From: Sasha Levin Date: Fri, 21 Feb 2020 01:26:59 +0000 (-0500) Subject: fixes for 4.9 X-Git-Tag: v4.19.106~15 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=eadec4a9799ccafbc438e93b3c66a8dbf2872763;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.9 Signed-off-by: Sasha Levin --- diff --git a/queue-4.9/acpica-disassembler-create-buffer-fields-in-acpi_par.patch b/queue-4.9/acpica-disassembler-create-buffer-fields-in-acpi_par.patch new file mode 100644 index 00000000000..dff566e9550 --- /dev/null +++ b/queue-4.9/acpica-disassembler-create-buffer-fields-in-acpi_par.patch @@ -0,0 +1,86 @@ +From 0eb894a7bc70eccbbeee2a97ad25a4943d459649 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Dec 2019 11:35:20 -0800 +Subject: ACPICA: Disassembler: create buffer fields in ACPI_PARSE_LOAD_PASS1 + +From: Erik Kaneda + +[ Upstream commit 5ddbd77181dfca61b16d2e2222382ea65637f1b9 ] + +ACPICA commit 29cc8dbc5463a93625bed87d7550a8bed8913bf4 + +create_buffer_field is a deferred op that is typically processed in +load pass 2. However, disassembly of control method contents walk the +parse tree with ACPI_PARSE_LOAD_PASS1 and AML_CREATE operators are +processed in a later walk. This is a problem when there is a control +method that has the same name as the AML_CREATE object. In this case, +any use of the name segment will be detected as a method call rather +than a reference to a buffer field. If this is detected as a method +call, it can result in a mal-formed parse tree if the control methods +have parameters. + +This change in processing AML_CREATE ops earlier solves this issue by +inserting the named object in the ACPI namespace so that references +to this name would be detected as a name string rather than a method +call. + +Link: https://github.com/acpica/acpica/commit/29cc8dbc +Reported-by: Elia Geretto +Tested-by: Elia Geretto +Signed-off-by: Bob Moore +Signed-off-by: Erik Kaneda +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/dsfield.c | 2 +- + drivers/acpi/acpica/dswload.c | 21 +++++++++++++++++++++ + 2 files changed, 22 insertions(+), 1 deletion(-) + +diff --git a/drivers/acpi/acpica/dsfield.c b/drivers/acpi/acpica/dsfield.c +index 6a4b603d0e834..10bbf6ca082ab 100644 +--- a/drivers/acpi/acpica/dsfield.c ++++ b/drivers/acpi/acpica/dsfield.c +@@ -272,7 +272,7 @@ cleanup: + * FUNCTION: acpi_ds_get_field_names + * + * PARAMETERS: info - create_field info structure +- * ` walk_state - Current method state ++ * walk_state - Current method state + * arg - First parser arg for the field name list + * + * RETURN: Status +diff --git a/drivers/acpi/acpica/dswload.c b/drivers/acpi/acpica/dswload.c +index fd34040d4f44a..9c41d2153d0f2 100644 +--- a/drivers/acpi/acpica/dswload.c ++++ b/drivers/acpi/acpica/dswload.c +@@ -440,6 +440,27 @@ acpi_status acpi_ds_load1_end_op(struct acpi_walk_state *walk_state) + ACPI_DEBUG_PRINT((ACPI_DB_DISPATCH, "Op=%p State=%p\n", op, + walk_state)); + ++ /* ++ * Disassembler: handle create field operators here. ++ * ++ * create_buffer_field is a deferred op that is typically processed in load ++ * pass 2. However, disassembly of control method contents walk the parse ++ * tree with ACPI_PARSE_LOAD_PASS1 and AML_CREATE operators are processed ++ * in a later walk. This is a problem when there is a control method that ++ * has the same name as the AML_CREATE object. In this case, any use of the ++ * name segment will be detected as a method call rather than a reference ++ * to a buffer field. ++ * ++ * This earlier creation during disassembly solves this issue by inserting ++ * the named object in the ACPI namespace so that references to this name ++ * would be a name string rather than a method call. ++ */ ++ if ((walk_state->parse_flags & ACPI_PARSE_DISASSEMBLE) && ++ (walk_state->op_info->flags & AML_CREATE)) { ++ status = acpi_ds_create_buffer_field(op, walk_state); ++ return_ACPI_STATUS(status); ++ } ++ + /* We are only interested in opcodes that have an associated name */ + + if (!(walk_state->op_info->flags & (AML_NAMED | AML_FIELD))) { +-- +2.20.1 + diff --git a/queue-4.9/alsa-hda-add-docking-station-support-for-lenovo-thin.patch b/queue-4.9/alsa-hda-add-docking-station-support-for-lenovo-thin.patch new file mode 100644 index 00000000000..cbc951ba76b --- /dev/null +++ b/queue-4.9/alsa-hda-add-docking-station-support-for-lenovo-thin.patch @@ -0,0 +1,38 @@ +From 0180217803eda52b0d962a39bc59c66cfd52561b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Jan 2020 19:01:06 +0100 +Subject: ALSA: hda - Add docking station support for Lenovo Thinkpad T420s +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Peter Große + +[ Upstream commit ef7d84caa5928b40b1c93a26dbe5a3f12737c6ab ] + +Lenovo Thinkpad T420s uses the same codec as T420, so apply the +same quirk to enable audio output on a docking station. + +Signed-off-by: Peter Große +Link: https://lore.kernel.org/r/20200122180106.9351-1-pegro@friiks.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_conexant.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c +index 8557b94e462cb..1e99500dbb6c8 100644 +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -853,6 +853,7 @@ static const struct snd_pci_quirk cxt5066_fixups[] = { + SND_PCI_QUIRK(0x17aa, 0x215f, "Lenovo T510", CXT_PINCFG_LENOVO_TP410), + SND_PCI_QUIRK(0x17aa, 0x21ce, "Lenovo T420", CXT_PINCFG_LENOVO_TP410), + SND_PCI_QUIRK(0x17aa, 0x21cf, "Lenovo T520", CXT_PINCFG_LENOVO_TP410), ++ SND_PCI_QUIRK(0x17aa, 0x21d2, "Lenovo T420s", CXT_PINCFG_LENOVO_TP410), + SND_PCI_QUIRK(0x17aa, 0x21da, "Lenovo X220", CXT_PINCFG_LENOVO_TP410), + SND_PCI_QUIRK(0x17aa, 0x21db, "Lenovo X220-tablet", CXT_PINCFG_LENOVO_TP410), + SND_PCI_QUIRK(0x17aa, 0x38af, "Lenovo IdeaPad Z560", CXT_FIXUP_MUTE_LED_EAPD), +-- +2.20.1 + diff --git a/queue-4.9/alsa-sh-fix-compile-warning-wrt-const.patch b/queue-4.9/alsa-sh-fix-compile-warning-wrt-const.patch new file mode 100644 index 00000000000..3537e97a65e --- /dev/null +++ b/queue-4.9/alsa-sh-fix-compile-warning-wrt-const.patch @@ -0,0 +1,41 @@ +From bdb8f644fc59cea2328a0202de4d436d149c6025 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Jan 2020 15:48:23 +0100 +Subject: ALSA: sh: Fix compile warning wrt const + +From: Takashi Iwai + +[ Upstream commit f1dd4795b1523fbca7ab4344dd5a8bb439cc770d ] + +A long-standing compile warning was seen during build test: + sound/sh/aica.c: In function 'load_aica_firmware': + sound/sh/aica.c:521:25: warning: passing argument 2 of 'spu_memload' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers] + +Fixes: 198de43d758c ("[ALSA] Add ALSA support for the SEGA Dreamcast PCM device") +Link: https://lore.kernel.org/r/20200105144823.29547-69-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/sh/aica.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/sh/aica.c b/sound/sh/aica.c +index fbbc252795599..2a127feb8e293 100644 +--- a/sound/sh/aica.c ++++ b/sound/sh/aica.c +@@ -117,10 +117,10 @@ static void spu_memset(u32 toi, u32 what, int length) + } + + /* spu_memload - write to SPU address space */ +-static void spu_memload(u32 toi, void *from, int length) ++static void spu_memload(u32 toi, const void *from, int length) + { + unsigned long flags; +- u32 *froml = from; ++ const u32 *froml = from; + u32 __iomem *to = (u32 __iomem *) (SPU_MEMORY_BASE + toi); + int i; + u32 val; +-- +2.20.1 + diff --git a/queue-4.9/alsa-usx2y-adjust-indentation-in-snd_usx2y_hwdep_dsp.patch b/queue-4.9/alsa-usx2y-adjust-indentation-in-snd_usx2y_hwdep_dsp.patch new file mode 100644 index 00000000000..6b941fdfb9e --- /dev/null +++ b/queue-4.9/alsa-usx2y-adjust-indentation-in-snd_usx2y_hwdep_dsp.patch @@ -0,0 +1,51 @@ +From 49a7a15d35a17a9e1c449a6524e9328a89f6f214 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Dec 2019 20:42:57 -0700 +Subject: ALSA: usx2y: Adjust indentation in snd_usX2Y_hwdep_dsp_status + +From: Nathan Chancellor + +[ Upstream commit df4654bd6e42125d9b85ce3a26eaca2935290b98 ] + +Clang warns: + +../sound/usb/usx2y/usX2Yhwdep.c:122:3: warning: misleading indentation; +statement is not part of the previous 'if' [-Wmisleading-indentation] + info->version = USX2Y_DRIVER_VERSION; + ^ +../sound/usb/usx2y/usX2Yhwdep.c:120:2: note: previous statement is here + if (us428->chip_status & USX2Y_STAT_CHIP_INIT) + ^ +1 warning generated. + +This warning occurs because there is a space before the tab on this +line. Remove it so that the indentation is consistent with the Linux +kernel coding style and clang no longer warns. + +This was introduced before the beginning of git history so no fixes tag. + +Link: https://github.com/ClangBuiltLinux/linux/issues/831 +Signed-off-by: Nathan Chancellor +Link: https://lore.kernel.org/r/20191218034257.54535-1-natechancellor@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/usx2y/usX2Yhwdep.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/usb/usx2y/usX2Yhwdep.c b/sound/usb/usx2y/usX2Yhwdep.c +index 0b34dbc8f3020..7dcb33d3886bc 100644 +--- a/sound/usb/usx2y/usX2Yhwdep.c ++++ b/sound/usb/usx2y/usX2Yhwdep.c +@@ -132,7 +132,7 @@ static int snd_usX2Y_hwdep_dsp_status(struct snd_hwdep *hw, + info->num_dsps = 2; // 0: Prepad Data, 1: FPGA Code + if (us428->chip_status & USX2Y_STAT_CHIP_INIT) + info->chip_ready = 1; +- info->version = USX2Y_DRIVER_VERSION; ++ info->version = USX2Y_DRIVER_VERSION; + return 0; + } + +-- +2.20.1 + diff --git a/queue-4.9/arm-8951-1-fix-kexec-compilation-issue.patch b/queue-4.9/arm-8951-1-fix-kexec-compilation-issue.patch new file mode 100644 index 00000000000..af7c949fc75 --- /dev/null +++ b/queue-4.9/arm-8951-1-fix-kexec-compilation-issue.patch @@ -0,0 +1,53 @@ +From c6383d4a694717497f847cbaa8bc2f1a77176f8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jan 2020 13:37:59 +0100 +Subject: ARM: 8951/1: Fix Kexec compilation issue. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Vincenzo Frascino + +[ Upstream commit 76950f7162cad51d2200ebd22c620c14af38f718 ] + +To perform the reserve_crashkernel() operation kexec uses SECTION_SIZE to +find a memblock in a range. +SECTION_SIZE is not defined for nommu systems. Trying to compile kexec in +these conditions results in a build error: + + linux/arch/arm/kernel/setup.c: In function ‘reserve_crashkernel’: + linux/arch/arm/kernel/setup.c:1016:25: error: ‘SECTION_SIZE’ undeclared + (first use in this function); did you mean ‘SECTIONS_WIDTH’? + crash_size, SECTION_SIZE); + ^~~~~~~~~~~~ + SECTIONS_WIDTH + linux/arch/arm/kernel/setup.c:1016:25: note: each undeclared identifier + is reported only once for each function it appears in + linux/scripts/Makefile.build:265: recipe for target 'arch/arm/kernel/setup.o' + failed + +Make KEXEC depend on MMU to fix the compilation issue. + +Signed-off-by: Vincenzo Frascino +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig +index 74a70f91b01a4..56bd9beb6a35c 100644 +--- a/arch/arm/Kconfig ++++ b/arch/arm/Kconfig +@@ -2020,7 +2020,7 @@ config XIP_PHYS_ADDR + config KEXEC + bool "Kexec system call (EXPERIMENTAL)" + depends on (!SMP || PM_SLEEP_SMP) +- depends on !CPU_V7M ++ depends on MMU + select KEXEC_CORE + help + kexec is a system call that implements the ability to shutdown your +-- +2.20.1 + diff --git a/queue-4.9/arm-dts-allwinner-h3-add-pmu-node.patch b/queue-4.9/arm-dts-allwinner-h3-add-pmu-node.patch new file mode 100644 index 00000000000..5b3a1a7af8e --- /dev/null +++ b/queue-4.9/arm-dts-allwinner-h3-add-pmu-node.patch @@ -0,0 +1,68 @@ +From 8d0271a18b723a04a29ee748881aca28bc085f86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Nov 2019 01:18:35 +0000 +Subject: arm: dts: allwinner: H3: Add PMU node + +From: Andre Przywara + +[ Upstream commit 0388a110747bec0c9d9de995842bb2a03a26aae1 ] + +Add the Performance Monitoring Unit (PMU) device tree node to the H3 +.dtsi, which tells DT users which interrupts are triggered by PMU +overflow events on each core. The numbers come from the manual and have +been checked in U-Boot and with perf in Linux. + +Tested with perf record and taskset on an OrangePi Zero. + +Signed-off-by: Andre Przywara +Signed-off-by: Maxime Ripard +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/sun8i-h3.dtsi | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/boot/dts/sun8i-h3.dtsi b/arch/arm/boot/dts/sun8i-h3.dtsi +index f4ba088b225ed..08d65f252e172 100644 +--- a/arch/arm/boot/dts/sun8i-h3.dtsi ++++ b/arch/arm/boot/dts/sun8i-h3.dtsi +@@ -60,25 +60,34 @@ + reg = <0>; + }; + +- cpu@1 { ++ cpu1: cpu@1 { + compatible = "arm,cortex-a7"; + device_type = "cpu"; + reg = <1>; + }; + +- cpu@2 { ++ cpu2: cpu@2 { + compatible = "arm,cortex-a7"; + device_type = "cpu"; + reg = <2>; + }; + +- cpu@3 { ++ cpu3: cpu@3 { + compatible = "arm,cortex-a7"; + device_type = "cpu"; + reg = <3>; + }; + }; + ++ pmu { ++ compatible = "arm,cortex-a7-pmu"; ++ interrupts = , ++ , ++ , ++ ; ++ interrupt-affinity = <&cpu0>, <&cpu1>, <&cpu2>, <&cpu3>; ++ }; ++ + timer { + compatible = "arm,armv7-timer"; + interrupts = , +-- +2.20.1 + diff --git a/queue-4.9/arm-dts-r8a7779-add-device-node-for-arm-global-timer.patch b/queue-4.9/arm-dts-r8a7779-add-device-node-for-arm-global-timer.patch new file mode 100644 index 00000000000..476b02f63b1 --- /dev/null +++ b/queue-4.9/arm-dts-r8a7779-add-device-node-for-arm-global-timer.patch @@ -0,0 +1,44 @@ +From 5db65b15cf90db9205e5d5855a34eeb2b7e505a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2019 14:52:21 +0100 +Subject: ARM: dts: r8a7779: Add device node for ARM global timer + +From: Geert Uytterhoeven + +[ Upstream commit 8443ffd1bbd5be74e9b12db234746d12e8ea93e2 ] + +Add a device node for the global timer, which is part of the Cortex-A9 +MPCore. + +The global timer can serve as an accurate (4 ns) clock source for +scheduling and delay loops. + +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20191211135222.26770-4-geert+renesas@glider.be +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/r8a7779.dtsi | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/arch/arm/boot/dts/r8a7779.dtsi b/arch/arm/boot/dts/r8a7779.dtsi +index b9bbcce69dfbd..6c6d4893e92d4 100644 +--- a/arch/arm/boot/dts/r8a7779.dtsi ++++ b/arch/arm/boot/dts/r8a7779.dtsi +@@ -67,6 +67,14 @@ + <0xf0000100 0x100>; + }; + ++ timer@f0000200 { ++ compatible = "arm,cortex-a9-global-timer"; ++ reg = <0xf0000200 0x100>; ++ interrupts = ; ++ clocks = <&cpg_clocks R8A7779_CLK_ZS>; ++ }; ++ + timer@f0000600 { + compatible = "arm,cortex-a9-twd-timer"; + reg = <0xf0000600 0x20>; +-- +2.20.1 + diff --git a/queue-4.9/arm64-fix-alternatives-with-llvm-s-integrated-assemb.patch b/queue-4.9/arm64-fix-alternatives-with-llvm-s-integrated-assemb.patch new file mode 100644 index 00000000000..c801a49796a --- /dev/null +++ b/queue-4.9/arm64-fix-alternatives-with-llvm-s-integrated-assemb.patch @@ -0,0 +1,119 @@ +From 9b1def17f0667d8ac714659f64bd056daddc3383 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Oct 2019 12:46:52 -0700 +Subject: arm64: fix alternatives with LLVM's integrated assembler + +From: Sami Tolvanen + +[ Upstream commit c54f90c2627cc316d365e3073614731e17dbc631 ] + +LLVM's integrated assembler fails with the following error when +building KVM: + + :12:6: error: expected absolute expression + .if kvm_update_va_mask == 0 + ^ + :21:6: error: expected absolute expression + .if kvm_update_va_mask == 0 + ^ + :24:2: error: unrecognized instruction mnemonic + NOT_AN_INSTRUCTION + ^ + LLVM ERROR: Error parsing inline asm + +These errors come from ALTERNATIVE_CB and __ALTERNATIVE_CFG, +which test for the existence of the callback parameter in inline +assembly using the following expression: + + " .if " __stringify(cb) " == 0\n" + +This works with GNU as, but isn't supported by LLVM. This change +splits __ALTERNATIVE_CFG and ALTINSTR_ENTRY into separate macros +to fix the LLVM build. + +Link: https://github.com/ClangBuiltLinux/linux/issues/472 +Signed-off-by: Sami Tolvanen +Tested-by: Nick Desaulniers +Reviewed-by: Kees Cook +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/alternative.h | 32 ++++++++++++++++++---------- + 1 file changed, 21 insertions(+), 11 deletions(-) + +diff --git a/arch/arm64/include/asm/alternative.h b/arch/arm64/include/asm/alternative.h +index 7e842dcae4509..3626655175a2e 100644 +--- a/arch/arm64/include/asm/alternative.h ++++ b/arch/arm64/include/asm/alternative.h +@@ -29,13 +29,16 @@ typedef void (*alternative_cb_t)(struct alt_instr *alt, + void __init apply_alternatives_all(void); + void apply_alternatives(void *start, size_t length); + +-#define ALTINSTR_ENTRY(feature,cb) \ ++#define ALTINSTR_ENTRY(feature) \ + " .word 661b - .\n" /* label */ \ +- " .if " __stringify(cb) " == 0\n" \ + " .word 663f - .\n" /* new instruction */ \ +- " .else\n" \ ++ " .hword " __stringify(feature) "\n" /* feature bit */ \ ++ " .byte 662b-661b\n" /* source len */ \ ++ " .byte 664f-663f\n" /* replacement len */ ++ ++#define ALTINSTR_ENTRY_CB(feature, cb) \ ++ " .word 661b - .\n" /* label */ \ + " .word " __stringify(cb) "- .\n" /* callback */ \ +- " .endif\n" \ + " .hword " __stringify(feature) "\n" /* feature bit */ \ + " .byte 662b-661b\n" /* source len */ \ + " .byte 664f-663f\n" /* replacement len */ +@@ -56,15 +59,14 @@ void apply_alternatives(void *start, size_t length); + * + * Alternatives with callbacks do not generate replacement instructions. + */ +-#define __ALTERNATIVE_CFG(oldinstr, newinstr, feature, cfg_enabled, cb) \ ++#define __ALTERNATIVE_CFG(oldinstr, newinstr, feature, cfg_enabled) \ + ".if "__stringify(cfg_enabled)" == 1\n" \ + "661:\n\t" \ + oldinstr "\n" \ + "662:\n" \ + ".pushsection .altinstructions,\"a\"\n" \ +- ALTINSTR_ENTRY(feature,cb) \ ++ ALTINSTR_ENTRY(feature) \ + ".popsection\n" \ +- " .if " __stringify(cb) " == 0\n" \ + ".pushsection .altinstr_replacement, \"a\"\n" \ + "663:\n\t" \ + newinstr "\n" \ +@@ -72,17 +74,25 @@ void apply_alternatives(void *start, size_t length); + ".popsection\n\t" \ + ".org . - (664b-663b) + (662b-661b)\n\t" \ + ".org . - (662b-661b) + (664b-663b)\n" \ +- ".else\n\t" \ ++ ".endif\n" ++ ++#define __ALTERNATIVE_CFG_CB(oldinstr, feature, cfg_enabled, cb) \ ++ ".if "__stringify(cfg_enabled)" == 1\n" \ ++ "661:\n\t" \ ++ oldinstr "\n" \ ++ "662:\n" \ ++ ".pushsection .altinstructions,\"a\"\n" \ ++ ALTINSTR_ENTRY_CB(feature, cb) \ ++ ".popsection\n" \ + "663:\n\t" \ + "664:\n\t" \ +- ".endif\n" \ + ".endif\n" + + #define _ALTERNATIVE_CFG(oldinstr, newinstr, feature, cfg, ...) \ +- __ALTERNATIVE_CFG(oldinstr, newinstr, feature, IS_ENABLED(cfg), 0) ++ __ALTERNATIVE_CFG(oldinstr, newinstr, feature, IS_ENABLED(cfg)) + + #define ALTERNATIVE_CB(oldinstr, cb) \ +- __ALTERNATIVE_CFG(oldinstr, "NOT_AN_INSTRUCTION", ARM64_CB_PATCH, 1, cb) ++ __ALTERNATIVE_CFG_CB(oldinstr, ARM64_CB_PATCH, 1, cb) + #else + + #include +-- +2.20.1 + diff --git a/queue-4.9/asoc-atmel-fix-build-error-with-config_snd_atmel_soc.patch b/queue-4.9/asoc-atmel-fix-build-error-with-config_snd_atmel_soc.patch new file mode 100644 index 00000000000..0fc3af21e7f --- /dev/null +++ b/queue-4.9/asoc-atmel-fix-build-error-with-config_snd_atmel_soc.patch @@ -0,0 +1,43 @@ +From 80ec26482254ad7bb94190a75976fd811ebbb637 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jan 2020 21:32:42 +0800 +Subject: ASoC: atmel: fix build error with CONFIG_SND_ATMEL_SOC_DMA=m + +From: Chen Zhou + +[ Upstream commit 8fea78029f5e6ed734ae1957bef23cfda1af4354 ] + +If CONFIG_SND_ATMEL_SOC_DMA=m, build error: + +sound/soc/atmel/atmel_ssc_dai.o: In function `atmel_ssc_set_audio': +(.text+0x7cd): undefined reference to `atmel_pcm_dma_platform_register' + +Function atmel_pcm_dma_platform_register is defined under +CONFIG SND_ATMEL_SOC_DMA, so select SND_ATMEL_SOC_DMA in +CONFIG SND_ATMEL_SOC_SSC, same to CONFIG_SND_ATMEL_SOC_PDC. + +Reported-by: Hulk Robot +Signed-off-by: Chen Zhou +Link: https://lore.kernel.org/r/20200113133242.144550-1-chenzhou10@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/atmel/Kconfig | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/soc/atmel/Kconfig b/sound/soc/atmel/Kconfig +index 22aec9a1e9a49..838d03a138ca2 100644 +--- a/sound/soc/atmel/Kconfig ++++ b/sound/soc/atmel/Kconfig +@@ -25,6 +25,8 @@ config SND_ATMEL_SOC_DMA + + config SND_ATMEL_SOC_SSC_DMA + tristate ++ select SND_ATMEL_SOC_DMA ++ select SND_ATMEL_SOC_PDC + + config SND_ATMEL_SOC_SSC + tristate +-- +2.20.1 + diff --git a/queue-4.9/b43legacy-fix-wcast-function-type.patch b/queue-4.9/b43legacy-fix-wcast-function-type.patch new file mode 100644 index 00000000000..776b7e92d0f --- /dev/null +++ b/queue-4.9/b43legacy-fix-wcast-function-type.patch @@ -0,0 +1,48 @@ +From 8ccee200e5830ac0081a7f1856cdbfbfb6cf92a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Nov 2019 00:55:26 +0700 +Subject: b43legacy: Fix -Wcast-function-type + +From: Phong Tran + +[ Upstream commit 475eec112e4267232d10f4afe2f939a241692b6c ] + +correct usage prototype of callback in tasklet_init(). +Report by https://github.com/KSPP/linux/issues/20 + +Tested-by: Larry Finger +Signed-off-by: Phong Tran +Reviewed-by: Kees Cook +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/b43legacy/main.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/b43legacy/main.c b/drivers/net/wireless/broadcom/b43legacy/main.c +index 83770d2ea0578..9da8bd7927022 100644 +--- a/drivers/net/wireless/broadcom/b43legacy/main.c ++++ b/drivers/net/wireless/broadcom/b43legacy/main.c +@@ -1304,8 +1304,9 @@ static void handle_irq_ucode_debug(struct b43legacy_wldev *dev) + } + + /* Interrupt handler bottom-half */ +-static void b43legacy_interrupt_tasklet(struct b43legacy_wldev *dev) ++static void b43legacy_interrupt_tasklet(unsigned long data) + { ++ struct b43legacy_wldev *dev = (struct b43legacy_wldev *)data; + u32 reason; + u32 dma_reason[ARRAY_SIZE(dev->dma_reason)]; + u32 merged_dma_reason = 0; +@@ -3775,7 +3776,7 @@ static int b43legacy_one_core_attach(struct ssb_device *dev, + b43legacy_set_status(wldev, B43legacy_STAT_UNINIT); + wldev->bad_frames_preempt = modparam_bad_frames_preempt; + tasklet_init(&wldev->isr_tasklet, +- (void (*)(unsigned long))b43legacy_interrupt_tasklet, ++ b43legacy_interrupt_tasklet, + (unsigned long)wldev); + if (modparam_pio) + wldev->__using_pio = true; +-- +2.20.1 + diff --git a/queue-4.9/bcache-explicity-type-cast-in-bset_bkey_last.patch b/queue-4.9/bcache-explicity-type-cast-in-bset_bkey_last.patch new file mode 100644 index 00000000000..4c4efdfe0ea --- /dev/null +++ b/queue-4.9/bcache-explicity-type-cast-in-bset_bkey_last.patch @@ -0,0 +1,52 @@ +From 0347862eb6e2d9127c19d09849317ccd61e3e9fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Feb 2020 22:42:32 +0800 +Subject: bcache: explicity type cast in bset_bkey_last() + +From: Coly Li + +[ Upstream commit 7c02b0055f774ed9afb6e1c7724f33bf148ffdc0 ] + +In bset.h, macro bset_bkey_last() is defined as, + bkey_idx((struct bkey *) (i)->d, (i)->keys) + +Parameter i can be variable type of data structure, the macro always +works once the type of struct i has member 'd' and 'keys'. + +bset_bkey_last() is also used in macro csum_set() to calculate the +checksum of a on-disk data structure. When csum_set() is used to +calculate checksum of on-disk bcache super block, the parameter 'i' +data type is struct cache_sb_disk. Inside struct cache_sb_disk (also in +struct cache_sb) the member keys is __u16 type. But bkey_idx() expects +unsigned int (a 32bit width), so there is problem when sending +parameters via stack to call bkey_idx(). + +Sparse tool from Intel 0day kbuild system reports this incompatible +problem. bkey_idx() is part of user space API, so the simplest fix is +to cast the (i)->keys to unsigned int type in macro bset_bkey_last(). + +Reported-by: kbuild test robot +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/md/bcache/bset.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/md/bcache/bset.h b/drivers/md/bcache/bset.h +index b935839ab79c6..f483041eed986 100644 +--- a/drivers/md/bcache/bset.h ++++ b/drivers/md/bcache/bset.h +@@ -380,7 +380,8 @@ void bch_btree_keys_stats(struct btree_keys *, struct bset_stats *); + + /* Bkey utility code */ + +-#define bset_bkey_last(i) bkey_idx((struct bkey *) (i)->d, (i)->keys) ++#define bset_bkey_last(i) bkey_idx((struct bkey *) (i)->d, \ ++ (unsigned int)(i)->keys) + + static inline struct bkey *bset_bkey_idx(struct bset *i, unsigned idx) + { +-- +2.20.1 + diff --git a/queue-4.9/brcmfmac-fix-use-after-free-in-brcmf_sdio_readframes.patch b/queue-4.9/brcmfmac-fix-use-after-free-in-brcmf_sdio_readframes.patch new file mode 100644 index 00000000000..6e07d7c5fef --- /dev/null +++ b/queue-4.9/brcmfmac-fix-use-after-free-in-brcmf_sdio_readframes.patch @@ -0,0 +1,41 @@ +From d4224e44768e3bb3c797d6372a2c2bcfd2b35a93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2019 12:58:55 +0300 +Subject: brcmfmac: Fix use after free in brcmf_sdio_readframes() + +From: Dan Carpenter + +[ Upstream commit 216b44000ada87a63891a8214c347e05a4aea8fe ] + +The brcmu_pkt_buf_free_skb() function frees "pkt" so it leads to a +static checker warning: + + drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c:1974 brcmf_sdio_readframes() + error: dereferencing freed memory 'pkt' + +It looks like there was supposed to be a continue after we free "pkt". + +Fixes: 4754fceeb9a6 ("brcmfmac: streamline SDIO read frame routine") +Signed-off-by: Dan Carpenter +Acked-by: Franky Lin +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c +index de52d826eb248..998a4bd6db78a 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c +@@ -1921,6 +1921,7 @@ static uint brcmf_sdio_readframes(struct brcmf_sdio *bus, uint maxframes) + BRCMF_SDIO_FT_NORMAL)) { + rd->len = 0; + brcmu_pkt_buf_free_skb(pkt); ++ continue; + } + bus->sdcnt.rx_readahead_cnt++; + if (rd->len != roundup(rd_new.len, 16)) { +-- +2.20.1 + diff --git a/queue-4.9/brd-check-and-limit-max_part-par.patch b/queue-4.9/brd-check-and-limit-max_part-par.patch new file mode 100644 index 00000000000..40531e13381 --- /dev/null +++ b/queue-4.9/brd-check-and-limit-max_part-par.patch @@ -0,0 +1,109 @@ +From 9f051261f2d9f41ccb70af85b4617beebc380178 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Feb 2020 19:30:20 +0800 +Subject: brd: check and limit max_part par + +From: Zhiqiang Liu + +[ Upstream commit c8ab422553c81a0eb070329c63725df1cd1425bc ] + +In brd_init func, rd_nr num of brd_device are firstly allocated +and add in brd_devices, then brd_devices are traversed to add each +brd_device by calling add_disk func. When allocating brd_device, +the disk->first_minor is set to i * max_part, if rd_nr * max_part +is larger than MINORMASK, two different brd_device may have the same +devt, then only one of them can be successfully added. +when rmmod brd.ko, it will cause oops when calling brd_exit. + +Follow those steps: + # modprobe brd rd_nr=3 rd_size=102400 max_part=1048576 + # rmmod brd +then, the oops will appear. + +Oops log: +[ 726.613722] Call trace: +[ 726.614175] kernfs_find_ns+0x24/0x130 +[ 726.614852] kernfs_find_and_get_ns+0x44/0x68 +[ 726.615749] sysfs_remove_group+0x38/0xb0 +[ 726.616520] blk_trace_remove_sysfs+0x1c/0x28 +[ 726.617320] blk_unregister_queue+0x98/0x100 +[ 726.618105] del_gendisk+0x144/0x2b8 +[ 726.618759] brd_exit+0x68/0x560 [brd] +[ 726.619501] __arm64_sys_delete_module+0x19c/0x2a0 +[ 726.620384] el0_svc_common+0x78/0x130 +[ 726.621057] el0_svc_handler+0x38/0x78 +[ 726.621738] el0_svc+0x8/0xc +[ 726.622259] Code: aa0203f6 aa0103f7 aa1e03e0 d503201f (7940e260) + +Here, we add brd_check_and_reset_par func to check and limit max_part par. + +-- +V5->V6: + - remove useless code + +V4->V5:(suggested by Ming Lei) + - make sure max_part is not larger than DISK_MAX_PARTS + +V3->V4:(suggested by Ming Lei) + - remove useless change + - add one limit of max_part + +V2->V3: (suggested by Ming Lei) + - clear .minors when running out of consecutive minor space in brd_alloc + - remove limit of rd_nr + +V1->V2: + - add more checks in brd_check_par_valid as suggested by Ming Lei. + +Signed-off-by: Zhiqiang Liu +Reviewed-by: Bob Liu +Reviewed-by: Ming Lei +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/brd.c | 22 ++++++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +diff --git a/drivers/block/brd.c b/drivers/block/brd.c +index 0c76d4016eebe..7e35574a17dfc 100644 +--- a/drivers/block/brd.c ++++ b/drivers/block/brd.c +@@ -581,6 +581,25 @@ static struct kobject *brd_probe(dev_t dev, int *part, void *data) + return kobj; + } + ++static inline void brd_check_and_reset_par(void) ++{ ++ if (unlikely(!max_part)) ++ max_part = 1; ++ ++ /* ++ * make sure 'max_part' can be divided exactly by (1U << MINORBITS), ++ * otherwise, it is possiable to get same dev_t when adding partitions. ++ */ ++ if ((1U << MINORBITS) % max_part != 0) ++ max_part = 1UL << fls(max_part); ++ ++ if (max_part > DISK_MAX_PARTS) { ++ pr_info("brd: max_part can't be larger than %d, reset max_part = %d.\n", ++ DISK_MAX_PARTS, DISK_MAX_PARTS); ++ max_part = DISK_MAX_PARTS; ++ } ++} ++ + static int __init brd_init(void) + { + struct brd_device *brd, *next; +@@ -604,8 +623,7 @@ static int __init brd_init(void) + if (register_blkdev(RAMDISK_MAJOR, "ramdisk")) + return -EIO; + +- if (unlikely(!max_part)) +- max_part = 1; ++ brd_check_and_reset_par(); + + for (i = 0; i < rd_nr; i++) { + brd = brd_alloc(i); +-- +2.20.1 + diff --git a/queue-4.9/cifs-fix-null-dereference-in-match_prepath.patch b/queue-4.9/cifs-fix-null-dereference-in-match_prepath.patch new file mode 100644 index 00000000000..c124d8e2a0f --- /dev/null +++ b/queue-4.9/cifs-fix-null-dereference-in-match_prepath.patch @@ -0,0 +1,43 @@ +From 7249e5fbba02ea7bc31b1c9bf6dfb3e3f6799778 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Jan 2020 11:07:56 +1000 +Subject: cifs: fix NULL dereference in match_prepath + +From: Ronnie Sahlberg + +[ Upstream commit fe1292686333d1dadaf84091f585ee903b9ddb84 ] + +RHBZ: 1760879 + +Fix an oops in match_prepath() by making sure that the prepath string is not +NULL before we pass it into strcmp(). + +This is similar to other checks we make for example in cifs_root_iget() + +Signed-off-by: Ronnie Sahlberg +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/connect.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c +index 751bdde6515d5..961fcb40183a4 100644 +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -2927,8 +2927,10 @@ match_prepath(struct super_block *sb, struct cifs_mnt_data *mnt_data) + { + struct cifs_sb_info *old = CIFS_SB(sb); + struct cifs_sb_info *new = mnt_data->cifs_sb; +- bool old_set = old->mnt_cifs_flags & CIFS_MOUNT_USE_PREFIX_PATH; +- bool new_set = new->mnt_cifs_flags & CIFS_MOUNT_USE_PREFIX_PATH; ++ bool old_set = (old->mnt_cifs_flags & CIFS_MOUNT_USE_PREFIX_PATH) && ++ old->prepath; ++ bool new_set = (new->mnt_cifs_flags & CIFS_MOUNT_USE_PREFIX_PATH) && ++ new->prepath; + + if (old_set && new_set && !strcmp(new->prepath, old->prepath)) + return 1; +-- +2.20.1 + diff --git a/queue-4.9/clk-qcom-rcg2-don-t-crash-if-our-parent-can-t-be-fou.patch b/queue-4.9/clk-qcom-rcg2-don-t-crash-if-our-parent-can-t-be-fou.patch new file mode 100644 index 00000000000..f7bd1541c21 --- /dev/null +++ b/queue-4.9/clk-qcom-rcg2-don-t-crash-if-our-parent-can-t-be-fou.patch @@ -0,0 +1,71 @@ +From 3b8f5f37ac81ff5a3f0068b7afdf128d5fc6ad29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Feb 2020 10:31:34 -0800 +Subject: clk: qcom: rcg2: Don't crash if our parent can't be found; return an + error + +From: Douglas Anderson + +[ Upstream commit 908b050114d8fefdddc57ec9fbc213c3690e7f5f ] + +When I got my clock parenting slightly wrong I ended up with a crash +that looked like this: + + Unable to handle kernel NULL pointer dereference at virtual + address 0000000000000000 + ... + pc : clk_hw_get_rate+0x14/0x44 + ... + Call trace: + clk_hw_get_rate+0x14/0x44 + _freq_tbl_determine_rate+0x94/0xfc + clk_rcg2_determine_rate+0x2c/0x38 + clk_core_determine_round_nolock+0x4c/0x88 + clk_core_round_rate_nolock+0x6c/0xa8 + clk_core_round_rate_nolock+0x9c/0xa8 + clk_core_set_rate_nolock+0x70/0x180 + clk_set_rate+0x3c/0x6c + of_clk_set_defaults+0x254/0x360 + platform_drv_probe+0x28/0xb0 + really_probe+0x120/0x2dc + driver_probe_device+0x64/0xfc + device_driver_attach+0x4c/0x6c + __driver_attach+0xac/0xc0 + bus_for_each_dev+0x84/0xcc + driver_attach+0x2c/0x38 + bus_add_driver+0xfc/0x1d0 + driver_register+0x64/0xf8 + __platform_driver_register+0x4c/0x58 + msm_drm_register+0x5c/0x60 + ... + +It turned out that clk_hw_get_parent_by_index() was returning NULL and +we weren't checking. Let's check it so that we don't crash. + +Fixes: ac269395cdd8 ("clk: qcom: Convert to clk_hw based provider APIs") +Signed-off-by: Douglas Anderson +Reviewed-by: Matthias Kaehlcke +Link: https://lkml.kernel.org/r/20200203103049.v4.1.I7487325fe8e701a68a07d3be8a6a4b571eca9cfa@changeid +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/clk-rcg2.