From c247b3b448d2df489907fa746b2a269606a7f74e Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Thu, 20 Feb 2020 20:26:59 -0500 Subject: [PATCH] fixes for 4.14 Signed-off-by: Sasha Levin --- ...umber-of-ids-handling-in-iort_id_map.patch | 156 ++++++++++ ...ler-create-buffer-fields-in-acpi_par.patch | 86 ++++++ ...lv-read-operation-for-callback-type-.patch | 61 ++++ ...king-station-support-for-lenovo-thin.patch | 38 +++ ...-add-retry-logic-to-parse_intel_hdmi.patch | 52 ++++ ...lsa-sh-fix-compile-warning-wrt-const.patch | 41 +++ ...alsa-sh-fix-unused-variable-warnings.patch | 54 ++++ ...t-indentation-in-snd_usx2y_hwdep_dsp.patch | 51 ++++ ...m-8951-1-fix-kexec-compilation-issue.patch | 53 ++++ .../arm-dts-allwinner-h3-add-pmu-node.patch | 68 +++++ ...du2-disable-wp-for-usdhc2-and-usdhc3.patch | 69 +++++ ...add-device-node-for-arm-global-timer.patch | 44 +++ ...sm8996-disable-usb2-phy-suspend-by-c.patch | 51 ++++ ...atives-with-llvm-s-integrated-assemb.patch | 119 ++++++++ ...uild-error-with-config_snd_atmel_soc.patch | 43 +++ .../b43legacy-fix-wcast-function-type.patch | 48 +++ ...xplicity-type-cast-in-bset_bkey_last.patch | 52 ++++ ...-after-free-in-brcmf_sdio_readframes.patch | 41 +++ .../brd-check-and-limit-max_part-par.patch | 109 +++++++ ...vice-stats-log-when-stats-are-zeroed.patch | 47 +++ ...le-null-pointer-dereference-in-integ.patch | 51 ++++ ...ance-counter-when-looking-up-bio-csu.patch | 53 ++++ ...ability-of-mds-cluster-on-mount-afte.patch | 59 ++++ ...-silence-a-lockdep-splat-with-printk.patch | 278 ++++++++++++++++++ ...ix-null-dereference-in-match_prepath.patch | 43 +++ ...n-t-crash-if-our-parent-can-t-be-fou.patch | 71 +++++ ...-mux-and-pll-notifiers-for-a64-cpu-c.patch | 79 +++++ ...ers-bcm2835_timer-fix-memory-leak-of.patch | 51 ++++ ...-buffer-overflow-in-cmd64x_program_t.patch | 36 +++ ..._machine-fix-stop_machine-vs-hotplug.patch | 91 ++++++ ...re-module-owner-in-dma_device-struct.patch | 80 +++++ ...form-fix-u32-greater-or-equal-to-zer.patch | 41 +++ ...form-prevent-resouce-overflow-from-c.patch | 75 +++++ ...t-device-when-resources-present-in-r.patch | 45 +++ ...e-4-set-but-not-used-variable-in-amd.patch | 75 +++++ ...p-fbdev-stolen-size-usage-evaluation.patch | 61 ++++ ...dle-events-when-enabling-disabling-c.patch | 51 ++++ ...-nv50-prevent-oops-when-no-channel-m.patch | 41 +++ ...copy-paste-error-in-nouveau_fence_wa.patch | 37 +++ ...k20a-gm200-add-terminators-to-method.patch | 76 +++++ ...oot-gm20b-initialize-pointer-in-gm20.patch | 48 +++ ...move-the-newline-for-crc-source-name.patch | 48 +++ ...nt-memory-leak-in-vmw_cmdbuf_res_add.patch | 40 +++ ...nic-or-bug-on-non-critical-error-con.patch | 131 +++++++++ ...entire-efi-vendor-string-before-copy.patch | 69 +++++ ...x_read-write-inode-locking-sequence-.patch | 59 ++++ ...-panic-when-aborting-with-zero-errno.patch | 76 +++++ queue-4.14/f2fs-fix-memleak-of-kobject.patch | 54 ++++ queue-4.14/f2fs-free-sysfs-kobject.patch | 31 ++ ...orrect-checks-of-null-pointer-derefe.patch | 80 +++++ ..._next-should-increase-position-index.patch | 63 ++++ ...imestamping-with-a-stacked-dsa-drive.patch | 89 ++++++ ...-fix-possible-sleep-in-atomic-contex.patch | 78 +++++ ..._next-should-increase-position-index.patch | 35 +++ ...ndentation-in-prism2_hostapd_add_sta.patch | 52 ++++ ...-software-counter-for-ctxt0-seq-drop.patch | 95 ++++++ ...potential-overflow-in-svwks_set_pio_.patch | 45 +++ ...-work-around-first-register-access-e.patch | 55 ++++ ...3-use-write_once-when-changing-valid.patch | 40 +++ .../ipw2x00-fix-wcast-function-type.patch | 81 +++++ ...ts-reference-to-its_invall_cmd-descr.patch | 40 +++ ...nly-provision-redistributors-that-ar.patch | 71 +++++ ...et-driver-.suppress_bind_attrs-to-av.patch | 127 ++++++++ ...don-t-mark-kcapi_proc_exit-as-__exit.patch | 49 +++ ...loop-counter-addr-does-not-wrap-and-.patch | 42 +++ .../iwlegacy-fix-wcast-function-type.patch | 72 +++++ ...fi-mvm-fix-thermal-zone-registration.patch | 64 ++++ ...abort-flag-before-journal_reset-to-u.patch | 56 ++++ ...shutdown-to-be-recorded-in-the-journ.patch | 43 +++ ...se-jbd2_journal_abort-when-failed-to.patch | 51 ++++ ...en-dependency-in-randconfig-generate.patch | 46 +++ ...se-dependency-of-get_size-on-c-libra.patch | 113 +++++++ .../kvm-s390-enotsupp-eopnotsupp-fixups.patch | 56 ++++ ...ca963x-fix-open-drain-initialization.patch | 69 +++++ ...c-adjust-indentation-in-__sg_alloc_t.patch | 51 ++++ ...2-fix-enum-mbus-codes-and-frame-size.patch | 63 ++++ ...fix-a-possible-sleep-in-atomic-conte.patch | 60 ++++ ...e.h-explicitly-compare-grp-id-mask-t.patch | 94 ++++++ ...ze-prevent-the-overflow-of-the-start.patch | 37 +++ ...x-potential-null-dereference-in-loon.patch | 43 +++ ...pectrum_dpipe-add-missing-error-path.patch | 45 +++ ...-flush_workqueue-in-nbd_start_device.patch | 56 ++++ ..._hdlc-reject-muram-offsets-above-64k.patch | 44 +++ ...ert-cpu_to_le16-le16_to_cpu-e1-e2-to.patch | 37 +++ ...-deference-on-strange-copy-compounds.patch | 54 ++++ ...-pointer-dereference-when-call-ocfs2.patch | 140 +++++++++ ...id-assertion-in-case-of-null-pointer.patch | 37 +++ ...quire-cpu_hotplug_lock-before-pinst-.patch | 71 +++++ ...ix-memory-leak-in-pci_iov_add_virtfn.patch | 37 +++ ...-do-not-clear-irq-flags-on-direct-ir.patch | 60 ++++ ...sh-pfc-sh7264-fix-can-function-gpios.patch | 94 ++++++ ...sh-pfc-sh7269-fix-can-function-gpios.patch | 184 ++++++++++++ ...9_dmc-add-compile_test-and-have_arm_.patch | 53 ++++ ...iov-ensure-the-pdn-for-vfs-always-co.patch | 167 +++++++++++ ...move-vf-eeh_dev-state-when-disabling.patch | 57 ++++ ...-remove-pwm-chip-in-.remove-before-m.patch | 53 ++++ ...-remove-set-but-not-set-variable-pwm.patch | 51 ++++ ...-function-used-to-release-some-memor.patch | 57 ++++ ...ert-10ms-sleep-in-dce5_crtc_load_lut.patch | 53 ++++ ...ce-for-assignments-to-pprev-for-hlis.patch | 169 +++++++++++ ...ma-rxe-fix-error-type-of-mmap_offset.patch | 38 +++ ...lower-log-level-on-optional-gpios-be.patch | 45 +++ ...rious-unlock-in-reiserfs_fill_super-.patch | 36 +++ ...-null-pointer-dereference-in-reiserf.patch | 44 +++ ...oc-initialize-rproc_class-before-use.patch | 73 +++++ ...wifi-rtl_pci-fix-wcast-function-type.patch | 58 ++++ ...generate-traced-function-stack-frame.patch | 103 +++++++ ...ust-indentation-in-ahc_find_syncrate.patch | 54 ++++ ...-destroy-session-if-there-are-outsta.patch | 138 +++++++++ ...e-pending-requests-in-host-reset-and.patch | 121 ++++++++ ...e-cleanup-the-internal-avc-counters-.patch | 40 +++ queue-4.14/series | 135 +++++++++ ...e-return-type-of-cpm_muram_alloc-to-.patch | 188 ++++++++++++ ...orrect-straps-address-for-older-tegr.patch | 38 +++ queue-4.14/sparc-add-.exit.data-section.patch | 43 +++ ...-fix-gcc9-stringop-truncation-compil.patch | 67 +++++ ...ing_stat-return-values-in-error-hand.patch | 58 ++++ ...-unlikely-race-of-registering-two-st.patch | 87 ++++++ ..._next-should-increase-position-index.patch | 64 ++++ ...adjust-indentation-in-several-functi.patch | 118 ++++++++ ...djust-indentation-in-several-functio.patch | 159 ++++++++++ ...ce-reporting-for-metadata-and-virtua.patch | 76 +++++ ...in-atomic-context-bug-in-uio_dmem_ge.patch | 57 ++++ .../usb-dwc2-fix-in-fifo-allocation.patch | 84 ++++++ ...ix-possible-sleep-in-atomic-context-.patch | 111 +++++++ ...0-get-rid-of-musb-.set_vbus-for-omap.patch | 56 ++++ ...p-fix-unsafe-unaligned-pointer-usage.patch | 156 ++++++++++ ...o_balloon-prevent-pfn-array-overflow.patch | 36 +++ .../vme-bridges-reduce-stack-usage.patch | 110 +++++++ ...xx_hss-fix-compile-testing-on-64-bit.patch | 55 ++++ ...kup-enforce-that-timestamp-is-valid-.patch | 81 +++++ ...-decoder-add-test-opcode-to-group3-2.patch | 80 +++++ ...t-clearing-issue-in-kernel_map_pages.patch | 61 ++++ ...86-sysfb-fix-check-for-bad-vram-size.patch | 50 ++++ ...orc-fix-config_modules-build-warning.patch | 55 ++++ ...86-vdso-provide-missing-include-file.patch | 47 +++ 136 files changed, 9534 insertions(+) create mode 100644 queue-4.14/acpi-iort-fix-number-of-ids-handling-in-iort_id_map.patch create mode 100644 queue-4.14/acpica-disassembler-create-buffer-fields-in-acpi_par.patch create mode 100644 queue-4.14/alsa-ctl-allow-tlv-read-operation-for-callback-type-.patch create mode 100644 queue-4.14/alsa-hda-add-docking-station-support-for-lenovo-thin.patch create mode 100644 queue-4.14/alsa-hda-hdmi-add-retry-logic-to-parse_intel_hdmi.patch create mode 100644 queue-4.14/alsa-sh-fix-compile-warning-wrt-const.patch create mode 100644 queue-4.14/alsa-sh-fix-unused-variable-warnings.patch create mode 100644 queue-4.14/alsa-usx2y-adjust-indentation-in-snd_usx2y_hwdep_dsp.patch create mode 100644 queue-4.14/arm-8951-1-fix-kexec-compilation-issue.patch create mode 100644 queue-4.14/arm-dts-allwinner-h3-add-pmu-node.patch create mode 100644 queue-4.14/arm-dts-imx6-rdu2-disable-wp-for-usdhc2-and-usdhc3.patch create mode 100644 queue-4.14/arm-dts-r8a7779-add-device-node-for-arm-global-timer.patch create mode 100644 queue-4.14/arm64-dts-qcom-msm8996-disable-usb2-phy-suspend-by-c.patch create mode 100644 queue-4.14/arm64-fix-alternatives-with-llvm-s-integrated-assemb.patch create mode 100644 queue-4.14/asoc-atmel-fix-build-error-with-config_snd_atmel_soc.patch create mode 100644 queue-4.14/b43legacy-fix-wcast-function-type.patch create mode 100644 queue-4.14/bcache-explicity-type-cast-in-bset_bkey_last.patch create mode 100644 queue-4.14/brcmfmac-fix-use-after-free-in-brcmf_sdio_readframes.patch create mode 100644 queue-4.14/brd-check-and-limit-max_part-par.patch create mode 100644 queue-4.14/btrfs-device-stats-log-when-stats-are-zeroed.patch create mode 100644 queue-4.14/btrfs-fix-possible-null-pointer-dereference-in-integ.patch create mode 100644 queue-4.14/btrfs-safely-advance-counter-when-looking-up-bio-csu.patch create mode 100644 queue-4.14/ceph-check-availability-of-mds-cluster-on-mount-afte.patch create mode 100644 queue-4.14/char-random-silence-a-lockdep-splat-with-printk.patch create mode 100644 queue-4.14/cifs-fix-null-dereference-in-match_prepath.patch create mode 100644 queue-4.14/clk-qcom-rcg2-don-t-crash-if-our-parent-can-t-be-fou.patch create mode 100644 queue-4.14/clk-sunxi-ng-add-mux-and-pll-notifiers-for-a64-cpu-c.patch create mode 100644 queue-4.14/clocksource-drivers-bcm2835_timer-fix-memory-leak-of.patch create mode 100644 queue-4.14/cmd64x-potential-buffer-overflow-in-cmd64x_program_t.patch create mode 100644 queue-4.14/cpu-hotplug-stop_machine-fix-stop_machine-vs-hotplug.patch create mode 100644 queue-4.14/dmaengine-store-module-owner-in-dma_device-struct.patch create mode 100644 queue-4.14/driver-core-platform-fix-u32-greater-or-equal-to-zer.patch create mode 100644 queue-4.14/driver-core-platform-prevent-resouce-overflow-from-c.patch create mode 100644 queue-4.14/driver-core-print-device-when-resources-present-in-r.patch create mode 100644 queue-4.14/drm-amdgpu-remove-4-set-but-not-used-variable-in-amd.patch create mode 100644 queue-4.14/drm-gma500-fixup-fbdev-stolen-size-usage-evaluation.patch create mode 100644 queue-4.14/drm-mediatek-handle-events-when-enabling-disabling-c.patch create mode 100644 queue-4.14/drm-nouveau-disp-nv50-prevent-oops-when-no-channel-m.patch create mode 100644 queue-4.14/drm-nouveau-fix-copy-paste-error-in-nouveau_fence_wa.patch create mode 100644 queue-4.14/drm-nouveau-gr-gk20a-gm200-add-terminators-to-method.patch create mode 100644 queue-4.14/drm-nouveau-secboot-gm20b-initialize-pointer-in-gm20.patch create mode 100644 queue-4.14/drm-remove-the-newline-for-crc-source-name.patch create mode 100644 queue-4.14/drm-vmwgfx-prevent-memory-leak-in-vmw_cmdbuf_res_add.patch create mode 100644 queue-4.14/efi-x86-don-t-panic-or-bug-on-non-critical-error-con.patch create mode 100644 queue-4.14/efi-x86-map-the-entire-efi-vendor-string-before-copy.patch create mode 100644 queue-4.14/ext4-fix-ext4_dax_read-write-inode-locking-sequence-.patch create mode 100644 queue-4.14/ext4-jbd2-ensure-panic-when-aborting-with-zero-errno.patch create mode 100644 queue-4.14/f2fs-fix-memleak-of-kobject.patch create mode 100644 queue-4.14/f2fs-free-sysfs-kobject.patch create mode 100644 queue-4.14/fore200e-fix-incorrect-checks-of-null-pointer-derefe.patch create mode 100644 queue-4.14/ftrace-fpid_next-should-increase-position-index.patch create mode 100644 queue-4.14/gianfar-fix-tx-timestamping-with-a-stacked-dsa-drive.patch create mode 100644 queue-4.14/gpio-gpio-grgpio-fix-possible-sleep-in-atomic-contex.patch create mode 100644 queue-4.14/help_next-should-increase-position-index.patch create mode 100644 queue-4.14/hostap-adjust-indentation-in-prism2_hostapd_add_sta.patch create mode 100644 queue-4.14/ib-hfi1-add-software-counter-for-ctxt0-seq-drop.patch create mode 100644 queue-4.14/ide-serverworks-potential-overflow-in-svwks_set_pio_.patch create mode 100644 queue-4.14/input-edt-ft5x06-work-around-first-register-access-e.patch create mode 100644 queue-4.14/iommu-arm-smmu-v3-use-write_once-when-changing-valid.patch create mode 100644 queue-4.14/ipw2x00-fix-wcast-function-type.patch create mode 100644 queue-4.14/irqchip-gic-v3-its-reference-to-its_invall_cmd-descr.patch create mode 100644 queue-4.14/irqchip-gic-v3-only-provision-redistributors-that-ar.patch create mode 100644 queue-4.14/irqchip-mbigen-set-driver-.suppress_bind_attrs-to-av.patch create mode 100644 queue-4.14/isdn-don-t-mark-kcapi_proc_exit-as-__exit.patch create mode 100644 queue-4.14/iwlegacy-ensure-loop-counter-addr-does-not-wrap-and-.patch create mode 100644 queue-4.14/iwlegacy-fix-wcast-function-type.patch create mode 100644 queue-4.14/iwlwifi-mvm-fix-thermal-zone-registration.patch create mode 100644 queue-4.14/jbd2-clear-jbd2_abort-flag-before-journal_reset-to-u.patch create mode 100644 queue-4.14/jbd2-make-sure-eshutdown-to-be-recorded-in-the-journ.patch create mode 100644 queue-4.14/jbd2-switch-to-use-jbd2_journal_abort-when-failed-to.patch create mode 100644 queue-4.14/kconfig-fix-broken-dependency-in-randconfig-generate.patch create mode 100644 queue-4.14/kselftest-minimise-dependency-of-get_size-on-c-libra.patch create mode 100644 queue-4.14/kvm-s390-enotsupp-eopnotsupp-fixups.patch create mode 100644 queue-4.14/leds-pca963x-fix-open-drain-initialization.patch create mode 100644 queue-4.14/lib-scatterlist.c-adjust-indentation-in-__sg_alloc_t.patch create mode 100644 queue-4.14/media-i2c-mt9v032-fix-enum-mbus-codes-and-frame-size.patch create mode 100644 queue-4.14/media-sti-bdisp-fix-a-possible-sleep-in-atomic-conte.patch create mode 100644 queue-4.14/media-v4l2-device.h-explicitly-compare-grp-id-mask-t.patch create mode 100644 queue-4.14/microblaze-prevent-the-overflow-of-the-start.patch create mode 100644 queue-4.14/mips-loongson-fix-potential-null-dereference-in-loon.patch create mode 100644 queue-4.14/mlxsw-spectrum_dpipe-add-missing-error-path.patch create mode 100644 queue-4.14/nbd-add-a-flush_workqueue-in-nbd_start_device.patch create mode 100644 queue-4.14/net-wan-fsl_ucc_hdlc-reject-muram-offsets-above-64k.patch create mode 100644 queue-4.14/nfc-port100-convert-cpu_to_le16-le16_to_cpu-e1-e2-to.patch create mode 100644 queue-4.14/nfsd4-avoid-null-deference-on-strange-copy-compounds.patch create mode 100644 queue-4.14/ocfs2-fix-a-null-pointer-dereference-when-call-ocfs2.patch create mode 100644 queue-4.14/orinoco-avoid-assertion-in-case-of-null-pointer.patch create mode 100644 queue-4.14/padata-always-acquire-cpu_hotplug_lock-before-pinst-.patch create mode 100644 queue-4.14/pci-iov-fix-memory-leak-in-pci_iov_add_virtfn.patch create mode 100644 queue-4.14/pinctrl-baytrail-do-not-clear-irq-flags-on-direct-ir.patch create mode 100644 queue-4.14/pinctrl-sh-pfc-sh7264-fix-can-function-gpios.patch create mode 100644 queue-4.14/pinctrl-sh-pfc-sh7269-fix-can-function-gpios.patch create mode 100644 queue-4.14/pm-devfreq-rk3399_dmc-add-compile_test-and-have_arm_.patch create mode 100644 queue-4.14/powerpc-powernv-iov-ensure-the-pdn-for-vfs-always-co.patch create mode 100644 queue-4.14/powerpc-sriov-remove-vf-eeh_dev-state-when-disabling.patch create mode 100644 queue-4.14/pwm-omap-dmtimer-remove-pwm-chip-in-.remove-before-m.patch create mode 100644 queue-4.14/pwm-remove-set-but-not-set-variable-pwm.patch create mode 100644 queue-4.14/pxa168fb-fix-the-function-used-to-release-some-memor.patch create mode 100644 queue-4.14/radeon-insert-10ms-sleep-in-dce5_crtc_load_lut.patch create mode 100644 queue-4.14/rcu-use-write_once-for-assignments-to-pprev-for-hlis.patch create mode 100644 queue-4.14/rdma-rxe-fix-error-type-of-mmap_offset.patch create mode 100644 queue-4.14/regulator-rk808-lower-log-level-on-optional-gpios-be.patch create mode 100644 queue-4.14/reiserfs-fix-spurious-unlock-in-reiserfs_fill_super-.patch create mode 100644 queue-4.14/reiserfs-prevent-null-pointer-dereference-in-reiserf.patch create mode 100644 queue-4.14/remoteproc-initialize-rproc_class-before-use.patch create mode 100644 queue-4.14/rtlwifi-rtl_pci-fix-wcast-function-type.patch create mode 100644 queue-4.14/s390-ftrace-generate-traced-function-stack-frame.patch create mode 100644 queue-4.14/scsi-aic7xxx-adjust-indentation-in-ahc_find_syncrate.patch create mode 100644 queue-4.14/scsi-iscsi-don-t-destroy-session-if-there-are-outsta.patch create mode 100644 queue-4.14/scsi-ufs-complete-pending-requests-in-host-reset-and.patch create mode 100644 queue-4.14/selinux-ensure-we-cleanup-the-internal-avc-counters-.patch create mode 100644 queue-4.14/soc-fsl-qe-change-return-type-of-cpm_muram_alloc-to-.patch create mode 100644 queue-4.14/soc-tegra-fuse-correct-straps-address-for-older-tegr.patch create mode 100644 queue-4.14/sparc-add-.exit.data-section.patch create mode 100644 queue-4.14/tools-lib-api-fs-fix-gcc9-stringop-truncation-compil.patch create mode 100644 queue-4.14/tracing-fix-tracing_stat-return-values-in-error-hand.patch create mode 100644 queue-4.14/tracing-fix-very-unlikely-race-of-registering-two-st.patch create mode 100644 queue-4.14/trigger_next-should-increase-position-index.patch create mode 100644 queue-4.14/tty-synclink_gt-adjust-indentation-in-several-functi.patch create mode 100644 queue-4.14/tty-synclinkmp-adjust-indentation-in-several-functio.patch create mode 100644 queue-4.14/udf-fix-free-space-reporting-for-metadata-and-virtua.patch create mode 100644 queue-4.14/uio-fix-a-sleep-in-atomic-context-bug-in-uio_dmem_ge.patch create mode 100644 queue-4.14/usb-dwc2-fix-in-fifo-allocation.patch create mode 100644 queue-4.14/usb-gadget-udc-fix-possible-sleep-in-atomic-context-.patch create mode 100644 queue-4.14/usb-musb-omap2430-get-rid-of-musb-.set_vbus-for-omap.patch create mode 100644 queue-4.14/usbip-fix-unsafe-unaligned-pointer-usage.patch create mode 100644 queue-4.14/virtio_balloon-prevent-pfn-array-overflow.patch create mode 100644 queue-4.14/vme-bridges-reduce-stack-usage.patch create mode 100644 queue-4.14/wan-ixp4xx_hss-fix-compile-testing-on-64-bit.patch create mode 100644 queue-4.14/watchdog-softlockup-enforce-that-timestamp-is-valid-.patch create mode 100644 queue-4.14/x86-decoder-add-test-opcode-to-group3-2.patch create mode 100644 queue-4.14/x86-mm-fix-nx-bit-clearing-issue-in-kernel_map_pages.patch create mode 100644 queue-4.14/x86-sysfb-fix-check-for-bad-vram-size.patch create mode 100644 queue-4.14/x86-unwind-orc-fix-config_modules-build-warning.patch create mode 100644 queue-4.14/x86-vdso-provide-missing-include-file.patch diff --git a/queue-4.14/acpi-iort-fix-number-of-ids-handling-in-iort_id_map.patch b/queue-4.14/acpi-iort-fix-number-of-ids-handling-in-iort_id_map.patch new file mode 100644 index 00000000000..952c55d1207 --- /dev/null +++ b/queue-4.14/acpi-iort-fix-number-of-ids-handling-in-iort_id_map.patch @@ -0,0 +1,156 @@ +From 6849aee2349bef078883faf3180f983c07adaa83 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Jan 2020 20:14:11 +0800 +Subject: ACPI/IORT: Fix 'Number of IDs' handling in iort_id_map() + +From: Hanjun Guo + +[ Upstream commit 3c23b83a88d00383e1d498cfa515249aa2fe0238 ] + +The IORT specification [0] (Section 3, table 4, page 9) defines the +'Number of IDs' as 'The number of IDs in the range minus one'. + +However, the IORT ID mapping function iort_id_map() treats the 'Number +of IDs' field as if it were the full IDs mapping count, with the +following check in place to detect out of boundary input IDs: + +InputID >= Input base + Number of IDs + +This check is flawed in that it considers the 'Number of IDs' field as +the full number of IDs mapping and disregards the 'minus one' from +the IDs count. + +The correct check in iort_id_map() should be implemented as: + +InputID > Input base + Number of IDs + +this implements the specification correctly but unfortunately it breaks +existing firmwares that erroneously set the 'Number of IDs' as the full +IDs mapping count rather than IDs mapping count minus one. + +e.g. + +PCI hostbridge mapping entry 1: +Input base: 0x1000 +ID Count: 0x100 +Output base: 0x1000 +Output reference: 0xC4 //ITS reference + +PCI hostbridge mapping entry 2: +Input base: 0x1100 +ID Count: 0x100 +Output base: 0x2000 +Output reference: 0xD4 //ITS reference + +Two mapping entries which the second entry's Input base = the first +entry's Input base + ID count, so for InputID 0x1100 and with the +correct InputID check in place in iort_id_map() the kernel would map +the InputID to ITS 0xC4 not 0xD4 as it would be expected. + +Therefore, to keep supporting existing flawed firmwares, introduce a +workaround that instructs the kernel to use the old InputID range check +logic in iort_id_map(), so that we can support both firmwares written +with the flawed 'Number of IDs' logic and the correct one as defined in +the specifications. + +[0]: http://infocenter.arm.com/help/topic/com.arm.doc.den0049d/DEN0049D_IO_Remapping_Table.pdf + +Reported-by: Pankaj Bansal +Link: https://lore.kernel.org/linux-acpi/20191215203303.29811-1-pankaj.bansal@nxp.com/ +Signed-off-by: Hanjun Guo +Signed-off-by: Lorenzo Pieralisi +Cc: Pankaj Bansal +Cc: Will Deacon +Cc: Sudeep Holla +Cc: Catalin Marinas +Cc: Robin Murphy +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/acpi/arm64/iort.c | 57 +++++++++++++++++++++++++++++++++++++-- + 1 file changed, 55 insertions(+), 2 deletions(-) + +diff --git a/drivers/acpi/arm64/iort.c b/drivers/acpi/arm64/iort.c +index b0a7afd4e7d35..f45bb681b3db5 100644 +--- a/drivers/acpi/arm64/iort.c ++++ b/drivers/acpi/arm64/iort.c +@@ -282,6 +282,59 @@ out: + return status; + } + ++struct iort_workaround_oem_info { ++ char oem_id[ACPI_OEM_ID_SIZE + 1]; ++ char oem_table_id[ACPI_OEM_TABLE_ID_SIZE + 1]; ++ u32 oem_revision; ++}; ++ ++static bool apply_id_count_workaround; ++ ++static struct iort_workaround_oem_info wa_info[] __initdata = { ++ { ++ .oem_id = "HISI ", ++ .oem_table_id = "HIP07 ", ++ .oem_revision = 0, ++ }, { ++ .oem_id = "HISI ", ++ .oem_table_id = "HIP08 ", ++ .oem_revision = 0, ++ } ++}; ++ ++static void __init ++iort_check_id_count_workaround(struct acpi_table_header *tbl) ++{ ++ int i; ++ ++ for (i = 0; i < ARRAY_SIZE(wa_info); i++) { ++ if (!memcmp(wa_info[i].oem_id, tbl->oem_id, ACPI_OEM_ID_SIZE) && ++ !memcmp(wa_info[i].oem_table_id, tbl->oem_table_id, ACPI_OEM_TABLE_ID_SIZE) && ++ wa_info[i].oem_revision == tbl->oem_revision) { ++ apply_id_count_workaround = true; ++ pr_warn(FW_BUG "ID count for ID mapping entry is wrong, applying workaround\n"); ++ break; ++ } ++ } ++} ++ ++static inline u32 iort_get_map_max(struct acpi_iort_id_mapping *map) ++{ ++ u32 map_max = map->input_base + map->id_count; ++ ++ /* ++ * The IORT specification revision D (Section 3, table 4, page 9) says ++ * Number of IDs = The number of IDs in the range minus one, but the ++ * IORT code ignored the "minus one", and some firmware did that too, ++ * so apply a workaround here to keep compatible with both the spec ++ * compliant and non-spec compliant firmwares. ++ */ ++ if (apply_id_count_workaround) ++ map_max--; ++ ++ return map_max; ++} ++ + static int iort_id_map(struct acpi_iort_id_mapping *map, u8 type, u32 rid_in, + u32 *rid_out) + { +@@ -298,8 +351,7 @@ static int iort_id_map(struct acpi_iort_id_mapping *map, u8 type, u32 rid_in, + return -ENXIO; + } + +- if (rid_in < map->input_base || +- (rid_in >= map->input_base + map->id_count)) ++ if (rid_in < map->input_base || rid_in > iort_get_map_max(map)) + return -ENXIO; + + *rid_out = map->output_base + (rid_in - map->input_base); +@@ -1275,5 +1327,6 @@ void __init acpi_iort_init(void) + return; + } + ++ iort_check_id_count_workaround(iort_table); + iort_init_platform_devices(); + } +-- +2.20.1 + diff --git a/queue-4.14/acpica-disassembler-create-buffer-fields-in-acpi_par.patch b/queue-4.14/acpica-disassembler-create-buffer-fields-in-acpi_par.patch new file mode 100644 index 00000000000..42d13ed4fd3 --- /dev/null +++ b/queue-4.14/acpica-disassembler-create-buffer-fields-in-acpi_par.patch @@ -0,0 +1,86 @@ +From 58df4adac9d04f28641743409204e980258d9be4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Dec 2019 11:35:20 -0800 +Subject: ACPICA: Disassembler: create buffer fields in ACPI_PARSE_LOAD_PASS1 + +From: Erik Kaneda + +[ Upstream commit 5ddbd77181dfca61b16d2e2222382ea65637f1b9 ] + +ACPICA commit 29cc8dbc5463a93625bed87d7550a8bed8913bf4 + +create_buffer_field is a deferred op that is typically processed in +load pass 2. However, disassembly of control method contents walk the +parse tree with ACPI_PARSE_LOAD_PASS1 and AML_CREATE operators are +processed in a later walk. This is a problem when there is a control +method that has the same name as the AML_CREATE object. In this case, +any use of the name segment will be detected as a method call rather +than a reference to a buffer field. If this is detected as a method +call, it can result in a mal-formed parse tree if the control methods +have parameters. + +This change in processing AML_CREATE ops earlier solves this issue by +inserting the named object in the ACPI namespace so that references +to this name would be detected as a name string rather than a method +call. + +Link: https://github.com/acpica/acpica/commit/29cc8dbc +Reported-by: Elia Geretto +Tested-by: Elia Geretto +Signed-off-by: Bob Moore +Signed-off-by: Erik Kaneda +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/dsfield.c | 2 +- + drivers/acpi/acpica/dswload.c | 21 +++++++++++++++++++++ + 2 files changed, 22 insertions(+), 1 deletion(-) + +diff --git a/drivers/acpi/acpica/dsfield.c b/drivers/acpi/acpica/dsfield.c +index 7bcf5f5ea0297..8df4a49a99a6b 100644 +--- a/drivers/acpi/acpica/dsfield.c ++++ b/drivers/acpi/acpica/dsfield.c +@@ -273,7 +273,7 @@ cleanup: + * FUNCTION: acpi_ds_get_field_names + * + * PARAMETERS: info - create_field info structure +- * ` walk_state - Current method state ++ * walk_state - Current method state + * arg - First parser arg for the field name list + * + * RETURN: Status +diff --git a/drivers/acpi/acpica/dswload.c b/drivers/acpi/acpica/dswload.c +index eaa859a89702a..1d82e1419397e 100644 +--- a/drivers/acpi/acpica/dswload.c ++++ b/drivers/acpi/acpica/dswload.c +@@ -444,6 +444,27 @@ acpi_status acpi_ds_load1_end_op(struct acpi_walk_state *walk_state) + ACPI_DEBUG_PRINT((ACPI_DB_DISPATCH, "Op=%p State=%p\n", op, + walk_state)); + ++ /* ++ * Disassembler: handle create field operators here. ++ * ++ * create_buffer_field is a deferred op that is typically processed in load ++ * pass 2. However, disassembly of control method contents walk the parse ++ * tree with ACPI_PARSE_LOAD_PASS1 and AML_CREATE operators are processed ++ * in a later walk. This is a problem when there is a control method that ++ * has the same name as the AML_CREATE object. In this case, any use of the ++ * name segment will be detected as a method call rather than a reference ++ * to a buffer field. ++ * ++ * This earlier creation during disassembly solves this issue by inserting ++ * the named object in the ACPI namespace so that references to this name ++ * would be a name string rather than a method call. ++ */ ++ if ((walk_state->parse_flags & ACPI_PARSE_DISASSEMBLE) && ++ (walk_state->op_info->flags & AML_CREATE)) { ++ status = acpi_ds_create_buffer_field(op, walk_state); ++ return_ACPI_STATUS(status); ++ } ++ + /* We are only interested in opcodes that have an associated name */ + + if (!(walk_state->op_info->flags & (AML_NAMED | AML_FIELD))) { +-- +2.20.1 + diff --git a/queue-4.14/alsa-ctl-allow-tlv-read-operation-for-callback-type-.patch b/queue-4.14/alsa-ctl-allow-tlv-read-operation-for-callback-type-.patch new file mode 100644 index 00000000000..dfc9a1e3791 --- /dev/null +++ b/queue-4.14/alsa-ctl-allow-tlv-read-operation-for-callback-type-.patch @@ -0,0 +1,61 @@ +From 2e02c906e180fe917605cb0744192864e791d8fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Dec 2019 18:33:47 +0900 +Subject: ALSA: ctl: allow TLV read operation for callback type of element in + locked case + +From: Takashi Sakamoto + +[ Upstream commit d61fe22c2ae42d9fd76c34ef4224064cca4b04b0 ] + +A design of ALSA control core allows applications to execute three +operations for TLV feature; read, write and command. Furthermore, it +allows driver developers to process the operations by two ways; allocated +array or callback function. In the former, read operation is just allowed, +thus developers uses the latter when device driver supports variety of +models or the target model is expected to dynamically change information +stored in TLV container. + +The core also allows applications to lock any element so that the other +applications can't perform write operation to the element for element +value and TLV information. When the element is locked, write and command +operation for TLV information are prohibited as well as element value. +Any read operation should be allowed in the case. + +At present, when an element has callback function for TLV information, +TLV read operation returns EPERM if the element is locked. On the +other hand, the read operation is success when an element has allocated +array for TLV information. In both cases, read operation is success for +element value expectedly. + +This commit fixes the bug. This change can be backported to v4.14 +kernel or later. + +Signed-off-by: Takashi Sakamoto +Reviewed-by: Jaroslav Kysela +Link: https://lore.kernel.org/r/20191223093347.15279-1-o-takashi@sakamocchi.jp +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/control.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/sound/core/control.c b/sound/core/control.c +index 36571cd49be33..a0ce22164957c 100644 +--- a/sound/core/control.c ++++ b/sound/core/control.c +@@ -1467,8 +1467,9 @@ static int call_tlv_handler(struct snd_ctl_file *file, int op_flag, + if (kctl->tlv.c == NULL) + return -ENXIO; + +- /* When locked, this is unavailable. */ +- if (vd->owner != NULL && vd->owner != file) ++ /* Write and command operations are not allowed for locked element. */ ++ if (op_flag != SNDRV_CTL_TLV_OP_READ && ++ vd->owner != NULL && vd->owner != file) + return -EPERM; + + return kctl->tlv.c(kctl, op_flag, size, buf); +-- +2.20.1 + diff --git a/queue-4.14/alsa-hda-add-docking-station-support-for-lenovo-thin.patch b/queue-4.14/alsa-hda-add-docking-station-support-for-lenovo-thin.patch new file mode 100644 index 00000000000..a3156ffd68c --- /dev/null +++ b/queue-4.14/alsa-hda-add-docking-station-support-for-lenovo-thin.patch @@ -0,0 +1,38 @@ +From 87abab106e4934b4f1681a2c87f0068226921b2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Jan 2020 19:01:06 +0100 +Subject: ALSA: hda - Add docking station support for Lenovo Thinkpad T420s +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Peter Große + +[ Upstream commit ef7d84caa5928b40b1c93a26dbe5a3f12737c6ab ] + +Lenovo Thinkpad T420s uses the same codec as T420, so apply the +same quirk to enable audio output on a docking station. + +Signed-off-by: Peter Große +Link: https://lore.kernel.org/r/20200122180106.9351-1-pegro@friiks.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_conexant.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c +index 382b6d2ed8036..9cc9304ff21a7 100644 +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -969,6 +969,7 @@ static const struct snd_pci_quirk cxt5066_fixups[] = { + SND_PCI_QUIRK(0x17aa, 0x215f, "Lenovo T510", CXT_PINCFG_LENOVO_TP410), + SND_PCI_QUIRK(0x17aa, 0x21ce, "Lenovo T420", CXT_PINCFG_LENOVO_TP410), + SND_PCI_QUIRK(0x17aa, 0x21cf, "Lenovo T520", CXT_PINCFG_LENOVO_TP410), ++ SND_PCI_QUIRK(0x17aa, 0x21d2, "Lenovo T420s", CXT_PINCFG_LENOVO_TP410), + SND_PCI_QUIRK(0x17aa, 0x21da, "Lenovo X220", CXT_PINCFG_LENOVO_TP410), + SND_PCI_QUIRK(0x17aa, 0x21db, "Lenovo X220-tablet", CXT_PINCFG_LENOVO_TP410), + SND_PCI_QUIRK(0x17aa, 0x38af, "Lenovo IdeaPad Z560", CXT_FIXUP_MUTE_LED_EAPD), +-- +2.20.1 + diff --git a/queue-4.14/alsa-hda-hdmi-add-retry-logic-to-parse_intel_hdmi.patch b/queue-4.14/alsa-hda-hdmi-add-retry-logic-to-parse_intel_hdmi.patch new file mode 100644 index 00000000000..7047d010979 --- /dev/null +++ b/queue-4.14/alsa-hda-hdmi-add-retry-logic-to-parse_intel_hdmi.patch @@ -0,0 +1,52 @@ +From 9e2233fd0201e1b5c423baedbe1f882713643acf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jan 2020 18:01:17 +0200 +Subject: ALSA: hda/hdmi - add retry logic to parse_intel_hdmi() + +From: Kai Vehmanen + +[ Upstream commit 2928fa0a97ebb9549cb877fdc99aed9b95438c3a ] + +The initial snd_hda_get_sub_node() can fail on certain +devices (e.g. some Chromebook models using Intel GLK). +The failure rate is very low, but as this is is part of +the probe process, end-user impact is high. + +In observed cases, related hardware status registers have +expected values, but the node query still fails. Retrying +the node query does seem to help, so fix the problem by +adding retry logic to the query. This does not impact +non-Intel platforms. + +BugLink: https://github.com/thesofproject/linux/issues/1642 +Signed-off-by: Kai Vehmanen +Reviewed-by: Takashi Iwai +Link: https://lore.kernel.org/r/20200120160117.29130-4-kai.vehmanen@linux.intel.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_hdmi.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c +index f214055972150..12913368c2314 100644 +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -2574,9 +2574,12 @@ static int alloc_intel_hdmi(struct hda_codec *codec) + /* parse and post-process for Intel codecs */ + static int parse_intel_hdmi(struct hda_codec *codec) + { +- int err; ++ int err, retries = 3; ++ ++ do { ++ err = hdmi_parse_codec(codec); ++ } while (err < 0 && retries--); + +- err = hdmi_parse_codec(codec); + if (err < 0) { + generic_spec_free(codec); + return err; +-- +2.20.1 + diff --git a/queue-4.14/alsa-sh-fix-compile-warning-wrt-const.patch b/queue-4.14/alsa-sh-fix-compile-warning-wrt-const.patch new file mode 100644 index 00000000000..acbb470fc96 --- /dev/null +++ b/queue-4.14/alsa-sh-fix-compile-warning-wrt-const.patch @@ -0,0 +1,41 @@ +From 718a748f98d9c1d9feb8c1d1a6d3f61ca8d0cd6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Jan 2020 15:48:23 +0100 +Subject: ALSA: sh: Fix compile warning wrt const + +From: Takashi Iwai + +[ Upstream commit f1dd4795b1523fbca7ab4344dd5a8bb439cc770d ] + +A long-standing compile warning was seen during build test: + sound/sh/aica.c: In function 'load_aica_firmware': + sound/sh/aica.c:521:25: warning: passing argument 2 of 'spu_memload' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers] + +Fixes: 198de43d758c ("[ALSA] Add ALSA support for the SEGA Dreamcast PCM device") +Link: https://lore.kernel.org/r/20200105144823.29547-69-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/sh/aica.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/sh/aica.c b/sound/sh/aica.c +index fdc680ae8aa09..d9acf551a8985 100644 +--- a/sound/sh/aica.c ++++ b/sound/sh/aica.c +@@ -117,10 +117,10 @@ static void spu_memset(u32 toi, u32 what, int length) + } + + /* spu_memload - write to SPU address space */ +-static void spu_memload(u32 toi, void *from, int length) ++static void spu_memload(u32 toi, const void *from, int length) + { + unsigned long flags; +- u32 *froml = from; ++ const u32 *froml = from; + u32 __iomem *to = (u32 __iomem *) (SPU_MEMORY_BASE + toi); + int i; + u32 val; +-- +2.20.1 + diff --git a/queue-4.14/alsa-sh-fix-unused-variable-warnings.patch b/queue-4.14/alsa-sh-fix-unused-variable-warnings.patch new file mode 100644 index 00000000000..98df7a2df94 --- /dev/null +++ b/queue-4.14/alsa-sh-fix-unused-variable-warnings.patch @@ -0,0 +1,54 @@ +From ba0eaf1a02d17d0c9da4b76f6845bc5576cd0c31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Jan 2020 12:00:57 +0100 +Subject: ALSA: sh: Fix unused variable warnings + +From: Takashi Iwai + +[ Upstream commit 5da116f164ce265e397b8f59af5c39e4a61d61a5 ] + +Remove unused variables that are left over after the conversion of new +PCM ops: + sound/sh/sh_dac_audio.c:166:26: warning: unused variable 'runtime' + sound/sh/sh_dac_audio.c:186:26: warning: unused variable 'runtime' + sound/sh/sh_dac_audio.c:205:26: warning: unused variable 'runtime' + +Fixes: 1cc2f8ba0b3e ("ALSA: sh: Convert to the new PCM ops") +Link: https://lore.kernel.org/r/20200104110057.13875-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/sh/sh_dac_audio.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/sound/sh/sh_dac_audio.c b/sound/sh/sh_dac_audio.c +index 834b2574786f5..6251b5e1b64a2 100644 +--- a/sound/sh/sh_dac_audio.c ++++ b/sound/sh/sh_dac_audio.c +@@ -190,7 +190,6 @@ static int snd_sh_dac_pcm_copy(struct snd_pcm_substream *substream, + { + /* channel is not used (interleaved data) */ + struct snd_sh_dac *chip = snd_pcm_substream_chip(substream); +- struct snd_pcm_runtime *runtime = substream->runtime; + + if (copy_from_user_toio(chip->data_buffer + pos, src, count)) + return -EFAULT; +@@ -210,7 +209,6 @@ static int snd_sh_dac_pcm_copy_kernel(struct snd_pcm_substream *substream, + { + /* channel is not used (interleaved data) */ + struct snd_sh_dac *chip = snd_pcm_substream_chip(substream); +- struct snd_pcm_runtime *runtime = substream->runtime; + + memcpy_toio(chip->data_buffer + pos, src, count); + chip->buffer_end = chip->data_buffer + pos + count; +@@ -229,7 +227,6 @@ static int snd_sh_dac_pcm_silence(struct snd_pcm_substream *substream, + { + /* channel is not used (interleaved data) */ + struct snd_sh_dac *chip = snd_pcm_substream_chip(substream); +- struct snd_pcm_runtime *runtime = substream->runtime; + + memset_io(chip->data_buffer + pos, 0, count); + chip->buffer_end = chip->data_buffer + pos + count; +-- +2.20.1 + diff --git a/queue-4.14/alsa-usx2y-adjust-indentation-in-snd_usx2y_hwdep_dsp.patch b/queue-4.14/alsa-usx2y-adjust-indentation-in-snd_usx2y_hwdep_dsp.patch new file mode 100644 index 00000000000..9d5b235bf73 --- /dev/null +++ b/queue-4.14/alsa-usx2y-adjust-indentation-in-snd_usx2y_hwdep_dsp.patch @@ -0,0 +1,51 @@ +From fa35b2e9b3f2f821bb29d1e77508a3bba37c495b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Dec 2019 20:42:57 -0700 +Subject: ALSA: usx2y: Adjust indentation in snd_usX2Y_hwdep_dsp_status + +From: Nathan Chancellor + +[ Upstream commit df4654bd6e42125d9b85ce3a26eaca2935290b98 ] + +Clang warns: + +../sound/usb/usx2y/usX2Yhwdep.c:122:3: warning: misleading indentation; +statement is not part of the previous 'if' [-Wmisleading-indentation] + info->version = USX2Y_DRIVER_VERSION; + ^ +../sound/usb/usx2y/usX2Yhwdep.c:120:2: note: previous statement is here + if (us428->chip_status & USX2Y_STAT_CHIP_INIT) + ^ +1 warning generated. + +This warning occurs because there is a space before the tab on this +line. Remove it so that the indentation is consistent with the Linux +kernel coding style and clang no longer warns. + +This was introduced before the beginning of git history so no fixes tag. + +Link: https://github.com/ClangBuiltLinux/linux/issues/831 +Signed-off-by: Nathan Chancellor +Link: https://lore.kernel.org/r/20191218034257.54535-1-natechancellor@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/usx2y/usX2Yhwdep.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/usb/usx2y/usX2Yhwdep.c b/sound/usb/usx2y/usX2Yhwdep.c +index f4b3cda412fcc..e75271e731b2d 100644 +--- a/sound/usb/usx2y/usX2Yhwdep.c ++++ b/sound/usb/usx2y/usX2Yhwdep.c +@@ -131,7 +131,7 @@ static int snd_usX2Y_hwdep_dsp_status(struct snd_hwdep *hw, + info->num_dsps = 2; // 0: Prepad Data, 1: FPGA Code + if (us428->chip_status & USX2Y_STAT_CHIP_INIT) + info->chip_ready = 1; +- info->version = USX2Y_DRIVER_VERSION; ++ info->version = USX2Y_DRIVER_VERSION; + return 0; + } + +-- +2.20.1 + diff --git a/queue-4.14/arm-8951-1-fix-kexec-compilation-issue.patch b/queue-4.14/arm-8951-1-fix-kexec-compilation-issue.patch new file mode 100644 index 00000000000..faac9670cd5 --- /dev/null +++ b/queue-4.14/arm-8951-1-fix-kexec-compilation-issue.patch @@ -0,0 +1,53 @@ +From f746ab134c3dbc7c50aa0d73577f5e303adc62fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jan 2020 13:37:59 +0100 +Subject: ARM: 8951/1: Fix Kexec compilation issue. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Vincenzo Frascino + +[ Upstream commit 76950f7162cad51d2200ebd22c620c14af38f718 ] + +To perform the reserve_crashkernel() operation kexec uses SECTION_SIZE to +find a memblock in a range. +SECTION_SIZE is not defined for nommu systems. Trying to compile kexec in +these conditions results in a build error: + + linux/arch/arm/kernel/setup.c: In function ‘reserve_crashkernel’: + linux/arch/arm/kernel/setup.c:1016:25: error: ‘SECTION_SIZE’ undeclared + (first use in this function); did you mean ‘SECTIONS_WIDTH’? + crash_size, SECTION_SIZE); + ^~~~~~~~~~~~ + SECTIONS_WIDTH + linux/arch/arm/kernel/setup.c:1016:25: note: each undeclared identifier + is reported only once for each function it appears in + linux/scripts/Makefile.build:265: recipe for target 'arch/arm/kernel/setup.o' + failed + +Make KEXEC depend on MMU to fix the compilation issue. + +Signed-off-by: Vincenzo Frascino +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig +index ba9325fc75b85..7a8fbe9a077bb 100644 +--- a/arch/arm/Kconfig ++++ b/arch/arm/Kconfig +@@ -2005,7 +2005,7 @@ config XIP_PHYS_ADDR + config KEXEC + bool "Kexec system call (EXPERIMENTAL)" + depends on (!SMP || PM_SLEEP_SMP) +- depends on !CPU_V7M ++ depends on MMU + select KEXEC_CORE + help + kexec is a system call that implements the ability to shutdown your +-- +2.20.1 + diff --git a/queue-4.14/arm-dts-allwinner-h3-add-pmu-node.patch b/queue-4.14/arm-dts-allwinner-h3-add-pmu-node.patch new file mode 100644 index 00000000000..2cd259e8084 --- /dev/null +++ b/queue-4.14/arm-dts-allwinner-h3-add-pmu-node.patch @@ -0,0 +1,68 @@ +From 1799153a946972238e995b83d9364059534dcc6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Nov 2019 01:18:35 +0000 +Subject: arm: dts: allwinner: H3: Add PMU node + +From: Andre Przywara + +[ Upstream commit 0388a110747bec0c9d9de995842bb2a03a26aae1 ] + +Add the Performance Monitoring Unit (PMU) device tree node to the H3 +.dtsi, which tells DT users which interrupts are triggered by PMU +overflow events on each core. The numbers come from the manual and have +been checked in U-Boot and with perf in Linux. + +Tested with perf record and taskset on an OrangePi Zero. + +Signed-off-by: Andre Przywara +Signed-off-by: Maxime Ripard +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/sun8i-h3.dtsi | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/boot/dts/sun8i-h3.dtsi b/arch/arm/boot/dts/sun8i-h3.dtsi +index b36f9f423c39d..d685beb49659c 100644 +--- a/arch/arm/boot/dts/sun8i-h3.dtsi ++++ b/arch/arm/boot/dts/sun8i-h3.dtsi +@@ -53,25 +53,34 @@ + reg = <0>; + }; + +- cpu@1 { ++ cpu1: cpu@1 { + compatible = "arm,cortex-a7"; + device_type = "cpu"; + reg = <1>; + }; + +- cpu@2 { ++ cpu2: cpu@2 { + compatible = "arm,cortex-a7"; + device_type = "cpu"; + reg = <2>; + }; + +- cpu@3 { ++ cpu3: cpu@3 { + compatible = "arm,cortex-a7"; + device_type = "cpu"; + reg = <3>; + }; + }; + ++ pmu { ++ compatible = "arm,cortex-a7-pmu"; ++ interrupts = , ++ , ++ , ++ ; ++ interrupt-affinity = <&cpu0>, <&cpu1>, <&cpu2>, <&cpu3>; ++ }; ++ + timer { + compatible = "arm,armv7-timer"; + interrupts = , +-- +2.20.1 + diff --git a/queue-4.14/arm-dts-imx6-rdu2-disable-wp-for-usdhc2-and-usdhc3.patch b/queue-4.14/arm-dts-imx6-rdu2-disable-wp-for-usdhc2-and-usdhc3.patch new file mode 100644 index 00000000000..b14fb6b6076 --- /dev/null +++ b/queue-4.14/arm-dts-imx6-rdu2-disable-wp-for-usdhc2-and-usdhc3.patch @@ -0,0 +1,69 @@ +From 2437062c853ec9e24c27626f1354b90ba4760f6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Dec 2019 08:50:17 -0800 +Subject: ARM: dts: imx6: rdu2: Disable WP for USDHC2 and USDHC3 + +From: Andrey Smirnov + +[ Upstream commit cd58a174e58649426fb43d7456e5f7d7eab58af1 ] + +RDU2 production units come with resistor connecting WP pin to +correpsonding GPIO DNPed for both SD card slots. Drop any WP related +configuration and mark both slots with "disable-wp". + +Reported-by: Chris Healy +Reviewed-by: Chris Healy +Reviewed-by: Lucas Stach +Signed-off-by: Andrey Smirnov +Cc: Shawn Guo +Cc: Fabio Estevam +Cc: Lucas Stach +Cc: linux-arm-kernel@lists.infradead.