From b685cdce892b8d619d4f21108b534822daa72e67 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 16 Aug 2020 09:50:48 -0400 Subject: [PATCH] Fixes for 4.9 Signed-off-by: Sasha Levin --- ...crement-operation_region-reference-c.patch | 81 ++++++++++ ...memory-leak-on-module-initialisation.patch | 43 ++++++ ...missing-put_device-call-in-at91_pm_s.patch | 64 ++++++++ ...dd-missing-put_device-call-in-socfpg.patch | 64 ++++++++ ...-fix-silent-hang-after-boot-on-espre.patch | 37 +++++ ...sm8916-replace-invalid-bias-pull-non.patch | 81 ++++++++++ ...-block-seq-numbers-comparision-in-re.patch | 79 ++++++++++ ...ing-crash-after-multiple-disconnects.patch | 92 +++++++++++ ...mutex-lock-to-avoid-uaf-in-do_enale_.patch | 142 +++++++++++++++++ ...-to-fix-bss-info-flag-definition-bug.patch | 39 +++++ ...con-fix-an-issue-about-leak-related-.patch | 91 +++++++++++ queue-4.9/cxl-fix-kobject-memleak.patch | 44 ++++++ queue-4.9/dlm-fix-kobject-memleak.patch | 52 +++++++ ...plain-echo-to-connector-force-attrib.patch | 51 +++++++ ...tve-fix-regulator_disable-error-path.patch | 70 +++++++++ ...-write-for-mipi_dsi_dcs_set_tear_sca.patch | 50 ++++++ ...multiple-instances-of-reference-coun.patch | 68 +++++++++ ...simple-fix-bpc-for-lg-lb070wv8-panel.patch | 37 +++++ ...rray-out-of-bounds-read-and-write-is.patch | 39 +++++ ...eference-count-leaks-caused-by-pm_ru.patch | 74 +++++++++ ...eak-null-ref-in-panel_connector_get_.patch | 51 +++++++ ...ix-a-bug_on-in-ddebug_describe_flags.patch | 101 +++++++++++++ .../edac-fix-reference-count-leaks.patch | 59 ++++++++ ...d_resched-for-try_release_extent_map.patch | 62 ++++++++ ...man-check-dereferencing-null-pointer.patch | 72 +++++++++ ...an-fix-dereference-null-return-value.patch | 50 ++++++ ...l-fman-fix-eth-hash-table-allocation.patch | 38 +++++ queue-4.9/fsl-fman-fix-unreachable-code.patch | 35 +++++ ...fsl-fman-use-32-bit-unsigned-integer.patch | 41 +++++ ...concentration-channel-type-descripti.patch | 43 ++++++ ...he-return-value-of-pcie_capability_r.patch | 45 ++++++ ...sh-scheduled-work-for-system-suspend.patch | 42 +++++ ...lm355x-avoid-enum-conversion-warning.patch | 60 ++++++++ ...end-iop-message-until-channel-is-idl.patch | 70 +++++++++ ...x-iop-status-control-register-writes.patch | 79 ++++++++++ ...x-wild-pointer-of-unlock_all_bitmaps.patch | 72 +++++++++ ...-add-missed-check-for-pinctrl_lookup.patch | 38 +++++ ...sing-uninitialized-values-in-node_pr.patch | 40 +++++ ...dd-missed-v4l2_ctrl_handler_free-for.patch | 49 ++++++ ...ond_resched-for-exit_mmap-cpu-stalls.patch | 83 ++++++++++ ...vent-memory-corruption-handling-keys.patch | 82 ++++++++++ ...ix-the-size-used-in-a-dma_free_coher.patch | 39 +++++ ...-add-missing-newline-in-sysfs-policy.patch | 40 +++++ ...x-pci_cfg_wait-queue-locking-problem.patch | 72 +++++++++ ...e-fix-pcs_parse_pinconf-return-value.patch | 143 ++++++++++++++++++ ...el-hid-fix-return-value-check-in-che.patch | 38 +++++ ...el-vbtn-fix-return-value-check-in-ch.patch | 38 +++++ ...ck-if-calc_soc-succeeded-in-pm860x_i.patch | 58 +++++++ ...powerpc-vdso-fix-vdso-cpu-truncation.patch | 45 ++++++ ...n-t-process-empty-bridge-port-events.patch | 40 +++++ ...x-different-dev_id-between-request_i.patch | 39 +++++ ...ifferent-dev_id-between-request_irq-.patch | 38 +++++ ...sh-fix-panic-after-host-or-bus-reset.patch | 109 +++++++++++++ ...x-different-dev_id-between-request_i.patch | 38 +++++ ...add-check-for-sdebug_max_queue-durin.patch | 92 +++++++++++ ...c-fix-cpu-affinity-for-child-process.patch | 82 ++++++++++ ...sts-powerpc-fix-online-cpu-selection.patch | 93 ++++++++++++ queue-4.9/series | 68 +++++++++ ...ck-fix-another-vsscanf-out-of-bounds.patch | 39 +++++ ...k-prevent-underflow-in-smk_set_cipso.patch | 36 +++++ ...-fix-a-dubious-looking-mask-before-a.patch | 42 +++++ ...ix-error-path-in-gadget-registration.patch | 97 ++++++++++++ ...80-fix-memory-leak-on-probe-error-ha.patch | 42 +++++ ...iuu_phoenix-fix-led-activity-helpers.patch | 70 +++++++++ ...b-fix-memory-leak-in-neo_scan_monito.patch | 46 ++++++ ...2fb-fix-an-issue-about-iounmap-for-a.patch | 42 +++++ ...the-function-used-to-balance-a-dma_a.patch | 49 ++++++ .../wl1251-fix-always-return-0-error.patch | 38 +++++ ...k-quota-reservation-accounting-error.patch | 64 ++++++++ 69 files changed, 4147 insertions(+) create mode 100644 queue-4.9/acpica-do-not-increment-operation_region-reference-c.patch create mode 100644 queue-4.9/agp-intel-fix-a-memory-leak-on-module-initialisation.patch create mode 100644 queue-4.9/arm-at91-pm-add-missing-put_device-call-in-at91_pm_s.patch create mode 100644 queue-4.9/arm-socfpga-pm-add-missing-put_device-call-in-socfpg.patch create mode 100644 queue-4.9/arm64-dts-exynos-fix-silent-hang-after-boot-on-espre.patch create mode 100644 queue-4.9/arm64-dts-qcom-msm8916-replace-invalid-bias-pull-non.patch create mode 100644 queue-4.9/bcache-fix-super-block-seq-numbers-comparision-in-re.patch create mode 100644 queue-4.9/bdc-fix-bug-causing-crash-after-multiple-disconnects.patch create mode 100644 queue-4.9/bluetooth-add-a-mutex-lock-to-avoid-uaf-in-do_enale_.patch create mode 100644 queue-4.9/brcmfmac-to-fix-bss-info-flag-definition-bug.patch create mode 100644 queue-4.9/console-newport_con-fix-an-issue-about-leak-related-.patch create mode 100644 queue-4.9/cxl-fix-kobject-memleak.patch create mode 100644 queue-4.9/dlm-fix-kobject-memleak.patch create mode 100644 queue-4.9/drm-debugfs-fix-plain-echo-to-connector-force-attrib.patch create mode 100644 queue-4.9/drm-imx-tve-fix-regulator_disable-error-path.patch create mode 100644 queue-4.9/drm-mipi-use-dcs-write-for-mipi_dsi_dcs_set_tear_sca.patch create mode 100644 queue-4.9/drm-nouveau-fix-multiple-instances-of-reference-coun.patch create mode 100644 queue-4.9/drm-panel-simple-fix-bpc-for-lg-lb070wv8-panel.patch create mode 100644 queue-4.9/drm-radeon-fix-array-out-of-bounds-read-and-write-is.patch create mode 100644 queue-4.9/drm-radeon-fix-reference-count-leaks-caused-by-pm_ru.patch create mode 100644 queue-4.9/drm-tilcdc-fix-leak-null-ref-in-panel_connector_get_.patch create mode 100644 queue-4.9/dyndbg-fix-a-bug_on-in-ddebug_describe_flags.patch create mode 100644 queue-4.9/edac-fix-reference-count-leaks.patch create mode 100644 queue-4.9/fs-btrfs-add-cond_resched-for-try_release_extent_map.patch create mode 100644 queue-4.9/fsl-fman-check-dereferencing-null-pointer.patch create mode 100644 queue-4.9/fsl-fman-fix-dereference-null-return-value.patch create mode 100644 queue-4.9/fsl-fman-fix-eth-hash-table-allocation.patch create mode 100644 queue-4.9/fsl-fman-fix-unreachable-code.patch create mode 100644 queue-4.9/fsl-fman-use-32-bit-unsigned-integer.patch create mode 100644 queue-4.9/iio-improve-iio_concentration-channel-type-descripti.patch create mode 100644 queue-4.9/iwlegacy-check-the-return-value-of-pcie_capability_r.patch create mode 100644 queue-4.9/leds-core-flush-scheduled-work-for-system-suspend.patch create mode 100644 queue-4.9/leds-lm355x-avoid-enum-conversion-warning.patch create mode 100644 queue-4.9/m68k-mac-don-t-send-iop-message-until-channel-is-idl.patch create mode 100644 queue-4.9/m68k-mac-fix-iop-status-control-register-writes.patch create mode 100644 queue-4.9/md-cluster-fix-wild-pointer-of-unlock_all_bitmaps.patch create mode 100644 queue-4.9/media-exynos4-is-add-missed-check-for-pinctrl_lookup.patch create mode 100644 queue-4.9/media-firewire-using-uninitialized-values-in-node_pr.patch create mode 100644 queue-4.9/media-omap3isp-add-missed-v4l2_ctrl_handler_free-for.patch create mode 100644 queue-4.9/mm-mmap.c-add-cond_resched-for-exit_mmap-cpu-stalls.patch create mode 100644 queue-4.9/mwifiex-prevent-memory-corruption-handling-keys.patch create mode 100644 queue-4.9/net-spider_net-fix-the-size-used-in-a-dma_free_coher.patch create mode 100644 queue-4.9/pci-aspm-add-missing-newline-in-sysfs-policy.patch create mode 100644 queue-4.9/pci-fix-pci_cfg_wait-queue-locking-problem.patch create mode 100644 queue-4.9/pinctrl-single-fix-pcs_parse_pinconf-return-value.patch create mode 100644 queue-4.9/platform-x86-intel-hid-fix-return-value-check-in-che.patch create mode 100644 queue-4.9/platform-x86-intel-vbtn-fix-return-value-check-in-ch.patch create mode 100644 queue-4.9/power-supply-check-if-calc_soc-succeeded-in-pm860x_i.patch create mode 100644 queue-4.9/powerpc-vdso-fix-vdso-cpu-truncation.patch create mode 100644 queue-4.9/s390-qeth-don-t-process-empty-bridge-port-events.patch create mode 100644 queue-4.9/scsi-cumana_2-fix-different-dev_id-between-request_i.patch create mode 100644 queue-4.9/scsi-eesox-fix-different-dev_id-between-request_irq-.patch create mode 100644 queue-4.9/scsi-mesh-fix-panic-after-host-or-bus-reset.patch create mode 100644 queue-4.9/scsi-powertec-fix-different-dev_id-between-request_i.patch create mode 100644 queue-4.9/scsi-scsi_debug-add-check-for-sdebug_max_queue-durin.patch create mode 100644 queue-4.9/selftests-powerpc-fix-cpu-affinity-for-child-process.patch create mode 100644 queue-4.9/selftests-powerpc-fix-online-cpu-selection.patch create mode 100644 queue-4.9/smack-fix-another-vsscanf-out-of-bounds.patch create mode 100644 queue-4.9/smack-prevent-underflow-in-smk_set_cipso.patch create mode 100644 queue-4.9/staging-rtl8192u-fix-a-dubious-looking-mask-before-a.patch create mode 100644 queue-4.9/usb-dwc2-fix-error-path-in-gadget-registration.patch create mode 100644 queue-4.9/usb-gadget-net2280-fix-memory-leak-on-probe-error-ha.patch create mode 100644 queue-4.9/usb-serial-iuu_phoenix-fix-led-activity-helpers.patch create mode 100644 queue-4.9/video-fbdev-neofb-fix-memory-leak-in-neo_scan_monito.patch create mode 100644 queue-4.9/video-fbdev-sm712fb-fix-an-issue-about-iounmap-for-a.patch create mode 100644 queue-4.9/video-pxafb-fix-the-function-used-to-balance-a-dma_a.patch create mode 100644 queue-4.9/wl1251-fix-always-return-0-error.patch create mode 100644 queue-4.9/xfs-fix-reflink-quota-reservation-accounting-error.patch diff --git a/queue-4.9/acpica-do-not-increment-operation_region-reference-c.patch b/queue-4.9/acpica-do-not-increment-operation_region-reference-c.patch new file mode 100644 index 00000000000..ed33627a08d --- /dev/null +++ b/queue-4.9/acpica-do-not-increment-operation_region-reference-c.patch @@ -0,0 +1,81 @@ +From 4222384febcd2f34ceb2e972f1f61ca9ebc49af4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jul 2020 10:31:20 -0700 +Subject: ACPICA: Do not increment operation_region reference counts for field + units + +From: Erik Kaneda + +[ Upstream commit 6a54ebae6d047c988a31f5ac5a64ab5cf83797a2 ] + +ACPICA commit e17b28cfcc31918d0db9547b6b274b09c413eb70 + +Object reference counts are used as a part of ACPICA's garbage +collection mechanism. This mechanism keeps track of references to +heap-allocated structures such as the ACPI operand objects. + +Recent server firmware has revealed that this reference count can +overflow on large servers that declare many field units under the +same operation_region. This occurs because each field unit declaration +will add a reference count to the source operation_region. + +This change solves the reference count overflow for operation_regions +objects by preventing fieldunits from incrementing their +operation_region's reference count. Each operation_region's reference +count will not be changed by named objects declared under the Field +operator. During namespace deletion, the operation_region namespace +node will be deleted and each fieldunit will be deleted without +touching the deleted operation_region object. + +Link: https://github.com/acpica/acpica/commit/e17b28cf +Signed-off-by: Erik Kaneda +Signed-off-by: Bob Moore +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/exprep.c | 4 ---- + drivers/acpi/acpica/utdelete.c | 6 +----- + 2 files changed, 1 insertion(+), 9 deletions(-) + +diff --git a/drivers/acpi/acpica/exprep.c b/drivers/acpi/acpica/exprep.c +index aed8d34592209..c2c391d5c5a1c 100644 +--- a/drivers/acpi/acpica/exprep.c ++++ b/drivers/acpi/acpica/exprep.c +@@ -507,10 +507,6 @@ acpi_status acpi_ex_prep_field_value(struct acpi_create_field_info *info) + (u8)access_byte_width; + } + } +- /* An additional reference for the container */ +- +- acpi_ut_add_reference(obj_desc->field.region_obj); +- + ACPI_DEBUG_PRINT((ACPI_DB_BFIELD, + "RegionField: BitOff %X, Off %X, Gran %X, Region %p\n", + obj_desc->field.start_field_bit_offset, +diff --git a/drivers/acpi/acpica/utdelete.c b/drivers/acpi/acpica/utdelete.c +index 529d6c38ea7ce..03a2282ceb9ca 100644 +--- a/drivers/acpi/acpica/utdelete.c ++++ b/drivers/acpi/acpica/utdelete.c +@@ -591,11 +591,6 @@ acpi_ut_update_object_reference(union acpi_operand_object *object, u16 action) + next_object = object->buffer_field.buffer_obj; + break; + +- case ACPI_TYPE_LOCAL_REGION_FIELD: +- +- next_object = object->field.region_obj; +- break; +- + case ACPI_TYPE_LOCAL_BANK_FIELD: + + next_object = object->bank_field.bank_obj; +@@ -636,6 +631,7 @@ acpi_ut_update_object_reference(union acpi_operand_object *object, u16 action) + } + break; + ++ case ACPI_TYPE_LOCAL_REGION_FIELD: + case ACPI_TYPE_REGION: + default: + +-- +2.25.1 + diff --git a/queue-4.9/agp-intel-fix-a-memory-leak-on-module-initialisation.patch b/queue-4.9/agp-intel-fix-a-memory-leak-on-module-initialisation.patch new file mode 100644 index 00000000000..1bb059f7c96 --- /dev/null +++ b/queue-4.9/agp-intel-fix-a-memory-leak-on-module-initialisation.patch @@ -0,0 +1,43 @@ +From 0ac47e7661a412ec6cd6f1025ffe8580c91ee8fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 May 2020 09:34:51 +0100 +Subject: agp/intel: Fix a memory leak on module initialisation failure + +From: Qiushi Wu + +[ Upstream commit b975abbd382fe442713a4c233549abb90e57c22b ] + +In intel_gtt_setup_scratch_page(), pointer "page" is not released if +pci_dma_mapping_error() return an error, leading to a memory leak on +module initialisation failure. Simply fix this issue by freeing "page" +before return. + +Fixes: 0e87d2b06cb46 ("intel-gtt: initialize our own scratch page") +Signed-off-by: Qiushi Wu +Reviewed-by: Chris Wilson +Signed-off-by: Chris Wilson +Link: https://patchwork.freedesktop.org/patch/msgid/20200522083451.7448-1-chris@chris-wilson.co.uk +Signed-off-by: Sasha Levin +--- + drivers/char/agp/intel-gtt.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/char/agp/intel-gtt.c b/drivers/char/agp/intel-gtt.c +index 871e7f4994e8c..667882e996ecc 100644 +--- a/drivers/char/agp/intel-gtt.c ++++ b/drivers/char/agp/intel-gtt.c +@@ -303,8 +303,10 @@ static int intel_gtt_setup_scratch_page(void) + if (intel_private.needs_dmar) { + dma_addr = pci_map_page(intel_private.pcidev, page, 0, + PAGE_SIZE, PCI_DMA_BIDIRECTIONAL); +- if (pci_dma_mapping_error(intel_private.pcidev, dma_addr)) ++ if (pci_dma_mapping_error(intel_private.pcidev, dma_addr)) { ++ __free_page(page); + return -EINVAL; ++ } + + intel_private.scratch_page_dma = dma_addr; + } else +-- +2.25.1 + diff --git a/queue-4.9/arm-at91-pm-add-missing-put_device-call-in-at91_pm_s.patch b/queue-4.9/arm-at91-pm-add-missing-put_device-call-in-at91_pm_s.patch new file mode 100644 index 00000000000..37b4ac3a9db --- /dev/null +++ b/queue-4.9/arm-at91-pm-add-missing-put_device-call-in-at91_pm_s.patch @@ -0,0 +1,64 @@ +From 8e0651b173cf006e5d6ed8ea79cb45dac5522d3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jun 2020 20:33:01 +0800 +Subject: ARM: at91: pm: add missing put_device() call in at91_pm_sram_init() + +From: yu kuai + +[ Upstream commit f87a4f022c44e5b87e842a9f3e644fba87e8385f ] + +if of_find_device_by_node() succeed, at91_pm_sram_init() doesn't have +a corresponding put_device(). Thus add a jump target to fix the exception +handling for this function implementation. + +Fixes: d2e467905596 ("ARM: at91: pm: use the mmio-sram pool to access SRAM") +Signed-off-by: yu kuai +Signed-off-by: Alexandre Belloni +Link: https://lore.kernel.org/r/20200604123301.3905837-1-yukuai3@huawei.com +Signed-off-by: Sasha Levin +--- + arch/arm/mach-at91/pm.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/mach-at91/pm.c b/arch/arm/mach-at91/pm.c +index 8ba0e2e5ad97c..0efac1404418e 100644 +--- a/arch/arm/mach-at91/pm.c ++++ b/arch/arm/mach-at91/pm.c +@@ -411,13 +411,13 @@ static void __init at91_pm_sram_init(void) + sram_pool = gen_pool_get(&pdev->dev, NULL); + if (!sram_pool) { + pr_warn("%s: sram pool unavailable!\n", __func__); +- return; ++ goto out_put_device; + } + + sram_base = gen_pool_alloc(sram_pool, at91_pm_suspend_in_sram_sz); + if (!sram_base) { + pr_warn("%s: unable to alloc sram!\n", __func__); +- return; ++ goto out_put_device; + } + + sram_pbase = gen_pool_virt_to_phys(sram_pool, sram_base); +@@ -425,12 +425,17 @@ static void __init at91_pm_sram_init(void) + at91_pm_suspend_in_sram_sz, false); + if (!at91_suspend_sram_fn) { + pr_warn("SRAM: Could not map\n"); +- return; ++ goto out_put_device; + } + + /* Copy the pm suspend handler to SRAM */ + at91_suspend_sram_fn = fncpy(at91_suspend_sram_fn, + &at91_pm_suspend_in_sram, at91_pm_suspend_in_sram_sz); ++ return; ++ ++out_put_device: ++ put_device(&pdev->dev); ++ return; + } + + static const struct of_device_id atmel_pmc_ids[] __initconst = { +-- +2.25.1 + diff --git a/queue-4.9/arm-socfpga-pm-add-missing-put_device-call-in-socfpg.patch b/queue-4.9/arm-socfpga-pm-add-missing-put_device-call-in-socfpg.patch new file mode 100644 index 00000000000..2202c09b01f --- /dev/null +++ b/queue-4.9/arm-socfpga-pm-add-missing-put_device-call-in-socfpg.patch @@ -0,0 +1,64 @@ +From 930f6edd5cb7d172ef89c9c97ab394d4ab46089b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Jul 2020 21:45:51 +0800 +Subject: ARM: socfpga: PM: add missing put_device() call in + socfpga_setup_ocram_self_refresh() + +From: Yu Kuai + +[ Upstream commit 3ad7b4e8f89d6bcc9887ca701cf2745a6aedb1a0 ] + +if of_find_device_by_node() succeed, socfpga_setup_ocram_self_refresh +doesn't have a corresponding put_device(). Thus add a jump target to +fix the exception handling for this function implementation. + +Fixes: 44fd8c7d4005 ("ARM: socfpga: support suspend to ram") +Signed-off-by: Yu Kuai +Signed-off-by: Dinh Nguyen +Signed-off-by: Sasha Levin +--- + arch/arm/mach-socfpga/pm.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/mach-socfpga/pm.c b/arch/arm/mach-socfpga/pm.c +index c378ab0c24317..93f2245c97750 100644 +--- a/arch/arm/mach-socfpga/pm.c ++++ b/arch/arm/mach-socfpga/pm.c +@@ -60,14 +60,14 @@ static int socfpga_setup_ocram_self_refresh(void) + if (!ocram_pool) { + pr_warn("%s: ocram pool unavailable!\n", __func__); + ret = -ENODEV; +- goto put_node; ++ goto put_device; + } + + ocram_base = gen_pool_alloc(ocram_pool, socfpga_sdram_self_refresh_sz); + if (!ocram_base) { + pr_warn("%s: unable to alloc ocram!\n", __func__); + ret = -ENOMEM; +- goto put_node; ++ goto put_device; + } + + ocram_pbase = gen_pool_virt_to_phys(ocram_pool, ocram_base); +@@ -78,7 +78,7 @@ static int socfpga_setup_ocram_self_refresh(void) + if (!suspend_ocram_base) { + pr_warn("%s: __arm_ioremap_exec failed!