From: Greg Kroah-Hartman Date: Sun, 15 Dec 2019 13:52:58 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v5.4.4~62 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f10acee9165d8892b52eb5180bae93a59b2eed39;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: acpi-bus-fix-null-pointer-check-in-acpi_bus_get_private_data.patch acpi-hotplug-pci-allocate-resources-directly-under-the-non-hotplug-bridge.patch acpi-osl-only-free-map-once-in-osl.c.patch acpi-pm-avoid-attaching-acpi-pm-domain-to-certain-devices.patch ar5523-check-null-before-memcpy-in-ar5523_cmd.patch arm-dts-omap3-tao3530-fix-incorrect-mmc-card-detection-gpio-polarity.patch asoc-jack-fix-null-pointer-dereference-in-snd_soc_jack_report.patch asoc-rt5645-fixed-buddy-jack-support.patch asoc-rt5645-fixed-typo-for-buddy-jack-support.patch blk-mq-avoid-sysfs-buffer-overflow-with-too-many-cpu-cores.patch cgroup-pids-use-atomic64_t-for-pids-limit.patch cpufreq-powernv-fix-stack-bloat-and-hard-limit-on-number-of-cpus.patch cpuidle-do-not-unset-the-driver-if-it-is-there-already.patch erofs-zero-out-when-listxattr-is-called-with-no-xattr.patch intel_th-fix-a-double-put_device-in-error-path.patch intel_th-pci-add-ice-lake-cpu-support.patch intel_th-pci-add-tiger-lake-cpu-support.patch md-improve-handling-of-bio-with-req_preflush-in-md_flush_request.patch media-bdisp-fix-memleak-on-release.patch media-cec.h-cec_op_rec_flag_-values-were-swapped.patch media-radio-wl1273-fix-interrupt-masking-on-release.patch mmc-host-omap_hsmmc-add-code-for-special-init-of-wl1251-to-get-rid-of-pandora_wl1251_init_card.patch perf-tests-fix-out-of-bounds-memory-access.patch pinctrl-armada-37xx-fix-irq-mask-access-in-armada_37xx_irq_set_type.patch pinctrl-samsung-add-of_node_put-before-return-in-error-path.patch pinctrl-samsung-fix-device-node-refcount-leaks-in-exynos-wakeup-controller-init.patch pinctrl-samsung-fix-device-node-refcount-leaks-in-init-code.patch pinctrl-samsung-fix-device-node-refcount-leaks-in-s3c24xx-wakeup-controller-init.patch pinctrl-samsung-fix-device-node-refcount-leaks-in-s3c64xx-wakeup-controller-init.patch pm-devfreq-lock-devfreq-in-trans_stat_show.patch ppdev-fix-ppgettime-ppsettime-ioctls.patch s390-mm-properly-clear-_page_noexec-bit-when-it-is-not-supported.patch --- diff --git a/queue-4.19/acpi-bus-fix-null-pointer-check-in-acpi_bus_get_private_data.patch b/queue-4.19/acpi-bus-fix-null-pointer-check-in-acpi_bus_get_private_data.patch new file mode 100644 index 00000000000..ea3b2f70482 --- /dev/null +++ b/queue-4.19/acpi-bus-fix-null-pointer-check-in-acpi_bus_get_private_data.patch @@ -0,0 +1,59 @@ +From 627ead724eff33673597216f5020b72118827de4 Mon Sep 17 00:00:00 2001 +From: Vamshi K Sthambamkadi +Date: Thu, 28 Nov 2019 15:58:29 +0530 +Subject: ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data() + +From: Vamshi K Sthambamkadi + +commit 627ead724eff33673597216f5020b72118827de4 upstream. + +kmemleak reported backtrace: + [] kmem_cache_alloc_trace+0x128/0x260 + [<6677f215>] i2c_acpi_install_space_handler+0x4b/0xe0 + [<1180f4fc>] i2c_register_adapter+0x186/0x400 + [<6083baf7>] i2c_add_adapter+0x4e/0x70 + [] intel_gmbus_setup+0x1a2/0x2c0 [i915] + [<84cb69ae>] i915_driver_probe+0x8d8/0x13a0 [i915] + [<81911d4b>] i915_pci_probe+0x48/0x160 [i915] + [<4b159af1>] pci_device_probe+0xdc/0x160 + [] really_probe+0x1ee/0x450 + [] driver_probe_device+0x142/0x1b0 + [] device_driver_attach+0x49/0x50 + [] __driver_attach+0xc9/0x150 + [] bus_for_each_dev+0x56/0xa0 + [<80089bba>] driver_attach+0x19/0x20 + [] bus_add_driver+0x177/0x220 + [<7b29d8c7>] driver_register+0x56/0xf0 + +In i2c_acpi_remove_space_handler(), a leak occurs whenever the +"data" parameter is initialized to 0 before being passed to +acpi_bus_get_private_data(). + +This is because the NULL pointer check in acpi_bus_get_private_data() +(condition->if(!*data)) returns EINVAL and, in consequence, memory is +never freed in i2c_acpi_remove_space_handler(). + +Fix the NULL pointer check in acpi_bus_get_private_data() to follow +the analogous check in acpi_get_data_full(). + +Signed-off-by: Vamshi K Sthambamkadi +[ rjw: Subject & changelog ] +Cc: All applicable +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/bus.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/acpi/bus.c ++++ b/drivers/acpi/bus.c +@@ -166,7 +166,7 @@ int acpi_bus_get_private_data(acpi_handl + { + acpi_status status; + +- if (!*data) ++ if (!data) + return -EINVAL; + + status = acpi_get_data(handle, acpi_bus_private_data_handler, data); diff --git a/queue-4.19/acpi-hotplug-pci-allocate-resources-directly-under-the-non-hotplug-bridge.patch b/queue-4.19/acpi-hotplug-pci-allocate-resources-directly-under-the-non-hotplug-bridge.patch new file mode 100644 index 00000000000..06756ebe22b --- /dev/null +++ b/queue-4.19/acpi-hotplug-pci-allocate-resources-directly-under-the-non-hotplug-bridge.patch @@ -0,0 +1,110 @@ +From 77adf9355304f8dcf09054280af5e23fc451ab3d Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Wed, 30 Oct 2019 18:05:45 +0300 +Subject: ACPI / hotplug / PCI: Allocate resources directly under the non-hotplug bridge + +From: Mika Westerberg + +commit 77adf9355304f8dcf09054280af5e23fc451ab3d upstream. + +Valerio and others reported that commit 84c8b58ed3ad ("ACPI / hotplug / +PCI: Don't scan bridges managed by native hotplug") prevents some recent +LG and HP laptops from booting with endless loop of: + + ACPI Error: No handler or method for GPE 08, disabling event (20190215/evgpe-835) + ACPI Error: No handler or method for GPE 09, disabling event (20190215/evgpe-835) + ACPI Error: No handler or method for GPE 0A, disabling event (20190215/evgpe-835) + ... + +What seems to happen is that during boot, after the initial PCI enumeration +when EC is enabled the platform triggers ACPI Notify() to one of the root +ports. The root port itself looks like this: + + pci 0000:00:1b.0: PCI bridge to [bus 02-3a] + pci 0000:00:1b.0: bridge window [mem 0xc4000000-0xda0fffff] + pci 0000:00:1b.0: bridge window [mem 0x80000000-0xa1ffffff 64bit pref] + +The BIOS has configured the root port so that it does not have I/O bridge +window. + +Now when the ACPI Notify() is triggered ACPI hotplug handler calls +acpiphp_native_scan_bridge() for each non-hotplug bridge (as this system is +using native PCIe hotplug) and pci_assign_unassigned_bridge_resources() to +allocate resources. + +The device connected to the root port is a PCIe switch (Thunderbolt +controller) with two hotplug downstream ports. Because of the hotplug ports +__pci_bus_size_bridges() tries to add "additional I/O" of 256 bytes to each +(DEFAULT_HOTPLUG_IO_SIZE). This gets further aligned to 4k as that's the +minimum I/O window size so each hotplug port gets 4k I/O window and the +same happens for the root port (which is also hotplug port). This means +3 * 4k = 12k I/O window. + +Because of this pci_assign_unassigned_bridge_resources() ends up opening a +I/O bridge window for the root port at first available I/O address which +seems to be in range 0x1000 - 0x3fff. Normally this range is used for ACPI +stuff such as GPE bits (below is part of /proc/ioports): + + 1800-1803 : ACPI PM1a_EVT_BLK + 1804-1805 : ACPI PM1a_CNT_BLK + 1808-180b : ACPI PM_TMR + 1810-1815 : ACPI CPU throttle + 1850-1850 : ACPI PM2_CNT_BLK + 1854-1857 : pnp 00:05 + 1860-187f : ACPI GPE0_BLK + +However, when the ACPI Notify() happened this range was not yet reserved +for ACPI/PNP (that happens later) so PCI gets it. It then starts writing to +this range and accidentally stomps over GPE bits among other things causing +the endless stream of messages about missing GPE handler. + +This problem does not happen if "pci=hpiosize=0" is passed in the kernel +command line. The reason is that then the kernel does not try to allocate +the additional 256 bytes for each hotplug port. + +Fix this by allocating resources directly below the non-hotplug bridges +where a new device may appear as a result of ACPI Notify(). This avoids the +hotplug bridges and prevents opening the additional I/O window. + +Fixes: 84c8b58ed3ad ("ACPI / hotplug / PCI: Don't scan bridges managed by native hotplug") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=203617 +Link: https://lore.kernel.org/r/20191030150545.19885-1-mika.westerberg@linux.intel.com +Reported-by: Valerio Passini +Signed-off-by: Mika Westerberg +Signed-off-by: Bjorn Helgaas +Reviewed-by: Rafael J. Wysocki +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/hotplug/acpiphp_glue.