From 359e3df8797a4c7c407391226c1aebfa788f26b9 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 28 Feb 2021 22:19:10 -0500 Subject: [PATCH] Fixes for 4.9 Signed-off-by: Sasha Levin --- ...rce-leak-for-drivers-without-.remove.patch | 83 +++++++ ...pressor-do-not-clear-sctlr.ntlsmd-fo.patch | 75 +++++++ ...e-missing-thermal-interrupt-for-4430.patch | 52 +++++ ...orrect-pmic-interrupt-trigger-level-.patch | 38 ++++ ...-pmic-interrupt-trigger-level-.patch-11258 | 39 ++++ queue-4.9/arm-s3c-fix-fiq-for-clang-ias.patch | 93 ++++++++ ...g-isb-after-invalidating-tlb-in-__pr.patch | 49 +++++ ...-correct-pmic-interrupt-trigger-leve.patch | 38 ++++ ...6-fix-reserved-and-rfsa-nodes-unit-a.patch | 46 ++++ ...42l56-fix-up-error-handling-in-probe.patch | 46 ++++ ..._brcm-add-back-regulators-management.patch | 79 +++++++ ...e-update-of-coef-for-the-phy-revisio.patch | 50 +++++ ...p-hci-device-reference-before-return.patch | 35 +++ ...itializing-response-id-after-clearin.patch | 39 ++++ ...i-device-if-inquiry-procedure-interr.patch | 40 ++++ ...-order-of-tx-disable-and-carrier-off.patch | 42 ++++ ...ror-returns-values-in-__load_free_sp.patch | 60 +++++ ...l-fix-initializing-the-old-rate-fall.patch | 39 ++++ ...ers-mxs_timer-add-missing-semicolon-.patch | 49 +++++ ...er-ensure-len-secret.len-in-decode_k.patch | 41 ++++ ...-fix-a-resource-leak-in-an-error-han.patch | 51 +++++ ...-fix-a-resource-leak-in-the-remove-f.patch | 42 ++++ ...error-return-code-in-psb_driver_load.patch | 38 ++++ ...orrect-io_start-for-msm8994-20nm-phy.patch | 37 ++++ ...fbdev-aty-sparc64-requires-fb_aty_ct.patch | 62 ++++++ ...dle-no-map-field-in-the-memory-regio.patch | 42 ++++ ...tial-integer-overflow-on-shift-of-a-.patch | 39 ++++ ...a500-clean-up-error-handling-in-init.patch | 73 +++++++ ...ct-and-skip-invalid-inputs-to-snto32.patch | 51 +++++ ...b-fix-brcmstd_send_i2c_cmd-condition.patch | 40 ++++ ...or-ipv6-next-header-extension-header.patch | 63 ++++++ ...io-in-case-of-when-device-disassocia.patch | 54 +++++ ...elo-fix-an-error-code-in-elo_connect.patch | 40 ++++ ...fs-release-buffer-head-before-return.patch | 49 +++++ ...e-after-free-in-jffs2_sum_write_data.patch | 58 +++++ ...ential-overflow-when-multiplying-to-.patch | 40 ++++ ...x-a-bug-when-reallocating-some-dma-m.patch | 46 ++++ .../media-lmedm04-fix-misuse-of-comma.patch | 40 ++++ ...edia-pci-fix-memleak-in-empress_init.patch | 42 ++++ ...-declare-variable-when-debug-is-defi.patch | 46 ++++ ...-fix-error-return-code-in-qm1d1c0042.patch | 43 ++++ ...0-fix-memleak-in-tm6000_start_stream.patch | 40 ++++ ...ccept-invalid-bformatindex-and-bfram.patch | 82 +++++++ ...n-error-handling-path-in-the-probe-f.patch | 43 ++++ ...c-prevent-use-after-free-in-wm831x_a.patch | 44 ++++ ...ection-mismatch-for-loongson2_sc_ini.patch | 45 ++++ ...icitly-compare-ltq_ebu_pcc_istat-aga.patch | 55 +++++ ...46-add-module-alias-to-avoid-breakin.patch | 38 ++++ ...46-fix-module-alias-to-enable-module.patch | 34 +++ ...otential-double-free-in-hugetlb_regi.patch | 46 ++++ ...potential-pte_unmap_unlock-pte-error.patch | 66 ++++++ ...ix-a-resource-leak-in-the-error-hand.patch | 46 ++++ ...ore-add-missed-mlx4_free_cmd_mailbox.patch | 39 ++++ .../ocfs2-fix-a-use-after-free-on-error.patch | 60 +++++ ...-no-map-does-not-remove-already-rese.patch | 80 +++++++ ...ing-of-syscall-user-config-accessors.patch | 80 +++++++ ...pt-fix-missing-cyc-processing-in-psb.patch | 41 ++++ ...aligned-access-in-sample-parsing-tes.patch | 73 +++++++ ...so-filtering-when-not-finding-a-map-.patch | 101 +++++++++ ...-at91-sama5d2_shdwc-fix-wkupdbc-mask.patch | 36 +++ .../powerpc-47x-disable-256k-page-size.patch | 41 ++++ ...dlpar-handle-ibm-configure-connector.patch | 65 ++++++ ...kchip_pwm_probe-remove-superfluous-c.patch | 43 ++++ ...a-rxe-fix-coding-error-in-rxe_recv.c.patch | 67 ++++++ ...lator-axp20x-fix-reference-cout-leak.patch | 52 +++++ ...ix-kconfig-warning-cnic-build-errors.patch | 57 +++++ queue-4.9/series | 76 +++++++ ...ect-compat_binfmt_elf-if-binfmt_elf-.patch | 47 ++++ ...spi-abort-read-if-dummy-cycles-requi.patch | 41 ++++ ...he-controller-numbering-for-wildcat-.patch | 87 ++++++++ ...take-mmap-lock-in-cacheflush-syscall.patch | 61 ++++++ ...t-fail-unregistering-a-probe-due-to-.patch | 205 ++++++++++++++++++ ...ransaction-after-errors-with-unknown.patch | 84 +++++++ ...update-data-length-if-it-is-0-on-inb.patch | 63 ++++++ ...trimming-xfer-length-a-debug-message.patch | 48 ++++ ...e_dirty_lock-when-unregistering-gues.patch | 43 ++++ ...spurious-event-detection-for-common-.patch | 56 +++++ 77 files changed, 4214 insertions(+) create mode 100644 queue-4.9/amba-fix-resource-leak-for-drivers-without-.remove.patch create mode 100644 queue-4.9/arm-9046-1-decompressor-do-not-clear-sctlr.ntlsmd-fo.patch create mode 100644 queue-4.9/arm-dts-configure-missing-thermal-interrupt-for-4430.patch create mode 100644 queue-4.9/arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch create mode 100644 queue-4.9/arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch-11258 create mode 100644 queue-4.9/arm-s3c-fix-fiq-for-clang-ias.patch create mode 100644 queue-4.9/arm64-add-missing-isb-after-invalidating-tlb-in-__pr.patch create mode 100644 queue-4.9/arm64-dts-exynos-correct-pmic-interrupt-trigger-leve.patch create mode 100644 queue-4.9/arm64-dts-msm8916-fix-reserved-and-rfsa-nodes-unit-a.patch create mode 100644 queue-4.9/asoc-cs42l56-fix-up-error-handling-in-probe.patch create mode 100644 queue-4.9/ata-ahci_brcm-add-back-regulators-management.patch create mode 100644 queue-4.9/b43-n-phy-fix-the-update-of-coef-for-the-phy-revisio.patch create mode 100644 queue-4.9/bluetooth-drop-hci-device-reference-before-return.patch create mode 100644 queue-4.9/bluetooth-fix-initializing-response-id-after-clearin.patch create mode 100644 queue-4.9/bluetooth-put-hci-device-if-inquiry-procedure-interr.patch create mode 100644 queue-4.9/bnxt_en-reverse-order-of-tx-disable-and-carrier-off.patch create mode 100644 queue-4.9/btrfs-clarify-error-returns-values-in-__load_free_sp.patch create mode 100644 queue-4.9/clk-meson-clk-pll-fix-initializing-the-old-rate-fall.patch create mode 100644 queue-4.9/clocksource-drivers-mxs_timer-add-missing-semicolon-.patch create mode 100644 queue-4.9/crypto-ecdh_helper-ensure-len-secret.len-in-decode_k.patch create mode 100644 queue-4.9/dmaengine-fsldma-fix-a-resource-leak-in-an-error-han.patch create mode 100644 queue-4.9/dmaengine-fsldma-fix-a-resource-leak-in-the-remove-f.patch create mode 100644 queue-4.9/drm-gma500-fix-error-return-code-in-psb_driver_load.patch create mode 100644 queue-4.9/drm-msm-dsi-correct-io_start-for-msm8994-20nm-phy.patch create mode 100644 queue-4.9/fbdev-aty-sparc64-requires-fb_aty_ct.patch create mode 100644 queue-4.9/fdt-properly-handle-no-map-field-in-the-memory-regio.patch create mode 100644 queue-4.9/fs-jfs-fix-potential-integer-overflow-on-shift-of-a-.patch create mode 100644 queue-4.9/gma500-clean-up-error-handling-in-init.patch create mode 100644 queue-4.9/hid-core-detect-and-skip-invalid-inputs-to-snto32.patch create mode 100644 queue-4.9/i2c-brcmstb-fix-brcmstd_send_i2c_cmd-condition.patch create mode 100644 queue-4.9/i40e-fix-flow-for-ipv6-next-header-extension-header.patch create mode 100644 queue-4.9/ib-umad-return-eio-in-case-of-when-device-disassocia.patch create mode 100644 queue-4.9/input-elo-fix-an-error-code-in-elo_connect.patch create mode 100644 queue-4.9/isofs-release-buffer-head-before-return.patch create mode 100644 queue-4.9/jffs2-fix-use-after-free-in-jffs2_sum_write_data.patch create mode 100644 queue-4.9/mac80211-fix-potential-overflow-when-multiplying-to-.patch create mode 100644 queue-4.9/media-cx25821-fix-a-bug-when-reallocating-some-dma-m.patch create mode 100644 queue-4.9/media-lmedm04-fix-misuse-of-comma.patch create mode 100644 queue-4.9/media-media-pci-fix-memleak-in-empress_init.patch create mode 100644 queue-4.9/media-pxa_camera-declare-variable-when-debug-is-defi.patch create mode 100644 queue-4.9/media-qm1d1c0042-fix-error-return-code-in-qm1d1c0042.patch create mode 100644 queue-4.9/media-tm6000-fix-memleak-in-tm6000_start_stream.patch create mode 100644 queue-4.9/media-uvcvideo-accept-invalid-bformatindex-and-bfram.patch create mode 100644 queue-4.9/media-vsp1-fix-an-error-handling-path-in-the-probe-f.patch create mode 100644 queue-4.9/mfd-wm831x-auxadc-prevent-use-after-free-in-wm831x_a.patch create mode 100644 queue-4.9/mips-c-r4k-fix-section-mismatch-for-loongson2_sc_ini.patch create mode 100644 queue-4.9/mips-lantiq-explicitly-compare-ltq_ebu_pcc_istat-aga.patch create mode 100644 queue-4.9/misc-eeprom_93xx46-add-module-alias-to-avoid-breakin.patch create mode 100644 queue-4.9/misc-eeprom_93xx46-fix-module-alias-to-enable-module.patch create mode 100644 queue-4.9/mm-hugetlb-fix-potential-double-free-in-hugetlb_regi.patch create mode 100644 queue-4.9/mm-memory.c-fix-potential-pte_unmap_unlock-pte-error.patch create mode 100644 queue-4.9/mmc-usdhi6rol0-fix-a-resource-leak-in-the-error-hand.patch create mode 100644 queue-4.9/net-mlx4_core-add-missed-mlx4_free_cmd_mailbox.patch create mode 100644 queue-4.9/ocfs2-fix-a-use-after-free-on-error.patch create mode 100644 queue-4.9/of-fdt-make-sure-no-map-does-not-remove-already-rese.patch create mode 100644 queue-4.9/pci-align-checking-of-syscall-user-config-accessors.patch create mode 100644 queue-4.9/perf-intel-pt-fix-missing-cyc-processing-in-psb.patch create mode 100644 queue-4.9/perf-test-fix-unaligned-access-in-sample-parsing-tes.patch create mode 100644 queue-4.9/perf-tools-fix-dso-filtering-when-not-finding-a-map-.patch create mode 100644 queue-4.9/power-reset-at91-sama5d2_shdwc-fix-wkupdbc-mask.patch create mode 100644 queue-4.9/powerpc-47x-disable-256k-page-size.patch create mode 100644 queue-4.9/powerpc-pseries-dlpar-handle-ibm-configure-connector.patch create mode 100644 queue-4.9/pwm-rockchip-rockchip_pwm_probe-remove-superfluous-c.patch create mode 100644 queue-4.9/rdma-rxe-fix-coding-error-in-rxe_recv.c.patch create mode 100644 queue-4.9/regulator-axp20x-fix-reference-cout-leak.patch create mode 100644 queue-4.9/scsi-bnx2fc-fix-kconfig-warning-cnic-build-errors.patch create mode 100644 queue-4.9/sparc64-only-select-compat_binfmt_elf-if-binfmt_elf-.patch create mode 100644 queue-4.9/spi-cadence-quadspi-abort-read-if-dummy-cycles-requi.patch create mode 100644 queue-4.9/spi-pxa2xx-fix-the-controller-numbering-for-wildcat-.patch create mode 100644 queue-4.9/take-mmap-lock-in-cacheflush-syscall.patch create mode 100644 queue-4.9/tracepoint-do-not-fail-unregistering-a-probe-due-to-.patch create mode 100644 queue-4.9/usb-dwc2-abort-transaction-after-errors-with-unknown.patch create mode 100644 queue-4.9/usb-dwc2-do-not-update-data-length-if-it-is-0-on-inb.patch create mode 100644 queue-4.9/usb-dwc2-make-trimming-xfer-length-a-debug-message.patch create mode 100644 queue-4.9/vmci-use-set_page_dirty_lock-when-unregistering-gues.patch create mode 100644 queue-4.9/xen-netback-fix-spurious-event-detection-for-common-.patch diff --git a/queue-4.9/amba-fix-resource-leak-for-drivers-without-.remove.patch b/queue-4.9/amba-fix-resource-leak-for-drivers-without-.remove.patch new file mode 100644 index 00000000000..5521f5d7da3 --- /dev/null +++ b/queue-4.9/amba-fix-resource-leak-for-drivers-without-.remove.patch @@ -0,0 +1,83 @@ +From 70fc85a0f32d1ce708b0777a2a3be218efefb6f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Jan 2021 17:58:31 +0100 +Subject: amba: Fix resource leak for drivers without .remove +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit de5d7adb89367bbc87b4e5ce7afe7ae9bd86dc12 ] + +Consider an amba driver with a .probe but without a .remove callback (e.g. +pl061_gpio_driver). The function amba_probe() is called to bind a device +and so dev_pm_domain_attach() and others are called. As there is no remove +callback amba_remove() isn't called at unbind time however and so calling +dev_pm_domain_detach() is missed and the pm domain keeps active. + +To fix this always use the core driver callbacks and handle missing amba +callbacks there. For probe refuse registration as a driver without probe +doesn't make sense. + +Fixes: 7cfe249475fd ("ARM: AMBA: Add pclk support to AMBA bus infrastructure") +Reviewed-by: Ulf Hansson +Reviewed-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20210126165835.687514-2-u.kleine-koenig@pengutronix.de +Signed-off-by: Uwe Kleine-König +Signed-off-by: Sasha Levin +--- + drivers/amba/bus.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +diff --git a/drivers/amba/bus.c b/drivers/amba/bus.c +index 93888ccb4e267..5bc8d588d1460 100644 +--- a/drivers/amba/bus.c ++++ b/drivers/amba/bus.c +@@ -280,10 +280,11 @@ static int amba_remove(struct device *dev) + { + struct amba_device *pcdev = to_amba_device(dev); + struct amba_driver *drv = to_amba_driver(dev->driver); +- int ret; ++ int ret = 0; + + pm_runtime_get_sync(dev); +- ret = drv->remove(pcdev); ++ if (drv->remove) ++ ret = drv->remove(pcdev); + pm_runtime_put_noidle(dev); + + /* Undo the runtime PM settings in amba_probe() */ +@@ -300,7 +301,9 @@ static int amba_remove(struct device *dev) + static void amba_shutdown(struct device *dev) + { + struct amba_driver *drv = to_amba_driver(dev->driver); +- drv->shutdown(to_amba_device(dev)); ++ ++ if (drv->shutdown) ++ drv->shutdown(to_amba_device(dev)); + } + + /** +@@ -313,12 +316,13 @@ static void amba_shutdown(struct device *dev) + */ + int amba_driver_register(struct amba_driver *drv) + { +- drv->drv.bus = &amba_bustype; ++ if (!drv->probe) ++ return -EINVAL; + +-#define SETFN(fn) if (drv->fn) drv->drv.fn = amba_##fn +- SETFN(probe); +- SETFN(remove); +- SETFN(shutdown); ++ drv->drv.bus = &amba_bustype; ++ drv->drv.probe = amba_probe; ++ drv->drv.remove = amba_remove; ++ drv->drv.shutdown = amba_shutdown; + + return driver_register(&drv->drv); + } +-- +2.27.0 + diff --git a/queue-4.9/arm-9046-1-decompressor-do-not-clear-sctlr.ntlsmd-fo.patch b/queue-4.9/arm-9046-1-decompressor-do-not-clear-sctlr.ntlsmd-fo.patch new file mode 100644 index 00000000000..695e7cd5ff8 --- /dev/null +++ b/queue-4.9/arm-9046-1-decompressor-do-not-clear-sctlr.ntlsmd-fo.patch @@ -0,0 +1,75 @@ +From dfea0c11946ee2e2495fa7ccba16a6057b397833 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Jan 2021 10:47:24 +0100 +Subject: ARM: 9046/1: decompressor: Do not clear SCTLR.nTLSMD for ARMv7+ cores + +From: Vladimir Murzin + +[ Upstream commit 2acb909750431030b65a0a2a17fd8afcbd813a84 ] + +It was observed that decompressor running on hardware implementing ARM v8.2 +Load/Store Multiple Atomicity and Ordering Control (LSMAOC), say, as guest, +would stuck just after: + +Uncompressing Linux... done, booting the kernel. + +The reason is that it clears nTLSMD bit when disabling caches: + + nTLSMD, bit [3] + + When ARMv8.2-LSMAOC is implemented: + + No Trap Load Multiple and Store Multiple to + Device-nGRE/Device-nGnRE/Device-nGnRnE memory. + + 0b0 All memory accesses by A32 and T32 Load Multiple and Store + Multiple at EL1 or EL0 that are marked at stage 1 as + Device-nGRE/Device-nGnRE/Device-nGnRnE memory are trapped and + generate a stage 1 Alignment fault. + + 0b1 All memory accesses by A32 and T32 Load Multiple and Store + Multiple at EL1 or EL0 that are marked at stage 1 as + Device-nGRE/Device-nGnRE/Device-nGnRnE memory are not trapped. + + This bit is permitted to be cached in a TLB. + + This field resets to 1. + + Otherwise: + + Reserved, RES1 + +So as effect we start getting traps we are not quite ready for. + +Looking into history it seems that mask used for SCTLR clear came from +the similar code for ARMv4, where bit[3] is the enable/disable bit for +the write buffer. That not applicable to ARMv7 and onwards, so retire +that bit from the masks. + +Fixes: 7d09e85448dfa78e3e58186c934449aaf6d49b50 ("[ARM] 4393/2: ARMv7: Add uncompressing code for the new CPU Id format") +Signed-off-by: Vladimir Murzin +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/boot/compressed/head.S | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/boot/compressed/head.S b/arch/arm/boot/compressed/head.S +index a67ed746b0e37..5fa0beba46ee5 100644 +--- a/arch/arm/boot/compressed/head.S ++++ b/arch/arm/boot/compressed/head.S +@@ -1080,9 +1080,9 @@ __armv4_mmu_cache_off: + __armv7_mmu_cache_off: + mrc p15, 0, r0, c1, c0 + #ifdef CONFIG_MMU +- bic r0, r0, #0x000d ++ bic r0, r0, #0x0005 + #else +- bic r0, r0, #0x000c ++ bic r0, r0, #0x0004 + #endif + mcr p15, 0, r0, c1, c0 @ turn MMU and cache off + mov r12, lr +-- +2.27.0 + diff --git a/queue-4.9/arm-dts-configure-missing-thermal-interrupt-for-4430.patch b/queue-4.9/arm-dts-configure-missing-thermal-interrupt-for-4430.patch new file mode 100644 index 00000000000..5eb6accdaaf --- /dev/null +++ b/queue-4.9/arm-dts-configure-missing-thermal-interrupt-for-4430.patch @@ -0,0 +1,52 @@ +From 56202611c7edab7f0f2b5c6976ecb6d2886718f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Dec 2020 10:42:30 +0200 +Subject: ARM: dts: Configure missing thermal interrupt for 4430 + +From: Tony Lindgren + +[ Upstream commit 44f416879a442600b006ef7dec3a6dc98bcf59c6 ] + +We have gpio_86 wired internally to the bandgap thermal shutdown +interrupt on 4430 like we have it on 4460 according to the TRM. +This can be found easily by searching for TSHUT. + +For some reason the thermal shutdown interrupt was never added +for 4430, let's add it. I believe this is needed for the thermal +shutdown interrupt handler ti_bandgap_tshut_irq_handler() to call +orderly_poweroff(). + +Fixes: aa9bb4bb8878 ("arm: dts: add omap4430 thermal data") +Cc: Carl Philipp Klemm +Cc: Daniel Lezcano +Cc: Eduardo Valentin +Cc: Merlijn Wajer +Cc: Pavel Machek +Cc: Peter Ujfalusi +Cc: Sebastian Reichel +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/omap443x.dtsi | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm/boot/dts/omap443x.dtsi b/arch/arm/boot/dts/omap443x.dtsi +index fc6a8610c24c5..adcf9d141db6a 100644 +--- a/arch/arm/boot/dts/omap443x.dtsi ++++ b/arch/arm/boot/dts/omap443x.dtsi +@@ -35,10 +35,12 @@ + }; + + ocp { ++ /* 4430 has only gpio_86 tshut and no talert interrupt */ + bandgap: bandgap@4a002260 { + reg = <0x4a002260 0x4 + 0x4a00232C 0x4>; + compatible = "ti,omap4430-bandgap"; ++ gpios = <&gpio3 22 GPIO_ACTIVE_HIGH>; + + #thermal-sensor-cells = <0>; + }; +-- +2.27.0 + diff --git a/queue-4.9/arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch b/queue-4.9/arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch new file mode 100644 index 00000000000..3fa76fe4019 --- /dev/null +++ b/queue-4.9/arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch @@ -0,0 +1,38 @@ +From e7a4f0f19f7053a36be8f2fe86a0fe7b81fde22e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Dec 2020 22:28:58 +0100 +Subject: ARM: dts: exynos: correct PMIC interrupt trigger level on Spring + +From: Krzysztof Kozlowski + +[ Upstream commit 77e6a5467cb8657cf8b5e610a30a4c502085e4f9 ] + +The Samsung PMIC datasheets describe the interrupt line as active low +with a requirement of acknowledge from the CPU. Without specifying the +interrupt type in Devicetree, kernel might apply some fixed +configuration, not necessarily working for this hardware. + +Fixes: 53dd4138bb0a ("ARM: dts: Add exynos5250-spring device tree") +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20201210212903.216728-4-krzk@kernel.org +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/exynos5250-spring.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/exynos5250-spring.dts b/arch/arm/boot/dts/exynos5250-spring.dts +index 4d7bdb735ed3b..e4433ecd9fe41 100644 +--- a/arch/arm/boot/dts/exynos5250-spring.dts ++++ b/arch/arm/boot/dts/exynos5250-spring.dts +@@ -112,7 +112,7 @@ + compatible = "samsung,s5m8767-pmic"; + reg = <0x66>; + interrupt-parent = <&gpx3>; +- interrupts = <2 IRQ_TYPE_NONE>; ++ interrupts = <2 IRQ_TYPE_LEVEL_LOW>; + pinctrl-names = "default"; + pinctrl-0 = <&s5m8767_irq &s5m8767_dvs &s5m8767_ds>; + wakeup-source; +-- +2.27.0 + diff --git a/queue-4.9/arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch-11258 b/queue-4.9/arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch-11258 new file mode 100644 index 00000000000..13a4c1f59cd --- /dev/null +++ b/queue-4.9/arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch-11258 @@ -0,0 +1,39 @@ +From d32846f0a1081b54fe01616c63b787c27ac6ab92 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Dec 2020 22:28:59 +0100 +Subject: ARM: dts: exynos: correct PMIC interrupt trigger level on Arndale + Octa + +From: Krzysztof Kozlowski + +[ Upstream commit 1ac8893c4fa3d4a34915dc5cdab568a39db5086c ] + +The Samsung PMIC datasheets describe the interrupt line as active low +with a requirement of acknowledge from the CPU. The falling edge +interrupt will mostly work but it's not correct. + +Fixes: 1fed2252713e ("ARM: dts: fix pinctrl for s2mps11-irq on exynos5420-arndale-octa") +Signed-off-by: Krzysztof Kozlowski +Tested-by: Marek Szyprowski +Link: https://lore.kernel.org/r/20201210212903.216728-5-krzk@kernel.org +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/exynos5420-arndale-octa.