\n", __func__); + ret = -ENOMEM; +- goto put_node; ++ goto put_device; + } + + /* Copy the code that puts DDR in self refresh to ocram */ +@@ -92,6 +92,8 @@ static int socfpga_setup_ocram_self_refresh(void) + if (!socfpga_sdram_self_refresh_in_ocram) + ret = -EFAULT; + ++put_device: ++ put_device(&pdev->dev); + put_node: + of_node_put(np); + +-- +2.25.1 + diff --git a/queue-4.9/arm64-dts-exynos-fix-silent-hang-after-boot-on-espre.patch b/queue-4.9/arm64-dts-exynos-fix-silent-hang-after-boot-on-espre.patch new file mode 100644 index 00000000000..08e35feb841 --- /dev/null +++ b/queue-4.9/arm64-dts-exynos-fix-silent-hang-after-boot-on-espre.patch @@ -0,0 +1,37 @@ +From 0ef7d5c4a7812a975c6ccb8eaff98a7b844cfc5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Jul 2020 12:39:17 +0530 +Subject: arm64: dts: exynos: Fix silent hang after boot on Espresso + +From: Alim Akhtar + +[ Upstream commit b072714bfc0e42c984b8fd6e069f3ca17de8137a ] + +Once regulators are disabled after kernel boot, on Espresso board silent +hang observed because of LDO7 being disabled. LDO7 actually provide +power to CPU cores and non-cpu blocks circuitries. Keep this regulator +always-on to fix this hang. + +Fixes: 9589f7721e16 ("arm64: dts: Add S2MPS15 PMIC node on exynos7-espresso") +Signed-off-by: Alim Akhtar +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/exynos/exynos7-espresso.dts | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/exynos/exynos7-espresso.dts b/arch/arm64/boot/dts/exynos/exynos7-espresso.dts +index c528dd52ba2d3..2f7d144d556da 100644 +--- a/arch/arm64/boot/dts/exynos/exynos7-espresso.dts ++++ b/arch/arm64/boot/dts/exynos/exynos7-espresso.dts +@@ -131,6 +131,7 @@ ldo7_reg: LDO7 { + regulator-min-microvolt = <700000>; + regulator-max-microvolt = <1150000>; + regulator-enable-ramp-delay = <125>; ++ regulator-always-on; + }; + + ldo8_reg: LDO8 { +-- +2.25.1 + diff --git a/queue-4.9/arm64-dts-qcom-msm8916-replace-invalid-bias-pull-non.patch b/queue-4.9/arm64-dts-qcom-msm8916-replace-invalid-bias-pull-non.patch new file mode 100644 index 00000000000..b5596296e2e --- /dev/null +++ b/queue-4.9/arm64-dts-qcom-msm8916-replace-invalid-bias-pull-non.patch @@ -0,0 +1,81 @@ +From 9e34f2ed94aadb2ea9acf1251ee38605a8e8a8ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Jun 2020 20:59:14 +0200 +Subject: arm64: dts: qcom: msm8916: Replace invalid bias-pull-none property + +From: Stephan Gerhold + +[ Upstream commit 1b6a1a162defe649c5599d661b58ac64bb6f31b6 ] + +msm8916-pins.dtsi specifies "bias-pull-none" for most of the audio +pin configurations. This was likely copied from the qcom kernel fork +where the same property was used for these audio pins. + +However, "bias-pull-none" actually does not exist at all - not in +mainline and not in downstream. I can only guess that the original +intention was to configure "no pull", i.e. bias-disable. + +Change it to that instead. + +Fixes: 143bb9ad85b7 ("arm64: dts: qcom: add audio pinctrls") +Cc: Srinivas Kandagatla +Signed-off-by: Stephan Gerhold +Link: https://lore.kernel.org/r/20200605185916.318494-2-stephan@gerhold.net +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/msm8916-pins.dtsi | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi b/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi +index 10c83e11c272f..fabc0cebe2aa2 100644 +--- a/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi ++++ b/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi +@@ -542,7 +542,7 @@ pinconf { + pins = "gpio63", "gpio64", "gpio65", "gpio66", + "gpio67", "gpio68"; + drive-strength = <8>; +- bias-pull-none; ++ bias-disable; + }; + }; + cdc_pdm_lines_sus: pdm_lines_off { +@@ -571,7 +571,7 @@ pinconf { + pins = "gpio113", "gpio114", "gpio115", + "gpio116"; + drive-strength = <8>; +- bias-pull-none; ++ bias-disable; + }; + }; + +@@ -599,7 +599,7 @@ pinmux { + pinconf { + pins = "gpio110"; + drive-strength = <8>; +- bias-pull-none; ++ bias-disable; + }; + }; + +@@ -625,7 +625,7 @@ pinmux { + pinconf { + pins = "gpio116"; + drive-strength = <8>; +- bias-pull-none; ++ bias-disable; + }; + }; + ext_mclk_tlmm_lines_sus: mclk_lines_off { +@@ -653,7 +653,7 @@ pinconf { + pins = "gpio112", "gpio117", "gpio118", + "gpio119"; + drive-strength = <8>; +- bias-pull-none; ++ bias-disable; + }; + }; + ext_sec_tlmm_lines_sus: tlmm_lines_off { +-- +2.25.1 + diff --git a/queue-4.9/bcache-fix-super-block-seq-numbers-comparision-in-re.patch b/queue-4.9/bcache-fix-super-block-seq-numbers-comparision-in-re.patch new file mode 100644 index 00000000000..06e8e167ec7 --- /dev/null +++ b/queue-4.9/bcache-fix-super-block-seq-numbers-comparision-in-re.patch @@ -0,0 +1,79 @@ +From 3edf3a92738e03b4ed789a3328cc2becc864037b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Jul 2020 20:00:26 +0800 +Subject: bcache: fix super block seq numbers comparision in + register_cache_set() + +From: Coly Li + +[ Upstream commit 117f636ea695270fe492d0c0c9dfadc7a662af47 ] + +In register_cache_set(), c is pointer to struct cache_set, and ca is +pointer to struct cache, if ca->sb.seq > c->sb.seq, it means this +registering cache has up to date version and other members, the in- +memory version and other members should be updated to the newer value. + +But current implementation makes a cache set only has a single cache +device, so the above assumption works well except for a special case. +The execption is when a cache device new created and both ca->sb.seq and +c->sb.seq are 0, because the super block is never flushed out yet. In +the location for the following if() check, +2156 if (ca->sb.seq > c->sb.seq) { +2157 c->sb.version = ca->sb.version; +2158 memcpy(c->sb.set_uuid, ca->sb.set_uuid, 16); +2159 c->sb.flags = ca->sb.flags; +2160 c->sb.seq = ca->sb.seq; +2161 pr_debug("set version = %llu\n", c->sb.version); +2162 } +c->sb.version is not initialized yet and valued 0. When ca->sb.seq is 0, +the if() check will fail (because both values are 0), and the cache set +version, set_uuid, flags and seq won't be updated. + +The above problem is hiden for current code, because the bucket size is +compatible among different super block version. And the next time when +running cache set again, ca->sb.seq will be larger than 0 and cache set +super block version will be updated properly. + +But if the large bucket feature is enabled, sb->bucket_size is the low +16bits of the bucket size. For a power of 2 value, when the actual +bucket size exceeds 16bit width, sb->bucket_size will always be 0. Then +read_super_common() will fail because the if() check to +is_power_of_2(sb->bucket_size) is false. This is how the long time +hidden bug is triggered. + +This patch modifies the if() check to the following way, +2156 if (ca->sb.seq > c->sb.seq || c->sb.seq == 0) { +Then cache set's version, set_uuid, flags and seq will always be updated +corectly including for a new created cache device. + +Signed-off-by: Coly Li +Reviewed-by: Hannes Reinecke +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/md/bcache/super.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c +index 526e9d5a4fb16..2c976cf361984 100644 +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -1778,7 +1778,14 @@ static const char *register_cache_set(struct cache *ca) + sysfs_create_link(&c->kobj, &ca->kobj, buf)) + goto err; + +- if (ca->sb.seq > c->sb.seq) { ++ /* ++ * A special case is both ca->sb.seq and c->sb.seq are 0, ++ * such condition happens on a new created cache device whose ++ * super block is never flushed yet. In this case c->sb.version ++ * and other members should be updated too, otherwise we will ++ * have a mistaken super block version in cache set. ++ */ ++ if (ca->sb.seq > c->sb.seq || c->sb.seq == 0) { + c->sb.version = ca->sb.version; + memcpy(c->sb.set_uuid, ca->sb.set_uuid, 16); + c->sb.flags = ca->sb.flags; +-- +2.25.1 + diff --git a/queue-4.9/bdc-fix-bug-causing-crash-after-multiple-disconnects.patch b/queue-4.9/bdc-fix-bug-causing-crash-after-multiple-disconnects.patch new file mode 100644 index 00000000000..fd7a7234134 --- /dev/null +++ b/queue-4.9/bdc-fix-bug-causing-crash-after-multiple-disconnects.patch @@ -0,0 +1,92 @@ +From a6166b9c45574ca1c5b53cdd110009b6c2c15bc2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Jul 2020 13:07:42 -0400 +Subject: bdc: Fix bug causing crash after multiple disconnects + +From: Sasi Kumar + +[ Upstream commit a95bdfd22076497288868c028619bc5995f5cc7f ] + +Multiple connects/disconnects can cause a crash on the second +disconnect. The driver had a problem where it would try to send +endpoint commands after it was disconnected which is not allowed +by the hardware. The fix is to only allow the endpoint commands +when the endpoint is connected. This will also fix issues that +showed up when using configfs to create gadgets. + +Signed-off-by: Sasi Kumar +Signed-off-by: Al Cooper +Acked-by: Florian Fainelli +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/bdc/bdc_core.c | 4 ++++ + drivers/usb/gadget/udc/bdc/bdc_ep.c | 16 ++++++++++------ + 2 files changed, 14 insertions(+), 6 deletions(-) + +diff --git a/drivers/usb/gadget/udc/bdc/bdc_core.c b/drivers/usb/gadget/udc/bdc/bdc_core.c +index e9bd8d4abca00..f09a74d79c9eb 100644 +--- a/drivers/usb/gadget/udc/bdc/bdc_core.c ++++ b/drivers/usb/gadget/udc/bdc/bdc_core.c +@@ -286,6 +286,7 @@ static void bdc_mem_init(struct bdc *bdc, bool reinit) + * in that case reinit is passed as 1 + */ + if (reinit) { ++ int i; + /* Enable interrupts */ + temp = bdc_readl(bdc->regs, BDC_BDCSC); + temp |= BDC_GIE; +@@ -295,6 +296,9 @@ static void bdc_mem_init(struct bdc *bdc, bool reinit) + /* Initialize SRR to 0 */ + memset(bdc->srr.sr_bds, 0, + NUM_SR_ENTRIES * sizeof(struct bdc_bd)); ++ /* clear ep flags to avoid post disconnect stops/deconfigs */ ++ for (i = 1; i < bdc->num_eps; ++i) ++ bdc->bdc_ep_array[i]->flags = 0; + } else { + /* One time initiaization only */ + /* Enable status report function pointers */ +diff --git a/drivers/usb/gadget/udc/bdc/bdc_ep.c b/drivers/usb/gadget/udc/bdc/bdc_ep.c +index 303735c7990c8..8b1b48fa4ebfc 100644 +--- a/drivers/usb/gadget/udc/bdc/bdc_ep.c ++++ b/drivers/usb/gadget/udc/bdc/bdc_ep.c +@@ -621,7 +621,6 @@ int bdc_ep_enable(struct bdc_ep *ep) + } + bdc_dbg_bd_list(bdc, ep); + /* only for ep0: config ep is called for ep0 from connect event */ +- ep->flags |= BDC_EP_ENABLED; + if (ep->ep_num == 1) + return ret; + +@@ -765,10 +764,13 @@ static int ep_dequeue(struct bdc_ep *ep, struct bdc_req *req) + __func__, ep->name, start_bdi, end_bdi); + dev_dbg(bdc->dev, "ep_dequeue ep=%p ep->desc=%p\n", + ep, (void *)ep->usb_ep.desc); +- /* Stop the ep to see where the HW is ? */ +- ret = bdc_stop_ep(bdc, ep->ep_num); +- /* if there is an issue with stopping ep, then no need to go further */ +- if (ret) ++ /* if still connected, stop the ep to see where the HW is ? */ ++ if (!(bdc_readl(bdc->regs, BDC_USPC) & BDC_PST_MASK)) { ++ ret = bdc_stop_ep(bdc, ep->ep_num); ++ /* if there is an issue, then no need to go further */ ++ if (ret) ++ return 0; ++ } else + return 0; + + /* +@@ -1917,7 +1919,9 @@ static int bdc_gadget_ep_disable(struct usb_ep *_ep) + __func__, ep->name, ep->flags); + + if (!(ep->flags & BDC_EP_ENABLED)) { +- dev_warn(bdc->dev, "%s is already disabled\n", ep->name); ++ if (bdc->gadget.speed != USB_SPEED_UNKNOWN) ++ dev_warn(bdc->dev, "%s is already disabled\n", ++ ep->name); + return 0; + } + spin_lock_irqsave(&bdc->lock, flags); +-- +2.25.1 + diff --git a/queue-4.9/bluetooth-add-a-mutex-lock-to-avoid-uaf-in-do_enale_.patch b/queue-4.9/bluetooth-add-a-mutex-lock-to-avoid-uaf-in-do_enale_.patch new file mode 100644 index 00000000000..4528019f5be --- /dev/null +++ b/queue-4.9/bluetooth-add-a-mutex-lock-to-avoid-uaf-in-do_enale_.patch @@ -0,0 +1,142 @@ +From f57a578dda3dfbb5711297dcb26aa9006d06298f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jun 2020 20:28:41 +0800 +Subject: Bluetooth: add a mutex lock to avoid UAF in do_enale_set + +From: Lihong Kou + +[ Upstream commit f9c70bdc279b191da8d60777c627702c06e4a37d ] + +In the case we set or free the global value listen_chan in +different threads, we can encounter the UAF problems because +the method is not protected by any lock, add one to avoid +this bug. + +BUG: KASAN: use-after-free in l2cap_chan_close+0x48/0x990 +net/bluetooth/l2cap_core.c:730 +Read of size 8 at addr ffff888096950000 by task kworker/1:102/2868 + +CPU: 1 PID: 2868 Comm: kworker/1:102 Not tainted 5.5.0-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, +BIOS Google 01/01/2011 +Workqueue: events do_enable_set +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x1fb/0x318 lib/dump_stack.c:118 + print_address_description+0x74/0x5c0 mm/kasan/report.c:374 + __kasan_report+0x149/0x1c0 mm/kasan/report.c:506 + kasan_report+0x26/0x50 mm/kasan/common.c:641 + __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135 + l2cap_chan_close+0x48/0x990 net/bluetooth/l2cap_core.c:730 + do_enable_set+0x660/0x900 net/bluetooth/6lowpan.c:1074 + process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264 + worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410 + kthread+0x332/0x350 kernel/kthread.c:255 + ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 + +Allocated by task 2870: + save_stack mm/kasan/common.c:72 [inline] + set_track mm/kasan/common.c:80 [inline] + __kasan_kmalloc+0x118/0x1c0 mm/kasan/common.c:515 + kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529 + kmem_cache_alloc_trace+0x221/0x2f0 mm/slab.c:3551 + kmalloc include/linux/slab.h:555 [inline] + kzalloc include/linux/slab.h:669 [inline] + l2cap_chan_create+0x50/0x320 net/bluetooth/l2cap_core.c:446 + chan_create net/bluetooth/6lowpan.c:640 [inline] + bt_6lowpan_listen net/bluetooth/6lowpan.c:959 [inline] + do_enable_set+0x6a4/0x900 net/bluetooth/6lowpan.c:1078 + process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264 + worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410 + kthread+0x332/0x350 kernel/kthread.c:255 + ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 + +Freed by task 2870: + save_stack mm/kasan/common.c:72 [inline] + set_track mm/kasan/common.c:80 [inline] + kasan_set_free_info mm/kasan/common.c:337 [inline] + __kasan_slab_free+0x12e/0x1e0 mm/kasan/common.c:476 + kasan_slab_free+0xe/0x10 mm/kasan/common.c:485 + __cache_free mm/slab.c:3426 [inline] + kfree+0x10d/0x220 mm/slab.c:3757 + l2cap_chan_destroy net/bluetooth/l2cap_core.c:484 [inline] + kref_put include/linux/kref.h:65 [inline] + l2cap_chan_put+0x170/0x190 net/bluetooth/l2cap_core.c:498 + do_enable_set+0x66c/0x900 net/bluetooth/6lowpan.c:1075 + process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264 + worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410 + kthread+0x332/0x350 kernel/kthread.c:255 + ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 + +The buggy address belongs to the object at ffff888096950000 + which belongs to the cache kmalloc-2k of size 2048 +The buggy address is located 0 bytes inside of + 2048-byte region [ffff888096950000, ffff888096950800) +The buggy address belongs to the page: +page:ffffea00025a5400 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0 +flags: 0xfffe0000000200(slab) +raw: 00fffe0000000200 ffffea00027d1548 ffffea0002397808 ffff8880aa400e00 +raw: 0000000000000000 ffff888096950000 0000000100000001 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff88809694ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff88809694ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +>ffff888096950000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff888096950080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff888096950100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +================================================================== + +Reported-by: syzbot+96414aa0033c363d8458@syzkaller.appspotmail.com +Signed-off-by: Lihong Kou +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/6lowpan.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c +index 21096c8822231..3bfd747aa515b 100644 +--- a/net/bluetooth/6lowpan.c ++++ b/net/bluetooth/6lowpan.c +@@ -57,6 +57,7 @@ static bool enable_6lowpan; + /* We are listening incoming connections via this channel + */ + static struct l2cap_chan *listen_chan; ++static DEFINE_MUTEX(set_lock); + + struct lowpan_peer { + struct list_head list; +@@ -1187,12 +1188,14 @@ static void do_enable_set(struct work_struct *work) + + enable_6lowpan = set_enable->flag; + ++ mutex_lock(&set_lock); + if (listen_chan) { + l2cap_chan_close(listen_chan, 0); + l2cap_chan_put(listen_chan); + } + + listen_chan = bt_6lowpan_listen(); ++ mutex_unlock(&set_lock); + + kfree(set_enable); + } +@@ -1244,11 +1247,13 @@ static ssize_t lowpan_control_write(struct file *fp, + if (ret == -EINVAL) + return ret; + ++ mutex_lock(&set_lock); + if (listen_chan) { + l2cap_chan_close(listen_chan, 0); + l2cap_chan_put(listen_chan); + listen_chan = NULL; + } ++ mutex_unlock(&set_lock); + + if (conn) { + struct lowpan_peer *peer; +-- +2.25.1 + diff --git a/queue-4.9/brcmfmac-to-fix-bss-info-flag-definition-bug.patch b/queue-4.9/brcmfmac-to-fix-bss-info-flag-definition-bug.patch new file mode 100644 index 00000000000..b3684033d18 --- /dev/null +++ b/queue-4.9/brcmfmac-to-fix-bss-info-flag-definition-bug.patch @@ -0,0 +1,39 @@ +From d9e40c4ec2977aa4a7fd4c606f600510f77a0e7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jun 2020 02:18:35 -0500 +Subject: brcmfmac: To fix Bss Info flag definition Bug + +From: Prasanna Kerekoppa + +[ Upstream commit fa3266541b13f390eb35bdbc38ff4a03368be004 ] + +Bss info flag definition need to be fixed from 0x2 to 0x4 +This flag is for rssi info received on channel. +All Firmware branches defined as 0x4 and this is bug in brcmfmac. + +Signed-off-by: Prasanna Kerekoppa +Signed-off-by: Chi-hsien Lin +Signed-off-by: Wright Feng +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200604071835.3842-6-wright.feng@cypress.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h +index 59013572fbe3f..d6a4a08fd3c44 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h +@@ -30,7 +30,7 @@ + #define BRCMF_ARP_OL_PEER_AUTO_REPLY 0x00000008 + + #define BRCMF_BSS_INFO_VERSION 109 /* curr ver of brcmf_bss_info_le struct */ +-#define BRCMF_BSS_RSSI_ON_CHANNEL 0x0002 ++#define BRCMF_BSS_RSSI_ON_CHANNEL 0x0004 + + #define BRCMF_STA_WME 0x00000002 /* WMM association */ + #define BRCMF_STA_AUTHE 0x00000008 /* Authenticated */ +-- +2.25.1 + diff --git a/queue-4.9/console-newport_con-fix-an-issue-about-leak-related-.patch b/queue-4.9/console-newport_con-fix-an-issue-about-leak-related-.patch new file mode 100644 index 00000000000..41716c1b5e5 --- /dev/null +++ b/queue-4.9/console-newport_con-fix-an-issue-about-leak-related-.patch @@ -0,0 +1,91 @@ +From 5648159efd3218dc5580bb57a021e031141a6120 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Apr 2020 00:42:51 +0800 +Subject: console: newport_con: fix an issue about leak related system + resources + +From: Dejin Zheng + +[ Upstream commit fd4b8243877250c05bb24af7fea5567110c9720b ] + +A call of the function do_take_over_console() can fail here. +The corresponding system resources were not released then. +Thus add a call of iounmap() and release_mem_region() +together with the check of a failure predicate. and also +add release_mem_region() on device removal. + +Fixes: e86bb8acc0fdc ("[PATCH] VT binding: Make newport_con support binding") +Suggested-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Dejin Zheng +Reviewed-by: Andy Shevchenko +Cc: Greg Kroah-Hartman +cc: Thomas Gleixner +Cc: Andrew Morton +Signed-off-by: Bartlomiej Zolnierkiewicz +Link: https://patchwork.freedesktop.org/patch/msgid/20200423164251.3349-1-zhengdejin5@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/video/console/newport_con.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/video/console/newport_con.c b/drivers/video/console/newport_con.c +index e3b9521e4ec3e..33bddf3f30406 100644 +--- a/drivers/video/console/newport_con.c ++++ b/drivers/video/console/newport_con.c +@@ -31,6 +31,8 @@ + #include + #include + ++#define NEWPORT_LEN 0x10000 ++ + #define FONT_DATA ((unsigned char *)font_vga_8x16.data) + + /* borrowed from fbcon.c */ +@@ -42,6 +44,7 @@ + static unsigned char *font_data[MAX_NR_CONSOLES]; + + static struct newport_regs *npregs; ++static unsigned long newport_addr; + + static int logo_active; + static int topscan; +@@ -701,7 +704,6 @@ const struct consw newport_con = { + static int newport_probe(struct gio_device *dev, + const struct gio_device_id *id) + { +- unsigned long newport_addr; + int err; + + if (!dev->resource.start) +@@ -711,7 +713,7 @@ static int newport_probe(struct gio_device *dev, + return -EBUSY; /* we only support one Newport as console */ + + newport_addr = dev->resource.start + 0xF0000; +- if (!request_mem_region(newport_addr, 0x10000, "Newport")) ++ if (!request_mem_region(newport_addr, NEWPORT_LEN, "Newport")) + return -ENODEV; + + npregs = (struct newport_regs *)/* ioremap cannot fail */ +@@ -719,6 +721,11 @@ static int newport_probe(struct gio_device *dev, + console_lock(); + err = do_take_over_console(&newport_con, 0, MAX_NR_CONSOLES - 1, 1); + console_unlock(); ++ ++ if (err) { ++ iounmap((void *)npregs); ++ release_mem_region(newport_addr, NEWPORT_LEN); ++ } + return err; + } + +@@ -726,6 +733,7 @@ static void newport_remove(struct gio_device *dev) + { + give_up_console(&newport_con); + iounmap((void *)npregs); ++ release_mem_region(newport_addr, NEWPORT_LEN); + } + + static struct gio_device_id newport_ids[] = { +-- +2.25.1 + diff --git a/queue-4.9/cxl-fix-kobject-memleak.patch b/queue-4.9/cxl-fix-kobject-memleak.patch new file mode 100644 index 00000000000..62e2e7bbb0b --- /dev/null +++ b/queue-4.9/cxl-fix-kobject-memleak.patch @@ -0,0 +1,44 @@ +From 869d95ff16a5e13c8c20a8e2415fb4556aff5bdf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jun 2020 20:07:33 +0800 +Subject: cxl: Fix kobject memleak + +From: Wang Hai + +[ Upstream commit 85c5cbeba8f4fb28e6b9bfb3e467718385f78f76 ] + +Currently the error return path from kobject_init_and_add() is not +followed by a call to kobject_put() - which means we are leaking +the kobject. + +Fix it by adding a call to kobject_put() in the error path of +kobject_init_and_add(). + +Fixes: b087e6190ddc ("cxl: Export optional AFU configuration record in sysfs") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Acked-by: Andrew Donnellan +Acked-by: Frederic Barrat +Link: https://lore.kernel.org/r/20200602120733.5943-1-wanghai38@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/cxl/sysfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/misc/cxl/sysfs.c b/drivers/misc/cxl/sysfs.c +index a8b6d6a635e96..e97b3b26805d1 100644 +--- a/drivers/misc/cxl/sysfs.c ++++ b/drivers/misc/cxl/sysfs.c +@@ -598,7 +598,7 @@ static struct afu_config_record *cxl_sysfs_afu_new_cr(struct cxl_afu *afu, int c + rc = kobject_init_and_add(&cr->kobj, &afu_config_record_type, + &afu->dev.kobj, "cr%i", cr->cr); + if (rc) +- goto err; ++ goto err1; + + rc = sysfs_create_bin_file(&cr->kobj, &cr->config_attr); + if (rc) +-- +2.25.1 + diff --git a/queue-4.9/dlm-fix-kobject-memleak.patch b/queue-4.9/dlm-fix-kobject-memleak.patch new file mode 100644 index 00000000000..b506499e1a5 --- /dev/null +++ b/queue-4.9/dlm-fix-kobject-memleak.patch @@ -0,0 +1,52 @@ +From 308c78edc2da16638bda0f1f556bdd533f21b860 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Jun 2020 11:25:33 +0800 +Subject: dlm: Fix kobject memleak + +From: Wang Hai + +[ Upstream commit 0ffddafc3a3970ef7013696e7f36b3d378bc4c16 ] + +Currently the error return path from kobject_init_and_add() is not +followed by a call to kobject_put() - which means we are leaking +the kobject. + +Set do_unreg = 1 before kobject_init_and_add() to ensure that +kobject_put() can be called in its error patch. + +Fixes: 901195ed7f4b ("Kobject: change GFS2 to use kobject_init_and_add") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Signed-off-by: David Teigland +Signed-off-by: Sasha Levin +--- + fs/dlm/lockspace.