From 6d14e5d1b2d5645d4c9ad9598829e47d68729314 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sat, 4 Mar 2023 20:57:03 -0500 Subject: [PATCH] Fixes for 4.19 Signed-off-by: Sasha Levin --- ...-missing-nul-termination-with-large-.patch | 44 ++ .../acpi-don-t-build-acpica-with-os.patch | 111 ++++ ...eo-fix-lenovo-ideapad-z570-dmi-match.patch | 42 ++ ...port-i-o-validation-for-some-regions.patch | 75 +++ ...handle-cases-without-a-return-value-.patch | 65 ++ ...ca0132-minor-fix-for-allocation-size.patch | 40 ++ ...orrect-wr-active-property-in-exynos3.patch | 37 ++ ...se-exynos5420-compatible-for-the-mip.patch | 37 ++ ...ida_simple_remove-for-ida_simple_get.patch | 102 +++ ...latform_device_put-in-error-case-in-.patch | 39 ++ ...memory-leak-in-realtime_counter_init.patch | 36 ++ ...efcount-leak-in-zynq_early_slcr_init.patch | 37 ++ ...c-meson-axg-fix-scpi-clock-dvfs-node.patch | 35 + ...c-meson-gx-add-missing-scpi-sensors-.patch | 37 ++ ...c-meson-gx-add-missing-unit-address-.patch | 36 ++ ...c-meson-gx-fix-scpi-clock-dvfs-node-.patch | 35 + ...c-meson-gxl-add-missing-unit-address.patch | 36 ++ ...ek-mt7622-add-missing-pwm-cells-to-p.patch | 35 + .../arm64-dts-meson-axg-enable-scpi.patch | 89 +++ ...gx-fix-ethernet-mac-address-unit-nam.patch | 39 ++ ...gx-fix-the-scpi-dvfs-node-name-and-u.patch | 40 ++ ...erate-over-array-indexes-instead-of-.patch | 50 ++ ...s.c-fixup-private_data-on-snd_soc_ne.patch | 41 ++ ...9k-hif_usb-simplify-if-if-to-if-else.patch | 44 ++ ...ath9k-htc-clean-up-statistics-macros.patch | 232 +++++++ ...ale-comment-for-blk_mq_sched_mark_re.patch | 41 ++ ...ity-copy-flags-when-bio_integrity_pa.patch | 44 ++ ...-l2cap-fix-potential-user-after-free.patch | 93 +++ ...-mislocated-storage-of-sja1000_ecc_s.patch | 49 ++ ...stroy-smbd-connection-when-mr-alloca.patch | 42 ++ ...ing-and-uaf-when-destroy-the-mr-list.patch | 133 ++++ ...s_parent_enable-in-clk_core_is_enabl.patch | 68 ++ ...pto4xx-call-dma_unmap_page-when-done.patch | 64 ++ ...cs1pad-use-akcipher_request_complete.patch | 91 +++ .../crypto-seqiv-handle-ebusy-correctly.patch | 40 ++ ...d_resched-to-various-workqueue-loops.patch | 50 ++ ...ush_scheduled_work-during-local_exit.patch | 43 ++ ...d_resched-to-various-workqueue-loops.patch | 41 ++ ...-add-necessary-make-scripts_gdb-step.patch | 46 ++ ...fix-potential-null-deref-in-dm_resum.patch | 53 ++ ...hips-fix-error-handling-in-i2c_regis.patch | 65 ++ ...nition-of-the-drm_bus_flag_-pixdata-.patch | 92 +++ ...an-dangling-pointer-on-bind-error-pa.patch | 44 ++ ...m-mediatek-drop-unbalanced-obj-unref.patch | 37 ++ ...-byte-order-of-16-bit-dcs-set-get-br.patch | 117 ++++ .../drm-msm-dpu-add-check-for-pstates.patch | 40 ++ ...missing-check-for-alloc_ordered_work.patch | 39 ++ ...-missing-check-for-alloc_ordered_wor.patch | 42 ++ ...m-msm-use-strscpy-instead-of-strncpy.patch | 47 ++ ...sfb-should-depend-on-arch_mxs-arch_m.patch | 39 ++ ...iio-for-atombios-when-driver-shutdow.patch | 60 ++ ...option-for-inverting-pixel-clock-and.patch | 104 +++ ...c4-dpi-fix-format-mapping-for-rgb565.patch | 38 ++ ...he-return-type-of-kstat_cpu_irqs_sum.patch | 44 ++ queue-4.19/gfs2-jdata-writepage-fix.patch | 45 ++ ...vf610-connect-gpio-label-to-dev-name.patch | 38 ++ ...-skip-assigning-syncpoints-to-channe.patch | 40 ++ ...n-add-of_node_put-for-reference-retu.patch | 39 ++ ...ndle-error-case-in-ltc2945_value_sto.patch | 38 ++ ...fan-return-zero-speed-for-broken-fan.patch | 46 ++ ...fix-fast-path-in-__inet_hash_connect.patch | 56 ++ ...n-t-check-penirq-immediately-for-784.patch | 46 ++ ...46-don-t-report-pressure-for-ads7845.patch | 42 ++ ...ipw2x00-switch-from-pci_-to-dma_-api.patch | 603 ++++++++++++++++++ ...si-fix-refcount-leak-in-alpine_msix_.patch | 37 ++ ...120-l2-set-irq_level-for-level-trigg.patch | 44 ++ ...stb-l2-set-irq_level-for-level-trigg.patch | 57 ++ ...u-gicp-fix-refcount-leak-in-mvebu_gi.patch | 37 ++ ...x-buffer-overrun-when-sg-is-too-long.patch | 41 ++ ...calculation-in-libbpf_nla_dump_error.patch | 38 ++ ...heck-syscall_trace_enter-return-code.patch | 72 +++ ...oc-hardware-should-depend-on-proc_fs.patch | 42 ++ ...670-0-instead-of-einval-was-returned.patch | 41 ++ ...c-ov772x-fix-memleak-in-ov772x_probe.patch | 94 +++ ...i-add-missing-check-for-devm_regulat.patch | 45 ++ ...-after-free-bugs-caused-by-ene_tx_ir.patch | 83 +++ ...fix-use-after-free-bugs-caused-by-do.patch | 233 +++++++ ...-fix-potential-memleak-in-pcf50633_a.patch | 50 ++ .../mips-vpe-mt-drop-physical_memsize.patch | 99 +++ ...i-fix-the-size-of-the-last-oob-regio.patch | 37 ++ ...et-add-a-check-for-oversized-packets.patch | 43 ++ ...-debug-print-in-page-allocation-fail.patch | 38 ++ .../net-mlx5-fw_tracer-fix-debug-print.patch | 36 ++ .../nfsd-fix-race-to-check-ls_layouts.patch | 46 ++ ...f-llvm-fix-inadvertent-file-creation.patch | 91 +++ ...f-tools-fix-auto-complete-on-aarch64.patch | 72 +++ ...-devm_kasprintf-to-avoid-potential-l.patch | 53 ++ ...rockchip-fix-a-bunch-of-kerneldoc-mi.patch | 155 +++++ ...-fix-refcount-leak-in-rockchip_pinct.patch | 37 ++ ...sible-name-leak-in-powercap_register.patch | 60 ++ ...ioda-skip-unallocated-resources-when.patch | 93 +++ ...lparcfg-add-missing-rtas-retry-statu.patch | 67 ++ ...emove-linker-flag-from-kbuild_aflags.patch | 72 +++ ...sure-4kb-alignment-for-rtas_data_buf.patch | 57 ++ .../powerpc-rtas-make-all-exports-gpl.patch | 140 ++++ ..._processor_id-complaint-in-synchroni.patch | 43 ++ ...opy_callback-correct-order-for-list_.patch | 38 ++ ...02-bounds-check-regulator-id-against.patch | 137 ++++ ...7-bounds-check-id-indexing-into-arra.patch | 55 ++ ...ialize-hrtimer-based-broadcast-clock.patch | 63 ++ ...d-infinite-loop-on-intent-for-missin.patch | 38 ++ .../rtlwifi-fix-wpointer-sign-warning.patch | 232 +++++++ ...tize-vruntime-of-entity-being-placed.patch | 70 ++ ...add-missing-check-for-dma_map_single.patch | 39 ++ ...fib_tests-always-cleanup-before-exit.patch | 42 ++ ...ts-ftrace-fix-bash-specific-operator.patch | 44 ++ queue-4.19/series | 137 ++++ ...-pm-configs-for-sparc32-compile_test.patch | 86 +++ ...spi-endianness-fix-for-arm-based-soc.patch | 41 ++ ...3xx-hsspi-fix-multi-bit-mode-setting.patch | 61 ++ .../spi-bcm63xx-hsspi-fix-pm_runtime.patch | 60 ++ ...x-unsigned-comparison-with-less-than.patch | 42 ++ ...nion-confusion-from-unexpected-resta.patch | 108 ++++ .../udf-define-efscorrupted-error-code.patch | 34 + ...otential-stack-out-of-bounds-write-i.patch | 62 ++ ...sb-clean-up-skbs-if-ath9k_hif_usb_rx.patch | 125 ++++ ...st-free-skb-in-ath9k_htc_rx_msg-if-t.patch | 58 ++ ...sure-clm-version-is-null-terminated-.patch | 165 +++++ ...x-potential-memory-leak-in-brcmf_net.patch | 39 ++ ...x-potential-stack-out-of-bounds-in-b.patch | 160 +++++ ...map-dma-buffer-in-brcmf_msgbuf_alloc.patch | 46 ++ ...200-fix-memory-leak-in-ipw_wdev_init.patch | 47 ++ ...-t-call-dev_kfree_skb-under-spin_loc.patch | 46 ++ ...-missing-check-for-create_singlethre.patch | 85 +++ ...-missing-check-for-create_singlethre.patch | 72 +++ ...dresp-don-t-call-kfree_skb-under-spi.patch | 40 ++ ...-fix-memory-leak-in-lbs_init_adapter.patch | 37 ++ ..._usb-don-t-call-kfree_skb-under-spin.patch | 40 ++ ...in-don-t-call-kfree_skb-under-spin_l.patch | 40 ++ ...-don-t-call-kfree_skb-under-spin_loc.patch | 39 ++ ...ake-rate-u32-in-sta_set_rate_info_rx.patch | 38 ++ ...-loop-iterator-in-mwifiex_update_amp.patch | 48 ++ ...ck-return-value-of-hermes_write_word.patch | 43 ++ ...i-fix-memory-leak-in-rsi_coex_attach.patch | 37 ++ ...n-t-call-dev_kfree_skb-under-spin_lo.patch | 47 ++ ...-global-out-of-bounds-bug-in-_rtl881.patch | 158 +++++ ...on-t-call-kfree_skb-under-spin_lock_.patch | 39 ++ ...speculation-control-settings-on-init.patch | 75 +++ 138 files changed, 9179 insertions(+) create mode 100644 queue-4.19/acpi-battery-fix-missing-nul-termination-with-large-.patch create mode 100644 queue-4.19/acpi-don-t-build-acpica-with-os.patch create mode 100644 queue-4.19/acpi-video-fix-lenovo-ideapad-z570-dmi-match.patch create mode 100644 queue-4.19/acpica-drop-port-i-o-validation-for-some-regions.patch create mode 100644 queue-4.19/acpica-nsrepair-handle-cases-without-a-return-value-.patch create mode 100644 queue-4.19/alsa-hda-ca0132-minor-fix-for-allocation-size.patch create mode 100644 queue-4.19/arm-dts-exynos-correct-wr-active-property-in-exynos3.patch create mode 100644 queue-4.19/arm-dts-exynos-use-exynos5420-compatible-for-the-mip.patch create mode 100644 queue-4.19/arm-imx-call-ida_simple_remove-for-ida_simple_get.patch create mode 100644 queue-4.19/arm-omap1-call-platform_device_put-in-error-case-in-.patch create mode 100644 queue-4.19/arm-omap2-fix-memory-leak-in-realtime_counter_init.patch create mode 100644 queue-4.19/arm-zynq-fix-refcount-leak-in-zynq_early_slcr_init.patch create mode 100644 queue-4.19/arm64-dts-amlogic-meson-axg-fix-scpi-clock-dvfs-node.patch create mode 100644 queue-4.19/arm64-dts-amlogic-meson-gx-add-missing-scpi-sensors-.patch create mode 100644 queue-4.19/arm64-dts-amlogic-meson-gx-add-missing-unit-address-.patch create mode 100644 queue-4.19/arm64-dts-amlogic-meson-gx-fix-scpi-clock-dvfs-node-.patch create mode 100644 queue-4.19/arm64-dts-amlogic-meson-gxl-add-missing-unit-address.patch create mode 100644 queue-4.19/arm64-dts-mediatek-mt7622-add-missing-pwm-cells-to-p.patch create mode 100644 queue-4.19/arm64-dts-meson-axg-enable-scpi.patch create mode 100644 queue-4.19/arm64-dts-meson-gx-fix-ethernet-mac-address-unit-nam.patch create mode 100644 queue-4.19/arm64-dts-meson-gx-fix-the-scpi-dvfs-node-name-and-u.patch create mode 100644 queue-4.19/asoc-kirkwood-iterate-over-array-indexes-instead-of-.patch create mode 100644 queue-4.19/asoc-soc-compress.c-fixup-private_data-on-snd_soc_ne.patch create mode 100644 queue-4.19/ath9k-hif_usb-simplify-if-if-to-if-else.patch create mode 100644 queue-4.19/ath9k-htc-clean-up-statistics-macros.patch create mode 100644 queue-4.19/blk-mq-remove-stale-comment-for-blk_mq_sched_mark_re.patch create mode 100644 queue-4.19/block-bio-integrity-copy-flags-when-bio_integrity_pa.patch create mode 100644 queue-4.19/bluetooth-l2cap-fix-potential-user-after-free.patch create mode 100644 queue-4.19/can-esd_usb-move-mislocated-storage-of-sja1000_ecc_s.patch create mode 100644 queue-4.19/cifs-fix-lost-destroy-smbd-connection-when-mr-alloca.patch create mode 100644 queue-4.19/cifs-fix-warning-and-uaf-when-destroy-the-mr-list.patch create mode 100644 queue-4.19/clk-honor-clk_ops_parent_enable-in-clk_core_is_enabl.patch create mode 100644 queue-4.19/crypto-crypto4xx-call-dma_unmap_page-when-done.patch create mode 100644 queue-4.19/crypto-rsa-pkcs1pad-use-akcipher_request_complete.patch create mode 100644 queue-4.19/crypto-seqiv-handle-ebusy-correctly.patch create mode 100644 queue-4.19/dm-cache-add-cond_resched-to-various-workqueue-loops.patch create mode 100644 queue-4.19/dm-remove-flush_scheduled_work-during-local_exit.patch create mode 100644 queue-4.19/dm-thin-add-cond_resched-to-various-workqueue-loops.patch create mode 100644 queue-4.19/docs-scripts-gdb-add-necessary-make-scripts_gdb-step.patch create mode 100644 queue-4.19/drm-amd-display-fix-potential-null-deref-in-dm_resum.patch create mode 100644 queue-4.19/drm-bridge-megachips-fix-error-handling-in-i2c_regis.patch create mode 100644 queue-4.19/drm-clarify-definition-of-the-drm_bus_flag_-pixdata-.patch create mode 100644 queue-4.19/drm-mediatek-clean-dangling-pointer-on-bind-error-pa.patch create mode 100644 queue-4.19/drm-mediatek-drop-unbalanced-obj-unref.patch create mode 100644 queue-4.19/drm-mipi-dsi-fix-byte-order-of-16-bit-dcs-set-get-br.patch create mode 100644 queue-4.19/drm-msm-dpu-add-check-for-pstates.patch create mode 100644 queue-4.19/drm-msm-dsi-add-missing-check-for-alloc_ordered_work.patch create mode 100644 queue-4.19/drm-msm-hdmi-add-missing-check-for-alloc_ordered_wor.patch create mode 100644 queue-4.19/drm-msm-use-strscpy-instead-of-strncpy.patch create mode 100644 queue-4.19/drm-mxsfb-drm_mxsfb-should-depend-on-arch_mxs-arch_m.patch create mode 100644 queue-4.19/drm-radeon-free-iio-for-atombios-when-driver-shutdow.patch create mode 100644 queue-4.19/drm-vc4-dpi-add-option-for-inverting-pixel-clock-and.patch create mode 100644 queue-4.19/drm-vc4-dpi-fix-format-mapping-for-rgb565.patch create mode 100644 queue-4.19/genirq-fix-the-return-type-of-kstat_cpu_irqs_sum.patch create mode 100644 queue-4.19/gfs2-jdata-writepage-fix.patch create mode 100644 queue-4.19/gpio-vf610-connect-gpio-label-to-dev-name.patch create mode 100644 queue-4.19/gpu-host1x-don-t-skip-assigning-syncpoints-to-channe.patch create mode 100644 queue-4.19/gpu-ipu-v3-common-add-of_node_put-for-reference-retu.patch create mode 100644 queue-4.19/hwmon-ltc2945-handle-error-case-in-ltc2945_value_sto.patch create mode 100644 queue-4.19/hwmon-mlxreg-fan-return-zero-speed-for-broken-fan.patch create mode 100644 queue-4.19/inet-fix-fast-path-in-__inet_hash_connect.patch create mode 100644 queue-4.19/input-ads7846-don-t-check-penirq-immediately-for-784.patch create mode 100644 queue-4.19/input-ads7846-don-t-report-pressure-for-ads7845.patch create mode 100644 queue-4.19/ipw2x00-switch-from-pci_-to-dma_-api.patch create mode 100644 queue-4.19/irqchip-alpine-msi-fix-refcount-leak-in-alpine_msix_.patch create mode 100644 queue-4.19/irqchip-irq-bcm7120-l2-set-irq_level-for-level-trigg.patch create mode 100644 queue-4.19/irqchip-irq-brcmstb-l2-set-irq_level-for-level-trigg.patch create mode 100644 queue-4.19/irqchip-irq-mvebu-gicp-fix-refcount-leak-in-mvebu_gi.patch create mode 100644 queue-4.19/lib-mpi-fix-buffer-overrun-when-sg-is-too-long.patch create mode 100644 queue-4.19/libbpf-fix-alen-calculation-in-libbpf_nla_dump_error.patch create mode 100644 queue-4.19/m68k-check-syscall_trace_enter-return-code.patch create mode 100644 queue-4.19/m68k-proc-hardware-should-depend-on-proc_fs.patch create mode 100644 queue-4.19/media-i2c-ov7670-0-instead-of-einval-was-returned.patch create mode 100644 queue-4.19/media-i2c-ov772x-fix-memleak-in-ov772x_probe.patch create mode 100644 queue-4.19/media-platform-ti-add-missing-check-for-devm_regulat.patch create mode 100644 queue-4.19/media-rc-fix-use-after-free-bugs-caused-by-ene_tx_ir.patch create mode 100644 queue-4.19/media-usb-siano-fix-use-after-free-bugs-caused-by-do.patch create mode 100644 queue-4.19/mfd-pcf50633-adc-fix-potential-memleak-in-pcf50633_a.patch create mode 100644 queue-4.19/mips-vpe-mt-drop-physical_memsize.patch create mode 100644 queue-4.19/mtd-rawnand-sunxi-fix-the-size-of-the-last-oob-regio.patch create mode 100644 queue-4.19/net-bcmgenet-add-a-check-for-oversized-packets.patch create mode 100644 queue-4.19/net-mlx5-enhance-debug-print-in-page-allocation-fail.patch create mode 100644 queue-4.19/net-mlx5-fw_tracer-fix-debug-print.patch create mode 100644 queue-4.19/nfsd-fix-race-to-check-ls_layouts.patch create mode 100644 queue-4.19/perf-llvm-fix-inadvertent-file-creation.patch create mode 100644 queue-4.19/perf-tools-fix-auto-complete-on-aarch64.patch create mode 100644 queue-4.19/pinctrl-at91-use-devm_kasprintf-to-avoid-potential-l.patch create mode 100644 queue-4.19/pinctrl-pinctrl-rockchip-fix-a-bunch-of-kerneldoc-mi.patch create mode 100644 queue-4.19/pinctrl-rockchip-fix-refcount-leak-in-rockchip_pinct.patch create mode 100644 queue-4.19/powercap-fix-possible-name-leak-in-powercap_register.patch create mode 100644 queue-4.19/powerpc-powernv-ioda-skip-unallocated-resources-when.patch create mode 100644 queue-4.19/powerpc-pseries-lparcfg-add-missing-rtas-retry-statu.patch create mode 100644 queue-4.19/powerpc-remove-linker-flag-from-kbuild_aflags.patch create mode 100644 queue-4.19/powerpc-rtas-ensure-4kb-alignment-for-rtas_data_buf.patch create mode 100644 queue-4.19/powerpc-rtas-make-all-exports-gpl.patch create mode 100644 queue-4.19/rcu-suppress-smp_processor_id-complaint-in-synchroni.patch create mode 100644 queue-4.19/rds-rds_rm_zerocopy_callback-correct-order-for-list_.patch create mode 100644 queue-4.19/regulator-max77802-bounds-check-regulator-id-against.patch create mode 100644 queue-4.19/regulator-s5m8767-bounds-check-id-indexing-into-arra.patch create mode 100644 queue-4.19/risc-v-time-initialize-hrtimer-based-broadcast-clock.patch create mode 100644 queue-4.19/rpmsg-glink-avoid-infinite-loop-on-intent-for-missin.patch create mode 100644 queue-4.19/rtlwifi-fix-wpointer-sign-warning.patch create mode 100644 queue-4.19/sched-fair-sanitize-vruntime-of-entity-being-placed.patch create mode 100644 queue-4.19/scsi-aic94xx-add-missing-check-for-dma_map_single.patch create mode 100644 queue-4.19/selftest-fib_tests-always-cleanup-before-exit.patch create mode 100644 queue-4.19/selftests-ftrace-fix-bash-specific-operator.patch create mode 100644 queue-4.19/sparc-allow-pm-configs-for-sparc32-compile_test.patch create mode 100644 queue-4.19/spi-bcm63xx-hsspi-endianness-fix-for-arm-based-soc.patch create mode 100644 queue-4.19/spi-bcm63xx-hsspi-fix-multi-bit-mode-setting.patch create mode 100644 queue-4.19/spi-bcm63xx-hsspi-fix-pm_runtime.patch create mode 100644 queue-4.19/thermal-intel-fix-unsigned-comparison-with-less-than.patch create mode 100644 queue-4.19/timers-prevent-union-confusion-from-unexpected-resta.patch create mode 100644 queue-4.19/udf-define-efscorrupted-error-code.patch create mode 100644 queue-4.19/wifi-ath9k-fix-potential-stack-out-of-bounds-write-i.patch create mode 100644 queue-4.19/wifi-ath9k-hif_usb-clean-up-skbs-if-ath9k_hif_usb_rx.patch create mode 100644 queue-4.19/wifi-ath9k-htc_hst-free-skb-in-ath9k_htc_rx_msg-if-t.patch create mode 100644 queue-4.19/wifi-brcmfmac-ensure-clm-version-is-null-terminated-.patch create mode 100644 queue-4.19/wifi-brcmfmac-fix-potential-memory-leak-in-brcmf_net.patch create mode 100644 queue-4.19/wifi-brcmfmac-fix-potential-stack-out-of-bounds-in-b.patch create mode 100644 queue-4.19/wifi-brcmfmac-unmap-dma-buffer-in-brcmf_msgbuf_alloc.patch create mode 100644 queue-4.19/wifi-ipw2200-fix-memory-leak-in-ipw_wdev_init.patch create mode 100644 queue-4.19/wifi-ipw2x00-don-t-call-dev_kfree_skb-under-spin_loc.patch create mode 100644 queue-4.19/wifi-iwl3945-add-missing-check-for-create_singlethre.patch create mode 100644 queue-4.19/wifi-iwl4965-add-missing-check-for-create_singlethre.patch create mode 100644 queue-4.19/wifi-libertas-cmdresp-don-t-call-kfree_skb-under-spi.patch create mode 100644 queue-4.19/wifi-libertas-fix-memory-leak-in-lbs_init_adapter.patch create mode 100644 queue-4.19/wifi-libertas-if_usb-don-t-call-kfree_skb-under-spin.patch create mode 100644 queue-4.19/wifi-libertas-main-don-t-call-kfree_skb-under-spin_l.patch create mode 100644 queue-4.19/wifi-libertas_tf-don-t-call-kfree_skb-under-spin_loc.patch create mode 100644 queue-4.19/wifi-mac80211-make-rate-u32-in-sta_set_rate_info_rx.patch create mode 100644 queue-4.19/wifi-mwifiex-fix-loop-iterator-in-mwifiex_update_amp.patch create mode 100644 queue-4.19/wifi-orinoco-check-return-value-of-hermes_write_word.patch create mode 100644 queue-4.19/wifi-rsi-fix-memory-leak-in-rsi_coex_attach.patch create mode 100644 queue-4.19/wifi-rtl8xxxu-don-t-call-dev_kfree_skb-under-spin_lo.patch create mode 100644 queue-4.19/wifi-rtlwifi-fix-global-out-of-bounds-bug-in-_rtl881.patch create mode 100644 queue-4.19/wifi-wl3501_cs-don-t-call-kfree_skb-under-spin_lock_.patch create mode 100644 queue-4.19/x86-bugs-reset-speculation-control-settings-on-init.patch diff --git a/queue-4.19/acpi-battery-fix-missing-nul-termination-with-large-.patch b/queue-4.19/acpi-battery-fix-missing-nul-termination-with-large-.patch new file mode 100644 index 00000000000..2ec03ebe3eb --- /dev/null +++ b/queue-4.19/acpi-battery-fix-missing-nul-termination-with-large-.patch @@ -0,0 +1,44 @@ +From 1b1d2f92956b35ab52cad14f07d8383bfca4806a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Jan 2023 09:50:50 +0100 +Subject: ACPI: battery: Fix missing NUL-termination with large strings + +From: Armin Wolf + +[ Upstream commit f2ac14b5f197e4a2dec51e5ceaa56682ff1592bc ] + +When encountering a string bigger than the destination buffer (32 bytes), +the string is not properly NUL-terminated, causing buffer overreads later. + +This for example happens on the Inspiron 3505, where the battery +model name is larger than 32 bytes, which leads to sysfs showing +the model name together with the serial number string (which is +NUL-terminated and thus prevents worse). + +Fix this by using strscpy() which ensures that the result is +always NUL-terminated. + +Fixes: 106449e870b3 ("ACPI: Battery: Allow extract string from integer") +Signed-off-by: Armin Wolf +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/battery.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c +index c0c533206e02d..88f4040d6c1f2 100644 +--- a/drivers/acpi/battery.c ++++ b/drivers/acpi/battery.c +@@ -478,7 +478,7 @@ static int extract_package(struct acpi_battery *battery, + u8 *ptr = (u8 *)battery + offsets[i].offset; + if (element->type == ACPI_TYPE_STRING || + element->type == ACPI_TYPE_BUFFER) +- strncpy(ptr, element->string.pointer, 32); ++ strscpy(ptr, element->string.pointer, 32); + else if (element->type == ACPI_TYPE_INTEGER) { + strncpy(ptr, (u8 *)&element->integer.value, + sizeof(u64)); +-- +2.39.2 + diff --git a/queue-4.19/acpi-don-t-build-acpica-with-os.patch b/queue-4.19/acpi-don-t-build-acpica-with-os.patch new file mode 100644 index 00000000000..33c19a69ab5 --- /dev/null +++ b/queue-4.19/acpi-don-t-build-acpica-with-os.patch @@ -0,0 +1,111 @@ +From 1b602f17ae17ffd375c35a41530be6ae3b4b623e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Jan 2023 13:45:58 +0000 +Subject: ACPI: Don't build ACPICA with '-Os' + +From: Mark Rutland + +[ Upstream commit 8f9e0a52810dd83406c768972d022c37e7a18f1f ] + +The ACPICA code has been built with '-Os' since the beginning of git +history, though there's no explanatory comment as to why. + +This is unfortunate as GCC drops the alignment specificed by +'-falign-functions=N' when '-Os' is used, as reported in GCC bug 88345: + + https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88345 + +This prevents CONFIG_FUNCTION_ALIGNMENT and +CONFIG_DEBUG_FORCE_FUNCTION_ALIGN_64B from having their expected effect +on the ACPICA code. This is doubly unfortunate as in subsequent patches +arm64 will depend upon CONFIG_FUNCTION_ALIGNMENT for its ftrace +implementation. + +Drop the '-Os' flag when building the ACPICA code. With this removed, +the code builds cleanly and works correctly in testing so far. + +I've tested this by selecting CONFIG_DEBUG_FORCE_FUNCTION_ALIGN_64B=y, +building and booting a kernel using ACPI, and looking for misaligned +text symbols: + +* arm64: + + Before, v6.2-rc3: + # uname -rm + 6.2.0-rc3 aarch64 + # grep ' [Tt] ' /proc/kallsyms | grep -iv '[048c]0 [Tt] ' | wc -l + 5009 + + Before, v6.2-rc3 + fixed __cold: + # uname -rm + 6.2.0-rc3-00001-g2a2bedf8bfa9 aarch64 + # grep ' [Tt] ' /proc/kallsyms | grep -iv '[048c]0 [Tt] ' | wc -l + 919 + + After: + # uname -rm + 6.2.0-rc3-00002-g267bddc38572 aarch64 + # grep ' [Tt] ' /proc/kallsyms | grep -iv '[048c]0 [Tt] ' | wc -l + 323 + # grep ' [Tt] ' /proc/kallsyms | grep -iv '[048c]0 [Tt] ' | grep acpi | wc -l + 0 + +* x86_64: + + Before, v6.2-rc3: + # uname -rm + 6.2.0-rc3 x86_64 + # grep ' [Tt] ' /proc/kallsyms | grep -iv '[048c]0 [Tt] ' | wc -l + 11537 + + Before, v6.2-rc3 + fixed __cold: + # uname -rm + 6.2.0-rc3-00001-g2a2bedf8bfa9 x86_64 + # grep ' [Tt] ' /proc/kallsyms | grep -iv '[048c]0 [Tt] ' | wc -l + 2805 + + After: + # uname -rm + 6.2.0-rc3-00002-g267bddc38572 x86_64 + # grep ' [Tt] ' /proc/kallsyms | grep -iv '[048c]0 [Tt] ' | wc -l + 1357 + # grep ' [Tt] ' /proc/kallsyms | grep -iv '[048c]0 [Tt] ' | grep acpi | wc -l + 0 + +With the patch applied, the remaining unaligned text labels are a +combination of static call trampolines and labels in assembly, which can +be dealt with in subsequent patches. + +Signed-off-by: Mark Rutland +Acked-by: Rafael J. Wysocki +Cc: Florent Revest +Cc: Len Brown +Cc: Masami Hiramatsu +Cc: Peter Zijlstra +Cc: Robert Moore +Cc: Steven Rostedt +Cc: Will Deacon +Cc: linux-acpi@vger.kernel.org +Link: https://lore.kernel.org/r/20230123134603.1064407-4-mark.rutland@arm.com +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/acpica/Makefile b/drivers/acpi/acpica/Makefile +index 71f6f2624debc..8ce51f0f40ce5 100644 +--- a/drivers/acpi/acpica/Makefile ++++ b/drivers/acpi/acpica/Makefile +@@ -3,7 +3,7 @@ + # Makefile for ACPICA Core interpreter + # + +-ccflags-y := -Os -D_LINUX -DBUILDING_ACPICA ++ccflags-y := -D_LINUX -DBUILDING_ACPICA + ccflags-$(CONFIG_ACPI_DEBUG) += -DACPI_DEBUG_OUTPUT + + # use acpi.o to put all files here into acpi.o modparam namespace +-- +2.39.2 + diff --git a/queue-4.19/acpi-video-fix-lenovo-ideapad-z570-dmi-match.patch b/queue-4.19/acpi-video-fix-lenovo-ideapad-z570-dmi-match.patch new file mode 100644 index 00000000000..75bb9f6783c --- /dev/null +++ b/queue-4.19/acpi-video-fix-lenovo-ideapad-z570-dmi-match.patch @@ -0,0 +1,42 @@ +From a1aa703986c410bc2dcfebbc919cefe83918969a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Feb 2023 13:44:49 +0100 +Subject: ACPI: video: Fix Lenovo Ideapad Z570 DMI match + +From: Hans de Goede + +[ Upstream commit 2d11eae42d52a131f06061015e49dc0f085c5bfc ] + +Multiple Ideapad Z570 variants need acpi_backlight=native to force native +use on these pre Windows 8 machines since acpi_video backlight control +does not work here. + +The original DMI quirk matches on a product_name of "102434U" but other +variants may have different product_name-s such as e.g. "1024D9U". + +Move to checking product_version instead as is more or less standard for +Lenovo DMI quirks for similar reasons. + +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/video_detect.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c +index 0ec74ab2a3995..b4f16073ef432 100644 +--- a/drivers/acpi/video_detect.c ++++ b/drivers/acpi/video_detect.c +@@ -300,7 +300,7 @@ static const struct dmi_system_id video_detect_dmi_table[] = { + .ident = "Lenovo Ideapad Z570", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_NAME, "102434U"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "Ideapad Z570"), + }, + }, + { +-- +2.39.2 + diff --git a/queue-4.19/acpica-drop-port-i-o-validation-for-some-regions.patch b/queue-4.19/acpica-drop-port-i-o-validation-for-some-regions.patch new file mode 100644 index 00000000000..042008f436d --- /dev/null +++ b/queue-4.19/acpica-drop-port-i-o-validation-for-some-regions.patch @@ -0,0 +1,75 @@ +From fb652161c33de04d666948dc7c1a43f15b07c7ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Dec 2022 09:51:20 -0600 +Subject: ACPICA: Drop port I/O validation for some regions + +From: Mario Limonciello + +[ Upstream commit e1d9148582ab2c3dada5c5cf8ca7531ca269fee5 ] + +Microsoft introduced support in Windows XP for blocking port I/O +to various regions. For Windows compatibility ACPICA has adopted +the same protections and will disallow writes to those +(presumably) the same regions. + +On some systems the AML included with the firmware will issue 4 byte +long writes to 0x80. These writes aren't making it over because of this +blockage. The first 4 byte write attempt is rejected, and then +subsequently 1 byte at a time each offset is tried. The first at 0x80 +works, but then the next 3 bytes are rejected. + +This manifests in bizarre failures for devices that expected the AML to +write all 4 bytes. Trying the same AML on Windows 10 or 11 doesn't hit +this failure and all 4 bytes are written. + +Either some of these regions were wrong or some point after Windows XP +some of these regions blocks have been lifted. + +In the last 15 years there doesn't seem to be any reports popping up of +this error in the Windows event viewer anymore. There is no documentation +at Microsoft's developer site indicating that Windows ACPI interpreter +blocks these regions. Between the lack of documentation and the fact that +the writes actually do work in Windows 10 and 11, it's quite likely +Windows doesn't actually enforce this anymore. + +So to help the issue, only enforce Windows XP specific entries if the +latest _OSI supported is Windows XP. Continue to enforce the +ALWAYS_ILLEGAL entries. + +Link: https://github.com/acpica/acpica/pull/817 +Fixes: 7f0719039085 ("ACPICA: New: I/O port protection") +Signed-off-by: Mario Limonciello +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/hwvalid.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/acpi/acpica/hwvalid.c b/drivers/acpi/acpica/hwvalid.c +index 24f9b61aa4049..b081177c421aa 100644 +--- a/drivers/acpi/acpica/hwvalid.c ++++ b/drivers/acpi/acpica/hwvalid.c +@@ -23,8 +23,8 @@ acpi_hw_validate_io_request(acpi_io_address address, u32 bit_width); + * + * The table is used to implement the Microsoft port access rules that + * first appeared in Windows XP. Some ports are always illegal, and some +- * ports are only illegal if the BIOS calls _OSI with a win_XP string or +- * later (meaning that the BIOS itelf is post-XP.) ++ * ports are only illegal if the BIOS calls _OSI with nothing newer than ++ * the specific _OSI strings. + * + * This provides ACPICA with the desired port protections and + * Microsoft compatibility. +@@ -145,7 +145,8 @@ acpi_hw_validate_io_request(acpi_io_address address, u32 bit_width) + + /* Port illegality may depend on the _OSI calls made by the BIOS */ + +- if (acpi_gbl_osi_data >= port_info->osi_dependency) { ++ if (port_info->osi_dependency == ACPI_ALWAYS_ILLEGAL || ++ acpi_gbl_osi_data == port_info->osi_dependency) { + ACPI_DEBUG_PRINT((ACPI_DB_VALUES, + "Denied AML access to port 0x%8.8X%8.8X/%X (%s 0x%.4X-0x%.4X)\n", + ACPI_FORMAT_UINT64(address), +-- +2.39.2 + diff --git a/queue-4.19/acpica-nsrepair-handle-cases-without-a-return-value-.patch b/queue-4.19/acpica-nsrepair-handle-cases-without-a-return-value-.patch new file mode 100644 index 00000000000..6b178ee8e14 --- /dev/null +++ b/queue-4.19/acpica-nsrepair-handle-cases-without-a-return-value-.patch @@ -0,0 +1,65 @@ +From 6047e41be1ff93d16d02681ea32c720354d8c60f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Jan 2023 02:53:08 +0300 +Subject: ACPICA: nsrepair: handle cases without a return value correctly + +From: Daniil Tatianin + +[ Upstream commit ca843a4c79486e99a19b859ef0b9887854afe146 ] + +Previously acpi_ns_simple_repair() would crash if expected_btypes +contained any combination of ACPI_RTYPE_NONE with a different type, +e.g | ACPI_RTYPE_INTEGER because of slightly incorrect logic in the +!return_object branch, which wouldn't return AE_AML_NO_RETURN_VALUE +for such cases. + +Found by Linux Verification Center (linuxtesting.org) with the SVACE +static analysis tool. + +Link: https://github.com/acpica/acpica/pull/811 +Fixes: 61db45ca2163 ("ACPICA: Restore code that repairs NULL package elements in return values.") +Signed-off-by: Daniil Tatianin +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/nsrepair.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/acpi/acpica/nsrepair.c b/drivers/acpi/acpica/nsrepair.c +index ff2ab8fbec384..8de80bf7802b4 100644 +--- a/drivers/acpi/acpica/nsrepair.c ++++ b/drivers/acpi/acpica/nsrepair.c +@@ -181,8 +181,9 @@ acpi_ns_simple_repair(struct acpi_evaluate_info *info, + * Try to fix if there was no return object. Warning if failed to fix. + */ + if (!return_object) { +- if (expected_btypes && (!(expected_btypes & ACPI_RTYPE_NONE))) { +- if (package_index != ACPI_NOT_PACKAGE_ELEMENT) { ++ if (expected_btypes) { ++ if (!(expected_btypes & ACPI_RTYPE_NONE) && ++ package_index != ACPI_NOT_PACKAGE_ELEMENT) { + ACPI_WARN_PREDEFINED((AE_INFO, + info->full_pathname, + ACPI_WARN_ALWAYS, +@@ -196,14 +197,15 @@ acpi_ns_simple_repair(struct acpi_evaluate_info *info, + if (ACPI_SUCCESS(status)) { + return (AE_OK); /* Repair was successful */ + } +- } else { ++ } ++ ++ if (expected_btypes != ACPI_RTYPE_NONE) { + ACPI_WARN_PREDEFINED((AE_INFO, + info->full_pathname, + ACPI_WARN_ALWAYS, + "Missing expected return value")); ++ return (AE_AML_NO_RETURN_VALUE); + } +- +- return (AE_AML_NO_RETURN_VALUE); + } + } + +-- +2.39.2 + diff --git a/queue-4.19/alsa-hda-ca0132-minor-fix-for-allocation-size.patch b/queue-4.19/alsa-hda-ca0132-minor-fix-for-allocation-size.patch new file mode 100644 index 00000000000..57c5bf79a3f --- /dev/null +++ b/queue-4.19/alsa-hda-ca0132-minor-fix-for-allocation-size.patch @@ -0,0 +1,40 @@ +From 41a96011bb2b9016459c92e23a0143fc39f97599 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jan 2023 14:15:23 +0300 +Subject: ALSA: hda/ca0132: minor fix for allocation size + +From: Alexey V. Vissarionov + +[ Upstream commit 3ee0fe7fa39b14d1cea455b7041f2df933bd97d2 ] + +Although the "dma_chan" pointer occupies more or equal space compared +to "*dma_chan", the allocation size should use the size of variable +itself. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 01ef7dbffb41 ("ALSA: hda - Update CA0132 codec to load DSP firmware binary") +Signed-off-by: Alexey V. Vissarionov +Link: https://lore.kernel.org/r/20230117111522.GA15213@altlinux.org +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_ca0132.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c +index 23f00ba993cb7..ca8a37388d565 100644 +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -1917,7 +1917,7 @@ static int dspio_set_uint_param_no_source(struct hda_codec *codec, int mod_id, + static int dspio_alloc_dma_chan(struct hda_codec *codec, unsigned int *dma_chan) + { + int status = 0; +- unsigned int size = sizeof(dma_chan); ++ unsigned int size = sizeof(*dma_chan); + + codec_dbg(codec, " dspio_alloc_dma_chan() -- begin\n"); + status = dspio_scp(codec, MASTERCONTROL, 0x20, +-- +2.39.2 + diff --git a/queue-4.19/arm-dts-exynos-correct-wr-active-property-in-exynos3.patch b/queue-4.19/arm-dts-exynos-correct-wr-active-property-in-exynos3.patch new file mode 100644 index 00000000000..7c4523a447f --- /dev/null +++ b/queue-4.19/arm-dts-exynos-correct-wr-active-property-in-exynos3.patch @@ -0,0 +1,37 @@ +From c676c3c35ba826422d2e56b66a33e944509658f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jan 2023 16:53:54 +0100 +Subject: ARM: dts: exynos: correct wr-active property in Exynos3250 Rinato + +From: Krzysztof Kozlowski + +[ Upstream commit d15d2a617499882971ddb773a583015bf36fa492 ] + +The property is wr-active: + + exynos3250-rinato.dtb: fimd@11c00000: i80-if-timings: 'wr-act' does not match any of the regexes: 'pinctrl-[0-9]+' + +Fixes: b59b3afb94d4 ("ARM: dts: add fimd device support for exynos3250-rinato") +Link: https://lore.kernel.org/r/20230120155404.323386-2-krzysztof.kozlowski@linaro.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/exynos3250-rinato.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/exynos3250-rinato.dts b/arch/arm/boot/dts/exynos3250-rinato.dts +index 29df4cfa9165f..e398604b2ce0f 100644 +--- a/arch/arm/boot/dts/exynos3250-rinato.dts ++++ b/arch/arm/boot/dts/exynos3250-rinato.dts +@@ -237,7 +237,7 @@ &fimd { + i80-if-timings { + cs-setup = <0>; + wr-setup = <0>; +- wr-act = <1>; ++ wr-active = <1>; + wr-hold = <0>; + }; + }; +-- +2.39.2 + diff --git a/queue-4.19/arm-dts-exynos-use-exynos5420-compatible-for-the-mip.patch b/queue-4.19/arm-dts-exynos-use-exynos5420-compatible-for-the-mip.patch new file mode 100644 index 00000000000..83eab2a94a4 --- /dev/null +++ b/queue-4.19/arm-dts-exynos-use-exynos5420-compatible-for-the-mip.patch @@ -0,0 +1,37 @@ +From 543e8ce98c4b2e02f37066bef239df37a583b828 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Jan 2023 22:18:42 +0200 +Subject: ARM: dts: exynos: Use Exynos5420 compatible for the MIPI video phy + +From: Markuss Broks + +[ Upstream commit 5d5aa219a790d61cad2c38e1aa32058f16ad2f0b ] + +For some reason, the driver adding support for Exynos5420 MIPI phy +back in 2016 wasn't used on Exynos5420, which caused a kernel panic. +Add the proper compatible for it. + +Signed-off-by: Markuss Broks +Link: https://lore.kernel.org/r/20230121201844.46872-2-markuss.broks@gmail.com +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/exynos5420.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/exynos5420.dtsi b/arch/arm/boot/dts/exynos5420.dtsi +index aaff158807613..99e2e0b0b9cd4 100644 +--- a/arch/arm/boot/dts/exynos5420.dtsi ++++ b/arch/arm/boot/dts/exynos5420.dtsi +@@ -530,7 +530,7 @@ dp_phy: dp-video-phy { + }; + + mipi_phy: mipi-video-phy { +- compatible = "samsung,s5pv210-mipi-video-phy"; ++ compatible = "samsung,exynos5420-mipi-video-phy"; + syscon = <&pmu_system_controller>; + #phy-cells = <1>; + }; +-- +2.39.2 + diff --git a/queue-4.19/arm-imx-call-ida_simple_remove-for-ida_simple_get.patch b/queue-4.19/arm-imx-call-ida_simple_remove-for-ida_simple_get.patch new file mode 100644 index 00000000000..694e594cbc6 --- /dev/null +++ b/queue-4.19/arm-imx-call-ida_simple_remove-for-ida_simple_get.patch @@ -0,0 +1,102 @@ +From 4a08f85a56675d162ddabdfddbb9beb5648f4149 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Jan 2023 14:11:23 +0800 +Subject: ARM: imx: Call ida_simple_remove() for ida_simple_get + +From: Angus Chen + +[ Upstream commit ebeb49f43c8952f12aa20f03f00d7009edc2d1c5 ] + +The function call ida_simple_get maybe fail,we should deal with it. +And if ida_simple_get success ,it need to call ida_simple_remove also. +BTW,devm_kasprintf can handle id is zero for consistency. + +Fixes: e76bdfd7403a ("ARM: imx: Added perf functionality to mmdc driver") +Signed-off-by: Angus Chen +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/mach-imx/mmdc.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +diff --git a/arch/arm/mach-imx/mmdc.c b/arch/arm/mach-imx/mmdc.c +index 14be73ca107a5..965a41572283e 100644 +--- a/arch/arm/mach-imx/mmdc.c ++++ b/arch/arm/mach-imx/mmdc.c +@@ -105,6 +105,7 @@ struct mmdc_pmu { + cpumask_t cpu; + struct hrtimer hrtimer; + unsigned int active_events; ++ int id; + struct device *dev; + struct perf_event *mmdc_events[MMDC_NUM_COUNTERS]; + struct hlist_node node; +@@ -445,8 +446,6 @@ static enum hrtimer_restart mmdc_pmu_timer_handler(struct hrtimer *hrtimer) + static int mmdc_pmu_init(struct mmdc_pmu *pmu_mmdc, + void __iomem *mmdc_base, struct device *dev) + { +- int mmdc_num; +- + *pmu_mmdc = (struct mmdc_pmu) { + .pmu = (struct pmu) { + .task_ctx_nr = perf_invalid_context, +@@ -463,15 +462,16 @@ static int mmdc_pmu_init(struct mmdc_pmu *pmu_mmdc, + .active_events = 0, + }; + +- mmdc_num = ida_simple_get(&mmdc_ida, 0, 0, GFP_KERNEL); ++ pmu_mmdc->id = ida_simple_get(&mmdc_ida, 0, 0, GFP_KERNEL); + +- return mmdc_num; ++ return pmu_mmdc->id; + } + + static int imx_mmdc_remove(struct platform_device *pdev) + { + struct mmdc_pmu *pmu_mmdc = platform_get_drvdata(pdev); + ++ ida_simple_remove(&mmdc_ida, pmu_mmdc->id); + cpuhp_state_remove_instance_nocalls(cpuhp_mmdc_state, &pmu_mmdc->node); + perf_pmu_unregister(&pmu_mmdc->pmu); + iounmap(pmu_mmdc->mmdc_base); +@@ -485,7 +485,6 @@ static int imx_mmdc_perf_init(struct platform_device *pdev, void __iomem *mmdc_b + { + struct mmdc_pmu *pmu_mmdc; + char *name; +- int mmdc_num; + int ret; + const struct of_device_id *of_id = + of_match_device(imx_mmdc_dt_ids, &pdev->dev); +@@ -508,14 +507,14 @@ static int imx_mmdc_perf_init(struct platform_device *pdev, void __iomem *mmdc_b + cpuhp_mmdc_state = ret; + } + +- mmdc_num = mmdc_pmu_init(pmu_mmdc, mmdc_base, &pdev->dev); +- pmu_mmdc->mmdc_ipg_clk = mmdc_ipg_clk; +- if (mmdc_num == 0) +- name = "mmdc"; +- else +- name = devm_kasprintf(&pdev->dev, +- GFP_KERNEL, "mmdc%d", mmdc_num); ++ ret = mmdc_pmu_init(pmu_mmdc, mmdc_base, &pdev->dev); ++ if (ret < 0) ++ goto pmu_free; + ++ name = devm_kasprintf(&pdev->dev, ++ GFP_KERNEL, "mmdc%d", ret); ++ ++ pmu_mmdc->mmdc_ipg_clk = mmdc_ipg_clk; + pmu_mmdc->devtype_data = (struct fsl_mmdc_devtype_data *)of_id->data; + + hrtimer_init(&pmu_mmdc->hrtimer, CLOCK_MONOTONIC, +@@ -536,6 +535,7 @@ static int imx_mmdc_perf_init(struct platform_device *pdev, void __iomem *mmdc_b + + pmu_register_err: + pr_warn("MMDC Perf PMU failed (%d), disabled\n", ret); ++ ida_simple_remove(&mmdc_ida, pmu_mmdc->id); + cpuhp_state_remove_instance_nocalls(cpuhp_mmdc_state, &pmu_mmdc->node); + hrtimer_cancel(&pmu_mmdc->hrtimer); + pmu_free: +-- +2.39.2 + diff --git a/queue-4.19/arm-omap1-call-platform_device_put-in-error-case-in-.patch b/queue-4.19/arm-omap1-call-platform_device_put-in-error-case-in-.patch new file mode 100644 index 00000000000..3ff3cfbefa3 --- /dev/null +++ b/queue-4.19/arm-omap1-call-platform_device_put-in-error-case-in-.patch @@ -0,0 +1,39 @@ +From 400881813a356fd5d403b9919a764507ce54fc36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jan 2023 11:57:54 +0200 +Subject: ARM: OMAP1: call platform_device_put() in error case in + omap1_dm_timer_init() + +From: Yang Yingliang + +[ Upstream commit 0414a100d6ab32721efa70ab55524540fdfe0ede ] + +If platform_device_add() is not called or failed, it should call +platform_device_put() in error case. + +Fixes: 97933d6ced60 ("ARM: OMAP1: dmtimer: conversion to platform devices") +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Message-Id: <20220701094602.2365099-1-yangyingliang@huawei.com> +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap1/timer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/mach-omap1/timer.c b/arch/arm/mach-omap1/timer.c +index 4447210c9b0d8..291bc376d30e8 100644 +--- a/arch/arm/mach-omap1/timer.c ++++ b/arch/arm/mach-omap1/timer.c +@@ -165,7 +165,7 @@ static int __init omap1_dm_timer_init(void) + kfree(pdata); + + err_free_pdev: +- platform_device_unregister(pdev); ++ platform_device_put(pdev); + + return ret; + } +-- +2.39.2 + diff --git a/queue-4.19/arm-omap2-fix-memory-leak-in-realtime_counter_init.patch b/queue-4.19/arm-omap2-fix-memory-leak-in-realtime_counter_init.patch new file mode 100644 index 00000000000..16e99648f4a --- /dev/null +++ b/queue-4.19/arm-omap2-fix-memory-leak-in-realtime_counter_init.patch @@ -0,0 +1,36 @@ +From b4e7b39541ac5b54528092d66297cfdc27d692ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Nov 2022 22:19:17 +0800 +Subject: ARM: OMAP2+: Fix memory leak in realtime_counter_init() + +From: Chen Hui + +[ Upstream commit ed8167cbf65c2b6ff6faeb0f96ded4d6d581e1ac ] + +The "sys_clk" resource is malloced by clk_get(), +it is not released when the function return. + +Fixes: fa6d79d27614 ("ARM: OMAP: Add initialisation for the real-time counter.") +Signed-off-by: Chen Hui +Message-Id: <20221108141917.46796-1-judy.chenhui@huawei.com> +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap2/timer.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/mach-omap2/timer.c b/arch/arm/mach-omap2/timer.c +index c4ba848e8af62..d98aa78b9be91 100644 +--- a/arch/arm/mach-omap2/timer.c ++++ b/arch/arm/mach-omap2/timer.c +@@ -701,6 +701,7 @@ static void __init realtime_counter_init(void) + } + + rate = clk_get_rate(sys_clk); ++ clk_put(sys_clk); + + if (soc_is_dra7xx()) { + /* +-- +2.39.2 + diff --git a/queue-4.19/arm-zynq-fix-refcount-leak-in-zynq_early_slcr_init.patch b/queue-4.19/arm-zynq-fix-refcount-leak-in-zynq_early_slcr_init.patch new file mode 100644 index 00000000000..f6c65a1deef --- /dev/null +++ b/queue-4.19/arm-zynq-fix-refcount-leak-in-zynq_early_slcr_init.patch @@ -0,0 +1,37 @@ +From 378369468c5e9811e41fa2b51d7dea58daf40459 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Nov 2022 22:05:44 +0800 +Subject: ARM: zynq: Fix refcount leak in zynq_early_slcr_init + +From: Qiheng Lin + +[ Upstream commit 9eedb910a3be0005b88c696a8552c0d4c9937cd4 ] + +of_find_compatible_node() returns a node pointer with refcount incremented, +we should use of_node_put() on error path. +Add missing of_node_put() to avoid refcount leak. + +Fixes: 3329659df030 ("ARM: zynq: Simplify SLCR initialization") +Signed-off-by: Qiheng Lin +Link: https://lore.kernel.org/r/20221129140544.41293-1-linqiheng@huawei.com +Signed-off-by: Michal Simek +Signed-off-by: Sasha Levin +--- + arch/arm/mach-zynq/slcr.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/mach-zynq/slcr.c b/arch/arm/mach-zynq/slcr.c +index f0292a30e6f69..6b75ef7be3fda 100644 +--- a/arch/arm/mach-zynq/slcr.c ++++ b/arch/arm/mach-zynq/slcr.c +@@ -222,6 +222,7 @@ int __init zynq_early_slcr_init(void) + zynq_slcr_regmap = syscon_regmap_lookup_by_compatible("xlnx,zynq-slcr"); + if (IS_ERR(zynq_slcr_regmap)) { + pr_err("%s: failed to find zynq-slcr\n", __func__); ++ of_node_put(np); + return -ENODEV; + } + +-- +2.39.2 + diff --git a/queue-4.19/arm64-dts-amlogic-meson-axg-fix-scpi-clock-dvfs-node.patch b/queue-4.19/arm64-dts-amlogic-meson-axg-fix-scpi-clock-dvfs-node.patch new file mode 100644 index 00000000000..8ecfa9e3cf5 --- /dev/null +++ b/queue-4.19/arm64-dts-amlogic-meson-axg-fix-scpi-clock-dvfs-node.patch @@ -0,0 +1,35 @@ +From d80a72456bc63f7c9d004c22258699453af05f9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 11:34:23 +0100 +Subject: arm64: dts: amlogic: meson-axg: fix SCPI clock dvfs node name + +From: Neil Armstrong + +[ Upstream commit 5b7069d72f03c92a0ab919725017394ebce03a81 ] + +Fixes: +scpi: clocks: 'clock-controller' does not match any of the regexes: '^clocks-[0-9a-f]+$', 'pinctrl-[0-9]+' + +Link: https://lore.kernel.org/r/20230124-b4-amlogic-bindings-fixups-v1-2-44351528957e@linaro.org +Signed-off-by: Neil Armstrong +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/amlogic/meson-axg.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/amlogic/meson-axg.dtsi b/arch/arm64/boot/dts/amlogic/meson-axg.dtsi +index 8355818153775..a2c809f861c09 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-axg.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-axg.dtsi +@@ -163,7 +163,7 @@ scpi { + scpi_clocks: clocks { + compatible = "arm,scpi-clocks"; + +- scpi_dvfs: clock-controller { ++ scpi_dvfs: clocks-0 { + compatible = "arm,scpi-dvfs-clocks"; + #clock-cells = <1>; + clock-indices = <0>; +-- +2.39.2 + diff --git a/queue-4.19/arm64-dts-amlogic-meson-gx-add-missing-scpi-sensors-.patch b/queue-4.19/arm64-dts-amlogic-meson-gx-add-missing-scpi-sensors-.patch new file mode 100644 index 00000000000..44d8e96156a --- /dev/null +++ b/queue-4.19/arm64-dts-amlogic-meson-gx-add-missing-scpi-sensors-.patch @@ -0,0 +1,37 @@ +From 51913f24562f4c873d1b079a439365cfb54dfc0a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 11:34:24 +0100 +Subject: arm64: dts: amlogic: meson-gx: add missing SCPI sensors compatible + +From: Neil Armstrong + +[ Upstream commit 2ff650051493d5bdb6dd09d4c2850bb37db6be31 ] + +Fixes: +scpi: sensors:compatible: 'oneOf' conditional failed, one must be fixed: + ['amlogic,meson-gxbb-scpi-sensors'] is too short + 'arm,scpi-sensors' was expected + +Link: https://lore.kernel.org/r/20230124-b4-amlogic-bindings-fixups-v1-3-44351528957e@linaro.org +Signed-off-by: Neil Armstrong +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/amlogic/meson-axg.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/amlogic/meson-axg.dtsi b/arch/arm64/boot/dts/amlogic/meson-axg.dtsi +index a2c809f861c09..d5f2f7593c67e 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-axg.