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/exynos5420-arndale-octa.dts b/arch/arm/boot/dts/exynos5420-arndale-octa.dts +index e664c33c3c640..4a71bbe1ce542 100644 +--- a/arch/arm/boot/dts/exynos5420-arndale-octa.dts ++++ b/arch/arm/boot/dts/exynos5420-arndale-octa.dts +@@ -88,7 +88,7 @@ + reg = <0x66>; + + interrupt-parent = <&gpx3>; +- interrupts = <2 IRQ_TYPE_EDGE_FALLING>; ++ interrupts = <2 IRQ_TYPE_LEVEL_LOW>; + pinctrl-names = "default"; + pinctrl-0 = <&s2mps11_irq>; + +-- +2.27.0 + diff --git a/queue-4.9/arm-s3c-fix-fiq-for-clang-ias.patch b/queue-4.9/arm-s3c-fix-fiq-for-clang-ias.patch new file mode 100644 index 00000000000..770acda354a --- /dev/null +++ b/queue-4.9/arm-s3c-fix-fiq-for-clang-ias.patch @@ -0,0 +1,93 @@ +From 01cb5f6afada5cb22002b8242ae47f3947296c88 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Feb 2021 17:23:42 +0100 +Subject: ARM: s3c: fix fiq for clang IAS + +From: Arnd Bergmann + +[ Upstream commit 7f9942c61fa60eda7cc8e42f04bd25b7d175876e ] + +Building with the clang integrated assembler produces a couple of +errors for the s3c24xx fiq support: + + arch/arm/mach-s3c/irq-s3c24xx-fiq.S:52:2: error: instruction 'subne' can not set flags, but 's' suffix specified + subnes pc, lr, #4 @@ return, still have work to do + + arch/arm/mach-s3c/irq-s3c24xx-fiq.S:64:1: error: invalid symbol redefinition + s3c24xx_spi_fiq_txrx: + +There are apparently two problems: one with extraneous or duplicate +labels, and one with old-style opcode mnemonics. Stefan Agner has +previously fixed other problems like this, but missed this particular +file. + +Fixes: bec0806cfec6 ("spi_s3c24xx: add FIQ pseudo-DMA support") +Cc: Stefan Agner +Signed-off-by: Arnd Bergmann +Reviewed-by: Nick Desaulniers +Reviewed-by: Nathan Chancellor +Link: https://lore.kernel.org/r/20210204162416.3030114-1-arnd@kernel.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-s3c24xx-fiq.S | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/drivers/spi/spi-s3c24xx-fiq.S b/drivers/spi/spi-s3c24xx-fiq.S +index 059f2dc1fda2d..1565c792da079 100644 +--- a/drivers/spi/spi-s3c24xx-fiq.S ++++ b/drivers/spi/spi-s3c24xx-fiq.S +@@ -36,7 +36,6 @@ + @ and an offset to the irq acknowledgment word + + ENTRY(s3c24xx_spi_fiq_rx) +-s3c24xx_spi_fix_rx: + .word fiq_rx_end - fiq_rx_start + .word fiq_rx_irq_ack - fiq_rx_start + fiq_rx_start: +@@ -50,7 +49,7 @@ fiq_rx_start: + strb fiq_rtmp, [ fiq_rspi, # S3C2410_SPTDAT ] + + subs fiq_rcount, fiq_rcount, #1 +- subnes pc, lr, #4 @@ return, still have work to do ++ subsne pc, lr, #4 @@ return, still have work to do + + @@ set IRQ controller so that next op will trigger IRQ + mov fiq_rtmp, #0 +@@ -62,7 +61,6 @@ fiq_rx_irq_ack: + fiq_rx_end: + + ENTRY(s3c24xx_spi_fiq_txrx) +-s3c24xx_spi_fiq_txrx: + .word fiq_txrx_end - fiq_txrx_start + .word fiq_txrx_irq_ack - fiq_txrx_start + fiq_txrx_start: +@@ -77,7 +75,7 @@ fiq_txrx_start: + strb fiq_rtmp, [ fiq_rspi, # S3C2410_SPTDAT ] + + subs fiq_rcount, fiq_rcount, #1 +- subnes pc, lr, #4 @@ return, still have work to do ++ subsne pc, lr, #4 @@ return, still have work to do + + mov fiq_rtmp, #0 + str fiq_rtmp, [ fiq_rirq, # S3C2410_INTMOD - S3C24XX_VA_IRQ ] +@@ -89,7 +87,6 @@ fiq_txrx_irq_ack: + fiq_txrx_end: + + ENTRY(s3c24xx_spi_fiq_tx) +-s3c24xx_spi_fix_tx: + .word fiq_tx_end - fiq_tx_start + .word fiq_tx_irq_ack - fiq_tx_start + fiq_tx_start: +@@ -102,7 +99,7 @@ fiq_tx_start: + strb fiq_rtmp, [ fiq_rspi, # S3C2410_SPTDAT ] + + subs fiq_rcount, fiq_rcount, #1 +- subnes pc, lr, #4 @@ return, still have work to do ++ subsne pc, lr, #4 @@ return, still have work to do + + mov fiq_rtmp, #0 + str fiq_rtmp, [ fiq_rirq, # S3C2410_INTMOD - S3C24XX_VA_IRQ ] +-- +2.27.0 + diff --git a/queue-4.9/arm64-add-missing-isb-after-invalidating-tlb-in-__pr.patch b/queue-4.9/arm64-add-missing-isb-after-invalidating-tlb-in-__pr.patch new file mode 100644 index 00000000000..93f13fd6b26 --- /dev/null +++ b/queue-4.9/arm64-add-missing-isb-after-invalidating-tlb-in-__pr.patch @@ -0,0 +1,49 @@ +From 36b70aef45e2590df46c9c08ec8c741a05a227a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Feb 2021 09:37:37 +0000 +Subject: arm64: Add missing ISB after invalidating TLB in __primary_switch + +From: Marc Zyngier + +[ Upstream commit 9d41053e8dc115c92b8002c3db5f545d7602498b ] + +Although there has been a bit of back and forth on the subject, it +appears that invalidating TLBs requires an ISB instruction when FEAT_ETS +is not implemented by the CPU. + +From the bible: + + | In an implementation that does not implement FEAT_ETS, a TLB + | maintenance instruction executed by a PE, PEx, can complete at any + | time after it is issued, but is only guaranteed to be finished for a + | PE, PEx, after the execution of DSB by the PEx followed by a Context + | synchronization event + +Add the missing ISB in __primary_switch, just in case. + +Fixes: 3c5e9f238bc4 ("arm64: head.S: move KASLR processing out of __enable_mmu()") +Suggested-by: Will Deacon +Signed-off-by: Marc Zyngier +Acked-by: Mark Rutland +Link: https://lore.kernel.org/r/20210224093738.3629662-3-maz@kernel.org +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/head.S | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S +index aba534959377b..3875423836622 100644 +--- a/arch/arm64/kernel/head.S ++++ b/arch/arm64/kernel/head.S +@@ -846,6 +846,7 @@ __primary_switch: + + tlbi vmalle1 // Remove any stale TLB entries + dsb nsh ++ isb + + msr sctlr_el1, x19 // re-enable the MMU + isb +-- +2.27.0 + diff --git a/queue-4.9/arm64-dts-exynos-correct-pmic-interrupt-trigger-leve.patch b/queue-4.9/arm64-dts-exynos-correct-pmic-interrupt-trigger-leve.patch new file mode 100644 index 00000000000..3714943a4e4 --- /dev/null +++ b/queue-4.9/arm64-dts-exynos-correct-pmic-interrupt-trigger-leve.patch @@ -0,0 +1,38 @@ +From 06ed88d298b8465587c77e8b198c5a51e1334c3d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Dec 2020 22:29:02 +0100 +Subject: arm64: dts: exynos: correct PMIC interrupt trigger level on Espresso + +From: Krzysztof Kozlowski + +[ Upstream commit 1fea2eb2f5bbd3fbbe2513d2386b5f6e6db17fd7 ] + +The Samsung PMIC datasheets describe the interrupt line as active low +with a requirement of acknowledge from the CPU. Without specifying the +interrupt type in Devicetree, kernel might apply some fixed +configuration, not necessarily working for this hardware. + +Fixes: 9589f7721e16 ("arm64: dts: Add S2MPS15 PMIC node on exynos7-espresso") +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20201210212903.216728-8-krzk@kernel.org +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/exynos/exynos7-espresso.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/exynos/exynos7-espresso.dts b/arch/arm64/boot/dts/exynos/exynos7-espresso.dts +index 2f7d144d556da..e43e804c42c3e 100644 +--- a/arch/arm64/boot/dts/exynos/exynos7-espresso.dts ++++ b/arch/arm64/boot/dts/exynos/exynos7-espresso.dts +@@ -64,7 +64,7 @@ + s2mps15_pmic@66 { + compatible = "samsung,s2mps15-pmic"; + reg = <0x66>; +- interrupts = <2 IRQ_TYPE_NONE>; ++ interrupts = <2 IRQ_TYPE_LEVEL_LOW>; + interrupt-parent = <&gpa0>; + pinctrl-names = "default"; + pinctrl-0 = <&pmic_irq>; +-- +2.27.0 + diff --git a/queue-4.9/arm64-dts-msm8916-fix-reserved-and-rfsa-nodes-unit-a.patch b/queue-4.9/arm64-dts-msm8916-fix-reserved-and-rfsa-nodes-unit-a.patch new file mode 100644 index 00000000000..8c8dcbd3d9e --- /dev/null +++ b/queue-4.9/arm64-dts-msm8916-fix-reserved-and-rfsa-nodes-unit-a.patch @@ -0,0 +1,46 @@ +From 42e5589741a40e992b6bfa6f67dd80dac5126dd6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 23 Jan 2021 11:44:16 +0100 +Subject: arm64: dts: msm8916: Fix reserved and rfsa nodes unit address + +From: Vincent Knecht + +[ Upstream commit d5ae2528b0b56cf054b27d48b0cb85330900082f ] + +Fix `reserved` and `rfsa` unit address according to their reg address + +Fixes: 7258e10e6a0b ("ARM: dts: msm8916: Update reserved-memory") + +Signed-off-by: Vincent Knecht +Link: https://lore.kernel.org/r/20210123104417.518105-1-vincent.knecht@mailoo.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/msm8916.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/msm8916.dtsi b/arch/arm64/boot/dts/qcom/msm8916.dtsi +index fb5001a6879c7..c2557cf43b3dc 100644 +--- a/arch/arm64/boot/dts/qcom/msm8916.dtsi ++++ b/arch/arm64/boot/dts/qcom/msm8916.dtsi +@@ -62,7 +62,7 @@ + no-map; + }; + +- reserved@8668000 { ++ reserved@86680000 { + reg = <0x0 0x86680000 0x0 0x80000>; + no-map; + }; +@@ -72,7 +72,7 @@ + no-map; + }; + +- rfsa@867e00000 { ++ rfsa@867e0000 { + reg = <0x0 0x867e0000 0x0 0x20000>; + no-map; + }; +-- +2.27.0 + diff --git a/queue-4.9/asoc-cs42l56-fix-up-error-handling-in-probe.patch b/queue-4.9/asoc-cs42l56-fix-up-error-handling-in-probe.patch new file mode 100644 index 00000000000..46f2941dd3e --- /dev/null +++ b/queue-4.9/asoc-cs42l56-fix-up-error-handling-in-probe.patch @@ -0,0 +1,46 @@ +From c896b5d9991aedc8374a1f2c23a8c3ac631854eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Dec 2020 13:07:59 +0300 +Subject: ASoC: cs42l56: fix up error handling in probe + +From: Dan Carpenter + +[ Upstream commit 856fe64da84c95a1d415564b981ae3908eea2a76 ] + +There are two issues with this code. The first error path forgot to set +the error code and instead returns success. The second error path +doesn't clean up. + +Fixes: 272b5edd3b8f ("ASoC: Add support for CS42L56 CODEC") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/X9NE/9nK9/TuxuL+@mwanda +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/cs42l56.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/cs42l56.c b/sound/soc/codecs/cs42l56.c +index 54c1768bc8185..a2535a7eb4bbd 100644 +--- a/sound/soc/codecs/cs42l56.c ++++ b/sound/soc/codecs/cs42l56.c +@@ -1270,6 +1270,7 @@ static int cs42l56_i2c_probe(struct i2c_client *i2c_client, + dev_err(&i2c_client->dev, + "CS42L56 Device ID (%X). Expected %X\n", + devid, CS42L56_DEVID); ++ ret = -EINVAL; + goto err_enable; + } + alpha_rev = reg & CS42L56_AREV_MASK; +@@ -1325,7 +1326,7 @@ static int cs42l56_i2c_probe(struct i2c_client *i2c_client, + ret = snd_soc_register_codec(&i2c_client->dev, + &soc_codec_dev_cs42l56, &cs42l56_dai, 1); + if (ret < 0) +- return ret; ++ goto err_enable; + + return 0; + +-- +2.27.0 + diff --git a/queue-4.9/ata-ahci_brcm-add-back-regulators-management.patch b/queue-4.9/ata-ahci_brcm-add-back-regulators-management.patch new file mode 100644 index 00000000000..baa46f2df38 --- /dev/null +++ b/queue-4.9/ata-ahci_brcm-add-back-regulators-management.patch @@ -0,0 +1,79 @@ +From 8f246f589a4c883b17bddc706481600304dae189 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Jan 2021 10:28:45 -0800 +Subject: ata: ahci_brcm: Add back regulators management + +From: Florian Fainelli + +[ Upstream commit 10340f8d7b6dd54e616339c8ccb2f397133ebea0 ] + +While reworking the resources management and departing from using +ahci_platform_enable_resources() which did not allow a proper step +separation like we need, we unfortunately lost the ability to control +AHCI regulators. This broke some Broadcom STB systems that do expect +regulators to be turned on to link up with attached hard drives. + +Fixes: c0cdf2ac4b5b ("ata: ahci_brcm: Fix AHCI resources management") +Signed-off-by: Florian Fainelli +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/ahci_brcm.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/drivers/ata/ahci_brcm.c b/drivers/ata/ahci_brcm.c +index f50a76ad63e4a..8354f2de37c31 100644 +--- a/drivers/ata/ahci_brcm.c ++++ b/drivers/ata/ahci_brcm.c +@@ -285,6 +285,10 @@ static int brcm_ahci_resume(struct device *dev) + if (ret) + return ret; + ++ ret = ahci_platform_enable_regulators(hpriv); ++ if (ret) ++ goto out_disable_clks; ++ + brcm_sata_init(priv); + brcm_sata_phys_enable(priv); + brcm_sata_alpm_init(hpriv); +@@ -314,6 +318,8 @@ out_disable_platform_phys: + ahci_platform_disable_phys(hpriv); + out_disable_phys: + brcm_sata_phys_disable(priv); ++ ahci_platform_disable_regulators(hpriv); ++out_disable_clks: + ahci_platform_disable_clks(hpriv); + return ret; + } +@@ -377,6 +383,10 @@ static int brcm_ahci_probe(struct platform_device *pdev) + if (ret) + goto out_reset; + ++ ret = ahci_platform_enable_regulators(hpriv); ++ if (ret) ++ goto out_disable_clks; ++ + /* Must be first so as to configure endianness including that + * of the standard AHCI register space. + */ +@@ -386,7 +396,7 @@ static int brcm_ahci_probe(struct platform_device *pdev) + priv->port_mask = brcm_ahci_get_portmask(hpriv, priv); + if (!priv->port_mask) { + ret = -ENODEV; +- goto out_disable_clks; ++ goto out_disable_regulators; + } + + /* Must be done before ahci_platform_enable_phys() */ +@@ -417,6 +427,8 @@ out_disable_platform_phys: + ahci_platform_disable_phys(hpriv); + out_disable_phys: + brcm_sata_phys_disable(priv); ++out_disable_regulators: ++ ahci_platform_disable_regulators(hpriv); + out_disable_clks: + ahci_platform_disable_clks(hpriv); + out_reset: +-- +2.27.0 + diff --git a/queue-4.9/b43-n-phy-fix-the-update-of-coef-for-the-phy-revisio.patch b/queue-4.9/b43-n-phy-fix-the-update-of-coef-for-the-phy-revisio.patch new file mode 100644 index 00000000000..325db941eac --- /dev/null +++ b/queue-4.9/b43-n-phy-fix-the-update-of-coef-for-the-phy-revisio.patch @@ -0,0 +1,50 @@ +From ad9bb88cde28da8f560d56cb531ef3921fadcedf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Feb 2021 12:05:32 +0000 +Subject: b43: N-PHY: Fix the update of coef for the PHY revision >= 3case + +From: Colin Ian King + +[ Upstream commit 4773acf3d4b50768bf08e9e97a204819e9ea0895 ] + +The documentation for the PHY update [1] states: + +Loop 4 times with index i + + If PHY Revision >= 3 + Copy table[i] to coef[i] + Otherwise + Set coef[i] to 0 + +the copy of the table to coef is currently implemented the wrong way +around, table is being updated from uninitialized values in coeff. +Fix this by swapping the assignment around. + +[1] https://bcm-v4.sipsolutions.net/802.11/PHY/N/RestoreCal/ + +Fixes: 2f258b74d13c ("b43: N-PHY: implement restoring general configuration") +Addresses-Coverity: ("Uninitialized scalar variable") +Signed-off-by: Colin Ian King +Acked-by: Larry Finger +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/b43/phy_n.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/broadcom/b43/phy_n.c b/drivers/net/wireless/broadcom/b43/phy_n.c +index a5557d70689f4..d1afa74aa144b 100644 +--- a/drivers/net/wireless/broadcom/b43/phy_n.c ++++ b/drivers/net/wireless/broadcom/b43/phy_n.c +@@ -5320,7 +5320,7 @@ static void b43_nphy_restore_cal(struct b43_wldev *dev) + + for (i = 0; i < 4; i++) { + if (dev->phy.rev >= 3) +- table[i] = coef[i]; ++ coef[i] = table[i]; + else + coef[i] = 0; + } +-- +2.27.0 + diff --git a/queue-4.9/bluetooth-drop-hci-device-reference-before-return.patch b/queue-4.9/bluetooth-drop-hci-device-reference-before-return.patch new file mode 100644 index 00000000000..76d79bf7e08 --- /dev/null +++ b/queue-4.9/bluetooth-drop-hci-device-reference-before-return.patch @@ -0,0 +1,35 @@ +From 30d900cb2d739d230359c44fa7a4f6127c703035 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Jan 2021 23:34:19 -0800 +Subject: Bluetooth: drop HCI device reference before return + +From: Pan Bian + +[ Upstream commit 5a3ef03afe7e12982dc3b978f4c5077c907f7501 ] + +Call hci_dev_put() to decrement reference count of HCI device hdev if +fails to duplicate memory. + +Fixes: 0b26ab9dce74 ("Bluetooth: AMP: Handle Accept phylink command status evt") +Signed-off-by: Pan Bian +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/a2mp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/bluetooth/a2mp.c b/net/bluetooth/a2mp.c +index 242ef2abd0911..fcd819ffda108 100644 +--- a/net/bluetooth/a2mp.c ++++ b/net/bluetooth/a2mp.c +@@ -519,6 +519,7 @@ static int a2mp_createphyslink_req(struct amp_mgr *mgr, struct sk_buff *skb, + assoc = kmemdup(req->amp_assoc, assoc_len, GFP_KERNEL); + if (!assoc) { + amp_ctrl_put(ctrl); ++ hci_dev_put(hdev); + return -ENOMEM; + } + +-- +2.27.0 + diff --git a/queue-4.9/bluetooth-fix-initializing-response-id-after-clearin.patch b/queue-4.9/bluetooth-fix-initializing-response-id-after-clearin.patch new file mode 100644 index 00000000000..585a24be1a2 --- /dev/null +++ b/queue-4.9/bluetooth-fix-initializing-response-id-after-clearin.patch @@ -0,0 +1,39 @@ +From e89ef9ad8cf452ca5e7ffbbfe78e66a22c045782 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Dec 2020 19:12:32 -0800 +Subject: Bluetooth: Fix initializing response id after clearing struct + +From: Christopher William Snowhill + +[ Upstream commit a5687c644015a097304a2e47476c0ecab2065734 ] + +Looks like this was missed when patching the source to clear the structures +throughout, causing this one instance to clear the struct after the response +id is assigned. + +Fixes: eddb7732119d ("Bluetooth: A2MP: Fix not initializing all members") +Signed-off-by: Christopher William Snowhill +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/a2mp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/bluetooth/a2mp.c b/net/bluetooth/a2mp.c +index 8f918155685db..242ef2abd0911 100644 +--- a/net/bluetooth/a2mp.c ++++ b/net/bluetooth/a2mp.c +@@ -388,9 +388,9 @@ static int a2mp_getampassoc_req(struct amp_mgr *mgr, struct sk_buff *skb, + hdev = hci_dev_get(req->id); + if (!hdev || hdev->amp_type == AMP_TYPE_BREDR || tmp) { + struct a2mp_amp_assoc_rsp rsp; +- rsp.id = req->id; + + memset(&rsp, 0, sizeof(rsp)); ++ rsp.id = req->id; + + if (tmp) { + rsp.status = A2MP_STATUS_COLLISION_OCCURED; +-- +2.27.0 + diff --git a/queue-4.9/bluetooth-put-hci-device-if-inquiry-procedure-interr.patch b/queue-4.9/bluetooth-put-hci-device-if-inquiry-procedure-interr.patch new file mode 100644 index 00000000000..ea403469394 --- /dev/null +++ b/queue-4.9/bluetooth-put-hci-device-if-inquiry-procedure-interr.patch @@ -0,0 +1,40 @@ +From 6f7e5b2bbe193c88a844ffbcdc5317ba57f68b77 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Jan 2021 00:10:45 -0800 +Subject: Bluetooth: Put HCI device if inquiry procedure interrupts + +From: Pan Bian + +[ Upstream commit 28a758c861ff290e39d4f1ee0aa5df0f0b9a45ee ] + +Jump to the label done to decrement the reference count of HCI device +hdev on path that the Inquiry procedure is interrupted. + +Fixes: 3e13fa1e1fab ("Bluetooth: Fix hci_inquiry ioctl usage") +Signed-off-by: Pan Bian +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_core.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index a70b078ceb3ca..02f44a408edbd 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -1243,8 +1243,10 @@ int hci_inquiry(void __user *arg) + * cleared). If it is interrupted by a signal, return -EINTR. + */ + if (wait_on_bit(&hdev->flags, HCI_INQUIRY, +- TASK_INTERRUPTIBLE)) +- return -EINTR; ++ TASK_INTERRUPTIBLE)) { ++ err = -EINTR; ++ goto done; ++ } + } + + /* for unlimited number of responses we will use buffer with +-- +2.27.0 + diff --git a/queue-4.9/bnxt_en-reverse-order-of-tx-disable-and-carrier-off.patch b/queue-4.9/bnxt_en-reverse-order-of-tx-disable-and-carrier-off.patch new file mode 100644 index 00000000000..08c8a3f58d1 --- /dev/null +++ b/queue-4.9/bnxt_en-reverse-order-of-tx-disable-and-carrier-off.patch @@ -0,0 +1,42 @@ +From 982149c6af1873be6271baee1f4ebacef5b5a68e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Feb 2021 02:24:23 -0500 +Subject: bnxt_en: reverse order of TX disable and carrier off + +From: Edwin Peer + +[ Upstream commit 132e0b65dc2b8bfa9721bfce834191f24fd1d7ed ] + +A TX queue can potentially immediately timeout after it is stopped +and the last TX timestamp on that queue was more than 5 seconds ago with +carrier still up. Prevent these intermittent false TX timeouts +by bringing down carrier first before calling netif_tx_disable(). + +Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.") +Signed-off-by: Edwin Peer +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index f9610f860e6d1..148e1ff2e5e0e 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -5095,9 +5095,10 @@ static void bnxt_tx_disable(struct bnxt *bp) + txr->dev_state = BNXT_DEV_STATE_CLOSING; + } + } ++ /* Drop carrier first to prevent TX timeout */ ++ netif_carrier_off(bp->dev); + /* Stop all TX queues */ + netif_tx_disable(bp->dev); +- netif_carrier_off(bp->dev); + } + + static void bnxt_tx_enable(struct bnxt *bp) +-- +2.27.0 + diff --git a/queue-4.9/btrfs-clarify-error-returns-values-in-__load_free_sp.patch b/queue-4.9/btrfs-clarify-error-returns-values-in-__load_free_sp.patch new file mode 100644 index 00000000000..67290b54464 --- /dev/null +++ b/queue-4.9/btrfs-clarify-error-returns-values-in-__load_free_sp.patch @@ -0,0 +1,60 @@ +From afe6026eb0003472993eaf27ffe0b0af9aee84d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Nov 2020 09:08:04 +0800 +Subject: btrfs: clarify error returns values in __load_free_space_cache + +From: Zhihao Cheng + +[ Upstream commit 3cc64e7ebfb0d7faaba2438334c43466955a96e8 ] + +Return value in __load_free_space_cache is not properly set after +(unlikely) memory allocation failures and 0 is returned instead. +This is not a problem for the caller load_free_space_cache because only +value 1 is considered as 'cache loaded' but for clarity it's better +to set the errors accordingly. + +Fixes: a67509c30079 ("Btrfs: add a io_ctl struct and helpers for dealing with the space cache") +Reported-by: Hulk Robot +Signed-off-by: Zhihao Cheng +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/free-space-cache.