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6qdl-zii-rdu2.dtsi | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/arch/arm/boot/dts/imx6qdl-zii-rdu2.dtsi b/arch/arm/boot/dts/imx6qdl-zii-rdu2.dtsi +index 849eb3443cde2..719e63092c2ea 100644 +--- a/arch/arm/boot/dts/imx6qdl-zii-rdu2.dtsi ++++ b/arch/arm/boot/dts/imx6qdl-zii-rdu2.dtsi +@@ -587,7 +587,7 @@ + pinctrl-0 = <&pinctrl_usdhc2>; + bus-width = <4>; + cd-gpios = <&gpio2 2 GPIO_ACTIVE_LOW>; +- wp-gpios = <&gpio2 3 GPIO_ACTIVE_HIGH>; ++ disable-wp; + vmmc-supply = <®_3p3v_sd>; + vqmmc-supply = <®_3p3v>; + status = "okay"; +@@ -598,7 +598,7 @@ + pinctrl-0 = <&pinctrl_usdhc3>; + bus-width = <4>; + cd-gpios = <&gpio2 0 GPIO_ACTIVE_LOW>; +- wp-gpios = <&gpio2 1 GPIO_ACTIVE_HIGH>; ++ disable-wp; + vmmc-supply = <®_3p3v_sd>; + vqmmc-supply = <®_3p3v>; + status = "okay"; +@@ -1001,7 +1001,6 @@ + MX6QDL_PAD_SD2_DAT1__SD2_DATA1 0x17059 + MX6QDL_PAD_SD2_DAT2__SD2_DATA2 0x17059 + MX6QDL_PAD_SD2_DAT3__SD2_DATA3 0x17059 +- MX6QDL_PAD_NANDF_D3__GPIO2_IO03 0x40010040 + MX6QDL_PAD_NANDF_D2__GPIO2_IO02 0x40010040 + >; + }; +@@ -1014,7 +1013,6 @@ + MX6QDL_PAD_SD3_DAT1__SD3_DATA1 0x17059 + MX6QDL_PAD_SD3_DAT2__SD3_DATA2 0x17059 + MX6QDL_PAD_SD3_DAT3__SD3_DATA3 0x17059 +- MX6QDL_PAD_NANDF_D1__GPIO2_IO01 0x40010040 + MX6QDL_PAD_NANDF_D0__GPIO2_IO00 0x40010040 + + >; +-- +2.20.1 + diff --git a/queue-4.14/arm-dts-r8a7779-add-device-node-for-arm-global-timer.patch b/queue-4.14/arm-dts-r8a7779-add-device-node-for-arm-global-timer.patch new file mode 100644 index 00000000000..016a6c46575 --- /dev/null +++ b/queue-4.14/arm-dts-r8a7779-add-device-node-for-arm-global-timer.patch @@ -0,0 +1,44 @@ +From ec54fe5201042e270ec4acf26bd600c05bb469e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2019 14:52:21 +0100 +Subject: ARM: dts: r8a7779: Add device node for ARM global timer + +From: Geert Uytterhoeven + +[ Upstream commit 8443ffd1bbd5be74e9b12db234746d12e8ea93e2 ] + +Add a device node for the global timer, which is part of the Cortex-A9 +MPCore. + +The global timer can serve as an accurate (4 ns) clock source for +scheduling and delay loops. + +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20191211135222.26770-4-geert+renesas@glider.be +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/r8a7779.dtsi | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/arch/arm/boot/dts/r8a7779.dtsi b/arch/arm/boot/dts/r8a7779.dtsi +index 8ee0b2ca5d39a..2face089d65b9 100644 +--- a/arch/arm/boot/dts/r8a7779.dtsi ++++ b/arch/arm/boot/dts/r8a7779.dtsi +@@ -67,6 +67,14 @@ + <0xf0000100 0x100>; + }; + ++ timer@f0000200 { ++ compatible = "arm,cortex-a9-global-timer"; ++ reg = <0xf0000200 0x100>; ++ interrupts = ; ++ clocks = <&cpg_clocks R8A7779_CLK_ZS>; ++ }; ++ + timer@f0000600 { + compatible = "arm,cortex-a9-twd-timer"; + reg = <0xf0000600 0x20>; +-- +2.20.1 + diff --git a/queue-4.14/arm64-dts-qcom-msm8996-disable-usb2-phy-suspend-by-c.patch b/queue-4.14/arm64-dts-qcom-msm8996-disable-usb2-phy-suspend-by-c.patch new file mode 100644 index 00000000000..13f168d9974 --- /dev/null +++ b/queue-4.14/arm64-dts-qcom-msm8996-disable-usb2-phy-suspend-by-c.patch @@ -0,0 +1,51 @@ +From 43de3a0588edb1043858f652a3f10a52fcf45462 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Dec 2019 16:15:01 +0100 +Subject: arm64: dts: qcom: msm8996: Disable USB2 PHY suspend by core + +From: Manu Gautam + +[ Upstream commit d026c96b25b7ce5df89526aad2df988d553edb4d ] + +QUSB2 PHY on msm8996 doesn't work well when autosuspend by +dwc3 core using USB2PHYCFG register is enabled. One of the +issue seen is that PHY driver reports PLL lock failure and +fails phy_init() if dwc3 core has USB2 PHY suspend enabled. +Fix this by using quirks to disable USB2 PHY LPM/suspend and +dwc3 core already takes care of explicitly suspending PHY +during suspend if quirks are specified. + +Signed-off-by: Manu Gautam +Signed-off-by: Paolo Pisati +Link: https://lore.kernel.org/r/20191209151501.26993-1-p.pisati@gmail.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/msm8996.dtsi | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/arch/arm64/boot/dts/qcom/msm8996.dtsi b/arch/arm64/boot/dts/qcom/msm8996.dtsi +index 6f372ec055dd3..da2949586c7a3 100644 +--- a/arch/arm64/boot/dts/qcom/msm8996.dtsi ++++ b/arch/arm64/boot/dts/qcom/msm8996.dtsi +@@ -788,6 +788,8 @@ + interrupts = <0 138 0>; + phys = <&hsusb_phy2>; + phy-names = "usb2-phy"; ++ snps,dis_u2_susphy_quirk; ++ snps,dis_enblslpm_quirk; + }; + }; + +@@ -817,6 +819,8 @@ + interrupts = <0 131 0>; + phys = <&hsusb_phy1>, <&ssusb_phy_0>; + phy-names = "usb2-phy", "usb3-phy"; ++ snps,dis_u2_susphy_quirk; ++ snps,dis_enblslpm_quirk; + }; + }; + }; +-- +2.20.1 + diff --git a/queue-4.14/arm64-fix-alternatives-with-llvm-s-integrated-assemb.patch b/queue-4.14/arm64-fix-alternatives-with-llvm-s-integrated-assemb.patch new file mode 100644 index 00000000000..5d1c3cbccee --- /dev/null +++ b/queue-4.14/arm64-fix-alternatives-with-llvm-s-integrated-assemb.patch @@ -0,0 +1,119 @@ +From 844bfdee20a66210b5586a34f932f1437eb59556 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Oct 2019 12:46:52 -0700 +Subject: arm64: fix alternatives with LLVM's integrated assembler + +From: Sami Tolvanen + +[ Upstream commit c54f90c2627cc316d365e3073614731e17dbc631 ] + +LLVM's integrated assembler fails with the following error when +building KVM: + + :12:6: error: expected absolute expression + .if kvm_update_va_mask == 0 + ^ + :21:6: error: expected absolute expression + .if kvm_update_va_mask == 0 + ^ + :24:2: error: unrecognized instruction mnemonic + NOT_AN_INSTRUCTION + ^ + LLVM ERROR: Error parsing inline asm + +These errors come from ALTERNATIVE_CB and __ALTERNATIVE_CFG, +which test for the existence of the callback parameter in inline +assembly using the following expression: + + " .if " __stringify(cb) " == 0\n" + +This works with GNU as, but isn't supported by LLVM. This change +splits __ALTERNATIVE_CFG and ALTINSTR_ENTRY into separate macros +to fix the LLVM build. + +Link: https://github.com/ClangBuiltLinux/linux/issues/472 +Signed-off-by: Sami Tolvanen +Tested-by: Nick Desaulniers +Reviewed-by: Kees Cook +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/alternative.h | 32 ++++++++++++++++++---------- + 1 file changed, 21 insertions(+), 11 deletions(-) + +diff --git a/arch/arm64/include/asm/alternative.h b/arch/arm64/include/asm/alternative.h +index a91933b1e2e62..4cd4a793dc328 100644 +--- a/arch/arm64/include/asm/alternative.h ++++ b/arch/arm64/include/asm/alternative.h +@@ -30,13 +30,16 @@ typedef void (*alternative_cb_t)(struct alt_instr *alt, + void __init apply_alternatives_all(void); + void apply_alternatives(void *start, size_t length); + +-#define ALTINSTR_ENTRY(feature,cb) \ ++#define ALTINSTR_ENTRY(feature) \ + " .word 661b - .\n" /* label */ \ +- " .if " __stringify(cb) " == 0\n" \ + " .word 663f - .\n" /* new instruction */ \ +- " .else\n" \ ++ " .hword " __stringify(feature) "\n" /* feature bit */ \ ++ " .byte 662b-661b\n" /* source len */ \ ++ " .byte 664f-663f\n" /* replacement len */ ++ ++#define ALTINSTR_ENTRY_CB(feature, cb) \ ++ " .word 661b - .\n" /* label */ \ + " .word " __stringify(cb) "- .\n" /* callback */ \ +- " .endif\n" \ + " .hword " __stringify(feature) "\n" /* feature bit */ \ + " .byte 662b-661b\n" /* source len */ \ + " .byte 664f-663f\n" /* replacement len */ +@@ -57,15 +60,14 @@ void apply_alternatives(void *start, size_t length); + * + * Alternatives with callbacks do not generate replacement instructions. + */ +-#define __ALTERNATIVE_CFG(oldinstr, newinstr, feature, cfg_enabled, cb) \ ++#define __ALTERNATIVE_CFG(oldinstr, newinstr, feature, cfg_enabled) \ + ".if "__stringify(cfg_enabled)" == 1\n" \ + "661:\n\t" \ + oldinstr "\n" \ + "662:\n" \ + ".pushsection .altinstructions,\"a\"\n" \ +- ALTINSTR_ENTRY(feature,cb) \ ++ ALTINSTR_ENTRY(feature) \ + ".popsection\n" \ +- " .if " __stringify(cb) " == 0\n" \ + ".pushsection .altinstr_replacement, \"a\"\n" \ + "663:\n\t" \ + newinstr "\n" \ +@@ -73,17 +75,25 @@ void apply_alternatives(void *start, size_t length); + ".popsection\n\t" \ + ".org . - (664b-663b) + (662b-661b)\n\t" \ + ".org . - (662b-661b) + (664b-663b)\n" \ +- ".else\n\t" \ ++ ".endif\n" ++ ++#define __ALTERNATIVE_CFG_CB(oldinstr, feature, cfg_enabled, cb) \ ++ ".if "__stringify(cfg_enabled)" == 1\n" \ ++ "661:\n\t" \ ++ oldinstr "\n" \ ++ "662:\n" \ ++ ".pushsection .altinstructions,\"a\"\n" \ ++ ALTINSTR_ENTRY_CB(feature, cb) \ ++ ".popsection\n" \ + "663:\n\t" \ + "664:\n\t" \ +- ".endif\n" \ + ".endif\n" + + #define _ALTERNATIVE_CFG(oldinstr, newinstr, feature, cfg, ...) \ +- __ALTERNATIVE_CFG(oldinstr, newinstr, feature, IS_ENABLED(cfg), 0) ++ __ALTERNATIVE_CFG(oldinstr, newinstr, feature, IS_ENABLED(cfg)) + + #define ALTERNATIVE_CB(oldinstr, cb) \ +- __ALTERNATIVE_CFG(oldinstr, "NOT_AN_INSTRUCTION", ARM64_CB_PATCH, 1, cb) ++ __ALTERNATIVE_CFG_CB(oldinstr, ARM64_CB_PATCH, 1, cb) + #else + + #include +-- +2.20.1 + diff --git a/queue-4.14/asoc-atmel-fix-build-error-with-config_snd_atmel_soc.patch b/queue-4.14/asoc-atmel-fix-build-error-with-config_snd_atmel_soc.patch new file mode 100644 index 00000000000..698be994d20 --- /dev/null +++ b/queue-4.14/asoc-atmel-fix-build-error-with-config_snd_atmel_soc.patch @@ -0,0 +1,43 @@ +From cdf7e61c724a5289f2edc16ada0e330a3a094f82 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jan 2020 21:32:42 +0800 +Subject: ASoC: atmel: fix build error with CONFIG_SND_ATMEL_SOC_DMA=m + +From: Chen Zhou + +[ Upstream commit 8fea78029f5e6ed734ae1957bef23cfda1af4354 ] + +If CONFIG_SND_ATMEL_SOC_DMA=m, build error: + +sound/soc/atmel/atmel_ssc_dai.o: In function `atmel_ssc_set_audio': +(.text+0x7cd): undefined reference to `atmel_pcm_dma_platform_register' + +Function atmel_pcm_dma_platform_register is defined under +CONFIG SND_ATMEL_SOC_DMA, so select SND_ATMEL_SOC_DMA in +CONFIG SND_ATMEL_SOC_SSC, same to CONFIG_SND_ATMEL_SOC_PDC. + +Reported-by: Hulk Robot +Signed-off-by: Chen Zhou +Link: https://lore.kernel.org/r/20200113133242.144550-1-chenzhou10@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/atmel/Kconfig | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/soc/atmel/Kconfig b/sound/soc/atmel/Kconfig +index 4a56f3dfba513..23887613b5c39 100644 +--- a/sound/soc/atmel/Kconfig ++++ b/sound/soc/atmel/Kconfig +@@ -25,6 +25,8 @@ config SND_ATMEL_SOC_DMA + + config SND_ATMEL_SOC_SSC_DMA + tristate ++ select SND_ATMEL_SOC_DMA ++ select SND_ATMEL_SOC_PDC + + config SND_ATMEL_SOC_SSC + tristate +-- +2.20.1 + diff --git a/queue-4.14/b43legacy-fix-wcast-function-type.patch b/queue-4.14/b43legacy-fix-wcast-function-type.patch new file mode 100644 index 00000000000..18ac1196772 --- /dev/null +++ b/queue-4.14/b43legacy-fix-wcast-function-type.patch @@ -0,0 +1,48 @@ +From 99339cc3f6a485ff449e8b10fad3a38ca912a3bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Nov 2019 00:55:26 +0700 +Subject: b43legacy: Fix -Wcast-function-type + +From: Phong Tran + +[ Upstream commit 475eec112e4267232d10f4afe2f939a241692b6c ] + +correct usage prototype of callback in tasklet_init(). +Report by https://github.com/KSPP/linux/issues/20 + +Tested-by: Larry Finger +Signed-off-by: Phong Tran +Reviewed-by: Kees Cook +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/b43legacy/main.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/b43legacy/main.c b/drivers/net/wireless/broadcom/b43legacy/main.c +index f1e3dad576292..f435bd0f8b5b5 100644 +--- a/drivers/net/wireless/broadcom/b43legacy/main.c ++++ b/drivers/net/wireless/broadcom/b43legacy/main.c +@@ -1304,8 +1304,9 @@ static void handle_irq_ucode_debug(struct b43legacy_wldev *dev) + } + + /* Interrupt handler bottom-half */ +-static void b43legacy_interrupt_tasklet(struct b43legacy_wldev *dev) ++static void b43legacy_interrupt_tasklet(unsigned long data) + { ++ struct b43legacy_wldev *dev = (struct b43legacy_wldev *)data; + u32 reason; + u32 dma_reason[ARRAY_SIZE(dev->dma_reason)]; + u32 merged_dma_reason = 0; +@@ -3775,7 +3776,7 @@ static int b43legacy_one_core_attach(struct ssb_device *dev, + b43legacy_set_status(wldev, B43legacy_STAT_UNINIT); + wldev->bad_frames_preempt = modparam_bad_frames_preempt; + tasklet_init(&wldev->isr_tasklet, +- (void (*)(unsigned long))b43legacy_interrupt_tasklet, ++ b43legacy_interrupt_tasklet, + (unsigned long)wldev); + if (modparam_pio) + wldev->__using_pio = true; +-- +2.20.1 + diff --git a/queue-4.14/bcache-explicity-type-cast-in-bset_bkey_last.patch b/queue-4.14/bcache-explicity-type-cast-in-bset_bkey_last.patch new file mode 100644 index 00000000000..d2d607f7af8 --- /dev/null +++ b/queue-4.14/bcache-explicity-type-cast-in-bset_bkey_last.patch @@ -0,0 +1,52 @@ +From 22f65e1a73a3f85a3177e59422da71f789d0302f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Feb 2020 22:42:32 +0800 +Subject: bcache: explicity type cast in bset_bkey_last() + +From: Coly Li + +[ Upstream commit 7c02b0055f774ed9afb6e1c7724f33bf148ffdc0 ] + +In bset.h, macro bset_bkey_last() is defined as, + bkey_idx((struct bkey *) (i)->d, (i)->keys) + +Parameter i can be variable type of data structure, the macro always +works once the type of struct i has member 'd' and 'keys'. + +bset_bkey_last() is also used in macro csum_set() to calculate the +checksum of a on-disk data structure. When csum_set() is used to +calculate checksum of on-disk bcache super block, the parameter 'i' +data type is struct cache_sb_disk. Inside struct cache_sb_disk (also in +struct cache_sb) the member keys is __u16 type. But bkey_idx() expects +unsigned int (a 32bit width), so there is problem when sending +parameters via stack to call bkey_idx(). + +Sparse tool from Intel 0day kbuild system reports this incompatible +problem. bkey_idx() is part of user space API, so the simplest fix is +to cast the (i)->keys to unsigned int type in macro bset_bkey_last(). + +Reported-by: kbuild test robot +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/md/bcache/bset.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/md/bcache/bset.h b/drivers/md/bcache/bset.h +index 8d1964b472e7e..0bfde500af196 100644 +--- a/drivers/md/bcache/bset.h ++++ b/drivers/md/bcache/bset.h +@@ -381,7 +381,8 @@ void bch_btree_keys_stats(struct btree_keys *, struct bset_stats *); + + /* Bkey utility code */ + +-#define bset_bkey_last(i) bkey_idx((struct bkey *) (i)->d, (i)->keys) ++#define bset_bkey_last(i) bkey_idx((struct bkey *) (i)->d, \ ++ (unsigned int)(i)->keys) + + static inline struct bkey *bset_bkey_idx(struct bset *i, unsigned idx) + { +-- +2.20.1 + diff --git a/queue-4.14/brcmfmac-fix-use-after-free-in-brcmf_sdio_readframes.patch b/queue-4.14/brcmfmac-fix-use-after-free-in-brcmf_sdio_readframes.patch new file mode 100644 index 00000000000..810884801fe --- /dev/null +++ b/queue-4.14/brcmfmac-fix-use-after-free-in-brcmf_sdio_readframes.patch @@ -0,0 +1,41 @@ +From 5f17c16df64c61e19f72edcdfd055aeece42f96f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2019 12:58:55 +0300 +Subject: brcmfmac: Fix use after free in brcmf_sdio_readframes() + +From: Dan Carpenter + +[ Upstream commit 216b44000ada87a63891a8214c347e05a4aea8fe ] + +The brcmu_pkt_buf_free_skb() function frees "pkt" so it leads to a +static checker warning: + + drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c:1974 brcmf_sdio_readframes() + error: dereferencing freed memory 'pkt' + +It looks like there was supposed to be a continue after we free "pkt". + +Fixes: 4754fceeb9a6 ("brcmfmac: streamline SDIO read frame routine") +Signed-off-by: Dan Carpenter +Acked-by: Franky Lin +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c +index 4c28b04ea6053..d198a8780b966 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c +@@ -1932,6 +1932,7 @@ static uint brcmf_sdio_readframes(struct brcmf_sdio *bus, uint maxframes) + BRCMF_SDIO_FT_NORMAL)) { + rd->len = 0; + brcmu_pkt_buf_free_skb(pkt); ++ continue; + } + bus->sdcnt.rx_readahead_cnt++; + if (rd->len != roundup(rd_new.len, 16)) { +-- +2.20.1 + diff --git a/queue-4.14/brd-check-and-limit-max_part-par.patch b/queue-4.14/brd-check-and-limit-max_part-par.patch new file mode 100644 index 00000000000..56b9a049e92 --- /dev/null +++ b/queue-4.14/brd-check-and-limit-max_part-par.patch @@ -0,0 +1,109 @@ +From 933dcb765e03002a228bac0e950f2c3edd6c5d52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Feb 2020 19:30:20 +0800 +Subject: brd: check and limit max_part par + +From: Zhiqiang Liu + +[ Upstream commit c8ab422553c81a0eb070329c63725df1cd1425bc ] + +In brd_init func, rd_nr num of brd_device are firstly allocated +and add in brd_devices, then brd_devices are traversed to add each +brd_device by calling add_disk func. When allocating brd_device, +the disk->first_minor is set to i * max_part, if rd_nr * max_part +is larger than MINORMASK, two different brd_device may have the same +devt, then only one of them can be successfully added. +when rmmod brd.ko, it will cause oops when calling brd_exit. + +Follow those steps: + # modprobe brd rd_nr=3 rd_size=102400 max_part=1048576 + # rmmod brd +then, the oops will appear. + +Oops log: +[ 726.613722] Call trace: +[ 726.614175] kernfs_find_ns+0x24/0x130 +[ 726.614852] kernfs_find_and_get_ns+0x44/0x68 +[ 726.615749] sysfs_remove_group+0x38/0xb0 +[ 726.616520] blk_trace_remove_sysfs+0x1c/0x28 +[ 726.617320] blk_unregister_queue+0x98/0x100 +[ 726.618105] del_gendisk+0x144/0x2b8 +[ 726.618759] brd_exit+0x68/0x560 [brd] +[ 726.619501] __arm64_sys_delete_module+0x19c/0x2a0 +[ 726.620384] el0_svc_common+0x78/0x130 +[ 726.621057] el0_svc_handler+0x38/0x78 +[ 726.621738] el0_svc+0x8/0xc +[ 726.622259] Code: aa0203f6 aa0103f7 aa1e03e0 d503201f (7940e260) + +Here, we add brd_check_and_reset_par func to check and limit max_part par. + +-- +V5->V6: + - remove useless code + +V4->V5:(suggested by Ming Lei) + - make sure max_part is not larger than DISK_MAX_PARTS + +V3->V4:(suggested by Ming Lei) + - remove useless change + - add one limit of max_part + +V2->V3: (suggested by Ming Lei) + - clear .minors when running out of consecutive minor space in brd_alloc + - remove limit of rd_nr + +V1->V2: + - add more checks in brd_check_par_valid as suggested by Ming Lei. + +Signed-off-by: Zhiqiang Liu +Reviewed-by: Bob Liu +Reviewed-by: Ming Lei +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/brd.c | 22 ++++++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +diff --git a/drivers/block/brd.c b/drivers/block/brd.c +index 2d7178f7754ed..0129b1921cb36 100644 +--- a/drivers/block/brd.c ++++ b/drivers/block/brd.c +@@ -529,6 +529,25 @@ static struct kobject *brd_probe(dev_t dev, int *part, void *data) + return kobj; + } + ++static inline void brd_check_and_reset_par(void) ++{ ++ if (unlikely(!max_part)) ++ max_part = 1; ++ ++ /* ++ * make sure 'max_part' can be divided exactly by (1U << MINORBITS), ++ * otherwise, it is possiable to get same dev_t when adding partitions. ++ */ ++ if ((1U << MINORBITS) % max_part != 0) ++ max_part = 1UL << fls(max_part); ++ ++ if (max_part > DISK_MAX_PARTS) { ++ pr_info("brd: max_part can't be larger than %d, reset max_part = %d.\n", ++ DISK_MAX_PARTS, DISK_MAX_PARTS); ++ max_part = DISK_MAX_PARTS; ++ } ++} ++ + static int __init brd_init(void) + { + struct brd_device *brd, *next; +@@ -552,8 +571,7 @@ static int __init brd_init(void) + if (register_blkdev(RAMDISK_MAJOR, "ramdisk")) + return -EIO; + +- if (unlikely(!max_part)) +- max_part = 1; ++ brd_check_and_reset_par(); + + for (i = 0; i < rd_nr; i++) { + brd = brd_alloc(i); +-- +2.20.1 + diff --git a/queue-4.14/btrfs-device-stats-log-when-stats-are-zeroed.patch b/queue-4.14/btrfs-device-stats-log-when-stats-are-zeroed.patch new file mode 100644 index 00000000000..c01468c6691 --- /dev/null +++ b/queue-4.14/btrfs-device-stats-log-when-stats-are-zeroed.patch @@ -0,0 +1,47 @@ +From 2577745217cd831ad43a22c527d5420efee8ab37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jan 2020 12:26:34 +0800 +Subject: btrfs: device stats, log when stats are zeroed + +From: Anand Jain + +[ Upstream commit a69976bc69308aa475d0ba3b8b3efd1d013c0460 ] + +We had a report indicating that some read errors aren't reported by the +device stats in the userland. It is important to have the errors +reported in the device stat as user land scripts might depend on it to +take the reasonable corrective actions. But to debug these issue we need +to be really sure that request to reset the device stat did not come +from the userland itself. So log an info message when device error reset +happens. + +For example: + BTRFS info (device sdc): device stats zeroed by btrfs(9223) + +Reported-by: philip@philip-seeger.de +Link: https://www.spinics.net/lists/linux-btrfs/msg96528.html +Reviewed-by: Josef Bacik +Signed-off-by: Anand Jain +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/volumes.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c +index 358e930df4acd..6d34842912e80 100644 +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -7227,6 +7227,8 @@ int btrfs_get_dev_stats(struct btrfs_fs_info *fs_info, + else + btrfs_dev_stat_reset(dev, i); + } ++ btrfs_info(fs_info, "device stats zeroed by %s (%d)", ++ current->comm, task_pid_nr(current)); + } else { + for (i = 0; i < BTRFS_DEV_STAT_VALUES_MAX; i++) + if (stats->nr_items > i) +-- +2.20.1 + diff --git a/queue-4.14/btrfs-fix-possible-null-pointer-dereference-in-integ.patch b/queue-4.14/btrfs-fix-possible-null-pointer-dereference-in-integ.patch new file mode 100644 index 00000000000..8b45f1823be --- /dev/null +++ b/queue-4.14/btrfs-fix-possible-null-pointer-dereference-in-integ.patch @@ -0,0 +1,51 @@ +From 91ac893c2f7a9c1190252dbe3b2eed95d3fa6db6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Dec 2019 14:19:57 +0100 +Subject: btrfs: fix possible NULL-pointer dereference in integrity checks + +From: Johannes Thumshirn + +[ Upstream commit 3dbd351df42109902fbcebf27104149226a4fcd9 ] + +A user reports a possible NULL-pointer dereference in +btrfsic_process_superblock(). We are assigning state->fs_info to a local +fs_info variable and afterwards checking for the presence of state. + +While we would BUG_ON() a NULL state anyways, we can also just remove +the local fs_info copy, as fs_info is only used once as the first +argument for btrfs_num_copies(). There we can just pass in +state->fs_info as well. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=205003 +Signed-off-by: Johannes Thumshirn +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/check-integrity.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/fs/btrfs/check-integrity.c b/fs/btrfs/check-integrity.c +index 7d5a9b51f0d7a..4be07cf31d74c 100644 +--- a/fs/btrfs/check-integrity.c ++++ b/fs/btrfs/check-integrity.c +@@ -642,7 +642,6 @@ static struct btrfsic_dev_state *btrfsic_dev_state_hashtable_lookup(dev_t dev, + static int btrfsic_process_superblock(struct btrfsic_state *state, + struct btrfs_fs_devices *fs_devices) + { +- struct btrfs_fs_info *fs_info = state->fs_info; + struct btrfs_super_block *selected_super; + struct list_head *dev_head = &fs_devices->devices; + struct btrfs_device *device; +@@ -713,7 +712,7 @@ static int btrfsic_process_superblock(struct btrfsic_state *state, + break; + } + +- num_copies = btrfs_num_copies(fs_info, next_bytenr, ++ num_copies = btrfs_num_copies(state->fs_info, next_bytenr, + state->metablock_size); + if (state->print_mask & BTRFSIC_PRINT_MASK_NUM_COPIES) + pr_info("num_copies(log_bytenr=%llu) = %d\n", +-- +2.20.1 + diff --git a/queue-4.14/btrfs-safely-advance-counter-when-looking-up-bio-csu.patch b/queue-4.14/btrfs-safely-advance-counter-when-looking-up-bio-csu.patch new file mode 100644 index 00000000000..413a7683aa7 --- /dev/null +++ b/queue-4.14/btrfs-safely-advance-counter-when-looking-up-bio-csu.patch @@ -0,0 +1,53 @@ +From 4cc3fc7c5736513856fbfd706f9f07695c4047f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jan 2020 15:29:53 +0100 +Subject: btrfs: safely advance counter when looking up bio csums + +From: David Sterba + +[ Upstream commit 4babad10198fa73fe73239d02c2e99e3333f5f5c ] + +Dan's smatch tool reports + + fs/btrfs/file-item.c:295 btrfs_lookup_bio_sums() + warn: should this be 'count == -1' + +which points to the while (count--) loop. With count == 0 the check +itself could decrement it to -1. There's a WARN_ON a few lines below +that has never been seen in practice though. + +It turns out that the value of page_bytes_left matches the count (by +sectorsize multiples). The loop never reaches the state where count +would go to -1, because page_bytes_left == 0 is found first and this +breaks out. + +For clarity, use only plain check on count (and only for positive +value), decrement safely inside the loop. Any other discrepancy after +the whole bio list processing should be reported by the exising +WARN_ON_ONCE as well. + +Reported-by: Dan Carpenter +Reviewed-by: Josef Bacik +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/file-item.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/file-item.c b/fs/btrfs/file-item.c +index 702b3606ad0ec..717d82d51bb13 100644 +--- a/fs/btrfs/file-item.c ++++ b/fs/btrfs/file-item.c +@@ -288,7 +288,8 @@ found: + csum += count * csum_size; + nblocks -= count; + next: +- while (count--) { ++ while (count > 0) { ++ count--; + disk_bytenr += fs_info->sectorsize; + offset += fs_info->sectorsize; + page_bytes_left -= fs_info->sectorsize; +-- +2.20.1 + diff --git a/queue-4.14/ceph-check-availability-of-mds-cluster-on-mount-afte.patch b/queue-4.14/ceph-check-availability-of-mds-cluster-on-mount-afte.patch new file mode 100644 index 00000000000..6cfa4c95213 --- /dev/null +++ b/queue-4.14/ceph-check-availability-of-mds-cluster-on-mount-afte.patch @@ -0,0 +1,59 @@ +From b57e3f54d9d477d846e30f645495e935fdb1955f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2019 20:29:40 -0500 +Subject: ceph: check availability of mds cluster on mount after wait timeout + +From: Xiubo Li + +[ Upstream commit 97820058fb2831a4b203981fa2566ceaaa396103 ] + +If all the MDS daemons are down for some reason, then the first mount +attempt will fail with EIO after the mount request times out. A mount +attempt will also fail with EIO if all of the MDS's are laggy. + +This patch changes the code to return -EHOSTUNREACH in these situations +and adds a pr_info error message to help the admin determine the cause. + +URL: https://tracker.ceph.com/issues/4386 +Signed-off-by: Xiubo Li +Reviewed-by: Jeff Layton +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + fs/ceph/mds_client.c | 3 +-- + fs/ceph/super.c | 5 +++++ + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c +index b968334f841e8..f36ddfea4997e 100644 +--- a/fs/ceph/mds_client.c ++++ b/fs/ceph/mds_client.c +@@ -2261,8 +2261,7 @@ static int __do_request(struct ceph_mds_client *mdsc, + if (!(mdsc->fsc->mount_options->flags & + CEPH_MOUNT_OPT_MOUNTWAIT) && + !ceph_mdsmap_is_cluster_available(mdsc->mdsmap)) { +- err = -ENOENT; +- pr_info("probably no mds server is up\n"); ++ err = -EHOSTUNREACH; + goto finish; + } + } +diff --git a/fs/ceph/super.c b/fs/ceph/super.c +index 088c4488b4492..6b10b20bfe32b 100644 +--- a/fs/ceph/super.c ++++ b/fs/ceph/super.c +@@ -1055,6 +1055,11 @@ static struct dentry *ceph_mount(struct file_system_type *fs_type, + return res; + + out_splat: ++ if (!ceph_mdsmap_is_cluster_available(fsc->mdsc->mdsmap)) { ++ pr_info("No mds server is up or the cluster is laggy\n"); ++ err = -EHOSTUNREACH; ++ } ++ + ceph_mdsc_close_sessions(fsc->mdsc); + deactivate_locked_super(sb); + goto out_final; +-- +2.20.1 + diff --git a/queue-4.14/char-random-silence-a-lockdep-splat-with-printk.patch b/queue-4.14/char-random-silence-a-lockdep-splat-with-printk.patch new file mode 100644 index 00000000000..bd9ad01fae9 --- /dev/null +++ b/queue-4.14/char-random-silence-a-lockdep-splat-with-printk.patch @@ -0,0 +1,278 @@ +From acf76b02b1e653583f0a53d3731e39ebcd4c813c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Nov 2019 16:16:25 -0500 +Subject: char/random: silence a lockdep splat with printk() + +From: Sergey Senozhatsky + +[ Upstream commit 1b710b1b10eff9d46666064ea25f079f70bc67a8 ] + +Sergey didn't like the locking order, + +uart_port->lock -> tty_port->lock + +uart_write (uart_port->lock) + __uart_start + pl011_start_tx + pl011_tx_chars + uart_write_wakeup + tty_port_tty_wakeup + tty_port_default + tty_port_tty_get (tty_port->lock) + +but those code is so old, and I have no clue how to de-couple it after +checking other locks in the splat. There is an onging effort to make all +printk() as deferred, so until that happens, workaround it for now as a +short-term fix. + +LTP: starting iogen01 (export LTPROOT; rwtest -N iogen01 -i 120s -s +read,write -Da -Dv -n 2 500b:$TMPDIR/doio.f1.$$ +1000b:$TMPDIR/doio.f2.$$) +WARNING: possible circular locking dependency detected +------------------------------------------------------ +doio/49441 is trying to acquire lock: +ffff008b7cff7290 (&(&zone->lock)->rlock){..-.}, at: rmqueue+0x138/0x2050 + +but task is already holding lock: +60ff000822352818 (&pool->lock/1){-.-.}, at: start_flush_work+0xd8/0x3f0 + + which lock already depends on the new lock. + + the existing dependency chain (in reverse order) is: + + -> #4 (&pool->lock/1){-.-.}: + lock_acquire+0x320/0x360 + _raw_spin_lock+0x64/0x80 + __queue_work+0x4b4/0xa10 + queue_work_on+0xac/0x11c + tty_schedule_flip+0x84/0xbc + tty_flip_buffer_push+0x1c/0x28 + pty_write+0x98/0xd0 + n_tty_write+0x450/0x60c + tty_write+0x338/0x474 + __vfs_write+0x88/0x214 + vfs_write+0x12c/0x1a4 + redirected_tty_write+0x90/0xdc + do_loop_readv_writev+0x140/0x180 + do_iter_write+0xe0/0x10c + vfs_writev+0x134/0x1cc + do_writev+0xbc/0x130 + __arm64_sys_writev+0x58/0x8c + el0_svc_handler+0x170/0x240 + el0_sync_handler+0x150/0x250 + el0_sync+0x164/0x180 + + -> #3 (&(&port->lock)->rlock){-.-.}: + lock_acquire+0x320/0x360 + _raw_spin_lock_irqsave+0x7c/0x9c + tty_port_tty_get+0x24/0x60 + tty_port_default_wakeup+0x1c/0x3c + tty_port_tty_wakeup+0x34/0x40 + uart_write_wakeup+0x28/0x44 + pl011_tx_chars+0x1b8/0x270 + pl011_start_tx+0x24/0x70 + __uart_start+0x5c/0x68 + uart_write+0x164/0x1c8 + do_output_char+0x33c/0x348 + n_tty_write+0x4bc/0x60c + tty_write+0x338/0x474 + redirected_tty_write+0xc0/0xdc + do_loop_readv_writev+0x140/0x180 + do_iter_write+0xe0/0x10c + vfs_writev+0x134/0x1cc + do_writev+0xbc/0x130 + __arm64_sys_writev+0x58/0x8c + el0_svc_handler+0x170/0x240 + el0_sync_handler+0x150/0x250 + el0_sync+0x164/0x180 + + -> #2 (&port_lock_key){-.-.}: + lock_acquire+0x320/0x360 + _raw_spin_lock+0x64/0x80 + pl011_console_write+0xec/0x2cc + console_unlock+0x794/0x96c + vprintk_emit+0x260/0x31c + vprintk_default+0x54/0x7c + vprintk_func+0x218/0x254 + printk+0x7c/0xa4 + register_console+0x734/0x7b0 + uart_add_one_port+0x734/0x834 + pl011_register_port+0x6c/0xac + sbsa_uart_probe+0x234/0x2ec + platform_drv_probe+0xd4/0x124 + really_probe+0x250/0x71c + driver_probe_device+0xb4/0x200 + __device_attach_driver+0xd8/0x188 + bus_for_each_drv+0xbc/0x110 + __device_attach+0x120/0x220 + device_initial_probe+0x20/0x2c + bus_probe_device+0x54/0x100 + device_add+0xae8/0xc2c + platform_device_add+0x278/0x3b8 + platform_device_register_full+0x238/0x2ac + acpi_create_platform_device+0x2dc/0x3a8 + acpi_bus_attach+0x390/0x3cc + acpi_bus_attach+0x108/0x3cc + acpi_bus_attach+0x108/0x3cc + acpi_bus_attach+0x108/0x3cc + acpi_bus_scan+0x7c/0xb0 + acpi_scan_init+0xe4/0x304 + acpi_init+0x100/0x114 + do_one_initcall+0x348/0x6a0 + do_initcall_level+0x190/0x1fc + do_basic_setup+0x34/0x4c + kernel_init_freeable+0x19c/0x260 + kernel_init+0x18/0x338 + ret_from_fork+0x10/0x18 + + -> #1 (console_owner){-...}: + lock_acquire+0x320/0x360 + console_lock_spinning_enable+0x6c/0x7c + console_unlock+0x4f8/0x96c + vprintk_emit+0x260/0x31c + vprintk_default+0x54/0x7c + vprintk_func+0x218/0x254 + printk+0x7c/0xa4 + get_random_u64+0x1c4/0x1dc + shuffle_pick_tail+0x40/0xac + __free_one_page+0x424/0x710 + free_one_page+0x70/0x120 + __free_pages_ok+0x61c/0xa94 + __free_pages_core+0x1bc/0x294 + memblock_free_pages+0x38/0x48 + __free_pages_memory+0xcc/0xfc + __free_memory_core+0x70/0x78 + free_low_memory_core_early+0x148/0x18c + memblock_free_all+0x18/0x54 + mem_init+0xb4/0x17c + mm_init+0x14/0x38 + start_kernel+0x19c/0x530 + + -> #0 (&(&zone->lock)->rlock){..-.}: + validate_chain+0xf6c/0x2e2c + __lock_acquire+0x868/0xc2c + lock_acquire+0x320/0x360 + _raw_spin_lock+0x64/0x80 + rmqueue+0x138/0x2050 + get_page_from_freelist+0x474/0x688 + __alloc_pages_nodemask+0x3b4/0x18dc + alloc_pages_current+0xd0/0xe0 + alloc_slab_page+0x2b4/0x5e0 + new_slab+0xc8/0x6bc + ___slab_alloc+0x3b8/0x640 + kmem_cache_alloc+0x4b4/0x588 + __debug_object_init+0x778/0x8b4 + debug_object_init_on_stack+0x40/0x50 + start_flush_work+0x16c/0x3f0 + __flush_work+0xb8/0x124 + flush_work+0x20/0x30 + xlog_cil_force_lsn+0x88/0x204 [xfs] + xfs_log_force_lsn+0x128/0x1b8 [xfs] + xfs_file_fsync+0x3c4/0x488 [xfs] + vfs_fsync_range+0xb0/0xd0 + generic_write_sync+0x80/0xa0 [xfs] + xfs_file_buffered_aio_write+0x66c/0x6e4 [xfs] + xfs_file_write_iter+0x1a0/0x218 [xfs] + __vfs_write+0x1cc/0x214 + vfs_write+0x12c/0x1a4 + ksys_write+0xb0/0x120 + __arm64_sys_write+0x54/0x88 + el0_svc_handler+0x170/0x240 + el0_sync_handler+0x150/0x250 + el0_sync+0x164/0x180 + + other info that might help us debug this: + + Chain exists of: + &(&zone->lock)->rlock --> &(&port->lock)->rlock --> &pool->lock/1 + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(&pool->lock/1); + lock(&(&port->lock)->rlock); + lock(&pool->lock/1); + lock(&(&zone->lock)->rlock); + + *** DEADLOCK *** + +4 locks held by doio/49441: + #0: a0ff00886fc27408 (sb_writers#8){.+.+}, at: vfs_write+0x118/0x1a4 + #1: 8fff00080810dfe0 (&xfs_nondir_ilock_class){++++}, at: +xfs_ilock+0x2a8/0x300 [xfs] + #2: ffff9000129f2390 (rcu_read_lock){....}, at: +rcu_lock_acquire+0x8/0x38 + #3: 60ff000822352818 (&pool->lock/1){-.-.}, at: +start_flush_work+0xd8/0x3f0 + + stack backtrace: +CPU: 48 PID: 49441 Comm: doio Tainted: G W +Hardware name: HPE Apollo 70 /C01_APACHE_MB , BIOS +L50_5.13_1.11 06/18/2019 +Call trace: + dump_backtrace+0x0/0x248 + show_stack+0x20/0x2c + dump_stack+0xe8/0x150 + print_circular_bug+0x368/0x380 + check_noncircular+0x28c/0x294 + validate_chain+0xf6c/0x2e2c + __lock_acquire+0x868/0xc2c + lock_acquire+0x320/0x360 + _raw_spin_lock+0x64/0x80 + rmqueue+0x138/0x2050 + get_page_from_freelist+0x474/0x688 + __alloc_pages_nodemask+0x3b4/0x18dc + alloc_pages_current+0xd0/0xe0 + alloc_slab_page+0x2b4/0x5e0 + new_slab+0xc8/0x6bc + ___slab_alloc+0x3b8/0x640 + kmem_cache_alloc+0x4b4/0x588 + __debug_object_init+0x778/0x8b4 + debug_object_init_on_stack+0x40/0x50 + start_flush_work+0x16c/0x3f0 + __flush_work+0xb8/0x124 + flush_work+0x20/0x30 + xlog_cil_force_lsn+0x88/0x204 [xfs] + xfs_log_force_lsn+0x128/0x1b8 [xfs] + xfs_file_fsync+0x3c4/0x488 [xfs] + vfs_fsync_range+0xb0/0xd0 + generic_write_sync+0x80/0xa0 [xfs] + xfs_file_buffered_aio_write+0x66c/0x6e4 [xfs] + xfs_file_write_iter+0x1a0/0x218 [xfs] + __vfs_write+0x1cc/0x214 + vfs_write+0x12c/0x1a4 + ksys_write+0xb0/0x120 + __arm64_sys_write+0x54/0x88 + el0_svc_handler+0x170/0x240 + el0_sync_handler+0x150/0x250 + el0_sync+0x164/0x180 + +Reviewed-by: Sergey Senozhatsky +Signed-off-by: Qian Cai +Link: https://lore.kernel.org/r/1573679785-21068-1-git-send-email-cai@lca.pw +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + drivers/char/random.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/char/random.c b/drivers/char/random.c +index e6efa07e9f9ea..50d5846acf48a 100644 +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -1598,8 +1598,9 @@ static void _warn_unseeded_randomness(const char *func_name, void *caller, + print_once = true; + #endif + if (__ratelimit(&unseeded_warning)) +- pr_notice("random: %s called from %pS with crng_init=%d\n", +- func_name, caller, crng_init); ++ printk_deferred(KERN_NOTICE "random: %s called from %pS " ++ "with crng_init=%d\n", func_name, caller, ++ crng_init); + } + + /* +-- +2.20.1 + diff --git a/queue-4.14/cifs-fix-null-dereference-in-match_prepath.patch b/queue-4.14/cifs-fix-null-dereference-in-match_prepath.patch new file mode 100644 index 00000000000..192103517a8 --- /dev/null +++ b/queue-4.14/cifs-fix-null-dereference-in-match_prepath.patch @@ -0,0 +1,43 @@ +From 6c07287817e01bb525ab2a3e6fe67d55f67ea6d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Jan 2020 11:07:56 +1000 +Subject: cifs: fix NULL dereference in match_prepath + +From: Ronnie Sahlberg + +[ Upstream commit fe1292686333d1dadaf84091f585ee903b9ddb84 ] + +RHBZ: 1760879 + +Fix an oops in match_prepath() by making sure that the prepath string is not +NULL before we pass it into strcmp(). + +This is similar to other checks we make for example in cifs_root_iget() + +Signed-off-by: Ronnie Sahlberg +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/connect.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c +index f0b1279a7de66..6e5ecf70996a0 100644 +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -3047,8 +3047,10 @@ match_prepath(struct super_block *sb, struct cifs_mnt_data *mnt_data) + { + struct cifs_sb_info *old = CIFS_SB(sb); + struct cifs_sb_info *new = mnt_data->cifs_sb; +- bool old_set = old->mnt_cifs_flags & CIFS_MOUNT_USE_PREFIX_PATH; +- bool new_set = new->mnt_cifs_flags & CIFS_MOUNT_USE_PREFIX_PATH; ++ bool old_set = (old->mnt_cifs_flags & CIFS_MOUNT_USE_PREFIX_PATH) && ++ old->prepath; ++ bool new_set = (new->mnt_cifs_flags & CIFS_MOUNT_USE_PREFIX_PATH) && ++ new->prepath; + + if (old_set && new_set && !strcmp(new->prepath, old->prepath)) + return 1; +-- +2.20.1 + diff --git a/queue-4.14/clk-qcom-rcg2-don-t-crash-if-our-parent-can-t-be-fou.patch b/queue-4.14/clk-qcom-rcg2-don-t-crash-if-our-parent-can-t-be-fou.patch new file mode 100644 index 00000000000..57a21f8b7dc --- /dev/null +++ b/queue-4.14/clk-qcom-rcg2-don-t-crash-if-our-parent-can-t-be-fou.patch @@ -0,0 +1,71 @@ +From b67e0fefda8301dc3edb11d10c424ffef43841e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Feb 2020 10:31:34 -0800 +Subject: clk: qcom: rcg2: Don't crash if our parent can't be found; return an + error + +From: Douglas Anderson + +[ Upstream commit 908b050114d8fefdddc57ec9fbc213c3690e7f5f ] + +When I got my clock parenting slightly wrong I ended up with a crash +that looked like this: + + Unable to handle kernel NULL pointer dereference at virtual + address 0000000000000000 + ... + pc : clk_hw_get_rate+0x14/0x44 + ... + Call trace: + clk_hw_get_rate+0x14/0x44 + _freq_tbl_determine_rate+0x94/0xfc + clk_rcg2_determine_rate+0x2c/0x38 + clk_core_determine_round_nolock+0x4c/0x88 + clk_core_round_rate_nolock+0x6c/0xa8 + clk_core_round_rate_nolock+0x9c/0xa8 + clk_core_set_rate_nolock+0x70/0x180 + clk_set_rate+0x3c/0x6c + of_clk_set_defaults+0x254/0x360 + platform_drv_probe+0x28/0xb0 + really_probe+0x120/0x2dc + driver_probe_device+0x64/0xfc + device_driver_attach+0x4c/0x6c + __driver_attach+0xac/0xc0 + bus_for_each_dev+0x84/0xcc + driver_attach+0x2c/0x38 + bus_add_driver+0xfc/0x1d0 + driver_register+0x64/0xf8 + __platform_driver_register+0x4c/0x58 + msm_drm_register+0x5c/0x60 + ... + +It turned out that clk_hw_get_parent_by_index() was returning NULL and +we weren't checking. Let's check it so that we don't crash. + +Fixes: ac269395cdd8 ("clk: qcom: Convert to clk_hw based provider APIs") +Signed-off-by: Douglas Anderson +Reviewed-by: Matthias Kaehlcke +Link: https://lkml.kernel.org/r/20200203103049.v4.1.I7487325fe8e701a68a07d3be8a6a4b571eca9cfa@changeid +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/clk-rcg2.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/clk/qcom/clk-rcg2.c b/drivers/clk/qcom/clk-rcg2.c +index a93439242565d..d3953ea69fda4 100644 +--- a/drivers/clk/qcom/clk-rcg2.c ++++ b/drivers/clk/qcom/clk-rcg2.c +@@ -210,6 +210,9 @@ static int _freq_tbl_determine_rate(struct clk_hw *hw, const struct freq_tbl *f, + + clk_flags = clk_hw_get_flags(hw); + p = clk_hw_get_parent_by_index(hw, index); ++ if (!p) ++ return -EINVAL; ++ + if (clk_flags & CLK_SET_RATE_PARENT) { + if (f->pre_div) { + if (!rate) +-- +2.20.1 + diff --git a/queue-4.14/clk-sunxi-ng-add-mux-and-pll-notifiers-for-a64-cpu-c.patch b/queue-4.14/clk-sunxi-ng-add-mux-and-pll-notifiers-for-a64-cpu-c.patch new file mode 100644 index 00000000000..40b4118039c --- /dev/null +++ b/queue-4.14/clk-sunxi-ng-add-mux-and-pll-notifiers-for-a64-cpu-c.patch @@ -0,0 +1,79 @@ +From 75ca52f83889eadca0e85680ca2447cbc414d1c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jan 2020 22:35:03 -0800 +Subject: clk: sunxi-ng: add mux and pll notifiers for A64 CPU clock + +From: Icenowy Zheng + +[ Upstream commit ec97faff743b398e21f74a54c81333f3390093aa ] + +The A64 PLL_CPU clock has the same instability if some factor changed +without the PLL gated like other SoCs with sun6i-style CCU, e.g. A33, +H3. + +Add the mux and pll notifiers for A64 CPU clock to workaround the +problem. + +Fixes: c6a0637460c2 ("clk: sunxi-ng: Add A64 clocks") +Signed-off-by: Icenowy Zheng +Signed-off-by: Vasily Khoruzhick +Signed-off-by: Maxime Ripard +Signed-off-by: Sasha Levin +--- + drivers/clk/sunxi-ng/ccu-sun50i-a64.c | 28 ++++++++++++++++++++++++++- + 1 file changed, 27 insertions(+), 1 deletion(-) + +diff --git a/drivers/clk/sunxi-ng/ccu-sun50i-a64.c b/drivers/clk/sunxi-ng/ccu-sun50i-a64.c +index eaafc038368f5..183985c8c9bab 100644 +--- a/drivers/clk/sunxi-ng/ccu-sun50i-a64.c ++++ b/drivers/clk/sunxi-ng/ccu-sun50i-a64.c +@@ -884,11 +884,26 @@ static const struct sunxi_ccu_desc sun50i_a64_ccu_desc = { + .num_resets = ARRAY_SIZE(sun50i_a64_ccu_resets), + }; + ++static struct ccu_pll_nb sun50i_a64_pll_cpu_nb = { ++ .common = &pll_cpux_clk.common, ++ /* copy from pll_cpux_clk */ ++ .enable = BIT(31), ++ .lock = BIT(28), ++}; ++ ++static struct ccu_mux_nb sun50i_a64_cpu_nb = { ++ .common = &cpux_clk.common, ++ .cm = &cpux_clk.mux, ++ .delay_us = 1, /* > 8 clock cycles at 24 MHz */ ++ .bypass_index = 1, /* index of 24 MHz oscillator */ ++}; ++ + static int sun50i_a64_ccu_probe(struct platform_device *pdev) + { + struct resource *res; + void __iomem *reg; + u32 val; ++ int ret; + + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + reg = devm_ioremap_resource(&pdev->dev, res); +@@ -902,7 +917,18 @@ static int sun50i_a64_ccu_probe(struct platform_device *pdev) + + writel(0x515, reg + SUN50I_A64_PLL_MIPI_REG); + +- return sunxi_ccu_probe(pdev->dev.of_node, reg, &sun50i_a64_ccu_desc); ++ ret = sunxi_ccu_probe(pdev->dev.of_node, reg, &sun50i_a64_ccu_desc); ++ if (ret) ++ return ret; ++ ++ /* Gate then ungate PLL CPU after any rate changes */ ++ ccu_pll_notifier_register(&sun50i_a64_pll_cpu_nb); ++ ++ /* Reparent CPU during PLL CPU rate changes */ ++ ccu_mux_notifier_register(pll_cpux_clk.common.hw.clk, ++ &sun50i_a64_cpu_nb); ++ ++ return 0; + } + + static const struct of_device_id sun50i_a64_ccu_ids[] = { +-- +2.20.1 + diff --git a/queue-4.14/clocksource-drivers-bcm2835_timer-fix-memory-leak-of.patch b/queue-4.14/clocksource-drivers-bcm2835_timer-fix-memory-leak-of.patch new file mode 100644 index 00000000000..b07074a376b --- /dev/null +++ b/queue-4.14/clocksource-drivers-bcm2835_timer-fix-memory-leak-of.patch @@ -0,0 +1,51 @@ +From 00e75057ab009bc36e2dd7f2fbf131b3aac5e360 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Dec 2019 21:32:46 +0000 +Subject: clocksource/drivers/bcm2835_timer: Fix memory leak of timer + +From: Colin Ian King + +[ Upstream commit 2052d032c06761330bca4944bb7858b00960e868 ] + +Currently when setup_irq fails the error exit path will leak the +recently allocated timer structure. Originally the code would +throw a panic but a later commit changed the behaviour to return +via the err_iounmap path and hence we now have a memory leak. Fix +this by adding a err_timer_free error path that kfree's timer. + +Addresses-Coverity: ("Resource Leak") +Fixes: 524a7f08983d ("clocksource/drivers/bcm2835_timer: Convert init function to return error") +Signed-off-by: Colin Ian King +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20191219213246.34437-1-colin.king@canonical.com +Signed-off-by: Sasha Levin +--- + drivers/clocksource/bcm2835_timer.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/clocksource/bcm2835_timer.c b/drivers/clocksource/bcm2835_timer.c +index 39e489a96ad74..8894cfc32be06 100644 +--- a/drivers/clocksource/bcm2835_timer.c ++++ b/drivers/clocksource/bcm2835_timer.c +@@ -134,7 +134,7 @@ static int __init bcm2835_timer_init(struct device_node *node) + ret = setup_irq(irq, &timer->act); + if (ret) { + pr_err("Can't set up timer IRQ\n"); +- goto err_iounmap; ++ goto err_timer_free; + } + + clockevents_config_and_register(&timer->evt, freq, 0xf, 0xffffffff); +@@ -143,6 +143,9 @@ static int __init bcm2835_timer_init(struct device_node *node) + + return 0; + ++err_timer_free: ++ kfree(timer); ++ + err_iounmap: + iounmap(base); + return ret; +-- +2.20.1 + diff --git a/queue-4.14/cmd64x-potential-buffer-overflow-in-cmd64x_program_t.patch b/queue-4.14/cmd64x-potential-buffer-overflow-in-cmd64x_program_t.patch new file mode 100644 index 00000000000..d4d9dc5f004 --- /dev/null +++ b/queue-4.14/cmd64x-potential-buffer-overflow-in-cmd64x_program_t.patch @@ -0,0 +1,36 @@ +From 3cee4523282bae295174b71c50a0687d7628e5de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jan 2020 16:04:41 +0300 +Subject: cmd64x: potential buffer overflow in cmd64x_program_timings() + +From: Dan Carpenter + +[ Upstream commit 117fcc3053606d8db5cef8821dca15022ae578bb ] + +The "drive->dn" value is a u8 and it is controlled by root only, but +it could be out of bounds here so let's check. + +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/ide/cmd64x.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/ide/cmd64x.c b/drivers/ide/cmd64x.c +index b127ed60c7336..9dde8390da09b 100644 +--- a/drivers/ide/cmd64x.c ++++ b/drivers/ide/cmd64x.c +@@ -65,6 +65,9 @@ static void cmd64x_program_timings(ide_drive_t *drive, u8 mode) + struct ide_timing t; + u8 arttim = 0; + ++ if (drive->dn >= ARRAY_SIZE(drwtim_regs)) ++ return; ++ + ide_timing_compute(drive, mode, &t, T, 0); + + /* +-- +2.20.1 + diff --git a/queue-4.14/cpu-hotplug-stop_machine-fix-stop_machine-vs-hotplug.patch b/queue-4.14/cpu-hotplug-stop_machine-fix-stop_machine-vs-hotplug.patch new file mode 100644 index 00000000000..6a025a81103 --- /dev/null +++ b/queue-4.14/cpu-hotplug-stop_machine-fix-stop_machine-vs-hotplug.patch @@ -0,0 +1,91 @@ +From 86a175f283314586f091de35be62fc622f7b292f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2019 09:34:54 +0100 +Subject: cpu/hotplug, stop_machine: Fix stop_machine vs hotplug order + +From: Peter Zijlstra + +[ Upstream commit 45178ac0cea853fe0e405bf11e101bdebea57b15 ] + +Paul reported a very sporadic, rcutorture induced, workqueue failure. +When the planets align, the workqueue rescuer's self-migrate fails and +then triggers a WARN for running a work on the wrong CPU. + +Tejun then figured that set_cpus_allowed_ptr()'s stop_one_cpu() call +could be ignored! When stopper->enabled is false, stop_machine will +insta complete the work, without actually doing the work. Worse, it +will not WARN about this (we really should fix this). + +It turns out there is a small window where a freshly online'ed CPU is +marked 'online' but doesn't yet have the stopper task running: + + BP AP + + bringup_cpu() + __cpu_up(cpu, idle) --> start_secondary() + ... + cpu_startup_entry() + bringup_wait_for_ap() + wait_for_ap_thread() <-- cpuhp_online_idle() + while (1) + do_idle() + + ... available to run kthreads ... + + stop_machine_unpark() + stopper->enable = true; + +Close this by moving the stop_machine_unpark() into +cpuhp_online_idle(), such that the stopper thread is ready before we +start the idle loop and schedule. + +Reported-by: "Paul E. McKenney" +Debugged-by: Tejun Heo +Signed-off-by: Peter Zijlstra (Intel) +Tested-by: "Paul E. McKenney" +Signed-off-by: Sasha Levin +--- + kernel/cpu.