From: Sasha Levin Date: Sun, 18 Aug 2019 11:49:04 +0000 (-0400) Subject: fixes for 4.14 X-Git-Tag: v4.19.68~46^2~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c4e9b492f11c6ce6ac597e03cd17158c2bfc94c0;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/arm64-efi-fix-variable-si-set-but-not-used.patch b/queue-4.14/arm64-efi-fix-variable-si-set-but-not-used.patch new file mode 100644 index 00000000000..82a62ccc8f7 --- /dev/null +++ b/queue-4.14/arm64-efi-fix-variable-si-set-but-not-used.patch @@ -0,0 +1,43 @@ +From 7306e1a140771cacf8e9443b8f9b5c7445c85373 Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Tue, 30 Jul 2019 17:23:48 -0400 +Subject: arm64/efi: fix variable 'si' set but not used + +[ Upstream commit f1d4836201543e88ebe70237e67938168d5fab19 ] + +GCC throws out this warning on arm64. + +drivers/firmware/efi/libstub/arm-stub.c: In function 'efi_entry': +drivers/firmware/efi/libstub/arm-stub.c:132:22: warning: variable 'si' +set but not used [-Wunused-but-set-variable] + +Fix it by making free_screen_info() a static inline function. + +Acked-by: Will Deacon +Signed-off-by: Qian Cai +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/efi.h | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/arch/arm64/include/asm/efi.h b/arch/arm64/include/asm/efi.h +index 8389050328bba..5585420860694 100644 +--- a/arch/arm64/include/asm/efi.h ++++ b/arch/arm64/include/asm/efi.h +@@ -89,7 +89,11 @@ static inline unsigned long efi_get_max_initrd_addr(unsigned long dram_base, + ((protocol##_t *)instance)->f(instance, ##__VA_ARGS__) + + #define alloc_screen_info(x...) &screen_info +-#define free_screen_info(x...) ++ ++static inline void free_screen_info(efi_system_table_t *sys_table_arg, ++ struct screen_info *si) ++{ ++} + + /* redeclare as 'hidden' so the compiler will generate relative references */ + extern struct screen_info screen_info __attribute__((__visibility__("hidden"))); +-- +2.20.1 + diff --git a/queue-4.14/arm64-mm-fix-variable-pud-set-but-not-used.patch b/queue-4.14/arm64-mm-fix-variable-pud-set-but-not-used.patch new file mode 100644 index 00000000000..938c8c2633c --- /dev/null +++ b/queue-4.14/arm64-mm-fix-variable-pud-set-but-not-used.patch @@ -0,0 +1,43 @@ +From fcfee787ba6ca9af7dbadb0986b6706a2937435e Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Wed, 31 Jul 2019 16:05:45 -0400 +Subject: arm64/mm: fix variable 'pud' set but not used + +[ Upstream commit 7d4e2dcf311d3b98421d1f119efe5964cafa32fc ] + +GCC throws a warning, + +arch/arm64/mm/mmu.c: In function 'pud_free_pmd_page': +arch/arm64/mm/mmu.c:1033:8: warning: variable 'pud' set but not used +[-Wunused-but-set-variable] + pud_t pud; + ^~~ + +because pud_table() is a macro and compiled away. Fix it by making it a +static inline function and for pud_sect() as well. + +Signed-off-by: Qian Cai +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/pgtable.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/include/asm/pgtable.h b/arch/arm64/include/asm/pgtable.h +index ee77556b01243..4cf248185e6f9 100644 +--- a/arch/arm64/include/asm/pgtable.h ++++ b/arch/arm64/include/asm/pgtable.h +@@ -394,8 +394,8 @@ extern pgprot_t phys_mem_access_prot(struct file *file, unsigned long pfn, + PMD_TYPE_SECT) + + #if defined(CONFIG_ARM64_64K_PAGES) || CONFIG_PGTABLE_LEVELS < 3 +-#define pud_sect(pud) (0) +-#define pud_table(pud) (1) ++static inline bool pud_sect(pud_t pud) { return false; } ++static inline bool pud_table(pud_t pud) { return true; } + #else + #define pud_sect(pud) ((pud_val(pud) & PUD_TYPE_MASK) == \ + PUD_TYPE_SECT) +-- +2.20.1 + diff --git a/queue-4.14/arm64-unwind-prohibit-probing-on-return_address.patch b/queue-4.14/arm64-unwind-prohibit-probing-on-return_address.patch new file mode 100644 index 00000000000..8c821c1ca56 --- /dev/null +++ b/queue-4.14/arm64-unwind-prohibit-probing-on-return_address.patch @@ -0,0 +1,76 @@ +From b8c404d7a5e9e3a97a383e2bac4915a0f7916481 Mon Sep 17 00:00:00 2001 +From: Masami Hiramatsu +Date: Thu, 25 Jul 2019 17:16:05 +0900 +Subject: arm64: unwind: Prohibit probing on return_address() + +[ Upstream commit ee07b93e7721ccd5d5b9fa6f0c10cb3fe2f1f4f9 ] + +Prohibit probing on return_address() and subroutines which +is called from return_address(), since the it is invoked from +trace_hardirqs_off() which is also kprobe blacklisted. + +Reported-by: Naresh Kamboju +Signed-off-by: Masami Hiramatsu +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/return_address.c | 3 +++ + arch/arm64/kernel/stacktrace.c | 3 +++ + 2 files changed, 6 insertions(+) + +diff --git a/arch/arm64/kernel/return_address.c b/arch/arm64/kernel/return_address.c +index 933adbc0f654d..0311fe52c8ffb 100644 +--- a/arch/arm64/kernel/return_address.c ++++ b/arch/arm64/kernel/return_address.c +@@ -11,6 +11,7 @@ + + #include + #include ++#include + + #include + #include +@@ -32,6 +33,7 @@ static int save_return_addr(struct stackframe *frame, void *d) + return 0; + } + } ++NOKPROBE_SYMBOL(save_return_addr); + + void *return_address(unsigned int level) + { +@@ -55,3 +57,4 @@ void *return_address(unsigned int level) + return NULL; + } + EXPORT_SYMBOL_GPL(return_address); ++NOKPROBE_SYMBOL(return_address); +diff --git a/arch/arm64/kernel/stacktrace.c b/arch/arm64/kernel/stacktrace.c +index d5718a060672e..2ae7630d685b5 100644 +--- a/arch/arm64/kernel/stacktrace.c ++++ b/arch/arm64/kernel/stacktrace.c +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -85,6 +86,7 @@ int notrace unwind_frame(struct task_struct *tsk, struct stackframe *frame) + + return 0; + } ++NOKPROBE_SYMBOL(unwind_frame); + + void notrace walk_stackframe(struct task_struct *tsk, struct stackframe *frame, + int (*fn)(struct stackframe *, void *), void *data) +@@ -99,6 +101,7 @@ void notrace walk_stackframe(struct task_struct *tsk, struct stackframe *frame, + break; + } + } ++NOKPROBE_SYMBOL(walk_stackframe); + + #ifdef CONFIG_STACKTRACE + struct stack_trace_data { +-- +2.20.1 + diff --git a/queue-4.14/asm-generic-fix-wtype-limits-compiler-warnings.patch b/queue-4.14/asm-generic-fix-wtype-limits-compiler-warnings.patch new file mode 100644 index 00000000000..1f5d13bee43 --- /dev/null +++ b/queue-4.14/asm-generic-fix-wtype-limits-compiler-warnings.patch @@ -0,0 +1,132 @@ +From 