From: Sasha Levin Date: Fri, 21 Feb 2020 01:27:00 +0000 (-0500) Subject: fixes for 4.4 X-Git-Tag: v4.19.106~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e85e57e38b5ea01f3e575baf6d43fdcfe8365e22;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.4 Signed-off-by: Sasha Levin --- diff --git a/queue-4.4/acpica-disassembler-create-buffer-fields-in-acpi_par.patch b/queue-4.4/acpica-disassembler-create-buffer-fields-in-acpi_par.patch new file mode 100644 index 00000000000..c7f80b93dca --- /dev/null +++ b/queue-4.4/acpica-disassembler-create-buffer-fields-in-acpi_par.patch @@ -0,0 +1,86 @@ +From d51b900b9fd8f4e78f45fa6e878938df03442d3c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Dec 2019 11:35:20 -0800 +Subject: ACPICA: Disassembler: create buffer fields in ACPI_PARSE_LOAD_PASS1 + +From: Erik Kaneda + +[ Upstream commit 5ddbd77181dfca61b16d2e2222382ea65637f1b9 ] + +ACPICA commit 29cc8dbc5463a93625bed87d7550a8bed8913bf4 + +create_buffer_field is a deferred op that is typically processed in +load pass 2. However, disassembly of control method contents walk the +parse tree with ACPI_PARSE_LOAD_PASS1 and AML_CREATE operators are +processed in a later walk. This is a problem when there is a control +method that has the same name as the AML_CREATE object. In this case, +any use of the name segment will be detected as a method call rather +than a reference to a buffer field. If this is detected as a method +call, it can result in a mal-formed parse tree if the control methods +have parameters. + +This change in processing AML_CREATE ops earlier solves this issue by +inserting the named object in the ACPI namespace so that references +to this name would be detected as a name string rather than a method +call. + +Link: https://github.com/acpica/acpica/commit/29cc8dbc +Reported-by: Elia Geretto +Tested-by: Elia Geretto +Signed-off-by: Bob Moore +Signed-off-by: Erik Kaneda +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/dsfield.c | 2 +- + drivers/acpi/acpica/dswload.c | 21 +++++++++++++++++++++ + 2 files changed, 22 insertions(+), 1 deletion(-) + +diff --git a/drivers/acpi/acpica/dsfield.c b/drivers/acpi/acpica/dsfield.c +index 20de148594fdc..d56cbcda37c13 100644 +--- a/drivers/acpi/acpica/dsfield.c ++++ b/drivers/acpi/acpica/dsfield.c +@@ -272,7 +272,7 @@ cleanup: + * FUNCTION: acpi_ds_get_field_names + * + * PARAMETERS: info - create_field info structure +- * ` walk_state - Current method state ++ * walk_state - Current method state + * arg - First parser arg for the field name list + * + * RETURN: Status +diff --git a/drivers/acpi/acpica/dswload.c b/drivers/acpi/acpica/dswload.c +index 097188a6b1c1b..35f1d7657927a 100644 +--- a/drivers/acpi/acpica/dswload.c ++++ b/drivers/acpi/acpica/dswload.c +@@ -440,6 +440,27 @@ acpi_status acpi_ds_load1_end_op(struct acpi_walk_state *walk_state) + ACPI_DEBUG_PRINT((ACPI_DB_DISPATCH, "Op=%p State=%p\n", op, + walk_state)); + ++ /* ++ * Disassembler: handle create field operators here. ++ * ++ * create_buffer_field is a deferred op that is typically processed in load ++ * pass 2. However, disassembly of control method contents walk the parse ++ * tree with ACPI_PARSE_LOAD_PASS1 and AML_CREATE operators are processed ++ * in a later walk. This is a problem when there is a control method that ++ * has the same name as the AML_CREATE object. In this case, any use of the ++ * name segment will be detected as a method call rather than a reference ++ * to a buffer field. ++ * ++ * This earlier creation during disassembly solves this issue by inserting ++ * the named object in the ACPI namespace so that references to this name ++ * would be a name string rather than a method call. ++ */ ++ if ((walk_state->parse_flags & ACPI_PARSE_DISASSEMBLE) && ++ (walk_state->op_info->flags & AML_CREATE)) { ++ status = acpi_ds_create_buffer_field(op, walk_state); ++ return_ACPI_STATUS(status); ++ } ++ + /* We are only interested in opcodes that have an associated name */ + + if (!(walk_state->op_info->flags & (AML_NAMED | AML_FIELD))) { +-- +2.20.1 + diff --git a/queue-4.4/alsa-hda-add-docking-station-support-for-lenovo-thin.patch b/queue-4.4/alsa-hda-add-docking-station-support-for-lenovo-thin.patch new file mode 100644 index 00000000000..0e94cc5b046 --- /dev/null +++ b/queue-4.4/alsa-hda-add-docking-station-support-for-lenovo-thin.patch @@ -0,0 +1,38 @@ +From a6aa18c5258abedd59e340628e148b12acb13d4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Jan 2020 19:01:06 +0100 +Subject: ALSA: hda - Add docking station support for Lenovo Thinkpad T420s +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Peter Große + +[ Upstream commit ef7d84caa5928b40b1c93a26dbe5a3f12737c6ab ] + +Lenovo Thinkpad T420s uses the same codec as T420, so apply the +same quirk to enable audio output on a docking station. + +Signed-off-by: Peter Große +Link: https://lore.kernel.org/r/20200122180106.9351-1-pegro@friiks.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_conexant.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c +index 05e745e2f4271..3150ddfbdb25e 100644 +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -866,6 +866,7 @@ static const struct snd_pci_quirk cxt5066_fixups[] = { + SND_PCI_QUIRK(0x17aa, 0x215f, "Lenovo T510", CXT_PINCFG_LENOVO_TP410), + SND_PCI_QUIRK(0x17aa, 0x21ce, "Lenovo T420", CXT_PINCFG_LENOVO_TP410), + SND_PCI_QUIRK(0x17aa, 0x21cf, "Lenovo T520", CXT_PINCFG_LENOVO_TP410), ++ SND_PCI_QUIRK(0x17aa, 0x21d2, "Lenovo T420s", CXT_PINCFG_LENOVO_TP410), + SND_PCI_QUIRK(0x17aa, 0x21da, "Lenovo X220", CXT_PINCFG_LENOVO_TP410), + SND_PCI_QUIRK(0x17aa, 0x21db, "Lenovo X220-tablet", CXT_PINCFG_LENOVO_TP410), + SND_PCI_QUIRK(0x17aa, 0x38af, "Lenovo IdeaPad Z560", CXT_FIXUP_MUTE_LED_EAPD), +-- +2.20.1 + diff --git a/queue-4.4/alsa-sh-fix-compile-warning-wrt-const.patch b/queue-4.4/alsa-sh-fix-compile-warning-wrt-const.patch new file mode 100644 index 00000000000..edaf16cdb84 --- /dev/null +++ b/queue-4.4/alsa-sh-fix-compile-warning-wrt-const.patch @@ -0,0 +1,41 @@ +From 08b43053d9524f95dec4b8097d0d68811bd93fd6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Jan 2020 15:48:23 +0100 +Subject: ALSA: sh: Fix compile warning wrt const + +From: Takashi Iwai + +[ Upstream commit f1dd4795b1523fbca7ab4344dd5a8bb439cc770d ] + +A long-standing compile warning was seen during build test: + sound/sh/aica.c: In function 'load_aica_firmware': + sound/sh/aica.c:521:25: warning: passing argument 2 of 'spu_memload' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers] + +Fixes: 198de43d758c ("[ALSA] Add ALSA support for the SEGA Dreamcast PCM device") +Link: https://lore.kernel.org/r/20200105144823.29547-69-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/sh/aica.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/sh/aica.c b/sound/sh/aica.c +index ad3d9ae380349..dd601b39f69ef 100644 +--- a/sound/sh/aica.c ++++ b/sound/sh/aica.c +@@ -120,10 +120,10 @@ static void spu_memset(u32 toi, u32 what, int length) + } + + /* spu_memload - write to SPU address space */ +-static void spu_memload(u32 toi, void *from, int length) ++static void spu_memload(u32 toi, const void *from, int length) + { + unsigned long flags; +- u32 *froml = from; ++ const u32 *froml = from; + u32 __iomem *to = (u32 __iomem *) (SPU_MEMORY_BASE + toi); + int i; + u32 val; +-- +2.20.1 + diff --git a/queue-4.4/alsa-usx2y-adjust-indentation-in-snd_usx2y_hwdep_dsp.patch b/queue-4.4/alsa-usx2y-adjust-indentation-in-snd_usx2y_hwdep_dsp.patch new file mode 100644 index 00000000000..4e96eb6e894 --- /dev/null +++ b/queue-4.4/alsa-usx2y-adjust-indentation-in-snd_usx2y_hwdep_dsp.patch @@ -0,0 +1,51 @@ +From 1f130c2d18f4559ed2736c57ec8e8ca3bf1524a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Dec 2019 20:42:57 -0700 +Subject: ALSA: usx2y: Adjust indentation in snd_usX2Y_hwdep_dsp_status + +From: Nathan Chancellor + +[ Upstream commit df4654bd6e42125d9b85ce3a26eaca2935290b98 ] + +Clang warns: + +../sound/usb/usx2y/usX2Yhwdep.c:122:3: warning: misleading indentation; +statement is not part of the previous 'if' [-Wmisleading-indentation] + info->version = USX2Y_DRIVER_VERSION; + ^ +../sound/usb/usx2y/usX2Yhwdep.c:120:2: note: previous statement is here + if (us428->chip_status & USX2Y_STAT_CHIP_INIT) + ^ +1 warning generated. + +This warning occurs because there is a space before the tab on this +line. Remove it so that the indentation is consistent with the Linux +kernel coding style and clang no longer warns. + +This was introduced before the beginning of git history so no fixes tag. + +Link: https://github.com/ClangBuiltLinux/linux/issues/831 +Signed-off-by: Nathan Chancellor +Link: https://lore.kernel.org/r/20191218034257.54535-1-natechancellor@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/usx2y/usX2Yhwdep.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/usb/usx2y/usX2Yhwdep.c b/sound/usb/usx2y/usX2Yhwdep.c +index 0b34dbc8f3020..7dcb33d3886bc 100644 +--- a/sound/usb/usx2y/usX2Yhwdep.c ++++ b/sound/usb/usx2y/usX2Yhwdep.c +@@ -132,7 +132,7 @@ static int snd_usX2Y_hwdep_dsp_status(struct snd_hwdep *hw, + info->num_dsps = 2; // 0: Prepad Data, 1: FPGA Code + if (us428->chip_status & USX2Y_STAT_CHIP_INIT) + info->chip_ready = 1; +- info->version = USX2Y_DRIVER_VERSION; ++ info->version = USX2Y_DRIVER_VERSION; + return 0; + } + +-- +2.20.1 + diff --git a/queue-4.4/arm-8951-1-fix-kexec-compilation-issue.patch b/queue-4.4/arm-8951-1-fix-kexec-compilation-issue.patch new file mode 100644 index 00000000000..03bdb9926b9 --- /dev/null +++ b/queue-4.4/arm-8951-1-fix-kexec-compilation-issue.patch @@ -0,0 +1,53 @@ +From 82402126c6bf7cb8cac783d8fc9bf10cf2ef3511 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jan 2020 13:37:59 +0100 +Subject: ARM: 8951/1: Fix Kexec compilation issue. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Vincenzo Frascino + +[ Upstream commit 76950f7162cad51d2200ebd22c620c14af38f718 ] + +To perform the reserve_crashkernel() operation kexec uses SECTION_SIZE to +find a memblock in a range. +SECTION_SIZE is not defined for nommu systems. Trying to compile kexec in +these conditions results in a build error: + + linux/arch/arm/kernel/setup.c: In function ‘reserve_crashkernel’: + linux/arch/arm/kernel/setup.c:1016:25: error: ‘SECTION_SIZE’ undeclared + (first use in this function); did you mean ‘SECTIONS_WIDTH’? + crash_size, SECTION_SIZE); + ^~~~~~~~~~~~ + SECTIONS_WIDTH + linux/arch/arm/kernel/setup.c:1016:25: note: each undeclared identifier + is reported only once for each function it appears in + linux/scripts/Makefile.build:265: recipe for target 'arch/arm/kernel/setup.o' + failed + +Make KEXEC depend on MMU to fix the compilation issue. + +Signed-off-by: Vincenzo Frascino +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig +index 2ba69df49cf86..45f2a5930379a 100644 +--- a/arch/arm/Kconfig ++++ b/arch/arm/Kconfig +@@ -2000,7 +2000,7 @@ config XIP_PHYS_ADDR + config KEXEC + bool "Kexec system call (EXPERIMENTAL)" + depends on (!SMP || PM_SLEEP_SMP) +- depends on !CPU_V7M ++ depends on MMU + select KEXEC_CORE + help + kexec is a system call that implements the ability to shutdown your +-- +2.20.1 + diff --git a/queue-4.4/arm-dts-r8a7779-add-device-node-for-arm-global-timer.patch b/queue-4.4/arm-dts-r8a7779-add-device-node-for-arm-global-timer.patch new file mode 100644 index 00000000000..a4d9a8bacd6 --- /dev/null +++ b/queue-4.4/arm-dts-r8a7779-add-device-node-for-arm-global-timer.patch @@ -0,0 +1,44 @@ +From a330aa57da5577e340c614661c38a526fd9a7b8f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2019 14:52:21 +0100 +Subject: ARM: dts: r8a7779: Add device node for ARM global timer + +From: Geert Uytterhoeven + +[ Upstream commit 8443ffd1bbd5be74e9b12db234746d12e8ea93e2 ] + +Add a device node for the global timer, which is part of the Cortex-A9 +MPCore. + +The global timer can serve as an accurate (4 ns) clock source for +scheduling and delay loops. + +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20191211135222.26770-4-geert+renesas@glider.be +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/r8a7779.dtsi | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/arch/arm/boot/dts/r8a7779.dtsi b/arch/arm/boot/dts/r8a7779.dtsi +index 6afa909865b52..8636e2321ab71 100644 +--- a/arch/arm/boot/dts/r8a7779.dtsi ++++ b/arch/arm/boot/dts/r8a7779.dtsi +@@ -63,6 +63,14 @@ + <0xf0000100 0x100>; + }; + ++ timer@f0000200 { ++ compatible = "arm,cortex-a9-global-timer"; ++ reg = <0xf0000200 0x100>; ++ interrupts = ; ++ clocks = <&cpg_clocks R8A7779_CLK_ZS>; ++ }; ++ + timer@f0000600 { + compatible = "arm,cortex-a9-twd-timer"; + reg = <0xf0000600 0x20>; +-- +2.20.1 + diff --git a/queue-4.4/asoc-atmel-fix-build-error-with-config_snd_atmel_soc.patch b/queue-4.4/asoc-atmel-fix-build-error-with-config_snd_atmel_soc.patch new file mode 100644 index 00000000000..a5ed4951321 --- /dev/null +++ b/queue-4.4/asoc-atmel-fix-build-error-with-config_snd_atmel_soc.patch @@ -0,0 +1,43 @@ +From c79db4c7e7bbb9cd239bca57e511d467211b7755 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jan 2020 21:32:42 +0800 +Subject: ASoC: atmel: fix build error with CONFIG_SND_ATMEL_SOC_DMA=m + +From: Chen Zhou + +[ Upstream commit 8fea78029f5e6ed734ae1957bef23cfda1af4354 ] + +If CONFIG_SND_ATMEL_SOC_DMA=m, build error: + +sound/soc/atmel/atmel_ssc_dai.o: In function `atmel_ssc_set_audio': +(.text+0x7cd): undefined reference to `atmel_pcm_dma_platform_register' + +Function atmel_pcm_dma_platform_register is defined under +CONFIG SND_ATMEL_SOC_DMA, so select SND_ATMEL_SOC_DMA in +CONFIG SND_ATMEL_SOC_SSC, same to CONFIG_SND_ATMEL_SOC_PDC. + +Reported-by: Hulk Robot +Signed-off-by: Chen Zhou +Link: https://lore.kernel.org/r/20200113133242.144550-1-chenzhou10@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/atmel/Kconfig | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/soc/atmel/Kconfig b/sound/soc/atmel/Kconfig +index 2d30464b81cef..d7b471c69f4fb 100644 +--- a/sound/soc/atmel/Kconfig ++++ b/sound/soc/atmel/Kconfig +@@ -24,6 +24,8 @@ config SND_ATMEL_SOC_DMA + + config SND_ATMEL_SOC_SSC_DMA + tristate ++ select SND_ATMEL_SOC_DMA ++ select SND_ATMEL_SOC_PDC + + config SND_ATMEL_SOC_SSC + tristate +-- +2.20.1 + diff --git a/queue-4.4/b43legacy-fix-wcast-function-type.patch b/queue-4.4/b43legacy-fix-wcast-function-type.patch new file mode 100644 index 00000000000..48eae5b3ff0 --- /dev/null +++ b/queue-4.4/b43legacy-fix-wcast-function-type.patch @@ -0,0 +1,48 @@ +From 31914bd6c2ba9802f69a030c86574d7c2515e282 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Nov 2019 00:55:26 +0700 +Subject: b43legacy: Fix -Wcast-function-type + +From: Phong Tran + +[ Upstream commit 475eec112e4267232d10f4afe2f939a241692b6c ] + +correct usage prototype of callback in tasklet_init(). +Report by https://github.com/KSPP/linux/issues/20 + +Tested-by: Larry Finger +Signed-off-by: Phong Tran +Reviewed-by: Kees Cook +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/b43legacy/main.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/b43legacy/main.c b/drivers/net/wireless/b43legacy/main.c +index afc1fb3e38dfe..bd35a702382fb 100644 +--- a/drivers/net/wireless/b43legacy/main.c ++++ b/drivers/net/wireless/b43legacy/main.c +@@ -1304,8 +1304,9 @@ static void handle_irq_ucode_debug(struct b43legacy_wldev *dev) + } + + /* Interrupt handler bottom-half */ +-static void b43legacy_interrupt_tasklet(struct b43legacy_wldev *dev) ++static void b43legacy_interrupt_tasklet(unsigned long data) + { ++ struct b43legacy_wldev *dev = (struct b43legacy_wldev *)data; + u32 reason; + u32 dma_reason[ARRAY_SIZE(dev->dma_reason)]; + u32 merged_dma_reason = 0; +@@ -3775,7 +3776,7 @@ static int b43legacy_one_core_attach(struct ssb_device *dev, + b43legacy_set_status(wldev, B43legacy_STAT_UNINIT); + wldev->bad_frames_preempt = modparam_bad_frames_preempt; + tasklet_init(&wldev->isr_tasklet, +- (void (*)(unsigned long))b43legacy_interrupt_tasklet, ++ b43legacy_interrupt_tasklet, + (unsigned long)wldev); + if (modparam_pio) + wldev->__using_pio = true; +-- +2.20.1 + diff --git a/queue-4.4/bcache-explicity-type-cast-in-bset_bkey_last.patch b/queue-4.4/bcache-explicity-type-cast-in-bset_bkey_last.patch new file mode 100644 index 00000000000..a5543d5d327 --- /dev/null +++ b/queue-4.4/bcache-explicity-type-cast-in-bset_bkey_last.patch @@ -0,0 +1,52 @@ +From 264165cd695ce801f1899e586af6962d9625eea5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Feb 2020 22:42:32 +0800 +Subject: bcache: explicity type cast in bset_bkey_last() + +From: Coly Li + +[ Upstream commit 7c02b0055f774ed9afb6e1c7724f33bf148ffdc0 ] + +In bset.h, macro bset_bkey_last() is defined as, + bkey_idx((struct bkey *) (i)->d, (i)->keys) + +Parameter i can be variable type of data structure, the macro always +works once the type of struct i has member 'd' and 'keys'. + +bset_bkey_last() is also used in macro csum_set() to calculate the +checksum of a on-disk data structure. When csum_set() is used to +calculate checksum of on-disk bcache super block, the parameter 'i' +data type is struct cache_sb_disk. Inside struct cache_sb_disk (also in +struct cache_sb) the member keys is __u16 type. But bkey_idx() expects +unsigned int (a 32bit width), so there is problem when sending +parameters via stack to call bkey_idx(). + +Sparse tool from Intel 0day kbuild system reports this incompatible +problem. bkey_idx() is part of user space API, so the simplest fix is +to cast the (i)->keys to unsigned int type in macro bset_bkey_last(). + +Reported-by: kbuild test robot +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/md/bcache/bset.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/md/bcache/bset.h b/drivers/md/bcache/bset.h +index b935839ab79c6..f483041eed986 100644 +--- a/drivers/md/bcache/bset.h ++++ b/drivers/md/bcache/bset.h +@@ -380,7 +380,8 @@ void bch_btree_keys_stats(struct btree_keys *, struct bset_stats *); + + /* Bkey utility code */ + +-#define bset_bkey_last(i) bkey_idx((struct bkey *) (i)->d, (i)->keys) ++#define bset_bkey_last(i) bkey_idx((struct bkey *) (i)->d, \ ++ (unsigned int)(i)->keys) + + static inline struct bkey *bset_bkey_idx(struct bset *i, unsigned idx) + { +-- +2.20.1 + diff --git a/queue-4.4/brcmfmac-fix-use-after-free-in-brcmf_sdio_readframes.patch b/queue-4.4/brcmfmac-fix-use-after-free-in-brcmf_sdio_readframes.patch new file mode 100644 index 00000000000..de6b9145baa --- /dev/null +++ b/queue-4.4/brcmfmac-fix-use-after-free-in-brcmf_sdio_readframes.patch @@ -0,0 +1,41 @@ +From 21ee7b30e0901a43c12722c28ea394f44b93df13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2019 12:58:55 +0300 +Subject: brcmfmac: Fix use after free in brcmf_sdio_readframes() + +From: Dan Carpenter + +[ Upstream commit 216b44000ada87a63891a8214c347e05a4aea8fe ] + +The brcmu_pkt_buf_free_skb() function frees "pkt" so it leads to a +static checker warning: + + drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c:1974 brcmf_sdio_readframes() + error: dereferencing freed memory 'pkt' + +It looks like there was supposed to be a continue after we free "pkt". + +Fixes: 4754fceeb9a6 ("brcmfmac: streamline SDIO read frame routine") +Signed-off-by: Dan Carpenter +Acked-by: Franky Lin +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/brcm80211/brcmfmac/sdio.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/brcm80211/brcmfmac/sdio.c b/drivers/net/wireless/brcm80211/brcmfmac/sdio.c +index 9954e641c943d..8bb028f740fd8 100644 +--- a/drivers/net/wireless/brcm80211/brcmfmac/sdio.c ++++ b/drivers/net/wireless/brcm80211/brcmfmac/sdio.c +@@ -2027,6 +2027,7 @@ static uint brcmf_sdio_readframes(struct brcmf_sdio *bus, uint maxframes) + BRCMF_SDIO_FT_NORMAL)) { + rd->len = 0; + brcmu_pkt_buf_free_skb(pkt); ++ continue; + } + bus->sdcnt.rx_readahead_cnt++; + if (rd->len != roundup(rd_new.len, 16)) { +-- +2.20.1 + diff --git a/queue-4.4/brd-check-and-limit-max_part-par.patch b/queue-4.4/brd-check-and-limit-max_part-par.patch new file mode 100644 index 00000000000..905a446d017 --- /dev/null +++ b/queue-4.4/brd-check-and-limit-max_part-par.patch @@ -0,0 +1,109 @@ +From 9a785b208e704bac1409b1acb51348bbb9cace15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Feb 2020 19:30:20 +0800 +Subject: brd: check and limit max_part par + +From: Zhiqiang Liu + +[ Upstream commit c8ab422553c81a0eb070329c63725df1cd1425bc ] + +In brd_init func, rd_nr num of brd_device are firstly allocated +and add in brd_devices, then brd_devices are traversed to add each +brd_device by calling add_disk func. When allocating brd_device, +the disk->first_minor is set to i * max_part, if rd_nr * max_part +is larger than MINORMASK, two different brd_device may have the same +devt, then only one of them can be successfully added. +when rmmod brd.ko, it will cause oops when calling brd_exit. + +Follow those steps: + # modprobe brd rd_nr=3 rd_size=102400 max_part=1048576 + # rmmod brd +then, the oops will appear. + +Oops log: +[ 726.613722] Call trace: +[ 726.614175] kernfs_find_ns+0x24/0x130 +[ 726.614852] kernfs_find_and_get_ns+0x44/0x68 +[ 726.615749] sysfs_remove_group+0x38/0xb0 +[ 726.616520] blk_trace_remove_sysfs+0x1c/0x28 +[ 726.617320] blk_unregister_queue+0x98/0x100 +[ 726.618105] del_gendisk+0x144/0x2b8 +[ 726.618759] brd_exit+0x68/0x560 [brd] +[ 726.619501] __arm64_sys_delete_module+0x19c/0x2a0 +[ 726.620384] el0_svc_common+0x78/0x130 +[ 726.621057] el0_svc_handler+0x38/0x78 +[ 726.621738] el0_svc+0x8/0xc +[ 726.622259] Code: aa0203f6 aa0103f7 aa1e03e0 d503201f (7940e260) + +Here, we add brd_check_and_reset_par func to check and limit max_part par. + +-- +V5->V6: + - remove useless code + +V4->V5:(suggested by Ming Lei) + - make sure max_part is not larger than DISK_MAX_PARTS + +V3->V4:(suggested by Ming Lei) + - remove useless change + - add one limit of max_part + +V2->V3: (suggested by Ming Lei) + - clear .minors when running out of consecutive minor space in brd_alloc + - remove limit of rd_nr + +V1->V2: + - add more checks in brd_check_par_valid as suggested by Ming Lei. + +Signed-off-by: Zhiqiang Liu +Reviewed-by: Bob Liu +Reviewed-by: Ming Lei +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/brd.c | 22 ++++++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +diff --git a/drivers/block/brd.c b/drivers/block/brd.c +index 1914c63ca8b1d..58c1138ad5e17 100644 +--- a/drivers/block/brd.c ++++ b/drivers/block/brd.c +@@ -581,6 +581,25 @@ static struct kobject *brd_probe(dev_t dev, int *part, void *data) + return kobj; + } + ++static inline void brd_check_and_reset_par(void) ++{ ++ if (unlikely(!max_part)) ++ max_part = 1; ++ ++ /* ++ * make sure 'max_part' can be divided exactly by (1U << MINORBITS), ++ * otherwise, it is possiable to get same dev_t when adding partitions. ++ */ ++ if ((1U << MINORBITS) % max_part != 0) ++ max_part = 1UL << fls(max_part); ++ ++ if (max_part > DISK_MAX_PARTS) { ++ pr_info("brd: max_part can't be larger than %d, reset max_part = %d.