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/kernel/cpu.c b/kernel/cpu.c +index 49273130e4f1e..96c0a868232ef 100644 +--- a/kernel/cpu.c ++++ b/kernel/cpu.c +@@ -494,8 +494,7 @@ static int bringup_wait_for_ap(unsigned int cpu) + if (WARN_ON_ONCE((!cpu_online(cpu)))) + return -ECANCELED; + +- /* Unpark the stopper thread and the hotplug thread of the target cpu */ +- stop_machine_unpark(cpu); ++ /* Unpark the hotplug thread of the target cpu */ + kthread_unpark(st->thread); + + /* +@@ -1064,8 +1063,8 @@ void notify_cpu_starting(unsigned int cpu) + + /* + * Called from the idle task. Wake up the controlling task which brings the +- * stopper and the hotplug thread of the upcoming CPU up and then delegates +- * the rest of the online bringup to the hotplug thread. ++ * hotplug thread of the upcoming CPU up and then delegates the rest of the ++ * online bringup to the hotplug thread. + */ + void cpuhp_online_idle(enum cpuhp_state state) + { +@@ -1075,6 +1074,12 @@ void cpuhp_online_idle(enum cpuhp_state state) + if (state != CPUHP_AP_ONLINE_IDLE) + return; + ++ /* ++ * Unpart the stopper thread before we start the idle loop (and start ++ * scheduling); this ensures the stopper task is always available. ++ */ ++ stop_machine_unpark(smp_processor_id()); ++ + st->state = CPUHP_AP_ONLINE_IDLE; + complete_ap_thread(st, true); + } +-- +2.20.1 + diff --git a/queue-4.14/dmaengine-store-module-owner-in-dma_device-struct.patch b/queue-4.14/dmaengine-store-module-owner-in-dma_device-struct.patch new file mode 100644 index 00000000000..3e2fd2643cc --- /dev/null +++ b/queue-4.14/dmaengine-store-module-owner-in-dma_device-struct.patch @@ -0,0 +1,80 @@ +From e1c2ac35d579a1bb7bea7564771932408f4350aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Dec 2019 12:01:16 -0700 +Subject: dmaengine: Store module owner in dma_device struct + +From: Logan Gunthorpe + +[ Upstream commit dae7a589c18a4d979d5f14b09374e871b995ceb1 ] + +dma_chan_to_owner() dereferences the driver from the struct device to +obtain the owner and call module_[get|put](). However, if the backing +device is unbound before the dma_device is unregistered, the driver +will be cleared and this will cause a NULL pointer dereference. + +Instead, store a pointer to the owner module in the dma_device struct +so the module reference can be properly put when the channel is put, even +if the backing device was destroyed first. + +This change helps to support a safer unbind of DMA engines. +If the dma_device is unregistered in the driver's remove function, +there's no guarantee that there are no existing clients and a users +action may trigger the WARN_ONCE in dma_async_device_unregister() +which is unlikely to leave the system in a consistent state. +Instead, a better approach is to allow the backing driver to go away +and fail any subsequent requests to it. + +Signed-off-by: Logan Gunthorpe +Link: https://lore.kernel.org/r/20191216190120.21374-2-logang@deltatee.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/dmaengine.c | 4 +++- + include/linux/dmaengine.h | 2 ++ + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/dma/dmaengine.c b/drivers/dma/dmaengine.c +index b451354735d3d..faaaf10311ec0 100644 +--- a/drivers/dma/dmaengine.c ++++ b/drivers/dma/dmaengine.c +@@ -192,7 +192,7 @@ __dma_device_satisfies_mask(struct dma_device *device, + + static struct module *dma_chan_to_owner(struct dma_chan *chan) + { +- return chan->device->dev->driver->owner; ++ return chan->device->owner; + } + + /** +@@ -928,6 +928,8 @@ int dma_async_device_register(struct dma_device *device) + return -EIO; + } + ++ device->owner = device->dev->driver->owner; ++ + if (dma_has_cap(DMA_MEMCPY, device->cap_mask) && !device->device_prep_dma_memcpy) { + dev_err(device->dev, + "Device claims capability %s, but op is not defined\n", +diff --git a/include/linux/dmaengine.h b/include/linux/dmaengine.h +index 087cbe7768680..8089e28539f16 100644 +--- a/include/linux/dmaengine.h ++++ b/include/linux/dmaengine.h +@@ -677,6 +677,7 @@ struct dma_filter { + * @fill_align: alignment shift for memset operations + * @dev_id: unique device ID + * @dev: struct device reference for dma mapping api ++ * @owner: owner module (automatically set based on the provided dev) + * @src_addr_widths: bit mask of src addr widths the device supports + * @dst_addr_widths: bit mask of dst addr widths the device supports + * @directions: bit mask of slave direction the device supports since +@@ -738,6 +739,7 @@ struct dma_device { + + int dev_id; + struct device *dev; ++ struct module *owner; + + u32 src_addr_widths; + u32 dst_addr_widths; +-- +2.20.1 + diff --git a/queue-4.14/driver-core-platform-fix-u32-greater-or-equal-to-zer.patch b/queue-4.14/driver-core-platform-fix-u32-greater-or-equal-to-zer.patch new file mode 100644 index 00000000000..4a3da2ea97d --- /dev/null +++ b/queue-4.14/driver-core-platform-fix-u32-greater-or-equal-to-zer.patch @@ -0,0 +1,41 @@ +From f96d4ead1e6f0407c5491029ae7916c640a0f423 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jan 2020 17:57:58 +0000 +Subject: driver core: platform: fix u32 greater or equal to zero comparison + +From: Colin Ian King + +[ Upstream commit 0707cfa5c3ef58effb143db9db6d6e20503f9dec ] + +Currently the check that a u32 variable i is >= 0 is always true because +the unsigned variable will never be negative, causing the loop to run +forever. Fix this by changing the pre-decrement check to a zero check on +i followed by a decrement of i. + +Addresses-Coverity: ("Unsigned compared against 0") +Fixes: 39cc539f90d0 ("driver core: platform: Prevent resouce overflow from causing infinite loops") +Signed-off-by: Colin Ian King +Reviewed-by: Rafael J. Wysocki +Link: https://lore.kernel.org/r/20200116175758.88396-1-colin.king@canonical.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/base/platform.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/base/platform.c b/drivers/base/platform.c +index e3d40c41c33b0..bcb6519fe2113 100644 +--- a/drivers/base/platform.c ++++ b/drivers/base/platform.c +@@ -428,7 +428,7 @@ int platform_device_add(struct platform_device *pdev) + pdev->id = PLATFORM_DEVID_AUTO; + } + +- while (--i >= 0) { ++ while (i--) { + struct resource *r = &pdev->resource[i]; + if (r->parent) + release_resource(r); +-- +2.20.1 + diff --git a/queue-4.14/driver-core-platform-prevent-resouce-overflow-from-c.patch b/queue-4.14/driver-core-platform-prevent-resouce-overflow-from-c.patch new file mode 100644 index 00000000000..307b96f79d1 --- /dev/null +++ b/queue-4.14/driver-core-platform-prevent-resouce-overflow-from-c.patch @@ -0,0 +1,75 @@ +From 5d4aa65020abafd62a4f0f3aa743a14ae6956b40 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2019 17:41:37 -0500 +Subject: driver core: platform: Prevent resouce overflow from causing infinite + loops + +From: Simon Schwartz + +[ Upstream commit 39cc539f90d035a293240c9443af50be55ee81b8 ] + +num_resources in the platform_device struct is declared as a u32. The +for loops that iterate over num_resources use an int as the counter, +which can cause infinite loops on architectures with smaller ints. +Change the loop counters to u32. + +Signed-off-by: Simon Schwartz +Link: https://lore.kernel.org/r/2201ce63a2a171ffd2ed14e867875316efcf71db.camel@theschwartz.xyz +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/base/platform.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/base/platform.c b/drivers/base/platform.c +index f1105de0d9fed..e3d40c41c33b0 100644 +--- a/drivers/base/platform.c ++++ b/drivers/base/platform.c +@@ -28,6 +28,7 @@ + #include + #include + #include ++#include + + #include "base.h" + #include "power/power.h" +@@ -68,7 +69,7 @@ void __weak arch_setup_pdev_archdata(struct platform_device *pdev) + struct resource *platform_get_resource(struct platform_device *dev, + unsigned int type, unsigned int num) + { +- int i; ++ u32 i; + + for (i = 0; i < dev->num_resources; i++) { + struct resource *r = &dev->resource[i]; +@@ -163,7 +164,7 @@ struct resource *platform_get_resource_byname(struct platform_device *dev, + unsigned int type, + const char *name) + { +- int i; ++ u32 i; + + for (i = 0; i < dev->num_resources; i++) { + struct resource *r = &dev->resource[i]; +@@ -360,7 +361,8 @@ EXPORT_SYMBOL_GPL(platform_device_add_properties); + */ + int platform_device_add(struct platform_device *pdev) + { +- int i, ret; ++ u32 i; ++ int ret; + + if (!pdev) + return -EINVAL; +@@ -447,7 +449,7 @@ EXPORT_SYMBOL_GPL(platform_device_add); + */ + void platform_device_del(struct platform_device *pdev) + { +- int i; ++ u32 i; + + if (pdev) { + device_remove_properties(&pdev->dev); +-- +2.20.1 + diff --git a/queue-4.14/driver-core-print-device-when-resources-present-in-r.patch b/queue-4.14/driver-core-print-device-when-resources-present-in-r.patch new file mode 100644 index 00000000000..456591c339e --- /dev/null +++ b/queue-4.14/driver-core-print-device-when-resources-present-in-r.patch @@ -0,0 +1,45 @@ +From cd356683325e5c6319a669ccfffe371a8b5e4edf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2019 14:22:19 +0100 +Subject: driver core: Print device when resources present in really_probe() + +From: Geert Uytterhoeven + +[ Upstream commit 7c35e699c88bd60734277b26962783c60e04b494 ] + +If a device already has devres items attached before probing, a warning +backtrace is printed. However, this backtrace does not reveal the +offending device, leaving the user uninformed. Furthermore, using +WARN_ON() causes systems with panic-on-warn to reboot. + +Fix this by replacing the WARN_ON() by a dev_crit() message. +Abort probing the device, to prevent doing more damage to the device's +resources. + +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20191206132219.28908-1-geert+renesas@glider.be +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/base/dd.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/base/dd.c b/drivers/base/dd.c +index 536c9ac3b8489..aa1a2d32360f9 100644 +--- a/drivers/base/dd.c ++++ b/drivers/base/dd.c +@@ -375,7 +375,10 @@ static int really_probe(struct device *dev, struct device_driver *drv) + atomic_inc(&probe_count); + pr_debug("bus: '%s': %s: probing driver %s with device %s\n", + drv->bus->name, __func__, drv->name, dev_name(dev)); +- WARN_ON(!list_empty(&dev->devres_head)); ++ if (!list_empty(&dev->devres_head)) { ++ dev_crit(dev, "Resources present before probing\n"); ++ return -EBUSY; ++ } + + re_probe: + dev->driver = drv; +-- +2.20.1 + diff --git a/queue-4.14/drm-amdgpu-remove-4-set-but-not-used-variable-in-amd.patch b/queue-4.14/drm-amdgpu-remove-4-set-but-not-used-variable-in-amd.patch new file mode 100644 index 00000000000..b5e2419ac42 --- /dev/null +++ b/queue-4.14/drm-amdgpu-remove-4-set-but-not-used-variable-in-amd.patch @@ -0,0 +1,75 @@ +From 677c6b031429950337a61613033373055450bd29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Nov 2019 21:27:20 +0800 +Subject: drm/amdgpu: remove 4 set but not used variable in + amdgpu_atombios_get_connector_info_from_object_table + +From: yu kuai + +[ Upstream commit bae028e3e521e8cb8caf2cc16a455ce4c55f2332 ] + +Fixes gcc '-Wunused-but-set-variable' warning: + +drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c: In function +'amdgpu_atombios_get_connector_info_from_object_table': +drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c:376:26: warning: variable +'grph_obj_num' set but not used [-Wunused-but-set-variable] +drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c:376:13: warning: variable +'grph_obj_id' set but not used [-Wunused-but-set-variable] +drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c:341:37: warning: variable +'con_obj_type' set but not used [-Wunused-but-set-variable] +drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c:341:24: warning: variable +'con_obj_num' set but not used [-Wunused-but-set-variable] + +They are never used, so can be removed. + +Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)") +Signed-off-by: yu kuai +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c | 19 ++----------------- + 1 file changed, 2 insertions(+), 17 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c +index cc4e18dcd8b6f..4779740421a88 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c +@@ -336,17 +336,9 @@ bool amdgpu_atombios_get_connector_info_from_object_table(struct amdgpu_device * + path_size += le16_to_cpu(path->usSize); + + if (device_support & le16_to_cpu(path->usDeviceTag)) { +- uint8_t con_obj_id, con_obj_num, con_obj_type; +- +- con_obj_id = ++ uint8_t con_obj_id = + (le16_to_cpu(path->usConnObjectId) & OBJECT_ID_MASK) + >> OBJECT_ID_SHIFT; +- con_obj_num = +- (le16_to_cpu(path->usConnObjectId) & ENUM_ID_MASK) +- >> ENUM_ID_SHIFT; +- con_obj_type = +- (le16_to_cpu(path->usConnObjectId) & +- OBJECT_TYPE_MASK) >> OBJECT_TYPE_SHIFT; + + /* Skip TV/CV support */ + if ((le16_to_cpu(path->usDeviceTag) == +@@ -371,14 +363,7 @@ bool amdgpu_atombios_get_connector_info_from_object_table(struct amdgpu_device * + router.ddc_valid = false; + router.cd_valid = false; + for (j = 0; j < ((le16_to_cpu(path->usSize) - 8) / 2); j++) { +- uint8_t grph_obj_id, grph_obj_num, grph_obj_type; +- +- grph_obj_id = +- (le16_to_cpu(path->usGraphicObjIds[j]) & +- OBJECT_ID_MASK) >> OBJECT_ID_SHIFT; +- grph_obj_num = +- (le16_to_cpu(path->usGraphicObjIds[j]) & +- ENUM_ID_MASK) >> ENUM_ID_SHIFT; ++ uint8_t grph_obj_type= + grph_obj_type = + (le16_to_cpu(path->usGraphicObjIds[j]) & + OBJECT_TYPE_MASK) >> OBJECT_TYPE_SHIFT; +-- +2.20.1 + diff --git a/queue-4.14/drm-gma500-fixup-fbdev-stolen-size-usage-evaluation.patch b/queue-4.14/drm-gma500-fixup-fbdev-stolen-size-usage-evaluation.patch new file mode 100644 index 00000000000..230d76b468f --- /dev/null +++ b/queue-4.14/drm-gma500-fixup-fbdev-stolen-size-usage-evaluation.patch @@ -0,0 +1,61 @@ +From 869c8d9f141d9cf0572dea85ffc40ce7cd48f666 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Nov 2019 16:30:48 +0100 +Subject: drm/gma500: Fixup fbdev stolen size usage evaluation + +From: Paul Kocialkowski + +[ Upstream commit fd1a5e521c3c083bb43ea731aae0f8b95f12b9bd ] + +psbfb_probe performs an evaluation of the required size from the stolen +GTT memory, but gets it wrong in two distinct ways: +- The resulting size must be page-size-aligned; +- The size to allocate is derived from the surface dimensions, not the fb + dimensions. + +When two connectors are connected with different modes, the smallest will +be stored in the fb dimensions, but the size that needs to be allocated must +match the largest (surface) dimensions. This is what is used in the actual +allocation code. + +Fix this by correcting the evaluation to conform to the two points above. +It allows correctly switching to 16bpp when one connector is e.g. 1920x1080 +and the other is 1024x768. + +Signed-off-by: Paul Kocialkowski +Signed-off-by: Patrik Jakobsson +Link: https://patchwork.freedesktop.org/patch/msgid/20191107153048.843881-1-paul.kocialkowski@bootlin.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/gma500/framebuffer.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/gma500/framebuffer.c b/drivers/gpu/drm/gma500/framebuffer.c +index 2570c7f647a63..883fc45870dd9 100644 +--- a/drivers/gpu/drm/gma500/framebuffer.c ++++ b/drivers/gpu/drm/gma500/framebuffer.c +@@ -486,6 +486,7 @@ static int psbfb_probe(struct drm_fb_helper *helper, + container_of(helper, struct psb_fbdev, psb_fb_helper); + struct drm_device *dev = psb_fbdev->psb_fb_helper.dev; + struct drm_psb_private *dev_priv = dev->dev_private; ++ unsigned int fb_size; + int bytespp; + + bytespp = sizes->surface_bpp / 8; +@@ -495,8 +496,11 @@ static int psbfb_probe(struct drm_fb_helper *helper, + /* If the mode will not fit in 32bit then switch to 16bit to get + a console on full resolution. The X mode setting server will + allocate its own 32bit GEM framebuffer */ +- if (ALIGN(sizes->fb_width * bytespp, 64) * sizes->fb_height > +- dev_priv->vram_stolen_size) { ++ fb_size = ALIGN(sizes->surface_width * bytespp, 64) * ++ sizes->surface_height; ++ fb_size = ALIGN(fb_size, PAGE_SIZE); ++ ++ if (fb_size > dev_priv->vram_stolen_size) { + sizes->surface_bpp = 16; + sizes->surface_depth = 16; + } +-- +2.20.1 + diff --git a/queue-4.14/drm-mediatek-handle-events-when-enabling-disabling-c.patch b/queue-4.14/drm-mediatek-handle-events-when-enabling-disabling-c.patch new file mode 100644 index 00000000000..a01612666d7 --- /dev/null +++ b/queue-4.14/drm-mediatek-handle-events-when-enabling-disabling-c.patch @@ -0,0 +1,51 @@ +From 678358e04e698ed91cd46f96550d7c7c6b497da2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2019 13:05:21 +0800 +Subject: drm/mediatek: handle events when enabling/disabling crtc + +From: Bibby Hsieh + +[ Upstream commit 411f5c1eacfebb1f6e40b653d29447cdfe7282aa ] + +The driver currently handles vblank events only when updating planes on +an already enabled CRTC. The atomic update API however allows requesting +an event when enabling or disabling a CRTC. This currently leads to +event objects being leaked in the kernel and to events not being sent +out. Fix it. + +Signed-off-by: Bibby Hsieh +Signed-off-by: CK Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_drm_crtc.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c +index 658b8dd45b834..3ea311d32fa9e 100644 +--- a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c ++++ b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c +@@ -307,6 +307,7 @@ err_pm_runtime_put: + static void mtk_crtc_ddp_hw_fini(struct mtk_drm_crtc *mtk_crtc) + { + struct drm_device *drm = mtk_crtc->base.dev; ++ struct drm_crtc *crtc = &mtk_crtc->base; + int i; + + DRM_DEBUG_DRIVER("%s\n", __func__); +@@ -328,6 +329,13 @@ static void mtk_crtc_ddp_hw_fini(struct mtk_drm_crtc *mtk_crtc) + mtk_disp_mutex_unprepare(mtk_crtc->mutex); + + pm_runtime_put(drm->dev); ++ ++ if (crtc->state->event && !crtc->state->active) { ++ spin_lock_irq(&crtc->dev->event_lock); ++ drm_crtc_send_vblank_event(crtc, crtc->state->event); ++ crtc->state->event = NULL; ++ spin_unlock_irq(&crtc->dev->event_lock); ++ } + } + + static void mtk_crtc_ddp_config(struct drm_crtc *crtc) +-- +2.20.1 + diff --git a/queue-4.14/drm-nouveau-disp-nv50-prevent-oops-when-no-channel-m.patch b/queue-4.14/drm-nouveau-disp-nv50-prevent-oops-when-no-channel-m.patch new file mode 100644 index 00000000000..4c96a1cf89f --- /dev/null +++ b/queue-4.14/drm-nouveau-disp-nv50-prevent-oops-when-no-channel-m.patch @@ -0,0 +1,41 @@ +From fbc6fd51caf90461ef5f1adcf9f781e4ed916db3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Jan 2020 14:39:26 +1000 +Subject: drm/nouveau/disp/nv50-: prevent oops when no channel method map + provided + +From: Ben Skeggs + +[ Upstream commit 0e6176c6d286316e9431b4f695940cfac4ffe6c2 ] + +The implementations for most channel types contains a map of methods to +priv registers in order to provide debugging info when a disp exception +has been raised. + +This info is missing from the implementation of PIO channels as they're +rather simplistic already, however, if an exception is raised by one of +them, we'd end up triggering a NULL-pointer deref. Not ideal... + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=206299 +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nvkm/engine/disp/channv50.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/channv50.c b/drivers/gpu/drm/nouveau/nvkm/engine/disp/channv50.c +index 0c0310498afdb..cd9666583d4bd 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/channv50.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/channv50.c +@@ -73,6 +73,8 @@ nv50_disp_chan_mthd(struct nv50_disp_chan *chan, int debug) + + if (debug > subdev->debug) + return; ++ if (!mthd) ++ return; + + for (i = 0; (list = mthd->data[i].mthd) != NULL; i++) { + u32 base = chan->head * mthd->addr; +-- +2.20.1 + diff --git a/queue-4.14/drm-nouveau-fix-copy-paste-error-in-nouveau_fence_wa.patch b/queue-4.14/drm-nouveau-fix-copy-paste-error-in-nouveau_fence_wa.patch new file mode 100644 index 00000000000..6686ff413bf --- /dev/null +++ b/queue-4.14/drm-nouveau-fix-copy-paste-error-in-nouveau_fence_wa.patch @@ -0,0 +1,37 @@ +From 9282f6d985e898a7a38e5a9336221bcf5b013b61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jan 2020 14:32:01 +0800 +Subject: drm/nouveau: Fix copy-paste error in + nouveau_fence_wait_uevent_handler + +From: YueHaibing + +[ Upstream commit 1eb013473bff5f95b6fe1ca4dd7deda47257b9c2 ] + +Like other cases, it should use rcu protected 'chan' rather +than 'fence->channel' in nouveau_fence_wait_uevent_handler. + +Fixes: 0ec5f02f0e2c ("drm/nouveau: prevent stale fence->channel pointers, and protect with rcu") +Signed-off-by: YueHaibing +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nouveau_fence.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_fence.c b/drivers/gpu/drm/nouveau/nouveau_fence.c +index 99e14e3e0fe4d..72532539369fb 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_fence.c ++++ b/drivers/gpu/drm/nouveau/nouveau_fence.c +@@ -158,7 +158,7 @@ nouveau_fence_wait_uevent_handler(struct nvif_notify *notify) + + fence = list_entry(fctx->pending.next, typeof(*fence), head); + chan = rcu_dereference_protected(fence->channel, lockdep_is_held(&fctx->lock)); +- if (nouveau_fence_update(fence->channel, fctx)) ++ if (nouveau_fence_update(chan, fctx)) + ret = NVIF_NOTIFY_DROP; + } + spin_unlock_irqrestore(&fctx->lock, flags); +-- +2.20.1 + diff --git a/queue-4.14/drm-nouveau-gr-gk20a-gm200-add-terminators-to-method.patch b/queue-4.14/drm-nouveau-gr-gk20a-gm200-add-terminators-to-method.patch new file mode 100644 index 00000000000..90f0fe4ef59 --- /dev/null +++ b/queue-4.14/drm-nouveau-gr-gk20a-gm200-add-terminators-to-method.patch @@ -0,0 +1,76 @@ +From e9a842db499c96dcd5599b65294c125d0b9abc3f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Jan 2020 11:46:15 +1000 +Subject: drm/nouveau/gr/gk20a,gm200-: add terminators to method lists read + from fw + +From: Ben Skeggs + +[ Upstream commit 7adc77aa0e11f25b0e762859219c70852cd8d56f ] + +Method init is typically ordered by class in the FW image as ThreeD, +TwoD, Compute. + +Due to a bug in parsing the FW into our internal format, we've been +accidentally sending Twod + Compute methods to the ThreeD class, as +well as Compute methods to the TwoD class - oops. + +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +--- + .../gpu/drm/nouveau/nvkm/engine/gr/gk20a.c | 21 ++++++++++--------- + 1 file changed, 11 insertions(+), 10 deletions(-) + +diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/gr/gk20a.c b/drivers/gpu/drm/nouveau/nvkm/engine/gr/gk20a.c +index de8b806b88fd9..7618b2eb4fdfd 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/engine/gr/gk20a.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/gr/gk20a.c +@@ -143,23 +143,24 @@ gk20a_gr_av_to_method(struct gf100_gr *gr, const char *fw_name, + + nent = (fuc.size / sizeof(struct gk20a_fw_av)); + +- pack = vzalloc((sizeof(*pack) * max_classes) + +- (sizeof(*init) * (nent + 1))); ++ pack = vzalloc((sizeof(*pack) * (max_classes + 1)) + ++ (sizeof(*init) * (nent + max_classes + 1))); + if (!pack) { + ret = -ENOMEM; + goto end; + } + +- init = (void *)(pack + max_classes); ++ init = (void *)(pack + max_classes + 1); + +- for (i = 0; i < nent; i++) { +- struct gf100_gr_init *ent = &init[i]; ++ for (i = 0; i < nent; i++, init++) { + struct gk20a_fw_av *av = &((struct gk20a_fw_av *)fuc.data)[i]; + u32 class = av->addr & 0xffff; + u32 addr = (av->addr & 0xffff0000) >> 14; + + if (prevclass != class) { +- pack[classidx].init = ent; ++ if (prevclass) /* Add terminator to the method list. */ ++ init++; ++ pack[classidx].init = init; + pack[classidx].type = class; + prevclass = class; + if (++classidx >= max_classes) { +@@ -169,10 +170,10 @@ gk20a_gr_av_to_method(struct gf100_gr *gr, const char *fw_name, + } + } + +- ent->addr = addr; +- ent->data = av->data; +- ent->count = 1; +- ent->pitch = 1; ++ init->addr = addr; ++ init->data = av->data; ++ init->count = 1; ++ init->pitch = 1; + } + + *ppack = pack; +-- +2.20.1 + diff --git a/queue-4.14/drm-nouveau-secboot-gm20b-initialize-pointer-in-gm20.patch b/queue-4.14/drm-nouveau-secboot-gm20b-initialize-pointer-in-gm20.patch new file mode 100644 index 00000000000..6ccd2c1dd52 --- /dev/null +++ b/queue-4.14/drm-nouveau-secboot-gm20b-initialize-pointer-in-gm20.patch @@ -0,0 +1,48 @@ +From 3af4448377d3d8dda13391e599422f06504bb21a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jan 2020 08:46:01 +0300 +Subject: drm/nouveau/secboot/gm20b: initialize pointer in gm20b_secboot_new() + +From: Dan Carpenter + +[ Upstream commit 3613a9bea95a1470dd42e4ed1cc7d86ebe0a2dc0 ] + +We accidentally set "psb" which is a no-op instead of "*psb" so it +generates a static checker warning. We should probably set it before +the first error return so that it's always initialized. + +Fixes: 923f1bd27bf1 ("drm/nouveau/secboot/gm20b: add secure boot support") +Signed-off-by: Dan Carpenter +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nvkm/subdev/secboot/gm20b.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/secboot/gm20b.c b/drivers/gpu/drm/nouveau/nvkm/subdev/secboot/gm20b.c +index 30491d132d59c..fbd10a67c6c6a 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/secboot/gm20b.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/secboot/gm20b.c +@@ -108,6 +108,7 @@ gm20b_secboot_new(struct nvkm_device *device, int index, + struct gm200_secboot *gsb; + struct nvkm_acr *acr; + ++ *psb = NULL; + acr = acr_r352_new(BIT(NVKM_SECBOOT_FALCON_FECS) | + BIT(NVKM_SECBOOT_FALCON_PMU)); + if (IS_ERR(acr)) +@@ -116,10 +117,8 @@ gm20b_secboot_new(struct nvkm_device *device, int index, + acr->optional_falcons = BIT(NVKM_SECBOOT_FALCON_PMU); + + gsb = kzalloc(sizeof(*gsb), GFP_KERNEL); +- if (!gsb) { +- psb = NULL; ++ if (!gsb) + return -ENOMEM; +- } + *psb = &gsb->base; + + ret = nvkm_secboot_ctor(&gm20b_secboot, acr, device, index, &gsb->base); +-- +2.20.1 + diff --git a/queue-4.14/drm-remove-the-newline-for-crc-source-name.patch b/queue-4.14/drm-remove-the-newline-for-crc-source-name.patch new file mode 100644 index 00000000000..68bf581f37c --- /dev/null +++ b/queue-4.14/drm-remove-the-newline-for-crc-source-name.patch @@ -0,0 +1,48 @@ +From bca937af62d43d027312496c9ca549bcebc5dae3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jun 2019 09:47:51 -0400 +Subject: drm: remove the newline for CRC source name. + +From: Dingchen Zhang + +[ Upstream commit 72a848f5c46bab4c921edc9cbffd1ab273b2be17 ] + +userspace may transfer a newline, and this terminating newline +is replaced by a '\0' to avoid followup issues. + +'len-1' is the index to replace the newline of CRC source name. + +v3: typo fix (Sam) + +v2: update patch subject, body and format. (Sam) + +Cc: Leo Li +Cc: Harry Wentland +Cc: Sam Ravnborg +Signed-off-by: Dingchen Zhang +Reviewed-by: Sam Ravnborg +Signed-off-by: Alex Deucher +Link: https://patchwork.freedesktop.org/patch/msgid/20190610134751.14356-1-dingchen.zhang@amd.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_debugfs_crc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/drm_debugfs_crc.c b/drivers/gpu/drm/drm_debugfs_crc.c +index 2901b7944068d..6858c80d2eb50 100644 +--- a/drivers/gpu/drm/drm_debugfs_crc.c ++++ b/drivers/gpu/drm/drm_debugfs_crc.c +@@ -101,8 +101,8 @@ static ssize_t crc_control_write(struct file *file, const char __user *ubuf, + if (IS_ERR(source)) + return PTR_ERR(source); + +- if (source[len] == '\n') +- source[len] = '\0'; ++ if (source[len - 1] == '\n') ++ source[len - 1] = '\0'; + + spin_lock_irq(&crc->lock); + +-- +2.20.1 + diff --git a/queue-4.14/drm-vmwgfx-prevent-memory-leak-in-vmw_cmdbuf_res_add.patch b/queue-4.14/drm-vmwgfx-prevent-memory-leak-in-vmw_cmdbuf_res_add.patch new file mode 100644 index 00000000000..e02014e60a6 --- /dev/null +++ b/queue-4.14/drm-vmwgfx-prevent-memory-leak-in-vmw_cmdbuf_res_add.patch @@ -0,0 +1,40 @@ +From 94264712580139062b35c7ccaf2ca64223e1c6d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Sep 2019 23:37:58 -0500 +Subject: drm/vmwgfx: prevent memory leak in vmw_cmdbuf_res_add + +From: Navid Emamdoost + +[ Upstream commit 40efb09a7f53125719e49864da008495e39aaa1e ] + +In vmw_cmdbuf_res_add if drm_ht_insert_item fails the allocated memory +for cres should be released. + +Fixes: 18e4a4669c50 ("drm/vmwgfx: Fix compat shader namespace") +Signed-off-by: Navid Emamdoost +Reviewed-by: Thomas Hellstrom +Signed-off-by: Thomas Hellstrom +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c b/drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c +index 36c7b6c839c0d..738ad2fc79a25 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c +@@ -210,8 +210,10 @@ int vmw_cmdbuf_res_add(struct vmw_cmdbuf_res_manager *man, + + cres->hash.key = user_key | (res_type << 24); + ret = drm_ht_insert_item(&man->resources, &cres->hash); +- if (unlikely(ret != 0)) ++ if (unlikely(ret != 0)) { ++ kfree(cres); + goto out_invalid_key; ++ } + + cres->state = VMW_CMDBUF_RES_ADD; + cres->res = vmw_resource_reference(res); +-- +2.20.1 + diff --git a/queue-4.14/efi-x86-don-t-panic-or-bug-on-non-critical-error-con.patch b/queue-4.14/efi-x86-don-t-panic-or-bug-on-non-critical-error-con.patch new file mode 100644 index 00000000000..77937a2d51f --- /dev/null +++ b/queue-4.14/efi-x86-don-t-panic-or-bug-on-non-critical-error-con.patch @@ -0,0 +1,131 @@ +From 2497b4d576bac6d4f1718ace224541ad448c88cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jan 2020 12:39:46 +0100 +Subject: efi/x86: Don't panic or BUG() on non-critical error conditions + +From: Ard Biesheuvel + +[ Upstream commit e2d68a955e49d61fd0384f23e92058dc9b79be5e ] + +The logic in __efi_enter_virtual_mode() does a number of steps in +sequence, all of which may fail in one way or the other. In most +cases, we simply print an error and disable EFI runtime services +support, but in some cases, we BUG() or panic() and bring down the +system when encountering conditions that we could easily handle in +the same way. + +While at it, replace a pointless page-to-virt-phys conversion with +one that goes straight from struct page to physical. + +Signed-off-by: Ard Biesheuvel +Cc: Andy Lutomirski +Cc: Ard Biesheuvel +Cc: Arvind Sankar +Cc: Matthew Garrett +Cc: linux-efi@vger.kernel.org +Link: https://lkml.kernel.org/r/20200103113953.9571-14-ardb@kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/platform/efi/efi.c | 28 ++++++++++++++-------------- + arch/x86/platform/efi/efi_64.c | 9 +++++---- + 2 files changed, 19 insertions(+), 18 deletions(-) + +diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c +index 5b0275310070e..e7f19dec16b97 100644 +--- a/arch/x86/platform/efi/efi.c ++++ b/arch/x86/platform/efi/efi.c +@@ -930,16 +930,14 @@ static void __init __efi_enter_virtual_mode(void) + + if (efi_alloc_page_tables()) { + pr_err("Failed to allocate EFI page tables\n"); +- clear_bit(EFI_RUNTIME_SERVICES, &efi.flags); +- return; ++ goto err; + } + + efi_merge_regions(); + new_memmap = efi_map_regions(&count, &pg_shift); + if (!new_memmap) { + pr_err("Error reallocating memory, EFI runtime non-functional!\n"); +- clear_bit(EFI_RUNTIME_SERVICES, &efi.flags); +- return; ++ goto err; + } + + pa = __pa(new_memmap); +@@ -953,8 +951,7 @@ static void __init __efi_enter_virtual_mode(void) + + if (efi_memmap_init_late(pa, efi.memmap.desc_size * count)) { + pr_err("Failed to remap late EFI memory map\n"); +- clear_bit(EFI_RUNTIME_SERVICES, &efi.flags); +- return; ++ goto err; + } + + if (efi_enabled(EFI_DBG)) { +@@ -962,12 +959,11 @@ static void __init __efi_enter_virtual_mode(void) + efi_print_memmap(); + } + +- BUG_ON(!efi.systab); ++ if (WARN_ON(!efi.systab)) ++ goto err; + +- if (efi_setup_page_tables(pa, 1 << pg_shift)) { +- clear_bit(EFI_RUNTIME_SERVICES, &efi.flags); +- return; +- } ++ if (efi_setup_page_tables(pa, 1 << pg_shift)) ++ goto err; + + efi_sync_low_kernel_mappings(); + +@@ -987,9 +983,9 @@ static void __init __efi_enter_virtual_mode(void) + } + + if (status != EFI_SUCCESS) { +- pr_alert("Unable to switch EFI into virtual mode (status=%lx)!\n", +- status); +- panic("EFI call to SetVirtualAddressMap() failed!"); ++ pr_err("Unable to switch EFI into virtual mode (status=%lx)!\n", ++ status); ++ goto err; + } + + /* +@@ -1016,6 +1012,10 @@ static void __init __efi_enter_virtual_mode(void) + + /* clean DUMMY object */ + efi_delete_dummy_variable(); ++ return; ++ ++err: ++ clear_bit(EFI_RUNTIME_SERVICES, &efi.flags); + } + + void __init efi_enter_virtual_mode(void) +diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c +index ae369c2bbc3eb..0ebb7f94fd518 100644 +--- a/arch/x86/platform/efi/efi_64.c ++++ b/arch/x86/platform/efi/efi_64.c +@@ -390,11 +390,12 @@ int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages) + return 0; + + page = alloc_page(GFP_KERNEL|__GFP_DMA32); +- if (!page) +- panic("Unable to allocate EFI runtime stack < 4GB\n"); ++ if (!page) { ++ pr_err("Unable to allocate EFI runtime stack < 4GB\n"); ++ return 1; ++ } + +- efi_scratch.phys_stack = virt_to_phys(page_address(page)); +- efi_scratch.phys_stack += PAGE_SIZE; /* stack grows down */ ++ efi_scratch.phys_stack = page_to_phys(page + 1); /* stack grows down */ + + npages = (_etext - _text) >> PAGE_SHIFT; + text = __pa(_text); +-- +2.20.1 + diff --git a/queue-4.14/efi-x86-map-the-entire-efi-vendor-string-before-copy.patch b/queue-4.14/efi-x86-map-the-entire-efi-vendor-string-before-copy.patch new file mode 100644 index 00000000000..c8a73c10481 --- /dev/null +++ b/queue-4.14/efi-x86-map-the-entire-efi-vendor-string-before-copy.patch @@ -0,0 +1,69 @@ +From 25be65e06c8ca7307d57b22cea514adaa16d09d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jan 2020 12:39:37 +0100 +Subject: efi/x86: Map the entire EFI vendor string before copying it + +From: Ard Biesheuvel + +[ Upstream commit ffc2760bcf2dba0dbef74013ed73eea8310cc52c ] + +Fix a couple of issues with the way we map and copy the vendor string: +- we map only 2 bytes, which usually works since you get at least a + page, but if the vendor string happens to cross a page boundary, + a crash will result +- only call early_memunmap() if early_memremap() succeeded, or we will + call it with a NULL address which it doesn't like, +- while at it, switch to early_memremap_ro(), and array indexing rather + than pointer dereferencing to read the CHAR16 characters. + +Signed-off-by: Ard Biesheuvel +Cc: Andy Lutomirski +Cc: Ard Biesheuvel +Cc: Arvind Sankar +Cc: Matthew Garrett +Cc: linux-efi@vger.kernel.org +Fixes: 5b83683f32b1 ("x86: EFI runtime service support") +Link: https://lkml.kernel.org/r/20200103113953.9571-5-ardb@kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/platform/efi/efi.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c +index 335a62e74a2e9..5b0275310070e 100644 +--- a/arch/x86/platform/efi/efi.c ++++ b/arch/x86/platform/efi/efi.c +@@ -480,7 +480,6 @@ void __init efi_init(void) + efi_char16_t *c16; + char vendor[100] = "unknown"; + int i = 0; +- void *tmp; + + #ifdef CONFIG_X86_32 + if (boot_params.efi_info.efi_systab_hi || +@@ -505,14 +504,16 @@ void __init efi_init(void) + /* + * Show what we know for posterity + */ +- c16 = tmp = early_memremap(efi.systab->fw_vendor, 2); ++ c16 = early_memremap_ro(efi.systab->fw_vendor, ++ sizeof(vendor) * sizeof(efi_char16_t)); + if (c16) { +- for (i = 0; i < sizeof(vendor) - 1 && *c16; ++i) +- vendor[i] = *c16++; ++ for (i = 0; i < sizeof(vendor) - 1 && c16[i]; ++i) ++ vendor[i] = c16[i]; + vendor[i] = '\0'; +- } else ++ early_memunmap(c16, sizeof(vendor) * sizeof(efi_char16_t)); ++ } else { + pr_err("Could not map the firmware vendor!\n"); +- early_memunmap(tmp, 2); ++ } + + pr_info("EFI v%u.%.02u by %s\n", + efi.systab->hdr.revision >> 16, +-- +2.20.1 + diff --git a/queue-4.14/ext4-fix-ext4_dax_read-write-inode-locking-sequence-.patch b/queue-4.14/ext4-fix-ext4_dax_read-write-inode-locking-sequence-.patch new file mode 100644 index 00000000000..b361beb9216 --- /dev/null +++ b/queue-4.14/ext4-fix-ext4_dax_read-write-inode-locking-sequence-.patch @@ -0,0 +1,59 @@ +From 46ca6079380fcc254080c815e2fa3736ca7f069a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Dec 2019 11:25:55 +0530 +Subject: ext4: fix ext4_dax_read/write inode locking sequence for IOCB_NOWAIT + +From: Ritesh Harjani + +[ Upstream commit f629afe3369e9885fd6e9cc7a4f514b6a65cf9e9 ] + +Apparently our current rwsem code doesn't like doing the trylock, then +lock for real scheme. So change our dax read/write methods to just do the +trylock for the RWF_NOWAIT case. +This seems to fix AIM7 regression in some scalable filesystems upto ~25% +in some cases. Claimed in commit 942491c9e6d6 ("xfs: fix AIM7 regression") + +Reviewed-by: Jan Kara +Reviewed-by: Matthew Bobrowski +Tested-by: Joseph Qi +Signed-off-by: Ritesh Harjani +Link: https://lore.kernel.org/r/20191212055557.11151-2-riteshh@linux.ibm.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/file.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/fs/ext4/file.c b/fs/ext4/file.c +index 4ede0af9d6fe3..acec134da57df 100644 +--- a/fs/ext4/file.c ++++ b/fs/ext4/file.c +@@ -38,9 +38,10 @@ static ssize_t ext4_dax_read_iter(struct kiocb *iocb, struct iov_iter *to) + struct inode *inode = file_inode(iocb->ki_filp); + ssize_t ret; + +- if (!inode_trylock_shared(inode)) { +- if (iocb->ki_flags & IOCB_NOWAIT) ++ if (iocb->ki_flags & IOCB_NOWAIT) { ++ if (!inode_trylock_shared(inode)) + return -EAGAIN; ++ } else { + inode_lock_shared(inode); + } + /* +@@ -188,9 +189,10 @@ ext4_dax_write_iter(struct kiocb *iocb, struct iov_iter *from) + struct inode *inode = file_inode(iocb->ki_filp); + ssize_t ret; + +- if (!inode_trylock(inode)) { +- if (iocb->ki_flags & IOCB_NOWAIT) ++ if (iocb->ki_flags & IOCB_NOWAIT) { ++ if (!inode_trylock(inode)) + return -EAGAIN; ++ } else { + inode_lock(inode); + } + ret = ext4_write_checks(iocb, from); +-- +2.20.1 + diff --git a/queue-4.14/ext4-jbd2-ensure-panic-when-aborting-with-zero-errno.patch b/queue-4.14/ext4-jbd2-ensure-panic-when-aborting-with-zero-errno.patch new file mode 100644 index 00000000000..4a74bf55834 --- /dev/null +++ b/queue-4.14/ext4-jbd2-ensure-panic-when-aborting-with-zero-errno.patch @@ -0,0 +1,76 @@ +From cd099becfc090556f1fc149b6568e6b4a7e2bd8b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2019 20:46:12 +0800 +Subject: ext4, jbd2: ensure panic when aborting with zero errno + +From: zhangyi (F) + +[ Upstream commit 51f57b01e4a3c7d7bdceffd84de35144e8c538e7 ] + +JBD2_REC_ERR flag used to indicate the errno has been updated when jbd2 +aborted, and then __ext4_abort() and ext4_handle_error() can invoke +panic if ERRORS_PANIC is specified. But if the journal has been aborted +with zero errno, jbd2_journal_abort() didn't set this flag so we can +no longer panic. Fix this by always record the proper errno in the +journal superblock. + +Fixes: 4327ba52afd03 ("ext4, jbd2: ensure entering into panic after recording an error in superblock") +Signed-off-by: zhangyi (F) +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20191204124614.45424-3-yi.zhang@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/jbd2/checkpoint.c | 2 +- + fs/jbd2/journal.c | 15 ++++----------- + 2 files changed, 5 insertions(+), 12 deletions(-) + +diff --git a/fs/jbd2/checkpoint.c b/fs/jbd2/checkpoint.c +index fe4fe155b7fbe..15d129b7494b0 100644 +--- a/fs/jbd2/checkpoint.c ++++ b/fs/jbd2/checkpoint.c +@@ -168,7 +168,7 @@ void __jbd2_log_wait_for_space(journal_t *journal) + "journal space in %s\n", __func__, + journal->j_devname); + WARN_ON(1); +- jbd2_journal_abort(journal, 0); ++ jbd2_journal_abort(journal, -EIO); + } + write_lock(&journal->j_state_lock); + } else { +diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c +index b72be822f04f2..eae9ced846d51 100644 +--- a/fs/jbd2/journal.c ++++ b/fs/jbd2/journal.c +@@ -2128,12 +2128,10 @@ static void __journal_abort_soft (journal_t *journal, int errno) + + __jbd2_journal_abort_hard(journal); + +- if (errno) { +- jbd2_journal_update_sb_errno(journal); +- write_lock(&journal->j_state_lock); +- journal->j_flags |= JBD2_REC_ERR; +- write_unlock(&journal->j_state_lock); +- } ++ jbd2_journal_update_sb_errno(journal); ++ write_lock(&journal->j_state_lock); ++ journal->j_flags |= JBD2_REC_ERR; ++ write_unlock(&journal->j_state_lock); + } + + /** +@@ -2175,11 +2173,6 @@ static void __journal_abort_soft (journal_t *journal, int errno) + * failure to disk. ext3_error, for example, now uses this + * functionality. + * +- * Errors which originate from within the journaling layer will NOT +- * supply an errno; a null errno implies that absolutely no further +- * writes are done to the journal (unless there are any already in +- * progress). +- * + */ + + void jbd2_journal_abort(journal_t *journal, int errno) +-- +2.20.1 + diff --git a/queue-4.14/f2fs-fix-memleak-of-kobject.patch b/queue-4.14/f2fs-fix-memleak-of-kobject.patch new file mode 100644 index 00000000000..7477061f191 --- /dev/null +++ b/queue-4.14/f2fs-fix-memleak-of-kobject.patch @@ -0,0 +1,54 @@ +From ae03465bcb7a5c71b7e3d126b48b4a321d3667b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Dec 2019 17:41:41 +0800 +Subject: f2fs: fix memleak of kobject + +From: Chao Yu + +[ Upstream commit fe396ad8e7526f059f7b8c7290d33a1b84adacab ] + +If kobject_init_and_add() failed, caller needs to invoke kobject_put() +to release kobject explicitly. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/sysfs.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/fs/f2fs/sysfs.c b/fs/f2fs/sysfs.c +index 79e45e760c20b..a55919eec0351 100644 +--- a/fs/f2fs/sysfs.c ++++ b/fs/f2fs/sysfs.c +@@ -507,10 +507,12 @@ int __init f2fs_init_sysfs(void) + + ret = kobject_init_and_add(&f2fs_feat, &f2fs_feat_ktype, + NULL, "features"); +- if (ret) ++ if (ret) { ++ kobject_put(&f2fs_feat); + kset_unregister(&f2fs_kset); +- else ++ } else { + f2fs_proc_root = proc_mkdir("fs/f2fs", NULL); ++ } + return ret; + } + +@@ -531,8 +533,11 @@ int f2fs_register_sysfs(struct f2fs_sb_info *sbi) + init_completion(&sbi->s_kobj_unregister); + err = kobject_init_and_add(&sbi->s_kobj, &f2fs_sb_ktype, NULL, + "%s", sb->s_id); +- if (err) ++ if (err) { ++ kobject_put(&sbi->s_kobj); ++ wait_for_completion(&sbi->s_kobj_unregister); + return err; ++ } + + if (f2fs_proc_root) + sbi->s_proc = proc_mkdir(sb->s_id, f2fs_proc_root); +-- +2.20.1 + diff --git a/queue-4.14/f2fs-free-sysfs-kobject.patch b/queue-4.14/f2fs-free-sysfs-kobject.patch new file mode 100644 index 00000000000..cb224a2e405 --- /dev/null +++ b/queue-4.14/f2fs-free-sysfs-kobject.patch @@ -0,0 +1,31 @@ +From b8d4fe4611b474619aaa83fa3db21a6eb301b502 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Dec 2019 18:32:16 -0800 +Subject: f2fs: free sysfs kobject + +From: Jaegeuk Kim + +[ Upstream commit 820d366736c949ffe698d3b3fe1266a91da1766d ] + +Detected kmemleak. + +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/sysfs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/f2fs/sysfs.c b/fs/f2fs/sysfs.c +index 93af9d7dfcdca..79e45e760c20b 100644 +--- a/fs/f2fs/sysfs.c ++++ b/fs/f2fs/sysfs.c +@@ -557,4 +557,5 @@ void f2fs_unregister_sysfs(struct f2fs_sb_info *sbi) + remove_proc_entry(sbi->sb->s_id, f2fs_proc_root); + } + kobject_del(&sbi->s_kobj); ++ kobject_put(&sbi->s_kobj); + } +-- +2.20.1 + diff --git a/queue-4.14/fore200e-fix-incorrect-checks-of-null-pointer-derefe.patch b/queue-4.14/fore200e-fix-incorrect-checks-of-null-pointer-derefe.patch new file mode 100644 index 00000000000..0988c0b4611 --- /dev/null +++ b/queue-4.14/fore200e-fix-incorrect-checks-of-null-pointer-derefe.patch @@ -0,0 +1,80 @@ +From 7ade54fdeab661f67db172272b0c268585315e7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Dec 2019 10:14:51 -0600 +Subject: fore200e: Fix incorrect checks of NULL pointer dereference + +From: Aditya Pakki + +[ Upstream commit bbd20c939c8aa3f27fa30e86691af250bf92973a ] + +In fore200e_send and fore200e_close, the pointers from the arguments +are dereferenced in the variable declaration block and then checked +for NULL. The patch fixes these issues by avoiding NULL pointer +dereferences. + +Signed-off-by: Aditya Pakki +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/atm/fore200e.c | 25 ++++++++++++++++++------- + 1 file changed, 18 insertions(+), 7 deletions(-) + +diff --git a/drivers/atm/fore200e.c b/drivers/atm/fore200e.c +index f8b7e86907cc2..0a1ad1a1d34fb 100644 +--- a/drivers/atm/fore200e.c ++++ b/drivers/atm/fore200e.c +@@ -1496,12 +1496,14 @@ fore200e_open(struct atm_vcc *vcc) + static void + fore200e_close(struct atm_vcc* vcc) + { +- struct fore200e* fore200e = FORE200E_DEV(vcc->dev); + struct fore200e_vcc* fore200e_vcc; ++ struct fore200e* fore200e; + struct fore200e_vc_map* vc_map; + unsigned long flags; + + ASSERT(vcc); ++ fore200e = FORE200E_DEV(vcc->dev); ++ + ASSERT((vcc->vpi >= 0) && (vcc->vpi < 1<vci >= 0) && (vcc->vci < 1<dev); +- struct fore200e_vcc* fore200e_vcc = FORE200E_VCC(vcc); ++ struct fore200e* fore200e; ++ struct fore200e_vcc* fore200e_vcc; + struct fore200e_vc_map* vc_map; +- struct host_txq* txq = &fore200e->host_txq; ++ struct host_txq* txq; + struct host_txq_entry* entry; + struct tpd* tpd; + struct tpd_haddr tpd_haddr; +@@ -1562,9 +1564,18 @@ fore200e_send(struct atm_vcc *vcc, struct sk_buff *skb) + unsigned char* data; + unsigned long flags; + +- ASSERT(vcc); +- ASSERT(fore200e); +- ASSERT(fore200e_vcc); ++ if (!vcc) ++ return -EINVAL; ++ ++ fore200e = FORE200E_DEV(vcc->dev); ++ fore200e_vcc = FORE200E_VCC(vcc); ++ ++ if (!fore200e) ++ return -EINVAL; ++ ++ txq = &fore200e->host_txq; ++ if (!fore200e_vcc) ++ return -EINVAL; + + if (!test_bit(ATM_VF_READY, &vcc->flags)) { + DPRINTK(1, "VC %d.%d.%d not ready for tx\n", vcc->itf, vcc->vpi, vcc->vpi); +-- +2.20.1 + diff --git a/queue-4.14/ftrace-fpid_next-should-increase-position-index.patch b/queue-4.14/ftrace-fpid_next-should-increase-position-index.patch new file mode 100644 index 00000000000..30dc4d939bb --- /dev/null +++ b/queue-4.14/ftrace-fpid_next-should-increase-position-index.patch @@ -0,0 +1,63 @@ +From 08801e3833e87b78a467265e7f64dc5137a17eb1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jan 2020 10:02:56 +0300 +Subject: ftrace: fpid_next() should increase position index + +From: Vasily Averin + +[ Upstream commit e4075e8bdffd93a9b6d6e1d52fabedceeca5a91b ] + +if seq_file .next fuction does not change position index, +read after some lseek can generate unexpected output. + +Without patch: + # dd bs=4 skip=1 if=/sys/kernel/tracing/set_ftrace_pid + dd: /sys/kernel/tracing/set_ftrace_pid: cannot skip to specified offset + id + no pid + 2+1 records in + 2+1 records out + 10 bytes copied, 0.000213285 s, 46.9 kB/s + +Notice the "id" followed by "no pid". + +With the patch: + # dd bs=4 skip=1 if=/sys/kernel/tracing/set_ftrace_pid + dd: /sys/kernel/tracing/set_ftrace_pid: cannot skip to specified offset + id + 0+1 records in + 0+1 records out + 3 bytes copied, 0.000202112 s, 14.8 kB/s + +Notice that it only prints "id" and not the "no pid" afterward. + +Link: http://lkml.kernel.org/r/4f87c6ad-f114-30bb-8506-c32274ce2992@virtuozzo.com + +https://bugzilla.kernel.org/show_bug.cgi?id=206283 +Signed-off-by: Vasily Averin +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + kernel/trace/ftrace.