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/fs/dlm/lockspace.c b/fs/dlm/lockspace.c +index b14bb2c460426..499f54f99891c 100644 +--- a/fs/dlm/lockspace.c ++++ b/fs/dlm/lockspace.c +@@ -626,6 +626,9 @@ static int new_lockspace(const char *name, const char *cluster, + wait_event(ls->ls_recover_lock_wait, + test_bit(LSFL_RECOVER_LOCK, &ls->ls_flags)); + ++ /* let kobject handle freeing of ls if there's an error */ ++ do_unreg = 1; ++ + ls->ls_kobj.kset = dlm_kset; + error = kobject_init_and_add(&ls->ls_kobj, &dlm_ktype, NULL, + "%s", ls->ls_name); +@@ -633,9 +636,6 @@ static int new_lockspace(const char *name, const char *cluster, + goto out_recoverd; + kobject_uevent(&ls->ls_kobj, KOBJ_ADD); + +- /* let kobject handle freeing of ls if there's an error */ +- do_unreg = 1; +- + /* This uevent triggers dlm_controld in userspace to add us to the + group of nodes that are members of this lockspace (managed by the + cluster infrastructure.) Once it's done that, it tells us who the +-- +2.25.1 + diff --git a/queue-4.9/drm-debugfs-fix-plain-echo-to-connector-force-attrib.patch b/queue-4.9/drm-debugfs-fix-plain-echo-to-connector-force-attrib.patch new file mode 100644 index 00000000000..34839c0a262 --- /dev/null +++ b/queue-4.9/drm-debugfs-fix-plain-echo-to-connector-force-attrib.patch @@ -0,0 +1,51 @@ +From 5049782d037c7205aa318fb7bf1e73a72f916651 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Aug 2017 12:43:07 +0200 +Subject: drm/debugfs: fix plain echo to connector "force" attribute + +From: Michael Tretter + +[ Upstream commit c704b17071c4dc571dca3af4e4151dac51de081a ] + +Using plain echo to set the "force" connector attribute fails with +-EINVAL, because echo appends a newline to the output. + +Replace strcmp with sysfs_streq to also accept strings that end with a +newline. + +v2: use sysfs_streq instead of stripping trailing whitespace + +Signed-off-by: Michael Tretter +Reviewed-by: Jani Nikula +Signed-off-by: Emil Velikov +Link: https://patchwork.freedesktop.org/patch/msgid/20170817104307.17124-1-m.tretter@pengutronix.de +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_debugfs.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/drm_debugfs.c b/drivers/gpu/drm/drm_debugfs.c +index 1205790ed960c..5ffe4b664cfbf 100644 +--- a/drivers/gpu/drm/drm_debugfs.c ++++ b/drivers/gpu/drm/drm_debugfs.c +@@ -287,13 +287,13 @@ static ssize_t connector_write(struct file *file, const char __user *ubuf, + + buf[len] = '\0'; + +- if (!strcmp(buf, "on")) ++ if (sysfs_streq(buf, "on")) + connector->force = DRM_FORCE_ON; +- else if (!strcmp(buf, "digital")) ++ else if (sysfs_streq(buf, "digital")) + connector->force = DRM_FORCE_ON_DIGITAL; +- else if (!strcmp(buf, "off")) ++ else if (sysfs_streq(buf, "off")) + connector->force = DRM_FORCE_OFF; +- else if (!strcmp(buf, "unspecified")) ++ else if (sysfs_streq(buf, "unspecified")) + connector->force = DRM_FORCE_UNSPECIFIED; + else + return -EINVAL; +-- +2.25.1 + diff --git a/queue-4.9/drm-imx-tve-fix-regulator_disable-error-path.patch b/queue-4.9/drm-imx-tve-fix-regulator_disable-error-path.patch new file mode 100644 index 00000000000..1c3b9d41b25 --- /dev/null +++ b/queue-4.9/drm-imx-tve-fix-regulator_disable-error-path.patch @@ -0,0 +1,70 @@ +From 1aff525911ba13e700f995dba887756a25a6786a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Jun 2020 14:43:32 +0200 +Subject: drm/imx: tve: fix regulator_disable error path + +From: Marco Felsch + +[ Upstream commit 7bb58b987fee26da2a1665c01033022624986b7c ] + +Add missing regulator_disable() as devm_action to avoid dedicated +unbind() callback and fix the missing error handling. + +Fixes: fcbc51e54d2a ("staging: drm/imx: Add support for Television Encoder (TVEv2)") +Signed-off-by: Marco Felsch +Signed-off-by: Philipp Zabel +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/imx/imx-tve.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/drivers/gpu/drm/imx/imx-tve.c b/drivers/gpu/drm/imx/imx-tve.c +index 89cf0090feaca..9ae515f3171ec 100644 +--- a/drivers/gpu/drm/imx/imx-tve.c ++++ b/drivers/gpu/drm/imx/imx-tve.c +@@ -511,6 +511,13 @@ static int imx_tve_register(struct drm_device *drm, struct imx_tve *tve) + return 0; + } + ++static void imx_tve_disable_regulator(void *data) ++{ ++ struct imx_tve *tve = data; ++ ++ regulator_disable(tve->dac_reg); ++} ++ + static bool imx_tve_readable_reg(struct device *dev, unsigned int reg) + { + return (reg % 4 == 0) && (reg <= 0xdc); +@@ -635,6 +642,9 @@ static int imx_tve_bind(struct device *dev, struct device *master, void *data) + ret = regulator_enable(tve->dac_reg); + if (ret) + return ret; ++ ret = devm_add_action_or_reset(dev, imx_tve_disable_regulator, tve); ++ if (ret) ++ return ret; + } + + tve->clk = devm_clk_get(dev, "tve"); +@@ -681,18 +691,8 @@ static int imx_tve_bind(struct device *dev, struct device *master, void *data) + return 0; + } + +-static void imx_tve_unbind(struct device *dev, struct device *master, +- void *data) +-{ +- struct imx_tve *tve = dev_get_drvdata(dev); +- +- if (!IS_ERR(tve->dac_reg)) +- regulator_disable(tve->dac_reg); +-} +- + static const struct component_ops imx_tve_ops = { + .bind = imx_tve_bind, +- .unbind = imx_tve_unbind, + }; + + static int imx_tve_probe(struct platform_device *pdev) +-- +2.25.1 + diff --git a/queue-4.9/drm-mipi-use-dcs-write-for-mipi_dsi_dcs_set_tear_sca.patch b/queue-4.9/drm-mipi-use-dcs-write-for-mipi_dsi_dcs_set_tear_sca.patch new file mode 100644 index 00000000000..38fd2e1119f --- /dev/null +++ b/queue-4.9/drm-mipi-use-dcs-write-for-mipi_dsi_dcs_set_tear_sca.patch @@ -0,0 +1,50 @@ +From 534dd289d3372685e4ef40c387830eaf245b0229 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 May 2020 17:03:29 +0100 +Subject: drm/mipi: use dcs write for mipi_dsi_dcs_set_tear_scanline + +From: Emil Velikov + +[ Upstream commit 7a05c3b6d24b8460b3cec436cf1d33fac43c8450 ] + +The helper uses the MIPI_DCS_SET_TEAR_SCANLINE, although it's currently +using the generic write. This does not look right. + +Perhaps some platforms don't distinguish between the two writers? + +Cc: Robert Chiras +Cc: Vinay Simha BN +Cc: Jani Nikula +Cc: Thierry Reding +Fixes: e83950816367 ("drm/dsi: Implement set tear scanline") +Signed-off-by: Emil Velikov +Reviewed-by: Thierry Reding +Signed-off-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/20200505160329.2976059-3-emil.l.velikov@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_mipi_dsi.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/drm_mipi_dsi.c b/drivers/gpu/drm/drm_mipi_dsi.c +index 1160a579e0dc0..99415808e9f91 100644 +--- a/drivers/gpu/drm/drm_mipi_dsi.c ++++ b/drivers/gpu/drm/drm_mipi_dsi.c +@@ -1029,11 +1029,11 @@ EXPORT_SYMBOL(mipi_dsi_dcs_set_pixel_format); + */ + int mipi_dsi_dcs_set_tear_scanline(struct mipi_dsi_device *dsi, u16 scanline) + { +- u8 payload[3] = { MIPI_DCS_SET_TEAR_SCANLINE, scanline >> 8, +- scanline & 0xff }; ++ u8 payload[2] = { scanline >> 8, scanline & 0xff }; + ssize_t err; + +- err = mipi_dsi_generic_write(dsi, payload, sizeof(payload)); ++ err = mipi_dsi_dcs_write(dsi, MIPI_DCS_SET_TEAR_SCANLINE, payload, ++ sizeof(payload)); + if (err < 0) + return err; + +-- +2.25.1 + diff --git a/queue-4.9/drm-nouveau-fix-multiple-instances-of-reference-coun.patch b/queue-4.9/drm-nouveau-fix-multiple-instances-of-reference-coun.patch new file mode 100644 index 00000000000..cfa6f2dba03 --- /dev/null +++ b/queue-4.9/drm-nouveau-fix-multiple-instances-of-reference-coun.patch @@ -0,0 +1,68 @@ +From ef39f79765bc077e93837bed0149bf1076f6c1d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Jun 2020 20:41:56 -0500 +Subject: drm/nouveau: fix multiple instances of reference count leaks + +From: Aditya Pakki + +[ Upstream commit 659fb5f154c3434c90a34586f3b7aa1c39cf6062 ] + +On calling pm_runtime_get_sync() the reference count of the device +is incremented. In case of failure, decrement the +ref count before returning the error. + +Signed-off-by: Aditya Pakki +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nouveau_drm.c | 8 ++++++-- + drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +++- + 2 files changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.c b/drivers/gpu/drm/nouveau/nouveau_drm.c +index 42829a942e33c..4e12d3d59651b 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_drm.c ++++ b/drivers/gpu/drm/nouveau/nouveau_drm.c +@@ -823,8 +823,10 @@ nouveau_drm_open(struct drm_device *dev, struct drm_file *fpriv) + + /* need to bring up power immediately if opening device */ + ret = pm_runtime_get_sync(dev->dev); +- if (ret < 0 && ret != -EACCES) ++ if (ret < 0 && ret != -EACCES) { ++ pm_runtime_put_autosuspend(dev->dev); + return ret; ++ } + + get_task_comm(tmpname, current); + snprintf(name, sizeof(name), "%s[%d]", tmpname, pid_nr(fpriv->pid)); +@@ -912,8 +914,10 @@ nouveau_drm_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + long ret; + + ret = pm_runtime_get_sync(dev->dev); +- if (ret < 0 && ret != -EACCES) ++ if (ret < 0 && ret != -EACCES) { ++ pm_runtime_put_autosuspend(dev->dev); + return ret; ++ } + + switch (_IOC_NR(cmd) - DRM_COMMAND_BASE) { + case DRM_NOUVEAU_NVIF: +diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c +index 505dca48b9f80..be6672da33a65 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_gem.c ++++ b/drivers/gpu/drm/nouveau/nouveau_gem.c +@@ -42,8 +42,10 @@ nouveau_gem_object_del(struct drm_gem_object *gem) + int ret; + + ret = pm_runtime_get_sync(dev); +- if (WARN_ON(ret < 0 && ret != -EACCES)) ++ if (WARN_ON(ret < 0 && ret != -EACCES)) { ++ pm_runtime_put_autosuspend(dev); + return; ++ } + + if (gem->import_attach) + drm_prime_gem_destroy(gem, nvbo->bo.sg); +-- +2.25.1 + diff --git a/queue-4.9/drm-panel-simple-fix-bpc-for-lg-lb070wv8-panel.patch b/queue-4.9/drm-panel-simple-fix-bpc-for-lg-lb070wv8-panel.patch new file mode 100644 index 00000000000..fe66669be7b --- /dev/null +++ b/queue-4.9/drm-panel-simple-fix-bpc-for-lg-lb070wv8-panel.patch @@ -0,0 +1,37 @@ +From 0d830b1cd348b5d8a799045d601526173b23ae09 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Jul 2020 01:53:17 +0300 +Subject: drm: panel: simple: Fix bpc for LG LB070WV8 panel + +From: Laurent Pinchart + +[ Upstream commit a6ae2fe5c9f9fd355a48fb7d21c863e5b20d6c9c ] + +The LG LB070WV8 panel incorrectly reports a 16 bits per component value, +while the panel uses 8 bits per component. Fix it. + +Fixes: dd0150026901 ("drm/panel: simple: Add support for LG LB070WV8 800x480 7" panel") +Signed-off-by: Laurent Pinchart +Signed-off-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/20200711225317.28476-1-laurent.pinchart+renesas@ideasonboard.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-simple.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c +index 68a2b25deb50d..57f32d1bb3127 100644 +--- a/drivers/gpu/drm/panel/panel-simple.c ++++ b/drivers/gpu/drm/panel/panel-simple.c +@@ -1041,7 +1041,7 @@ static const struct drm_display_mode lg_lb070wv8_mode = { + static const struct panel_desc lg_lb070wv8 = { + .modes = &lg_lb070wv8_mode, + .num_modes = 1, +- .bpc = 16, ++ .bpc = 8, + .size = { + .width = 151, + .height = 91, +-- +2.25.1 + diff --git a/queue-4.9/drm-radeon-fix-array-out-of-bounds-read-and-write-is.patch b/queue-4.9/drm-radeon-fix-array-out-of-bounds-read-and-write-is.patch new file mode 100644 index 00000000000..0ff07b2ceab --- /dev/null +++ b/queue-4.9/drm-radeon-fix-array-out-of-bounds-read-and-write-is.patch @@ -0,0 +1,39 @@ +From 46bcbba49a0702056fc87d23b175aabf1b8f42e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Jun 2020 13:07:10 +0100 +Subject: drm/radeon: fix array out-of-bounds read and write issues + +From: Colin Ian King + +[ Upstream commit 7ee78aff9de13d5dccba133f4a0de5367194b243 ] + +There is an off-by-one bounds check on the index into arrays +table->mc_reg_address and table->mc_reg_table_entry[k].mc_data[j] that +can lead to reads and writes outside of arrays. Fix the bound checking +off-by-one error. + +Addresses-Coverity: ("Out-of-bounds read/write") +Fixes: cc8dbbb4f62a ("drm/radeon: add dpm support for CI dGPUs (v2)") +Signed-off-by: Colin Ian King +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/ci_dpm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/radeon/ci_dpm.c b/drivers/gpu/drm/radeon/ci_dpm.c +index be43582811dfc..50bad42527b1c 100644 +--- a/drivers/gpu/drm/radeon/ci_dpm.c ++++ b/drivers/gpu/drm/radeon/ci_dpm.c +@@ -4348,7 +4348,7 @@ static int ci_set_mc_special_registers(struct radeon_device *rdev, + table->mc_reg_table_entry[k].mc_data[j] |= 0x100; + } + j++; +- if (j > SMU7_DISCRETE_MC_REGISTER_ARRAY_SIZE) ++ if (j >= SMU7_DISCRETE_MC_REGISTER_ARRAY_SIZE) + return -EINVAL; + + if (!pi->mem_gddr5) { +-- +2.25.1 + diff --git a/queue-4.9/drm-radeon-fix-reference-count-leaks-caused-by-pm_ru.patch b/queue-4.9/drm-radeon-fix-reference-count-leaks-caused-by-pm_ru.patch new file mode 100644 index 00000000000..63233fb5509 --- /dev/null +++ b/queue-4.9/drm-radeon-fix-reference-count-leaks-caused-by-pm_ru.patch @@ -0,0 +1,74 @@ +From 4ca8b58b86d3a6904e00118d3d95010b7045d871 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Jun 2020 21:21:22 -0500 +Subject: drm/radeon: Fix reference count leaks caused by pm_runtime_get_sync + +From: Aditya Pakki + +[ Upstream commit 9fb10671011143d15b6b40d6d5fa9c52c57e9d63 ] + +On calling pm_runtime_get_sync() the reference count of the device +is incremented. In case of failure, decrement the +reference count before returning the error. + +Acked-by: Evan Quan +Signed-off-by: Aditya Pakki +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/radeon_display.c | 4 +++- + drivers/gpu/drm/radeon/radeon_drv.c | 4 +++- + drivers/gpu/drm/radeon/radeon_kms.c | 4 +++- + 3 files changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/radeon_display.c b/drivers/gpu/drm/radeon/radeon_display.c +index 432ad7d73cb9b..99e23800cadc7 100644 +--- a/drivers/gpu/drm/radeon/radeon_display.c ++++ b/drivers/gpu/drm/radeon/radeon_display.c +@@ -639,8 +639,10 @@ radeon_crtc_set_config(struct drm_mode_set *set) + dev = set->crtc->dev; + + ret = pm_runtime_get_sync(dev->dev); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put_autosuspend(dev->dev); + return ret; ++ } + + ret = drm_crtc_helper_set_config(set); + +diff --git a/drivers/gpu/drm/radeon/radeon_drv.c b/drivers/gpu/drm/radeon/radeon_drv.c +index 30bd4a6a9d466..7648fd0d10751 100644 +--- a/drivers/gpu/drm/radeon/radeon_drv.c ++++ b/drivers/gpu/drm/radeon/radeon_drv.c +@@ -496,8 +496,10 @@ long radeon_drm_ioctl(struct file *filp, + long ret; + dev = file_priv->minor->dev; + ret = pm_runtime_get_sync(dev->dev); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put_autosuspend(dev->dev); + return ret; ++ } + + ret = drm_ioctl(filp, cmd, arg); + +diff --git a/drivers/gpu/drm/radeon/radeon_kms.c b/drivers/gpu/drm/radeon/radeon_kms.c +index 4388ddeec8d24..96d2a564d9a3c 100644 +--- a/drivers/gpu/drm/radeon/radeon_kms.c ++++ b/drivers/gpu/drm/radeon/radeon_kms.c +@@ -634,8 +634,10 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv) + file_priv->driver_priv = NULL; + + r = pm_runtime_get_sync(dev->dev); +- if (r < 0) ++ if (r < 0) { ++ pm_runtime_put_autosuspend(dev->dev); + return r; ++ } + + /* new gpu have virtual address space support */ + if (rdev->family >= CHIP_CAYMAN) { +-- +2.25.1 + diff --git a/queue-4.9/drm-tilcdc-fix-leak-null-ref-in-panel_connector_get_.patch b/queue-4.9/drm-tilcdc-fix-leak-null-ref-in-panel_connector_get_.patch new file mode 100644 index 00000000000..03dc8cb9624 --- /dev/null +++ b/queue-4.9/drm-tilcdc-fix-leak-null-ref-in-panel_connector_get_.patch @@ -0,0 +1,51 @@ +From c2ada369a98e83e98a0a6f1d30174d197170a062 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Apr 2020 13:42:32 +0300 +Subject: drm/tilcdc: fix leak & null ref in panel_connector_get_modes + +From: Tomi Valkeinen + +[ Upstream commit 3f9c1c872cc97875ddc8d63bc9fe6ee13652b933 ] + +If videomode_from_timings() returns true, the mode allocated with +drm_mode_create will be leaked. + +Also, the return value of drm_mode_create() is never checked, and thus +could cause NULL deref. + +Fix these two issues. + +Signed-off-by: Tomi Valkeinen +Link: https://patchwork.freedesktop.org/patch/msgid/20200429104234.18910-1-tomi.valkeinen@ti.com +Reviewed-by: Jyri Sarha +Acked-by: Sam Ravnborg +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tilcdc/tilcdc_panel.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/tilcdc/tilcdc_panel.c b/drivers/gpu/drm/tilcdc/tilcdc_panel.c +index 2134bb20fbe9d..2836154dbb126 100644 +--- a/drivers/gpu/drm/tilcdc/tilcdc_panel.c ++++ b/drivers/gpu/drm/tilcdc/tilcdc_panel.c +@@ -159,12 +159,16 @@ static int panel_connector_get_modes(struct drm_connector *connector) + int i; + + for (i = 0; i < timings->num_timings; i++) { +- struct drm_display_mode *mode = drm_mode_create(dev); ++ struct drm_display_mode *mode; + struct videomode vm; + + if (videomode_from_timings(timings, &vm, i)) + break; + ++ mode = drm_mode_create(dev); ++ if (!mode) ++ break; ++ + drm_display_mode_from_videomode(&vm, mode); + + mode->type = DRM_MODE_TYPE_DRIVER; +-- +2.25.1 + diff --git a/queue-4.9/dyndbg-fix-a-bug_on-in-ddebug_describe_flags.patch b/queue-4.9/dyndbg-fix-a-bug_on-in-ddebug_describe_flags.patch new file mode 100644 index 00000000000..bbdf6f35018 --- /dev/null +++ b/queue-4.9/dyndbg-fix-a-bug_on-in-ddebug_describe_flags.patch @@ -0,0 +1,101 @@ +From 1a90d19b8f28737b504bdfd6a38caf099103cee6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 19 Jul 2020 17:10:47 -0600 +Subject: dyndbg: fix a BUG_ON in ddebug_describe_flags + +From: Jim Cromie + +[ Upstream commit f678ce8cc3cb2ad29df75d8824c74f36398ba871 ] + +ddebug_describe_flags() currently fills a caller provided string buffer, +after testing its size (also passed) in a BUG_ON. Fix this by +replacing them with a known-big-enough string buffer wrapped in a +struct, and passing that instead. + +Also simplify ddebug_describe_flags() flags parameter from a struct to +a member in that struct, and hoist the member deref up to the caller. +This makes the function reusable (soon) where flags are unpacked. + +Acked-by: +Signed-off-by: Jim Cromie +Link: https://lore.kernel.org/r/20200719231058.1586423-8-jim.cromie@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + lib/dynamic_debug.c | 23 +++++++++++------------ + 1 file changed, 11 insertions(+), 12 deletions(-) + +diff --git a/lib/dynamic_debug.c b/lib/dynamic_debug.c +index c7c96bc7654af..91c451e0f4741 100644 +--- a/lib/dynamic_debug.c ++++ b/lib/dynamic_debug.c +@@ -85,22 +85,22 @@ static struct { unsigned flag:8; char opt_char; } opt_array[] = { + { _DPRINTK_FLAGS_NONE, '_' }, + }; + ++struct flagsbuf { char buf[ARRAY_SIZE(opt_array)+1]; }; ++ + /* format a string into buf[] which describes the _ddebug's flags */ +-static char *ddebug_describe_flags(struct _ddebug *dp, char *buf, +- size_t maxlen) ++static char *ddebug_describe_flags(unsigned int flags, struct flagsbuf *fb) + { +- char *p = buf; ++ char *p = fb->buf; + int i; + +- BUG_ON(maxlen < 6); + for (i = 0; i < ARRAY_SIZE(opt_array); ++i) +- if (dp->flags & opt_array[i].flag) ++ if (flags & opt_array[i].flag) + *p++ = opt_array[i].opt_char; +- if (p == buf) ++ if (p == fb->buf) + *p++ = '_'; + *p = '\0'; + +- return buf; ++ return fb->buf; + } + + #define vpr_info(fmt, ...) \ +@@ -142,7 +142,7 @@ static int ddebug_change(const struct ddebug_query *query, + struct ddebug_table *dt; + unsigned int newflags; + unsigned int nfound = 0; +- char flagbuf[10]; ++ struct flagsbuf fbuf; + + /* search for matching ddebugs */ + mutex_lock(&ddebug_lock); +@@ -199,8 +199,7 @@ static int ddebug_change(const struct ddebug_query *query, + vpr_info("changed %s:%d [%s]%s =%s\n", + trim_prefix(dp->filename), dp->lineno, + dt->mod_name, dp->function, +- ddebug_describe_flags(dp, flagbuf, +- sizeof(flagbuf))); ++ ddebug_describe_flags(dp->flags, &fbuf)); + } + } + mutex_unlock(&ddebug_lock); +@@ -779,7 +778,7 @@ static int ddebug_proc_show(struct