From 40cbd4e72b6f2f7879ad02103eb9fbbe8f296039 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sat, 13 Aug 2022 16:26:04 -0400 Subject: [PATCH] Fixes for 4.19 Signed-off-by: Sasha Levin --- ...uplicate-thinkpad-x1-carbon-6th-entr.patch | 42 +++++ ...ssing-check-in-register_device_clock.patch | 36 +++++ ...pm-save-nvs-memory-for-lenovo-g40-45.patch | 44 +++++ ...x-refcount-leak-in-bcm_kona_smc_init.patch | 36 +++++ ...dts-ast2500-evb-fix-board-compatible.patch | 35 ++++ ...x6ul-add-missing-properties-for-sram.patch | 39 +++++ ...hange-operating-points-to-uint32-mat.patch | 63 ++++++++ ...dts-imx6ul-fix-lcdif-node-compatible.patch | 42 +++++ ...-dts-imx6ul-fix-qspi-node-compatible.patch | 42 +++++ ...841-add-required-thermal-sensor-cell.patch | 35 ++++ .../arm-findbit-fix-overflowing-offset.patch | 76 +++++++++ ...-omap2-display-fix-refcount-leak-bug.patch | 36 +++++ ...fcount-leak-in-omap3xxx_prm_late_ini.patch | 37 +++++ ...get-syscall-when-starting-a-new-thre.patch | 40 +++++ ...-dts-qcom-ipq8074-fix-nand-node-name.patch | 37 +++++ ...sm8916-fix-typo-in-pronto-remoteproc.patch | 42 +++++ ...n-concurrently-setting-insn_emulatio.patch | 93 +++++++++++ ...-da7210-add-check-for-i2c_add_driver.patch | 41 +++++ ...8173-fix-refcount-leak-in-mt8173_rt5.patch | 67 ++++++++ ...8173-rt5650-fix-refcount-leak-in-mt8.patch | 67 ++++++++ ...51-fix-refcount-leak-in-mt6797_mt635.patch | 49 ++++++ ...fix-an-off-by-one-in-q6adm_alloc_cop.patch | 37 +++++ ...o-not-enforce-interrupt-trigger-type.patch | 58 +++++++ ...se-after-free-in-ath9k_hif_usb_rx_cb.patch | 94 +++++++++++ ...tel-add-check-for-platform_driver_re.patch | 41 +++++ ...-missing-platform_device_put-in-hisi.patch | 75 +++++++++ ...y-the-values-of-data-5.7-of-can-erro.patch | 49 ++++++ ...t-report-txerr-and-rxerr-during-bus-.patch | 47 ++++++ ...ydra-do-not-report-txerr-and-rxerr-d.patch | 55 +++++++ ...eaf-do-not-report-txerr-and-rxerr-du.patch | 42 +++++ ...ot-report-txerr-and-rxerr-during-bus.patch | 48 ++++++ ...can_error-initialize-errc-before-usi.patch | 58 +++++++ ...not-report-txerr-and-rxerr-during-bu.patch | 51 ++++++ ...ot-report-txerr-and-rxerr-during-bus.patch | 49 ++++++ ...-not-report-txerr-and-rxerr-during-b.patch | 52 ++++++ ...not-report-txerr-and-rxerr-during-bu.patch | 42 +++++ ...pq8074-fix-nss-port-frequency-tables.patch | 76 +++++++++ ...-set-branch_halt_delay-flag-for-ubi-.patch | 113 +++++++++++++ ...sas-r9a06g032-fix-uart-clkgrp-bitsel.patch | 54 +++++++ ...x-refcount-leak-in-zynq_get_revision.patch | 37 +++++ ...-kunpeng916-crypto-driver-don-t-slee.patch | 97 +++++++++++ ...olicy_full-and-dccp_qpolicy_push-in-.patch | 71 +++++++++ ...from-dm_pr_call-if-dm-device-is-susp.patch | 38 +++++ ...11-add-check-for-mipi_dsi_driver_reg.patch | 57 +++++++ ...idge-sii8620-fix-possible-off-by-one.patch | 52 ++++++ ...-pull-down-mipi-operation-in-mtk_dsi.patch | 49 ++++++ ...atek-dpi-remove-output-format-of-yuv.patch | 73 +++++++++ ...ble-core-vcc-core-vdda-supply-for-89.patch | 40 +++++ ...m-mdp5-fix-global-state-lock-backoff.patch | 85 ++++++++++ ...otential-buffer-overflow-in-ni_set_m.patch | 61 +++++++ ...-don-t-crash-for-invalid-duplicate_s.patch | 42 +++++ ...dsi-correct-dsi-divider-calculations.patch | 51 ++++++ ...ore-validity-checks-for-inode-counts.patch | 55 +++++++ ...m-seed-of-tmp_inode-after-migrating-.patch | 76 +++++++++ ...p-fix-unsigned-comparison-with-less-.patch | 40 +++++ ...seek-to-control-internal-pipe-splici.patch | 58 +++++++ ...libcrypto_support-not-the-never-defi.patch | 59 +++++++ ...enirq-generic_irq_ipi-depends-on-smp.patch | 51 ++++++ ...fix-refcount-bugs-in-of_mm_gpiochip_.patch | 53 +++++++ ...ps-declare-u1_unicorn_legacy-support.patch | 36 +++++ ...ent-a-buffer-overflow-in-cp2112_xfer.patch | 47 ++++++ ...wrong-assumptions-in-device-remove-c.patch | 78 +++++++++ ...nce-support-pec-for-smbus-block-read.patch | 77 +++++++++ .../i2c-fix-a-potential-use-after-free.patch | 40 +++++ ...d-of_node_put-when-breaking-out-of-l.patch | 37 +++++ ...com_iommu-add-of_node_put-when-break.patch | 45 ++++++ ...dle-failed-iommu-device-registration.patch | 51 ++++++ ...on-jh-b_frozen_data-null-failure-whe.patch | 110 +++++++++++++ .../kfifo-fix-kfifo_to_user-return-type.patch | 44 +++++ ...robing-on-trampoline-and-bpf-code-ar.patch | 52 ++++++ .../libbpf-fix-the-name-of-a-reused-map.patch | 74 +++++++++ ...ix-error-value-returns-in-hdpvr_read.patch | 44 +++++ ...tk-mdp-fix-mdp_ipi_comm-structure-al.patch | 57 +++++++ ...register-the-irq-at-the-end-of-probe.patch | 82 ++++++++++ ...c80211-fix-missing-of_node_put-in-mt.patch | 36 +++++ .../memstick-ms_block-fix-a-memory-leak.patch | 39 +++++ ...k-fix-some-incorrect-memory-allocati.patch | 65 ++++++++ ...-fix-refcount-leak-in-meson_mx_socin.patch | 38 +++++ ...l66xb-drop-platform-disable-callback.patch | 70 ++++++++ ...-error-handling-path-in-rtsx_pci_pro.patch | 51 ++++++ ...ssing-call-to-vm_unacct_memory-in-mm.patch | 40 +++++ ...n-add-of_node_put-when-breaking-out-.patch | 38 +++++ ...erx-add-of_node_put-when-breaking-ou.patch | 42 +++++ ...1-fix-set_uhs_signaling-rewriting-of.patch | 48 ++++++ ...hc-fix-refcount-leak-in-esdhc_signal.patch | 38 +++++ ...s-fix-refcount-leak-in-ap_flash_init.patch | 38 +++++ ...count-leak-in-of_flash_probe_versati.patch | 38 +++++ ...eadlock-caused-by-cancel_work_sync-i.patch | 53 +++++++ ...dd-a-clk_disable_unprepare-in-.probe.patch | 49 ++++++ ...x-the-value-of-mlx5e_max_rq_num_mtts.patch | 40 +++++ ...et-rose-fix-netdev-reference-changes.patch | 110 +++++++++++++ ...allocation-warnings-triggered-from-u.patch | 54 +++++++ ...les-add-rescheduling-points-during-l.patch | 53 +++++++ ...rt-fix-missed-tick-reenabling-bug-in.patch | 118 ++++++++++++++ ...x-ida-error-handling-in-null_add_dev.patch | 62 ++++++++ ...t-disable-aer-reporting-in-get_port_.patch | 106 +++++++++++++ ...x-uninitialized-data-in-debugfs-writ.patch | 50 ++++++ ...er-device-probing-when-resuming-from.patch | 106 +++++++++++++ ...t-allow-selection-of-e5500-or-e6500-.patch | 48 ++++++ ...n_msi-fix-refcount-leak-in-setup_msi.patch | 37 +++++ ...-phb-numbering-when-using-opal-phbid.patch | 61 +++++++ ...er-pci-domain-assignment-via-dt-linu.patch | 88 ++++++++++ ...x-refcount-leak-in-spufs_init_isolat.patch | 38 +++++ ...x-refcount-leak-in-xive_get_max_prio.patch | 37 +++++ ...x-shift-too-large-makes-kernel-panic.patch | 91 +++++++++++ ...tential-memory-leak-in-setup_base_ct.patch | 45 ++++++ ...xe-fix-error-unwind-in-rxe_create_qp.patch | 69 ++++++++ ...-refcount-leak-bug-in-of_get_regulat.patch | 43 +++++ ...proc-qcom-wcnss-fix-handling-of-irqs.patch | 60 +++++++ ...ix-refcount-leak-in-qcom_smd_parse_e.patch | 36 +++++ ...ace-when-reading-from-hardware-syste.patch | 84 ++++++++++ ...2line-fix-vmlinux-detection-on-arm64.patch | 47 ++++++ ...-fix-dma-direction-for-raid-requests.patch | 68 ++++++++ ...-clocksource-switch-fix-passing-erro.patch | 43 +++++ ...-valid-adjtimex-build-fix-for-newer-.patch | 42 +++++ ...inux-add-boundary-check-in-put_entry.patch | 35 ++++ ...tore-lsr-into-lsr_saved_flags-in-dw8.patch | 54 +++++++ queue-4.19/series | 149 +++++++++++++++++ ...guts-machine-variable-might-be-unset.patch | 37 +++++ ...type-fix-remove-and-shutdown-support.patch | 54 +++++++ ...-fix-sleep-in-atomic-context-bug-in-.patch | 150 ++++++++++++++++++ ...smitted-skb-fit-into-the-send-window.patch | 112 +++++++++++++ ...on-include-pthread-and-time-headers-.patch | 62 ++++++++ ...hermal-fix-possible-path-truncations.patch | 109 +++++++++++++ queue-4.19/tty-n_gsm-fix-dm-command.patch | 42 +++++ ...x-missing-corner-cases-in-gsmld_poll.patch | 49 ++++++ ...n-flow-control-frames-during-mux-flo.patch | 116 ++++++++++++++ ...cket-re-transmission-without-open-co.patch | 40 +++++ ...sm-fix-race-condition-in-gsmld_write.patch | 62 ++++++++ ...sm-fix-wrong-t1-retry-count-handling.patch | 55 +++++++ ...adget-udc-amd5536-depends-on-has_dma.patch | 49 ++++++ ...fcount-leak-in-ehci_hcd_ppc_of_probe.patch | 38 +++++ ...-refcount-leak-in-ohci_hcd_nxp_probe.patch | 38 +++++ ...al-fix-tty-port-initialized-comments.patch | 66 ++++++++ ...change-fsm-state-in-subchannel-event.patch | 61 +++++++ ...dev-amba-clcd-fix-refcount-leak-bugs.patch | 82 ++++++++++ ...b-check-the-size-of-screen-before-me.patch | 50 ++++++ ...b-fix-a-divide-by-zero-bug-in-ark_se.patch | 59 +++++++ ...-check-the-size-of-screen-before-mem.patch | 49 ++++++ ...fbdev-sis-fix-typos-in-sis_getmodeid.patch | 47 ++++++ ...23fb-check-the-size-of-screen-before.patch | 50 ++++++ ...65-fix-potential-off-by-one-overflow.patch | 64 ++++++++ ...x-possible-refcount-leak-in-if_usb_p.patch | 37 +++++ ...add-missing-parentheses-in-p54_flush.patch | 45 ++++++ ...-error-handling-path-in-p54spi_probe.patch | 52 ++++++ ...-error-codes-in-rtl_debugfs_set_writ.patch | 57 +++++++ ...ugfs-fix-info-leak-in-wil_write_file.patch | 52 ++++++ ...ugfs-fix-uninitialized-variable-use-.patch | 59 +++++++ ...mask_available-instead-of-hardcoded-.patch | 76 +++++++++ ...x-platform-device-leak-in-error-path.patch | 41 +++++ 150 files changed, 8576 insertions(+) create mode 100644 queue-4.19/acpi-ec-remove-duplicate-thinkpad-x1-carbon-6th-entr.patch create mode 100644 queue-4.19/acpi-lpss-fix-missing-check-in-register_device_clock.patch create mode 100644 queue-4.19/acpi-pm-save-nvs-memory-for-lenovo-g40-45.patch create mode 100644 queue-4.19/arm-bcm-fix-refcount-leak-in-bcm_kona_smc_init.patch create mode 100644 queue-4.19/arm-dts-ast2500-evb-fix-board-compatible.patch create mode 100644 queue-4.19/arm-dts-imx6ul-add-missing-properties-for-sram.patch create mode 100644 queue-4.19/arm-dts-imx6ul-change-operating-points-to-uint32-mat.patch create mode 100644 queue-4.19/arm-dts-imx6ul-fix-lcdif-node-compatible.patch create mode 100644 queue-4.19/arm-dts-imx6ul-fix-qspi-node-compatible.patch create mode 100644 queue-4.19/arm-dts-qcom-pm8841-add-required-thermal-sensor-cell.patch create mode 100644 queue-4.19/arm-findbit-fix-overflowing-offset.patch create mode 100644 queue-4.19/arm-omap2-display-fix-refcount-leak-bug.patch create mode 100644 queue-4.19/arm-omap2-fix-refcount-leak-in-omap3xxx_prm_late_ini.patch create mode 100644 queue-4.19/arm64-do-not-forget-syscall-when-starting-a-new-thre.patch create mode 100644 queue-4.19/arm64-dts-qcom-ipq8074-fix-nand-node-name.patch create mode 100644 queue-4.19/arm64-dts-qcom-msm8916-fix-typo-in-pronto-remoteproc.patch create mode 100644 queue-4.19/arm64-fix-oops-in-concurrently-setting-insn_emulatio.patch create mode 100644 queue-4.19/asoc-codecs-da7210-add-check-for-i2c_add_driver.patch create mode 100644 queue-4.19/asoc-mediatek-mt8173-fix-refcount-leak-in-mt8173_rt5.patch create mode 100644 queue-4.19/asoc-mediatek-mt8173-rt5650-fix-refcount-leak-in-mt8.patch create mode 100644 queue-4.19/asoc-mt6797-mt6351-fix-refcount-leak-in-mt6797_mt635.patch create mode 100644 queue-4.19/asoc-qcom-q6dsp-fix-an-off-by-one-in-q6adm_alloc_cop.patch create mode 100644 queue-4.19/ath10k-do-not-enforce-interrupt-trigger-type.patch create mode 100644 queue-4.19/ath9k-fix-use-after-free-in-ath9k_hif_usb_rx_cb.patch create mode 100644 queue-4.19/bluetooth-hci_intel-add-check-for-platform_driver_re.patch create mode 100644 queue-4.19/bus-hisi_lpc-fix-missing-platform_device_put-in-hisi.patch create mode 100644 queue-4.19/can-error-specify-the-values-of-data-5.7-of-can-erro.patch create mode 100644 queue-4.19/can-hi311x-do-not-report-txerr-and-rxerr-during-bus-.patch create mode 100644 queue-4.19/can-kvaser_usb_hydra-do-not-report-txerr-and-rxerr-d.patch create mode 100644 queue-4.19/can-kvaser_usb_leaf-do-not-report-txerr-and-rxerr-du.patch create mode 100644 queue-4.19/can-pch_can-do-not-report-txerr-and-rxerr-during-bus.patch create mode 100644 queue-4.19/can-pch_can-pch_can_error-initialize-errc-before-usi.patch create mode 100644 queue-4.19/can-rcar_can-do-not-report-txerr-and-rxerr-during-bu.patch create mode 100644 queue-4.19/can-sja1000-do-not-report-txerr-and-rxerr-during-bus.patch create mode 100644 queue-4.19/can-sun4i_can-do-not-report-txerr-and-rxerr-during-b.patch create mode 100644 queue-4.19/can-usb_8dev-do-not-report-txerr-and-rxerr-during-bu.patch create mode 100644 queue-4.19/clk-qcom-ipq8074-fix-nss-port-frequency-tables.patch create mode 100644 queue-4.19/clk-qcom-ipq8074-set-branch_halt_delay-flag-for-ubi-.patch create mode 100644 queue-4.19/clk-renesas-r9a06g032-fix-uart-clkgrp-bitsel.patch create mode 100644 queue-4.19/cpufreq-zynq-fix-refcount-leak-in-zynq_get_revision.patch create mode 100644 queue-4.19/crypto-hisilicon-kunpeng916-crypto-driver-don-t-slee.patch create mode 100644 queue-4.19/dccp-put-dccp_qpolicy_full-and-dccp_qpolicy_push-in-.patch create mode 100644 queue-4.19/dm-return-early-from-dm_pr_call-if-dm-device-is-susp.patch create mode 100644 queue-4.19/drm-bridge-adv7511-add-check-for-mipi_dsi_driver_reg.patch create mode 100644 queue-4.19/drm-bridge-sii8620-fix-possible-off-by-one.patch create mode 100644 queue-4.19/drm-mediatek-add-pull-down-mipi-operation-in-mtk_dsi.patch create mode 100644 queue-4.19/drm-mediatek-dpi-remove-output-format-of-yuv.patch create mode 100644 queue-4.19/drm-msm-hdmi-enable-core-vcc-core-vdda-supply-for-89.patch create mode 100644 queue-4.19/drm-msm-mdp5-fix-global-state-lock-backoff.patch create mode 100644 queue-4.19/drm-radeon-fix-potential-buffer-overflow-in-ni_set_m.patch create mode 100644 queue-4.19/drm-rockchip-vop-don-t-crash-for-invalid-duplicate_s.patch create mode 100644 queue-4.19/drm-vc4-dsi-correct-dsi-divider-calculations.patch create mode 100644 queue-4.19/ext2-add-more-validity-checks-for-inode-counts.patch create mode 100644 queue-4.19/ext4-recover-csum-seed-of-tmp_inode-after-migrating-.patch create mode 100644 queue-4.19/fpga-altera-pr-ip-fix-unsigned-comparison-with-less-.patch create mode 100644 queue-4.19/fs-check-fmode_lseek-to-control-internal-pipe-splici.patch create mode 100644 queue-4.19/genelf-use-have_libcrypto_support-not-the-never-defi.patch create mode 100644 queue-4.19/genirq-generic_irq_ipi-depends-on-smp.patch create mode 100644 queue-4.19/gpio-gpiolib-of-fix-refcount-bugs-in-of_mm_gpiochip_.patch create mode 100644 queue-4.19/hid-alps-declare-u1_unicorn_legacy-support.patch create mode 100644 queue-4.19/hid-cp2112-prevent-a-buffer-overflow-in-cp2112_xfer.patch create mode 100644 queue-4.19/hwmon-sht15-fix-wrong-assumptions-in-device-remove-c.patch create mode 100644 queue-4.19/i2c-cadence-support-pec-for-smbus-block-read.patch create mode 100644 queue-4.19/i2c-fix-a-potential-use-after-free.patch create mode 100644 queue-4.19/i2c-mux-gpmux-add-of_node_put-when-breaking-out-of-l.patch create mode 100644 queue-4.19/iommu-arm-smmu-qcom_iommu-add-of_node_put-when-break.patch create mode 100644 queue-4.19/iommu-exynos-handle-failed-iommu-device-registration.patch create mode 100644 queue-4.19/jbd2-fix-assertion-jh-b_frozen_data-null-failure-whe.patch create mode 100644 queue-4.19/kfifo-fix-kfifo_to_user-return-type.patch create mode 100644 queue-4.19/kprobes-forbid-probing-on-trampoline-and-bpf-code-ar.patch create mode 100644 queue-4.19/libbpf-fix-the-name-of-a-reused-map.patch create mode 100644 queue-4.19/media-hdpvr-fix-error-value-returns-in-hdpvr_read.patch create mode 100644 queue-4.19/media-platform-mtk-mdp-fix-mdp_ipi_comm-structure-al.patch create mode 100644 queue-4.19/media-tw686x-register-the-irq-at-the-end-of-probe.patch create mode 100644 queue-4.19/mediatek-mt76-mac80211-fix-missing-of_node_put-in-mt.patch create mode 100644 queue-4.19/memstick-ms_block-fix-a-memory-leak.patch create mode 100644 queue-4.19/memstick-ms_block-fix-some-incorrect-memory-allocati.patch create mode 100644 queue-4.19/meson-mx-socinfo-fix-refcount-leak-in-meson_mx_socin.patch create mode 100644 queue-4.19/mfd-t7l66xb-drop-platform-disable-callback.patch create mode 100644 queue-4.19/misc-rtsx-fix-an-error-handling-path-in-rtsx_pci_pro.patch create mode 100644 queue-4.19/mm-mmap.c-fix-missing-call-to-vm_unacct_memory-in-mm.patch create mode 100644 queue-4.19/mmc-cavium-octeon-add-of_node_put-when-breaking-out-.patch create mode 100644 queue-4.19/mmc-cavium-thunderx-add-of_node_put-when-breaking-ou.patch create mode 100644 queue-4.19/mmc-sdhci-of-at91-fix-set_uhs_signaling-rewriting-of.patch create mode 100644 queue-4.19/mmc-sdhci-of-esdhc-fix-refcount-leak-in-esdhc_signal.patch create mode 100644 queue-4.19/mtd-maps-fix-refcount-leak-in-ap_flash_init.patch create mode 100644 queue-4.19/mtd-maps-fix-refcount-leak-in-of_flash_probe_versati.patch create mode 100644 queue-4.19/mtd-sm_ftl-fix-deadlock-caused-by-cancel_work_sync-i.patch create mode 100644 queue-4.19/mtd-st_spi_fsm-add-a-clk_disable_unprepare-in-.probe.patch create mode 100644 queue-4.19/net-mlx5e-fix-the-value-of-mlx5e_max_rq_num_mtts.patch create mode 100644 queue-4.19/net-rose-fix-netdev-reference-changes.patch create mode 100644 queue-4.19/netdevsim-avoid-allocation-warnings-triggered-from-u.patch create mode 100644 queue-4.19/netfilter-nf_tables-add-rescheduling-points-during-l.patch create mode 100644 queue-4.19/nohz-full-sched-rt-fix-missed-tick-reenabling-bug-in.patch create mode 100644 queue-4.19/null_blk-fix-ida-error-handling-in-null_add_dev.patch create mode 100644 queue-4.19/pci-portdrv-don-t-disable-aer-reporting-in-get_port_.patch create mode 100644 queue-4.19/platform-olpc-fix-uninitialized-data-in-debugfs-writ.patch create mode 100644 queue-4.19/pm-hibernate-defer-device-probing-when-resuming-from.patch create mode 100644 queue-4.19/powerpc-32-do-not-allow-selection-of-e5500-or-e6500-.patch create mode 100644 queue-4.19/powerpc-cell-axon_msi-fix-refcount-leak-in-setup_msi.patch create mode 100644 queue-4.19/powerpc-pci-fix-phb-numbering-when-using-opal-phbid.patch create mode 100644 queue-4.19/powerpc-pci-prefer-pci-domain-assignment-via-dt-linu.patch create mode 100644 queue-4.19/powerpc-spufs-fix-refcount-leak-in-spufs_init_isolat.patch create mode 100644 queue-4.19/powerpc-xive-fix-refcount-leak-in-xive_get_max_prio.patch create mode 100644 queue-4.19/profiling-fix-shift-too-large-makes-kernel-panic.patch create mode 100644 queue-4.19/rdma-hfi1-fix-potential-memory-leak-in-setup_base_ct.patch create mode 100644 queue-4.19/rdma-rxe-fix-error-unwind-in-rxe_create_qp.patch create mode 100644 queue-4.19/regulator-of-fix-refcount-leak-bug-in-of_get_regulat.patch create mode 100644 queue-4.19/remoteproc-qcom-wcnss-fix-handling-of-irqs.patch create mode 100644 queue-4.19/rpmsg-qcom_smd-fix-refcount-leak-in-qcom_smd_parse_e.patch create mode 100644 queue-4.19/s390-zcore-fix-race-when-reading-from-hardware-syste.patch create mode 100644 queue-4.19/scripts-faddr2line-fix-vmlinux-detection-on-arm64.patch create mode 100644 queue-4.19/scsi-smartpqi-fix-dma-direction-for-raid-requests.patch create mode 100644 queue-4.19/selftests-timers-clocksource-switch-fix-passing-erro.patch create mode 100644 queue-4.19/selftests-timers-valid-adjtimex-build-fix-for-newer-.patch create mode 100644 queue-4.19/selinux-add-boundary-check-in-put_entry.patch create mode 100644 queue-4.19/serial-8250_dw-store-lsr-into-lsr_saved_flags-in-dw8.patch create mode 100644 queue-4.19/soc-fsl-guts-machine-variable-might-be-unset.patch create mode 100644 queue-4.19/soundwire-bus_type-fix-remove-and-shutdown-support.patch create mode 100644 queue-4.19/staging-rtl8192u-fix-sleep-in-atomic-context-bug-in-.patch create mode 100644 queue-4.19/tcp-make-retransmitted-skb-fit-into-the-send-window.patch create mode 100644 queue-4.19/thermal-tools-tmon-include-pthread-and-time-headers-.patch create mode 100644 queue-4.19/tools-thermal-fix-possible-path-truncations.patch create mode 100644 queue-4.19/tty-n_gsm-fix-dm-command.patch create mode 100644 queue-4.19/tty-n_gsm-fix-missing-corner-cases-in-gsmld_poll.patch create mode 100644 queue-4.19/tty-n_gsm-fix-non-flow-control-frames-during-mux-flo.patch create mode 100644 queue-4.19/tty-n_gsm-fix-packet-re-transmission-without-open-co.patch create mode 100644 queue-4.19/tty-n_gsm-fix-race-condition-in-gsmld_write.patch create mode 100644 queue-4.19/tty-n_gsm-fix-wrong-t1-retry-count-handling.patch create mode 100644 queue-4.19/usb-gadget-udc-amd5536-depends-on-has_dma.patch create mode 100644 queue-4.19/usb-host-fix-refcount-leak-in-ehci_hcd_ppc_of_probe.patch create mode 100644 queue-4.19/usb-ohci-nxp-fix-refcount-leak-in-ohci_hcd_nxp_probe.patch create mode 100644 queue-4.19/usb-serial-fix-tty-port-initialized-comments.patch create mode 100644 queue-4.19/vfio-ccw-do-not-change-fsm-state-in-subchannel-event.patch create mode 100644 queue-4.19/video-fbdev-amba-clcd-fix-refcount-leak-bugs.patch create mode 100644 queue-4.19/video-fbdev-arkfb-check-the-size-of-screen-before-me.patch create mode 100644 queue-4.19/video-fbdev-arkfb-fix-a-divide-by-zero-bug-in-ark_se.patch create mode 100644 queue-4.19/video-fbdev-s3fb-check-the-size-of-screen-before-mem.patch create mode 100644 queue-4.19/video-fbdev-sis-fix-typos-in-sis_getmodeid.patch create mode 100644 queue-4.19/video-fbdev-vt8623fb-check-the-size-of-screen-before.patch create mode 100644 queue-4.19/wifi-iwlegacy-4965-fix-potential-off-by-one-overflow.patch create mode 100644 queue-4.19/wifi-libertas-fix-possible-refcount-leak-in-if_usb_p.patch create mode 100644 queue-4.19/wifi-p54-add-missing-parentheses-in-p54_flush.patch create mode 100644 queue-4.19/wifi-p54-fix-an-error-handling-path-in-p54spi_probe.patch create mode 100644 queue-4.19/wifi-rtlwifi-fix-error-codes-in-rtl_debugfs_set_writ.patch create mode 100644 queue-4.19/wifi-wil6210-debugfs-fix-info-leak-in-wil_write_file.patch create mode 100644 queue-4.19/wifi-wil6210-debugfs-fix-uninitialized-variable-use-.patch create mode 100644 queue-4.19/x86-numa-use-cpumask_available-instead-of-hardcoded-.patch create mode 100644 queue-4.19/x86-pmem-fix-platform-device-leak-in-error-path.patch diff --git a/queue-4.19/acpi-ec-remove-duplicate-thinkpad-x1-carbon-6th-entr.patch b/queue-4.19/acpi-ec-remove-duplicate-thinkpad-x1-carbon-6th-entr.patch new file mode 100644 index 00000000000..77573afe2d6 --- /dev/null +++ b/queue-4.19/acpi-ec-remove-duplicate-thinkpad-x1-carbon-6th-entr.patch @@ -0,0 +1,42 @@ +From d4b1ac754170b3a4f333a091466a8802057a96e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jun 2022 11:25:43 +0200 +Subject: ACPI: EC: Remove duplicate ThinkPad X1 Carbon 6th entry from DMI + quirks + +From: Hans de Goede + +[ Upstream commit 0dd6db359e5f206cbf1dd1fd40dd211588cd2725 ] + +Somehow the "ThinkPad X1 Carbon 6th" entry ended up twice in the +struct dmi_system_id acpi_ec_no_wakeup[] array. Remove one of +the entries. + +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/ec.c | 7 ------- + 1 file changed, 7 deletions(-) + +diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c +index e3df3dda0332..3394ec64fe95 100644 +--- a/drivers/acpi/ec.c ++++ b/drivers/acpi/ec.c +@@ -2118,13 +2118,6 @@ static const struct dmi_system_id acpi_ec_no_wakeup[] = { + DMI_MATCH(DMI_PRODUCT_FAMILY, "Thinkpad X1 Carbon 6th"), + }, + }, +- { +- .ident = "ThinkPad X1 Carbon 6th", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_FAMILY, "ThinkPad X1 Carbon 6th"), +- }, +- }, + { + .ident = "ThinkPad X1 Yoga 3rd", + .matches = { +-- +2.35.1 + diff --git a/queue-4.19/acpi-lpss-fix-missing-check-in-register_device_clock.patch b/queue-4.19/acpi-lpss-fix-missing-check-in-register_device_clock.patch new file mode 100644 index 00000000000..8e4d766a91c --- /dev/null +++ b/queue-4.19/acpi-lpss-fix-missing-check-in-register_device_clock.patch @@ -0,0 +1,36 @@ +From f6affe923e3bd1fb8f66688b21cc473896ead516 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jun 2022 21:21:27 +0800 +Subject: ACPI: LPSS: Fix missing check in register_device_clock() + +From: huhai + +[ Upstream commit b4f1f61ed5928b1128e60e38d0dffa16966f06dc ] + +register_device_clock() misses a check for platform_device_register_simple(). +Add a check to fix it. + +Signed-off-by: huhai +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpi_lpss.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/acpi/acpi_lpss.c b/drivers/acpi/acpi_lpss.c +index ded6c5c17fd7..144cda7da7ee 100644 +--- a/drivers/acpi/acpi_lpss.c ++++ b/drivers/acpi/acpi_lpss.c +@@ -401,6 +401,9 @@ static int register_device_clock(struct acpi_device *adev, + if (!lpss_clk_dev) + lpt_register_clock_device(); + ++ if (IS_ERR(lpss_clk_dev)) ++ return PTR_ERR(lpss_clk_dev); ++ + clk_data = platform_get_drvdata(lpss_clk_dev); + if (!clk_data) + return -ENODEV; +-- +2.35.1 + diff --git a/queue-4.19/acpi-pm-save-nvs-memory-for-lenovo-g40-45.patch b/queue-4.19/acpi-pm-save-nvs-memory-for-lenovo-g40-45.patch new file mode 100644 index 00000000000..8bf613a9226 --- /dev/null +++ b/queue-4.19/acpi-pm-save-nvs-memory-for-lenovo-g40-45.patch @@ -0,0 +1,44 @@ +From 6215edb41fe9ff8f9f752df4414a780a58a680cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Jun 2022 15:42:48 +0800 +Subject: ACPI: PM: save NVS memory for Lenovo G40-45 + +From: Manyi Li + +[ Upstream commit 4b7ef7b05afcde44142225c184bf43a0cd9e2178 ] + +[821d6f0359b0614792ab8e2fb93b503e25a65079] is to make machines +produced from 2012 to now not saving NVS region to accelerate S3. + +But, Lenovo G40-45, a platform released in 2015, still needs NVS memory +saving during S3. A quirk is introduced for this platform. + +Signed-off-by: Manyi Li +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/sleep.