From 0d9b35b361a561684373abe139ff73e40d493e91 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Fri, 3 Dec 2021 22:39:58 -0500 Subject: [PATCH] Fixes for 4.19 Signed-off-by: Sasha Levin --- ...en-sardine-vendor-id-as-board_ahci_m.patch | 42 +++++++ ...-read-and-write-in-hw_atl_utils_fw_r.patch | 92 ++++++++++++++ ...grity-fix-a-warning-on-write-caching.patch | 113 ++++++++++++++++++ ...on-hns-hns_dsaf_misc-fix-a-possible-.patch | 49 ++++++++ ...gth-of-holes-reported-at-end-of-file.patch | 40 +++++++ ...-tulip-de4x5-fix-possible-array-over.patch | 58 +++++++++ .../net-return-correct-error-code.patch | 35 ++++++ ...fix-the-problem-that-the-array-lp-ph.patch | 66 ++++++++++ ...st-fix-memory-leak-of-a-perf_hpp_fmt.patch | 101 ++++++++++++++++ ...nkpad_acpi-fix-wwan-device-disabled-.patch | 70 +++++++++++ ...-using-memblock_enforce_memory_limit.patch | 56 +++++++++ ...ck-session-then-wake-up-error-handle.patch | 53 ++++++++ queue-4.19/series | 13 ++ ...et-previous-low-and-high-trip-during.patch | 50 ++++++++ 14 files changed, 838 insertions(+) create mode 100644 queue-4.19/ata-ahci-add-green-sardine-vendor-id-as-board_ahci_m.patch create mode 100644 queue-4.19/atlantic-fix-oob-read-and-write-in-hw_atl_utils_fw_r.patch create mode 100644 queue-4.19/btrfs-check-integrity-fix-a-warning-on-write-caching.patch create mode 100644 queue-4.19/ethernet-hisilicon-hns-hns_dsaf_misc-fix-a-possible-.patch create mode 100644 queue-4.19/gfs2-fix-length-of-holes-reported-at-end-of-file.patch create mode 100644 queue-4.19/net-ethernet-dec-tulip-de4x5-fix-possible-array-over.patch create mode 100644 queue-4.19/net-return-correct-error-code.patch create mode 100644 queue-4.19/net-tulip-de4x5-fix-the-problem-that-the-array-lp-ph.patch create mode 100644 queue-4.19/perf-hist-fix-memory-leak-of-a-perf_hpp_fmt.patch create mode 100644 queue-4.19/platform-x86-thinkpad_acpi-fix-wwan-device-disabled-.patch create mode 100644 queue-4.19/s390-setup-avoid-using-memblock_enforce_memory_limit.patch create mode 100644 queue-4.19/scsi-iscsi-unblock-session-then-wake-up-error-handle.patch create mode 100644 queue-4.19/thermal-core-reset-previous-low-and-high-trip-during.patch diff --git a/queue-4.19/ata-ahci-add-green-sardine-vendor-id-as-board_ahci_m.patch b/queue-4.19/ata-ahci-add-green-sardine-vendor-id-as-board_ahci_m.patch new file mode 100644 index 00000000000..c6a3174967d --- /dev/null +++ b/queue-4.19/ata-ahci-add-green-sardine-vendor-id-as-board_ahci_m.patch @@ -0,0 +1,42 @@ +From 8c60aa66a0aff2a638e366dff513e5a80f48edc4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Nov 2021 14:15:38 -0600 +Subject: ata: ahci: Add Green Sardine vendor ID as board_ahci_mobile + +From: Mario Limonciello + +[ Upstream commit 1527f69204fe35f341cb599f1cb01bd02daf4374 ] + +AMD requires that the SATA controller be configured for devsleep in order +for S0i3 entry to work properly. + +commit b1a9585cc396 ("ata: ahci: Enable DEVSLP by default on x86 with +SLP_S0") sets up a kernel policy to enable devsleep on Intel mobile +platforms that are using s0ix. Add the PCI ID for the SATA controller in +Green Sardine platforms to extend this policy by default for AMD based +systems using s0i3 as well. + +Cc: Nehal-bakulchandra Shah +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=214091 +Signed-off-by: Mario Limonciello +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/ata/ahci.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c +index 8df0ec85cc7b9..505920d4530f8 100644 +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -436,6 +436,7 @@ static const struct pci_device_id ahci_pci_tbl[] = { + /* AMD */ + { PCI_VDEVICE(AMD, 0x7800), board_ahci }, /* AMD Hudson-2 */ + { PCI_VDEVICE(AMD, 0x7900), board_ahci }, /* AMD CZ */ ++ { PCI_VDEVICE(AMD, 0x7901), board_ahci_mobile }, /* AMD Green Sardine */ + /* AMD is using RAID class only for ahci controllers */ + { PCI_VENDOR_ID_AMD, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, + PCI_CLASS_STORAGE_RAID << 8, 0xffffff, board_ahci }, +-- +2.33.0 + diff --git a/queue-4.19/atlantic-fix-oob-read-and-write-in-hw_atl_utils_fw_r.patch b/queue-4.19/atlantic-fix-oob-read-and-write-in-hw_atl_utils_fw_r.patch new file mode 100644 index 00000000000..eff0f5494f4 --- /dev/null +++ b/queue-4.19/atlantic-fix-oob-read-and-write-in-hw_atl_utils_fw_r.patch @@ -0,0 +1,92 @@ +From cddc17d643d6b3e56ff62ede56eca05a148d95fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Nov 