From: Sasha Levin Date: Thu, 3 Mar 2022 12:11:17 +0000 (-0500) Subject: Fixes for 5.10 X-Git-Tag: v4.9.305~111 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dcab1548468a461502876f1063343d683aa66a73;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/asoc-rt5668-do-not-block-workqueue-if-card-is-unboun.patch b/queue-5.10/asoc-rt5668-do-not-block-workqueue-if-card-is-unboun.patch new file mode 100644 index 00000000000..a89ea34cec0 --- /dev/null +++ b/queue-5.10/asoc-rt5668-do-not-block-workqueue-if-card-is-unboun.patch @@ -0,0 +1,66 @@ +From f49f7708dbd2a3e09691716354c994fe78b3cb95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Feb 2022 17:29:59 +0200 +Subject: ASoC: rt5668: do not block workqueue if card is unbound +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kai Vehmanen + +[ Upstream commit a6d78661dc903d90a327892bbc34268f3a5f4b9c ] + +The current rt5668_jack_detect_handler() assumes the component +and card will always show up and implements an infinite usleep +loop waiting for them to show up. + +This does not hold true if a codec interrupt (or other +event) occurs when the card is unbound. The codec driver's +remove or shutdown functions cannot cancel the workqueue due +to the wait loop. As a result, code can either end up blocking +the workqueue, or hit a kernel oops when the card is freed. + +Fix the issue by rescheduling the jack detect handler in +case the card is not ready. In case card never shows up, +the shutdown/remove/suspend calls can now cancel the detect +task. + +Signed-off-by: Kai Vehmanen +Reviewed-by: Bard Liao +Reviewed-by: Ranjani Sridharan +Reviewed-by: Pierre-Louis Bossart +Reviewed-by: Péter Ujfalusi +Reviewed-by: Shuming Fan +Link: https://lore.kernel.org/r/20220207153000.3452802-2-kai.vehmanen@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/rt5668.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/sound/soc/codecs/rt5668.c b/sound/soc/codecs/rt5668.c +index bc69adc9c8b70..e625df57c69e5 100644 +--- a/sound/soc/codecs/rt5668.c ++++ b/sound/soc/codecs/rt5668.c +@@ -1022,11 +1022,13 @@ static void rt5668_jack_detect_handler(struct work_struct *work) + container_of(work, struct rt5668_priv, jack_detect_work.work); + int val, btn_type; + +- while (!rt5668->component) +- usleep_range(10000, 15000); +- +- while (!rt5668->component->card->instantiated) +- usleep_range(10000, 15000); ++ if (!rt5668->component || !rt5668->component->card || ++ !rt5668->component->card->instantiated) { ++ /* card not yet ready, try later */ ++ mod_delayed_work(system_power_efficient_wq, ++ &rt5668->jack_detect_work, msecs_to_jiffies(15)); ++ return; ++ } + + mutex_lock(&rt5668->calibrate_mutex); + +-- +2.34.1 + diff --git a/queue-5.10/asoc-rt5682-do-not-block-workqueue-if-card-is-unboun.patch b/queue-5.10/asoc-rt5682-do-not-block-workqueue-if-card-is-unboun.patch new file mode 100644 index 00000000000..60ecd76a0bd --- /dev/null +++ b/queue-5.10/asoc-rt5682-do-not-block-workqueue-if-card-is-unboun.patch @@ -0,0 +1,66 @@ +From 8e615453a045a2f6956e07442586e0adf1c11cdc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Feb 2022 17:30:00 +0200 +Subject: ASoC: rt5682: do not block workqueue if card is unbound +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kai Vehmanen + +[ Upstream commit 4c33de0673ced9c7c37b3bbd9bfe0fda72340b2a ] + +The current rt5682_jack_detect_handler() assumes the component +and card will always show up and implements an infinite usleep +loop waiting for them to show up. + +This does not hold true if a codec interrupt (or other +event) occurs when the card is unbound. The codec driver's +remove or shutdown functions cannot cancel the workqueue due +to the wait loop. As a result, code can either end up blocking +the workqueue, or hit a kernel oops when the card is freed. + +Fix the issue by rescheduling the jack detect handler in +case the card is not ready. In case card never shows up, +the shutdown/remove/suspend calls can now cancel the detect +task. + +Signed-off-by: Kai Vehmanen +Reviewed-by: Bard Liao +Reviewed-by: Ranjani Sridharan +Reviewed-by: Pierre-Louis Bossart +Reviewed-by: Péter Ujfalusi +Reviewed-by: Shuming Fan +Link: https://lore.kernel.org/r/20220207153000.3452802-3-kai.vehmanen@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/rt5682.