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/free-space-cache.c b/fs/btrfs/free-space-cache.c +index 8e93bd391b352..f74cb39a64e5e 100644 +--- a/fs/btrfs/free-space-cache.c ++++ b/fs/btrfs/free-space-cache.c +@@ -753,8 +753,10 @@ static int __load_free_space_cache(struct btrfs_root *root, struct inode *inode, + while (num_entries) { + e = kmem_cache_zalloc(btrfs_free_space_cachep, + GFP_NOFS); +- if (!e) ++ if (!e) { ++ ret = -ENOMEM; + goto free_cache; ++ } + + ret = io_ctl_read_entry(&io_ctl, e, &type); + if (ret) { +@@ -763,6 +765,7 @@ static int __load_free_space_cache(struct btrfs_root *root, struct inode *inode, + } + + if (!e->bytes) { ++ ret = -1; + kmem_cache_free(btrfs_free_space_cachep, e); + goto free_cache; + } +@@ -782,6 +785,7 @@ static int __load_free_space_cache(struct btrfs_root *root, struct inode *inode, + num_bitmaps--; + e->bitmap = kzalloc(PAGE_SIZE, GFP_NOFS); + if (!e->bitmap) { ++ ret = -ENOMEM; + kmem_cache_free( + btrfs_free_space_cachep, e); + goto free_cache; +-- +2.27.0 + diff --git a/queue-4.9/clk-meson-clk-pll-fix-initializing-the-old-rate-fall.patch b/queue-4.9/clk-meson-clk-pll-fix-initializing-the-old-rate-fall.patch new file mode 100644 index 00000000000..3b7e6fcd76a --- /dev/null +++ b/queue-4.9/clk-meson-clk-pll-fix-initializing-the-old-rate-fall.patch @@ -0,0 +1,39 @@ +From ce95d1dcd021007d040035b9eab404d26acce135 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Dec 2020 13:15:54 +0100 +Subject: clk: meson: clk-pll: fix initializing the old rate (fallback) for a + PLL + +From: Martin Blumenstingl + +[ Upstream commit 2f290b7c67adf6459a17a4c978102af35cd62e4a ] + +The "rate" parameter in meson_clk_pll_set_rate() contains the new rate. +Retrieve the old rate with clk_hw_get_rate() so we don't inifinitely try +to switch from the new rate to the same rate again. + +Fixes: 7a29a869434e8b ("clk: meson: Add support for Meson clock controller") +Signed-off-by: Martin Blumenstingl +Signed-off-by: Jerome Brunet +Link: https://lore.kernel.org/r/20201226121556.975418-2-martin.blumenstingl@googlemail.com +Signed-off-by: Sasha Levin +--- + drivers/clk/meson/clk-pll.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/meson/clk-pll.c b/drivers/clk/meson/clk-pll.c +index 4adc1e89212c9..f9157e7f45f2d 100644 +--- a/drivers/clk/meson/clk-pll.c ++++ b/drivers/clk/meson/clk-pll.c +@@ -145,7 +145,7 @@ static int meson_clk_pll_set_rate(struct clk_hw *hw, unsigned long rate, + if (parent_rate == 0 || rate == 0) + return -EINVAL; + +- old_rate = rate; ++ old_rate = clk_hw_get_rate(hw); + + rate_set = meson_clk_get_pll_settings(pll, rate); + if (!rate_set) +-- +2.27.0 + diff --git a/queue-4.9/clocksource-drivers-mxs_timer-add-missing-semicolon-.patch b/queue-4.9/clocksource-drivers-mxs_timer-add-missing-semicolon-.patch new file mode 100644 index 00000000000..63fabd6e210 --- /dev/null +++ b/queue-4.9/clocksource-drivers-mxs_timer-add-missing-semicolon-.patch @@ -0,0 +1,49 @@ +From 857bc8c440cbd250e3befa2b43cd68f2a1d56a2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Jan 2021 13:19:55 -0800 +Subject: clocksource/drivers/mxs_timer: Add missing semicolon when DEBUG is + defined +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tom Rix + +[ Upstream commit 7da390694afbaed8e0f05717a541dfaf1077ba51 ] + +When DEBUG is defined this error occurs + +drivers/clocksource/mxs_timer.c:138:1: error: + expected ‘;’ before ‘}’ token + +The preceding statement needs a semicolon. +Replace pr_info() with pr_debug() and remove the unneeded ifdef. + +Fixes: eb8703e2ef7c ("clockevents/drivers/mxs: Migrate to new 'set-state' interface") +Signed-off-by: Tom Rix +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20210118211955.763609-1-trix@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/clocksource/mxs_timer.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/clocksource/mxs_timer.c b/drivers/clocksource/mxs_timer.c +index 0ba0a913b41d1..b26c3b84c5b6c 100644 +--- a/drivers/clocksource/mxs_timer.c ++++ b/drivers/clocksource/mxs_timer.c +@@ -152,10 +152,7 @@ static void mxs_irq_clear(char *state) + + /* Clear pending interrupt */ + timrot_irq_acknowledge(); +- +-#ifdef DEBUG +- pr_info("%s: changing mode to %s\n", __func__, state) +-#endif /* DEBUG */ ++ pr_debug("%s: changing mode to %s\n", __func__, state); + } + + static int mxs_shutdown(struct clock_event_device *evt) +-- +2.27.0 + diff --git a/queue-4.9/crypto-ecdh_helper-ensure-len-secret.len-in-decode_k.patch b/queue-4.9/crypto-ecdh_helper-ensure-len-secret.len-in-decode_k.patch new file mode 100644 index 00000000000..8fffd938d9f --- /dev/null +++ b/queue-4.9/crypto-ecdh_helper-ensure-len-secret.len-in-decode_k.patch @@ -0,0 +1,41 @@ +From 2fbad53b051d608d1f65795b752f578537b97710 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Feb 2021 11:28:37 +0000 +Subject: crypto: ecdh_helper - Ensure 'len >= secret.len' in decode_key() + +From: Daniele Alessandrelli + +[ Upstream commit a53ab94eb6850c3657392e2d2ce9b38c387a2633 ] + +The length ('len' parameter) passed to crypto_ecdh_decode_key() is never +checked against the length encoded in the passed buffer ('buf' +parameter). This could lead to an out-of-bounds access when the passed +length is less than the encoded length. + +Add a check to prevent that. + +Fixes: 3c4b23901a0c7 ("crypto: ecdh - Add ECDH software support") +Signed-off-by: Daniele Alessandrelli +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/ecdh_helper.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/crypto/ecdh_helper.c b/crypto/ecdh_helper.c +index 3cd8a2414e60e..de43ffb538405 100644 +--- a/crypto/ecdh_helper.c ++++ b/crypto/ecdh_helper.c +@@ -71,6 +71,9 @@ int crypto_ecdh_decode_key(const char *buf, unsigned int len, + if (secret.type != CRYPTO_KPP_SECRET_TYPE_ECDH) + return -EINVAL; + ++ if (unlikely(len < secret.len)) ++ return -EINVAL; ++ + ptr = ecdh_unpack_data(¶ms->curve_id, ptr, sizeof(params->curve_id)); + ptr = ecdh_unpack_data(¶ms->key_size, ptr, sizeof(params->key_size)); + if (secret.len != crypto_ecdh_key_len(params)) +-- +2.27.0 + diff --git a/queue-4.9/dmaengine-fsldma-fix-a-resource-leak-in-an-error-han.patch b/queue-4.9/dmaengine-fsldma-fix-a-resource-leak-in-an-error-han.patch new file mode 100644 index 00000000000..fef46162c9e --- /dev/null +++ b/queue-4.9/dmaengine-fsldma-fix-a-resource-leak-in-an-error-han.patch @@ -0,0 +1,51 @@ +From a955c2377e5a1dd9b1acce2b7712d8f5b8ea55a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Dec 2020 17:06:14 +0100 +Subject: dmaengine: fsldma: Fix a resource leak in an error handling path of + the probe function + +From: Christophe JAILLET + +[ Upstream commit b202d4e82531a62a33a6b14d321dd2aad491578e ] + +In case of error, the previous 'fsl_dma_chan_probe()' calls must be undone +by some 'fsl_dma_chan_remove()', as already done in the remove function. + +It was added in the remove function in commit 77cd62e8082b ("fsldma: allow +Freescale Elo DMA driver to be compiled as a module") + +Fixes: d3f620b2c4fe ("fsldma: simplify IRQ probing and handling") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/20201212160614.92576-1-christophe.jaillet@wanadoo.fr +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/fsldma.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/dma/fsldma.c b/drivers/dma/fsldma.c +index a5687864e8830..c9a1d59dcb490 100644 +--- a/drivers/dma/fsldma.c ++++ b/drivers/dma/fsldma.c +@@ -1331,6 +1331,7 @@ static int fsldma_of_probe(struct platform_device *op) + { + struct fsldma_device *fdev; + struct device_node *child; ++ unsigned int i; + int err; + + fdev = kzalloc(sizeof(*fdev), GFP_KERNEL); +@@ -1411,6 +1412,10 @@ static int fsldma_of_probe(struct platform_device *op) + return 0; + + out_free_fdev: ++ for (i = 0; i < FSL_DMA_MAX_CHANS_PER_DEVICE; i++) { ++ if (fdev->chan[i]) ++ fsl_dma_chan_remove(fdev->chan[i]); ++ } + irq_dispose_mapping(fdev->irq); + iounmap(fdev->regs); + out_free: +-- +2.27.0 + diff --git a/queue-4.9/dmaengine-fsldma-fix-a-resource-leak-in-the-remove-f.patch b/queue-4.9/dmaengine-fsldma-fix-a-resource-leak-in-the-remove-f.patch new file mode 100644 index 00000000000..24e469b611b --- /dev/null +++ b/queue-4.9/dmaengine-fsldma-fix-a-resource-leak-in-the-remove-f.patch @@ -0,0 +1,42 @@ +From 8c9c228ff93916b85b77314238a3f68d8d6c3904 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Dec 2020 17:05:16 +0100 +Subject: dmaengine: fsldma: Fix a resource leak in the remove function + +From: Christophe JAILLET + +[ Upstream commit cbc0ad004c03ad7971726a5db3ec84dba3dcb857 ] + +A 'irq_dispose_mapping()' call is missing in the remove function. +Add it. + +This is needed to undo the 'irq_of_parse_and_map() call from the probe +function and already part of the error handling path of the probe function. + +It was added in the probe function only in commit d3f620b2c4fe ("fsldma: +simplify IRQ probing and handling") + +Fixes: 77cd62e8082b ("fsldma: allow Freescale Elo DMA driver to be compiled as a module") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/20201212160516.92515-1-christophe.jaillet@wanadoo.fr +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/fsldma.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/dma/fsldma.c b/drivers/dma/fsldma.c +index 51c75bf2b9b68..a5687864e8830 100644 +--- a/drivers/dma/fsldma.c ++++ b/drivers/dma/fsldma.c +@@ -1433,6 +1433,7 @@ static int fsldma_of_remove(struct platform_device *op) + if (fdev->chan[i]) + fsl_dma_chan_remove(fdev->chan[i]); + } ++ irq_dispose_mapping(fdev->irq); + + iounmap(fdev->regs); + kfree(fdev); +-- +2.27.0 + diff --git a/queue-4.9/drm-gma500-fix-error-return-code-in-psb_driver_load.patch b/queue-4.9/drm-gma500-fix-error-return-code-in-psb_driver_load.patch new file mode 100644 index 00000000000..1582f3f3ff9 --- /dev/null +++ b/queue-4.9/drm-gma500-fix-error-return-code-in-psb_driver_load.patch @@ -0,0 +1,38 @@ +From 6a8556aafa4133999c504effb595d21ef3d3d583 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Nov 2020 10:02:16 +0800 +Subject: drm/gma500: Fix error return code in psb_driver_load() + +From: Jialin Zhang + +[ Upstream commit 6926872ae24452d4f2176a3ba2dee659497de2c4 ] + +Fix to return a negative error code from the error handling +case instead of 0, as done elsewhere in this function. + +Fixes: 5c49fd3aa0ab ("gma500: Add the core DRM files and headers") +Reported-by: Hulk Robot +Signed-off-by: Jialin Zhang +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20201130020216.1906141-1-zhangjialin11@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/gma500/psb_drv.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/gma500/psb_drv.c b/drivers/gpu/drm/gma500/psb_drv.c +index 8f3ca526bd1bd..29cb552829fe1 100644 +--- a/drivers/gpu/drm/gma500/psb_drv.c ++++ b/drivers/gpu/drm/gma500/psb_drv.c +@@ -323,6 +323,8 @@ static int psb_driver_load(struct drm_device *dev, unsigned long flags) + if (ret) + goto out_err; + ++ ret = -ENOMEM; ++ + dev_priv->mmu = psb_mmu_driver_init(dev, 1, 0, 0); + if (!dev_priv->mmu) + goto out_err; +-- +2.27.0 + diff --git a/queue-4.9/drm-msm-dsi-correct-io_start-for-msm8994-20nm-phy.patch b/queue-4.9/drm-msm-dsi-correct-io_start-for-msm8994-20nm-phy.patch new file mode 100644 index 00000000000..5c8673012b3 --- /dev/null +++ b/queue-4.9/drm-msm-dsi-correct-io_start-for-msm8994-20nm-phy.patch @@ -0,0 +1,37 @@ +From bc6df3c0e1e3c9acd5fe938bc1fe3b1074dede74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Jan 2021 17:15:58 +0100 +Subject: drm/msm/dsi: Correct io_start for MSM8994 (20nm PHY) + +From: Konrad Dybcio + +[ Upstream commit 33a7808ce1aea6e2edc1af25db25928137940c02 ] + +The previous registers were *almost* correct, but instead of +PHYs, they were pointing at DSI PLLs, resulting in the PHY id +autodetection failing miserably. + +Fixes: dcefc117cc19 ("drm/msm/dsi: Add support for msm8x94") +Signed-off-by: Konrad Dybcio +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/phy/dsi_phy_20nm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/dsi/phy/dsi_phy_20nm.c b/drivers/gpu/drm/msm/dsi/phy/dsi_phy_20nm.c +index c757e2070cac7..636e9df3d1181 100644 +--- a/drivers/gpu/drm/msm/dsi/phy/dsi_phy_20nm.c ++++ b/drivers/gpu/drm/msm/dsi/phy/dsi_phy_20nm.c +@@ -146,7 +146,7 @@ const struct msm_dsi_phy_cfg dsi_phy_20nm_cfgs = { + .enable = dsi_20nm_phy_enable, + .disable = dsi_20nm_phy_disable, + }, +- .io_start = { 0xfd998300, 0xfd9a0300 }, ++ .io_start = { 0xfd998500, 0xfd9a0500 }, + .num_dsi_phy = 2, + }; + +-- +2.27.0 + diff --git a/queue-4.9/fbdev-aty-sparc64-requires-fb_aty_ct.patch b/queue-4.9/fbdev-aty-sparc64-requires-fb_aty_ct.patch new file mode 100644 index 00000000000..0223ac16dc5 --- /dev/null +++ b/queue-4.9/fbdev-aty-sparc64-requires-fb_aty_ct.patch @@ -0,0 +1,62 @@ +From 478e29aa340934e8bada007e91f918d39f29df20 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Nov 2020 19:17:52 -0800 +Subject: fbdev: aty: SPARC64 requires FB_ATY_CT + +From: Randy Dunlap + +[ Upstream commit c6c90c70db4d9a0989111d6b994d545659410f7a ] + +It looks like SPARC64 requires FB_ATY_CT to build without errors, +so have FB_ATY select FB_ATY_CT if both SPARC64 and PCI are enabled +instead of using "default y if SPARC64 && PCI", which is not strong +enough to prevent build errors. + +As it currently is, FB_ATY_CT can be disabled, resulting in build +errors: + +ERROR: modpost: "aty_postdividers" [drivers/video/fbdev/aty/atyfb.ko] undefined! +ERROR: modpost: "aty_ld_pll_ct" [drivers/video/fbdev/aty/atyfb.ko] undefined! + +Reviewed-by: Geert Uytterhoeven +Fixes: f7018c213502 ("video: move fbdev to drivers/video/fbdev") +Signed-off-by: Randy Dunlap +Cc: "David S. Miller" +Cc: sparclinux@vger.kernel.org +Cc: Tomi Valkeinen +Cc: dri-devel@lists.freedesktop.org +Cc: linux-fbdev@vger.kernel.org +Cc: Daniel Vetter +Cc: David Airlie +Cc: Bartlomiej Zolnierkiewicz +Cc: Geert Uytterhoeven +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20201127031752.10371-1-rdunlap@infradead.org +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/Kconfig b/drivers/video/fbdev/Kconfig +index 5d3b0db5ce0af..c0d4e645f3b51 100644 +--- a/drivers/video/fbdev/Kconfig ++++ b/drivers/video/fbdev/Kconfig +@@ -1405,6 +1405,7 @@ config FB_ATY + select FB_CFB_IMAGEBLIT + select FB_BACKLIGHT if FB_ATY_BACKLIGHT + select FB_MACMODES if PPC ++ select FB_ATY_CT if SPARC64 && PCI + help + This driver supports graphics boards with the ATI Mach64 chips. + Say Y if you have such a graphics board. +@@ -1415,7 +1416,6 @@ config FB_ATY + config FB_ATY_CT + bool "Mach64 CT/VT/GT/LT (incl. 3D RAGE) support" + depends on PCI && FB_ATY +- default y if SPARC64 && PCI + help + Say Y here to support use of ATI's 64-bit Rage boards (or other + boards based on the Mach64 CT, VT, GT, and LT chipsets) as a +-- +2.27.0 + diff --git a/queue-4.9/fdt-properly-handle-no-map-field-in-the-memory-regio.patch b/queue-4.9/fdt-properly-handle-no-map-field-in-the-memory-regio.patch new file mode 100644 index 00000000000..ef292b8ad8f --- /dev/null +++ b/queue-4.9/fdt-properly-handle-no-map-field-in-the-memory-regio.patch @@ -0,0 +1,42 @@ +From 761b12856ec9d4cd2c259f1b280b9e0ade8ec023 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Jan 2021 11:45:43 +0000 +Subject: fdt: Properly handle "no-map" field in the memory region + +From: KarimAllah Ahmed + +[ Upstream commit 86588296acbfb1591e92ba60221e95677ecadb43 ] + +Mark the memory region with NOMAP flag instead of completely removing it +from the memory blocks. That makes the FDT handling consistent with the EFI +memory map handling. + +Cc: Rob Herring +Cc: Frank Rowand +Cc: devicetree@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: KarimAllah Ahmed +Signed-off-by: Quentin Perret +Link: https://lore.kernel.org/r/20210115114544.1830068-2-qperret@google.com +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +--- + drivers/of/fdt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c +index e9360d5cbcbac..f90b626269ab6 100644 +--- a/drivers/of/fdt.c ++++ b/drivers/of/fdt.c +@@ -1159,7 +1159,7 @@ int __init __weak early_init_dt_reserve_memory_arch(phys_addr_t base, + phys_addr_t size, bool nomap) + { + if (nomap) +- return memblock_remove(base, size); ++ return memblock_mark_nomap(base, size); + return memblock_reserve(base, size); + } + +-- +2.27.0 + diff --git a/queue-4.9/fs-jfs-fix-potential-integer-overflow-on-shift-of-a-.patch b/queue-4.9/fs-jfs-fix-potential-integer-overflow-on-shift-of-a-.patch new file mode 100644 index 00000000000..8308a94c4fa --- /dev/null +++ b/queue-4.9/fs-jfs-fix-potential-integer-overflow-on-shift-of-a-.patch @@ -0,0 +1,39 @@ +From f31e4c173411d641072816070320b821490905f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Feb 2021 13:01:08 +0000 +Subject: fs/jfs: fix potential integer overflow on shift of a int + +From: Colin Ian King + +[ Upstream commit 4208c398aae4c2290864ba15c3dab7111f32bec1 ] + +The left shift of int 32 bit integer constant 1 is evaluated using 32 bit +arithmetic and then assigned to a signed 64 bit integer. In the case where +l2nb is 32 or more this can lead to an overflow. Avoid this by shifting +the value 1LL instead. + +Addresses-Coverity: ("Uninitentional integer overflow") +Fixes: b40c2e665cd5 ("fs/jfs: TRIM support for JFS Filesystem") +Signed-off-by: Colin Ian King +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c +index 2d514c7affc2a..9ff510a489cb1 100644 +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -1669,7 +1669,7 @@ s64 dbDiscardAG(struct inode *ip, int agno, s64 minlen) + } else if (rc == -ENOSPC) { + /* search for next smaller log2 block */ + l2nb = BLKSTOL2(nblocks) - 1; +- nblocks = 1 << l2nb; ++ nblocks = 1LL << l2nb; + } else { + /* Trim any already allocated blocks */ + jfs_error(bmp->db_ipbmap->i_sb, "-EIO\n"); +-- +2.27.0 + diff --git a/queue-4.9/gma500-clean-up-error-handling-in-init.patch b/queue-4.9/gma500-clean-up-error-handling-in-init.patch new file mode 100644 index 00000000000..edd644f2f33 --- /dev/null +++ b/queue-4.9/gma500-clean-up-error-handling-in-init.patch @@ -0,0 +1,73 @@ +From b1bb35b7a7ed9dc01ee3e5833aa448825fe79304 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Dec 2020 11:40:48 +0300 +Subject: gma500: clean up error handling in init + +From: Dan Carpenter + +[ Upstream commit 15ccc39b3aab667c6fa131206f01f31bfbccdf6a ] + +The main problem with this error handling was that it didn't clean up if +i2c_add_numbered_adapter() failed. This code is pretty old, and doesn't +match with today's checkpatch.pl standards so I took the opportunity to +tidy it up a bit. I changed the NULL comparison, and removed the +WARNING message if kzalloc() fails and updated the label names. + +Fixes: 1b082ccf5901 ("gma500: Add Oaktrail support") +Signed-off-by: Dan Carpenter +Signed-off-by: Patrik Jakobsson +Link: https://patchwork.freedesktop.org/patch/msgid/X8ikkAqZfnDO2lu6@mwanda +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/gma500/oaktrail_hdmi_i2c.c | 22 +++++++++++++--------- + 1 file changed, 13 insertions(+), 9 deletions(-) + +diff --git a/drivers/gpu/drm/gma500/oaktrail_hdmi_i2c.c b/drivers/gpu/drm/gma500/oaktrail_hdmi_i2c.c +index e281070611480..fc9a34ed58bd1 100644 +--- a/drivers/gpu/drm/gma500/oaktrail_hdmi_i2c.c ++++ b/drivers/gpu/drm/gma500/oaktrail_hdmi_i2c.c +@@ -279,11 +279,8 @@ int oaktrail_hdmi_i2c_init(struct pci_dev *dev) + hdmi_dev = pci_get_drvdata(dev); + + i2c_dev = kzalloc(sizeof(struct hdmi_i2c_dev), GFP_KERNEL); +- if (i2c_dev == NULL) { +- DRM_ERROR("Can't allocate interface\n"); +- ret = -ENOMEM; +- goto exit; +- } ++ if (!i2c_dev) ++ return -ENOMEM; + + i2c_dev->adap = &oaktrail_hdmi_i2c_adapter; + i2c_dev->status = I2C_STAT_INIT; +@@ -300,16 +297,23 @@ int oaktrail_hdmi_i2c_init(struct pci_dev *dev) + oaktrail_hdmi_i2c_adapter.name, hdmi_dev); + if (ret) { + DRM_ERROR("Failed to request IRQ for I2C controller\n"); +- goto err; ++ goto free_dev; + } + + /* Adapter registration */ + ret = i2c_add_numbered_adapter(&oaktrail_hdmi_i2c_adapter); +- return ret; ++ if (ret) { ++ DRM_ERROR("Failed to add I2C adapter\n"); ++ goto free_irq; ++ } + +-err: ++ return 0; ++ ++free_irq: ++ free_irq(dev->irq, hdmi_dev); ++free_dev: + kfree(i2c_dev); +-exit: ++ + return ret; + } + +-- +2.27.0 + diff --git a/queue-4.9/hid-core-detect-and-skip-invalid-inputs-to-snto32.patch b/queue-4.9/hid-core-detect-and-skip-invalid-inputs-to-snto32.patch new file mode 100644 index 00000000000..aeeb772e2f2 --- /dev/null +++ b/queue-4.9/hid-core-detect-and-skip-invalid-inputs-to-snto32.patch @@ -0,0 +1,51 @@ +From d7cbe137774e56b60375687c8d176445947f72bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Dec 2020 17:12:21 -0800 +Subject: HID: core: detect and skip invalid inputs to snto32() + +From: Randy Dunlap + +[ Upstream commit a0312af1f94d13800e63a7d0a66e563582e39aec ] + +Prevent invalid (0, 0) inputs to hid-core's snto32() function. + +Maybe it is just the dummy device here that is causing this, but +there are hundreds of calls to snto32(0, 0). Having n (bits count) +of 0 is causing the current UBSAN trap with a shift value of +0xffffffff (-1, or n - 1 in this function). + +Either of the value to shift being 0 or the bits count being 0 can be +handled by just returning 0 to the caller, avoiding the following +complex shift + OR operations: + + return value & (1 << (n - 1)) ? value | (~0U << n) : value; + +Fixes: dde5845a529f ("[PATCH] Generic HID layer - code split") +Signed-off-by: Randy Dunlap +Reported-by: syzbot+1e911ad71dd4ea72e04a@syzkaller.appspotmail.com +Cc: Jiri Kosina +Cc: Benjamin Tissoires +Cc: linux-input@vger.kernel.org +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index 18bdba45c159a..40b36e59a8676 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -1109,6 +1109,9 @@ EXPORT_SYMBOL_GPL(hid_open_report); + + static s32 snto32(__u32 value, unsigned n) + { ++ if (!value || !n) ++ return 0; ++ + switch (n) { + case 8: return ((__s8)value); + case 16: return ((__s16)value); +-- +2.27.0 + diff --git a/queue-4.9/i2c-brcmstb-fix-brcmstd_send_i2c_cmd-condition.patch b/queue-4.9/i2c-brcmstb-fix-brcmstd_send_i2c_cmd-condition.patch new file mode 100644 index 00000000000..2b4bfe328f8 --- /dev/null +++ b/queue-4.9/i2c-brcmstb-fix-brcmstd_send_i2c_cmd-condition.patch @@ -0,0 +1,40 @@ +From 5b796ce3798622c4a1566c97520f97ee0ddf7407 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Feb 2021 17:11:01 +0100 +Subject: i2c: brcmstb: Fix brcmstd_send_i2c_cmd condition + +From: Maxime Ripard + +[ Upstream commit a1858ce0cfe31368b23ba55794e409fb57ced4a4 ] + +The brcmstb_send_i2c_cmd currently has a condition that is (CMD_RD || +CMD_WR) which always evaluates to true, while the obvious fix is to test +whether the cmd variable passed as parameter holds one of these two +values. + +Fixes: dd1aa2524bc5 ("i2c: brcmstb: Add Broadcom settop SoC i2c controller driver") +Reported-by: Dave Stevenson +Signed-off-by: Maxime Ripard +Acked-by: Florian Fainelli +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-brcmstb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-brcmstb.c b/drivers/i2c/busses/i2c-brcmstb.c +index 78792b4d6437c..a658f975605a7 100644 +--- a/drivers/i2c/busses/i2c-brcmstb.c ++++ b/drivers/i2c/busses/i2c-brcmstb.c +@@ -318,7 +318,7 @@ static int brcmstb_send_i2c_cmd(struct brcmstb_i2c_dev *dev, + goto cmd_out; + } + +- if ((CMD_RD || CMD_WR) && ++ if ((cmd == CMD_RD || cmd == CMD_WR) && + bsc_readl(dev, iic_enable) & BSC_IIC_EN_NOACK_MASK) { + rc = -EREMOTEIO; + dev_dbg(dev->device, "controller received NOACK intr for %s\n", +-- +2.27.0 + diff --git a/queue-4.9/i40e-fix-flow-for-ipv6-next-header-extension-header.patch b/queue-4.9/i40e-fix-flow-for-ipv6-next-header-extension-header.patch new file mode 100644 index 00000000000..c9f253ee876 --- /dev/null +++ b/queue-4.9/i40e-fix-flow-for-ipv6-next-header-extension-header.patch @@ -0,0 +1,63 @@ +From 604af93d8037a18f9dabe64e947d57889da68d57 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Sep 2020 07:57:04 +0000 +Subject: i40e: Fix flow for IPv6 next header (extension header) + +From: Slawomir Laba + +[ Upstream commit 92c6058024e87087cf1b99b0389d67c0a886360e ] + +When a packet contains an IPv6 header with next header which is +an extension header and not a protocol one, the kernel function +skb_transport_header called with such sk_buff will return a +pointer to the extension header and not to the TCP one. + +The above explained call caused a problem with packet processing +for skb with encapsulation for tunnel with I40E_TX_CTX_EXT_IP_IPV6. +The extension header was not skipped at all. + +The ipv6_skip_exthdr function does check if next header of the IPV6 +header is an extension header and doesn't modify the l4_proto pointer +if it points to a protocol header value so its safe to omit the +comparison of exthdr and l4.hdr pointers. The ipv6_skip_exthdr can +return value -1. This means that the skipping process failed +and there is something wrong with the packet so it will be dropped. + +Fixes: a3fd9d8876a5 ("i40e/i40evf: Handle IPv6 extension headers in checksum offload") +Signed-off-by: Slawomir Laba +Signed-off-by: Przemyslaw Patynowski +Reviewed-by: Aleksandr Loktionov +Tested-by: Tony Brelinski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_txrx.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.c b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +index 2e12ccf73dba0..877b49cc9d3c3 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +@@ -2452,13 +2452,16 @@ static int i40e_tx_enable_csum(struct sk_buff *skb, u32 *tx_flags, + + l4_proto = ip.v4->protocol; + } else if (*tx_flags & I40E_TX_FLAGS_IPV6) { ++ int ret; ++ + tunnel |= I40E_TX_CTX_EXT_IP_IPV6; + + exthdr = ip.hdr + sizeof(*ip.v6); + l4_proto = ip.v6->nexthdr; +- if (l4.hdr != exthdr) +- ipv6_skip_exthdr(skb, exthdr - skb->data, +- &l4_proto, &frag_off); ++ ret = ipv6_skip_exthdr(skb, exthdr - skb->data, ++ &l4_proto, &frag_off); ++ if (ret < 0) ++ return -1; + } + + /* define outer transport */ +-- +2.27.0 + diff --git a/queue-4.9/ib-umad-return-eio-in-case-of-when-device-disassocia.patch b/queue-4.9/ib-umad-return-eio-in-case-of-when-device-disassocia.patch new file mode 100644 index 00000000000..d940527b1da --- /dev/null +++ b/queue-4.9/ib-umad-return-eio-in-case-of-when-device-disassocia.patch @@ -0,0 +1,54 @@ +From 2921e1328036fdf77089218c8f9221d3430bdd11 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Jan 2021 14:13:38 +0200 +Subject: IB/umad: Return EIO in case of when device disassociated + +From: Shay Drory + +[ Upstream commit 4fc5461823c9cad547a9bdfbf17d13f0da0d6bb5 ] + +MAD message received by the user has EINVAL error in all flows +including when the device is disassociated. That makes it impossible +for the applications to treat such flow differently. + +Change it to return EIO, so the applications will be able to perform +disassociation recovery. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Link: https://lore.kernel.org/r/20210125121339.837518-2-leon@kernel.org +Signed-off-by: Shay Drory +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/user_mad.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c +index cf93a96b63249..bc6458d760330 100644 +--- a/drivers/infiniband/core/user_mad.c ++++ b/drivers/infiniband/core/user_mad.c +@@ -343,6 +343,11 @@ static ssize_t ib_umad_read(struct file *filp, char __user *buf, + + mutex_lock(&file->mutex); + ++ if (file->agents_dead) { ++ mutex_unlock(&file->mutex); ++ return -EIO; ++ } ++ + while (list_empty(&file->recv_list)) { + mutex_unlock(&file->mutex); + +@@ -485,7 +490,7 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf, + + agent = __get_agent(file, packet->mad.hdr.id); + if (!agent) { +- ret = -EINVAL; ++ ret = -EIO; + goto err_up; + } + +-- +2.27.0 + diff --git a/queue-4.9/input-elo-fix-an-error-code-in-elo_connect.patch b/queue-4.9/input-elo-fix-an-error-code-in-elo_connect.patch new file mode 100644 index 00000000000..65a8c50a683 --- /dev/null +++ b/queue-4.9/input-elo-fix-an-error-code-in-elo_connect.patch @@ -0,0 +1,40 @@ +From 6d629de1df36f13c5e0ee79245f97ec7ec6c08f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Feb 2021 20:29:05 -0800 +Subject: Input: elo - fix an error code in elo_connect() + +From: Dan Carpenter + +[ Upstream commit 0958351e93fa0ac142f6dd8bd844441594f30a57 ] + +If elo_setup_10() fails then this should return an error code instead +of success. + +Fixes: fae3006e4b42 ("Input: elo - add support for non-pressure-sensitive touchscreens") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/YBKFd5CvDu+jVmfW@mwanda +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/touchscreen/elo.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/input/touchscreen/elo.c b/drivers/input/touchscreen/elo.c +index 8051a4b704ea3..e2e31cbd6b2c3 100644 +--- a/drivers/input/touchscreen/elo.c ++++ b/drivers/input/touchscreen/elo.c +@@ -345,8 +345,10 @@ static int elo_connect(struct serio *serio, struct serio_driver *drv) + switch (elo->id) { + + case 0: /* 10-byte protocol */ +- if (elo_setup_10(elo)) ++ if (elo_setup_10(elo)) { ++ err = -EIO; + goto fail3; ++ } + + break; + +-- +2.27.0 + diff --git a/queue-4.9/isofs-release-buffer-head-before-return.patch b/queue-4.9/isofs-release-buffer-head-before-return.patch new file mode 100644 index 00000000000..2556ad29bad --- /dev/null +++ b/queue-4.9/isofs-release-buffer-head-before-return.patch @@ -0,0 +1,49 @@ +From 29d1e3f6e7f366d8313fc98c1f02e4d7fbf7797e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Jan 2021 04:04:55 -0800 +Subject: isofs: release buffer head before return + +From: Pan Bian + +[ Upstream commit 0a6dc67a6aa45f19bd4ff89b4f468fc50c4b8daa ] + +Release the buffer_head before returning error code in +do_isofs_readdir() and isofs_find_entry(). + +Fixes: 2deb1acc653c ("isofs: fix access to unallocated memory when reading corrupted filesystem") +Link: https://lore.kernel.org/r/20210118120455.118955-1-bianpan2016@163.com +Signed-off-by: Pan Bian +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/isofs/dir.c | 1 + + fs/isofs/namei.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/fs/isofs/dir.c b/fs/isofs/dir.c +index e7599615e4e04..e876a30f90735 100644 +--- a/fs/isofs/dir.c ++++ b/fs/isofs/dir.c +@@ -151,6 +151,7 @@ static int do_isofs_readdir(struct inode *inode, struct file *file, + printk(KERN_NOTICE "iso9660: Corrupted directory entry" + " in block %lu of inode %lu\n", block, + inode->i_ino); ++ brelse(bh); + return -EIO; + } + +diff --git a/fs/isofs/namei.c b/fs/isofs/namei.c +index aee592767f1d0..2c43de1b034d2 100644 +--- a/fs/isofs/namei.c ++++ b/fs/isofs/namei.c +@@ -101,6 +101,7 @@ isofs_find_entry(struct inode *dir, struct dentry *dentry, + printk(KERN_NOTICE "iso9660: Corrupted directory entry" + " in block %lu of inode %lu\n", block, + dir->i_ino); ++ brelse(bh); + return 0; + } + +-- +2.27.0 + diff --git a/queue-4.9/jffs2-fix-use-after-free-in-jffs2_sum_write_data.patch b/queue-4.9/jffs2-fix-use-after-free-in-jffs2_sum_write_data.patch new file mode 100644 index 00000000000..8cb1b99833b --- /dev/null +++ b/queue-4.9/jffs2-fix-use-after-free-in-jffs2_sum_write_data.patch @@ -0,0 +1,58 @@ +From 276af343a7a35c75a26611af7bf397fd2c9540a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Dec 2020 06:56:04 -0800 +Subject: jffs2: fix use after free in jffs2_sum_write_data() + +From: Tom Rix + +[ Upstream commit 19646447ad3a680d2ab08c097585b7d96a66126b ] + +clang static analysis reports this problem + +fs/jffs2/summary.c:794:31: warning: Use of memory after it is freed + c->summary->sum_list_head = temp->u.next; + ^~~~~~~~~~~~ + +In jffs2_sum_write_data(), in a loop summary data is handles a node at +a time. When it has written out the node it is removed the summary list, +and the node is deleted. In the corner case when a +JFFS2_FEATURE_RWCOMPAT_COPY is seen, a call is made to +jffs2_sum_disable_collecting(). jffs2_sum_disable_collecting() deletes +the whole list which conflicts with the loop's deleting the list by parts. + +To preserve the old behavior of stopping the write midway, bail out of +the loop after disabling summary collection. + +Fixes: 6171586a7ae5 ("[JFFS2] Correct handling of JFFS2_FEATURE_RWCOMPAT_COPY nodes.") +Signed-off-by: Tom Rix +Reviewed-by: Nathan Chancellor +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + fs/jffs2/summary.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/jffs2/summary.c b/fs/jffs2/summary.c +index be7c8a6a57480..4fe64519870f1 100644 +--- a/fs/jffs2/summary.c ++++ b/fs/jffs2/summary.c +@@ -783,6 +783,8 @@ static int jffs2_sum_write_data(struct jffs2_sb_info *c, struct jffs2_eraseblock + dbg_summary("Writing unknown RWCOMPAT_COPY node type %x\n", + je16_to_cpu(temp->u.nodetype)); + jffs2_sum_disable_collecting(c->summary); ++ /* The above call removes the list, nothing more to do */ ++ goto bail_rwcompat; + } else { + BUG(); /* unknown node in summary information */ + } +@@ -794,6 +796,7 @@ static int jffs2_sum_write_data(struct jffs2_sb_info *c, struct jffs2_eraseblock + + c->summary->sum_num--; + } ++ bail_rwcompat: + + jffs2_sum_reset_collected(c->summary); + +-- +2.27.0 + diff --git a/queue-4.9/mac80211-fix-potential-overflow-when-multiplying-to-.patch b/queue-4.9/mac80211-fix-potential-overflow-when-multiplying-to-.patch new file mode 100644 index 00000000000..6c6477c6ac5 --- /dev/null +++ b/queue-4.9/mac80211-fix-potential-overflow-when-multiplying-to-.patch @@ -0,0 +1,40 @@ +From 04e7bee9cf15e5886a382d20a5b580bb644f4cd7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Feb 2021 17:53:52 +0000 +Subject: mac80211: fix potential overflow when multiplying to u32 integers + +From: Colin Ian King + +[ Upstream commit 6194f7e6473be78acdc5d03edd116944bdbb2c4e ] + +The multiplication of the u32 variables tx_time and estimated_retx is +performed using a 32 bit multiplication and the result is stored in +a u64 result. This has a potential u32 overflow issue, so avoid this +by casting tx_time to a u64 to force a 64 bit multiply. + +Addresses-Coverity: ("Unintentional integer overflow") +Fixes: 050ac52cbe1f ("mac80211: code for on-demand Hybrid Wireless Mesh Protocol") +Signed-off-by: Colin Ian King +Link: https://lore.kernel.org/r/20210205175352.208841-1-colin.king@canonical.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mesh_hwmp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c +index 2fbd100b9e73d..a8b837d0498a4 100644 +--- a/net/mac80211/mesh_hwmp.c ++++ b/net/mac80211/mesh_hwmp.c +@@ -355,7 +355,7 @@ static u32 airtime_link_metric_get(struct ieee80211_local *local, + */ + tx_time = (device_constant + 10 * test_frame_len / rate); + estimated_retx = ((1 << (2 * ARITH_SHIFT)) / (s_unit - err)); +- result = (tx_time * estimated_retx) >> (2 * ARITH_SHIFT); ++ result = ((u64)tx_time * estimated_retx) >> (2 * ARITH_SHIFT); + return (u32)result; + } + +-- +2.27.0 + diff --git a/queue-4.9/media-cx25821-fix-a-bug-when-reallocating-some-dma-m.patch b/queue-4.9/media-cx25821-fix-a-bug-when-reallocating-some-dma-m.patch new file mode 100644 index 00000000000..f2348fe89da --- /dev/null +++ b/queue-4.9/media-cx25821-fix-a-bug-when-reallocating-some-dma-m.patch @@ -0,0 +1,46 @@ +From 337afc27cfcaa7c8ec6e9110574c1150bbf3a926 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Jan 2021 22:21:46 +0100 +Subject: media: cx25821: Fix a bug when reallocating some dma memory + +From: Christophe JAILLET + +[ Upstream commit b2de3643c5024fc4fd128ba7767c7fb8b714bea7 ] + +This function looks like a realloc. + +However, if 'risc->cpu != NULL', the memory will be freed, but never +reallocated with the bigger 'size'. +Explicitly set 'risc->cpu' to NULL, so that the reallocation is +correctly performed a few lines below. + +[hverkuil: NULL != risc->cpu -> risc->cpu] + +Fixes: 5ede94c70553 ("[media] cx25821: remove bogus btcx_risc dependency) +Signed-off-by: Christophe JAILLET +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/cx25821/cx25821-core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/pci/cx25821/cx25821-core.c b/drivers/media/pci/cx25821/cx25821-core.c +index 0d4cacb93664e..d58c58e61bde0 100644 +--- a/drivers/media/pci/cx25821/cx25821-core.c ++++ b/drivers/media/pci/cx25821/cx25821-core.c +@@ -990,8 +990,10 @@ int cx25821_riscmem_alloc(struct pci_dev *pci, + __le32 *cpu; + dma_addr_t dma = 0; + +- if (NULL != risc->cpu && risc->size < size) ++ if (risc->cpu && risc->size < size) { + pci_free_consistent(pci, risc->size, risc->cpu, risc->dma); ++ risc->cpu = NULL; ++ } + if (NULL == risc->cpu) { + cpu = pci_zalloc_consistent(pci, size, &dma); + if (NULL == cpu) +-- +2.27.0 + diff --git a/queue-4.9/media-lmedm04-fix-misuse-of-comma.patch b/queue-4.9/media-lmedm04-fix-misuse-of-comma.patch new file mode 100644 index 00000000000..c5fa5998a57 --- /dev/null +++ b/queue-4.9/media-lmedm04-fix-misuse-of-comma.patch @@ -0,0 +1,40 @@ +From 1891dbcfff7620992ad8913a689e1f127e9f3928 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Aug 2020 20:13:31 +0200 +Subject: media: lmedm04: Fix misuse of comma + +From: Joe Perches + +[ Upstream commit 59a3e78f8cc33901fe39035c1ab681374bba95ad ] + +There's a comma used instead of a semicolon that causes multiple +statements to be executed after an if instead of just the intended +single statement. + +Replace the comma with a semicolon. + +Fixes: 15e1ce33182d ("[media] lmedm04: Fix usb_submit_urb BOGUS urb xfer, pipe 1 != type 3 in interrupt urb") +Signed-off-by: Joe Perches +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb-v2/lmedm04.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/usb/dvb-usb-v2/lmedm04.c b/drivers/media/usb/dvb-usb-v2/lmedm04.c +index 5c4aa247d650f..ca4ed2af53207 100644 +--- a/drivers/media/usb/dvb-usb-v2/lmedm04.c ++++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c +@@ -446,7 +446,7 @@ static int lme2510_int_read(struct dvb_usb_adapter *adap) + ep = usb_pipe_endpoint(d->udev, lme_int->lme_urb->pipe); + + if (usb_endpoint_type(&ep->desc) == USB_ENDPOINT_XFER_BULK) +- lme_int->lme_urb->pipe = usb_rcvbulkpipe(d->udev, 0xa), ++ lme_int->lme_urb->pipe = usb_rcvbulkpipe(d->udev, 0xa); + + lme_int->lme_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP; + +-- +2.27.0 + diff --git a/queue-4.9/media-media-pci-fix-memleak-in-empress_init.patch b/queue-4.9/media-media-pci-fix-memleak-in-empress_init.patch new file mode 100644 index 00000000000..8295b9f5786 --- /dev/null +++ b/queue-4.9/media-media-pci-fix-memleak-in-empress_init.patch @@ -0,0 +1,42 @@ +From 8a68da112a9bedaf14b431125f2d3eae645805d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 2 Jan 2021 07:27:22 +0100 +Subject: media: media/pci: Fix memleak in empress_init + +From: Dinghao Liu + +[ Upstream commit 15d0c52241ecb1c9d802506bff6f5c3f7872c0df ] + +When vb2_queue_init() fails, dev->empress_dev +should be released just like other error handling +paths. + +Fixes: 2ada815fc48bb ("[media] saa7134: convert to vb2") +Signed-off-by: Dinghao Liu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/saa7134/saa7134-empress.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/pci/saa7134/saa7134-empress.c b/drivers/media/pci/saa7134/saa7134-empress.c +index f0fe2524259f0..522e1e18850fb 100644 +--- a/drivers/media/pci/saa7134/saa7134-empress.c ++++ b/drivers/media/pci/saa7134/saa7134-empress.c +@@ -297,8 +297,11 @@ static int empress_init(struct saa7134_dev *dev) + q->lock = &dev->lock; + q->dev = &dev->pci->dev; + err = vb2_queue_init(q); +- if (err) ++ if (err) { ++ video_device_release(dev->empress_dev); ++ dev->empress_dev = NULL; + return err; ++ } + dev->empress_dev->queue = q; + + video_set_drvdata(dev->empress_dev, dev); +-- +2.27.0 + diff --git a/queue-4.9/media-pxa_camera-declare-variable-when-debug-is-defi.patch b/queue-4.9/media-pxa_camera-declare-variable-when-debug-is-defi.patch new file mode 100644 index 00000000000..3c126624cb4 --- /dev/null +++ b/queue-4.9/media-pxa_camera-declare-variable-when-debug-is-defi.patch @@ -0,0 +1,46 @@ +From 14f6a0b5d3cdd2a440838d37142f0ae24a8d8086 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Jan 2021 14:45:13 +0100 +Subject: media: pxa_camera: declare variable when DEBUG is defined +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tom Rix + +[ Upstream commit 031b9212eeee365443aaef013360ea6cded7b2c4 ] + +When DEBUG is defined this error occurs + +drivers/media/platform/pxa_camera.c:1410:7: error: + ‘i’ undeclared (first use in this function) + for (i = 0; i < vb->num_planes; i++) + ^ +The variable 'i' is missing, so declare it. + +Fixes: 6f28435d1c15 ("[media] media: platform: pxa_camera: trivial move of functions") +Signed-off-by: Tom Rix +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/pxa_camera.