb799b701d343c8e88d4a202a0ac0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jan 2022 17:58:40 +1100
+Subject: crypto: authenc - Fix sleep in atomic context in decrypt_tail
+
+From: Herbert Xu
+
+[ Upstream commit 66eae850333d639fc278d6f915c6fc01499ea893 ]
+
+The function crypto_authenc_decrypt_tail discards its flags
+argument and always relies on the flags from the original request
+when starting its sub-request.
+
+This is clearly wrong as it may cause the SLEEPABLE flag to be
+set when it shouldn't.
+
+Fixes: 92d95ba91772 ("crypto: authenc - Convert to new AEAD interface")
+Reported-by: Corentin Labbe
+Signed-off-by: Herbert Xu
+Tested-by: Corentin Labbe
+Signed-off-by: Herbert Xu
+Signed-off-by: Sasha Levin
+---
+ crypto/authenc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/authenc.c b/crypto/authenc.c
+index 3ee10fc25aff..02d4d8517449 100644
+--- a/crypto/authenc.c
++++ b/crypto/authenc.c
+@@ -268,7 +268,7 @@ static int crypto_authenc_decrypt_tail(struct aead_request *req,
+ dst = scatterwalk_ffwd(areq_ctx->dst, req->dst, req->assoclen);
+
+ skcipher_request_set_tfm(skreq, ctx->enc);
+- skcipher_request_set_callback(skreq, aead_request_flags(req),
++ skcipher_request_set_callback(skreq, flags,
+ req->base.complete, req->base.data);
+ skcipher_request_set_crypt(skreq, src, dst,
+ req->cryptlen - authsize, req->iv);
+--
+2.34.1
+
diff --git a/queue-4.19/crypto-ccp-ccp_dmaengine_unregister-release-dma-chan.patch b/queue-4.19/crypto-ccp-ccp_dmaengine_unregister-release-dma-chan.patch
new file mode 100644
index 00000000000..47c9b5262d5
--- /dev/null
+++ b/queue-4.19/crypto-ccp-ccp_dmaengine_unregister-release-dma-chan.patch
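Review bot: The switch to `flags` in crypto_authenc_decrypt_tail() carries no comment explaining why the request's own flags must not be reused, so a later cleanup could easily revert it. A one-line note above the call would keep the reason next to the code, for example `/* use the caller's flags, not aead_request_flags(req): the original request may be marked sleepable while this runs where sleeping is not allowed */`. The function starts and ends outside the hunk, so whether `flags` is documented at the signature cannot be seen here.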
@@ -0,0 +1,69 @@ +From 7a45f2e98873f9a11a85bd49967988779ee3adbd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Feb 2022 05:15:45 +0200 +Subject: crypto: ccp - ccp_dmaengine_unregister release dma channels +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dāvis Mosāns + +[ Upstream commit 54cce8ecb9254f971b40a72911c6da403720a2d2 ] + +ccp_dmaengine_register adds dma_chan->device_node to dma_dev->channels list +but ccp_dmaengine_unregister didn't remove them. +That can cause crashes in various dmaengine methods that tries to use dma_dev->channels + +Fixes: 58ea8abf4904 ("crypto: ccp - Register the CCP as a DMA...") +Signed-off-by: Dāvis Mosāns +Acked-by: John Allen +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/ccp/ccp-dmaengine.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/drivers/crypto/ccp/ccp-dmaengine.c b/drivers/crypto/ccp/ccp-dmaengine.c +index a83588d6ba72..8209273eb85b 100644 +--- a/drivers/crypto/ccp/ccp-dmaengine.c ++++ b/drivers/crypto/ccp/ccp-dmaengine.c +@@ -631,6 +631,20 @@ static int ccp_terminate_all(struct dma_chan *dma_chan) + return 0; + } + ++static void ccp_dma_release(struct ccp_device *ccp) ++{ ++ struct ccp_dma_chan *chan; ++ struct dma_chan *dma_chan; ++ unsigned int i; ++ ++ for (i = 0; i < ccp->cmd_q_count; i++) { ++ chan = ccp->ccp_dma_chan + i; ++ dma_chan = &chan->dma_chan; ++ tasklet_kill(&chan->cleanup_tasklet); ++ list_del_rcu(&dma_chan->device_node); ++ } ++} ++ + int ccp_dmaengine_register(struct ccp_device *ccp) + { + struct ccp_dma_chan *chan; +@@ -732,6 +746,7 @@ int ccp_dmaengine_register(struct ccp_device *ccp) + return 0; + + err_reg: ++ ccp_dma_release(ccp); + kmem_cache_destroy(ccp->dma_desc_cache); + + err_cache: +@@ -745,6 +760,7 @@ void ccp_dmaengine_unregister(struct ccp_device *ccp) + struct dma_device *dma_dev = &ccp->dma_dev; + + dma_async_device_unregister(dma_dev); ++ ccp_dma_release(ccp); + + 
kmem_cache_destroy(ccp->dma_desc_cache); + kmem_cache_destroy(ccp->dma_cmd_cache); +-- +2.34.1 + diff --git a/queue-4.19/crypto-mxs-dcp-fix-scatterlist-processing.patch b/queue-4.19/crypto-mxs-dcp-fix-scatterlist-processing.patch new file mode 100644 index 00000000000..d704c7acd58 --- /dev/null +++ b/queue-4.19/crypto-mxs-dcp-fix-scatterlist-processing.patch @@ -0,0 +1,35 @@ +From 8bc4d8b4450e49848ee32ce95a23cc164f7b5095 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 22 Jan 2022 18:07:53 +0100 +Subject: crypto: mxs-dcp - Fix scatterlist processing + +From: Tomas Paukrt + +[ Upstream commit 28e9b6d8199a3f124682b143800c2dacdc3d70dd ] + +This patch fixes a bug in scatterlist processing that may cause incorrect AES block encryption/decryption. + +Fixes: 2e6d793e1bf0 ("crypto: mxs-dcp - Use sg_mapping_iter to copy data") +Signed-off-by: Tomas Paukrt +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/mxs-dcp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/mxs-dcp.c b/drivers/crypto/mxs-dcp.c +index da834ae3586b..2da6f38e2bcb 100644 +--- a/drivers/crypto/mxs-dcp.c ++++ b/drivers/crypto/mxs-dcp.c +@@ -328,7 +328,7 @@ static int mxs_dcp_aes_block_crypt(struct crypto_async_request *arq) + memset(key + AES_KEYSIZE_128, 0, AES_KEYSIZE_128); + } + +- for_each_sg(req->src, src, sg_nents(src), i) { ++ for_each_sg(req->src, src, sg_nents(req->src), i) { + src_buf = sg_virt(src); + len = sg_dma_len(src); + tlen += len; +-- +2.34.1 + diff --git a/queue-4.19/crypto-vmx-add-missing-dependencies.patch b/queue-4.19/crypto-vmx-add-missing-dependencies.patch new file mode 100644 index 00000000000..efbadfa6607 --- /dev/null +++ b/queue-4.19/crypto-vmx-add-missing-dependencies.patch 
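Review bot: ccp_dma_release() has no comment stating its preconditions, and both call sites depend on them. It walks all `ccp->cmd_q_count` channels and calls `tasklet_kill()` and `list_del_rcu()` on each, which is only valid once every channel's tasklet and `device_node` have been set up and linked, and only once per channel. At `err_reg:` that holds only if the label cannot be reached before channel setup has finished, which cannot be checked here because the body of ccp_dmaengine_register() is outside the hunk. A header comment would make the contract explicit, e.g. `/* Unlink every channel from dma_dev->channels; call exactly once, after all channels have been added */`.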
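Review bot: In mxs_dcp_aes_block_crypt() the corrected `sg_nents(req->src)` is passed as the count argument of `for_each_sg()`, and if that macro re-evaluates the argument in its loop condition, as the kernel definition appears to, the scatterlist is re-walked on every iteration. Computing it once keeps the fix and avoids that: `nents = sg_nents(req->src);` before the loop and `for_each_sg(req->src, src, nents, i) {`, with `nents` as a new local. The function starts and ends outside the hunk.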
@@ -0,0 +1,62 @@ +From 63e400992e74403cff3c0081a5b41f34417bdc73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Feb 2022 16:11:15 +0100 +Subject: crypto: vmx - add missing dependencies + +From: Petr Vorel + +[ Upstream commit 647d41d3952d726d4ae49e853a9eff68ebad3b3f ] + +vmx-crypto module depends on CRYPTO_AES, CRYPTO_CBC, CRYPTO_CTR or +CRYPTO_XTS, thus add them. + +These dependencies are likely to be enabled, but if +CRYPTO_DEV_VMX=y && !CRYPTO_MANAGER_DISABLE_TESTS +and either of CRYPTO_AES, CRYPTO_CBC, CRYPTO_CTR or CRYPTO_XTS is built +as module or disabled, alg_test() from crypto/testmgr.c complains during +boot about failing to allocate the generic fallback implementations +(2 == ENOENT): + +[ 0.540953] Failed to allocate xts(aes) fallback: -2 +[ 0.541014] alg: skcipher: failed to allocate transform for p8_aes_xts: -2 +[ 0.541120] alg: self-tests for p8_aes_xts (xts(aes)) failed (rc=-2) +[ 0.544440] Failed to allocate ctr(aes) fallback: -2 +[ 0.544497] alg: skcipher: failed to allocate transform for p8_aes_ctr: -2 +[ 0.544603] alg: self-tests for p8_aes_ctr (ctr(aes)) failed (rc=-2) +[ 0.547992] Failed to allocate cbc(aes) fallback: -2 +[ 0.548052] alg: skcipher: failed to allocate transform for p8_aes_cbc: -2 +[ 0.548156] alg: self-tests for p8_aes_cbc (cbc(aes)) failed (rc=-2) +[ 0.550745] Failed to allocate transformation for 'aes': -2 +[ 0.550801] alg: cipher: Failed to load transform for p8_aes: -2 +[ 0.550892] alg: self-tests for p8_aes (aes) failed (rc=-2) + +Fixes: c07f5d3da643 ("crypto: vmx - Adding support for XTS") +Fixes: d2e3ae6f3aba ("crypto: vmx - Enabling VMX module for PPC64") + +Suggested-by: Nicolai Stange +Signed-off-by: Petr Vorel +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/vmx/Kconfig | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/crypto/vmx/Kconfig b/drivers/crypto/vmx/Kconfig +index c3d524ea6998..f39eeca87932 100644 +--- a/drivers/crypto/vmx/Kconfig ++++ 
b/drivers/crypto/vmx/Kconfig +@@ -1,7 +1,11 @@ + config CRYPTO_DEV_VMX_ENCRYPT + tristate "Encryption acceleration support on P8 CPU" + depends on CRYPTO_DEV_VMX ++ select CRYPTO_AES ++ select CRYPTO_CBC ++ select CRYPTO_CTR + select CRYPTO_GHASH ++ select CRYPTO_XTS + default m + help + Support for VMX cryptographic acceleration instructions on Power8 CPU. +-- +2.34.1 + diff --git a/queue-4.19/dm-crypt-fix-get_key_size-compiler-warning-if-config.patch b/queue-4.19/dm-crypt-fix-get_key_size-compiler-warning-if-config.patch new file mode 100644 index 00000000000..9494369f74b --- /dev/null +++ b/queue-4.19/dm-crypt-fix-get_key_size-compiler-warning-if-config.patch 
@@ -0,0 +1,40 @@
+From 02da2fd27b2f8777698b06c781dd9aa7c3442730 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 11 Feb 2022 12:15:38 +0000
+Subject: dm crypt: fix get_key_size compiler warning if !CONFIG_KEYS
+
+From: Aashish Sharma
+
+[ Upstream commit 6fc51504388c1a1a53db8faafe9fff78fccc7c87 ]
+
+Explicitly convert unsigned int in the right of the conditional
+expression to int to match the left side operand and the return type,
+fixing the following compiler warning:
+
+drivers/md/dm-crypt.c:2593:43: warning: signed and unsigned
+type in conditional expression [-Wsign-compare]
+
+Fixes: c538f6ec9f56 ("dm crypt: add ability to use keys from the kernel key retention service")
+Signed-off-by: Aashish Sharma
+Signed-off-by: Mike Snitzer
+Signed-off-by: Sasha Levin
+---
+ drivers/md/dm-crypt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c
+index a6a26f8e4d8e..3441ad140b58 100644
+--- a/drivers/md/dm-crypt.c
++++ b/drivers/md/dm-crypt.c
+@@ -2107,7 +2107,7 @@ static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string
+
+ static int get_key_size(char **key_string)
+ {
+- return (*key_string[0] == ':') ? -EINVAL : strlen(*key_string) >> 1;
++ return (*key_string[0] == ':') ? -EINVAL : (int)(strlen(*key_string) >> 1);
+ }
+
+ #endif
+--
+2.34.1
+
diff --git a/queue-4.19/dma-debug-fix-return-value-of-__setup-handlers.patch b/queue-4.19/dma-debug-fix-return-value-of-__setup-handlers.patch
new file mode 100644
index 00000000000..59da7949b62
--- /dev/null
+++ b/queue-4.19/dma-debug-fix-return-value-of-__setup-handlers.patch
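Review bot: The added `(int)` cast in get_key_size() silences -Wsign-compare but leaves the narrowing of the `strlen()` result unchecked, and the value returned is a key size. If the length of `*key_string` is bounded before this point the cast is harmless, but no such bound is visible in the hunk, so a short comment naming where the bound comes from would be worth adding. Separately, `*key_string[0]` parses as `*(key_string[0])`, which happens to be the intended first character; writing `(*key_string)[0]` would match the `strlen(*key_string)` on the same line and read unambiguously.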
@@ -0,0 +1,72 @@ +From 82f11adcb16a5c662275be83937e6aded941f5b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Feb 2022 14:04:53 -0800 +Subject: dma-debug: fix return value of __setup handlers + +From: Randy Dunlap + +[ Upstream commit 80e4390981618e290616dbd06ea190d4576f219d ] + +When valid kernel command line parameters + dma_debug=off dma_debug_entries=100 +are used, they are reported as Unknown parameters and added to init's +environment strings, polluting it. + + Unknown kernel command line parameters "BOOT_IMAGE=/boot/bzImage-517rc5 + dma_debug=off dma_debug_entries=100", will be passed to user space. + +and + + Run /sbin/init as init process + with arguments: + /sbin/init + with environment: + HOME=/ + TERM=linux + BOOT_IMAGE=/boot/bzImage-517rc5 + dma_debug=off + dma_debug_entries=100 + +Return 1 from these __setup handlers to indicate that the command line +option has been handled. + +Fixes: 59d3daafa1726 ("dma-debug: add kernel command line parameters") +Signed-off-by: Randy Dunlap +Reported-by: Igor Zhbanov +Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru +Cc: Joerg Roedel +Cc: Christoph Hellwig +Cc: Marek Szyprowski +Cc: iommu@lists.linux-foundation.org +Cc: Robin Murphy +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + kernel/dma/debug.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/dma/debug.c b/kernel/dma/debug.c +index 1c82b0d25498..9c9a5b12f92f 100644 +--- a/kernel/dma/debug.c ++++ b/kernel/dma/debug.c +@@ -1056,7 +1056,7 @@ static __init int dma_debug_cmdline(char *str) + global_disable = true; + } + +- return 0; ++ return 1; + } + + static __init int dma_debug_entries_cmdline(char *str) +@@ -1065,7 +1065,7 @@ static __init int dma_debug_entries_cmdline(char *str) + return -EINVAL; + if (!get_option(&str, &nr_prealloc_entries)) + nr_prealloc_entries = PREALLOC_DMA_DEBUG_ENTRIES; +- return 0; ++ return 1; + } + + __setup("dma_debug=", dma_debug_cmdline); 
+-- +2.34.1 + diff --git a/queue-4.19/drm-amd-display-fix-a-null-pointer-dereference-in-am.patch b/queue-4.19/drm-amd-display-fix-a-null-pointer-dereference-in-am.patch new file mode 100644 index 00000000000..2fa5612b07c --- /dev/null +++ b/queue-4.19/drm-amd-display-fix-a-null-pointer-dereference-in-am.patch 
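Review bot: dma_debug_entries_cmdline() still has `return -EINVAL;` on its first branch, directly above the lines this hunk changes, while the stated goal of the patch is that these __setup handlers return 1. A negative value is non-zero, so the __setup() caller treats it as handled anyway, but only as a side effect of the interface. Using `return 1;` there as well, optionally after a `pr_warn()`, would make the handler consistent with dma_debug_cmdline(). The condition guarding that return is outside the hunk.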
@@ -0,0 +1,49 @@
+From 5e537e23f8f8a949dc7e88db7ac4700a72f78793 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 25 Jan 2022 00:57:29 +0800
+Subject: drm/amd/display: Fix a NULL pointer dereference in
+ amdgpu_dm_connector_add_common_modes()
+
+From: Zhou Qingyang
+
+[ Upstream commit 588a70177df3b1777484267584ef38ab2ca899a2 ]
+
+In amdgpu_dm_connector_add_common_modes(), amdgpu_dm_create_common_mode()
+is assigned to mode and is passed to drm_mode_probed_add() directly after
+that. drm_mode_probed_add() passes &mode->head to list_add_tail(), and
+there is a dereference of it in list_add_tail() without recoveries, which
+could lead to NULL pointer dereference on failure of
+amdgpu_dm_create_common_mode().
+
+Fix this by adding a NULL check of mode.
+
+This bug was found by a static analyzer.
+
+Builds with 'make allyesconfig' show no new warnings,
+and our static analyzer no longer warns about this code.
+
+Fixes: e7b07ceef2a6 ("drm/amd/display: Merge amdgpu_dm_types and amdgpu_dm")
+Signed-off-by: Zhou Qingyang
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+index ed02bb6b2cd0..b2835cd41d3e 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -3593,6 +3593,9 @@ static void amdgpu_dm_connector_add_common_modes(struct drm_encoder *encoder,
+ mode = amdgpu_dm_create_common_mode(encoder,
+ common_modes[i].name, common_modes[i].w,
+ common_modes[i].h);
++ if (!mode)
++ continue;
++
+ drm_mode_probed_add(connector, mode);
+ amdgpu_dm_connector->num_modes++;
+ }
+--
+2.34.1
+
diff --git a/queue-4.19/drm-bridge-cdns-dsi-make-sure-to-to-create-proper-al.patch b/queue-4.19/drm-bridge-cdns-dsi-make-sure-to-to-create-proper-al.patch
new file mode 100644
index 00000000000..b8e5f1fbca6
--- /dev/null
+++ b/queue-4.19/drm-bridge-cdns-dsi-make-sure-to-to-create-proper-al.patch
@@ -0,0 +1,38 @@
+From d00e3884669a6d98d653380c112deec1f0c14545 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 21 Sep 2021 12:40:59 -0500
+Subject: drm/bridge: cdns-dsi: Make sure to to create proper aliases for dt
+
+From: Nishanth Menon
+
+[ Upstream commit ffb5c099aaa13ab7f73c29ea6ae26bce8d7575ae ]
+
+Add MODULE_DEVICE_TABLE to the device tree table to create required
+aliases needed for module to be loaded with device tree based platform.
+
+Fixes: e19233955d9e ("drm/bridge: Add Cadence DSI driver")
+Signed-off-by: Nishanth Menon
+Reviewed-by: Tomi Valkeinen
+Reviewed-by: Laurent Pinchart
+Signed-off-by: Tomi Valkeinen
+Link: https://patchwork.freedesktop.org/patch/msgid/20210921174059.17946-1-nm@ti.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/bridge/cdns-dsi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/bridge/cdns-dsi.c b/drivers/gpu/drm/bridge/cdns-dsi.c
+index ce9496d13986..0573c5250a41 100644
+--- a/drivers/gpu/drm/bridge/cdns-dsi.c
++++ b/drivers/gpu/drm/bridge/cdns-dsi.c
+@@ -1604,6 +1604,7 @@ static const struct of_device_id cdns_dsi_of_match[] = {
+ { .compatible = "cdns,dsi" },
+ { },
+ };
++MODULE_DEVICE_TABLE(of, cdns_dsi_of_match);
+
+ static struct platform_driver cdns_dsi_platform_driver = {
+ .probe = cdns_dsi_drm_probe,
+--
+2.34.1
+
diff --git a/queue-4.19/drm-bridge-fix-free-wrong-object-in-sii8620_init_rcp.patch b/queue-4.19/drm-bridge-fix-free-wrong-object-in-sii8620_init_rcp.patch
new file mode 100644
index 00000000000..0903dcc0bd6
--- /dev/null
+++ b/queue-4.19/drm-bridge-fix-free-wrong-object-in-sii8620_init_rcp.patch
@@ -0,0 +1,39 @@
+From 4535bb9ffa811481e9a2f60afb1038a7eb37d5d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 27 Dec 2021 09:25:22 +0000
+Subject: drm/bridge: Fix free wrong object in sii8620_init_rcp_input_dev
+
+From: Miaoqian Lin
+
+[ Upstream commit 7c442e76c06cb1bef16a6c523487438175584eea ]
+
+rc_dev is allocated by rc_allocate_device(), and doesn't assigned to
+ctx->rc_dev before calling rc_free_device(ctx->rc_dev).
+So it should call rc_free_device(rc_dev);
+
+Fixes: e25f1f7c94e1 ("drm/bridge/sii8620: add remote control support")
+Signed-off-by: Miaoqian Lin
+Reviewed-by: Robert Foss
+Signed-off-by: Robert Foss
+Link: https://patchwork.freedesktop.org/patch/msgid/20211227092522.21755-1-linmq006@gmail.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/bridge/sil-sii8620.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/bridge/sil-sii8620.c b/drivers/gpu/drm/bridge/sil-sii8620.c
+index 1ea2a1b0fe37..ea433bb189ca 100644
+--- a/drivers/gpu/drm/bridge/sil-sii8620.c
++++ b/drivers/gpu/drm/bridge/sil-sii8620.c
+@@ -2122,7 +2122,7 @@ static void sii8620_init_rcp_input_dev(struct sii8620 *ctx)
+ if (ret) {
+ dev_err(ctx->dev, "Failed to register RC device\n");
+ ctx->error = ret;
+- rc_free_device(ctx->rc_dev);
++ rc_free_device(rc_dev);
+ return;
+ }
+ ctx->rc_dev = rc_dev;
+--
+2.34.1
+
diff --git a/queue-4.19/drm-edid-don-t-clear-formats-if-using-deep-color.patch b/queue-4.19/drm-edid-don-t-clear-formats-if-using-deep-color.patch
new file mode 100644
index 00000000000..8e39972ee0d
--- /dev/null
+++ b/queue-4.19/drm-edid-don-t-clear-formats-if-using-deep-color.patch
@@ -0,0 +1,76 @@ +From 77581b26fca52768ba61b64392219aef50f86c5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jan 2022 16:16:11 +0100 +Subject: drm/edid: Don't clear formats if using deep color +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maxime Ripard + +[ Upstream commit 75478b3b393bcbdca4e6da76fe3a9f1a4133ec5d ] + +The current code, when parsing the EDID Deep Color depths, that the +YUV422 cannot be used, referring to the HDMI 1.3 Specification. + +This specification, in its section 6.2.4, indeed states: + + For each supported Deep Color mode, RGB 4:4:4 shall be supported and + optionally YCBCR 4:4:4 may be supported. + + YCBCR 4:2:2 is not permitted for any Deep Color mode. + +This indeed can be interpreted like the code does, but the HDMI 1.4 +specification further clarifies that statement in its section 6.2.4: + + For each supported Deep Color mode, RGB 4:4:4 shall be supported and + optionally YCBCR 4:4:4 may be supported. + + YCBCR 4:2:2 is also 36-bit mode but does not require the further use + of the Deep Color modes described in section 6.5.2 and 6.5.3. + +This means that, even though YUV422 can be used with 12 bit per color, +it shouldn't be treated as a deep color mode. + +This is also broken with YUV444 if it's supported by the display, but +DRM_EDID_HDMI_DC_Y444 isn't set. In such a case, the code will clear +color_formats of the YUV444 support set previously in +drm_parse_cea_ext(), but will not set it back. 
+ +Since the formats supported are already setup properly in +drm_parse_cea_ext(), let's just remove the code modifying the formats in +drm_parse_hdmi_deep_color_info() + +Fixes: d0c94692e0a3 ("drm/edid: Parse and handle HDMI deep color modes.") +Signed-off-by: Maxime Ripard +Reviewed-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20220120151625.594595-3-maxime@cerno.tech +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_edid.c | 8 -------- + 1 file changed, 8 deletions(-) + +diff --git a/drivers/gpu/drm/drm_edid.c b/drivers/gpu/drm/drm_edid.c +index 5c049483de23..3df7c2bf675e 100644 +--- a/drivers/gpu/drm/drm_edid.c ++++ b/drivers/gpu/drm/drm_edid.c +@@ -4501,16 +4501,8 @@ static void drm_parse_hdmi_deep_color_info(struct drm_connector *connector, + connector->name, dc_bpc); + info->bpc = dc_bpc; + +- /* +- * Deep color support mandates RGB444 support for all video +- * modes and forbids YCRCB422 support for all video modes per +- * HDMI 1.3 spec. +- */ +- info->color_formats = DRM_COLOR_FORMAT_RGB444; +- + /* YCRCB444 is optional according to spec. */ + if (hdmi[6] & DRM_EDID_HDMI_DC_Y444) { +- info->color_formats |= DRM_COLOR_FORMAT_YCRCB444; + DRM_DEBUG("%s: HDMI sink does YCRCB444 in deep color.\n", + connector->name); + } +-- +2.34.1 + diff --git a/queue-4.19/drm-tegra-fix-reference-leak-in-tegra_dsi_ganged_pro.patch b/queue-4.19/drm-tegra-fix-reference-leak-in-tegra_dsi_ganged_pro.patch new file mode 100644 index 00000000000..6de3042113a --- /dev/null +++ b/queue-4.19/drm-tegra-fix-reference-leak-in-tegra_dsi_ganged_pro.patch 
@@ -0,0 +1,39 @@
+From 55103434d6f90244d876502f4b663f14eb7bc81f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 10 Jan 2022 06:53:16 +0000
+Subject: drm/tegra: Fix reference leak in tegra_dsi_ganged_probe
+
+From: Miaoqian Lin
+
+[ Upstream commit 221e3638feb8bc42143833c9a704fa89b6c366bb ]
+
+The reference taken by 'of_find_device_by_node()' must be released when
+not needed anymore. Add put_device() call to fix this.
+
+Fixes: e94236cde4d5 ("drm/tegra: dsi: Add ganged mode support")
+Signed-off-by: Miaoqian Lin
+Signed-off-by: Thierry Reding
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/tegra/dsi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/tegra/dsi.c b/drivers/gpu/drm/tegra/dsi.c
+index ee6ca8fa1c65..e2903bf7821b 100644
+--- a/drivers/gpu/drm/tegra/dsi.c
++++ b/drivers/gpu/drm/tegra/dsi.c
+@@ -1456,8 +1456,10 @@ static int tegra_dsi_ganged_probe(struct tegra_dsi *dsi)
+ dsi->slave = platform_get_drvdata(gangster);
+ of_node_put(np);
+
+- if (!dsi->slave)
++ if (!dsi->slave) {
++ put_device(&gangster->dev);
+ return -EPROBE_DEFER;
++ }
+
+ dsi->slave->master = dsi;
+ }
+--
+2.34.1
+
diff --git a/queue-4.19/ext2-correct-max-file-size-computing.patch b/queue-4.19/ext2-correct-max-file-size-computing.patch
new file mode 100644
index 00000000000..4dcbb2fe066
--- /dev/null
+++ b/queue-4.19/ext2-correct-max-file-size-computing.patch
@@ -0,0 +1,58 @@ +From 141ce7f07dae6dc8dadda677d82f4cf050642700 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Feb 2022 13:05:32 +0800 +Subject: ext2: correct max file size computing + +From: Zhang Yi + +[ Upstream commit 50b3a818991074177a56c87124c7a7bdf5fa4f67 ] + +We need to calculate the max file size accurately if the total blocks +that can address by block tree exceed the upper_limit. But this check is +not correct now, it only compute the total data blocks but missing +metadata blocks are needed. So in the case of "data blocks < upper_limit +&& total blocks > upper_limit", we will get wrong result. Fortunately, +this case could not happen in reality, but it's confused and better to +correct the computing. + + bits data blocks metadatablocks upper_limit + 10 16843020 66051 2147483647 + 11 134480396 263171 1073741823 + 12 1074791436 1050627 536870911 (*) + 13 8594130956 4198403 268435455 (*) + 14 68736258060 16785411 134217727 (*) + 15 549822930956 67125251 67108863 (*) + 16 4398314962956 268468227 33554431 (*) + + [*] Need to calculate in depth. + +Fixes: 1c2d14212b15 ("ext2: Fix underflow in ext2_max_size()") +Link: https://lore.kernel.org/r/20220212050532.179055-1-yi.zhang@huawei.com +Signed-off-by: Zhang Yi +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/ext2/super.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/ext2/super.c b/fs/ext2/super.c +index 80a3038e0e46..ad9fd08f66ba 100644 +--- a/fs/ext2/super.c ++++ b/fs/ext2/super.c +@@ -780,8 +780,12 @@ static loff_t ext2_max_size(int bits) + res += 1LL << (bits-2); + res += 1LL << (2*(bits-2)); + res += 1LL << (3*(bits-2)); ++ /* Compute how many metadata blocks are needed */ ++ meta_blocks = 1; ++ meta_blocks += 1 + ppb; ++ meta_blocks += 1 + ppb + ppb * ppb; + /* Does block tree limit file size? */ +- if (res < upper_limit) ++ if (res + meta_blocks <= upper_limit) + goto check_lfs; + + res = upper_limit; +-- +2.34.1 + 
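Review bot: The added comment `/* Compute how many metadata blocks are needed */` in ext2_max_size() does not say what the three `meta_blocks` terms stand for, and they are easy to misread next to the three `res +=` lines above them. Spelling it out would help, e.g. `/* 1 indirect block; 1 + ppb for the double-indirect tree; 1 + ppb + ppb * ppb for the triple-indirect tree */`, assuming `ppb` is the number of block pointers per block (its definition is outside the hunk). The comparison also changed from `<` to `<=`, which the commit message does not mention; a few words on why equality is now accepted belong in the same comment.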
diff --git a/queue-4.19/ext4-don-t-bug-if-someone-dirty-pages-without-asking.patch b/queue-4.19/ext4-don-t-bug-if-someone-dirty-pages-without-asking.patch new file mode 100644 index 00000000000..7319bfb0b83 --- /dev/null +++ b/queue-4.19/ext4-don-t-bug-if-someone-dirty-pages-without-asking.patch 
@@ -0,0 +1,84 @@ +From d0f6e340f119499b3627aff6695a24d60e37c03e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Mar 2022 09:38:47 -0500 +Subject: ext4: don't BUG if someone dirty pages without asking ext4 first + +From: Theodore Ts'o + +[ Upstream commit cc5095747edfb054ca2068d01af20be3fcc3634f ] + +[un]pin_user_pages_remote is dirtying pages without properly warning +the file system in advance. A related race was noted by Jan Kara in +2018[1]; however, more recently instead of it being a very hard-to-hit +race, it could be reliably triggered by process_vm_writev(2) which was +discovered by Syzbot[2]. + +This is technically a bug in mm/gup.c, but arguably ext4 is fragile in +that if some other kernel subsystem dirty pages without properly +notifying the file system using page_mkwrite(), ext4 will BUG, while +other file systems will not BUG (although data will still be lost). + +So instead of crashing with a BUG, issue a warning (since there may be +potential data loss) and just mark the page as clean to avoid +unprivileged denial of service attacks until the problem can be +properly fixed. More discussion and background can be found in the +thread starting at [2]. 
+ +[1] https://lore.kernel.org/linux-mm/20180103100430.GE4911@quack2.suse.cz +[2] https://lore.kernel.org/r/Yg0m6IjcNmfaSokM@google.com + +Reported-by: syzbot+d59332e2db681cf18f0318a06e994ebbb529a8db@syzkaller.appspotmail.com +Reported-by: Lee Jones +Signed-off-by: Theodore Ts'o +Link: https://lore.kernel.org/r/YiDS9wVfq4mM2jGK@mit.edu +Signed-off-by: Sasha Levin +--- + fs/ext4/inode.c | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index 7959aae4857e..96cf0f57ca95 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -2148,6 +2148,15 @@ static int ext4_writepage(struct page *page, + else + len = PAGE_SIZE; + ++ /* Should never happen but for bugs in other kernel subsystems */ ++ if (!page_has_buffers(page)) { ++ ext4_warning_inode(inode, ++ "page %lu does not have buffers attached", page->index); ++ ClearPageDirty(page); ++ unlock_page(page); ++ return 0; ++ } ++ + page_bufs = page_buffers(page); + /* + * We cannot do block allocation or other extent handling in this +@@ -2697,6 +2706,22 @@ static int mpage_prepare_extent_to_map(struct mpage_da_data *mpd) + wait_on_page_writeback(page); + BUG_ON(PageWriteback(page)); + ++ /* ++ * Should never happen but for buggy code in ++ * other subsystems that call ++ * set_page_dirty() without properly warning ++ * the file system first. See [1] for more ++ * information. ++ * ++ * [1] https://lore.kernel.org/linux-mm/20180103100430.GE4911@quack2.suse.cz ++ */ ++ if (!page_has_buffers(page)) { ++ ext4_warning_inode(mpd->inode, "page %lu does not have buffers attached", page->index); ++ ClearPageDirty(page); ++ unlock_page(page); ++ continue; ++ } ++ + if (mpd->map.m_len == 0) + mpd->first_page = page->index; + mpd->next_page = page->index + 1; +-- +2.34.1 + 
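Review bot: In ext4_writepage() the new `!page_has_buffers(page)` branch clears the dirty bit and returns 0, so writeback is told the page was handled although its contents are discarded, and the comment above it says only that this should never happen. The commit message states the data-loss trade-off but the code does not; a comment such as `/* Page was dirtied behind ext4's back: warn and drop it rather than BUG; its data is lost */` on this branch and on the matching one in mpage_prepare_extent_to_map() would keep that visible. Since the commit message treats the condition as an unprivileged denial-of-service vector, it is also worth confirming that ext4_warning_inode() is rate limited in this tree, so the new path cannot flood the log. Both functions start and end outside their hunks.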
diff --git a/queue-4.19/fix-incorrect-type-in-assignment-of-ipv6-port-for-au.patch b/queue-4.19/fix-incorrect-type-in-assignment-of-ipv6-port-for-au.patch
new file mode 100644
index 00000000000..f9c2c78b641
--- /dev/null
+++ b/queue-4.19/fix-incorrect-type-in-assignment-of-ipv6-port-for-au.patch
@@ -0,0 +1,35 @@
+From 1f0c0984eee16d3addfe89f323df270dcab58cb5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 28 Feb 2022 15:45:32 -0800
+Subject: Fix incorrect type in assignment of ipv6 port for audit
+
+From: Casey Schaufler
+
+[ Upstream commit a5cd1ab7ab679d252a6d2f483eee7d45ebf2040c ]
+
+Remove inappropriate use of ntohs() and assign the
+port value directly.
+
+Reported-by: kernel test robot
+Signed-off-by: Casey Schaufler
+Signed-off-by: Sasha Levin
+---
+ security/smack/smack_lsm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index 221de4c755c3..4f65d953fe31 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -2586,7 +2586,7 @@ static int smk_ipv6_check(struct smack_known *subject,
+ #ifdef CONFIG_AUDIT
+ smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
+ ad.a.u.net->family = PF_INET6;
+- ad.a.u.net->dport = ntohs(address->sin6_port);
++ ad.a.u.net->dport = address->sin6_port;
+ if (act == SMK_RECEIVING)
+ ad.a.u.net->v6info.saddr = address->sin6_addr;
+ else
+--
+2.34.1
+
diff --git a/queue-4.19/hid-i2c-hid-fix-get-set_report-for-unnumbered-report.patch b/queue-4.19/hid-i2c-hid-fix-get-set_report-for-unnumbered-report.patch
new file mode 100644
index 00000000000..e59267e7aac
--- /dev/null
+++ b/queue-4.19/hid-i2c-hid-fix-get-set_report-for-unnumbered-report.patch
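Review bot: The new assignment `ad.a.u.net->dport = address->sin6_port;` in smk_ipv6_check() stores the port without conversion, and nothing next to it says which byte order `dport` expects, which is how the `ntohs()` got there in the first place. A short comment such as `/* dport is kept in network byte order, same as sin6_port */` would document it, assuming the field is declared big-endian as the commit subject implies. The function starts and ends outside the hunk.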
@@ -0,0 +1,91 @@ +From 5044f69bee2edc7c4a17be514c3044a4f6758fc4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jan 2022 23:26:18 -0800 +Subject: HID: i2c-hid: fix GET/SET_REPORT for unnumbered reports + +From: Dmitry Torokhov + +[ Upstream commit a5e5e03e94764148a01757b2fa4737d3445c13a6 ] + +Internally kernel prepends all report buffers, for both numbered and +unnumbered reports, with report ID, therefore to properly handle unnumbered +reports we should prepend it ourselves. + +For the same reason we should skip the first byte of the buffer when +calling i2c_hid_set_or_send_report() which then will take care of properly +formatting the transfer buffer based on its separate report ID argument +along with report payload. + +[jkosina@suse.cz: finalize trimmed sentence in changelog as spotted by Benjamin] +Fixes: 9b5a9ae88573 ("HID: i2c-hid: implement ll_driver transport-layer callbacks") +Signed-off-by: Dmitry Torokhov +Tested-by: Benjamin Tissoires +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/i2c-hid/i2c-hid-core.c | 32 ++++++++++++++++++++++-------- + 1 file changed, 24 insertions(+), 8 deletions(-) + +diff --git a/drivers/hid/i2c-hid/i2c-hid-core.c b/drivers/hid/i2c-hid/i2c-hid-core.c +index 19f4b807a5d1..f5dc3122aff8 100644 +--- a/drivers/hid/i2c-hid/i2c-hid-core.c ++++ b/drivers/hid/i2c-hid/i2c-hid-core.c +@@ -632,6 +632,17 @@ static int i2c_hid_get_raw_report(struct hid_device *hid, + if (report_type == HID_OUTPUT_REPORT) + return -EINVAL; + ++ /* ++ * In case of unnumbered reports the response from the device will ++ * not have the report ID that the upper layers expect, so we need ++ * to stash it the buffer ourselves and adjust the data size. 
++ */ ++ if (!report_number) { ++ buf[0] = 0; ++ buf++; ++ count--; ++ } ++ + /* +2 bytes to include the size of the reply in the query buffer */ + ask_count = min(count + 2, (size_t)ihid->bufsize); + +@@ -653,6 +664,9 @@ static int i2c_hid_get_raw_report(struct hid_device *hid, + count = min(count, ret_count - 2); + memcpy(buf, ihid->rawbuf + 2, count); + ++ if (!report_number) ++ count++; ++ + return count; + } + +@@ -669,17 +683,19 @@ static int i2c_hid_output_raw_report(struct hid_device *hid, __u8 *buf, + + mutex_lock(&ihid->reset_lock); + +- if (report_id) { +- buf++; +- count--; +- } +- ++ /* ++ * Note that both numbered and unnumbered reports passed here ++ * are supposed to have report ID stored in the 1st byte of the ++ * buffer, so we strip it off unconditionally before passing payload ++ * to i2c_hid_set_or_send_report which takes care of encoding ++ * everything properly. ++ */ + ret = i2c_hid_set_or_send_report(client, + report_type == HID_FEATURE_REPORT ? 0x03 : 0x02, +- report_id, buf, count, use_data); ++ report_id, buf + 1, count - 1, use_data); + +- if (report_id && ret >= 0) +- ret++; /* add report_id to the number of transfered bytes */ ++ if (ret >= 0) ++ ret++; /* add report_id to the number of transferred bytes */ + + mutex_unlock(&ihid->reset_lock); + +-- +2.34.1 + diff --git a/queue-4.19/hv_balloon-rate-limit-unhandled-message-warning.patch b/queue-4.19/hv_balloon-rate-limit-unhandled-message-warning.patch new file mode 100644 index 00000000000..1603fbf90ae --- /dev/null +++ b/queue-4.19/hv_balloon-rate-limit-unhandled-message-warning.patch 
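Review bot: Both rewritten paths adjust the length without first checking that it is non-zero: the unnumbered branch in i2c_hid_get_raw_report() writes `buf[0] = 0` and then does `count--`, and i2c_hid_output_raw_report() now passes `buf + 1, count - 1` unconditionally. In the first function `count` is compared against a `size_t`, so a zero-length request would wrap to a very large value and the `buf[0]` store would land outside the caller's buffer; the same wrap applies to `count - 1` if `count` is unsigned there too. The HID core may already reject such lengths before these callbacks run, but that is not visible here, so a local guard such as `if (!count) return -EINVAL;` before the adjustment (and before `mutex_lock()` in the output path) would make the bound explicit. Both function bodies extend beyond the hunks shown.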
@@ -0,0 +1,51 @@
+From b643a5361b98cd757bcc0451c1c32fbb319600f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 22 Feb 2022 16:14:00 +0200
+Subject: hv_balloon: rate-limit "Unhandled message" warning
+
+From: Anssi Hannula
+
+[ Upstream commit 1d7286729aa616772be334eb908e11f527e1e291 ]
+
+For a couple of times I have encountered a situation where
+
+ hv_balloon: Unhandled message: type: 12447
+
+is being flooded over 1 million times per second with various values,
+filling the log and consuming cycles, making debugging difficult.
+
+Add rate limiting to the message.
+
+Most other Hyper-V drivers already have similar rate limiting in their
+message callbacks.
+
+The cause of the floods in my case was probably fixed by 96d9d1fa5cd5
+("Drivers: hv: balloon: account for vmbus packet header in
+max_pkt_size").
+
+Fixes: 9aa8b50b2b3d ("Drivers: hv: Add Hyper-V balloon driver")
+Signed-off-by: Anssi Hannula
+Reviewed-by: Michael Kelley
+Link: https://lore.kernel.org/r/20220222141400.98160-1-anssi.hannula@bitwise.fi
+Signed-off-by: Wei Liu
+Signed-off-by: Sasha Levin
+---
+ drivers/hv/hv_balloon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hv/hv_balloon.c b/drivers/hv/hv_balloon.c
+index e5fc719a34e7..d442a8d2332e 100644
+--- a/drivers/hv/hv_balloon.c
++++ b/drivers/hv/hv_balloon.c
+@@ -1548,7 +1548,7 @@ static void balloon_onchannelcallback(void *context)
+ break;
+
+ default:
+- pr_warn("Unhandled message: type: %d\n", dm_hdr->type);
++ pr_warn_ratelimited("Unhandled message: type: %d\n", dm_hdr->type);
+
+ }
+ }
+--
+2.34.1
+
diff --git a/queue-4.19/hwmon-pmbus-add-mutex-to-regulator-ops.patch b/queue-4.19/hwmon-pmbus-add-mutex-to-regulator-ops.patch
new file mode 100644
index 00000000000..0a74ae19e73
--- /dev/null
+++ b/queue-4.19/hwmon-pmbus-add-mutex-to-regulator-ops.patch
@@ -0,0 +1,71 @@ +From 248d64cf5473ddecde28e762a1a745b856dd77c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Feb 2022 17:06:09 +0100 +Subject: hwmon: (pmbus) Add mutex to regulator ops + +From: Patrick Rudolph + +[ Upstream commit 686d303ee6301261b422ea51e64833d7909a2c36 ] + +On PMBUS devices with multiple pages, the regulator ops need to be +protected with the update mutex. This prevents accidentally changing +the page in a separate thread while operating on the PMBUS_OPERATION +register. + +Tested on Infineon xdpe11280 while a separate thread polls for sensor +data. + +Signed-off-by: Patrick Rudolph +Signed-off-by: Marcello Sylvester Bauer +Link: https://lore.kernel.org/r/b991506bcbf665f7af185945f70bf9d5cf04637c.1645804976.git.sylv@sylv.io +Fixes: ddbb4db4ced1b ("hwmon: (pmbus) Add regulator support") +Cc: Alan Tull +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/pmbus/pmbus_core.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/drivers/hwmon/pmbus/pmbus_core.c b/drivers/hwmon/pmbus/pmbus_core.c +index cd24b375df1e..d822aeab333d 100644 +--- a/drivers/hwmon/pmbus/pmbus_core.c ++++ b/drivers/hwmon/pmbus/pmbus_core.c +@@ -2074,10 +2074,14 @@ static int pmbus_regulator_is_enabled(struct regulator_dev *rdev) + { + struct device *dev = rdev_get_dev(rdev); + struct i2c_client *client = to_i2c_client(dev->parent); ++ struct pmbus_data *data = i2c_get_clientdata(client); + u8 page = rdev_get_id(rdev); + int ret; + ++ mutex_lock(&data->update_lock); + ret = pmbus_read_byte_data(client, page, PMBUS_OPERATION); ++ mutex_unlock(&data->update_lock); ++ + if (ret < 0) + return ret; + +@@ -2088,11 +2092,17 @@ static int _pmbus_regulator_on_off(struct regulator_dev *rdev, bool enable) + { + struct device *dev = rdev_get_dev(rdev); + struct i2c_client *client = to_i2c_client(dev->parent); ++ struct pmbus_data *data = i2c_get_clientdata(client); + u8 page = rdev_get_id(rdev); ++ int ret; + +- 
return pmbus_update_byte_data(client, page, PMBUS_OPERATION, +- PB_OPERATION_CONTROL_ON, +- enable ? PB_OPERATION_CONTROL_ON : 0); ++ mutex_lock(&data->update_lock); ++ ret = pmbus_update_byte_data(client, page, PMBUS_OPERATION, ++ PB_OPERATION_CONTROL_ON, ++ enable ? PB_OPERATION_CONTROL_ON : 0); ++ mutex_unlock(&data->update_lock); ++ ++ return ret; + } + + static int pmbus_regulator_enable(struct regulator_dev *rdev) +-- +2.34.1 + diff --git a/queue-4.19/hwmon-pmbus-add-vin-unit-off-handling.patch b/queue-4.19/hwmon-pmbus-add-vin-unit-off-handling.patch new file mode 100644 index 00000000000..7d80d21c7d3 --- /dev/null +++ b/queue-4.19/hwmon-pmbus-add-vin-unit-off-handling.patch 
@@ -0,0 +1,61 @@ +From 43793c859e0cc3b95a368dce8b2a69ae9bcacf51 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Mar 2022 23:21:23 +0000 +Subject: hwmon: (pmbus) Add Vin unit off handling + +From: Brandon Wyman + +[ Upstream commit a5436af598779219b375c1977555c82def1c35d0 ] + +If there is an input undervoltage fault, reported in STATUS_INPUT +command response, there is quite likely a "Unit Off For Insufficient +Input Voltage" condition as well. + +Add a constant for bit 3 of STATUS_INPUT. Update the Vin limit +attributes to include both bits in the mask for clearing faults. + +If an input undervoltage fault occurs, causing a unit off for +insufficient input voltage, but the unit is off bit is not cleared, the +STATUS_WORD will not be updated to clear the input fault condition. +Including the unit is off bit (bit 3) allows for the input fault +condition to completely clear. + +Signed-off-by: Brandon Wyman +Link: https://lore.kernel.org/r/20220317232123.2103592-1-bjwyman@gmail.com +Fixes: b4ce237b7f7d3 ("hwmon: (pmbus) Introduce infrastructure to detect sensors and limit registers") +[groeck: Dropped unnecessary ()] +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/pmbus/pmbus.h | 1 + + drivers/hwmon/pmbus/pmbus_core.c | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/hwmon/pmbus/pmbus.h b/drivers/hwmon/pmbus/pmbus.h +index 1d24397d36ec..9d731de852c6 100644 +--- a/drivers/hwmon/pmbus/pmbus.h ++++ b/drivers/hwmon/pmbus/pmbus.h +@@ -291,6 +291,7 @@ enum pmbus_fan_mode { percent = 0, rpm }; + /* + * STATUS_VOUT, STATUS_INPUT + */ ++#define PB_VOLTAGE_VIN_OFF BIT(3) + #define PB_VOLTAGE_UV_FAULT BIT(4) + #define PB_VOLTAGE_UV_WARNING BIT(5) + #define PB_VOLTAGE_OV_WARNING BIT(6) +diff --git a/drivers/hwmon/pmbus/pmbus_core.c b/drivers/hwmon/pmbus/pmbus_core.c +index d822aeab333d..bef28e955953 100644 +--- a/drivers/hwmon/pmbus/pmbus_core.c ++++ b/drivers/hwmon/pmbus/pmbus_core.c +@@ -1337,7 +1337,7 @@ 
static const struct pmbus_limit_attr vin_limit_attrs[] = { + .reg = PMBUS_VIN_UV_FAULT_LIMIT, + .attr = "lcrit", + .alarm = "lcrit_alarm", +- .sbit = PB_VOLTAGE_UV_FAULT, ++ .sbit = PB_VOLTAGE_UV_FAULT | PB_VOLTAGE_VIN_OFF, + }, { + .reg = PMBUS_VIN_OV_WARN_LIMIT, + .attr = "max", +-- +2.34.1 + diff --git a/queue-4.19/hwmon-sch56xx-common-replace-wdog_active-with-wdog_h.patch b/queue-4.19/hwmon-sch56xx-common-replace-wdog_active-with-wdog_h.patch new file mode 100644 index 00000000000..22d21364b1c --- /dev/null +++ b/queue-4.19/hwmon-sch56xx-common-replace-wdog_active-with-wdog_h.patch 
@@ -0,0 +1,45 @@
+From 17713406ce9935e6e97e154e66e02915c7ab9552 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 31 Jan 2022 22:19:35 +0100
+Subject: hwmon: (sch56xx-common) Replace WDOG_ACTIVE with WDOG_HW_RUNNING
+
+From: Armin Wolf
+
+[ Upstream commit 647d6f09bea7dacf4cdb6d4ea7e3051883955297 ]
+
+If the watchdog was already enabled by the BIOS after booting, the
+watchdog infrastructure needs to regularly send keepalives to
+prevent a unexpected reset.
+WDOG_ACTIVE only serves as an status indicator for userspace,
+we want to use WDOG_HW_RUNNING instead.
+
+Since my Fujitsu Esprimo P720 does not support the watchdog,
+this change is compile-tested only.
+
+Suggested-by: Guenter Roeck
+Fixes: fb551405c0f8 (watchdog: sch56xx: Use watchdog core)
+Signed-off-by: Armin Wolf
+Link: https://lore.kernel.org/r/20220131211935.3656-5-W_Armin@gmx.de
+Reviewed-by: Hans de Goede
+Signed-off-by: Guenter Roeck
+Signed-off-by: Sasha Levin
+---
+ drivers/hwmon/sch56xx-common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/sch56xx-common.c b/drivers/hwmon/sch56xx-common.c
+index bda3d5285586..e1c4e6937a64 100644
+--- a/drivers/hwmon/sch56xx-common.c
++++ b/drivers/hwmon/sch56xx-common.c
+@@ -437,7 +437,7 @@ struct sch56xx_watchdog_data *sch56xx_watchdog_register(struct device *parent,
+ if (nowayout)
+ set_bit(WDOG_NO_WAY_OUT, &data->wddev.status);
+ if (output_enable & SCH56XX_WDOG_OUTPUT_ENABLE)
+- set_bit(WDOG_ACTIVE, &data->wddev.status);
++ set_bit(WDOG_HW_RUNNING, &data->wddev.status);
+
+ /* Since the watchdog uses a downcounter there is no register to read
+ the BIOS set timeout from (if any was set at all) ->
+--
+2.34.1
+
diff --git a/queue-4.19/hwrng-atmel-disable-trng-on-failure-path.patch b/queue-4.19/hwrng-atmel-disable-trng-on-failure-path.patch
new file mode 100644
index 00000000000..8cf0aa46484
--- /dev/null
+++ b/queue-4.19/hwrng-atmel-disable-trng-on-failure-path.patch
@@ -0,0 +1,34 @@
+From bb725ba4ea1188422db6ef439df70b10cf8e587b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 21 Feb 2022 09:59:23 +0200
+Subject: hwrng: atmel - disable trng on failure path
+
+From: Claudiu Beznea
+
+[ Upstream commit a223ea9f89ab960eb254ba78429efd42eaf845eb ]
+
+Call atmel_trng_disable() on failure path of probe.
+
+Fixes: a1fa98d8116f ("hwrng: atmel - disable TRNG during suspend")
+Signed-off-by: Claudiu Beznea
+Signed-off-by: Herbert Xu
+Signed-off-by: Sasha Levin
+---
+ drivers/char/hw_random/atmel-rng.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/char/hw_random/atmel-rng.c b/drivers/char/hw_random/atmel-rng.c
+index 433426242b87..40e6951ea078 100644
+--- a/drivers/char/hw_random/atmel-rng.c
++++ b/drivers/char/hw_random/atmel-rng.c
+@@ -96,6 +96,7 @@ static int atmel_trng_probe(struct platform_device *pdev)
+
+ err_register:
+ clk_disable_unprepare(trng->clk);
++ atmel_trng_disable(trng);
+ return ret;
+ }
+
+--
+2.34.1
+
diff --git a/queue-4.19/i2c-mux-demux-pinctrl-do-not-deactivate-a-master-tha.patch b/queue-4.19/i2c-mux-demux-pinctrl-do-not-deactivate-a-master-tha.patch
new file mode 100644
index 00000000000..c396392e8a9
--- /dev/null
+++ b/queue-4.19/i2c-mux-demux-pinctrl-do-not-deactivate-a-master-tha.patch
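Review bot: On the err_register path the added `atmel_trng_disable(trng);` runs after `clk_disable_unprepare(trng->clk);`, so the disable is issued with the peripheral clock already gated. If atmel_trng_disable() works by writing a TRNG register (its body is not in this hunk), that write may have no effect on a clock-gated block and the generator could be left enabled after a failed probe. Swapping the two lines, `atmel_trng_disable(trng);` first and `clk_disable_unprepare(trng->clk);` second, keeps the teardown in the reverse order of setup. The rest of atmel_trng_probe() is outside the hunk.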
@@ -0,0 +1,53 @@
+From e9fef149ab36b5ff60b34865c9668cd32bdd5d28 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 2 Mar 2022 12:22:35 +0100
+Subject: i2c: mux: demux-pinctrl: do not deactivate a master that is not
+ active
+
+From: Peter Rosin
+
+[ Upstream commit 1a22aabf20adf89cb216f566913196128766f25b ]
+
+Attempting to rollback the activation of the current master when
+the current master has not been activated is bad. priv->cur_chan
+and priv->cur_adap are both still zeroed out and the rollback
+may result in attempts to revert an of changeset that has not been
+applied and do result in calls to both del and put the zeroed out
+i2c_adapter. Maybe it crashes, or whatever, but it's bad in any
+case.
+
+Fixes: e9d1a0a41d44 ("i2c: mux: demux-pinctrl: Fix an error handling path in 'i2c_demux_pinctrl_probe()'")
+Signed-off-by: Peter Rosin
+Signed-off-by: Wolfram Sang
+Signed-off-by: Sasha Levin
+---
+ drivers/i2c/muxes/i2c-demux-pinctrl.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/i2c/muxes/i2c-demux-pinctrl.c b/drivers/i2c/muxes/i2c-demux-pinctrl.c
+index 9ba9ce5696e1..1b99d0b928a0 100644
+--- a/drivers/i2c/muxes/i2c-demux-pinctrl.c
++++ b/drivers/i2c/muxes/i2c-demux-pinctrl.c
+@@ -262,7 +262,7 @@ static int i2c_demux_pinctrl_probe(struct platform_device *pdev)
+
+ err = device_create_file(&pdev->dev, &dev_attr_available_masters);
+ if (err)
+- goto err_rollback;
++ goto err_rollback_activation;
+
+ err = device_create_file(&pdev->dev, &dev_attr_current_master);
+ if (err)
+@@ -272,8 +272,9 @@ static int i2c_demux_pinctrl_probe(struct platform_device *pdev)
+
+ err_rollback_available:
+ device_remove_file(&pdev->dev, &dev_attr_available_masters);
+-err_rollback:
++err_rollback_activation:
+ i2c_demux_deactivate_master(priv);
++err_rollback:
+ for (j = 0; j < i; j++) {
+ of_node_put(priv->chan[j].parent_np);
+ of_changeset_destroy(&priv->chan[j].chgset);
+--
+2.34.1
+
diff --git a/queue-4.19/i2c-xiic-make-bus-names-unique.patch b/queue-4.19/i2c-xiic-make-bus-names-unique.patch
new file mode 100644
index 00000000000..14f827c3d70
--- /dev/null
+++ b/queue-4.19/i2c-xiic-make-bus-names-unique.patch
@@ -0,0 +1,49 @@
+From a23bcb4f687527b9453f5b8fa92c3704bd1851d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 27 Jan 2022 11:50:13 -0600
+Subject: i2c: xiic: Make bus names unique
+
+From: Robert Hancock
+
+[ Upstream commit 1d366c2f9df8279df2adbb60471f86fc40a1c39e ]
+
+This driver is for an FPGA logic core, so there can be arbitrarily many
+instances of the bus on a given system. Previously all of the I2C bus
+names were "xiic-i2c" which caused issues with lm_sensors when trying to
+map human-readable names to sensor inputs because it could not properly
+distinguish the busses, for example. Append the platform device name to
+the I2C bus name so it is unique between different instances.
+
+Fixes: e1d5b6598cdc ("i2c: Add support for Xilinx XPS IIC Bus Interface")
+Signed-off-by: Robert Hancock
+Tested-by: Michal Simek
+Signed-off-by: Wolfram Sang
+Signed-off-by: Sasha Levin
+---
+ drivers/i2c/busses/i2c-xiic.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/i2c/busses/i2c-xiic.c b/drivers/i2c/busses/i2c-xiic.c
+index 8d6b6eeef71c..52acb185a29c 100644
+--- a/drivers/i2c/busses/i2c-xiic.c
++++ b/drivers/i2c/busses/i2c-xiic.c
+@@ -724,7 +724,6 @@ static const struct i2c_adapter_quirks xiic_quirks = {
+
+ static const struct i2c_adapter xiic_adapter = {
+ .owner = THIS_MODULE,
+- .name = DRIVER_NAME,
+ .class = I2C_CLASS_DEPRECATED,
+ .algo = &xiic_algorithm,
+ .quirks = &xiic_quirks,
+@@ -761,6 +760,8 @@ static int xiic_i2c_probe(struct platform_device *pdev)
+ i2c_set_adapdata(&i2c->adap, i2c);
+ i2c->adap.dev.parent = &pdev->dev;
+ i2c->adap.dev.of_node = pdev->dev.of_node;
++ snprintf(i2c->adap.name, sizeof(i2c->adap.name),
++ DRIVER_NAME " %s", pdev->name);
+
+ mutex_init(&i2c->lock);
+ init_waitqueue_head(&i2c->wait);
+--
+2.34.1
+
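Review bot: The `snprintf()` added in xiic_i2c_probe() ignores its return value, so a long `pdev->name` is silently cut to `sizeof(i2c->adap.name)` and two instances whose names differ only in the tail would end up with the same bus name again. Checking the result and warning when it is `>= sizeof(i2c->adap.name)` would make that case visible instead of quietly defeating the purpose of the change. It is also worth a comment on the static `xiic_adapter` template that `.name` is intentionally absent because the name is now filled in per device at probe time. The probe function continues outside the hunk.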
diff --git a/queue-4.19/iio-adc-add-check-for-devm_request_threaded_irq.patch b/queue-4.19/iio-adc-add-check-for-devm_request_threaded_irq.patch
new file mode 100644
index 00000000000..59ee046e60b
--- /dev/null
+++ b/queue-4.19/iio-adc-add-check-for-devm_request_threaded_irq.patch
@@ -0,0 +1,38 @@
+From 6108a29f82d5607ea49c292496e3c52c44aaaa24 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 24 Feb 2022 14:28:49 +0800
+Subject: iio: adc: Add check for devm_request_threaded_irq
+
+From: Jiasheng Jiang
+
+[ Upstream commit b30537a4cedcacf0ade2f33ebb7610178ed1e7d7 ]
+
+As the potential failure of the devm_request_threaded_irq(),
+it should be better to check the return value and return
+error if fails.
+
+Fixes: fa659a40b80b ("iio: adc: twl6030-gpadc: Use devm_* API family")
+Signed-off-by: Jiasheng Jiang
+Link: https://lore.kernel.org/r/20220224062849.3280966-1-jiasheng@iscas.ac.cn
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Sasha Levin
+---
+ drivers/iio/adc/twl6030-gpadc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/iio/adc/twl6030-gpadc.c b/drivers/iio/adc/twl6030-gpadc.c
+index e470510e76ea..765aaee157e2 100644
+--- a/drivers/iio/adc/twl6030-gpadc.c
++++ b/drivers/iio/adc/twl6030-gpadc.c
+@@ -927,6 +927,8 @@ static int twl6030_gpadc_probe(struct platform_device *pdev)
+ ret = devm_request_threaded_irq(dev, irq, NULL,
+ twl6030_gpadc_irq_handler,
+ IRQF_ONESHOT, "twl6030_gpadc", indio_dev);
++ if (ret)
++ return ret;
+
+ ret = twl6030_gpadc_enable_irq(TWL6030_GPADC_RT_SW1_EOC_MASK);
+ if (ret < 0) {
+--
+2.34.1
+
diff --git a/queue-4.19/irqchip-nvic-release-nvic_base-upon-failure.patch b/queue-4.19/irqchip-nvic-release-nvic_base-upon-failure.patch
new file mode 100644
index 00000000000..59717c93b15
--- /dev/null
+++ b/queue-4.19/irqchip-nvic-release-nvic_base-upon-failure.patch
@@ -0,0 +1,50 @@
+From a561fd0861c9ce63564f735116da3877dff429b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 18 Feb 2022 22:03:03 +0530
+Subject: irqchip/nvic: Release nvic_base upon failure
+
+From: Souptick Joarder (HPE)
+
+[ Upstream commit e414c25e3399b2b3d7337dc47abccab5c71b7c8f ]
+
+smatch warning was reported as below ->
+
+smatch warnings:
+drivers/irqchip/irq-nvic.c:131 nvic_of_init()
+warn: 'nvic_base' not released on lines: 97.
+
+Release nvic_base upon failure.
+
+Reported-by: kernel test robot
+Reported-by: Dan Carpenter
+Signed-off-by: Souptick Joarder (HPE)
+Signed-off-by: Marc Zyngier
+Link: https://lore.kernel.org/r/20220218163303.33344-1-jrdr.linux@gmail.com
+Signed-off-by: Sasha Levin
+---
+ drivers/irqchip/irq-nvic.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/irqchip/irq-nvic.c b/drivers/irqchip/irq-nvic.c
+index 9694529b709d..330beb62d015 100644
+--- a/drivers/irqchip/irq-nvic.c
++++ b/drivers/irqchip/irq-nvic.c
+@@ -108,6 +108,7 @@ static int __init nvic_of_init(struct device_node *node,
+
+ if (!nvic_irq_domain) {
+ pr_warn("Failed to allocate irq domain\n");
++ iounmap(nvic_base);
+ return -ENOMEM;
+ }
+
+@@ -117,6 +118,7 @@ static int __init nvic_of_init(struct device_node *node,
+ if (ret) {
+ pr_warn("Failed to allocate irq chips\n");
+ irq_domain_remove(nvic_irq_domain);
++ iounmap(nvic_base);
+ return ret;
+ }
+
+--
+2.34.1
+
diff --git a/queue-4.19/irqchip-qcom-pdc-fix-broken-locking.patch b/queue-4.19/irqchip-qcom-pdc-fix-broken-locking.patch
new file mode 100644
index 00000000000..40131baa45f
--- /dev/null
+++ b/queue-4.19/irqchip-qcom-pdc-fix-broken-locking.patch
@@ -0,0 +1,56 @@
+From 41e59e39217e37af7d191a5d49e731b3acb35493 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 24 Feb 2022 10:12:25 +0000
+Subject: irqchip/qcom-pdc: Fix broken locking
+
+From: Marc Zyngier
+
+[ Upstream commit a6aca2f460e203781dc41391913cc5b54f4bc0ce ]
+
+pdc_enable_intr() serves as a primitive to qcom_pdc_gic_{en,dis}able,
+and has a raw spinlock for mutual exclusion, which is uses with
+interruptible primitives.
+
+This means that this critical section can itself be interrupted.
+Should the interrupt also be a PDC interrupt, and the endpoint driver
+perform an irq_disable() on that interrupt, we end-up in a deadlock.
+
+Fix this by using the irqsave/irqrestore variants of the locking
+primitives.
+
+Signed-off-by: Marc Zyngier
+Reviewed-by: Maulik Shah
+Link: https://lore.kernel.org/r/20220224101226.88373-5-maz@kernel.org
+Signed-off-by: Sasha Levin
+---
+ drivers/irqchip/qcom-pdc.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/irqchip/qcom-pdc.c b/drivers/irqchip/qcom-pdc.c
+index faa7d61b9d6c..239a889df608 100644
+--- a/drivers/irqchip/qcom-pdc.c
++++ b/drivers/irqchip/qcom-pdc.c
+@@ -50,17 +50,18 @@ static u32 pdc_reg_read(int reg, u32 i)
+ static void pdc_enable_intr(struct irq_data *d, bool on)
+ {
+ int pin_out = d->hwirq;
++ unsigned long flags;
+ u32 index, mask;
+ u32 enable;
+
+ index = pin_out / 32;
+ mask = pin_out % 32;
+
+- raw_spin_lock(&pdc_lock);
++ raw_spin_lock_irqsave(&pdc_lock, flags);
+ enable = pdc_reg_read(IRQ_ENABLE_BANK, index);
+ enable = on ? ENABLE_INTR(enable, mask) : CLEAR_INTR(enable, mask);
+ pdc_reg_write(IRQ_ENABLE_BANK, index, enable);
+- raw_spin_unlock(&pdc_lock);
++ raw_spin_unlock_irqrestore(&pdc_lock, flags);
+ }
+
+ static void qcom_pdc_gic_mask(struct irq_data *d)
+--
+2.34.1
+
diff --git a/queue-4.19/iwlwifi-fix-eio-error-code-that-is-never-returned.patch b/queue-4.19/iwlwifi-fix-eio-error-code-that-is-never-returned.patch
new file mode 100644
index 00000000000..766cc22cc9e
--- /dev/null
+++ b/queue-4.19/iwlwifi-fix-eio-error-code-that-is-never-returned.patch
@@ -0,0 +1,39 @@
+From 83bc3f06a721fdbb1f6c34627001770ac3a88805 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 7 Sep 2021 11:46:58 +0100
+Subject: iwlwifi: Fix -EIO error code that is never returned
+
+From: Colin Ian King
+
+[ Upstream commit c305c94bdc18e45b5ad1db54da4269f8cbfdff6b ]
+
+Currently the error -EIO is being assinged to variable ret when
+the READY_BIT is not set but the function iwlagn_mac_start returns
+0 rather than ret. Fix this by returning ret instead of 0.
+
+Addresses-Coverity: ("Unused value")
+Fixes: 7335613ae27a ("iwlwifi: move all mac80211 related functions to one place")
+Signed-off-by: Colin Ian King
+Link: https://lore.kernel.org/r/20210907104658.14706-1-colin.king@canonical.com
+Signed-off-by: Luca Coelho
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/intel/iwlwifi/dvm/mac80211.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/dvm/mac80211.c
+index 82caae02dd09..f2e0cfa2f4a2 100644
+--- a/drivers/net/wireless/intel/iwlwifi/dvm/mac80211.c
++++ b/drivers/net/wireless/intel/iwlwifi/dvm/mac80211.c
+@@ -317,7 +317,7 @@ static int iwlagn_mac_start(struct ieee80211_hw *hw)
+
+ priv->is_open = 1;
+ IWL_DEBUG_MAC80211(priv, "leave\n");
+- return 0;
++ return ret;
+ }
+
+ static void iwlagn_mac_stop(struct ieee80211_hw *hw)
+--
+2.34.1
+
diff --git a/queue-4.19/jfs-fix-divide-error-in-dbnextag.patch b/queue-4.19/jfs-fix-divide-error-in-dbnextag.patch
new file mode 100644
index 00000000000..e59834ad2f3
--- /dev/null
+++ b/queue-4.19/jfs-fix-divide-error-in-dbnextag.patch
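Review bot: With `return ret;` the -EIO case now reaches the caller, but `priv->is_open = 1;` two lines above still executes on that path, so iwlagn_mac_start() reports failure while leaving the device marked open. Going by the commit message, `ret` is set to -EIO when the READY bit is missing; that assignment is outside the hunk, so confirm what else has already been brought up at that point. Either return before the flag is set, e.g. `if (ret) return ret;` ahead of `priv->is_open = 1;` once any needed unwinding is in place, or add a comment explaining why the flag is meant to stay set on failure.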
@@ -0,0 +1,56 @@
+From 9bd99021baa2ad31ed48d8baca33cce0a5386614 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 19 Mar 2022 22:30:00 +0300
+Subject: jfs: fix divide error in dbNextAG
+
+From: Pavel Skripkin
+
+[ Upstream commit 2cc7cc01c15f57d056318c33705647f87dcd4aab ]
+
+Syzbot reported divide error in dbNextAG(). The problem was in missing
+validation check for malicious image.
+
+Syzbot crafted an image with bmp->db_numag equal to 0. There wasn't any
+validation checks, but dbNextAG() blindly use bmp->db_numag in divide
+expression
+
+Fix it by validating bmp->db_numag in dbMount() and return an error if
+image is malicious
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-and-tested-by: syzbot+46f5c25af73eb8330eb6@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin
+Signed-off-by: Dave Kleikamp
+Signed-off-by: Sasha Levin
+---
+ fs/jfs/jfs_dmap.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
+index 687b07b9b4f6..f05805a10a50 100644
+--- a/fs/jfs/jfs_dmap.c
++++ b/fs/jfs/jfs_dmap.c
+@@ -161,6 +161,7 @@ static const s8 budtab[256] = {
+ * 0 - success
+ * -ENOMEM - insufficient memory
+ * -EIO - i/o error
++ * -EINVAL - wrong bmap data
+ */
+ int dbMount(struct inode *ipbmap)
+ {
+@@ -192,6 +193,12 @@ int dbMount(struct inode *ipbmap)
+ bmp->db_nfree = le64_to_cpu(dbmp_le->dn_nfree);
+ bmp->db_l2nbperpage = le32_to_cpu(dbmp_le->dn_l2nbperpage);
+ bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag);
++ if (!bmp->db_numag) {
++ release_metapage(mp);
++ kfree(bmp);
++ return -EINVAL;
++ }
++
+ bmp->db_maxlevel = le32_to_cpu(dbmp_le->dn_maxlevel);
+ bmp->db_maxag = le32_to_cpu(dbmp_le->dn_maxag);
+ bmp->db_agpref = le32_to_cpu(dbmp_le->dn_agpref);
+--
+2.34.1
+
diff --git a/queue-4.19/kgdboc-fix-return-value-of-__setup-handler.patch b/queue-4.19/kgdboc-fix-return-value-of-__setup-handler.patch
new file mode 100644
index 00000000000..ef2b668088a
--- /dev/null
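Review bot: The new check in dbMount() rejects only `db_numag == 0`; the value comes straight from the on-disk bmap (`le32_to_cpu(dbmp_le->dn_numag)`) and gets no upper bound, and the neighbouring fields read in the same block (`db_l2nbperpage`, `db_maxlevel`, `db_maxag`, `db_agpref`) are taken from the image with no range check at all. On a crafted image an oversized count is as untrustworthy as a zero one, particularly if it is later used to index a fixed-size per-AG array (not visible in this hunk). Tightening the test to `if (!bmp->db_numag || bmp->db_numag > MAXAG) {` would cover that, assuming MAXAG is the bound of those arrays. dbMount() starts and ends outside the hunk.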
+++ b/queue-4.19/kgdboc-fix-return-value-of-__setup-handler.patch 
@@ -0,0 +1,76 @@ +From 4c6c0def2fddc01af20a90caa0254844d6c7e1b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Mar 2022 19:30:18 -0800 +Subject: kgdboc: fix return value of __setup handler + +From: Randy Dunlap + +[ Upstream commit ab818c7aa7544bf8d2dd4bdf68878b17a02eb332 ] + +__setup() handlers should return 1 to obsolete_checksetup() in +init/main.c to indicate that the boot option has been handled. +A return of 0 causes the boot option/value to be listed as an Unknown +kernel parameter and added to init's (limited) environment strings. +So return 1 from kgdboc_option_setup(). + +Unknown kernel command line parameters "BOOT_IMAGE=/boot/bzImage-517rc7 + kgdboc=kbd kgdbts=", will be passed to user space. + + Run /sbin/init as init process + with arguments: + /sbin/init + with environment: + HOME=/ + TERM=linux + BOOT_IMAGE=/boot/bzImage-517rc7 + kgdboc=kbd + kgdbts= + +Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru +Fixes: 1bd54d851f50 ("kgdboc: Passing ekgdboc to command line causes panic") +Fixes: f2d937f3bf00 ("consoles: polling support, kgdboc") +Cc: He Zhe +Cc: Greg Kroah-Hartman +Cc: Jiri Slaby +Cc: kgdb-bugreport@lists.sourceforge.net +Cc: Jason Wessel +Cc: Daniel Thompson +Cc: Douglas Anderson +Cc: linux-serial@vger.kernel.org +Reported-by: Igor Zhbanov +Reviewed-by: Douglas Anderson +Signed-off-by: Randy Dunlap +Link: https://lore.kernel.org/r/20220309033018.17936-1-rdunlap@infradead.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/kgdboc.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/tty/serial/kgdboc.c b/drivers/tty/serial/kgdboc.c +index b0aa864f84a9..6e81d782d8a0 100644 +--- a/drivers/tty/serial/kgdboc.c ++++ b/drivers/tty/serial/kgdboc.c +@@ -302,16 +302,16 @@ static int kgdboc_option_setup(char *opt) + { + if (!opt) { + pr_err("config string not provided\n"); +- return -EINVAL; ++ return 1; + } + + if (strlen(opt) >= 
MAX_CONFIG_LEN) { + pr_err("config string too long\n"); +- return -ENOSPC; ++ return 1; + } + strcpy(config, opt); + +- return 0; ++ return 1; + } + + __setup("kgdboc=", kgdboc_option_setup); +-- +2.34.1 + diff --git a/queue-4.19/kgdbts-fix-return-value-of-__setup-handler.patch b/queue-4.19/kgdbts-fix-return-value-of-__setup-handler.patch new file mode 100644 index 00000000000..1cc347196b8 --- /dev/null +++ b/queue-4.19/kgdbts-fix-return-value-of-__setup-handler.patch 
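Review bot: The two error branches of kgdboc_option_setup() now end in `return 1;` with no explanation, which reads like a bug to anyone who has not seen the commit message. A short comment above the first one, e.g. `/* __setup() handlers return 1 ("handled") even on error, so the option is not passed on to init */`, would record why; the same applies to kgdbts_option_setup() in the kgdbts patch that follows. Separately, if this function has callers other than __setup that look at the return value (none are visible here), they can no longer tell a rejected config string from an accepted one.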
@@ -0,0 +1,65 @@
+From 38635974c4ef2f5a9ccc27c95556d6b8299b9fcd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 7 Mar 2022 19:32:55 -0800
+Subject: kgdbts: fix return value of __setup handler
+
+From: Randy Dunlap
+
+[ Upstream commit 96c9e802c64014a7716865332d732cc9c7f24593 ]
+
+__setup() handlers should return 1 to indicate that the boot option
+has been handled. A return of 0 causes the boot option/value to be
+listed as an Unknown kernel parameter and added to init's (limited)
+environment strings. So return 1 from kgdbts_option_setup().
+
+Unknown kernel command line parameters "BOOT_IMAGE=/boot/bzImage-517rc7
+ kgdboc=kbd kgdbts=", will be passed to user space.
+
+ Run /sbin/init as init process
+ with arguments:
+ /sbin/init
+ with environment:
+ HOME=/
+ TERM=linux
+ BOOT_IMAGE=/boot/bzImage-517rc7
+ kgdboc=kbd
+ kgdbts=
+
+Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru
+Fixes: e8d31c204e36 ("kgdb: add kgdb internal test suite")
+Cc: kgdb-bugreport@lists.sourceforge.net
+Cc: Jason Wessel
+Cc: Daniel Thompson
+Cc: Douglas Anderson
+Cc: Arnd Bergmann
+Cc: Greg Kroah-Hartman
+Reported-by: Igor Zhbanov
+Reviewed-by: Douglas Anderson
+Signed-off-by: Randy Dunlap
+Link: https://lore.kernel.org/r/20220308033255.22118-1-rdunlap@infradead.org
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/misc/kgdbts.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/misc/kgdbts.c b/drivers/misc/kgdbts.c
+index 49e08b6133f5..bc4dc92af1f6 100644
+--- a/drivers/misc/kgdbts.c
++++ b/drivers/misc/kgdbts.c
+@@ -1072,10 +1072,10 @@ static int kgdbts_option_setup(char *opt)
+ {
+ if (strlen(opt) >= MAX_CONFIG_LEN) {
+ printk(KERN_ERR "kgdbts: config string too long\n");
+- return -ENOSPC;
++ return 1;
+ }
+ strcpy(config, opt);
+- return 0;
++ return 1;
+ }
+
+ __setup("kgdbts=", kgdbts_option_setup);
+--
+2.34.1
+
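Review bot: kgdbts_option_setup() calls `strlen(opt)` without the `if (!opt)` guard that kgdboc_option_setup() has in the neighbouring kgdboc patch. Whether `opt` can be NULL on this path is not visible from the hunk, but the two handlers are otherwise near-identical, so either add the same check ahead of the length test, `if (!opt) return 1;`, or add a comment saying why it is not needed here.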
diff --git a/queue-4.19/kvm-ppc-fix-vmx-vsx-mixup-in-mmio-emulation.patch b/queue-4.19/kvm-ppc-fix-vmx-vsx-mixup-in-mmio-emulation.patch
new file mode 100644
index 00000000000..bab6dfd5758
--- /dev/null
+++ b/queue-4.19/kvm-ppc-fix-vmx-vsx-mixup-in-mmio-emulation.patch
@@ -0,0 +1,48 @@
+From a0eee8918e9eacc80f5aa94110f8c1663e4f62b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 25 Jan 2022 18:56:52 -0300
+Subject: KVM: PPC: Fix vmx/vsx mixup in mmio emulation
+
+From: Fabiano Rosas
+
+[ Upstream commit b99234b918c6e36b9aa0a5b2981e86b6bd11f8e2 ]
+
+The MMIO emulation code for vector instructions is duplicated between
+VSX and VMX. When emulating VMX we should check the VMX copy size
+instead of the VSX one.
+
+Fixes: acc9eb9305fe ("KVM: PPC: Reimplement LOAD_VMX/STORE_VMX instruction ...")
+Signed-off-by: Fabiano Rosas
+Reviewed-by: Nicholas Piggin
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20220125215655.1026224-3-farosas@linux.ibm.com
+Signed-off-by: Sasha Levin
+---
+ arch/powerpc/kvm/powerpc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/kvm/powerpc.c b/arch/powerpc/kvm/powerpc.c
+index ad5a871a6cbf..dd352842a1c7 100644
+--- a/arch/powerpc/kvm/powerpc.c
++++ b/arch/powerpc/kvm/powerpc.c
+@@ -1479,7 +1479,7 @@ int kvmppc_handle_vmx_load(struct kvm_run *run, struct kvm_vcpu *vcpu,
+ {
+ enum emulation_result emulated = EMULATE_DONE;
+
+- if (vcpu->arch.mmio_vsx_copy_nums > 2)
++ if (vcpu->arch.mmio_vmx_copy_nums > 2)
+ return EMULATE_FAIL;
+
+ while (vcpu->arch.mmio_vmx_copy_nums) {
+@@ -1576,7 +1576,7 @@ int kvmppc_handle_vmx_store(struct kvm_run *run, struct kvm_vcpu *vcpu,
+ unsigned int index = rs & KVM_MMIO_REG_MASK;
+ enum emulation_result emulated = EMULATE_DONE;
+
+- if (vcpu->arch.mmio_vsx_copy_nums > 2)
++ if (vcpu->arch.mmio_vmx_copy_nums > 2)
+ return EMULATE_FAIL;
+
+ vcpu->arch.io_gpr = rs;
+--
+2.34.1
+
diff --git a/queue-4.19/kvm-x86-emulator-defer-not-present-segment-check-in-.patch b/queue-4.19/kvm-x86-emulator-defer-not-present-segment-check-in-.patch
new file mode 100644
index 00000000000..c7a17ca678c
--- /dev/null
+++ b/queue-4.19/kvm-x86-emulator-defer-not-present-segment-check-in-.patch
@@ -0,0 +1,69 @@ +From ce24390afec9de1a66b0b112c782549de817cbf7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Feb 2022 17:34:03 +0800 +Subject: KVM: x86/emulator: Defer not-present segment check in + __load_segment_descriptor() + +From: Hou Wenlong + +[ Upstream commit ca85f002258fdac3762c57d12d5e6e401b6a41af ] + +Per Intel's SDM on the "Instruction Set Reference", when +loading segment descriptor, not-present segment check should +be after all type and privilege checks. But the emulator checks +it first, then #NP is triggered instead of #GP if privilege fails +and segment is not present. Put not-present segment check after +type and privilege checks in __load_segment_descriptor(). + +Fixes: 38ba30ba51a00 (KVM: x86 emulator: Emulate task switch in emulator.c) +Reviewed-by: Sean Christopherson +Signed-off-by: Hou Wenlong +Message-Id: <52573c01d369f506cadcf7233812427cf7db81a7.1644292363.git.houwenlong.hwl@antgroup.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/emulate.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c +index 3e182c7ae771..63754d248dfb 100644 +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -1669,11 +1669,6 @@ static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt, + goto exception; + } + +- if (!seg_desc.p) { +- err_vec = (seg == VCPU_SREG_SS) ? 
SS_VECTOR : NP_VECTOR; +- goto exception; +- } +- + dpl = seg_desc.dpl; + + switch (seg) { +@@ -1713,6 +1708,10 @@ static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt, + case VCPU_SREG_TR: + if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9)) + goto exception; ++ if (!seg_desc.p) { ++ err_vec = NP_VECTOR; ++ goto exception; ++ } + old_desc = seg_desc; + seg_desc.type |= 2; /* busy */ + ret = ctxt->ops->cmpxchg_emulated(ctxt, desc_addr, &old_desc, &seg_desc, +@@ -1737,6 +1736,11 @@ static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt, + break; + } + ++ if (!seg_desc.p) { ++ err_vec = (seg == VCPU_SREG_SS) ? SS_VECTOR : NP_VECTOR; ++ goto exception; ++ } ++ + if (seg_desc.s) { + /* mark segment as accessed */ + if (!(seg_desc.type & 1)) { +-- +2.34.1 + diff --git a/queue-4.19/kvm-x86-fix-emulation-in-writing-cr8.patch b/queue-4.19/kvm-x86-fix-emulation-in-writing-cr8.patch new file mode 100644 index 00000000000..c2d97879896 --- /dev/null +++ b/queue-4.19/kvm-x86-fix-emulation-in-writing-cr8.patch 
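Review bot: In the `VCPU_SREG_TR` case of `__load_segment_descriptor()` (arch/x86/kvm/emulate.c) the new `if (!seg_desc.p)` check has no comment saying why TR needs its own copy instead of relying on the deferred check after the switch. In the hunk it sits directly before the busy-bit update through `cmpxchg_emulated()`, so it presumably exists to keep a not-present TSS descriptor from being marked busy in guest memory before #NP is raised; that ordering is easy to lose in a later cleanup. I would add `/* #NP must be raised before the descriptor is marked busy below */` above the check. The function body extends beyond the shown hunks.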
@@ -0,0 +1,65 @@
+From 4601d68832951ebaff32e137401b49bfd32d2c96 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 10 Feb 2022 17:45:06 +0800
+Subject: KVM: x86: Fix emulation in writing cr8
+
+From: Zhenzhong Duan
+
+[ Upstream commit f66af9f222f08d5b11ea41c1bd6c07a0f12daa07 ]
+
+In emulation of writing to cr8, one of the lowest four bits in TPR[3:0]
+is kept.
+
+According to Intel SDM 10.8.6.1(baremetal scenario):
+"APIC.TPR[bits 7:4] = CR8[bits 3:0], APIC.TPR[bits 3:0] = 0";
+
+and SDM 28.3(use TPR shadow):
+"MOV to CR8. The instruction stores bits 3:0 of its source operand into
+bits 7:4 of VTPR; the remainder of VTPR (bits 3:0 and bits 31:8) are
+cleared.";
+
+and AMD's APM 16.6.4:
+"Task Priority Sub-class (TPS)-Bits 3 : 0. The TPS field indicates the
+current sub-priority to be used when arbitrating lowest-priority messages.
+This field is written with zero when TPR is written using the architectural
+CR8 register.";
+
+so in KVM emulated scenario, clear TPR[3:0] to make a consistent behavior
+as in other scenarios.
+
+This doesn't impact evaluation and delivery of pending virtual interrupts
+because processor does not use the processor-priority sub-class to
+determine which interrupts to delivery and which to inhibit.
+
+Sub-class is used by hardware to arbitrate lowest priority interrupts,
+but KVM just does a round-robin style delivery.
+
+Fixes: b93463aa59d6 ("KVM: Accelerated apic support")
+Signed-off-by: Zhenzhong Duan
+Reviewed-by: Sean Christopherson
+Message-Id: <20220210094506.20181-1-zhenzhong.duan@intel.com>
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kvm/lapic.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
+index 56a4b9762b0c..89d07312e58c 100644
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -2045,10 +2045,7 @@ void kvm_set_lapic_tscdeadline_msr(struct kvm_vcpu *vcpu, u64 data)
+
+ void kvm_lapic_set_tpr(struct kvm_vcpu *vcpu, unsigned long cr8)
+ {
+- struct kvm_lapic *apic = vcpu->arch.apic;
+-
+- apic_set_tpr(apic, ((cr8 & 0x0f) << 4)
+- | (kvm_lapic_get_reg(apic, APIC_TASKPRI) & 4));
++ apic_set_tpr(vcpu->arch.apic, (cr8 & 0x0f) << 4);
+ }
+
+ u64 kvm_lapic_get_cr8(struct kvm_vcpu *vcpu)
+--
+2.34.1
+
diff --git a/queue-4.19/lib-raid6-test-makefile-use-pound-instead-of-for-mak.patch b/queue-4.19/lib-raid6-test-makefile-use-pound-instead-of-for-mak.patch
new file mode 100644
index 00000000000..1f91a2f3328
--- /dev/null
+++ b/queue-4.19/lib-raid6-test-makefile-use-pound-instead-of-for-mak.patch
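Review bot: `kvm_lapic_set_tpr()` in arch/x86/kvm/lapic.c now drops the low TPR nibble without any comment, so the reason it is architectural rather than an oversight lives only in the commit message. The removed code deliberately OR-ed in part of the old `APIC_TASKPRI` value, and a later reader comparing against history may be tempted to restore it. I would add `/* MOV to CR8 clears TPR[3:0]; only CR8[3:0] -> TPR[7:4] is kept */` above the `apic_set_tpr()` call.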
@@ -0,0 +1,85 @@
+From 8120084163604e7810691f6ad5845b3d4078778b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 8 Feb 2022 16:21:48 +0100
+Subject: lib/raid6/test/Makefile: Use $(pound) instead of \# for Make 4.3
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Paul Menzel
+
+[ Upstream commit 633174a7046ec3b4572bec24ef98e6ee89bce14b ]
+
+Buidling raid6test on Ubuntu 21.10 (ppc64le) with GNU Make 4.3 shows the
+errors below:
+
+ $ cd lib/raid6/test/
+ $ make
+ :1:1: error: stray ‘\’ in program
+ :1:2: error: stray ‘#’ in program
+ :1:11: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ \
+ before ‘<’ token
+
+ [...]
+
+The errors come from the HAS_ALTIVEC test, which fails, and the POWER
+optimized versions are not built. That’s also reason nobody noticed on the
+other architectures.
+
+GNU Make 4.3 does not remove the backslash anymore. From the 4.3 release
+announcment:
+
+> * WARNING: Backward-incompatibility!
+> Number signs (#) appearing inside a macro reference or function invocation
+> no longer introduce comments and should not be escaped with backslashes:
+> thus a call such as:
+> foo := $(shell echo '#')
+> is legal. Previously the number sign needed to be escaped, for example:
+> foo := $(shell echo '\#')
+> Now this latter will resolve to "\#". If you want to write makefiles
+> portable to both versions, assign the number sign to a variable:
+> H := \#
+> foo := $(shell echo '$H')
+> This was claimed to be fixed in 3.81, but wasn't, for some reason.
+> To detect this change search for 'nocomment' in the .FEATURES variable.
+
+So, do the same as commit 9564a8cf422d ("Kbuild: fix # escaping in .cmd
+files for future Make") and commit 929bef467771 ("bpf: Use $(pound) instead
+of \# in Makefiles") and define and use a $(pound) variable.
+
+Reference for the change in make:
+https://git.savannah.gnu.org/cgit/make.git/commit/?id=c6966b323811c37acedff05b57
+
+Cc: Matt Brown
+Signed-off-by: Paul Menzel
+Signed-off-by: Song Liu
+Signed-off-by: Sasha Levin
+---
+ lib/raid6/test/Makefile | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/raid6/test/Makefile b/lib/raid6/test/Makefile
+index 79777645cac9..e7b54ec8ca70 100644
+--- a/lib/raid6/test/Makefile
++++ b/lib/raid6/test/Makefile
+@@ -4,6 +4,8 @@
+ # from userspace.
+ #
+
++pound := \#
++
+ CC = gcc
+ OPTFLAGS = -O2 # Adjust as desired
+ CFLAGS = -I.. -I ../../../include -g $(OPTFLAGS)
+@@ -44,7 +46,7 @@ else ifeq ($(HAS_NEON),yes)
+ OBJS += neon.o neon1.o neon2.o neon4.o neon8.o recov_neon.o recov_neon_inner.o
+ CFLAGS += -DCONFIG_KERNEL_MODE_NEON=1
+ else
+- HAS_ALTIVEC := $(shell printf '\#include \nvector int a;\n' |\
++ HAS_ALTIVEC := $(shell printf '$(pound)include \nvector int a;\n' |\
+ gcc -c -x c - >/dev/null && rm ./-.o && echo yes)
+ ifeq ($(HAS_ALTIVEC),yes)
+ CFLAGS += -I../../../arch/powerpc/include
+--
+2.34.1
+
diff --git a/queue-4.19/lib-test-use-after-free-in-register_test_dev_kmod.patch b/queue-4.19/lib-test-use-after-free-in-register_test_dev_kmod.patch
new file mode 100644
index 00000000000..dd3f861a165
--- /dev/null
+++ b/queue-4.19/lib-test-use-after-free-in-register_test_dev_kmod.patch
@@ -0,0 +1,34 @@
+From 308756be9353e1b1b830f60555ad87f74cd19a31 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 24 Mar 2022 08:52:07 +0300
+Subject: lib/test: use after free in register_test_dev_kmod()
+
+From: Dan Carpenter
+
+[ Upstream commit dc0ce6cc4b133f5f2beb8b47dacae13a7d283c2c ]
+
+The "test_dev" pointer is freed but then returned to the caller.
+
+Fixes: d9c6a72d6fa2 ("kmod: add test driver to stress test the module loader")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Luis Chamberlain
+Signed-off-by: Sasha Levin
+---
+ lib/test_kmod.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/test_kmod.c b/lib/test_kmod.c
+index 87a0cc750ea2..6813b183aa34 100644
+--- a/lib/test_kmod.c
++++ b/lib/test_kmod.c
+@@ -1155,6 +1155,7 @@ static struct kmod_test_device *register_test_dev_kmod(void)
+ if (ret) {
+ pr_err("could not register misc device: %d\n", ret);
+ free_test_dev_kmod(test_dev);
++ test_dev = NULL;
+ goto out;
+ }
+
+--
+2.34.1
+
diff --git a/queue-4.19/loop-use-sysfs_emit-in-the-sysfs-xxx-show.patch b/queue-4.19/loop-use-sysfs_emit-in-the-sysfs-xxx-show.patch
new file mode 100644
index 00000000000..8586f3aefb8
--- /dev/null
+++ b/queue-4.19/loop-use-sysfs_emit-in-the-sysfs-xxx-show.patch
@@ -0,0 +1,73 @@
+From 7e379cc7b6ce3e66cf96a68d790eeb94438afbcd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 15 Feb 2022 13:33:07 -0800
+Subject: loop: use sysfs_emit() in the sysfs xxx show()
+
+From: Chaitanya Kulkarni
+
+[ Upstream commit b27824d31f09ea7b4a6ba2c1b18bd328df3e8bed ]
+
+sprintf does not know the PAGE_SIZE maximum of the temporary buffer
+used for outputting sysfs content and it's possible to overrun the
+PAGE_SIZE buffer length.
+
+Use a generic sysfs_emit function that knows the size of the
+temporary buffer and ensures that no overrun is done for offset
+attribute in
+loop_attr_[offset|sizelimit|autoclear|partscan|dio]_show() callbacks.
+
+Signed-off-by: Chaitanya Kulkarni
+Reviewed-by: Himanshu Madhani
+Link: https://lore.kernel.org/r/20220215213310.7264-2-kch@nvidia.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ drivers/block/loop.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/block/loop.c b/drivers/block/loop.c
+index 19042b42a8ba..c31a76485c9c 100644
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -795,33 +795,33 @@ static ssize_t loop_attr_backing_file_show(struct loop_device *lo, char *buf)
+
+ static ssize_t loop_attr_offset_show(struct loop_device *lo, char *buf)
+ {
+- return sprintf(buf, "%llu\n", (unsigned long long)lo->lo_offset);
++ return sysfs_emit(buf, "%llu\n", (unsigned long long)lo->lo_offset);
+ }
+
+ static ssize_t loop_attr_sizelimit_show(struct loop_device *lo, char *buf)
+ {
+- return sprintf(buf, "%llu\n", (unsigned long long)lo->lo_sizelimit);
++ return sysfs_emit(buf, "%llu\n", (unsigned long long)lo->lo_sizelimit);
+ }
+
+ static ssize_t loop_attr_autoclear_show(struct loop_device *lo, char *buf)
+ {
+ int autoclear = (lo->lo_flags & LO_FLAGS_AUTOCLEAR);
+
+- return sprintf(buf, "%s\n", autoclear ? "1" : "0");
++ return sysfs_emit(buf, "%s\n", autoclear ? "1" : "0");
+ }
+
+ static ssize_t loop_attr_partscan_show(struct loop_device *lo, char *buf)
+ {
+ int partscan = (lo->lo_flags & LO_FLAGS_PARTSCAN);
+
+- return sprintf(buf, "%s\n", partscan ? "1" : "0");
++ return sysfs_emit(buf, "%s\n", partscan ? "1" : "0");
+ }
+
+ static ssize_t loop_attr_dio_show(struct loop_device *lo, char *buf)
+ {
+ int dio = (lo->lo_flags & LO_FLAGS_DIRECT_IO);
+
+- return sprintf(buf, "%s\n", dio ? "1" : "0");
++ return sysfs_emit(buf, "%s\n", dio ? "1" : "0");
+ }
+
+ LOOP_ATTR_RO(backing_file);
+--
+2.34.1
+
diff --git a/queue-4.19/media-coda-fix-missing-put_device-call-in-coda_get_v.patch b/queue-4.19/media-coda-fix-missing-put_device-call-in-coda_get_v.patch
new file mode 100644
index 00000000000..7973920707f
--- /dev/null
+++ b/queue-4.19/media-coda-fix-missing-put_device-call-in-coda_get_v.patch
@@ -0,0 +1,37 @@
+From 6257f4e5003fea024221bcd2bedb6347345e21a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 12 Jan 2022 12:05:54 +0100
+Subject: media: coda: Fix missing put_device() call in coda_get_vdoa_data
+
+From: Miaoqian Lin
+
+[ Upstream commit ca85d271531a1e1c86f24b892f57b7d0a3ddb5a6 ]
+
+The reference taken by 'of_find_device_by_node()' must be released when
+not needed anymore.
+Add the corresponding 'put_device()' in the error handling path.
+
+Fixes: e7f3c5481035 ("[media] coda: use VDOA for un-tiling custom macroblock format")
+Signed-off-by: Miaoqian Lin
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/platform/coda/coda-common.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/platform/coda/coda-common.c b/drivers/media/platform/coda/coda-common.c
+index fccc771d23a5..5f8da544b98d 100644
+--- a/drivers/media/platform/coda/coda-common.c
++++ b/drivers/media/platform/coda/coda-common.c
+@@ -376,6 +376,7 @@ static struct vdoa_data *coda_get_vdoa_data(void)
+ if (!vdoa_data)
+ vdoa_data = ERR_PTR(-EPROBE_DEFER);
+
++ put_device(&vdoa_pdev->dev);
+ out:
+ if (vdoa_node)
+ of_node_put(vdoa_node);
+--
+2.34.1
+
diff --git a/queue-4.19/media-cx88-mpeg-clear-interrupt-status-register-befo.patch b/queue-4.19/media-cx88-mpeg-clear-interrupt-status-register-befo.patch
new file mode 100644
index 00000000000..76538dcbb62
--- /dev/null
+++ b/queue-4.19/media-cx88-mpeg-clear-interrupt-status-register-befo.patch
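Review bot: The added `put_device(&vdoa_pdev->dev)` in `coda_get_vdoa_data()` sits before the `out:` label, so it also runs on the success path, and the function then returns `vdoa_data` with no device reference held. If `vdoa_data` is the VDOA device's driver data (its assignment is outside the hunk), nothing visible here keeps that object alive should the VDOA driver unbind while coda still holds the pointer. The lifetime assumption should at least be written down next to the call, e.g. `/* vdoa_data stays valid only while the VDOA driver is bound; no reference is kept */`. The commit text speaks of the error handling path only, which does not match where the call was placed.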
@@ -0,0 +1,47 @@
+From 50e8a4af37203257b20dbe38508e0d75f0c9b934 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 20 Feb 2022 19:19:50 +0100
+Subject: media: cx88-mpeg: clear interrupt status register before streaming
+ video
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Daniel González Cabanelas
+
+[ Upstream commit 56cb61f70e547e1b0cdfe6ff5a1f1ce6242e6d96 ]
+
+Some cx88 video cards may have transport stream status interrupts set
+to 1 from cold start, causing errors like this:
+
+ cx88xx: cx88_print_irqbits: core:irq mpeg [0x100000] ts_err?*
+ cx8802: cx8802_mpeg_irq: mpeg:general errors: 0x00100000
+
+According to CX2388x datasheet, the interrupt status register should be
+cleared before enabling IRQs to stream video.
+
+Fix it by clearing the Transport Stream Interrupt Status register.
+
+Signed-off-by: Daniel González Cabanelas
+Signed-off-by: Sasha Levin
+---
+ drivers/media/pci/cx88/cx88-mpeg.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/media/pci/cx88/cx88-mpeg.c b/drivers/media/pci/cx88/cx88-mpeg.c
+index 52ff00ebd4bd..281eca525340 100644
+--- a/drivers/media/pci/cx88/cx88-mpeg.c
++++ b/drivers/media/pci/cx88/cx88-mpeg.c
+@@ -171,6 +171,9 @@ int cx8802_start_dma(struct cx8802_dev *dev,
+ cx_write(MO_TS_GPCNTRL, GP_COUNT_CONTROL_RESET);
+ q->count = 0;
+
++ /* clear interrupt status register */
++ cx_write(MO_TS_INTSTAT, 0x1f1111);
++
+ /* enable irqs */
+ dprintk(1, "setting the interrupt mask\n");
+ cx_set(MO_PCI_INTMSK, core->pci_irqmask | PCI_INT_TSINT);
+--
+2.34.1
+
diff --git a/queue-4.19/media-em28xx-initialize-refcount-before-kref_get.patch b/queue-4.19/media-em28xx-initialize-refcount-before-kref_get.patch
new file mode 100644
index 00000000000..01975464cb8
--- /dev/null
+++ b/queue-4.19/media-em28xx-initialize-refcount-before-kref_get.patch
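Review bot: `cx_write(MO_TS_INTSTAT, 0x1f1111)` in `cx8802_start_dma()` uses a bare mask, and the comment above it only restates the call. A reader cannot tell whether 0x1f1111 covers every status bit or a chosen subset, nor that the register is presumably cleared by writing ones. I would name the constant or extend the comment to carry the reason from the commit message, e.g. `/* ack stale TS status bits that some cards leave set at cold start */`.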
@@ -0,0 +1,66 @@
+From fbab6a6dcc7ec310fc561087f761bb3bd06f35a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 22 Jan 2022 15:44:59 +0800
+Subject: media: em28xx: initialize refcount before kref_get
+
+From: Dongliang Mu
+
+[ Upstream commit c08eadca1bdfa099e20a32f8fa4b52b2f672236d ]
+
+The commit 47677e51e2a4("[media] em28xx: Only deallocate struct
+em28xx after finishing all extensions") adds kref_get to many init
+functions (e.g., em28xx_audio_init). However, kref_init is called too
+late in em28xx_usb_probe, since em28xx_init_dev before will invoke
+those init functions and call kref_get function. Then refcount bug
+occurs in my local syzkaller instance.
+
+Fix it by moving kref_init before em28xx_init_dev. This issue occurs
+not only in dev but also dev->dev_next.
+
+Fixes: 47677e51e2a4 ("[media] em28xx: Only deallocate struct em28xx after finishing all extensions")
+Reported-by: syzkaller
+Signed-off-by: Dongliang Mu
+Signed-off-by: Hans Verkuil
+Signed-off-by: Sasha Levin
+---
+ drivers/media/usb/em28xx/em28xx-cards.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/usb/em28xx/em28xx-cards.c b/drivers/media/usb/em28xx/em28xx-cards.c
+index 06da08f8efdb..c7f79d0f3883 100644
+--- a/drivers/media/usb/em28xx/em28xx-cards.c
++++ b/drivers/media/usb/em28xx/em28xx-cards.c
+@@ -3822,6 +3822,8 @@ static int em28xx_usb_probe(struct usb_interface *intf,
+ goto err_free;
+ }
+
++ kref_init(&dev->ref);
++
+ dev->devno = nr;
+ dev->model = id->driver_info;
+ dev->alt = -1;
+@@ -3922,6 +3924,8 @@ static int em28xx_usb_probe(struct usb_interface *intf,
+ }
+
+ if (dev->board.has_dual_ts && em28xx_duplicate_dev(dev) == 0) {
++ kref_init(&dev->dev_next->ref);
++
+ dev->dev_next->ts = SECONDARY_TS;
+ dev->dev_next->alt = -1;
+ dev->dev_next->is_audio_only = has_vendor_audio &&
+@@ -3976,12 +3980,8 @@ static int em28xx_usb_probe(struct usb_interface *intf,
+ em28xx_write_reg(dev, 0x0b, 0x82);
+ mdelay(100);
+ }
+-
+- kref_init(&dev->dev_next->ref);
+ }
+
+- kref_init(&dev->ref);
+-
+ request_modules(dev);
+
+ /*
+--
+2.34.1
+
diff --git a/queue-4.19/media-hdpvr-initialize-dev-worker-at-hdpvr_register_.patch b/queue-4.19/media-hdpvr-initialize-dev-worker-at-hdpvr_register_.patch
new file mode 100644
index 00000000000..ff44f31bb1d
--- /dev/null
+++ b/queue-4.19/media-hdpvr-initialize-dev-worker-at-hdpvr_register_.patch
@@ -0,0 +1,61 @@
+From 972861840bc2e03f9d5b607dbc48ad0e473467e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 18 Feb 2022 10:41:30 +0100
+Subject: media: hdpvr: initialize dev->worker at hdpvr_register_videodev
+
+From: Dongliang Mu
+
+[ Upstream commit 07922937e9a580825f9965c46fd15e23ba5754b6 ]
+
+hdpvr_register_videodev is responsible to initialize a worker in
+hdpvr_device. However, the worker is only initialized at
+hdpvr_start_streaming other than hdpvr_register_videodev.
+When hdpvr_probe does not initialize its worker, the hdpvr_disconnect
+will encounter one WARN in flush_work.The stack trace is as follows:
+
+ hdpvr_disconnect+0xb8/0xf2 drivers/media/usb/hdpvr/hdpvr-core.c:425
+ usb_unbind_interface+0xbf/0x3a0 drivers/usb/core/driver.c:458
+ __device_release_driver drivers/base/dd.c:1206 [inline]
+ device_release_driver_internal+0x22a/0x230 drivers/base/dd.c:1237
+ bus_remove_device+0x108/0x160 drivers/base/bus.c:529
+ device_del+0x1fe/0x510 drivers/base/core.c:3592
+ usb_disable_device+0xd1/0x1d0 drivers/usb/core/message.c:1419
+ usb_disconnect+0x109/0x330 drivers/usb/core/hub.c:2228
+
+Fix this by moving the initialization of dev->worker to the starting of
+hdpvr_register_videodev
+
+Reported-by: syzkaller
+Signed-off-by: Dongliang Mu
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/usb/hdpvr/hdpvr-video.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/hdpvr/hdpvr-video.c b/drivers/media/usb/hdpvr/hdpvr-video.c
+index 0615996572e4..ce46f8721470 100644
+--- a/drivers/media/usb/hdpvr/hdpvr-video.c
++++ b/drivers/media/usb/hdpvr/hdpvr-video.c
+@@ -312,7 +312,6 @@ static int hdpvr_start_streaming(struct hdpvr_device *dev)
+
+ dev->status = STATUS_STREAMING;
+
+- INIT_WORK(&dev->worker, hdpvr_transmit_buffers);
+ schedule_work(&dev->worker);
+
+ v4l2_dbg(MSG_BUFFER, hdpvr_debug, &dev->v4l2_dev,
+@@ -1175,6 +1174,9 @@ int hdpvr_register_videodev(struct hdpvr_device *dev, struct device *parent,
+ bool ac3 = dev->flags & HDPVR_FLAG_AC3_CAP;
+ int res;
+
++ // initialize dev->worker
++ INIT_WORK(&dev->worker, hdpvr_transmit_buffers);
++
+ dev->cur_std = V4L2_STD_525_60;
+ dev->width = 720;
+ dev->height = 480;
+--
+2.34.1
+
diff --git a/queue-4.19/media-revert-media-em28xx-add-missing-em28xx_close_e.patch b/queue-4.19/media-revert-media-em28xx-add-missing-em28xx_close_e.patch
new file mode 100644
index 00000000000..ecad5bf3a0c
--- /dev/null
+++ b/queue-4.19/media-revert-media-em28xx-add-missing-em28xx_close_e.patch
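Review bot: The new comment `// initialize dev->worker` in `hdpvr_register_videodev()` repeats the line below it and says nothing about why the work item has to exist before streaming ever starts. The reason is in the commit message: the disconnect path flushes the work even when `hdpvr_start_streaming()` never ran. That is what a maintainer needs when deciding whether the `INIT_WORK()` can move again, so I would replace the comment with `/* hdpvr_disconnect() flushes dev->worker even if streaming never started */`.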
@@ -0,0 +1,50 @@
+From 6e140d02cb7125dc20c034d4b618ecf9734b83ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Jan 2022 20:37:30 +0100
+Subject: media: Revert "media: em28xx: add missing em28xx_close_extension"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pavel Skripkin
+
+[ Upstream commit fde18c3bac3f964d8333ae53b304d8fee430502b ]
+
+This reverts commit 2c98b8a3458df03abdc6945bbef67ef91d181938.
+
+Reverted patch causes problems with Hauppauge WinTV dualHD as Maximilian
+reported [1]. Since quick solution didn't come up let's just revert it
+to make this device work with upstream kernels.
+
+Link: https://lore.kernel.org/all/6a72a37b-e972-187d-0322-16336e12bdc5@elbmurf.de/ [1]
+
+Reported-by: Maximilian Böhm
+Tested-by: Maximilian Böhm
+Signed-off-by: Pavel Skripkin
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/usb/em28xx/em28xx-cards.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/media/usb/em28xx/em28xx-cards.c b/drivers/media/usb/em28xx/em28xx-cards.c
+index c7f79d0f3883..b14bff7b4ec8 100644
+--- a/drivers/media/usb/em28xx/em28xx-cards.c
++++ b/drivers/media/usb/em28xx/em28xx-cards.c
+@@ -4036,11 +4036,8 @@ static void em28xx_usb_disconnect(struct usb_interface *intf)
+
+ em28xx_close_extension(dev);
+
+- if (dev->dev_next) {
+- em28xx_close_extension(dev->dev_next);
++ if (dev->dev_next)
+ em28xx_release_resources(dev->dev_next);
+- }
+-
+ em28xx_release_resources(dev);
+
+ if (dev->dev_next) {
+--
+2.34.1
+
diff --git a/queue-4.19/media-stk1160-if-start-stream-fails-return-buffers-w.patch b/queue-4.19/media-stk1160-if-start-stream-fails-return-buffers-w.patch
new file mode 100644
index 00000000000..68e14458aa1
--- /dev/null
+++ b/queue-4.19/media-stk1160-if-start-stream-fails-return-buffers-w.patch
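Review bot: After this revert the `dev->dev_next` branch of `em28xx_usb_disconnect()` calls `em28xx_release_resources(dev->dev_next)` with no preceding `em28xx_close_extension(dev->dev_next)`, and nothing in the code marks that as a known gap. Whatever the reverted commit was closing for the second device is open again; the commit message accepts that trade-off, but someone reading only the function will not see it. A marker such as `/* FIXME: extensions of dev_next are not closed here, see the reverted change */` above the branch would keep the issue visible until a proper fix lands.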
@@ -0,0 +1,143 @@
+From b17c630056e3d81dbc7ba18f00f2ad61db87cd18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 25 Jan 2022 09:02:11 +0100
+Subject: media: stk1160: If start stream fails, return buffers with
+ VB2_BUF_STATE_QUEUED
+
+From: Dafna Hirschfeld
+
+[ Upstream commit fbe04b49a54e31f4321d632270207f0e6304cd16 ]
+
+If the callback 'start_streaming' fails, then all
+queued buffers in the driver should be returned with
+state 'VB2_BUF_STATE_QUEUED'. Currently, they are
+returned with 'VB2_BUF_STATE_ERROR' which is wrong.
+Fix this. This also fixes the warning:
+
+[ 65.583633] WARNING: CPU: 5 PID: 593 at drivers/media/common/videobuf2/videobuf2-core.c:1612 vb2_start_streaming+0xd4/0x160 [videobuf2_common]
+[ 65.585027] Modules linked in: snd_usb_audio snd_hwdep snd_usbmidi_lib snd_rawmidi snd_soc_hdmi_codec dw_hdmi_i2s_audio saa7115 stk1160 videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common videodev mc crct10dif_ce panfrost snd_soc_simple_card snd_soc_audio_graph_card snd_soc_spdif_tx snd_soc_simple_card_utils gpu_sched phy_rockchip_pcie snd_soc_rockchip_i2s rockchipdrm analogix_dp dw_mipi_dsi dw_hdmi cec drm_kms_helper drm rtc_rk808 rockchip_saradc industrialio_triggered_buffer kfifo_buf rockchip_thermal pcie_rockchip_host ip_tables x_tables ipv6
+[ 65.589383] CPU: 5 PID: 593 Comm: v4l2src0:src Tainted: G W 5.16.0-rc4-62408-g32447129cb30-dirty #14
+[ 65.590293] Hardware name: Radxa ROCK Pi 4B (DT)
+[ 65.590696] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[ 65.591304] pc : vb2_start_streaming+0xd4/0x160 [videobuf2_common]
+[ 65.591850] lr : vb2_start_streaming+0x6c/0x160 [videobuf2_common]
+[ 65.592395] sp : ffff800012bc3ad0
+[ 65.592685] x29: ffff800012bc3ad0 x28: 0000000000000000 x27: ffff800012bc3cd8
+[ 65.593312] x26: 0000000000000000 x25: ffff00000d8a7800 x24: 0000000040045612
+[ 65.593938] x23: ffff800011323000 x22: ffff800012bc3cd8 x21: ffff00000908a8b0
+[ 65.594562] x20: ffff00000908a8c8 x19: 00000000fffffff4 x18: ffffffffffffffff
+[ 65.595188] x17: 000000040044ffff x16: 00400034b5503510 x15: ffff800011323f78
+[ 65.595813] x14: ffff000013163886 x13: ffff000013163885 x12: 00000000000002ce
+[ 65.596439] x11: 0000000000000028 x10: 0000000000000001 x9 : 0000000000000228
+[ 65.597064] x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff726c5e78
+[ 65.597690] x5 : ffff800012bc3990 x4 : 0000000000000000 x3 : ffff000009a34880
+[ 65.598315] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000007cd99f0
+[ 65.598940] Call trace:
+[ 65.599155] vb2_start_streaming+0xd4/0x160 [videobuf2_common]
+[ 65.599672] vb2_core_streamon+0x17c/0x1a8 [videobuf2_common]
+[ 65.600179] vb2_streamon+0x54/0x88 [videobuf2_v4l2]
+[ 65.600619] vb2_ioctl_streamon+0x54/0x60 [videobuf2_v4l2]
+[ 65.601103] v4l_streamon+0x3c/0x50 [videodev]
+[ 65.601521] __video_do_ioctl+0x1a4/0x428 [videodev]
+[ 65.601977] video_usercopy+0x320/0x828 [videodev]
+[ 65.602419] video_ioctl2+0x3c/0x58 [videodev]
+[ 65.602830] v4l2_ioctl+0x60/0x90 [videodev]
+[ 65.603227] __arm64_sys_ioctl+0xa8/0xe0
+[ 65.603576] invoke_syscall+0x54/0x118
+[ 65.603911] el0_svc_common.constprop.3+0x84/0x100
+[ 65.604332] do_el0_svc+0x34/0xa0
+[ 65.604625] el0_svc+0x1c/0x50
+[ 65.604897] el0t_64_sync_handler+0x88/0xb0
+[ 65.605264] el0t_64_sync+0x16c/0x170
+[ 65.605587] ---[ end trace 578e0ba07742170d ]---
+
+Fixes: 8ac456495a33d ("[media] stk1160: Stop device and unqueue buffers when start_streaming() fails")
+Signed-off-by: Dafna Hirschfeld
+Reviewed-by: Ezequiel Garcia
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/usb/stk1160/stk1160-core.c | 2 +-
+ drivers/media/usb/stk1160/stk1160-v4l.c | 10 +++++-----
+ drivers/media/usb/stk1160/stk1160.h | 2 +-
+ 3 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/media/usb/stk1160/stk1160-core.c b/drivers/media/usb/stk1160/stk1160-core.c
+index bb0db4cdc6c7..271994bfe9c5 100644
+--- a/drivers/media/usb/stk1160/stk1160-core.c
++++ b/drivers/media/usb/stk1160/stk1160-core.c
+@@ -413,7 +413,7 @@ static void stk1160_disconnect(struct usb_interface *interface)
+ /* Here is the only place where isoc get released */
+ stk1160_uninit_isoc(dev);
+
+- stk1160_clear_queue(dev);
++ stk1160_clear_queue(dev, VB2_BUF_STATE_ERROR);
+
+ video_unregister_device(&dev->vdev);
+ v4l2_device_disconnect(&dev->v4l2_dev);
+diff --git a/drivers/media/usb/stk1160/stk1160-v4l.c b/drivers/media/usb/stk1160/stk1160-v4l.c
+index 504e413edcd2..381f9f189bb7 100644
+--- a/drivers/media/usb/stk1160/stk1160-v4l.c
++++ b/drivers/media/usb/stk1160/stk1160-v4l.c
+@@ -269,7 +269,7 @@ static int stk1160_start_streaming(struct stk1160 *dev)
+ stk1160_uninit_isoc(dev);
+ out_stop_hw:
+ usb_set_interface(dev->udev, 0, 0);
+- stk1160_clear_queue(dev);
++ stk1160_clear_queue(dev, VB2_BUF_STATE_QUEUED);
+
+ mutex_unlock(&dev->v4l_lock);
+
+@@ -317,7 +317,7 @@ static int stk1160_stop_streaming(struct stk1160 *dev)
+
+ stk1160_stop_hw(dev);
+
+- stk1160_clear_queue(dev);
++ stk1160_clear_queue(dev, VB2_BUF_STATE_ERROR);
+
+ stk1160_dbg("streaming stopped\n");
+
+@@ -762,7 +762,7 @@ static const struct video_device v4l_template = {
+ /********************************************************************/
+
+ /* Must be called with both v4l_lock and vb_queue_lock hold */
+-void stk1160_clear_queue(struct stk1160 *dev)
++void stk1160_clear_queue(struct stk1160 *dev, enum vb2_buffer_state vb2_state)
+ {
+ struct stk1160_buffer *buf;
+ unsigned long flags;
+@@ -773,7 +773,7 @@ void stk1160_clear_queue(struct stk1160 *dev)
+ buf = list_first_entry(&dev->avail_bufs,
+ struct stk1160_buffer, list);
+ list_del(&buf->list);
+- vb2_buffer_done(&buf->vb.vb2_buf, VB2_BUF_STATE_ERROR);
++ vb2_buffer_done(&buf->vb.vb2_buf, vb2_state);
+ stk1160_dbg("buffer [%p/%d] aborted\n",
+ buf, buf->vb.vb2_buf.index);
+ }
+@@ -783,7 +783,7 @@ void stk1160_clear_queue(struct stk1160 *dev)
+ buf = dev->isoc_ctl.buf;
+ dev->isoc_ctl.buf = NULL;
+
+- vb2_buffer_done(&buf->vb.vb2_buf, VB2_BUF_STATE_ERROR);
++ vb2_buffer_done(&buf->vb.vb2_buf, vb2_state);
+ stk1160_dbg("buffer [%p/%d] aborted\n",
+ buf, buf->vb.vb2_buf.index);
+ }
+diff --git a/drivers/media/usb/stk1160/stk1160.h b/drivers/media/usb/stk1160/stk1160.h
+index acd1c811db08..54a046aacd33 100644
+--- a/drivers/media/usb/stk1160/stk1160.h
++++ b/drivers/media/usb/stk1160/stk1160.h
+@@ -177,7 +177,7 @@ struct regval {
+ int stk1160_vb2_setup(struct stk1160 *dev);
+ int stk1160_video_register(struct stk1160 *dev);
+ void stk1160_video_unregister(struct stk1160 *dev);
+-void stk1160_clear_queue(struct stk1160 *dev);
++void stk1160_clear_queue(struct stk1160 *dev, enum vb2_buffer_state vb2_state);
+
+ /* Provided by stk1160-video.c */
+ int stk1160_alloc_isoc(struct stk1160 *dev);
+--
+2.34.1
+
diff --git a/queue-4.19/media-usb-go7007-s2250-board-fix-leak-in-probe.patch b/queue-4.19/media-usb-go7007-s2250-board-fix-leak-in-probe.patch
new file mode 100644
index 00000000000..bd26eec305b
--- /dev/null
+++ b/queue-4.19/media-usb-go7007-s2250-board-fix-leak-in-probe.patch
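Review bot: The comment above `stk1160_clear_queue()` in stk1160-v4l.c still documents only the locking rule and says nothing about the new `vb2_state` parameter. The three call sites in this patch encode a convention, QUEUED when `stk1160_start_streaming()` fails and ERROR on stop and disconnect, that a future caller has no way to learn from the function itself. I would extend the comment with `/* vb2_state: VB2_BUF_STATE_QUEUED if start_streaming failed, VB2_BUF_STATE_ERROR otherwise */`.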
@@ -0,0 +1,57 @@
+From 17e085ed4cd34634cd1a6af449d428f658dd5321 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 2 Feb 2022 20:52:01 +0300
+Subject: media: usb: go7007: s2250-board: fix leak in probe()
+
+From: Dan Carpenter
+
+[ Upstream commit 67e4550ecd6164bfbdff54c169e5bbf9ccfaf14d ]
+
+Call i2c_unregister_device(audio) on this error path.
+
+Fixes: d3b2ccd9e307 ("[media] s2250: convert to the control framework")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Hans Verkuil
+Signed-off-by: Sasha Levin
+---
+ drivers/media/usb/go7007/s2250-board.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/media/usb/go7007/s2250-board.c b/drivers/media/usb/go7007/s2250-board.c
+index 1466db150d82..625e77f4dbd2 100644
+--- a/drivers/media/usb/go7007/s2250-board.c
++++ b/drivers/media/usb/go7007/s2250-board.c
+@@ -512,6 +512,7 @@ static int s2250_probe(struct i2c_client *client,
+ u8 *data;
+ struct go7007 *go = i2c_get_adapdata(adapter);
+ struct go7007_usb *usb = go->hpi_context;
++ int err = -EIO;
+
+ audio = i2c_new_dummy(adapter, TLV320_ADDRESS >> 1);
+ if (audio == NULL)
+@@ -540,11 +541,8 @@ static int s2250_probe(struct i2c_client *client,
+ V4L2_CID_HUE, -512, 511, 1, 0);
+ sd->ctrl_handler = &state->hdl;
+ if (state->hdl.error) {
+- int err = state->hdl.error;
+-
+- v4l2_ctrl_handler_free(&state->hdl);
+- kfree(state);
+- return err;
++ err = state->hdl.error;
++ goto fail;
+ }
+
+ state->std = V4L2_STD_NTSC;
+@@ -608,7 +606,7 @@ static int s2250_probe(struct i2c_client *client,
+ i2c_unregister_device(audio);
+ v4l2_ctrl_handler_free(&state->hdl);
+ kfree(state);
+- return -EIO;
++ return err;
+ }
+
+ static int s2250_remove(struct i2c_client *client)
+--
+2.34.1
+
diff --git a/queue-4.19/memory-emif-add-check-for-setup_interrupts.patch b/queue-4.19/memory-emif-add-check-for-setup_interrupts.patch
new file mode 100644
index 00000000000..2a8101da790
--- /dev/null
+++ b/queue-4.19/memory-emif-add-check-for-setup_interrupts.patch
@@ -0,0 +1,49 @@
+From 041df8f8817a555f5cf96d45bc58cf43b94393de Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 24 Feb 2022 10:54:44 +0800
+Subject: memory: emif: Add check for setup_interrupts
+
+From: Jiasheng Jiang
+
+[ Upstream commit fd7bd80b46373887b390852f490f21b07e209498 ]
+
+As the potential failure of the devm_request_threaded_irq(),
+it should be better to check the return value of the
+setup_interrupts() and return error if fails.
+
+Fixes: 68b4aee35d1f ("memory: emif: add interrupt and temperature handling")
+Signed-off-by: Jiasheng Jiang
+Link: https://lore.kernel.org/r/20220224025444.3256530-1-jiasheng@iscas.ac.cn
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: Sasha Levin
+---
+ drivers/memory/emif.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/memory/emif.c b/drivers/memory/emif.c
+index 1c6b2cc6269a..8fd97b1b1efb 100644
+--- a/drivers/memory/emif.c
++++ b/drivers/memory/emif.c
+@@ -1517,7 +1517,7 @@ static int __init_or_module emif_probe(struct platform_device *pdev)
+ {
+ struct emif_data *emif;
+ struct resource *res;
+- int irq;
++ int irq, ret;
+
+ if (pdev->dev.of_node)
+ emif = of_get_memory_device_details(pdev->dev.of_node, &pdev->dev);
+@@ -1551,7 +1551,9 @@ static int __init_or_module emif_probe(struct platform_device *pdev)
+ emif_onetime_settings(emif);
+ emif_debugfs_init(emif);
+ disable_and_clear_all_interrupts(emif);
+- setup_interrupts(emif, irq);
++ ret = setup_interrupts(emif, irq);
++ if (ret)
++ goto error;
+
+ /* One-time actions taken on probing the first device */
+ if (!emif1) {
+--
+2.34.1
+
diff --git a/queue-4.19/memory-emif-check-the-pointer-temp-in-get_device_det.patch b/queue-4.19/memory-emif-check-the-pointer-temp-in-get_device_det.patch
new file mode 100644
index 00000000000..e8c969953d5
--- /dev/null
+++ b/queue-4.19/memory-emif-check-the-pointer-temp-in-get_device_det.patch
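Review bot: The new `goto error` in `emif_probe()` is taken after `emif_debugfs_init(emif)` has already run, two lines above it in the same hunk. The `error` label is outside the hunk, so I cannot see whether it removes the debugfs entries or returns `ret`; if it does neither, a failed probe leaves debugfs files that refer to an `emif` object which may be released on probe failure, and the real error code from `setup_interrupts()` is lost. Moving `emif_debugfs_init(emif)` below the new check, with `disable_and_clear_all_interrupts()` still ahead of `setup_interrupts()`, would remove the cleanup question altogether.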
@@ -0,0 +1,37 @@
+From 4e75312f3b93e862a160926538ed6e47ab24c089 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 25 Feb 2022 05:25:52 -0800
+Subject: memory: emif: check the pointer temp in get_device_details()
+
+From: Jia-Ju Bai
+
+[ Upstream commit 5b5ab1bfa1898c6d52936a57c25c5ceba2cb2f87 ]
+
+The pointer temp is allocated by devm_kzalloc(), so it should be
+checked for error handling.
+
+Fixes: 7ec944538dde ("memory: emif: add basic infrastructure for EMIF driver")
+Signed-off-by: Jia-Ju Bai
+Link: https://lore.kernel.org/r/20220225132552.27894-1-baijiaju1990@gmail.com
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: Sasha Levin
+---
+ drivers/memory/emif.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/memory/emif.c b/drivers/memory/emif.c
+index 8fd97b1b1efb..45f78b38b0da 100644
+--- a/drivers/memory/emif.c
++++ b/drivers/memory/emif.c
+@@ -1425,7 +1425,7 @@ static struct emif_data *__init_or_module get_device_details(
+ temp = devm_kzalloc(dev, sizeof(*pd), GFP_KERNEL);
+ dev_info = devm_kzalloc(dev, sizeof(*dev_info), GFP_KERNEL);
+
+- if (!emif || !pd || !dev_info) {
++ if (!emif || !temp || !dev_info) {
+ dev_err(dev, "%s:%d: allocation error\n", __func__, __LINE__);
+ goto error;
+ }
+--
+2.34.1
+
diff --git a/queue-4.19/mfd-asic3-add-missing-iounmap-on-error-asic3_mfd_pro.patch b/queue-4.19/mfd-asic3-add-missing-iounmap-on-error-asic3_mfd_pro.patch
new file mode 100644
index 00000000000..66ab5858f83
--- /dev/null
+++ b/queue-4.19/mfd-asic3-add-missing-iounmap-on-error-asic3_mfd_pro.patch
@@ -0,0 +1,59 @@
+From 94affc35bde6fbbd040bf9286c20d581b5ca5dba Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 7 Mar 2022 07:29:47 +0000
+Subject: mfd: asic3: Add missing iounmap() on error asic3_mfd_probe
+
+From: Miaoqian Lin
+
+[ Upstream commit e84ee1a75f944a0fe3c277aaa10c426603d2b0bc ]
+
+Add the missing iounmap() before return from asic3_mfd_probe
+in the error handling case.
+
+Fixes: 64e8867ba809 ("mfd: tmio_mmc hardware abstraction for CNF area")
+Signed-off-by: Miaoqian Lin
+Signed-off-by: Lee Jones
+Link: https://lore.kernel.org/r/20220307072947.5369-1-linmq006@gmail.com
+Signed-off-by: Sasha Levin
+---
+ drivers/mfd/asic3.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/mfd/asic3.c b/drivers/mfd/asic3.c
+index 1531302a50ec..75584cee0da5 100644
+--- a/drivers/mfd/asic3.c
++++ b/drivers/mfd/asic3.c
+@@ -918,14 +918,14 @@ static int __init asic3_mfd_probe(struct platform_device *pdev,
+ ret = mfd_add_devices(&pdev->dev, pdev->id,
+ &asic3_cell_ds1wm, 1, mem, asic->irq_base, NULL);
+ if (ret < 0)
+- goto out;
++ goto out_unmap;
+ }
+
+ if (mem_sdio && (irq >= 0)) {
+ ret = mfd_add_devices(&pdev->dev, pdev->id,
+ &asic3_cell_mmc, 1, mem_sdio, irq, NULL);
+ if (ret < 0)
+- goto out;
++ goto out_unmap;
+ }
+
+ ret = 0;
+@@ -939,8 +939,12 @@ static int __init asic3_mfd_probe(struct platform_device *pdev,
+ ret = mfd_add_devices(&pdev->dev, 0,
+ asic3_cell_leds, ASIC3_NUM_LEDS, NULL, 0, NULL);
+ }
++ return ret;
+
+- out:
++out_unmap:
++ if (asic->tmio_cnf)
++ iounmap(asic->tmio_cnf);
++out:
+ return ret;
+ }
+
+--
+2.34.1
+
diff --git a/queue-4.19/mfd-mc13xxx-add-check-for-mc13xxx_irq_request.patch b/queue-4.19/mfd-mc13xxx-add-check-for-mc13xxx_irq_request.patch
new file mode 100644
index 00000000000..aaabf80f834
--- /dev/null
+++ b/queue-4.19/mfd-mc13xxx-add-check-for-mc13xxx_irq_request.patch
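Review bot: In the new `out_unmap` path of asic3_mfd_probe(), `asic->tmio_cnf` keeps its old value after `iounmap()`, so any later code that tests or unmaps that pointer again (a remove path, for instance, which is not visible here) would act on a stale mapping. Clearing it closes that off: follow `iounmap(asic->tmio_cnf);` with `asic->tmio_cnf = NULL;`, both inside braces under the existing `if`. When the second `mfd_add_devices()` call (the MMC cell) fails, the DS1WM cell registered just above is also left in place; whether the caller removes it is outside the hunk. The function begins before the hunk.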
@@ -0,0 +1,41 @@
+From 1edbf9101c04ce1a0b6638f2ffd0d600e80ec8e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 24 Feb 2022 10:23:31 +0800
+Subject: mfd: mc13xxx: Add check for mc13xxx_irq_request
+
+From: Jiasheng Jiang
+
+[ Upstream commit e477e51a41cb5d6034f3c5ea85a71ad4613996b9 ]
+
+As the potential failure of the devm_request_threaded_irq(),
+it should be better to check the return value of the
+mc13xxx_irq_request() and return error if fails.
+
+Fixes: 8e00593557c3 ("mfd: Add mc13892 support to mc13xxx")
+Signed-off-by: Jiasheng Jiang
+Signed-off-by: Lee Jones
+Link: https://lore.kernel.org/r/20220224022331.3208275-1-jiasheng@iscas.ac.cn
+Signed-off-by: Sasha Levin
+---
+ drivers/mfd/mc13xxx-core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mfd/mc13xxx-core.c b/drivers/mfd/mc13xxx-core.c
+index d0bf50e3568d..dcbb969af5f4 100644
+--- a/drivers/mfd/mc13xxx-core.c
++++ b/drivers/mfd/mc13xxx-core.c
+@@ -326,8 +326,10 @@ int mc13xxx_adc_do_conversion(struct mc13xxx *mc13xxx, unsigned int mode,
+ adc1 |= MC13783_ADC1_ATOX;
+
+ dev_dbg(mc13xxx->dev, "%s: request irq\n", __func__);
+- mc13xxx_irq_request(mc13xxx, MC13XXX_IRQ_ADCDONE,
++ ret = mc13xxx_irq_request(mc13xxx, MC13XXX_IRQ_ADCDONE,
+ mc13xxx_handler_adcdone, __func__, &adcdone_data);
++ if (ret)
++ goto out;
+
+ mc13xxx_reg_write(mc13xxx, MC13XXX_ADC0, adc0);
+ mc13xxx_reg_write(mc13xxx, MC13XXX_ADC1, adc1);
+--
+2.34.1
+
diff --git a/queue-4.19/mips-rb532-fix-return-value-of-__setup-handler.patch b/queue-4.19/mips-rb532-fix-return-value-of-__setup-handler.patch
new file mode 100644
index 00000000000..efdf8014fab
--- /dev/null
+++ b/queue-4.19/mips-rb532-fix-return-value-of-__setup-handler.patch
@@ -0,0 +1,57 @@
+From caec9be624e35acb0f77f120b95fefa9aab784ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 11 Mar 2022 20:20:26 -0800
+Subject: MIPS: RB532: fix return value of __setup handler
+
+From: Randy Dunlap
+
+[ Upstream commit 8755d57ba1ff910666572fab9e32890e8cc6ed3b ]
+
+__setup() handlers should return 1 to obsolete_checksetup() in
+init/main.c to indicate that the boot option has been handled.
+A return of 0 causes the boot option/value to be listed as an Unknown
+kernel parameter and added to init's (limited) argument or environment
+strings. Also, error return codes don't mean anything to
+obsolete_checksetup() -- only non-zero (usually 1) or zero.
+So return 1 from setup_kmac().
+
+Fixes: 9e21c7e40b7e ("MIPS: RB532: Replace parse_mac_addr() with mac_pton().")
+Fixes: 73b4390fb234 ("[MIPS] Routerboard 532: Support for base system")
+Signed-off-by: Randy Dunlap
+From: Igor Zhbanov
+Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru
+Cc: Thomas Bogendoerfer
+Cc: linux-mips@vger.kernel.org
+Cc: "David S. Miller"
+Cc: Jakub Kicinski
+Cc: Phil Sutter
+Cc: Florian Fainelli
+Cc: Ralf Baechle
+Cc: Daniel Walter
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Sasha Levin
+---
+ arch/mips/rb532/devices.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/arch/mips/rb532/devices.c b/arch/mips/rb532/devices.c
+index 354d258396ff..6624fe15839a 100644
+--- a/arch/mips/rb532/devices.c
++++ b/arch/mips/rb532/devices.c
+@@ -315,11 +315,9 @@ static int __init plat_setup_devices(void)
+ static int __init setup_kmac(char *s)
+ {
+ printk(KERN_INFO "korina mac = %s\n", s);
+- if (!mac_pton(s, korina_dev0_data.mac)) {
++ if (!mac_pton(s, korina_dev0_data.mac))
+ printk(KERN_ERR "Invalid mac\n");
+- return -EINVAL;
+- }
+- return 0;
++ return 1;
+ }
+
+ __setup("kmac=", setup_kmac);
+--
+2.34.1
+
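Review bot: setup_kmac() now returns 1 even when `mac_pton()` rejects the string, which reads like a dropped error path unless the reason is written next to the code. A short comment above the final return would keep it from being "fixed" back later, e.g. `/* __setup() handlers return 1 for "handled"; error codes are not interpreted by the caller */`. The comment should also say that an invalid `kmac=` value is reported only through the `Invalid mac` log line and that `korina_dev0_data.mac` is presumably left as it was, which is worth confirming against mac_pton().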
diff --git a/queue-4.19/mmc-davinci_mmc-handle-error-for-clk_enable.patch b/queue-4.19/mmc-davinci_mmc-handle-error-for-clk_enable.patch
new file mode 100644
index 00000000000..6d3cf6b98cd
--- /dev/null
+++ b/queue-4.19/mmc-davinci_mmc-handle-error-for-clk_enable.patch
@@ -0,0 +1,43 @@
+From e4ce1f8911e10fe8583e9f39a37eb4312ed9759b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 8 Mar 2022 15:14:15 +0800
+Subject: mmc: davinci_mmc: Handle error for clk_enable
+
+From: Jiasheng Jiang
+
+[ Upstream commit 09e7af76db02c74f2a339b3cb2d95460fa2ddbe4 ]
+
+As the potential failure of the clk_enable(),
+it should be better to check it and return error
+if fails.
+
+Fixes: bbce5802afc5 ("davinci: mmc: updates to suspend/resume implementation")
+Signed-off-by: Jiasheng Jiang
+Link: https://lore.kernel.org/r/20220308071415.1093393-1-jiasheng@iscas.ac.cn
+Signed-off-by: Ulf Hansson
+Signed-off-by: Sasha Levin
+---
+ drivers/mmc/host/davinci_mmc.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/davinci_mmc.c b/drivers/mmc/host/davinci_mmc.c
+index e6f14257a7d0..70d04962f53a 100644
+--- a/drivers/mmc/host/davinci_mmc.c
++++ b/drivers/mmc/host/davinci_mmc.c
+@@ -1389,8 +1389,12 @@ static int davinci_mmcsd_suspend(struct device *dev)
+ static int davinci_mmcsd_resume(struct device *dev)
+ {
+ struct mmc_davinci_host *host = dev_get_drvdata(dev);
++ int ret;
++
++ ret = clk_enable(host->clk);
++ if (ret)
++ return ret;
+
+- clk_enable(host->clk);
+ mmc_davinci_reset_ctrl(host, 0);
+
+ return 0;
+--
+2.34.1
+
diff --git a/queue-4.19/mmc-host-return-an-error-when-enable_sdio_irq-ops-is.patch b/queue-4.19/mmc-host-return-an-error-when-enable_sdio_irq-ops-is.patch
new file mode 100644
index 00000000000..b91d5483bd5
--- /dev/null
+++ b/queue-4.19/mmc-host-return-an-error-when-enable_sdio_irq-ops-is.patch
@@ -0,0 +1,60 @@
+From 3dd08d0f7d0cf1f83bede11682f8e67bcd8c7005 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 3 Mar 2022 17:51:42 +0100
+Subject: mmc: host: Return an error when ->enable_sdio_irq() ops is missing
+
+From: Ulf Hansson
+
+[ Upstream commit d6c9219ca1139b74541b2a98cee47a3426d754a9 ]
+
+Even if the current WARN() notifies the user that something is severely
+wrong, we can still end up in a PANIC() when trying to invoke the missing
+->enable_sdio_irq() ops. Therefore, let's also return an error code and
+prevent the host from being added.
+
+While at it, move the code into a separate function to prepare for
+subsequent changes and for further host caps validations.
+
+Signed-off-by: Ulf Hansson
+Link: https://lore.kernel.org/r/20220303165142.129745-1-ulf.hansson@linaro.org
+Signed-off-by: Sasha Levin
+---
+ drivers/mmc/core/host.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mmc/core/host.c b/drivers/mmc/core/host.c
+index dd1c14d8f686..9de8a3553d42 100644
+--- a/drivers/mmc/core/host.c
++++ b/drivers/mmc/core/host.c
+@@ -413,6 +413,16 @@ struct mmc_host *mmc_alloc_host(int extra, struct device *dev)
+
+ EXPORT_SYMBOL(mmc_alloc_host);
+
++static int mmc_validate_host_caps(struct mmc_host *host)
++{
++ if (host->caps & MMC_CAP_SDIO_IRQ && !host->ops->enable_sdio_irq) {
++ dev_warn(host->parent, "missing ->enable_sdio_irq() ops\n");
++ return -EINVAL;
++ }
++
++ return 0;
++}
++
+ /**
+ * mmc_add_host - initialise host hardware
+ * @host: mmc host
+@@ -425,8 +435,9 @@ int mmc_add_host(struct mmc_host *host)
+ {
+ int err;
+
+- WARN_ON((host->caps & MMC_CAP_SDIO_IRQ) &&
+- !host->ops->enable_sdio_irq);
++ err = mmc_validate_host_caps(host);
++ if (err)
++ return err;
+
+ err = device_add(&host->class_dev);
+ if (err)
+--
+2.34.1
+
diff --git a/queue-4.19/mtd-onenand-check-for-error-irq.patch b/queue-4.19/mtd-onenand-check-for-error-irq.patch
new file mode 100644
index 00000000000..0f5eb063739
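Review bot: In mmc_validate_host_caps() the condition `host->caps & MMC_CAP_SDIO_IRQ && !host->ops->enable_sdio_irq` relies on `&` binding tighter than `&&`; the removed WARN_ON spelled the grouping out and the new line should as well: `if ((host->caps & MMC_CAP_SDIO_IRQ) && !host->ops->enable_sdio_irq) {`. Since the host is now refused rather than merely warned about, `dev_err()` would match the severity better than `dev_warn()`. A one-line comment on the helper, stating that it runs before `device_add()` and returns 0 or -EINVAL, would help the further caps checks the description anticipates.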
--- /dev/null
+++ b/queue-4.19/mtd-onenand-check-for-error-irq.patch
@@ -0,0 +1,47 @@
+From d7a8323b1454442696b84be42f51eb92a1ca4938 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 5 Jan 2022 00:26:58 +0800
+Subject: mtd: onenand: Check for error irq
+
+From: Jiasheng Jiang
+
+[ Upstream commit 3e68f331c8c759c0daa31cc92c3449b23119a215 ]
+
+For the possible failure of the platform_get_irq(), the returned irq
+could be error number and will finally cause the failure of the
+request_irq().
+Consider that platform_get_irq() can now in certain cases return
+-EPROBE_DEFER, and the consequences of letting request_irq() effectively
+convert that into -EINVAL, even at probe time rather than later on.
+So it might be better to check just now.
+
+Fixes: 2c22120fbd01 ("MTD: OneNAND: interrupt based wait support")
+Signed-off-by: Jiasheng Jiang
+Signed-off-by: Miquel Raynal
+Link: https://lore.kernel.org/linux-mtd/20220104162658.1988142-1-jiasheng@iscas.ac.cn
+Signed-off-by: Sasha Levin
+---
+ drivers/mtd/nand/onenand/generic.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/nand/onenand/generic.c b/drivers/mtd/nand/onenand/generic.c
+index acad17ec6581..bfb5cee1b472 100644
+--- a/drivers/mtd/nand/onenand/generic.c
++++ b/drivers/mtd/nand/onenand/generic.c
+@@ -56,7 +56,12 @@ static int generic_onenand_probe(struct platform_device *pdev)
+ }
+
+ info->onenand.mmcontrol = pdata ? pdata->mmcontrol : NULL;
+- info->onenand.irq = platform_get_irq(pdev, 0);
++
++ err = platform_get_irq(pdev, 0);
++ if (err < 0)
++ goto out_iounmap;
++
++ info->onenand.irq = err;
+
+ info->mtd.dev.parent = &pdev->dev;
+ info->mtd.priv = &info->onenand;
+--
+2.34.1
+
diff --git a/queue-4.19/mtd-rawnand-atmel-fix-refcount-issue-in-atmel_nand_c.patch b/queue-4.19/mtd-rawnand-atmel-fix-refcount-issue-in-atmel_nand_c.patch
new file mode 100644
index 00000000000..a3d1b026cd3
--- /dev/null
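Review bot: The added check in generic_onenand_probe() turns every negative return from `platform_get_irq()` into a probe failure, where the old code stored the value in `info->onenand.irq` and carried on. If the OneNAND core treats a non-positive irq as "no interrupt, fall back to polled waits" (not visible in this hunk, so to be confirmed), boards that describe no IRQ would stop probing after this change; in that case only the deferral case needs to abort, `if (err == -EPROBE_DEFER) goto out_iounmap;`. Holding an IRQ number in a variable named `err` is also easy to misread; a local `irq` would be clearer. The function starts before the hunk and continues after it.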
+++ b/queue-4.19/mtd-rawnand-atmel-fix-refcount-issue-in-atmel_nand_c.patch
@@ -0,0 +1,75 @@
+From 7800540f015ec1faaaae9c32d0a1083fb6dc73f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 4 Mar 2022 16:53:32 +0800
+Subject: mtd: rawnand: atmel: fix refcount issue in atmel_nand_controller_init
+
+From: Xin Xiong
+
+[ Upstream commit fecbd4a317c95d73c849648c406bcf1b6a0ec1cf ]
+
+The reference counting issue happens in several error handling paths
+on a refcounted object "nc->dmac". In these paths, the function simply
+returns the error code, forgetting to balance the reference count of
+"nc->dmac", increased earlier by dma_request_channel(), which may
+cause refcount leaks.
+
+Fix it by decrementing the refcount of specific object in those error
+paths.
+
+Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver")
+Co-developed-by: Xiyu Yang
+Signed-off-by: Xiyu Yang
+Co-developed-by: Xin Tan
+Signed-off-by: Xin Tan
+Signed-off-by: Xin Xiong
+Reviewed-by: Claudiu Beznea
+Signed-off-by: Miquel Raynal
+Link: https://lore.kernel.org/linux-mtd/20220304085330.3610-1-xiongx18@fudan.edu.cn
+Signed-off-by: Sasha Levin
+---
+ drivers/mtd/nand/raw/atmel/nand-controller.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/mtd/nand/raw/atmel/nand-controller.c b/drivers/mtd/nand/raw/atmel/nand-controller.c
+index 788762930487..b2ffd22fec31 100644
+--- a/drivers/mtd/nand/raw/atmel/nand-controller.c
++++ b/drivers/mtd/nand/raw/atmel/nand-controller.c
+@@ -1984,13 +1984,15 @@ static int atmel_nand_controller_init(struct atmel_nand_controller *nc,
+ nc->mck = of_clk_get(dev->parent->of_node, 0);
+ if (IS_ERR(nc->mck)) {
+ dev_err(dev, "Failed to retrieve MCK clk\n");
+- return PTR_ERR(nc->mck);
++ ret = PTR_ERR(nc->mck);
++ goto out_release_dma;
+ }
+
+ np = of_parse_phandle(dev->parent->of_node, "atmel,smc", 0);
+ if (!np) {
+ dev_err(dev, "Missing or invalid atmel,smc property\n");
+- return -EINVAL;
++ ret = -EINVAL;
++ goto out_release_dma;
+ }
+
+ nc->smc = syscon_node_to_regmap(np);
+@@ -1998,10 +2000,16 @@ static int atmel_nand_controller_init(struct atmel_nand_controller *nc,
+ if (IS_ERR(nc->smc)) {
+ ret = PTR_ERR(nc->smc);
+ dev_err(dev, "Could not get SMC regmap (err = %d)\n", ret);
+- return ret;
++ goto out_release_dma;
+ }
+
+ return 0;
++
++out_release_dma:
++ if (nc->dmac)
++ dma_release_channel(nc->dmac);
++
++ return ret;
+ }
+
+ static int
+--
+2.34.1
+
diff --git a/queue-4.19/mxser-fix-xmit_buf-leak-in-activate-when-lsr-0xff.patch b/queue-4.19/mxser-fix-xmit_buf-leak-in-activate-when-lsr-0xff.patch
new file mode 100644
index 00000000000..bc5389816f8
--- /dev/null
+++ b/queue-4.19/mxser-fix-xmit_buf-leak-in-activate-when-lsr-0xff.patch
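Review bot: The new `out_release_dma` label in atmel_nand_controller_init() releases only the DMA channel, yet two of the paths that jump to it (the missing `atmel,smc` property and the failed `syscon_node_to_regmap()`) run after `nc->mck = of_clk_get(...)` has succeeded. Unless the caller drops the clock on failure, which is outside the hunk, that reference leaks the same way the DMA channel did; a second label that does `clk_put(nc->mck);` and then falls through to the DMA release would cover it. Setting `nc->dmac = NULL;` after `dma_release_channel(nc->dmac);` would also keep a later teardown from releasing the channel a second time. The function starts before the hunk.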
@@ -0,0 +1,76 @@
+From ee7e835b911473a786a278ec44477daf3f840af4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 24 Jan 2022 08:14:24 +0100
+Subject: mxser: fix xmit_buf leak in activate when LSR == 0xff
+
+From: Jiri Slaby
+
+[ Upstream commit cd3a4907ee334b40d7aa880c7ab310b154fd5cd4 ]
+
+When LSR is 0xff in ->activate() (rather unlike), we return an error.
+Provided ->shutdown() is not called when ->activate() fails, nothing
+actually frees the buffer in this case.
+
+Fix this by properly freeing the buffer in a designated label. We jump
+there also from the "!info->type" if now too.
+
+Fixes: 6769140d3047 ("tty: mxser: use the tty_port_open method")
+Signed-off-by: Jiri Slaby
+Link: https://lore.kernel.org/r/20220124071430.14907-6-jslaby@suse.cz
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/mxser.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/tty/mxser.c b/drivers/tty/mxser.c
+index 8bc15cb67a58..88eb90361a89 100644
+--- a/drivers/tty/mxser.c
++++ b/drivers/tty/mxser.c
+@@ -861,6 +861,7 @@ static int mxser_activate(struct tty_port *port, struct tty_struct *tty)
+ struct mxser_port *info = container_of(port, struct mxser_port, port);
+ unsigned long page;
+ unsigned long flags;
++ int ret;
+
+ page = __get_free_page(GFP_KERNEL);
+ if (!page)
+@@ -870,9 +871,9 @@ static int mxser_activate(struct tty_port *port, struct tty_struct *tty)
+
+ if (!info->ioaddr || !info->type) {
+ set_bit(TTY_IO_ERROR, &tty->flags);
+- free_page(page);
+ spin_unlock_irqrestore(&info->slock, flags);
+- return 0;
++ ret = 0;
++ goto err_free_xmit;
+ }
+ info->port.xmit_buf = (unsigned char *) page;
+
+@@ -898,8 +899,10 @@ static int mxser_activate(struct tty_port *port, struct tty_struct *tty)
+ if (capable(CAP_SYS_ADMIN)) {
+ set_bit(TTY_IO_ERROR, &tty->flags);
+ return 0;
+- } else
+- return -ENODEV;
++ }
++
++ ret = -ENODEV;
++ goto err_free_xmit;
+ }
+
+ /*
+@@ -944,6 +947,10 @@ static int mxser_activate(struct tty_port *port, struct tty_struct *tty)
+ spin_unlock_irqrestore(&info->slock, flags);
+
+ return 0;
++err_free_xmit:
++ free_page(page);
++ info->port.xmit_buf = NULL;
++ return ret;
+ }
+
+ /*
+--
+2.34.1
+
diff --git a/queue-4.19/net-bcmgenet-use-stronger-register-read-writes-to-as.patch b/queue-4.19/net-bcmgenet-use-stronger-register-read-writes-to-as.patch
new file mode 100644
index 00000000000..64c7c9f3b0d
--- /dev/null
+++ b/queue-4.19/net-bcmgenet-use-stronger-register-read-writes-to-as.patch
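Review bot: At `err_free_xmit` in mxser_activate() the page is freed before `info->port.xmit_buf` is cleared, so on the `-ENODEV` path, where the buffer has already been published, there is a short window in which the port still points at a freed page. Whether anything can read the pointer at that moment (an interrupt handler, for example) and whether `info->slock` is still held there is not visible in these hunks, but the order is cheap to make safe: `info->port.xmit_buf = NULL;` first, then `free_page(page);`. On the `!info->ioaddr || !info->type` path the buffer was never assigned, so the store is harmless there. Parts of the function body lie between the hunks and are not shown.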
@@ -0,0 +1,115 @@
+From 073820fc026d94c7f3aa9320dae316553c533aec Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 9 Mar 2022 22:53:58 -0600
+Subject: net: bcmgenet: Use stronger register read/writes to assure ordering
+
+From: Jeremy Linton
+
+[ Upstream commit 8d3ea3d402db94b61075617e71b67459a714a502 ]
+
+GCC12 appears to be much smarter about its dependency tracking and is
+aware that the relaxed variants are just normal loads and stores and
+this is causing problems like:
+
+[ 210.074549] ------------[ cut here ]------------
+[ 210.079223] NETDEV WATCHDOG: enabcm6e4ei0 (bcmgenet): transmit queue 1 timed out
+[ 210.086717] WARNING: CPU: 1 PID: 0 at net/sched/sch_generic.c:529 dev_watchdog+0x234/0x240
+[ 210.095044] Modules linked in: genet(E) nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat]
+[ 210.146561] ACPI CPPC: PCC check channel failed for ss: 0. ret=-110
+[ 210.146927] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G E 5.17.0-rc7G12+ #58
+[ 210.153226] CPPC Cpufreq:cppc_scale_freq_workfn: failed to read perf counters
+[ 210.161349] Hardware name: Raspberry Pi Foundation Raspberry Pi 4 Model B/Raspberry Pi 4 Model B, BIOS EDK2-DEV 02/08/2022
+[ 210.161353] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[ 210.161358] pc : dev_watchdog+0x234/0x240
+[ 210.161364] lr : dev_watchdog+0x234/0x240
+[ 210.161368] sp : ffff8000080a3a40
+[ 210.161370] x29: ffff8000080a3a40 x28: ffffcd425af87000 x27: ffff8000080a3b20
+[ 210.205150] x26: ffffcd425aa00000 x25: 0000000000000001 x24: ffffcd425af8ec08
+[ 210.212321] x23: 0000000000000100 x22: ffffcd425af87000 x21: ffff55b142688000
+[ 210.219491] x20: 0000000000000001 x19: ffff55b1426884c8 x18: ffffffffffffffff
+[ 210.226661] x17: 64656d6974203120 x16: 0000000000000001 x15: 6d736e617274203a
+[ 210.233831] x14: 2974656e65676d63 x13: ffffcd4259c300d8 x12: ffffcd425b07d5f0
+[ 210.241001] x11: 00000000ffffffff x10: ffffcd425b07d5f0 x9 : ffffcd4258bdad9c
+[ 210.248171] x8 : 00000000ffffdfff x7 : 000000000000003f x6 : 0000000000000000
+[ 210.255341] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000001000
+[ 210.262511] x2 : 0000000000001000 x1 : 0000000000000005 x0 : 0000000000000044
+[ 210.269682] Call trace:
+[ 210.272133] dev_watchdog+0x234/0x240
+[ 210.275811] call_timer_fn+0x3c/0x15c
+[ 210.279489] __run_timers.part.0+0x288/0x310
+[ 210.283777] run_timer_softirq+0x48/0x80
+[ 210.287716] __do_softirq+0x128/0x360
+[ 210.291392] __irq_exit_rcu+0x138/0x140
+[ 210.295243] irq_exit_rcu+0x1c/0x30
+[ 210.298745] el1_interrupt+0x38/0x54
+[ 210.302334] el1h_64_irq_handler+0x18/0x24
+[ 210.306445] el1h_64_irq+0x7c/0x80
+[ 210.309857] arch_cpu_idle+0x18/0x2c
+[ 210.313445] default_idle_call+0x4c/0x140
+[ 210.317470] cpuidle_idle_call+0x14c/0x1a0
+[ 210.321584] do_idle+0xb0/0x100
+[ 210.324737] cpu_startup_entry+0x30/0x8c
+[ 210.328675] secondary_start_kernel+0xe4/0x110
+[ 210.333138] __secondary_switched+0x94/0x98
+
+The assumption when these were relaxed seems to be that device memory
+would be mapped non reordering, and that other constructs
+(spinlocks/etc) would provide the barriers to assure that packet data
+and in memory rings/queues were ordered with respect to device
+register reads/writes. This itself seems a bit sketchy, but the real
+problem with GCC12 is that it is moving the actual reads/writes around
+at will as though they were independent operations when in truth they
+are not, but the compiler can't know that. When looking at the
+assembly dumps for many of these routines its possible to see very
+clean, but not strictly in program order operations occurring as the
+compiler would be free to do if these weren't actually register
+reads/write operations.
+
+Its possible to suppress the timeout with a liberal bit of dma_mb()'s
+sprinkled around but the device still seems unable to reliably
+send/receive data. A better plan is to use the safer readl/writel
+everywhere.
+
+Since this partially reverts an older commit, which notes the use of
+the relaxed variants for performance reasons. I would suggest that
+any performance problems with this commit are targeted at relaxing only
+the performance critical code paths after assuring proper barriers.
+
+Fixes: 69d2ea9c79898 ("net: bcmgenet: Use correct I/O accessors")
+Reported-by: Peter Robinson
+Signed-off-by: Jeremy Linton
+Acked-by: Peter Robinson
+Tested-by: Peter Robinson
+Acked-by: Florian Fainelli
+Link: https://lore.kernel.org/r/20220310045358.224350-1-jeremy.linton@arm.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+index d4be107ea4cd..c78b687a1443 100644
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -83,7 +83,7 @@ static inline void bcmgenet_writel(u32 value, void __iomem *offset)
+ if (IS_ENABLED(CONFIG_MIPS) && IS_ENABLED(CONFIG_CPU_BIG_ENDIAN))
+ __raw_writel(value, offset);
+ else
+- writel_relaxed(value, offset);
++ writel(value, offset);
+ }
+
+ static inline u32 bcmgenet_readl(void __iomem *offset)
+@@ -91,7 +91,7 @@ static inline u32 bcmgenet_readl(void __iomem *offset)
+ if (IS_ENABLED(CONFIG_MIPS) && IS_ENABLED(CONFIG_CPU_BIG_ENDIAN))
+ return __raw_readl(offset);
+ else
+- return readl_relaxed(offset);
++ return readl(offset);
+ }
+
+ static inline void dmadesc_set_length_status(struct bcmgenet_priv *priv,
+--
+2.34.1
+
diff --git a/queue-4.19/net-phy-broadcom-fix-brcm_fet_config_init.patch b/queue-4.19/net-phy-broadcom-fix-brcm_fet_config_init.patch
new file mode 100644
index 00000000000..6cf69179e43
--- /dev/null
+++ b/queue-4.19/net-phy-broadcom-fix-brcm_fet_config_init.patch
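Review bot: Only the `else` branches of bcmgenet_writel() and bcmgenet_readl() get the ordered accessors; the big-endian MIPS branch still uses `__raw_writel()` / `__raw_readl()`, which carry no ordering guarantee either. If the compiler reordering described in the commit message can also affect that configuration, it is left exactly as it was. At minimum a comment on the two helpers should record why the relaxed variants were dropped, e.g. `/* readl/writel, not the _relaxed forms: register accesses must stay ordered against ring and descriptor memory */`, so a later performance pass does not revert it blindly.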
@@ -0,0 +1,79 @@
+From fd4e9e81a59d4bc2fbcc362791c2c67c8612a9ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 24 Mar 2022 16:24:38 -0700
+Subject: net: phy: broadcom: Fix brcm_fet_config_init()
+
+From: Florian Fainelli
+
+[ Upstream commit bf8bfc4336f7a34e48b3bbd19b1542bf085bdc3d ]
+
+A Broadcom AC201 PHY (same entry as 5241) would be flagged by the
+Broadcom UniMAC MDIO controller as not completing the turn around
+properly since the PHY expects 65 MDC clock cycles to complete a write
+cycle, and the MDIO controller was only sending 64 MDC clock cycles as
+determined by looking at a scope shot.
+
+This would make the subsequent read fail with the UniMAC MDIO controller
+command field having MDIO_READ_FAIL set and we would abort the
+brcm_fet_config_init() function and thus not probe the PHY at all.
+
+After issuing a software reset, wait for at least 1ms which is well
+above the 1us reset delay advertised by the datasheet and issue a dummy
+read to let the PHY turn around the line properly. This read
+specifically ignores -EIO which would be returned by MDIO controllers
+checking for the line being turned around.
+
+If we have a genuine reaad failure, the next read of the interrupt
+status register would pick it up anyway.
+
+Fixes: d7a2ed9248a3 ("broadcom: Add AC131 phy support")
+Signed-off-by: Florian Fainelli
+Link: https://lore.kernel.org/r/20220324232438.1156812-1-f.fainelli@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/phy/broadcom.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/drivers/net/phy/broadcom.c b/drivers/net/phy/broadcom.c
+index e86ea105c802..94622d119abc 100644
+--- a/drivers/net/phy/broadcom.c
++++ b/drivers/net/phy/broadcom.c
+@@ -15,6 +15,7 @@
+ */
+
+ #include "bcm-phy-lib.h"
++#include
+ #include
+ #include
+ #include
+@@ -462,6 +463,26 @@ static int brcm_fet_config_init(struct phy_device *phydev)
+ if (err < 0)
+ return err;
+
++ /* The datasheet indicates the PHY needs up to 1us to complete a reset,
++ * build some slack here.
++ */
++ usleep_range(1000, 2000);
++
++ /* The PHY requires 65 MDC clock cycles to complete a write operation
++ * and turnaround the line properly.
++ *
++ * We ignore -EIO here as the MDIO controller (e.g.: mdio-bcm-unimac)
++ * may flag the lack of turn-around as a read failure. This is
++ * particularly true with this combination since the MDIO controller
++ * only used 64 MDC cycles. This is not a critical failure in this
++ * specific case and it has no functional impact otherwise, so we let
++ * that one go through. If there is a genuine bus error, the next read
++ * of MII_BRCM_FET_INTREG will error out.
++ */
++ err = phy_read(phydev, MII_BMCR);
++ if (err < 0 && err != -EIO)
++ return err;
++
+ reg = phy_read(phydev, MII_BRCM_FET_INTREG);
+ if (reg < 0)
+ return reg;
+--
+2.34.1
+
diff --git a/queue-4.19/net-x25-fix-null-ptr-deref-caused-by-x25_disconnect.patch b/queue-4.19/net-x25-fix-null-ptr-deref-caused-by-x25_disconnect.patch
new file mode 100644
index 00000000000..38af75a04d2
--- /dev/null
+++ b/queue-4.19/net-x25-fix-null-ptr-deref-caused-by-x25_disconnect.patch
@@ -0,0 +1,65 @@
+From c925b4b21c686b42b6289ead888b4f774cda56de Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 26 Mar 2022 18:43:46 +0800
+Subject: net/x25: Fix null-ptr-deref caused by x25_disconnect
+
+From: Duoming Zhou
+
+[ Upstream commit 7781607938c8371d4c2b243527430241c62e39c2 ]
+
+When the link layer is terminating, x25->neighbour will be set to NULL
+in x25_disconnect(). As a result, it could cause null-ptr-deref bugs in
+x25_sendmsg(),x25_recvmsg() and x25_connect(). One of the bugs is
+shown below.
+
+ (Thread 1) | (Thread 2)
+x25_link_terminated() | x25_recvmsg()
+ x25_kill_by_neigh() | ...
+ x25_disconnect() | lock_sock(sk)
+ ... | ...
+ x25->neighbour = NULL //(1) |
+ ... | x25->neighbour->extended //(2)
+
+The code sets NULL to x25->neighbour in position (1) and dereferences
+x25->neighbour in position (2), which could cause null-ptr-deref bug.
+
+This patch adds lock_sock() in x25_kill_by_neigh() in order to synchronize
+with x25_sendmsg(), x25_recvmsg() and x25_connect(). What`s more, the
+sock held by lock_sock() is not NULL, because it is extracted from x25_list
+and uses x25_list_lock to synchronize.
+
+Fixes: 4becb7ee5b3d ("net/x25: Fix x25_neigh refcnt leak when x25 disconnect")
+Signed-off-by: Duoming Zhou
+Reviewed-by: Lin Ma
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/x25/af_x25.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
+index f87002792836..77d8adb27ec7 100644
+--- a/net/x25/af_x25.c
++++ b/net/x25/af_x25.c
+@@ -1797,10 +1797,15 @@ void x25_kill_by_neigh(struct x25_neigh *nb)
+
+ write_lock_bh(&x25_list_lock);
+
+- sk_for_each(s, &x25_list)
+- if (x25_sk(s)->neighbour == nb)
++ sk_for_each(s, &x25_list) {
++ if (x25_sk(s)->neighbour == nb) {
++ write_unlock_bh(&x25_list_lock);
++ lock_sock(s);
+ x25_disconnect(s, ENETUNREACH, 0, 0);
+-
++ release_sock(s);
++ write_lock_bh(&x25_list_lock);
++ }
++ }
+ write_unlock_bh(&x25_list_lock);
+
+ /* Remove any related forwards */
+--
+2.34.1
+
diff --git a/queue-4.19/netfilter-nf_conntrack_tcp-preserve-liberal-flag-in-.patch b/queue-4.19/netfilter-nf_conntrack_tcp-preserve-liberal-flag-in-.patch
new file mode 100644
index 00000000000..cdc00f0bba4
--- /dev/null
+++ b/queue-4.19/netfilter-nf_conntrack_tcp-preserve-liberal-flag-in-.patch
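Review bot: The loop in x25_kill_by_neigh() drops `x25_list_lock` before `lock_sock(s)` without taking a reference on `s`, and then continues `sk_for_each()` from `s` after re-taking the lock. While the lock is dropped the socket can be unlinked or freed by another path and the list can change, so both the `lock_sock(s)` call and the next iteration step may touch stale memory. Hold the socket across the unlocked section and restart the walk afterwards, as sketched below; the restart terminates as long as x25_disconnect() clears `x25->neighbour`, which the commit message says it does. The function starts before the hunk and continues after it.

```c
	write_lock_bh(&x25_list_lock);

restart:
	sk_for_each(s, &x25_list) {
		if (x25_sk(s)->neighbour == nb) {
			/* pin the socket: the list lock is dropped below */
			sock_hold(s);
			write_unlock_bh(&x25_list_lock);
			lock_sock(s);
			x25_disconnect(s, ENETUNREACH, 0, 0);
			release_sock(s);
			sock_put(s);
			write_lock_bh(&x25_list_lock);
			/* the list may have changed while it was unlocked */
			goto restart;
		}
	}
	write_unlock_bh(&x25_list_lock);
	/* … unchanged: removal of related forwards … */
```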
@@ -0,0 +1,71 @@
+From 2ab39aabc8cfaea21659a3fb3d352297fb3889c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 21 Mar 2022 11:38:32 +0100
+Subject: netfilter: nf_conntrack_tcp: preserve liberal flag in tcp options
+
+From: Pablo Neira Ayuso
+
+[ Upstream commit f2dd495a8d589371289981d5ed33e6873df94ecc ]
+
+Do not reset IP_CT_TCP_FLAG_BE_LIBERAL flag in out-of-sync scenarios
+coming before the TCP window tracking, otherwise such connections will
+fail in the window check.
+
+Update tcp_options() to leave this flag in place and add a new helper
+function to reset the tcp window state.
+
+Based on patch from Sven Auhagen.
+
+Fixes: c4832c7bbc3f ("netfilter: nf_ct_tcp: improve out-of-sync situation in TCP tracking")
+Tested-by: Sven Auhagen
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_conntrack_proto_tcp.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
+index 40f8a1252394..66cda5e2d6b9 100644
+--- a/net/netfilter/nf_conntrack_proto_tcp.c
++++ b/net/netfilter/nf_conntrack_proto_tcp.c
+@@ -362,8 +362,8 @@ static void tcp_options(const struct sk_buff *skb,
+ length, buff);
+ BUG_ON(ptr == NULL);
+
+- state->td_scale =
+- state->flags = 0;
++ state->td_scale = 0;
++ state->flags &= IP_CT_TCP_FLAG_BE_LIBERAL;
+
+ while (length > 0) {
+ int opcode=*ptr++;
+@@ -784,6 +784,16 @@ static bool nf_conntrack_tcp_established(const struct nf_conn *ct)
+ test_bit(IPS_ASSURED_BIT, &ct->status);
+ }
+
++static void nf_ct_tcp_state_reset(struct ip_ct_tcp_state *state)
++{
++ state->td_end = 0;
++ state->td_maxend = 0;
++ state->td_maxwin = 0;
++ state->td_maxack = 0;
++ state->td_scale = 0;
++ state->flags &= IP_CT_TCP_FLAG_BE_LIBERAL;
++}
++
+ /* Returns verdict for packet, or -1 for invalid. */
+ static int tcp_packet(struct nf_conn *ct,
+ const struct sk_buff *skb,
+@@ -882,8 +892,7 @@ static int tcp_packet(struct nf_conn *ct,
+ ct->proto.tcp.last_flags &= ~IP_CT_EXP_CHALLENGE_ACK;
+ ct->proto.tcp.seen[ct->proto.tcp.last_dir].flags =
+ ct->proto.tcp.last_flags;
+- memset(&ct->proto.tcp.seen[dir], 0,
+- sizeof(struct ip_ct_tcp_state));
++ nf_ct_tcp_state_reset(&ct->proto.tcp.seen[dir]);
+ break;
+ }
+ ct->proto.tcp.last_index = index;
+--
+2.34.1
+
diff --git a/queue-4.19/netfilter-nf_nat_h323-eliminate-anonymous-module_ini.patch b/queue-4.19/netfilter-nf_nat_h323-eliminate-anonymous-module_ini.patch
new file mode 100644
index 00000000000..ca3817c5db3
--- /dev/null
+++ b/queue-4.19/netfilter-nf_nat_h323-eliminate-anonymous-module_ini.patch
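Review bot: nf_ct_tcp_state_reset() replaces a `memset()` of the whole `struct ip_ct_tcp_state` with five explicit assignments, so any member not listed (the struct definition is outside the hunk), or one added later, now survives a reset that used to clear it. Keeping the memset and restoring the single bit avoids that: save `state->flags & IP_CT_TCP_FLAG_BE_LIBERAL` in a local, call `memset(state, 0, sizeof(*state));`, then assign the saved value back to `state->flags`. The same mask-and-keep line now appears in tcp_options() as well; a short comment at both places, stating that only the liberal flag is meant to persist across re-synchronisation, would make the intent explicit.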
@@ -0,0 +1,74 @@
+From ac64ce12e3f92c816ea6a5548e9e08eb9a6d9f9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 16 Mar 2022 12:20:05 -0700
+Subject: netfilter: nf_nat_h323: eliminate anonymous module_init & module_exit
+
+From: Randy Dunlap
+
+[ Upstream commit fd4213929053bb58b0b2a080ca17f2dd1a9b6df4 ]
+
+Eliminate anonymous module_init() and module_exit(), which can lead to
+confusion or ambiguity when reading System.map, crashes/oops/bugs,
+or an initcall_debug log.
+
+Give each of these init and exit functions unique driver-specific
+names to eliminate the anonymous names.
+
+Example 1: (System.map)
+ ffffffff832fc78c t init
+ ffffffff832fc79e t init
+ ffffffff832fc8f8 t init
+
+Example 2: (initcall_debug log)
+ calling init+0x0/0x12 @ 1
+ initcall init+0x0/0x12 returned 0 after 15 usecs
+ calling init+0x0/0x60 @ 1
+ initcall init+0x0/0x60 returned 0 after 2 usecs
+ calling init+0x0/0x9a @ 1
+ initcall init+0x0/0x9a returned 0 after 74 usecs
+
+Fixes: f587de0e2feb ("[NETFILTER]: nf_conntrack/nf_nat: add H.323 helper port")
+Signed-off-by: Randy Dunlap
+Acked-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/netfilter/nf_nat_h323.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/netfilter/nf_nat_h323.c b/net/ipv4/netfilter/nf_nat_h323.c
+index 4e6b53ab6c33..fc5b8ce88741 100644
+--- a/net/ipv4/netfilter/nf_nat_h323.c
++++ b/net/ipv4/netfilter/nf_nat_h323.c
+@@ -581,7 +581,7 @@ static struct nf_ct_helper_expectfn callforwarding_nat = {
+ };
+
+ /****************************************************************************/
+-static int __init init(void)
++static int __init nf_nat_h323_init(void)
+ {
+ BUG_ON(set_h245_addr_hook != NULL);
+ BUG_ON(set_h225_addr_hook != NULL);
+@@ -608,7 +608,7 @@ static int __init init(void)
+ }
+
+ /****************************************************************************/
+-static void __exit fini(void)
++static void __exit
nf_nat_h323_fini(void)
+ {
+ RCU_INIT_POINTER(set_h245_addr_hook, NULL);
+ RCU_INIT_POINTER(set_h225_addr_hook, NULL);
+@@ -625,8 +625,8 @@ static void __exit fini(void)
+ }
+
+ /****************************************************************************/
+-module_init(init);
+-module_exit(fini);
++module_init(nf_nat_h323_init);
++module_exit(nf_nat_h323_fini);
+
+ MODULE_AUTHOR("Jing Min Zhao ");
+ MODULE_DESCRIPTION("H.323 NAT helper");
+--
+2.34.1
+
diff --git a/queue-4.19/nfs-remove-unneeded-check-in-decode_devicenotify_arg.patch b/queue-4.19/nfs-remove-unneeded-check-in-decode_devicenotify_arg.patch
new file mode 100644
index 00000000000..9a59c5223e9
--- /dev/null
+++ b/queue-4.19/nfs-remove-unneeded-check-in-decode_devicenotify_arg.patch
@@ -0,0 +1,39 @@
+From dad4a39bb8b77d08891796925816e5a915e2d719 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 15 Feb 2022 13:17:04 +0300
+Subject: NFS: remove unneeded check in decode_devicenotify_args()
+
+From: Alexey Khoroshilov
+
+[ Upstream commit cb8fac6d2727f79f211e745b16c9abbf4d8be652 ]
+
+[You don't often get email from khoroshilov@ispras.ru. Learn why this is important at http://aka.ms/LearnAboutSenderIdentification.]
+
+Overflow check in not needed anymore after we switch to kmalloc_array().
+
+Signed-off-by: Alexey Khoroshilov
+Fixes: a4f743a6bb20 ("NFSv4.1: Convert open-coded array allocation calls to kmalloc_array()")
+Signed-off-by: Trond Myklebust
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/callback_xdr.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/fs/nfs/callback_xdr.c b/fs/nfs/callback_xdr.c
+index 76aa1b456c52..2f84c612838c 100644
+--- a/fs/nfs/callback_xdr.c
++++ b/fs/nfs/callback_xdr.c
+@@ -281,10 +281,6 @@ __be32 decode_devicenotify_args(struct svc_rqst *rqstp,
+ n = ntohl(*p++);
+ if (n == 0)
+ goto out;
+- if (n > ULONG_MAX / sizeof(*args->devs)) {
+- status = htonl(NFS4ERR_BADXDR);
+- goto out;
+- }
+
+ args->devs = kmalloc_array(n, sizeof(*args->devs), GFP_KERNEL);
+ if (!args->devs) {
+--
+2.34.1
+
diff --git a/queue-4.19/nfsv4-pnfs-fix-another-issue-with-a-list-iterator-po.patch b/queue-4.19/nfsv4-pnfs-fix-another-issue-with-a-list-iterator-po.patch
new file mode 100644
index 00000000000..0f4ffd68397
--- /dev/null
+++ b/queue-4.19/nfsv4-pnfs-fix-another-issue-with-a-list-iterator-po.patch
@@ -0,0 +1,120 @@
+From f940de047f42da4b1b137a50dd197f342a11f064 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 28 Mar 2022 08:36:34 -0400
+Subject: NFSv4/pNFS: Fix another issue with a list iterator pointing to the
+ head
+
+From: Trond Myklebust
+
+[ Upstream commit 7c9d845f0612e5bcd23456a2ec43be8ac43458f1 ]
+
+In nfs4_callback_devicenotify(), if we don't find a matching entry for
+the deviceid, we're left with a pointer to 'struct nfs_server' that
+actually points to the list of super blocks associated with our struct
+nfs_client.
+Furthermore, even if we have a valid pointer, nothing pins the super
+block, and so the struct nfs_server could end up getting freed while
+we're using it.
+
+Since all we want is a pointer to the struct pnfs_layoutdriver_type,
+let's skip all the iteration over super blocks, and just use APIs to
+find the layout driver directly.
+
+Reported-by: Xiaomeng Tong
+Fixes: 1be5683b03a7 ("pnfs: CB_NOTIFY_DEVICEID")
+Signed-off-by: Trond Myklebust
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/callback_proc.c | 27 +++++++++------------------
+ fs/nfs/pnfs.c | 11 +++++++++++
+ fs/nfs/pnfs.h | 2 ++
+ 3 files changed, 22 insertions(+), 18 deletions(-)
+
+diff --git a/fs/nfs/callback_proc.c b/fs/nfs/callback_proc.c
+index 868d66ed8bcf..f2a854805f0e 100644
+--- a/fs/nfs/callback_proc.c
++++ b/fs/nfs/callback_proc.c
+@@ -364,12 +364,11 @@ __be32 nfs4_callback_devicenotify(void *argp, void *resp,
+ struct cb_process_state *cps)
+ {
+ struct cb_devicenotifyargs *args = argp;
++ const struct pnfs_layoutdriver_type *ld = NULL;
+ uint32_t i;
+ __be32 res = 0;
+- struct nfs_client *clp = cps->clp;
+- struct nfs_server *server = NULL;
+
+- if (!clp) {
++ if (!cps->clp) {
+ res = cpu_to_be32(NFS4ERR_OP_NOT_IN_SESSION);
+ goto out;
+ }
+@@ -377,23 +376,15 @@ __be32 nfs4_callback_devicenotify(void *argp, void *resp,
+ for (i = 0; i < args->ndevs; i++) {
+ struct cb_devicenotifyitem *dev = &args->devs[i];
+
+- if (!server ||
+- server->pnfs_curr_ld->id !=
dev->cbd_layout_type) {
+- rcu_read_lock();
+- list_for_each_entry_rcu(server, &clp->cl_superblocks, client_link)
+- if (server->pnfs_curr_ld &&
+- server->pnfs_curr_ld->id == dev->cbd_layout_type) {
+- rcu_read_unlock();
+- goto found;
+- }
+- rcu_read_unlock();
+- continue;
++ if (!ld || ld->id != dev->cbd_layout_type) {
++ pnfs_put_layoutdriver(ld);
++ ld = pnfs_find_layoutdriver(dev->cbd_layout_type);
++ if (!ld)
++ continue;
+ }
+-
+- found:
+- nfs4_delete_deviceid(server->pnfs_curr_ld, clp, &dev->cbd_dev_id);
++ nfs4_delete_deviceid(ld, cps->clp, &dev->cbd_dev_id);
+ }
+-
++ pnfs_put_layoutdriver(ld);
+ out:
+ kfree(args->devs);
+ return res;
+diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
+index c900cb2119ba..0f1c15859418 100644
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -92,6 +92,17 @@ find_pnfs_driver(u32 id)
+ return local;
+ }
+
++const struct pnfs_layoutdriver_type *pnfs_find_layoutdriver(u32 id)
++{
++ return find_pnfs_driver(id);
++}
++
++void pnfs_put_layoutdriver(const struct pnfs_layoutdriver_type *ld)
++{
++ if (ld)
++ module_put(ld->owner);
++}
++
+ void
+ unset_pnfs_layoutdriver(struct nfs_server *nfss)
+ {
+diff --git a/fs/nfs/pnfs.h b/fs/nfs/pnfs.h
+index 80fafa29e567..d5d818b1ac9d 100644
+--- a/fs/nfs/pnfs.h
++++ b/fs/nfs/pnfs.h
+@@ -225,6 +225,8 @@ struct pnfs_devicelist {
+
+ extern int pnfs_register_layoutdriver(struct pnfs_layoutdriver_type *);
+ extern void pnfs_unregister_layoutdriver(struct pnfs_layoutdriver_type *);
++extern const struct pnfs_layoutdriver_type *pnfs_find_layoutdriver(u32 id);
++extern void pnfs_put_layoutdriver(const struct pnfs_layoutdriver_type *ld);
+
+ /* nfs4proc.c */
+ extern size_t max_response_pages(struct nfs_server *server);
+--
+2.34.1
+
diff --git a/queue-4.19/ntfs-add-sanity-check-on-allocation-size.patch b/queue-4.19/ntfs-add-sanity-check-on-allocation-size.patch
new file mode 100644
index 00000000000..c4b93f41659
--- /dev/null
+++ b/queue-4.19/ntfs-add-sanity-check-on-allocation-size.patch
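Review bot: pnfs_find_layoutdriver() and pnfs_put_layoutdriver() in fs/nfs/pnfs.c are added without any comment on the reference they hand out and release. pnfs_put_layoutdriver() calls `module_put(ld->owner)`, so the lookup presumably returns with a module reference held (the body of find_pnfs_driver() is outside the hunk), and every future caller has to pair the two the way nfs4_callback_devicenotify() does. A short comment on each would make that explicit, for example `/* Returns the layout driver for @id with a module reference held, or NULL; release with pnfs_put_layoutdriver() */` and `/* Drops the reference taken by pnfs_find_layoutdriver(); NULL is a no-op */`. In the loop it would also help to note that `dev->cbd_layout_type` is taken from the decoded callback arguments, so a type with no registered driver is an expected input and is skipped by the `continue`.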
@@ -0,0 +1,43 @@
+From dcd2779d00b080c96ff98ff6233d69c69d6016be Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 22 Mar 2022 14:38:39 -0700
+Subject: ntfs: add sanity check on allocation size
+
+From: Dongliang Mu
+
+[ Upstream commit 714fbf2647b1a33d914edd695d4da92029c7e7c0 ]
+
+ntfs_read_inode_mount invokes ntfs_malloc_nofs with zero allocation
+size. It triggers one BUG in the __ntfs_malloc function.
+
+Fix this by adding sanity check on ni->attr_list_size.
+
+Link: https://lkml.kernel.org/r/20220120094914.47736-1-dzm91@hust.edu.cn
+Reported-by: syzbot+3c765c5248797356edaa@syzkaller.appspotmail.com
+Signed-off-by: Dongliang Mu
+Acked-by: Anton Altaparmakov
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ fs/ntfs/inode.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/ntfs/inode.c b/fs/ntfs/inode.c
+index e844b43f2eac..0acd1f02b146 100644
+--- a/fs/ntfs/inode.c
++++ b/fs/ntfs/inode.c
+@@ -1906,6 +1906,10 @@ int ntfs_read_inode_mount(struct inode *vi)
+ }
+ /* Now allocate memory for the attribute list. */
+ ni->attr_list_size = (u32)ntfs_attr_size(a);
++ if (!ni->attr_list_size) {
++ ntfs_error(sb, "Attr_list_size is zero");
++ goto put_err_out;
++ }
+ ni->attr_list = ntfs_malloc_nofs(ni->attr_list_size);
+ if (!ni->attr_list) {
+ ntfs_error(sb, "Not enough memory to allocate buffer "
+--
+2.34.1
+
diff --git a/queue-4.19/pci-reduce-warnings-on-possible-rw1c-corruption.patch b/queue-4.19/pci-reduce-warnings-on-possible-rw1c-corruption.patch
new file mode 100644
index 00000000000..4c1aff955f0
--- /dev/null
+++ b/queue-4.19/pci-reduce-warnings-on-possible-rw1c-corruption.patch
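Review bot: The new `if (!ni->attr_list_size)` test runs after the `(u32)` cast on the context line above it, so it rejects a zero length but says nothing about a size that the cast has already truncated. The return type of ntfs_attr_size() is not visible in this hunk; if it is wider than 32 bits, a value read from the on-disk attribute could be shortened before the allocation, and checking the uncast value for zero and for exceeding the u32 range would be the stricter guard. The message `"Attr_list_size is zero"` would also be easier to act on if it said that the attribute list of the mount inode is empty and the volume is being rejected. ntfs_read_inode_mount() starts and ends outside the hunk, as does the put_err_out label.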
@@ -0,0 +1,71 @@
+From 274044285fae9114c3ad7f9a8a942a1bf202090e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 6 Aug 2020 16:14:55 +1200
+Subject: PCI: Reduce warnings on possible RW1C corruption
+
+From: Mark Tomlinson
+
+[ Upstream commit 92c45b63ce22c8898aa41806e8d6692bcd577510 ]
+
+For hardware that only supports 32-bit writes to PCI there is the
+possibility of clearing RW1C (write-one-to-clear) bits. A rate-limited
+messages was introduced by fb2659230120, but rate-limiting is not the best
+choice here. Some devices may not show the warnings they should if another
+device has just produced a bunch of warnings. Also, the number of messages
+can be a nuisance on devices which are otherwise working fine.
+
+Change the ratelimit to a single warning per bus. This ensures no bus is
+'starved' of emitting a warning and also that there isn't a continuous
+stream of warnings. It would be preferable to have a warning per device,
+but the pci_dev structure is not available here, and a lookup from devfn
+would be far too slow.
+
+Suggested-by: Bjorn Helgaas
+Fixes: fb2659230120 ("PCI: Warn on possible RW1C corruption for sub-32 bit config writes")
+Link: https://lore.kernel.org/r/20200806041455.11070-1-mark.tomlinson@alliedtelesis.co.nz
+Signed-off-by: Mark Tomlinson
+Signed-off-by: Bjorn Helgaas
+Reviewed-by: Florian Fainelli
+Reviewed-by: Rob Herring
+Acked-by: Scott Branden
+Signed-off-by: Sasha Levin
+---
+ drivers/pci/access.c | 9 ++++++---
+ include/linux/pci.h | 1 +
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/pci/access.c b/drivers/pci/access.c
+index 3c8ffd62dc00..98ee5f05fc0f 100644
+--- a/drivers/pci/access.c
++++ b/drivers/pci/access.c
+@@ -160,9 +160,12 @@ int pci_generic_config_write32(struct pci_bus *bus, unsigned int devfn,
+ * write happen to have any RW1C (write-one-to-clear) bits set, we
+ * just inadvertently cleared something we shouldn't have.
+ */
+- dev_warn_ratelimited(&bus->dev, "%d-byte config write to %04x:%02x:%02x.%d offset %#x may corrupt adjacent RW1C bits\n",
+- size, pci_domain_nr(bus), bus->number,
+- PCI_SLOT(devfn), PCI_FUNC(devfn), where);
++ if (!bus->unsafe_warn) {
++ dev_warn(&bus->dev, "%d-byte config write to %04x:%02x:%02x.%d offset %#x may corrupt adjacent RW1C bits\n",
++ size, pci_domain_nr(bus), bus->number,
++ PCI_SLOT(devfn), PCI_FUNC(devfn), where);
++ bus->unsafe_warn = 1;
++ }
+
+ mask = ~(((1 << (size * 8)) - 1) << ((where & 0x3) * 8));
+ tmp = readl(addr) & mask;
+diff --git a/include/linux/pci.h b/include/linux/pci.h
+index a4bbce871e08..3e06e9790c25 100644
+--- a/include/linux/pci.h
++++ b/include/linux/pci.h
+@@ -581,6 +581,7 @@ struct pci_bus {
+ struct bin_attribute *legacy_io; /* Legacy I/O for this bus */
+ struct bin_attribute *legacy_mem; /* Legacy mem */
+ unsigned int is_added:1;
++ unsigned int unsafe_warn:1; /* warned about RW1C config write */
+ };
+
+ #define to_pci_bus(n) container_of(n, struct pci_bus, dev)
+--
+2.34.1
+
diff --git a/queue-4.19/perf-core-fix-address-filter-parser-for-multiple-fil.patch b/queue-4.19/perf-core-fix-address-filter-parser-for-multiple-fil.patch
new file mode 100644
index 00000000000..94b0d866dc3
--- /dev/null
+++ b/queue-4.19/perf-core-fix-address-filter-parser-for-multiple-fil.patch
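Review bot: `bus->unsafe_warn` is tested and set in pci_generic_config_write32() with a plain bitfield read and store, and the new `unsigned int unsafe_warn:1` is declared directly after `is_added:1` in struct pci_bus, so the two flags most likely share one storage word. Whether every writer of either flag runs under the same lock cannot be seen from these hunks; if they do not, a store to one flag is a read-modify-write that can overwrite a concurrent update of the other. Extending the field comment to name the protecting lock, e.g. `/* warned about RW1C config write; protected by <lock name> */`, or giving the flag its own `bool` member, would settle it. The function and the struct both extend beyond the hunks.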
@@ -0,0 +1,40 @@
+From 818653f8a51f2be6cf54a6de4ebd69f8df449a85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 31 Jan 2022 09:24:51 +0200
+Subject: perf/core: Fix address filter parser for multiple filters
+
+From: Adrian Hunter
+
+[ Upstream commit d680ff24e9e14444c63945b43a37ede7cd6958f9 ]
+
+Reset appropriate variables in the parser loop between parsing separate
+filters, so that they do not interfere with parsing the next filter.
+
+Fixes: 375637bc524952 ("perf/core: Introduce address range filtering")
+Signed-off-by: Adrian Hunter
+Signed-off-by: Peter Zijlstra (Intel)
+Link: https://lore.kernel.org/r/20220131072453.2839535-4-adrian.hunter@intel.com
+Signed-off-by: Sasha Levin
+---
+ kernel/events/core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index 2adde229d1af..ec2f9e433208 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -9137,8 +9137,11 @@ perf_event_parse_addr_filter(struct perf_event *event, char *fstr,
+ }
+
+ /* ready to consume more filters */
++ kfree(filename);
++ filename = NULL;
+ state = IF_STATE_ACTION;
+ filter = NULL;
++ kernel = 0;
+ }
+ }
+
+--
+2.34.1
+
diff --git a/queue-4.19/perf-x86-intel-pt-fix-address-filter-config-for-32-b.patch b/queue-4.19/perf-x86-intel-pt-fix-address-filter-config-for-32-b.patch
new file mode 100644
index 00000000000..6df5223bac9
--- /dev/null
+++ b/queue-4.19/perf-x86-intel-pt-fix-address-filter-config-for-32-b.patch
@@ -0,0 +1,37 @@
+From b9ad287fed22504f83e96f9c7ba502493ea08d9c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 31 Jan 2022 09:24:52 +0200
+Subject: perf/x86/intel/pt: Fix address filter config for 32-bit kernel
+
+From: Adrian Hunter
+
+[ Upstream commit e5524bf1047eb3b3f3f33b5f59897ba67b3ade87 ]
+
+Change from shifting 'unsigned long' to 'u64' to prevent the config bits
+being lost on a 32-bit kernel.
+
+Fixes: eadf48cab4b6b0 ("perf/x86/intel/pt: Add support for address range filtering in PT")
+Signed-off-by: Adrian Hunter
+Signed-off-by: Peter Zijlstra (Intel)
+Link: https://lore.kernel.org/r/20220131072453.2839535-5-adrian.hunter@intel.com
+Signed-off-by: Sasha Levin
+---
+ arch/x86/events/intel/pt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/events/intel/pt.c b/arch/x86/events/intel/pt.c
+index 849f0ba53a9b..49b3ea1c1ea1 100644
+--- a/arch/x86/events/intel/pt.c
++++ b/arch/x86/events/intel/pt.c
+@@ -460,7 +460,7 @@ static u64 pt_config_filters(struct perf_event *event)
+ pt->filters.filter[range].msr_b = filter->msr_b;
+ }
+
+- rtit_ctl |= filter->config << pt_address_ranges[range].reg_off;
++ rtit_ctl |= (u64)filter->config << pt_address_ranges[range].reg_off;
+ }
+
+ return rtit_ctl;
+--
+2.34.1
+
diff --git a/queue-4.19/pinctrl-mediatek-fix-missing-of_node_put-in-mtk_pctr.patch b/queue-4.19/pinctrl-mediatek-fix-missing-of_node_put-in-mtk_pctr.patch
new file mode 100644
index 00000000000..f4aefe2d230
--- /dev/null
+++ b/queue-4.19/pinctrl-mediatek-fix-missing-of_node_put-in-mtk_pctr.patch
@@ -0,0 +1,45 @@
+From 70363cfcdd0c4d47e61a7bf7b00cb549fc9310fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 8 Mar 2022 07:11:54 +0000
+Subject: pinctrl: mediatek: Fix missing of_node_put() in mtk_pctrl_init
+
+From: Miaoqian Lin
+
+[ Upstream commit dab4df9ca919f59e5b9dd84385eaf34d4f20dbb0 ]
+
+The device_node pointer is returned by of_parse_phandle() with refcount
+incremented. We should use of_node_put() on it when done.
+
+Fixes: a6df410d420a ("pinctrl: mediatek: Add Pinctrl/GPIO driver for mt8135.")
+Signed-off-by: Miaoqian Lin
+Reviewed-by: AngeloGioacchino Del Regno
+Link: https://lore.kernel.org/r/20220308071155.21114-1-linmq006@gmail.com
+Signed-off-by: Linus Walleij
+Signed-off-by: Sasha Levin
+---
+ drivers/pinctrl/mediatek/pinctrl-mtk-common.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/pinctrl/mediatek/pinctrl-mtk-common.c b/drivers/pinctrl/mediatek/pinctrl-mtk-common.c
+index 16ff56f93501..64fa544ac850 100644
+--- a/drivers/pinctrl/mediatek/pinctrl-mtk-common.c
++++ b/drivers/pinctrl/mediatek/pinctrl-mtk-common.c
+@@ -1046,6 +1046,7 @@ int mtk_pctrl_init(struct platform_device *pdev,
+ node = of_parse_phandle(np, "mediatek,pctl-regmap", 0);
+ if (node) {
+ pctl->regmap1 = syscon_node_to_regmap(node);
++ of_node_put(node);
+ if (IS_ERR(pctl->regmap1))
+ return PTR_ERR(pctl->regmap1);
+ } else if (regmap) {
+@@ -1059,6 +1060,7 @@ int mtk_pctrl_init(struct platform_device *pdev,
+ node = of_parse_phandle(np, "mediatek,pctl-regmap", 1);
+ if (node) {
+ pctl->regmap2 = syscon_node_to_regmap(node);
++ of_node_put(node);
+ if (IS_ERR(pctl->regmap2))
+ return PTR_ERR(pctl->regmap2);
+ }
+--
+2.34.1
+
diff --git a/queue-4.19/pinctrl-nomadik-add-missing-of_node_put-in-nmk_pinct.patch b/queue-4.19/pinctrl-nomadik-add-missing-of_node_put-in-nmk_pinct.patch
new file mode 100644
index 00000000000..5ef5c10af36
--- /dev/null
+++ b/queue-4.19/pinctrl-nomadik-add-missing-of_node_put-in-nmk_pinct.patch
@@ -0,0 +1,41 @@
+From 87bcc3dba1b9e7821fe2870c1b3ab052a71faf31 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 7 Mar 2022 11:51:16 +0000
+Subject: pinctrl: nomadik: Add missing of_node_put() in nmk_pinctrl_probe
+
+From: Miaoqian Lin
+
+[ Upstream commit c09ac191b1f97cfa06f394dbfd7a5db07986cefc ]
+
+This node pointer is returned by of_parse_phandle() with refcount
+incremented in this function. Calling of_node_put() to avoid
+the refcount leak.
+
+Fixes: 32e67eee670e ("pinctrl: nomadik: Allow prcm_base to be extracted from Device Tree")
+Signed-off-by: Miaoqian Lin
+Link: https://lore.kernel.org/r/20220307115116.25316-1-linmq006@gmail.com
+Signed-off-by: Linus Walleij
+Signed-off-by: Sasha Levin
+---
+ drivers/pinctrl/nomadik/pinctrl-nomadik.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/nomadik/pinctrl-nomadik.c b/drivers/pinctrl/nomadik/pinctrl-nomadik.c
+index f0e7a8c114b2..415e91360994 100644
+--- a/drivers/pinctrl/nomadik/pinctrl-nomadik.c
++++ b/drivers/pinctrl/nomadik/pinctrl-nomadik.c
+@@ -1916,8 +1916,10 @@ static int nmk_pinctrl_probe(struct platform_device *pdev)
+ }
+
+ prcm_np = of_parse_phandle(np, "prcm", 0);
+- if (prcm_np)
++ if (prcm_np) {
+ npct->prcm_base = of_iomap(prcm_np, 0);
++ of_node_put(prcm_np);
++ }
+ if (!npct->prcm_base) {
+ if (version == PINCTRL_NMK_STN8815) {
+ dev_info(&pdev->dev,
+--
+2.34.1
+
diff --git a/queue-4.19/pinctrl-rockchip-add-missing-of_node_put-in-rockchip.patch b/queue-4.19/pinctrl-rockchip-add-missing-of_node_put-in-rockchip.patch
new file mode 100644
index 00000000000..7cac7fc0abb
--- /dev/null
+++ b/queue-4.19/pinctrl-rockchip-add-missing-of_node_put-in-rockchip.patch
@@ -0,0 +1,45 @@
+From 11a9cf29fb2b08ae6aa162b7b492d871a7b239f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 7 Mar 2022 12:02:34 +0000
+Subject: pinctrl/rockchip: Add missing of_node_put() in rockchip_pinctrl_probe
+
+From: Miaoqian Lin
+
+[ Upstream commit 89388f8730699c259f8090ec435fb43569efe4ac ]
+
+The device_node pointer is returned by of_parse_phandle() with refcount
+incremented. We should use of_node_put() on it when done.
+
+Fixes: 1e747e59cc4d ("pinctrl: rockchip: base regmap supplied by a syscon")
+Fixes: 14dee8677e19 ("pinctrl: rockchip: let pmu registers be supplied by a syscon")
+Signed-off-by: Miaoqian Lin
+Link: https://lore.kernel.org/r/20220307120234.28657-1-linmq006@gmail.com
+Signed-off-by: Linus Walleij
+Signed-off-by: Sasha Levin
+---
+ drivers/pinctrl/pinctrl-rockchip.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/pinctrl/pinctrl-rockchip.c b/drivers/pinctrl/pinctrl-rockchip.c
+index d0d5b8bdbc10..dc405d7aa1b7 100644
+--- a/drivers/pinctrl/pinctrl-rockchip.c
++++ b/drivers/pinctrl/pinctrl-rockchip.c
+@@ -3400,6 +3400,7 @@ static int rockchip_pinctrl_probe(struct platform_device *pdev)
+ node = of_parse_phandle(np, "rockchip,grf", 0);
+ if (node) {
+ info->regmap_base = syscon_node_to_regmap(node);
++ of_node_put(node);
+ if (IS_ERR(info->regmap_base))
+ return PTR_ERR(info->regmap_base);
+ } else {
+@@ -3436,6 +3437,7 @@ static int rockchip_pinctrl_probe(struct platform_device *pdev)
+ node = of_parse_phandle(np, "rockchip,pmu", 0);
+ if (node) {
+ info->regmap_pmu = syscon_node_to_regmap(node);
++ of_node_put(node);
+ if (IS_ERR(info->regmap_pmu))
+ return PTR_ERR(info->regmap_pmu);
+ }
+--
+2.34.1
+
diff --git a/queue-4.19/pm-core-keep-irq-flags-in-device_pm_check_callbacks.patch b/queue-4.19/pm-core-keep-irq-flags-in-device_pm_check_callbacks.patch
new file mode 100644
index 00000000000..8e5bebd795a
--- /dev/null
+++ b/queue-4.19/pm-core-keep-irq-flags-in-device_pm_check_callbacks.patch
@@ -0,0 +1,107 @@ +From 17f216808f9900889ad964cfdc589a638291abf3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Mar 2022 14:02:14 +0300 +Subject: PM: core: keep irq flags in device_pm_check_callbacks() + +From: Dmitry Baryshkov + +[ Upstream commit 524bb1da785a7ae43dd413cd392b5071c6c367f8 ] + +The function device_pm_check_callbacks() can be called under the spin +lock (in the reported case it happens from genpd_add_device() -> +dev_pm_domain_set(), when the genpd uses spinlocks rather than mutexes. + +However this function uncoditionally uses spin_lock_irq() / +spin_unlock_irq(), thus not preserving the CPU flags. Use the +irqsave/irqrestore instead. + +The backtrace for the reference: +[ 2.752010] ------------[ cut here ]------------ +[ 2.756769] raw_local_irq_restore() called with IRQs enabled +[ 2.762596] WARNING: CPU: 4 PID: 1 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x34/0x50 +[ 2.772338] Modules linked in: +[ 2.775487] CPU: 4 PID: 1 Comm: swapper/0 Tainted: G S 5.17.0-rc6-00384-ge330d0d82eff-dirty #684 +[ 2.781384] Freeing initrd memory: 46024K +[ 2.785839] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ 2.785841] pc : warn_bogus_irq_restore+0x34/0x50 +[ 2.785844] lr : warn_bogus_irq_restore+0x34/0x50 +[ 2.785846] sp : ffff80000805b7d0 +[ 2.785847] x29: ffff80000805b7d0 x28: 0000000000000000 x27: 0000000000000002 +[ 2.785850] x26: ffffd40e80930b18 x25: ffff7ee2329192b8 x24: ffff7edfc9f60800 +[ 2.785853] x23: ffffd40e80930b18 x22: ffffd40e80930d30 x21: ffff7edfc0dffa00 +[ 2.785856] x20: ffff7edfc09e3768 x19: 0000000000000000 x18: ffffffffffffffff +[ 2.845775] x17: 6572206f74206465 x16: 6c696166203a3030 x15: ffff80008805b4f7 +[ 2.853108] x14: 0000000000000000 x13: ffffd40e809550b0 x12: 00000000000003d8 +[ 2.860441] x11: 0000000000000148 x10: ffffd40e809550b0 x9 : ffffd40e809550b0 +[ 2.867774] x8 : 00000000ffffefff x7 : ffffd40e809ad0b0 x6 : ffffd40e809ad0b0 +[ 2.875107] x5 : 000000000000bff4 x4 : 0000000000000000 
x3 : 0000000000000000 +[ 2.882440] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff7edfc03a8000 +[ 2.889774] Call trace: +[ 2.892290] warn_bogus_irq_restore+0x34/0x50 +[ 2.896770] _raw_spin_unlock_irqrestore+0x94/0xa0 +[ 2.901690] genpd_unlock_spin+0x20/0x30 +[ 2.905724] genpd_add_device+0x100/0x2d0 +[ 2.909850] __genpd_dev_pm_attach+0xa8/0x23c +[ 2.914329] genpd_dev_pm_attach_by_id+0xc4/0x190 +[ 2.919167] genpd_dev_pm_attach_by_name+0x3c/0xd0 +[ 2.924086] dev_pm_domain_attach_by_name+0x24/0x30 +[ 2.929102] psci_dt_attach_cpu+0x24/0x90 +[ 2.933230] psci_cpuidle_probe+0x2d4/0x46c +[ 2.937534] platform_probe+0x68/0xe0 +[ 2.941304] really_probe.part.0+0x9c/0x2fc +[ 2.945605] __driver_probe_device+0x98/0x144 +[ 2.950085] driver_probe_device+0x44/0x15c +[ 2.954385] __device_attach_driver+0xb8/0x120 +[ 2.958950] bus_for_each_drv+0x78/0xd0 +[ 2.962896] __device_attach+0xd8/0x180 +[ 2.966843] device_initial_probe+0x14/0x20 +[ 2.971144] bus_probe_device+0x9c/0xa4 +[ 2.975092] device_add+0x380/0x88c +[ 2.978679] platform_device_add+0x114/0x234 +[ 2.983067] platform_device_register_full+0x100/0x190 +[ 2.988344] psci_idle_init+0x6c/0xb0 +[ 2.992113] do_one_initcall+0x74/0x3a0 +[ 2.996060] kernel_init_freeable+0x2fc/0x384 +[ 3.000543] kernel_init+0x28/0x130 +[ 3.004132] ret_from_fork+0x10/0x20 +[ 3.007817] irq event stamp: 319826 +[ 3.011404] hardirqs last enabled at (319825): [] __up_console_sem+0x78/0x84 +[ 3.020332] hardirqs last disabled at (319826): [] el1_dbg+0x24/0x8c +[ 3.028458] softirqs last enabled at (318312): [] _stext+0x410/0x588 +[ 3.036678] softirqs last disabled at (318299): [] __irq_exit_rcu+0x158/0x174 +[ 3.045607] ---[ end trace 0000000000000000 ]--- + +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Rafael J. 
Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/base/power/main.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c
+index da413b95afab..c0284c8db19b 100644
+--- a/drivers/base/power/main.c
++++ b/drivers/base/power/main.c
+@@ -2145,7 +2145,9 @@ static bool pm_ops_is_empty(const struct dev_pm_ops *ops)
+
+ void device_pm_check_callbacks(struct device *dev)
+ {
+- spin_lock_irq(&dev->power.lock);
++ unsigned long flags;
++
++ spin_lock_irqsave(&dev->power.lock, flags);
+ dev->power.no_pm_callbacks =
+ (!dev->bus || (pm_ops_is_empty(dev->bus->pm) &&
+ !dev->bus->suspend && !dev->bus->resume)) &&
+@@ -2154,7 +2156,7 @@ void device_pm_check_callbacks(struct device *dev)
+ (!dev->pm_domain || pm_ops_is_empty(&dev->pm_domain->ops)) &&
+ (!dev->driver || (pm_ops_is_empty(dev->driver->pm) &&
+ !dev->driver->suspend && !dev->driver->resume));
+- spin_unlock_irq(&dev->power.lock);
++ spin_unlock_irqrestore(&dev->power.lock, flags);
+ }
+
+ bool dev_pm_smart_suspend_and_suspended(struct device *dev)
+--
+2.34.1
+
diff --git a/queue-4.19/pm-hibernate-fix-__setup-handler-error-handling.patch b/queue-4.19/pm-hibernate-fix-__setup-handler-error-handling.patch
new file mode 100644
index 00000000000..2fbb416e6b4
--- /dev/null
+++ b/queue-4.19/pm-hibernate-fix-__setup-handler-error-handling.patch
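Review bot: device_pm_check_callbacks() carries no comment saying that it can be entered with interrupts already disabled, which is the only reason for the switch to `spin_lock_irqsave()` / `spin_unlock_irqrestore()`. Without that note a later cleanup could revert to the `_irq` variants and bring back the unconditional re-enable of interrupts inside a caller's critical section. A comment above the function would be enough, for example `/* May be called with IRQs off (e.g. under a genpd spinlock), so save and restore the flags */`.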
@@ -0,0 +1,40 @@ +From 683e7b36b6fdef4a81bd179a49b128bbf18932ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Feb 2022 14:05:32 -0800 +Subject: PM: hibernate: fix __setup handler error handling + +From: Randy Dunlap + +[ Upstream commit ba7ffcd4c4da374b0f64666354eeeda7d3827131 ] + +If an invalid value is used in "resumedelay=", it is +silently ignored. Add a warning message and then let the __setup +handler return 1 to indicate that the kernel command line option +has been handled. + +Fixes: 317cf7e5e85e3 ("PM / hibernate: convert simple_strtoul to kstrtoul") +Signed-off-by: Randy Dunlap +Reported-by: Igor Zhbanov +Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + kernel/power/hibernate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c +index 6670a44ec5d4..6abdfdf571ee 100644 +--- a/kernel/power/hibernate.c ++++ b/kernel/power/hibernate.c +@@ -1219,7 +1219,7 @@ static int __init resumedelay_setup(char *str) + int rc = kstrtouint(str, 0, &resume_delay); + + if (rc) +- return rc; ++ pr_warn("resumedelay: bad option string '%s'\n", str); + return 1; + } + +-- +2.34.1 + diff --git a/queue-4.19/pm-suspend-fix-return-value-of-__setup-handler.patch b/queue-4.19/pm-suspend-fix-return-value-of-__setup-handler.patch new file mode 100644 index 00000000000..b470692dbdb --- /dev/null +++ b/queue-4.19/pm-suspend-fix-return-value-of-__setup-handler.patch @@ -0,0 +1,73 @@ +From 049b9eb7233afbd3ed7f17889cf2547758baf93c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Feb 2022 14:05:44 -0800 +Subject: PM: suspend: fix return value of __setup handler + +From: Randy Dunlap + +[ Upstream commit 7a64ca17e4dd50d5f910769167f3553902777844 ] + +If an invalid option is given for "test_suspend=