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c +index 8974ecbcca3cb..8a8d92a8045b1 100644 +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -6317,9 +6317,10 @@ static void *fpid_next(struct seq_file *m, void *v, loff_t *pos) + struct trace_array *tr = m->private; + struct trace_pid_list *pid_list = rcu_dereference_sched(tr->function_pids); + +- if (v == FTRACE_NO_PIDS) ++ if (v == FTRACE_NO_PIDS) { ++ (*pos)++; + return NULL; +- ++ } + return trace_pid_next(pid_list, v, pos); + } + +-- +2.20.1 + diff --git a/queue-4.14/gianfar-fix-tx-timestamping-with-a-stacked-dsa-drive.patch b/queue-4.14/gianfar-fix-tx-timestamping-with-a-stacked-dsa-drive.patch new file mode 100644 index 00000000000..c1520682bd9 --- /dev/null +++ b/queue-4.14/gianfar-fix-tx-timestamping-with-a-stacked-dsa-drive.patch @@ -0,0 +1,89 @@ +From f0e8fa05d92ef84a5bbbfca7c2e20d60fa904470 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Dec 2019 15:30:45 +0200 +Subject: gianfar: Fix TX timestamping with a stacked DSA driver + +From: Vladimir Oltean + +[ Upstream commit c26a2c2ddc0115eb088873f5c309cf46b982f522 ] + +The driver wrongly assumes that it is the only entity that can set the +SKBTX_IN_PROGRESS bit of the current skb. Therefore, in the +gfar_clean_tx_ring function, where the TX timestamp is collected if +necessary, the aforementioned bit is used to discriminate whether or not +the TX timestamp should be delivered to the socket's error queue. + +But a stacked driver such as a DSA switch can also set the +SKBTX_IN_PROGRESS bit, which is actually exactly what it should do in +order to denote that the hardware timestamping process is undergoing. + +Therefore, gianfar would misinterpret the "in progress" bit as being its +own, and deliver a second skb clone in the socket's error queue, +completely throwing off a PTP process which is not expecting to receive +it, _even though_ TX timestamping is not enabled for gianfar. + +There have been discussions [0] as to whether non-MAC drivers need or +not to set SKBTX_IN_PROGRESS at all (whose purpose is to avoid sending 2 +timestamps, a sw and a hw one, to applications which only expect one). +But as of this patch, there are at least 2 PTP drivers that would break +in conjunction with gianfar: the sja1105 DSA switch and the felix +switch, by way of its ocelot core driver. + +So regardless of that conclusion, fix the gianfar driver to not do stuff +based on flags set by others and not intended for it. + +[0]: https://www.spinics.net/lists/netdev/msg619699.html + +Fixes: f0ee7acfcdd4 ("gianfar: Add hardware TX timestamping support") +Signed-off-by: Vladimir Oltean +Acked-by: Richard Cochran +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/gianfar.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/gianfar.c b/drivers/net/ethernet/freescale/gianfar.c +index 27d0e3b9833cd..e4a2c74a9b47e 100644 +--- a/drivers/net/ethernet/freescale/gianfar.c ++++ b/drivers/net/ethernet/freescale/gianfar.c +@@ -2685,13 +2685,17 @@ static void gfar_clean_tx_ring(struct gfar_priv_tx_q *tx_queue) + skb_dirtytx = tx_queue->skb_dirtytx; + + while ((skb = tx_queue->tx_skbuff[skb_dirtytx])) { ++ bool do_tstamp; ++ ++ do_tstamp = (skb_shinfo(skb)->tx_flags & SKBTX_HW_TSTAMP) && ++ priv->hwts_tx_en; + + frags = skb_shinfo(skb)->nr_frags; + + /* When time stamping, one additional TxBD must be freed. + * Also, we need to dma_unmap_single() the TxPAL. + */ +- if (unlikely(skb_shinfo(skb)->tx_flags & SKBTX_IN_PROGRESS)) ++ if (unlikely(do_tstamp)) + nr_txbds = frags + 2; + else + nr_txbds = frags + 1; +@@ -2705,7 +2709,7 @@ static void gfar_clean_tx_ring(struct gfar_priv_tx_q *tx_queue) + (lstatus & BD_LENGTH_MASK)) + break; + +- if (unlikely(skb_shinfo(skb)->tx_flags & SKBTX_IN_PROGRESS)) { ++ if (unlikely(do_tstamp)) { + next = next_txbd(bdp, base, tx_ring_size); + buflen = be16_to_cpu(next->length) + + GMAC_FCB_LEN + GMAC_TXPAL_LEN; +@@ -2715,7 +2719,7 @@ static void gfar_clean_tx_ring(struct gfar_priv_tx_q *tx_queue) + dma_unmap_single(priv->dev, be32_to_cpu(bdp->bufPtr), + buflen, DMA_TO_DEVICE); + +- if (unlikely(skb_shinfo(skb)->tx_flags & SKBTX_IN_PROGRESS)) { ++ if (unlikely(do_tstamp)) { + struct skb_shared_hwtstamps shhwtstamps; + u64 *ns = (u64 *)(((uintptr_t)skb->data + 0x10) & + ~0x7UL); +-- +2.20.1 + diff --git a/queue-4.14/gpio-gpio-grgpio-fix-possible-sleep-in-atomic-contex.patch b/queue-4.14/gpio-gpio-grgpio-fix-possible-sleep-in-atomic-contex.patch new file mode 100644 index 00000000000..03a42fac42c --- /dev/null +++ b/queue-4.14/gpio-gpio-grgpio-fix-possible-sleep-in-atomic-contex.patch @@ -0,0 +1,78 @@ +From 908049ca4e3713888eb5bdd356eca30ccd12c95e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Dec 2019 21:26:05 +0800 +Subject: gpio: gpio-grgpio: fix possible sleep-in-atomic-context bugs in + grgpio_irq_map/unmap() + +From: Jia-Ju Bai + +[ Upstream commit e36eaf94be8f7bc4e686246eed3cf92d845e2ef8 ] + +The driver may sleep while holding a spinlock. +The function call path (from bottom to top) in Linux 4.19 is: + +drivers/gpio/gpio-grgpio.c, 261: + request_irq in grgpio_irq_map +drivers/gpio/gpio-grgpio.c, 255: + _raw_spin_lock_irqsave in grgpio_irq_map + +drivers/gpio/gpio-grgpio.c, 318: + free_irq in grgpio_irq_unmap +drivers/gpio/gpio-grgpio.c, 299: + _raw_spin_lock_irqsave in grgpio_irq_unmap + +request_irq() and free_irq() can sleep at runtime. + +To fix these bugs, request_irq() and free_irq() are called without +holding the spinlock. + +These bugs are found by a static analysis tool STCheck written by myself. + +Signed-off-by: Jia-Ju Bai +Link: https://lore.kernel.org/r/20191218132605.10594-1-baijiaju1990@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-grgpio.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpio/gpio-grgpio.c b/drivers/gpio/gpio-grgpio.c +index 6544a16ab02e9..7541bd327e6c5 100644 +--- a/drivers/gpio/gpio-grgpio.c ++++ b/drivers/gpio/gpio-grgpio.c +@@ -259,17 +259,16 @@ static int grgpio_irq_map(struct irq_domain *d, unsigned int irq, + lirq->irq = irq; + uirq = &priv->uirqs[lirq->index]; + if (uirq->refcnt == 0) { ++ spin_unlock_irqrestore(&priv->gc.bgpio_lock, flags); + ret = request_irq(uirq->uirq, grgpio_irq_handler, 0, + dev_name(priv->dev), priv); + if (ret) { + dev_err(priv->dev, + "Could not request underlying irq %d\n", + uirq->uirq); +- +- spin_unlock_irqrestore(&priv->gc.bgpio_lock, flags); +- + return ret; + } ++ spin_lock_irqsave(&priv->gc.bgpio_lock, flags); + } + uirq->refcnt++; + +@@ -315,8 +314,11 @@ static void grgpio_irq_unmap(struct irq_domain *d, unsigned int irq) + if (index >= 0) { + uirq = &priv->uirqs[lirq->index]; + uirq->refcnt--; +- if (uirq->refcnt == 0) ++ if (uirq->refcnt == 0) { ++ spin_unlock_irqrestore(&priv->gc.bgpio_lock, flags); + free_irq(uirq->uirq, priv); ++ return; ++ } + } + + spin_unlock_irqrestore(&priv->gc.bgpio_lock, flags); +-- +2.20.1 + diff --git a/queue-4.14/help_next-should-increase-position-index.patch b/queue-4.14/help_next-should-increase-position-index.patch new file mode 100644 index 00000000000..810a5fab6f6 --- /dev/null +++ b/queue-4.14/help_next-should-increase-position-index.patch @@ -0,0 +1,35 @@ +From 40f888c0d25f9c7aa217c78bcd13bd7ca6830bb8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jan 2020 09:10:47 +0300 +Subject: help_next should increase position index + +From: Vasily Averin + +[ Upstream commit 9f198a2ac543eaaf47be275531ad5cbd50db3edf ] + +if seq_file .next fuction does not change position index, +read after some lseek can generate unexpected output. + +https://bugzilla.kernel.org/show_bug.cgi?id=206283 +Signed-off-by: Vasily Averin +Signed-off-by: Mike Marshall +Signed-off-by: Sasha Levin +--- + fs/orangefs/orangefs-debugfs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/orangefs/orangefs-debugfs.c b/fs/orangefs/orangefs-debugfs.c +index 1c59dff530dee..34d1cc98260d2 100644 +--- a/fs/orangefs/orangefs-debugfs.c ++++ b/fs/orangefs/orangefs-debugfs.c +@@ -305,6 +305,7 @@ static void *help_start(struct seq_file *m, loff_t *pos) + + static void *help_next(struct seq_file *m, void *v, loff_t *pos) + { ++ (*pos)++; + gossip_debug(GOSSIP_DEBUGFS_DEBUG, "help_next: start\n"); + + return NULL; +-- +2.20.1 + diff --git a/queue-4.14/hostap-adjust-indentation-in-prism2_hostapd_add_sta.patch b/queue-4.14/hostap-adjust-indentation-in-prism2_hostapd_add_sta.patch new file mode 100644 index 00000000000..d66f82ecb54 --- /dev/null +++ b/queue-4.14/hostap-adjust-indentation-in-prism2_hostapd_add_sta.patch @@ -0,0 +1,52 @@ +From 36d27abf27a81d42a4cd8410cd3e3c9759375b8f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Dec 2019 18:15:46 -0700 +Subject: hostap: Adjust indentation in prism2_hostapd_add_sta + +From: Nathan Chancellor + +[ Upstream commit b61156fba74f659d0bc2de8f2dbf5bad9f4b8faf ] + +Clang warns: + +../drivers/net/wireless/intersil/hostap/hostap_ap.c:2511:3: warning: +misleading indentation; statement is not part of the previous 'if' +[-Wmisleading-indentation] + if (sta->tx_supp_rates & WLAN_RATE_5M5) + ^ +../drivers/net/wireless/intersil/hostap/hostap_ap.c:2509:2: note: +previous statement is here + if (sta->tx_supp_rates & WLAN_RATE_2M) + ^ +1 warning generated. + +This warning occurs because there is a space before the tab on this +line. Remove it so that the indentation is consistent with the Linux +kernel coding style and clang no longer warns. + +Fixes: ff1d2767d5a4 ("Add HostAP wireless driver.") +Link: https://github.com/ClangBuiltLinux/linux/issues/813 +Signed-off-by: Nathan Chancellor +Reviewed-by: Nick Desaulniers +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intersil/hostap/hostap_ap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intersil/hostap/hostap_ap.c b/drivers/net/wireless/intersil/hostap/hostap_ap.c +index 1a8d8db80b054..486ca1ee306ed 100644 +--- a/drivers/net/wireless/intersil/hostap/hostap_ap.c ++++ b/drivers/net/wireless/intersil/hostap/hostap_ap.c +@@ -2568,7 +2568,7 @@ static int prism2_hostapd_add_sta(struct ap_data *ap, + sta->supported_rates[0] = 2; + if (sta->tx_supp_rates & WLAN_RATE_2M) + sta->supported_rates[1] = 4; +- if (sta->tx_supp_rates & WLAN_RATE_5M5) ++ if (sta->tx_supp_rates & WLAN_RATE_5M5) + sta->supported_rates[2] = 11; + if (sta->tx_supp_rates & WLAN_RATE_11M) + sta->supported_rates[3] = 22; +-- +2.20.1 + diff --git a/queue-4.14/ib-hfi1-add-software-counter-for-ctxt0-seq-drop.patch b/queue-4.14/ib-hfi1-add-software-counter-for-ctxt0-seq-drop.patch new file mode 100644 index 00000000000..a68ef467c9f --- /dev/null +++ b/queue-4.14/ib-hfi1-add-software-counter-for-ctxt0-seq-drop.patch @@ -0,0 +1,95 @@ +From 599c30c34a7840b05ab36537840ba90c26029dbb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jan 2020 08:42:28 -0500 +Subject: IB/hfi1: Add software counter for ctxt0 seq drop + +From: Mike Marciniszyn + +[ Upstream commit 5ffd048698ea5139743acd45e8ab388a683642b8 ] + +All other code paths increment some form of drop counter. + +This was missed in the original implementation. + +Fixes: 82c2611daaf0 ("staging/rdma/hfi1: Handle packets with invalid RHF on context 0") +Link: https://lore.kernel.org/r/20200106134228.119356.96828.stgit@awfm-01.aw.intel.com +Reviewed-by: Kaike Wan +Signed-off-by: Mike Marciniszyn +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hfi1/chip.c | 10 ++++++++++ + drivers/infiniband/hw/hfi1/chip.h | 1 + + drivers/infiniband/hw/hfi1/driver.c | 1 + + drivers/infiniband/hw/hfi1/hfi.h | 2 ++ + 4 files changed, 14 insertions(+) + +diff --git a/drivers/infiniband/hw/hfi1/chip.c b/drivers/infiniband/hw/hfi1/chip.c +index 4a0b7c0034771..cb5785dda524e 100644 +--- a/drivers/infiniband/hw/hfi1/chip.c ++++ b/drivers/infiniband/hw/hfi1/chip.c +@@ -1686,6 +1686,14 @@ static u64 access_sw_pio_drain(const struct cntr_entry *entry, + return dd->verbs_dev.n_piodrain; + } + ++static u64 access_sw_ctx0_seq_drop(const struct cntr_entry *entry, ++ void *context, int vl, int mode, u64 data) ++{ ++ struct hfi1_devdata *dd = context; ++ ++ return dd->ctx0_seq_drop; ++} ++ + static u64 access_sw_vtx_wait(const struct cntr_entry *entry, + void *context, int vl, int mode, u64 data) + { +@@ -4246,6 +4254,8 @@ static struct cntr_entry dev_cntrs[DEV_CNTR_LAST] = { + access_sw_cpu_intr), + [C_SW_CPU_RCV_LIM] = CNTR_ELEM("RcvLimit", 0, 0, CNTR_NORMAL, + access_sw_cpu_rcv_limit), ++[C_SW_CTX0_SEQ_DROP] = CNTR_ELEM("SeqDrop0", 0, 0, CNTR_NORMAL, ++ access_sw_ctx0_seq_drop), + [C_SW_VTX_WAIT] = CNTR_ELEM("vTxWait", 0, 0, CNTR_NORMAL, + access_sw_vtx_wait), + [C_SW_PIO_WAIT] = CNTR_ELEM("PioWait", 0, 0, CNTR_NORMAL, +diff --git a/drivers/infiniband/hw/hfi1/chip.h b/drivers/infiniband/hw/hfi1/chip.h +index 50b8645d0b876..a88ef2433cea2 100644 +--- a/drivers/infiniband/hw/hfi1/chip.h ++++ b/drivers/infiniband/hw/hfi1/chip.h +@@ -864,6 +864,7 @@ enum { + C_DC_PG_STS_TX_MBE_CNT, + C_SW_CPU_INTR, + C_SW_CPU_RCV_LIM, ++ C_SW_CTX0_SEQ_DROP, + C_SW_VTX_WAIT, + C_SW_PIO_WAIT, + C_SW_PIO_DRAIN, +diff --git a/drivers/infiniband/hw/hfi1/driver.c b/drivers/infiniband/hw/hfi1/driver.c +index 72c836b826ca8..7aa1aabb7a43c 100644 +--- a/drivers/infiniband/hw/hfi1/driver.c ++++ b/drivers/infiniband/hw/hfi1/driver.c +@@ -710,6 +710,7 @@ static noinline int skip_rcv_packet(struct hfi1_packet *packet, int thread) + { + int ret; + ++ packet->rcd->dd->ctx0_seq_drop++; + /* Set up for the next packet */ + packet->rhqoff += packet->rsize; + if (packet->rhqoff >= packet->maxcnt) +diff --git a/drivers/infiniband/hw/hfi1/hfi.h b/drivers/infiniband/hw/hfi1/hfi.h +index 810ef5114772c..cf9bc95d80396 100644 +--- a/drivers/infiniband/hw/hfi1/hfi.h ++++ b/drivers/infiniband/hw/hfi1/hfi.h +@@ -1043,6 +1043,8 @@ struct hfi1_devdata { + + char *boardname; /* human readable board info */ + ++ u64 ctx0_seq_drop; ++ + /* reset value */ + u64 z_int_counter; + u64 z_rcv_limit; +-- +2.20.1 + diff --git a/queue-4.14/ide-serverworks-potential-overflow-in-svwks_set_pio_.patch b/queue-4.14/ide-serverworks-potential-overflow-in-svwks_set_pio_.patch new file mode 100644 index 00000000000..e4725e30be1 --- /dev/null +++ b/queue-4.14/ide-serverworks-potential-overflow-in-svwks_set_pio_.patch @@ -0,0 +1,45 @@ +From 72165ee7fdd9a485113a39d09d31e815b4f2106a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jan 2020 16:06:07 +0300 +Subject: ide: serverworks: potential overflow in svwks_set_pio_mode() + +From: Dan Carpenter + +[ Upstream commit ce1f31b4c0b9551dd51874dd5364654ed4ca13ae ] + +The "drive->dn" variable is a u8 controlled by root. + +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/ide/serverworks.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/ide/serverworks.c b/drivers/ide/serverworks.c +index a97affca18abe..0f57d45484d1d 100644 +--- a/drivers/ide/serverworks.c ++++ b/drivers/ide/serverworks.c +@@ -114,6 +114,9 @@ static void svwks_set_pio_mode(ide_hwif_t *hwif, ide_drive_t *drive) + struct pci_dev *dev = to_pci_dev(hwif->dev); + const u8 pio = drive->pio_mode - XFER_PIO_0; + ++ if (drive->dn >= ARRAY_SIZE(drive_pci)) ++ return; ++ + pci_write_config_byte(dev, drive_pci[drive->dn], pio_modes[pio]); + + if (svwks_csb_check(dev)) { +@@ -140,6 +143,9 @@ static void svwks_set_dma_mode(ide_hwif_t *hwif, ide_drive_t *drive) + + u8 ultra_enable = 0, ultra_timing = 0, dma_timing = 0; + ++ if (drive->dn >= ARRAY_SIZE(drive_pci2)) ++ return; ++ + pci_read_config_byte(dev, (0x56|hwif->channel), &ultra_timing); + pci_read_config_byte(dev, 0x54, &ultra_enable); + +-- +2.20.1 + diff --git a/queue-4.14/input-edt-ft5x06-work-around-first-register-access-e.patch b/queue-4.14/input-edt-ft5x06-work-around-first-register-access-e.patch new file mode 100644 index 00000000000..117df20799c --- /dev/null +++ b/queue-4.14/input-edt-ft5x06-work-around-first-register-access-e.patch @@ -0,0 +1,55 @@ +From 5299f8f322702f407728bd494fa7b8885e527ea8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Jan 2020 17:03:21 -0800 +Subject: Input: edt-ft5x06 - work around first register access error + +From: Philipp Zabel + +[ Upstream commit e112324cc0422c046f1cf54c56f333d34fa20885 ] + +The EP0700MLP1 returns bogus data on the first register read access +(reading the threshold parameter from register 0x00): + + edt_ft5x06 2-0038: crc error: 0xfc expected, got 0x40 + +It ignores writes until then. This patch adds a dummy read after which +the number of sensors and parameter read/writes work correctly. + +Signed-off-by: Philipp Zabel +Signed-off-by: Marco Felsch +Tested-by: Andy Shevchenko +Reviewed-by: Andy Shevchenko +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/touchscreen/edt-ft5x06.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/input/touchscreen/edt-ft5x06.c b/drivers/input/touchscreen/edt-ft5x06.c +index 5bf63f76dddac..4eff5b44640cf 100644 +--- a/drivers/input/touchscreen/edt-ft5x06.c ++++ b/drivers/input/touchscreen/edt-ft5x06.c +@@ -888,6 +888,7 @@ static int edt_ft5x06_ts_probe(struct i2c_client *client, + { + const struct edt_i2c_chip_data *chip_data; + struct edt_ft5x06_ts_data *tsdata; ++ u8 buf[2] = { 0xfc, 0x00 }; + struct input_dev *input; + unsigned long irq_flags; + int error; +@@ -957,6 +958,12 @@ static int edt_ft5x06_ts_probe(struct i2c_client *client, + return error; + } + ++ /* ++ * Dummy read access. EP0700MLP1 returns bogus data on the first ++ * register read access and ignores writes. ++ */ ++ edt_ft5x06_ts_readwrite(tsdata->client, 2, buf, 2, buf); ++ + edt_ft5x06_ts_set_regs(tsdata); + edt_ft5x06_ts_get_defaults(&client->dev, tsdata); + edt_ft5x06_ts_get_parameters(tsdata); +-- +2.20.1 + diff --git a/queue-4.14/iommu-arm-smmu-v3-use-write_once-when-changing-valid.patch b/queue-4.14/iommu-arm-smmu-v3-use-write_once-when-changing-valid.patch new file mode 100644 index 00000000000..94ea557f1ec --- /dev/null +++ b/queue-4.14/iommu-arm-smmu-v3-use-write_once-when-changing-valid.patch @@ -0,0 +1,40 @@ +From ddcb6598b89d6cab888b8cdfa1b0a40f88749ae5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Jan 2020 15:21:47 +0000 +Subject: iommu/arm-smmu-v3: Use WRITE_ONCE() when changing validity of an STE + +From: Will Deacon + +[ Upstream commit d71e01716b3606a6648df7e5646ae12c75babde4 ] + +If, for some bizarre reason, the compiler decided to split up the write +of STE DWORD 0, we could end up making a partial structure valid. + +Although this probably won't happen, follow the example of the +context-descriptor code and use WRITE_ONCE() to ensure atomicity of the +write. + +Reported-by: Jean-Philippe Brucker +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/iommu/arm-smmu-v3.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/iommu/arm-smmu-v3.c b/drivers/iommu/arm-smmu-v3.c +index 09eb258a9a7de..29feafa8007fb 100644 +--- a/drivers/iommu/arm-smmu-v3.c ++++ b/drivers/iommu/arm-smmu-v3.c +@@ -1145,7 +1145,8 @@ static void arm_smmu_write_strtab_ent(struct arm_smmu_device *smmu, u32 sid, + } + + arm_smmu_sync_ste_for_sid(smmu, sid); +- dst[0] = cpu_to_le64(val); ++ /* See comment in arm_smmu_write_ctx_desc() */ ++ WRITE_ONCE(dst[0], cpu_to_le64(val)); + arm_smmu_sync_ste_for_sid(smmu, sid); + + /* It's likely that we'll want to use the new STE soon */ +-- +2.20.1 + diff --git a/queue-4.14/ipw2x00-fix-wcast-function-type.patch b/queue-4.14/ipw2x00-fix-wcast-function-type.patch new file mode 100644 index 00000000000..6c48b941378 --- /dev/null +++ b/queue-4.14/ipw2x00-fix-wcast-function-type.patch @@ -0,0 +1,81 @@ +From 2b4b11b716646ae908e3efed7d339f9c829210bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Nov 2019 00:55:27 +0700 +Subject: ipw2x00: Fix -Wcast-function-type + +From: Phong Tran + +[ Upstream commit ebd77feb27e91bb5fe35a7818b7c13ea7435fb98 ] + +correct usage prototype of callback in tasklet_init(). +Report by https://github.com/KSPP/linux/issues/20 + +Signed-off-by: Phong Tran +Reviewed-by: Kees Cook +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/ipw2x00/ipw2100.c | 7 ++++--- + drivers/net/wireless/intel/ipw2x00/ipw2200.c | 5 +++-- + 2 files changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/intel/ipw2x00/ipw2100.c b/drivers/net/wireless/intel/ipw2x00/ipw2100.c +index 19c442cb93e4a..8fbdd7d4fd0c2 100644 +--- a/drivers/net/wireless/intel/ipw2x00/ipw2100.c ++++ b/drivers/net/wireless/intel/ipw2x00/ipw2100.c +@@ -3220,8 +3220,9 @@ static void ipw2100_tx_send_data(struct ipw2100_priv *priv) + } + } + +-static void ipw2100_irq_tasklet(struct ipw2100_priv *priv) ++static void ipw2100_irq_tasklet(unsigned long data) + { ++ struct ipw2100_priv *priv = (struct ipw2100_priv *)data; + struct net_device *dev = priv->net_dev; + unsigned long flags; + u32 inta, tmp; +@@ -6027,7 +6028,7 @@ static void ipw2100_rf_kill(struct work_struct *work) + spin_unlock_irqrestore(&priv->low_lock, flags); + } + +-static void ipw2100_irq_tasklet(struct ipw2100_priv *priv); ++static void ipw2100_irq_tasklet(unsigned long data); + + static const struct net_device_ops ipw2100_netdev_ops = { + .ndo_open = ipw2100_open, +@@ -6157,7 +6158,7 @@ static struct net_device *ipw2100_alloc_device(struct pci_dev *pci_dev, + INIT_DELAYED_WORK(&priv->rf_kill, ipw2100_rf_kill); + INIT_DELAYED_WORK(&priv->scan_event, ipw2100_scan_event); + +- tasklet_init(&priv->irq_tasklet, (void (*)(unsigned long)) ++ tasklet_init(&priv->irq_tasklet, + ipw2100_irq_tasklet, (unsigned long)priv); + + /* NOTE: We do not start the deferred work for status checks yet */ +diff --git a/drivers/net/wireless/intel/ipw2x00/ipw2200.c b/drivers/net/wireless/intel/ipw2x00/ipw2200.c +index 8da87496cb587..2d0734ab3f747 100644 +--- a/drivers/net/wireless/intel/ipw2x00/ipw2200.c ++++ b/drivers/net/wireless/intel/ipw2x00/ipw2200.c +@@ -1966,8 +1966,9 @@ static void notify_wx_assoc_event(struct ipw_priv *priv) + wireless_send_event(priv->net_dev, SIOCGIWAP, &wrqu, NULL); + } + +-static void ipw_irq_tasklet(struct ipw_priv *priv) ++static void ipw_irq_tasklet(unsigned long data) + { ++ struct ipw_priv *priv = (struct ipw_priv *)data; + u32 inta, inta_mask, handled = 0; + unsigned long flags; + int rc = 0; +@@ -10702,7 +10703,7 @@ static int ipw_setup_deferred_work(struct ipw_priv *priv) + INIT_WORK(&priv->qos_activate, ipw_bg_qos_activate); + #endif /* CONFIG_IPW2200_QOS */ + +- tasklet_init(&priv->irq_tasklet, (void (*)(unsigned long)) ++ tasklet_init(&priv->irq_tasklet, + ipw_irq_tasklet, (unsigned long)priv); + + return ret; +-- +2.20.1 + diff --git a/queue-4.14/irqchip-gic-v3-its-reference-to-its_invall_cmd-descr.patch b/queue-4.14/irqchip-gic-v3-its-reference-to-its_invall_cmd-descr.patch new file mode 100644 index 00000000000..552415972fe --- /dev/null +++ b/queue-4.14/irqchip-gic-v3-its-reference-to-its_invall_cmd-descr.patch @@ -0,0 +1,40 @@ +From 67efc921ce3f8a9666f7820085a82306f67f3287 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Dec 2019 15:10:21 +0800 +Subject: irqchip/gic-v3-its: Reference to its_invall_cmd descriptor when + building INVALL + +From: Zenghui Yu + +[ Upstream commit 107945227ac5d4c37911c7841b27c64b489ce9a9 ] + +It looks like an obvious mistake to use its_mapc_cmd descriptor when +building the INVALL command block. It so far worked by luck because +both its_mapc_cmd.col and its_invall_cmd.col sit at the same offset of +the ITS command descriptor, but we should not rely on it. + +Fixes: cc2d3216f53c ("irqchip: GICv3: ITS command queue") +Signed-off-by: Zenghui Yu +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20191202071021.1251-1-yuzenghui@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-gic-v3-its.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c +index 52238e6bed392..799df1e598db3 100644 +--- a/drivers/irqchip/irq-gic-v3-its.c ++++ b/drivers/irqchip/irq-gic-v3-its.c +@@ -527,7 +527,7 @@ static struct its_collection *its_build_invall_cmd(struct its_cmd_block *cmd, + struct its_cmd_desc *desc) + { + its_encode_cmd(cmd, GITS_CMD_INVALL); +- its_encode_collection(cmd, desc->its_mapc_cmd.col->col_id); ++ its_encode_collection(cmd, desc->its_invall_cmd.col->col_id); + + its_fixup_cmd(cmd); + +-- +2.20.1 + diff --git a/queue-4.14/irqchip-gic-v3-only-provision-redistributors-that-ar.patch b/queue-4.14/irqchip-gic-v3-only-provision-redistributors-that-ar.patch new file mode 100644 index 00000000000..302c69adbab --- /dev/null +++ b/queue-4.14/irqchip-gic-v3-only-provision-redistributors-that-ar.patch @@ -0,0 +1,71 @@ +From aadb10ae717c3c5777e2cf866b983af0a2c9a745 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Dec 2019 11:24:57 +0000 +Subject: irqchip/gic-v3: Only provision redistributors that are enabled in + ACPI + +From: Marc Zyngier + +[ Upstream commit 926b5dfa6b8dc666ff398044af6906b156e1d949 ] + +We currently allocate redistributor region structures for +individual redistributors when ACPI doesn't present us with +compact MMIO regions covering multiple redistributors. + +It turns out that we allocate these structures even when +the redistributor is flagged as disabled by ACPI. It works +fine until someone actually tries to tarse one of these +structures, and access the corresponding MMIO region. + +Instead, track the number of enabled redistributors, and +only allocate what is required. This makes sure that there +is no invalid data to misuse. + +Signed-off-by: Marc Zyngier +Reported-by: Heyi Guo +Tested-by: Heyi Guo +Link: https://lore.kernel.org/r/20191216062745.63397-1-guoheyi@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-gic-v3.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/irqchip/irq-gic-v3.c b/drivers/irqchip/irq-gic-v3.c +index 3d73746555876..730b3c1cf7f61 100644 +--- a/drivers/irqchip/irq-gic-v3.c ++++ b/drivers/irqchip/irq-gic-v3.c +@@ -1253,6 +1253,7 @@ static struct + struct redist_region *redist_regs; + u32 nr_redist_regions; + bool single_redist; ++ int enabled_rdists; + u32 maint_irq; + int maint_irq_mode; + phys_addr_t vcpu_base; +@@ -1347,8 +1348,10 @@ static int __init gic_acpi_match_gicc(struct acpi_subtable_header *header, + * If GICC is enabled and has valid gicr base address, then it means + * GICR base is presented via GICC + */ +- if ((gicc->flags & ACPI_MADT_ENABLED) && gicc->gicr_base_address) ++ if ((gicc->flags & ACPI_MADT_ENABLED) && gicc->gicr_base_address) { ++ acpi_data.enabled_rdists++; + return 0; ++ } + + /* + * It's perfectly valid firmware can pass disabled GICC entry, driver +@@ -1378,8 +1381,10 @@ static int __init gic_acpi_count_gicr_regions(void) + + count = acpi_table_parse_madt(ACPI_MADT_TYPE_GENERIC_INTERRUPT, + gic_acpi_match_gicc, 0); +- if (count > 0) ++ if (count > 0) { + acpi_data.single_redist = true; ++ count = acpi_data.enabled_rdists; ++ } + + return count; + } +-- +2.20.1 + diff --git a/queue-4.14/irqchip-mbigen-set-driver-.suppress_bind_attrs-to-av.patch b/queue-4.14/irqchip-mbigen-set-driver-.suppress_bind_attrs-to-av.patch new file mode 100644 index 00000000000..912de209ad5 --- /dev/null +++ b/queue-4.14/irqchip-mbigen-set-driver-.suppress_bind_attrs-to-av.patch @@ -0,0 +1,127 @@ +From a547e472fc6ddf759348c30ae52c90a5c01ae900 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Jan 2020 01:38:43 +0800 +Subject: irqchip/mbigen: Set driver .suppress_bind_attrs to avoid remove + problems + +From: John Garry + +[ Upstream commit d6152e6ec9e2171280436f7b31a571509b9287e1 ] + +The following crash can be seen for setting +CONFIG_DEBUG_TEST_DRIVER_REMOVE=y for DT FW (which some people still use): + +Hisilicon MBIGEN-V2 60080000.interrupt-controller: Failed to create mbi-gen irqdomain +Hisilicon MBIGEN-V2: probe of 60080000.interrupt-controller failed with error -12 + +[...] + +Unable to handle kernel paging request at virtual address 0000000000005008 + Mem abort info: + ESR = 0x96000004 + EC = 0x25: DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + Data abort info: + ISV = 0, ISS = 0x00000004 + CM = 0, WnR = 0 + user pgtable: 4k pages, 48-bit VAs, pgdp=0000041fb9990000 + [0000000000005008] pgd=0000000000000000 + Internal error: Oops: 96000004 [#1] PREEMPT SMP + Modules linked in: + CPU: 7 PID: 1 Comm: swapper/0 Not tainted 5.5.0-rc6-00002-g3fc42638a506-dirty #1622 + Hardware name: Huawei Taishan 2280 /D05, BIOS Hisilicon D05 IT21 Nemo 2.0 RC0 04/18/2018 + pstate: 40000085 (nZcv daIf -PAN -UAO) + pc : mbigen_set_type+0x38/0x60 + lr : __irq_set_trigger+0x6c/0x188 + sp : ffff800014b4b400 + x29: ffff800014b4b400 x28: 0000000000000007 + x27: 0000000000000000 x26: 0000000000000000 + x25: ffff041fd83bd0d4 x24: ffff041fd83bd188 + x23: 0000000000000000 x22: ffff80001193ce00 + x21: 0000000000000004 x20: 0000000000000000 + x19: ffff041fd83bd000 x18: ffffffffffffffff + x17: 0000000000000000 x16: 0000000000000000 + x15: ffff8000119098c8 x14: ffff041fb94ec91c + x13: ffff041fb94ec1a1 x12: 0000000000000030 + x11: 0101010101010101 x10: 0000000000000040 + x9 : 0000000000000000 x8 : ffff041fb98c6680 + x7 : ffff800014b4b380 x6 : ffff041fd81636c8 + x5 : 0000000000000000 x4 : 000000000000025f + x3 : 0000000000005000 x2 : 0000000000005008 + x1 : 0000000000000004 x0 : 0000000080000000 + Call trace: + mbigen_set_type+0x38/0x60 + __setup_irq+0x744/0x900 + request_threaded_irq+0xe0/0x198 + pcie_pme_probe+0x98/0x118 + pcie_port_probe_service+0x38/0x78 + really_probe+0xa0/0x3e0 + driver_probe_device+0x58/0x100 + __device_attach_driver+0x90/0xb0 + bus_for_each_drv+0x64/0xc8 + __device_attach+0xd8/0x138 + device_initial_probe+0x10/0x18 + bus_probe_device+0x90/0x98 + device_add+0x4c4/0x770 + device_register+0x1c/0x28 + pcie_port_device_register+0x1e4/0x4f0 + pcie_portdrv_probe+0x34/0xd8 + local_pci_probe+0x3c/0xa0 + pci_device_probe+0x128/0x1c0 + really_probe+0xa0/0x3e0 + driver_probe_device+0x58/0x100 + __device_attach_driver+0x90/0xb0 + bus_for_each_drv+0x64/0xc8 + __device_attach+0xd8/0x138 + device_attach+0x10/0x18 + pci_bus_add_device+0x4c/0xb8 + pci_bus_add_devices+0x38/0x88 + pci_host_probe+0x3c/0xc0 + pci_host_common_probe+0xf0/0x208 + hisi_pcie_almost_ecam_probe+0x24/0x30 + platform_drv_probe+0x50/0xa0 + really_probe+0xa0/0x3e0 + driver_probe_device+0x58/0x100 + device_driver_attach+0x6c/0x90 + __driver_attach+0x84/0xc8 + bus_for_each_dev+0x74/0xc8 + driver_attach+0x20/0x28 + bus_add_driver+0x148/0x1f0 + driver_register+0x60/0x110 + __platform_driver_register+0x40/0x48 + hisi_pcie_almost_ecam_driver_init+0x1c/0x24 + +The specific problem here is that the mbigen driver real probe has failed +as the mbigen_of_create_domain()->of_platform_device_create() call fails, +the reason for that being that we never destroyed the platform device +created during the remove test dry run and there is some conflict. + +Since we generally would never want to unbind this driver, and to save +adding a driver tear down path for that, just set the driver +.suppress_bind_attrs member to avoid this possibility. + +Signed-off-by: John Garry +Signed-off-by: Marc Zyngier +Reviewed-by: Hanjun Guo +Link: https://lore.kernel.org/r/1579196323-180137-1-git-send-email-john.garry@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-mbigen.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/irqchip/irq-mbigen.c b/drivers/irqchip/irq-mbigen.c +index 98b6e1d4b1a68..f7fdbf5d183b9 100644 +--- a/drivers/irqchip/irq-mbigen.c ++++ b/drivers/irqchip/irq-mbigen.c +@@ -381,6 +381,7 @@ static struct platform_driver mbigen_platform_driver = { + .name = "Hisilicon MBIGEN-V2", + .of_match_table = mbigen_of_match, + .acpi_match_table = ACPI_PTR(mbigen_acpi_match), ++ .suppress_bind_attrs = true, + }, + .probe = mbigen_device_probe, + }; +-- +2.20.1 + diff --git a/queue-4.14/isdn-don-t-mark-kcapi_proc_exit-as-__exit.patch b/queue-4.14/isdn-don-t-mark-kcapi_proc_exit-as-__exit.patch new file mode 100644 index 00000000000..048efd38c64 --- /dev/null +++ b/queue-4.14/isdn-don-t-mark-kcapi_proc_exit-as-__exit.patch @@ -0,0 +1,49 @@ +From 04540637574e142875cee91146cdd9324b381819 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Dec 2019 20:48:56 +0100 +Subject: isdn: don't mark kcapi_proc_exit as __exit + +From: Arnd Bergmann + +[ Upstream commit b33bdf8020c94438269becc6dace9ed49257c4ba ] + +As everybody pointed out by now, my patch to clean up CAPI introduced +a link time warning, as the two parts of the capi driver are now in +one module and the exit function may need to be called in the error +path of the init function: + +>> WARNING: drivers/isdn/capi/kernelcapi.o(.text+0xea4): Section mismatch in reference from the function kcapi_exit() to the function .exit.text:kcapi_proc_exit() + The function kcapi_exit() references a function in an exit section. + Often the function kcapi_proc_exit() has valid usage outside the exit section + and the fix is to remove the __exit annotation of kcapi_proc_exit. + +Remove the incorrect __exit annotation. + +Reported-by: kbuild test robot +Reported-by: kernelci.org bot +Reported-by: Olof's autobuilder +Reported-by: Stephen Rothwell +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20191216194909.1983639-1-arnd@arndb.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/isdn/capi/kcapi_proc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/isdn/capi/kcapi_proc.c b/drivers/isdn/capi/kcapi_proc.c +index 68db3c5a10636..d6ca626219c93 100644 +--- a/drivers/isdn/capi/kcapi_proc.c ++++ b/drivers/isdn/capi/kcapi_proc.c +@@ -309,7 +309,7 @@ kcapi_proc_init(void) + proc_create("capi/driver", 0, NULL, &proc_driver_ops); + } + +-void __exit ++void + kcapi_proc_exit(void) + { + remove_proc_entry("capi/driver", NULL); +-- +2.20.1 + diff --git a/queue-4.14/iwlegacy-ensure-loop-counter-addr-does-not-wrap-and-.patch b/queue-4.14/iwlegacy-ensure-loop-counter-addr-does-not-wrap-and-.patch new file mode 100644 index 00000000000..1f4a344643e --- /dev/null +++ b/queue-4.14/iwlegacy-ensure-loop-counter-addr-does-not-wrap-and-.patch @@ -0,0 +1,42 @@ +From 6c9eb12726dbde5f4bc70b3263eab371f7d29abf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Jan 2020 00:09:54 +0000 +Subject: iwlegacy: ensure loop counter addr does not wrap and cause an + infinite loop + +From: Colin Ian King + +[ Upstream commit c2f9a4e4a5abfc84c01b738496b3fd2d471e0b18 ] + +The loop counter addr is a u16 where as the upper limit of the loop +is an int. In the unlikely event that the il->cfg->eeprom_size is +greater than 64K then we end up with an infinite loop since addr will +wrap around an never reach upper loop limit. Fix this by making addr +an int. + +Addresses-Coverity: ("Infinite loop") +Fixes: be663ab67077 ("iwlwifi: split the drivers for agn and legacy devices 3945/4965") +Signed-off-by: Colin Ian King +Acked-by: Stanislaw Gruszka +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlegacy/common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlegacy/common.c b/drivers/net/wireless/intel/iwlegacy/common.c +index 8d5acda92a9b8..6e6b124f0d5e3 100644 +--- a/drivers/net/wireless/intel/iwlegacy/common.c ++++ b/drivers/net/wireless/intel/iwlegacy/common.c +@@ -717,7 +717,7 @@ il_eeprom_init(struct il_priv *il) + u32 gp = _il_rd(il, CSR_EEPROM_GP); + int sz; + int ret; +- u16 addr; ++ int addr; + + /* allocate eeprom */ + sz = il->cfg->eeprom_size; +-- +2.20.1 + diff --git a/queue-4.14/iwlegacy-fix-wcast-function-type.patch b/queue-4.14/iwlegacy-fix-wcast-function-type.patch new file mode 100644 index 00000000000..85774574ec8 --- /dev/null +++ b/queue-4.14/iwlegacy-fix-wcast-function-type.patch @@ -0,0 +1,72 @@ +From dcdc830a057da07e376ac43e560ab88ae5c965f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Nov 2019 00:55:28 +0700 +Subject: iwlegacy: Fix -Wcast-function-type + +From: Phong Tran + +[ Upstream commit da5e57e8a6a3e69dac2937ba63fa86355628fbb2 ] + +correct usage prototype of callback in tasklet_init(). +Report by https://github.com/KSPP/linux/issues/20 + +Signed-off-by: Phong Tran +Reviewed-by: Kees Cook +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlegacy/3945-mac.c | 5 +++-- + drivers/net/wireless/intel/iwlegacy/4965-mac.c | 5 +++-- + 2 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlegacy/3945-mac.c b/drivers/net/wireless/intel/iwlegacy/3945-mac.c +index 329f3a63dadd6..0fb81151a1327 100644 +--- a/drivers/net/wireless/intel/iwlegacy/3945-mac.c ++++ b/drivers/net/wireless/intel/iwlegacy/3945-mac.c +@@ -1399,8 +1399,9 @@ il3945_dump_nic_error_log(struct il_priv *il) + } + + static void +-il3945_irq_tasklet(struct il_priv *il) ++il3945_irq_tasklet(unsigned long data) + { ++ struct il_priv *il = (struct il_priv *)data; + u32 inta, handled = 0; + u32 inta_fh; + unsigned long flags; +@@ -3432,7 +3433,7 @@ il3945_setup_deferred_work(struct il_priv *il) + setup_timer(&il->watchdog, il_bg_watchdog, (unsigned long)il); + + tasklet_init(&il->irq_tasklet, +- (void (*)(unsigned long))il3945_irq_tasklet, ++ il3945_irq_tasklet, + (unsigned long)il); + } + +diff --git a/drivers/net/wireless/intel/iwlegacy/4965-mac.c b/drivers/net/wireless/intel/iwlegacy/4965-mac.c +index de9b6522c43f5..665e82effb03d 100644 +--- a/drivers/net/wireless/intel/iwlegacy/4965-mac.c ++++ b/drivers/net/wireless/intel/iwlegacy/4965-mac.c +@@ -4363,8 +4363,9 @@ il4965_synchronize_irq(struct il_priv *il) + } + + static void +-il4965_irq_tasklet(struct il_priv *il) ++il4965_irq_tasklet(unsigned long data) + { ++ struct il_priv *il = (struct il_priv *)data; + u32 inta, handled = 0; + u32 inta_fh; + unsigned long flags; +@@ -6264,7 +6265,7 @@ il4965_setup_deferred_work(struct il_priv *il) + setup_timer(&il->watchdog, il_bg_watchdog, (unsigned long)il); + + tasklet_init(&il->irq_tasklet, +- (void (*)(unsigned long))il4965_irq_tasklet, ++ il4965_irq_tasklet, + (unsigned long)il); + } + +-- +2.20.1 + diff --git a/queue-4.14/iwlwifi-mvm-fix-thermal-zone-registration.patch b/queue-4.14/iwlwifi-mvm-fix-thermal-zone-registration.patch new file mode 100644 index 00000000000..cc44949ecaf --- /dev/null +++ b/queue-4.14/iwlwifi-mvm-fix-thermal-zone-registration.patch @@ -0,0 +1,64 @@ +From 396e9dc36c84bcfe9fa2c11ec34220031615b0b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Jan 2020 15:45:24 +0200 +Subject: iwlwifi: mvm: Fix thermal zone registration + +From: Andrei Otcheretianski + +[ Upstream commit baa6cf8450b72dcab11f37c47efce7c5b9b8ad0f ] + +Use a unique name when registering a thermal zone. Otherwise, with +multiple NICS, we hit the following warning during the unregistration. + +WARNING: CPU: 2 PID: 3525 at fs/sysfs/group.c:255 + RIP: 0010:sysfs_remove_group+0x80/0x90 + Call Trace: + dpm_sysfs_remove+0x57/0x60 + device_del+0x5a/0x350 + ? sscanf+0x4e/0x70 + device_unregister+0x1a/0x60 + hwmon_device_unregister+0x4a/0xa0 + thermal_remove_hwmon_sysfs+0x175/0x1d0 + thermal_zone_device_unregister+0x188/0x1e0 + iwl_mvm_thermal_exit+0xe7/0x100 [iwlmvm] + iwl_op_mode_mvm_stop+0x27/0x180 [iwlmvm] + _iwl_op_mode_stop.isra.3+0x2b/0x50 [iwlwifi] + iwl_opmode_deregister+0x90/0xa0 [iwlwifi] + __exit_compat+0x10/0x2c7 [iwlmvm] + __x64_sys_delete_module+0x13f/0x270 + do_syscall_64+0x5a/0x110 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Signed-off-by: Andrei Otcheretianski +Signed-off-by: Luca Coelho +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/tt.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/tt.c b/drivers/net/wireless/intel/iwlwifi/mvm/tt.c +index 1232f63278eb6..319103f4b432e 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/tt.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tt.c +@@ -739,7 +739,8 @@ static struct thermal_zone_device_ops tzone_ops = { + static void iwl_mvm_thermal_zone_register(struct iwl_mvm *mvm) + { + int i; +- char name[] = "iwlwifi"; ++ char name[16]; ++ static atomic_t counter = ATOMIC_INIT(0); + + if (!iwl_mvm_is_tt_in_fw(mvm)) { + mvm->tz_device.tzone = NULL; +@@ -749,6 +750,7 @@ static void iwl_mvm_thermal_zone_register(struct iwl_mvm *mvm) + + BUILD_BUG_ON(ARRAY_SIZE(name) >= THERMAL_NAME_LENGTH); + ++ sprintf(name, "iwlwifi_%u", atomic_inc_return(&counter) & 0xFF); + mvm->tz_device.tzone = thermal_zone_device_register(name, + IWL_MAX_DTS_TRIPS, + IWL_WRITABLE_TRIPS_MSK, +-- +2.20.1 + diff --git a/queue-4.14/jbd2-clear-jbd2_abort-flag-before-journal_reset-to-u.patch b/queue-4.14/jbd2-clear-jbd2_abort-flag-before-journal_reset-to-u.patch new file mode 100644 index 00000000000..59cc344abd3 --- /dev/null +++ b/queue-4.14/jbd2-clear-jbd2_abort-flag-before-journal_reset-to-u.patch @@ -0,0 +1,56 @@ +From e13acbbd4a9346f80e97e1d2cac7e0837160bce8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 11 Jan 2020 10:25:42 +0800 +Subject: jbd2: clear JBD2_ABORT flag before journal_reset to update log tail + info when load journal + +From: Kai Li + +[ Upstream commit a09decff5c32060639a685581c380f51b14e1fc2 ] + +If the journal is dirty when the filesystem is mounted, jbd2 will replay +the journal but the journal superblock will not be updated by +journal_reset() because JBD2_ABORT flag is still set (it was set in +journal_init_common()). This is problematic because when a new transaction +is then committed, it will be recorded in block 1 (journal->j_tail was set +to 1 in journal_reset()). If unclean shutdown happens again before the +journal superblock is updated, the new recorded transaction will not be +replayed during the next mount (because of stale sb->s_start and +sb->s_sequence values) which can lead to filesystem corruption. + +Fixes: 85e0c4e89c1b ("jbd2: if the journal is aborted then don't allow update of the log tail") +Signed-off-by: Kai Li +Link: https://lore.kernel.org/r/20200111022542.5008-1-li.kai4@h3c.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/jbd2/journal.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c +index d3cce5c86fd90..b72be822f04f2 100644 +--- a/fs/jbd2/journal.c ++++ b/fs/jbd2/journal.c +@@ -1687,6 +1687,11 @@ int jbd2_journal_load(journal_t *journal) + journal->j_devname); + return -EFSCORRUPTED; + } ++ /* ++ * clear JBD2_ABORT flag initialized in journal_init_common ++ * here to update log tail information with the newest seq. ++ */ ++ journal->j_flags &= ~JBD2_ABORT; + + /* OK, we've finished with the dynamic journal bits: + * reinitialise the dynamic contents of the superblock in memory +@@ -1694,7 +1699,6 @@ int jbd2_journal_load(journal_t *journal) + if (journal_reset(journal)) + goto recovery_error; + +- journal->j_flags &= ~JBD2_ABORT; + journal->j_flags |= JBD2_LOADED; + return 0; + +-- +2.20.1 + diff --git a/queue-4.14/jbd2-make-sure-eshutdown-to-be-recorded-in-the-journ.patch b/queue-4.14/jbd2-make-sure-eshutdown-to-be-recorded-in-the-journ.patch new file mode 100644 index 00000000000..67feb9c9673 --- /dev/null +++ b/queue-4.14/jbd2-make-sure-eshutdown-to-be-recorded-in-the-journ.patch @@ -0,0 +1,43 @@ +From 4dca49b0997bdebe2ccbcd21eab5aa8fef1341ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2019 20:46:13 +0800 +Subject: jbd2: make sure ESHUTDOWN to be recorded in the journal superblock + +From: zhangyi (F) + +[ Upstream commit 0e98c084a21177ef136149c6a293b3d1eb33ff92 ] + +Commit fb7c02445c49 ("ext4: pass -ESHUTDOWN code to jbd2 layer") want +to allow jbd2 layer to distinguish shutdown journal abort from other +error cases. So the ESHUTDOWN should be taken precedence over any other +errno which has already been recoded after EXT4_FLAGS_SHUTDOWN is set, +but it only update errno in the journal suoerblock now if the old errno +is 0. + +Fixes: fb7c02445c49 ("ext4: pass -ESHUTDOWN code to jbd2 layer") +Signed-off-by: zhangyi (F) +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20191204124614.45424-4-yi.zhang@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/jbd2/journal.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c +index eae9ced846d51..6e054b368b5fe 100644 +--- a/fs/jbd2/journal.c ++++ b/fs/jbd2/journal.c +@@ -2119,8 +2119,7 @@ static void __journal_abort_soft (journal_t *journal, int errno) + + if (journal->j_flags & JBD2_ABORT) { + write_unlock(&journal->j_state_lock); +- if (!old_errno && old_errno != -ESHUTDOWN && +- errno == -ESHUTDOWN) ++ if (old_errno != -ESHUTDOWN && errno == -ESHUTDOWN) + jbd2_journal_update_sb_errno(journal); + return; + } +-- +2.20.1 + diff --git a/queue-4.14/jbd2-switch-to-use-jbd2_journal_abort-when-failed-to.patch b/queue-4.14/jbd2-switch-to-use-jbd2_journal_abort-when-failed-to.patch new file mode 100644 index 00000000000..007b8382aca --- /dev/null +++ b/queue-4.14/jbd2-switch-to-use-jbd2_journal_abort-when-failed-to.patch @@ -0,0 +1,51 @@ +From 08f62a8f457f80acf5a6ec70351d1e26d84cd8f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2019 20:46:11 +0800 +Subject: jbd2: switch to use jbd2_journal_abort() when failed to submit the + commit record + +From: zhangyi (F) + +[ Upstream commit d0a186e0d3e7ac05cc77da7c157dae5aa59f95d9 ] + +We invoke jbd2_journal_abort() to abort the journal and record errno +in the jbd2 superblock when committing journal transaction besides the +failure on submitting the commit record. But there is no need for the +case and we can also invoke jbd2_journal_abort() instead of +__jbd2_journal_abort_hard(). + +Fixes: 818d276ceb83a ("ext4: Add the journal checksum feature") +Signed-off-by: zhangyi (F) +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20191204124614.45424-2-yi.zhang@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/jbd2/commit.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/jbd2/commit.c b/fs/jbd2/commit.c +index cb0da3d4adc04..1a4bd8d9636e8 100644 +--- a/fs/jbd2/commit.c ++++ b/fs/jbd2/commit.c +@@ -783,7 +783,7 @@ start_journal_io: + err = journal_submit_commit_record(journal, commit_transaction, + &cbh, crc32_sum); + if (err) +- __jbd2_journal_abort_hard(journal); ++ jbd2_journal_abort(journal, err); + } + + blk_finish_plug(&plug); +@@ -876,7 +876,7 @@ start_journal_io: + err = journal_submit_commit_record(journal, commit_transaction, + &cbh, crc32_sum); + if (err) +- __jbd2_journal_abort_hard(journal); ++ jbd2_journal_abort(journal, err); + } + if (cbh) + err = journal_wait_on_commit_record(journal, cbh); +-- +2.20.1 + diff --git a/queue-4.14/kconfig-fix-broken-dependency-in-randconfig-generate.patch b/queue-4.14/kconfig-fix-broken-dependency-in-randconfig-generate.patch new file mode 100644 index 00000000000..33ad6878ef8 --- /dev/null +++ b/queue-4.14/kconfig-fix-broken-dependency-in-randconfig-generate.patch @@ -0,0 +1,46 @@ +From c6d93d4b82bfc78aacb8770e700600d1f32690e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Feb 2020 14:03:11 +0900 +Subject: kconfig: fix broken dependency in randconfig-generated .config + +From: Masahiro Yamada + +[ Upstream commit c8fb7d7e48d11520ad24808cfce7afb7b9c9f798 ] + +Running randconfig on arm64 using KCONFIG_SEED=0x40C5E904 (e.g. on v5.5) +produces the .config with CONFIG_EFI=y and CONFIG_CPU_BIG_ENDIAN=y, +which does not meet the !CONFIG_CPU_BIG_ENDIAN dependency. + +This is because the user choice for CONFIG_CPU_LITTLE_ENDIAN vs +CONFIG_CPU_BIG_ENDIAN is set by randomize_choice_values() after the +value of CONFIG_EFI is calculated. + +When this happens, the has_changed flag should be set. + +Currently, it takes the result from the last iteration. It should +accumulate all the results of the loop. + +Fixes: 3b9a19e08960 ("kconfig: loop as long as we changed some symbols in randconfig") +Reported-by: Vincenzo Frascino +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/kconfig/confdata.