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/acpi/sleep.c b/drivers/acpi/sleep.c +index 847db3edcb5b..a3b4ac97793f 100644 +--- a/drivers/acpi/sleep.c ++++ b/drivers/acpi/sleep.c +@@ -359,6 +359,14 @@ static const struct dmi_system_id acpisleep_dmi_table[] __initconst = { + DMI_MATCH(DMI_PRODUCT_NAME, "80E3"), + }, + }, ++ { ++ .callback = init_nvs_save_s3, ++ .ident = "Lenovo G40-45", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "80E1"), ++ }, ++ }, + /* + * https://bugzilla.kernel.org/show_bug.cgi?id=196907 + * Some Dell XPS13 9360 cannot do suspend-to-idle using the Low Power +-- +2.35.1 + diff --git a/queue-4.19/arm-bcm-fix-refcount-leak-in-bcm_kona_smc_init.patch b/queue-4.19/arm-bcm-fix-refcount-leak-in-bcm_kona_smc_init.patch new file mode 100644 index 00000000000..42a5b5639ef --- /dev/null +++ b/queue-4.19/arm-bcm-fix-refcount-leak-in-bcm_kona_smc_init.patch @@ -0,0 +1,36 @@ +From d52678805ea159d6e65160b48ba6cba83a9db803 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 May 2022 12:13:25 +0400 +Subject: ARM: bcm: Fix refcount leak in bcm_kona_smc_init + +From: Miaoqian Lin + +[ Upstream commit cb23389a2458c2e4bfd6c86a513cbbe1c4d35e76 ] + +of_find_matching_node() returns a node pointer with refcount +incremented, we should use of_node_put() on it when not need anymore. +Add missing of_node_put() to avoid refcount leak. + +Fixes: b8eb35fd594a ("ARM: bcm281xx: Add L2 cache enable code") +Signed-off-by: Miaoqian Lin +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +--- + arch/arm/mach-bcm/bcm_kona_smc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/mach-bcm/bcm_kona_smc.c b/arch/arm/mach-bcm/bcm_kona_smc.c +index a55a7ecf146a..dd0b4195e629 100644 +--- a/arch/arm/mach-bcm/bcm_kona_smc.c ++++ b/arch/arm/mach-bcm/bcm_kona_smc.c +@@ -54,6 +54,7 @@ int __init bcm_kona_smc_init(void) + return -ENODEV; + + prop_val = of_get_address(node, 0, &prop_size, NULL); ++ of_node_put(node); + if (!prop_val) + return -EINVAL; + +-- +2.35.1 + diff --git a/queue-4.19/arm-dts-ast2500-evb-fix-board-compatible.patch b/queue-4.19/arm-dts-ast2500-evb-fix-board-compatible.patch new file mode 100644 index 00000000000..1c672cc3ed1 --- /dev/null +++ b/queue-4.19/arm-dts-ast2500-evb-fix-board-compatible.patch @@ -0,0 +1,35 @@ +From 30c9085f3c700e73e3019072fd46d0920a66693f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 May 2022 12:49:25 +0200 +Subject: ARM: dts: ast2500-evb: fix board compatible + +From: Krzysztof Kozlowski + +[ Upstream commit 30b276fca5c0644f3cb17bceb1bd6a626c670184 ] + +The AST2500 EVB board should have dedicated compatible. + +Fixes: 02440622656d ("arm/dst: Add Aspeed ast2500 device tree") +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20220529104928.79636-4-krzysztof.kozlowski@linaro.org +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/aspeed-ast2500-evb.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/aspeed-ast2500-evb.dts b/arch/arm/boot/dts/aspeed-ast2500-evb.dts +index 2375449c02d0..10626452878a 100644 +--- a/arch/arm/boot/dts/aspeed-ast2500-evb.dts ++++ b/arch/arm/boot/dts/aspeed-ast2500-evb.dts +@@ -5,7 +5,7 @@ + + / { + model = "AST2500 EVB"; +- compatible = "aspeed,ast2500"; ++ compatible = "aspeed,ast2500-evb", "aspeed,ast2500"; + + aliases { + serial4 = &uart5; +-- +2.35.1 + diff --git a/queue-4.19/arm-dts-imx6ul-add-missing-properties-for-sram.patch b/queue-4.19/arm-dts-imx6ul-add-missing-properties-for-sram.patch new file mode 100644 index 00000000000..3e58d209757 --- /dev/null +++ b/queue-4.19/arm-dts-imx6ul-add-missing-properties-for-sram.patch @@ -0,0 +1,39 @@ +From 40e47c70cb355e78ee25e1e34d387d416bb23625 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jun 2022 14:33:51 +0200 +Subject: ARM: dts: imx6ul: add missing properties for sram + +From: Alexander Stein + +[ Upstream commit 5655699cf5cff9f4c4ee703792156bdd05d1addf ] + +All 3 properties are required by sram.yaml. Fixes the dtbs_check +warning: +sram@900000: '#address-cells' is a required property +sram@900000: '#size-cells' is a required property +sram@900000: 'ranges' is a required property + +Signed-off-by: Alexander Stein +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6ul.dtsi | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/arm/boot/dts/imx6ul.dtsi b/arch/arm/boot/dts/imx6ul.dtsi +index adecd6e08468..07850587ee0a 100644 +--- a/arch/arm/boot/dts/imx6ul.dtsi ++++ b/arch/arm/boot/dts/imx6ul.dtsi +@@ -169,6 +169,9 @@ soc { + ocram: sram@900000 { + compatible = "mmio-sram"; + reg = <0x00900000 0x20000>; ++ ranges = <0 0x00900000 0x20000>; ++ #address-cells = <1>; ++ #size-cells = <1>; + }; + + dma_apbh: dma-apbh@1804000 { +-- +2.35.1 + diff --git a/queue-4.19/arm-dts-imx6ul-change-operating-points-to-uint32-mat.patch b/queue-4.19/arm-dts-imx6ul-change-operating-points-to-uint32-mat.patch new file mode 100644 index 00000000000..980ccba5186 --- /dev/null +++ b/queue-4.19/arm-dts-imx6ul-change-operating-points-to-uint32-mat.patch @@ -0,0 +1,63 @@ +From e7972b2d94ee393779305d1db53f8532792abb5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jun 2022 14:33:52 +0200 +Subject: ARM: dts: imx6ul: change operating-points to uint32-matrix + +From: Alexander Stein + +[ Upstream commit edb67843983bbdf61b4c8c3c50618003d38bb4ae ] + +operating-points is a uint32-matrix as per opp-v1.yaml. Change it +accordingly. While at it, change fsl,soc-operating-points as well, +although there is no bindings file (yet). But they should have the same +format. Fixes the dt_binding_check warning: +cpu@0: operating-points:0: [696000, 1275000, 528000, 1175000, 396000, +1025000, 198000, 950000] is too long +cpu@0: operating-points:0: Additional items are not allowed (528000, +1175000, 396000, 1025000, 198000, 950000 were unexpected) + +Signed-off-by: Alexander Stein +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6ul.dtsi | 22 ++++++++++------------ + 1 file changed, 10 insertions(+), 12 deletions(-) + +diff --git a/arch/arm/boot/dts/imx6ul.dtsi b/arch/arm/boot/dts/imx6ul.dtsi +index 07850587ee0a..605792fa67b2 100644 +--- a/arch/arm/boot/dts/imx6ul.dtsi ++++ b/arch/arm/boot/dts/imx6ul.dtsi +@@ -61,20 +61,18 @@ cpu0: cpu@0 { + reg = <0>; + clock-latency = <61036>; /* two CLK32 periods */ + #cooling-cells = <2>; +- operating-points = < ++ operating-points = + /* kHz uV */ +- 696000 1275000 +- 528000 1175000 +- 396000 1025000 +- 198000 950000 +- >; +- fsl,soc-operating-points = < ++ <696000 1275000>, ++ <528000 1175000>, ++ <396000 1025000>, ++ <198000 950000>; ++ fsl,soc-operating-points = + /* KHz uV */ +- 696000 1275000 +- 528000 1175000 +- 396000 1175000 +- 198000 1175000 +- >; ++ <696000 1275000>, ++ <528000 1175000>, ++ <396000 1175000>, ++ <198000 1175000>; + clocks = <&clks IMX6UL_CLK_ARM>, + <&clks IMX6UL_CLK_PLL2_BUS>, + <&clks IMX6UL_CLK_PLL2_PFD2>, +-- +2.35.1 + diff --git a/queue-4.19/arm-dts-imx6ul-fix-lcdif-node-compatible.patch b/queue-4.19/arm-dts-imx6ul-fix-lcdif-node-compatible.patch new file mode 100644 index 00000000000..077f6e2d8e1 --- /dev/null +++ b/queue-4.19/arm-dts-imx6ul-fix-lcdif-node-compatible.patch @@ -0,0 +1,42 @@ +From 1fae34fc409fb12ecb2165713b561b31c771ab5f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jun 2022 14:33:56 +0200 +Subject: ARM: dts: imx6ul: fix lcdif node compatible + +From: Alexander Stein + +[ Upstream commit 1a884d17ca324531634cce82e9f64c0302bdf7de ] + +In yaml binding "fsl,imx6ul-lcdif" is listed as compatible to imx6sx-lcdif, +but not imx28-lcdif. Change the list accordingly. Fixes the +dt_binding_check warning: +lcdif@21c8000: compatible: 'oneOf' conditional failed, one must be fixed: +['fsl,imx6ul-lcdif', 'fsl,imx28-lcdif'] is too long +Additional items are not allowed ('fsl,imx28-lcdif' was unexpected) +'fsl,imx6ul-lcdif' is not one of ['fsl,imx23-lcdif', 'fsl,imx28-lcdif', +'fsl,imx6sx-lcdif'] +'fsl,imx6sx-lcdif' was expected + +Signed-off-by: Alexander Stein +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6ul.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/imx6ul.dtsi b/arch/arm/boot/dts/imx6ul.dtsi +index 605792fa67b2..d91baa74e608 100644 +--- a/arch/arm/boot/dts/imx6ul.dtsi ++++ b/arch/arm/boot/dts/imx6ul.dtsi +@@ -940,7 +940,7 @@ cpu_speed_grade: speed-grade@10 { + }; + + lcdif: lcdif@21c8000 { +- compatible = "fsl,imx6ul-lcdif", "fsl,imx28-lcdif"; ++ compatible = "fsl,imx6ul-lcdif", "fsl,imx6sx-lcdif"; + reg = <0x021c8000 0x4000>; + interrupts = ; + clocks = <&clks IMX6UL_CLK_LCDIF_PIX>, +-- +2.35.1 + diff --git a/queue-4.19/arm-dts-imx6ul-fix-qspi-node-compatible.patch b/queue-4.19/arm-dts-imx6ul-fix-qspi-node-compatible.patch new file mode 100644 index 00000000000..d632e73e87b --- /dev/null +++ b/queue-4.19/arm-dts-imx6ul-fix-qspi-node-compatible.patch @@ -0,0 +1,42 @@ +From 89a765d3500fa681c1e8e73b8d4cc31891d392eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jun 2022 14:33:57 +0200 +Subject: ARM: dts: imx6ul: fix qspi node compatible + +From: Alexander Stein + +[ Upstream commit 0c6cf86e1ab433b2d421880fdd9c6e954f404948 ] + +imx6ul is not compatible to imx6sx, both have different erratas. +Fixes the dt_binding_check warning: +spi@21e0000: compatible: 'oneOf' conditional failed, one must be fixed: +['fsl,imx6ul-qspi', 'fsl,imx6sx-qspi'] is too long +Additional items are not allowed ('fsl,imx6sx-qspi' was unexpected) +'fsl,imx6ul-qspi' is not one of ['fsl,ls1043a-qspi'] +'fsl,imx6ul-qspi' is not one of ['fsl,imx8mq-qspi'] +'fsl,ls1021a-qspi' was expected +'fsl,imx7d-qspi' was expected + +Signed-off-by: Alexander Stein +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6ul.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/imx6ul.dtsi b/arch/arm/boot/dts/imx6ul.dtsi +index d91baa74e608..334638ff5075 100644 +--- a/arch/arm/boot/dts/imx6ul.dtsi ++++ b/arch/arm/boot/dts/imx6ul.dtsi +@@ -953,7 +953,7 @@ lcdif: lcdif@21c8000 { + qspi: qspi@21e0000 { + #address-cells = <1>; + #size-cells = <0>; +- compatible = "fsl,imx6ul-qspi", "fsl,imx6sx-qspi"; ++ compatible = "fsl,imx6ul-qspi"; + reg = <0x021e0000 0x4000>, <0x60000000 0x10000000>; + reg-names = "QuadSPI", "QuadSPI-memory"; + interrupts = ; +-- +2.35.1 + diff --git a/queue-4.19/arm-dts-qcom-pm8841-add-required-thermal-sensor-cell.patch b/queue-4.19/arm-dts-qcom-pm8841-add-required-thermal-sensor-cell.patch new file mode 100644 index 00000000000..b2e30c14577 --- /dev/null +++ b/queue-4.19/arm-dts-qcom-pm8841-add-required-thermal-sensor-cell.patch @@ -0,0 +1,35 @@ +From bc22c575d94ce0f0a75f3acff440466c0d8645a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jun 2022 13:27:02 +0200 +Subject: ARM: dts: qcom: pm8841: add required thermal-sensor-cells + +From: Krzysztof Kozlowski + +[ Upstream commit e2759fa0676c9a32bbddb9aff955b54bb35066ad ] + +The PM8841 temperature sensor has to define thermal-sensor-cells. + +Fixes: dab8134ca072 ("ARM: dts: qcom: Add PM8841 functions device nodes") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220608112702.80873-2-krzysztof.kozlowski@linaro.org +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/qcom-pm8841.dtsi | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/boot/dts/qcom-pm8841.dtsi b/arch/arm/boot/dts/qcom-pm8841.dtsi +index 2fd59c440903..c73e5b149ac5 100644 +--- a/arch/arm/boot/dts/qcom-pm8841.dtsi ++++ b/arch/arm/boot/dts/qcom-pm8841.dtsi +@@ -25,6 +25,7 @@ temp-alarm@2400 { + compatible = "qcom,spmi-temp-alarm"; + reg = <0x2400>; + interrupts = <4 0x24 0 IRQ_TYPE_EDGE_RISING>; ++ #thermal-sensor-cells = <0>; + }; + }; + +-- +2.35.1 + diff --git a/queue-4.19/arm-findbit-fix-overflowing-offset.patch b/queue-4.19/arm-findbit-fix-overflowing-offset.patch new file mode 100644 index 00000000000..b60c331940c --- /dev/null +++ b/queue-4.19/arm-findbit-fix-overflowing-offset.patch @@ -0,0 +1,76 @@ +From 5710f0811478ec06dfd66cebaed5d3ef26952dec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Jul 2022 23:51:48 +0100 +Subject: ARM: findbit: fix overflowing offset + +From: Russell King (Oracle) + +[ Upstream commit ec85bd369fd2bfaed6f45dd678706429d4f75b48 ] + +When offset is larger than the size of the bit array, we should not +attempt to access the array as we can perform an access beyond the +end of the array. Fix this by changing the pre-condition. + +Using "cmp r2, r1; bhs ..." covers us for the size == 0 case, since +this will always take the branch when r1 is zero, irrespective of +the value of r2. This means we can fix this bug without adding any +additional code! + +Tested-by: Guenter Roeck +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/lib/findbit.S | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/arch/arm/lib/findbit.S b/arch/arm/lib/findbit.S +index 7848780e8834..20fef6c41f6f 100644 +--- a/arch/arm/lib/findbit.S ++++ b/arch/arm/lib/findbit.S +@@ -43,8 +43,8 @@ ENDPROC(_find_first_zero_bit_le) + * Prototype: int find_next_zero_bit(void *addr, unsigned int maxbit, int offset) + */ + ENTRY(_find_next_zero_bit_le) +- teq r1, #0 +- beq 3b ++ cmp r2, r1 ++ bhs 3b + ands ip, r2, #7 + beq 1b @ If new byte, goto old routine + ARM( ldrb r3, [r0, r2, lsr #3] ) +@@ -84,8 +84,8 @@ ENDPROC(_find_first_bit_le) + * Prototype: int find_next_zero_bit(void *addr, unsigned int maxbit, int offset) + */ + ENTRY(_find_next_bit_le) +- teq r1, #0 +- beq 3b ++ cmp r2, r1 ++ bhs 3b + ands ip, r2, #7 + beq 1b @ If new byte, goto old routine + ARM( ldrb r3, [r0, r2, lsr #3] ) +@@ -118,8 +118,8 @@ ENTRY(_find_first_zero_bit_be) + ENDPROC(_find_first_zero_bit_be) + + ENTRY(_find_next_zero_bit_be) +- teq r1, #0 +- beq 3b ++ cmp r2, r1 ++ bhs 3b + ands ip, r2, #7 + beq 1b @ If new byte, goto old routine + eor r3, r2, #0x18 @ big endian byte ordering +@@ -152,8 +152,8 @@ ENTRY(_find_first_bit_be) + ENDPROC(_find_first_bit_be) + + ENTRY(_find_next_bit_be) +- teq r1, #0 +- beq 3b ++ cmp r2, r1 ++ bhs 3b + ands ip, r2, #7 + beq 1b @ If new byte, goto old routine + eor r3, r2, #0x18 @ big endian byte ordering +-- +2.35.1 + diff --git a/queue-4.19/arm-omap2-display-fix-refcount-leak-bug.patch b/queue-4.19/arm-omap2-display-fix-refcount-leak-bug.patch new file mode 100644 index 00000000000..d1cbfd6bbbd --- /dev/null +++ b/queue-4.19/arm-omap2-display-fix-refcount-leak-bug.patch @@ -0,0 +1,36 @@ +From 7549b848446a218ef4b24223f8a846c86289e122 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Jun 2022 22:58:03 +0800 +Subject: ARM: OMAP2+: display: Fix refcount leak bug + +From: Liang He + +[ Upstream commit 50b87a32a79bca6e275918a711fb8cc55e16d739 ] + +In omapdss_init_fbdev(), of_find_node_by_name() will return a node +pointer with refcount incremented. We should use of_node_put() when +it is not used anymore. + +Signed-off-by: Liang He +Message-Id: <20220617145803.4050918-1-windhl@126.com> +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap2/display.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/mach-omap2/display.c b/arch/arm/mach-omap2/display.c +index 5d73f2c0b117..dd2ff10790ab 100644 +--- a/arch/arm/mach-omap2/display.c ++++ b/arch/arm/mach-omap2/display.c +@@ -211,6 +211,7 @@ static int __init omapdss_init_fbdev(void) + node = of_find_node_by_name(NULL, "omap4_padconf_global"); + if (node) + omap4_dsi_mux_syscon = syscon_node_to_regmap(node); ++ of_node_put(node); + + return 0; + } +-- +2.35.1 + diff --git a/queue-4.19/arm-omap2-fix-refcount-leak-in-omap3xxx_prm_late_ini.patch b/queue-4.19/arm-omap2-fix-refcount-leak-in-omap3xxx_prm_late_ini.patch new file mode 100644 index 00000000000..7499b10e24f --- /dev/null +++ b/queue-4.19/arm-omap2-fix-refcount-leak-in-omap3xxx_prm_late_ini.patch @@ -0,0 +1,37 @@ +From 7343d600da1a86960ebf703726de9e8d3062b8b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 May 2022 11:37:24 +0400 +Subject: ARM: OMAP2+: Fix refcount leak in omap3xxx_prm_late_init + +From: Miaoqian Lin + +[ Upstream commit 942228fbf5d4901112178b93d41225be7c0dd9de ] + +of_find_matching_node() returns a node pointer with refcount +incremented, we should use of_node_put() on it when not need anymore. +Add missing of_node_put() to avoid refcount leak. + +Fixes: 1e037794f7f0 ("ARM: OMAP3+: PRM: register interrupt information from DT") +Signed-off-by: Miaoqian Lin +Message-Id: <20220526073724.21169-1-linmq006@gmail.com> +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap2/prm3xxx.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/mach-omap2/prm3xxx.c b/arch/arm/mach-omap2/prm3xxx.c +index dfa65fc2c82b..30445849b5e3 100644 +--- a/arch/arm/mach-omap2/prm3xxx.c ++++ b/arch/arm/mach-omap2/prm3xxx.c +@@ -711,6 +711,7 @@ static int omap3xxx_prm_late_init(void) + } + + irq_num = of_irq_get(np, 0); ++ of_node_put(np); + if (irq_num == -EPROBE_DEFER) + return irq_num; + +-- +2.35.1 + diff --git a/queue-4.19/arm64-do-not-forget-syscall-when-starting-a-new-thre.patch b/queue-4.19/arm64-do-not-forget-syscall-when-starting-a-new-thre.patch new file mode 100644 index 00000000000..f7079bcae49 --- /dev/null +++ b/queue-4.19/arm64-do-not-forget-syscall-when-starting-a-new-thre.patch @@ -0,0 +1,40 @@ +From 38676cb1bab28bee0e459c8c605d4405cc918aec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jun 2022 17:24:46 +0100 +Subject: arm64: Do not forget syscall when starting a new thread. + +From: Francis Laniel + +[ Upstream commit de6921856f99c11d3986c6702d851e1328d4f7f6 ] + +Enable tracing of the execve*() system calls with the +syscalls:sys_exit_execve tracepoint by removing the call to +forget_syscall() when starting a new thread and preserving the value of +regs->syscallno across exec. + +Signed-off-by: Francis Laniel +Link: https://lore.kernel.org/r/20220608162447.666494-2-flaniel@linux.microsoft.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/processor.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/arm64/include/asm/processor.h b/arch/arm64/include/asm/processor.h +index 773ea8e0e442..f81074c68ff3 100644 +--- a/arch/arm64/include/asm/processor.h ++++ b/arch/arm64/include/asm/processor.h +@@ -172,8 +172,9 @@ void tls_preserve_current_state(void); + + static inline void start_thread_common(struct pt_regs *regs, unsigned long pc) + { ++ s32 previous_syscall = regs->syscallno; + memset(regs, 0, sizeof(*regs)); +- forget_syscall(regs); ++ regs->syscallno = previous_syscall; + regs->pc = pc; + } + +-- +2.35.1 + diff --git a/queue-4.19/arm64-dts-qcom-ipq8074-fix-nand-node-name.patch b/queue-4.19/arm64-dts-qcom-ipq8074-fix-nand-node-name.patch new file mode 100644 index 00000000000..1e3209bfae9 --- /dev/null +++ b/queue-4.19/arm64-dts-qcom-ipq8074-fix-nand-node-name.patch @@ -0,0 +1,37 @@ +From d2b5ededf3db2f7cce70f89612ce7a5d1e15081b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Jun 2022 14:06:42 +0200 +Subject: arm64: dts: qcom: ipq8074: fix NAND node name + +From: Robert Marko + +[ Upstream commit b39961659ffc3c3a9e3d0d43b0476547b5f35d49 ] + +Per schema it should be nand-controller@79b0000 instead of nand@79b0000. +Fix it to match nand-controller.yaml requirements. + +Signed-off-by: Robert Marko +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220621120642.518575-1-robimarko@gmail.com +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/ipq8074.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/ipq8074.dtsi b/arch/arm64/boot/dts/qcom/ipq8074.dtsi +index f48d14cd10a3..bdee07305ce5 100644 +--- a/arch/arm64/boot/dts/qcom/ipq8074.dtsi ++++ b/arch/arm64/boot/dts/qcom/ipq8074.dtsi +@@ -261,7 +261,7 @@ qpic_bam: dma@7984000 { + status = "disabled"; + }; + +- qpic_nand: nand@79b0000 { ++ qpic_nand: nand-controller@79b0000 { + compatible = "qcom,ipq8074-nand"; + reg = <0x79b0000 0x10000>; + #address-cells = <1>; +-- +2.35.1 + diff --git a/queue-4.19/arm64-dts-qcom-msm8916-fix-typo-in-pronto-remoteproc.patch b/queue-4.19/arm64-dts-qcom-msm8916-fix-typo-in-pronto-remoteproc.patch new file mode 100644 index 00000000000..e1c84547910 --- /dev/null +++ b/queue-4.19/arm64-dts-qcom-msm8916-fix-typo-in-pronto-remoteproc.patch @@ -0,0 +1,42 @@ +From debb90ed5550204ce86f20c3a64eb8a6a901332c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 May 2022 19:47:40 +0530 +Subject: arm64: dts: qcom: msm8916: Fix typo in pronto remoteproc node + +From: Sireesh Kodali + +[ Upstream commit 5458d6f2827cd30218570f266b8d238417461f2f ] + +The smem-state properties for the pronto node were incorrectly labelled, +reading `qcom,state*` rather than `qcom,smem-state*`. Fix that, allowing +the stop state to be used. + +Fixes: 88106096cbf8 ("ARM: dts: msm8916: Add and enable wcnss node") +Signed-off-by: Sireesh Kodali +Reviewed-by: Krzysztof Kozlowski +Reviewed-by: Stephan Gerhold +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220526141740.15834-3-sireeshkodali1@gmail.com +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/msm8916.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/msm8916.dtsi b/arch/arm64/boot/dts/qcom/msm8916.dtsi +index 078ae020a77b..1832687f7ba8 100644 +--- a/arch/arm64/boot/dts/qcom/msm8916.dtsi ++++ b/arch/arm64/boot/dts/qcom/msm8916.dtsi +@@ -1039,8 +1039,8 @@ pronto: wcnss@a21b000 { + vddmx-supply = <&pm8916_l3>; + vddpx-supply = <&pm8916_l7>; + +- qcom,state = <&wcnss_smp2p_out 0>; +- qcom,state-names = "stop"; ++ qcom,smem-states = <&wcnss_smp2p_out 0>; ++ qcom,smem-state-names = "stop"; + + pinctrl-names = "default"; + pinctrl-0 = <&wcnss_pin_a>; +-- +2.35.1 + diff --git a/queue-4.19/arm64-fix-oops-in-concurrently-setting-insn_emulatio.patch b/queue-4.19/arm64-fix-oops-in-concurrently-setting-insn_emulatio.patch new file mode 100644 index 00000000000..6c36fef54ed --- /dev/null +++ b/queue-4.19/arm64-fix-oops-in-concurrently-setting-insn_emulatio.patch @@ -0,0 +1,93 @@ +From fe9cfe5575902b7efc6d01f2e6c25eb80b599bd9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 2 Jul 2022 05:43:19 +0000 +Subject: arm64: fix oops in concurrently setting insn_emulation sysctls +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: haibinzhang (张海斌) + +[ Upstream commit af483947d472eccb79e42059276c4deed76f99a6 ] + +emulation_proc_handler() changes table->data for proc_dointvec_minmax +and can generate the following Oops if called concurrently with itself: + + | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010 + | Internal error: Oops: 96000006 [#1] SMP + | Call trace: + | update_insn_emulation_mode+0xc0/0x148 + | emulation_proc_handler+0x64/0xb8 + | proc_sys_call_handler+0x9c/0xf8 + | proc_sys_write+0x18/0x20 + | __vfs_write+0x20/0x48 + | vfs_write+0xe4/0x1d0 + | ksys_write+0x70/0xf8 + | __arm64_sys_write+0x20/0x28 + | el0_svc_common.constprop.0+0x7c/0x1c0 + | el0_svc_handler+0x2c/0xa0 + | el0_svc+0x8/0x200 + +To fix this issue, keep the table->data as &insn->current_mode and +use container_of() to retrieve the insn pointer. Another mutex is +used to protect against the current_mode update but not for retrieving +insn_emulation as table->data is no longer changing. + +Co-developed-by: hewenliang +Signed-off-by: hewenliang +Signed-off-by: Haibin Zhang +Reviewed-by: Catalin Marinas +Link: https://lore.kernel.org/r/20220128090324.2727688-1-hewenliang4@huawei.com +Link: https://lore.kernel.org/r/9A004C03-250B-46C5-BF39-782D7551B00E@tencent.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/armv8_deprecated.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/arch/arm64/kernel/armv8_deprecated.c b/arch/arm64/kernel/armv8_deprecated.c +index 181c29af5617..7c69a203cdf8 100644 +--- a/arch/arm64/kernel/armv8_deprecated.c ++++ b/arch/arm64/kernel/armv8_deprecated.c +@@ -62,6 +62,7 @@ struct insn_emulation { + static LIST_HEAD(insn_emulation); + static int nr_insn_emulated __initdata; + static DEFINE_RAW_SPINLOCK(insn_emulation_lock); ++static DEFINE_MUTEX(insn_emulation_mutex); + + static void register_emulation_hooks(struct insn_emulation_ops *ops) + { +@@ -210,10 +211,10 @@ static int emulation_proc_handler(struct ctl_table *table, int write, + loff_t *ppos) + { + int ret = 0; +- struct insn_emulation *insn = (struct insn_emulation *) table->data; ++ struct insn_emulation *insn = container_of(table->data, struct insn_emulation, current_mode); + enum insn_emulation_mode prev_mode = insn->current_mode; + +- table->data = &insn->current_mode; ++ mutex_lock(&insn_emulation_mutex); + ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos); + + if (ret || !write || prev_mode == insn->current_mode) +@@ -226,7 +227,7 @@ static int emulation_proc_handler(struct ctl_table *table, int write, + update_insn_emulation_mode(insn, INSN_UNDEF); + } + ret: +- table->data = insn; ++ mutex_unlock(&insn_emulation_mutex); + return ret; + } + +@@ -250,7 +251,7 @@ static void __init register_insn_emulation_sysctl(void) + sysctl->maxlen = sizeof(int); + + sysctl->procname = insn->ops->name; +- sysctl->data = insn; ++ sysctl->data = &insn->current_mode; + sysctl->extra1 = &insn->min; + sysctl->extra2 = &insn->max; + sysctl->proc_handler = emulation_proc_handler; +-- +2.35.1 + diff --git a/queue-4.19/asoc-codecs-da7210-add-check-for-i2c_add_driver.patch b/queue-4.19/asoc-codecs-da7210-add-check-for-i2c_add_driver.patch new file mode 100644 index 00000000000..f1d402d5859 --- /dev/null +++ b/queue-4.19/asoc-codecs-da7210-add-check-for-i2c_add_driver.patch @@ -0,0 +1,41 @@ +From 8cd1345bfecfaf5d3fbdfbf1dfcb273f471d3811 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 May 2022 17:47:12 +0800 +Subject: ASoC: codecs: da7210: add check for i2c_add_driver + +From: Jiasheng Jiang + +[ Upstream commit 82fa8f581a954ddeec1602bed9f8b4a09d100e6e ] + +As i2c_add_driver could return error if fails, it should be +better to check the return value. +However, if the CONFIG_I2C and CONFIG_SPI_MASTER are both true, +the return value of i2c_add_driver will be covered by +spi_register_driver. +Therefore, it is necessary to add check and return error if fails. + +Fixes: aa0e25caafb7 ("ASoC: da7210: Add support for spi regmap") +Signed-off-by: Jiasheng Jiang +Link: https://lore.kernel.org/r/20220531094712.2376759-1-jiasheng@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/da7210.