seq_file *m, void *p) + { + struct ddebug_iter *iter = m->private; + struct _ddebug *dp = p; +- char flagsbuf[10]; ++ struct flagsbuf flags; + + vpr_info("called m=%p p=%p\n", m, p); + +@@ -792,7 +791,7 @@ static int ddebug_proc_show(struct seq_file *m, void *p) + seq_printf(m, "%s:%u [%s]%s =%s \"", + trim_prefix(dp->filename), dp->lineno, + iter->table->mod_name, dp->function, +- ddebug_describe_flags(dp, flagsbuf, sizeof(flagsbuf))); ++ ddebug_describe_flags(dp->flags, &flags)); + seq_escape(m, dp->format, "\t\r\n\""); + seq_puts(m, "\"\n"); + +-- +2.25.1 + diff --git a/queue-4.9/edac-fix-reference-count-leaks.patch b/queue-4.9/edac-fix-reference-count-leaks.patch new file mode 100644 index 00000000000..6f812ec1f1d --- /dev/null +++ b/queue-4.9/edac-fix-reference-count-leaks.patch @@ -0,0 +1,59 @@ +From cc2883bdabef8c4ccfaa88b004d7d7c617d8ce1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 May 2020 15:22:37 -0500 +Subject: EDAC: Fix reference count leaks + +From: Qiushi Wu + +[ Upstream commit 17ed808ad243192fb923e4e653c1338d3ba06207 ] + +When kobject_init_and_add() returns an error, it should be handled +because kobject_init_and_add() takes a reference even when it fails. If +this function returns an error, kobject_put() must be called to properly +clean up the memory associated with the object. + +Therefore, replace calling kfree() and call kobject_put() and add a +missing kobject_put() in the edac_device_register_sysfs_main_kobj() +error path. + + [ bp: Massage and merge into a single patch. ] + +Fixes: b2ed215a3338 ("Kobject: change drivers/edac to use kobject_init_and_add") +Signed-off-by: Qiushi Wu +Signed-off-by: Borislav Petkov +Link: https://lkml.kernel.org/r/20200528202238.18078-1-wu000273@umn.edu +Link: https://lkml.kernel.org/r/20200528203526.20908-1-wu000273@umn.edu +Signed-off-by: Sasha Levin +--- + drivers/edac/edac_device_sysfs.c | 1 + + drivers/edac/edac_pci_sysfs.c | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/edac/edac_device_sysfs.c b/drivers/edac/edac_device_sysfs.c +index 93da1a45c7161..470b02fc2de96 100644 +--- a/drivers/edac/edac_device_sysfs.c ++++ b/drivers/edac/edac_device_sysfs.c +@@ -275,6 +275,7 @@ int edac_device_register_sysfs_main_kobj(struct edac_device_ctl_info *edac_dev) + + /* Error exit stack */ + err_kobj_reg: ++ kobject_put(&edac_dev->kobj); + module_put(edac_dev->owner); + + err_out: +diff --git a/drivers/edac/edac_pci_sysfs.c b/drivers/edac/edac_pci_sysfs.c +index 6e3428ba400f3..622d117e25335 100644 +--- a/drivers/edac/edac_pci_sysfs.c ++++ b/drivers/edac/edac_pci_sysfs.c +@@ -386,7 +386,7 @@ static int edac_pci_main_kobj_setup(void) + + /* Error unwind statck */ + kobject_init_and_add_fail: +- kfree(edac_pci_top_main_kobj); ++ kobject_put(edac_pci_top_main_kobj); + + kzalloc_fail: + module_put(THIS_MODULE); +-- +2.25.1 + diff --git a/queue-4.9/fs-btrfs-add-cond_resched-for-try_release_extent_map.patch b/queue-4.9/fs-btrfs-add-cond_resched-for-try_release_extent_map.patch new file mode 100644 index 00000000000..c2fb33bcdb9 --- /dev/null +++ b/queue-4.9/fs-btrfs-add-cond_resched-for-try_release_extent_map.patch @@ -0,0 +1,62 @@ +From 2334ce1ec17b80b8b127089413acb817e26bce42 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 May 2020 14:15:37 -0700 +Subject: fs/btrfs: Add cond_resched() for try_release_extent_mapping() stalls + +From: Paul E. McKenney + +[ Upstream commit 9f47eb5461aaeb6cb8696f9d11503ae90e4d5cb0 ] + +Very large I/Os can cause the following RCU CPU stall warning: + +RIP: 0010:rb_prev+0x8/0x50 +Code: 49 89 c0 49 89 d1 48 89 c2 48 89 f8 e9 e5 fd ff ff 4c 89 48 10 c3 4c = +89 06 c3 4c 89 40 10 c3 0f 1f 00 48 8b 0f 48 39 cf 74 38 <48> 8b 47 10 48 85 c0 74 22 48 8b 50 08 48 85 d2 74 0c 48 89 d0 48 +RSP: 0018:ffffc9002212bab0 EFLAGS: 00000287 ORIG_RAX: ffffffffffffff13 +RAX: ffff888821f93630 RBX: ffff888821f93630 RCX: ffff888821f937e0 +RDX: 0000000000000000 RSI: 0000000000102000 RDI: ffff888821f93630 +RBP: 0000000000103000 R08: 000000000006c000 R09: 0000000000000238 +R10: 0000000000102fff R11: ffffc9002212bac8 R12: 0000000000000001 +R13: ffffffffffffffff R14: 0000000000102000 R15: ffff888821f937e0 + __lookup_extent_mapping+0xa0/0x110 + try_release_extent_mapping+0xdc/0x220 + btrfs_releasepage+0x45/0x70 + shrink_page_list+0xa39/0xb30 + shrink_inactive_list+0x18f/0x3b0 + shrink_lruvec+0x38e/0x6b0 + shrink_node+0x14d/0x690 + do_try_to_free_pages+0xc6/0x3e0 + try_to_free_mem_cgroup_pages+0xe6/0x1e0 + reclaim_high.constprop.73+0x87/0xc0 + mem_cgroup_handle_over_high+0x66/0x150 + exit_to_usermode_loop+0x82/0xd0 + do_syscall_64+0xd4/0x100 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +On a PREEMPT=n kernel, the try_release_extent_mapping() function's +"while" loop might run for a very long time on a large I/O. This commit +therefore adds a cond_resched() to this loop, providing RCU any needed +quiescent states. + +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + fs/btrfs/extent_io.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c +index 8c0ff985c1919..fa22bb29eee6f 100644 +--- a/fs/btrfs/extent_io.c ++++ b/fs/btrfs/extent_io.c +@@ -4340,6 +4340,8 @@ int try_release_extent_mapping(struct extent_map_tree *map, + + /* once for us */ + free_extent_map(em); ++ ++ cond_resched(); /* Allow large-extent preemption. */ + } + } + return try_release_extent_state(map, tree, page, mask); +-- +2.25.1 + diff --git a/queue-4.9/fsl-fman-check-dereferencing-null-pointer.patch b/queue-4.9/fsl-fman-check-dereferencing-null-pointer.patch new file mode 100644 index 00000000000..fd977ac1f06 --- /dev/null +++ b/queue-4.9/fsl-fman-check-dereferencing-null-pointer.patch @@ -0,0 +1,72 @@ +From 62819d4603a3e01d7e5d5dcf59c832ae04ce5ab9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Aug 2020 10:07:33 +0300 +Subject: fsl/fman: check dereferencing null pointer + +From: Florinel Iordache + +[ Upstream commit cc5d229a122106733a85c279d89d7703f21e4d4f ] + +Add a safe check to avoid dereferencing null pointer + +Fixes: 57ba4c9b56d8 ("fsl/fman: Add FMan MAC support") +Signed-off-by: Florinel Iordache +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fman/fman_dtsec.c | 4 ++-- + drivers/net/ethernet/freescale/fman/fman_memac.c | 2 +- + drivers/net/ethernet/freescale/fman/fman_tgec.c | 2 +- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/fman/fman_dtsec.c b/drivers/net/ethernet/freescale/fman/fman_dtsec.c +index 641b916f122ba..332b60f03d225 100644 +--- a/drivers/net/ethernet/freescale/fman/fman_dtsec.c ++++ b/drivers/net/ethernet/freescale/fman/fman_dtsec.c +@@ -1095,7 +1095,7 @@ int dtsec_del_hash_mac_address(struct fman_mac *dtsec, enet_addr_t *eth_addr) + list_for_each(pos, + &dtsec->multicast_addr_hash->lsts[bucket]) { + hash_entry = ETH_HASH_ENTRY_OBJ(pos); +- if (hash_entry->addr == addr) { ++ if (hash_entry && hash_entry->addr == addr) { + list_del_init(&hash_entry->node); + kfree(hash_entry); + break; +@@ -1108,7 +1108,7 @@ int dtsec_del_hash_mac_address(struct fman_mac *dtsec, enet_addr_t *eth_addr) + list_for_each(pos, + &dtsec->unicast_addr_hash->lsts[bucket]) { + hash_entry = ETH_HASH_ENTRY_OBJ(pos); +- if (hash_entry->addr == addr) { ++ if (hash_entry && hash_entry->addr == addr) { + list_del_init(&hash_entry->node); + kfree(hash_entry); + break; +diff --git a/drivers/net/ethernet/freescale/fman/fman_memac.c b/drivers/net/ethernet/freescale/fman/fman_memac.c +index 3e5b40c831558..4b0be0cebd199 100644 +--- a/drivers/net/ethernet/freescale/fman/fman_memac.c ++++ b/drivers/net/ethernet/freescale/fman/fman_memac.c +@@ -952,7 +952,7 @@ int memac_del_hash_mac_address(struct fman_mac *memac, enet_addr_t *eth_addr) + + list_for_each(pos, &memac->multicast_addr_hash->lsts[hash]) { + hash_entry = ETH_HASH_ENTRY_OBJ(pos); +- if (hash_entry->addr == addr) { ++ if (hash_entry && hash_entry->addr == addr) { + list_del_init(&hash_entry->node); + kfree(hash_entry); + break; +diff --git a/drivers/net/ethernet/freescale/fman/fman_tgec.c b/drivers/net/ethernet/freescale/fman/fman_tgec.c +index e575259d20f40..c8ad9b8a75f8e 100644 +--- a/drivers/net/ethernet/freescale/fman/fman_tgec.c ++++ b/drivers/net/ethernet/freescale/fman/fman_tgec.c +@@ -585,7 +585,7 @@ int tgec_del_hash_mac_address(struct fman_mac *tgec, enet_addr_t *eth_addr) + + list_for_each(pos, &tgec->multicast_addr_hash->lsts[hash]) { + hash_entry = ETH_HASH_ENTRY_OBJ(pos); +- if (hash_entry->addr == addr) { ++ if (hash_entry && hash_entry->addr == addr) { + list_del_init(&hash_entry->node); + kfree(hash_entry); + break; +-- +2.25.1 + diff --git a/queue-4.9/fsl-fman-fix-dereference-null-return-value.patch b/queue-4.9/fsl-fman-fix-dereference-null-return-value.patch new file mode 100644 index 00000000000..b7d3661d941 --- /dev/null +++ b/queue-4.9/fsl-fman-fix-dereference-null-return-value.patch @@ -0,0 +1,50 @@ +From f9516b933f37e234dccfea53813cf2dcf1bde76b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Aug 2020 10:07:31 +0300 +Subject: fsl/fman: fix dereference null return value + +From: Florinel Iordache + +[ Upstream commit 0572054617f32670abab4b4e89a876954d54b704 ] + +Check before using returned value to avoid dereferencing null pointer. + +Fixes: 18a6c85fcc78 ("fsl/fman: Add FMan Port Support") +Signed-off-by: Florinel Iordache +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fman/fman_port.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/freescale/fman/fman_port.c b/drivers/net/ethernet/freescale/fman/fman_port.c +index 9f3bb50a23651..4986f6ba278a3 100644 +--- a/drivers/net/ethernet/freescale/fman/fman_port.c ++++ b/drivers/net/ethernet/freescale/fman/fman_port.c +@@ -1623,6 +1623,7 @@ static int fman_port_probe(struct platform_device *of_dev) + struct fman_port *port; + struct fman *fman; + struct device_node *fm_node, *port_node; ++ struct platform_device *fm_pdev; + struct resource res; + struct resource *dev_res; + u32 val; +@@ -1647,8 +1648,14 @@ static int fman_port_probe(struct platform_device *of_dev) + goto return_err; + } + +- fman = dev_get_drvdata(&of_find_device_by_node(fm_node)->dev); ++ fm_pdev = of_find_device_by_node(fm_node); + of_node_put(fm_node); ++ if (!fm_pdev) { ++ err = -EINVAL; ++ goto return_err; ++ } ++ ++ fman = dev_get_drvdata(&fm_pdev->dev); + if (!fman) { + err = -EINVAL; + goto return_err; +-- +2.25.1 + diff --git a/queue-4.9/fsl-fman-fix-eth-hash-table-allocation.patch b/queue-4.9/fsl-fman-fix-eth-hash-table-allocation.patch new file mode 100644 index 00000000000..1d0ef7e029e --- /dev/null +++ b/queue-4.9/fsl-fman-fix-eth-hash-table-allocation.patch @@ -0,0 +1,38 @@ +From 243387c98ed5a16ba6d6bb8d0304bebdcb5760d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Aug 2020 10:07:34 +0300 +Subject: fsl/fman: fix eth hash table allocation + +From: Florinel Iordache + +[ Upstream commit 3207f715c34317d08e798e11a10ce816feb53c0f ] + +Fix memory allocation for ethernet address hash table. +The code was wrongly allocating an array for eth hash table which +is incorrect because this is the main structure for eth hash table +(struct eth_hash_t) that contains inside a number of elements. + +Fixes: 57ba4c9b56d8 ("fsl/fman: Add FMan MAC support") +Signed-off-by: Florinel Iordache +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fman/fman_mac.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/freescale/fman/fman_mac.h b/drivers/net/ethernet/freescale/fman/fman_mac.h +index dd6d0526f6c1f..19f327efdaff3 100644 +--- a/drivers/net/ethernet/freescale/fman/fman_mac.h ++++ b/drivers/net/ethernet/freescale/fman/fman_mac.h +@@ -252,7 +252,7 @@ static inline struct eth_hash_t *alloc_hash_table(u16 size) + struct eth_hash_t *hash; + + /* Allocate address hash table */ +- hash = kmalloc_array(size, sizeof(struct eth_hash_t *), GFP_KERNEL); ++ hash = kmalloc(sizeof(*hash), GFP_KERNEL); + if (!hash) + return NULL; + +-- +2.25.1 + diff --git a/queue-4.9/fsl-fman-fix-unreachable-code.patch b/queue-4.9/fsl-fman-fix-unreachable-code.patch new file mode 100644 index 00000000000..d7a3beabae4 --- /dev/null +++ b/queue-4.9/fsl-fman-fix-unreachable-code.patch @@ -0,0 +1,35 @@ +From edc10d43e0762d5c4b59964fd0ee863479a6479b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Aug 2020 10:07:32 +0300 +Subject: fsl/fman: fix unreachable code + +From: Florinel Iordache + +[ Upstream commit cc79fd8f557767de90ff199d3b6fb911df43160a ] + +The parameter 'priority' is incorrectly forced to zero which ultimately +induces logically dead code in the subsequent lines. + +Fixes: 57ba4c9b56d8 ("fsl/fman: Add FMan MAC support") +Signed-off-by: Florinel Iordache +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fman/fman_memac.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ethernet/freescale/fman/fman_memac.c b/drivers/net/ethernet/freescale/fman/fman_memac.c +index c30994a09a7c2..3e5b40c831558 100644 +--- a/drivers/net/ethernet/freescale/fman/fman_memac.c ++++ b/drivers/net/ethernet/freescale/fman/fman_memac.c +@@ -851,7 +851,6 @@ int memac_set_tx_pause_frames(struct fman_mac *memac, u8 priority, + + tmp = ioread32be(®s->command_config); + tmp &= ~CMD_CFG_PFC_MODE; +- priority = 0; + + iowrite32be(tmp, ®s->command_config); + +-- +2.25.1 + diff --git a/queue-4.9/fsl-fman-use-32-bit-unsigned-integer.patch b/queue-4.9/fsl-fman-use-32-bit-unsigned-integer.patch new file mode 100644 index 00000000000..c5d51c368f5 --- /dev/null +++ b/queue-4.9/fsl-fman-use-32-bit-unsigned-integer.patch @@ -0,0 +1,41 @@ +From 7bac1c942124c52fdc54e654cd78d9e35a63382e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Aug 2020 10:07:30 +0300 +Subject: fsl/fman: use 32-bit unsigned integer + +From: Florinel Iordache + +[ Upstream commit 99f47abd9f7bf6e365820d355dc98f6955a562df ] + +Potentially overflowing expression (ts_freq << 16 and intgr << 16) +declared as type u32 (32-bit unsigned) is evaluated using 32-bit +arithmetic and then used in a context that expects an expression of +type u64 (64-bit unsigned) which ultimately is used as 16-bit +unsigned by typecasting to u16. Fixed by using an unsigned 32-bit +integer since the value is truncated anyway in the end. + +Fixes: 414fd46e7762 ("fsl/fman: Add FMan support") +Signed-off-by: Florinel Iordache +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fman/fman.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/fman/fman.c b/drivers/net/ethernet/freescale/fman/fman.c +index 380c4a2f65161..6a11f9916116c 100644 +--- a/drivers/net/ethernet/freescale/fman/fman.c ++++ b/drivers/net/ethernet/freescale/fman/fman.c +@@ -1446,8 +1446,7 @@ static void enable_time_stamp(struct fman *fman) + { + struct fman_fpm_regs __iomem *fpm_rg = fman->fpm_regs; + u16 fm_clk_freq = fman->state->fm_clk_freq; +- u32 tmp, intgr, ts_freq; +- u64 frac; ++ u32 tmp, intgr, ts_freq, frac; + + ts_freq = (u32)(1 << fman->state->count1_micro_bit); + /* configure timestamp so that bit 8 will count 1 microsecond +-- +2.25.1 + diff --git a/queue-4.9/iio-improve-iio_concentration-channel-type-descripti.patch b/queue-4.9/iio-improve-iio_concentration-channel-type-descripti.patch new file mode 100644 index 00000000000..b17e4f596ad --- /dev/null +++ b/queue-4.9/iio-improve-iio_concentration-channel-type-descripti.patch @@ -0,0 +1,43 @@ +From 883203b9d693d74ef537811b14e12798105c7db9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Jun 2020 18:15:52 +0200 +Subject: iio: improve IIO_CONCENTRATION channel type description + +From: Tomasz Duszynski + +[ Upstream commit df16c33a4028159d1ba8a7061c9fa950b58d1a61 ] + +IIO_CONCENTRATION together with INFO_RAW specifier is used for reporting +raw concentrations of pollutants. Raw value should be meaningless +before being properly scaled. Because of that description shouldn't +mention raw value unit whatsoever. + +Fix this by rephrasing existing description so it follows conventions +used throughout IIO ABI docs. + +Fixes: 8ff6b3bc94930 ("iio: chemical: Add IIO_CONCENTRATION channel type") +Signed-off-by: Tomasz Duszynski +Acked-by: Matt Ranostay +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + Documentation/ABI/testing/sysfs-bus-iio | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/Documentation/ABI/testing/sysfs-bus-iio b/Documentation/ABI/testing/sysfs-bus-iio +index 0406076e44059..743ffbcc6b5f0 100644 +--- a/Documentation/ABI/testing/sysfs-bus-iio ++++ b/Documentation/ABI/testing/sysfs-bus-iio +@@ -1491,7 +1491,8 @@ What: /sys/bus/iio/devices/iio:deviceX/in_concentrationX_voc_raw + KernelVersion: 4.3 + Contact: linux-iio@vger.kernel.org + Description: +- Raw (unscaled no offset etc.) percentage reading of a substance. ++ Raw (unscaled no offset etc.) reading of a substance. Units ++ after application of scale and offset are percents. + + What: /sys/bus/iio/devices/iio:deviceX/in_resistance_raw + What: /sys/bus/iio/devices/iio:deviceX/in_resistanceX_raw +-- +2.25.1 + diff --git a/queue-4.9/iwlegacy-check-the-return-value-of-pcie_capability_r.patch b/queue-4.9/iwlegacy-check-the-return-value-of-pcie_capability_r.patch new file mode 100644 index 00000000000..4c7fd7d536d --- /dev/null +++ b/queue-4.9/iwlegacy-check-the-return-value-of-pcie_capability_r.patch @@ -0,0 +1,45 @@ +From 184c72ec3d3d42f66148f2b4fb491c01bfb232f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jul 2020 19:55:27 +0200 +Subject: iwlegacy: Check the return value of pcie_capability_read_*() + +From: Bolarinwa Olayemi Saheed + +[ Upstream commit 9018fd7f2a73e9b290f48a56b421558fa31e8b75 ] + +On failure pcie_capability_read_dword() sets it's last parameter, val +to 0. However, with Patch 14/14, it is possible that val is set to ~0 on +failure. This would introduce a bug because (x & x) == (~0 & x). + +This bug can be avoided without changing the function's behaviour if the +return value of pcie_capability_read_dword is checked to confirm success. + +Check the return value of pcie_capability_read_dword() to ensure success. + +Suggested-by: Bjorn Helgaas +Signed-off-by: Bolarinwa Olayemi Saheed +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200713175529.29715-3-refactormyself@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlegacy/common.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlegacy/common.c b/drivers/net/wireless/intel/iwlegacy/common.c +index db2373fe8ac32..55573d090503b 100644 +--- a/drivers/net/wireless/intel/iwlegacy/common.c ++++ b/drivers/net/wireless/intel/iwlegacy/common.c +@@ -4302,8 +4302,8 @@ il_apm_init(struct il_priv *il) + * power savings, even without L1. + */ + if (il->cfg->set_l0s) { +- pcie_capability_read_word(il->pci_dev, PCI_EXP_LNKCTL, &lctl); +- if (lctl & PCI_EXP_LNKCTL_ASPM_L1) { ++ ret = pcie_capability_read_word(il->pci_dev, PCI_EXP_LNKCTL, &lctl); ++ if (!ret && (lctl & PCI_EXP_LNKCTL_ASPM_L1)) { + /* L1-ASPM enabled; disable(!) L0S */ + il_set_bit(il, CSR_GIO_REG, + CSR_GIO_REG_VAL_L0S_ENABLED); +-- +2.25.1 + diff --git a/queue-4.9/leds-core-flush-scheduled-work-for-system-suspend.patch b/queue-4.9/leds-core-flush-scheduled-work-for-system-suspend.patch new file mode 100644 index 00000000000..c16ff58dc2a --- /dev/null +++ b/queue-4.9/leds-core-flush-scheduled-work-for-system-suspend.patch @@ -0,0 +1,42 @@ +From f8c0bf35d061b84307bfee78133a19aa424d14b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jul 2020 13:45:00 +0800 +Subject: leds: core: Flush scheduled work for system suspend + +From: Kai-Heng Feng + +[ Upstream commit 302a085c20194bfa7df52e0fe684ee0c41da02e6 ] + +Sometimes LED won't be turned off by LED_CORE_SUSPENDRESUME flag upon +system suspend. + +led_set_brightness_nopm() uses schedule_work() to set LED brightness. +However, there's no guarantee that the scheduled work gets executed +because no one flushes the work. + +So flush the scheduled work to make sure LED gets turned off. + +Signed-off-by: Kai-Heng Feng +Acked-by: Jacek Anaszewski +Fixes: 81fe8e5b73e3 ("leds: core: Add led_set_brightness_nosleep{nopm} functions") +Signed-off-by: Pavel Machek +Signed-off-by: Sasha Levin +--- + drivers/leds/led-class.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/leds/led-class.c b/drivers/leds/led-class.c +index aa84e5b375931..7d3f23bad88dd 100644 +--- a/drivers/leds/led-class.c ++++ b/drivers/leds/led-class.c +@@ -110,6 +110,7 @@ void led_classdev_suspend(struct led_classdev *led_cdev) + { + led_cdev->flags |= LED_SUSPENDED; + led_set_brightness_nopm(led_cdev, 0); ++ flush_work(&led_cdev->set_brightness_work); + } + EXPORT_SYMBOL_GPL(led_classdev_suspend); + +-- +2.25.1 + diff --git a/queue-4.9/leds-lm355x-avoid-enum-conversion-warning.patch b/queue-4.9/leds-lm355x-avoid-enum-conversion-warning.patch new file mode 100644 index 00000000000..3a402587284 --- /dev/null +++ b/queue-4.9/leds-lm355x-avoid-enum-conversion-warning.patch @@ -0,0 +1,60 @@ +From 0e283d88b3a05cf584456416b325776899363bef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 May 2020 16:19:17 +0200 +Subject: leds: lm355x: avoid enum conversion warning + +From: Arnd Bergmann + +[ Upstream commit 985b1f596f9ed56f42b8c2280005f943e1434c06 ] + +clang points out that doing arithmetic between diffent enums is usually +a mistake: + +drivers/leds/leds-lm355x.c:167:28: warning: bitwise operation between different enumeration types ('enum lm355x_tx2' and 'enum lm355x_ntc') [-Wenum-enum-conversion] + reg_val = pdata->pin_tx2 | pdata->ntc_pin; + ~~~~~~~~~~~~~~ ^ ~~~~~~~~~~~~~~ +drivers/leds/leds-lm355x.c:178:28: warning: bitwise operation between different enumeration types ('enum lm355x_tx2' and 'enum lm355x_ntc') [-Wenum-enum-conversion] + reg_val = pdata->pin_tx2 | pdata->ntc_pin | pdata->pass_mode; + ~~~~~~~~~~~~~~ ^ ~~~~~~~~~~~~~~ + +In this driver, it is intentional, so add a cast to hide the false-positive +warning. It appears to be the only instance of this warning at the moment. + +Fixes: b98d13c72592 ("leds: Add new LED driver for lm355x chips") +Signed-off-by: Arnd Bergmann +Signed-off-by: Pavel Machek +Signed-off-by: Sasha Levin +--- + drivers/leds/leds-lm355x.