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/clk/qcom/clk-rcg2.c b/drivers/clk/qcom/clk-rcg2.c +index 0ae1b0a66eb55..d8601b138dc1e 100644 +--- a/drivers/clk/qcom/clk-rcg2.c ++++ b/drivers/clk/qcom/clk-rcg2.c +@@ -194,6 +194,9 @@ static int _freq_tbl_determine_rate(struct clk_hw *hw, + + clk_flags = clk_hw_get_flags(hw); + p = clk_hw_get_parent_by_index(hw, index); ++ if (!p) ++ return -EINVAL; ++ + if (clk_flags & CLK_SET_RATE_PARENT) { + if (f->pre_div) { + if (!rate) +-- +2.20.1 + diff --git a/queue-4.9/cmd64x-potential-buffer-overflow-in-cmd64x_program_t.patch b/queue-4.9/cmd64x-potential-buffer-overflow-in-cmd64x_program_t.patch new file mode 100644 index 00000000000..b28ad87b55c --- /dev/null +++ b/queue-4.9/cmd64x-potential-buffer-overflow-in-cmd64x_program_t.patch @@ -0,0 +1,36 @@ +From 78117a9cd071552cfc1ca2035f5cfd3d996031ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jan 2020 16:04:41 +0300 +Subject: cmd64x: potential buffer overflow in cmd64x_program_timings() + +From: Dan Carpenter + +[ Upstream commit 117fcc3053606d8db5cef8821dca15022ae578bb ] + +The "drive->dn" value is a u8 and it is controlled by root only, but +it could be out of bounds here so let's check. + +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/ide/cmd64x.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/ide/cmd64x.c b/drivers/ide/cmd64x.c +index b127ed60c7336..9dde8390da09b 100644 +--- a/drivers/ide/cmd64x.c ++++ b/drivers/ide/cmd64x.c +@@ -65,6 +65,9 @@ static void cmd64x_program_timings(ide_drive_t *drive, u8 mode) + struct ide_timing t; + u8 arttim = 0; + ++ if (drive->dn >= ARRAY_SIZE(drwtim_regs)) ++ return; ++ + ide_timing_compute(drive, mode, &t, T, 0); + + /* +-- +2.20.1 + diff --git a/queue-4.9/cpu-hotplug-stop_machine-fix-stop_machine-vs-hotplug.patch b/queue-4.9/cpu-hotplug-stop_machine-fix-stop_machine-vs-hotplug.patch new file mode 100644 index 00000000000..f746b60568f --- /dev/null +++ b/queue-4.9/cpu-hotplug-stop_machine-fix-stop_machine-vs-hotplug.patch @@ -0,0 +1,91 @@ +From d1148ca5ab2e55ab52b16b533e79b90bd30db8a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2019 09:34:54 +0100 +Subject: cpu/hotplug, stop_machine: Fix stop_machine vs hotplug order + +From: Peter Zijlstra + +[ Upstream commit 45178ac0cea853fe0e405bf11e101bdebea57b15 ] + +Paul reported a very sporadic, rcutorture induced, workqueue failure. +When the planets align, the workqueue rescuer's self-migrate fails and +then triggers a WARN for running a work on the wrong CPU. + +Tejun then figured that set_cpus_allowed_ptr()'s stop_one_cpu() call +could be ignored! When stopper->enabled is false, stop_machine will +insta complete the work, without actually doing the work. Worse, it +will not WARN about this (we really should fix this). + +It turns out there is a small window where a freshly online'ed CPU is +marked 'online' but doesn't yet have the stopper task running: + + BP AP + + bringup_cpu() + __cpu_up(cpu, idle) --> start_secondary() + ... + cpu_startup_entry() + bringup_wait_for_ap() + wait_for_ap_thread() <-- cpuhp_online_idle() + while (1) + do_idle() + + ... available to run kthreads ... + + stop_machine_unpark() + stopper->enable = true; + +Close this by moving the stop_machine_unpark() into +cpuhp_online_idle(), such that the stopper thread is ready before we +start the idle loop and schedule. + +Reported-by: "Paul E. McKenney" +Debugged-by: Tejun Heo +Signed-off-by: Peter Zijlstra (Intel) +Tested-by: "Paul E. McKenney" +Signed-off-by: Sasha Levin +--- + kernel/cpu.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/kernel/cpu.c b/kernel/cpu.c +index c2573e858009b..1fbe93fefc1fa 100644 +--- a/kernel/cpu.c ++++ b/kernel/cpu.c +@@ -515,8 +515,7 @@ static int bringup_wait_for_ap(unsigned int cpu) + if (WARN_ON_ONCE((!cpu_online(cpu)))) + return -ECANCELED; + +- /* Unpark the stopper thread and the hotplug thread of the target cpu */ +- stop_machine_unpark(cpu); ++ /* Unpark the hotplug thread of the target cpu */ + kthread_unpark(st->thread); + + /* +@@ -1115,8 +1114,8 @@ void notify_cpu_starting(unsigned int cpu) + + /* + * Called from the idle task. Wake up the controlling task which brings the +- * stopper and the hotplug thread of the upcoming CPU up and then delegates +- * the rest of the online bringup to the hotplug thread. ++ * hotplug thread of the upcoming CPU up and then delegates the rest of the ++ * online bringup to the hotplug thread. + */ + void cpuhp_online_idle(enum cpuhp_state state) + { +@@ -1126,6 +1125,12 @@ void cpuhp_online_idle(enum cpuhp_state state) + if (state != CPUHP_AP_ONLINE_IDLE) + return; + ++ /* ++ * Unpart the stopper thread before we start the idle loop (and start ++ * scheduling); this ensures the stopper task is always available. ++ */ ++ stop_machine_unpark(smp_processor_id()); ++ + st->state = CPUHP_AP_ONLINE_IDLE; + complete(&st->done); + } +-- +2.20.1 + diff --git a/queue-4.9/driver-core-platform-fix-u32-greater-or-equal-to-zer.patch b/queue-4.9/driver-core-platform-fix-u32-greater-or-equal-to-zer.patch new file mode 100644 index 00000000000..d62d5157902 --- /dev/null +++ b/queue-4.9/driver-core-platform-fix-u32-greater-or-equal-to-zer.patch @@ -0,0 +1,41 @@ +From 6415a8924a1c5a8bc66913b65bd768b1ad8c7338 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jan 2020 17:57:58 +0000 +Subject: driver core: platform: fix u32 greater or equal to zero comparison + +From: Colin Ian King + +[ Upstream commit 0707cfa5c3ef58effb143db9db6d6e20503f9dec ] + +Currently the check that a u32 variable i is >= 0 is always true because +the unsigned variable will never be negative, causing the loop to run +forever. Fix this by changing the pre-decrement check to a zero check on +i followed by a decrement of i. + +Addresses-Coverity: ("Unsigned compared against 0") +Fixes: 39cc539f90d0 ("driver core: platform: Prevent resouce overflow from causing infinite loops") +Signed-off-by: Colin Ian King +Reviewed-by: Rafael J. Wysocki +Link: https://lore.kernel.org/r/20200116175758.88396-1-colin.king@canonical.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/base/platform.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/base/platform.c b/drivers/base/platform.c +index 6cdc198965f5a..bef299ef62276 100644 +--- a/drivers/base/platform.c ++++ b/drivers/base/platform.c +@@ -418,7 +418,7 @@ int platform_device_add(struct platform_device *pdev) + pdev->id = PLATFORM_DEVID_AUTO; + } + +- while (--i >= 0) { ++ while (i--) { + struct resource *r = &pdev->resource[i]; + if (r->parent) + release_resource(r); +-- +2.20.1 + diff --git a/queue-4.9/driver-core-platform-prevent-resouce-overflow-from-c.patch b/queue-4.9/driver-core-platform-prevent-resouce-overflow-from-c.patch new file mode 100644 index 00000000000..bf5f41f3c04 --- /dev/null +++ b/queue-4.9/driver-core-platform-prevent-resouce-overflow-from-c.patch @@ -0,0 +1,75 @@ +From a6595801ca05d4ac6713ab902f359d61f913d91f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2019 17:41:37 -0500 +Subject: driver core: platform: Prevent resouce overflow from causing infinite + loops + +From: Simon Schwartz + +[ Upstream commit 39cc539f90d035a293240c9443af50be55ee81b8 ] + +num_resources in the platform_device struct is declared as a u32. The +for loops that iterate over num_resources use an int as the counter, +which can cause infinite loops on architectures with smaller ints. +Change the loop counters to u32. + +Signed-off-by: Simon Schwartz +Link: https://lore.kernel.org/r/2201ce63a2a171ffd2ed14e867875316efcf71db.camel@theschwartz.xyz +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/base/platform.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/base/platform.c b/drivers/base/platform.c +index f90b1b9bbad0d..6cdc198965f5a 100644 +--- a/drivers/base/platform.c ++++ b/drivers/base/platform.c +@@ -28,6 +28,7 @@ + #include + #include + #include ++#include + + #include "base.h" + #include "power/power.h" +@@ -68,7 +69,7 @@ void __weak arch_setup_pdev_archdata(struct platform_device *pdev) + struct resource *platform_get_resource(struct platform_device *dev, + unsigned int type, unsigned int num) + { +- int i; ++ u32 i; + + for (i = 0; i < dev->num_resources; i++) { + struct resource *r = &dev->resource[i]; +@@ -153,7 +154,7 @@ struct resource *platform_get_resource_byname(struct platform_device *dev, + unsigned int type, + const char *name) + { +- int i; ++ u32 i; + + for (i = 0; i < dev->num_resources; i++) { + struct resource *r = &dev->resource[i]; +@@ -350,7 +351,8 @@ EXPORT_SYMBOL_GPL(platform_device_add_properties); + */ + int platform_device_add(struct platform_device *pdev) + { +- int i, ret; ++ u32 i; ++ int ret; + + if (!pdev) + return -EINVAL; +@@ -437,7 +439,7 @@ EXPORT_SYMBOL_GPL(platform_device_add); + */ + void platform_device_del(struct platform_device *pdev) + { +- int i; ++ u32 i; + + if (pdev) { + device_remove_properties(&pdev->dev); +-- +2.20.1 + diff --git a/queue-4.9/driver-core-print-device-when-resources-present-in-r.patch b/queue-4.9/driver-core-print-device-when-resources-present-in-r.patch new file mode 100644 index 00000000000..d2f867dce3f --- /dev/null +++ b/queue-4.9/driver-core-print-device-when-resources-present-in-r.patch @@ -0,0 +1,45 @@ +From 0a3851110e2402b956f0ee6a1fddadebdbb566a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2019 14:22:19 +0100 +Subject: driver core: Print device when resources present in really_probe() + +From: Geert Uytterhoeven + +[ Upstream commit 7c35e699c88bd60734277b26962783c60e04b494 ] + +If a device already has devres items attached before probing, a warning +backtrace is printed. However, this backtrace does not reveal the +offending device, leaving the user uninformed. Furthermore, using +WARN_ON() causes systems with panic-on-warn to reboot. + +Fix this by replacing the WARN_ON() by a dev_crit() message. +Abort probing the device, to prevent doing more damage to the device's +resources. + +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20191206132219.28908-1-geert+renesas@glider.be +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/base/dd.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/base/dd.c b/drivers/base/dd.c +index ee25a69630c3a..854d218ea76ac 100644 +--- a/drivers/base/dd.c ++++ b/drivers/base/dd.c +@@ -341,7 +341,10 @@ static int really_probe(struct device *dev, struct device_driver *drv) + atomic_inc(&probe_count); + pr_debug("bus: '%s': %s: probing driver %s with device %s\n", + drv->bus->name, __func__, drv->name, dev_name(dev)); +- WARN_ON(!list_empty(&dev->devres_head)); ++ if (!list_empty(&dev->devres_head)) { ++ dev_crit(dev, "Resources present before probing\n"); ++ return -EBUSY; ++ } + + re_probe: + dev->driver = drv; +-- +2.20.1 + diff --git a/queue-4.9/drm-amdgpu-remove-4-set-but-not-used-variable-in-amd.patch b/queue-4.9/drm-amdgpu-remove-4-set-but-not-used-variable-in-amd.patch new file mode 100644 index 00000000000..e99bc3ab2a0 --- /dev/null +++ b/queue-4.9/drm-amdgpu-remove-4-set-but-not-used-variable-in-amd.patch @@ -0,0 +1,75 @@ +From 5ff4baaf819fbec85f3eeba9d4c5db03f39db004 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Nov 2019 21:27:20 +0800 +Subject: drm/amdgpu: remove 4 set but not used variable in + amdgpu_atombios_get_connector_info_from_object_table + +From: yu kuai + +[ Upstream commit bae028e3e521e8cb8caf2cc16a455ce4c55f2332 ] + +Fixes gcc '-Wunused-but-set-variable' warning: + +drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c: In function +'amdgpu_atombios_get_connector_info_from_object_table': +drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c:376:26: warning: variable +'grph_obj_num' set but not used [-Wunused-but-set-variable] +drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c:376:13: warning: variable +'grph_obj_id' set but not used [-Wunused-but-set-variable] +drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c:341:37: warning: variable +'con_obj_type' set but not used [-Wunused-but-set-variable] +drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c:341:24: warning: variable +'con_obj_num' set but not used [-Wunused-but-set-variable] + +They are never used, so can be removed. + +Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)") +Signed-off-by: yu kuai +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c | 19 ++----------------- + 1 file changed, 2 insertions(+), 17 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c +index 26afdffab5a06..ac8885562919d 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c +@@ -336,17 +336,9 @@ bool amdgpu_atombios_get_connector_info_from_object_table(struct amdgpu_device * + path_size += le16_to_cpu(path->usSize); + + if (device_support & le16_to_cpu(path->usDeviceTag)) { +- uint8_t con_obj_id, con_obj_num, con_obj_type; +- +- con_obj_id = ++ uint8_t con_obj_id = + (le16_to_cpu(path->usConnObjectId) & OBJECT_ID_MASK) + >> OBJECT_ID_SHIFT; +- con_obj_num = +- (le16_to_cpu(path->usConnObjectId) & ENUM_ID_MASK) +- >> ENUM_ID_SHIFT; +- con_obj_type = +- (le16_to_cpu(path->usConnObjectId) & +- OBJECT_TYPE_MASK) >> OBJECT_TYPE_SHIFT; + + /* Skip TV/CV support */ + if ((le16_to_cpu(path->usDeviceTag) == +@@ -371,14 +363,7 @@ bool amdgpu_atombios_get_connector_info_from_object_table(struct amdgpu_device * + router.ddc_valid = false; + router.cd_valid = false; + for (j = 0; j < ((le16_to_cpu(path->usSize) - 8) / 2); j++) { +- uint8_t grph_obj_id, grph_obj_num, grph_obj_type; +- +- grph_obj_id = +- (le16_to_cpu(path->usGraphicObjIds[j]) & +- OBJECT_ID_MASK) >> OBJECT_ID_SHIFT; +- grph_obj_num = +- (le16_to_cpu(path->usGraphicObjIds[j]) & +- ENUM_ID_MASK) >> ENUM_ID_SHIFT; ++ uint8_t grph_obj_type= + grph_obj_type = + (le16_to_cpu(path->usGraphicObjIds[j]) & + OBJECT_TYPE_MASK) >> OBJECT_TYPE_SHIFT; +-- +2.20.1 + diff --git a/queue-4.9/drm-gma500-fixup-fbdev-stolen-size-usage-evaluation.patch b/queue-4.9/drm-gma500-fixup-fbdev-stolen-size-usage-evaluation.patch new file mode 100644 index 00000000000..19a8bf50325 --- /dev/null +++ b/queue-4.9/drm-gma500-fixup-fbdev-stolen-size-usage-evaluation.patch @@ -0,0 +1,61 @@ +From 7952c71319e6fd4f58288572f60d92eb41b09cca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Nov 2019 16:30:48 +0100 +Subject: drm/gma500: Fixup fbdev stolen size usage evaluation + +From: Paul Kocialkowski + +[ Upstream commit fd1a5e521c3c083bb43ea731aae0f8b95f12b9bd ] + +psbfb_probe performs an evaluation of the required size from the stolen +GTT memory, but gets it wrong in two distinct ways: +- The resulting size must be page-size-aligned; +- The size to allocate is derived from the surface dimensions, not the fb + dimensions. + +When two connectors are connected with different modes, the smallest will +be stored in the fb dimensions, but the size that needs to be allocated must +match the largest (surface) dimensions. This is what is used in the actual +allocation code. + +Fix this by correcting the evaluation to conform to the two points above. +It allows correctly switching to 16bpp when one connector is e.g. 1920x1080 +and the other is 1024x768. + +Signed-off-by: Paul Kocialkowski +Signed-off-by: Patrik Jakobsson +Link: https://patchwork.freedesktop.org/patch/msgid/20191107153048.843881-1-paul.kocialkowski@bootlin.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/gma500/framebuffer.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/gma500/framebuffer.c b/drivers/gpu/drm/gma500/framebuffer.c +index 3a44e705db538..d224fc12b7571 100644 +--- a/drivers/gpu/drm/gma500/framebuffer.c ++++ b/drivers/gpu/drm/gma500/framebuffer.c +@@ -516,6 +516,7 @@ static int psbfb_probe(struct drm_fb_helper *helper, + container_of(helper, struct psb_fbdev, psb_fb_helper); + struct drm_device *dev = psb_fbdev->psb_fb_helper.dev; + struct drm_psb_private *dev_priv = dev->dev_private; ++ unsigned int fb_size; + int bytespp; + + bytespp = sizes->surface_bpp / 8; +@@ -525,8 +526,11 @@ static int psbfb_probe(struct drm_fb_helper *helper, + /* If the mode will not fit in 32bit then switch to 16bit to get + a console on full resolution. The X mode setting server will + allocate its own 32bit GEM framebuffer */ +- if (ALIGN(sizes->fb_width * bytespp, 64) * sizes->fb_height > +- dev_priv->vram_stolen_size) { ++ fb_size = ALIGN(sizes->surface_width * bytespp, 64) * ++ sizes->surface_height; ++ fb_size = ALIGN(fb_size, PAGE_SIZE); ++ ++ if (fb_size > dev_priv->vram_stolen_size) { + sizes->surface_bpp = 16; + sizes->surface_depth = 16; + } +-- +2.20.1 + diff --git a/queue-4.9/drm-mediatek-handle-events-when-enabling-disabling-c.patch b/queue-4.9/drm-mediatek-handle-events-when-enabling-disabling-c.patch new file mode 100644 index 00000000000..dce1b6cb9c6 --- /dev/null +++ b/queue-4.9/drm-mediatek-handle-events-when-enabling-disabling-c.patch @@ -0,0 +1,51 @@ +From a717f95d131f51b3ef78da9c856598a93ccf1cc8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2019 13:05:21 +0800 +Subject: drm/mediatek: handle events when enabling/disabling crtc + +From: Bibby Hsieh + +[ Upstream commit 411f5c1eacfebb1f6e40b653d29447cdfe7282aa ] + +The driver currently handles vblank events only when updating planes on +an already enabled CRTC. The atomic update API however allows requesting +an event when enabling or disabling a CRTC. This currently leads to +event objects being leaked in the kernel and to events not being sent +out. Fix it. + +Signed-off-by: Bibby Hsieh +Signed-off-by: CK Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_drm_crtc.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c +index 01a21dd835b57..1ed60da76a0ce 100644 +--- a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c ++++ b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c +@@ -306,6 +306,7 @@ err_pm_runtime_put: + static void mtk_crtc_ddp_hw_fini(struct mtk_drm_crtc *mtk_crtc) + { + struct drm_device *drm = mtk_crtc->base.dev; ++ struct drm_crtc *crtc = &mtk_crtc->base; + int i; + + DRM_DEBUG_DRIVER("%s\n", __func__); +@@ -327,6 +328,13 @@ static void mtk_crtc_ddp_hw_fini(struct mtk_drm_crtc *mtk_crtc) + mtk_disp_mutex_unprepare(mtk_crtc->mutex); + + pm_runtime_put(drm->dev); ++ ++ if (crtc->state->event && !crtc->state->active) { ++ spin_lock_irq(&crtc->dev->event_lock); ++ drm_crtc_send_vblank_event(crtc, crtc->state->event); ++ crtc->state->event = NULL; ++ spin_unlock_irq(&crtc->dev->event_lock); ++ } + } + + static void mtk_drm_crtc_enable(struct drm_crtc *crtc) +-- +2.20.1 + diff --git a/queue-4.9/drm-nouveau-disp-nv50-prevent-oops-when-no-channel-m.patch b/queue-4.9/drm-nouveau-disp-nv50-prevent-oops-when-no-channel-m.patch new file mode 100644 index 00000000000..121e9219b67 --- /dev/null +++ b/queue-4.9/drm-nouveau-disp-nv50-prevent-oops-when-no-channel-m.patch @@ -0,0 +1,41 @@ +From 64d9ec392f62a94e9ac829c2bd21264084185c60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Jan 2020 14:39:26 +1000 +Subject: drm/nouveau/disp/nv50-: prevent oops when no channel method map + provided + +From: Ben Skeggs + +[ Upstream commit 0e6176c6d286316e9431b4f695940cfac4ffe6c2 ] + +The implementations for most channel types contains a map of methods to +priv registers in order to provide debugging info when a disp exception +has been raised. + +This info is missing from the implementation of PIO channels as they're +rather simplistic already, however, if an exception is raised by one of +them, we'd end up triggering a NULL-pointer deref. Not ideal... + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=206299 +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nvkm/engine/disp/channv50.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/channv50.c b/drivers/gpu/drm/nouveau/nvkm/engine/disp/channv50.c +index 9d90d8b4b7e65..f5a8db1bb8b72 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/channv50.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/channv50.c +@@ -72,6 +72,8 @@ nv50_disp_chan_mthd(struct nv50_disp_chan *chan, int debug) + + if (debug > subdev->debug) + return; ++ if (!mthd) ++ return; + + for (i = 0; (list = mthd->data[i].mthd) != NULL; i++) { + u32 base = chan->head * mthd->addr; +-- +2.20.1 + diff --git a/queue-4.9/drm-nouveau-fix-copy-paste-error-in-nouveau_fence_wa.patch b/queue-4.9/drm-nouveau-fix-copy-paste-error-in-nouveau_fence_wa.patch new file mode 100644 index 00000000000..464b5767165 --- /dev/null +++ b/queue-4.9/drm-nouveau-fix-copy-paste-error-in-nouveau_fence_wa.patch @@ -0,0 +1,37 @@ +From eb5744cdbd548aa85d787a3e5528a63ead9ad9c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jan 2020 14:32:01 +0800 +Subject: drm/nouveau: Fix copy-paste error in + nouveau_fence_wait_uevent_handler + +From: YueHaibing + +[ Upstream commit 1eb013473bff5f95b6fe1ca4dd7deda47257b9c2 ] + +Like other cases, it should use rcu protected 'chan' rather +than 'fence->channel' in nouveau_fence_wait_uevent_handler. + +Fixes: 0ec5f02f0e2c ("drm/nouveau: prevent stale fence->channel pointers, and protect with rcu") +Signed-off-by: YueHaibing +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nouveau_fence.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_fence.c b/drivers/gpu/drm/nouveau/nouveau_fence.c +index 4bb9ab892ae19..78e521d00251c 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_fence.c ++++ b/drivers/gpu/drm/nouveau/nouveau_fence.c +@@ -158,7 +158,7 @@ nouveau_fence_wait_uevent_handler(struct nvif_notify *notify) + + fence = list_entry(fctx->pending.next, typeof(*fence), head); + chan = rcu_dereference_protected(fence->channel, lockdep_is_held(&fctx->lock)); +- if (nouveau_fence_update(fence->channel, fctx)) ++ if (nouveau_fence_update(chan, fctx)) + ret = NVIF_NOTIFY_DROP; + } + spin_unlock_irqrestore(&fctx->lock, flags); +-- +2.20.1 + diff --git a/queue-4.9/drm-nouveau-gr-gk20a-gm200-add-terminators-to-method.patch b/queue-4.9/drm-nouveau-gr-gk20a-gm200-add-terminators-to-method.patch new file mode 100644 index 00000000000..969a1316d58 --- /dev/null +++ b/queue-4.9/drm-nouveau-gr-gk20a-gm200-add-terminators-to-method.patch @@ -0,0 +1,76 @@ +From b94e6f9d250eacbcc854685994b675104ab5c315 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Jan 2020 11:46:15 +1000 +Subject: drm/nouveau/gr/gk20a,gm200-: add terminators to method lists read + from fw + +From: Ben Skeggs + +[ Upstream commit 7adc77aa0e11f25b0e762859219c70852cd8d56f ] + +Method init is typically ordered by class in the FW image as ThreeD, +TwoD, Compute. + +Due to a bug in parsing the FW into our internal format, we've been +accidentally sending Twod + Compute methods to the ThreeD class, as +well as Compute methods to the TwoD class - oops. + +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +--- + .../gpu/drm/nouveau/nvkm/engine/gr/gk20a.c | 21 ++++++++++--------- + 1 file changed, 11 insertions(+), 10 deletions(-) + +diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/gr/gk20a.c b/drivers/gpu/drm/nouveau/nvkm/engine/gr/gk20a.c +index de8b806b88fd9..7618b2eb4fdfd 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/engine/gr/gk20a.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/gr/gk20a.c +@@ -143,23 +143,24 @@ gk20a_gr_av_to_method(struct gf100_gr *gr, const char *fw_name, + + nent = (fuc.size / sizeof(struct gk20a_fw_av)); + +- pack = vzalloc((sizeof(*pack) * max_classes) + +- (sizeof(*init) * (nent + 1))); ++ pack = vzalloc((sizeof(*pack) * (max_classes + 1)) + ++ (sizeof(*init) * (nent + max_classes + 1))); + if (!pack) { + ret = -ENOMEM; + goto end; + } + +- init = (void *)(pack + max_classes); ++ init = (void *)(pack + max_classes + 1); + +- for (i = 0; i < nent; i++) { +- struct gf100_gr_init *ent = &init[i]; ++ for (i = 0; i < nent; i++, init++) { + struct gk20a_fw_av *av = &((struct gk20a_fw_av *)fuc.data)[i]; + u32 class = av->addr & 0xffff; + u32 addr = (av->addr & 0xffff0000) >> 14; + + if (prevclass != class) { +- pack[classidx].init = ent; ++ if (prevclass) /* Add terminator to the method list. */ ++ init++; ++ pack[classidx].init = init; + pack[classidx].type = class; + prevclass = class; + if (++classidx >= max_classes) { +@@ -169,10 +170,10 @@ gk20a_gr_av_to_method(struct gf100_gr *gr, const char *fw_name, + } + } + +- ent->addr = addr; +- ent->data = av->data; +- ent->count = 1; +- ent->pitch = 1; ++ init->addr = addr; ++ init->data = av->data; ++ init->count = 1; ++ init->pitch = 1; + } + + *ppack = pack; +-- +2.20.1 + diff --git a/queue-4.9/drm-vmwgfx-prevent-memory-leak-in-vmw_cmdbuf_res_add.patch b/queue-4.9/drm-vmwgfx-prevent-memory-leak-in-vmw_cmdbuf_res_add.patch new file mode 100644 index 00000000000..2f03ab380ae --- /dev/null +++ b/queue-4.9/drm-vmwgfx-prevent-memory-leak-in-vmw_cmdbuf_res_add.patch @@ -0,0 +1,40 @@ +From d00f62d57c43529d2745aa38748439cdfe422d00 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Sep 2019 23:37:58 -0500 +Subject: drm/vmwgfx: prevent memory leak in vmw_cmdbuf_res_add + +From: Navid Emamdoost + +[ Upstream commit 40efb09a7f53125719e49864da008495e39aaa1e ] + +In vmw_cmdbuf_res_add if drm_ht_insert_item fails the allocated memory +for cres should be released. + +Fixes: 18e4a4669c50 ("drm/vmwgfx: Fix compat shader namespace") +Signed-off-by: Navid Emamdoost +Reviewed-by: Thomas Hellstrom +Signed-off-by: Thomas Hellstrom +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c b/drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c +index 1f013d45c9e9a..0c7c3005594cc 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c +@@ -210,8 +210,10 @@ int vmw_cmdbuf_res_add(struct vmw_cmdbuf_res_manager *man, + + cres->hash.key = user_key | (res_type << 24); + ret = drm_ht_insert_item(&man->resources, &cres->hash); +- if (unlikely(ret != 0)) ++ if (unlikely(ret != 0)) { ++ kfree(cres); + goto out_invalid_key; ++ } + + cres->state = VMW_CMDBUF_RES_ADD; + cres->res = vmw_resource_reference(res); +-- +2.20.1 + diff --git a/queue-4.9/efi-x86-map-the-entire-efi-vendor-string-before-copy.patch b/queue-4.9/efi-x86-map-the-entire-efi-vendor-string-before-copy.patch new file mode 100644 index 00000000000..29d3d186871 --- /dev/null +++ b/queue-4.9/efi-x86-map-the-entire-efi-vendor-string-before-copy.patch @@ -0,0 +1,69 @@ +From 9c28ff2d1fef539c6f3a02899609b414b04a7d34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jan 2020 12:39:37 +0100 +Subject: efi/x86: Map the entire EFI vendor string before copying it + +From: Ard Biesheuvel + +[ Upstream commit ffc2760bcf2dba0dbef74013ed73eea8310cc52c ] + +Fix a couple of issues with the way we map and copy the vendor string: +- we map only 2 bytes, which usually works since you get at least a + page, but if the vendor string happens to cross a page boundary, + a crash will result +- only call early_memunmap() if early_memremap() succeeded, or we will + call it with a NULL address which it doesn't like, +- while at it, switch to early_memremap_ro(), and array indexing rather + than pointer dereferencing to read the CHAR16 characters. + +Signed-off-by: Ard Biesheuvel +Cc: Andy Lutomirski +Cc: Ard Biesheuvel +Cc: Arvind Sankar +Cc: Matthew Garrett +Cc: linux-efi@vger.kernel.org +Fixes: 5b83683f32b1 ("x86: EFI runtime service support") +Link: https://lkml.kernel.org/r/20200103113953.9571-5-ardb@kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/platform/efi/efi.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c +index b6669d326545a..f08abdf8bb676 100644 +--- a/arch/x86/platform/efi/efi.c ++++ b/arch/x86/platform/efi/efi.c +@@ -478,7 +478,6 @@ void __init efi_init(void) + efi_char16_t *c16; + char vendor[100] = "unknown"; + int i = 0; +- void *tmp; + + #ifdef CONFIG_X86_32 + if (boot_params.efi_info.efi_systab_hi || +@@ -503,14 +502,16 @@ void __init efi_init(void) + /* + * Show what we know for posterity + */ +- c16 = tmp = early_memremap(efi.systab->fw_vendor, 2); ++ c16 = early_memremap_ro(efi.systab->fw_vendor, ++ sizeof(vendor) * sizeof(efi_char16_t)); + if (c16) { +- for (i = 0; i < sizeof(vendor) - 1 && *c16; ++i) +- vendor[i] = *c16++; ++ for (i = 0; i < sizeof(vendor) - 1 && c16[i]; ++i) ++ vendor[i] = c16[i]; + vendor[i] = '\0'; +- } else ++ early_memunmap(c16, sizeof(vendor) * sizeof(efi_char16_t)); ++ } else { + pr_err("Could not map the firmware vendor!\n"); +- early_memunmap(tmp, 2); ++ } + + pr_info("EFI v%u.%.02u by %s\n", + efi.systab->hdr.revision >> 16, +-- +2.20.1 + diff --git a/queue-4.9/ext4-jbd2-ensure-panic-when-aborting-with-zero-errno.patch b/queue-4.9/ext4-jbd2-ensure-panic-when-aborting-with-zero-errno.patch new file mode 100644 index 00000000000..e7ef7353904 --- /dev/null +++ b/queue-4.9/ext4-jbd2-ensure-panic-when-aborting-with-zero-errno.patch @@ -0,0 +1,76 @@ +From 796b458c7819085d46f7ed5a281ee43d6af6010e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2019 20:46:12 +0800 +Subject: ext4, jbd2: ensure panic when aborting with zero errno + +From: zhangyi (F) + +[ Upstream commit 51f57b01e4a3c7d7bdceffd84de35144e8c538e7 ] + +JBD2_REC_ERR flag used to indicate the errno has been updated when jbd2 +aborted, and then __ext4_abort() and ext4_handle_error() can invoke +panic if ERRORS_PANIC is specified. But if the journal has been aborted +with zero errno, jbd2_journal_abort() didn't set this flag so we can +no longer panic. Fix this by always record the proper errno in the +journal superblock. + +Fixes: 4327ba52afd03 ("ext4, jbd2: ensure entering into panic after recording an error in superblock") +Signed-off-by: zhangyi (F) +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20191204124614.45424-3-yi.zhang@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/jbd2/checkpoint.c | 2 +- + fs/jbd2/journal.c | 15 ++++----------- + 2 files changed, 5 insertions(+), 12 deletions(-) + +diff --git a/fs/jbd2/checkpoint.c b/fs/jbd2/checkpoint.c +index 4d5a5a4cc017c..addb0784dd1c4 100644 +--- a/fs/jbd2/checkpoint.c ++++ b/fs/jbd2/checkpoint.c +@@ -168,7 +168,7 @@ void __jbd2_log_wait_for_space(journal_t *journal) + "journal space in %s\n", __func__, + journal->j_devname); + WARN_ON(1); +- jbd2_journal_abort(journal, 0); ++ jbd2_journal_abort(journal, -EIO); + } + write_lock(&journal->j_state_lock); + } else { +diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c +index 40c754854b29e..efc8cfd060730 100644 +--- a/fs/jbd2/journal.c ++++ b/fs/jbd2/journal.c +@@ -2100,12 +2100,10 @@ static void __journal_abort_soft (journal_t *journal, int errno) + + __jbd2_journal_abort_hard(journal); + +- if (errno) { +- jbd2_journal_update_sb_errno(journal); +- write_lock(&journal->j_state_lock); +- journal->j_flags |= JBD2_REC_ERR; +- write_unlock(&journal->j_state_lock); +- } ++ jbd2_journal_update_sb_errno(journal); ++ write_lock(&journal->j_state_lock); ++ journal->j_flags |= JBD2_REC_ERR; ++ write_unlock(&journal->j_state_lock); + } + + /** +@@ -2147,11 +2145,6 @@ static void __journal_abort_soft (journal_t *journal, int errno) + * failure to disk. ext3_error, for example, now uses this + * functionality. + * +- * Errors which originate from within the journaling layer will NOT +- * supply an errno; a null errno implies that absolutely no further +- * writes are done to the journal (unless there are any already in +- * progress). +- * + */ + + void jbd2_journal_abort(journal_t *journal, int errno) +-- +2.20.1 + diff --git a/queue-4.9/ftrace-fpid_next-should-increase-position-index.patch b/queue-4.9/ftrace-fpid_next-should-increase-position-index.patch new file mode 100644 index 00000000000..c8d48214970 --- /dev/null +++ b/queue-4.9/ftrace-fpid_next-should-increase-position-index.patch @@ -0,0 +1,63 @@ +From 6f91e39a064c8cde655223ddf042af906e062d37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jan 2020 10:02:56 +0300 +Subject: ftrace: fpid_next() should increase position index + +From: Vasily Averin + +[ Upstream commit e4075e8bdffd93a9b6d6e1d52fabedceeca5a91b ] + +if seq_file .next fuction does not change position index, +read after some lseek can generate unexpected output. + +Without patch: + # dd bs=4 skip=1 if=/sys/kernel/tracing/set_ftrace_pid + dd: /sys/kernel/tracing/set_ftrace_pid: cannot skip to specified offset + id + no pid + 2+1 records in + 2+1 records out + 10 bytes copied, 0.000213285 s, 46.9 kB/s + +Notice the "id" followed by "no pid". + +With the patch: + # dd bs=4 skip=1 if=/sys/kernel/tracing/set_ftrace_pid + dd: /sys/kernel/tracing/set_ftrace_pid: cannot skip to specified offset + id + 0+1 records in + 0+1 records out + 3 bytes copied, 0.000202112 s, 14.8 kB/s + +Notice that it only prints "id" and not the "no pid" afterward. + +Link: http://lkml.kernel.org/r/4f87c6ad-f114-30bb-8506-c32274ce2992@virtuozzo.com + +https://bugzilla.kernel.org/show_bug.cgi?id=206283 +Signed-off-by: Vasily Averin +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + kernel/trace/ftrace.