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-axg.dtsi +@@ -172,7 +172,7 @@ scpi_dvfs: clocks-0 { + }; + + scpi_sensors: sensors { +- compatible = "amlogic,meson-gxbb-scpi-sensors"; ++ compatible = "amlogic,meson-gxbb-scpi-sensors", "arm,scpi-sensors"; + #thermal-sensor-cells = <1>; + }; + }; +-- +2.39.2 + diff --git a/queue-4.19/arm64-dts-amlogic-meson-gx-add-missing-unit-address-.patch b/queue-4.19/arm64-dts-amlogic-meson-gx-add-missing-unit-address-.patch new file mode 100644 index 00000000000..0b3025a4bc7 --- /dev/null +++ b/queue-4.19/arm64-dts-amlogic-meson-gx-add-missing-unit-address-.patch @@ -0,0 +1,36 @@ +From a7083073198b5e764c6d286fd9d6ff39e0f63948 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 11:34:27 +0100 +Subject: arm64: dts: amlogic: meson-gx: add missing unit address to rng node + name + +From: Neil Armstrong + +[ Upstream commit 61ff70708b98a85516eccb3755084ac97b42cf48 ] + +Fixes: +bus@c8834000: rng: {...} should not be valid under {'type': 'object'} + +Link: https://lore.kernel.org/r/20230124-b4-amlogic-bindings-fixups-v1-6-44351528957e@linaro.org +Signed-off-by: Neil Armstrong +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/amlogic/meson-gx.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/amlogic/meson-gx.dtsi b/arch/arm64/boot/dts/amlogic/meson-gx.dtsi +index 85e69bfd21744..c167023ca1db7 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-gx.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-gx.dtsi +@@ -423,7 +423,7 @@ periphs: periphs@c8834000 { + #size-cells = <2>; + ranges = <0x0 0x0 0x0 0xc8834000 0x0 0x2000>; + +- hwrng: rng { ++ hwrng: rng@0 { + compatible = "amlogic,meson-rng"; + reg = <0x0 0x0 0x0 0x4>; + }; +-- +2.39.2 + diff --git a/queue-4.19/arm64-dts-amlogic-meson-gx-fix-scpi-clock-dvfs-node-.patch b/queue-4.19/arm64-dts-amlogic-meson-gx-fix-scpi-clock-dvfs-node-.patch new file mode 100644 index 00000000000..c8ca3f13998 --- /dev/null +++ b/queue-4.19/arm64-dts-amlogic-meson-gx-fix-scpi-clock-dvfs-node-.patch @@ -0,0 +1,35 @@ +From 09e994c092ef49768e5f4c56c93a3e2af02e9f1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 11:34:22 +0100 +Subject: arm64: dts: amlogic: meson-gx: fix SCPI clock dvfs node name + +From: Neil Armstrong + +[ Upstream commit 127f79212b07c5d9a6657a87e3eafdd889335814 ] + +Fixes: +scpi: clocks: 'clock-controller' does not match any of the regexes: '^clocks-[0-9a-f]+$', 'pinctrl-[0-9]+' + +Link: https://lore.kernel.org/r/20230124-b4-amlogic-bindings-fixups-v1-1-44351528957e@linaro.org +Signed-off-by: Neil Armstrong +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/amlogic/meson-gx.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/amlogic/meson-gx.dtsi b/arch/arm64/boot/dts/amlogic/meson-gx.dtsi +index daadf0edf8bde..85e69bfd21744 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-gx.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-gx.dtsi +@@ -167,7 +167,7 @@ scpi { + scpi_clocks: clocks { + compatible = "arm,scpi-clocks"; + +- scpi_dvfs: clock-controller { ++ scpi_dvfs: clocks-0 { + compatible = "arm,scpi-dvfs-clocks"; + #clock-cells = <1>; + clock-indices = <0>; +-- +2.39.2 + diff --git a/queue-4.19/arm64-dts-amlogic-meson-gxl-add-missing-unit-address.patch b/queue-4.19/arm64-dts-amlogic-meson-gxl-add-missing-unit-address.patch new file mode 100644 index 00000000000..21f186e584d --- /dev/null +++ b/queue-4.19/arm64-dts-amlogic-meson-gxl-add-missing-unit-address.patch @@ -0,0 +1,36 @@ +From 42d230f0905db702eff84f6a68492b844866f673 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 11:34:30 +0100 +Subject: arm64: dts: amlogic: meson-gxl: add missing unit address to + eth-phy-mux node name + +From: Neil Armstrong + +[ Upstream commit d19189f70ba596798ea49166d2d1ef36a8df5289 ] + +Fixes: +bus@c8834000: eth-phy-mux: {...} should not be valid under {'type': 'object'} + +Link: https://lore.kernel.org/r/20230124-b4-amlogic-bindings-fixups-v1-9-44351528957e@linaro.org +Signed-off-by: Neil Armstrong +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/amlogic/meson-gxl.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/amlogic/meson-gxl.dtsi b/arch/arm64/boot/dts/amlogic/meson-gxl.dtsi +index 5d7724b3a6123..f999a92d174b7 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-gxl.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-gxl.dtsi +@@ -636,7 +636,7 @@ mux { + }; + }; + +- eth-phy-mux { ++ eth-phy-mux@55c { + compatible = "mdio-mux-mmioreg", "mdio-mux"; + #address-cells = <1>; + #size-cells = <0>; +-- +2.39.2 + diff --git a/queue-4.19/arm64-dts-mediatek-mt7622-add-missing-pwm-cells-to-p.patch b/queue-4.19/arm64-dts-mediatek-mt7622-add-missing-pwm-cells-to-p.patch new file mode 100644 index 00000000000..f7135c3dead --- /dev/null +++ b/queue-4.19/arm64-dts-mediatek-mt7622-add-missing-pwm-cells-to-p.patch @@ -0,0 +1,35 @@ +From 69db2aebbd0549c30c62b6d7cb7e1e3e39942281 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Nov 2022 12:20:27 +0100 +Subject: arm64: dts: mediatek: mt7622: Add missing pwm-cells to pwm node + +From: AngeloGioacchino Del Regno + +[ Upstream commit 22925af785fa3470efdf566339616d801119d348 ] + +Specify #pwm-cells on pwm@11006000 to make it actually usable. + +Fixes: ae457b7679c4 ("arm64: dts: mt7622: add SoC and peripheral related device nodes") +Signed-off-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20221128112028.58021-2-angelogioacchino.delregno@collabora.com +Signed-off-by: Matthias Brugger +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/mediatek/mt7622.dtsi | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/mediatek/mt7622.dtsi b/arch/arm64/boot/dts/mediatek/mt7622.dtsi +index 2bcee994898a2..5cb0470ede723 100644 +--- a/arch/arm64/boot/dts/mediatek/mt7622.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt7622.dtsi +@@ -380,6 +380,7 @@ uart3: serial@11005000 { + pwm: pwm@11006000 { + compatible = "mediatek,mt7622-pwm"; + reg = <0 0x11006000 0 0x1000>; ++ #pwm-cells = <2>; + interrupts = ; + clocks = <&topckgen CLK_TOP_PWM_SEL>, + <&pericfg CLK_PERI_PWM_PD>, +-- +2.39.2 + diff --git a/queue-4.19/arm64-dts-meson-axg-enable-scpi.patch b/queue-4.19/arm64-dts-meson-axg-enable-scpi.patch new file mode 100644 index 00000000000..48337a9c735 --- /dev/null +++ b/queue-4.19/arm64-dts-meson-axg-enable-scpi.patch @@ -0,0 +1,89 @@ +From 8ea6709373a170ec415f54138c5a239e57b30934 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Nov 2018 14:53:52 +0100 +Subject: arm64: dts: meson-axg: enable SCPI + +From: Jerome Brunet + +[ Upstream commit 2c130695ad5265ce2eb38f55ee0cce26238f7891 ] + +Enable SCPI on the axg platform, with cpu clock and hwmon +(core temperature) support + +Signed-off-by: Jerome Brunet +Reviewed-by: Neil Armstrong +Signed-off-by: Kevin Hilman +Stable-dep-of: 5b7069d72f03 ("arm64: dts: amlogic: meson-axg: fix SCPI clock dvfs node name") +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/amlogic/meson-axg.dtsi | 26 ++++++++++++++++++++++ + 1 file changed, 26 insertions(+) + +diff --git a/arch/arm64/boot/dts/amlogic/meson-axg.dtsi b/arch/arm64/boot/dts/amlogic/meson-axg.dtsi +index 90e9cbcc891f2..8355818153775 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-axg.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-axg.dtsi +@@ -47,6 +47,7 @@ cpu0: cpu@0 { + reg = <0x0 0x0>; + enable-method = "psci"; + next-level-cache = <&l2>; ++ clocks = <&scpi_dvfs 0>; + }; + + cpu1: cpu@1 { +@@ -55,6 +56,7 @@ cpu1: cpu@1 { + reg = <0x0 0x1>; + enable-method = "psci"; + next-level-cache = <&l2>; ++ clocks = <&scpi_dvfs 0>; + }; + + cpu2: cpu@2 { +@@ -63,6 +65,7 @@ cpu2: cpu@2 { + reg = <0x0 0x2>; + enable-method = "psci"; + next-level-cache = <&l2>; ++ clocks = <&scpi_dvfs 0>; + }; + + cpu3: cpu@3 { +@@ -71,6 +74,7 @@ cpu3: cpu@3 { + reg = <0x0 0x3>; + enable-method = "psci"; + next-level-cache = <&l2>; ++ clocks = <&scpi_dvfs 0>; + }; + + l2: l2-cache0 { +@@ -151,6 +155,28 @@ ao_alt_xtal: ao_alt_xtal-clk { + #clock-cells = <0>; + }; + ++ scpi { ++ compatible = "arm,scpi-pre-1.0"; ++ mboxes = <&mailbox 1 &mailbox 2>; ++ shmem = <&cpu_scp_lpri &cpu_scp_hpri>; ++ ++ scpi_clocks: clocks { ++ compatible = "arm,scpi-clocks"; ++ ++ scpi_dvfs: clock-controller { ++ compatible = "arm,scpi-dvfs-clocks"; ++ #clock-cells = <1>; ++ clock-indices = <0>; ++ clock-output-names = "vcpu"; ++ }; ++ }; ++ ++ scpi_sensors: sensors { ++ compatible = "amlogic,meson-gxbb-scpi-sensors"; ++ #thermal-sensor-cells = <1>; ++ }; ++ }; ++ + soc { + compatible = "simple-bus"; + #address-cells = <2>; +-- +2.39.2 + diff --git a/queue-4.19/arm64-dts-meson-gx-fix-ethernet-mac-address-unit-nam.patch b/queue-4.19/arm64-dts-meson-gx-fix-ethernet-mac-address-unit-nam.patch new file mode 100644 index 00000000000..21c273b1c25 --- /dev/null +++ b/queue-4.19/arm64-dts-meson-gx-fix-ethernet-mac-address-unit-nam.patch @@ -0,0 +1,39 @@ +From 498fc22aa2008b48c9ba4ee5787c5de6861cc2d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jan 2023 22:13:48 +0100 +Subject: arm64: dts: meson-gx: Fix Ethernet MAC address unit name + +From: Martin Blumenstingl + +[ Upstream commit 8ed5310356bfa47cc6bb4221ae6b21258c52e3d1 ] + +Unit names should use hyphens instead of underscores to not cause +warnings. + +Fixes: bfe59f92d306 ("ARM64: dts: amlogic: gxbb: Enable NVMEM") +Suggested-by: Vyacheslav Bocharov +Signed-off-by: Martin Blumenstingl +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/20230111211350.1461860-5-martin.blumenstingl@googlemail.com +Signed-off-by: Neil Armstrong +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/amlogic/meson-gx.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/amlogic/meson-gx.dtsi b/arch/arm64/boot/dts/amlogic/meson-gx.dtsi +index a127657526c7f..19feaec6a1ae8 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-gx.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-gx.dtsi +@@ -150,7 +150,7 @@ sn: sn@14 { + reg = <0x14 0x10>; + }; + +- eth_mac: eth_mac@34 { ++ eth_mac: eth-mac@34 { + reg = <0x34 0x10>; + }; + +-- +2.39.2 + diff --git a/queue-4.19/arm64-dts-meson-gx-fix-the-scpi-dvfs-node-name-and-u.patch b/queue-4.19/arm64-dts-meson-gx-fix-the-scpi-dvfs-node-name-and-u.patch new file mode 100644 index 00000000000..24065b37564 --- /dev/null +++ b/queue-4.19/arm64-dts-meson-gx-fix-the-scpi-dvfs-node-name-and-u.patch @@ -0,0 +1,40 @@ +From af22638eb2015b7c6cdc2aecce131cc3d2f645ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jan 2023 22:13:50 +0100 +Subject: arm64: dts: meson-gx: Fix the SCPI DVFS node name and unit address + +From: Martin Blumenstingl + +[ Upstream commit f189c869ad92787ddd753558bcbae89d75825bb6 ] + +Node names should be generic and use hyphens instead of underscores to +not cause warnings. Also nodes without a reg property should not have a +unit-address. Change the scpi_dvfs node to use clock-controller as node +name without a unit address (since it does not have a reg property). + +Fixes: 70db166a2baa ("ARM64: dts: meson-gxbb: Add SCPI with cpufreq & sensors Nodes") +Signed-off-by: Martin Blumenstingl +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/20230111211350.1461860-7-martin.blumenstingl@googlemail.com +Signed-off-by: Neil Armstrong +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/amlogic/meson-gx.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/amlogic/meson-gx.dtsi b/arch/arm64/boot/dts/amlogic/meson-gx.dtsi +index 19feaec6a1ae8..daadf0edf8bde 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-gx.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-gx.dtsi +@@ -167,7 +167,7 @@ scpi { + scpi_clocks: clocks { + compatible = "arm,scpi-clocks"; + +- scpi_dvfs: scpi_clocks@0 { ++ scpi_dvfs: clock-controller { + compatible = "arm,scpi-dvfs-clocks"; + #clock-cells = <1>; + clock-indices = <0>; +-- +2.39.2 + diff --git a/queue-4.19/asoc-kirkwood-iterate-over-array-indexes-instead-of-.patch b/queue-4.19/asoc-kirkwood-iterate-over-array-indexes-instead-of-.patch new file mode 100644 index 00000000000..2b3bc8a5ed5 --- /dev/null +++ b/queue-4.19/asoc-kirkwood-iterate-over-array-indexes-instead-of-.patch @@ -0,0 +1,50 @@ +From debcdcf48106c3c2771564dec1faf2e89c3b34c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jan 2023 14:41:29 -0800 +Subject: ASoC: kirkwood: Iterate over array indexes instead of using pointer + math + +From: Kees Cook + +[ Upstream commit b3bcedc0402fcdc5c8624c433562d9d1882749d8 ] + +Walking the dram->cs array was seen as accesses beyond the first array +item by the compiler. Instead, use the array index directly. This allows +for run-time bounds checking under CONFIG_UBSAN_BOUNDS as well. Seen +with GCC 13 with -fstrict-flex-arrays: + +../sound/soc/kirkwood/kirkwood-dma.c: In function +'kirkwood_dma_conf_mbus_windows.constprop': +../sound/soc/kirkwood/kirkwood-dma.c:90:24: warning: array subscript 0 is outside array bounds of 'const struct mbus_dram_window[0]' [-Warray-bounds=] + 90 | if ((cs->base & 0xffff0000) < (dma & 0xffff0000)) { + | ~~^~~~~~ + +Cc: Liam Girdwood +Cc: Mark Brown +Cc: Jaroslav Kysela +Cc: Takashi Iwai +Cc: alsa-devel@alsa-project.org +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20230127224128.never.410-kees@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/kirkwood/kirkwood-dma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/kirkwood/kirkwood-dma.c b/sound/soc/kirkwood/kirkwood-dma.c +index 255cc45905b81..51f75523b691a 100644 +--- a/sound/soc/kirkwood/kirkwood-dma.c ++++ b/sound/soc/kirkwood/kirkwood-dma.c +@@ -90,7 +90,7 @@ kirkwood_dma_conf_mbus_windows(void __iomem *base, int win, + + /* try to find matching cs for current dma address */ + for (i = 0; i < dram->num_cs; i++) { +- const struct mbus_dram_window *cs = dram->cs + i; ++ const struct mbus_dram_window *cs = &dram->cs[i]; + if ((cs->base & 0xffff0000) < (dma & 0xffff0000)) { + writel(cs->base & 0xffff0000, + base + KIRKWOOD_AUDIO_WIN_BASE_REG(win)); +-- +2.39.2 + diff --git a/queue-4.19/asoc-soc-compress.c-fixup-private_data-on-snd_soc_ne.patch b/queue-4.19/asoc-soc-compress.c-fixup-private_data-on-snd_soc_ne.patch new file mode 100644 index 00000000000..9152c50c7b0 --- /dev/null +++ b/queue-4.19/asoc-soc-compress.c-fixup-private_data-on-snd_soc_ne.patch @@ -0,0 +1,41 @@ +From e80731385c5ca299b06e61e81f3630ef816af7e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Jan 2023 23:17:20 +0000 +Subject: ASoC: soc-compress.c: fixup private_data on snd_soc_new_compress() + +From: Kuninori Morimoto + +[ Upstream commit ffe4c0f0bfaa571a676a0e946d4a6a0607f94294 ] + +commit d3268a40d4b19f ("ASoC: soc-compress.c: fix NULL dereference") +enables DPCM capture, but it should independent from playback. +This patch fixup it. + +Fixes: d3268a40d4b1 ("ASoC: soc-compress.c: fix NULL dereference") +Link: https://lore.kernel.org/r/87tu0i6j7j.wl-kuninori.morimoto.gx@renesas.com +Acked-by: Charles Keepax +Acked-by: Pierre-Louis Bossart +Signed-off-by: Kuninori Morimoto +Link: https://lore.kernel.org/r/871qnkvo1s.wl-kuninori.morimoto.gx@renesas.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-compress.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/soc-compress.c b/sound/soc/soc-compress.c +index 409d082e80d15..7745a3e9044f3 100644 +--- a/sound/soc/soc-compress.c ++++ b/sound/soc/soc-compress.c +@@ -944,7 +944,7 @@ int snd_soc_new_compress(struct snd_soc_pcm_runtime *rtd, int num) + rtd->fe_compr = 1; + if (rtd->dai_link->dpcm_playback) + be_pcm->streams[SNDRV_PCM_STREAM_PLAYBACK].substream->private_data = rtd; +- else if (rtd->dai_link->dpcm_capture) ++ if (rtd->dai_link->dpcm_capture) + be_pcm->streams[SNDRV_PCM_STREAM_CAPTURE].substream->private_data = rtd; + memcpy(compr->ops, &soc_compr_dyn_ops, sizeof(soc_compr_dyn_ops)); + } else { +-- +2.39.2 + diff --git a/queue-4.19/ath9k-hif_usb-simplify-if-if-to-if-else.patch b/queue-4.19/ath9k-hif_usb-simplify-if-if-to-if-else.patch new file mode 100644 index 00000000000..7e60194c445 --- /dev/null +++ b/queue-4.19/ath9k-hif_usb-simplify-if-if-to-if-else.patch @@ -0,0 +1,44 @@ +From faf4c1c54a8104faab2679965d184aab182459ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Apr 2022 10:37:32 +0300 +Subject: ath9k: hif_usb: simplify if-if to if-else +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Wan Jiabing + +[ Upstream commit 2950833f10cfa601813262e1d9c8473f9415681b ] + +Use if and else instead of if(A) and if (!A). + +Signed-off-by: Wan Jiabing +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220424094441.104937-1-wanjiabing@vivo.com +Stable-dep-of: 0af54343a762 ("wifi: ath9k: hif_usb: clean up skbs if ath9k_hif_usb_rx_stream() fails") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/hif_usb.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c +index 8a18a33b5b59f..15c8b512a1d9f 100644 +--- a/drivers/net/wireless/ath/ath9k/hif_usb.c ++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c +@@ -368,10 +368,9 @@ static int __hif_usb_tx(struct hif_device_usb *hif_dev) + __skb_queue_head_init(&tx_buf->skb_queue); + list_move_tail(&tx_buf->list, &hif_dev->tx.tx_buf); + hif_dev->tx.tx_buf_cnt++; +- } +- +- if (!ret) ++ } else { + TX_STAT_INC(buf_queued); ++ } + + return ret; + } +-- +2.39.2 + diff --git a/queue-4.19/ath9k-htc-clean-up-statistics-macros.patch b/queue-4.19/ath9k-htc-clean-up-statistics-macros.patch new file mode 100644 index 00000000000..573b720e63d --- /dev/null +++ b/queue-4.19/ath9k-htc-clean-up-statistics-macros.patch @@ -0,0 +1,232 @@ +From bcdd0a5b92e5c1b1fe8e866ec9f592017d6ce6cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jun 2022 21:44:07 +0300 +Subject: ath9k: htc: clean up statistics macros +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pavel Skripkin + +[ Upstream commit d7fc76039b74ad37b7056d5607b05d7cb31a5404 ] + +I've changed *STAT_* macros a bit in previous patch and I seems like +they become really unreadable. Align these macros definitions to make +code cleaner and fix folllowing checkpatch warning + +ERROR: Macros with complex values should be enclosed in parentheses + +Also, statistics macros now accept an hif_dev as argument, since +macros that depend on having a local variable with a magic name +don't abide by the coding style. + +No functional change + +Suggested-by: Jeff Johnson +Signed-off-by: Pavel Skripkin +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/ebb2306d06a496cd1b032155ae52fdc5fa8cc2c5.1655145743.git.paskripkin@gmail.com +Stable-dep-of: 0af54343a762 ("wifi: ath9k: hif_usb: clean up skbs if ath9k_hif_usb_rx_stream() fails") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/hif_usb.c | 26 +++++++-------- + drivers/net/wireless/ath/ath9k/htc.h | 32 +++++++++++-------- + drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 10 +++--- + 3 files changed, 36 insertions(+), 32 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c +index 15c8b512a1d9f..f68e47f9b01e2 100644 +--- a/drivers/net/wireless/ath/ath9k/hif_usb.c ++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c +@@ -244,11 +244,11 @@ static inline void ath9k_skb_queue_complete(struct hif_device_usb *hif_dev, + ath9k_htc_txcompletion_cb(hif_dev->htc_handle, + skb, txok); + if (txok) { +- TX_STAT_INC(skb_success); +- TX_STAT_ADD(skb_success_bytes, ln); ++ TX_STAT_INC(hif_dev, skb_success); ++ TX_STAT_ADD(hif_dev, skb_success_bytes, ln); + } + else +- TX_STAT_INC(skb_failed); ++ TX_STAT_INC(hif_dev, skb_failed); + } + } + +@@ -302,7 +302,7 @@ static void hif_usb_tx_cb(struct urb *urb) + hif_dev->tx.tx_buf_cnt++; + if (!(hif_dev->tx.flags & HIF_USB_TX_STOP)) + __hif_usb_tx(hif_dev); /* Check for pending SKBs */ +- TX_STAT_INC(buf_completed); ++ TX_STAT_INC(hif_dev, buf_completed); + spin_unlock(&hif_dev->tx.tx_lock); + } + +@@ -353,7 +353,7 @@ static int __hif_usb_tx(struct hif_device_usb *hif_dev) + tx_buf->len += tx_buf->offset; + + __skb_queue_tail(&tx_buf->skb_queue, nskb); +- TX_STAT_INC(skb_queued); ++ TX_STAT_INC(hif_dev, skb_queued); + } + + usb_fill_bulk_urb(tx_buf->urb, hif_dev->udev, +@@ -369,7 +369,7 @@ static int __hif_usb_tx(struct hif_device_usb *hif_dev) + list_move_tail(&tx_buf->list, &hif_dev->tx.tx_buf); + hif_dev->tx.tx_buf_cnt++; + } else { +- TX_STAT_INC(buf_queued); ++ TX_STAT_INC(hif_dev, buf_queued); + } + + return ret; +@@ -514,7 +514,7 @@ static void hif_usb_sta_drain(void *hif_handle, u8 idx) + ath9k_htc_txcompletion_cb(hif_dev->htc_handle, + skb, false); + hif_dev->tx.tx_skb_cnt--; +- TX_STAT_INC(skb_failed); ++ TX_STAT_INC(hif_dev, skb_failed); + } + } + +@@ -585,14 +585,14 @@ static void ath9k_hif_usb_rx_stream(struct hif_device_usb *hif_dev, + pkt_tag = get_unaligned_le16(ptr + index + 2); + + if (pkt_tag != ATH_USB_RX_STREAM_MODE_TAG) { +- RX_STAT_INC(skb_dropped); ++ RX_STAT_INC(hif_dev, skb_dropped); + return; + } + + if (pkt_len > 2 * MAX_RX_BUF_SIZE) { + dev_err(&hif_dev->udev->dev, + "ath9k_htc: invalid pkt_len (%x)\n", pkt_len); +- RX_STAT_INC(skb_dropped); ++ RX_STAT_INC(hif_dev, skb_dropped); + return; + } + +@@ -618,7 +618,7 @@ static void ath9k_hif_usb_rx_stream(struct hif_device_usb *hif_dev, + goto err; + } + skb_reserve(nskb, 32); +- RX_STAT_INC(skb_allocated); ++ RX_STAT_INC(hif_dev, skb_allocated); + + memcpy(nskb->data, &(skb->data[chk_idx+4]), + hif_dev->rx_transfer_len); +@@ -639,7 +639,7 @@ static void ath9k_hif_usb_rx_stream(struct hif_device_usb *hif_dev, + goto err; + } + skb_reserve(nskb, 32); +- RX_STAT_INC(skb_allocated); ++ RX_STAT_INC(hif_dev, skb_allocated); + + memcpy(nskb->data, &(skb->data[chk_idx+4]), pkt_len); + skb_put(nskb, pkt_len); +@@ -649,10 +649,10 @@ static void ath9k_hif_usb_rx_stream(struct hif_device_usb *hif_dev, + + err: + for (i = 0; i < pool_index; i++) { +- RX_STAT_ADD(skb_completed_bytes, skb_pool[i]->len); ++ RX_STAT_ADD(hif_dev, skb_completed_bytes, skb_pool[i]->len); + ath9k_htc_rx_msg(hif_dev->htc_handle, skb_pool[i], + skb_pool[i]->len, USB_WLAN_RX_PIPE); +- RX_STAT_INC(skb_completed); ++ RX_STAT_INC(hif_dev, skb_completed); + } + } + +diff --git a/drivers/net/wireless/ath/ath9k/htc.h b/drivers/net/wireless/ath/ath9k/htc.h +index 81107100e3682..655238a59ee03 100644 +--- a/drivers/net/wireless/ath/ath9k/htc.h ++++ b/drivers/net/wireless/ath/ath9k/htc.h +@@ -325,14 +325,18 @@ static inline struct ath9k_htc_tx_ctl *HTC_SKB_CB(struct sk_buff *skb) + } + + #ifdef CONFIG_ATH9K_HTC_DEBUGFS +-#define __STAT_SAFE(expr) (hif_dev->htc_handle->drv_priv ? (expr) : 0) +-#define TX_STAT_INC(c) __STAT_SAFE(hif_dev->htc_handle->drv_priv->debug.tx_stats.c++) +-#define TX_STAT_ADD(c, a) __STAT_SAFE(hif_dev->htc_handle->drv_priv->debug.tx_stats.c += a) +-#define RX_STAT_INC(c) __STAT_SAFE(hif_dev->htc_handle->drv_priv->debug.skbrx_stats.c++) +-#define RX_STAT_ADD(c, a) __STAT_SAFE(hif_dev->htc_handle->drv_priv->debug.skbrx_stats.c += a) +-#define CAB_STAT_INC priv->debug.tx_stats.cab_queued++ +- +-#define TX_QSTAT_INC(q) (priv->debug.tx_stats.queue_stats[q]++) ++#define __STAT_SAFE(hif_dev, expr) ((hif_dev)->htc_handle->drv_priv ? (expr) : 0) ++#define CAB_STAT_INC(priv) ((priv)->debug.tx_stats.cab_queued++) ++#define TX_QSTAT_INC(priv, q) ((priv)->debug.tx_stats.queue_stats[q]++) ++ ++#define TX_STAT_INC(hif_dev, c) \ ++ __STAT_SAFE((hif_dev), (hif_dev)->htc_handle->drv_priv->debug.tx_stats.c++) ++#define TX_STAT_ADD(hif_dev, c, a) \ ++ __STAT_SAFE((hif_dev), (hif_dev)->htc_handle->drv_priv->debug.tx_stats.c += a) ++#define RX_STAT_INC(hif_dev, c) \ ++ __STAT_SAFE((hif_dev), (hif_dev)->htc_handle->drv_priv->debug.skbrx_stats.c++) ++#define RX_STAT_ADD(hif_dev, c, a) \ ++ __STAT_SAFE((hif_dev), (hif_dev)->htc_handle->drv_priv->debug.skbrx_stats.c += a) + + void ath9k_htc_err_stat_rx(struct ath9k_htc_priv *priv, + struct ath_rx_status *rs); +@@ -372,13 +376,13 @@ void ath9k_htc_get_et_stats(struct ieee80211_hw *hw, + struct ethtool_stats *stats, u64 *data); + #else + +-#define TX_STAT_INC(c) do { } while (0) +-#define TX_STAT_ADD(c, a) do { } while (0) +-#define RX_STAT_INC(c) do { } while (0) +-#define RX_STAT_ADD(c, a) do { } while (0) +-#define CAB_STAT_INC do { } while (0) ++#define TX_STAT_INC(hif_dev, c) ++#define TX_STAT_ADD(hif_dev, c, a) ++#define RX_STAT_INC(hif_dev, c) ++#define RX_STAT_ADD(hif_dev, c, a) + +-#define TX_QSTAT_INC(c) do { } while (0) ++#define CAB_STAT_INC(priv) ++#define TX_QSTAT_INC(priv, c) + + static inline void ath9k_htc_err_stat_rx(struct ath9k_htc_priv *priv, + struct ath_rx_status *rs) +diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c +index 3cd3f3ca1000d..979ac31a77a07 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c ++++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c +@@ -106,20 +106,20 @@ static inline enum htc_endpoint_id get_htc_epid(struct ath9k_htc_priv *priv, + + switch (qnum) { + case 0: +- TX_QSTAT_INC(IEEE80211_AC_VO); ++ TX_QSTAT_INC(priv, IEEE80211_AC_VO); + epid = priv->data_vo_ep; + break; + case 1: +- TX_QSTAT_INC(IEEE80211_AC_VI); ++ TX_QSTAT_INC(priv, IEEE80211_AC_VI); + epid = priv->data_vi_ep; + break; + case 2: +- TX_QSTAT_INC(IEEE80211_AC_BE); ++ TX_QSTAT_INC(priv, IEEE80211_AC_BE); + epid = priv->data_be_ep; + break; + case 3: + default: +- TX_QSTAT_INC(IEEE80211_AC_BK); ++ TX_QSTAT_INC(priv, IEEE80211_AC_BK); + epid = priv->data_bk_ep; + break; + } +@@ -323,7 +323,7 @@ static void ath9k_htc_tx_data(struct ath9k_htc_priv *priv, + memcpy(tx_fhdr, (u8 *) &tx_hdr, sizeof(tx_hdr)); + + if (is_cab) { +- CAB_STAT_INC; ++ CAB_STAT_INC(priv); + tx_ctl->epid = priv->cab_ep; + return; + } +-- +2.39.2 + diff --git a/queue-4.19/blk-mq-remove-stale-comment-for-blk_mq_sched_mark_re.patch b/queue-4.19/blk-mq-remove-stale-comment-for-blk_mq_sched_mark_re.patch new file mode 100644 index 00000000000..a985b6e0485 --- /dev/null +++ b/queue-4.19/blk-mq-remove-stale-comment-for-blk_mq_sched_mark_re.patch @@ -0,0 +1,41 @@ +From 5802bb27407c1635720f1794599911c97b7bf043 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jan 2023 17:37:14 +0800 +Subject: blk-mq: remove stale comment for blk_mq_sched_mark_restart_hctx + +From: Kemeng Shi + +[ Upstream commit c31e76bcc379182fe67a82c618493b7b8868c672 ] + +Commit 97889f9ac24f8 ("blk-mq: remove synchronize_rcu() from +blk_mq_del_queue_tag_set()") remove handle of TAG_SHARED in restart, +then shared_hctx_restart counted for how many hardware queues are marked +for restart is removed too. +Remove the stale comment that we still count hardware queues need restart. + +Fixes: 97889f9ac24f ("blk-mq: remove synchronize_rcu() from blk_mq_del_queue_tag_set()") +Reviewed-by: Christoph Hellwig +Signed-off-by: Kemeng Shi +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-mq-sched.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/block/blk-mq-sched.c b/block/blk-mq-sched.c +index d89a757cbde0f..dfa0a21a1fe46 100644 +--- a/block/blk-mq-sched.c ++++ b/block/blk-mq-sched.c +@@ -51,8 +51,7 @@ void blk_mq_sched_assign_ioc(struct request *rq, struct bio *bio) + } + + /* +- * Mark a hardware queue as needing a restart. For shared queues, maintain +- * a count of how many hardware queues are marked for restart. ++ * Mark a hardware queue as needing a restart. + */ + void blk_mq_sched_mark_restart_hctx(struct blk_mq_hw_ctx *hctx) + { +-- +2.39.2 + diff --git a/queue-4.19/block-bio-integrity-copy-flags-when-bio_integrity_pa.patch b/queue-4.19/block-bio-integrity-copy-flags-when-bio_integrity_pa.patch new file mode 100644 index 00000000000..5aa1896fc6c --- /dev/null +++ b/queue-4.19/block-bio-integrity-copy-flags-when-bio_integrity_pa.patch @@ -0,0 +1,44 @@ +From eaadf6ca5931582bfe16e7e62f24783ab3a01482 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Feb 2023 12:18:01 -0500 +Subject: block: bio-integrity: Copy flags when bio_integrity_payload is cloned + +From: Martin K. Petersen + +[ Upstream commit b6a4bdcda430e3ca43bbb9cb1d4d4d34ebe15c40 ] + +Make sure to copy the flags when a bio_integrity_payload is cloned. +Otherwise per-I/O properties such as IP checksum flag will not be +passed down to the HBA driver. Since the integrity buffer is owned by +the original bio, the BIP_BLOCK_INTEGRITY flag needs to be masked off +to avoid a double free in the completion path. + +Fixes: aae7df50190a ("block: Integrity checksum flag") +Fixes: b1f01388574c ("block: Relocate bio integrity flags") +Reported-by: Saurav Kashyap +Tested-by: Saurav Kashyap +Signed-off-by: Martin K. Petersen +Reviewed-by: Christoph Hellwig +Reviewed-by: Chaitanya Kulkarni +Link: https://lore.kernel.org/r/20230215171801.21062-1-martin.petersen@oracle.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bio-integrity.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/block/bio-integrity.c b/block/bio-integrity.c +index 2e22a3f7466a8..469e30a6d3cde 100644 +--- a/block/bio-integrity.c ++++ b/block/bio-integrity.c +@@ -444,6 +444,7 @@ int bio_integrity_clone(struct bio *bio, struct bio *bio_src, + + bip->bip_vcnt = bip_src->bip_vcnt; + bip->bip_iter = bip_src->bip_iter; ++ bip->bip_flags = bip_src->bip_flags & ~BIP_BLOCK_INTEGRITY; + + return 0; + } +-- +2.39.2 + diff --git a/queue-4.19/bluetooth-l2cap-fix-potential-user-after-free.patch b/queue-4.19/bluetooth-l2cap-fix-potential-user-after-free.patch new file mode 100644 index 00000000000..cafd066d8e3 --- /dev/null +++ b/queue-4.19/bluetooth-l2cap-fix-potential-user-after-free.patch @@ -0,0 +1,93 @@ +From 34047b7cb45701b402dee3d0f5d915b71b9be821 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Feb 2023 14:01:11 -0800 +Subject: Bluetooth: L2CAP: Fix potential user-after-free + +From: Luiz Augusto von Dentz + +[ Upstream commit df5703348813235874d851934e957c3723d71644 ] + +This fixes all instances of which requires to allocate a buffer calling +alloc_skb which may release the chan lock and reacquire later which +makes it possible that the chan is disconnected in the meantime. + +Fixes: a6a5568c03c4 ("Bluetooth: Lock the L2CAP channel when sending") +Reported-by: Alexander Coffin +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 24 ------------------------ + net/bluetooth/l2cap_sock.c | 8 ++++++++ + 2 files changed, 8 insertions(+), 24 deletions(-) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index fd95631205a6a..0e034925e3601 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -2517,14 +2517,6 @@ int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len) + if (IS_ERR(skb)) + return PTR_ERR(skb); + +- /* Channel lock is released before requesting new skb and then +- * reacquired thus we need to recheck channel state. +- */ +- if (chan->state != BT_CONNECTED) { +- kfree_skb(skb); +- return -ENOTCONN; +- } +- + l2cap_do_send(chan, skb); + return len; + } +@@ -2568,14 +2560,6 @@ int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len) + if (IS_ERR(skb)) + return PTR_ERR(skb); + +- /* Channel lock is released before requesting new skb and then +- * reacquired thus we need to recheck channel state. +- */ +- if (chan->state != BT_CONNECTED) { +- kfree_skb(skb); +- return -ENOTCONN; +- } +- + l2cap_do_send(chan, skb); + err = len; + break; +@@ -2596,14 +2580,6 @@ int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len) + */ + err = l2cap_segment_sdu(chan, &seg_queue, msg, len); + +- /* The channel could have been closed while segmenting, +- * check that it is still connected. +- */ +- if (chan->state != BT_CONNECTED) { +- __skb_queue_purge(&seg_queue); +- err = -ENOTCONN; +- } +- + if (err) + break; + +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index d938311c58a8d..1c6d01a27e0e8 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -1414,6 +1414,14 @@ static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan, + if (!skb) + return ERR_PTR(err); + ++ /* Channel lock is released before requesting new skb and then ++ * reacquired thus we need to recheck channel state. ++ */ ++ if (chan->state != BT_CONNECTED) { ++ kfree_skb(skb); ++ return ERR_PTR(-ENOTCONN); ++ } ++ + skb->priority = sk->sk_priority; + + bt_cb(skb)->l2cap.chan = chan; +-- +2.39.2 + diff --git a/queue-4.19/can-esd_usb-move-mislocated-storage-of-sja1000_ecc_s.patch b/queue-4.19/can-esd_usb-move-mislocated-storage-of-sja1000_ecc_s.patch new file mode 100644 index 00000000000..093646a36c3 --- /dev/null +++ b/queue-4.19/can-esd_usb-move-mislocated-storage-of-sja1000_ecc_s.patch @@ -0,0 +1,49 @@ +From cad69275177eec182e7ca7626f39025cb6455497 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Feb 2023 20:04:48 +0100 +Subject: can: esd_usb: Move mislocated storage of SJA1000_ECC_SEG bits in case + of a bus error + +From: Frank Jungclaus + +[ Upstream commit 118469f88180438ef43dee93d71f77c00e7b425d ] + +Move the supply for cf->data[3] (bit stream position of CAN error), in +case of a bus- or protocol-error, outside of the "switch (ecc & +SJA1000_ECC_MASK){}"-statement, because this bit stream position is +independent of the error type. + +Fixes: 96d8e90382dc ("can: Add driver for esd CAN-USB/2 device") +Signed-off-by: Frank Jungclaus +Link: https://lore.kernel.org/all/20230216190450.3901254-2-frank.jungclaus@esd.eu +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/usb/esd_usb2.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/can/usb/esd_usb2.c b/drivers/net/can/usb/esd_usb2.c +index ffdee5aeb8a93..d46599871919d 100644 +--- a/drivers/net/can/usb/esd_usb2.c ++++ b/drivers/net/can/usb/esd_usb2.c +@@ -290,7 +290,6 @@ static void esd_usb2_rx_event(struct esd_usb2_net_priv *priv, + cf->data[2] |= CAN_ERR_PROT_STUFF; + break; + default: +- cf->data[3] = ecc & SJA1000_ECC_SEG; + break; + } + +@@ -298,6 +297,9 @@ static void esd_usb2_rx_event(struct esd_usb2_net_priv *priv, + if (!(ecc & SJA1000_ECC_DIR)) + cf->data[2] |= CAN_ERR_PROT_TX; + ++ /* Bit stream position in CAN frame as the error was detected */ ++ cf->data[3] = ecc & SJA1000_ECC_SEG; ++ + if (priv->can.state == CAN_STATE_ERROR_WARNING || + priv->can.state == CAN_STATE_ERROR_PASSIVE) { + cf->data[1] = (txerr > rxerr) ? +-- +2.39.2 + diff --git a/queue-4.19/cifs-fix-lost-destroy-smbd-connection-when-mr-alloca.patch b/queue-4.19/cifs-fix-lost-destroy-smbd-connection-when-mr-alloca.patch new file mode 100644 index 00000000000..bd6fa6e60da --- /dev/null +++ b/queue-4.19/cifs-fix-lost-destroy-smbd-connection-when-mr-alloca.patch @@ -0,0 +1,42 @@ +From 2f5e5063acc613d72b3ad893dc23553084fd1215 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Nov 2022 16:42:07 +0800 +Subject: cifs: Fix lost destroy smbd connection when MR allocate failed + +From: Zhang Xiaoxu + +[ Upstream commit e9d3401d95d62a9531082cd2453ed42f2740e3fd ] + +If the MR allocate failed, the smb direct connection info is NULL, +then smbd_destroy() will directly return, then the connection info +will be leaked. + +Let's set the smb direct connection info to the server before call +smbd_destroy(). + +Fixes: c7398583340a ("CIFS: SMBD: Implement RDMA memory registration") +Signed-off-by: Zhang Xiaoxu +Acked-by: Paulo Alcantara (SUSE) +Reviewed-by: David Howells +Reviewed-by: Tom Talpey +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/smbdirect.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/cifs/smbdirect.c b/fs/cifs/smbdirect.c +index 591cd5c704323..de11b52a04dee 100644 +--- a/fs/cifs/smbdirect.c ++++ b/fs/cifs/smbdirect.c +@@ -1887,6 +1887,7 @@ static struct smbd_connection *_smbd_get_connection( + + allocate_mr_failed: + /* At this point, need to a full transport shutdown */ ++ server->smbd_conn = info; + smbd_destroy(server); + return NULL; + +-- +2.39.2 + diff --git a/queue-4.19/cifs-fix-warning-and-uaf-when-destroy-the-mr-list.patch b/queue-4.19/cifs-fix-warning-and-uaf-when-destroy-the-mr-list.patch new file mode 100644 index 00000000000..2f6f2ed419a --- /dev/null +++ b/queue-4.19/cifs-fix-warning-and-uaf-when-destroy-the-mr-list.patch @@ -0,0 +1,133 @@ +From dc67c71f0494cf462483eac9f0b24085d0e4045f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Nov 2022 16:42:08 +0800 +Subject: cifs: Fix warning and UAF when destroy the MR list + +From: Zhang Xiaoxu + +[ Upstream commit 3e161c2791f8e661eed24a2c624087084d910215 ] + +If the MR allocate failed, the MR recovery work not initialized +and list not cleared. Then will be warning and UAF when release +the MR: + + WARNING: CPU: 4 PID: 824 at kernel/workqueue.c:3066 __flush_work.isra.0+0xf7/0x110 + CPU: 4 PID: 824 Comm: mount.cifs Not tainted 6.1.0-rc5+ #82 + RIP: 0010:__flush_work.isra.0+0xf7/0x110 + Call Trace: + + __cancel_work_timer+0x2ba/0x2e0 + smbd_destroy+0x4e1/0x990 + _smbd_get_connection+0x1cbd/0x2110 + smbd_get_connection+0x21/0x40 + cifs_get_tcp_session+0x8ef/0xda0 + mount_get_conns+0x60/0x750 + cifs_mount+0x103/0xd00 + cifs_smb3_do_mount+0x1dd/0xcb0 + smb3_get_tree+0x1d5/0x300 + vfs_get_tree+0x41/0xf0 + path_mount+0x9b3/0xdd0 + __x64_sys_mount+0x190/0x1d0 + do_syscall_64+0x35/0x80 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + + BUG: KASAN: use-after-free in smbd_destroy+0x4fc/0x990 + Read of size 8 at addr ffff88810b156a08 by task mount.cifs/824 + CPU: 4 PID: 824 Comm: mount.cifs Tainted: G W 6.1.0-rc5+ #82 + Call Trace: + dump_stack_lvl+0x34/0x44 + print_report+0x171/0x472 + kasan_report+0xad/0x130 + smbd_destroy+0x4fc/0x990 + _smbd_get_connection+0x1cbd/0x2110 + smbd_get_connection+0x21/0x40 + cifs_get_tcp_session+0x8ef/0xda0 + mount_get_conns+0x60/0x750 + cifs_mount+0x103/0xd00 + cifs_smb3_do_mount+0x1dd/0xcb0 + smb3_get_tree+0x1d5/0x300 + vfs_get_tree+0x41/0xf0 + path_mount+0x9b3/0xdd0 + __x64_sys_mount+0x190/0x1d0 + do_syscall_64+0x35/0x80 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + + Allocated by task 824: + kasan_save_stack+0x1e/0x40 + kasan_set_track+0x21/0x30 + __kasan_kmalloc+0x7a/0x90 + _smbd_get_connection+0x1b6f/0x2110 + smbd_get_connection+0x21/0x40 + cifs_get_tcp_session+0x8ef/0xda0 + mount_get_conns+0x60/0x750 + cifs_mount+0x103/0xd00 + cifs_smb3_do_mount+0x1dd/0xcb0 + smb3_get_tree+0x1d5/0x300 + vfs_get_tree+0x41/0xf0 + path_mount+0x9b3/0xdd0 + __x64_sys_mount+0x190/0x1d0 + do_syscall_64+0x35/0x80 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + + Freed by task 824: + kasan_save_stack+0x1e/0x40 + kasan_set_track+0x21/0x30 + kasan_save_free_info+0x2a/0x40 + ____kasan_slab_free+0x143/0x1b0 + __kmem_cache_free+0xc8/0x330 + _smbd_get_connection+0x1c6a/0x2110 + smbd_get_connection+0x21/0x40 + cifs_get_tcp_session+0x8ef/0xda0 + mount_get_conns+0x60/0x750 + cifs_mount+0x103/0xd00 + cifs_smb3_do_mount+0x1dd/0xcb0 + smb3_get_tree+0x1d5/0x300 + vfs_get_tree+0x41/0xf0 + path_mount+0x9b3/0xdd0 + __x64_sys_mount+0x190/0x1d0 + do_syscall_64+0x35/0x80 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +Let's initialize the MR recovery work before MR allocate to prevent +the warning, remove the MRs from the list to prevent the UAF. + +Fixes: c7398583340a ("CIFS: SMBD: Implement RDMA memory registration") +Acked-by: Paulo Alcantara (SUSE) +Reviewed-by: Tom Talpey +Signed-off-by: Zhang Xiaoxu +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/smbdirect.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/cifs/smbdirect.c b/fs/cifs/smbdirect.c +index de11b52a04dee..ea1d8cfab4302 100644 +--- a/fs/cifs/smbdirect.c ++++ b/fs/cifs/smbdirect.c +@@ -2454,6 +2454,7 @@ static int allocate_mr_list(struct smbd_connection *info) + atomic_set(&info->mr_ready_count, 0); + atomic_set(&info->mr_used_count, 0); + init_waitqueue_head(&info->wait_for_mr_cleanup); ++ INIT_WORK(&info->mr_recovery_work, smbd_mr_recovery_work); + /* Allocate more MRs (2x) than hardware responder_resources */ + for (i = 0; i < info->responder_resources * 2; i++) { + smbdirect_mr = kzalloc(sizeof(*smbdirect_mr), GFP_KERNEL); +@@ -2482,13 +2483,13 @@ static int allocate_mr_list(struct smbd_connection *info) + list_add_tail(&smbdirect_mr->list, &info->mr_list); + atomic_inc(&info->mr_ready_count); + } +- INIT_WORK(&info->mr_recovery_work, smbd_mr_recovery_work); + return 0; + + out: + kfree(smbdirect_mr); + + list_for_each_entry_safe(smbdirect_mr, tmp, &info->mr_list, list) { ++ list_del(&smbdirect_mr->list); + ib_dereg_mr(smbdirect_mr->mr); + kfree(smbdirect_mr->sgl); + kfree(smbdirect_mr); +-- +2.39.2 + diff --git a/queue-4.19/clk-honor-clk_ops_parent_enable-in-clk_core_is_enabl.patch b/queue-4.19/clk-honor-clk_ops_parent_enable-in-clk_core_is_enabl.patch new file mode 100644 index 00000000000..71164ea26e9 --- /dev/null +++ b/queue-4.19/clk-honor-clk_ops_parent_enable-in-clk_core_is_enabl.patch @@ -0,0 +1,68 @@ +From 0bda68081b3c610cda0c9f4f09f1541dcb2552f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Jan 2023 17:23:30 +0800 +Subject: clk: Honor CLK_OPS_PARENT_ENABLE in clk_core_is_enabled() + +From: Chen-Yu Tsai + +[ Upstream commit 79200d5851c8e7179f68a4a6f162d8f1bde4986f ] + +In the previous commits that added CLK_OPS_PARENT_ENABLE, support for +this flag was only added to rate change operations (rate setting and +reparent) and disabling unused subtree. It was not added to the +clock gate related operations. Any hardware driver that needs it for +these operations will either see bogus results, or worse, hang. + +This has been seen on MT8192 and MT8195, where the imp_ii2_* clk +drivers set this, but dumping debugfs clk_summary would cause it +to hang. + +Prepare parent on prepare and enable parent on enable dependencies are +already handled automatically by the core as part of its sequencing. +Whether the case for "enable parent on prepare" should be supported by +this flag or not is not clear, and thus ignored for now. + +This change solely fixes the handling of clk_core_is_enabled, i.e. +enabling the parent clock when reading the hardware state. Unfortunately +clk_core_is_enabled is called in a variety of places, sometimes with +the enable clock already held. To avoid deadlocking, the core will +ignore readouts and just return false if CLK_OPS_PARENT_ENABLE is set +but the parent isn't currently enabled. + +Fixes: fc8726a2c021 ("clk: core: support clocks which requires parents enable (part 2)") +Fixes: a4b3518d146f ("clk: core: support clocks which requires parents enable (part 1)") +Signed-off-by: Chen-Yu Tsai +Link: https://lore.kernel.org/r/20230103092330.494102-1-wenst@chromium.org +Tested-by: AngeloGioacchino Del Regno +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/clk.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/clk/clk.c b/drivers/clk/clk.c +index 53ac3a0e741d7..a8d68ac9d0dea 100644 +--- a/drivers/clk/clk.c ++++ b/drivers/clk/clk.c +@@ -244,6 +244,17 @@ static bool clk_core_is_enabled(struct clk_core *core) + } + } + ++ /* ++ * This could be called with the enable lock held, or from atomic ++ * context. If the parent isn't enabled already, we can't do ++ * anything here. We can also assume this clock isn't enabled. ++ */ ++ if ((core->flags & CLK_OPS_PARENT_ENABLE) && core->parent) ++ if (!clk_core_is_enabled(core->parent)) { ++ ret = false; ++ goto done; ++ } ++ + ret = core->ops->is_enabled(core->hw); + done: + if (core->dev) +-- +2.39.2 + diff --git a/queue-4.19/crypto-crypto4xx-call-dma_unmap_page-when-done.patch b/queue-4.19/crypto-crypto4xx-call-dma_unmap_page-when-done.patch new file mode 100644 index 00000000000..a2ac9031ff9 --- /dev/null +++ b/queue-4.19/crypto-crypto4xx-call-dma_unmap_page-when-done.patch @@ -0,0 +1,64 @@ +From 8b3f739421a57d13d1eda860cb9fc494574d62da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Feb 2023 14:01:53 +0800 +Subject: crypto: crypto4xx - Call dma_unmap_page when done + +From: Herbert Xu + +[ Upstream commit bcdda4301bdc4955d45f7e1ffefb6207967b067e ] + +In crypto4xx_cipher_done, we should be unmapping the dst page, not +mapping it. + +This was flagged by a sparse warning about the unused addr variable. +While we're at it, also fix a sparse warning regarding the unused +ctx variable in crypto4xx_ahash_done (by actually using it). + +Fixes: 049359d65527 ("crypto: amcc - Add crypt4xx driver") +Signed-off-by: Herbert Xu +Tested-by: Christian Lamparter +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/amcc/crypto4xx_core.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/drivers/crypto/amcc/crypto4xx_core.c b/drivers/crypto/amcc/crypto4xx_core.c +index cd00afb5786e8..2c70a64cc8317 100644 +--- a/drivers/crypto/amcc/crypto4xx_core.c ++++ b/drivers/crypto/amcc/crypto4xx_core.c +@@ -529,7 +529,6 @@ static void crypto4xx_cipher_done(struct crypto4xx_device *dev, + { + struct skcipher_request *req; + struct scatterlist *dst; +- dma_addr_t addr; + + req = skcipher_request_cast(pd_uinfo->async_req); + +@@ -538,8 +537,8 @@ static void crypto4xx_cipher_done(struct crypto4xx_device *dev, + req->cryptlen, req->dst); + } else { + dst = pd_uinfo->dest_va; +- addr = dma_map_page(dev->core_dev->device, sg_page(dst), +- dst->offset, dst->length, DMA_FROM_DEVICE); ++ dma_unmap_page(dev->core_dev->device, pd->dest, dst->length, ++ DMA_FROM_DEVICE); + } + + if (pd_uinfo->sa_va->sa_command_0.bf.save_iv == SA_SAVE_IV) { +@@ -564,10 +563,9 @@ static void crypto4xx_ahash_done(struct crypto4xx_device *dev, + struct ahash_request *ahash_req; + + ahash_req = ahash_request_cast(pd_uinfo->async_req); +- ctx = crypto_tfm_ctx(ahash_req->base.tfm); ++ ctx = crypto_ahash_ctx(crypto_ahash_reqtfm(ahash_req)); + +- crypto4xx_copy_digest_to_dst(ahash_req->result, pd_uinfo, +- crypto_tfm_ctx(ahash_req->base.tfm)); ++ crypto4xx_copy_digest_to_dst(ahash_req->result, pd_uinfo, ctx); + crypto4xx_ret_sg_desc(dev, pd_uinfo); + + if (pd_uinfo->state & PD_ENTRY_BUSY) +-- +2.39.2 + diff --git a/queue-4.19/crypto-rsa-pkcs1pad-use-akcipher_request_complete.patch b/queue-4.19/crypto-rsa-pkcs1pad-use-akcipher_request_complete.patch new file mode 100644 index 00000000000..4224bff3d57 --- /dev/null +++ b/queue-4.19/crypto-rsa-pkcs1pad-use-akcipher_request_complete.patch @@ -0,0 +1,91 @@ +From 4db2b31182c628640ad57daa6458e2667198cfe4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Jan 2023 16:02:04 +0800 +Subject: crypto: rsa-pkcs1pad - Use akcipher_request_complete + +From: Herbert Xu + +[ Upstream commit 564cabc0ca0bdfa8f0fc1ae74b24d0a7554522c5 ] + +Use the akcipher_request_complete helper instead of calling the +completion function directly. In fact the previous code was buggy +in that EINPROGRESS was never passed back to the original caller. + +Fixes: 3d5b1ecdea6f ("crypto: rsa - RSA padding algorithm") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/rsa-pkcs1pad.c | 34 +++++++++++++++------------------- + 1 file changed, 15 insertions(+), 19 deletions(-) + +diff --git a/crypto/rsa-pkcs1pad.c b/crypto/rsa-pkcs1pad.c +index 812476e468213..444a3c630924d 100644 +--- a/crypto/rsa-pkcs1pad.c ++++ b/crypto/rsa-pkcs1pad.c +@@ -216,16 +216,14 @@ static void pkcs1pad_encrypt_sign_complete_cb( + struct crypto_async_request *child_async_req, int err) + { + struct akcipher_request *req = child_async_req->data; +- struct crypto_async_request async_req; + + if (err == -EINPROGRESS) +- return; ++ goto out; ++ ++ err = pkcs1pad_encrypt_sign_complete(req, err); + +- async_req.data = req->base.data; +- async_req.tfm = crypto_akcipher_tfm(crypto_akcipher_reqtfm(req)); +- async_req.flags = child_async_req->flags; +- req->base.complete(&async_req, +- pkcs1pad_encrypt_sign_complete(req, err)); ++out: ++ akcipher_request_complete(req, err); + } + + static int pkcs1pad_encrypt(struct akcipher_request *req) +@@ -334,15 +332,14 @@ static void pkcs1pad_decrypt_complete_cb( + struct crypto_async_request *child_async_req, int err) + { + struct akcipher_request *req = child_async_req->data; +- struct crypto_async_request async_req; + + if (err == -EINPROGRESS) +- return; ++ goto out; ++ ++ err = pkcs1pad_decrypt_complete(req, err); + +- async_req.data = req->base.data; +- async_req.tfm = crypto_akcipher_tfm(crypto_akcipher_reqtfm(req)); +- async_req.flags = child_async_req->flags; +- req->base.complete(&async_req, pkcs1pad_decrypt_complete(req, err)); ++out: ++ akcipher_request_complete(req, err); + } + + static int pkcs1pad_decrypt(struct akcipher_request *req) +@@ -500,15 +497,14 @@ static void pkcs1pad_verify_complete_cb( + struct crypto_async_request *child_async_req, int err) + { + struct akcipher_request *req = child_async_req->data; +- struct crypto_async_request async_req; + + if (err == -EINPROGRESS) +- return; ++ goto out; + +- async_req.data = req->base.data; +- async_req.tfm = crypto_akcipher_tfm(crypto_akcipher_reqtfm(req)); +- async_req.flags = child_async_req->flags; +- req->base.complete(&async_req, pkcs1pad_verify_complete(req, err)); ++ err = pkcs1pad_verify_complete(req, err); ++ ++out: ++ akcipher_request_complete(req, err); + } + + /* +-- +2.39.2 + diff --git a/queue-4.19/crypto-seqiv-handle-ebusy-correctly.patch b/queue-4.19/crypto-seqiv-handle-ebusy-correctly.patch new file mode 100644 index 00000000000..57db5e73efa --- /dev/null +++ b/queue-4.19/crypto-seqiv-handle-ebusy-correctly.patch @@ -0,0 +1,40 @@ +From 05e9e6eef5007d6939c205b344b5080ebaa45a1f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Jan 2023 18:27:51 +0800 +Subject: crypto: seqiv - Handle EBUSY correctly + +From: Herbert Xu + +[ Upstream commit 32e62025e5e52fbe4812ef044759de7010b15dbc ] + +As it is seqiv only handles the special return value of EINPROGERSS, +which means that in all other cases it will free data related to the +request. + +However, as the caller of seqiv may specify MAY_BACKLOG, we also need +to expect EBUSY and treat it in the same way. Otherwise backlogged +requests will trigger a use-after-free. + +Fixes: 0a270321dbf9 ("[CRYPTO] seqiv: Add Sequence Number IV Generator") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/seqiv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/seqiv.c b/crypto/seqiv.c +index 39dbf2f7e5f5c..ca68608ab14e1 100644 +--- a/crypto/seqiv.c ++++ b/crypto/seqiv.c +@@ -30,7 +30,7 @@ static void seqiv_aead_encrypt_complete2(struct aead_request *req, int err) + struct aead_request *subreq = aead_request_ctx(req); + struct crypto_aead *geniv; + +- if (err == -EINPROGRESS) ++ if (err == -EINPROGRESS || err == -EBUSY) + return; + + if (err) +-- +2.39.2 + diff --git a/queue-4.19/dm-cache-add-cond_resched-to-various-workqueue-loops.patch b/queue-4.19/dm-cache-add-cond_resched-to-various-workqueue-loops.patch new file mode 100644 index 00000000000..ab5c0e893a8 --- /dev/null +++ b/queue-4.19/dm-cache-add-cond_resched-to-various-workqueue-loops.patch @@ -0,0 +1,50 @@ +From 87c407623d7587597cb2c35b6b2e44845685631a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Feb 2023 15:31:08 -0500 +Subject: dm cache: add cond_resched() to various workqueue loops + +From: Mike Snitzer + +[ Upstream commit 76227f6dc805e9e960128bcc6276647361e0827c ] + +Otherwise on resource constrained systems these workqueues may be too +greedy. + +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm-cache-target.