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/leds/leds-lm355x.c b/drivers/leds/leds-lm355x.c +index 6cb94f9a2f3f3..b9c60dd2b1327 100644 +--- a/drivers/leds/leds-lm355x.c ++++ b/drivers/leds/leds-lm355x.c +@@ -168,18 +168,19 @@ static int lm355x_chip_init(struct lm355x_chip_data *chip) + /* input and output pins configuration */ + switch (chip->type) { + case CHIP_LM3554: +- reg_val = pdata->pin_tx2 | pdata->ntc_pin; ++ reg_val = (u32)pdata->pin_tx2 | (u32)pdata->ntc_pin; + ret = regmap_update_bits(chip->regmap, 0xE0, 0x28, reg_val); + if (ret < 0) + goto out; +- reg_val = pdata->pass_mode; ++ reg_val = (u32)pdata->pass_mode; + ret = regmap_update_bits(chip->regmap, 0xA0, 0x04, reg_val); + if (ret < 0) + goto out; + break; + + case CHIP_LM3556: +- reg_val = pdata->pin_tx2 | pdata->ntc_pin | pdata->pass_mode; ++ reg_val = (u32)pdata->pin_tx2 | (u32)pdata->ntc_pin | ++ (u32)pdata->pass_mode; + ret = regmap_update_bits(chip->regmap, 0x0A, 0xC4, reg_val); + if (ret < 0) + goto out; +-- +2.25.1 + diff --git a/queue-4.9/m68k-mac-don-t-send-iop-message-until-channel-is-idl.patch b/queue-4.9/m68k-mac-don-t-send-iop-message-until-channel-is-idl.patch new file mode 100644 index 00000000000..ae6f94ad1d0 --- /dev/null +++ b/queue-4.9/m68k-mac-don-t-send-iop-message-until-channel-is-idl.patch @@ -0,0 +1,70 @@ +From 0b39a5bbc420c8154b145fad4bb85dbade4dab34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 May 2020 09:12:13 +1000 +Subject: m68k: mac: Don't send IOP message until channel is idle + +From: Finn Thain + +[ Upstream commit aeb445bf2194d83e12e85bf5c65baaf1f093bd8f ] + +In the following sequence of calls, iop_do_send() gets called when the +"send" channel is not in the IOP_MSG_IDLE state: + + iop_ism_irq() + iop_handle_send() + (msg->handler)() + iop_send_message() + iop_do_send() + +Avoid this by testing the channel state before calling iop_do_send(). + +When sending, and iop_send_queue is empty, call iop_do_send() because +the channel is idle. If iop_send_queue is not empty, iop_do_send() will +get called later by iop_handle_send(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Finn Thain +Tested-by: Stan Johnson +Cc: Joshua Thompson +Link: https://lore.kernel.org/r/6d667c39e53865661fa5a48f16829d18ed8abe54.1590880333.git.fthain@telegraphics.com.au +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/m68k/mac/iop.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/arch/m68k/mac/iop.c b/arch/m68k/mac/iop.c +index 7990b6f50105b..8209a74fbdebc 100644 +--- a/arch/m68k/mac/iop.c ++++ b/arch/m68k/mac/iop.c +@@ -416,7 +416,8 @@ static void iop_handle_send(uint iop_num, uint chan) + iop_free_msg(msg2); + + iop_send_queue[iop_num][chan] = msg; +- if (msg) iop_do_send(msg); ++ if (msg && iop_readb(iop, IOP_ADDR_SEND_STATE + chan) == IOP_MSG_IDLE) ++ iop_do_send(msg); + } + + /* +@@ -497,16 +498,12 @@ int iop_send_message(uint iop_num, uint chan, void *privdata, + + if (!(q = iop_send_queue[iop_num][chan])) { + iop_send_queue[iop_num][chan] = msg; ++ iop_do_send(msg); + } else { + while (q->next) q = q->next; + q->next = msg; + } + +- if (iop_readb(iop_base[iop_num], +- IOP_ADDR_SEND_STATE + chan) == IOP_MSG_IDLE) { +- iop_do_send(msg); +- } +- + return 0; + } + +-- +2.25.1 + diff --git a/queue-4.9/m68k-mac-fix-iop-status-control-register-writes.patch b/queue-4.9/m68k-mac-fix-iop-status-control-register-writes.patch new file mode 100644 index 00000000000..7a1468cbaed --- /dev/null +++ b/queue-4.9/m68k-mac-fix-iop-status-control-register-writes.patch @@ -0,0 +1,79 @@ +From 348af00ae37d90bf15fdb23e1ed8c17db9acc874 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 May 2020 09:12:13 +1000 +Subject: m68k: mac: Fix IOP status/control register writes + +From: Finn Thain + +[ Upstream commit 931fc82a6aaf4e2e4a5490addaa6a090d78c24a7 ] + +When writing values to the IOP status/control register make sure those +values do not have any extraneous bits that will clear interrupt flags. + +To place the SCC IOP into bypass mode would be desirable but this is not +achieved by writing IOP_DMAINACTIVE | IOP_RUN | IOP_AUTOINC | IOP_BYPASS +to the control register. Drop this ineffective register write. + +Remove the flawed and unused iop_bypass() function. Make use of the +unused iop_stop() function. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Finn Thain +Tested-by: Stan Johnson +Cc: Joshua Thompson +Link: https://lore.kernel.org/r/09bcb7359a1719a18b551ee515da3c4c3cf709e6.1590880333.git.fthain@telegraphics.com.au +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/m68k/mac/iop.c | 12 +++--------- + 1 file changed, 3 insertions(+), 9 deletions(-) + +diff --git a/arch/m68k/mac/iop.c b/arch/m68k/mac/iop.c +index 8209a74fbdebc..cb516cacc819b 100644 +--- a/arch/m68k/mac/iop.c ++++ b/arch/m68k/mac/iop.c +@@ -173,7 +173,7 @@ static __inline__ void iop_writeb(volatile struct mac_iop *iop, __u16 addr, __u8 + + static __inline__ void iop_stop(volatile struct mac_iop *iop) + { +- iop->status_ctrl &= ~IOP_RUN; ++ iop->status_ctrl = IOP_AUTOINC; + } + + static __inline__ void iop_start(volatile struct mac_iop *iop) +@@ -181,14 +181,9 @@ static __inline__ void iop_start(volatile struct mac_iop *iop) + iop->status_ctrl = IOP_RUN | IOP_AUTOINC; + } + +-static __inline__ void iop_bypass(volatile struct mac_iop *iop) +-{ +- iop->status_ctrl |= IOP_BYPASS; +-} +- + static __inline__ void iop_interrupt(volatile struct mac_iop *iop) + { +- iop->status_ctrl |= IOP_IRQ; ++ iop->status_ctrl = IOP_IRQ | IOP_RUN | IOP_AUTOINC; + } + + static int iop_alive(volatile struct mac_iop *iop) +@@ -239,7 +234,6 @@ void __init iop_preinit(void) + } else { + iop_base[IOP_NUM_SCC] = (struct mac_iop *) SCC_IOP_BASE_QUADRA; + } +- iop_base[IOP_NUM_SCC]->status_ctrl = 0x87; + iop_scc_present = 1; + } else { + iop_base[IOP_NUM_SCC] = NULL; +@@ -251,7 +245,7 @@ void __init iop_preinit(void) + } else { + iop_base[IOP_NUM_ISM] = (struct mac_iop *) ISM_IOP_BASE_QUADRA; + } +- iop_base[IOP_NUM_ISM]->status_ctrl = 0; ++ iop_stop(iop_base[IOP_NUM_ISM]); + iop_ism_present = 1; + } else { + iop_base[IOP_NUM_ISM] = NULL; +-- +2.25.1 + diff --git a/queue-4.9/md-cluster-fix-wild-pointer-of-unlock_all_bitmaps.patch b/queue-4.9/md-cluster-fix-wild-pointer-of-unlock_all_bitmaps.patch new file mode 100644 index 00000000000..8de41dbf16f --- /dev/null +++ b/queue-4.9/md-cluster-fix-wild-pointer-of-unlock_all_bitmaps.patch @@ -0,0 +1,72 @@ +From 43813930b76c66819c8a6f846743c95140a5c575 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Jul 2020 11:29:29 +0800 +Subject: md-cluster: fix wild pointer of unlock_all_bitmaps() + +From: Zhao Heming + +[ Upstream commit 60f80d6f2d07a6d8aee485a1d1252327eeee0c81 ] + +reproduction steps: +``` +node1 # mdadm -C /dev/md0 -b clustered -e 1.2 -n 2 -l mirror /dev/sda +/dev/sdb +node2 # mdadm -A /dev/md0 /dev/sda /dev/sdb +node1 # mdadm -G /dev/md0 -b none +mdadm: failed to remove clustered bitmap. +node1 # mdadm -S --scan +^C <==== mdadm hung & kernel crash +``` + +kernel stack: +``` +[ 335.230657] general protection fault: 0000 [#1] SMP NOPTI +[...] +[ 335.230848] Call Trace: +[ 335.230873] ? unlock_all_bitmaps+0x5/0x70 [md_cluster] +[ 335.230886] unlock_all_bitmaps+0x3d/0x70 [md_cluster] +[ 335.230899] leave+0x10f/0x190 [md_cluster] +[ 335.230932] ? md_super_wait+0x93/0xa0 [md_mod] +[ 335.230947] ? leave+0x5/0x190 [md_cluster] +[ 335.230973] md_cluster_stop+0x1a/0x30 [md_mod] +[ 335.230999] md_bitmap_free+0x142/0x150 [md_mod] +[ 335.231013] ? _cond_resched+0x15/0x40 +[ 335.231025] ? mutex_lock+0xe/0x30 +[ 335.231056] __md_stop+0x1c/0xa0 [md_mod] +[ 335.231083] do_md_stop+0x160/0x580 [md_mod] +[ 335.231119] ? 0xffffffffc05fb078 +[ 335.231148] md_ioctl+0xa04/0x1930 [md_mod] +[ 335.231165] ? filename_lookup+0xf2/0x190 +[ 335.231179] blkdev_ioctl+0x93c/0xa10 +[ 335.231205] ? _cond_resched+0x15/0x40 +[ 335.231214] ? __check_object_size+0xd4/0x1a0 +[ 335.231224] block_ioctl+0x39/0x40 +[ 335.231243] do_vfs_ioctl+0xa0/0x680 +[ 335.231253] ksys_ioctl+0x70/0x80 +[ 335.231261] __x64_sys_ioctl+0x16/0x20 +[ 335.231271] do_syscall_64+0x65/0x1f0 +[ 335.231278] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +``` + +Signed-off-by: Zhao Heming +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/md-cluster.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/md/md-cluster.c b/drivers/md/md-cluster.c +index e870b09b2c84d..d08c63aaf10bb 100644 +--- a/drivers/md/md-cluster.c ++++ b/drivers/md/md-cluster.c +@@ -1234,6 +1234,7 @@ static void unlock_all_bitmaps(struct mddev *mddev) + } + } + kfree(cinfo->other_bitmap_lockres); ++ cinfo->other_bitmap_lockres = NULL; + } + } + +-- +2.25.1 + diff --git a/queue-4.9/media-exynos4-is-add-missed-check-for-pinctrl_lookup.patch b/queue-4.9/media-exynos4-is-add-missed-check-for-pinctrl_lookup.patch new file mode 100644 index 00000000000..463a2fea4dd --- /dev/null +++ b/queue-4.9/media-exynos4-is-add-missed-check-for-pinctrl_lookup.patch @@ -0,0 +1,38 @@ +From e1cc6730b8c1c62cefb6344ee112354a3c177181 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 May 2020 08:41:47 +0200 +Subject: media: exynos4-is: Add missed check for pinctrl_lookup_state() + +From: Chuhong Yuan + +[ Upstream commit 18ffec750578f7447c288647d7282c7d12b1d969 ] + +fimc_md_get_pinctrl() misses a check for pinctrl_lookup_state(). +Add the missed check to fix it. + +Fixes: 4163851f7b99 ("[media] s5p-fimc: Use pinctrl API for camera ports configuration]") +Signed-off-by: Chuhong Yuan +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/exynos4-is/media-dev.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/media/platform/exynos4-is/media-dev.c b/drivers/media/platform/exynos4-is/media-dev.c +index ef6ccb5b89525..cdaf3a8e2555e 100644 +--- a/drivers/media/platform/exynos4-is/media-dev.c ++++ b/drivers/media/platform/exynos4-is/media-dev.c +@@ -1257,6 +1257,9 @@ static int fimc_md_get_pinctrl(struct fimc_md *fmd) + + pctl->state_idle = pinctrl_lookup_state(pctl->pinctrl, + PINCTRL_STATE_IDLE); ++ if (IS_ERR(pctl->state_idle)) ++ return PTR_ERR(pctl->state_idle); ++ + return 0; + } + +-- +2.25.1 + diff --git a/queue-4.9/media-firewire-using-uninitialized-values-in-node_pr.patch b/queue-4.9/media-firewire-using-uninitialized-values-in-node_pr.patch new file mode 100644 index 00000000000..b6c987b3daf --- /dev/null +++ b/queue-4.9/media-firewire-using-uninitialized-values-in-node_pr.patch @@ -0,0 +1,40 @@ +From 40f1b13ebd9cd79800eefae30288163dec685c54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 May 2020 16:40:22 +0200 +Subject: media: firewire: Using uninitialized values in node_probe() + +From: Dan Carpenter + +[ Upstream commit 2505a210fc126599013aec2be741df20aaacc490 ] + +If fw_csr_string() returns -ENOENT, then "name" is uninitialized. So +then the "strlen(model_names[i]) <= name_len" is true because strlen() +is unsigned and -ENOENT is type promoted to a very high positive value. +Then the "strncmp(name, model_names[i], name_len)" uses uninitialized +data because "name" is uninitialized. + +Fixes: 92374e886c75 ("[media] firedtv: drop obsolete backend abstraction") +Signed-off-by: Dan Carpenter +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/firewire/firedtv-fw.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/media/firewire/firedtv-fw.c b/drivers/media/firewire/firedtv-fw.c +index 247f0e7cb5f7f..5d634706a7eaa 100644 +--- a/drivers/media/firewire/firedtv-fw.c ++++ b/drivers/media/firewire/firedtv-fw.c +@@ -271,6 +271,8 @@ static int node_probe(struct fw_unit *unit, const struct ieee1394_device_id *id) + + name_len = fw_csr_string(unit->directory, CSR_MODEL, + name, sizeof(name)); ++ if (name_len < 0) ++ return name_len; + for (i = ARRAY_SIZE(model_names); --i; ) + if (strlen(model_names[i]) <= name_len && + strncmp(name, model_names[i], name_len) == 0) +-- +2.25.1 + diff --git a/queue-4.9/media-omap3isp-add-missed-v4l2_ctrl_handler_free-for.patch b/queue-4.9/media-omap3isp-add-missed-v4l2_ctrl_handler_free-for.patch new file mode 100644 index 00000000000..edaef001a3d --- /dev/null +++ b/queue-4.9/media-omap3isp-add-missed-v4l2_ctrl_handler_free-for.patch @@ -0,0 +1,49 @@ +From 6d3f2c1fac83574f57895f714773762ec90d977b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jun 2020 18:41:22 +0200 +Subject: media: omap3isp: Add missed v4l2_ctrl_handler_free() for + preview_init_entities() + +From: Chuhong Yuan + +[ Upstream commit dc7690a73017e1236202022e26a6aa133f239c8c ] + +preview_init_entities() does not call v4l2_ctrl_handler_free() when +it fails. +Add the missed function to fix it. + +Fixes: de1135d44f4f ("[media] omap3isp: CCDC, preview engine and resizer") +Signed-off-by: Chuhong Yuan +Reviewed-by: Laurent Pinchart +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/omap3isp/isppreview.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/omap3isp/isppreview.c b/drivers/media/platform/omap3isp/isppreview.c +index e981eb2330f18..ac005ae4d21b4 100644 +--- a/drivers/media/platform/omap3isp/isppreview.c ++++ b/drivers/media/platform/omap3isp/isppreview.c +@@ -2290,7 +2290,7 @@ static int preview_init_entities(struct isp_prev_device *prev) + me->ops = &preview_media_ops; + ret = media_entity_pads_init(me, PREV_PADS_NUM, pads); + if (ret < 0) +- return ret; ++ goto error_handler_free; + + preview_init_formats(sd, NULL); + +@@ -2323,6 +2323,8 @@ static int preview_init_entities(struct isp_prev_device *prev) + omap3isp_video_cleanup(&prev->video_in); + error_video_in: + media_entity_cleanup(&prev->subdev.entity); ++error_handler_free: ++ v4l2_ctrl_handler_free(&prev->ctrls); + return ret; + } + +-- +2.25.1 + diff --git a/queue-4.9/mm-mmap.c-add-cond_resched-for-exit_mmap-cpu-stalls.patch b/queue-4.9/mm-mmap.c-add-cond_resched-for-exit_mmap-cpu-stalls.patch new file mode 100644 index 00000000000..64092d921ef --- /dev/null +++ b/queue-4.9/mm-mmap.c-add-cond_resched-for-exit_mmap-cpu-stalls.patch @@ -0,0 +1,83 @@ +From 3f72d4b77f5eec8207f851790c09f0aefbbb6b67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Apr 2020 16:46:10 -0700 +Subject: mm/mmap.c: Add cond_resched() for exit_mmap() CPU stalls + +From: Paul E. McKenney + +[ Upstream commit 0a3b3c253a1eb2c7fe7f34086d46660c909abeb3 ] + +A large process running on a heavily loaded system can encounter the +following RCU CPU stall warning: + + rcu: INFO: rcu_sched self-detected stall on CPU + rcu: 3-....: (20998 ticks this GP) idle=4ea/1/0x4000000000000002 softirq=556558/556558 fqs=5190 + (t=21013 jiffies g=1005461 q=132576) + NMI backtrace for cpu 3 + CPU: 3 PID: 501900 Comm: aio-free-ring-w Kdump: loaded Not tainted 5.2.9-108_fbk12_rc3_3858_gb83b75af7909 #1 + Hardware name: Wiwynn HoneyBadger/PantherPlus, BIOS HBM6.71 02/03/2016 + Call Trace: + + dump_stack+0x46/0x60 + nmi_cpu_backtrace.cold.3+0x13/0x50 + ? lapic_can_unplug_cpu.cold.27+0x34/0x34 + nmi_trigger_cpumask_backtrace+0xba/0xca + rcu_dump_cpu_stacks+0x99/0xc7 + rcu_sched_clock_irq.cold.87+0x1aa/0x397 + ? tick_sched_do_timer+0x60/0x60 + update_process_times+0x28/0x60 + tick_sched_timer+0x37/0x70 + __hrtimer_run_queues+0xfe/0x270 + hrtimer_interrupt+0xf4/0x210 + smp_apic_timer_interrupt+0x5e/0x120 + apic_timer_interrupt+0xf/0x20 + + RIP: 0010:kmem_cache_free+0x223/0x300 + Code: 88 00 00 00 0f 85 ca 00 00 00 41 8b 55 18 31 f6 f7 da 41 f6 45 0a 02 40 0f 94 c6 83 c6 05 9c 41 5e fa e8 a0 a7 01 00 41 56 9d <49> 8b 47 08 a8 03 0f 85 87 00 00 00 65 48 ff 08 e9 3d fe ff ff 65 + RSP: 0018:ffffc9000e8e3da8 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff13 + RAX: 0000000000020000 RBX: ffff88861b9de960 RCX: 0000000000000030 + RDX: fffffffffffe41e8 RSI: 000060777fe3a100 RDI: 000000000001be18 + RBP: ffffea00186e7780 R08: ffffffffffffffff R09: ffffffffffffffff + R10: ffff88861b9dea28 R11: ffff88887ffde000 R12: ffffffff81230a1f + R13: ffff888854684dc0 R14: 0000000000000206 R15: ffff8888547dbc00 + ? remove_vma+0x4f/0x60 + remove_vma+0x4f/0x60 + exit_mmap+0xd6/0x160 + mmput+0x4a/0x110 + do_exit+0x278/0xae0 + ? syscall_trace_enter+0x1d3/0x2b0 + ? handle_mm_fault+0xaa/0x1c0 + do_group_exit+0x3a/0xa0 + __x64_sys_exit_group+0x14/0x20 + do_syscall_64+0x42/0x100 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +And on a PREEMPT=n kernel, the "while (vma)" loop in exit_mmap() can run +for a very long time given a large process. This commit therefore adds +a cond_resched() to this loop, providing RCU any needed quiescent states. + +Cc: Andrew Morton +Cc: +Reviewed-by: Shakeel Butt +Reviewed-by: Joel Fernandes (Google) +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + mm/mmap.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/mm/mmap.c b/mm/mmap.c +index d221266d100f4..7109f886e739e 100644 +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -3018,6 +3018,7 @@ void exit_mmap(struct mm_struct *mm) + if (vma->vm_flags & VM_ACCOUNT) + nr_accounted += vma_pages(vma); + vma = remove_vma(vma); ++ cond_resched(); + } + vm_unacct_memory(nr_accounted); + } +-- +2.25.1 + diff --git a/queue-4.9/mwifiex-prevent-memory-corruption-handling-keys.patch b/queue-4.9/mwifiex-prevent-memory-corruption-handling-keys.patch new file mode 100644 index 00000000000..1a145acb3e2 --- /dev/null +++ b/queue-4.9/mwifiex-prevent-memory-corruption-handling-keys.patch @@ -0,0 +1,82 @@ +From dc2c8439ddab2c841c1307f0c0243b320f091e55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jul 2020 14:58:57 +0300 +Subject: mwifiex: Prevent memory corruption handling keys + +From: Dan Carpenter + +[ Upstream commit e18696786548244914f36ec3c46ac99c53df99c3 ] + +The length of the key comes from the network and it's a 16 bit number. It +needs to be capped to prevent a buffer overflow. + +Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver") +Signed-off-by: Dan Carpenter +Acked-by: Ganapathi Bhat +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200708115857.GA13729@mwanda +Signed-off-by: Sasha Levin +--- + .../wireless/marvell/mwifiex/sta_cmdresp.c | 22 +++++++++++++------ + 1 file changed, 15 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c b/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c +index 8548027abf71b..1e26936c0d727 100644 +--- a/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c ++++ b/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c +@@ -586,6 +586,11 @@ static int mwifiex_ret_802_11_key_material_v1(struct mwifiex_private *priv, + { + struct host_cmd_ds_802_11_key_material *key = + &resp->params.key_material; ++ int len; ++ ++ len = le16_to_cpu(key->key_param_set.key_len); ++ if (len > sizeof(key->key_param_set.key)) ++ return -EINVAL; + + if (le16_to_cpu(key->action) == HostCmd_ACT_GEN_SET) { + if ((le16_to_cpu(key->key_param_set.key_info) & KEY_MCAST)) { +@@ -599,9 +604,8 @@ static int mwifiex_ret_802_11_key_material_v1(struct mwifiex_private *priv, + + memset(priv->aes_key.key_param_set.key, 0, + sizeof(key->key_param_set.key)); +- priv->aes_key.key_param_set.key_len = key->key_param_set.key_len; +- memcpy(priv->aes_key.key_param_set.key, key->key_param_set.key, +- le16_to_cpu(priv->aes_key.key_param_set.key_len)); ++ priv->aes_key.key_param_set.key_len = cpu_to_le16(len); ++ memcpy(priv->aes_key.key_param_set.key, key->key_param_set.key, len); + + return 0; + } +@@ -616,9 +620,14 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv, + struct host_cmd_ds_command *resp) + { + struct host_cmd_ds_802_11_key_material_v2 *key_v2; +- __le16 len; ++ int len; + + key_v2 = &resp->params.key_material_v2; ++ ++ len = le16_to_cpu(key_v2->key_param_set.key_params.aes.key_len); ++ if (len > WLAN_KEY_LEN_CCMP) ++ return -EINVAL; ++ + if (le16_to_cpu(key_v2->action) == HostCmd_ACT_GEN_SET) { + if ((le16_to_cpu(key_v2->key_param_set.key_info) & KEY_MCAST)) { + mwifiex_dbg(priv->adapter, INFO, "info: key: GTK is set\n"); +@@ -634,10 +643,9 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv, + memset(priv->aes_key_v2.key_param_set.key_params.aes.key, 0, + WLAN_KEY_LEN_CCMP); + priv->aes_key_v2.key_param_set.key_params.aes.key_len = +- key_v2->key_param_set.key_params.aes.key_len; +- len = priv->aes_key_v2.key_param_set.key_params.aes.key_len; ++ cpu_to_le16(len); + memcpy(priv->aes_key_v2.key_param_set.key_params.aes.key, +- key_v2->key_param_set.key_params.aes.key, le16_to_cpu(len)); ++ key_v2->key_param_set.key_params.aes.key, len); + + return 0; + } +-- +2.25.1 + diff --git a/queue-4.9/net-spider_net-fix-the-size-used-in-a-dma_free_coher.patch b/queue-4.9/net-spider_net-fix-the-size-used-in-a-dma_free_coher.patch new file mode 100644 index 00000000000..ef2bfd5bfec --- /dev/null +++ b/queue-4.9/net-spider_net-fix-the-size-used-in-a-dma_free_coher.patch @@ -0,0 +1,39 @@ +From 03443c0301fac38ace85f8c05d6e45dd0bab433f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 15:53:33 +0200 +Subject: net: spider_net: Fix the size used in a 'dma_free_coherent()' call + +From: Christophe JAILLET + +[ Upstream commit 36f28f7687a9ce665479cce5d64ce7afaa9e77ae ] + +Update the size used in 'dma_free_coherent()' in order to match the one +used in the corresponding 'dma_alloc_coherent()', in +'spider_net_init_chain()'. + +Fixes: d4ed8f8d1fb7 ("Spidernet DMA coalescing") +Signed-off-by: Christophe JAILLET +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/toshiba/spider_net.