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/media/platform/pxa_camera.c b/drivers/media/platform/pxa_camera.c +index 3fab9f776afa7..425eda460e013 100644 +--- a/drivers/media/platform/pxa_camera.c ++++ b/drivers/media/platform/pxa_camera.c +@@ -1420,6 +1420,9 @@ static int pxac_vb2_prepare(struct vb2_buffer *vb) + struct pxa_camera_dev *pcdev = vb2_get_drv_priv(vb->vb2_queue); + struct pxa_buffer *buf = vb2_to_pxa_buffer(vb); + int ret = 0; ++#ifdef DEBUG ++ int i; ++#endif + + switch (pcdev->channels) { + case 1: +-- +2.27.0 + diff --git a/queue-4.9/media-qm1d1c0042-fix-error-return-code-in-qm1d1c0042.patch b/queue-4.9/media-qm1d1c0042-fix-error-return-code-in-qm1d1c0042.patch new file mode 100644 index 00000000000..09b34d5573a --- /dev/null +++ b/queue-4.9/media-qm1d1c0042-fix-error-return-code-in-qm1d1c0042.patch @@ -0,0 +1,43 @@ +From 3d536ee93b375063fbb1a69d4fc599ad3de2c7ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Nov 2020 02:34:37 +0100 +Subject: media: qm1d1c0042: fix error return code in qm1d1c0042_init() + +From: Luo Meng + +[ Upstream commit fcf8d018bdca0453b8d6359062e6bc1512d04c38 ] + +Fix to return a negative error code from the error handling case +instead of 0 in function qm1d1c0042_init(), as done elsewhere +in this function. + +Fixes: ab4d14528fdf ("[media] em28xx: add support for PLEX PX-BCUD (ISDB-S)") +Reported-by: Hulk Robot +Signed-off-by: Luo Meng +Acked-by: Akihiro Tsukada +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/tuners/qm1d1c0042.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/tuners/qm1d1c0042.c b/drivers/media/tuners/qm1d1c0042.c +index 9af2a155cfca9..416d1eeb9c029 100644 +--- a/drivers/media/tuners/qm1d1c0042.c ++++ b/drivers/media/tuners/qm1d1c0042.c +@@ -352,8 +352,10 @@ static int qm1d1c0042_init(struct dvb_frontend *fe) + if (val == reg_initval[reg_index][0x00]) + break; + } +- if (reg_index >= QM1D1C0042_NUM_REG_ROWS) ++ if (reg_index >= QM1D1C0042_NUM_REG_ROWS) { ++ ret = -EINVAL; + goto failed; ++ } + memcpy(state->regs, reg_initval[reg_index], QM1D1C0042_NUM_REGS); + usleep_range(2000, 3000); + +-- +2.27.0 + diff --git a/queue-4.9/media-tm6000-fix-memleak-in-tm6000_start_stream.patch b/queue-4.9/media-tm6000-fix-memleak-in-tm6000_start_stream.patch new file mode 100644 index 00000000000..c63c205cc9a --- /dev/null +++ b/queue-4.9/media-tm6000-fix-memleak-in-tm6000_start_stream.patch @@ -0,0 +1,40 @@ +From 752843cffed7eb68620f896cbcda7a6ea530820a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 2 Jan 2021 09:26:37 +0100 +Subject: media: tm6000: Fix memleak in tm6000_start_stream + +From: Dinghao Liu + +[ Upstream commit 76aaf8a96771c16365b8510f1fb97738dc88026e ] + +When usb_clear_halt() fails, dvb->bulk_urb->transfer_buffer +and dvb->bulk_urb should be freed just like when +usb_submit_urb() fails. + +Fixes: 3169c9b26fffa ("V4L/DVB (12788): tm6000: Add initial DVB-T support") +Signed-off-by: Dinghao Liu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/tm6000/tm6000-dvb.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/media/usb/tm6000/tm6000-dvb.c b/drivers/media/usb/tm6000/tm6000-dvb.c +index 185c8079d0f93..14f3e8388f357 100644 +--- a/drivers/media/usb/tm6000/tm6000-dvb.c ++++ b/drivers/media/usb/tm6000/tm6000-dvb.c +@@ -156,6 +156,10 @@ static int tm6000_start_stream(struct tm6000_core *dev) + if (ret < 0) { + printk(KERN_ERR "tm6000: error %i in %s during pipe reset\n", + ret, __func__); ++ ++ kfree(dvb->bulk_urb->transfer_buffer); ++ usb_free_urb(dvb->bulk_urb); ++ dvb->bulk_urb = NULL; + return ret; + } else + printk(KERN_ERR "tm6000: pipe resetted\n"); +-- +2.27.0 + diff --git a/queue-4.9/media-uvcvideo-accept-invalid-bformatindex-and-bfram.patch b/queue-4.9/media-uvcvideo-accept-invalid-bformatindex-and-bfram.patch new file mode 100644 index 00000000000..f0c84df0407 --- /dev/null +++ b/queue-4.9/media-uvcvideo-accept-invalid-bformatindex-and-bfram.patch @@ -0,0 +1,82 @@ +From 07de2fe3ee0d80e88391042118a6326bede20d62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Dec 2020 15:11:13 +0100 +Subject: media: uvcvideo: Accept invalid bFormatIndex and bFrameIndex values +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Laurent Pinchart + +[ Upstream commit dc9455ffae02d7b7fb51ba1e007fffcb9dc5d890 ] + +The Renkforce RF AC4K 300 Action Cam 4K reports invalid bFormatIndex and +bFrameIndex values when negotiating the video probe and commit controls. +The UVC descriptors report a single supported format and frame size, +with bFormatIndex and bFrameIndex both equal to 2, but the video probe +and commit controls report bFormatIndex and bFrameIndex set to 1. + +The device otherwise operates correctly, but the driver rejects the +values and fails the format try operation. Fix it by ignoring the +invalid indices, and assuming that the format and frame requested by the +driver are accepted by the device. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=210767 + +Fixes: 8a652a17e3c0 ("media: uvcvideo: Ensure all probed info is returned to v4l2") +Reported-by: Till Dörges +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_v4l2.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c +index 5156c971c241c..6a19cf94705b1 100644 +--- a/drivers/media/usb/uvc/uvc_v4l2.c ++++ b/drivers/media/usb/uvc/uvc_v4l2.c +@@ -258,7 +258,9 @@ static int uvc_v4l2_try_format(struct uvc_streaming *stream, + goto done; + + /* After the probe, update fmt with the values returned from +- * negotiation with the device. ++ * negotiation with the device. Some devices return invalid bFormatIndex ++ * and bFrameIndex values, in which case we can only assume they have ++ * accepted the requested format as-is. + */ + for (i = 0; i < stream->nformats; ++i) { + if (probe->bFormatIndex == stream->format[i].index) { +@@ -267,11 +269,10 @@ static int uvc_v4l2_try_format(struct uvc_streaming *stream, + } + } + +- if (i == stream->nformats) { +- uvc_trace(UVC_TRACE_FORMAT, "Unknown bFormatIndex %u\n", ++ if (i == stream->nformats) ++ uvc_trace(UVC_TRACE_FORMAT, ++ "Unknown bFormatIndex %u, using default\n", + probe->bFormatIndex); +- return -EINVAL; +- } + + for (i = 0; i < format->nframes; ++i) { + if (probe->bFrameIndex == format->frame[i].bFrameIndex) { +@@ -280,11 +281,10 @@ static int uvc_v4l2_try_format(struct uvc_streaming *stream, + } + } + +- if (i == format->nframes) { +- uvc_trace(UVC_TRACE_FORMAT, "Unknown bFrameIndex %u\n", ++ if (i == format->nframes) ++ uvc_trace(UVC_TRACE_FORMAT, ++ "Unknown bFrameIndex %u, using default\n", + probe->bFrameIndex); +- return -EINVAL; +- } + + fmt->fmt.pix.width = frame->wWidth; + fmt->fmt.pix.height = frame->wHeight; +-- +2.27.0 + diff --git a/queue-4.9/media-vsp1-fix-an-error-handling-path-in-the-probe-f.patch b/queue-4.9/media-vsp1-fix-an-error-handling-path-in-the-probe-f.patch new file mode 100644 index 00000000000..d7ac6fc5cb5 --- /dev/null +++ b/queue-4.9/media-vsp1-fix-an-error-handling-path-in-the-probe-f.patch @@ -0,0 +1,43 @@ +From 9af2ec0c84f4db867a89aab5d2041f6175277a59 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Dec 2020 18:41:19 +0100 +Subject: media: vsp1: Fix an error handling path in the probe function + +From: Christophe JAILLET + +[ Upstream commit 7113469dafc2d545fa4fa9bc649c31dc27db492e ] + +A previous 'rcar_fcp_get()' call must be undone in the error handling path, +as already done in the remove function. + +Fixes: 94fcdf829793 ("[media] v4l: vsp1: Add FCP support") +Signed-off-by: Christophe JAILLET +Reviewed-by: Geert Uytterhoeven +Reviewed-by: Kieran Bingham +Reviewed-by: Laurent Pinchart +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/vsp1/vsp1_drv.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/vsp1/vsp1_drv.c b/drivers/media/platform/vsp1/vsp1_drv.c +index fcb1838d670d4..8d50a9a9f73da 100644 +--- a/drivers/media/platform/vsp1/vsp1_drv.c ++++ b/drivers/media/platform/vsp1/vsp1_drv.c +@@ -764,8 +764,10 @@ static int vsp1_probe(struct platform_device *pdev) + } + + done: +- if (ret) ++ if (ret) { + pm_runtime_disable(&pdev->dev); ++ rcar_fcp_put(vsp1->fcp); ++ } + + return ret; + } +-- +2.27.0 + diff --git a/queue-4.9/mfd-wm831x-auxadc-prevent-use-after-free-in-wm831x_a.patch b/queue-4.9/mfd-wm831x-auxadc-prevent-use-after-free-in-wm831x_a.patch new file mode 100644 index 00000000000..705520e4d7c --- /dev/null +++ b/queue-4.9/mfd-wm831x-auxadc-prevent-use-after-free-in-wm831x_a.patch @@ -0,0 +1,44 @@ +From 13a77a6ca996ae1718c65548863cc7d95eec4043 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Jan 2021 17:37:24 +0300 +Subject: mfd: wm831x-auxadc: Prevent use after free in + wm831x_auxadc_read_irq() + +From: Dan Carpenter + +[ Upstream commit 26783d74cc6a440ee3ef9836a008a697981013d0 ] + +The "req" struct is always added to the "wm831x->auxadc_pending" list, +but it's only removed from the list on the success path. If a failure +occurs then the "req" struct is freed but it's still on the list, +leading to a use after free. + +Fixes: 78bb3688ea18 ("mfd: Support multiple active WM831x AUXADC conversions") +Signed-off-by: Dan Carpenter +Acked-by: Charles Keepax +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/wm831x-auxadc.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/mfd/wm831x-auxadc.c b/drivers/mfd/wm831x-auxadc.c +index fd789d2eb0f52..9f7ae1e1ebcd6 100644 +--- a/drivers/mfd/wm831x-auxadc.c ++++ b/drivers/mfd/wm831x-auxadc.c +@@ -98,11 +98,10 @@ static int wm831x_auxadc_read_irq(struct wm831x *wm831x, + wait_for_completion_timeout(&req->done, msecs_to_jiffies(500)); + + mutex_lock(&wm831x->auxadc_lock); +- +- list_del(&req->list); + ret = req->val; + + out: ++ list_del(&req->list); + mutex_unlock(&wm831x->auxadc_lock); + + kfree(req); +-- +2.27.0 + diff --git a/queue-4.9/mips-c-r4k-fix-section-mismatch-for-loongson2_sc_ini.patch b/queue-4.9/mips-c-r4k-fix-section-mismatch-for-loongson2_sc_ini.patch new file mode 100644 index 00000000000..67fcce1f318 --- /dev/null +++ b/queue-4.9/mips-c-r4k-fix-section-mismatch-for-loongson2_sc_ini.patch @@ -0,0 +1,45 @@ +From 9574d248c6af6196fc9a9cac830b5937fd9a7f17 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Jan 2021 13:34:56 -0700 +Subject: MIPS: c-r4k: Fix section mismatch for loongson2_sc_init + +From: Nathan Chancellor + +[ Upstream commit c58734eee6a2151ba033c0dcb31902c89e310374 ] + +When building with clang, the following section mismatch warning occurs: + +WARNING: modpost: vmlinux.o(.text+0x24490): Section mismatch in +reference from the function r4k_cache_init() to the function +.init.text:loongson2_sc_init() + +This should have been fixed with commit ad4fddef5f23 ("mips: fix Section +mismatch in reference") but it was missed. Remove the improper __init +annotation like that commit did. + +Fixes: 078a55fc824c ("MIPS: Delete __cpuinit/__CPUINIT usage from MIPS code") +Link: https://github.com/ClangBuiltLinux/linux/issues/787 +Signed-off-by: Nathan Chancellor +Reviewed-by: Huacai Chen +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/mm/c-r4k.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/mips/mm/c-r4k.c b/arch/mips/mm/c-r4k.c +index cb877f86f5fc9..b9dea4ce290c1 100644 +--- a/arch/mips/mm/c-r4k.c ++++ b/arch/mips/mm/c-r4k.c +@@ -1630,7 +1630,7 @@ static int probe_scache(void) + return 1; + } + +-static void __init loongson2_sc_init(void) ++static void loongson2_sc_init(void) + { + struct cpuinfo_mips *c = ¤t_cpu_data; + +-- +2.27.0 + diff --git a/queue-4.9/mips-lantiq-explicitly-compare-ltq_ebu_pcc_istat-aga.patch b/queue-4.9/mips-lantiq-explicitly-compare-ltq_ebu_pcc_istat-aga.patch new file mode 100644 index 00000000000..ce4568b2336 --- /dev/null +++ b/queue-4.9/mips-lantiq-explicitly-compare-ltq_ebu_pcc_istat-aga.patch @@ -0,0 +1,55 @@ +From 18d1507d16e39dd81d452a3da0fa1a9b884ae358 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Jan 2021 13:15:48 -0700 +Subject: MIPS: lantiq: Explicitly compare LTQ_EBU_PCC_ISTAT against 0 + +From: Nathan Chancellor + +[ Upstream commit c6f2a9e17b9bef7677caddb1626c2402f3e9d2bd ] + +When building xway_defconfig with clang: + +arch/mips/lantiq/irq.c:305:48: error: use of logical '&&' with constant +operand [-Werror,-Wconstant-logical-operand] + if ((irq == LTQ_ICU_EBU_IRQ) && (module == 0) && LTQ_EBU_PCC_ISTAT) + ^ ~~~~~~~~~~~~~~~~~ +arch/mips/lantiq/irq.c:305:48: note: use '&' for a bitwise operation + if ((irq == LTQ_ICU_EBU_IRQ) && (module == 0) && LTQ_EBU_PCC_ISTAT) + ^~ + & +arch/mips/lantiq/irq.c:305:48: note: remove constant to silence this +warning + if ((irq == LTQ_ICU_EBU_IRQ) && (module == 0) && LTQ_EBU_PCC_ISTAT) + ~^~~~~~~~~~~~~~~~~~~~ +1 error generated. + +Explicitly compare the constant LTQ_EBU_PCC_ISTAT against 0 to fix the +warning. Additionally, remove the unnecessary parentheses as this is a +simple conditional statement and shorthand '== 0' to '!'. + +Fixes: 3645da0276ae ("OF: MIPS: lantiq: implement irq_domain support") +Link: https://github.com/ClangBuiltLinux/linux/issues/807 +Reported-by: Dmitry Golovin +Signed-off-by: Nathan Chancellor +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/lantiq/irq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/mips/lantiq/irq.c b/arch/mips/lantiq/irq.c +index 7c6f75c2aa4df..e64f678ca12c8 100644 +--- a/arch/mips/lantiq/irq.c ++++ b/arch/mips/lantiq/irq.c +@@ -245,7 +245,7 @@ static void ltq_hw_irqdispatch(int module) + do_IRQ((int)irq + MIPS_CPU_IRQ_CASCADE + (INT_NUM_IM_OFFSET * module)); + + /* if this is a EBU irq, we need to ack it or get a deadlock */ +- if ((irq == LTQ_ICU_EBU_IRQ) && (module == 0) && LTQ_EBU_PCC_ISTAT) ++ if (irq == LTQ_ICU_EBU_IRQ && !module && LTQ_EBU_PCC_ISTAT != 0) + ltq_ebu_w32(ltq_ebu_r32(LTQ_EBU_PCC_ISTAT) | 0x10, + LTQ_EBU_PCC_ISTAT); + } +-- +2.27.0 + diff --git a/queue-4.9/misc-eeprom_93xx46-add-module-alias-to-avoid-breakin.patch b/queue-4.9/misc-eeprom_93xx46-add-module-alias-to-avoid-breakin.patch new file mode 100644 index 00000000000..cf13fb97e85 --- /dev/null +++ b/queue-4.9/misc-eeprom_93xx46-add-module-alias-to-avoid-breakin.patch @@ -0,0 +1,38 @@ +From 6460422c93070f2f16b86a98f458498032832179 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Jan 2021 10:42:52 +0530 +Subject: misc: eeprom_93xx46: Add module alias to avoid breaking support for + non device tree users + +From: Aswath Govindraju + +[ Upstream commit 4540b9fbd8ebb21bb3735796d300a1589ee5fbf2 ] + +Module alias "spi:93xx46" is used by non device tree users like +drivers/misc/eeprom/digsy_mtc_eeprom.c and removing it will +break support for them. + +Fix this by adding back the module alias "spi:93xx46". + +Fixes: 13613a2246bf ("misc: eeprom_93xx46: Fix module alias to enable module autoprobe") +Signed-off-by: Aswath Govindraju +Link: https://lore.kernel.org/r/20210113051253.15061-1-a-govindraju@ti.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/eeprom/eeprom_93xx46.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/misc/eeprom/eeprom_93xx46.c b/drivers/misc/eeprom/eeprom_93xx46.c +index 275906b37eb89..d30deee1effda 100644 +--- a/drivers/misc/eeprom/eeprom_93xx46.c ++++ b/drivers/misc/eeprom/eeprom_93xx46.c +@@ -532,4 +532,5 @@ module_spi_driver(eeprom_93xx46_driver); + MODULE_LICENSE("GPL"); + MODULE_DESCRIPTION("Driver for 93xx46 EEPROMs"); + MODULE_AUTHOR("Anatolij Gustschin "); ++MODULE_ALIAS("spi:93xx46"); + MODULE_ALIAS("spi:eeprom-93xx46"); +-- +2.27.0 + diff --git a/queue-4.9/misc-eeprom_93xx46-fix-module-alias-to-enable-module.patch b/queue-4.9/misc-eeprom_93xx46-fix-module-alias-to-enable-module.patch new file mode 100644 index 00000000000..77820d243ae --- /dev/null +++ b/queue-4.9/misc-eeprom_93xx46-fix-module-alias-to-enable-module.patch @@ -0,0 +1,34 @@ +From 79f09e8941d754ed32ab8b8876b449ac54bed1a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Jan 2021 22:09:53 +0530 +Subject: misc: eeprom_93xx46: Fix module alias to enable module autoprobe + +From: Aswath Govindraju + +[ Upstream commit 13613a2246bf531f5fc04e8e62e8f21a3d39bf1c ] + +Fix module autoprobe by correcting module alias to match the string from +/sys/class/.../spi1.0/modalias content. + +Fixes: 06b4501e88ad ("misc/eeprom: add driver for microwire 93xx46 EEPROMs") +Signed-off-by: Aswath Govindraju +Link: https://lore.kernel.org/r/20210107163957.28664-2-a-govindraju@ti.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/eeprom/eeprom_93xx46.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/misc/eeprom/eeprom_93xx46.c b/drivers/misc/eeprom/eeprom_93xx46.c +index 94cc035aa8417..275906b37eb89 100644 +--- a/drivers/misc/eeprom/eeprom_93xx46.c ++++ b/drivers/misc/eeprom/eeprom_93xx46.c +@@ -532,4 +532,4 @@ module_spi_driver(eeprom_93xx46_driver); + MODULE_LICENSE("GPL"); + MODULE_DESCRIPTION("Driver for 93xx46 EEPROMs"); + MODULE_AUTHOR("Anatolij Gustschin "); +-MODULE_ALIAS("spi:93xx46"); ++MODULE_ALIAS("spi:eeprom-93xx46"); +-- +2.27.0 + diff --git a/queue-4.9/mm-hugetlb-fix-potential-double-free-in-hugetlb_regi.patch b/queue-4.9/mm-hugetlb-fix-potential-double-free-in-hugetlb_regi.patch new file mode 100644 index 00000000000..1f669dcabca --- /dev/null +++ b/queue-4.9/mm-hugetlb-fix-potential-double-free-in-hugetlb_regi.patch @@ -0,0 +1,46 @@ +From e28bc66580943f1760ce8830db581902825190ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Feb 2021 12:06:50 -0800 +Subject: mm/hugetlb: fix potential double free in hugetlb_register_node() + error path + +From: Miaohe Lin + +[ Upstream commit cc2205a67dec5a700227a693fc113441e73e4641 ] + +In hugetlb_sysfs_add_hstate(), we would do kobject_put() on hstate_kobjs +when failed to create sysfs group but forget to set hstate_kobjs to NULL. +Then in hugetlb_register_node() error path, we may free it again via +hugetlb_unregister_node(). + +Link: https://lkml.kernel.org/r/20210107123249.36964-1-linmiaohe@huawei.com +Fixes: a3437870160c ("hugetlb: new sysfs interface") +Signed-off-by: Miaohe Lin +Reviewed-by: Mike Kravetz +Reviewed-by: Muchun Song +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/hugetlb.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/mm/hugetlb.c b/mm/hugetlb.c +index 5a16d892c891c..729706f55dce0 100644 +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -2618,8 +2618,10 @@ static int hugetlb_sysfs_add_hstate(struct hstate *h, struct kobject *parent, + return -ENOMEM; + + retval = sysfs_create_group(hstate_kobjs[hi], hstate_attr_group); +- if (retval) ++ if (retval) { + kobject_put(hstate_kobjs[hi]); ++ hstate_kobjs[hi] = NULL; ++ } + + return retval; + } +-- +2.27.0 + diff --git a/queue-4.9/mm-memory.c-fix-potential-pte_unmap_unlock-pte-error.patch b/queue-4.9/mm-memory.c-fix-potential-pte_unmap_unlock-pte-error.patch new file mode 100644 index 00000000000..1a721532189 --- /dev/null +++ b/queue-4.9/mm-memory.c-fix-potential-pte_unmap_unlock-pte-error.patch @@ -0,0 +1,66 @@ +From 836310f5bf086b01b90d77e65391830a8909a1cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Feb 2021 12:04:33 -0800 +Subject: mm/memory.c: fix potential pte_unmap_unlock pte error + +From: Miaohe Lin + +[ Upstream commit 90a3e375d324b2255b83e3dd29e99e2b05d82aaf ] + +Since commit 42e4089c7890 ("x86/speculation/l1tf: Disallow non privileged +high MMIO PROT_NONE mappings"), when the first pfn modify is not allowed, +we would break the loop with pte unchanged. Then the wrong pte - 1 would +be passed to pte_unmap_unlock. + +Andi said: + + "While the fix is correct, I'm not sure if it actually is a real bug. + Is there any architecture that would do something else than unlocking + the underlying page? If it's just the underlying page then it should + be always the same page, so no bug" + +Link: https://lkml.kernel.org/r/20210109080118.20885-1-linmiaohe@huawei.com +Fixes: 42e4089c789 ("x86/speculation/l1tf: Disallow non privileged high MMIO PROT_NONE mappings") +Signed-off-by: Hongxiang Lou +Signed-off-by: Miaohe Lin +Cc: Thomas Gleixner +Cc: Dave Hansen +Cc: Andi Kleen +Cc: Josh Poimboeuf +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/memory.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/mm/memory.c b/mm/memory.c +index 47248dc0b9e1a..d1cc9923320b4 100644 +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -1687,11 +1687,11 @@ static int remap_pte_range(struct mm_struct *mm, pmd_t *pmd, + unsigned long addr, unsigned long end, + unsigned long pfn, pgprot_t prot) + { +- pte_t *pte; ++ pte_t *pte, *mapped_pte; + spinlock_t *ptl; + int err = 0; + +- pte = pte_alloc_map_lock(mm, pmd, addr, &ptl); ++ mapped_pte = pte = pte_alloc_map_lock(mm, pmd, addr, &ptl); + if (!pte) + return -ENOMEM; + arch_enter_lazy_mmu_mode(); +@@ -1705,7 +1705,7 @@ static int remap_pte_range(struct mm_struct *mm, pmd_t *pmd, + pfn++; + } while (pte++, addr += PAGE_SIZE, addr != end); + arch_leave_lazy_mmu_mode(); +- pte_unmap_unlock(pte - 1, ptl); ++ pte_unmap_unlock(mapped_pte, ptl); + return err; + } + +-- +2.27.0 + diff --git a/queue-4.9/mmc-usdhi6rol0-fix-a-resource-leak-in-the-error-hand.patch b/queue-4.9/mmc-usdhi6rol0-fix-a-resource-leak-in-the-error-hand.patch new file mode 100644 index 00000000000..ed075ea8a79 --- /dev/null +++ b/queue-4.9/mmc-usdhi6rol0-fix-a-resource-leak-in-the-error-hand.patch @@ -0,0 +1,46 @@ +From 57725c79c2b19edbee80cc83c6438bc18ce9895c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Dec 2020 22:09:22 +0100 +Subject: mmc: usdhi6rol0: Fix a resource leak in the error handling path of + the probe + +From: Christophe JAILLET + +[ Upstream commit 6052b3c370fb82dec28bcfff6d7ec0da84ac087a ] + +A call to 'ausdhi6_dma_release()' to undo a previous call to +'usdhi6_dma_request()' is missing in the error handling path of the probe +function. + +It is already present in the remove function. + +Fixes: 75fa9ea6e3c0 ("mmc: add a driver for the Renesas usdhi6rol0 SD/SDIO host controller") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/20201217210922.165340-1-christophe.jaillet@wanadoo.fr +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/usdhi6rol0.