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c +index 71a40e5c3a9f0..2ae98f8bce81b 100644 +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -5455,9 +5455,10 @@ static void *fpid_next(struct seq_file *m, void *v, loff_t *pos) + struct trace_array *tr = m->private; + struct trace_pid_list *pid_list = rcu_dereference_sched(tr->function_pids); + +- if (v == FTRACE_NO_PIDS) ++ if (v == FTRACE_NO_PIDS) { ++ (*pos)++; + return NULL; +- ++ } + return trace_pid_next(pid_list, v, pos); + } + +-- +2.20.1 + diff --git a/queue-4.9/gianfar-fix-tx-timestamping-with-a-stacked-dsa-drive.patch b/queue-4.9/gianfar-fix-tx-timestamping-with-a-stacked-dsa-drive.patch new file mode 100644 index 00000000000..b34619fd7cb --- /dev/null +++ b/queue-4.9/gianfar-fix-tx-timestamping-with-a-stacked-dsa-drive.patch @@ -0,0 +1,89 @@ +From 8328f7072f1e4c14d7c5832c577a876b2487385b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Dec 2019 15:30:45 +0200 +Subject: gianfar: Fix TX timestamping with a stacked DSA driver + +From: Vladimir Oltean + +[ Upstream commit c26a2c2ddc0115eb088873f5c309cf46b982f522 ] + +The driver wrongly assumes that it is the only entity that can set the +SKBTX_IN_PROGRESS bit of the current skb. Therefore, in the +gfar_clean_tx_ring function, where the TX timestamp is collected if +necessary, the aforementioned bit is used to discriminate whether or not +the TX timestamp should be delivered to the socket's error queue. + +But a stacked driver such as a DSA switch can also set the +SKBTX_IN_PROGRESS bit, which is actually exactly what it should do in +order to denote that the hardware timestamping process is undergoing. + +Therefore, gianfar would misinterpret the "in progress" bit as being its +own, and deliver a second skb clone in the socket's error queue, +completely throwing off a PTP process which is not expecting to receive +it, _even though_ TX timestamping is not enabled for gianfar. + +There have been discussions [0] as to whether non-MAC drivers need or +not to set SKBTX_IN_PROGRESS at all (whose purpose is to avoid sending 2 +timestamps, a sw and a hw one, to applications which only expect one). +But as of this patch, there are at least 2 PTP drivers that would break +in conjunction with gianfar: the sja1105 DSA switch and the felix +switch, by way of its ocelot core driver. + +So regardless of that conclusion, fix the gianfar driver to not do stuff +based on flags set by others and not intended for it. + +[0]: https://www.spinics.net/lists/netdev/msg619699.html + +Fixes: f0ee7acfcdd4 ("gianfar: Add hardware TX timestamping support") +Signed-off-by: Vladimir Oltean +Acked-by: Richard Cochran +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/gianfar.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/gianfar.c b/drivers/net/ethernet/freescale/gianfar.c +index 60bd1b36df606..b665d27f8e299 100644 +--- a/drivers/net/ethernet/freescale/gianfar.c ++++ b/drivers/net/ethernet/freescale/gianfar.c +@@ -2688,13 +2688,17 @@ static void gfar_clean_tx_ring(struct gfar_priv_tx_q *tx_queue) + skb_dirtytx = tx_queue->skb_dirtytx; + + while ((skb = tx_queue->tx_skbuff[skb_dirtytx])) { ++ bool do_tstamp; ++ ++ do_tstamp = (skb_shinfo(skb)->tx_flags & SKBTX_HW_TSTAMP) && ++ priv->hwts_tx_en; + + frags = skb_shinfo(skb)->nr_frags; + + /* When time stamping, one additional TxBD must be freed. + * Also, we need to dma_unmap_single() the TxPAL. + */ +- if (unlikely(skb_shinfo(skb)->tx_flags & SKBTX_IN_PROGRESS)) ++ if (unlikely(do_tstamp)) + nr_txbds = frags + 2; + else + nr_txbds = frags + 1; +@@ -2708,7 +2712,7 @@ static void gfar_clean_tx_ring(struct gfar_priv_tx_q *tx_queue) + (lstatus & BD_LENGTH_MASK)) + break; + +- if (unlikely(skb_shinfo(skb)->tx_flags & SKBTX_IN_PROGRESS)) { ++ if (unlikely(do_tstamp)) { + next = next_txbd(bdp, base, tx_ring_size); + buflen = be16_to_cpu(next->length) + + GMAC_FCB_LEN + GMAC_TXPAL_LEN; +@@ -2718,7 +2722,7 @@ static void gfar_clean_tx_ring(struct gfar_priv_tx_q *tx_queue) + dma_unmap_single(priv->dev, be32_to_cpu(bdp->bufPtr), + buflen, DMA_TO_DEVICE); + +- if (unlikely(skb_shinfo(skb)->tx_flags & SKBTX_IN_PROGRESS)) { ++ if (unlikely(do_tstamp)) { + struct skb_shared_hwtstamps shhwtstamps; + u64 *ns = (u64 *)(((uintptr_t)skb->data + 0x10) & + ~0x7UL); +-- +2.20.1 + diff --git a/queue-4.9/gpio-gpio-grgpio-fix-possible-sleep-in-atomic-contex.patch b/queue-4.9/gpio-gpio-grgpio-fix-possible-sleep-in-atomic-contex.patch new file mode 100644 index 00000000000..42168e55e7f --- /dev/null +++ b/queue-4.9/gpio-gpio-grgpio-fix-possible-sleep-in-atomic-contex.patch @@ -0,0 +1,78 @@ +From 2058623ba86f779eb982d4c3f853e8df9f0837c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Dec 2019 21:26:05 +0800 +Subject: gpio: gpio-grgpio: fix possible sleep-in-atomic-context bugs in + grgpio_irq_map/unmap() + +From: Jia-Ju Bai + +[ Upstream commit e36eaf94be8f7bc4e686246eed3cf92d845e2ef8 ] + +The driver may sleep while holding a spinlock. +The function call path (from bottom to top) in Linux 4.19 is: + +drivers/gpio/gpio-grgpio.c, 261: + request_irq in grgpio_irq_map +drivers/gpio/gpio-grgpio.c, 255: + _raw_spin_lock_irqsave in grgpio_irq_map + +drivers/gpio/gpio-grgpio.c, 318: + free_irq in grgpio_irq_unmap +drivers/gpio/gpio-grgpio.c, 299: + _raw_spin_lock_irqsave in grgpio_irq_unmap + +request_irq() and free_irq() can sleep at runtime. + +To fix these bugs, request_irq() and free_irq() are called without +holding the spinlock. + +These bugs are found by a static analysis tool STCheck written by myself. + +Signed-off-by: Jia-Ju Bai +Link: https://lore.kernel.org/r/20191218132605.10594-1-baijiaju1990@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-grgpio.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpio/gpio-grgpio.c b/drivers/gpio/gpio-grgpio.c +index 7847dd34f86fc..036a78b704270 100644 +--- a/drivers/gpio/gpio-grgpio.c ++++ b/drivers/gpio/gpio-grgpio.c +@@ -259,17 +259,16 @@ static int grgpio_irq_map(struct irq_domain *d, unsigned int irq, + lirq->irq = irq; + uirq = &priv->uirqs[lirq->index]; + if (uirq->refcnt == 0) { ++ spin_unlock_irqrestore(&priv->gc.bgpio_lock, flags); + ret = request_irq(uirq->uirq, grgpio_irq_handler, 0, + dev_name(priv->dev), priv); + if (ret) { + dev_err(priv->dev, + "Could not request underlying irq %d\n", + uirq->uirq); +- +- spin_unlock_irqrestore(&priv->gc.bgpio_lock, flags); +- + return ret; + } ++ spin_lock_irqsave(&priv->gc.bgpio_lock, flags); + } + uirq->refcnt++; + +@@ -315,8 +314,11 @@ static void grgpio_irq_unmap(struct irq_domain *d, unsigned int irq) + if (index >= 0) { + uirq = &priv->uirqs[lirq->index]; + uirq->refcnt--; +- if (uirq->refcnt == 0) ++ if (uirq->refcnt == 0) { ++ spin_unlock_irqrestore(&priv->gc.bgpio_lock, flags); + free_irq(uirq->uirq, priv); ++ return; ++ } + } + + spin_unlock_irqrestore(&priv->gc.bgpio_lock, flags); +-- +2.20.1 + diff --git a/queue-4.9/help_next-should-increase-position-index.patch b/queue-4.9/help_next-should-increase-position-index.patch new file mode 100644 index 00000000000..f9ce9618880 --- /dev/null +++ b/queue-4.9/help_next-should-increase-position-index.patch @@ -0,0 +1,35 @@ +From 930a7e5de3cf3b0a1d2ad4bfdce2638bbbdd641e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jan 2020 09:10:47 +0300 +Subject: help_next should increase position index + +From: Vasily Averin + +[ Upstream commit 9f198a2ac543eaaf47be275531ad5cbd50db3edf ] + +if seq_file .next fuction does not change position index, +read after some lseek can generate unexpected output. + +https://bugzilla.kernel.org/show_bug.cgi?id=206283 +Signed-off-by: Vasily Averin +Signed-off-by: Mike Marshall +Signed-off-by: Sasha Levin +--- + fs/orangefs/orangefs-debugfs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/orangefs/orangefs-debugfs.c b/fs/orangefs/orangefs-debugfs.c +index 0748a26598fca..7d7df003f9d8d 100644 +--- a/fs/orangefs/orangefs-debugfs.c ++++ b/fs/orangefs/orangefs-debugfs.c +@@ -304,6 +304,7 @@ static void *help_start(struct seq_file *m, loff_t *pos) + + static void *help_next(struct seq_file *m, void *v, loff_t *pos) + { ++ (*pos)++; + gossip_debug(GOSSIP_DEBUGFS_DEBUG, "help_next: start\n"); + + return NULL; +-- +2.20.1 + diff --git a/queue-4.9/hostap-adjust-indentation-in-prism2_hostapd_add_sta.patch b/queue-4.9/hostap-adjust-indentation-in-prism2_hostapd_add_sta.patch new file mode 100644 index 00000000000..a6af2009c4b --- /dev/null +++ b/queue-4.9/hostap-adjust-indentation-in-prism2_hostapd_add_sta.patch @@ -0,0 +1,52 @@ +From 92c4868dc5014007d4a8128d8e2b00bef3f07e8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Dec 2019 18:15:46 -0700 +Subject: hostap: Adjust indentation in prism2_hostapd_add_sta + +From: Nathan Chancellor + +[ Upstream commit b61156fba74f659d0bc2de8f2dbf5bad9f4b8faf ] + +Clang warns: + +../drivers/net/wireless/intersil/hostap/hostap_ap.c:2511:3: warning: +misleading indentation; statement is not part of the previous 'if' +[-Wmisleading-indentation] + if (sta->tx_supp_rates & WLAN_RATE_5M5) + ^ +../drivers/net/wireless/intersil/hostap/hostap_ap.c:2509:2: note: +previous statement is here + if (sta->tx_supp_rates & WLAN_RATE_2M) + ^ +1 warning generated. + +This warning occurs because there is a space before the tab on this +line. Remove it so that the indentation is consistent with the Linux +kernel coding style and clang no longer warns. + +Fixes: ff1d2767d5a4 ("Add HostAP wireless driver.") +Link: https://github.com/ClangBuiltLinux/linux/issues/813 +Signed-off-by: Nathan Chancellor +Reviewed-by: Nick Desaulniers +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intersil/hostap/hostap_ap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intersil/hostap/hostap_ap.c b/drivers/net/wireless/intersil/hostap/hostap_ap.c +index c995ace153ee6..30171d4c47187 100644 +--- a/drivers/net/wireless/intersil/hostap/hostap_ap.c ++++ b/drivers/net/wireless/intersil/hostap/hostap_ap.c +@@ -2570,7 +2570,7 @@ static int prism2_hostapd_add_sta(struct ap_data *ap, + sta->supported_rates[0] = 2; + if (sta->tx_supp_rates & WLAN_RATE_2M) + sta->supported_rates[1] = 4; +- if (sta->tx_supp_rates & WLAN_RATE_5M5) ++ if (sta->tx_supp_rates & WLAN_RATE_5M5) + sta->supported_rates[2] = 11; + if (sta->tx_supp_rates & WLAN_RATE_11M) + sta->supported_rates[3] = 22; +-- +2.20.1 + diff --git a/queue-4.9/ide-serverworks-potential-overflow-in-svwks_set_pio_.patch b/queue-4.9/ide-serverworks-potential-overflow-in-svwks_set_pio_.patch new file mode 100644 index 00000000000..e3d6b8fb96f --- /dev/null +++ b/queue-4.9/ide-serverworks-potential-overflow-in-svwks_set_pio_.patch @@ -0,0 +1,45 @@ +From ce08f8294134cfad13fbae439ed5db5858e1c4f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jan 2020 16:06:07 +0300 +Subject: ide: serverworks: potential overflow in svwks_set_pio_mode() + +From: Dan Carpenter + +[ Upstream commit ce1f31b4c0b9551dd51874dd5364654ed4ca13ae ] + +The "drive->dn" variable is a u8 controlled by root. + +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/ide/serverworks.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/ide/serverworks.c b/drivers/ide/serverworks.c +index a97affca18abe..0f57d45484d1d 100644 +--- a/drivers/ide/serverworks.c ++++ b/drivers/ide/serverworks.c +@@ -114,6 +114,9 @@ static void svwks_set_pio_mode(ide_hwif_t *hwif, ide_drive_t *drive) + struct pci_dev *dev = to_pci_dev(hwif->dev); + const u8 pio = drive->pio_mode - XFER_PIO_0; + ++ if (drive->dn >= ARRAY_SIZE(drive_pci)) ++ return; ++ + pci_write_config_byte(dev, drive_pci[drive->dn], pio_modes[pio]); + + if (svwks_csb_check(dev)) { +@@ -140,6 +143,9 @@ static void svwks_set_dma_mode(ide_hwif_t *hwif, ide_drive_t *drive) + + u8 ultra_enable = 0, ultra_timing = 0, dma_timing = 0; + ++ if (drive->dn >= ARRAY_SIZE(drive_pci2)) ++ return; ++ + pci_read_config_byte(dev, (0x56|hwif->channel), &ultra_timing); + pci_read_config_byte(dev, 0x54, &ultra_enable); + +-- +2.20.1 + diff --git a/queue-4.9/input-edt-ft5x06-work-around-first-register-access-e.patch b/queue-4.9/input-edt-ft5x06-work-around-first-register-access-e.patch new file mode 100644 index 00000000000..10f29172a0c --- /dev/null +++ b/queue-4.9/input-edt-ft5x06-work-around-first-register-access-e.patch @@ -0,0 +1,55 @@ +From 996983ad48bd9f05131ef057b019444bb9413498 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Jan 2020 17:03:21 -0800 +Subject: Input: edt-ft5x06 - work around first register access error + +From: Philipp Zabel + +[ Upstream commit e112324cc0422c046f1cf54c56f333d34fa20885 ] + +The EP0700MLP1 returns bogus data on the first register read access +(reading the threshold parameter from register 0x00): + + edt_ft5x06 2-0038: crc error: 0xfc expected, got 0x40 + +It ignores writes until then. This patch adds a dummy read after which +the number of sensors and parameter read/writes work correctly. + +Signed-off-by: Philipp Zabel +Signed-off-by: Marco Felsch +Tested-by: Andy Shevchenko +Reviewed-by: Andy Shevchenko +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/touchscreen/edt-ft5x06.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/input/touchscreen/edt-ft5x06.c b/drivers/input/touchscreen/edt-ft5x06.c +index 28466e358fee1..22c8d2070faac 100644 +--- a/drivers/input/touchscreen/edt-ft5x06.c ++++ b/drivers/input/touchscreen/edt-ft5x06.c +@@ -887,6 +887,7 @@ static int edt_ft5x06_ts_probe(struct i2c_client *client, + { + const struct edt_i2c_chip_data *chip_data; + struct edt_ft5x06_ts_data *tsdata; ++ u8 buf[2] = { 0xfc, 0x00 }; + struct input_dev *input; + unsigned long irq_flags; + int error; +@@ -956,6 +957,12 @@ static int edt_ft5x06_ts_probe(struct i2c_client *client, + return error; + } + ++ /* ++ * Dummy read access. EP0700MLP1 returns bogus data on the first ++ * register read access and ignores writes. ++ */ ++ edt_ft5x06_ts_readwrite(tsdata->client, 2, buf, 2, buf); ++ + edt_ft5x06_ts_set_regs(tsdata); + edt_ft5x06_ts_get_defaults(&client->dev, tsdata); + edt_ft5x06_ts_get_parameters(tsdata); +-- +2.20.1 + diff --git a/queue-4.9/iommu-arm-smmu-v3-use-write_once-when-changing-valid.patch b/queue-4.9/iommu-arm-smmu-v3-use-write_once-when-changing-valid.patch new file mode 100644 index 00000000000..218dfcaa857 --- /dev/null +++ b/queue-4.9/iommu-arm-smmu-v3-use-write_once-when-changing-valid.patch @@ -0,0 +1,40 @@ +From cdf79f3346a77cc372269257a9ce0503e7421bbe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Jan 2020 15:21:47 +0000 +Subject: iommu/arm-smmu-v3: Use WRITE_ONCE() when changing validity of an STE + +From: Will Deacon + +[ Upstream commit d71e01716b3606a6648df7e5646ae12c75babde4 ] + +If, for some bizarre reason, the compiler decided to split up the write +of STE DWORD 0, we could end up making a partial structure valid. + +Although this probably won't happen, follow the example of the +context-descriptor code and use WRITE_ONCE() to ensure atomicity of the +write. + +Reported-by: Jean-Philippe Brucker +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/iommu/arm-smmu-v3.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/iommu/arm-smmu-v3.c b/drivers/iommu/arm-smmu-v3.c +index 7bd98585d78d2..48d3820087881 100644 +--- a/drivers/iommu/arm-smmu-v3.c ++++ b/drivers/iommu/arm-smmu-v3.c +@@ -1103,7 +1103,8 @@ static void arm_smmu_write_strtab_ent(struct arm_smmu_device *smmu, u32 sid, + } + + arm_smmu_sync_ste_for_sid(smmu, sid); +- dst[0] = cpu_to_le64(val); ++ /* See comment in arm_smmu_write_ctx_desc() */ ++ WRITE_ONCE(dst[0], cpu_to_le64(val)); + arm_smmu_sync_ste_for_sid(smmu, sid); + + /* It's likely that we'll want to use the new STE soon */ +-- +2.20.1 + diff --git a/queue-4.9/ipw2x00-fix-wcast-function-type.patch b/queue-4.9/ipw2x00-fix-wcast-function-type.patch new file mode 100644 index 00000000000..e5d6d250e8c --- /dev/null +++ b/queue-4.9/ipw2x00-fix-wcast-function-type.patch @@ -0,0 +1,81 @@ +From a4212856526cf8f570446ae7a254fe832095f193 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Nov 2019 00:55:27 +0700 +Subject: ipw2x00: Fix -Wcast-function-type + +From: Phong Tran + +[ Upstream commit ebd77feb27e91bb5fe35a7818b7c13ea7435fb98 ] + +correct usage prototype of callback in tasklet_init(). +Report by https://github.com/KSPP/linux/issues/20 + +Signed-off-by: Phong Tran +Reviewed-by: Kees Cook +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/ipw2x00/ipw2100.c | 7 ++++--- + drivers/net/wireless/intel/ipw2x00/ipw2200.c | 5 +++-- + 2 files changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/intel/ipw2x00/ipw2100.c b/drivers/net/wireless/intel/ipw2x00/ipw2100.c +index bfa542c8d6f1a..86c84b11218db 100644 +--- a/drivers/net/wireless/intel/ipw2x00/ipw2100.c ++++ b/drivers/net/wireless/intel/ipw2x00/ipw2100.c +@@ -3220,8 +3220,9 @@ static void ipw2100_tx_send_data(struct ipw2100_priv *priv) + } + } + +-static void ipw2100_irq_tasklet(struct ipw2100_priv *priv) ++static void ipw2100_irq_tasklet(unsigned long data) + { ++ struct ipw2100_priv *priv = (struct ipw2100_priv *)data; + struct net_device *dev = priv->net_dev; + unsigned long flags; + u32 inta, tmp; +@@ -6029,7 +6030,7 @@ static void ipw2100_rf_kill(struct work_struct *work) + spin_unlock_irqrestore(&priv->low_lock, flags); + } + +-static void ipw2100_irq_tasklet(struct ipw2100_priv *priv); ++static void ipw2100_irq_tasklet(unsigned long data); + + static const struct net_device_ops ipw2100_netdev_ops = { + .ndo_open = ipw2100_open, +@@ -6158,7 +6159,7 @@ static struct net_device *ipw2100_alloc_device(struct pci_dev *pci_dev, + INIT_DELAYED_WORK(&priv->rf_kill, ipw2100_rf_kill); + INIT_DELAYED_WORK(&priv->scan_event, ipw2100_scan_event); + +- tasklet_init(&priv->irq_tasklet, (void (*)(unsigned long)) ++ tasklet_init(&priv->irq_tasklet, + ipw2100_irq_tasklet, (unsigned long)priv); + + /* NOTE: We do not start the deferred work for status checks yet */ +diff --git a/drivers/net/wireless/intel/ipw2x00/ipw2200.c b/drivers/net/wireless/intel/ipw2x00/ipw2200.c +index bfd68612a535d..48edb2b6eb7d5 100644 +--- a/drivers/net/wireless/intel/ipw2x00/ipw2200.c ++++ b/drivers/net/wireless/intel/ipw2x00/ipw2200.c +@@ -1968,8 +1968,9 @@ static void notify_wx_assoc_event(struct ipw_priv *priv) + wireless_send_event(priv->net_dev, SIOCGIWAP, &wrqu, NULL); + } + +-static void ipw_irq_tasklet(struct ipw_priv *priv) ++static void ipw_irq_tasklet(unsigned long data) + { ++ struct ipw_priv *priv = (struct ipw_priv *)data; + u32 inta, inta_mask, handled = 0; + unsigned long flags; + int rc = 0; +@@ -10705,7 +10706,7 @@ static int ipw_setup_deferred_work(struct ipw_priv *priv) + INIT_WORK(&priv->qos_activate, ipw_bg_qos_activate); + #endif /* CONFIG_IPW2200_QOS */ + +- tasklet_init(&priv->irq_tasklet, (void (*)(unsigned long)) ++ tasklet_init(&priv->irq_tasklet, + ipw_irq_tasklet, (unsigned long)priv); + + return ret; +-- +2.20.1 + diff --git a/queue-4.9/irqchip-gic-v3-its-reference-to-its_invall_cmd-descr.patch b/queue-4.9/irqchip-gic-v3-its-reference-to-its_invall_cmd-descr.patch new file mode 100644 index 00000000000..189dcf11f1f --- /dev/null +++ b/queue-4.9/irqchip-gic-v3-its-reference-to-its_invall_cmd-descr.patch @@ -0,0 +1,40 @@ +From df54ba9de0c4d149f07f041f9de4ee3ac1973ce3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Dec 2019 15:10:21 +0800 +Subject: irqchip/gic-v3-its: Reference to its_invall_cmd descriptor when + building INVALL + +From: Zenghui Yu + +[ Upstream commit 107945227ac5d4c37911c7841b27c64b489ce9a9 ] + +It looks like an obvious mistake to use its_mapc_cmd descriptor when +building the INVALL command block. It so far worked by luck because +both its_mapc_cmd.col and its_invall_cmd.col sit at the same offset of +the ITS command descriptor, but we should not rely on it. + +Fixes: cc2d3216f53c ("irqchip: GICv3: ITS command queue") +Signed-off-by: Zenghui Yu +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20191202071021.1251-1-yuzenghui@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-gic-v3-its.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c +index 0c0cd2768d6e9..d1efbb8dadc53 100644 +--- a/drivers/irqchip/irq-gic-v3-its.c ++++ b/drivers/irqchip/irq-gic-v3-its.c +@@ -365,7 +365,7 @@ static struct its_collection *its_build_invall_cmd(struct its_cmd_block *cmd, + struct its_cmd_desc *desc) + { + its_encode_cmd(cmd, GITS_CMD_INVALL); +- its_encode_collection(cmd, desc->its_mapc_cmd.col->col_id); ++ its_encode_collection(cmd, desc->its_invall_cmd.col->col_id); + + its_fixup_cmd(cmd); + +-- +2.20.1 + diff --git a/queue-4.9/irqchip-gic-v3-only-provision-redistributors-that-ar.patch b/queue-4.9/irqchip-gic-v3-only-provision-redistributors-that-ar.patch new file mode 100644 index 00000000000..974887ea16c --- /dev/null +++ b/queue-4.9/irqchip-gic-v3-only-provision-redistributors-that-ar.patch @@ -0,0 +1,71 @@ +From ce066d730704e232e6a47a9031fde0fdb5d6054e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Dec 2019 11:24:57 +0000 +Subject: irqchip/gic-v3: Only provision redistributors that are enabled in + ACPI + +From: Marc Zyngier + +[ Upstream commit 926b5dfa6b8dc666ff398044af6906b156e1d949 ] + +We currently allocate redistributor region structures for +individual redistributors when ACPI doesn't present us with +compact MMIO regions covering multiple redistributors. + +It turns out that we allocate these structures even when +the redistributor is flagged as disabled by ACPI. It works +fine until someone actually tries to tarse one of these +structures, and access the corresponding MMIO region. + +Instead, track the number of enabled redistributors, and +only allocate what is required. This makes sure that there +is no invalid data to misuse. + +Signed-off-by: Marc Zyngier +Reported-by: Heyi Guo +Tested-by: Heyi Guo +Link: https://lore.kernel.org/r/20191216062745.63397-1-guoheyi@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-gic-v3.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/irqchip/irq-gic-v3.c b/drivers/irqchip/irq-gic-v3.c +index f7b8681aed3f4..2ab6060031a43 100644 +--- a/drivers/irqchip/irq-gic-v3.c ++++ b/drivers/irqchip/irq-gic-v3.c +@@ -1195,6 +1195,7 @@ static struct + struct redist_region *redist_regs; + u32 nr_redist_regions; + bool single_redist; ++ int enabled_rdists; + u32 maint_irq; + int maint_irq_mode; + phys_addr_t vcpu_base; +@@ -1289,8 +1290,10 @@ static int __init gic_acpi_match_gicc(struct acpi_subtable_header *header, + * If GICC is enabled and has valid gicr base address, then it means + * GICR base is presented via GICC + */ +- if ((gicc->flags & ACPI_MADT_ENABLED) && gicc->gicr_base_address) ++ if ((gicc->flags & ACPI_MADT_ENABLED) && gicc->gicr_base_address) { ++ acpi_data.enabled_rdists++; + return 0; ++ } + + /* + * It's perfectly valid firmware can pass disabled GICC entry, driver +@@ -1320,8 +1323,10 @@ static int __init gic_acpi_count_gicr_regions(void) + + count = acpi_table_parse_madt(ACPI_MADT_TYPE_GENERIC_INTERRUPT, + gic_acpi_match_gicc, 0); +- if (count > 0) ++ if (count > 0) { + acpi_data.single_redist = true; ++ count = acpi_data.enabled_rdists; ++ } + + return count; + } +-- +2.20.1 + diff --git a/queue-4.9/isdn-don-t-mark-kcapi_proc_exit-as-__exit.patch b/queue-4.9/isdn-don-t-mark-kcapi_proc_exit-as-__exit.patch new file mode 100644 index 00000000000..dfc15351277 --- /dev/null +++ b/queue-4.9/isdn-don-t-mark-kcapi_proc_exit-as-__exit.patch @@ -0,0 +1,49 @@ +From bfb5e9af517f5fed2bdceaff29f559c2e5566c4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Dec 2019 20:48:56 +0100 +Subject: isdn: don't mark kcapi_proc_exit as __exit + +From: Arnd Bergmann + +[ Upstream commit b33bdf8020c94438269becc6dace9ed49257c4ba ] + +As everybody pointed out by now, my patch to clean up CAPI introduced +a link time warning, as the two parts of the capi driver are now in +one module and the exit function may need to be called in the error +path of the init function: + +>> WARNING: drivers/isdn/capi/kernelcapi.o(.text+0xea4): Section mismatch in reference from the function kcapi_exit() to the function .exit.text:kcapi_proc_exit() + The function kcapi_exit() references a function in an exit section. + Often the function kcapi_proc_exit() has valid usage outside the exit section + and the fix is to remove the __exit annotation of kcapi_proc_exit. + +Remove the incorrect __exit annotation. + +Reported-by: kbuild test robot +Reported-by: kernelci.org bot +Reported-by: Olof's autobuilder +Reported-by: Stephen Rothwell +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20191216194909.1983639-1-arnd@arndb.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/isdn/capi/kcapi_proc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/isdn/capi/kcapi_proc.c b/drivers/isdn/capi/kcapi_proc.c +index 68db3c5a10636..d6ca626219c93 100644 +--- a/drivers/isdn/capi/kcapi_proc.c ++++ b/drivers/isdn/capi/kcapi_proc.c +@@ -309,7 +309,7 @@ kcapi_proc_init(void) + proc_create("capi/driver", 0, NULL, &proc_driver_ops); + } + +-void __exit ++void + kcapi_proc_exit(void) + { + remove_proc_entry("capi/driver", NULL); +-- +2.20.1 + diff --git a/queue-4.9/iwlegacy-ensure-loop-counter-addr-does-not-wrap-and-.patch b/queue-4.9/iwlegacy-ensure-loop-counter-addr-does-not-wrap-and-.patch new file mode 100644 index 00000000000..8c0bad0403e --- /dev/null +++ b/queue-4.9/iwlegacy-ensure-loop-counter-addr-does-not-wrap-and-.patch @@ -0,0 +1,42 @@ +From 8005cb2b0faf9a38ac282b21812257815bc94a72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Jan 2020 00:09:54 +0000 +Subject: iwlegacy: ensure loop counter addr does not wrap and cause an + infinite loop + +From: Colin Ian King + +[ Upstream commit c2f9a4e4a5abfc84c01b738496b3fd2d471e0b18 ] + +The loop counter addr is a u16 where as the upper limit of the loop +is an int. In the unlikely event that the il->cfg->eeprom_size is +greater than 64K then we end up with an infinite loop since addr will +wrap around an never reach upper loop limit. Fix this by making addr +an int. + +Addresses-Coverity: ("Infinite loop") +Fixes: be663ab67077 ("iwlwifi: split the drivers for agn and legacy devices 3945/4965") +Signed-off-by: Colin Ian King +Acked-by: Stanislaw Gruszka +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlegacy/common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlegacy/common.c b/drivers/net/wireless/intel/iwlegacy/common.c +index 140b6ea8f7cc4..db2373fe8ac32 100644 +--- a/drivers/net/wireless/intel/iwlegacy/common.c ++++ b/drivers/net/wireless/intel/iwlegacy/common.c +@@ -717,7 +717,7 @@ il_eeprom_init(struct il_priv *il) + u32 gp = _il_rd(il, CSR_EEPROM_GP); + int sz; + int ret; +- u16 addr; ++ int addr; + + /* allocate eeprom */ + sz = il->cfg->eeprom_size; +-- +2.20.1 + diff --git a/queue-4.9/iwlegacy-fix-wcast-function-type.patch b/queue-4.9/iwlegacy-fix-wcast-function-type.patch new file mode 100644 index 00000000000..2097cab7115 --- /dev/null +++ b/queue-4.9/iwlegacy-fix-wcast-function-type.patch @@ -0,0 +1,72 @@ +From d2918dfb304677bcacd4f98ce3f5f3d4ab12b14d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Nov 2019 00:55:28 +0700 +Subject: iwlegacy: Fix -Wcast-function-type + +From: Phong Tran + +[ Upstream commit da5e57e8a6a3e69dac2937ba63fa86355628fbb2 ] + +correct usage prototype of callback in tasklet_init(). +Report by https://github.com/KSPP/linux/issues/20 + +Signed-off-by: Phong Tran +Reviewed-by: Kees Cook +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlegacy/3945-mac.c | 5 +++-- + drivers/net/wireless/intel/iwlegacy/4965-mac.c | 5 +++-- + 2 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlegacy/3945-mac.c b/drivers/net/wireless/intel/iwlegacy/3945-mac.c +index 466912eb2d874..d853ccbf74cb2 100644 +--- a/drivers/net/wireless/intel/iwlegacy/3945-mac.c ++++ b/drivers/net/wireless/intel/iwlegacy/3945-mac.c +@@ -1399,8 +1399,9 @@ il3945_dump_nic_error_log(struct il_priv *il) + } + + static void +-il3945_irq_tasklet(struct il_priv *il) ++il3945_irq_tasklet(unsigned long data) + { ++ struct il_priv *il = (struct il_priv *)data; + u32 inta, handled = 0; + u32 inta_fh; + unsigned long flags; +@@ -3432,7 +3433,7 @@ il3945_setup_deferred_work(struct il_priv *il) + setup_timer(&il->watchdog, il_bg_watchdog, (unsigned long)il); + + tasklet_init(&il->irq_tasklet, +- (void (*)(unsigned long))il3945_irq_tasklet, ++ il3945_irq_tasklet, + (unsigned long)il); + } + +diff --git a/drivers/net/wireless/intel/iwlegacy/4965-mac.c b/drivers/net/wireless/intel/iwlegacy/4965-mac.c +index a91d170a614b6..6c2dcd2367136 100644 +--- a/drivers/net/wireless/intel/iwlegacy/4965-mac.c ++++ b/drivers/net/wireless/intel/iwlegacy/4965-mac.c +@@ -4361,8 +4361,9 @@ il4965_synchronize_irq(struct il_priv *il) + } + + static void +-il4965_irq_tasklet(struct il_priv *il) ++il4965_irq_tasklet(unsigned long data) + { ++ struct il_priv *il = (struct il_priv *)data; + u32 inta, handled = 0; + u32 inta_fh; + unsigned long flags; +@@ -6260,7 +6261,7 @@ il4965_setup_deferred_work(struct il_priv *il) + setup_timer(&il->watchdog, il_bg_watchdog, (unsigned long)il); + + tasklet_init(&il->irq_tasklet, +- (void (*)(unsigned long))il4965_irq_tasklet, ++ il4965_irq_tasklet, + (unsigned long)il); + } + +-- +2.20.1 + diff --git a/queue-4.9/iwlwifi-mvm-fix-thermal-zone-registration.patch b/queue-4.9/iwlwifi-mvm-fix-thermal-zone-registration.patch new file mode 100644 index 00000000000..6e6816512b4 --- /dev/null +++ b/queue-4.9/iwlwifi-mvm-fix-thermal-zone-registration.patch @@ -0,0 +1,64 @@ +From 01fbcd9845564e983f319f08b15cfc2b3c7ffc89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Jan 2020 15:45:24 +0200 +Subject: iwlwifi: mvm: Fix thermal zone registration + +From: Andrei Otcheretianski + +[ Upstream commit baa6cf8450b72dcab11f37c47efce7c5b9b8ad0f ] + +Use a unique name when registering a thermal zone. Otherwise, with +multiple NICS, we hit the following warning during the unregistration. + +WARNING: CPU: 2 PID: 3525 at fs/sysfs/group.c:255 + RIP: 0010:sysfs_remove_group+0x80/0x90 + Call Trace: + dpm_sysfs_remove+0x57/0x60 + device_del+0x5a/0x350 + ? sscanf+0x4e/0x70 + device_unregister+0x1a/0x60 + hwmon_device_unregister+0x4a/0xa0 + thermal_remove_hwmon_sysfs+0x175/0x1d0 + thermal_zone_device_unregister+0x188/0x1e0 + iwl_mvm_thermal_exit+0xe7/0x100 [iwlmvm] + iwl_op_mode_mvm_stop+0x27/0x180 [iwlmvm] + _iwl_op_mode_stop.isra.3+0x2b/0x50 [iwlwifi] + iwl_opmode_deregister+0x90/0xa0 [iwlwifi] + __exit_compat+0x10/0x2c7 [iwlmvm] + __x64_sys_delete_module+0x13f/0x270 + do_syscall_64+0x5a/0x110 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Signed-off-by: Andrei Otcheretianski +Signed-off-by: Luca Coelho +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/tt.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/tt.c b/drivers/net/wireless/intel/iwlwifi/mvm/tt.c +index c5203568a47ac..f0f205c3aadb7 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/tt.