2021 22:24:40 -0500 +Subject: atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait + +From: Zekun Shen + +[ Upstream commit b922f622592af76b57cbc566eaeccda0b31a3496 ] + +This bug report shows up when running our research tools. The +reports is SOOB read, but it seems SOOB write is also possible +a few lines below. + +In details, fw.len and sw.len are inputs coming from io. A len +over the size of self->rpc triggers SOOB. The patch fixes the +bugs by adding sanity checks. + +The bugs are triggerable with compromised/malfunctioning devices. +They are potentially exploitable given they first leak up to +0xffff bytes and able to overwrite the region later. + +The patch is tested with QEMU emulater. +This is NOT tested with a real device. + +Attached is the log we found by fuzzing. + +BUG: KASAN: slab-out-of-bounds in + hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic] +Read of size 4 at addr ffff888016260b08 by task modprobe/213 +CPU: 0 PID: 213 Comm: modprobe Not tainted 5.6.0 #1 +Call Trace: + dump_stack+0x76/0xa0 + print_address_description.constprop.0+0x16/0x200 + ? hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic] + ? hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic] + __kasan_report.cold+0x37/0x7c + ? aq_hw_read_reg_bit+0x60/0x70 [atlantic] + ? hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic] + kasan_report+0xe/0x20 + hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic] + hw_atl_utils_fw_rpc_call+0x95/0x130 [atlantic] + hw_atl_utils_fw_rpc_wait+0x176/0x210 [atlantic] + hw_atl_utils_mpi_create+0x229/0x2e0 [atlantic] + ? hw_atl_utils_fw_rpc_wait+0x210/0x210 [atlantic] + ? hw_atl_utils_initfw+0x9f/0x1c8 [atlantic] + hw_atl_utils_initfw+0x12a/0x1c8 [atlantic] + aq_nic_ndev_register+0x88/0x650 [atlantic] + ? aq_nic_ndev_init+0x235/0x3c0 [atlantic] + aq_pci_probe+0x731/0x9b0 [atlantic] + ? aq_pci_func_init+0xc0/0xc0 [atlantic] + local_pci_probe+0xd3/0x160 + pci_device_probe+0x23f/0x3e0 + +Reported-by: Brendan Dolan-Gavitt +Signed-off-by: Zekun Shen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c +index 096ec18e8f15a..49c80bac9ce28 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c ++++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c +@@ -459,6 +459,11 @@ int hw_atl_utils_fw_rpc_wait(struct aq_hw_s *self, + goto err_exit; + + if (fw.len == 0xFFFFU) { ++ if (sw.len > sizeof(self->rpc)) { ++ printk(KERN_INFO "Invalid sw len: %x\n", sw.len); ++ err = -EINVAL; ++ goto err_exit; ++ } + err = hw_atl_utils_fw_rpc_call(self, sw.len); + if (err < 0) + goto err_exit; +@@ -469,6 +474,11 @@ int hw_atl_utils_fw_rpc_wait(struct aq_hw_s *self, + + if (rpc) { + if (fw.len) { ++ if (fw.len > sizeof(self->rpc)) { ++ printk(KERN_INFO "Invalid fw len: %x\n", fw.len); ++ err = -EINVAL; ++ goto err_exit; ++ } + err = + hw_atl_utils_fw_downld_dwords(self, + self->rpc_addr, +-- +2.33.0 + diff --git a/queue-4.19/btrfs-check-integrity-fix-a-warning-on-write-caching.patch b/queue-4.19/btrfs-check-integrity-fix-a-warning-on-write-caching.patch new file mode 100644 index 00000000000..cf80488e99e --- /dev/null +++ b/queue-4.19/btrfs-check-integrity-fix-a-warning-on-write-caching.patch @@ -0,0 +1,113 @@ +From 6686594d00193ce0378cf9139bed9303df2abb81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 06:32:54 +0800 +Subject: btrfs: check-integrity: fix a warning on write caching disabled disk + +From: Wang Yugui + +[ Upstream commit a91cf0ffbc244792e0b3ecf7d0fddb2f344b461f ] + +When a disk has write caching disabled, we skip submission of a bio with +flush and sync requests before writing the superblock, since it's not +needed. However when the integrity checker is enabled, this results in +reports that there are metadata blocks referred by a superblock that +were not properly flushed. So don't skip the bio submission only when +the integrity checker is enabled for the sake of simplicity, since this +is a debug tool and not meant for use in non-debug builds. + +fstests/btrfs/220 trigger a check-integrity warning like the following +when CONFIG_BTRFS_FS_CHECK_INTEGRITY=y and the disk with WCE=0. + + btrfs: attempt to write superblock which references block M @5242880 (sdb2/5242880/0) which is not flushed out of disk's write cache (block flush_gen=1, dev->flush_gen=0)! + ------------[ cut here ]------------ + WARNING: CPU: 28 PID: 843680 at fs/btrfs/check-integrity.c:2196 btrfsic_process_written_superblock+0x22a/0x2a0 [btrfs] + CPU: 28 PID: 843680 Comm: umount Not tainted 5.15.0-0.rc5.39.el8.x86_64 #1 + Hardware name: Dell Inc. Precision T7610/0NK70N, BIOS A18 09/11/2019 + RIP: 0010:btrfsic_process_written_superblock+0x22a/0x2a0 [btrfs] + RSP: 0018:ffffb642afb47940 EFLAGS: 00010246 + RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000 + RDX: 00000000ffffffff RSI: ffff8b722fc97d00 RDI: ffff8b722fc97d00 + RBP: ffff8b5601c00000 R08: 0000000000000000 R09: c0000000ffff7fff + R10: 0000000000000001 R11: ffffb642afb476f8 R12: ffffffffffffffff + R13: ffffb642afb47974 R14: ffff8b5499254c00 R15: 0000000000000003 + FS: 00007f00a06d4080(0000) GS:ffff8b722fc80000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007fff5cff5ff0 CR3: 00000001c0c2a006 CR4: 00000000001706e0 + Call Trace: + btrfsic_process_written_block+0x2f7/0x850 [btrfs] + __btrfsic_submit_bio.part.19+0x310/0x330 [btrfs] + ? bio_associate_blkg_from_css+0xa4/0x2c0 + btrfsic_submit_bio+0x18/0x30 [btrfs] + write_dev_supers+0x81/0x2a0 [btrfs] + ? find_get_pages_range_tag+0x219/0x280 + ? pagevec_lookup_range_tag+0x24/0x30 + ? __filemap_fdatawait_range+0x6d/0xf0 + ? __raw_callee_save___native_queued_spin_unlock+0x11/0x1e + ? find_first_extent_bit+0x9b/0x160 [btrfs] + ? __raw_callee_save___native_queued_spin_unlock+0x11/0x1e + write_all_supers+0x1b3/0xa70 [btrfs] + ? __raw_callee_save___native_queued_spin_unlock+0x11/0x1e + btrfs_commit_transaction+0x59d/0xac0 [btrfs] + close_ctree+0x11d/0x339 [btrfs] + generic_shutdown_super+0x71/0x110 + kill_anon_super+0x14/0x30 + btrfs_kill_super+0x12/0x20 [btrfs] + deactivate_locked_super+0x31/0x70 + cleanup_mnt+0xb8/0x140 + task_work_run+0x6d/0xb0 + exit_to_user_mode_prepare+0x1f0/0x200 + syscall_exit_to_user_mode+0x12/0x30 + do_syscall_64+0x46/0x80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + RIP: 0033:0x7f009f711dfb + RSP: 002b:00007fff5cff7928 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 + RAX: 0000000000000000 RBX: 000055b68c6c9970 RCX: 00007f009f711dfb + RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000055b68c6c9b50 + RBP: 0000000000000000 R08: 000055b68c6ca900 R09: 00007f009f795580 + R10: 0000000000000000 R11: 0000000000000246 R12: 000055b68c6c9b50 + R13: 00007f00a04bf184 R14: 0000000000000000 R15: 00000000ffffffff + ---[ end trace 2c4b82abcef9eec4 ]--- + S-65536(sdb2/65536/1) + --> + M-1064960(sdb2/1064960/1) + +Reviewed-by: Filipe Manana +Signed-off-by: Wang Yugui +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/disk-io.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c +index c326535d5a80a..2ac920bdf4df5 100644 +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -3579,11 +3579,23 @@ static void btrfs_end_empty_barrier(struct bio *bio) + */ + static void write_dev_flush(struct btrfs_device *device) + { +- struct request_queue *q = bdev_get_queue(device->bdev); + struct bio *bio = device->flush_bio; + ++#ifndef CONFIG_BTRFS_FS_CHECK_INTEGRITY ++ /* ++ * When a disk has write caching disabled, we skip submission of a bio ++ * with flush and sync requests before writing the superblock, since ++ * it's not needed. However when the integrity checker is enabled, this ++ * results in reports that there are metadata blocks referred by a ++ * superblock that were not properly flushed. So don't skip the bio ++ * submission only when the integrity checker is enabled for the sake ++ * of simplicity, since this is a debug tool and not meant for use in ++ * non-debug builds. ++ */ ++ struct request_queue *q = bdev_get_queue(device->bdev); + if (!test_bit(QUEUE_FLAG_WC, &q->queue_flags)) + return; ++#endif + + bio_reset(bio); + bio->bi_end_io = btrfs_end_empty_barrier; +-- +2.33.0 + diff --git a/queue-4.19/ethernet-hisilicon-hns-hns_dsaf_misc-fix-a-possible-.patch b/queue-4.19/ethernet-hisilicon-hns-hns_dsaf_misc-fix-a-possible-.patch new file mode 100644 index 00000000000..0092ab6b253 --- /dev/null +++ b/queue-4.19/ethernet-hisilicon-hns-hns_dsaf_misc-fix-a-possible-.patch @@ -0,0 +1,49 @@ +From c26eb15c39e70473a0cc1b354fb77a08201c27d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Nov 2021 11:44:53 +0800 +Subject: ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array + overflow in hns_dsaf_ge_srst_by_port() + +From: Teng Qi + +[ Upstream commit a66998e0fbf213d47d02813b9679426129d0d114 ] + +The if statement: + if (port >= DSAF_GE_NUM) + return; + +limits the value of port less than DSAF_GE_NUM (i.e., 8). +However, if