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/usdhi6rol0.c b/drivers/mmc/host/usdhi6rol0.c +index 1bd5f1a18d4e2..003aecc441223 100644 +--- a/drivers/mmc/host/usdhi6rol0.c ++++ b/drivers/mmc/host/usdhi6rol0.c +@@ -1866,10 +1866,12 @@ static int usdhi6_probe(struct platform_device *pdev) + + ret = mmc_add_host(mmc); + if (ret < 0) +- goto e_clk_off; ++ goto e_release_dma; + + return 0; + ++e_release_dma: ++ usdhi6_dma_release(host); + e_clk_off: + clk_disable_unprepare(host->clk); + e_free_mmc: +-- +2.27.0 + diff --git a/queue-4.9/net-mlx4_core-add-missed-mlx4_free_cmd_mailbox.patch b/queue-4.9/net-mlx4_core-add-missed-mlx4_free_cmd_mailbox.patch new file mode 100644 index 00000000000..a115c4a3634 --- /dev/null +++ b/queue-4.9/net-mlx4_core-add-missed-mlx4_free_cmd_mailbox.patch @@ -0,0 +1,39 @@ +From 50153480bfa091e5a059faaf9de9b13a11bc40d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Feb 2021 22:35:59 +0800 +Subject: net/mlx4_core: Add missed mlx4_free_cmd_mailbox() + +From: Chuhong Yuan + +[ Upstream commit 8eb65fda4a6dbd59cd5de24b106a10b6ee0d2176 ] + +mlx4_do_mirror_rule() forgets to call mlx4_free_cmd_mailbox() to +free the memory region allocated by mlx4_alloc_cmd_mailbox() before +an exit. +Add the missed call to fix it. + +Fixes: 78efed275117 ("net/mlx4_core: Support mirroring VF DMFS rules on both ports") +Signed-off-by: Chuhong Yuan +Reviewed-by: Tariq Toukan +Link: https://lore.kernel.org/r/20210221143559.390277-1-hslester96@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx4/resource_tracker.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c +index 7d1e8ab956e64..ab046bffed150 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c ++++ b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c +@@ -4948,6 +4948,7 @@ static int mlx4_do_mirror_rule(struct mlx4_dev *dev, struct res_fs_rule *fs_rule + + if (!fs_rule->mirr_mbox) { + mlx4_err(dev, "rule mirroring mailbox is null\n"); ++ mlx4_free_cmd_mailbox(dev, mailbox); + return -EINVAL; + } + memcpy(mailbox->buf, fs_rule->mirr_mbox, fs_rule->mirr_mbox_size); +-- +2.27.0 + diff --git a/queue-4.9/ocfs2-fix-a-use-after-free-on-error.patch b/queue-4.9/ocfs2-fix-a-use-after-free-on-error.patch new file mode 100644 index 00000000000..35521352807 --- /dev/null +++ b/queue-4.9/ocfs2-fix-a-use-after-free-on-error.patch @@ -0,0 +1,60 @@ +From eaa3128cfbc41f564b958d6063a3fde266e50ed3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Feb 2021 12:00:41 -0800 +Subject: ocfs2: fix a use after free on error + +From: Dan Carpenter + +[ Upstream commit c57d117f2b2f2a19b570c36f2819ef8d8210af20 ] + +The error handling in this function frees "reg" but it is still on the +"o2hb_all_regions" list so it will lead to a use after freew. Joseph Qi +points out that we need to clear the bit in the "o2hb_region_bitmap" as +well + +Link: https://lkml.kernel.org/r/YBk4M6HUG8jB/jc7@mwanda +Fixes: 1cf257f51191 ("ocfs2: fix memory leak") +Signed-off-by: Dan Carpenter +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ocfs2/cluster/heartbeat.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/fs/ocfs2/cluster/heartbeat.c b/fs/ocfs2/cluster/heartbeat.c +index 5e8709aa1e7ec..89c71d32dc05b 100644 +--- a/fs/ocfs2/cluster/heartbeat.c ++++ b/fs/ocfs2/cluster/heartbeat.c +@@ -2155,7 +2155,7 @@ static struct config_item *o2hb_heartbeat_group_make_item(struct config_group *g + o2hb_nego_timeout_handler, + reg, NULL, ®->hr_handler_list); + if (ret) +- goto free; ++ goto remove_item; + + ret = o2net_register_handler(O2HB_NEGO_APPROVE_MSG, reg->hr_key, + sizeof(struct o2hb_nego_msg), +@@ -2174,6 +2174,12 @@ static struct config_item *o2hb_heartbeat_group_make_item(struct config_group *g + + unregister_handler: + o2net_unregister_handler_list(®->hr_handler_list); ++remove_item: ++ spin_lock(&o2hb_live_lock); ++ list_del(®->hr_all_item); ++ if (o2hb_global_heartbeat_active()) ++ clear_bit(reg->hr_region_num, o2hb_region_bitmap); ++ spin_unlock(&o2hb_live_lock); + free: + kfree(reg); + return ERR_PTR(ret); +-- +2.27.0 + diff --git a/queue-4.9/of-fdt-make-sure-no-map-does-not-remove-already-rese.patch b/queue-4.9/of-fdt-make-sure-no-map-does-not-remove-already-rese.patch new file mode 100644 index 00000000000..89690065fa2 --- /dev/null +++ b/queue-4.9/of-fdt-make-sure-no-map-does-not-remove-already-rese.patch @@ -0,0 +1,80 @@ +From ba17626e3fdeb8518d0d13fe35687dc9b5543c97 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Jan 2021 11:45:44 +0000 +Subject: of/fdt: Make sure no-map does not remove already reserved regions + +From: Nicolas Boichat + +[ Upstream commit 8a5a75e5e9e55de1cef5d83ca3589cb4899193ef ] + +If the device tree is incorrectly configured, and attempts to +define a "no-map" reserved memory that overlaps with the kernel +data/code, the kernel would crash quickly after boot, with no +obvious clue about the nature of the issue. + +For example, this would happen if we have the kernel mapped at +these addresses (from /proc/iomem): +40000000-41ffffff : System RAM + 40080000-40dfffff : Kernel code + 40e00000-411fffff : reserved + 41200000-413e0fff : Kernel data + +And we declare a no-map shared-dma-pool region at a fixed address +within that range: +mem_reserved: mem_region { + compatible = "shared-dma-pool"; + reg = <0 0x40000000 0 0x01A00000>; + no-map; +}; + +To fix this, when removing memory regions at early boot (which is +what "no-map" regions do), we need to make sure that the memory +is not already reserved. If we do, __reserved_mem_reserve_reg +will throw an error: +[ 0.000000] OF: fdt: Reserved memory: failed to reserve memory + for node 'mem_region': base 0x0000000040000000, size 26 MiB +and the code that will try to use the region should also fail, +later on. + +We do not do anything for non-"no-map" regions, as memblock +explicitly allows reserved regions to overlap, and the commit +that this fixes removed the check for that precise reason. + +[ qperret: fixed conflicts caused by the usage of memblock_mark_nomap ] + +Fixes: 094cb98179f19b7 ("of/fdt: memblock_reserve /memreserve/ regions in the case of partial overlap") +Signed-off-by: Nicolas Boichat +Reviewed-by: Stephen Boyd +Signed-off-by: Quentin Perret +Link: https://lore.kernel.org/r/20210115114544.1830068-3-qperret@google.com +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +--- + drivers/of/fdt.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c +index f90b626269ab6..9054b8f218a78 100644 +--- a/drivers/of/fdt.c ++++ b/drivers/of/fdt.c +@@ -1158,8 +1158,16 @@ void __init __weak early_init_dt_add_memory_arch(u64 base, u64 size) + int __init __weak early_init_dt_reserve_memory_arch(phys_addr_t base, + phys_addr_t size, bool nomap) + { +- if (nomap) ++ if (nomap) { ++ /* ++ * If the memory is already reserved (by another region), we ++ * should not allow it to be marked nomap. ++ */ ++ if (memblock_is_region_reserved(base, size)) ++ return -EBUSY; ++ + return memblock_mark_nomap(base, size); ++ } + return memblock_reserve(base, size); + } + +-- +2.27.0 + diff --git a/queue-4.9/pci-align-checking-of-syscall-user-config-accessors.patch b/queue-4.9/pci-align-checking-of-syscall-user-config-accessors.patch new file mode 100644 index 00000000000..ffdd2c9d8e9 --- /dev/null +++ b/queue-4.9/pci-align-checking-of-syscall-user-config-accessors.patch @@ -0,0 +1,80 @@ +From b0eb490f640fd3ceb1aac8e8a5919c0e22f3ec0b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 24 Jan 2021 16:39:32 +0100 +Subject: PCI: Align checking of syscall user config accessors + +From: Heiner Kallweit + +[ Upstream commit ef9e4005cbaf022c6251263aa27836acccaef65d ] + +After 34e3207205ef ("PCI: handle positive error codes"), +pci_user_read_config_*() and pci_user_write_config_*() return 0 or negative +errno values, not PCIBIOS_* values like PCIBIOS_SUCCESSFUL or +PCIBIOS_BAD_REGISTER_NUMBER. + +Remove comparisons with PCIBIOS_SUCCESSFUL and check only for non-zero. It +happens that PCIBIOS_SUCCESSFUL is zero, so this is not a functional +change, but it aligns this code with the user accessors. + +[bhelgaas: commit log] +Fixes: 34e3207205ef ("PCI: handle positive error codes") +Link: https://lore.kernel.org/r/f1220314-e518-1e18-bf94-8e6f8c703758@gmail.com +Signed-off-by: Heiner Kallweit +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/syscall.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c +index b91c4da683657..7958250856d36 100644 +--- a/drivers/pci/syscall.c ++++ b/drivers/pci/syscall.c +@@ -21,7 +21,7 @@ SYSCALL_DEFINE5(pciconfig_read, unsigned long, bus, unsigned long, dfn, + u16 word; + u32 dword; + long err; +- long cfg_ret; ++ int cfg_ret; + + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; +@@ -47,7 +47,7 @@ SYSCALL_DEFINE5(pciconfig_read, unsigned long, bus, unsigned long, dfn, + } + + err = -EIO; +- if (cfg_ret != PCIBIOS_SUCCESSFUL) ++ if (cfg_ret) + goto error; + + switch (len) { +@@ -105,7 +105,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn, + if (err) + break; + err = pci_user_write_config_byte(dev, off, byte); +- if (err != PCIBIOS_SUCCESSFUL) ++ if (err) + err = -EIO; + break; + +@@ -114,7 +114,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn, + if (err) + break; + err = pci_user_write_config_word(dev, off, word); +- if (err != PCIBIOS_SUCCESSFUL) ++ if (err) + err = -EIO; + break; + +@@ -123,7 +123,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn, + if (err) + break; + err = pci_user_write_config_dword(dev, off, dword); +- if (err != PCIBIOS_SUCCESSFUL) ++ if (err) + err = -EIO; + break; + +-- +2.27.0 + diff --git a/queue-4.9/perf-intel-pt-fix-missing-cyc-processing-in-psb.patch b/queue-4.9/perf-intel-pt-fix-missing-cyc-processing-in-psb.patch new file mode 100644 index 00000000000..8d250231064 --- /dev/null +++ b/queue-4.9/perf-intel-pt-fix-missing-cyc-processing-in-psb.patch @@ -0,0 +1,41 @@ +From f456e0d87ee5e3d37a9c4749364683ada5aeaa3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Feb 2021 19:53:47 +0200 +Subject: perf intel-pt: Fix missing CYC processing in PSB + +From: Adrian Hunter + +[ Upstream commit 03fb0f859b45d1eb05c984ab4bd3bef67e45ede2 ] + +Add missing CYC packet processing when walking through PSB+. This +improves the accuracy of timestamps that follow PSB+, until the next +MTC. + +Fixes: 3d49807870f08 ("perf tools: Add new Intel PT packet definitions") +Signed-off-by: Adrian Hunter +Reviewed-by: Andi Kleen +Cc: Jiri Olsa +Link: https://lore.kernel.org/r/20210205175350.23817-2-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/intel-pt-decoder/intel-pt-decoder.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c +index 63fa3a95a1d69..7292f73118ed3 100644 +--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c ++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c +@@ -1508,6 +1508,9 @@ static int intel_pt_walk_psbend(struct intel_pt_decoder *decoder) + break; + + case INTEL_PT_CYC: ++ intel_pt_calc_cyc_timestamp(decoder); ++ break; ++ + case INTEL_PT_VMCS: + case INTEL_PT_MNT: + case INTEL_PT_PAD: +-- +2.27.0 + diff --git a/queue-4.9/perf-test-fix-unaligned-access-in-sample-parsing-tes.patch b/queue-4.9/perf-test-fix-unaligned-access-in-sample-parsing-tes.patch new file mode 100644 index 00000000000..44c11f73ffb --- /dev/null +++ b/queue-4.9/perf-test-fix-unaligned-access-in-sample-parsing-tes.patch @@ -0,0 +1,73 @@ +From e33b521cb5d168ecce7872ebd161c21acf8cc78c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Feb 2021 18:16:38 +0900 +Subject: perf test: Fix unaligned access in sample parsing test + +From: Namhyung Kim + +[ Upstream commit c5c97cadd7ed13381cb6b4bef5c841a66938d350 ] + +The ubsan reported the following error. It was because sample's raw +data missed u32 padding at the end. So it broke the alignment of the +array after it. + +The raw data contains an u32 size prefix so the data size should have +an u32 padding after 8-byte aligned data. + +27: Sample parsing :util/synthetic-events.c:1539:4: + runtime error: store to misaligned address 0x62100006b9bc for type + '__u64' (aka 'unsigned long long'), which requires 8 byte alignment +0x62100006b9bc: note: pointer points here + 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + ^ + #0 0x561532a9fc96 in perf_event__synthesize_sample util/synthetic-events.c:1539:13 + #1 0x5615327f4a4f in do_test tests/sample-parsing.c:284:8 + #2 0x5615327f3f50 in test__sample_parsing tests/sample-parsing.c:381:9 + #3 0x56153279d3a1 in run_test tests/builtin-test.c:424:9 + #4 0x56153279c836 in test_and_print tests/builtin-test.c:454:9 + #5 0x56153279b7eb in __cmd_test tests/builtin-test.c:675:4 + #6 0x56153279abf0 in cmd_test tests/builtin-test.c:821:9 + #7 0x56153264e796 in run_builtin perf.c:312:11 + #8 0x56153264cf03 in handle_internal_command perf.c:364:8 + #9 0x56153264e47d in run_argv perf.c:408:2 + #10 0x56153264c9a9 in main perf.c:538:3 + #11 0x7f137ab6fbbc in __libc_start_main (/lib64/libc.so.6+0x38bbc) + #12 0x561532596828 in _start ... + +SUMMARY: UndefinedBehaviorSanitizer: misaligned-pointer-use + util/synthetic-events.c:1539:4 in + +Fixes: 045f8cd8542d ("perf tests: Add a sample parsing test") +Signed-off-by: Namhyung Kim +Acked-by: Adrian Hunter +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Peter Zijlstra +Cc: Stephane Eranian +Link: https://lore.kernel.org/r/20210214091638.519643-1-namhyung@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/tests/sample-parsing.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/tests/sample-parsing.c b/tools/perf/tests/sample-parsing.c +index 5f23710b9fee6..60e5348f0a43f 100644 +--- a/tools/perf/tests/sample-parsing.c ++++ b/tools/perf/tests/sample-parsing.c +@@ -167,7 +167,7 @@ static int do_test(u64 sample_type, u64 sample_regs, u64 read_format) + .data = {1, 211, 212, 213}, + }; + u64 regs[64]; +- const u64 raw_data[] = {0x123456780a0b0c0dULL, 0x1102030405060708ULL}; ++ const u32 raw_data[] = {0x12345678, 0x0a0b0c0d, 0x11020304, 0x05060708, 0 }; + const u64 data[] = {0x2211443366558877ULL, 0, 0xaabbccddeeff4321ULL}; + struct perf_sample sample = { + .ip = 101, +-- +2.27.0 + diff --git a/queue-4.9/perf-tools-fix-dso-filtering-when-not-finding-a-map-.patch b/queue-4.9/perf-tools-fix-dso-filtering-when-not-finding-a-map-.patch new file mode 100644 index 00000000000..1fd8f92e0cd --- /dev/null +++ b/queue-4.9/perf-tools-fix-dso-filtering-when-not-finding-a-map-.patch @@ -0,0 +1,101 @@ +From b5d981c388423ba4d5362542bcffac52e8542986 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Jan 2021 09:52:47 -0300 +Subject: perf tools: Fix DSO filtering when not finding a map for a sampled + address + +From: Arnaldo Carvalho de Melo + +[ Upstream commit c69bf11ad3d30b6bf01cfa538ddff1a59467c734 ] + +When we lookup an address and don't find a map we should filter that +sample if the user specified a list of --dso entries to filter on, fix +it. + +Before: + + $ perf script + sleep 274800 2843.556162: 1 cycles:u: ffffffffbb26bff4 [unknown] ([unknown]) + sleep 274800 2843.556168: 1 cycles:u: ffffffffbb2b047d [unknown] ([unknown]) + sleep 274800 2843.556171: 1 cycles:u: ffffffffbb2706b2 [unknown] ([unknown]) + sleep 274800 2843.556174: 6 cycles:u: ffffffffbb2b0267 [unknown] ([unknown]) + sleep 274800 2843.556176: 59 cycles:u: ffffffffbb2b03b1 [unknown] ([unknown]) + sleep 274800 2843.556180: 691 cycles:u: ffffffffbb26bff4 [unknown] ([unknown]) + sleep 274800 2843.556189: 9160 cycles:u: 7fa9550eeaa3 __GI___tunables_init+0xf3 (/usr/lib64/ld-2.32.so) + sleep 274800 2843.556312: 86937 cycles:u: 7fa9550e157b _dl_lookup_symbol_x+0x4b (/usr/lib64/ld-2.32.so) + $ + +So we have some samples we somehow didn't find in a map for, if we now +do: + + $ perf report --stdio --dso /usr/lib64/ld-2.32.so + # dso: /usr/lib64/ld-2.32.so + # + # Total Lost Samples: 0 + # + # Samples: 8 of event 'cycles:u' + # Event count (approx.): 96856 + # + # Overhead Command Symbol + # ........ ....... ........................ + # + 89.76% sleep [.] _dl_lookup_symbol_x + 9.46% sleep [.] __GI___tunables_init + 0.71% sleep [k] 0xffffffffbb26bff4 + 0.06% sleep [k] 0xffffffffbb2b03b1 + 0.01% sleep [k] 0xffffffffbb2b0267 + 0.00% sleep [k] 0xffffffffbb2706b2 + 0.00% sleep [k] 0xffffffffbb2b047d + $ + +After this patch we get the right output with just entries for the DSOs +specified in --dso: + + $ perf report --stdio --dso /usr/lib64/ld-2.32.so + # dso: /usr/lib64/ld-2.32.so + # + # Total Lost Samples: 0 + # + # Samples: 8 of event 'cycles:u' + # Event count (approx.): 96856 + # + # Overhead Command Symbol + # ........ ....... ........................ + # + 89.76% sleep [.] _dl_lookup_symbol_x + 9.46% sleep [.] __GI___tunables_init + $ + # + +Fixes: 96415e4d3f5fdf9c ("perf symbols: Avoid unnecessary symbol loading when dso list is specified") +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Ingo Molnar +Cc: Jin Yao +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/20210128131209.GD775562@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/event.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/perf/util/event.c b/tools/perf/util/event.c +index 659c41004322d..5742adf4d5e89 100644 +--- a/tools/perf/util/event.c ++++ b/tools/perf/util/event.c +@@ -1370,6 +1370,8 @@ int machine__resolve(struct machine *machine, struct addr_location *al, + } + + al->sym = map__find_symbol(al->map, al->addr); ++ } else if (symbol_conf.dso_list) { ++ al->filtered |= (1 << HIST_FILTER__DSO); + } + + if (symbol_conf.sym_list && +-- +2.27.0 + diff --git a/queue-4.9/power-reset-at91-sama5d2_shdwc-fix-wkupdbc-mask.patch b/queue-4.9/power-reset-at91-sama5d2_shdwc-fix-wkupdbc-mask.patch new file mode 100644 index 00000000000..990216e872d --- /dev/null +++ b/queue-4.9/power-reset-at91-sama5d2_shdwc-fix-wkupdbc-mask.patch @@ -0,0 +1,36 @@ +From 9e265c2c3315deaad37e1afdd41f875b83bad5e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Dec 2020 14:57:31 +0200 +Subject: power: reset: at91-sama5d2_shdwc: fix wkupdbc mask + +From: Claudiu Beznea + +[ Upstream commit 95aa21a3f1183260db1b0395e03df5bebc5ed641 ] + +According to datasheet WKUPDBC mask is b/w bits 26..24. + +Fixes: f80cb48843987 ("power: reset: at91-shdwc: add new shutdown controller driver") +Signed-off-by: Claudiu Beznea +Reviewed-by: Alexandre Belloni +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/reset/at91-sama5d2_shdwc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/power/reset/at91-sama5d2_shdwc.c b/drivers/power/reset/at91-sama5d2_shdwc.c +index 04ca990e8f6cb..dcfc7025f384a 100644 +--- a/drivers/power/reset/at91-sama5d2_shdwc.c ++++ b/drivers/power/reset/at91-sama5d2_shdwc.c +@@ -36,7 +36,7 @@ + + #define AT91_SHDW_MR 0x04 /* Shut Down Mode Register */ + #define AT91_SHDW_WKUPDBC_SHIFT 24 +-#define AT91_SHDW_WKUPDBC_MASK GENMASK(31, 16) ++#define AT91_SHDW_WKUPDBC_MASK GENMASK(26, 24) + #define AT91_SHDW_WKUPDBC(x) (((x) << AT91_SHDW_WKUPDBC_SHIFT) \ + & AT91_SHDW_WKUPDBC_MASK) + +-- +2.27.0 + diff --git a/queue-4.9/powerpc-47x-disable-256k-page-size.patch b/queue-4.9/powerpc-47x-disable-256k-page-size.patch new file mode 100644 index 00000000000..e39cb225c85 --- /dev/null +++ b/queue-4.9/powerpc-47x-disable-256k-page-size.patch @@ -0,0 +1,41 @@ +From e11e202fb62b51a33e62cff5f72cb9f38dce78c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Jan 2021 07:49:13 +0000 +Subject: powerpc/47x: Disable 256k page size + +From: Christophe Leroy + +[ Upstream commit 910a0cb6d259736a0c86e795d4c2f42af8d0d775 ] + +PPC47x_TLBE_SIZE isn't defined for 256k pages, leading to a build +break if 256k pages is selected. + +So change the kconfig so that 256k pages can't be selected for 47x. + +Fixes: e7f75ad01d59 ("powerpc/47x: Base ppc476 support") +Reported-by: kernel test robot +Signed-off-by: Christophe Leroy +[mpe: Expand change log to mention build break] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/2fed79b1154c872194f98bac4422c23918325e61.1611128938.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig +index f529d3d9d88d7..6a06411f9bf14 100644 +--- a/arch/powerpc/Kconfig ++++ b/arch/powerpc/Kconfig +@@ -622,7 +622,7 @@ config PPC_64K_PAGES + + config PPC_256K_PAGES + bool "256k page size" +- depends on 44x && !STDBINUTILS ++ depends on 44x && !STDBINUTILS && !PPC_47x + help + Make the page size 256k. + +-- +2.27.0 + diff --git a/queue-4.9/powerpc-pseries-dlpar-handle-ibm-configure-connector.patch b/queue-4.9/powerpc-pseries-dlpar-handle-ibm-configure-connector.patch new file mode 100644 index 00000000000..089bdc273db --- /dev/null +++ b/queue-4.9/powerpc-pseries-dlpar-handle-ibm-configure-connector.patch @@ -0,0 +1,65 @@ +From b81602cc6f3e24026fa82ad39675282b87ac6e5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Jan 2021 20:59:00 -0600 +Subject: powerpc/pseries/dlpar: handle ibm, configure-connector delay status + +From: Nathan Lynch + +[ Upstream commit 768d70e19ba525debd571b36e6d0ab19956c63d7 ] + +dlpar_configure_connector() has two problems in its handling of +ibm,configure-connector's return status: + +1. When the status is -2 (busy, call again), we call + ibm,configure-connector again immediately without checking whether + to schedule, which can result in monopolizing the CPU. +2. Extended delay status (9900..9905) goes completely unhandled, + causing the configuration to unnecessarily terminate. + +Fix both of these issues by using rtas_busy_delay(). + +Fixes: ab519a011caa ("powerpc/pseries: Kernel DLPAR Infrastructure") +Signed-off-by: Nathan Lynch +Reviewed-by: Tyrel Datwyler +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210107025900.410369-1-nathanl@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/dlpar.