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/drivers/pci/hotplug/acpiphp_glue.c ++++ b/drivers/pci/hotplug/acpiphp_glue.c +@@ -449,8 +449,15 @@ static void acpiphp_native_scan_bridge(s + + /* Scan non-hotplug bridges that need to be reconfigured */ + for_each_pci_bridge(dev, bus) { +- if (!hotplug_is_native(dev)) +- max = pci_scan_bridge(bus, dev, max, 1); ++ if (hotplug_is_native(dev)) ++ continue; ++ ++ max = pci_scan_bridge(bus, dev, max, 1); ++ if (dev->subordinate) { ++ pcibios_resource_survey_bus(dev->subordinate); ++ pci_bus_size_bridges(dev->subordinate); ++ pci_bus_assign_resources(dev->subordinate); ++ } + } + } + +@@ -480,7 +487,6 @@ static void enable_slot(struct acpiphp_s + if (PCI_SLOT(dev->devfn) == slot->device) + acpiphp_native_scan_bridge(dev); + } +- pci_assign_unassigned_bridge_resources(bus->self); + } else { + LIST_HEAD(add_list); + int max, pass; diff --git a/queue-4.19/acpi-osl-only-free-map-once-in-osl.c.patch b/queue-4.19/acpi-osl-only-free-map-once-in-osl.c.patch new file mode 100644 index 00000000000..3c7e9bd22f8 --- /dev/null +++ b/queue-4.19/acpi-osl-only-free-map-once-in-osl.c.patch @@ -0,0 +1,111 @@ +From 833a426cc471b6088011b3d67f1dc4e147614647 Mon Sep 17 00:00:00 2001 +From: Francesco Ruggeri +Date: Tue, 19 Nov 2019 21:47:27 -0800 +Subject: ACPI: OSL: only free map once in osl.c + +From: Francesco Ruggeri + +commit 833a426cc471b6088011b3d67f1dc4e147614647 upstream. + +acpi_os_map_cleanup checks map->refcount outside of acpi_ioremap_lock +before freeing the map. This creates a race condition the can result +in the map being freed more than once. +A panic can be caused by running + +for ((i=0; i<10; i++)) +do + for ((j=0; j<100000; j++)) + do + cat /sys/firmware/acpi/tables/data/BERT >/dev/null + done & +done + +This patch makes sure that only the process that drops the reference +to 0 does the freeing. + +Fixes: b7c1fadd6c2e ("ACPI: Do not use krefs under a mutex in osl.c") +Signed-off-by: Francesco Ruggeri +Reviewed-by: Dmitry Safonov <0x7f454c46@gmail.com> +Cc: All applicable +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/osl.c | 28 +++++++++++++++++----------- + 1 file changed, 17 insertions(+), 11 deletions(-) + +--- a/drivers/acpi/osl.c ++++ b/drivers/acpi/osl.c +@@ -374,19 +374,21 @@ void *__ref acpi_os_map_memory(acpi_phys + } + EXPORT_SYMBOL_GPL(acpi_os_map_memory); + +-static void acpi_os_drop_map_ref(struct acpi_ioremap *map) ++/* Must be called with mutex_lock(&acpi_ioremap_lock) */ ++static unsigned long acpi_os_drop_map_ref(struct acpi_ioremap *map) + { +- if (!--map->refcount) ++ unsigned long refcount = --map->refcount; ++ ++ if (!refcount) + list_del_rcu(&map->list); ++ return refcount; + } + + static void acpi_os_map_cleanup(struct acpi_ioremap *map) + { +- if (!map->refcount) { +- synchronize_rcu_expedited(); +- acpi_unmap(map->phys, map->virt); +- kfree(map); +- } ++ synchronize_rcu_expedited(); ++ acpi_unmap(map->phys, map->virt); ++ kfree(map); + } + + /** +@@ -406,6 +408,7 @@ static void acpi_os_map_cleanup(struct a + void __ref acpi_os_unmap_iomem(void __iomem *virt, acpi_size size) + { + struct acpi_ioremap *map; ++ unsigned long refcount; + + if (!acpi_permanent_mmap) { + __acpi_unmap_table(virt, size); +@@ -419,10 +422,11 @@ void __ref acpi_os_unmap_iomem(void __io + WARN(true, PREFIX "%s: bad address %p\n", __func__, virt); + return; + } +- acpi_os_drop_map_ref(map); ++ refcount = acpi_os_drop_map_ref(map); + mutex_unlock(&acpi_ioremap_lock); + +- acpi_os_map_cleanup(map); ++ if (!refcount) ++ acpi_os_map_cleanup(map); + } + EXPORT_SYMBOL_GPL(acpi_os_unmap_iomem); + +@@ -457,6 +461,7 @@ void acpi_os_unmap_generic_address(struc + { + u64 addr; + struct acpi_ioremap *map; ++ unsigned long refcount; + + if (gas->space_id != ACPI_ADR_SPACE_SYSTEM_MEMORY) + return; +@@ -472,10 +477,11 @@ void acpi_os_unmap_generic_address(struc + mutex_unlock(&acpi_ioremap_lock); + return; + } +- acpi_os_drop_map_ref(map); ++ refcount = acpi_os_drop_map_ref(map); + mutex_unlock(&acpi_ioremap_lock); + +- acpi_os_map_cleanup(map); ++ if (!refcount) ++ acpi_os_map_cleanup(map); + } + EXPORT_SYMBOL(acpi_os_unmap_generic_address); + diff --git a/queue-4.19/acpi-pm-avoid-attaching-acpi-pm-domain-to-certain-devices.patch b/queue-4.19/acpi-pm-avoid-attaching-acpi-pm-domain-to-certain-devices.patch new file mode 100644 index 00000000000..d833c428d05 --- /dev/null +++ b/queue-4.19/acpi-pm-avoid-attaching-acpi-pm-domain-to-certain-devices.patch @@ -0,0 +1,53 @@ +From b9ea0bae260f6aae546db224daa6ac1bd9d94b91 Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Wed, 4 Dec 2019 02:54:27 +0100 +Subject: ACPI: PM: Avoid attaching ACPI PM domain to certain devices + +From: Rafael J. Wysocki + +commit b9ea0bae260f6aae546db224daa6ac1bd9d94b91 upstream. + +Certain ACPI-enumerated devices represented as platform devices in +Linux, like fans, require special low-level power management handling +implemented by their drivers that is not in agreement with the ACPI +PM domain behavior. That leads to problems with managing ACPI fans +during system-wide suspend and resume. + +For this reason, make acpi_dev_pm_attach() skip the affected devices +by adding a list of device IDs to avoid to it and putting the IDs of +the affected devices into that list. + +Fixes: e5cc8ef31267 (ACPI / PM: Provide ACPI PM callback routines for subsystems) +Reported-by: Zhang Rui +Tested-by: Todd Brandt +Cc: 3.10+ # 3.10+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/device_pm.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/drivers/acpi/device_pm.c ++++ b/drivers/acpi/device_pm.c +@@ -1254,9 +1254,19 @@ static void acpi_dev_pm_detach(struct de + */ + int acpi_dev_pm_attach(struct device *dev, bool power_on) + { ++ /* ++ * Skip devices whose ACPI companions match the device IDs below, ++ * because they require special power management handling incompatible ++ * with the generic ACPI PM domain. ++ */ ++ static const struct acpi_device_id special_pm_ids[] = { ++ {"PNP0C0B", }, /* Generic ACPI fan */ ++ {"INT3404", }, /* Fan */ ++ {} ++ }; + struct acpi_device *adev = ACPI_COMPANION(dev); + +- if (!adev) ++ if (!adev || !acpi_match_device_ids(adev, special_pm_ids)) + return 0; + + /* diff --git a/queue-4.19/ar5523-check-null-before-memcpy-in-ar5523_cmd.patch b/queue-4.19/ar5523-check-null-before-memcpy-in-ar5523_cmd.patch new file mode 100644 index 00000000000..f6bdacaf136 --- /dev/null +++ b/queue-4.19/ar5523-check-null-before-memcpy-in-ar5523_cmd.patch @@ -0,0 +1,40 @@ +From 315cee426f87658a6799815845788fde965ddaad Mon Sep 17 00:00:00 2001 +From: Denis Efremov +Date: Mon, 30 Sep 2019 23:31:47 +0300 +Subject: ar5523: check NULL before memcpy() in ar5523_cmd() + +From: Denis Efremov + +commit 315cee426f87658a6799815845788fde965ddaad upstream. + +memcpy() call with "idata == NULL && ilen == 0" results in undefined +behavior in ar5523_cmd(). For example, NULL is passed in callchain +"ar5523_stat_work() -> ar5523_cmd_write() -> ar5523_cmd()". This patch +adds ilen check before memcpy() call in ar5523_cmd() to prevent an +undefined behavior. + +Cc: Pontus Fuchs +Cc: Kalle Valo +Cc: "David S. Miller" +Cc: David Laight +Cc: stable@vger.kernel.org +Signed-off-by: Denis Efremov +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ar5523/ar5523.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath/ar5523/ar5523.c ++++ b/drivers/net/wireless/ath/ar5523/ar5523.c +@@ -255,7 +255,8 @@ static int ar5523_cmd(struct ar5523 *ar, + + if (flags & AR5523_CMD_FLAG_MAGIC) + hdr->magic = cpu_to_be32(1 << 24); +- memcpy(hdr + 1, idata, ilen); ++ if (ilen) ++ memcpy(hdr + 1, idata, ilen); + + cmd->odata = odata; + cmd->olen = olen; diff --git a/queue-4.19/arm-dts-omap3-tao3530-fix-incorrect-mmc-card-detection-gpio-polarity.patch b/queue-4.19/arm-dts-omap3-tao3530-fix-incorrect-mmc-card-detection-gpio-polarity.patch new file mode 100644 index 00000000000..fe771f82fa8 --- /dev/null +++ b/queue-4.19/arm-dts-omap3-tao3530-fix-incorrect-mmc-card-detection-gpio-polarity.patch @@ -0,0 +1,45 @@ +From 287897f9aaa2ad1c923d9875914f57c4dc9159c8 Mon Sep 17 00:00:00 2001 +From: Jarkko Nikula +Date: Sat, 16 Nov 2019 17:16:51 +0200 +Subject: ARM: dts: omap3-tao3530: Fix incorrect MMC card detection GPIO polarity + +From: Jarkko Nikula + +commit 287897f9aaa2ad1c923d9875914f57c4dc9159c8 upstream. + +The MMC card detection GPIO polarity is active low on TAO3530, like in many +other similar boards. Now the card is not detected and it is unable to +mount rootfs from an SD card. + +Fix this by using the correct polarity. + +This incorrect polarity was defined already in the commit 30d95c6d7092 +("ARM: dts: omap3: Add Technexion TAO3530 SOM omap3-tao3530.dtsi") in v3.18 +kernel and later changed to use defined GPIO constants in v4.4 kernel by +the commit 3a637e008e54 ("ARM: dts: Use defined GPIO constants in flags +cell for OMAP2+ boards"). + +While the latter commit did not introduce the issue I'm marking it with +Fixes tag due the v4.4 kernels still being maintained. + +Fixes: 3a637e008e54 ("ARM: dts: Use defined GPIO constants in flags cell for OMAP2+ boards") +Cc: linux-stable # 4.4+ +Signed-off-by: Jarkko Nikula +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/omap3-tao3530.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/omap3-tao3530.dtsi ++++ b/arch/arm/boot/dts/omap3-tao3530.dtsi +@@ -225,7 +225,7 @@ + pinctrl-0 = <&mmc1_pins>; + vmmc-supply = <&vmmc1>; + vqmmc-supply = <&vsim>; +- cd-gpios = <&twl_gpio 0 GPIO_ACTIVE_HIGH>; ++ cd-gpios = <&twl_gpio 0 GPIO_ACTIVE_LOW>; + bus-width = <8>; + }; + diff --git a/queue-4.19/asoc-jack-fix-null-pointer-dereference-in-snd_soc_jack_report.patch b/queue-4.19/asoc-jack-fix-null-pointer-dereference-in-snd_soc_jack_report.patch new file mode 100644 index 00000000000..c79f6e873ac --- /dev/null +++ b/queue-4.19/asoc-jack-fix-null-pointer-dereference-in-snd_soc_jack_report.patch @@ -0,0 +1,37 @@ +From 8f157d4ff039e03e2ed4cb602eeed2fd4687a58f Mon Sep 17 00:00:00 2001 +From: Pawel Harlozinski +Date: Tue, 12 Nov 2019 14:02:36 +0100 +Subject: ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report + +From: Pawel Harlozinski + +commit 8f157d4ff039e03e2ed4cb602eeed2fd4687a58f upstream. + +Check for existance of jack before tracing. +NULL pointer dereference has been reported by KASAN while unloading +machine driver (snd_soc_cnl_rt274). + +Signed-off-by: Pawel Harlozinski +Link: https://lore.kernel.org/r/20191112130237.10141-1-pawel.harlozinski@linux.intel.com +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/soc-jack.