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tt.c +@@ -736,7 +736,8 @@ static struct thermal_zone_device_ops tzone_ops = { + static void iwl_mvm_thermal_zone_register(struct iwl_mvm *mvm) + { + int i; +- char name[] = "iwlwifi"; ++ char name[16]; ++ static atomic_t counter = ATOMIC_INIT(0); + + if (!iwl_mvm_is_tt_in_fw(mvm)) { + mvm->tz_device.tzone = NULL; +@@ -746,6 +747,7 @@ static void iwl_mvm_thermal_zone_register(struct iwl_mvm *mvm) + + BUILD_BUG_ON(ARRAY_SIZE(name) >= THERMAL_NAME_LENGTH); + ++ sprintf(name, "iwlwifi_%u", atomic_inc_return(&counter) & 0xFF); + mvm->tz_device.tzone = thermal_zone_device_register(name, + IWL_MAX_DTS_TRIPS, + IWL_WRITABLE_TRIPS_MSK, +-- +2.20.1 + diff --git a/queue-4.9/jbd2-clear-jbd2_abort-flag-before-journal_reset-to-u.patch b/queue-4.9/jbd2-clear-jbd2_abort-flag-before-journal_reset-to-u.patch new file mode 100644 index 00000000000..44b874c9e3a --- /dev/null +++ b/queue-4.9/jbd2-clear-jbd2_abort-flag-before-journal_reset-to-u.patch @@ -0,0 +1,56 @@ +From e59d128c1ec0cbfc37872e7f2fc1c30ea3e3fbfa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 11 Jan 2020 10:25:42 +0800 +Subject: jbd2: clear JBD2_ABORT flag before journal_reset to update log tail + info when load journal + +From: Kai Li + +[ Upstream commit a09decff5c32060639a685581c380f51b14e1fc2 ] + +If the journal is dirty when the filesystem is mounted, jbd2 will replay +the journal but the journal superblock will not be updated by +journal_reset() because JBD2_ABORT flag is still set (it was set in +journal_init_common()). This is problematic because when a new transaction +is then committed, it will be recorded in block 1 (journal->j_tail was set +to 1 in journal_reset()). If unclean shutdown happens again before the +journal superblock is updated, the new recorded transaction will not be +replayed during the next mount (because of stale sb->s_start and +sb->s_sequence values) which can lead to filesystem corruption. + +Fixes: 85e0c4e89c1b ("jbd2: if the journal is aborted then don't allow update of the log tail") +Signed-off-by: Kai Li +Link: https://lore.kernel.org/r/20200111022542.5008-1-li.kai4@h3c.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/jbd2/journal.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c +index 3cbcf649ac660..40c754854b29e 100644 +--- a/fs/jbd2/journal.c ++++ b/fs/jbd2/journal.c +@@ -1670,6 +1670,11 @@ int jbd2_journal_load(journal_t *journal) + journal->j_devname); + return -EFSCORRUPTED; + } ++ /* ++ * clear JBD2_ABORT flag initialized in journal_init_common ++ * here to update log tail information with the newest seq. ++ */ ++ journal->j_flags &= ~JBD2_ABORT; + + /* OK, we've finished with the dynamic journal bits: + * reinitialise the dynamic contents of the superblock in memory +@@ -1677,7 +1682,6 @@ int jbd2_journal_load(journal_t *journal) + if (journal_reset(journal)) + goto recovery_error; + +- journal->j_flags &= ~JBD2_ABORT; + journal->j_flags |= JBD2_LOADED; + return 0; + +-- +2.20.1 + diff --git a/queue-4.9/jbd2-switch-to-use-jbd2_journal_abort-when-failed-to.patch b/queue-4.9/jbd2-switch-to-use-jbd2_journal_abort-when-failed-to.patch new file mode 100644 index 00000000000..537d3e2782d --- /dev/null +++ b/queue-4.9/jbd2-switch-to-use-jbd2_journal_abort-when-failed-to.patch @@ -0,0 +1,51 @@ +From 7b89ff7dda9c469a061ac86505860d5bcce7cec8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2019 20:46:11 +0800 +Subject: jbd2: switch to use jbd2_journal_abort() when failed to submit the + commit record + +From: zhangyi (F) + +[ Upstream commit d0a186e0d3e7ac05cc77da7c157dae5aa59f95d9 ] + +We invoke jbd2_journal_abort() to abort the journal and record errno +in the jbd2 superblock when committing journal transaction besides the +failure on submitting the commit record. But there is no need for the +case and we can also invoke jbd2_journal_abort() instead of +__jbd2_journal_abort_hard(). + +Fixes: 818d276ceb83a ("ext4: Add the journal checksum feature") +Signed-off-by: zhangyi (F) +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20191204124614.45424-2-yi.zhang@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/jbd2/commit.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/jbd2/commit.c b/fs/jbd2/commit.c +index 72b5bbfd38447..1d06f81ee8b47 100644 +--- a/fs/jbd2/commit.c ++++ b/fs/jbd2/commit.c +@@ -779,7 +779,7 @@ start_journal_io: + err = journal_submit_commit_record(journal, commit_transaction, + &cbh, crc32_sum); + if (err) +- __jbd2_journal_abort_hard(journal); ++ jbd2_journal_abort(journal, err); + } + + blk_finish_plug(&plug); +@@ -872,7 +872,7 @@ start_journal_io: + err = journal_submit_commit_record(journal, commit_transaction, + &cbh, crc32_sum); + if (err) +- __jbd2_journal_abort_hard(journal); ++ jbd2_journal_abort(journal, err); + } + if (cbh) + err = journal_wait_on_commit_record(journal, cbh); +-- +2.20.1 + diff --git a/queue-4.9/kconfig-fix-broken-dependency-in-randconfig-generate.patch b/queue-4.9/kconfig-fix-broken-dependency-in-randconfig-generate.patch new file mode 100644 index 00000000000..e79ba7516fe --- /dev/null +++ b/queue-4.9/kconfig-fix-broken-dependency-in-randconfig-generate.patch @@ -0,0 +1,46 @@ +From c0bd11bc850accadc8226c9e1f71b73e63820820 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Feb 2020 14:03:11 +0900 +Subject: kconfig: fix broken dependency in randconfig-generated .config + +From: Masahiro Yamada + +[ Upstream commit c8fb7d7e48d11520ad24808cfce7afb7b9c9f798 ] + +Running randconfig on arm64 using KCONFIG_SEED=0x40C5E904 (e.g. on v5.5) +produces the .config with CONFIG_EFI=y and CONFIG_CPU_BIG_ENDIAN=y, +which does not meet the !CONFIG_CPU_BIG_ENDIAN dependency. + +This is because the user choice for CONFIG_CPU_LITTLE_ENDIAN vs +CONFIG_CPU_BIG_ENDIAN is set by randomize_choice_values() after the +value of CONFIG_EFI is calculated. + +When this happens, the has_changed flag should be set. + +Currently, it takes the result from the last iteration. It should +accumulate all the results of the loop. + +Fixes: 3b9a19e08960 ("kconfig: loop as long as we changed some symbols in randconfig") +Reported-by: Vincenzo Frascino +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/kconfig/confdata.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/kconfig/confdata.c b/scripts/kconfig/confdata.c +index 27aac273205ba..fa423fcd1a928 100644 +--- a/scripts/kconfig/confdata.c ++++ b/scripts/kconfig/confdata.c +@@ -1238,7 +1238,7 @@ bool conf_set_all_new_symbols(enum conf_def_mode mode) + + sym_calc_value(csym); + if (mode == def_random) +- has_changed = randomize_choice_values(csym); ++ has_changed |= randomize_choice_values(csym); + else { + set_all_choice_values(csym); + has_changed = true; +-- +2.20.1 + diff --git a/queue-4.9/lib-scatterlist.c-adjust-indentation-in-__sg_alloc_t.patch b/queue-4.9/lib-scatterlist.c-adjust-indentation-in-__sg_alloc_t.patch new file mode 100644 index 00000000000..a8938f8b6d2 --- /dev/null +++ b/queue-4.9/lib-scatterlist.c-adjust-indentation-in-__sg_alloc_t.patch @@ -0,0 +1,51 @@ +From 81feaf514e5eab608e0562d2bdba2b09445100c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jan 2020 22:16:37 -0800 +Subject: lib/scatterlist.c: adjust indentation in __sg_alloc_table + +From: Nathan Chancellor + +[ Upstream commit 4e456fee215677584cafa7f67298a76917e89c64 ] + +Clang warns: + + ../lib/scatterlist.c:314:5: warning: misleading indentation; statement + is not part of the previous 'if' [-Wmisleading-indentation] + return -ENOMEM; + ^ + ../lib/scatterlist.c:311:4: note: previous statement is here + if (prv) + ^ + 1 warning generated. + +This warning occurs because there is a space before the tab on this +line. Remove it so that the indentation is consistent with the Linux +kernel coding style and clang no longer warns. + +Link: http://lkml.kernel.org/r/20191218033606.11942-1-natechancellor@gmail.com +Link: https://github.com/ClangBuiltLinux/linux/issues/830 +Fixes: edce6820a9fd ("scatterlist: prevent invalid free when alloc fails") +Signed-off-by: Nathan Chancellor +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + lib/scatterlist.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/scatterlist.c b/lib/scatterlist.c +index a854cc39f084f..ef8c14a56d0a7 100644 +--- a/lib/scatterlist.c ++++ b/lib/scatterlist.c +@@ -317,7 +317,7 @@ int __sg_alloc_table(struct sg_table *table, unsigned int nents, + if (prv) + table->nents = ++table->orig_nents; + +- return -ENOMEM; ++ return -ENOMEM; + } + + sg_init_table(sg, alloc_size); +-- +2.20.1 + diff --git a/queue-4.9/media-i2c-mt9v032-fix-enum-mbus-codes-and-frame-size.patch b/queue-4.9/media-i2c-mt9v032-fix-enum-mbus-codes-and-frame-size.patch new file mode 100644 index 00000000000..d53aa4d3bee --- /dev/null +++ b/queue-4.9/media-i2c-mt9v032-fix-enum-mbus-codes-and-frame-size.patch @@ -0,0 +1,63 @@ +From decbebc1f73706bf9b9916088bfef1632bb591c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Nov 2019 08:55:24 +0100 +Subject: media: i2c: mt9v032: fix enum mbus codes and frame sizes + +From: Eugen Hristev + +[ Upstream commit 1451d5ae351d938a0ab1677498c893f17b9ee21d ] + +This driver supports both the mt9v032 (color) and the mt9v022 (mono) +sensors. Depending on which sensor is used, the format from the sensor is +different. The format.code inside the dev struct holds this information. +The enum mbus and enum frame sizes need to take into account both type of +sensors, not just the color one. To solve this, use the format.code in +these functions instead of the hardcoded bayer color format (which is only +used for mt9v032). + +[Sakari Ailus: rewrapped commit message] + +Suggested-by: Wenyou Yang +Signed-off-by: Eugen Hristev +Reviewed-by: Laurent Pinchart +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/mt9v032.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/i2c/mt9v032.c b/drivers/media/i2c/mt9v032.c +index 58eb62f1ba214..a018a76662df7 100644 +--- a/drivers/media/i2c/mt9v032.c ++++ b/drivers/media/i2c/mt9v032.c +@@ -423,10 +423,12 @@ static int mt9v032_enum_mbus_code(struct v4l2_subdev *subdev, + struct v4l2_subdev_pad_config *cfg, + struct v4l2_subdev_mbus_code_enum *code) + { ++ struct mt9v032 *mt9v032 = to_mt9v032(subdev); ++ + if (code->index > 0) + return -EINVAL; + +- code->code = MEDIA_BUS_FMT_SGRBG10_1X10; ++ code->code = mt9v032->format.code; + return 0; + } + +@@ -434,7 +436,11 @@ static int mt9v032_enum_frame_size(struct v4l2_subdev *subdev, + struct v4l2_subdev_pad_config *cfg, + struct v4l2_subdev_frame_size_enum *fse) + { +- if (fse->index >= 3 || fse->code != MEDIA_BUS_FMT_SGRBG10_1X10) ++ struct mt9v032 *mt9v032 = to_mt9v032(subdev); ++ ++ if (fse->index >= 3) ++ return -EINVAL; ++ if (mt9v032->format.code != fse->code) + return -EINVAL; + + fse->min_width = MT9V032_WINDOW_WIDTH_DEF / (1 << fse->index); +-- +2.20.1 + diff --git a/queue-4.9/media-sti-bdisp-fix-a-possible-sleep-in-atomic-conte.patch b/queue-4.9/media-sti-bdisp-fix-a-possible-sleep-in-atomic-conte.patch new file mode 100644 index 00000000000..d0417be62f5 --- /dev/null +++ b/queue-4.9/media-sti-bdisp-fix-a-possible-sleep-in-atomic-conte.patch @@ -0,0 +1,60 @@ +From 3ae6721c589b6b67c6fae50da8ff6a4903668d18 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Dec 2019 11:34:01 +0100 +Subject: media: sti: bdisp: fix a possible sleep-in-atomic-context bug in + bdisp_device_run() + +From: Jia-Ju Bai + +[ Upstream commit bb6d42061a05d71dd73f620582d9e09c8fbf7f5b ] + +The driver may sleep while holding a spinlock. +The function call path (from bottom to top) in Linux 4.19 is: + +drivers/media/platform/sti/bdisp/bdisp-hw.c, 385: + msleep in bdisp_hw_reset +drivers/media/platform/sti/bdisp/bdisp-v4l2.c, 341: + bdisp_hw_reset in bdisp_device_run +drivers/media/platform/sti/bdisp/bdisp-v4l2.c, 317: + _raw_spin_lock_irqsave in bdisp_device_run + +To fix this bug, msleep() is replaced with udelay(). + +This bug is found by a static analysis tool STCheck written by myself. + +Signed-off-by: Jia-Ju Bai +Reviewed-by: Fabien Dessenne +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/sti/bdisp/bdisp-hw.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/platform/sti/bdisp/bdisp-hw.c b/drivers/media/platform/sti/bdisp/bdisp-hw.c +index b7892f3efd988..5c4c3f0c57be1 100644 +--- a/drivers/media/platform/sti/bdisp/bdisp-hw.c ++++ b/drivers/media/platform/sti/bdisp/bdisp-hw.c +@@ -14,8 +14,8 @@ + #define MAX_SRC_WIDTH 2048 + + /* Reset & boot poll config */ +-#define POLL_RST_MAX 50 +-#define POLL_RST_DELAY_MS 20 ++#define POLL_RST_MAX 500 ++#define POLL_RST_DELAY_MS 2 + + enum bdisp_target_plan { + BDISP_RGB, +@@ -382,7 +382,7 @@ int bdisp_hw_reset(struct bdisp_dev *bdisp) + for (i = 0; i < POLL_RST_MAX; i++) { + if (readl(bdisp->regs + BLT_STA1) & BLT_STA1_IDLE) + break; +- msleep(POLL_RST_DELAY_MS); ++ udelay(POLL_RST_DELAY_MS * 1000); + } + if (i == POLL_RST_MAX) + dev_err(bdisp->dev, "Reset timeout\n"); +-- +2.20.1 + diff --git a/queue-4.9/media-v4l2-device.h-explicitly-compare-grp-id-mask-t.patch b/queue-4.9/media-v4l2-device.h-explicitly-compare-grp-id-mask-t.patch new file mode 100644 index 00000000000..ef17c913a39 --- /dev/null +++ b/queue-4.9/media-v4l2-device.h-explicitly-compare-grp-id-mask-t.patch @@ -0,0 +1,94 @@ +From 1150529a8d7fe48b484795cead992209524892b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Dec 2019 22:11:40 +0100 +Subject: media: v4l2-device.h: Explicitly compare grp{id,mask} to zero in + v4l2_device macros + +From: Nathan Chancellor + +[ Upstream commit afb34781620274236bd9fc9246e22f6963ef5262 ] + +When building with Clang + -Wtautological-constant-compare, several of +the ivtv and cx18 drivers warn along the lines of: + + drivers/media/pci/cx18/cx18-driver.c:1005:21: warning: converting the + result of '<<' to a boolean always evaluates to true + [-Wtautological-constant-compare] + cx18_call_hw(cx, CX18_HW_GPIO_RESET_CTRL, + ^ + drivers/media/pci/cx18/cx18-cards.h:18:37: note: expanded from macro + 'CX18_HW_GPIO_RESET_CTRL' + #define CX18_HW_GPIO_RESET_CTRL (1 << 6) + ^ + 1 warning generated. + +This warning happens because the shift operation is implicitly converted +to a boolean in v4l2_device_mask_call_all before being negated. This can +be solved by just comparing the mask result to 0 explicitly so that +there is no boolean conversion. The ultimate goal is to enable +-Wtautological-compare globally because there are several subwarnings +that would be helpful to have. + +For visual consistency and avoidance of these warnings in the future, +all of the implicitly boolean conversions in the v4l2_device macros +are converted to explicit ones as well. + +Link: https://github.com/ClangBuiltLinux/linux/issues/752 + +Reviewed-by: Ezequiel Garcia +Reviewed-by: Nick Desaulniers +Signed-off-by: Nathan Chancellor +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + include/media/v4l2-device.h | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/include/media/v4l2-device.h b/include/media/v4l2-device.h +index 8ffa94009d1a9..76002416cead9 100644 +--- a/include/media/v4l2-device.h ++++ b/include/media/v4l2-device.h +@@ -268,7 +268,7 @@ static inline void v4l2_subdev_notify(struct v4l2_subdev *sd, + struct v4l2_subdev *__sd; \ + \ + __v4l2_device_call_subdevs_p(v4l2_dev, __sd, \ +- !(grpid) || __sd->grp_id == (grpid), o, f , \ ++ (grpid) == 0 || __sd->grp_id == (grpid), o, f , \ + ##args); \ + } while (0) + +@@ -280,7 +280,7 @@ static inline void v4l2_subdev_notify(struct v4l2_subdev *sd, + ({ \ + struct v4l2_subdev *__sd; \ + __v4l2_device_call_subdevs_until_err_p(v4l2_dev, __sd, \ +- !(grpid) || __sd->grp_id == (grpid), o, f , \ ++ (grpid) == 0 || __sd->grp_id == (grpid), o, f , \ + ##args); \ + }) + +@@ -294,8 +294,8 @@ static inline void v4l2_subdev_notify(struct v4l2_subdev *sd, + struct v4l2_subdev *__sd; \ + \ + __v4l2_device_call_subdevs_p(v4l2_dev, __sd, \ +- !(grpmsk) || (__sd->grp_id & (grpmsk)), o, f , \ +- ##args); \ ++ (grpmsk) == 0 || (__sd->grp_id & (grpmsk)), o, \ ++ f , ##args); \ + } while (0) + + /* +@@ -308,8 +308,8 @@ static inline void v4l2_subdev_notify(struct v4l2_subdev *sd, + ({ \ + struct v4l2_subdev *__sd; \ + __v4l2_device_call_subdevs_until_err_p(v4l2_dev, __sd, \ +- !(grpmsk) || (__sd->grp_id & (grpmsk)), o, f , \ +- ##args); \ ++ (grpmsk) == 0 || (__sd->grp_id & (grpmsk)), o, \ ++ f , ##args); \ + }) + + /* +-- +2.20.1 + diff --git a/queue-4.9/microblaze-prevent-the-overflow-of-the-start.patch b/queue-4.9/microblaze-prevent-the-overflow-of-the-start.patch new file mode 100644 index 00000000000..860a87e8ea6 --- /dev/null +++ b/queue-4.9/microblaze-prevent-the-overflow-of-the-start.patch @@ -0,0 +1,37 @@ +From 1e718c8c520614c9fa4b4306061f6873645c9d0b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 11 Jan 2020 18:44:34 +0530 +Subject: microblaze: Prevent the overflow of the start + +From: Shubhrajyoti Datta + +[ Upstream commit 061d2c1d593076424c910cb1b64ecdb5c9a6923f ] + +In case the start + cache size is more than the max int the +start overflows. +Prevent the same. + +Signed-off-by: Shubhrajyoti Datta +Signed-off-by: Michal Simek +Signed-off-by: Sasha Levin +--- + arch/microblaze/kernel/cpu/cache.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/microblaze/kernel/cpu/cache.c b/arch/microblaze/kernel/cpu/cache.c +index 0bde47e4fa694..dcba53803fa5f 100644 +--- a/arch/microblaze/kernel/cpu/cache.c ++++ b/arch/microblaze/kernel/cpu/cache.c +@@ -92,7 +92,8 @@ static inline void __disable_dcache_nomsr(void) + #define CACHE_LOOP_LIMITS(start, end, cache_line_length, cache_size) \ + do { \ + int align = ~(cache_line_length - 1); \ +- end = min(start + cache_size, end); \ ++ if (start < UINT_MAX - cache_size) \ ++ end = min(start + cache_size, end); \ + start &= align; \ + } while (0) + +-- +2.20.1 + diff --git a/queue-4.9/mips-loongson-fix-potential-null-dereference-in-loon.patch b/queue-4.9/mips-loongson-fix-potential-null-dereference-in-loon.patch new file mode 100644 index 00000000000..a732fe78fdd --- /dev/null +++ b/queue-4.9/mips-loongson-fix-potential-null-dereference-in-loon.patch @@ -0,0 +1,43 @@ +From d2592c9dc617204c57622764f6f68be1bf760541 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jan 2020 09:30:42 +0800 +Subject: MIPS: Loongson: Fix potential NULL dereference in + loongson3_platform_init() + +From: Tiezhu Yang + +[ Upstream commit 72d052e28d1d2363f9107be63ef3a3afdea6143c ] + +If kzalloc fails, it should return -ENOMEM, otherwise may trigger a NULL +pointer dereference. + +Fixes: 3adeb2566b9b ("MIPS: Loongson: Improve LEFI firmware interface") +Signed-off-by: Tiezhu Yang +Signed-off-by: Paul Burton +Cc: Ralf Baechle +Cc: Huacai Chen +Cc: Jiaxun Yang +Cc: linux-mips@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Sasha Levin +--- + arch/mips/loongson64/loongson-3/platform.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/mips/loongson64/loongson-3/platform.c b/arch/mips/loongson64/loongson-3/platform.c +index 25a97cc0ee336..0db4cc3196ebd 100644 +--- a/arch/mips/loongson64/loongson-3/platform.c ++++ b/arch/mips/loongson64/loongson-3/platform.c +@@ -31,6 +31,9 @@ static int __init loongson3_platform_init(void) + continue; + + pdev = kzalloc(sizeof(struct platform_device), GFP_KERNEL); ++ if (!pdev) ++ return -ENOMEM; ++ + pdev->name = loongson_sysconf.sensors[i].name; + pdev->id = loongson_sysconf.sensors[i].id; + pdev->dev.platform_data = &loongson_sysconf.sensors[i]; +-- +2.20.1 + diff --git a/queue-4.9/net-wan-fsl_ucc_hdlc-reject-muram-offsets-above-64k.patch b/queue-4.9/net-wan-fsl_ucc_hdlc-reject-muram-offsets-above-64k.patch new file mode 100644 index 00000000000..179a6d1bfd9 --- /dev/null +++ b/queue-4.9/net-wan-fsl_ucc_hdlc-reject-muram-offsets-above-64k.patch @@ -0,0 +1,44 @@ +From 8c94d44f1abdbbe44214a6388f3f3efbd8c22ee4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Nov 2019 15:55:51 +0100 +Subject: net/wan/fsl_ucc_hdlc: reject muram offsets above 64K + +From: Rasmus Villemoes + +[ Upstream commit 148587a59f6b85831695e0497d9dd1af5f0495af ] + +Qiang Zhao points out that these offsets get written to 16-bit +registers, and there are some QE platforms with more than 64K +muram. So it is possible that qe_muram_alloc() gives us an allocation +that can't actually be used by the hardware, so detect and reject +that. + +Reported-by: Qiang Zhao +Reviewed-by: Timur Tabi +Signed-off-by: Rasmus Villemoes +Acked-by: David S. Miller +Signed-off-by: Li Yang +Signed-off-by: Sasha Levin +--- + drivers/net/wan/fsl_ucc_hdlc.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wan/fsl_ucc_hdlc.c b/drivers/net/wan/fsl_ucc_hdlc.c +index af85a1b3135e2..87bf05a81db50 100644 +--- a/drivers/net/wan/fsl_ucc_hdlc.c ++++ b/drivers/net/wan/fsl_ucc_hdlc.c +@@ -209,6 +209,11 @@ static int uhdlc_init(struct ucc_hdlc_private *priv) + ret = -ENOMEM; + goto free_riptr; + } ++ if (riptr != (u16)riptr || tiptr != (u16)tiptr) { ++ dev_err(priv->dev, "MURAM allocation out of addressable range\n"); ++ ret = -ENOMEM; ++ goto free_tiptr; ++ } + + /* Set RIPTR, TIPTR */ + iowrite16be(riptr, &priv->ucc_pram->riptr); +-- +2.20.1 + diff --git a/queue-4.9/nfc-port100-convert-cpu_to_le16-le16_to_cpu-e1-e2-to.patch b/queue-4.9/nfc-port100-convert-cpu_to_le16-le16_to_cpu-e1-e2-to.patch new file mode 100644 index 00000000000..19cb5084204 --- /dev/null +++ b/queue-4.9/nfc-port100-convert-cpu_to_le16-le16_to_cpu-e1-e2-to.patch @@ -0,0 +1,37 @@ +From 4513ba054e22dce952c7ded8f67cd253ca8d87ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Dec 2019 21:08:45 +0800 +Subject: NFC: port100: Convert cpu_to_le16(le16_to_cpu(E1) + E2) to use + le16_add_cpu(). + +From: Mao Wenan + +[ Upstream commit 718eae277e62a26e5862eb72a830b5e0fe37b04a ] + +Convert cpu_to_le16(le16_to_cpu(frame->datalen) + len) to +use le16_add_cpu(), which is more concise and does the same thing. + +Reported-by: Hulk Robot +Signed-off-by: Mao Wenan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/nfc/port100.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nfc/port100.c b/drivers/nfc/port100.c +index 3cd995de1bbb5..151b220381f95 100644 +--- a/drivers/nfc/port100.c ++++ b/drivers/nfc/port100.c +@@ -573,7 +573,7 @@ static void port100_tx_update_payload_len(void *_frame, int len) + { + struct port100_frame *frame = _frame; + +- frame->datalen = cpu_to_le16(le16_to_cpu(frame->datalen) + len); ++ le16_add_cpu(&frame->datalen, len); + } + + static bool port100_rx_frame_is_valid(void *_frame) +-- +2.20.1 + diff --git a/queue-4.9/nfsd4-avoid-null-deference-on-strange-copy-compounds.patch b/queue-4.9/nfsd4-avoid-null-deference-on-strange-copy-compounds.patch new file mode 100644 index 00000000000..206bcb861e1 --- /dev/null +++ b/queue-4.9/nfsd4-avoid-null-deference-on-strange-copy-compounds.patch @@ -0,0 +1,54 @@ +From e0d4740dac290b43dd78e4d4d11d01092291209a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2019 16:07:32 -0500 +Subject: nfsd4: avoid NULL deference on strange COPY compounds + +From: J. Bruce Fields + +[ Upstream commit d781e3df710745fbbaee4eb07fd5b64331a1b175 ] + +With cross-server COPY we've introduced the possibility that the current +or saved filehandle might not have fh_dentry/fh_export filled in, but we +missed a place that assumed it was. I think this could be triggered by +a compound like: + + PUTFH(foreign filehandle) + GETATTR + SAVEFH + COPY + +First, check_if_stalefh_allowed sets no_verify on the first (PUTFH) op. +Then op_func = nfsd4_putfh runs and leaves current_fh->fh_export NULL. +need_wrongsec_check returns true, since this PUTFH has OP_IS_PUTFH_LIKE +set and GETATTR does not have OP_HANDLES_WRONGSEC set. + +We should probably also consider tightening the checks in +check_if_stalefh_allowed and double-checking that we don't assume the +filehandle is verified elsewhere in the compound. But I think this +fixes the immediate issue. + +Reported-by: Dan Carpenter +Fixes: 4e48f1cccab3 "NFSD: allow inter server COPY to have... " +Signed-off-by: J. Bruce Fields +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfs4proc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c +index 66985a6a7047b..33537bbb70b36 100644 +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -1800,7 +1800,8 @@ nfsd4_proc_compound(struct svc_rqst *rqstp, + if (opdesc->op_flags & OP_CLEAR_STATEID) + clear_current_stateid(cstate); + +- if (need_wrongsec_check(rqstp)) ++ if (current_fh->fh_export && ++ need_wrongsec_check(rqstp)) + op->status = check_nfsd_access(current_fh->fh_export, rqstp); + } + encode_op: +-- +2.20.1 + diff --git a/queue-4.9/ocfs2-fix-a-null-pointer-dereference-when-call-ocfs2.patch b/queue-4.9/ocfs2-fix-a-null-pointer-dereference-when-call-ocfs2.patch new file mode 100644 index 00000000000..95f302d6e9a --- /dev/null +++ b/queue-4.9/ocfs2-fix-a-null-pointer-dereference-when-call-ocfs2.patch @@ -0,0 +1,140 @@ +From 6d3a12d3746593b71a4ac212934bef9a83e02dd9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jan 2020 22:11:50 -0800 +Subject: ocfs2: fix a NULL pointer dereference when call + ocfs2_update_inode_fsync_trans() + +From: wangyan + +[ Upstream commit 9f16ca48fc818a17de8be1f75d08e7f4addc4497 ] + +I found a NULL pointer dereference in ocfs2_update_inode_fsync_trans(), +handle->h_transaction may be NULL in this situation: + +ocfs2_file_write_iter + ->__generic_file_write_iter + ->generic_perform_write + ->ocfs2_write_begin + ->ocfs2_write_begin_nolock + ->ocfs2_write_cluster_by_desc + ->ocfs2_write_cluster + ->ocfs2_mark_extent_written + ->ocfs2_change_extent_flag + ->ocfs2_split_extent + ->ocfs2_try_to_merge_extent + ->ocfs2_extend_rotate_transaction + ->ocfs2_extend_trans + ->jbd2_journal_restart + ->jbd2__journal_restart + // handle->h_transaction is NULL here + ->handle->h_transaction = NULL; + ->start_this_handle + /* journal aborted due to storage + network disconnection, return error */ + ->return -EROFS; + /* line 3806 in ocfs2_try_to_merge_extent (), + it will ignore ret error. */ + ->ret = 0; + ->... + ->ocfs2_write_end + ->ocfs2_write_end_nolock + ->ocfs2_update_inode_fsync_trans + // NULL pointer dereference + ->oi->i_sync_tid = handle->h_transaction->t_tid; + +The information of NULL pointer dereference as follows: + JBD2: Detected IO errors while flushing file data on dm-11-45 + Aborting journal on device dm-11-45. + JBD2: Error -5 detected when updating journal superblock for dm-11-45. + (dd,22081,3):ocfs2_extend_trans:474 ERROR: status = -30 + (dd,22081,3):ocfs2_try_to_merge_extent:3877 ERROR: status = -30 + Unable to handle kernel NULL pointer dereference at + virtual address 0000000000000008 + Mem abort info: + ESR = 0x96000004 + Exception class = DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + Data abort info: + ISV = 0, ISS = 0x00000004 + CM = 0, WnR = 0 + user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000e74e1338 + [0000000000000008] pgd=0000000000000000 + Internal error: Oops: 96000004 [#1] SMP + Process dd (pid: 22081, stack limit = 0x00000000584f35a9) + CPU: 3 PID: 22081 Comm: dd Kdump: loaded + Hardware name: Huawei TaiShan 2280 V2/BC82AMDD, BIOS 0.98 08/25/2019 + pstate: 60400009 (nZCv daif +PAN -UAO) + pc : ocfs2_write_end_nolock+0x2b8/0x550 [ocfs2] + lr : ocfs2_write_end_nolock+0x2a0/0x550 [ocfs2] + sp : ffff0000459fba70 + x29: ffff0000459fba70 x28: 0000000000000000 + x27: ffff807ccf7f1000 x26: 0000000000000001 + x25: ffff807bdff57970 x24: ffff807caf1d4000 + x23: ffff807cc79e9000 x22: 0000000000001000 + x21: 000000006c6cd000 x20: ffff0000091d9000 + x19: ffff807ccb239db0 x18: ffffffffffffffff + x17: 000000000000000e x16: 0000000000000007 + x15: ffff807c5e15bd78 x14: 0000000000000000 + x13: 0000000000000000 x12: 0000000000000000 + x11: 0000000000000000 x10: 0000000000000001 + x9 : 0000000000000228 x8 : 000000000000000c + x7 : 0000000000000fff x6 : ffff807a308ed6b0 + x5 : ffff7e01f10967c0 x4 : 0000000000000018 + x3 : d0bc661572445600 x2 : 0000000000000000 + x1 : 000000001b2e0200 x0 : 0000000000000000 + Call trace: + ocfs2_write_end_nolock+0x2b8/0x550 [ocfs2] + ocfs2_write_end+0x4c/0x80 [ocfs2] + generic_perform_write+0x108/0x1a8 + __generic_file_write_iter+0x158/0x1c8 + ocfs2_file_write_iter+0x668/0x950 [ocfs2] + __vfs_write+0x11c/0x190 + vfs_write+0xac/0x1c0 + ksys_write+0x6c/0xd8 + __arm64_sys_write+0x24/0x30 + el0_svc_common+0x78/0x130 + el0_svc_handler+0x38/0x78 + el0_svc+0x8/0xc + +To prevent NULL pointer dereference in this situation, we use +is_handle_aborted() before using handle->h_transaction->t_tid. + +Link: http://lkml.kernel.org/r/03e750ab-9ade-83aa-b000-b9e81e34e539@huawei.com +Signed-off-by: Yan Wang +Reviewed-by: Jun Piao +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Joseph Qi +Cc: Changwei Ge +Cc: Gang He +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ocfs2/journal.h | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/fs/ocfs2/journal.h b/fs/ocfs2/journal.h +index 497a4171ef61f..bfb50fc51528f 100644 +--- a/fs/ocfs2/journal.h ++++ b/fs/ocfs2/journal.h +@@ -637,9 +637,11 @@ static inline void ocfs2_update_inode_fsync_trans(handle_t *handle, + { + struct ocfs2_inode_info *oi = OCFS2_I(inode); + +- oi->i_sync_tid = handle->h_transaction->t_tid; +- if (datasync) +- oi->i_datasync_tid = handle->h_transaction->t_tid; ++ if (!is_handle_aborted(handle)) { ++ oi->i_sync_tid = handle->h_transaction->t_tid; ++ if (datasync) ++ oi->i_datasync_tid = handle->h_transaction->t_tid; ++ } + } + + #endif /* OCFS2_JOURNAL_H */ +-- +2.20.1 + diff --git a/queue-4.9/orinoco-avoid-assertion-in-case-of-null-pointer.patch b/queue-4.9/orinoco-avoid-assertion-in-case-of-null-pointer.patch new file mode 100644 index 00000000000..4f5779c1b29 --- /dev/null +++ b/queue-4.9/orinoco-avoid-assertion-in-case-of-null-pointer.patch @@ -0,0 +1,37 @@ +From 1ace914e428557ffe52eb5a5629055830644cb23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Dec 2019 13:58:58 -0600 +Subject: orinoco: avoid assertion in case of NULL pointer + +From: Aditya Pakki + +[ Upstream commit c705f9fc6a1736dcf6ec01f8206707c108dca824 ] + +In ezusb_init, if upriv is NULL, the code crashes. However, the caller +in ezusb_probe can handle the error and print the failure message. +The patch replaces the BUG_ON call to error return. + +Signed-off-by: Aditya Pakki +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intersil/orinoco/orinoco_usb.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intersil/orinoco/orinoco_usb.c b/drivers/net/wireless/intersil/orinoco/orinoco_usb.c +index 8244d82629511..4e91c74fcfad9 100644 +--- a/drivers/net/wireless/intersil/orinoco/orinoco_usb.c ++++ b/drivers/net/wireless/intersil/orinoco/orinoco_usb.c +@@ -1351,7 +1351,8 @@ static int ezusb_init(struct hermes *hw) + int retval; + + BUG_ON(in_interrupt()); +- BUG_ON(!upriv); ++ if (!upriv) ++ return -EINVAL; + + upriv->reply_count = 0; + /* Write the MAGIC number on the simulated registers to keep +-- +2.20.1 + diff --git a/queue-4.9/padata-always-acquire-cpu_hotplug_lock-before-pinst-.patch b/queue-4.9/padata-always-acquire-cpu_hotplug_lock-before-pinst-.patch new file mode 100644 index 00000000000..68cc99e3c92 --- /dev/null +++ b/queue-4.9/padata-always-acquire-cpu_hotplug_lock-before-pinst-.patch @@ -0,0 +1,71 @@ +From 1bdef1e2e81dce73c8b58f95555d8dcbff1efc9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2019 14:31:11 -0500 +Subject: padata: always acquire cpu_hotplug_lock before pinst->lock + +From: Daniel Jordan + +[ Upstream commit 38228e8848cd7dd86ccb90406af32de0cad24be3 ] + +lockdep complains when padata's paths to update cpumasks via CPU hotplug +and sysfs are both taken: + + # echo 0 > /sys/devices/system/cpu/cpu1/online + # echo ff > /sys/kernel/pcrypt/pencrypt/parallel_cpumask + + ====================================================== + WARNING: possible circular locking dependency detected + 5.4.0-rc8-padata-cpuhp-v3+ #1 Not tainted + ------------------------------------------------------ + bash/205 is trying to acquire lock: + ffffffff8286bcd0 (cpu_hotplug_lock.rw_sem){++++}, at: padata_set_cpumask+0x2b/0x120 + + but task is already holding lock: + ffff8880001abfa0 (&pinst->lock){+.