314c541205d546de7d4cfb214c7beb485a1a02ad Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Fri, 2 Aug 2019 21:49:19 -0700 +Subject: asm-generic: fix -Wtype-limits compiler warnings + +[ Upstream commit cbedfe11347fe418621bd188d58a206beb676218 ] + +Commit d66acc39c7ce ("bitops: Optimise get_order()") introduced a +compilation warning because "rx_frag_size" is an "ushort" while +PAGE_SHIFT here is 16. + +The commit changed the get_order() to be a multi-line macro where +compilers insist to check all statements in the macro even when +__builtin_constant_p(rx_frag_size) will return false as "rx_frag_size" +is a module parameter. + +In file included from ./arch/powerpc/include/asm/page_64.h:107, + from ./arch/powerpc/include/asm/page.h:242, + from ./arch/powerpc/include/asm/mmu.h:132, + from ./arch/powerpc/include/asm/lppaca.h:47, + from ./arch/powerpc/include/asm/paca.h:17, + from ./arch/powerpc/include/asm/current.h:13, + from ./include/linux/thread_info.h:21, + from ./arch/powerpc/include/asm/processor.h:39, + from ./include/linux/prefetch.h:15, + from drivers/net/ethernet/emulex/benet/be_main.c:14: +drivers/net/ethernet/emulex/benet/be_main.c: In function 'be_rx_cqs_create': +./include/asm-generic/getorder.h:54:9: warning: comparison is always +true due to limited range of data type [-Wtype-limits] + (((n) < (1UL << PAGE_SHIFT)) ? 0 : \ + ^ +drivers/net/ethernet/emulex/benet/be_main.c:3138:33: note: in expansion +of macro 'get_order' + adapter->big_page_size = (1 << get_order(rx_frag_size)) * PAGE_SIZE; + ^~~~~~~~~ + +Fix it by moving all of this multi-line macro into a proper function, +and killing __get_order() off. + +[akpm@linux-foundation.org: remove __get_order() altogether] +[cai@lca.pw: v2] + Link: http://lkml.kernel.org/r/1564000166-31428-1-git-send-email-cai@lca.pw +Link: http://lkml.kernel.org/r/1563914986-26502-1-git-send-email-cai@lca.pw +Fixes: d66acc39c7ce ("bitops: Optimise get_order()") +Signed-off-by: Qian Cai +Reviewed-by: Nathan Chancellor +Cc: David S. Miller +Cc: Arnd Bergmann +Cc: David Howells +Cc: Jakub Jelinek +Cc: Nick Desaulniers +Cc: Bill Wendling +Cc: James Y Knight +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/asm-generic/getorder.h | 50 ++++++++++++++-------------------- + 1 file changed, 20 insertions(+), 30 deletions(-) + +diff --git a/include/asm-generic/getorder.h b/include/asm-generic/getorder.h +index c64bea7a52beb..e9f20b813a699 100644 +--- a/include/asm-generic/getorder.h ++++ b/include/asm-generic/getorder.h +@@ -7,24 +7,6 @@ + #include + #include + +-/* +- * Runtime evaluation of get_order() +- */ +-static inline __attribute_const__ +-int __get_order(unsigned long size) +-{ +- int order; +- +- size--; +- size >>= PAGE_SHIFT; +-#if BITS_PER_LONG == 32 +- order = fls(size); +-#else +- order = fls64(size); +-#endif +- return order; +-} +- + /** + * get_order - Determine the allocation order of a memory size + * @size: The size for which to get the order +@@ -43,19 +25,27 @@ int __get_order(unsigned long size) + * to hold an object of the specified size. + * + * The result is undefined if the size is 0. +- * +- * This function may be used to initialise variables with compile time +- * evaluations of constants. + */ +-#define get_order(n) \ +-( \ +- __builtin_constant_p(n) ? ( \ +- ((n) == 0UL) ? BITS_PER_LONG - PAGE_SHIFT : \ +- (((n) < (1UL << PAGE_SHIFT)) ? 0 : \ +- ilog2((n) - 1) - PAGE_SHIFT + 1) \ +- ) : \ +- __get_order(n) \ +-) ++static inline __attribute_const__ int get_order(unsigned long size) ++{ ++ if (__builtin_constant_p(size)) { ++ if (!size) ++ return BITS_PER_LONG - PAGE_SHIFT; ++ ++ if (size < (1UL << PAGE_SHIFT)) ++ return 0; ++ ++ return ilog2((size) - 1) - PAGE_SHIFT + 1; ++ } ++ ++ size--; ++ size >>= PAGE_SHIFT; ++#if BITS_PER_LONG == 32 ++ return fls(size); ++#else ++ return fls64(size); ++#endif ++} + + #endif /* __ASSEMBLY__ */ + +-- +2.20.1 + diff --git a/queue-4.14/ata-libahci-do-not-complain-in-case-of-deferred-prob.patch b/queue-4.14/ata-libahci-do-not-complain-in-case-of-deferred-prob.patch new file mode 100644 index 00000000000..ecb7b1cebad --- /dev/null +++ b/queue-4.14/ata-libahci-do-not-complain-in-case-of-deferred-prob.patch @@ -0,0 +1,36 @@ +From 1037aa21eaae5f46071338a313c891eafcdc2863 Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Wed, 31 Jul 2019 14:26:51 +0200 +Subject: ata: libahci: do not complain in case of deferred probe + +[ Upstream commit 090bb803708198e5ab6b0046398c7ed9f4d12d6b ] + +Retrieving PHYs can defer the probe, do not spawn an error when +-EPROBE_DEFER is returned, it is normal behavior. + +Fixes: b1a9edbda040 ("ata: libahci: allow to use multiple PHYs") +Reviewed-by: Hans de Goede +Signed-off-by: Miquel Raynal +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/libahci_platform.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/ata/libahci_platform.c b/drivers/ata/libahci_platform.c +index a270a1173c8cb..70cdbf1b0f9a3 100644 +--- a/drivers/ata/libahci_platform.c ++++ b/drivers/ata/libahci_platform.c +@@ -300,6 +300,9 @@ static int ahci_platform_get_phy(struct ahci_host_priv *hpriv, u32 port, + hpriv->phys[port] = NULL; + rc = 0; + break; ++ case -EPROBE_DEFER: ++ /* Do not complain yet */ ++ break; + + default: + dev_err(dev, +-- +2.20.1 + diff --git a/queue-4.14/clk-at91-generated-truncate-divisor-to-generated_max.patch b/queue-4.14/clk-at91-generated-truncate-divisor-to-generated_max.patch new file mode 100644 index 00000000000..361d8d14b5d --- /dev/null +++ b/queue-4.14/clk-at91-generated-truncate-divisor-to-generated_max.patch @@ -0,0 +1,39 @@ +From e8d54e4bf77d9069033c2c542358711e9dabd3aa Mon Sep 17 00:00:00 2001 +From: Codrin Ciubotariu +Date: Tue, 25 Jun 2019 12:10:02 +0300 +Subject: clk: at91: generated: Truncate divisor to GENERATED_MAX_DIV + 1 + +[ Upstream commit 1573eebeaa8055777eb753f9b4d1cbe653380c38 ] + +In clk_generated_determine_rate(), if the divisor is greater than +GENERATED_MAX_DIV + 1, then the wrong best_rate will be returned. +If clk_generated_set_rate() will be called later with this wrong +rate, it will return -EINVAL, so the generated clock won't change +its value. Do no let the divisor be greater than GENERATED_MAX_DIV + 1. + +Fixes: 8c7aa6328947 ("clk: at91: clk-generated: remove useless divisor loop") +Signed-off-by: Codrin Ciubotariu +Acked-by: Nicolas Ferre +Acked-by: Ludovic Desroches +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/at91/clk-generated.