\n", ++ DISK_MAX_PARTS, DISK_MAX_PARTS); ++ max_part = DISK_MAX_PARTS; ++ } ++} ++ + static int __init brd_init(void) + { + struct brd_device *brd, *next; +@@ -604,8 +623,7 @@ static int __init brd_init(void) + if (register_blkdev(RAMDISK_MAJOR, "ramdisk")) + return -EIO; + +- if (unlikely(!max_part)) +- max_part = 1; ++ brd_check_and_reset_par(); + + for (i = 0; i < rd_nr; i++) { + brd = brd_alloc(i); +-- +2.20.1 + diff --git a/queue-4.4/clk-qcom-rcg2-don-t-crash-if-our-parent-can-t-be-fou.patch b/queue-4.4/clk-qcom-rcg2-don-t-crash-if-our-parent-can-t-be-fou.patch new file mode 100644 index 00000000000..13c71bb2e45 --- /dev/null +++ b/queue-4.4/clk-qcom-rcg2-don-t-crash-if-our-parent-can-t-be-fou.patch @@ -0,0 +1,71 @@ +From 89bb8acf6214b747c0b6100b159a8068742558e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Feb 2020 10:31:34 -0800 +Subject: clk: qcom: rcg2: Don't crash if our parent can't be found; return an + error + +From: Douglas Anderson + +[ Upstream commit 908b050114d8fefdddc57ec9fbc213c3690e7f5f ] + +When I got my clock parenting slightly wrong I ended up with a crash +that looked like this: + + Unable to handle kernel NULL pointer dereference at virtual + address 0000000000000000 + ... + pc : clk_hw_get_rate+0x14/0x44 + ... + Call trace: + clk_hw_get_rate+0x14/0x44 + _freq_tbl_determine_rate+0x94/0xfc + clk_rcg2_determine_rate+0x2c/0x38 + clk_core_determine_round_nolock+0x4c/0x88 + clk_core_round_rate_nolock+0x6c/0xa8 + clk_core_round_rate_nolock+0x9c/0xa8 + clk_core_set_rate_nolock+0x70/0x180 + clk_set_rate+0x3c/0x6c + of_clk_set_defaults+0x254/0x360 + platform_drv_probe+0x28/0xb0 + really_probe+0x120/0x2dc + driver_probe_device+0x64/0xfc + device_driver_attach+0x4c/0x6c + __driver_attach+0xac/0xc0 + bus_for_each_dev+0x84/0xcc + driver_attach+0x2c/0x38 + bus_add_driver+0xfc/0x1d0 + driver_register+0x64/0xf8 + __platform_driver_register+0x4c/0x58 + msm_drm_register+0x5c/0x60 + ... + +It turned out that clk_hw_get_parent_by_index() was returning NULL and +we weren't checking. Let's check it so that we don't crash. + +Fixes: ac269395cdd8 ("clk: qcom: Convert to clk_hw based provider APIs") +Signed-off-by: Douglas Anderson +Reviewed-by: Matthias Kaehlcke +Link: https://lkml.kernel.org/r/20200203103049.v4.1.I7487325fe8e701a68a07d3be8a6a4b571eca9cfa@changeid +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/clk-rcg2.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/clk/qcom/clk-rcg2.c b/drivers/clk/qcom/clk-rcg2.c +index 350a01f748706..8b549ece9f13c 100644 +--- a/drivers/clk/qcom/clk-rcg2.c ++++ b/drivers/clk/qcom/clk-rcg2.c +@@ -194,6 +194,9 @@ static int _freq_tbl_determine_rate(struct clk_hw *hw, + + clk_flags = clk_hw_get_flags(hw); + p = clk_hw_get_parent_by_index(hw, index); ++ if (!p) ++ return -EINVAL; ++ + if (clk_flags & CLK_SET_RATE_PARENT) { + if (f->pre_div) { + if (!rate) +-- +2.20.1 + diff --git a/queue-4.4/cmd64x-potential-buffer-overflow-in-cmd64x_program_t.patch b/queue-4.4/cmd64x-potential-buffer-overflow-in-cmd64x_program_t.patch new file mode 100644 index 00000000000..d1080c46b4a --- /dev/null +++ b/queue-4.4/cmd64x-potential-buffer-overflow-in-cmd64x_program_t.patch @@ -0,0 +1,36 @@ +From a87b2163232239d2cf73c7f553318e35c356ff08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jan 2020 16:04:41 +0300 +Subject: cmd64x: potential buffer overflow in cmd64x_program_timings() + +From: Dan Carpenter + +[ Upstream commit 117fcc3053606d8db5cef8821dca15022ae578bb ] + +The "drive->dn" value is a u8 and it is controlled by root only, but +it could be out of bounds here so let's check. + +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/ide/cmd64x.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/ide/cmd64x.c b/drivers/ide/cmd64x.c +index b127ed60c7336..9dde8390da09b 100644 +--- a/drivers/ide/cmd64x.c ++++ b/drivers/ide/cmd64x.c +@@ -65,6 +65,9 @@ static void cmd64x_program_timings(ide_drive_t *drive, u8 mode) + struct ide_timing t; + u8 arttim = 0; + ++ if (drive->dn >= ARRAY_SIZE(drwtim_regs)) ++ return; ++ + ide_timing_compute(drive, mode, &t, T, 0); + + /* +-- +2.20.1 + diff --git a/queue-4.4/driver-core-print-device-when-resources-present-in-r.patch b/queue-4.4/driver-core-print-device-when-resources-present-in-r.patch new file mode 100644 index 00000000000..ec604cbc88b --- /dev/null +++ b/queue-4.4/driver-core-print-device-when-resources-present-in-r.patch @@ -0,0 +1,45 @@ +From 832c4e2ccca940f164bc26b0e0645c50c2d910cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2019 14:22:19 +0100 +Subject: driver core: Print device when resources present in really_probe() + +From: Geert Uytterhoeven + +[ Upstream commit 7c35e699c88bd60734277b26962783c60e04b494 ] + +If a device already has devres items attached before probing, a warning +backtrace is printed. However, this backtrace does not reveal the +offending device, leaving the user uninformed. Furthermore, using +WARN_ON() causes systems with panic-on-warn to reboot. + +Fix this by replacing the WARN_ON() by a dev_crit() message. +Abort probing the device, to prevent doing more damage to the device's +resources. + +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20191206132219.28908-1-geert+renesas@glider.be +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/base/dd.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/base/dd.c b/drivers/base/dd.c +index 1dffb018a7feb..04a923186081f 100644 +--- a/drivers/base/dd.c ++++ b/drivers/base/dd.c +@@ -283,7 +283,10 @@ static int really_probe(struct device *dev, struct device_driver *drv) + atomic_inc(&probe_count); + pr_debug("bus: '%s': %s: probing driver %s with device %s\n", + drv->bus->name, __func__, drv->name, dev_name(dev)); +- WARN_ON(!list_empty(&dev->devres_head)); ++ if (!list_empty(&dev->devres_head)) { ++ dev_crit(dev, "Resources present before probing\n"); ++ return -EBUSY; ++ } + + dev->driver = drv; + +-- +2.20.1 + diff --git a/queue-4.4/drm-amdgpu-remove-4-set-but-not-used-variable-in-amd.patch b/queue-4.4/drm-amdgpu-remove-4-set-but-not-used-variable-in-amd.patch new file mode 100644 index 00000000000..4cb3a71ae32 --- /dev/null +++ b/queue-4.4/drm-amdgpu-remove-4-set-but-not-used-variable-in-amd.patch @@ -0,0 +1,75 @@ +From 438aece190c8200751c411ca17ae3a5f23f60242 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Nov 2019 21:27:20 +0800 +Subject: drm/amdgpu: remove 4 set but not used variable in + amdgpu_atombios_get_connector_info_from_object_table + +From: yu kuai + +[ Upstream commit bae028e3e521e8cb8caf2cc16a455ce4c55f2332 ] + +Fixes gcc '-Wunused-but-set-variable' warning: + +drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c: In function +'amdgpu_atombios_get_connector_info_from_object_table': +drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c:376:26: warning: variable +'grph_obj_num' set but not used [-Wunused-but-set-variable] +drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c:376:13: warning: variable +'grph_obj_id' set but not used [-Wunused-but-set-variable] +drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c:341:37: warning: variable +'con_obj_type' set but not used [-Wunused-but-set-variable] +drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c:341:24: warning: variable +'con_obj_num' set but not used [-Wunused-but-set-variable] + +They are never used, so can be removed. + +Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)") +Signed-off-by: yu kuai +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c | 19 ++----------------- + 1 file changed, 2 insertions(+), 17 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c +index 3e90ddcbb24a7..d799927d3a5de 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c +@@ -319,17 +319,9 @@ bool amdgpu_atombios_get_connector_info_from_object_table(struct amdgpu_device * + path_size += le16_to_cpu(path->usSize); + + if (device_support & le16_to_cpu(path->usDeviceTag)) { +- uint8_t con_obj_id, con_obj_num, con_obj_type; +- +- con_obj_id = ++ uint8_t con_obj_id = + (le16_to_cpu(path->usConnObjectId) & OBJECT_ID_MASK) + >> OBJECT_ID_SHIFT; +- con_obj_num = +- (le16_to_cpu(path->usConnObjectId) & ENUM_ID_MASK) +- >> ENUM_ID_SHIFT; +- con_obj_type = +- (le16_to_cpu(path->usConnObjectId) & +- OBJECT_TYPE_MASK) >> OBJECT_TYPE_SHIFT; + + /* Skip TV/CV support */ + if ((le16_to_cpu(path->usDeviceTag) == +@@ -354,14 +346,7 @@ bool amdgpu_atombios_get_connector_info_from_object_table(struct amdgpu_device * + router.ddc_valid = false; + router.cd_valid = false; + for (j = 0; j < ((le16_to_cpu(path->usSize) - 8) / 2); j++) { +- uint8_t grph_obj_id, grph_obj_num, grph_obj_type; +- +- grph_obj_id = +- (le16_to_cpu(path->usGraphicObjIds[j]) & +- OBJECT_ID_MASK) >> OBJECT_ID_SHIFT; +- grph_obj_num = +- (le16_to_cpu(path->usGraphicObjIds[j]) & +- ENUM_ID_MASK) >> ENUM_ID_SHIFT; ++ uint8_t grph_obj_type= + grph_obj_type = + (le16_to_cpu(path->usGraphicObjIds[j]) & + OBJECT_TYPE_MASK) >> OBJECT_TYPE_SHIFT; +-- +2.20.1 + diff --git a/queue-4.4/drm-gma500-fixup-fbdev-stolen-size-usage-evaluation.patch b/queue-4.4/drm-gma500-fixup-fbdev-stolen-size-usage-evaluation.patch new file mode 100644 index 00000000000..6e32f872a86 --- /dev/null +++ b/queue-4.4/drm-gma500-fixup-fbdev-stolen-size-usage-evaluation.patch @@ -0,0 +1,61 @@ +From fa9da0fb6c5e463a14788890c339b50373d97c8f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Nov 2019 16:30:48 +0100 +Subject: drm/gma500: Fixup fbdev stolen size usage evaluation + +From: Paul Kocialkowski + +[ Upstream commit fd1a5e521c3c083bb43ea731aae0f8b95f12b9bd ] + +psbfb_probe performs an evaluation of the required size from the stolen +GTT memory, but gets it wrong in two distinct ways: +- The resulting size must be page-size-aligned; +- The size to allocate is derived from the surface dimensions, not the fb + dimensions. + +When two connectors are connected with different modes, the smallest will +be stored in the fb dimensions, but the size that needs to be allocated must +match the largest (surface) dimensions. This is what is used in the actual +allocation code. + +Fix this by correcting the evaluation to conform to the two points above. +It allows correctly switching to 16bpp when one connector is e.g. 1920x1080 +and the other is 1024x768. + +Signed-off-by: Paul Kocialkowski +Signed-off-by: Patrik Jakobsson +Link: https://patchwork.freedesktop.org/patch/msgid/20191107153048.843881-1-paul.kocialkowski@bootlin.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/gma500/framebuffer.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/gma500/framebuffer.c b/drivers/gpu/drm/gma500/framebuffer.c +index 2eaf1b31c7bd8..ef60bb1971951 100644 +--- a/drivers/gpu/drm/gma500/framebuffer.c ++++ b/drivers/gpu/drm/gma500/framebuffer.c +@@ -533,6 +533,7 @@ static int psbfb_probe(struct drm_fb_helper *helper, + container_of(helper, struct psb_fbdev, psb_fb_helper); + struct drm_device *dev = psb_fbdev->psb_fb_helper.dev; + struct drm_psb_private *dev_priv = dev->dev_private; ++ unsigned int fb_size; + int bytespp; + + bytespp = sizes->surface_bpp / 8; +@@ -542,8 +543,11 @@ static int psbfb_probe(struct drm_fb_helper *helper, + /* If the mode will not fit in 32bit then switch to 16bit to get + a console on full resolution. The X mode setting server will + allocate its own 32bit GEM framebuffer */ +- if (ALIGN(sizes->fb_width * bytespp, 64) * sizes->fb_height > +- dev_priv->vram_stolen_size) { ++ fb_size = ALIGN(sizes->surface_width * bytespp, 64) * ++ sizes->surface_height; ++ fb_size = ALIGN(fb_size, PAGE_SIZE); ++ ++ if (fb_size > dev_priv->vram_stolen_size) { + sizes->surface_bpp = 16; + sizes->surface_depth = 16; + } +-- +2.20.1 + diff --git a/queue-4.4/drm-nouveau-disp-nv50-prevent-oops-when-no-channel-m.patch b/queue-4.4/drm-nouveau-disp-nv50-prevent-oops-when-no-channel-m.patch new file mode 100644 index 00000000000..06e41ab3756 --- /dev/null +++ b/queue-4.4/drm-nouveau-disp-nv50-prevent-oops-when-no-channel-m.patch @@ -0,0 +1,41 @@ +From f78e44908db4f7986eb8eedeb814ce24a2e3500e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Jan 2020 14:39:26 +1000 +Subject: drm/nouveau/disp/nv50-: prevent oops when no channel method map + provided + +From: Ben Skeggs + +[ Upstream commit 0e6176c6d286316e9431b4f695940cfac4ffe6c2 ] + +The implementations for most channel types contains a map of methods to +priv registers in order to provide debugging info when a disp exception +has been raised. + +This info is missing from the implementation of PIO channels as they're +rather simplistic already, however, if an exception is raised by one of +them, we'd end up triggering a NULL-pointer deref. Not ideal... + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=206299 +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nvkm/engine/disp/channv50.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/channv50.c b/drivers/gpu/drm/nouveau/nvkm/engine/disp/channv50.c +index 01803c0679b68..d012df9fb9df0 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/channv50.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/channv50.c +@@ -72,6 +72,8 @@ nv50_disp_chan_mthd(struct nv50_disp_chan *chan, int debug) + + if (debug > subdev->debug) + return; ++ if (!mthd) ++ return; + + for (i = 0; (list = mthd->data[i].mthd) != NULL; i++) { + u32 base = chan->head * mthd->addr; +-- +2.20.1 + diff --git a/queue-4.4/drm-nouveau-fix-copy-paste-error-in-nouveau_fence_wa.patch b/queue-4.4/drm-nouveau-fix-copy-paste-error-in-nouveau_fence_wa.patch new file mode 100644 index 00000000000..d1b00868439 --- /dev/null +++ b/queue-4.4/drm-nouveau-fix-copy-paste-error-in-nouveau_fence_wa.patch @@ -0,0 +1,37 @@ +From 8c55ab29c752f7f2eca17cb5263a1905852ef437 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jan 2020 14:32:01 +0800 +Subject: drm/nouveau: Fix copy-paste error in + nouveau_fence_wait_uevent_handler + +From: YueHaibing + +[ Upstream commit 1eb013473bff5f95b6fe1ca4dd7deda47257b9c2 ] + +Like other cases, it should use rcu protected 'chan' rather +than 'fence->channel' in nouveau_fence_wait_uevent_handler. + +Fixes: 0ec5f02f0e2c ("drm/nouveau: prevent stale fence->channel pointers, and protect with rcu") +Signed-off-by: YueHaibing +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nouveau_fence.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_fence.c b/drivers/gpu/drm/nouveau/nouveau_fence.c +index 574c36b492ee4..fccec23731e24 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_fence.c ++++ b/drivers/gpu/drm/nouveau/nouveau_fence.c +@@ -157,7 +157,7 @@ nouveau_fence_wait_uevent_handler(struct nvif_notify *notify) + + fence = list_entry(fctx->pending.next, typeof(*fence), head); + chan = rcu_dereference_protected(fence->channel, lockdep_is_held(&fctx->lock)); +- if (nouveau_fence_update(fence->channel, fctx)) ++ if (nouveau_fence_update(chan, fctx)) + ret = NVIF_NOTIFY_DROP; + } + spin_unlock_irqrestore(&fctx->lock, flags); +-- +2.20.1 + diff --git a/queue-4.4/drm-vmwgfx-prevent-memory-leak-in-vmw_cmdbuf_res_add.patch b/queue-4.4/drm-vmwgfx-prevent-memory-leak-in-vmw_cmdbuf_res_add.patch new file mode 100644 index 00000000000..0b64444b7a4 --- /dev/null +++ b/queue-4.4/drm-vmwgfx-prevent-memory-leak-in-vmw_cmdbuf_res_add.patch @@ -0,0 +1,40 @@ +From 3c07b7c386b69da7c821d6e129a39a0661956b6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Sep 2019 23:37:58 -0500 +Subject: drm/vmwgfx: prevent memory leak in vmw_cmdbuf_res_add + +From: Navid Emamdoost + +[ Upstream commit 40efb09a7f53125719e49864da008495e39aaa1e ] + +In vmw_cmdbuf_res_add if drm_ht_insert_item fails the allocated memory +for cres should be released. + +Fixes: 18e4a4669c50 ("drm/vmwgfx: Fix compat shader namespace") +Signed-off-by: Navid Emamdoost +Reviewed-by: Thomas Hellstrom +Signed-off-by: Thomas Hellstrom +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c b/drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c +index 1f013d45c9e9a..0c7c3005594cc 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c +@@ -210,8 +210,10 @@ int vmw_cmdbuf_res_add(struct vmw_cmdbuf_res_manager *man, + + cres->hash.key = user_key | (res_type << 24); + ret = drm_ht_insert_item(&man->resources, &cres->hash); +- if (unlikely(ret != 0)) ++ if (unlikely(ret != 0)) { ++ kfree(cres); + goto out_invalid_key; ++ } + + cres->state = VMW_CMDBUF_RES_ADD; + cres->res = vmw_resource_reference(res); +-- +2.20.1 + diff --git a/queue-4.4/efi-x86-map-the-entire-efi-vendor-string-before-copy.patch b/queue-4.4/efi-x86-map-the-entire-efi-vendor-string-before-copy.patch new file mode 100644 index 00000000000..9209df2f5b2 --- /dev/null +++ b/queue-4.4/efi-x86-map-the-entire-efi-vendor-string-before-copy.patch @@ -0,0 +1,69 @@ +From 85ae2c5bc3453b841e02526a8327c20fb3ca646f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jan 2020 12:39:37 +0100 +Subject: efi/x86: Map the entire EFI vendor string before copying it + +From: Ard Biesheuvel + +[ Upstream commit ffc2760bcf2dba0dbef74013ed73eea8310cc52c ] + +Fix a couple of issues with the way we map and copy the vendor string: +- we map only 2 bytes, which usually works since you get at least a + page, but if the vendor string happens to cross a page boundary, + a crash will result +- only call early_memunmap() if early_memremap() succeeded, or we will + call it with a NULL address which it doesn't like, +- while at it, switch to early_memremap_ro(), and array indexing rather + than pointer dereferencing to read the CHAR16 characters. + +Signed-off-by: Ard Biesheuvel +Cc: Andy Lutomirski +Cc: Ard Biesheuvel +Cc: Arvind Sankar +Cc: Matthew Garrett +Cc: linux-efi@vger.kernel.org +Fixes: 5b83683f32b1 ("x86: EFI runtime service support") +Link: https://lkml.kernel.org/r/20200103113953.9571-5-ardb@kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/platform/efi/efi.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c +index 4bc352fc08f19..105872617be08 100644 +--- a/arch/x86/platform/efi/efi.c ++++ b/arch/x86/platform/efi/efi.c +@@ -465,7 +465,6 @@ void __init efi_init(void) + efi_char16_t *c16; + char vendor[100] = "unknown"; + int i = 0; +- void *tmp; + + #ifdef CONFIG_X86_32 + if (boot_params.efi_info.efi_systab_hi || +@@ -490,14 +489,16 @@ void __init efi_init(void) + /* + * Show what we know for posterity + */ +- c16 = tmp = early_memremap(efi.systab->fw_vendor, 2); ++ c16 = early_memremap_ro(efi.systab->fw_vendor, ++ sizeof(vendor) * sizeof(efi_char16_t)); + if (c16) { +- for (i = 0; i < sizeof(vendor) - 1 && *c16; ++i) +- vendor[i] = *c16++; ++ for (i = 0; i < sizeof(vendor) - 1 && c16[i]; ++i) ++ vendor[i] = c16[i]; + vendor[i] = '\0'; +- } else ++ early_memunmap(c16, sizeof(vendor) * sizeof(efi_char16_t)); ++ } else { + pr_err("Could not map the firmware vendor!\n"); +- early_memunmap(tmp, 2); ++ } + + pr_info("EFI v%u.