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c +index df7bc45bc0ced..b3371812a2158 100644 +--- a/drivers/md/dm-cache-target.c ++++ b/drivers/md/dm-cache-target.c +@@ -1905,6 +1905,7 @@ static void process_deferred_bios(struct work_struct *ws) + + else + commit_needed = process_bio(cache, bio) || commit_needed; ++ cond_resched(); + } + + if (commit_needed) +@@ -1927,6 +1928,7 @@ static void requeue_deferred_bios(struct cache *cache) + while ((bio = bio_list_pop(&bios))) { + bio->bi_status = BLK_STS_DM_REQUEUE; + bio_endio(bio); ++ cond_resched(); + } + } + +@@ -1967,6 +1969,8 @@ static void check_migrations(struct work_struct *ws) + r = mg_start(cache, op, NULL); + if (r) + break; ++ ++ cond_resched(); + } + } + +-- +2.39.2 + diff --git a/queue-4.19/dm-remove-flush_scheduled_work-during-local_exit.patch b/queue-4.19/dm-remove-flush_scheduled_work-during-local_exit.patch new file mode 100644 index 00000000000..c9a752bbaf4 --- /dev/null +++ b/queue-4.19/dm-remove-flush_scheduled_work-during-local_exit.patch @@ -0,0 +1,43 @@ +From 7e546579b378ffa35ff7985071642ad0bd89e0df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Feb 2023 13:06:05 -0500 +Subject: dm: remove flush_scheduled_work() during local_exit() + +From: Mike Snitzer + +[ Upstream commit 0b22ff5360f5c4e11050b89206370fdf7dc0a226 ] + +Commit acfe0ad74d2e1 ("dm: allocate a special workqueue for deferred +device removal") switched from using system workqueue to a single +workqueue local to DM. But it didn't eliminate the call to +flush_scheduled_work() that was introduced purely for the benefit of +deferred device removal with commit 2c140a246dc ("dm: allow remove to +be deferred"). + +Since DM core uses its own workqueue (and queue_work) there is no need +to call flush_scheduled_work() from local_exit(). local_exit()'s +destroy_workqueue(deferred_remove_workqueue) handles flushing work +started with queue_work(). + +Fixes: acfe0ad74d2e1 ("dm: allocate a special workqueue for deferred device removal") +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/md/dm.c b/drivers/md/dm.c +index 324d1dd58e2bc..3d9a77f4e20f8 100644 +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -279,7 +279,6 @@ static int __init local_init(void) + + static void local_exit(void) + { +- flush_scheduled_work(); + destroy_workqueue(deferred_remove_workqueue); + + kmem_cache_destroy(_rq_cache); +-- +2.39.2 + diff --git a/queue-4.19/dm-thin-add-cond_resched-to-various-workqueue-loops.patch b/queue-4.19/dm-thin-add-cond_resched-to-various-workqueue-loops.patch new file mode 100644 index 00000000000..bb1ae17ad07 --- /dev/null +++ b/queue-4.19/dm-thin-add-cond_resched-to-various-workqueue-loops.patch @@ -0,0 +1,41 @@ +From 181ba8755f3c86dac87a630d6a7c2f9b58ffda2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Feb 2023 15:29:44 -0500 +Subject: dm thin: add cond_resched() to various workqueue loops + +From: Mike Snitzer + +[ Upstream commit e4f80303c2353952e6e980b23914e4214487f2a6 ] + +Otherwise on resource constrained systems these workqueues may be too +greedy. + +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm-thin.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/md/dm-thin.c b/drivers/md/dm-thin.c +index 386cb33953783..969ea013c74e4 100644 +--- a/drivers/md/dm-thin.c ++++ b/drivers/md/dm-thin.c +@@ -2222,6 +2222,7 @@ static void process_thin_deferred_bios(struct thin_c *tc) + throttle_work_update(&pool->throttle); + dm_pool_issue_prefetches(pool->pmd); + } ++ cond_resched(); + } + blk_finish_plug(&plug); + } +@@ -2305,6 +2306,7 @@ static void process_thin_deferred_cells(struct thin_c *tc) + else + pool->process_cell(tc, cell); + } ++ cond_resched(); + } while (!list_empty(&cells)); + } + +-- +2.39.2 + diff --git a/queue-4.19/docs-scripts-gdb-add-necessary-make-scripts_gdb-step.patch b/queue-4.19/docs-scripts-gdb-add-necessary-make-scripts_gdb-step.patch new file mode 100644 index 00000000000..23afbf7a004 --- /dev/null +++ b/queue-4.19/docs-scripts-gdb-add-necessary-make-scripts_gdb-step.patch @@ -0,0 +1,46 @@ +From 8fb7712dc995b97e6e70c5b9d6c48ecc034725ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jan 2023 00:23:20 +0100 +Subject: docs/scripts/gdb: add necessary make scripts_gdb step + +From: Jakob Koschel + +[ Upstream commit 6b219431037bf98c9efd49716aea9b68440477a3 ] + +In order to debug the kernel successfully with gdb you need to run +'make scripts_gdb' nowadays. + +This was changed with the following commit: + +Commit 67274c083438340ad16c ("scripts/gdb: delay generation of gdb +constants.py") + +In order to have a complete guide for beginners this remark +should be added to the offial documentation. + +Signed-off-by: Jakob Koschel +Link: https://lore.kernel.org/r/20230112-documentation-gdb-v2-1-292785c43dc9@gmail.com +Signed-off-by: Jonathan Corbet +Signed-off-by: Sasha Levin +--- + Documentation/dev-tools/gdb-kernel-debugging.rst | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/Documentation/dev-tools/gdb-kernel-debugging.rst b/Documentation/dev-tools/gdb-kernel-debugging.rst +index 19df79286f000..afe4bc206486c 100644 +--- a/Documentation/dev-tools/gdb-kernel-debugging.rst ++++ b/Documentation/dev-tools/gdb-kernel-debugging.rst +@@ -39,6 +39,10 @@ Setup + this mode. In this case, you should build the kernel with + CONFIG_RANDOMIZE_BASE disabled if the architecture supports KASLR. + ++- Build the gdb scripts (required on kernels v5.1 and above):: ++ ++ make scripts_gdb ++ + - Enable the gdb stub of QEMU/KVM, either + + - at VM startup time by appending "-s" to the QEMU command line +-- +2.39.2 + diff --git a/queue-4.19/drm-amd-display-fix-potential-null-deref-in-dm_resum.patch b/queue-4.19/drm-amd-display-fix-potential-null-deref-in-dm_resum.patch new file mode 100644 index 00000000000..312c14cee80 --- /dev/null +++ b/queue-4.19/drm-amd-display-fix-potential-null-deref-in-dm_resum.patch @@ -0,0 +1,53 @@ +From b0273907f4523a13a1f67a2dc7feb67dd1fc2f31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Dec 2022 09:06:42 -0500 +Subject: drm/amd/display: Fix potential null-deref in dm_resume + +From: Roman Li + +[ Upstream commit 7a7175a2cd84b7874bebbf8e59f134557a34161b ] + +[Why] +Fixing smatch error: +dm_resume() error: we previously assumed 'aconnector->dc_link' could be null + +[How] +Check if dc_link null at the beginning of the loop, +so further checks can be dropped. + +Reported-by: kernel test robot +Reported-by: Dan Carpenter + +Reviewed-by: Wayne Lin +Acked-by: Jasdeep Dhillon +Signed-off-by: Roman Li +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index 57678e6dcdc4c..98d51bc204172 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -773,12 +773,14 @@ static int dm_resume(void *handle) + list_for_each_entry(connector, &ddev->mode_config.connector_list, head) { + aconnector = to_amdgpu_dm_connector(connector); + ++ if (!aconnector->dc_link) ++ continue; ++ + /* + * this is the case when traversing through already created + * MST connectors, should be skipped + */ +- if (aconnector->dc_link && +- aconnector->dc_link->type == dc_connection_mst_branch) ++ if (aconnector->dc_link->type == dc_connection_mst_branch) + continue; + + mutex_lock(&aconnector->hpd_lock); +-- +2.39.2 + diff --git a/queue-4.19/drm-bridge-megachips-fix-error-handling-in-i2c_regis.patch b/queue-4.19/drm-bridge-megachips-fix-error-handling-in-i2c_regis.patch new file mode 100644 index 00000000000..9af3be25b38 --- /dev/null +++ b/queue-4.19/drm-bridge-megachips-fix-error-handling-in-i2c_regis.patch @@ -0,0 +1,65 @@ +From f39a21635f189fedc8b701f92e3b4362621027e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Nov 2022 09:12:26 +0000 +Subject: drm/bridge: megachips: Fix error handling in i2c_register_driver() + +From: Yuan Can + +[ Upstream commit 4ecff954c370b82bce45bdca2846c5c5563e8a8a ] + +A problem about insmod megachips-stdpxxxx-ge-b850v3-fw.ko failed is +triggered with the following log given: + +[ 4497.981497] Error: Driver 'stdp4028-ge-b850v3-fw' is already registered, aborting... +insmod: ERROR: could not insert module megachips-stdpxxxx-ge-b850v3-fw.ko: Device or resource busy + +The reason is that stdpxxxx_ge_b850v3_init() returns i2c_add_driver() +directly without checking its return value, if i2c_add_driver() failed, +it returns without calling i2c_del_driver() on the previous i2c driver, +resulting the megachips-stdpxxxx-ge-b850v3-fw can never be installed +later. +A simple call graph is shown as below: + + stdpxxxx_ge_b850v3_init() + i2c_add_driver(&stdp4028_ge_b850v3_fw_driver) + i2c_add_driver(&stdp2690_ge_b850v3_fw_driver) + i2c_register_driver() + driver_register() + bus_add_driver() + priv = kzalloc(...) # OOM happened + # return without delete stdp4028_ge_b850v3_fw_driver + +Fix by calling i2c_del_driver() on stdp4028_ge_b850v3_fw_driver when +i2c_add_driver() returns error. + +Fixes: fcfa0ddc18ed ("drm/bridge: Drivers for megachips-stdpxxxx-ge-b850v3-fw (LVDS-DP++)") +Signed-off-by: Yuan Can +Reviewed-by: Andrzej Hajda +Tested-by: Ian Ray +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20221108091226.114524-1-yuancan@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c b/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c +index 07e3a8aaa0e4b..dfc0ada99b5c5 100644 +--- a/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c ++++ b/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c +@@ -437,7 +437,11 @@ static int __init stdpxxxx_ge_b850v3_init(void) + if (ret) + return ret; + +- return i2c_add_driver(&stdp2690_ge_b850v3_fw_driver); ++ ret = i2c_add_driver(&stdp2690_ge_b850v3_fw_driver); ++ if (ret) ++ i2c_del_driver(&stdp4028_ge_b850v3_fw_driver); ++ ++ return ret; + } + module_init(stdpxxxx_ge_b850v3_init); + +-- +2.39.2 + diff --git a/queue-4.19/drm-clarify-definition-of-the-drm_bus_flag_-pixdata-.patch b/queue-4.19/drm-clarify-definition-of-the-drm_bus_flag_-pixdata-.patch new file mode 100644 index 00000000000..cc2106658a8 --- /dev/null +++ b/queue-4.19/drm-clarify-definition-of-the-drm_bus_flag_-pixdata-.patch @@ -0,0 +1,92 @@ +From 5617fc97ffc5fcee3609bb300ad12002171400b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 22 Sep 2018 14:43:56 +0300 +Subject: drm: Clarify definition of the DRM_BUS_FLAG_(PIXDATA|SYNC)_* macros + +From: Laurent Pinchart + +[ Upstream commit a792fa0e21876c9cbae7cc170083016299153051 ] + +The DRM_BUS_FLAG_PIXDATA_POSEDGE and DRM_BUS_FLAG_PIXDATA_NEGEDGE macros +and their DRM_BUS_FLAG_SYNC_* counterparts define on which pixel clock +edge data and sync signals are driven. They are however used in some +drivers to define on which pixel clock edge data and sync signals are +sampled, which should usually (but not always) be the opposite edge of +the driving edge. This creates confusion. + +Create four new macros for both PIXDATA and SYNC that explicitly state +the driving and sampling edge in their name to remove the confusion. The +driving macros are defined as the opposite of the sampling macros to +made code simpler based on the assumption that the driving and sampling +edges are opposite. + +Signed-off-by: Laurent Pinchart +Acked-by: Linus Walleij +Reviewed-by: Stefan Agner +Tested-by: Sebastian Reichel +Signed-off-by: Tomi Valkeinen +Stable-dep-of: 0870d86eac8a ("drm/vc4: dpi: Fix format mapping for RGB565") +Signed-off-by: Sasha Levin +--- + include/drm/drm_connector.h | 36 ++++++++++++++++++++++++++++++++---- + 1 file changed, 32 insertions(+), 4 deletions(-) + +diff --git a/include/drm/drm_connector.h b/include/drm/drm_connector.h +index e5f641cdab5a4..f9f85a466cb8a 100644 +--- a/include/drm/drm_connector.h ++++ b/include/drm/drm_connector.h +@@ -329,19 +329,47 @@ struct drm_display_info { + + #define DRM_BUS_FLAG_DE_LOW (1<<0) + #define DRM_BUS_FLAG_DE_HIGH (1<<1) +-/* drive data on pos. edge */ ++ ++/* ++ * Don't use those two flags directly, use the DRM_BUS_FLAG_PIXDATA_DRIVE_* ++ * and DRM_BUS_FLAG_PIXDATA_SAMPLE_* variants to qualify the flags explicitly. ++ * The DRM_BUS_FLAG_PIXDATA_SAMPLE_* flags are defined as the opposite of the ++ * DRM_BUS_FLAG_PIXDATA_DRIVE_* flags to make code simpler, as signals are ++ * usually to be sampled on the opposite edge of the driving edge. ++ */ + #define DRM_BUS_FLAG_PIXDATA_POSEDGE (1<<2) +-/* drive data on neg. edge */ + #define DRM_BUS_FLAG_PIXDATA_NEGEDGE (1<<3) ++ ++/* Drive data on rising edge */ ++#define DRM_BUS_FLAG_PIXDATA_DRIVE_POSEDGE DRM_BUS_FLAG_PIXDATA_POSEDGE ++/* Drive data on falling edge */ ++#define DRM_BUS_FLAG_PIXDATA_DRIVE_NEGEDGE DRM_BUS_FLAG_PIXDATA_NEGEDGE ++/* Sample data on rising edge */ ++#define DRM_BUS_FLAG_PIXDATA_SAMPLE_POSEDGE DRM_BUS_FLAG_PIXDATA_NEGEDGE ++/* Sample data on falling edge */ ++#define DRM_BUS_FLAG_PIXDATA_SAMPLE_NEGEDGE DRM_BUS_FLAG_PIXDATA_POSEDGE ++ + /* data is transmitted MSB to LSB on the bus */ + #define DRM_BUS_FLAG_DATA_MSB_TO_LSB (1<<4) + /* data is transmitted LSB to MSB on the bus */ + #define DRM_BUS_FLAG_DATA_LSB_TO_MSB (1<<5) +-/* drive sync on pos. edge */ ++ ++/* ++ * Similarly to the DRM_BUS_FLAG_PIXDATA_* flags, don't use these two flags ++ * directly, use one of the DRM_BUS_FLAG_SYNC_(DRIVE|SAMPLE)_* instead. ++ */ + #define DRM_BUS_FLAG_SYNC_POSEDGE (1<<6) +-/* drive sync on neg. edge */ + #define DRM_BUS_FLAG_SYNC_NEGEDGE (1<<7) + ++/* Drive sync on rising edge */ ++#define DRM_BUS_FLAG_SYNC_DRIVE_POSEDGE DRM_BUS_FLAG_SYNC_POSEDGE ++/* Drive sync on falling edge */ ++#define DRM_BUS_FLAG_SYNC_DRIVE_NEGEDGE DRM_BUS_FLAG_SYNC_NEGEDGE ++/* Sample sync on rising edge */ ++#define DRM_BUS_FLAG_SYNC_SAMPLE_POSEDGE DRM_BUS_FLAG_SYNC_NEGEDGE ++/* Sample sync on falling edge */ ++#define DRM_BUS_FLAG_SYNC_SAMPLE_NEGEDGE DRM_BUS_FLAG_SYNC_POSEDGE ++ + /** + * @bus_flags: Additional information (like pixel signal polarity) for + * the pixel data on the bus, using DRM_BUS_FLAGS\_ defines. +-- +2.39.2 + diff --git a/queue-4.19/drm-mediatek-clean-dangling-pointer-on-bind-error-pa.patch b/queue-4.19/drm-mediatek-clean-dangling-pointer-on-bind-error-pa.patch new file mode 100644 index 00000000000..c8528b19688 --- /dev/null +++ b/queue-4.19/drm-mediatek-clean-dangling-pointer-on-bind-error-pa.patch @@ -0,0 +1,44 @@ +From 0f7a6f5d8dced43d14b7be9c9bc8b4f92eeadfd9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Nov 2022 09:39:49 -0500 +Subject: drm/mediatek: Clean dangling pointer on bind error path +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nícolas F. R. A. Prado + +[ Upstream commit 36aa8c61af55675ed967900fbe5deb32d776f051 ] + +mtk_drm_bind() can fail, in which case drm_dev_put() is called, +destroying the drm_device object. However a pointer to it was still +being held in the private object, and that pointer would be passed along +to DRM in mtk_drm_sys_prepare() if a suspend were triggered at that +point, resulting in a panic. Clean the pointer when destroying the +object in the error path to prevent this from happening. + +Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.") +Signed-off-by: Nícolas F. R. A. Prado +Reviewed-by: AngeloGioacchino Del Regno +Link: https://patchwork.kernel.org/project/linux-mediatek/patch/20221122143949.3493104-1-nfraprado@collabora.com/ +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_drm_drv.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c +index d143217636071..eeb1277794dbf 100644 +--- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c ++++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c +@@ -425,6 +425,7 @@ static int mtk_drm_bind(struct device *dev) + err_deinit: + mtk_drm_kms_deinit(drm); + err_free: ++ private->drm = NULL; + drm_dev_put(drm); + return ret; + } +-- +2.39.2 + diff --git a/queue-4.19/drm-mediatek-drop-unbalanced-obj-unref.patch b/queue-4.19/drm-mediatek-drop-unbalanced-obj-unref.patch new file mode 100644 index 00000000000..2d3e999b96b --- /dev/null +++ b/queue-4.19/drm-mediatek-drop-unbalanced-obj-unref.patch @@ -0,0 +1,37 @@ +From ff7ca05665e39a84c7306cae1a1363b4a9dbdda6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jan 2023 15:12:55 -0800 +Subject: drm/mediatek: Drop unbalanced obj unref + +From: Rob Clark + +[ Upstream commit 4deef811828e87e26a978d5d6433b261d4713849 ] + +In the error path, mtk_drm_gem_object_mmap() is dropping an obj +reference that it doesn't own. + +Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.") +Signed-off-by: Rob Clark +Link: https://patchwork.kernel.org/project/linux-mediatek/patch/20230119231255.2883365-1-robdclark@gmail.com/ +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_drm_gem.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c b/drivers/gpu/drm/mediatek/mtk_drm_gem.c +index 259b7b0de1d22..b09a37a38e0ae 100644 +--- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c ++++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c +@@ -148,8 +148,6 @@ static int mtk_drm_gem_object_mmap(struct drm_gem_object *obj, + + ret = dma_mmap_attrs(priv->dma_dev, vma, mtk_gem->cookie, + mtk_gem->dma_addr, obj->size, mtk_gem->dma_attrs); +- if (ret) +- drm_gem_vm_close(vma); + + return ret; + } +-- +2.39.2 + diff --git a/queue-4.19/drm-mipi-dsi-fix-byte-order-of-16-bit-dcs-set-get-br.patch b/queue-4.19/drm-mipi-dsi-fix-byte-order-of-16-bit-dcs-set-get-br.patch new file mode 100644 index 00000000000..48db728b2d9 --- /dev/null +++ b/queue-4.19/drm-mipi-dsi-fix-byte-order-of-16-bit-dcs-set-get-br.patch @@ -0,0 +1,117 @@ +From 51259aacb3e58a89dd84c99bb5a2fffa21eff74b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Jan 2023 17:49:07 -0500 +Subject: drm/mipi-dsi: Fix byte order of 16-bit DCS set/get brightness + +From: Daniel Mentz + +[ Upstream commit c9d27c6be518b4ef2966d9564654ef99292ea1b3 ] + +The MIPI DCS specification demands that brightness values are sent in +big endian byte order. It also states that one parameter (i.e. one byte) +shall be sent/received for 8 bit wide values, and two parameters shall +be used for values that are between 9 and 16 bits wide. + +Add new functions to properly handle 16-bit brightness in big endian, +since the two 8- and 16-bit cases are distinct from each other. + +[richard: use separate functions instead of switch/case] +[richard: split into 16-bit component] + +Fixes: 1a9d759331b8 ("drm/dsi: Implement DCS set/get display brightness") +Signed-off-by: Daniel Mentz +Link: https://android.googlesource.com/kernel/msm/+/754affd62d0ee268c686c53169b1dbb7deac8550 +[richard: fix 16-bit brightness_get] +Signed-off-by: Richard Acayan +Tested-by: Caleb Connolly +Reviewed-by: Neil Armstrong +Reviewed-by: Sam Ravnborg +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20230116224909.23884-2-mailingradian@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_mipi_dsi.c | 52 ++++++++++++++++++++++++++++++++++ + include/drm/drm_mipi_dsi.h | 4 +++ + 2 files changed, 56 insertions(+) + +diff --git a/drivers/gpu/drm/drm_mipi_dsi.c b/drivers/gpu/drm/drm_mipi_dsi.c +index c8c9daecd00da..81923442b42d0 100644 +--- a/drivers/gpu/drm/drm_mipi_dsi.c ++++ b/drivers/gpu/drm/drm_mipi_dsi.c +@@ -1096,6 +1096,58 @@ int mipi_dsi_dcs_get_display_brightness(struct mipi_dsi_device *dsi, + } + EXPORT_SYMBOL(mipi_dsi_dcs_get_display_brightness); + ++/** ++ * mipi_dsi_dcs_set_display_brightness_large() - sets the 16-bit brightness value ++ * of the display ++ * @dsi: DSI peripheral device ++ * @brightness: brightness value ++ * ++ * Return: 0 on success or a negative error code on failure. ++ */ ++int mipi_dsi_dcs_set_display_brightness_large(struct mipi_dsi_device *dsi, ++ u16 brightness) ++{ ++ u8 payload[2] = { brightness >> 8, brightness & 0xff }; ++ ssize_t err; ++ ++ err = mipi_dsi_dcs_write(dsi, MIPI_DCS_SET_DISPLAY_BRIGHTNESS, ++ payload, sizeof(payload)); ++ if (err < 0) ++ return err; ++ ++ return 0; ++} ++EXPORT_SYMBOL(mipi_dsi_dcs_set_display_brightness_large); ++ ++/** ++ * mipi_dsi_dcs_get_display_brightness_large() - gets the current 16-bit ++ * brightness value of the display ++ * @dsi: DSI peripheral device ++ * @brightness: brightness value ++ * ++ * Return: 0 on success or a negative error code on failure. ++ */ ++int mipi_dsi_dcs_get_display_brightness_large(struct mipi_dsi_device *dsi, ++ u16 *brightness) ++{ ++ u8 brightness_be[2]; ++ ssize_t err; ++ ++ err = mipi_dsi_dcs_read(dsi, MIPI_DCS_GET_DISPLAY_BRIGHTNESS, ++ brightness_be, sizeof(brightness_be)); ++ if (err <= 0) { ++ if (err == 0) ++ err = -ENODATA; ++ ++ return err; ++ } ++ ++ *brightness = (brightness_be[0] << 8) | brightness_be[1]; ++ ++ return 0; ++} ++EXPORT_SYMBOL(mipi_dsi_dcs_get_display_brightness_large); ++ + static int mipi_dsi_drv_probe(struct device *dev) + { + struct mipi_dsi_driver *drv = to_mipi_dsi_driver(dev->driver); +diff --git a/include/drm/drm_mipi_dsi.h b/include/drm/drm_mipi_dsi.h +index 4fef19064b0f1..689f615471ab1 100644 +--- a/include/drm/drm_mipi_dsi.h ++++ b/include/drm/drm_mipi_dsi.h +@@ -274,6 +274,10 @@ int mipi_dsi_dcs_set_display_brightness(struct mipi_dsi_device *dsi, + u16 brightness); + int mipi_dsi_dcs_get_display_brightness(struct mipi_dsi_device *dsi, + u16 *brightness); ++int mipi_dsi_dcs_set_display_brightness_large(struct mipi_dsi_device *dsi, ++ u16 brightness); ++int mipi_dsi_dcs_get_display_brightness_large(struct mipi_dsi_device *dsi, ++ u16 *brightness); + + /** + * struct mipi_dsi_driver - DSI driver +-- +2.39.2 + diff --git a/queue-4.19/drm-msm-dpu-add-check-for-pstates.patch b/queue-4.19/drm-msm-dpu-add-check-for-pstates.patch new file mode 100644 index 00000000000..312a67e21a6 --- /dev/null +++ b/queue-4.19/drm-msm-dpu-add-check-for-pstates.patch @@ -0,0 +1,40 @@ +From 3d7072d08c5d5b3a0251be9a88b02eb1cc29fef4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Dec 2022 16:02:36 +0800 +Subject: drm/msm/dpu: Add check for pstates + +From: Jiasheng Jiang + +[ Upstream commit 93340e10b9c5fc86730d149636e0aa8b47bb5a34 ] + +As kzalloc may fail and return NULL pointer, +it should be better to check pstates +in order to avoid the NULL pointer dereference. + +Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support") +Signed-off-by: Jiasheng Jiang +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/514160/ +Link: https://lore.kernel.org/r/20221206080236.43687-1-jiasheng@iscas.ac.cn +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c +index 3c3b7f7013e87..2efdc3c9f2916 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c +@@ -1477,6 +1477,8 @@ static int dpu_crtc_atomic_check(struct drm_crtc *crtc, + } + + pstates = kzalloc(sizeof(*pstates) * DPU_STAGE_MAX * 4, GFP_KERNEL); ++ if (!pstates) ++ return -ENOMEM; + + dpu_crtc = to_dpu_crtc(crtc); + cstate = to_dpu_crtc_state(state); +-- +2.39.2 + diff --git a/queue-4.19/drm-msm-dsi-add-missing-check-for-alloc_ordered_work.patch b/queue-4.19/drm-msm-dsi-add-missing-check-for-alloc_ordered_work.patch new file mode 100644 index 00000000000..6c9482035b7 --- /dev/null +++ b/queue-4.19/drm-msm-dsi-add-missing-check-for-alloc_ordered_work.patch @@ -0,0 +1,39 @@ +From 1f178f6193e79d750a3826527ea20dab7e3ad404 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jan 2023 10:16:51 +0800 +Subject: drm/msm/dsi: Add missing check for alloc_ordered_workqueue + +From: Jiasheng Jiang + +[ Upstream commit 115906ca7b535afb1fe7b5406c566ccd3873f82b ] + +Add check for the return value of alloc_ordered_workqueue as it may return +NULL pointer and cause NULL pointer dereference. + +Signed-off-by: Jiasheng Jiang +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/517646/ +Link: https://lore.kernel.org/r/20230110021651.12770-1-jiasheng@iscas.ac.cn +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/dsi_host.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c +index 56cfa0a03fd5b..059578faa1c6d 100644 +--- a/drivers/gpu/drm/msm/dsi/dsi_host.c ++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c +@@ -1883,6 +1883,9 @@ int msm_dsi_host_init(struct msm_dsi *msm_dsi) + + /* setup workqueue */ + msm_host->workqueue = alloc_ordered_workqueue("dsi_drm_work", 0); ++ if (!msm_host->workqueue) ++ return -ENOMEM; ++ + INIT_WORK(&msm_host->err_work, dsi_err_worker); + INIT_WORK(&msm_host->hpd_work, dsi_hpd_worker); + +-- +2.39.2 + diff --git a/queue-4.19/drm-msm-hdmi-add-missing-check-for-alloc_ordered_wor.patch b/queue-4.19/drm-msm-hdmi-add-missing-check-for-alloc_ordered_wor.patch new file mode 100644 index 00000000000..7f8f3f1f78c --- /dev/null +++ b/queue-4.19/drm-msm-hdmi-add-missing-check-for-alloc_ordered_wor.patch @@ -0,0 +1,42 @@ +From 38d6a2ff318730b3b10dd05551207bcdfc161ceb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Jan 2023 10:30:11 +0800 +Subject: drm/msm/hdmi: Add missing check for alloc_ordered_workqueue + +From: Jiasheng Jiang + +[ Upstream commit afe4cb96153a0d8003e4e4ebd91b5c543e10df84 ] + +Add check for the return value of alloc_ordered_workqueue as it may return +NULL pointer and cause NULL pointer dereference in `hdmi_hdcp.c` and +`hdmi_hpd.c`. + +Fixes: c6a57a50ad56 ("drm/msm/hdmi: add hdmi hdcp support (V3)") +Signed-off-by: Jiasheng Jiang +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/517211/ +Link: https://lore.kernel.org/r/20230106023011.3985-1-jiasheng@iscas.ac.cn +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/hdmi/hdmi.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/gpu/drm/msm/hdmi/hdmi.c b/drivers/gpu/drm/msm/hdmi/hdmi.c +index e03f08757b252..b75067854b4d7 100644 +--- a/drivers/gpu/drm/msm/hdmi/hdmi.c ++++ b/drivers/gpu/drm/msm/hdmi/hdmi.c +@@ -254,6 +254,10 @@ static struct hdmi *msm_hdmi_init(struct platform_device *pdev) + pm_runtime_enable(&pdev->dev); + + hdmi->workq = alloc_ordered_workqueue("msm_hdmi", 0); ++ if (!hdmi->workq) { ++ ret = -ENOMEM; ++ goto fail; ++ } + + hdmi->i2c = msm_hdmi_i2c_init(hdmi); + if (IS_ERR(hdmi->i2c)) { +-- +2.39.2 + diff --git a/queue-4.19/drm-msm-use-strscpy-instead-of-strncpy.patch b/queue-4.19/drm-msm-use-strscpy-instead-of-strncpy.patch new file mode 100644 index 00000000000..63e9e6764f3 --- /dev/null +++ b/queue-4.19/drm-msm-use-strscpy-instead-of-strncpy.patch @@ -0,0 +1,47 @@ +From b7534d3e8a01d7be6a65a7a33a2c40674cf2560e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jan 2023 04:01:52 +0200 +Subject: drm/msm: use strscpy instead of strncpy +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dmitry Baryshkov + +[ Upstream commit d7fd8634f48d76aa799ed57beb7d87dab91bde80 ] + +Using strncpy can result in non-NULL-terminated destination string. Use +strscpy instead. This fixes following warning: + +drivers/gpu/drm/msm/msm_fence.c: In function ‘msm_fence_context_alloc’: +drivers/gpu/drm/msm/msm_fence.c:25:9: warning: ‘strncpy’ specified bound 32 equals destination size [-Wstringop-truncation] + 25 | strncpy(fctx->name, name, sizeof(fctx->name)); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Fixes: f97decac5f4c ("drm/msm: Support multiple ringbuffers") +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/518787/ +Link: https://lore.kernel.org/r/20230118020152.1689213-1-dmitry.baryshkov@linaro.org +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/msm_fence.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/msm_fence.c b/drivers/gpu/drm/msm/msm_fence.c +index 6c11be79574e5..ef79c3661acb4 100644 +--- a/drivers/gpu/drm/msm/msm_fence.c ++++ b/drivers/gpu/drm/msm/msm_fence.c +@@ -31,7 +31,7 @@ msm_fence_context_alloc(struct drm_device *dev, const char *name) + return ERR_PTR(-ENOMEM); + + fctx->dev = dev; +- strncpy(fctx->name, name, sizeof(fctx->name)); ++ strscpy(fctx->name, name, sizeof(fctx->name)); + fctx->context = dma_fence_context_alloc(1); + init_waitqueue_head(&fctx->event); + spin_lock_init(&fctx->spinlock); +-- +2.39.2 + diff --git a/queue-4.19/drm-mxsfb-drm_mxsfb-should-depend-on-arch_mxs-arch_m.patch b/queue-4.19/drm-mxsfb-drm_mxsfb-should-depend-on-arch_mxs-arch_m.patch new file mode 100644 index 00000000000..c7f050f03e3 --- /dev/null +++ b/queue-4.19/drm-mxsfb-drm_mxsfb-should-depend-on-arch_mxs-arch_m.patch @@ -0,0 +1,39 @@ +From 6c70dc5954cd860b3a312b7f7d5db48e44ba8c09 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 16:59:55 +0100 +Subject: drm: mxsfb: DRM_MXSFB should depend on ARCH_MXS || ARCH_MXC + +From: Geert Uytterhoeven + +[ Upstream commit 7783cc67862f9166c901bfa0f80b717aa8d354dd ] + +Freescale/NXP i.MX LCDIF and eLCDIF LCD controllers are only present on +Freescale/NXP i.MX SoCs. Hence add a dependency on ARCH_MXS || +ARCH_MXC, to prevent asking the user about this driver when configuring +a kernel without Freescale/NXP i.MX support. + +Fixes: 45d59d704080cc0c ("drm: Add new driver for MXSFB controller") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Marek Vasut +Signed-off-by: Marek Vasut +Link: https://patchwork.freedesktop.org/patch/msgid/98e74779ca2bc575d91afff03369e86b080c01ac.1669046358.git.geert+renesas@glider.be +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mxsfb/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/mxsfb/Kconfig b/drivers/gpu/drm/mxsfb/Kconfig +index 3ed6849d63cba..1a2805c7a0eb7 100644 +--- a/drivers/gpu/drm/mxsfb/Kconfig ++++ b/drivers/gpu/drm/mxsfb/Kconfig +@@ -7,6 +7,7 @@ config DRM_MXSFB + tristate "i.MX23/i.MX28/i.MX6SX MXSFB LCD controller" + depends on DRM && OF + depends on COMMON_CLK ++ depends on ARCH_MXS || ARCH_MXC || COMPILE_TEST + select DRM_MXS + select DRM_KMS_HELPER + select DRM_KMS_CMA_HELPER +-- +2.39.2 + diff --git a/queue-4.19/drm-radeon-free-iio-for-atombios-when-driver-shutdow.patch b/queue-4.19/drm-radeon-free-iio-for-atombios-when-driver-shutdow.patch new file mode 100644 index 00000000000..a5491d60d21 --- /dev/null +++ b/queue-4.19/drm-radeon-free-iio-for-atombios-when-driver-shutdow.patch @@ -0,0 +1,60 @@ +From 4a5ca7da43c9cba2fe3c353ddf6c267fa3a94c92 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Jan 2023 17:47:29 +0800 +Subject: drm/radeon: free iio for atombios when driver shutdown + +From: Liwei Song + +[ Upstream commit 4773fadedca918faec443daaca5e4ea1c0ced144 ] + +Fix below kmemleak when unload radeon driver: + +unreferenced object 0xffff9f8608ede200 (size 512): + comm "systemd-udevd", pid 326, jiffies 4294682822 (age 716.338s) + hex dump (first 32 bytes): + 00 00 00 00 c4 aa ec aa 14 ab 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<0000000062fadebe>] kmem_cache_alloc_trace+0x2f1/0x500 + [<00000000b6883cea>] atom_parse+0x117/0x230 [radeon] + [<00000000158c23fd>] radeon_atombios_init+0xab/0x170 [radeon] + [<00000000683f672e>] si_init+0x57/0x750 [radeon] + [<00000000566cc31f>] radeon_device_init+0x559/0x9c0 [radeon] + [<0000000046efabb3>] radeon_driver_load_kms+0xc1/0x1a0 [radeon] + [<00000000b5155064>] drm_dev_register+0xdd/0x1d0 + [<0000000045fec835>] radeon_pci_probe+0xbd/0x100 [radeon] + [<00000000e69ecca3>] pci_device_probe+0xe1/0x160 + [<0000000019484b76>] really_probe.part.0+0xc1/0x2c0 + [<000000003f2649da>] __driver_probe_device+0x96/0x130 + [<00000000231c5bb1>] driver_probe_device+0x24/0xf0 + [<0000000000a42377>] __driver_attach+0x77/0x190 + [<00000000d7574da6>] bus_for_each_dev+0x7f/0xd0 + [<00000000633166d2>] driver_attach+0x1e/0x30 + [<00000000313b05b8>] bus_add_driver+0x12c/0x1e0 + +iio was allocated in atom_index_iio() called by atom_parse(), +but it doesn't got released when the dirver is shutdown. +Fix this kmemleak by free it in radeon_atombios_fini(). + +Signed-off-by: Liwei Song +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/radeon_device.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c +index cc1c07963116c..bcca0dd67fd15 100644 +--- a/drivers/gpu/drm/radeon/radeon_device.c ++++ b/drivers/gpu/drm/radeon/radeon_device.c +@@ -1015,6 +1015,7 @@ void radeon_atombios_fini(struct radeon_device *rdev) + { + if (rdev->mode_info.atom_context) { + kfree(rdev->mode_info.atom_context->scratch); ++ kfree(rdev->mode_info.atom_context->iio); + } + kfree(rdev->mode_info.atom_context); + rdev->mode_info.atom_context = NULL; +-- +2.39.2 + diff --git a/queue-4.19/drm-vc4-dpi-add-option-for-inverting-pixel-clock-and.patch b/queue-4.19/drm-vc4-dpi-add-option-for-inverting-pixel-clock-and.patch new file mode 100644 index 00000000000..432d4aedcf5 --- /dev/null +++ b/queue-4.19/drm-vc4-dpi-add-option-for-inverting-pixel-clock-and.patch @@ -0,0 +1,104 @@ +From e480c9dbf3b9301c41e3db327157480724b3b3a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jun 2022 16:47:36 +0200 +Subject: drm/vc4: dpi: Add option for inverting pixel clock and output enable + +From: Dave Stevenson + +[ Upstream commit 3c2707632146b22e97b0fbf6778bab8add2eaa1d ] + +DRM provides flags for inverting pixel clock and output enable +signals, but these were not mapped to the relevant registers. + +Add those mappings. + +Signed-off-by: Dave Stevenson +Link: https://lore.kernel.org/r/20220613144800.326124-10-maxime@cerno.tech +Signed-off-by: Maxime Ripard +Stable-dep-of: 0870d86eac8a ("drm/vc4: dpi: Fix format mapping for RGB565") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_dpi.c | 66 ++++++++++++++++++++--------------- + 1 file changed, 38 insertions(+), 28 deletions(-) + +diff --git a/drivers/gpu/drm/vc4/vc4_dpi.c b/drivers/gpu/drm/vc4/vc4_dpi.c +index f185812970da7..2e6608c57a11a 100644 +--- a/drivers/gpu/drm/vc4/vc4_dpi.c ++++ b/drivers/gpu/drm/vc4/vc4_dpi.c +@@ -186,35 +186,45 @@ static void vc4_dpi_encoder_enable(struct drm_encoder *encoder) + } + drm_connector_list_iter_end(&conn_iter); + +- if (connector && connector->display_info.num_bus_formats) { +- u32 bus_format = connector->display_info.bus_formats[0]; +- +- switch (bus_format) { +- case MEDIA_BUS_FMT_RGB888_1X24: +- dpi_c |= VC4_SET_FIELD(DPI_FORMAT_24BIT_888_RGB, +- DPI_FORMAT); +- break; +- case MEDIA_BUS_FMT_BGR888_1X24: +- dpi_c |= VC4_SET_FIELD(DPI_FORMAT_24BIT_888_RGB, +- DPI_FORMAT); +- dpi_c |= VC4_SET_FIELD(DPI_ORDER_BGR, DPI_ORDER); +- break; +- case MEDIA_BUS_FMT_RGB666_1X24_CPADHI: +- dpi_c |= VC4_SET_FIELD(DPI_FORMAT_18BIT_666_RGB_2, +- DPI_FORMAT); +- break; +- case MEDIA_BUS_FMT_RGB666_1X18: +- dpi_c |= VC4_SET_FIELD(DPI_FORMAT_18BIT_666_RGB_1, +- DPI_FORMAT); +- break; +- case MEDIA_BUS_FMT_RGB565_1X16: +- dpi_c |= VC4_SET_FIELD(DPI_FORMAT_16BIT_565_RGB_3, +- DPI_FORMAT); +- break; +- default: +- DRM_ERROR("Unknown media bus format %d\n", bus_format); +- break; ++ if (connector) { ++ if (connector->display_info.num_bus_formats) { ++ u32 bus_format = connector->display_info.bus_formats[0]; ++ ++ switch (bus_format) { ++ case MEDIA_BUS_FMT_RGB888_1X24: ++ dpi_c |= VC4_SET_FIELD(DPI_FORMAT_24BIT_888_RGB, ++ DPI_FORMAT); ++ break; ++ case MEDIA_BUS_FMT_BGR888_1X24: ++ dpi_c |= VC4_SET_FIELD(DPI_FORMAT_24BIT_888_RGB, ++ DPI_FORMAT); ++ dpi_c |= VC4_SET_FIELD(DPI_ORDER_BGR, ++ DPI_ORDER); ++ break; ++ case MEDIA_BUS_FMT_RGB666_1X24_CPADHI: ++ dpi_c |= VC4_SET_FIELD(DPI_FORMAT_18BIT_666_RGB_2, ++ DPI_FORMAT); ++ break; ++ case MEDIA_BUS_FMT_RGB666_1X18: ++ dpi_c |= VC4_SET_FIELD(DPI_FORMAT_18BIT_666_RGB_1, ++ DPI_FORMAT); ++ break; ++ case MEDIA_BUS_FMT_RGB565_1X16: ++ dpi_c |= VC4_SET_FIELD(DPI_FORMAT_16BIT_565_RGB_3, ++ DPI_FORMAT); ++ break; ++ default: ++ DRM_ERROR("Unknown media bus format %d\n", ++ bus_format); ++ break; ++ } + } ++ ++ if (connector->display_info.bus_flags & DRM_BUS_FLAG_PIXDATA_DRIVE_NEGEDGE) ++ dpi_c |= DPI_PIXEL_CLK_INVERT; ++ ++ if (connector->display_info.bus_flags & DRM_BUS_FLAG_DE_LOW) ++ dpi_c |= DPI_OUTPUT_ENABLE_INVERT; + } else { + /* Default to 24bit if no connector found. */ + dpi_c |= VC4_SET_FIELD(DPI_FORMAT_24BIT_888_RGB, DPI_FORMAT); +-- +2.39.2 + diff --git a/queue-4.19/drm-vc4-dpi-fix-format-mapping-for-rgb565.patch b/queue-4.19/drm-vc4-dpi-fix-format-mapping-for-rgb565.patch new file mode 100644 index 00000000000..2fd78293fc6 --- /dev/null +++ b/queue-4.19/drm-vc4-dpi-fix-format-mapping-for-rgb565.patch @@ -0,0 +1,38 @@ +From 26921bc30431302646c5f302e1ddef25aa769fe4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Dec 2022 09:42:52 +0100 +Subject: drm/vc4: dpi: Fix format mapping for RGB565 + +From: Dave Stevenson + +[ Upstream commit 0870d86eac8a9abd89a0be1b719d5dc5bac936f0 ] + +The mapping is incorrect for RGB565_1X16 as it should be +DPI_FORMAT_18BIT_666_RGB_1 instead of DPI_FORMAT_18BIT_666_RGB_3. + +Fixes: 08302c35b59d ("drm/vc4: Add DPI driver") +Signed-off-by: Dave Stevenson +Reviewed-by: Laurent Pinchart +Link: https://lore.kernel.org/r/20221013-rpi-dpi-improvements-v3-7-eb76e26a772d@cerno.tech +Signed-off-by: Maxime Ripard +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_dpi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/vc4/vc4_dpi.c b/drivers/gpu/drm/vc4/vc4_dpi.c +index 2e6608c57a11a..0a0c239ed5c81 100644 +--- a/drivers/gpu/drm/vc4/vc4_dpi.c ++++ b/drivers/gpu/drm/vc4/vc4_dpi.c +@@ -210,7 +210,7 @@ static void vc4_dpi_encoder_enable(struct drm_encoder *encoder) + DPI_FORMAT); + break; + case MEDIA_BUS_FMT_RGB565_1X16: +- dpi_c |= VC4_SET_FIELD(DPI_FORMAT_16BIT_565_RGB_3, ++ dpi_c |= VC4_SET_FIELD(DPI_FORMAT_16BIT_565_RGB_1, + DPI_FORMAT); + break; + default: +-- +2.39.2 + diff --git a/queue-4.19/genirq-fix-the-return-type-of-kstat_cpu_irqs_sum.patch b/queue-4.19/genirq-fix-the-return-type-of-kstat_cpu_irqs_sum.patch new file mode 100644 index 00000000000..a8f3e58442a --- /dev/null +++ b/queue-4.19/genirq-fix-the-return-type-of-kstat_cpu_irqs_sum.patch @@ -0,0 +1,44 @@ +From dc42969680ecce4937055173b87288c7af336d04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Nov 2022 17:25:03 +0800 +Subject: genirq: Fix the return type of kstat_cpu_irqs_sum() + +From: Zhen Lei + +[ Upstream commit 47904aed898a08f028572b9b5a5cc101ddfb2d82 ] + +The type of member ->irqs_sum is unsigned long, but kstat_cpu_irqs_sum() +returns int, which can result in truncation. Therefore, change the +kstat_cpu_irqs_sum() function's return value to unsigned long to avoid +truncation. + +Fixes: f2c66cd8eedd ("/proc/stat: scalability of irq num per cpu") +Reported-by: Elliott, Robert (Servers) +Signed-off-by: Zhen Lei +Cc: Tejun Heo +Cc: "Peter Zijlstra (Intel)" +Cc: Josh Don +Cc: Andrew Morton +Reviewed-by: Frederic Weisbecker +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + include/linux/kernel_stat.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/kernel_stat.h b/include/linux/kernel_stat.h +index 7ee2bb43b251a..f7f20cf1bd3b1 100644 +--- a/include/linux/kernel_stat.h ++++ b/include/linux/kernel_stat.h +@@ -73,7 +73,7 @@ extern unsigned int kstat_irqs_usr(unsigned int irq); + /* + * Number of interrupts per cpu, since bootup + */ +-static inline unsigned int kstat_cpu_irqs_sum(unsigned int cpu) ++static inline unsigned long kstat_cpu_irqs_sum(unsigned int cpu) + { + return kstat_cpu(cpu).irqs_sum; + } +-- +2.39.2 + diff --git a/queue-4.19/gfs2-jdata-writepage-fix.patch b/queue-4.19/gfs2-jdata-writepage-fix.patch new file mode 100644 index 00000000000..1192402a8d6 --- /dev/null +++ b/queue-4.19/gfs2-jdata-writepage-fix.patch @@ -0,0 +1,45 @@ +From 3395d8fe25baf959a31b5e76cf0a7f93719c5093 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Feb 2023 15:08:50 +0100 +Subject: gfs2: jdata writepage fix + +From: Andreas Gruenbacher + +[ Upstream commit cbb60951ce18c9b6e91d2eb97deb41d8ff616622 ] + +The ->writepage() and ->writepages() operations are supposed to write +entire pages. However, on filesystems with a block size smaller than +PAGE_SIZE, __gfs2_jdata_writepage() only adds the first block to the +current transaction instead of adding the entire page. Fix that. + +Fixes: 18ec7d5c3f43 ("[GFS2] Make journaled data files identical to normal files on disk") +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/aops.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/fs/gfs2/aops.c b/fs/gfs2/aops.c +index 31e8270d0b266..c5390421cca29 100644 +--- a/fs/gfs2/aops.c ++++ b/fs/gfs2/aops.c +@@ -179,7 +179,6 @@ static int __gfs2_jdata_writepage(struct page *page, struct writeback_control *w + { + struct inode *inode = page->mapping->host; + struct gfs2_inode *ip = GFS2_I(inode); +- struct gfs2_sbd *sdp = GFS2_SB(inode); + + if (PageChecked(page)) { + ClearPageChecked(page); +@@ -187,7 +186,7 @@ static int __gfs2_jdata_writepage(struct page *page, struct writeback_control *w + create_empty_buffers(page, inode->i_sb->s_blocksize, + BIT(BH_Dirty)|BIT(BH_Uptodate)); + } +- gfs2_page_add_databufs(ip, page, 0, sdp->sd_vfs->s_blocksize); ++ gfs2_page_add_databufs(ip, page, 0, PAGE_SIZE); + } + return gfs2_write_full_page(page, gfs2_get_block_noalloc, wbc); + } +-- +2.39.2 + diff --git a/queue-4.19/gpio-vf610-connect-gpio-label-to-dev-name.patch b/queue-4.19/gpio-vf610-connect-gpio-label-to-dev-name.patch new file mode 100644 index 00000000000..3ffd6a1cd87 --- /dev/null +++ b/queue-4.19/gpio-vf610-connect-gpio-label-to-dev-name.patch @@ -0,0 +1,38 @@ +From b91a68b82caf81730c0f4f52f394295ba07de7f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Dec 2022 17:02:47 +0800 +Subject: gpio: vf610: connect GPIO label to dev name + +From: Haibo Chen + +[ Upstream commit 6f8ecb7f85f441eb7d78ba2a4df45ee8a821934e ] + +Current GPIO label is fixed, so can't distinguish different GPIO +controllers through labels. Use dev name instead. + +Fixes: 7f2691a19627 ("gpio: vf610: add gpiolib/IRQ chip driver for Vybrid") +Signed-off-by: Clark Wang +Signed-off-by: Haibo Chen +Reviewed-by: Linus Walleij +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-vf610.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpio-vf610.c b/drivers/gpio/gpio-vf610.c +index f7692999df475..01865b3e0a5f5 100644 +--- a/drivers/gpio/gpio-vf610.c ++++ b/drivers/gpio/gpio-vf610.c +@@ -279,7 +279,7 @@ static int vf610_gpio_probe(struct platform_device *pdev) + gc = &port->gc; + gc->of_node = np; + gc->parent = dev; +- gc->label = "vf610-gpio"; ++ gc->label = dev_name(dev); + gc->ngpio = VF610_GPIO_PER_PORT; + gc->base = of_alias_get_id(np, "gpio") * VF610_GPIO_PER_PORT; + +-- +2.39.2 + diff --git a/queue-4.19/gpu-host1x-don-t-skip-assigning-syncpoints-to-channe.patch b/queue-4.19/gpu-host1x-don-t-skip-assigning-syncpoints-to-channe.patch new file mode 100644 index 00000000000..1ae8a247b48 --- /dev/null +++ b/queue-4.19/gpu-host1x-don-t-skip-assigning-syncpoints-to-channe.patch @@ -0,0 +1,40 @@ +From 7d74a996d3f8f80655d58ff2a227773990a29443 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jan 2023 15:39:00 +0200 +Subject: gpu: host1x: Don't skip assigning syncpoints to channels + +From: Mikko Perttunen + +[ Upstream commit eb258cc1fd458e584082be987dbc6ec42668c05e ] + +The code to write the syncpoint channel assignment register +incorrectly skips the write if hypervisor registers are not available. + +The register, however, is within the guest aperture so remove the +check and assign syncpoints properly even on virtualized systems. + +Fixes: c3f52220f276 ("gpu: host1x: Enable Tegra186 syncpoint protection") +Signed-off-by: Mikko Perttunen +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/gpu/host1x/hw/syncpt_hw.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/gpu/host1x/hw/syncpt_hw.c b/drivers/gpu/host1x/hw/syncpt_hw.c +index a23bb3352d029..b40a537884dde 100644 +--- a/drivers/gpu/host1x/hw/syncpt_hw.c ++++ b/drivers/gpu/host1x/hw/syncpt_hw.c +@@ -113,9 +113,6 @@ static void syncpt_assign_to_channel(struct host1x_syncpt *sp, + #if HOST1X_HW >= 6 + struct host1x *host = sp->host; + +- if (!host->hv_regs) +- return; +- + host1x_sync_writel(host, + HOST1X_SYNC_SYNCPT_CH_APP_CH(ch ? ch->id : 0xff), + HOST1X_SYNC_SYNCPT_CH_APP(sp->id)); +-- +2.39.2 + diff --git a/queue-4.19/gpu-ipu-v3-common-add-of_node_put-for-reference-retu.patch b/queue-4.19/gpu-ipu-v3-common-add-of_node_put-for-reference-retu.patch new file mode 100644 index 00000000000..3acc2678f8c --- /dev/null +++ b/queue-4.19/gpu-ipu-v3-common-add-of_node_put-for-reference-retu.patch @@ -0,0 +1,39 @@ +From 6eb3c494f001aceb174c47c80c1fe7ea4ded0e66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Jul 2022 23:22:27 +0800 +Subject: gpu: ipu-v3: common: Add of_node_put() for reference returned by + of_graph_get_port_by_id() + +From: Liang He + +[ Upstream commit 9afdf98cfdfa2ba8ec068cf08c5fcdc1ed8daf3f ] + +In ipu_add_client_devices(), we need to call of_node_put() for +reference returned by of_graph_get_port_by_id() in fail path. + +Fixes: 17e052175039 ("gpu: ipu-v3: Do not bail out on missing optional port nodes") +Signed-off-by: Liang He +Reviewed-by: Philipp Zabel +Link: https://lore.kernel.org/r/20220720152227.1288413-1-windhl@126.com +Signed-off-by: Philipp Zabel +Link: https://patchwork.freedesktop.org/patch/msgid/20220720152227.1288413-1-windhl@126.