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/sound/soc/codecs/rt5682.c b/sound/soc/codecs/rt5682.c +index aaef76cc151fa..113ed00ddf1e5 100644 +--- a/sound/soc/codecs/rt5682.c ++++ b/sound/soc/codecs/rt5682.c +@@ -1081,11 +1081,13 @@ void rt5682_jack_detect_handler(struct work_struct *work) + container_of(work, struct rt5682_priv, jack_detect_work.work); + int val, btn_type; + +- while (!rt5682->component) +- usleep_range(10000, 15000); +- +- while (!rt5682->component->card->instantiated) +- usleep_range(10000, 15000); ++ if (!rt5682->component || !rt5682->component->card || ++ !rt5682->component->card->instantiated) { ++ /* card not yet ready, try later */ ++ mod_delayed_work(system_power_efficient_wq, ++ &rt5682->jack_detect_work, msecs_to_jiffies(15)); ++ return; ++ } + + mutex_lock(&rt5682->calibrate_mutex); + +-- +2.34.1 + diff --git a/queue-5.10/cifs-fix-double-free-race-when-mount-fails-in-cifs_g.patch b/queue-5.10/cifs-fix-double-free-race-when-mount-fails-in-cifs_g.patch new file mode 100644 index 00000000000..940d687a483 --- /dev/null +++ b/queue-5.10/cifs-fix-double-free-race-when-mount-fails-in-cifs_g.patch @@ -0,0 +1,95 @@ +From 5c3f9280ca426c2184176fe0ead5580859ee80a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Feb 2022 02:59:15 +1000 +Subject: cifs: fix double free race when mount fails in cifs_get_root() + +From: Ronnie Sahlberg + +[ Upstream commit 3d6cc9898efdfb062efb74dc18cfc700e082f5d5 ] + +When cifs_get_root() fails during cifs_smb3_do_mount() we call +deactivate_locked_super() which eventually will call delayed_free() which +will free the context. +In this situation we should not proceed to enter the out: section in +cifs_smb3_do_mount() and free the same resources a second time. + +[Thu Feb 10 12:59:06 2022] BUG: KASAN: use-after-free in rcu_cblist_dequeue+0x32/0x60 +[Thu Feb 10 12:59:06 2022] Read of size 8 at addr ffff888364f4d110 by task swapper/1/0 + +[Thu Feb 10 12:59:06 2022] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G OE 5.17.0-rc3+ #4 +[Thu Feb 10 12:59:06 2022] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.0 12/17/2019 +[Thu Feb 10 12:59:06 2022] Call Trace: +[Thu Feb 10 12:59:06 2022] +[Thu Feb 10 12:59:06 2022] dump_stack_lvl+0x5d/0x78 +[Thu Feb 10 12:59:06 2022] print_address_description.constprop.0+0x24/0x150 +[Thu Feb 10 12:59:06 2022] ? rcu_cblist_dequeue+0x32/0x60 +[Thu Feb 10 12:59:06 2022] kasan_report.cold+0x7d/0x117 +[Thu Feb 10 12:59:06 2022] ? rcu_cblist_dequeue+0x32/0x60 +[Thu Feb 10 12:59:06 2022] __asan_load8+0x86/0xa0 +[Thu Feb 10 12:59:06 2022] rcu_cblist_dequeue+0x32/0x60 +[Thu Feb 10 12:59:06 2022] rcu_core+0x547/0xca0 +[Thu Feb 10 12:59:06 2022] ? call_rcu+0x3c0/0x3c0 +[Thu Feb 10 12:59:06 2022] ? __this_cpu_preempt_check+0x13/0x20 +[Thu Feb 10 12:59:06 2022] ? lock_is_held_type+0xea/0x140 +[Thu Feb 10 12:59:06 2022] rcu_core_si+0xe/0x10 +[Thu Feb 10 12:59:06 2022] __do_softirq+0x1d4/0x67b +[Thu Feb 10 12:59:06 2022] __irq_exit_rcu+0x100/0x150 +[Thu Feb 10 12:59:06 2022] irq_exit_rcu+0xe/0x30 +[Thu Feb 10 12:59:06 2022] sysvec_hyperv_stimer0+0x9d/0xc0 +... +[Thu Feb 10 12:59:07 2022] Freed by task 58179: +[Thu Feb 10 12:59:07 2022] kasan_save_stack+0x26/0x50 +[Thu Feb 10 12:59:07 2022] kasan_set_track+0x25/0x30 +[Thu Feb 10 12:59:07 2022] kasan_set_free_info+0x24/0x40 +[Thu Feb 10 12:59:07 2022] ____kasan_slab_free+0x137/0x170 +[Thu Feb 10 12:59:07 2022] __kasan_slab_free+0x12/0x20 +[Thu Feb 10 12:59:07 2022] slab_free_freelist_hook+0xb3/0x1d0 +[Thu Feb 10 12:59:07 2022] kfree+0xcd/0x520 +[Thu Feb 10 12:59:07 2022] cifs_smb3_do_mount+0x149/0xbe0 [cifs] +[Thu Feb 10 12:59:07 2022] smb3_get_tree+0x1a0/0x2e0 [cifs] +[Thu Feb 10 12:59:07 2022] vfs_get_tree+0x52/0x140 +[Thu Feb 10 12:59:07 2022] path_mount+0x635/0x10c0 +[Thu Feb 10 12:59:07 2022] __x64_sys_mount+0x1bf/0x210 +[Thu Feb 10 