%.02u by %s\n", + efi.systab->hdr.revision >> 16, +-- +2.20.1 + diff --git a/queue-4.4/ext4-jbd2-ensure-panic-when-aborting-with-zero-errno.patch b/queue-4.4/ext4-jbd2-ensure-panic-when-aborting-with-zero-errno.patch new file mode 100644 index 00000000000..0c6c18a58e0 --- /dev/null +++ b/queue-4.4/ext4-jbd2-ensure-panic-when-aborting-with-zero-errno.patch @@ -0,0 +1,76 @@ +From ee433d8c425e4cc4078fac1ae5c8b9950896793b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2019 20:46:12 +0800 +Subject: ext4, jbd2: ensure panic when aborting with zero errno + +From: zhangyi (F) + +[ Upstream commit 51f57b01e4a3c7d7bdceffd84de35144e8c538e7 ] + +JBD2_REC_ERR flag used to indicate the errno has been updated when jbd2 +aborted, and then __ext4_abort() and ext4_handle_error() can invoke +panic if ERRORS_PANIC is specified. But if the journal has been aborted +with zero errno, jbd2_journal_abort() didn't set this flag so we can +no longer panic. Fix this by always record the proper errno in the +journal superblock. + +Fixes: 4327ba52afd03 ("ext4, jbd2: ensure entering into panic after recording an error in superblock") +Signed-off-by: zhangyi (F) +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20191204124614.45424-3-yi.zhang@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/jbd2/checkpoint.c | 2 +- + fs/jbd2/journal.c | 15 ++++----------- + 2 files changed, 5 insertions(+), 12 deletions(-) + +diff --git a/fs/jbd2/checkpoint.c b/fs/jbd2/checkpoint.c +index 4d5a5a4cc017c..addb0784dd1c4 100644 +--- a/fs/jbd2/checkpoint.c ++++ b/fs/jbd2/checkpoint.c +@@ -168,7 +168,7 @@ void __jbd2_log_wait_for_space(journal_t *journal) + "journal space in %s\n", __func__, + journal->j_devname); + WARN_ON(1); +- jbd2_journal_abort(journal, 0); ++ jbd2_journal_abort(journal, -EIO); + } + write_lock(&journal->j_state_lock); + } else { +diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c +index deb3300299709..d62435897d0d0 100644 +--- a/fs/jbd2/journal.c ++++ b/fs/jbd2/journal.c +@@ -2086,12 +2086,10 @@ static void __journal_abort_soft (journal_t *journal, int errno) + + __jbd2_journal_abort_hard(journal); + +- if (errno) { +- jbd2_journal_update_sb_errno(journal); +- write_lock(&journal->j_state_lock); +- journal->j_flags |= JBD2_REC_ERR; +- write_unlock(&journal->j_state_lock); +- } ++ jbd2_journal_update_sb_errno(journal); ++ write_lock(&journal->j_state_lock); ++ journal->j_flags |= JBD2_REC_ERR; ++ write_unlock(&journal->j_state_lock); + } + + /** +@@ -2133,11 +2131,6 @@ static void __journal_abort_soft (journal_t *journal, int errno) + * failure to disk. ext3_error, for example, now uses this + * functionality. + * +- * Errors which originate from within the journaling layer will NOT +- * supply an errno; a null errno implies that absolutely no further +- * writes are done to the journal (unless there are any already in +- * progress). +- * + */ + + void jbd2_journal_abort(journal_t *journal, int errno) +-- +2.20.1 + diff --git a/queue-4.4/gianfar-fix-tx-timestamping-with-a-stacked-dsa-drive.patch b/queue-4.4/gianfar-fix-tx-timestamping-with-a-stacked-dsa-drive.patch new file mode 100644 index 00000000000..cc028df6b39 --- /dev/null +++ b/queue-4.4/gianfar-fix-tx-timestamping-with-a-stacked-dsa-drive.patch @@ -0,0 +1,89 @@ +From ae548c3ffd497ce99b8bdfee4fcb701f4374b900 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Dec 2019 15:30:45 +0200 +Subject: gianfar: Fix TX timestamping with a stacked DSA driver + +From: Vladimir Oltean + +[ Upstream commit c26a2c2ddc0115eb088873f5c309cf46b982f522 ] + +The driver wrongly assumes that it is the only entity that can set the +SKBTX_IN_PROGRESS bit of the current skb. Therefore, in the +gfar_clean_tx_ring function, where the TX timestamp is collected if +necessary, the aforementioned bit is used to discriminate whether or not +the TX timestamp should be delivered to the socket's error queue. + +But a stacked driver such as a DSA switch can also set the +SKBTX_IN_PROGRESS bit, which is actually exactly what it should do in +order to denote that the hardware timestamping process is undergoing. + +Therefore, gianfar would misinterpret the "in progress" bit as being its +own, and deliver a second skb clone in the socket's error queue, +completely throwing off a PTP process which is not expecting to receive +it, _even though_ TX timestamping is not enabled for gianfar. + +There have been discussions [0] as to whether non-MAC drivers need or +not to set SKBTX_IN_PROGRESS at all (whose purpose is to avoid sending 2 +timestamps, a sw and a hw one, to applications which only expect one). +But as of this patch, there are at least 2 PTP drivers that would break +in conjunction with gianfar: the sja1105 DSA switch and the felix +switch, by way of its ocelot core driver. + +So regardless of that conclusion, fix the gianfar driver to not do stuff +based on flags set by others and not intended for it. + +[0]: https://www.spinics.net/lists/netdev/msg619699.html + +Fixes: f0ee7acfcdd4 ("gianfar: Add hardware TX timestamping support") +Signed-off-by: Vladimir Oltean +Acked-by: Richard Cochran +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/gianfar.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/gianfar.c b/drivers/net/ethernet/freescale/gianfar.c +index 2d61369f586f7..37cc1f838dd8b 100644 +--- a/drivers/net/ethernet/freescale/gianfar.c ++++ b/drivers/net/ethernet/freescale/gianfar.c +@@ -2679,13 +2679,17 @@ static void gfar_clean_tx_ring(struct gfar_priv_tx_q *tx_queue) + skb_dirtytx = tx_queue->skb_dirtytx; + + while ((skb = tx_queue->tx_skbuff[skb_dirtytx])) { ++ bool do_tstamp; ++ ++ do_tstamp = (skb_shinfo(skb)->tx_flags & SKBTX_HW_TSTAMP) && ++ priv->hwts_tx_en; + + frags = skb_shinfo(skb)->nr_frags; + + /* When time stamping, one additional TxBD must be freed. + * Also, we need to dma_unmap_single() the TxPAL. + */ +- if (unlikely(skb_shinfo(skb)->tx_flags & SKBTX_IN_PROGRESS)) ++ if (unlikely(do_tstamp)) + nr_txbds = frags + 2; + else + nr_txbds = frags + 1; +@@ -2699,7 +2703,7 @@ static void gfar_clean_tx_ring(struct gfar_priv_tx_q *tx_queue) + (lstatus & BD_LENGTH_MASK)) + break; + +- if (unlikely(skb_shinfo(skb)->tx_flags & SKBTX_IN_PROGRESS)) { ++ if (unlikely(do_tstamp)) { + next = next_txbd(bdp, base, tx_ring_size); + buflen = be16_to_cpu(next->length) + + GMAC_FCB_LEN + GMAC_TXPAL_LEN; +@@ -2709,7 +2713,7 @@ static void gfar_clean_tx_ring(struct gfar_priv_tx_q *tx_queue) + dma_unmap_single(priv->dev, be32_to_cpu(bdp->bufPtr), + buflen, DMA_TO_DEVICE); + +- if (unlikely(skb_shinfo(skb)->tx_flags & SKBTX_IN_PROGRESS)) { ++ if (unlikely(do_tstamp)) { + struct skb_shared_hwtstamps shhwtstamps; + u64 *ns = (u64 *)(((uintptr_t)skb->data + 0x10) & + ~0x7UL); +-- +2.20.1 + diff --git a/queue-4.4/hostap-adjust-indentation-in-prism2_hostapd_add_sta.patch b/queue-4.4/hostap-adjust-indentation-in-prism2_hostapd_add_sta.patch new file mode 100644 index 00000000000..bf87b4af2ba --- /dev/null +++ b/queue-4.4/hostap-adjust-indentation-in-prism2_hostapd_add_sta.patch @@ -0,0 +1,52 @@ +From 128ff466286c20718ad26d0271267095822f4da3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Dec 2019 18:15:46 -0700 +Subject: hostap: Adjust indentation in prism2_hostapd_add_sta + +From: Nathan Chancellor + +[ Upstream commit b61156fba74f659d0bc2de8f2dbf5bad9f4b8faf ] + +Clang warns: + +../drivers/net/wireless/intersil/hostap/hostap_ap.c:2511:3: warning: +misleading indentation; statement is not part of the previous 'if' +[-Wmisleading-indentation] + if (sta->tx_supp_rates & WLAN_RATE_5M5) + ^ +../drivers/net/wireless/intersil/hostap/hostap_ap.c:2509:2: note: +previous statement is here + if (sta->tx_supp_rates & WLAN_RATE_2M) + ^ +1 warning generated. + +This warning occurs because there is a space before the tab on this +line. Remove it so that the indentation is consistent with the Linux +kernel coding style and clang no longer warns. + +Fixes: ff1d2767d5a4 ("Add HostAP wireless driver.") +Link: https://github.com/ClangBuiltLinux/linux/issues/813 +Signed-off-by: Nathan Chancellor +Reviewed-by: Nick Desaulniers +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/hostap/hostap_ap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/hostap/hostap_ap.c b/drivers/net/wireless/hostap/hostap_ap.c +index c995ace153ee6..30171d4c47187 100644 +--- a/drivers/net/wireless/hostap/hostap_ap.c ++++ b/drivers/net/wireless/hostap/hostap_ap.c +@@ -2570,7 +2570,7 @@ static int prism2_hostapd_add_sta(struct ap_data *ap, + sta->supported_rates[0] = 2; + if (sta->tx_supp_rates & WLAN_RATE_2M) + sta->supported_rates[1] = 4; +- if (sta->tx_supp_rates & WLAN_RATE_5M5) ++ if (sta->tx_supp_rates & WLAN_RATE_5M5) + sta->supported_rates[2] = 11; + if (sta->tx_supp_rates & WLAN_RATE_11M) + sta->supported_rates[3] = 22; +-- +2.20.1 + diff --git a/queue-4.4/ide-serverworks-potential-overflow-in-svwks_set_pio_.patch b/queue-4.4/ide-serverworks-potential-overflow-in-svwks_set_pio_.patch new file mode 100644 index 00000000000..d34350b9f74 --- /dev/null +++ b/queue-4.4/ide-serverworks-potential-overflow-in-svwks_set_pio_.patch @@ -0,0 +1,45 @@ +From 79bc69b8026c78418518ac3fb9c08ff23e898b2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jan 2020 16:06:07 +0300 +Subject: ide: serverworks: potential overflow in svwks_set_pio_mode() + +From: Dan Carpenter + +[ Upstream commit ce1f31b4c0b9551dd51874dd5364654ed4ca13ae ] + +The "drive->dn" variable is a u8 controlled by root. + +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/ide/serverworks.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/ide/serverworks.c b/drivers/ide/serverworks.c +index a97affca18abe..0f57d45484d1d 100644 +--- a/drivers/ide/serverworks.c ++++ b/drivers/ide/serverworks.c +@@ -114,6 +114,9 @@ static void svwks_set_pio_mode(ide_hwif_t *hwif, ide_drive_t *drive) + struct pci_dev *dev = to_pci_dev(hwif->dev); + const u8 pio = drive->pio_mode - XFER_PIO_0; + ++ if (drive->dn >= ARRAY_SIZE(drive_pci)) ++ return; ++ + pci_write_config_byte(dev, drive_pci[drive->dn], pio_modes[pio]); + + if (svwks_csb_check(dev)) { +@@ -140,6 +143,9 @@ static void svwks_set_dma_mode(ide_hwif_t *hwif, ide_drive_t *drive) + + u8 ultra_enable = 0, ultra_timing = 0, dma_timing = 0; + ++ if (drive->dn >= ARRAY_SIZE(drive_pci2)) ++ return; ++ + pci_read_config_byte(dev, (0x56|hwif->channel), &ultra_timing); + pci_read_config_byte(dev, 0x54, &ultra_enable); + +-- +2.20.1 + diff --git a/queue-4.4/input-edt-ft5x06-work-around-first-register-access-e.patch b/queue-4.4/input-edt-ft5x06-work-around-first-register-access-e.patch new file mode 100644 index 00000000000..affce802ad3 --- /dev/null +++ b/queue-4.4/input-edt-ft5x06-work-around-first-register-access-e.patch @@ -0,0 +1,55 @@ +From 950071bea2e0c1fdb52d3d5d689abc2cd1f1d2f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Jan 2020 17:03:21 -0800 +Subject: Input: edt-ft5x06 - work around first register access error + +From: Philipp Zabel + +[ Upstream commit e112324cc0422c046f1cf54c56f333d34fa20885 ] + +The EP0700MLP1 returns bogus data on the first register read access +(reading the threshold parameter from register 0x00): + + edt_ft5x06 2-0038: crc error: 0xfc expected, got 0x40 + +It ignores writes until then. This patch adds a dummy read after which +the number of sensors and parameter read/writes work correctly. + +Signed-off-by: Philipp Zabel +Signed-off-by: Marco Felsch +Tested-by: Andy Shevchenko +Reviewed-by: Andy Shevchenko +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/touchscreen/edt-ft5x06.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/input/touchscreen/edt-ft5x06.c b/drivers/input/touchscreen/edt-ft5x06.c +index 0b0f8c17f3f7e..a9d97d577a7e9 100644 +--- a/drivers/input/touchscreen/edt-ft5x06.c ++++ b/drivers/input/touchscreen/edt-ft5x06.c +@@ -880,6 +880,7 @@ static int edt_ft5x06_ts_probe(struct i2c_client *client, + { + const struct edt_i2c_chip_data *chip_data; + struct edt_ft5x06_ts_data *tsdata; ++ u8 buf[2] = { 0xfc, 0x00 }; + struct input_dev *input; + unsigned long irq_flags; + int error; +@@ -949,6 +950,12 @@ static int edt_ft5x06_ts_probe(struct i2c_client *client, + return error; + } + ++ /* ++ * Dummy read access. EP0700MLP1 returns bogus data on the first ++ * register read access and ignores writes. ++ */ ++ edt_ft5x06_ts_readwrite(tsdata->client, 2, buf, 2, buf); ++ + edt_ft5x06_ts_set_regs(tsdata); + edt_ft5x06_ts_get_defaults(&client->dev, tsdata); + edt_ft5x06_ts_get_parameters(tsdata); +-- +2.20.1 + diff --git a/queue-4.4/iommu-arm-smmu-v3-use-write_once-when-changing-valid.patch b/queue-4.4/iommu-arm-smmu-v3-use-write_once-when-changing-valid.patch new file mode 100644 index 00000000000..4b04b1cfa76 --- /dev/null +++ b/queue-4.4/iommu-arm-smmu-v3-use-write_once-when-changing-valid.patch @@ -0,0 +1,40 @@ +From 9014c7e2532a217b5fa5d437741890a6337037e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Jan 2020 15:21:47 +0000 +Subject: iommu/arm-smmu-v3: Use WRITE_ONCE() when changing validity of an STE + +From: Will Deacon + +[ Upstream commit d71e01716b3606a6648df7e5646ae12c75babde4 ] + +If, for some bizarre reason, the compiler decided to split up the write +of STE DWORD 0, we could end up making a partial structure valid. + +Although this probably won't happen, follow the example of the +context-descriptor code and use WRITE_ONCE() to ensure atomicity of the +write. + +Reported-by: Jean-Philippe Brucker +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/iommu/arm-smmu-v3.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/iommu/arm-smmu-v3.c b/drivers/iommu/arm-smmu-v3.c +index eb9937225d645..6c10f307a1c98 100644 +--- a/drivers/iommu/arm-smmu-v3.c ++++ b/drivers/iommu/arm-smmu-v3.c +@@ -1090,7 +1090,8 @@ static void arm_smmu_write_strtab_ent(struct arm_smmu_device *smmu, u32 sid, + } + + arm_smmu_sync_ste_for_sid(smmu, sid); +- dst[0] = cpu_to_le64(val); ++ /* See comment in arm_smmu_write_ctx_desc() */ ++ WRITE_ONCE(dst[0], cpu_to_le64(val)); + arm_smmu_sync_ste_for_sid(smmu, sid); + + /* It's likely that we'll want to use the new STE soon */ +-- +2.20.1 + diff --git a/queue-4.4/ipw2x00-fix-wcast-function-type.patch b/queue-4.4/ipw2x00-fix-wcast-function-type.patch new file mode 100644 index 00000000000..a80fecb38ad --- /dev/null +++ b/queue-4.4/ipw2x00-fix-wcast-function-type.patch @@ -0,0 +1,81 @@ +From 1552524ef2de217c064047a3b8b63d81bcda7a6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Nov 2019 00:55:27 +0700 +Subject: ipw2x00: Fix -Wcast-function-type + +From: Phong Tran + +[ Upstream commit ebd77feb27e91bb5fe35a7818b7c13ea7435fb98 ] + +correct usage prototype of callback in tasklet_init(). +Report by https://github.com/KSPP/linux/issues/20 + +Signed-off-by: Phong Tran +Reviewed-by: Kees Cook +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ipw2x00/ipw2100.c | 7 ++++--- + drivers/net/wireless/ipw2x00/ipw2200.c | 5 +++-- + 2 files changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/ipw2x00/ipw2100.c b/drivers/net/wireless/ipw2x00/ipw2100.c +index 36818c7f30b96..11cfc5822eb03 100644 +--- a/drivers/net/wireless/ipw2x00/ipw2100.c ++++ b/drivers/net/wireless/ipw2x00/ipw2100.c +@@ -3213,8 +3213,9 @@ static void ipw2100_tx_send_data(struct ipw2100_priv *priv) + } + } + +-static void ipw2100_irq_tasklet(struct ipw2100_priv *priv) ++static void ipw2100_irq_tasklet(unsigned long data) + { ++ struct ipw2100_priv *priv = (struct ipw2100_priv *)data; + struct net_device *dev = priv->net_dev; + unsigned long flags; + u32 inta, tmp; +@@ -6022,7 +6023,7 @@ static void ipw2100_rf_kill(struct work_struct *work) + spin_unlock_irqrestore(&priv->low_lock, flags); + } + +-static void ipw2100_irq_tasklet(struct ipw2100_priv *priv); ++static void ipw2100_irq_tasklet(unsigned long data); + + static const struct net_device_ops ipw2100_netdev_ops = { + .ndo_open = ipw2100_open, +@@ -6151,7 +6152,7 @@ static struct net_device *ipw2100_alloc_device(struct pci_dev *pci_dev, + INIT_DELAYED_WORK(&priv->rf_kill, ipw2100_rf_kill); + INIT_DELAYED_WORK(&priv->scan_event, ipw2100_scan_event); + +- tasklet_init(&priv->irq_tasklet, (void (*)(unsigned long)) ++ tasklet_init(&priv->irq_tasklet, + ipw2100_irq_tasklet, (unsigned long)priv); + + /* NOTE: We do not start the deferred work for status checks yet */ +diff --git a/drivers/net/wireless/ipw2x00/ipw2200.c b/drivers/net/wireless/ipw2x00/ipw2200.c +index ed0adaf1eec44..1e08f94dc4da3 100644 +--- a/drivers/net/wireless/ipw2x00/ipw2200.c ++++ b/drivers/net/wireless/ipw2x00/ipw2200.c +@@ -1968,8 +1968,9 @@ static void notify_wx_assoc_event(struct ipw_priv *priv) + wireless_send_event(priv->net_dev, SIOCGIWAP, &wrqu, NULL); + } + +-static void ipw_irq_tasklet(struct ipw_priv *priv) ++static void ipw_irq_tasklet(unsigned long data) + { ++ struct ipw_priv *priv = (struct ipw_priv *)data; + u32 inta, inta_mask, handled = 0; + unsigned long flags; + int rc = 0; +@@ -10705,7 +10706,7 @@ static int ipw_setup_deferred_work(struct ipw_priv *priv) + INIT_WORK(&priv->qos_activate, ipw_bg_qos_activate); + #endif /* CONFIG_IPW2200_QOS */ + +- tasklet_init(&priv->irq_tasklet, (void (*)(unsigned long)) ++ tasklet_init(&priv->irq_tasklet, + ipw_irq_tasklet, (unsigned long)priv); + + return ret; +-- +2.20.1 + diff --git a/queue-4.4/irqchip-gic-v3-its-reference-to-its_invall_cmd-descr.patch b/queue-4.4/irqchip-gic-v3-its-reference-to-its_invall_cmd-descr.patch new file mode 100644 index 00000000000..515ccb8c73d --- /dev/null +++ b/queue-4.4/irqchip-gic-v3-its-reference-to-its_invall_cmd-descr.patch @@ -0,0 +1,40 @@ +From 837926ac61e4e718dca0b922e94e962a4e0c8883 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Dec 2019 15:10:21 +0800 +Subject: irqchip/gic-v3-its: Reference to its_invall_cmd descriptor when + building INVALL + +From: Zenghui Yu + +[ Upstream commit 107945227ac5d4c37911c7841b27c64b489ce9a9 ] + +It looks like an obvious mistake to use its_mapc_cmd descriptor when +building the INVALL command block. It so far worked by luck because +both its_mapc_cmd.col and its_invall_cmd.col sit at the same offset of +the ITS command descriptor, but we should not rely on it. + +Fixes: cc2d3216f53c ("irqchip: GICv3: ITS command queue") +Signed-off-by: Zenghui Yu +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20191202071021.1251-1-yuzenghui@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-gic-v3-its.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c +index cf11d43ce2416..d4ae43f71e723 100644 +--- a/drivers/irqchip/irq-gic-v3-its.c ++++ b/drivers/irqchip/irq-gic-v3-its.c +@@ -352,7 +352,7 @@ static struct its_collection *its_build_invall_cmd(struct its_cmd_block *cmd, + struct its_cmd_desc *desc) + { + its_encode_cmd(cmd, GITS_CMD_INVALL); +- its_encode_collection(cmd, desc->its_mapc_cmd.col->col_id); ++ its_encode_collection(cmd, desc->its_invall_cmd.col->col_id); + + its_fixup_cmd(cmd); + +-- +2.20.1 + diff --git a/queue-4.4/isdn-don-t-mark-kcapi_proc_exit-as-__exit.patch b/queue-4.4/isdn-don-t-mark-kcapi_proc_exit-as-__exit.patch new file mode 100644 index 00000000000..4a02e515b23 --- /dev/null +++ b/queue-4.4/isdn-don-t-mark-kcapi_proc_exit-as-__exit.patch @@ -0,0 +1,49 @@ +From f4385dedc633e253c0ad64d5dc82c00f1bcf9a67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Dec 2019 20:48:56 +0100 +Subject: isdn: don't mark kcapi_proc_exit as __exit + +From: Arnd Bergmann + +[ Upstream commit b33bdf8020c94438269becc6dace9ed49257c4ba ] + +As everybody pointed out by now, my patch to clean up CAPI introduced +a link time warning, as the two parts of the capi driver are now in +one module and the exit function may need to be called in the error +path of the init function: + +>> WARNING: drivers/isdn/capi/kernelcapi.o(.text+0xea4): Section mismatch in reference from the function kcapi_exit() to the function .exit.text:kcapi_proc_exit() + The function kcapi_exit() references a function in an exit section. + Often the function kcapi_proc_exit() has valid usage outside the exit section + and the fix is to remove the __exit annotation of kcapi_proc_exit. + +Remove the incorrect __exit annotation. + +Reported-by: kbuild test robot +Reported-by: kernelci.org bot +Reported-by: Olof's autobuilder +Reported-by: Stephen Rothwell +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20191216194909.1983639-1-arnd@arndb.