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/sound/soc/soc-jack.c ++++ b/sound/soc/soc-jack.c +@@ -100,10 +100,9 @@ void snd_soc_jack_report(struct snd_soc_ + unsigned int sync = 0; + int enable; + +- trace_snd_soc_jack_report(jack, mask, status); +- + if (!jack) + return; ++ trace_snd_soc_jack_report(jack, mask, status); + + dapm = &jack->card->dapm; + diff --git a/queue-4.19/asoc-rt5645-fixed-buddy-jack-support.patch b/queue-4.19/asoc-rt5645-fixed-buddy-jack-support.patch new file mode 100644 index 00000000000..741a55a3c89 --- /dev/null +++ b/queue-4.19/asoc-rt5645-fixed-buddy-jack-support.patch @@ -0,0 +1,58 @@ +From e7cfd867fd9842f346688f28412eb83dec342900 Mon Sep 17 00:00:00 2001 +From: Jacob Rasmussen +Date: Mon, 11 Nov 2019 11:59:57 -0700 +Subject: ASoC: rt5645: Fixed buddy jack support. + +From: Jacob Rasmussen + +commit e7cfd867fd9842f346688f28412eb83dec342900 upstream. + +The headphone jack on buddy was broken with the following commit: +commit 6b5da66322c5 ("ASoC: rt5645: read jd1_1 status for jd +detection"). +This changes the jd_mode for buddy to 4 so buddy can read from the same +register that was used in the working version of this driver without +affecting any other devices that might use this, since no other device uses +jd_mode = 4. To test this I plugged and uplugged the headphone jack, verifying +audio works. + +Signed-off-by: Jacob Rasmussen +Reviewed-by: Ross Zwisler +Link: https://lore.kernel.org/r/20191111185957.217244-1-jacobraz@google.com +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/codecs/rt5645.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/sound/soc/codecs/rt5645.c ++++ b/sound/soc/codecs/rt5645.c +@@ -3307,6 +3307,9 @@ static void rt5645_jack_detect_work(stru + snd_soc_jack_report(rt5645->mic_jack, + report, SND_JACK_MICROPHONE); + return; ++ case 4: ++ val = snd_soc_component_read32(rt5645->component, RT5645_A_JD_CTRL1) & 0x002; ++ break; + default: /* read rt5645 jd1_1 status */ + val = snd_soc_component_read32(rt5645->component, RT5645_INT_IRQ_ST) & 0x1000; + break; +@@ -3634,7 +3637,7 @@ static const struct rt5645_platform_data + static const struct rt5645_platform_data buddy_platform_data = { + .dmic1_data_pin = RT5645_DMIC_DATA_GPIO5, + .dmic2_data_pin = RT5645_DMIC_DATA_IN2P, +- .jd_mode = 3, ++ .jd_mode = 4, + .level_trigger_irq = true, + }; + +@@ -4030,6 +4033,7 @@ static int rt5645_i2c_probe(struct i2c_c + RT5645_JD1_MODE_1); + break; + case 3: ++ case 4: + regmap_update_bits(rt5645->regmap, RT5645_A_JD_CTRL1, + RT5645_JD1_MODE_MASK, + RT5645_JD1_MODE_2); diff --git a/queue-4.19/asoc-rt5645-fixed-typo-for-buddy-jack-support.patch b/queue-4.19/asoc-rt5645-fixed-typo-for-buddy-jack-support.patch new file mode 100644 index 00000000000..741ac8f43a4 --- /dev/null +++ b/queue-4.19/asoc-rt5645-fixed-typo-for-buddy-jack-support.patch @@ -0,0 +1,36 @@ +From fe23be2d85b05f561431d75acddec726ea807d2a Mon Sep 17 00:00:00 2001 +From: Jacob Rasmussen +Date: Thu, 14 Nov 2019 16:20:11 -0700 +Subject: ASoC: rt5645: Fixed typo for buddy jack support. + +From: Jacob Rasmussen + +commit fe23be2d85b05f561431d75acddec726ea807d2a upstream. + +Had a typo in e7cfd867fd98 that resulted in buddy jack support not being +fixed. + +Fixes: e7cfd867fd98 ("ASoC: rt5645: Fixed buddy jack support.") +Signed-off-by: Jacob Rasmussen +Reviewed-by: Ross Zwisler +Cc: +CC: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20191114232011.165762-1-jacobraz@google.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/codecs/rt5645.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/codecs/rt5645.c ++++ b/sound/soc/codecs/rt5645.c +@@ -3308,7 +3308,7 @@ static void rt5645_jack_detect_work(stru + report, SND_JACK_MICROPHONE); + return; + case 4: +- val = snd_soc_component_read32(rt5645->component, RT5645_A_JD_CTRL1) & 0x002; ++ val = snd_soc_component_read32(rt5645->component, RT5645_A_JD_CTRL1) & 0x0020; + break; + default: /* read rt5645 jd1_1 status */ + val = snd_soc_component_read32(rt5645->component, RT5645_INT_IRQ_ST) & 0x1000; diff --git a/queue-4.19/blk-mq-avoid-sysfs-buffer-overflow-with-too-many-cpu-cores.patch b/queue-4.19/blk-mq-avoid-sysfs-buffer-overflow-with-too-many-cpu-cores.patch new file mode 100644 index 00000000000..a4644a02adc --- /dev/null +++ b/queue-4.19/blk-mq-avoid-sysfs-buffer-overflow-with-too-many-cpu-cores.patch @@ -0,0 +1,61 @@ +From 8962842ca5abdcf98e22ab3b2b45a103f0408b95 Mon Sep 17 00:00:00 2001 +From: Ming Lei +Date: Sat, 2 Nov 2019 16:02:15 +0800 +Subject: blk-mq: avoid sysfs buffer overflow with too many CPU cores + +From: Ming Lei + +commit 8962842ca5abdcf98e22ab3b2b45a103f0408b95 upstream. + +It is reported that sysfs buffer overflow can be triggered if the system +has too many CPU cores(>841 on 4K PAGE_SIZE) when showing CPUs of +hctx via /sys/block/$DEV/mq/$N/cpu_list. + +Use snprintf to avoid the potential buffer overflow. + +This version doesn't change the attribute format, and simply stops +showing CPU numbers if the buffer is going to overflow. + +Cc: stable@vger.kernel.org +Fixes: 676141e48af7("blk-mq: don't dump CPU -> hw queue map on driver load") +Signed-off-by: Ming Lei +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/blk-mq-sysfs.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +--- a/block/blk-mq-sysfs.c ++++ b/block/blk-mq-sysfs.c +@@ -151,20 +151,25 @@ static ssize_t blk_mq_hw_sysfs_nr_reserv + + static ssize_t blk_mq_hw_sysfs_cpus_show(struct blk_mq_hw_ctx *hctx, char *page) + { ++ const size_t size = PAGE_SIZE - 1; + unsigned int i, first = 1; +- ssize_t ret = 0; ++ int ret = 0, pos = 0; + + for_each_cpu(i, hctx->cpumask) { + if (first) +- ret += sprintf(ret + page, "%u", i); ++ ret = snprintf(pos + page, size - pos, "%u", i); + else +- ret += sprintf(ret + page, ", %u", i); ++ ret = snprintf(pos + page, size - pos, ", %u", i); ++ ++ if (ret >= size - pos) ++ break; + + first = 0; ++ pos += ret; + } + +- ret += sprintf(ret + page, "\n"); +- return ret; ++ ret = snprintf(pos + page, size - pos, "\n"); ++ return pos + ret; + } + + static struct attribute *default_ctx_attrs[] = { diff --git a/queue-4.19/cgroup-pids-use-atomic64_t-for-pids-limit.patch b/queue-4.19/cgroup-pids-use-atomic64_t-for-pids-limit.patch new file mode 100644 index 00000000000..3654bcc8c77 --- /dev/null +++ b/queue-4.19/cgroup-pids-use-atomic64_t-for-pids-limit.patch @@ -0,0 +1,78 @@ +From a713af394cf382a30dd28a1015cbe572f1b9ca75 Mon Sep 17 00:00:00 2001 +From: Aleksa Sarai +Date: Thu, 17 Oct 2019 02:50:01 +1100 +Subject: cgroup: pids: use atomic64_t for pids->limit + +From: Aleksa Sarai + +commit a713af394cf382a30dd28a1015cbe572f1b9ca75 upstream. + +Because pids->limit can be changed concurrently (but we don't want to +take a lock because it would be needlessly expensive), use atomic64_ts +instead. + +Fixes: commit 49b786ea146f ("cgroup: implement the PIDs subsystem") +Cc: stable@vger.kernel.org # v4.3+ +Signed-off-by: Aleksa Sarai +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/cgroup/pids.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/kernel/cgroup/pids.c ++++ b/kernel/cgroup/pids.c +@@ -48,7 +48,7 @@ struct pids_cgroup { + * %PIDS_MAX = (%PID_MAX_LIMIT + 1). + */ + atomic64_t counter; +- int64_t limit; ++ atomic64_t limit; + + /* Handle for "pids.events" */ + struct cgroup_file events_file; +@@ -76,8 +76,8 @@ pids_css_alloc(struct cgroup_subsys_stat + if (!pids) + return ERR_PTR(-ENOMEM); + +- pids->limit = PIDS_MAX; + atomic64_set(&pids->counter, 0); ++ atomic64_set(&pids->limit, PIDS_MAX); + atomic64_set(&pids->events_limit, 0); + return &pids->css; + } +@@ -149,13 +149,14 @@ static int pids_try_charge(struct pids_c + + for (p = pids; parent_pids(p); p = parent_pids(p)) { + int64_t new = atomic64_add_return(num, &p->counter); ++ int64_t limit = atomic64_read(&p->limit); + + /* + * Since new is capped to the maximum number of pid_t, if + * p->limit is %PIDS_MAX then we know that this test will never + * fail. + */ +- if (new > p->limit) ++ if (new > limit) + goto revert; + } + +@@ -280,7 +281,7 @@ set_limit: + * Limit updates don't need to be mutex'd, since it isn't + * critical that any racing fork()s follow the new limit. + */ +- pids->limit = limit; ++ atomic64_set(&pids->limit, limit); + return nbytes; + } + +@@ -288,7 +289,7 @@ static int pids_max_show(struct seq_file + { + struct cgroup_subsys_state *css = seq_css(sf); + struct pids_cgroup *pids = css_pids(css); +- int64_t limit = pids->limit; ++ int64_t limit = atomic64_read(&pids->limit); + + if (limit >= PIDS_MAX) + seq_printf(sf, "%s\n", PIDS_MAX_STR); diff --git a/queue-4.19/cpufreq-powernv-fix-stack-bloat-and-hard-limit-on-number-of-cpus.patch b/queue-4.19/cpufreq-powernv-fix-stack-bloat-and-hard-limit-on-number-of-cpus.patch new file mode 100644 index 00000000000..f988d3069bd --- /dev/null +++ b/queue-4.19/cpufreq-powernv-fix-stack-bloat-and-hard-limit-on-number-of-cpus.patch @@ -0,0 +1,81 @@ +From db0d32d84031188443e25edbd50a71a6e7ac5d1d Mon Sep 17 00:00:00 2001 +From: John Hubbard +Date: Wed, 30 Oct 2019 22:21:59 -0700 +Subject: cpufreq: powernv: fix stack bloat and hard limit on number of CPUs + +From: John Hubbard + +commit db0d32d84031188443e25edbd50a71a6e7ac5d1d upstream. + +The following build warning occurred on powerpc 64-bit builds: + +drivers/cpufreq/powernv-cpufreq.c: In function 'init_chip_info': +drivers/cpufreq/powernv-cpufreq.c:1070:1: warning: the frame size of +1040 bytes is larger than 1024 bytes [-Wframe-larger-than=] + +This is with a cross-compiler based on gcc 8.1.0, which I got from: + https://mirrors.edge.kernel.org/pub/tools/crosstool/files/bin/x86_64/8.1.0/ + +The warning is due to putting 1024 bytes on the stack: + + unsigned int chip[256]; + +...and it's also undesirable to have a hard limit on the number of +CPUs here. + +Fix both problems by dynamically allocating based on num_possible_cpus, +as recommended by Michael Ellerman. + +Fixes: 053819e0bf840 ("cpufreq: powernv: Handle throttling due to Pmax capping at chip level") +Signed-off-by: John Hubbard +Acked-by: Viresh Kumar +Cc: 4.10+ # 4.10+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/cpufreq/powernv-cpufreq.