12:59:07 2022] do_syscall_64+0x5c/0xc0 +[Thu Feb 10 12:59:07 2022] entry_SYSCALL_64_after_hwframe+0x44/0xae + +[Thu Feb 10 12:59:07 2022] Last potentially related work creation: +[Thu Feb 10 12:59:07 2022] kasan_save_stack+0x26/0x50 +[Thu Feb 10 12:59:07 2022] __kasan_record_aux_stack+0xb6/0xc0 +[Thu Feb 10 12:59:07 2022] kasan_record_aux_stack_noalloc+0xb/0x10 +[Thu Feb 10 12:59:07 2022] call_rcu+0x76/0x3c0 +[Thu Feb 10 12:59:07 2022] cifs_umount+0xce/0xe0 [cifs] +[Thu Feb 10 12:59:07 2022] cifs_kill_sb+0xc8/0xe0 [cifs] +[Thu Feb 10 12:59:07 2022] deactivate_locked_super+0x5d/0xd0 +[Thu Feb 10 12:59:07 2022] cifs_smb3_do_mount+0xab9/0xbe0 [cifs] +[Thu Feb 10 12:59:07 2022] smb3_get_tree+0x1a0/0x2e0 [cifs] +[Thu Feb 10 12:59:07 2022] vfs_get_tree+0x52/0x140 +[Thu Feb 10 12:59:07 2022] path_mount+0x635/0x10c0 +[Thu Feb 10 12:59:07 2022] __x64_sys_mount+0x1bf/0x210 +[Thu Feb 10 12:59:07 2022] do_syscall_64+0x5c/0xc0 +[Thu Feb 10 12:59:07 2022] entry_SYSCALL_64_after_hwframe+0x44/0xae + +Reported-by: Shyam Prasad N +Reviewed-by: Shyam Prasad N +Signed-off-by: Ronnie Sahlberg +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/cifsfs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c +index f0ed29a9a6f11..aa5a4d759ca23 100644 +--- a/fs/cifs/cifsfs.c ++++ b/fs/cifs/cifsfs.c +@@ -864,6 +864,7 @@ cifs_smb3_do_mount(struct file_system_type *fs_type, + + out_super: + deactivate_locked_super(sb); ++ return root; + out: + cifs_cleanup_volume_info(volume_info); + return root; +-- +2.34.1 + diff --git a/queue-5.10/dmaengine-shdma-fix-runtime-pm-imbalance-on-error.patch b/queue-5.10/dmaengine-shdma-fix-runtime-pm-imbalance-on-error.patch new file mode 100644 index 00000000000..51f0830ad6f --- /dev/null +++ b/queue-5.10/dmaengine-shdma-fix-runtime-pm-imbalance-on-error.patch @@ -0,0 +1,40 @@ +From 5a83966982bd7f5883173a15f31dd65828116a23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Jan 2022 21:34:56 -0800 +Subject: dmaengine: shdma: Fix runtime PM imbalance on error + +From: Yongzhi Liu + +[ Upstream commit 455896c53d5b803733ddd84e1bf8a430644439b6 ] + +pm_runtime_get_() increments the runtime PM usage counter even +when it returns an error code, thus a matching decrement is needed on +the error handling path to keep the counter balanced. + +Signed-off-by: Yongzhi Liu +Link: https://lore.kernel.org/r/1642311296-87020-1-git-send-email-lyz_cs@pku.edu.cn +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/sh/shdma-base.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/dma/sh/shdma-base.c b/drivers/dma/sh/shdma-base.c +index 7f72b3f4cd1ae..19ac95c0098f0 100644 +--- a/drivers/dma/sh/shdma-base.c ++++ b/drivers/dma/sh/shdma-base.c +@@ -115,8 +115,10 @@ static dma_cookie_t shdma_tx_submit(struct dma_async_tx_descriptor *tx) + ret = pm_runtime_get(schan->dev); + + spin_unlock_irq(&schan->chan_lock); +- if (ret < 0) ++ if (ret < 0) { + dev_err(schan->dev, "%s(): GET = %d\n", __func__, ret); ++ pm_runtime_put(schan->dev); ++ } + + pm_runtime_barrier(schan->dev); + +-- +2.34.1 + diff --git a/queue-5.10/i2c-bcm2835-avoid-clock-stretching-timeouts.patch b/queue-5.10/i2c-bcm2835-avoid-clock-stretching-timeouts.patch new file mode 100644 index 00000000000..1eefd6b6913 --- /dev/null +++ b/queue-5.10/i2c-bcm2835-avoid-clock-stretching-timeouts.patch @@ -0,0 +1,55 @@ +From 032c408ac2cc23eba8c352a4949f58fa20c95883 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Feb 2018 22:42:31 +0100 +Subject: i2c: bcm2835: Avoid clock stretching timeouts + +From: Eric Anholt + +[ Upstream commit 9495b9b31abe525ebd93da58de2c88b9f66d3a0e ] + +The CLKT register contains at poweron 0x40, which at our typical 100kHz +bus rate means .64ms. But there is no specified limit to how long devices +should be able to stretch the clocks, so just disable the timeout. We +still have a timeout wrapping the entire transfer. + +Signed-off-by: Eric Anholt +Signed-off-by: Stefan Wahren +BugLink: https://github.com/raspberrypi/linux/issues/3064 +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-bcm2835.