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/isdn/capi/kcapi_proc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/isdn/capi/kcapi_proc.c b/drivers/isdn/capi/kcapi_proc.c +index 68db3c5a10636..d6ca626219c93 100644 +--- a/drivers/isdn/capi/kcapi_proc.c ++++ b/drivers/isdn/capi/kcapi_proc.c +@@ -309,7 +309,7 @@ kcapi_proc_init(void) + proc_create("capi/driver", 0, NULL, &proc_driver_ops); + } + +-void __exit ++void + kcapi_proc_exit(void) + { + remove_proc_entry("capi/driver", NULL); +-- +2.20.1 + diff --git a/queue-4.4/iwlegacy-ensure-loop-counter-addr-does-not-wrap-and-.patch b/queue-4.4/iwlegacy-ensure-loop-counter-addr-does-not-wrap-and-.patch new file mode 100644 index 00000000000..a921f05e5ec --- /dev/null +++ b/queue-4.4/iwlegacy-ensure-loop-counter-addr-does-not-wrap-and-.patch @@ -0,0 +1,42 @@ +From 2940f6022f7068a912bd98ade7bd3de3d4199bc0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Jan 2020 00:09:54 +0000 +Subject: iwlegacy: ensure loop counter addr does not wrap and cause an + infinite loop + +From: Colin Ian King + +[ Upstream commit c2f9a4e4a5abfc84c01b738496b3fd2d471e0b18 ] + +The loop counter addr is a u16 where as the upper limit of the loop +is an int. In the unlikely event that the il->cfg->eeprom_size is +greater than 64K then we end up with an infinite loop since addr will +wrap around an never reach upper loop limit. Fix this by making addr +an int. + +Addresses-Coverity: ("Infinite loop") +Fixes: be663ab67077 ("iwlwifi: split the drivers for agn and legacy devices 3945/4965") +Signed-off-by: Colin Ian King +Acked-by: Stanislaw Gruszka +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/iwlegacy/common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/iwlegacy/common.c b/drivers/net/wireless/iwlegacy/common.c +index 887114582583b..544ab3750ea6e 100644 +--- a/drivers/net/wireless/iwlegacy/common.c ++++ b/drivers/net/wireless/iwlegacy/common.c +@@ -717,7 +717,7 @@ il_eeprom_init(struct il_priv *il) + u32 gp = _il_rd(il, CSR_EEPROM_GP); + int sz; + int ret; +- u16 addr; ++ int addr; + + /* allocate eeprom */ + sz = il->cfg->eeprom_size; +-- +2.20.1 + diff --git a/queue-4.4/iwlegacy-fix-wcast-function-type.patch b/queue-4.4/iwlegacy-fix-wcast-function-type.patch new file mode 100644 index 00000000000..13a185c23d2 --- /dev/null +++ b/queue-4.4/iwlegacy-fix-wcast-function-type.patch @@ -0,0 +1,72 @@ +From c85189b2bd384419259b5984cdb0ed7e95a7b3b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Nov 2019 00:55:28 +0700 +Subject: iwlegacy: Fix -Wcast-function-type + +From: Phong Tran + +[ Upstream commit da5e57e8a6a3e69dac2937ba63fa86355628fbb2 ] + +correct usage prototype of callback in tasklet_init(). +Report by https://github.com/KSPP/linux/issues/20 + +Signed-off-by: Phong Tran +Reviewed-by: Kees Cook +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/iwlegacy/3945-mac.c | 5 +++-- + drivers/net/wireless/iwlegacy/4965-mac.c | 5 +++-- + 2 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/iwlegacy/3945-mac.c b/drivers/net/wireless/iwlegacy/3945-mac.c +index af1b3e6839fa6..775f5e7791d48 100644 +--- a/drivers/net/wireless/iwlegacy/3945-mac.c ++++ b/drivers/net/wireless/iwlegacy/3945-mac.c +@@ -1399,8 +1399,9 @@ il3945_dump_nic_error_log(struct il_priv *il) + } + + static void +-il3945_irq_tasklet(struct il_priv *il) ++il3945_irq_tasklet(unsigned long data) + { ++ struct il_priv *il = (struct il_priv *)data; + u32 inta, handled = 0; + u32 inta_fh; + unsigned long flags; +@@ -3432,7 +3433,7 @@ il3945_setup_deferred_work(struct il_priv *il) + setup_timer(&il->watchdog, il_bg_watchdog, (unsigned long)il); + + tasklet_init(&il->irq_tasklet, +- (void (*)(unsigned long))il3945_irq_tasklet, ++ il3945_irq_tasklet, + (unsigned long)il); + } + +diff --git a/drivers/net/wireless/iwlegacy/4965-mac.c b/drivers/net/wireless/iwlegacy/4965-mac.c +index 04b0349a6ad9f..b1925bdb11718 100644 +--- a/drivers/net/wireless/iwlegacy/4965-mac.c ++++ b/drivers/net/wireless/iwlegacy/4965-mac.c +@@ -4361,8 +4361,9 @@ il4965_synchronize_irq(struct il_priv *il) + } + + static void +-il4965_irq_tasklet(struct il_priv *il) ++il4965_irq_tasklet(unsigned long data) + { ++ struct il_priv *il = (struct il_priv *)data; + u32 inta, handled = 0; + u32 inta_fh; + unsigned long flags; +@@ -6257,7 +6258,7 @@ il4965_setup_deferred_work(struct il_priv *il) + setup_timer(&il->watchdog, il_bg_watchdog, (unsigned long)il); + + tasklet_init(&il->irq_tasklet, +- (void (*)(unsigned long))il4965_irq_tasklet, ++ il4965_irq_tasklet, + (unsigned long)il); + } + +-- +2.20.1 + diff --git a/queue-4.4/jbd2-clear-jbd2_abort-flag-before-journal_reset-to-u.patch b/queue-4.4/jbd2-clear-jbd2_abort-flag-before-journal_reset-to-u.patch new file mode 100644 index 00000000000..e8e0c647150 --- /dev/null +++ b/queue-4.4/jbd2-clear-jbd2_abort-flag-before-journal_reset-to-u.patch @@ -0,0 +1,56 @@ +From 2d590528b4c0912f8e50d85774a8e5c4ebdde0bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 11 Jan 2020 10:25:42 +0800 +Subject: jbd2: clear JBD2_ABORT flag before journal_reset to update log tail + info when load journal + +From: Kai Li + +[ Upstream commit a09decff5c32060639a685581c380f51b14e1fc2 ] + +If the journal is dirty when the filesystem is mounted, jbd2 will replay +the journal but the journal superblock will not be updated by +journal_reset() because JBD2_ABORT flag is still set (it was set in +journal_init_common()). This is problematic because when a new transaction +is then committed, it will be recorded in block 1 (journal->j_tail was set +to 1 in journal_reset()). If unclean shutdown happens again before the +journal superblock is updated, the new recorded transaction will not be +replayed during the next mount (because of stale sb->s_start and +sb->s_sequence values) which can lead to filesystem corruption. + +Fixes: 85e0c4e89c1b ("jbd2: if the journal is aborted then don't allow update of the log tail") +Signed-off-by: Kai Li +Link: https://lore.kernel.org/r/20200111022542.5008-1-li.kai4@h3c.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/jbd2/journal.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c +index 9398d1b70545c..deb3300299709 100644 +--- a/fs/jbd2/journal.c ++++ b/fs/jbd2/journal.c +@@ -1656,6 +1656,11 @@ int jbd2_journal_load(journal_t *journal) + journal->j_devname); + return -EFSCORRUPTED; + } ++ /* ++ * clear JBD2_ABORT flag initialized in journal_init_common ++ * here to update log tail information with the newest seq. ++ */ ++ journal->j_flags &= ~JBD2_ABORT; + + /* OK, we've finished with the dynamic journal bits: + * reinitialise the dynamic contents of the superblock in memory +@@ -1663,7 +1668,6 @@ int jbd2_journal_load(journal_t *journal) + if (journal_reset(journal)) + goto recovery_error; + +- journal->j_flags &= ~JBD2_ABORT; + journal->j_flags |= JBD2_LOADED; + return 0; + +-- +2.20.1 + diff --git a/queue-4.4/jbd2-switch-to-use-jbd2_journal_abort-when-failed-to.patch b/queue-4.4/jbd2-switch-to-use-jbd2_journal_abort-when-failed-to.patch new file mode 100644 index 00000000000..0b2fde5dc1b --- /dev/null +++ b/queue-4.4/jbd2-switch-to-use-jbd2_journal_abort-when-failed-to.patch @@ -0,0 +1,51 @@ +From 906414d1f275761e987f937d71aeb6a9d61b7b6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2019 20:46:11 +0800 +Subject: jbd2: switch to use jbd2_journal_abort() when failed to submit the + commit record + +From: zhangyi (F) + +[ Upstream commit d0a186e0d3e7ac05cc77da7c157dae5aa59f95d9 ] + +We invoke jbd2_journal_abort() to abort the journal and record errno +in the jbd2 superblock when committing journal transaction besides the +failure on submitting the commit record. But there is no need for the +case and we can also invoke jbd2_journal_abort() instead of +__jbd2_journal_abort_hard(). + +Fixes: 818d276ceb83a ("ext4: Add the journal checksum feature") +Signed-off-by: zhangyi (F) +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20191204124614.45424-2-yi.zhang@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/jbd2/commit.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/jbd2/commit.c b/fs/jbd2/commit.c +index 7fe61edb1bb9e..a7d12dd6d56e8 100644 +--- a/fs/jbd2/commit.c ++++ b/fs/jbd2/commit.c +@@ -797,7 +797,7 @@ start_journal_io: + err = journal_submit_commit_record(journal, commit_transaction, + &cbh, crc32_sum); + if (err) +- __jbd2_journal_abort_hard(journal); ++ jbd2_journal_abort(journal, err); + } + + blk_finish_plug(&plug); +@@ -890,7 +890,7 @@ start_journal_io: + err = journal_submit_commit_record(journal, commit_transaction, + &cbh, crc32_sum); + if (err) +- __jbd2_journal_abort_hard(journal); ++ jbd2_journal_abort(journal, err); + } + if (cbh) + err = journal_wait_on_commit_record(journal, cbh); +-- +2.20.1 + diff --git a/queue-4.4/kconfig-fix-broken-dependency-in-randconfig-generate.patch b/queue-4.4/kconfig-fix-broken-dependency-in-randconfig-generate.patch new file mode 100644 index 00000000000..2f9002c8396 --- /dev/null +++ b/queue-4.4/kconfig-fix-broken-dependency-in-randconfig-generate.patch @@ -0,0 +1,46 @@ +From 55a0910e0e3e7b32d6e2136ebff4a3f7dde2601e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Feb 2020 14:03:11 +0900 +Subject: kconfig: fix broken dependency in randconfig-generated .config + +From: Masahiro Yamada + +[ Upstream commit c8fb7d7e48d11520ad24808cfce7afb7b9c9f798 ] + +Running randconfig on arm64 using KCONFIG_SEED=0x40C5E904 (e.g. on v5.5) +produces the .config with CONFIG_EFI=y and CONFIG_CPU_BIG_ENDIAN=y, +which does not meet the !CONFIG_CPU_BIG_ENDIAN dependency. + +This is because the user choice for CONFIG_CPU_LITTLE_ENDIAN vs +CONFIG_CPU_BIG_ENDIAN is set by randomize_choice_values() after the +value of CONFIG_EFI is calculated. + +When this happens, the has_changed flag should be set. + +Currently, it takes the result from the last iteration. It should +accumulate all the results of the loop. + +Fixes: 3b9a19e08960 ("kconfig: loop as long as we changed some symbols in randconfig") +Reported-by: Vincenzo Frascino +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/kconfig/confdata.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/kconfig/confdata.c b/scripts/kconfig/confdata.c +index 138d7f100f7e8..4216940e875df 100644 +--- a/scripts/kconfig/confdata.c ++++ b/scripts/kconfig/confdata.c +@@ -1236,7 +1236,7 @@ bool conf_set_all_new_symbols(enum conf_def_mode mode) + + sym_calc_value(csym); + if (mode == def_random) +- has_changed = randomize_choice_values(csym); ++ has_changed |= randomize_choice_values(csym); + else { + set_all_choice_values(csym); + has_changed = true; +-- +2.20.1 + diff --git a/queue-4.4/lib-scatterlist.c-adjust-indentation-in-__sg_alloc_t.patch b/queue-4.4/lib-scatterlist.c-adjust-indentation-in-__sg_alloc_t.patch new file mode 100644 index 00000000000..194611eda32 --- /dev/null +++ b/queue-4.4/lib-scatterlist.c-adjust-indentation-in-__sg_alloc_t.patch @@ -0,0 +1,51 @@ +From 92d4fbbbc272b8a4fd92cdc401318fdb832eb748 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jan 2020 22:16:37 -0800 +Subject: lib/scatterlist.c: adjust indentation in __sg_alloc_table + +From: Nathan Chancellor + +[ Upstream commit 4e456fee215677584cafa7f67298a76917e89c64 ] + +Clang warns: + + ../lib/scatterlist.c:314:5: warning: misleading indentation; statement + is not part of the previous 'if' [-Wmisleading-indentation] + return -ENOMEM; + ^ + ../lib/scatterlist.c:311:4: note: previous statement is here + if (prv) + ^ + 1 warning generated. + +This warning occurs because there is a space before the tab on this +line. Remove it so that the indentation is consistent with the Linux +kernel coding style and clang no longer warns. + +Link: http://lkml.kernel.org/r/20191218033606.11942-1-natechancellor@gmail.com +Link: https://github.com/ClangBuiltLinux/linux/issues/830 +Fixes: edce6820a9fd ("scatterlist: prevent invalid free when alloc fails") +Signed-off-by: Nathan Chancellor +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + lib/scatterlist.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/scatterlist.c b/lib/scatterlist.c +index 0b86b7992f931..1875c09eede91 100644 +--- a/lib/scatterlist.c ++++ b/lib/scatterlist.c +@@ -317,7 +317,7 @@ int __sg_alloc_table(struct sg_table *table, unsigned int nents, + if (prv) + table->nents = ++table->orig_nents; + +- return -ENOMEM; ++ return -ENOMEM; + } + + sg_init_table(sg, alloc_size); +-- +2.20.1 + diff --git a/queue-4.4/media-i2c-mt9v032-fix-enum-mbus-codes-and-frame-size.patch b/queue-4.4/media-i2c-mt9v032-fix-enum-mbus-codes-and-frame-size.patch new file mode 100644 index 00000000000..54c195b9c60 --- /dev/null +++ b/queue-4.4/media-i2c-mt9v032-fix-enum-mbus-codes-and-frame-size.patch @@ -0,0 +1,63 @@ +From 75f1448f94f4f6f09c8f277c8b62d46364effd6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Nov 2019 08:55:24 +0100 +Subject: media: i2c: mt9v032: fix enum mbus codes and frame sizes + +From: Eugen Hristev + +[ Upstream commit 1451d5ae351d938a0ab1677498c893f17b9ee21d ] + +This driver supports both the mt9v032 (color) and the mt9v022 (mono) +sensors. Depending on which sensor is used, the format from the sensor is +different. The format.code inside the dev struct holds this information. +The enum mbus and enum frame sizes need to take into account both type of +sensors, not just the color one. To solve this, use the format.code in +these functions instead of the hardcoded bayer color format (which is only +used for mt9v032). + +[Sakari Ailus: rewrapped commit message] + +Suggested-by: Wenyou Yang +Signed-off-by: Eugen Hristev +Reviewed-by: Laurent Pinchart +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/mt9v032.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/i2c/mt9v032.c b/drivers/media/i2c/mt9v032.c +index a68ce94ee0976..cacdab30fece0 100644 +--- a/drivers/media/i2c/mt9v032.c ++++ b/drivers/media/i2c/mt9v032.c +@@ -454,10 +454,12 @@ static int mt9v032_enum_mbus_code(struct v4l2_subdev *subdev, + struct v4l2_subdev_pad_config *cfg, + struct v4l2_subdev_mbus_code_enum *code) + { ++ struct mt9v032 *mt9v032 = to_mt9v032(subdev); ++ + if (code->index > 0) + return -EINVAL; + +- code->code = MEDIA_BUS_FMT_SGRBG10_1X10; ++ code->code = mt9v032->format.code; + return 0; + } + +@@ -465,7 +467,11 @@ static int mt9v032_enum_frame_size(struct v4l2_subdev *subdev, + struct v4l2_subdev_pad_config *cfg, + struct v4l2_subdev_frame_size_enum *fse) + { +- if (fse->index >= 3 || fse->code != MEDIA_BUS_FMT_SGRBG10_1X10) ++ struct mt9v032 *mt9v032 = to_mt9v032(subdev); ++ ++ if (fse->index >= 3) ++ return -EINVAL; ++ if (mt9v032->format.code != fse->code) + return -EINVAL; + + fse->min_width = MT9V032_WINDOW_WIDTH_DEF / (1 << fse->index); +-- +2.20.1 + diff --git a/queue-4.4/media-sti-bdisp-fix-a-possible-sleep-in-atomic-conte.patch b/queue-4.4/media-sti-bdisp-fix-a-possible-sleep-in-atomic-conte.patch new file mode 100644 index 00000000000..a63e1b71fb5 --- /dev/null +++ b/queue-4.4/media-sti-bdisp-fix-a-possible-sleep-in-atomic-conte.patch @@ -0,0 +1,60 @@ +From 1f4ee95be6be066f183ad2759ca5908f5f22cdf7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Dec 2019 11:34:01 +0100 +Subject: media: sti: bdisp: fix a possible sleep-in-atomic-context bug in + bdisp_device_run() + +From: Jia-Ju Bai + +[ Upstream commit bb6d42061a05d71dd73f620582d9e09c8fbf7f5b ] + +The driver may sleep while holding a spinlock. +The function call path (from bottom to top) in Linux 4.19 is: + +drivers/media/platform/sti/bdisp/bdisp-hw.c, 385: + msleep in bdisp_hw_reset +drivers/media/platform/sti/bdisp/bdisp-v4l2.c, 341: + bdisp_hw_reset in bdisp_device_run +drivers/media/platform/sti/bdisp/bdisp-v4l2.c, 317: + _raw_spin_lock_irqsave in bdisp_device_run + +To fix this bug, msleep() is replaced with udelay(). + +This bug is found by a static analysis tool STCheck written by myself. + +Signed-off-by: Jia-Ju Bai +Reviewed-by: Fabien Dessenne +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/sti/bdisp/bdisp-hw.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/platform/sti/bdisp/bdisp-hw.c b/drivers/media/platform/sti/bdisp/bdisp-hw.c +index 052c932ac9426..0792db43ce9db 100644 +--- a/drivers/media/platform/sti/bdisp/bdisp-hw.c ++++ b/drivers/media/platform/sti/bdisp/bdisp-hw.c +@@ -14,8 +14,8 @@ + #define MAX_SRC_WIDTH 2048 + + /* Reset & boot poll config */ +-#define POLL_RST_MAX 50 +-#define POLL_RST_DELAY_MS 20 ++#define POLL_RST_MAX 500 ++#define POLL_RST_DELAY_MS 2 + + enum bdisp_target_plan { + BDISP_RGB, +@@ -77,7 +77,7 @@ int bdisp_hw_reset(struct bdisp_dev *bdisp) + for (i = 0; i < POLL_RST_MAX; i++) { + if (readl(bdisp->regs + BLT_STA1) & BLT_STA1_IDLE) + break; +- msleep(POLL_RST_DELAY_MS); ++ udelay(POLL_RST_DELAY_MS * 1000); + } + if (i == POLL_RST_MAX) + dev_err(bdisp->dev, "Reset timeout\n"); +-- +2.20.1 + diff --git a/queue-4.4/microblaze-prevent-the-overflow-of-the-start.patch b/queue-4.4/microblaze-prevent-the-overflow-of-the-start.patch new file mode 100644 index 00000000000..925d8710fb3 --- /dev/null +++ b/queue-4.4/microblaze-prevent-the-overflow-of-the-start.patch @@ -0,0 +1,37 @@ +From 1e86b5fec8c37a33b631350c93637a6457331ded Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 11 Jan 2020 18:44:34 +0530 +Subject: microblaze: Prevent the overflow of the start + +From: Shubhrajyoti Datta + +[ Upstream commit 061d2c1d593076424c910cb1b64ecdb5c9a6923f ] + +In case the start + cache size is more than the max int the +start overflows. +Prevent the same. + +Signed-off-by: Shubhrajyoti Datta +Signed-off-by: Michal Simek +Signed-off-by: Sasha Levin +--- + arch/microblaze/kernel/cpu/cache.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/microblaze/kernel/cpu/cache.c b/arch/microblaze/kernel/cpu/cache.c +index 0bde47e4fa694..dcba53803fa5f 100644 +--- a/arch/microblaze/kernel/cpu/cache.c ++++ b/arch/microblaze/kernel/cpu/cache.c +@@ -92,7 +92,8 @@ static inline void __disable_dcache_nomsr(void) + #define CACHE_LOOP_LIMITS(start, end, cache_line_length, cache_size) \ + do { \ + int align = ~(cache_line_length - 1); \ +- end = min(start + cache_size, end); \ ++ if (start < UINT_MAX - cache_size) \ ++ end = min(start + cache_size, end); \ + start &= align; \ + } while (0) + +-- +2.20.1 + diff --git a/queue-4.4/mips-loongson-fix-potential-null-dereference-in-loon.patch b/queue-4.4/mips-loongson-fix-potential-null-dereference-in-loon.patch new file mode 100644 index 00000000000..bf0b2cbd01b --- /dev/null +++ b/queue-4.4/mips-loongson-fix-potential-null-dereference-in-loon.patch @@ -0,0 +1,43 @@ +From 65647070a46e2d4f15876b858323b74119ce9650 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jan 2020 09:30:42 +0800 +Subject: MIPS: Loongson: Fix potential NULL dereference in + loongson3_platform_init() + +From: Tiezhu Yang + +[ Upstream commit 72d052e28d1d2363f9107be63ef3a3afdea6143c ] + +If kzalloc fails, it should return -ENOMEM, otherwise may trigger a NULL +pointer dereference. + +Fixes: 3adeb2566b9b ("MIPS: Loongson: Improve LEFI firmware interface") +Signed-off-by: Tiezhu Yang +Signed-off-by: Paul Burton +Cc: Ralf Baechle +Cc: Huacai Chen +Cc: Jiaxun Yang +Cc: linux-mips@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Sasha Levin +--- + arch/mips/loongson64/loongson-3/platform.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/mips/loongson64/loongson-3/platform.c b/arch/mips/loongson64/loongson-3/platform.c +index 25a97cc0ee336..0db4cc3196ebd 100644 +--- a/arch/mips/loongson64/loongson-3/platform.c ++++ b/arch/mips/loongson64/loongson-3/platform.c +@@ -31,6 +31,9 @@ static int __init loongson3_platform_init(void) + continue; + + pdev = kzalloc(sizeof(struct platform_device), GFP_KERNEL); ++ if (!pdev) ++ return -ENOMEM; ++ + pdev->name = loongson_sysconf.sensors[i].name; + pdev->id = loongson_sysconf.sensors[i].id; + pdev->dev.platform_data = &loongson_sysconf.sensors[i]; +-- +2.20.1 + diff --git a/queue-4.4/nfc-port100-convert-cpu_to_le16-le16_to_cpu-e1-e2-to.patch b/queue-4.4/nfc-port100-convert-cpu_to_le16-le16_to_cpu-e1-e2-to.patch new file mode 100644 index 00000000000..a65aa06440a --- /dev/null +++ b/queue-4.4/nfc-port100-convert-cpu_to_le16-le16_to_cpu-e1-e2-to.patch @@ -0,0 +1,37 @@ +From f903f807da4f4e8ab52871d66b93a62417cda50b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Dec 2019 21:08:45 +0800 +Subject: NFC: port100: Convert cpu_to_le16(le16_to_cpu(E1) + E2) to use + le16_add_cpu(). + +From: Mao Wenan + +[ Upstream commit 718eae277e62a26e5862eb72a830b5e0fe37b04a ] + +Convert cpu_to_le16(le16_to_cpu(frame->datalen) + len) to +use le16_add_cpu(), which is more concise and does the same thing. + +Reported-by: Hulk Robot +Signed-off-by: Mao Wenan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/nfc/port100.