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/kconfig/confdata.c b/scripts/kconfig/confdata.c +index 27aac273205ba..fa423fcd1a928 100644 +--- a/scripts/kconfig/confdata.c ++++ b/scripts/kconfig/confdata.c +@@ -1238,7 +1238,7 @@ bool conf_set_all_new_symbols(enum conf_def_mode mode) + + sym_calc_value(csym); + if (mode == def_random) +- has_changed = randomize_choice_values(csym); ++ has_changed |= randomize_choice_values(csym); + else { + set_all_choice_values(csym); + has_changed = true; +-- +2.20.1 + diff --git a/queue-4.14/kselftest-minimise-dependency-of-get_size-on-c-libra.patch b/queue-4.14/kselftest-minimise-dependency-of-get_size-on-c-libra.patch new file mode 100644 index 00000000000..1e5c23286bb --- /dev/null +++ b/queue-4.14/kselftest-minimise-dependency-of-get_size-on-c-libra.patch @@ -0,0 +1,113 @@ +From 0359690cd33068e4453d00ee69c2fb665b82e19c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jan 2020 22:11:58 +0530 +Subject: kselftest: Minimise dependency of get_size on C library interfaces + +From: Siddhesh Poyarekar + +[ Upstream commit 6b64a650f0b2ae3940698f401732988699eecf7a ] + +It was observed[1] on arm64 that __builtin_strlen led to an infinite +loop in the get_size selftest. This is because __builtin_strlen (and +other builtins) may sometimes result in a call to the C library +function. The C library implementation of strlen uses an IFUNC +resolver to load the most efficient strlen implementation for the +underlying machine and hence has a PLT indirection even for static +binaries. Because this binary avoids the C library startup routines, +the PLT initialization never happens and hence the program gets stuck +in an infinite loop. + +On x86_64 the __builtin_strlen just happens to expand inline and avoid +the call but that is not always guaranteed. + +Further, while testing on x86_64 (Fedora 31), it was observed that the +test also failed with a segfault inside write() because the generated +code for the write function in glibc seems to access TLS before the +syscall (probably due to the cancellation point check) and fails +because TLS is not initialised. + +To mitigate these problems, this patch reduces the interface with the +C library to just the syscall function. The syscall function still +sets errno on failure, which is undesirable but for now it only +affects cases where syscalls fail. + +[1] https://bugs.linaro.org/show_bug.cgi?id=5479 + +Signed-off-by: Siddhesh Poyarekar +Reported-by: Masami Hiramatsu +Tested-by: Masami Hiramatsu +Reviewed-by: Tim Bird +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/size/get_size.c | 24 ++++++++++++++++++------ + 1 file changed, 18 insertions(+), 6 deletions(-) + +diff --git a/tools/testing/selftests/size/get_size.c b/tools/testing/selftests/size/get_size.c +index d4b59ab979a09..f55943b6d1e2a 100644 +--- a/tools/testing/selftests/size/get_size.c ++++ b/tools/testing/selftests/size/get_size.c +@@ -12,23 +12,35 @@ + * own execution. It also attempts to have as few dependencies + * on kernel features as possible. + * +- * It should be statically linked, with startup libs avoided. +- * It uses no library calls, and only the following 3 syscalls: ++ * It should be statically linked, with startup libs avoided. It uses ++ * no library calls except the syscall() function for the following 3 ++ * syscalls: + * sysinfo(), write(), and _exit() + * + * For output, it avoids printf (which in some C libraries + * has large external dependencies) by implementing it's own + * number output and print routines, and using __builtin_strlen() ++ * ++ * The test may crash if any of the above syscalls fails because in some ++ * libc implementations (e.g. the GNU C Library) errno is saved in ++ * thread-local storage, which does not get initialized due to avoiding ++ * startup libs. + */ + + #include + #include ++#include + + #define STDOUT_FILENO 1 + + static int print(const char *s) + { +- return write(STDOUT_FILENO, s, __builtin_strlen(s)); ++ size_t len = 0; ++ ++ while (s[len] != '\0') ++ len++; ++ ++ return syscall(SYS_write, STDOUT_FILENO, s, len); + } + + static inline char *num_to_str(unsigned long num, char *buf, int len) +@@ -80,12 +92,12 @@ void _start(void) + print("TAP version 13\n"); + print("# Testing system size.\n"); + +- ccode = sysinfo(&info); ++ ccode = syscall(SYS_sysinfo, &info); + if (ccode < 0) { + print("not ok 1"); + print(test_name); + print(" ---\n reason: \"could not get sysinfo\"\n ...\n"); +- _exit(ccode); ++ syscall(SYS_exit, ccode); + } + print("ok 1"); + print(test_name); +@@ -101,5 +113,5 @@ void _start(void) + print(" ...\n"); + print("1..1\n"); + +- _exit(0); ++ syscall(SYS_exit, 0); + } +-- +2.20.1 + diff --git a/queue-4.14/kvm-s390-enotsupp-eopnotsupp-fixups.patch b/queue-4.14/kvm-s390-enotsupp-eopnotsupp-fixups.patch new file mode 100644 index 00000000000..a4e9caf997c --- /dev/null +++ b/queue-4.14/kvm-s390-enotsupp-eopnotsupp-fixups.patch @@ -0,0 +1,56 @@ +From a132bfec2b5020b27fc496595e1f5b6c11939c63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Dec 2019 07:40:43 -0500 +Subject: KVM: s390: ENOTSUPP -> EOPNOTSUPP fixups + +From: Christian Borntraeger + +[ Upstream commit c611990844c28c61ca4b35ff69d3a2ae95ccd486 ] + +There is no ENOTSUPP for userspace. + +Reported-by: Julian Wiedmann +Fixes: 519783935451 ("KVM: s390: introduce ais mode modify function") +Fixes: 2c1a48f2e5ed ("KVM: S390: add new group for flic") +Reviewed-by: Cornelia Huck +Reviewed-by: Thomas Huth +Signed-off-by: Christian Borntraeger +Signed-off-by: Sasha Levin +--- + arch/s390/kvm/interrupt.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/s390/kvm/interrupt.c b/arch/s390/kvm/interrupt.c +index 28f3796d23c8f..61d25e2c82efa 100644 +--- a/arch/s390/kvm/interrupt.c ++++ b/arch/s390/kvm/interrupt.c +@@ -1913,7 +1913,7 @@ static int flic_ais_mode_get_all(struct kvm *kvm, struct kvm_device_attr *attr) + return -EINVAL; + + if (!test_kvm_facility(kvm, 72)) +- return -ENOTSUPP; ++ return -EOPNOTSUPP; + + mutex_lock(&fi->ais_lock); + ais.simm = fi->simm; +@@ -2214,7 +2214,7 @@ static int modify_ais_mode(struct kvm *kvm, struct kvm_device_attr *attr) + int ret = 0; + + if (!test_kvm_facility(kvm, 72)) +- return -ENOTSUPP; ++ return -EOPNOTSUPP; + + if (copy_from_user(&req, (void __user *)attr->addr, sizeof(req))) + return -EFAULT; +@@ -2294,7 +2294,7 @@ static int flic_ais_mode_set_all(struct kvm *kvm, struct kvm_device_attr *attr) + struct kvm_s390_ais_all ais; + + if (!test_kvm_facility(kvm, 72)) +- return -ENOTSUPP; ++ return -EOPNOTSUPP; + + if (copy_from_user(&ais, (void __user *)attr->addr, sizeof(ais))) + return -EFAULT; +-- +2.20.1 + diff --git a/queue-4.14/leds-pca963x-fix-open-drain-initialization.patch b/queue-4.14/leds-pca963x-fix-open-drain-initialization.patch new file mode 100644 index 00000000000..7f84febaafa --- /dev/null +++ b/queue-4.14/leds-pca963x-fix-open-drain-initialization.patch @@ -0,0 +1,69 @@ +From bf68564a87393610d5059ec07a7fc95c6f204fd0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Nov 2019 23:02:55 +0200 +Subject: leds: pca963x: Fix open-drain initialization + +From: Zahari Petkov + +[ Upstream commit 697529091ac7a0a90ca349b914bb30641c13c753 ] + +Before commit bb29b9cccd95 ("leds: pca963x: Add bindings to invert +polarity") Mode register 2 was initialized directly with either 0x01 +or 0x05 for open-drain or totem pole (push-pull) configuration. + +Afterwards, MODE2 initialization started using bitwise operations on +top of the default MODE2 register value (0x05). Using bitwise OR for +setting OUTDRV with 0x01 and 0x05 does not produce correct results. +When open-drain is used, instead of setting OUTDRV to 0, the driver +keeps it as 1: + +Open-drain: 0x05 | 0x01 -> 0x05 (0b101 - incorrect) +Totem pole: 0x05 | 0x05 -> 0x05 (0b101 - correct but still wrong) + +Now OUTDRV setting uses correct bitwise operations for initialization: + +Open-drain: 0x05 & ~0x04 -> 0x01 (0b001 - correct) +Totem pole: 0x05 | 0x04 -> 0x05 (0b101 - correct) + +Additional MODE2 register definitions are introduced now as well. + +Fixes: bb29b9cccd95 ("leds: pca963x: Add bindings to invert polarity") +Signed-off-by: Zahari Petkov +Signed-off-by: Pavel Machek +Signed-off-by: Sasha Levin +--- + drivers/leds/leds-pca963x.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/leds/leds-pca963x.c b/drivers/leds/leds-pca963x.c +index 3bf9a12718192..88c7313cf8693 100644 +--- a/drivers/leds/leds-pca963x.c ++++ b/drivers/leds/leds-pca963x.c +@@ -43,6 +43,8 @@ + #define PCA963X_LED_PWM 0x2 /* Controlled through PWM */ + #define PCA963X_LED_GRP_PWM 0x3 /* Controlled through PWM/GRPPWM */ + ++#define PCA963X_MODE2_OUTDRV 0x04 /* Open-drain or totem pole */ ++#define PCA963X_MODE2_INVRT 0x10 /* Normal or inverted direction */ + #define PCA963X_MODE2_DMBLNK 0x20 /* Enable blinking */ + + #define PCA963X_MODE1 0x00 +@@ -462,12 +464,12 @@ static int pca963x_probe(struct i2c_client *client, + PCA963X_MODE2); + /* Configure output: open-drain or totem pole (push-pull) */ + if (pdata->outdrv == PCA963X_OPEN_DRAIN) +- mode2 |= 0x01; ++ mode2 &= ~PCA963X_MODE2_OUTDRV; + else +- mode2 |= 0x05; ++ mode2 |= PCA963X_MODE2_OUTDRV; + /* Configure direction: normal or inverted */ + if (pdata->dir == PCA963X_INVERTED) +- mode2 |= 0x10; ++ mode2 |= PCA963X_MODE2_INVRT; + i2c_smbus_write_byte_data(pca963x->chip->client, PCA963X_MODE2, + mode2); + } +-- +2.20.1 + diff --git a/queue-4.14/lib-scatterlist.c-adjust-indentation-in-__sg_alloc_t.patch b/queue-4.14/lib-scatterlist.c-adjust-indentation-in-__sg_alloc_t.patch new file mode 100644 index 00000000000..9d51d217078 --- /dev/null +++ b/queue-4.14/lib-scatterlist.c-adjust-indentation-in-__sg_alloc_t.patch @@ -0,0 +1,51 @@ +From 42be9eb4982095bf43f43282b6b6ce8719b636ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jan 2020 22:16:37 -0800 +Subject: lib/scatterlist.c: adjust indentation in __sg_alloc_table + +From: Nathan Chancellor + +[ Upstream commit 4e456fee215677584cafa7f67298a76917e89c64 ] + +Clang warns: + + ../lib/scatterlist.c:314:5: warning: misleading indentation; statement + is not part of the previous 'if' [-Wmisleading-indentation] + return -ENOMEM; + ^ + ../lib/scatterlist.c:311:4: note: previous statement is here + if (prv) + ^ + 1 warning generated. + +This warning occurs because there is a space before the tab on this +line. Remove it so that the indentation is consistent with the Linux +kernel coding style and clang no longer warns. + +Link: http://lkml.kernel.org/r/20191218033606.11942-1-natechancellor@gmail.com +Link: https://github.com/ClangBuiltLinux/linux/issues/830 +Fixes: edce6820a9fd ("scatterlist: prevent invalid free when alloc fails") +Signed-off-by: Nathan Chancellor +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + lib/scatterlist.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/scatterlist.c b/lib/scatterlist.c +index 11fce289d1166..834c846c5af84 100644 +--- a/lib/scatterlist.c ++++ b/lib/scatterlist.c +@@ -317,7 +317,7 @@ int __sg_alloc_table(struct sg_table *table, unsigned int nents, + if (prv) + table->nents = ++table->orig_nents; + +- return -ENOMEM; ++ return -ENOMEM; + } + + sg_init_table(sg, alloc_size); +-- +2.20.1 + diff --git a/queue-4.14/media-i2c-mt9v032-fix-enum-mbus-codes-and-frame-size.patch b/queue-4.14/media-i2c-mt9v032-fix-enum-mbus-codes-and-frame-size.patch new file mode 100644 index 00000000000..8a84c23e763 --- /dev/null +++ b/queue-4.14/media-i2c-mt9v032-fix-enum-mbus-codes-and-frame-size.patch @@ -0,0 +1,63 @@ +From 9c542eb5f491c6fe2e572bb382e4536fb148367b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Nov 2019 08:55:24 +0100 +Subject: media: i2c: mt9v032: fix enum mbus codes and frame sizes + +From: Eugen Hristev + +[ Upstream commit 1451d5ae351d938a0ab1677498c893f17b9ee21d ] + +This driver supports both the mt9v032 (color) and the mt9v022 (mono) +sensors. Depending on which sensor is used, the format from the sensor is +different. The format.code inside the dev struct holds this information. +The enum mbus and enum frame sizes need to take into account both type of +sensors, not just the color one. To solve this, use the format.code in +these functions instead of the hardcoded bayer color format (which is only +used for mt9v032). + +[Sakari Ailus: rewrapped commit message] + +Suggested-by: Wenyou Yang +Signed-off-by: Eugen Hristev +Reviewed-by: Laurent Pinchart +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/mt9v032.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/i2c/mt9v032.c b/drivers/media/i2c/mt9v032.c +index 8a430640c85d5..1a20d0d558d3e 100644 +--- a/drivers/media/i2c/mt9v032.c ++++ b/drivers/media/i2c/mt9v032.c +@@ -423,10 +423,12 @@ static int mt9v032_enum_mbus_code(struct v4l2_subdev *subdev, + struct v4l2_subdev_pad_config *cfg, + struct v4l2_subdev_mbus_code_enum *code) + { ++ struct mt9v032 *mt9v032 = to_mt9v032(subdev); ++ + if (code->index > 0) + return -EINVAL; + +- code->code = MEDIA_BUS_FMT_SGRBG10_1X10; ++ code->code = mt9v032->format.code; + return 0; + } + +@@ -434,7 +436,11 @@ static int mt9v032_enum_frame_size(struct v4l2_subdev *subdev, + struct v4l2_subdev_pad_config *cfg, + struct v4l2_subdev_frame_size_enum *fse) + { +- if (fse->index >= 3 || fse->code != MEDIA_BUS_FMT_SGRBG10_1X10) ++ struct mt9v032 *mt9v032 = to_mt9v032(subdev); ++ ++ if (fse->index >= 3) ++ return -EINVAL; ++ if (mt9v032->format.code != fse->code) + return -EINVAL; + + fse->min_width = MT9V032_WINDOW_WIDTH_DEF / (1 << fse->index); +-- +2.20.1 + diff --git a/queue-4.14/media-sti-bdisp-fix-a-possible-sleep-in-atomic-conte.patch b/queue-4.14/media-sti-bdisp-fix-a-possible-sleep-in-atomic-conte.patch new file mode 100644 index 00000000000..fe208facdb3 --- /dev/null +++ b/queue-4.14/media-sti-bdisp-fix-a-possible-sleep-in-atomic-conte.patch @@ -0,0 +1,60 @@ +From e1713de866ceb0049d50303ce3cb82755467bb0d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Dec 2019 11:34:01 +0100 +Subject: media: sti: bdisp: fix a possible sleep-in-atomic-context bug in + bdisp_device_run() + +From: Jia-Ju Bai + +[ Upstream commit bb6d42061a05d71dd73f620582d9e09c8fbf7f5b ] + +The driver may sleep while holding a spinlock. +The function call path (from bottom to top) in Linux 4.19 is: + +drivers/media/platform/sti/bdisp/bdisp-hw.c, 385: + msleep in bdisp_hw_reset +drivers/media/platform/sti/bdisp/bdisp-v4l2.c, 341: + bdisp_hw_reset in bdisp_device_run +drivers/media/platform/sti/bdisp/bdisp-v4l2.c, 317: + _raw_spin_lock_irqsave in bdisp_device_run + +To fix this bug, msleep() is replaced with udelay(). + +This bug is found by a static analysis tool STCheck written by myself. + +Signed-off-by: Jia-Ju Bai +Reviewed-by: Fabien Dessenne +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/sti/bdisp/bdisp-hw.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/platform/sti/bdisp/bdisp-hw.c b/drivers/media/platform/sti/bdisp/bdisp-hw.c +index b7892f3efd988..5c4c3f0c57be1 100644 +--- a/drivers/media/platform/sti/bdisp/bdisp-hw.c ++++ b/drivers/media/platform/sti/bdisp/bdisp-hw.c +@@ -14,8 +14,8 @@ + #define MAX_SRC_WIDTH 2048 + + /* Reset & boot poll config */ +-#define POLL_RST_MAX 50 +-#define POLL_RST_DELAY_MS 20 ++#define POLL_RST_MAX 500 ++#define POLL_RST_DELAY_MS 2 + + enum bdisp_target_plan { + BDISP_RGB, +@@ -382,7 +382,7 @@ int bdisp_hw_reset(struct bdisp_dev *bdisp) + for (i = 0; i < POLL_RST_MAX; i++) { + if (readl(bdisp->regs + BLT_STA1) & BLT_STA1_IDLE) + break; +- msleep(POLL_RST_DELAY_MS); ++ udelay(POLL_RST_DELAY_MS * 1000); + } + if (i == POLL_RST_MAX) + dev_err(bdisp->dev, "Reset timeout\n"); +-- +2.20.1 + diff --git a/queue-4.14/media-v4l2-device.h-explicitly-compare-grp-id-mask-t.patch b/queue-4.14/media-v4l2-device.h-explicitly-compare-grp-id-mask-t.patch new file mode 100644 index 00000000000..d9b6a54a9cf --- /dev/null +++ b/queue-4.14/media-v4l2-device.h-explicitly-compare-grp-id-mask-t.patch @@ -0,0 +1,94 @@ +From dd36d7d6712ea050970de2adba83d88bcae4463e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Dec 2019 22:11:40 +0100 +Subject: media: v4l2-device.h: Explicitly compare grp{id,mask} to zero in + v4l2_device macros + +From: Nathan Chancellor + +[ Upstream commit afb34781620274236bd9fc9246e22f6963ef5262 ] + +When building with Clang + -Wtautological-constant-compare, several of +the ivtv and cx18 drivers warn along the lines of: + + drivers/media/pci/cx18/cx18-driver.c:1005:21: warning: converting the + result of '<<' to a boolean always evaluates to true + [-Wtautological-constant-compare] + cx18_call_hw(cx, CX18_HW_GPIO_RESET_CTRL, + ^ + drivers/media/pci/cx18/cx18-cards.h:18:37: note: expanded from macro + 'CX18_HW_GPIO_RESET_CTRL' + #define CX18_HW_GPIO_RESET_CTRL (1 << 6) + ^ + 1 warning generated. + +This warning happens because the shift operation is implicitly converted +to a boolean in v4l2_device_mask_call_all before being negated. This can +be solved by just comparing the mask result to 0 explicitly so that +there is no boolean conversion. The ultimate goal is to enable +-Wtautological-compare globally because there are several subwarnings +that would be helpful to have. + +For visual consistency and avoidance of these warnings in the future, +all of the implicitly boolean conversions in the v4l2_device macros +are converted to explicit ones as well. + +Link: https://github.com/ClangBuiltLinux/linux/issues/752 + +Reviewed-by: Ezequiel Garcia +Reviewed-by: Nick Desaulniers +Signed-off-by: Nathan Chancellor +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + include/media/v4l2-device.h | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/include/media/v4l2-device.h b/include/media/v4l2-device.h +index 8ffa94009d1a9..76002416cead9 100644 +--- a/include/media/v4l2-device.h ++++ b/include/media/v4l2-device.h +@@ -268,7 +268,7 @@ static inline void v4l2_subdev_notify(struct v4l2_subdev *sd, + struct v4l2_subdev *__sd; \ + \ + __v4l2_device_call_subdevs_p(v4l2_dev, __sd, \ +- !(grpid) || __sd->grp_id == (grpid), o, f , \ ++ (grpid) == 0 || __sd->grp_id == (grpid), o, f , \ + ##args); \ + } while (0) + +@@ -280,7 +280,7 @@ static inline void v4l2_subdev_notify(struct v4l2_subdev *sd, + ({ \ + struct v4l2_subdev *__sd; \ + __v4l2_device_call_subdevs_until_err_p(v4l2_dev, __sd, \ +- !(grpid) || __sd->grp_id == (grpid), o, f , \ ++ (grpid) == 0 || __sd->grp_id == (grpid), o, f , \ + ##args); \ + }) + +@@ -294,8 +294,8 @@ static inline void v4l2_subdev_notify(struct v4l2_subdev *sd, + struct v4l2_subdev *__sd; \ + \ + __v4l2_device_call_subdevs_p(v4l2_dev, __sd, \ +- !(grpmsk) || (__sd->grp_id & (grpmsk)), o, f , \ +- ##args); \ ++ (grpmsk) == 0 || (__sd->grp_id & (grpmsk)), o, \ ++ f , ##args); \ + } while (0) + + /* +@@ -308,8 +308,8 @@ static inline void v4l2_subdev_notify(struct v4l2_subdev *sd, + ({ \ + struct v4l2_subdev *__sd; \ + __v4l2_device_call_subdevs_until_err_p(v4l2_dev, __sd, \ +- !(grpmsk) || (__sd->grp_id & (grpmsk)), o, f , \ +- ##args); \ ++ (grpmsk) == 0 || (__sd->grp_id & (grpmsk)), o, \ ++ f , ##args); \ + }) + + /* +-- +2.20.1 + diff --git a/queue-4.14/microblaze-prevent-the-overflow-of-the-start.patch b/queue-4.14/microblaze-prevent-the-overflow-of-the-start.patch new file mode 100644 index 00000000000..504195d8f1f --- /dev/null +++ b/queue-4.14/microblaze-prevent-the-overflow-of-the-start.patch @@ -0,0 +1,37 @@ +From 2f4d50022af4a20b4e731aec20940812216bd68f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 11 Jan 2020 18:44:34 +0530 +Subject: microblaze: Prevent the overflow of the start + +From: Shubhrajyoti Datta + +[ Upstream commit 061d2c1d593076424c910cb1b64ecdb5c9a6923f ] + +In case the start + cache size is more than the max int the +start overflows. +Prevent the same. + +Signed-off-by: Shubhrajyoti Datta +Signed-off-by: Michal Simek +Signed-off-by: Sasha Levin +--- + arch/microblaze/kernel/cpu/cache.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/microblaze/kernel/cpu/cache.c b/arch/microblaze/kernel/cpu/cache.c +index 0bde47e4fa694..dcba53803fa5f 100644 +--- a/arch/microblaze/kernel/cpu/cache.c ++++ b/arch/microblaze/kernel/cpu/cache.c +@@ -92,7 +92,8 @@ static inline void __disable_dcache_nomsr(void) + #define CACHE_LOOP_LIMITS(start, end, cache_line_length, cache_size) \ + do { \ + int align = ~(cache_line_length - 1); \ +- end = min(start + cache_size, end); \ ++ if (start < UINT_MAX - cache_size) \ ++ end = min(start + cache_size, end); \ + start &= align; \ + } while (0) + +-- +2.20.1 + diff --git a/queue-4.14/mips-loongson-fix-potential-null-dereference-in-loon.patch b/queue-4.14/mips-loongson-fix-potential-null-dereference-in-loon.patch new file mode 100644 index 00000000000..fdcca9b5f14 --- /dev/null +++ b/queue-4.14/mips-loongson-fix-potential-null-dereference-in-loon.patch @@ -0,0 +1,43 @@ +From 3e1d54d54673484743660374e43c5348828d41a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jan 2020 09:30:42 +0800 +Subject: MIPS: Loongson: Fix potential NULL dereference in + loongson3_platform_init() + +From: Tiezhu Yang + +[ Upstream commit 72d052e28d1d2363f9107be63ef3a3afdea6143c ] + +If kzalloc fails, it should return -ENOMEM, otherwise may trigger a NULL +pointer dereference. + +Fixes: 3adeb2566b9b ("MIPS: Loongson: Improve LEFI firmware interface") +Signed-off-by: Tiezhu Yang +Signed-off-by: Paul Burton +Cc: Ralf Baechle +Cc: Huacai Chen +Cc: Jiaxun Yang +Cc: linux-mips@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Sasha Levin +--- + arch/mips/loongson64/loongson-3/platform.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/mips/loongson64/loongson-3/platform.c b/arch/mips/loongson64/loongson-3/platform.c +index 25a97cc0ee336..0db4cc3196ebd 100644 +--- a/arch/mips/loongson64/loongson-3/platform.c ++++ b/arch/mips/loongson64/loongson-3/platform.c +@@ -31,6 +31,9 @@ static int __init loongson3_platform_init(void) + continue; + + pdev = kzalloc(sizeof(struct platform_device), GFP_KERNEL); ++ if (!pdev) ++ return -ENOMEM; ++ + pdev->name = loongson_sysconf.sensors[i].name; + pdev->id = loongson_sysconf.sensors[i].id; + pdev->dev.platform_data = &loongson_sysconf.sensors[i]; +-- +2.20.1 + diff --git a/queue-4.14/mlxsw-spectrum_dpipe-add-missing-error-path.patch b/queue-4.14/mlxsw-spectrum_dpipe-add-missing-error-path.patch new file mode 100644 index 00000000000..c1d5041379f --- /dev/null +++ b/queue-4.14/mlxsw-spectrum_dpipe-add-missing-error-path.patch @@ -0,0 +1,45 @@ +From 2965b8a5db1f285b90405bdfdd841274cf640369 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Feb 2020 19:26:28 +0200 +Subject: mlxsw: spectrum_dpipe: Add missing error path + +From: Ido Schimmel + +[ Upstream commit 3a99cbb6fa7bca1995586ec2dc21b0368aad4937 ] + +In case devlink_dpipe_entry_ctx_prepare() failed, release RTNL that was +previously taken and free the memory allocated by +mlxsw_sp_erif_entry_prepare(). + +Fixes: 2ba5999f009d ("mlxsw: spectrum: Add Support for erif table entries access") +Signed-off-by: Ido Schimmel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum_dpipe.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_dpipe.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_dpipe.c +index 51e6846da72bc..3c04f3d5de2dc 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_dpipe.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_dpipe.c +@@ -225,7 +225,7 @@ mlxsw_sp_dpipe_table_erif_entries_dump(void *priv, bool counters_enabled, + start_again: + err = devlink_dpipe_entry_ctx_prepare(dump_ctx); + if (err) +- return err; ++ goto err_ctx_prepare; + j = 0; + for (; i < rif_count; i++) { + struct mlxsw_sp_rif *rif = mlxsw_sp_rif_by_index(mlxsw_sp, i); +@@ -257,6 +257,7 @@ start_again: + return 0; + err_entry_append: + err_entry_get: ++err_ctx_prepare: + rtnl_unlock(); + devlink_dpipe_entry_clear(&entry); + return err; +-- +2.20.1 + diff --git a/queue-4.14/nbd-add-a-flush_workqueue-in-nbd_start_device.patch b/queue-4.14/nbd-add-a-flush_workqueue-in-nbd_start_device.patch new file mode 100644 index 00000000000..ed513559a86 --- /dev/null +++ b/queue-4.14/nbd-add-a-flush_workqueue-in-nbd_start_device.patch @@ -0,0 +1,56 @@ +From 2f0534cb7f87bda1f405f954fe398e9cadfe18f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Jan 2020 11:18:57 +0800 +Subject: nbd: add a flush_workqueue in nbd_start_device + +From: Sun Ke + +[ Upstream commit 5c0dd228b5fc30a3b732c7ae2657e0161ec7ed80 ] + +When kzalloc fail, may cause trying to destroy the +workqueue from inside the workqueue. + +If num_connections is m (2 < m), and NO.1 ~ NO.n +(1 < n < m) kzalloc are successful. The NO.(n + 1) +failed. Then, nbd_start_device will return ENOMEM +to nbd_start_device_ioctl, and nbd_start_device_ioctl +will return immediately without running flush_workqueue. +However, we still have n recv threads. If nbd_release +run first, recv threads may have to drop the last +config_refs and try to destroy the workqueue from +inside the workqueue. + +To fix it, add a flush_workqueue in nbd_start_device. + +Fixes: e9e006f5fcf2 ("nbd: fix max number of supported devs") +Signed-off-by: Sun Ke +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/nbd.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index 4c661ad91e7d3..8f56e6b2f114f 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -1203,6 +1203,16 @@ static int nbd_start_device(struct nbd_device *nbd) + args = kzalloc(sizeof(*args), GFP_KERNEL); + if (!args) { + sock_shutdown(nbd); ++ /* ++ * If num_connections is m (2 < m), ++ * and NO.1 ~ NO.n(1 < n < m) kzallocs are successful. ++ * But NO.(n + 1) failed. We still have n recv threads. ++ * So, add flush_workqueue here to prevent recv threads ++ * dropping the last config_refs and trying to destroy ++ * the workqueue from inside the workqueue. ++ */ ++ if (i) ++ flush_workqueue(nbd->recv_workq); + return -ENOMEM; + } + sk_set_memalloc(config->socks[i]->sock->sk); +-- +2.20.1 + diff --git a/queue-4.14/net-wan-fsl_ucc_hdlc-reject-muram-offsets-above-64k.patch b/queue-4.14/net-wan-fsl_ucc_hdlc-reject-muram-offsets-above-64k.patch new file mode 100644 index 00000000000..d5d15595cfa --- /dev/null +++ b/queue-4.14/net-wan-fsl_ucc_hdlc-reject-muram-offsets-above-64k.patch @@ -0,0 +1,44 @@ +From 278cfcf2dc9b023708467635cd5aa4820ebda582 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Nov 2019 15:55:51 +0100 +Subject: net/wan/fsl_ucc_hdlc: reject muram offsets above 64K + +From: Rasmus Villemoes + +[ Upstream commit 148587a59f6b85831695e0497d9dd1af5f0495af ] + +Qiang Zhao points out that these offsets get written to 16-bit +registers, and there are some QE platforms with more than 64K +muram. So it is possible that qe_muram_alloc() gives us an allocation +that can't actually be used by the hardware, so detect and reject +that. + +Reported-by: Qiang Zhao +Reviewed-by: Timur Tabi +Signed-off-by: Rasmus Villemoes +Acked-by: David S. Miller +Signed-off-by: Li Yang +Signed-off-by: Sasha Levin +--- + drivers/net/wan/fsl_ucc_hdlc.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wan/fsl_ucc_hdlc.c b/drivers/net/wan/fsl_ucc_hdlc.c +index 571a1ff8f81f2..6a26cef621935 100644 +--- a/drivers/net/wan/fsl_ucc_hdlc.c ++++ b/drivers/net/wan/fsl_ucc_hdlc.c +@@ -240,6 +240,11 @@ static int uhdlc_init(struct ucc_hdlc_private *priv) + ret = -ENOMEM; + goto free_riptr; + } ++ if (riptr != (u16)riptr || tiptr != (u16)tiptr) { ++ dev_err(priv->dev, "MURAM allocation out of addressable range\n"); ++ ret = -ENOMEM; ++ goto free_tiptr; ++ } + + /* Set RIPTR, TIPTR */ + iowrite16be(riptr, &priv->ucc_pram->riptr); +-- +2.20.1 + diff --git a/queue-4.14/nfc-port100-convert-cpu_to_le16-le16_to_cpu-e1-e2-to.patch b/queue-4.14/nfc-port100-convert-cpu_to_le16-le16_to_cpu-e1-e2-to.patch new file mode 100644 index 00000000000..3c013b99497 --- /dev/null +++ b/queue-4.14/nfc-port100-convert-cpu_to_le16-le16_to_cpu-e1-e2-to.patch @@ -0,0 +1,37 @@ +From def2d705767d741fbc43b91afa08a26a5192b242 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Dec 2019 21:08:45 +0800 +Subject: NFC: port100: Convert cpu_to_le16(le16_to_cpu(E1) + E2) to use + le16_add_cpu(). + +From: Mao Wenan + +[ Upstream commit 718eae277e62a26e5862eb72a830b5e0fe37b04a ] + +Convert cpu_to_le16(le16_to_cpu(frame->datalen) + len) to +use le16_add_cpu(), which is more concise and does the same thing. + +Reported-by: Hulk Robot +Signed-off-by: Mao Wenan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/nfc/port100.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nfc/port100.c b/drivers/nfc/port100.c +index 60ae382f50da9..06bb226c62ef4 100644 +--- a/drivers/nfc/port100.c ++++ b/drivers/nfc/port100.c +@@ -574,7 +574,7 @@ static void port100_tx_update_payload_len(void *_frame, int len) + { + struct port100_frame *frame = _frame; + +- frame->datalen = cpu_to_le16(le16_to_cpu(frame->datalen) + len); ++ le16_add_cpu(&frame->datalen, len); + } + + static bool port100_rx_frame_is_valid(void *_frame) +-- +2.20.1 + diff --git a/queue-4.14/nfsd4-avoid-null-deference-on-strange-copy-compounds.patch b/queue-4.14/nfsd4-avoid-null-deference-on-strange-copy-compounds.patch new file mode 100644 index 00000000000..80edae2758d --- /dev/null +++ b/queue-4.14/nfsd4-avoid-null-deference-on-strange-copy-compounds.patch @@ -0,0 +1,54 @@ +From b712a5f9de40f05543043efe4c34eb17f4e23e35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2019 16:07:32 -0500 +Subject: nfsd4: avoid NULL deference on strange COPY compounds + +From: J. Bruce Fields + +[ Upstream commit d781e3df710745fbbaee4eb07fd5b64331a1b175 ] + +With cross-server COPY we've introduced the possibility that the current +or saved filehandle might not have fh_dentry/fh_export filled in, but we +missed a place that assumed it was. I think this could be triggered by +a compound like: + + PUTFH(foreign filehandle) + GETATTR + SAVEFH + COPY + +First, check_if_stalefh_allowed sets no_verify on the first (PUTFH) op. +Then op_func = nfsd4_putfh runs and leaves current_fh->fh_export NULL. +need_wrongsec_check returns true, since this PUTFH has OP_IS_PUTFH_LIKE +set and GETATTR does not have OP_HANDLES_WRONGSEC set. + +We should probably also consider tightening the checks in +check_if_stalefh_allowed and double-checking that we don't assume the +filehandle is verified elsewhere in the compound. But I think this +fixes the immediate issue. + +Reported-by: Dan Carpenter +Fixes: 4e48f1cccab3 "NFSD: allow inter server COPY to have... " +Signed-off-by: J. Bruce Fields +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfs4proc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c +index ee765abad2efb..be42ea2603683 100644 +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -1798,7 +1798,8 @@ nfsd4_proc_compound(struct svc_rqst *rqstp) + if (op->opdesc->op_flags & OP_CLEAR_STATEID) + clear_current_stateid(cstate); + +- if (need_wrongsec_check(rqstp)) ++ if (current_fh->fh_export && ++ need_wrongsec_check(rqstp)) + op->status = check_nfsd_access(current_fh->fh_export, rqstp); + } + encode_op: +-- +2.20.1 + diff --git a/queue-4.14/ocfs2-fix-a-null-pointer-dereference-when-call-ocfs2.patch b/queue-4.14/ocfs2-fix-a-null-pointer-dereference-when-call-ocfs2.patch new file mode 100644 index 00000000000..674bba9803f --- /dev/null +++ b/queue-4.14/ocfs2-fix-a-null-pointer-dereference-when-call-ocfs2.patch @@ -0,0 +1,140 @@ +From 6ceecdf2b59c0a85de7fc5f48a25f862694a7387 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jan 2020 22:11:50 -0800 +Subject: ocfs2: fix a NULL pointer dereference when call + ocfs2_update_inode_fsync_trans() + +From: wangyan + +[ Upstream commit 9f16ca48fc818a17de8be1f75d08e7f4addc4497 ] + +I found a NULL pointer dereference in ocfs2_update_inode_fsync_trans(), +handle->h_transaction may be NULL in this situation: + +ocfs2_file_write_iter + ->__generic_file_write_iter + ->generic_perform_write + ->ocfs2_write_begin + ->ocfs2_write_begin_nolock + ->ocfs2_write_cluster_by_desc + ->ocfs2_write_cluster + ->ocfs2_mark_extent_written + ->ocfs2_change_extent_flag + ->ocfs2_split_extent + ->ocfs2_try_to_merge_extent + ->ocfs2_extend_rotate_transaction + ->ocfs2_extend_trans + ->jbd2_journal_restart + ->jbd2__journal_restart + // handle->h_transaction is NULL here + ->handle->h_transaction = NULL; + ->start_this_handle + /* journal aborted due to storage + network disconnection, return error */ + ->return -EROFS; + /* line 3806 in ocfs2_try_to_merge_extent (), + it will ignore ret error. */ + ->ret = 0; + ->... + ->ocfs2_write_end + ->ocfs2_write_end_nolock + ->ocfs2_update_inode_fsync_trans + // NULL pointer dereference + ->oi->i_sync_tid = handle->h_transaction->t_tid; + +The information of NULL pointer dereference as follows: + JBD2: Detected IO errors while flushing file data on dm-11-45 + Aborting journal on device dm-11-45. + JBD2: Error -5 detected when updating journal superblock for dm-11-45. + (dd,22081,3):ocfs2_extend_trans:474 ERROR: status = -30 + (dd,22081,3):ocfs2_try_to_merge_extent:3877 ERROR: status = -30 + Unable to handle kernel NULL pointer dereference at + virtual address 0000000000000008 + Mem abort info: + ESR = 0x96000004 + Exception class = DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + Data abort info: + ISV = 0, ISS = 0x00000004 + CM = 0, WnR = 0 + user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000e74e1338 + [0000000000000008] pgd=0000000000000000 + Internal error: Oops: 96000004 [#1] SMP + Process dd (pid: 22081, stack limit = 0x00000000584f35a9) + CPU: 3 PID: 22081 Comm: dd Kdump: loaded + Hardware name: Huawei TaiShan 2280 V2/BC82AMDD, BIOS 0.98 08/25/2019 + pstate: 60400009 (nZCv daif +PAN -UAO) + pc : ocfs2_write_end_nolock+0x2b8/0x550 [ocfs2] + lr : ocfs2_write_end_nolock+0x2a0/0x550 [ocfs2] + sp : ffff0000459fba70 + x29: ffff0000459fba70 x28: 0000000000000000 + x27: ffff807ccf7f1000 x26: 0000000000000001 + x25: ffff807bdff57970 x24: ffff807caf1d4000 + x23: ffff807cc79e9000 x22: 0000000000001000 + x21: 000000006c6cd000 x20: ffff0000091d9000 + x19: ffff807ccb239db0 x18: ffffffffffffffff + x17: 000000000000000e x16: 0000000000000007 + x15: ffff807c5e15bd78 x14: 0000000000000000 + x13: 0000000000000000 x12: 0000000000000000 + x11: 0000000000000000 x10: 0000000000000001 + x9 : 0000000000000228 x8 : 000000000000000c + x7 : 0000000000000fff x6 : ffff807a308ed6b0 + x5 : ffff7e01f10967c0 x4 : 0000000000000018 + x3 : d0bc661572445600 x2 : 0000000000000000 + x1 : 000000001b2e0200 x0 : 0000000000000000 + Call trace: + ocfs2_write_end_nolock+0x2b8/0x550 [ocfs2] + ocfs2_write_end+0x4c/0x80 [ocfs2] + generic_perform_write+0x108/0x1a8 + __generic_file_write_iter+0x158/0x1c8 + ocfs2_file_write_iter+0x668/0x950 [ocfs2] + __vfs_write+0x11c/0x190 + vfs_write+0xac/0x1c0 + ksys_write+0x6c/0xd8 + __arm64_sys_write+0x24/0x30 + el0_svc_common+0x78/0x130 + el0_svc_handler+0x38/0x78 + el0_svc+0x8/0xc + +To prevent NULL pointer dereference in this situation, we use +is_handle_aborted() before using handle->h_transaction->t_tid. + +Link: http://lkml.kernel.org/r/03e750ab-9ade-83aa-b000-b9e81e34e539@huawei.com +Signed-off-by: Yan Wang +Reviewed-by: Jun Piao +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Joseph Qi +Cc: Changwei Ge +Cc: Gang He +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ocfs2/journal.h | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/fs/ocfs2/journal.h b/fs/ocfs2/journal.h +index 497a4171ef61f..bfb50fc51528f 100644 +--- a/fs/ocfs2/journal.h ++++ b/fs/ocfs2/journal.h +@@ -637,9 +637,11 @@ static inline void ocfs2_update_inode_fsync_trans(handle_t *handle, + { + struct ocfs2_inode_info *oi = OCFS2_I(inode); + +- oi->i_sync_tid = handle->h_transaction->t_tid; +- if (datasync) +- oi->i_datasync_tid = handle->h_transaction->t_tid; ++ if (!is_handle_aborted(handle)) { ++ oi->i_sync_tid = handle->h_transaction->t_tid; ++ if (datasync) ++ oi->i_datasync_tid = handle->h_transaction->t_tid; ++ } + } + + #endif /* OCFS2_JOURNAL_H */ +-- +2.20.1 + diff --git a/queue-4.14/orinoco-avoid-assertion-in-case-of-null-pointer.patch b/queue-4.14/orinoco-avoid-assertion-in-case-of-null-pointer.patch new file mode 100644 index 00000000000..becfcf04c58 --- /dev/null +++ b/queue-4.14/orinoco-avoid-assertion-in-case-of-null-pointer.patch @@ -0,0 +1,37 @@ +From 60876b3c4e4e589edac8b6199c6ec2533f7eac69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Dec 2019 13:58:58 -0600 +Subject: orinoco: avoid assertion in case of NULL pointer + +From: Aditya Pakki + +[ Upstream commit c705f9fc6a1736dcf6ec01f8206707c108dca824 ] + +In ezusb_init, if upriv is NULL, the code crashes. However, the caller +in ezusb_probe can handle the error and print the failure message. +The patch replaces the BUG_ON call to error return. + +Signed-off-by: Aditya Pakki +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intersil/orinoco/orinoco_usb.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intersil/orinoco/orinoco_usb.c b/drivers/net/wireless/intersil/orinoco/orinoco_usb.c +index 95015d74b1c0e..5a64674a5c8da 100644 +--- a/drivers/net/wireless/intersil/orinoco/orinoco_usb.c ++++ b/drivers/net/wireless/intersil/orinoco/orinoco_usb.c +@@ -1364,7 +1364,8 @@ static int ezusb_init(struct hermes *hw) + int retval; + + BUG_ON(in_interrupt()); +- BUG_ON(!upriv); ++ if (!upriv) ++ return -EINVAL; + + upriv->reply_count = 0; + /* Write the MAGIC number on the simulated registers to keep +-- +2.20.1 + diff --git a/queue-4.14/padata-always-acquire-cpu_hotplug_lock-before-pinst-.patch b/queue-4.14/padata-always-acquire-cpu_hotplug_lock-before-pinst-.patch new file mode 100644 index 00000000000..7350f8c79f6 --- /dev/null +++ b/queue-4.14/padata-always-acquire-cpu_hotplug_lock-before-pinst-.patch @@ -0,0 +1,71 @@ +From 5f61af927b283bca63732b63afa985c9e4985294 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2019 14:31:11 -0500 +Subject: padata: always acquire cpu_hotplug_lock before pinst->lock + +From: Daniel Jordan + +[ Upstream commit 38228e8848cd7dd86ccb90406af32de0cad24be3 ] + +lockdep complains when padata's paths to update cpumasks via CPU hotplug +and sysfs are both taken: + + # echo 0 > /sys/devices/system/cpu/cpu1/online + # echo ff > /sys/kernel/pcrypt/pencrypt/parallel_cpumask + + ====================================================== + WARNING: possible circular locking dependency detected + 5.4.0-rc8-padata-cpuhp-v3+ #1 Not tainted + ------------------------------------------------------ + bash/205 is trying to acquire lock: + ffffffff8286bcd0 (cpu_hotplug_lock.rw_sem){++++}, at: padata_set_cpumask+0x2b/0x120 + + but task is already holding lock: + ffff8880001abfa0 (&pinst->lock){+.+.}, at: padata_set_cpumask+0x26/0x120 + + which lock already depends on the new lock. + +padata doesn't take cpu_hotplug_lock and pinst->lock in a consistent +order. Which should be first? CPU hotplug calls into padata with +cpu_hotplug_lock already held, so it should have priority. + +Fixes: 6751fb3c0e0c ("padata: Use get_online_cpus/put_online_cpus") +Signed-off-by: Daniel Jordan +Cc: Eric Biggers +Cc: Herbert Xu +Cc: Steffen Klassert +Cc: linux-crypto@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + kernel/padata.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/padata.c b/kernel/padata.c +index 528a251217dfc..a71620d2b8bab 100644 +--- a/kernel/padata.c ++++ b/kernel/padata.c +@@ -605,8 +605,8 @@ int padata_set_cpumask(struct padata_instance *pinst, int cpumask_type, + struct cpumask *serial_mask, *parallel_mask; + int err = -EINVAL; + +- mutex_lock(&pinst->lock); + get_online_cpus(); ++ mutex_lock(&pinst->lock); + + switch (cpumask_type) { + case PADATA_CPU_PARALLEL: +@@ -624,8 +624,8 @@ int padata_set_cpumask(struct padata_instance *pinst, int cpumask_type, + err = __padata_set_cpumasks(pinst, parallel_mask, serial_mask); + + out: +- put_online_cpus(); + mutex_unlock(&pinst->lock); ++ put_online_cpus(); + + return err; + } +-- +2.20.1 + diff --git a/queue-4.14/pci-iov-fix-memory-leak-in-pci_iov_add_virtfn.patch b/queue-4.14/pci-iov-fix-memory-leak-in-pci_iov_add_virtfn.patch new file mode 100644 index 00000000000..79e9077216d --- /dev/null +++ b/queue-4.14/pci-iov-fix-memory-leak-in-pci_iov_add_virtfn.patch @@ -0,0 +1,37 @@ +From 2570410e54d013ae07d80a441bb3463c131dd03b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Nov 2019 13:52:52 -0600 +Subject: PCI/IOV: Fix memory leak in pci_iov_add_virtfn() + +From: Navid Emamdoost + +[ Upstream commit 8c386cc817878588195dde38e919aa6ba9409d58 ] + +In the implementation of pci_iov_add_virtfn() the allocated virtfn is +leaked if pci_setup_device() fails. The error handling is not calling +pci_stop_and_remove_bus_device(). Change the goto label to failed2. + +Fixes: 156c55325d30 ("PCI: Check for pci_setup_device() failure in pci_iov_add_virtfn()") +Link: https://lore.kernel.org/r/20191125195255.23740-1-navid.emamdoost@gmail.com +Signed-off-by: Navid Emamdoost +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/iov.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pci/iov.c b/drivers/pci/iov.c +index 0fd8e164339c3..0dc646c1bc3db 100644 +--- a/drivers/pci/iov.c ++++ b/drivers/pci/iov.c +@@ -179,6 +179,7 @@ int pci_iov_add_virtfn(struct pci_dev *dev, int id, int reset) + failed2: + sysfs_remove_link(&dev->dev.kobj, buf); + failed1: ++ pci_stop_and_remove_bus_device(virtfn); + pci_dev_put(dev); + pci_stop_and_remove_bus_device(virtfn); + failed0: +-- +2.20.1 + diff --git a/queue-4.14/pinctrl-baytrail-do-not-clear-irq-flags-on-direct-ir.patch b/queue-4.14/pinctrl-baytrail-do-not-clear-irq-flags-on-direct-ir.patch new file mode 100644 index 00000000000..2f60258774d --- /dev/null +++ b/queue-4.14/pinctrl-baytrail-do-not-clear-irq-flags-on-direct-ir.patch @@ -0,0 +1,60 @@ +From 515703e179bfcbb9be192422a561afbd64ba4d85 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Dec 2019 00:04:47 +0100 +Subject: pinctrl: baytrail: Do not clear IRQ flags on direct-irq enabled pins + +From: Hans de Goede + +[ Upstream commit a23680594da7a9e2696dbcf4f023e9273e2fa40b ] + +Suspending Goodix touchscreens requires changing the interrupt pin to +output before sending them a power-down command. Followed by wiggling +the interrupt pin to wake the device up, after which it is put back +in input mode. + +On Bay Trail devices with a Goodix touchscreen direct-irq mode is used +in combination with listing the pin as a normal GpioIo resource. + +This works fine, until the goodix driver gets rmmod-ed and then insmod-ed +again. In this case byt_gpio_disable_free() calls +byt_gpio_clear_triggering() which clears the IRQ flags and after that the +(direct) IRQ no longer triggers. + +This commit fixes this by adding a check for the BYT_DIRECT_IRQ_EN flag +to byt_gpio_clear_triggering(). + +Note that byt_gpio_clear_triggering() only gets called from +byt_gpio_disable_free() for direct-irq enabled pins, as these are excluded +from the irq_valid mask by byt_init_irq_valid_mask(). + +Signed-off-by: Hans de Goede +Acked-by: Mika Westerberg +Reviewed-by: Linus Walleij +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/intel/pinctrl-baytrail.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/intel/pinctrl-baytrail.c b/drivers/pinctrl/intel/pinctrl-baytrail.c +index 9df5d29d708da..4fb3e44f91331 100644 +--- a/drivers/pinctrl/intel/pinctrl-baytrail.c ++++ b/drivers/pinctrl/intel/pinctrl-baytrail.c +@@ -958,7 +958,13 @@ static void byt_gpio_clear_triggering(struct byt_gpio *vg, unsigned int offset) + + raw_spin_lock_irqsave(&byt_lock, flags); + value = readl(reg); +- value &= ~(BYT_TRIG_POS | BYT_TRIG_NEG | BYT_TRIG_LVL); ++ ++ /* Do not clear direct-irq enabled IRQs (from gpio_disable_free) */ ++ if (value & BYT_DIRECT_IRQ_EN) ++ /* nothing to do */ ; ++ else ++ value &= ~(BYT_TRIG_POS | BYT_TRIG_NEG | BYT_TRIG_LVL); ++ + writel(value, reg); + raw_spin_unlock_irqrestore(&byt_lock, flags); + } +-- +2.20.1 + diff --git a/queue-4.14/pinctrl-sh-pfc-sh7264-fix-can-function-gpios.patch b/queue-4.14/pinctrl-sh-pfc-sh7264-fix-can-function-gpios.patch new file mode 100644 index 00000000000..4bbadfdfd19 --- /dev/null +++ b/queue-4.14/pinctrl-sh-pfc-sh7264-fix-can-function-gpios.patch @@ -0,0 +1,94 @@ +From 7a0fc13ed7b936ab41cfbf04bda99e1172dc9fff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Dec 2019 20:48:09 +0100 +Subject: pinctrl: sh-pfc: sh7264: Fix CAN function GPIOs + +From: Geert Uytterhoeven + +[ Upstream commit 55b1cb1f03ad5eea39897d0c74035e02deddcff2 ] + +pinmux_func_gpios[] contains a hole due to the missing function GPIO +definition for the "CTX0&CTX1" signal, which is the logical "AND" of the +two CAN outputs. + +Fix this by: + - Renaming CRX0_CRX1_MARK to CTX0_CTX1_MARK, as PJ2MD[2:0]=010 + configures the combined "CTX0&CTX1" output signal, + - Renaming CRX0X1_MARK to CRX0_CRX1_MARK, as PJ3MD[1:0]=10 configures + the shared "CRX0/CRX1" input signal, which is fed to both CAN + inputs, + - Adding the missing function GPIO definition for "CTX0&CTX1" to + pinmux_func_gpios[], + - Moving all CAN enums next to each other. + +See SH7262 Group, SH7264 Group User's Manual: Hardware, Rev. 4.00: + [1] Figure 1.2 (3) (Pin Assignment for the SH7264 Group (1-Mbyte + Version), + [2] Figure 1.2 (4) Pin Assignment for the SH7264 Group (640-Kbyte + Version, + [3] Table 1.4 List of Pins, + [4] Figure 20.29 Connection Example when Using This Module as 1-Channel + Module (64 Mailboxes x 1 Channel), + [5] Table 32.10 Multiplexed Pins (Port J), + [6] Section 32.2.30 (3) Port J Control Register 0 (PJCR0). + +Note that the last 2 disagree about PJ2MD[2:0], which is probably the +root cause of this bug. But considering [4], "CTx0&CTx1" in [5] must +be correct, and "CRx0&CRx1" in [6] must be wrong. + +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20191218194812.12741-4-geert+renesas@glider.be +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/sh-pfc/pfc-sh7264.