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +--- a/drivers/cpufreq/powernv-cpufreq.c ++++ b/drivers/cpufreq/powernv-cpufreq.c +@@ -1042,9 +1042,14 @@ static struct cpufreq_driver powernv_cpu + + static int init_chip_info(void) + { +- unsigned int chip[256]; ++ unsigned int *chip; + unsigned int cpu, i; + unsigned int prev_chip_id = UINT_MAX; ++ int ret = 0; ++ ++ chip = kcalloc(num_possible_cpus(), sizeof(*chip), GFP_KERNEL); ++ if (!chip) ++ return -ENOMEM; + + for_each_possible_cpu(cpu) { + unsigned int id = cpu_to_chip_id(cpu); +@@ -1056,8 +1061,10 @@ static int init_chip_info(void) + } + + chips = kcalloc(nr_chips, sizeof(struct chip), GFP_KERNEL); +- if (!chips) +- return -ENOMEM; ++ if (!chips) { ++ ret = -ENOMEM; ++ goto free_and_return; ++ } + + for (i = 0; i < nr_chips; i++) { + chips[i].id = chip[i]; +@@ -1067,7 +1074,9 @@ static int init_chip_info(void) + per_cpu(chip_info, cpu) = &chips[i]; + } + +- return 0; ++free_and_return: ++ kfree(chip); ++ return ret; + } + + static inline void clean_chip_info(void) diff --git a/queue-4.19/cpuidle-do-not-unset-the-driver-if-it-is-there-already.patch b/queue-4.19/cpuidle-do-not-unset-the-driver-if-it-is-there-already.patch new file mode 100644 index 00000000000..0dd587edfc7 --- /dev/null +++ b/queue-4.19/cpuidle-do-not-unset-the-driver-if-it-is-there-already.patch @@ -0,0 +1,58 @@ +From 918c1fe9fbbe46fcf56837ff21f0ef96424e8b29 Mon Sep 17 00:00:00 2001 +From: Zhenzhong Duan +Date: Wed, 23 Oct 2019 09:57:14 +0800 +Subject: cpuidle: Do not unset the driver if it is there already + +From: Zhenzhong Duan + +commit 918c1fe9fbbe46fcf56837ff21f0ef96424e8b29 upstream. + +Fix __cpuidle_set_driver() to check if any of the CPUs in the mask has +a driver different from drv already and, if so, return -EBUSY before +updating any cpuidle_drivers per-CPU pointers. + +Fixes: 82467a5a885d ("cpuidle: simplify multiple driver support") +Cc: 3.11+ # 3.11+ +Signed-off-by: Zhenzhong Duan +[ rjw: Subject & changelog ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/cpuidle/driver.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +--- a/drivers/cpuidle/driver.c ++++ b/drivers/cpuidle/driver.c +@@ -62,24 +62,23 @@ static inline void __cpuidle_unset_drive + * __cpuidle_set_driver - set per CPU driver variables for the given driver. + * @drv: a valid pointer to a struct cpuidle_driver + * +- * For each CPU in the driver's cpumask, unset the registered driver per CPU +- * to @drv. +- * +- * Returns 0 on success, -EBUSY if the CPUs have driver(s) already. ++ * Returns 0 on success, -EBUSY if any CPU in the cpumask have a driver ++ * different from drv already. + */ + static inline int __cpuidle_set_driver(struct cpuidle_driver *drv) + { + int cpu; + + for_each_cpu(cpu, drv->cpumask) { ++ struct cpuidle_driver *old_drv; + +- if (__cpuidle_get_cpu_driver(cpu)) { +- __cpuidle_unset_driver(drv); ++ old_drv = __cpuidle_get_cpu_driver(cpu); ++ if (old_drv && old_drv != drv) + return -EBUSY; +- } ++ } + ++ for_each_cpu(cpu, drv->cpumask) + per_cpu(cpuidle_drivers, cpu) = drv; +- } + + return 0; + } diff --git a/queue-4.19/erofs-zero-out-when-listxattr-is-called-with-no-xattr.patch b/queue-4.19/erofs-zero-out-when-listxattr-is-called-with-no-xattr.patch new file mode 100644 index 00000000000..b71cdb696ce --- /dev/null +++ b/queue-4.19/erofs-zero-out-when-listxattr-is-called-with-no-xattr.patch @@ -0,0 +1,42 @@ +From 926d1650176448d7684b991fbe1a5b1a8289e97c Mon Sep 17 00:00:00 2001 +From: Gao Xiang +Date: Sun, 1 Dec 2019 16:01:09 +0800 +Subject: erofs: zero out when listxattr is called with no xattr + +From: Gao Xiang + +commit 926d1650176448d7684b991fbe1a5b1a8289e97c upstream. + +As David reported [1], ENODATA returns when attempting +to modify files by using EROFS as an overlayfs lower layer. + +The root cause is that listxattr could return unexpected +-ENODATA by mistake for inodes without xattr. That breaks +listxattr return value convention and it can cause copy +up failure when used with overlayfs. + +Resolve by zeroing out if no xattr is found for listxattr. + +[1] https://lore.kernel.org/r/CAEvUa7nxnby+rxK-KRMA46=exeOMApkDMAV08AjMkkPnTPV4CQ@mail.gmail.com +Link: https://lore.kernel.org/r/20191201084040.29275-1-hsiangkao@aol.com +Fixes: cadf1ccf1b00 ("staging: erofs: add error handling for xattr submodule") +Cc: # 4.19+ +Reviewed-by: Chao Yu +Signed-off-by: Gao Xiang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/erofs/xattr.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/staging/erofs/xattr.c ++++ b/drivers/staging/erofs/xattr.c +@@ -638,6 +638,8 @@ ssize_t erofs_listxattr(struct dentry *d + struct listxattr_iter it; + + ret = init_inode_xattrs(d_inode(dentry)); ++ if (ret == -ENOATTR) ++ return 0; + if (ret) + return ret; + diff --git a/queue-4.19/intel_th-fix-a-double-put_device-in-error-path.patch b/queue-4.19/intel_th-fix-a-double-put_device-in-error-path.patch new file mode 100644 index 00000000000..db62a9e4d9f --- /dev/null +++ b/queue-4.19/intel_th-fix-a-double-put_device-in-error-path.patch @@ -0,0 +1,54 @@ +From 512592779a337feb5905d8fcf9498dbf33672d4a Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Wed, 20 Nov 2019 15:08:04 +0200 +Subject: intel_th: Fix a double put_device() in error path + +From: Alexander Shishkin + +commit 512592779a337feb5905d8fcf9498dbf33672d4a upstream. + +Commit a753bfcfdb1f ("intel_th: Make the switch allocate its subdevices") +factored out intel_th_subdevice_alloc() from intel_th_populate(), but got +the error path wrong, resulting in two instances of a double put_device() +on a freshly initialized, but not 'added' device. + +Fix this by only doing one put_device() in the error path. + +Signed-off-by: Alexander Shishkin +Fixes: a753bfcfdb1f ("intel_th: Make the switch allocate its subdevices") +Reported-by: Wen Yang +Reviewed-by: Andy Shevchenko +Cc: stable@vger.kernel.org # v4.14+ +Link: https://lore.kernel.org/r/20191120130806.44028-2-alexander.shishkin@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/intel_th/core.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +--- a/drivers/hwtracing/intel_th/core.c ++++ b/drivers/hwtracing/intel_th/core.c +@@ -629,10 +629,8 @@ intel_th_subdevice_alloc(struct intel_th + } + + err = intel_th_device_add_resources(thdev, res, subdev->nres); +- if (err) { +- put_device(&thdev->dev); ++ if (err) + goto fail_put_device; +- } + + if (subdev->type == INTEL_TH_OUTPUT) { + thdev->dev.devt = MKDEV(th->major, th->num_thdevs); +@@ -646,10 +644,8 @@ intel_th_subdevice_alloc(struct intel_th + } + + err = device_add(&thdev->dev); +- if (err) { +- put_device(&thdev->dev); ++ if (err) + goto fail_free_res; +- } + + /* need switch driver to be loaded to enumerate the rest */ + if (subdev->type == INTEL_TH_SWITCH && !req) { diff --git a/queue-4.19/intel_th-pci-add-ice-lake-cpu-support.patch b/queue-4.19/intel_th-pci-add-ice-lake-cpu-support.patch new file mode 100644 index 00000000000..53a69cb9d14 --- /dev/null +++ b/queue-4.19/intel_th-pci-add-ice-lake-cpu-support.patch @@ -0,0 +1,35 @@ +From 6a1743422a7c0fda26764a544136cac13e5ae486 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Wed, 20 Nov 2019 15:08:05 +0200 +Subject: intel_th: pci: Add Ice Lake CPU support + +From: Alexander Shishkin + +commit 6a1743422a7c0fda26764a544136cac13e5ae486 upstream. + +This adds support for the Trace Hub in Ice Lake CPU. + +Signed-off-by: Alexander Shishkin +Reviewed-by: Andy Shevchenko +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20191120130806.44028-3-alexander.shishkin@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/intel_th/pci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/hwtracing/intel_th/pci.c ++++ b/drivers/hwtracing/intel_th/pci.c +@@ -186,6 +186,11 @@ static const struct pci_device_id intel_ + .driver_data = (kernel_ulong_t)&intel_th_2x, + }, + { ++ /* Ice Lake CPU */ ++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x8a29), ++ .driver_data = (kernel_ulong_t)&intel_th_2x, ++ }, ++ { + /* Tiger Lake PCH */ + PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0xa0a6), + .driver_data = (kernel_ulong_t)&intel_th_2x, diff --git a/queue-4.19/intel_th-pci-add-tiger-lake-cpu-support.patch b/queue-4.19/intel_th-pci-add-tiger-lake-cpu-support.patch new file mode 100644 index 00000000000..b2e0dceed3f --- /dev/null +++ b/queue-4.19/intel_th-pci-add-tiger-lake-cpu-support.patch @@ -0,0 +1,35 @@ +From 6e6c18bcb78c0dc0601ebe216bed12c844492d0c Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Wed, 20 Nov 2019 15:08:06 +0200 +Subject: intel_th: pci: Add Tiger Lake CPU support + +From: Alexander Shishkin + +commit 6e6c18bcb78c0dc0601ebe216bed12c844492d0c upstream. + +This adds support for the Trace Hub in Tiger Lake CPU. + +Signed-off-by: Alexander Shishkin +Reviewed-by: Andy Shevchenko +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20191120130806.44028-4-alexander.shishkin@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/intel_th/pci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/hwtracing/intel_th/pci.c ++++ b/drivers/hwtracing/intel_th/pci.c +@@ -191,6 +191,11 @@ static const struct pci_device_id intel_ + .driver_data = (kernel_ulong_t)&intel_th_2x, + }, + { ++ /* Tiger Lake CPU */ ++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x9a33), ++ .driver_data = (kernel_ulong_t)&intel_th_2x, ++ }, ++ { + /* Tiger Lake PCH */ + PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0xa0a6), + .driver_data = (kernel_ulong_t)&intel_th_2x, diff --git a/queue-4.19/md-improve-handling-of-bio-with-req_preflush-in-md_flush_request.patch b/queue-4.19/md-improve-handling-of-bio-with-req_preflush-in-md_flush_request.patch new file mode 100644 index 00000000000..39bc92a6fdc --- /dev/null +++ b/queue-4.19/md-improve-handling-of-bio-with-req_preflush-in-md_flush_request.patch @@ -0,0 +1,182 @@ +From 775d78319f1ceb32be8eb3b1202ccdc60e9cb7f1 Mon Sep 17 00:00:00 2001 +From: David Jeffery +Date: Mon, 16 Sep 2019 13:15:14 -0400 +Subject: md: improve handling of bio with REQ_PREFLUSH in md_flush_request() + +From: David Jeffery + +commit 775d78319f1ceb32be8eb3b1202ccdc60e9cb7f1 upstream. + +If pers->make_request fails in md_flush_request(), the bio is lost. To +fix this, pass back a bool to indicate if the original make_request call +should continue to handle the I/O and instead of assuming the flush logic +will push it to completion. + +Convert md_flush_request to return a bool and no longer calls the raid +driver's make_request function. If the return is true, then the md flush +logic has or will complete the bio and the md make_request call is done. +If false, then the md make_request function needs to keep processing like +it is a normal bio. Let the original call to md_handle_request handle any +need to retry sending the bio to the raid driver's make_request function +should it be needed. + +Also mark md_flush_request and the make_request function pointer as +__must_check to issue warnings should these critical return values be +ignored. + +Fixes: 2bc13b83e629 ("md: batch flush requests.") +Cc: stable@vger.kernel.org # # v4.19+ +Cc: NeilBrown +Signed-off-by: David Jeffery +Reviewed-by: Xiao Ni +Signed-off-by: Song Liu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/md-linear.c | 5 ++--- + drivers/md/md-multipath.c | 5 ++--- + drivers/md/md.c | 11 +++++++++-- + drivers/md/md.h | 4 ++-- + drivers/md/raid0.c | 5 ++--- + drivers/md/raid1.c | 5 ++--- + drivers/md/raid10.c | 5 ++--- + drivers/md/raid5.c | 4 ++-- + 8 files changed, 23 insertions(+), 21 deletions(-) + +--- a/drivers/md/md-linear.c ++++ b/drivers/md/md-linear.c +@@ -252,10 +252,9 @@ static bool linear_make_request(struct m + sector_t start_sector, end_sector, data_offset; + sector_t bio_sector = bio->bi_iter.bi_sector; + +- if (unlikely(bio->bi_opf & REQ_PREFLUSH)) { +- md_flush_request(mddev, bio); ++ if (unlikely(bio->bi_opf & REQ_PREFLUSH) ++ && md_flush_request(mddev, bio)) + return true; +- } + + tmp_dev = which_dev(mddev, bio_sector); + start_sector = tmp_dev->end_sector - tmp_dev->rdev->sectors; +--- a/drivers/md/md-multipath.c ++++ b/drivers/md/md-multipath.c +@@ -112,10 +112,9 @@ static bool multipath_make_request(struc + struct multipath_bh * mp_bh; + struct multipath_info *multipath; + +- if (unlikely(bio->bi_opf & REQ_PREFLUSH)) { +- md_flush_request(mddev, bio); ++ if (unlikely(bio->bi_opf & REQ_PREFLUSH) ++ && md_flush_request(mddev, bio)) + return true; +- } + + mp_bh = mempool_alloc(&conf->pool, GFP_NOIO); + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -487,7 +487,13 @@ static void md_submit_flush_data(struct + } + } + +-void md_flush_request(struct mddev *mddev, struct bio *bio) ++/* ++ * Manages consolidation of flushes and submitting any flushes needed for ++ * a bio with REQ_PREFLUSH. Returns true if the bio is finished or is ++ * being finished in another context. Returns false if the flushing is ++ * complete but still needs the I/O portion of the bio to be processed. ++ */ ++bool md_flush_request(struct mddev *mddev, struct bio *bio) + { + ktime_t start = ktime_get_boottime(); + spin_lock_irq(&mddev->lock); +@@ -512,9 +518,10 @@ void md_flush_request(struct mddev *mdde + bio_endio(bio); + else { + bio->bi_opf &= ~REQ_PREFLUSH; +- mddev->pers->make_request(mddev, bio); ++ return false; + } + } ++ return true; + } + EXPORT_SYMBOL(md_flush_request); + +--- a/drivers/md/md.h ++++ b/drivers/md/md.h +@@ -532,7 +532,7 @@ struct md_personality + int level; + struct list_head list; + struct module *owner; +- bool (*make_request)(struct mddev *mddev, struct bio *bio); ++ bool __must_check (*make_request)(struct mddev *mddev, struct bio *bio); + /* + * start up works that do NOT require md_thread. tasks that + * requires md_thread should go into start() +@@ -684,7 +684,7 @@ extern void md_error(struct mddev *mddev + extern void md_finish_reshape(struct mddev *mddev); + + extern int mddev_congested(struct mddev *mddev, int bits); +-extern void md_flush_request(struct mddev *mddev, struct bio *bio); ++extern bool __must_check md_flush_request(struct mddev *mddev, struct bio *bio); + extern void md_super_write(struct mddev *mddev, struct md_rdev *rdev, + sector_t sector, int size, struct page *page); + extern int md_super_wait(struct mddev *mddev); +--- a/drivers/md/raid0.c ++++ b/drivers/md/raid0.c +@@ -580,10 +580,9 @@ static bool raid0_make_request(struct md + unsigned chunk_sects; + unsigned sectors; + +- if (unlikely(bio->bi_opf & REQ_PREFLUSH)) { +- md_flush_request(mddev, bio); ++ if (unlikely(bio->bi_opf & REQ_PREFLUSH) ++ && md_flush_request(mddev, bio)) + return true; +- } + + if (unlikely((bio_op(bio) == REQ_OP_DISCARD))) { + raid0_handle_discard(mddev, bio); +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -1537,10 +1537,9 @@ static bool raid1_make_request(struct md + { + sector_t sectors; + +- if (unlikely(bio->bi_opf & REQ_PREFLUSH)) { +- md_flush_request(mddev, bio); ++ if (unlikely(bio->bi_opf & REQ_PREFLUSH) ++ && md_flush_request(mddev, bio)) + return true; +- } + + /* + * There is a limit to the maximum size, but +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -1562,10 +1562,9 @@ static bool raid10_make_request(struct m + int chunk_sects = chunk_mask + 1; + int sectors = bio_sectors(bio); + +- if (unlikely(bio->bi_opf & REQ_PREFLUSH)) { +- md_flush_request(mddev, bio); ++ if (unlikely(bio->bi_opf & REQ_PREFLUSH) ++ && md_flush_request(mddev, bio)) + return true; +- } + + if (!md_write_start(mddev, bio)) + return false; +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -5590,8 +5590,8 @@ static bool raid5_make_request(struct md + if (ret == 0) + return true; + if (ret == -ENODEV) { +- md_flush_request(mddev, bi); +- return true; ++ if (md_flush_request(mddev, bi)) ++ return true; + } + /* ret == -EAGAIN, fallback */ + /* diff --git a/queue-4.19/media-bdisp-fix-memleak-on-release.patch b/queue-4.19/media-bdisp-fix-memleak-on-release.patch new file mode 100644 index 00000000000..96388aacf42 --- /dev/null +++ b/queue-4.19/media-bdisp-fix-memleak-on-release.patch @@ -0,0 +1,40 @@ +From 11609a7e21f8cea42630350aa57662928fa4dc63 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 10 Oct 2019 10:13:31 -0300 +Subject: media: bdisp: fix memleak on release + +From: Johan Hovold + +commit 11609a7e21f8cea42630350aa57662928fa4dc63 upstream. + +If a process is interrupted while accessing the video device and the +device lock is contended, release() could return early and fail to free +related resources. + +Note that the return value of the v4l2 release file operation is +ignored. + +Fixes: 28ffeebbb7bd ("[media] bdisp: 2D blitter driver using v4l2 mem2mem framework") +Cc: stable # 4.2 +Signed-off-by: Johan Hovold +Reviewed-by: Fabien Dessenne +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/platform/sti/bdisp/bdisp-v4l2.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/media/platform/sti/bdisp/bdisp-v4l2.c ++++ b/drivers/media/platform/sti/bdisp/bdisp-v4l2.c +@@ -651,8 +651,7 @@ static int bdisp_release(struct file *fi + + dev_dbg(bdisp->dev, "%s\n", __func__); + +- if (mutex_lock_interruptible(&bdisp->lock)) +- return -ERESTARTSYS; ++ mutex_lock(&bdisp->lock); + + v4l2_m2m_ctx_release(ctx->fh.m2m_ctx); + diff --git a/queue-4.19/media-cec.h-cec_op_rec_flag_-values-were-swapped.patch b/queue-4.19/media-cec.h-cec_op_rec_flag_-values-were-swapped.patch new file mode 100644 index 00000000000..cc479328fed --- /dev/null +++ b/queue-4.19/media-cec.h-cec_op_rec_flag_-values-were-swapped.patch @@ -0,0 +1,35 @@ +From 806e0cdfee0b99efbb450f9f6e69deb7118602fc Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Mon, 16 Sep 2019 02:47:41 -0300 +Subject: media: cec.h: CEC_OP_REC_FLAG_ values were swapped + +From: Hans Verkuil + +commit 806e0cdfee0b99efbb450f9f6e69deb7118602fc upstream. + +CEC_OP_REC_FLAG_NOT_USED is 0 and CEC_OP_REC_FLAG_USED is 1, not the +other way around. + +Signed-off-by: Hans Verkuil +Reported-by: Jiunn Chang +Cc: # for v4.10 and up +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + include/uapi/linux/cec.