From: Greg Kroah-Hartman
Date: Fri, 11 Jan 2019 13:14:13 +0000 (+0100)
Subject: 4.20-stable patches
X-Git-Tag: v4.20.2~8
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c96945002706f9dd99f546e949cbb7ee9bebe50c;p=thirdparty%2Fkernel%2Fstable-queue.git

4.20-stable patches

added patches:
ceph-don-t-update-importing-cap-s-mseq-when-handing-cap-export.patch
drivers-perf-hisi-fixup-one-ddrc-pmu-register-offset.patch
drm-nouveau-drm-nouveau-check-rc-from-drm_dp_mst_topology_mgr_resume.patch
drm-rockchip-psr-do-not-dereference-encoder-before-it-is-null-checked.patch
drm-vc4-set-is_yuv-to-false-when-num_planes-1.patch
genwqe-fix-size-check.patch
intel_th-msu-fix-an-off-by-one-in-attribute-store.patch
lib-fix-build-failure-in-config_debug_virtual-test.patch
of-__of_detach_node-remove-node-from-phandle-cache.patch
of-of_node_get-of_node_put-nodes-held-in-phandle-cache.patch
power-supply-olpc_battery-correct-the-temperature-units.patch
powerpc-4xx-ocm-fix-compilation-error-due-to-page_kernel-usage.patch
selftests-fix-test-errors-related-to-lib.mk-khdr-target.patch
video-fbdev-pxafb-fix-warning-invalid-free-of-devm_-allocated-data.patch
---
diff --git a/queue-4.20/ceph-don-t-update-importing-cap-s-mseq-when-handing-cap-export.patch b/queue-4.20/ceph-don-t-update-importing-cap-s-mseq-when-handing-cap-export.patch
new file mode 100644
index 00000000000..ea055ebcb0e
--- /dev/null
+++ b/queue-4.20/ceph-don-t-update-importing-cap-s-mseq-when-handing-cap-export.patch
@@ -0,0 +1,35 @@ +From 3c1392d4c49962a31874af14ae9ff289cb2b3851 Mon Sep 17 00:00:00 2001 +From: "Yan, Zheng" +Date: Thu, 29 Nov 2018 11:22:50 +0800 +Subject: ceph: don't update importing cap's mseq when handing cap export + +From: Yan, Zheng + +commit 3c1392d4c49962a31874af14ae9ff289cb2b3851 upstream. + +Updating mseq makes client think importer mds has accepted all prior +cap messages and importer mds knows what caps client wants. Actually +some cap messages may have been dropped because of mseq mismatch. + +If mseq is left untouched, importing cap's mds_wanted later will get +reset by cap import message. + +Cc: stable@vger.kernel.org +Signed-off-by: "Yan, Zheng" +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ceph/caps.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/fs/ceph/caps.c ++++ b/fs/ceph/caps.c +@@ -3569,7 +3569,6 @@ retry: + tcap->cap_id = t_cap_id; + tcap->seq = t_seq - 1; + tcap->issue_seq = t_seq - 1; +- tcap->mseq = t_mseq; + tcap->issued |= issued; + tcap->implemented |= issued; + if (cap == ci->i_auth_cap) diff --git a/queue-4.20/drivers-perf-hisi-fixup-one-ddrc-pmu-register-offset.patch b/queue-4.20/drivers-perf-hisi-fixup-one-ddrc-pmu-register-offset.patch new file mode 100644 index 00000000000..8154738285c --- /dev/null +++ b/queue-4.20/drivers-perf-hisi-fixup-one-ddrc-pmu-register-offset.patch 
@@ -0,0 +1,52 @@ +From eb4f5213251833567570df1a09803f895653274d Mon Sep 17 00:00:00 2001 +From: Shaokun Zhang +Date: Fri, 4 Jan 2019 14:21:34 +0800 +Subject: drivers/perf: hisi: Fixup one DDRC PMU register offset + +From: Shaokun Zhang + +commit eb4f5213251833567570df1a09803f895653274d upstream. + +For DDRC PMU, each PMU counter is fixed-purpose. There is a mismatch +between perf list and driver definition on rw_chg event. +# perf list | grep chg + hisi_sccl1_ddrc0/rnk_chg/ [Kernel PMU event] + hisi_sccl1_ddrc0/rw_chg/ [Kernel PMU event] +But the register offset of rw_chg event is not defined in the driver, +meanwhile bnk_chg register offset is mis-defined, let's fixup it. + +Fixes: 904dcf03f086 ("perf: hisi: Add support for HiSilicon SoC DDRC PMU driver") +Cc: stable@vger.kernel.org +Cc: John Garry +Cc: Will Deacon +Cc: Mark Rutland +Reported-by: Weijian Huang +Signed-off-by: Shaokun Zhang +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/perf/hisilicon/hisi_uncore_ddrc_pmu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/perf/hisilicon/hisi_uncore_ddrc_pmu.c ++++ b/drivers/perf/hisilicon/hisi_uncore_ddrc_pmu.c +@@ -30,8 +30,8 @@ + #define DDRC_FLUX_RCMD 0x38c + #define DDRC_PRE_CMD 0x3c0 + #define DDRC_ACT_CMD 0x3c4 +-#define DDRC_BNK_CHG 0x3c8 + #define DDRC_RNK_CHG 0x3cc ++#define DDRC_RW_CHG 0x3d0 + #define DDRC_EVENT_CTRL 0x6C0 + #define DDRC_INT_MASK 0x6c8 + #define DDRC_INT_STATUS 0x6cc +@@ -51,7 +51,7 @@ + + static const u32 ddrc_reg_off[] = { + DDRC_FLUX_WR, DDRC_FLUX_RD, DDRC_FLUX_WCMD, DDRC_FLUX_RCMD, +- DDRC_PRE_CMD, DDRC_ACT_CMD, DDRC_BNK_CHG, DDRC_RNK_CHG ++ DDRC_PRE_CMD, DDRC_ACT_CMD, DDRC_RNK_CHG, DDRC_RW_CHG + }; + + /* diff --git a/queue-4.20/drm-nouveau-drm-nouveau-check-rc-from-drm_dp_mst_topology_mgr_resume.patch b/queue-4.20/drm-nouveau-drm-nouveau-check-rc-from-drm_dp_mst_topology_mgr_resume.patch new file mode 100644 index 00000000000..c7c7a688b00 --- /dev/null 
+++ b/queue-4.20/drm-nouveau-drm-nouveau-check-rc-from-drm_dp_mst_topology_mgr_resume.patch @@ -0,0 +1,45 @@ +From b89fdf7ae8500feae1100d8b283176a44d31d698 Mon Sep 17 00:00:00 2001 +From: Lyude Paul +Date: Wed, 14 Nov 2018 20:39:51 -0500 +Subject: drm/nouveau/drm/nouveau: Check rc from drm_dp_mst_topology_mgr_resume() + +From: Lyude Paul + +commit b89fdf7ae8500feae1100d8b283176a44d31d698 upstream. + +We need to actually make sure we check this on resume since otherwise we +won't know whether or not the topology is still there once we've +resumed, which will cause us to still think the topology is connected +even after it's been removed if the removal happens mid-suspend. + +Signed-off-by: Lyude Paul +Cc: stable@vger.kernel.org +Signed-off-by: Ben Skeggs +Signed-off-by: Ben Skeggs +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/nouveau/dispnv50/disp.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/nouveau/dispnv50/disp.c ++++ b/drivers/gpu/drm/nouveau/dispnv50/disp.c +@@ -1262,8 +1262,16 @@ nv50_mstm_fini(struct nv50_mstm *mstm) + static void + nv50_mstm_init(struct nv50_mstm *mstm) + { +- if (mstm && mstm->mgr.mst_state) +- drm_dp_mst_topology_mgr_resume(&mstm->mgr); ++ int ret; ++ ++ if (!mstm || !mstm->mgr.mst_state) ++ return; ++ ++ ret = drm_dp_mst_topology_mgr_resume(&mstm->mgr); ++ if (ret == -1) { ++ drm_dp_mst_topology_mgr_set_mst(&mstm->mgr, false); ++ drm_kms_helper_hotplug_event(mstm->mgr.dev); ++ } + } + + static void diff --git a/queue-4.20/drm-rockchip-psr-do-not-dereference-encoder-before-it-is-null-checked.patch b/queue-4.20/drm-rockchip-psr-do-not-dereference-encoder-before-it-is-null-checked.patch new file mode 100644 index 00000000000..7907f62fbc9 --- /dev/null +++ b/queue-4.20/drm-rockchip-psr-do-not-dereference-encoder-before-it-is-null-checked.patch 
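Review bot: The failure test added to nv50_mstm_init() in the nouveau patch compares against the literal `-1`, so any other negative return from drm_dp_mst_topology_mgr_resume() would be treated as success and the removed topology would still be considered connected. The helper's return contract is not visible in this hunk; if it can return a negative errno, `if (ret < 0) {` is the safer form. If `-1` really is the only failure value, a short comment such as `/* mgr_resume() returns -1 when the topology is gone */` would explain the magic number.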
@@ -0,0 +1,43 @@ +From 4eda776c3cefcb1f01b2d85bd8753f67606282b5 Mon Sep 17 00:00:00 2001 +From: Enric Balletbo i Serra +Date: Sat, 13 Oct 2018 12:56:54 +0200 +Subject: drm/rockchip: psr: do not dereference encoder before it is null checked. + +From: Enric Balletbo i Serra + +commit 4eda776c3cefcb1f01b2d85bd8753f67606282b5 upstream. + +'encoder' is dereferenced before it is null sanity checked, hence we +potentially have a null pointer dereference bug. Instead, initialise +drm_drv from encoder->dev->dev_private after we are sure 'encoder' is +not null. + +Fixes: 5182c1a556d7f ("drm/rockchip: add an common abstracted PSR driver") +Cc: stable@vger.kernel.org +Signed-off-by: Enric Balletbo i Serra +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/20181013105654.11827-1-enric.balletbo@collabora.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/rockchip/rockchip_drm_psr.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/rockchip/rockchip_drm_psr.c ++++ b/drivers/gpu/drm/rockchip/rockchip_drm_psr.c +@@ -189,12 +189,14 @@ EXPORT_SYMBOL(rockchip_drm_psr_flush_all + int rockchip_drm_psr_register(struct drm_encoder *encoder, + int (*psr_set)(struct drm_encoder *, bool enable)) + { +- struct rockchip_drm_private *drm_drv = encoder->dev->dev_private; ++ struct rockchip_drm_private *drm_drv; + struct psr_drv *psr; + + if (!encoder || !psr_set) + return -EINVAL; + ++ drm_drv = encoder->dev->dev_private; ++ + psr = kzalloc(sizeof(struct psr_drv), GFP_KERNEL); + if (!psr) + return -ENOMEM; diff --git a/queue-4.20/drm-vc4-set-is_yuv-to-false-when-num_planes-1.patch b/queue-4.20/drm-vc4-set-is_yuv-to-false-when-num_planes-1.patch new file mode 100644 index 00000000000..ea30ee3a888 --- /dev/null +++ b/queue-4.20/drm-vc4-set-is_yuv-to-false-when-num_planes-1.patch 
@@ -0,0 +1,37 @@ +From 2b02a05bdc3a62d36e0d0b015351897109e25991 Mon Sep 17 00:00:00 2001 +From: Boris Brezillon +Date: Tue, 9 Oct 2018 15:24:46 +0200 +Subject: drm/vc4: Set ->is_yuv to false when num_planes == 1 + +From: Boris Brezillon + +commit 2b02a05bdc3a62d36e0d0b015351897109e25991 upstream. + +When vc4_plane_state is duplicated ->is_yuv is left assigned to its +previous value, and we never set it back to false when switching to +a non-YUV format. + +Fix that by setting ->is_yuv to false in the 'num_planes == 1' branch +of the vc4_plane_setup_clipping_and_scaling() function. + +Fixes: fc04023fafecf ("drm/vc4: Add support for YUV planes.") +Cc: +Signed-off-by: Boris Brezillon +Reviewed-by: Eric Anholt +Link: https://patchwork.freedesktop.org/patch/msgid/20181009132446.21960-1-boris.brezillon@bootlin.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/vc4/vc4_plane.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/vc4/vc4_plane.c ++++ b/drivers/gpu/drm/vc4/vc4_plane.c +@@ -321,6 +321,7 @@ static int vc4_plane_setup_clipping_and_ + if (vc4_state->is_unity) + vc4_state->x_scaling[0] = VC4_SCALING_PPF; + } else { ++ vc4_state->is_yuv = false; + vc4_state->x_scaling[1] = VC4_SCALING_NONE; + vc4_state->y_scaling[1] = VC4_SCALING_NONE; + } diff --git a/queue-4.20/genwqe-fix-size-check.patch b/queue-4.20/genwqe-fix-size-check.patch new file mode 100644 index 00000000000..7028dbe9bda --- /dev/null +++ b/queue-4.20/genwqe-fix-size-check.patch 
@@ -0,0 +1,65 @@ +From fdd669684655c07dacbdb0d753fd13833de69a33 Mon Sep 17 00:00:00 2001 +From: Christian Borntraeger +Date: Wed, 12 Dec 2018 14:45:18 +0100 +Subject: genwqe: Fix size check + +From: Christian Borntraeger + +commit fdd669684655c07dacbdb0d753fd13833de69a33 upstream. + +Calling the test program genwqe_cksum with the default buffer size of +2MB triggers the following kernel warning on s390: + +WARNING: CPU: 30 PID: 9311 at mm/page_alloc.c:3189 __alloc_pages_nodemask+0x45c/0xbe0 +CPU: 30 PID: 9311 Comm: genwqe_cksum Kdump: loaded Not tainted 3.10.0-957.el7.s390x #1 +task: 00000005e5d13980 ti: 00000005e7c6c000 task.ti: 00000005e7c6c000 +Krnl PSW : 0704c00180000000 00000000002780ac (__alloc_pages_nodemask+0x45c/0xbe0) + R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 EA:3 +Krnl GPRS: 00000000002932b8 0000000000b73d7c 0000000000000010 0000000000000009 + 0000000000000041 00000005e7c6f9b8 0000000000000001 00000000000080d0 + 0000000000000000 0000000000b70500 0000000000000001 0000000000000000 + 0000000000b70528 00000000007682c0 0000000000277df2 00000005e7c6f9a0 +Krnl Code: 000000000027809e: de7195001000 ed 1280(114,%r9),0(%r1) + 00000000002780a4: a774fead brc 7,277dfe + #00000000002780a8: a7f40001 brc 15,2780aa + >00000000002780ac: 92011000 mvi 0(%r1),1 + 00000000002780b0: a7f4fea7 brc 15,277dfe + 00000000002780b4: 9101c6b6 tm 1718(%r12),1 + 00000000002780b8: a784ff3a brc 8,277f2c + 00000000002780bc: a7f4fe2e brc 15,277d18 +Call Trace: +([<0000000000277df2>] __alloc_pages_nodemask+0x1a2/0xbe0) + [<000000000013afae>] s390_dma_alloc+0xfe/0x310 + [<000003ff8065f362>] __genwqe_alloc_consistent+0xfa/0x148 [genwqe_card] + [<000003ff80658f7a>] genwqe_mmap+0xca/0x248 [genwqe_card] + [<00000000002b2712>] mmap_region+0x4e2/0x778 + [<00000000002b2c54>] do_mmap+0x2ac/0x3e0 + [<0000000000292d7e>] vm_mmap_pgoff+0xd6/0x118 + [<00000000002b081c>] SyS_mmap_pgoff+0xdc/0x268 + [<00000000002b0a34>] SyS_old_mmap+0x8c/0xb0 + [<000000000074e518>] sysc_tracego+0x14/0x1e + 
[<000003ffacf87dc6>] 0x3ffacf87dc6 + +turns out the check in __genwqe_alloc_consistent uses "> MAX_ORDER" +while the mm code uses ">= MAX_ORDER". Fix genwqe. + +Cc: stable@vger.kernel.org +Signed-off-by: Christian Borntraeger +Signed-off-by: Frank Haverkamp +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/genwqe/card_utils.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/misc/genwqe/card_utils.c ++++ b/drivers/misc/genwqe/card_utils.c +@@ -215,7 +215,7 @@ u32 genwqe_crc32(u8 *buff, size_t len, u + void *__genwqe_alloc_consistent(struct genwqe_dev *cd, size_t size, + dma_addr_t *dma_handle) + { +- if (get_order(size) > MAX_ORDER) ++ if (get_order(size) >= MAX_ORDER) + return NULL; + + return dma_zalloc_coherent(&cd->pci_dev->dev, size, dma_handle, diff --git a/queue-4.20/intel_th-msu-fix-an-off-by-one-in-attribute-store.patch b/queue-4.20/intel_th-msu-fix-an-off-by-one-in-attribute-store.patch new file mode 100644 index 00000000000..e210679aff9 --- /dev/null +++ b/queue-4.20/intel_th-msu-fix-an-off-by-one-in-attribute-store.patch 
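Review bot: The corrected bound in __genwqe_alloc_consistent() carries no comment explaining why it is `>=`, and the call trace in the commit message shows the size arriving through genwqe_mmap(), so it is presumably chosen by the mmap() caller. A one-line comment such as `/* the page allocator rejects order >= MAX_ORDER; size may come from a user mmap() */` would keep a later edit from reintroducing `>`. A zero size is not rejected here either, and get_order() is documented as undefined for 0, so it is worth confirming that every caller excludes it; the callers are outside this hunk.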
@@ -0,0 +1,52 @@ +From ec5b5ad6e272d8d6b92d1007f79574919862a2d2 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Wed, 19 Dec 2018 17:19:22 +0200 +Subject: intel_th: msu: Fix an off-by-one in attribute store + +From: Alexander Shishkin + +commit ec5b5ad6e272d8d6b92d1007f79574919862a2d2 upstream. + +The 'nr_pages' attribute of the 'msc' subdevices parses a comma-separated +list of window sizes, passed from userspace. However, there is a bug in +the string parsing logic wherein it doesn't exclude the comma character +from the range of characters as it consumes them. This leads to an +out-of-bounds access given a sufficiently long list. For example: + +> # echo 8,8,8,8 > /sys/bus/intel_th/devices/0-msc0/nr_pages +> ================================================================== +> BUG: KASAN: slab-out-of-bounds in memchr+0x1e/0x40 +> Read of size 1 at addr ffff8803ffcebcd1 by task sh/825 +> +> CPU: 3 PID: 825 Comm: npktest.sh Tainted: G W 4.20.0-rc1+ +> Call Trace: +> dump_stack+0x7c/0xc0 +> print_address_description+0x6c/0x23c +> ? memchr+0x1e/0x40 +> kasan_report.cold.5+0x241/0x308 +> memchr+0x1e/0x40 +> nr_pages_store+0x203/0xd00 [intel_th_msu] + +Fix this by accounting for the comma character. + +Signed-off-by: Alexander Shishkin +Fixes: ba82664c134ef ("intel_th: Add Memory Storage Unit driver") +Cc: stable@vger.kernel.org # v4.4+ +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/intel_th/msu.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/hwtracing/intel_th/msu.c ++++ b/drivers/hwtracing/intel_th/msu.c +@@ -1423,7 +1423,8 @@ nr_pages_store(struct device *dev, struc + if (!end) + break; + +- len -= end - p; ++ /* consume the number and the following comma, hence +1 */ ++ len -= end - p + 1; + p = end + 1; + } while (len); + 
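Review bot: The new `len -= end - p + 1;` in nr_pages_store() cannot wrap only as long as `end` was found inside the `len` bytes starting at `p`, and the search that produces `end` sits above the hunk (the KASAN trace in the message points at memchr). Since this parses a string written from userspace, the added comment should state that invariant as well, for example `/* end is within [p, p + len), so this cannot underflow; consume the number and the comma */`. The loop and the rest of the function lie outside the hunk, so how empty fields or a trailing comma are handled should be checked there.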
diff --git a/queue-4.20/lib-fix-build-failure-in-config_debug_virtual-test.patch b/queue-4.20/lib-fix-build-failure-in-config_debug_virtual-test.patch new file mode 100644 index 00000000000..ab41bf5d587 --- /dev/null +++ b/queue-4.20/lib-fix-build-failure-in-config_debug_virtual-test.patch @@ -0,0 +1,40 @@ +From 10fdf838e5f540beca466e9d1325999c072e5d3f Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Mon, 10 Dec 2018 08:08:28 +0000 +Subject: lib: fix build failure in CONFIG_DEBUG_VIRTUAL test + +From: Christophe Leroy + +commit 10fdf838e5f540beca466e9d1325999c072e5d3f upstream. + +On several arches, virt_to_phys() is in io.h + +Build fails without it: + + CC lib/test_debug_virtual.o +lib/test_debug_virtual.c: In function 'test_debug_virtual_init': +lib/test_debug_virtual.c:26:7: error: implicit declaration of function 'virt_to_phys' [-Werror=implicit-function-declaration] + pa = virt_to_phys(va); + ^ + +Fixes: e4dace361552 ("lib: add test module for CONFIG_DEBUG_VIRTUAL") +CC: stable@vger.kernel.org +Signed-off-by: Christophe Leroy +Reviewed-by: Kees Cook +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + lib/test_debug_virtual.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/lib/test_debug_virtual.c ++++ b/lib/test_debug_virtual.c +@@ -5,6 +5,7 @@ + #include + #include + #include ++#include + + #include + #ifdef CONFIG_MIPS diff --git a/queue-4.20/of-__of_detach_node-remove-node-from-phandle-cache.patch b/queue-4.20/of-__of_detach_node-remove-node-from-phandle-cache.patch new file mode 100644 index 00000000000..bc9e87698f7 --- /dev/null +++ b/queue-4.20/of-__of_detach_node-remove-node-from-phandle-cache.patch 
@@ -0,0 +1,107 @@ +From 5801169a2ed20003f771acecf3ac00574cf10a38 Mon Sep 17 00:00:00 2001 +From: Frank Rowand +Date: Tue, 18 Dec 2018 11:40:03 -0800 +Subject: of: __of_detach_node() - remove node from phandle cache + +From: Frank Rowand + +commit 5801169a2ed20003f771acecf3ac00574cf10a38 upstream. + +Non-overlay dynamic devicetree node removal may leave the node in +the phandle cache. Subsequent calls to of_find_node_by_phandle() +will incorrectly find the stale entry. Remove the node from the +cache. + +Add paranoia checks in of_find_node_by_phandle() as a second level +of defense (do not return cached node if detached, do not add node +to cache if detached). + +Fixes: 0b3ce78e90fc ("of: cache phandle nodes to reduce cost of of_find_node_by_phandle()") +Reported-by: Michael Bringmann +Cc: stable@vger.kernel.org # v4.17+ +Signed-off-by: Frank Rowand +Signed-off-by: Rob Herring +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/of/base.c | 31 ++++++++++++++++++++++++++++++- + drivers/of/dynamic.c | 3 +++ + drivers/of/of_private.h | 4 ++++ + 3 files changed, 37 insertions(+), 1 deletion(-) + +--- a/drivers/of/base.c ++++ b/drivers/of/base.c +@@ -162,6 +162,28 @@ int of_free_phandle_cache(void) + late_initcall_sync(of_free_phandle_cache); + #endif + ++/* ++ * Caller must hold devtree_lock. 
++ */ ++void __of_free_phandle_cache_entry(phandle handle) ++{ ++ phandle masked_handle; ++ struct device_node *np; ++ ++ if (!handle) ++ return; ++ ++ masked_handle = handle & phandle_cache_mask; ++ ++ if (phandle_cache) { ++ np = phandle_cache[masked_handle]; ++ if (np && handle == np->phandle) { ++ of_node_put(np); ++ phandle_cache[masked_handle] = NULL; ++ } ++ } ++} ++ + void of_populate_phandle_cache(void) + { + unsigned long flags; +@@ -1209,11 +1231,18 @@ struct device_node *of_find_node_by_phan + if (phandle_cache[masked_handle] && + handle == phandle_cache[masked_handle]->phandle) + np = phandle_cache[masked_handle]; ++ if (np && of_node_check_flag(np, OF_DETACHED)) { ++ WARN_ON(1); /* did not uncache np on node removal */ ++ of_node_put(np); ++ phandle_cache[masked_handle] = NULL; ++ np = NULL; ++ } + } + + if (!np) { + for_each_of_allnodes(np) +- if (np->phandle == handle) { ++ if (np->phandle == handle && ++ !of_node_check_flag(np, OF_DETACHED)) { + if (phandle_cache) { + /* will put when removed from cache */ + of_node_get(np); +--- a/drivers/of/dynamic.c ++++ b/drivers/of/dynamic.c +@@ -268,6 +268,9 @@ void __of_detach_node(struct device_node + } + + of_node_set_flag(np, OF_DETACHED); ++ ++ /* race with of_find_node_by_phandle() prevented by devtree_lock */ ++ __of_free_phandle_cache_entry(np->phandle); + } + + /** +--- a/drivers/of/of_private.h ++++ b/drivers/of/of_private.h +@@ -84,6 +84,10 @@ static inline void __of_detach_node_sysf + int of_resolve_phandles(struct device_node *tree); + #endif + ++#if defined(CONFIG_OF_DYNAMIC) ++void __of_free_phandle_cache_entry(phandle handle); ++#endif ++ + #if defined(CONFIG_OF_OVERLAY) + void of_overlay_mutex_lock(void); + void of_overlay_mutex_unlock(void); diff --git a/queue-4.20/of-of_node_get-of_node_put-nodes-held-in-phandle-cache.patch b/queue-4.20/of-of_node_get-of_node_put-nodes-held-in-phandle-cache.patch new file mode 100644 index 00000000000..abaf25ae3b2 --- /dev/null 
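Review bot: `__of_free_phandle_cache_entry()` is defined in drivers/of/base.c with no config guard visible in the hunk, but its prototype in of_private.h sits inside `#if defined(CONFIG_OF_DYNAMIC)`, so a build without that option compiles a non-static function that has no prior declaration. Either drop the guard around the prototype or wrap the definition in the same `#if`. Separately, the stale-entry branch added to of_find_node_by_phandle() uses `WARN_ON(1)`; `WARN_ON_ONCE(1)` would keep the diagnostic for a missed uncache without a full backtrace on every occurrence. Both functions extend beyond the hunk.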
+++ b/queue-4.20/of-of_node_get-of_node_put-nodes-held-in-phandle-cache.patch 
@@ -0,0 +1,138 @@ +From b8a9ac1a5b99a2fcbed19fd29d2d59270c281a31 Mon Sep 17 00:00:00 2001 +From: Frank Rowand +Date: Tue, 18 Dec 2018 11:40:02 -0800 +Subject: of: of_node_get()/of_node_put() nodes held in phandle cache + +From: Frank Rowand + +commit b8a9ac1a5b99a2fcbed19fd29d2d59270c281a31 upstream. + +The phandle cache contains struct device_node pointers. The refcount +of the pointers was not incremented while in the cache, allowing use +after free error after kfree() of the node. Add the proper increment +and decrement of the use count. + +Fixes: 0b3ce78e90fc ("of: cache phandle nodes to reduce cost of of_find_node_by_phandle()") +Cc: stable@vger.kernel.org # v4.17+ +Signed-off-by: Frank Rowand +Signed-off-by: Rob Herring +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/of/base.c | 70 +++++++++++++++++++++++++++++++++++------------------- + 1 file changed, 46 insertions(+), 24 deletions(-) + +--- a/drivers/of/base.c ++++ b/drivers/of/base.c +@@ -116,9 +116,6 @@ int __weak of_node_to_nid(struct device_ + } + #endif + +-static struct device_node **phandle_cache; +-static u32 phandle_cache_mask; +- + /* + * Assumptions behind phandle_cache implementation: + * - phandle property values are in a contiguous range of 1..n +@@ -127,6 +124,44 @@ static u32 phandle_cache_mask; + * - the phandle lookup overhead reduction provided by the cache + * will likely be less + */ ++ ++static struct device_node **phandle_cache; ++static u32 phandle_cache_mask; ++ ++/* ++ * Caller must hold devtree_lock. 
++ */ ++static void __of_free_phandle_cache(void) ++{ ++ u32 cache_entries = phandle_cache_mask + 1; ++ u32 k; ++ ++ if (!phandle_cache) ++ return; ++ ++ for (k = 0; k < cache_entries; k++) ++ of_node_put(phandle_cache[k]); ++ ++ kfree(phandle_cache); ++ phandle_cache = NULL; ++} ++ ++int of_free_phandle_cache(void) ++{ ++ unsigned long flags; ++ ++ raw_spin_lock_irqsave(&devtree_lock, flags); ++ ++ __of_free_phandle_cache(); ++ ++ raw_spin_unlock_irqrestore(&devtree_lock, flags); ++ ++ return 0; ++} ++#if !defined(CONFIG_MODULES) ++late_initcall_sync(of_free_phandle_cache); ++#endif ++ + void of_populate_phandle_cache(void) + { + unsigned long flags; +@@ -136,8 +171,7 @@ void of_populate_phandle_cache(void) + + raw_spin_lock_irqsave(&devtree_lock, flags); + +- kfree(phandle_cache); +- phandle_cache = NULL; ++ __of_free_phandle_cache(); + + for_each_of_allnodes(np) + if (np->phandle && np->phandle != OF_PHANDLE_ILLEGAL) +@@ -155,30 +189,15 @@ void of_populate_phandle_cache(void) + goto out; + + for_each_of_allnodes(np) +- if (np->phandle && np->phandle != OF_PHANDLE_ILLEGAL) ++ if (np->phandle && np->phandle != OF_PHANDLE_ILLEGAL) { ++ of_node_get(np); + phandle_cache[np->phandle & phandle_cache_mask] = np; ++ } + + out: + raw_spin_unlock_irqrestore(&devtree_lock, flags); + } + +-int of_free_phandle_cache(void) +-{ +- unsigned long flags; +- +- raw_spin_lock_irqsave(&devtree_lock, flags); +- +- kfree(phandle_cache); +- phandle_cache = NULL; +- +- raw_spin_unlock_irqrestore(&devtree_lock, flags); +- +- return 0; +-} +-#if !defined(CONFIG_MODULES) +-late_initcall_sync(of_free_phandle_cache); +-#endif +- + void __init of_core_init(void) + { + struct device_node *np; +@@ -1195,8 +1214,11 @@ struct device_node *of_find_node_by_phan + if (!np) { + for_each_of_allnodes(np) + if (np->phandle == handle) { +- if (phandle_cache) ++ if (phandle_cache) { ++ /* will put when removed from cache */ ++ of_node_get(np); + phandle_cache[masked_handle] = np; ++ } + break; + } + } 
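Review bot: Both stores into the cache take a reference with `of_node_get(np)` and then overwrite the slot without releasing whatever node already occupied it: the populate loop in of_populate_phandle_cache() and the miss path in of_find_node_by_phandle(). When two phandles map to the same masked index, the displaced node keeps the reference the cache took and is never put, so its refcount can no longer drop to zero. Calling `of_node_put(phandle_cache[masked_handle]);` immediately before the store in of_find_node_by_phandle(), and the equivalent on the populate path if collisions are possible there, would balance it. of_find_node_by_phandle() continues outside the hunk, so a put elsewhere cannot be ruled out from here.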
diff --git a/queue-4.20/power-supply-olpc_battery-correct-the-temperature-units.patch b/queue-4.20/power-supply-olpc_battery-correct-the-temperature-units.patch new file mode 100644 index 00000000000..397e372c08e --- /dev/null +++ b/queue-4.20/power-supply-olpc_battery-correct-the-temperature-units.patch @@ -0,0 +1,51 @@ +From ed54ffbe554f0902689fd6d1712bbacbacd11376 Mon Sep 17 00:00:00 2001 +From: Lubomir Rintel +Date: Fri, 16 Nov 2018 17:23:47 +0100 +Subject: power: supply: olpc_battery: correct the temperature units + +From: Lubomir Rintel + +commit ed54ffbe554f0902689fd6d1712bbacbacd11376 upstream. + +According to [1] and [2], the temperature values are in tenths of degree +Celsius. Exposing the Celsius value makes the battery appear on fire: + + $ upower -i /org/freedesktop/UPower/devices/battery_olpc_battery + ... + temperature: 236.9 degrees C + +Tested on OLPC XO-1 and OLPC XO-1.75 laptops. + +[1] include/linux/power_supply.h +[2] Documentation/power/power_supply_class.txt + +Fixes: fb972873a767 ("[BATTERY] One Laptop Per Child power/battery driver") +Cc: stable@vger.kernel.org +Signed-off-by: Lubomir Rintel +Acked-by: Pavel Machek +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/power/supply/olpc_battery.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/power/supply/olpc_battery.c ++++ b/drivers/power/supply/olpc_battery.c +@@ -428,14 +428,14 @@ static int olpc_bat_get_property(struct + if (ret) + return ret; + +- val->intval = (s16)be16_to_cpu(ec_word) * 100 / 256; ++ val->intval = (s16)be16_to_cpu(ec_word) * 10 / 256; + break; + case POWER_SUPPLY_PROP_TEMP_AMBIENT: + ret = olpc_ec_cmd(EC_AMB_TEMP, NULL, 0, (void *)&ec_word, 2); + if (ret) + return ret; + +- val->intval = (int)be16_to_cpu(ec_word) * 100 / 256; ++ val->intval = (int)be16_to_cpu(ec_word) * 10 / 256; + break; + case POWER_SUPPLY_PROP_CHARGE_COUNTER: + ret = olpc_ec_cmd(EC_BAT_ACR, NULL, 0, (void *)&ec_word, 2); 
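Review bot: The two temperature cases in olpc_bat_get_property() still disagree on signedness: POWER_SUPPLY_PROP_TEMP casts through `(s16)`, while POWER_SUPPLY_PROP_TEMP_AMBIENT uses `(int)be16_to_cpu(ec_word)`, so an ambient reading with the top bit set is reported as a large positive value instead of a negative one. If the EC reports ambient temperature in the same signed format (not visible in this hunk), the line should read `val->intval = (s16)be16_to_cpu(ec_word) * 10 / 256;`. If the ambient value really is unsigned, a comment saying so next to the `(int)` cast would explain the difference.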
diff --git a/queue-4.20/powerpc-4xx-ocm-fix-compilation-error-due-to-page_kernel-usage.patch b/queue-4.20/powerpc-4xx-ocm-fix-compilation-error-due-to-page_kernel-usage.patch new file mode 100644 index 00000000000..3caec5b1fde --- /dev/null +++ b/queue-4.20/powerpc-4xx-ocm-fix-compilation-error-due-to-page_kernel-usage.patch 
@@ -0,0 +1,56 @@ +From d0757237d7b18b1ce74293be7c077d86f7a732e8 Mon Sep 17 00:00:00 2001 +From: Christian Lamparter +Date: Sat, 22 Dec 2018 15:35:38 +0100 +Subject: powerpc/4xx/ocm: Fix compilation error due to PAGE_KERNEL usage +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Christian Lamparter + +commit d0757237d7b18b1ce74293be7c077d86f7a732e8 upstream. + +This patch fixes a recent compilation regression in ocm: + + ocm.c: In function ‘ocm_init_node’: + ocm.c:182:18: error: invalid operands to binary | + (have ‘int’ and ‘pgprot_t’ {aka ‘struct ’}) + _PAGE_EXEC | PAGE_KERNEL_NCG); + ^ + + ocm.c:197:17: error: invalid operands to binary | + (have ‘int’ and ‘pgprot_t’ {aka ‘struct ’}) + _PAGE_EXEC | PAGE_KERNEL); + ^ + +Fixes: 56f3c1413f5c ("powerpc/mm: properly set PAGE_KERNEL flags in ioremap()") +Cc: stable@vger.kernel.org # v4.20 +Signed-off-by: Christian Lamparter +Reviewed-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/4xx/ocm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/platforms/4xx/ocm.c ++++ b/arch/powerpc/platforms/4xx/ocm.c +@@ -179,7 +179,7 @@ static void __init ocm_init_node(int cou + /* ioremap the non-cached region */ + if (ocm->nc.memtotal) { + ocm->nc.virt = __ioremap(ocm->nc.phys, ocm->nc.memtotal, +- _PAGE_EXEC | PAGE_KERNEL_NCG); ++ _PAGE_EXEC | pgprot_val(PAGE_KERNEL_NCG)); + + if (!ocm->nc.virt) { + printk(KERN_ERR +@@ -194,7 +194,7 @@ static void __init ocm_init_node(int cou + + if (ocm->c.memtotal) { + ocm->c.virt = __ioremap(ocm->c.phys, ocm->c.memtotal, +- _PAGE_EXEC | PAGE_KERNEL); ++ _PAGE_EXEC | pgprot_val(PAGE_KERNEL)); + + if (!ocm->c.virt) { + printk(KERN_ERR diff --git a/queue-4.20/selftests-fix-test-errors-related-to-lib.mk-khdr-target.patch b/queue-4.20/selftests-fix-test-errors-related-to-lib.mk-khdr-target.patch new file mode 100644 index 00000000000..e4620dda46d 
--- /dev/null
+++ b/queue-4.20/selftests-fix-test-errors-related-to-lib.mk-khdr-target.patch
@@ -0,0 +1,178 @@ +From 211929fd3f7c8de4d541b1cc243b82830e5ea1e8 Mon Sep 17 00:00:00 2001 +From: Shuah Khan +Date: Wed, 12 Dec 2018 20:25:14 -0700 +Subject: selftests: Fix test errors related to lib.mk khdr target + +From: Shuah Khan + +commit 211929fd3f7c8de4d541b1cc243b82830e5ea1e8 upstream. + +Commit b2d35fa5fc80 ("selftests: add headers_install to lib.mk") added +khdr target to run headers_install target from the main Makefile. The +logic uses KSFT_KHDR_INSTALL and top_srcdir as controls to initialize +variables and include files to run headers_install from the top level +Makefile. There are a few problems with this logic. + +1. Exposes top_srcdir to all tests +2. Common logic impacts all tests +3. Uses KSFT_KHDR_INSTALL, top_srcdir, and khdr in an adhoc way. Tests + add "khdr" dependency in their Makefiles to TEST_PROGS_EXTENDED in + some cases, and STATIC_LIBS in other cases. This makes this framework + confusing to use. + +The common logic that runs for all tests even when KSFT_KHDR_INSTALL +isn't defined by the test. top_srcdir is initialized to a default value +when test doesn't initialize it. It works for all tests without a sub-dir +structure and tests with sub-dir structure fail to build. + +e.g: make -C sparc64/drivers/ or make -C drivers/dma-buf + +../../lib.mk:20: ../../../../scripts/subarch.include: No such file or directory +make: *** No rule to make target '../../../../scripts/subarch.include'. Stop. + +There is no reason to require all tests to define top_srcdir and there is +no need to require tests to add khdr dependency using adhoc changes to +TEST_* and other variables. + +Fix it with a consistent use of KSFT_KHDR_INSTALL and top_srcdir from tests +that have the dependency on headers_install. + +Change common logic to include khdr target define and "all" target with +dependency on khdr when KSFT_KHDR_INSTALL is defined. 
+ +Only tests that have dependency on headers_install have to define just +the KSFT_KHDR_INSTALL, and top_srcdir variables and there is no need to +specify khdr dependency in the test Makefiles. + +Fixes: b2d35fa5fc80 ("selftests: add headers_install to lib.mk") +Cc: stable@vger.kernel.org +Signed-off-by: Shuah Khan +Signed-off-by: Greg Kroah-Hartman + +--- + tools/testing/selftests/android/Makefile | 2 +- + tools/testing/selftests/futex/functional/Makefile | 1 + + tools/testing/selftests/gpio/Makefile | 6 +++--- + tools/testing/selftests/kvm/Makefile | 2 +- + tools/testing/selftests/lib.mk | 8 ++++---- + tools/testing/selftests/networking/timestamping/Makefile | 1 + + tools/testing/selftests/tc-testing/bpf/Makefile | 1 + + tools/testing/selftests/vm/Makefile | 1 + + 8 files changed, 13 insertions(+), 9 deletions(-) + +--- a/tools/testing/selftests/android/Makefile ++++ b/tools/testing/selftests/android/Makefile +@@ -6,7 +6,7 @@ TEST_PROGS := run.sh + + include ../lib.mk + +-all: khdr ++all: + @for DIR in $(SUBDIRS); do \ + BUILD_TARGET=$(OUTPUT)/$$DIR; \ + mkdir $$BUILD_TARGET -p; \ +--- a/tools/testing/selftests/futex/functional/Makefile ++++ b/tools/testing/selftests/futex/functional/Makefile +@@ -19,6 +19,7 @@ TEST_GEN_FILES := \ + TEST_PROGS := run.sh + + top_srcdir = ../../../../.. 
++KSFT_KHDR_INSTALL := 1 + include ../../lib.mk + + $(TEST_GEN_FILES): $(HEADERS) +--- a/tools/testing/selftests/gpio/Makefile ++++ b/tools/testing/selftests/gpio/Makefile +@@ -10,8 +10,6 @@ TEST_PROGS_EXTENDED := gpio-mockup-chard + GPIODIR := $(realpath ../../../gpio) + GPIOOBJ := gpio-utils.o + +-include ../lib.mk +- + all: $(TEST_PROGS_EXTENDED) + + override define CLEAN +@@ -19,7 +17,9 @@ override define CLEAN + $(MAKE) -C $(GPIODIR) OUTPUT=$(GPIODIR)/ clean + endef + +-$(TEST_PROGS_EXTENDED):| khdr ++KSFT_KHDR_INSTALL := 1 ++include ../lib.mk ++ + $(TEST_PROGS_EXTENDED): $(GPIODIR)/$(GPIOOBJ) + + $(GPIODIR)/$(GPIOOBJ): +--- a/tools/testing/selftests/kvm/Makefile ++++ b/tools/testing/selftests/kvm/Makefile +@@ -1,6 +1,7 @@ + all: + + top_srcdir = ../../../.. ++KSFT_KHDR_INSTALL := 1 + UNAME_M := $(shell uname -m) + + LIBKVM = lib/assert.c lib/elf.c lib/io.c lib/kvm_util.c lib/ucall.c lib/sparsebit.c +@@ -44,7 +45,6 @@ $(OUTPUT)/libkvm.a: $(LIBKVM_OBJ) + + all: $(STATIC_LIBS) + $(TEST_GEN_PROGS): $(STATIC_LIBS) +-$(STATIC_LIBS):| khdr + + cscope: include_paths = $(LINUX_TOOL_INCLUDE) $(LINUX_HDR_PATH) include lib .. + cscope: +--- a/tools/testing/selftests/lib.mk ++++ b/tools/testing/selftests/lib.mk +@@ -16,18 +16,18 @@ TEST_GEN_PROGS := $(patsubst %,$(OUTPUT) + TEST_GEN_PROGS_EXTENDED := $(patsubst %,$(OUTPUT)/%,$(TEST_GEN_PROGS_EXTENDED)) + TEST_GEN_FILES := $(patsubst %,$(OUTPUT)/%,$(TEST_GEN_FILES)) + ++ifdef KSFT_KHDR_INSTALL + top_srcdir ?= ../../../.. 
+ include $(top_srcdir)/scripts/subarch.include + ARCH ?= $(SUBARCH) + +-all: $(TEST_GEN_PROGS) $(TEST_GEN_PROGS_EXTENDED) $(TEST_GEN_FILES) +- + .PHONY: khdr + khdr: + make ARCH=$(ARCH) -C $(top_srcdir) headers_install + +-ifdef KSFT_KHDR_INSTALL +-$(TEST_GEN_PROGS) $(TEST_GEN_PROGS_EXTENDED) $(TEST_GEN_FILES):| khdr ++all: khdr $(TEST_GEN_PROGS) $(TEST_GEN_PROGS_EXTENDED) $(TEST_GEN_FILES) ++else ++all: $(TEST_GEN_PROGS) $(TEST_GEN_PROGS_EXTENDED) $(TEST_GEN_FILES) + endif + + .ONESHELL: +--- a/tools/testing/selftests/networking/timestamping/Makefile ++++ b/tools/testing/selftests/networking/timestamping/Makefile +@@ -6,6 +6,7 @@ TEST_PROGS := hwtstamp_config rxtimestam + all: $(TEST_PROGS) + + top_srcdir = ../../../../.. ++KSFT_KHDR_INSTALL := 1 + include ../../lib.mk + + clean: +--- a/tools/testing/selftests/tc-testing/bpf/Makefile ++++ b/tools/testing/selftests/tc-testing/bpf/Makefile +@@ -4,6 +4,7 @@ APIDIR := ../../../../include/uapi + TEST_GEN_FILES = action.o + + top_srcdir = ../../../../.. ++KSFT_KHDR_INSTALL := 1 + include ../../lib.mk + + CLANG ?= clang +--- a/tools/testing/selftests/vm/Makefile ++++ b/tools/testing/selftests/vm/Makefile +@@ -25,6 +25,7 @@ TEST_GEN_FILES += virtual_address_range + + TEST_PROGS := run_vmtests + ++KSFT_KHDR_INSTALL := 1 + include ../lib.mk + + $(OUTPUT)/userfaultfd: LDLIBS += -lpthread diff --git a/queue-4.20/series b/queue-4.20/series index 813ca7cd706..529e0871116 100644 --- a/queue-4.20/series +++ b/queue-4.20/series 
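Review bot: In lib.mk the new `all: khdr $(TEST_GEN_PROGS) $(TEST_GEN_PROGS_EXTENDED) $(TEST_GEN_FILES)` lists khdr as an ordinary prerequisite next to the test binaries, which does not order it before them: under `make -j` the binaries can start compiling while headers_install is still running. The rule this patch removes, `$(TEST_GEN_PROGS) $(TEST_GEN_PROGS_EXTENDED) $(TEST_GEN_FILES):| khdr`, was what expressed that ordering. Keeping that order-only line inside the `ifdef KSFT_KHDR_INSTALL` block alongside the new `all` rule would preserve it for parallel builds.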
@@ -49,3 +49,17 @@ rdma-srpt-fix-a-use-after-free-in-the-channel-release-code.patch
 rdma-iwcm-don-t-copy-past-the-end-of-dev_name-string.patch
 iommu-vt-d-handle-domain-agaw-being-less-than-iommu-agaw.patch
 sched-fair-fix-infinite-loop-in-update_blocked_averages-by-reverting-a9e7f6544b9c.patch
+ceph-don-t-update-importing-cap-s-mseq-when-handing-cap-export.patch
+video-fbdev-pxafb-fix-warning-invalid-free-of-devm_-allocated-data.patch
+drivers-perf-hisi-fixup-one-ddrc-pmu-register-offset.patch
+powerpc-4xx-ocm-fix-compilation-error-due-to-page_kernel-usage.patch
+selftests-fix-test-errors-related-to-lib.mk-khdr-target.patch
+genwqe-fix-size-check.patch
+intel_th-msu-fix-an-off-by-one-in-attribute-store.patch
+power-supply-olpc_battery-correct-the-temperature-units.patch
+of-of_node_get-of_node_put-nodes-held-in-phandle-cache.patch
+of-__of_detach_node-remove-node-from-phandle-cache.patch
+lib-fix-build-failure-in-config_debug_virtual-test.patch
+drm-nouveau-drm-nouveau-check-rc-from-drm_dp_mst_topology_mgr_resume.patch
+drm-vc4-set-is_yuv-to-false-when-num_planes-1.patch
+drm-rockchip-psr-do-not-dereference-encoder-before-it-is-null-checked.patch
diff --git a/queue-4.20/video-fbdev-pxafb-fix-warning-invalid-free-of-devm_-allocated-data.patch b/queue-4.20/video-fbdev-pxafb-fix-warning-invalid-free-of-devm_-allocated-data.patch
new file mode 100644
index 00000000000..abc6624051a
--- /dev/null
+++ b/queue-4.20/video-fbdev-pxafb-fix-warning-invalid-free-of-devm_-allocated-data.patch
@@ -0,0 +1,40 @@
+From 2607391882fca37463187e7f2a9c76dec286947e Mon Sep 17 00:00:00 2001
+From: YueHaibing
+Date: Thu, 20 Dec 2018 19:13:08 +0100
+Subject: video: fbdev: pxafb: Fix "WARNING: invalid free of devm_ allocated data"
+
+From: YueHaibing
+
+commit 2607391882fca37463187e7f2a9c76dec286947e upstream.
+
+'info->modes' got allocated with devm_kcalloc in of_get_pxafb_display.
+
+This gives this error message:
+ ./drivers/video/fbdev/pxafb.c:2238:2-7: WARNING: invalid free of devm_ allocated data
+
+Fixes: c8f96304ec8b4 ("video: fbdev: pxafb: switch to devm_* API")
+Cc: stable@kernel.org [v4.19+]
+Signed-off-by: YueHaibing
+Reviewed-by: Daniel Mack
+Cc: Robert Jarzmik
+Signed-off-by: Bartlomiej Zolnierkiewicz
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/video/fbdev/pxafb.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/video/fbdev/pxafb.c
++++ b/drivers/video/fbdev/pxafb.c
+@@ -2234,10 +2234,8 @@ static struct pxafb_mach_info *of_pxafb_
+ if (!info)
+ return ERR_PTR(-ENOMEM);
+ ret = of_get_pxafb_mode_info(dev, info);
+- if (ret) {
+- kfree(info->modes);
++ if (ret)
+ return ERR_PTR(ret);
+- }
+
+ /*
+ * On purpose, neither lccrX registers nor video memory size can be
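Review bot: The `if (ret) return ERR_PTR(ret);` path after `of_get_pxafb_mode_info()` has no comment explaining why nothing is freed there, so a later edit could easily put the `kfree()` back. The commit message says `info->modes` comes from `devm_kcalloc`, which makes an explicit `kfree()` an invalid free and presumably a second release when devres tears the device down. I would add `/* info->modes is devm-allocated: released by devres, never kfree() it */` above the check. The allocation of `info` itself is outside the hunk, as are the start and end of the function, so whether `info` is also devm-managed should be confirmed there.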