From f3abc4c457e59df2bc8d485ddf786ac48484df79 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman
Date: Mon, 2 Mar 2020 20:38:35 +0100
Subject: [PATCH] 5.4-stable patches
added patches:
drm-i915-gvt-fix-orphan-vgpu-dmabuf_objs-lifetime.patch
drm-i915-gvt-separate-display-reset-from-all_engines-reset.patch
hid-alps-fix-an-error-handling-path-in-alps_input_configured.patch
hid-hiddev-fix-race-in-in-hiddev_disconnect.patch
hv_netvsc-fix-unwanted-wakeup-in-netvsc_attach.patch
i2c-altera-fix-potential-integer-overflow.patch
i2c-jz4780-silence-log-flood-on-txabrt.patch
kbuild-fix-dt-binding-schema-rule-to-detect-command-line-changes.patch
mac80211-remove-a-redundant-mutex-unlock.patch
mips-vpe-fix-a-double-free-and-a-memory-leak-in-release_vpe.patch
nl80211-fix-potential-leak-in-ap-start.patch
---
 ...fix-orphan-vgpu-dmabuf_objs-lifetime.patch | 45 +++++++++
 ...display-reset-from-all_engines-reset.patch | 93 +++++++++++++++++++
 ...ndling-path-in-alps_input_configured.patch | 36 +++++++
 ...dev-fix-race-in-in-hiddev_disconnect.patch | 39 ++++++++
 ...fix-unwanted-wakeup-in-netvsc_attach.patch | 64 +++++++++++++
 ...ltera-fix-potential-integer-overflow.patch | 38 ++++++++
 ...c-jz4780-silence-log-flood-on-txabrt.patch | 76 +++++++++++++++
 ...-rule-to-detect-command-line-changes.patch | 46 +++++++++
 ...0211-remove-a-redundant-mutex-unlock.patch | 48 ++++++++++
 ...ree-and-a-memory-leak-in-release_vpe.patch | 42 +++++++++
 ...80211-fix-potential-leak-in-ap-start.patch | 42 +++++++++
 queue-5.4/series | 11 +++
 12 files changed, 580 insertions(+)
 create mode 100644 queue-5.4/drm-i915-gvt-fix-orphan-vgpu-dmabuf_objs-lifetime.patch
 create mode 100644 queue-5.4/drm-i915-gvt-separate-display-reset-from-all_engines-reset.patch
 create mode 100644 queue-5.4/hid-alps-fix-an-error-handling-path-in-alps_input_configured.patch
 create mode 100644 queue-5.4/hid-hiddev-fix-race-in-in-hiddev_disconnect.patch
 create mode 100644 queue-5.4/hv_netvsc-fix-unwanted-wakeup-in-netvsc_attach.patch
 create mode 100644 queue-5.4/i2c-altera-fix-potential-integer-overflow.patch
 create mode 100644 queue-5.4/i2c-jz4780-silence-log-flood-on-txabrt.patch
 create mode 100644 queue-5.4/kbuild-fix-dt-binding-schema-rule-to-detect-command-line-changes.patch
 create mode 100644 queue-5.4/mac80211-remove-a-redundant-mutex-unlock.patch
 create mode 100644 queue-5.4/mips-vpe-fix-a-double-free-and-a-memory-leak-in-release_vpe.patch
 create mode 100644 queue-5.4/nl80211-fix-potential-leak-in-ap-start.patch
diff --git a/queue-5.4/drm-i915-gvt-fix-orphan-vgpu-dmabuf_objs-lifetime.patch b/queue-5.4/drm-i915-gvt-fix-orphan-vgpu-dmabuf_objs-lifetime.patch
new file mode 100644
index 00000000000..23b99a444b6
--- /dev/null
+++ b/queue-5.4/drm-i915-gvt-fix-orphan-vgpu-dmabuf_objs-lifetime.patch
@@ -0,0 +1,45 @@
+From b549c252b1292aea959cd9b83537fcb9384a6112 Mon Sep 17 00:00:00 2001
+From: Tina Zhang
+Date: Tue, 25 Feb 2020 13:35:27 +0800
+Subject: drm/i915/gvt: Fix orphan vgpu dmabuf_objs' lifetime
+
+From: Tina Zhang
+
+commit b549c252b1292aea959cd9b83537fcb9384a6112 upstream.
+
+Deleting dmabuf item's list head after releasing its container can lead
+to KASAN-reported issue:
+
+ BUG: KASAN: use-after-free in __list_del_entry_valid+0x15/0xf0
+ Read of size 8 at addr ffff88818a4598a8 by task kworker/u8:3/13119
+
+So fix this issue by puting deleting dmabuf_objs ahead of releasing its
+container.
+
+Fixes: dfb6ae4e14bd6 ("drm/i915/gvt: Handle orphan dmabuf_objs")
+Signed-off-by: Tina Zhang
+Reviewed-by: Zhenyu Wang
+Signed-off-by: Zhenyu Wang
+Link: http://patchwork.freedesktop.org/patch/msgid/20200225053527.8336-2-tina.zhang@intel.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/i915/gvt/dmabuf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/gvt/dmabuf.c
++++ b/drivers/gpu/drm/i915/gvt/dmabuf.c
+@@ -96,12 +96,12 @@ static void dmabuf_gem_object_free(struc
+ dmabuf_obj = container_of(pos,
+ struct intel_vgpu_dmabuf_obj, list);
+ if (dmabuf_obj == obj) {
++ list_del(pos);
+ intel_gvt_hypervisor_put_vfio_device(vgpu);
+ idr_remove(&vgpu->object_idr,
+ dmabuf_obj->dmabuf_id);
+ kfree(dmabuf_obj->info);
+ kfree(dmabuf_obj);
+- list_del(pos);
+ break;
+ }
+ }
diff --git a/queue-5.4/drm-i915-gvt-separate-display-reset-from-all_engines-reset.patch b/queue-5.4/drm-i915-gvt-separate-display-reset-from-all_engines-reset.patch
new file mode 100644
index 00000000000..cd4d4c516f4
--- /dev/null
+++ b/queue-5.4/drm-i915-gvt-separate-display-reset-from-all_engines-reset.patch
@@ -0,0 +1,93 @@
+From 3eb55e6f753a379e293395de8d5f3be28351a7f8 Mon Sep 17 00:00:00 2001
+From: Tina Zhang
+Date: Fri, 21 Feb 2020 10:32:34 +0800
+Subject: drm/i915/gvt: Separate display reset from ALL_ENGINES reset
+
+From: Tina Zhang
+
+commit 3eb55e6f753a379e293395de8d5f3be28351a7f8 upstream.
+
+ALL_ENGINES reset doesn't clobber display with the current gvt-g
+supported platforms. Thus ALL_ENGINES reset shouldn't reset the
+display engine registers emulated by gvt-g.
+
+This fixes guest warning like
+
+[ 14.622026] [drm] Initialized i915 1.6.0 20200114 for 0000:00:03.0 on minor 0
+[ 14.967917] fbcon: i915drmfb (fb0) is primary device
+[ 25.100188] [drm:drm_atomic_helper_wait_for_dependencies [drm_kms_helper]] E RROR [CRTC:51:pipe A] flip_done timed out
+[ 25.100860] -----------[ cut here ]-----------
+[ 25.100861] pll on state mismatch (expected 0, found 1)
+[ 25.101024] WARNING: CPU: 1 PID: 30 at drivers/gpu/drm/i915/display/intel_dis play.c:14382 verify_single_dpll_state.isra.115+0x28f/0x320 [i915]
+[ 25.101025] Modules linked in: intel_rapl_msr intel_rapl_common kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel i915 aesni_intel cr ypto_simd cryptd glue_helper cec rc_core video drm_kms_helper joydev drm input_l eds i2c_algo_bit serio_raw fb_sys_fops syscopyarea sysfillrect sysimgblt mac_hid qemu_fw_cfg sch_fq_codel parport_pc ppdev lp parport ip_tables x_tables autofs4 e1000 psmouse i2c_piix4 pata_acpi floppy
+[ 25.101052] CPU: 1 PID: 30 Comm: kworker/u4:1 Not tainted 5.5.0+ #1
+[ 25.101053] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1 .12.1-0-ga5cab58 04/01/2014
+[ 25.101055] Workqueue: events_unbound async_run_entry_fn
+[ 25.101092] RIP: 0010:verify_single_dpll_state.isra.115+0x28f/0x320 [i915]
+[ 25.101093] Code: e0 d9 ff e9 a3 fe ff ff 80 3d e9 c2 11 00 00 44 89 f6 48 c7 c7 c0 9d 88 c0 75 3b e8 eb df d9 ff e9 c7 fe ff ff e8 d1 e0 ae c4 <0f> 0b e9 7a fe ff ff 80 3d c0 c2 11 00 00 8d 71 41 89 c2 48 c7 c7
+[ 25.101093] RSP: 0018:ffffb1de80107878 EFLAGS: 00010286
+[ 25.101094] RAX: 0000000000000000 RBX: ffffb1de80107884 RCX: 0000000000000007
+[ 25.101095] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff94fdfdd19740
+[ 25.101095] RBP: ffffb1de80107938 R08: 0000000d6bfdc7b4 R09: 000000000000002b
+[ 25.101096] R10: ffff94fdf82dc000 R11: 0000000000000225 R12: 00000000000001f8
+[ 25.101096] R13: ffff94fdb3ca6a90 R14: ffff94fdb3ca0000 R15: 0000000000000000
+[ 25.101097] FS: 0000000000000000(0000) GS:ffff94fdfdd00000(0000) knlGS:00000 00000000000
+[ 25.101098] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 25.101098] CR2: 00007fbc3e2be9c8 CR3: 000000003339a003 CR4: 0000000000360ee0
+[ 25.101101] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 25.101101] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 25.101102] Call Trace:
+[ 25.101139] intel_atomic_commit_tail+0xde4/0x1520 [i915]
+[ 25.101141] ? flush_workqueue_prep_pwqs+0xfa/0x130
+[ 25.101142] ? flush_workqueue+0x198/0x3c0
+[ 25.101174] intel_atomic_commit+0x2ad/0x320 [i915]
+[ 25.101209] drm_atomic_commit+0x4a/0x50 [drm]
+[ 25.101220] drm_client_modeset_commit_atomic+0x1c4/0x200 [drm]
+[ 25.101231] drm_client_modeset_commit_force+0x47/0x170 [drm]
+[ 25.101250] drm_fb_helper_restore_fbdev_mode_unlocked+0x4e/0xa0 [drm_kms_hel per]
+[ 25.101255] drm_fb_helper_set_par+0x2d/0x60 [drm_kms_helper]
+[ 25.101287] intel_fbdev_set_par+0x1a/0x40 [i915]
+[ 25.101289] ? con_is_visible+0x2e/0x60
+[ 25.101290] fbcon_init+0x378/0x600
+[ 25.101292] visual_init+0xd5/0x130
+[ 25.101296] do_bind_con_driver+0x217/0x430
+[ 25.101297] do_take_over_console+0x7d/0x1b0
+[ 25.101298] do_fbcon_takeover+0x5c/0xb0
+[ 25.101299] fbcon_fb_registered+0x199/0x1a0
+[ 25.101301] register_framebuffer+0x22c/0x330
+[ 25.101306] __drm_fb_helper_initial_config_and_unlock+0x31a/0x520 [drm_kms_h elper]
+[ 25.101311] drm_fb_helper_initial_config+0x35/0x40 [drm_kms_helper]
+[ 25.101341] intel_fbdev_initial_config+0x18/0x30 [i915]
+[ 25.101342] async_run_entry_fn+0x3c/0x150
+[ 25.101343] process_one_work+0x1fd/0x3f0
+[ 25.101344] worker_thread+0x34/0x410
+[ 25.101346] kthread+0x121/0x140
+[ 25.101346] ? process_one_work+0x3f0/0x3f0
+[ 25.101347] ? kthread_park+0x90/0x90
+[ 25.101350] ret_from_fork+0x35/0x40
+[ 25.101351] --[ end trace b5b47d44cd998ba1 ]--
+
+Fixes: 6294b61ba769 ("drm/i915/gvt: add missing display part reset for vGPU reset")
+Signed-off-by: Tina Zhang
+Reviewed-by: Zhenyu Wang
+Signed-off-by: Zhenyu Wang
+Link: http://patchwork.freedesktop.org/patch/msgid/20200221023234.28635-1-tina.zhang@intel.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/i915/gvt/vgpu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/gvt/vgpu.c
++++ b/drivers/gpu/drm/i915/gvt/vgpu.c
+@@ -560,9 +560,9 @@ void intel_gvt_reset_vgpu_locked(struct
+
+ intel_vgpu_reset_mmio(vgpu, dmlr);
+ populate_pvinfo_page(vgpu);
+- intel_vgpu_reset_display(vgpu);
+
+ if (dmlr) {
++ intel_vgpu_reset_display(vgpu);
+ intel_vgpu_reset_cfg_space(vgpu);
+ /* only reset the failsafe mode when dmlr reset */
+ vgpu->failsafe = false;
diff --git a/queue-5.4/hid-alps-fix-an-error-handling-path-in-alps_input_configured.patch b/queue-5.4/hid-alps-fix-an-error-handling-path-in-alps_input_configured.patch
new file mode 100644
index 00000000000..6251821d0e4
--- /dev/null
+++ b/queue-5.4/hid-alps-fix-an-error-handling-path-in-alps_input_configured.patch
@@ -0,0 +1,36 @@
+From 8d2e77b39b8fecb794e19cd006a12f90b14dd077 Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET
+Date: Wed, 4 Dec 2019 04:35:25 +0100
+Subject: HID: alps: Fix an error handling path in 'alps_input_configured()'
+
+From: Christophe JAILLET
+
+commit 8d2e77b39b8fecb794e19cd006a12f90b14dd077 upstream.
+
+They are issues:
+ - if 'input_allocate_device()' fails and return NULL, there is no need
+ to free anything and 'input_free_device()' call is a no-op. It can
+ be axed.
+ - 'ret' is known to be 0 at this point, so we must set it to a
+ meaningful value before returning
+
+Fixes: 2562756dde55 ("HID: add Alps I2C HID Touchpad-Stick support")
+Signed-off-by: Christophe JAILLET
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hid/hid-alps.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-alps.c
++++ b/drivers/hid/hid-alps.c
+@@ -730,7 +730,7 @@ static int alps_input_configured(struct
+ if (data->has_sp) {
+ input2 = input_allocate_device();
+ if (!input2) {
+- input_free_device(input2);
++ ret = -ENOMEM;
+ goto exit;
+ }
+
diff --git a/queue-5.4/hid-hiddev-fix-race-in-in-hiddev_disconnect.patch b/queue-5.4/hid-hiddev-fix-race-in-in-hiddev_disconnect.patch
new file mode 100644
index 00000000000..3c2e20420a8
--- /dev/null
+++ b/queue-5.4/hid-hiddev-fix-race-in-in-hiddev_disconnect.patch
@@ -0,0 +1,39 @@
+From 5c02c447eaeda29d3da121a2e17b97ccaf579b51 Mon Sep 17 00:00:00 2001
+From: "dan.carpenter@oracle.com"
+Date: Wed, 15 Jan 2020 20:46:28 +0300
+Subject: HID: hiddev: Fix race in in hiddev_disconnect()
+
+From: dan.carpenter@oracle.com
+
+commit 5c02c447eaeda29d3da121a2e17b97ccaf579b51 upstream.
+
+Syzbot reports that "hiddev" is used after it's free in hiddev_disconnect().
+The hiddev_disconnect() function sets "hiddev->exist = 0;" so
+hiddev_release() can free it as soon as we drop the "existancelock"
+lock. This patch moves the mutex_unlock(&hiddev->existancelock) until
+after we have finished using it.
+
+Reported-by: syzbot+784ccb935f9900cc7c9e@syzkaller.appspotmail.com
+Fixes: 7f77897ef2b6 ("HID: hiddev: fix potential use-after-free")
+Suggested-by: Alan Stern
+Signed-off-by: Dan Carpenter
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hid/usbhid/hiddev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hid/usbhid/hiddev.c
++++ b/drivers/hid/usbhid/hiddev.c
+@@ -941,9 +941,9 @@ void hiddev_disconnect(struct hid_device
+ hiddev->exist = 0;
+
+ if (hiddev->open) {
+- mutex_unlock(&hiddev->existancelock);
+ hid_hw_close(hiddev->hid);
+ wake_up_interruptible(&hiddev->wait);
++ mutex_unlock(&hiddev->existancelock);
+ } else {
+ mutex_unlock(&hiddev->existancelock);
+ kfree(hiddev);
diff --git a/queue-5.4/hv_netvsc-fix-unwanted-wakeup-in-netvsc_attach.patch b/queue-5.4/hv_netvsc-fix-unwanted-wakeup-in-netvsc_attach.patch
new file mode 100644
index 00000000000..348ab274b44
--- /dev/null
+++ b/queue-5.4/hv_netvsc-fix-unwanted-wakeup-in-netvsc_attach.patch
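Review bot: The relocated `mutex_unlock(&hiddev->existancelock);` in the open branch of hiddev_disconnect() carries no comment explaining why it has to be the last statement, and that ordering is the entire fix. Per the commit message, once `hiddev->exist = 0` is set hiddev_release() can free hiddev as soon as the lock is dropped, so a later cleanup that hoists the unlock again would reintroduce the use-after-free. I would add above the unlock: `/* hiddev_release() may free hiddev once exist == 0 and the lock is dropped; unlock last */`. The function body starts and ends outside the hunk.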
@@ -0,0 +1,64 @@
+From f6f13c125e05603f68f5bf31f045b95e6d493598 Mon Sep 17 00:00:00 2001
+From: Haiyang Zhang
+Date: Fri, 21 Feb 2020 08:32:18 -0800
+Subject: hv_netvsc: Fix unwanted wakeup in netvsc_attach()
+
+From: Haiyang Zhang
+
+commit f6f13c125e05603f68f5bf31f045b95e6d493598 upstream.
+
+When netvsc_attach() is called by operations like changing MTU, etc.,
+an extra wakeup may happen while netvsc_attach() calling
+rndis_filter_device_add() which sends rndis messages when queue is
+stopped in netvsc_detach(). The completion message will wake up queue 0.
+
+We can reproduce the issue by changing MTU etc., then the wake_queue
+counter from "ethtool -S" will increase beyond stop_queue counter:
+ stop_queue: 0
+ wake_queue: 1
+The issue causes queue wake up, and counter increment, no other ill
+effects in current code. So we didn't see any network problem for now.
+
+To fix this, initialize tx_disable to true, and set it to false when
+the NIC is ready to be attached or registered.
+
+Fixes: 7b2ee50c0cd5 ("hv_netvsc: common detach logic")
+Signed-off-by: Haiyang Zhang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/hyperv/netvsc.c | 2 +-
+ drivers/net/hyperv/netvsc_drv.c | 3 +++
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/hyperv/netvsc.c
++++ b/drivers/net/hyperv/netvsc.c
+@@ -99,7 +99,7 @@ static struct netvsc_device *alloc_net_d
+
+ init_waitqueue_head(&net_device->wait_drain);
+ net_device->destroy = false;
+- net_device->tx_disable = false;
++ net_device->tx_disable = true;
+
+ net_device->max_pkt = RNDIS_MAX_PKT_DEFAULT;
+ net_device->pkt_align = RNDIS_PKT_ALIGN_DEFAULT;
+--- a/drivers/net/hyperv/netvsc_drv.c
++++ b/drivers/net/hyperv/netvsc_drv.c
+@@ -973,6 +973,7 @@ static int netvsc_attach(struct net_devi
+ }
+
+ /* In any case device is now ready */
++ nvdev->tx_disable = false;
+ netif_device_attach(ndev);
+
+ /* Note: enable and attach happen when sub-channels setup */
+@@ -2350,6 +2351,8 @@ static int netvsc_probe(struct hv_device
+ else
+ net->max_mtu = ETH_DATA_LEN;
+
++ nvdev->tx_disable = false;
++
+ ret = register_netdevice(net);
+ if (ret != 0) {
+ pr_err("Unable to register netdev.\n");
diff --git a/queue-5.4/i2c-altera-fix-potential-integer-overflow.patch b/queue-5.4/i2c-altera-fix-potential-integer-overflow.patch
new file mode 100644
index 00000000000..e9ec923e98f
--- /dev/null
+++ b/queue-5.4/i2c-altera-fix-potential-integer-overflow.patch
@@ -0,0 +1,38 @@
+From 54498e8070e19e74498a72c7331348143e7e1f8c Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva"
+Date: Tue, 11 Feb 2020 08:47:04 -0600
+Subject: i2c: altera: Fix potential integer overflow
+
+From: Gustavo A. R. Silva
+
+commit 54498e8070e19e74498a72c7331348143e7e1f8c upstream.
+
+Factor out 100 from the equation and do 32-bit arithmetic (3 * clk_mhz / 10)
+instead of 64-bit.
+
+Notice that clk_mhz is MHz, so the multiplication will never wrap 32 bits
+and there is no need for div_u64().
+
+Addresses-Coverity: 1458369 ("Unintentional integer overflow")
+Fixes: 0560ad576268 ("i2c: altera: Add Altera I2C Controller driver")
+Suggested-by: David Laight
+Signed-off-by: Gustavo A. R. Silva
+Reviewed-by: Thor Thayer
+Signed-off-by: Wolfram Sang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/i2c/busses/i2c-altera.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-altera.c
++++ b/drivers/i2c/busses/i2c-altera.c
+@@ -171,7 +171,7 @@ static void altr_i2c_init(struct altr_i2
+ /* SCL Low Time */
+ writel(t_low, idev->base + ALTR_I2C_SCL_LOW);
+ /* SDA Hold Time, 300ns */
+- writel(div_u64(300 * clk_mhz, 1000), idev->base + ALTR_I2C_SDA_HOLD);
++ writel(3 * clk_mhz / 10, idev->base + ALTR_I2C_SDA_HOLD);
+
+ /* Mask all master interrupt bits */
+ altr_i2c_int_enable(idev, ALTR_I2C_ALL_IRQ, false);
diff --git a/queue-5.4/i2c-jz4780-silence-log-flood-on-txabrt.patch b/queue-5.4/i2c-jz4780-silence-log-flood-on-txabrt.patch
new file mode 100644
index 00000000000..54ca97fd51a
--- /dev/null
+++ b/queue-5.4/i2c-jz4780-silence-log-flood-on-txabrt.patch
@@ -0,0 +1,76 @@
+From 9e661cedcc0a072d91a32cb88e0515ea26e35711 Mon Sep 17 00:00:00 2001
+From: Wolfram Sang
+Date: Wed, 12 Feb 2020 10:35:30 +0100
+Subject: i2c: jz4780: silence log flood on txabrt
+
+From: Wolfram Sang
+
+commit 9e661cedcc0a072d91a32cb88e0515ea26e35711 upstream.
+
+The printout for txabrt is way too talkative and is highly annoying with
+scanning programs like 'i2cdetect'. Reduce it to the minimum, the rest
+can be gained by I2C core debugging and datasheet information. Also,
+make it a debug printout, it won't help the regular user.
+
+Fixes: ba92222ed63a ("i2c: jz4780: Add i2c bus controller driver for Ingenic JZ4780")
+Reported-by: H. Nikolaus Schaller
+Tested-by: H. Nikolaus Schaller
+Signed-off-by: Wolfram Sang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/i2c/busses/i2c-jz4780.c | 36 ++----------------------------------
+ 1 file changed, 2 insertions(+), 34 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-jz4780.c
++++ b/drivers/i2c/busses/i2c-jz4780.c
+@@ -73,25 +73,6 @@
+ #define JZ4780_I2C_STA_TFNF BIT(1)
+ #define JZ4780_I2C_STA_ACT BIT(0)
+
+-static const char * const jz4780_i2c_abrt_src[] = {
+- "ABRT_7B_ADDR_NOACK",
+- "ABRT_10ADDR1_NOACK",
+- "ABRT_10ADDR2_NOACK",
+- "ABRT_XDATA_NOACK",
+- "ABRT_GCALL_NOACK",
+- "ABRT_GCALL_READ",
+- "ABRT_HS_ACKD",
+- "SBYTE_ACKDET",
+- "ABRT_HS_NORSTRT",
+- "SBYTE_NORSTRT",
+- "ABRT_10B_RD_NORSTRT",
+- "ABRT_MASTER_DIS",
+- "ARB_LOST",
+- "SLVFLUSH_TXFIFO",
+- "SLV_ARBLOST",
+- "SLVRD_INTX",
+-};
+-
+ #define JZ4780_I2C_INTST_IGC BIT(11)
+ #define JZ4780_I2C_INTST_ISTT BIT(10)
+ #define JZ4780_I2C_INTST_ISTP BIT(9)
+@@ -529,21 +510,8 @@ done:
+
+ static void jz4780_i2c_txabrt(struct jz4780_i2c *i2c, int src)
+ {
+- int i;
+-
+- dev_err(&i2c->adap.dev, "txabrt: 0x%08x\n", src);
+- dev_err(&i2c->adap.dev, "device addr=%x\n",
+- jz4780_i2c_readw(i2c, JZ4780_I2C_TAR));
+- dev_err(&i2c->adap.dev, "send cmd count:%d %d\n",
+- i2c->cmd, i2c->cmd_buf[i2c->cmd]);
+- dev_err(&i2c->adap.dev, "receive data count:%d %d\n",
+- i2c->cmd, i2c->data_buf[i2c->cmd]);
+-
+- for (i = 0; i < 16; i++) {
+- if (src & BIT(i))
+- dev_dbg(&i2c->adap.dev, "I2C TXABRT[%d]=%s\n",
+- i, jz4780_i2c_abrt_src[i]);
+- }
++ dev_dbg(&i2c->adap.dev, "txabrt: 0x%08x, cmd: %d, send: %d, recv: %d\n",
++ src, i2c->cmd, i2c->cmd_buf[i2c->cmd], i2c->data_buf[i2c->cmd]);
+ }
+
+ static inline int jz4780_i2c_xfer_read(struct jz4780_i2c *i2c,
diff --git a/queue-5.4/kbuild-fix-dt-binding-schema-rule-to-detect-command-line-changes.patch b/queue-5.4/kbuild-fix-dt-binding-schema-rule-to-detect-command-line-changes.patch
new file mode 100644
index 00000000000..2835146b58e
--- /dev/null
+++ b/queue-5.4/kbuild-fix-dt-binding-schema-rule-to-detect-command-line-changes.patch
@@ -0,0 +1,46 @@
+From 7a04960560640ac5b0b89461f7757322b57d0c7a Mon Sep 17 00:00:00 2001
+From: Masahiro Yamada
+Date: Sun, 23 Feb 2020 04:04:31 +0900
+Subject: kbuild: fix DT binding schema rule to detect command line changes
+
+From: Masahiro Yamada
+
+commit 7a04960560640ac5b0b89461f7757322b57d0c7a upstream.
+
+This if_change_rule is not working properly; it cannot detect any
+command line change.
+
+The reason is because cmd-check in scripts/Kbuild.include compares
+$(cmd_$@) and $(cmd_$1), but cmd_dtc_dt_yaml does not exist here.
+
+For if_change_rule to work properly, the stem part of cmd_* and rule_*
+must match. Because this cmd_and_fixdep invokes cmd_dtc, this rule must
+be named rule_dtc.
+
+Fixes: 4f0e3a57d6eb ("kbuild: Add support for DT binding schema checks")
+Signed-off-by: Masahiro Yamada
+Acked-by: Rob Herring
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ scripts/Makefile.lib | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/scripts/Makefile.lib
++++ b/scripts/Makefile.lib
+@@ -305,13 +305,13 @@ DT_TMP_SCHEMA := $(objtree)/$(DT_BINDING
+ quiet_cmd_dtb_check = CHECK $@
+ cmd_dtb_check = $(DT_CHECKER) -u $(srctree)/$(DT_BINDING_DIR) -p $(DT_TMP_SCHEMA) $@ ;
+
+-define rule_dtc_dt_yaml
++define rule_dtc
+ $(call cmd_and_fixdep,dtc,yaml)
+ $(call cmd,dtb_check)
+ endef
+
+ $(obj)/%.dt.yaml: $(src)/%.dts $(DTC) $(DT_TMP_SCHEMA) FORCE
+- $(call if_changed_rule,dtc_dt_yaml)
++ $(call if_changed_rule,dtc)
+
+ dtc-tmp = $(subst $(comma),_,$(dot-target).dts.tmp)
+
diff --git a/queue-5.4/mac80211-remove-a-redundant-mutex-unlock.patch b/queue-5.4/mac80211-remove-a-redundant-mutex-unlock.patch
new file mode 100644
index 00000000000..9a22873bbc6
--- /dev/null
+++ b/queue-5.4/mac80211-remove-a-redundant-mutex-unlock.patch
@@ -0,0 +1,48 @@
+From 0daa63ed4c6c4302790ce67b7a90c0997ceb7514 Mon Sep 17 00:00:00 2001
+From: Andrei Otcheretianski
+Date: Fri, 21 Feb 2020 10:47:20 +0100
+Subject: mac80211: Remove a redundant mutex unlock
+
+From: Andrei Otcheretianski
+
+commit 0daa63ed4c6c4302790ce67b7a90c0997ceb7514 upstream.
+
+The below-mentioned commit changed the code to unlock *inside*
+the function, but previously the unlock was *outside*. It failed
+to remove the outer unlock, however, leading to double unlock.
+
+Fix this.
+
+Fixes: 33483a6b88e4 ("mac80211: fix missing unlock on error in ieee80211_mark_sta_auth()")
+Signed-off-by: Andrei Otcheretianski
+Link: https://lore.kernel.org/r/20200221104719.cce4741cf6eb.I671567b185c8a4c2409377e483fd149ce590f56d@changeid
+[rewrite commit message to better explain what happened]
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/mlme.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -2959,7 +2959,7 @@ static void ieee80211_rx_mgmt_auth(struc
+ (auth_transaction == 2 &&
+ ifmgd->auth_data->expected_transaction == 2)) {
+ if (!ieee80211_mark_sta_auth(sdata, bssid))
+- goto out_err;
++ return; /* ignore frame -- wait for timeout */
+ } else if (ifmgd->auth_data->algorithm == WLAN_AUTH_SAE &&
+ auth_transaction == 2) {
+ sdata_info(sdata, "SAE peer confirmed\n");
+@@ -2967,10 +2967,6 @@ static void ieee80211_rx_mgmt_auth(struc
+ }
+
+ cfg80211_rx_mlme_mgmt(sdata->dev, (u8 *)mgmt, len);
+- return;
+- out_err:
+- mutex_unlock(&sdata->local->sta_mtx);
+- /* ignore frame -- wait for timeout */
+ }
+
+ #define case_WLAN(type) \
diff --git a/queue-5.4/mips-vpe-fix-a-double-free-and-a-memory-leak-in-release_vpe.patch b/queue-5.4/mips-vpe-fix-a-double-free-and-a-memory-leak-in-release_vpe.patch
new file mode 100644
index 00000000000..7d8ed6c2a47
--- /dev/null
+++ b/queue-5.4/mips-vpe-fix-a-double-free-and-a-memory-leak-in-release_vpe.patch
@@ -0,0 +1,42 @@
+From bef8e2dfceed6daeb6ca3e8d33f9c9d43b926580 Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET
+Date: Sun, 2 Feb 2020 21:19:22 +0100
+Subject: MIPS: VPE: Fix a double free and a memory leak in 'release_vpe()'
+
+From: Christophe JAILLET
+
+commit bef8e2dfceed6daeb6ca3e8d33f9c9d43b926580 upstream.
+
+Pointer on the memory allocated by 'alloc_progmem()' is stored in
+'v->load_addr'. So this is this memory that should be freed by
+'release_progmem()'.
+
+'release_progmem()' is only a call to 'kfree()'.
+
+With the current code, there is both a double free and a memory leak.
+Fix it by passing the correct pointer to 'release_progmem()'.
+
+Fixes: e01402b115ccc ("More AP / SP bits for the 34K, the Malta bits and things. Still wants")
+Signed-off-by: Christophe JAILLET
+Signed-off-by: Paul Burton
+Cc: ralf@linux-mips.org
+Cc: linux-mips@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Cc: kernel-janitors@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/kernel/vpe.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/kernel/vpe.c
++++ b/arch/mips/kernel/vpe.c
+@@ -134,7 +134,7 @@ void release_vpe(struct vpe *v)
+ {
+ list_del(&v->list);
+ if (v->load_addr)
+- release_progmem(v);
++ release_progmem(v->load_addr);
+ kfree(v);
+ }
+
diff --git a/queue-5.4/nl80211-fix-potential-leak-in-ap-start.patch b/queue-5.4/nl80211-fix-potential-leak-in-ap-start.patch
new file mode 100644
index 00000000000..ad93d82aebd
--- /dev/null
+++ b/queue-5.4/nl80211-fix-potential-leak-in-ap-start.patch
@@ -0,0 +1,42 @@
+From 9951ebfcdf2b97dbb28a5d930458424341e61aa2 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Fri, 21 Feb 2020 10:41:43 +0100
+Subject: nl80211: fix potential leak in AP start
+
+From: Johannes Berg
+
+commit 9951ebfcdf2b97dbb28a5d930458424341e61aa2 upstream.
+
+If nl80211_parse_he_obss_pd() fails, we leak the previously
+allocated ACL memory. Free it in this case.
+
+Fixes: 796e90f42b7e ("cfg80211: add support for parsing OBBS_PD attributes")
+Signed-off-by: Johannes Berg
+Link: https://lore.kernel.org/r/20200221104142.835aba4cdd14.I1923b55ba9989c57e13978f91f40bfdc45e60cbd@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/wireless/nl80211.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -4795,8 +4795,7 @@ static int nl80211_start_ap(struct sk_bu
+ err = nl80211_parse_he_obss_pd(
+ info->attrs[NL80211_ATTR_HE_OBSS_PD],
+ ¶ms.he_obss_pd);
+- if (err)
+- return err;
++ goto out;
+ }
+
+ nl80211_calculate_ap_params(¶ms);
+@@ -4818,6 +4817,7 @@ static int nl80211_start_ap(struct sk_bu
+ }
+ wdev_unlock(wdev);
+
++out:
+ kfree(params.acl);
+
+ return err;
diff --git a/queue-5.4/series b/queue-5.4/series
index ae8e64bfc45..1c96c586a3e 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
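Review bot: The queued nl80211_start_ap() change drops the `if (err)` guard together with `return err;`, so the new `goto out;` runs unconditionally after nl80211_parse_he_obss_pd(); the patch's own diffstat (2 insertions, 2 deletions) confirms the guard is gone. On a successful parse err is 0, and the function appears to jump straight to `kfree(params.acl)` and return success without reaching nl80211_calculate_ap_params() or the rest of the start path, so a request that takes this branch would report success while the AP is never started. Keep the guard, `if (err)` followed by `goto out;`, which still fixes the ACL leak described in the commit message. The enclosing condition and the code between the two inner hunks are outside the hunk, so confirm this against the full function before the patch goes into the 5.4 queue.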
@@ -89,3 +89,14 @@ net-smc-transfer-fasync_list-in-case-of-fallback.patch
 vhost-check-docket-sk_family-instead-of-call-getname.patch
 netfilter-ipset-fix-forceadd-evaluation-path.patch
 netfilter-xt_hashlimit-reduce-hashlimit_mutex-scope-for-htable_put.patch
+hid-alps-fix-an-error-handling-path-in-alps_input_configured.patch
+hid-hiddev-fix-race-in-in-hiddev_disconnect.patch
+mips-vpe-fix-a-double-free-and-a-memory-leak-in-release_vpe.patch
+i2c-altera-fix-potential-integer-overflow.patch
+i2c-jz4780-silence-log-flood-on-txabrt.patch
+drm-i915-gvt-fix-orphan-vgpu-dmabuf_objs-lifetime.patch
+drm-i915-gvt-separate-display-reset-from-all_engines-reset.patch
+nl80211-fix-potential-leak-in-ap-start.patch
+mac80211-remove-a-redundant-mutex-unlock.patch
+kbuild-fix-dt-binding-schema-rule-to-detect-command-line-changes.patch
+hv_netvsc-fix-unwanted-wakeup-in-netvsc_attach.patch
--
2.47.3