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/ipu-v3/ipu-common.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/ipu-v3/ipu-common.c b/drivers/gpu/ipu-v3/ipu-common.c +index 0a7d4395d427b..f6e74ff7ef75d 100644 +--- a/drivers/gpu/ipu-v3/ipu-common.c ++++ b/drivers/gpu/ipu-v3/ipu-common.c +@@ -1238,6 +1238,7 @@ static int ipu_add_client_devices(struct ipu_soc *ipu, unsigned long ipu_base) + pdev = platform_device_alloc(reg->name, id++); + if (!pdev) { + ret = -ENOMEM; ++ of_node_put(of_node); + goto err_register; + } + +-- +2.39.2 + diff --git a/queue-4.19/hwmon-ltc2945-handle-error-case-in-ltc2945_value_sto.patch b/queue-4.19/hwmon-ltc2945-handle-error-case-in-ltc2945_value_sto.patch new file mode 100644 index 00000000000..e5ffece156e --- /dev/null +++ b/queue-4.19/hwmon-ltc2945-handle-error-case-in-ltc2945_value_sto.patch @@ -0,0 +1,38 @@ +From b50a3bff8b8cf8bf923f8765b8141047c887d021 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jan 2023 17:32:25 -0500 +Subject: hwmon: (ltc2945) Handle error case in ltc2945_value_store + +From: Jonathan Cormier + +[ Upstream commit 178b01eccfb0b8149682f61388400bd3d903dddc ] + +ltc2945_val_to_reg errors were not being handled +which would have resulted in register being set to +0 (clamped) instead of being left alone. + +Fixes: 6700ce035f83 ("hwmon: Driver for Linear Technologies LTC2945") + +Signed-off-by: Jonathan Cormier +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/ltc2945.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/hwmon/ltc2945.c b/drivers/hwmon/ltc2945.c +index 1b92e4f6e2349..efabe514ec560 100644 +--- a/drivers/hwmon/ltc2945.c ++++ b/drivers/hwmon/ltc2945.c +@@ -257,6 +257,8 @@ static ssize_t ltc2945_set_value(struct device *dev, + + /* convert to register value, then clamp and write result */ + regval = ltc2945_val_to_reg(dev, reg, val); ++ if (regval < 0) ++ return regval; + if (is_power_reg(reg)) { + regval = clamp_val(regval, 0, 0xffffff); + regbuf[0] = regval >> 16; +-- +2.39.2 + diff --git a/queue-4.19/hwmon-mlxreg-fan-return-zero-speed-for-broken-fan.patch b/queue-4.19/hwmon-mlxreg-fan-return-zero-speed-for-broken-fan.patch new file mode 100644 index 00000000000..76e1d24d67a --- /dev/null +++ b/queue-4.19/hwmon-mlxreg-fan-return-zero-speed-for-broken-fan.patch @@ -0,0 +1,46 @@ +From 6dd241faa254d31b82999723d057e77d86049ad0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Feb 2023 16:57:30 +0200 +Subject: hwmon: (mlxreg-fan) Return zero speed for broken fan + +From: Vadim Pasternak + +[ Upstream commit a1ffd3c46267ee5c807acd780e15df9bb692223f ] + +Currently for broken fan driver returns value calculated based on error +code (0xFF) in related fan speed register. +Thus, for such fan user gets fan{n}_fault to 1 and fan{n}_input with +misleading value. + +Add check for fan fault prior return speed value and return zero if +fault is detected. + +Fixes: 65afb4c8e7e4 ("hwmon: (mlxreg-fan) Add support for Mellanox FAN driver") +Signed-off-by: Vadim Pasternak +Link: https://lore.kernel.org/r/20230212145730.24247-1-vadimp@nvidia.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/mlxreg-fan.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/hwmon/mlxreg-fan.c b/drivers/hwmon/mlxreg-fan.c +index e57b0c5119ce4..ec68dace3cf93 100644 +--- a/drivers/hwmon/mlxreg-fan.c ++++ b/drivers/hwmon/mlxreg-fan.c +@@ -125,6 +125,12 @@ mlxreg_fan_read(struct device *dev, enum hwmon_sensor_types type, u32 attr, + if (err) + return err; + ++ if (MLXREG_FAN_GET_FAULT(regval, tacho->mask)) { ++ /* FAN is broken - return zero for FAN speed. */ ++ *val = 0; ++ return 0; ++ } ++ + *val = MLXREG_FAN_GET_RPM(regval, fan->divider, + fan->samples); + break; +-- +2.39.2 + diff --git a/queue-4.19/inet-fix-fast-path-in-__inet_hash_connect.patch b/queue-4.19/inet-fix-fast-path-in-__inet_hash_connect.patch new file mode 100644 index 00000000000..d31484f9b3e --- /dev/null +++ b/queue-4.19/inet-fix-fast-path-in-__inet_hash_connect.patch @@ -0,0 +1,56 @@ +From ce8729c90b07c3356e7bcf6936c8be15f68448f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Jan 2023 13:11:41 +0000 +Subject: inet: fix fast path in __inet_hash_connect() + +From: Pietro Borrello + +[ Upstream commit 21cbd90a6fab7123905386985e3e4a80236b8714 ] + +__inet_hash_connect() has a fast path taken if sk_head(&tb->owners) is +equal to the sk parameter. +sk_head() returns the hlist_entry() with respect to the sk_node field. +However entries in the tb->owners list are inserted with respect to the +sk_bind_node field with sk_add_bind_node(). +Thus the check would never pass and the fast path never execute. + +This fast path has never been executed or tested as this bug seems +to be present since commit 1da177e4c3f4 ("Linux-2.6.12-rc2"), thus +remove it to reduce code complexity. + +Signed-off-by: Pietro Borrello +Reviewed-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230112-inet_hash_connect_bind_head-v3-1-b591fd212b93@diag.uniroma1.it +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/inet_hashtables.c | 12 +----------- + 1 file changed, 1 insertion(+), 11 deletions(-) + +diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c +index d64522af9c3a8..5a272d09b8248 100644 +--- a/net/ipv4/inet_hashtables.c ++++ b/net/ipv4/inet_hashtables.c +@@ -756,17 +756,7 @@ int __inet_hash_connect(struct inet_timewait_death_row *death_row, + u32 index; + + if (port) { +- head = &hinfo->bhash[inet_bhashfn(net, port, +- hinfo->bhash_size)]; +- tb = inet_csk(sk)->icsk_bind_hash; +- spin_lock_bh(&head->lock); +- if (sk_head(&tb->owners) == sk && !sk->sk_bind_node.next) { +- inet_ehash_nolisten(sk, NULL, NULL); +- spin_unlock_bh(&head->lock); +- return 0; +- } +- spin_unlock(&head->lock); +- /* No definite answer... Walk to established hash table */ ++ local_bh_disable(); + ret = check_established(death_row, sk, port, NULL); + local_bh_enable(); + return ret; +-- +2.39.2 + diff --git a/queue-4.19/input-ads7846-don-t-check-penirq-immediately-for-784.patch b/queue-4.19/input-ads7846-don-t-check-penirq-immediately-for-784.patch new file mode 100644 index 00000000000..324b993423b --- /dev/null +++ b/queue-4.19/input-ads7846-don-t-check-penirq-immediately-for-784.patch @@ -0,0 +1,46 @@ +From 93cd092ad80afbff876dc9bf76a6ec9f843cca73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jan 2023 11:52:27 +0100 +Subject: Input: ads7846 - don't check penirq immediately for 7845 + +From: Luca Ellero + +[ Upstream commit fa9f4275b20ec7b2a8fb05c66362d10b36f9efec ] + +To discard false readings, one should use "ti,penirq-recheck-delay-usecs". +Checking get_pendown_state() at the beginning, most of the time fails +causing malfunctioning. + +Fixes: ffa458c1bd9b ("spi: ads7846 driver") +Signed-off-by: Luca Ellero +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20230126105227.47648-4-l.ellero@asem.it +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/touchscreen/ads7846.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +diff --git a/drivers/input/touchscreen/ads7846.c b/drivers/input/touchscreen/ads7846.c +index 491cc7efecf9e..fe6c9e1870414 100644 +--- a/drivers/input/touchscreen/ads7846.c ++++ b/drivers/input/touchscreen/ads7846.c +@@ -790,14 +790,8 @@ static void ads7846_report_state(struct ads7846 *ts) + if (x == MAX_12BIT) + x = 0; + +- if (ts->model == 7843) { ++ if (ts->model == 7843 || ts->model == 7845) { + Rt = ts->pressure_max / 2; +- } else if (ts->model == 7845) { +- if (get_pendown_state(ts)) +- Rt = ts->pressure_max / 2; +- else +- Rt = 0; +- dev_vdbg(&ts->spi->dev, "x/y: %d/%d, PD %d\n", x, y, Rt); + } else if (likely(x && z1)) { + /* compute touch pressure resistance using equation #2 */ + Rt = z2; +-- +2.39.2 + diff --git a/queue-4.19/input-ads7846-don-t-report-pressure-for-ads7845.patch b/queue-4.19/input-ads7846-don-t-report-pressure-for-ads7845.patch new file mode 100644 index 00000000000..af4a269c541 --- /dev/null +++ b/queue-4.19/input-ads7846-don-t-report-pressure-for-ads7845.patch @@ -0,0 +1,42 @@ +From acd290e6e17780c7d9df996280ef4b0b51bbd229 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jan 2023 11:52:25 +0100 +Subject: Input: ads7846 - don't report pressure for ads7845 + +From: Luca Ellero + +[ Upstream commit d50584d783313c8b05b84d0b07a2142f1bde46dd ] + +ADS7845 doesn't support pressure. +Avoid the following error reported by libinput-list-devices: +"ADS7845 Touchscreen: kernel bug: device has min == max on ABS_PRESSURE". + +Fixes: ffa458c1bd9b ("spi: ads7846 driver") +Signed-off-by: Luca Ellero +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20230126105227.47648-2-l.ellero@asem.it +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/touchscreen/ads7846.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/input/touchscreen/ads7846.c b/drivers/input/touchscreen/ads7846.c +index b536768234b7c..491cc7efecf9e 100644 +--- a/drivers/input/touchscreen/ads7846.c ++++ b/drivers/input/touchscreen/ads7846.c +@@ -1374,8 +1374,9 @@ static int ads7846_probe(struct spi_device *spi) + pdata->y_min ? : 0, + pdata->y_max ? : MAX_12BIT, + 0, 0); +- input_set_abs_params(input_dev, ABS_PRESSURE, +- pdata->pressure_min, pdata->pressure_max, 0, 0); ++ if (ts->model != 7845) ++ input_set_abs_params(input_dev, ABS_PRESSURE, ++ pdata->pressure_min, pdata->pressure_max, 0, 0); + + ads7846_setup_spi_msg(ts, pdata); + +-- +2.39.2 + diff --git a/queue-4.19/ipw2x00-switch-from-pci_-to-dma_-api.patch b/queue-4.19/ipw2x00-switch-from-pci_-to-dma_-api.patch new file mode 100644 index 00000000000..a9dd06ca410 --- /dev/null +++ b/queue-4.19/ipw2x00-switch-from-pci_-to-dma_-api.patch @@ -0,0 +1,603 @@ +From 3677baf1824e1c679b84732607f441da7ff3f7e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Jul 2020 12:17:16 +0200 +Subject: ipw2x00: switch from 'pci_' to 'dma_' API + +From: Christophe JAILLET + +[ Upstream commit e52525c0c320076deab35409a6b2cff6388959b8 ] + +The wrappers in include/linux/pci-dma-compat.h should go away. + +The patch has been generated with the coccinelle script below and has been +hand modified to replace GFP_ with a correct flag. +It has been compile tested. + +When memory is allocated in 'ipw2100_msg_allocate()' (ipw2100.c), +GFP_KERNEL can be used because it is called from the probe function. +The call chain is: + ipw2100_pci_init_one (the probe function) + --> ipw2100_queues_allocate + --> ipw2100_msg_allocate +Moreover, 'ipw2100_msg_allocate()' already uses GFP_KERNEL for some other +memory allocations. + +When memory is allocated in 'status_queue_allocate()' (ipw2100.c), +GFP_KERNEL can be used because it is called from the probe function. +The call chain is: + ipw2100_pci_init_one (the probe function) + --> ipw2100_queues_allocate + --> ipw2100_rx_allocate + --> status_queue_allocate +Moreover, 'ipw2100_rx_allocate()' already uses GFP_KERNEL for some other +memory allocations. + +When memory is allocated in 'bd_queue_allocate()' (ipw2100.c), +GFP_KERNEL can be used because it is called from the probe function. +The call chain is: + ipw2100_pci_init_one (the probe function) + --> ipw2100_queues_allocate + --> ipw2100_rx_allocate + --> bd_queue_allocate +Moreover, 'ipw2100_rx_allocate()' already uses GFP_KERNEL for some other +memory allocations. + +When memory is allocated in 'ipw2100_tx_allocate()' (ipw2100.c), +GFP_KERNEL can be used because it is called from the probe function. +The call chain is: + ipw2100_pci_init_one (the probe function) + --> ipw2100_queues_allocate + --> ipw2100_tx_allocate +Moreover, 'ipw2100_tx_allocate()' already uses GFP_KERNEL for some other +memory allocations. + +When memory is allocated in 'ipw_queue_tx_init()' (ipw2200.c), +GFP_KERNEL can be used because it is called from a call chain that already +uses GFP_KERNEL and no spin_lock is taken in the between. +The call chain is: + ipw_up + --> ipw_load + --> ipw_queue_reset + --> ipw_queue_tx_init +'ipw_up()' already uses GFP_KERNEL for some other memory allocations. + +@@ +@@ +- PCI_DMA_BIDIRECTIONAL ++ DMA_BIDIRECTIONAL + +@@ +@@ +- PCI_DMA_TODEVICE ++ DMA_TO_DEVICE + +@@ +@@ +- PCI_DMA_FROMDEVICE ++ DMA_FROM_DEVICE + +@@ +@@ +- PCI_DMA_NONE ++ DMA_NONE + +@@ +expression e1, e2, e3; +@@ +- pci_alloc_consistent(e1, e2, e3) ++ dma_alloc_coherent(&e1->dev, e2, e3, GFP_) + +@@ +expression e1, e2, e3; +@@ +- pci_zalloc_consistent(e1, e2, e3) ++ dma_alloc_coherent(&e1->dev, e2, e3, GFP_) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_free_consistent(e1, e2, e3, e4) ++ dma_free_coherent(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_map_single(e1, e2, e3, e4) ++ dma_map_single(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_unmap_single(e1, e2, e3, e4) ++ dma_unmap_single(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4, e5; +@@ +- pci_map_page(e1, e2, e3, e4, e5) ++ dma_map_page(&e1->dev, e2, e3, e4, e5) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_unmap_page(e1, e2, e3, e4) ++ dma_unmap_page(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_map_sg(e1, e2, e3, e4) ++ dma_map_sg(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_unmap_sg(e1, e2, e3, e4) ++ dma_unmap_sg(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_dma_sync_single_for_cpu(e1, e2, e3, e4) ++ dma_sync_single_for_cpu(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_dma_sync_single_for_device(e1, e2, e3, e4) ++ dma_sync_single_for_device(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_dma_sync_sg_for_cpu(e1, e2, e3, e4) ++ dma_sync_sg_for_cpu(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_dma_sync_sg_for_device(e1, e2, e3, e4) ++ dma_sync_sg_for_device(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2; +@@ +- pci_dma_mapping_error(e1, e2) ++ dma_mapping_error(&e1->dev, e2) + +@@ +expression e1, e2; +@@ +- pci_set_dma_mask(e1, e2) ++ dma_set_mask(&e1->dev, e2) + +@@ +expression e1, e2; +@@ +- pci_set_consistent_dma_mask(e1, e2) ++ dma_set_coherent_mask(&e1->dev, e2) + +Signed-off-by: Christophe JAILLET +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200722101716.26185-1-christophe.jaillet@wanadoo.fr +Stable-dep-of: 45fc6d7461f1 ("wifi: ipw2x00: don't call dev_kfree_skb() under spin_lock_irqsave()") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/ipw2x00/ipw2100.c | 121 +++++++++---------- + drivers/net/wireless/intel/ipw2x00/ipw2200.c | 56 ++++----- + 2 files changed, 88 insertions(+), 89 deletions(-) + +diff --git a/drivers/net/wireless/intel/ipw2x00/ipw2100.c b/drivers/net/wireless/intel/ipw2x00/ipw2100.c +index a3a470976a5c7..68c4ce352b006 100644 +--- a/drivers/net/wireless/intel/ipw2x00/ipw2100.c ++++ b/drivers/net/wireless/intel/ipw2x00/ipw2100.c +@@ -2308,10 +2308,11 @@ static int ipw2100_alloc_skb(struct ipw2100_priv *priv, + return -ENOMEM; + + packet->rxp = (struct ipw2100_rx *)packet->skb->data; +- packet->dma_addr = pci_map_single(priv->pci_dev, packet->skb->data, ++ packet->dma_addr = dma_map_single(&priv->pci_dev->dev, ++ packet->skb->data, + sizeof(struct ipw2100_rx), +- PCI_DMA_FROMDEVICE); +- if (pci_dma_mapping_error(priv->pci_dev, packet->dma_addr)) { ++ DMA_FROM_DEVICE); ++ if (dma_mapping_error(&priv->pci_dev->dev, packet->dma_addr)) { + dev_kfree_skb(packet->skb); + return -ENOMEM; + } +@@ -2492,9 +2493,8 @@ static void isr_rx(struct ipw2100_priv *priv, int i, + return; + } + +- pci_unmap_single(priv->pci_dev, +- packet->dma_addr, +- sizeof(struct ipw2100_rx), PCI_DMA_FROMDEVICE); ++ dma_unmap_single(&priv->pci_dev->dev, packet->dma_addr, ++ sizeof(struct ipw2100_rx), DMA_FROM_DEVICE); + + skb_put(packet->skb, status->frame_size); + +@@ -2576,8 +2576,8 @@ static void isr_rx_monitor(struct ipw2100_priv *priv, int i, + return; + } + +- pci_unmap_single(priv->pci_dev, packet->dma_addr, +- sizeof(struct ipw2100_rx), PCI_DMA_FROMDEVICE); ++ dma_unmap_single(&priv->pci_dev->dev, packet->dma_addr, ++ sizeof(struct ipw2100_rx), DMA_FROM_DEVICE); + memmove(packet->skb->data + sizeof(struct ipw_rt_hdr), + packet->skb->data, status->frame_size); + +@@ -2702,9 +2702,9 @@ static void __ipw2100_rx_process(struct ipw2100_priv *priv) + + /* Sync the DMA for the RX buffer so CPU is sure to get + * the correct values */ +- pci_dma_sync_single_for_cpu(priv->pci_dev, packet->dma_addr, +- sizeof(struct ipw2100_rx), +- PCI_DMA_FROMDEVICE); ++ dma_sync_single_for_cpu(&priv->pci_dev->dev, packet->dma_addr, ++ sizeof(struct ipw2100_rx), ++ DMA_FROM_DEVICE); + + if (unlikely(ipw2100_corruption_check(priv, i))) { + ipw2100_corruption_detected(priv, i); +@@ -2936,9 +2936,8 @@ static int __ipw2100_tx_process(struct ipw2100_priv *priv) + (packet->index + 1 + i) % txq->entries, + tbd->host_addr, tbd->buf_length); + +- pci_unmap_single(priv->pci_dev, +- tbd->host_addr, +- tbd->buf_length, PCI_DMA_TODEVICE); ++ dma_unmap_single(&priv->pci_dev->dev, tbd->host_addr, ++ tbd->buf_length, DMA_TO_DEVICE); + } + + libipw_txb_free(packet->info.d_struct.txb); +@@ -3178,15 +3177,13 @@ static void ipw2100_tx_send_data(struct ipw2100_priv *priv) + tbd->buf_length = packet->info.d_struct.txb-> + fragments[i]->len - LIBIPW_3ADDR_LEN; + +- tbd->host_addr = pci_map_single(priv->pci_dev, ++ tbd->host_addr = dma_map_single(&priv->pci_dev->dev, + packet->info.d_struct. +- txb->fragments[i]-> +- data + ++ txb->fragments[i]->data + + LIBIPW_3ADDR_LEN, + tbd->buf_length, +- PCI_DMA_TODEVICE); +- if (pci_dma_mapping_error(priv->pci_dev, +- tbd->host_addr)) { ++ DMA_TO_DEVICE); ++ if (dma_mapping_error(&priv->pci_dev->dev, tbd->host_addr)) { + IPW_DEBUG_TX("dma mapping error\n"); + break; + } +@@ -3195,10 +3192,10 @@ static void ipw2100_tx_send_data(struct ipw2100_priv *priv) + txq->next, tbd->host_addr, + tbd->buf_length); + +- pci_dma_sync_single_for_device(priv->pci_dev, +- tbd->host_addr, +- tbd->buf_length, +- PCI_DMA_TODEVICE); ++ dma_sync_single_for_device(&priv->pci_dev->dev, ++ tbd->host_addr, ++ tbd->buf_length, ++ DMA_TO_DEVICE); + + txq->next++; + txq->next %= txq->entries; +@@ -3453,9 +3450,9 @@ static int ipw2100_msg_allocate(struct ipw2100_priv *priv) + return -ENOMEM; + + for (i = 0; i < IPW_COMMAND_POOL_SIZE; i++) { +- v = pci_zalloc_consistent(priv->pci_dev, +- sizeof(struct ipw2100_cmd_header), +- &p); ++ v = dma_alloc_coherent(&priv->pci_dev->dev, ++ sizeof(struct ipw2100_cmd_header), &p, ++ GFP_KERNEL); + if (!v) { + printk(KERN_ERR DRV_NAME ": " + "%s: PCI alloc failed for msg " +@@ -3474,11 +3471,10 @@ static int ipw2100_msg_allocate(struct ipw2100_priv *priv) + return 0; + + for (j = 0; j < i; j++) { +- pci_free_consistent(priv->pci_dev, +- sizeof(struct ipw2100_cmd_header), +- priv->msg_buffers[j].info.c_struct.cmd, +- priv->msg_buffers[j].info.c_struct. +- cmd_phys); ++ dma_free_coherent(&priv->pci_dev->dev, ++ sizeof(struct ipw2100_cmd_header), ++ priv->msg_buffers[j].info.c_struct.cmd, ++ priv->msg_buffers[j].info.c_struct.cmd_phys); + } + + kfree(priv->msg_buffers); +@@ -3509,11 +3505,10 @@ static void ipw2100_msg_free(struct ipw2100_priv *priv) + return; + + for (i = 0; i < IPW_COMMAND_POOL_SIZE; i++) { +- pci_free_consistent(priv->pci_dev, +- sizeof(struct ipw2100_cmd_header), +- priv->msg_buffers[i].info.c_struct.cmd, +- priv->msg_buffers[i].info.c_struct. +- cmd_phys); ++ dma_free_coherent(&priv->pci_dev->dev, ++ sizeof(struct ipw2100_cmd_header), ++ priv->msg_buffers[i].info.c_struct.cmd, ++ priv->msg_buffers[i].info.c_struct.cmd_phys); + } + + kfree(priv->msg_buffers); +@@ -4336,7 +4331,8 @@ static int status_queue_allocate(struct ipw2100_priv *priv, int entries) + IPW_DEBUG_INFO("enter\n"); + + q->size = entries * sizeof(struct ipw2100_status); +- q->drv = pci_zalloc_consistent(priv->pci_dev, q->size, &q->nic); ++ q->drv = dma_alloc_coherent(&priv->pci_dev->dev, q->size, &q->nic, ++ GFP_KERNEL); + if (!q->drv) { + IPW_DEBUG_WARNING("Can not allocate status queue.\n"); + return -ENOMEM; +@@ -4352,9 +4348,10 @@ static void status_queue_free(struct ipw2100_priv *priv) + IPW_DEBUG_INFO("enter\n"); + + if (priv->status_queue.drv) { +- pci_free_consistent(priv->pci_dev, priv->status_queue.size, +- priv->status_queue.drv, +- priv->status_queue.nic); ++ dma_free_coherent(&priv->pci_dev->dev, ++ priv->status_queue.size, ++ priv->status_queue.drv, ++ priv->status_queue.nic); + priv->status_queue.drv = NULL; + } + +@@ -4370,7 +4367,8 @@ static int bd_queue_allocate(struct ipw2100_priv *priv, + + q->entries = entries; + q->size = entries * sizeof(struct ipw2100_bd); +- q->drv = pci_zalloc_consistent(priv->pci_dev, q->size, &q->nic); ++ q->drv = dma_alloc_coherent(&priv->pci_dev->dev, q->size, &q->nic, ++ GFP_KERNEL); + if (!q->drv) { + IPW_DEBUG_INFO + ("can't allocate shared memory for buffer descriptors\n"); +@@ -4390,7 +4388,8 @@ static void bd_queue_free(struct ipw2100_priv *priv, struct ipw2100_bd_queue *q) + return; + + if (q->drv) { +- pci_free_consistent(priv->pci_dev, q->size, q->drv, q->nic); ++ dma_free_coherent(&priv->pci_dev->dev, q->size, q->drv, ++ q->nic); + q->drv = NULL; + } + +@@ -4450,9 +4449,9 @@ static int ipw2100_tx_allocate(struct ipw2100_priv *priv) + } + + for (i = 0; i < TX_PENDED_QUEUE_LENGTH; i++) { +- v = pci_alloc_consistent(priv->pci_dev, +- sizeof(struct ipw2100_data_header), +- &p); ++ v = dma_alloc_coherent(&priv->pci_dev->dev, ++ sizeof(struct ipw2100_data_header), &p, ++ GFP_KERNEL); + if (!v) { + printk(KERN_ERR DRV_NAME + ": %s: PCI alloc failed for tx " "buffers.\n", +@@ -4472,11 +4471,10 @@ static int ipw2100_tx_allocate(struct ipw2100_priv *priv) + return 0; + + for (j = 0; j < i; j++) { +- pci_free_consistent(priv->pci_dev, +- sizeof(struct ipw2100_data_header), +- priv->tx_buffers[j].info.d_struct.data, +- priv->tx_buffers[j].info.d_struct. +- data_phys); ++ dma_free_coherent(&priv->pci_dev->dev, ++ sizeof(struct ipw2100_data_header), ++ priv->tx_buffers[j].info.d_struct.data, ++ priv->tx_buffers[j].info.d_struct.data_phys); + } + + kfree(priv->tx_buffers); +@@ -4553,12 +4551,10 @@ static void ipw2100_tx_free(struct ipw2100_priv *priv) + priv->tx_buffers[i].info.d_struct.txb = NULL; + } + if (priv->tx_buffers[i].info.d_struct.data) +- pci_free_consistent(priv->pci_dev, +- sizeof(struct ipw2100_data_header), +- priv->tx_buffers[i].info.d_struct. +- data, +- priv->tx_buffers[i].info.d_struct. +- data_phys); ++ dma_free_coherent(&priv->pci_dev->dev, ++ sizeof(struct ipw2100_data_header), ++ priv->tx_buffers[i].info.d_struct.data, ++ priv->tx_buffers[i].info.d_struct.data_phys); + } + + kfree(priv->tx_buffers); +@@ -4621,9 +4617,10 @@ static int ipw2100_rx_allocate(struct ipw2100_priv *priv) + return 0; + + for (j = 0; j < i; j++) { +- pci_unmap_single(priv->pci_dev, priv->rx_buffers[j].dma_addr, ++ dma_unmap_single(&priv->pci_dev->dev, ++ priv->rx_buffers[j].dma_addr, + sizeof(struct ipw2100_rx_packet), +- PCI_DMA_FROMDEVICE); ++ DMA_FROM_DEVICE); + dev_kfree_skb(priv->rx_buffers[j].skb); + } + +@@ -4675,10 +4672,10 @@ static void ipw2100_rx_free(struct ipw2100_priv *priv) + + for (i = 0; i < RX_QUEUE_LENGTH; i++) { + if (priv->rx_buffers[i].rxp) { +- pci_unmap_single(priv->pci_dev, ++ dma_unmap_single(&priv->pci_dev->dev, + priv->rx_buffers[i].dma_addr, + sizeof(struct ipw2100_rx), +- PCI_DMA_FROMDEVICE); ++ DMA_FROM_DEVICE); + dev_kfree_skb(priv->rx_buffers[i].skb); + } + } +@@ -6214,7 +6211,7 @@ static int ipw2100_pci_init_one(struct pci_dev *pci_dev, + pci_set_master(pci_dev); + pci_set_drvdata(pci_dev, priv); + +- err = pci_set_dma_mask(pci_dev, DMA_BIT_MASK(32)); ++ err = dma_set_mask(&pci_dev->dev, DMA_BIT_MASK(32)); + if (err) { + printk(KERN_WARNING DRV_NAME + "Error calling pci_set_dma_mask.\n"); +diff --git a/drivers/net/wireless/intel/ipw2x00/ipw2200.c b/drivers/net/wireless/intel/ipw2x00/ipw2200.c +index 04aee2fdba375..33deaa5cb4e88 100644 +--- a/drivers/net/wireless/intel/ipw2x00/ipw2200.c ++++ b/drivers/net/wireless/intel/ipw2x00/ipw2200.c +@@ -3456,8 +3456,9 @@ static void ipw_rx_queue_reset(struct ipw_priv *priv, + /* In the reset function, these buffers may have been allocated + * to an SKB, so we need to unmap and free potential storage */ + if (rxq->pool[i].skb != NULL) { +- pci_unmap_single(priv->pci_dev, rxq->pool[i].dma_addr, +- IPW_RX_BUF_SIZE, PCI_DMA_FROMDEVICE); ++ dma_unmap_single(&priv->pci_dev->dev, ++ rxq->pool[i].dma_addr, ++ IPW_RX_BUF_SIZE, DMA_FROM_DEVICE); + dev_kfree_skb(rxq->pool[i].skb); + rxq->pool[i].skb = NULL; + } +@@ -3790,7 +3791,8 @@ static int ipw_queue_tx_init(struct ipw_priv *priv, + } + + q->bd = +- pci_alloc_consistent(dev, sizeof(q->bd[0]) * count, &q->q.dma_addr); ++ dma_alloc_coherent(&dev->dev, sizeof(q->bd[0]) * count, ++ &q->q.dma_addr, GFP_KERNEL); + if (!q->bd) { + IPW_ERROR("pci_alloc_consistent(%zd) failed\n", + sizeof(q->bd[0]) * count); +@@ -3832,9 +3834,10 @@ static void ipw_queue_tx_free_tfd(struct ipw_priv *priv, + + /* unmap chunks if any */ + for (i = 0; i < le32_to_cpu(bd->u.data.num_chunks); i++) { +- pci_unmap_single(dev, le32_to_cpu(bd->u.data.chunk_ptr[i]), ++ dma_unmap_single(&dev->dev, ++ le32_to_cpu(bd->u.data.chunk_ptr[i]), + le16_to_cpu(bd->u.data.chunk_len[i]), +- PCI_DMA_TODEVICE); ++ DMA_TO_DEVICE); + if (txq->txb[txq->q.last_used]) { + libipw_txb_free(txq->txb[txq->q.last_used]); + txq->txb[txq->q.last_used] = NULL; +@@ -3866,8 +3869,8 @@ static void ipw_queue_tx_free(struct ipw_priv *priv, struct clx2_tx_queue *txq) + } + + /* free buffers belonging to queue itself */ +- pci_free_consistent(dev, sizeof(txq->bd[0]) * q->n_bd, txq->bd, +- q->dma_addr); ++ dma_free_coherent(&dev->dev, sizeof(txq->bd[0]) * q->n_bd, txq->bd, ++ q->dma_addr); + kfree(txq->txb); + + /* 0 fill whole structure */ +@@ -5212,8 +5215,8 @@ static void ipw_rx_queue_replenish(void *data) + list_del(element); + + rxb->dma_addr = +- pci_map_single(priv->pci_dev, rxb->skb->data, +- IPW_RX_BUF_SIZE, PCI_DMA_FROMDEVICE); ++ dma_map_single(&priv->pci_dev->dev, rxb->skb->data, ++ IPW_RX_BUF_SIZE, DMA_FROM_DEVICE); + + list_add_tail(&rxb->list, &rxq->rx_free); + rxq->free_count++; +@@ -5246,8 +5249,9 @@ static void ipw_rx_queue_free(struct ipw_priv *priv, struct ipw_rx_queue *rxq) + + for (i = 0; i < RX_QUEUE_SIZE + RX_FREE_BUFFERS; i++) { + if (rxq->pool[i].skb != NULL) { +- pci_unmap_single(priv->pci_dev, rxq->pool[i].dma_addr, +- IPW_RX_BUF_SIZE, PCI_DMA_FROMDEVICE); ++ dma_unmap_single(&priv->pci_dev->dev, ++ rxq->pool[i].dma_addr, ++ IPW_RX_BUF_SIZE, DMA_FROM_DEVICE); + dev_kfree_skb(rxq->pool[i].skb); + } + } +@@ -8285,9 +8289,8 @@ static void ipw_rx(struct ipw_priv *priv) + } + priv->rxq->queue[i] = NULL; + +- pci_dma_sync_single_for_cpu(priv->pci_dev, rxb->dma_addr, +- IPW_RX_BUF_SIZE, +- PCI_DMA_FROMDEVICE); ++ dma_sync_single_for_cpu(&priv->pci_dev->dev, rxb->dma_addr, ++ IPW_RX_BUF_SIZE, DMA_FROM_DEVICE); + + pkt = (struct ipw_rx_packet *)rxb->skb->data; + IPW_DEBUG_RX("Packet: type=%02X seq=%02X bits=%02X\n", +@@ -8439,8 +8442,8 @@ static void ipw_rx(struct ipw_priv *priv) + rxb->skb = NULL; + } + +- pci_unmap_single(priv->pci_dev, rxb->dma_addr, +- IPW_RX_BUF_SIZE, PCI_DMA_FROMDEVICE); ++ dma_unmap_single(&priv->pci_dev->dev, rxb->dma_addr, ++ IPW_RX_BUF_SIZE, DMA_FROM_DEVICE); + list_add_tail(&rxb->list, &priv->rxq->rx_used); + + i = (i + 1) % RX_QUEUE_SIZE; +@@ -10239,11 +10242,10 @@ static int ipw_tx_skb(struct ipw_priv *priv, struct libipw_txb *txb, + txb->fragments[i]->len - hdr_len); + + tfd->u.data.chunk_ptr[i] = +- cpu_to_le32(pci_map_single +- (priv->pci_dev, +- txb->fragments[i]->data + hdr_len, +- txb->fragments[i]->len - hdr_len, +- PCI_DMA_TODEVICE)); ++ cpu_to_le32(dma_map_single(&priv->pci_dev->dev, ++ txb->fragments[i]->data + hdr_len, ++ txb->fragments[i]->len - hdr_len, ++ DMA_TO_DEVICE)); + tfd->u.data.chunk_len[i] = + cpu_to_le16(txb->fragments[i]->len - hdr_len); + } +@@ -10273,10 +10275,10 @@ static int ipw_tx_skb(struct ipw_priv *priv, struct libipw_txb *txb, + dev_kfree_skb_any(txb->fragments[i]); + txb->fragments[i] = skb; + tfd->u.data.chunk_ptr[i] = +- cpu_to_le32(pci_map_single +- (priv->pci_dev, skb->data, +- remaining_bytes, +- PCI_DMA_TODEVICE)); ++ cpu_to_le32(dma_map_single(&priv->pci_dev->dev, ++ skb->data, ++ remaining_bytes, ++ DMA_TO_DEVICE)); + + le32_add_cpu(&tfd->u.data.num_chunks, 1); + } +@@ -11649,9 +11651,9 @@ static int ipw_pci_probe(struct pci_dev *pdev, + + pci_set_master(pdev); + +- err = pci_set_dma_mask(pdev, DMA_BIT_MASK(32)); ++ err = dma_set_mask(&pdev->dev, DMA_BIT_MASK(32)); + if (!err) +- err = pci_set_consistent_dma_mask(pdev, DMA_BIT_MASK(32)); ++ err = dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(32)); + if (err) { + printk(KERN_WARNING DRV_NAME ": No suitable DMA available.\n"); + goto out_pci_disable_device; +-- +2.39.2 + diff --git a/queue-4.19/irqchip-alpine-msi-fix-refcount-leak-in-alpine_msix_.patch b/queue-4.19/irqchip-alpine-msi-fix-refcount-leak-in-alpine_msix_.patch new file mode 100644 index 00000000000..77bb1b6db8d --- /dev/null +++ b/queue-4.19/irqchip-alpine-msi-fix-refcount-leak-in-alpine_msix_.patch @@ -0,0 +1,37 @@ +From c630513755508aa4f90ff9edb6ade3408208a8b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Jan 2023 12:28:10 +0400 +Subject: irqchip/alpine-msi: Fix refcount leak in alpine_msix_init_domains + +From: Miaoqian Lin + +[ Upstream commit 071d068b89e95d1b078aa6bbcb9d0961b77d6aa1 ] + +of_irq_find_parent() returns a node pointer with refcount incremented, +We should use of_node_put() on it when not needed anymore. +Add missing of_node_put() to avoid refcount leak. + +Fixes: e6b78f2c3e14 ("irqchip: Add the Alpine MSIX interrupt controller") +Signed-off-by: Miaoqian Lin +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20230102082811.3947760-1-linmq006@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-alpine-msi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/irqchip/irq-alpine-msi.c b/drivers/irqchip/irq-alpine-msi.c +index ede02dc2bcd0b..1819bb1d27230 100644 +--- a/drivers/irqchip/irq-alpine-msi.c ++++ b/drivers/irqchip/irq-alpine-msi.c +@@ -199,6 +199,7 @@ static int alpine_msix_init_domains(struct alpine_msix_data *priv, + } + + gic_domain = irq_find_host(gic_node); ++ of_node_put(gic_node); + if (!gic_domain) { + pr_err("Failed to find the GIC domain\n"); + return -ENXIO; +-- +2.39.2 + diff --git a/queue-4.19/irqchip-irq-bcm7120-l2-set-irq_level-for-level-trigg.patch b/queue-4.19/irqchip-irq-bcm7120-l2-set-irq_level-for-level-trigg.patch new file mode 100644 index 00000000000..0cd2e461a0e --- /dev/null +++ b/queue-4.19/irqchip-irq-bcm7120-l2-set-irq_level-for-level-trigg.patch @@ -0,0 +1,44 @@ +From 4e6f70389f0669ce5eddd35b9a9bd4938dde2e7f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Dec 2022 15:09:34 -0800 +Subject: irqchip/irq-bcm7120-l2: Set IRQ_LEVEL for level triggered interrupts +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Florian Fainelli + +[ Upstream commit 13a157b38ca5b4f9eed81442b8821db293755961 ] + +When support for the interrupt controller was added with a5042de2688d, +we forgot to update the flags to be set to contain IRQ_LEVEL. While the +flow handler is correct, the output from /proc/interrupts does not show +such interrupts as being level triggered when they are, correct that. + +Fixes: a5042de2688d ("irqchip: bcm7120-l2: Add Broadcom BCM7120-style Level 2 interrupt controller") +Signed-off-by: Florian Fainelli +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20221216230934.2478345-3-f.fainelli@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-bcm7120-l2.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/irqchip/irq-bcm7120-l2.c b/drivers/irqchip/irq-bcm7120-l2.c +index 8968e5e93fcb8..fefafe1af1167 100644 +--- a/drivers/irqchip/irq-bcm7120-l2.c ++++ b/drivers/irqchip/irq-bcm7120-l2.c +@@ -271,7 +271,8 @@ static int __init bcm7120_l2_intc_probe(struct device_node *dn, + flags |= IRQ_GC_BE_IO; + + ret = irq_alloc_domain_generic_chips(data->domain, IRQS_PER_WORD, 1, +- dn->full_name, handle_level_irq, clr, 0, flags); ++ dn->full_name, handle_level_irq, clr, ++ IRQ_LEVEL, flags); + if (ret) { + pr_err("failed to allocate generic irq chip\n"); + goto out_free_domain; +-- +2.39.2 + diff --git a/queue-4.19/irqchip-irq-brcmstb-l2-set-irq_level-for-level-trigg.patch b/queue-4.19/irqchip-irq-brcmstb-l2-set-irq_level-for-level-trigg.patch new file mode 100644 index 00000000000..b984d3730fc --- /dev/null +++ b/queue-4.19/irqchip-irq-brcmstb-l2-set-irq_level-for-level-trigg.patch @@ -0,0 +1,57 @@ +From bcf4aa79aac4f610e1abcac5817e4e1c23a12fbb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Dec 2022 15:09:33 -0800 +Subject: irqchip/irq-brcmstb-l2: Set IRQ_LEVEL for level triggered interrupts +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Florian Fainelli + +[ Upstream commit 94debe03e8afa1267f95a9001786a6aa506b9ff3 ] + +When support for the level triggered interrupt controller flavor was +added with c0ca7262088e, we forgot to update the flags to be set to +contain IRQ_LEVEL. While the flow handler is correct, the output from +/proc/interrupts does not show such interrupts as being level triggered +when they are, correct that. + +Fixes: c0ca7262088e ("irqchip/brcmstb-l2: Add support for the BCM7271 L2 controller") +Signed-off-by: Florian Fainelli +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20221216230934.2478345-2-f.fainelli@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-brcmstb-l2.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/irqchip/irq-brcmstb-l2.c b/drivers/irqchip/irq-brcmstb-l2.c +index 83364fedbf0ab..3f1ae63233cb4 100644 +--- a/drivers/irqchip/irq-brcmstb-l2.c ++++ b/drivers/irqchip/irq-brcmstb-l2.c +@@ -169,6 +169,7 @@ static int __init brcmstb_l2_intc_of_init(struct device_node *np, + *init_params) + { + unsigned int clr = IRQ_NOREQUEST | IRQ_NOPROBE | IRQ_NOAUTOEN; ++ unsigned int set = 0; + struct brcmstb_l2_intc_data *data; + struct irq_chip_type *ct; + int ret; +@@ -216,9 +217,12 @@ static int __init brcmstb_l2_intc_of_init(struct device_node *np, + if (IS_ENABLED(CONFIG_MIPS) && IS_ENABLED(CONFIG_CPU_BIG_ENDIAN)) + flags |= IRQ_GC_BE_IO; + ++ if (init_params->handler == handle_level_irq) ++ set |= IRQ_LEVEL; ++ + /* Allocate a single Generic IRQ chip for this node */ + ret = irq_alloc_domain_generic_chips(data->domain, 32, 1, +- np->full_name, init_params->handler, clr, 0, flags); ++ np->full_name, init_params->handler, clr, set, flags); + if (ret) { + pr_err("failed to allocate generic irq chip\n"); + goto out_free_domain; +-- +2.39.2 + diff --git a/queue-4.19/irqchip-irq-mvebu-gicp-fix-refcount-leak-in-mvebu_gi.patch b/queue-4.19/irqchip-irq-mvebu-gicp-fix-refcount-leak-in-mvebu_gi.patch new file mode 100644 index 00000000000..55d52b61c56 --- /dev/null +++ b/queue-4.19/irqchip-irq-mvebu-gicp-fix-refcount-leak-in-mvebu_gi.patch @@ -0,0 +1,37 @@ +From 4894382b81df1128d92b0c14ee28e21ec4fc0f73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Jan 2023 12:42:08 +0400 +Subject: irqchip/irq-mvebu-gicp: Fix refcount leak in mvebu_gicp_probe + +From: Miaoqian Lin + +[ Upstream commit 9419e700021a393f67be36abd0c4f3acc6139041 ] + +of_irq_find_parent() returns a node pointer with refcount incremented, +We should use of_node_put() on it when not needed anymore. +Add missing of_node_put() to avoid refcount leak. + +Fixes: a68a63cb4dfc ("irqchip/irq-mvebu-gicp: Add new driver for Marvell GICP") +Signed-off-by: Miaoqian Lin +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20230102084208.3951758-1-linmq006@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-mvebu-gicp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/irqchip/irq-mvebu-gicp.c b/drivers/irqchip/irq-mvebu-gicp.c +index 3be5c5dba1dab..5caec411059f5 100644 +--- a/drivers/irqchip/irq-mvebu-gicp.c ++++ b/drivers/irqchip/irq-mvebu-gicp.c +@@ -223,6 +223,7 @@ static int mvebu_gicp_probe(struct platform_device *pdev) + } + + parent_domain = irq_find_host(irq_parent_dn); ++ of_node_put(irq_parent_dn); + if (!parent_domain) { + dev_err(&pdev->dev, "failed to find parent IRQ domain\n"); + return -ENODEV; +-- +2.39.2 + diff --git a/queue-4.19/lib-mpi-fix-buffer-overrun-when-sg-is-too-long.patch b/queue-4.19/lib-mpi-fix-buffer-overrun-when-sg-is-too-long.patch new file mode 100644 index 00000000000..e504ac4857f --- /dev/null +++ b/queue-4.19/lib-mpi-fix-buffer-overrun-when-sg-is-too-long.patch @@ -0,0 +1,41 @@ +From a1bfe78df1b64f61859a6aa82dbca0383d2c06df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Dec 2022 15:27:39 +0100 +Subject: lib/mpi: Fix buffer overrun when SG is too long + +From: Herbert Xu + +[ Upstream commit 7361d1bc307b926cbca214ab67b641123c2d6357 ] + +The helper mpi_read_raw_from_sgl sets the number of entries in +the SG list according to nbytes. However, if the last entry +in the SG list contains more data than nbytes, then it may overrun +the buffer because it only allocates enough memory for nbytes. + +Fixes: 2d4d1eea540b ("lib/mpi: Add mpi sgl helpers") +Reported-by: Roberto Sassu +Signed-off-by: Herbert Xu +Reviewed-by: Eric Biggers +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + lib/mpi/mpicoder.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/lib/mpi/mpicoder.c b/lib/mpi/mpicoder.c +index eead4b3394668..4f73db248009e 100644 +--- a/lib/mpi/mpicoder.c ++++ b/lib/mpi/mpicoder.c +@@ -397,7 +397,8 @@ MPI mpi_read_raw_from_sgl(struct scatterlist *sgl, unsigned int nbytes) + + while (sg_miter_next(&miter)) { + buff = miter.addr; +- len = miter.length; ++ len = min_t(unsigned, miter.length, nbytes); ++ nbytes -= len; + + for (x = 0; x < len; x++) { + a <<= 8; +-- +2.39.2 + diff --git a/queue-4.19/libbpf-fix-alen-calculation-in-libbpf_nla_dump_error.patch b/queue-4.19/libbpf-fix-alen-calculation-in-libbpf_nla_dump_error.patch new file mode 100644 index 00000000000..f104ba042f3 --- /dev/null +++ b/queue-4.19/libbpf-fix-alen-calculation-in-libbpf_nla_dump_error.patch @@ -0,0 +1,38 @@ +From a1e8b9e7f1e6d21494048dbebd7ac5bb5ce0ff3c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Feb 2023 01:12:01 +0100 +Subject: libbpf: Fix alen calculation in libbpf_nla_dump_errormsg() + +From: Ilya Leoshkevich + +[ Upstream commit 17bcd27a08a21397698edf143084d7c87ce17946 ] + +The code assumes that everything that comes after nlmsgerr are nlattrs. +When calculating their size, it does not account for the initial +nlmsghdr. This may lead to accessing uninitialized memory. + +Fixes: bbf48c18ee0c ("libbpf: add error reporting in XDP") +Signed-off-by: Ilya Leoshkevich +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20230210001210.395194-8-iii@linux.ibm.com +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/nlattr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/lib/bpf/nlattr.c b/tools/lib/bpf/nlattr.c +index 4719434278b20..ac979b4290559 100644 +--- a/tools/lib/bpf/nlattr.c ++++ b/tools/lib/bpf/nlattr.c +@@ -170,7 +170,7 @@ int nla_dump_errormsg(struct nlmsghdr *nlh) + hlen += nlmsg_len(&err->msg); + + attr = (struct nlattr *) ((void *) err + hlen); +- alen = nlh->nlmsg_len - hlen; ++ alen = (void *)nlh + nlh->nlmsg_len - (void *)attr; + + if (nla_parse(tb, NLMSGERR_ATTR_MAX, attr, alen, extack_policy) != 0) { + fprintf(stderr, +-- +2.39.2 + diff --git a/queue-4.19/m68k-check-syscall_trace_enter-return-code.patch b/queue-4.19/m68k-check-syscall_trace_enter-return-code.patch new file mode 100644 index 00000000000..60f1359dd9d --- /dev/null +++ b/queue-4.19/m68k-check-syscall_trace_enter-return-code.patch @@ -0,0 +1,72 @@ +From bb1c7a0476084f89c0cc61f9a019be4db18f8cbe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Jan 2023 16:55:27 +1300 +Subject: m68k: Check syscall_trace_enter() return code + +From: Michael Schmitz + +[ Upstream commit 2ca8a1de4437f21562e57f9ac123914747a8e7a1 ] + +Check return code of syscall_trace_enter(), and skip syscall +if -1. Return code will be left at what had been set by +ptrace or seccomp (in regs->d0). + +No regression seen in testing with strace on ARAnyM. + +Signed-off-by: Michael Schmitz +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20230112035529.13521-2-schmitzmic@gmail.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/m68k/68000/entry.S | 2 ++ + arch/m68k/coldfire/entry.S | 2 ++ + arch/m68k/kernel/entry.S | 3 +++ + 3 files changed, 7 insertions(+) + +diff --git a/arch/m68k/68000/entry.S b/arch/m68k/68000/entry.S +index 259b3661b6141..94abf3d8afc52 100644 +--- a/arch/m68k/68000/entry.S ++++ b/arch/m68k/68000/entry.S +@@ -47,6 +47,8 @@ do_trace: + jbsr syscall_trace_enter + RESTORE_SWITCH_STACK + addql #4,%sp ++ addql #1,%d0 ++ jeq ret_from_exception + movel %sp@(PT_OFF_ORIG_D0),%d1 + movel #-ENOSYS,%d0 + cmpl #NR_syscalls,%d1 +diff --git a/arch/m68k/coldfire/entry.S b/arch/m68k/coldfire/entry.S +index 52d312d5b4d4f..fb3b065677459 100644 +--- a/arch/m68k/coldfire/entry.S ++++ b/arch/m68k/coldfire/entry.S +@@ -92,6 +92,8 @@ ENTRY(system_call) + jbsr syscall_trace_enter + RESTORE_SWITCH_STACK + addql #4,%sp ++ addql #1,%d0 ++ jeq ret_from_exception + movel %d3,%a0 + jbsr %a0@ + movel %d0,%sp@(PT_OFF_D0) /* save the return value */ +diff --git a/arch/m68k/kernel/entry.S b/arch/m68k/kernel/entry.S +index 97cd3ea5f10b8..9a66657773beb 100644 +--- a/arch/m68k/kernel/entry.S ++++ b/arch/m68k/kernel/entry.S +@@ -160,9 +160,12 @@ do_trace_entry: + jbsr syscall_trace + RESTORE_SWITCH_STACK + addql #4,%sp ++ addql #1,%d0 | optimization for cmpil #-1,%d0 ++ jeq ret_from_syscall + movel %sp@(PT_OFF_ORIG_D0),%d0 + cmpl #NR_syscalls,%d0 + jcs syscall ++ jra ret_from_syscall + badsys: + movel #-ENOSYS,%sp@(PT_OFF_D0) + jra ret_from_syscall +-- +2.39.2 + diff --git a/queue-4.19/m68k-proc-hardware-should-depend-on-proc_fs.patch b/queue-4.19/m68k-proc-hardware-should-depend-on-proc_fs.patch new file mode 100644 index 00000000000..ac87bb19f88 --- /dev/null +++ b/queue-4.19/m68k-proc-hardware-should-depend-on-proc_fs.patch @@ -0,0 +1,42 @@ +From 6b6f8f485b319989fd47327b065fce15a6cb1dba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Feb 2023 17:08:25 -0800 +Subject: m68k: /proc/hardware should depend on PROC_FS + +From: Randy Dunlap + +[ Upstream commit 1e5b5df65af99013b4d31607ddb3ca5731dbe44d ] + +When CONFIG_PROC_FS is not set, there is a build error for an unused +function. Make PROC_HARDWARE depend on PROC_FS to prevent this error. + +In file included from ../arch/m68k/kernel/setup.c:3: +../arch/m68k/kernel/setup_mm.c:477:12: error: 'hardware_proc_show' defined but not used [-Werror=unused-function] + 477 | static int hardware_proc_show(struct seq_file *m, void *v) + | ^~~~~~~~~~~~~~~~~~ + +Fixes: 66d857b08b8c ("m68k: merge m68k and m68knommu arch directories") # v3.0 +Signed-off-by: Randy Dunlap +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20230209010825.24136-1-rdunlap@infradead.org +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/m68k/Kconfig.devices | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/m68k/Kconfig.devices b/arch/m68k/Kconfig.devices +index 3e9b0b826f8a1..6fb693bb0771c 100644 +--- a/arch/m68k/Kconfig.devices ++++ b/arch/m68k/Kconfig.devices +@@ -19,6 +19,7 @@ config HEARTBEAT + # We have a dedicated heartbeat LED. :-) + config PROC_HARDWARE + bool "/proc/hardware support" ++ depends on PROC_FS + help + Say Y here to support the /proc/hardware file, which gives you + access to information about the machine you're running on, +-- +2.39.2 + diff --git a/queue-4.19/media-i2c-ov7670-0-instead-of-einval-was-returned.patch b/queue-4.19/media-i2c-ov7670-0-instead-of-einval-was-returned.patch new file mode 100644 index 00000000000..b5bd853fe01 --- /dev/null +++ b/queue-4.19/media-i2c-ov7670-0-instead-of-einval-was-returned.patch @@ -0,0 +1,41 @@ +From 32e55e70dc0efcb9e05b813681c022bf421b0c52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jan 2023 14:03:51 +0100 +Subject: media: i2c: ov7670: 0 instead of -EINVAL was returned + +From: Hans Verkuil + +[ Upstream commit 6a4c664539e6de9b32b65ddcf767ec1bcc1d7f8a ] + +If the media bus is unsupported, then return -EINVAL. Instead it +returned 'ret' which happened to be 0. + +This fixes a smatch warning: + +ov7670.c:1843 ov7670_parse_dt() warn: missing error code? 'ret' + +Signed-off-by: Hans Verkuil +Fixes: 01b8444828fc ("media: v4l2: i2c: ov7670: Implement OF mbus configuration") +Acked-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ov7670.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/i2c/ov7670.c b/drivers/media/i2c/ov7670.c +index 1f71c14c8aab4..4f906d25ce5ca 100644 +--- a/drivers/media/i2c/ov7670.c ++++ b/drivers/media/i2c/ov7670.c +@@ -1750,7 +1750,7 @@ static int ov7670_parse_dt(struct device *dev, + + if (bus_cfg.bus_type != V4L2_MBUS_PARALLEL) { + dev_err(dev, "Unsupported media bus type\n"); +- return ret; ++ return -EINVAL; + } + info->mbus_config = bus_cfg.bus.parallel.flags; + +-- +2.39.2 + diff --git a/queue-4.19/media-i2c-ov772x-fix-memleak-in-ov772x_probe.patch b/queue-4.19/media-i2c-ov772x-fix-memleak-in-ov772x_probe.patch new file mode 100644 index 00000000000..e518b709a96 --- /dev/null +++ b/queue-4.19/media-i2c-ov772x-fix-memleak-in-ov772x_probe.patch @@ -0,0 +1,94 @@ +From 76cb3583937aa59e0cf5cfce60347379aac92bf8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 09:06:25 +0100 +Subject: media: i2c: ov772x: Fix memleak in ov772x_probe() + +From: Yuan Can + +[ Upstream commit 7485edb2b6ca5960205c0a49bedfd09bba30e521 ] + +A memory leak was reported when testing ov772x with bpf mock device: + +AssertionError: unreferenced object 0xffff888109afa7a8 (size 8): + comm "python3", pid 279, jiffies 4294805921 (age 20.681s) + hex dump (first 8 bytes): + 80 22 88 15 81 88 ff ff ."...... + backtrace: + [<000000009990b438>] __kmalloc_node+0x44/0x1b0 + [<000000009e32f7d7>] kvmalloc_node+0x34/0x180 + [<00000000faf48134>] v4l2_ctrl_handler_init_class+0x11d/0x180 [videodev] + [<00000000da376937>] ov772x_probe+0x1c3/0x68c [ov772x] + [<000000003f0d225e>] i2c_device_probe+0x28d/0x680 + [<00000000e0b6db89>] really_probe+0x17c/0x3f0 + [<000000001b19fcee>] __driver_probe_device+0xe3/0x170 + [<0000000048370519>] driver_probe_device+0x49/0x120 + [<000000005ead07a0>] __device_attach_driver+0xf7/0x150 + [<0000000043f452b8>] bus_for_each_drv+0x114/0x180 + [<00000000358e5596>] __device_attach+0x1e5/0x2d0 + [<0000000043f83c5d>] bus_probe_device+0x126/0x140 + [<00000000ee0f3046>] device_add+0x810/0x1130 + [<00000000e0278184>] i2c_new_client_device+0x359/0x4f0 + [<0000000070baf34f>] of_i2c_register_device+0xf1/0x110 + [<00000000a9f2159d>] of_i2c_notify+0x100/0x160 +unreferenced object 0xffff888119825c00 (size 256): + comm "python3", pid 279, jiffies 4294805921 (age 20.681s) + hex dump (first 32 bytes): + 00 b4 a5 17 81 88 ff ff 00 5e 82 19 81 88 ff ff .........^...... + 10 5c 82 19 81 88 ff ff 10 5c 82 19 81 88 ff ff .\.......