From 28ba033af71acb1b9071ea1609d6ad7101f1a61a Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Thu, 20 Aug 2020 00:03:59 -0400 Subject: [PATCH] Fixes for 4.19 
Signed-off-by: Sasha Levin --- ...ix-potential-oops-in-snd_echo_resume.patch | 45 ++++ ...ix-return-value-check-in-atlas6_clk_.patch | 39 ++++ ...-blk_mq_queue_stopped-in-dm_stop_que.patch | 45 ++++ ...ix-two-list_for_each-loop-exit-tests.patch | 62 +++++ ...orrect-vmw_legacy_display_unit-point.patch | 54 +++++ ...block-limit-check-for-v1-filesystems.patch | 43 ++++ ...expected-error-message-in-block_to_p.patch | 78 +++++++ .../fs-minix-set-s_maxbytes-correctly.patch | 125 ++++++++++ ...otential-u32-multiplication-overflow.patch | 44 ++++ ...-convert-combine-rotate-no-rotate-ir.patch | 118 ++++++++++ ...-avoid-race-when-unregistering-slave.patch | 56 +++++ ...nly-send-stop-event-when-we-have-bee.patch | 55 +++++ ...ix-error-return-when-fsp_reg_write-f.patch | 39 ++++ ...-for-failure-of-a-call-to-omap_iommu.patch | 43 ++++ ...vt-d-enforce-pasid-devtlb-field-mask.patch | 40 ++++ ...ga-introduce-color-fmt-macros-and-re.patch | 83 +++++++ ...ga-only-set-output-csc-mode-for-rgb-.patch | 55 +++++ ...re-32k-clock-is-put-on-driver-unbind.patch | 65 ++++++ ...un-event-handler-loop-under-spinlock.patch | 68 ++++++ ..._internal_dmac-clean-up-the-code-for.patch | 64 ++++++ ...d-missed-clk_disable_unprepare-in-er.patch | 58 +++++ ...ttr-kernel-panic-and-memory-overflow.patch | 55 +++++ ...c-fix-oops-caused-when-dumping-stack.patch | 97 ++++++++ ...m-always-memset-source-before-memcpy.patch | 105 +++++++++ ...bcm-iproc-handle-clk_get_rate-return.patch | 55 +++++ ...fix-abba-deadlock-with-ipoib_reap_ah.patch | 217 ++++++++++++++++++ ...b-return-void-from-ipoib_ib_dev_stop.patch | 59 +++++ ...avoid-hang-use-after-free-again-when.patch | 48 ++++ ...c-ptrace-pkey-don-t-update-expected-.patch | 53 +++++ ...c-ptrace-pkey-rename-variables-to-ma.patch | 112 +++++++++ ...c-ptrace-pkey-update-the-test-to-mar.patch | 85 +++++++ queue-4.19/series | 39 ++++ ...issing-initialization-of-sh_io_port_.patch | 45 ++++ ...potential-double-free-in-trigger_con.patch | 65 ++++++ 
...ure-quote-cc-and-cxx-for-their-argum.patch | 93 ++++++++ ...d-feature-use-cc-and-cxx-from-parent.patch | 91 ++++++++ ...ftdi_sio-clean-up-receive-processing.patch | 75 ++++++ ...tdi_sio-fix-break-and-sysrq-handling.patch | 87 +++++++ ...sio-make-process-packet-buffer-unsig.patch | 96 ++++++++ ...itialize-device-before-misc_register.patch | 119 ++++++++++ 40 files changed, 2875 insertions(+) create mode 100644 queue-4.19/alsa-echoaudio-fix-potential-oops-in-snd_echo_resume.patch create mode 100644 queue-4.19/clk-clk-atlas6-fix-return-value-check-in-atlas6_clk_.patch create mode 100644 queue-4.19/dm-rq-don-t-call-blk_mq_queue_stopped-in-dm_stop_que.patch create mode 100644 queue-4.19/drm-vmwgfx-fix-two-list_for_each-loop-exit-tests.patch create mode 100644 queue-4.19/drm-vmwgfx-use-correct-vmw_legacy_display_unit-point.patch create mode 100644 queue-4.19/fs-minix-fix-block-limit-check-for-v1-filesystems.patch create mode 100644 queue-4.19/fs-minix-remove-expected-error-message-in-block_to_p.patch create mode 100644 queue-4.19/fs-minix-set-s_maxbytes-correctly.patch create mode 100644 queue-4.19/fs-ufs-avoid-potential-u32-multiplication-overflow.patch create mode 100644 queue-4.19/gpu-ipu-v3-image-convert-combine-rotate-no-rotate-ir.patch create mode 100644 queue-4.19/i2c-rcar-avoid-race-when-unregistering-slave.patch create mode 100644 queue-4.19/i2c-rcar-slave-only-send-stop-event-when-we-have-bee.patch create mode 100644 queue-4.19/input-sentelic-fix-error-return-when-fsp_reg_write-f.patch create mode 100644 queue-4.19/iommu-omap-check-for-failure-of-a-call-to-omap_iommu.patch create mode 100644 queue-4.19/iommu-vt-d-enforce-pasid-devtlb-field-mask.patch create mode 100644 queue-4.19/media-rockchip-rga-introduce-color-fmt-macros-and-re.patch create mode 100644 queue-4.19/media-rockchip-rga-only-set-output-csc-mode-for-rgb-.patch create mode 100644 queue-4.19/mfd-arizona-ensure-32k-clock-is-put-on-driver-unbind.patch create mode 100644 
queue-4.19/mfd-dln2-run-event-handler-loop-under-spinlock.patch create mode 100644 queue-4.19/mmc-renesas_sdhi_internal_dmac-clean-up-the-code-for.patch create mode 100644 queue-4.19/net-qcom-emac-add-missed-clk_disable_unprepare-in-er.patch create mode 100644 queue-4.19/nfs-fix-getxattr-kernel-panic-and-memory-overflow.patch create mode 100644 queue-4.19/openrisc-fix-oops-caused-when-dumping-stack.patch create mode 100644 queue-4.19/perf-bench-mem-always-memset-source-before-memcpy.patch create mode 100644 queue-4.19/pwm-bcm-iproc-handle-clk_get_rate-return.patch create mode 100644 queue-4.19/rdma-ipoib-fix-abba-deadlock-with-ipoib_reap_ah.patch create mode 100644 queue-4.19/rdma-ipoib-return-void-from-ipoib_ib_dev_stop.patch create mode 100644 queue-4.19/scsi-lpfc-nvmet-avoid-hang-use-after-free-again-when.patch create mode 100644 queue-4.19/selftests-powerpc-ptrace-pkey-don-t-update-expected-.patch create mode 100644 queue-4.19/selftests-powerpc-ptrace-pkey-rename-variables-to-ma.patch create mode 100644 queue-4.19/selftests-powerpc-ptrace-pkey-update-the-test-to-mar.patch create mode 100644 queue-4.19/sh-landisk-add-missing-initialization-of-sh_io_port_.patch create mode 100644 queue-4.19/test_kmod-avoid-potential-double-free-in-trigger_con.patch create mode 100644 queue-4.19/tools-build-feature-quote-cc-and-cxx-for-their-argum.patch create mode 100644 queue-4.19/tools-build-feature-use-cc-and-cxx-from-parent.patch create mode 100644 queue-4.19/usb-serial-ftdi_sio-clean-up-receive-processing.patch create mode 100644 queue-4.19/usb-serial-ftdi_sio-fix-break-and-sysrq-handling.patch create mode 100644 queue-4.19/usb-serial-ftdi_sio-make-process-packet-buffer-unsig.patch create mode 100644 queue-4.19/watchdog-initialize-device-before-misc_register.patch diff --git a/queue-4.19/alsa-echoaudio-fix-potential-oops-in-snd_echo_resume.patch b/queue-4.19/alsa-echoaudio-fix-potential-oops-in-snd_echo_resume.patch new file mode 100644 index 00000000000..e16ab282327 
--- /dev/null
+++ b/queue-4.19/alsa-echoaudio-fix-potential-oops-in-snd_echo_resume.patch
@@ -0,0 +1,45 @@
+From 56fdffca7de44e6adaf8ea90191339d46aff5443 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 13 Aug 2020 15:46:30 +0800
+Subject: ALSA: echoaudio: Fix potential Oops in snd_echo_resume()
+
+From: Dinghao Liu
+
+[ Upstream commit 5a25de6df789cc805a9b8ba7ab5deef5067af47e ]
+
+Freeing chip on error may lead to an Oops at the next time
+the system goes to resume. Fix this by removing all
+snd_echo_free() calls on error.
+
+Fixes: 47b5d028fdce8 ("ALSA: Echoaudio - Add suspend support #2")
+Signed-off-by: Dinghao Liu
+Link: https://lore.kernel.org/r/20200813074632.17022-1-dinghao.liu@zju.edu.cn
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/pci/echoaudio/echoaudio.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/sound/pci/echoaudio/echoaudio.c b/sound/pci/echoaudio/echoaudio.c
+index 3ef2b27ebbe8c..f32c55ffffc79 100644
+--- a/sound/pci/echoaudio/echoaudio.c
++++ b/sound/pci/echoaudio/echoaudio.c
+@@ -2216,7 +2216,6 @@ static int snd_echo_resume(struct device *dev)
+ if (err < 0) {
+ kfree(commpage_bak);
+ dev_err(dev, "resume init_hw err=%d\n", err);
+- snd_echo_free(chip);
+ return err;
+ }
+
+@@ -2243,7 +2242,6 @@ static int snd_echo_resume(struct device *dev)
+ if (request_irq(pci->irq, snd_echo_interrupt, IRQF_SHARED,
+ KBUILD_MODNAME, chip)) {
+ dev_err(chip->card->dev, "cannot grab irq\n");
+- snd_echo_free(chip);
+ return -EBUSY;
+ }
+ chip->irq = pci->irq;
+--
+2.25.1
+
diff --git a/queue-4.19/clk-clk-atlas6-fix-return-value-check-in-atlas6_clk_.patch b/queue-4.19/clk-clk-atlas6-fix-return-value-check-in-atlas6_clk_.patch
new file mode 100644
index 00000000000..34e3d868fb6
--- /dev/null
+++ b/queue-4.19/clk-clk-atlas6-fix-return-value-check-in-atlas6_clk_.patch
@@ -0,0 +1,39 @@
+From 7263005092837c6d5c9a6ea0bb6d9c99f7069a05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 13 Jul 2020 03:21:43 +0000
+Subject: clk: clk-atlas6: fix return value check in atlas6_clk_init()
+
+From: Xu Wang
+
+[ Upstream commit 12b90b40854a8461a02ef19f6f4474cc88d64b66 ]
+
+In case of error, the function clk_register() returns ERR_PTR()
+and never returns NULL. The NULL test in the return value check
+should be replaced with IS_ERR().
+
+Signed-off-by: Xu Wang
+Link: https://lore.kernel.org/r/20200713032143.21362-1-vulab@iscas.ac.cn
+Acked-by: Barry Song
+Fixes: 7bf21bc81f28 ("clk: sirf: re-arch to make the codes support both prima2 and atlas6")
+Signed-off-by: Stephen Boyd
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/sirf/clk-atlas6.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/sirf/clk-atlas6.c b/drivers/clk/sirf/clk-atlas6.c
+index 0cd11e6893afa..25ed60776560e 100644
+--- a/drivers/clk/sirf/clk-atlas6.c
++++ b/drivers/clk/sirf/clk-atlas6.c
+@@ -136,7 +136,7 @@ static void __init atlas6_clk_init(struct device_node *np)
+
+ for (i = pll1; i < maxclk; i++) {
+ atlas6_clks[i] = clk_register(NULL, atlas6_clk_hw_array[i]);
+- BUG_ON(!atlas6_clks[i]);
++ BUG_ON(IS_ERR(atlas6_clks[i]));
+ }
+ clk_register_clkdev(atlas6_clks[cpu], NULL, "cpu");
+ clk_register_clkdev(atlas6_clks[io], NULL, "io");
+--
+2.25.1
+
diff --git a/queue-4.19/dm-rq-don-t-call-blk_mq_queue_stopped-in-dm_stop_que.patch b/queue-4.19/dm-rq-don-t-call-blk_mq_queue_stopped-in-dm_stop_que.patch
new file mode 100644
index 00000000000..bccfabd43d5
--- /dev/null
+++ b/queue-4.19/dm-rq-don-t-call-blk_mq_queue_stopped-in-dm_stop_que.patch
@@ -0,0 +1,45 @@
+From c5c305f2347bd8f29b7438cf2b674433b68b9cbb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 19 Jun 2020 16:42:14 +0800
+Subject: dm rq: don't call blk_mq_queue_stopped() in dm_stop_queue()
+
+From: Ming Lei
+
+[ Upstream commit e766668c6cd49d741cfb49eaeb38998ba34d27bc ]
+
+dm_stop_queue() only uses blk_mq_quiesce_queue() so it doesn't
+formally stop the blk-mq queue; therefore there is no point making the
+blk_mq_queue_stopped() check -- it will never be stopped.
+
+In addition, even though dm_stop_queue() actually tries to quiesce hw
+queues via blk_mq_quiesce_queue(), checking with blk_queue_quiesced()
+to avoid unnecessary queue quiesce isn't reliable because: the
+QUEUE_FLAG_QUIESCED flag is set before synchronize_rcu() and
+dm_stop_queue() may be called when synchronize_rcu() from another
+blk_mq_quiesce_queue() is in-progress.
+
+Fixes: 7b17c2f7292ba ("dm: Fix a race condition related to stopping and starting queues")
+Signed-off-by: Ming Lei
+Signed-off-by: Mike Snitzer
+Signed-off-by: Sasha Levin
+---
+ drivers/md/dm-rq.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/md/dm-rq.c b/drivers/md/dm-rq.c
+index 4d36373e1c0f0..9fde174ce3961 100644
+--- a/drivers/md/dm-rq.c
++++ b/drivers/md/dm-rq.c
+@@ -95,9 +95,6 @@ static void dm_old_stop_queue(struct request_queue *q)
+
+ static void dm_mq_stop_queue(struct request_queue *q)
+ {
+- if (blk_mq_queue_stopped(q))
+- return;
+-
+ blk_mq_quiesce_queue(q);
+ }
+
+--
+2.25.1
+
diff --git a/queue-4.19/drm-vmwgfx-fix-two-list_for_each-loop-exit-tests.patch b/queue-4.19/drm-vmwgfx-fix-two-list_for_each-loop-exit-tests.patch
new file mode 100644
index 00000000000..71c371192ea
--- /dev/null
+++ b/queue-4.19/drm-vmwgfx-fix-two-list_for_each-loop-exit-tests.patch
@@ -0,0 +1,62 @@
+From 70dbff0b731a90b30ba63135ada0668410ef5401 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Jun 2020 13:39:59 +0300
+Subject: drm/vmwgfx: Fix two list_for_each loop exit tests
+
+From: Dan Carpenter
+
+[ Upstream commit 4437c1152ce0e57ab8f401aa696ea6291cc07ab1 ]
+
+These if statements are supposed to be true if we ended the
+list_for_each_entry() loops without hitting a break statement but they
+don't work.
+
+In the first loop, we increment "i" after the "if (i == unit)" condition
+so we don't necessarily know that "i" is not equal to unit at the end of
+the loop.
+
+In the second loop we exit when mode is not pointing to a valid
+drm_display_mode struct so it doesn't make sense to check "mode->type".
+
+Fixes: a278724aa23c ("drm/vmwgfx: Implement fbdev on kms v2")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Roland Scheidegger
+Signed-off-by: Roland Scheidegger
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+index 6a712a8d59e93..e486b6517ac55 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+@@ -2861,7 +2861,7 @@ int vmw_kms_fbdev_init_data(struct vmw_private *dev_priv,
+ ++i;
+ }
+
+- if (i != unit) {
++ if (&con->head == &dev_priv->dev->mode_config.connector_list) {
+ DRM_ERROR("Could not find initial display unit.\n");
+ ret = -EINVAL;
+ goto out_unlock;
+@@ -2885,13 +2885,13 @@ int vmw_kms_fbdev_init_data(struct vmw_private *dev_priv,
+ break;
+ }
+
+- if (mode->type & DRM_MODE_TYPE_PREFERRED)
+- *p_mode = mode;
+- else {
++ if (&mode->head == &con->modes) {
+ WARN_ONCE(true, "Could not find initial preferred mode.\n");
+ *p_mode = list_first_entry(&con->modes,
+ struct drm_display_mode,
+ head);
++ } else {
++ *p_mode = mode;
+ }
+
+ out_unlock:
+--
+2.25.1
+
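Review bot: Both new exit tests in vmw_kms_fbdev_init_data() rely on list_for_each_entry() leaving its cursor on the container of the list head when no `break` was taken, and nothing on the new lines says so. A one-line comment above each test would stop a later edit from dereferencing `con` or `mode` after a full traversal, for example `/* con wraps the list head here: the loop ended without a match */` before `if (&con->head == &dev_priv->dev->mode_config.connector_list)`, and the same wording before `if (&mode->head == &con->modes)`. The function starts and ends outside both hunks, so other uses of `con` and `mode` on these paths could not be checked from here.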
diff --git a/queue-4.19/drm-vmwgfx-use-correct-vmw_legacy_display_unit-point.patch b/queue-4.19/drm-vmwgfx-use-correct-vmw_legacy_display_unit-point.patch
new file mode 100644
index 00000000000..a56d19ebedb
--- /dev/null
+++ b/queue-4.19/drm-vmwgfx-use-correct-vmw_legacy_display_unit-point.patch
@@ -0,0 +1,54 @@
+From 892213c7dcdb12a1c9ce2ac0beed67c9bfee6ec4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Jun 2020 13:34:37 +0300
+Subject: drm/vmwgfx: Use correct vmw_legacy_display_unit pointer
+
+From: Dan Carpenter
+
+[ Upstream commit 1d2c0c565bc0da25f5e899a862fb58e612b222df ]
+
+The "entry" pointer is an offset from the list head and it doesn't
+point to a valid vmw_legacy_display_unit struct. Presumably the
+intent was to point to the last entry.
+
+Also the "i++" wasn't used so I have removed that as well.
+
+Fixes: d7e1958dbe4a ("drm/vmwgfx: Support older hardware.")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Roland Scheidegger
+Signed-off-by: Roland Scheidegger
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c b/drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c
+index 7235781171912..0743a73117000 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c
+@@ -79,7 +79,7 @@ static int vmw_ldu_commit_list(struct vmw_private *dev_priv)
+ struct vmw_legacy_display_unit *entry;
+ struct drm_framebuffer *fb = NULL;
+ struct drm_crtc *crtc = NULL;
+- int i = 0;
++ int i;
+
+ /* If there is no display topology the host just assumes
+ * that the guest will set the same layout as the host.
+@@ -90,12 +90,11 @@ static int vmw_ldu_commit_list(struct vmw_private *dev_priv)
+ crtc = &entry->base.crtc;
+ w = max(w, crtc->x + crtc->mode.hdisplay);
+ h = max(h, crtc->y + crtc->mode.vdisplay);
+- i++;
+ }
+
+ if (crtc == NULL)
+ return 0;
+- fb = entry->base.crtc.primary->state->fb;
++ fb = crtc->primary->state->fb;
+
+ return vmw_kms_write_svga(dev_priv, w, h, fb->pitches[0],
+ fb->format->cpp[0] * 8,
+--
+2.25.1
+
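Review bot: `fb` is dereferenced on the very next statement (`fb->pitches[0]`, `fb->format->cpp[0]`) with no NULL test after the new `fb = crtc->primary->state->fb;`. Whether the primary plane state of an active unit can have no framebuffer attached at this point is not visible in the hunk; if it can, this replaces the invalid `entry` access with a NULL dereference. A guard such as `if (!fb) return 0;` before the vmw_kms_write_svga() call would close it, with the return value to be confirmed against the callers. vmw_ldu_commit_list() continues outside the hunk, which is also where any remaining use of the now uninitialised `i` would have to be checked.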
diff --git a/queue-4.19/fs-minix-fix-block-limit-check-for-v1-filesystems.patch b/queue-4.19/fs-minix-fix-block-limit-check-for-v1-filesystems.patch
new file mode 100644
index 00000000000..ab171960852
--- /dev/null
+++ b/queue-4.19/fs-minix-fix-block-limit-check-for-v1-filesystems.patch
@@ -0,0 +1,43 @@
+From 2f8d9d6f05f397fe6e0a2a5d067c47079aab6d6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 11 Aug 2020 18:35:36 -0700
+Subject: fs/minix: fix block limit check for V1 filesystems
+
+From: Eric Biggers
+
+[ Upstream commit 0a12c4a8069607247cb8edc3b035a664e636fd9a ]
+
+The minix filesystem reads its maximum file size from its on-disk
+superblock. This value isn't necessarily a multiple of the block size.
+When it's not, the V1 block mapping code doesn't allow mapping the last
+possible block. Commit 6ed6a722f9ab ("minixfs: fix block limit check")
+fixed this in the V2 mapping code. Fix it in the V1 mapping code too.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Biggers
+Signed-off-by: Andrew Morton
+Cc: Alexander Viro
+Cc: Qiujun Huang
+Link: http://lkml.kernel.org/r/20200628060846.682158-6-ebiggers@kernel.org
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ fs/minix/itree_v1.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/minix/itree_v1.c b/fs/minix/itree_v1.c
+index c0d418209ead1..405573a79aab4 100644
+--- a/fs/minix/itree_v1.c
++++ b/fs/minix/itree_v1.c
+@@ -29,7 +29,7 @@ static int block_to_path(struct inode * inode, long block, int offsets[DEPTH])
+ if (block < 0) {
+ printk("MINIX-fs: block_to_path: block %ld < 0 on dev %pg\n",
+ block, inode->i_sb->s_bdev);
+- } else if (block >= inode->i_sb->s_maxbytes/BLOCK_SIZE) {
++ } else if ((u64)block * BLOCK_SIZE >= inode->i_sb->s_maxbytes) {
+ if (printk_ratelimit())
+ printk("MINIX-fs: block_to_path: "
+ "block %ld too big on dev %pg\n",
+--
+2.25.1
+
diff --git a/queue-4.19/fs-minix-remove-expected-error-message-in-block_to_p.patch b/queue-4.19/fs-minix-remove-expected-error-message-in-block_to_p.patch
new file mode 100644
index 00000000000..74dca282b33
--- /dev/null
+++ b/queue-4.19/fs-minix-remove-expected-error-message-in-block_to_p.patch
@@ -0,0 +1,78 @@ +From 84632fd316d9a064599d143522bea659acb7a07f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 18:35:39 -0700 +Subject: fs/minix: remove expected error message in block_to_path() + +From: Eric Biggers + +[ Upstream commit f666f9fb9a36f1c833b9d18923572f0e4d304754 ] + +When truncating a file to a size within the last allowed logical block, +block_to_path() is called with the *next* block. This exceeds the limit, +causing the "block %ld too big" error message to be printed. + +This case isn't actually an error; there are just no more blocks past that +point. So, remove this error message. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Biggers +Signed-off-by: Andrew Morton +Cc: Alexander Viro +Cc: Qiujun Huang +Link: http://lkml.kernel.org/r/20200628060846.682158-7-ebiggers@kernel.org +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/minix/itree_v1.c | 12 ++++++------ + fs/minix/itree_v2.c | 12 ++++++------ + 2 files changed, 12 insertions(+), 12 deletions(-) + +diff --git a/fs/minix/itree_v1.c b/fs/minix/itree_v1.c +index 405573a79aab4..1fed906042aa8 100644 +--- a/fs/minix/itree_v1.c ++++ b/fs/minix/itree_v1.c +@@ -29,12 +29,12 @@ static int block_to_path(struct inode * inode, long block, int offsets[DEPTH]) + if (block < 0) { + printk("MINIX-fs: block_to_path: block %ld < 0 on dev %pg\n", + block, inode->i_sb->s_bdev); +- } else if ((u64)block * BLOCK_SIZE >= inode->i_sb->s_maxbytes) { +- if (printk_ratelimit()) +- printk("MINIX-fs: block_to_path: " +- "block %ld too big on dev %pg\n", +- block, inode->i_sb->s_bdev); +- } else if (block < 7) { ++ return 0; ++ } ++ if ((u64)block * BLOCK_SIZE >= inode->i_sb->s_maxbytes) ++ return 0; ++ ++ if (block < 7) { + offsets[n++] = block; + } else if ((block -= 7) < 512) { + offsets[n++] = 7; +diff --git a/fs/minix/itree_v2.c b/fs/minix/itree_v2.c +index ee8af2f9e2828..9d00f31a2d9d1 100644 +--- a/fs/minix/itree_v2.c ++++ b/fs/minix/itree_v2.c +@@ -32,12 
+32,12 @@ static int block_to_path(struct inode * inode, long block, int offsets[DEPTH]) + if (block < 0) { + printk("MINIX-fs: block_to_path: block %ld < 0 on dev %pg\n", + block, sb->s_bdev); +- } else if ((u64)block * (u64)sb->s_blocksize >= sb->s_maxbytes) { +- if (printk_ratelimit()) +- printk("MINIX-fs: block_to_path: " +- "block %ld too big on dev %pg\n", +- block, sb->s_bdev); +- } else if (block < DIRCOUNT) { ++ return 0; ++ } ++ if ((u64)block * (u64)sb->s_blocksize >= sb->s_maxbytes) ++ return 0; ++ ++ if (block < DIRCOUNT) { + offsets[n++] = block; + } else if ((block -= DIRCOUNT) < INDIRCOUNT(sb)) { + offsets[n++] = DIRCOUNT; +-- +2.25.1 + diff --git a/queue-4.19/fs-minix-set-s_maxbytes-correctly.patch b/queue-4.19/fs-minix-set-s_maxbytes-correctly.patch new file mode 100644 index 00000000000..831876f2878 --- /dev/null +++ b/queue-4.19/fs-minix-set-s_maxbytes-correctly.patch 
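Review bot: The two new early `return 0;` paths in block_to_path() (both itree_v1.c and itree_v2.c) leave `offsets[]` unwritten, and nothing in the new code documents that a depth of 0 means "no such block". The out-of-range case is now silent, so that contract is the only thing telling a caller not to index `offsets[]`. I would add a comment above each function, along the lines of `/* Returns the path depth, or 0 if block is negative or at/after s_maxbytes; offsets[] is untouched in that case. */`. The callers are outside these hunks, so whether every one of them tests for 0 before using the array could not be confirmed here.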
@@ -0,0 +1,125 @@ +From 905c491129c3b1d7a65f6bdd109de6f33af8d19e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 18:35:33 -0700 +Subject: fs/minix: set s_maxbytes correctly + +From: Eric Biggers + +[ Upstream commit 32ac86efff91a3e4ef8c3d1cadd4559e23c8e73a ] + +The minix filesystem leaves super_block::s_maxbytes at MAX_NON_LFS rather +than setting it to the actual filesystem-specific limit. This is broken +because it means userspace doesn't see the standard behavior like getting +EFBIG and SIGXFSZ when exceeding the maximum file size. + +Fix this by setting s_maxbytes correctly. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Biggers +Signed-off-by: Andrew Morton +Cc: Alexander Viro +Cc: Qiujun Huang +Link: http://lkml.kernel.org/r/20200628060846.682158-5-ebiggers@kernel.org +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/minix/inode.c | 12 +++++++----- + fs/minix/itree_v1.c | 2 +- + fs/minix/itree_v2.c | 3 +-- + fs/minix/minix.h | 1 - + 4 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/fs/minix/inode.c b/fs/minix/inode.c +index 4f994de46e6b9..03fe8bac36cf4 100644 +--- a/fs/minix/inode.c ++++ b/fs/minix/inode.c +@@ -155,8 +155,10 @@ static int minix_remount (struct super_block * sb, int * flags, char * data) + return 0; + } + +-static bool minix_check_superblock(struct minix_sb_info *sbi) ++static bool minix_check_superblock(struct super_block *sb) + { ++ struct minix_sb_info *sbi = minix_sb(sb); ++ + if (sbi->s_imap_blocks == 0 || sbi->s_zmap_blocks == 0) + return false; + +@@ -166,7 +168,7 @@ static bool minix_check_superblock(struct minix_sb_info *sbi) + * of indirect blocks which places the limit well above U32_MAX. 
+ */ + if (sbi->s_version == MINIX_V1 && +- sbi->s_max_size > (7 + 512 + 512*512) * BLOCK_SIZE) ++ sb->s_maxbytes > (7 + 512 + 512*512) * BLOCK_SIZE) + return false; + + return true; +@@ -207,7 +209,7 @@ static int minix_fill_super(struct super_block *s, void *data, int silent) + sbi->s_zmap_blocks = ms->s_zmap_blocks; + sbi->s_firstdatazone = ms->s_firstdatazone; + sbi->s_log_zone_size = ms->s_log_zone_size; +- sbi->s_max_size = ms->s_max_size; ++ s->s_maxbytes = ms->s_max_size; + s->s_magic = ms->s_magic; + if (s->s_magic == MINIX_SUPER_MAGIC) { + sbi->s_version = MINIX_V1; +@@ -238,7 +240,7 @@ static int minix_fill_super(struct super_block *s, void *data, int silent) + sbi->s_zmap_blocks = m3s->s_zmap_blocks; + sbi->s_firstdatazone = m3s->s_firstdatazone; + sbi->s_log_zone_size = m3s->s_log_zone_size; +- sbi->s_max_size = m3s->s_max_size; ++ s->s_maxbytes = m3s->s_max_size; + sbi->s_ninodes = m3s->s_ninodes; + sbi->s_nzones = m3s->s_zones; + sbi->s_dirsize = 64; +@@ -250,7 +252,7 @@ static int minix_fill_super(struct super_block *s, void *data, int silent) + } else + goto out_no_fs; + +- if (!minix_check_superblock(sbi)) ++ if (!minix_check_superblock(s)) + goto out_illegal_sb; + + /* +diff --git a/fs/minix/itree_v1.c b/fs/minix/itree_v1.c +index 046cc96ee7adb..c0d418209ead1 100644 +--- a/fs/minix/itree_v1.c ++++ b/fs/minix/itree_v1.c +@@ -29,7 +29,7 @@ static int block_to_path(struct inode * inode, long block, int offsets[DEPTH]) + if (block < 0) { + printk("MINIX-fs: block_to_path: block %ld < 0 on dev %pg\n", + block, inode->i_sb->s_bdev); +- } else if (block >= (minix_sb(inode->i_sb)->s_max_size/BLOCK_SIZE)) { ++ } else if (block >= inode->i_sb->s_maxbytes/BLOCK_SIZE) { + if (printk_ratelimit()) + printk("MINIX-fs: block_to_path: " + "block %ld too big on dev %pg\n", +diff --git a/fs/minix/itree_v2.c b/fs/minix/itree_v2.c +index f7fc7eccccccd..ee8af2f9e2828 100644 +--- a/fs/minix/itree_v2.c ++++ b/fs/minix/itree_v2.c +@@ -32,8 +32,7 @@ static int 
block_to_path(struct inode * inode, long block, int offsets[DEPTH]) + if (block < 0) { + printk("MINIX-fs: block_to_path: block %ld < 0 on dev %pg\n", + block, sb->s_bdev); +- } else if ((u64)block * (u64)sb->s_blocksize >= +- minix_sb(sb)->s_max_size) { ++ } else if ((u64)block * (u64)sb->s_blocksize >= sb->s_maxbytes) { + if (printk_ratelimit()) + printk("MINIX-fs: block_to_path: " + "block %ld too big on dev %pg\n", +diff --git a/fs/minix/minix.h b/fs/minix/minix.h +index df081e8afcc3c..168d45d3de73e 100644 +--- a/fs/minix/minix.h ++++ b/fs/minix/minix.h +@@ -32,7 +32,6 @@ struct minix_sb_info { + unsigned long s_zmap_blocks; + unsigned long s_firstdatazone; + unsigned long s_log_zone_size; +- unsigned long s_max_size; + int s_dirsize; + int s_namelen; + struct buffer_head ** s_imap; +-- +2.25.1 + diff --git a/queue-4.19/fs-ufs-avoid-potential-u32-multiplication-overflow.patch b/queue-4.19/fs-ufs-avoid-potential-u32-multiplication-overflow.patch new file mode 100644 index 00000000000..ce0ebbafc02 --- /dev/null +++ b/queue-4.19/fs-ufs-avoid-potential-u32-multiplication-overflow.patch 
@@ -0,0 +1,44 @@
+From fea88c24d4cb5dede3c36c4a0fc31c628cf7a257 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 11 Aug 2020 18:35:53 -0700
+Subject: fs/ufs: avoid potential u32 multiplication overflow
+
+From: Colin Ian King
+
+[ Upstream commit 88b2e9b06381551b707d980627ad0591191f7a2d ]
+
+The 64 bit ino is being compared to the product of two u32 values,
+however, the multiplication is being performed using a 32 bit multiply so
+there is a potential of an overflow. To be fully safe, cast uspi->s_ncg
+to a u64 to ensure a 64 bit multiplication occurs to avoid any chance of
+overflow.
+
+Fixes: f3e2a520f5fb ("ufs: NFS support")
+Signed-off-by: Colin Ian King
+Signed-off-by: Andrew Morton
+Cc: Evgeniy Dushistov
+Cc: Alexey Dobriyan
+Link: http://lkml.kernel.org/r/20200715170355.1081713-1-colin.king@canonical.com
+Addresses-Coverity: ("Unintentional integer overflow")
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ fs/ufs/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ufs/super.c b/fs/ufs/super.c
+index a4e07e910f1b4..6e59e45d7bfbd 100644
+--- a/fs/ufs/super.c
++++ b/fs/ufs/super.c
+@@ -100,7 +100,7 @@ static struct inode *ufs_nfs_get_inode(struct super_block *sb, u64 ino, u32 gene
+ struct ufs_sb_private_info *uspi = UFS_SB(sb)->s_uspi;
+ struct inode *inode;
+
+- if (ino < UFS_ROOTINO || ino > uspi->s_ncg * uspi->s_ipg)
++ if (ino < UFS_ROOTINO || ino > (u64)uspi->s_ncg * uspi->s_ipg)
+ return ERR_PTR(-ESTALE);
+
+ inode = ufs_iget(sb, ino);
+--
+2.25.1
+
diff --git a/queue-4.19/gpu-ipu-v3-image-convert-combine-rotate-no-rotate-ir.patch b/queue-4.19/gpu-ipu-v3-image-convert-combine-rotate-no-rotate-ir.patch
new file mode 100644
index 00000000000..1fafaf08f47
--- /dev/null
+++ b/queue-4.19/gpu-ipu-v3-image-convert-combine-rotate-no-rotate-ir.patch
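Review bot: The widened comparison in ufs_nfs_get_inode() still uses `>`, so `ino == s_ncg * s_ipg` is handed to ufs_iget(). If inode numbers run from 0 to `s_ncg * s_ipg - 1`, which is my reading but is not shown in this hunk, that value is one past the last inode, and `ino` here presumably comes from a client-supplied NFS file handle. In that case the bound should read `ino >= (u64)uspi->s_ncg * uspi->s_ipg`. Any other range check built from the same 32-bit product outside this hunk, ufs_iget() itself being the obvious candidate, would need the same `(u64)` cast for this fix to hold end to end.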
@@ -0,0 +1,118 @@ +From 0ab8875052a40e42be46ddb4d37f1a84e3356c02 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Jun 2020 15:40:37 -0700 +Subject: gpu: ipu-v3: image-convert: Combine rotate/no-rotate irq handlers + +From: Steve Longerbeam + +[ Upstream commit 0f6245f42ce9b7e4d20f2cda8d5f12b55a44d7d1 ] + +Combine the rotate_irq() and norotate_irq() handlers into a single +eof_irq() handler. + +Signed-off-by: Steve Longerbeam +Signed-off-by: Philipp Zabel +Signed-off-by: Sasha Levin +--- + drivers/gpu/ipu-v3/ipu-image-convert.c | 58 +++++++++----------------- + 1 file changed, 20 insertions(+), 38 deletions(-) + +diff --git a/drivers/gpu/ipu-v3/ipu-image-convert.c b/drivers/gpu/ipu-v3/ipu-image-convert.c +index 91653adc41cc4..cdaf1d74e31a2 100644 +--- a/drivers/gpu/ipu-v3/ipu-image-convert.c ++++ b/drivers/gpu/ipu-v3/ipu-image-convert.c +@@ -998,9 +998,10 @@ static irqreturn_t do_irq(struct ipu_image_convert_run *run) + return IRQ_WAKE_THREAD; + } + +-static irqreturn_t norotate_irq(int irq, void *data) ++static irqreturn_t eof_irq(int irq, void *data) + { + struct ipu_image_convert_chan *chan = data; ++ struct ipu_image_convert_priv *priv = chan->priv; + struct ipu_image_convert_ctx *ctx; + struct ipu_image_convert_run *run; + unsigned long flags; +@@ -1017,45 +1018,26 @@ static irqreturn_t norotate_irq(int irq, void *data) + + ctx = run->ctx; + +- if (ipu_rot_mode_is_irt(ctx->rot_mode)) { +- /* this is a rotation operation, just ignore */ +- spin_unlock_irqrestore(&chan->irqlock, flags); +- return IRQ_HANDLED; +- } +- +- ret = do_irq(run); +-out: +- spin_unlock_irqrestore(&chan->irqlock, flags); +- return ret; +-} +- +-static irqreturn_t rotate_irq(int irq, void *data) +-{ +- struct ipu_image_convert_chan *chan = data; +- struct ipu_image_convert_priv *priv = chan->priv; +- struct ipu_image_convert_ctx *ctx; +- struct ipu_image_convert_run *run; +- unsigned long flags; +- irqreturn_t ret; +- +- spin_lock_irqsave(&chan->irqlock, flags); +- +- /* get 
current run and its context */ +- run = chan->current_run; +- if (!run) { ++ if (irq == chan->out_eof_irq) { ++ if (ipu_rot_mode_is_irt(ctx->rot_mode)) { ++ /* this is a rotation op, just ignore */ ++ ret = IRQ_HANDLED; ++ goto out; ++ } ++ } else if (irq == chan->rot_out_eof_irq) { ++ if (!ipu_rot_mode_is_irt(ctx->rot_mode)) { ++ /* this was NOT a rotation op, shouldn't happen */ ++ dev_err(priv->ipu->dev, ++ "Unexpected rotation interrupt\n"); ++ ret = IRQ_HANDLED; ++ goto out; ++ } ++ } else { ++ dev_err(priv->ipu->dev, "Received unknown irq %d\n", irq); + ret = IRQ_NONE; + goto out; + } + +- ctx = run->ctx; +- +- if (!ipu_rot_mode_is_irt(ctx->rot_mode)) { +- /* this was NOT a rotation operation, shouldn't happen */ +- dev_err(priv->ipu->dev, "Unexpected rotation interrupt\n"); +- spin_unlock_irqrestore(&chan->irqlock, flags); +- return IRQ_HANDLED; +- } +- + ret = do_irq(run); + out: + spin_unlock_irqrestore(&chan->irqlock, flags); +@@ -1148,7 +1130,7 @@ static int get_ipu_resources(struct ipu_image_convert_chan *chan) + chan->out_chan, + IPU_IRQ_EOF); + +- ret = request_threaded_irq(chan->out_eof_irq, norotate_irq, do_bh, ++ ret = request_threaded_irq(chan->out_eof_irq, eof_irq, do_bh, + 0, "ipu-ic", chan); + if (ret < 0) { + dev_err(priv->ipu->dev, "could not acquire irq %d\n", +@@ -1161,7 +1143,7 @@ static int get_ipu_resources(struct ipu_image_convert_chan *chan) + chan->rotation_out_chan, + IPU_IRQ_EOF); + +- ret = request_threaded_irq(chan->rot_out_eof_irq, rotate_irq, do_bh, ++ ret = request_threaded_irq(chan->rot_out_eof_irq, eof_irq, do_bh, + 0, "ipu-ic", chan); + if (ret < 0) { + dev_err(priv->ipu->dev, "could not acquire irq %d\n", +-- +2.25.1 + diff --git a/queue-4.19/i2c-rcar-avoid-race-when-unregistering-slave.patch b/queue-4.19/i2c-rcar-avoid-race-when-unregistering-slave.patch new file mode 100644 index 00000000000..4ecde14e9b5 --- /dev/null +++ b/queue-4.19/i2c-rcar-avoid-race-when-unregistering-slave.patch 
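Review bot: The two `dev_err()` calls on the new error branches of eof_irq() run in hard-interrupt context with `chan->irqlock` held and interrupts disabled, and neither is rate limited. A device that keeps raising the unexpected rotation interrupt, or an irq number that matches neither channel, would print on every interrupt and stretch the time spent under the lock. I would switch both to the rate-limited form, e.g. `dev_err_ratelimited(priv->ipu->dev, "Received unknown irq %d\n", irq);`. Part of the eof_irq() body lies between the two hunks and is not visible, so the locking around `chan->current_run` was taken as shown in the context lines.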
@@ -0,0 +1,56 @@
+From 15af14735f7396a69097107215ae9c118cdc2a02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 26 Jul 2020 18:16:06 +0200
+Subject: i2c: rcar: avoid race when unregistering slave
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wolfram Sang
+
+[ Upstream commit c7c9e914f9a0478fba4dc6f227cfd69cf84a4063 ]
+
+Due to the lockless design of the driver, it is theoretically possible
+to access a NULL pointer, if a slave interrupt was running while we were
+unregistering the slave. To make this rock solid, disable the interrupt
+for a short time while we are clearing the interrupt_enable register.
+This patch is purely based on code inspection. The OOPS is super-hard to
+trigger because clearing SAR (the address) makes interrupts even more
+unlikely to happen as well. While here, reinit SCR to SDBS because this
+bit should always be set according to documentation. There is no effect,
+though, because the interface is disabled.
+
+Fixes: 7b814d852af6 ("i2c: rcar: avoid race when unregistering slave client")
+Signed-off-by: Wolfram Sang
+Reviewed-by: Niklas Söderlund
+Signed-off-by: Wolfram Sang
+Signed-off-by: Sasha Levin
+---
+ drivers/i2c/busses/i2c-rcar.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-rcar.c b/drivers/i2c/busses/i2c-rcar.c
+index 11d1977616858..dcdce18fc7062 100644
+--- a/drivers/i2c/busses/i2c-rcar.c
++++ b/drivers/i2c/busses/i2c-rcar.c
+@@ -861,12 +861,14 @@ static int rcar_unreg_slave(struct i2c_client *slave)
+
+ WARN_ON(!priv->slave);
+
+- /* disable irqs and ensure none is running before clearing ptr */
++ /* ensure no irq is running before clearing ptr */
++ disable_irq(priv->irq);
+ rcar_i2c_write(priv, ICSIER, 0);
+- rcar_i2c_write(priv, ICSCR, 0);
++ rcar_i2c_write(priv, ICSSR, 0);
++ enable_irq(priv->irq);
++ rcar_i2c_write(priv, ICSCR, SDBS);
+ rcar_i2c_write(priv, ICSAR, 0); /* Gen2: must be 0 if not using slave */
+
+- synchronize_irq(priv->irq);
+ priv->slave = NULL;
+
+ pm_runtime_put(rcar_i2c_priv_to_dev(priv));
+--
+2.25.1
+
diff --git a/queue-4.19/i2c-rcar-slave-only-send-stop-event-when-we-have-bee.patch b/queue-4.19/i2c-rcar-slave-only-send-stop-event-when-we-have-bee.patch
new file mode 100644
index 00000000000..33da5f922e1
--- /dev/null
+++ b/queue-4.19/i2c-rcar-slave-only-send-stop-event-when-we-have-bee.patch
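Review bot: The shortened comment in rcar_unreg_slave() no longer explains why `priv->slave = NULL` is safe once it sits after enable_irq() with synchronize_irq() removed. As written the hunk depends on ICSIER and ICSSR being cleared inside the disable_irq()/enable_irq() window, so that no slave interrupt is raised after the line is re-enabled. I would state that at the site, e.g. `/* mask and ack slave irqs with the line disabled, so the handler cannot see priv->slave after enable_irq() */`. Without it the dropped synchronize_irq() reads like a regression to the next maintainer; the function starts and ends outside the hunk.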
@@ -0,0 +1,55 @@
+From 59ed85d3b71681aab843a70eb1d9a56318a59475 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 29 Jun 2020 17:38:07 +0200
+Subject: i2c: rcar: slave: only send STOP event when we have been addressed
+
+From: Wolfram Sang
+
+[ Upstream commit 314139f9f0abdba61ed9a8463bbcb0bf900ac5a2 ]
+
+When the SSR interrupt is activated, it will detect every STOP condition
+on the bus, not only the ones after we have been addressed. So, enable
+this interrupt only after we have been addressed, and disable it
+otherwise.
+
+Fixes: de20d1857dd6 ("i2c: rcar: add slave support")
+Signed-off-by: Wolfram Sang
+Signed-off-by: Wolfram Sang
+Signed-off-by: Sasha Levin
+---
+ drivers/i2c/busses/i2c-rcar.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-rcar.c b/drivers/i2c/busses/i2c-rcar.c
+index 6e49e438ef5a5..11d1977616858 100644
+--- a/drivers/i2c/busses/i2c-rcar.c
++++ b/drivers/i2c/busses/i2c-rcar.c
+@@ -587,13 +587,14 @@ static bool rcar_i2c_slave_irq(struct rcar_i2c_priv *priv)
+ rcar_i2c_write(priv, ICSIER, SDR | SSR | SAR);
+ }
+
+- rcar_i2c_write(priv, ICSSR, ~SAR & 0xff);
++ /* Clear SSR, too, because of old STOPs to other clients than us */
++ rcar_i2c_write(priv, ICSSR, ~(SAR | SSR) & 0xff);
+ }
+
+ /* master sent stop */
+ if (ssr_filtered & SSR) {
+ i2c_slave_event(priv->slave, I2C_SLAVE_STOP, &value);
+- rcar_i2c_write(priv, ICSIER, SAR | SSR);
++ rcar_i2c_write(priv, ICSIER, SAR);
+ rcar_i2c_write(priv, ICSSR, ~SSR & 0xff);
+ }
+
+@@ -848,7 +849,7 @@ static int rcar_reg_slave(struct i2c_client *slave)
+ priv->slave = slave;
+ rcar_i2c_write(priv, ICSAR, slave->addr);
+ rcar_i2c_write(priv, ICSSR, 0);
+- rcar_i2c_write(priv, ICSIER, SAR | SSR);
++ rcar_i2c_write(priv, ICSIER, SAR);
+ rcar_i2c_write(priv, ICSCR, SIE | SDBS);
+
+ return 0;
+--
+2.25.1
+
diff --git a/queue-4.19/input-sentelic-fix-error-return-when-fsp_reg_write-f.patch b/queue-4.19/input-sentelic-fix-error-return-when-fsp_reg_write-f.patch
new file mode 100644
index 00000000000..2e759d5d5a5
--- /dev/null
+++ b/queue-4.19/input-sentelic-fix-error-return-when-fsp_reg_write-f.patch
@@ -0,0 +1,39 @@
+From f3638a8b393c66d78983c452601ba6c7347dec35 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 6 Aug 2020 15:35:34 -0700
+Subject: Input: sentelic - fix error return when fsp_reg_write fails
+
+From: Colin Ian King
+
+[ Upstream commit ea38f06e0291986eb93beb6d61fd413607a30ca4 ]
+
+Currently when the call to fsp_reg_write fails -EIO is not being returned
+because the count is being returned instead of the return value in retval.
+Fix this by returning the value in retval instead of count.
+
+Addresses-Coverity: ("Unused value")
+Fixes: fc69f4a6af49 ("Input: add new driver for Sentelic Finger Sensing Pad")
+Signed-off-by: Colin Ian King
+Link: https://lore.kernel.org/r/20200603141218.131663-1-colin.king@canonical.com
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Sasha Levin
+---
+ drivers/input/mouse/sentelic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/input/mouse/sentelic.c b/drivers/input/mouse/sentelic.c
+index 1d6010d463e2c..022a8cb58a066 100644
+--- a/drivers/input/mouse/sentelic.c
++++ b/drivers/input/mouse/sentelic.c
+@@ -454,7 +454,7 @@ static ssize_t fsp_attr_set_setreg(struct psmouse *psmouse, void *data,
+
+ fsp_reg_write_enable(psmouse, false);
+
+- return count;
++ return retval;
+ }
+
+ PSMOUSE_DEFINE_WO_ATTR(setreg, S_IWUSR, NULL, fsp_attr_set_setreg);
+--
+2.25.1
+
diff --git a/queue-4.19/iommu-omap-check-for-failure-of-a-call-to-omap_iommu.patch b/queue-4.19/iommu-omap-check-for-failure-of-a-call-to-omap_iommu.patch
new file mode 100644
index 00000000000..d99362dee90
--- /dev/null
+++ b/queue-4.19/iommu-omap-check-for-failure-of-a-call-to-omap_iommu.patch
@@ -0,0 +1,43 @@
+From 68e532cce3d0ef8cf9d9c41057668ead9c18a72b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 14 Jul 2020 20:22:11 +0100
+Subject: iommu/omap: Check for failure of a call to omap_iommu_dump_ctx
+
+From: Colin Ian King
+
+[ Upstream commit dee9d154f40c58d02f69acdaa5cfd1eae6ebc28b ]
+
+It is possible for the call to omap_iommu_dump_ctx to return
+a negative error number, so check for the failure and return
+the error number rather than pass the negative value to
+simple_read_from_buffer.
+
+Fixes: 14e0e6796a0d ("OMAP: iommu: add initial debugfs support")
+Signed-off-by: Colin Ian King
+Link: https://lore.kernel.org/r/20200714192211.744776-1-colin.king@canonical.com
+Addresses-Coverity: ("Improper use of negative value")
+Signed-off-by: Joerg Roedel
+Signed-off-by: Sasha Levin
+---
+ drivers/iommu/omap-iommu-debug.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/iommu/omap-iommu-debug.c b/drivers/iommu/omap-iommu-debug.c
+index 50217548c3b8e..5ce55fabc9d80 100644
+--- a/drivers/iommu/omap-iommu-debug.c
++++ b/drivers/iommu/omap-iommu-debug.c
+@@ -101,8 +101,11 @@ static ssize_t debug_read_regs(struct file *file, char __user *userbuf,
+ mutex_lock(&iommu_debug_lock);
+
+ bytes = omap_iommu_dump_ctx(obj, p, count);
++ if (bytes < 0)
++ goto err;
+ bytes = simple_read_from_buffer(userbuf, count, ppos, buf, bytes);
+
++err:
+ mutex_unlock(&iommu_debug_lock);
+ kfree(buf);
+
+--
+2.25.1
+
diff --git a/queue-4.19/iommu-vt-d-enforce-pasid-devtlb-field-mask.patch b/queue-4.19/iommu-vt-d-enforce-pasid-devtlb-field-mask.patch
new file mode 100644
index 00000000000..8e23a60dbd2
--- /dev/null
+++ b/queue-4.19/iommu-vt-d-enforce-pasid-devtlb-field-mask.patch
@@ -0,0 +1,40 @@
+From 465a125784d2da826c1d4cff5fa75fc03a784062 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 24 Jul 2020 09:49:14 +0800
+Subject: iommu/vt-d: Enforce PASID devTLB field mask
+
+From: Liu Yi L
+
+[ Upstream commit 5f77d6ca5ca74e4b4a5e2e010f7ff50c45dea326 ]
+
+Set proper masks to avoid invalid input spillover to reserved bits.
+
+Signed-off-by: Liu Yi L
+Signed-off-by: Jacob Pan
+Signed-off-by: Lu Baolu
+Reviewed-by: Eric Auger
+Link: https://lore.kernel.org/r/20200724014925.15523-2-baolu.lu@linux.intel.com
+Signed-off-by: Joerg Roedel
+Signed-off-by: Sasha Levin
+---
+ include/linux/intel-iommu.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/intel-iommu.h b/include/linux/intel-iommu.h
+index b1b4411b4c6b8..539f4a84412f4 100644
+--- a/include/linux/intel-iommu.h
++++ b/include/linux/intel-iommu.h
+@@ -308,8 +308,8 @@ enum {
+
+ #define QI_DEV_EIOTLB_ADDR(a) ((u64)(a) & VTD_PAGE_MASK)
+ #define QI_DEV_EIOTLB_SIZE (((u64)1) << 11)
+-#define QI_DEV_EIOTLB_GLOB(g) ((u64)g)
+-#define QI_DEV_EIOTLB_PASID(p) (((u64)p) << 32)
++#define QI_DEV_EIOTLB_GLOB(g) ((u64)(g) & 0x1)
++#define QI_DEV_EIOTLB_PASID(p) ((u64)((p) & 0xfffff) << 32)
+ #define QI_DEV_EIOTLB_SID(sid) ((u64)((sid) & 0xffff) << 16)
+ #define QI_DEV_EIOTLB_QDEP(qd) ((u64)((qd) & 0x1f) << 4)
+ #define QI_DEV_EIOTLB_PFSID(pfsid) (((u64)(pfsid & 0xf) << 12) | \
+--
+2.25.1
+
diff --git a/queue-4.19/media-rockchip-rga-introduce-color-fmt-macros-and-re.patch b/queue-4.19/media-rockchip-rga-introduce-color-fmt-macros-and-re.patch
new file mode 100644
index 00000000000..db018f4e9bd
--- /dev/null
+++ b/queue-4.19/media-rockchip-rga-introduce-color-fmt-macros-and-re.patch
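Review bot: QI_DEV_EIOTLB_GLOB() and QI_DEV_EIOTLB_PASID() now truncate an out-of-range argument silently, so a caller passing a PASID wider than the 0xfffff mask would build a descriptor that names a different, valid-looking PASID instead of failing. The masks keep the reserved bits clean, but range validation presumably belongs at the call sites, which are not visible here; at minimum add a comment such as `/* masks only keep reserved bits clear; callers must validate the PASID range */`. The unchanged QI_DEV_EIOTLB_PFSID() line still expands `pfsid & 0xf` without parentheses around the argument and could be tightened in the same pass to `(((u64)((pfsid) & 0xf) << 12) | \`; that macro continues past the end of the hunk.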
@@ -0,0 +1,83 @@
+From 29bd817d87c4bb739af5b1f0720255dd075907eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 30 Apr 2020 18:42:44 +0200
+Subject: media: rockchip: rga: Introduce color fmt macros and refactor CSC
+ mode logic
+
+From: Paul Kocialkowski
+
+[ Upstream commit ded874ece29d3fe2abd3775810a06056067eb68c ]
+
+This introduces two macros: RGA_COLOR_FMT_IS_YUV and RGA_COLOR_FMT_IS_RGB
+which allow quick checking of the colorspace familily of a RGA color format.
+
+These macros are then used to refactor the logic for CSC mode selection.
+The two nested tests for input colorspace are simplified into a single one,
+with a logical and, making the whole more readable.
+
+Signed-off-by: Paul Kocialkowski
+Reviewed-by: Ezequiel Garcia
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/platform/rockchip/rga/rga-hw.c | 23 +++++++++-----------
+ drivers/media/platform/rockchip/rga/rga-hw.h | 5 +++++
+ 2 files changed, 15 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/media/platform/rockchip/rga/rga-hw.c b/drivers/media/platform/rockchip/rga/rga-hw.c
+index 96d1b1b3fe8e8..6d12491b79d78 100644
+--- a/drivers/media/platform/rockchip/rga/rga-hw.c
++++ b/drivers/media/platform/rockchip/rga/rga-hw.c
+@@ -208,22 +208,19 @@ static void rga_cmd_set_trans_info(struct rga_ctx *ctx)
+ dst_info.data.format = ctx->out.fmt->hw_format;
+ dst_info.data.swap = ctx->out.fmt->color_swap;
+
+- if (ctx->in.fmt->hw_format >= RGA_COLOR_FMT_YUV422SP) {
+- if (ctx->out.fmt->hw_format < RGA_COLOR_FMT_YUV422SP) {
+- switch (ctx->in.colorspace) {
+- case V4L2_COLORSPACE_REC709:
+- src_info.data.csc_mode =
+- RGA_SRC_CSC_MODE_BT709_R0;
+- break;
+- default:
+- src_info.data.csc_mode =
+- RGA_SRC_CSC_MODE_BT601_R0;
+- break;
+- }
++ if (RGA_COLOR_FMT_IS_YUV(ctx->in.fmt->hw_format) &&
++ RGA_COLOR_FMT_IS_RGB(ctx->out.fmt->hw_format)) {
++ switch (ctx->in.colorspace) {
++ case V4L2_COLORSPACE_REC709:
++
src_info.data.csc_mode = RGA_SRC_CSC_MODE_BT709_R0;
++ break;
++ default:
++ src_info.data.csc_mode = RGA_SRC_CSC_MODE_BT601_R0;
++ break;
+ }
+ }
+
+- if (ctx->out.fmt->hw_format >= RGA_COLOR_FMT_YUV422SP) {
++ if (RGA_COLOR_FMT_IS_YUV(ctx->out.fmt->hw_format)) {
+ switch (ctx->out.colorspace) {
+ case V4L2_COLORSPACE_REC709:
+ dst_info.data.csc_mode = RGA_SRC_CSC_MODE_BT709_R0;
+diff --git a/drivers/media/platform/rockchip/rga/rga-hw.h b/drivers/media/platform/rockchip/rga/rga-hw.h
+index ca3c204abe420..3e4b70eb9ced5 100644
+--- a/drivers/media/platform/rockchip/rga/rga-hw.h
++++ b/drivers/media/platform/rockchip/rga/rga-hw.h
+@@ -103,6 +103,11 @@
+ #define RGA_COLOR_FMT_CP_8BPP 15
+ #define RGA_COLOR_FMT_MASK 15
+
++#define RGA_COLOR_FMT_IS_YUV(fmt) \
++ (((fmt) >= RGA_COLOR_FMT_YUV422SP) && ((fmt) < RGA_COLOR_FMT_CP_1BPP))
++#define RGA_COLOR_FMT_IS_RGB(fmt) \
++ ((fmt) < RGA_COLOR_FMT_YUV422SP)
++
+ #define RGA_COLOR_NONE_SWAP 0
+ #define RGA_COLOR_RB_SWAP 1
+ #define RGA_COLOR_ALPHA_SWAP 2
+--
+2.25.1
+
diff --git a/queue-4.19/media-rockchip-rga-only-set-output-csc-mode-for-rgb-.patch b/queue-4.19/media-rockchip-rga-only-set-output-csc-mode-for-rgb-.patch
new file mode 100644
index 00000000000..59ac2e232d5
--- /dev/null
+++ b/queue-4.19/media-rockchip-rga-only-set-output-csc-mode-for-rgb-.patch
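Review bot: RGA_COLOR_FMT_IS_YUV() in rga-hw.h expands its argument twice, so it is only safe while every caller passes a side-effect-free expression such as `ctx->in.fmt->hw_format`. Both new macros also depend on the numeric ordering of the RGA_COLOR_FMT_* values (RGB below RGA_COLOR_FMT_YUV422SP, YUV below RGA_COLOR_FMT_CP_1BPP), and nothing next to them says so. I would turn the pair into small static inline helpers taking an unsigned format value, or keep the macros and add `/* relies on RGA_COLOR_FMT_* ordering: RGB < YUV422SP <= YUV < CP_1BPP */` above them so a later renumbering does not silently change which branch of rga_cmd_set_trans_info() runs.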
@@ -0,0 +1,55 @@
+From 39e94c687dd9d4dfd2c4b8d06f55e2bc88a8e647 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 30 Apr 2020 18:42:45 +0200
+Subject: media: rockchip: rga: Only set output CSC mode for RGB input
+
+From: Paul Kocialkowski
+
+[ Upstream commit 0f879bab72f47e8ba2421a984e7acfa763d3e84e ]
+
+Setting the output CSC mode is required for a YUV output, but must not
+be set when the input is also YUV. Doing this (as tested with a YUV420P
+to YUV420P conversion) results in wrong colors.
+
+Adapt the logic to only set the output CSC mode when the output is YUV and
+the input is RGB. Also add a comment to clarify the rationale.
+
+Fixes: f7e7b48e6d79 ("[media] rockchip/rga: v4l2 m2m support")
+Signed-off-by: Paul Kocialkowski
+Reviewed-by: Ezequiel Garcia
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/platform/rockchip/rga/rga-hw.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/rockchip/rga/rga-hw.c b/drivers/media/platform/rockchip/rga/rga-hw.c
+index 6d12491b79d78..681de42f12e9a 100644
+--- a/drivers/media/platform/rockchip/rga/rga-hw.c
++++ b/drivers/media/platform/rockchip/rga/rga-hw.c
+@@ -208,6 +208,11 @@ static void rga_cmd_set_trans_info(struct rga_ctx *ctx)
+ dst_info.data.format = ctx->out.fmt->hw_format;
+ dst_info.data.swap = ctx->out.fmt->color_swap;
+
++ /*
++ * CSC mode must only be set when the colorspace families differ between
++ * input and output. It must remain unset (zeroed) if both are the same.
++ */
++
+ if (RGA_COLOR_FMT_IS_YUV(ctx->in.fmt->hw_format) &&
+ RGA_COLOR_FMT_IS_RGB(ctx->out.fmt->hw_format)) {
+ switch (ctx->in.colorspace) {
+@@ -220,7 +225,8 @@ static void rga_cmd_set_trans_info(struct rga_ctx *ctx)
+ }
+ }
+
+- if (RGA_COLOR_FMT_IS_YUV(ctx->out.fmt->hw_format)) {
++ if (RGA_COLOR_FMT_IS_RGB(ctx->in.fmt->hw_format) &&
++ RGA_COLOR_FMT_IS_YUV(ctx->out.fmt->hw_format)) {
+ switch (ctx->out.colorspace) {
+ case V4L2_COLORSPACE_REC709:
+ dst_info.data.csc_mode = RGA_SRC_CSC_MODE_BT709_R0;
+--
+2.25.1
+
diff --git a/queue-4.19/mfd-arizona-ensure-32k-clock-is-put-on-driver-unbind.patch b/queue-4.19/mfd-arizona-ensure-32k-clock-is-put-on-driver-unbind.patch
new file mode 100644
index 00000000000..527c988042c
--- /dev/null
+++ b/queue-4.19/mfd-arizona-ensure-32k-clock-is-put-on-driver-unbind.patch
@@ -0,0 +1,65 @@
+From bfed100fb8521852b359b7a76fc70caee15dc7c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 15 Jun 2020 14:53:21 +0100
+Subject: mfd: arizona: Ensure 32k clock is put on driver unbind and error
+
+From: Charles Keepax
+
+[ Upstream commit ddff6c45b21d0437ce0c85f8ac35d7b5480513d7 ]
+
+Whilst it doesn't matter if the internal 32k clock register settings
+are cleaned up on exit, as the part will be turned off losing any
+settings, hence the driver hasn't historially bothered. The external
+clock should however be cleaned up, as it could cause clocks to be
+left on, and will at best generate a warning on unbind.
+
+Add clean up on both the probe error path and unbind for the 32k
+clock.
+
+Fixes: cdd8da8cc66b ("mfd: arizona: Add gating of external MCLKn clocks")
+Signed-off-by: Charles Keepax
+Signed-off-by: Lee Jones
+Signed-off-by: Sasha Levin
+---
+ drivers/mfd/arizona-core.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/drivers/mfd/arizona-core.c b/drivers/mfd/arizona-core.c
+index a4403a57ddc89..09acaa2cf74a2 100644
+--- a/drivers/mfd/arizona-core.c
++++ b/drivers/mfd/arizona-core.c
+@@ -1433,6 +1433,15 @@ int arizona_dev_init(struct arizona *arizona)
+ arizona_irq_exit(arizona);
+ err_pm:
+ pm_runtime_disable(arizona->dev);
++
++ switch (arizona->pdata.clk32k_src) {
++ case ARIZONA_32KZ_MCLK1:
++ case ARIZONA_32KZ_MCLK2:
++ arizona_clk32k_disable(arizona);
++ break;
++ default:
++ break;
++ }
+ err_reset:
+ arizona_enable_reset(arizona);
+ regulator_disable(arizona->dcvdd);
+@@ -1455,6 +1464,15 @@ int arizona_dev_exit(struct arizona *arizona)
+ regulator_disable(arizona->dcvdd);
+ regulator_put(arizona->dcvdd);
+
++ switch (arizona->pdata.clk32k_src) {
++ case ARIZONA_32KZ_MCLK1:
++ case ARIZONA_32KZ_MCLK2:
++ arizona_clk32k_disable(arizona);
++ break;
++ default:
++ break;
++ }
++
+ mfd_remove_devices(arizona->dev);
+ arizona_free_irq(arizona, ARIZONA_IRQ_UNDERCLOCKED, arizona);
+ arizona_free_irq(arizona,
ARIZONA_IRQ_OVERCLOCKED, arizona);
+--
+2.25.1
+
diff --git a/queue-4.19/mfd-dln2-run-event-handler-loop-under-spinlock.patch b/queue-4.19/mfd-dln2-run-event-handler-loop-under-spinlock.patch
new file mode 100644
index 00000000000..52056f48d12
--- /dev/null
+++ b/queue-4.19/mfd-dln2-run-event-handler-loop-under-spinlock.patch
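Review bot: The same eight-line `switch (arizona->pdata.clk32k_src)` block is added twice, once under err_pm in arizona_dev_init() and once in arizona_dev_exit(), so the two copies can drift apart when a further clock source is added. I would move it into one static helper that takes the struct arizona pointer and call that from both places, with a comment that only the external MCLK sources hold a clock reference that must be dropped. Separately, whether every `goto err_pm` in arizona_dev_init() is reached only after the 32k clock was enabled cannot be seen from the hunk; if one precedes the enable, the new disable would unbalance the count, so that is worth confirming. Both functions start and end outside the hunk.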
@@ -0,0 +1,68 @@
+From a8e46c9542422ee52120d8552c94ea491b07eeb7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 23 Jul 2020 16:02:46 +0300
+Subject: mfd: dln2: Run event handler loop under spinlock
+
+From: Andy Shevchenko
+
+[ Upstream commit 3d858942250820b9adc35f963a257481d6d4c81d ]
+
+The event handler loop must be run with interrupts disabled.
+Otherwise we will have a warning:
+
+[ 1970.785649] irq 31 handler lineevent_irq_handler+0x0/0x20 enabled interrupts
+[ 1970.792739] WARNING: CPU: 0 PID: 0 at kernel/irq/handle.c:159 __handle_irq_event_percpu+0x162/0x170
+[ 1970.860732] RIP: 0010:__handle_irq_event_percpu+0x162/0x170
+...
+[ 1970.946994] Call Trace:
+[ 1970.949446]
+[ 1970.951471] handle_irq_event_percpu+0x2c/0x80
+[ 1970.955921] handle_irq_event+0x23/0x43
+[ 1970.959766] handle_simple_irq+0x57/0x70
+[ 1970.963695] generic_handle_irq+0x42/0x50
+[ 1970.967717] dln2_rx+0xc1/0x210 [dln2]
+[ 1970.971479] ? usb_hcd_unmap_urb_for_dma+0xa6/0x1c0
+[ 1970.976362] __usb_hcd_giveback_urb+0x77/0xe0
+[ 1970.980727] usb_giveback_urb_bh+0x8e/0xe0
+[ 1970.984837] tasklet_action_common.isra.0+0x4a/0xe0
+...
+
+Recently xHCI driver switched to tasklets in the commit 36dc01657b49
+("usb: host: xhci: Support running urb giveback in tasklet context").
+
+The handle_irq_event_* functions are expected to be called with interrupts
+disabled and they rightfully complain here because we run in tasklet context
+with interrupts enabled.
+
+Use a event spinlock to protect event handler from being interrupted.
+
+Note, that there are only two users of this GPIO and ADC drivers and both of
+them are using generic_handle_irq() which makes above happen.
+
+Fixes: 338a12814297 ("mfd: Add support for Diolan DLN-2 devices")
+Signed-off-by: Andy Shevchenko
+Signed-off-by: Lee Jones
+Signed-off-by: Sasha Levin
+---
+ drivers/mfd/dln2.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/mfd/dln2.c b/drivers/mfd/dln2.c
+index 6ea0dd37b4535..fe614ba5fec90 100644
+--- a/drivers/mfd/dln2.c
++++ b/drivers/mfd/dln2.c
+@@ -290,7 +290,11 @@ static void dln2_rx(struct urb *urb)
+ len = urb->actual_length - sizeof(struct dln2_header);
+
+ if (handle == DLN2_HANDLE_EVENT) {
++ unsigned long flags;
++
++ spin_lock_irqsave(&dln2->event_cb_lock, flags);
+ dln2_run_event_callbacks(dln2, id, echo, data, len);
++ spin_unlock_irqrestore(&dln2->event_cb_lock, flags);
+ } else {
+ /* URB will be re-submitted in _dln2_transfer (free_rx_slot) */
+ if (dln2_transfer_complete(dln2, urb, handle, echo))
+--
+2.25.1
+
diff --git a/queue-4.19/mmc-renesas_sdhi_internal_dmac-clean-up-the-code-for.patch b/queue-4.19/mmc-renesas_sdhi_internal_dmac-clean-up-the-code-for.patch
new file mode 100644
index 00000000000..000edf9b49e
--- /dev/null
+++ b/queue-4.19/mmc-renesas_sdhi_internal_dmac-clean-up-the-code-for.patch
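Review bot: dln2_run_event_callbacks() is now called in dln2_rx() with dln2->event_cb_lock held and interrupts disabled, so every registered event callback runs in atomic context and must neither sleep nor take event_cb_lock again, yet the hunk records none of that. Add a comment at the lock site, e.g. `/* callbacks run atomically: irqs off, event_cb_lock held */`. If the same lock also protects the callback list during registration or removal (not visible in this hunk), a callback that registers or unregisters would self-deadlock, which is worth confirming before relying on this. dln2_rx() starts and ends outside the hunk.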
@@ -0,0 +1,64 @@
+From f0711fafc285eba2ffc79b311014210c09b637ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 21 May 2020 16:01:05 +0900
+Subject: mmc: renesas_sdhi_internal_dmac: clean up the code for dma complete
+
+From: Yoshihiro Shimoda
+
+[ Upstream commit 2b26e34e9af3fa24fa1266e9ea2d66a1f7d62dc0 ]
+
+To add end() operation in the future, clean the code of
+renesas_sdhi_internal_dmac_complete_tasklet_fn(). No behavior change.
+
+Signed-off-by: Yoshihiro Shimoda
+Link: https://lore.kernel.org/r/1590044466-28372-3-git-send-email-yoshihiro.shimoda.uh@renesas.com
+Tested-by: Wolfram Sang
+Signed-off-by: Ulf Hansson
+Signed-off-by: Sasha Levin
+---
+ drivers/mmc/host/renesas_sdhi_internal_dmac.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/mmc/host/renesas_sdhi_internal_dmac.c b/drivers/mmc/host/renesas_sdhi_internal_dmac.c
+index 382172fb3da8f..74eea8247490d 100644
+--- a/drivers/mmc/host/renesas_sdhi_internal_dmac.c
++++ b/drivers/mmc/host/renesas_sdhi_internal_dmac.c
+@@ -222,15 +222,12 @@ static void renesas_sdhi_internal_dmac_issue_tasklet_fn(unsigned long arg)
+ DTRAN_CTRL_DM_START);
+ }
+
+-static void renesas_sdhi_internal_dmac_complete_tasklet_fn(unsigned long arg)
++static bool renesas_sdhi_internal_dmac_complete(struct tmio_mmc_host *host)
+ {
+- struct tmio_mmc_host *host = (struct tmio_mmc_host *)arg;
+ enum dma_data_direction dir;
+
+- spin_lock_irq(&host->lock);
+-
+ if (!host->data)
+- goto out;
++ return false;
+
+ if (host->data->flags & MMC_DATA_READ)
+ dir = DMA_FROM_DEVICE;
+@@ -243,6 +240,17 @@ static void renesas_sdhi_internal_dmac_complete_tasklet_fn(unsigned long arg)
+ if (dir == DMA_FROM_DEVICE)
+ clear_bit(SDHI_INTERNAL_DMAC_RX_IN_USE, &global_flags);
+
++ return true;
++}
++
++static void renesas_sdhi_internal_dmac_complete_tasklet_fn(unsigned long arg)
++{
++ struct tmio_mmc_host *host = (struct tmio_mmc_host *)arg;
++
++ spin_lock_irq(&host->lock);
++ if
(!renesas_sdhi_internal_dmac_complete(host))
++ goto out;
++
+ tmio_mmc_do_data_irq(host);
+ out:
+ spin_unlock_irq(&host->lock);
+--
+2.25.1
+
diff --git a/queue-4.19/net-qcom-emac-add-missed-clk_disable_unprepare-in-er.patch b/queue-4.19/net-qcom-emac-add-missed-clk_disable_unprepare-in-er.patch
new file mode 100644
index 00000000000..ce2c279ad48
--- /dev/null
+++ b/queue-4.19/net-qcom-emac-add-missed-clk_disable_unprepare-in-er.patch
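Review bot: The new helper renesas_sdhi_internal_dmac_complete() dereferences host->data and is only ever called here with host->lock held, but the locking requirement that used to be visible inside the tasklet function is no longer stated anywhere on the helper. Since the commit message anticipates a further caller (an end() operation), I would make the contract explicit with `/* caller must hold host->lock */` above the helper, or with `lockdep_assert_held(&host->lock);` as its first statement. The middle of the helper lies between the two hunks and is not visible here.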
@@ -0,0 +1,58 @@
+From 2b6c4d940a06a2bff63f4c1a89683e8f7ee66147 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 10 Aug 2020 10:57:05 +0800
+Subject: net: qcom/emac: add missed clk_disable_unprepare in error path of
+ emac_clks_phase1_init
+
+From: Wang Hai
+
+[ Upstream commit 50caa777a3a24d7027748e96265728ce748b41ef ]
+
+Fix the missing clk_disable_unprepare() before return
+from emac_clks_phase1_init() in the error handling case.
+
+Fixes: b9b17debc69d ("net: emac: emac gigabit ethernet controller driver")
+Reported-by: Hulk Robot
+Signed-off-by: Wang Hai
+Acked-by: Timur Tabi
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/qualcomm/emac/emac.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/qualcomm/emac/emac.c b/drivers/net/ethernet/qualcomm/emac/emac.c
+index 2a0cbc535a2ed..19673ed929e68 100644
+--- a/drivers/net/ethernet/qualcomm/emac/emac.c
++++ b/drivers/net/ethernet/qualcomm/emac/emac.c
+@@ -493,13 +493,24 @@ static int emac_clks_phase1_init(struct platform_device *pdev,
+
+ ret = clk_prepare_enable(adpt->clk[EMAC_CLK_CFG_AHB]);
+ if (ret)
+- return ret;
++ goto disable_clk_axi;
+
+ ret = clk_set_rate(adpt->clk[EMAC_CLK_HIGH_SPEED], 19200000);
+ if (ret)
+- return ret;
++ goto disable_clk_cfg_ahb;
++
++ ret = clk_prepare_enable(adpt->clk[EMAC_CLK_HIGH_SPEED]);
++ if (ret)
++ goto disable_clk_cfg_ahb;
+
+- return clk_prepare_enable(adpt->clk[EMAC_CLK_HIGH_SPEED]);
++ return 0;
++
++disable_clk_cfg_ahb:
++ clk_disable_unprepare(adpt->clk[EMAC_CLK_CFG_AHB]);
++disable_clk_axi:
++ clk_disable_unprepare(adpt->clk[EMAC_CLK_AXI]);
++
++ return ret;
+ }
+
+ /* Enable clocks; needs emac_clks_phase1_init to be called before */
+--
+2.25.1
+
diff --git a/queue-4.19/nfs-fix-getxattr-kernel-panic-and-memory-overflow.patch b/queue-4.19/nfs-fix-getxattr-kernel-panic-and-memory-overflow.patch
new file mode 100644
index 00000000000..9640a879c73
--- /dev/null
+++ b/queue-4.19/nfs-fix-getxattr-kernel-panic-and-memory-overflow.patch
@@ -0,0 +1,55 @@
+From 62c42d5b1ff3c55abb72790769a37775fefbc8b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 5 Aug 2020 12:23:19 -0500
+Subject: nfs: Fix getxattr kernel panic and memory overflow
+
+From: Jeffrey Mitchell
+
+[ Upstream commit b4487b93545214a9db8cbf32e86411677b0cca21 ]
+
+Move the buffer size check to decode_attr_security_label() before memcpy()
+Only call memcpy() if the buffer is large enough
+
+Fixes: aa9c2669626c ("NFS: Client implementation of Labeled-NFS")
+Signed-off-by: Jeffrey Mitchell
+[Trond: clean up duplicate test of label->len != 0]
+Signed-off-by: Trond Myklebust
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/nfs4proc.c | 2 --
+ fs/nfs/nfs4xdr.c | 6 +++++-
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index 05cb68ca1ba1a..1ef75b1deffa3 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -5603,8 +5603,6 @@ static int _nfs4_get_security_label(struct inode *inode, void *buf,
+ return ret;
+ if (!(fattr.valid & NFS_ATTR_FATTR_V4_SECURITY_LABEL))
+ return -ENOENT;
+- if (buflen < label.len)
+- return -ERANGE;
+ return 0;
+ }
+
+diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
+index c4cf0192d7bb8..0a5cae8f8aff9 100644
+--- a/fs/nfs/nfs4xdr.c
++++ b/fs/nfs/nfs4xdr.c
+@@ -4280,7 +4280,11 @@ static int decode_attr_security_label(struct xdr_stream *xdr, uint32_t *bitmap,
+ goto out_overflow;
+ if (len < NFS4_MAXLABELLEN) {
+ if (label) {
+- memcpy(label->label, p, len);
++ if (label->len) {
++ if (label->len < len)
++ return -ERANGE;
++ memcpy(label->label, p, len);
++ }
+ label->len = len;
+ label->pi = pi;
+ label->lfs = lfs;
+--
+2.25.1
+
diff --git a/queue-4.19/openrisc-fix-oops-caused-when-dumping-stack.patch b/queue-4.19/openrisc-fix-oops-caused-when-dumping-stack.patch
new file mode 100644
index 00000000000..863f6153791
--- /dev/null
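Review bot: In decode_attr_security_label() the new branch skips memcpy() when label->len is 0 but still stores `label->len = len`, so on return label->len describes bytes that were never written to label->label. That looks intended as a length-only query, but it means label->len is the caller's buffer capacity on entry and the decoded length on exit, and nothing in the hunk documents that; a caller treating label->len as the count of valid bytes in the buffer would read stale contents. I would add a comment above the check, e.g. `/* label->len is the buffer size on entry; 0 means report the length only */`. The new `return -ERANGE` also leaves the function directly while the neighbouring failure uses `goto out_overflow`; whether anything after this block has to run on that path cannot be seen from the hunk.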
+++ b/queue-4.19/openrisc-fix-oops-caused-when-dumping-stack.patch 
@@ -0,0 +1,97 @@
+From 06e742d2885cd4c3cb2113d99077f7a48e4e1eb5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 16 Jun 2020 06:19:46 +0900
+Subject: openrisc: Fix oops caused when dumping stack
+
+From: Stafford Horne
+
+[ Upstream commit 57b8e277c33620e115633cdf700a260b55095460 ]
+
+When dumping a stack with 'cat /proc/#/stack' the kernel would oops.
+For example:
+
+ # cat /proc/690/stack
+ Unable to handle kernel access
+ at virtual address 0x7fc60f58
+
+ Oops#: 0000
+ CPU #: 0
+ PC: c00097fc SR: 0000807f SP: d6f09b9c
+ GPR00: 00000000 GPR01: d6f09b9c GPR02: d6f09bb8 GPR03: d6f09bc4
+ GPR04: 7fc60f5c GPR05: c00099b4 GPR06: 00000000 GPR07: d6f09ba3
+ GPR08: ffffff00 GPR09: c0009804 GPR10: d6f08000 GPR11: 00000000
+ GPR12: ffffe000 GPR13: dbb86000 GPR14: 00000001 GPR15: dbb86250
+ GPR16: 7fc60f63 GPR17: 00000f5c GPR18: d6f09bc4 GPR19: 00000000
+ GPR20: c00099b4 GPR21: ffffffc0 GPR22: 00000000 GPR23: 00000000
+ GPR24: 00000001 GPR25: 000002c6 GPR26: d78b6850 GPR27: 00000001
+ GPR28: 00000000 GPR29: dbb86000 GPR30: ffffffff GPR31: dbb862fc
+ RES: 00000000 oGPR11: ffffffff
+ Process cat (pid: 702, stackpage=d79d6000)
+
+ Stack:
+ Call trace:
+ [<598977f2>] save_stack_trace_tsk+0x40/0x74
+ [<95063f0e>] stack_trace_save_tsk+0x44/0x58
+ [] proc_pid_stack+0xd0/0x13c
+ [] proc_single_show+0x6c/0xf0
+ [] seq_read+0x1b4/0x688
+ [<2d6c7480>] do_iter_read+0x208/0x248
+ [<2182a2fb>] vfs_readv+0x64/0x90
+
+This was caused by the stack trace code in save_stack_trace_tsk using
+the wrong stack pointer. It was using the user stack pointer instead of
+the kernel stack pointer. Fix this by using the right stack.
+
+Also for good measure we add try_get_task_stack/put_task_stack to ensure
+the task is not lost while we are walking it's stack.
+
+Fixes: eecac38b0423a ("openrisc: support framepointers and STACKTRACE_SUPPORT")
+Signed-off-by: Stafford Horne
+Signed-off-by: Sasha Levin
+---
+ arch/openrisc/kernel/stacktrace.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/arch/openrisc/kernel/stacktrace.c b/arch/openrisc/kernel/stacktrace.c
+index 43f140a28bc72..54d38809e22cb 100644
+--- a/arch/openrisc/kernel/stacktrace.c
++++ b/arch/openrisc/kernel/stacktrace.c
+@@ -13,6 +13,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+
+ #include
+@@ -68,12 +69,25 @@ void save_stack_trace_tsk(struct task_struct *tsk, struct stack_trace *trace)
+ {
+ unsigned long *sp = NULL;
+
++ if (!try_get_task_stack(tsk))
++ return;
++
+ if (tsk == current)
+ sp = (unsigned long *) &sp;
+- else
+- sp = (unsigned long *) KSTK_ESP(tsk);
++ else {
++ unsigned long ksp;
++
++ /* Locate stack from kernel context */
++ ksp = task_thread_info(tsk)->ksp;
++ ksp += STACK_FRAME_OVERHEAD; /* redzone */
++ ksp += sizeof(struct pt_regs);
++
++ sp = (unsigned long *) ksp;
++ }
+
+ unwind_stack(trace, sp, save_stack_address_nosched);
++
++ put_task_stack(tsk);
+ }
+ EXPORT_SYMBOL_GPL(save_stack_trace_tsk);
+
+--
+2.25.1
+
diff --git a/queue-4.19/perf-bench-mem-always-memset-source-before-memcpy.patch b/queue-4.19/perf-bench-mem-always-memset-source-before-memcpy.patch
new file mode 100644
index 00000000000..e1900ff430c
--- /dev/null
+++ b/queue-4.19/perf-bench-mem-always-memset-source-before-memcpy.patch
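Review bot: The rewritten if/else in save_stack_trace_tsk() braces only the else branch; kernel coding style asks for braces on both branches once either needs them, so the first arm should read `if (tsk == current) {` with a closing `} else {`. On the substance, the start address is derived from `task_thread_info(tsk)->ksp` with no visible check that tsk is not running at that moment; if that field is only written at context switch (not visible in this hunk) the walk could begin from a stale frame. A comment stating that assumption, and why STACK_FRAME_OVERHEAD and sizeof(struct pt_regs) are skipped, would make the arithmetic reviewable.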
@@ -0,0 +1,105 @@
+From 8f715a087a98d86ba3d7c33f5ca2c7ede2d6aef4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 10 Aug 2020 15:34:04 +0200
+Subject: perf bench mem: Always memset source before memcpy
+
+From: Vincent Whitchurch
+
+[ Upstream commit 1beaef29c34154ccdcb3f1ae557f6883eda18840 ]
+
+For memcpy, the source pages are memset to zero only when --cycles is
+used. This leads to wildly different results with or without --cycles,
+since all sources pages are likely to be mapped to the same zero page
+without explicit writes.
+
+Before this fix:
+
+$ export cmd="./perf stat -e LLC-loads -- ./perf bench \
+ mem memcpy -s 1024MB -l 100 -f default"
+$ $cmd
+
+ 2,935,826 LLC-loads
+ 3.821677452 seconds time elapsed
+
+$ $cmd --cycles
+
+ 217,533,436 LLC-loads
+ 8.616725985 seconds time elapsed
+
+After this fix:
+
+$ $cmd
+
+ 214,459,686 LLC-loads
+ 8.674301124 seconds time elapsed
+
+$ $cmd --cycles
+
+ 214,758,651 LLC-loads
+ 8.644480006 seconds time elapsed
+
+Fixes: 47b5757bac03c338 ("perf bench mem: Move boilerplate memory allocation to the infrastructure")
+Signed-off-by: Vincent Whitchurch
+Cc: Alexander Shishkin
+Cc: Jiri Olsa
+Cc: Mark Rutland
+Cc: Namhyung Kim
+Cc: Peter Zijlstra
+Cc: kernel@axis.com
+Link: http://lore.kernel.org/lkml/20200810133404.30829-1-vincent.whitchurch@axis.com
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/bench/mem-functions.c | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+diff --git a/tools/perf/bench/mem-functions.c b/tools/perf/bench/mem-functions.c
+index 0251dd348124a..4864fc67d01b5 100644
+--- a/tools/perf/bench/mem-functions.c
++++ b/tools/perf/bench/mem-functions.c
+@@ -222,12 +222,8 @@ static int bench_mem_common(int argc, const char **argv, struct bench_mem_info *
+ return 0;
+ }
+
+-static u64 do_memcpy_cycles(const struct function *r, size_t size, void *src, void *dst)
++static void memcpy_prefault(memcpy_t fn, size_t size, void *src,
void *dst) + { +- u64 cycle_start = 0ULL, cycle_end = 0ULL; +- memcpy_t fn = r->fn.memcpy; +- int i; +- + /* Make sure to always prefault zero pages even if MMAP_THRESH is crossed: */ + memset(src, 0, size); + +@@ -236,6 +232,15 @@ static u64 do_memcpy_cycles(const struct function *r, size_t size, void *src, vo + * to not measure page fault overhead: + */ + fn(dst, src, size); ++} ++ ++static u64 do_memcpy_cycles(const struct function *r, size_t size, void *src, void *dst) ++{ ++ u64 cycle_start = 0ULL, cycle_end = 0ULL; ++ memcpy_t fn = r->fn.memcpy; ++ int i; ++ ++ memcpy_prefault(fn, size, src, dst); + + cycle_start = get_cycles(); + for (i = 0; i < nr_loops; ++i) +@@ -251,11 +256,7 @@ static double do_memcpy_gettimeofday(const struct function *r, size_t size, void + memcpy_t fn = r->fn.memcpy; + int i; + +- /* +- * We prefault the freshly allocated memory range here, +- * to not measure page fault overhead: +- */ +- fn(dst, src, size); ++ memcpy_prefault(fn, size, src, dst); + + BUG_ON(gettimeofday(&tv_start, NULL)); + for (i = 0; i < nr_loops; ++i) +-- +2.25.1 + diff --git a/queue-4.19/pwm-bcm-iproc-handle-clk_get_rate-return.patch b/queue-4.19/pwm-bcm-iproc-handle-clk_get_rate-return.patch new file mode 100644 index 00000000000..79c107b8f13 --- /dev/null +++ b/queue-4.19/pwm-bcm-iproc-handle-clk_get_rate-return.patch 
@@ -0,0 +1,55 @@
+From d4e0d2b7ddb8a514cd2c6e2c7bd5ff4c586181ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 17 Jul 2020 21:46:06 -0700
+Subject: pwm: bcm-iproc: handle clk_get_rate() return
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rayagonda Kokatanur
+
+[ Upstream commit 6ced5ff0be8e94871ba846dfbddf69d21363f3d7 ]
+
+Handle clk_get_rate() returning 0 to avoid possible division by zero.
+
+Fixes: daa5abc41c80 ("pwm: Add support for Broadcom iProc PWM controller")
+Signed-off-by: Rayagonda Kokatanur
+Signed-off-by: Scott Branden
+Reviewed-by: Ray Jui
+Reviewed-by: Uwe Kleine-König
+Signed-off-by: Thierry Reding
+Signed-off-by: Sasha Levin
+---
+ drivers/pwm/pwm-bcm-iproc.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pwm/pwm-bcm-iproc.c b/drivers/pwm/pwm-bcm-iproc.c
+index 31b01035d0ab3..8cfba3614e601 100644
+--- a/drivers/pwm/pwm-bcm-iproc.c
++++ b/drivers/pwm/pwm-bcm-iproc.c
+@@ -85,8 +85,6 @@ static void iproc_pwmc_get_state(struct pwm_chip *chip, struct pwm_device *pwm,
+ u64 tmp, multi, rate;
+ u32 value, prescale;
+
+- rate = clk_get_rate(ip->clk);
+-
+ value = readl(ip->base + IPROC_PWM_CTRL_OFFSET);
+
+ if (value & BIT(IPROC_PWM_CTRL_EN_SHIFT(pwm->hwpwm)))
+@@ -99,6 +97,13 @@ static void iproc_pwmc_get_state(struct pwm_chip *chip, struct pwm_device *pwm,
+ else
+ state->polarity = PWM_POLARITY_INVERSED;
+
++ rate = clk_get_rate(ip->clk);
++ if (rate == 0) {
++ state->period = 0;
++ state->duty_cycle = 0;
++ return;
++ }
++
+ value = readl(ip->base + IPROC_PWM_PRESCALE_OFFSET);
+ prescale = value >> IPROC_PWM_PRESCALE_SHIFT(pwm->hwpwm);
+ prescale &= IPROC_PWM_PRESCALE_MAX;
+--
+2.25.1
+
diff --git a/queue-4.19/rdma-ipoib-fix-abba-deadlock-with-ipoib_reap_ah.patch b/queue-4.19/rdma-ipoib-fix-abba-deadlock-with-ipoib_reap_ah.patch
new file mode 100644
index 00000000000..d16fd161bb9
--- /dev/null
+++ b/queue-4.19/rdma-ipoib-fix-abba-deadlock-with-ipoib_reap_ah.patch 
@@ -0,0 +1,217 @@ +From c8eb7771b2793524b2056aea158da2c8dd9f10b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Jun 2020 20:42:19 +0300 +Subject: RDMA/ipoib: Fix ABBA deadlock with ipoib_reap_ah() + +From: Jason Gunthorpe + +[ Upstream commit 65936bf25f90fe440bb2d11624c7d10fab266639 ] + +ipoib_mcast_carrier_on_task() insanely open codes a rtnl_lock() such that +the only time flush_workqueue() can be called is if it also clears +IPOIB_FLAG_OPER_UP. + +Thus the flush inside ipoib_flush_ah() will deadlock if it gets unlucky +enough, and lockdep doesn't help us to find it early: + + CPU0 CPU1 CPU2 + __ipoib_ib_dev_flush() + down_read(vlan_rwsem) + + ipoib_vlan_add() + rtnl_trylock() + down_write(vlan_rwsem) + + ipoib_mcast_carrier_on_task() + while (!rtnl_trylock()) + msleep(20); + + ipoib_flush_ah() + flush_workqueue(priv->wq) + +Clean up the ah_reaper related functions and lifecycle to make sense: + + - Start/Stop of the reaper should only be done in open/stop NDOs, not in + any other places + + - cancel and flush of the reaper should only happen in the stop NDO. + cancel is only functional when combined with IPOIB_STOP_REAPER. + + - Non-stop places were flushing the AH's just need to flush out dead AH's + synchronously and ignore the background task completely. It is fully + locked and harmless to leave running. + +Which ultimately fixes the ABBA deadlock by removing the unnecessary +flush_workqueue() from the problematic place under the vlan_rwsem. 
+ +Fixes: efc82eeeae4e ("IB/ipoib: No longer use flush as a parameter") +Link: https://lore.kernel.org/r/20200625174219.290842-1-kamalheib1@gmail.com +Reported-by: Kamal Heib +Tested-by: Kamal Heib +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/ipoib/ipoib_ib.c | 65 ++++++++++------------- + drivers/infiniband/ulp/ipoib/ipoib_main.c | 2 + + 2 files changed, 31 insertions(+), 36 deletions(-) + +diff --git a/drivers/infiniband/ulp/ipoib/ipoib_ib.c b/drivers/infiniband/ulp/ipoib/ipoib_ib.c +index 925258ffbde3c..82b9c5b6e3e65 100644 +--- a/drivers/infiniband/ulp/ipoib/ipoib_ib.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_ib.c +@@ -669,14 +669,13 @@ int ipoib_send(struct net_device *dev, struct sk_buff *skb, + return rc; + } + +-static void __ipoib_reap_ah(struct net_device *dev) ++static void ipoib_reap_dead_ahs(struct ipoib_dev_priv *priv) + { +- struct ipoib_dev_priv *priv = ipoib_priv(dev); + struct ipoib_ah *ah, *tah; + LIST_HEAD(remove_list); + unsigned long flags; + +- netif_tx_lock_bh(dev); ++ netif_tx_lock_bh(priv->dev); + spin_lock_irqsave(&priv->lock, flags); + + list_for_each_entry_safe(ah, tah, &priv->dead_ahs, list) +@@ -687,37 +686,37 @@ static void __ipoib_reap_ah(struct net_device *dev) + } + + spin_unlock_irqrestore(&priv->lock, flags); +- netif_tx_unlock_bh(dev); ++ netif_tx_unlock_bh(priv->dev); + } + + void ipoib_reap_ah(struct work_struct *work) + { + struct ipoib_dev_priv *priv = + container_of(work, struct ipoib_dev_priv, ah_reap_task.work); +- struct net_device *dev = priv->dev; + +- __ipoib_reap_ah(dev); ++ ipoib_reap_dead_ahs(priv); + + if (!test_bit(IPOIB_STOP_REAPER, &priv->flags)) + queue_delayed_work(priv->wq, &priv->ah_reap_task, + round_jiffies_relative(HZ)); + } + +-static void ipoib_flush_ah(struct net_device *dev) ++static void ipoib_start_ah_reaper(struct ipoib_dev_priv *priv) + { +- struct ipoib_dev_priv *priv = ipoib_priv(dev); +- +- cancel_delayed_work(&priv->ah_reap_task); +- 
flush_workqueue(priv->wq); +- ipoib_reap_ah(&priv->ah_reap_task.work); ++ clear_bit(IPOIB_STOP_REAPER, &priv->flags); ++ queue_delayed_work(priv->wq, &priv->ah_reap_task, ++ round_jiffies_relative(HZ)); + } + +-static void ipoib_stop_ah(struct net_device *dev) ++static void ipoib_stop_ah_reaper(struct ipoib_dev_priv *priv) + { +- struct ipoib_dev_priv *priv = ipoib_priv(dev); +- + set_bit(IPOIB_STOP_REAPER, &priv->flags); +- ipoib_flush_ah(dev); ++ cancel_delayed_work(&priv->ah_reap_task); ++ /* ++ * After ipoib_stop_ah_reaper() we always go through ++ * ipoib_reap_dead_ahs() which ensures the work is really stopped and ++ * does a final flush out of the dead_ah's list ++ */ + } + + static int recvs_pending(struct net_device *dev) +@@ -846,16 +845,6 @@ int ipoib_ib_dev_stop_default(struct net_device *dev) + return 0; + } + +-void ipoib_ib_dev_stop(struct net_device *dev) +-{ +- struct ipoib_dev_priv *priv = ipoib_priv(dev); +- +- priv->rn_ops->ndo_stop(dev); +- +- clear_bit(IPOIB_FLAG_INITIALIZED, &priv->flags); +- ipoib_flush_ah(dev); +-} +- + int ipoib_ib_dev_open_default(struct net_device *dev) + { + struct ipoib_dev_priv *priv = ipoib_priv(dev); +@@ -899,10 +888,7 @@ int ipoib_ib_dev_open(struct net_device *dev) + return -1; + } + +- clear_bit(IPOIB_STOP_REAPER, &priv->flags); +- queue_delayed_work(priv->wq, &priv->ah_reap_task, +- round_jiffies_relative(HZ)); +- ++ ipoib_start_ah_reaper(priv); + if (priv->rn_ops->ndo_open(dev)) { + pr_warn("%s: Failed to open dev\n", dev->name); + goto dev_stop; +@@ -913,13 +899,20 @@ int ipoib_ib_dev_open(struct net_device *dev) + return 0; + + dev_stop: +- set_bit(IPOIB_STOP_REAPER, &priv->flags); +- cancel_delayed_work(&priv->ah_reap_task); +- set_bit(IPOIB_FLAG_INITIALIZED, &priv->flags); +- ipoib_ib_dev_stop(dev); ++ ipoib_stop_ah_reaper(priv); + return -1; + } + ++void ipoib_ib_dev_stop(struct net_device *dev) ++{ ++ struct ipoib_dev_priv *priv = ipoib_priv(dev); ++ ++ priv->rn_ops->ndo_stop(dev); ++ ++ 
clear_bit(IPOIB_FLAG_INITIALIZED, &priv->flags); ++ ipoib_stop_ah_reaper(priv); ++} ++ + void ipoib_pkey_dev_check_presence(struct net_device *dev) + { + struct ipoib_dev_priv *priv = ipoib_priv(dev); +@@ -1230,7 +1223,7 @@ static void __ipoib_ib_dev_flush(struct ipoib_dev_priv *priv, + ipoib_mcast_dev_flush(dev); + if (oper_up) + set_bit(IPOIB_FLAG_OPER_UP, &priv->flags); +- ipoib_flush_ah(dev); ++ ipoib_reap_dead_ahs(priv); + } + + if (level >= IPOIB_FLUSH_NORMAL) +@@ -1305,7 +1298,7 @@ void ipoib_ib_dev_cleanup(struct net_device *dev) + * the neighbor garbage collection is stopped and reaped. + * That should all be done now, so make a final ah flush. + */ +- ipoib_stop_ah(dev); ++ ipoib_reap_dead_ahs(priv); + + clear_bit(IPOIB_PKEY_ASSIGNED, &priv->flags); + +diff --git a/drivers/infiniband/ulp/ipoib/ipoib_main.c b/drivers/infiniband/ulp/ipoib/ipoib_main.c +index 6093e8268583d..d0c35eb687aeb 100644 +--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c +@@ -1979,6 +1979,8 @@ static void ipoib_ndo_uninit(struct net_device *dev) + + /* no more works over the priv->wq */ + if (priv->wq) { ++ /* See ipoib_mcast_carrier_on_task() */ ++ WARN_ON(test_bit(IPOIB_FLAG_OPER_UP, &priv->flags)); + flush_workqueue(priv->wq); + destroy_workqueue(priv->wq); + priv->wq = NULL; +-- +2.25.1 + diff --git a/queue-4.19/rdma-ipoib-return-void-from-ipoib_ib_dev_stop.patch b/queue-4.19/rdma-ipoib-return-void-from-ipoib_ib_dev_stop.patch new file mode 100644 index 00000000000..a10951f805e --- /dev/null +++ b/queue-4.19/rdma-ipoib-return-void-from-ipoib_ib_dev_stop.patch 
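Review bot: The comment added in `ipoib_stop_ah_reaper()` claims that a later `ipoib_reap_dead_ahs()` "ensures the work is really stopped", but the `ipoib_reap_dead_ahs()` in this same patch only takes `netif_tx_lock_bh()` and `priv->lock` around a walk of `priv->dead_ahs`; nothing in it waits for `ah_reap_task`. `cancel_delayed_work()` is the non-sync variant, so an `ipoib_reap_ah()` that has already passed its `test_bit(IPOIB_STOP_REAPER, ...)` check can requeue itself after the cancel, and the `dev_stop:` path of `ipoib_ib_dev_open()` now returns with no reap call following it. From the visible hunks the work is only drained by `flush_workqueue(priv->wq)` in `ipoib_ndo_uninit()`, which matters because the reaper dereferences `priv`. I would reword the comment to state that, e.g. `/* a late reaper run is fully locked and harmless; it is drained by flush_workqueue() in ipoib_ndo_uninit() */`.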
@@ -0,0 +1,59 @@ +From 91db3c7926bdc4a05bc443c82a91315cf1a20181 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jun 2020 13:52:36 +0300 +Subject: RDMA/ipoib: Return void from ipoib_ib_dev_stop() + +From: Kamal Heib + +[ Upstream commit 95a5631f6c9f3045f26245e6045244652204dfdb ] + +The return value from ipoib_ib_dev_stop() is always 0 - change it to be +void. + +Link: https://lore.kernel.org/r/20200623105236.18683-1-kamalheib1@gmail.com +Signed-off-by: Kamal Heib +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/ipoib/ipoib.h | 2 +- + drivers/infiniband/ulp/ipoib/ipoib_ib.c | 4 +--- + 2 files changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/infiniband/ulp/ipoib/ipoib.h b/drivers/infiniband/ulp/ipoib/ipoib.h +index 85267bbf48360..ef12221017053 100644 +--- a/drivers/infiniband/ulp/ipoib/ipoib.h ++++ b/drivers/infiniband/ulp/ipoib/ipoib.h +@@ -513,7 +513,7 @@ void ipoib_ib_dev_cleanup(struct net_device *dev); + + int ipoib_ib_dev_open_default(struct net_device *dev); + int ipoib_ib_dev_open(struct net_device *dev); +-int ipoib_ib_dev_stop(struct net_device *dev); ++void ipoib_ib_dev_stop(struct net_device *dev); + void ipoib_ib_dev_up(struct net_device *dev); + void ipoib_ib_dev_down(struct net_device *dev); + int ipoib_ib_dev_stop_default(struct net_device *dev); +diff --git a/drivers/infiniband/ulp/ipoib/ipoib_ib.c b/drivers/infiniband/ulp/ipoib/ipoib_ib.c +index 0f2e80f54d333..925258ffbde3c 100644 +--- a/drivers/infiniband/ulp/ipoib/ipoib_ib.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_ib.c +@@ -846,7 +846,7 @@ int ipoib_ib_dev_stop_default(struct net_device *dev) + return 0; + } + +-int ipoib_ib_dev_stop(struct net_device *dev) ++void ipoib_ib_dev_stop(struct net_device *dev) + { + struct ipoib_dev_priv *priv = ipoib_priv(dev); + +@@ -854,8 +854,6 @@ int ipoib_ib_dev_stop(struct net_device *dev) + + clear_bit(IPOIB_FLAG_INITIALIZED, &priv->flags); + ipoib_flush_ah(dev); +- +- return 0; + } + + int 
ipoib_ib_dev_open_default(struct net_device *dev) +-- +2.25.1 + diff --git a/queue-4.19/scsi-lpfc-nvmet-avoid-hang-use-after-free-again-when.patch b/queue-4.19/scsi-lpfc-nvmet-avoid-hang-use-after-free-again-when.patch new file mode 100644 index 00000000000..b50d01df1c4 --- /dev/null +++ b/queue-4.19/scsi-lpfc-nvmet-avoid-hang-use-after-free-again-when.patch 
@@ -0,0 +1,48 @@
+From fb6bde6ebdf5f908ec443ec07b24340e7126173f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 29 Jul 2020 19:10:11 -0400
+Subject: scsi: lpfc: nvmet: Avoid hang / use-after-free again when destroying
+ targetport
+
+From: Ewan D. Milne
+
+[ Upstream commit af6de8c60fe9433afa73cea6fcccdccd98ad3e5e ]
+
+We cannot wait on a completion object in the lpfc_nvme_targetport structure
+in the _destroy_targetport() code path because the NVMe/fc transport will
+free that structure immediately after the .targetport_delete() callback.
+This results in a use-after-free, and a crash if slub_debug=FZPU is
+enabled.
+
+An earlier fix put put the completion on the stack, but commit 2a0fb340fcc8
+("scsi: lpfc: Correct localport timeout duration error") subsequently
+changed the code to reference the completion through a pointer in the
+object rather than the local stack variable. Fix this by using the stack
+variable directly.
+
+Link: https://lore.kernel.org/r/20200729231011.13240-1-emilne@redhat.com
+Fixes: 2a0fb340fcc8 ("scsi: lpfc: Correct localport timeout duration error")
+Reviewed-by: James Smart
+Signed-off-by: Ewan D. Milne
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/lpfc/lpfc_nvmet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_nvmet.c b/drivers/scsi/lpfc/lpfc_nvmet.c
+index 768eba8c111d9..5bc33817568ea 100644
+--- a/drivers/scsi/lpfc/lpfc_nvmet.c
++++ b/drivers/scsi/lpfc/lpfc_nvmet.c
+@@ -1712,7 +1712,7 @@ lpfc_nvmet_destroy_targetport(struct lpfc_hba *phba)
+ }
+ tgtp->tport_unreg_cmp = &tport_unreg_cmp;
+ nvmet_fc_unregister_targetport(phba->targetport);
+- if (!wait_for_completion_timeout(tgtp->tport_unreg_cmp,
++ if (!wait_for_completion_timeout(&tport_unreg_cmp,
+ msecs_to_jiffies(LPFC_NVMET_WAIT_TMO)))
+ lpfc_printf_log(phba, KERN_ERR, LOG_NVME,
+ "6179 Unreg targetport %p timeout "
+--
+2.25.1
+
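Review bot: The timeout branch of `wait_for_completion_timeout(&tport_unreg_cmp, ...)` only logs message 6179 and carries on, while `tgtp->tport_unreg_cmp` still holds the address of the on-stack completion assigned two lines earlier. If the transport's delete callback runs after the timeout it would presumably signal through that pointer into a stack frame that is no longer live, which is the same class of lifetime bug this commit addresses for the wait side. The remainder of lpfc_nvmet_destroy_targetport() lies outside the hunk, so confirm whether the timeout path is handled there. If it is not, that path needs a defined way to tell the callback that nobody is waiting, and it cannot simply write to `tgtp` afterwards, since the commit message says the transport frees that structure right after the callback.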
diff --git a/queue-4.19/selftests-powerpc-ptrace-pkey-don-t-update-expected-.patch b/queue-4.19/selftests-powerpc-ptrace-pkey-don-t-update-expected-.patch
new file mode 100644
index 00000000000..4fa8ba1fcf4
--- /dev/null
+++ b/queue-4.19/selftests-powerpc-ptrace-pkey-don-t-update-expected-.patch
@@ -0,0 +1,53 @@ +From 5e577843aabec2883bdf7639f0705e56f2149f75 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Jul 2020 08:59:45 +0530 +Subject: selftests/powerpc: ptrace-pkey: Don't update expected UAMOR value + +From: Aneesh Kumar K.V + +[ Upstream commit 3563b9bea0ca7f53e4218b5e268550341a49f333 ] + +With commit 4a4a5e5d2aad ("powerpc/pkeys: key allocation/deallocation +must not change pkey registers") we are not updating UAMOR on key +allocation. So don't update the expected uamor value in the test. + +Fixes: 4a4a5e5d2aad ("powerpc/pkeys: key allocation/deallocation must not change pkey registers") +Signed-off-by: Aneesh Kumar K.V +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200709032946.881753-23-aneesh.kumar@linux.ibm.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/powerpc/ptrace/ptrace-pkey.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/tools/testing/selftests/powerpc/ptrace/ptrace-pkey.c b/tools/testing/selftests/powerpc/ptrace/ptrace-pkey.c +index bc33d748d95b4..3694613f418f6 100644 +--- a/tools/testing/selftests/powerpc/ptrace/ptrace-pkey.c ++++ b/tools/testing/selftests/powerpc/ptrace/ptrace-pkey.c +@@ -101,15 +101,20 @@ static int child(struct shared_info *info) + */ + info->invalid_amr = info->amr2 | (~0x0UL & ~info->expected_uamor); + ++ /* ++ * if PKEY_DISABLE_EXECUTE succeeded we should update the expected_iamr ++ */ + if (disable_execute) + info->expected_iamr |= 1ul << pkeyshift(pkey1); + else + info->expected_iamr &= ~(1ul << pkeyshift(pkey1)); + +- info->expected_iamr &= ~(1ul << pkeyshift(pkey2) | 1ul << pkeyshift(pkey3)); ++ /* ++ * We allocated pkey2 and pkey 3 above. Clear the IAMR bits. ++ */ ++ info->expected_iamr &= ~(1ul << pkeyshift(pkey2)); ++ info->expected_iamr &= ~(1ul << pkeyshift(pkey3)); + +- info->expected_uamor |= 3ul << pkeyshift(pkey1) | +- 3ul << pkeyshift(pkey2); + /* + * Create an IAMR value different from expected value. 
+ * Kernel will reject an IAMR and UAMOR change. +-- +2.25.1 + diff --git a/queue-4.19/selftests-powerpc-ptrace-pkey-rename-variables-to-ma.patch b/queue-4.19/selftests-powerpc-ptrace-pkey-rename-variables-to-ma.patch new file mode 100644 index 00000000000..e57fd736aae --- /dev/null +++ b/queue-4.19/selftests-powerpc-ptrace-pkey-rename-variables-to-ma.patch 
@@ -0,0 +1,112 @@ +From 595b8caa416494d2ac87124eaec061e569cbd445 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Jul 2020 08:59:43 +0530 +Subject: selftests/powerpc: ptrace-pkey: Rename variables to make it easier to + follow code + +From: Aneesh Kumar K.V + +[ Upstream commit 9a11f12e0a6c374b3ef1ce81e32ce477d28eb1b8 ] + +Rename variable to indicate that they are invalid values which we will +use to test ptrace update of pkeys. + +Signed-off-by: Aneesh Kumar K.V +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200709032946.881753-21-aneesh.kumar@linux.ibm.com +Signed-off-by: Sasha Levin +--- + .../selftests/powerpc/ptrace/ptrace-pkey.c | 26 +++++++++---------- + 1 file changed, 13 insertions(+), 13 deletions(-) + +diff --git a/tools/testing/selftests/powerpc/ptrace/ptrace-pkey.c b/tools/testing/selftests/powerpc/ptrace/ptrace-pkey.c +index bdbbbe8431e03..f9216c7a1829e 100644 +--- a/tools/testing/selftests/powerpc/ptrace/ptrace-pkey.c ++++ b/tools/testing/selftests/powerpc/ptrace/ptrace-pkey.c +@@ -44,7 +44,7 @@ struct shared_info { + unsigned long amr2; + + /* AMR value that ptrace should refuse to write to the child. */ +- unsigned long amr3; ++ unsigned long invalid_amr; + + /* IAMR value the parent expects to read from the child. */ + unsigned long expected_iamr; +@@ -57,8 +57,8 @@ struct shared_info { + * (even though they're valid ones) because userspace doesn't have + * access to those registers. 
+ */ +- unsigned long new_iamr; +- unsigned long new_uamor; ++ unsigned long invalid_iamr; ++ unsigned long invalid_uamor; + }; + + static int sys_pkey_alloc(unsigned long flags, unsigned long init_access_rights) +@@ -100,7 +100,7 @@ static int child(struct shared_info *info) + + info->amr1 |= 3ul << pkeyshift(pkey1); + info->amr2 |= 3ul << pkeyshift(pkey2); +- info->amr3 |= info->amr2 | 3ul << pkeyshift(pkey3); ++ info->invalid_amr |= info->amr2 | 3ul << pkeyshift(pkey3); + + if (disable_execute) + info->expected_iamr |= 1ul << pkeyshift(pkey1); +@@ -111,8 +111,8 @@ static int child(struct shared_info *info) + + info->expected_uamor |= 3ul << pkeyshift(pkey1) | + 3ul << pkeyshift(pkey2); +- info->new_iamr |= 1ul << pkeyshift(pkey1) | 1ul << pkeyshift(pkey2); +- info->new_uamor |= 3ul << pkeyshift(pkey1); ++ info->invalid_iamr |= 1ul << pkeyshift(pkey1) | 1ul << pkeyshift(pkey2); ++ info->invalid_uamor |= 3ul << pkeyshift(pkey1); + + /* + * We won't use pkey3. We just want a plausible but invalid key to test +@@ -196,9 +196,9 @@ static int parent(struct shared_info *info, pid_t pid) + PARENT_SKIP_IF_UNSUPPORTED(ret, &info->child_sync); + PARENT_FAIL_IF(ret, &info->child_sync); + +- info->amr1 = info->amr2 = info->amr3 = regs[0]; +- info->expected_iamr = info->new_iamr = regs[1]; +- info->expected_uamor = info->new_uamor = regs[2]; ++ info->amr1 = info->amr2 = info->invalid_amr = regs[0]; ++ info->expected_iamr = info->invalid_iamr = regs[1]; ++ info->expected_uamor = info->invalid_uamor = regs[2]; + + /* Wake up child so that it can set itself up. */ + ret = prod_child(&info->child_sync); +@@ -234,10 +234,10 @@ static int parent(struct shared_info *info, pid_t pid) + return ret; + + /* Write invalid AMR value in child. 
*/ +- ret = ptrace_write_regs(pid, NT_PPC_PKEY, &info->amr3, 1); ++ ret = ptrace_write_regs(pid, NT_PPC_PKEY, &info->invalid_amr, 1); + PARENT_FAIL_IF(ret, &info->child_sync); + +- printf("%-30s AMR: %016lx\n", ptrace_write_running, info->amr3); ++ printf("%-30s AMR: %016lx\n", ptrace_write_running, info->invalid_amr); + + /* Wake up child so that it can verify it didn't change. */ + ret = prod_child(&info->child_sync); +@@ -249,7 +249,7 @@ static int parent(struct shared_info *info, pid_t pid) + + /* Try to write to IAMR. */ + regs[0] = info->amr1; +- regs[1] = info->new_iamr; ++ regs[1] = info->invalid_iamr; + ret = ptrace_write_regs(pid, NT_PPC_PKEY, regs, 2); + PARENT_FAIL_IF(!ret, &info->child_sync); + +@@ -257,7 +257,7 @@ static int parent(struct shared_info *info, pid_t pid) + ptrace_write_running, regs[0], regs[1]); + + /* Try to write to IAMR and UAMOR. */ +- regs[2] = info->new_uamor; ++ regs[2] = info->invalid_uamor; + ret = ptrace_write_regs(pid, NT_PPC_PKEY, regs, 3); + PARENT_FAIL_IF(!ret, &info->child_sync); + +-- +2.25.1 + diff --git a/queue-4.19/selftests-powerpc-ptrace-pkey-update-the-test-to-mar.patch b/queue-4.19/selftests-powerpc-ptrace-pkey-update-the-test-to-mar.patch new file mode 100644 index 00000000000..1cdd5a9b497 --- /dev/null +++ b/queue-4.19/selftests-powerpc-ptrace-pkey-update-the-test-to-mar.patch 
@@ -0,0 +1,85 @@ +From e34910f09b58ed51a3d7db4c41758bde394233a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Jul 2020 08:59:44 +0530 +Subject: selftests/powerpc: ptrace-pkey: Update the test to mark an invalid + pkey correctly + +From: Aneesh Kumar K.V + +[ Upstream commit 0eaa3b5ca7b5a76e3783639c828498343be66a01 ] + +Signed-off-by: Aneesh Kumar K.V +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200709032946.881753-22-aneesh.kumar@linux.ibm.com +Signed-off-by: Sasha Levin +--- + .../selftests/powerpc/ptrace/ptrace-pkey.c | 30 ++++++++----------- + 1 file changed, 12 insertions(+), 18 deletions(-) + +diff --git a/tools/testing/selftests/powerpc/ptrace/ptrace-pkey.c b/tools/testing/selftests/powerpc/ptrace/ptrace-pkey.c +index f9216c7a1829e..bc33d748d95b4 100644 +--- a/tools/testing/selftests/powerpc/ptrace/ptrace-pkey.c ++++ b/tools/testing/selftests/powerpc/ptrace/ptrace-pkey.c +@@ -66,11 +66,6 @@ static int sys_pkey_alloc(unsigned long flags, unsigned long init_access_rights) + return syscall(__NR_pkey_alloc, flags, init_access_rights); + } + +-static int sys_pkey_free(int pkey) +-{ +- return syscall(__NR_pkey_free, pkey); +-} +- + static int child(struct shared_info *info) + { + unsigned long reg; +@@ -100,7 +95,11 @@ static int child(struct shared_info *info) + + info->amr1 |= 3ul << pkeyshift(pkey1); + info->amr2 |= 3ul << pkeyshift(pkey2); +- info->invalid_amr |= info->amr2 | 3ul << pkeyshift(pkey3); ++ /* ++ * invalid amr value where we try to force write ++ * things which are deined by a uamor setting. 
++ */ ++ info->invalid_amr = info->amr2 | (~0x0UL & ~info->expected_uamor); + + if (disable_execute) + info->expected_iamr |= 1ul << pkeyshift(pkey1); +@@ -111,17 +110,12 @@ static int child(struct shared_info *info) + + info->expected_uamor |= 3ul << pkeyshift(pkey1) | + 3ul << pkeyshift(pkey2); +- info->invalid_iamr |= 1ul << pkeyshift(pkey1) | 1ul << pkeyshift(pkey2); +- info->invalid_uamor |= 3ul << pkeyshift(pkey1); +- + /* +- * We won't use pkey3. We just want a plausible but invalid key to test +- * whether ptrace will let us write to AMR bits we are not supposed to. +- * +- * This also tests whether the kernel restores the UAMOR permissions +- * after a key is freed. ++ * Create an IAMR value different from expected value. ++ * Kernel will reject an IAMR and UAMOR change. + */ +- sys_pkey_free(pkey3); ++ info->invalid_iamr = info->expected_iamr | (1ul << pkeyshift(pkey1) | 1ul << pkeyshift(pkey2)); ++ info->invalid_uamor = info->expected_uamor & ~(0x3ul << pkeyshift(pkey1)); + + printf("%-30s AMR: %016lx pkey1: %d pkey2: %d pkey3: %d\n", + user_write, info->amr1, pkey1, pkey2, pkey3); +@@ -196,9 +190,9 @@ static int parent(struct shared_info *info, pid_t pid) + PARENT_SKIP_IF_UNSUPPORTED(ret, &info->child_sync); + PARENT_FAIL_IF(ret, &info->child_sync); + +- info->amr1 = info->amr2 = info->invalid_amr = regs[0]; +- info->expected_iamr = info->invalid_iamr = regs[1]; +- info->expected_uamor = info->invalid_uamor = regs[2]; ++ info->amr1 = info->amr2 = regs[0]; ++ info->expected_iamr = regs[1]; ++ info->expected_uamor = regs[2]; + + /* Wake up child so that it can set itself up. */ + ret = prod_child(&info->child_sync); +-- +2.25.1 + diff --git a/queue-4.19/series b/queue-4.19/series index 53ecffeb513..db5d5fecab2 100644 --- a/queue-4.19/series +++ b/queue-4.19/series 
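Review bot: The comment added above `info->invalid_amr` in child() has a typo, "deined" for "denied", and the expression `(~0x0UL & ~info->expected_uamor)` reduces to `~info->expected_uamor`. In this version of child() `invalid_amr` is also computed before the `info->expected_uamor |= ...` statement that still follows as context, so the mask is built from the UAMOR value the parent read at start-up rather than the updated one. If that ordering is intended, a comment such as `/* mask uses UAMOR as read by the parent, before the keys below are added */` would make it explicit. child() begins and ends outside the hunk.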
@@ -46,3 +46,42 @@ module-correctly-truncate-sysfs-sections-output.patch
 perf-intel-pt-fix-fup-packet-state.patch
 remoteproc-qcom-q6v5-update-running-state-before-requesting-stop.patch
 drm-imx-imx-ldb-disable-both-channels-for-split-mode-in-enc-disable.patch
+mfd-arizona-ensure-32k-clock-is-put-on-driver-unbind.patch
+rdma-ipoib-return-void-from-ipoib_ib_dev_stop.patch
+rdma-ipoib-fix-abba-deadlock-with-ipoib_reap_ah.patch
+media-rockchip-rga-introduce-color-fmt-macros-and-re.patch
+media-rockchip-rga-only-set-output-csc-mode-for-rgb-.patch
+usb-serial-ftdi_sio-make-process-packet-buffer-unsig.patch
+usb-serial-ftdi_sio-clean-up-receive-processing.patch
+usb-serial-ftdi_sio-fix-break-and-sysrq-handling.patch
+mmc-renesas_sdhi_internal_dmac-clean-up-the-code-for.patch
+gpu-ipu-v3-image-convert-combine-rotate-no-rotate-ir.patch
+dm-rq-don-t-call-blk_mq_queue_stopped-in-dm_stop_que.patch
+selftests-powerpc-ptrace-pkey-rename-variables-to-ma.patch
+selftests-powerpc-ptrace-pkey-update-the-test-to-mar.patch
+selftests-powerpc-ptrace-pkey-don-t-update-expected-.patch
+iommu-omap-check-for-failure-of-a-call-to-omap_iommu.patch
+iommu-vt-d-enforce-pasid-devtlb-field-mask.patch
+i2c-rcar-slave-only-send-stop-event-when-we-have-bee.patch
+clk-clk-atlas6-fix-return-value-check-in-atlas6_clk_.patch
+pwm-bcm-iproc-handle-clk_get_rate-return.patch
+tools-build-feature-use-cc-and-cxx-from-parent.patch
+i2c-rcar-avoid-race-when-unregistering-slave.patch
+openrisc-fix-oops-caused-when-dumping-stack.patch
+scsi-lpfc-nvmet-avoid-hang-use-after-free-again-when.patch
+watchdog-initialize-device-before-misc_register.patch
+input-sentelic-fix-error-return-when-fsp_reg_write-f.patch
+drm-vmwgfx-use-correct-vmw_legacy_display_unit-point.patch
+drm-vmwgfx-fix-two-list_for_each-loop-exit-tests.patch
+net-qcom-emac-add-missed-clk_disable_unprepare-in-er.patch
+nfs-fix-getxattr-kernel-panic-and-memory-overflow.patch
+fs-minix-set-s_maxbytes-correctly.patch
+fs-minix-fix-block-limit-check-for-v1-filesystems.patch
+fs-minix-remove-expected-error-message-in-block_to_p.patch
+fs-ufs-avoid-potential-u32-multiplication-overflow.patch
+test_kmod-avoid-potential-double-free-in-trigger_con.patch
+mfd-dln2-run-event-handler-loop-under-spinlock.patch
+alsa-echoaudio-fix-potential-oops-in-snd_echo_resume.patch
+perf-bench-mem-always-memset-source-before-memcpy.patch
+tools-build-feature-quote-cc-and-cxx-for-their-argum.patch
+sh-landisk-add-missing-initialization-of-sh_io_port_.patch
diff --git a/queue-4.19/sh-landisk-add-missing-initialization-of-sh_io_port_.patch b/queue-4.19/sh-landisk-add-missing-initialization-of-sh_io_port_.patch
new file mode 100644
index 00000000000..0da176bd420
--- /dev/null
+++ b/queue-4.19/sh-landisk-add-missing-initialization-of-sh_io_port_.patch
@@ -0,0 +1,45 @@
+From 184c93b2b4cac2c59df8f89c27429a9ea98b2038 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 14 Aug 2020 14:42:45 +0200
+Subject: sh: landisk: Add missing initialization of sh_io_port_base
+
+From: Geert Uytterhoeven
+
+[ Upstream commit 0c64a0dce51faa9c706fdf1f957d6f19878f4b81 ]
+
+The Landisk setup code maps the CF IDE area using ioremap_prot(), and
+passes the resulting virtual addresses to the pata_platform driver,
+disguising them as I/O port addresses. Hence the pata_platform driver
+translates them again using ioport_map().
+As CONFIG_GENERIC_IOMAP=n, and CONFIG_HAS_IOPORT_MAP=y, the
+SuperH-specific mapping code in arch/sh/kernel/ioport.c translates
+I/O port addresses to virtual addresses by adding sh_io_port_base, which
+defaults to -1, thus breaking the assumption of an identity mapping.
+
+Fix this by setting sh_io_port_base to zero.
+
+Fixes: 37b7a97884ba64bf ("sh: machvec IO death.")
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Rich Felker
+Signed-off-by: Sasha Levin
+---
+ arch/sh/boards/mach-landisk/setup.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/sh/boards/mach-landisk/setup.c b/arch/sh/boards/mach-landisk/setup.c
+index f1147caebacf0..af69fb7fef7c7 100644
+--- a/arch/sh/boards/mach-landisk/setup.c
++++ b/arch/sh/boards/mach-landisk/setup.c
+@@ -85,6 +85,9 @@ device_initcall(landisk_devices_setup);
+
+ static void __init landisk_setup(char **cmdline_p)
+ {
++ /* I/O port identity mapping */
++ __set_io_port_base(0);
++
+ /* LED ON */
+ __raw_writeb(__raw_readb(PA_LED) | 0x03, PA_LED);
+
+--
+2.25.1
+
diff --git a/queue-4.19/test_kmod-avoid-potential-double-free-in-trigger_con.patch b/queue-4.19/test_kmod-avoid-potential-double-free-in-trigger_con.patch
new file mode 100644
index 00000000000..2384214ed34
--- /dev/null
+++ b/queue-4.19/test_kmod-avoid-potential-double-free-in-trigger_con.patch
@@ -0,0 +1,65 @@
+From bac8d0b7e918146921cd3d92c8b9ae5aeb6f0917 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 11 Aug 2020 18:36:16 -0700
+Subject: test_kmod: avoid potential double free in trigger_config_run_type()
+
+From: Tiezhu Yang
+
+[ Upstream commit 0776d1231bec0c7ab43baf440a3f5ef5f49dd795 ]
+
+Reset the member "test_fs" of the test configuration after a call of the
+function "kfree_const" to a null pointer so that a double memory release
+will not be performed.
+
+Fixes: d9c6a72d6fa2 ("kmod: add test driver to stress test the module loader")
+Signed-off-by: Tiezhu Yang
+Signed-off-by: Luis Chamberlain
+Signed-off-by: Andrew Morton
+Acked-by: Luis Chamberlain
+Cc: Alexei Starovoitov
+Cc: Al Viro
+Cc: Christian Brauner
+Cc: Chuck Lever
+Cc: David Howells
+Cc: David S. Miller
+Cc: Greg Kroah-Hartman
+Cc: Jakub Kicinski
+Cc: James Morris
+Cc: Jarkko Sakkinen
+Cc: J. Bruce Fields
+Cc: Jens Axboe
+Cc: Josh Triplett
+Cc: Kees Cook
+Cc: Lars Ellenberg
+Cc: Nikolay Aleksandrov
+Cc: Philipp Reisner
+Cc: Roopa Prabhu
+Cc: "Serge E. Hallyn"
+Cc: Sergei Trofimovich
+Cc: Sergey Kvachonok
+Cc: Shuah Khan
+Cc: Tony Vroon
+Cc: Christoph Hellwig
+Link: http://lkml.kernel.org/r/20200610154923.27510-4-mcgrof@kernel.org
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ lib/test_kmod.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/test_kmod.c b/lib/test_kmod.c
+index 9cf77628fc913..87a0cc750ea23 100644
+--- a/lib/test_kmod.c
++++ b/lib/test_kmod.c
+@@ -745,7 +745,7 @@ static int trigger_config_run_type(struct kmod_test_device *test_dev,
+ break;
+ case TEST_KMOD_FS_TYPE:
+ kfree_const(config->test_fs);
+- config->test_driver = NULL;
++ config->test_fs = NULL;
+ copied = config_copy_test_fs(config, test_str,
+ strlen(test_str));
+ break;
+--
+2.25.1
+
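Review bot: With the fix in the `TEST_KMOD_FS_TYPE` arm, `config->test_fs` is NULL for the whole time `config_copy_test_fs()` runs, and presumably stays NULL if that copy fails. The hunk does not show whether the caller holds the config lock or whether readers of `test_fs` tolerate NULL, so both are worth confirming before relying on the new state. A comment on the arm, e.g. `/* test_fs stays NULL until config_copy_test_fs() succeeds */`, would record the invariant. trigger_config_run_type() starts and ends outside the hunk.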
diff --git a/queue-4.19/tools-build-feature-quote-cc-and-cxx-for-their-argum.patch b/queue-4.19/tools-build-feature-quote-cc-and-cxx-for-their-argum.patch
new file mode 100644
index 00000000000..5b960683580
--- /dev/null
+++ b/queue-4.19/tools-build-feature-quote-cc-and-cxx-for-their-argum.patch
@@ -0,0 +1,93 @@
+From 1cc01d39a796af9691d8453a52cc645832c343f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 12 Aug 2020 17:15:17 -0500
+Subject: tools build feature: Quote CC and CXX for their arguments
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Daniel Díaz
+
+[ Upstream commit fa5c893181ed2ca2f96552f50073786d2cfce6c0 ]
+
+When using a cross-compilation environment, such as OpenEmbedded,
+the CC an CXX variables are set to something more than just a
+command: there are arguments (such as --sysroot) that need to be
+passed on to the compiler so that the right set of headers and
+libraries are used.
+
+For the particular case that our systems detected, CC is set to
+the following:
+
+ export CC="aarch64-linaro-linux-gcc --sysroot=/oe/build/tmp/work/machine/perf/1.0-r9/recipe-sysroot"
+
+Without quotes, detection is as follows:
+
+ Auto-detecting system features:
+ ... dwarf: [ OFF ]
+ ... dwarf_getlocations: [ OFF ]
+ ... glibc: [ OFF ]
+ ... gtk2: [ OFF ]
+ ... libbfd: [ OFF ]
+ ... libcap: [ OFF ]
+ ... libelf: [ OFF ]
+ ... libnuma: [ OFF ]
+ ... numa_num_possible_cpus: [ OFF ]
+ ... libperl: [ OFF ]
+ ... libpython: [ OFF ]
+ ... libcrypto: [ OFF ]
+ ... libunwind: [ OFF ]
+ ... libdw-dwarf-unwind: [ OFF ]
+ ... zlib: [ OFF ]
+ ... lzma: [ OFF ]
+ ... get_cpuid: [ OFF ]
+ ... bpf: [ OFF ]
+ ... libaio: [ OFF ]
+ ... libzstd: [ OFF ]
+ ... disassembler-four-args: [ OFF ]
+
+ Makefile.config:414: *** No gnu/libc-version.h found, please install glibc-dev[el]. Stop.
+ Makefile.perf:230: recipe for target 'sub-make' failed
+ make[1]: *** [sub-make] Error 2
+ Makefile:69: recipe for target 'all' failed
+ make: *** [all] Error 2
+
+With CC and CXX quoted, some of those features are now detected.
+
+Fixes: e3232c2f39ac ("tools build feature: Use CC and CXX from parent")
+Signed-off-by: Daniel Díaz
+Reviewed-by: Thomas Hebb
+Cc: Alexei Starovoitov
+Cc: Andrii Nakryiko
+Cc: Daniel Borkmann
+Cc: Jiri Olsa
+Cc: John Fastabend
+Cc: KP Singh
+Cc: Martin KaFai Lau
+Cc: Namhyung Kim
+Cc: Song Liu
+Cc: Stephane Eranian
+Cc: Yonghong Song
+Link: http://lore.kernel.org/lkml/20200812221518.2869003-1-daniel.diaz@linaro.org
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/build/Makefile.feature | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/build/Makefile.feature b/tools/build/Makefile.feature
+index 7d9d70c0b3800..7c17f17ea2cd2 100644
+--- a/tools/build/Makefile.feature
++++ b/tools/build/Makefile.feature
+@@ -7,7 +7,7 @@ endif
+
+ feature_check = $(eval $(feature_check_code))
+ define feature_check_code
+- feature-$(1) := $(shell $(MAKE) OUTPUT=$(OUTPUT_FEATURES) CC=$(CC) CXX=$(CXX) CFLAGS="$(EXTRA_CFLAGS) $(FEATURE_CHECK_CFLAGS-$(1))" CXXFLAGS="$(EXTRA_CXXFLAGS) $(FEATURE_CHECK_CXXFLAGS-$(1))" LDFLAGS="$(LDFLAGS) $(FEATURE_CHECK_LDFLAGS-$(1))" -C $(feature_dir) $(OUTPUT_FEATURES)test-$1.bin >/dev/null 2>/dev/null && echo 1 || echo 0)
++ feature-$(1) := $(shell $(MAKE) OUTPUT=$(OUTPUT_FEATURES) CC="$(CC)" CXX="$(CXX)" CFLAGS="$(EXTRA_CFLAGS) $(FEATURE_CHECK_CFLAGS-$(1))" CXXFLAGS="$(EXTRA_CXXFLAGS) $(FEATURE_CHECK_CXXFLAGS-$(1))" LDFLAGS="$(LDFLAGS) $(FEATURE_CHECK_LDFLAGS-$(1))" -C $(feature_dir) $(OUTPUT_FEATURES)test-$1.bin >/dev/null 2>/dev/null && echo 1 || echo 0)
+ endef
+
+ feature_set = $(eval $(feature_set_code))
+--
+2.25.1
+
diff --git a/queue-4.19/tools-build-feature-use-cc-and-cxx-from-parent.patch b/queue-4.19/tools-build-feature-use-cc-and-cxx-from-parent.patch
new file mode 100644
index 00000000000..8a4bef21930
--- /dev/null
+++ b/queue-4.19/tools-build-feature-use-cc-and-cxx-from-parent.patch
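Review bot: `CC="$(CC)"` and `CXX="$(CXX)"` in `feature_check_code` are expanded by make before `$(shell ...)` hands the line to the shell, so a value that itself contains a double quote, `$` or a backtick is re-interpreted by the shell instead of being passed through literally. Because the same line sends all output to `/dev/null`, such a value would surface only as every feature reading OFF, as in the log quoted in the commit message. A comment above the `define` would record the constraint: `# CC/CXX may carry arguments (e.g. --sysroot) but must not contain ", $ or backticks; the shell re-parses them`. `CFLAGS`, `CXXFLAGS` and `LDFLAGS` on that line use the same quoting and carry the same limit.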
@@ -0,0 +1,91 @@
+From 77e806822a0a6abee257b96ddb5c51664d424418 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 26 Jul 2020 21:08:14 -0700
+Subject: tools build feature: Use CC and CXX from parent
+
+From: Thomas Hebb
+
+[ Upstream commit e3232c2f39acafd5a29128425bc30b9884642cfa ]
+
+commit c8c188679ccf ("tools build: Use the same CC for feature detection
+and actual build") changed these assignments from unconditional (:=) to
+conditional (?=) so that they wouldn't clobber values from the
+environment. However, conditional assignment does not work properly for
+variables that Make implicitly sets, among which are CC and CXX. To
+quote tools/scripts/Makefile.include, which handles this properly:
+
+ # Makefiles suck: This macro sets a default value of $(2) for the
+ # variable named by $(1), unless the variable has been set by
+ # environment or command line. This is necessary for CC and AR
+ # because make sets default values, so the simpler ?= approach
+ # won't work as expected.
+
+In other words, the conditional assignments will not run even if the
+variables are not overridden in the environment; Make will set CC to
+"cc" and CXX to "g++" when it starts[1], meaning the variables are not
+empty by the time the conditional assignments are evaluated. This breaks
+cross-compilation when CROSS_COMPILE is set but CC isn't, since "cc"
+gets used for feature detection instead of the cross compiler (and
+likewise for CXX).
+
+To fix the issue, just pass down the values of CC and CXX computed by
+the parent Makefile, which gets included by the Makefile that actually
+builds whatever we're detecting features for and so is guaranteed to
+have good values. This is a better solution anyway, since it means we
+aren't trying to replicate the logic of the parent build system and so
+don't risk it getting out of sync.
+ +Leave PKG_CONFIG alone, since 1) there's no common logic to compute it +in Makefile.include, and 2) it's not an implicit variable, so +conditional assignment works properly. + +[1] https://www.gnu.org/software/make/manual/html_node/Implicit-Variables.html + +Fixes: c8c188679ccf ("tools build: Use the same CC for feature detection and actual build") +Signed-off-by: Thomas Hebb +Acked-by: Jiri Olsa +Cc: David Carrillo-Cisneros +Cc: Ian Rogers +Cc: Igor Lubashev +Cc: Namhyung Kim +Cc: Quentin Monnet +Cc: Song Liu +Cc: Stephane Eranian +Cc: thomas hebb +Link: http://lore.kernel.org/lkml/0a6e69d1736b0fa231a648f50b0cce5d8a6734ef.1595822871.git.tommyhebb@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/build/Makefile.feature | 2 +- + tools/build/feature/Makefile | 2 -- + 2 files changed, 1 insertion(+), 3 deletions(-) + +diff --git a/tools/build/Makefile.feature b/tools/build/Makefile.feature +index 42a787856cd87..7d9d70c0b3800 100644 +--- a/tools/build/Makefile.feature ++++ b/tools/build/Makefile.feature +@@ -7,7 +7,7 @@ endif + + feature_check = $(eval $(feature_check_code)) + define feature_check_code +- feature-$(1) := $(shell $(MAKE) OUTPUT=$(OUTPUT_FEATURES) CFLAGS="$(EXTRA_CFLAGS) $(FEATURE_CHECK_CFLAGS-$(1))" CXXFLAGS="$(EXTRA_CXXFLAGS) $(FEATURE_CHECK_CXXFLAGS-$(1))" LDFLAGS="$(LDFLAGS) $(FEATURE_CHECK_LDFLAGS-$(1))" -C $(feature_dir) $(OUTPUT_FEATURES)test-$1.bin >/dev/null 2>/dev/null && echo 1 || echo 0) ++ feature-$(1) := $(shell $(MAKE) OUTPUT=$(OUTPUT_FEATURES) CC=$(CC) CXX=$(CXX) CFLAGS="$(EXTRA_CFLAGS) $(FEATURE_CHECK_CFLAGS-$(1))" CXXFLAGS="$(EXTRA_CXXFLAGS) $(FEATURE_CHECK_CXXFLAGS-$(1))" LDFLAGS="$(LDFLAGS) $(FEATURE_CHECK_LDFLAGS-$(1))" -C $(feature_dir) $(OUTPUT_FEATURES)test-$1.bin >/dev/null 2>/dev/null && echo 1 || echo 0) + endef + + feature_set = $(eval $(feature_set_code)) +diff --git a/tools/build/feature/Makefile b/tools/build/feature/Makefile +index bf8a8ebcca1eb..c4845b66b9baa 100644 +--- 
a/tools/build/feature/Makefile ++++ b/tools/build/feature/Makefile +@@ -62,8 +62,6 @@ FILES= \ + + FILES := $(addprefix $(OUTPUT),$(FILES)) + +-CC ?= $(CROSS_COMPILE)gcc +-CXX ?= $(CROSS_COMPILE)g++ + PKG_CONFIG ?= $(CROSS_COMPILE)pkg-config + LLVM_CONFIG ?= llvm-config + +-- +2.25.1 + diff --git a/queue-4.19/usb-serial-ftdi_sio-clean-up-receive-processing.patch b/queue-4.19/usb-serial-ftdi_sio-clean-up-receive-processing.patch new file mode 100644 index 00000000000..2ea5ab242fd --- /dev/null +++ b/queue-4.19/usb-serial-ftdi_sio-clean-up-receive-processing.patch 
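Review bot: After the `CC ?=` and `CXX ?=` lines are dropped from `tools/build/feature/Makefile`, nothing in that file says where the compiler comes from, and an invocation that does not go through `feature_check_code` falls back to make's built-in `cc`/`g++`, which ignores `CROSS_COMPILE`. A comment at the place of the removed lines would keep that contract visible: `# CC and CXX are passed in by tools/build/Makefile.feature; make pre-sets both, so do not default them here with ?=`. The new `CC=$(CC) CXX=$(CXX)` in `Makefile.feature` is unquoted, so for a `CC` that carries arguments this patch is only correct together with the quoting follow-up queued in the same series.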
@@ -0,0 +1,75 @@ +From e85fe301c6265f24e52137bff40b1a538b748b8b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jul 2020 14:49:52 +0200 +Subject: USB: serial: ftdi_sio: clean up receive processing + +From: Johan Hovold + +[ Upstream commit ce054039ba5e47b75a3be02a00274e52b06a6456 ] + +Clean up receive processing by dropping the character pointer and +keeping the length argument unchanged throughout the function. + +Also make it more apparent that sysrq processing can consume a +characters by adding an explicit continue. + +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Sasha Levin +--- + drivers/usb/serial/ftdi_sio.c | 19 +++++++++---------- + 1 file changed, 9 insertions(+), 10 deletions(-) + +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c +index d0ae6318d6e96..ce9cc1f90b052 100644 +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -2040,7 +2040,6 @@ static int ftdi_process_packet(struct usb_serial_port *port, + struct ftdi_private *priv, unsigned char *buf, int len) + { + unsigned char status; +- unsigned char *ch; + int i; + char flag; + +@@ -2083,8 +2082,7 @@ static int ftdi_process_packet(struct usb_serial_port *port, + else + priv->transmit_empty = 0; + +- len -= 2; +- if (!len) ++ if (len == 2) + return 0; /* status only */ + + /* +@@ -2113,19 +2111,20 @@ static int ftdi_process_packet(struct usb_serial_port *port, + } + } + +- port->icount.rx += len; +- ch = buf + 2; ++ port->icount.rx += len - 2; + + if (port->port.console && port->sysrq) { +- for (i = 0; i < len; i++, ch++) { +- if (!usb_serial_handle_sysrq_char(port, *ch)) +- tty_insert_flip_char(&port->port, *ch, flag); ++ for (i = 2; i < len; i++) { ++ if (usb_serial_handle_sysrq_char(port, buf[i])) ++ continue; ++ tty_insert_flip_char(&port->port, buf[i], flag); + } + } else { +- tty_insert_flip_string_fixed_flag(&port->port, ch, flag, len); ++ tty_insert_flip_string_fixed_flag(&port->port, buf + 2, flag, ++ 
len - 2); + } + +- return len; ++ return len - 2; + } + + static void ftdi_process_read_urb(struct urb *urb) +-- +2.25.1 + diff --git a/queue-4.19/usb-serial-ftdi_sio-fix-break-and-sysrq-handling.patch b/queue-4.19/usb-serial-ftdi_sio-fix-break-and-sysrq-handling.patch new file mode 100644 index 00000000000..19e55bebac4 --- /dev/null +++ b/queue-4.19/usb-serial-ftdi_sio-fix-break-and-sysrq-handling.patch 
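Review bot: With `len` no longer reduced, `ftdi_process_packet()` depends on the literal `2` in several places (`len == 2`, `len - 2`, `i = 2`, `buf + 2`) to skip the status bytes, and the `buf[i]` reads in the loop are in bounds only because of the `len < 2` check at the top of the function, which is outside these hunks. A one-line comment at the early return, for example `/* buf[0..1] are modem/line status; payload is buf[2..len-1] */`, would make the indexing contract explicit for later edits. A named constant for the header length would serve the same purpose and keep the offsets from drifting apart.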
@@ -0,0 +1,87 @@
+From cda7b26dd90d8dca943dd48b568753cb5826c8fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 8 Jul 2020 14:49:53 +0200
+Subject: USB: serial: ftdi_sio: fix break and sysrq handling
+
+From: Johan Hovold
+
+[ Upstream commit 733fff67941dad64b8a630450b8372b1873edc41 ]
+
+Only the last NUL in a packet should be flagged as a break character,
+for example, to avoid dropping unrelated characters when IGNBRK is set.
+
+Also make sysrq work by consuming the break character instead of having
+it immediately cancel the sysrq request, and by not processing it
+prematurely to avoid triggering a sysrq based on an unrelated character
+received in the same packet (which was received *before* the break).
+
+Note that the break flag can be left set also for a packet received
+immediately following a break and that and an ending NUL in such a
+packet will continue to be reported as a break as there's no good way to
+tell it apart from an actual break.
+
+Tested on FT232R and FT232H.
+
+Fixes: 72fda3ca6fc1 ("USB: serial: ftd_sio: implement sysrq handling on break")
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reviewed-by: Greg Kroah-Hartman
+Signed-off-by: Johan Hovold
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/serial/ftdi_sio.c | 24 +++++++++++++++++-------
+ 1 file changed, 17 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
+index ce9cc1f90b052..aa72ce2642bf1 100644
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -2040,6 +2040,7 @@ static int ftdi_process_packet(struct usb_serial_port *port,
+ struct ftdi_private *priv, unsigned char *buf, int len)
+ {
+ unsigned char status;
++ bool brkint = false;
+ int i;
+ char flag;
+
+@@ -2091,13 +2092,17 @@ static int ftdi_process_packet(struct usb_serial_port *port,
+ */
+ flag = TTY_NORMAL;
+ if (buf[1] & FTDI_RS_ERR_MASK) {
+- /* Break takes precedence over parity, which takes precedence
+- * over framing errors */
+- if (buf[1] & FTDI_RS_BI) {
+- flag = TTY_BREAK;
++ /*
++ * Break takes precedence over parity, which takes precedence
++ * over framing errors. Note that break is only associated
++ * with the last character in the buffer and only when it's a
++ * NUL.
++ */
++ if (buf[1] & FTDI_RS_BI && buf[len - 1] == '\0') {
+ port->icount.brk++;
+- usb_serial_handle_break(port);
+- } else if (buf[1] & FTDI_RS_PE) {
++ brkint = true;
++ }
++ if (buf[1] & FTDI_RS_PE) {
+ flag = TTY_PARITY;
+ port->icount.parity++;
+ } else if (buf[1] & FTDI_RS_FE) {
+@@ -2113,8 +2118,13 @@ static int ftdi_process_packet(struct usb_serial_port *port,
+
+ port->icount.rx += len - 2;
+
+- if (port->port.console && port->sysrq) {
++ if (brkint || (port->port.console && port->sysrq)) {
+ for (i = 2; i < len; i++) {
++ if (brkint && i == len - 1) {
++ if (usb_serial_handle_break(port))
++ return len - 3;
++ flag = TTY_BREAK;
++ }
+ if (usb_serial_handle_sysrq_char(port, buf[i]))
+ continue;
+ tty_insert_flip_char(&port->port, buf[i], flag);
+--
+2.25.1
+
diff --git a/queue-4.19/usb-serial-ftdi_sio-make-process-packet-buffer-unsig.patch b/queue-4.19/usb-serial-ftdi_sio-make-process-packet-buffer-unsig.patch
new file mode 100644
index 00000000000..7cb752e3309
--- /dev/null
+++ b/queue-4.19/usb-serial-ftdi_sio-make-process-packet-buffer-unsig.patch
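Review bot: `buf[len - 1]` in the new break test is a payload byte only because the function has already returned for `len == 2`; that early return is outside this hunk and comes from the clean-up patch queued alongside this one, so the two must be applied in that order, since against the older `len -= 2` form the same expression would index the wrong byte. The condition also mixes `&` and `&&` without parentheses; `if ((buf[1] & FTDI_RS_BI) && buf[len - 1] == '\0') {` reads unambiguously. `return len - 3;` would benefit from a comment such as `/* break NUL consumed by sysrq handling; not reported as data */`, and `port->icount.rx` has by that point already been increased by `len - 2`, so the consumed byte is still counted as received.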
@@ -0,0 +1,96 @@ +From 5151e08f9ca760bf5f9c8c43e9ea27b707d93845 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jul 2020 14:49:51 +0200 +Subject: USB: serial: ftdi_sio: make process-packet buffer unsigned + +From: Johan Hovold + +[ Upstream commit ab4cc4ef6724ea588e835fc1e764c4b4407a70b7 ] + +Use an unsigned type for the process-packet buffer argument and give it +a more apt name. + +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Sasha Levin +--- + drivers/usb/serial/ftdi_sio.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c +index 3c0f38cd3a5a4..d0ae6318d6e96 100644 +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -2037,12 +2037,12 @@ static int ftdi_prepare_write_buffer(struct usb_serial_port *port, + #define FTDI_RS_ERR_MASK (FTDI_RS_BI | FTDI_RS_PE | FTDI_RS_FE | FTDI_RS_OE) + + static int ftdi_process_packet(struct usb_serial_port *port, +- struct ftdi_private *priv, char *packet, int len) ++ struct ftdi_private *priv, unsigned char *buf, int len) + { ++ unsigned char status; ++ unsigned char *ch; + int i; +- char status; + char flag; +- char *ch; + + if (len < 2) { + dev_dbg(&port->dev, "malformed packet\n"); +@@ -2052,7 +2052,7 @@ static int ftdi_process_packet(struct usb_serial_port *port, + /* Compare new line status to the old one, signal if different/ + N.B. packet may be processed more than once, but differences + are only processed once. 
*/ +- status = packet[0] & FTDI_STATUS_B0_MASK; ++ status = buf[0] & FTDI_STATUS_B0_MASK; + if (status != priv->prev_status) { + char diff_status = status ^ priv->prev_status; + +@@ -2078,7 +2078,7 @@ static int ftdi_process_packet(struct usb_serial_port *port, + } + + /* save if the transmitter is empty or not */ +- if (packet[1] & FTDI_RS_TEMT) ++ if (buf[1] & FTDI_RS_TEMT) + priv->transmit_empty = 1; + else + priv->transmit_empty = 0; +@@ -2092,29 +2092,29 @@ static int ftdi_process_packet(struct usb_serial_port *port, + * data payload to avoid over-reporting. + */ + flag = TTY_NORMAL; +- if (packet[1] & FTDI_RS_ERR_MASK) { ++ if (buf[1] & FTDI_RS_ERR_MASK) { + /* Break takes precedence over parity, which takes precedence + * over framing errors */ +- if (packet[1] & FTDI_RS_BI) { ++ if (buf[1] & FTDI_RS_BI) { + flag = TTY_BREAK; + port->icount.brk++; + usb_serial_handle_break(port); +- } else if (packet[1] & FTDI_RS_PE) { ++ } else if (buf[1] & FTDI_RS_PE) { + flag = TTY_PARITY; + port->icount.parity++; +- } else if (packet[1] & FTDI_RS_FE) { ++ } else if (buf[1] & FTDI_RS_FE) { + flag = TTY_FRAME; + port->icount.frame++; + } + /* Overrun is special, not associated with a char */ +- if (packet[1] & FTDI_RS_OE) { ++ if (buf[1] & FTDI_RS_OE) { + port->icount.overrun++; + tty_insert_flip_char(&port->port, 0, TTY_OVERRUN); + } + } + + port->icount.rx += len; +- ch = packet + 2; ++ ch = buf + 2; + + if (port->port.console && port->sysrq) { + for (i = 0; i < len; i++, ch++) { +-- +2.25.1 + diff --git a/queue-4.19/watchdog-initialize-device-before-misc_register.patch b/queue-4.19/watchdog-initialize-device-before-misc_register.patch new file mode 100644 index 00000000000..ca31ba6c1b6 --- /dev/null +++ b/queue-4.19/watchdog-initialize-device-before-misc_register.patch 
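Review bot: `status` becomes `unsigned char`, but the context line `char diff_status = status ^ priv->prev_status;` still stores the XOR result in a plain `char`, whose signedness is implementation-defined. For consistency with the rest of this change it should read `unsigned char diff_status = status ^ priv->prev_status;`. The bit tests that consume `diff_status` and the declaration of `priv->prev_status` are outside the hunk, so the member's type should be checked to match as well.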
@@ -0,0 +1,119 @@ +From 9710e180ec438bcdcc967e8fc0028194492bec0c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Jul 2020 12:31:09 +0200 +Subject: watchdog: initialize device before misc_register + +From: Krzysztof Sobota + +[ Upstream commit cb36e29bb0e4b0c33c3d5866a0a4aebace4c99b7 ] + +When watchdog device is being registered, it calls misc_register that +makes watchdog available for systemd to open. This is a data race +scenario, because when device is open it may still have device struct +not initialized - this in turn causes a crash. This patch moves +device initialization before misc_register call and it solves the +problem printed below. + +------------[ cut here ]------------ +WARNING: CPU: 3 PID: 1 at lib/kobject.c:612 kobject_get+0x50/0x54 +kobject: '(null)' ((ptrval)): is not initialized, yet kobject_get() is being called. +Modules linked in: k2_reset_status(O) davinci_wdt(+) sfn_platform_hwbcn(O) fsmddg_sfn(O) clk_misc_mmap(O) clk_sw_bcn(O) fsp_reset(O) cma_mod(O) slave_sup_notif(O) fpga_master(O) latency(O+) evnotify(O) enable_arm_pmu(O) xge(O) rio_mport_cdev br_netfilter bridge stp llc nvrd_checksum(O) ipv6 +CPU: 3 PID: 1 Comm: systemd Tainted: G O 4.19.113-g2579778-fsm4_k2 #1 +Hardware name: Keystone +[] (unwind_backtrace) from [] (show_stack+0x18/0x1c) +[] (show_stack) from [] (dump_stack+0xb4/0xe8) +[] (dump_stack) from [] (__warn+0xfc/0x114) +[] (__warn) from [] (warn_slowpath_fmt+0x50/0x74) +[] (warn_slowpath_fmt) from [] (kobject_get+0x50/0x54) +[] (kobject_get) from [] (get_device+0x1c/0x24) +[] (get_device) from [] (watchdog_open+0x90/0xf0) +[] (watchdog_open) from [] (misc_open+0x130/0x17c) +[] (misc_open) from [] (chrdev_open+0xec/0x1a8) +[] (chrdev_open) from [] (do_dentry_open+0x204/0x3cc) +[] (do_dentry_open) from [] (path_openat+0x330/0x1148) +[] (path_openat) from [] (do_filp_open+0x78/0xec) +[] (do_filp_open) from [] (do_sys_open+0x130/0x1f4) +[] (do_sys_open) from [] (ret_fast_syscall+0x0/0x28) +Exception stack(0xd2ceffa8 
to 0xd2cefff0) +ffa0: b6f69968 00000000 ffffff9c b6ebd210 000a0001 00000000 +ffc0: b6f69968 00000000 00000000 00000142 fffffffd ffffffff 00b65530 bed7bb78 +ffe0: 00000142 bed7ba70 b6cc2503 b6cc41d6 +---[ end trace 7b16eb105513974f ]--- + +------------[ cut here ]------------ +WARNING: CPU: 3 PID: 1 at lib/refcount.c:153 kobject_get+0x24/0x54 +refcount_t: increment on 0; use-after-free. +Modules linked in: k2_reset_status(O) davinci_wdt(+) sfn_platform_hwbcn(O) fsmddg_sfn(O) clk_misc_mmap(O) clk_sw_bcn(O) fsp_reset(O) cma_mod(O) slave_sup_notif(O) fpga_master(O) latency(O+) evnotify(O) enable_arm_pmu(O) xge(O) rio_mport_cdev br_netfilter bridge stp llc nvrd_checksum(O) ipv6 +CPU: 3 PID: 1 Comm: systemd Tainted: G W O 4.19.113-g2579778-fsm4_k2 #1 +Hardware name: Keystone +[] (unwind_backtrace) from [] (show_stack+0x18/0x1c) +[] (show_stack) from [] (dump_stack+0xb4/0xe8) +[] (dump_stack) from [] (__warn+0xfc/0x114) +[] (__warn) from [] (warn_slowpath_fmt+0x50/0x74) +[] (warn_slowpath_fmt) from [] (kobject_get+0x24/0x54) +[] (kobject_get) from [] (get_device+0x1c/0x24) +[] (get_device) from [] (watchdog_open+0x90/0xf0) +[] (watchdog_open) from [] (misc_open+0x130/0x17c) +[] (misc_open) from [] (chrdev_open+0xec/0x1a8) +[] (chrdev_open) from [] (do_dentry_open+0x204/0x3cc) +[] (do_dentry_open) from [] (path_openat+0x330/0x1148) +[] (path_openat) from [] (do_filp_open+0x78/0xec) +[] (do_filp_open) from [] (do_sys_open+0x130/0x1f4) +[] (do_sys_open) from [] (ret_fast_syscall+0x0/0x28) +Exception stack(0xd2ceffa8 to 0xd2cefff0) +ffa0: b6f69968 00000000 ffffff9c b6ebd210 000a0001 00000000 +ffc0: b6f69968 00000000 00000000 00000142 fffffffd ffffffff 00b65530 bed7bb78 +ffe0: 00000142 bed7ba70 b6cc2503 b6cc41d6 +---[ end trace 7b16eb1055139750 ]--- + +Fixes: 72139dfa2464 ("watchdog: Fix the race between the release of watchdog_core_data and cdev") +Reviewed-by: Guenter Roeck +Reviewed-by: Alexander Sverdlin +Signed-off-by: Krzysztof Sobota +Link: 
https://lore.kernel.org/r/20200717103109.14660-1-krzysztof.sobota@nokia.com +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/watchdog_dev.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/watchdog/watchdog_dev.c b/drivers/watchdog/watchdog_dev.c +index 10b2090f3e5e7..1c322caecf7f1 100644 +--- a/drivers/watchdog/watchdog_dev.c ++++ b/drivers/watchdog/watchdog_dev.c +@@ -947,6 +947,15 @@ static int watchdog_cdev_register(struct watchdog_device *wdd) + if (IS_ERR_OR_NULL(watchdog_kworker)) + return -ENODEV; + ++ device_initialize(&wd_data->dev); ++ wd_data->dev.devt = MKDEV(MAJOR(watchdog_devt), wdd->id); ++ wd_data->dev.class = &watchdog_class; ++ wd_data->dev.parent = wdd->parent; ++ wd_data->dev.groups = wdd->groups; ++ wd_data->dev.release = watchdog_core_data_release; ++ dev_set_drvdata(&wd_data->dev, wdd); ++ dev_set_name(&wd_data->dev, "watchdog%d", wdd->id); ++ + kthread_init_work(&wd_data->work, watchdog_ping_work); + hrtimer_init(&wd_data->timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL); + wd_data->timer.function = watchdog_timer_expired; +@@ -967,15 +976,6 @@ static int watchdog_cdev_register(struct watchdog_device *wdd) + } + } + +- device_initialize(&wd_data->dev); +- wd_data->dev.devt = MKDEV(MAJOR(watchdog_devt), wdd->id); +- wd_data->dev.class = &watchdog_class; +- wd_data->dev.parent = wdd->parent; +- wd_data->dev.groups = wdd->groups; +- wd_data->dev.release = watchdog_core_data_release; +- dev_set_drvdata(&wd_data->dev, wdd); +- dev_set_name(&wd_data->dev, "watchdog%d", wdd->id); +- + /* Fill in the data structures */ + cdev_init(&wd_data->cdev, &watchdog_fops); + +-- +2.25.1 + -- 2.47.3
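Review bot: Once `device_initialize(&wd_data->dev)` runs near the top of `watchdog_cdev_register()`, `wd_data` is owned by the device reference count and `dev_set_name()` has allocated the name, so every later failure exit has to drop the reference with `put_device(&wd_data->dev);` and let `watchdog_core_data_release` free the structure. The `misc_register()` failure path sits between the two visible regions and is not shown; if it still frees `wd_data` directly, the name allocation leaks and the release callback is bypassed, and that path needs converting in the same backport. The return value of `dev_set_name()` is also left unchecked in the moved block.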