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/include/uapi/linux/cec.h ++++ b/include/uapi/linux/cec.h +@@ -767,8 +767,8 @@ struct cec_event { + #define CEC_MSG_SELECT_DIGITAL_SERVICE 0x93 + #define CEC_MSG_TUNER_DEVICE_STATUS 0x07 + /* Recording Flag Operand (rec_flag) */ +-#define CEC_OP_REC_FLAG_USED 0 +-#define CEC_OP_REC_FLAG_NOT_USED 1 ++#define CEC_OP_REC_FLAG_NOT_USED 0 ++#define CEC_OP_REC_FLAG_USED 1 + /* Tuner Display Info Operand (tuner_display_info) */ + #define CEC_OP_TUNER_DISPLAY_INFO_DIGITAL 0 + #define CEC_OP_TUNER_DISPLAY_INFO_NONE 1 diff --git a/queue-4.19/media-radio-wl1273-fix-interrupt-masking-on-release.patch b/queue-4.19/media-radio-wl1273-fix-interrupt-masking-on-release.patch new file mode 100644 index 00000000000..443ef7d0947 --- /dev/null +++ b/queue-4.19/media-radio-wl1273-fix-interrupt-masking-on-release.patch @@ -0,0 +1,40 @@ +From 1091eb830627625dcf79958d99353c2391f41708 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 10 Oct 2019 10:13:32 -0300 +Subject: media: radio: wl1273: fix interrupt masking on release + +From: Johan Hovold + +commit 1091eb830627625dcf79958d99353c2391f41708 upstream. + +If a process is interrupted while accessing the radio device and the +core lock is contended, release() could return early and fail to update +the interrupt mask. + +Note that the return value of the v4l2 release file operation is +ignored. + +Fixes: 87d1a50ce451 ("[media] V4L2: WL1273 FM Radio: TI WL1273 FM radio driver") +Cc: stable # 2.6.38 +Cc: Matti Aaltonen +Signed-off-by: Johan Hovold +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/radio/radio-wl1273.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/media/radio/radio-wl1273.c ++++ b/drivers/media/radio/radio-wl1273.c +@@ -1156,8 +1156,7 @@ static int wl1273_fm_fops_release(struct + if (radio->rds_users > 0) { + radio->rds_users--; + if (radio->rds_users == 0) { +- if (mutex_lock_interruptible(&core->lock)) +- return -EINTR; ++ mutex_lock(&core->lock); + + radio->irq_flags &= ~WL1273_RDS_EVENT; + diff --git a/queue-4.19/mmc-host-omap_hsmmc-add-code-for-special-init-of-wl1251-to-get-rid-of-pandora_wl1251_init_card.patch b/queue-4.19/mmc-host-omap_hsmmc-add-code-for-special-init-of-wl1251-to-get-rid-of-pandora_wl1251_init_card.patch new file mode 100644 index 00000000000..8127c9b171c --- /dev/null +++ b/queue-4.19/mmc-host-omap_hsmmc-add-code-for-special-init-of-wl1251-to-get-rid-of-pandora_wl1251_init_card.patch @@ -0,0 +1,73 @@ +From f6498b922e57aecbe3b7fa30a308d9d586c0c369 Mon Sep 17 00:00:00 2001 +From: "H. Nikolaus Schaller" +Date: Thu, 7 Nov 2019 11:30:37 +0100 +Subject: mmc: host: omap_hsmmc: add code for special init of wl1251 to get rid of pandora_wl1251_init_card + +From: H. Nikolaus Schaller + +commit f6498b922e57aecbe3b7fa30a308d9d586c0c369 upstream. + +Pandora_wl1251_init_card was used to do special pdata based +setup of the sdio mmc interface. This does no longer work with +v4.7 and later. A fix requires a device tree based mmc3 setup. + +Therefore we move the special setup to omap_hsmmc.c instead +of calling some pdata supplied init_card function. + +The new code checks for a DT child node compatible to wl1251 +so it will not affect other MMC3 use cases. + +Generally, this code was and still is a hack and should be +moved to mmc core to e.g. read such properties from optional +DT child nodes. + +Fixes: 81eef6ca9201 ("mmc: omap_hsmmc: Use dma_request_chan() for requesting DMA channel") +Signed-off-by: H. Nikolaus Schaller +Cc: # v4.7+ +[Ulf: Fixed up some checkpatch complaints] +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/omap_hsmmc.c | 30 ++++++++++++++++++++++++++++++ + 1 file changed, 30 insertions(+) + +--- a/drivers/mmc/host/omap_hsmmc.c ++++ b/drivers/mmc/host/omap_hsmmc.c +@@ -1661,6 +1661,36 @@ static void omap_hsmmc_init_card(struct + + if (mmc_pdata(host)->init_card) + mmc_pdata(host)->init_card(card); ++ else if (card->type == MMC_TYPE_SDIO || ++ card->type == MMC_TYPE_SD_COMBO) { ++ struct device_node *np = mmc_dev(mmc)->of_node; ++ ++ /* ++ * REVISIT: should be moved to sdio core and made more ++ * general e.g. by expanding the DT bindings of child nodes ++ * to provide a mechanism to provide this information: ++ * Documentation/devicetree/bindings/mmc/mmc-card.txt ++ */ ++ ++ np = of_get_compatible_child(np, "ti,wl1251"); ++ if (np) { ++ /* ++ * We have TI wl1251 attached to MMC3. Pass this ++ * information to the SDIO core because it can't be ++ * probed by normal methods. ++ */ ++ ++ dev_info(host->dev, "found wl1251\n"); ++ card->quirks |= MMC_QUIRK_NONSTD_SDIO; ++ card->cccr.wide_bus = 1; ++ card->cis.vendor = 0x104c; ++ card->cis.device = 0x9066; ++ card->cis.blksize = 512; ++ card->cis.max_dtr = 24000000; ++ card->ocr = 0x80; ++ of_node_put(np); ++ } ++ } + } + + static void omap_hsmmc_enable_sdio_irq(struct mmc_host *mmc, int enable) diff --git a/queue-4.19/perf-tests-fix-out-of-bounds-memory-access.patch b/queue-4.19/perf-tests-fix-out-of-bounds-memory-access.patch new file mode 100644 index 00000000000..c256a5d8873 --- /dev/null +++ b/queue-4.19/perf-tests-fix-out-of-bounds-memory-access.patch @@ -0,0 +1,94 @@ +From af8490eb2b33684e26a0a927a9d93ae43cd08890 Mon Sep 17 00:00:00 2001 +From: Leo Yan +Date: Thu, 7 Nov 2019 10:02:44 +0800 +Subject: perf tests: Fix out of bounds memory access + +From: Leo Yan + +commit af8490eb2b33684e26a0a927a9d93ae43cd08890 upstream. + +The test case 'Read backward ring buffer' failed on 32-bit architectures +which were found by LKFT perf testing. The test failed on arm32 x15 +device, qemu_arm32, qemu_i386, and found intermittent failure on i386; +the failure log is as below: + + 50: Read backward ring buffer : + --- start --- + test child forked, pid 510 + Using CPUID GenuineIntel-6-9E-9 + mmap size 1052672B + mmap size 8192B + Finished reading overwrite ring buffer: rewind + free(): invalid next size (fast) + test child interrupted + ---- end ---- + Read backward ring buffer: FAILED! + +The log hints there have issue for memory usage, thus free() reports +error 'invalid next size' and directly exit for the case. Finally, this +issue is root caused as out of bounds memory access for the data array +'evsel->id'. + +The backward ring buffer test invokes do_test() twice. 'evsel->id' is +allocated at the first call with the flow: + + test__backward_ring_buffer() + `-> do_test() + `-> evlist__mmap() + `-> evlist__mmap_ex() + `-> perf_evsel__alloc_id() + +So 'evsel->id' is allocated with one item, and it will be used in +function perf_evlist__id_add(): + + evsel->id[0] = id + evsel->ids = 1 + +At the second call for do_test(), it skips to initialize 'evsel->id' +and reuses the array which is allocated in the first call. But +'evsel->ids' contains the stale value. Thus: + + evsel->id[1] = id -> out of bound access + evsel->ids = 2 + +To fix this issue, we will use evlist__open() and evlist__close() pair +functions to prepare and cleanup context for evlist; so 'evsel->id' and +'evsel->ids' can be initialized properly when invoke do_test() and avoid +the out of bounds memory access. + +Fixes: ee74701ed8ad ("perf tests: Add test to check backward ring buffer") +Signed-off-by: Leo Yan +Reviewed-by: Jiri Olsa +Cc: Alexander Shishkin +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Naresh Kamboju +Cc: Peter Zijlstra +Cc: Wang Nan +Cc: stable@vger.kernel.org # v4.10+ +Link: http://lore.kernel.org/lkml/20191107020244.2427-1-leo.yan@linaro.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman + +--- + tools/perf/tests/backward-ring-buffer.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/tools/perf/tests/backward-ring-buffer.c ++++ b/tools/perf/tests/backward-ring-buffer.c +@@ -144,6 +144,15 @@ int test__backward_ring_buffer(struct te + goto out_delete_evlist; + } + ++ evlist__close(evlist); ++ ++ err = evlist__open(evlist); ++ if (err < 0) { ++ pr_debug("perf_evlist__open: %s\n", ++ str_error_r(errno, sbuf, sizeof(sbuf))); ++ goto out_delete_evlist; ++ } ++ + err = do_test(evlist, 1, &sample_count, &comm_count); + if (err != TEST_OK) + goto out_delete_evlist; diff --git a/queue-4.19/pinctrl-armada-37xx-fix-irq-mask-access-in-armada_37xx_irq_set_type.patch b/queue-4.19/pinctrl-armada-37xx-fix-irq-mask-access-in-armada_37xx_irq_set_type.patch new file mode 100644 index 00000000000..1160a1b6392 --- /dev/null +++ b/queue-4.19/pinctrl-armada-37xx-fix-irq-mask-access-in-armada_37xx_irq_set_type.patch @@ -0,0 +1,44 @@ +From 04fb02757ae5188031eb71b2f6f189edb1caf5dc Mon Sep 17 00:00:00 2001 +From: Gregory CLEMENT +Date: Fri, 15 Nov 2019 16:57:52 +0100 +Subject: pinctrl: armada-37xx: Fix irq mask access in armada_37xx_irq_set_type() + +From: Gregory CLEMENT + +commit 04fb02757ae5188031eb71b2f6f189edb1caf5dc upstream. + +As explained in the following commit a9a1a4833613 ("pinctrl: +armada-37xx: Fix gpio interrupt setup") the armada_37xx_irq_set_type() +function can be called before the initialization of the mask field. + +That means that we can't use this field in this function and need to +workaround it using hwirq. + +Fixes: 30ac0d3b0702 ("pinctrl: armada-37xx: Add edge both type gpio irq support") +Cc: stable@vger.kernel.org +Reported-by: Russell King +Signed-off-by: Gregory CLEMENT +Link: https://lore.kernel.org/r/20191115155752.2562-1-gregory.clement@bootlin.com +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/mvebu/pinctrl-armada-37xx.