+.}, at: padata_set_cpumask+0x26/0x120 + + which lock already depends on the new lock. + +padata doesn't take cpu_hotplug_lock and pinst->lock in a consistent +order. Which should be first? CPU hotplug calls into padata with +cpu_hotplug_lock already held, so it should have priority. + +Fixes: 6751fb3c0e0c ("padata: Use get_online_cpus/put_online_cpus") +Signed-off-by: Daniel Jordan +Cc: Eric Biggers +Cc: Herbert Xu +Cc: Steffen Klassert +Cc: linux-crypto@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + kernel/padata.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/padata.c b/kernel/padata.c +index 286c5142a0f74..6939111b3cbe0 100644 +--- a/kernel/padata.c ++++ b/kernel/padata.c +@@ -614,8 +614,8 @@ int padata_set_cpumask(struct padata_instance *pinst, int cpumask_type, + struct cpumask *serial_mask, *parallel_mask; + int err = -EINVAL; + +- mutex_lock(&pinst->lock); + get_online_cpus(); ++ mutex_lock(&pinst->lock); + + switch (cpumask_type) { + case PADATA_CPU_PARALLEL: +@@ -633,8 +633,8 @@ int padata_set_cpumask(struct padata_instance *pinst, int cpumask_type, + err = __padata_set_cpumasks(pinst, parallel_mask, serial_mask); + + out: +- put_online_cpus(); + mutex_unlock(&pinst->lock); ++ put_online_cpus(); + + return err; + } +-- +2.20.1 + diff --git a/queue-4.9/pci-iov-fix-memory-leak-in-pci_iov_add_virtfn.patch b/queue-4.9/pci-iov-fix-memory-leak-in-pci_iov_add_virtfn.patch new file mode 100644 index 00000000000..eeffa3d33ae --- /dev/null +++ b/queue-4.9/pci-iov-fix-memory-leak-in-pci_iov_add_virtfn.patch @@ -0,0 +1,37 @@ +From 867265a84ebd4781c48a1fa3d9810358503b1f71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Nov 2019 13:52:52 -0600 +Subject: PCI/IOV: Fix memory leak in pci_iov_add_virtfn() + +From: Navid Emamdoost + +[ Upstream commit 8c386cc817878588195dde38e919aa6ba9409d58 ] + +In the implementation of pci_iov_add_virtfn() the allocated virtfn is +leaked if pci_setup_device() fails. The error handling is not calling +pci_stop_and_remove_bus_device(). Change the goto label to failed2. + +Fixes: 156c55325d30 ("PCI: Check for pci_setup_device() failure in pci_iov_add_virtfn()") +Link: https://lore.kernel.org/r/20191125195255.23740-1-navid.emamdoost@gmail.com +Signed-off-by: Navid Emamdoost +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/iov.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pci/iov.c b/drivers/pci/iov.c +index 1d32fe2d97aa7..9ec3cb628b0b6 100644 +--- a/drivers/pci/iov.c ++++ b/drivers/pci/iov.c +@@ -181,6 +181,7 @@ int pci_iov_add_virtfn(struct pci_dev *dev, int id, int reset) + failed2: + sysfs_remove_link(&dev->dev.kobj, buf); + failed1: ++ pci_stop_and_remove_bus_device(virtfn); + pci_dev_put(dev); + mutex_lock(&iov->dev->sriov->lock); + pci_stop_and_remove_bus_device(virtfn); +-- +2.20.1 + diff --git a/queue-4.9/pinctrl-baytrail-do-not-clear-irq-flags-on-direct-ir.patch b/queue-4.9/pinctrl-baytrail-do-not-clear-irq-flags-on-direct-ir.patch new file mode 100644 index 00000000000..ec15281cde6 --- /dev/null +++ b/queue-4.9/pinctrl-baytrail-do-not-clear-irq-flags-on-direct-ir.patch @@ -0,0 +1,60 @@ +From 305c5574e6513b7a3f3eccbf2fb628937c31eeab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Dec 2019 00:04:47 +0100 +Subject: pinctrl: baytrail: Do not clear IRQ flags on direct-irq enabled pins + +From: Hans de Goede + +[ Upstream commit a23680594da7a9e2696dbcf4f023e9273e2fa40b ] + +Suspending Goodix touchscreens requires changing the interrupt pin to +output before sending them a power-down command. Followed by wiggling +the interrupt pin to wake the device up, after which it is put back +in input mode. + +On Bay Trail devices with a Goodix touchscreen direct-irq mode is used +in combination with listing the pin as a normal GpioIo resource. + +This works fine, until the goodix driver gets rmmod-ed and then insmod-ed +again. In this case byt_gpio_disable_free() calls +byt_gpio_clear_triggering() which clears the IRQ flags and after that the +(direct) IRQ no longer triggers. + +This commit fixes this by adding a check for the BYT_DIRECT_IRQ_EN flag +to byt_gpio_clear_triggering(). + +Note that byt_gpio_clear_triggering() only gets called from +byt_gpio_disable_free() for direct-irq enabled pins, as these are excluded +from the irq_valid mask by byt_init_irq_valid_mask(). + +Signed-off-by: Hans de Goede +Acked-by: Mika Westerberg +Reviewed-by: Linus Walleij +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/intel/pinctrl-baytrail.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/intel/pinctrl-baytrail.c b/drivers/pinctrl/intel/pinctrl-baytrail.c +index f83a2a60d9c9b..1e945aa77734b 100644 +--- a/drivers/pinctrl/intel/pinctrl-baytrail.c ++++ b/drivers/pinctrl/intel/pinctrl-baytrail.c +@@ -958,7 +958,13 @@ static void byt_gpio_clear_triggering(struct byt_gpio *vg, unsigned int offset) + + raw_spin_lock_irqsave(&byt_lock, flags); + value = readl(reg); +- value &= ~(BYT_TRIG_POS | BYT_TRIG_NEG | BYT_TRIG_LVL); ++ ++ /* Do not clear direct-irq enabled IRQs (from gpio_disable_free) */ ++ if (value & BYT_DIRECT_IRQ_EN) ++ /* nothing to do */ ; ++ else ++ value &= ~(BYT_TRIG_POS | BYT_TRIG_NEG | BYT_TRIG_LVL); ++ + writel(value, reg); + raw_spin_unlock_irqrestore(&byt_lock, flags); + } +-- +2.20.1 + diff --git a/queue-4.9/pinctrl-sh-pfc-sh7264-fix-can-function-gpios.patch b/queue-4.9/pinctrl-sh-pfc-sh7264-fix-can-function-gpios.patch new file mode 100644 index 00000000000..1ecedbf0025 --- /dev/null +++ b/queue-4.9/pinctrl-sh-pfc-sh7264-fix-can-function-gpios.patch @@ -0,0 +1,94 @@ +From 0d353adcf49bd9235e72c335d6c5a1273c7343cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Dec 2019 20:48:09 +0100 +Subject: pinctrl: sh-pfc: sh7264: Fix CAN function GPIOs + +From: Geert Uytterhoeven + +[ Upstream commit 55b1cb1f03ad5eea39897d0c74035e02deddcff2 ] + +pinmux_func_gpios[] contains a hole due to the missing function GPIO +definition for the "CTX0&CTX1" signal, which is the logical "AND" of the +two CAN outputs. + +Fix this by: + - Renaming CRX0_CRX1_MARK to CTX0_CTX1_MARK, as PJ2MD[2:0]=010 + configures the combined "CTX0&CTX1" output signal, + - Renaming CRX0X1_MARK to CRX0_CRX1_MARK, as PJ3MD[1:0]=10 configures + the shared "CRX0/CRX1" input signal, which is fed to both CAN + inputs, + - Adding the missing function GPIO definition for "CTX0&CTX1" to + pinmux_func_gpios[], + - Moving all CAN enums next to each other. + +See SH7262 Group, SH7264 Group User's Manual: Hardware, Rev. 4.00: + [1] Figure 1.2 (3) (Pin Assignment for the SH7264 Group (1-Mbyte + Version), + [2] Figure 1.2 (4) Pin Assignment for the SH7264 Group (640-Kbyte + Version, + [3] Table 1.4 List of Pins, + [4] Figure 20.29 Connection Example when Using This Module as 1-Channel + Module (64 Mailboxes x 1 Channel), + [5] Table 32.10 Multiplexed Pins (Port J), + [6] Section 32.2.30 (3) Port J Control Register 0 (PJCR0). + +Note that the last 2 disagree about PJ2MD[2:0], which is probably the +root cause of this bug. But considering [4], "CTx0&CTx1" in [5] must +be correct, and "CRx0&CRx1" in [6] must be wrong. + +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20191218194812.12741-4-geert+renesas@glider.be +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/sh-pfc/pfc-sh7264.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/pinctrl/sh-pfc/pfc-sh7264.c b/drivers/pinctrl/sh-pfc/pfc-sh7264.c +index e1c34e19222ee..3ddb9565ed804 100644 +--- a/drivers/pinctrl/sh-pfc/pfc-sh7264.c ++++ b/drivers/pinctrl/sh-pfc/pfc-sh7264.c +@@ -500,17 +500,15 @@ enum { + SD_WP_MARK, SD_CLK_MARK, SD_CMD_MARK, + CRX0_MARK, CRX1_MARK, + CTX0_MARK, CTX1_MARK, ++ CRX0_CRX1_MARK, CTX0_CTX1_MARK, + + PWM1A_MARK, PWM1B_MARK, PWM1C_MARK, PWM1D_MARK, + PWM1E_MARK, PWM1F_MARK, PWM1G_MARK, PWM1H_MARK, + PWM2A_MARK, PWM2B_MARK, PWM2C_MARK, PWM2D_MARK, + PWM2E_MARK, PWM2F_MARK, PWM2G_MARK, PWM2H_MARK, + IERXD_MARK, IETXD_MARK, +- CRX0_CRX1_MARK, + WDTOVF_MARK, + +- CRX0X1_MARK, +- + /* DMAC */ + TEND0_MARK, DACK0_MARK, DREQ0_MARK, + TEND1_MARK, DACK1_MARK, DREQ1_MARK, +@@ -998,12 +996,12 @@ static const u16 pinmux_data[] = { + + PINMUX_DATA(PJ3_DATA, PJ3MD_00), + PINMUX_DATA(CRX1_MARK, PJ3MD_01), +- PINMUX_DATA(CRX0X1_MARK, PJ3MD_10), ++ PINMUX_DATA(CRX0_CRX1_MARK, PJ3MD_10), + PINMUX_DATA(IRQ1_PJ_MARK, PJ3MD_11), + + PINMUX_DATA(PJ2_DATA, PJ2MD_000), + PINMUX_DATA(CTX1_MARK, PJ2MD_001), +- PINMUX_DATA(CRX0_CRX1_MARK, PJ2MD_010), ++ PINMUX_DATA(CTX0_CTX1_MARK, PJ2MD_010), + PINMUX_DATA(CS2_MARK, PJ2MD_011), + PINMUX_DATA(SCK0_MARK, PJ2MD_100), + PINMUX_DATA(LCD_M_DISP_MARK, PJ2MD_101), +@@ -1248,6 +1246,7 @@ static const struct pinmux_func pinmux_func_gpios[] = { + GPIO_FN(CTX1), + GPIO_FN(CRX1), + GPIO_FN(CTX0), ++ GPIO_FN(CTX0_CTX1), + GPIO_FN(CRX0), + GPIO_FN(CRX0_CRX1), + +-- +2.20.1 + diff --git a/queue-4.9/pinctrl-sh-pfc-sh7269-fix-can-function-gpios.patch b/queue-4.9/pinctrl-sh-pfc-sh7269-fix-can-function-gpios.patch new file mode 100644 index 00000000000..4570a482256 --- /dev/null +++ b/queue-4.9/pinctrl-sh-pfc-sh7269-fix-can-function-gpios.patch @@ -0,0 +1,184 @@ +From e1b0cdc7124b5614f71ce0d9bc0daf6c245d63e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Dec 2019 20:48:10 +0100 +Subject: pinctrl: sh-pfc: sh7269: Fix CAN function GPIOs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Geert Uytterhoeven + +[ Upstream commit 02aeb2f21530c98fc3ca51028eda742a3fafbd9f ] + +pinmux_func_gpios[] contains a hole due to the missing function GPIO +definition for the "CTX0&CTX1" signal, which is the logical "AND" of the +first two CAN outputs. + +A closer look reveals other issues: + - Some functionality is available on alternative pins, but the + PINMUX_DATA() entries is using the wrong marks, + - Several configurations are missing. + +Fix this by: + - Renaming CTX0CTX1CTX2_MARK, CRX0CRX1_PJ22_MARK, and + CRX0CRX1CRX2_PJ20_MARK to CTX0_CTX1_CTX2_MARK, CRX0_CRX1_PJ22_MARK, + resp. CRX0_CRX1_CRX2_PJ20_MARK for consistency with the + corresponding enum IDs, + - Adding all missing enum IDs and marks, + - Use the right (*_PJ2x) variants for alternative pins, + - Adding all missing configurations to pinmux_data[], + - Adding all missing function GPIO definitions to pinmux_func_gpios[]. + +See SH7268 Group, SH7269 Group User’s Manual: Hardware, Rev. 2.00: + [1] Table 1.4 List of Pins + [2] Figure 23.29 Connection Example when Using Channels 0 and 1 as One + Channel (64 Mailboxes × 1 Channel) and Channel 2 as One Channel + (32 Mailboxes × 1 Channel), + [3] Figure 23.30 Connection Example when Using Channels 0, 1, and 2 as + One Channel (96 Mailboxes × 1 Channel), + [4] Table 48.3 Multiplexed Pins (Port B), + [5] Table 48.4 Multiplexed Pins (Port C), + [6] Table 48.10 Multiplexed Pins (Port J), + [7] Section 48.2.4 Port B Control Registers 0 to 5 (PBCR0 to PBCR5). + +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20191218194812.12741-5-geert+renesas@glider.be +Signed-off-by: Sasha Levin +--- + arch/sh/include/cpu-sh2a/cpu/sh7269.h | 11 ++++++-- + drivers/pinctrl/sh-pfc/pfc-sh7269.c | 39 ++++++++++++++++++--------- + 2 files changed, 36 insertions(+), 14 deletions(-) + +diff --git a/arch/sh/include/cpu-sh2a/cpu/sh7269.h b/arch/sh/include/cpu-sh2a/cpu/sh7269.h +index 2a0ca8780f0d8..e4caddd443daf 100644 +--- a/arch/sh/include/cpu-sh2a/cpu/sh7269.h ++++ b/arch/sh/include/cpu-sh2a/cpu/sh7269.h +@@ -79,8 +79,15 @@ enum { + GPIO_FN_WDTOVF, + + /* CAN */ +- GPIO_FN_CTX1, GPIO_FN_CRX1, GPIO_FN_CTX0, GPIO_FN_CTX0_CTX1, +- GPIO_FN_CRX0, GPIO_FN_CRX0_CRX1, GPIO_FN_CRX0_CRX1_CRX2, ++ GPIO_FN_CTX2, GPIO_FN_CRX2, ++ GPIO_FN_CTX1, GPIO_FN_CRX1, ++ GPIO_FN_CTX0, GPIO_FN_CRX0, ++ GPIO_FN_CTX0_CTX1, GPIO_FN_CRX0_CRX1, ++ GPIO_FN_CTX0_CTX1_CTX2, GPIO_FN_CRX0_CRX1_CRX2, ++ GPIO_FN_CTX2_PJ21, GPIO_FN_CRX2_PJ20, ++ GPIO_FN_CTX1_PJ23, GPIO_FN_CRX1_PJ22, ++ GPIO_FN_CTX0_CTX1_PJ23, GPIO_FN_CRX0_CRX1_PJ22, ++ GPIO_FN_CTX0_CTX1_CTX2_PJ21, GPIO_FN_CRX0_CRX1_CRX2_PJ20, + + /* DMAC */ + GPIO_FN_TEND0, GPIO_FN_DACK0, GPIO_FN_DREQ0, +diff --git a/drivers/pinctrl/sh-pfc/pfc-sh7269.c b/drivers/pinctrl/sh-pfc/pfc-sh7269.c +index cfdb4fc177c3e..3df0c0d139d08 100644 +--- a/drivers/pinctrl/sh-pfc/pfc-sh7269.c ++++ b/drivers/pinctrl/sh-pfc/pfc-sh7269.c +@@ -740,13 +740,12 @@ enum { + CRX0_MARK, CTX0_MARK, + CRX1_MARK, CTX1_MARK, + CRX2_MARK, CTX2_MARK, +- CRX0_CRX1_MARK, +- CRX0_CRX1_CRX2_MARK, +- CTX0CTX1CTX2_MARK, ++ CRX0_CRX1_MARK, CTX0_CTX1_MARK, ++ CRX0_CRX1_CRX2_MARK, CTX0_CTX1_CTX2_MARK, + CRX1_PJ22_MARK, CTX1_PJ23_MARK, + CRX2_PJ20_MARK, CTX2_PJ21_MARK, +- CRX0CRX1_PJ22_MARK, +- CRX0CRX1CRX2_PJ20_MARK, ++ CRX0_CRX1_PJ22_MARK, CTX0_CTX1_PJ23_MARK, ++ CRX0_CRX1_CRX2_PJ20_MARK, CTX0_CTX1_CTX2_PJ21_MARK, + + /* VDC */ + DV_CLK_MARK, +@@ -824,6 +823,7 @@ static const u16 pinmux_data[] = { + PINMUX_DATA(CS3_MARK, PC8MD_001), + PINMUX_DATA(TXD7_MARK, PC8MD_010), + PINMUX_DATA(CTX1_MARK, PC8MD_011), ++ PINMUX_DATA(CTX0_CTX1_MARK, PC8MD_100), + + PINMUX_DATA(PC7_DATA, PC7MD_000), + PINMUX_DATA(CKE_MARK, PC7MD_001), +@@ -836,11 +836,12 @@ static const u16 pinmux_data[] = { + PINMUX_DATA(CAS_MARK, PC6MD_001), + PINMUX_DATA(SCK7_MARK, PC6MD_010), + PINMUX_DATA(CTX0_MARK, PC6MD_011), ++ PINMUX_DATA(CTX0_CTX1_CTX2_MARK, PC6MD_100), + + PINMUX_DATA(PC5_DATA, PC5MD_000), + PINMUX_DATA(RAS_MARK, PC5MD_001), + PINMUX_DATA(CRX0_MARK, PC5MD_011), +- PINMUX_DATA(CTX0CTX1CTX2_MARK, PC5MD_100), ++ PINMUX_DATA(CTX0_CTX1_CTX2_MARK, PC5MD_100), + PINMUX_DATA(IRQ0_PC_MARK, PC5MD_101), + + PINMUX_DATA(PC4_DATA, PC4MD_00), +@@ -1292,30 +1293,32 @@ static const u16 pinmux_data[] = { + PINMUX_DATA(LCD_DATA23_PJ23_MARK, PJ23MD_010), + PINMUX_DATA(LCD_TCON6_MARK, PJ23MD_011), + PINMUX_DATA(IRQ3_PJ_MARK, PJ23MD_100), +- PINMUX_DATA(CTX1_MARK, PJ23MD_101), ++ PINMUX_DATA(CTX1_PJ23_MARK, PJ23MD_101), ++ PINMUX_DATA(CTX0_CTX1_PJ23_MARK, PJ23MD_110), + + PINMUX_DATA(PJ22_DATA, PJ22MD_000), + PINMUX_DATA(DV_DATA22_MARK, PJ22MD_001), + PINMUX_DATA(LCD_DATA22_PJ22_MARK, PJ22MD_010), + PINMUX_DATA(LCD_TCON5_MARK, PJ22MD_011), + PINMUX_DATA(IRQ2_PJ_MARK, PJ22MD_100), +- PINMUX_DATA(CRX1_MARK, PJ22MD_101), +- PINMUX_DATA(CRX0_CRX1_MARK, PJ22MD_110), ++ PINMUX_DATA(CRX1_PJ22_MARK, PJ22MD_101), ++ PINMUX_DATA(CRX0_CRX1_PJ22_MARK, PJ22MD_110), + + PINMUX_DATA(PJ21_DATA, PJ21MD_000), + PINMUX_DATA(DV_DATA21_MARK, PJ21MD_001), + PINMUX_DATA(LCD_DATA21_PJ21_MARK, PJ21MD_010), + PINMUX_DATA(LCD_TCON4_MARK, PJ21MD_011), + PINMUX_DATA(IRQ1_PJ_MARK, PJ21MD_100), +- PINMUX_DATA(CTX2_MARK, PJ21MD_101), ++ PINMUX_DATA(CTX2_PJ21_MARK, PJ21MD_101), ++ PINMUX_DATA(CTX0_CTX1_CTX2_PJ21_MARK, PJ21MD_110), + + PINMUX_DATA(PJ20_DATA, PJ20MD_000), + PINMUX_DATA(DV_DATA20_MARK, PJ20MD_001), + PINMUX_DATA(LCD_DATA20_PJ20_MARK, PJ20MD_010), + PINMUX_DATA(LCD_TCON3_MARK, PJ20MD_011), + PINMUX_DATA(IRQ0_PJ_MARK, PJ20MD_100), +- PINMUX_DATA(CRX2_MARK, PJ20MD_101), +- PINMUX_DATA(CRX0CRX1CRX2_PJ20_MARK, PJ20MD_110), ++ PINMUX_DATA(CRX2_PJ20_MARK, PJ20MD_101), ++ PINMUX_DATA(CRX0_CRX1_CRX2_PJ20_MARK, PJ20MD_110), + + PINMUX_DATA(PJ19_DATA, PJ19MD_000), + PINMUX_DATA(DV_DATA19_MARK, PJ19MD_001), +@@ -1666,12 +1669,24 @@ static const struct pinmux_func pinmux_func_gpios[] = { + GPIO_FN(WDTOVF), + + /* CAN */ ++ GPIO_FN(CTX2), ++ GPIO_FN(CRX2), + GPIO_FN(CTX1), + GPIO_FN(CRX1), + GPIO_FN(CTX0), + GPIO_FN(CRX0), ++ GPIO_FN(CTX0_CTX1), + GPIO_FN(CRX0_CRX1), ++ GPIO_FN(CTX0_CTX1_CTX2), + GPIO_FN(CRX0_CRX1_CRX2), ++ GPIO_FN(CTX2_PJ21), ++ GPIO_FN(CRX2_PJ20), ++ GPIO_FN(CTX1_PJ23), ++ GPIO_FN(CRX1_PJ22), ++ GPIO_FN(CTX0_CTX1_PJ23), ++ GPIO_FN(CRX0_CRX1_PJ22), ++ GPIO_FN(CTX0_CTX1_CTX2_PJ21), ++ GPIO_FN(CRX0_CRX1_CRX2_PJ20), + + /* DMAC */ + GPIO_FN(TEND0), +-- +2.20.1 + diff --git a/queue-4.9/pm-devfreq-rk3399_dmc-add-compile_test-and-have_arm_.patch b/queue-4.9/pm-devfreq-rk3399_dmc-add-compile_test-and-have_arm_.patch new file mode 100644 index 00000000000..1a54331e69e --- /dev/null +++ b/queue-4.9/pm-devfreq-rk3399_dmc-add-compile_test-and-have_arm_.patch @@ -0,0 +1,53 @@ +From 185f81ed9b1f55c1bc31aa4c6313de61176d0269 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Dec 2019 11:20:30 +0900 +Subject: PM / devfreq: rk3399_dmc: Add COMPILE_TEST and HAVE_ARM_SMCCC + dependency + +From: Chanwoo Choi + +[ Upstream commit eff5d31f7407fa9d31fb840106f1593399457298 ] + +To build test, add COMPILE_TEST depedency to both ARM_RK3399_DMC_DEVFREQ +and DEVFREQ_EVENT_ROCKCHIP_DFI configuration. And ARM_RK3399_DMC_DEVFREQ +used the SMCCC interface so that add HAVE_ARM_SMCCC dependency to prevent +the build break. + +Reported-by: kbuild test robot +Signed-off-by: Chanwoo Choi +Signed-off-by: Sasha Levin +--- + drivers/devfreq/Kconfig | 3 ++- + drivers/devfreq/event/Kconfig | 2 +- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/devfreq/Kconfig b/drivers/devfreq/Kconfig +index 41254e702f1e9..2ce7cc94d78b1 100644 +--- a/drivers/devfreq/Kconfig ++++ b/drivers/devfreq/Kconfig +@@ -102,7 +102,8 @@ config ARM_TEGRA_DEVFREQ + + config ARM_RK3399_DMC_DEVFREQ + tristate "ARM RK3399 DMC DEVFREQ Driver" +- depends on ARCH_ROCKCHIP ++ depends on (ARCH_ROCKCHIP && HAVE_ARM_SMCCC) || \ ++ (COMPILE_TEST && HAVE_ARM_SMCCC) + select DEVFREQ_EVENT_ROCKCHIP_DFI + select DEVFREQ_GOV_SIMPLE_ONDEMAND + select PM_DEVFREQ_EVENT +diff --git a/drivers/devfreq/event/Kconfig b/drivers/devfreq/event/Kconfig +index cd949800eed96..8851bc4e8e3e1 100644 +--- a/drivers/devfreq/event/Kconfig ++++ b/drivers/devfreq/event/Kconfig +@@ -33,7 +33,7 @@ config DEVFREQ_EVENT_EXYNOS_PPMU + + config DEVFREQ_EVENT_ROCKCHIP_DFI + tristate "ROCKCHIP DFI DEVFREQ event Driver" +- depends on ARCH_ROCKCHIP ++ depends on ARCH_ROCKCHIP || COMPILE_TEST + help + This add the devfreq-event driver for Rockchip SoC. It provides DFI + (DDR Monitor Module) driver to count ddr load. +-- +2.20.1 + diff --git a/queue-4.9/powerpc-powernv-iov-ensure-the-pdn-for-vfs-always-co.patch b/queue-4.9/powerpc-powernv-iov-ensure-the-pdn-for-vfs-always-co.patch new file mode 100644 index 00000000000..5f1967ebc84 --- /dev/null +++ b/queue-4.9/powerpc-powernv-iov-ensure-the-pdn-for-vfs-always-co.patch @@ -0,0 +1,167 @@ +From 13882526e4f64eb643a948e95184a7a2bf2271ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Oct 2019 19:54:22 +1100 +Subject: powerpc/powernv/iov: Ensure the pdn for VFs always contains a valid + PE number + +From: Oliver O'Halloran + +[ Upstream commit 3b5b9997b331e77ce967eba2c4bc80dc3134a7fe ] + +On pseries there is a bug with adding hotplugged devices to an IOMMU +group. For a number of dumb reasons fixing that bug first requires +re-working how VFs are configured on PowerNV. For background, on +PowerNV we use the pcibios_sriov_enable() hook to do two things: + + 1. Create a pci_dn structure for each of the VFs, and + 2. Configure the PHB's internal BARs so the MMIO range for each VF + maps to a unique PE. + +Roughly speaking a PE is the hardware counterpart to a Linux IOMMU +group since all the devices in a PE share the same IOMMU table. A PE +also defines the set of devices that should be isolated in response to +a PCI error (i.e. bad DMA, UR/CA, AER events, etc). When isolated all +MMIO and DMA traffic to and from devicein the PE is blocked by the +root complex until the PE is recovered by the OS. + +The requirement to block MMIO causes a giant headache because the P8 +PHB generally uses a fixed mapping between MMIO addresses and PEs. As +a result we need to delay configuring the IOMMU groups for device +until after MMIO resources are assigned. For physical devices (i.e. +non-VFs) the PE assignment is done in pcibios_setup_bridge() which is +called immediately after the MMIO resources for downstream +devices (and the bridge's windows) are assigned. For VFs the setup is +more complicated because: + + a) pcibios_setup_bridge() is not called again when VFs are activated, and + b) The pci_dev for VFs are created by generic code which runs after + pcibios_sriov_enable() is called. + +The work around for this is a two step process: + + 1. A fixup in pcibios_add_device() is used to initialised the cached + pe_number in pci_dn, then + 2. A bus notifier then adds the device to the IOMMU group for the PE + specified in pci_dn->pe_number. + +A side effect fixing the pseries bug mentioned in the first paragraph +is moving the fixup out of pcibios_add_device() and into +pcibios_bus_add_device(), which is called much later. This results in +step 2. failing because pci_dn->pe_number won't be initialised when +the bus notifier is run. + +We can fix this by removing the need for the fixup. The PE for a VF is +known before the VF is even scanned so we can initialise +pci_dn->pe_number pcibios_sriov_enable() instead. Unfortunately, +moving the initialisation causes two problems: + + 1. We trip the WARN_ON() in the current fixup code, and + 2. The EEH core clears pdn->pe_number when recovering a VF and + relies on the fixup to correctly re-set it. + +The only justification for either of these is a comment in +eeh_rmv_device() suggesting that pdn->pe_number *must* be set to +IODA_INVALID_PE in order for the VF to be scanned. However, this +comment appears to have no basis in reality. Both bugs can be fixed by +just deleting the code. + +Tested-by: Alexey Kardashevskiy +Reviewed-by: Alexey Kardashevskiy +Signed-off-by: Oliver O'Halloran +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20191028085424.12006-1-oohall@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/eeh_driver.c | 6 ------ + arch/powerpc/platforms/powernv/pci-ioda.c | 19 +++++++++++++++---- + arch/powerpc/platforms/powernv/pci.c | 4 ---- + 3 files changed, 15 insertions(+), 14 deletions(-) + +diff --git a/arch/powerpc/kernel/eeh_driver.c b/arch/powerpc/kernel/eeh_driver.c +index 620e08d4eb6e2..adac3dee4c57e 100644 +--- a/arch/powerpc/kernel/eeh_driver.c ++++ b/arch/powerpc/kernel/eeh_driver.c +@@ -520,12 +520,6 @@ static void *eeh_rmv_device(void *data, void *userdata) + + pci_iov_remove_virtfn(edev->physfn, pdn->vf_index, 0); + edev->pdev = NULL; +- +- /* +- * We have to set the VF PE number to invalid one, which is +- * required to plug the VF successfully. +- */ +- pdn->pe_number = IODA_INVALID_PE; + #endif + if (rmv_data) + list_add(&edev->rmv_list, &rmv_data->edev_list); +diff --git a/arch/powerpc/platforms/powernv/pci-ioda.c b/arch/powerpc/platforms/powernv/pci-ioda.c +index 3ec673b4ca6ce..b787a669a1e27 100644 +--- a/arch/powerpc/platforms/powernv/pci-ioda.c ++++ b/arch/powerpc/platforms/powernv/pci-ioda.c +@@ -1524,6 +1524,10 @@ static void pnv_ioda_setup_vf_PE(struct pci_dev *pdev, u16 num_vfs) + + /* Reserve PE for each VF */ + for (vf_index = 0; vf_index < num_vfs; vf_index++) { ++ int vf_devfn = pci_iov_virtfn_devfn(pdev, vf_index); ++ int vf_bus = pci_iov_virtfn_bus(pdev, vf_index); ++ struct pci_dn *vf_pdn; ++ + if (pdn->m64_single_mode) + pe_num = pdn->pe_num_map[vf_index]; + else +@@ -1536,13 +1540,11 @@ static void pnv_ioda_setup_vf_PE(struct pci_dev *pdev, u16 num_vfs) + pe->pbus = NULL; + pe->parent_dev = pdev; + pe->mve_number = -1; +- pe->rid = (pci_iov_virtfn_bus(pdev, vf_index) << 8) | +- pci_iov_virtfn_devfn(pdev, vf_index); ++ pe->rid = (vf_bus << 8) | vf_devfn; + + pe_info(pe, "VF %04d:%02d:%02d.%d associated with PE#%d\n", + hose->global_number, pdev->bus->number, +- PCI_SLOT(pci_iov_virtfn_devfn(pdev, vf_index)), +- PCI_FUNC(pci_iov_virtfn_devfn(pdev, vf_index)), pe_num); ++ PCI_SLOT(vf_devfn), PCI_FUNC(vf_devfn), pe_num); + + if (pnv_ioda_configure_pe(phb, pe)) { + /* XXX What do we do here ? */ +@@ -1556,6 +1558,15 @@ static void pnv_ioda_setup_vf_PE(struct pci_dev *pdev, u16 num_vfs) + list_add_tail(&pe->list, &phb->ioda.pe_list); + mutex_unlock(&phb->ioda.pe_list_mutex); + ++ /* associate this pe to it's pdn */ ++ list_for_each_entry(vf_pdn, &pdn->parent->child_list, list) { ++ if (vf_pdn->busno == vf_bus && ++ vf_pdn->devfn == vf_devfn) { ++ vf_pdn->pe_number = pe_num; ++ break; ++ } ++ } ++ + pnv_pci_ioda2_setup_dma_pe(phb, pe); + } + } +diff --git a/arch/powerpc/platforms/powernv/pci.c b/arch/powerpc/platforms/powernv/pci.c +index 00dbf1e895a9d..2ed7627e991e0 100644 +--- a/arch/powerpc/platforms/powernv/pci.c ++++ b/arch/powerpc/platforms/powernv/pci.c +@@ -856,16 +856,12 @@ void pnv_pci_dma_dev_setup(struct pci_dev *pdev) + struct pnv_phb *phb = hose->private_data; + #ifdef CONFIG_PCI_IOV + struct pnv_ioda_pe *pe; +- struct pci_dn *pdn; + + /* Fix the VF pdn PE number */ + if (pdev->is_virtfn) { +- pdn = pci_get_pdn(pdev); +- WARN_ON(pdn->pe_number != IODA_INVALID_PE); + list_for_each_entry(pe, &phb->ioda.pe_list, list) { + if (pe->rid == ((pdev->bus->number << 8) | + (pdev->devfn & 0xff))) { +- pdn->pe_number = pe->pe_number; + pe->pdev = pdev; + break; + } +-- +2.20.1 + diff --git a/queue-4.9/powerpc-sriov-remove-vf-eeh_dev-state-when-disabling.patch b/queue-4.9/powerpc-sriov-remove-vf-eeh_dev-state-when-disabling.patch new file mode 100644 index 00000000000..a7eb9337bb6 --- /dev/null +++ b/queue-4.9/powerpc-sriov-remove-vf-eeh_dev-state-when-disabling.patch @@ -0,0 +1,57 @@ +From dbdf310852925ed2b30b2b10708b096731ea9472 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Aug 2019 16:26:53 +1000 +Subject: powerpc/sriov: Remove VF eeh_dev state when disabling SR-IOV + +From: Oliver O'Halloran + +[ Upstream commit 1fb4124ca9d456656a324f1ee29b7bf942f59ac8 ] + +When disabling virtual functions on an SR-IOV adapter we currently do not +correctly remove the EEH state for the now-dead virtual functions. When +removing the pci_dn that was created for the VF when SR-IOV was enabled +we free the corresponding eeh_dev without removing it from the child device +list of the eeh_pe that contained it. This can result in crashes due to the +use-after-free. + +Signed-off-by: Oliver O'Halloran +Reviewed-by: Sam Bobroff +Tested-by: Sam Bobroff +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20190821062655.19735-1-oohall@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/pci_dn.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/kernel/pci_dn.c b/arch/powerpc/kernel/pci_dn.c +index 5926934370702..c8f1b78fbd0e2 100644 +--- a/arch/powerpc/kernel/pci_dn.c ++++ b/arch/powerpc/kernel/pci_dn.c +@@ -271,9 +271,22 @@ void remove_dev_pci_data(struct pci_dev *pdev) + continue; + + #ifdef CONFIG_EEH +- /* Release EEH device for the VF */ ++ /* ++ * Release EEH state for this VF. The PCI core ++ * has already torn down the pci_dev for this VF, but ++ * we're responsible to removing the eeh_dev since it ++ * has the same lifetime as the pci_dn that spawned it. ++ */ + edev = pdn_to_eeh_dev(pdn); + if (edev) { ++ /* ++ * We allocate pci_dn's for the totalvfs count, ++ * but only only the vfs that were activated ++ * have a configured PE. ++ */ ++ if (edev->pe) ++ eeh_rmv_from_parent_pe(edev); ++ + pdn->edev = NULL; + kfree(edev); + } +-- +2.20.1 + diff --git a/queue-4.9/pwm-omap-dmtimer-remove-pwm-chip-in-.remove-before-m.patch b/queue-4.9/pwm-omap-dmtimer-remove-pwm-chip-in-.remove-before-m.patch new file mode 100644 index 00000000000..cee5e80c6ea --- /dev/null +++ b/queue-4.9/pwm-omap-dmtimer-remove-pwm-chip-in-.remove-before-m.patch @@ -0,0 +1,53 @@ +From 1e6cf6a27db839e9ad486dd3ca59a1ec7f5fc744 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Nov 2019 10:03:54 +0100 +Subject: pwm: omap-dmtimer: Remove PWM chip in .remove before making it + unfunctional +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 43efdc8f0e6d7088ec61bd55a73bf853f002d043 ] + +In the old code (e.g.) mutex_destroy() was called before +pwmchip_remove(). Between these two calls it is possible that a PWM +callback is used which tries to grab the mutex. + +Fixes: 6604c6556db9 ("pwm: Add PWM driver for OMAP using dual-mode timers") +Signed-off-by: Uwe Kleine-König +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-omap-dmtimer.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/pwm/pwm-omap-dmtimer.c b/drivers/pwm/pwm-omap-dmtimer.c +index 5ad42f33e70c1..2e15acf13893d 100644 +--- a/drivers/pwm/pwm-omap-dmtimer.c ++++ b/drivers/pwm/pwm-omap-dmtimer.c +@@ -337,6 +337,11 @@ static int pwm_omap_dmtimer_probe(struct platform_device *pdev) + static int pwm_omap_dmtimer_remove(struct platform_device *pdev) + { + struct pwm_omap_dmtimer_chip *omap = platform_get_drvdata(pdev); ++ int ret; ++ ++ ret = pwmchip_remove(&omap->chip); ++ if (ret) ++ return ret; + + if (pm_runtime_active(&omap->dm_timer_pdev->dev)) + omap->pdata->stop(omap->dm_timer); +@@ -345,7 +350,7 @@ static int pwm_omap_dmtimer_remove(struct platform_device *pdev) + + mutex_destroy(&omap->mutex); + +- return pwmchip_remove(&omap->chip); ++ return 0; + } + + static const struct of_device_id pwm_omap_dmtimer_of_match[] = { +-- +2.20.1 + diff --git a/queue-4.9/pxa168fb-fix-the-function-used-to-release-some-memor.patch b/queue-4.9/pxa168fb-fix-the-function-used-to-release-some-memor.patch new file mode 100644 index 00000000000..e5cf9ac3bd4 --- /dev/null +++ b/queue-4.9/pxa168fb-fix-the-function-used-to-release-some-memor.patch @@ -0,0 +1,57 @@ +From 9029ed0a677a5aa1c82f953a1843523a71e97ddc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 31 Aug 2019 12:00:24 +0200 +Subject: pxa168fb: Fix the function used to release some memory in an error + handling path + +From: Christophe JAILLET + +[ Upstream commit 3c911fe799d1c338d94b78e7182ad452c37af897 ] + +In the probe function, some resources are allocated using 'dma_alloc_wc()', +they should be released with 'dma_free_wc()', not 'dma_free_coherent()'. + +We already use 'dma_free_wc()' in the remove function, but not in the +error handling path of the probe function. + +Also, remove a useless 'PAGE_ALIGN()'. 'info->fix.smem_len' is already +PAGE_ALIGNed. + +Fixes: 638772c7553f ("fb: add support of LCD display controller on pxa168/910 (base layer)") +Signed-off-by: Christophe JAILLET +Reviewed-by: Lubomir Rintel +CC: YueHaibing +Signed-off-by: Bartlomiej Zolnierkiewicz +Link: https://patchwork.freedesktop.org/patch/msgid/20190831100024.3248-1-christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/pxa168fb.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/video/fbdev/pxa168fb.c b/drivers/video/fbdev/pxa168fb.c +index d059d04c63acd..20195d3dbf088 100644 +--- a/drivers/video/fbdev/pxa168fb.c ++++ b/drivers/video/fbdev/pxa168fb.c +@@ -769,8 +769,8 @@ failed_free_cmap: + failed_free_clk: + clk_disable_unprepare(fbi->clk); + failed_free_fbmem: +- dma_free_coherent(fbi->dev, info->fix.smem_len, +- info->screen_base, fbi->fb_start_dma); ++ dma_free_wc(fbi->dev, info->fix.smem_len, ++ info->screen_base, fbi->fb_start_dma); + failed_free_info: + kfree(info); + +@@ -804,7 +804,7 @@ static int pxa168fb_remove(struct platform_device *pdev) + + irq = platform_get_irq(pdev, 0); + +- dma_free_wc(fbi->dev, PAGE_ALIGN(info->fix.smem_len), ++ dma_free_wc(fbi->dev, info->fix.smem_len, + info->screen_base, info->fix.smem_start); + + clk_disable_unprepare(fbi->clk); +-- +2.20.1 + diff --git a/queue-4.9/radeon-insert-10ms-sleep-in-dce5_crtc_load_lut.patch b/queue-4.9/radeon-insert-10ms-sleep-in-dce5_crtc_load_lut.patch new file mode 100644 index 00000000000..8166b4a5a28 --- /dev/null +++ b/queue-4.9/radeon-insert-10ms-sleep-in-dce5_crtc_load_lut.patch @@ -0,0 +1,53 @@ +From 59160437ba887de4df54f550d5a2112925bdde52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Jan 2020 17:09:52 +0100 +Subject: radeon: insert 10ms sleep in dce5_crtc_load_lut +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Daniel Vetter + +[ Upstream commit ec3d65082d7dabad6fa8f66a8ef166f2d522d6b2 ] + +Per at least one tester this is enough magic to recover the regression +introduced for some people (but not all) in + +commit b8e2b0199cc377617dc238f5106352c06dcd3fa2 +Author: Peter Rosin +Date: Tue Jul 4 12:36:57 2017 +0200 + + drm/fb-helper: factor out pseudo-palette + +which for radeon had the side-effect of refactoring out a seemingly +redudant writing of the color palette. + +10ms in a fairly slow modeset path feels like an acceptable form of +duct-tape, so maybe worth a shot and see what sticks. + +Cc: Alex Deucher +Cc: Michel Dänzer +References: https://bugzilla.kernel.org/show_bug.cgi?id=198123 +Signed-off-by: Daniel Vetter +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/radeon_display.