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/toshiba/spider_net.c b/drivers/net/ethernet/toshiba/spider_net.c +index 1085987946212..9507ca2e02acd 100644 +--- a/drivers/net/ethernet/toshiba/spider_net.c ++++ b/drivers/net/ethernet/toshiba/spider_net.c +@@ -296,8 +296,8 @@ spider_net_free_chain(struct spider_net_card *card, + descr = descr->next; + } while (descr != chain->ring); + +- dma_free_coherent(&card->pdev->dev, chain->num_desc, +- chain->hwring, chain->dma_addr); ++ dma_free_coherent(&card->pdev->dev, chain->num_desc * sizeof(struct spider_net_hw_descr), ++ chain->hwring, chain->dma_addr); + } + + /** +-- +2.25.1 + diff --git a/queue-4.9/pci-aspm-add-missing-newline-in-sysfs-policy.patch b/queue-4.9/pci-aspm-add-missing-newline-in-sysfs-policy.patch new file mode 100644 index 00000000000..3ad09c61841 --- /dev/null +++ b/queue-4.9/pci-aspm-add-missing-newline-in-sysfs-policy.patch @@ -0,0 +1,40 @@ +From 7b029b7b0eb117378e935d72ce1c9e9fd9788fcd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Jul 2020 15:59:25 +0800 +Subject: PCI/ASPM: Add missing newline in sysfs 'policy' + +From: Xiongfeng Wang + +[ Upstream commit 3167e3d340c092fd47924bc4d23117a3074ef9a9 ] + +When I cat ASPM parameter 'policy' by sysfs, it displays as follows. Add a +newline for easy reading. Other sysfs attributes already include a +newline. + + [root@localhost ~]# cat /sys/module/pcie_aspm/parameters/policy + [default] performance powersave powersupersave [root@localhost ~]# + +Fixes: 7d715a6c1ae5 ("PCI: add PCI Express ASPM support") +Link: https://lore.kernel.org/r/1594972765-10404-1-git-send-email-wangxiongfeng2@huawei.com +Signed-off-by: Xiongfeng Wang +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/pcie/aspm.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c +index 75551a781e887..5eae5f35dcc7b 100644 +--- a/drivers/pci/pcie/aspm.c ++++ b/drivers/pci/pcie/aspm.c +@@ -832,6 +832,7 @@ static int pcie_aspm_get_policy(char *buffer, struct kernel_param *kp) + cnt += sprintf(buffer + cnt, "[%s] ", policy_str[i]); + else + cnt += sprintf(buffer + cnt, "%s ", policy_str[i]); ++ cnt += sprintf(buffer + cnt, "\n"); + return cnt; + } + +-- +2.25.1 + diff --git a/queue-4.9/pci-fix-pci_cfg_wait-queue-locking-problem.patch b/queue-4.9/pci-fix-pci_cfg_wait-queue-locking-problem.patch new file mode 100644 index 00000000000..25d84e177e0 --- /dev/null +++ b/queue-4.9/pci-fix-pci_cfg_wait-queue-locking-problem.patch @@ -0,0 +1,72 @@ +From 750fbabe53594a1d0e127d47db36674d0f05d336 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Jun 2020 18:14:55 -0500 +Subject: PCI: Fix pci_cfg_wait queue locking problem + +From: Bjorn Helgaas + +[ Upstream commit 2a7e32d0547f41c5ce244f84cf5d6ca7fccee7eb ] + +The pci_cfg_wait queue is used to prevent user-space config accesses to +devices while they are recovering from reset. + +Previously we used these operations on pci_cfg_wait: + + __add_wait_queue(&pci_cfg_wait, ...) + __remove_wait_queue(&pci_cfg_wait, ...) + wake_up_all(&pci_cfg_wait) + +The wake_up acquires the wait queue lock, but the add and remove do not. + +Originally these were all protected by the pci_lock, but cdcb33f98244 +("PCI: Avoid possible deadlock on pci_lock and p->pi_lock"), moved +wake_up_all() outside pci_lock, so it could race with add/remove +operations, which caused occasional kernel panics, e.g., during vfio-pci +hotplug/unplug testing: + + Unable to handle kernel read from unreadable memory at virtual address ffff802dac469000 + +Resolve this by using wait_event() instead of __add_wait_queue() and +__remove_wait_queue(). The wait queue lock is held by both wait_event() +and wake_up_all(), so it provides mutual exclusion. + +Fixes: cdcb33f98244 ("PCI: Avoid possible deadlock on pci_lock and p->pi_lock") +Link: https://lore.kernel.org/linux-pci/79827f2f-9b43-4411-1376-b9063b67aee3@huawei.com/T/#u +Based-on: https://lore.kernel.org/linux-pci/20191210031527.40136-1-zhengxiang9@huawei.com/ +Based-on-patch-by: Xiang Zheng +Signed-off-by: Bjorn Helgaas +Tested-by: Xiang Zheng +Cc: Heyi Guo +Cc: Biaoxiang Ye +Signed-off-by: Sasha Levin +--- + drivers/pci/access.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/drivers/pci/access.c b/drivers/pci/access.c +index 7b5cf6d1181a9..6f2a07567532d 100644 +--- a/drivers/pci/access.c ++++ b/drivers/pci/access.c +@@ -185,17 +185,13 @@ EXPORT_SYMBOL(pci_bus_set_ops); + static DECLARE_WAIT_QUEUE_HEAD(pci_cfg_wait); + + static noinline void pci_wait_cfg(struct pci_dev *dev) ++ __must_hold(&pci_lock) + { +- DECLARE_WAITQUEUE(wait, current); +- +- __add_wait_queue(&pci_cfg_wait, &wait); + do { +- set_current_state(TASK_UNINTERRUPTIBLE); + raw_spin_unlock_irq(&pci_lock); +- schedule(); ++ wait_event(pci_cfg_wait, !dev->block_cfg_access); + raw_spin_lock_irq(&pci_lock); + } while (dev->block_cfg_access); +- __remove_wait_queue(&pci_cfg_wait, &wait); + } + + /* Returns 0 on success, negative values indicate error. */ +-- +2.25.1 + diff --git a/queue-4.9/pinctrl-single-fix-pcs_parse_pinconf-return-value.patch b/queue-4.9/pinctrl-single-fix-pcs_parse_pinconf-return-value.patch new file mode 100644 index 00000000000..f19c78e8155 --- /dev/null +++ b/queue-4.9/pinctrl-single-fix-pcs_parse_pinconf-return-value.patch @@ -0,0 +1,143 @@ +From c46a0c6b3859d05a4d5942fb0ade354f2536f6af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Jun 2020 14:51:43 +0200 +Subject: pinctrl-single: fix pcs_parse_pinconf() return value + +From: Drew Fustini + +[ Upstream commit f46fe79ff1b65692a65266a5bec6dbe2bf7fc70f ] + +This patch causes pcs_parse_pinconf() to return -ENOTSUPP when no +pinctrl_map is added. The current behavior is to return 0 when +!PCS_HAS_PINCONF or !nconfs. Thus pcs_parse_one_pinctrl_entry() +incorrectly assumes that a map was added and sets num_maps = 2. + +Analysis: +========= +The function pcs_parse_one_pinctrl_entry() calls pcs_parse_pinconf() +if PCS_HAS_PINCONF is enabled. The function pcs_parse_pinconf() +returns 0 to indicate there was no error and num_maps is then set to 2: + + 980 static int pcs_parse_one_pinctrl_entry(struct pcs_device *pcs, + 981 struct device_node *np, + 982 struct pinctrl_map **map, + 983 unsigned *num_maps, + 984 const char **pgnames) + 985 { + +1053 (*map)->type = PIN_MAP_TYPE_MUX_GROUP; +1054 (*map)->data.mux.group = np->name; +1055 (*map)->data.mux.function = np->name; +1056 +1057 if (PCS_HAS_PINCONF && function) { +1058 res = pcs_parse_pinconf(pcs, np, function, map); +1059 if (res) +1060 goto free_pingroups; +1061 *num_maps = 2; +1062 } else { +1063 *num_maps = 1; +1064 } + +However, pcs_parse_pinconf() will also return 0 if !PCS_HAS_PINCONF or +!nconfs. I believe these conditions should indicate that no map was +added by returning -ENOTSUPP. Otherwise pcs_parse_one_pinctrl_entry() +will set num_maps = 2 even though no maps were successfully added, as +it does not reach "m++" on line 940: + + 895 static int pcs_parse_pinconf(struct pcs_device *pcs, struct device_node *np, + 896 struct pcs_function *func, + 897 struct pinctrl_map **map) + 898 + 899 { + 900 struct pinctrl_map *m = *map; + + 917 /* If pinconf isn't supported, don't parse properties in below. */ + 918 if (!PCS_HAS_PINCONF) + 919 return 0; + 920 + 921 /* cacluate how much properties are supported in current node */ + 922 for (i = 0; i < ARRAY_SIZE(prop2); i++) { + 923 if (of_find_property(np, prop2[i].name, NULL)) + 924 nconfs++; + 925 } + 926 for (i = 0; i < ARRAY_SIZE(prop4); i++) { + 927 if (of_find_property(np, prop4[i].name, NULL)) + 928 nconfs++; + 929 } + 930 if (!nconfs) + 919 return 0; + 932 + 933 func->conf = devm_kcalloc(pcs->dev, + 934 nconfs, sizeof(struct pcs_conf_vals), + 935 GFP_KERNEL); + 936 if (!func->conf) + 937 return -ENOMEM; + 938 func->nconfs = nconfs; + 939 conf = &(func->conf[0]); + 940 m++; + +This situtation will cause a boot failure [0] on the BeagleBone Black +(AM3358) when am33xx_pinmux node in arch/arm/boot/dts/am33xx-l4.dtsi +has compatible = "pinconf-single" instead of "pinctrl-single". + +The patch fixes this issue by returning -ENOSUPP when !PCS_HAS_PINCONF +or !nconfs, so that pcs_parse_one_pinctrl_entry() will know that no +map was added. + +Logic is also added to pcs_parse_one_pinctrl_entry() to distinguish +between -ENOSUPP and other errors. In the case of -ENOSUPP, num_maps +is set to 1 as it is valid for pinconf to be enabled and a given pin +group to not any pinconf properties. + +[0] https://lore.kernel.org/linux-omap/20200529175544.GA3766151@x1/ + +Fixes: 9dddb4df90d1 ("pinctrl: single: support generic pinconf") +Signed-off-by: Drew Fustini +Acked-by: Tony Lindgren +Link: https://lore.kernel.org/r/20200608125143.GA2789203@x1 +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-single.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/pinctrl/pinctrl-single.c b/drivers/pinctrl/pinctrl-single.c +index bfdf720db270d..8769a579ecb13 100644 +--- a/drivers/pinctrl/pinctrl-single.c ++++ b/drivers/pinctrl/pinctrl-single.c +@@ -1078,7 +1078,7 @@ static int pcs_parse_pinconf(struct pcs_device *pcs, struct device_node *np, + + /* If pinconf isn't supported, don't parse properties in below. */ + if (!PCS_HAS_PINCONF) +- return 0; ++ return -ENOTSUPP; + + /* cacluate how much properties are supported in current node */ + for (i = 0; i < ARRAY_SIZE(prop2); i++) { +@@ -1090,7 +1090,7 @@ static int pcs_parse_pinconf(struct pcs_device *pcs, struct device_node *np, + nconfs++; + } + if (!nconfs) +- return 0; ++ return -ENOTSUPP; + + func->conf = devm_kzalloc(pcs->dev, + sizeof(struct pcs_conf_vals) * nconfs, +@@ -1203,9 +1203,12 @@ static int pcs_parse_one_pinctrl_entry(struct pcs_device *pcs, + + if (PCS_HAS_PINCONF) { + res = pcs_parse_pinconf(pcs, np, function, map); +- if (res) ++ if (res == 0) ++ *num_maps = 2; ++ else if (res == -ENOTSUPP) ++ *num_maps = 1; ++ else + goto free_pingroups; +- *num_maps = 2; + } else { + *num_maps = 1; + } +-- +2.25.1 + diff --git a/queue-4.9/platform-x86-intel-hid-fix-return-value-check-in-che.patch b/queue-4.9/platform-x86-intel-hid-fix-return-value-check-in-che.patch new file mode 100644 index 00000000000..0679b27bee1 --- /dev/null +++ b/queue-4.9/platform-x86-intel-hid-fix-return-value-check-in-che.patch @@ -0,0 +1,38 @@ +From 8a1b801e6496ad989e02057a4c213c9c77f663e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jul 2020 17:30:17 +0800 +Subject: platform/x86: intel-hid: Fix return value check in check_acpi_dev() + +From: Lu Wei + +[ Upstream commit 71fbe886ce6dd0be17f20aded9c63fe58edd2806 ] + +In the function check_acpi_dev(), if it fails to create +platform device, the return value is ERR_PTR() or NULL. +Thus it must use IS_ERR_OR_NULL() to check return value. + +Fixes: ecc83e52b28c ("intel-hid: new hid event driver for hotkeys") +Reported-by: Hulk Robot +Signed-off-by: Lu Wei +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel-hid.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/intel-hid.c b/drivers/platform/x86/intel-hid.c +index 12dbb50633761..a5c645b9e3f2a 100644 +--- a/drivers/platform/x86/intel-hid.c ++++ b/drivers/platform/x86/intel-hid.c +@@ -264,7 +264,7 @@ check_acpi_dev(acpi_handle handle, u32 lvl, void *context, void **rv) + return AE_OK; + + if (acpi_match_device_ids(dev, ids) == 0) +- if (acpi_create_platform_device(dev, NULL)) ++ if (!IS_ERR_OR_NULL(acpi_create_platform_device(dev, NULL))) + dev_info(&dev->dev, + "intel-hid: created platform device\n"); + +-- +2.25.1 + diff --git a/queue-4.9/platform-x86-intel-vbtn-fix-return-value-check-in-ch.patch b/queue-4.9/platform-x86-intel-vbtn-fix-return-value-check-in-ch.patch new file mode 100644 index 00000000000..2e4d1496a95 --- /dev/null +++ b/queue-4.9/platform-x86-intel-vbtn-fix-return-value-check-in-ch.patch @@ -0,0 +1,38 @@ +From f4aef07ec34ec823af2b46a0b7dbc37f415931bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jul 2020 17:30:18 +0800 +Subject: platform/x86: intel-vbtn: Fix return value check in check_acpi_dev() + +From: Lu Wei + +[ Upstream commit 64dd4a5a7d214a07e3d9f40227ec30ac8ba8796e ] + +In the function check_acpi_dev(), if it fails to create +platform device, the return value is ERR_PTR() or NULL. +Thus it must use IS_ERR_OR_NULL() to check return value. + +Fixes: 332e081225fc ("intel-vbtn: new driver for Intel Virtual Button") +Reported-by: Hulk Robot +Signed-off-by: Lu Wei +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel-vbtn.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/intel-vbtn.c b/drivers/platform/x86/intel-vbtn.c +index a74340dff530e..1cf2a38add5f9 100644 +--- a/drivers/platform/x86/intel-vbtn.c ++++ b/drivers/platform/x86/intel-vbtn.c +@@ -168,7 +168,7 @@ check_acpi_dev(acpi_handle handle, u32 lvl, void *context, void **rv) + return AE_OK; + + if (acpi_match_device_ids(dev, ids) == 0) +- if (acpi_create_platform_device(dev, NULL)) ++ if (!IS_ERR_OR_NULL(acpi_create_platform_device(dev, NULL))) + dev_info(&dev->dev, + "intel-vbtn: created platform device\n"); + +-- +2.25.1 + diff --git a/queue-4.9/power-supply-check-if-calc_soc-succeeded-in-pm860x_i.patch b/queue-4.9/power-supply-check-if-calc_soc-succeeded-in-pm860x_i.patch new file mode 100644 index 00000000000..588441cc784 --- /dev/null +++ b/queue-4.9/power-supply-check-if-calc_soc-succeeded-in-pm860x_i.patch @@ -0,0 +1,58 @@ +From 7cb295a22fa38cf1a75194b3f7389c08dc85a4c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Jul 2020 12:23:51 -0700 +Subject: power: supply: check if calc_soc succeeded in pm860x_init_battery + +From: Tom Rix + +[ Upstream commit ccf193dee1f0fff55b556928591f7818bac1b3b1 ] + +clang static analysis flags this error + +88pm860x_battery.c:522:19: warning: Assigned value is + garbage or undefined [core.uninitialized.Assign] + info->start_soc = soc; + ^ ~~~ +soc is set by calling calc_soc. +But calc_soc can return without setting soc. + +So check the return status and bail similarly to other +checks in pm860x_init_battery and initialize soc to +silence the warning. + +Fixes: a830d28b48bf ("power_supply: Enable battery-charger for 88pm860x") + +Signed-off-by: Tom Rix +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/88pm860x_battery.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/power/supply/88pm860x_battery.c b/drivers/power/supply/88pm860x_battery.c +index 63c57dc82ac1d..4eda5065b5bbc 100644 +--- a/drivers/power/supply/88pm860x_battery.c ++++ b/drivers/power/supply/88pm860x_battery.c +@@ -436,7 +436,7 @@ static void pm860x_init_battery(struct pm860x_battery_info *info) + int ret; + int data; + int bat_remove; +- int soc; ++ int soc = 0; + + /* measure enable on GPADC1 */ + data = MEAS1_GP1; +@@ -499,7 +499,9 @@ static void pm860x_init_battery(struct pm860x_battery_info *info) + } + mutex_unlock(&info->lock); + +- calc_soc(info, OCV_MODE_ACTIVE, &soc); ++ ret = calc_soc(info, OCV_MODE_ACTIVE, &soc); ++ if (ret < 0) ++ goto out; + + data = pm860x_reg_read(info->i2c, PM8607_POWER_UP_LOG); + bat_remove = data & BAT_WU_LOG; +-- +2.25.1 + diff --git a/queue-4.9/powerpc-vdso-fix-vdso-cpu-truncation.patch b/queue-4.9/powerpc-vdso-fix-vdso-cpu-truncation.patch new file mode 100644 index 00000000000..eeeabf89842 --- /dev/null +++ b/queue-4.9/powerpc-vdso-fix-vdso-cpu-truncation.patch @@ -0,0 +1,45 @@ +From 1d746fc8ca60906ad6772287be498913d6f47dba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jul 2020 09:37:04 +1000 +Subject: powerpc/vdso: Fix vdso cpu truncation + +From: Milton Miller + +[ Upstream commit a9f675f950a07d5c1dbcbb97aabac56f5ed085e3 ] + +The code in vdso_cpu_init that exposes the cpu and numa node to +userspace via SPRG_VDSO incorrctly masks the cpu to 12 bits. This means +that any kernel running on a box with more than 4096 threads (NR_CPUS +advertises a limit of of 8192 cpus) would expose userspace to two cpu +contexts running at the same time with the same cpu number. + +Note: I'm not aware of any distro shipping a kernel with support for more +than 4096 threads today, nor of any system image that currently exceeds +4096 threads. Found via code browsing. + +Fixes: 18ad51dd342a7eb09dbcd059d0b451b616d4dafc ("powerpc: Add VDSO version of getcpu") +Signed-off-by: Milton Miller +Signed-off-by: Anton Blanchard +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200715233704.1352257-1-anton@ozlabs.org +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/vdso.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/kernel/vdso.c b/arch/powerpc/kernel/vdso.c +index 4111d30badfad..d24aea160352b 100644 +--- a/arch/powerpc/kernel/vdso.c ++++ b/arch/powerpc/kernel/vdso.c +@@ -704,7 +704,7 @@ int vdso_getcpu_init(void) + node = cpu_to_node(cpu); + WARN_ON_ONCE(node > 0xffff); + +- val = (cpu & 0xfff) | ((node & 0xffff) << 16); ++ val = (cpu & 0xffff) | ((node & 0xffff) << 16); + mtspr(SPRN_SPRG_VDSO_WRITE, val); + get_paca()->sprg_vdso = val; + +-- +2.25.1 + diff --git a/queue-4.9/s390-qeth-don-t-process-empty-bridge-port-events.patch b/queue-4.9/s390-qeth-don-t-process-empty-bridge-port-events.patch new file mode 100644 index 00000000000..1af9a20944a --- /dev/null +++ b/queue-4.9/s390-qeth-don-t-process-empty-bridge-port-events.patch @@ -0,0 +1,40 @@ +From 8bddf06df63dcfca9ae0c6ebd75bcd0ee02ae315 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jul 2020 17:01:20 +0200 +Subject: s390/qeth: don't process empty bridge port events + +From: Julian Wiedmann + +[ Upstream commit 02472e28b9a45471c6d8729ff2c7422baa9be46a ] + +Discard events that don't contain any entries. This shouldn't happen, +but subsequent code relies on being able to use entry 0. So better +be safe than accessing garbage. + +Fixes: b4d72c08b358 ("qeth: bridgeport support - basic control") +Signed-off-by: Julian Wiedmann +Reviewed-by: Alexandra Winter +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/s390/net/qeth_l2_main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/s390/net/qeth_l2_main.c b/drivers/s390/net/qeth_l2_main.c +index 51152681aba6e..c878c87966163 100644 +--- a/drivers/s390/net/qeth_l2_main.c ++++ b/drivers/s390/net/qeth_l2_main.c +@@ -1675,6 +1675,10 @@ static void qeth_bridge_state_change(struct qeth_card *card, + int extrasize; + + QETH_CARD_TEXT(card, 2, "brstchng"); ++ if (qports->num_entries == 0) { ++ QETH_CARD_TEXT(card, 2, "BPempty"); ++ return; ++ } + if (qports->entry_length != sizeof(struct qeth_sbp_port_entry)) { + QETH_CARD_TEXT_(card, 2, "BPsz%04x", qports->entry_length); + return; +-- +2.25.1 + diff --git a/queue-4.9/scsi-cumana_2-fix-different-dev_id-between-request_i.patch b/queue-4.9/scsi-cumana_2-fix-different-dev_id-between-request_i.patch new file mode 100644 index 00000000000..6880d4cc418 --- /dev/null +++ b/queue-4.9/scsi-cumana_2-fix-different-dev_id-between-request_i.patch @@ -0,0 +1,39 @@ +From 61a7d210e61e5d37a2c124626e1d84cd887189f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Jun 2020 22:47:30 +0200 +Subject: scsi: cumana_2: Fix different dev_id between request_irq() and + free_irq() + +From: Christophe JAILLET + +[ Upstream commit 040ab9c4fd0070cd5fa71ba3a7b95b8470db9b4d ] + +The dev_id used in request_irq() and free_irq() should match. Use 'info' +in both cases. + +Link: https://lore.kernel.org/r/20200625204730.943520-1-christophe.jaillet@wanadoo.fr +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Acked-by: Russell King +Signed-off-by: Christophe JAILLET +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/arm/cumana_2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/arm/cumana_2.c b/drivers/scsi/arm/cumana_2.c +index edce5f3cfdba0..93ba83e3148eb 100644 +--- a/drivers/scsi/arm/cumana_2.c ++++ b/drivers/scsi/arm/cumana_2.c +@@ -454,7 +454,7 @@ static int cumanascsi2_probe(struct expansion_card *ec, + + if (info->info.scsi.dma != NO_DMA) + free_dma(info->info.scsi.dma); +- free_irq(ec->irq, host); ++ free_irq(ec->irq, info); + + out_release: + fas216_release(host); +-- +2.25.1 + diff --git a/queue-4.9/scsi-eesox-fix-different-dev_id-between-request_irq-.patch b/queue-4.9/scsi-eesox-fix-different-dev_id-between-request_irq-.patch new file mode 100644 index 00000000000..3deaf8ff411 --- /dev/null +++ b/queue-4.9/scsi-eesox-fix-different-dev_id-between-request_irq-.patch @@ -0,0 +1,38 @@ +From bd1c8abc7ad16a5836caa4772abfe94be0876399 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Jun 2020 06:05:53 +0200 +Subject: scsi: eesox: Fix different dev_id between request_irq() and + free_irq() + +From: Christophe JAILLET + +[ Upstream commit 86f2da1112ccf744ad9068b1d5d9843faf8ddee6 ] + +The dev_id used in request_irq() and free_irq() should match. Use 'info' in +both cases. + +Link: https://lore.kernel.org/r/20200626040553.944352-1-christophe.jaillet@wanadoo.fr +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Christophe JAILLET +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/arm/eesox.