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c ++++ b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c +@@ -592,10 +592,10 @@ static int armada_37xx_irq_set_type(stru + regmap_read(info->regmap, in_reg, &in_val); + + /* Set initial polarity based on current input level. */ +- if (in_val & d->mask) +- val |= d->mask; /* falling */ ++ if (in_val & BIT(d->hwirq % GPIO_PER_REG)) ++ val |= BIT(d->hwirq % GPIO_PER_REG); /* falling */ + else +- val &= ~d->mask; /* rising */ ++ val &= ~(BIT(d->hwirq % GPIO_PER_REG)); /* rising */ + break; + } + default: diff --git a/queue-4.19/pinctrl-samsung-add-of_node_put-before-return-in-error-path.patch b/queue-4.19/pinctrl-samsung-add-of_node_put-before-return-in-error-path.patch new file mode 100644 index 00000000000..017ea2d205b --- /dev/null +++ b/queue-4.19/pinctrl-samsung-add-of_node_put-before-return-in-error-path.patch @@ -0,0 +1,39 @@ +From 3d2557ab75d4c568c79eefa2e550e0d80348a6bd Mon Sep 17 00:00:00 2001 +From: Nishka Dasgupta +Date: Sun, 4 Aug 2019 21:32:00 +0530 +Subject: pinctrl: samsung: Add of_node_put() before return in error path + +From: Nishka Dasgupta + +commit 3d2557ab75d4c568c79eefa2e550e0d80348a6bd upstream. + +Each iteration of for_each_child_of_node puts the previous node, but in +the case of a return from the middle of the loop, there is no put, thus +causing a memory leak. Hence add an of_node_put before the return of +exynos_eint_wkup_init() error path. +Issue found with Coccinelle. + +Signed-off-by: Nishka Dasgupta +Cc: +Fixes: 14c255d35b25 ("pinctrl: exynos: Add irq_chip instance for Exynos7 wakeup interrupts") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/samsung/pinctrl-exynos.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/pinctrl/samsung/pinctrl-exynos.c ++++ b/drivers/pinctrl/samsung/pinctrl-exynos.c +@@ -494,8 +494,10 @@ int exynos_eint_wkup_init(struct samsung + if (match) { + irq_chip = kmemdup(match->data, + sizeof(*irq_chip), GFP_KERNEL); +- if (!irq_chip) ++ if (!irq_chip) { ++ of_node_put(np); + return -ENOMEM; ++ } + wkup_np = np; + break; + } diff --git a/queue-4.19/pinctrl-samsung-fix-device-node-refcount-leaks-in-exynos-wakeup-controller-init.patch b/queue-4.19/pinctrl-samsung-fix-device-node-refcount-leaks-in-exynos-wakeup-controller-init.patch new file mode 100644 index 00000000000..a3f950345ee --- /dev/null +++ b/queue-4.19/pinctrl-samsung-fix-device-node-refcount-leaks-in-exynos-wakeup-controller-init.patch @@ -0,0 +1,60 @@ +From 5c7f48dd14e892e3e920dd6bbbd52df79e1b3b41 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Mon, 5 Aug 2019 18:27:07 +0200 +Subject: pinctrl: samsung: Fix device node refcount leaks in Exynos wakeup controller init + +From: Krzysztof Kozlowski + +commit 5c7f48dd14e892e3e920dd6bbbd52df79e1b3b41 upstream. + +In exynos_eint_wkup_init() the for_each_child_of_node() loop is used +with a break to find a matching child node. Although each iteration of +for_each_child_of_node puts the previous node, but early exit from loop +misses it. This leads to leak of device node. + +Cc: +Fixes: 43b169db1841 ("pinctrl: add exynos4210 specific extensions for samsung pinctrl driver") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/samsung/pinctrl-exynos.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/pinctrl/samsung/pinctrl-exynos.c ++++ b/drivers/pinctrl/samsung/pinctrl-exynos.c +@@ -514,6 +514,7 @@ int exynos_eint_wkup_init(struct samsung + bank->nr_pins, &exynos_eint_irqd_ops, bank); + if (!bank->irq_domain) { + dev_err(dev, "wkup irq domain add failed\n"); ++ of_node_put(wkup_np); + return -ENXIO; + } + +@@ -528,8 +529,10 @@ int exynos_eint_wkup_init(struct samsung + weint_data = devm_kcalloc(dev, + bank->nr_pins, sizeof(*weint_data), + GFP_KERNEL); +- if (!weint_data) ++ if (!weint_data) { ++ of_node_put(wkup_np); + return -ENOMEM; ++ } + + for (idx = 0; idx < bank->nr_pins; ++idx) { + irq = irq_of_parse_and_map(bank->of_node, idx); +@@ -546,10 +549,13 @@ int exynos_eint_wkup_init(struct samsung + } + } + +- if (!muxed_banks) ++ if (!muxed_banks) { ++ of_node_put(wkup_np); + return 0; ++ } + + irq = irq_of_parse_and_map(wkup_np, 0); ++ of_node_put(wkup_np); + if (!irq) { + dev_err(dev, "irq number for muxed EINTs not found\n"); + return 0; diff --git a/queue-4.19/pinctrl-samsung-fix-device-node-refcount-leaks-in-init-code.patch b/queue-4.19/pinctrl-samsung-fix-device-node-refcount-leaks-in-init-code.patch new file mode 100644 index 00000000000..53bb0e37d80 --- /dev/null +++ b/queue-4.19/pinctrl-samsung-fix-device-node-refcount-leaks-in-init-code.patch @@ -0,0 +1,58 @@ +From a322b3377f4bac32aa25fb1acb9e7afbbbbd0137 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Mon, 5 Aug 2019 18:27:10 +0200 +Subject: pinctrl: samsung: Fix device node refcount leaks in init code + +From: Krzysztof Kozlowski + +commit a322b3377f4bac32aa25fb1acb9e7afbbbbd0137 upstream. + +Several functions use for_each_child_of_node() loop with a break to find +a matching child node. Although each iteration of +for_each_child_of_node puts the previous node, but early exit from loop +misses it. This leads to leak of device node. + +Cc: +Fixes: 9a2c1c3b91aa ("pinctrl: samsung: Allow grouping multiple pinmux/pinconf nodes") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/samsung/pinctrl-samsung.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/pinctrl/samsung/pinctrl-samsung.c ++++ b/drivers/pinctrl/samsung/pinctrl-samsung.c +@@ -272,6 +272,7 @@ static int samsung_dt_node_to_map(struct + &reserved_maps, num_maps); + if (ret < 0) { + samsung_dt_free_map(pctldev, *map, *num_maps); ++ of_node_put(np); + return ret; + } + } +@@ -785,8 +786,10 @@ static struct samsung_pmx_func *samsung_ + if (!of_get_child_count(cfg_np)) { + ret = samsung_pinctrl_create_function(dev, drvdata, + cfg_np, func); +- if (ret < 0) ++ if (ret < 0) { ++ of_node_put(cfg_np); + return ERR_PTR(ret); ++ } + if (ret > 0) { + ++func; + ++func_cnt; +@@ -797,8 +800,11 @@ static struct samsung_pmx_func *samsung_ + for_each_child_of_node(cfg_np, func_np) { + ret = samsung_pinctrl_create_function(dev, drvdata, + func_np, func); +- if (ret < 0) ++ if (ret < 0) { ++ of_node_put(func_np); ++ of_node_put(cfg_np); + return ERR_PTR(ret); ++ } + if (ret > 0) { + ++func; + ++func_cnt; diff --git a/queue-4.19/pinctrl-samsung-fix-device-node-refcount-leaks-in-s3c24xx-wakeup-controller-init.patch b/queue-4.19/pinctrl-samsung-fix-device-node-refcount-leaks-in-s3c24xx-wakeup-controller-init.patch new file mode 100644 index 00000000000..11744251567 --- /dev/null +++ b/queue-4.19/pinctrl-samsung-fix-device-node-refcount-leaks-in-s3c24xx-wakeup-controller-init.patch @@ -0,0 +1,52 @@ +From 6fbbcb050802d6ea109f387e961b1dbcc3a80c96 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Mon, 5 Aug 2019 18:27:08 +0200 +Subject: pinctrl: samsung: Fix device node refcount leaks in S3C24xx wakeup controller init + +From: Krzysztof Kozlowski + +commit 6fbbcb050802d6ea109f387e961b1dbcc3a80c96 upstream. + +In s3c24xx_eint_init() the for_each_child_of_node() loop is used with a +break to find a matching child node. Although each iteration of +for_each_child_of_node puts the previous node, but early exit from loop +misses it. This leads to leak of device node. + +Cc: +Fixes: af99a7507469 ("pinctrl: Add pinctrl-s3c24xx driver") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/samsung/pinctrl-s3c24xx.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/pinctrl/samsung/pinctrl-s3c24xx.c ++++ b/drivers/pinctrl/samsung/pinctrl-s3c24xx.c +@@ -490,8 +490,10 @@ static int s3c24xx_eint_init(struct sams + return -ENODEV; + + eint_data = devm_kzalloc(dev, sizeof(*eint_data), GFP_KERNEL); +- if (!eint_data) ++ if (!eint_data) { ++ of_node_put(eint_np); + return -ENOMEM; ++ } + + eint_data->drvdata = d; + +@@ -503,12 +505,14 @@ static int s3c24xx_eint_init(struct sams + irq = irq_of_parse_and_map(eint_np, i); + if (!irq) { + dev_err(dev, "failed to get wakeup EINT IRQ %d\n", i); ++ of_node_put(eint_np); + return -ENXIO; + } + + eint_data->parents[i] = irq; + irq_set_chained_handler_and_data(irq, handlers[i], eint_data); + } ++ of_node_put(eint_np); + + bank = d->pin_banks; + for (i = 0; i < d->nr_banks; ++i, ++bank) { diff --git a/queue-4.19/pinctrl-samsung-fix-device-node-refcount-leaks-in-s3c64xx-wakeup-controller-init.patch b/queue-4.19/pinctrl-samsung-fix-device-node-refcount-leaks-in-s3c64xx-wakeup-controller-init.patch new file mode 100644 index 00000000000..f4b4c5fd6b7 --- /dev/null +++ b/queue-4.19/pinctrl-samsung-fix-device-node-refcount-leaks-in-s3c64xx-wakeup-controller-init.patch @@ -0,0 +1,53 @@ +From 7f028caadf6c37580d0f59c6c094ed09afc04062 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Mon, 5 Aug 2019 18:27:09 +0200 +Subject: pinctrl: samsung: Fix device node refcount leaks in S3C64xx wakeup controller init + +From: Krzysztof Kozlowski + +commit 7f028caadf6c37580d0f59c6c094ed09afc04062 upstream. + +In s3c64xx_eint_eint0_init() the for_each_child_of_node() loop is used +with a break to find a matching child node. Although each iteration of +for_each_child_of_node puts the previous node, but early exit from loop +misses it. This leads to leak of device node. + +Cc: +Fixes: 61dd72613177 ("pinctrl: Add pinctrl-s3c64xx driver") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/samsung/pinctrl-s3c64xx.