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/pinctrl/sh-pfc/pfc-sh7264.c b/drivers/pinctrl/sh-pfc/pfc-sh7264.c +index e1c34e19222ee..3ddb9565ed804 100644 +--- a/drivers/pinctrl/sh-pfc/pfc-sh7264.c ++++ b/drivers/pinctrl/sh-pfc/pfc-sh7264.c +@@ -500,17 +500,15 @@ enum { + SD_WP_MARK, SD_CLK_MARK, SD_CMD_MARK, + CRX0_MARK, CRX1_MARK, + CTX0_MARK, CTX1_MARK, ++ CRX0_CRX1_MARK, CTX0_CTX1_MARK, + + PWM1A_MARK, PWM1B_MARK, PWM1C_MARK, PWM1D_MARK, + PWM1E_MARK, PWM1F_MARK, PWM1G_MARK, PWM1H_MARK, + PWM2A_MARK, PWM2B_MARK, PWM2C_MARK, PWM2D_MARK, + PWM2E_MARK, PWM2F_MARK, PWM2G_MARK, PWM2H_MARK, + IERXD_MARK, IETXD_MARK, +- CRX0_CRX1_MARK, + WDTOVF_MARK, + +- CRX0X1_MARK, +- + /* DMAC */ + TEND0_MARK, DACK0_MARK, DREQ0_MARK, + TEND1_MARK, DACK1_MARK, DREQ1_MARK, +@@ -998,12 +996,12 @@ static const u16 pinmux_data[] = { + + PINMUX_DATA(PJ3_DATA, PJ3MD_00), + PINMUX_DATA(CRX1_MARK, PJ3MD_01), +- PINMUX_DATA(CRX0X1_MARK, PJ3MD_10), ++ PINMUX_DATA(CRX0_CRX1_MARK, PJ3MD_10), + PINMUX_DATA(IRQ1_PJ_MARK, PJ3MD_11), + + PINMUX_DATA(PJ2_DATA, PJ2MD_000), + PINMUX_DATA(CTX1_MARK, PJ2MD_001), +- PINMUX_DATA(CRX0_CRX1_MARK, PJ2MD_010), ++ PINMUX_DATA(CTX0_CTX1_MARK, PJ2MD_010), + PINMUX_DATA(CS2_MARK, PJ2MD_011), + PINMUX_DATA(SCK0_MARK, PJ2MD_100), + PINMUX_DATA(LCD_M_DISP_MARK, PJ2MD_101), +@@ -1248,6 +1246,7 @@ static const struct pinmux_func pinmux_func_gpios[] = { + GPIO_FN(CTX1), + GPIO_FN(CRX1), + GPIO_FN(CTX0), ++ GPIO_FN(CTX0_CTX1), + GPIO_FN(CRX0), + GPIO_FN(CRX0_CRX1), + +-- +2.20.1 + diff --git a/queue-4.14/pinctrl-sh-pfc-sh7269-fix-can-function-gpios.patch b/queue-4.14/pinctrl-sh-pfc-sh7269-fix-can-function-gpios.patch new file mode 100644 index 00000000000..3fa5d9a5dc3 --- /dev/null +++ b/queue-4.14/pinctrl-sh-pfc-sh7269-fix-can-function-gpios.patch @@ -0,0 +1,184 @@ +From 09522b3dfba76d10ac93c85ad4c132516cdd113a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Dec 2019 20:48:10 +0100 +Subject: pinctrl: sh-pfc: sh7269: Fix CAN function GPIOs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Geert Uytterhoeven + +[ Upstream commit 02aeb2f21530c98fc3ca51028eda742a3fafbd9f ] + +pinmux_func_gpios[] contains a hole due to the missing function GPIO +definition for the "CTX0&CTX1" signal, which is the logical "AND" of the +first two CAN outputs. + +A closer look reveals other issues: + - Some functionality is available on alternative pins, but the + PINMUX_DATA() entries is using the wrong marks, + - Several configurations are missing. + +Fix this by: + - Renaming CTX0CTX1CTX2_MARK, CRX0CRX1_PJ22_MARK, and + CRX0CRX1CRX2_PJ20_MARK to CTX0_CTX1_CTX2_MARK, CRX0_CRX1_PJ22_MARK, + resp. CRX0_CRX1_CRX2_PJ20_MARK for consistency with the + corresponding enum IDs, + - Adding all missing enum IDs and marks, + - Use the right (*_PJ2x) variants for alternative pins, + - Adding all missing configurations to pinmux_data[], + - Adding all missing function GPIO definitions to pinmux_func_gpios[]. + +See SH7268 Group, SH7269 Group User’s Manual: Hardware, Rev. 2.00: + [1] Table 1.4 List of Pins + [2] Figure 23.29 Connection Example when Using Channels 0 and 1 as One + Channel (64 Mailboxes × 1 Channel) and Channel 2 as One Channel + (32 Mailboxes × 1 Channel), + [3] Figure 23.30 Connection Example when Using Channels 0, 1, and 2 as + One Channel (96 Mailboxes × 1 Channel), + [4] Table 48.3 Multiplexed Pins (Port B), + [5] Table 48.4 Multiplexed Pins (Port C), + [6] Table 48.10 Multiplexed Pins (Port J), + [7] Section 48.2.4 Port B Control Registers 0 to 5 (PBCR0 to PBCR5). + +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20191218194812.12741-5-geert+renesas@glider.be +Signed-off-by: Sasha Levin +--- + arch/sh/include/cpu-sh2a/cpu/sh7269.h | 11 ++++++-- + drivers/pinctrl/sh-pfc/pfc-sh7269.c | 39 ++++++++++++++++++--------- + 2 files changed, 36 insertions(+), 14 deletions(-) + +diff --git a/arch/sh/include/cpu-sh2a/cpu/sh7269.h b/arch/sh/include/cpu-sh2a/cpu/sh7269.h +index d516e5d488180..b887cc402b712 100644 +--- a/arch/sh/include/cpu-sh2a/cpu/sh7269.h ++++ b/arch/sh/include/cpu-sh2a/cpu/sh7269.h +@@ -78,8 +78,15 @@ enum { + GPIO_FN_WDTOVF, + + /* CAN */ +- GPIO_FN_CTX1, GPIO_FN_CRX1, GPIO_FN_CTX0, GPIO_FN_CTX0_CTX1, +- GPIO_FN_CRX0, GPIO_FN_CRX0_CRX1, GPIO_FN_CRX0_CRX1_CRX2, ++ GPIO_FN_CTX2, GPIO_FN_CRX2, ++ GPIO_FN_CTX1, GPIO_FN_CRX1, ++ GPIO_FN_CTX0, GPIO_FN_CRX0, ++ GPIO_FN_CTX0_CTX1, GPIO_FN_CRX0_CRX1, ++ GPIO_FN_CTX0_CTX1_CTX2, GPIO_FN_CRX0_CRX1_CRX2, ++ GPIO_FN_CTX2_PJ21, GPIO_FN_CRX2_PJ20, ++ GPIO_FN_CTX1_PJ23, GPIO_FN_CRX1_PJ22, ++ GPIO_FN_CTX0_CTX1_PJ23, GPIO_FN_CRX0_CRX1_PJ22, ++ GPIO_FN_CTX0_CTX1_CTX2_PJ21, GPIO_FN_CRX0_CRX1_CRX2_PJ20, + + /* DMAC */ + GPIO_FN_TEND0, GPIO_FN_DACK0, GPIO_FN_DREQ0, +diff --git a/drivers/pinctrl/sh-pfc/pfc-sh7269.c b/drivers/pinctrl/sh-pfc/pfc-sh7269.c +index cfdb4fc177c3e..3df0c0d139d08 100644 +--- a/drivers/pinctrl/sh-pfc/pfc-sh7269.c ++++ b/drivers/pinctrl/sh-pfc/pfc-sh7269.c +@@ -740,13 +740,12 @@ enum { + CRX0_MARK, CTX0_MARK, + CRX1_MARK, CTX1_MARK, + CRX2_MARK, CTX2_MARK, +- CRX0_CRX1_MARK, +- CRX0_CRX1_CRX2_MARK, +- CTX0CTX1CTX2_MARK, ++ CRX0_CRX1_MARK, CTX0_CTX1_MARK, ++ CRX0_CRX1_CRX2_MARK, CTX0_CTX1_CTX2_MARK, + CRX1_PJ22_MARK, CTX1_PJ23_MARK, + CRX2_PJ20_MARK, CTX2_PJ21_MARK, +- CRX0CRX1_PJ22_MARK, +- CRX0CRX1CRX2_PJ20_MARK, ++ CRX0_CRX1_PJ22_MARK, CTX0_CTX1_PJ23_MARK, ++ CRX0_CRX1_CRX2_PJ20_MARK, CTX0_CTX1_CTX2_PJ21_MARK, + + /* VDC */ + DV_CLK_MARK, +@@ -824,6 +823,7 @@ static const u16 pinmux_data[] = { + PINMUX_DATA(CS3_MARK, PC8MD_001), + PINMUX_DATA(TXD7_MARK, PC8MD_010), + PINMUX_DATA(CTX1_MARK, PC8MD_011), ++ PINMUX_DATA(CTX0_CTX1_MARK, PC8MD_100), + + PINMUX_DATA(PC7_DATA, PC7MD_000), + PINMUX_DATA(CKE_MARK, PC7MD_001), +@@ -836,11 +836,12 @@ static const u16 pinmux_data[] = { + PINMUX_DATA(CAS_MARK, PC6MD_001), + PINMUX_DATA(SCK7_MARK, PC6MD_010), + PINMUX_DATA(CTX0_MARK, PC6MD_011), ++ PINMUX_DATA(CTX0_CTX1_CTX2_MARK, PC6MD_100), + + PINMUX_DATA(PC5_DATA, PC5MD_000), + PINMUX_DATA(RAS_MARK, PC5MD_001), + PINMUX_DATA(CRX0_MARK, PC5MD_011), +- PINMUX_DATA(CTX0CTX1CTX2_MARK, PC5MD_100), ++ PINMUX_DATA(CTX0_CTX1_CTX2_MARK, PC5MD_100), + PINMUX_DATA(IRQ0_PC_MARK, PC5MD_101), + + PINMUX_DATA(PC4_DATA, PC4MD_00), +@@ -1292,30 +1293,32 @@ static const u16 pinmux_data[] = { + PINMUX_DATA(LCD_DATA23_PJ23_MARK, PJ23MD_010), + PINMUX_DATA(LCD_TCON6_MARK, PJ23MD_011), + PINMUX_DATA(IRQ3_PJ_MARK, PJ23MD_100), +- PINMUX_DATA(CTX1_MARK, PJ23MD_101), ++ PINMUX_DATA(CTX1_PJ23_MARK, PJ23MD_101), ++ PINMUX_DATA(CTX0_CTX1_PJ23_MARK, PJ23MD_110), + + PINMUX_DATA(PJ22_DATA, PJ22MD_000), + PINMUX_DATA(DV_DATA22_MARK, PJ22MD_001), + PINMUX_DATA(LCD_DATA22_PJ22_MARK, PJ22MD_010), + PINMUX_DATA(LCD_TCON5_MARK, PJ22MD_011), + PINMUX_DATA(IRQ2_PJ_MARK, PJ22MD_100), +- PINMUX_DATA(CRX1_MARK, PJ22MD_101), +- PINMUX_DATA(CRX0_CRX1_MARK, PJ22MD_110), ++ PINMUX_DATA(CRX1_PJ22_MARK, PJ22MD_101), ++ PINMUX_DATA(CRX0_CRX1_PJ22_MARK, PJ22MD_110), + + PINMUX_DATA(PJ21_DATA, PJ21MD_000), + PINMUX_DATA(DV_DATA21_MARK, PJ21MD_001), + PINMUX_DATA(LCD_DATA21_PJ21_MARK, PJ21MD_010), + PINMUX_DATA(LCD_TCON4_MARK, PJ21MD_011), + PINMUX_DATA(IRQ1_PJ_MARK, PJ21MD_100), +- PINMUX_DATA(CTX2_MARK, PJ21MD_101), ++ PINMUX_DATA(CTX2_PJ21_MARK, PJ21MD_101), ++ PINMUX_DATA(CTX0_CTX1_CTX2_PJ21_MARK, PJ21MD_110), + + PINMUX_DATA(PJ20_DATA, PJ20MD_000), + PINMUX_DATA(DV_DATA20_MARK, PJ20MD_001), + PINMUX_DATA(LCD_DATA20_PJ20_MARK, PJ20MD_010), + PINMUX_DATA(LCD_TCON3_MARK, PJ20MD_011), + PINMUX_DATA(IRQ0_PJ_MARK, PJ20MD_100), +- PINMUX_DATA(CRX2_MARK, PJ20MD_101), +- PINMUX_DATA(CRX0CRX1CRX2_PJ20_MARK, PJ20MD_110), ++ PINMUX_DATA(CRX2_PJ20_MARK, PJ20MD_101), ++ PINMUX_DATA(CRX0_CRX1_CRX2_PJ20_MARK, PJ20MD_110), + + PINMUX_DATA(PJ19_DATA, PJ19MD_000), + PINMUX_DATA(DV_DATA19_MARK, PJ19MD_001), +@@ -1666,12 +1669,24 @@ static const struct pinmux_func pinmux_func_gpios[] = { + GPIO_FN(WDTOVF), + + /* CAN */ ++ GPIO_FN(CTX2), ++ GPIO_FN(CRX2), + GPIO_FN(CTX1), + GPIO_FN(CRX1), + GPIO_FN(CTX0), + GPIO_FN(CRX0), ++ GPIO_FN(CTX0_CTX1), + GPIO_FN(CRX0_CRX1), ++ GPIO_FN(CTX0_CTX1_CTX2), + GPIO_FN(CRX0_CRX1_CRX2), ++ GPIO_FN(CTX2_PJ21), ++ GPIO_FN(CRX2_PJ20), ++ GPIO_FN(CTX1_PJ23), ++ GPIO_FN(CRX1_PJ22), ++ GPIO_FN(CTX0_CTX1_PJ23), ++ GPIO_FN(CRX0_CRX1_PJ22), ++ GPIO_FN(CTX0_CTX1_CTX2_PJ21), ++ GPIO_FN(CRX0_CRX1_CRX2_PJ20), + + /* DMAC */ + GPIO_FN(TEND0), +-- +2.20.1 + diff --git a/queue-4.14/pm-devfreq-rk3399_dmc-add-compile_test-and-have_arm_.patch b/queue-4.14/pm-devfreq-rk3399_dmc-add-compile_test-and-have_arm_.patch new file mode 100644 index 00000000000..41f8eb2fe4d --- /dev/null +++ b/queue-4.14/pm-devfreq-rk3399_dmc-add-compile_test-and-have_arm_.patch @@ -0,0 +1,53 @@ +From 0c85bf2ea42a11d87126222efeecd7d922109c6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Dec 2019 11:20:30 +0900 +Subject: PM / devfreq: rk3399_dmc: Add COMPILE_TEST and HAVE_ARM_SMCCC + dependency + +From: Chanwoo Choi + +[ Upstream commit eff5d31f7407fa9d31fb840106f1593399457298 ] + +To build test, add COMPILE_TEST depedency to both ARM_RK3399_DMC_DEVFREQ +and DEVFREQ_EVENT_ROCKCHIP_DFI configuration. And ARM_RK3399_DMC_DEVFREQ +used the SMCCC interface so that add HAVE_ARM_SMCCC dependency to prevent +the build break. + +Reported-by: kbuild test robot +Signed-off-by: Chanwoo Choi +Signed-off-by: Sasha Levin +--- + drivers/devfreq/Kconfig | 3 ++- + drivers/devfreq/event/Kconfig | 2 +- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/devfreq/Kconfig b/drivers/devfreq/Kconfig +index 6a172d338f6dc..4c4ec68b0566d 100644 +--- a/drivers/devfreq/Kconfig ++++ b/drivers/devfreq/Kconfig +@@ -103,7 +103,8 @@ config ARM_TEGRA_DEVFREQ + + config ARM_RK3399_DMC_DEVFREQ + tristate "ARM RK3399 DMC DEVFREQ Driver" +- depends on ARCH_ROCKCHIP ++ depends on (ARCH_ROCKCHIP && HAVE_ARM_SMCCC) || \ ++ (COMPILE_TEST && HAVE_ARM_SMCCC) + select DEVFREQ_EVENT_ROCKCHIP_DFI + select DEVFREQ_GOV_SIMPLE_ONDEMAND + select PM_DEVFREQ_EVENT +diff --git a/drivers/devfreq/event/Kconfig b/drivers/devfreq/event/Kconfig +index cd949800eed96..8851bc4e8e3e1 100644 +--- a/drivers/devfreq/event/Kconfig ++++ b/drivers/devfreq/event/Kconfig +@@ -33,7 +33,7 @@ config DEVFREQ_EVENT_EXYNOS_PPMU + + config DEVFREQ_EVENT_ROCKCHIP_DFI + tristate "ROCKCHIP DFI DEVFREQ event Driver" +- depends on ARCH_ROCKCHIP ++ depends on ARCH_ROCKCHIP || COMPILE_TEST + help + This add the devfreq-event driver for Rockchip SoC. It provides DFI + (DDR Monitor Module) driver to count ddr load. +-- +2.20.1 + diff --git a/queue-4.14/powerpc-powernv-iov-ensure-the-pdn-for-vfs-always-co.patch b/queue-4.14/powerpc-powernv-iov-ensure-the-pdn-for-vfs-always-co.patch new file mode 100644 index 00000000000..396d23ca482 --- /dev/null +++ b/queue-4.14/powerpc-powernv-iov-ensure-the-pdn-for-vfs-always-co.patch @@ -0,0 +1,167 @@ +From 815fff58b59e5d33a5d2757ce45705a0f9bb5a51 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Oct 2019 19:54:22 +1100 +Subject: powerpc/powernv/iov: Ensure the pdn for VFs always contains a valid + PE number + +From: Oliver O'Halloran + +[ Upstream commit 3b5b9997b331e77ce967eba2c4bc80dc3134a7fe ] + +On pseries there is a bug with adding hotplugged devices to an IOMMU +group. For a number of dumb reasons fixing that bug first requires +re-working how VFs are configured on PowerNV. For background, on +PowerNV we use the pcibios_sriov_enable() hook to do two things: + + 1. Create a pci_dn structure for each of the VFs, and + 2. Configure the PHB's internal BARs so the MMIO range for each VF + maps to a unique PE. + +Roughly speaking a PE is the hardware counterpart to a Linux IOMMU +group since all the devices in a PE share the same IOMMU table. A PE +also defines the set of devices that should be isolated in response to +a PCI error (i.e. bad DMA, UR/CA, AER events, etc). When isolated all +MMIO and DMA traffic to and from devicein the PE is blocked by the +root complex until the PE is recovered by the OS. + +The requirement to block MMIO causes a giant headache because the P8 +PHB generally uses a fixed mapping between MMIO addresses and PEs. As +a result we need to delay configuring the IOMMU groups for device +until after MMIO resources are assigned. For physical devices (i.e. +non-VFs) the PE assignment is done in pcibios_setup_bridge() which is +called immediately after the MMIO resources for downstream +devices (and the bridge's windows) are assigned. For VFs the setup is +more complicated because: + + a) pcibios_setup_bridge() is not called again when VFs are activated, and + b) The pci_dev for VFs are created by generic code which runs after + pcibios_sriov_enable() is called. + +The work around for this is a two step process: + + 1. A fixup in pcibios_add_device() is used to initialised the cached + pe_number in pci_dn, then + 2. A bus notifier then adds the device to the IOMMU group for the PE + specified in pci_dn->pe_number. + +A side effect fixing the pseries bug mentioned in the first paragraph +is moving the fixup out of pcibios_add_device() and into +pcibios_bus_add_device(), which is called much later. This results in +step 2. failing because pci_dn->pe_number won't be initialised when +the bus notifier is run. + +We can fix this by removing the need for the fixup. The PE for a VF is +known before the VF is even scanned so we can initialise +pci_dn->pe_number pcibios_sriov_enable() instead. Unfortunately, +moving the initialisation causes two problems: + + 1. We trip the WARN_ON() in the current fixup code, and + 2. The EEH core clears pdn->pe_number when recovering a VF and + relies on the fixup to correctly re-set it. + +The only justification for either of these is a comment in +eeh_rmv_device() suggesting that pdn->pe_number *must* be set to +IODA_INVALID_PE in order for the VF to be scanned. However, this +comment appears to have no basis in reality. Both bugs can be fixed by +just deleting the code. + +Tested-by: Alexey Kardashevskiy +Reviewed-by: Alexey Kardashevskiy +Signed-off-by: Oliver O'Halloran +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20191028085424.12006-1-oohall@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/eeh_driver.c | 6 ------ + arch/powerpc/platforms/powernv/pci-ioda.c | 19 +++++++++++++++---- + arch/powerpc/platforms/powernv/pci.c | 4 ---- + 3 files changed, 15 insertions(+), 14 deletions(-) + +diff --git a/arch/powerpc/kernel/eeh_driver.c b/arch/powerpc/kernel/eeh_driver.c +index 470284f9e4f66..5a48c93aaa1b3 100644 +--- a/arch/powerpc/kernel/eeh_driver.c ++++ b/arch/powerpc/kernel/eeh_driver.c +@@ -520,12 +520,6 @@ static void *eeh_rmv_device(void *data, void *userdata) + + pci_iov_remove_virtfn(edev->physfn, pdn->vf_index, 0); + edev->pdev = NULL; +- +- /* +- * We have to set the VF PE number to invalid one, which is +- * required to plug the VF successfully. +- */ +- pdn->pe_number = IODA_INVALID_PE; + #endif + if (rmv_data) + list_add(&edev->rmv_list, &rmv_data->edev_list); +diff --git a/arch/powerpc/platforms/powernv/pci-ioda.c b/arch/powerpc/platforms/powernv/pci-ioda.c +index d3d5796f7df60..36ef504eeab32 100644 +--- a/arch/powerpc/platforms/powernv/pci-ioda.c ++++ b/arch/powerpc/platforms/powernv/pci-ioda.c +@@ -1523,6 +1523,10 @@ static void pnv_ioda_setup_vf_PE(struct pci_dev *pdev, u16 num_vfs) + + /* Reserve PE for each VF */ + for (vf_index = 0; vf_index < num_vfs; vf_index++) { ++ int vf_devfn = pci_iov_virtfn_devfn(pdev, vf_index); ++ int vf_bus = pci_iov_virtfn_bus(pdev, vf_index); ++ struct pci_dn *vf_pdn; ++ + if (pdn->m64_single_mode) + pe_num = pdn->pe_num_map[vf_index]; + else +@@ -1535,13 +1539,11 @@ static void pnv_ioda_setup_vf_PE(struct pci_dev *pdev, u16 num_vfs) + pe->pbus = NULL; + pe->parent_dev = pdev; + pe->mve_number = -1; +- pe->rid = (pci_iov_virtfn_bus(pdev, vf_index) << 8) | +- pci_iov_virtfn_devfn(pdev, vf_index); ++ pe->rid = (vf_bus << 8) | vf_devfn; + + pe_info(pe, "VF %04d:%02d:%02d.%d associated with PE#%x\n", + hose->global_number, pdev->bus->number, +- PCI_SLOT(pci_iov_virtfn_devfn(pdev, vf_index)), +- PCI_FUNC(pci_iov_virtfn_devfn(pdev, vf_index)), pe_num); ++ PCI_SLOT(vf_devfn), PCI_FUNC(vf_devfn), pe_num); + + if (pnv_ioda_configure_pe(phb, pe)) { + /* XXX What do we do here ? */ +@@ -1555,6 +1557,15 @@ static void pnv_ioda_setup_vf_PE(struct pci_dev *pdev, u16 num_vfs) + list_add_tail(&pe->list, &phb->ioda.pe_list); + mutex_unlock(&phb->ioda.pe_list_mutex); + ++ /* associate this pe to it's pdn */ ++ list_for_each_entry(vf_pdn, &pdn->parent->child_list, list) { ++ if (vf_pdn->busno == vf_bus && ++ vf_pdn->devfn == vf_devfn) { ++ vf_pdn->pe_number = pe_num; ++ break; ++ } ++ } ++ + pnv_pci_ioda2_setup_dma_pe(phb, pe); + } + } +diff --git a/arch/powerpc/platforms/powernv/pci.c b/arch/powerpc/platforms/powernv/pci.c +index 961c131a5b7e8..844ca1886063b 100644 +--- a/arch/powerpc/platforms/powernv/pci.c ++++ b/arch/powerpc/platforms/powernv/pci.c +@@ -978,16 +978,12 @@ void pnv_pci_dma_dev_setup(struct pci_dev *pdev) + struct pnv_phb *phb = hose->private_data; + #ifdef CONFIG_PCI_IOV + struct pnv_ioda_pe *pe; +- struct pci_dn *pdn; + + /* Fix the VF pdn PE number */ + if (pdev->is_virtfn) { +- pdn = pci_get_pdn(pdev); +- WARN_ON(pdn->pe_number != IODA_INVALID_PE); + list_for_each_entry(pe, &phb->ioda.pe_list, list) { + if (pe->rid == ((pdev->bus->number << 8) | + (pdev->devfn & 0xff))) { +- pdn->pe_number = pe->pe_number; + pe->pdev = pdev; + break; + } +-- +2.20.1 + diff --git a/queue-4.14/powerpc-sriov-remove-vf-eeh_dev-state-when-disabling.patch b/queue-4.14/powerpc-sriov-remove-vf-eeh_dev-state-when-disabling.patch new file mode 100644 index 00000000000..1af2180159d --- /dev/null +++ b/queue-4.14/powerpc-sriov-remove-vf-eeh_dev-state-when-disabling.patch @@ -0,0 +1,57 @@ +From 9706519c37cc2b1596fbed5828cc6372c6165460 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Aug 2019 16:26:53 +1000 +Subject: powerpc/sriov: Remove VF eeh_dev state when disabling SR-IOV + +From: Oliver O'Halloran + +[ Upstream commit 1fb4124ca9d456656a324f1ee29b7bf942f59ac8 ] + +When disabling virtual functions on an SR-IOV adapter we currently do not +correctly remove the EEH state for the now-dead virtual functions. When +removing the pci_dn that was created for the VF when SR-IOV was enabled +we free the corresponding eeh_dev without removing it from the child device +list of the eeh_pe that contained it. This can result in crashes due to the +use-after-free. + +Signed-off-by: Oliver O'Halloran +Reviewed-by: Sam Bobroff +Tested-by: Sam Bobroff +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20190821062655.19735-1-oohall@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/pci_dn.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/kernel/pci_dn.c b/arch/powerpc/kernel/pci_dn.c +index 0e395afbf0f49..0e45a446a8c78 100644 +--- a/arch/powerpc/kernel/pci_dn.c ++++ b/arch/powerpc/kernel/pci_dn.c +@@ -261,9 +261,22 @@ void remove_dev_pci_data(struct pci_dev *pdev) + continue; + + #ifdef CONFIG_EEH +- /* Release EEH device for the VF */ ++ /* ++ * Release EEH state for this VF. The PCI core ++ * has already torn down the pci_dev for this VF, but ++ * we're responsible to removing the eeh_dev since it ++ * has the same lifetime as the pci_dn that spawned it. ++ */ + edev = pdn_to_eeh_dev(pdn); + if (edev) { ++ /* ++ * We allocate pci_dn's for the totalvfs count, ++ * but only only the vfs that were activated ++ * have a configured PE. ++ */ ++ if (edev->pe) ++ eeh_rmv_from_parent_pe(edev); ++ + pdn->edev = NULL; + kfree(edev); + } +-- +2.20.1 + diff --git a/queue-4.14/pwm-omap-dmtimer-remove-pwm-chip-in-.remove-before-m.patch b/queue-4.14/pwm-omap-dmtimer-remove-pwm-chip-in-.remove-before-m.patch new file mode 100644 index 00000000000..107e4a1573c --- /dev/null +++ b/queue-4.14/pwm-omap-dmtimer-remove-pwm-chip-in-.remove-before-m.patch @@ -0,0 +1,53 @@ +From 95cfe75219fa0457cd9c89944c02e8dd4272b78a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Nov 2019 10:03:54 +0100 +Subject: pwm: omap-dmtimer: Remove PWM chip in .remove before making it + unfunctional +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 43efdc8f0e6d7088ec61bd55a73bf853f002d043 ] + +In the old code (e.g.) mutex_destroy() was called before +pwmchip_remove(). Between these two calls it is possible that a PWM +callback is used which tries to grab the mutex. + +Fixes: 6604c6556db9 ("pwm: Add PWM driver for OMAP using dual-mode timers") +Signed-off-by: Uwe Kleine-König +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-omap-dmtimer.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/pwm/pwm-omap-dmtimer.c b/drivers/pwm/pwm-omap-dmtimer.c +index 5ad42f33e70c1..2e15acf13893d 100644 +--- a/drivers/pwm/pwm-omap-dmtimer.c ++++ b/drivers/pwm/pwm-omap-dmtimer.c +@@ -337,6 +337,11 @@ static int pwm_omap_dmtimer_probe(struct platform_device *pdev) + static int pwm_omap_dmtimer_remove(struct platform_device *pdev) + { + struct pwm_omap_dmtimer_chip *omap = platform_get_drvdata(pdev); ++ int ret; ++ ++ ret = pwmchip_remove(&omap->chip); ++ if (ret) ++ return ret; + + if (pm_runtime_active(&omap->dm_timer_pdev->dev)) + omap->pdata->stop(omap->dm_timer); +@@ -345,7 +350,7 @@ static int pwm_omap_dmtimer_remove(struct platform_device *pdev) + + mutex_destroy(&omap->mutex); + +- return pwmchip_remove(&omap->chip); ++ return 0; + } + + static const struct of_device_id pwm_omap_dmtimer_of_match[] = { +-- +2.20.1 + diff --git a/queue-4.14/pwm-remove-set-but-not-set-variable-pwm.patch b/queue-4.14/pwm-remove-set-but-not-set-variable-pwm.patch new file mode 100644 index 00000000000..478bd4b54d8 --- /dev/null +++ b/queue-4.14/pwm-remove-set-but-not-set-variable-pwm.patch @@ -0,0 +1,51 @@ +From 4abbecb3b8d1894814ba1f1ad41b839f286555f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jan 2020 19:51:43 +0800 +Subject: pwm: Remove set but not set variable 'pwm' +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: yu kuai + +[ Upstream commit 9871abffc81048e20f02e15d6aa4558a44ad53ea ] + +Fixes gcc '-Wunused-but-set-variable' warning: + + drivers/pwm/pwm-pca9685.c: In function ‘pca9685_pwm_gpio_free’: + drivers/pwm/pwm-pca9685.c:162:21: warning: variable ‘pwm’ set but not used [-Wunused-but-set-variable] + +It is never used, and so can be removed. In that case, hold and release +the lock 'pca->lock' can be removed since nothing will be done between +them. + +Fixes: e926b12c611c ("pwm: Clear chip_data in pwm_put()") +Signed-off-by: yu kuai +Acked-by: Uwe Kleine-König +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-pca9685.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/pwm/pwm-pca9685.c b/drivers/pwm/pwm-pca9685.c +index 567f5e2771c47..e1e5dfcb16f36 100644 +--- a/drivers/pwm/pwm-pca9685.c ++++ b/drivers/pwm/pwm-pca9685.c +@@ -170,13 +170,9 @@ static void pca9685_pwm_gpio_set(struct gpio_chip *gpio, unsigned int offset, + static void pca9685_pwm_gpio_free(struct gpio_chip *gpio, unsigned int offset) + { + struct pca9685 *pca = gpiochip_get_data(gpio); +- struct pwm_device *pwm; + + pca9685_pwm_gpio_set(gpio, offset, 0); + pm_runtime_put(pca->chip.dev); +- mutex_lock(&pca->lock); +- pwm = &pca->chip.pwms[offset]; +- mutex_unlock(&pca->lock); + } + + static int pca9685_pwm_gpio_get_direction(struct gpio_chip *chip, +-- +2.20.1 + diff --git a/queue-4.14/pxa168fb-fix-the-function-used-to-release-some-memor.patch b/queue-4.14/pxa168fb-fix-the-function-used-to-release-some-memor.patch new file mode 100644 index 00000000000..a70080453e6 --- /dev/null +++ b/queue-4.14/pxa168fb-fix-the-function-used-to-release-some-memor.patch @@ -0,0 +1,57 @@ +From a1b3d74e959f1f686620a30d2a53cc564aa1ff0c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 31 Aug 2019 12:00:24 +0200 +Subject: pxa168fb: Fix the function used to release some memory in an error + handling path + +From: Christophe JAILLET + +[ Upstream commit 3c911fe799d1c338d94b78e7182ad452c37af897 ] + +In the probe function, some resources are allocated using 'dma_alloc_wc()', +they should be released with 'dma_free_wc()', not 'dma_free_coherent()'. + +We already use 'dma_free_wc()' in the remove function, but not in the +error handling path of the probe function. + +Also, remove a useless 'PAGE_ALIGN()'. 'info->fix.smem_len' is already +PAGE_ALIGNed. + +Fixes: 638772c7553f ("fb: add support of LCD display controller on pxa168/910 (base layer)") +Signed-off-by: Christophe JAILLET +Reviewed-by: Lubomir Rintel +CC: YueHaibing +Signed-off-by: Bartlomiej Zolnierkiewicz +Link: https://patchwork.freedesktop.org/patch/msgid/20190831100024.3248-1-christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/pxa168fb.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/video/fbdev/pxa168fb.c b/drivers/video/fbdev/pxa168fb.c +index d059d04c63acd..20195d3dbf088 100644 +--- a/drivers/video/fbdev/pxa168fb.c ++++ b/drivers/video/fbdev/pxa168fb.c +@@ -769,8 +769,8 @@ failed_free_cmap: + failed_free_clk: + clk_disable_unprepare(fbi->clk); + failed_free_fbmem: +- dma_free_coherent(fbi->dev, info->fix.smem_len, +- info->screen_base, fbi->fb_start_dma); ++ dma_free_wc(fbi->dev, info->fix.smem_len, ++ info->screen_base, fbi->fb_start_dma); + failed_free_info: + kfree(info); + +@@ -804,7 +804,7 @@ static int pxa168fb_remove(struct platform_device *pdev) + + irq = platform_get_irq(pdev, 0); + +- dma_free_wc(fbi->dev, PAGE_ALIGN(info->fix.smem_len), ++ dma_free_wc(fbi->dev, info->fix.smem_len, + info->screen_base, info->fix.smem_start); + + clk_disable_unprepare(fbi->clk); +-- +2.20.1 + diff --git a/queue-4.14/radeon-insert-10ms-sleep-in-dce5_crtc_load_lut.patch b/queue-4.14/radeon-insert-10ms-sleep-in-dce5_crtc_load_lut.patch new file mode 100644 index 00000000000..03607812295 --- /dev/null +++ b/queue-4.14/radeon-insert-10ms-sleep-in-dce5_crtc_load_lut.patch @@ -0,0 +1,53 @@ +From 85d2c32035750dba4acb5aeefeb174acc15a6bc2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Jan 2020 17:09:52 +0100 +Subject: radeon: insert 10ms sleep in dce5_crtc_load_lut +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Daniel Vetter + +[ Upstream commit ec3d65082d7dabad6fa8f66a8ef166f2d522d6b2 ] + +Per at least one tester this is enough magic to recover the regression +introduced for some people (but not all) in + +commit b8e2b0199cc377617dc238f5106352c06dcd3fa2 +Author: Peter Rosin +Date: Tue Jul 4 12:36:57 2017 +0200 + + drm/fb-helper: factor out pseudo-palette + +which for radeon had the side-effect of refactoring out a seemingly +redudant writing of the color palette. + +10ms in a fairly slow modeset path feels like an acceptable form of +duct-tape, so maybe worth a shot and see what sticks. + +Cc: Alex Deucher +Cc: Michel Dänzer +References: https://bugzilla.kernel.org/show_bug.cgi?id=198123 +Signed-off-by: Daniel Vetter +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/radeon_display.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/radeon/radeon_display.c b/drivers/gpu/drm/radeon/radeon_display.c +index 4f94b78cb4647..d86110cdf0852 100644 +--- a/drivers/gpu/drm/radeon/radeon_display.c ++++ b/drivers/gpu/drm/radeon/radeon_display.c +@@ -119,6 +119,8 @@ static void dce5_crtc_load_lut(struct drm_crtc *crtc) + + DRM_DEBUG_KMS("%d\n", radeon_crtc->crtc_id); + ++ msleep(10); ++ + WREG32(NI_INPUT_CSC_CONTROL + radeon_crtc->crtc_offset, + (NI_INPUT_CSC_GRPH_MODE(NI_INPUT_CSC_BYPASS) | + NI_INPUT_CSC_OVL_MODE(NI_INPUT_CSC_BYPASS))); +-- +2.20.1 + diff --git a/queue-4.14/rcu-use-write_once-for-assignments-to-pprev-for-hlis.patch b/queue-4.14/rcu-use-write_once-for-assignments-to-pprev-for-hlis.patch new file mode 100644 index 00000000000..f6f6f4db946 --- /dev/null +++ b/queue-4.14/rcu-use-write_once-for-assignments-to-pprev-for-hlis.patch @@ -0,0 +1,169 @@ +From 81121cafba4478ef914a9b58fe215e9fc5f2c39a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Nov 2019 09:42:13 -0800 +Subject: rcu: Use WRITE_ONCE() for assignments to ->pprev for hlist_nulls + +From: Paul E. McKenney + +[ Upstream commit 860c8802ace14c646864795e057349c9fb2d60ad ] + +Eric Dumazet supplied a KCSAN report of a bug that forces use +of hlist_unhashed_lockless() from sk_unhashed(): + +------------------------------------------------------------------------ + +BUG: KCSAN: data-race in inet_unhash / inet_unhash + +write to 0xffff8880a69a0170 of 8 bytes by interrupt on cpu 1: + __hlist_nulls_del include/linux/list_nulls.h:88 [inline] + hlist_nulls_del_init_rcu include/linux/rculist_nulls.h:36 [inline] + __sk_nulls_del_node_init_rcu include/net/sock.h:676 [inline] + inet_unhash+0x38f/0x4a0 net/ipv4/inet_hashtables.c:612 + tcp_set_state+0xfa/0x3e0 net/ipv4/tcp.c:2249 + tcp_done+0x93/0x1e0 net/ipv4/tcp.c:3854 + tcp_write_err+0x7e/0xc0 net/ipv4/tcp_timer.c:56 + tcp_retransmit_timer+0x9b8/0x16d0 net/ipv4/tcp_timer.c:479 + tcp_write_timer_handler+0x42d/0x510 net/ipv4/tcp_timer.c:599 + tcp_write_timer+0xd1/0xf0 net/ipv4/tcp_timer.c:619 + call_timer_fn+0x5f/0x2f0 kernel/time/timer.c:1404 + expire_timers kernel/time/timer.c:1449 [inline] + __run_timers kernel/time/timer.c:1773 [inline] + __run_timers kernel/time/timer.c:1740 [inline] + run_timer_softirq+0xc0c/0xcd0 kernel/time/timer.c:1786 + __do_softirq+0x115/0x33f kernel/softirq.c:292 + invoke_softirq kernel/softirq.c:373 [inline] + irq_exit+0xbb/0xe0 kernel/softirq.c:413 + exiting_irq arch/x86/include/asm/apic.h:536 [inline] + smp_apic_timer_interrupt+0xe6/0x280 arch/x86/kernel/apic/apic.c:1137 + apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830 + native_safe_halt+0xe/0x10 arch/x86/kernel/paravirt.c:71 + arch_cpu_idle+0x1f/0x30 arch/x86/kernel/process.c:571 + default_idle_call+0x1e/0x40 kernel/sched/idle.c:94 + cpuidle_idle_call kernel/sched/idle.c:154 [inline] + do_idle+0x1af/0x280 kernel/sched/idle.c:263 + cpu_startup_entry+0x1b/0x20 kernel/sched/idle.c:355 + start_secondary+0x208/0x260 arch/x86/kernel/smpboot.c:264 + secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:241 + +read to 0xffff8880a69a0170 of 8 bytes by interrupt on cpu 0: + sk_unhashed include/net/sock.h:607 [inline] + inet_unhash+0x3d/0x4a0 net/ipv4/inet_hashtables.c:592 + tcp_set_state+0xfa/0x3e0 net/ipv4/tcp.c:2249 + tcp_done+0x93/0x1e0 net/ipv4/tcp.c:3854 + tcp_write_err+0x7e/0xc0 net/ipv4/tcp_timer.c:56 + tcp_retransmit_timer+0x9b8/0x16d0 net/ipv4/tcp_timer.c:479 + tcp_write_timer_handler+0x42d/0x510 net/ipv4/tcp_timer.c:599 + tcp_write_timer+0xd1/0xf0 net/ipv4/tcp_timer.c:619 + call_timer_fn+0x5f/0x2f0 kernel/time/timer.c:1404 + expire_timers kernel/time/timer.c:1449 [inline] + __run_timers kernel/time/timer.c:1773 [inline] + __run_timers kernel/time/timer.c:1740 [inline] + run_timer_softirq+0xc0c/0xcd0 kernel/time/timer.c:1786 + __do_softirq+0x115/0x33f kernel/softirq.c:292 + invoke_softirq kernel/softirq.c:373 [inline] + irq_exit+0xbb/0xe0 kernel/softirq.c:413 + exiting_irq arch/x86/include/asm/apic.h:536 [inline] + smp_apic_timer_interrupt+0xe6/0x280 arch/x86/kernel/apic/apic.c:1137 + apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830 + native_safe_halt+0xe/0x10 arch/x86/kernel/paravirt.c:71 + arch_cpu_idle+0x1f/0x30 arch/x86/kernel/process.c:571 + default_idle_call+0x1e/0x40 kernel/sched/idle.c:94 + cpuidle_idle_call kernel/sched/idle.c:154 [inline] + do_idle+0x1af/0x280 kernel/sched/idle.c:263 + cpu_startup_entry+0x1b/0x20 kernel/sched/idle.c:355 + rest_init+0xec/0xf6 init/main.c:452 + arch_call_rest_init+0x17/0x37 + start_kernel+0x838/0x85e init/main.c:786 + x86_64_start_reservations+0x29/0x2b arch/x86/kernel/head64.c:490 + x86_64_start_kernel+0x72/0x76 arch/x86/kernel/head64.c:471 + secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:241 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.0-rc6+ #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, +BIOS Google 01/01/2011 + +------------------------------------------------------------------------ + +This commit therefore replaces C-language assignments with WRITE_ONCE() +in include/linux/list_nulls.h and include/linux/rculist_nulls.h. + +Reported-by: Eric Dumazet # For KCSAN +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + include/linux/list_nulls.h | 8 ++++---- + include/linux/rculist_nulls.h | 8 ++++---- + 2 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/include/linux/list_nulls.h b/include/linux/list_nulls.h +index 3ef96743db8da..1ecd35664e0d3 100644 +--- a/include/linux/list_nulls.h ++++ b/include/linux/list_nulls.h +@@ -72,10 +72,10 @@ static inline void hlist_nulls_add_head(struct hlist_nulls_node *n, + struct hlist_nulls_node *first = h->first; + + n->next = first; +- n->pprev = &h->first; ++ WRITE_ONCE(n->pprev, &h->first); + h->first = n; + if (!is_a_nulls(first)) +- first->pprev = &n->next; ++ WRITE_ONCE(first->pprev, &n->next); + } + + static inline void __hlist_nulls_del(struct hlist_nulls_node *n) +@@ -85,13 +85,13 @@ static inline void __hlist_nulls_del(struct hlist_nulls_node *n) + + WRITE_ONCE(*pprev, next); + if (!is_a_nulls(next)) +- next->pprev = pprev; ++ WRITE_ONCE(next->pprev, pprev); + } + + static inline void hlist_nulls_del(struct hlist_nulls_node *n) + { + __hlist_nulls_del(n); +- n->pprev = LIST_POISON2; ++ WRITE_ONCE(n->pprev, LIST_POISON2); + } + + /** +diff --git a/include/linux/rculist_nulls.h b/include/linux/rculist_nulls.h +index a10da545b3f67..cf64a94922566 100644 +--- a/include/linux/rculist_nulls.h ++++ b/include/linux/rculist_nulls.h +@@ -34,7 +34,7 @@ static inline void hlist_nulls_del_init_rcu(struct hlist_nulls_node *n) + { + if (!hlist_nulls_unhashed(n)) { + __hlist_nulls_del(n); +- n->pprev = NULL; ++ WRITE_ONCE(n->pprev, NULL); + } + } + +@@ -66,7 +66,7 @@ static inline void hlist_nulls_del_init_rcu(struct hlist_nulls_node *n) + static inline void hlist_nulls_del_rcu(struct hlist_nulls_node *n) + { + __hlist_nulls_del(n); +- n->pprev = LIST_POISON2; ++ WRITE_ONCE(n->pprev, LIST_POISON2); + } + + /** +@@ -94,10 +94,10 @@ static inline void hlist_nulls_add_head_rcu(struct hlist_nulls_node *n, + struct hlist_nulls_node *first = h->first; + + n->next = first; +- n->pprev = &h->first; ++ WRITE_ONCE(n->pprev, &h->first); + rcu_assign_pointer(hlist_nulls_first_rcu(h), n); + if (!is_a_nulls(first)) +- first->pprev = &n->next; ++ WRITE_ONCE(first->pprev, &n->next); + } + + /** +-- +2.20.1 + diff --git a/queue-4.14/rdma-rxe-fix-error-type-of-mmap_offset.patch b/queue-4.14/rdma-rxe-fix-error-type-of-mmap_offset.patch new file mode 100644 index 00000000000..b18cf646cdd --- /dev/null +++ b/queue-4.14/rdma-rxe-fix-error-type-of-mmap_offset.patch @@ -0,0 +1,38 @@ +From 264369babffb8b6cd004078383df665c601ec66a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Dec 2019 19:36:13 +0800 +Subject: RDMA/rxe: Fix error type of mmap_offset + +From: Jiewei Ke + +[ Upstream commit 6ca18d8927d468c763571f78c9a7387a69ffa020 ] + +The type of mmap_offset should be u64 instead of int to match the type of +mminfo.offset. If otherwise, after we create several thousands of CQs, it +will run into overflow issues. + +Link: https://lore.kernel.org/r/20191227113613.5020-1-kejiewei.cn@gmail.com +Signed-off-by: Jiewei Ke +Reviewed-by: Jason Gunthorpe +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_verbs.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_verbs.h b/drivers/infiniband/sw/rxe/rxe_verbs.h +index d1cc89f6f2e33..46c8a66731e6c 100644 +--- a/drivers/infiniband/sw/rxe/rxe_verbs.h ++++ b/drivers/infiniband/sw/rxe/rxe_verbs.h +@@ -408,7 +408,7 @@ struct rxe_dev { + struct list_head pending_mmaps; + + spinlock_t mmap_offset_lock; /* guard mmap_offset */ +- int mmap_offset; ++ u64 mmap_offset; + + atomic64_t stats_counters[RXE_NUM_OF_COUNTERS]; + +-- +2.20.1 + diff --git a/queue-4.14/regulator-rk808-lower-log-level-on-optional-gpios-be.patch b/queue-4.14/regulator-rk808-lower-log-level-on-optional-gpios-be.patch new file mode 100644 index 00000000000..e487432ae50 --- /dev/null +++ b/queue-4.14/regulator-rk808-lower-log-level-on-optional-gpios-be.patch @@ -0,0 +1,45 @@ +From 5542bdc23fcdd55d51ba116f25584bd034b45583 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2019 17:47:09 +0100 +Subject: regulator: rk808: Lower log level on optional GPIOs being not + available + +From: Miquel Raynal + +[ Upstream commit b8a039d37792067c1a380dc710361905724b9b2f ] + +RK808 can leverage a couple of GPIOs to tweak the ramp rate during DVS +(Dynamic Voltage Scaling). These GPIOs are entirely optional but a +dev_warn() appeared when cleaning this driver to use a more up-to-date +gpiod API. At least reduce the log level to 'info' as it is totally +fine to not populate these GPIO on a hardware design. + +This change is trivial but it is worth not polluting the logs during +bringup phase by having real warnings and errors sorted out +correctly. + +Fixes: a13eaf02e2d6 ("regulator: rk808: make better use of the gpiod API") +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/r/20191203164709.11127-1-miquel.raynal@bootlin.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/rk808-regulator.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/regulator/rk808-regulator.c b/drivers/regulator/rk808-regulator.c +index 213b68743cc89..92498ac503035 100644 +--- a/drivers/regulator/rk808-regulator.c ++++ b/drivers/regulator/rk808-regulator.c +@@ -714,7 +714,7 @@ static int rk808_regulator_dt_parse_pdata(struct device *dev, + } + + if (!pdata->dvs_gpio[i]) { +- dev_warn(dev, "there is no dvs%d gpio\n", i); ++ dev_info(dev, "there is no dvs%d gpio\n", i); + continue; + } + +-- +2.20.1 + diff --git a/queue-4.14/reiserfs-fix-spurious-unlock-in-reiserfs_fill_super-.patch b/queue-4.14/reiserfs-fix-spurious-unlock-in-reiserfs_fill_super-.patch new file mode 100644 index 00000000000..ca1ab7c2ddd --- /dev/null +++ b/queue-4.14/reiserfs-fix-spurious-unlock-in-reiserfs_fill_super-.patch @@ -0,0 +1,36 @@ +From 0a3eb5595d3c41d4ed445499c579ccc0f5c5ff89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Dec 2019 11:35:58 +0100 +Subject: reiserfs: Fix spurious unlock in reiserfs_fill_super() error handling + +From: Jan Kara + +[ Upstream commit 4d5c1adaf893b8aa52525d2b81995e949bcb3239 ] + +When we fail to allocate string for journal device name we jump to +'error' label which tries to unlock reiserfs write lock which is not +held. Jump to 'error_unlocked' instead. + +Fixes: f32485be8397 ("reiserfs: delay reiserfs lock until journal initialization") +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/reiserfs/super.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/reiserfs/super.c b/fs/reiserfs/super.c +index 5208d85dd30c5..9caf3948417c0 100644 +--- a/fs/reiserfs/super.c ++++ b/fs/reiserfs/super.c +@@ -1954,7 +1954,7 @@ static int reiserfs_fill_super(struct super_block *s, void *data, int silent) + if (!sbi->s_jdev) { + SWARN(silent, s, "", "Cannot allocate memory for " + "journal device name"); +- goto error; ++ goto error_unlocked; + } + } + #ifdef CONFIG_QUOTA +-- +2.20.1 + diff --git a/queue-4.14/reiserfs-prevent-null-pointer-dereference-in-reiserf.patch b/queue-4.14/reiserfs-prevent-null-pointer-dereference-in-reiserf.patch new file mode 100644 index 00000000000..27750b2e98b --- /dev/null +++ b/queue-4.14/reiserfs-prevent-null-pointer-dereference-in-reiserf.patch @@ -0,0 +1,44 @@ +From d85ea50bf782b86e97eef09cc406aae3dfacdc8b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jan 2020 22:17:26 -0800 +Subject: reiserfs: prevent NULL pointer dereference in reiserfs_insert_item() + +From: Yunfeng Ye + +[ Upstream commit aacee5446a2a1aa35d0a49dab289552578657fb4 ] + +The variable inode may be NULL in reiserfs_insert_item(), but there is +no check before accessing the member of inode. + +Fix this by adding NULL pointer check before calling reiserfs_debug(). + +Link: http://lkml.kernel.org/r/79c5135d-ff25-1cc9-4e99-9f572b88cc00@huawei.com +Signed-off-by: Yunfeng Ye +Cc: zhengbin +Cc: Hu Shiyuan +Cc: Feilong Lin +Cc: Jan Kara +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/reiserfs/stree.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/reiserfs/stree.c b/fs/reiserfs/stree.c +index 0037aea97d39a..2946713cb00d6 100644 +--- a/fs/reiserfs/stree.c ++++ b/fs/reiserfs/stree.c +@@ -2250,7 +2250,8 @@ error_out: + /* also releases the path */ + unfix_nodes(&s_ins_balance); + #ifdef REISERQUOTA_DEBUG +- reiserfs_debug(th->t_super, REISERFS_DEBUG_CODE, ++ if (inode) ++ reiserfs_debug(th->t_super, REISERFS_DEBUG_CODE, + "reiserquota insert_item(): freeing %u id=%u type=%c", + quota_bytes, inode->i_uid, head2type(ih)); + #endif +-- +2.20.1 + diff --git a/queue-4.14/remoteproc-initialize-rproc_class-before-use.patch b/queue-4.14/remoteproc-initialize-rproc_class-before-use.patch new file mode 100644 index 00000000000..e428133ba92 --- /dev/null +++ b/queue-4.14/remoteproc-initialize-rproc_class-before-use.patch @@ -0,0 +1,73 @@ +From a2548a01e490974549b458c3a6a66de1bd07c90e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 May 2019 17:52:23 -0500 +Subject: remoteproc: Initialize rproc_class before use + +From: Brandon Maier + +[ Upstream commit a8f40111d184098cd2b3dc0c7170c42250a5fa09 ] + +The remoteproc_core and remoteproc drivers all initialize with module_init(). +However remoteproc drivers need the rproc_class during their probe. If one of +the remoteproc drivers runs init and gets through probe before +remoteproc_init() runs, a NULL pointer access of rproc_class's `glue_dirs` +spinlock occurs. + +> Unable to handle kernel NULL pointer dereference at virtual address 000000dc +> pgd = c0004000 +> [000000dc] *pgd=00000000 +> Internal error: Oops: 5 [#1] PREEMPT ARM +> Modules linked in: +> CPU: 0 PID: 1 Comm: swapper Tainted: G W 4.14.106-rt56 #1 +> Hardware name: Generic OMAP36xx (Flattened Device Tree) +> task: c6050000 task.stack: c604a000 +> PC is at rt_spin_lock+0x40/0x6c +> LR is at rt_spin_lock+0x28/0x6c +> pc : [] lr : [] psr: 60000013 +> sp : c604bdc0 ip : 00000000 fp : 00000000 +> r10: 00000000 r9 : c61c7c10 r8 : c6269c20 +> r7 : c0905888 r6 : c6269c20 r5 : 00000000 r4 : 000000d4 +> r3 : 000000dc r2 : c6050000 r1 : 00000002 r0 : 000000d4 +> Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none +... +> [] (rt_spin_lock) from [] (get_device_parent+0x54/0x17c) +> [] (get_device_parent) from [] (device_add+0xe0/0x5b4) +> [] (device_add) from [] (rproc_add+0x18/0xd8) +> [] (rproc_add) from [] (my_rproc_probe+0x158/0x204) +> [] (my_rproc_probe) from [] (platform_drv_probe+0x34/0x70) +> [] (platform_drv_probe) from [] (driver_probe_device+0x2c8/0x420) +> [] (driver_probe_device) from [] (__driver_attach+0x100/0x11c) +> [] (__driver_attach) from [] (bus_for_each_dev+0x7c/0xc0) +> [] (bus_for_each_dev) from [] (bus_add_driver+0x1cc/0x264) +> [] (bus_add_driver) from [] (driver_register+0x78/0xf8) +> [] (driver_register) from [] (do_one_initcall+0x100/0x190) +> [] (do_one_initcall) from [] (kernel_init_freeable+0x130/0x1d0) +> [] (kernel_init_freeable) from [] (kernel_init+0x8/0x114) +> [] (kernel_init) from [] (ret_from_fork+0x14/0x24) +> Code: e2843008 e3c2203f f5d3f000 e5922010 (e193cf9f) +> ---[ end trace 0000000000000002 ]--- + +Signed-off-by: Brandon Maier +Link: https://lore.kernel.org/r/20190530225223.136420-1-brandon.maier@rockwellcollins.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/remoteproc/remoteproc_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/remoteproc/remoteproc_core.c b/drivers/remoteproc/remoteproc_core.c +index eab14b414bf0d..cc733b89560a1 100644 +--- a/drivers/remoteproc/remoteproc_core.c ++++ b/drivers/remoteproc/remoteproc_core.c +@@ -1620,7 +1620,7 @@ static int __init remoteproc_init(void) + + return 0; + } +-module_init(remoteproc_init); ++subsys_initcall(remoteproc_init); + + static void __exit remoteproc_exit(void) + { +-- +2.20.1 + diff --git a/queue-4.14/rtlwifi-rtl_pci-fix-wcast-function-type.patch b/queue-4.14/rtlwifi-rtl_pci-fix-wcast-function-type.patch new file mode 100644 index 00000000000..b9d43bb8219 --- /dev/null +++ b/queue-4.14/rtlwifi-rtl_pci-fix-wcast-function-type.patch @@ -0,0 +1,58 @@ +From 6db9bd730be8e3f973b22c25dcb968be1e39b506 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Nov 2019 00:55:29 +0700 +Subject: rtlwifi: rtl_pci: Fix -Wcast-function-type + +From: Phong Tran + +[ Upstream commit cb775c88da5d48a85d99d95219f637b6fad2e0e9 ] + +correct usage prototype of callback in tasklet_init(). +Report by https://github.com/KSPP/linux/issues/20 + +Signed-off-by: Phong Tran +Reviewed-by: Kees Cook +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/pci.