\...... + backtrace: + [<000000009990b438>] __kmalloc_node+0x44/0x1b0 + [<000000009e32f7d7>] kvmalloc_node+0x34/0x180 + [<0000000073d88e0b>] v4l2_ctrl_new.cold+0x19b/0x86f [videodev] + [<00000000b1f576fb>] v4l2_ctrl_new_std+0x16f/0x210 [videodev] + [<00000000caf7ac99>] ov772x_probe+0x1fa/0x68c [ov772x] + [<000000003f0d225e>] i2c_device_probe+0x28d/0x680 + [<00000000e0b6db89>] really_probe+0x17c/0x3f0 + [<000000001b19fcee>] __driver_probe_device+0xe3/0x170 + [<0000000048370519>] driver_probe_device+0x49/0x120 + [<000000005ead07a0>] __device_attach_driver+0xf7/0x150 + [<0000000043f452b8>] bus_for_each_drv+0x114/0x180 + [<00000000358e5596>] __device_attach+0x1e5/0x2d0 + [<0000000043f83c5d>] bus_probe_device+0x126/0x140 + [<00000000ee0f3046>] device_add+0x810/0x1130 + [<00000000e0278184>] i2c_new_client_device+0x359/0x4f0 + [<0000000070baf34f>] of_i2c_register_device+0xf1/0x110 + +The reason is that if priv->hdl.error is set, ov772x_probe() jumps to the +error_mutex_destroy without doing v4l2_ctrl_handler_free(), and all +resources allocated in v4l2_ctrl_handler_init() and v4l2_ctrl_new_std() +are leaked. + +Fixes: 1112babde214 ("media: i2c: Copy ov772x soc_camera sensor driver") +Signed-off-by: Yuan Can +Reviewed-by: Laurent Pinchart +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ov772x.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/media/i2c/ov772x.c b/drivers/media/i2c/ov772x.c +index 4eae5f2f7d318..11deaec9afbfb 100644 +--- a/drivers/media/i2c/ov772x.c ++++ b/drivers/media/i2c/ov772x.c +@@ -1424,7 +1424,7 @@ static int ov772x_probe(struct i2c_client *client, + priv->subdev.ctrl_handler = &priv->hdl; + if (priv->hdl.error) { + ret = priv->hdl.error; +- goto error_mutex_destroy; ++ goto error_ctrl_free; + } + + priv->clk = clk_get(&client->dev, NULL); +@@ -1473,7 +1473,6 @@ static int ov772x_probe(struct i2c_client *client, + clk_put(priv->clk); + error_ctrl_free: + v4l2_ctrl_handler_free(&priv->hdl); +-error_mutex_destroy: + mutex_destroy(&priv->lock); + + return ret; +-- +2.39.2 + diff --git a/queue-4.19/media-platform-ti-add-missing-check-for-devm_regulat.patch b/queue-4.19/media-platform-ti-add-missing-check-for-devm_regulat.patch new file mode 100644 index 00000000000..53de0e4209b --- /dev/null +++ b/queue-4.19/media-platform-ti-add-missing-check-for-devm_regulat.patch @@ -0,0 +1,45 @@ +From 241359cc67ed6eaa64ba2ce0946f8e6d1a186b62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Jan 2023 09:55:37 +0100 +Subject: media: platform: ti: Add missing check for devm_regulator_get + +From: Jiasheng Jiang + +[ Upstream commit da8e05f84a11c3cc3b0ba0a3c62d20e358002d99 ] + +Add check for the return value of devm_regulator_get since it may return +error pointer. + +Fixes: 448de7e7850b ("[media] omap3isp: OMAP3 ISP core") +Signed-off-by: Jiasheng Jiang +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/omap3isp/isp.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/media/platform/omap3isp/isp.c b/drivers/media/platform/omap3isp/isp.c +index 00e52f0b8251b..b559cc179d708 100644 +--- a/drivers/media/platform/omap3isp/isp.c ++++ b/drivers/media/platform/omap3isp/isp.c +@@ -2247,7 +2247,16 @@ static int isp_probe(struct platform_device *pdev) + + /* Regulators */ + isp->isp_csiphy1.vdd = devm_regulator_get(&pdev->dev, "vdd-csiphy1"); ++ if (IS_ERR(isp->isp_csiphy1.vdd)) { ++ ret = PTR_ERR(isp->isp_csiphy1.vdd); ++ goto error; ++ } ++ + isp->isp_csiphy2.vdd = devm_regulator_get(&pdev->dev, "vdd-csiphy2"); ++ if (IS_ERR(isp->isp_csiphy2.vdd)) { ++ ret = PTR_ERR(isp->isp_csiphy2.vdd); ++ goto error; ++ } + + /* Clocks + * +-- +2.39.2 + diff --git a/queue-4.19/media-rc-fix-use-after-free-bugs-caused-by-ene_tx_ir.patch b/queue-4.19/media-rc-fix-use-after-free-bugs-caused-by-ene_tx_ir.patch new file mode 100644 index 00000000000..04b60f519ca --- /dev/null +++ b/queue-4.19/media-rc-fix-use-after-free-bugs-caused-by-ene_tx_ir.patch @@ -0,0 +1,83 @@ +From d1bb50727d7adfffb9c5c0f947917bb7e4b9c87e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 08:55:33 +0100 +Subject: media: rc: Fix use-after-free bugs caused by ene_tx_irqsim() + +From: Duoming Zhou + +[ Upstream commit 29b0589a865b6f66d141d79b2dd1373e4e50fe17 ] + +When the ene device is detaching, function ene_remove() will +be called. But there is no function to cancel tx_sim_timer +in ene_remove(), the timer handler ene_tx_irqsim() could race +with ene_remove(). As a result, the UAF bugs could happen, +the process is shown below. + + (cleanup routine) | (timer routine) + | mod_timer(&dev->tx_sim_timer, ..) +ene_remove() | (wait a time) + | ene_tx_irqsim() + | dev->hw_lock //USE + | ene_tx_sample(dev) //USE + +Fix by adding del_timer_sync(&dev->tx_sim_timer) in ene_remove(), +The tx_sim_timer could stop before ene device is deallocated. + +What's more, The rc_unregister_device() and del_timer_sync() +should be called first in ene_remove() and the deallocated +functions such as free_irq(), release_region() and so on +should be called behind them. Because the rc_unregister_device() +is well synchronized. Otherwise, race conditions may happen. The +situations that may lead to race conditions are shown below. + +Firstly, the rx receiver is disabled with ene_rx_disable() +before rc_unregister_device() in ene_remove(), which means it +can be enabled again if a process opens /dev/lirc0 between +ene_rx_disable() and rc_unregister_device(). + +Secondly, the irqaction descriptor is freed by free_irq() +before the rc device is unregistered, which means irqaction +descriptor may be accessed again after it is deallocated. + +Thirdly, the timer can call ene_tx_sample() that can write +to the io ports, which means the io ports could be accessed +again after they are deallocated by release_region(). + +Therefore, the rc_unregister_device() and del_timer_sync() +should be called first in ene_remove(). + +Suggested by: Sean Young + +Fixes: 9ea53b74df9c ("V4L/DVB: STAGING: remove lirc_ene0100 driver") +Signed-off-by: Duoming Zhou +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/rc/ene_ir.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/rc/ene_ir.c b/drivers/media/rc/ene_ir.c +index 71b8c9bbf6c40..8cf2a5c0575ab 100644 +--- a/drivers/media/rc/ene_ir.c ++++ b/drivers/media/rc/ene_ir.c +@@ -1116,6 +1116,8 @@ static void ene_remove(struct pnp_dev *pnp_dev) + struct ene_device *dev = pnp_get_drvdata(pnp_dev); + unsigned long flags; + ++ rc_unregister_device(dev->rdev); ++ del_timer_sync(&dev->tx_sim_timer); + spin_lock_irqsave(&dev->hw_lock, flags); + ene_rx_disable(dev); + ene_rx_restore_hw_buffer(dev); +@@ -1123,7 +1125,6 @@ static void ene_remove(struct pnp_dev *pnp_dev) + + free_irq(dev->irq, dev); + release_region(dev->hw_io, ENE_IO_SIZE); +- rc_unregister_device(dev->rdev); + kfree(dev); + } + +-- +2.39.2 + diff --git a/queue-4.19/media-usb-siano-fix-use-after-free-bugs-caused-by-do.patch b/queue-4.19/media-usb-siano-fix-use-after-free-bugs-caused-by-do.patch new file mode 100644 index 00000000000..7cf21bbe6c6 --- /dev/null +++ b/queue-4.19/media-usb-siano-fix-use-after-free-bugs-caused-by-do.patch @@ -0,0 +1,233 @@ +From 85667922e0395d88f3a7580243333f2922464206 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Jan 2023 03:04:38 +0100 +Subject: media: usb: siano: Fix use after free bugs caused by do_submit_urb + +From: Duoming Zhou + +[ Upstream commit ebad8e731c1c06adf04621d6fd327b860c0861b5 ] + +There are UAF bugs caused by do_submit_urb(). One of the KASan reports +is shown below: + +[ 36.403605] BUG: KASAN: use-after-free in worker_thread+0x4a2/0x890 +[ 36.406105] Read of size 8 at addr ffff8880059600e8 by task kworker/0:2/49 +[ 36.408316] +[ 36.408867] CPU: 0 PID: 49 Comm: kworker/0:2 Not tainted 6.2.0-rc3-15798-g5a41237ad1d4-dir8 +[ 36.411696] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g15584 +[ 36.416157] Workqueue: 0x0 (events) +[ 36.417654] Call Trace: +[ 36.418546] +[ 36.419320] dump_stack_lvl+0x96/0xd0 +[ 36.420522] print_address_description+0x75/0x350 +[ 36.421992] print_report+0x11b/0x250 +[ 36.423174] ? _raw_spin_lock_irqsave+0x87/0xd0 +[ 36.424806] ? __virt_addr_valid+0xcf/0x170 +[ 36.426069] ? worker_thread+0x4a2/0x890 +[ 36.427355] kasan_report+0x131/0x160 +[ 36.428556] ? worker_thread+0x4a2/0x890 +[ 36.430053] worker_thread+0x4a2/0x890 +[ 36.431297] ? worker_clr_flags+0x90/0x90 +[ 36.432479] kthread+0x166/0x190 +[ 36.433493] ? kthread_blkcg+0x50/0x50 +[ 36.434669] ret_from_fork+0x22/0x30 +[ 36.435923] +[ 36.436684] +[ 36.437215] Allocated by task 24: +[ 36.438289] kasan_set_track+0x50/0x80 +[ 36.439436] __kasan_kmalloc+0x89/0xa0 +[ 36.440566] smsusb_probe+0x374/0xc90 +[ 36.441920] usb_probe_interface+0x2d1/0x4c0 +[ 36.443253] really_probe+0x1d5/0x580 +[ 36.444539] __driver_probe_device+0xe3/0x130 +[ 36.446085] driver_probe_device+0x49/0x220 +[ 36.447423] __device_attach_driver+0x19e/0x1b0 +[ 36.448931] bus_for_each_drv+0xcb/0x110 +[ 36.450217] __device_attach+0x132/0x1f0 +[ 36.451470] bus_probe_device+0x59/0xf0 +[ 36.452563] device_add+0x4ec/0x7b0 +[ 36.453830] usb_set_configuration+0xc63/0xe10 +[ 36.455230] usb_generic_driver_probe+0x3b/0x80 +[ 36.456166] printk: console [ttyGS0] disabled +[ 36.456569] usb_probe_device+0x90/0x110 +[ 36.459523] really_probe+0x1d5/0x580 +[ 36.461027] __driver_probe_device+0xe3/0x130 +[ 36.462465] driver_probe_device+0x49/0x220 +[ 36.463847] __device_attach_driver+0x19e/0x1b0 +[ 36.465229] bus_for_each_drv+0xcb/0x110 +[ 36.466466] __device_attach+0x132/0x1f0 +[ 36.467799] bus_probe_device+0x59/0xf0 +[ 36.469010] device_add+0x4ec/0x7b0 +[ 36.470125] usb_new_device+0x863/0xa00 +[ 36.471374] hub_event+0x18c7/0x2220 +[ 36.472746] process_one_work+0x34c/0x5b0 +[ 36.474041] worker_thread+0x4b7/0x890 +[ 36.475216] kthread+0x166/0x190 +[ 36.476267] ret_from_fork+0x22/0x30 +[ 36.477447] +[ 36.478160] Freed by task 24: +[ 36.479239] kasan_set_track+0x50/0x80 +[ 36.480512] kasan_save_free_info+0x2b/0x40 +[ 36.481808] ____kasan_slab_free+0x122/0x1a0 +[ 36.483173] __kmem_cache_free+0xc4/0x200 +[ 36.484563] smsusb_term_device+0xcd/0xf0 +[ 36.485896] smsusb_probe+0xc85/0xc90 +[ 36.486976] usb_probe_interface+0x2d1/0x4c0 +[ 36.488303] really_probe+0x1d5/0x580 +[ 36.489498] __driver_probe_device+0xe3/0x130 +[ 36.491140] driver_probe_device+0x49/0x220 +[ 36.492475] __device_attach_driver+0x19e/0x1b0 +[ 36.493988] bus_for_each_drv+0xcb/0x110 +[ 36.495171] __device_attach+0x132/0x1f0 +[ 36.496617] bus_probe_device+0x59/0xf0 +[ 36.497875] device_add+0x4ec/0x7b0 +[ 36.498972] usb_set_configuration+0xc63/0xe10 +[ 36.500264] usb_generic_driver_probe+0x3b/0x80 +[ 36.501740] usb_probe_device+0x90/0x110 +[ 36.503084] really_probe+0x1d5/0x580 +[ 36.504241] __driver_probe_device+0xe3/0x130 +[ 36.505548] driver_probe_device+0x49/0x220 +[ 36.506766] __device_attach_driver+0x19e/0x1b0 +[ 36.508368] bus_for_each_drv+0xcb/0x110 +[ 36.509646] __device_attach+0x132/0x1f0 +[ 36.510911] bus_probe_device+0x59/0xf0 +[ 36.512103] device_add+0x4ec/0x7b0 +[ 36.513215] usb_new_device+0x863/0xa00 +[ 36.514736] hub_event+0x18c7/0x2220 +[ 36.516130] process_one_work+0x34c/0x5b0 +[ 36.517396] worker_thread+0x4b7/0x890 +[ 36.518591] kthread+0x166/0x190 +[ 36.519599] ret_from_fork+0x22/0x30 +[ 36.520851] +[ 36.521405] Last potentially related work creation: +[ 36.523143] kasan_save_stack+0x3f/0x60 +[ 36.524275] kasan_record_aux_stack_noalloc+0x9d/0xb0 +[ 36.525831] insert_work+0x25/0x130 +[ 36.527039] __queue_work+0x4d4/0x620 +[ 36.528236] queue_work_on+0x72/0xb0 +[ 36.529344] __usb_hcd_giveback_urb+0x13f/0x1b0 +[ 36.530819] dummy_timer+0x350/0x1a40 +[ 36.532149] call_timer_fn+0x2c/0x190 +[ 36.533567] expire_timers+0x69/0x1f0 +[ 36.534736] __run_timers+0x289/0x2d0 +[ 36.535841] run_timer_softirq+0x2d/0x60 +[ 36.537110] __do_softirq+0x116/0x380 +[ 36.538377] +[ 36.538950] Second to last potentially related work creation: +[ 36.540855] kasan_save_stack+0x3f/0x60 +[ 36.542084] kasan_record_aux_stack_noalloc+0x9d/0xb0 +[ 36.543592] insert_work+0x25/0x130 +[ 36.544891] __queue_work+0x4d4/0x620 +[ 36.546168] queue_work_on+0x72/0xb0 +[ 36.547328] __usb_hcd_giveback_urb+0x13f/0x1b0 +[ 36.548805] dummy_timer+0x350/0x1a40 +[ 36.550116] call_timer_fn+0x2c/0x190 +[ 36.551570] expire_timers+0x69/0x1f0 +[ 36.552762] __run_timers+0x289/0x2d0 +[ 36.553916] run_timer_softirq+0x2d/0x60 +[ 36.555118] __do_softirq+0x116/0x380 +[ 36.556239] +[ 36.556807] The buggy address belongs to the object at ffff888005960000 +[ 36.556807] which belongs to the cache kmalloc-4k of size 4096 +[ 36.560652] The buggy address is located 232 bytes inside of +[ 36.560652] 4096-byte region [ffff888005960000, ffff888005961000) +[ 36.564791] +[ 36.565355] The buggy address belongs to the physical page: +[ 36.567212] page:000000004f0a0731 refcount:1 mapcount:0 mapping:0000000000000000 index:0x00 +[ 36.570534] head:000000004f0a0731 order:3 compound_mapcount:0 subpages_mapcount:0 compound0 +[ 36.573717] flags: 0x100000000010200(slab|head|node=0|zone=1) +[ 36.575481] raw: 0100000000010200 ffff888001042140 dead000000000122 0000000000000000 +[ 36.577842] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000 +[ 36.580175] page dumped because: kasan: bad access detected +[ 36.581994] +[ 36.582548] Memory state around the buggy address: +[ 36.583983] ffff88800595ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 36.586240] ffff888005960000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 36.588884] >ffff888005960080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 36.591071] ^ +[ 36.593295] ffff888005960100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 36.595705] ffff888005960180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 36.598026] ================================================================== +[ 36.600224] Disabling lock debugging due to kernel taint +[ 36.602681] general protection fault, probably for non-canonical address 0x43600a000000060I +[ 36.607129] CPU: 0 PID: 49 Comm: kworker/0:2 Tainted: G B 6.2.0-rc3-15798-8 +[ 36.611115] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g15584 +[ 36.615026] Workqueue: events do_submit_urb +[ 36.616290] RIP: 0010:_raw_spin_lock_irqsave+0x8a/0xd0 +[ 36.618107] Code: 24 00 00 00 00 48 89 df be 04 00 00 00 e8 9e b5 c6 fe 48 89 ef be 04 00 5 +[ 36.623522] RSP: 0018:ffff888004b6fcf0 EFLAGS: 00010046 +[ 36.625072] RAX: 0000000000000000 RBX: 043600a000000060 RCX: ffffffff9fc0e0d7 +[ 36.627206] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff888004b6fcf0 +[ 36.629813] RBP: ffff888004b6fcf0 R08: dffffc0000000000 R09: ffffed100096df9f +[ 36.631974] R10: dfffe9100096dfa0 R11: 1ffff1100096df9e R12: ffff888005960020 +[ 36.634285] R13: ffff8880059600f0 R14: 0000000000000246 R15: 0000000000000001 +[ 36.636438] FS: 0000000000000000(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000 +[ 36.639092] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 36.640951] CR2: 00007f07476819a3 CR3: 0000000004a34000 CR4: 00000000000006f0 +[ 36.643411] Call Trace: +[ 36.644215] +[ 36.644902] smscore_getbuffer+0x3e/0x1e0 +[ 36.646147] do_submit_urb+0x4f/0x190 +[ 36.647449] process_one_work+0x34c/0x5b0 +[ 36.648777] worker_thread+0x4b7/0x890 +[ 36.649984] ? worker_clr_flags+0x90/0x90 +[ 36.651166] kthread+0x166/0x190 +[ 36.652151] ? kthread_blkcg+0x50/0x50 +[ 36.653547] ret_from_fork+0x22/0x30 +[ 36.655051] +[ 36.655733] Modules linked in: +[ 36.656787] ---[ end trace 0000000000000000 ]--- +[ 36.658328] RIP: 0010:_raw_spin_lock_irqsave+0x8a/0xd0 +[ 36.660045] Code: 24 00 00 00 00 48 89 df be 04 00 00 00 e8 9e b5 c6 fe 48 89 ef be 04 00 5 +[ 36.665730] RSP: 0018:ffff888004b6fcf0 EFLAGS: 00010046 +[ 36.667448] RAX: 0000000000000000 RBX: 043600a000000060 RCX: ffffffff9fc0e0d7 +[ 36.669675] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff888004b6fcf0 +[ 36.672645] RBP: ffff888004b6fcf0 R08: dffffc0000000000 R09: ffffed100096df9f +[ 36.674921] R10: dfffe9100096dfa0 R11: 1ffff1100096df9e R12: ffff888005960020 +[ 36.677034] R13: ffff8880059600f0 R14: 0000000000000246 R15: 0000000000000001 +[ 36.679184] FS: 0000000000000000(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000 +[ 36.681655] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 36.683383] CR2: 00007f07476819a3 CR3: 0000000004a34000 CR4: 00000000000006f0 +[ 36.685733] Kernel panic - not syncing: Fatal exception +[ 36.688585] Kernel Offset: 0x1d400000 from 0xffffffff81000000 (relocation range: 0xfffffff) +[ 36.692199] ---[ end Kernel panic - not syncing: Fatal exception ]--- + +When the siano device is plugged in, it may call the following functions +to initialize the device. + +smsusb_probe()-->smsusb_init_device()-->smscore_start_device(). + +When smscore_start_device() gets failed, the function smsusb_term_device() +will be called and smsusb_device_t will be deallocated. Although we use +usb_kill_urb() in smsusb_stop_streaming() to cancel transfer requests +and wait for them to finish, the worker threads that are scheduled by +smsusb_onresponse() may be still running. As a result, the UAF bugs +could happen. + +We add cancel_work_sync() in smsusb_stop_streaming() in order that the +worker threads could finish before the smsusb_device_t is deallocated. + +Fixes: dd47fbd40e6e ("[media] smsusb: don't sleep while atomic") +Signed-off-by: Duoming Zhou +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/siano/smsusb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c +index 3071d9bc77f48..2df3d730ea768 100644 +--- a/drivers/media/usb/siano/smsusb.c ++++ b/drivers/media/usb/siano/smsusb.c +@@ -190,6 +190,7 @@ static void smsusb_stop_streaming(struct smsusb_device_t *dev) + + for (i = 0; i < MAX_URBS; i++) { + usb_kill_urb(&dev->surbs[i].urb); ++ cancel_work_sync(&dev->surbs[i].wq); + + if (dev->surbs[i].cb) { + smscore_putbuffer(dev->coredev, dev->surbs[i].cb); +-- +2.39.2 + diff --git a/queue-4.19/mfd-pcf50633-adc-fix-potential-memleak-in-pcf50633_a.patch b/queue-4.19/mfd-pcf50633-adc-fix-potential-memleak-in-pcf50633_a.patch new file mode 100644 index 00000000000..1fa90d60998 --- /dev/null +++ b/queue-4.19/mfd-pcf50633-adc-fix-potential-memleak-in-pcf50633_a.patch @@ -0,0 +1,50 @@ +From 6e512653f93c6f46e6c3810f01228d84498d047c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 14:15:55 +0800 +Subject: mfd: pcf50633-adc: Fix potential memleak in pcf50633_adc_async_read() + +From: Qiheng Lin + +[ Upstream commit 8b450dcff23aa254844492831a8e2b508a9d522d ] + +`req` is allocated in pcf50633_adc_async_read(), but +adc_enqueue_request() could fail to insert the `req` into queue. +We need to check the return value and free it in the case of failure. + +Fixes: 08c3e06a5eb2 ("mfd: PCF50633 adc driver") +Signed-off-by: Qiheng Lin +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20221208061555.8776-1-linqiheng@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/mfd/pcf50633-adc.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/mfd/pcf50633-adc.c b/drivers/mfd/pcf50633-adc.c +index c1984b0d1b652..a4a765055ee6b 100644 +--- a/drivers/mfd/pcf50633-adc.c ++++ b/drivers/mfd/pcf50633-adc.c +@@ -140,6 +140,7 @@ int pcf50633_adc_async_read(struct pcf50633 *pcf, int mux, int avg, + void *callback_param) + { + struct pcf50633_adc_request *req; ++ int ret; + + /* req is freed when the result is ready, in interrupt handler */ + req = kmalloc(sizeof(*req), GFP_KERNEL); +@@ -151,7 +152,11 @@ int pcf50633_adc_async_read(struct pcf50633 *pcf, int mux, int avg, + req->callback = callback; + req->callback_param = callback_param; + +- return adc_enqueue_request(pcf, req); ++ ret = adc_enqueue_request(pcf, req); ++ if (ret) ++ kfree(req); ++ ++ return ret; + } + EXPORT_SYMBOL_GPL(pcf50633_adc_async_read); + +-- +2.39.2 + diff --git a/queue-4.19/mips-vpe-mt-drop-physical_memsize.patch b/queue-4.19/mips-vpe-mt-drop-physical_memsize.patch new file mode 100644 index 00000000000..f22a3549fcd --- /dev/null +++ b/queue-4.19/mips-vpe-mt-drop-physical_memsize.patch @@ -0,0 +1,99 @@ +From 8143f9acdf298851fb6aca008f3ca21ef0699d06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 19 Feb 2023 15:15:25 -0800 +Subject: MIPS: vpe-mt: drop physical_memsize +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Randy Dunlap + +[ Upstream commit 91dc288f4edf0d768e46c2c6d33e0ab703403459 ] + +When neither LANTIQ nor MIPS_MALTA is set, 'physical_memsize' is not +declared. This causes the build to fail with: + +mips-linux-ld: arch/mips/kernel/vpe-mt.o: in function `vpe_run': +arch/mips/kernel/vpe-mt.c:(.text.vpe_run+0x280): undefined reference to `physical_memsize' + +LANTIQ is not using 'physical_memsize' and MIPS_MALTA's use of it is +self-contained in mti-malta/malta-dtshim.c. +Use of physical_memsize in vpe-mt.c appears to be unused, so eliminate +this loader mode completely and require VPE programs to be compiled with +DFLT_STACK_SIZE and DFLT_HEAP_SIZE defined. + +Fixes: 9050d50e2244 ("MIPS: lantiq: Set physical_memsize") +Fixes: 1a2a6d7e8816 ("MIPS: APRP: Split VPE loader into separate files.") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Link: https://lore.kernel.org/all/202302030625.2g3E98sY-lkp@intel.com/ +Cc: Dengcheng Zhu +Cc: John Crispin +Cc: Thomas Bogendoerfer +Cc: Philippe Mathieu-Daudé +Cc: "Steven J. Hill" +Cc: Qais Yousef +Cc: Yang Yingliang +Cc: Hauke Mehrtens +Cc: James Hogan +Cc: linux-mips@vger.kernel.org +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/include/asm/vpe.h | 1 - + arch/mips/kernel/vpe-mt.c | 7 +++---- + arch/mips/lantiq/prom.c | 6 ------ + 3 files changed, 3 insertions(+), 11 deletions(-) + +diff --git a/arch/mips/include/asm/vpe.h b/arch/mips/include/asm/vpe.h +index 80e70dbd1f641..012731546cf60 100644 +--- a/arch/mips/include/asm/vpe.h ++++ b/arch/mips/include/asm/vpe.h +@@ -104,7 +104,6 @@ struct vpe_control { + struct list_head tc_list; /* Thread contexts */ + }; + +-extern unsigned long physical_memsize; + extern struct vpe_control vpecontrol; + extern const struct file_operations vpe_fops; + +diff --git a/arch/mips/kernel/vpe-mt.c b/arch/mips/kernel/vpe-mt.c +index 9fd7cd48ea1d2..496ed8f362f62 100644 +--- a/arch/mips/kernel/vpe-mt.c ++++ b/arch/mips/kernel/vpe-mt.c +@@ -92,12 +92,11 @@ int vpe_run(struct vpe *v) + write_tc_c0_tchalt(read_tc_c0_tchalt() & ~TCHALT_H); + + /* +- * The sde-kit passes 'memsize' to __start in $a3, so set something +- * here... Or set $a3 to zero and define DFLT_STACK_SIZE and +- * DFLT_HEAP_SIZE when you compile your program ++ * We don't pass the memsize here, so VPE programs need to be ++ * compiled with DFLT_STACK_SIZE and DFLT_HEAP_SIZE defined. + */ ++ mttgpr(7, 0); + mttgpr(6, v->ntcs); +- mttgpr(7, physical_memsize); + + /* set up VPE1 */ + /* +diff --git a/arch/mips/lantiq/prom.c b/arch/mips/lantiq/prom.c +index dceab67e481a8..02cf9b27b7859 100644 +--- a/arch/mips/lantiq/prom.c ++++ b/arch/mips/lantiq/prom.c +@@ -24,12 +24,6 @@ + DEFINE_SPINLOCK(ebu_lock); + EXPORT_SYMBOL_GPL(ebu_lock); + +-/* +- * This is needed by the VPE loader code, just set it to 0 and assume +- * that the firmware hardcodes this value to something useful. +- */ +-unsigned long physical_memsize = 0L; +- + /* + * this struct is filled by the soc specific detection code and holds + * information about the specific soc type, revision and name +-- +2.39.2 + diff --git a/queue-4.19/mtd-rawnand-sunxi-fix-the-size-of-the-last-oob-regio.patch b/queue-4.19/mtd-rawnand-sunxi-fix-the-size-of-the-last-oob-regio.patch new file mode 100644 index 00000000000..6e918c0eb83 --- /dev/null +++ b/queue-4.19/mtd-rawnand-sunxi-fix-the-size-of-the-last-oob-regio.patch @@ -0,0 +1,37 @@ +From d9628466e30740632f621285efec13872c30a773 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Dec 2022 12:15:24 -0600 +Subject: mtd: rawnand: sunxi: Fix the size of the last OOB region + +From: Samuel Holland + +[ Upstream commit 34569d869532b54d6e360d224a0254dcdd6a1785 ] + +The previous code assigned to the wrong structure member. + +Fixes: c66811e6d350 ("mtd: nand: sunxi: switch to mtd_ooblayout_ops") +Signed-off-by: Samuel Holland +Acked-By: Dhruva Gole +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20221229181526.53766-6-samuel@sholland.org +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/sunxi_nand.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mtd/nand/raw/sunxi_nand.c b/drivers/mtd/nand/raw/sunxi_nand.c +index 88075e420f907..fe7bfcdf7c69c 100644 +--- a/drivers/mtd/nand/raw/sunxi_nand.c ++++ b/drivers/mtd/nand/raw/sunxi_nand.c +@@ -1670,7 +1670,7 @@ static int sunxi_nand_ooblayout_free(struct mtd_info *mtd, int section, + if (section < ecc->steps) + oobregion->length = 4; + else +- oobregion->offset = mtd->oobsize - oobregion->offset; ++ oobregion->length = mtd->oobsize - oobregion->offset; + + return 0; + } +-- +2.39.2 + diff --git a/queue-4.19/net-bcmgenet-add-a-check-for-oversized-packets.patch b/queue-4.19/net-bcmgenet-add-a-check-for-oversized-packets.patch new file mode 100644 index 00000000000..2d3a09d611e --- /dev/null +++ b/queue-4.19/net-bcmgenet-add-a-check-for-oversized-packets.patch @@ -0,0 +1,43 @@ +From 172983a89fca4aad0f4b3d316bf33c24a38149cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jan 2023 16:08:19 -0800 +Subject: net: bcmgenet: Add a check for oversized packets + +From: Florian Fainelli + +[ Upstream commit 5c0862c2c962052ed5055220a00ac1cefb92fbcd ] + +Occasionnaly we may get oversized packets from the hardware which +exceed the nomimal 2KiB buffer size we allocate SKBs with. Add an early +check which drops the packet to avoid invoking skb_over_panic() and move +on to processing the next packet. + +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/genet/bcmgenet.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +index 96ef2dd46c78c..84bcb3ce00f73 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +@@ -1825,6 +1825,14 @@ static unsigned int bcmgenet_desc_rx(struct bcmgenet_rx_ring *ring, + __func__, p_index, ring->c_index, + ring->read_ptr, dma_length_status); + ++ if (unlikely(len > RX_BUF_LENGTH)) { ++ netif_err(priv, rx_status, dev, "oversized packet\n"); ++ dev->stats.rx_length_errors++; ++ dev->stats.rx_errors++; ++ dev_kfree_skb_any(skb); ++ goto next; ++ } ++ + if (unlikely(!(dma_flag & DMA_EOP) || !(dma_flag & DMA_SOP))) { + netif_err(priv, rx_status, dev, + "dropping fragmented packet!\n"); +-- +2.39.2 + diff --git a/queue-4.19/net-mlx5-enhance-debug-print-in-page-allocation-fail.patch b/queue-4.19/net-mlx5-enhance-debug-print-in-page-allocation-fail.patch new file mode 100644 index 00000000000..78f44dfec4c --- /dev/null +++ b/queue-4.19/net-mlx5-enhance-debug-print-in-page-allocation-fail.patch @@ -0,0 +1,38 @@ +From caab83bf9d472ca716d0b1cf28df6345eaf0a0f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jan 2023 19:57:04 +0200 +Subject: net/mlx5: Enhance debug print in page allocation failure + +From: Jack Morgenstein + +[ Upstream commit 7eef93003e5d20e1a6a6e59e12d914b5431cbda2 ] + +Provide more details to aid debugging. + +Fixes: bf0bf77f6519 ("mlx5: Support communicating arbitrary host page size to firmware") +Signed-off-by: Eran Ben Elisha +Signed-off-by: Majd Dibbiny +Signed-off-by: Jack Morgenstein +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c b/drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c +index 9c3653e06886a..fc880c02459db 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c +@@ -164,7 +164,8 @@ static int alloc_4k(struct mlx5_core_dev *dev, u64 *addr) + fp = list_entry(dev->priv.free_list.next, struct fw_page, list); + n = find_first_bit(&fp->bitmask, 8 * sizeof(fp->bitmask)); + if (n >= MLX5_NUM_4K_IN_PAGE) { +- mlx5_core_warn(dev, "alloc 4k bug\n"); ++ mlx5_core_warn(dev, "alloc 4k bug: fw page = 0x%llx, n = %u, bitmask: %lu, max num of 4K pages: %d\n", ++ fp->addr, n, fp->bitmask, MLX5_NUM_4K_IN_PAGE); + return -ENOENT; + } + clear_bit(n, &fp->bitmask); +-- +2.39.2 + diff --git a/queue-4.19/net-mlx5-fw_tracer-fix-debug-print.patch b/queue-4.19/net-mlx5-fw_tracer-fix-debug-print.patch new file mode 100644 index 00000000000..fd5c35ea08d --- /dev/null +++ b/queue-4.19/net-mlx5-fw_tracer-fix-debug-print.patch @@ -0,0 +1,36 @@ +From 7567c6f1611d85d544ef7ac7bb4d172966d8ca7f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jan 2023 13:34:02 +0200 +Subject: net/mlx5: fw_tracer: Fix debug print + +From: Shay Drory + +[ Upstream commit 988c2352273997a242f15c4fc3711773515006a2 ] + +The debug message specify tdsn, but takes as an argument the +tmsn. The correct argument is tmsn, hence, fix the print. + +Signed-off-by: Shay Drory +Reviewed-by: Moshe Shemesh +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c +index ef9f932f02263..5a2feadd80f08 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c +@@ -564,7 +564,7 @@ static int mlx5_tracer_handle_string_trace(struct mlx5_fw_tracer *tracer, + } else { + cur_string = mlx5_tracer_message_get(tracer, tracer_event); + if (!cur_string) { +- pr_debug("%s Got string event for unknown string tdsm: %d\n", ++ pr_debug("%s Got string event for unknown string tmsn: %d\n", + __func__, tracer_event->string_event.tmsn); + return -1; + } +-- +2.39.2 + diff --git a/queue-4.19/nfsd-fix-race-to-check-ls_layouts.patch b/queue-4.19/nfsd-fix-race-to-check-ls_layouts.patch new file mode 100644 index 00000000000..5bc268206b0 --- /dev/null +++ b/queue-4.19/nfsd-fix-race-to-check-ls_layouts.patch @@ -0,0 +1,46 @@ +From fd226aee31d4fba24da4d1f70973bbd74b205f0a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jan 2023 11:18:56 -0500 +Subject: nfsd: fix race to check ls_layouts + +From: Benjamin Coddington + +[ Upstream commit fb610c4dbc996415d57d7090957ecddd4fd64fb6 ] + +Its possible for __break_lease to find the layout's lease before we've +added the layout to the owner's ls_layouts list. In that case, setting +ls_recalled = true without actually recalling the layout will cause the +server to never send a recall callback. + +Move the check for ls_layouts before setting ls_recalled. + +Fixes: c5c707f96fc9 ("nfsd: implement pNFS layout recalls") +Signed-off-by: Benjamin Coddington +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfs4layouts.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/nfsd/nfs4layouts.c b/fs/nfsd/nfs4layouts.c +index f4cf1c0793c6a..cf81b5bc3e156 100644 +--- a/fs/nfsd/nfs4layouts.c ++++ b/fs/nfsd/nfs4layouts.c +@@ -322,11 +322,11 @@ nfsd4_recall_file_layout(struct nfs4_layout_stateid *ls) + if (ls->ls_recalled) + goto out_unlock; + +- ls->ls_recalled = true; +- atomic_inc(&ls->ls_stid.sc_file->fi_lo_recalls); + if (list_empty(&ls->ls_layouts)) + goto out_unlock; + ++ ls->ls_recalled = true; ++ atomic_inc(&ls->ls_stid.sc_file->fi_lo_recalls); + trace_nfsd_layout_recall(&ls->ls_stid.sc_stateid); + + refcount_inc(&ls->ls_stid.sc_count); +-- +2.39.2 + diff --git a/queue-4.19/perf-llvm-fix-inadvertent-file-creation.patch b/queue-4.19/perf-llvm-fix-inadvertent-file-creation.patch new file mode 100644 index 00000000000..adad4ba806a --- /dev/null +++ b/queue-4.19/perf-llvm-fix-inadvertent-file-creation.patch @@ -0,0 +1,91 @@ +From 48f1c7343f6c4b99f95d8fe2ae017596f4457e47 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Jan 2023 00:26:09 -0800 +Subject: perf llvm: Fix inadvertent file creation + +From: Ian Rogers + +[ Upstream commit 9f19aab47ced012eddef1e2bc96007efc7713b61 ] + +The LLVM template is first echo-ed into command_out and then +command_out executed. The echo surrounds the template with double +quotes, however, the template itself may contain quotes. This is +generally innocuous but in tools/perf/tests/bpf-script-test-prologue.c +we see: +... +SEC("func=null_lseek file->f_mode offset orig") +... +where the first double quote ends the double quote of the echo, then +the > redirects output into a file called f_mode. + +To avoid this inadvertent behavior substitute redirects and similar +characters to be ASCII control codes, then substitute the output in +the echo back again. + +Fixes: 5eab5a7ee032acaa ("perf llvm: Display eBPF compiling command in debug output") +Signed-off-by: Ian Rogers +Cc: Alexander Shishkin +Cc: Andrii Nakryiko +Cc: bpf@vger.kernel.org +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: llvm@lists.linux.dev +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Nathan Chancellor +Cc: Nick Desaulniers +Cc: Peter Zijlstra +Cc: Tom Rix +Link: https://lore.kernel.org/r/20230105082609.344538-1-irogers@google.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/llvm-utils.c | 25 ++++++++++++++++++++++++- + 1 file changed, 24 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/util/llvm-utils.c b/tools/perf/util/llvm-utils.c +index 46ec9a1bb94cc..1ff4788bcb4e5 100644 +--- a/tools/perf/util/llvm-utils.c ++++ b/tools/perf/util/llvm-utils.c +@@ -521,14 +521,37 @@ int llvm__compile_bpf(const char *path, void **p_obj_buf, + + pr_debug("llvm compiling command template: %s\n", template); + ++ /* ++ * Below, substitute control characters for values that can cause the ++ * echo to misbehave, then substitute the values back. ++ */ + err = -ENOMEM; +- if (asprintf(&command_echo, "echo -n \"%s\"", template) < 0) ++ if (asprintf(&command_echo, "echo -n \a%s\a", template) < 0) + goto errout; + ++#define SWAP_CHAR(a, b) do { if (*p == a) *p = b; } while (0) ++ for (char *p = command_echo; *p; p++) { ++ SWAP_CHAR('<', '\001'); ++ SWAP_CHAR('>', '\002'); ++ SWAP_CHAR('"', '\003'); ++ SWAP_CHAR('\'', '\004'); ++ SWAP_CHAR('|', '\005'); ++ SWAP_CHAR('&', '\006'); ++ SWAP_CHAR('\a', '"'); ++ } + err = read_from_pipe(command_echo, (void **) &command_out, NULL); + if (err) + goto errout; + ++ for (char *p = command_out; *p; p++) { ++ SWAP_CHAR('\001', '<'); ++ SWAP_CHAR('\002', '>'); ++ SWAP_CHAR('\003', '"'); ++ SWAP_CHAR('\004', '\''); ++ SWAP_CHAR('\005', '|'); ++ SWAP_CHAR('\006', '&'); ++ } ++#undef SWAP_CHAR + pr_debug("llvm compiling command : %s\n", command_out); + + err = read_from_pipe(template, &obj_buf, &obj_buf_sz); +-- +2.39.2 + diff --git a/queue-4.19/perf-tools-fix-auto-complete-on-aarch64.patch b/queue-4.19/perf-tools-fix-auto-complete-on-aarch64.patch new file mode 100644 index 00000000000..519ebab2c2e --- /dev/null +++ b/queue-4.19/perf-tools-fix-auto-complete-on-aarch64.patch @@ -0,0 +1,72 @@ +From ee14d4d535dc0a7fc77bab55e999f6f9da8daf0d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Feb 2023 11:50:57 +0800 +Subject: perf tools: Fix auto-complete on aarch64 + +From: Yicong Yang + +[ Upstream commit ffd1240e8f0814262ceb957dbe961f6e0aef1e7a ] + +On aarch64 CPU related events are not under event_source/devices/cpu/events, +they're under event_source/devices/armv8_pmuv3_0/events on my machine. +Using current auto-complete script will generate below error: + + [root@localhost bin]# perf stat -e + ls: cannot access '/sys/bus/event_source/devices/cpu/events': No such file or directory + +Fix this by not testing /sys/bus/event_source/devices/cpu/events on +aarch64 machine. + +Fixes: 74cd5815d9af6e6c ("perf tool: Improve bash command line auto-complete for multiple events with comma") +Reviewed-by: James Clark +Signed-off-by: Yicong Yang +Cc: Alexander Shishkin +Cc: Ingo Molnar +Cc: Jin Yao +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: linux-arm-kernel@lists.infradead.org +Cc: linuxarm@huawei.com +Cc: prime.zeng@hisilicon.com +Link: https://lore.kernel.org/r/20230207035057.43394-1-yangyicong@huawei.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/perf-completion.sh | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/tools/perf/perf-completion.sh b/tools/perf/perf-completion.sh +index fdf75d45efff7..978249d7868c2 100644 +--- a/tools/perf/perf-completion.sh ++++ b/tools/perf/perf-completion.sh +@@ -165,7 +165,12 @@ __perf_main () + + local cur1=${COMP_WORDS[COMP_CWORD]} + local raw_evts=$($cmd list --raw-dump) +- local arr s tmp result ++ local arr s tmp result cpu_evts ++ ++ # aarch64 doesn't have /sys/bus/event_source/devices/cpu/events ++ if [[ `uname -m` != aarch64 ]]; then ++ cpu_evts=$(ls /sys/bus/event_source/devices/cpu/events) ++ fi + + if [[ "$cur1" == */* && ${cur1#*/} =~ ^[A-Z] ]]; then + OLD_IFS="$IFS" +@@ -183,9 +188,9 @@ __perf_main () + fi + done + +- evts=${result}" "$(ls /sys/bus/event_source/devices/cpu/events) ++ evts=${result}" "${cpu_evts} + else +- evts=${raw_evts}" "$(ls /sys/bus/event_source/devices/cpu/events) ++ evts=${raw_evts}" "${cpu_evts} + fi + + if [[ "$cur1" == , ]]; then +-- +2.39.2 + diff --git a/queue-4.19/pinctrl-at91-use-devm_kasprintf-to-avoid-potential-l.patch b/queue-4.19/pinctrl-at91-use-devm_kasprintf-to-avoid-potential-l.patch new file mode 100644 index 00000000000..aa01fff971d --- /dev/null +++ b/queue-4.19/pinctrl-at91-use-devm_kasprintf-to-avoid-potential-l.patch @@ -0,0 +1,53 @@ +From 1a08bb81d6789a2a1e07f0b0d7bd8e4bc6f2ff37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Feb 2023 15:27:14 +0200 +Subject: pinctrl: at91: use devm_kasprintf() to avoid potential leaks + +From: Claudiu Beznea + +[ Upstream commit 1c4e5c470a56f7f7c649c0c70e603abc1eab15c4 ] + +Use devm_kasprintf() instead of kasprintf() to avoid any potential +leaks. At the moment drivers have no remove functionality thus +there is no need for fixes tag. + +Signed-off-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20230203132714.1931596-1-claudiu.beznea@microchip.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-at91-pio4.c | 4 ++-- + drivers/pinctrl/pinctrl-at91.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/pinctrl/pinctrl-at91-pio4.c b/drivers/pinctrl/pinctrl-at91-pio4.c +index 9e2f3738bf3ec..89d88e447d44f 100644 +--- a/drivers/pinctrl/pinctrl-at91-pio4.c ++++ b/drivers/pinctrl/pinctrl-at91-pio4.c +@@ -1022,8 +1022,8 @@ static int atmel_pinctrl_probe(struct platform_device *pdev) + + pin_desc[i].number = i; + /* Pin naming convention: P(bank_name)(bank_pin_number). */ +- pin_desc[i].name = kasprintf(GFP_KERNEL, "P%c%d", +- bank + 'A', line); ++ pin_desc[i].name = devm_kasprintf(&pdev->dev, GFP_KERNEL, "P%c%d", ++ bank + 'A', line); + + group->name = group_names[i] = pin_desc[i].name; + group->pin = pin_desc[i].number; +diff --git a/drivers/pinctrl/pinctrl-at91.c b/drivers/pinctrl/pinctrl-at91.c +index fad0e132ead84..ad01cc5798232 100644 +--- a/drivers/pinctrl/pinctrl-at91.c ++++ b/drivers/pinctrl/pinctrl-at91.c +@@ -1782,7 +1782,7 @@ static int at91_gpio_probe(struct platform_device *pdev) + } + + for (i = 0; i < chip->ngpio; i++) +- names[i] = kasprintf(GFP_KERNEL, "pio%c%d", alias_idx + 'A', i); ++ names[i] = devm_kasprintf(&pdev->dev, GFP_KERNEL, "pio%c%d", alias_idx + 'A', i); + + chip->names = (const char *const *)names; + +-- +2.39.2 + diff --git a/queue-4.19/pinctrl-pinctrl-rockchip-fix-a-bunch-of-kerneldoc-mi.patch b/queue-4.19/pinctrl-pinctrl-rockchip-fix-a-bunch-of-kerneldoc-mi.patch new file mode 100644 index 00000000000..1c6e9e62cf3 --- /dev/null +++ b/queue-4.19/pinctrl-pinctrl-rockchip-fix-a-bunch-of-kerneldoc-mi.patch @@ -0,0 +1,155 @@ +From 97ab968aff3afd76620db3beea926b2c11e44edc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jul 2020 15:49:24 +0100 +Subject: pinctrl: pinctrl-rockchip: Fix a bunch of kerneldoc misdemeanours + +From: Lee Jones + +[ Upstream commit e1524ea84af7172acc20827f8dca3fc8f72b8f37 ] + +Demote headers which are clearly not kerneldoc, provide titles for +struct definition blocks, fix API slip (bitrot) misspellings and +provide some missing entries. + +Fixes the following W=1 kernel build warning(s): + + drivers/pinctrl/pinctrl-rockchip.c:82: warning: cannot understand function prototype: 'struct rockchip_iomux ' + drivers/pinctrl/pinctrl-rockchip.c:97: warning: Enum value 'DRV_TYPE_IO_DEFAULT' not described in enum 'rockchip_pin_drv_type' + drivers/pinctrl/pinctrl-rockchip.c:97: warning: Enum value 'DRV_TYPE_IO_1V8_OR_3V0' not described in enum 'rockchip_pin_drv_type' + drivers/pinctrl/pinctrl-rockchip.c:97: warning: Enum value 'DRV_TYPE_IO_1V8_ONLY' not described in enum 'rockchip_pin_drv_type' + drivers/pinctrl/pinctrl-rockchip.c:97: warning: Enum value 'DRV_TYPE_IO_1V8_3V0_AUTO' not described in enum 'rockchip_pin_drv_type' + drivers/pinctrl/pinctrl-rockchip.c:97: warning: Enum value 'DRV_TYPE_IO_3V3_ONLY' not described in enum 'rockchip_pin_drv_type' + drivers/pinctrl/pinctrl-rockchip.c:97: warning: Enum value 'DRV_TYPE_MAX' not described in enum 'rockchip_pin_drv_type' + drivers/pinctrl/pinctrl-rockchip.c:106: warning: Enum value 'PULL_TYPE_IO_DEFAULT' not described in enum 'rockchip_pin_pull_type' + drivers/pinctrl/pinctrl-rockchip.c:106: warning: Enum value 'PULL_TYPE_IO_1V8_ONLY' not described in enum 'rockchip_pin_pull_type' + drivers/pinctrl/pinctrl-rockchip.c:106: warning: Enum value 'PULL_TYPE_MAX' not described in enum 'rockchip_pin_pull_type' + drivers/pinctrl/pinctrl-rockchip.c:109: warning: Cannot understand * @drv_type: drive strength variant using rockchip_perpin_drv_type + on line 109 - I thought it was a doc line + drivers/pinctrl/pinctrl-rockchip.c:122: warning: Cannot understand * @reg_base: register base of the gpio bank + on line 109 - I thought it was a doc line + drivers/pinctrl/pinctrl-rockchip.c:325: warning: Function parameter or member 'route_location' not described in 'rockchip_mux_route_data' + drivers/pinctrl/pinctrl-rockchip.c:328: warning: Cannot understand */ + on line 109 - I thought it was a doc line + drivers/pinctrl/pinctrl-rockchip.c:375: warning: Function parameter or member 'data' not described in 'rockchip_pin_group' + drivers/pinctrl/pinctrl-rockchip.c:387: warning: Function parameter or member 'ngroups' not described in 'rockchip_pmx_func' + +Signed-off-by: Lee Jones +Reviewed-by: Heiko Stuebner +Cc: Heiko Stuebner +Cc: Jean-Christophe PLAGNIOL-VILLARD +Cc: linux-rockchip@lists.infradead.org +Link: https://lore.kernel.org/r/20200713144930.1034632-20-lee.jones@linaro.org +Signed-off-by: Linus Walleij +Stable-dep-of: c818ae563bf9 ("pinctrl: rockchip: Fix refcount leak in rockchip_pinctrl_parse_groups") +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-rockchip.c | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +diff --git a/drivers/pinctrl/pinctrl-rockchip.c b/drivers/pinctrl/pinctrl-rockchip.c +index dc405d7aa1b78..d9b9bbb45a630 100644 +--- a/drivers/pinctrl/pinctrl-rockchip.c ++++ b/drivers/pinctrl/pinctrl-rockchip.c +@@ -70,7 +70,7 @@ enum rockchip_pinctrl_type { + RK3399, + }; + +-/** ++/* + * Encode variants of iomux registers into a type variable + */ + #define IOMUX_GPIO_ONLY BIT(0) +@@ -80,6 +80,7 @@ enum rockchip_pinctrl_type { + #define IOMUX_WIDTH_3BIT BIT(4) + + /** ++ * struct rockchip_iomux + * @type: iomux variant using IOMUX_* constants + * @offset: if initialized to -1 it will be autocalculated, by specifying + * an initial offset value the relevant source offset can be reset +@@ -90,7 +91,7 @@ struct rockchip_iomux { + int offset; + }; + +-/** ++/* + * enum type index corresponding to rockchip_perpin_drv_list arrays index. + */ + enum rockchip_pin_drv_type { +@@ -102,7 +103,7 @@ enum rockchip_pin_drv_type { + DRV_TYPE_MAX + }; + +-/** ++/* + * enum type index corresponding to rockchip_pull_list arrays index. + */ + enum rockchip_pin_pull_type { +@@ -112,6 +113,7 @@ enum rockchip_pin_pull_type { + }; + + /** ++ * struct rockchip_drv + * @drv_type: drive strength variant using rockchip_perpin_drv_type + * @offset: if initialized to -1 it will be autocalculated, by specifying + * an initial offset value the relevant source offset can be reset +@@ -125,8 +127,9 @@ struct rockchip_drv { + }; + + /** ++ * struct rockchip_pin_bank + * @reg_base: register base of the gpio bank +- * @reg_pull: optional separate register for additional pull settings ++ * @regmap_pull: optional separate register for additional pull settings + * @clk: clock of the gpio bank + * @irq: interrupt of the gpio bank + * @saved_masks: Saved content of GPIO_INTEN at suspend time. +@@ -144,6 +147,8 @@ struct rockchip_drv { + * @gpio_chip: gpiolib chip + * @grange: gpio range + * @slock: spinlock for the gpio bank ++ * @toggle_edge_mode: bit mask to toggle (falling/rising) edge mode ++ * @recalced_mask: bit mask to indicate a need to recalulate the mask + * @route_mask: bits describing the routing pins of per bank + */ + struct rockchip_pin_bank { +@@ -312,6 +317,7 @@ struct rockchip_mux_recalced_data { + * @bank_num: bank number. + * @pin: index at register or used to calc index. + * @func: the min pin. ++ * @route_location: the mux route location (same, pmu, grf). + * @route_offset: the max pin. + * @route_val: the register offset. + */ +@@ -323,8 +329,6 @@ struct rockchip_mux_route_data { + u32 route_val; + }; + +-/** +- */ + struct rockchip_pin_ctrl { + struct rockchip_pin_bank *pin_banks; + u32 nr_banks; +@@ -362,9 +366,7 @@ struct rockchip_pin_config { + * @name: name of the pin group, used to lookup the group. + * @pins: the pins included in this group. + * @npins: number of pins included in this group. +- * @func: the mux function number to be programmed when selected. +- * @configs: the config values to be set for each pin +- * @nconfigs: number of configs for each pin ++ * @data: local pin configuration + */ + struct rockchip_pin_group { + const char *name; +@@ -377,7 +379,7 @@ struct rockchip_pin_group { + * struct rockchip_pmx_func: represent a pin function. + * @name: name of the pin function, used to lookup the function. + * @groups: one or more names of pin groups that provide this function. +- * @num_groups: number of groups included in @groups. ++ * @ngroups: number of groups included in @groups. + */ + struct rockchip_pmx_func { + const char *name; +-- +2.39.2 + diff --git a/queue-4.19/pinctrl-rockchip-fix-refcount-leak-in-rockchip_pinct.patch b/queue-4.19/pinctrl-rockchip-fix-refcount-leak-in-rockchip_pinct.patch new file mode 100644 index 00000000000..0e8268a3229 --- /dev/null +++ b/queue-4.19/pinctrl-rockchip-fix-refcount-leak-in-rockchip_pinct.patch @@ -0,0 +1,37 @@ +From 48da473d69d1f144116a7456cf942ec43470885b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Jan 2023 15:28:45 +0400 +Subject: pinctrl: rockchip: Fix refcount leak in rockchip_pinctrl_parse_groups + +From: Miaoqian Lin + +[ Upstream commit c818ae563bf99457f02e8170aabd6b174f629f65 ] + +of_find_node_by_phandle() returns a node pointer with refcount incremented, +We should use of_node_put() on it when not needed anymore. +Add missing of_node_put() to avoid refcount leak. + +Fixes: d3e5116119bd ("pinctrl: add pinctrl driver for Rockchip SoCs") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20230102112845.3982407-1-linmq006@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-rockchip.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pinctrl/pinctrl-rockchip.c b/drivers/pinctrl/pinctrl-rockchip.c +index d9b9bbb45a630..fb7f2282635e8 100644 +--- a/drivers/pinctrl/pinctrl-rockchip.c ++++ b/drivers/pinctrl/pinctrl-rockchip.c +@@ -2504,6 +2504,7 @@ static int rockchip_pinctrl_parse_groups(struct device_node *np, + np_config = of_find_node_by_phandle(be32_to_cpup(phandle)); + ret = pinconf_generic_parse_dt_config(np_config, NULL, + &grp->data[j].configs, &grp->data[j].nconfigs); ++ of_node_put(np_config); + if (ret) + return ret; + } +-- +2.39.2 + diff --git a/queue-4.19/powercap-fix-possible-name-leak-in-powercap_register.patch b/queue-4.19/powercap-fix-possible-name-leak-in-powercap_register.patch new file mode 100644 index 00000000000..5635b374e16 --- /dev/null +++ b/queue-4.19/powercap-fix-possible-name-leak-in-powercap_register.patch @@ -0,0 +1,60 @@ +From 447a0e3b006f7d9beb28c2038a906ff2948f4cb6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Jan 2023 20:57:26 +0800 +Subject: powercap: fix possible name leak in powercap_register_zone() + +From: Yang Yingliang + +[ Upstream commit 1b6599f741a4525ca761ecde46e5885ff1e6ba58 ] + +In the error path after calling dev_set_name(), the device +name is leaked. To fix this, calling dev_set_name() before +device_register(), and call put_device() if it returns error. + +All the resources is released in powercap_release(), so it +can return from powercap_register_zone() directly. + +Fixes: 75d2364ea0ca ("PowerCap: Add class driver") +Signed-off-by: Yang Yingliang +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/powercap/powercap_sys.