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/i2c/busses/i2c-bcm2835.c b/drivers/i2c/busses/i2c-bcm2835.c +index 37443edbf7546..ad3b124a2e376 100644 +--- a/drivers/i2c/busses/i2c-bcm2835.c ++++ b/drivers/i2c/busses/i2c-bcm2835.c +@@ -23,6 +23,11 @@ + #define BCM2835_I2C_FIFO 0x10 + #define BCM2835_I2C_DIV 0x14 + #define BCM2835_I2C_DEL 0x18 ++/* ++ * 16-bit field for the number of SCL cycles to wait after rising SCL ++ * before deciding the slave is not responding. 0 disables the ++ * timeout detection. ++ */ + #define BCM2835_I2C_CLKT 0x1c + + #define BCM2835_I2C_C_READ BIT(0) +@@ -477,6 +482,12 @@ static int bcm2835_i2c_probe(struct platform_device *pdev) + adap->dev.of_node = pdev->dev.of_node; + adap->quirks = of_device_get_match_data(&pdev->dev); + ++ /* ++ * Disable the hardware clock stretching timeout. SMBUS ++ * specifies a limit for how long the device can stretch the ++ * clock, but core I2C doesn't. ++ */ ++ bcm2835_i2c_writel(i2c_dev, BCM2835_I2C_CLKT, 0); + bcm2835_i2c_writel(i2c_dev, BCM2835_I2C_C, 0); + + ret = i2c_add_adapter(adap); +-- +2.34.1 + diff --git a/queue-5.10/i2c-cadence-allow-compile_test.patch b/queue-5.10/i2c-cadence-allow-compile_test.patch new file mode 100644 index 00000000000..d4f4caecdc9 --- /dev/null +++ b/queue-5.10/i2c-cadence-allow-compile_test.patch @@ -0,0 +1,35 @@ +From fb666d947b5cfe1da2d8d5e9fe3e6074927c5f91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Feb 2022 20:45:48 +0100 +Subject: i2c: cadence: allow COMPILE_TEST + +From: Wolfram Sang + +[ Upstream commit 0b0dcb3882c8f08bdeafa03adb4487e104d26050 ] + +Driver builds fine with COMPILE_TEST. Enable it for wider test coverage +and easier maintenance. + +Signed-off-by: Wolfram Sang +Acked-by: Michal Simek +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/Kconfig b/drivers/i2c/busses/Kconfig +index 7e693dcbdd196..d5fc8ec025020 100644 +--- a/drivers/i2c/busses/Kconfig ++++ b/drivers/i2c/busses/Kconfig +@@ -488,7 +488,7 @@ config I2C_BRCMSTB + + config I2C_CADENCE + tristate "Cadence I2C Controller" +- depends on ARCH_ZYNQ || ARM64 || XTENSA ++ depends on ARCH_ZYNQ || ARM64 || XTENSA || COMPILE_TEST + help + Say yes here to select Cadence I2C Host Controller. This controller is + e.g. used by Xilinx Zynq. +-- +2.34.1 + diff --git a/queue-5.10/i2c-qup-allow-compile_test.patch b/queue-5.10/i2c-qup-allow-compile_test.patch new file mode 100644 index 00000000000..0b59bc1ca06 --- /dev/null +++ b/queue-5.10/i2c-qup-allow-compile_test.patch @@ -0,0 +1,34 @@ +From 50786eb8edd839753c163a14e4b32bf77656f26f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Feb 2022 20:47:07 +0100 +Subject: i2c: qup: allow COMPILE_TEST + +From: Wolfram Sang + +[ Upstream commit 5de717974005fcad2502281e9f82e139ca91f4bb ] + +Driver builds fine with COMPILE_TEST. Enable it for wider test coverage +and easier maintenance. + +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/Kconfig b/drivers/i2c/busses/Kconfig +index d5fc8ec025020..ea474b16e3aac 100644 +--- a/drivers/i2c/busses/Kconfig ++++ b/drivers/i2c/busses/Kconfig +@@ -926,7 +926,7 @@ config I2C_QCOM_GENI + + config I2C_QUP + tristate "Qualcomm QUP based I2C controller" +- depends on ARCH_QCOM ++ depends on ARCH_QCOM || COMPILE_TEST + help + If you say yes to this option, support will be included for the + built-in I2C interface on the Qualcomm SoCs. +-- +2.34.1 + diff --git a/queue-5.10/input-clear-btn_right-middle-on-buttonpads.patch b/queue-5.10/input-clear-btn_right-middle-on-buttonpads.patch new file mode 100644 index 00000000000..665eb5a205b --- /dev/null +++ b/queue-5.10/input-clear-btn_right-middle-on-buttonpads.patch @@ -0,0 +1,85 @@ +From 459f877d5dca5d2d85cecab85bb2f9fcccc597c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Feb 2022 09:59:16 -0800 +Subject: Input: clear BTN_RIGHT/MIDDLE on buttonpads +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: José Expósito + +[ Upstream commit 37ef4c19b4c659926ce65a7ac709ceaefb211c40 ] + +Buttonpads are expected to map the INPUT_PROP_BUTTONPAD property bit +and the BTN_LEFT key bit. + +As explained in the specification, where