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/clk/at91/clk-generated.c b/drivers/clk/at91/clk-generated.c +index 33481368740e7..113152425a95d 100644 +--- a/drivers/clk/at91/clk-generated.c ++++ b/drivers/clk/at91/clk-generated.c +@@ -153,6 +153,8 @@ static int clk_generated_determine_rate(struct clk_hw *hw, + continue; + + div = DIV_ROUND_CLOSEST(parent_rate, req->rate); ++ if (div > GENERATED_MAX_DIV + 1) ++ div = GENERATED_MAX_DIV + 1; + + clk_generated_best_diff(req, parent, parent_rate, div, + &best_diff, &best_rate); +-- +2.20.1 + diff --git a/queue-4.14/clk-renesas-cpg-mssr-fix-reset-control-race-conditio.patch b/queue-4.14/clk-renesas-cpg-mssr-fix-reset-control-race-conditio.patch new file mode 100644 index 00000000000..8b928618203 --- /dev/null +++ b/queue-4.14/clk-renesas-cpg-mssr-fix-reset-control-race-conditio.patch @@ -0,0 +1,109 @@ +From 67d80a79c73500f9008b06cea4b70a4eb1615fd4 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Thu, 11 Jul 2019 15:03:59 +0200 +Subject: clk: renesas: cpg-mssr: Fix reset control race condition + +[ Upstream commit e1f1ae8002e4b06addc52443fcd975bbf554ae92 ] + +The module reset code in the Renesas CPG/MSSR driver uses +read-modify-write (RMW) operations to write to a Software Reset Register +(SRCRn), and simple writes to write to a Software Reset Clearing +Register (SRSTCLRn), as was mandated by the R-Car Gen2 and Gen3 Hardware +User's Manuals. + +However, this may cause a race condition when two devices are reset in +parallel: if the reset for device A completes in the middle of the RMW +operation for device B, device A may be reset again, causing subtle +failures (e.g. i2c timeouts): + + thread A thread B + -------- -------- + + val = SRCRn + val |= bit A + SRCRn = val + + delay + + val = SRCRn (bit A is set) + + SRSTCLRn = bit A + (bit A in SRCRn is cleared) + + val |= bit B + SRCRn = val (bit A and B are set) + +This can be reproduced on e.g. Salvator-XS using: + + $ while true; do i2cdump -f -y 4 0x6A b > /dev/null; done & + $ while true; do i2cdump -f -y 2 0x10 b > /dev/null; done & + + i2c-rcar e6510000.i2c: error -110 : 40000002 + i2c-rcar e66d8000.i2c: error -110 : 40000002 + +According to the R-Car Gen3 Hardware Manual Errata for Rev. +0.80 of Feb 28, 2018, reflected in Rev. 1.00 of the R-Car Gen3 Hardware +User's Manual, writes to SRCRn do not require read-modify-write cycles. + +Note that the R-Car Gen2 Hardware User's Manual has not been updated +yet, and still says a read-modify-write sequence is required. According +to the hardware team, the reset hardware block is the same on both R-Car +Gen2 and Gen3, though. + +Hence fix the issue by replacing the read-modify-write operations on +SRCRn by simple writes. + +Reported-by: Yao Lihua +Fixes: 6197aa65c4905532 ("clk: renesas: cpg-mssr: Add support for reset control") +Signed-off-by: Geert Uytterhoeven +Tested-by: Linh Phung +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/renesas/renesas-cpg-mssr.c | 16 ++-------------- + 1 file changed, 2 insertions(+), 14 deletions(-) + +diff --git a/drivers/clk/renesas/renesas-cpg-mssr.c b/drivers/clk/renesas/renesas-cpg-mssr.c +index 30c23b882675a..fe25d37ce9d39 100644 +--- a/drivers/clk/renesas/renesas-cpg-mssr.c ++++ b/drivers/clk/renesas/renesas-cpg-mssr.c +@@ -522,17 +522,11 @@ static int cpg_mssr_reset(struct reset_controller_dev *rcdev, + unsigned int reg = id / 32; + unsigned int bit = id % 32; + u32 bitmask = BIT(bit); +- unsigned long flags; +- u32 value; + + dev_dbg(priv->dev, "reset %u%02u\n", reg, bit); + + /* Reset module */ +- spin_lock_irqsave(&priv->rmw_lock, flags); +- value = readl(priv->base + SRCR(reg)); +- value |= bitmask; +- writel(value, priv->base + SRCR(reg)); +- spin_unlock_irqrestore(&priv->rmw_lock, flags); ++ writel(bitmask, priv->base + SRCR(reg)); + + /* Wait for at least one cycle of the RCLK clock (@ ca. 32 kHz) */ + udelay(35); +@@ -549,16 +543,10 @@ static int cpg_mssr_assert(struct reset_controller_dev *rcdev, unsigned long id) + unsigned int reg = id / 32; + unsigned int bit = id % 32; + u32 bitmask = BIT(bit); +- unsigned long flags; +- u32 value; + + dev_dbg(priv->dev, "assert %u%02u\n", reg, bit); + +- spin_lock_irqsave(&priv->rmw_lock, flags); +- value = readl(priv->base + SRCR(reg)); +- value |= bitmask; +- writel(value, priv->base + SRCR(reg)); +- spin_unlock_irqrestore(&priv->rmw_lock, flags); ++ writel(bitmask, priv->base + SRCR(reg)); + return 0; + } + +-- +2.20.1 + diff --git a/queue-4.14/drm-bridge-lvds-encoder-fix-build-error-while-config.patch b/queue-4.14/drm-bridge-lvds-encoder-fix-build-error-while-config.patch new file mode 100644 index 00000000000..e610cb4e041 --- /dev/null +++ b/queue-4.14/drm-bridge-lvds-encoder-fix-build-error-while-config.patch @@ -0,0 +1,40 @@ +From 835494f8e8d6879bfbe55605946e18445b41d6d7 Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Mon, 29 Jul 2019 15:12:16 +0800 +Subject: drm/bridge: lvds-encoder: Fix build error while + CONFIG_DRM_KMS_HELPER=m + +[ Upstream commit f4cc743a98136df3c3763050a0e8223b52d9a960 ] + +If DRM_LVDS_ENCODER=y but CONFIG_DRM_KMS_HELPER=m, +build fails: + +drivers/gpu/drm/bridge/lvds-encoder.o: In function `lvds_encoder_probe': +lvds-encoder.c:(.text+0x155): undefined reference to `devm_drm_panel_bridge_add' + +Reported-by: Hulk Robot +Fixes: dbb58bfd9ae6 ("drm/bridge: Fix lvds-encoder since the panel_bridge rework.") +Signed-off-by: YueHaibing +Reviewed-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20190729071216.27488-1-yuehaibing@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/bridge/Kconfig b/drivers/gpu/drm/bridge/Kconfig +index adf9ae0e0b7c9..85aa824317f01 100644 +--- a/drivers/gpu/drm/bridge/Kconfig ++++ b/drivers/gpu/drm/bridge/Kconfig +@@ -35,6 +35,7 @@ config DRM_DUMB_VGA_DAC + config DRM_LVDS_ENCODER + tristate "Transparent parallel to LVDS encoder support" + depends on OF ++ select DRM_KMS_HELPER + select DRM_PANEL_BRIDGE + help + Support for transparent parallel to LVDS encoders that don't require +-- +2.20.1 + diff --git a/queue-4.14/drm-msm-fix-add_gpu_components.patch