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/drivers/powercap/powercap_sys.c b/drivers/powercap/powercap_sys.c +index 60c8375c3c816..0a63fac54fd93 100644 +--- a/drivers/powercap/powercap_sys.c ++++ b/drivers/powercap/powercap_sys.c +@@ -542,9 +542,6 @@ struct powercap_zone *powercap_register_zone( + power_zone->name = kstrdup(name, GFP_KERNEL); + if (!power_zone->name) + goto err_name_alloc; +- dev_set_name(&power_zone->dev, "%s:%x", +- dev_name(power_zone->dev.parent), +- power_zone->id); + power_zone->constraints = kcalloc(nr_constraints, + sizeof(*power_zone->constraints), + GFP_KERNEL); +@@ -567,9 +564,16 @@ struct powercap_zone *powercap_register_zone( + power_zone->dev_attr_groups[0] = &power_zone->dev_zone_attr_group; + power_zone->dev_attr_groups[1] = NULL; + power_zone->dev.groups = power_zone->dev_attr_groups; ++ dev_set_name(&power_zone->dev, "%s:%x", ++ dev_name(power_zone->dev.parent), ++ power_zone->id); + result = device_register(&power_zone->dev); +- if (result) +- goto err_dev_ret; ++ if (result) { ++ put_device(&power_zone->dev); ++ mutex_unlock(&control_type->lock); ++ ++ return ERR_PTR(result); ++ } + + control_type->nr_zones++; + mutex_unlock(&control_type->lock); +-- +2.39.2 + diff --git a/queue-4.19/powerpc-powernv-ioda-skip-unallocated-resources-when.patch b/queue-4.19/powerpc-powernv-ioda-skip-unallocated-resources-when.patch new file mode 100644 index 00000000000..dfea0d0e8a4 --- /dev/null +++ b/queue-4.19/powerpc-powernv-ioda-skip-unallocated-resources-when.patch @@ -0,0 +1,93 @@ +From 5fc8357484042715bf37bb654493b2900660abd3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jan 2023 10:32:15 +0100 +Subject: powerpc/powernv/ioda: Skip unallocated resources when mapping to PE + +From: Frederic Barrat + +[ Upstream commit e64e71056f323a1e178dccf04d4c0f032d84436c ] + +pnv_ioda_setup_pe_res() calls opal to map a resource with a PE. However, +the code assumes the resource is allocated and it uses the resource +address to find out the segment(s) which need to be mapped to the +PE. In the unlikely case where the resource hasn't been allocated, the +computation for the segment number is garbage, which can lead to +invalid memory access and potentially a kernel crash, such as: + +[ ] pci_bus 0002:02: Configuring PE for bus +[ ] pci 0002:02 : [PE# fc] Secondary bus 0x0000000000000002..0x0000000000000002 associated with PE#fc +[ ] BUG: Kernel NULL pointer dereference on write at 0x00000000 +[ ] Faulting instruction address: 0xc00000000005eac4 +[ ] Oops: Kernel access of bad area, sig: 7 [#1] +[ ] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV +[ ] Modules linked in: +[ ] CPU: 12 PID: 1 Comm: swapper/20 Not tainted 5.10.50-openpower1 #2 +[ ] NIP: c00000000005eac4 LR: c00000000005ea44 CTR: 0000000030061b9c +[ ] REGS: c000200007383650 TRAP: 0300 Not tainted (5.10.50-openpower1) +[ ] MSR: 9000000000009033 CR: 44000224 XER: 20040000 +[ ] CFAR: c00000000005eaa0 DAR: 0000000000000000 DSISR: 02080000 IRQMASK: 0 +[ ] GPR00: c00000000005dd98 c0002000073838e0 c00000000185de00 c000200fff018960 +[ ] GPR04: 00000000000000fc 0000000000000003 0000000000000000 0000000000000000 +[ ] GPR08: 0000000000000000 0000000000000000 0000000000000000 9000000000001033 +[ ] GPR12: 0000000031cb0000 c000000ffffe6a80 c000000000010a58 0000000000000000 +[ ] GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +[ ] GPR20: 0000000000000000 0000000000000000 0000000000000000 c00000000711e200 +[ ] GPR24: 0000000000000100 c000200009501120 c00020000cee2800 00000000000003ff +[ ] GPR28: c000200fff018960 0000000000000000 c000200ffcb7fd00 0000000000000000 +[ ] NIP [c00000000005eac4] pnv_ioda_setup_pe_res+0x94/0x1a0 +[ ] LR [c00000000005ea44] pnv_ioda_setup_pe_res+0x14/0x1a0 +[ ] Call Trace: +[ ] [c0002000073838e0] [c00000000005eb98] pnv_ioda_setup_pe_res+0x168/0x1a0 (unreliable) +[ ] [c000200007383970] [c00000000005dd98] pnv_pci_ioda_dma_dev_setup+0x43c/0x970 +[ ] [c000200007383a60] [c000000000032cdc] pcibios_bus_add_device+0x78/0x18c +[ ] [c000200007383aa0] [c00000000028f2bc] pci_bus_add_device+0x28/0xbc +[ ] [c000200007383b10] [c00000000028f3a0] pci_bus_add_devices+0x50/0x7c +[ ] [c000200007383b50] [c00000000028f3c4] pci_bus_add_devices+0x74/0x7c +[ ] [c000200007383b90] [c00000000028f3c4] pci_bus_add_devices+0x74/0x7c +[ ] [c000200007383bd0] [c00000000069ad0c] pcibios_init+0xf0/0x104 +[ ] [c000200007383c50] [c0000000000106d8] do_one_initcall+0x84/0x1c4 +[ ] [c000200007383d20] [c0000000006910b8] kernel_init_freeable+0x264/0x268 +[ ] [c000200007383dc0] [c000000000010a68] kernel_init+0x18/0x138 +[ ] [c000200007383e20] [c00000000000cbfc] ret_from_kernel_thread+0x5c/0x80 +[ ] Instruction dump: +[ ] 7f89e840 409d000c 7fbbf840 409c000c 38210090 4848f448 809c002c e95e0120 +[ ] 7ba91764 38a00003 57a7043e 38c00000 <7c8a492e> 5484043e e87e0018 4bff23bd + +Hitting the problem is not that easy. It was seen with a (semi-bogus) +PCI device with a class code of 0. The generic PCI framework doesn't +allocate resources in such a case. + +The patch is simply skipping resources which are still flagged with +IORESOURCE_UNSET. + +We don't have the problem with 64-bit mem resources, as the address of +the resource is checked to be within the range of the 64-bit mmio +window. See pnv_ioda_reserve_dev_m64_pe() and pnv_pci_is_m64(). + +Reported-by: Andrew Jeffery +Fixes: 23e79425fe7c ("powerpc/powernv: Simplify pnv_ioda_setup_pe_seg()") +Signed-off-by: Frederic Barrat +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20230120093215.19496-1-fbarrat@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/powernv/pci-ioda.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/platforms/powernv/pci-ioda.c b/arch/powerpc/platforms/powernv/pci-ioda.c +index ecd211c5f24a5..cd3e5ed7d77c5 100644 +--- a/arch/powerpc/platforms/powernv/pci-ioda.c ++++ b/arch/powerpc/platforms/powernv/pci-ioda.c +@@ -3123,7 +3123,8 @@ static void pnv_ioda_setup_pe_res(struct pnv_ioda_pe *pe, + int index; + int64_t rc; + +- if (!res || !res->flags || res->start > res->end) ++ if (!res || !res->flags || res->start > res->end || ++ res->flags & IORESOURCE_UNSET) + return; + + if (res->flags & IORESOURCE_IO) { +-- +2.39.2 + diff --git a/queue-4.19/powerpc-pseries-lparcfg-add-missing-rtas-retry-statu.patch b/queue-4.19/powerpc-pseries-lparcfg-add-missing-rtas-retry-statu.patch new file mode 100644 index 00000000000..fa685cc8f69 --- /dev/null +++ b/queue-4.19/powerpc-pseries-lparcfg-add-missing-rtas-retry-statu.patch @@ -0,0 +1,67 @@ +From aa98a46befb6902eaefb37e270e5cd7d26689082 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Feb 2023 12:41:52 -0600 +Subject: powerpc/pseries/lparcfg: add missing RTAS retry status handling + +From: Nathan Lynch + +[ Upstream commit 5d08633e5f6564b60f1cbe09af3af40a74d66431 ] + +The ibm,get-system-parameter RTAS function may return -2 or 990x, +which indicate that the caller should try again. + +lparcfg's parse_system_parameter_string() ignores this, making it +possible to intermittently report incorrect SPLPAR characteristics. + +Move the RTAS call into a coventional rtas_busy_delay()-based loop. + +Signed-off-by: Nathan Lynch +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20230125-b4-powerpc-rtas-queue-v3-4-26929c8cce78@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/lparcfg.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/lparcfg.c b/arch/powerpc/platforms/pseries/lparcfg.c +index 7c872dc01bdb0..d1b338b7dbded 100644 +--- a/arch/powerpc/platforms/pseries/lparcfg.c ++++ b/arch/powerpc/platforms/pseries/lparcfg.c +@@ -291,6 +291,7 @@ static void parse_mpp_x_data(struct seq_file *m) + */ + static void parse_system_parameter_string(struct seq_file *m) + { ++ const s32 token = rtas_token("ibm,get-system-parameter"); + int call_status; + + unsigned char *local_buffer = kmalloc(SPLPAR_MAXLENGTH, GFP_KERNEL); +@@ -300,16 +301,15 @@ static void parse_system_parameter_string(struct seq_file *m) + return; + } + +- spin_lock(&rtas_data_buf_lock); +- memset(rtas_data_buf, 0, SPLPAR_MAXLENGTH); +- call_status = rtas_call(rtas_token("ibm,get-system-parameter"), 3, 1, +- NULL, +- SPLPAR_CHARACTERISTICS_TOKEN, +- __pa(rtas_data_buf), +- RTAS_DATA_BUF_SIZE); +- memcpy(local_buffer, rtas_data_buf, SPLPAR_MAXLENGTH); +- local_buffer[SPLPAR_MAXLENGTH - 1] = '\0'; +- spin_unlock(&rtas_data_buf_lock); ++ do { ++ spin_lock(&rtas_data_buf_lock); ++ memset(rtas_data_buf, 0, SPLPAR_MAXLENGTH); ++ call_status = rtas_call(token, 3, 1, NULL, SPLPAR_CHARACTERISTICS_TOKEN, ++ __pa(rtas_data_buf), RTAS_DATA_BUF_SIZE); ++ memcpy(local_buffer, rtas_data_buf, SPLPAR_MAXLENGTH); ++ local_buffer[SPLPAR_MAXLENGTH - 1] = '\0'; ++ spin_unlock(&rtas_data_buf_lock); ++ } while (rtas_busy_delay(call_status)); + + if (call_status != 0) { + printk(KERN_INFO +-- +2.39.2 + diff --git a/queue-4.19/powerpc-remove-linker-flag-from-kbuild_aflags.patch b/queue-4.19/powerpc-remove-linker-flag-from-kbuild_aflags.patch new file mode 100644 index 00000000000..8c46f16a58e --- /dev/null +++ b/queue-4.19/powerpc-remove-linker-flag-from-kbuild_aflags.patch @@ -0,0 +1,72 @@ +From 8672a97c1b3b48054eb56f3b7b26747feccd66bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jan 2023 20:05:02 -0700 +Subject: powerpc: Remove linker flag from KBUILD_AFLAGS + +From: Nathan Chancellor + +[ Upstream commit 31f48f16264bc70962fb3e7ec62da64d0a2ba04a ] + +When clang's -Qunused-arguments is dropped from KBUILD_CPPFLAGS, it +points out that KBUILD_AFLAGS contains a linker flag, which will be +unused: + + clang: error: -Wl,-a32: 'linker' input unused [-Werror,-Wunused-command-line-argument] + +This was likely supposed to be '-Wa,-a$(BITS)'. However, this change is +unnecessary, as all supported versions of clang and gcc will pass '-a64' +or '-a32' to GNU as based on the value of '-m'; the behavior of the +latest stable release of the oldest supported major version of each +compiler is shown below and each compiler's latest release exhibits the +same behavior (GCC 12.2.0 and Clang 15.0.6). + + $ powerpc64-linux-gcc --version | head -1 + powerpc64-linux-gcc (GCC) 5.5.0 + + $ powerpc64-linux-gcc -m64 -### -x assembler-with-cpp -c -o /dev/null /dev/null &| grep 'as ' + .../as -a64 -mppc64 -many -mbig -o /dev/null /tmp/cctwuBzZ.s + + $ powerpc64-linux-gcc -m32 -### -x assembler-with-cpp -c -o /dev/null /dev/null &| grep 'as ' + .../as -a32 -mppc -many -mbig -o /dev/null /tmp/ccaZP4mF.sg + + $ clang --version | head -1 + Ubuntu clang version 11.1.0-++20211011094159+1fdec59bffc1-1~exp1~20211011214622.5 + + $ clang --target=powerpc64-linux-gnu -fno-integrated-as -m64 -### \ + -x assembler-with-cpp -c -o /dev/null /dev/null &| grep gnu-as + "/usr/bin/powerpc64-linux-gnu-as" "-a64" "-mppc64" "-many" "-o" "/dev/null" "/tmp/null-80267c.s" + + $ clang --target=powerpc64-linux-gnu -fno-integrated-as -m64 -### \ + -x assembler-with-cpp -c -o /dev/null /dev/null &| grep gnu-as + "/usr/bin/powerpc64-linux-gnu-as" "-a32" "-mppc" "-many" "-o" "/dev/null" "/tmp/null-ab8f8d.s" + +Remove this flag altogether to avoid future issues. + +Fixes: 1421dc6d4829 ("powerpc/kbuild: Use flags variables rather than overriding LD/CC/AS") +Signed-off-by: Nathan Chancellor +Reviewed-by: Nick Desaulniers +Tested-by: Linux Kernel Functional Testing +Tested-by: Anders Roxell +Acked-by: Michael Ellerman +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + arch/powerpc/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/Makefile b/arch/powerpc/Makefile +index 5987ae0d8fbbb..9b33cd4e0e177 100644 +--- a/arch/powerpc/Makefile ++++ b/arch/powerpc/Makefile +@@ -109,7 +109,7 @@ aflags-$(CONFIG_CPU_LITTLE_ENDIAN) += -mlittle-endian + + ifeq ($(HAS_BIARCH),y) + KBUILD_CFLAGS += -m$(BITS) +-KBUILD_AFLAGS += -m$(BITS) -Wl,-a$(BITS) ++KBUILD_AFLAGS += -m$(BITS) + KBUILD_LDFLAGS += -m elf$(BITS)$(LDEMULATION) + KBUILD_ARFLAGS += --target=elf$(BITS)-$(GNUTARGET) + endif +-- +2.39.2 + diff --git a/queue-4.19/powerpc-rtas-ensure-4kb-alignment-for-rtas_data_buf.patch b/queue-4.19/powerpc-rtas-ensure-4kb-alignment-for-rtas_data_buf.patch new file mode 100644 index 00000000000..5058fc7bcd9 --- /dev/null +++ b/queue-4.19/powerpc-rtas-ensure-4kb-alignment-for-rtas_data_buf.patch @@ -0,0 +1,57 @@ +From 2e2d23af680231c7db1a15cce19e08f91223bfa3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Feb 2023 12:41:54 -0600 +Subject: powerpc/rtas: ensure 4KB alignment for rtas_data_buf + +From: Nathan Lynch + +[ Upstream commit 836b5b9fcc8e09cea7e8a59a070349a00e818308 ] + +Some RTAS functions that have work area parameters impose alignment +requirements on the work area passed to them by the OS. Examples +include: + +- ibm,configure-connector +- ibm,update-nodes +- ibm,update-properties + +4KB is the greatest alignment required by PAPR for such +buffers. rtas_data_buf used to have a __page_aligned attribute in the +arch/ppc64 days, but that was changed to __cacheline_aligned for +unknown reasons by commit 033ef338b6e0 ("powerpc: Merge rtas.c into +arch/powerpc/kernel"). That works out to 128-byte alignment +on ppc64, which isn't right. + +This was found by inspection and I'm not aware of any real problems +caused by this. Either current RTAS implementations don't enforce the +alignment constraints, or rtas_data_buf is always being placed at a +4KB boundary by accident (or both, perhaps). + +Use __aligned(SZ_4K) to ensure the rtas_data_buf has alignment +appropriate for all users. + +Signed-off-by: Nathan Lynch +Fixes: 033ef338b6e0 ("powerpc: Merge rtas.c into arch/powerpc/kernel") +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20230125-b4-powerpc-rtas-queue-v3-6-26929c8cce78@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/rtas.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c +index 07d1ef762936d..7c7648e6f1c22 100644 +--- a/arch/powerpc/kernel/rtas.c ++++ b/arch/powerpc/kernel/rtas.c +@@ -56,7 +56,7 @@ EXPORT_SYMBOL(rtas); + DEFINE_SPINLOCK(rtas_data_buf_lock); + EXPORT_SYMBOL_GPL(rtas_data_buf_lock); + +-char rtas_data_buf[RTAS_DATA_BUF_SIZE] __cacheline_aligned; ++char rtas_data_buf[RTAS_DATA_BUF_SIZE] __aligned(SZ_4K); + EXPORT_SYMBOL_GPL(rtas_data_buf); + + unsigned long rtas_rmo_buf; +-- +2.39.2 + diff --git a/queue-4.19/powerpc-rtas-make-all-exports-gpl.patch b/queue-4.19/powerpc-rtas-make-all-exports-gpl.patch new file mode 100644 index 00000000000..3d47442a1ec --- /dev/null +++ b/queue-4.19/powerpc-rtas-make-all-exports-gpl.patch @@ -0,0 +1,140 @@ +From ce4a5ae6caeffa0961fff942033d274e036a98ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 08:04:46 -0600 +Subject: powerpc/rtas: make all exports GPL + +From: Nathan Lynch + +[ Upstream commit 9bce6243848dfd0ff7c2be6e8d82ab9b1e6c7858 ] + +The first symbol exports of RTAS functions and data came with the (now +removed) scanlog driver in 2003: + +https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git/commit/?id=f92e361842d5251e50562b09664082dcbd0548bb + +At the time this was applied, EXPORT_SYMBOL_GPL() was very new, and +the exports of rtas_call() etc have remained non-GPL. As new APIs have +been added to the RTAS subsystem, their symbol exports have followed +the convention set by existing code. + +However, the historical evidence is that RTAS function exports have been +added over time only to satisfy the needs of in-kernel users, and these +clients must have fairly intimate knowledge of how the APIs work to use +them safely. No out of tree users are known, and future ones seem +unlikely. + +Arguably the default for RTAS symbols should have become +EXPORT_SYMBOL_GPL once it was available. Let's make it so now, and +exceptions can be evaluated as needed. + +Signed-off-by: Nathan Lynch +Reviewed-by: Laurent Dufour +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20230124140448.45938-3-nathanl@linux.ibm.com +Stable-dep-of: 836b5b9fcc8e ("powerpc/rtas: ensure 4KB alignment for rtas_data_buf") +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/rtas.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c +index a3f08a380c992..07d1ef762936d 100644 +--- a/arch/powerpc/kernel/rtas.c ++++ b/arch/powerpc/kernel/rtas.c +@@ -54,10 +54,10 @@ struct rtas_t rtas = { + EXPORT_SYMBOL(rtas); + + DEFINE_SPINLOCK(rtas_data_buf_lock); +-EXPORT_SYMBOL(rtas_data_buf_lock); ++EXPORT_SYMBOL_GPL(rtas_data_buf_lock); + + char rtas_data_buf[RTAS_DATA_BUF_SIZE] __cacheline_aligned; +-EXPORT_SYMBOL(rtas_data_buf); ++EXPORT_SYMBOL_GPL(rtas_data_buf); + + unsigned long rtas_rmo_buf; + +@@ -66,7 +66,7 @@ unsigned long rtas_rmo_buf; + * This is done like this so rtas_flash can be a module. + */ + void (*rtas_flash_term_hook)(int); +-EXPORT_SYMBOL(rtas_flash_term_hook); ++EXPORT_SYMBOL_GPL(rtas_flash_term_hook); + + /* RTAS use home made raw locking instead of spin_lock_irqsave + * because those can be called from within really nasty contexts +@@ -314,7 +314,7 @@ void rtas_progress(char *s, unsigned short hex) + + spin_unlock(&progress_lock); + } +-EXPORT_SYMBOL(rtas_progress); /* needed by rtas_flash module */ ++EXPORT_SYMBOL_GPL(rtas_progress); /* needed by rtas_flash module */ + + int rtas_token(const char *service) + { +@@ -324,7 +324,7 @@ int rtas_token(const char *service) + tokp = of_get_property(rtas.dev, service, NULL); + return tokp ? be32_to_cpu(*tokp) : RTAS_UNKNOWN_SERVICE; + } +-EXPORT_SYMBOL(rtas_token); ++EXPORT_SYMBOL_GPL(rtas_token); + + int rtas_service_present(const char *service) + { +@@ -484,7 +484,7 @@ int rtas_call(int token, int nargs, int nret, int *outputs, ...) + } + return ret; + } +-EXPORT_SYMBOL(rtas_call); ++EXPORT_SYMBOL_GPL(rtas_call); + + /* For RTAS_BUSY (-2), delay for 1 millisecond. For an extended busy status + * code of 990n, perform the hinted delay of 10^n (last digit) milliseconds. +@@ -519,7 +519,7 @@ unsigned int rtas_busy_delay(int status) + + return ms; + } +-EXPORT_SYMBOL(rtas_busy_delay); ++EXPORT_SYMBOL_GPL(rtas_busy_delay); + + static int rtas_error_rc(int rtas_rc) + { +@@ -565,7 +565,7 @@ int rtas_get_power_level(int powerdomain, int *level) + return rtas_error_rc(rc); + return rc; + } +-EXPORT_SYMBOL(rtas_get_power_level); ++EXPORT_SYMBOL_GPL(rtas_get_power_level); + + int rtas_set_power_level(int powerdomain, int level, int *setlevel) + { +@@ -583,7 +583,7 @@ int rtas_set_power_level(int powerdomain, int level, int *setlevel) + return rtas_error_rc(rc); + return rc; + } +-EXPORT_SYMBOL(rtas_set_power_level); ++EXPORT_SYMBOL_GPL(rtas_set_power_level); + + int rtas_get_sensor(int sensor, int index, int *state) + { +@@ -601,7 +601,7 @@ int rtas_get_sensor(int sensor, int index, int *state) + return rtas_error_rc(rc); + return rc; + } +-EXPORT_SYMBOL(rtas_get_sensor); ++EXPORT_SYMBOL_GPL(rtas_get_sensor); + + int rtas_get_sensor_fast(int sensor, int index, int *state) + { +@@ -662,7 +662,7 @@ int rtas_set_indicator(int indicator, int index, int new_value) + return rtas_error_rc(rc); + return rc; + } +-EXPORT_SYMBOL(rtas_set_indicator); ++EXPORT_SYMBOL_GPL(rtas_set_indicator); + + /* + * Ignoring RTAS extended delay +-- +2.39.2 + diff --git a/queue-4.19/rcu-suppress-smp_processor_id-complaint-in-synchroni.patch b/queue-4.19/rcu-suppress-smp_processor_id-complaint-in-synchroni.patch new file mode 100644 index 00000000000..bd71c8cc0ca --- /dev/null +++ b/queue-4.19/rcu-suppress-smp_processor_id-complaint-in-synchroni.patch @@ -0,0 +1,43 @@ +From 5cacbed13daf67fe71c1aa5e94a77c6f63c3a51f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Dec 2022 15:55:48 -0800 +Subject: rcu: Suppress smp_processor_id() complaint in + synchronize_rcu_expedited_wait() + +From: Paul E. McKenney + +[ Upstream commit 2d7f00b2f01301d6e41fd4a28030dab0442265be ] + +The normal grace period's RCU CPU stall warnings are invoked from the +scheduling-clock interrupt handler, and can thus invoke smp_processor_id() +with impunity, which allows them to directly invoke dump_cpu_task(). +In contrast, the expedited grace period's RCU CPU stall warnings are +invoked from process context, which causes the dump_cpu_task() function's +calls to smp_processor_id() to complain bitterly in debug kernels. + +This commit therefore causes synchronize_rcu_expedited_wait() to disable +preemption around its call to dump_cpu_task(). + +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + kernel/rcu/tree_exp.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/rcu/tree_exp.h b/kernel/rcu/tree_exp.h +index 72770a551c24d..fa6ae9ed2e1df 100644 +--- a/kernel/rcu/tree_exp.h ++++ b/kernel/rcu/tree_exp.h +@@ -577,7 +577,9 @@ static void synchronize_sched_expedited_wait(struct rcu_state *rsp) + mask = leaf_node_cpu_bit(rnp, cpu); + if (!(rnp->expmask & mask)) + continue; ++ preempt_disable(); // For smp_processor_id() in dump_cpu_task(). + dump_cpu_task(cpu); ++ preempt_enable(); + } + } + jiffies_stall = 3 * rcu_jiffies_till_stall_check() + 3; +-- +2.39.2 + diff --git a/queue-4.19/rds-rds_rm_zerocopy_callback-correct-order-for-list_.patch b/queue-4.19/rds-rds_rm_zerocopy_callback-correct-order-for-list_.patch new file mode 100644 index 00000000000..e31b9760e2f --- /dev/null +++ b/queue-4.19/rds-rds_rm_zerocopy_callback-correct-order-for-list_.patch @@ -0,0 +1,38 @@ +From b08bf1e3db49064a5f39bb8b3356068086baa1a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Feb 2023 12:26:23 +0000 +Subject: rds: rds_rm_zerocopy_callback() correct order for list_add_tail() + +From: Pietro Borrello + +[ Upstream commit 68762148d1b011d47bc2ceed7321739b5aea1e63 ] + +rds_rm_zerocopy_callback() uses list_add_tail() with swapped +arguments. This links the list head with the new entry, losing +the references to the remaining part of the list. + +Fixes: 9426bbc6de99 ("rds: use list structure to track information for zerocopy completion notification") +Suggested-by: Paolo Abeni +Signed-off-by: Pietro Borrello +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/rds/message.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/rds/message.c b/net/rds/message.c +index 309b54cc62ae3..29f67ad483ea6 100644 +--- a/net/rds/message.c ++++ b/net/rds/message.c +@@ -118,7 +118,7 @@ static void rds_rm_zerocopy_callback(struct rds_sock *rs, + ck = &info->zcookies; + memset(ck, 0, sizeof(*ck)); + WARN_ON(!rds_zcookie_add(info, cookie)); +- list_add_tail(&q->zcookie_head, &info->rs_zcookie_next); ++ list_add_tail(&info->rs_zcookie_next, &q->zcookie_head); + + spin_unlock_irqrestore(&q->lock, flags); + /* caller invokes rds_wake_sk_sleep() */ +-- +2.39.2 + diff --git a/queue-4.19/regulator-max77802-bounds-check-regulator-id-against.patch b/queue-4.19/regulator-max77802-bounds-check-regulator-id-against.patch new file mode 100644 index 00000000000..a4d402f0bff --- /dev/null +++ b/queue-4.19/regulator-max77802-bounds-check-regulator-id-against.patch @@ -0,0 +1,137 @@ +From cfba731905dadcc801d093dc9e8424e421502f3d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jan 2023 14:52:07 -0800 +Subject: regulator: max77802: Bounds check regulator id against opmode + +From: Kees Cook + +[ Upstream commit 4fd8bcec5fd7c0d586206fa2f42bd67b06cdaa7e ] + +Explicitly bounds-check the id before accessing the opmode array. Seen +with GCC 13: + +../drivers/regulator/max77802-regulator.c: In function 'max77802_enable': +../drivers/regulator/max77802-regulator.c:217:29: warning: array subscript [0, 41] is outside array bounds of 'unsigned int[42]' [-Warray-bounds=] + 217 | if (max77802->opmode[id] == MAX77802_OFF_PWRREQ) + | ~~~~~~~~~~~~~~~~^~~~ +../drivers/regulator/max77802-regulator.c:62:22: note: while referencing 'opmode' + 62 | unsigned int opmode[MAX77802_REG_MAX]; + | ^~~~~~ + +Cc: Javier Martinez Canillas +Cc: Liam Girdwood +Cc: Mark Brown +Signed-off-by: Kees Cook +Acked-by: Javier Martinez Canillas +Link: https://lore.kernel.org/r/20230127225203.never.864-kees@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/max77802-regulator.c | 34 ++++++++++++++++++-------- + 1 file changed, 24 insertions(+), 10 deletions(-) + +diff --git a/drivers/regulator/max77802-regulator.c b/drivers/regulator/max77802-regulator.c +index c30cf5c9f2de3..ef314de7c2c01 100644 +--- a/drivers/regulator/max77802-regulator.c ++++ b/drivers/regulator/max77802-regulator.c +@@ -97,9 +97,11 @@ static int max77802_set_suspend_disable(struct regulator_dev *rdev) + { + unsigned int val = MAX77802_OFF_PWRREQ; + struct max77802_regulator_prv *max77802 = rdev_get_drvdata(rdev); +- int id = rdev_get_id(rdev); ++ unsigned int id = rdev_get_id(rdev); + int shift = max77802_get_opmode_shift(id); + ++ if (WARN_ON_ONCE(id >= ARRAY_SIZE(max77802->opmode))) ++ return -EINVAL; + max77802->opmode[id] = val; + return regmap_update_bits(rdev->regmap, rdev->desc->enable_reg, + rdev->desc->enable_mask, val << shift); +@@ -113,7 +115,7 @@ static int max77802_set_suspend_disable(struct regulator_dev *rdev) + static int max77802_set_mode(struct regulator_dev *rdev, unsigned int mode) + { + struct max77802_regulator_prv *max77802 = rdev_get_drvdata(rdev); +- int id = rdev_get_id(rdev); ++ unsigned int id = rdev_get_id(rdev); + unsigned int val; + int shift = max77802_get_opmode_shift(id); + +@@ -130,6 +132,9 @@ static int max77802_set_mode(struct regulator_dev *rdev, unsigned int mode) + return -EINVAL; + } + ++ if (WARN_ON_ONCE(id >= ARRAY_SIZE(max77802->opmode))) ++ return -EINVAL; ++ + max77802->opmode[id] = val; + return regmap_update_bits(rdev->regmap, rdev->desc->enable_reg, + rdev->desc->enable_mask, val << shift); +@@ -138,8 +143,10 @@ static int max77802_set_mode(struct regulator_dev *rdev, unsigned int mode) + static unsigned max77802_get_mode(struct regulator_dev *rdev) + { + struct max77802_regulator_prv *max77802 = rdev_get_drvdata(rdev); +- int id = rdev_get_id(rdev); ++ unsigned int id = rdev_get_id(rdev); + ++ if (WARN_ON_ONCE(id >= ARRAY_SIZE(max77802->opmode))) ++ return -EINVAL; + return max77802_map_mode(max77802->opmode[id]); + } + +@@ -163,10 +170,13 @@ static int max77802_set_suspend_mode(struct regulator_dev *rdev, + unsigned int mode) + { + struct max77802_regulator_prv *max77802 = rdev_get_drvdata(rdev); +- int id = rdev_get_id(rdev); ++ unsigned int id = rdev_get_id(rdev); + unsigned int val; + int shift = max77802_get_opmode_shift(id); + ++ if (WARN_ON_ONCE(id >= ARRAY_SIZE(max77802->opmode))) ++ return -EINVAL; ++ + /* + * If the regulator has been disabled for suspend + * then is invalid to try setting a suspend mode. +@@ -212,9 +222,11 @@ static int max77802_set_suspend_mode(struct regulator_dev *rdev, + static int max77802_enable(struct regulator_dev *rdev) + { + struct max77802_regulator_prv *max77802 = rdev_get_drvdata(rdev); +- int id = rdev_get_id(rdev); ++ unsigned int id = rdev_get_id(rdev); + int shift = max77802_get_opmode_shift(id); + ++ if (WARN_ON_ONCE(id >= ARRAY_SIZE(max77802->opmode))) ++ return -EINVAL; + if (max77802->opmode[id] == MAX77802_OFF_PWRREQ) + max77802->opmode[id] = MAX77802_OPMODE_NORMAL; + +@@ -543,7 +555,7 @@ static int max77802_pmic_probe(struct platform_device *pdev) + + for (i = 0; i < MAX77802_REG_MAX; i++) { + struct regulator_dev *rdev; +- int id = regulators[i].id; ++ unsigned int id = regulators[i].id; + int shift = max77802_get_opmode_shift(id); + int ret; + +@@ -561,10 +573,12 @@ static int max77802_pmic_probe(struct platform_device *pdev) + * the hardware reports OFF as the regulator operating mode. + * Default to operating mode NORMAL in that case. + */ +- if (val == MAX77802_STATUS_OFF) +- max77802->opmode[id] = MAX77802_OPMODE_NORMAL; +- else +- max77802->opmode[id] = val; ++ if (id < ARRAY_SIZE(max77802->opmode)) { ++ if (val == MAX77802_STATUS_OFF) ++ max77802->opmode[id] = MAX77802_OPMODE_NORMAL; ++ else ++ max77802->opmode[id] = val; ++ } + + rdev = devm_regulator_register(&pdev->dev, + ®ulators[i], &config); +-- +2.39.2 + diff --git a/queue-4.19/regulator-s5m8767-bounds-check-id-indexing-into-arra.patch b/queue-4.19/regulator-s5m8767-bounds-check-id-indexing-into-arra.patch new file mode 100644 index 00000000000..042aec397da --- /dev/null +++ b/queue-4.19/regulator-s5m8767-bounds-check-id-indexing-into-arra.patch @@ -0,0 +1,55 @@ +From 05f1ad1daaabb2a1b10152cd3458b845a27f6036 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jan 2023 16:53:58 -0800 +Subject: regulator: s5m8767: Bounds check id indexing into arrays + +From: Kees Cook + +[ Upstream commit e314e15a0b58f9d051c00b25951073bcdae61953 ] + +The compiler has no way to know if "id" is within the array bounds of +the regulators array. Add a check for this and a build-time check that +the regulators and reg_voltage_map arrays are sized the same. Seen with +GCC 13: + +../drivers/regulator/s5m8767.c: In function 's5m8767_pmic_probe': +../drivers/regulator/s5m8767.c:936:35: warning: array subscript [0, 36] is outside array bounds of 'struct regulator_desc[37]' [-Warray-bounds=] + 936 | regulators[id].vsel_reg = + | ~~~~~~~~~~^~~~ + +Cc: Krzysztof Kozlowski +Cc: Liam Girdwood +Cc: Mark Brown +Cc: linux-samsung-soc@vger.kernel.org +Signed-off-by: Kees Cook +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20230128005358.never.313-kees@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/s5m8767.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/regulator/s5m8767.c b/drivers/regulator/s5m8767.c +index 4818df3f8ec91..24c0c82b08a5d 100644 +--- a/drivers/regulator/s5m8767.c ++++ b/drivers/regulator/s5m8767.c +@@ -922,10 +922,14 @@ static int s5m8767_pmic_probe(struct platform_device *pdev) + + for (i = 0; i < pdata->num_regulators; i++) { + const struct sec_voltage_desc *desc; +- int id = pdata->regulators[i].id; ++ unsigned int id = pdata->regulators[i].id; + int enable_reg, enable_val; + struct regulator_dev *rdev; + ++ BUILD_BUG_ON(ARRAY_SIZE(regulators) != ARRAY_SIZE(reg_voltage_map)); ++ if (WARN_ON_ONCE(id >= ARRAY_SIZE(regulators))) ++ continue; ++ + desc = reg_voltage_map[id]; + if (desc) { + regulators[id].n_voltages = +-- +2.39.2 + diff --git a/queue-4.19/risc-v-time-initialize-hrtimer-based-broadcast-clock.patch b/queue-4.19/risc-v-time-initialize-hrtimer-based-broadcast-clock.patch new file mode 100644 index 00000000000..08e8d91156b --- /dev/null +++ b/queue-4.19/risc-v-time-initialize-hrtimer-based-broadcast-clock.patch @@ -0,0 +1,63 @@ +From 6efdcc6c719701c4f6774e987a2db327b60ed0d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Jan 2023 19:41:00 +0530 +Subject: RISC-V: time: initialize hrtimer based broadcast clock event device + +From: Conor Dooley + +[ Upstream commit 8b3b8fbb4896984b5564789a42240e4b3caddb61 ] + +Similarly to commit 022eb8ae8b5e ("ARM: 8938/1: kernel: initialize +broadcast hrtimer based clock event device"), RISC-V needs to initiate +hrtimer based broadcast clock event device before C3STOP can be used. +Otherwise, the introduction of C3STOP for the RISC-V arch timer in +commit 232ccac1bd9b ("clocksource/drivers/riscv: Events are stopped +during CPU suspend") leaves us without any broadcast timer registered. +This prevents the kernel from entering oneshot mode, which breaks timer +behaviour, for example clock_nanosleep(). + +A test app that sleeps each cpu for 6, 5, 4, 3 ms respectively, HZ=250 +& C3STOP enabled, the sleep times are rounded up to the next jiffy: +== CPU: 1 == == CPU: 2 == == CPU: 3 == == CPU: 4 == +Mean: 7.974992 Mean: 7.976534 Mean: 7.962591 Mean: 3.952179 +Std Dev: 0.154374 Std Dev: 0.156082 Std Dev: 0.171018 Std Dev: 0.076193 +Hi: 9.472000 Hi: 10.495000 Hi: 8.864000 Hi: 4.736000 +Lo: 6.087000 Lo: 6.380000 Lo: 4.872000 Lo: 3.403000 +Samples: 521 Samples: 521 Samples: 521 Samples: 521 + +Link: https://lore.kernel.org/linux-riscv/YzYTNQRxLr7Q9JR0@spud/ +Fixes: 232ccac1bd9b ("clocksource/drivers/riscv: Events are stopped during CPU suspend") +Suggested-by: Samuel Holland +Signed-off-by: Conor Dooley +Signed-off-by: Anup Patel +Reviewed-by: Samuel Holland +Acked-by: Palmer Dabbelt +Link: https://lore.kernel.org/r/20230103141102.772228-2-apatel@ventanamicro.com +Signed-off-by: Daniel Lezcano +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/time.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/riscv/kernel/time.c b/arch/riscv/kernel/time.c +index 15f4ab40e2221..50bb7e0d44ba3 100644 +--- a/arch/riscv/kernel/time.c ++++ b/arch/riscv/kernel/time.c +@@ -13,6 +13,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -33,4 +34,6 @@ void __init time_init(void) + + of_clk_init(NULL); + timer_probe(); ++ ++ tick_setup_hrtimer_broadcast(); + } +-- +2.39.2 + diff --git a/queue-4.19/rpmsg-glink-avoid-infinite-loop-on-intent-for-missin.patch b/queue-4.19/rpmsg-glink-avoid-infinite-loop-on-intent-for-missin.patch new file mode 100644 index 00000000000..8507188cabb --- /dev/null +++ b/queue-4.19/rpmsg-glink-avoid-infinite-loop-on-intent-for-missin.patch @@ -0,0 +1,38 @@ +From 4cc50e2eca6111aa1e1e153aec58721da6233382 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Feb 2023 15:42:31 -0800 +Subject: rpmsg: glink: Avoid infinite loop on intent for missing channel + +From: Bjorn Andersson + +[ Upstream commit 3e74ec2f39362bffbd42854acbb67c7f4cb808f9 ] + +In the event that an intent advertisement arrives on an unknown channel +the fifo is not advanced, resulting in the same message being handled +over and over. + +Fixes: dacbb35e930f ("rpmsg: glink: Receive and store the remote intent buffers") +Signed-off-by: Bjorn Andersson +Reviewed-by: Chris Lew +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20230214234231.2069751-1-quic_bjorande@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/rpmsg/qcom_glink_native.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c +index c10230ad90b29..940f099c2092f 100644 +--- a/drivers/rpmsg/qcom_glink_native.c ++++ b/drivers/rpmsg/qcom_glink_native.c +@@ -929,6 +929,7 @@ static void qcom_glink_handle_intent(struct qcom_glink *glink, + spin_unlock_irqrestore(&glink->idr_lock, flags); + if (!channel) { + dev_err(glink->dev, "intents for non-existing channel\n"); ++ qcom_glink_rx_advance(glink, ALIGN(msglen, 8)); + return; + } + +-- +2.39.2 + diff --git a/queue-4.19/rtlwifi-fix-wpointer-sign-warning.patch b/queue-4.19/rtlwifi-fix-wpointer-sign-warning.patch new file mode 100644 index 00000000000..4b1c4377a1e --- /dev/null +++ b/queue-4.19/rtlwifi-fix-wpointer-sign-warning.patch @@ -0,0 +1,232 @@ +From a1bc5dab0a5981f27c368991a5f396368112685c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Oct 2020 22:29:53 +0100 +Subject: rtlwifi: fix -Wpointer-sign warning + +From: Arnd Bergmann + +[ Upstream commit ef41937631bfee855e2b406e1d536efdaa9ce512 ] + +There are thousands of warnings in a W=2 build from just one file: + +drivers/net/wireless/realtek/rtlwifi/rtl8821ae/table.c:3788:15: warning: pointer targets in initialization of 'u8 *' {aka 'unsigned char *'} from 'char *' differ in signedness [-Wpointer-sign] + +Change the types to consistently use 'const char *' for the +strings. + +Signed-off-by: Arnd Bergmann +Acked-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20201026213040.3889546-6-arnd@kernel.org +Stable-dep-of: 117dbeda22ec ("wifi: rtlwifi: Fix global-out-of-bounds bug in _rtl8812ae_phy_set_txpower_limit()") +Signed-off-by: Sasha Levin +--- + .../wireless/realtek/rtlwifi/rtl8821ae/phy.c | 81 ++++++++++--------- + .../realtek/rtlwifi/rtl8821ae/table.c | 4 +- + .../realtek/rtlwifi/rtl8821ae/table.h | 4 +- + 3 files changed, 45 insertions(+), 44 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c +index 176deb2b53868..c805ad1bba2e0 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c +@@ -1608,7 +1608,7 @@ static void _rtl8821ae_phy_txpower_by_rate_configuration(struct ieee80211_hw *hw + } + + /* string is in decimal */ +-static bool _rtl8812ae_get_integer_from_string(char *str, u8 *pint) ++static bool _rtl8812ae_get_integer_from_string(const char *str, u8 *pint) + { + u16 i = 0; + *pint = 0; +@@ -1626,7 +1626,7 @@ static bool _rtl8812ae_get_integer_from_string(char *str, u8 *pint) + return true; + } + +-static bool _rtl8812ae_eq_n_byte(u8 *str1, u8 *str2, u32 num) ++static bool _rtl8812ae_eq_n_byte(const char *str1, const char *str2, u32 num) + { + if (num == 0) + return false; +@@ -1664,10 +1664,11 @@ static s8 _rtl8812ae_phy_get_chnl_idx_of_txpwr_lmt(struct ieee80211_hw *hw, + return channel_index; + } + +-static void _rtl8812ae_phy_set_txpower_limit(struct ieee80211_hw *hw, u8 *pregulation, +- u8 *pband, u8 *pbandwidth, +- u8 *prate_section, u8 *prf_path, +- u8 *pchannel, u8 *ppower_limit) ++static void _rtl8812ae_phy_set_txpower_limit(struct ieee80211_hw *hw, ++ const char *pregulation, ++ const char *pband, const char *pbandwidth, ++ const char *prate_section, const char *prf_path, ++ const char *pchannel, const char *ppower_limit) + { + struct rtl_priv *rtlpriv = rtl_priv(hw); + struct rtl_phy *rtlphy = &rtlpriv->phy; +@@ -1675,8 +1676,8 @@ static void _rtl8812ae_phy_set_txpower_limit(struct ieee80211_hw *hw, u8 *pregul + u8 channel_index; + s8 power_limit = 0, prev_power_limit, ret; + +- if (!_rtl8812ae_get_integer_from_string((char *)pchannel, &channel) || +- !_rtl8812ae_get_integer_from_string((char *)ppower_limit, ++ if (!_rtl8812ae_get_integer_from_string(pchannel, &channel) || ++ !_rtl8812ae_get_integer_from_string(ppower_limit, + &power_limit)) { + RT_TRACE(rtlpriv, COMP_INIT, DBG_TRACE, + "Illegal index of pwr_lmt table [chnl %d][val %d]\n", +@@ -1686,42 +1687,42 @@ static void _rtl8812ae_phy_set_txpower_limit(struct ieee80211_hw *hw, u8 *pregul + power_limit = power_limit > MAX_POWER_INDEX ? + MAX_POWER_INDEX : power_limit; + +- if (_rtl8812ae_eq_n_byte(pregulation, (u8 *)("FCC"), 3)) ++ if (_rtl8812ae_eq_n_byte(pregulation, "FCC", 3)) + regulation = 0; +- else if (_rtl8812ae_eq_n_byte(pregulation, (u8 *)("MKK"), 3)) ++ else if (_rtl8812ae_eq_n_byte(pregulation, "MKK", 3)) + regulation = 1; +- else if (_rtl8812ae_eq_n_byte(pregulation, (u8 *)("ETSI"), 4)) ++ else if (_rtl8812ae_eq_n_byte(pregulation, "ETSI", 4)) + regulation = 2; +- else if (_rtl8812ae_eq_n_byte(pregulation, (u8 *)("WW13"), 4)) ++ else if (_rtl8812ae_eq_n_byte(pregulation, "WW13", 4)) + regulation = 3; + +- if (_rtl8812ae_eq_n_byte(prate_section, (u8 *)("CCK"), 3)) ++ if (_rtl8812ae_eq_n_byte(prate_section, "CCK", 3)) + rate_section = 0; +- else if (_rtl8812ae_eq_n_byte(prate_section, (u8 *)("OFDM"), 4)) ++ else if (_rtl8812ae_eq_n_byte(prate_section, "OFDM", 4)) + rate_section = 1; +- else if (_rtl8812ae_eq_n_byte(prate_section, (u8 *)("HT"), 2) && +- _rtl8812ae_eq_n_byte(prf_path, (u8 *)("1T"), 2)) ++ else if (_rtl8812ae_eq_n_byte(prate_section, "HT", 2) && ++ _rtl8812ae_eq_n_byte(prf_path, "1T", 2)) + rate_section = 2; +- else if (_rtl8812ae_eq_n_byte(prate_section, (u8 *)("HT"), 2) && +- _rtl8812ae_eq_n_byte(prf_path, (u8 *)("2T"), 2)) ++ else if (_rtl8812ae_eq_n_byte(prate_section, "HT", 2) && ++ _rtl8812ae_eq_n_byte(prf_path, "2T", 2)) + rate_section = 3; +- else if (_rtl8812ae_eq_n_byte(prate_section, (u8 *)("VHT"), 3) && +- _rtl8812ae_eq_n_byte(prf_path, (u8 *)("1T"), 2)) ++ else if (_rtl8812ae_eq_n_byte(prate_section, "VHT", 3) && ++ _rtl8812ae_eq_n_byte(prf_path, "1T", 2)) + rate_section = 4; +- else if (_rtl8812ae_eq_n_byte(prate_section, (u8 *)("VHT"), 3) && +- _rtl8812ae_eq_n_byte(prf_path, (u8 *)("2T"), 2)) ++ else if (_rtl8812ae_eq_n_byte(prate_section, "VHT", 3) && ++ _rtl8812ae_eq_n_byte(prf_path, "2T", 2)) + rate_section = 5; + +- if (_rtl8812ae_eq_n_byte(pbandwidth, (u8 *)("20M"), 3)) ++ if (_rtl8812ae_eq_n_byte(pbandwidth, "20M", 3)) + bandwidth = 0; +- else if (_rtl8812ae_eq_n_byte(pbandwidth, (u8 *)("40M"), 3)) ++ else if (_rtl8812ae_eq_n_byte(pbandwidth, "40M", 3)) + bandwidth = 1; +- else if (_rtl8812ae_eq_n_byte(pbandwidth, (u8 *)("80M"), 3)) ++ else if (_rtl8812ae_eq_n_byte(pbandwidth, "80M", 3)) + bandwidth = 2; +- else if (_rtl8812ae_eq_n_byte(pbandwidth, (u8 *)("160M"), 4)) ++ else if (_rtl8812ae_eq_n_byte(pbandwidth, "160M", 4)) + bandwidth = 3; + +- if (_rtl8812ae_eq_n_byte(pband, (u8 *)("2.4G"), 4)) { ++ if (_rtl8812ae_eq_n_byte(pband, "2.4G", 4)) { + ret = _rtl8812ae_phy_get_chnl_idx_of_txpwr_lmt(hw, + BAND_ON_2_4G, + channel); +@@ -1745,7 +1746,7 @@ static void _rtl8812ae_phy_set_txpower_limit(struct ieee80211_hw *hw, u8 *pregul + regulation, bandwidth, rate_section, channel_index, + rtlphy->txpwr_limit_2_4g[regulation][bandwidth] + [rate_section][channel_index][RF90_PATH_A]); +- } else if (_rtl8812ae_eq_n_byte(pband, (u8 *)("5G"), 2)) { ++ } else if (_rtl8812ae_eq_n_byte(pband, "5G", 2)) { + ret = _rtl8812ae_phy_get_chnl_idx_of_txpwr_lmt(hw, + BAND_ON_5G, + channel); +@@ -1776,10 +1777,10 @@ static void _rtl8812ae_phy_set_txpower_limit(struct ieee80211_hw *hw, u8 *pregul + } + + static void _rtl8812ae_phy_config_bb_txpwr_lmt(struct ieee80211_hw *hw, +- u8 *regulation, u8 *band, +- u8 *bandwidth, u8 *rate_section, +- u8 *rf_path, u8 *channel, +- u8 *power_limit) ++ const char *regulation, const char *band, ++ const char *bandwidth, const char *rate_section, ++ const char *rf_path, const char *channel, ++ const char *power_limit) + { + _rtl8812ae_phy_set_txpower_limit(hw, regulation, band, bandwidth, + rate_section, rf_path, channel, +@@ -1792,7 +1793,7 @@ static void _rtl8821ae_phy_read_and_config_txpwr_lmt(struct ieee80211_hw *hw) + struct rtl_hal *rtlhal = rtl_hal(rtlpriv); + u32 i = 0; + u32 array_len; +- u8 **array; ++ const char **array; + + if (rtlhal->hw_type == HARDWARE_TYPE_RTL8812AE) { + array_len = RTL8812AE_TXPWR_LMT_ARRAY_LEN; +@@ -1806,13 +1807,13 @@ static void _rtl8821ae_phy_read_and_config_txpwr_lmt(struct ieee80211_hw *hw) + "\n"); + + for (i = 0; i < array_len; i += 7) { +- u8 *regulation = array[i]; +- u8 *band = array[i+1]; +- u8 *bandwidth = array[i+2]; +- u8 *rate = array[i+3]; +- u8 *rf_path = array[i+4]; +- u8 *chnl = array[i+5]; +- u8 *val = array[i+6]; ++ const char *regulation = array[i]; ++ const char *band = array[i+1]; ++ const char *bandwidth = array[i+2]; ++ const char *rate = array[i+3]; ++ const char *rf_path = array[i+4]; ++ const char *chnl = array[i+5]; ++ const char *val = array[i+6]; + + _rtl8812ae_phy_config_bb_txpwr_lmt(hw, regulation, band, + bandwidth, rate, rf_path, +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/table.c b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/table.c +index ac44fd5d05977..e1e7fa990132a 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/table.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/table.c +@@ -2917,7 +2917,7 @@ u32 RTL8821AE_AGC_TAB_1TARRAYLEN = ARRAY_SIZE(RTL8821AE_AGC_TAB_ARRAY); + * TXPWR_LMT.TXT + ******************************************************************************/ + +-u8 *RTL8812AE_TXPWR_LMT[] = { ++const char *RTL8812AE_TXPWR_LMT[] = { + "FCC", "2.4G", "20M", "CCK", "1T", "01", "36", + "ETSI", "2.4G", "20M", "CCK", "1T", "01", "32", + "MKK", "2.4G", "20M", "CCK", "1T", "01", "32", +@@ -3486,7 +3486,7 @@ u8 *RTL8812AE_TXPWR_LMT[] = { + + u32 RTL8812AE_TXPWR_LMT_ARRAY_LEN = ARRAY_SIZE(RTL8812AE_TXPWR_LMT); + +-u8 *RTL8821AE_TXPWR_LMT[] = { ++const char *RTL8821AE_TXPWR_LMT[] = { + "FCC", "2.4G", "20M", "CCK", "1T", "01", "32", + "ETSI", "2.4G", "20M", "CCK", "1T", "01", "32", + "MKK", "2.4G", "20M", "CCK", "1T", "01", "32", +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/table.h b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/table.h +index 36c2388b60bca..f8550a0122e80 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/table.h ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/table.h +@@ -52,7 +52,7 @@ extern u32 RTL8821AE_AGC_TAB_ARRAY[]; + extern u32 RTL8812AE_AGC_TAB_1TARRAYLEN; + extern u32 RTL8812AE_AGC_TAB_ARRAY[]; + extern u32 RTL8812AE_TXPWR_LMT_ARRAY_LEN; +-extern u8 *RTL8812AE_TXPWR_LMT[]; ++extern const char *RTL8812AE_TXPWR_LMT[]; + extern u32 RTL8821AE_TXPWR_LMT_ARRAY_LEN; +-extern u8 *RTL8821AE_TXPWR_LMT[]; ++extern const char *RTL8821AE_TXPWR_LMT[]; + #endif +-- +2.39.2 + diff --git a/queue-4.19/sched-fair-sanitize-vruntime-of-entity-being-placed.patch b/queue-4.19/sched-fair-sanitize-vruntime-of-entity-being-placed.patch new file mode 100644 index 00000000000..f449890f300 --- /dev/null +++ b/queue-4.19/sched-fair-sanitize-vruntime-of-entity-being-placed.patch @@ -0,0 +1,70 @@ +From 47398e01190531ee03509774a18c55181b7a72c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jan 2023 13:22:16 +0100 +Subject: sched/fair: sanitize vruntime of entity being placed + +From: Zhang Qiao + +[ Upstream commit 829c1651e9c4a6f78398d3e67651cef9bb6b42cc ] + +When a scheduling entity is placed onto cfs_rq, its vruntime is pulled +to the base level (around cfs_rq->min_vruntime), so that the entity +doesn't gain extra boost when placed backwards. + +However, if the entity being placed wasn't executed for a long time, its +vruntime may get too far behind (e.g. while cfs_rq was executing a +low-weight hog), which can inverse the vruntime comparison due to s64 +overflow. This results in the entity being placed with its original +vruntime way forwards, so that it will effectively never get to the cpu. + +To prevent that, ignore the vruntime of the entity being placed if it +didn't execute for much longer than the characteristic sheduler time +scale. + +[rkagan: formatted, adjusted commit log, comments, cutoff value] +Signed-off-by: Zhang Qiao +Co-developed-by: Roman Kagan +Signed-off-by: Roman Kagan +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20230130122216.3555094-1-rkagan@amazon.de +Signed-off-by: Sasha Levin +--- + kernel/sched/fair.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index 84e7efda98daf..304e7fa0ae870 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -3858,6 +3858,7 @@ static void + place_entity(struct cfs_rq *cfs_rq, struct sched_entity *se, int initial) + { + u64 vruntime = cfs_rq->min_vruntime; ++ u64 sleep_time; + + /* + * The 'current' period is already promised to the current tasks, +@@ -3882,8 +3883,18 @@ place_entity(struct cfs_rq *cfs_rq, struct sched_entity *se, int initial) + vruntime -= thresh; + } + +- /* ensure we never gain time by being placed backwards. */ +- se->vruntime = max_vruntime(se->vruntime, vruntime); ++ /* ++ * Pull vruntime of the entity being placed to the base level of ++ * cfs_rq, to prevent boosting it if placed backwards. If the entity ++ * slept for a long time, don't even try to compare its vruntime with ++ * the base as it may be too far off and the comparison may get ++ * inversed due to s64 overflow. ++ */ ++ sleep_time = rq_clock_task(rq_of(cfs_rq)) - se->exec_start; ++ if ((s64)sleep_time > 60LL * NSEC_PER_SEC) ++ se->vruntime = vruntime; ++ else ++ se->vruntime = max_vruntime(se->vruntime, vruntime); + } + + static void check_enqueue_throttle(struct cfs_rq *cfs_rq); +-- +2.39.2 + diff --git a/queue-4.19/scsi-aic94xx-add-missing-check-for-dma_map_single.patch b/queue-4.19/scsi-aic94xx-add-missing-check-for-dma_map_single.patch new file mode 100644 index 00000000000..1ba388d0392 --- /dev/null +++ b/queue-4.19/scsi-aic94xx-add-missing-check-for-dma_map_single.patch @@ -0,0 +1,39 @@ +From 829c814e027bca1b9ed84dd3e145b8c0e191fab4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Jan 2023 19:08:32 +0800 +Subject: scsi: aic94xx: Add missing check for dma_map_single() + +From: Jiasheng Jiang + +[ Upstream commit 32fe45274edb5926abc0fac7263d9f889d02d9cf ] + +Add check for dma_map_single() and return error if it fails in order to +avoid invalid DMA address. + +Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver") +Link: https://lore.kernel.org/r/20230128110832.6792-1-jiasheng@iscas.ac.cn +Signed-off-by: Jiasheng Jiang +Reviewed-by: Jason Yan +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/aic94xx/aic94xx_task.