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/dlpar.c b/arch/powerpc/platforms/pseries/dlpar.c +index 5abb8e2239a54..647dbd8514c4f 100644 +--- a/arch/powerpc/platforms/pseries/dlpar.c ++++ b/arch/powerpc/platforms/pseries/dlpar.c +@@ -139,7 +139,6 @@ void dlpar_free_cc_nodes(struct device_node *dn) + #define NEXT_PROPERTY 3 + #define PREV_PARENT 4 + #define MORE_MEMORY 5 +-#define CALL_AGAIN -2 + #define ERR_CFG_USE -9003 + + struct device_node *dlpar_configure_connector(__be32 drc_index, +@@ -181,6 +180,9 @@ struct device_node *dlpar_configure_connector(__be32 drc_index, + + spin_unlock(&rtas_data_buf_lock); + ++ if (rtas_busy_delay(rc)) ++ continue; ++ + switch (rc) { + case COMPLETE: + break; +@@ -233,9 +235,6 @@ struct device_node *dlpar_configure_connector(__be32 drc_index, + parent_path = last_dn->parent->full_name; + break; + +- case CALL_AGAIN: +- break; +- + case MORE_MEMORY: + case ERR_CFG_USE: + default: +-- +2.27.0 + diff --git a/queue-4.9/pwm-rockchip-rockchip_pwm_probe-remove-superfluous-c.patch b/queue-4.9/pwm-rockchip-rockchip_pwm_probe-remove-superfluous-c.patch new file mode 100644 index 00000000000..18521a491e7 --- /dev/null +++ b/queue-4.9/pwm-rockchip-rockchip_pwm_probe-remove-superfluous-c.patch @@ -0,0 +1,43 @@ +From 490181107a398ae01025d9b5ff8ffad5d6687bf3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Jan 2021 11:12:06 -0500 +Subject: pwm: rockchip: rockchip_pwm_probe(): Remove superfluous + clk_unprepare() + +From: Simon South + +[ Upstream commit d5d8d675865ccddfe4da26c85f22c55cec663bf2 ] + +If rockchip_pwm_probe() fails to register a PWM device it calls +clk_unprepare() for the device's PWM clock, without having first disabled +the clock and before jumping to an error handler that also unprepares +it. This is likely to produce warnings from the kernel about the clock +being unprepared when it is still enabled, and then being unprepared when +it has already been unprepared. + +Prevent these warnings by removing this unnecessary call to +clk_unprepare(). + +Fixes: 48cf973cae33 ("pwm: rockchip: Avoid glitches on already running PWMs") +Signed-off-by: Simon South +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-rockchip.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/pwm/pwm-rockchip.c b/drivers/pwm/pwm-rockchip.c +index 744d56197286a..1cc6717979537 100644 +--- a/drivers/pwm/pwm-rockchip.c ++++ b/drivers/pwm/pwm-rockchip.c +@@ -366,7 +366,6 @@ static int rockchip_pwm_probe(struct platform_device *pdev) + + ret = pwmchip_add(&pc->chip); + if (ret < 0) { +- clk_unprepare(pc->clk); + dev_err(&pdev->dev, "pwmchip_add() failed: %d\n", ret); + } + +-- +2.27.0 + diff --git a/queue-4.9/rdma-rxe-fix-coding-error-in-rxe_recv.c.patch b/queue-4.9/rdma-rxe-fix-coding-error-in-rxe_recv.c.patch new file mode 100644 index 00000000000..f9bf270e296 --- /dev/null +++ b/queue-4.9/rdma-rxe-fix-coding-error-in-rxe_recv.c.patch @@ -0,0 +1,67 @@ +From 89ba91c34cade6da981d688826213bb2cd423d27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Jan 2021 15:45:01 -0600 +Subject: RDMA/rxe: Fix coding error in rxe_recv.c + +From: Bob Pearson + +[ Upstream commit 7d9ae80e31df57dd3253e1ec514f0000aa588a81 ] + +check_type_state() in rxe_recv.c is written as if the type bits in the +packet opcode were a bit mask which is not correct. This patch corrects +this code to compare all 3 type bits to the required type. + +Fixes: 8700e3e7c485 ("Soft RoCE driver") +Link: https://lore.kernel.org/r/20210127214500.3707-1-rpearson@hpe.com +Signed-off-by: Bob Pearson +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_recv.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_recv.c b/drivers/infiniband/sw/rxe/rxe_recv.c +index db6bb026ae902..ece4fe838e755 100644 +--- a/drivers/infiniband/sw/rxe/rxe_recv.c ++++ b/drivers/infiniband/sw/rxe/rxe_recv.c +@@ -36,21 +36,26 @@ + #include "rxe.h" + #include "rxe_loc.h" + ++/* check that QP matches packet opcode type and is in a valid state */ + static int check_type_state(struct rxe_dev *rxe, struct rxe_pkt_info *pkt, + struct rxe_qp *qp) + { ++ unsigned int pkt_type; ++ + if (unlikely(!qp->valid)) + goto err1; + ++ pkt_type = pkt->opcode & 0xe0; ++ + switch (qp_type(qp)) { + case IB_QPT_RC: +- if (unlikely((pkt->opcode & IB_OPCODE_RC) != 0)) { ++ if (unlikely(pkt_type != IB_OPCODE_RC)) { + pr_warn_ratelimited("bad qp type\n"); + goto err1; + } + break; + case IB_QPT_UC: +- if (unlikely(!(pkt->opcode & IB_OPCODE_UC))) { ++ if (unlikely(pkt_type != IB_OPCODE_UC)) { + pr_warn_ratelimited("bad qp type\n"); + goto err1; + } +@@ -58,7 +63,7 @@ static int check_type_state(struct rxe_dev *rxe, struct rxe_pkt_info *pkt, + case IB_QPT_UD: + case IB_QPT_SMI: + case IB_QPT_GSI: +- if (unlikely(!(pkt->opcode & IB_OPCODE_UD))) { ++ if (unlikely(pkt_type != IB_OPCODE_UD)) { + pr_warn_ratelimited("bad qp type\n"); + goto err1; + } +-- +2.27.0 + diff --git a/queue-4.9/regulator-axp20x-fix-reference-cout-leak.patch b/queue-4.9/regulator-axp20x-fix-reference-cout-leak.patch new file mode 100644 index 00000000000..d1f1182ec84 --- /dev/null +++ b/queue-4.9/regulator-axp20x-fix-reference-cout-leak.patch @@ -0,0 +1,52 @@ +From 3c3d136eb58109278a8ee250472d1607f044b266 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Jan 2021 04:33:13 -0800 +Subject: regulator: axp20x: Fix reference cout leak + +From: Pan Bian + +[ Upstream commit e78bf6be7edaacb39778f3a89416caddfc6c6d70 ] + +Decrements the reference count of device node and its child node. + +Fixes: dfe7a1b058bb ("regulator: AXP20x: Add support for regulators subsystem") +Signed-off-by: Pan Bian +Link: https://lore.kernel.org/r/20210120123313.107640-1-bianpan2016@163.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/axp20x-regulator.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/regulator/axp20x-regulator.c b/drivers/regulator/axp20x-regulator.c +index a3ade9e4ef478..86776d45b68e1 100644 +--- a/drivers/regulator/axp20x-regulator.c ++++ b/drivers/regulator/axp20x-regulator.c +@@ -415,7 +415,7 @@ static int axp20x_set_dcdc_freq(struct platform_device *pdev, u32 dcdcfreq) + static int axp20x_regulator_parse_dt(struct platform_device *pdev) + { + struct device_node *np, *regulators; +- int ret; ++ int ret = 0; + u32 dcdcfreq = 0; + + np = of_node_get(pdev->dev.parent->of_node); +@@ -430,13 +430,12 @@ static int axp20x_regulator_parse_dt(struct platform_device *pdev) + ret = axp20x_set_dcdc_freq(pdev, dcdcfreq); + if (ret < 0) { + dev_err(&pdev->dev, "Error setting dcdc frequency: %d\n", ret); +- return ret; + } +- + of_node_put(regulators); + } + +- return 0; ++ of_node_put(np); ++ return ret; + } + + static int axp20x_set_dcdc_workmode(struct regulator_dev *rdev, int id, u32 workmode) +-- +2.27.0 + diff --git a/queue-4.9/scsi-bnx2fc-fix-kconfig-warning-cnic-build-errors.patch b/queue-4.9/scsi-bnx2fc-fix-kconfig-warning-cnic-build-errors.patch new file mode 100644 index 00000000000..47229fb20aa --- /dev/null +++ b/queue-4.9/scsi-bnx2fc-fix-kconfig-warning-cnic-build-errors.patch @@ -0,0 +1,57 @@ +From f5081ce5c29120bd0fb57d264fd76202b32d6db2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Feb 2021 11:24:28 -0800 +Subject: scsi: bnx2fc: Fix Kconfig warning & CNIC build errors + +From: Randy Dunlap + +[ Upstream commit eefb816acb0162e94a85a857f3a55148f671d5a5 ] + +CNIC depends on MMU, but since 'select' does not follow any dependency +chains, SCSI_BNX2X_FCOE also needs to depend on MMU, so that erroneous +configs are not generated, which cause build errors in cnic. + +WARNING: unmet direct dependencies detected for CNIC + Depends on [n]: NETDEVICES [=y] && ETHERNET [=y] && NET_VENDOR_BROADCOM [=y] && PCI [=y] && (IPV6 [=n] || IPV6 [=n]=n) && MMU [=n] + Selected by [y]: + - SCSI_BNX2X_FCOE [=y] && SCSI_LOWLEVEL [=y] && SCSI [=y] && PCI [=y] && (IPV6 [=n] || IPV6 [=n]=n) && LIBFC [=y] && LIBFCOE [=y] + +riscv64-linux-ld: drivers/net/ethernet/broadcom/cnic.o: in function `.L154': +cnic.c:(.text+0x1094): undefined reference to `uio_event_notify' +riscv64-linux-ld: cnic.c:(.text+0x10bc): undefined reference to `uio_event_notify' +riscv64-linux-ld: drivers/net/ethernet/broadcom/cnic.o: in function `.L1442': +cnic.c:(.text+0x96a8): undefined reference to `__uio_register_device' +riscv64-linux-ld: drivers/net/ethernet/broadcom/cnic.o: in function `.L0 ': +cnic.c:(.text.unlikely+0x68): undefined reference to `uio_unregister_device' + +Link: https://lore.kernel.org/r/20210213192428.22537-1-rdunlap@infradead.org +Fixes: 853e2bd2103a ("[SCSI] bnx2fc: Broadcom FCoE offload driver") +Cc: Saurav Kashyap +Cc: Javed Hasan +Cc: GR-QLogic-Storage-Upstream@marvell.com +Cc: "James E.J. Bottomley" +Cc: "Martin K. Petersen" +Cc: linux-scsi@vger.kernel.org +Reported-by: kernel test robot +Signed-off-by: Randy Dunlap +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/bnx2fc/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/bnx2fc/Kconfig b/drivers/scsi/bnx2fc/Kconfig +index d401a096dfc7e..2eb2476852b11 100644 +--- a/drivers/scsi/bnx2fc/Kconfig ++++ b/drivers/scsi/bnx2fc/Kconfig +@@ -4,6 +4,7 @@ config SCSI_BNX2X_FCOE + depends on (IPV6 || IPV6=n) + depends on LIBFC + depends on LIBFCOE ++ depends on MMU + select NETDEVICES + select ETHERNET + select NET_VENDOR_BROADCOM +-- +2.27.0 + diff --git a/queue-4.9/series b/queue-4.9/series index 54dcb1a0c50..a765e4744bb 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -10,3 +10,79 @@ kdb-make-memory-allocations-more-robust.patch mips-vmlinux.lds.s-add-missing-page_aligned_data-section.patch random-fix-the-rndreseedcrng-ioctl.patch mm-thp-make-do_huge_pmd_wp_page-lock-page-for-testin.patch +bluetooth-fix-initializing-response-id-after-clearin.patch +arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch +arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch-11258 +arm64-dts-exynos-correct-pmic-interrupt-trigger-leve.patch +bluetooth-drop-hci-device-reference-before-return.patch +bluetooth-put-hci-device-if-inquiry-procedure-interr.patch +arm-dts-configure-missing-thermal-interrupt-for-4430.patch +usb-dwc2-do-not-update-data-length-if-it-is-0-on-inb.patch +usb-dwc2-abort-transaction-after-errors-with-unknown.patch +usb-dwc2-make-trimming-xfer-length-a-debug-message.patch +arm64-dts-msm8916-fix-reserved-and-rfsa-nodes-unit-a.patch +arm-s3c-fix-fiq-for-clang-ias.patch +bnxt_en-reverse-order-of-tx-disable-and-carrier-off.patch +xen-netback-fix-spurious-event-detection-for-common-.patch +mac80211-fix-potential-overflow-when-multiplying-to-.patch +b43-n-phy-fix-the-update-of-coef-for-the-phy-revisio.patch +fbdev-aty-sparc64-requires-fb_aty_ct.patch +drm-gma500-fix-error-return-code-in-psb_driver_load.patch +gma500-clean-up-error-handling-in-init.patch +mips-c-r4k-fix-section-mismatch-for-loongson2_sc_ini.patch +mips-lantiq-explicitly-compare-ltq_ebu_pcc_istat-aga.patch +media-vsp1-fix-an-error-handling-path-in-the-probe-f.patch +media-media-pci-fix-memleak-in-empress_init.patch +media-tm6000-fix-memleak-in-tm6000_start_stream.patch +asoc-cs42l56-fix-up-error-handling-in-probe.patch +media-lmedm04-fix-misuse-of-comma.patch +media-qm1d1c0042-fix-error-return-code-in-qm1d1c0042.patch +media-cx25821-fix-a-bug-when-reallocating-some-dma-m.patch +media-pxa_camera-declare-variable-when-debug-is-defi.patch +media-uvcvideo-accept-invalid-bformatindex-and-bfram.patch +ata-ahci_brcm-add-back-regulators-management.patch +btrfs-clarify-error-returns-values-in-__load_free_sp.patch +crypto-ecdh_helper-ensure-len-secret.len-in-decode_k.patch +fs-jfs-fix-potential-integer-overflow-on-shift-of-a-.patch +jffs2-fix-use-after-free-in-jffs2_sum_write_data.patch +clk-meson-clk-pll-fix-initializing-the-old-rate-fall.patch +spi-cadence-quadspi-abort-read-if-dummy-cycles-requi.patch +hid-core-detect-and-skip-invalid-inputs-to-snto32.patch +dmaengine-fsldma-fix-a-resource-leak-in-the-remove-f.patch +dmaengine-fsldma-fix-a-resource-leak-in-an-error-han.patch +fdt-properly-handle-no-map-field-in-the-memory-regio.patch +of-fdt-make-sure-no-map-does-not-remove-already-rese.patch +power-reset-at91-sama5d2_shdwc-fix-wkupdbc-mask.patch +clocksource-drivers-mxs_timer-add-missing-semicolon-.patch +regulator-axp20x-fix-reference-cout-leak.patch +isofs-release-buffer-head-before-return.patch +ib-umad-return-eio-in-case-of-when-device-disassocia.patch +powerpc-47x-disable-256k-page-size.patch +mmc-usdhi6rol0-fix-a-resource-leak-in-the-error-hand.patch +arm-9046-1-decompressor-do-not-clear-sctlr.ntlsmd-fo.patch +amba-fix-resource-leak-for-drivers-without-.remove.patch +tracepoint-do-not-fail-unregistering-a-probe-due-to-.patch +perf-tools-fix-dso-filtering-when-not-finding-a-map-.patch +rdma-rxe-fix-coding-error-in-rxe_recv.c.patch +mfd-wm831x-auxadc-prevent-use-after-free-in-wm831x_a.patch +powerpc-pseries-dlpar-handle-ibm-configure-connector.patch +spi-pxa2xx-fix-the-controller-numbering-for-wildcat-.patch +perf-intel-pt-fix-missing-cyc-processing-in-psb.patch +perf-test-fix-unaligned-access-in-sample-parsing-tes.patch +input-elo-fix-an-error-code-in-elo_connect.patch +sparc64-only-select-compat_binfmt_elf-if-binfmt_elf-.patch +misc-eeprom_93xx46-fix-module-alias-to-enable-module.patch +misc-eeprom_93xx46-add-module-alias-to-avoid-breakin.patch +pwm-rockchip-rockchip_pwm_probe-remove-superfluous-c.patch +vmci-use-set_page_dirty_lock-when-unregistering-gues.patch +pci-align-checking-of-syscall-user-config-accessors.patch +drm-msm-dsi-correct-io_start-for-msm8994-20nm-phy.patch +i40e-fix-flow-for-ipv6-next-header-extension-header.patch +take-mmap-lock-in-cacheflush-syscall.patch +net-mlx4_core-add-missed-mlx4_free_cmd_mailbox.patch +ocfs2-fix-a-use-after-free-on-error.patch +mm-memory.c-fix-potential-pte_unmap_unlock-pte-error.patch +mm-hugetlb-fix-potential-double-free-in-hugetlb_regi.patch +arm64-add-missing-isb-after-invalidating-tlb-in-__pr.patch +i2c-brcmstb-fix-brcmstd_send_i2c_cmd-condition.patch +scsi-bnx2fc-fix-kconfig-warning-cnic-build-errors.patch diff --git a/queue-4.9/sparc64-only-select-compat_binfmt_elf-if-binfmt_elf-.patch b/queue-4.9/sparc64-only-select-compat_binfmt_elf-if-binfmt_elf-.patch new file mode 100644 index 00000000000..8b121a5570b --- /dev/null +++ b/queue-4.9/sparc64-only-select-compat_binfmt_elf-if-binfmt_elf-.patch @@ -0,0 +1,47 @@ +From d21d1b822a9d1d5ee72ef67387897b8d6c6eaaef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Nov 2020 16:40:11 -0800 +Subject: sparc64: only select COMPAT_BINFMT_ELF if BINFMT_ELF is set + +From: Randy Dunlap + +[ Upstream commit 80bddf5c93a99e11fc9faf7e4b575d01cecd45d3 ] + +Currently COMPAT on SPARC64 selects COMPAT_BINFMT_ELF unconditionally, +even when BINFMT_ELF is not enabled. This causes a kconfig warning. + +Instead, just select COMPAT_BINFMT_ELF if BINFMT_ELF is enabled. +This builds cleanly with no kconfig warnings. + +WARNING: unmet direct dependencies detected for COMPAT_BINFMT_ELF + Depends on [n]: COMPAT [=y] && BINFMT_ELF [=n] + Selected by [y]: + - COMPAT [=y] && SPARC64 [=y] + +Fixes: 26b4c912185a ("sparc,sparc64: unify Kconfig files") +Signed-off-by: Randy Dunlap +Cc: "David S. Miller" +Cc: sparclinux@vger.kernel.org +Cc: Sam Ravnborg +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + arch/sparc/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/sparc/Kconfig b/arch/sparc/Kconfig +index cef42d4be2922..f6d9c44b32dfc 100644 +--- a/arch/sparc/Kconfig ++++ b/arch/sparc/Kconfig +@@ -562,7 +562,7 @@ config COMPAT + bool + depends on SPARC64 + default y +- select COMPAT_BINFMT_ELF ++ select COMPAT_BINFMT_ELF if BINFMT_ELF + select HAVE_UID16 + select ARCH_WANT_OLD_COMPAT_IPC + select COMPAT_OLD_SIGACTION +-- +2.27.0 + diff --git a/queue-4.9/spi-cadence-quadspi-abort-read-if-dummy-cycles-requi.patch b/queue-4.9/spi-cadence-quadspi-abort-read-if-dummy-cycles-requi.patch new file mode 100644 index 00000000000..918b5b2ec84 --- /dev/null +++ b/queue-4.9/spi-cadence-quadspi-abort-read-if-dummy-cycles-requi.patch @@ -0,0 +1,41 @@ +From 58ee38b6701e17c7b7f8e87613087c8a5cd0156d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Dec 2020 00:14:20 +0530 +Subject: spi: cadence-quadspi: Abort read if dummy cycles required are too + many + +From: Pratyush Yadav + +[ Upstream commit ceeda328edeeeeac7579e9dbf0610785a3b83d39 ] + +The controller can only support up to 31 dummy cycles. If the command +requires more it falls back to using 31. This command is likely to fail +because the correct number of cycles are not waited upon. Rather than +silently issuing an incorrect command, fail loudly so the caller can get +a chance to find out the command can't be supported by the controller. + +Fixes: 140623410536 ("mtd: spi-nor: Add driver for Cadence Quad SPI Flash Controller") +Signed-off-by: Pratyush Yadav +Link: https://lore.kernel.org/r/20201222184425.7028-3-p.yadav@ti.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/mtd/spi-nor/cadence-quadspi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mtd/spi-nor/cadence-quadspi.c b/drivers/mtd/spi-nor/cadence-quadspi.c +index d489fbd07c12b..92de2b408734a 100644 +--- a/drivers/mtd/spi-nor/cadence-quadspi.c ++++ b/drivers/mtd/spi-nor/cadence-quadspi.c +@@ -461,7 +461,7 @@ static int cqspi_indirect_read_setup(struct spi_nor *nor, + /* Setup dummy clock cycles */ + dummy_clk = nor->read_dummy; + if (dummy_clk > CQSPI_DUMMY_CLKS_MAX) +- dummy_clk = CQSPI_DUMMY_CLKS_MAX; ++ return -EOPNOTSUPP; + + if (dummy_clk / 8) { + reg |= (1 << CQSPI_REG_RD_INSTR_MODE_EN_LSB); +-- +2.27.0 + diff --git a/queue-4.9/spi-pxa2xx-fix-the-controller-numbering-for-wildcat-.patch b/queue-4.9/spi-pxa2xx-fix-the-controller-numbering-for-wildcat-.patch new file mode 100644 index 00000000000..96f1452f847 --- /dev/null +++ b/queue-4.9/spi-pxa2xx-fix-the-controller-numbering-for-wildcat-.patch @@ -0,0 +1,87 @@ +From 2b8daf383bf6ed6ca0be22c250a085581996cc95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Feb 2021 18:38:15 +0200 +Subject: spi: pxa2xx: Fix the controller numbering for Wildcat Point + +From: Andy Shevchenko + +[ Upstream commit 54c5d3bfb0cfb7b31259765524567871dee11615 ] + +Wildcat Point has two SPI controllers and added one is actually second one. +Fix the numbering by adding the description of the first one. + +Fixes: caba248db286 ("spi: spi-pxa2xx-pci: Add ID and driver type for WildcatPoint PCH") +Cc: Leif Liddy +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20210208163816.22147-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-pxa2xx-pci.c | 27 +++++++++++++++++++-------- + 1 file changed, 19 insertions(+), 8 deletions(-) + +diff --git a/drivers/spi/spi-pxa2xx-pci.c b/drivers/spi/spi-pxa2xx-pci.c +index 58d2d48e16a53..c37e35aeafa44 100644 +--- a/drivers/spi/spi-pxa2xx-pci.c ++++ b/drivers/spi/spi-pxa2xx-pci.c +@@ -21,7 +21,8 @@ enum { + PORT_BSW1, + PORT_BSW2, + PORT_CE4100, +- PORT_LPT, ++ PORT_LPT0, ++ PORT_LPT1, + }; + + struct pxa_spi_info { +@@ -48,8 +49,10 @@ static struct dw_dma_slave bsw1_rx_param = { .src_id = 7 }; + static struct dw_dma_slave bsw2_tx_param = { .dst_id = 8 }; + static struct dw_dma_slave bsw2_rx_param = { .src_id = 9 }; + +-static struct dw_dma_slave lpt_tx_param = { .dst_id = 0 }; +-static struct dw_dma_slave lpt_rx_param = { .src_id = 1 }; ++static struct dw_dma_slave lpt1_tx_param = { .dst_id = 0 }; ++static struct dw_dma_slave lpt1_rx_param = { .src_id = 1 }; ++static struct dw_dma_slave lpt0_tx_param = { .dst_id = 2 }; ++static struct dw_dma_slave lpt0_rx_param = { .src_id = 3 }; + + static bool lpss_dma_filter(struct dma_chan *chan, void *param) + { +@@ -158,12 +161,19 @@ static struct pxa_spi_info spi_info_configs[] = { + .num_chipselect = 1, + .max_clk_rate = 50000000, + }, +- [PORT_LPT] = { ++ [PORT_LPT0] = { + .type = LPSS_LPT_SSP, + .port_id = 0, + .setup = lpss_spi_setup, +- .tx_param = &lpt_tx_param, +- .rx_param = &lpt_rx_param, ++ .tx_param = &lpt0_tx_param, ++ .rx_param = &lpt0_rx_param, ++ }, ++ [PORT_LPT1] = { ++ .type = LPSS_LPT_SSP, ++ .port_id = 1, ++ .setup = lpss_spi_setup, ++ .tx_param = &lpt1_tx_param, ++ .rx_param = &lpt1_rx_param, + }, + }; + +@@ -251,8 +261,9 @@ static const struct pci_device_id pxa2xx_spi_pci_devices[] = { + { PCI_VDEVICE(INTEL, 0x2290), PORT_BSW1 }, + { PCI_VDEVICE(INTEL, 0x22ac), PORT_BSW2 }, + { PCI_VDEVICE(INTEL, 0x2e6a), PORT_CE4100 }, +- { PCI_VDEVICE(INTEL, 0x9ce6), PORT_LPT }, +- { }, ++ { PCI_VDEVICE(INTEL, 0x9ce5), PORT_LPT0 }, ++ { PCI_VDEVICE(INTEL, 0x9ce6), PORT_LPT1 }, ++ { } + }; + MODULE_DEVICE_TABLE(pci, pxa2xx_spi_pci_devices); + +-- +2.27.0 + diff --git a/queue-4.9/take-mmap-lock-in-cacheflush-syscall.patch b/queue-4.9/take-mmap-lock-in-cacheflush-syscall.patch new file mode 100644 index 00000000000..4ec2ae0ae94 --- /dev/null +++ b/queue-4.9/take-mmap-lock-in-cacheflush-syscall.patch @@ -0,0 +1,61 @@ +From 9588a1bbc0fcc95b5fd6cddeb7e27c70fca6b662 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Feb 2021 14:59:35 +0800 +Subject: Take mmap lock in cacheflush syscall + +From: Jann Horn + +[ Upstream commit c26958cb5a0d9053d1358258827638773f3d36ed ] + +We need to take the mmap lock around find_vma() and subsequent use of the +VMA. Otherwise, we can race with concurrent operations like munmap(), which +can lead to use-after-free accesses to freed VMAs. + +Fixes: 1000197d8013 ("nios2: System calls handling") +Signed-off-by: Jann Horn +Signed-off-by: Ley Foon Tan +Signed-off-by: Sasha Levin +--- + arch/nios2/kernel/sys_nios2.