b/queue-4.14/drm-msm-fix-add_gpu_components.patch new file mode 100644 index 00000000000..eb7b0b184ec --- /dev/null +++ b/queue-4.14/drm-msm-fix-add_gpu_components.patch @@ -0,0 +1,42 @@ +From 51ad0690bfec9f0b3bcb3793d4948ca2cdb6a04a Mon Sep 17 00:00:00 2001 +From: Jeffrey Hugo +Date: Wed, 26 Jun 2019 11:00:15 -0700 +Subject: drm: msm: Fix add_gpu_components + +[ Upstream commit 9ca7ad6c7706edeae331c1632d0c63897418ebad ] + +add_gpu_components() adds found GPU nodes from the DT to the match list, +regardless of the status of the nodes. This is a problem, because if the +nodes are disabled, they should not be on the match list because they will +not be matched. This prevents display from initing if a GPU node is +defined, but it's status is disabled. + +Fix this by checking the node's status before adding it to the match list. + +Fixes: dc3ea265b856 (drm/msm: Drop the gpu binding) +Reviewed-by: Rob Clark +Signed-off-by: Jeffrey Hugo +Signed-off-by: Sean Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20190626180015.45242-1-jeffrey.l.hugo@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/msm_drv.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c +index b970427e53a7a..77c45a2ebd833 100644 +--- a/drivers/gpu/drm/msm/msm_drv.c ++++ b/drivers/gpu/drm/msm/msm_drv.c +@@ -1060,7 +1060,8 @@ static int add_gpu_components(struct device *dev, + if (!np) + return 0; + +- drm_of_component_match_add(dev, matchptr, compare_of, np); ++ if (of_device_is_available(np)) ++ drm_of_component_match_add(dev, matchptr, compare_of, np); + + of_node_put(np); + +-- +2.20.1 + diff --git a/queue-4.14/exit-make-setting-exit_state-consistent.patch b/queue-4.14/exit-make-setting-exit_state-consistent.patch new file mode 100644 index 00000000000..dcf77aa59be --- /dev/null +++ b/queue-4.14/exit-make-setting-exit_state-consistent.patch @@ -0,0 +1,51 @@ +From 5c27da12d347a3cef4b7a6a14db182857ecbcd58 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Mon, 29 Jul 2019 17:48:24 +0200 +Subject: exit: make setting exit_state consistent + +[ Upstream commit 30b692d3b390c6fe78a5064be0c4bbd44a41be59 ] + +Since commit b191d6491be6 ("pidfd: fix a poll race when setting exit_state") +we unconditionally set exit_state to EXIT_ZOMBIE before calling into +do_notify_parent(). This was done to eliminate a race when querying +exit_state in do_notify_pidfd(). +Back then we decided to do the absolute minimal thing to fix this and +not touch the rest of the exit_notify() function where exit_state is +set. +Since this fix has not caused any issues change the setting of +exit_state to EXIT_DEAD in the autoreap case to account for the fact hat +exit_state is set to EXIT_ZOMBIE unconditionally. This fix was planned +but also explicitly requested in [1] and makes the whole code more +consistent. + +/* References */ +[1]: https://lore.kernel.org/lkml/CAHk-=wigcxGFR2szue4wavJtH5cYTTeNES=toUBVGsmX0rzX+g@mail.gmail.com + +Signed-off-by: Christian Brauner +Acked-by: Oleg Nesterov +Cc: Linus Torvalds +Signed-off-by: Sasha Levin +--- + kernel/exit.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/kernel/exit.c b/kernel/exit.c +index 15437cfdcd70d..c71e7ad4f7b48 100644 +--- a/kernel/exit.c ++++ b/kernel/exit.c +@@ -730,9 +730,10 @@ static void exit_notify(struct task_struct *tsk, int group_dead) + autoreap = true; + } + +- tsk->exit_state = autoreap ? EXIT_DEAD : EXIT_ZOMBIE; +- if (tsk->exit_state == EXIT_DEAD) ++ if (autoreap) { ++ tsk->exit_state = EXIT_DEAD; + list_add(&tsk->ptrace_entry, &dead); ++ } + + /* mt-exec, de_thread() is waiting for group leader */ + if (unlikely(tsk->signal->notify_count < 0)) +-- +2.20.1 + diff --git a/queue-4.14/ib-core-add-mitigation-for-spectre-v1.patch b/queue-4.14/ib-core-add-mitigation-for-spectre-v1.patch new file mode 100644 index 00000000000..1cccc2c2610 --- /dev/null +++ b/queue-4.14/ib-core-add-mitigation-for-spectre-v1.patch @@ -0,0 +1,52 @@ +From 8d07d7acbcc07e9646a13d9463e432cccfcdaed0 Mon Sep 17 00:00:00 2001 +From: "Luck, Tony" +Date: Tue, 30 Jul 2019 21:39:57 -0700 +Subject: IB/core: Add mitigation for Spectre V1 + +[ Upstream commit 61f259821dd3306e49b7d42a3f90fb5a4ff3351b ] + +Some processors may mispredict an array bounds check and +speculatively access memory that they should not. With +a user supplied array index we like to play things safe +by masking the value with the array size before it is +used as an index. + +Signed-off-by: Tony Luck +Link: https://lore.kernel.org/r/20190731043957.GA1600@agluck-desk2.amr.corp.intel.com +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/user_mad.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c +index 6511cb21f6e20..4a137bf584b04 100644 +--- a/drivers/infiniband/core/user_mad.c ++++ b/drivers/infiniband/core/user_mad.c +@@ -49,6 +49,7 @@ + #include + #include + #include ++#include + + #include + +@@ -856,11 +857,14 @@ static int ib_umad_unreg_agent(struct ib_umad_file *file, u32 __user *arg) + + if (get_user(id, arg)) + return -EFAULT; ++ if (id >= IB_UMAD_MAX_AGENTS) ++ return -EINVAL; + + mutex_lock(&file->port->file_mutex); + mutex_lock(&file->mutex); + +- if (id >= IB_UMAD_MAX_AGENTS || !__get_agent(file, id)) { ++ id = array_index_nospec(id, IB_UMAD_MAX_AGENTS); ++ if (!__get_agent(file, id)) { + ret = -EINVAL; + goto out; + } +-- +2.20.1 + diff --git a/queue-4.14/ib-mad-fix-use-after-free-in-ib-mad-completion-handl.patch b/queue-4.14/ib-mad-fix-use-after-free-in-ib-mad-completion-handl.patch new file mode 100644 index 00000000000..906fe8513e9 --- /dev/null +++ b/queue-4.14/ib-mad-fix-use-after-free-in-ib-mad-completion-handl.patch @@ -0,0 +1,150 @@ +From 7867ac4beb79cd4ec1da12d432dc33afbe792104 Mon Sep 17 00:00:00 2001 +From: Jack Morgenstein +Date: Thu, 1 Aug 2019 15:14:49 +0300 +Subject: IB/mad: Fix use-after-free in ib mad completion handling + +[ Upstream commit 770b7d96cfff6a8bf6c9f261ba6f135dc9edf484 ] + +We encountered a use-after-free bug when unloading the driver: + +[ 3562.116059] BUG: KASAN: use-after-free in ib_mad_post_receive_mads+0xddc/0xed0 [ib_core] +[ 3562.117233] Read of size 4 at addr ffff8882ca5aa868 by task kworker/u13:2/23862 +[ 3562.118385] +[ 3562.119519] CPU: 2 PID: 23862 Comm: kworker/u13:2 Tainted: G OE 5.1.0-for-upstream-dbg-2019-05-19_16-44-30-13 #1 +[ 3562.121806] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu2 04/01/2014 +[ 3562.123075] Workqueue: ib-comp-unb-wq ib_cq_poll_work [ib_core] +[ 3562.124383] Call Trace: +[ 3562.125640] dump_stack+0x9a/0xeb +[ 3562.126911] print_address_description+0xe3/0x2e0 +[ 3562.128223] ? ib_mad_post_receive_mads+0xddc/0xed0 [ib_core] +[ 3562.129545] __kasan_report+0x15c/0x1df +[ 3562.130866] ? ib_mad_post_receive_mads+0xddc/0xed0 [ib_core] +[ 3562.132174] kasan_report+0xe/0x20 +[ 3562.133514] ib_mad_post_receive_mads+0xddc/0xed0 [ib_core] +[ 3562.134835] ? find_mad_agent+0xa00/0xa00 [ib_core] +[ 3562.136158] ? qlist_free_all+0x51/0xb0 +[ 3562.137498] ? mlx4_ib_sqp_comp_worker+0x1970/0x1970 [mlx4_ib] +[ 3562.138833] ? quarantine_reduce+0x1fa/0x270 +[ 3562.140171] ? kasan_unpoison_shadow+0x30/0x40 +[ 3562.141522] ib_mad_recv_done+0xdf6/0x3000 [ib_core] +[ 3562.142880] ? _raw_spin_unlock_irqrestore+0x46/0x70 +[ 3562.144277] ? ib_mad_send_done+0x1810/0x1810 [ib_core] +[ 3562.145649] ? mlx4_ib_destroy_cq+0x2a0/0x2a0 [mlx4_ib] +[ 3562.147008] ? _raw_spin_unlock_irqrestore+0x46/0x70 +[ 3562.148380] ? debug_object_deactivate+0x2b9/0x4a0 +[ 3562.149814] __ib_process_cq+0xe2/0x1d0 [ib_core] +[ 3562.151195] ib_cq_poll_work+0x45/0xf0 [ib_core] +[ 3562.152577] process_one_work+0x90c/0x1860 +[ 3562.153959] ? pwq_dec_nr_in_flight+0x320/0x320 +[ 3562.155320] worker_thread+0x87/0xbb0 +[ 3562.156687] ? __kthread_parkme+0xb6/0x180 +[ 3562.158058] ? process_one_work+0x1860/0x1860 +[ 3562.159429] kthread+0x320/0x3e0 +[ 3562.161391] ? kthread_park+0x120/0x120 +[ 3562.162744] ret_from_fork+0x24/0x30 +... +[ 3562.187615] Freed by task 31682: +[ 3562.188602] save_stack+0x19/0x80 +[ 3562.189586] __kasan_slab_free+0x11d/0x160 +[ 3562.190571] kfree+0xf5/0x2f0 +[ 3562.191552] ib_mad_port_close+0x200/0x380 [ib_core] +[ 3562.192538] ib_mad_remove_device+0xf0/0x230 [ib_core] +[ 3562.193538] remove_client_context+0xa6/0xe0 [ib_core] +[ 3562.194514] disable_device+0x14e/0x260 [ib_core] +[ 3562.195488] __ib_unregister_device+0x79/0x150 [ib_core] +[ 3562.196462] ib_unregister_device+0x21/0x30 [ib_core] +[ 3562.197439] mlx4_ib_remove+0x162/0x690 [mlx4_ib] +[ 3562.198408] mlx4_remove_device+0x204/0x2c0 [mlx4_core] +[ 3562.199381] mlx4_unregister_interface+0x49/0x1d0 [mlx4_core] +[ 3562.200356] mlx4_ib_cleanup+0xc/0x1d [mlx4_ib] +[ 3562.201329] __x64_sys_delete_module+0x2d2/0x400 +[ 3562.202288] do_syscall_64+0x95/0x470 +[ 3562.203277] entry_SYSCALL_64_after_hwframe+0x49/0xbe + +The problem was that the MAD PD was deallocated before the MAD CQ. +There was completion work pending for the CQ when the PD got deallocated. +When the mad completion handling reached procedure +ib_mad_post_receive_mads(), we got a use-after-free bug in the following +line of code in that procedure: + sg_list.lkey = qp_info->port_priv->pd->local_dma_lkey; +(the pd pointer in the above line is no longer valid, because the +pd has been deallocated). + +We fix this by allocating the PD before the CQ in procedure +ib_mad_port_open(), and deallocating the PD after freeing the CQ +in procedure ib_mad_port_close(). + +Since the CQ completion work queue is flushed during ib_free_cq(), +no completions will be pending for that CQ when the PD is later +deallocated. + +Note that freeing the CQ before deallocating the PD is the practice +in the ULPs. + +Fixes: 4be90bc60df4 ("IB/mad: Remove ib_get_dma_mr calls") +Signed-off-by: Jack Morgenstein +Signed-off-by: Leon Romanovsky +Link: https://lore.kernel.org/r/20190801121449.24973-1-leon@kernel.org +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/mad.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c +index 55252079faf65..49b6da1d990fc 100644 +--- a/drivers/infiniband/core/mad.c ++++ b/drivers/infiniband/core/mad.c +@@ -3170,18 +3170,18 @@ static int ib_mad_port_open(struct ib_device *device, + if (has_smi) + cq_size *= 2; + ++ port_priv->pd = ib_alloc_pd(device, 0); ++ if (IS_ERR(port_priv->pd)) { ++ dev_err(&device->dev, "Couldn't create ib_mad PD\n"); ++ ret = PTR_ERR(port_priv->pd); ++ goto error3; ++ } ++ + port_priv->cq = ib_alloc_cq(port_priv->device, port_priv, cq_size, 0, + IB_POLL_WORKQUEUE); + if (IS_ERR(port_priv->cq)) { + dev_err(&device->dev, "Couldn't create ib_mad CQ\n"); + ret = PTR_ERR(port_priv->cq); +- goto error3; +- } +- +- port_priv->pd = ib_alloc_pd(device, 0); +- if (IS_ERR(port_priv->pd)) { +- dev_err(&device->dev, "Couldn't create ib_mad PD\n"); +- ret = PTR_ERR(port_priv->pd); + goto error4; + } + +@@ -3224,11 +3224,11 @@ error8: + error7: + destroy_mad_qp(&port_priv->qp_info[0]); + error6: +- ib_dealloc_pd(port_priv->pd); +-error4: + ib_free_cq(port_priv->cq); + cleanup_recv_queue(&port_priv->qp_info[1]); + cleanup_recv_queue(&port_priv->qp_info[0]); ++error4: ++ ib_dealloc_pd(port_priv->pd); + error3: + kfree(port_priv); + +@@ -3258,8 +3258,8 @@ static int ib_mad_port_close(struct ib_device *device, int port_num) + destroy_workqueue(port_priv->wq); + destroy_mad_qp(&port_priv->qp_info[1]); + destroy_mad_qp(&port_priv->qp_info[0]); +- ib_dealloc_pd(port_priv->pd); + ib_free_cq(port_priv->cq); ++ ib_dealloc_pd(port_priv->pd); + cleanup_recv_queue(&port_priv->qp_info[1]); + cleanup_recv_queue(&port_priv->qp_info[0]); + /* XXX: Handle deallocation of MAD registration tables */ +-- +2.20.1 + diff --git a/queue-4.14/irqchip-gic-v3-its-free-unused-vpt_page-when-alloc-v.patch b/queue-4.14/irqchip-gic-v3-its-free-unused-vpt_page-when-alloc-v.patch new file mode 100644 index 00000000000..c99c9007680 --- /dev/null +++ b/queue-4.14/irqchip-gic-v3-its-free-unused-vpt_page-when-alloc-v.patch @@ -0,0 +1,38 @@ +From d01822aa6b4b2171e6e87882ca78566facd23943 Mon Sep 17 00:00:00 2001 +From: Nianyao Tang +Date: Fri, 26 Jul 2019 17:32:57 +0800 +Subject: irqchip/gic-v3-its: Free unused vpt_page when alloc vpe table fail + +[ Upstream commit 34f8eb92ca053cbba2887bb7e4dbf2b2cd6eb733 ] + +In its_vpe_init, when its_alloc_vpe_table fails, we should free +vpt_page allocated just before, instead of vpe->vpt_page. +Let's fix it. + +Cc: Thomas Gleixner +Cc: Jason Cooper +Cc: Marc Zyngier +Signed-off-by: Nianyao Tang +Signed-off-by: Shaokun Zhang +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-gic-v3-its.