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nfc/port100.c b/drivers/nfc/port100.c +index 87d5099967040..3ffbed72adf75 100644 +--- a/drivers/nfc/port100.c ++++ b/drivers/nfc/port100.c +@@ -545,7 +545,7 @@ static void port100_tx_update_payload_len(void *_frame, int len) + { + struct port100_frame *frame = _frame; + +- frame->datalen = cpu_to_le16(le16_to_cpu(frame->datalen) + len); ++ le16_add_cpu(&frame->datalen, len); + } + + static bool port100_rx_frame_is_valid(void *_frame) +-- +2.20.1 + diff --git a/queue-4.4/nfs-nfs_swap-should-depend-on-swap.patch b/queue-4.4/nfs-nfs_swap-should-depend-on-swap.patch new file mode 100644 index 00000000000..0ee9c4e73a5 --- /dev/null +++ b/queue-4.4/nfs-nfs_swap-should-depend-on-swap.patch @@ -0,0 +1,42 @@ +From 9b25fab30134e1f85c419a794e0c4f29dd76f43a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Dec 2019 16:32:38 +0100 +Subject: nfs: NFS_SWAP should depend on SWAP + +From: Geert Uytterhoeven + +[ Upstream commit 474c4f306eefbb21b67ebd1de802d005c7d7ecdc ] + +If CONFIG_SWAP=n, it does not make much sense to offer the user the +option to enable support for swapping over NFS, as that will still fail +at run time: + + # swapon /swap + swapon: /swap: swapon failed: Function not implemented + +Fix this by adding a dependency on CONFIG_SWAP. + +Fixes: a564b8f0398636ba ("nfs: enable swap on NFS") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig +index b1daeafbea920..c3428767332c2 100644 +--- a/fs/nfs/Kconfig ++++ b/fs/nfs/Kconfig +@@ -89,7 +89,7 @@ config NFS_V4 + config NFS_SWAP + bool "Provide swap over NFS support" + default n +- depends on NFS_FS ++ depends on NFS_FS && SWAP + select SUNRPC_SWAP + help + This option enables swapon to work on files located on NFS mounts. +-- +2.20.1 + diff --git a/queue-4.4/nfsd4-avoid-null-deference-on-strange-copy-compounds.patch b/queue-4.4/nfsd4-avoid-null-deference-on-strange-copy-compounds.patch new file mode 100644 index 00000000000..a98da7a5f4b --- /dev/null +++ b/queue-4.4/nfsd4-avoid-null-deference-on-strange-copy-compounds.patch @@ -0,0 +1,54 @@ +From 1afcc98c1b35802dcf7854cf2b29e19c30416c86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2019 16:07:32 -0500 +Subject: nfsd4: avoid NULL deference on strange COPY compounds + +From: J. Bruce Fields + +[ Upstream commit d781e3df710745fbbaee4eb07fd5b64331a1b175 ] + +With cross-server COPY we've introduced the possibility that the current +or saved filehandle might not have fh_dentry/fh_export filled in, but we +missed a place that assumed it was. I think this could be triggered by +a compound like: + + PUTFH(foreign filehandle) + GETATTR + SAVEFH + COPY + +First, check_if_stalefh_allowed sets no_verify on the first (PUTFH) op. +Then op_func = nfsd4_putfh runs and leaves current_fh->fh_export NULL. +need_wrongsec_check returns true, since this PUTFH has OP_IS_PUTFH_LIKE +set and GETATTR does not have OP_HANDLES_WRONGSEC set. + +We should probably also consider tightening the checks in +check_if_stalefh_allowed and double-checking that we don't assume the +filehandle is verified elsewhere in the compound. But I think this +fixes the immediate issue. + +Reported-by: Dan Carpenter +Fixes: 4e48f1cccab3 "NFSD: allow inter server COPY to have... " +Signed-off-by: J. Bruce Fields +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfs4proc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c +index c67064d94096b..0cb956d792f21 100644 +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -1704,7 +1704,8 @@ nfsd4_proc_compound(struct svc_rqst *rqstp, + if (opdesc->op_flags & OP_CLEAR_STATEID) + clear_current_stateid(cstate); + +- if (need_wrongsec_check(rqstp)) ++ if (current_fh->fh_export && ++ need_wrongsec_check(rqstp)) + op->status = check_nfsd_access(current_fh->fh_export, rqstp); + } + encode_op: +-- +2.20.1 + diff --git a/queue-4.4/ocfs2-fix-a-null-pointer-dereference-when-call-ocfs2.patch b/queue-4.4/ocfs2-fix-a-null-pointer-dereference-when-call-ocfs2.patch new file mode 100644 index 00000000000..8335eedc917 --- /dev/null +++ b/queue-4.4/ocfs2-fix-a-null-pointer-dereference-when-call-ocfs2.patch @@ -0,0 +1,140 @@ +From 97e8f1a2b32a0de6ffbfab6fc175c6f0222e5faf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jan 2020 22:11:50 -0800 +Subject: ocfs2: fix a NULL pointer dereference when call + ocfs2_update_inode_fsync_trans() + +From: wangyan + +[ Upstream commit 9f16ca48fc818a17de8be1f75d08e7f4addc4497 ] + +I found a NULL pointer dereference in ocfs2_update_inode_fsync_trans(), +handle->h_transaction may be NULL in this situation: + +ocfs2_file_write_iter + ->__generic_file_write_iter + ->generic_perform_write + ->ocfs2_write_begin + ->ocfs2_write_begin_nolock + ->ocfs2_write_cluster_by_desc + ->ocfs2_write_cluster + ->ocfs2_mark_extent_written + ->ocfs2_change_extent_flag + ->ocfs2_split_extent + ->ocfs2_try_to_merge_extent + ->ocfs2_extend_rotate_transaction + ->ocfs2_extend_trans + ->jbd2_journal_restart + ->jbd2__journal_restart + // handle->h_transaction is NULL here + ->handle->h_transaction = NULL; + ->start_this_handle + /* journal aborted due to storage + network disconnection, return error */ + ->return -EROFS; + /* line 3806 in ocfs2_try_to_merge_extent (), + it will ignore ret error. */ + ->ret = 0; + ->... + ->ocfs2_write_end + ->ocfs2_write_end_nolock + ->ocfs2_update_inode_fsync_trans + // NULL pointer dereference + ->oi->i_sync_tid = handle->h_transaction->t_tid; + +The information of NULL pointer dereference as follows: + JBD2: Detected IO errors while flushing file data on dm-11-45 + Aborting journal on device dm-11-45. + JBD2: Error -5 detected when updating journal superblock for dm-11-45. + (dd,22081,3):ocfs2_extend_trans:474 ERROR: status = -30 + (dd,22081,3):ocfs2_try_to_merge_extent:3877 ERROR: status = -30 + Unable to handle kernel NULL pointer dereference at + virtual address 0000000000000008 + Mem abort info: + ESR = 0x96000004 + Exception class = DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + Data abort info: + ISV = 0, ISS = 0x00000004 + CM = 0, WnR = 0 + user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000e74e1338 + [0000000000000008] pgd=0000000000000000 + Internal error: Oops: 96000004 [#1] SMP + Process dd (pid: 22081, stack limit = 0x00000000584f35a9) + CPU: 3 PID: 22081 Comm: dd Kdump: loaded + Hardware name: Huawei TaiShan 2280 V2/BC82AMDD, BIOS 0.98 08/25/2019 + pstate: 60400009 (nZCv daif +PAN -UAO) + pc : ocfs2_write_end_nolock+0x2b8/0x550 [ocfs2] + lr : ocfs2_write_end_nolock+0x2a0/0x550 [ocfs2] + sp : ffff0000459fba70 + x29: ffff0000459fba70 x28: 0000000000000000 + x27: ffff807ccf7f1000 x26: 0000000000000001 + x25: ffff807bdff57970 x24: ffff807caf1d4000 + x23: ffff807cc79e9000 x22: 0000000000001000 + x21: 000000006c6cd000 x20: ffff0000091d9000 + x19: ffff807ccb239db0 x18: ffffffffffffffff + x17: 000000000000000e x16: 0000000000000007 + x15: ffff807c5e15bd78 x14: 0000000000000000 + x13: 0000000000000000 x12: 0000000000000000 + x11: 0000000000000000 x10: 0000000000000001 + x9 : 0000000000000228 x8 : 000000000000000c + x7 : 0000000000000fff x6 : ffff807a308ed6b0 + x5 : ffff7e01f10967c0 x4 : 0000000000000018 + x3 : d0bc661572445600 x2 : 0000000000000000 + x1 : 000000001b2e0200 x0 : 0000000000000000 + Call trace: + ocfs2_write_end_nolock+0x2b8/0x550 [ocfs2] + ocfs2_write_end+0x4c/0x80 [ocfs2] + generic_perform_write+0x108/0x1a8 + __generic_file_write_iter+0x158/0x1c8 + ocfs2_file_write_iter+0x668/0x950 [ocfs2] + __vfs_write+0x11c/0x190 + vfs_write+0xac/0x1c0 + ksys_write+0x6c/0xd8 + __arm64_sys_write+0x24/0x30 + el0_svc_common+0x78/0x130 + el0_svc_handler+0x38/0x78 + el0_svc+0x8/0xc + +To prevent NULL pointer dereference in this situation, we use +is_handle_aborted() before using handle->h_transaction->t_tid. + +Link: http://lkml.kernel.org/r/03e750ab-9ade-83aa-b000-b9e81e34e539@huawei.com +Signed-off-by: Yan Wang +Reviewed-by: Jun Piao +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Joseph Qi +Cc: Changwei Ge +Cc: Gang He +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ocfs2/journal.h | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/fs/ocfs2/journal.h b/fs/ocfs2/journal.h +index f4cd3c3e9fb70..0a4d2cbf512f8 100644 +--- a/fs/ocfs2/journal.h ++++ b/fs/ocfs2/journal.h +@@ -637,9 +637,11 @@ static inline void ocfs2_update_inode_fsync_trans(handle_t *handle, + { + struct ocfs2_inode_info *oi = OCFS2_I(inode); + +- oi->i_sync_tid = handle->h_transaction->t_tid; +- if (datasync) +- oi->i_datasync_tid = handle->h_transaction->t_tid; ++ if (!is_handle_aborted(handle)) { ++ oi->i_sync_tid = handle->h_transaction->t_tid; ++ if (datasync) ++ oi->i_datasync_tid = handle->h_transaction->t_tid; ++ } + } + + #endif /* OCFS2_JOURNAL_H */ +-- +2.20.1 + diff --git a/queue-4.4/orinoco-avoid-assertion-in-case-of-null-pointer.patch b/queue-4.4/orinoco-avoid-assertion-in-case-of-null-pointer.patch new file mode 100644 index 00000000000..7169bbbf38f --- /dev/null +++ b/queue-4.4/orinoco-avoid-assertion-in-case-of-null-pointer.patch @@ -0,0 +1,37 @@ +From 49f84cf618c083e5647df394b6d41d18f7ad9bad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Dec 2019 13:58:58 -0600 +Subject: orinoco: avoid assertion in case of NULL pointer + +From: Aditya Pakki + +[ Upstream commit c705f9fc6a1736dcf6ec01f8206707c108dca824 ] + +In ezusb_init, if upriv is NULL, the code crashes. However, the caller +in ezusb_probe can handle the error and print the failure message. +The patch replaces the BUG_ON call to error return. + +Signed-off-by: Aditya Pakki +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/orinoco/orinoco_usb.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/orinoco/orinoco_usb.c b/drivers/net/wireless/orinoco/orinoco_usb.c +index e434f7ca8ff36..3c5baccd67922 100644 +--- a/drivers/net/wireless/orinoco/orinoco_usb.c ++++ b/drivers/net/wireless/orinoco/orinoco_usb.c +@@ -1351,7 +1351,8 @@ static int ezusb_init(struct hermes *hw) + int retval; + + BUG_ON(in_interrupt()); +- BUG_ON(!upriv); ++ if (!upriv) ++ return -EINVAL; + + upriv->reply_count = 0; + /* Write the MAGIC number on the simulated registers to keep +-- +2.20.1 + diff --git a/queue-4.4/padata-always-acquire-cpu_hotplug_lock-before-pinst-.patch b/queue-4.4/padata-always-acquire-cpu_hotplug_lock-before-pinst-.patch new file mode 100644 index 00000000000..38eb2c848e5 --- /dev/null +++ b/queue-4.4/padata-always-acquire-cpu_hotplug_lock-before-pinst-.patch @@ -0,0 +1,71 @@ +From 0fde03153ecc6044b38e96dfefd75f058eb8a3d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2019 14:31:11 -0500 +Subject: padata: always acquire cpu_hotplug_lock before pinst->lock + +From: Daniel Jordan + +[ Upstream commit 38228e8848cd7dd86ccb90406af32de0cad24be3 ] + +lockdep complains when padata's paths to update cpumasks via CPU hotplug +and sysfs are both taken: + + # echo 0 > /sys/devices/system/cpu/cpu1/online + # echo ff > /sys/kernel/pcrypt/pencrypt/parallel_cpumask + + ====================================================== + WARNING: possible circular locking dependency detected + 5.4.0-rc8-padata-cpuhp-v3+ #1 Not tainted + ------------------------------------------------------ + bash/205 is trying to acquire lock: + ffffffff8286bcd0 (cpu_hotplug_lock.rw_sem){++++}, at: padata_set_cpumask+0x2b/0x120 + + but task is already holding lock: + ffff8880001abfa0 (&pinst->lock){+.+.}, at: padata_set_cpumask+0x26/0x120 + + which lock already depends on the new lock. + +padata doesn't take cpu_hotplug_lock and pinst->lock in a consistent +order. Which should be first? CPU hotplug calls into padata with +cpu_hotplug_lock already held, so it should have priority. + +Fixes: 6751fb3c0e0c ("padata: Use get_online_cpus/put_online_cpus") +Signed-off-by: Daniel Jordan +Cc: Eric Biggers +Cc: Herbert Xu +Cc: Steffen Klassert +Cc: linux-crypto@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + kernel/padata.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/padata.c b/kernel/padata.c +index 0d7ec5fd520bc..ae036af3f0129 100644 +--- a/kernel/padata.c ++++ b/kernel/padata.c +@@ -640,8 +640,8 @@ int padata_set_cpumask(struct padata_instance *pinst, int cpumask_type, + struct cpumask *serial_mask, *parallel_mask; + int err = -EINVAL; + +- mutex_lock(&pinst->lock); + get_online_cpus(); ++ mutex_lock(&pinst->lock); + + switch (cpumask_type) { + case PADATA_CPU_PARALLEL: +@@ -659,8 +659,8 @@ int padata_set_cpumask(struct padata_instance *pinst, int cpumask_type, + err = __padata_set_cpumasks(pinst, parallel_mask, serial_mask); + + out: +- put_online_cpus(); + mutex_unlock(&pinst->lock); ++ put_online_cpus(); + + return err; + } +-- +2.20.1 + diff --git a/queue-4.4/pci-don-t-disable-bridge-bars-when-assigning-bus-res.patch b/queue-4.4/pci-don-t-disable-bridge-bars-when-assigning-bus-res.patch new file mode 100644 index 00000000000..623c0b9d80d --- /dev/null +++ b/queue-4.4/pci-don-t-disable-bridge-bars-when-assigning-bus-res.patch @@ -0,0 +1,115 @@ +From 7737477262d2f86ffe5dd1d74c9dcb5756b880bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jan 2020 14:32:08 -0700 +Subject: PCI: Don't disable bridge BARs when assigning bus resources + +From: Logan Gunthorpe + +[ Upstream commit 9db8dc6d0785225c42a37be7b44d1b07b31b8957 ] + +Some PCI bridges implement BARs in addition to bridge windows. For +example, here's a PLX switch: + + 04:00.0 PCI bridge: PLX Technology, Inc. PEX 8724 24-Lane, 6-Port PCI + Express Gen 3 (8 GT/s) Switch, 19 x 19mm FCBGA (rev ca) + (prog-if 00 [Normal decode]) + Flags: bus master, fast devsel, latency 0, IRQ 30, NUMA node 0 + Memory at 90a00000 (32-bit, non-prefetchable) [size=256K] + Bus: primary=04, secondary=05, subordinate=0a, sec-latency=0 + I/O behind bridge: 00002000-00003fff + Memory behind bridge: 90000000-909fffff + Prefetchable memory behind bridge: 0000380000800000-0000380000bfffff + +Previously, when the kernel assigned resource addresses (with the +pci=realloc command line parameter, for example) it could clear the struct +resource corresponding to the BAR. When this happened, lspci would report +this BAR as "ignored": + + Region 0: Memory at (32-bit, non-prefetchable) [size=256K] + +This is because the kernel reports a zero start address and zero flags +in the corresponding sysfs resource file and in /proc/bus/pci/devices. +Investigation with 'lspci -x', however, shows the BIOS-assigned address +will still be programmed in the device's BAR registers. + +It's clearly a bug that the kernel lost track of the BAR value, but in most +cases, this still won't result in a visible issue because nothing uses the +memory, so nothing is affected. However, when an IOMMU is in use, it will +not reserve this space in the IOVA because the kernel no longer thinks the +range is valid. (See dmar_init_reserved_ranges() for the Intel +implementation of this.) + +Without the proper reserved range, a DMA mapping may allocate an IOVA that +matches a bridge BAR, which results in DMA accesses going to the BAR +instead of the intended RAM. + +The problem was in pci_assign_unassigned_root_bus_resources(). When any +resource from a bridge device fails to get assigned, the code set the +resource's flags to zero. This makes sense for bridge windows, as they +will be re-enabled later, but for regular BARs, it makes the kernel +permanently lose track of the fact that they decode address space. + +Change pci_assign_unassigned_root_bus_resources() and +pci_assign_unassigned_bridge_resources() so they only clear "res->flags" +for bridge *windows*, not bridge BARs. + +Fixes: da7822e5ad71 ("PCI: update bridge resources to get more big ranges when allocating space (again)") +Link: https://lore.kernel.org/r/20200108213208.4612-1-logang@deltatee.com +[bhelgaas: commit log, check for pci_is_bridge()] +Reported-by: Kit Chow +Signed-off-by: Logan Gunthorpe +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/setup-bus.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +diff --git a/drivers/pci/setup-bus.c b/drivers/pci/setup-bus.c +index 1723ac1b30e10..fe2865a0da395 100644 +--- a/drivers/pci/setup-bus.c ++++ b/drivers/pci/setup-bus.c +@@ -1760,12 +1760,18 @@ again: + /* restore size and flags */ + list_for_each_entry(fail_res, &fail_head, list) { + struct resource *res = fail_res->res; ++ int idx; + + res->start = fail_res->start; + res->end = fail_res->end; + res->flags = fail_res->flags; +- if (fail_res->dev->subordinate) +- res->flags = 0; ++ ++ if (pci_is_bridge(fail_res->dev)) { ++ idx = res - &fail_res->dev->resource[0]; ++ if (idx >= PCI_BRIDGE_RESOURCES && ++ idx <= PCI_BRIDGE_RESOURCE_END) ++ res->flags = 0; ++ } + } + free_list(&fail_head); + +@@ -1826,12 +1832,18 @@ again: + /* restore size and flags */ + list_for_each_entry(fail_res, &fail_head, list) { + struct resource *res = fail_res->res; ++ int idx; + + res->start = fail_res->start; + res->end = fail_res->end; + res->flags = fail_res->flags; +- if (fail_res->dev->subordinate) +- res->flags = 0; ++ ++ if (pci_is_bridge(fail_res->dev)) { ++ idx = res - &fail_res->dev->resource[0]; ++ if (idx >= PCI_BRIDGE_RESOURCES && ++ idx <= PCI_BRIDGE_RESOURCE_END) ++ res->flags = 0; ++ } + } + free_list(&fail_head); + +-- +2.20.1 + diff --git a/queue-4.4/pinctrl-sh-pfc-sh7264-fix-can-function-gpios.patch b/queue-4.4/pinctrl-sh-pfc-sh7264-fix-can-function-gpios.patch new file mode 100644 index 00000000000..d5efe3bcfbc --- /dev/null +++ b/queue-4.4/pinctrl-sh-pfc-sh7264-fix-can-function-gpios.patch @@ -0,0 +1,94 @@ +From 9c7955080b019be288561966ee2c2a7fc95e1d22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Dec 2019 20:48:09 +0100 +Subject: pinctrl: sh-pfc: sh7264: Fix CAN function GPIOs + +From: Geert Uytterhoeven + +[ Upstream commit 55b1cb1f03ad5eea39897d0c74035e02deddcff2 ] + +pinmux_func_gpios[] contains a hole due to the missing function GPIO +definition for the "CTX0&CTX1" signal, which is the logical "AND" of the +two CAN outputs. + +Fix this by: + - Renaming CRX0_CRX1_MARK to CTX0_CTX1_MARK, as PJ2MD[2:0]=010 + configures the combined "CTX0&CTX1" output signal, + - Renaming CRX0X1_MARK to CRX0_CRX1_MARK, as PJ3MD[1:0]=10 configures + the shared "CRX0/CRX1" input signal, which is fed to both CAN + inputs, + - Adding the missing function GPIO definition for "CTX0&CTX1" to + pinmux_func_gpios[], + - Moving all CAN enums next to each other. + +See SH7262 Group, SH7264 Group User's Manual: Hardware, Rev. 4.00: + [1] Figure 1.2 (3) (Pin Assignment for the SH7264 Group (1-Mbyte + Version), + [2] Figure 1.2 (4) Pin Assignment for the SH7264 Group (640-Kbyte + Version, + [3] Table 1.4 List of Pins, + [4] Figure 20.29 Connection Example when Using This Module as 1-Channel + Module (64 Mailboxes x 1 Channel), + [5] Table 32.10 Multiplexed Pins (Port J), + [6] Section 32.2.30 (3) Port J Control Register 0 (PJCR0). + +Note that the last 2 disagree about PJ2MD[2:0], which is probably the +root cause of this bug. But considering [4], "CTx0&CTx1" in [5] must +be correct, and "CRx0&CRx1" in [6] must be wrong. + +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20191218194812.12741-4-geert+renesas@glider.be +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/sh-pfc/pfc-sh7264.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/pinctrl/sh-pfc/pfc-sh7264.c b/drivers/pinctrl/sh-pfc/pfc-sh7264.c +index e1c34e19222ee..3ddb9565ed804 100644 +--- a/drivers/pinctrl/sh-pfc/pfc-sh7264.c ++++ b/drivers/pinctrl/sh-pfc/pfc-sh7264.c +@@ -500,17 +500,15 @@ enum { + SD_WP_MARK, SD_CLK_MARK, SD_CMD_MARK, + CRX0_MARK, CRX1_MARK, + CTX0_MARK, CTX1_MARK, ++ CRX0_CRX1_MARK, CTX0_CTX1_MARK, + + PWM1A_MARK, PWM1B_MARK, PWM1C_MARK, PWM1D_MARK, + PWM1E_MARK, PWM1F_MARK, PWM1G_MARK, PWM1H_MARK, + PWM2A_MARK, PWM2B_MARK, PWM2C_MARK, PWM2D_MARK, + PWM2E_MARK, PWM2F_MARK, PWM2G_MARK, PWM2H_MARK, + IERXD_MARK, IETXD_MARK, +- CRX0_CRX1_MARK, + WDTOVF_MARK, + +- CRX0X1_MARK, +- + /* DMAC */ + TEND0_MARK, DACK0_MARK, DREQ0_MARK, + TEND1_MARK, DACK1_MARK, DREQ1_MARK, +@@ -998,12 +996,12 @@ static const u16 pinmux_data[] = { + + PINMUX_DATA(PJ3_DATA, PJ3MD_00), + PINMUX_DATA(CRX1_MARK, PJ3MD_01), +- PINMUX_DATA(CRX0X1_MARK, PJ3MD_10), ++ PINMUX_DATA(CRX0_CRX1_MARK, PJ3MD_10), + PINMUX_DATA(IRQ1_PJ_MARK, PJ3MD_11), + + PINMUX_DATA(PJ2_DATA, PJ2MD_000), + PINMUX_DATA(CTX1_MARK, PJ2MD_001), +- PINMUX_DATA(CRX0_CRX1_MARK, PJ2MD_010), ++ PINMUX_DATA(CTX0_CTX1_MARK, PJ2MD_010), + PINMUX_DATA(CS2_MARK, PJ2MD_011), + PINMUX_DATA(SCK0_MARK, PJ2MD_100), + PINMUX_DATA(LCD_M_DISP_MARK, PJ2MD_101), +@@ -1248,6 +1246,7 @@ static const struct pinmux_func pinmux_func_gpios[] = { + GPIO_FN(CTX1), + GPIO_FN(CRX1), + GPIO_FN(CTX0), ++ GPIO_FN(CTX0_CTX1), + GPIO_FN(CRX0), + GPIO_FN(CRX0_CRX1), + +-- +2.20.1 + diff --git a/queue-4.4/pinctrl-sh-pfc-sh7269-fix-can-function-gpios.patch b/queue-4.4/pinctrl-sh-pfc-sh7269-fix-can-function-gpios.patch new file mode 100644 index 00000000000..5e6e936b17d --- /dev/null +++ b/queue-4.4/pinctrl-sh-pfc-sh7269-fix-can-function-gpios.patch @@ -0,0 +1,184 @@ +From c3e44eb8ba1635bbd78cfa3ab6d9c46e4369960a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Dec 2019 20:48:10 +0100 +Subject: pinctrl: sh-pfc: sh7269: Fix CAN function GPIOs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Geert Uytterhoeven + +[ Upstream commit 02aeb2f21530c98fc3ca51028eda742a3fafbd9f ] + +pinmux_func_gpios[] contains a hole due to the missing function GPIO +definition for the "CTX0&CTX1" signal, which is the logical "AND" of the +first two CAN outputs. + +A closer look reveals other issues: + - Some functionality is available on alternative pins, but the + PINMUX_DATA() entries is using the wrong marks, + - Several configurations are missing. + +Fix this by: + - Renaming CTX0CTX1CTX2_MARK, CRX0CRX1_PJ22_MARK, and + CRX0CRX1CRX2_PJ20_MARK to CTX0_CTX1_CTX2_MARK, CRX0_CRX1_PJ22_MARK, + resp. CRX0_CRX1_CRX2_PJ20_MARK for consistency with the + corresponding enum IDs, + - Adding all missing enum IDs and marks, + - Use the right (*_PJ2x) variants for alternative pins, + - Adding all missing configurations to pinmux_data[], + - Adding all missing function GPIO definitions to pinmux_func_gpios[]. + +See SH7268 Group, SH7269 Group User’s Manual: Hardware, Rev. 2.00: + [1] Table 1.4 List of Pins + [2] Figure 23.29 Connection Example when Using Channels 0 and 1 as One + Channel (64 Mailboxes × 1 Channel) and Channel 2 as One Channel + (32 Mailboxes × 1 Channel), + [3] Figure 23.30 Connection Example when Using Channels 0, 1, and 2 as + One Channel (96 Mailboxes × 1 Channel), + [4] Table 48.3 Multiplexed Pins (Port B), + [5] Table 48.4 Multiplexed Pins (Port C), + [6] Table 48.10 Multiplexed Pins (Port J), + [7] Section 48.2.4 Port B Control Registers 0 to 5 (PBCR0 to PBCR5). + +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20191218194812.12741-5-geert+renesas@glider.be +Signed-off-by: Sasha Levin +--- + arch/sh/include/cpu-sh2a/cpu/sh7269.h | 11 ++++++-- + drivers/pinctrl/sh-pfc/pfc-sh7269.c | 39 ++++++++++++++++++--------- + 2 files changed, 36 insertions(+), 14 deletions(-) + +diff --git a/arch/sh/include/cpu-sh2a/cpu/sh7269.h b/arch/sh/include/cpu-sh2a/cpu/sh7269.h +index 2a0ca8780f0d8..e4caddd443daf 100644 +--- a/arch/sh/include/cpu-sh2a/cpu/sh7269.h ++++ b/arch/sh/include/cpu-sh2a/cpu/sh7269.h +@@ -79,8 +79,15 @@ enum { + GPIO_FN_WDTOVF, + + /* CAN */ +- GPIO_FN_CTX1, GPIO_FN_CRX1, GPIO_FN_CTX0, GPIO_FN_CTX0_CTX1, +- GPIO_FN_CRX0, GPIO_FN_CRX0_CRX1, GPIO_FN_CRX0_CRX1_CRX2, ++ GPIO_FN_CTX2, GPIO_FN_CRX2, ++ GPIO_FN_CTX1, GPIO_FN_CRX1, ++ GPIO_FN_CTX0, GPIO_FN_CRX0, ++ GPIO_FN_CTX0_CTX1, GPIO_FN_CRX0_CRX1, ++ GPIO_FN_CTX0_CTX1_CTX2, GPIO_FN_CRX0_CRX1_CRX2, ++ GPIO_FN_CTX2_PJ21, GPIO_FN_CRX2_PJ20, ++ GPIO_FN_CTX1_PJ23, GPIO_FN_CRX1_PJ22, ++ GPIO_FN_CTX0_CTX1_PJ23, GPIO_FN_CRX0_CRX1_PJ22, ++ GPIO_FN_CTX0_CTX1_CTX2_PJ21, GPIO_FN_CRX0_CRX1_CRX2_PJ20, + + /* DMAC */ + GPIO_FN_TEND0, GPIO_FN_DACK0, GPIO_FN_DREQ0, +diff --git a/drivers/pinctrl/sh-pfc/pfc-sh7269.c b/drivers/pinctrl/sh-pfc/pfc-sh7269.c +index cfdb4fc177c3e..3df0c0d139d08 100644 +--- a/drivers/pinctrl/sh-pfc/pfc-sh7269.c ++++ b/drivers/pinctrl/sh-pfc/pfc-sh7269.c +@@ -740,13 +740,12 @@ enum { + CRX0_MARK, CTX0_MARK, + CRX1_MARK, CTX1_MARK, + CRX2_MARK, CTX2_MARK, +- CRX0_CRX1_MARK, +- CRX0_CRX1_CRX2_MARK, +- CTX0CTX1CTX2_MARK, ++ CRX0_CRX1_MARK, CTX0_CTX1_MARK, ++ CRX0_CRX1_CRX2_MARK, CTX0_CTX1_CTX2_MARK, + CRX1_PJ22_MARK, CTX1_PJ23_MARK, + CRX2_PJ20_MARK, CTX2_PJ21_MARK, +- CRX0CRX1_PJ22_MARK, +- CRX0CRX1CRX2_PJ20_MARK, ++ CRX0_CRX1_PJ22_MARK, CTX0_CTX1_PJ23_MARK, ++ CRX0_CRX1_CRX2_PJ20_MARK, CTX0_CTX1_CTX2_PJ21_MARK, + + /* VDC */ + DV_CLK_MARK, +@@ -824,6 +823,7 @@ static const u16 pinmux_data[] = { + PINMUX_DATA(CS3_MARK, PC8MD_001), + PINMUX_DATA(TXD7_MARK, PC8MD_010), + PINMUX_DATA(CTX1_MARK, PC8MD_011), ++ PINMUX_DATA(CTX0_CTX1_MARK, PC8MD_100), + + PINMUX_DATA(PC7_DATA, PC7MD_000), + PINMUX_DATA(CKE_MARK, PC7MD_001), +@@ -836,11 +836,12 @@ static const u16 pinmux_data[] = { + PINMUX_DATA(CAS_MARK, PC6MD_001), + PINMUX_DATA(SCK7_MARK, PC6MD_010), + PINMUX_DATA(CTX0_MARK, PC6MD_011), ++ PINMUX_DATA(CTX0_CTX1_CTX2_MARK, PC6MD_100), + + PINMUX_DATA(PC5_DATA, PC5MD_000), + PINMUX_DATA(RAS_MARK, PC5MD_001), + PINMUX_DATA(CRX0_MARK, PC5MD_011), +- PINMUX_DATA(CTX0CTX1CTX2_MARK, PC5MD_100), ++ PINMUX_DATA(CTX0_CTX1_CTX2_MARK, PC5MD_100), + PINMUX_DATA(IRQ0_PC_MARK, PC5MD_101), + + PINMUX_DATA(PC4_DATA, PC4MD_00), +@@ -1292,30 +1293,32 @@ static const u16 pinmux_data[] = { + PINMUX_DATA(LCD_DATA23_PJ23_MARK, PJ23MD_010), + PINMUX_DATA(LCD_TCON6_MARK, PJ23MD_011), + PINMUX_DATA(IRQ3_PJ_MARK, PJ23MD_100), +- PINMUX_DATA(CTX1_MARK, PJ23MD_101), ++ PINMUX_DATA(CTX1_PJ23_MARK, PJ23MD_101), ++ PINMUX_DATA(CTX0_CTX1_PJ23_MARK, PJ23MD_110), + + PINMUX_DATA(PJ22_DATA, PJ22MD_000), + PINMUX_DATA(DV_DATA22_MARK, PJ22MD_001), + PINMUX_DATA(LCD_DATA22_PJ22_MARK, PJ22MD_010), + PINMUX_DATA(LCD_TCON5_MARK, PJ22MD_011), + PINMUX_DATA(IRQ2_PJ_MARK, PJ22MD_100), +- PINMUX_DATA(CRX1_MARK, PJ22MD_101), +- PINMUX_DATA(CRX0_CRX1_MARK, PJ22MD_110), ++ PINMUX_DATA(CRX1_PJ22_MARK, PJ22MD_101), ++ PINMUX_DATA(CRX0_CRX1_PJ22_MARK, PJ22MD_110), + + PINMUX_DATA(PJ21_DATA, PJ21MD_000), + PINMUX_DATA(DV_DATA21_MARK, PJ21MD_001), + PINMUX_DATA(LCD_DATA21_PJ21_MARK, PJ21MD_010), + PINMUX_DATA(LCD_TCON4_MARK, PJ21MD_011), + PINMUX_DATA(IRQ1_PJ_MARK, PJ21MD_100), +- PINMUX_DATA(CTX2_MARK, PJ21MD_101), ++ PINMUX_DATA(CTX2_PJ21_MARK, PJ21MD_101), ++ PINMUX_DATA(CTX0_CTX1_CTX2_PJ21_MARK, PJ21MD_110), + + PINMUX_DATA(PJ20_DATA, PJ20MD_000), + PINMUX_DATA(DV_DATA20_MARK, PJ20MD_001), + PINMUX_DATA(LCD_DATA20_PJ20_MARK, PJ20MD_010), + PINMUX_DATA(LCD_TCON3_MARK, PJ20MD_011), + PINMUX_DATA(IRQ0_PJ_MARK, PJ20MD_100), +- PINMUX_DATA(CRX2_MARK, PJ20MD_101), +- PINMUX_DATA(CRX0CRX1CRX2_PJ20_MARK, PJ20MD_110), ++ PINMUX_DATA(CRX2_PJ20_MARK, PJ20MD_101), ++ PINMUX_DATA(CRX0_CRX1_CRX2_PJ20_MARK, PJ20MD_110), + + PINMUX_DATA(PJ19_DATA, PJ19MD_000), + PINMUX_DATA(DV_DATA19_MARK, PJ19MD_001), +@@ -1666,12 +1669,24 @@ static const struct pinmux_func pinmux_func_gpios[] = { + GPIO_FN(WDTOVF), + + /* CAN */ ++ GPIO_FN(CTX2), ++ GPIO_FN(CRX2), + GPIO_FN(CTX1), + GPIO_FN(CRX1), + GPIO_FN(CTX0), + GPIO_FN(CRX0), ++ GPIO_FN(CTX0_CTX1), + GPIO_FN(CRX0_CRX1), ++ GPIO_FN(CTX0_CTX1_CTX2), + GPIO_FN(CRX0_CRX1_CRX2), ++ GPIO_FN(CTX2_PJ21), ++ GPIO_FN(CRX2_PJ20), ++ GPIO_FN(CTX1_PJ23), ++ GPIO_FN(CRX1_PJ22), ++ GPIO_FN(CTX0_CTX1_PJ23), ++ GPIO_FN(CRX0_CRX1_PJ22), ++ GPIO_FN(CTX0_CTX1_CTX2_PJ21), ++ GPIO_FN(CRX0_CRX1_CRX2_PJ20), + + /* DMAC */ + GPIO_FN(TEND0), +-- +2.20.1 + diff --git a/queue-4.4/radeon-insert-10ms-sleep-in-dce5_crtc_load_lut.patch b/queue-4.4/radeon-insert-10ms-sleep-in-dce5_crtc_load_lut.patch new file mode 100644 index 00000000000..054a1a838be --- /dev/null +++ b/queue-4.4/radeon-insert-10ms-sleep-in-dce5_crtc_load_lut.patch @@ -0,0 +1,53 @@ +From a2ae9514a96068f0920710672d252a2c3e9d6876 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Jan 2020 17:09:52 +0100 +Subject: radeon: insert 10ms sleep in dce5_crtc_load_lut +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Daniel Vetter + +[ Upstream commit ec3d65082d7dabad6fa8f66a8ef166f2d522d6b2 ] + +Per at least one tester this is enough magic to recover the regression +introduced for some people (but not all) in + +commit b8e2b0199cc377617dc238f5106352c06dcd3fa2 +Author: Peter Rosin +Date: Tue Jul 4 12:36:57 2017 +0200 + + drm/fb-helper: factor out pseudo-palette + +which for radeon had the side-effect of refactoring out a seemingly +redudant writing of the color palette. + +10ms in a fairly slow modeset path feels like an acceptable form of +duct-tape, so maybe worth a shot and see what sticks. + +Cc: Alex Deucher +Cc: Michel Dänzer +References: https://bugzilla.kernel.org/show_bug.cgi?id=198123 +Signed-off-by: Daniel Vetter +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/radeon_display.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/radeon/radeon_display.c b/drivers/gpu/drm/radeon/radeon_display.c +index 446d990623069..4572bfba017c5 100644 +--- a/drivers/gpu/drm/radeon/radeon_display.c ++++ b/drivers/gpu/drm/radeon/radeon_display.c +@@ -110,6 +110,8 @@ static void dce5_crtc_load_lut(struct drm_crtc *crtc) + + DRM_DEBUG_KMS("%d\n", radeon_crtc->crtc_id); + ++ msleep(10); ++ + WREG32(NI_INPUT_CSC_CONTROL + radeon_crtc->crtc_offset, + (NI_INPUT_CSC_GRPH_MODE(NI_INPUT_CSC_BYPASS) | + NI_INPUT_CSC_OVL_MODE(NI_INPUT_CSC_BYPASS))); +-- +2.20.1 + diff --git a/queue-4.4/rcu-use-write_once-for-assignments-to-pprev-for-hlis.patch b/queue-4.4/rcu-use-write_once-for-assignments-to-pprev-for-hlis.patch new file mode 100644 index 00000000000..3bc7a429546 --- /dev/null +++ b/queue-4.4/rcu-use-write_once-for-assignments-to-pprev-for-hlis.patch @@ -0,0 +1,169 @@ +From 6220e4420de6ccd456ed3f63145a05c8d6aa297d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Nov 2019 09:42:13 -0800 +Subject: rcu: Use WRITE_ONCE() for assignments to ->pprev for hlist_nulls + +From: Paul E. McKenney + +[ Upstream commit 860c8802ace14c646864795e057349c9fb2d60ad ] + +Eric Dumazet supplied a KCSAN report of a bug that forces use +of hlist_unhashed_lockless() from sk_unhashed(): + +------------------------------------------------------------------------ + +BUG: KCSAN: data-race in inet_unhash / inet_unhash + +write to 0xffff8880a69a0170 of 8 bytes by interrupt on cpu 1: + __hlist_nulls_del include/linux/list_nulls.h:88 [inline] + hlist_nulls_del_init_rcu include/linux/rculist_nulls.h:36 [inline] + __sk_nulls_del_node_init_rcu include/net/sock.h:676 [inline] + inet_unhash+0x38f/0x4a0 net/ipv4/inet_hashtables.c:612 + tcp_set_state+0xfa/0x3e0 net/ipv4/tcp.c:2249 + tcp_done+0x93/0x1e0 net/ipv4/tcp.c:3854 + tcp_write_err+0x7e/0xc0 net/ipv4/tcp_timer.c:56 + tcp_retransmit_timer+0x9b8/0x16d0 net/ipv4/tcp_timer.c:479 + tcp_write_timer_handler+0x42d/0x510 net/ipv4/tcp_timer.c:599 + tcp_write_timer+0xd1/0xf0 net/ipv4/tcp_timer.c:619 + call_timer_fn+0x5f/0x2f0 kernel/time/timer.c:1404 + expire_timers kernel/time/timer.c:1449 [inline] + __run_timers kernel/time/timer.c:1773 [inline] + __run_timers kernel/time/timer.c:1740 [inline] + run_timer_softirq+0xc0c/0xcd0 kernel/time/timer.c:1786 + __do_softirq+0x115/0x33f kernel/softirq.c:292 + invoke_softirq kernel/softirq.c:373 [inline] + irq_exit+0xbb/0xe0 kernel/softirq.c:413 + exiting_irq arch/x86/include/asm/apic.h:536 [inline] + smp_apic_timer_interrupt+0xe6/0x280 arch/x86/kernel/apic/apic.c:1137 + apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830 + native_safe_halt+0xe/0x10 arch/x86/kernel/paravirt.c:71 + arch_cpu_idle+0x1f/0x30 arch/x86/kernel/process.c:571 + default_idle_call+0x1e/0x40 kernel/sched/idle.c:94 + cpuidle_idle_call kernel/sched/idle.c:154 [inline] + do_idle+0x1af/0x280 kernel/sched/idle.c:263 + cpu_startup_entry+0x1b/0x20 kernel/sched/idle.c:355 + start_secondary+0x208/0x260 arch/x86/kernel/smpboot.c:264 + secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:241 + +read to 0xffff8880a69a0170 of 8 bytes by interrupt on cpu 0: + sk_unhashed include/net/sock.h:607 [inline] + inet_unhash+0x3d/0x4a0 net/ipv4/inet_hashtables.c:592 + tcp_set_state+0xfa/0x3e0 net/ipv4/tcp.c:2249 + tcp_done+0x93/0x1e0 net/ipv4/tcp.c:3854 + tcp_write_err+0x7e/0xc0 net/ipv4/tcp_timer.c:56 + tcp_retransmit_timer+0x9b8/0x16d0 net/ipv4/tcp_timer.c:479 + tcp_write_timer_handler+0x42d/0x510 net/ipv4/tcp_timer.c:599 + tcp_write_timer+0xd1/0xf0 net/ipv4/tcp_timer.c:619 + call_timer_fn+0x5f/0x2f0 kernel/time/timer.c:1404 + expire_timers kernel/time/timer.c:1449 [inline] + __run_timers kernel/time/timer.c:1773 [inline] + __run_timers kernel/time/timer.c:1740 [inline] + run_timer_softirq+0xc0c/0xcd0 kernel/time/timer.c:1786 + __do_softirq+0x115/0x33f kernel/softirq.c:292 + invoke_softirq kernel/softirq.c:373 [inline] + irq_exit+0xbb/0xe0 kernel/softirq.c:413 + exiting_irq arch/x86/include/asm/apic.h:536 [inline] + smp_apic_timer_interrupt+0xe6/0x280 arch/x86/kernel/apic/apic.c:1137 + apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830 + native_safe_halt+0xe/0x10 arch/x86/kernel/paravirt.c:71 + arch_cpu_idle+0x1f/0x30 arch/x86/kernel/process.c:571 + default_idle_call+0x1e/0x40 kernel/sched/idle.c:94 + cpuidle_idle_call kernel/sched/idle.c:154 [inline] + do_idle+0x1af/0x280 kernel/sched/idle.c:263 + cpu_startup_entry+0x1b/0x20 kernel/sched/idle.c:355 + rest_init+0xec/0xf6 init/main.c:452 + arch_call_rest_init+0x17/0x37 + start_kernel+0x838/0x85e init/main.c:786 + x86_64_start_reservations+0x29/0x2b arch/x86/kernel/head64.c:490 + x86_64_start_kernel+0x72/0x76 arch/x86/kernel/head64.c:471 + secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:241 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.0-rc6+ #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, +BIOS Google 01/01/2011 + +------------------------------------------------------------------------ + +This commit therefore replaces C-language assignments with WRITE_ONCE() +in include/linux/list_nulls.h and include/linux/rculist_nulls.h. + +Reported-by: Eric Dumazet # For KCSAN +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + include/linux/list_nulls.h | 8 ++++---- + include/linux/rculist_nulls.h | 8 ++++---- + 2 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/include/linux/list_nulls.h b/include/linux/list_nulls.h +index 444d2b1313bda..703928e4fd42d 100644 +--- a/include/linux/list_nulls.h ++++ b/include/linux/list_nulls.h +@@ -66,10 +66,10 @@ static inline void hlist_nulls_add_head(struct hlist_nulls_node *n, + struct hlist_nulls_node *first = h->first; + + n->next = first; +- n->pprev = &h->first; ++ WRITE_ONCE(n->pprev, &h->first); + h->first = n; + if (!is_a_nulls(first)) +- first->pprev = &n->next; ++ WRITE_ONCE(first->pprev, &n->next); + } + + static inline void __hlist_nulls_del(struct hlist_nulls_node *n) +@@ -79,13 +79,13 @@ static inline void __hlist_nulls_del(struct hlist_nulls_node *n) + + WRITE_ONCE(*pprev, next); + if (!is_a_nulls(next)) +- next->pprev = pprev; ++ WRITE_ONCE(next->pprev, pprev); + } + + static inline void hlist_nulls_del(struct hlist_nulls_node *n) + { + __hlist_nulls_del(n); +- n->pprev = LIST_POISON2; ++ WRITE_ONCE(n->pprev, LIST_POISON2); + } + + /** +diff --git a/include/linux/rculist_nulls.h b/include/linux/rculist_nulls.h +index 1c33dd7da4a7d..f35dc0a1d6ebc 100644 +--- a/include/linux/rculist_nulls.h ++++ b/include/linux/rculist_nulls.h +@@ -33,7 +33,7 @@ static inline void hlist_nulls_del_init_rcu(struct hlist_nulls_node *n) + { + if (!hlist_nulls_unhashed(n)) { + __hlist_nulls_del(n); +- n->pprev = NULL; ++ WRITE_ONCE(n->pprev, NULL); + } + } + +@@ -65,7 +65,7 @@ static inline void hlist_nulls_del_init_rcu(struct hlist_nulls_node *n) + static inline void hlist_nulls_del_rcu(struct hlist_nulls_node *n) + { + __hlist_nulls_del(n); +- n->pprev = LIST_POISON2; ++ WRITE_ONCE(n->pprev, LIST_POISON2); + } + + /** +@@ -93,10 +93,10 @@ static inline void hlist_nulls_add_head_rcu(struct hlist_nulls_node *n, + struct hlist_nulls_node *first = h->first; + + n->next = first; +- n->pprev = &h->first; ++ WRITE_ONCE(n->pprev, &h->first); + rcu_assign_pointer(hlist_nulls_first_rcu(h), n); + if (!is_a_nulls(first)) +- first->pprev = &n->next; ++ WRITE_ONCE(first->pprev, &n->next); + } + /** + * hlist_nulls_for_each_entry_rcu - iterate over rcu list of given type +-- +2.20.1 + diff --git a/queue-4.4/regulator-rk808-lower-log-level-on-optional-gpios-be.patch b/queue-4.4/regulator-rk808-lower-log-level-on-optional-gpios-be.patch new file mode 100644 index 00000000000..e724103f9d4 --- /dev/null +++ b/queue-4.4/regulator-rk808-lower-log-level-on-optional-gpios-be.patch @@ -0,0 +1,45 @@ +From b9daa0f0c46a968f76be514df1e2acd249e44379 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2019 17:47:09 +0100 +Subject: regulator: rk808: Lower log level on optional GPIOs being not + available + +From: Miquel Raynal + +[ Upstream commit b8a039d37792067c1a380dc710361905724b9b2f ] + +RK808 can leverage a couple of GPIOs to tweak the ramp rate during DVS +(Dynamic Voltage Scaling). These GPIOs are entirely optional but a +dev_warn() appeared when cleaning this driver to use a more up-to-date +gpiod API. At least reduce the log level to 'info' as it is totally +fine to not populate these GPIO on a hardware design. + +This change is trivial but it is worth not polluting the logs during +bringup phase by having real warnings and errors sorted out +correctly. + +Fixes: a13eaf02e2d6 ("regulator: rk808: make better use of the gpiod API") +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/r/20191203164709.11127-1-miquel.raynal@bootlin.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/rk808-regulator.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/regulator/rk808-regulator.c b/drivers/regulator/rk808-regulator.c +index d86a3dcd61e24..b96d50a03022c 100644 +--- a/drivers/regulator/rk808-regulator.c ++++ b/drivers/regulator/rk808-regulator.c +@@ -551,7 +551,7 @@ static int rk808_regulator_dt_parse_pdata(struct device *dev, + } + + if (!pdata->dvs_gpio[i]) { +- dev_warn(dev, "there is no dvs%d gpio\n", i); ++ dev_info(dev, "there is no dvs%d gpio\n", i); + continue; + } + +-- +2.20.1 + diff --git a/queue-4.4/reiserfs-fix-spurious-unlock-in-reiserfs_fill_super-.patch b/queue-4.4/reiserfs-fix-spurious-unlock-in-reiserfs_fill_super-.patch new file mode 100644 index 00000000000..6a747466fc4 --- /dev/null +++ b/queue-4.4/reiserfs-fix-spurious-unlock-in-reiserfs_fill_super-.patch @@ -0,0 +1,36 @@ +From 08373057db5191741d1a268c272880b139d6f64f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Dec 2019 11:35:58 +0100 +Subject: reiserfs: Fix spurious unlock in reiserfs_fill_super() error handling + +From: Jan Kara + +[ Upstream commit 4d5c1adaf893b8aa52525d2b81995e949bcb3239 ] + +When we fail to allocate string for journal device name we jump to +'error' label which tries to unlock reiserfs write lock which is not +held. Jump to 'error_unlocked' instead. + +Fixes: f32485be8397 ("reiserfs: delay reiserfs lock until journal initialization") +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/reiserfs/super.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/reiserfs/super.c b/fs/reiserfs/super.c +index 519bf410e65b2..f9796fd515315 100644 +--- a/fs/reiserfs/super.c ++++ b/fs/reiserfs/super.c +@@ -1921,7 +1921,7 @@ static int reiserfs_fill_super(struct super_block *s, void *data, int silent) + if (!sbi->s_jdev) { + SWARN(silent, s, "", "Cannot allocate memory for " + "journal device name"); +- goto error; ++ goto error_unlocked; + } + } + #ifdef CONFIG_QUOTA +-- +2.20.1 + diff --git a/queue-4.4/reiserfs-prevent-null-pointer-dereference-in-reiserf.patch b/queue-4.4/reiserfs-prevent-null-pointer-dereference-in-reiserf.patch new file mode 100644 index 00000000000..7bb67aebfd4 --- /dev/null +++ b/queue-4.4/reiserfs-prevent-null-pointer-dereference-in-reiserf.patch @@ -0,0 +1,44 @@ +From b9d92843125e8bc185b19d1fb94f542ff59be8dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jan 2020 22:17:26 -0800 +Subject: reiserfs: prevent NULL pointer dereference in reiserfs_insert_item() + +From: Yunfeng Ye + +[ Upstream commit aacee5446a2a1aa35d0a49dab289552578657fb4 ] + +The variable inode may be NULL in reiserfs_insert_item(), but there is +no check before accessing the member of inode. + +Fix this by adding NULL pointer check before calling reiserfs_debug(). + +Link: http://lkml.kernel.org/r/79c5135d-ff25-1cc9-4e99-9f572b88cc00@huawei.com +Signed-off-by: Yunfeng Ye +Cc: zhengbin +Cc: Hu Shiyuan +Cc: Feilong Lin +Cc: Jan Kara +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/reiserfs/stree.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/reiserfs/stree.c b/fs/reiserfs/stree.c +index 24cbe013240fa..e3a4cbad9620c 100644 +--- a/fs/reiserfs/stree.c ++++ b/fs/reiserfs/stree.c +@@ -2249,7 +2249,8 @@ error_out: + /* also releases the path */ + unfix_nodes(&s_ins_balance); + #ifdef REISERQUOTA_DEBUG +- reiserfs_debug(th->t_super, REISERFS_DEBUG_CODE, ++ if (inode) ++ reiserfs_debug(th->t_super, REISERFS_DEBUG_CODE, + "reiserquota insert_item(): freeing %u id=%u type=%c", + quota_bytes, inode->i_uid, head2type(ih)); + #endif +-- +2.20.1 + diff --git a/queue-4.4/remoteproc-initialize-rproc_class-before-use.patch b/queue-4.4/remoteproc-initialize-rproc_class-before-use.patch new file mode 100644 index 00000000000..91313e06d3a --- /dev/null +++ b/queue-4.4/remoteproc-initialize-rproc_class-before-use.patch @@ -0,0 +1,73 @@ +From 94a00087710e6fb76f3b106c3ab14150368cb5fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 May 2019 17:52:23 -0500 +Subject: remoteproc: Initialize rproc_class before use + +From: Brandon Maier + +[ Upstream commit a8f40111d184098cd2b3dc0c7170c42250a5fa09 ] + +The remoteproc_core and remoteproc drivers all initialize with module_init(). +However remoteproc drivers need the rproc_class during their probe. If one of +the remoteproc drivers runs init and gets through probe before +remoteproc_init() runs, a NULL pointer access of rproc_class's `glue_dirs` +spinlock occurs. + +> Unable to handle kernel NULL pointer dereference at virtual address 000000dc +> pgd = c0004000 +> [000000dc] *pgd=00000000 +> Internal error: Oops: 5 [#1] PREEMPT ARM +> Modules linked in: +> CPU: 0 PID: 1 Comm: swapper Tainted: G W 4.14.106-rt56 #1 +> Hardware name: Generic OMAP36xx (Flattened Device Tree) +> task: c6050000 task.stack: c604a000 +> PC is at rt_spin_lock+0x40/0x6c +> LR is at rt_spin_lock+0x28/0x6c +> pc : [] lr : [] psr: 60000013 +> sp : c604bdc0 ip : 00000000 fp : 00000000 +> r10: 00000000 r9 : c61c7c10 r8 : c6269c20 +> r7 : c0905888 r6 : c6269c20 r5 : 00000000 r4 : 000000d4 +> r3 : 000000dc r2 : c6050000 r1 : 00000002 r0 : 000000d4 +> Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none +... +> [] (rt_spin_lock) from [] (get_device_parent+0x54/0x17c) +> [] (get_device_parent) from [] (device_add+0xe0/0x5b4) +> [] (device_add) from [] (rproc_add+0x18/0xd8) +> [] (rproc_add) from [] (my_rproc_probe+0x158/0x204) +> [] (my_rproc_probe) from [] (platform_drv_probe+0x34/0x70) +> [] (platform_drv_probe) from [] (driver_probe_device+0x2c8/0x420) +> [] (driver_probe_device) from [] (__driver_attach+0x100/0x11c) +> [] (__driver_attach) from [] (bus_for_each_dev+0x7c/0xc0) +> [] (bus_for_each_dev) from [] (bus_add_driver+0x1cc/0x264) +> [] (bus_add_driver) from [] (driver_register+0x78/0xf8) +> [] (driver_register) from [] (do_one_initcall+0x100/0x190) +> [] (do_one_initcall) from [] (kernel_init_freeable+0x130/0x1d0) +> [] (kernel_init_freeable) from [] (kernel_init+0x8/0x114) +> [] (kernel_init) from [] (ret_from_fork+0x14/0x24) +> Code: e2843008 e3c2203f f5d3f000 e5922010 (e193cf9f) +> ---[ end trace 0000000000000002 ]--- + +Signed-off-by: Brandon Maier +Link: https://lore.kernel.org/r/20190530225223.136420-1-brandon.maier@rockwellcollins.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/remoteproc/remoteproc_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/remoteproc/remoteproc_core.c b/drivers/remoteproc/remoteproc_core.c +index 4f7ce0097191d..b76ef5244b655 100644 +--- a/drivers/remoteproc/remoteproc_core.c ++++ b/drivers/remoteproc/remoteproc_core.c +@@ -1477,7 +1477,7 @@ static int __init remoteproc_init(void) + + return 0; + } +-module_init(remoteproc_init); ++subsys_initcall(remoteproc_init); + + static void __exit remoteproc_exit(void) + { +-- +2.20.1 + diff --git a/queue-4.4/rtlwifi-rtl_pci-fix-wcast-function-type.patch b/queue-4.4/rtlwifi-rtl_pci-fix-wcast-function-type.patch new file mode 100644 index 00000000000..043e5994e06 --- /dev/null +++ b/queue-4.4/rtlwifi-rtl_pci-fix-wcast-function-type.patch @@ -0,0 +1,58 @@ +From 7789f94e56dcdd36824207478e8ea519907cb485 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Nov 2019 00:55:29 +0700 +Subject: rtlwifi: rtl_pci: Fix -Wcast-function-type + +From: Phong Tran + +[ Upstream commit cb775c88da5d48a85d99d95219f637b6fad2e0e9 ] + +correct usage prototype of callback in tasklet_init(). +Report by https://github.com/KSPP/linux/issues/20 + +Signed-off-by: Phong Tran +Reviewed-by: Kees Cook +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/pci.