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/radeon/radeon_display.c b/drivers/gpu/drm/radeon/radeon_display.c +index 8b6f8aa238063..432ad7d73cb9b 100644 +--- a/drivers/gpu/drm/radeon/radeon_display.c ++++ b/drivers/gpu/drm/radeon/radeon_display.c +@@ -110,6 +110,8 @@ static void dce5_crtc_load_lut(struct drm_crtc *crtc) + + DRM_DEBUG_KMS("%d\n", radeon_crtc->crtc_id); + ++ msleep(10); ++ + WREG32(NI_INPUT_CSC_CONTROL + radeon_crtc->crtc_offset, + (NI_INPUT_CSC_GRPH_MODE(NI_INPUT_CSC_BYPASS) | + NI_INPUT_CSC_OVL_MODE(NI_INPUT_CSC_BYPASS))); +-- +2.20.1 + diff --git a/queue-4.9/rcu-use-write_once-for-assignments-to-pprev-for-hlis.patch b/queue-4.9/rcu-use-write_once-for-assignments-to-pprev-for-hlis.patch new file mode 100644 index 00000000000..85dbeb96ee7 --- /dev/null +++ b/queue-4.9/rcu-use-write_once-for-assignments-to-pprev-for-hlis.patch @@ -0,0 +1,169 @@ +From c179dc71790196e4980f7b0c55390f3e161697f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Nov 2019 09:42:13 -0800 +Subject: rcu: Use WRITE_ONCE() for assignments to ->pprev for hlist_nulls + +From: Paul E. McKenney + +[ Upstream commit 860c8802ace14c646864795e057349c9fb2d60ad ] + +Eric Dumazet supplied a KCSAN report of a bug that forces use +of hlist_unhashed_lockless() from sk_unhashed(): + +------------------------------------------------------------------------ + +BUG: KCSAN: data-race in inet_unhash / inet_unhash + +write to 0xffff8880a69a0170 of 8 bytes by interrupt on cpu 1: + __hlist_nulls_del include/linux/list_nulls.h:88 [inline] + hlist_nulls_del_init_rcu include/linux/rculist_nulls.h:36 [inline] + __sk_nulls_del_node_init_rcu include/net/sock.h:676 [inline] + inet_unhash+0x38f/0x4a0 net/ipv4/inet_hashtables.c:612 + tcp_set_state+0xfa/0x3e0 net/ipv4/tcp.c:2249 + tcp_done+0x93/0x1e0 net/ipv4/tcp.c:3854 + tcp_write_err+0x7e/0xc0 net/ipv4/tcp_timer.c:56 + tcp_retransmit_timer+0x9b8/0x16d0 net/ipv4/tcp_timer.c:479 + tcp_write_timer_handler+0x42d/0x510 net/ipv4/tcp_timer.c:599 + tcp_write_timer+0xd1/0xf0 net/ipv4/tcp_timer.c:619 + call_timer_fn+0x5f/0x2f0 kernel/time/timer.c:1404 + expire_timers kernel/time/timer.c:1449 [inline] + __run_timers kernel/time/timer.c:1773 [inline] + __run_timers kernel/time/timer.c:1740 [inline] + run_timer_softirq+0xc0c/0xcd0 kernel/time/timer.c:1786 + __do_softirq+0x115/0x33f kernel/softirq.c:292 + invoke_softirq kernel/softirq.c:373 [inline] + irq_exit+0xbb/0xe0 kernel/softirq.c:413 + exiting_irq arch/x86/include/asm/apic.h:536 [inline] + smp_apic_timer_interrupt+0xe6/0x280 arch/x86/kernel/apic/apic.c:1137 + apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830 + native_safe_halt+0xe/0x10 arch/x86/kernel/paravirt.c:71 + arch_cpu_idle+0x1f/0x30 arch/x86/kernel/process.c:571 + default_idle_call+0x1e/0x40 kernel/sched/idle.c:94 + cpuidle_idle_call kernel/sched/idle.c:154 [inline] + do_idle+0x1af/0x280 kernel/sched/idle.c:263 + cpu_startup_entry+0x1b/0x20 kernel/sched/idle.c:355 + start_secondary+0x208/0x260 arch/x86/kernel/smpboot.c:264 + secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:241 + +read to 0xffff8880a69a0170 of 8 bytes by interrupt on cpu 0: + sk_unhashed include/net/sock.h:607 [inline] + inet_unhash+0x3d/0x4a0 net/ipv4/inet_hashtables.c:592 + tcp_set_state+0xfa/0x3e0 net/ipv4/tcp.c:2249 + tcp_done+0x93/0x1e0 net/ipv4/tcp.c:3854 + tcp_write_err+0x7e/0xc0 net/ipv4/tcp_timer.c:56 + tcp_retransmit_timer+0x9b8/0x16d0 net/ipv4/tcp_timer.c:479 + tcp_write_timer_handler+0x42d/0x510 net/ipv4/tcp_timer.c:599 + tcp_write_timer+0xd1/0xf0 net/ipv4/tcp_timer.c:619 + call_timer_fn+0x5f/0x2f0 kernel/time/timer.c:1404 + expire_timers kernel/time/timer.c:1449 [inline] + __run_timers kernel/time/timer.c:1773 [inline] + __run_timers kernel/time/timer.c:1740 [inline] + run_timer_softirq+0xc0c/0xcd0 kernel/time/timer.c:1786 + __do_softirq+0x115/0x33f kernel/softirq.c:292 + invoke_softirq kernel/softirq.c:373 [inline] + irq_exit+0xbb/0xe0 kernel/softirq.c:413 + exiting_irq arch/x86/include/asm/apic.h:536 [inline] + smp_apic_timer_interrupt+0xe6/0x280 arch/x86/kernel/apic/apic.c:1137 + apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830 + native_safe_halt+0xe/0x10 arch/x86/kernel/paravirt.c:71 + arch_cpu_idle+0x1f/0x30 arch/x86/kernel/process.c:571 + default_idle_call+0x1e/0x40 kernel/sched/idle.c:94 + cpuidle_idle_call kernel/sched/idle.c:154 [inline] + do_idle+0x1af/0x280 kernel/sched/idle.c:263 + cpu_startup_entry+0x1b/0x20 kernel/sched/idle.c:355 + rest_init+0xec/0xf6 init/main.c:452 + arch_call_rest_init+0x17/0x37 + start_kernel+0x838/0x85e init/main.c:786 + x86_64_start_reservations+0x29/0x2b arch/x86/kernel/head64.c:490 + x86_64_start_kernel+0x72/0x76 arch/x86/kernel/head64.c:471 + secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:241 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.0-rc6+ #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, +BIOS Google 01/01/2011 + +------------------------------------------------------------------------ + +This commit therefore replaces C-language assignments with WRITE_ONCE() +in include/linux/list_nulls.h and include/linux/rculist_nulls.h. + +Reported-by: Eric Dumazet # For KCSAN +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + include/linux/list_nulls.h | 8 ++++---- + include/linux/rculist_nulls.h | 8 ++++---- + 2 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/include/linux/list_nulls.h b/include/linux/list_nulls.h +index 87ff4f58a2f01..9e20bf7f46a20 100644 +--- a/include/linux/list_nulls.h ++++ b/include/linux/list_nulls.h +@@ -71,10 +71,10 @@ static inline void hlist_nulls_add_head(struct hlist_nulls_node *n, + struct hlist_nulls_node *first = h->first; + + n->next = first; +- n->pprev = &h->first; ++ WRITE_ONCE(n->pprev, &h->first); + h->first = n; + if (!is_a_nulls(first)) +- first->pprev = &n->next; ++ WRITE_ONCE(first->pprev, &n->next); + } + + static inline void __hlist_nulls_del(struct hlist_nulls_node *n) +@@ -84,13 +84,13 @@ static inline void __hlist_nulls_del(struct hlist_nulls_node *n) + + WRITE_ONCE(*pprev, next); + if (!is_a_nulls(next)) +- next->pprev = pprev; ++ WRITE_ONCE(next->pprev, pprev); + } + + static inline void hlist_nulls_del(struct hlist_nulls_node *n) + { + __hlist_nulls_del(n); +- n->pprev = LIST_POISON2; ++ WRITE_ONCE(n->pprev, LIST_POISON2); + } + + /** +diff --git a/include/linux/rculist_nulls.h b/include/linux/rculist_nulls.h +index 106f4e0d7bd39..4d71e3687d1ed 100644 +--- a/include/linux/rculist_nulls.h ++++ b/include/linux/rculist_nulls.h +@@ -33,7 +33,7 @@ static inline void hlist_nulls_del_init_rcu(struct hlist_nulls_node *n) + { + if (!hlist_nulls_unhashed(n)) { + __hlist_nulls_del(n); +- n->pprev = NULL; ++ WRITE_ONCE(n->pprev, NULL); + } + } + +@@ -65,7 +65,7 @@ static inline void hlist_nulls_del_init_rcu(struct hlist_nulls_node *n) + static inline void hlist_nulls_del_rcu(struct hlist_nulls_node *n) + { + __hlist_nulls_del(n); +- n->pprev = LIST_POISON2; ++ WRITE_ONCE(n->pprev, LIST_POISON2); + } + + /** +@@ -93,10 +93,10 @@ static inline void hlist_nulls_add_head_rcu(struct hlist_nulls_node *n, + struct hlist_nulls_node *first = h->first; + + n->next = first; +- n->pprev = &h->first; ++ WRITE_ONCE(n->pprev, &h->first); + rcu_assign_pointer(hlist_nulls_first_rcu(h), n); + if (!is_a_nulls(first)) +- first->pprev = &n->next; ++ WRITE_ONCE(first->pprev, &n->next); + } + + /** +-- +2.20.1 + diff --git a/queue-4.9/rdma-rxe-fix-error-type-of-mmap_offset.patch b/queue-4.9/rdma-rxe-fix-error-type-of-mmap_offset.patch new file mode 100644 index 00000000000..9f54589881a --- /dev/null +++ b/queue-4.9/rdma-rxe-fix-error-type-of-mmap_offset.patch @@ -0,0 +1,38 @@ +From c56fc57e6b90ee77b44b2966ab09cd6b149fc6db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Dec 2019 19:36:13 +0800 +Subject: RDMA/rxe: Fix error type of mmap_offset + +From: Jiewei Ke + +[ Upstream commit 6ca18d8927d468c763571f78c9a7387a69ffa020 ] + +The type of mmap_offset should be u64 instead of int to match the type of +mminfo.offset. If otherwise, after we create several thousands of CQs, it +will run into overflow issues. + +Link: https://lore.kernel.org/r/20191227113613.5020-1-kejiewei.cn@gmail.com +Signed-off-by: Jiewei Ke +Reviewed-by: Jason Gunthorpe +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_verbs.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_verbs.h b/drivers/infiniband/sw/rxe/rxe_verbs.h +index 47003d2a4a46e..dee3853163b60 100644 +--- a/drivers/infiniband/sw/rxe/rxe_verbs.h ++++ b/drivers/infiniband/sw/rxe/rxe_verbs.h +@@ -422,7 +422,7 @@ struct rxe_dev { + struct list_head pending_mmaps; + + spinlock_t mmap_offset_lock; /* guard mmap_offset */ +- int mmap_offset; ++ u64 mmap_offset; + + struct rxe_port port; + struct list_head list; +-- +2.20.1 + diff --git a/queue-4.9/regulator-rk808-lower-log-level-on-optional-gpios-be.patch b/queue-4.9/regulator-rk808-lower-log-level-on-optional-gpios-be.patch new file mode 100644 index 00000000000..30d6f8da4ed --- /dev/null +++ b/queue-4.9/regulator-rk808-lower-log-level-on-optional-gpios-be.patch @@ -0,0 +1,45 @@ +From 6757010f3416d97cf66f8ca168f38040a5a35ece Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2019 17:47:09 +0100 +Subject: regulator: rk808: Lower log level on optional GPIOs being not + available + +From: Miquel Raynal + +[ Upstream commit b8a039d37792067c1a380dc710361905724b9b2f ] + +RK808 can leverage a couple of GPIOs to tweak the ramp rate during DVS +(Dynamic Voltage Scaling). These GPIOs are entirely optional but a +dev_warn() appeared when cleaning this driver to use a more up-to-date +gpiod API. At least reduce the log level to 'info' as it is totally +fine to not populate these GPIO on a hardware design. + +This change is trivial but it is worth not polluting the logs during +bringup phase by having real warnings and errors sorted out +correctly. + +Fixes: a13eaf02e2d6 ("regulator: rk808: make better use of the gpiod API") +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/r/20191203164709.11127-1-miquel.raynal@bootlin.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/rk808-regulator.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/regulator/rk808-regulator.c b/drivers/regulator/rk808-regulator.c +index dfa8d50a5d741..28646e4cf3bae 100644 +--- a/drivers/regulator/rk808-regulator.c ++++ b/drivers/regulator/rk808-regulator.c +@@ -589,7 +589,7 @@ static int rk808_regulator_dt_parse_pdata(struct device *dev, + } + + if (!pdata->dvs_gpio[i]) { +- dev_warn(dev, "there is no dvs%d gpio\n", i); ++ dev_info(dev, "there is no dvs%d gpio\n", i); + continue; + } + +-- +2.20.1 + diff --git a/queue-4.9/reiserfs-fix-spurious-unlock-in-reiserfs_fill_super-.patch b/queue-4.9/reiserfs-fix-spurious-unlock-in-reiserfs_fill_super-.patch new file mode 100644 index 00000000000..be749fcd221 --- /dev/null +++ b/queue-4.9/reiserfs-fix-spurious-unlock-in-reiserfs_fill_super-.patch @@ -0,0 +1,36 @@ +From 75a665d8fc9383b2ab7ae2d1493bdb38e8796d23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Dec 2019 11:35:58 +0100 +Subject: reiserfs: Fix spurious unlock in reiserfs_fill_super() error handling + +From: Jan Kara + +[ Upstream commit 4d5c1adaf893b8aa52525d2b81995e949bcb3239 ] + +When we fail to allocate string for journal device name we jump to +'error' label which tries to unlock reiserfs write lock which is not +held. Jump to 'error_unlocked' instead. + +Fixes: f32485be8397 ("reiserfs: delay reiserfs lock until journal initialization") +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/reiserfs/super.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/reiserfs/super.c b/fs/reiserfs/super.c +index bfed2a7000154..677608a89b08d 100644 +--- a/fs/reiserfs/super.c ++++ b/fs/reiserfs/super.c +@@ -1928,7 +1928,7 @@ static int reiserfs_fill_super(struct super_block *s, void *data, int silent) + if (!sbi->s_jdev) { + SWARN(silent, s, "", "Cannot allocate memory for " + "journal device name"); +- goto error; ++ goto error_unlocked; + } + } + #ifdef CONFIG_QUOTA +-- +2.20.1 + diff --git a/queue-4.9/reiserfs-prevent-null-pointer-dereference-in-reiserf.patch b/queue-4.9/reiserfs-prevent-null-pointer-dereference-in-reiserf.patch new file mode 100644 index 00000000000..4ac3becc229 --- /dev/null +++ b/queue-4.9/reiserfs-prevent-null-pointer-dereference-in-reiserf.patch @@ -0,0 +1,44 @@ +From 61809afab044c7e5712b4b27a75ca3f58208b79d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jan 2020 22:17:26 -0800 +Subject: reiserfs: prevent NULL pointer dereference in reiserfs_insert_item() + +From: Yunfeng Ye + +[ Upstream commit aacee5446a2a1aa35d0a49dab289552578657fb4 ] + +The variable inode may be NULL in reiserfs_insert_item(), but there is +no check before accessing the member of inode. + +Fix this by adding NULL pointer check before calling reiserfs_debug(). + +Link: http://lkml.kernel.org/r/79c5135d-ff25-1cc9-4e99-9f572b88cc00@huawei.com +Signed-off-by: Yunfeng Ye +Cc: zhengbin +Cc: Hu Shiyuan +Cc: Feilong Lin +Cc: Jan Kara +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/reiserfs/stree.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/reiserfs/stree.c b/fs/reiserfs/stree.c +index a97e352d05d3b..5f5fff0688776 100644 +--- a/fs/reiserfs/stree.c ++++ b/fs/reiserfs/stree.c +@@ -2249,7 +2249,8 @@ error_out: + /* also releases the path */ + unfix_nodes(&s_ins_balance); + #ifdef REISERQUOTA_DEBUG +- reiserfs_debug(th->t_super, REISERFS_DEBUG_CODE, ++ if (inode) ++ reiserfs_debug(th->t_super, REISERFS_DEBUG_CODE, + "reiserquota insert_item(): freeing %u id=%u type=%c", + quota_bytes, inode->i_uid, head2type(ih)); + #endif +-- +2.20.1 + diff --git a/queue-4.9/remoteproc-initialize-rproc_class-before-use.patch b/queue-4.9/remoteproc-initialize-rproc_class-before-use.patch new file mode 100644 index 00000000000..b6f9e8841c4 --- /dev/null +++ b/queue-4.9/remoteproc-initialize-rproc_class-before-use.patch @@ -0,0 +1,73 @@ +From 94db203348d35c9a9f9ab52d6ea181d5711a41b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 May 2019 17:52:23 -0500 +Subject: remoteproc: Initialize rproc_class before use + +From: Brandon Maier + +[ Upstream commit a8f40111d184098cd2b3dc0c7170c42250a5fa09 ] + +The remoteproc_core and remoteproc drivers all initialize with module_init(). +However remoteproc drivers need the rproc_class during their probe. If one of +the remoteproc drivers runs init and gets through probe before +remoteproc_init() runs, a NULL pointer access of rproc_class's `glue_dirs` +spinlock occurs. + +> Unable to handle kernel NULL pointer dereference at virtual address 000000dc +> pgd = c0004000 +> [000000dc] *pgd=00000000 +> Internal error: Oops: 5 [#1] PREEMPT ARM +> Modules linked in: +> CPU: 0 PID: 1 Comm: swapper Tainted: G W 4.14.106-rt56 #1 +> Hardware name: Generic OMAP36xx (Flattened Device Tree) +> task: c6050000 task.stack: c604a000 +> PC is at rt_spin_lock+0x40/0x6c +> LR is at rt_spin_lock+0x28/0x6c +> pc : [] lr : [] psr: 60000013 +> sp : c604bdc0 ip : 00000000 fp : 00000000 +> r10: 00000000 r9 : c61c7c10 r8 : c6269c20 +> r7 : c0905888 r6 : c6269c20 r5 : 00000000 r4 : 000000d4 +> r3 : 000000dc r2 : c6050000 r1 : 00000002 r0 : 000000d4 +> Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none +... +> [] (rt_spin_lock) from [] (get_device_parent+0x54/0x17c) +> [] (get_device_parent) from [] (device_add+0xe0/0x5b4) +> [] (device_add) from [] (rproc_add+0x18/0xd8) +> [] (rproc_add) from [] (my_rproc_probe+0x158/0x204) +> [] (my_rproc_probe) from [] (platform_drv_probe+0x34/0x70) +> [] (platform_drv_probe) from [] (driver_probe_device+0x2c8/0x420) +> [] (driver_probe_device) from [] (__driver_attach+0x100/0x11c) +> [] (__driver_attach) from [] (bus_for_each_dev+0x7c/0xc0) +> [] (bus_for_each_dev) from [] (bus_add_driver+0x1cc/0x264) +> [] (bus_add_driver) from [] (driver_register+0x78/0xf8) +> [] (driver_register) from [] (do_one_initcall+0x100/0x190) +> [] (do_one_initcall) from [] (kernel_init_freeable+0x130/0x1d0) +> [] (kernel_init_freeable) from [] (kernel_init+0x8/0x114) +> [] (kernel_init) from [] (ret_from_fork+0x14/0x24) +> Code: e2843008 e3c2203f f5d3f000 e5922010 (e193cf9f) +> ---[ end trace 0000000000000002 ]--- + +Signed-off-by: Brandon Maier +Link: https://lore.kernel.org/r/20190530225223.136420-1-brandon.maier@rockwellcollins.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/remoteproc/remoteproc_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/remoteproc/remoteproc_core.c b/drivers/remoteproc/remoteproc_core.c +index c6bfb3496684e..b99780574044a 100644 +--- a/drivers/remoteproc/remoteproc_core.c ++++ b/drivers/remoteproc/remoteproc_core.c +@@ -1488,7 +1488,7 @@ static int __init remoteproc_init(void) + + return 0; + } +-module_init(remoteproc_init); ++subsys_initcall(remoteproc_init); + + static void __exit remoteproc_exit(void) + { +-- +2.20.1 + diff --git a/queue-4.9/rtlwifi-rtl_pci-fix-wcast-function-type.patch b/queue-4.9/rtlwifi-rtl_pci-fix-wcast-function-type.patch new file mode 100644 index 00000000000..9c6be70c8bb --- /dev/null +++ b/queue-4.9/rtlwifi-rtl_pci-fix-wcast-function-type.patch @@ -0,0 +1,58 @@ +From 42a203c16d02996ea19084434c36f2fc2425ee3d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Nov 2019 00:55:29 +0700 +Subject: rtlwifi: rtl_pci: Fix -Wcast-function-type + +From: Phong Tran + +[ Upstream commit cb775c88da5d48a85d99d95219f637b6fad2e0e9 ] + +correct usage prototype of callback in tasklet_init(). +Report by https://github.com/KSPP/linux/issues/20 + +Signed-off-by: Phong Tran +Reviewed-by: Kees Cook +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/pci.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c +index e15b462d096bf..21b7cb845bf40 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/pci.c ++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c +@@ -1095,13 +1095,15 @@ done: + return ret; + } + +-static void _rtl_pci_irq_tasklet(struct ieee80211_hw *hw) ++static void _rtl_pci_irq_tasklet(unsigned long data) + { ++ struct ieee80211_hw *hw = (struct ieee80211_hw *)data; + _rtl_pci_tx_chk_waitq(hw); + } + +-static void _rtl_pci_prepare_bcn_tasklet(struct ieee80211_hw *hw) ++static void _rtl_pci_prepare_bcn_tasklet(unsigned long data) + { ++ struct ieee80211_hw *hw = (struct ieee80211_hw *)data; + struct rtl_priv *rtlpriv = rtl_priv(hw); + struct rtl_pci *rtlpci = rtl_pcidev(rtl_pcipriv(hw)); + struct rtl_mac *mac = rtl_mac(rtl_priv(hw)); +@@ -1223,10 +1225,10 @@ static void _rtl_pci_init_struct(struct ieee80211_hw *hw, + + /*task */ + tasklet_init(&rtlpriv->works.irq_tasklet, +- (void (*)(unsigned long))_rtl_pci_irq_tasklet, ++ _rtl_pci_irq_tasklet, + (unsigned long)hw); + tasklet_init(&rtlpriv->works.irq_prepare_bcn_tasklet, +- (void (*)(unsigned long))_rtl_pci_prepare_bcn_tasklet, ++ _rtl_pci_prepare_bcn_tasklet, + (unsigned long)hw); + INIT_WORK(&rtlpriv->works.lps_change_work, + rtl_lps_change_work_callback); +-- +2.20.1 + diff --git a/queue-4.9/s390-ftrace-generate-traced-function-stack-frame.patch b/queue-4.9/s390-ftrace-generate-traced-function-stack-frame.patch new file mode 100644 index 00000000000..d2a5deb684e --- /dev/null +++ b/queue-4.9/s390-ftrace-generate-traced-function-stack-frame.patch @@ -0,0 +1,103 @@ +From 99655674ef1b6164e85d12aa3395e9a81e7b8c06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2019 14:33:39 +0100 +Subject: s390/ftrace: generate traced function stack frame + +From: Vasily Gorbik + +[ Upstream commit 45f7a0da600d3c409b5ad8d5ddddacd98ddc8840 ] + +Currently backtrace from ftraced function does not contain ftraced +function itself. e.g. for "path_openat": + +arch_stack_walk+0x15c/0x2d8 +stack_trace_save+0x50/0x68 +stack_trace_call+0x15e/0x3d8 +ftrace_graph_caller+0x0/0x1c <-- ftrace code +do_filp_open+0x7c/0xe8 <-- ftraced function caller +do_open_execat+0x76/0x1b8 +open_exec+0x52/0x78 +load_elf_binary+0x180/0x1160 +search_binary_handler+0x8e/0x288 +load_script+0x2a8/0x2b8 +search_binary_handler+0x8e/0x288 +__do_execve_file.isra.39+0x6fa/0xb40 +__s390x_sys_execve+0x56/0x68 +system_call+0xdc/0x2d8 + +Ftraced function is expected in the backtrace by ftrace kselftests, which +are now failing. It would also be nice to have it for clarity reasons. + +"ftrace_caller" itself is called without stack frame allocated for it +and does not store its caller (ftraced function). Instead it simply +allocates a stack frame for "ftrace_trace_function" and sets backchain +to point to ftraced function stack frame (which contains ftraced function +caller in saved r14). + +To fix this issue make "ftrace_caller" allocate a stack frame +for itself just to store ftraced function for the stack unwinder. +As a result backtrace looks like the following: + +arch_stack_walk+0x15c/0x2d8 +stack_trace_save+0x50/0x68 +stack_trace_call+0x15e/0x3d8 +ftrace_graph_caller+0x0/0x1c <-- ftrace code +path_openat+0x6/0xd60 <-- ftraced function +do_filp_open+0x7c/0xe8 <-- ftraced function caller +do_open_execat+0x76/0x1b8 +open_exec+0x52/0x78 +load_elf_binary+0x180/0x1160 +search_binary_handler+0x8e/0x288 +load_script+0x2a8/0x2b8 +search_binary_handler+0x8e/0x288 +__do_execve_file.isra.39+0x6fa/0xb40 +__s390x_sys_execve+0x56/0x68 +system_call+0xdc/0x2d8 + +Reported-by: Sven Schnelle +Tested-by: Sven Schnelle +Reviewed-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/mcount.S | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/arch/s390/kernel/mcount.S b/arch/s390/kernel/mcount.S +index be75e8e49e43d..802a4ded9a626 100644 +--- a/arch/s390/kernel/mcount.S ++++ b/arch/s390/kernel/mcount.S +@@ -24,6 +24,12 @@ ENTRY(ftrace_stub) + #define STACK_PTREGS (STACK_FRAME_OVERHEAD) + #define STACK_PTREGS_GPRS (STACK_PTREGS + __PT_GPRS) + #define STACK_PTREGS_PSW (STACK_PTREGS + __PT_PSW) ++#ifdef __PACK_STACK ++/* allocate just enough for r14, r15 and backchain */ ++#define TRACED_FUNC_FRAME_SIZE 24 ++#else ++#define TRACED_FUNC_FRAME_SIZE STACK_FRAME_OVERHEAD ++#endif + + ENTRY(_mcount) + BR_EX %r14 +@@ -37,9 +43,16 @@ ENTRY(ftrace_caller) + #ifndef CC_USING_HOTPATCH + aghi %r0,MCOUNT_RETURN_FIXUP + #endif +- aghi %r15,-STACK_FRAME_SIZE ++ # allocate stack frame for ftrace_caller to contain traced function ++ aghi %r15,-TRACED_FUNC_FRAME_SIZE + stg %r1,__SF_BACKCHAIN(%r15) ++ stg %r0,(__SF_GPRS+8*8)(%r15) ++ stg %r15,(__SF_GPRS+9*8)(%r15) ++ # allocate pt_regs and stack frame for ftrace_trace_function ++ aghi %r15,-STACK_FRAME_SIZE + stg %r1,(STACK_PTREGS_GPRS+15*8)(%r15) ++ aghi %r1,-TRACED_FUNC_FRAME_SIZE ++ stg %r1,__SF_BACKCHAIN(%r15) + stg %r0,(STACK_PTREGS_PSW+8)(%r15) + stmg %r2,%r14,(STACK_PTREGS_GPRS+2*8)(%r15) + #ifdef CONFIG_HAVE_MARCH_Z196_FEATURES +-- +2.20.1 + diff --git a/queue-4.9/scsi-aic7xxx-adjust-indentation-in-ahc_find_syncrate.patch b/queue-4.9/scsi-aic7xxx-adjust-indentation-in-ahc_find_syncrate.patch new file mode 100644 index 00000000000..ccdcf0a8f15 --- /dev/null +++ b/queue-4.9/scsi-aic7xxx-adjust-indentation-in-ahc_find_syncrate.patch @@ -0,0 +1,54 @@ +From 8c5e64cd5ccd8607c44b992003af89bcd684335f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Dec 2019 18:42:20 -0700 +Subject: scsi: aic7xxx: Adjust indentation in ahc_find_syncrate + +From: Nathan Chancellor + +[ Upstream commit 4dbc96ad65c45cdd4e895ed7ae4c151b780790c5 ] + +Clang warns: + +../drivers/scsi/aic7xxx/aic7xxx_core.c:2317:5: warning: misleading +indentation; statement is not part of the previous 'if' +[-Wmisleading-indentation] + if ((syncrate->sxfr_u2 & ST_SXFR) != 0) + ^ +../drivers/scsi/aic7xxx/aic7xxx_core.c:2310:4: note: previous statement +is here + if (syncrate == &ahc_syncrates[maxsync]) + ^ +1 warning generated. + +This warning occurs because there is a space amongst the tabs on this +line. Remove it so that the indentation is consistent with the Linux kernel +coding style and clang no longer warns. + +This has been a problem since the beginning of git history hence no fixes +tag. + +Link: https://github.com/ClangBuiltLinux/linux/issues/817 +Link: https://lore.kernel.org/r/20191218014220.52746-1-natechancellor@gmail.com +Signed-off-by: Nathan Chancellor +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/aic7xxx/aic7xxx_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/aic7xxx/aic7xxx_core.c b/drivers/scsi/aic7xxx/aic7xxx_core.c +index 64ab9eaec428c..def3208dd2905 100644 +--- a/drivers/scsi/aic7xxx/aic7xxx_core.c ++++ b/drivers/scsi/aic7xxx/aic7xxx_core.c +@@ -2321,7 +2321,7 @@ ahc_find_syncrate(struct ahc_softc *ahc, u_int *period, + * At some speeds, we only support + * ST transfers. + */ +- if ((syncrate->sxfr_u2 & ST_SXFR) != 0) ++ if ((syncrate->sxfr_u2 & ST_SXFR) != 0) + *ppr_options &= ~MSG_EXT_PPR_DT_REQ; + break; + } +-- +2.20.1 + diff --git a/queue-4.9/scsi-iscsi-don-t-destroy-session-if-there-are-outsta.patch b/queue-4.9/scsi-iscsi-don-t-destroy-session-if-there-are-outsta.patch new file mode 100644 index 00000000000..607c8503488 --- /dev/null +++ b/queue-4.9/scsi-iscsi-don-t-destroy-session-if-there-are-outsta.patch @@ -0,0 +1,138 @@ +From 688bebabb43f0209352a65234b7e24d8383e77e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Dec 2019 15:31:48 -0500 +Subject: scsi: iscsi: Don't destroy session if there are outstanding + connections + +From: Nick Black + +[ Upstream commit 54155ed4199c7aa3fd20866648024ab63c96d579 ] + +A faulty userspace that calls destroy_session() before destroying the +connections can trigger the failure. This patch prevents the issue by +refusing to destroy the session if there are outstanding connections. + +------------[ cut here ]------------ +kernel BUG at mm/slub.c:306! +invalid opcode: 0000 [#1] SMP PTI +CPU: 1 PID: 1224 Comm: iscsid Not tainted 5.4.0-rc2.iscsi+ #7 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 +RIP: 0010:__slab_free+0x181/0x350 +[...] +[ 1209.686056] RSP: 0018:ffffa93d4074fae0 EFLAGS: 00010246 +[ 1209.686694] RAX: ffff934efa5ad800 RBX: 000000008010000a RCX: ffff934efa5ad800 +[ 1209.687651] RDX: ffff934efa5ad800 RSI: ffffeb4041e96b00 RDI: ffff934efd402c40 +[ 1209.688582] RBP: ffffa93d4074fb80 R08: 0000000000000001 R09: ffffffffbb5dfa26 +[ 1209.689425] R10: ffff934efa5ad800 R11: 0000000000000001 R12: ffffeb4041e96b00 +[ 1209.690285] R13: ffff934efa5ad800 R14: ffff934efd402c40 R15: 0000000000000000 +[ 1209.691213] FS: 00007f7945dfb540(0000) GS:ffff934efda80000(0000) knlGS:0000000000000000 +[ 1209.692316] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 1209.693013] CR2: 000055877fd3da80 CR3: 0000000077384000 CR4: 00000000000006e0 +[ 1209.693897] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 1209.694773] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 1209.695631] Call Trace: +[ 1209.695957] ? __wake_up_common_lock+0x8a/0xc0 +[ 1209.696712] iscsi_pool_free+0x26/0x40 +[ 1209.697263] iscsi_session_teardown+0x2f/0xf0 +[ 1209.698117] iscsi_sw_tcp_session_destroy+0x45/0x60 +[ 1209.698831] iscsi_if_rx+0xd88/0x14e0 +[ 1209.699370] netlink_unicast+0x16f/0x200 +[ 1209.699932] netlink_sendmsg+0x21a/0x3e0 +[ 1209.700446] sock_sendmsg+0x4f/0x60 +[ 1209.700902] ___sys_sendmsg+0x2ae/0x320 +[ 1209.701451] ? cp_new_stat+0x150/0x180 +[ 1209.701922] __sys_sendmsg+0x59/0xa0 +[ 1209.702357] do_syscall_64+0x52/0x160 +[ 1209.702812] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 1209.703419] RIP: 0033:0x7f7946433914 +[...] +[ 1209.706084] RSP: 002b:00007fffb99f2378 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +[ 1209.706994] RAX: ffffffffffffffda RBX: 000055bc869eac20 RCX: 00007f7946433914 +[ 1209.708082] RDX: 0000000000000000 RSI: 00007fffb99f2390 RDI: 0000000000000005 +[ 1209.709120] RBP: 00007fffb99f2390 R08: 000055bc84fe9320 R09: 00007fffb99f1f07 +[ 1209.710110] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000038 +[ 1209.711085] R13: 000055bc8502306e R14: 0000000000000000 R15: 0000000000000000 + Modules linked in: + ---[ end trace a2d933ede7f730d8 ]--- + +Link: https://lore.kernel.org/r/20191226203148.2172200-1-krisman@collabora.com +Signed-off-by: Nick Black +Co-developed-by: Salman Qazi +Signed-off-by: Salman Qazi +Co-developed-by: Junho Ryu +Signed-off-by: Junho Ryu +Co-developed-by: Khazhismel Kumykov +Signed-off-by: Khazhismel Kumykov +Co-developed-by: Gabriel Krisman Bertazi +Signed-off-by: Gabriel Krisman Bertazi +Reviewed-by: Lee Duncan +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/iscsi_tcp.c | 4 ++++ + drivers/scsi/scsi_transport_iscsi.c | 26 +++++++++++++++++++++++--- + 2 files changed, 27 insertions(+), 3 deletions(-) + +diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c +index d60564397be54..60c3e2bf87619 100644 +--- a/drivers/scsi/iscsi_tcp.c ++++ b/drivers/scsi/iscsi_tcp.c +@@ -882,6 +882,10 @@ free_host: + static void iscsi_sw_tcp_session_destroy(struct iscsi_cls_session *cls_session) + { + struct Scsi_Host *shost = iscsi_session_to_shost(cls_session); ++ struct iscsi_session *session = cls_session->dd_data; ++ ++ if (WARN_ON_ONCE(session->leadconn)) ++ return; + + iscsi_tcp_r2tpool_free(cls_session->dd_data); + iscsi_session_teardown(cls_session); +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c +index ab7bc4e634251..fff9c4d0f7c80 100644 +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -2964,6 +2964,24 @@ iscsi_set_path(struct iscsi_transport *transport, struct iscsi_uevent *ev) + return err; + } + ++static int iscsi_session_has_conns(int sid) ++{ ++ struct iscsi_cls_conn *conn; ++ unsigned long flags; ++ int found = 0; ++ ++ spin_lock_irqsave(&connlock, flags); ++ list_for_each_entry(conn, &connlist, conn_list) { ++ if (iscsi_conn_get_sid(conn) == sid) { ++ found = 1; ++ break; ++ } ++ } ++ spin_unlock_irqrestore(&connlock, flags); ++ ++ return found; ++} ++ + static int + iscsi_set_iface_params(struct iscsi_transport *transport, + struct iscsi_uevent *ev, uint32_t len) +@@ -3538,10 +3556,12 @@ iscsi_if_recv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, uint32_t *group) + break; + case ISCSI_UEVENT_DESTROY_SESSION: + session = iscsi_session_lookup(ev->u.d_session.sid); +- if (session) +- transport->destroy_session(session); +- else ++ if (!session) + err = -EINVAL; ++ else if (iscsi_session_has_conns(ev->u.d_session.sid)) ++ err = -EBUSY; ++ else ++ transport->destroy_session(session); + break; + case ISCSI_UEVENT_UNBIND_SESSION: + session = iscsi_session_lookup(ev->u.d_session.sid); +-- +2.20.1 + diff --git a/queue-4.9/selinux-ensure-we-cleanup-the-internal-avc-counters-.patch b/queue-4.9/selinux-ensure-we-cleanup-the-internal-avc-counters-.patch new file mode 100644 index 00000000000..15900e2ad86 --- /dev/null +++ b/queue-4.9/selinux-ensure-we-cleanup-the-internal-avc-counters-.patch @@ -0,0 +1,40 @@ +From f32cde6a869e76d8c9f33860bc015d39a6cb3e4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Dec 2019 17:25:47 +0530 +Subject: selinux: ensure we cleanup the internal AVC counters on error in + avc_update() + +From: Jaihind Yadav + +[ Upstream commit 030b995ad9ece9fa2d218af4429c1c78c2342096 ] + +In AVC update we don't call avc_node_kill() when avc_xperms_populate() +fails, resulting in the avc->avc_cache.active_nodes counter having a +false value. In last patch this changes was missed , so correcting it. + +Fixes: fa1aa143ac4a ("selinux: extended permissions for ioctls") +Signed-off-by: Jaihind Yadav +Signed-off-by: Ravi Kumar Siddojigari +[PM: merge fuzz, minor description cleanup] +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + security/selinux/avc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/security/selinux/avc.c b/security/selinux/avc.c +index 52f3c550abcc4..f3c473791b698 100644 +--- a/security/selinux/avc.c ++++ b/security/selinux/avc.c +@@ -865,7 +865,7 @@ static int avc_update_node(u32 event, u32 perms, u8 driver, u8 xperm, u32 ssid, + if (orig->ae.xp_node) { + rc = avc_xperms_populate(node, orig->ae.xp_node); + if (rc) { +- kmem_cache_free(avc_node_cachep, node); ++ avc_node_kill(node); + goto out_unlock; + } + } +-- +2.20.1 + diff --git a/queue-4.9/series b/queue-4.9/series index f9aeed53939..97053f3c6c2 