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c +index 121fb552f8734..f80666acb9efd 100644 +--- a/drivers/irqchip/irq-gic-v3-its.c ++++ b/drivers/irqchip/irq-gic-v3-its.c +@@ -2631,7 +2631,7 @@ static int its_vpe_init(struct its_vpe *vpe) + + if (!its_alloc_vpe_table(vpe_id)) { + its_vpe_id_free(vpe_id); +- its_free_pending_table(vpe->vpt_page); ++ its_free_pending_table(vpt_page); + return -ENOMEM; + } + +-- +2.20.1 + diff --git a/queue-4.14/irqchip-irq-imx-gpcv2-forward-irq-type-to-parent.patch b/queue-4.14/irqchip-irq-imx-gpcv2-forward-irq-type-to-parent.patch new file mode 100644 index 00000000000..d600aea34a0 --- /dev/null +++ b/queue-4.14/irqchip-irq-imx-gpcv2-forward-irq-type-to-parent.patch @@ -0,0 +1,33 @@ +From c1c26a4abbcea97c3e55dbb73e7bafae62ff72f6 Mon Sep 17 00:00:00 2001 +From: Lucas Stach +Date: Fri, 12 Jul 2019 15:29:05 +0200 +Subject: irqchip/irq-imx-gpcv2: Forward irq type to parent + +[ Upstream commit 9a446ef08f3bfc0c3deb9c6be840af2528ef8cf8 ] + +The GPCv2 is a stacked IRQ controller below the ARM GIC. It doesn't +care about the IRQ type itself, but needs to forward the type to the +parent IRQ controller, so this one can be configured correctly. + +Signed-off-by: Lucas Stach +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-imx-gpcv2.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/irqchip/irq-imx-gpcv2.c b/drivers/irqchip/irq-imx-gpcv2.c +index 675eda5ff2b85..e4831491a3c49 100644 +--- a/drivers/irqchip/irq-imx-gpcv2.c ++++ b/drivers/irqchip/irq-imx-gpcv2.c +@@ -145,6 +145,7 @@ static struct irq_chip gpcv2_irqchip_data_chip = { + .irq_unmask = imx_gpcv2_irq_unmask, + .irq_set_wake = imx_gpcv2_irq_set_wake, + .irq_retrigger = irq_chip_retrigger_hierarchy, ++ .irq_set_type = irq_chip_set_type_parent, + #ifdef CONFIG_SMP + .irq_set_affinity = irq_chip_set_affinity_parent, + #endif +-- +2.20.1 + diff --git a/queue-4.14/kbuild-modpost-handle-kbuild_extra_symbols-only-for-.patch b/queue-4.14/kbuild-modpost-handle-kbuild_extra_symbols-only-for-.patch new file mode 100644 index 00000000000..6fcae40b095 --- /dev/null +++ b/queue-4.14/kbuild-modpost-handle-kbuild_extra_symbols-only-for-.patch @@ -0,0 +1,36 @@ +From 9fe8f1d4d865a175e08395b1b812c43a5e1d6b97 Mon Sep 17 00:00:00 2001 +From: Masahiro Yamada +Date: Wed, 31 Jul 2019 00:59:00 +0900 +Subject: kbuild: modpost: handle KBUILD_EXTRA_SYMBOLS only for external + modules + +[ Upstream commit cb4819934a7f9b87876f11ed05b8624c0114551b ] + +KBUILD_EXTRA_SYMBOLS makes sense only when building external modules. +Moreover, the modpost sets 'external_module' if the -e option is given. + +I replaced $(patsubst %, -e %,...) with simpler $(addprefix -e,...) +while I was here. + +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/Makefile.modpost | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/Makefile.modpost b/scripts/Makefile.modpost +index 991db7d6e4df8..cf6f33b2633d5 100644 +--- a/scripts/Makefile.modpost ++++ b/scripts/Makefile.modpost +@@ -75,7 +75,7 @@ modpost = scripts/mod/modpost \ + $(if $(CONFIG_MODULE_SRCVERSION_ALL),-a,) \ + $(if $(KBUILD_EXTMOD),-i,-o) $(kernelsymfile) \ + $(if $(KBUILD_EXTMOD),-I $(modulesymfile)) \ +- $(if $(KBUILD_EXTRA_SYMBOLS), $(patsubst %, -e %,$(KBUILD_EXTRA_SYMBOLS))) \ ++ $(if $(KBUILD_EXTMOD),$(addprefix -e ,$(KBUILD_EXTRA_SYMBOLS))) \ + $(if $(KBUILD_EXTMOD),-o $(modulesymfile)) \ + $(if $(CONFIG_DEBUG_SECTION_MISMATCH),,-S) \ + $(if $(CONFIG_SECTION_MISMATCH_WARN_ONLY),,-E) \ +-- +2.20.1 + diff --git a/queue-4.14/libata-zpodd-fix-small-read-overflow-in-zpodd_get_me.patch b/queue-4.14/libata-zpodd-fix-small-read-overflow-in-zpodd_get_me.patch new file mode 100644 index 00000000000..ce9050e7d64 --- /dev/null +++ b/queue-4.14/libata-zpodd-fix-small-read-overflow-in-zpodd_get_me.patch @@ -0,0 +1,50 @@ +From 1dda8f5eb9293c10d7ce97687c8a7dadb7ce2f88 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Mon, 29 Jul 2019 14:47:22 -0700 +Subject: libata: zpodd: Fix small read overflow in zpodd_get_mech_type() + +[ Upstream commit 71d6c505b4d9e6f76586350450e785e3d452b346 ] + +Jeffrin reported a KASAN issue: + + BUG: KASAN: global-out-of-bounds in ata_exec_internal_sg+0x50f/0xc70 + Read of size 16 at addr ffffffff91f41f80 by task scsi_eh_1/149 + ... + The buggy address belongs to the variable: + cdb.48319+0x0/0x40 + +Much like commit 18c9a99bce2a ("libata: zpodd: small read overflow in +eject_tray()"), this fixes a cdb[] buffer length, this time in +zpodd_get_mech_type(): + +We read from the cdb[] buffer in ata_exec_internal_sg(). It has to be +ATAPI_CDB_LEN (16) bytes long, but this buffer is only 12 bytes. + +Reported-by: Jeffrin Jose T +Fixes: afe759511808c ("libata: identify and init ZPODD devices") +Link: https://lore.kernel.org/lkml/201907181423.E808958@keescook/ +Tested-by: Jeffrin Jose T +Reviewed-by: Nick Desaulniers +Signed-off-by: Kees Cook +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-zpodd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ata/libata-zpodd.c b/drivers/ata/libata-zpodd.c +index 173e6f2dd9af0..eefda51f97d35 100644 +--- a/drivers/ata/libata-zpodd.c ++++ b/drivers/ata/libata-zpodd.c +@@ -56,7 +56,7 @@ static enum odd_mech_type zpodd_get_mech_type(struct ata_device *dev) + unsigned int ret; + struct rm_feature_desc *desc; + struct ata_taskfile tf; +- static const char cdb[] = { GPCMD_GET_CONFIGURATION, ++ static const char cdb[ATAPI_CDB_LEN] = { GPCMD_GET_CONFIGURATION, + 2, /* only 1 feature descriptor requested */ + 0, 3, /* 3, removable medium feature */ + 0, 0, 0,/* reserved */ +-- +2.20.1 + diff --git a/queue-4.14/ocfs2-remove-set-but-not-used-variable-last_hash.patch b/queue-4.14/ocfs2-remove-set-but-not-used-variable-last_hash.patch new file mode 100644 index 00000000000..eff75152f79 --- /dev/null +++ b/queue-4.14/ocfs2-remove-set-but-not-used-variable-last_hash.patch @@ -0,0 +1,54 @@ +From a36c5ec23c054c4ec3fb207eb9ce0b482313f536 Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Fri, 2 Aug 2019 21:48:40 -0700 +Subject: ocfs2: remove set but not used variable 'last_hash' + +[ Upstream commit 7bc36e3ce91471b6377c8eadc0a2f220a2280083 ] + +Fixes gcc '-Wunused-but-set-variable' warning: + + fs/ocfs2/xattr.c: In function ocfs2_xattr_bucket_find: + fs/ocfs2/xattr.c:3828:6: warning: variable last_hash set but not used [-Wunused-but-set-variable] + +It's never used and can be removed. + +Link: http://lkml.kernel.org/r/20190716132110.34836-1-yuehaibing@huawei.com +Signed-off-by: YueHaibing +Acked-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ocfs2/xattr.