a device has a button type +value of 0 (click-pad) or 1 (pressure-pad) there should not be +discrete buttons: +https://docs.microsoft.com/en-us/windows-hardware/design/component-guidelines/touchpad-windows-precision-touchpad-collection#device-capabilities-feature-report + +However, some drivers map the BTN_RIGHT and/or BTN_MIDDLE key bits even +though the device is a buttonpad and therefore does not have those +buttons. + +This behavior has forced userspace applications like libinput to +implement different workarounds and quirks to detect buttonpads and +offer to the user the right set of features and configuration options. +For more information: +https://gitlab.freedesktop.org/libinput/libinput/-/merge_requests/726 + +In order to avoid this issue clear the BTN_RIGHT and BTN_MIDDLE key +bits when the input device is register if the INPUT_PROP_BUTTONPAD +property bit is set. + +Notice that this change will not affect udev because it does not check +for buttons. See systemd/src/udev/udev-builtin-input_id.c. + +List of known affected hardware: + + - Chuwi AeroBook Plus + - Chuwi Gemibook + - Framework Laptop + - GPD Win Max + - Huawei MateBook 2020 + - Prestigio Smartbook 141 C2 + - Purism Librem 14v1 + - StarLite Mk II - AMI firmware + - StarLite Mk II - Coreboot firmware + - StarLite Mk III - AMI firmware + - StarLite Mk III - Coreboot firmware + - StarLabTop Mk IV - AMI firmware + - StarLabTop Mk IV - Coreboot firmware + - StarBook Mk V + +Acked-by: Peter Hutterer +Acked-by: Benjamin Tissoires +Acked-by: Jiri Kosina +Signed-off-by: José Expósito +Link: https://lore.kernel.org/r/20220208174806.17183-1-jose.exposito89@gmail.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/input.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/input/input.c b/drivers/input/input.c +index 3cfd2c18eebd9..ff9dc37eff345 100644 +--- a/drivers/input/input.c ++++ b/drivers/input/input.c +@@ -2179,6 +2179,12 @@ int input_register_device(struct input_dev *dev) + /* KEY_RESERVED is not supposed to be transmitted to userspace. */ + __clear_bit(KEY_RESERVED, dev->keybit); + ++ /* Buttonpads should not map BTN_RIGHT and/or BTN_MIDDLE. */ ++ if (test_bit(INPUT_PROP_BUTTONPAD, dev->propbit)) { ++ __clear_bit(BTN_RIGHT, dev->keybit); ++ __clear_bit(BTN_MIDDLE, dev->keybit); ++ } ++ + /* Make sure that bitmasks not mentioned in dev->evbit are clean. */ + input_cleanse_bitmasks(dev); + +-- +2.34.1 + diff --git a/queue-5.10/kvm-arm64-vgic-read-hw-interrupt-pending-state-from-.patch b/queue-5.10/kvm-arm64-vgic-read-hw-interrupt-pending-state-from-.patch new file mode 100644 index 00000000000..b933f1be7a7 --- /dev/null +++ b/queue-5.10/kvm-arm64-vgic-read-hw-interrupt-pending-state-from-.patch @@ -0,0 +1,51 @@ +From e3a0c59f1d51d06848f65e5c9257b51dd32b3900 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Feb 2022 09:24:45 +0000 +Subject: KVM: arm64: vgic: Read HW interrupt pending state from the HW + +From: Marc Zyngier + +[ Upstream commit 5bfa685e62e9ba93c303a9a8db646c7228b9b570 ] + +It appears that a read access to GIC[DR]_I[CS]PENDRn doesn't always +result in the pending interrupts being accurately reported if they are +mapped to a HW interrupt. This is particularily visible when acking +the timer interrupt and reading the GICR_ISPENDR1 register immediately +after, for example (the interrupt appears as not-pending while it really +is...). + +This is because a HW interrupt has its 'active and pending state' kept +in the *physical* distributor, and not in the virtual one, as mandated +by the spec (this is what allows the direct deactivation). The virtual +distributor only caries the pending and active *states* (note the +plural, as these are two independent and non-overlapping states). + +Fix it by reading the HW state back, either from the timer itself or +from the distributor if necessary. + +Reported-by: Ricardo Koller +Tested-by: Ricardo Koller +Reviewed-by: Ricardo Koller +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20220208123726.3604198-1-maz@kernel.org +Signed-off-by: Sasha Levin +--- + arch/arm64/kvm/vgic/vgic-mmio.