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c +index b51815eccdb3b..17a07d6b961c7 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/pci.c ++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c +@@ -1096,13 +1096,15 @@ done: + return ret; + } + +-static void _rtl_pci_irq_tasklet(struct ieee80211_hw *hw) ++static void _rtl_pci_irq_tasklet(unsigned long data) + { ++ struct ieee80211_hw *hw = (struct ieee80211_hw *)data; + _rtl_pci_tx_chk_waitq(hw); + } + +-static void _rtl_pci_prepare_bcn_tasklet(struct ieee80211_hw *hw) ++static void _rtl_pci_prepare_bcn_tasklet(unsigned long data) + { ++ struct ieee80211_hw *hw = (struct ieee80211_hw *)data; + struct rtl_priv *rtlpriv = rtl_priv(hw); + struct rtl_pci *rtlpci = rtl_pcidev(rtl_pcipriv(hw)); + struct rtl_mac *mac = rtl_mac(rtl_priv(hw)); +@@ -1223,10 +1225,10 @@ static void _rtl_pci_init_struct(struct ieee80211_hw *hw, + + /*task */ + tasklet_init(&rtlpriv->works.irq_tasklet, +- (void (*)(unsigned long))_rtl_pci_irq_tasklet, ++ _rtl_pci_irq_tasklet, + (unsigned long)hw); + tasklet_init(&rtlpriv->works.irq_prepare_bcn_tasklet, +- (void (*)(unsigned long))_rtl_pci_prepare_bcn_tasklet, ++ _rtl_pci_prepare_bcn_tasklet, + (unsigned long)hw); + INIT_WORK(&rtlpriv->works.lps_change_work, + rtl_lps_change_work_callback); +-- +2.20.1 + diff --git a/queue-4.4/s390-ftrace-generate-traced-function-stack-frame.patch b/queue-4.4/s390-ftrace-generate-traced-function-stack-frame.patch new file mode 100644 index 00000000000..c45a1739fda --- /dev/null +++ b/queue-4.4/s390-ftrace-generate-traced-function-stack-frame.patch @@ -0,0 +1,103 @@ +From a04ad3d769f4c20d1f22fc913fa1c0369eb0a9ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2019 14:33:39 +0100 +Subject: s390/ftrace: generate traced function stack frame + +From: Vasily Gorbik + +[ Upstream commit 45f7a0da600d3c409b5ad8d5ddddacd98ddc8840 ] + +Currently backtrace from ftraced function does not contain ftraced +function itself. e.g. for "path_openat": + +arch_stack_walk+0x15c/0x2d8 +stack_trace_save+0x50/0x68 +stack_trace_call+0x15e/0x3d8 +ftrace_graph_caller+0x0/0x1c <-- ftrace code +do_filp_open+0x7c/0xe8 <-- ftraced function caller +do_open_execat+0x76/0x1b8 +open_exec+0x52/0x78 +load_elf_binary+0x180/0x1160 +search_binary_handler+0x8e/0x288 +load_script+0x2a8/0x2b8 +search_binary_handler+0x8e/0x288 +__do_execve_file.isra.39+0x6fa/0xb40 +__s390x_sys_execve+0x56/0x68 +system_call+0xdc/0x2d8 + +Ftraced function is expected in the backtrace by ftrace kselftests, which +are now failing. It would also be nice to have it for clarity reasons. + +"ftrace_caller" itself is called without stack frame allocated for it +and does not store its caller (ftraced function). Instead it simply +allocates a stack frame for "ftrace_trace_function" and sets backchain +to point to ftraced function stack frame (which contains ftraced function +caller in saved r14). + +To fix this issue make "ftrace_caller" allocate a stack frame +for itself just to store ftraced function for the stack unwinder. +As a result backtrace looks like the following: + +arch_stack_walk+0x15c/0x2d8 +stack_trace_save+0x50/0x68 +stack_trace_call+0x15e/0x3d8 +ftrace_graph_caller+0x0/0x1c <-- ftrace code +path_openat+0x6/0xd60 <-- ftraced function +do_filp_open+0x7c/0xe8 <-- ftraced function caller +do_open_execat+0x76/0x1b8 +open_exec+0x52/0x78 +load_elf_binary+0x180/0x1160 +search_binary_handler+0x8e/0x288 +load_script+0x2a8/0x2b8 +search_binary_handler+0x8e/0x288 +__do_execve_file.isra.39+0x6fa/0xb40 +__s390x_sys_execve+0x56/0x68 +system_call+0xdc/0x2d8 + +Reported-by: Sven Schnelle +Tested-by: Sven Schnelle +Reviewed-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/mcount.S | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/arch/s390/kernel/mcount.S b/arch/s390/kernel/mcount.S +index 6c1c7d399bf95..78ba14546e007 100644 +--- a/arch/s390/kernel/mcount.S ++++ b/arch/s390/kernel/mcount.S +@@ -23,6 +23,12 @@ ENTRY(ftrace_stub) + #define STACK_PTREGS (STACK_FRAME_OVERHEAD) + #define STACK_PTREGS_GPRS (STACK_PTREGS + __PT_GPRS) + #define STACK_PTREGS_PSW (STACK_PTREGS + __PT_PSW) ++#ifdef __PACK_STACK ++/* allocate just enough for r14, r15 and backchain */ ++#define TRACED_FUNC_FRAME_SIZE 24 ++#else ++#define TRACED_FUNC_FRAME_SIZE STACK_FRAME_OVERHEAD ++#endif + + ENTRY(_mcount) + BR_EX %r14 +@@ -34,9 +40,16 @@ ENTRY(ftrace_caller) + #ifndef CC_USING_HOTPATCH + aghi %r0,MCOUNT_RETURN_FIXUP + #endif +- aghi %r15,-STACK_FRAME_SIZE ++ # allocate stack frame for ftrace_caller to contain traced function ++ aghi %r15,-TRACED_FUNC_FRAME_SIZE + stg %r1,__SF_BACKCHAIN(%r15) ++ stg %r0,(__SF_GPRS+8*8)(%r15) ++ stg %r15,(__SF_GPRS+9*8)(%r15) ++ # allocate pt_regs and stack frame for ftrace_trace_function ++ aghi %r15,-STACK_FRAME_SIZE + stg %r1,(STACK_PTREGS_GPRS+15*8)(%r15) ++ aghi %r1,-TRACED_FUNC_FRAME_SIZE ++ stg %r1,__SF_BACKCHAIN(%r15) + stg %r0,(STACK_PTREGS_PSW+8)(%r15) + stmg %r2,%r14,(STACK_PTREGS_GPRS+2*8)(%r15) + #ifdef CONFIG_HAVE_MARCH_Z196_FEATURES +-- +2.20.1 + diff --git a/queue-4.4/scsi-aic7xxx-adjust-indentation-in-ahc_find_syncrate.patch b/queue-4.4/scsi-aic7xxx-adjust-indentation-in-ahc_find_syncrate.patch new file mode 100644 index 00000000000..1e3bce92a82 --- /dev/null +++ b/queue-4.4/scsi-aic7xxx-adjust-indentation-in-ahc_find_syncrate.patch @@ -0,0 +1,54 @@ +From af9298ab1865a18f411bb5e829a7249a2f47ea67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Dec 2019 18:42:20 -0700 +Subject: scsi: aic7xxx: Adjust indentation in ahc_find_syncrate + +From: Nathan Chancellor + +[ Upstream commit 4dbc96ad65c45cdd4e895ed7ae4c151b780790c5 ] + +Clang warns: + +../drivers/scsi/aic7xxx/aic7xxx_core.c:2317:5: warning: misleading +indentation; statement is not part of the previous 'if' +[-Wmisleading-indentation] + if ((syncrate->sxfr_u2 & ST_SXFR) != 0) + ^ +../drivers/scsi/aic7xxx/aic7xxx_core.c:2310:4: note: previous statement +is here + if (syncrate == &ahc_syncrates[maxsync]) + ^ +1 warning generated. + +This warning occurs because there is a space amongst the tabs on this +line. Remove it so that the indentation is consistent with the Linux kernel +coding style and clang no longer warns. + +This has been a problem since the beginning of git history hence no fixes +tag. + +Link: https://github.com/ClangBuiltLinux/linux/issues/817 +Link: https://lore.kernel.org/r/20191218014220.52746-1-natechancellor@gmail.com +Signed-off-by: Nathan Chancellor +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/aic7xxx/aic7xxx_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/aic7xxx/aic7xxx_core.c b/drivers/scsi/aic7xxx/aic7xxx_core.c +index 64ab9eaec428c..def3208dd2905 100644 +--- a/drivers/scsi/aic7xxx/aic7xxx_core.c ++++ b/drivers/scsi/aic7xxx/aic7xxx_core.c +@@ -2321,7 +2321,7 @@ ahc_find_syncrate(struct ahc_softc *ahc, u_int *period, + * At some speeds, we only support + * ST transfers. + */ +- if ((syncrate->sxfr_u2 & ST_SXFR) != 0) ++ if ((syncrate->sxfr_u2 & ST_SXFR) != 0) + *ppr_options &= ~MSG_EXT_PPR_DT_REQ; + break; + } +-- +2.20.1 + diff --git a/queue-4.4/scsi-iscsi-don-t-destroy-session-if-there-are-outsta.patch b/queue-4.4/scsi-iscsi-don-t-destroy-session-if-there-are-outsta.patch new file mode 100644 index 00000000000..61fddaffb14 --- /dev/null +++ b/queue-4.4/scsi-iscsi-don-t-destroy-session-if-there-are-outsta.patch @@ -0,0 +1,138 @@ +From 195c755e15e6d38a6f0f1bb380816cbc2143d0da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Dec 2019 15:31:48 -0500 +Subject: scsi: iscsi: Don't destroy session if there are outstanding + connections + +From: Nick Black + +[ Upstream commit 54155ed4199c7aa3fd20866648024ab63c96d579 ] + +A faulty userspace that calls destroy_session() before destroying the +connections can trigger the failure. This patch prevents the issue by +refusing to destroy the session if there are outstanding connections. + +------------[ cut here ]------------ +kernel BUG at mm/slub.c:306! +invalid opcode: 0000 [#1] SMP PTI +CPU: 1 PID: 1224 Comm: iscsid Not tainted 5.4.0-rc2.iscsi+ #7 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 +RIP: 0010:__slab_free+0x181/0x350 +[...] +[ 1209.686056] RSP: 0018:ffffa93d4074fae0 EFLAGS: 00010246 +[ 1209.686694] RAX: ffff934efa5ad800 RBX: 000000008010000a RCX: ffff934efa5ad800 +[ 1209.687651] RDX: ffff934efa5ad800 RSI: ffffeb4041e96b00 RDI: ffff934efd402c40 +[ 1209.688582] RBP: ffffa93d4074fb80 R08: 0000000000000001 R09: ffffffffbb5dfa26 +[ 1209.689425] R10: ffff934efa5ad800 R11: 0000000000000001 R12: ffffeb4041e96b00 +[ 1209.690285] R13: ffff934efa5ad800 R14: ffff934efd402c40 R15: 0000000000000000 +[ 1209.691213] FS: 00007f7945dfb540(0000) GS:ffff934efda80000(0000) knlGS:0000000000000000 +[ 1209.692316] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 1209.693013] CR2: 000055877fd3da80 CR3: 0000000077384000 CR4: 00000000000006e0 +[ 1209.693897] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 1209.694773] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 1209.695631] Call Trace: +[ 1209.695957] ? __wake_up_common_lock+0x8a/0xc0 +[ 1209.696712] iscsi_pool_free+0x26/0x40 +[ 1209.697263] iscsi_session_teardown+0x2f/0xf0 +[ 1209.698117] iscsi_sw_tcp_session_destroy+0x45/0x60 +[ 1209.698831] iscsi_if_rx+0xd88/0x14e0 +[ 1209.699370] netlink_unicast+0x16f/0x200 +[ 1209.699932] netlink_sendmsg+0x21a/0x3e0 +[ 1209.700446] sock_sendmsg+0x4f/0x60 +[ 1209.700902] ___sys_sendmsg+0x2ae/0x320 +[ 1209.701451] ? cp_new_stat+0x150/0x180 +[ 1209.701922] __sys_sendmsg+0x59/0xa0 +[ 1209.702357] do_syscall_64+0x52/0x160 +[ 1209.702812] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 1209.703419] RIP: 0033:0x7f7946433914 +[...] +[ 1209.706084] RSP: 002b:00007fffb99f2378 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +[ 1209.706994] RAX: ffffffffffffffda RBX: 000055bc869eac20 RCX: 00007f7946433914 +[ 1209.708082] RDX: 0000000000000000 RSI: 00007fffb99f2390 RDI: 0000000000000005 +[ 1209.709120] RBP: 00007fffb99f2390 R08: 000055bc84fe9320 R09: 00007fffb99f1f07 +[ 1209.710110] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000038 +[ 1209.711085] R13: 000055bc8502306e R14: 0000000000000000 R15: 0000000000000000 + Modules linked in: + ---[ end trace a2d933ede7f730d8 ]--- + +Link: https://lore.kernel.org/r/20191226203148.2172200-1-krisman@collabora.com +Signed-off-by: Nick Black +Co-developed-by: Salman Qazi +Signed-off-by: Salman Qazi +Co-developed-by: Junho Ryu +Signed-off-by: Junho Ryu +Co-developed-by: Khazhismel Kumykov +Signed-off-by: Khazhismel Kumykov +Co-developed-by: Gabriel Krisman Bertazi +Signed-off-by: Gabriel Krisman Bertazi +Reviewed-by: Lee Duncan +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/iscsi_tcp.c | 4 ++++ + drivers/scsi/scsi_transport_iscsi.c | 26 +++++++++++++++++++++++--- + 2 files changed, 27 insertions(+), 3 deletions(-) + +diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c +index fccb8991bd5b7..64a49dccb0b63 100644 +--- a/drivers/scsi/iscsi_tcp.c ++++ b/drivers/scsi/iscsi_tcp.c +@@ -872,6 +872,10 @@ free_host: + static void iscsi_sw_tcp_session_destroy(struct iscsi_cls_session *cls_session) + { + struct Scsi_Host *shost = iscsi_session_to_shost(cls_session); ++ struct iscsi_session *session = cls_session->dd_data; ++ ++ if (WARN_ON_ONCE(session->leadconn)) ++ return; + + iscsi_tcp_r2tpool_free(cls_session->dd_data); + iscsi_session_teardown(cls_session); +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c +index ab32e60736424..20cf01d6ded7e 100644 +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -2965,6 +2965,24 @@ iscsi_set_path(struct iscsi_transport *transport, struct iscsi_uevent *ev) + return err; + } + ++static int iscsi_session_has_conns(int sid) ++{ ++ struct iscsi_cls_conn *conn; ++ unsigned long flags; ++ int found = 0; ++ ++ spin_lock_irqsave(&connlock, flags); ++ list_for_each_entry(conn, &connlist, conn_list) { ++ if (iscsi_conn_get_sid(conn) == sid) { ++ found = 1; ++ break; ++ } ++ } ++ spin_unlock_irqrestore(&connlock, flags); ++ ++ return found; ++} ++ + static int + iscsi_set_iface_params(struct iscsi_transport *transport, + struct iscsi_uevent *ev, uint32_t len) +@@ -3539,10 +3557,12 @@ iscsi_if_recv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, uint32_t *group) + break; + case ISCSI_UEVENT_DESTROY_SESSION: + session = iscsi_session_lookup(ev->u.d_session.sid); +- if (session) +- transport->destroy_session(session); +- else ++ if (!session) + err = -EINVAL; ++ else if (iscsi_session_has_conns(ev->u.d_session.sid)) ++ err = -EBUSY; ++ else ++ transport->destroy_session(session); + break; + case ISCSI_UEVENT_UNBIND_SESSION: + session = iscsi_session_lookup(ev->u.d_session.sid); +-- +2.20.1 + diff --git a/queue-4.4/selinux-ensure-we-cleanup-the-internal-avc-counters-.patch b/queue-4.4/selinux-ensure-we-cleanup-the-internal-avc-counters-.patch new file mode 100644 index 00000000000..131b860bb1c --- /dev/null +++ b/queue-4.4/selinux-ensure-we-cleanup-the-internal-avc-counters-.patch @@ -0,0 +1,40 @@ +From 50c078a8b1b5c4798d9dc4f178da68aa96e386f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Dec 2019 17:25:47 +0530 +Subject: selinux: ensure we cleanup the internal AVC counters on error in + avc_update() + +From: Jaihind Yadav + +[ Upstream commit 030b995ad9ece9fa2d218af4429c1c78c2342096 ] + +In AVC update we don't call avc_node_kill() when avc_xperms_populate() +fails, resulting in the avc->avc_cache.active_nodes counter having a +false value. In last patch this changes was missed , so correcting it. + +Fixes: fa1aa143ac4a ("selinux: extended permissions for ioctls") +Signed-off-by: Jaihind Yadav +Signed-off-by: Ravi Kumar Siddojigari +[PM: merge fuzz, minor description cleanup] +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + security/selinux/avc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/security/selinux/avc.c b/security/selinux/avc.c +index 52f3c550abcc4..f3c473791b698 100644 +--- a/security/selinux/avc.c ++++ b/security/selinux/avc.c +@@ -865,7 +865,7 @@ static int avc_update_node(u32 event, u32 perms, u8 driver, u8 xperm, u32 ssid, + if (orig->ae.xp_node) { + rc = avc_xperms_populate(node, orig->ae.xp_node); + if (rc) { +- kmem_cache_free(avc_node_cachep, node); ++ avc_node_kill(node); + goto out_unlock; + } + } +-- +2.20.1 + diff --git a/queue-4.4/series b/queue-4.4/series index bcf7921d2af..52b3ce76d83 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -11,3 +11,71 @@ jbd2-do-not-clear-the-bh_mapped-flag-when-forgetting.patch btrfs-print-message-when-tree-log-replay-starts.patch scsi-qla2xxx-fix-a-potential-null-pointer-dereference.patch revert-kvm-vmx-add-non-canonical-check-on-writes-to-.patch +drm-gma500-fixup-fbdev-stolen-size-usage-evaluation.patch +nfsd4-avoid-null-deference-on-strange-copy-compounds.patch +brcmfmac-fix-use-after-free-in-brcmf_sdio_readframes.patch +gianfar-fix-tx-timestamping-with-a-stacked-dsa-drive.patch +pinctrl-sh-pfc-sh7264-fix-can-function-gpios.patch +media-i2c-mt9v032-fix-enum-mbus-codes-and-frame-size.patch +media-sti-bdisp-fix-a-possible-sleep-in-atomic-conte.patch +efi-x86-map-the-entire-efi-vendor-string-before-copy.patch +mips-loongson-fix-potential-null-dereference-in-loon.patch +uio-fix-a-sleep-in-atomic-context-bug-in-uio_dmem_ge.patch +usb-gadget-udc-fix-possible-sleep-in-atomic-context-.patch +nfs-nfs_swap-should-depend-on-swap.patch +jbd2-clear-jbd2_abort-flag-before-journal_reset-to-u.patch +tracing-fix-very-unlikely-race-of-registering-two-st.patch +ext4-jbd2-ensure-panic-when-aborting-with-zero-errno.patch +kconfig-fix-broken-dependency-in-randconfig-generate.patch +clk-qcom-rcg2-don-t-crash-if-our-parent-can-t-be-fou.patch +drm-amdgpu-remove-4-set-but-not-used-variable-in-amd.patch +regulator-rk808-lower-log-level-on-optional-gpios-be.patch +nfc-port100-convert-cpu_to_le16-le16_to_cpu-e1-e2-to.patch +padata-always-acquire-cpu_hotplug_lock-before-pinst-.patch +reiserfs-fix-spurious-unlock-in-reiserfs_fill_super-.patch +isdn-don-t-mark-kcapi_proc_exit-as-__exit.patch +alsa-usx2y-adjust-indentation-in-snd_usx2y_hwdep_dsp.patch +b43legacy-fix-wcast-function-type.patch +ipw2x00-fix-wcast-function-type.patch +iwlegacy-fix-wcast-function-type.patch +rtlwifi-rtl_pci-fix-wcast-function-type.patch +orinoco-avoid-assertion-in-case-of-null-pointer.patch +acpica-disassembler-create-buffer-fields-in-acpi_par.patch +scsi-aic7xxx-adjust-indentation-in-ahc_find_syncrate.patch +arm-dts-r8a7779-add-device-node-for-arm-global-timer.patch +x86-vdso-provide-missing-include-file.patch +pinctrl-sh-pfc-sh7269-fix-can-function-gpios.patch +alsa-sh-fix-compile-warning-wrt-const.patch +tools-lib-api-fs-fix-gcc9-stringop-truncation-compil.patch +usbip-fix-unsafe-unaligned-pointer-usage.patch +soc-tegra-fuse-correct-straps-address-for-older-tegr.patch +rcu-use-write_once-for-assignments-to-pprev-for-hlis.patch +input-edt-ft5x06-work-around-first-register-access-e.patch +wan-ixp4xx_hss-fix-compile-testing-on-64-bit.patch +asoc-atmel-fix-build-error-with-config_snd_atmel_soc.patch +pci-don-t-disable-bridge-bars-when-assigning-bus-res.patch +driver-core-print-device-when-resources-present-in-r.patch +drm-nouveau-fix-copy-paste-error-in-nouveau_fence_wa.patch +drm-vmwgfx-prevent-memory-leak-in-vmw_cmdbuf_res_add.patch +iommu-arm-smmu-v3-use-write_once-when-changing-valid.patch +scsi-iscsi-don-t-destroy-session-if-there-are-outsta.patch +cmd64x-potential-buffer-overflow-in-cmd64x_program_t.patch +ide-serverworks-potential-overflow-in-svwks_set_pio_.patch +remoteproc-initialize-rproc_class-before-use.patch +s390-ftrace-generate-traced-function-stack-frame.patch +alsa-hda-add-docking-station-support-for-lenovo-thin.patch +jbd2-switch-to-use-jbd2_journal_abort-when-failed-to.patch +arm-8951-1-fix-kexec-compilation-issue.patch +hostap-adjust-indentation-in-prism2_hostapd_add_sta.patch +iwlegacy-ensure-loop-counter-addr-does-not-wrap-and-.patch +drm-nouveau-disp-nv50-prevent-oops-when-no-channel-m.patch +trigger_next-should-increase-position-index.patch +radeon-insert-10ms-sleep-in-dce5_crtc_load_lut.patch +ocfs2-fix-a-null-pointer-dereference-when-call-ocfs2.patch +lib-scatterlist.c-adjust-indentation-in-__sg_alloc_t.patch +reiserfs-prevent-null-pointer-dereference-in-reiserf.patch +bcache-explicity-type-cast-in-bset_bkey_last.patch +irqchip-gic-v3-its-reference-to-its_invall_cmd-descr.patch +microblaze-prevent-the-overflow-of-the-start.patch +brd-check-and-limit-max_part-par.patch +selinux-ensure-we-cleanup-the-internal-avc-counters-.patch diff --git a/queue-4.4/soc-tegra-fuse-correct-straps-address-for-older-tegr.patch b/queue-4.4/soc-tegra-fuse-correct-straps-address-for-older-tegr.patch new file mode 100644 index 00000000000..51b5734a656 --- /dev/null +++ b/queue-4.4/soc-tegra-fuse-correct-straps-address-for-older-tegr.patch @@ -0,0 +1,38 @@ +From a44f86232f7a43b72bd547b02ec83d92eda10f33 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Dec 2019 21:23:03 +0300 +Subject: soc/tegra: fuse: Correct straps' address for older Tegra124 device + trees + +From: Dmitry Osipenko + +[ Upstream commit 2d9ea1934f8ef0dfb862d103389562cc28b4fc03 ] + +Trying to read out Chip ID before APBMISC registers are mapped won't +succeed, in a result Tegra124 gets a wrong address for the HW straps +register if machine uses an old outdated device tree. + +Fixes: 297c4f3dcbff ("soc/tegra: fuse: Restrict legacy code to 32-bit ARM") +Signed-off-by: Dmitry Osipenko +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/soc/tegra/fuse/tegra-apbmisc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soc/tegra/fuse/tegra-apbmisc.c b/drivers/soc/tegra/fuse/tegra-apbmisc.c +index 5b18f6ffa45c7..cd61c883c19f5 100644 +--- a/drivers/soc/tegra/fuse/tegra-apbmisc.c ++++ b/drivers/soc/tegra/fuse/tegra-apbmisc.c +@@ -134,7 +134,7 @@ void __init tegra_init_apbmisc(void) + apbmisc.flags = IORESOURCE_MEM; + + /* strapping options */ +- if (tegra_get_chip_id() == TEGRA124) { ++ if (of_machine_is_compatible("nvidia,tegra124")) { + straps.start = 0x7000e864; + straps.end = 0x7000e867; + } else { +-- +2.20.1 + diff --git a/queue-4.4/tools-lib-api-fs-fix-gcc9-stringop-truncation-compil.patch b/queue-4.4/tools-lib-api-fs-fix-gcc9-stringop-truncation-compil.patch new file mode 100644 index 00000000000..ebcacead346 --- /dev/null +++ b/queue-4.4/tools-lib-api-fs-fix-gcc9-stringop-truncation-compil.patch @@ -0,0 +1,67 @@ +From 63eeab91223a6a28d6e497c799290b7e74bd6947 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2019 08:01:09 +0000 +Subject: tools lib api fs: Fix gcc9 stringop-truncation compilation error + +From: Andrey Zhizhikin + +[ Upstream commit 6794200fa3c9c3e6759dae099145f23e4310f4f7 ] + +GCC9 introduced string hardening mechanisms, which exhibits the error +during fs api compilation: + +error: '__builtin_strncpy' specified bound 4096 equals destination size +[-Werror=stringop-truncation] + +This comes when the length of copy passed to strncpy is is equal to +destination size, which could potentially lead to buffer overflow. + +There is a need to mitigate this potential issue by limiting the size of +destination by 1 and explicitly terminate the destination with NULL. + +Signed-off-by: Andrey Zhizhikin +Reviewed-by: Petr Mladek +Acked-by: Jiri Olsa +Cc: Alexei Starovoitov +Cc: Andrii Nakryiko +Cc: Daniel Borkmann +Cc: Kefeng Wang +Cc: Martin KaFai Lau +Cc: Petr Mladek +Cc: Sergey Senozhatsky +Cc: Song Liu +Cc: Yonghong Song +Cc: bpf@vger.kernel.org +Cc: netdev@vger.kernel.org +Link: http://lore.kernel.org/lkml/20191211080109.18765-1-andrey.zhizhikin@leica-geosystems.