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c +index 457a0f725c8aa..ab74f31558540 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/pci.c ++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c +@@ -1091,13 +1091,15 @@ done: + return ret; + } + +-static void _rtl_pci_irq_tasklet(struct ieee80211_hw *hw) ++static void _rtl_pci_irq_tasklet(unsigned long data) + { ++ struct ieee80211_hw *hw = (struct ieee80211_hw *)data; + _rtl_pci_tx_chk_waitq(hw); + } + +-static void _rtl_pci_prepare_bcn_tasklet(struct ieee80211_hw *hw) ++static void _rtl_pci_prepare_bcn_tasklet(unsigned long data) + { ++ struct ieee80211_hw *hw = (struct ieee80211_hw *)data; + struct rtl_priv *rtlpriv = rtl_priv(hw); + struct rtl_pci *rtlpci = rtl_pcidev(rtl_pcipriv(hw)); + struct rtl_mac *mac = rtl_mac(rtl_priv(hw)); +@@ -1223,10 +1225,10 @@ static void _rtl_pci_init_struct(struct ieee80211_hw *hw, + + /*task */ + tasklet_init(&rtlpriv->works.irq_tasklet, +- (void (*)(unsigned long))_rtl_pci_irq_tasklet, ++ _rtl_pci_irq_tasklet, + (unsigned long)hw); + tasklet_init(&rtlpriv->works.irq_prepare_bcn_tasklet, +- (void (*)(unsigned long))_rtl_pci_prepare_bcn_tasklet, ++ _rtl_pci_prepare_bcn_tasklet, + (unsigned long)hw); + INIT_WORK(&rtlpriv->works.lps_change_work, + rtl_lps_change_work_callback); +-- +2.20.1 + diff --git a/queue-4.14/s390-ftrace-generate-traced-function-stack-frame.patch b/queue-4.14/s390-ftrace-generate-traced-function-stack-frame.patch new file mode 100644 index 00000000000..adcdb9a7653 --- /dev/null +++ b/queue-4.14/s390-ftrace-generate-traced-function-stack-frame.patch @@ -0,0 +1,103 @@ +From 3f7894d3ea45b6cc109deb6599446714a9cf845e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2019 14:33:39 +0100 +Subject: s390/ftrace: generate traced function stack frame + +From: Vasily Gorbik + +[ Upstream commit 45f7a0da600d3c409b5ad8d5ddddacd98ddc8840 ] + +Currently backtrace from ftraced function does not contain ftraced +function itself. e.g. for "path_openat": + +arch_stack_walk+0x15c/0x2d8 +stack_trace_save+0x50/0x68 +stack_trace_call+0x15e/0x3d8 +ftrace_graph_caller+0x0/0x1c <-- ftrace code +do_filp_open+0x7c/0xe8 <-- ftraced function caller +do_open_execat+0x76/0x1b8 +open_exec+0x52/0x78 +load_elf_binary+0x180/0x1160 +search_binary_handler+0x8e/0x288 +load_script+0x2a8/0x2b8 +search_binary_handler+0x8e/0x288 +__do_execve_file.isra.39+0x6fa/0xb40 +__s390x_sys_execve+0x56/0x68 +system_call+0xdc/0x2d8 + +Ftraced function is expected in the backtrace by ftrace kselftests, which +are now failing. It would also be nice to have it for clarity reasons. + +"ftrace_caller" itself is called without stack frame allocated for it +and does not store its caller (ftraced function). Instead it simply +allocates a stack frame for "ftrace_trace_function" and sets backchain +to point to ftraced function stack frame (which contains ftraced function +caller in saved r14). + +To fix this issue make "ftrace_caller" allocate a stack frame +for itself just to store ftraced function for the stack unwinder. +As a result backtrace looks like the following: + +arch_stack_walk+0x15c/0x2d8 +stack_trace_save+0x50/0x68 +stack_trace_call+0x15e/0x3d8 +ftrace_graph_caller+0x0/0x1c <-- ftrace code +path_openat+0x6/0xd60 <-- ftraced function +do_filp_open+0x7c/0xe8 <-- ftraced function caller +do_open_execat+0x76/0x1b8 +open_exec+0x52/0x78 +load_elf_binary+0x180/0x1160 +search_binary_handler+0x8e/0x288 +load_script+0x2a8/0x2b8 +search_binary_handler+0x8e/0x288 +__do_execve_file.isra.39+0x6fa/0xb40 +__s390x_sys_execve+0x56/0x68 +system_call+0xdc/0x2d8 + +Reported-by: Sven Schnelle +Tested-by: Sven Schnelle +Reviewed-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/mcount.S | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/arch/s390/kernel/mcount.S b/arch/s390/kernel/mcount.S +index 27110f3294edc..0cfd5a83a1daa 100644 +--- a/arch/s390/kernel/mcount.S ++++ b/arch/s390/kernel/mcount.S +@@ -25,6 +25,12 @@ ENTRY(ftrace_stub) + #define STACK_PTREGS (STACK_FRAME_OVERHEAD) + #define STACK_PTREGS_GPRS (STACK_PTREGS + __PT_GPRS) + #define STACK_PTREGS_PSW (STACK_PTREGS + __PT_PSW) ++#ifdef __PACK_STACK ++/* allocate just enough for r14, r15 and backchain */ ++#define TRACED_FUNC_FRAME_SIZE 24 ++#else ++#define TRACED_FUNC_FRAME_SIZE STACK_FRAME_OVERHEAD ++#endif + + ENTRY(_mcount) + BR_EX %r14 +@@ -38,9 +44,16 @@ ENTRY(ftrace_caller) + #ifndef CC_USING_HOTPATCH + aghi %r0,MCOUNT_RETURN_FIXUP + #endif +- aghi %r15,-STACK_FRAME_SIZE ++ # allocate stack frame for ftrace_caller to contain traced function ++ aghi %r15,-TRACED_FUNC_FRAME_SIZE + stg %r1,__SF_BACKCHAIN(%r15) ++ stg %r0,(__SF_GPRS+8*8)(%r15) ++ stg %r15,(__SF_GPRS+9*8)(%r15) ++ # allocate pt_regs and stack frame for ftrace_trace_function ++ aghi %r15,-STACK_FRAME_SIZE + stg %r1,(STACK_PTREGS_GPRS+15*8)(%r15) ++ aghi %r1,-TRACED_FUNC_FRAME_SIZE ++ stg %r1,__SF_BACKCHAIN(%r15) + stg %r0,(STACK_PTREGS_PSW+8)(%r15) + stmg %r2,%r14,(STACK_PTREGS_GPRS+2*8)(%r15) + #ifdef CONFIG_HAVE_MARCH_Z196_FEATURES +-- +2.20.1 + diff --git a/queue-4.14/scsi-aic7xxx-adjust-indentation-in-ahc_find_syncrate.patch b/queue-4.14/scsi-aic7xxx-adjust-indentation-in-ahc_find_syncrate.patch new file mode 100644 index 00000000000..dce4848c431 --- /dev/null +++ b/queue-4.14/scsi-aic7xxx-adjust-indentation-in-ahc_find_syncrate.patch @@ -0,0 +1,54 @@ +From 88a2b86481ebe06c4a38f6410734e75174c9ed69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Dec 2019 18:42:20 -0700 +Subject: scsi: aic7xxx: Adjust indentation in ahc_find_syncrate + +From: Nathan Chancellor + +[ Upstream commit 4dbc96ad65c45cdd4e895ed7ae4c151b780790c5 ] + +Clang warns: + +../drivers/scsi/aic7xxx/aic7xxx_core.c:2317:5: warning: misleading +indentation; statement is not part of the previous 'if' +[-Wmisleading-indentation] + if ((syncrate->sxfr_u2 & ST_SXFR) != 0) + ^ +../drivers/scsi/aic7xxx/aic7xxx_core.c:2310:4: note: previous statement +is here + if (syncrate == &ahc_syncrates[maxsync]) + ^ +1 warning generated. + +This warning occurs because there is a space amongst the tabs on this +line. Remove it so that the indentation is consistent with the Linux kernel +coding style and clang no longer warns. + +This has been a problem since the beginning of git history hence no fixes +tag. + +Link: https://github.com/ClangBuiltLinux/linux/issues/817 +Link: https://lore.kernel.org/r/20191218014220.52746-1-natechancellor@gmail.com +Signed-off-by: Nathan Chancellor +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/aic7xxx/aic7xxx_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/aic7xxx/aic7xxx_core.c b/drivers/scsi/aic7xxx/aic7xxx_core.c +index 3818461640031..fdbb0a3dc9b4f 100644 +--- a/drivers/scsi/aic7xxx/aic7xxx_core.c ++++ b/drivers/scsi/aic7xxx/aic7xxx_core.c +@@ -2321,7 +2321,7 @@ ahc_find_syncrate(struct ahc_softc *ahc, u_int *period, + * At some speeds, we only support + * ST transfers. + */ +- if ((syncrate->sxfr_u2 & ST_SXFR) != 0) ++ if ((syncrate->sxfr_u2 & ST_SXFR) != 0) + *ppr_options &= ~MSG_EXT_PPR_DT_REQ; + break; + } +-- +2.20.1 + diff --git a/queue-4.14/scsi-iscsi-don-t-destroy-session-if-there-are-outsta.patch b/queue-4.14/scsi-iscsi-don-t-destroy-session-if-there-are-outsta.patch new file mode 100644 index 00000000000..55fd7c43cd8 --- /dev/null +++ b/queue-4.14/scsi-iscsi-don-t-destroy-session-if-there-are-outsta.patch @@ -0,0 +1,138 @@ +From 9f06bd1e6716031ad14a69e0fc4eddce5c25b3d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Dec 2019 15:31:48 -0500 +Subject: scsi: iscsi: Don't destroy session if there are outstanding + connections + +From: Nick Black + +[ Upstream commit 54155ed4199c7aa3fd20866648024ab63c96d579 ] + +A faulty userspace that calls destroy_session() before destroying the +connections can trigger the failure. This patch prevents the issue by +refusing to destroy the session if there are outstanding connections. + +------------[ cut here ]------------ +kernel BUG at mm/slub.c:306! +invalid opcode: 0000 [#1] SMP PTI +CPU: 1 PID: 1224 Comm: iscsid Not tainted 5.4.0-rc2.iscsi+ #7 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 +RIP: 0010:__slab_free+0x181/0x350 +[...] +[ 1209.686056] RSP: 0018:ffffa93d4074fae0 EFLAGS: 00010246 +[ 1209.686694] RAX: ffff934efa5ad800 RBX: 000000008010000a RCX: ffff934efa5ad800 +[ 1209.687651] RDX: ffff934efa5ad800 RSI: ffffeb4041e96b00 RDI: ffff934efd402c40 +[ 1209.688582] RBP: ffffa93d4074fb80 R08: 0000000000000001 R09: ffffffffbb5dfa26 +[ 1209.689425] R10: ffff934efa5ad800 R11: 0000000000000001 R12: ffffeb4041e96b00 +[ 1209.690285] R13: ffff934efa5ad800 R14: ffff934efd402c40 R15: 0000000000000000 +[ 1209.691213] FS: 00007f7945dfb540(0000) GS:ffff934efda80000(0000) knlGS:0000000000000000 +[ 1209.692316] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 1209.693013] CR2: 000055877fd3da80 CR3: 0000000077384000 CR4: 00000000000006e0 +[ 1209.693897] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 1209.694773] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 1209.695631] Call Trace: +[ 1209.695957] ? __wake_up_common_lock+0x8a/0xc0 +[ 1209.696712] iscsi_pool_free+0x26/0x40 +[ 1209.697263] iscsi_session_teardown+0x2f/0xf0 +[ 1209.698117] iscsi_sw_tcp_session_destroy+0x45/0x60 +[ 1209.698831] iscsi_if_rx+0xd88/0x14e0 +[ 1209.699370] netlink_unicast+0x16f/0x200 +[ 1209.699932] netlink_sendmsg+0x21a/0x3e0 +[ 1209.700446] sock_sendmsg+0x4f/0x60 +[ 1209.700902] ___sys_sendmsg+0x2ae/0x320 +[ 1209.701451] ? cp_new_stat+0x150/0x180 +[ 1209.701922] __sys_sendmsg+0x59/0xa0 +[ 1209.702357] do_syscall_64+0x52/0x160 +[ 1209.702812] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 1209.703419] RIP: 0033:0x7f7946433914 +[...] +[ 1209.706084] RSP: 002b:00007fffb99f2378 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +[ 1209.706994] RAX: ffffffffffffffda RBX: 000055bc869eac20 RCX: 00007f7946433914 +[ 1209.708082] RDX: 0000000000000000 RSI: 00007fffb99f2390 RDI: 0000000000000005 +[ 1209.709120] RBP: 00007fffb99f2390 R08: 000055bc84fe9320 R09: 00007fffb99f1f07 +[ 1209.710110] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000038 +[ 1209.711085] R13: 000055bc8502306e R14: 0000000000000000 R15: 0000000000000000 + Modules linked in: + ---[ end trace a2d933ede7f730d8 ]--- + +Link: https://lore.kernel.org/r/20191226203148.2172200-1-krisman@collabora.com +Signed-off-by: Nick Black +Co-developed-by: Salman Qazi +Signed-off-by: Salman Qazi +Co-developed-by: Junho Ryu +Signed-off-by: Junho Ryu +Co-developed-by: Khazhismel Kumykov +Signed-off-by: Khazhismel Kumykov +Co-developed-by: Gabriel Krisman Bertazi +Signed-off-by: Gabriel Krisman Bertazi +Reviewed-by: Lee Duncan +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/iscsi_tcp.c | 4 ++++ + drivers/scsi/scsi_transport_iscsi.c | 26 +++++++++++++++++++++++--- + 2 files changed, 27 insertions(+), 3 deletions(-) + +diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c +index 7e3a77d3c6f01..e3ca16043f9af 100644 +--- a/drivers/scsi/iscsi_tcp.c ++++ b/drivers/scsi/iscsi_tcp.c +@@ -890,6 +890,10 @@ free_host: + static void iscsi_sw_tcp_session_destroy(struct iscsi_cls_session *cls_session) + { + struct Scsi_Host *shost = iscsi_session_to_shost(cls_session); ++ struct iscsi_session *session = cls_session->dd_data; ++ ++ if (WARN_ON_ONCE(session->leadconn)) ++ return; + + iscsi_tcp_r2tpool_free(cls_session->dd_data); + iscsi_session_teardown(cls_session); +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c +index 95d71e301a534..aecb563a2b4e3 100644 +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -2945,6 +2945,24 @@ iscsi_set_path(struct iscsi_transport *transport, struct iscsi_uevent *ev) + return err; + } + ++static int iscsi_session_has_conns(int sid) ++{ ++ struct iscsi_cls_conn *conn; ++ unsigned long flags; ++ int found = 0; ++ ++ spin_lock_irqsave(&connlock, flags); ++ list_for_each_entry(conn, &connlist, conn_list) { ++ if (iscsi_conn_get_sid(conn) == sid) { ++ found = 1; ++ break; ++ } ++ } ++ spin_unlock_irqrestore(&connlock, flags); ++ ++ return found; ++} ++ + static int + iscsi_set_iface_params(struct iscsi_transport *transport, + struct iscsi_uevent *ev, uint32_t len) +@@ -3522,10 +3540,12 @@ iscsi_if_recv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, uint32_t *group) + break; + case ISCSI_UEVENT_DESTROY_SESSION: + session = iscsi_session_lookup(ev->u.d_session.sid); +- if (session) +- transport->destroy_session(session); +- else ++ if (!session) + err = -EINVAL; ++ else if (iscsi_session_has_conns(ev->u.d_session.sid)) ++ err = -EBUSY; ++ else ++ transport->destroy_session(session); + break; + case ISCSI_UEVENT_UNBIND_SESSION: + session = iscsi_session_lookup(ev->u.d_session.sid); +-- +2.20.1 + diff --git a/queue-4.14/scsi-ufs-complete-pending-requests-in-host-reset-and.patch b/queue-4.14/scsi-ufs-complete-pending-requests-in-host-reset-and.patch new file mode 100644 index 00000000000..0bd2ec8aaef --- /dev/null +++ b/queue-4.14/scsi-ufs-complete-pending-requests-in-host-reset-and.patch @@ -0,0 +1,121 @@ +From 9ab9bc09694934eb98bf5d81d396198fc27cb845 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Nov 2019 22:53:33 -0800 +Subject: scsi: ufs: Complete pending requests in host reset and restore path + +From: Can Guo + +[ Upstream commit 2df74b6985b51e77756e2e8faa16c45ca3ba53c5 ] + +In UFS host reset and restore path, before probe, we stop and start the +host controller once. After host controller is stopped, the pending +requests, if any, are cleared from the doorbell, but no completion IRQ +would be raised due to the hba is stopped. These pending requests shall be +completed along with the first NOP_OUT command (as it is the first command +which can raise a transfer completion IRQ) sent during probe. Since the +OCSs of these pending requests are not SUCCESS (because they are not yet +literally finished), their UPIUs shall be dumped. When there are multiple +pending requests, the UPIU dump can be overwhelming and may lead to +stability issues because it is in atomic context. Therefore, before probe, +complete these pending requests right after host controller is stopped and +silence the UPIU dump from them. + +Link: https://lore.kernel.org/r/1574751214-8321-5-git-send-email-cang@qti.qualcomm.com +Reviewed-by: Alim Akhtar +Reviewed-by: Bean Huo +Tested-by: Bean Huo +Signed-off-by: Can Guo +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufshcd.c | 24 ++++++++++-------------- + drivers/scsi/ufs/ufshcd.h | 2 ++ + 2 files changed, 12 insertions(+), 14 deletions(-) + +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c +index ce40de334f112..c350453246952 100644 +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -4580,7 +4580,7 @@ ufshcd_transfer_rsp_status(struct ufs_hba *hba, struct ufshcd_lrb *lrbp) + break; + } /* end of switch */ + +- if (host_byte(result) != DID_OK) ++ if ((host_byte(result) != DID_OK) && !hba->silence_err_logs) + ufshcd_print_trs(hba, 1 << lrbp->task_tag, true); + return result; + } +@@ -5109,8 +5109,8 @@ static void ufshcd_err_handler(struct work_struct *work) + + /* + * if host reset is required then skip clearing the pending +- * transfers forcefully because they will automatically get +- * cleared after link startup. ++ * transfers forcefully because they will get cleared during ++ * host reset and restore + */ + if (needs_reset) + goto skip_pending_xfer_clear; +@@ -5749,9 +5749,15 @@ static int ufshcd_host_reset_and_restore(struct ufs_hba *hba) + int err; + unsigned long flags; + +- /* Reset the host controller */ ++ /* ++ * Stop the host controller and complete the requests ++ * cleared by h/w ++ */ + spin_lock_irqsave(hba->host->host_lock, flags); + ufshcd_hba_stop(hba, false); ++ hba->silence_err_logs = true; ++ ufshcd_complete_requests(hba); ++ hba->silence_err_logs = false; + spin_unlock_irqrestore(hba->host->host_lock, flags); + + /* scale up clocks to max frequency before full reinitialization */ +@@ -5785,22 +5791,12 @@ out: + static int ufshcd_reset_and_restore(struct ufs_hba *hba) + { + int err = 0; +- unsigned long flags; + int retries = MAX_HOST_RESET_RETRIES; + + do { + err = ufshcd_host_reset_and_restore(hba); + } while (err && --retries); + +- /* +- * After reset the door-bell might be cleared, complete +- * outstanding requests in s/w here. +- */ +- spin_lock_irqsave(hba->host->host_lock, flags); +- ufshcd_transfer_req_compl(hba); +- ufshcd_tmc_handler(hba); +- spin_unlock_irqrestore(hba->host->host_lock, flags); +- + return err; + } + +diff --git a/drivers/scsi/ufs/ufshcd.h b/drivers/scsi/ufs/ufshcd.h +index cdc8bd05f7dfc..4aac4d86f57b3 100644 +--- a/drivers/scsi/ufs/ufshcd.h ++++ b/drivers/scsi/ufs/ufshcd.h +@@ -485,6 +485,7 @@ struct ufs_stats { + * @uic_error: UFS interconnect layer error status + * @saved_err: sticky error mask + * @saved_uic_err: sticky UIC error mask ++ * @silence_err_logs: flag to silence error logs + * @dev_cmd: ufs device management command information + * @last_dme_cmd_tstamp: time stamp of the last completed DME command + * @auto_bkops_enabled: to track whether bkops is enabled in device +@@ -621,6 +622,7 @@ struct ufs_hba { + u32 saved_err; + u32 saved_uic_err; + struct ufs_stats ufs_stats; ++ bool silence_err_logs; + + /* Device management request data */ + struct ufs_dev_cmd dev_cmd; +-- +2.20.1 + diff --git a/queue-4.14/selinux-ensure-we-cleanup-the-internal-avc-counters-.patch b/queue-4.14/selinux-ensure-we-cleanup-the-internal-avc-counters-.patch new file mode 100644 index 00000000000..b9cd53b1710 --- /dev/null +++ b/queue-4.14/selinux-ensure-we-cleanup-the-internal-avc-counters-.patch @@ -0,0 +1,40 @@ +From f35df257cda84a6582bc7bf3e363a3fe39eb4452 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Dec 2019 17:25:47 +0530 +Subject: selinux: ensure we cleanup the internal AVC counters on error in + avc_update() + +From: Jaihind Yadav + +[ Upstream commit 030b995ad9ece9fa2d218af4429c1c78c2342096 ] + +In AVC update we don't call avc_node_kill() when avc_xperms_populate() +fails, resulting in the avc->avc_cache.active_nodes counter having a +false value. In last patch this changes was missed , so correcting it. + +Fixes: fa1aa143ac4a ("selinux: extended permissions for ioctls") +Signed-off-by: Jaihind Yadav +Signed-off-by: Ravi Kumar Siddojigari +[PM: merge fuzz, minor description cleanup] +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + security/selinux/avc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/security/selinux/avc.c b/security/selinux/avc.c +index 2380b8d72cecb..23f387b30ece6 100644 +--- a/security/selinux/avc.c ++++ b/security/selinux/avc.c +@@ -863,7 +863,7 @@ static int avc_update_node(u32 event, u32 perms, u8 driver, u8 xperm, u32 ssid, + if (orig->ae.xp_node) { + rc = avc_xperms_populate(node, orig->ae.xp_node); + if (rc) { +- kmem_cache_free(avc_node_cachep, node); ++ avc_node_kill(node); + goto out_unlock; + } + } +-- +2.20.1 + diff --git a/queue-4.14/series b/queue-4.14/series index 01aea8ec1b4..cefb5421b7c 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -30,3 +30,138 @@ scsi-qla2xxx-fix-a-potential-null-pointer-dereference.patch revert-kvm-nvmx-use-correct-root-level-for-nested-ep.patch revert-kvm-vmx-add-non-canonical-check-on-writes-to-.patch kvm-nvmx-use-correct-root-level-for-nested-ept-shado.patch +drm-gma500-fixup-fbdev-stolen-size-usage-evaluation.patch +nfsd4-avoid-null-deference-on-strange-copy-compounds.patch +soc-fsl-qe-change-return-type-of-cpm_muram_alloc-to-.patch +cpu-hotplug-stop_machine-fix-stop_machine-vs-hotplug.patch +brcmfmac-fix-use-after-free-in-brcmf_sdio_readframes.patch +leds-pca963x-fix-open-drain-initialization.patch +ext4-fix-ext4_dax_read-write-inode-locking-sequence-.patch +alsa-ctl-allow-tlv-read-operation-for-callback-type-.patch +gianfar-fix-tx-timestamping-with-a-stacked-dsa-drive.patch +pinctrl-sh-pfc-sh7264-fix-can-function-gpios.patch +pxa168fb-fix-the-function-used-to-release-some-memor.patch +media-i2c-mt9v032-fix-enum-mbus-codes-and-frame-size.patch +powerpc-powernv-iov-ensure-the-pdn-for-vfs-always-co.patch +gpio-gpio-grgpio-fix-possible-sleep-in-atomic-contex.patch +char-random-silence-a-lockdep-splat-with-printk.patch +media-sti-bdisp-fix-a-possible-sleep-in-atomic-conte.patch +pinctrl-baytrail-do-not-clear-irq-flags-on-direct-ir.patch +efi-x86-map-the-entire-efi-vendor-string-before-copy.patch +mips-loongson-fix-potential-null-dereference-in-loon.patch +sparc-add-.exit.data-section.patch +uio-fix-a-sleep-in-atomic-context-bug-in-uio_dmem_ge.patch +usb-gadget-udc-fix-possible-sleep-in-atomic-context-.patch +usb-dwc2-fix-in-fifo-allocation.patch +clocksource-drivers-bcm2835_timer-fix-memory-leak-of.patch +kselftest-minimise-dependency-of-get_size-on-c-libra.patch +jbd2-clear-jbd2_abort-flag-before-journal_reset-to-u.patch +x86-sysfb-fix-check-for-bad-vram-size.patch +tracing-fix-tracing_stat-return-values-in-error-hand.patch +tracing-fix-very-unlikely-race-of-registering-two-st.patch +ext4-jbd2-ensure-panic-when-aborting-with-zero-errno.patch +nbd-add-a-flush_workqueue-in-nbd_start_device.patch +kvm-s390-enotsupp-eopnotsupp-fixups.patch +kconfig-fix-broken-dependency-in-randconfig-generate.patch +clk-qcom-rcg2-don-t-crash-if-our-parent-can-t-be-fou.patch +drm-amdgpu-remove-4-set-but-not-used-variable-in-amd.patch +regulator-rk808-lower-log-level-on-optional-gpios-be.patch +net-wan-fsl_ucc_hdlc-reject-muram-offsets-above-64k.patch +pci-iov-fix-memory-leak-in-pci_iov_add_virtfn.patch +nfc-port100-convert-cpu_to_le16-le16_to_cpu-e1-e2-to.patch +arm-dts-allwinner-h3-add-pmu-node.patch +arm64-dts-qcom-msm8996-disable-usb2-phy-suspend-by-c.patch +padata-always-acquire-cpu_hotplug_lock-before-pinst-.patch +arm-dts-imx6-rdu2-disable-wp-for-usdhc2-and-usdhc3.patch +media-v4l2-device.h-explicitly-compare-grp-id-mask-t.patch +reiserfs-fix-spurious-unlock-in-reiserfs_fill_super-.patch +fore200e-fix-incorrect-checks-of-null-pointer-derefe.patch +isdn-don-t-mark-kcapi_proc_exit-as-__exit.patch +alsa-usx2y-adjust-indentation-in-snd_usx2y_hwdep_dsp.patch +b43legacy-fix-wcast-function-type.patch +ipw2x00-fix-wcast-function-type.patch +iwlegacy-fix-wcast-function-type.patch +rtlwifi-rtl_pci-fix-wcast-function-type.patch +orinoco-avoid-assertion-in-case-of-null-pointer.patch +acpica-disassembler-create-buffer-fields-in-acpi_par.patch +scsi-ufs-complete-pending-requests-in-host-reset-and.patch +scsi-aic7xxx-adjust-indentation-in-ahc_find_syncrate.patch +drm-mediatek-handle-events-when-enabling-disabling-c.patch +arm-dts-r8a7779-add-device-node-for-arm-global-timer.patch +dmaengine-store-module-owner-in-dma_device-struct.patch +x86-vdso-provide-missing-include-file.patch +pm-devfreq-rk3399_dmc-add-compile_test-and-have_arm_.patch +pinctrl-sh-pfc-sh7269-fix-can-function-gpios.patch +rdma-rxe-fix-error-type-of-mmap_offset.patch +clk-sunxi-ng-add-mux-and-pll-notifiers-for-a64-cpu-c.patch +alsa-sh-fix-unused-variable-warnings.patch +alsa-sh-fix-compile-warning-wrt-const.patch +tools-lib-api-fs-fix-gcc9-stringop-truncation-compil.patch +x86-unwind-orc-fix-config_modules-build-warning.patch +drm-remove-the-newline-for-crc-source-name.patch +usbip-fix-unsafe-unaligned-pointer-usage.patch +udf-fix-free-space-reporting-for-metadata-and-virtua.patch +ib-hfi1-add-software-counter-for-ctxt0-seq-drop.patch +soc-tegra-fuse-correct-straps-address-for-older-tegr.patch +efi-x86-don-t-panic-or-bug-on-non-critical-error-con.patch +rcu-use-write_once-for-assignments-to-pprev-for-hlis.patch +input-edt-ft5x06-work-around-first-register-access-e.patch +wan-ixp4xx_hss-fix-compile-testing-on-64-bit.patch +asoc-atmel-fix-build-error-with-config_snd_atmel_soc.patch +tty-synclinkmp-adjust-indentation-in-several-functio.patch +tty-synclink_gt-adjust-indentation-in-several-functi.patch +driver-core-platform-prevent-resouce-overflow-from-c.patch +driver-core-print-device-when-resources-present-in-r.patch +vme-bridges-reduce-stack-usage.patch +drm-nouveau-secboot-gm20b-initialize-pointer-in-gm20.patch +drm-nouveau-gr-gk20a-gm200-add-terminators-to-method.patch +drm-nouveau-fix-copy-paste-error-in-nouveau_fence_wa.patch +drm-vmwgfx-prevent-memory-leak-in-vmw_cmdbuf_res_add.patch +usb-musb-omap2430-get-rid-of-musb-.set_vbus-for-omap.patch +iommu-arm-smmu-v3-use-write_once-when-changing-valid.patch +f2fs-free-sysfs-kobject.patch +scsi-iscsi-don-t-destroy-session-if-there-are-outsta.patch +arm64-fix-alternatives-with-llvm-s-integrated-assemb.patch +watchdog-softlockup-enforce-that-timestamp-is-valid-.patch +acpi-iort-fix-number-of-ids-handling-in-iort_id_map.patch +f2fs-fix-memleak-of-kobject.patch +x86-mm-fix-nx-bit-clearing-issue-in-kernel_map_pages.patch +pwm-omap-dmtimer-remove-pwm-chip-in-.remove-before-m.patch +cmd64x-potential-buffer-overflow-in-cmd64x_program_t.patch +ide-serverworks-potential-overflow-in-svwks_set_pio_.patch +pwm-remove-set-but-not-set-variable-pwm.patch +btrfs-fix-possible-null-pointer-dereference-in-integ.patch +btrfs-safely-advance-counter-when-looking-up-bio-csu.patch +btrfs-device-stats-log-when-stats-are-zeroed.patch +remoteproc-initialize-rproc_class-before-use.patch +irqchip-mbigen-set-driver-.suppress_bind_attrs-to-av.patch +alsa-hda-hdmi-add-retry-logic-to-parse_intel_hdmi.patch +x86-decoder-add-test-opcode-to-group3-2.patch +s390-ftrace-generate-traced-function-stack-frame.patch +driver-core-platform-fix-u32-greater-or-equal-to-zer.patch +alsa-hda-add-docking-station-support-for-lenovo-thin.patch +powerpc-sriov-remove-vf-eeh_dev-state-when-disabling.patch +jbd2-switch-to-use-jbd2_journal_abort-when-failed-to.patch +jbd2-make-sure-eshutdown-to-be-recorded-in-the-journ.patch +arm-8951-1-fix-kexec-compilation-issue.patch +hostap-adjust-indentation-in-prism2_hostapd_add_sta.patch +iwlegacy-ensure-loop-counter-addr-does-not-wrap-and-.patch +cifs-fix-null-dereference-in-match_prepath.patch +ceph-check-availability-of-mds-cluster-on-mount-afte.patch +irqchip-gic-v3-only-provision-redistributors-that-ar.patch +drm-nouveau-disp-nv50-prevent-oops-when-no-channel-m.patch +ftrace-fpid_next-should-increase-position-index.patch +trigger_next-should-increase-position-index.patch +radeon-insert-10ms-sleep-in-dce5_crtc_load_lut.patch +ocfs2-fix-a-null-pointer-dereference-when-call-ocfs2.patch +lib-scatterlist.c-adjust-indentation-in-__sg_alloc_t.patch +reiserfs-prevent-null-pointer-dereference-in-reiserf.patch +bcache-explicity-type-cast-in-bset_bkey_last.patch +irqchip-gic-v3-its-reference-to-its_invall_cmd-descr.patch +iwlwifi-mvm-fix-thermal-zone-registration.patch +microblaze-prevent-the-overflow-of-the-start.patch +brd-check-and-limit-max_part-par.patch +help_next-should-increase-position-index.patch +virtio_balloon-prevent-pfn-array-overflow.patch +mlxsw-spectrum_dpipe-add-missing-error-path.patch +selinux-ensure-we-cleanup-the-internal-avc-counters-.patch diff --git a/queue-4.14/soc-fsl-qe-change-return-type-of-cpm_muram_alloc-to-.patch b/queue-4.14/soc-fsl-qe-change-return-type-of-cpm_muram_alloc-to-.patch new file mode 100644 index 00000000000..9ce362ac73e --- /dev/null +++ b/queue-4.14/soc-fsl-qe-change-return-type-of-cpm_muram_alloc-to-.patch @@ -0,0 +1,188 @@ +From 81b703fc72b9c63a53ea46d8e01356cca3f69cf6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Nov 2019 15:55:40 +0100 +Subject: soc: fsl: qe: change return type of cpm_muram_alloc() to s32 + +From: Rasmus Villemoes + +[ Upstream commit 800cd6fb76f0ec7711deb72a86c924db1ae42648 ] + +There are a number of problems with cpm_muram_alloc() and its +callers. Most callers assign the return value to some variable and +then use IS_ERR_VALUE to check for allocation failure. However, when +that variable is not sizeof(long), this leads to warnings - and it is +indeed broken to do e.g. + + u32 foo = cpm_muram_alloc(); + if (IS_ERR_VALUE(foo)) + +on a 64-bit platform, since the condition + + foo >= (unsigned long)-ENOMEM + +is tautologically false. There are also callers that ignore the +possibility of error, and then there are those that check for error by +comparing the return value to 0... + +One could fix that by changing all callers to store the return value +temporarily in an "unsigned long" and test that. However, use of +IS_ERR_VALUE() is error-prone and should be restricted to things which +are inherently long-sized (stuff in pt_regs etc.). Instead, let's aim +for changing to the standard kernel style + + int foo = cpm_muram_alloc(); + if (foo < 0) + deal_with_it() + some->where = foo; + +Changing the return type from unsigned long to s32 (aka signed int) +doesn't change the value that gets stored into any of the callers' +variables except if the caller was storing the result in a u64 _and_ +the allocation failed, so in itself this patch should be a no-op. + +Another problem with cpm_muram_alloc() is that it can certainly +validly return 0 - and except if some cpm_muram_alloc_fixed() call +interferes, the very first cpm_muram_alloc() call will return just +that. But that shows that both ucc_slow_free() and ucc_fast_free() are +buggy, since they assume that a value of 0 means "that field was never +allocated". We'll later change cpm_muram_free() to accept (and ignore) +a negative offset, so callers can use a sentinel of -1 instead of 0 +and just unconditionally call cpm_muram_free(). + +Reviewed-by: Timur Tabi +Signed-off-by: Rasmus Villemoes +Signed-off-by: Li Yang +Signed-off-by: Sasha Levin +--- + drivers/soc/fsl/qe/qe_common.c | 29 ++++++++++++++++------------- + include/soc/fsl/qe/qe.h | 16 ++++++++-------- + 2 files changed, 24 insertions(+), 21 deletions(-) + +diff --git a/drivers/soc/fsl/qe/qe_common.c b/drivers/soc/fsl/qe/qe_common.c +index 104e68d9b84f2..4f60724b06b7c 100644 +--- a/drivers/soc/fsl/qe/qe_common.c ++++ b/drivers/soc/fsl/qe/qe_common.c +@@ -35,7 +35,7 @@ static phys_addr_t muram_pbase; + + struct muram_block { + struct list_head head; +- unsigned long start; ++ s32 start; + int size; + }; + +@@ -113,13 +113,14 @@ out_muram: + * @algo: algorithm for alloc. + * @data: data for genalloc's algorithm. + * +- * This function returns an offset into the muram area. ++ * This function returns a non-negative offset into the muram area, or ++ * a negative errno on failure. + */ +-static unsigned long cpm_muram_alloc_common(unsigned long size, +- genpool_algo_t algo, void *data) ++static s32 cpm_muram_alloc_common(unsigned long size, ++ genpool_algo_t algo, void *data) + { + struct muram_block *entry; +- unsigned long start; ++ s32 start; + + if (!muram_pool && cpm_muram_init()) + goto out2; +@@ -140,7 +141,7 @@ static unsigned long cpm_muram_alloc_common(unsigned long size, + out1: + gen_pool_free(muram_pool, start, size); + out2: +- return (unsigned long)-ENOMEM; ++ return -ENOMEM; + } + + /* +@@ -148,13 +149,14 @@ out2: + * @size: number of bytes to allocate + * @align: requested alignment, in bytes + * +- * This function returns an offset into the muram area. ++ * This function returns a non-negative offset into the muram area, or ++ * a negative errno on failure. + * Use cpm_dpram_addr() to get the virtual address of the area. + * Use cpm_muram_free() to free the allocation. + */ +-unsigned long cpm_muram_alloc(unsigned long size, unsigned long align) ++s32 cpm_muram_alloc(unsigned long size, unsigned long align) + { +- unsigned long start; ++ s32 start; + unsigned long flags; + struct genpool_data_align muram_pool_data; + +@@ -171,7 +173,7 @@ EXPORT_SYMBOL(cpm_muram_alloc); + * cpm_muram_free - free a chunk of multi-user ram + * @offset: The beginning of the chunk as returned by cpm_muram_alloc(). + */ +-int cpm_muram_free(unsigned long offset) ++int cpm_muram_free(s32 offset) + { + unsigned long flags; + int size; +@@ -197,13 +199,14 @@ EXPORT_SYMBOL(cpm_muram_free); + * cpm_muram_alloc_fixed - reserve a specific region of multi-user ram + * @offset: offset of allocation start address + * @size: number of bytes to allocate +- * This function returns an offset into the muram area ++ * This function returns @offset if the area was available, a negative ++ * errno otherwise. + * Use cpm_dpram_addr() to get the virtual address of the area. + * Use cpm_muram_free() to free the allocation. + */ +-unsigned long cpm_muram_alloc_fixed(unsigned long offset, unsigned long size) ++s32 cpm_muram_alloc_fixed(unsigned long offset, unsigned long size) + { +- unsigned long start; ++ s32 start; + unsigned long flags; + struct genpool_data_fixed muram_pool_data_fixed; + +diff --git a/include/soc/fsl/qe/qe.h b/include/soc/fsl/qe/qe.h +index b3d1aff5e8ad5..deb6238416947 100644 +--- a/include/soc/fsl/qe/qe.h ++++ b/include/soc/fsl/qe/qe.h +@@ -102,26 +102,26 @@ static inline void qe_reset(void) {} + int cpm_muram_init(void); + + #if defined(CONFIG_CPM) || defined(CONFIG_QUICC_ENGINE) +-unsigned long cpm_muram_alloc(unsigned long size, unsigned long align); +-int cpm_muram_free(unsigned long offset); +-unsigned long cpm_muram_alloc_fixed(unsigned long offset, unsigned long size); ++s32 cpm_muram_alloc(unsigned long size, unsigned long align); ++int cpm_muram_free(s32 offset); ++s32 cpm_muram_alloc_fixed(unsigned long offset, unsigned long size); + void __iomem *cpm_muram_addr(unsigned long offset); + unsigned long cpm_muram_offset(void __iomem *addr); + dma_addr_t cpm_muram_dma(void __iomem *addr); + #else +-static inline unsigned long cpm_muram_alloc(unsigned long size, +- unsigned long align) ++static inline s32 cpm_muram_alloc(unsigned long size, ++ unsigned long align) + { + return -ENOSYS; + } + +-static inline int cpm_muram_free(unsigned long offset) ++static inline int cpm_muram_free(s32 offset) + { + return -ENOSYS; + } + +-static inline unsigned long cpm_muram_alloc_fixed(unsigned long offset, +- unsigned long size) ++static inline s32 cpm_muram_alloc_fixed(unsigned long offset, ++ unsigned long size) + { + return -ENOSYS; + } +-- +2.20.1 + diff --git a/queue-4.14/soc-tegra-fuse-correct-straps-address-for-older-tegr.patch b/queue-4.14/soc-tegra-fuse-correct-straps-address-for-older-tegr.patch new file mode 100644 index 00000000000..8ced38b75b2 --- /dev/null +++ b/queue-4.14/soc-tegra-fuse-correct-straps-address-for-older-tegr.patch @@ -0,0 +1,38 @@ +From cb3c83e7bb7c5982b52fa6b5a6f451e423cc5d7b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Dec 2019 21:23:03 +0300 +Subject: soc/tegra: fuse: Correct straps' address for older Tegra124 device + trees + +From: Dmitry Osipenko + +[ Upstream commit 2d9ea1934f8ef0dfb862d103389562cc28b4fc03 ] + +Trying to read out Chip ID before APBMISC registers are mapped won't +succeed, in a result Tegra124 gets a wrong address for the HW straps +register if machine uses an old outdated device tree. + +Fixes: 297c4f3dcbff ("soc/tegra: fuse: Restrict legacy code to 32-bit ARM") +Signed-off-by: Dmitry Osipenko +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/soc/tegra/fuse/tegra-apbmisc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soc/tegra/fuse/tegra-apbmisc.c b/drivers/soc/tegra/fuse/tegra-apbmisc.c +index 5b18f6ffa45c7..cd61c883c19f5 100644 +--- a/drivers/soc/tegra/fuse/tegra-apbmisc.c ++++ b/drivers/soc/tegra/fuse/tegra-apbmisc.c +@@ -134,7 +134,7 @@ void __init tegra_init_apbmisc(void) + apbmisc.flags = IORESOURCE_MEM; + + /* strapping options */ +- if (tegra_get_chip_id() == TEGRA124) { ++ if (of_machine_is_compatible("nvidia,tegra124")) { + straps.start = 0x7000e864; + straps.end = 0x7000e867; + } else { +-- +2.20.1 + diff --git a/queue-4.14/sparc-add-.exit.data-section.patch b/queue-4.14/sparc-add-.exit.data-section.patch new file mode 100644 index 00000000000..bad76ba398d --- /dev/null +++ b/queue-4.14/sparc-add-.exit.data-section.patch @@ -0,0 +1,43 @@ +From d5f510d3a85477fd60f401855b96e52876b3e6eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Jan 2020 00:07:42 -0800 +Subject: sparc: Add .exit.data section. + +From: David S. Miller + +[ Upstream commit 548f0b9a5f4cffa0cecf62eb12aa8db682e4eee6 ] + +This fixes build errors of all sorts. + +Also, emit .exit.text unconditionally. + +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + arch/sparc/kernel/vmlinux.lds.S | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/arch/sparc/kernel/vmlinux.lds.S b/arch/sparc/kernel/vmlinux.lds.S +index 5a2344574f39b..4323dc4ae4c7a 100644 +--- a/arch/sparc/kernel/vmlinux.lds.S ++++ b/arch/sparc/kernel/vmlinux.lds.S +@@ -167,12 +167,14 @@ SECTIONS + } + PERCPU_SECTION(SMP_CACHE_BYTES) + +-#ifdef CONFIG_JUMP_LABEL + . = ALIGN(PAGE_SIZE); + .exit.text : { + EXIT_TEXT + } +-#endif ++ ++ .exit.data : { ++ EXIT_DATA ++ } + + . = ALIGN(PAGE_SIZE); + __init_end = .; +-- +2.20.1 + diff --git a/queue-4.14/tools-lib-api-fs-fix-gcc9-stringop-truncation-compil.patch b/queue-4.14/tools-lib-api-fs-fix-gcc9-stringop-truncation-compil.patch new file mode 100644 index 00000000000..0edf652b702 --- /dev/null +++ b/queue-4.14/tools-lib-api-fs-fix-gcc9-stringop-truncation-compil.patch @@ -0,0 +1,67 @@ +From 2c13744a548b57efad54e7822ed70528f9396ba5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2019 08:01:09 +0000 +Subject: tools lib api fs: Fix gcc9 stringop-truncation compilation error + +From: Andrey Zhizhikin + +[ Upstream commit 6794200fa3c9c3e6759dae099145f23e4310f4f7 ] + +GCC9 introduced string hardening mechanisms, which exhibits the error +during fs api compilation: + +error: '__builtin_strncpy' specified bound 4096 equals destination size +[-Werror=stringop-truncation] + +This comes when the length of copy passed to strncpy is is equal to +destination size, which could potentially lead to buffer overflow. + +There is a need to mitigate this potential issue by limiting the size of +destination by 1 and explicitly terminate the destination with NULL. + +Signed-off-by: Andrey Zhizhikin +Reviewed-by: Petr Mladek +Acked-by: Jiri Olsa +Cc: Alexei Starovoitov +Cc: Andrii Nakryiko +Cc: Daniel Borkmann +Cc: Kefeng Wang +Cc: Martin KaFai Lau +Cc: Petr Mladek +Cc: Sergey Senozhatsky +Cc: Song Liu +Cc: Yonghong Song +Cc: bpf@vger.kernel.org +Cc: netdev@vger.kernel.org +Link: http://lore.kernel.org/lkml/20191211080109.18765-1-andrey.zhizhikin@leica-geosystems.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/lib/api/fs/fs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tools/lib/api/fs/fs.c b/tools/lib/api/fs/fs.c +index b24afc0e6e81c..45b50b89009aa 100644 +--- a/tools/lib/api/fs/fs.c ++++ b/tools/lib/api/fs/fs.c +@@ -210,6 +210,7 @@ static bool fs__env_override(struct fs *fs) + size_t name_len = strlen(fs->name); + /* name + "_PATH" + '\0' */ + char upper_name[name_len + 5 + 1]; ++ + memcpy(upper_name, fs->name, name_len); + mem_toupper(upper_name, name_len); + strcpy(&upper_name[name_len], "_PATH"); +@@ -219,7 +220,8 @@ static bool fs__env_override(struct fs *fs) + return false; + + fs->found = true; +- strncpy(fs->path, override_path, sizeof(fs->path)); ++ strncpy(fs->path, override_path, sizeof(fs->path) - 1); ++ fs->path[sizeof(fs->path) - 1] = '\0'; + return true; + } + +-- +2.20.1 + diff --git a/queue-4.14/tracing-fix-tracing_stat-return-values-in-error-hand.patch b/queue-4.14/tracing-fix-tracing_stat-return-values-in-error-hand.patch new file mode 100644 index 00000000000..3d400f122c2 --- /dev/null +++ b/queue-4.14/tracing-fix-tracing_stat-return-values-in-error-hand.patch @@ -0,0 +1,58 @@ +From 5d1ed5051b875921429a3c08ca86733f4ce7bff1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Sep 2014 22:49:41 +0100 +Subject: tracing: Fix tracing_stat return values in error handling paths + +From: Luis Henriques + +[ Upstream commit afccc00f75bbbee4e4ae833a96c2d29a7259c693 ] + +tracing_stat_init() was always returning '0', even on the error paths. It +now returns -ENODEV if tracing_init_dentry() fails or -ENOMEM if it fails +to created the 'trace_stat' debugfs directory. + +Link: http://lkml.kernel.org/r/1410299381-20108-1-git-send-email-luis.henriques@canonical.com + +Fixes: ed6f1c996bfe4 ("tracing: Check return value of tracing_init_dentry()") +Signed-off-by: Luis Henriques +[ Pulled from the archeological digging of my INBOX ] +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_stat.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/kernel/trace/trace_stat.c b/kernel/trace/trace_stat.c +index 75bf1bcb4a8a5..bf68af63538b4 100644 +--- a/kernel/trace/trace_stat.c ++++ b/kernel/trace/trace_stat.c +@@ -278,18 +278,22 @@ static int tracing_stat_init(void) + + d_tracing = tracing_init_dentry(); + if (IS_ERR(d_tracing)) +- return 0; ++ return -ENODEV; + + stat_dir = tracefs_create_dir("trace_stat", d_tracing); +- if (!stat_dir) ++ if (!stat_dir) { + pr_warn("Could not create tracefs 'trace_stat' entry\n"); ++ return -ENOMEM; ++ } + return 0; + } + + static int init_stat_file(struct stat_session *session) + { +- if (!stat_dir && tracing_stat_init()) +- return -ENODEV; ++ int ret; ++ ++ if (!stat_dir && (ret = tracing_stat_init())) ++ return ret; + + session->file = tracefs_create_file(session->ts->name, 0644, + stat_dir, +-- +2.20.1 + diff --git a/queue-4.14/tracing-fix-very-unlikely-race-of-registering-two-st.patch b/queue-4.14/tracing-fix-very-unlikely-race-of-registering-two-st.patch new file mode 100644 index 00000000000..54c3e98c608 --- /dev/null +++ b/queue-4.14/tracing-fix-very-unlikely-race-of-registering-two-st.patch @@ -0,0 +1,87 @@ +From 98baf769a2173940cc41d027c0e90db5553eeee0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jan 2020 17:47:49 -0500 +Subject: tracing: Fix very unlikely race of registering two stat tracers + +From: Steven Rostedt (VMware) + +[ Upstream commit dfb6cd1e654315168e36d947471bd2a0ccd834ae ] + +Looking through old emails in my INBOX, I came across a patch from Luis +Henriques that attempted to fix a race of two stat tracers registering the +same stat trace (extremely unlikely, as this is done in the kernel, and +probably doesn't even exist). The submitted patch wasn't quite right as it +needed to deal with clean up a bit better (if two stat tracers were the +same, it would have the same files). + +But to make the code cleaner, all we needed to do is to keep the +all_stat_sessions_mutex held for most of the registering function. + +Link: http://lkml.kernel.org/r/1410299375-20068-1-git-send-email-luis.henriques@canonical.com + +Fixes: 002bb86d8d42f ("tracing/ftrace: separate events tracing and stats tracing engine") +Reported-by: Luis Henriques +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_stat.c | 19 +++++++++---------- + 1 file changed, 9 insertions(+), 10 deletions(-) + +diff --git a/kernel/trace/trace_stat.c b/kernel/trace/trace_stat.c +index bf68af63538b4..92b76f9e25edd 100644 +--- a/kernel/trace/trace_stat.c ++++ b/kernel/trace/trace_stat.c +@@ -306,7 +306,7 @@ static int init_stat_file(struct stat_session *session) + int register_stat_tracer(struct tracer_stat *trace) + { + struct stat_session *session, *node; +- int ret; ++ int ret = -EINVAL; + + if (!trace) + return -EINVAL; +@@ -317,17 +317,15 @@ int register_stat_tracer(struct tracer_stat *trace) + /* Already registered? */ + mutex_lock(&all_stat_sessions_mutex); + list_for_each_entry(node, &all_stat_sessions, session_list) { +- if (node->ts == trace) { +- mutex_unlock(&all_stat_sessions_mutex); +- return -EINVAL; +- } ++ if (node->ts == trace) ++ goto out; + } +- mutex_unlock(&all_stat_sessions_mutex); + ++ ret = -ENOMEM; + /* Init the session */ + session = kzalloc(sizeof(*session), GFP_KERNEL); + if (!session) +- return -ENOMEM; ++ goto out; + + session->ts = trace; + INIT_LIST_HEAD(&session->session_list); +@@ -336,15 +334,16 @@ int register_stat_tracer(struct tracer_stat *trace) + ret = init_stat_file(session); + if (ret) { + destroy_session(session); +- return ret; ++ goto out; + } + ++ ret = 0; + /* Register */ +- mutex_lock(&all_stat_sessions_mutex); + list_add_tail(&session->session_list, &all_stat_sessions); ++ out: + mutex_unlock(&all_stat_sessions_mutex); + +- return 0; ++ return ret; + } + + void unregister_stat_tracer(struct tracer_stat *trace) +-- +2.20.1 + diff --git a/queue-4.14/trigger_next-should-increase-position-index.patch b/queue-4.14/trigger_next-should-increase-position-index.patch new file mode 100644 index 00000000000..51f01523123 --- /dev/null +++ b/queue-4.14/trigger_next-should-increase-position-index.patch @@ -0,0 +1,64 @@ +From d46b19505c4601f294000fce7a376d7cdfb32d53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jan 2020 10:03:06 +0300 +Subject: trigger_next should increase position index + +From: Vasily Averin + +[ Upstream commit 6722b23e7a2ace078344064a9735fb73e554e9ef ] + +if seq_file .next fuction does not change position index, +read after some lseek can generate unexpected output. + +Without patch: + # dd bs=30 skip=1 if=/sys/kernel/tracing/events/sched/sched_switch/trigger + dd: /sys/kernel/tracing/events/sched/sched_switch/trigger: cannot skip to specified offset + n traceoff snapshot stacktrace enable_event disable_event enable_hist disable_hist hist + # Available triggers: + # traceon traceoff snapshot stacktrace enable_event disable_event enable_hist disable_hist hist + 6+1 records in + 6+1 records out + 206 bytes copied, 0.00027916 s, 738 kB/s + +Notice the printing of "# Available triggers:..." after the line. + +With the patch: + # dd bs=30 skip=1 if=/sys/kernel/tracing/events/sched/sched_switch/trigger + dd: /sys/kernel/tracing/events/sched/sched_switch/trigger: cannot skip to specified offset + n traceoff snapshot stacktrace enable_event disable_event enable_hist disable_hist hist + 2+1 records in + 2+1 records out + 88 bytes copied, 0.000526867 s, 167 kB/s + +It only prints the end of the file, and does not restart. + +Link: http://lkml.kernel.org/r/3c35ee24-dd3a-8119-9c19-552ed253388a@virtuozzo.com + +https://bugzilla.kernel.org/show_bug.cgi?id=206283 +Signed-off-by: Vasily Averin +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_events_trigger.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/kernel/trace/trace_events_trigger.c b/kernel/trace/trace_events_trigger.c +index e2da180ca172a..31e91efe243e5 100644 +--- a/kernel/trace/trace_events_trigger.c ++++ b/kernel/trace/trace_events_trigger.c +@@ -127,9 +127,10 @@ static void *trigger_next(struct seq_file *m, void *t, loff_t *pos) + { + struct trace_event_file *event_file = event_file_data(m->private); + +- if (t == SHOW_AVAILABLE_TRIGGERS) ++ if (t == SHOW_AVAILABLE_TRIGGERS) { ++ (*pos)++; + return NULL; +- ++ } + return seq_list_next(t, &event_file->triggers, pos); + } + +-- +2.20.1 + diff --git a/queue-4.14/tty-synclink_gt-adjust-indentation-in-several-functi.patch b/queue-4.14/tty-synclink_gt-adjust-indentation-in-several-functi.patch new file mode 100644 index 00000000000..870f7c6d4b7 --- /dev/null +++ b/queue-4.14/tty-synclink_gt-adjust-indentation-in-several-functi.patch @@ -0,0 +1,118 @@ +From 859f6ce3a3d989900816689982961e34a117a56d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Dec 2019 19:39:13 -0700 +Subject: tty: synclink_gt: Adjust indentation in several functions + +From: Nathan Chancellor + +[ Upstream commit 446e76873b5e4e70bdee5db2f2a894d5b4a7d081 ] + +Clang warns: + +../drivers/tty/synclink_gt.c:1337:3: warning: misleading indentation; +statement is not part of the previous 'if' [-Wmisleading-indentation] + if (C_CRTSCTS(tty)) { + ^ +../drivers/tty/synclink_gt.c:1335:2: note: previous statement is here + if (I_IXOFF(tty)) + ^ +../drivers/tty/synclink_gt.c:2563:3: warning: misleading indentation; +statement is not part of the previous 'if' [-Wmisleading-indentation] + if (I_BRKINT(info->port.tty) || I_PARMRK(info->port.tty)) + ^ +../drivers/tty/synclink_gt.c:2561:2: note: previous statement is here + if (I_INPCK(info->port.tty)) + ^ +../drivers/tty/synclink_gt.c:3221:3: warning: misleading indentation; +statement is not part of the previous 'else' [-Wmisleading-indentation] + set_signals(info); + ^ +../drivers/tty/synclink_gt.c:3219:2: note: previous statement is here + else + ^ +3 warnings generated. + +The indentation on these lines is not at all consistent, tabs and spaces +are mixed together. Convert to just using tabs to be consistent with the +Linux kernel coding style and eliminate these warnings from clang. + +Link: https://github.com/ClangBuiltLinux/linux/issues/822 +Signed-off-by: Nathan Chancellor +Link: https://lore.kernel.org/r/20191218023912.13827-1-natechancellor@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/synclink_gt.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/tty/synclink_gt.c b/drivers/tty/synclink_gt.c +index 344e8c427c7e2..9d68f89a2bf8d 100644 +--- a/drivers/tty/synclink_gt.c ++++ b/drivers/tty/synclink_gt.c +@@ -1349,10 +1349,10 @@ static void throttle(struct tty_struct * tty) + DBGINFO(("%s throttle\n", info->device_name)); + if (I_IXOFF(tty)) + send_xchar(tty, STOP_CHAR(tty)); +- if (C_CRTSCTS(tty)) { ++ if (C_CRTSCTS(tty)) { + spin_lock_irqsave(&info->lock,flags); + info->signals &= ~SerialSignal_RTS; +- set_signals(info); ++ set_signals(info); + spin_unlock_irqrestore(&info->lock,flags); + } + } +@@ -1374,10 +1374,10 @@ static void unthrottle(struct tty_struct * tty) + else + send_xchar(tty, START_CHAR(tty)); + } +- if (C_CRTSCTS(tty)) { ++ if (C_CRTSCTS(tty)) { + spin_lock_irqsave(&info->lock,flags); + info->signals |= SerialSignal_RTS; +- set_signals(info); ++ set_signals(info); + spin_unlock_irqrestore(&info->lock,flags); + } + } +@@ -2575,8 +2575,8 @@ static void change_params(struct slgt_info *info) + info->read_status_mask = IRQ_RXOVER; + if (I_INPCK(info->port.tty)) + info->read_status_mask |= MASK_PARITY | MASK_FRAMING; +- if (I_BRKINT(info->port.tty) || I_PARMRK(info->port.tty)) +- info->read_status_mask |= MASK_BREAK; ++ if (I_BRKINT(info->port.tty) || I_PARMRK(info->port.tty)) ++ info->read_status_mask |= MASK_BREAK; + if (I_IGNPAR(info->port.tty)) + info->ignore_status_mask |= MASK_PARITY | MASK_FRAMING; + if (I_IGNBRK(info->port.tty)) { +@@ -3207,7 +3207,7 @@ static int tiocmset(struct tty_struct *tty, + info->signals &= ~SerialSignal_DTR; + + spin_lock_irqsave(&info->lock,flags); +- set_signals(info); ++ set_signals(info); + spin_unlock_irqrestore(&info->lock,flags); + return 0; + } +@@ -3218,7 +3218,7 @@ static int carrier_raised(struct tty_port *port) + struct slgt_info *info = container_of(port, struct slgt_info, port); + + spin_lock_irqsave(&info->lock,flags); +- get_signals(info); ++ get_signals(info); + spin_unlock_irqrestore(&info->lock,flags); + return (info->signals & SerialSignal_DCD) ? 