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c +index fb0a4eec310ce..77740ef5a8e85 100644 +--- a/fs/ocfs2/xattr.c ++++ b/fs/ocfs2/xattr.c +@@ -3832,7 +3832,6 @@ static int ocfs2_xattr_bucket_find(struct inode *inode, + u16 blk_per_bucket = ocfs2_blocks_per_xattr_bucket(inode->i_sb); + int low_bucket = 0, bucket, high_bucket; + struct ocfs2_xattr_bucket *search; +- u32 last_hash; + u64 blkno, lower_blkno = 0; + + search = ocfs2_xattr_bucket_new(inode); +@@ -3876,8 +3875,6 @@ static int ocfs2_xattr_bucket_find(struct inode *inode, + if (xh->xh_count) + xe = &xh->xh_entries[le16_to_cpu(xh->xh_count) - 1]; + +- last_hash = le32_to_cpu(xe->xe_name_hash); +- + /* record lower_blkno which may be the insert place. */ + lower_blkno = blkno; + +-- +2.20.1 + diff --git a/queue-4.14/perf-header-fix-divide-by-zero-error-if-f_header.att.patch b/queue-4.14/perf-header-fix-divide-by-zero-error-if-f_header.att.patch new file mode 100644 index 00000000000..e14414347d8 --- /dev/null +++ b/queue-4.14/perf-header-fix-divide-by-zero-error-if-f_header.att.patch @@ -0,0 +1,52 @@ +From 603ba41e825f4e0b5b35454a3988cbed35ae6bb3 Mon Sep 17 00:00:00 2001 +From: Vince Weaver +Date: Tue, 23 Jul 2019 11:06:01 -0400 +Subject: perf header: Fix divide by zero error if f_header.attr_size==0 + +[ Upstream commit 7622236ceb167aa3857395f9bdaf871442aa467e ] + +So I have been having lots of trouble with hand-crafted perf.data files +causing segfaults and the like, so I have started fuzzing the perf tool. + +First issue found: + +If f_header.attr_size is 0 in the perf.data file, then perf will crash +with a divide-by-zero error. + +Committer note: + +Added a pr_err() to tell the user why the command failed. + +Signed-off-by: Vince Weaver +Cc: Alexander Shishkin +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/alpine.DEB.2.21.1907231100440.14532@macbook-air +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/header.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c +index c892a28e7b048..baec3e9833256 100644 +--- a/tools/perf/util/header.c ++++ b/tools/perf/util/header.c +@@ -2901,6 +2901,13 @@ int perf_session__read_header(struct perf_session *session) + file->path); + } + ++ if (f_header.attr_size == 0) { ++ pr_err("ERROR: The %s file's attr size field is 0 which is unexpected.\n" ++ "Was the 'perf record' command properly terminated?\n", ++ data->file.path); ++ return -EINVAL; ++ } ++ + nr_attrs = f_header.attrs.size / f_header.attr_size; + lseek(fd, f_header.attrs.offset, SEEK_SET); + +-- +2.20.1 + diff --git a/queue-4.14/perf-header-fix-use-of-unitialized-value-warning.patch b/queue-4.14/perf-header-fix-use-of-unitialized-value-warning.patch new file mode 100644 index 00000000000..6bd3de1b88e --- /dev/null +++ b/queue-4.14/perf-header-fix-use-of-unitialized-value-warning.patch @@ -0,0 +1,68 @@ +From bff5ef10bb1b1e3c8ccdaa11cf4be746fe9bb015 Mon Sep 17 00:00:00 2001 +From: Numfor Mbiziwo-Tiapo +Date: Wed, 24 Jul 2019 16:44:58 -0700 +Subject: perf header: Fix use of unitialized value warning + +[ Upstream commit 20f9781f491360e7459c589705a2e4b1f136bee9 ] + +When building our local version of perf with MSAN (Memory Sanitizer) and +running the perf record command, MSAN throws a use of uninitialized +value warning in "tools/perf/util/util.c:333:6". + +This warning stems from the "buf" variable being passed into "write". +It originated as the variable "ev" with the type union perf_event* +defined in the "perf_event__synthesize_attr" function in +"tools/perf/util/header.c". + +In the "perf_event__synthesize_attr" function they allocate space with a malloc +call using ev, then go on to only assign some of the member variables before +passing "ev" on as a parameter to the "process" function therefore "ev" +contains uninitialized memory. Changing the malloc call to zalloc to initialize +all the members of "ev" which gets rid of the warning. + +To reproduce this warning, build perf by running: +make -C tools/perf CLANG=1 CC=clang EXTRA_CFLAGS="-fsanitize=memory\ + -fsanitize-memory-track-origins" + +(Additionally, llvm might have to be installed and clang might have to +be specified as the compiler - export CC=/usr/bin/clang) + +then running: +tools/perf/perf record -o - ls / | tools/perf/perf --no-pager annotate\ + -i - --stdio + +Please see the cover letter for why false positive warnings may be +generated. + +Signed-off-by: Numfor Mbiziwo-Tiapo +Cc: Alexander Shishkin +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Mark Drayton +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Song Liu +Cc: Stephane Eranian +Link: http://lkml.kernel.org/r/20190724234500.253358-2-nums@google.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/header.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c +index baec3e9833256..f03ba775f8be6 100644 +--- a/tools/perf/util/header.c ++++ b/tools/perf/util/header.c +@@ -2990,7 +2990,7 @@ int perf_event__synthesize_attr(struct perf_tool *tool, + size += sizeof(struct perf_event_header); + size += ids * sizeof(u64); + +- ev = malloc(size); ++ ev = zalloc(size); + + if (ev == NULL) + return -ENOMEM; +-- +2.20.1 + diff --git a/queue-4.14/scsi-hpsa-correct-scsi-command-status-issue-after-re.patch b/queue-4.14/scsi-hpsa-correct-scsi-command-status-issue-after-re.patch new file mode 100644 index 00000000000..bf5b254707e --- /dev/null +++ b/queue-4.14/scsi-hpsa-correct-scsi-command-status-issue-after-re.patch @@ -0,0 +1,59 @@ +From 191cc4d30680f6e8ccb2faf2f8837e099362910c Mon Sep 17 00:00:00 2001 +From: Don Brace +Date: Wed, 24 Jul 2019 17:08:06 -0500 +Subject: scsi: hpsa: correct scsi command status issue after reset + +[ Upstream commit eeebce1862970653cdf5c01e98bc669edd8f529a ] + +Reviewed-by: Bader Ali - Saleh +Reviewed-by: Scott Teel +Reviewed-by: Scott Benesh +Reviewed-by: Kevin Barnett +Signed-off-by: Don Brace +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/hpsa.