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -14,3 +14,102 @@ jbd2-do-not-clear-the-bh_mapped-flag-when-forgetting.patch btrfs-print-message-when-tree-log-replay-starts.patch scsi-qla2xxx-fix-a-potential-null-pointer-dereference.patch revert-kvm-vmx-add-non-canonical-check-on-writes-to-.patch +drm-gma500-fixup-fbdev-stolen-size-usage-evaluation.patch +nfsd4-avoid-null-deference-on-strange-copy-compounds.patch +soc-fsl-qe-change-return-type-of-cpm_muram_alloc-to-.patch +cpu-hotplug-stop_machine-fix-stop_machine-vs-hotplug.patch +brcmfmac-fix-use-after-free-in-brcmf_sdio_readframes.patch +gianfar-fix-tx-timestamping-with-a-stacked-dsa-drive.patch +pinctrl-sh-pfc-sh7264-fix-can-function-gpios.patch +pxa168fb-fix-the-function-used-to-release-some-memor.patch +media-i2c-mt9v032-fix-enum-mbus-codes-and-frame-size.patch +powerpc-powernv-iov-ensure-the-pdn-for-vfs-always-co.patch +gpio-gpio-grgpio-fix-possible-sleep-in-atomic-contex.patch +media-sti-bdisp-fix-a-possible-sleep-in-atomic-conte.patch +pinctrl-baytrail-do-not-clear-irq-flags-on-direct-ir.patch +efi-x86-map-the-entire-efi-vendor-string-before-copy.patch +mips-loongson-fix-potential-null-dereference-in-loon.patch +sparc-add-.exit.data-section.patch +uio-fix-a-sleep-in-atomic-context-bug-in-uio_dmem_ge.patch +usb-gadget-udc-fix-possible-sleep-in-atomic-context-.patch +jbd2-clear-jbd2_abort-flag-before-journal_reset-to-u.patch +x86-sysfb-fix-check-for-bad-vram-size.patch +tracing-fix-tracing_stat-return-values-in-error-hand.patch +tracing-fix-very-unlikely-race-of-registering-two-st.patch +ext4-jbd2-ensure-panic-when-aborting-with-zero-errno.patch +kconfig-fix-broken-dependency-in-randconfig-generate.patch +clk-qcom-rcg2-don-t-crash-if-our-parent-can-t-be-fou.patch +drm-amdgpu-remove-4-set-but-not-used-variable-in-amd.patch +regulator-rk808-lower-log-level-on-optional-gpios-be.patch +net-wan-fsl_ucc_hdlc-reject-muram-offsets-above-64k.patch +pci-iov-fix-memory-leak-in-pci_iov_add_virtfn.patch +nfc-port100-convert-cpu_to_le16-le16_to_cpu-e1-e2-to.patch +arm-dts-allwinner-h3-add-pmu-node.patch +padata-always-acquire-cpu_hotplug_lock-before-pinst-.patch +media-v4l2-device.h-explicitly-compare-grp-id-mask-t.patch +reiserfs-fix-spurious-unlock-in-reiserfs_fill_super-.patch +isdn-don-t-mark-kcapi_proc_exit-as-__exit.patch +alsa-usx2y-adjust-indentation-in-snd_usx2y_hwdep_dsp.patch +b43legacy-fix-wcast-function-type.patch +ipw2x00-fix-wcast-function-type.patch +iwlegacy-fix-wcast-function-type.patch +rtlwifi-rtl_pci-fix-wcast-function-type.patch +orinoco-avoid-assertion-in-case-of-null-pointer.patch +acpica-disassembler-create-buffer-fields-in-acpi_par.patch +scsi-aic7xxx-adjust-indentation-in-ahc_find_syncrate.patch +drm-mediatek-handle-events-when-enabling-disabling-c.patch +arm-dts-r8a7779-add-device-node-for-arm-global-timer.patch +x86-vdso-provide-missing-include-file.patch +pm-devfreq-rk3399_dmc-add-compile_test-and-have_arm_.patch +pinctrl-sh-pfc-sh7269-fix-can-function-gpios.patch +rdma-rxe-fix-error-type-of-mmap_offset.patch +alsa-sh-fix-compile-warning-wrt-const.patch +tools-lib-api-fs-fix-gcc9-stringop-truncation-compil.patch +usbip-fix-unsafe-unaligned-pointer-usage.patch +udf-fix-free-space-reporting-for-metadata-and-virtua.patch +soc-tegra-fuse-correct-straps-address-for-older-tegr.patch +rcu-use-write_once-for-assignments-to-pprev-for-hlis.patch +input-edt-ft5x06-work-around-first-register-access-e.patch +wan-ixp4xx_hss-fix-compile-testing-on-64-bit.patch +asoc-atmel-fix-build-error-with-config_snd_atmel_soc.patch +tty-synclinkmp-adjust-indentation-in-several-functio.patch +tty-synclink_gt-adjust-indentation-in-several-functi.patch +driver-core-platform-prevent-resouce-overflow-from-c.patch +driver-core-print-device-when-resources-present-in-r.patch +vme-bridges-reduce-stack-usage.patch +drm-nouveau-gr-gk20a-gm200-add-terminators-to-method.patch +drm-nouveau-fix-copy-paste-error-in-nouveau_fence_wa.patch +drm-vmwgfx-prevent-memory-leak-in-vmw_cmdbuf_res_add.patch +usb-musb-omap2430-get-rid-of-musb-.set_vbus-for-omap.patch +iommu-arm-smmu-v3-use-write_once-when-changing-valid.patch +scsi-iscsi-don-t-destroy-session-if-there-are-outsta.patch +arm64-fix-alternatives-with-llvm-s-integrated-assemb.patch +pwm-omap-dmtimer-remove-pwm-chip-in-.remove-before-m.patch +cmd64x-potential-buffer-overflow-in-cmd64x_program_t.patch +ide-serverworks-potential-overflow-in-svwks_set_pio_.patch +remoteproc-initialize-rproc_class-before-use.patch +x86-decoder-add-test-opcode-to-group3-2.patch +s390-ftrace-generate-traced-function-stack-frame.patch +driver-core-platform-fix-u32-greater-or-equal-to-zer.patch +alsa-hda-add-docking-station-support-for-lenovo-thin.patch +powerpc-sriov-remove-vf-eeh_dev-state-when-disabling.patch +jbd2-switch-to-use-jbd2_journal_abort-when-failed-to.patch +arm-8951-1-fix-kexec-compilation-issue.patch +hostap-adjust-indentation-in-prism2_hostapd_add_sta.patch +iwlegacy-ensure-loop-counter-addr-does-not-wrap-and-.patch +cifs-fix-null-dereference-in-match_prepath.patch +irqchip-gic-v3-only-provision-redistributors-that-ar.patch +drm-nouveau-disp-nv50-prevent-oops-when-no-channel-m.patch +ftrace-fpid_next-should-increase-position-index.patch +trigger_next-should-increase-position-index.patch +radeon-insert-10ms-sleep-in-dce5_crtc_load_lut.patch +ocfs2-fix-a-null-pointer-dereference-when-call-ocfs2.patch +lib-scatterlist.c-adjust-indentation-in-__sg_alloc_t.patch +reiserfs-prevent-null-pointer-dereference-in-reiserf.patch +bcache-explicity-type-cast-in-bset_bkey_last.patch +irqchip-gic-v3-its-reference-to-its_invall_cmd-descr.patch +iwlwifi-mvm-fix-thermal-zone-registration.patch +microblaze-prevent-the-overflow-of-the-start.patch +brd-check-and-limit-max_part-par.patch +help_next-should-increase-position-index.patch +selinux-ensure-we-cleanup-the-internal-avc-counters-.patch diff --git a/queue-4.9/soc-fsl-qe-change-return-type-of-cpm_muram_alloc-to-.patch b/queue-4.9/soc-fsl-qe-change-return-type-of-cpm_muram_alloc-to-.patch new file mode 100644 index 00000000000..a125affe585 --- /dev/null +++ b/queue-4.9/soc-fsl-qe-change-return-type-of-cpm_muram_alloc-to-.patch @@ -0,0 +1,188 @@ +From 5e1f645c0954e355aa4c68359f761494fb755a36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Nov 2019 15:55:40 +0100 +Subject: soc: fsl: qe: change return type of cpm_muram_alloc() to s32 + +From: Rasmus Villemoes + +[ Upstream commit 800cd6fb76f0ec7711deb72a86c924db1ae42648 ] + +There are a number of problems with cpm_muram_alloc() and its +callers. Most callers assign the return value to some variable and +then use IS_ERR_VALUE to check for allocation failure. However, when +that variable is not sizeof(long), this leads to warnings - and it is +indeed broken to do e.g. + + u32 foo = cpm_muram_alloc(); + if (IS_ERR_VALUE(foo)) + +on a 64-bit platform, since the condition + + foo >= (unsigned long)-ENOMEM + +is tautologically false. There are also callers that ignore the +possibility of error, and then there are those that check for error by +comparing the return value to 0... + +One could fix that by changing all callers to store the return value +temporarily in an "unsigned long" and test that. However, use of +IS_ERR_VALUE() is error-prone and should be restricted to things which +are inherently long-sized (stuff in pt_regs etc.). Instead, let's aim +for changing to the standard kernel style + + int foo = cpm_muram_alloc(); + if (foo < 0) + deal_with_it() + some->where = foo; + +Changing the return type from unsigned long to s32 (aka signed int) +doesn't change the value that gets stored into any of the callers' +variables except if the caller was storing the result in a u64 _and_ +the allocation failed, so in itself this patch should be a no-op. + +Another problem with cpm_muram_alloc() is that it can certainly +validly return 0 - and except if some cpm_muram_alloc_fixed() call +interferes, the very first cpm_muram_alloc() call will return just +that. But that shows that both ucc_slow_free() and ucc_fast_free() are +buggy, since they assume that a value of 0 means "that field was never +allocated". We'll later change cpm_muram_free() to accept (and ignore) +a negative offset, so callers can use a sentinel of -1 instead of 0 +and just unconditionally call cpm_muram_free(). + +Reviewed-by: Timur Tabi +Signed-off-by: Rasmus Villemoes +Signed-off-by: Li Yang +Signed-off-by: Sasha Levin +--- + drivers/soc/fsl/qe/qe_common.c | 29 ++++++++++++++++------------- + include/soc/fsl/qe/qe.h | 16 ++++++++-------- + 2 files changed, 24 insertions(+), 21 deletions(-) + +diff --git a/drivers/soc/fsl/qe/qe_common.c b/drivers/soc/fsl/qe/qe_common.c +index 104e68d9b84f2..4f60724b06b7c 100644 +--- a/drivers/soc/fsl/qe/qe_common.c ++++ b/drivers/soc/fsl/qe/qe_common.c +@@ -35,7 +35,7 @@ static phys_addr_t muram_pbase; + + struct muram_block { + struct list_head head; +- unsigned long start; ++ s32 start; + int size; + }; + +@@ -113,13 +113,14 @@ out_muram: + * @algo: algorithm for alloc. + * @data: data for genalloc's algorithm. + * +- * This function returns an offset into the muram area. ++ * This function returns a non-negative offset into the muram area, or ++ * a negative errno on failure. + */ +-static unsigned long cpm_muram_alloc_common(unsigned long size, +- genpool_algo_t algo, void *data) ++static s32 cpm_muram_alloc_common(unsigned long size, ++ genpool_algo_t algo, void *data) + { + struct muram_block *entry; +- unsigned long start; ++ s32 start; + + if (!muram_pool && cpm_muram_init()) + goto out2; +@@ -140,7 +141,7 @@ static unsigned long cpm_muram_alloc_common(unsigned long size, + out1: + gen_pool_free(muram_pool, start, size); + out2: +- return (unsigned long)-ENOMEM; ++ return -ENOMEM; + } + + /* +@@ -148,13 +149,14 @@ out2: + * @size: number of bytes to allocate + * @align: requested alignment, in bytes + * +- * This function returns an offset into the muram area. ++ * This function returns a non-negative offset into the muram area, or ++ * a negative errno on failure. + * Use cpm_dpram_addr() to get the virtual address of the area. + * Use cpm_muram_free() to free the allocation. + */ +-unsigned long cpm_muram_alloc(unsigned long size, unsigned long align) ++s32 cpm_muram_alloc(unsigned long size, unsigned long align) + { +- unsigned long start; ++ s32 start; + unsigned long flags; + struct genpool_data_align muram_pool_data; + +@@ -171,7 +173,7 @@ EXPORT_SYMBOL(cpm_muram_alloc); + * cpm_muram_free - free a chunk of multi-user ram + * @offset: The beginning of the chunk as returned by cpm_muram_alloc(). + */ +-int cpm_muram_free(unsigned long offset) ++int cpm_muram_free(s32 offset) + { + unsigned long flags; + int size; +@@ -197,13 +199,14 @@ EXPORT_SYMBOL(cpm_muram_free); + * cpm_muram_alloc_fixed - reserve a specific region of multi-user ram + * @offset: offset of allocation start address + * @size: number of bytes to allocate +- * This function returns an offset into the muram area ++ * This function returns @offset if the area was available, a negative ++ * errno otherwise. + * Use cpm_dpram_addr() to get the virtual address of the area. + * Use cpm_muram_free() to free the allocation. + */ +-unsigned long cpm_muram_alloc_fixed(unsigned long offset, unsigned long size) ++s32 cpm_muram_alloc_fixed(unsigned long offset, unsigned long size) + { +- unsigned long start; ++ s32 start; + unsigned long flags; + struct genpool_data_fixed muram_pool_data_fixed; + +diff --git a/include/soc/fsl/qe/qe.h b/include/soc/fsl/qe/qe.h +index 226f915a68c28..55907f7ace82e 100644 +--- a/include/soc/fsl/qe/qe.h ++++ b/include/soc/fsl/qe/qe.h +@@ -102,26 +102,26 @@ static inline void qe_reset(void) {} + int cpm_muram_init(void); + + #if defined(CONFIG_CPM) || defined(CONFIG_QUICC_ENGINE) +-unsigned long cpm_muram_alloc(unsigned long size, unsigned long align); +-int cpm_muram_free(unsigned long offset); +-unsigned long cpm_muram_alloc_fixed(unsigned long offset, unsigned long size); ++s32 cpm_muram_alloc(unsigned long size, unsigned long align); ++int cpm_muram_free(s32 offset); ++s32 cpm_muram_alloc_fixed(unsigned long offset, unsigned long size); + void __iomem *cpm_muram_addr(unsigned long offset); + unsigned long cpm_muram_offset(void __iomem *addr); + dma_addr_t cpm_muram_dma(void __iomem *addr); + #else +-static inline unsigned long cpm_muram_alloc(unsigned long size, +- unsigned long align) ++static inline s32 cpm_muram_alloc(unsigned long size, ++ unsigned long align) + { + return -ENOSYS; + } + +-static inline int cpm_muram_free(unsigned long offset) ++static inline int cpm_muram_free(s32 offset) + { + return -ENOSYS; + } + +-static inline unsigned long cpm_muram_alloc_fixed(unsigned long offset, +- unsigned long size) ++static inline s32 cpm_muram_alloc_fixed(unsigned long offset, ++ unsigned long size) + { + return -ENOSYS; + } +-- +2.20.1 + diff --git a/queue-4.9/soc-tegra-fuse-correct-straps-address-for-older-tegr.patch b/queue-4.9/soc-tegra-fuse-correct-straps-address-for-older-tegr.patch new file mode 100644 index 00000000000..d3a0e06b1df --- /dev/null +++ b/queue-4.9/soc-tegra-fuse-correct-straps-address-for-older-tegr.patch @@ -0,0 +1,38 @@ +From d7372a798b6b9a89387374b6058241e3519bf8e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Dec 2019 21:23:03 +0300 +Subject: soc/tegra: fuse: Correct straps' address for older Tegra124 device + trees + +From: Dmitry Osipenko + +[ Upstream commit 2d9ea1934f8ef0dfb862d103389562cc28b4fc03 ] + +Trying to read out Chip ID before APBMISC registers are mapped won't +succeed, in a result Tegra124 gets a wrong address for the HW straps +register if machine uses an old outdated device tree. + +Fixes: 297c4f3dcbff ("soc/tegra: fuse: Restrict legacy code to 32-bit ARM") +Signed-off-by: Dmitry Osipenko +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/soc/tegra/fuse/tegra-apbmisc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soc/tegra/fuse/tegra-apbmisc.c b/drivers/soc/tegra/fuse/tegra-apbmisc.c +index 5b18f6ffa45c7..cd61c883c19f5 100644 +--- a/drivers/soc/tegra/fuse/tegra-apbmisc.c ++++ b/drivers/soc/tegra/fuse/tegra-apbmisc.c +@@ -134,7 +134,7 @@ void __init tegra_init_apbmisc(void) + apbmisc.flags = IORESOURCE_MEM; + + /* strapping options */ +- if (tegra_get_chip_id() == TEGRA124) { ++ if (of_machine_is_compatible("nvidia,tegra124")) { + straps.start = 0x7000e864; + straps.end = 0x7000e867; + } else { +-- +2.20.1 + diff --git a/queue-4.9/sparc-add-.exit.data-section.patch b/queue-4.9/sparc-add-.exit.data-section.patch new file mode 100644 index 00000000000..0b365b67373 --- /dev/null +++ b/queue-4.9/sparc-add-.exit.data-section.patch @@ -0,0 +1,43 @@ +From 35e01619323bbf8b17ebc3d5327d1cc31115cf6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Jan 2020 00:07:42 -0800 +Subject: sparc: Add .exit.data section. + +From: David S. Miller + +[ Upstream commit 548f0b9a5f4cffa0cecf62eb12aa8db682e4eee6 ] + +This fixes build errors of all sorts. + +Also, emit .exit.text unconditionally. + +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + arch/sparc/kernel/vmlinux.lds.S | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/arch/sparc/kernel/vmlinux.lds.S b/arch/sparc/kernel/vmlinux.lds.S +index 572db686f8458..385d6d04564d5 100644 +--- a/arch/sparc/kernel/vmlinux.lds.S ++++ b/arch/sparc/kernel/vmlinux.lds.S +@@ -151,12 +151,14 @@ SECTIONS + } + PERCPU_SECTION(SMP_CACHE_BYTES) + +-#ifdef CONFIG_JUMP_LABEL + . = ALIGN(PAGE_SIZE); + .exit.text : { + EXIT_TEXT + } +-#endif ++ ++ .exit.data : { ++ EXIT_DATA ++ } + + . = ALIGN(PAGE_SIZE); + __init_end = .; +-- +2.20.1 + diff --git a/queue-4.9/tools-lib-api-fs-fix-gcc9-stringop-truncation-compil.patch b/queue-4.9/tools-lib-api-fs-fix-gcc9-stringop-truncation-compil.patch new file mode 100644 index 00000000000..114255b487d --- /dev/null +++ b/queue-4.9/tools-lib-api-fs-fix-gcc9-stringop-truncation-compil.patch @@ -0,0 +1,67 @@ +From 229fdd12308635716a9d5bc78faa80c18887f43a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2019 08:01:09 +0000 +Subject: tools lib api fs: Fix gcc9 stringop-truncation compilation error + +From: Andrey Zhizhikin + +[ Upstream commit 6794200fa3c9c3e6759dae099145f23e4310f4f7 ] + +GCC9 introduced string hardening mechanisms, which exhibits the error +during fs api compilation: + +error: '__builtin_strncpy' specified bound 4096 equals destination size +[-Werror=stringop-truncation] + +This comes when the length of copy passed to strncpy is is equal to +destination size, which could potentially lead to buffer overflow. + +There is a need to mitigate this potential issue by limiting the size of +destination by 1 and explicitly terminate the destination with NULL. + +Signed-off-by: Andrey Zhizhikin +Reviewed-by: Petr Mladek +Acked-by: Jiri Olsa +Cc: Alexei Starovoitov +Cc: Andrii Nakryiko +Cc: Daniel Borkmann +Cc: Kefeng Wang +Cc: Martin KaFai Lau +Cc: Petr Mladek +Cc: Sergey Senozhatsky +Cc: Song Liu +Cc: Yonghong Song +Cc: bpf@vger.kernel.org +Cc: netdev@vger.kernel.org +Link: http://lore.kernel.org/lkml/20191211080109.18765-1-andrey.zhizhikin@leica-geosystems.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/lib/api/fs/fs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tools/lib/api/fs/fs.c b/tools/lib/api/fs/fs.c +index f99f49e4a31e6..21e714cf0126c 100644 +--- a/tools/lib/api/fs/fs.c ++++ b/tools/lib/api/fs/fs.c +@@ -194,6 +194,7 @@ static bool fs__env_override(struct fs *fs) + size_t name_len = strlen(fs->name); + /* name + "_PATH" + '\0' */ + char upper_name[name_len + 5 + 1]; ++ + memcpy(upper_name, fs->name, name_len); + mem_toupper(upper_name, name_len); + strcpy(&upper_name[name_len], "_PATH"); +@@ -203,7 +204,8 @@ static bool fs__env_override(struct fs *fs) + return false; + + fs->found = true; +- strncpy(fs->path, override_path, sizeof(fs->path)); ++ strncpy(fs->path, override_path, sizeof(fs->path) - 1); ++ fs->path[sizeof(fs->path) - 1] = '\0'; + return true; + } + +-- +2.20.1 + diff --git a/queue-4.9/tracing-fix-tracing_stat-return-values-in-error-hand.patch b/queue-4.9/tracing-fix-tracing_stat-return-values-in-error-hand.patch new file mode 100644 index 00000000000..9acbbf004a3 --- /dev/null +++ b/queue-4.9/tracing-fix-tracing_stat-return-values-in-error-hand.patch @@ -0,0 +1,58 @@ +From b6ee19bd43c962d1b01cef6c61bab95c3cef90af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Sep 2014 22:49:41 +0100 +Subject: tracing: Fix tracing_stat return values in error handling paths + +From: Luis Henriques + +[ Upstream commit afccc00f75bbbee4e4ae833a96c2d29a7259c693 ] + +tracing_stat_init() was always returning '0', even on the error paths. It +now returns -ENODEV if tracing_init_dentry() fails or -ENOMEM if it fails +to created the 'trace_stat' debugfs directory. + +Link: http://lkml.kernel.org/r/1410299381-20108-1-git-send-email-luis.henriques@canonical.com + +Fixes: ed6f1c996bfe4 ("tracing: Check return value of tracing_init_dentry()") +Signed-off-by: Luis Henriques +[ Pulled from the archeological digging of my INBOX ] +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_stat.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/kernel/trace/trace_stat.c b/kernel/trace/trace_stat.c +index 413ff108fbd05..bc97b10e56ccc 100644 +--- a/kernel/trace/trace_stat.c ++++ b/kernel/trace/trace_stat.c +@@ -277,18 +277,22 @@ static int tracing_stat_init(void) + + d_tracing = tracing_init_dentry(); + if (IS_ERR(d_tracing)) +- return 0; ++ return -ENODEV; + + stat_dir = tracefs_create_dir("trace_stat", d_tracing); +- if (!stat_dir) ++ if (!stat_dir) { + pr_warn("Could not create tracefs 'trace_stat' entry\n"); ++ return -ENOMEM; ++ } + return 0; + } + + static int init_stat_file(struct stat_session *session) + { +- if (!stat_dir && tracing_stat_init()) +- return -ENODEV; ++ int ret; ++ ++ if (!stat_dir && (ret = tracing_stat_init())) ++ return ret; + + session->file = tracefs_create_file(session->ts->name, 0644, + stat_dir, +-- +2.20.1 + diff --git a/queue-4.9/tracing-fix-very-unlikely-race-of-registering-two-st.patch b/queue-4.9/tracing-fix-very-unlikely-race-of-registering-two-st.patch new file mode 100644 index 00000000000..19c92098e35 --- /dev/null +++ b/queue-4.9/tracing-fix-very-unlikely-race-of-registering-two-st.patch @@ -0,0 +1,87 @@ +From 4b2b0277364648e8a431ce0cc92e6e4cc4395908 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jan 2020 17:47:49 -0500 +Subject: tracing: Fix very unlikely race of registering two stat tracers + +From: Steven Rostedt (VMware) + +[ Upstream commit dfb6cd1e654315168e36d947471bd2a0ccd834ae ] + +Looking through old emails in my INBOX, I came across a patch from Luis +Henriques that attempted to fix a race of two stat tracers registering the +same stat trace (extremely unlikely, as this is done in the kernel, and +probably doesn't even exist). The submitted patch wasn't quite right as it +needed to deal with clean up a bit better (if two stat tracers were the +same, it would have the same files). + +But to make the code cleaner, all we needed to do is to keep the +all_stat_sessions_mutex held for most of the registering function. + +Link: http://lkml.kernel.org/r/1410299375-20068-1-git-send-email-luis.henriques@canonical.com + +Fixes: 002bb86d8d42f ("tracing/ftrace: separate events tracing and stats tracing engine") +Reported-by: Luis Henriques +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_stat.c | 19 +++++++++---------- + 1 file changed, 9 insertions(+), 10 deletions(-) + +diff --git a/kernel/trace/trace_stat.c b/kernel/trace/trace_stat.c +index bc97b10e56ccc..d19f2191960ea 100644 +--- a/kernel/trace/trace_stat.c ++++ b/kernel/trace/trace_stat.c +@@ -305,7 +305,7 @@ static int init_stat_file(struct stat_session *session) + int register_stat_tracer(struct tracer_stat *trace) + { + struct stat_session *session, *node; +- int ret; ++ int ret = -EINVAL; + + if (!trace) + return -EINVAL; +@@ -316,17 +316,15 @@ int register_stat_tracer(struct tracer_stat *trace) + /* Already registered? */ + mutex_lock(&all_stat_sessions_mutex); + list_for_each_entry(node, &all_stat_sessions, session_list) { +- if (node->ts == trace) { +- mutex_unlock(&all_stat_sessions_mutex); +- return -EINVAL; +- } ++ if (node->ts == trace) ++ goto out; + } +- mutex_unlock(&all_stat_sessions_mutex); + ++ ret = -ENOMEM; + /* Init the session */ + session = kzalloc(sizeof(*session), GFP_KERNEL); + if (!session) +- return -ENOMEM; ++ goto out; + + session->ts = trace; + INIT_LIST_HEAD(&session->session_list); +@@ -335,15 +333,16 @@ int register_stat_tracer(struct tracer_stat *trace) + ret = init_stat_file(session); + if (ret) { + destroy_session(session); +- return ret; ++ goto out; + } + ++ ret = 0; + /* Register */ +- mutex_lock(&all_stat_sessions_mutex); + list_add_tail(&session->session_list, &all_stat_sessions); ++ out: + mutex_unlock(&all_stat_sessions_mutex); + +- return 0; ++ return ret; + } + + void unregister_stat_tracer(struct tracer_stat *trace) +-- +2.20.1 + diff --git a/queue-4.9/trigger_next-should-increase-position-index.patch b/queue-4.9/trigger_next-should-increase-position-index.patch new file mode 100644 index 00000000000..cabf267ae2f --- /dev/null +++ b/queue-4.9/trigger_next-should-increase-position-index.patch @@ -0,0 +1,64 @@ +From 292479abde59a2c4d1e99be6e16ee6826ef3e517 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jan 2020 10:03:06 +0300 +Subject: trigger_next should increase position index + +From: Vasily Averin + +[ Upstream commit 6722b23e7a2ace078344064a9735fb73e554e9ef ] + +if seq_file .next fuction does not change position index, +read after some lseek can generate unexpected output. + +Without patch: + # dd bs=30 skip=1 if=/sys/kernel/tracing/events/sched/sched_switch/trigger + dd: /sys/kernel/tracing/events/sched/sched_switch/trigger: cannot skip to specified offset + n traceoff snapshot stacktrace enable_event disable_event enable_hist disable_hist hist + # Available triggers: + # traceon traceoff snapshot stacktrace enable_event disable_event enable_hist disable_hist hist + 6+1 records in + 6+1 records out + 206 bytes copied, 0.00027916 s, 738 kB/s + +Notice the printing of "# Available triggers:..." after the line. + +With the patch: + # dd bs=30 skip=1 if=/sys/kernel/tracing/events/sched/sched_switch/trigger + dd: /sys/kernel/tracing/events/sched/sched_switch/trigger: cannot skip to specified offset + n traceoff snapshot stacktrace enable_event disable_event enable_hist disable_hist hist + 2+1 records in + 2+1 records out + 88 bytes copied, 0.000526867 s, 167 kB/s + +It only prints the end of the file, and does not restart. + +Link: http://lkml.kernel.org/r/3c35ee24-dd3a-8119-9c19-552ed253388a@virtuozzo.com + +https://bugzilla.kernel.org/show_bug.cgi?id=206283 +Signed-off-by: Vasily Averin +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_events_trigger.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/kernel/trace/trace_events_trigger.c b/kernel/trace/trace_events_trigger.c +index 7e6971ba95417..8a88e85c8c615 100644 +--- a/kernel/trace/trace_events_trigger.c ++++ b/kernel/trace/trace_events_trigger.c +@@ -126,9 +126,10 @@ static void *trigger_next(struct seq_file *m, void *t, loff_t *pos) + { + struct trace_event_file *event_file = event_file_data(m->private); + +- if (t == SHOW_AVAILABLE_TRIGGERS) ++ if (t == SHOW_AVAILABLE_TRIGGERS) { ++ (*pos)++; + return NULL; +- ++ } + return seq_list_next(t, &event_file->triggers, pos); + } + +-- +2.20.1 + diff --git a/queue-4.9/tty-synclink_gt-adjust-indentation-in-several-functi.patch b/queue-4.9/tty-synclink_gt-adjust-indentation-in-several-functi.patch new file mode 100644 index 00000000000..c04ba78cab8 --- /dev/null +++ b/queue-4.9/tty-synclink_gt-adjust-indentation-in-several-functi.patch @@ -0,0 +1,118 @@ +From 00d78467b9af3b3fcd2c4e2f5ce74d648c9060a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Dec 2019 19:39:13 -0700 +Subject: tty: synclink_gt: Adjust indentation in several functions + +From: Nathan Chancellor + +[ Upstream commit 446e76873b5e4e70bdee5db2f2a894d5b4a7d081 ] + +Clang warns: + +../drivers/tty/synclink_gt.c:1337:3: warning: misleading indentation; +statement is not part of the previous 'if' [-Wmisleading-indentation] + if (C_CRTSCTS(tty)) { + ^ +../drivers/tty/synclink_gt.c:1335:2: note: previous statement is here + if (I_IXOFF(tty)) + ^ +../drivers/tty/synclink_gt.c:2563:3: warning: misleading indentation; +statement is not part of the previous 'if' [-Wmisleading-indentation] + if (I_BRKINT(info->port.tty) || I_PARMRK(info->port.tty)) + ^ +../drivers/tty/synclink_gt.c:2561:2: note: previous statement is here + if (I_INPCK(info->port.tty)) + ^ +../drivers/tty/synclink_gt.c:3221:3: warning: misleading indentation; +statement is not part of the previous 'else' [-Wmisleading-indentation] + set_signals(info); + ^ +../drivers/tty/synclink_gt.c:3219:2: note: previous statement is here + else + ^ +3 warnings generated. + +The indentation on these lines is not at all consistent, tabs and spaces +are mixed together. Convert to just using tabs to be consistent with the +Linux kernel coding style and eliminate these warnings from clang. + +Link: https://github.com/ClangBuiltLinux/linux/issues/822 +Signed-off-by: Nathan Chancellor +Link: https://lore.kernel.org/r/20191218023912.13827-1-natechancellor@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/synclink_gt.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/tty/synclink_gt.c b/drivers/tty/synclink_gt.c +index e645ee1cfd989..7446ce29f6770 100644 +--- a/drivers/tty/synclink_gt.c ++++ b/drivers/tty/synclink_gt.c +@@ -1349,10 +1349,10 @@ static void throttle(struct tty_struct * tty) + DBGINFO(("%s throttle\n", info->device_name)); + if (I_IXOFF(tty)) + send_xchar(tty, STOP_CHAR(tty)); +- if (C_CRTSCTS(tty)) { ++ if (C_CRTSCTS(tty)) { + spin_lock_irqsave(&info->lock,flags); + info->signals &= ~SerialSignal_RTS; +- set_signals(info); ++ set_signals(info); + spin_unlock_irqrestore(&info->lock,flags); + } + } +@@ -1374,10 +1374,10 @@ static void unthrottle(struct tty_struct * tty) + else + send_xchar(tty, START_CHAR(tty)); + } +- if (C_CRTSCTS(tty)) { ++ if (C_CRTSCTS(tty)) { + spin_lock_irqsave(&info->lock,flags); + info->signals |= SerialSignal_RTS; +- set_signals(info); ++ set_signals(info); + spin_unlock_irqrestore(&info->lock,flags); + } + } +@@ -2576,8 +2576,8 @@ static void change_params(struct slgt_info *info) + info->read_status_mask = IRQ_RXOVER; + if (I_INPCK(info->port.tty)) + info->read_status_mask |= MASK_PARITY | MASK_FRAMING; +- if (I_BRKINT(info->port.tty) || I_PARMRK(info->port.tty)) +- info->read_status_mask |= MASK_BREAK; ++ if (I_BRKINT(info->port.tty) || I_PARMRK(info->port.tty)) ++ info->read_status_mask |= MASK_BREAK; + if (I_IGNPAR(info->port.tty)) + info->ignore_status_mask |= MASK_PARITY | MASK_FRAMING; + if (I_IGNBRK(info->port.tty)) { +@@ -3208,7 +3208,7 @@ static int tiocmset(struct tty_struct *tty, + info->signals &= ~SerialSignal_DTR; + + spin_lock_irqsave(&info->lock,flags); +- set_signals(info); ++ set_signals(info); + spin_unlock_irqrestore(&info->lock,flags); + return 0; + } +@@ -3219,7 +3219,7 @@ static int carrier_raised(struct tty_port *port) + struct slgt_info *info = container_of(port, struct slgt_info, port); + + spin_lock_irqsave(&info->lock,flags); +- get_signals(info); ++ get_signals(info); + spin_unlock_irqrestore(&info->lock,flags); + return (info->signals & SerialSignal_DCD) ? 1 : 0; + } +@@ -3234,7 +3234,7 @@ static void dtr_rts(struct tty_port *port, int on) + info->signals |= SerialSignal_RTS | SerialSignal_DTR; + else + info->signals &= ~(SerialSignal_RTS | SerialSignal_DTR); +- set_signals(info); ++ set_signals(info); + spin_unlock_irqrestore(&info->lock,flags); + } + +-- +2.20.1 + diff --git a/queue-4.9/tty-synclinkmp-adjust-indentation-in-several-functio.patch b/queue-4.9/tty-synclinkmp-adjust-indentation-in-several-functio.patch new file mode 100644 index 00000000000..eb53411c657 --- /dev/null +++ b/queue-4.9/tty-synclinkmp-adjust-indentation-in-several-functio.patch @@ -0,0 +1,159 @@ +From 01ad9430c47e9e0a4526bd6415438231571c0d1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Dec 2019 19:47:20 -0700 +Subject: tty: synclinkmp: Adjust indentation in several functions + +From: Nathan Chancellor + +[ Upstream commit 1feedf61e7265128244f6993f23421f33dd93dbc ] + +Clang warns: + +../drivers/tty/synclinkmp.c:1456:3: warning: misleading indentation; +statement is not part of the previous 'if' [-Wmisleading-indentation] + if (C_CRTSCTS(tty)) { + ^ +../drivers/tty/synclinkmp.c:1453:2: note: previous statement is here + if (I_IXOFF(tty)) + ^ +../drivers/tty/synclinkmp.c:2473:8: warning: misleading indentation; +statement is not part of the previous 'if' [-Wmisleading-indentation] + info->port.tty->hw_stopped = 0; + ^ +../drivers/tty/synclinkmp.c:2471:7: note: previous statement is here + if ( debug_level >= DEBUG_LEVEL_ISR ) + ^ +../drivers/tty/synclinkmp.c:2482:8: warning: misleading indentation; +statement is not part of the previous 'if' [-Wmisleading-indentation] + info->port.tty->hw_stopped = 1; + ^ +../drivers/tty/synclinkmp.c:2480:7: note: previous statement is here + if ( debug_level >= DEBUG_LEVEL_ISR ) + ^ +../drivers/tty/synclinkmp.c:2809:3: warning: misleading indentation; +statement is not part of the previous 'if' [-Wmisleading-indentation] + if (I_BRKINT(info->port.tty) || I_PARMRK(info->port.tty)) + ^ +../drivers/tty/synclinkmp.c:2807:2: note: previous statement is here + if (I_INPCK(info->port.tty)) + ^ +../drivers/tty/synclinkmp.c:3246:3: warning: misleading indentation; +statement is not part of the previous 'else' [-Wmisleading-indentation] + set_signals(info); + ^ +../drivers/tty/synclinkmp.c:3244:2: note: previous statement is here + else + ^ +5 warnings generated. + +The indentation on these lines is not at all consistent, tabs and spaces +are mixed together. Convert to just using tabs to be consistent with the +Linux kernel coding style and eliminate these warnings from clang. + +Link: https://github.com/ClangBuiltLinux/linux/issues/823 +Signed-off-by: Nathan Chancellor +Link: https://lore.kernel.org/r/20191218024720.3528-1-natechancellor@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/synclinkmp.