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/arm/eesox.c b/drivers/scsi/arm/eesox.c +index e93e047f43165..65bb34ce93b94 100644 +--- a/drivers/scsi/arm/eesox.c ++++ b/drivers/scsi/arm/eesox.c +@@ -575,7 +575,7 @@ static int eesoxscsi_probe(struct expansion_card *ec, const struct ecard_id *id) + + if (info->info.scsi.dma != NO_DMA) + free_dma(info->info.scsi.dma); +- free_irq(ec->irq, host); ++ free_irq(ec->irq, info); + + out_remove: + fas216_remove(host); +-- +2.25.1 + diff --git a/queue-4.9/scsi-mesh-fix-panic-after-host-or-bus-reset.patch b/queue-4.9/scsi-mesh-fix-panic-after-host-or-bus-reset.patch new file mode 100644 index 00000000000..cd169270ca9 --- /dev/null +++ b/queue-4.9/scsi-mesh-fix-panic-after-host-or-bus-reset.patch @@ -0,0 +1,109 @@ +From 0a72424e8300b13c10e61c5d736cfb8325a63112 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jul 2020 09:25:51 +1000 +Subject: scsi: mesh: Fix panic after host or bus reset + +From: Finn Thain + +[ Upstream commit edd7dd2292ab9c3628b65c4d04514c3068ad54f6 ] + +Booting Linux with a Conner CP3200 drive attached to the MESH SCSI bus +results in EH measures and a panic: + +[ 25.499838] mesh: configured for synchronous 5 MB/s +[ 25.787154] mesh: performing initial bus reset... +[ 29.867115] scsi host0: MESH +[ 29.929527] mesh: target 0 synchronous at 3.6 MB/s +[ 29.998763] scsi 0:0:0:0: Direct-Access CONNER CP3200-200mb-3.5 4040 PQ: 0 ANSI: 1 CCS +[ 31.989975] sd 0:0:0:0: [sda] 415872 512-byte logical blocks: (213 MB/203 MiB) +[ 32.070975] sd 0:0:0:0: [sda] Write Protect is off +[ 32.137197] sd 0:0:0:0: [sda] Mode Sense: 5b 00 00 08 +[ 32.209661] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA +[ 32.332708] sda: [mac] sda1 sda2 sda3 +[ 32.417733] sd 0:0:0:0: [sda] Attached SCSI disk +... snip ... +[ 76.687067] mesh_abort((ptrval)) +[ 76.743606] mesh: state at (ptrval), regs at (ptrval), dma at (ptrval) +[ 76.810798] ct=6000 seq=86 bs=4017 fc= 0 exc= 0 err= 0 im= 7 int= 0 sp=85 +[ 76.880720] dma stat=84e0 cmdptr=1f73d000 +[ 76.941387] phase=4 msgphase=0 conn_tgt=0 data_ptr=24576 +[ 77.005567] dma_st=1 dma_ct=0 n_msgout=0 +[ 77.065456] target 0: req=(ptrval) goes_out=0 saved_ptr=0 +[ 77.130512] mesh_abort((ptrval)) +[ 77.187670] mesh: state at (ptrval), regs at (ptrval), dma at (ptrval) +[ 77.255594] ct=6000 seq=86 bs=4017 fc= 0 exc= 0 err= 0 im= 7 int= 0 sp=85 +[ 77.325778] dma stat=84e0 cmdptr=1f73d000 +[ 77.387239] phase=4 msgphase=0 conn_tgt=0 data_ptr=24576 +[ 77.453665] dma_st=1 dma_ct=0 n_msgout=0 +[ 77.515900] target 0: req=(ptrval) goes_out=0 saved_ptr=0 +[ 77.582902] mesh_host_reset +[ 88.187083] Kernel panic - not syncing: mesh: double DMA start ! +[ 88.254510] CPU: 0 PID: 358 Comm: scsi_eh_0 Not tainted 5.6.13-pmac #1 +[ 88.323302] Call Trace: +[ 88.378854] [e16ddc58] [c0027080] panic+0x13c/0x308 (unreliable) +[ 88.446221] [e16ddcb8] [c02b2478] mesh_start.part.12+0x130/0x414 +[ 88.513298] [e16ddcf8] [c02b2fc8] mesh_queue+0x54/0x70 +[ 88.577097] [e16ddd18] [c02a1848] scsi_send_eh_cmnd+0x374/0x384 +[ 88.643476] [e16dddc8] [c02a1938] scsi_eh_tur+0x5c/0xb8 +[ 88.707878] [e16dddf8] [c02a1ab8] scsi_eh_test_devices+0x124/0x178 +[ 88.775663] [e16dde28] [c02a2094] scsi_eh_ready_devs+0x588/0x8a8 +[ 88.843124] [e16dde98] [c02a31d8] scsi_error_handler+0x344/0x520 +[ 88.910697] [e16ddf08] [c00409c8] kthread+0xe4/0xe8 +[ 88.975166] [e16ddf38] [c000f234] ret_from_kernel_thread+0x14/0x1c +[ 89.044112] Rebooting in 180 seconds.. + +In theory, a panic can happen after a bus or host reset with dma_started +flag set. Fix this by halting the DMA before reinitializing the host. +Don't assume that ms->current_req is set when halt_dma() is invoked as it +may not hold for bus or host reset. + +BTW, this particular Conner drive can be made to work by inhibiting +disconnect/reselect with 'mesh.resel_targets=0'. + +Link: https://lore.kernel.org/r/3952bc691e150a7128b29120999b6092071b039a.1595460351.git.fthain@telegraphics.com.au +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: Paul Mackerras +Reported-and-tested-by: Stan Johnson +Signed-off-by: Finn Thain +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/mesh.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/mesh.c b/drivers/scsi/mesh.c +index 1753e42826dd9..a880abf5abaad 100644 +--- a/drivers/scsi/mesh.c ++++ b/drivers/scsi/mesh.c +@@ -1044,6 +1044,8 @@ static void handle_error(struct mesh_state *ms) + while ((in_8(&mr->bus_status1) & BS1_RST) != 0) + udelay(1); + printk("done\n"); ++ if (ms->dma_started) ++ halt_dma(ms); + handle_reset(ms); + /* request_q is empty, no point in mesh_start() */ + return; +@@ -1356,7 +1358,8 @@ static void halt_dma(struct mesh_state *ms) + ms->conn_tgt, ms->data_ptr, scsi_bufflen(cmd), + ms->tgts[ms->conn_tgt].data_goes_out); + } +- scsi_dma_unmap(cmd); ++ if (cmd) ++ scsi_dma_unmap(cmd); + ms->dma_started = 0; + } + +@@ -1711,6 +1714,9 @@ static int mesh_host_reset(struct scsi_cmnd *cmd) + + spin_lock_irqsave(ms->host->host_lock, flags); + ++ if (ms->dma_started) ++ halt_dma(ms); ++ + /* Reset the controller & dbdma channel */ + out_le32(&md->control, (RUN|PAUSE|FLUSH|WAKE) << 16); /* stop dma */ + out_8(&mr->exception, 0xff); /* clear all exception bits */ +-- +2.25.1 + diff --git a/queue-4.9/scsi-powertec-fix-different-dev_id-between-request_i.patch b/queue-4.9/scsi-powertec-fix-different-dev_id-between-request_i.patch new file mode 100644 index 00000000000..4a2584baed1 --- /dev/null +++ b/queue-4.9/scsi-powertec-fix-different-dev_id-between-request_i.patch @@ -0,0 +1,38 @@ +From 4c284f172215dcefee8d28949f44a58a9f02b6c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Jun 2020 05:59:48 +0200 +Subject: scsi: powertec: Fix different dev_id between request_irq() and + free_irq() + +From: Christophe JAILLET + +[ Upstream commit d179f7c763241c1dc5077fca88ddc3c47d21b763 ] + +The dev_id used in request_irq() and free_irq() should match. Use 'info' in +both cases. + +Link: https://lore.kernel.org/r/20200626035948.944148-1-christophe.jaillet@wanadoo.fr +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Christophe JAILLET +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/arm/powertec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/arm/powertec.c b/drivers/scsi/arm/powertec.c +index 79aa88911b7f3..b5e4a25ea1ef3 100644 +--- a/drivers/scsi/arm/powertec.c ++++ b/drivers/scsi/arm/powertec.c +@@ -382,7 +382,7 @@ static int powertecscsi_probe(struct expansion_card *ec, + + if (info->info.scsi.dma != NO_DMA) + free_dma(info->info.scsi.dma); +- free_irq(ec->irq, host); ++ free_irq(ec->irq, info); + + out_release: + fas216_release(host); +-- +2.25.1 + diff --git a/queue-4.9/scsi-scsi_debug-add-check-for-sdebug_max_queue-durin.patch b/queue-4.9/scsi-scsi_debug-add-check-for-sdebug_max_queue-durin.patch new file mode 100644 index 00000000000..56fdf355655 --- /dev/null +++ b/queue-4.9/scsi-scsi_debug-add-check-for-sdebug_max_queue-durin.patch @@ -0,0 +1,92 @@ +From d9e88d1f6e6027c2837303762b7a4a29fceddcf9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Jul 2020 20:23:19 +0800 +Subject: scsi: scsi_debug: Add check for sdebug_max_queue during module init + +From: John Garry + +[ Upstream commit c87bf24cfb60bce27b4d2c7e56ebfd86fb9d16bb ] + +sdebug_max_queue should not exceed SDEBUG_CANQUEUE, otherwise crashes like +this can be triggered by passing an out-of-range value: + +Hardware name: Huawei D06 /D06, BIOS Hisilicon D06 UEFI RC0 - V1.16.01 03/15/2019 + pstate: 20400009 (nzCv daif +PAN -UAO BTYPE=--) + pc : schedule_resp+0x2a4/0xa70 [scsi_debug] + lr : schedule_resp+0x52c/0xa70 [scsi_debug] + sp : ffff800022ab36f0 + x29: ffff800022ab36f0 x28: ffff0023a935a610 + x27: ffff800008e0a648 x26: 0000000000000003 + x25: ffff0023e84f3200 x24: 00000000003d0900 + x23: 0000000000000000 x22: 0000000000000000 + x21: ffff0023be60a320 x20: ffff0023be60b538 + x19: ffff800008e13000 x18: 0000000000000000 + x17: 0000000000000000 x16: 0000000000000000 + x15: 0000000000000000 x14: 0000000000000000 + x13: 0000000000000000 x12: 0000000000000000 + x11: 0000000000000000 x10: 0000000000000000 + x9 : 0000000000000001 x8 : 0000000000000000 + x7 : 0000000000000000 x6 : 00000000000000c1 + x5 : 0000020000200000 x4 : dead0000000000ff + x3 : 0000000000000200 x2 : 0000000000000200 + x1 : ffff800008e13d88 x0 : 0000000000000000 + Call trace: +schedule_resp+0x2a4/0xa70 [scsi_debug] +scsi_debug_queuecommand+0x2c4/0x9e0 [scsi_debug] +scsi_queue_rq+0x698/0x840 +__blk_mq_try_issue_directly+0x108/0x228 +blk_mq_request_issue_directly+0x58/0x98 +blk_mq_try_issue_list_directly+0x5c/0xf0 +blk_mq_sched_insert_requests+0x18c/0x200 +blk_mq_flush_plug_list+0x11c/0x190 +blk_flush_plug_list+0xdc/0x110 +blk_finish_plug+0x38/0x210 +blkdev_direct_IO+0x450/0x4d8 +generic_file_read_iter+0x84/0x180 +blkdev_read_iter+0x3c/0x50 +aio_read+0xc0/0x170 +io_submit_one+0x5c8/0xc98 +__arm64_sys_io_submit+0x1b0/0x258 +el0_svc_common.constprop.3+0x68/0x170 +do_el0_svc+0x24/0x90 +el0_sync_handler+0x13c/0x1a8 +el0_sync+0x158/0x180 + Code: 528847e0 72a001e0 6b00003f 540018cd (3941c340) + +In addition, it should not be less than 1. + +So add checks for these, and fail the module init for those cases. + +[mkp: changed if condition to match error message] + +Link: https://lore.kernel.org/r/1594297400-24756-2-git-send-email-john.garry@huawei.com +Fixes: c483739430f1 ("scsi_debug: add multiple queue support") +Reviewed-by: Ming Lei +Acked-by: Douglas Gilbert +Signed-off-by: John Garry +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_debug.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c +index d7118d3767c35..99bfb003be3fc 100644 +--- a/drivers/scsi/scsi_debug.c ++++ b/drivers/scsi/scsi_debug.c +@@ -4986,6 +4986,12 @@ static int __init scsi_debug_init(void) + pr_err("submit_queues must be 1 or more\n"); + return -EINVAL; + } ++ ++ if ((sdebug_max_queue > SDEBUG_CANQUEUE) || (sdebug_max_queue < 1)) { ++ pr_err("max_queue must be in range [1, %d]\n", SDEBUG_CANQUEUE); ++ return -EINVAL; ++ } ++ + sdebug_q_arr = kcalloc(submit_queues, sizeof(struct sdebug_queue), + GFP_KERNEL); + if (sdebug_q_arr == NULL) +-- +2.25.1 + diff --git a/queue-4.9/selftests-powerpc-fix-cpu-affinity-for-child-process.patch b/queue-4.9/selftests-powerpc-fix-cpu-affinity-for-child-process.patch new file mode 100644 index 00000000000..485014305b5 --- /dev/null +++ b/queue-4.9/selftests-powerpc-fix-cpu-affinity-for-child-process.patch @@ -0,0 +1,82 @@ +From c477625bb0166b6f862b4be9ea1f4e0bfa682e53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Jun 2020 13:44:23 +0530 +Subject: selftests/powerpc: Fix CPU affinity for child process + +From: Harish + +[ Upstream commit 854eb5022be04f81e318765f089f41a57c8e5d83 ] + +On systems with large number of cpus, test fails trying to set +affinity by calling sched_setaffinity() with smaller size for affinity +mask. This patch fixes it by making sure that the size of allocated +affinity mask is dependent on the number of CPUs as reported by +get_nprocs(). + +Fixes: 00b7ec5c9cf3 ("selftests/powerpc: Import Anton's context_switch2 benchmark") +Reported-by: Shirisha Ganta +Signed-off-by: Sandipan Das +Signed-off-by: Harish +Reviewed-by: Kamalesh Babulal +Reviewed-by: Satheesh Rajendran +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200609081423.529664-1-harish@linux.ibm.com +Signed-off-by: Sasha Levin +--- + .../powerpc/benchmarks/context_switch.c | 21 ++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +diff --git a/tools/testing/selftests/powerpc/benchmarks/context_switch.c b/tools/testing/selftests/powerpc/benchmarks/context_switch.c +index a36883ad48a45..4b4d2ce912566 100644 +--- a/tools/testing/selftests/powerpc/benchmarks/context_switch.c ++++ b/tools/testing/selftests/powerpc/benchmarks/context_switch.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -97,8 +98,9 @@ static void start_thread_on(void *(*fn)(void *), void *arg, unsigned long cpu) + + static void start_process_on(void *(*fn)(void *), void *arg, unsigned long cpu) + { +- int pid; +- cpu_set_t cpuset; ++ int pid, ncpus; ++ cpu_set_t *cpuset; ++ size_t size; + + pid = fork(); + if (pid == -1) { +@@ -109,14 +111,23 @@ static void start_process_on(void *(*fn)(void *), void *arg, unsigned long cpu) + if (pid) + return; + +- CPU_ZERO(&cpuset); +- CPU_SET(cpu, &cpuset); ++ ncpus = get_nprocs(); ++ size = CPU_ALLOC_SIZE(ncpus); ++ cpuset = CPU_ALLOC(ncpus); ++ if (!cpuset) { ++ perror("malloc"); ++ exit(1); ++ } ++ CPU_ZERO_S(size, cpuset); ++ CPU_SET_S(cpu, size, cpuset); + +- if (sched_setaffinity(0, sizeof(cpuset), &cpuset)) { ++ if (sched_setaffinity(0, size, cpuset)) { + perror("sched_setaffinity"); ++ CPU_FREE(cpuset); + exit(1); + } + ++ CPU_FREE(cpuset); + fn(arg); + + exit(0); +-- +2.25.1 + diff --git a/queue-4.9/selftests-powerpc-fix-online-cpu-selection.patch b/queue-4.9/selftests-powerpc-fix-online-cpu-selection.patch new file mode 100644 index 00000000000..6b5c72a09d5 --- /dev/null +++ b/queue-4.9/selftests-powerpc-fix-online-cpu-selection.patch @@ -0,0 +1,93 @@ +From ce6bf62907ffdc8e48799ffa2c3a23cc5768e6c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jul 2020 10:38:46 +0530 +Subject: selftests/powerpc: Fix online CPU selection + +From: Sandipan Das + +[ Upstream commit dfa03fff86027e58c8dba5c03ae68150d4e513ad ] + +The size of the CPU affinity mask must be large enough for +systems with a very large number of CPUs. Otherwise, tests +which try to determine the first online CPU by calling +sched_getaffinity() will fail. This makes sure that the size +of the allocated affinity mask is dependent on the number of +CPUs as reported by get_nprocs_conf(). + +Fixes: 3752e453f6ba ("selftests/powerpc: Add tests of PMU EBBs") +Reported-by: Shirisha Ganta +Signed-off-by: Sandipan Das +Reviewed-by: Kamalesh Babulal +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/a408c4b8e9a23bb39b539417a21eb0ff47bb5127.1596084858.git.sandipan@linux.ibm.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/powerpc/utils.c | 37 +++++++++++++++++-------- + 1 file changed, 25 insertions(+), 12 deletions(-) + +diff --git a/tools/testing/selftests/powerpc/utils.c b/tools/testing/selftests/powerpc/utils.c +index dcf74184bfd0a..bafb70d0ee264 100644 +--- a/tools/testing/selftests/powerpc/utils.c ++++ b/tools/testing/selftests/powerpc/utils.c +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -62,26 +63,38 @@ void *get_auxv_entry(int type) + + int pick_online_cpu(void) + { +- cpu_set_t mask; +- int cpu; ++ int ncpus, cpu = -1; ++ cpu_set_t *mask; ++ size_t size; ++ ++ ncpus = get_nprocs_conf(); ++ size = CPU_ALLOC_SIZE(ncpus); ++ mask = CPU_ALLOC(ncpus); ++ if (!mask) { ++ perror("malloc"); ++ return -1; ++ } + +- CPU_ZERO(&mask); ++ CPU_ZERO_S(size, mask); + +- if (sched_getaffinity(0, sizeof(mask), &mask)) { ++ if (sched_getaffinity(0, size, mask)) { + perror("sched_getaffinity"); +- return -1; ++ goto done; + } + + /* We prefer a primary thread, but skip 0 */ +- for (cpu = 8; cpu < CPU_SETSIZE; cpu += 8) +- if (CPU_ISSET(cpu, &mask)) +- return cpu; ++ for (cpu = 8; cpu < ncpus; cpu += 8) ++ if (CPU_ISSET_S(cpu, size, mask)) ++ goto done; + + /* Search for anything, but in reverse */ +- for (cpu = CPU_SETSIZE - 1; cpu >= 0; cpu--) +- if (CPU_ISSET(cpu, &mask)) +- return cpu; ++ for (cpu = ncpus - 1; cpu >= 0; cpu--) ++ if (CPU_ISSET_S(cpu, size, mask)) ++ goto done; + + printf("No cpus in affinity mask?!\n"); +- return -1; ++ ++done: ++ CPU_FREE(mask); ++ return cpu; + } +-- +2.25.1 + diff --git a/queue-4.9/series b/queue-4.9/series index aa308572649..3b81267f2da 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -79,3 +79,71 @@ smack-fix-use-after-free-in-smk_write_relabel_self.patch tracepoint-mark-__tracepoint_string-s-__used.patch gpio-fix-oops-resulting-from-calling-of_get_named_gp.patch cgroup-add-missing-skcd-no_refcnt-check-in-cgroup_sk.patch +edac-fix-reference-count-leaks.patch +arm64-dts-qcom-msm8916-replace-invalid-bias-pull-non.patch +arm64-dts-exynos-fix-silent-hang-after-boot-on-espre.patch +m68k-mac-don-t-send-iop-message-until-channel-is-idl.patch +m68k-mac-fix-iop-status-control-register-writes.patch +platform-x86-intel-hid-fix-return-value-check-in-che.patch +platform-x86-intel-vbtn-fix-return-value-check-in-ch.patch +arm-at91-pm-add-missing-put_device-call-in-at91_pm_s.patch +arm-socfpga-pm-add-missing-put_device-call-in-socfpg.patch +drm-tilcdc-fix-leak-null-ref-in-panel_connector_get_.patch +bluetooth-add-a-mutex-lock-to-avoid-uaf-in-do_enale_.patch +fs-btrfs-add-cond_resched-for-try_release_extent_map.patch +drm-radeon-fix-reference-count-leaks-caused-by-pm_ru.patch +video-fbdev-neofb-fix-memory-leak-in-neo_scan_monito.patch +md-cluster-fix-wild-pointer-of-unlock_all_bitmaps.patch +drm-nouveau-fix-multiple-instances-of-reference-coun.patch +drm-debugfs-fix-plain-echo-to-connector-force-attrib.patch +mm-mmap.c-add-cond_resched-for-exit_mmap-cpu-stalls.patch +brcmfmac-to-fix-bss-info-flag-definition-bug.patch +iwlegacy-check-the-return-value-of-pcie_capability_r.patch +usb-gadget-net2280-fix-memory-leak-on-probe-error-ha.patch +bdc-fix-bug-causing-crash-after-multiple-disconnects.patch +dyndbg-fix-a-bug_on-in-ddebug_describe_flags.patch +bcache-fix-super-block-seq-numbers-comparision-in-re.patch +acpica-do-not-increment-operation_region-reference-c.patch +agp-intel-fix-a-memory-leak-on-module-initialisation.patch +video-fbdev-sm712fb-fix-an-issue-about-iounmap-for-a.patch +console-newport_con-fix-an-issue-about-leak-related-.patch +video-pxafb-fix-the-function-used-to-balance-a-dma_a.patch +iio-improve-iio_concentration-channel-type-descripti.patch +leds-lm355x-avoid-enum-conversion-warning.patch +media-omap3isp-add-missed-v4l2_ctrl_handler_free-for.patch +scsi-cumana_2-fix-different-dev_id-between-request_i.patch +drm-mipi-use-dcs-write-for-mipi_dsi_dcs_set_tear_sca.patch +cxl-fix-kobject-memleak.patch +drm-radeon-fix-array-out-of-bounds-read-and-write-is.patch +scsi-powertec-fix-different-dev_id-between-request_i.patch +scsi-eesox-fix-different-dev_id-between-request_irq-.patch +media-firewire-using-uninitialized-values-in-node_pr.patch +media-exynos4-is-add-missed-check-for-pinctrl_lookup.patch +xfs-fix-reflink-quota-reservation-accounting-error.patch +pci-fix-pci_cfg_wait-queue-locking-problem.patch +leds-core-flush-scheduled-work-for-system-suspend.patch +drm-panel-simple-fix-bpc-for-lg-lb070wv8-panel.patch +scsi-scsi_debug-add-check-for-sdebug_max_queue-durin.patch +mwifiex-prevent-memory-corruption-handling-keys.patch +powerpc-vdso-fix-vdso-cpu-truncation.patch +staging-rtl8192u-fix-a-dubious-looking-mask-before-a.patch +pci-aspm-add-missing-newline-in-sysfs-policy.patch +drm-imx-tve-fix-regulator_disable-error-path.patch +usb-serial-iuu_phoenix-fix-led-activity-helpers.patch +usb-dwc2-fix-error-path-in-gadget-registration.patch +scsi-mesh-fix-panic-after-host-or-bus-reset.patch +smack-fix-another-vsscanf-out-of-bounds.patch +smack-prevent-underflow-in-smk_set_cipso.patch +power-supply-check-if-calc_soc-succeeded-in-pm860x_i.patch +selftests-powerpc-fix-cpu-affinity-for-child-process.patch +selftests-powerpc-fix-online-cpu-selection.patch +s390-qeth-don-t-process-empty-bridge-port-events.patch +wl1251-fix-always-return-0-error.patch +net-spider_net-fix-the-size-used-in-a-dma_free_coher.patch +fsl-fman-use-32-bit-unsigned-integer.patch +fsl-fman-fix-dereference-null-return-value.patch +fsl-fman-fix-unreachable-code.patch +fsl-fman-check-dereferencing-null-pointer.patch +fsl-fman-fix-eth-hash-table-allocation.patch +dlm-fix-kobject-memleak.patch +pinctrl-single-fix-pcs_parse_pinconf-return-value.patch diff --git a/queue-4.9/smack-fix-another-vsscanf-out-of-bounds.patch b/queue-4.9/smack-fix-another-vsscanf-out-of-bounds.patch new file mode 100644 index 00000000000..e882e999eb1 --- /dev/null +++ b/queue-4.9/smack-fix-another-vsscanf-out-of-bounds.patch @@ -0,0 +1,39 @@ +From c828c4117f59bbfb6328fb3df92b05ff717a49ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jul 2020 18:22:19 +0300 +Subject: Smack: fix another vsscanf out of bounds + +From: Dan Carpenter + +[ Upstream commit a6bd4f6d9b07452b0b19842044a6c3ea384b0b88 ] + +This is similar to commit 84e99e58e8d1 ("Smack: slab-out-of-bounds in +vsscanf") where we added a bounds check on "rule". + +Reported-by: syzbot+a22c6092d003d6fe1122@syzkaller.appspotmail.com +Fixes: f7112e6c9abf ("Smack: allow for significantly longer Smack labels v4") +Signed-off-by: Dan Carpenter +Signed-off-by: Casey Schaufler +Signed-off-by: Sasha Levin +--- + security/smack/smackfs.