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/soc/codecs/da7210.c b/sound/soc/codecs/da7210.c +index e172913d04a4..efc5049c0796 100644 +--- a/sound/soc/codecs/da7210.c ++++ b/sound/soc/codecs/da7210.c +@@ -1333,6 +1333,8 @@ static int __init da7210_modinit(void) + int ret = 0; + #if IS_ENABLED(CONFIG_I2C) + ret = i2c_add_driver(&da7210_i2c_driver); ++ if (ret) ++ return ret; + #endif + #if defined(CONFIG_SPI_MASTER) + ret = spi_register_driver(&da7210_spi_driver); +-- +2.35.1 + diff --git a/queue-4.19/asoc-mediatek-mt8173-fix-refcount-leak-in-mt8173_rt5.patch b/queue-4.19/asoc-mediatek-mt8173-fix-refcount-leak-in-mt8173_rt5.patch new file mode 100644 index 00000000000..b0ba22db700 --- /dev/null +++ b/queue-4.19/asoc-mediatek-mt8173-fix-refcount-leak-in-mt8173_rt5.patch @@ -0,0 +1,67 @@ +From 07cf7a380fa4321a8901180849ffaeae00b8988b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jun 2022 07:41:42 +0400 +Subject: ASoC: mediatek: mt8173: Fix refcount leak in + mt8173_rt5650_rt5676_dev_probe + +From: Miaoqian Lin + +[ Upstream commit ae4f11c1ed2d67192fdf3d89db719ee439827c11 ] + +of_parse_phandle() returns a node pointer with refcount +incremented, we should use of_node_put() on it when not need anymore. +Fix missing of_node_put() in error paths. + +Fixes: 94319ba10eca ("ASoC: mediatek: Use platform_of_node for machine drivers") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220602034144.60159-1-linmq006@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/mediatek/mt8173/mt8173-rt5650-rt5676.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5676.c b/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5676.c +index 242f99716c61..c37c962173d9 100644 +--- a/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5676.c ++++ b/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5676.c +@@ -245,14 +245,16 @@ static int mt8173_rt5650_rt5676_dev_probe(struct platform_device *pdev) + if (!mt8173_rt5650_rt5676_codecs[0].of_node) { + dev_err(&pdev->dev, + "Property 'audio-codec' missing or invalid\n"); +- return -EINVAL; ++ ret = -EINVAL; ++ goto put_node; + } + mt8173_rt5650_rt5676_codecs[1].of_node = + of_parse_phandle(pdev->dev.of_node, "mediatek,audio-codec", 1); + if (!mt8173_rt5650_rt5676_codecs[1].of_node) { + dev_err(&pdev->dev, + "Property 'audio-codec' missing or invalid\n"); +- return -EINVAL; ++ ret = -EINVAL; ++ goto put_node; + } + mt8173_rt5650_rt5676_codec_conf[0].of_node = + mt8173_rt5650_rt5676_codecs[1].of_node; +@@ -265,7 +267,8 @@ static int mt8173_rt5650_rt5676_dev_probe(struct platform_device *pdev) + if (!mt8173_rt5650_rt5676_dais[DAI_LINK_HDMI_I2S].codec_of_node) { + dev_err(&pdev->dev, + "Property 'audio-codec' missing or invalid\n"); +- return -EINVAL; ++ ret = -EINVAL; ++ goto put_node; + } + + card->dev = &pdev->dev; +@@ -275,6 +278,7 @@ static int mt8173_rt5650_rt5676_dev_probe(struct platform_device *pdev) + dev_err(&pdev->dev, "%s snd_soc_register_card fail %d\n", + __func__, ret); + ++put_node: + of_node_put(platform_node); + return ret; + } +-- +2.35.1 + diff --git a/queue-4.19/asoc-mediatek-mt8173-rt5650-fix-refcount-leak-in-mt8.patch b/queue-4.19/asoc-mediatek-mt8173-rt5650-fix-refcount-leak-in-mt8.patch new file mode 100644 index 00000000000..e1dfe97a7fd --- /dev/null +++ b/queue-4.19/asoc-mediatek-mt8173-rt5650-fix-refcount-leak-in-mt8.patch @@ -0,0 +1,67 @@ +From 1da00533910bac092ec52828d4b799f82e8c928c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jun 2022 16:42:41 +0400 +Subject: ASoC: mediatek: mt8173-rt5650: Fix refcount leak in + mt8173_rt5650_dev_probe + +From: Miaoqian Lin + +[ Upstream commit efe2178d1a32492f99e7f1f2568eea5c88a85729 ] + +of_parse_phandle() returns a node pointer with refcount +incremented, we should use of_node_put() on it when not need anymore. +Fix refcount leak in some error paths. + +Fixes: 0f83f9296d5c ("ASoC: mediatek: Add machine driver for ALC5650 codec") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220603124243.31358-1-linmq006@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/mediatek/mt8173/mt8173-rt5650.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/mediatek/mt8173/mt8173-rt5650.c b/sound/soc/mediatek/mt8173/mt8173-rt5650.c +index 14011a70bcc4..8b613f8627fa 100644 +--- a/sound/soc/mediatek/mt8173/mt8173-rt5650.c ++++ b/sound/soc/mediatek/mt8173/mt8173-rt5650.c +@@ -260,7 +260,8 @@ static int mt8173_rt5650_dev_probe(struct platform_device *pdev) + if (!mt8173_rt5650_codecs[0].of_node) { + dev_err(&pdev->dev, + "Property 'audio-codec' missing or invalid\n"); +- return -EINVAL; ++ ret = -EINVAL; ++ goto put_platform_node; + } + mt8173_rt5650_codecs[1].of_node = mt8173_rt5650_codecs[0].of_node; + +@@ -272,7 +273,7 @@ static int mt8173_rt5650_dev_probe(struct platform_device *pdev) + dev_err(&pdev->dev, + "%s codec_capture_dai name fail %d\n", + __func__, ret); +- return ret; ++ goto put_platform_node; + } + mt8173_rt5650_codecs[1].dai_name = codec_capture_dai; + } +@@ -293,7 +294,8 @@ static int mt8173_rt5650_dev_probe(struct platform_device *pdev) + if (!mt8173_rt5650_dais[DAI_LINK_HDMI_I2S].codec_of_node) { + dev_err(&pdev->dev, + "Property 'audio-codec' missing or invalid\n"); +- return -EINVAL; ++ ret = -EINVAL; ++ goto put_platform_node; + } + card->dev = &pdev->dev; + +@@ -302,6 +304,7 @@ static int mt8173_rt5650_dev_probe(struct platform_device *pdev) + dev_err(&pdev->dev, "%s snd_soc_register_card fail %d\n", + __func__, ret); + ++put_platform_node: + of_node_put(platform_node); + return ret; + } +-- +2.35.1 + diff --git a/queue-4.19/asoc-mt6797-mt6351-fix-refcount-leak-in-mt6797_mt635.patch b/queue-4.19/asoc-mt6797-mt6351-fix-refcount-leak-in-mt6797_mt635.patch new file mode 100644 index 00000000000..2ca94ca2e9c --- /dev/null +++ b/queue-4.19/asoc-mt6797-mt6351-fix-refcount-leak-in-mt6797_mt635.patch @@ -0,0 +1,49 @@ +From 5a73f8c8fa85b0c31aa3857a5c8b5dd64113f1f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jun 2022 12:34:15 +0400 +Subject: ASoC: mt6797-mt6351: Fix refcount leak in mt6797_mt6351_dev_probe + +From: Miaoqian Lin + +[ Upstream commit 7472eb8d7dd12b6b9b1a4f4527719cc9c7f5965f ] + +of_parse_phandle() returns a node pointer with refcount +incremented, we should use of_node_put() on it when not need anymore. +Add missing of_node_put() to avoid refcount leak. + +Fixes: f0ab0bf250da ("ASoC: add mt6797-mt6351 driver and config option") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220603083417.9011-1-linmq006@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/mediatek/mt6797/mt6797-mt6351.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/mediatek/mt6797/mt6797-mt6351.c b/sound/soc/mediatek/mt6797/mt6797-mt6351.c +index b1558c57b9ca..0c49e1a9a897 100644 +--- a/sound/soc/mediatek/mt6797/mt6797-mt6351.c ++++ b/sound/soc/mediatek/mt6797/mt6797-mt6351.c +@@ -179,7 +179,8 @@ static int mt6797_mt6351_dev_probe(struct platform_device *pdev) + if (!codec_node) { + dev_err(&pdev->dev, + "Property 'audio-codec' missing or invalid\n"); +- return -EINVAL; ++ ret = -EINVAL; ++ goto put_platform_node; + } + for (i = 0; i < card->num_links; i++) { + if (mt6797_mt6351_dai_links[i].codec_name) +@@ -192,6 +193,9 @@ static int mt6797_mt6351_dev_probe(struct platform_device *pdev) + dev_err(&pdev->dev, "%s snd_soc_register_card fail %d\n", + __func__, ret); + ++ of_node_put(codec_node); ++put_platform_node: ++ of_node_put(platform_node); + return ret; + } + +-- +2.35.1 + diff --git a/queue-4.19/asoc-qcom-q6dsp-fix-an-off-by-one-in-q6adm_alloc_cop.patch b/queue-4.19/asoc-qcom-q6dsp-fix-an-off-by-one-in-q6adm_alloc_cop.patch new file mode 100644 index 00000000000..d1e787d4876 --- /dev/null +++ b/queue-4.19/asoc-qcom-q6dsp-fix-an-off-by-one-in-q6adm_alloc_cop.patch @@ -0,0 +1,37 @@ +From 603a3467da0f773f718226e3e69eadf14a0b37ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Jul 2022 11:02:22 +0200 +Subject: ASoC: qcom: q6dsp: Fix an off-by-one in q6adm_alloc_copp() + +From: Christophe JAILLET + +[ Upstream commit 673f58f62ca6fc98979d1cf3fe89c3ff33f29b2e ] + +find_first_zero_bit() returns MAX_COPPS_PER_PORT at max here. +So 'idx' should be tested with ">=" or the test can't match. + +Fixes: 7b20b2be51e1 ("ASoC: qdsp6: q6adm: Add q6adm driver") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/0fca3271649736053eb9649d87e1ca01b056be40.1658394124.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/qcom/qdsp6/q6adm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/qcom/qdsp6/q6adm.c b/sound/soc/qcom/qdsp6/q6adm.c +index 932c3ebfd252..01f9127daf5c 100644 +--- a/sound/soc/qcom/qdsp6/q6adm.c ++++ b/sound/soc/qcom/qdsp6/q6adm.c +@@ -218,7 +218,7 @@ static struct q6copp *q6adm_alloc_copp(struct q6adm *adm, int port_idx) + idx = find_first_zero_bit(&adm->copp_bitmap[port_idx], + MAX_COPPS_PER_PORT); + +- if (idx > MAX_COPPS_PER_PORT) ++ if (idx >= MAX_COPPS_PER_PORT) + return ERR_PTR(-EBUSY); + + c = kzalloc(sizeof(*c), GFP_ATOMIC); +-- +2.35.1 + diff --git a/queue-4.19/ath10k-do-not-enforce-interrupt-trigger-type.patch b/queue-4.19/ath10k-do-not-enforce-interrupt-trigger-type.patch new file mode 100644 index 00000000000..3bee7cdcb30 --- /dev/null +++ b/queue-4.19/ath10k-do-not-enforce-interrupt-trigger-type.patch @@ -0,0 +1,58 @@ +From 9e4d8c007c0ee589841d1eab0ac9d0c1f7c8ddef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 May 2022 10:27:26 +0300 +Subject: ath10k: do not enforce interrupt trigger type + +From: Krzysztof Kozlowski + +[ Upstream commit 1ee6c5abebd3cacf2ac4378d0ed4f57fd4850421 ] + +Interrupt line can be configured on different hardware in different way, +even inverted. Therefore driver should not enforce specific trigger +type - edge rising - but instead rely on Devicetree to configure it. + +All Qualcomm DTSI with WCN3990 define the interrupt type as level high, +so the mismatch between DTSI and driver causes rebind issues: + + $ echo 18800000.wifi > /sys/bus/platform/drivers/ath10k_snoc/unbind + $ echo 18800000.wifi > /sys/bus/platform/drivers/ath10k_snoc/bind + [ 44.763114] irq: type mismatch, failed to map hwirq-446 for interrupt-controller@17a00000! + [ 44.763130] ath10k_snoc 18800000.wifi: error -ENXIO: IRQ index 0 not found + [ 44.763140] ath10k_snoc 18800000.wifi: failed to initialize resource: -6 + +Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.3.2.0.c8-00009-QCAHLSWSC8180XMTPLZ-1 +Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.2.0-01387-QCAHLSWMTPLZ-1 + +Fixes: c963a683e701 ("ath10k: add resource init and deinit for WCN3990") +Signed-off-by: Krzysztof Kozlowski +Tested-by: Steev Klimaszewski +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220513151516.357549-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/snoc.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath10k/snoc.c b/drivers/net/wireless/ath/ath10k/snoc.c +index 241e6f0e1dfe..4489875fc87b 100644 +--- a/drivers/net/wireless/ath/ath10k/snoc.c ++++ b/drivers/net/wireless/ath/ath10k/snoc.c +@@ -879,13 +879,12 @@ static void ath10k_snoc_init_napi(struct ath10k *ar) + static int ath10k_snoc_request_irq(struct ath10k *ar) + { + struct ath10k_snoc *ar_snoc = ath10k_snoc_priv(ar); +- int irqflags = IRQF_TRIGGER_RISING; + int ret, id; + + for (id = 0; id < CE_COUNT_MAX; id++) { + ret = request_irq(ar_snoc->ce_irqs[id].irq_line, +- ath10k_snoc_per_engine_handler, +- irqflags, ce_name[id], ar); ++ ath10k_snoc_per_engine_handler, 0, ++ ce_name[id], ar); + if (ret) { + ath10k_err(ar, + "failed to register IRQ handler for CE %d: %d", +-- +2.35.1 + diff --git a/queue-4.19/ath9k-fix-use-after-free-in-ath9k_hif_usb_rx_cb.patch b/queue-4.19/ath9k-fix-use-after-free-in-ath9k_hif_usb_rx_cb.patch new file mode 100644 index 00000000000..acf80c49f73 --- /dev/null +++ b/queue-4.19/ath9k-fix-use-after-free-in-ath9k_hif_usb_rx_cb.patch @@ -0,0 +1,94 @@ +From b97f70e824736a38c584434329d2c39acacc9ad5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jun 2022 21:43:59 +0300 +Subject: ath9k: fix use-after-free in ath9k_hif_usb_rx_cb +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pavel Skripkin + +[ Upstream commit 0ac4827f78c7ffe8eef074bc010e7e34bc22f533 ] + +Syzbot reported use-after-free Read in ath9k_hif_usb_rx_cb() [0]. The +problem was in incorrect htc_handle->drv_priv initialization. + +Probable call trace which can trigger use-after-free: + +ath9k_htc_probe_device() + /* htc_handle->drv_priv = priv; */ + ath9k_htc_wait_for_target() <--- Failed + ieee80211_free_hw() <--- priv pointer is freed + + +... +ath9k_hif_usb_rx_cb() + ath9k_hif_usb_rx_stream() + RX_STAT_INC() <--- htc_handle->drv_priv access + +In order to not add fancy protection for drv_priv we can move +htc_handle->drv_priv initialization at the end of the +ath9k_htc_probe_device() and add helper macro to make +all *_STAT_* macros NULL safe, since syzbot has reported related NULL +deref in that macros [1] + +Link: https://syzkaller.appspot.com/bug?id=6ead44e37afb6866ac0c7dd121b4ce07cb665f60 [0] +Link: https://syzkaller.appspot.com/bug?id=b8101ffcec107c0567a0cd8acbbacec91e9ee8de [1] +Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.") +Reported-and-tested-by: syzbot+03110230a11411024147@syzkaller.appspotmail.com +Reported-and-tested-by: syzbot+c6dde1f690b60e0b9fbe@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/d57bbedc857950659bfacac0ab48790c1eda00c8.1655145743.git.paskripkin@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/htc.h | 10 +++++----- + drivers/net/wireless/ath/ath9k/htc_drv_init.c | 3 ++- + 2 files changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/htc.h b/drivers/net/wireless/ath/ath9k/htc.h +index 9f64e32381f9..81107100e368 100644 +--- a/drivers/net/wireless/ath/ath9k/htc.h ++++ b/drivers/net/wireless/ath/ath9k/htc.h +@@ -325,11 +325,11 @@ static inline struct ath9k_htc_tx_ctl *HTC_SKB_CB(struct sk_buff *skb) + } + + #ifdef CONFIG_ATH9K_HTC_DEBUGFS +- +-#define TX_STAT_INC(c) (hif_dev->htc_handle->drv_priv->debug.tx_stats.c++) +-#define TX_STAT_ADD(c, a) (hif_dev->htc_handle->drv_priv->debug.tx_stats.c += a) +-#define RX_STAT_INC(c) (hif_dev->htc_handle->drv_priv->debug.skbrx_stats.c++) +-#define RX_STAT_ADD(c, a) (hif_dev->htc_handle->drv_priv->debug.skbrx_stats.c += a) ++#define __STAT_SAFE(expr) (hif_dev->htc_handle->drv_priv ? (expr) : 0) ++#define TX_STAT_INC(c) __STAT_SAFE(hif_dev->htc_handle->drv_priv->debug.tx_stats.c++) ++#define TX_STAT_ADD(c, a) __STAT_SAFE(hif_dev->htc_handle->drv_priv->debug.tx_stats.c += a) ++#define RX_STAT_INC(c) __STAT_SAFE(hif_dev->htc_handle->drv_priv->debug.skbrx_stats.c++) ++#define RX_STAT_ADD(c, a) __STAT_SAFE(hif_dev->htc_handle->drv_priv->debug.skbrx_stats.c += a) + #define CAB_STAT_INC priv->debug.tx_stats.cab_queued++ + + #define TX_QSTAT_INC(q) (priv->debug.tx_stats.queue_stats[q]++) +diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_init.c b/drivers/net/wireless/ath/ath9k/htc_drv_init.c +index cb136d9d4621..49d587330990 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_drv_init.c ++++ b/drivers/net/wireless/ath/ath9k/htc_drv_init.c +@@ -946,7 +946,6 @@ int ath9k_htc_probe_device(struct htc_target *htc_handle, struct device *dev, + priv->hw = hw; + priv->htc = htc_handle; + priv->dev = dev; +- htc_handle->drv_priv = priv; + SET_IEEE80211_DEV(hw, priv->dev); + + ret = ath9k_htc_wait_for_target(priv); +@@ -967,6 +966,8 @@ int ath9k_htc_probe_device(struct htc_target *htc_handle, struct device *dev, + if (ret) + goto err_init; + ++ htc_handle->drv_priv = priv; ++ + return 0; + + err_init: +-- +2.35.1 + diff --git a/queue-4.19/bluetooth-hci_intel-add-check-for-platform_driver_re.patch b/queue-4.19/bluetooth-hci_intel-add-check-for-platform_driver_re.patch new file mode 100644 index 00000000000..1bc2a8f6c32 --- /dev/null +++ b/queue-4.19/bluetooth-hci_intel-add-check-for-platform_driver_re.patch @@ -0,0 +1,41 @@ +From 90285a9230d4104219d5c09890864bc9051ee291 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jun 2022 09:24:36 +0800 +Subject: Bluetooth: hci_intel: Add check for platform_driver_register + +From: Jiasheng Jiang + +[ Upstream commit ab2d2a982ff721f4b029282d9a40602ea46a745e ] + +As platform_driver_register() could fail, it should be better +to deal with the return value in order to maintain the code +consisitency. + +Fixes: 1ab1f239bf17 ("Bluetooth: hci_intel: Add support for platform driver") +Signed-off-by: Jiasheng Jiang +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/hci_intel.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/bluetooth/hci_intel.c b/drivers/bluetooth/hci_intel.c +index e9228520e4c7..727fa4347b1e 100644 +--- a/drivers/bluetooth/hci_intel.c ++++ b/drivers/bluetooth/hci_intel.c +@@ -1253,7 +1253,11 @@ static struct platform_driver intel_driver = { + + int __init intel_init(void) + { +- platform_driver_register(&intel_driver); ++ int err; ++ ++ err = platform_driver_register(&intel_driver); ++ if (err) ++ return err; + + return hci_uart_register_proto(&intel_proto); + } +-- +2.35.1 + diff --git a/queue-4.19/bus-hisi_lpc-fix-missing-platform_device_put-in-hisi.patch b/queue-4.19/bus-hisi_lpc-fix-missing-platform_device_put-in-hisi.patch new file mode 100644 index 00000000000..72db5a69382 --- /dev/null +++ b/queue-4.19/bus-hisi_lpc-fix-missing-platform_device_put-in-hisi.patch @@ -0,0 +1,75 @@ +From 14be25ec636d090d5bbbf5fd1b072784b391ae89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Jul 2022 17:43:52 +0800 +Subject: bus: hisi_lpc: fix missing platform_device_put() in + hisi_lpc_acpi_probe() + +From: Yang Yingliang + +[ Upstream commit 54872fea6a5ac967ec2272aea525d1438ac6735a ] + +In error case in hisi_lpc_acpi_probe() after calling platform_device_add(), +hisi_lpc_acpi_remove() can't release the failed 'pdev', so it will be leak, +call platform_device_put() to fix this problem. +I'v constructed this error case and tested this patch on D05 board. + +Fixes: 99c0228d6ff1 ("HISI LPC: Re-Add ACPI child enumeration support") +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Acked-by: John Garry +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/bus/hisi_lpc.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/bus/hisi_lpc.c b/drivers/bus/hisi_lpc.c +index cbd970fb02f1..43342ea82afa 100644 +--- a/drivers/bus/hisi_lpc.c ++++ b/drivers/bus/hisi_lpc.c +@@ -504,13 +504,13 @@ static int hisi_lpc_acpi_probe(struct device *hostdev) + { + struct acpi_device *adev = ACPI_COMPANION(hostdev); + struct acpi_device *child; ++ struct platform_device *pdev; + int ret; + + /* Only consider the children of the host */ + list_for_each_entry(child, &adev->children, node) { + const char *hid = acpi_device_hid(child); + const struct hisi_lpc_acpi_cell *cell; +- struct platform_device *pdev; + const struct resource *res; + bool found = false; + int num_res; +@@ -573,22 +573,24 @@ static int hisi_lpc_acpi_probe(struct device *hostdev) + + ret = platform_device_add_resources(pdev, res, num_res); + if (ret) +- goto fail; ++ goto fail_put_device; + + ret = platform_device_add_data(pdev, cell->pdata, + cell->pdata_size); + if (ret) +- goto fail; ++ goto fail_put_device; + + ret = platform_device_add(pdev); + if (ret) +- goto fail; ++ goto fail_put_device; + + acpi_device_set_enumerated(child); + } + + return 0; + ++fail_put_device: ++ platform_device_put(pdev); + fail: + hisi_lpc_acpi_remove(hostdev); + return ret; +-- +2.35.1 + diff --git a/queue-4.19/can-error-specify-the-values-of-data-5.7-of-can-erro.patch b/queue-4.19/can-error-specify-the-values-of-data-5.7-of-can-erro.patch new file mode 100644 index 00000000000..71a56a98fb1 --- /dev/null +++ b/queue-4.19/can-error-specify-the-values-of-data-5.7-of-can-erro.patch @@ -0,0 +1,49 @@ +From 257e4a3e93043d576f4b8666b3dca03559a73518 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Jul 2022 23:35:48 +0900 +Subject: can: error: specify the values of data[5..7] of CAN error frames + +From: Vincent Mailhol + +[ Upstream commit e70a3263a7eed768d5f947b8f2aff8d2a79c9d97 ] + +Currently, data[5..7] of struct can_frame, when used as a CAN error +frame, are defined as being "controller specific". Device specific +behaviours are problematic because it prevents someone from writing +code which is portable between devices. + +As a matter of fact, data[5] is never used, data[6] is always used to +report TX error counter and data[7] is always used to report RX error +counter. can-utils also relies on this. + +This patch updates the comment in the uapi header to specify that +data[5] is reserved (and thus should not be used) and that data[6..7] +are used for error counters. + +Fixes: 0d66548a10cb ("[CAN]: Add PF_CAN core module") +Link: https://lore.kernel.org/all/20220719143550.3681-11-mailhol.vincent@wanadoo.fr +Signed-off-by: Vincent Mailhol +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + include/uapi/linux/can/error.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/include/uapi/linux/can/error.h b/include/uapi/linux/can/error.h +index bfc4b5d22a5e..383f3d508a53 100644 +--- a/include/uapi/linux/can/error.h ++++ b/include/uapi/linux/can/error.h +@@ -120,6 +120,9 @@ + #define CAN_ERR_TRX_CANL_SHORT_TO_GND 0x70 /* 0111 0000 */ + #define CAN_ERR_TRX_CANL_SHORT_TO_CANH 0x80 /* 1000 0000 */ + +-/* controller specific additional information / data[5..7] */ ++/* data[5] is reserved (do not use) */ ++ ++/* TX error counter / data[6] */ ++/* RX error counter / data[7] */ + + #endif /* _UAPI_CAN_ERROR_H */ +-- +2.35.1 + diff --git a/queue-4.19/can-hi311x-do-not-report-txerr-and-rxerr-during-bus-.patch b/queue-4.19/can-hi311x-do-not-report-txerr-and-rxerr-during-bus-.patch new file mode 100644 index 00000000000..859fad979bc --- /dev/null +++ b/queue-4.19/can-hi311x-do-not-report-txerr-and-rxerr-during-bus-.patch @@ -0,0 +1,47 @@ +From 9e0b974b65175e6912f247ce1f3e3746bf590f3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Jul 2022 23:35:43 +0900 +Subject: can: hi311x: do not report txerr and rxerr during bus-off + +From: Vincent Mailhol + +[ Upstream commit a22bd630cfff496b270211745536e50e98eb3a45 ] + +During bus off, the error count is greater than 255 and can not fit in +a u8. + +Fixes: 57e83fb9b746 ("can: hi311x: Add Holt HI-311x CAN driver") +Link: https://lore.kernel.org/all/20220719143550.3681-6-mailhol.vincent@wanadoo.fr +Signed-off-by: Vincent Mailhol +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/spi/hi311x.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/can/spi/hi311x.c b/drivers/net/can/spi/hi311x.c +index 472175e37055..5f730f791c27 100644 +--- a/drivers/net/can/spi/hi311x.c ++++ b/drivers/net/can/spi/hi311x.c +@@ -688,8 +688,6 @@ static irqreturn_t hi3110_can_ist(int irq, void *dev_id) + + txerr = hi3110_read(spi, HI3110_READ_TEC); + rxerr = hi3110_read(spi, HI3110_READ_REC); +- cf->data[6] = txerr; +- cf->data[7] = rxerr; + tx_state = txerr >= rxerr ? new_state : 0; + rx_state = txerr <= rxerr ? new_state : 0; + can_change_state(net, cf, tx_state, rx_state); +@@ -702,6 +700,9 @@ static irqreturn_t hi3110_can_ist(int irq, void *dev_id) + hi3110_hw_sleep(spi); + break; + } ++ } else { ++ cf->data[6] = txerr; ++ cf->data[7] = rxerr; + } + } + +-- +2.35.1 + diff --git a/queue-4.19/can-kvaser_usb_hydra-do-not-report-txerr-and-rxerr-d.patch b/queue-4.19/can-kvaser_usb_hydra-do-not-report-txerr-and-rxerr-d.patch new file mode 100644 index 00000000000..5ac2b52ff38 --- /dev/null +++ b/queue-4.19/can-kvaser_usb_hydra-do-not-report-txerr-and-rxerr-d.patch @@ -0,0 +1,55 @@ +From 14cf521fb46ab41195e857ad692b861d50c87a06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Jul 2022 23:35:45 +0900 +Subject: can: kvaser_usb_hydra: do not report txerr and rxerr during bus-off + +From: Vincent Mailhol + +[ Upstream commit 936e90595376e64b6247c72d3ea8b8b164b7ac96 ] + +During bus off, the error count is greater than 255 and can not fit in +a u8. + +Fixes: aec5fb2268b7 ("can: kvaser_usb: Add support for Kvaser USB hydra family") +Link: https://lore.kernel.org/all/20220719143550.3681-8-mailhol.vincent@wanadoo.fr +CC: Jimmy Assarsson +Signed-off-by: Vincent Mailhol +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c +index a7c408acb0c0..01d4a731b579 100644 +--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c ++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c +@@ -890,8 +890,10 @@ static void kvaser_usb_hydra_update_state(struct kvaser_usb_net_priv *priv, + new_state < CAN_STATE_BUS_OFF) + priv->can.can_stats.restarts++; + +- cf->data[6] = bec->txerr; +- cf->data[7] = bec->rxerr; ++ if (new_state != CAN_STATE_BUS_OFF) { ++ cf->data[6] = bec->txerr; ++ cf->data[7] = bec->rxerr; ++ } + + stats = &netdev->stats; + stats->rx_packets++; +@@ -1045,8 +1047,10 @@ kvaser_usb_hydra_error_frame(struct kvaser_usb_net_priv *priv, + shhwtstamps->hwtstamp = hwtstamp; + + cf->can_id |= CAN_ERR_BUSERROR; +- cf->data[6] = bec.txerr; +- cf->data[7] = bec.rxerr; ++ if (new_state != CAN_STATE_BUS_OFF) { ++ cf->data[6] = bec.txerr; ++ cf->data[7] = bec.rxerr; ++ } + + stats->rx_packets++; + stats->rx_bytes += cf->can_dlc; +-- +2.35.1 + diff --git a/queue-4.19/can-kvaser_usb_leaf-do-not-report-txerr-and-rxerr-du.patch b/queue-4.19/can-kvaser_usb_leaf-do-not-report-txerr-and-rxerr-du.patch new file mode 100644 index 00000000000..ac381fd7e5a --- /dev/null +++ b/queue-4.19/can-kvaser_usb_leaf-do-not-report-txerr-and-rxerr-du.patch @@ -0,0 +1,42 @@ +From f8fe028c665c40f1a5aa0c1473547ecabd52d85a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Jul 2022 23:35:46 +0900 +Subject: can: kvaser_usb_leaf: do not report txerr and rxerr during bus-off + +From: Vincent Mailhol + +[ Upstream commit a57732084e06791d37ea1ea447cca46220737abd ] + +During bus off, the error count is greater than 255 and can not fit in +a u8. + +Fixes: 7259124eac7d1 ("can: kvaser_usb: Split driver into kvaser_usb_core.c and kvaser_usb_leaf.c") +Link: https://lore.kernel.org/all/20220719143550.3681-9-mailhol.vincent@wanadoo.fr +CC: Jimmy Assarsson +Signed-off-by: Vincent Mailhol +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c +index 0e0403dd0550..5e281249ad5f 100644 +--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c ++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c +@@ -857,8 +857,10 @@ static void kvaser_usb_leaf_rx_error(const struct kvaser_usb *dev, + break; + } + +- cf->data[6] = es->txerr; +- cf->data[7] = es->rxerr; ++ if (new_state != CAN_STATE_BUS_OFF) { ++ cf->data[6] = es->txerr; ++ cf->data[7] = es->rxerr; ++ } + + stats->rx_packets++; + stats->rx_bytes += cf->can_dlc; +-- +2.35.1 + diff --git a/queue-4.19/can-pch_can-do-not-report-txerr-and-rxerr-during-bus.patch b/queue-4.19/can-pch_can-do-not-report-txerr-and-rxerr-during-bus.patch new file mode 100644 index 00000000000..93fc670739f --- /dev/null +++ b/queue-4.19/can-pch_can-do-not-report-txerr-and-rxerr-during-bus.patch @@ -0,0 +1,48 @@ +From 439b570bcbf16a2e754f6ae40265477e03816c05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Jul 2022 23:35:39 +0900 +Subject: can: pch_can: do not report txerr and rxerr during bus-off + +From: Vincent Mailhol + +[ Upstream commit 3a5c7e4611ddcf0ef37a3a17296b964d986161a6 ] + +During bus off, the error count is greater than 255 and can not fit in +a u8. + +Fixes: 0c78ab76a05c ("pch_can: Add setting TEC/REC statistics processing") +Link: https://lore.kernel.org/all/20220719143550.3681-2-mailhol.vincent@wanadoo.fr +Signed-off-by: Vincent Mailhol +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/pch_can.