the value of port is 6 or 7, an array overflow could occur: + port_rst_off = dsaf_dev->mac_cb[port]->port_rst_off; + +because the length of dsaf_dev->mac_cb is DSAF_MAX_PORT_NUM (i.e., 6). + +To fix this possible array overflow, we first check port and if it is +greater than or equal to DSAF_MAX_PORT_NUM, the function returns. + +Reported-by: TOTE Robot +Signed-off-by: Teng Qi +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c +index 16294cd3c9545..4ceacb1c154dc 100644 +--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c +@@ -402,6 +402,10 @@ static void hns_dsaf_ge_srst_by_port(struct dsaf_device *dsaf_dev, u32 port, + return; + + if (!HNS_DSAF_IS_DEBUG(dsaf_dev)) { ++ /* DSAF_MAX_PORT_NUM is 6, but DSAF_GE_NUM is 8. ++ We need check to prevent array overflow */ ++ if (port >= DSAF_MAX_PORT_NUM) ++ return; + reg_val_1 = 0x1 << port; + port_rst_off = dsaf_dev->mac_cb[port]->port_rst_off; + /* there is difference between V1 and V2 in register.*/ +-- +2.33.0 + diff --git a/queue-4.19/gfs2-fix-length-of-holes-reported-at-end-of-file.patch b/queue-4.19/gfs2-fix-length-of-holes-reported-at-end-of-file.patch new file mode 100644 index 00000000000..c17ad7b4379 --- /dev/null +++ b/queue-4.19/gfs2-fix-length-of-holes-reported-at-end-of-file.patch @@ -0,0 +1,40 @@ +From 6dd0e79fe878238dea1f2c4ead187e80ecbc916c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 6 Nov 2021 00:18:56 +0100 +Subject: gfs2: Fix length of holes reported at end-of-file + +From: Andreas Gruenbacher + +[ Upstream commit f3506eee81d1f700d9ee2d2f4a88fddb669ec032 ] + +Fix the length of holes reported at the end of a file: the length is +relative to the beginning of the extent, not the seek position which is +rounded down to the filesystem block size. + +This bug went unnoticed for some time, but is now caught by the +following assertion in iomap_iter_done(): + + WARN_ON_ONCE(iter->iomap.offset + iter->iomap.length <= iter->pos) + +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/bmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/gfs2/bmap.c b/fs/gfs2/bmap.c +index 43f53020553b5..53ba5019ad063 100644 +--- a/fs/gfs2/bmap.c ++++ b/fs/gfs2/bmap.c +@@ -943,7 +943,7 @@ static int gfs2_iomap_get(struct inode *inode, loff_t pos, loff_t length, + else if (height == ip->i_height) + ret = gfs2_hole_size(inode, lblock, len, mp, iomap); + else +- iomap->length = size - pos; ++ iomap->length = size - iomap->offset; + } else if (flags & IOMAP_WRITE) { + u64 alloc_size; + +-- +2.33.0 + diff --git a/queue-4.19/net-ethernet-dec-tulip-de4x5-fix-possible-array-over.patch b/queue-4.19/net-ethernet-dec-tulip-de4x5-fix-possible-array-over.patch new file mode 100644 index 00000000000..9416653a23b --- /dev/null +++ b/queue-4.19/net-ethernet-dec-tulip-de4x5-fix-possible-array-over.patch @@ -0,0 +1,58 @@ +From 6276b3a7750b0800a62ea3e0b375a937d16232e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Nov 2021 15:01:18 +0800 +Subject: net: ethernet: dec: tulip: de4x5: fix possible array overflows in + type3_infoblock() + +From: Teng Qi + +[ Upstream commit 0fa68da72c3be09e06dd833258ee89c33374195f ] + +The definition of macro MOTO_SROM_BUG is: + #define MOTO_SROM_BUG (lp->active == 8 && (get_unaligned_le32( + dev->dev_addr) & 0x00ffffff) == 0x3e0008) + +and the if statement + if (MOTO_SROM_BUG) lp->active = 0; + +using this macro indicates lp->active could be 8. If lp->active is 8 and +the second comparison of this macro is false. lp->active will remain 8 in: + lp->phy[lp->active].gep = (*p ? p : NULL); p += (2 * (*p) + 1); + lp->phy[lp->active].rst = (*p ? p : NULL); p += (2 * (*p) + 1); + lp->phy[lp->active].mc = get_unaligned_le16(p); p += 2; + lp->phy[lp->active].ana = get_unaligned_le16(p); p += 2; + lp->phy[lp->active].fdx = get_unaligned_le16(p); p += 2; + lp->phy[lp->active].ttm = get_unaligned_le16(p); p += 2; + lp->phy[lp->active].mci = *p; + +However, the length of array lp->phy is 8, so array overflows can occur. +To fix these possible array overflows, we first check lp->active and then +return -EINVAL if it is greater or equal to ARRAY_SIZE(lp->phy) (i.e. 8). + +Reported-by: TOTE Robot +Signed-off-by: Teng Qi +Reviewed-by: Arnd Bergmann +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/dec/tulip/de4x5.