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +diff --git a/drivers/tty/synclinkmp.c b/drivers/tty/synclinkmp.c +index dec156586de1b..2f6df8d74b4aa 100644 +--- a/drivers/tty/synclinkmp.c ++++ b/drivers/tty/synclinkmp.c +@@ -1467,10 +1467,10 @@ static void throttle(struct tty_struct * tty) + if (I_IXOFF(tty)) + send_xchar(tty, STOP_CHAR(tty)); + +- if (C_CRTSCTS(tty)) { ++ if (C_CRTSCTS(tty)) { + spin_lock_irqsave(&info->lock,flags); + info->serial_signals &= ~SerialSignal_RTS; +- set_signals(info); ++ set_signals(info); + spin_unlock_irqrestore(&info->lock,flags); + } + } +@@ -1496,10 +1496,10 @@ static void unthrottle(struct tty_struct * tty) + send_xchar(tty, START_CHAR(tty)); + } + +- if (C_CRTSCTS(tty)) { ++ if (C_CRTSCTS(tty)) { + spin_lock_irqsave(&info->lock,flags); + info->serial_signals |= SerialSignal_RTS; +- set_signals(info); ++ set_signals(info); + spin_unlock_irqrestore(&info->lock,flags); + } + } +@@ -2485,7 +2485,7 @@ static void isr_io_pin( SLMP_INFO *info, u16 status ) + if (status & SerialSignal_CTS) { + if ( debug_level >= DEBUG_LEVEL_ISR ) + printk("CTS tx start..."); +- info->port.tty->hw_stopped = 0; ++ info->port.tty->hw_stopped = 0; + tx_start(info); + info->pending_bh |= BH_TRANSMIT; + return; +@@ -2494,7 +2494,7 @@ static void isr_io_pin( SLMP_INFO *info, u16 status ) + if (!(status & SerialSignal_CTS)) { + if ( debug_level >= DEBUG_LEVEL_ISR ) + printk("CTS tx stop..."); +- info->port.tty->hw_stopped = 1; ++ info->port.tty->hw_stopped = 1; + tx_stop(info); + } + } +@@ -2821,8 +2821,8 @@ static void change_params(SLMP_INFO *info) + info->read_status_mask2 = OVRN; + if (I_INPCK(info->port.tty)) + info->read_status_mask2 |= PE | FRME; +- if (I_BRKINT(info->port.tty) || I_PARMRK(info->port.tty)) +- info->read_status_mask1 |= BRKD; ++ if (I_BRKINT(info->port.tty) || I_PARMRK(info->port.tty)) ++ info->read_status_mask1 |= BRKD; + if (I_IGNPAR(info->port.tty)) + info->ignore_status_mask2 |= PE | FRME; + if (I_IGNBRK(info->port.tty)) { +@@ -3192,7 +3192,7 @@ static int tiocmget(struct tty_struct *tty) + unsigned long flags; + + spin_lock_irqsave(&info->lock,flags); +- get_signals(info); ++ get_signals(info); + spin_unlock_irqrestore(&info->lock,flags); + + result = ((info->serial_signals & SerialSignal_RTS) ? TIOCM_RTS : 0) | +@@ -3230,7 +3230,7 @@ static int tiocmset(struct tty_struct *tty, + info->serial_signals &= ~SerialSignal_DTR; + + spin_lock_irqsave(&info->lock,flags); +- set_signals(info); ++ set_signals(info); + spin_unlock_irqrestore(&info->lock,flags); + + return 0; +@@ -3242,7 +3242,7 @@ static int carrier_raised(struct tty_port *port) + unsigned long flags; + + spin_lock_irqsave(&info->lock,flags); +- get_signals(info); ++ get_signals(info); + spin_unlock_irqrestore(&info->lock,flags); + + return (info->serial_signals & SerialSignal_DCD) ? 1 : 0; +@@ -3258,7 +3258,7 @@ static void dtr_rts(struct tty_port *port, int on) + info->serial_signals |= SerialSignal_RTS | SerialSignal_DTR; + else + info->serial_signals &= ~(SerialSignal_RTS | SerialSignal_DTR); +- set_signals(info); ++ set_signals(info); + spin_unlock_irqrestore(&info->lock,flags); + } + +-- +2.20.1 + diff --git a/queue-4.9/udf-fix-free-space-reporting-for-metadata-and-virtua.patch b/queue-4.9/udf-fix-free-space-reporting-for-metadata-and-virtua.patch new file mode 100644 index 00000000000..9b45c7f4b93 --- /dev/null +++ b/queue-4.9/udf-fix-free-space-reporting-for-metadata-and-virtua.patch @@ -0,0 +1,76 @@ +From 9443cda4075c772979a9c77a024d954bf9e44088 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jan 2020 16:36:49 +0100 +Subject: udf: Fix free space reporting for metadata and virtual partitions +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jan Kara + +[ Upstream commit a4a8b99ec819ca60b49dc582a4287ef03411f117 ] + +Free space on filesystems with metadata or virtual partition maps +currently gets misreported. This is because these partitions are just +remapped onto underlying real partitions from which keep track of free +blocks. Take this remapping into account when counting free blocks as +well. + +Reviewed-by: Pali Rohár +Reported-by: Pali Rohár +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/udf/super.c | 22 +++++++++++++++++----- + 1 file changed, 17 insertions(+), 5 deletions(-) + +diff --git a/fs/udf/super.c b/fs/udf/super.c +index 03369a89600e0..4abdba453885e 100644 +--- a/fs/udf/super.c ++++ b/fs/udf/super.c +@@ -2460,17 +2460,29 @@ static unsigned int udf_count_free_table(struct super_block *sb, + static unsigned int udf_count_free(struct super_block *sb) + { + unsigned int accum = 0; +- struct udf_sb_info *sbi; ++ struct udf_sb_info *sbi = UDF_SB(sb); + struct udf_part_map *map; ++ unsigned int part = sbi->s_partition; ++ int ptype = sbi->s_partmaps[part].s_partition_type; ++ ++ if (ptype == UDF_METADATA_MAP25) { ++ part = sbi->s_partmaps[part].s_type_specific.s_metadata. ++ s_phys_partition_ref; ++ } else if (ptype == UDF_VIRTUAL_MAP15 || ptype == UDF_VIRTUAL_MAP20) { ++ /* ++ * Filesystems with VAT are append-only and we cannot write to ++ * them. Let's just report 0 here. ++ */ ++ return 0; ++ } + +- sbi = UDF_SB(sb); + if (sbi->s_lvid_bh) { + struct logicalVolIntegrityDesc *lvid = + (struct logicalVolIntegrityDesc *) + sbi->s_lvid_bh->b_data; +- if (le32_to_cpu(lvid->numOfPartitions) > sbi->s_partition) { ++ if (le32_to_cpu(lvid->numOfPartitions) > part) { + accum = le32_to_cpu( +- lvid->freeSpaceTable[sbi->s_partition]); ++ lvid->freeSpaceTable[part]); + if (accum == 0xFFFFFFFF) + accum = 0; + } +@@ -2479,7 +2491,7 @@ static unsigned int udf_count_free(struct super_block *sb) + if (accum) + return accum; + +- map = &sbi->s_partmaps[sbi->s_partition]; ++ map = &sbi->s_partmaps[part]; + if (map->s_partition_flags & UDF_PART_FLAG_UNALLOC_BITMAP) { + accum += udf_count_free_bitmap(sb, + map->s_uspace.s_bitmap); +-- +2.20.1 + diff --git a/queue-4.9/uio-fix-a-sleep-in-atomic-context-bug-in-uio_dmem_ge.patch b/queue-4.9/uio-fix-a-sleep-in-atomic-context-bug-in-uio_dmem_ge.patch new file mode 100644 index 00000000000..edf79d0ca7e --- /dev/null +++ b/queue-4.9/uio-fix-a-sleep-in-atomic-context-bug-in-uio_dmem_ge.patch @@ -0,0 +1,57 @@ +From f1d9df94850124a2a63ce6b5b2e55ce224ca757e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Dec 2019 17:44:05 +0800 +Subject: uio: fix a sleep-in-atomic-context bug in + uio_dmem_genirq_irqcontrol() + +From: Jia-Ju Bai + +[ Upstream commit b74351287d4bd90636c3f48bc188c2f53824c2d4 ] + +The driver may sleep while holding a spinlock. +The function call path (from bottom to top) in Linux 4.19 is: + +kernel/irq/manage.c, 523: + synchronize_irq in disable_irq +drivers/uio/uio_dmem_genirq.c, 140: + disable_irq in uio_dmem_genirq_irqcontrol +drivers/uio/uio_dmem_genirq.c, 134: + _raw_spin_lock_irqsave in uio_dmem_genirq_irqcontrol + +synchronize_irq() can sleep at runtime. + +To fix this bug, disable_irq() is called without holding the spinlock. + +This bug is found by a static analysis tool STCheck written by myself. + +Signed-off-by: Jia-Ju Bai +Link: https://lore.kernel.org/r/20191218094405.6009-1-baijiaju1990@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/uio/uio_dmem_genirq.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/uio/uio_dmem_genirq.c b/drivers/uio/uio_dmem_genirq.c +index e1134a4d97f3f..a00b4aee6c799 100644 +--- a/drivers/uio/uio_dmem_genirq.c ++++ b/drivers/uio/uio_dmem_genirq.c +@@ -135,11 +135,13 @@ static int uio_dmem_genirq_irqcontrol(struct uio_info *dev_info, s32 irq_on) + if (irq_on) { + if (test_and_clear_bit(0, &priv->flags)) + enable_irq(dev_info->irq); ++ spin_unlock_irqrestore(&priv->lock, flags); + } else { +- if (!test_and_set_bit(0, &priv->flags)) ++ if (!test_and_set_bit(0, &priv->flags)) { ++ spin_unlock_irqrestore(&priv->lock, flags); + disable_irq(dev_info->irq); ++ } + } +- spin_unlock_irqrestore(&priv->lock, flags); + + return 0; + } +-- +2.20.1 + diff --git a/queue-4.9/usb-gadget-udc-fix-possible-sleep-in-atomic-context-.patch b/queue-4.9/usb-gadget-udc-fix-possible-sleep-in-atomic-context-.patch new file mode 100644 index 00000000000..58554f6bf31 --- /dev/null +++ b/queue-4.9/usb-gadget-udc-fix-possible-sleep-in-atomic-context-.patch @@ -0,0 +1,111 @@ +From 3fa5d18fff71180a330b9e20c8adee78f5b2e7db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Dec 2019 11:43:49 +0800 +Subject: usb: gadget: udc: fix possible sleep-in-atomic-context bugs in + gr_probe() + +From: Jia-Ju Bai + +[ Upstream commit 9c1ed62ae0690dfe5d5e31d8f70e70a95cb48e52 ] + +The driver may sleep while holding a spinlock. +The function call path (from bottom to top) in Linux 4.19 is: + +drivers/usb/gadget/udc/core.c, 1175: + kzalloc(GFP_KERNEL) in usb_add_gadget_udc_release +drivers/usb/gadget/udc/core.c, 1272: + usb_add_gadget_udc_release in usb_add_gadget_udc +drivers/usb/gadget/udc/gr_udc.c, 2186: + usb_add_gadget_udc in gr_probe +drivers/usb/gadget/udc/gr_udc.c, 2183: + spin_lock in gr_probe + +drivers/usb/gadget/udc/core.c, 1195: + mutex_lock in usb_add_gadget_udc_release +drivers/usb/gadget/udc/core.c, 1272: + usb_add_gadget_udc_release in usb_add_gadget_udc +drivers/usb/gadget/udc/gr_udc.c, 2186: + usb_add_gadget_udc in gr_probe +drivers/usb/gadget/udc/gr_udc.c, 2183: + spin_lock in gr_probe + +drivers/usb/gadget/udc/gr_udc.c, 212: + debugfs_create_file in gr_probe +drivers/usb/gadget/udc/gr_udc.c, 2197: + gr_dfs_create in gr_probe +drivers/usb/gadget/udc/gr_udc.c, 2183: + spin_lock in gr_probe + +drivers/usb/gadget/udc/gr_udc.c, 2114: + devm_request_threaded_irq in gr_request_irq +drivers/usb/gadget/udc/gr_udc.c, 2202: + gr_request_irq in gr_probe +drivers/usb/gadget/udc/gr_udc.c, 2183: + spin_lock in gr_probe + +kzalloc(GFP_KERNEL), mutex_lock(), debugfs_create_file() and +devm_request_threaded_irq() can sleep at runtime. + +To fix these possible bugs, usb_add_gadget_udc(), gr_dfs_create() and +gr_request_irq() are called without handling the spinlock. + +These bugs are found by a static analysis tool STCheck written by myself. + +Signed-off-by: Jia-Ju Bai +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/gr_udc.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/drivers/usb/gadget/udc/gr_udc.c b/drivers/usb/gadget/udc/gr_udc.c +index 39b7136d31d9c..9e246d2e55ca3 100644 +--- a/drivers/usb/gadget/udc/gr_udc.c ++++ b/drivers/usb/gadget/udc/gr_udc.c +@@ -2200,8 +2200,6 @@ static int gr_probe(struct platform_device *pdev) + return -ENOMEM; + } + +- spin_lock(&dev->lock); +- + /* Inside lock so that no gadget can use this udc until probe is done */ + retval = usb_add_gadget_udc(dev->dev, &dev->gadget); + if (retval) { +@@ -2210,15 +2208,21 @@ static int gr_probe(struct platform_device *pdev) + } + dev->added = 1; + ++ spin_lock(&dev->lock); ++ + retval = gr_udc_init(dev); +- if (retval) ++ if (retval) { ++ spin_unlock(&dev->lock); + goto out; +- +- gr_dfs_create(dev); ++ } + + /* Clear all interrupt enables that might be left on since last boot */ + gr_disable_interrupts_and_pullup(dev); + ++ spin_unlock(&dev->lock); ++ ++ gr_dfs_create(dev); ++ + retval = gr_request_irq(dev, dev->irq); + if (retval) { + dev_err(dev->dev, "Failed to request irq %d\n", dev->irq); +@@ -2247,8 +2251,6 @@ static int gr_probe(struct platform_device *pdev) + dev_info(dev->dev, "regs: %p, irq %d\n", dev->regs, dev->irq); + + out: +- spin_unlock(&dev->lock); +- + if (retval) + gr_remove(pdev); + +-- +2.20.1 + diff --git a/queue-4.9/usb-musb-omap2430-get-rid-of-musb-.set_vbus-for-omap.patch b/queue-4.9/usb-musb-omap2430-get-rid-of-musb-.set_vbus-for-omap.patch new file mode 100644 index 00000000000..ead6d160e58 --- /dev/null +++ b/queue-4.9/usb-musb-omap2430-get-rid-of-musb-.set_vbus-for-omap.patch @@ -0,0 +1,56 @@ +From 6c37676c020720624ee4141e6b2f6b2296341def Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Jan 2020 07:25:26 -0600 +Subject: usb: musb: omap2430: Get rid of musb .set_vbus for omap2430 glue + +From: Tony Lindgren + +[ Upstream commit 91b6dec32e5c25fbdbb564d1e5af23764ec17ef1 ] + +We currently have musb_set_vbus() called from two different paths. Mostly +it gets called from the USB PHY via omap_musb_set_mailbox(), but in some +cases it can get also called from musb_stage0_irq() rather via .set_vbus: + +(musb_set_host [musb_hdrc]) +(omap2430_musb_set_vbus [omap2430]) +(musb_stage0_irq [musb_hdrc]) +(musb_interrupt [musb_hdrc]) +(omap2430_musb_interrupt [omap2430]) + +This is racy and will not work with introducing generic helper functions +for musb_set_host() and musb_set_peripheral(). We want to get rid of the +busy loops in favor of usleep_range(). + +Let's just get rid of .set_vbus for omap2430 glue layer and let the PHY +code handle VBUS with musb_set_vbus(). Note that in the follow-up patch +we can completely remove omap2430_musb_set_vbus(), but let's do it in a +separate patch as this change may actually turn out to be needed as a +fix. + +Reported-by: Pavel Machek +Acked-by: Pavel Machek +Signed-off-by: Tony Lindgren +Signed-off-by: Bin Liu +Link: https://lore.kernel.org/r/20200115132547.364-5-b-liu@ti.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/musb/omap2430.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/usb/musb/omap2430.c b/drivers/usb/musb/omap2430.c +index e8be8e39ab8fb..457ad33f4caa8 100644 +--- a/drivers/usb/musb/omap2430.c ++++ b/drivers/usb/musb/omap2430.c +@@ -388,8 +388,6 @@ static const struct musb_platform_ops omap2430_ops = { + .init = omap2430_musb_init, + .exit = omap2430_musb_exit, + +- .set_vbus = omap2430_musb_set_vbus, +- + .enable = omap2430_musb_enable, + .disable = omap2430_musb_disable, + +-- +2.20.1 + diff --git a/queue-4.9/usbip-fix-unsafe-unaligned-pointer-usage.patch b/queue-4.9/usbip-fix-unsafe-unaligned-pointer-usage.patch new file mode 100644 index 00000000000..5c135f329d9 --- /dev/null +++ b/queue-4.9/usbip-fix-unsafe-unaligned-pointer-usage.patch @@ -0,0 +1,156 @@ +From cb99acc0d706b75b97cf31b9046b29458bd34666 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jan 2020 18:24:16 -0700 +Subject: usbip: Fix unsafe unaligned pointer usage +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Shuah Khan + +[ Upstream commit 585c91f40d201bc564d4e76b83c05b3b5363fe7e ] + +Fix unsafe unaligned pointer usage in usbip network interfaces. usbip tool +build fails with new gcc -Werror=address-of-packed-member checks. + +usbip_network.c: In function ‘usbip_net_pack_usb_device’: +usbip_network.c:79:32: error: taking address of packed member of ‘struct usbip_usb_device’ may result in an unaligned pointer value [-Werror=address-of-packed-member] + 79 | usbip_net_pack_uint32_t(pack, &udev->busnum); + +Fix with minor changes to pass by value instead of by address. + +Signed-off-by: Shuah Khan +Link: https://lore.kernel.org/r/20200109012416.2875-1-skhan@linuxfoundation.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + tools/usb/usbip/src/usbip_network.c | 40 +++++++++++++++++------------ + tools/usb/usbip/src/usbip_network.h | 12 +++------ + 2 files changed, 27 insertions(+), 25 deletions(-) + +diff --git a/tools/usb/usbip/src/usbip_network.c b/tools/usb/usbip/src/usbip_network.c +index b4c37e76a6e08..187dfaa67d0a2 100644 +--- a/tools/usb/usbip/src/usbip_network.c ++++ b/tools/usb/usbip/src/usbip_network.c +@@ -62,39 +62,39 @@ void usbip_setup_port_number(char *arg) + info("using port %d (\"%s\")", usbip_port, usbip_port_string); + } + +-void usbip_net_pack_uint32_t(int pack, uint32_t *num) ++uint32_t usbip_net_pack_uint32_t(int pack, uint32_t num) + { + uint32_t i; + + if (pack) +- i = htonl(*num); ++ i = htonl(num); + else +- i = ntohl(*num); ++ i = ntohl(num); + +- *num = i; ++ return i; + } + +-void usbip_net_pack_uint16_t(int pack, uint16_t *num) ++uint16_t usbip_net_pack_uint16_t(int pack, uint16_t num) + { + uint16_t i; + + if (pack) +- i = htons(*num); ++ i = htons(num); + else +- i = ntohs(*num); ++ i = ntohs(num); + +- *num = i; ++ return i; + } + + void usbip_net_pack_usb_device(int pack, struct usbip_usb_device *udev) + { +- usbip_net_pack_uint32_t(pack, &udev->busnum); +- usbip_net_pack_uint32_t(pack, &udev->devnum); +- usbip_net_pack_uint32_t(pack, &udev->speed); ++ udev->busnum = usbip_net_pack_uint32_t(pack, udev->busnum); ++ udev->devnum = usbip_net_pack_uint32_t(pack, udev->devnum); ++ udev->speed = usbip_net_pack_uint32_t(pack, udev->speed); + +- usbip_net_pack_uint16_t(pack, &udev->idVendor); +- usbip_net_pack_uint16_t(pack, &udev->idProduct); +- usbip_net_pack_uint16_t(pack, &udev->bcdDevice); ++ udev->idVendor = usbip_net_pack_uint16_t(pack, udev->idVendor); ++ udev->idProduct = usbip_net_pack_uint16_t(pack, udev->idProduct); ++ udev->bcdDevice = usbip_net_pack_uint16_t(pack, udev->bcdDevice); + } + + void usbip_net_pack_usb_interface(int pack __attribute__((unused)), +@@ -141,6 +141,14 @@ ssize_t usbip_net_send(int sockfd, void *buff, size_t bufflen) + return usbip_net_xmit(sockfd, buff, bufflen, 1); + } + ++static inline void usbip_net_pack_op_common(int pack, ++ struct op_common *op_common) ++{ ++ op_common->version = usbip_net_pack_uint16_t(pack, op_common->version); ++ op_common->code = usbip_net_pack_uint16_t(pack, op_common->code); ++ op_common->status = usbip_net_pack_uint32_t(pack, op_common->status); ++} ++ + int usbip_net_send_op_common(int sockfd, uint32_t code, uint32_t status) + { + struct op_common op_common; +@@ -152,7 +160,7 @@ int usbip_net_send_op_common(int sockfd, uint32_t code, uint32_t status) + op_common.code = code; + op_common.status = status; + +- PACK_OP_COMMON(1, &op_common); ++ usbip_net_pack_op_common(1, &op_common); + + rc = usbip_net_send(sockfd, &op_common, sizeof(op_common)); + if (rc < 0) { +@@ -176,7 +184,7 @@ int usbip_net_recv_op_common(int sockfd, uint16_t *code) + goto err; + } + +- PACK_OP_COMMON(0, &op_common); ++ usbip_net_pack_op_common(0, &op_common); + + if (op_common.version != USBIP_VERSION) { + dbg("version mismatch: %d %d", op_common.version, +diff --git a/tools/usb/usbip/src/usbip_network.h b/tools/usb/usbip/src/usbip_network.h +index c1e875cf1078c..573fa839b66b7 100644 +--- a/tools/usb/usbip/src/usbip_network.h ++++ b/tools/usb/usbip/src/usbip_network.h +@@ -33,12 +33,6 @@ struct op_common { + + } __attribute__((packed)); + +-#define PACK_OP_COMMON(pack, op_common) do {\ +- usbip_net_pack_uint16_t(pack, &(op_common)->version);\ +- usbip_net_pack_uint16_t(pack, &(op_common)->code);\ +- usbip_net_pack_uint32_t(pack, &(op_common)->status);\ +-} while (0) +- + /* ---------------------------------------------------------------------- */ + /* Dummy Code */ + #define OP_UNSPEC 0x00 +@@ -164,11 +158,11 @@ struct op_devlist_reply_extra { + } while (0) + + #define PACK_OP_DEVLIST_REPLY(pack, reply) do {\ +- usbip_net_pack_uint32_t(pack, &(reply)->ndev);\ ++ (reply)->ndev = usbip_net_pack_uint32_t(pack, (reply)->ndev);\ + } while (0) + +-void usbip_net_pack_uint32_t(int pack, uint32_t *num); +-void usbip_net_pack_uint16_t(int pack, uint16_t *num); ++uint32_t usbip_net_pack_uint32_t(int pack, uint32_t num); ++uint16_t usbip_net_pack_uint16_t(int pack, uint16_t num); + void usbip_net_pack_usb_device(int pack, struct usbip_usb_device *udev); + void usbip_net_pack_usb_interface(int pack, struct usbip_usb_interface *uinf); + +-- +2.20.1 + diff --git a/queue-4.9/vme-bridges-reduce-stack-usage.patch b/queue-4.9/vme-bridges-reduce-stack-usage.patch new file mode 100644 index 00000000000..47b813bca4b --- /dev/null +++ b/queue-4.9/vme-bridges-reduce-stack-usage.patch @@ -0,0 +1,110 @@ +From 9abcc3cabfb0c7c93e5bf301ff087917319cf9ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jan 2020 21:05:43 +0100 +Subject: vme: bridges: reduce stack usage + +From: Arnd Bergmann + +[ Upstream commit 7483e7a939c074d887450ef1c4d9ccc5909405f8 ] + +With CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE_O3, the stack usage in vme_fake +grows above the warning limit: + +drivers/vme/bridges/vme_fake.c: In function 'fake_master_read': +drivers/vme/bridges/vme_fake.c:610:1: error: the frame size of 1160 bytes is larger than 1024 bytes [-Werror=frame-larger-than=] +drivers/vme/bridges/vme_fake.c: In function 'fake_master_write': +drivers/vme/bridges/vme_fake.c:797:1: error: the frame size of 1160 bytes is larger than 1024 bytes [-Werror=frame-larger-than=] + +The problem is that in some configurations, each call to +fake_vmereadX() puts another variable on the stack. + +Reduce the amount of inlining to get back to the previous state, +with no function using more than 200 bytes each. + +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20200107200610.3482901-1-arnd@arndb.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/vme/bridges/vme_fake.c | 30 ++++++++++++++++++------------ + 1 file changed, 18 insertions(+), 12 deletions(-) + +diff --git a/drivers/vme/bridges/vme_fake.c b/drivers/vme/bridges/vme_fake.c +index 30b3acc938330..e81ec763b5555 100644 +--- a/drivers/vme/bridges/vme_fake.c ++++ b/drivers/vme/bridges/vme_fake.c +@@ -418,8 +418,9 @@ static void fake_lm_check(struct fake_driver *bridge, unsigned long long addr, + } + } + +-static u8 fake_vmeread8(struct fake_driver *bridge, unsigned long long addr, +- u32 aspace, u32 cycle) ++static noinline_for_stack u8 fake_vmeread8(struct fake_driver *bridge, ++ unsigned long long addr, ++ u32 aspace, u32 cycle) + { + u8 retval = 0xff; + int i; +@@ -450,8 +451,9 @@ static u8 fake_vmeread8(struct fake_driver *bridge, unsigned long long addr, + return retval; + } + +-static u16 fake_vmeread16(struct fake_driver *bridge, unsigned long long addr, +- u32 aspace, u32 cycle) ++static noinline_for_stack u16 fake_vmeread16(struct fake_driver *bridge, ++ unsigned long long addr, ++ u32 aspace, u32 cycle) + { + u16 retval = 0xffff; + int i; +@@ -482,8 +484,9 @@ static u16 fake_vmeread16(struct fake_driver *bridge, unsigned long long addr, + return retval; + } + +-static u32 fake_vmeread32(struct fake_driver *bridge, unsigned long long addr, +- u32 aspace, u32 cycle) ++static noinline_for_stack u32 fake_vmeread32(struct fake_driver *bridge, ++ unsigned long long addr, ++ u32 aspace, u32 cycle) + { + u32 retval = 0xffffffff; + int i; +@@ -613,8 +616,9 @@ out: + return retval; + } + +-static void fake_vmewrite8(struct fake_driver *bridge, u8 *buf, +- unsigned long long addr, u32 aspace, u32 cycle) ++static noinline_for_stack void fake_vmewrite8(struct fake_driver *bridge, ++ u8 *buf, unsigned long long addr, ++ u32 aspace, u32 cycle) + { + int i; + unsigned long long start, end, offset; +@@ -643,8 +647,9 @@ static void fake_vmewrite8(struct fake_driver *bridge, u8 *buf, + + } + +-static void fake_vmewrite16(struct fake_driver *bridge, u16 *buf, +- unsigned long long addr, u32 aspace, u32 cycle) ++static noinline_for_stack void fake_vmewrite16(struct fake_driver *bridge, ++ u16 *buf, unsigned long long addr, ++ u32 aspace, u32 cycle) + { + int i; + unsigned long long start, end, offset; +@@ -673,8 +678,9 @@ static void fake_vmewrite16(struct fake_driver *bridge, u16 *buf, + + } + +-static void fake_vmewrite32(struct fake_driver *bridge, u32 *buf, +- unsigned long long addr, u32 aspace, u32 cycle) ++static noinline_for_stack void fake_vmewrite32(struct fake_driver *bridge, ++ u32 *buf, unsigned long long addr, ++ u32 aspace, u32 cycle) + { + int i; + unsigned long long start, end, offset; +-- +2.20.1 + diff --git a/queue-4.9/wan-ixp4xx_hss-fix-compile-testing-on-64-bit.patch b/queue-4.9/wan-ixp4xx_hss-fix-compile-testing-on-64-bit.patch new file mode 100644 index 00000000000..b41e94a3c2f --- /dev/null +++ b/queue-4.9/wan-ixp4xx_hss-fix-compile-testing-on-64-bit.patch @@ -0,0 +1,55 @@ +From f0982a312fa02413cf7756e62adf2abf64de7b8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Jan 2020 13:04:42 +0100 +Subject: wan: ixp4xx_hss: fix compile-testing on 64-bit + +From: Arnd Bergmann + +[ Upstream commit 504c28c853ec5c626900b914b5833daf0581a344 ] + +Change the driver to use portable integer types to avoid +warnings during compile testing: + +drivers/net/wan/ixp4xx_hss.c:863:21: error: cast to 'u32 *' (aka 'unsigned int *') from smaller integer type 'int' [-Werror,-Wint-to-pointer-cast] + memcpy_swab32(mem, (u32 *)((int)skb->data & ~3), bytes / 4); + ^ +drivers/net/wan/ixp4xx_hss.c:979:12: error: incompatible pointer types passing 'u32 *' (aka 'unsigned int *') to parameter of type 'dma_addr_t *' (aka 'unsigned long long *') [-Werror,-Wincompatible-pointer-types] + &port->desc_tab_phys))) + ^~~~~~~~~~~~~~~~~~~~ +include/linux/dmapool.h:27:20: note: passing argument to parameter 'handle' here + dma_addr_t *handle); + ^ + +Signed-off-by: Arnd Bergmann +Signed-off-by: Linus Walleij +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/wan/ixp4xx_hss.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wan/ixp4xx_hss.c b/drivers/net/wan/ixp4xx_hss.c +index e7bbdb7af53ac..97968e6a6a4eb 100644 +--- a/drivers/net/wan/ixp4xx_hss.c ++++ b/drivers/net/wan/ixp4xx_hss.c +@@ -261,7 +261,7 @@ struct port { + struct hss_plat_info *plat; + buffer_t *rx_buff_tab[RX_DESCS], *tx_buff_tab[TX_DESCS]; + struct desc *desc_tab; /* coherent */ +- u32 desc_tab_phys; ++ dma_addr_t desc_tab_phys; + unsigned int id; + unsigned int clock_type, clock_rate, loopback; + unsigned int initialized, carrier; +@@ -861,7 +861,7 @@ static int hss_hdlc_xmit(struct sk_buff *skb, struct net_device *dev) + dev->stats.tx_dropped++; + return NETDEV_TX_OK; + } +- memcpy_swab32(mem, (u32 *)((int)skb->data & ~3), bytes / 4); ++ memcpy_swab32(mem, (u32 *)((uintptr_t)skb->data & ~3), bytes / 4); + dev_kfree_skb(skb); + #endif + +-- +2.20.1 + diff --git a/queue-4.9/x86-decoder-add-test-opcode-to-group3-2.patch b/queue-4.9/x86-decoder-add-test-opcode-to-group3-2.patch new file mode 100644 index 00000000000..02f0de46291 --- /dev/null +++ b/queue-4.9/x86-decoder-add-test-opcode-to-group3-2.patch @@ -0,0 +1,80 @@ +From 5662e464f542bbb9a39b715dedf541d03fb8314e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Jan 2020 13:11:54 +0900 +Subject: x86/decoder: Add TEST opcode to Group3-2 + +From: Masami Hiramatsu + +[ Upstream commit 8b7e20a7ba54836076ff35a28349dabea4cec48f ] + +Add TEST opcode to Group3-2 reg=001b as same as Group3-1 does. + +Commit + + 12a78d43de76 ("x86/decoder: Add new TEST instruction pattern") + +added a TEST opcode assignment to f6 XX/001/XXX (Group 3-1), but did +not add f7 XX/001/XXX (Group 3-2). + +Actually, this TEST opcode variant (ModRM.reg /1) is not described in +the Intel SDM Vol2 but in AMD64 Architecture Programmer's Manual Vol.3, +Appendix A.2 Table A-6. ModRM.reg Extensions for the Primary Opcode Map. + +Without this fix, Randy found a warning by insn_decoder_test related +to this issue as below. + + HOSTCC arch/x86/tools/insn_decoder_test + HOSTCC arch/x86/tools/insn_sanity + TEST posttest + arch/x86/tools/insn_decoder_test: warning: Found an x86 instruction decoder bug, please report this. + arch/x86/tools/insn_decoder_test: warning: ffffffff81000bf1: f7 0b 00 01 08 00 testl $0x80100,(%rbx) + arch/x86/tools/insn_decoder_test: warning: objdump says 6 bytes, but insn_get_length() says 2 + arch/x86/tools/insn_decoder_test: warning: Decoded and checked 11913894 instructions with 1 failures + TEST posttest + arch/x86/tools/insn_sanity: Success: decoded and checked 1000000 random instructions with 0 errors (seed:0x871ce29c) + +To fix this error, add the TEST opcode according to AMD64 APM Vol.3. + + [ bp: Massage commit message. ] + +Reported-by: Randy Dunlap +Signed-off-by: Masami Hiramatsu +Signed-off-by: Borislav Petkov +Acked-by: Randy Dunlap +Tested-by: Randy Dunlap +Link: https://lkml.kernel.org/r/157966631413.9580.10311036595431878351.stgit@devnote2 +Signed-off-by: Sasha Levin +--- + arch/x86/lib/x86-opcode-map.txt | 2 +- + tools/objtool/arch/x86/lib/x86-opcode-map.txt | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/lib/x86-opcode-map.txt b/arch/x86/lib/x86-opcode-map.txt +index 0f7eb4f5bdb71..82e105b284e01 100644 +--- a/arch/x86/lib/x86-opcode-map.txt ++++ b/arch/x86/lib/x86-opcode-map.txt +@@ -909,7 +909,7 @@ EndTable + + GrpTable: Grp3_2 + 0: TEST Ev,Iz +-1: ++1: TEST Ev,Iz + 2: NOT Ev + 3: NEG Ev + 4: MUL rAX,Ev +diff --git a/tools/objtool/arch/x86/lib/x86-opcode-map.txt b/tools/objtool/arch/x86/lib/x86-opcode-map.txt +index 0f7eb4f5bdb71..82e105b284e01 100644 +--- a/tools/objtool/arch/x86/lib/x86-opcode-map.txt ++++ b/tools/objtool/arch/x86/lib/x86-opcode-map.txt +@@ -909,7 +909,7 @@ EndTable + + GrpTable: Grp3_2 + 0: TEST Ev,Iz +-1: ++1: TEST Ev,Iz + 2: NOT Ev + 3: NEG Ev + 4: MUL rAX,Ev +-- +2.20.1 + diff --git a/queue-4.9/x86-sysfb-fix-check-for-bad-vram-size.patch b/queue-4.9/x86-sysfb-fix-check-for-bad-vram-size.patch new file mode 100644 index 00000000000..22f2aa13e6a --- /dev/null +++ b/queue-4.9/x86-sysfb-fix-check-for-bad-vram-size.patch @@ -0,0 +1,50 @@ +From 7eacfb3b69ee47d8fe1dc54e5e9f632536d8e8d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jan 2020 18:04:10 -0500 +Subject: x86/sysfb: Fix check for bad VRAM size + +From: Arvind Sankar + +[ Upstream commit dacc9092336be20b01642afe1a51720b31f60369 ] + +When checking whether the reported lfb_size makes sense, the height +* stride result is page-aligned before seeing whether it exceeds the +reported size. + +This doesn't work if height * stride is not an exact number of pages. +For example, as reported in the kernel bugzilla below, an 800x600x32 EFI +framebuffer gets skipped because of this. + +Move the PAGE_ALIGN to after the check vs size. + +Reported-by: Christopher Head +Tested-by: Christopher Head +Signed-off-by: Arvind Sankar +Signed-off-by: Borislav Petkov +Link: https://bugzilla.kernel.org/show_bug.cgi?id=206051 +Link: https://lkml.kernel.org/r/20200107230410.2291947-1-nivedita@alum.mit.edu +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/sysfb_simplefb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/sysfb_simplefb.c b/arch/x86/kernel/sysfb_simplefb.c +index 85195d447a922..f3215346e47fd 100644 +--- a/arch/x86/kernel/sysfb_simplefb.c ++++ b/arch/x86/kernel/sysfb_simplefb.c +@@ -94,11 +94,11 @@ __init int create_simplefb(const struct screen_info *si, + if (si->orig_video_isVGA == VIDEO_TYPE_VLFB) + size <<= 16; + length = mode->height * mode->stride; +- length = PAGE_ALIGN(length); + if (length > size) { + printk(KERN_WARNING "sysfb: VRAM smaller than advertised\n"); + return -EINVAL; + } ++ length = PAGE_ALIGN(length); + + /* setup IORESOURCE_MEM as framebuffer memory */ + memset(&res, 0, sizeof(res)); +-- +2.20.1 + diff --git a/queue-4.9/x86-vdso-provide-missing-include-file.patch b/queue-4.9/x86-vdso-provide-missing-include-file.patch new file mode 100644 index 00000000000..c87ad7fc0c9 --- /dev/null +++ b/queue-4.9/x86-vdso-provide-missing-include-file.patch @@ -0,0 +1,47 @@ +From ee63241bfc5012f9d25e7879c085e25a37320b83 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Dec 2019 21:36:07 -0500 +Subject: x86/vdso: Provide missing include file +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Valdis Klētnieks + +[ Upstream commit bff47c2302cc249bcd550b17067f8dddbd4b6f77 ] + +When building with C=1, sparse issues a warning: + + CHECK arch/x86/entry/vdso/vdso32-setup.c + arch/x86/entry/vdso/vdso32-setup.c:28:28: warning: symbol 'vdso32_enabled' was not declared. Should it be static? + +Provide the missing header file. + +Signed-off-by: Valdis Kletnieks +Signed-off-by: Borislav Petkov +Cc: "H. Peter Anvin" +Cc: Andy Lutomirski +Cc: Ingo Molnar +Cc: Thomas Gleixner +Cc: x86-ml +Link: https://lkml.kernel.org/r/36224.1575599767@turing-police +Signed-off-by: Sasha Levin +--- + arch/x86/entry/vdso/vdso32-setup.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/entry/vdso/vdso32-setup.c b/arch/x86/entry/vdso/vdso32-setup.c +index 3f9d1a83891ad..50c1f77cab150 100644 +--- a/arch/x86/entry/vdso/vdso32-setup.c ++++ b/arch/x86/entry/vdso/vdso32-setup.c +@@ -10,6 +10,7 @@ + #include + #include + #include ++#include + + #include + #include +-- +2.20.1 +