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/can/pch_can.c b/drivers/net/can/pch_can.c +index ced11ea89269..3e1d71c70b0d 100644 +--- a/drivers/net/can/pch_can.c ++++ b/drivers/net/can/pch_can.c +@@ -507,6 +507,9 @@ static void pch_can_error(struct net_device *ndev, u32 status) + cf->can_id |= CAN_ERR_BUSOFF; + priv->can.can_stats.bus_off++; + can_bus_off(ndev); ++ } else { ++ cf->data[6] = errc & PCH_TEC; ++ cf->data[7] = (errc & PCH_REC) >> 8; + } + + errc = ioread32(&priv->regs->errc); +@@ -567,9 +570,6 @@ static void pch_can_error(struct net_device *ndev, u32 status) + break; + } + +- cf->data[6] = errc & PCH_TEC; +- cf->data[7] = (errc & PCH_REC) >> 8; +- + priv->can.state = state; + netif_receive_skb(skb); + +-- +2.35.1 + diff --git a/queue-4.19/can-pch_can-pch_can_error-initialize-errc-before-usi.patch b/queue-4.19/can-pch_can-pch_can_error-initialize-errc-before-usi.patch new file mode 100644 index 00000000000..f601dec1f78 --- /dev/null +++ b/queue-4.19/can-pch_can-pch_can_error-initialize-errc-before-usi.patch @@ -0,0 +1,58 @@ +From 0eb969b8076997c34decaec2d30fced76f9ec7bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Jul 2022 01:00:32 +0900 +Subject: can: pch_can: pch_can_error(): initialize errc before using it + +From: Vincent Mailhol + +[ Upstream commit 9950f11211331180269867aef848c7cf56861742 ] + +After commit 3a5c7e4611dd, the variable errc is accessed before being +initialized, c.f. below W=2 warning: + +| In function 'pch_can_error', +| inlined from 'pch_can_poll' at drivers/net/can/pch_can.c:739:4: +| drivers/net/can/pch_can.c:501:29: warning: 'errc' may be used uninitialized [-Wmaybe-uninitialized] +| 501 | cf->data[6] = errc & PCH_TEC; +| | ^ +| drivers/net/can/pch_can.c: In function 'pch_can_poll': +| drivers/net/can/pch_can.c:484:13: note: 'errc' was declared here +| 484 | u32 errc, lec; +| | ^~~~ + +Moving errc initialization up solves this issue. + +Fixes: 3a5c7e4611dd ("can: pch_can: do not report txerr and rxerr during bus-off") +Reported-by: Nathan Chancellor +Signed-off-by: Vincent Mailhol +Reviewed-by: Nathan Chancellor +Link: https://lore.kernel.org/all/20220721160032.9348-1-mailhol.vincent@wanadoo.fr +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/pch_can.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/can/pch_can.c b/drivers/net/can/pch_can.c +index 3e1d71c70b0d..25def028a1dc 100644 +--- a/drivers/net/can/pch_can.c ++++ b/drivers/net/can/pch_can.c +@@ -500,6 +500,7 @@ static void pch_can_error(struct net_device *ndev, u32 status) + if (!skb) + return; + ++ errc = ioread32(&priv->regs->errc); + if (status & PCH_BUS_OFF) { + pch_can_set_tx_all(priv, 0); + pch_can_set_rx_all(priv, 0); +@@ -512,7 +513,6 @@ static void pch_can_error(struct net_device *ndev, u32 status) + cf->data[7] = (errc & PCH_REC) >> 8; + } + +- errc = ioread32(&priv->regs->errc); + /* Warning interrupt. */ + if (status & PCH_EWARN) { + state = CAN_STATE_ERROR_WARNING; +-- +2.35.1 + diff --git a/queue-4.19/can-rcar_can-do-not-report-txerr-and-rxerr-during-bu.patch b/queue-4.19/can-rcar_can-do-not-report-txerr-and-rxerr-during-bu.patch new file mode 100644 index 00000000000..422e3784f3a --- /dev/null +++ b/queue-4.19/can-rcar_can-do-not-report-txerr-and-rxerr-during-bu.patch @@ -0,0 +1,51 @@ +From 3f30cc7d9823343f46e5a5ce522fc33b9326b161 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Jul 2022 23:35:40 +0900 +Subject: can: rcar_can: do not report txerr and rxerr during bus-off + +From: Vincent Mailhol + +[ Upstream commit a37b7245e831a641df360ca41db6a71c023d3746 ] + +During bus off, the error count is greater than 255 and can not fit in +a u8. + +Fixes: fd1159318e55 ("can: add Renesas R-Car CAN driver") +Link: https://lore.kernel.org/all/20220719143550.3681-3-mailhol.vincent@wanadoo.fr +Signed-off-by: Vincent Mailhol +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/rcar/rcar_can.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/can/rcar/rcar_can.c b/drivers/net/can/rcar/rcar_can.c +index 963da8eda168..0156c18d5a2d 100644 +--- a/drivers/net/can/rcar/rcar_can.c ++++ b/drivers/net/can/rcar/rcar_can.c +@@ -233,11 +233,8 @@ static void rcar_can_error(struct net_device *ndev) + if (eifr & (RCAR_CAN_EIFR_EWIF | RCAR_CAN_EIFR_EPIF)) { + txerr = readb(&priv->regs->tecr); + rxerr = readb(&priv->regs->recr); +- if (skb) { ++ if (skb) + cf->can_id |= CAN_ERR_CRTL; +- cf->data[6] = txerr; +- cf->data[7] = rxerr; +- } + } + if (eifr & RCAR_CAN_EIFR_BEIF) { + int rx_errors = 0, tx_errors = 0; +@@ -337,6 +334,9 @@ static void rcar_can_error(struct net_device *ndev) + can_bus_off(ndev); + if (skb) + cf->can_id |= CAN_ERR_BUSOFF; ++ } else if (skb) { ++ cf->data[6] = txerr; ++ cf->data[7] = rxerr; + } + if (eifr & RCAR_CAN_EIFR_ORIF) { + netdev_dbg(priv->ndev, "Receive overrun error interrupt\n"); +-- +2.35.1 + diff --git a/queue-4.19/can-sja1000-do-not-report-txerr-and-rxerr-during-bus.patch b/queue-4.19/can-sja1000-do-not-report-txerr-and-rxerr-during-bus.patch new file mode 100644 index 00000000000..aaa0d37d8c2 --- /dev/null +++ b/queue-4.19/can-sja1000-do-not-report-txerr-and-rxerr-during-bus.patch @@ -0,0 +1,49 @@ +From d92d065c70c244c9fd0f4a4603918f6617f5ec4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Jul 2022 23:35:41 +0900 +Subject: can: sja1000: do not report txerr and rxerr during bus-off + +From: Vincent Mailhol + +[ Upstream commit 164d7cb2d5a30f1b3a5ab4fab1a27731fb1494a8 ] + +During bus off, the error count is greater than 255 and can not fit in +a u8. + +Fixes: 215db1856e83 ("can: sja1000: Consolidate and unify state change handling") +Link: https://lore.kernel.org/all/20220719143550.3681-4-mailhol.vincent@wanadoo.fr +Signed-off-by: Vincent Mailhol +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/sja1000/sja1000.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/can/sja1000/sja1000.c b/drivers/net/can/sja1000/sja1000.c +index 9f107798f904..e7327ceabb76 100644 +--- a/drivers/net/can/sja1000/sja1000.c ++++ b/drivers/net/can/sja1000/sja1000.c +@@ -405,9 +405,6 @@ static int sja1000_err(struct net_device *dev, uint8_t isrc, uint8_t status) + txerr = priv->read_reg(priv, SJA1000_TXERR); + rxerr = priv->read_reg(priv, SJA1000_RXERR); + +- cf->data[6] = txerr; +- cf->data[7] = rxerr; +- + if (isrc & IRQ_DOI) { + /* data overrun interrupt */ + netdev_dbg(dev, "data overrun interrupt\n"); +@@ -429,6 +426,10 @@ static int sja1000_err(struct net_device *dev, uint8_t isrc, uint8_t status) + else + state = CAN_STATE_ERROR_ACTIVE; + } ++ if (state != CAN_STATE_BUS_OFF) { ++ cf->data[6] = txerr; ++ cf->data[7] = rxerr; ++ } + if (isrc & IRQ_BEI) { + /* bus error interrupt */ + priv->can.can_stats.bus_error++; +-- +2.35.1 + diff --git a/queue-4.19/can-sun4i_can-do-not-report-txerr-and-rxerr-during-b.patch b/queue-4.19/can-sun4i_can-do-not-report-txerr-and-rxerr-during-b.patch new file mode 100644 index 00000000000..365b49004c6 --- /dev/null +++ b/queue-4.19/can-sun4i_can-do-not-report-txerr-and-rxerr-during-b.patch @@ -0,0 +1,52 @@ +From cf844468713362cfee177a033887a492d223773f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Jul 2022 23:35:44 +0900 +Subject: can: sun4i_can: do not report txerr and rxerr during bus-off + +From: Vincent Mailhol + +[ Upstream commit 0ac15a8f661b941519379831d09bfb12271b23ee ] + +During bus off, the error count is greater than 255 and can not fit in +a u8. + +Fixes: 0738eff14d81 ("can: Allwinner A10/A20 CAN Controller support - Kernel module") +Link: https://lore.kernel.org/all/20220719143550.3681-7-mailhol.vincent@wanadoo.fr +CC: Chen-Yu Tsai +Signed-off-by: Vincent Mailhol +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/sun4i_can.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/can/sun4i_can.c b/drivers/net/can/sun4i_can.c +index 093fc9a529f0..bebdd133d9ed 100644 +--- a/drivers/net/can/sun4i_can.c ++++ b/drivers/net/can/sun4i_can.c +@@ -525,11 +525,6 @@ static int sun4i_can_err(struct net_device *dev, u8 isrc, u8 status) + rxerr = (errc >> 16) & 0xFF; + txerr = errc & 0xFF; + +- if (skb) { +- cf->data[6] = txerr; +- cf->data[7] = rxerr; +- } +- + if (isrc & SUN4I_INT_DATA_OR) { + /* data overrun interrupt */ + netdev_dbg(dev, "data overrun interrupt\n"); +@@ -560,6 +555,10 @@ static int sun4i_can_err(struct net_device *dev, u8 isrc, u8 status) + else + state = CAN_STATE_ERROR_ACTIVE; + } ++ if (skb && state != CAN_STATE_BUS_OFF) { ++ cf->data[6] = txerr; ++ cf->data[7] = rxerr; ++ } + if (isrc & SUN4I_INT_BUS_ERR) { + /* bus error interrupt */ + netdev_dbg(dev, "bus error interrupt\n"); +-- +2.35.1 + diff --git a/queue-4.19/can-usb_8dev-do-not-report-txerr-and-rxerr-during-bu.patch b/queue-4.19/can-usb_8dev-do-not-report-txerr-and-rxerr-during-bu.patch new file mode 100644 index 00000000000..4524ec8399b --- /dev/null +++ b/queue-4.19/can-usb_8dev-do-not-report-txerr-and-rxerr-during-bu.patch @@ -0,0 +1,42 @@ +From e5abd216d59da2c5058d34c2cee6f85d6706398a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Jul 2022 23:35:47 +0900 +Subject: can: usb_8dev: do not report txerr and rxerr during bus-off + +From: Vincent Mailhol + +[ Upstream commit aebe8a2433cd090ccdc222861f44bddb75eb01de ] + +During bus off, the error count is greater than 255 and can not fit in +a u8. + +Fixes: 0024d8ad1639 ("can: usb_8dev: Add support for USB2CAN interface from 8 devices") +Link: https://lore.kernel.org/all/20220719143550.3681-10-mailhol.vincent@wanadoo.fr +Signed-off-by: Vincent Mailhol +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/usb/usb_8dev.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/can/usb/usb_8dev.c b/drivers/net/can/usb/usb_8dev.c +index 232f45f722f0..5cb5be4dc941 100644 +--- a/drivers/net/can/usb/usb_8dev.c ++++ b/drivers/net/can/usb/usb_8dev.c +@@ -453,9 +453,10 @@ static void usb_8dev_rx_err_msg(struct usb_8dev_priv *priv, + + if (rx_errors) + stats->rx_errors++; +- +- cf->data[6] = txerr; +- cf->data[7] = rxerr; ++ if (priv->can.state != CAN_STATE_BUS_OFF) { ++ cf->data[6] = txerr; ++ cf->data[7] = rxerr; ++ } + + priv->bec.txerr = txerr; + priv->bec.rxerr = rxerr; +-- +2.35.1 + diff --git a/queue-4.19/clk-qcom-ipq8074-fix-nss-port-frequency-tables.patch b/queue-4.19/clk-qcom-ipq8074-fix-nss-port-frequency-tables.patch new file mode 100644 index 00000000000..4afefef2323 --- /dev/null +++ b/queue-4.19/clk-qcom-ipq8074-fix-nss-port-frequency-tables.patch @@ -0,0 +1,76 @@ +From 679039b6d8d538887318c42d770a341c4de5360b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 May 2022 23:00:40 +0200 +Subject: clk: qcom: ipq8074: fix NSS port frequency tables + +From: Robert Marko + +[ Upstream commit 0e9e61a2815b5cd34f1b495b2d72e8127ce9b794 ] + +NSS port 5 and 6 frequency tables are currently broken and are causing a +wide ranges of issue like 1G not working at all on port 6 or port 5 being +clocked with 312 instead of 125 MHz as UNIPHY1 gets selected. + +So, update the frequency tables with the ones from the downstream QCA 5.4 +based kernel which has already fixed this. + +Fixes: 7117a51ed303 ("clk: qcom: ipq8074: add NSS ethernet port clocks") +Signed-off-by: Robert Marko +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220515210048.483898-3-robimarko@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gcc-ipq8074.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/clk/qcom/gcc-ipq8074.c b/drivers/clk/qcom/gcc-ipq8074.c +index 708c486a6e96..d9ac10b6624f 100644 +--- a/drivers/clk/qcom/gcc-ipq8074.c ++++ b/drivers/clk/qcom/gcc-ipq8074.c +@@ -1796,8 +1796,10 @@ static struct clk_regmap_div nss_port4_tx_div_clk_src = { + static const struct freq_tbl ftbl_nss_port5_rx_clk_src[] = { + F(19200000, P_XO, 1, 0, 0), + F(25000000, P_UNIPHY1_RX, 12.5, 0, 0), ++ F(25000000, P_UNIPHY0_RX, 5, 0, 0), + F(78125000, P_UNIPHY1_RX, 4, 0, 0), + F(125000000, P_UNIPHY1_RX, 2.5, 0, 0), ++ F(125000000, P_UNIPHY0_RX, 1, 0, 0), + F(156250000, P_UNIPHY1_RX, 2, 0, 0), + F(312500000, P_UNIPHY1_RX, 1, 0, 0), + { } +@@ -1836,8 +1838,10 @@ static struct clk_regmap_div nss_port5_rx_div_clk_src = { + static const struct freq_tbl ftbl_nss_port5_tx_clk_src[] = { + F(19200000, P_XO, 1, 0, 0), + F(25000000, P_UNIPHY1_TX, 12.5, 0, 0), ++ F(25000000, P_UNIPHY0_TX, 5, 0, 0), + F(78125000, P_UNIPHY1_TX, 4, 0, 0), + F(125000000, P_UNIPHY1_TX, 2.5, 0, 0), ++ F(125000000, P_UNIPHY0_TX, 1, 0, 0), + F(156250000, P_UNIPHY1_TX, 2, 0, 0), + F(312500000, P_UNIPHY1_TX, 1, 0, 0), + { } +@@ -1875,8 +1879,10 @@ static struct clk_regmap_div nss_port5_tx_div_clk_src = { + + static const struct freq_tbl ftbl_nss_port6_rx_clk_src[] = { + F(19200000, P_XO, 1, 0, 0), ++ F(25000000, P_UNIPHY2_RX, 5, 0, 0), + F(25000000, P_UNIPHY2_RX, 12.5, 0, 0), + F(78125000, P_UNIPHY2_RX, 4, 0, 0), ++ F(125000000, P_UNIPHY2_RX, 1, 0, 0), + F(125000000, P_UNIPHY2_RX, 2.5, 0, 0), + F(156250000, P_UNIPHY2_RX, 2, 0, 0), + F(312500000, P_UNIPHY2_RX, 1, 0, 0), +@@ -1915,8 +1921,10 @@ static struct clk_regmap_div nss_port6_rx_div_clk_src = { + + static const struct freq_tbl ftbl_nss_port6_tx_clk_src[] = { + F(19200000, P_XO, 1, 0, 0), ++ F(25000000, P_UNIPHY2_TX, 5, 0, 0), + F(25000000, P_UNIPHY2_TX, 12.5, 0, 0), + F(78125000, P_UNIPHY2_TX, 4, 0, 0), ++ F(125000000, P_UNIPHY2_TX, 1, 0, 0), + F(125000000, P_UNIPHY2_TX, 2.5, 0, 0), + F(156250000, P_UNIPHY2_TX, 2, 0, 0), + F(312500000, P_UNIPHY2_TX, 1, 0, 0), +-- +2.35.1 + diff --git a/queue-4.19/clk-qcom-ipq8074-set-branch_halt_delay-flag-for-ubi-.patch b/queue-4.19/clk-qcom-ipq8074-set-branch_halt_delay-flag-for-ubi-.patch new file mode 100644 index 00000000000..59e32c84394 --- /dev/null +++ b/queue-4.19/clk-qcom-ipq8074-set-branch_halt_delay-flag-for-ubi-.patch @@ -0,0 +1,113 @@ +From 3110efd3c3728d3947189626dae2a271f27b77d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 May 2022 23:00:43 +0200 +Subject: clk: qcom: ipq8074: set BRANCH_HALT_DELAY flag for UBI clocks + +From: Robert Marko + +[ Upstream commit 2bd357e698207e2e65db03007e4be65bf9d6a7b3 ] + +Currently, attempting to enable the UBI clocks will cause the stuck at +off warning to be printed and clk_enable will fail. + +[ 14.936694] gcc_ubi1_ahb_clk status stuck at 'off' + +Downstream 5.4 QCA kernel has fixed this by seting the BRANCH_HALT_DELAY +flag on UBI clocks, so lets do the same. + +Fixes: 5736294aef83 ("clk: qcom: ipq8074: add NSS clocks") +Signed-off-by: Robert Marko +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220515210048.483898-6-robimarko@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gcc-ipq8074.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/clk/qcom/gcc-ipq8074.c b/drivers/clk/qcom/gcc-ipq8074.c +index d9ac10b6624f..c93161d6824a 100644 +--- a/drivers/clk/qcom/gcc-ipq8074.c ++++ b/drivers/clk/qcom/gcc-ipq8074.c +@@ -3362,6 +3362,7 @@ static struct clk_branch gcc_nssnoc_ubi1_ahb_clk = { + + static struct clk_branch gcc_ubi0_ahb_clk = { + .halt_reg = 0x6820c, ++ .halt_check = BRANCH_HALT_DELAY, + .clkr = { + .enable_reg = 0x6820c, + .enable_mask = BIT(0), +@@ -3379,6 +3380,7 @@ static struct clk_branch gcc_ubi0_ahb_clk = { + + static struct clk_branch gcc_ubi0_axi_clk = { + .halt_reg = 0x68200, ++ .halt_check = BRANCH_HALT_DELAY, + .clkr = { + .enable_reg = 0x68200, + .enable_mask = BIT(0), +@@ -3396,6 +3398,7 @@ static struct clk_branch gcc_ubi0_axi_clk = { + + static struct clk_branch gcc_ubi0_nc_axi_clk = { + .halt_reg = 0x68204, ++ .halt_check = BRANCH_HALT_DELAY, + .clkr = { + .enable_reg = 0x68204, + .enable_mask = BIT(0), +@@ -3413,6 +3416,7 @@ static struct clk_branch gcc_ubi0_nc_axi_clk = { + + static struct clk_branch gcc_ubi0_core_clk = { + .halt_reg = 0x68210, ++ .halt_check = BRANCH_HALT_DELAY, + .clkr = { + .enable_reg = 0x68210, + .enable_mask = BIT(0), +@@ -3430,6 +3434,7 @@ static struct clk_branch gcc_ubi0_core_clk = { + + static struct clk_branch gcc_ubi0_mpt_clk = { + .halt_reg = 0x68208, ++ .halt_check = BRANCH_HALT_DELAY, + .clkr = { + .enable_reg = 0x68208, + .enable_mask = BIT(0), +@@ -3447,6 +3452,7 @@ static struct clk_branch gcc_ubi0_mpt_clk = { + + static struct clk_branch gcc_ubi1_ahb_clk = { + .halt_reg = 0x6822c, ++ .halt_check = BRANCH_HALT_DELAY, + .clkr = { + .enable_reg = 0x6822c, + .enable_mask = BIT(0), +@@ -3464,6 +3470,7 @@ static struct clk_branch gcc_ubi1_ahb_clk = { + + static struct clk_branch gcc_ubi1_axi_clk = { + .halt_reg = 0x68220, ++ .halt_check = BRANCH_HALT_DELAY, + .clkr = { + .enable_reg = 0x68220, + .enable_mask = BIT(0), +@@ -3481,6 +3488,7 @@ static struct clk_branch gcc_ubi1_axi_clk = { + + static struct clk_branch gcc_ubi1_nc_axi_clk = { + .halt_reg = 0x68224, ++ .halt_check = BRANCH_HALT_DELAY, + .clkr = { + .enable_reg = 0x68224, + .enable_mask = BIT(0), +@@ -3498,6 +3506,7 @@ static struct clk_branch gcc_ubi1_nc_axi_clk = { + + static struct clk_branch gcc_ubi1_core_clk = { + .halt_reg = 0x68230, ++ .halt_check = BRANCH_HALT_DELAY, + .clkr = { + .enable_reg = 0x68230, + .enable_mask = BIT(0), +@@ -3515,6 +3524,7 @@ static struct clk_branch gcc_ubi1_core_clk = { + + static struct clk_branch gcc_ubi1_mpt_clk = { + .halt_reg = 0x68228, ++ .halt_check = BRANCH_HALT_DELAY, + .clkr = { + .enable_reg = 0x68228, + .enable_mask = BIT(0), +-- +2.35.1 + diff --git a/queue-4.19/clk-renesas-r9a06g032-fix-uart-clkgrp-bitsel.patch b/queue-4.19/clk-renesas-r9a06g032-fix-uart-clkgrp-bitsel.patch new file mode 100644 index 00000000000..19978003beb --- /dev/null +++ b/queue-4.19/clk-renesas-r9a06g032-fix-uart-clkgrp-bitsel.patch @@ -0,0 +1,54 @@ +From d2621c963499733e247ffa0a0a6ae371038cdd95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 May 2022 14:25:27 -0400 +Subject: clk: renesas: r9a06g032: Fix UART clkgrp bitsel + +From: Ralph Siemsen + +[ Upstream commit 2dee50ab9e72a3cae75b65e5934c8dd3e9bf01bc ] + +There are two UART clock groups, each having a mux to select its +upstream clock source. The register/bit definitions for accessing these +two muxes appear to have been reversed since introduction. Correct them +so as to match the hardware manual. + +Fixes: 4c3d88526eba ("clk: renesas: Renesas R9A06G032 clock driver") + +Signed-off-by: Ralph Siemsen +Reviewed-by: Phil Edworthy +Link: https://lore.kernel.org/r/20220518182527.1693156-1-ralph.siemsen@linaro.org +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + drivers/clk/renesas/r9a06g032-clocks.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/clk/renesas/r9a06g032-clocks.c b/drivers/clk/renesas/r9a06g032-clocks.c +index 6e03b467395b..ec48b5516e17 100644 +--- a/drivers/clk/renesas/r9a06g032-clocks.c ++++ b/drivers/clk/renesas/r9a06g032-clocks.c +@@ -277,8 +277,8 @@ static const struct r9a06g032_clkdesc r9a06g032_clocks[] __initconst = { + .name = "uart_group_012", + .type = K_BITSEL, + .source = 1 + R9A06G032_DIV_UART, +- /* R9A06G032_SYSCTRL_REG_PWRCTRL_PG1_PR2 */ +- .dual.sel = ((0xec / 4) << 5) | 24, ++ /* R9A06G032_SYSCTRL_REG_PWRCTRL_PG0_0 */ ++ .dual.sel = ((0x34 / 4) << 5) | 30, + .dual.group = 0, + }, + { +@@ -286,8 +286,8 @@ static const struct r9a06g032_clkdesc r9a06g032_clocks[] __initconst = { + .name = "uart_group_34567", + .type = K_BITSEL, + .source = 1 + R9A06G032_DIV_P2_PG, +- /* R9A06G032_SYSCTRL_REG_PWRCTRL_PG0_0 */ +- .dual.sel = ((0x34 / 4) << 5) | 30, ++ /* R9A06G032_SYSCTRL_REG_PWRCTRL_PG1_PR2 */ ++ .dual.sel = ((0xec / 4) << 5) | 24, + .dual.group = 1, + }, + D_UGATE(CLK_UART0, "clk_uart0", UART_GROUP_012, 0, 0, 0x1b2, 0x1b3, 0x1b4, 0x1b5), +-- +2.35.1 + diff --git a/queue-4.19/cpufreq-zynq-fix-refcount-leak-in-zynq_get_revision.patch b/queue-4.19/cpufreq-zynq-fix-refcount-leak-in-zynq_get_revision.patch new file mode 100644 index 00000000000..8f191296cb8 --- /dev/null +++ b/queue-4.19/cpufreq-zynq-fix-refcount-leak-in-zynq_get_revision.patch @@ -0,0 +1,37 @@ +From 05f6e5d237e351cda5c19b9051f0c9040f3819e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Jun 2022 12:28:07 +0400 +Subject: cpufreq: zynq: Fix refcount leak in zynq_get_revision + +From: Miaoqian Lin + +[ Upstream commit d1ff2559cef0f6f8d97fba6337b28adb10689e16 ] + +of_find_compatible_node() returns a node pointer with refcount +incremented, we should use of_node_put() on it when done. +Add missing of_node_put() to avoid refcount leak. + +Fixes: 00f7dc636366 ("ARM: zynq: Add support for SOC_BUS") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220605082807.21526-1-linmq006@gmail.com +Signed-off-by: Michal Simek +Signed-off-by: Sasha Levin +--- + arch/arm/mach-zynq/common.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/mach-zynq/common.c b/arch/arm/mach-zynq/common.c +index 6aba9ebf8041..a8b1b9c6626e 100644 +--- a/arch/arm/mach-zynq/common.c ++++ b/arch/arm/mach-zynq/common.c +@@ -84,6 +84,7 @@ static int __init zynq_get_revision(void) + } + + zynq_devcfg_base = of_iomap(np, 0); ++ of_node_put(np); + if (!zynq_devcfg_base) { + pr_err("%s: Unable to map I/O memory\n", __func__); + return -1; +-- +2.35.1 + diff --git a/queue-4.19/crypto-hisilicon-kunpeng916-crypto-driver-don-t-slee.patch b/queue-4.19/crypto-hisilicon-kunpeng916-crypto-driver-don-t-slee.patch new file mode 100644 index 00000000000..c1ed3195552 --- /dev/null +++ b/queue-4.19/crypto-hisilicon-kunpeng916-crypto-driver-don-t-slee.patch @@ -0,0 +1,97 @@ +From e30c1e6925978f63969306647f1b1d5e895daa78 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Jul 2022 09:59:54 +0800 +Subject: crypto: hisilicon - Kunpeng916 crypto driver don't sleep when in + softirq + +From: Zhengchao Shao + +[ Upstream commit 68740ab505431f268dc1ee26a54b871e75f0ddaa ] + +When kunpeng916 encryption driver is used to deencrypt and decrypt +packets during the softirq, it is not allowed to use mutex lock. + +Fixes: 915e4e8413da ("crypto: hisilicon - SEC security accelerator driver") +Signed-off-by: Zhengchao Shao +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/hisilicon/sec/sec_algs.c | 14 +++++++------- + drivers/crypto/hisilicon/sec/sec_drv.h | 2 +- + 2 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/crypto/hisilicon/sec/sec_algs.c b/drivers/crypto/hisilicon/sec/sec_algs.c +index 3e3cc28d5cfe..f672dc1ecfac 100644 +--- a/drivers/crypto/hisilicon/sec/sec_algs.c ++++ b/drivers/crypto/hisilicon/sec/sec_algs.c +@@ -457,7 +457,7 @@ static void sec_skcipher_alg_callback(struct sec_bd_info *sec_resp, + */ + } + +- mutex_lock(&ctx->queue->queuelock); ++ spin_lock_bh(&ctx->queue->queuelock); + /* Put the IV in place for chained cases */ + switch (ctx->cipher_alg) { + case SEC_C_AES_CBC_128: +@@ -517,7 +517,7 @@ static void sec_skcipher_alg_callback(struct sec_bd_info *sec_resp, + list_del(&backlog_req->backlog_head); + } + } +- mutex_unlock(&ctx->queue->queuelock); ++ spin_unlock_bh(&ctx->queue->queuelock); + + mutex_lock(&sec_req->lock); + list_del(&sec_req_el->head); +@@ -806,7 +806,7 @@ static int sec_alg_skcipher_crypto(struct skcipher_request *skreq, + */ + + /* Grab a big lock for a long time to avoid concurrency issues */ +- mutex_lock(&queue->queuelock); ++ spin_lock_bh(&queue->queuelock); + + /* + * Can go on to queue if we have space in either: +@@ -822,15 +822,15 @@ static int sec_alg_skcipher_crypto(struct skcipher_request *skreq, + ret = -EBUSY; + if ((skreq->base.flags & CRYPTO_TFM_REQ_MAY_BACKLOG)) { + list_add_tail(&sec_req->backlog_head, &ctx->backlog); +- mutex_unlock(&queue->queuelock); ++ spin_unlock_bh(&queue->queuelock); + goto out; + } + +- mutex_unlock(&queue->queuelock); ++ spin_unlock_bh(&queue->queuelock); + goto err_free_elements; + } + ret = sec_send_request(sec_req, queue); +- mutex_unlock(&queue->queuelock); ++ spin_unlock_bh(&queue->queuelock); + if (ret) + goto err_free_elements; + +@@ -889,7 +889,7 @@ static int sec_alg_skcipher_init(struct crypto_skcipher *tfm) + if (IS_ERR(ctx->queue)) + return PTR_ERR(ctx->queue); + +- mutex_init(&ctx->queue->queuelock); ++ spin_lock_init(&ctx->queue->queuelock); + ctx->queue->havesoftqueue = false; + + return 0; +diff --git a/drivers/crypto/hisilicon/sec/sec_drv.h b/drivers/crypto/hisilicon/sec/sec_drv.h +index 2d2f186674ba..ddc5d6bd7574 100644 +--- a/drivers/crypto/hisilicon/sec/sec_drv.h ++++ b/drivers/crypto/hisilicon/sec/sec_drv.h +@@ -347,7 +347,7 @@ struct sec_queue { + DECLARE_BITMAP(unprocessed, SEC_QUEUE_LEN); + DECLARE_KFIFO_PTR(softqueue, typeof(struct sec_request_el *)); + bool havesoftqueue; +- struct mutex queuelock; ++ spinlock_t queuelock; + void *shadow[SEC_QUEUE_LEN]; + }; + +-- +2.35.1 + diff --git a/queue-4.19/dccp-put-dccp_qpolicy_full-and-dccp_qpolicy_push-in-.patch b/queue-4.19/dccp-put-dccp_qpolicy_full-and-dccp_qpolicy_push-in-.patch new file mode 100644 index 00000000000..931954f8e25 --- /dev/null +++ b/queue-4.19/dccp-put-dccp_qpolicy_full-and-dccp_qpolicy_push-in-.patch @@ -0,0 +1,71 @@ +From ddaec633ebae6dc5bf5048367199125f094c7813 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Jul 2022 19:00:27 +0800 +Subject: dccp: put dccp_qpolicy_full() and dccp_qpolicy_push() in the same + lock + +From: Hangyu Hua + +[ Upstream commit a41b17ff9dacd22f5f118ee53d82da0f3e52d5e3 ] + +In the case of sk->dccps_qpolicy == DCCPQ_POLICY_PRIO, dccp_qpolicy_full +will drop a skb when qpolicy is full. And the lock in dccp_sendmsg is +released before sock_alloc_send_skb and then relocked after +sock_alloc_send_skb. The following conditions may lead dccp_qpolicy_push +to add skb to an already full sk_write_queue: + +thread1--->lock +thread1--->dccp_qpolicy_full: queue is full. drop a skb +thread1--->unlock +thread2--->lock +thread2--->dccp_qpolicy_full: queue is not full. no need to drop. +thread2--->unlock +thread1--->lock +thread1--->dccp_qpolicy_push: add a skb. queue is full. +thread1--->unlock +thread2--->lock +thread2--->dccp_qpolicy_push: add a skb! +thread2--->unlock + +Fix this by moving dccp_qpolicy_full. + +Fixes: b1308dc015eb ("[DCCP]: Set TX Queue Length Bounds via Sysctl") +Signed-off-by: Hangyu Hua +Link: https://lore.kernel.org/r/20220729110027.40569-1-hbh25y@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/dccp/proto.