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/dec/tulip/de4x5.c b/drivers/net/ethernet/dec/tulip/de4x5.c +index a80252973171f..c97fc0e384ca6 100644 +--- a/drivers/net/ethernet/dec/tulip/de4x5.c ++++ b/drivers/net/ethernet/dec/tulip/de4x5.c +@@ -4708,6 +4708,10 @@ type3_infoblock(struct net_device *dev, u_char count, u_char *p) + lp->ibn = 3; + lp->active = *p++; + if (MOTO_SROM_BUG) lp->active = 0; ++ /* if (MOTO_SROM_BUG) statement indicates lp->active could ++ * be 8 (i.e. the size of array lp->phy) */ ++ if (WARN_ON(lp->active >= ARRAY_SIZE(lp->phy))) ++ return -EINVAL; + lp->phy[lp->active].gep = (*p ? p : NULL); p += (2 * (*p) + 1); + lp->phy[lp->active].rst = (*p ? p : NULL); p += (2 * (*p) + 1); + lp->phy[lp->active].mc = get_unaligned_le16(p); p += 2; +-- +2.33.0 + diff --git a/queue-4.19/net-return-correct-error-code.patch b/queue-4.19/net-return-correct-error-code.patch new file mode 100644 index 00000000000..487f3f5a934 --- /dev/null +++ b/queue-4.19/net-return-correct-error-code.patch @@ -0,0 +1,35 @@ +From b0b6552fb6d8572f5931d0417b9b2dd5856d733a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Nov 2021 16:14:48 +0800 +Subject: net: return correct error code + +From: liuguoqiang + +[ Upstream commit 6def480181f15f6d9ec812bca8cbc62451ba314c ] + +When kmemdup called failed and register_net_sysctl return NULL, should +return ENOMEM instead of ENOBUFS + +Signed-off-by: liuguoqiang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/devinet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c +index 12a2cea9d606a..e2ab8cdb71347 100644 +--- a/net/ipv4/devinet.c ++++ b/net/ipv4/devinet.c +@@ -2354,7 +2354,7 @@ static int __devinet_sysctl_register(struct net *net, char *dev_name, + free: + kfree(t); + out: +- return -ENOBUFS; ++ return -ENOMEM; + } + + static void __devinet_sysctl_unregister(struct net *net, +-- +2.33.0 + diff --git a/queue-4.19/net-tulip-de4x5-fix-the-problem-that-the-array-lp-ph.patch b/queue-4.19/net-tulip-de4x5-fix-the-problem-that-the-array-lp-ph.patch new file mode 100644 index 00000000000..c03f2b82749 --- /dev/null +++ b/queue-4.19/net-tulip-de4x5-fix-the-problem-that-the-array-lp-ph.patch @@ -0,0 +1,66 @@ +From 7719843a73b87fb9d0ff3998f9b011db5b22f575 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Nov 2021 13:46:32 +0800 +Subject: net: tulip: de4x5: fix the problem that the array 'lp->phy[8]' may be + out of bound + +From: zhangyue + +[ Upstream commit 61217be886b5f7402843677e4be7e7e83de9cb41 ] + +In line 5001, if all id in the array 'lp->phy[8]' is not 0, when the +'for' end, the 'k' is 8. + +At this time, the array 'lp->phy[8]' may be out of bound. + +Signed-off-by: zhangyue +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/dec/tulip/de4x5.c | 30 +++++++++++++++----------- + 1 file changed, 17 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/dec/tulip/de4x5.c b/drivers/net/ethernet/dec/tulip/de4x5.c +index c813e6f2b371e..a80252973171f 100644 +--- a/drivers/net/ethernet/dec/tulip/de4x5.c ++++ b/drivers/net/ethernet/dec/tulip/de4x5.c +@@ -4999,19 +4999,23 @@ mii_get_phy(struct net_device *dev) + } + if ((j == limit) && (i < DE4X5_MAX_MII)) { + for (k=0; k < DE4X5_MAX_PHY && lp->phy[k].id; k++); +- lp->phy[k].addr = i; +- lp->phy[k].id = id; +- lp->phy[k].spd.reg = GENERIC_REG; /* ANLPA register */ +- lp->phy[k].spd.mask = GENERIC_MASK; /* 100Mb/s technologies */ +- lp->phy[k].spd.value = GENERIC_VALUE; /* TX & T4, H/F Duplex */ +- lp->mii_cnt++; +- lp->active++; +- printk("%s: Using generic MII device control. If the board doesn't operate,\nplease mail the following dump to the author:\n", dev->name); +- j = de4x5_debug; +- de4x5_debug |= DEBUG_MII; +- de4x5_dbg_mii(dev, k); +- de4x5_debug = j; +- printk("\n"); ++ if (k < DE4X5_MAX_PHY) { ++ lp->phy[k].addr = i; ++ lp->phy[k].id = id; ++ lp->phy[k].spd.reg = GENERIC_REG; /* ANLPA register */ ++ lp->phy[k].spd.mask = GENERIC_MASK; /* 100Mb/s technologies */ ++ lp->phy[k].spd.value = GENERIC_VALUE; /* TX & T4, H/F Duplex */ ++ lp->mii_cnt++; ++ lp->active++; ++ printk("%s: Using generic MII device control. If the board doesn't operate,\nplease mail the following dump to the author:\n", dev->name); ++ j = de4x5_debug; ++ de4x5_debug |= DEBUG_MII; ++ de4x5_dbg_mii(dev, k); ++ de4x5_debug = j; ++ printk("\n"); ++ } else { ++ goto purgatory; ++ } + } + } + purgatory: +-- +2.33.0 + diff --git a/queue-4.19/perf-hist-fix-memory-leak-of-a-perf_hpp_fmt.patch b/queue-4.19/perf-hist-fix-memory-leak-of-a-perf_hpp_fmt.patch new file mode 100644 index 00000000000..a9989693824 --- /dev/null +++ b/queue-4.19/perf-hist-fix-memory-leak-of-a-perf_hpp_fmt.patch @@ -0,0 +1,101 @@ +From be5dbcc82829cf568632539a3f27a66d2e29f3f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Nov 2021 23:12:47 -0800 +Subject: perf hist: Fix memory leak of a perf_hpp_fmt + +From: Ian Rogers + +[ Upstream commit 0ca1f534a776cc7d42f2c33da4732b74ec2790cd ] + +perf_hpp__column_unregister() removes an entry from a list but doesn't +free the memory causing a memory leak spotted by leak sanitizer. + +Add the free while at the same time reducing the scope of the function +to static. + +Signed-off-by: Ian Rogers +Reviewed-by: Kajol Jain +Cc: Alexander Shishkin +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Stephane Eranian +Link: http://lore.kernel.org/lkml/20211118071247.2140392-1-irogers@google.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/ui/hist.c | 28 ++++++++++++++-------------- + tools/perf/util/hist.h | 1 - + 2 files changed, 14 insertions(+), 15 deletions(-) + +diff --git a/tools/perf/ui/hist.c b/tools/perf/ui/hist.c +index fe3dfaa64a916..4afb63cea41b9 100644 +--- a/tools/perf/ui/hist.c ++++ b/tools/perf/ui/hist.c +@@ -468,6 +468,18 @@ struct perf_hpp_list perf_hpp_list = { + #undef __HPP_SORT_ACC_FN + #undef __HPP_SORT_RAW_FN + ++static void fmt_free(struct perf_hpp_fmt *fmt) ++{ ++ /* ++ * At this point fmt should be completely ++ * unhooked, if not it's a bug. ++ */ ++ BUG_ON(!list_empty(&fmt->list)); ++ BUG_ON(!list_empty(&fmt->sort_list)); ++ ++ if (fmt->free) ++ fmt->free(fmt); ++} + + void perf_hpp__init(void) + { +@@ -531,9 +543,10 @@ void perf_hpp_list__prepend_sort_field(struct perf_hpp_list *list, + list_add(&format->sort_list, &list->sorts); + } + +-void perf_hpp__column_unregister(struct perf_hpp_fmt *format) ++static void perf_hpp__column_unregister(struct perf_hpp_fmt *format) + { + list_del_init(&format->list); ++ fmt_free(format); + } + + void perf_hpp__cancel_cumulate(void) +@@ -605,19 +618,6 @@ void perf_hpp__append_sort_keys(struct perf_hpp_list *list) + } + + +-static void fmt_free(struct perf_hpp_fmt *fmt) +-{ +- /* +- * At this point fmt should be completely +- * unhooked, if not it's a bug. +- */ +- BUG_ON(!list_empty(&fmt->list)); +- BUG_ON(!list_empty(&fmt->sort_list)); +- +- if (fmt->free) +- fmt->free(fmt); +-} +- + void perf_hpp__reset_output_field(struct perf_hpp_list *list) + { + struct perf_hpp_fmt *fmt, *tmp; +diff --git a/tools/perf/util/hist.h b/tools/perf/util/hist.h +index 7173e1f410930..899c1ca5e7dce 100644 +--- a/tools/perf/util/hist.h ++++ b/tools/perf/util/hist.h +@@ -346,7 +346,6 @@ enum { + }; + + void perf_hpp__init(void); +-void perf_hpp__column_unregister(struct perf_hpp_fmt *format); + void perf_hpp__cancel_cumulate(void); + void perf_hpp__setup_output_field(struct perf_hpp_list *list); + void perf_hpp__reset_output_field(struct perf_hpp_list *list); +-- +2.33.0 + diff --git a/queue-4.19/platform-x86-thinkpad_acpi-fix-wwan-device-disabled-.patch b/queue-4.19/platform-x86-thinkpad_acpi-fix-wwan-device-disabled-.patch new file mode 100644 index 00000000000..71aff93f8c1 --- /dev/null +++ b/queue-4.19/platform-x86-thinkpad_acpi-fix-wwan-device-disabled-.patch @@ -0,0 +1,70 @@ +From 1e69ffdbe6752945243d0318ff8490e31aa17866 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Nov 2021 14:06:48 +0800 +Subject: platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after S3 + deep + +From: Slark Xiao + +[ Upstream commit 39f53292181081d35174a581a98441de5da22bc9 ] + +When WWAN device wake from S3 deep, under thinkpad platform, +WWAN would be disabled. This disable status could be checked +by command 'nmcli r wwan' or 'rfkill list'. + +Issue analysis as below: + When host resume from S3 deep, thinkpad_acpi driver would +call hotkey_resume() function. Finnaly, it will use +wan_get_status to check the current status of WWAN device. +During this resume progress, wan_get_status would always +return off even WWAN boot up completely. + In patch V2, Hans said 'sw_state should be unchanged +after a suspend/resume. It's better to drop the +tpacpi_rfk_update_swstate call all together from the +resume path'. + And it's confimed by Lenovo that GWAN is no longer + available from WHL generation because the design does not + match with current pin control. + +Signed-off-by: Slark Xiao +Link: https://lore.kernel.org/r/20211108060648.8212-1-slark_xiao@163.