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/lib/api/fs/fs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tools/lib/api/fs/fs.c b/tools/lib/api/fs/fs.c +index 459599d1b6c41..58f05748dd39e 100644 +--- a/tools/lib/api/fs/fs.c ++++ b/tools/lib/api/fs/fs.c +@@ -179,6 +179,7 @@ static bool fs__env_override(struct fs *fs) + size_t name_len = strlen(fs->name); + /* name + "_PATH" + '\0' */ + char upper_name[name_len + 5 + 1]; ++ + memcpy(upper_name, fs->name, name_len); + mem_toupper(upper_name, name_len); + strcpy(&upper_name[name_len], "_PATH"); +@@ -188,7 +189,8 @@ static bool fs__env_override(struct fs *fs) + return false; + + fs->found = true; +- strncpy(fs->path, override_path, sizeof(fs->path)); ++ strncpy(fs->path, override_path, sizeof(fs->path) - 1); ++ fs->path[sizeof(fs->path) - 1] = '\0'; + return true; + } + +-- +2.20.1 + diff --git a/queue-4.4/tracing-fix-very-unlikely-race-of-registering-two-st.patch b/queue-4.4/tracing-fix-very-unlikely-race-of-registering-two-st.patch new file mode 100644 index 00000000000..2f4530304ba --- /dev/null +++ b/queue-4.4/tracing-fix-very-unlikely-race-of-registering-two-st.patch @@ -0,0 +1,87 @@ +From 00be0564d3ae6fc1b185c63b6c7df911fe15755f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jan 2020 17:47:49 -0500 +Subject: tracing: Fix very unlikely race of registering two stat tracers + +From: Steven Rostedt (VMware) + +[ Upstream commit dfb6cd1e654315168e36d947471bd2a0ccd834ae ] + +Looking through old emails in my INBOX, I came across a patch from Luis +Henriques that attempted to fix a race of two stat tracers registering the +same stat trace (extremely unlikely, as this is done in the kernel, and +probably doesn't even exist). The submitted patch wasn't quite right as it +needed to deal with clean up a bit better (if two stat tracers were the +same, it would have the same files). + +But to make the code cleaner, all we needed to do is to keep the +all_stat_sessions_mutex held for most of the registering function. + +Link: http://lkml.kernel.org/r/1410299375-20068-1-git-send-email-luis.henriques@canonical.com + +Fixes: 002bb86d8d42f ("tracing/ftrace: separate events tracing and stats tracing engine") +Reported-by: Luis Henriques +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_stat.c | 19 +++++++++---------- + 1 file changed, 9 insertions(+), 10 deletions(-) + +diff --git a/kernel/trace/trace_stat.c b/kernel/trace/trace_stat.c +index 6cf9353167696..a2081a7f0c2cd 100644 +--- a/kernel/trace/trace_stat.c ++++ b/kernel/trace/trace_stat.c +@@ -302,7 +302,7 @@ static int init_stat_file(struct stat_session *session) + int register_stat_tracer(struct tracer_stat *trace) + { + struct stat_session *session, *node; +- int ret; ++ int ret = -EINVAL; + + if (!trace) + return -EINVAL; +@@ -313,17 +313,15 @@ int register_stat_tracer(struct tracer_stat *trace) + /* Already registered? */ + mutex_lock(&all_stat_sessions_mutex); + list_for_each_entry(node, &all_stat_sessions, session_list) { +- if (node->ts == trace) { +- mutex_unlock(&all_stat_sessions_mutex); +- return -EINVAL; +- } ++ if (node->ts == trace) ++ goto out; + } +- mutex_unlock(&all_stat_sessions_mutex); + ++ ret = -ENOMEM; + /* Init the session */ + session = kzalloc(sizeof(*session), GFP_KERNEL); + if (!session) +- return -ENOMEM; ++ goto out; + + session->ts = trace; + INIT_LIST_HEAD(&session->session_list); +@@ -332,15 +330,16 @@ int register_stat_tracer(struct tracer_stat *trace) + ret = init_stat_file(session); + if (ret) { + destroy_session(session); +- return ret; ++ goto out; + } + ++ ret = 0; + /* Register */ +- mutex_lock(&all_stat_sessions_mutex); + list_add_tail(&session->session_list, &all_stat_sessions); ++ out: + mutex_unlock(&all_stat_sessions_mutex); + +- return 0; ++ return ret; + } + + void unregister_stat_tracer(struct tracer_stat *trace) +-- +2.20.1 + diff --git a/queue-4.4/trigger_next-should-increase-position-index.patch b/queue-4.4/trigger_next-should-increase-position-index.patch new file mode 100644 index 00000000000..3d35a8da75a --- /dev/null +++ b/queue-4.4/trigger_next-should-increase-position-index.patch @@ -0,0 +1,64 @@ +From 640e84aa241d66a4578e5c6ecfd4e190716f4ea5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jan 2020 10:03:06 +0300 +Subject: trigger_next should increase position index + +From: Vasily Averin + +[ Upstream commit 6722b23e7a2ace078344064a9735fb73e554e9ef ] + +if seq_file .next fuction does not change position index, +read after some lseek can generate unexpected output. + +Without patch: + # dd bs=30 skip=1 if=/sys/kernel/tracing/events/sched/sched_switch/trigger + dd: /sys/kernel/tracing/events/sched/sched_switch/trigger: cannot skip to specified offset + n traceoff snapshot stacktrace enable_event disable_event enable_hist disable_hist hist + # Available triggers: + # traceon traceoff snapshot stacktrace enable_event disable_event enable_hist disable_hist hist + 6+1 records in + 6+1 records out + 206 bytes copied, 0.00027916 s, 738 kB/s + +Notice the printing of "# Available triggers:..." after the line. + +With the patch: + # dd bs=30 skip=1 if=/sys/kernel/tracing/events/sched/sched_switch/trigger + dd: /sys/kernel/tracing/events/sched/sched_switch/trigger: cannot skip to specified offset + n traceoff snapshot stacktrace enable_event disable_event enable_hist disable_hist hist + 2+1 records in + 2+1 records out + 88 bytes copied, 0.000526867 s, 167 kB/s + +It only prints the end of the file, and does not restart. + +Link: http://lkml.kernel.org/r/3c35ee24-dd3a-8119-9c19-552ed253388a@virtuozzo.com + +https://bugzilla.kernel.org/show_bug.cgi?id=206283 +Signed-off-by: Vasily Averin +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_events_trigger.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/kernel/trace/trace_events_trigger.c b/kernel/trace/trace_events_trigger.c +index 8be66a2b0cacf..6524920c6ebc8 100644 +--- a/kernel/trace/trace_events_trigger.c ++++ b/kernel/trace/trace_events_trigger.c +@@ -121,9 +121,10 @@ static void *trigger_next(struct seq_file *m, void *t, loff_t *pos) + { + struct trace_event_file *event_file = event_file_data(m->private); + +- if (t == SHOW_AVAILABLE_TRIGGERS) ++ if (t == SHOW_AVAILABLE_TRIGGERS) { ++ (*pos)++; + return NULL; +- ++ } + return seq_list_next(t, &event_file->triggers, pos); + } + +-- +2.20.1 + diff --git a/queue-4.4/uio-fix-a-sleep-in-atomic-context-bug-in-uio_dmem_ge.patch b/queue-4.4/uio-fix-a-sleep-in-atomic-context-bug-in-uio_dmem_ge.patch new file mode 100644 index 00000000000..1c50cadef88 --- /dev/null +++ b/queue-4.4/uio-fix-a-sleep-in-atomic-context-bug-in-uio_dmem_ge.patch @@ -0,0 +1,57 @@ +From 6b56c73f953c2d03d3d0058bd0a6a1227c3156d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Dec 2019 17:44:05 +0800 +Subject: uio: fix a sleep-in-atomic-context bug in + uio_dmem_genirq_irqcontrol() + +From: Jia-Ju Bai + +[ Upstream commit b74351287d4bd90636c3f48bc188c2f53824c2d4 ] + +The driver may sleep while holding a spinlock. +The function call path (from bottom to top) in Linux 4.19 is: + +kernel/irq/manage.c, 523: + synchronize_irq in disable_irq +drivers/uio/uio_dmem_genirq.c, 140: + disable_irq in uio_dmem_genirq_irqcontrol +drivers/uio/uio_dmem_genirq.c, 134: + _raw_spin_lock_irqsave in uio_dmem_genirq_irqcontrol + +synchronize_irq() can sleep at runtime. + +To fix this bug, disable_irq() is called without holding the spinlock. + +This bug is found by a static analysis tool STCheck written by myself. + +Signed-off-by: Jia-Ju Bai +Link: https://lore.kernel.org/r/20191218094405.6009-1-baijiaju1990@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/uio/uio_dmem_genirq.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/uio/uio_dmem_genirq.c b/drivers/uio/uio_dmem_genirq.c +index e1134a4d97f3f..a00b4aee6c799 100644 +--- a/drivers/uio/uio_dmem_genirq.c ++++ b/drivers/uio/uio_dmem_genirq.c +@@ -135,11 +135,13 @@ static int uio_dmem_genirq_irqcontrol(struct uio_info *dev_info, s32 irq_on) + if (irq_on) { + if (test_and_clear_bit(0, &priv->flags)) + enable_irq(dev_info->irq); ++ spin_unlock_irqrestore(&priv->lock, flags); + } else { +- if (!test_and_set_bit(0, &priv->flags)) ++ if (!test_and_set_bit(0, &priv->flags)) { ++ spin_unlock_irqrestore(&priv->lock, flags); + disable_irq(dev_info->irq); ++ } + } +- spin_unlock_irqrestore(&priv->lock, flags); + + return 0; + } +-- +2.20.1 + diff --git a/queue-4.4/usb-gadget-udc-fix-possible-sleep-in-atomic-context-.patch b/queue-4.4/usb-gadget-udc-fix-possible-sleep-in-atomic-context-.patch new file mode 100644 index 00000000000..ff1ac4c5bf6 --- /dev/null +++ b/queue-4.4/usb-gadget-udc-fix-possible-sleep-in-atomic-context-.patch @@ -0,0 +1,111 @@ +From 7a1d568920ab7377d38933a8f898d5b8d80e55a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Dec 2019 11:43:49 +0800 +Subject: usb: gadget: udc: fix possible sleep-in-atomic-context bugs in + gr_probe() + +From: Jia-Ju Bai + +[ Upstream commit 9c1ed62ae0690dfe5d5e31d8f70e70a95cb48e52 ] + +The driver may sleep while holding a spinlock. +The function call path (from bottom to top) in Linux 4.19 is: + +drivers/usb/gadget/udc/core.c, 1175: + kzalloc(GFP_KERNEL) in usb_add_gadget_udc_release +drivers/usb/gadget/udc/core.c, 1272: + usb_add_gadget_udc_release in usb_add_gadget_udc +drivers/usb/gadget/udc/gr_udc.c, 2186: + usb_add_gadget_udc in gr_probe +drivers/usb/gadget/udc/gr_udc.c, 2183: + spin_lock in gr_probe + +drivers/usb/gadget/udc/core.c, 1195: + mutex_lock in usb_add_gadget_udc_release +drivers/usb/gadget/udc/core.c, 1272: + usb_add_gadget_udc_release in usb_add_gadget_udc +drivers/usb/gadget/udc/gr_udc.c, 2186: + usb_add_gadget_udc in gr_probe +drivers/usb/gadget/udc/gr_udc.c, 2183: + spin_lock in gr_probe + +drivers/usb/gadget/udc/gr_udc.c, 212: + debugfs_create_file in gr_probe +drivers/usb/gadget/udc/gr_udc.c, 2197: + gr_dfs_create in gr_probe +drivers/usb/gadget/udc/gr_udc.c, 2183: + spin_lock in gr_probe + +drivers/usb/gadget/udc/gr_udc.c, 2114: + devm_request_threaded_irq in gr_request_irq +drivers/usb/gadget/udc/gr_udc.c, 2202: + gr_request_irq in gr_probe +drivers/usb/gadget/udc/gr_udc.c, 2183: + spin_lock in gr_probe + +kzalloc(GFP_KERNEL), mutex_lock(), debugfs_create_file() and +devm_request_threaded_irq() can sleep at runtime. + +To fix these possible bugs, usb_add_gadget_udc(), gr_dfs_create() and +gr_request_irq() are called without handling the spinlock. + +These bugs are found by a static analysis tool STCheck written by myself. + +Signed-off-by: Jia-Ju Bai +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/gr_udc.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/drivers/usb/gadget/udc/gr_udc.c b/drivers/usb/gadget/udc/gr_udc.c +index b9429bc425116..594639e5cbf82 100644 +--- a/drivers/usb/gadget/udc/gr_udc.c ++++ b/drivers/usb/gadget/udc/gr_udc.c +@@ -2201,8 +2201,6 @@ static int gr_probe(struct platform_device *pdev) + return -ENOMEM; + } + +- spin_lock(&dev->lock); +- + /* Inside lock so that no gadget can use this udc until probe is done */ + retval = usb_add_gadget_udc(dev->dev, &dev->gadget); + if (retval) { +@@ -2211,15 +2209,21 @@ static int gr_probe(struct platform_device *pdev) + } + dev->added = 1; + ++ spin_lock(&dev->lock); ++ + retval = gr_udc_init(dev); +- if (retval) ++ if (retval) { ++ spin_unlock(&dev->lock); + goto out; +- +- gr_dfs_create(dev); ++ } + + /* Clear all interrupt enables that might be left on since last boot */ + gr_disable_interrupts_and_pullup(dev); + ++ spin_unlock(&dev->lock); ++ ++ gr_dfs_create(dev); ++ + retval = gr_request_irq(dev, dev->irq); + if (retval) { + dev_err(dev->dev, "Failed to request irq %d\n", dev->irq); +@@ -2248,8 +2252,6 @@ static int gr_probe(struct platform_device *pdev) + dev_info(dev->dev, "regs: %p, irq %d\n", dev->regs, dev->irq); + + out: +- spin_unlock(&dev->lock); +- + if (retval) + gr_remove(pdev); + +-- +2.20.1 + diff --git a/queue-4.4/usbip-fix-unsafe-unaligned-pointer-usage.patch b/queue-4.4/usbip-fix-unsafe-unaligned-pointer-usage.patch new file mode 100644 index 00000000000..4f2ed37eead --- /dev/null +++ b/queue-4.4/usbip-fix-unsafe-unaligned-pointer-usage.patch @@ -0,0 +1,156 @@ +From af02c3b9fa23c95432b022b162a1e8de0483e52c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jan 2020 18:24:16 -0700 +Subject: usbip: Fix unsafe unaligned pointer usage +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Shuah Khan + +[ Upstream commit 585c91f40d201bc564d4e76b83c05b3b5363fe7e ] + +Fix unsafe unaligned pointer usage in usbip network interfaces. usbip tool +build fails with new gcc -Werror=address-of-packed-member checks. + +usbip_network.c: In function ‘usbip_net_pack_usb_device’: +usbip_network.c:79:32: error: taking address of packed member of ‘struct usbip_usb_device’ may result in an unaligned pointer value [-Werror=address-of-packed-member] + 79 | usbip_net_pack_uint32_t(pack, &udev->busnum); + +Fix with minor changes to pass by value instead of by address. + +Signed-off-by: Shuah Khan +Link: https://lore.kernel.org/r/20200109012416.2875-1-skhan@linuxfoundation.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + tools/usb/usbip/src/usbip_network.c | 40 +++++++++++++++++------------ + tools/usb/usbip/src/usbip_network.h | 12 +++------ + 2 files changed, 27 insertions(+), 25 deletions(-) + +diff --git a/tools/usb/usbip/src/usbip_network.c b/tools/usb/usbip/src/usbip_network.c +index b4c37e76a6e08..187dfaa67d0a2 100644 +--- a/tools/usb/usbip/src/usbip_network.c ++++ b/tools/usb/usbip/src/usbip_network.c +@@ -62,39 +62,39 @@ void usbip_setup_port_number(char *arg) + info("using port %d (\"%s\")", usbip_port, usbip_port_string); + } + +-void usbip_net_pack_uint32_t(int pack, uint32_t *num) ++uint32_t usbip_net_pack_uint32_t(int pack, uint32_t num) + { + uint32_t i; + + if (pack) +- i = htonl(*num); ++ i = htonl(num); + else +- i = ntohl(*num); ++ i = ntohl(num); + +- *num = i; ++ return i; + } + +-void usbip_net_pack_uint16_t(int pack, uint16_t *num) ++uint16_t usbip_net_pack_uint16_t(int pack, uint16_t num) + { + uint16_t i; + + if (pack) +- i = htons(*num); ++ i = htons(num); + else +- i = ntohs(*num); ++ i = ntohs(num); + +- *num = i; ++ return i; + } + + void usbip_net_pack_usb_device(int pack, struct usbip_usb_device *udev) + { +- usbip_net_pack_uint32_t(pack, &udev->busnum); +- usbip_net_pack_uint32_t(pack, &udev->devnum); +- usbip_net_pack_uint32_t(pack, &udev->speed); ++ udev->busnum = usbip_net_pack_uint32_t(pack, udev->busnum); ++ udev->devnum = usbip_net_pack_uint32_t(pack, udev->devnum); ++ udev->speed = usbip_net_pack_uint32_t(pack, udev->speed); + +- usbip_net_pack_uint16_t(pack, &udev->idVendor); +- usbip_net_pack_uint16_t(pack, &udev->idProduct); +- usbip_net_pack_uint16_t(pack, &udev->bcdDevice); ++ udev->idVendor = usbip_net_pack_uint16_t(pack, udev->idVendor); ++ udev->idProduct = usbip_net_pack_uint16_t(pack, udev->idProduct); ++ udev->bcdDevice = usbip_net_pack_uint16_t(pack, udev->bcdDevice); + } + + void usbip_net_pack_usb_interface(int pack __attribute__((unused)), +@@ -141,6 +141,14 @@ ssize_t usbip_net_send(int sockfd, void *buff, size_t bufflen) + return usbip_net_xmit(sockfd, buff, bufflen, 1); + } + ++static inline void usbip_net_pack_op_common(int pack, ++ struct op_common *op_common) ++{ ++ op_common->version = usbip_net_pack_uint16_t(pack, op_common->version); ++ op_common->code = usbip_net_pack_uint16_t(pack, op_common->code); ++ op_common->status = usbip_net_pack_uint32_t(pack, op_common->status); ++} ++ + int usbip_net_send_op_common(int sockfd, uint32_t code, uint32_t status) + { + struct op_common op_common; +@@ -152,7 +160,7 @@ int usbip_net_send_op_common(int sockfd, uint32_t code, uint32_t status) + op_common.code = code; + op_common.status = status; + +- PACK_OP_COMMON(1, &op_common); ++ usbip_net_pack_op_common(1, &op_common); + + rc = usbip_net_send(sockfd, &op_common, sizeof(op_common)); + if (rc < 0) { +@@ -176,7 +184,7 @@ int usbip_net_recv_op_common(int sockfd, uint16_t *code) + goto err; + } + +- PACK_OP_COMMON(0, &op_common); ++ usbip_net_pack_op_common(0, &op_common); + + if (op_common.version != USBIP_VERSION) { + dbg("version mismatch: %d %d", op_common.version, +diff --git a/tools/usb/usbip/src/usbip_network.h b/tools/usb/usbip/src/usbip_network.h +index c1e875cf1078c..573fa839b66b7 100644 +--- a/tools/usb/usbip/src/usbip_network.h ++++ b/tools/usb/usbip/src/usbip_network.h +@@ -33,12 +33,6 @@ struct op_common { + + } __attribute__((packed)); + +-#define PACK_OP_COMMON(pack, op_common) do {\ +- usbip_net_pack_uint16_t(pack, &(op_common)->version);\ +- usbip_net_pack_uint16_t(pack, &(op_common)->code);\ +- usbip_net_pack_uint32_t(pack, &(op_common)->status);\ +-} while (0) +- + /* ---------------------------------------------------------------------- */ + /* Dummy Code */ + #define OP_UNSPEC 0x00 +@@ -164,11 +158,11 @@ struct op_devlist_reply_extra { + } while (0) + + #define PACK_OP_DEVLIST_REPLY(pack, reply) do {\ +- usbip_net_pack_uint32_t(pack, &(reply)->ndev);\ ++ (reply)->ndev = usbip_net_pack_uint32_t(pack, (reply)->ndev);\ + } while (0) + +-void usbip_net_pack_uint32_t(int pack, uint32_t *num); +-void usbip_net_pack_uint16_t(int pack, uint16_t *num); ++uint32_t usbip_net_pack_uint32_t(int pack, uint32_t num); ++uint16_t usbip_net_pack_uint16_t(int pack, uint16_t num); + void usbip_net_pack_usb_device(int pack, struct usbip_usb_device *udev); + void usbip_net_pack_usb_interface(int pack, struct usbip_usb_interface *uinf); + +-- +2.20.1 + diff --git a/queue-4.4/wan-ixp4xx_hss-fix-compile-testing-on-64-bit.patch b/queue-4.4/wan-ixp4xx_hss-fix-compile-testing-on-64-bit.patch new file mode 100644 index 00000000000..37fa6f3acba --- /dev/null +++ b/queue-4.4/wan-ixp4xx_hss-fix-compile-testing-on-64-bit.patch @@ -0,0 +1,55 @@ +From 9621097375b077c3b6f754e4c1c98465aad3d94a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Jan 2020 13:04:42 +0100 +Subject: wan: ixp4xx_hss: fix compile-testing on 64-bit + +From: Arnd Bergmann + +[ Upstream commit 504c28c853ec5c626900b914b5833daf0581a344 ] + +Change the driver to use portable integer types to avoid +warnings during compile testing: + +drivers/net/wan/ixp4xx_hss.c:863:21: error: cast to 'u32 *' (aka 'unsigned int *') from smaller integer type 'int' [-Werror,-Wint-to-pointer-cast] + memcpy_swab32(mem, (u32 *)((int)skb->data & ~3), bytes / 4); + ^ +drivers/net/wan/ixp4xx_hss.c:979:12: error: incompatible pointer types passing 'u32 *' (aka 'unsigned int *') to parameter of type 'dma_addr_t *' (aka 'unsigned long long *') [-Werror,-Wincompatible-pointer-types] + &port->desc_tab_phys))) + ^~~~~~~~~~~~~~~~~~~~ +include/linux/dmapool.h:27:20: note: passing argument to parameter 'handle' here + dma_addr_t *handle); + ^ + +Signed-off-by: Arnd Bergmann +Signed-off-by: Linus Walleij +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/wan/ixp4xx_hss.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wan/ixp4xx_hss.c b/drivers/net/wan/ixp4xx_hss.c +index e7bbdb7af53ac..97968e6a6a4eb 100644 +--- a/drivers/net/wan/ixp4xx_hss.c ++++ b/drivers/net/wan/ixp4xx_hss.c +@@ -261,7 +261,7 @@ struct port { + struct hss_plat_info *plat; + buffer_t *rx_buff_tab[RX_DESCS], *tx_buff_tab[TX_DESCS]; + struct desc *desc_tab; /* coherent */ +- u32 desc_tab_phys; ++ dma_addr_t desc_tab_phys; + unsigned int id; + unsigned int clock_type, clock_rate, loopback; + unsigned int initialized, carrier; +@@ -861,7 +861,7 @@ static int hss_hdlc_xmit(struct sk_buff *skb, struct net_device *dev) + dev->stats.tx_dropped++; + return NETDEV_TX_OK; + } +- memcpy_swab32(mem, (u32 *)((int)skb->data & ~3), bytes / 4); ++ memcpy_swab32(mem, (u32 *)((uintptr_t)skb->data & ~3), bytes / 4); + dev_kfree_skb(skb); + #endif + +-- +2.20.1 + diff --git a/queue-4.4/x86-vdso-provide-missing-include-file.patch b/queue-4.4/x86-vdso-provide-missing-include-file.patch new file mode 100644 index 00000000000..688b00f2f47 --- /dev/null +++ b/queue-4.4/x86-vdso-provide-missing-include-file.patch @@ -0,0 +1,47 @@ +From 487a52717027317f1edb9096a081345846c6fa08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Dec 2019 21:36:07 -0500 +Subject: x86/vdso: Provide missing include file +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Valdis Klētnieks + +[ Upstream commit bff47c2302cc249bcd550b17067f8dddbd4b6f77 ] + +When building with C=1, sparse issues a warning: + + CHECK arch/x86/entry/vdso/vdso32-setup.c + arch/x86/entry/vdso/vdso32-setup.c:28:28: warning: symbol 'vdso32_enabled' was not declared. Should it be static? + +Provide the missing header file. + +Signed-off-by: Valdis Kletnieks +Signed-off-by: Borislav Petkov +Cc: "H. Peter Anvin" +Cc: Andy Lutomirski +Cc: Ingo Molnar +Cc: Thomas Gleixner +Cc: x86-ml +Link: https://lkml.kernel.org/r/36224.1575599767@turing-police +Signed-off-by: Sasha Levin +--- + arch/x86/entry/vdso/vdso32-setup.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/entry/vdso/vdso32-setup.c b/arch/x86/entry/vdso/vdso32-setup.c +index 3f9d1a83891ad..50c1f77cab150 100644 +--- a/arch/x86/entry/vdso/vdso32-setup.c ++++ b/arch/x86/entry/vdso/vdso32-setup.c +@@ -10,6 +10,7 @@ + #include + #include + #include ++#include + + #include + #include +-- +2.20.1 +