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm64/kvm/vgic/vgic-mmio.c b/arch/arm64/kvm/vgic/vgic-mmio.c +index b2d73fc0d1ef4..9e1459534ce54 100644 +--- a/arch/arm64/kvm/vgic/vgic-mmio.c ++++ b/arch/arm64/kvm/vgic/vgic-mmio.c +@@ -248,6 +248,8 @@ unsigned long vgic_mmio_read_pending(struct kvm_vcpu *vcpu, + IRQCHIP_STATE_PENDING, + &val); + WARN_RATELIMIT(err, "IRQ %d", irq->host_irq); ++ } else if (vgic_irq_is_mapped_level(irq)) { ++ val = vgic_get_phys_line_level(irq); + } else { + val = irq_is_pending(irq); + } +-- +2.34.1 + diff --git a/queue-5.10/mac80211_hwsim-initialize-ieee80211_tx_info-at-hw_sc.patch b/queue-5.10/mac80211_hwsim-initialize-ieee80211_tx_info-at-hw_sc.patch new file mode 100644 index 00000000000..db1b3fd04d7 --- /dev/null +++ b/queue-5.10/mac80211_hwsim-initialize-ieee80211_tx_info-at-hw_sc.patch @@ -0,0 +1,51 @@ +From d68941ea0ad7960210e3b347bf13d3ae113bd200 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jan 2022 15:02:35 +0900 +Subject: mac80211_hwsim: initialize ieee80211_tx_info at hw_scan_work + +From: JaeMan Park + +[ Upstream commit cacfddf82baf1470e5741edeecb187260868f195 ] + +In mac80211_hwsim, the probe_req frame is created and sent while +scanning. It is sent with ieee80211_tx_info which is not initialized. +Uninitialized ieee80211_tx_info can cause problems when using +mac80211_hwsim with wmediumd. wmediumd checks the tx_rates field of +ieee80211_tx_info and doesn't relay probe_req frame to other clients +even if it is a broadcasting message. + +Call ieee80211_tx_prepare_skb() to initialize ieee80211_tx_info for +the probe_req that is created by hw_scan_work in mac80211_hwsim. + +Signed-off-by: JaeMan Park +Link: https://lore.kernel.org/r/20220113060235.546107-1-jaeman@google.com +[fix memory leak] +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mac80211_hwsim.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c +index 0122585a1e500..cc550ba0c9dfe 100644 +--- a/drivers/net/wireless/mac80211_hwsim.c ++++ b/drivers/net/wireless/mac80211_hwsim.c +@@ -2264,6 +2264,15 @@ static void hw_scan_work(struct work_struct *work) + if (req->ie_len) + skb_put_data(probe, req->ie, req->ie_len); + ++ if (!ieee80211_tx_prepare_skb(hwsim->hw, ++ hwsim->hw_scan_vif, ++ probe, ++ hwsim->tmp_chan->band, ++ NULL)) { ++ kfree_skb(probe); ++ continue; ++ } ++ + local_bh_disable(); + mac80211_hwsim_tx_frame(hwsim->hw, probe, + hwsim->tmp_chan); +-- +2.34.1 + diff --git a/queue-5.10/mac80211_hwsim-report-noack-frames-in-tx_status.patch b/queue-5.10/mac80211_hwsim-report-noack-frames-in-tx_status.patch new file mode 100644 index 00000000000..7c166fa281c --- /dev/null +++ b/queue-5.10/mac80211_hwsim-report-noack-frames-in-tx_status.patch @@ -0,0 +1,38 @@ +From 38da72b7e311cd909d1aa519a86e71cc305fae6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Jan 2022 22:13:26 +0000 +Subject: mac80211_hwsim: report NOACK frames in tx_status + +From: Benjamin Beichler + +[ Upstream commit 42a79960ffa50bfe9e0bf5d6280be89bf563a5dd ] + +Add IEEE80211_TX_STAT_NOACK_TRANSMITTED to tx_status flags to have proper +statistics for non-acked frames. + +Signed-off-by: Benjamin Beichler +Link: https://lore.kernel.org/r/20220111221327.1499881-1-benjamin.beichler@uni-rostock.de +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mac80211_hwsim.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c +index b793d61d15d27..0122585a1e500 100644 +--- a/drivers/net/wireless/mac80211_hwsim.c ++++ b/drivers/net/wireless/mac80211_hwsim.c +@@ -3567,6 +3567,10 @@ static int hwsim_tx_info_frame_received_nl(struct sk_buff *skb_2, + } + txi->flags |= IEEE80211_TX_STAT_ACK; + } ++ ++ if (hwsim_flags & HWSIM_TX_CTL_NO_ACK) ++ txi->flags |= IEEE80211_TX_STAT_NOACK_TRANSMITTED; ++ + ieee80211_tx_status_irqsafe(data2->hw, skb); + return 0; + out: +-- +2.34.1 + diff --git a/queue-5.10/net-usb-cdc_mbim-avoid-altsetting-toggling-for-telit.patch b/queue-5.10/net-usb-cdc_mbim-avoid-altsetting-toggling-for-telit.patch new file mode 100644 index 00000000000..f11f606af10 --- /dev/null +++ b/queue-5.10/net-usb-cdc_mbim-avoid-altsetting-toggling-for-telit.patch @@ -0,0 +1,38 @@ +From cf1085b3ff206a8fb2cda551a328c822ca4a3d74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Feb 2022 12:13:35 +0100 +Subject: net: usb: cdc_mbim: avoid altsetting toggling for Telit FN990 + +From: Daniele Palmas + +[ Upstream commit 21e8a96377e6b6debae42164605bf9dcbe5720c5 ] + +Add quirk CDC_MBIM_FLAG_AVOID_ALTSETTING_TOGGLE for Telit FN990 +0x1071 composition in order to avoid bind error. + +Signed-off-by: Daniele Palmas +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/cdc_mbim.