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/thinkpad_acpi.c | 12 ------------ + 1 file changed, 12 deletions(-) + +diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c +index fa8bcbe3d2762..912ce5cb2f084 100644 +--- a/drivers/platform/x86/thinkpad_acpi.c ++++ b/drivers/platform/x86/thinkpad_acpi.c +@@ -1198,15 +1198,6 @@ static int tpacpi_rfk_update_swstate(const struct tpacpi_rfk *tp_rfk) + return status; + } + +-/* Query FW and update rfkill sw state for all rfkill switches */ +-static void tpacpi_rfk_update_swstate_all(void) +-{ +- unsigned int i; +- +- for (i = 0; i < TPACPI_RFK_SW_MAX; i++) +- tpacpi_rfk_update_swstate(tpacpi_rfkill_switches[i]); +-} +- + /* + * Sync the HW-blocking state of all rfkill switches, + * do notice it causes the rfkill core to schedule uevents +@@ -3145,9 +3136,6 @@ static void tpacpi_send_radiosw_update(void) + if (wlsw == TPACPI_RFK_RADIO_OFF) + tpacpi_rfk_update_hwblock_state(true); + +- /* Sync sw blocking state */ +- tpacpi_rfk_update_swstate_all(); +- + /* Sync hw blocking state last if it is hw-unblocked */ + if (wlsw == TPACPI_RFK_RADIO_ON) + tpacpi_rfk_update_hwblock_state(false); +-- +2.33.0 + diff --git a/queue-4.19/s390-setup-avoid-using-memblock_enforce_memory_limit.patch b/queue-4.19/s390-setup-avoid-using-memblock_enforce_memory_limit.patch new file mode 100644 index 00000000000..06d8e922810 --- /dev/null +++ b/queue-4.19/s390-setup-avoid-using-memblock_enforce_memory_limit.patch @@ -0,0 +1,56 @@ +From a0f6055a15037b0582f71843928ad2a8a8ff0d4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Oct 2021 13:38:17 +0200 +Subject: s390/setup: avoid using memblock_enforce_memory_limit + +From: Vasily Gorbik + +[ Upstream commit 5dbc4cb4667457b0c53bcd7bff11500b3c362975 ] + +There is a difference in how architectures treat "mem=" option. For some +that is an amount of online memory, for s390 and x86 this is the limiting +max address. Some memblock api like memblock_enforce_memory_limit() +take limit argument and explicitly treat it as the size of online memory, +and use __find_max_addr to convert it to an actual max address. Current +s390 usage: + +memblock_enforce_memory_limit(memblock_end_of_DRAM()); + +yields different results depending on presence of memory holes (offline +memory blocks in between online memory). If there are no memory holes +limit == max_addr in memblock_enforce_memory_limit() and it does trim +online memory and reserved memory regions. With memory holes present it +actually does nothing. + +Since we already use memblock_remove() explicitly to trim online memory +regions to potential limit (think mem=, kdump, addressing limits, etc.) +drop the usage of memblock_enforce_memory_limit() altogether. Trimming +reserved regions should not be required, since we now use +memblock_set_current_limit() to limit allocations and any explicit memory +reservations above the limit is an actual problem we should not hide. + +Reviewed-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/setup.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/arch/s390/kernel/setup.c b/arch/s390/kernel/setup.c +index e8bfd29bb1f9f..098794fc5dc81 100644 +--- a/arch/s390/kernel/setup.c ++++ b/arch/s390/kernel/setup.c +@@ -703,9 +703,6 @@ static void __init setup_memory(void) + storage_key_init_range(reg->base, reg->base + reg->size); + } + psw_set_key(PAGE_DEFAULT_KEY); +- +- /* Only cosmetics */ +- memblock_enforce_memory_limit(memblock_end_of_DRAM()); + } + + /* +-- +2.33.0 + diff --git a/queue-4.19/scsi-iscsi-unblock-session-then-wake-up-error-handle.patch b/queue-4.19/scsi-iscsi-unblock-session-then-wake-up-error-handle.patch new file mode 100644 index 00000000000..758cfadc5ee --- /dev/null +++ b/queue-4.19/scsi-iscsi-unblock-session-then-wake-up-error-handle.patch @@ -0,0 +1,53 @@ +From 8702e10abcf6eb3a612ad5ce34a8f54c2da2124d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Nov 2021 17:10:47 -0500 +Subject: scsi: iscsi: Unblock session then wake up error handler + +From: Mike Christie + +[ Upstream commit a0c2f8b6709a9a4af175497ca65f93804f57b248 ] + +We can race where iscsi_session_recovery_timedout() has woken up the error +handler thread and it's now setting the devices to offline, and +session_recovery_timedout()'s call to scsi_target_unblock() is also trying +to set the device's state to transport-offline. We can then get a mix of +states. + +For the case where we can't relogin we want the devices to be in +transport-offline so when we have repaired the connection +__iscsi_unblock_session() can set the state back to running. + +Set the device state then call into libiscsi to wake up the error handler. + +Link: https://lore.kernel.org/r/20211105221048.6541-2-michael.christie@oracle.com +Reviewed-by: Lee Duncan +Signed-off-by: Mike Christie +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_transport_iscsi.