1 : 0; + } +@@ -3233,7 +3233,7 @@ static void dtr_rts(struct tty_port *port, int on) + info->signals |= SerialSignal_RTS | SerialSignal_DTR; + else + info->signals &= ~(SerialSignal_RTS | SerialSignal_DTR); +- set_signals(info); ++ set_signals(info); + spin_unlock_irqrestore(&info->lock,flags); + } + +-- +2.20.1 + diff --git a/queue-4.14/tty-synclinkmp-adjust-indentation-in-several-functio.patch b/queue-4.14/tty-synclinkmp-adjust-indentation-in-several-functio.patch new file mode 100644 index 00000000000..61e88e8a4b4 --- /dev/null +++ b/queue-4.14/tty-synclinkmp-adjust-indentation-in-several-functio.patch @@ -0,0 +1,159 @@ +From 584b2bfb104e2116932debc0ab6335ed14d9aa6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Dec 2019 19:47:20 -0700 +Subject: tty: synclinkmp: Adjust indentation in several functions + +From: Nathan Chancellor + +[ Upstream commit 1feedf61e7265128244f6993f23421f33dd93dbc ] + +Clang warns: + +../drivers/tty/synclinkmp.c:1456:3: warning: misleading indentation; +statement is not part of the previous 'if' [-Wmisleading-indentation] + if (C_CRTSCTS(tty)) { + ^ +../drivers/tty/synclinkmp.c:1453:2: note: previous statement is here + if (I_IXOFF(tty)) + ^ +../drivers/tty/synclinkmp.c:2473:8: warning: misleading indentation; +statement is not part of the previous 'if' [-Wmisleading-indentation] + info->port.tty->hw_stopped = 0; + ^ +../drivers/tty/synclinkmp.c:2471:7: note: previous statement is here + if ( debug_level >= DEBUG_LEVEL_ISR ) + ^ +../drivers/tty/synclinkmp.c:2482:8: warning: misleading indentation; +statement is not part of the previous 'if' [-Wmisleading-indentation] + info->port.tty->hw_stopped = 1; + ^ +../drivers/tty/synclinkmp.c:2480:7: note: previous statement is here + if ( debug_level >= DEBUG_LEVEL_ISR ) + ^ +../drivers/tty/synclinkmp.c:2809:3: warning: misleading indentation; +statement is not part of the previous 'if' [-Wmisleading-indentation] + if (I_BRKINT(info->port.tty) || I_PARMRK(info->port.tty)) + ^ +../drivers/tty/synclinkmp.c:2807:2: note: previous statement is here + if (I_INPCK(info->port.tty)) + ^ +../drivers/tty/synclinkmp.c:3246:3: warning: misleading indentation; +statement is not part of the previous 'else' [-Wmisleading-indentation] + set_signals(info); + ^ +../drivers/tty/synclinkmp.c:3244:2: note: previous statement is here + else + ^ +5 warnings generated. + +The indentation on these lines is not at all consistent, tabs and spaces +are mixed together. Convert to just using tabs to be consistent with the +Linux kernel coding style and eliminate these warnings from clang. + +Link: https://github.com/ClangBuiltLinux/linux/issues/823 +Signed-off-by: Nathan Chancellor +Link: https://lore.kernel.org/r/20191218024720.3528-1-natechancellor@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/synclinkmp.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +diff --git a/drivers/tty/synclinkmp.c b/drivers/tty/synclinkmp.c +index 4fed9e7b281f0..3c9e314406b4e 100644 +--- a/drivers/tty/synclinkmp.c ++++ b/drivers/tty/synclinkmp.c +@@ -1467,10 +1467,10 @@ static void throttle(struct tty_struct * tty) + if (I_IXOFF(tty)) + send_xchar(tty, STOP_CHAR(tty)); + +- if (C_CRTSCTS(tty)) { ++ if (C_CRTSCTS(tty)) { + spin_lock_irqsave(&info->lock,flags); + info->serial_signals &= ~SerialSignal_RTS; +- set_signals(info); ++ set_signals(info); + spin_unlock_irqrestore(&info->lock,flags); + } + } +@@ -1496,10 +1496,10 @@ static void unthrottle(struct tty_struct * tty) + send_xchar(tty, START_CHAR(tty)); + } + +- if (C_CRTSCTS(tty)) { ++ if (C_CRTSCTS(tty)) { + spin_lock_irqsave(&info->lock,flags); + info->serial_signals |= SerialSignal_RTS; +- set_signals(info); ++ set_signals(info); + spin_unlock_irqrestore(&info->lock,flags); + } + } +@@ -2484,7 +2484,7 @@ static void isr_io_pin( SLMP_INFO *info, u16 status ) + if (status & SerialSignal_CTS) { + if ( debug_level >= DEBUG_LEVEL_ISR ) + printk("CTS tx start..."); +- info->port.tty->hw_stopped = 0; ++ info->port.tty->hw_stopped = 0; + tx_start(info); + info->pending_bh |= BH_TRANSMIT; + return; +@@ -2493,7 +2493,7 @@ static void isr_io_pin( SLMP_INFO *info, u16 status ) + if (!(status & SerialSignal_CTS)) { + if ( debug_level >= DEBUG_LEVEL_ISR ) + printk("CTS tx stop..."); +- info->port.tty->hw_stopped = 1; ++ info->port.tty->hw_stopped = 1; + tx_stop(info); + } + } +@@ -2820,8 +2820,8 @@ static void change_params(SLMP_INFO *info) + info->read_status_mask2 = OVRN; + if (I_INPCK(info->port.tty)) + info->read_status_mask2 |= PE | FRME; +- if (I_BRKINT(info->port.tty) || I_PARMRK(info->port.tty)) +- info->read_status_mask1 |= BRKD; ++ if (I_BRKINT(info->port.tty) || I_PARMRK(info->port.tty)) ++ info->read_status_mask1 |= BRKD; + if (I_IGNPAR(info->port.tty)) + info->ignore_status_mask2 |= PE | FRME; + if (I_IGNBRK(info->port.tty)) { +@@ -3191,7 +3191,7 @@ static int tiocmget(struct tty_struct *tty) + unsigned long flags; + + spin_lock_irqsave(&info->lock,flags); +- get_signals(info); ++ get_signals(info); + spin_unlock_irqrestore(&info->lock,flags); + + result = ((info->serial_signals & SerialSignal_RTS) ? TIOCM_RTS : 0) | +@@ -3229,7 +3229,7 @@ static int tiocmset(struct tty_struct *tty, + info->serial_signals &= ~SerialSignal_DTR; + + spin_lock_irqsave(&info->lock,flags); +- set_signals(info); ++ set_signals(info); + spin_unlock_irqrestore(&info->lock,flags); + + return 0; +@@ -3241,7 +3241,7 @@ static int carrier_raised(struct tty_port *port) + unsigned long flags; + + spin_lock_irqsave(&info->lock,flags); +- get_signals(info); ++ get_signals(info); + spin_unlock_irqrestore(&info->lock,flags); + + return (info->serial_signals & SerialSignal_DCD) ? 1 : 0; +@@ -3257,7 +3257,7 @@ static void dtr_rts(struct tty_port *port, int on) + info->serial_signals |= SerialSignal_RTS | SerialSignal_DTR; + else + info->serial_signals &= ~(SerialSignal_RTS | SerialSignal_DTR); +- set_signals(info); ++ set_signals(info); + spin_unlock_irqrestore(&info->lock,flags); + } + +-- +2.20.1 + diff --git a/queue-4.14/udf-fix-free-space-reporting-for-metadata-and-virtua.patch b/queue-4.14/udf-fix-free-space-reporting-for-metadata-and-virtua.patch new file mode 100644 index 00000000000..b3060c12dc8 --- /dev/null +++ b/queue-4.14/udf-fix-free-space-reporting-for-metadata-and-virtua.patch @@ -0,0 +1,76 @@ +From 528e7000cb029820601095b8a9fd2e4a0ebf8875 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jan 2020 16:36:49 +0100 +Subject: udf: Fix free space reporting for metadata and virtual partitions +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jan Kara + +[ Upstream commit a4a8b99ec819ca60b49dc582a4287ef03411f117 ] + +Free space on filesystems with metadata or virtual partition maps +currently gets misreported. This is because these partitions are just +remapped onto underlying real partitions from which keep track of free +blocks. Take this remapping into account when counting free blocks as +well. + +Reviewed-by: Pali Rohár +Reported-by: Pali Rohár +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/udf/super.c | 22 +++++++++++++++++----- + 1 file changed, 17 insertions(+), 5 deletions(-) + +diff --git a/fs/udf/super.c b/fs/udf/super.c +index 242d960df9a17..51de27685e185 100644 +--- a/fs/udf/super.c ++++ b/fs/udf/super.c +@@ -2467,17 +2467,29 @@ static unsigned int udf_count_free_table(struct super_block *sb, + static unsigned int udf_count_free(struct super_block *sb) + { + unsigned int accum = 0; +- struct udf_sb_info *sbi; ++ struct udf_sb_info *sbi = UDF_SB(sb); + struct udf_part_map *map; ++ unsigned int part = sbi->s_partition; ++ int ptype = sbi->s_partmaps[part].s_partition_type; ++ ++ if (ptype == UDF_METADATA_MAP25) { ++ part = sbi->s_partmaps[part].s_type_specific.s_metadata. ++ s_phys_partition_ref; ++ } else if (ptype == UDF_VIRTUAL_MAP15 || ptype == UDF_VIRTUAL_MAP20) { ++ /* ++ * Filesystems with VAT are append-only and we cannot write to ++ * them. Let's just report 0 here. ++ */ ++ return 0; ++ } + +- sbi = UDF_SB(sb); + if (sbi->s_lvid_bh) { + struct logicalVolIntegrityDesc *lvid = + (struct logicalVolIntegrityDesc *) + sbi->s_lvid_bh->b_data; +- if (le32_to_cpu(lvid->numOfPartitions) > sbi->s_partition) { ++ if (le32_to_cpu(lvid->numOfPartitions) > part) { + accum = le32_to_cpu( +- lvid->freeSpaceTable[sbi->s_partition]); ++ lvid->freeSpaceTable[part]); + if (accum == 0xFFFFFFFF) + accum = 0; + } +@@ -2486,7 +2498,7 @@ static unsigned int udf_count_free(struct super_block *sb) + if (accum) + return accum; + +- map = &sbi->s_partmaps[sbi->s_partition]; ++ map = &sbi->s_partmaps[part]; + if (map->s_partition_flags & UDF_PART_FLAG_UNALLOC_BITMAP) { + accum += udf_count_free_bitmap(sb, + map->s_uspace.s_bitmap); +-- +2.20.1 + diff --git a/queue-4.14/uio-fix-a-sleep-in-atomic-context-bug-in-uio_dmem_ge.patch b/queue-4.14/uio-fix-a-sleep-in-atomic-context-bug-in-uio_dmem_ge.patch new file mode 100644 index 00000000000..6b451533d21 --- /dev/null +++ b/queue-4.14/uio-fix-a-sleep-in-atomic-context-bug-in-uio_dmem_ge.patch @@ -0,0 +1,57 @@ +From 97f7f697a5c0837385a9d799f248536242e5bda4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Dec 2019 17:44:05 +0800 +Subject: uio: fix a sleep-in-atomic-context bug in + uio_dmem_genirq_irqcontrol() + +From: Jia-Ju Bai + +[ Upstream commit b74351287d4bd90636c3f48bc188c2f53824c2d4 ] + +The driver may sleep while holding a spinlock. +The function call path (from bottom to top) in Linux 4.19 is: + +kernel/irq/manage.c, 523: + synchronize_irq in disable_irq +drivers/uio/uio_dmem_genirq.c, 140: + disable_irq in uio_dmem_genirq_irqcontrol +drivers/uio/uio_dmem_genirq.c, 134: + _raw_spin_lock_irqsave in uio_dmem_genirq_irqcontrol + +synchronize_irq() can sleep at runtime. + +To fix this bug, disable_irq() is called without holding the spinlock. + +This bug is found by a static analysis tool STCheck written by myself. + +Signed-off-by: Jia-Ju Bai +Link: https://lore.kernel.org/r/20191218094405.6009-1-baijiaju1990@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/uio/uio_dmem_genirq.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/uio/uio_dmem_genirq.c b/drivers/uio/uio_dmem_genirq.c +index e1134a4d97f3f..a00b4aee6c799 100644 +--- a/drivers/uio/uio_dmem_genirq.c ++++ b/drivers/uio/uio_dmem_genirq.c +@@ -135,11 +135,13 @@ static int uio_dmem_genirq_irqcontrol(struct uio_info *dev_info, s32 irq_on) + if (irq_on) { + if (test_and_clear_bit(0, &priv->flags)) + enable_irq(dev_info->irq); ++ spin_unlock_irqrestore(&priv->lock, flags); + } else { +- if (!test_and_set_bit(0, &priv->flags)) ++ if (!test_and_set_bit(0, &priv->flags)) { ++ spin_unlock_irqrestore(&priv->lock, flags); + disable_irq(dev_info->irq); ++ } + } +- spin_unlock_irqrestore(&priv->lock, flags); + + return 0; + } +-- +2.20.1 + diff --git a/queue-4.14/usb-dwc2-fix-in-fifo-allocation.patch b/queue-4.14/usb-dwc2-fix-in-fifo-allocation.patch new file mode 100644 index 00000000000..36790ee4c15 --- /dev/null +++ b/queue-4.14/usb-dwc2-fix-in-fifo-allocation.patch @@ -0,0 +1,84 @@ +From 7511e2193958df42ec710cd993629bd9e2518da7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Dec 2019 11:34:31 +0000 +Subject: usb: dwc2: Fix IN FIFO allocation + +From: John Keeping + +[ Upstream commit 644139f8b64d818f6345351455f14471510879a5 ] + +On chips with fewer FIFOs than endpoints (for example RK3288 which has 9 +endpoints, but only 6 which are cabable of input), the DPTXFSIZN +registers above the FIFO count may return invalid values. + +With logging added on startup, I see: + + dwc2 ff580000.usb: dwc2_hsotg_init_fifo: ep=1 sz=256 + dwc2 ff580000.usb: dwc2_hsotg_init_fifo: ep=2 sz=128 + dwc2 ff580000.usb: dwc2_hsotg_init_fifo: ep=3 sz=128 + dwc2 ff580000.usb: dwc2_hsotg_init_fifo: ep=4 sz=64 + dwc2 ff580000.usb: dwc2_hsotg_init_fifo: ep=5 sz=64 + dwc2 ff580000.usb: dwc2_hsotg_init_fifo: ep=6 sz=32 + dwc2 ff580000.usb: dwc2_hsotg_init_fifo: ep=7 sz=0 + dwc2 ff580000.usb: dwc2_hsotg_init_fifo: ep=8 sz=0 + dwc2 ff580000.usb: dwc2_hsotg_init_fifo: ep=9 sz=0 + dwc2 ff580000.usb: dwc2_hsotg_init_fifo: ep=10 sz=0 + dwc2 ff580000.usb: dwc2_hsotg_init_fifo: ep=11 sz=0 + dwc2 ff580000.usb: dwc2_hsotg_init_fifo: ep=12 sz=0 + dwc2 ff580000.usb: dwc2_hsotg_init_fifo: ep=13 sz=0 + dwc2 ff580000.usb: dwc2_hsotg_init_fifo: ep=14 sz=0 + dwc2 ff580000.usb: dwc2_hsotg_init_fifo: ep=15 sz=0 + +but: + + # cat /sys/kernel/debug/ff580000.usb/fifo + Non-periodic FIFOs: + RXFIFO: Size 275 + NPTXFIFO: Size 16, Start 0x00000113 + + Periodic TXFIFOs: + DPTXFIFO 1: Size 256, Start 0x00000123 + DPTXFIFO 2: Size 128, Start 0x00000223 + DPTXFIFO 3: Size 128, Start 0x000002a3 + DPTXFIFO 4: Size 64, Start 0x00000323 + DPTXFIFO 5: Size 64, Start 0x00000363 + DPTXFIFO 6: Size 32, Start 0x000003a3 + DPTXFIFO 7: Size 0, Start 0x000003e3 + DPTXFIFO 8: Size 0, Start 0x000003a3 + DPTXFIFO 9: Size 256, Start 0x00000123 + +so it seems that FIFO 9 is mirroring FIFO 1. + +Fix the allocation by using the FIFO count instead of the endpoint count +when selecting a FIFO for an endpoint. + +Acked-by: Minas Harutyunyan +Signed-off-by: John Keeping +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc2/gadget.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/dwc2/gadget.c b/drivers/usb/dwc2/gadget.c +index 4af9a1c652edb..aeb6f7c84ea0a 100644 +--- a/drivers/usb/dwc2/gadget.c ++++ b/drivers/usb/dwc2/gadget.c +@@ -3933,11 +3933,12 @@ static int dwc2_hsotg_ep_enable(struct usb_ep *ep, + * a unique tx-fifo even if it is non-periodic. + */ + if (dir_in && hsotg->dedicated_fifos) { ++ unsigned fifo_count = dwc2_hsotg_tx_fifo_count(hsotg); + u32 fifo_index = 0; + u32 fifo_size = UINT_MAX; + + size = hs_ep->ep.maxpacket * hs_ep->mc; +- for (i = 1; i < hsotg->num_of_eps; ++i) { ++ for (i = 1; i <= fifo_count; ++i) { + if (hsotg->fifo_map & (1 << i)) + continue; + val = dwc2_readl(hsotg->regs + DPTXFSIZN(i)); +-- +2.20.1 + diff --git a/queue-4.14/usb-gadget-udc-fix-possible-sleep-in-atomic-context-.patch b/queue-4.14/usb-gadget-udc-fix-possible-sleep-in-atomic-context-.patch new file mode 100644 index 00000000000..9741e4154d2 --- /dev/null +++ b/queue-4.14/usb-gadget-udc-fix-possible-sleep-in-atomic-context-.patch @@ -0,0 +1,111 @@ +From 177c18ea15bc4a618a3577ff3e8658cdd3319715 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Dec 2019 11:43:49 +0800 +Subject: usb: gadget: udc: fix possible sleep-in-atomic-context bugs in + gr_probe() + +From: Jia-Ju Bai + +[ Upstream commit 9c1ed62ae0690dfe5d5e31d8f70e70a95cb48e52 ] + +The driver may sleep while holding a spinlock. +The function call path (from bottom to top) in Linux 4.19 is: + +drivers/usb/gadget/udc/core.c, 1175: + kzalloc(GFP_KERNEL) in usb_add_gadget_udc_release +drivers/usb/gadget/udc/core.c, 1272: + usb_add_gadget_udc_release in usb_add_gadget_udc +drivers/usb/gadget/udc/gr_udc.c, 2186: + usb_add_gadget_udc in gr_probe +drivers/usb/gadget/udc/gr_udc.c, 2183: + spin_lock in gr_probe + +drivers/usb/gadget/udc/core.c, 1195: + mutex_lock in usb_add_gadget_udc_release +drivers/usb/gadget/udc/core.c, 1272: + usb_add_gadget_udc_release in usb_add_gadget_udc +drivers/usb/gadget/udc/gr_udc.c, 2186: + usb_add_gadget_udc in gr_probe +drivers/usb/gadget/udc/gr_udc.c, 2183: + spin_lock in gr_probe + +drivers/usb/gadget/udc/gr_udc.c, 212: + debugfs_create_file in gr_probe +drivers/usb/gadget/udc/gr_udc.c, 2197: + gr_dfs_create in gr_probe +drivers/usb/gadget/udc/gr_udc.c, 2183: + spin_lock in gr_probe + +drivers/usb/gadget/udc/gr_udc.c, 2114: + devm_request_threaded_irq in gr_request_irq +drivers/usb/gadget/udc/gr_udc.c, 2202: + gr_request_irq in gr_probe +drivers/usb/gadget/udc/gr_udc.c, 2183: + spin_lock in gr_probe + +kzalloc(GFP_KERNEL), mutex_lock(), debugfs_create_file() and +devm_request_threaded_irq() can sleep at runtime. + +To fix these possible bugs, usb_add_gadget_udc(), gr_dfs_create() and +gr_request_irq() are called without handling the spinlock. + +These bugs are found by a static analysis tool STCheck written by myself. + +Signed-off-by: Jia-Ju Bai +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/gr_udc.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/drivers/usb/gadget/udc/gr_udc.c b/drivers/usb/gadget/udc/gr_udc.c +index 1f9941145746e..feb73a1c42ef9 100644 +--- a/drivers/usb/gadget/udc/gr_udc.c ++++ b/drivers/usb/gadget/udc/gr_udc.c +@@ -2200,8 +2200,6 @@ static int gr_probe(struct platform_device *pdev) + return -ENOMEM; + } + +- spin_lock(&dev->lock); +- + /* Inside lock so that no gadget can use this udc until probe is done */ + retval = usb_add_gadget_udc(dev->dev, &dev->gadget); + if (retval) { +@@ -2210,15 +2208,21 @@ static int gr_probe(struct platform_device *pdev) + } + dev->added = 1; + ++ spin_lock(&dev->lock); ++ + retval = gr_udc_init(dev); +- if (retval) ++ if (retval) { ++ spin_unlock(&dev->lock); + goto out; +- +- gr_dfs_create(dev); ++ } + + /* Clear all interrupt enables that might be left on since last boot */ + gr_disable_interrupts_and_pullup(dev); + ++ spin_unlock(&dev->lock); ++ ++ gr_dfs_create(dev); ++ + retval = gr_request_irq(dev, dev->irq); + if (retval) { + dev_err(dev->dev, "Failed to request irq %d\n", dev->irq); +@@ -2247,8 +2251,6 @@ static int gr_probe(struct platform_device *pdev) + dev_info(dev->dev, "regs: %p, irq %d\n", dev->regs, dev->irq); + + out: +- spin_unlock(&dev->lock); +- + if (retval) + gr_remove(pdev); + +-- +2.20.1 + diff --git a/queue-4.14/usb-musb-omap2430-get-rid-of-musb-.set_vbus-for-omap.patch b/queue-4.14/usb-musb-omap2430-get-rid-of-musb-.set_vbus-for-omap.patch new file mode 100644 index 00000000000..9873389303e --- /dev/null +++ b/queue-4.14/usb-musb-omap2430-get-rid-of-musb-.set_vbus-for-omap.patch @@ -0,0 +1,56 @@ +From 0e135175044f2b31956b12841974745f6d8310d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Jan 2020 07:25:26 -0600 +Subject: usb: musb: omap2430: Get rid of musb .set_vbus for omap2430 glue + +From: Tony Lindgren + +[ Upstream commit 91b6dec32e5c25fbdbb564d1e5af23764ec17ef1 ] + +We currently have musb_set_vbus() called from two different paths. Mostly +it gets called from the USB PHY via omap_musb_set_mailbox(), but in some +cases it can get also called from musb_stage0_irq() rather via .set_vbus: + +(musb_set_host [musb_hdrc]) +(omap2430_musb_set_vbus [omap2430]) +(musb_stage0_irq [musb_hdrc]) +(musb_interrupt [musb_hdrc]) +(omap2430_musb_interrupt [omap2430]) + +This is racy and will not work with introducing generic helper functions +for musb_set_host() and musb_set_peripheral(). We want to get rid of the +busy loops in favor of usleep_range(). + +Let's just get rid of .set_vbus for omap2430 glue layer and let the PHY +code handle VBUS with musb_set_vbus(). Note that in the follow-up patch +we can completely remove omap2430_musb_set_vbus(), but let's do it in a +separate patch as this change may actually turn out to be needed as a +fix. + +Reported-by: Pavel Machek +Acked-by: Pavel Machek +Signed-off-by: Tony Lindgren +Signed-off-by: Bin Liu +Link: https://lore.kernel.org/r/20200115132547.364-5-b-liu@ti.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/musb/omap2430.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/usb/musb/omap2430.c b/drivers/usb/musb/omap2430.c +index 456f3e6ecf034..26e69c2766f56 100644 +--- a/drivers/usb/musb/omap2430.c ++++ b/drivers/usb/musb/omap2430.c +@@ -388,8 +388,6 @@ static const struct musb_platform_ops omap2430_ops = { + .init = omap2430_musb_init, + .exit = omap2430_musb_exit, + +- .set_vbus = omap2430_musb_set_vbus, +- + .enable = omap2430_musb_enable, + .disable = omap2430_musb_disable, + +-- +2.20.1 + diff --git a/queue-4.14/usbip-fix-unsafe-unaligned-pointer-usage.patch b/queue-4.14/usbip-fix-unsafe-unaligned-pointer-usage.patch new file mode 100644 index 00000000000..fdc996a3f56 --- /dev/null +++ b/queue-4.14/usbip-fix-unsafe-unaligned-pointer-usage.patch @@ -0,0 +1,156 @@ +From a1850c92fcea9a40deef9f0cfbe388cd49dbc97d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jan 2020 18:24:16 -0700 +Subject: usbip: Fix unsafe unaligned pointer usage +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Shuah Khan + +[ Upstream commit 585c91f40d201bc564d4e76b83c05b3b5363fe7e ] + +Fix unsafe unaligned pointer usage in usbip network interfaces. usbip tool +build fails with new gcc -Werror=address-of-packed-member checks. + +usbip_network.c: In function ‘usbip_net_pack_usb_device’: +usbip_network.c:79:32: error: taking address of packed member of ‘struct usbip_usb_device’ may result in an unaligned pointer value [-Werror=address-of-packed-member] + 79 | usbip_net_pack_uint32_t(pack, &udev->busnum); + +Fix with minor changes to pass by value instead of by address. + +Signed-off-by: Shuah Khan +Link: https://lore.kernel.org/r/20200109012416.2875-1-skhan@linuxfoundation.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + tools/usb/usbip/src/usbip_network.c | 40 +++++++++++++++++------------ + tools/usb/usbip/src/usbip_network.h | 12 +++------ + 2 files changed, 27 insertions(+), 25 deletions(-) + +diff --git a/tools/usb/usbip/src/usbip_network.c b/tools/usb/usbip/src/usbip_network.c +index b4c37e76a6e08..187dfaa67d0a2 100644 +--- a/tools/usb/usbip/src/usbip_network.c ++++ b/tools/usb/usbip/src/usbip_network.c +@@ -62,39 +62,39 @@ void usbip_setup_port_number(char *arg) + info("using port %d (\"%s\")", usbip_port, usbip_port_string); + } + +-void usbip_net_pack_uint32_t(int pack, uint32_t *num) ++uint32_t usbip_net_pack_uint32_t(int pack, uint32_t num) + { + uint32_t i; + + if (pack) +- i = htonl(*num); ++ i = htonl(num); + else +- i = ntohl(*num); ++ i = ntohl(num); + +- *num = i; ++ return i; + } + +-void usbip_net_pack_uint16_t(int pack, uint16_t *num) ++uint16_t usbip_net_pack_uint16_t(int pack, uint16_t num) + { + uint16_t i; + + if (pack) +- i = htons(*num); ++ i = htons(num); + else +- i = ntohs(*num); ++ i = ntohs(num); + +- *num = i; ++ return i; + } + + void usbip_net_pack_usb_device(int pack, struct usbip_usb_device *udev) + { +- usbip_net_pack_uint32_t(pack, &udev->busnum); +- usbip_net_pack_uint32_t(pack, &udev->devnum); +- usbip_net_pack_uint32_t(pack, &udev->speed); ++ udev->busnum = usbip_net_pack_uint32_t(pack, udev->busnum); ++ udev->devnum = usbip_net_pack_uint32_t(pack, udev->devnum); ++ udev->speed = usbip_net_pack_uint32_t(pack, udev->speed); + +- usbip_net_pack_uint16_t(pack, &udev->idVendor); +- usbip_net_pack_uint16_t(pack, &udev->idProduct); +- usbip_net_pack_uint16_t(pack, &udev->bcdDevice); ++ udev->idVendor = usbip_net_pack_uint16_t(pack, udev->idVendor); ++ udev->idProduct = usbip_net_pack_uint16_t(pack, udev->idProduct); ++ udev->bcdDevice = usbip_net_pack_uint16_t(pack, udev->bcdDevice); + } + + void usbip_net_pack_usb_interface(int pack __attribute__((unused)), +@@ -141,6 +141,14 @@ ssize_t usbip_net_send(int sockfd, void *buff, size_t bufflen) + return usbip_net_xmit(sockfd, buff, bufflen, 1); + } + ++static inline void usbip_net_pack_op_common(int pack, ++ struct op_common *op_common) ++{ ++ op_common->version = usbip_net_pack_uint16_t(pack, op_common->version); ++ op_common->code = usbip_net_pack_uint16_t(pack, op_common->code); ++ op_common->status = usbip_net_pack_uint32_t(pack, op_common->status); ++} ++ + int usbip_net_send_op_common(int sockfd, uint32_t code, uint32_t status) + { + struct op_common op_common; +@@ -152,7 +160,7 @@ int usbip_net_send_op_common(int sockfd, uint32_t code, uint32_t status) + op_common.code = code; + op_common.status = status; + +- PACK_OP_COMMON(1, &op_common); ++ usbip_net_pack_op_common(1, &op_common); + + rc = usbip_net_send(sockfd, &op_common, sizeof(op_common)); + if (rc < 0) { +@@ -176,7 +184,7 @@ int usbip_net_recv_op_common(int sockfd, uint16_t *code) + goto err; + } + +- PACK_OP_COMMON(0, &op_common); ++ usbip_net_pack_op_common(0, &op_common); + + if (op_common.version != USBIP_VERSION) { + dbg("version mismatch: %d %d", op_common.version, +diff --git a/tools/usb/usbip/src/usbip_network.h b/tools/usb/usbip/src/usbip_network.h +index 7032687621d3b..8e8330c0f1c9c 100644 +--- a/tools/usb/usbip/src/usbip_network.h ++++ b/tools/usb/usbip/src/usbip_network.h +@@ -34,12 +34,6 @@ struct op_common { + + } __attribute__((packed)); + +-#define PACK_OP_COMMON(pack, op_common) do {\ +- usbip_net_pack_uint16_t(pack, &(op_common)->version);\ +- usbip_net_pack_uint16_t(pack, &(op_common)->code);\ +- usbip_net_pack_uint32_t(pack, &(op_common)->status);\ +-} while (0) +- + /* ---------------------------------------------------------------------- */ + /* Dummy Code */ + #define OP_UNSPEC 0x00 +@@ -165,11 +159,11 @@ struct op_devlist_reply_extra { + } while (0) + + #define PACK_OP_DEVLIST_REPLY(pack, reply) do {\ +- usbip_net_pack_uint32_t(pack, &(reply)->ndev);\ ++ (reply)->ndev = usbip_net_pack_uint32_t(pack, (reply)->ndev);\ + } while (0) + +-void usbip_net_pack_uint32_t(int pack, uint32_t *num); +-void usbip_net_pack_uint16_t(int pack, uint16_t *num); ++uint32_t usbip_net_pack_uint32_t(int pack, uint32_t num); ++uint16_t usbip_net_pack_uint16_t(int pack, uint16_t num); + void usbip_net_pack_usb_device(int pack, struct usbip_usb_device *udev); + void usbip_net_pack_usb_interface(int pack, struct usbip_usb_interface *uinf); + +-- +2.20.1 + diff --git a/queue-4.14/virtio_balloon-prevent-pfn-array-overflow.patch b/queue-4.14/virtio_balloon-prevent-pfn-array-overflow.patch new file mode 100644 index 00000000000..fbc29c5f12a --- /dev/null +++ b/queue-4.14/virtio_balloon-prevent-pfn-array-overflow.patch @@ -0,0 +1,36 @@ +From 3fb813bc2977c81e56034f94572cb927d8cf9887 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Feb 2020 02:40:58 -0500 +Subject: virtio_balloon: prevent pfn array overflow + +From: Michael S. Tsirkin + +[ Upstream commit 6e9826e77249355c09db6ba41cd3f84e89f4b614 ] + +Make sure, at build time, that pfn array is big enough to hold a single +page. It happens to be true since the PAGE_SHIFT value at the moment is +20, which is 1M - exactly 256 4K balloon pages. + +Signed-off-by: Michael S. Tsirkin +Reviewed-by: David Hildenbrand +Signed-off-by: Sasha Levin +--- + drivers/virtio/virtio_balloon.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/virtio/virtio_balloon.c b/drivers/virtio/virtio_balloon.c +index 499531608fa26..71970773aad13 100644 +--- a/drivers/virtio/virtio_balloon.c ++++ b/drivers/virtio/virtio_balloon.c +@@ -132,6 +132,8 @@ static void set_page_pfns(struct virtio_balloon *vb, + { + unsigned int i; + ++ BUILD_BUG_ON(VIRTIO_BALLOON_PAGES_PER_PAGE > VIRTIO_BALLOON_ARRAY_PFNS_MAX); ++ + /* + * Set balloon pfns pointing at this page. + * Note that the first pfn points at start of the page. +-- +2.20.1 + diff --git a/queue-4.14/vme-bridges-reduce-stack-usage.patch b/queue-4.14/vme-bridges-reduce-stack-usage.patch new file mode 100644 index 00000000000..3b237d797d4 --- /dev/null +++ b/queue-4.14/vme-bridges-reduce-stack-usage.patch @@ -0,0 +1,110 @@ +From d84304dee2d49ec6fc68e838c1707b64cfbc1c9d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jan 2020 21:05:43 +0100 +Subject: vme: bridges: reduce stack usage + +From: Arnd Bergmann + +[ Upstream commit 7483e7a939c074d887450ef1c4d9ccc5909405f8 ] + +With CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE_O3, the stack usage in vme_fake +grows above the warning limit: + +drivers/vme/bridges/vme_fake.c: In function 'fake_master_read': +drivers/vme/bridges/vme_fake.c:610:1: error: the frame size of 1160 bytes is larger than 1024 bytes [-Werror=frame-larger-than=] +drivers/vme/bridges/vme_fake.c: In function 'fake_master_write': +drivers/vme/bridges/vme_fake.c:797:1: error: the frame size of 1160 bytes is larger than 1024 bytes [-Werror=frame-larger-than=] + +The problem is that in some configurations, each call to +fake_vmereadX() puts another variable on the stack. + +Reduce the amount of inlining to get back to the previous state, +with no function using more than 200 bytes each. + +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20200107200610.3482901-1-arnd@arndb.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/vme/bridges/vme_fake.c | 30 ++++++++++++++++++------------ + 1 file changed, 18 insertions(+), 12 deletions(-) + +diff --git a/drivers/vme/bridges/vme_fake.c b/drivers/vme/bridges/vme_fake.c +index 30b3acc938330..e81ec763b5555 100644 +--- a/drivers/vme/bridges/vme_fake.c ++++ b/drivers/vme/bridges/vme_fake.c +@@ -418,8 +418,9 @@ static void fake_lm_check(struct fake_driver *bridge, unsigned long long addr, + } + } + +-static u8 fake_vmeread8(struct fake_driver *bridge, unsigned long long addr, +- u32 aspace, u32 cycle) ++static noinline_for_stack u8 fake_vmeread8(struct fake_driver *bridge, ++ unsigned long long addr, ++ u32 aspace, u32 cycle) + { + u8 retval = 0xff; + int i; +@@ -450,8 +451,9 @@ static u8 fake_vmeread8(struct fake_driver *bridge, unsigned long long addr, + return retval; + } + +-static u16 fake_vmeread16(struct fake_driver *bridge, unsigned long long addr, +- u32 aspace, u32 cycle) ++static noinline_for_stack u16 fake_vmeread16(struct fake_driver *bridge, ++ unsigned long long addr, ++ u32 aspace, u32 cycle) + { + u16 retval = 0xffff; + int i; +@@ -482,8 +484,9 @@ static u16 fake_vmeread16(struct fake_driver *bridge, unsigned long long addr, + return retval; + } + +-static u32 fake_vmeread32(struct fake_driver *bridge, unsigned long long addr, +- u32 aspace, u32 cycle) ++static noinline_for_stack u32 fake_vmeread32(struct fake_driver *bridge, ++ unsigned long long addr, ++ u32 aspace, u32 cycle) + { + u32 retval = 0xffffffff; + int i; +@@ -613,8 +616,9 @@ out: + return retval; + } + +-static void fake_vmewrite8(struct fake_driver *bridge, u8 *buf, +- unsigned long long addr, u32 aspace, u32 cycle) ++static noinline_for_stack void fake_vmewrite8(struct fake_driver *bridge, ++ u8 *buf, unsigned long long addr, ++ u32 aspace, u32 cycle) + { + int i; + unsigned long long start, end, offset; +@@ -643,8 +647,9 @@ static void fake_vmewrite8(struct fake_driver *bridge, u8 *buf, + + } + +-static void fake_vmewrite16(struct fake_driver *bridge, u16 *buf, +- unsigned long long addr, u32 aspace, u32 cycle) ++static noinline_for_stack void fake_vmewrite16(struct fake_driver *bridge, ++ u16 *buf, unsigned long long addr, ++ u32 aspace, u32 cycle) + { + int i; + unsigned long long start, end, offset; +@@ -673,8 +678,9 @@ static void fake_vmewrite16(struct fake_driver *bridge, u16 *buf, + + } + +-static void fake_vmewrite32(struct fake_driver *bridge, u32 *buf, +- unsigned long long addr, u32 aspace, u32 cycle) ++static noinline_for_stack void fake_vmewrite32(struct fake_driver *bridge, ++ u32 *buf, unsigned long long addr, ++ u32 aspace, u32 cycle) + { + int i; + unsigned long long start, end, offset; +-- +2.20.1 + diff --git a/queue-4.14/wan-ixp4xx_hss-fix-compile-testing-on-64-bit.patch b/queue-4.14/wan-ixp4xx_hss-fix-compile-testing-on-64-bit.patch new file mode 100644 index 00000000000..46897ee974b --- /dev/null +++ b/queue-4.14/wan-ixp4xx_hss-fix-compile-testing-on-64-bit.patch @@ -0,0 +1,55 @@ +From 3b80aa4d3cea849ae59a8dadeb165260d808762d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Jan 2020 13:04:42 +0100 +Subject: wan: ixp4xx_hss: fix compile-testing on 64-bit + +From: Arnd Bergmann + +[ Upstream commit 504c28c853ec5c626900b914b5833daf0581a344 ] + +Change the driver to use portable integer types to avoid +warnings during compile testing: + +drivers/net/wan/ixp4xx_hss.c:863:21: error: cast to 'u32 *' (aka 'unsigned int *') from smaller integer type 'int' [-Werror,-Wint-to-pointer-cast] + memcpy_swab32(mem, (u32 *)((int)skb->data & ~3), bytes / 4); + ^ +drivers/net/wan/ixp4xx_hss.c:979:12: error: incompatible pointer types passing 'u32 *' (aka 'unsigned int *') to parameter of type 'dma_addr_t *' (aka 'unsigned long long *') [-Werror,-Wincompatible-pointer-types] + &port->desc_tab_phys))) + ^~~~~~~~~~~~~~~~~~~~ +include/linux/dmapool.h:27:20: note: passing argument to parameter 'handle' here + dma_addr_t *handle); + ^ + +Signed-off-by: Arnd Bergmann +Signed-off-by: Linus Walleij +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/wan/ixp4xx_hss.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wan/ixp4xx_hss.c b/drivers/net/wan/ixp4xx_hss.c +index 6a505c26a3e74..a269ed63d90f7 100644 +--- a/drivers/net/wan/ixp4xx_hss.c ++++ b/drivers/net/wan/ixp4xx_hss.c +@@ -261,7 +261,7 @@ struct port { + struct hss_plat_info *plat; + buffer_t *rx_buff_tab[RX_DESCS], *tx_buff_tab[TX_DESCS]; + struct desc *desc_tab; /* coherent */ +- u32 desc_tab_phys; ++ dma_addr_t desc_tab_phys; + unsigned int id; + unsigned int clock_type, clock_rate, loopback; + unsigned int initialized, carrier; +@@ -861,7 +861,7 @@ static int hss_hdlc_xmit(struct sk_buff *skb, struct net_device *dev) + dev->stats.tx_dropped++; + return NETDEV_TX_OK; + } +- memcpy_swab32(mem, (u32 *)((int)skb->data & ~3), bytes / 4); ++ memcpy_swab32(mem, (u32 *)((uintptr_t)skb->data & ~3), bytes / 4); + dev_kfree_skb(skb); + #endif + +-- +2.20.1 + diff --git a/queue-4.14/watchdog-softlockup-enforce-that-timestamp-is-valid-.patch b/queue-4.14/watchdog-softlockup-enforce-that-timestamp-is-valid-.patch new file mode 100644 index 00000000000..6098f00eb1a --- /dev/null +++ b/queue-4.14/watchdog-softlockup-enforce-that-timestamp-is-valid-.patch @@ -0,0 +1,81 @@ +From 34adb6fadc739c44def5baa5aefeae67cdbf6e63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jan 2020 19:17:02 +0100 +Subject: watchdog/softlockup: Enforce that timestamp is valid on boot + +From: Thomas Gleixner + +[ Upstream commit 11e31f608b499f044f24b20be73f1dcab3e43f8a ] + +Robert reported that during boot the watchdog timestamp is set to 0 for one +second which is the indicator for a watchdog reset. + +The reason for this is that the timestamp is in seconds and the time is +taken from sched clock and divided by ~1e9. sched clock starts at 0 which +means that for the first second during boot the watchdog timestamp is 0, +i.e. reset. + +Use ULONG_MAX as the reset indicator value so the watchdog works correctly +right from the start. ULONG_MAX would only conflict with a real timestamp +if the system reaches an uptime of 136 years on 32bit and almost eternity +on 64bit. + +Reported-by: Robert Richter +Signed-off-by: Thomas Gleixner +Link: https://lore.kernel.org/r/87o8v3uuzl.fsf@nanos.tec.linutronix.de +Signed-off-by: Sasha Levin +--- + kernel/watchdog.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/kernel/watchdog.c b/kernel/watchdog.c +index 087994b23f8b9..e4db5d54c07c0 100644 +--- a/kernel/watchdog.c ++++ b/kernel/watchdog.c +@@ -164,6 +164,8 @@ static void lockup_detector_update_enable(void) + + #ifdef CONFIG_SOFTLOCKUP_DETECTOR + ++#define SOFTLOCKUP_RESET ULONG_MAX ++ + /* Global variables, exported for sysctl */ + unsigned int __read_mostly softlockup_panic = + CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC_VALUE; +@@ -271,7 +273,7 @@ notrace void touch_softlockup_watchdog_sched(void) + * Preemption can be enabled. It doesn't matter which CPU's timestamp + * gets zeroed here, so use the raw_ operation. + */ +- raw_cpu_write(watchdog_touch_ts, 0); ++ raw_cpu_write(watchdog_touch_ts, SOFTLOCKUP_RESET); + } + + notrace void touch_softlockup_watchdog(void) +@@ -295,14 +297,14 @@ void touch_all_softlockup_watchdogs(void) + * the softlockup check. + */ + for_each_cpu(cpu, &watchdog_allowed_mask) +- per_cpu(watchdog_touch_ts, cpu) = 0; ++ per_cpu(watchdog_touch_ts, cpu) = SOFTLOCKUP_RESET; + wq_watchdog_touch(-1); + } + + void touch_softlockup_watchdog_sync(void) + { + __this_cpu_write(softlockup_touch_sync, true); +- __this_cpu_write(watchdog_touch_ts, 0); ++ __this_cpu_write(watchdog_touch_ts, SOFTLOCKUP_RESET); + } + + static int is_softlockup(unsigned long touch_ts) +@@ -354,7 +356,7 @@ static enum hrtimer_restart watchdog_timer_fn(struct hrtimer *hrtimer) + /* .. and repeat */ + hrtimer_forward_now(hrtimer, ns_to_ktime(sample_period)); + +- if (touch_ts == 0) { ++ if (touch_ts == SOFTLOCKUP_RESET) { + if (unlikely(__this_cpu_read(softlockup_touch_sync))) { + /* + * If the time stamp was touched atomically +-- +2.20.1 + diff --git a/queue-4.14/x86-decoder-add-test-opcode-to-group3-2.patch b/queue-4.14/x86-decoder-add-test-opcode-to-group3-2.patch new file mode 100644 index 00000000000..726749061f2 --- /dev/null +++ b/queue-4.14/x86-decoder-add-test-opcode-to-group3-2.patch @@ -0,0 +1,80 @@ +From 46938f97d01895ff2f73d02598e0cccd56cd9fe1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Jan 2020 13:11:54 +0900 +Subject: x86/decoder: Add TEST opcode to Group3-2 + +From: Masami Hiramatsu + +[ Upstream commit 8b7e20a7ba54836076ff35a28349dabea4cec48f ] + +Add TEST opcode to Group3-2 reg=001b as same as Group3-1 does. + +Commit + + 12a78d43de76 ("x86/decoder: Add new TEST instruction pattern") + +added a TEST opcode assignment to f6 XX/001/XXX (Group 3-1), but did +not add f7 XX/001/XXX (Group 3-2). + +Actually, this TEST opcode variant (ModRM.reg /1) is not described in +the Intel SDM Vol2 but in AMD64 Architecture Programmer's Manual Vol.3, +Appendix A.2 Table A-6. ModRM.reg Extensions for the Primary Opcode Map. + +Without this fix, Randy found a warning by insn_decoder_test related +to this issue as below. + + HOSTCC arch/x86/tools/insn_decoder_test + HOSTCC arch/x86/tools/insn_sanity + TEST posttest + arch/x86/tools/insn_decoder_test: warning: Found an x86 instruction decoder bug, please report this. + arch/x86/tools/insn_decoder_test: warning: ffffffff81000bf1: f7 0b 00 01 08 00 testl $0x80100,(%rbx) + arch/x86/tools/insn_decoder_test: warning: objdump says 6 bytes, but insn_get_length() says 2 + arch/x86/tools/insn_decoder_test: warning: Decoded and checked 11913894 instructions with 1 failures + TEST posttest + arch/x86/tools/insn_sanity: Success: decoded and checked 1000000 random instructions with 0 errors (seed:0x871ce29c) + +To fix this error, add the TEST opcode according to AMD64 APM Vol.3. + + [ bp: Massage commit message. ] + +Reported-by: Randy Dunlap +Signed-off-by: Masami Hiramatsu +Signed-off-by: Borislav Petkov +Acked-by: Randy Dunlap +Tested-by: Randy Dunlap +Link: https://lkml.kernel.org/r/157966631413.9580.10311036595431878351.stgit@devnote2 +Signed-off-by: Sasha Levin +--- + arch/x86/lib/x86-opcode-map.txt | 2 +- + tools/objtool/arch/x86/lib/x86-opcode-map.txt | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/lib/x86-opcode-map.txt b/arch/x86/lib/x86-opcode-map.txt +index 0a0e9112f2842..5cb9f009f2be3 100644 +--- a/arch/x86/lib/x86-opcode-map.txt ++++ b/arch/x86/lib/x86-opcode-map.txt +@@ -909,7 +909,7 @@ EndTable + + GrpTable: Grp3_2 + 0: TEST Ev,Iz +-1: ++1: TEST Ev,Iz + 2: NOT Ev + 3: NEG Ev + 4: MUL rAX,Ev +diff --git a/tools/objtool/arch/x86/lib/x86-opcode-map.txt b/tools/objtool/arch/x86/lib/x86-opcode-map.txt +index 0a0e9112f2842..5cb9f009f2be3 100644 +--- a/tools/objtool/arch/x86/lib/x86-opcode-map.txt ++++ b/tools/objtool/arch/x86/lib/x86-opcode-map.txt +@@ -909,7 +909,7 @@ EndTable + + GrpTable: Grp3_2 + 0: TEST Ev,Iz +-1: ++1: TEST Ev,Iz + 2: NOT Ev + 3: NEG Ev + 4: MUL rAX,Ev +-- +2.20.1 + diff --git a/queue-4.14/x86-mm-fix-nx-bit-clearing-issue-in-kernel_map_pages.patch b/queue-4.14/x86-mm-fix-nx-bit-clearing-issue-in-kernel_map_pages.patch new file mode 100644 index 00000000000..7ac121bb883 --- /dev/null +++ b/queue-4.14/x86-mm-fix-nx-bit-clearing-issue-in-kernel_map_pages.patch @@ -0,0 +1,61 @@ +From 6947f38d241806c8a515eeec69429e2d8444f30d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jan 2020 18:22:36 +0100 +Subject: x86/mm: Fix NX bit clearing issue in kernel_map_pages_in_pgd + +From: Ard Biesheuvel + +[ Upstream commit 75fbef0a8b6b4bb19b9a91b5214f846c2dc5139e ] + +The following commit: + + 15f003d20782 ("x86/mm/pat: Don't implicitly allow _PAGE_RW in kernel_map_pages_in_pgd()") + +modified kernel_map_pages_in_pgd() to manage writable permissions +of memory mappings in the EFI page table in a different way, but +in the process, it removed the ability to clear NX attributes from +read-only mappings, by clobbering the clear mask if _PAGE_RW is not +being requested. + +Failure to remove the NX attribute from read-only mappings is +unlikely to be a security issue, but it does prevent us from +tightening the permissions in the EFI page tables going forward, +so let's fix it now. + +Fixes: 15f003d20782 ("x86/mm/pat: Don't implicitly allow _PAGE_RW in kernel_map_pages_in_pgd() +Signed-off-by: Ard Biesheuvel +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/20200113172245.27925-5-ardb@kernel.org +Signed-off-by: Sasha Levin +--- + arch/x86/mm/pageattr.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c +index 835620ab435fd..eaee1a7ed0b50 100644 +--- a/arch/x86/mm/pageattr.c ++++ b/arch/x86/mm/pageattr.c +@@ -2077,19 +2077,13 @@ int kernel_map_pages_in_pgd(pgd_t *pgd, u64 pfn, unsigned long address, + .pgd = pgd, + .numpages = numpages, + .mask_set = __pgprot(0), +- .mask_clr = __pgprot(0), ++ .mask_clr = __pgprot(~page_flags & (_PAGE_NX|_PAGE_RW)), + .flags = 0, + }; + + if (!(__supported_pte_mask & _PAGE_NX)) + goto out; + +- if (!(page_flags & _PAGE_NX)) +- cpa.mask_clr = __pgprot(_PAGE_NX); +- +- if (!(page_flags & _PAGE_RW)) +- cpa.mask_clr = __pgprot(_PAGE_RW); +- + if (!(page_flags & _PAGE_ENC)) + cpa.mask_clr = pgprot_encrypted(cpa.mask_clr); + +-- +2.20.1 + diff --git a/queue-4.14/x86-sysfb-fix-check-for-bad-vram-size.patch b/queue-4.14/x86-sysfb-fix-check-for-bad-vram-size.patch new file mode 100644 index 00000000000..57e2fe7567a --- /dev/null +++ b/queue-4.14/x86-sysfb-fix-check-for-bad-vram-size.patch @@ -0,0 +1,50 @@ +From c56e573945c3c939c9ced82874acf6bd3fb4d38f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jan 2020 18:04:10 -0500 +Subject: x86/sysfb: Fix check for bad VRAM size + +From: Arvind Sankar + +[ Upstream commit dacc9092336be20b01642afe1a51720b31f60369 ] + +When checking whether the reported lfb_size makes sense, the height +* stride result is page-aligned before seeing whether it exceeds the +reported size. + +This doesn't work if height * stride is not an exact number of pages. +For example, as reported in the kernel bugzilla below, an 800x600x32 EFI +framebuffer gets skipped because of this. + +Move the PAGE_ALIGN to after the check vs size. + +Reported-by: Christopher Head +Tested-by: Christopher Head +Signed-off-by: Arvind Sankar +Signed-off-by: Borislav Petkov +Link: https://bugzilla.kernel.org/show_bug.cgi?id=206051 +Link: https://lkml.kernel.org/r/20200107230410.2291947-1-nivedita@alum.mit.edu +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/sysfb_simplefb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/sysfb_simplefb.c b/arch/x86/kernel/sysfb_simplefb.c +index 85195d447a922..f3215346e47fd 100644 +--- a/arch/x86/kernel/sysfb_simplefb.c ++++ b/arch/x86/kernel/sysfb_simplefb.c +@@ -94,11 +94,11 @@ __init int create_simplefb(const struct screen_info *si, + if (si->orig_video_isVGA == VIDEO_TYPE_VLFB) + size <<= 16; + length = mode->height * mode->stride; +- length = PAGE_ALIGN(length); + if (length > size) { + printk(KERN_WARNING "sysfb: VRAM smaller than advertised\n"); + return -EINVAL; + } ++ length = PAGE_ALIGN(length); + + /* setup IORESOURCE_MEM as framebuffer memory */ + memset(&res, 0, sizeof(res)); +-- +2.20.1 + diff --git a/queue-4.14/x86-unwind-orc-fix-config_modules-build-warning.patch b/queue-4.14/x86-unwind-orc-fix-config_modules-build-warning.patch new file mode 100644 index 00000000000..e9af487f8d4 --- /dev/null +++ b/queue-4.14/x86-unwind-orc-fix-config_modules-build-warning.patch @@ -0,0 +1,55 @@ +From b311b11cbb1f15f40ebd6402cc90603d2cb6fcbf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Dec 2019 11:07:29 +0800 +Subject: x86/unwind/orc: Fix !CONFIG_MODULES build warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Shile Zhang + +[ Upstream commit 22a7fa8848c5e881d87ef2f7f3c2ea77b286e6f9 ] + +To fix follwowing warning due to ORC sort moved to build time: + + arch/x86/kernel/unwind_orc.c:210:12: warning: ‘orc_sort_cmp’ defined but not used [-Wunused-function] + arch/x86/kernel/unwind_orc.c:190:13: warning: ‘orc_sort_swap’ defined but not used [-Wunused-function] + +Signed-off-by: Shile Zhang +Reported-by: Stephen Rothwell +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Josh Poimboeuf +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: https://lkml.kernel.org/r/c9c81536-2afc-c8aa-c5f8-c7618ecd4f54@linux.alibaba.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/unwind_orc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/unwind_orc.c b/arch/x86/kernel/unwind_orc.c +index 3bbb399f7ead3..5ac0e0359b668 100644 +--- a/arch/x86/kernel/unwind_orc.c ++++ b/arch/x86/kernel/unwind_orc.c +@@ -131,6 +131,8 @@ static struct orc_entry *orc_find(unsigned long ip) + return orc_module_find(ip); + } + ++#ifdef CONFIG_MODULES ++ + static void orc_sort_swap(void *_a, void *_b, int size) + { + struct orc_entry *orc_a, *orc_b; +@@ -173,7 +175,6 @@ static int orc_sort_cmp(const void *_a, const void *_b) + return orc_a->sp_reg == ORC_REG_UNDEFINED ? -1 : 1; + } + +-#ifdef CONFIG_MODULES + void unwind_module_init(struct module *mod, void *_orc_ip, size_t orc_ip_size, + void *_orc, size_t orc_size) + { +-- +2.20.1 + diff --git a/queue-4.14/x86-vdso-provide-missing-include-file.patch b/queue-4.14/x86-vdso-provide-missing-include-file.patch new file mode 100644 index 00000000000..215eb9cbee6 --- /dev/null +++ b/queue-4.14/x86-vdso-provide-missing-include-file.patch @@ -0,0 +1,47 @@ +From 64d6592063b71618043e7059fe7952347849a100 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Dec 2019 21:36:07 -0500 +Subject: x86/vdso: Provide missing include file +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Valdis Klētnieks + +[ Upstream commit bff47c2302cc249bcd550b17067f8dddbd4b6f77 ] + +When building with C=1, sparse issues a warning: + + CHECK arch/x86/entry/vdso/vdso32-setup.c + arch/x86/entry/vdso/vdso32-setup.c:28:28: warning: symbol 'vdso32_enabled' was not declared. Should it be static? + +Provide the missing header file. + +Signed-off-by: Valdis Kletnieks +Signed-off-by: Borislav Petkov +Cc: "H. Peter Anvin" +Cc: Andy Lutomirski +Cc: Ingo Molnar +Cc: Thomas Gleixner +Cc: x86-ml +Link: https://lkml.kernel.org/r/36224.1575599767@turing-police +Signed-off-by: Sasha Levin +--- + arch/x86/entry/vdso/vdso32-setup.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/entry/vdso/vdso32-setup.c b/arch/x86/entry/vdso/vdso32-setup.c +index 42d4c89f990ed..ddff0ca6f5098 100644 +--- a/arch/x86/entry/vdso/vdso32-setup.c ++++ b/arch/x86/entry/vdso/vdso32-setup.c +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + + #include + #include +-- +2.20.1 + -- 2.47.3