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/net/dccp/proto.c b/net/dccp/proto.c +index 43733accf58e..dbbcf50aea35 100644 +--- a/net/dccp/proto.c ++++ b/net/dccp/proto.c +@@ -769,11 +769,6 @@ int dccp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) + + lock_sock(sk); + +- if (dccp_qpolicy_full(sk)) { +- rc = -EAGAIN; +- goto out_release; +- } +- + timeo = sock_sndtimeo(sk, noblock); + + /* +@@ -792,6 +787,11 @@ int dccp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) + if (skb == NULL) + goto out_release; + ++ if (dccp_qpolicy_full(sk)) { ++ rc = -EAGAIN; ++ goto out_discard; ++ } ++ + if (sk->sk_state == DCCP_CLOSED) { + rc = -ENOTCONN; + goto out_discard; +-- +2.35.1 + diff --git a/queue-4.19/dm-return-early-from-dm_pr_call-if-dm-device-is-susp.patch b/queue-4.19/dm-return-early-from-dm_pr_call-if-dm-device-is-susp.patch new file mode 100644 index 00000000000..c1f2fa5a394 --- /dev/null +++ b/queue-4.19/dm-return-early-from-dm_pr_call-if-dm-device-is-susp.patch @@ -0,0 +1,38 @@ +From ebd24291ddb61ef57222a01bf9e4cabcb2819538 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Jul 2022 15:31:23 -0400 +Subject: dm: return early from dm_pr_call() if DM device is suspended + +From: Mike Snitzer + +[ Upstream commit e120a5f1e78fab6223544e425015f393d90d6f0d ] + +Otherwise PR ops may be issued while the broader DM device is being +reconfigured, etc. + +Fixes: 9c72bad1f31a ("dm: call PR reserve/unreserve on each underlying device") +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/md/dm.c b/drivers/md/dm.c +index d2ee97cd7d14..324d1dd58e2b 100644 +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -3122,6 +3122,11 @@ static int dm_call_pr(struct block_device *bdev, iterate_devices_callout_fn fn, + goto out; + ti = dm_table_get_target(table, 0); + ++ if (dm_suspended_md(md)) { ++ ret = -EAGAIN; ++ goto out; ++ } ++ + ret = -EINVAL; + if (!ti->type->iterate_devices) + goto out; +-- +2.35.1 + diff --git a/queue-4.19/drm-bridge-adv7511-add-check-for-mipi_dsi_driver_reg.patch b/queue-4.19/drm-bridge-adv7511-add-check-for-mipi_dsi_driver_reg.patch new file mode 100644 index 00000000000..d3a56799f07 --- /dev/null +++ b/queue-4.19/drm-bridge-adv7511-add-check-for-mipi_dsi_driver_reg.patch @@ -0,0 +1,57 @@ +From 264b1dc01cd1fc780dc6dc938cff68f49a6df9ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jun 2022 18:34:01 +0800 +Subject: drm: bridge: adv7511: Add check for mipi_dsi_driver_register + +From: Jiasheng Jiang + +[ Upstream commit 831463667b5f4f1e5bce9c3b94e9e794d2bc8923 ] + +As mipi_dsi_driver_register could return error if fails, +it should be better to check the return value and return error +if fails. +Moreover, if i2c_add_driver fails, mipi_dsi_driver_register +should be reverted. + +Fixes: 1e4d58cd7f88 ("drm/bridge: adv7533: Create a MIPI DSI device") +Signed-off-by: Jiasheng Jiang +Reviewed-by: Laurent Pinchart +Signed-off-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/20220602103401.2980938-1-jiasheng@iscas.ac.cn +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c +index b6e7cc9082ca..31b75d3ca6e9 100644 +--- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c ++++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c +@@ -1301,10 +1301,21 @@ static struct i2c_driver adv7511_driver = { + + static int __init adv7511_init(void) + { +- if (IS_ENABLED(CONFIG_DRM_MIPI_DSI)) +- mipi_dsi_driver_register(&adv7533_dsi_driver); ++ int ret; ++ ++ if (IS_ENABLED(CONFIG_DRM_MIPI_DSI)) { ++ ret = mipi_dsi_driver_register(&adv7533_dsi_driver); ++ if (ret) ++ return ret; ++ } + +- return i2c_add_driver(&adv7511_driver); ++ ret = i2c_add_driver(&adv7511_driver); ++ if (ret) { ++ if (IS_ENABLED(CONFIG_DRM_MIPI_DSI)) ++ mipi_dsi_driver_unregister(&adv7533_dsi_driver); ++ } ++ ++ return ret; + } + module_init(adv7511_init); + +-- +2.35.1 + diff --git a/queue-4.19/drm-bridge-sii8620-fix-possible-off-by-one.patch b/queue-4.19/drm-bridge-sii8620-fix-possible-off-by-one.patch new file mode 100644 index 00000000000..efc5803948d --- /dev/null +++ b/queue-4.19/drm-bridge-sii8620-fix-possible-off-by-one.patch @@ -0,0 +1,52 @@ +From 140a06fd48911d0e7e9f390d8b83cf4956c5e81a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 May 2022 14:58:56 +0800 +Subject: drm: bridge: sii8620: fix possible off-by-one + +From: Hangyu Hua + +[ Upstream commit 21779cc21c732c5eff8ea1624be6590450baa30f ] + +The next call to sii8620_burst_get_tx_buf will result in off-by-one +When ctx->burst.tx_count + size == ARRAY_SIZE(ctx->burst.tx_buf). The same +thing happens in sii8620_burst_get_rx_buf. + +This patch also change tx_count and tx_buf to rx_count and rx_buf in +sii8620_burst_get_rx_buf. It is unreasonable to check tx_buf's size and +use rx_buf. + +Fixes: e19e9c692f81 ("drm/bridge/sii8620: add support for burst eMSC transmissions") +Signed-off-by: Hangyu Hua +Reviewed-by: Andrzej Hajda +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20220518065856.18936-1-hbh25y@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/sil-sii8620.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/sil-sii8620.c b/drivers/gpu/drm/bridge/sil-sii8620.c +index ea433bb189ca..c72092319a53 100644 +--- a/drivers/gpu/drm/bridge/sil-sii8620.c ++++ b/drivers/gpu/drm/bridge/sil-sii8620.c +@@ -607,7 +607,7 @@ static void *sii8620_burst_get_tx_buf(struct sii8620 *ctx, int len) + u8 *buf = &ctx->burst.tx_buf[ctx->burst.tx_count]; + int size = len + 2; + +- if (ctx->burst.tx_count + size > ARRAY_SIZE(ctx->burst.tx_buf)) { ++ if (ctx->burst.tx_count + size >= ARRAY_SIZE(ctx->burst.tx_buf)) { + dev_err(ctx->dev, "TX-BLK buffer exhausted\n"); + ctx->error = -EINVAL; + return NULL; +@@ -624,7 +624,7 @@ static u8 *sii8620_burst_get_rx_buf(struct sii8620 *ctx, int len) + u8 *buf = &ctx->burst.rx_buf[ctx->burst.rx_count]; + int size = len + 1; + +- if (ctx->burst.tx_count + size > ARRAY_SIZE(ctx->burst.tx_buf)) { ++ if (ctx->burst.rx_count + size >= ARRAY_SIZE(ctx->burst.rx_buf)) { + dev_err(ctx->dev, "RX-BLK buffer exhausted\n"); + ctx->error = -EINVAL; + return NULL; +-- +2.35.1 + diff --git a/queue-4.19/drm-mediatek-add-pull-down-mipi-operation-in-mtk_dsi.patch b/queue-4.19/drm-mediatek-add-pull-down-mipi-operation-in-mtk_dsi.patch new file mode 100644 index 00000000000..4276f3d8d3d --- /dev/null +++ b/queue-4.19/drm-mediatek-add-pull-down-mipi-operation-in-mtk_dsi.patch @@ -0,0 +1,49 @@ +From d5d9df3a8fc7c2df4c38d166fd165315f529ec49 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 May 2022 10:00:07 +0800 +Subject: drm/mediatek: Add pull-down MIPI operation in mtk_dsi_poweroff + function + +From: Xinlei Lee + +[ Upstream commit fa5d0a0205c34734c5b8daa77e39ac2817f63a10 ] + +In the dsi_enable function, mtk_dsi_rxtx_control is to +pull up the MIPI signal operation. Before dsi_disable, +MIPI should also be pulled down by writing a register +instead of disabling dsi. + +If disable dsi without pulling the mipi signal low, the value of +the register will still maintain the setting of the mipi signal being +pulled high. +After resume, even if the mipi signal is not pulled high, it will still +be in the high state. + +Fixes: 2e54c14e310f ("drm/mediatek: Add DSI sub driver") + +Link: https://patchwork.kernel.org/project/linux-mediatek/patch/1653012007-11854-5-git-send-email-xinlei.lee@mediatek.com/ +Signed-off-by: Jitao Shi +Signed-off-by: Xinlei Lee +Reviewed-by: Rex-BC Chen +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_dsi.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/mediatek/mtk_dsi.c b/drivers/gpu/drm/mediatek/mtk_dsi.c +index 0dd317ac5fe5..a629a69c2756 100644 +--- a/drivers/gpu/drm/mediatek/mtk_dsi.c ++++ b/drivers/gpu/drm/mediatek/mtk_dsi.c +@@ -651,6 +651,8 @@ static void mtk_dsi_poweroff(struct mtk_dsi *dsi) + mtk_dsi_reset_engine(dsi); + mtk_dsi_lane0_ulp_mode_enter(dsi); + mtk_dsi_clk_ulp_mode_enter(dsi); ++ /* set the lane number as 0 to pull down mipi */ ++ writel(0, dsi->regs + DSI_TXRX_CTRL); + + mtk_dsi_disable(dsi); + +-- +2.35.1 + diff --git a/queue-4.19/drm-mediatek-dpi-remove-output-format-of-yuv.patch b/queue-4.19/drm-mediatek-dpi-remove-output-format-of-yuv.patch new file mode 100644 index 00000000000..005c4c563ba --- /dev/null +++ b/queue-4.19/drm-mediatek-dpi-remove-output-format-of-yuv.patch @@ -0,0 +1,73 @@ +From ffa81e5837e36a16112fa18a3c3c9560b0072d7f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Jul 2022 11:58:33 +0800 +Subject: drm/mediatek: dpi: Remove output format of YUV + +From: Bo-Chen Chen + +[ Upstream commit c9ed0713b3c35fc45677707ba47f432cad95da56 ] + +DPI is not support output format as YUV, but there is the setting of +configuring output YUV. Therefore, remove them in this patch. + +Fixes: 9e629c17aa8d ("drm/mediatek: Add DPI sub driver") +Signed-off-by: Bo-Chen Chen +Link: https://patchwork.kernel.org/project/linux-mediatek/patch/20220701035845.16458-5-rex-bc.chen@mediatek.com/ +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_dpi.c | 31 ++++++------------------------ + 1 file changed, 6 insertions(+), 25 deletions(-) + +diff --git a/drivers/gpu/drm/mediatek/mtk_dpi.c b/drivers/gpu/drm/mediatek/mtk_dpi.c +index 6c0ea39d5739..a263ac4aaab2 100644 +--- a/drivers/gpu/drm/mediatek/mtk_dpi.c ++++ b/drivers/gpu/drm/mediatek/mtk_dpi.c +@@ -52,13 +52,7 @@ enum mtk_dpi_out_channel_swap { + }; + + enum mtk_dpi_out_color_format { +- MTK_DPI_COLOR_FORMAT_RGB, +- MTK_DPI_COLOR_FORMAT_RGB_FULL, +- MTK_DPI_COLOR_FORMAT_YCBCR_444, +- MTK_DPI_COLOR_FORMAT_YCBCR_422, +- MTK_DPI_COLOR_FORMAT_XV_YCC, +- MTK_DPI_COLOR_FORMAT_YCBCR_444_FULL, +- MTK_DPI_COLOR_FORMAT_YCBCR_422_FULL ++ MTK_DPI_COLOR_FORMAT_RGB + }; + + struct mtk_dpi { +@@ -347,24 +341,11 @@ static void mtk_dpi_config_2n_h_fre(struct mtk_dpi *dpi) + static void mtk_dpi_config_color_format(struct mtk_dpi *dpi, + enum mtk_dpi_out_color_format format) + { +- if ((format == MTK_DPI_COLOR_FORMAT_YCBCR_444) || +- (format == MTK_DPI_COLOR_FORMAT_YCBCR_444_FULL)) { +- mtk_dpi_config_yuv422_enable(dpi, false); +- mtk_dpi_config_csc_enable(dpi, true); +- mtk_dpi_config_swap_input(dpi, false); +- mtk_dpi_config_channel_swap(dpi, MTK_DPI_OUT_CHANNEL_SWAP_BGR); +- } else if ((format == MTK_DPI_COLOR_FORMAT_YCBCR_422) || +- (format == MTK_DPI_COLOR_FORMAT_YCBCR_422_FULL)) { +- mtk_dpi_config_yuv422_enable(dpi, true); +- mtk_dpi_config_csc_enable(dpi, true); +- mtk_dpi_config_swap_input(dpi, true); +- mtk_dpi_config_channel_swap(dpi, MTK_DPI_OUT_CHANNEL_SWAP_RGB); +- } else { +- mtk_dpi_config_yuv422_enable(dpi, false); +- mtk_dpi_config_csc_enable(dpi, false); +- mtk_dpi_config_swap_input(dpi, false); +- mtk_dpi_config_channel_swap(dpi, MTK_DPI_OUT_CHANNEL_SWAP_RGB); +- } ++ /* only support RGB888 */ ++ mtk_dpi_config_yuv422_enable(dpi, false); ++ mtk_dpi_config_csc_enable(dpi, false); ++ mtk_dpi_config_swap_input(dpi, false); ++ mtk_dpi_config_channel_swap(dpi, MTK_DPI_OUT_CHANNEL_SWAP_RGB); + } + + static void mtk_dpi_power_off(struct mtk_dpi *dpi, enum mtk_dpi_power_ctl pctl) +-- +2.35.1 + diff --git a/queue-4.19/drm-msm-hdmi-enable-core-vcc-core-vdda-supply-for-89.patch b/queue-4.19/drm-msm-hdmi-enable-core-vcc-core-vdda-supply-for-89.patch new file mode 100644 index 00000000000..998bbf01b0e --- /dev/null +++ b/queue-4.19/drm-msm-hdmi-enable-core-vcc-core-vdda-supply-for-89.patch @@ -0,0 +1,40 @@ +From 48d3c16b966918333422dc324f6305670bec42e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Jun 2022 15:23:43 +0300 +Subject: drm/msm/hdmi: enable core-vcc/core-vdda-supply for 8996 platform + +From: Dmitry Baryshkov + +[ Upstream commit 1f88301794595ff4c28a1f1befe690e8dbac72a2 ] + +DB820c makes use of core-vcc-supply and core-vdda-supply, however the +driver code doesn't support these regulators. Enable them for HDMI on +8996 platform. + +Fixes: 0afbe59edd3f ("drm/msm/hdmi: Add basic HDMI support for msm8996") +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Stephen Boyd +Patchwork: https://patchwork.freedesktop.org/patch/488857/ +Link: https://lore.kernel.org/r/20220609122350.3157529-8-dmitry.baryshkov@linaro.org +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/hdmi/hdmi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/hdmi/hdmi.c b/drivers/gpu/drm/msm/hdmi/hdmi.c +index 0b7cb90d2826..edd13ed1ecff 100644 +--- a/drivers/gpu/drm/msm/hdmi/hdmi.c ++++ b/drivers/gpu/drm/msm/hdmi/hdmi.c +@@ -419,7 +419,7 @@ static struct hdmi_platform_config hdmi_tx_8994_config = { + }; + + static struct hdmi_platform_config hdmi_tx_8996_config = { +- HDMI_CFG(pwr_reg, none), ++ HDMI_CFG(pwr_reg, 8x74), + HDMI_CFG(hpd_reg, none), + HDMI_CFG(pwr_clk, 8x74), + HDMI_CFG(hpd_clk, 8x74), +-- +2.35.1 + diff --git a/queue-4.19/drm-msm-mdp5-fix-global-state-lock-backoff.patch b/queue-4.19/drm-msm-mdp5-fix-global-state-lock-backoff.patch new file mode 100644 index 00000000000..7e0c48fe759 --- /dev/null +++ b/queue-4.19/drm-msm-mdp5-fix-global-state-lock-backoff.patch @@ -0,0 +1,85 @@ +From f01b388b070ed90c90116f85962f2ddf26143b95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Jul 2022 09:20:37 -0700 +Subject: drm/msm/mdp5: Fix global state lock backoff + +From: Rob Clark + +[ Upstream commit 92ef86ab513593c6329d04146e61f9a670e72fc5 ] + +We need to grab the lock after the early return for !hwpipe case. +Otherwise, we could have hit contention yet still returned 0. + +Fixes an issue that the new CONFIG_DRM_DEBUG_MODESET_LOCK stuff flagged +in CI: + + WARNING: CPU: 0 PID: 282 at drivers/gpu/drm/drm_modeset_lock.c:296 drm_modeset_lock+0xf8/0x154 + Modules linked in: + CPU: 0 PID: 282 Comm: kms_cursor_lega Tainted: G W 5.19.0-rc2-15930-g875cc8bc536a #1 + Hardware name: Qualcomm Technologies, Inc. DB820c (DT) + pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : drm_modeset_lock+0xf8/0x154 + lr : drm_atomic_get_private_obj_state+0x84/0x170 + sp : ffff80000cfab6a0 + x29: ffff80000cfab6a0 x28: 0000000000000000 x27: ffff000083bc4d00 + x26: 0000000000000038 x25: 0000000000000000 x24: ffff80000957ca58 + x23: 0000000000000000 x22: ffff000081ace080 x21: 0000000000000001 + x20: ffff000081acec18 x19: ffff80000cfabb80 x18: 0000000000000038 + x17: 0000000000000000 x16: 0000000000000000 x15: fffffffffffea0d0 + x14: 0000000000000000 x13: 284e4f5f4e524157 x12: 5f534b434f4c5f47 + x11: ffff80000a386aa8 x10: 0000000000000029 x9 : ffff80000cfab610 + x8 : 0000000000000029 x7 : 0000000000000014 x6 : 0000000000000000 + x5 : 0000000000000001 x4 : ffff8000081ad904 x3 : 0000000000000029 + x2 : ffff0000801db4c0 x1 : ffff80000cfabb80 x0 : ffff000081aceb58 + Call trace: + drm_modeset_lock+0xf8/0x154 + drm_atomic_get_private_obj_state+0x84/0x170 + mdp5_get_global_state+0x54/0x6c + mdp5_pipe_release+0x2c/0xd4 + mdp5_plane_atomic_check+0x2ec/0x414 + drm_atomic_helper_check_planes+0xd8/0x210 + drm_atomic_helper_check+0x54/0xb0 + ... + ---[ end trace 0000000000000000 ]--- + drm_modeset_lock attempting to lock a contended lock without backoff: + drm_modeset_lock+0x148/0x154 + mdp5_get_global_state+0x30/0x6c + mdp5_pipe_release+0x2c/0xd4 + mdp5_plane_atomic_check+0x290/0x414 + drm_atomic_helper_check_planes+0xd8/0x210 + drm_atomic_helper_check+0x54/0xb0 + drm_atomic_check_only+0x4b0/0x8f4 + drm_atomic_commit+0x68/0xe0 + +Fixes: d59be579fa93 ("drm/msm/mdp5: Return error code in mdp5_pipe_release when deadlock is detected") +Signed-off-by: Rob Clark +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/492701/ +Link: https://lore.kernel.org/r/20220707162040.1594855-1-robdclark@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/mdp5/mdp5_pipe.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/disp/mdp5/mdp5_pipe.c b/drivers/gpu/drm/msm/disp/mdp5/mdp5_pipe.c +index 88de12225582..69fe09b41087 100644 +--- a/drivers/gpu/drm/msm/disp/mdp5/mdp5_pipe.c ++++ b/drivers/gpu/drm/msm/disp/mdp5/mdp5_pipe.c +@@ -134,12 +134,13 @@ int mdp5_pipe_release(struct drm_atomic_state *s, struct mdp5_hw_pipe *hwpipe) + { + struct msm_drm_private *priv = s->dev->dev_private; + struct mdp5_kms *mdp5_kms = to_mdp5_kms(to_mdp_kms(priv->kms)); +- struct mdp5_global_state *state = mdp5_get_global_state(s); ++ struct mdp5_global_state *state; + struct mdp5_hw_pipe_state *new_state; + + if (!hwpipe) + return 0; + ++ state = mdp5_get_global_state(s); + if (IS_ERR(state)) + return PTR_ERR(state); + +-- +2.35.1 + diff --git a/queue-4.19/drm-radeon-fix-potential-buffer-overflow-in-ni_set_m.patch b/queue-4.19/drm-radeon-fix-potential-buffer-overflow-in-ni_set_m.patch new file mode 100644 index 00000000000..661605a6fcc --- /dev/null +++ b/queue-4.19/drm-radeon-fix-potential-buffer-overflow-in-ni_set_m.patch @@ -0,0 +1,61 @@ +From baf622f40b8433f5e2c2c27e152d3c6c4f75bc4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jun 2022 16:50:54 +0300 +Subject: drm/radeon: fix potential buffer overflow in + ni_set_mc_special_registers() + +From: Alexey Kodanev + +[ Upstream commit 136f614931a2bb73616b292cf542da3a18daefd5 ] + +The last case label can write two buffers 'mc_reg_address[j]' and +'mc_data[j]' with 'j' offset equal to SMC_NISLANDS_MC_REGISTER_ARRAY_SIZE +since there are no checks for this value in both case labels after the +last 'j++'. + +Instead of changing '>' to '>=' there, add the bounds check at the start +of the second 'case' (the first one already has it). + +Also, remove redundant last checks for 'j' index bigger than array size. +The expression is always false. Moreover, before or after the patch +'table->last' can be equal to SMC_NISLANDS_MC_REGISTER_ARRAY_SIZE and it +seems it can be a valid value. + +Detected using the static analysis tool - Svace. +Fixes: 69e0b57a91ad ("drm/radeon/kms: add dpm support for cayman (v5)") +Signed-off-by: Alexey Kodanev +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/ni_dpm.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/ni_dpm.c b/drivers/gpu/drm/radeon/ni_dpm.c +index f86ca163dcf3..a7273c01de34 100644 +--- a/drivers/gpu/drm/radeon/ni_dpm.c ++++ b/drivers/gpu/drm/radeon/ni_dpm.c +@@ -2738,10 +2738,10 @@ static int ni_set_mc_special_registers(struct radeon_device *rdev, + table->mc_reg_table_entry[k].mc_data[j] |= 0x100; + } + j++; +- if (j > SMC_NISLANDS_MC_REGISTER_ARRAY_SIZE) +- return -EINVAL; + break; + case MC_SEQ_RESERVE_M >> 2: ++ if (j >= SMC_NISLANDS_MC_REGISTER_ARRAY_SIZE) ++ return -EINVAL; + temp_reg = RREG32(MC_PMG_CMD_MRS1); + table->mc_reg_address[j].s1 = MC_PMG_CMD_MRS1 >> 2; + table->mc_reg_address[j].s0 = MC_SEQ_PMG_CMD_MRS1_LP >> 2; +@@ -2750,8 +2750,6 @@ static int ni_set_mc_special_registers(struct radeon_device *rdev, + (temp_reg & 0xffff0000) | + (table->mc_reg_table_entry[k].mc_data[i] & 0x0000ffff); + j++; +- if (j > SMC_NISLANDS_MC_REGISTER_ARRAY_SIZE) +- return -EINVAL; + break; + default: + break; +-- +2.35.1 + diff --git a/queue-4.19/drm-rockchip-vop-don-t-crash-for-invalid-duplicate_s.patch b/queue-4.19/drm-rockchip-vop-don-t-crash-for-invalid-duplicate_s.patch new file mode 100644 index 00000000000..ae87661e5fd --- /dev/null +++ b/queue-4.19/drm-rockchip-vop-don-t-crash-for-invalid-duplicate_s.patch @@ -0,0 +1,42 @@ +From 43f3c95b63e505485c3f44da4045a132b09adace Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Jun 2022 17:26:52 -0700 +Subject: drm/rockchip: vop: Don't crash for invalid duplicate_state() + +From: Brian Norris + +[ Upstream commit 1449110b0dade8b638d2c17ab7c5b0ff696bfccb ] + +It's possible for users to try to duplicate the CRTC state even when the +state doesn't exist. drm_atomic_helper_crtc_duplicate_state() (and other +users of __drm_atomic_helper_crtc_duplicate_state()) already guard this +with a WARN_ON() instead of crashing, so let's do that here too. + +Fixes: 4e257d9eee23 ("drm/rockchip: get rid of rockchip_drm_crtc_mode_config") +Signed-off-by: Brian Norris +Reviewed-by: Sean Paul +Reviewed-by: Douglas Anderson +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/20220617172623.1.I62db228170b1559ada60b8d3e1637e1688424926@changeid +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c +index c0b647435974..69eb0de9973f 100644 +--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c ++++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c +@@ -1088,6 +1088,9 @@ static struct drm_crtc_state *vop_crtc_duplicate_state(struct drm_crtc *crtc) + { + struct rockchip_crtc_state *rockchip_state; + ++ if (WARN_ON(!crtc->state)) ++ return NULL; ++ + rockchip_state = kzalloc(sizeof(*rockchip_state), GFP_KERNEL); + if (!rockchip_state) + return NULL; +-- +2.35.1 + diff --git a/queue-4.19/drm-vc4-dsi-correct-dsi-divider-calculations.patch b/queue-4.19/drm-vc4-dsi-correct-dsi-divider-calculations.patch new file mode 100644 index 00000000000..00203402be6 --- /dev/null +++ b/queue-4.19/drm-vc4-dsi-correct-dsi-divider-calculations.patch @@ -0,0 +1,51 @@ +From e542050bce9df7b09ef114ac7e355abb89c75281 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jun 2022 16:47:39 +0200 +Subject: drm/vc4: dsi: Correct DSI divider calculations + +From: Dave Stevenson + +[ Upstream commit 3b45eee87da171caa28f61240ddb5c21170cda53 ] + +The divider calculations tried to find the divider just faster than the +clock requested. However if it required a divider of 7 then the for loop +aborted without handling the "error" case, and could end up with a clock +lower than requested. + +The integer divider from parent PLL to DSI clock is also capable of +going up to /255, not just /7 that the driver was trying. This allows +for slower link frequencies on the DSI bus where the resolution permits. + +Correct the loop so that we always have a clock greater than requested, +and covering the whole range of dividers. + +Fixes: 86c1b9eff3f2 ("drm/vc4: Adjust modes in DSI to work around the integer PLL divider.") +Signed-off-by: Dave Stevenson +Link: https://lore.kernel.org/r/20220613144800.326124-13-maxime@cerno.tech +Signed-off-by: Maxime Ripard +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_dsi.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/vc4/vc4_dsi.c b/drivers/gpu/drm/vc4/vc4_dsi.c +index 0c607eb33d7e..77003ce666a4 100644 +--- a/drivers/gpu/drm/vc4/vc4_dsi.c ++++ b/drivers/gpu/drm/vc4/vc4_dsi.c +@@ -853,11 +853,9 @@ static bool vc4_dsi_encoder_mode_fixup(struct drm_encoder *encoder, + /* Find what divider gets us a faster clock than the requested + * pixel clock. + */ +- for (divider = 1; divider < 8; divider++) { +- if (parent_rate / divider < pll_clock) { +- divider--; ++ for (divider = 1; divider < 255; divider++) { ++ if (parent_rate / (divider + 1) < pll_clock) + break; +- } + } + + /* Now that we've picked a PLL divider, calculate back to its +-- +2.35.1 + diff --git a/queue-4.19/ext2-add-more-validity-checks-for-inode-counts.patch b/queue-4.19/ext2-add-more-validity-checks-for-inode-counts.patch new file mode 100644 index 00000000000..d5ee4d820f8 --- /dev/null +++ b/queue-4.19/ext2-add-more-validity-checks-for-inode-counts.patch @@ -0,0 +1,55 @@ +From 64f8ba6d46b6e18b3dce31479b822604baa5419c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Jul 2022 13:13:50 +0200 +Subject: ext2: Add more validity checks for inode counts + +From: Jan Kara + +[ Upstream commit fa78f336937240d1bc598db817d638086060e7e9 ] + +Add checks verifying number of inodes stored in the superblock matches +the number computed from number of inodes per group. Also verify we have +at least one block worth of inodes per group. This prevents crashes on +corrupted filesystems. + +Reported-by: syzbot+d273f7d7f58afd93be48@syzkaller.appspotmail.com +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/ext2/super.