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c +index c06e648a415b5..79581771e6f61 100644 +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -1892,12 +1892,12 @@ static void session_recovery_timedout(struct work_struct *work) + } + spin_unlock_irqrestore(&session->lock, flags); + +- if (session->transport->session_recovery_timedout) +- session->transport->session_recovery_timedout(session); +- + ISCSI_DBG_TRANS_SESSION(session, "Unblocking SCSI target\n"); + scsi_target_unblock(&session->dev, SDEV_TRANSPORT_OFFLINE); + ISCSI_DBG_TRANS_SESSION(session, "Completed unblocking SCSI target\n"); ++ ++ if (session->transport->session_recovery_timedout) ++ session->transport->session_recovery_timedout(session); + } + + static void __iscsi_unblock_session(struct work_struct *work) +-- +2.33.0 + diff --git a/queue-4.19/series b/queue-4.19/series index cbae3e13695..c741c5f2ff4 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -1,3 +1,16 @@ shm-extend-forced-shm-destroy-to-support-objects-from-several-ipc-nses.patch nfsv42-fix-pagecache-invalidation-after-copy-clone.patch of-clk-make-linux-of_clk.h-self-contained.patch +gfs2-fix-length-of-holes-reported-at-end-of-file.patch +atlantic-fix-oob-read-and-write-in-hw_atl_utils_fw_r.patch +net-return-correct-error-code.patch +platform-x86-thinkpad_acpi-fix-wwan-device-disabled-.patch +s390-setup-avoid-using-memblock_enforce_memory_limit.patch +btrfs-check-integrity-fix-a-warning-on-write-caching.patch +thermal-core-reset-previous-low-and-high-trip-during.patch +scsi-iscsi-unblock-session-then-wake-up-error-handle.patch +ata-ahci-add-green-sardine-vendor-id-as-board_ahci_m.patch +ethernet-hisilicon-hns-hns_dsaf_misc-fix-a-possible-.patch +net-tulip-de4x5-fix-the-problem-that-the-array-lp-ph.patch +net-ethernet-dec-tulip-de4x5-fix-possible-array-over.patch +perf-hist-fix-memory-leak-of-a-perf_hpp_fmt.patch diff --git a/queue-4.19/thermal-core-reset-previous-low-and-high-trip-during.patch b/queue-4.19/thermal-core-reset-previous-low-and-high-trip-during.patch new file mode 100644 index 00000000000..7d68f9c87a9 --- /dev/null +++ b/queue-4.19/thermal-core-reset-previous-low-and-high-trip-during.patch @@ -0,0 +1,50 @@ +From f578e1431119137c65b1c5a3bbcd1108a0b796e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Nov 2021 01:30:40 +0530 +Subject: thermal: core: Reset previous low and high trip during thermal zone + init + +From: Manaf Meethalavalappu Pallikunhi + +[ Upstream commit 99b63316c39988039965693f5f43d8b4ccb1c86c ] + +During the suspend is in process, thermal_zone_device_update bails out +thermal zone re-evaluation for any sensor trip violation without +setting next valid trip to that sensor. It assumes during resume +it will re-evaluate same thermal zone and update trip. But when it is +in suspend temperature goes down and on resume path while updating +thermal zone if temperature is less than previously violated trip, +thermal zone set trip function evaluates the same previous high and +previous low trip as new high and low trip. Since there is no change +in high/low trip, it bails out from thermal zone set trip API without +setting any trip. It leads to a case where sensor high trip or low +trip is disabled forever even though thermal zone has a valid high +or low trip. + +During thermal zone device init, reset thermal zone previous high +and low trip. It resolves above mentioned scenario. + +Signed-off-by: Manaf Meethalavalappu Pallikunhi +Reviewed-by: Thara Gopinath +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/thermal/thermal_core.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c +index ae60599c462b9..6c7825c581b5f 100644 +--- a/drivers/thermal/thermal_core.c ++++ b/drivers/thermal/thermal_core.c +@@ -454,6 +454,8 @@ static void thermal_zone_device_init(struct thermal_zone_device *tz) + { + struct thermal_instance *pos; + tz->temperature = THERMAL_TEMP_INVALID; ++ tz->prev_low_trip = -INT_MAX; ++ tz->prev_high_trip = INT_MAX; + list_for_each_entry(pos, &tz->thermal_instances, tz_node) + pos->initialized = false; + } +-- +2.33.0 + -- 2.47.2