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/arch/nios2/kernel/sys_nios2.c b/arch/nios2/kernel/sys_nios2.c +index cd390ec4f88bf..b1ca856999521 100644 +--- a/arch/nios2/kernel/sys_nios2.c ++++ b/arch/nios2/kernel/sys_nios2.c +@@ -22,6 +22,7 @@ asmlinkage int sys_cacheflush(unsigned long addr, unsigned long len, + unsigned int op) + { + struct vm_area_struct *vma; ++ struct mm_struct *mm = current->mm; + + if (len == 0) + return 0; +@@ -34,16 +35,22 @@ asmlinkage int sys_cacheflush(unsigned long addr, unsigned long len, + if (addr + len < addr) + return -EFAULT; + ++ if (mmap_read_lock_killable(mm)) ++ return -EINTR; ++ + /* + * Verify that the specified address region actually belongs + * to this process. + */ +- vma = find_vma(current->mm, addr); +- if (vma == NULL || addr < vma->vm_start || addr + len > vma->vm_end) ++ vma = find_vma(mm, addr); ++ if (vma == NULL || addr < vma->vm_start || addr + len > vma->vm_end) { ++ mmap_read_unlock(mm); + return -EFAULT; ++ } + + flush_cache_range(vma, addr, addr + len); + ++ mmap_read_unlock(mm); + return 0; + } + +-- +2.27.0 + diff --git a/queue-4.9/tracepoint-do-not-fail-unregistering-a-probe-due-to-.patch b/queue-4.9/tracepoint-do-not-fail-unregistering-a-probe-due-to-.patch new file mode 100644 index 00000000000..822853a779d --- /dev/null +++ b/queue-4.9/tracepoint-do-not-fail-unregistering-a-probe-due-to-.patch @@ -0,0 +1,205 @@ +From 89b675502dc8ffe6c410c56dff3d5090c97fb62a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Nov 2020 09:34:05 -0500 +Subject: tracepoint: Do not fail unregistering a probe due to memory failure + +From: Steven Rostedt (VMware) + +[ Upstream commit befe6d946551d65cddbd32b9cb0170b0249fd5ed ] + +The list of tracepoint callbacks is managed by an array that is protected +by RCU. To update this array, a new array is allocated, the updates are +copied over to the new array, and then the list of functions for the +tracepoint is switched over to the new array. After a completion of an RCU +grace period, the old array is freed. + +This process happens for both adding a callback as well as removing one. +But on removing a callback, if the new array fails to be allocated, the +callback is not removed, and may be used after it is freed by the clients +of the tracepoint. + +There's really no reason to fail if the allocation for a new array fails +when removing a function. Instead, the function can simply be replaced by a +stub function that could be cleaned up on the next modification of the +array. That is, instead of calling the function registered to the +tracepoint, it would call a stub function in its place. + +Link: https://lore.kernel.org/r/20201115055256.65625-1-mmullins@mmlx.us +Link: https://lore.kernel.org/r/20201116175107.02db396d@gandalf.local.home +Link: https://lore.kernel.org/r/20201117211836.54acaef2@oasis.local.home +Link: https://lkml.kernel.org/r/20201118093405.7a6d2290@gandalf.local.home + +[ Note, this version does use undefined compiler behavior (assuming that + a stub function with no parameters or return, can be called by a location + that thinks it has parameters but still no return value. Static calls + do the same thing, so this trick is not without precedent. + + There's another solution that uses RCU tricks and is more complex, but + can be an alternative if this solution becomes an issue. + + Link: https://lore.kernel.org/lkml/20210127170721.58bce7cc@gandalf.local.home/ +] + +Cc: Peter Zijlstra +Cc: Josh Poimboeuf +Cc: Mathieu Desnoyers +Cc: Ingo Molnar +Cc: Alexei Starovoitov +Cc: Daniel Borkmann +Cc: Dmitry Vyukov +Cc: Martin KaFai Lau +Cc: Song Liu +Cc: Yonghong Song +Cc: Andrii Nakryiko +Cc: John Fastabend +Cc: KP Singh +Cc: netdev +Cc: bpf +Cc: Kees Cook +Cc: Florian Weimer +Fixes: 97e1c18e8d17b ("tracing: Kernel Tracepoints") +Reported-by: syzbot+83aa762ef23b6f0d1991@syzkaller.appspotmail.com +Reported-by: syzbot+d29e58bb557324e55e5e@syzkaller.appspotmail.com +Reported-by: Matt Mullins +Signed-off-by: Steven Rostedt (VMware) +Tested-by: Matt Mullins +Signed-off-by: Sasha Levin +--- + kernel/tracepoint.c | 80 ++++++++++++++++++++++++++++++++++++--------- + 1 file changed, 64 insertions(+), 16 deletions(-) + +diff --git a/kernel/tracepoint.c b/kernel/tracepoint.c +index c8e7cc0e6ff6e..88ae873ee6cf3 100644 +--- a/kernel/tracepoint.c ++++ b/kernel/tracepoint.c +@@ -59,6 +59,12 @@ struct tp_probes { + struct tracepoint_func probes[0]; + }; + ++/* Called in removal of a func but failed to allocate a new tp_funcs */ ++static void tp_stub_func(void) ++{ ++ return; ++} ++ + static inline void *allocate_probes(int count) + { + struct tp_probes *p = kmalloc(count * sizeof(struct tracepoint_func) +@@ -97,6 +103,7 @@ func_add(struct tracepoint_func **funcs, struct tracepoint_func *tp_func, + { + struct tracepoint_func *old, *new; + int nr_probes = 0; ++ int stub_funcs = 0; + int pos = -1; + + if (WARN_ON(!tp_func->func)) +@@ -113,14 +120,34 @@ func_add(struct tracepoint_func **funcs, struct tracepoint_func *tp_func, + if (old[nr_probes].func == tp_func->func && + old[nr_probes].data == tp_func->data) + return ERR_PTR(-EEXIST); ++ if (old[nr_probes].func == tp_stub_func) ++ stub_funcs++; + } + } +- /* + 2 : one for new probe, one for NULL func */ +- new = allocate_probes(nr_probes + 2); ++ /* + 2 : one for new probe, one for NULL func - stub functions */ ++ new = allocate_probes(nr_probes + 2 - stub_funcs); + if (new == NULL) + return ERR_PTR(-ENOMEM); + if (old) { +- if (pos < 0) { ++ if (stub_funcs) { ++ /* Need to copy one at a time to remove stubs */ ++ int probes = 0; ++ ++ pos = -1; ++ for (nr_probes = 0; old[nr_probes].func; nr_probes++) { ++ if (old[nr_probes].func == tp_stub_func) ++ continue; ++ if (pos < 0 && old[nr_probes].prio < prio) ++ pos = probes++; ++ new[probes++] = old[nr_probes]; ++ } ++ nr_probes = probes; ++ if (pos < 0) ++ pos = probes; ++ else ++ nr_probes--; /* Account for insertion */ ++ ++ } else if (pos < 0) { + pos = nr_probes; + memcpy(new, old, nr_probes * sizeof(struct tracepoint_func)); + } else { +@@ -154,8 +181,9 @@ static void *func_remove(struct tracepoint_func **funcs, + /* (N -> M), (N > 1, M >= 0) probes */ + if (tp_func->func) { + for (nr_probes = 0; old[nr_probes].func; nr_probes++) { +- if (old[nr_probes].func == tp_func->func && +- old[nr_probes].data == tp_func->data) ++ if ((old[nr_probes].func == tp_func->func && ++ old[nr_probes].data == tp_func->data) || ++ old[nr_probes].func == tp_stub_func) + nr_del++; + } + } +@@ -174,14 +202,32 @@ static void *func_remove(struct tracepoint_func **funcs, + /* N -> M, (N > 1, M > 0) */ + /* + 1 for NULL */ + new = allocate_probes(nr_probes - nr_del + 1); +- if (new == NULL) +- return ERR_PTR(-ENOMEM); +- for (i = 0; old[i].func; i++) +- if (old[i].func != tp_func->func +- || old[i].data != tp_func->data) +- new[j++] = old[i]; +- new[nr_probes - nr_del].func = NULL; +- *funcs = new; ++ if (new) { ++ for (i = 0; old[i].func; i++) ++ if ((old[i].func != tp_func->func ++ || old[i].data != tp_func->data) ++ && old[i].func != tp_stub_func) ++ new[j++] = old[i]; ++ new[nr_probes - nr_del].func = NULL; ++ *funcs = new; ++ } else { ++ /* ++ * Failed to allocate, replace the old function ++ * with calls to tp_stub_func. ++ */ ++ for (i = 0; old[i].func; i++) ++ if (old[i].func == tp_func->func && ++ old[i].data == tp_func->data) { ++ old[i].func = tp_stub_func; ++ /* Set the prio to the next event. */ ++ if (old[i + 1].func) ++ old[i].prio = ++ old[i + 1].prio; ++ else ++ old[i].prio = -1; ++ } ++ *funcs = old; ++ } + } + debug_print_probes(*funcs); + return old; +@@ -234,10 +280,12 @@ static int tracepoint_remove_func(struct tracepoint *tp, + tp_funcs = rcu_dereference_protected(tp->funcs, + lockdep_is_held(&tracepoints_mutex)); + old = func_remove(&tp_funcs, func); +- if (IS_ERR(old)) { +- WARN_ON_ONCE(PTR_ERR(old) != -ENOMEM); ++ if (WARN_ON_ONCE(IS_ERR(old))) + return PTR_ERR(old); +- } ++ ++ if (tp_funcs == old) ++ /* Failed allocating new tp_funcs, replaced func with stub */ ++ return 0; + + if (!tp_funcs) { + /* Removed last function */ +-- +2.27.0 + diff --git a/queue-4.9/usb-dwc2-abort-transaction-after-errors-with-unknown.patch b/queue-4.9/usb-dwc2-abort-transaction-after-errors-with-unknown.patch new file mode 100644 index 00000000000..bbfc7e2b4ee --- /dev/null +++ b/queue-4.9/usb-dwc2-abort-transaction-after-errors-with-unknown.patch @@ -0,0 +1,84 @@ +From b1448869bfd68ccdce31983812b8275fcabe4b5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Jan 2021 12:20:50 +0100 +Subject: usb: dwc2: Abort transaction after errors with unknown reason + +From: Guenter Roeck + +[ Upstream commit f74b68c61cbc4b2245022fcce038509333d63f6f ] + +In some situations, the following error messages are reported. + +dwc2 ff540000.usb: dwc2_hc_chhltd_intr_dma: Channel 1 - ChHltd set, but reason is unknown +dwc2 ff540000.usb: hcint 0x00000002, intsts 0x04000021 + +This is sometimes followed by: + +dwc2 ff540000.usb: dwc2_update_urb_state_abn(): trimming xfer length + +and then: + +WARNING: CPU: 0 PID: 0 at kernel/v4.19/drivers/usb/dwc2/hcd.c:2913 + dwc2_assign_and_init_hc+0x98c/0x990 + +The warning suggests that an odd buffer address is to be used for DMA. + +After an error is observed, the receive buffer may be full +(urb->actual_length >= urb->length). However, the urb is still left in +the queue unless three errors were observed in a row. When it is queued +again, the dwc2 hcd code translates this into a 1-block transfer. +If urb->actual_length (ie the total expected receive length) is not +DMA-aligned, the buffer pointer programmed into the chip will be +unaligned. This results in the observed warning. + +To solve the problem, abort input transactions after an error with +unknown cause if the entire packet was already received. This may be +a bit drastic, but we don't really know why the transfer was aborted +even though the entire packet was received. Aborting the transfer in +this situation is less risky than accepting a potentially corrupted +packet. + +With this patch in place, the 'ChHltd set' and 'trimming xfer length' +messages are still observed, but there are no more transfer attempts +with odd buffer addresses. + +Fixes: 151d0cbdbe860 ("usb: dwc2: make the scheduler handle excessive NAKs better") +Cc: Boris ARZUR +Cc: Douglas Anderson +Tested-by: Nicolas Saenz Julienne +Reviewed-by: Douglas Anderson +Signed-off-by: Guenter Roeck +Signed-off-by: Nicolas Saenz Julienne +Link: https://lore.kernel.org/r/20210113112052.17063-3-nsaenzjulienne@suse.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc2/hcd_intr.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/usb/dwc2/hcd_intr.c b/drivers/usb/dwc2/hcd_intr.c +index 8066fa9ac97ba..c80bfd353758b 100644 +--- a/drivers/usb/dwc2/hcd_intr.c ++++ b/drivers/usb/dwc2/hcd_intr.c +@@ -1921,6 +1921,18 @@ error: + qtd->error_count++; + dwc2_update_urb_state_abn(hsotg, chan, chnum, qtd->urb, + qtd, DWC2_HC_XFER_XACT_ERR); ++ /* ++ * We can get here after a completed transaction ++ * (urb->actual_length >= urb->length) which was not reported ++ * as completed. If that is the case, and we do not abort ++ * the transfer, a transfer of size 0 will be enqueued ++ * subsequently. If urb->actual_length is not DMA-aligned, ++ * the buffer will then point to an unaligned address, and ++ * the resulting behavior is undefined. Bail out in that ++ * situation. ++ */ ++ if (qtd->urb->actual_length >= qtd->urb->length) ++ qtd->error_count = 3; + dwc2_hcd_save_data_toggle(hsotg, chan, chnum, qtd); + dwc2_halt_channel(hsotg, chan, qtd, DWC2_HC_XFER_XACT_ERR); + } +-- +2.27.0 + diff --git a/queue-4.9/usb-dwc2-do-not-update-data-length-if-it-is-0-on-inb.patch b/queue-4.9/usb-dwc2-do-not-update-data-length-if-it-is-0-on-inb.patch new file mode 100644 index 00000000000..2010ea473c6 --- /dev/null +++ b/queue-4.9/usb-dwc2-do-not-update-data-length-if-it-is-0-on-inb.patch @@ -0,0 +1,63 @@ +From 500b907919859dc2289b7c85aed82071d6f5dc8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Jan 2021 12:20:49 +0100 +Subject: usb: dwc2: Do not update data length if it is 0 on inbound transfers + +From: Guenter Roeck + +[ Upstream commit 415fa1c7305dedbb345e2cc8ac91769bc1c83f1a ] + +The DWC2 documentation states that transfers with zero data length should +set the number of packets to 1 and the transfer length to 0. This is not +currently the case for inbound transfers: the transfer length is set to +the maximum packet length. This can have adverse effects if the chip +actually does transfer data as it is programmed to do. Follow chip +documentation and keep the transfer length set to 0 in that situation. + +Fixes: 56f5b1cff22a1 ("staging: Core files for the DWC2 driver") +Tested-by: Nicolas Saenz Julienne +Reviewed-by: Douglas Anderson +Signed-off-by: Guenter Roeck +Signed-off-by: Nicolas Saenz Julienne +Link: https://lore.kernel.org/r/20210113112052.17063-2-nsaenzjulienne@suse.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc2/hcd.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/drivers/usb/dwc2/hcd.c b/drivers/usb/dwc2/hcd.c +index 120c8f716acf8..f2c7cd22b73f2 100644 +--- a/drivers/usb/dwc2/hcd.c ++++ b/drivers/usb/dwc2/hcd.c +@@ -1425,19 +1425,20 @@ static void dwc2_hc_start_transfer(struct dwc2_hsotg *hsotg, + if (num_packets > max_hc_pkt_count) { + num_packets = max_hc_pkt_count; + chan->xfer_len = num_packets * chan->max_packet; ++ } else if (chan->ep_is_in) { ++ /* ++ * Always program an integral # of max packets ++ * for IN transfers. ++ * Note: This assumes that the input buffer is ++ * aligned and sized accordingly. ++ */ ++ chan->xfer_len = num_packets * chan->max_packet; + } + } else { + /* Need 1 packet for transfer length of 0 */ + num_packets = 1; + } + +- if (chan->ep_is_in) +- /* +- * Always program an integral # of max packets for IN +- * transfers +- */ +- chan->xfer_len = num_packets * chan->max_packet; +- + if (chan->ep_type == USB_ENDPOINT_XFER_INT || + chan->ep_type == USB_ENDPOINT_XFER_ISOC) + /* +-- +2.27.0 + diff --git a/queue-4.9/usb-dwc2-make-trimming-xfer-length-a-debug-message.patch b/queue-4.9/usb-dwc2-make-trimming-xfer-length-a-debug-message.patch new file mode 100644 index 00000000000..ca68e040675 --- /dev/null +++ b/queue-4.9/usb-dwc2-make-trimming-xfer-length-a-debug-message.patch @@ -0,0 +1,48 @@ +From c86766e1b8d8a0a60532c4ac8c517d4972f58178 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Jan 2021 12:20:51 +0100 +Subject: usb: dwc2: Make "trimming xfer length" a debug message + +From: Guenter Roeck + +[ Upstream commit 1a9e38cabd80356ffb98c2c88fec528ea9644fd5 ] + +With some USB network adapters, such as DM96xx, the following message +is seen for each maximum size receive packet. + +dwc2 ff540000.usb: dwc2_update_urb_state(): trimming xfer length + +This happens because the packet size requested by the driver is 1522 +bytes, wMaxPacketSize is 64, the dwc2 driver configures the chip to +receive 24*64 = 1536 bytes, and the chip does indeed send more than +1522 bytes of data. Since the event does not indicate an error condition, +the message is just noise. Demote it to debug level. + +Fixes: 7359d482eb4d3 ("staging: HCD files for the DWC2 driver") +Tested-by: Nicolas Saenz Julienne +Reviewed-by: Douglas Anderson +Signed-off-by: Guenter Roeck +Signed-off-by: Nicolas Saenz Julienne +Link: https://lore.kernel.org/r/20210113112052.17063-4-nsaenzjulienne@suse.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc2/hcd_intr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/dwc2/hcd_intr.c b/drivers/usb/dwc2/hcd_intr.c +index c80bfd353758b..e39210bd97100 100644 +--- a/drivers/usb/dwc2/hcd_intr.c ++++ b/drivers/usb/dwc2/hcd_intr.c +@@ -488,7 +488,7 @@ static int dwc2_update_urb_state(struct dwc2_hsotg *hsotg, + &short_read); + + if (urb->actual_length + xfer_length > urb->length) { +- dev_warn(hsotg->dev, "%s(): trimming xfer length\n", __func__); ++ dev_dbg(hsotg->dev, "%s(): trimming xfer length\n", __func__); + xfer_length = urb->length - urb->actual_length; + } + +-- +2.27.0 + diff --git a/queue-4.9/vmci-use-set_page_dirty_lock-when-unregistering-gues.patch b/queue-4.9/vmci-use-set_page_dirty_lock-when-unregistering-gues.patch new file mode 100644 index 00000000000..2b94a4b67ec --- /dev/null +++ b/queue-4.9/vmci-use-set_page_dirty_lock-when-unregistering-gues.patch @@ -0,0 +1,43 @@ +From ec8b5ebdb99438a5280c3809b74fb5c0d820fcd8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Jan 2021 08:32:40 -0800 +Subject: VMCI: Use set_page_dirty_lock() when unregistering guest memory + +From: Jorgen Hansen + +[ Upstream commit 5a16c535409f8dcb7568e20737309e3027ae3e49 ] + +When the VMCI host support releases guest memory in the case where +the VM was killed, the pinned guest pages aren't locked. Use +set_page_dirty_lock() instead of set_page_dirty(). + +Testing done: Killed VM while having an active VMCI based vSocket +connection and observed warning from ext4. With this fix, no +warning was observed. Ran various vSocket tests without issues. + +Fixes: 06164d2b72aa ("VMCI: queue pairs implementation.") +Reviewed-by: Vishnu Dasa +Signed-off-by: Jorgen Hansen +Link: https://lore.kernel.org/r/1611160360-30299-1-git-send-email-jhansen@vmware.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/vmw_vmci/vmci_queue_pair.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/misc/vmw_vmci/vmci_queue_pair.c b/drivers/misc/vmw_vmci/vmci_queue_pair.c +index 6ac3c59c9ae78..7c7ed3f8441ab 100644 +--- a/drivers/misc/vmw_vmci/vmci_queue_pair.c ++++ b/drivers/misc/vmw_vmci/vmci_queue_pair.c +@@ -732,7 +732,7 @@ static void qp_release_pages(struct page **pages, + + for (i = 0; i < num_pages; i++) { + if (dirty) +- set_page_dirty(pages[i]); ++ set_page_dirty_lock(pages[i]); + + put_page(pages[i]); + pages[i] = NULL; +-- +2.27.0 + diff --git a/queue-4.9/xen-netback-fix-spurious-event-detection-for-common-.patch b/queue-4.9/xen-netback-fix-spurious-event-detection-for-common-.patch new file mode 100644 index 00000000000..6643e6d1a2c --- /dev/null +++ b/queue-4.9/xen-netback-fix-spurious-event-detection-for-common-.patch @@ -0,0 +1,56 @@ +From 257f245a1a096d6ba96fc6095ebf74d585e02646 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Feb 2021 11:16:12 +0100 +Subject: xen/netback: fix spurious event detection for common event case + +From: Juergen Gross + +[ Upstream commit a3daf3d39132b405781be8d9ede0c449b244b64e ] + +In case of a common event for rx and tx queue the event should be +regarded to be spurious if no rx and no tx requests are pending. + +Unfortunately the condition for testing that is wrong causing to +decide a event being spurious if no rx OR no tx requests are +pending. + +Fix that plus using local variables for rx/tx pending indicators in +order to split function calls and if condition. + +Fixes: 23025393dbeb3b ("xen/netback: use lateeoi irq binding") +Signed-off-by: Juergen Gross +Reviewed-by: Jan Beulich +Reviewed-by: Paul Durrant +Reviewed-by: Wei Liu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/xen-netback/interface.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/xen-netback/interface.c b/drivers/net/xen-netback/interface.c +index e61073c751428..d9d06dc689edc 100644 +--- a/drivers/net/xen-netback/interface.c ++++ b/drivers/net/xen-netback/interface.c +@@ -161,13 +161,15 @@ irqreturn_t xenvif_interrupt(int irq, void *dev_id) + { + struct xenvif_queue *queue = dev_id; + int old; ++ bool has_rx, has_tx; + + old = atomic_fetch_or(NETBK_COMMON_EOI, &queue->eoi_pending); + WARN(old, "Interrupt while EOI pending\n"); + +- /* Use bitwise or as we need to call both functions. */ +- if ((!xenvif_handle_tx_interrupt(queue) | +- !xenvif_handle_rx_interrupt(queue))) { ++ has_tx = xenvif_handle_tx_interrupt(queue); ++ has_rx = xenvif_handle_rx_interrupt(queue); ++ ++ if (!has_rx && !has_tx) { + atomic_andnot(NETBK_COMMON_EOI, &queue->eoi_pending); + xen_irq_lateeoi(irq, XEN_EOI_FLAG_SPURIOUS); + } +-- +2.27.0 + -- 2.47.3