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/scsi/aic94xx/aic94xx_task.c b/drivers/scsi/aic94xx/aic94xx_task.c +index cdd4ab683be98..4de4bbca1f925 100644 +--- a/drivers/scsi/aic94xx/aic94xx_task.c ++++ b/drivers/scsi/aic94xx/aic94xx_task.c +@@ -68,6 +68,9 @@ static int asd_map_scatterlist(struct sas_task *task, + dma_addr_t dma = pci_map_single(asd_ha->pcidev, p, + task->total_xfer_len, + task->data_dir); ++ if (dma_mapping_error(&asd_ha->pcidev->dev, dma)) ++ return -ENOMEM; ++ + sg_arr[0].bus_addr = cpu_to_le64((u64)dma); + sg_arr[0].size = cpu_to_le32(task->total_xfer_len); + sg_arr[0].flags |= ASD_SG_EL_LIST_EOL; +-- +2.39.2 + diff --git a/queue-4.19/selftest-fib_tests-always-cleanup-before-exit.patch b/queue-4.19/selftest-fib_tests-always-cleanup-before-exit.patch new file mode 100644 index 00000000000..8397be46548 --- /dev/null +++ b/queue-4.19/selftest-fib_tests-always-cleanup-before-exit.patch @@ -0,0 +1,42 @@ +From 1168592988579a8cfb5a44a40b8b265d2a136df5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Feb 2023 12:04:00 +0100 +Subject: selftest: fib_tests: Always cleanup before exit + +From: Roxana Nicolescu + +[ Upstream commit b60417a9f2b890a8094477b2204d4f73c535725e ] + +Usage of `set -e` before executing a command causes immediate exit +on failure, without cleanup up the resources allocated at setup. +This can affect the next tests that use the same resources, +leading to a chain of failures. + +A simple fix is to always call cleanup function when the script exists. +This approach is already used by other existing tests. + +Fixes: 1056691b2680 ("selftests: fib_tests: Make test results more verbose") +Signed-off-by: Roxana Nicolescu +Link: https://lore.kernel.org/r/20230220110400.26737-2-roxana.nicolescu@canonical.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/fib_tests.sh | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/testing/selftests/net/fib_tests.sh b/tools/testing/selftests/net/fib_tests.sh +index a5ba149761bf9..f34e14e34d0d4 100755 +--- a/tools/testing/selftests/net/fib_tests.sh ++++ b/tools/testing/selftests/net/fib_tests.sh +@@ -1379,6 +1379,8 @@ EOF + ################################################################################ + # main + ++trap cleanup EXIT ++ + while getopts :t:pPhv o + do + case $o in +-- +2.39.2 + diff --git a/queue-4.19/selftests-ftrace-fix-bash-specific-operator.patch b/queue-4.19/selftests-ftrace-fix-bash-specific-operator.patch new file mode 100644 index 00000000000..9bb755d2300 --- /dev/null +++ b/queue-4.19/selftests-ftrace-fix-bash-specific-operator.patch @@ -0,0 +1,44 @@ +From 242ff8c82cf36e5ba2a4472b6c52e9728e1c4b9d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 22 Jan 2023 08:32:50 +0900 +Subject: selftests/ftrace: Fix bash specific "==" operator + +From: Masami Hiramatsu (Google) + +[ Upstream commit 1e6b485c922fbedf41d5a9f4e6449c5aeb923a32 ] + +Since commit a1d6cd88c897 ("selftests/ftrace: event_triggers: wait +longer for test_event_enable") introduced bash specific "==" +comparation operator, that test will fail when we run it on a +posix-shell. `checkbashisms` warned it as below. + +possible bashism in ftrace/func_event_triggers.tc line 45 (should be 'b = a'): + if [ "$e" == $val ]; then + +This replaces it with "=". + +Fixes: a1d6cd88c897 ("selftests/ftrace: event_triggers: wait longer for test_event_enable") +Signed-off-by: Masami Hiramatsu (Google) +Reviewed-by: Steven Rostedt (Google) +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + .../selftests/ftrace/test.d/ftrace/func_event_triggers.tc | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/ftrace/test.d/ftrace/func_event_triggers.tc b/tools/testing/selftests/ftrace/test.d/ftrace/func_event_triggers.tc +index 79d614f1fe8e4..d620223a3f0f6 100644 +--- a/tools/testing/selftests/ftrace/test.d/ftrace/func_event_triggers.tc ++++ b/tools/testing/selftests/ftrace/test.d/ftrace/func_event_triggers.tc +@@ -49,7 +49,7 @@ test_event_enabled() { + + while [ $check_times -ne 0 ]; do + e=`cat $EVENT_ENABLE` +- if [ "$e" == $val ]; then ++ if [ "$e" = $val ]; then + return 0 + fi + sleep $SLEEP_TIME +-- +2.39.2 + diff --git a/queue-4.19/series b/queue-4.19/series index e6870028f5c..29387c51446 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -2,3 +2,140 @@ hid-asus-remove-check-for-same-led-brightness-on-set.patch hid-asus-use-spinlock-to-protect-concurrent-accesses.patch hid-asus-use-spinlock-to-safely-schedule-workers.patch powerpc-mm-rearrange-if-else-block-to-avoid-clang-warning.patch +arm-omap2-fix-memory-leak-in-realtime_counter_init.patch +arm-zynq-fix-refcount-leak-in-zynq_early_slcr_init.patch +arm64-dts-meson-gx-fix-ethernet-mac-address-unit-nam.patch +arm64-dts-meson-gx-fix-the-scpi-dvfs-node-name-and-u.patch +arm-omap1-call-platform_device_put-in-error-case-in-.patch +arm-dts-exynos-correct-wr-active-property-in-exynos3.patch +arm-imx-call-ida_simple_remove-for-ida_simple_get.patch +arm64-dts-amlogic-meson-gx-fix-scpi-clock-dvfs-node-.patch +arm64-dts-meson-axg-enable-scpi.patch +arm64-dts-amlogic-meson-axg-fix-scpi-clock-dvfs-node.patch +arm64-dts-amlogic-meson-gx-add-missing-scpi-sensors-.patch +arm64-dts-amlogic-meson-gx-add-missing-unit-address-.patch +arm64-dts-amlogic-meson-gxl-add-missing-unit-address.patch +arm64-dts-mediatek-mt7622-add-missing-pwm-cells-to-p.patch +blk-mq-remove-stale-comment-for-blk_mq_sched_mark_re.patch +block-bio-integrity-copy-flags-when-bio_integrity_pa.patch +wifi-rsi-fix-memory-leak-in-rsi_coex_attach.patch +wifi-libertas-fix-memory-leak-in-lbs_init_adapter.patch +wifi-rtl8xxxu-don-t-call-dev_kfree_skb-under-spin_lo.patch +rtlwifi-fix-wpointer-sign-warning.patch +wifi-rtlwifi-fix-global-out-of-bounds-bug-in-_rtl881.patch +ipw2x00-switch-from-pci_-to-dma_-api.patch +wifi-ipw2x00-don-t-call-dev_kfree_skb-under-spin_loc.patch +wifi-ipw2200-fix-memory-leak-in-ipw_wdev_init.patch +wifi-brcmfmac-fix-potential-memory-leak-in-brcmf_net.patch +wifi-brcmfmac-unmap-dma-buffer-in-brcmf_msgbuf_alloc.patch +wifi-libertas_tf-don-t-call-kfree_skb-under-spin_loc.patch +wifi-libertas-if_usb-don-t-call-kfree_skb-under-spin.patch +wifi-libertas-main-don-t-call-kfree_skb-under-spin_l.patch +wifi-libertas-cmdresp-don-t-call-kfree_skb-under-spi.patch +wifi-wl3501_cs-don-t-call-kfree_skb-under-spin_lock_.patch +acpica-drop-port-i-o-validation-for-some-regions.patch +genirq-fix-the-return-type-of-kstat_cpu_irqs_sum.patch +lib-mpi-fix-buffer-overrun-when-sg-is-too-long.patch +acpica-nsrepair-handle-cases-without-a-return-value-.patch +wifi-orinoco-check-return-value-of-hermes_write_word.patch +wifi-ath9k-htc_hst-free-skb-in-ath9k_htc_rx_msg-if-t.patch +ath9k-hif_usb-simplify-if-if-to-if-else.patch +ath9k-htc-clean-up-statistics-macros.patch +wifi-ath9k-hif_usb-clean-up-skbs-if-ath9k_hif_usb_rx.patch +wifi-ath9k-fix-potential-stack-out-of-bounds-write-i.patch +acpi-battery-fix-missing-nul-termination-with-large-.patch +crypto-seqiv-handle-ebusy-correctly.patch +powercap-fix-possible-name-leak-in-powercap_register.patch +net-mlx5-enhance-debug-print-in-page-allocation-fail.patch +irqchip-alpine-msi-fix-refcount-leak-in-alpine_msix_.patch +irqchip-irq-mvebu-gicp-fix-refcount-leak-in-mvebu_gi.patch +bluetooth-l2cap-fix-potential-user-after-free.patch +libbpf-fix-alen-calculation-in-libbpf_nla_dump_error.patch +rds-rds_rm_zerocopy_callback-correct-order-for-list_.patch +crypto-rsa-pkcs1pad-use-akcipher_request_complete.patch +m68k-proc-hardware-should-depend-on-proc_fs.patch +risc-v-time-initialize-hrtimer-based-broadcast-clock.patch +wifi-iwl3945-add-missing-check-for-create_singlethre.patch +wifi-iwl4965-add-missing-check-for-create_singlethre.patch +wifi-mwifiex-fix-loop-iterator-in-mwifiex_update_amp.patch +crypto-crypto4xx-call-dma_unmap_page-when-done.patch +wifi-mac80211-make-rate-u32-in-sta_set_rate_info_rx.patch +can-esd_usb-move-mislocated-storage-of-sja1000_ecc_s.patch +irqchip-irq-brcmstb-l2-set-irq_level-for-level-trigg.patch +irqchip-irq-bcm7120-l2-set-irq_level-for-level-trigg.patch +selftest-fib_tests-always-cleanup-before-exit.patch +drm-mxsfb-drm_mxsfb-should-depend-on-arch_mxs-arch_m.patch +drm-bridge-megachips-fix-error-handling-in-i2c_regis.patch +drm-clarify-definition-of-the-drm_bus_flag_-pixdata-.patch +drm-vc4-dpi-add-option-for-inverting-pixel-clock-and.patch +drm-vc4-dpi-fix-format-mapping-for-rgb565.patch +gpu-ipu-v3-common-add-of_node_put-for-reference-retu.patch +drm-msm-hdmi-add-missing-check-for-alloc_ordered_wor.patch +pinctrl-pinctrl-rockchip-fix-a-bunch-of-kerneldoc-mi.patch +pinctrl-rockchip-fix-refcount-leak-in-rockchip_pinct.patch +alsa-hda-ca0132-minor-fix-for-allocation-size.patch +drm-mipi-dsi-fix-byte-order-of-16-bit-dcs-set-get-br.patch +drm-msm-use-strscpy-instead-of-strncpy.patch +drm-msm-dpu-add-check-for-pstates.patch +gpu-host1x-don-t-skip-assigning-syncpoints-to-channe.patch +drm-mediatek-drop-unbalanced-obj-unref.patch +drm-mediatek-clean-dangling-pointer-on-bind-error-pa.patch +asoc-soc-compress.c-fixup-private_data-on-snd_soc_ne.patch +gpio-vf610-connect-gpio-label-to-dev-name.patch +hwmon-ltc2945-handle-error-case-in-ltc2945_value_sto.patch +scsi-aic94xx-add-missing-check-for-dma_map_single.patch +spi-bcm63xx-hsspi-endianness-fix-for-arm-based-soc.patch +spi-bcm63xx-hsspi-fix-pm_runtime.patch +spi-bcm63xx-hsspi-fix-multi-bit-mode-setting.patch +hwmon-mlxreg-fan-return-zero-speed-for-broken-fan.patch +dm-remove-flush_scheduled_work-during-local_exit.patch +nfsd-fix-race-to-check-ls_layouts.patch +cifs-fix-lost-destroy-smbd-connection-when-mr-alloca.patch +cifs-fix-warning-and-uaf-when-destroy-the-mr-list.patch +gfs2-jdata-writepage-fix.patch +perf-llvm-fix-inadvertent-file-creation.patch +perf-tools-fix-auto-complete-on-aarch64.patch +sparc-allow-pm-configs-for-sparc32-compile_test.patch +selftests-ftrace-fix-bash-specific-operator.patch +mfd-pcf50633-adc-fix-potential-memleak-in-pcf50633_a.patch +mtd-rawnand-sunxi-fix-the-size-of-the-last-oob-regio.patch +input-ads7846-don-t-report-pressure-for-ads7845.patch +input-ads7846-don-t-check-penirq-immediately-for-784.patch +powerpc-powernv-ioda-skip-unallocated-resources-when.patch +clk-honor-clk_ops_parent_enable-in-clk_core_is_enabl.patch +powerpc-pseries-lparcfg-add-missing-rtas-retry-statu.patch +powerpc-rtas-make-all-exports-gpl.patch +powerpc-rtas-ensure-4kb-alignment-for-rtas_data_buf.patch +mips-vpe-mt-drop-physical_memsize.patch +media-platform-ti-add-missing-check-for-devm_regulat.patch +powerpc-remove-linker-flag-from-kbuild_aflags.patch +media-i2c-ov772x-fix-memleak-in-ov772x_probe.patch +media-rc-fix-use-after-free-bugs-caused-by-ene_tx_ir.patch +media-i2c-ov7670-0-instead-of-einval-was-returned.patch +media-usb-siano-fix-use-after-free-bugs-caused-by-do.patch +rpmsg-glink-avoid-infinite-loop-on-intent-for-missin.patch +udf-define-efscorrupted-error-code.patch +arm-dts-exynos-use-exynos5420-compatible-for-the-mip.patch +sched-fair-sanitize-vruntime-of-entity-being-placed.patch +wifi-brcmfmac-fix-potential-stack-out-of-bounds-in-b.patch +rcu-suppress-smp_processor_id-complaint-in-synchroni.patch +thermal-intel-fix-unsigned-comparison-with-less-than.patch +timers-prevent-union-confusion-from-unexpected-resta.patch +x86-bugs-reset-speculation-control-settings-on-init.patch +wifi-brcmfmac-ensure-clm-version-is-null-terminated-.patch +inet-fix-fast-path-in-__inet_hash_connect.patch +acpi-don-t-build-acpica-with-os.patch +net-bcmgenet-add-a-check-for-oversized-packets.patch +m68k-check-syscall_trace_enter-return-code.patch +acpi-video-fix-lenovo-ideapad-z570-dmi-match.patch +net-mlx5-fw_tracer-fix-debug-print.patch +drm-amd-display-fix-potential-null-deref-in-dm_resum.patch +drm-radeon-free-iio-for-atombios-when-driver-shutdow.patch +drm-msm-dsi-add-missing-check-for-alloc_ordered_work.patch +docs-scripts-gdb-add-necessary-make-scripts_gdb-step.patch +asoc-kirkwood-iterate-over-array-indexes-instead-of-.patch +regulator-max77802-bounds-check-regulator-id-against.patch +regulator-s5m8767-bounds-check-id-indexing-into-arra.patch +pinctrl-at91-use-devm_kasprintf-to-avoid-potential-l.patch +dm-thin-add-cond_resched-to-various-workqueue-loops.patch +dm-cache-add-cond_resched-to-various-workqueue-loops.patch diff --git a/queue-4.19/sparc-allow-pm-configs-for-sparc32-compile_test.patch b/queue-4.19/sparc-allow-pm-configs-for-sparc32-compile_test.patch new file mode 100644 index 00000000000..3e36f13039c --- /dev/null +++ b/queue-4.19/sparc-allow-pm-configs-for-sparc32-compile_test.patch @@ -0,0 +1,86 @@ +From 7679fe78213fe99442e9221bb270c6e2aedd9c66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Feb 2023 16:43:57 -0800 +Subject: sparc: allow PM configs for sparc32 COMPILE_TEST + +From: Randy Dunlap + +[ Upstream commit 7be6a87c2473957090995b7eb541e31d57a2c801 ] + +When doing randconfig builds for sparc32 with COMPILE_TEST, some +(non-Sparc) drivers cause kconfig warnings with the Kconfig symbols PM, +PM_GENERIC_DOMAINS, or PM_GENERIC_DOMAINS_OF. + +This is due to arch/sparc/Kconfig not using the PM Kconfig for +Sparc32: + + if SPARC64 + source "kernel/power/Kconfig" + endif + +Arnd suggested adding "|| COMPILE_TEST" to the conditional, +instead of trying to track down every driver that selects +any of these PM symbols. + +Fixes the following kconfig warnings: + +WARNING: unmet direct dependencies detected for PM + Depends on [n]: SPARC64 [=n] + Selected by [y]: + - SUN20I_PPU [=y] && (ARCH_SUNXI || COMPILE_TEST [=y]) + +WARNING: unmet direct dependencies detected for PM + Depends on [n]: SPARC64 [=n] + Selected by [y]: + - SUN20I_PPU [=y] && (ARCH_SUNXI || COMPILE_TEST [=y]) + +WARNING: unmet direct dependencies detected for PM_GENERIC_DOMAINS + Depends on [n]: SPARC64 [=n] && PM [=y] + Selected by [y]: + - QCOM_GDSC [=y] && COMMON_CLK [=y] && PM [=y] + - SUN20I_PPU [=y] && (ARCH_SUNXI || COMPILE_TEST [=y]) + - MESON_GX_PM_DOMAINS [=y] && (ARCH_MESON || COMPILE_TEST [=y]) && PM [=y] && OF [=y] + - BCM2835_POWER [=y] && (ARCH_BCM2835 || COMPILE_TEST [=y] && OF [=y]) && PM [=y] + - BCM_PMB [=y] && (ARCH_BCMBCA || COMPILE_TEST [=y] && OF [=y]) && PM [=y] + - ROCKCHIP_PM_DOMAINS [=y] && (ARCH_ROCKCHIP || COMPILE_TEST [=y]) && PM [=y] + Selected by [m]: + - ARM_SCPI_POWER_DOMAIN [=m] && (ARM_SCPI_PROTOCOL [=m] || COMPILE_TEST [=y] && OF [=y]) && PM [=y] + - MESON_EE_PM_DOMAINS [=m] && (ARCH_MESON || COMPILE_TEST [=y]) && PM [=y] && OF [=y] + - QCOM_AOSS_QMP [=m] && (ARCH_QCOM || COMPILE_TEST [=y]) && MAILBOX [=y] && COMMON_CLK [=y] && PM [=y] + +WARNING: unmet direct dependencies detected for PM_GENERIC_DOMAINS_OF + Depends on [n]: SPARC64 [=n] && PM_GENERIC_DOMAINS [=y] && OF [=y] + Selected by [y]: + - MESON_GX_PM_DOMAINS [=y] && (ARCH_MESON || COMPILE_TEST [=y]) && PM [=y] && OF [=y] + Selected by [m]: + - MESON_EE_PM_DOMAINS [=m] && (ARCH_MESON || COMPILE_TEST [=y]) && PM [=y] && OF [=y] + +Link: https://lkml.kernel.org/r/20230205004357.29459-1-rdunlap@infradead.org +Fixes: bdde6b3c8ba4 ("sparc64: Hibernation support") +Signed-off-by: Randy Dunlap +Suggested-by: Arnd Bergmann +Acked-by: Sam Ravnborg +Cc: "David S. Miller" +Cc: Kirill Tkhai +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + arch/sparc/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/sparc/Kconfig b/arch/sparc/Kconfig +index 1f1a7583fa905..426accab2a88b 100644 +--- a/arch/sparc/Kconfig ++++ b/arch/sparc/Kconfig +@@ -329,7 +329,7 @@ config FORCE_MAX_ZONEORDER + This config option is actually maximum order plus one. For example, + a value of 13 means that the largest free memory block is 2^12 pages. + +-if SPARC64 ++if SPARC64 || COMPILE_TEST + source "kernel/power/Kconfig" + endif + +-- +2.39.2 + diff --git a/queue-4.19/spi-bcm63xx-hsspi-endianness-fix-for-arm-based-soc.patch b/queue-4.19/spi-bcm63xx-hsspi-endianness-fix-for-arm-based-soc.patch new file mode 100644 index 00000000000..aaff839db2e --- /dev/null +++ b/queue-4.19/spi-bcm63xx-hsspi-endianness-fix-for-arm-based-soc.patch @@ -0,0 +1,41 @@ +From e19b7cbc048e87c72124953619a3b2ea546472ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Feb 2023 22:58:17 -0800 +Subject: spi: bcm63xx-hsspi: Endianness fix for ARM based SoC + +From: William Zhang + +[ Upstream commit 85a84a61699990db6a025b5073f337f49933a875 ] + +HSSPI controller uses big endian for the opcode in the message to the +controller ping pong buffer. Use cpu_to_be16 to properly handle the +endianness for both big and little endian host. + +Fixes: 142168eba9dc ("spi: bcm63xx-hsspi: add bcm63xx HSSPI driver") +Signed-off-by: Kursad Oney +Signed-off-by: William Zhang +Acked-by: Florian Fainelli + +Link: https://lore.kernel.org/r/20230207065826.285013-7-william.zhang@broadcom.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-bcm63xx-hsspi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-bcm63xx-hsspi.c b/drivers/spi/spi-bcm63xx-hsspi.c +index 2ad7b3f3666be..443a480767e09 100644 +--- a/drivers/spi/spi-bcm63xx-hsspi.c ++++ b/drivers/spi/spi-bcm63xx-hsspi.c +@@ -192,7 +192,7 @@ static int bcm63xx_hsspi_do_txrx(struct spi_device *spi, struct spi_transfer *t) + tx += curr_step; + } + +- __raw_writew(opcode | curr_step, bs->fifo); ++ __raw_writew((u16)cpu_to_be16(opcode | curr_step), bs->fifo); + + /* enable interrupt */ + __raw_writel(HSSPI_PINGx_CMD_DONE(0), +-- +2.39.2 + diff --git a/queue-4.19/spi-bcm63xx-hsspi-fix-multi-bit-mode-setting.patch b/queue-4.19/spi-bcm63xx-hsspi-fix-multi-bit-mode-setting.patch new file mode 100644 index 00000000000..1af0439c79b --- /dev/null +++ b/queue-4.19/spi-bcm63xx-hsspi-fix-multi-bit-mode-setting.patch @@ -0,0 +1,61 @@ +From e5acff705641e87d60ea5053126304e8e316ecc0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Feb 2023 12:02:41 -0800 +Subject: spi: bcm63xx-hsspi: Fix multi-bit mode setting + +From: William Zhang + +[ Upstream commit 811ff802aaf878ebbbaeac0307a0164fa21e7d40 ] + +Currently the driver always sets the controller to dual data bit mode +for both tx and rx data in the profile mode control register even for +single data bit transfer. Luckily the opcode is set correctly according +to SPI transfer data bit width so it does not actually cause issues. + +This change fixes the problem by setting tx and rx data bit mode field +correctly according to the actual SPI transfer tx and rx data bit width. + +Fixes: 142168eba9dc ("spi: bcm63xx-hsspi: add bcm63xx HSSPI driver") +Signed-off-by: William Zhang +Link: https://lore.kernel.org/r/20230209200246.141520-11-william.zhang@broadcom.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-bcm63xx-hsspi.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/spi/spi-bcm63xx-hsspi.c b/drivers/spi/spi-bcm63xx-hsspi.c +index f45df86cc95a0..6a7f5803e2e7f 100644 +--- a/drivers/spi/spi-bcm63xx-hsspi.c ++++ b/drivers/spi/spi-bcm63xx-hsspi.c +@@ -163,6 +163,7 @@ static int bcm63xx_hsspi_do_txrx(struct spi_device *spi, struct spi_transfer *t) + int step_size = HSSPI_BUFFER_LEN; + const u8 *tx = t->tx_buf; + u8 *rx = t->rx_buf; ++ u32 val = 0; + + bcm63xx_hsspi_set_clk(bs, spi, t->speed_hz); + bcm63xx_hsspi_set_cs(bs, spi->chip_select, true); +@@ -178,11 +179,16 @@ static int bcm63xx_hsspi_do_txrx(struct spi_device *spi, struct spi_transfer *t) + step_size -= HSSPI_OPCODE_LEN; + + if ((opcode == HSSPI_OP_READ && t->rx_nbits == SPI_NBITS_DUAL) || +- (opcode == HSSPI_OP_WRITE && t->tx_nbits == SPI_NBITS_DUAL)) ++ (opcode == HSSPI_OP_WRITE && t->tx_nbits == SPI_NBITS_DUAL)) { + opcode |= HSSPI_OP_MULTIBIT; + +- __raw_writel(1 << MODE_CTRL_MULTIDATA_WR_SIZE_SHIFT | +- 1 << MODE_CTRL_MULTIDATA_RD_SIZE_SHIFT | 0xff, ++ if (t->rx_nbits == SPI_NBITS_DUAL) ++ val |= 1 << MODE_CTRL_MULTIDATA_RD_SIZE_SHIFT; ++ if (t->tx_nbits == SPI_NBITS_DUAL) ++ val |= 1 << MODE_CTRL_MULTIDATA_WR_SIZE_SHIFT; ++ } ++ ++ __raw_writel(val | 0xff, + bs->regs + HSSPI_PROFILE_MODE_CTRL_REG(chip_select)); + + while (pending > 0) { +-- +2.39.2 + diff --git a/queue-4.19/spi-bcm63xx-hsspi-fix-pm_runtime.patch b/queue-4.19/spi-bcm63xx-hsspi-fix-pm_runtime.patch new file mode 100644 index 00000000000..cc9fcb66625 --- /dev/null +++ b/queue-4.19/spi-bcm63xx-hsspi-fix-pm_runtime.patch @@ -0,0 +1,60 @@ +From 56e867d62170f29a7d4f0068489c7179fcfca07d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Feb 2021 16:18:51 +0100 +Subject: spi: bcm63xx-hsspi: fix pm_runtime +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Álvaro Fernández Rojas + +[ Upstream commit 216e8e80057a9f0b6366327881acf88eaf9f1fd4 ] + +The driver sets auto_runtime_pm to true, but it doesn't call +pm_runtime_enable(), which results in "Failed to power device" when PM support +is enabled. + +Signed-off-by: Álvaro Fernández Rojas +Link: https://lore.kernel.org/r/20210223151851.4110-3-noltari@gmail.com +Signed-off-by: Mark Brown +Stable-dep-of: 811ff802aaf8 ("spi: bcm63xx-hsspi: Fix multi-bit mode setting") +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-bcm63xx-hsspi.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-bcm63xx-hsspi.c b/drivers/spi/spi-bcm63xx-hsspi.c +index 443a480767e09..f45df86cc95a0 100644 +--- a/drivers/spi/spi-bcm63xx-hsspi.c ++++ b/drivers/spi/spi-bcm63xx-hsspi.c +@@ -20,6 +20,8 @@ + #include + #include + #include ++#include ++#include + + #define HSSPI_GLOBAL_CTRL_REG 0x0 + #define GLOBAL_CTRL_CS_POLARITY_SHIFT 0 +@@ -432,13 +434,17 @@ static int bcm63xx_hsspi_probe(struct platform_device *pdev) + if (ret) + goto out_put_master; + ++ pm_runtime_enable(&pdev->dev); ++ + /* register and we are done */ + ret = devm_spi_register_master(dev, master); + if (ret) +- goto out_put_master; ++ goto out_pm_disable; + + return 0; + ++out_pm_disable: ++ pm_runtime_disable(&pdev->dev); + out_put_master: + spi_master_put(master); + out_disable_pll_clk: +-- +2.39.2 + diff --git a/queue-4.19/thermal-intel-fix-unsigned-comparison-with-less-than.patch b/queue-4.19/thermal-intel-fix-unsigned-comparison-with-less-than.patch new file mode 100644 index 00000000000..4026254c774 --- /dev/null +++ b/queue-4.19/thermal-intel-fix-unsigned-comparison-with-less-than.patch @@ -0,0 +1,42 @@ +From dc0ec1acc063d64e404c5082c0de040be1c46b16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Jan 2023 08:59:51 +0800 +Subject: thermal: intel: Fix unsigned comparison with less than zero + +From: Yang Li + +[ Upstream commit e7fcfe67f9f410736b758969477b17ea285e8e6c ] + +The return value from the call to intel_tcc_get_tjmax() is int, which can +be a negative error code. However, the return value is being assigned to +an u32 variable 'tj_max', so making 'tj_max' an int. + +Eliminate the following warning: +./drivers/thermal/intel/intel_soc_dts_iosf.c:394:5-11: WARNING: Unsigned expression compared with zero: tj_max < 0 + +Link: https://bugzilla.openanolis.cn/show_bug.cgi?id=3637 +Reported-by: Abaci Robot +Signed-off-by: Yang Li +Acked-by: Zhang Rui +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/thermal/intel_soc_dts_iosf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/thermal/intel_soc_dts_iosf.c b/drivers/thermal/intel_soc_dts_iosf.c +index e0813dfaa2783..435a093998000 100644 +--- a/drivers/thermal/intel_soc_dts_iosf.c ++++ b/drivers/thermal/intel_soc_dts_iosf.c +@@ -405,7 +405,7 @@ struct intel_soc_dts_sensors *intel_soc_dts_iosf_init( + { + struct intel_soc_dts_sensors *sensors; + bool notification; +- u32 tj_max; ++ int tj_max; + int ret; + int i; + +-- +2.39.2 + diff --git a/queue-4.19/timers-prevent-union-confusion-from-unexpected-resta.patch b/queue-4.19/timers-prevent-union-confusion-from-unexpected-resta.patch new file mode 100644 index 00000000000..771b6bb8d72 --- /dev/null +++ b/queue-4.19/timers-prevent-union-confusion-from-unexpected-resta.patch @@ -0,0 +1,108 @@ +From 67e45b71f31b07763222f20a42fe5f0b25839803 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Jan 2023 14:44:03 +0100 +Subject: timers: Prevent union confusion from unexpected restart_syscall() + +From: Jann Horn + +[ Upstream commit 9f76d59173d9d146e96c66886b671c1915a5c5e5 ] + +The nanosleep syscalls use the restart_block mechanism, with a quirk: +The `type` and `rmtp`/`compat_rmtp` fields are set up unconditionally on +syscall entry, while the rest of the restart_block is only set up in the +unlikely case that the syscall is actually interrupted by a signal (or +pseudo-signal) that doesn't have a signal handler. + +If the restart_block was set up by a previous syscall (futex(..., +FUTEX_WAIT, ...) or poll()) and hasn't been invalidated somehow since then, +this will clobber some of the union fields used by futex_wait_restart() and +do_restart_poll(). + +If userspace afterwards wrongly calls the restart_syscall syscall, +futex_wait_restart()/do_restart_poll() will read struct fields that have +been clobbered. + +This doesn't actually lead to anything particularly interesting because +none of the union fields contain trusted kernel data, and +futex(..., FUTEX_WAIT, ...) and poll() aren't syscalls where it makes much +sense to apply seccomp filters to their arguments. + +So the current consequences are just of the "if userspace does bad stuff, +it can damage itself, and that's not a problem" flavor. + +But still, it seems like a hazard for future developers, so invalidate the +restart_block when partly setting it up in the nanosleep syscalls. + +Signed-off-by: Jann Horn +Signed-off-by: Thomas Gleixner +Link: https://lore.kernel.org/r/20230105134403.754986-1-jannh@google.com +Signed-off-by: Sasha Levin +--- + kernel/time/hrtimer.c | 2 ++ + kernel/time/posix-stubs.c | 2 ++ + kernel/time/posix-timers.c | 2 ++ + 3 files changed, 6 insertions(+) + +diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c +index 32ee24f5142ab..8512f06f0ebef 100644 +--- a/kernel/time/hrtimer.c ++++ b/kernel/time/hrtimer.c +@@ -1838,6 +1838,7 @@ SYSCALL_DEFINE2(nanosleep, struct __kernel_timespec __user *, rqtp, + if (!timespec64_valid(&tu)) + return -EINVAL; + ++ current->restart_block.fn = do_no_restart_syscall; + current->restart_block.nanosleep.type = rmtp ? TT_NATIVE : TT_NONE; + current->restart_block.nanosleep.rmtp = rmtp; + return hrtimer_nanosleep(&tu, HRTIMER_MODE_REL, CLOCK_MONOTONIC); +@@ -1858,6 +1859,7 @@ COMPAT_SYSCALL_DEFINE2(nanosleep, struct compat_timespec __user *, rqtp, + if (!timespec64_valid(&tu)) + return -EINVAL; + ++ current->restart_block.fn = do_no_restart_syscall; + current->restart_block.nanosleep.type = rmtp ? TT_COMPAT : TT_NONE; + current->restart_block.nanosleep.compat_rmtp = rmtp; + return hrtimer_nanosleep(&tu, HRTIMER_MODE_REL, CLOCK_MONOTONIC); +diff --git a/kernel/time/posix-stubs.c b/kernel/time/posix-stubs.c +index 2c6847d5d69ba..362c159fb3f88 100644 +--- a/kernel/time/posix-stubs.c ++++ b/kernel/time/posix-stubs.c +@@ -144,6 +144,7 @@ SYSCALL_DEFINE4(clock_nanosleep, const clockid_t, which_clock, int, flags, + return -EINVAL; + if (flags & TIMER_ABSTIME) + rmtp = NULL; ++ current->restart_block.fn = do_no_restart_syscall; + current->restart_block.nanosleep.type = rmtp ? TT_NATIVE : TT_NONE; + current->restart_block.nanosleep.rmtp = rmtp; + return hrtimer_nanosleep(&t, flags & TIMER_ABSTIME ? +@@ -230,6 +231,7 @@ COMPAT_SYSCALL_DEFINE4(clock_nanosleep, clockid_t, which_clock, int, flags, + return -EINVAL; + if (flags & TIMER_ABSTIME) + rmtp = NULL; ++ current->restart_block.fn = do_no_restart_syscall; + current->restart_block.nanosleep.type = rmtp ? TT_COMPAT : TT_NONE; + current->restart_block.nanosleep.compat_rmtp = rmtp; + return hrtimer_nanosleep(&t, flags & TIMER_ABSTIME ? +diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c +index 48758108e055c..1234868b3b03e 100644 +--- a/kernel/time/posix-timers.c ++++ b/kernel/time/posix-timers.c +@@ -1225,6 +1225,7 @@ SYSCALL_DEFINE4(clock_nanosleep, const clockid_t, which_clock, int, flags, + return -EINVAL; + if (flags & TIMER_ABSTIME) + rmtp = NULL; ++ current->restart_block.fn = do_no_restart_syscall; + current->restart_block.nanosleep.type = rmtp ? TT_NATIVE : TT_NONE; + current->restart_block.nanosleep.rmtp = rmtp; + +@@ -1252,6 +1253,7 @@ COMPAT_SYSCALL_DEFINE4(clock_nanosleep, clockid_t, which_clock, int, flags, + return -EINVAL; + if (flags & TIMER_ABSTIME) + rmtp = NULL; ++ current->restart_block.fn = do_no_restart_syscall; + current->restart_block.nanosleep.type = rmtp ? TT_COMPAT : TT_NONE; + current->restart_block.nanosleep.compat_rmtp = rmtp; + +-- +2.39.2 + diff --git a/queue-4.19/udf-define-efscorrupted-error-code.patch b/queue-4.19/udf-define-efscorrupted-error-code.patch new file mode 100644 index 00000000000..3df033c12e8 --- /dev/null +++ b/queue-4.19/udf-define-efscorrupted-error-code.patch @@ -0,0 +1,34 @@ +From 2c6106fb43e243dabdfccf729d358f9bf29b6191 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Sep 2022 16:34:45 +0200 +Subject: udf: Define EFSCORRUPTED error code + +From: Jan Kara + +[ Upstream commit 3d2d7e61553dbcc8ba45201d8ae4f383742c8202 ] + +Similarly to other filesystems define EFSCORRUPTED error code for +reporting internal filesystem corruption. + +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/udf/udf_sb.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/udf/udf_sb.h b/fs/udf/udf_sb.h +index d12e507e9eb2a..aa58173b468fb 100644 +--- a/fs/udf/udf_sb.h ++++ b/fs/udf/udf_sb.h +@@ -57,6 +57,8 @@ + #define MF_DUPLICATE_MD 0x01 + #define MF_MIRROR_FE_LOADED 0x02 + ++#define EFSCORRUPTED EUCLEAN ++ + struct udf_meta_data { + __u32 s_meta_file_loc; + __u32 s_mirror_file_loc; +-- +2.39.2 + diff --git a/queue-4.19/wifi-ath9k-fix-potential-stack-out-of-bounds-write-i.patch b/queue-4.19/wifi-ath9k-fix-potential-stack-out-of-bounds-write-i.patch new file mode 100644 index 00000000000..72849d0a431 --- /dev/null +++ b/queue-4.19/wifi-ath9k-fix-potential-stack-out-of-bounds-write-i.patch @@ -0,0 +1,62 @@ +From 9d50a8b69afee7bb7fed513b54e41f149f079066 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Jan 2023 21:41:30 +0900 +Subject: wifi: ath9k: Fix potential stack-out-of-bounds write in + ath9k_wmi_rsp_callback() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Minsuk Kang + +[ Upstream commit 8a2f35b9830692f7a616f2f627f943bc748af13a ] + +Fix a stack-out-of-bounds write that occurs in a WMI response callback +function that is called after a timeout occurs in ath9k_wmi_cmd(). +The callback writes to wmi->cmd_rsp_buf, a stack-allocated buffer that +could no longer be valid when a timeout occurs. Set wmi->last_seq_id to +0 when a timeout occurred. + +Found by a modified version of syzkaller. + +BUG: KASAN: stack-out-of-bounds in ath9k_wmi_ctrl_rx +Write of size 4 +Call Trace: + memcpy + ath9k_wmi_ctrl_rx + ath9k_htc_rx_msg + ath9k_hif_usb_reg_in_cb + __usb_hcd_giveback_urb + usb_hcd_giveback_urb + dummy_timer + call_timer_fn + run_timer_softirq + __do_softirq + irq_exit_rcu + sysvec_apic_timer_interrupt + +Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.") +Signed-off-by: Minsuk Kang +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230104124130.10996-1-linuxlovemin@yonsei.ac.kr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/wmi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c +index 066677bb83eb0..e4ea6f5cc78ab 100644 +--- a/drivers/net/wireless/ath/ath9k/wmi.c ++++ b/drivers/net/wireless/ath/ath9k/wmi.c +@@ -338,6 +338,7 @@ int ath9k_wmi_cmd(struct wmi *wmi, enum wmi_cmd_id cmd_id, + if (!time_left) { + ath_dbg(common, WMI, "Timeout waiting for WMI command: %s\n", + wmi_cmd_to_name(cmd_id)); ++ wmi->last_seq_id = 0; + mutex_unlock(&wmi->op_mutex); + kfree_skb(skb); + return -ETIMEDOUT; +-- +2.39.2 + diff --git a/queue-4.19/wifi-ath9k-hif_usb-clean-up-skbs-if-ath9k_hif_usb_rx.patch b/queue-4.19/wifi-ath9k-hif_usb-clean-up-skbs-if-ath9k_hif_usb_rx.patch new file mode 100644 index 00000000000..8f6fae7c985 --- /dev/null +++ b/queue-4.19/wifi-ath9k-hif_usb-clean-up-skbs-if-ath9k_hif_usb_rx.patch @@ -0,0 +1,125 @@ +From 5db793d9ea93000ebd9eb4584f3bcc17571f260d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Jan 2023 15:36:15 +0300 +Subject: wifi: ath9k: hif_usb: clean up skbs if ath9k_hif_usb_rx_stream() + fails +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Fedor Pchelkin + +[ Upstream commit 0af54343a76263a12dbae7fafb64eb47c4a6ad38 ] + +Syzkaller detected a memory leak of skbs in ath9k_hif_usb_rx_stream(). +While processing skbs in ath9k_hif_usb_rx_stream(), the already allocated +skbs in skb_pool are not freed if ath9k_hif_usb_rx_stream() fails. If we +have an incorrect pkt_len or pkt_tag, the input skb is considered invalid +and dropped. All the associated packets already in skb_pool should be +dropped and freed. Added a comment describing this issue. + +The patch also makes remain_skb NULL after being processed so that it +cannot be referenced after potential free. The initialization of hif_dev +fields which are associated with remain_skb (rx_remain_len, +rx_transfer_len and rx_pad_len) is moved after a new remain_skb is +allocated. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: 6ce708f54cc8 ("ath9k: Fix out-of-bound memcpy in ath9k_hif_usb_rx_stream") +Fixes: 44b23b488d44 ("ath9k: hif_usb: Reduce indent 1 column") +Reported-by: syzbot+e9632e3eb038d93d6bc6@syzkaller.appspotmail.com +Signed-off-by: Fedor Pchelkin +Signed-off-by: Alexey Khoroshilov +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230104123615.51511-1-pchelkin@ispras.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/hif_usb.c | 31 +++++++++++++++++------- + 1 file changed, 22 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c +index f68e47f9b01e2..e23d58f83dd6f 100644 +--- a/drivers/net/wireless/ath/ath9k/hif_usb.c ++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c +@@ -561,11 +561,11 @@ static void ath9k_hif_usb_rx_stream(struct hif_device_usb *hif_dev, + memcpy(ptr, skb->data, rx_remain_len); + + rx_pkt_len += rx_remain_len; +- hif_dev->rx_remain_len = 0; + skb_put(remain_skb, rx_pkt_len); + + skb_pool[pool_index++] = remain_skb; +- ++ hif_dev->remain_skb = NULL; ++ hif_dev->rx_remain_len = 0; + } else { + index = rx_remain_len; + } +@@ -584,16 +584,21 @@ static void ath9k_hif_usb_rx_stream(struct hif_device_usb *hif_dev, + pkt_len = get_unaligned_le16(ptr + index); + pkt_tag = get_unaligned_le16(ptr + index + 2); + ++ /* It is supposed that if we have an invalid pkt_tag or ++ * pkt_len then the whole input SKB is considered invalid ++ * and dropped; the associated packets already in skb_pool ++ * are dropped, too. ++ */ + if (pkt_tag != ATH_USB_RX_STREAM_MODE_TAG) { + RX_STAT_INC(hif_dev, skb_dropped); +- return; ++ goto invalid_pkt; + } + + if (pkt_len > 2 * MAX_RX_BUF_SIZE) { + dev_err(&hif_dev->udev->dev, + "ath9k_htc: invalid pkt_len (%x)\n", pkt_len); + RX_STAT_INC(hif_dev, skb_dropped); +- return; ++ goto invalid_pkt; + } + + pad_len = 4 - (pkt_len & 0x3); +@@ -605,11 +610,6 @@ static void ath9k_hif_usb_rx_stream(struct hif_device_usb *hif_dev, + + if (index > MAX_RX_BUF_SIZE) { + spin_lock(&hif_dev->rx_lock); +- hif_dev->rx_remain_len = index - MAX_RX_BUF_SIZE; +- hif_dev->rx_transfer_len = +- MAX_RX_BUF_SIZE - chk_idx - 4; +- hif_dev->rx_pad_len = pad_len; +- + nskb = __dev_alloc_skb(pkt_len + 32, GFP_ATOMIC); + if (!nskb) { + dev_err(&hif_dev->udev->dev, +@@ -617,6 +617,12 @@ static void ath9k_hif_usb_rx_stream(struct hif_device_usb *hif_dev, + spin_unlock(&hif_dev->rx_lock); + goto err; + } ++ ++ hif_dev->rx_remain_len = index - MAX_RX_BUF_SIZE; ++ hif_dev->rx_transfer_len = ++ MAX_RX_BUF_SIZE - chk_idx - 4; ++ hif_dev->rx_pad_len = pad_len; ++ + skb_reserve(nskb, 32); + RX_STAT_INC(hif_dev, skb_allocated); + +@@ -654,6 +660,13 @@ static void ath9k_hif_usb_rx_stream(struct hif_device_usb *hif_dev, + skb_pool[i]->len, USB_WLAN_RX_PIPE); + RX_STAT_INC(hif_dev, skb_completed); + } ++ return; ++invalid_pkt: ++ for (i = 0; i < pool_index; i++) { ++ dev_kfree_skb_any(skb_pool[i]); ++ RX_STAT_INC(hif_dev, skb_dropped); ++ } ++ return; + } + + static void ath9k_hif_usb_rx_cb(struct urb *urb) +-- +2.39.2 + diff --git a/queue-4.19/wifi-ath9k-htc_hst-free-skb-in-ath9k_htc_rx_msg-if-t.patch b/queue-4.19/wifi-ath9k-htc_hst-free-skb-in-ath9k_htc_rx_msg-if-t.patch new file mode 100644 index 00000000000..40bf0cb863e --- /dev/null +++ b/queue-4.19/wifi-ath9k-htc_hst-free-skb-in-ath9k_htc_rx_msg-if-t.patch @@ -0,0 +1,58 @@ +From 91bcc8c733af862b57733b0d372c923a84ffc456 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Jan 2023 15:35:46 +0300 +Subject: wifi: ath9k: htc_hst: free skb in ath9k_htc_rx_msg() if there is no + callback function +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Fedor Pchelkin + +[ Upstream commit 9b25e3985477ac3f02eca5fc1e0cc6850a3f7e69 ] + +It is stated that ath9k_htc_rx_msg() either frees the provided skb or +passes its management to another callback function. However, the skb is +not freed in case there is no another callback function, and Syzkaller was +able to cause a memory leak. Also minor comment fix. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.") +Reported-by: syzbot+e008dccab31bd3647609@syzkaller.appspotmail.com +Reported-by: syzbot+6692c72009680f7c4eb2@syzkaller.appspotmail.com +Signed-off-by: Fedor Pchelkin +Signed-off-by: Alexey Khoroshilov +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230104123546.51427-1-pchelkin@ispras.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/htc_hst.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c +index 6d69cf69fd86e..6331c98088e03 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_hst.c ++++ b/drivers/net/wireless/ath/ath9k/htc_hst.c +@@ -394,7 +394,7 @@ static void ath9k_htc_fw_panic_report(struct htc_target *htc_handle, + * HTC Messages are handled directly here and the obtained SKB + * is freed. + * +- * Service messages (Data, WMI) passed to the corresponding ++ * Service messages (Data, WMI) are passed to the corresponding + * endpoint RX handlers, which have to free the SKB. + */ + void ath9k_htc_rx_msg(struct htc_target *htc_handle, +@@ -481,6 +481,8 @@ void ath9k_htc_rx_msg(struct htc_target *htc_handle, + if (endpoint->ep_callbacks.rx) + endpoint->ep_callbacks.rx(endpoint->ep_callbacks.priv, + skb, epid); ++ else ++ goto invalid; + } + } + +-- +2.39.2 + diff --git a/queue-4.19/wifi-brcmfmac-ensure-clm-version-is-null-terminated-.patch b/queue-4.19/wifi-brcmfmac-ensure-clm-version-is-null-terminated-.patch new file mode 100644 index 00000000000..8ecaa07af68 --- /dev/null +++ b/queue-4.19/wifi-brcmfmac-ensure-clm-version-is-null-terminated-.patch @@ -0,0 +1,165 @@ +From 7fbdd5d0f491635102dccdad7f57b00fa621d9df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Dec 2022 16:51:39 +0900 +Subject: wifi: brcmfmac: ensure CLM version is null-terminated to prevent + stack-out-of-bounds + +From: Jisoo Jang + +[ Upstream commit 660145d708be52f946a82e5b633c020f58f996de ] + +Fix a stack-out-of-bounds read in brcmfmac that occurs +when 'buf' that is not null-terminated is passed as an argument of +strreplace() in brcmf_c_preinit_dcmds(). This buffer is filled with +a CLM version string by memcpy() in brcmf_fil_iovar_data_get(). +Ensure buf is null-terminated. + +Found by a modified version of syzkaller. + +[ 33.004414][ T1896] brcmfmac: brcmf_c_process_clm_blob: no clm_blob available (err=-2), device may have limited channels available +[ 33.013486][ T1896] brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM43236/3 wl0: Nov 30 2011 17:33:42 version 5.90.188.22 +[ 33.021554][ T1896] ================================================================== +[ 33.022379][ T1896] BUG: KASAN: stack-out-of-bounds in strreplace+0xf2/0x110 +[ 33.023122][ T1896] Read of size 1 at addr ffffc90001d6efc8 by task kworker/0:2/1896 +[ 33.023852][ T1896] +[ 33.024096][ T1896] CPU: 0 PID: 1896 Comm: kworker/0:2 Tainted: G O 5.14.0+ #132 +[ 33.024927][ T1896] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 +[ 33.026065][ T1896] Workqueue: usb_hub_wq hub_event +[ 33.026581][ T1896] Call Trace: +[ 33.026896][ T1896] dump_stack_lvl+0x57/0x7d +[ 33.027372][ T1896] print_address_description.constprop.0.cold+0xf/0x334 +[ 33.028037][ T1896] ? strreplace+0xf2/0x110 +[ 33.028403][ T1896] ? strreplace+0xf2/0x110 +[ 33.028807][ T1896] kasan_report.cold+0x83/0xdf +[ 33.029283][ T1896] ? strreplace+0xf2/0x110 +[ 33.029666][ T1896] strreplace+0xf2/0x110 +[ 33.029966][ T1896] brcmf_c_preinit_dcmds+0xab1/0xc40 +[ 33.030351][ T1896] ? brcmf_c_set_joinpref_default+0x100/0x100 +[ 33.030787][ T1896] ? rcu_read_lock_sched_held+0xa1/0xd0 +[ 33.031223][ T1896] ? rcu_read_lock_bh_held+0xb0/0xb0 +[ 33.031661][ T1896] ? lock_acquire+0x19d/0x4e0 +[ 33.032091][ T1896] ? find_held_lock+0x2d/0x110 +[ 33.032605][ T1896] ? brcmf_usb_deq+0x1a7/0x260 +[ 33.033087][ T1896] ? brcmf_usb_rx_fill_all+0x5a/0xf0 +[ 33.033582][ T1896] brcmf_attach+0x246/0xd40 +[ 33.034022][ T1896] ? wiphy_new_nm+0x1476/0x1d50 +[ 33.034383][ T1896] ? kmemdup+0x30/0x40 +[ 33.034722][ T1896] brcmf_usb_probe+0x12de/0x1690 +[ 33.035223][ T1896] ? brcmf_usbdev_qinit.constprop.0+0x470/0x470 +[ 33.035833][ T1896] usb_probe_interface+0x25f/0x710 +[ 33.036315][ T1896] really_probe+0x1be/0xa90 +[ 33.036656][ T1896] __driver_probe_device+0x2ab/0x460 +[ 33.037026][ T1896] ? usb_match_id.part.0+0x88/0xc0 +[ 33.037383][ T1896] driver_probe_device+0x49/0x120 +[ 33.037790][ T1896] __device_attach_driver+0x18a/0x250 +[ 33.038300][ T1896] ? driver_allows_async_probing+0x120/0x120 +[ 33.038986][ T1896] bus_for_each_drv+0x123/0x1a0 +[ 33.039906][ T1896] ? bus_rescan_devices+0x20/0x20 +[ 33.041412][ T1896] ? lockdep_hardirqs_on_prepare+0x273/0x3e0 +[ 33.041861][ T1896] ? trace_hardirqs_on+0x1c/0x120 +[ 33.042330][ T1896] __device_attach+0x207/0x330 +[ 33.042664][ T1896] ? device_bind_driver+0xb0/0xb0 +[ 33.043026][ T1896] ? kobject_uevent_env+0x230/0x12c0 +[ 33.043515][ T1896] bus_probe_device+0x1a2/0x260 +[ 33.043914][ T1896] device_add+0xa61/0x1ce0 +[ 33.044227][ T1896] ? __mutex_unlock_slowpath+0xe7/0x660 +[ 33.044891][ T1896] ? __fw_devlink_link_to_suppliers+0x550/0x550 +[ 33.045531][ T1896] usb_set_configuration+0x984/0x1770 +[ 33.046051][ T1896] ? kernfs_create_link+0x175/0x230 +[ 33.046548][ T1896] usb_generic_driver_probe+0x69/0x90 +[ 33.046931][ T1896] usb_probe_device+0x9c/0x220 +[ 33.047434][ T1896] really_probe+0x1be/0xa90 +[ 33.047760][ T1896] __driver_probe_device+0x2ab/0x460 +[ 33.048134][ T1896] driver_probe_device+0x49/0x120 +[ 33.048516][ T1896] __device_attach_driver+0x18a/0x250 +[ 33.048910][ T1896] ? driver_allows_async_probing+0x120/0x120 +[ 33.049437][ T1896] bus_for_each_drv+0x123/0x1a0 +[ 33.049814][ T1896] ? bus_rescan_devices+0x20/0x20 +[ 33.050164][ T1896] ? lockdep_hardirqs_on_prepare+0x273/0x3e0 +[ 33.050579][ T1896] ? trace_hardirqs_on+0x1c/0x120 +[ 33.050936][ T1896] __device_attach+0x207/0x330 +[ 33.051399][ T1896] ? device_bind_driver+0xb0/0xb0 +[ 33.051888][ T1896] ? kobject_uevent_env+0x230/0x12c0 +[ 33.052314][ T1896] bus_probe_device+0x1a2/0x260 +[ 33.052688][ T1896] device_add+0xa61/0x1ce0 +[ 33.053121][ T1896] ? __fw_devlink_link_to_suppliers+0x550/0x550 +[ 33.053568][ T1896] usb_new_device.cold+0x463/0xf66 +[ 33.053953][ T1896] ? hub_disconnect+0x400/0x400 +[ 33.054313][ T1896] ? rwlock_bug.part.0+0x90/0x90 +[ 33.054661][ T1896] ? lockdep_hardirqs_on_prepare+0x273/0x3e0 +[ 33.055094][ T1896] hub_event+0x10d5/0x3330 +[ 33.055530][ T1896] ? hub_port_debounce+0x280/0x280 +[ 33.055934][ T1896] ? __lock_acquire+0x1671/0x5790 +[ 33.056387][ T1896] ? wq_calc_node_cpumask+0x170/0x2a0 +[ 33.056924][ T1896] ? lock_release+0x640/0x640 +[ 33.057383][ T1896] ? rcu_read_lock_sched_held+0xa1/0xd0 +[ 33.057916][ T1896] ? rcu_read_lock_bh_held+0xb0/0xb0 +[ 33.058402][ T1896] ? lockdep_hardirqs_on_prepare+0x273/0x3e0 +[ 33.059019][ T1896] process_one_work+0x873/0x13e0 +[ 33.059488][ T1896] ? lock_release+0x640/0x640 +[ 33.059932][ T1896] ? pwq_dec_nr_in_flight+0x320/0x320 +[ 33.060446][ T1896] ? rwlock_bug.part.0+0x90/0x90 +[ 33.060898][ T1896] worker_thread+0x8b/0xd10 +[ 33.061348][ T1896] ? __kthread_parkme+0xd9/0x1d0 +[ 33.061810][ T1896] ? process_one_work+0x13e0/0x13e0 +[ 33.062288][ T1896] kthread+0x379/0x450 +[ 33.062660][ T1896] ? _raw_spin_unlock_irq+0x24/0x30 +[ 33.063148][ T1896] ? set_kthread_struct+0x100/0x100 +[ 33.063606][ T1896] ret_from_fork+0x1f/0x30 +[ 33.064070][ T1896] +[ 33.064313][ T1896] +[ 33.064545][ T1896] addr ffffc90001d6efc8 is located in stack of task kworker/0:2/1896 at offset 512 in frame: +[ 33.065478][ T1896] brcmf_c_preinit_dcmds+0x0/0xc40 +[ 33.065973][ T1896] +[ 33.066191][ T1896] this frame has 4 objects: +[ 33.066614][ T1896] [48, 56) 'ptr' +[ 33.066618][ T1896] [80, 148) 'revinfo' +[ 33.066957][ T1896] [192, 210) 'eventmask' +[ 33.067338][ T1896] [256, 512) 'buf' +[ 33.067742][ T1896] +[ 33.068304][ T1896] Memory state around the buggy address: +[ 33.068838][ T1896] ffffc90001d6ee80: f2 00 00 02 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 +[ 33.069545][ T1896] ffffc90001d6ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 33.070626][ T1896] >ffffc90001d6ef80: 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3 +[ 33.072052][ T1896] ^ +[ 33.073043][ T1896] ffffc90001d6f000: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 33.074230][ T1896] ffffc90001d6f080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 33.074914][ T1896] ================================================================== +[ 33.075713][ T1896] Disabling lock debugging due to kernel taint + +Reviewed-by: Arend van Spriel +Signed-off-by: Jisoo Jang +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221230075139.56591-1-jisoo.jang@yonsei.ac.kr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c +index b4e8957840020..3626ea9be92af 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c +@@ -290,15 +290,17 @@ int brcmf_c_preinit_dcmds(struct brcmf_if *ifp) + if (err) { + brcmf_dbg(TRACE, "retrieving clmver failed, %d\n", err); + } else { ++ buf[sizeof(buf) - 1] = '\0'; + clmver = (char *)buf; +- /* store CLM version for adding it to revinfo debugfs file */ +- memcpy(ifp->drvr->clmver, clmver, sizeof(ifp->drvr->clmver)); + + /* Replace all newline/linefeed characters with space + * character + */ + strreplace(clmver, '\n', ' '); + ++ /* store CLM version for adding it to revinfo debugfs file */ ++ memcpy(ifp->drvr->clmver, clmver, sizeof(ifp->drvr->clmver)); ++ + brcmf_dbg(INFO, "CLM version = %s\n", clmver); + } + +-- +2.39.2 + diff --git a/queue-4.19/wifi-brcmfmac-fix-potential-memory-leak-in-brcmf_net.patch b/queue-4.19/wifi-brcmfmac-fix-potential-memory-leak-in-brcmf_net.patch new file mode 100644 index 00000000000..24a9441c4e4 --- /dev/null +++ b/queue-4.19/wifi-brcmfmac-fix-potential-memory-leak-in-brcmf_net.patch @@ -0,0 +1,39 @@ +From 3849a00ec026d0455b7e5edccc08a2e28c3a1cd8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 19:33:01 +0800 +Subject: wifi: brcmfmac: fix potential memory leak in + brcmf_netdev_start_xmit() + +From: Zhang Changzhong + +[ Upstream