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/fs/ext2/super.c b/fs/ext2/super.c +index ad9fd08f66ba..44a1f356aca2 100644 +--- a/fs/ext2/super.c ++++ b/fs/ext2/super.c +@@ -1088,9 +1088,10 @@ static int ext2_fill_super(struct super_block *sb, void *data, int silent) + sbi->s_frags_per_group); + goto failed_mount; + } +- if (sbi->s_inodes_per_group > sb->s_blocksize * 8) { ++ if (sbi->s_inodes_per_group < sbi->s_inodes_per_block || ++ sbi->s_inodes_per_group > sb->s_blocksize * 8) { + ext2_msg(sb, KERN_ERR, +- "error: #inodes per group too big: %lu", ++ "error: invalid #inodes per group: %lu", + sbi->s_inodes_per_group); + goto failed_mount; + } +@@ -1100,6 +1101,13 @@ static int ext2_fill_super(struct super_block *sb, void *data, int silent) + sbi->s_groups_count = ((le32_to_cpu(es->s_blocks_count) - + le32_to_cpu(es->s_first_data_block) - 1) + / EXT2_BLOCKS_PER_GROUP(sb)) + 1; ++ if ((u64)sbi->s_groups_count * sbi->s_inodes_per_group != ++ le32_to_cpu(es->s_inodes_count)) { ++ ext2_msg(sb, KERN_ERR, "error: invalid #inodes: %u vs computed %llu", ++ le32_to_cpu(es->s_inodes_count), ++ (u64)sbi->s_groups_count * sbi->s_inodes_per_group); ++ goto failed_mount; ++ } + db_count = (sbi->s_groups_count + EXT2_DESC_PER_BLOCK(sb) - 1) / + EXT2_DESC_PER_BLOCK(sb); + sbi->s_group_desc = kmalloc_array (db_count, +-- +2.35.1 + diff --git a/queue-4.19/ext4-recover-csum-seed-of-tmp_inode-after-migrating-.patch b/queue-4.19/ext4-recover-csum-seed-of-tmp_inode-after-migrating-.patch new file mode 100644 index 00000000000..3a9cfc892e1 --- /dev/null +++ b/queue-4.19/ext4-recover-csum-seed-of-tmp_inode-after-migrating-.patch @@ -0,0 +1,76 @@ +From edece10be14675ac1f650dd15f61816877e746b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Jun 2022 14:25:15 +0800 +Subject: ext4: recover csum seed of tmp_inode after migrating to extents + +From: Li Lingfeng + +[ Upstream commit 07ea7a617d6b278fb7acedb5cbe1a81ce2de7d0c ] + +When migrating to extents, the checksum seed of temporary inode +need to be replaced by inode's, otherwise the inode checksums +will be incorrect when swapping the inodes data. + +However, the temporary inode can not match it's checksum to +itself since it has lost it's own checksum seed. + +mkfs.ext4 -F /dev/sdc +mount /dev/sdc /mnt/sdc +xfs_io -fc "pwrite 4k 4k" -c "fsync" /mnt/sdc/testfile +chattr -e /mnt/sdc/testfile +chattr +e /mnt/sdc/testfile +umount /dev/sdc +fsck -fn /dev/sdc + +======== +... +Pass 1: Checking inodes, blocks, and sizes +Inode 13 passes checks, but checksum does not match inode. Fix? no +... +======== + +The fix is simple, save the checksum seed of temporary inode, and +recover it after migrating to extents. + +Fixes: e81c9302a6c3 ("ext4: set csum seed in tmp inode while migrating to extents") +Signed-off-by: Li Lingfeng +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20220617062515.2113438-1-lilingfeng3@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/migrate.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/migrate.c b/fs/ext4/migrate.c +index 9adfe217b39d..37ce665ae1d2 100644 +--- a/fs/ext4/migrate.c ++++ b/fs/ext4/migrate.c +@@ -435,7 +435,7 @@ int ext4_ext_migrate(struct inode *inode) + struct inode *tmp_inode = NULL; + struct migrate_struct lb; + unsigned long max_entries; +- __u32 goal; ++ __u32 goal, tmp_csum_seed; + uid_t owner[2]; + + /* +@@ -483,6 +483,7 @@ int ext4_ext_migrate(struct inode *inode) + * the migration. + */ + ei = EXT4_I(inode); ++ tmp_csum_seed = EXT4_I(tmp_inode)->i_csum_seed; + EXT4_I(tmp_inode)->i_csum_seed = ei->i_csum_seed; + i_size_write(tmp_inode, i_size_read(inode)); + /* +@@ -593,6 +594,7 @@ int ext4_ext_migrate(struct inode *inode) + * the inode is not visible to user space. + */ + tmp_inode->i_blocks = 0; ++ EXT4_I(tmp_inode)->i_csum_seed = tmp_csum_seed; + + /* Reset the extent details */ + ext4_ext_tree_init(handle, tmp_inode); +-- +2.35.1 + diff --git a/queue-4.19/fpga-altera-pr-ip-fix-unsigned-comparison-with-less-.patch b/queue-4.19/fpga-altera-pr-ip-fix-unsigned-comparison-with-less-.patch new file mode 100644 index 00000000000..0a4900fba58 --- /dev/null +++ b/queue-4.19/fpga-altera-pr-ip-fix-unsigned-comparison-with-less-.patch @@ -0,0 +1,40 @@ +From bf440ccdb9aeeb4b215180e2f5e626e499372213 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Jun 2022 16:05:19 +0200 +Subject: fpga: altera-pr-ip: fix unsigned comparison with less than zero + +From: Marco Pagani + +[ Upstream commit 2df84a757d87fd62869fc401119d429735377ec5 ] + +Fix the "comparison with less than zero" warning reported by +cppcheck for the unsigned (size_t) parameter count of the +alt_pr_fpga_write() function. + +Fixes: d201cc17a8a3 ("fpga pr ip: Core driver support for Altera Partial Reconfiguration IP") +Reviewed-by: Tom Rix +Acked-by: Xu Yilun +Signed-off-by: Marco Pagani +Link: https://lore.kernel.org/r/20220609140520.42662-1-marpagan@redhat.com +Signed-off-by: Xu Yilun +Signed-off-by: Sasha Levin +--- + drivers/fpga/altera-pr-ip-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/fpga/altera-pr-ip-core.c b/drivers/fpga/altera-pr-ip-core.c +index 65e0b6a2c031..059ba27f3c29 100644 +--- a/drivers/fpga/altera-pr-ip-core.c ++++ b/drivers/fpga/altera-pr-ip-core.c +@@ -108,7 +108,7 @@ static int alt_pr_fpga_write(struct fpga_manager *mgr, const char *buf, + u32 *buffer_32 = (u32 *)buf; + size_t i = 0; + +- if (count <= 0) ++ if (!count) + return -EINVAL; + + /* Write out the complete 32-bit chunks */ +-- +2.35.1 + diff --git a/queue-4.19/fs-check-fmode_lseek-to-control-internal-pipe-splici.patch b/queue-4.19/fs-check-fmode_lseek-to-control-internal-pipe-splici.patch new file mode 100644 index 00000000000..ab37fdf0963 --- /dev/null +++ b/queue-4.19/fs-check-fmode_lseek-to-control-internal-pipe-splici.patch @@ -0,0 +1,58 @@ +From 42eb7ea9b9b0285baaa106cba62df51bfda33647 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Jun 2022 15:06:58 +0200 +Subject: fs: check FMODE_LSEEK to control internal pipe splicing + +From: Jason A. Donenfeld + +[ Upstream commit 97ef77c52b789ec1411d360ed99dca1efe4b2c81 ] + +The original direct splicing mechanism from Jens required the input to +be a regular file because it was avoiding the special socket case. It +also recognized blkdevs as being close enough to a regular file. But it +forgot about chardevs, which behave the same way and work fine here. + +This is an okayish heuristic, but it doesn't totally work. For example, +a few chardevs should be spliceable here. And a few regular files +shouldn't. This patch fixes this by instead checking whether FMODE_LSEEK +is set, which represents decently enough what we need rewinding for when +splicing to internal pipes. + +Fixes: b92ce5589374 ("[PATCH] splice: add direct fd <-> fd splicing support") +Cc: Jens Axboe +Signed-off-by: Jason A. Donenfeld +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + fs/splice.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/fs/splice.c b/fs/splice.c +index fd28c7da3c83..ef1604e307f1 100644 +--- a/fs/splice.c ++++ b/fs/splice.c +@@ -899,17 +899,15 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd, + { + struct pipe_inode_info *pipe; + long ret, bytes; +- umode_t i_mode; + size_t len; + int i, flags, more; + + /* +- * We require the input being a regular file, as we don't want to +- * randomly drop data for eg socket -> socket splicing. Use the +- * piped splicing for that! ++ * We require the input to be seekable, as we don't want to randomly ++ * drop data for eg socket -> socket splicing. Use the piped splicing ++ * for that! + */ +- i_mode = file_inode(in)->i_mode; +- if (unlikely(!S_ISREG(i_mode) && !S_ISBLK(i_mode))) ++ if (unlikely(!(in->f_mode & FMODE_LSEEK))) + return -EINVAL; + + /* +-- +2.35.1 + diff --git a/queue-4.19/genelf-use-have_libcrypto_support-not-the-never-defi.patch b/queue-4.19/genelf-use-have_libcrypto_support-not-the-never-defi.patch new file mode 100644 index 00000000000..9d6d53c7dc1 --- /dev/null +++ b/queue-4.19/genelf-use-have_libcrypto_support-not-the-never-defi.patch @@ -0,0 +1,59 @@ +From ac763b21d73d5f9d59c17d260d44ce103407509b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Aug 2022 15:13:22 -0300 +Subject: genelf: Use HAVE_LIBCRYPTO_SUPPORT, not the never defined + HAVE_LIBCRYPTO +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 91cea6be90e436c55cde8770a15e4dac9d3032d0 ] + +When genelf was introduced it tested for HAVE_LIBCRYPTO not +HAVE_LIBCRYPTO_SUPPORT, which is the define the feature test for openssl +defines, fix it. + +This also adds disables the deprecation warning, someone has to fix this +to build with openssl 3.0 before the warning becomes a hard error. + +Fixes: 9b07e27f88b9cd78 ("perf inject: Add jitdump mmap injection support") +Reported-by: 谭梓煊 +Cc: Alexei Starovoitov +Cc: Andrii Nakryiko +Cc: Daniel Borkmann +Cc: Jiri Olsa +Cc: John Fastabend +Cc: KP Singh +Cc: Martin KaFai Lau +Cc: Nick Terrell +Cc: Song Liu +Cc: Stephane Eranian +Link: http://lore.kernel.org/lkml/YulpPqXSOG0Q4J1o@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/genelf.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/util/genelf.c b/tools/perf/util/genelf.c +index aafbe54fd3fa..afb8fe3a8e35 100644 +--- a/tools/perf/util/genelf.c ++++ b/tools/perf/util/genelf.c +@@ -35,7 +35,11 @@ + + #define BUILD_ID_URANDOM /* different uuid for each run */ + +-#ifdef HAVE_LIBCRYPTO ++// FIXME, remove this and fix the deprecation warnings before its removed and ++// We'll break for good here... ++#pragma GCC diagnostic ignored "-Wdeprecated-declarations" ++ ++#ifdef HAVE_LIBCRYPTO_SUPPORT + + #define BUILD_ID_MD5 + #undef BUILD_ID_SHA /* does not seem to work well when linked with Java */ +-- +2.35.1 + diff --git a/queue-4.19/genirq-generic_irq_ipi-depends-on-smp.patch b/queue-4.19/genirq-generic_irq_ipi-depends-on-smp.patch new file mode 100644 index 00000000000..8dad1886702 --- /dev/null +++ b/queue-4.19/genirq-generic_irq_ipi-depends-on-smp.patch @@ -0,0 +1,51 @@ +From b99167fa29891e13cbc549090567ccfbd5a1dacd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Jul 2022 15:00:50 -0500 +Subject: genirq: GENERIC_IRQ_IPI depends on SMP + +From: Samuel Holland + +[ Upstream commit 0f5209fee90b4544c58b4278d944425292789967 ] + +The generic IPI code depends on the IRQ affinity mask being allocated +and initialized. This will not be the case if SMP is disabled. Fix up +the remaining driver that selected GENERIC_IRQ_IPI in a non-SMP config. + +Reported-by: kernel test robot +Signed-off-by: Samuel Holland +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20220701200056.46555-3-samuel@sholland.org +Signed-off-by: Sasha Levin +--- + drivers/irqchip/Kconfig | 2 +- + kernel/irq/Kconfig | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/irqchip/Kconfig b/drivers/irqchip/Kconfig +index 9d3812cd668e..85099cff62eb 100644 +--- a/drivers/irqchip/Kconfig ++++ b/drivers/irqchip/Kconfig +@@ -153,7 +153,7 @@ config IMGPDC_IRQ + config IRQ_MIPS_CPU + bool + select GENERIC_IRQ_CHIP +- select GENERIC_IRQ_IPI if SYS_SUPPORTS_MULTITHREADING ++ select GENERIC_IRQ_IPI if SMP && SYS_SUPPORTS_MULTITHREADING + select IRQ_DOMAIN + select IRQ_DOMAIN_HIERARCHY if GENERIC_IRQ_IPI + select GENERIC_IRQ_EFFECTIVE_AFF_MASK +diff --git a/kernel/irq/Kconfig b/kernel/irq/Kconfig +index d532bf0c5a67..81473974b1d5 100644 +--- a/kernel/irq/Kconfig ++++ b/kernel/irq/Kconfig +@@ -80,6 +80,7 @@ config IRQ_FASTEOI_HIERARCHY_HANDLERS + # Generic IRQ IPI support + config GENERIC_IRQ_IPI + bool ++ depends on SMP + select IRQ_DOMAIN_HIERARCHY + + # Generic MSI interrupt support +-- +2.35.1 + diff --git a/queue-4.19/gpio-gpiolib-of-fix-refcount-bugs-in-of_mm_gpiochip_.patch b/queue-4.19/gpio-gpiolib-of-fix-refcount-bugs-in-of_mm_gpiochip_.patch new file mode 100644 index 00000000000..e5a8e610ad7 --- /dev/null +++ b/queue-4.19/gpio-gpiolib-of-fix-refcount-bugs-in-of_mm_gpiochip_.patch @@ -0,0 +1,53 @@ +From 1234c3ac15aae8e1a9b7e8750ddd1c29172ec27f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Jul 2022 20:52:38 +0800 +Subject: gpio: gpiolib-of: Fix refcount bugs in of_mm_gpiochip_add_data() + +From: Liang He + +[ Upstream commit 5d07a692f9562f9c06e62cce369e9dd108173a0f ] + +We should use of_node_get() when a new reference of device_node +is created. It is noted that the old reference stored in +'mm_gc->gc.of_node' should also be decreased. + +This patch is based on the fact that there is a call site in function +'qe_add_gpiochips()' of src file 'drivers\soc\fsl\qe\gpio.c'. In this +function, of_mm_gpiochip_add_data() is contained in an iteration of +for_each_compatible_node() which will automatically increase and +decrease the refcount. So we need additional of_node_get() for the +reference escape in of_mm_gpiochip_add_data(). + +Fixes: a19e3da5bc5f ("of/gpio: Kill of_gpio_chip and add members directly to gpio_chip") +Signed-off-by: Liang He +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib-of.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpiolib-of.c b/drivers/gpio/gpiolib-of.c +index 09999e3e3109..7bda0f59c109 100644 +--- a/drivers/gpio/gpiolib-of.c ++++ b/drivers/gpio/gpiolib-of.c +@@ -476,7 +476,8 @@ int of_mm_gpiochip_add_data(struct device_node *np, + if (mm_gc->save_regs) + mm_gc->save_regs(mm_gc); + +- mm_gc->gc.of_node = np; ++ of_node_put(mm_gc->gc.of_node); ++ mm_gc->gc.of_node = of_node_get(np); + + ret = gpiochip_add_data(gc, data); + if (ret) +@@ -484,6 +485,7 @@ int of_mm_gpiochip_add_data(struct device_node *np, + + return 0; + err2: ++ of_node_put(np); + iounmap(mm_gc->regs); + err1: + kfree(gc->label); +-- +2.35.1 + diff --git a/queue-4.19/hid-alps-declare-u1_unicorn_legacy-support.patch b/queue-4.19/hid-alps-declare-u1_unicorn_legacy-support.patch new file mode 100644 index 00000000000..4b33fc326d6 --- /dev/null +++ b/queue-4.19/hid-alps-declare-u1_unicorn_legacy-support.patch @@ -0,0 +1,36 @@ +From 568568e1b9dd178ae94f2bfe8f091bdfd5e622fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Jul 2022 17:53:24 +0300 +Subject: HID: alps: Declare U1_UNICORN_LEGACY support + +From: Artem Borisov + +[ Upstream commit 1117d182c5d72abd7eb8b7d5e7b8c3373181c3ab ] + +U1_UNICORN_LEGACY id was added to the driver, but was not declared +in the device id table, making it impossible to use. + +Fixes: 640e403 ("HID: alps: Add AUI1657 device ID") +Signed-off-by: Artem Borisov +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-alps.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/hid/hid-alps.c b/drivers/hid/hid-alps.c +index 3eddd8f73b57..116ece4be2c9 100644 +--- a/drivers/hid/hid-alps.c ++++ b/drivers/hid/hid-alps.c +@@ -835,6 +835,8 @@ static const struct hid_device_id alps_id[] = { + USB_VENDOR_ID_ALPS_JP, HID_DEVICE_ID_ALPS_U1_DUAL) }, + { HID_DEVICE(HID_BUS_ANY, HID_GROUP_ANY, + USB_VENDOR_ID_ALPS_JP, HID_DEVICE_ID_ALPS_U1) }, ++ { HID_DEVICE(HID_BUS_ANY, HID_GROUP_ANY, ++ USB_VENDOR_ID_ALPS_JP, HID_DEVICE_ID_ALPS_U1_UNICORN_LEGACY) }, + { HID_DEVICE(HID_BUS_ANY, HID_GROUP_ANY, + USB_VENDOR_ID_ALPS_JP, HID_DEVICE_ID_ALPS_T4_BTNLESS) }, + { } +-- +2.35.1 + diff --git a/queue-4.19/hid-cp2112-prevent-a-buffer-overflow-in-cp2112_xfer.patch b/queue-4.19/hid-cp2112-prevent-a-buffer-overflow-in-cp2112_xfer.patch new file mode 100644 index 00000000000..60908e0ed91 --- /dev/null +++ b/queue-4.19/hid-cp2112-prevent-a-buffer-overflow-in-cp2112_xfer.patch @@ -0,0 +1,47 @@ +From c226e2234e65c900f27b8fbe7320caed498dc333 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jun 2022 05:26:09 -0700 +Subject: HID: cp2112: prevent a buffer overflow in cp2112_xfer() + +From: Harshit Mogalapalli + +[ Upstream commit 381583845d19cb4bd21c8193449385f3fefa9caf ] + +Smatch warnings: +drivers/hid/hid-cp2112.c:793 cp2112_xfer() error: __memcpy() +'data->block[1]' too small (33 vs 255) +drivers/hid/hid-cp2112.c:793 cp2112_xfer() error: __memcpy() 'buf' too +small (64 vs 255) + +The 'read_length' variable is provided by 'data->block[0]' which comes +from user and it(read_length) can take a value between 0-255. Add an +upper bound to 'read_length' variable to prevent a buffer overflow in +memcpy(). + +Fixes: 542134c0375b ("HID: cp2112: Fix I2C_BLOCK_DATA transactions") +Signed-off-by: Harshit Mogalapalli +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-cp2112.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/hid/hid-cp2112.c b/drivers/hid/hid-cp2112.c +index 6f65f5257236..637a7ce281c6 100644 +--- a/drivers/hid/hid-cp2112.c ++++ b/drivers/hid/hid-cp2112.c +@@ -794,6 +794,11 @@ static int cp2112_xfer(struct i2c_adapter *adap, u16 addr, + data->word = le16_to_cpup((__le16 *)buf); + break; + case I2C_SMBUS_I2C_BLOCK_DATA: ++ if (read_length > I2C_SMBUS_BLOCK_MAX) { ++ ret = -EINVAL; ++ goto power_normal; ++ } ++ + memcpy(data->block + 1, buf, read_length); + break; + case I2C_SMBUS_BLOCK_DATA: +-- +2.35.1 + diff --git a/queue-4.19/hwmon-sht15-fix-wrong-assumptions-in-device-remove-c.patch b/queue-4.19/hwmon-sht15-fix-wrong-assumptions-in-device-remove-c.patch new file mode 100644 index 00000000000..ef9d8301754 --- /dev/null +++ b/queue-4.19/hwmon-sht15-fix-wrong-assumptions-in-device-remove-c.patch @@ -0,0 +1,78 @@ +From a9bd1e939b1769cd41424bcc035f1284de34d8bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Jul 2022 21:43:44 +0200 +Subject: hwmon: (sht15) Fix wrong assumptions in device remove callback +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 7d4edccc9bbfe1dcdff641343f7b0c6763fbe774 ] + +Taking a lock at the beginning of .remove() doesn't prevent new readers. +With the existing approach it can happen, that a read occurs just when +the lock was taken blocking the reader until the lock is released at the +end of the remove callback which then accessed *data that is already +freed then. + +To actually fix this problem the hwmon core needs some adaption. Until +this is implemented take the optimistic approach of assuming that all +readers are gone after hwmon_device_unregister() and +sysfs_remove_group() as most other drivers do. (And once the core +implements that, taking the lock would deadlock.) + +So drop the lock, move the reset to after device unregistration to keep +the device in a workable state until it's deregistered. Also add a error +message in case the reset fails and return 0 anyhow. (Returning an error +code, doesn't stop the platform device unregistration and only results +in a little helpful error message before the devm cleanup handlers are +called.) + +Signed-off-by: Uwe Kleine-König +Link: https://lore.kernel.org/r/20220725194344.150098-1-u.kleine-koenig@pengutronix.de +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/sht15.c | 17 ++++++----------- + 1 file changed, 6 insertions(+), 11 deletions(-) + +diff --git a/drivers/hwmon/sht15.c b/drivers/hwmon/sht15.c +index 2be77752cd56..0a4578aae85b 100644 +--- a/drivers/hwmon/sht15.c ++++ b/drivers/hwmon/sht15.c +@@ -1029,25 +1029,20 @@ static int sht15_probe(struct platform_device *pdev) + static int sht15_remove(struct platform_device *pdev) + { + struct sht15_data *data = platform_get_drvdata(pdev); ++ int ret; + +- /* +- * Make sure any reads from the device are done and +- * prevent new ones beginning +- */ +- mutex_lock(&data->read_lock); +- if (sht15_soft_reset(data)) { +- mutex_unlock(&data->read_lock); +- return -EFAULT; +- } + hwmon_device_unregister(data->hwmon_dev); + sysfs_remove_group(&pdev->dev.kobj, &sht15_attr_group); ++ ++ ret = sht15_soft_reset(data); ++ if (ret) ++ dev_err(&pdev->dev, "Failed to reset device (%pe)\n", ERR_PTR(ret)); ++ + if (!IS_ERR(data->reg)) { + regulator_unregister_notifier(data->reg, &data->nb); + regulator_disable(data->reg); + } + +- mutex_unlock(&data->read_lock); +- + return 0; + } + +-- +2.35.1 + diff --git a/queue-4.19/i2c-cadence-support-pec-for-smbus-block-read.patch b/queue-4.19/i2c-cadence-support-pec-for-smbus-block-read.patch new file mode 100644 index 00000000000..3a4709ec91c --- /dev/null +++ b/queue-4.19/i2c-cadence-support-pec-for-smbus-block-read.patch @@ -0,0 +1,77 @@ +From 4f7f6fb4fd2531c3de17544cf22c8672db33c36d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Jul 2022 16:52:44 +0200 +Subject: i2c: cadence: Support PEC for SMBus block read + +From: Lars-Peter Clausen + +[ Upstream commit 9fdf6d97f03035ad5298e2d1635036c74c2090ed ] + +SMBus packet error checking (PEC) is implemented by appending one +additional byte of checksum data at the end of the message. This provides +additional protection and allows to detect data corruption on the I2C bus. + +SMBus block reads support variable length reads. The first byte in the read +message is the number of available data bytes. + +The combination of PEC and block read is currently not supported by the +Cadence I2C driver. + * When PEC is enabled the maximum transfer length for block reads + increases from 33 to 34 bytes. + * The I2C core smbus emulation layer relies on the driver updating the + `i2c_msg` `len` field with the number of received bytes. The updated + length is used when checking the PEC. + +Add support to the Cadence I2C driver for handling SMBus block reads with +PEC. To determine the maximum transfer length uses the initial `len` value +of the `i2c_msg`. When PEC is enabled this will be 2, when it is disabled +it will be 1. + +Once a read transfer is done also increment the `len` field by the amount +of received data bytes. + +This change has been tested with a UCM90320 PMBus power monitor, which +requires block reads to access certain data fields, but also has PEC +enabled by default. + +Fixes: df8eb5691c48 ("i2c: Add driver for Cadence I2C controller") +Signed-off-by: Lars-Peter Clausen +Tested-by: Shubhrajyoti Datta +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-cadence.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-cadence.c b/drivers/i2c/busses/i2c-cadence.c +index 512c61d31fe5..bce7bf93d62a 100644 +--- a/drivers/i2c/busses/i2c-cadence.c ++++ b/drivers/i2c/busses/i2c-cadence.c +@@ -353,8 +353,13 @@ static void cdns_i2c_mrecv(struct cdns_i2c *id) + ctrl_reg = cdns_i2c_readreg(CDNS_I2C_CR_OFFSET); + ctrl_reg |= CDNS_I2C_CR_RW | CDNS_I2C_CR_CLR_FIFO; + ++ /* ++ * Receive up to I2C_SMBUS_BLOCK_MAX data bytes, plus one message length ++ * byte, plus one checksum byte if PEC is enabled. p_msg->len will be 2 if ++ * PEC is enabled, otherwise 1. ++ */ + if (id->p_msg->flags & I2C_M_RECV_LEN) +- id->recv_count = I2C_SMBUS_BLOCK_MAX + 1; ++ id->recv_count = I2C_SMBUS_BLOCK_MAX + id->p_msg->len; + + id->curr_recv_count = id->recv_count; + +@@ -540,6 +545,9 @@ static int cdns_i2c_process_msg(struct cdns_i2c *id, struct i2c_msg *msg, + if (id->err_status & CDNS_I2C_IXR_ARB_LOST) + return -EAGAIN; + ++ if (msg->flags & I2C_M_RECV_LEN) ++ msg->len += min_t(unsigned int, msg->buf[0], I2C_SMBUS_BLOCK_MAX); ++ + return 0; + } + +-- +2.35.1 + diff --git a/queue-4.19/i2c-fix-a-potential-use-after-free.patch b/queue-4.19/i2c-fix-a-potential-use-after-free.patch new file mode 100644 index 00000000000..da815b8f3ac --- /dev/null +++ b/queue-4.19/i2c-fix-a-potential-use-after-free.patch @@ -0,0 +1,40 @@ +From 01af03e0c494142cc17f26c51dbf5b38184af197 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Dec 2019 09:34:32 +0000 +Subject: i2c: Fix a potential use after free + +From: Xu Wang + +[ Upstream commit e4c72c06c367758a14f227c847f9d623f1994ecf ] + +Free the adap structure only after we are done using it. +This patch just moves the put_device() down a bit to avoid the +use after free. + +Fixes: 611e12ea0f12 ("i2c: core: manage i2c bus device refcount in i2c_[get|put]_adapter") +Signed-off-by: Xu Wang +[wsa: added comment to the code, added Fixes tag] +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/i2c-core-base.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/i2c/i2c-core-base.c b/drivers/i2c/i2c-core-base.c +index 2a43f4e46af0..9079be0d51d1 100644 +--- a/drivers/i2c/i2c-core-base.c ++++ b/drivers/i2c/i2c-core-base.c +@@ -2273,8 +2273,9 @@ void i2c_put_adapter(struct i2c_adapter *adap) + if (!adap) + return; + +- put_device(&adap->dev); + module_put(adap->owner); ++ /* Should be last, otherwise we risk use-after-free with 'adap' */ ++ put_device(&adap->dev); + } + EXPORT_SYMBOL(i2c_put_adapter); + +-- +2.35.1 + diff --git a/queue-4.19/i2c-mux-gpmux-add-of_node_put-when-breaking-out-of-l.patch b/queue-4.19/i2c-mux-gpmux-add-of_node_put-when-breaking-out-of-l.patch new file mode 100644 index 00000000000..67d163cfa2d --- /dev/null +++ b/queue-4.19/i2c-mux-gpmux-add-of_node_put-when-breaking-out-of-l.patch @@ -0,0 +1,37 @@ +From f328cf5c397f8397be30b95566483899aade70fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Jul 2022 09:24:01 +0800 +Subject: i2c: mux-gpmux: Add of_node_put() when breaking out of loop + +From: Liang He + +[ Upstream commit 6435319c34704994e19b0767f6a4e6f37439867b ] + +In i2c_mux_probe(), we should call of_node_put() when breaking out +of for_each_child_of_node() which will automatically increase and +decrease the refcount. + +Fixes: ac8498f0ce53 ("i2c: i2c-mux-gpmux: new driver") +Signed-off-by: Liang He +Acked-by: Peter Rosin +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/muxes/i2c-mux-gpmux.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/i2c/muxes/i2c-mux-gpmux.c b/drivers/i2c/muxes/i2c-mux-gpmux.c +index 92cf5f48afe6..5053f1675a29 100644 +--- a/drivers/i2c/muxes/i2c-mux-gpmux.c ++++ b/drivers/i2c/muxes/i2c-mux-gpmux.c +@@ -141,6 +141,7 @@ static int i2c_mux_probe(struct platform_device *pdev) + return 0; + + err_children: ++ of_node_put(child); + i2c_mux_del_adapters(muxc); + err_parent: + i2c_put_adapter(parent); +-- +2.35.1 + diff --git a/queue-4.19/iommu-arm-smmu-qcom_iommu-add-of_node_put-when-break.patch b/queue-4.19/iommu-arm-smmu-qcom_iommu-add-of_node_put-when-break.patch new file mode 100644 index 00000000000..0ab0d987107 --- /dev/null +++ b/queue-4.19/iommu-arm-smmu-qcom_iommu-add-of_node_put-when-break.patch @@ -0,0 +1,45 @@ +From 7a6e5cf090afacf0486378b6d4de4cb2817fc251 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Jul 2022 20:49:55 +0800 +Subject: iommu/arm-smmu: qcom_iommu: Add of_node_put() when breaking out of + loop + +From: Liang He + +[ Upstream commit a91eb6803c1c715738682fece095145cbd68fe0b ] + +In qcom_iommu_has_secure_context(), we should call of_node_put() +for the reference 'child' when breaking out of for_each_child_of_node() +which will automatically increase and decrease the refcount. + +Fixes: d051f28c8807 ("iommu/qcom: Initialize secure page table") +Signed-off-by: Liang He +Link: https://lore.kernel.org/r/20220719124955.1242171-1-windhl@126.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/iommu/qcom_iommu.