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c +index 6d520e8945f73..3b892918d8219 100644 +--- a/drivers/scsi/hpsa.c ++++ b/drivers/scsi/hpsa.c +@@ -2266,6 +2266,8 @@ static int handle_ioaccel_mode2_error(struct ctlr_info *h, + case IOACCEL2_SERV_RESPONSE_COMPLETE: + switch (c2->error_data.status) { + case IOACCEL2_STATUS_SR_TASK_COMP_GOOD: ++ if (cmd) ++ cmd->result = 0; + break; + case IOACCEL2_STATUS_SR_TASK_COMP_CHK_COND: + cmd->result |= SAM_STAT_CHECK_CONDITION; +@@ -2425,8 +2427,10 @@ static void process_ioaccel2_completion(struct ctlr_info *h, + + /* check for good status */ + if (likely(c2->error_data.serv_response == 0 && +- c2->error_data.status == 0)) ++ c2->error_data.status == 0)) { ++ cmd->result = 0; + return hpsa_cmd_free_and_done(h, c, cmd); ++ } + + /* + * Any RAID offload error results in retry which will use +@@ -5494,6 +5498,12 @@ static int hpsa_scsi_queue_command(struct Scsi_Host *sh, struct scsi_cmnd *cmd) + } + c = cmd_tagged_alloc(h, cmd); + ++ /* ++ * This is necessary because the SML doesn't zero out this field during ++ * error recovery. ++ */ ++ cmd->result = 0; ++ + /* + * Call alternate submit routine for I/O accelerated commands. + * Retries always go down the normal I/O path. +-- +2.20.1 + diff --git a/queue-4.14/scsi-qla2xxx-fix-possible-fcport-null-pointer-derefe.patch b/queue-4.14/scsi-qla2xxx-fix-possible-fcport-null-pointer-derefe.patch new file mode 100644 index 00000000000..3627377b682 --- /dev/null +++ b/queue-4.14/scsi-qla2xxx-fix-possible-fcport-null-pointer-derefe.patch @@ -0,0 +1,48 @@ +From d1c03ebe9fa8c379ab08119c1e1e775bbc444680 Mon Sep 17 00:00:00 2001 +From: Jia-Ju Bai +Date: Mon, 29 Jul 2019 16:44:51 +0800 +Subject: scsi: qla2xxx: Fix possible fcport null-pointer dereferences + +[ Upstream commit e82f04ec6ba91065fd33a6201ffd7cab840e1475 ] + +In qla2x00_alloc_fcport(), fcport is assigned to NULL in the error +handling code on line 4880: + fcport = NULL; + +Then fcport is used on lines 4883-4886: + INIT_WORK(&fcport->del_work, qla24xx_delete_sess_fn); + INIT_WORK(&fcport->reg_work, qla_register_fcport_fn); + INIT_LIST_HEAD(&fcport->gnl_entry); + INIT_LIST_HEAD(&fcport->list); + +Thus, possible null-pointer dereferences may occur. + +To fix these bugs, qla2x00_alloc_fcport() directly returns NULL +in the error handling code. + +These bugs are found by a static analysis tool STCheck written by us. + +Signed-off-by: Jia-Ju Bai +Acked-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_init.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c +index aef1e1a555350..0e154fea693e7 100644 +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -4252,7 +4252,7 @@ qla2x00_alloc_fcport(scsi_qla_host_t *vha, gfp_t flags) + ql_log(ql_log_warn, vha, 0xd049, + "Failed to allocate ct_sns request.\n"); + kfree(fcport); +- fcport = NULL; ++ return NULL; + } + INIT_WORK(&fcport->del_work, qla24xx_delete_sess_fn); + INIT_LIST_HEAD(&fcport->gnl_entry); +-- +2.20.1 + diff --git a/queue-4.14/series b/queue-4.14/series index 7ae37375e9a..92649d177a7 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -18,3 +18,25 @@ input-kbtab-sanity-check-for-endpoint-type.patch input-iforce-add-sanity-checks.patch net-usb-pegasus-fix-improper-read-if-get_registers-fail.patch netfilter-ebtables-also-count-base-chain-policies.patch +clk-at91-generated-truncate-divisor-to-generated_max.patch +clk-renesas-cpg-mssr-fix-reset-control-race-conditio.patch +xen-pciback-remove-set-but-not-used-variable-old_sta.patch +irqchip-gic-v3-its-free-unused-vpt_page-when-alloc-v.patch +irqchip-irq-imx-gpcv2-forward-irq-type-to-parent.patch +perf-header-fix-divide-by-zero-error-if-f_header.att.patch +perf-header-fix-use-of-unitialized-value-warning.patch +libata-zpodd-fix-small-read-overflow-in-zpodd_get_me.patch +drm-bridge-lvds-encoder-fix-build-error-while-config.patch +scsi-hpsa-correct-scsi-command-status-issue-after-re.patch +scsi-qla2xxx-fix-possible-fcport-null-pointer-derefe.patch +exit-make-setting-exit_state-consistent.patch +ata-libahci-do-not-complain-in-case-of-deferred-prob.patch +kbuild-modpost-handle-kbuild_extra_symbols-only-for-.patch +arm64-efi-fix-variable-si-set-but-not-used.patch +arm64-unwind-prohibit-probing-on-return_address.patch +arm64-mm-fix-variable-pud-set-but-not-used.patch +ib-core-add-mitigation-for-spectre-v1.patch +ib-mad-fix-use-after-free-in-ib-mad-completion-handl.patch +drm-msm-fix-add_gpu_components.patch +ocfs2-remove-set-but-not-used-variable-last_hash.patch +asm-generic-fix-wtype-limits-compiler-warnings.patch diff --git a/queue-4.14/xen-pciback-remove-set-but-not-used-variable-old_sta.patch b/queue-4.14/xen-pciback-remove-set-but-not-used-variable-old_sta.patch new file mode 100644 index 00000000000..c95c0de678d --- /dev/null +++ b/queue-4.14/xen-pciback-remove-set-but-not-used-variable-old_sta.patch @@ -0,0 +1,46 @@ +From 7b3f31fa6de7caec957b996b2fc1030153718392 Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Wed, 24 Jul 2019 22:08:50 +0800 +Subject: xen/pciback: remove set but not used variable 'old_state' + +[ Upstream commit 09e088a4903bd0dd911b4f1732b250130cdaffed ] + +Fixes gcc '-Wunused-but-set-variable' warning: + +drivers/xen/xen-pciback/conf_space_capability.c: In function pm_ctrl_write: +drivers/xen/xen-pciback/conf_space_capability.c:119:25: warning: + variable old_state set but not used [-Wunused-but-set-variable] + +It is never used so can be removed. + +Reported-by: Hulk Robot +Signed-off-by: YueHaibing +Reviewed-by: Boris Ostrovsky +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + drivers/xen/xen-pciback/conf_space_capability.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/xen/xen-pciback/conf_space_capability.c b/drivers/xen/xen-pciback/conf_space_capability.c +index 73427d8e01161..e5694133ebe57 100644 +--- a/drivers/xen/xen-pciback/conf_space_capability.c ++++ b/drivers/xen/xen-pciback/conf_space_capability.c +@@ -116,13 +116,12 @@ static int pm_ctrl_write(struct pci_dev *dev, int offset, u16 new_value, + { + int err; + u16 old_value; +- pci_power_t new_state, old_state; ++ pci_power_t new_state; + + err = pci_read_config_word(dev, offset, &old_value); + if (err) + goto out; + +- old_state = (pci_power_t)(old_value & PCI_PM_CTRL_STATE_MASK); + new_state = (pci_power_t)(new_value & PCI_PM_CTRL_STATE_MASK); + + new_value &= PM_OK_BITS; +-- +2.20.1 +