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/usb/cdc_mbim.c b/drivers/net/usb/cdc_mbim.c +index 77ac5a721e7b6..414341c9cf5ae 100644 +--- a/drivers/net/usb/cdc_mbim.c ++++ b/drivers/net/usb/cdc_mbim.c +@@ -658,6 +658,11 @@ static const struct usb_device_id mbim_devs[] = { + .driver_info = (unsigned long)&cdc_mbim_info_avoid_altsetting_toggle, + }, + ++ /* Telit FN990 */ ++ { USB_DEVICE_AND_INTERFACE_INFO(0x1bc7, 0x1071, USB_CLASS_COMM, USB_CDC_SUBCLASS_MBIM, USB_CDC_PROTO_NONE), ++ .driver_info = (unsigned long)&cdc_mbim_info_avoid_altsetting_toggle, ++ }, ++ + /* default entry */ + { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_MBIM, USB_CDC_PROTO_NONE), + .driver_info = (unsigned long)&cdc_mbim_info_zlp, +-- +2.34.1 + diff --git a/queue-5.10/regulator-core-fix-false-positive-in-regulator_late_.patch b/queue-5.10/regulator-core-fix-false-positive-in-regulator_late_.patch new file mode 100644 index 00000000000..2820fbf65a9 --- /dev/null +++ b/queue-5.10/regulator-core-fix-false-positive-in-regulator_late_.patch @@ -0,0 +1,74 @@ +From cf9d217240a0b51dfe12d9aaf403d6cb4fc2cc08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Feb 2022 09:46:45 +0100 +Subject: regulator: core: fix false positive in regulator_late_cleanup() + +From: Oliver Barta + +[ Upstream commit 4e2a354e3775870ca823f1fb29bbbffbe11059a6 ] + +The check done by regulator_late_cleanup() to detect whether a regulator +is on was inconsistent with the check done by _regulator_is_enabled(). +While _regulator_is_enabled() takes the enable GPIO into account, +regulator_late_cleanup() was not doing that. + +This resulted in a false positive, e.g. when a GPIO-controlled fixed +regulator was used, which was not enabled at boot time, e.g. + +reg_disp_1v2: reg_disp_1v2 { + compatible = "regulator-fixed"; + regulator-name = "display_1v2"; + regulator-min-microvolt = <1200000>; + regulator-max-microvolt = <1200000>; + gpio = <&tlmm 148 0>; + enable-active-high; +}; + +Such regulator doesn't have an is_enabled() operation. Nevertheless +it's state can be determined based on the enable GPIO. The check in +regulator_late_cleanup() wrongly assumed that the regulator is on and +tried to disable it. + +Signed-off-by: Oliver Barta +Link: https://lore.kernel.org/r/20220208084645.8686-1-oliver.barta@aptiv.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/core.c | 13 +++---------- + 1 file changed, 3 insertions(+), 10 deletions(-) + +diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c +index 043b5f63b94a1..2c48e55c4104e 100644 +--- a/drivers/regulator/core.c ++++ b/drivers/regulator/core.c +@@ -5862,9 +5862,8 @@ core_initcall(regulator_init); + static int regulator_late_cleanup(struct device *dev, void *data) + { + struct regulator_dev *rdev = dev_to_rdev(dev); +- const struct regulator_ops *ops = rdev->desc->ops; + struct regulation_constraints *c = rdev->constraints; +- int enabled, ret; ++ int ret; + + if (c && c->always_on) + return 0; +@@ -5877,14 +5876,8 @@ static int regulator_late_cleanup(struct device *dev, void *data) + if (rdev->use_count) + goto unlock; + +- /* If we can't read the status assume it's always on. */ +- if (ops->is_enabled) +- enabled = ops->is_enabled(rdev); +- else +- enabled = 1; +- +- /* But if reading the status failed, assume that it's off. */ +- if (enabled <= 0) ++ /* If reading the status failed, assume that it's off. */ ++ if (_regulator_is_enabled(rdev) <= 0) + goto unlock; + + if (have_full_constraints()) { +-- +2.34.1 + diff --git a/queue-5.10/selftests-seccomp-fix-seccomp-failure-by-adding-miss.patch b/queue-5.10/selftests-seccomp-fix-seccomp-failure-by-adding-miss.patch new file mode 100644 index 00000000000..6e41f10e082 --- /dev/null +++ b/queue-5.10/selftests-seccomp-fix-seccomp-failure-by-adding-miss.patch @@ -0,0 +1,42 @@ +From d9833bc6126291827e09bc7da06c3f64802a263b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Feb 2022 12:30:49 -0800 +Subject: selftests/seccomp: Fix seccomp failure by adding missing headers + +From: Sherry Yang + +[ Upstream commit 21bffcb76ee2fbafc7d5946cef10abc9df5cfff7 ] + +seccomp_bpf failed on tests 47 global.user_notification_filter_empty +and 48 global.user_notification_filter_empty_threaded when it's +tested on updated kernel but with old kernel headers. Because old +kernel headers don't have definition of macro __NR_clone3 which is +required for these two tests. Since under selftests/, we can install +headers once for all tests (the default INSTALL_HDR_PATH is +usr/include), fix it by adding usr/include to the list of directories +to be searched. Use "-isystem" to indicate it's a system directory as +the real kernel headers directories are. + +Signed-off-by: Sherry Yang +Tested-by: Sherry Yang +Reviewed-by: Kees Cook +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/seccomp/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/seccomp/Makefile b/tools/testing/selftests/seccomp/Makefile +index 0ebfe8b0e147f..585f7a0c10cbe 100644 +--- a/tools/testing/selftests/seccomp/Makefile ++++ b/tools/testing/selftests/seccomp/Makefile +@@ -1,5 +1,5 @@ + # SPDX-License-Identifier: GPL-2.0 +-CFLAGS += -Wl,-no-as-needed -Wall ++CFLAGS += -Wl,-no-as-needed -Wall -isystem ../../../../usr/include/ + LDFLAGS += -lpthread + + TEST_GEN_PROGS := seccomp_bpf seccomp_benchmark +-- +2.34.1 + diff --git a/queue-5.10/series b/queue-5.10/series index e69de29bb2d..644d2eab72e 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -0,0 +1,15 @@ +mac80211_hwsim-report-noack-frames-in-tx_status.patch +mac80211_hwsim-initialize-ieee80211_tx_info-at-hw_sc.patch +i2c-bcm2835-avoid-clock-stretching-timeouts.patch +asoc-rt5668-do-not-block-workqueue-if-card-is-unboun.patch +asoc-rt5682-do-not-block-workqueue-if-card-is-unboun.patch +regulator-core-fix-false-positive-in-regulator_late_.patch +input-clear-btn_right-middle-on-buttonpads.patch +kvm-arm64-vgic-read-hw-interrupt-pending-state-from-.patch +tipc-fix-a-bit-overflow-in-tipc_crypto_key_rcv.patch +cifs-fix-double-free-race-when-mount-fails-in-cifs_g.patch +selftests-seccomp-fix-seccomp-failure-by-adding-miss.patch +dmaengine-shdma-fix-runtime-pm-imbalance-on-error.patch +i2c-cadence-allow-compile_test.patch +i2c-qup-allow-compile_test.patch +net-usb-cdc_mbim-avoid-altsetting-toggling-for-telit.patch diff --git a/queue-5.10/tipc-fix-a-bit-overflow-in-tipc_crypto_key_rcv.patch b/queue-5.10/tipc-fix-a-bit-overflow-in-tipc_crypto_key_rcv.patch new file mode 100644 index 00000000000..389f8830af1 --- /dev/null +++ b/queue-5.10/tipc-fix-a-bit-overflow-in-tipc_crypto_key_rcv.patch @@ -0,0 +1,35 @@ +From 3ba7a12560a27173becf7e71f9bc9c1aa19a36e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Feb 2022 12:55:10 +0800 +Subject: tipc: fix a bit overflow in tipc_crypto_key_rcv() + +From: Hangyu Hua + +[ Upstream commit 143de8d97d79316590475dc2a84513c63c863ddf ] + +msg_data_sz return a 32bit value, but size is 16bit. This may lead to a +bit overflow. + +Signed-off-by: Hangyu Hua +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/tipc/crypto.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c +index d8a2f424786fc..6f91b9a306dc3 100644 +--- a/net/tipc/crypto.c ++++ b/net/tipc/crypto.c +@@ -2280,7 +2280,7 @@ static bool tipc_crypto_key_rcv(struct tipc_crypto *rx, struct tipc_msg *hdr) + struct tipc_crypto *tx = tipc_net(rx->net)->crypto_tx; + struct tipc_aead_key *skey = NULL; + u16 key_gen = msg_key_gen(hdr); +- u16 size = msg_data_sz(hdr); ++ u32 size = msg_data_sz(hdr); + u8 *data = msg_data(hdr); + unsigned int keylen; + +-- +2.34.1 +