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/pinctrl/samsung/pinctrl-s3c64xx.c ++++ b/drivers/pinctrl/samsung/pinctrl-s3c64xx.c +@@ -704,8 +704,10 @@ static int s3c64xx_eint_eint0_init(struc + return -ENODEV; + + data = devm_kzalloc(dev, sizeof(*data), GFP_KERNEL); +- if (!data) ++ if (!data) { ++ of_node_put(eint0_np); + return -ENOMEM; ++ } + data->drvdata = d; + + for (i = 0; i < NUM_EINT0_IRQ; ++i) { +@@ -714,6 +716,7 @@ static int s3c64xx_eint_eint0_init(struc + irq = irq_of_parse_and_map(eint0_np, i); + if (!irq) { + dev_err(dev, "failed to get wakeup EINT IRQ %d\n", i); ++ of_node_put(eint0_np); + return -ENXIO; + } + +@@ -721,6 +724,7 @@ static int s3c64xx_eint_eint0_init(struc + s3c64xx_eint0_handlers[i], + data); + } ++ of_node_put(eint0_np); + + bank = d->pin_banks; + for (i = 0; i < d->nr_banks; ++i, ++bank) { diff --git a/queue-4.19/pm-devfreq-lock-devfreq-in-trans_stat_show.patch b/queue-4.19/pm-devfreq-lock-devfreq-in-trans_stat_show.patch new file mode 100644 index 00000000000..a9dbb0b8c0f --- /dev/null +++ b/queue-4.19/pm-devfreq-lock-devfreq-in-trans_stat_show.patch @@ -0,0 +1,59 @@ +From 2abb0d5268ae7b5ddf82099b1f8d5aa8414637d4 Mon Sep 17 00:00:00 2001 +From: Leonard Crestez +Date: Tue, 24 Sep 2019 10:52:23 +0300 +Subject: PM / devfreq: Lock devfreq in trans_stat_show + +From: Leonard Crestez + +commit 2abb0d5268ae7b5ddf82099b1f8d5aa8414637d4 upstream. + +There is no locking in this sysfs show function so stats printing can +race with a devfreq_update_status called as part of freq switching or +with initialization. + +Also add an assert in devfreq_update_status to make it clear that lock +must be held by caller. + +Fixes: 39688ce6facd ("PM / devfreq: account suspend/resume for stats") +Cc: stable@vger.kernel.org +Signed-off-by: Leonard Crestez +Reviewed-by: Matthias Kaehlcke +Reviewed-by: Chanwoo Choi +Signed-off-by: Chanwoo Choi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/devfreq/devfreq.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/drivers/devfreq/devfreq.c ++++ b/drivers/devfreq/devfreq.c +@@ -163,6 +163,7 @@ int devfreq_update_status(struct devfreq + int lev, prev_lev, ret = 0; + unsigned long cur_time; + ++ lockdep_assert_held(&devfreq->lock); + cur_time = jiffies; + + /* Immediately exit if previous_freq is not initialized yet. */ +@@ -1287,12 +1288,17 @@ static ssize_t trans_stat_show(struct de + int i, j; + unsigned int max_state = devfreq->profile->max_state; + +- if (!devfreq->stop_polling && +- devfreq_update_status(devfreq, devfreq->previous_freq)) +- return 0; + if (max_state == 0) + return sprintf(buf, "Not Supported.\n"); + ++ mutex_lock(&devfreq->lock); ++ if (!devfreq->stop_polling && ++ devfreq_update_status(devfreq, devfreq->previous_freq)) { ++ mutex_unlock(&devfreq->lock); ++ return 0; ++ } ++ mutex_unlock(&devfreq->lock); ++ + len = sprintf(buf, " From : To\n"); + len += sprintf(buf + len, " :"); + for (i = 0; i < max_state; i++) diff --git a/queue-4.19/ppdev-fix-ppgettime-ppsettime-ioctls.patch b/queue-4.19/ppdev-fix-ppgettime-ppsettime-ioctls.patch new file mode 100644 index 00000000000..5032b8f41b5 --- /dev/null +++ b/queue-4.19/ppdev-fix-ppgettime-ppsettime-ioctls.patch @@ -0,0 +1,76 @@ +From 998174042da229e2cf5841f574aba4a743e69650 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Fri, 8 Nov 2019 21:34:30 +0100 +Subject: ppdev: fix PPGETTIME/PPSETTIME ioctls + +From: Arnd Bergmann + +commit 998174042da229e2cf5841f574aba4a743e69650 upstream. + +Going through the uses of timeval in the user space API, +I noticed two bugs in ppdev that were introduced in the y2038 +conversion: + +* The range check was accidentally moved from ppsettime to + ppgettime + +* On sparc64, the microseconds are in the other half of the + 64-bit word. + +Fix both, and mark the fix for stable backports. + +Cc: stable@vger.kernel.org +Fixes: 3b9ab374a1e6 ("ppdev: convert to y2038 safe") +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20191108203435.112759-8-arnd@arndb.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/ppdev.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/drivers/char/ppdev.c ++++ b/drivers/char/ppdev.c +@@ -623,20 +623,27 @@ static int pp_do_ioctl(struct file *file + if (copy_from_user(time32, argp, sizeof(time32))) + return -EFAULT; + ++ if ((time32[0] < 0) || (time32[1] < 0)) ++ return -EINVAL; ++ + return pp_set_timeout(pp->pdev, time32[0], time32[1]); + + case PPSETTIME64: + if (copy_from_user(time64, argp, sizeof(time64))) + return -EFAULT; + ++ if ((time64[0] < 0) || (time64[1] < 0)) ++ return -EINVAL; ++ ++ if (IS_ENABLED(CONFIG_SPARC64) && !in_compat_syscall()) ++ time64[1] >>= 32; ++ + return pp_set_timeout(pp->pdev, time64[0], time64[1]); + + case PPGETTIME32: + jiffies_to_timespec64(pp->pdev->timeout, &ts); + time32[0] = ts.tv_sec; + time32[1] = ts.tv_nsec / NSEC_PER_USEC; +- if ((time32[0] < 0) || (time32[1] < 0)) +- return -EINVAL; + + if (copy_to_user(argp, time32, sizeof(time32))) + return -EFAULT; +@@ -647,8 +654,9 @@ static int pp_do_ioctl(struct file *file + jiffies_to_timespec64(pp->pdev->timeout, &ts); + time64[0] = ts.tv_sec; + time64[1] = ts.tv_nsec / NSEC_PER_USEC; +- if ((time64[0] < 0) || (time64[1] < 0)) +- return -EINVAL; ++ ++ if (IS_ENABLED(CONFIG_SPARC64) && !in_compat_syscall()) ++ time64[1] <<= 32; + + if (copy_to_user(argp, time64, sizeof(time64))) + return -EFAULT; diff --git a/queue-4.19/s390-mm-properly-clear-_page_noexec-bit-when-it-is-not-supported.patch b/queue-4.19/s390-mm-properly-clear-_page_noexec-bit-when-it-is-not-supported.patch new file mode 100644 index 00000000000..c5078a049d9 --- /dev/null +++ b/queue-4.19/s390-mm-properly-clear-_page_noexec-bit-when-it-is-not-supported.patch @@ -0,0 +1,65 @@ +From ab874f22d35a8058d8fdee5f13eb69d8867efeae Mon Sep 17 00:00:00 2001 +From: Gerald Schaefer +Date: Wed, 11 Sep 2019 19:42:23 +0200 +Subject: s390/mm: properly clear _PAGE_NOEXEC bit when it is not supported + +From: Gerald Schaefer + +commit ab874f22d35a8058d8fdee5f13eb69d8867efeae upstream. + +On older HW or under a hypervisor, w/o the instruction-execution- +protection (IEP) facility, and also w/o EDAT-1, a translation-specification +exception may be recognized when bit 55 of a pte is one (_PAGE_NOEXEC). + +The current code tries to prevent setting _PAGE_NOEXEC in such cases, +by removing it within set_pte_at(). However, ptep_set_access_flags() +will modify a pte directly, w/o using set_pte_at(). There is at least +one scenario where this can result in an active pte with _PAGE_NOEXEC +set, which would then lead to a panic due to a translation-specification +exception (write to swapped out page): + +do_swap_page + pte = mk_pte (with _PAGE_NOEXEC bit) + set_pte_at (will remove _PAGE_NOEXEC bit in page table, but keep it + in local variable pte) + vmf->orig_pte = pte (pte still contains _PAGE_NOEXEC bit) + do_wp_page + wp_page_reuse + entry = vmf->orig_pte (still with _PAGE_NOEXEC bit) + ptep_set_access_flags (writes entry with _PAGE_NOEXEC bit) + +Fix this by clearing _PAGE_NOEXEC already in mk_pte_phys(), where the +pgprot value is applied, so that no pte with _PAGE_NOEXEC will ever be +visible, if it is not supported. The check in set_pte_at() can then also +be removed. + +Cc: # 4.11+ +Fixes: 57d7f939e7bd ("s390: add no-execute support") +Signed-off-by: Gerald Schaefer +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/include/asm/pgtable.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/s390/include/asm/pgtable.h ++++ b/arch/s390/include/asm/pgtable.h +@@ -1150,8 +1150,6 @@ void gmap_pmdp_idte_global(struct mm_str + static inline void set_pte_at(struct mm_struct *mm, unsigned long addr, + pte_t *ptep, pte_t entry) + { +- if (!MACHINE_HAS_NX) +- pte_val(entry) &= ~_PAGE_NOEXEC; + if (pte_present(entry)) + pte_val(entry) &= ~_PAGE_UNUSED; + if (mm_has_pgste(mm)) +@@ -1168,6 +1166,8 @@ static inline pte_t mk_pte_phys(unsigned + { + pte_t __pte; + pte_val(__pte) = physpage + pgprot_val(pgprot); ++ if (!MACHINE_HAS_NX) ++ pte_val(__pte) &= ~_PAGE_NOEXEC; + return pte_mkyoung(__pte); + } + diff --git a/queue-4.19/series b/queue-4.19/series index c9d21fca70c..d49f49d9638 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -52,3 +52,35 @@ dm-writecache-handle-req_fua.patch dm-zoned-reduce-overhead-of-backing-device-checks.patch workqueue-fix-spurious-sanity-check-failures-in-destroy_workqueue.patch workqueue-fix-pwq-ref-leak-in-rescuer_thread.patch +asoc-rt5645-fixed-buddy-jack-support.patch +asoc-rt5645-fixed-typo-for-buddy-jack-support.patch +asoc-jack-fix-null-pointer-dereference-in-snd_soc_jack_report.patch +md-improve-handling-of-bio-with-req_preflush-in-md_flush_request.patch +blk-mq-avoid-sysfs-buffer-overflow-with-too-many-cpu-cores.patch +cgroup-pids-use-atomic64_t-for-pids-limit.patch +ar5523-check-null-before-memcpy-in-ar5523_cmd.patch +s390-mm-properly-clear-_page_noexec-bit-when-it-is-not-supported.patch +media-bdisp-fix-memleak-on-release.patch +media-radio-wl1273-fix-interrupt-masking-on-release.patch +media-cec.h-cec_op_rec_flag_-values-were-swapped.patch +cpuidle-do-not-unset-the-driver-if-it-is-there-already.patch +erofs-zero-out-when-listxattr-is-called-with-no-xattr.patch +perf-tests-fix-out-of-bounds-memory-access.patch +intel_th-fix-a-double-put_device-in-error-path.patch +intel_th-pci-add-ice-lake-cpu-support.patch +intel_th-pci-add-tiger-lake-cpu-support.patch +pm-devfreq-lock-devfreq-in-trans_stat_show.patch +cpufreq-powernv-fix-stack-bloat-and-hard-limit-on-number-of-cpus.patch +acpi-hotplug-pci-allocate-resources-directly-under-the-non-hotplug-bridge.patch +acpi-osl-only-free-map-once-in-osl.c.patch +acpi-bus-fix-null-pointer-check-in-acpi_bus_get_private_data.patch +acpi-pm-avoid-attaching-acpi-pm-domain-to-certain-devices.patch +pinctrl-armada-37xx-fix-irq-mask-access-in-armada_37xx_irq_set_type.patch +pinctrl-samsung-add-of_node_put-before-return-in-error-path.patch +pinctrl-samsung-fix-device-node-refcount-leaks-in-exynos-wakeup-controller-init.patch +pinctrl-samsung-fix-device-node-refcount-leaks-in-s3c24xx-wakeup-controller-init.patch +pinctrl-samsung-fix-device-node-refcount-leaks-in-init-code.patch +pinctrl-samsung-fix-device-node-refcount-leaks-in-s3c64xx-wakeup-controller-init.patch +mmc-host-omap_hsmmc-add-code-for-special-init-of-wl1251-to-get-rid-of-pandora_wl1251_init_card.patch +arm-dts-omap3-tao3530-fix-incorrect-mmc-card-detection-gpio-polarity.patch +ppdev-fix-ppgettime-ppsettime-ioctls.patch