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c +index 2bfec47b8d5c5..2eba7c1e66630 100644 +--- a/security/smack/smackfs.c ++++ b/security/smack/smackfs.c +@@ -928,6 +928,10 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf, + + for (i = 0; i < catlen; i++) { + rule += SMK_DIGITLEN; ++ if (rule > data + count) { ++ rc = -EOVERFLOW; ++ goto out; ++ } + ret = sscanf(rule, "%u", &cat); + if (ret != 1 || cat > SMACK_CIPSO_MAXCATNUM) + goto out; +-- +2.25.1 + diff --git a/queue-4.9/smack-prevent-underflow-in-smk_set_cipso.patch b/queue-4.9/smack-prevent-underflow-in-smk_set_cipso.patch new file mode 100644 index 00000000000..d98bbf9a67d --- /dev/null +++ b/queue-4.9/smack-prevent-underflow-in-smk_set_cipso.patch @@ -0,0 +1,36 @@ +From 20e0f876bc65964aa61c7fb37068358be5b4eb1c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jul 2020 18:23:05 +0300 +Subject: Smack: prevent underflow in smk_set_cipso() + +From: Dan Carpenter + +[ Upstream commit 42a2df3e829f3c5562090391b33714b2e2e5ad4a ] + +We have an upper bound on "maplevel" but forgot to check for negative +values. + +Fixes: e114e473771c ("Smack: Simplified Mandatory Access Control Kernel") +Signed-off-by: Dan Carpenter +Signed-off-by: Casey Schaufler +Signed-off-by: Sasha Levin +--- + security/smack/smackfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c +index 2eba7c1e66630..4aecdc8f74b2a 100644 +--- a/security/smack/smackfs.c ++++ b/security/smack/smackfs.c +@@ -907,7 +907,7 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf, + } + + ret = sscanf(rule, "%d", &maplevel); +- if (ret != 1 || maplevel > SMACK_CIPSO_MAXLEVEL) ++ if (ret != 1 || maplevel < 0 || maplevel > SMACK_CIPSO_MAXLEVEL) + goto out; + + rule += SMK_DIGITLEN; +-- +2.25.1 + diff --git a/queue-4.9/staging-rtl8192u-fix-a-dubious-looking-mask-before-a.patch b/queue-4.9/staging-rtl8192u-fix-a-dubious-looking-mask-before-a.patch new file mode 100644 index 00000000000..95cce8ca14f --- /dev/null +++ b/queue-4.9/staging-rtl8192u-fix-a-dubious-looking-mask-before-a.patch @@ -0,0 +1,42 @@ +From a978447b446427868bc22fc20d840077d3c6385e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jul 2020 16:47:20 +0100 +Subject: staging: rtl8192u: fix a dubious looking mask before a shift + +From: Colin Ian King + +[ Upstream commit c4283950a9a4d3bf4a3f362e406c80ab14f10714 ] + +Currently the masking of ret with 0xff and followed by a right shift +of 8 bits always leaves a zero result. It appears the mask of 0xff +is incorrect and should be 0xff00, but I don't have the hardware to +test this. Fix this to mask the upper 8 bits before shifting. + +[ Not tested ] + +Addresses-Coverity: ("Operands don't affect result") +Fixes: 8fc8598e61f6 ("Staging: Added Realtek rtl8192u driver to staging") +Signed-off-by: Colin Ian King +Link: https://lore.kernel.org/r/20200716154720.1710252-1-colin.king@canonical.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/rtl8192u/r8192U_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/staging/rtl8192u/r8192U_core.c b/drivers/staging/rtl8192u/r8192U_core.c +index 6ec3790566504..fa4c47c7d2166 100644 +--- a/drivers/staging/rtl8192u/r8192U_core.c ++++ b/drivers/staging/rtl8192u/r8192U_core.c +@@ -2522,7 +2522,7 @@ static int rtl8192_read_eeprom_info(struct net_device *dev) + ret = eprom_read(dev, (EEPROM_TxPwIndex_CCK >> 1)); + if (ret < 0) + return ret; +- priv->EEPROMTxPowerLevelCCK = ((u16)ret & 0xff) >> 8; ++ priv->EEPROMTxPowerLevelCCK = ((u16)ret & 0xff00) >> 8; + } else + priv->EEPROMTxPowerLevelCCK = 0x10; + RT_TRACE(COMP_EPROM, "CCK Tx Power Levl: 0x%02x\n", priv->EEPROMTxPowerLevelCCK); +-- +2.25.1 + diff --git a/queue-4.9/usb-dwc2-fix-error-path-in-gadget-registration.patch b/queue-4.9/usb-dwc2-fix-error-path-in-gadget-registration.patch new file mode 100644 index 00000000000..995ea974eae --- /dev/null +++ b/queue-4.9/usb-dwc2-fix-error-path-in-gadget-registration.patch @@ -0,0 +1,97 @@ +From fe0c8ba690088e5ad7e78a33a2eca630adbe95b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jul 2020 14:09:48 +0200 +Subject: usb: dwc2: Fix error path in gadget registration + +From: Marek Szyprowski + +[ Upstream commit 33a06f1300a79cfd461cea0268f05e969d4f34ec ] + +When gadget registration fails, one should not call usb_del_gadget_udc(). +Ensure this by setting gadget->udc to NULL. Also in case of a failure +there is no need to disable low-level hardware, so return immiedetly +instead of jumping to error_init label. + +This fixes the following kernel NULL ptr dereference on gadget failure +(can be easily triggered with g_mass_storage without any module +parameters): + +dwc2 12480000.hsotg: dwc2_check_params: Invalid parameter besl=1 +dwc2 12480000.hsotg: dwc2_check_params: Invalid parameter g_np_tx_fifo_size=1024 +dwc2 12480000.hsotg: EPs: 16, dedicated fifos, 7808 entries in SPRAM +Mass Storage Function, version: 2009/09/11 +LUN: removable file: (no medium) +no file given for LUN0 +g_mass_storage 12480000.hsotg: failed to start g_mass_storage: -22 +8<--- cut here --- +Unable to handle kernel NULL pointer dereference at virtual address 00000104 +pgd = (ptrval) +[00000104] *pgd=00000000 +Internal error: Oops: 805 [#1] PREEMPT SMP ARM +Modules linked in: +CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.8.0-rc5 #3133 +Hardware name: Samsung Exynos (Flattened Device Tree) +Workqueue: events deferred_probe_work_func +PC is at usb_del_gadget_udc+0x38/0xc4 +LR is at __mutex_lock+0x31c/0xb18 +... +Process kworker/0:1 (pid: 12, stack limit = 0x(ptrval)) +Stack: (0xef121db0 to 0xef122000) +... +[] (usb_del_gadget_udc) from [] (dwc2_hsotg_remove+0x10/0x20) +[] (dwc2_hsotg_remove) from [] (dwc2_driver_probe+0x57c/0x69c) +[] (dwc2_driver_probe) from [] (platform_drv_probe+0x6c/0xa4) +[] (platform_drv_probe) from [] (really_probe+0x200/0x48c) +[] (really_probe) from [] (driver_probe_device+0x78/0x1fc) +[] (driver_probe_device) from [] (bus_for_each_drv+0x74/0xb8) +[] (bus_for_each_drv) from [] (__device_attach+0xd4/0x16c) +[] (__device_attach) from [] (bus_probe_device+0x88/0x90) +[] (bus_probe_device) from [] (deferred_probe_work_func+0x3c/0xd0) +[] (deferred_probe_work_func) from [] (process_one_work+0x234/0x7dc) +[] (process_one_work) from [] (worker_thread+0x44/0x51c) +[] (worker_thread) from [] (kthread+0x158/0x1a0) +[] (kthread) from [] (ret_from_fork+0x14/0x20) +Exception stack(0xef121fb0 to 0xef121ff8) +... +---[ end trace 9724c2fc7cc9c982 ]--- + +While fixing this also fix the double call to dwc2_lowlevel_hw_disable() +if dr_mode is set to USB_DR_MODE_PERIPHERAL. In such case low-level +hardware is already disabled before calling usb_add_gadget_udc(). That +function correctly preserves low-level hardware state, there is no need +for the second unconditional dwc2_lowlevel_hw_disable() call. + +Fixes: 207324a321a8 ("usb: dwc2: Postponed gadget registration to the udc class driver") +Acked-by: Minas Harutyunyan +Signed-off-by: Marek Szyprowski +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc2/platform.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/dwc2/platform.c b/drivers/usb/dwc2/platform.c +index 38926495c751d..f985315ebd3bd 100644 +--- a/drivers/usb/dwc2/platform.c ++++ b/drivers/usb/dwc2/platform.c +@@ -668,6 +668,7 @@ static int dwc2_driver_probe(struct platform_device *dev) + if (hsotg->gadget_enabled) { + retval = usb_add_gadget_udc(hsotg->dev, &hsotg->gadget); + if (retval) { ++ hsotg->gadget.udc = NULL; + dwc2_hsotg_remove(hsotg); + goto error; + } +@@ -676,7 +677,8 @@ static int dwc2_driver_probe(struct platform_device *dev) + return 0; + + error: +- dwc2_lowlevel_hw_disable(hsotg); ++ if (hsotg->dr_mode != USB_DR_MODE_PERIPHERAL) ++ dwc2_lowlevel_hw_disable(hsotg); + return retval; + } + +-- +2.25.1 + diff --git a/queue-4.9/usb-gadget-net2280-fix-memory-leak-on-probe-error-ha.patch b/queue-4.9/usb-gadget-net2280-fix-memory-leak-on-probe-error-ha.patch new file mode 100644 index 00000000000..be438d4385e --- /dev/null +++ b/queue-4.9/usb-gadget-net2280-fix-memory-leak-on-probe-error-ha.patch @@ -0,0 +1,42 @@ +From 648c8a5c680d80812a0ae92114a93476d25e1723 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Jul 2020 23:15:58 +0300 +Subject: usb: gadget: net2280: fix memory leak on probe error handling paths + +From: Evgeny Novikov + +[ Upstream commit 2468c877da428ebfd701142c4cdfefcfb7d4c00e ] + +Driver does not release memory for device on error handling paths in +net2280_probe() when gadget_release() is not registered yet. + +The patch fixes the bug like in other similar drivers. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Evgeny Novikov +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/net2280.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/udc/net2280.c b/drivers/usb/gadget/udc/net2280.c +index dfaed8e8cc524..c8c45264e94cc 100644 +--- a/drivers/usb/gadget/udc/net2280.c ++++ b/drivers/usb/gadget/udc/net2280.c +@@ -3785,8 +3785,10 @@ static int net2280_probe(struct pci_dev *pdev, const struct pci_device_id *id) + return 0; + + done: +- if (dev) ++ if (dev) { + net2280_remove(pdev); ++ kfree(dev); ++ } + return retval; + } + +-- +2.25.1 + diff --git a/queue-4.9/usb-serial-iuu_phoenix-fix-led-activity-helpers.patch b/queue-4.9/usb-serial-iuu_phoenix-fix-led-activity-helpers.patch new file mode 100644 index 00000000000..3553c92389b --- /dev/null +++ b/queue-4.9/usb-serial-iuu_phoenix-fix-led-activity-helpers.patch @@ -0,0 +1,70 @@ +From fc748a2cbe3c492dec5f9e2abc250fb0a73b5be7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jul 2020 10:50:55 +0200 +Subject: USB: serial: iuu_phoenix: fix led-activity helpers + +From: Johan Hovold + +[ Upstream commit de37458f8c2bfc465500a1dd0d15dbe96d2a698c ] + +The set-led command is eight bytes long and starts with a command byte +followed by six bytes of RGB data and ends with a byte encoding a +frequency (see iuu_led() and iuu_rgbf_fill_buffer()). + +The led activity helpers had a few long-standing bugs which corrupted +the command packets by inserting a second command byte and thereby +offsetting the RGB data and dropping the frequency in non-xmas mode. + +In xmas mode, a related off-by-one error left the frequency field +uninitialised. + +Fixes: 60a8fc017103 ("USB: add iuu_phoenix driver") +Reported-by: George Spelvin +Link: https://lore.kernel.org/r/20200716085056.31471-1-johan@kernel.org +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Sasha Levin +--- + drivers/usb/serial/iuu_phoenix.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/usb/serial/iuu_phoenix.c b/drivers/usb/serial/iuu_phoenix.c +index d6ac1f472b779..bdeb2b2489549 100644 +--- a/drivers/usb/serial/iuu_phoenix.c ++++ b/drivers/usb/serial/iuu_phoenix.c +@@ -369,10 +369,11 @@ static void iuu_led_activity_on(struct urb *urb) + struct usb_serial_port *port = urb->context; + int result; + char *buf_ptr = port->write_urb->transfer_buffer; +- *buf_ptr++ = IUU_SET_LED; ++ + if (xmas) { +- get_random_bytes(buf_ptr, 6); +- *(buf_ptr+7) = 1; ++ buf_ptr[0] = IUU_SET_LED; ++ get_random_bytes(buf_ptr + 1, 6); ++ buf_ptr[7] = 1; + } else { + iuu_rgbf_fill_buffer(buf_ptr, 255, 255, 0, 0, 0, 0, 255); + } +@@ -390,13 +391,14 @@ static void iuu_led_activity_off(struct urb *urb) + struct usb_serial_port *port = urb->context; + int result; + char *buf_ptr = port->write_urb->transfer_buffer; ++ + if (xmas) { + iuu_rxcmd(urb); + return; +- } else { +- *buf_ptr++ = IUU_SET_LED; +- iuu_rgbf_fill_buffer(buf_ptr, 0, 0, 255, 255, 0, 0, 255); + } ++ ++ iuu_rgbf_fill_buffer(buf_ptr, 0, 0, 255, 255, 0, 0, 255); ++ + usb_fill_bulk_urb(port->write_urb, port->serial->dev, + usb_sndbulkpipe(port->serial->dev, + port->bulk_out_endpointAddress), +-- +2.25.1 + diff --git a/queue-4.9/video-fbdev-neofb-fix-memory-leak-in-neo_scan_monito.patch b/queue-4.9/video-fbdev-neofb-fix-memory-leak-in-neo_scan_monito.patch new file mode 100644 index 00000000000..eca1f2e4844 --- /dev/null +++ b/queue-4.9/video-fbdev-neofb-fix-memory-leak-in-neo_scan_monito.patch @@ -0,0 +1,46 @@ +From 0a4439a49cdf622f02a73f99d8040b587f615754 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Jun 2020 22:54:51 +0300 +Subject: video: fbdev: neofb: fix memory leak in neo_scan_monitor() + +From: Evgeny Novikov + +[ Upstream commit edcb3895a751c762a18d25c8d9846ce9759ed7e1 ] + +neofb_probe() calls neo_scan_monitor() that can successfully allocate a +memory for info->monspecs.modedb and proceed to case 0x03. There it does +not free the memory and returns -1. neofb_probe() goes to label +err_scan_monitor, thus, it does not free this memory through calling +fb_destroy_modedb() as well. We can not go to label err_init_hw since +neo_scan_monitor() can fail during memory allocation. So, the patch frees +the memory directly for case 0x03. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Evgeny Novikov +Cc: Jani Nikula +Cc: Mike Rapoport +Cc: Daniel Vetter +Cc: Andrew Morton +Signed-off-by: Bartlomiej Zolnierkiewicz +Link: https://patchwork.freedesktop.org/patch/msgid/20200630195451.18675-1-novikov@ispras.ru +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/neofb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/video/fbdev/neofb.c b/drivers/video/fbdev/neofb.c +index db023a97d1eae..e243254a57214 100644 +--- a/drivers/video/fbdev/neofb.c ++++ b/drivers/video/fbdev/neofb.c +@@ -1820,6 +1820,7 @@ static int neo_scan_monitor(struct fb_info *info) + #else + printk(KERN_ERR + "neofb: Only 640x480, 800x600/480 and 1024x768 panels are currently supported\n"); ++ kfree(info->monspecs.modedb); + return -1; + #endif + default: +-- +2.25.1 + diff --git a/queue-4.9/video-fbdev-sm712fb-fix-an-issue-about-iounmap-for-a.patch b/queue-4.9/video-fbdev-sm712fb-fix-an-issue-about-iounmap-for-a.patch new file mode 100644 index 00000000000..b8c8ef4651d --- /dev/null +++ b/queue-4.9/video-fbdev-sm712fb-fix-an-issue-about-iounmap-for-a.patch @@ -0,0 +1,42 @@ +From 13bf93a41f69760a9a0193c7ed95356e24331a0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Apr 2020 00:07:19 +0800 +Subject: video: fbdev: sm712fb: fix an issue about iounmap for a wrong address + +From: Dejin Zheng + +[ Upstream commit 98bd4f72988646c35569e1e838c0ab80d06c77f6 ] + +the sfb->fb->screen_base is not save the value get by iounmap() when +the chip id is 0x720. so iounmap() for address sfb->fb->screen_base +is not right. + +Fixes: 1461d6672864854 ("staging: sm7xxfb: merge sm712fb with fbdev") +Cc: Andy Shevchenko +Cc: Sudip Mukherjee +Cc: Teddy Wang +Cc: Greg Kroah-Hartman +Signed-off-by: Dejin Zheng +Signed-off-by: Bartlomiej Zolnierkiewicz +Link: https://patchwork.freedesktop.org/patch/msgid/20200422160719.27763-1-zhengdejin5@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/sm712fb.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/video/fbdev/sm712fb.c b/drivers/video/fbdev/sm712fb.c +index 0d92ff366a7b7..17efcdd4dc99b 100644 +--- a/drivers/video/fbdev/sm712fb.c ++++ b/drivers/video/fbdev/sm712fb.c +@@ -1428,6 +1428,8 @@ static int smtc_map_smem(struct smtcfb_info *sfb, + static void smtc_unmap_smem(struct smtcfb_info *sfb) + { + if (sfb && sfb->fb->screen_base) { ++ if (sfb->chip_id == 0x720) ++ sfb->fb->screen_base -= 0x00200000; + iounmap(sfb->fb->screen_base); + sfb->fb->screen_base = NULL; + } +-- +2.25.1 + diff --git a/queue-4.9/video-pxafb-fix-the-function-used-to-balance-a-dma_a.patch b/queue-4.9/video-pxafb-fix-the-function-used-to-balance-a-dma_a.patch new file mode 100644 index 00000000000..21c7a54164e --- /dev/null +++ b/queue-4.9/video-pxafb-fix-the-function-used-to-balance-a-dma_a.patch @@ -0,0 +1,49 @@ +From e9060072b1440f2631a73054c5c7883f9a1afd6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Apr 2020 10:45:05 +0200 +Subject: video: pxafb: Fix the function used to balance a + 'dma_alloc_coherent()' call + +From: Christophe JAILLET + +[ Upstream commit 499a2c41b954518c372873202d5e7714e22010c4 ] + +'dma_alloc_coherent()' must be balanced by a call to 'dma_free_coherent()' +not 'dma_free_wc()'. +The correct dma_free_ function is already used in the error handling path +of the probe function. + +Fixes: 77e196752bdd ("[ARM] pxafb: allow video memory size to be configurable") +Signed-off-by: Christophe JAILLET +Cc: Sumit Semwal +Cc: Rafael J. Wysocki +Cc: Jonathan Corbet +Cc: Viresh Kumar +Cc: Jani Nikula +cc: Mauro Carvalho Chehab +Cc: Eric Miao +Signed-off-by: Bartlomiej Zolnierkiewicz +Link: https://patchwork.freedesktop.org/patch/msgid/20200429084505.108897-1-christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/pxafb.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/video/fbdev/pxafb.c b/drivers/video/fbdev/pxafb.c +index 8503310a38167..7f8b6af29aab4 100644 +--- a/drivers/video/fbdev/pxafb.c ++++ b/drivers/video/fbdev/pxafb.c +@@ -2447,8 +2447,8 @@ static int pxafb_remove(struct platform_device *dev) + + free_pages_exact(fbi->video_mem, fbi->video_mem_size); + +- dma_free_wc(&dev->dev, fbi->dma_buff_size, fbi->dma_buff, +- fbi->dma_buff_phys); ++ dma_free_coherent(&dev->dev, fbi->dma_buff_size, fbi->dma_buff, ++ fbi->dma_buff_phys); + + iounmap(fbi->mmio_base); + +-- +2.25.1 + diff --git a/queue-4.9/wl1251-fix-always-return-0-error.patch b/queue-4.9/wl1251-fix-always-return-0-error.patch new file mode 100644 index 00000000000..7d916d7d766 --- /dev/null +++ b/queue-4.9/wl1251-fix-always-return-0-error.patch @@ -0,0 +1,38 @@ +From 2dc264bd305dd5868a83a4ff3e3358abe500b151 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jul 2020 15:39:39 +0800 +Subject: wl1251: fix always return 0 error + +From: Wang Hai + +[ Upstream commit 20e6421344b5bc2f97b8e2db47b6994368417904 ] + +wl1251_event_ps_report() should not always return 0 because +wl1251_ps_set_mode() may fail. Change it to return 'ret'. + +Fixes: f7ad1eed4d4b ("wl1251: retry power save entry") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200730073939.33704-1-wanghai38@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ti/wl1251/event.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ti/wl1251/event.c b/drivers/net/wireless/ti/wl1251/event.c +index d0593bc1f1a92..daddeaa66bf4a 100644 +--- a/drivers/net/wireless/ti/wl1251/event.c ++++ b/drivers/net/wireless/ti/wl1251/event.c +@@ -84,7 +84,7 @@ static int wl1251_event_ps_report(struct wl1251 *wl, + break; + } + +- return 0; ++ return ret; + } + + static void wl1251_event_mbox_dump(struct event_mailbox *mbox) +-- +2.25.1 + diff --git a/queue-4.9/xfs-fix-reflink-quota-reservation-accounting-error.patch b/queue-4.9/xfs-fix-reflink-quota-reservation-accounting-error.patch new file mode 100644 index 00000000000..9030c18995c --- /dev/null +++ b/queue-4.9/xfs-fix-reflink-quota-reservation-accounting-error.patch @@ -0,0 +1,64 @@ +From e0c25157dde96cd3f4cf2f8691c707fb17c9fa7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jun 2020 14:47:18 -0700 +Subject: xfs: fix reflink quota reservation accounting error + +From: Darrick J. Wong + +[ Upstream commit 83895227aba1ade33e81f586aa7b6b1e143096a5 ] + +Quota reservations are supposed to account for the blocks that might be +allocated due to a bmap btree split. Reflink doesn't do this, so fix +this to make the quota accounting more accurate before we start +rearranging things. + +Fixes: 862bb360ef56 ("xfs: reflink extents from one file to another") +Signed-off-by: Darrick J. Wong +Reviewed-by: Brian Foster +Signed-off-by: Sasha Levin +--- + fs/xfs/xfs_reflink.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +diff --git a/fs/xfs/xfs_reflink.c b/fs/xfs/xfs_reflink.c +index 6b753b969f7b8..aa99711a8ff96 100644 +--- a/fs/xfs/xfs_reflink.c ++++ b/fs/xfs/xfs_reflink.c +@@ -1108,6 +1108,7 @@ xfs_reflink_remap_extent( + xfs_filblks_t rlen; + xfs_filblks_t unmap_len; + xfs_off_t newlen; ++ int64_t qres; + int error; + + unmap_len = irec->br_startoff + irec->br_blockcount - destoff; +@@ -1135,13 +1136,19 @@ xfs_reflink_remap_extent( + xfs_ilock(ip, XFS_ILOCK_EXCL); + xfs_trans_ijoin(tp, ip, 0); + +- /* If we're not just clearing space, then do we have enough quota? */ +- if (real_extent) { +- error = xfs_trans_reserve_quota_nblks(tp, ip, +- irec->br_blockcount, 0, XFS_QMOPT_RES_REGBLKS); +- if (error) +- goto out_cancel; +- } ++ /* ++ * Reserve quota for this operation. We don't know if the first unmap ++ * in the dest file will cause a bmap btree split, so we always reserve ++ * at least enough blocks for that split. If the extent being mapped ++ * in is written, we need to reserve quota for that too. ++ */ ++ qres = XFS_EXTENTADD_SPACE_RES(mp, XFS_DATA_FORK); ++ if (real_extent) ++ qres += irec->br_blockcount; ++ error = xfs_trans_reserve_quota_nblks(tp, ip, qres, 0, ++ XFS_QMOPT_RES_REGBLKS); ++ if (error) ++ goto out_cancel; + + trace_xfs_reflink_remap(ip, irec->br_startoff, + irec->br_blockcount, irec->br_startblock); +-- +2.25.1 + -- 2.47.3