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/iommu/qcom_iommu.c b/drivers/iommu/qcom_iommu.c +index b0a4a3d2f60e..244e2f7eae84 100644 +--- a/drivers/iommu/qcom_iommu.c ++++ b/drivers/iommu/qcom_iommu.c +@@ -767,9 +767,12 @@ static bool qcom_iommu_has_secure_context(struct qcom_iommu_dev *qcom_iommu) + { + struct device_node *child; + +- for_each_child_of_node(qcom_iommu->dev->of_node, child) +- if (of_device_is_compatible(child, "qcom,msm-iommu-v1-sec")) ++ for_each_child_of_node(qcom_iommu->dev->of_node, child) { ++ if (of_device_is_compatible(child, "qcom,msm-iommu-v1-sec")) { ++ of_node_put(child); + return true; ++ } ++ } + + return false; + } +-- +2.35.1 + diff --git a/queue-4.19/iommu-exynos-handle-failed-iommu-device-registration.patch b/queue-4.19/iommu-exynos-handle-failed-iommu-device-registration.patch new file mode 100644 index 00000000000..ba31f4ecf79 --- /dev/null +++ b/queue-4.19/iommu-exynos-handle-failed-iommu-device-registration.patch @@ -0,0 +1,51 @@ +From 6c913613bcd1da351d1b3bb80d2c0352d53b68e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Jul 2022 19:55:46 +0300 +Subject: iommu/exynos: Handle failed IOMMU device registration properly + +From: Sam Protsenko + +[ Upstream commit fce398d2d02c0a9a2bedf7c7201b123e153e8963 ] + +If iommu_device_register() fails in exynos_sysmmu_probe(), the previous +calls have to be cleaned up. In this case, the iommu_device_sysfs_add() +should be cleaned up, by calling its remove counterpart call. + +Fixes: d2c302b6e8b1 ("iommu/exynos: Make use of iommu_device_register interface") +Signed-off-by: Sam Protsenko +Reviewed-by: Krzysztof Kozlowski +Acked-by: Marek Szyprowski +Link: https://lore.kernel.org/r/20220714165550.8884-3-semen.protsenko@linaro.org +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/exynos-iommu.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/iommu/exynos-iommu.c b/drivers/iommu/exynos-iommu.c +index 4bf6049dd2c7..8626c924f724 100644 +--- a/drivers/iommu/exynos-iommu.c ++++ b/drivers/iommu/exynos-iommu.c +@@ -640,7 +640,7 @@ static int __init exynos_sysmmu_probe(struct platform_device *pdev) + + ret = iommu_device_register(&data->iommu); + if (ret) +- return ret; ++ goto err_iommu_register; + + platform_set_drvdata(pdev, data); + +@@ -667,6 +667,10 @@ static int __init exynos_sysmmu_probe(struct platform_device *pdev) + pm_runtime_enable(dev); + + return 0; ++ ++err_iommu_register: ++ iommu_device_sysfs_remove(&data->iommu); ++ return ret; + } + + static int __maybe_unused exynos_sysmmu_suspend(struct device *dev) +-- +2.35.1 + diff --git a/queue-4.19/jbd2-fix-assertion-jh-b_frozen_data-null-failure-whe.patch b/queue-4.19/jbd2-fix-assertion-jh-b_frozen_data-null-failure-whe.patch new file mode 100644 index 00000000000..5c668170518 --- /dev/null +++ b/queue-4.19/jbd2-fix-assertion-jh-b_frozen_data-null-failure-whe.patch @@ -0,0 +1,110 @@ +From 835156e3381b15afbc68fec26470c54ee471302f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Jul 2022 20:51:52 +0800 +Subject: jbd2: fix assertion 'jh->b_frozen_data == NULL' failure when journal + aborted + +From: Zhihao Cheng + +[ Upstream commit 4a734f0869f970b8a9b65062ea40b09a5da9dba8 ] + +Following process will fail assertion 'jh->b_frozen_data == NULL' in +jbd2_journal_dirty_metadata(): + + jbd2_journal_commit_transaction +unlink(dir/a) + jh->b_transaction = trans1 + jh->b_jlist = BJ_Metadata + journal->j_running_transaction = NULL + trans1->t_state = T_COMMIT +unlink(dir/b) + handle->h_trans = trans2 + do_get_write_access + jh->b_modified = 0 + jh->b_frozen_data = frozen_buffer + jh->b_next_transaction = trans2 + jbd2_journal_dirty_metadata + is_handle_aborted + is_journal_aborted // return false + + --> jbd2 abort <-- + + while (commit_transaction->t_buffers) + if (is_journal_aborted) + jbd2_journal_refile_buffer + __jbd2_journal_refile_buffer + WRITE_ONCE(jh->b_transaction, + jh->b_next_transaction) + WRITE_ONCE(jh->b_next_transaction, NULL) + __jbd2_journal_file_buffer(jh, BJ_Reserved) + J_ASSERT_JH(jh, jh->b_frozen_data == NULL) // assertion failure ! + +The reproducer (See detail in [Link]) reports: + ------------[ cut here ]------------ + kernel BUG at fs/jbd2/transaction.c:1629! + invalid opcode: 0000 [#1] PREEMPT SMP + CPU: 2 PID: 584 Comm: unlink Tainted: G W + 5.19.0-rc6-00115-g4a57a8400075-dirty #697 + RIP: 0010:jbd2_journal_dirty_metadata+0x3c5/0x470 + RSP: 0018:ffffc90000be7ce0 EFLAGS: 00010202 + Call Trace: + + __ext4_handle_dirty_metadata+0xa0/0x290 + ext4_handle_dirty_dirblock+0x10c/0x1d0 + ext4_delete_entry+0x104/0x200 + __ext4_unlink+0x22b/0x360 + ext4_unlink+0x275/0x390 + vfs_unlink+0x20b/0x4c0 + do_unlinkat+0x42f/0x4c0 + __x64_sys_unlink+0x37/0x50 + do_syscall_64+0x35/0x80 + +After journal aborting, __jbd2_journal_refile_buffer() is executed with +holding @jh->b_state_lock, we can fix it by moving 'is_handle_aborted()' +into the area protected by @jh->b_state_lock. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216251 +Fixes: 470decc613ab20 ("[PATCH] jbd2: initial copy of files from jbd") +Signed-off-by: Zhihao Cheng +Link: https://lore.kernel.org/r/20220715125152.4022726-1-chengzhihao1@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/jbd2/transaction.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c +index 8c305593fb51..dbad00c20aa1 100644 +--- a/fs/jbd2/transaction.c ++++ b/fs/jbd2/transaction.c +@@ -1339,8 +1339,6 @@ int jbd2_journal_dirty_metadata(handle_t *handle, struct buffer_head *bh) + struct journal_head *jh; + int ret = 0; + +- if (is_handle_aborted(handle)) +- return -EROFS; + if (!buffer_jbd(bh)) + return -EUCLEAN; + +@@ -1387,6 +1385,18 @@ int jbd2_journal_dirty_metadata(handle_t *handle, struct buffer_head *bh) + journal = transaction->t_journal; + jbd_lock_bh_state(bh); + ++ if (is_handle_aborted(handle)) { ++ /* ++ * Check journal aborting with @jh->b_state_lock locked, ++ * since 'jh->b_transaction' could be replaced with ++ * 'jh->b_next_transaction' during old transaction ++ * committing if journal aborted, which may fail ++ * assertion on 'jh->b_frozen_data == NULL'. ++ */ ++ ret = -EROFS; ++ goto out_unlock_bh; ++ } ++ + if (jh->b_modified == 0) { + /* + * This buffer's got modified and becoming part +-- +2.35.1 + diff --git a/queue-4.19/kfifo-fix-kfifo_to_user-return-type.patch b/queue-4.19/kfifo-fix-kfifo_to_user-return-type.patch new file mode 100644 index 00000000000..12caf19bb08 --- /dev/null +++ b/queue-4.19/kfifo-fix-kfifo_to_user-return-type.patch @@ -0,0 +1,44 @@ +From 39dbe62f0cf842b7737e5ac29067a4de2a3c9793 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jun 2022 08:30:04 +0300 +Subject: kfifo: fix kfifo_to_user() return type + +From: Dan Carpenter + +[ Upstream commit 045ed31e23aea840648c290dbde04797064960db ] + +The kfifo_to_user() macro is supposed to return zero for success or +negative error codes. Unfortunately, there is a signedness bug so it +returns unsigned int. This only affects callers which try to save the +result in ssize_t and as far as I can see the only place which does that +is line6_hwdep_read(). + +TL;DR: s/_uint/_int/. + +Link: https://lkml.kernel.org/r/YrVL3OJVLlNhIMFs@kili +Fixes: 144ecf310eb5 ("kfifo: fix kfifo_alloc() to return a signed int value") +Signed-off-by: Dan Carpenter +Cc: Stefani Seibold +Cc: Randy Dunlap +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + include/linux/kfifo.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/kfifo.h b/include/linux/kfifo.h +index 89fc8dc7bf38..ab9ff74818a4 100644 +--- a/include/linux/kfifo.h ++++ b/include/linux/kfifo.h +@@ -629,7 +629,7 @@ __kfifo_uint_must_check_helper( \ + * writer, you don't need extra locking to use these macro. + */ + #define kfifo_to_user(fifo, to, len, copied) \ +-__kfifo_uint_must_check_helper( \ ++__kfifo_int_must_check_helper( \ + ({ \ + typeof((fifo) + 1) __tmp = (fifo); \ + void __user *__to = (to); \ +-- +2.35.1 + diff --git a/queue-4.19/kprobes-forbid-probing-on-trampoline-and-bpf-code-ar.patch b/queue-4.19/kprobes-forbid-probing-on-trampoline-and-bpf-code-ar.patch new file mode 100644 index 00000000000..77342bca05d --- /dev/null +++ b/queue-4.19/kprobes-forbid-probing-on-trampoline-and-bpf-code-ar.patch @@ -0,0 +1,52 @@ +From 13f821624669d212669885a90a33a2da27e18501 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Aug 2022 11:37:19 +0800 +Subject: kprobes: Forbid probing on trampoline and BPF code areas + +From: Chen Zhongjin + +[ Upstream commit 28f6c37a2910f565b4f5960df52b2eccae28c891 ] + +kernel_text_address() treats ftrace_trampoline, kprobe_insn_slot +and bpf_text_address as valid kprobe addresses - which is not ideal. + +These text areas are removable and changeable without any notification +to kprobes, and probing on them can trigger unexpected behavior: + + https://lkml.org/lkml/2022/7/26/1148 + +Considering that jump_label and static_call text are already +forbiden to probe, kernel_text_address() should be replaced with +core_kernel_text() and is_module_text_address() to check other text +areas which are unsafe to kprobe. + +[ mingo: Rewrote the changelog. ] + +Fixes: 5b485629ba0d ("kprobes, extable: Identify kprobes trampolines as kernel text area") +Fixes: 74451e66d516 ("bpf: make jited programs visible in traces") +Signed-off-by: Chen Zhongjin +Signed-off-by: Ingo Molnar +Acked-by: Masami Hiramatsu (Google) +Link: https://lore.kernel.org/r/20220801033719.228248-1-chenzhongjin@huawei.com +Signed-off-by: Sasha Levin +--- + kernel/kprobes.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/kernel/kprobes.c b/kernel/kprobes.c +index 993b84cc1db5..099191716d4c 100644 +--- a/kernel/kprobes.c ++++ b/kernel/kprobes.c +@@ -1566,7 +1566,8 @@ static int check_kprobe_address_safe(struct kprobe *p, + preempt_disable(); + + /* Ensure it is not in reserved area nor out of text */ +- if (!kernel_text_address((unsigned long) p->addr) || ++ if (!(core_kernel_text((unsigned long) p->addr) || ++ is_module_text_address((unsigned long) p->addr)) || + within_kprobe_blacklist((unsigned long) p->addr) || + jump_label_text_reserved(p->addr, p->addr) || + find_bug((unsigned long)p->addr)) { +-- +2.35.1 + diff --git a/queue-4.19/libbpf-fix-the-name-of-a-reused-map.patch b/queue-4.19/libbpf-fix-the-name-of-a-reused-map.patch new file mode 100644 index 00000000000..24b8e914e19 --- /dev/null +++ b/queue-4.19/libbpf-fix-the-name-of-a-reused-map.patch @@ -0,0 +1,74 @@ +From fae41b533adbc7eefd449cf995c66b0747dee0cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Jul 2022 11:15:40 +0800 +Subject: libbpf: Fix the name of a reused map +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Anquan Wu + +[ Upstream commit bf3f00378524adae16628cbadbd11ba7211863bb ] + +BPF map name is limited to BPF_OBJ_NAME_LEN. +A map name is defined as being longer than BPF_OBJ_NAME_LEN, +it will be truncated to BPF_OBJ_NAME_LEN when a userspace program +calls libbpf to create the map. A pinned map also generates a path +in the /sys. If the previous program wanted to reuse the map, +it can not get bpf_map by name, because the name of the map is only +partially the same as the name which get from pinned path. + +The syscall information below show that map name "process_pinned_map" +is truncated to "process_pinned_". + + bpf(BPF_OBJ_GET, {pathname="/sys/fs/bpf/process_pinned_map", + bpf_fd=0, file_flags=0}, 144) = -1 ENOENT (No such file or directory) + + bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_HASH, key_size=4, + value_size=4,max_entries=1024, map_flags=0, inner_map_fd=0, + map_name="process_pinned_",map_ifindex=0, btf_fd=3, btf_key_type_id=6, + btf_value_type_id=10,btf_vmlinux_value_type_id=0}, 72) = 4 + +This patch check that if the name of pinned map are the same as the +actual name for the first (BPF_OBJ_NAME_LEN - 1), +bpf map still uses the name which is included in bpf object. + +Fixes: 26736eb9a483 ("tools: libbpf: allow map reuse") +Signed-off-by: Anquan Wu +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/OSZP286MB1725CEA1C95C5CB8E7CCC53FB8869@OSZP286MB1725.JPNP286.PROD.OUTLOOK.COM +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/libbpf.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c +index 249fa8d7376e..76cf63705c86 100644 +--- a/tools/lib/bpf/libbpf.c ++++ b/tools/lib/bpf/libbpf.c +@@ -1060,7 +1060,7 @@ static int bpf_map_find_btf_info(struct bpf_map *map, const struct btf *btf) + int bpf_map__reuse_fd(struct bpf_map *map, int fd) + { + struct bpf_map_info info = {}; +- __u32 len = sizeof(info); ++ __u32 len = sizeof(info), name_len; + int new_fd, err; + char *new_name; + +@@ -1068,7 +1068,12 @@ int bpf_map__reuse_fd(struct bpf_map *map, int fd) + if (err) + return err; + +- new_name = strdup(info.name); ++ name_len = strlen(info.name); ++ if (name_len == BPF_OBJ_NAME_LEN - 1 && strncmp(map->name, info.name, name_len) == 0) ++ new_name = strdup(map->name); ++ else ++ new_name = strdup(info.name); ++ + if (!new_name) + return -errno; + +-- +2.35.1 + diff --git a/queue-4.19/media-hdpvr-fix-error-value-returns-in-hdpvr_read.patch b/queue-4.19/media-hdpvr-fix-error-value-returns-in-hdpvr_read.patch new file mode 100644 index 00000000000..ef386c9fc6b --- /dev/null +++ b/queue-4.19/media-hdpvr-fix-error-value-returns-in-hdpvr_read.patch @@ -0,0 +1,44 @@ +From a4f3d52fa02fa38b3fd759c4be7d678b3f8d8ca0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Jun 2022 18:50:02 +0100 +Subject: media: hdpvr: fix error value returns in hdpvr_read + +From: Niels Dossche + +[ Upstream commit 359c27c6ddbde404f44a9c0d3ec88ccd1e2042f2 ] + +Error return values are supposed to be negative in hdpvr_read. Most +error returns are currently handled via an unsigned integer "ret". When +setting a negative error value to "ret", the value actually becomes a +large positive value, because "ret" is unsigned. Later on, the "ret" +value is returned. But as ssize_t is a 64-bit signed number, the error +return value stays a large positive integer instead of a negative +integer. This can cause an error value to be interpreted as the read +size, which can cause a buffer overread for applications relying on the +returned size. + +Fixes: 9aba42efe85b ("V4L/DVB (11096): V4L2 Driver for the Hauppauge HD PVR usb capture device") +Signed-off-by: Niels Dossche +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/hdpvr/hdpvr-video.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/usb/hdpvr/hdpvr-video.c b/drivers/media/usb/hdpvr/hdpvr-video.c +index ce46f8721470..1fb2cdd9c4b2 100644 +--- a/drivers/media/usb/hdpvr/hdpvr-video.c ++++ b/drivers/media/usb/hdpvr/hdpvr-video.c +@@ -413,7 +413,7 @@ static ssize_t hdpvr_read(struct file *file, char __user *buffer, size_t count, + struct hdpvr_device *dev = video_drvdata(file); + struct hdpvr_buffer *buf = NULL; + struct urb *urb; +- unsigned int ret = 0; ++ int ret = 0; + int rem, cnt; + + if (*pos) +-- +2.35.1 + diff --git a/queue-4.19/media-platform-mtk-mdp-fix-mdp_ipi_comm-structure-al.patch b/queue-4.19/media-platform-mtk-mdp-fix-mdp_ipi_comm-structure-al.patch new file mode 100644 index 00000000000..f18b814c3d9 --- /dev/null +++ b/queue-4.19/media-platform-mtk-mdp-fix-mdp_ipi_comm-structure-al.patch @@ -0,0 +1,57 @@ +From 2bd97e9ed4ca7142bf0c890546f490d365f1e915 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jun 2022 14:55:46 +0100 +Subject: media: platform: mtk-mdp: Fix mdp_ipi_comm structure alignment + +From: AngeloGioacchino Del Regno + +[ Upstream commit ab14c99c035da7156a3b66fa171171295bc4b89a ] + +The mdp_ipi_comm structure defines a command that is either +PROCESS (start processing) or DEINIT (destroy instance); we +are using this one to send PROCESS or DEINIT commands from Linux +to an MDP instance through a VPU write but, while the first wants +us to stay 4-bytes aligned, the VPU instead requires an 8-bytes +data alignment. + +Keeping in mind that these commands are executed immediately +after sending them (hence not chained with others before the +VPU/MDP "actually" start executing), it is fine to simply add +a padding of 4 bytes to this structure: this keeps the same +performance as before, as we're still stack-allocating it, +while avoiding hackery inside of mtk-vpu to ensure alignment +bringing a definitely bigger performance impact. + +Fixes: c8eb2d7e8202 ("[media] media: Add Mediatek MDP Driver") +Signed-off-by: AngeloGioacchino Del Regno +Reviewed-by: Houlong Wei +Reviewed-by: Irui Wang +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/mtk-mdp/mtk_mdp_ipi.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/media/platform/mtk-mdp/mtk_mdp_ipi.h b/drivers/media/platform/mtk-mdp/mtk_mdp_ipi.h +index 78e2cc0dead1..4f4a51dd48e1 100644 +--- a/drivers/media/platform/mtk-mdp/mtk_mdp_ipi.h ++++ b/drivers/media/platform/mtk-mdp/mtk_mdp_ipi.h +@@ -48,12 +48,14 @@ struct mdp_ipi_init { + * @ipi_id : IPI_MDP + * @ap_inst : AP mtk_mdp_vpu address + * @vpu_inst_addr : VPU MDP instance address ++ * @padding : Alignment padding + */ + struct mdp_ipi_comm { + uint32_t msg_id; + uint32_t ipi_id; + uint64_t ap_inst; + uint32_t vpu_inst_addr; ++ uint32_t padding; + }; + + /** +-- +2.35.1 + diff --git a/queue-4.19/media-tw686x-register-the-irq-at-the-end-of-probe.patch b/queue-4.19/media-tw686x-register-the-irq-at-the-end-of-probe.patch new file mode 100644 index 00000000000..cda71de704b --- /dev/null +++ b/queue-4.19/media-tw686x-register-the-irq-at-the-end-of-probe.patch @@ -0,0 +1,82 @@ +From 28a66ce33bfed19d38986154368cdc426f7b8752 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 May 2022 07:24:01 +0100 +Subject: media: tw686x: Register the irq at the end of probe + +From: Zheyu Ma + +[ Upstream commit fb730334e0f759d00f72168fbc555e5a95e35210 ] + +We got the following warning when booting the kernel: + +[ 3.243674] INFO: trying to register non-static key. +[ 3.243922] The code is fine but needs lockdep annotation, or maybe +[ 3.244230] you didn't initialize this object before use? +[ 3.245642] Call Trace: +[ 3.247836] lock_acquire+0xff/0x2d0 +[ 3.248727] tw686x_audio_irq+0x1a5/0xcc0 [tw686x] +[ 3.249211] tw686x_irq+0x1f9/0x480 [tw686x] + +The lock 'vc->qlock' will be initialized in tw686x_video_init(), but the +driver registers the irq before calling the tw686x_video_init(), and we +got the warning. + +Fix this by registering the irq at the end of probe + +Fixes: 704a84ccdbf1 ("[media] media: Support Intersil/Techwell TW686x-based video capture cards") +Signed-off-by: Zheyu Ma +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/tw686x/tw686x-core.c | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +diff --git a/drivers/media/pci/tw686x/tw686x-core.c b/drivers/media/pci/tw686x/tw686x-core.c +index 7fb3f07bf022..8e759728ef22 100644 +--- a/drivers/media/pci/tw686x/tw686x-core.c ++++ b/drivers/media/pci/tw686x/tw686x-core.c +@@ -318,13 +318,6 @@ static int tw686x_probe(struct pci_dev *pci_dev, + + spin_lock_init(&dev->lock); + +- err = request_irq(pci_dev->irq, tw686x_irq, IRQF_SHARED, +- dev->name, dev); +- if (err < 0) { +- dev_err(&pci_dev->dev, "unable to request interrupt\n"); +- goto iounmap; +- } +- + timer_setup(&dev->dma_delay_timer, tw686x_dma_delay, 0); + + /* +@@ -336,18 +329,23 @@ static int tw686x_probe(struct pci_dev *pci_dev, + err = tw686x_video_init(dev); + if (err) { + dev_err(&pci_dev->dev, "can't register video\n"); +- goto free_irq; ++ goto iounmap; + } + + err = tw686x_audio_init(dev); + if (err) + dev_warn(&pci_dev->dev, "can't register audio\n"); + ++ err = request_irq(pci_dev->irq, tw686x_irq, IRQF_SHARED, ++ dev->name, dev); ++ if (err < 0) { ++ dev_err(&pci_dev->dev, "unable to request interrupt\n"); ++ goto iounmap; ++ } ++ + pci_set_drvdata(pci_dev, dev); + return 0; + +-free_irq: +- free_irq(pci_dev->irq, dev); + iounmap: + pci_iounmap(pci_dev, dev->mmio); + free_region: +-- +2.35.1 + diff --git a/queue-4.19/mediatek-mt76-mac80211-fix-missing-of_node_put-in-mt.patch b/queue-4.19/mediatek-mt76-mac80211-fix-missing-of_node_put-in-mt.patch new file mode 100644 index 00000000000..b554c178100 --- /dev/null +++ b/queue-4.19/mediatek-mt76-mac80211-fix-missing-of_node_put-in-mt.patch @@ -0,0 +1,36 @@ +From b6ad455552b65ac82efbbf1d9e3ee3c9f318c5f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Jul 2022 16:34:20 +0800 +Subject: mediatek: mt76: mac80211: Fix missing of_node_put() in + mt76_led_init() + +From: Liang He + +[ Upstream commit 0a14c1d0113f121151edf34333cdf212dd209190 ] + +We should use of_node_put() for the reference 'np' returned by +of_get_child_by_name() which will increase the refcount. + +Fixes: 17f1de56df05 ("mt76: add common code shared between multiple chipsets") +Signed-off-by: Liang He +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mac80211.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/mediatek/mt76/mac80211.c b/drivers/net/wireless/mediatek/mt76/mac80211.c +index 1b5abd4816ed..203b888f38d8 100644 +--- a/drivers/net/wireless/mediatek/mt76/mac80211.c ++++ b/drivers/net/wireless/mediatek/mt76/mac80211.c +@@ -114,6 +114,7 @@ static int mt76_led_init(struct mt76_dev *dev) + if (!of_property_read_u32(np, "led-sources", &led_pin)) + dev->led_pin = led_pin; + dev->led_al = of_property_read_bool(np, "led-active-low"); ++ of_node_put(np); + } + + return devm_led_classdev_register(dev->dev, &dev->led_cdev); +-- +2.35.1 + diff --git a/queue-4.19/memstick-ms_block-fix-a-memory-leak.patch b/queue-4.19/memstick-ms_block-fix-a-memory-leak.patch new file mode 100644 index 00000000000..de605747b06 --- /dev/null +++ b/queue-4.19/memstick-ms_block-fix-a-memory-leak.patch @@ -0,0 +1,39 @@ +From 9c9414b0eb9f3c10213113f10e1a0b35bb39972f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Jun 2022 14:55:56 +0200 +Subject: memstick/ms_block: Fix a memory leak + +From: Christophe JAILLET + +[ Upstream commit 54eb7a55be6779c4d0c25eaf5056498a28595049 ] + +'erased_blocks_bitmap' is never freed. As it is allocated at the same time +as 'used_blocks_bitmap', it is likely that it should be freed also at the +same time. + +Add the corresponding bitmap_free() in msb_data_clear(). + +Fixes: 0ab30494bc4f ("memstick: add support for legacy memorysticks") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/b3b78926569445962ea5c3b6e9102418a9effb88.1656155715.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/memstick/core/ms_block.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/memstick/core/ms_block.c b/drivers/memstick/core/ms_block.c +index 0874fa882649..addf76a8d1b0 100644 +--- a/drivers/memstick/core/ms_block.c ++++ b/drivers/memstick/core/ms_block.c +@@ -1962,6 +1962,7 @@ static void msb_data_clear(struct msb_data *msb) + { + kfree(msb->boot_page); + bitmap_free(msb->used_blocks_bitmap); ++ bitmap_free(msb->erased_blocks_bitmap); + kfree(msb->lba_to_pba_table); + kfree(msb->cache); + msb->card = NULL; +-- +2.35.1 + diff --git a/queue-4.19/memstick-ms_block-fix-some-incorrect-memory-allocati.patch b/queue-4.19/memstick-ms_block-fix-some-incorrect-memory-allocati.patch new file mode 100644 index 00000000000..f2dd153ed28 --- /dev/null +++ b/queue-4.19/memstick-ms_block-fix-some-incorrect-memory-allocati.patch @@ -0,0 +1,65 @@ +From 802b5e286f0da3e0d74a9c7edb37f393efa3986a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Jun 2022 14:55:25 +0200 +Subject: memstick/ms_block: Fix some incorrect memory allocation + +From: Christophe JAILLET + +[ Upstream commit 2e531bc3e0d86362fcd8a577b3278d9ef3cc2ba0 ] + +Some functions of the bitmap API take advantage of the fact that a bitmap +is an array of long. + +So, to make sure this assertion is correct, allocate bitmaps with +bitmap_zalloc() instead of kzalloc()+hand-computed number of bytes. + +While at it, also use bitmap_free() instead of kfree() to keep the +semantic. + +Fixes: 0ab30494bc4f ("memstick: add support for legacy memorysticks") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/dbf633c48c24ae6d95f852557e8d8b3bbdef65fe.1656155715.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/memstick/core/ms_block.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/memstick/core/ms_block.c b/drivers/memstick/core/ms_block.c +index 7aab26128f6d..0874fa882649 100644 +--- a/drivers/memstick/core/ms_block.c ++++ b/drivers/memstick/core/ms_block.c +@@ -1339,17 +1339,17 @@ static int msb_ftl_initialize(struct msb_data *msb) + msb->zone_count = msb->block_count / MS_BLOCKS_IN_ZONE; + msb->logical_block_count = msb->zone_count * 496 - 2; + +- msb->used_blocks_bitmap = kzalloc(msb->block_count / 8, GFP_KERNEL); +- msb->erased_blocks_bitmap = kzalloc(msb->block_count / 8, GFP_KERNEL); ++ msb->used_blocks_bitmap = bitmap_zalloc(msb->block_count, GFP_KERNEL); ++ msb->erased_blocks_bitmap = bitmap_zalloc(msb->block_count, GFP_KERNEL); + msb->lba_to_pba_table = + kmalloc_array(msb->logical_block_count, sizeof(u16), + GFP_KERNEL); + + if (!msb->used_blocks_bitmap || !msb->lba_to_pba_table || + !msb->erased_blocks_bitmap) { +- kfree(msb->used_blocks_bitmap); ++ bitmap_free(msb->used_blocks_bitmap); ++ bitmap_free(msb->erased_blocks_bitmap); + kfree(msb->lba_to_pba_table); +- kfree(msb->erased_blocks_bitmap); + return -ENOMEM; + } + +@@ -1961,7 +1961,7 @@ static int msb_bd_open(struct block_device *bdev, fmode_t mode) + static void msb_data_clear(struct msb_data *msb) + { + kfree(msb->boot_page); +- kfree(msb->used_blocks_bitmap); ++ bitmap_free(msb->used_blocks_bitmap); + kfree(msb->lba_to_pba_table); + kfree(msb->cache); + msb->card = NULL; +-- +2.35.1 + diff --git a/queue-4.19/meson-mx-socinfo-fix-refcount-leak-in-meson_mx_socin.patch b/queue-4.19/meson-mx-socinfo-fix-refcount-leak-in-meson_mx_socin.patch new file mode 100644 index 00000000000..12312ae3c87 --- /dev/null +++ b/queue-4.19/meson-mx-socinfo-fix-refcount-leak-in-meson_mx_socin.patch @@ -0,0 +1,38 @@ +From c13a683a28c1c9974bd1848f992382a6ca1149aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 May 2022 10:57:29 +0400 +Subject: meson-mx-socinfo: Fix refcount leak in meson_mx_socinfo_init + +From: Miaoqian Lin + +[ Upstream commit a2106f38077e78afcb4bf98fdda3e162118cfb3d ] + +of_find_matching_node() returns a node pointer with refcount +incremented, we should use of_node_put() on it when not need anymore. +Add missing of_node_put() to avoid refcount leak. + +Fixes: 5e68c0fc8df8 ("soc: amlogic: Add Meson6/Meson8/Meson8b/Meson8m2 SoC Information driver") +Signed-off-by: Miaoqian Lin +Reviewed-by: Martin Blumenstingl +Signed-off-by: Neil Armstrong +Link: https://lore.kernel.org/r/20220524065729.33689-1-linmq006@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/soc/amlogic/meson-mx-socinfo.