commit 212fde3fe76e962598ce1d47b97cc78afdfc71b3 ] + +The brcmf_netdev_start_xmit() returns NETDEV_TX_OK without freeing skb +in case of pskb_expand_head() fails, add dev_kfree_skb() to fix it. +Compile tested only. + +Fixes: 270a6c1f65fe ("brcmfmac: rework headroom check in .start_xmit()") +Signed-off-by: Zhang Changzhong +Reviewed-by: Arend van Spriel +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1668684782-47422-1-git-send-email-zhangchangzhong@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +index 31bf2eb47b49f..6fd155187263f 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +@@ -313,6 +313,7 @@ static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb, + brcmf_err("%s: failed to expand headroom\n", + brcmf_ifname(ifp)); + atomic_inc(&drvr->bus_if->stats.pktcow_failed); ++ dev_kfree_skb(skb); + goto done; + } + } +-- +2.39.2 + diff --git a/queue-4.19/wifi-brcmfmac-fix-potential-stack-out-of-bounds-in-b.patch b/queue-4.19/wifi-brcmfmac-fix-potential-stack-out-of-bounds-in-b.patch new file mode 100644 index 00000000000..0989c3e20a9 --- /dev/null +++ b/queue-4.19/wifi-brcmfmac-fix-potential-stack-out-of-bounds-in-b.patch @@ -0,0 +1,160 @@ +From 34e58c527466623e2d2241caad4a1d7ffc3ea4b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Nov 2022 13:34:58 +0900 +Subject: wifi: brcmfmac: Fix potential stack-out-of-bounds in + brcmf_c_preinit_dcmds() + +From: Jisoo Jang + +[ Upstream commit 0a06cadcc2a0044e4a117cc0e61436fc3a0dad69 ] + +This patch fixes a stack-out-of-bounds read in brcmfmac that occurs +when 'buf' that is not null-terminated is passed as an argument of +strsep() in brcmf_c_preinit_dcmds(). This buffer is filled with a firmware +version string by memcpy() in brcmf_fil_iovar_data_get(). +The patch ensures buf is null-terminated. + +Found by a modified version of syzkaller. + +[ 47.569679][ T1897] brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43236b for chip BCM43236/3 +[ 47.582839][ T1897] brcmfmac: brcmf_c_process_clm_blob: no clm_blob available (err=-2), device may have limited channels available +[ 47.601565][ T1897] ================================================================== +[ 47.602574][ T1897] BUG: KASAN: stack-out-of-bounds in strsep+0x1b2/0x1f0 +[ 47.603447][ T1897] Read of size 1 at addr ffffc90001f6f000 by task kworker/0:2/1897 +[ 47.604336][ T1897] +[ 47.604621][ T1897] CPU: 0 PID: 1897 Comm: kworker/0:2 Tainted: G O 5.14.0+ #131 +[ 47.605617][ T1897] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 +[ 47.606907][ T1897] Workqueue: usb_hub_wq hub_event +[ 47.607453][ T1897] Call Trace: +[ 47.607801][ T1897] dump_stack_lvl+0x8e/0xd1 +[ 47.608295][ T1897] print_address_description.constprop.0.cold+0xf/0x334 +[ 47.609009][ T1897] ? strsep+0x1b2/0x1f0 +[ 47.609434][ T1897] ? strsep+0x1b2/0x1f0 +[ 47.609863][ T1897] kasan_report.cold+0x83/0xdf +[ 47.610366][ T1897] ? strsep+0x1b2/0x1f0 +[ 47.610882][ T1897] strsep+0x1b2/0x1f0 +[ 47.611300][ T1897] ? brcmf_fil_iovar_data_get+0x3a/0xf0 +[ 47.611883][ T1897] brcmf_c_preinit_dcmds+0x995/0xc40 +[ 47.612434][ T1897] ? brcmf_c_set_joinpref_default+0x100/0x100 +[ 47.613078][ T1897] ? rcu_read_lock_sched_held+0xa1/0xd0 +[ 47.613662][ T1897] ? rcu_read_lock_bh_held+0xb0/0xb0 +[ 47.614208][ T1897] ? lock_acquire+0x19d/0x4e0 +[ 47.614704][ T1897] ? find_held_lock+0x2d/0x110 +[ 47.615236][ T1897] ? brcmf_usb_deq+0x1a7/0x260 +[ 47.615741][ T1897] ? brcmf_usb_rx_fill_all+0x5a/0xf0 +[ 47.616288][ T1897] brcmf_attach+0x246/0xd40 +[ 47.616758][ T1897] ? wiphy_new_nm+0x1703/0x1dd0 +[ 47.617280][ T1897] ? kmemdup+0x43/0x50 +[ 47.617720][ T1897] brcmf_usb_probe+0x12de/0x1690 +[ 47.618244][ T1897] ? brcmf_usbdev_qinit.constprop.0+0x470/0x470 +[ 47.618901][ T1897] usb_probe_interface+0x2aa/0x760 +[ 47.619429][ T1897] ? usb_probe_device+0x250/0x250 +[ 47.619950][ T1897] really_probe+0x205/0xb70 +[ 47.620435][ T1897] ? driver_allows_async_probing+0x130/0x130 +[ 47.621048][ T1897] __driver_probe_device+0x311/0x4b0 +[ 47.621595][ T1897] ? driver_allows_async_probing+0x130/0x130 +[ 47.622209][ T1897] driver_probe_device+0x4e/0x150 +[ 47.622739][ T1897] __device_attach_driver+0x1cc/0x2a0 +[ 47.623287][ T1897] bus_for_each_drv+0x156/0x1d0 +[ 47.623796][ T1897] ? bus_rescan_devices+0x30/0x30 +[ 47.624309][ T1897] ? lockdep_hardirqs_on_prepare+0x273/0x3e0 +[ 47.624907][ T1897] ? trace_hardirqs_on+0x46/0x160 +[ 47.625437][ T1897] __device_attach+0x23f/0x3a0 +[ 47.625924][ T1897] ? device_bind_driver+0xd0/0xd0 +[ 47.626433][ T1897] ? kobject_uevent_env+0x287/0x14b0 +[ 47.627057][ T1897] bus_probe_device+0x1da/0x290 +[ 47.627557][ T1897] device_add+0xb7b/0x1eb0 +[ 47.628027][ T1897] ? wait_for_completion+0x290/0x290 +[ 47.628593][ T1897] ? __fw_devlink_link_to_suppliers+0x5a0/0x5a0 +[ 47.629249][ T1897] usb_set_configuration+0xf59/0x16f0 +[ 47.629829][ T1897] usb_generic_driver_probe+0x82/0xa0 +[ 47.630385][ T1897] usb_probe_device+0xbb/0x250 +[ 47.630927][ T1897] ? usb_suspend+0x590/0x590 +[ 47.631397][ T1897] really_probe+0x205/0xb70 +[ 47.631855][ T1897] ? driver_allows_async_probing+0x130/0x130 +[ 47.632469][ T1897] __driver_probe_device+0x311/0x4b0 +[ 47.633002][ T1897] ? usb_generic_driver_match+0x75/0x90 +[ 47.633573][ T1897] ? driver_allows_async_probing+0x130/0x130 +[ 47.634170][ T1897] driver_probe_device+0x4e/0x150 +[ 47.634703][ T1897] __device_attach_driver+0x1cc/0x2a0 +[ 47.635248][ T1897] bus_for_each_drv+0x156/0x1d0 +[ 47.635748][ T1897] ? bus_rescan_devices+0x30/0x30 +[ 47.636271][ T1897] ? lockdep_hardirqs_on_prepare+0x273/0x3e0 +[ 47.636881][ T1897] ? trace_hardirqs_on+0x46/0x160 +[ 47.637396][ T1897] __device_attach+0x23f/0x3a0 +[ 47.637904][ T1897] ? device_bind_driver+0xd0/0xd0 +[ 47.638426][ T1897] ? kobject_uevent_env+0x287/0x14b0 +[ 47.638985][ T1897] bus_probe_device+0x1da/0x290 +[ 47.639512][ T1897] device_add+0xb7b/0x1eb0 +[ 47.639977][ T1897] ? __fw_devlink_link_to_suppliers+0x5a0/0x5a0 +[ 47.640612][ T1897] ? kfree+0x14a/0x6b0 +[ 47.641055][ T1897] ? __usb_get_extra_descriptor+0x116/0x160 +[ 47.641679][ T1897] usb_new_device.cold+0x49c/0x1029 +[ 47.642245][ T1897] ? hub_disconnect+0x450/0x450 +[ 47.642756][ T1897] ? rwlock_bug.part.0+0x90/0x90 +[ 47.643273][ T1897] ? _raw_spin_unlock_irq+0x24/0x30 +[ 47.643822][ T1897] ? lockdep_hardirqs_on_prepare+0x273/0x3e0 +[ 47.644445][ T1897] hub_event+0x1c98/0x3950 +[ 47.644939][ T1897] ? hub_port_debounce+0x2e0/0x2e0 +[ 47.645467][ T1897] ? check_irq_usage+0x861/0xf20 +[ 47.645975][ T1897] ? drain_workqueue+0x280/0x360 +[ 47.646506][ T1897] ? lock_release+0x640/0x640 +[ 47.646994][ T1897] ? rcu_read_lock_sched_held+0xa1/0xd0 +[ 47.647572][ T1897] ? rcu_read_lock_bh_held+0xb0/0xb0 +[ 47.648111][ T1897] ? lockdep_hardirqs_on_prepare+0x273/0x3e0 +[ 47.648735][ T1897] process_one_work+0x92b/0x1460 +[ 47.649262][ T1897] ? pwq_dec_nr_in_flight+0x330/0x330 +[ 47.649816][ T1897] ? rwlock_bug.part.0+0x90/0x90 +[ 47.650336][ T1897] worker_thread+0x95/0xe00 +[ 47.650830][ T1897] ? __kthread_parkme+0x115/0x1e0 +[ 47.651361][ T1897] ? process_one_work+0x1460/0x1460 +[ 47.651904][ T1897] kthread+0x3a1/0x480 +[ 47.652329][ T1897] ? set_kthread_struct+0x120/0x120 +[ 47.652878][ T1897] ret_from_fork+0x1f/0x30 +[ 47.653370][ T1897] +[ 47.653608][ T1897] +[ 47.653848][ T1897] addr ffffc90001f6f000 is located in stack of task kworker/0:2/1897 at offset 512 in frame: +[ 47.654891][ T1897] brcmf_c_preinit_dcmds+0x0/0xc40 +[ 47.655442][ T1897] +[ 47.655690][ T1897] this frame has 4 objects: +[ 47.656151][ T1897] [48, 56) 'ptr' +[ 47.656159][ T1897] [80, 148) 'revinfo' +[ 47.656534][ T1897] [192, 210) 'eventmask' +[ 47.656953][ T1897] [256, 512) 'buf' +[ 47.657410][ T1897] +[ 47.658035][ T1897] Memory state around the buggy address: +[ 47.658743][ T1897] ffffc90001f6ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 47.659577][ T1897] ffffc90001f6ef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 47.660394][ T1897] >ffffc90001f6f000: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 +[ 47.661199][ T1897] ^ +[ 47.661625][ T1897] ffffc90001f6f080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 47.662455][ T1897] ffffc90001f6f100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 +[ 47.663318][ T1897] ================================================================== +[ 47.664147][ T1897] Disabling lock debugging due to kernel taint + +Reported-by: Dokyung Song +Reported-by: Jisoo Jang +Reported-by: Minsuk Kang +Signed-off-by: Jisoo Jang +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221115043458.37562-1-jisoo.jang@yonsei.ac.kr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c +index 8510d207ee87d..b4e8957840020 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c +@@ -273,6 +273,7 @@ int brcmf_c_preinit_dcmds(struct brcmf_if *ifp) + err); + goto done; + } ++ buf[sizeof(buf) - 1] = '\0'; + ptr = (char *)buf; + strsep(&ptr, "\n"); + +-- +2.39.2 + diff --git a/queue-4.19/wifi-brcmfmac-unmap-dma-buffer-in-brcmf_msgbuf_alloc.patch b/queue-4.19/wifi-brcmfmac-unmap-dma-buffer-in-brcmf_msgbuf_alloc.patch new file mode 100644 index 00000000000..93183c269b8 --- /dev/null +++ b/queue-4.19/wifi-brcmfmac-unmap-dma-buffer-in-brcmf_msgbuf_alloc.patch @@ -0,0 +1,46 @@ +From 48783fd3bd258d48c2cb4e55900550d76d620c69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 09:31:14 +0800 +Subject: wifi: brcmfmac: unmap dma buffer in brcmf_msgbuf_alloc_pktid() + +From: Zhengchao Shao + +[ Upstream commit b9f420032f2ba1e634b22ca7b433e5c40ea663af ] + +After the DMA buffer is mapped to a physical address, address is stored +in pktids in brcmf_msgbuf_alloc_pktid(). Then, pktids is parsed in +brcmf_msgbuf_get_pktid()/brcmf_msgbuf_release_array() to obtain physaddr +and later unmap the DMA buffer. But when count is always equal to +pktids->array_size, physaddr isn't stored in pktids and the DMA buffer +will not be unmapped anyway. + +Fixes: 9a1bb60250d2 ("brcmfmac: Adding msgbuf protocol.") +Signed-off-by: Zhengchao Shao +Reviewed-by: Sebastian Andrzej Siewior +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221207013114.1748936-1-shaozhengchao@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c +index 768a99c15c08b..e81e892ddacc5 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c +@@ -339,8 +339,11 @@ brcmf_msgbuf_alloc_pktid(struct device *dev, + count++; + } while (count < pktids->array_size); + +- if (count == pktids->array_size) ++ if (count == pktids->array_size) { ++ dma_unmap_single(dev, *physaddr, skb->len - data_offset, ++ pktids->direction); + return -ENOMEM; ++ } + + array[*idx].data_offset = data_offset; + array[*idx].physaddr = *physaddr; +-- +2.39.2 + diff --git a/queue-4.19/wifi-ipw2200-fix-memory-leak-in-ipw_wdev_init.patch b/queue-4.19/wifi-ipw2200-fix-memory-leak-in-ipw_wdev_init.patch new file mode 100644 index 00000000000..d03f2534726 --- /dev/null +++ b/queue-4.19/wifi-ipw2200-fix-memory-leak-in-ipw_wdev_init.patch @@ -0,0 +1,47 @@ +From 50a6cdae99f0a62acf45dab8051dc6b211696ff8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Dec 2022 09:24:22 +0800 +Subject: wifi: ipw2200: fix memory leak in ipw_wdev_init() + +From: Zhengchao Shao + +[ Upstream commit 9fe21dc626117fb44a8eb393713a86a620128ce3 ] + +In the error path of ipw_wdev_init(), exception value is returned, and +the memory applied for in the function is not released. Also the memory +is not released in ipw_pci_probe(). As a result, memory leakage occurs. +So memory release needs to be added to the error path of ipw_wdev_init(). + +Fixes: a3caa99e6c68 ("libipw: initiate cfg80211 API conversion (v2)") +Signed-off-by: Zhengchao Shao +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221209012422.182669-1-shaozhengchao@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/ipw2x00/ipw2200.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/intel/ipw2x00/ipw2200.c b/drivers/net/wireless/intel/ipw2x00/ipw2200.c +index 43ee0fa3c4ad6..c6f2cc3083aef 100644 +--- a/drivers/net/wireless/intel/ipw2x00/ipw2200.c ++++ b/drivers/net/wireless/intel/ipw2x00/ipw2200.c +@@ -11431,9 +11431,14 @@ static int ipw_wdev_init(struct net_device *dev) + set_wiphy_dev(wdev->wiphy, &priv->pci_dev->dev); + + /* With that information in place, we can now register the wiphy... */ +- if (wiphy_register(wdev->wiphy)) +- rc = -EIO; ++ rc = wiphy_register(wdev->wiphy); ++ if (rc) ++ goto out; ++ ++ return 0; + out: ++ kfree(priv->ieee->a_band.channels); ++ kfree(priv->ieee->bg_band.channels); + return rc; + } + +-- +2.39.2 + diff --git a/queue-4.19/wifi-ipw2x00-don-t-call-dev_kfree_skb-under-spin_loc.patch b/queue-4.19/wifi-ipw2x00-don-t-call-dev_kfree_skb-under-spin_loc.patch new file mode 100644 index 00000000000..9741d258897 --- /dev/null +++ b/queue-4.19/wifi-ipw2x00-don-t-call-dev_kfree_skb-under-spin_loc.patch @@ -0,0 +1,46 @@ +From 27f1bf4656046a1287e11c80eaafa9611e2ac5a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 22:38:26 +0800 +Subject: wifi: ipw2x00: don't call dev_kfree_skb() under spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit 45fc6d7461f18df2f238caf0cbc5acc4163203d1 ] + +It is not allowed to call kfree_skb() or consume_skb() from hardware +interrupt context or with hardware interrupts being disabled. + +It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead. +The difference between them is free reason, dev_kfree_skb_irq() means +the SKB is dropped in error and dev_consume_skb_irq() means the SKB +is consumed in normal. + +In this case, dev_kfree_skb() is called to free and drop the SKB when +it's reset, so replace it with dev_kfree_skb_irq(). Compile tested +only. + +Fixes: 43f66a6ce8da ("Add ipw2200 wireless driver.") +Signed-off-by: Yang Yingliang +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221208143826.2385218-1-yangyingliang@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/ipw2x00/ipw2200.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/ipw2x00/ipw2200.c b/drivers/net/wireless/intel/ipw2x00/ipw2200.c +index 33deaa5cb4e88..43ee0fa3c4ad6 100644 +--- a/drivers/net/wireless/intel/ipw2x00/ipw2200.c ++++ b/drivers/net/wireless/intel/ipw2x00/ipw2200.c +@@ -3459,7 +3459,7 @@ static void ipw_rx_queue_reset(struct ipw_priv *priv, + dma_unmap_single(&priv->pci_dev->dev, + rxq->pool[i].dma_addr, + IPW_RX_BUF_SIZE, DMA_FROM_DEVICE); +- dev_kfree_skb(rxq->pool[i].skb); ++ dev_kfree_skb_irq(rxq->pool[i].skb); + rxq->pool[i].skb = NULL; + } + list_add_tail(&rxq->pool[i].list, &rxq->rx_used); +-- +2.39.2 + diff --git a/queue-4.19/wifi-iwl3945-add-missing-check-for-create_singlethre.patch b/queue-4.19/wifi-iwl3945-add-missing-check-for-create_singlethre.patch new file mode 100644 index 00000000000..6afdb9559c1 --- /dev/null +++ b/queue-4.19/wifi-iwl3945-add-missing-check-for-create_singlethre.patch @@ -0,0 +1,85 @@ +From 5b3b58791c8ca76e0d2cc6d64d98699faa045ea6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Feb 2023 14:30:32 +0800 +Subject: wifi: iwl3945: Add missing check for create_singlethread_workqueue + +From: Jiasheng Jiang + +[ Upstream commit 1fdeb8b9f29dfd64805bb49475ac7566a3cb06cb ] + +Add the check for the return value of the create_singlethread_workqueue +in order to avoid NULL pointer dereference. + +Fixes: b481de9ca074 ("[IWLWIFI]: add iwlwifi wireless drivers") +Signed-off-by: Jiasheng Jiang +Acked-by: Stanislaw Gruszka +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230208063032.42763-2-jiasheng@iscas.ac.cn +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlegacy/3945-mac.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlegacy/3945-mac.c b/drivers/net/wireless/intel/iwlegacy/3945-mac.c +index b536ec20eaccb..d51a23815e186 100644 +--- a/drivers/net/wireless/intel/iwlegacy/3945-mac.c ++++ b/drivers/net/wireless/intel/iwlegacy/3945-mac.c +@@ -3400,10 +3400,12 @@ static DEVICE_ATTR(dump_errors, 0200, NULL, il3945_dump_error_log); + * + *****************************************************************************/ + +-static void ++static int + il3945_setup_deferred_work(struct il_priv *il) + { + il->workqueue = create_singlethread_workqueue(DRV_NAME); ++ if (!il->workqueue) ++ return -ENOMEM; + + init_waitqueue_head(&il->wait_command_queue); + +@@ -3422,6 +3424,8 @@ il3945_setup_deferred_work(struct il_priv *il) + tasklet_init(&il->irq_tasklet, + il3945_irq_tasklet, + (unsigned long)il); ++ ++ return 0; + } + + static void +@@ -3743,7 +3747,10 @@ il3945_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + } + + il_set_rxon_channel(il, &il->bands[NL80211_BAND_2GHZ].channels[5]); +- il3945_setup_deferred_work(il); ++ err = il3945_setup_deferred_work(il); ++ if (err) ++ goto out_remove_sysfs; ++ + il3945_setup_handlers(il); + il_power_initialize(il); + +@@ -3755,7 +3762,7 @@ il3945_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + + err = il3945_setup_mac(il); + if (err) +- goto out_remove_sysfs; ++ goto out_destroy_workqueue; + + err = il_dbgfs_register(il, DRV_NAME); + if (err) +@@ -3767,9 +3774,10 @@ il3945_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + + return 0; + +-out_remove_sysfs: ++out_destroy_workqueue: + destroy_workqueue(il->workqueue); + il->workqueue = NULL; ++out_remove_sysfs: + sysfs_remove_group(&pdev->dev.kobj, &il3945_attribute_group); + out_release_irq: + free_irq(il->pci_dev->irq, il); +-- +2.39.2 + diff --git a/queue-4.19/wifi-iwl4965-add-missing-check-for-create_singlethre.patch b/queue-4.19/wifi-iwl4965-add-missing-check-for-create_singlethre.patch new file mode 100644 index 00000000000..d7fb64088e2 --- /dev/null +++ b/queue-4.19/wifi-iwl4965-add-missing-check-for-create_singlethre.patch @@ -0,0 +1,72 @@ +From 50c6758721ce6468da4f460d58b1a8dcdb65ea57 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Feb 2023 09:07:48 +0800 +Subject: wifi: iwl4965: Add missing check for create_singlethread_workqueue() + +From: Jiasheng Jiang + +[ Upstream commit 26e6775f75517ad6844fe5b79bc5f3fa8c22ee61 ] + +Add the check for the return value of the create_singlethread_workqueue() +in order to avoid NULL pointer dereference. + +Fixes: b481de9ca074 ("[IWLWIFI]: add iwlwifi wireless drivers") +Signed-off-by: Jiasheng Jiang +Acked-by: Stanislaw Gruszka +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230209010748.45454-1-jiasheng@iscas.ac.cn +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlegacy/4965-mac.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlegacy/4965-mac.c b/drivers/net/wireless/intel/iwlegacy/4965-mac.c +index 6fc51c74cdb86..4970c19df582e 100644 +--- a/drivers/net/wireless/intel/iwlegacy/4965-mac.c ++++ b/drivers/net/wireless/intel/iwlegacy/4965-mac.c +@@ -6236,10 +6236,12 @@ il4965_bg_txpower_work(struct work_struct *work) + mutex_unlock(&il->mutex); + } + +-static void ++static int + il4965_setup_deferred_work(struct il_priv *il) + { + il->workqueue = create_singlethread_workqueue(DRV_NAME); ++ if (!il->workqueue) ++ return -ENOMEM; + + init_waitqueue_head(&il->wait_command_queue); + +@@ -6260,6 +6262,8 @@ il4965_setup_deferred_work(struct il_priv *il) + tasklet_init(&il->irq_tasklet, + il4965_irq_tasklet, + (unsigned long)il); ++ ++ return 0; + } + + static void +@@ -6649,7 +6653,10 @@ il4965_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + goto out_disable_msi; + } + +- il4965_setup_deferred_work(il); ++ err = il4965_setup_deferred_work(il); ++ if (err) ++ goto out_free_irq; ++ + il4965_setup_handlers(il); + + /********************************************* +@@ -6687,6 +6694,7 @@ il4965_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + out_destroy_workqueue: + destroy_workqueue(il->workqueue); + il->workqueue = NULL; ++out_free_irq: + free_irq(il->pci_dev->irq, il); + out_disable_msi: + pci_disable_msi(il->pci_dev); +-- +2.39.2 + diff --git a/queue-4.19/wifi-libertas-cmdresp-don-t-call-kfree_skb-under-spi.patch b/queue-4.19/wifi-libertas-cmdresp-don-t-call-kfree_skb-under-spi.patch new file mode 100644 index 00000000000..8c4e71df77a --- /dev/null +++ b/queue-4.19/wifi-libertas-cmdresp-don-t-call-kfree_skb-under-spi.patch @@ -0,0 +1,40 @@ +From b9adb0eee9161f7d2fd4633a48927edb2cc75cfb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 23:00:08 +0800 +Subject: wifi: libertas: cmdresp: don't call kfree_skb() under + spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit 708a49a64237f19bd404852f297aaadbc9e7fee0 ] + +It is not allowed to call kfree_skb() from hardware interrupt +context or with interrupts being disabled. So replace kfree_skb() +with dev_kfree_skb_irq() under spin_lock_irqsave(). Compile +tested only. + +Fixes: f52b041aed77 ("libertas: Add spinlock to avoid race condition") +Signed-off-by: Yang Yingliang +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221207150008.111743-5-yangyingliang@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/libertas/cmdresp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/marvell/libertas/cmdresp.c b/drivers/net/wireless/marvell/libertas/cmdresp.c +index b73d083813985..5908f07d62ed7 100644 +--- a/drivers/net/wireless/marvell/libertas/cmdresp.c ++++ b/drivers/net/wireless/marvell/libertas/cmdresp.c +@@ -48,7 +48,7 @@ void lbs_mac_event_disconnected(struct lbs_private *priv, + + /* Free Tx and Rx packets */ + spin_lock_irqsave(&priv->driver_lock, flags); +- kfree_skb(priv->currenttxskb); ++ dev_kfree_skb_irq(priv->currenttxskb); + priv->currenttxskb = NULL; + priv->tx_pending_len = 0; + spin_unlock_irqrestore(&priv->driver_lock, flags); +-- +2.39.2 + diff --git a/queue-4.19/wifi-libertas-fix-memory-leak-in-lbs_init_adapter.patch b/queue-4.19/wifi-libertas-fix-memory-leak-in-lbs_init_adapter.patch new file mode 100644 index 00000000000..2ad5d18d551 --- /dev/null +++ b/queue-4.19/wifi-libertas-fix-memory-leak-in-lbs_init_adapter.patch @@ -0,0 +1,37 @@ +From 412161fe30c30362c50c338c3dea18c1b4db95bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 20:14:48 +0800 +Subject: wifi: libertas: fix memory leak in lbs_init_adapter() + +From: Zhengchao Shao + +[ Upstream commit 16a03958618fb91bb1bc7077cf3211055162cc2f ] + +When kfifo_alloc() failed in lbs_init_adapter(), cmd buffer is not +released. Add free memory to processing error path. + +Fixes: 7919b89c8276 ("libertas: convert libertas driver to use an event/cmdresp queue") +Signed-off-by: Zhengchao Shao +Reviewed-by: Jiri Pirko +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221208121448.2845986-1-shaozhengchao@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/libertas/main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/marvell/libertas/main.c b/drivers/net/wireless/marvell/libertas/main.c +index f22e1c220cba1..41e37c17d9c28 100644 +--- a/drivers/net/wireless/marvell/libertas/main.c ++++ b/drivers/net/wireless/marvell/libertas/main.c +@@ -869,6 +869,7 @@ static int lbs_init_adapter(struct lbs_private *priv) + ret = kfifo_alloc(&priv->event_fifo, sizeof(u32) * 16, GFP_KERNEL); + if (ret) { + pr_err("Out of memory allocating event FIFO buffer\n"); ++ lbs_free_cmd_buffer(priv); + goto out; + } + +-- +2.39.2 + diff --git a/queue-4.19/wifi-libertas-if_usb-don-t-call-kfree_skb-under-spin.patch b/queue-4.19/wifi-libertas-if_usb-don-t-call-kfree_skb-under-spin.patch new file mode 100644 index 00000000000..2f41781c646 --- /dev/null +++ b/queue-4.19/wifi-libertas-if_usb-don-t-call-kfree_skb-under-spin.patch @@ -0,0 +1,40 @@ +From 42e949d3167c8323bc652fd1a39daa167f8e0f4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 23:00:06 +0800 +Subject: wifi: libertas: if_usb: don't call kfree_skb() under + spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit 3968e81ba644f10a7d45bae2539560db9edac501 ] + +It is not allowed to call kfree_skb() from hardware interrupt +context or with interrupts being disabled. So replace kfree_skb() +with dev_kfree_skb_irq() under spin_lock_irqsave(). Compile +tested only. + +Fixes: a3128feef6d5 ("libertas: use irqsave() in USB's complete callback") +Signed-off-by: Yang Yingliang +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221207150008.111743-3-yangyingliang@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/libertas/if_usb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/marvell/libertas/if_usb.c b/drivers/net/wireless/marvell/libertas/if_usb.c +index d75763410cdc1..885abbd665e6e 100644 +--- a/drivers/net/wireless/marvell/libertas/if_usb.c ++++ b/drivers/net/wireless/marvell/libertas/if_usb.c +@@ -633,7 +633,7 @@ static inline void process_cmdrequest(int recvlength, uint8_t *recvbuff, + priv->resp_len[i] = (recvlength - MESSAGE_HEADER_LEN); + memcpy(priv->resp_buf[i], recvbuff + MESSAGE_HEADER_LEN, + priv->resp_len[i]); +- kfree_skb(skb); ++ dev_kfree_skb_irq(skb); + lbs_notify_command_response(priv, i); + + spin_unlock_irqrestore(&priv->driver_lock, flags); +-- +2.39.2 + diff --git a/queue-4.19/wifi-libertas-main-don-t-call-kfree_skb-under-spin_l.patch b/queue-4.19/wifi-libertas-main-don-t-call-kfree_skb-under-spin_l.patch new file mode 100644 index 00000000000..926f3e12292 --- /dev/null +++ b/queue-4.19/wifi-libertas-main-don-t-call-kfree_skb-under-spin_l.patch @@ -0,0 +1,40 @@ +From f7fb0fe7de175502f8155144ebca6e8e89c0ab7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 23:00:07 +0800 +Subject: wifi: libertas: main: don't call kfree_skb() under + spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit f393df151540bf858effbd29ff572ab94e76a4c4 ] + +It is not allowed to call kfree_skb() from hardware interrupt +context or with interrupts being disabled. So replace kfree_skb() +with dev_kfree_skb_irq() under spin_lock_irqsave(). Compile +tested only. + +Fixes: d2e7b3425c47 ("libertas: disable functionality when interface is down") +Signed-off-by: Yang Yingliang +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221207150008.111743-4-yangyingliang@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/libertas/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/marvell/libertas/main.c b/drivers/net/wireless/marvell/libertas/main.c +index 41e37c17d9c28..997c246b971e7 100644 +--- a/drivers/net/wireless/marvell/libertas/main.c ++++ b/drivers/net/wireless/marvell/libertas/main.c +@@ -216,7 +216,7 @@ int lbs_stop_iface(struct lbs_private *priv) + + spin_lock_irqsave(&priv->driver_lock, flags); + priv->iface_running = false; +- kfree_skb(priv->currenttxskb); ++ dev_kfree_skb_irq(priv->currenttxskb); + priv->currenttxskb = NULL; + priv->tx_pending_len = 0; + spin_unlock_irqrestore(&priv->driver_lock, flags); +-- +2.39.2 + diff --git a/queue-4.19/wifi-libertas_tf-don-t-call-kfree_skb-under-spin_loc.patch b/queue-4.19/wifi-libertas_tf-don-t-call-kfree_skb-under-spin_loc.patch new file mode 100644 index 00000000000..43cc75d7a4a --- /dev/null +++ b/queue-4.19/wifi-libertas_tf-don-t-call-kfree_skb-under-spin_loc.patch @@ -0,0 +1,39 @@ +From 3b0e6e2bf886b79beb3d476808f99fdcc1af7585 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 23:00:05 +0800 +Subject: wifi: libertas_tf: don't call kfree_skb() under spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit 9388ce97b98216833c969191ee6df61a7201d797 ] + +It is not allowed to call kfree_skb() from hardware interrupt +context or with interrupts being disabled. So replace kfree_skb() +with dev_kfree_skb_irq() under spin_lock_irqsave(). Compile +tested only. + +Fixes: fc75122fabb5 ("libertas_tf: use irqsave() in USB's complete callback") +Signed-off-by: Yang Yingliang +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221207150008.111743-2-yangyingliang@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/libertas_tf/if_usb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/marvell/libertas_tf/if_usb.c b/drivers/net/wireless/marvell/libertas_tf/if_usb.c +index 60941c319b421..5e7edc0309751 100644 +--- a/drivers/net/wireless/marvell/libertas_tf/if_usb.c ++++ b/drivers/net/wireless/marvell/libertas_tf/if_usb.c +@@ -616,7 +616,7 @@ static inline void process_cmdrequest(int recvlength, uint8_t *recvbuff, + spin_lock_irqsave(&priv->driver_lock, flags); + memcpy(priv->cmd_resp_buff, recvbuff + MESSAGE_HEADER_LEN, + recvlength - MESSAGE_HEADER_LEN); +- kfree_skb(skb); ++ dev_kfree_skb_irq(skb); + lbtf_cmd_response_rx(priv); + spin_unlock_irqrestore(&priv->driver_lock, flags); + } +-- +2.39.2 + diff --git a/queue-4.19/wifi-mac80211-make-rate-u32-in-sta_set_rate_info_rx.patch b/queue-4.19/wifi-mac80211-make-rate-u32-in-sta_set_rate_info_rx.patch new file mode 100644 index 00000000000..ca2e51b191e --- /dev/null +++ b/queue-4.19/wifi-mac80211-make-rate-u32-in-sta_set_rate_info_rx.patch @@ -0,0 +1,38 @@ +From aca55f47b9cdd1f3f4b4f0aa2cb484657f3f34ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Feb 2023 19:06:59 +0800 +Subject: wifi: mac80211: make rate u32 in sta_set_rate_info_rx() + +From: Shayne Chen + +[ Upstream commit 59336e07b287d91dc4ec265e07724e8f7e3d0209 ] + +The value of last_rate in ieee80211_sta_rx_stats is degraded from u32 to +u16 after being assigned to rate variable, which causes information loss +in STA_STATS_FIELD_TYPE and later bitfields. + +Signed-off-by: Shayne Chen +Link: https://lore.kernel.org/r/20230209110659.25447-1-shayne.chen@mediatek.com +Fixes: 41cbb0f5a295 ("mac80211: add support for HE") +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/sta_info.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c +index 3a907ba7f7634..5e28be07cad88 100644 +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -2047,7 +2047,7 @@ static void sta_stats_decode_rate(struct ieee80211_local *local, u32 rate, + + static int sta_set_rate_info_rx(struct sta_info *sta, struct rate_info *rinfo) + { +- u16 rate = READ_ONCE(sta_get_last_rx_stats(sta)->last_rate); ++ u32 rate = READ_ONCE(sta_get_last_rx_stats(sta)->last_rate); + + if (rate == STA_STATS_RATE_INVALID) + return -EINVAL; +-- +2.39.2 + diff --git a/queue-4.19/wifi-mwifiex-fix-loop-iterator-in-mwifiex_update_amp.patch b/queue-4.19/wifi-mwifiex-fix-loop-iterator-in-mwifiex_update_amp.patch new file mode 100644 index 00000000000..c52f609ae55 --- /dev/null +++ b/queue-4.19/wifi-mwifiex-fix-loop-iterator-in-mwifiex_update_amp.patch @@ -0,0 +1,48 @@ +From ccc49bba0791f430263cfb24cbb0c69ec2b21c04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Feb 2023 17:41:33 +0300 +Subject: wifi: mwifiex: fix loop iterator in mwifiex_update_ampdu_txwinsize() + +From: Dan Carpenter + +[ Upstream commit 3cfb7df24cee0f5fdc4cc5d3176cab9aadfcb430 ] + +This code re-uses "i" to be the iterator for both the inside and outside +loops. It means the outside loop will exit earlier than intended. + +Fixes: d219b7eb3792 ("mwifiex: handle BT coex event to adjust Rx BA window size") +Signed-off-by: Dan Carpenter +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/Y+ERnaDaZD7RtLvX@kili +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/11n.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/11n.c b/drivers/net/wireless/marvell/mwifiex/11n.c +index 5dcc305cc8127..452ac56cdc923 100644 +--- a/drivers/net/wireless/marvell/mwifiex/11n.c ++++ b/drivers/net/wireless/marvell/mwifiex/11n.c +@@ -901,7 +901,7 @@ mwifiex_send_delba_txbastream_tbl(struct mwifiex_private *priv, u8 tid) + */ + void mwifiex_update_ampdu_txwinsize(struct mwifiex_adapter *adapter) + { +- u8 i; ++ u8 i, j; + u32 tx_win_size; + struct mwifiex_private *priv; + +@@ -932,8 +932,8 @@ void mwifiex_update_ampdu_txwinsize(struct mwifiex_adapter *adapter) + if (tx_win_size != priv->add_ba_param.tx_win_size) { + if (!priv->media_connected) + continue; +- for (i = 0; i < MAX_NUM_TID; i++) +- mwifiex_send_delba_txbastream_tbl(priv, i); ++ for (j = 0; j < MAX_NUM_TID; j++) ++ mwifiex_send_delba_txbastream_tbl(priv, j); + } + } + } +-- +2.39.2 + diff --git a/queue-4.19/wifi-orinoco-check-return-value-of-hermes_write_word.patch b/queue-4.19/wifi-orinoco-check-return-value-of-hermes_write_word.patch new file mode 100644 index 00000000000..2f46de11cd1 --- /dev/null +++ b/queue-4.19/wifi-orinoco-check-return-value-of-hermes_write_word.patch @@ -0,0 +1,43 @@ +From 58e8286def746f7d2bfbf4f745624f21eb92534b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Dec 2022 16:33:06 +0300 +Subject: wifi: orinoco: check return value of hermes_write_wordrec() + +From: Alexey Kodanev + +[ Upstream commit 1e346cbb096a5351a637ec1992beffbf330547f0 ] + +There is currently no return check for writing an authentication +type (HERMES_AUTH_SHARED_KEY or HERMES_AUTH_OPEN). It looks like +it was accidentally skipped. + +This patch adds a return check similar to the other checks in +__orinoco_hw_setup_enc() for hermes_write_wordrec(). + +Detected using the static analysis tool - Svace. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Alexey Kodanev +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221227133306.201356-1-aleksei.kodanev@bell-sw.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intersil/orinoco/hw.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/intersil/orinoco/hw.c b/drivers/net/wireless/intersil/orinoco/hw.c +index 61af5a28f269f..af49aa421e47f 100644 +--- a/drivers/net/wireless/intersil/orinoco/hw.c ++++ b/drivers/net/wireless/intersil/orinoco/hw.c +@@ -931,6 +931,8 @@ int __orinoco_hw_setup_enc(struct orinoco_private *priv) + err = hermes_write_wordrec(hw, USER_BAP, + HERMES_RID_CNFAUTHENTICATION_AGERE, + auth_flag); ++ if (err) ++ return err; + } + err = hermes_write_wordrec(hw, USER_BAP, + HERMES_RID_CNFWEPENABLED_AGERE, +-- +2.39.2 + diff --git a/queue-4.19/wifi-rsi-fix-memory-leak-in-rsi_coex_attach.patch b/queue-4.19/wifi-rsi-fix-memory-leak-in-rsi_coex_attach.patch new file mode 100644 index 00000000000..9b410704380 --- /dev/null +++ b/queue-4.19/wifi-rsi-fix-memory-leak-in-rsi_coex_attach.patch @@ -0,0 +1,37 @@ +From 865b967d963a2e7d6d89aa9926e9b18ceb90a670 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Dec 2022 06:14:41 +0000 +Subject: wifi: rsi: Fix memory leak in rsi_coex_attach() + +From: Yuan Can + +[ Upstream commit 956fb851a6e19da5ab491e19c1bc323bb2c2cf6f ] + +The coex_cb needs to be freed when rsi_create_kthread() failed in +rsi_coex_attach(). + +Fixes: 2108df3c4b18 ("rsi: add coex support") +Signed-off-by: Yuan Can +Reviewed-by: Simon Horman +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221205061441.114632-1-yuancan@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/rsi/rsi_91x_coex.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/rsi/rsi_91x_coex.c b/drivers/net/wireless/rsi/rsi_91x_coex.c +index c8ba148f8c6cf..acf4d8cb4b479 100644 +--- a/drivers/net/wireless/rsi/rsi_91x_coex.c ++++ b/drivers/net/wireless/rsi/rsi_91x_coex.c +@@ -160,6 +160,7 @@ int rsi_coex_attach(struct rsi_common *common) + rsi_coex_scheduler_thread, + "Coex-Tx-Thread")) { + rsi_dbg(ERR_ZONE, "%s: Unable to init tx thrd\n", __func__); ++ kfree(coex_cb); + return -EINVAL; + } + return 0; +-- +2.39.2 + diff --git a/queue-4.19/wifi-rtl8xxxu-don-t-call-dev_kfree_skb-under-spin_lo.patch b/queue-4.19/wifi-rtl8xxxu-don-t-call-dev_kfree_skb-under-spin_lo.patch new file mode 100644 index 00000000000..cf4d212ea2a --- /dev/null +++ b/queue-4.19/wifi-rtl8xxxu-don-t-call-dev_kfree_skb-under-spin_lo.patch @@ -0,0 +1,47 @@ +From 018e77281dbca4b730dd54d6c1704d4b63e61d99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 22:35:17 +0800 +Subject: wifi: rtl8xxxu: don't call dev_kfree_skb() under spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit 4c2005ac87685907b3719b4f40215b578efd27c4 ] + +It is not allowed to call kfree_skb() or consume_skb() from hardware +interrupt context or with hardware interrupts being disabled. + +It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead. +The difference between them is free reason, dev_kfree_skb_irq() means +the SKB is dropped in error and dev_consume_skb_irq() means the SKB +is consumed in normal. + +In this case, dev_kfree_skb() is called to free and drop the SKB when +it's shutdown, so replace it with dev_kfree_skb_irq(). Compile tested +only. + +Fixes: 26f1fad29ad9 ("New driver: rtl8xxxu (mac80211)") +Signed-off-by: Yang Yingliang +Reviewed-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221208143517.2383424-1-yangyingliang@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +index e5aac9694ade2..9cdc8bc41c11a 100644 +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +@@ -5101,7 +5101,7 @@ static void rtl8xxxu_queue_rx_urb(struct rtl8xxxu_priv *priv, + pending = priv->rx_urb_pending_count; + } else { + skb = (struct sk_buff *)rx_urb->urb.context; +- dev_kfree_skb(skb); ++ dev_kfree_skb_irq(skb); + usb_free_urb(&rx_urb->urb); + } + +-- +2.39.2 + diff --git a/queue-4.19/wifi-rtlwifi-fix-global-out-of-bounds-bug-in-_rtl881.patch b/queue-4.19/wifi-rtlwifi-fix-global-out-of-bounds-bug-in-_rtl881.patch new file mode 100644 index 00000000000..5daab4aedf1 --- /dev/null +++ b/queue-4.19/wifi-rtlwifi-fix-global-out-of-bounds-bug-in-_rtl881.patch @@ -0,0 +1,158 @@ +From b199649bb90b6f2261d838d06be47f8fd4adf6a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Dec 2022 10:58:12 +0800 +Subject: wifi: rtlwifi: Fix global-out-of-bounds bug in + _rtl8812ae_phy_set_txpower_limit() + +From: Li Zetao + +[ Upstream commit 117dbeda22ec5ea0918254d03b540ef8b8a64d53 ] + +There is a global-out-of-bounds reported by KASAN: + + BUG: KASAN: global-out-of-bounds in + _rtl8812ae_eq_n_byte.part.0+0x3d/0x84 [rtl8821ae] + Read of size 1 at addr ffffffffa0773c43 by task NetworkManager/411 + + CPU: 6 PID: 411 Comm: NetworkManager Tainted: G D + 6.1.0-rc8+ #144 e15588508517267d37 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), + Call Trace: + + ... + kasan_report+0xbb/0x1c0 + _rtl8812ae_eq_n_byte.part.0+0x3d/0x84 [rtl8821ae] + rtl8821ae_phy_bb_config.cold+0x346/0x641 [rtl8821ae] + rtl8821ae_hw_init+0x1f5e/0x79b0 [rtl8821ae] + ... + + +The root cause of the problem is that the comparison order of +"prate_section" in _rtl8812ae_phy_set_txpower_limit() is wrong. The +_rtl8812ae_eq_n_byte() is used to compare the first n bytes of the two +strings from tail to head, which causes the problem. In the +_rtl8812ae_phy_set_txpower_limit(), it was originally intended to meet +this requirement by carefully designing the comparison order. +For example, "pregulation" and "pbandwidth" are compared in order of +length from small to large, first is 3 and last is 4. However, the +comparison order of "prate_section" dose not obey such order requirement, +therefore when "prate_section" is "HT", when comparing from tail to head, +it will lead to access out of bounds in _rtl8812ae_eq_n_byte(). As +mentioned above, the _rtl8812ae_eq_n_byte() has the same function as +strcmp(), so just strcmp() is enough. + +Fix it by removing _rtl8812ae_eq_n_byte() and use strcmp() barely. +Although it can be fixed by adjusting the comparison order of +"prate_section", this may cause the value of "rate_section" to not be +from 0 to 5. In addition, commit "21e4b0726dc6" not only moved driver +from staging to regular tree, but also added setting txpower limit +function during the driver config phase, so the problem was introduced +by this commit. + +Fixes: 21e4b0726dc6 ("rtlwifi: rtl8821ae: Move driver from staging to regular tree") +Signed-off-by: Li Zetao +Acked-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221212025812.1541311-1-lizetao1@huawei.com +Signed-off-by: Sasha Levin +--- + .../wireless/realtek/rtlwifi/rtl8821ae/phy.c | 52 +++++++------------ + 1 file changed, 20 insertions(+), 32 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c +index c805ad1bba2e0..502ac10cf251b 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c +@@ -1626,18 +1626,6 @@ static bool _rtl8812ae_get_integer_from_string(const char *str, u8 *pint) + return true; + } + +-static bool _rtl8812ae_eq_n_byte(const char *str1, const char *str2, u32 num) +-{ +- if (num == 0) +- return false; +- while (num > 0) { +- num--; +- if (str1[num] != str2[num]) +- return false; +- } +- return true; +-} +- + static s8 _rtl8812ae_phy_get_chnl_idx_of_txpwr_lmt(struct ieee80211_hw *hw, + u8 band, u8 channel) + { +@@ -1687,42 +1675,42 @@ static void _rtl8812ae_phy_set_txpower_limit(struct ieee80211_hw *hw, + power_limit = power_limit > MAX_POWER_INDEX ? + MAX_POWER_INDEX : power_limit; + +- if (_rtl8812ae_eq_n_byte(pregulation, "FCC", 3)) ++ if (strcmp(pregulation, "FCC") == 0) + regulation = 0; +- else if (_rtl8812ae_eq_n_byte(pregulation, "MKK", 3)) ++ else if (strcmp(pregulation, "MKK") == 0) + regulation = 1; +- else if (_rtl8812ae_eq_n_byte(pregulation, "ETSI", 4)) ++ else if (strcmp(pregulation, "ETSI") == 0) + regulation = 2; +- else if (_rtl8812ae_eq_n_byte(pregulation, "WW13", 4)) ++ else if (strcmp(pregulation, "WW13") == 0) + regulation = 3; + +- if (_rtl8812ae_eq_n_byte(prate_section, "CCK", 3)) ++ if (strcmp(prate_section, "CCK") == 0) + rate_section = 0; +- else if (_rtl8812ae_eq_n_byte(prate_section, "OFDM", 4)) ++ else if (strcmp(prate_section, "OFDM") == 0) + rate_section = 1; +- else if (_rtl8812ae_eq_n_byte(prate_section, "HT", 2) && +- _rtl8812ae_eq_n_byte(prf_path, "1T", 2)) ++ else if (strcmp(prate_section, "HT") == 0 && ++ strcmp(prf_path, "1T") == 0) + rate_section = 2; +- else if (_rtl8812ae_eq_n_byte(prate_section, "HT", 2) && +- _rtl8812ae_eq_n_byte(prf_path, "2T", 2)) ++ else if (strcmp(prate_section, "HT") == 0 && ++ strcmp(prf_path, "2T") == 0) + rate_section = 3; +- else if (_rtl8812ae_eq_n_byte(prate_section, "VHT", 3) && +- _rtl8812ae_eq_n_byte(prf_path, "1T", 2)) ++ else if (strcmp(prate_section, "VHT") == 0 && ++ strcmp(prf_path, "1T") == 0) + rate_section = 4; +- else if (_rtl8812ae_eq_n_byte(prate_section, "VHT", 3) && +- _rtl8812ae_eq_n_byte(prf_path, "2T", 2)) ++ else if (strcmp(prate_section, "VHT") == 0 && ++ strcmp(prf_path, "2T") == 0) + rate_section = 5; + +- if (_rtl8812ae_eq_n_byte(pbandwidth, "20M", 3)) ++ if (strcmp(pbandwidth, "20M") == 0) + bandwidth = 0; +- else if (_rtl8812ae_eq_n_byte(pbandwidth, "40M", 3)) ++ else if (strcmp(pbandwidth, "40M") == 0) + bandwidth = 1; +- else if (_rtl8812ae_eq_n_byte(pbandwidth, "80M", 3)) ++ else if (strcmp(pbandwidth, "80M") == 0) + bandwidth = 2; +- else if (_rtl8812ae_eq_n_byte(pbandwidth, "160M", 4)) ++ else if (strcmp(pbandwidth, "160M") == 0) + bandwidth = 3; + +- if (_rtl8812ae_eq_n_byte(pband, "2.4G", 4)) { ++ if (strcmp(pband, "2.4G") == 0) { + ret = _rtl8812ae_phy_get_chnl_idx_of_txpwr_lmt(hw, + BAND_ON_2_4G, + channel); +@@ -1746,7 +1734,7 @@ static void _rtl8812ae_phy_set_txpower_limit(struct ieee80211_hw *hw, + regulation, bandwidth, rate_section, channel_index, + rtlphy->txpwr_limit_2_4g[regulation][bandwidth] + [rate_section][channel_index][RF90_PATH_A]); +- } else if (_rtl8812ae_eq_n_byte(pband, "5G", 2)) { ++ } else if (strcmp(pband, "5G") == 0) { + ret = _rtl8812ae_phy_get_chnl_idx_of_txpwr_lmt(hw, + BAND_ON_5G, + channel); +-- +2.39.2 + diff --git a/queue-4.19/wifi-wl3501_cs-don-t-call-kfree_skb-under-spin_lock_.patch b/queue-4.19/wifi-wl3501_cs-don-t-call-kfree_skb-under-spin_lock_.patch new file mode 100644 index 00000000000..519c3a0d9f1 --- /dev/null +++ b/queue-4.19/wifi-wl3501_cs-don-t-call-kfree_skb-under-spin_lock_.patch @@ -0,0 +1,39 @@ +From 6ea8d195e5b0b1ff90913cf08096aed0e16236e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 23:04:53 +0800 +Subject: wifi: wl3501_cs: don't call kfree_skb() under spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit 44bacbdf9066c590423259dbd6d520baac99c1a8 ] + +It is not allowed to call kfree_skb() from hardware interrupt +context or with interrupts being disabled. So replace kfree_skb() +with dev_kfree_skb_irq() under spin_lock_irqsave(). Compile +tested only. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Yang Yingliang +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221207150453.114742-1-yangyingliang@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/wl3501_cs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c +index f33ece9370473..cfde9b94b4b60 100644 +--- a/drivers/net/wireless/wl3501_cs.c ++++ b/drivers/net/wireless/wl3501_cs.c +@@ -1329,7 +1329,7 @@ static netdev_tx_t wl3501_hard_start_xmit(struct sk_buff *skb, + } else { + ++dev->stats.tx_packets; + dev->stats.tx_bytes += skb->len; +- kfree_skb(skb); ++ dev_kfree_skb_irq(skb); + + if (this->tx_buffer_cnt < 2) + netif_stop_queue(dev); +-- +2.39.2 + diff --git a/queue-4.19/x86-bugs-reset-speculation-control-settings-on-init.patch b/queue-4.19/x86-bugs-reset-speculation-control-settings-on-init.patch new file mode 100644 index 00000000000..89936a40abe --- /dev/null +++ b/queue-4.19/x86-bugs-reset-speculation-control-settings-on-init.patch @@ -0,0 +1,75 @@ +From 93f2c3eb405b41eefadde2d04e94bdfc383bd4d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Nov 2022 07:31:48 -0800 +Subject: x86/bugs: Reset speculation control settings on init + +From: Breno Leitao + +[ Upstream commit 0125acda7d76b943ca55811df40ed6ec0ecf670f ] + +Currently, x86_spec_ctrl_base is read at boot time and speculative bits +are set if Kconfig items are enabled. For example, IBRS is enabled if +CONFIG_CPU_IBRS_ENTRY is configured, etc. These MSR bits are not cleared +if the mitigations are disabled. + +This is a problem when kexec-ing a kernel that has the mitigation +disabled from a kernel that has the mitigation enabled. In this case, +the MSR bits are not cleared during the new kernel boot. As a result, +this might have some performance degradation that is hard to pinpoint. + +This problem does not happen if the machine is (hard) rebooted because +the bit will be cleared by default. + + [ bp: Massage. ] + +Suggested-by: Pawan Gupta +Signed-off-by: Breno Leitao +Signed-off-by: Borislav Petkov (AMD) +Link: https://lore.kernel.org/r/20221128153148.1129350-1-leitao@debian.org +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/msr-index.h | 4 ++++ + arch/x86/kernel/cpu/bugs.c | 10 +++++++++- + 2 files changed, 13 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h +index 0bd07699dba38..847f3f5820d21 100644 +--- a/arch/x86/include/asm/msr-index.h ++++ b/arch/x86/include/asm/msr-index.h +@@ -50,6 +50,10 @@ + #define SPEC_CTRL_RRSBA_DIS_S_SHIFT 6 /* Disable RRSBA behavior */ + #define SPEC_CTRL_RRSBA_DIS_S BIT(SPEC_CTRL_RRSBA_DIS_S_SHIFT) + ++/* A mask for bits which the kernel toggles when controlling mitigations */ ++#define SPEC_CTRL_MITIGATIONS_MASK (SPEC_CTRL_IBRS | SPEC_CTRL_STIBP | SPEC_CTRL_SSBD \ ++ | SPEC_CTRL_RRSBA_DIS_S) ++ + #define MSR_IA32_PRED_CMD 0x00000049 /* Prediction Command */ + #define PRED_CMD_IBPB BIT(0) /* Indirect Branch Prediction Barrier */ + +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c +index e298ec9d5d536..54f42ae1a61d9 100644 +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -135,9 +135,17 @@ void __init check_bugs(void) + * have unknown values. AMD64_LS_CFG MSR is cached in the early AMD + * init code as it is not enumerated and depends on the family. + */ +- if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) ++ if (cpu_feature_enabled(X86_FEATURE_MSR_SPEC_CTRL)) { + rdmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); + ++ /* ++ * Previously running kernel (kexec), may have some controls ++ * turned ON. Clear them and let the mitigations setup below ++ * rediscover them based on configuration. ++ */ ++ x86_spec_ctrl_base &= ~SPEC_CTRL_MITIGATIONS_MASK; ++ } ++ + /* Select the proper CPU mitigations before patching alternatives: */ + spectre_v1_select_mitigation(); + spectre_v2_select_mitigation(); +-- +2.39.2 + -- 2.47.3