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/soc/amlogic/meson-mx-socinfo.c b/drivers/soc/amlogic/meson-mx-socinfo.c +index 78f0f1aeca57..92125dd65f33 100644 +--- a/drivers/soc/amlogic/meson-mx-socinfo.c ++++ b/drivers/soc/amlogic/meson-mx-socinfo.c +@@ -126,6 +126,7 @@ static int __init meson_mx_socinfo_init(void) + np = of_find_matching_node(NULL, meson_mx_socinfo_analog_top_ids); + if (np) { + analog_top_regmap = syscon_node_to_regmap(np); ++ of_node_put(np); + if (IS_ERR(analog_top_regmap)) + return PTR_ERR(analog_top_regmap); + +-- +2.35.1 + diff --git a/queue-4.19/mfd-t7l66xb-drop-platform-disable-callback.patch b/queue-4.19/mfd-t7l66xb-drop-platform-disable-callback.patch new file mode 100644 index 00000000000..d8272e932da --- /dev/null +++ b/queue-4.19/mfd-t7l66xb-drop-platform-disable-callback.patch @@ -0,0 +1,70 @@ +From 0ff414ab6400e944d1c8879eb25a9e699959e3b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 May 2022 21:24:28 +0200 +Subject: mfd: t7l66xb: Drop platform disable callback +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 128ac294e1b437cb8a7f2ff8ede1cde9082bddbe ] + +None of the in-tree instantiations of struct t7l66xb_platform_data +provides a disable callback. So better don't dereference this function +pointer unconditionally. As there is no user, drop it completely instead +of calling it conditional. + +This is a preparation for making platform remove callbacks return void. + +Fixes: 1f192015ca5b ("mfd: driver for the T7L66XB TMIO SoC") +Signed-off-by: Uwe Kleine-König +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20220530192430.2108217-3-u.kleine-koenig@pengutronix.de +Signed-off-by: Sasha Levin +--- + drivers/mfd/t7l66xb.c | 6 +----- + include/linux/mfd/t7l66xb.h | 1 - + 2 files changed, 1 insertion(+), 6 deletions(-) + +diff --git a/drivers/mfd/t7l66xb.c b/drivers/mfd/t7l66xb.c +index 43d8683266de..caa61649fe79 100644 +--- a/drivers/mfd/t7l66xb.c ++++ b/drivers/mfd/t7l66xb.c +@@ -412,11 +412,8 @@ static int t7l66xb_probe(struct platform_device *dev) + + static int t7l66xb_remove(struct platform_device *dev) + { +- struct t7l66xb_platform_data *pdata = dev_get_platdata(&dev->dev); + struct t7l66xb *t7l66xb = platform_get_drvdata(dev); +- int ret; + +- ret = pdata->disable(dev); + clk_disable_unprepare(t7l66xb->clk48m); + clk_put(t7l66xb->clk48m); + clk_disable_unprepare(t7l66xb->clk32k); +@@ -427,8 +424,7 @@ static int t7l66xb_remove(struct platform_device *dev) + mfd_remove_devices(&dev->dev); + kfree(t7l66xb); + +- return ret; +- ++ return 0; + } + + static struct platform_driver t7l66xb_platform_driver = { +diff --git a/include/linux/mfd/t7l66xb.h b/include/linux/mfd/t7l66xb.h +index b4629818aea5..d4e7f0453c91 100644 +--- a/include/linux/mfd/t7l66xb.h ++++ b/include/linux/mfd/t7l66xb.h +@@ -16,7 +16,6 @@ + + struct t7l66xb_platform_data { + int (*enable)(struct platform_device *dev); +- int (*disable)(struct platform_device *dev); + int (*suspend)(struct platform_device *dev); + int (*resume)(struct platform_device *dev); + +-- +2.35.1 + diff --git a/queue-4.19/misc-rtsx-fix-an-error-handling-path-in-rtsx_pci_pro.patch b/queue-4.19/misc-rtsx-fix-an-error-handling-path-in-rtsx_pci_pro.patch new file mode 100644 index 00000000000..d495cfdab2f --- /dev/null +++ b/queue-4.19/misc-rtsx-fix-an-error-handling-path-in-rtsx_pci_pro.patch @@ -0,0 +1,51 @@ +From 37e40710bb62b15e18bb268f0dbf4414aceab9df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Jun 2022 07:33:44 +0200 +Subject: misc: rtsx: Fix an error handling path in rtsx_pci_probe() + +From: Christophe JAILLET + +[ Upstream commit 44fd1917314e9d4f53dd95dd65df1c152f503d3a ] + +If an error occurs after a successful idr_alloc() call, the corresponding +resource must be released with idr_remove() as already done in the .remove +function. + +Update the error handling path to add the missing idr_remove() call. + +Fixes: ada8a8a13b13 ("mfd: Add realtek pcie card reader driver") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/e8dc41716cbf52fb37a12e70d8972848e69df6d6.1655271216.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/cardreader/rtsx_pcr.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/misc/cardreader/rtsx_pcr.c b/drivers/misc/cardreader/rtsx_pcr.c +index 3eb3c237f339..80b9f36dbca4 100644 +--- a/drivers/misc/cardreader/rtsx_pcr.c ++++ b/drivers/misc/cardreader/rtsx_pcr.c +@@ -1479,7 +1479,7 @@ static int rtsx_pci_probe(struct pci_dev *pcidev, + pcr->remap_addr = ioremap_nocache(base, len); + if (!pcr->remap_addr) { + ret = -ENOMEM; +- goto free_handle; ++ goto free_idr; + } + + pcr->rtsx_resv_buf = dma_alloc_coherent(&(pcidev->dev), +@@ -1541,6 +1541,10 @@ static int rtsx_pci_probe(struct pci_dev *pcidev, + pcr->rtsx_resv_buf, pcr->rtsx_resv_buf_addr); + unmap: + iounmap(pcr->remap_addr); ++free_idr: ++ spin_lock(&rtsx_pci_lock); ++ idr_remove(&rtsx_pci_idr, pcr->id); ++ spin_unlock(&rtsx_pci_lock); + free_handle: + kfree(handle); + free_pcr: +-- +2.35.1 + diff --git a/queue-4.19/mm-mmap.c-fix-missing-call-to-vm_unacct_memory-in-mm.patch b/queue-4.19/mm-mmap.c-fix-missing-call-to-vm_unacct_memory-in-mm.patch new file mode 100644 index 00000000000..4632d743286 --- /dev/null +++ b/queue-4.19/mm-mmap.c-fix-missing-call-to-vm_unacct_memory-in-mm.patch @@ -0,0 +1,40 @@ +From af76088513f0705ff3fe9284babe2c6a0c5772de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Jun 2022 16:20:27 +0800 +Subject: mm/mmap.c: fix missing call to vm_unacct_memory in mmap_region + +From: Miaohe Lin + +[ Upstream commit 7f82f922319ede486540e8746769865b9508d2c2 ] + +Since the beginning, charged is set to 0 to avoid calling vm_unacct_memory +twice because vm_unacct_memory will be called by above unmap_region. But +since commit 4f74d2c8e827 ("vm: remove 'nr_accounted' calculations from +the unmap_vmas() interfaces"), unmap_region doesn't call vm_unacct_memory +anymore. So charged shouldn't be set to 0 now otherwise the calling to +paired vm_unacct_memory will be missed and leads to imbalanced account. + +Link: https://lkml.kernel.org/r/20220618082027.43391-1-linmiaohe@huawei.com +Fixes: 4f74d2c8e827 ("vm: remove 'nr_accounted' calculations from the unmap_vmas() interfaces") +Signed-off-by: Miaohe Lin +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + mm/mmap.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/mm/mmap.c b/mm/mmap.c +index bb8ba3258945..590840c3a3b5 100644 +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -1821,7 +1821,6 @@ unsigned long mmap_region(struct file *file, unsigned long addr, + + /* Undo any partial mapping done by a device driver. */ + unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end); +- charged = 0; + if (vm_flags & VM_SHARED) + mapping_unmap_writable(file->f_mapping); + allow_write_and_free_vma: +-- +2.35.1 + diff --git a/queue-4.19/mmc-cavium-octeon-add-of_node_put-when-breaking-out-.patch b/queue-4.19/mmc-cavium-octeon-add-of_node_put-when-breaking-out-.patch new file mode 100644 index 00000000000..604171888a2 --- /dev/null +++ b/queue-4.19/mmc-cavium-octeon-add-of_node_put-when-breaking-out-.patch @@ -0,0 +1,38 @@ +From 421f74b1d587b7783979b03817c24b661f6e40c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Jul 2022 17:52:15 +0800 +Subject: mmc: cavium-octeon: Add of_node_put() when breaking out of loop + +From: Liang He + +[ Upstream commit 19bbb49acf8d7a03cb83e05624363741a4c3ec6f ] + +In octeon_mmc_probe(), we should call of_node_put() when breaking +out of for_each_child_of_node() which has increased and decreased +the refcount during each iteration. + +Fixes: 01d95843335c ("mmc: cavium: Add MMC support for Octeon SOCs.") +Signed-off-by: Liang He +Acked-by: Robert Richter +Link: https://lore.kernel.org/r/20220719095216.1241601-1-windhl@126.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/cavium-octeon.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/mmc/host/cavium-octeon.c b/drivers/mmc/host/cavium-octeon.c +index 22aded1065ae..2245452a44c8 100644 +--- a/drivers/mmc/host/cavium-octeon.c ++++ b/drivers/mmc/host/cavium-octeon.c +@@ -288,6 +288,7 @@ static int octeon_mmc_probe(struct platform_device *pdev) + if (ret) { + dev_err(&pdev->dev, "Error populating slots\n"); + octeon_mmc_set_shared_power(host, 0); ++ of_node_put(cn); + goto error; + } + i++; +-- +2.35.1 + diff --git a/queue-4.19/mmc-cavium-thunderx-add-of_node_put-when-breaking-ou.patch b/queue-4.19/mmc-cavium-thunderx-add-of_node_put-when-breaking-ou.patch new file mode 100644 index 00000000000..33c29029761 --- /dev/null +++ b/queue-4.19/mmc-cavium-thunderx-add-of_node_put-when-breaking-ou.patch @@ -0,0 +1,42 @@ +From 0fe01e888b185293b645196fc78e85db4148b75f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Jul 2022 17:52:16 +0800 +Subject: mmc: cavium-thunderx: Add of_node_put() when breaking out of loop + +From: Liang He + +[ Upstream commit 7ee480795e41db314f2c445c65ed854a5d6e8e32 ] + +In thunder_mmc_probe(), we should call of_node_put() when breaking +out of for_each_child_of_node() which has increased and decreased +the refcount during each iteration. + +Fixes: 166bac38c3c5 ("mmc: cavium: Add MMC PCI driver for ThunderX SOCs") +Signed-off-by: Liang He +Acked-by: Robert Richter +Link: https://lore.kernel.org/r/20220719095216.1241601-2-windhl@126.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/cavium-thunderx.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/cavium-thunderx.c b/drivers/mmc/host/cavium-thunderx.c +index eee08d81b242..f79806e31e7e 100644 +--- a/drivers/mmc/host/cavium-thunderx.c ++++ b/drivers/mmc/host/cavium-thunderx.c +@@ -138,8 +138,10 @@ static int thunder_mmc_probe(struct pci_dev *pdev, + continue; + + ret = cvm_mmc_of_slot_probe(&host->slot_pdev[i]->dev, host); +- if (ret) ++ if (ret) { ++ of_node_put(child_node); + goto error; ++ } + } + i++; + } +-- +2.35.1 + diff --git a/queue-4.19/mmc-sdhci-of-at91-fix-set_uhs_signaling-rewriting-of.patch b/queue-4.19/mmc-sdhci-of-at91-fix-set_uhs_signaling-rewriting-of.patch new file mode 100644 index 00000000000..83740986c96 --- /dev/null +++ b/queue-4.19/mmc-sdhci-of-at91-fix-set_uhs_signaling-rewriting-of.patch @@ -0,0 +1,48 @@ +From 005ff9596ff634f2095aaf3d3ea6551cae3d43c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jun 2022 12:09:26 +0300 +Subject: mmc: sdhci-of-at91: fix set_uhs_signaling rewriting of MC1R + +From: Eugen Hristev + +[ Upstream commit 5987e6ded29d52e42fc7b06aa575c60a25eee38e ] + +In set_uhs_signaling, the DDR bit is being set by fully writing the MC1R +register. +This can lead to accidental erase of certain bits in this register. +Avoid this by doing a read-modify-write operation. + +Fixes: d0918764c17b ("mmc: sdhci-of-at91: fix MMC_DDR_52 timing selection") +Signed-off-by: Eugen Hristev +Tested-by: Karl Olsen +Acked-by: Adrian Hunter +Link: https://lore.kernel.org/r/20220630090926.15061-1-eugen.hristev@microchip.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/sdhci-of-at91.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/mmc/host/sdhci-of-at91.c b/drivers/mmc/host/sdhci-of-at91.c +index 8cd1794768ba..70ce977cfeec 100644 +--- a/drivers/mmc/host/sdhci-of-at91.c ++++ b/drivers/mmc/host/sdhci-of-at91.c +@@ -117,8 +117,13 @@ static void sdhci_at91_set_power(struct sdhci_host *host, unsigned char mode, + static void sdhci_at91_set_uhs_signaling(struct sdhci_host *host, + unsigned int timing) + { +- if (timing == MMC_TIMING_MMC_DDR52) +- sdhci_writeb(host, SDMMC_MC1R_DDR, SDMMC_MC1R); ++ u8 mc1r; ++ ++ if (timing == MMC_TIMING_MMC_DDR52) { ++ mc1r = sdhci_readb(host, SDMMC_MC1R); ++ mc1r |= SDMMC_MC1R_DDR; ++ sdhci_writeb(host, mc1r, SDMMC_MC1R); ++ } + sdhci_set_uhs_signaling(host, timing); + } + +-- +2.35.1 + diff --git a/queue-4.19/mmc-sdhci-of-esdhc-fix-refcount-leak-in-esdhc_signal.patch b/queue-4.19/mmc-sdhci-of-esdhc-fix-refcount-leak-in-esdhc_signal.patch new file mode 100644 index 00000000000..b277c1ab6c0 --- /dev/null +++ b/queue-4.19/mmc-sdhci-of-esdhc-fix-refcount-leak-in-esdhc_signal.patch @@ -0,0 +1,38 @@ +From bc8a97faa68706dc6feed0bf5dc9bb495e007646 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 May 2022 18:42:54 +0400 +Subject: mmc: sdhci-of-esdhc: Fix refcount leak in esdhc_signal_voltage_switch + +From: Miaoqian Lin + +[ Upstream commit b5899a3e2f783a27b268e38d37f9b24c71bddf45 ] + +of_find_matching_node() returns a node pointer with refcount +incremented, we should use of_node_put() on it when not need anymore. +Add missing of_node_put() to avoid refcount leak. +of_node_put() checks null pointer. + +Fixes: ea35645a3c66 ("mmc: sdhci-of-esdhc: add support for signal voltage switch") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220523144255.10310-1-linmq006@gmail.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/sdhci-of-esdhc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/mmc/host/sdhci-of-esdhc.c b/drivers/mmc/host/sdhci-of-esdhc.c +index d6cb0f9a3488..77ae23077f56 100644 +--- a/drivers/mmc/host/sdhci-of-esdhc.c ++++ b/drivers/mmc/host/sdhci-of-esdhc.c +@@ -704,6 +704,7 @@ static int esdhc_signal_voltage_switch(struct mmc_host *mmc, + scfg_node = of_find_matching_node(NULL, scfg_device_ids); + if (scfg_node) + scfg_base = of_iomap(scfg_node, 0); ++ of_node_put(scfg_node); + if (scfg_base) { + sdhciovselcr = SDHCIOVSELCR_TGLEN | + SDHCIOVSELCR_VSELVAL; +-- +2.35.1 + diff --git a/queue-4.19/mtd-maps-fix-refcount-leak-in-ap_flash_init.patch b/queue-4.19/mtd-maps-fix-refcount-leak-in-ap_flash_init.patch new file mode 100644 index 00000000000..922c10d20b9 --- /dev/null +++ b/queue-4.19/mtd-maps-fix-refcount-leak-in-ap_flash_init.patch @@ -0,0 +1,38 @@ +From 2180de5b66ecac88a65ce2aceea54355c8791a85 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 May 2022 18:32:55 +0400 +Subject: mtd: maps: Fix refcount leak in ap_flash_init + +From: Miaoqian Lin + +[ Upstream commit 77087a04c8fd554134bddcb8a9ff87b21f357926 ] + +of_find_matching_node() returns a node pointer with refcount +incremented, we should use of_node_put() on it when not need anymore. +Add missing of_node_put() to avoid refcount leak. + +Fixes: b0afd44bc192 ("mtd: physmap_of: add a hook for Versatile write protection") +Signed-off-by: Miaoqian Lin +Reviewed-by: Linus Walleij +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20220523143255.4376-1-linmq006@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/maps/physmap_of_versatile.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/mtd/maps/physmap_of_versatile.c b/drivers/mtd/maps/physmap_of_versatile.c +index 961704228dd2..7d56e97bd50f 100644 +--- a/drivers/mtd/maps/physmap_of_versatile.c ++++ b/drivers/mtd/maps/physmap_of_versatile.c +@@ -107,6 +107,7 @@ static int ap_flash_init(struct platform_device *pdev) + return -ENODEV; + } + ebi_base = of_iomap(ebi, 0); ++ of_node_put(ebi); + if (!ebi_base) + return -ENODEV; + +-- +2.35.1 + diff --git a/queue-4.19/mtd-maps-fix-refcount-leak-in-of_flash_probe_versati.patch b/queue-4.19/mtd-maps-fix-refcount-leak-in-of_flash_probe_versati.patch new file mode 100644 index 00000000000..aeb1bac628e --- /dev/null +++ b/queue-4.19/mtd-maps-fix-refcount-leak-in-of_flash_probe_versati.patch @@ -0,0 +1,38 @@ +From b596b1fcb7f8cc437b075f8457228564ae6fa003 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 May 2022 18:02:05 +0400 +Subject: mtd: maps: Fix refcount leak in of_flash_probe_versatile + +From: Miaoqian Lin + +[ Upstream commit 33ec82a6d2b119938f26e5c8040ed5d92378eb54 ] + +of_find_matching_node_and_match() returns a node pointer with refcount +incremented, we should use of_node_put() on it when not need anymore. +Add missing of_node_put() to avoid refcount leak. + +Fixes: b0afd44bc192 ("mtd: physmap_of: add a hook for Versatile write protection") +Signed-off-by: Miaoqian Lin +Reviewed-by: Linus Walleij +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20220523140205.48625-1-linmq006@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/maps/physmap_of_versatile.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/mtd/maps/physmap_of_versatile.c b/drivers/mtd/maps/physmap_of_versatile.c +index 03f2b6e7bc7e..961704228dd2 100644 +--- a/drivers/mtd/maps/physmap_of_versatile.c ++++ b/drivers/mtd/maps/physmap_of_versatile.c +@@ -221,6 +221,7 @@ int of_flash_probe_versatile(struct platform_device *pdev, + + versatile_flashprot = (enum versatile_flashprot)devid->data; + rmap = syscon_node_to_regmap(sysnp); ++ of_node_put(sysnp); + if (IS_ERR(rmap)) + return PTR_ERR(rmap); + +-- +2.35.1 + diff --git a/queue-4.19/mtd-sm_ftl-fix-deadlock-caused-by-cancel_work_sync-i.patch b/queue-4.19/mtd-sm_ftl-fix-deadlock-caused-by-cancel_work_sync-i.patch new file mode 100644 index 00000000000..cf570cd9d9c --- /dev/null +++ b/queue-4.19/mtd-sm_ftl-fix-deadlock-caused-by-cancel_work_sync-i.patch @@ -0,0 +1,53 @@ +From 8c389b7c647a8d9dffa69496190aecb7a02d2f79 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 May 2022 12:48:41 +0800 +Subject: mtd: sm_ftl: Fix deadlock caused by cancel_work_sync in sm_release + +From: Duoming Zhou + +[ Upstream commit a61528d997619a518ee8c51cf0ef0513021afaff ] + +There is a deadlock between sm_release and sm_cache_flush_work +which is a work item. The cancel_work_sync in sm_release will +not return until sm_cache_flush_work is finished. If we hold +mutex_lock and use cancel_work_sync to wait the work item to +finish, the work item also requires mutex_lock. As a result, +the sm_release will be blocked forever. The race condition is +shown below: + + (Thread 1) | (Thread 2) +sm_release | + mutex_lock(&ftl->mutex) | sm_cache_flush_work + | mutex_lock(&ftl->mutex) + cancel_work_sync | ... + +This patch moves del_timer_sync and cancel_work_sync out of +mutex_lock in order to mitigate deadlock. + +Fixes: 7d17c02a01a1 ("mtd: Add new SmartMedia/xD FTL") +Signed-off-by: Duoming Zhou +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20220524044841.10517-1-duoming@zju.edu.cn +Signed-off-by: Sasha Levin +--- + drivers/mtd/sm_ftl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mtd/sm_ftl.c b/drivers/mtd/sm_ftl.c +index f3bd86e13603..e57f7ba054bc 100644 +--- a/drivers/mtd/sm_ftl.c ++++ b/drivers/mtd/sm_ftl.c +@@ -1091,9 +1091,9 @@ static void sm_release(struct mtd_blktrans_dev *dev) + { + struct sm_ftl *ftl = dev->priv; + +- mutex_lock(&ftl->mutex); + del_timer_sync(&ftl->timer); + cancel_work_sync(&ftl->flush_work); ++ mutex_lock(&ftl->mutex); + sm_cache_flush(ftl); + mutex_unlock(&ftl->mutex); + } +-- +2.35.1 + diff --git a/queue-4.19/mtd-st_spi_fsm-add-a-clk_disable_unprepare-in-.probe.patch b/queue-4.19/mtd-st_spi_fsm-add-a-clk_disable_unprepare-in-.probe.patch new file mode 100644 index 00000000000..d6dda7a8ab7 --- /dev/null +++ b/queue-4.19/mtd-st_spi_fsm-add-a-clk_disable_unprepare-in-.probe.patch @@ -0,0 +1,49 @@ +From 09d771a4a762899393dcbb5c460ab76b7236b235 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jun 2022 17:24:55 +0200 +Subject: mtd: st_spi_fsm: Add a clk_disable_unprepare() in .probe()'s error + path +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 28607b426c3d050714f250d0faeb99d2e9106e90 ] + +For all but one error path clk_disable_unprepare() is already there. Add +it to the one location where it's missing. + +Fixes: 481815a6193b ("mtd: st_spi_fsm: Handle clk_prepare_enable/clk_disable_unprepare.") +Fixes: 69d5af8d016c ("mtd: st_spi_fsm: Obtain and use EMI clock") +Signed-off-by: Uwe Kleine-König +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20220607152458.232847-2-u.kleine-koenig@pengutronix.de +Signed-off-by: Sasha Levin +--- + drivers/mtd/devices/st_spi_fsm.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/mtd/devices/st_spi_fsm.c b/drivers/mtd/devices/st_spi_fsm.c +index 55d4a77f3b7f..533096c88ae1 100644 +--- a/drivers/mtd/devices/st_spi_fsm.c ++++ b/drivers/mtd/devices/st_spi_fsm.c +@@ -2120,10 +2120,12 @@ static int stfsm_probe(struct platform_device *pdev) + (long long)fsm->mtd.size, (long long)(fsm->mtd.size >> 20), + fsm->mtd.erasesize, (fsm->mtd.erasesize >> 10)); + +- return mtd_device_register(&fsm->mtd, NULL, 0); +- ++ ret = mtd_device_register(&fsm->mtd, NULL, 0); ++ if (ret) { + err_clk_unprepare: +- clk_disable_unprepare(fsm->clk); ++ clk_disable_unprepare(fsm->clk); ++ } ++ + return ret; + } + +-- +2.35.1 + diff --git a/queue-4.19/net-mlx5e-fix-the-value-of-mlx5e_max_rq_num_mtts.patch b/queue-4.19/net-mlx5e-fix-the-value-of-mlx5e_max_rq_num_mtts.patch new file mode 100644 index 00000000000..7a2b6f0d23c --- /dev/null +++ b/queue-4.19/net-mlx5e-fix-the-value-of-mlx5e_max_rq_num_mtts.patch @@ -0,0 +1,40 @@ +From ff4c4687c54e1bc2f23032fa0cbc1f4433d1da87 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 May 2022 16:48:47 +0300 +Subject: net/mlx5e: Fix the value of MLX5E_MAX_RQ_NUM_MTTS + +From: Maxim Mikityanskiy + +[ Upstream commit 562696c3c62c7c23dd896e9447252ce9268cb812 ] + +MLX5E_MAX_RQ_NUM_MTTS should be the maximum value, so that +MLX5_MTT_OCTW(MLX5E_MAX_RQ_NUM_MTTS) fits into u16. The current value of +1 << 17 results in MLX5_MTT_OCTW(1 << 17) = 1 << 16, which doesn't fit +into u16. This commit replaces it with the maximum value that still +fits u16. + +Fixes: 73281b78a37a ("net/mlx5e: Derive Striding RQ size from MTU") +Signed-off-by: Maxim Mikityanskiy +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en.h b/drivers/net/ethernet/mellanox/mlx5/core/en.h +index d79e177f8990..ec303d4d2d7a 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h +@@ -95,7 +95,7 @@ struct page_pool; + #define MLX5E_LOG_ALIGNED_MPWQE_PPW (ilog2(MLX5E_REQUIRED_WQE_MTTS)) + #define MLX5E_REQUIRED_MTTS(wqes) (wqes * MLX5E_REQUIRED_WQE_MTTS) + #define MLX5E_MAX_RQ_NUM_MTTS \ +- ((1 << 16) * 2) /* So that MLX5_MTT_OCTW(num_mtts) fits into u16 */ ++ (ALIGN_DOWN(U16_MAX, 4) * 2) /* So that MLX5_MTT_OCTW(num_mtts) fits into u16 */ + #define MLX5E_ORDER2_MAX_PACKET_MTU (order_base_2(10 * 1024)) + #define MLX5E_PARAMS_MAXIMUM_LOG_RQ_SIZE_MPW \ + (ilog2(MLX5E_MAX_RQ_NUM_MTTS / MLX5E_REQUIRED_WQE_MTTS)) +-- +2.35.1 + diff --git a/queue-4.19/net-rose-fix-netdev-reference-changes.patch b/queue-4.19/net-rose-fix-netdev-reference-changes.patch new file mode 100644 index 00000000000..255b927a7c7 --- /dev/null +++ b/queue-4.19/net-rose-fix-netdev-reference-changes.patch @@ -0,0 +1,110 @@ +From 0dd6f6619b6e91468bcf222351a9fff3deb02e97 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Jul 2022 09:12:32 +0000 +Subject: net: rose: fix netdev reference changes + +From: Eric Dumazet + +[ Upstream commit 931027820e4dafabc78aff82af59f8c1c4bd3128 ] + +Bernard reported that trying to unload rose module would lead +to infamous messages: + +unregistered_netdevice: waiting for rose0 to become free. Usage count = xx + +This patch solves the issue, by making sure each socket referring to +a netdevice holds a reference count on it, and properly releases it +in rose_release(). + +rose_dev_first() is also fixed to take a device reference +before leaving the rcu_read_locked section. + +Following patch will add ref_tracker annotations to ease +future bug hunting. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Bernard Pidoux +Signed-off-by: Eric Dumazet +Tested-by: Bernard Pidoux +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/rose/af_rose.c | 11 +++++++++-- + net/rose/rose_route.c | 2 ++ + 2 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c +index d00a0ef39a56..03a1ee221112 100644 +--- a/net/rose/af_rose.c ++++ b/net/rose/af_rose.c +@@ -194,6 +194,7 @@ static void rose_kill_by_device(struct net_device *dev) + rose_disconnect(s, ENETUNREACH, ROSE_OUT_OF_ORDER, 0); + if (rose->neighbour) + rose->neighbour->use--; ++ dev_put(rose->device); + rose->device = NULL; + } + } +@@ -594,6 +595,8 @@ static struct sock *rose_make_new(struct sock *osk) + rose->idle = orose->idle; + rose->defer = orose->defer; + rose->device = orose->device; ++ if (rose->device) ++ dev_hold(rose->device); + rose->qbitincl = orose->qbitincl; + + return sk; +@@ -647,6 +650,7 @@ static int rose_release(struct socket *sock) + break; + } + ++ dev_put(rose->device); + sock->sk = NULL; + release_sock(sk); + sock_put(sk); +@@ -721,7 +725,6 @@ static int rose_connect(struct socket *sock, struct sockaddr *uaddr, int addr_le + struct rose_sock *rose = rose_sk(sk); + struct sockaddr_rose *addr = (struct sockaddr_rose *)uaddr; + unsigned char cause, diagnostic; +- struct net_device *dev; + ax25_uid_assoc *user; + int n, err = 0; + +@@ -778,9 +781,12 @@ static int rose_connect(struct socket *sock, struct sockaddr *uaddr, int addr_le + } + + if (sock_flag(sk, SOCK_ZAPPED)) { /* Must bind first - autobinding in this may or may not work */ ++ struct net_device *dev; ++ + sock_reset_flag(sk, SOCK_ZAPPED); + +- if ((dev = rose_dev_first()) == NULL) { ++ dev = rose_dev_first(); ++ if (!dev) { + err = -ENETUNREACH; + goto out_release; + } +@@ -788,6 +794,7 @@ static int rose_connect(struct socket *sock, struct sockaddr *uaddr, int addr_le + user = ax25_findbyuid(current_euid()); + if (!user) { + err = -EINVAL; ++ dev_put(dev); + goto out_release; + } + +diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c +index 46ae92d70324..5671853bef83 100644 +--- a/net/rose/rose_route.c ++++ b/net/rose/rose_route.c +@@ -616,6 +616,8 @@ struct net_device *rose_dev_first(void) + if (first == NULL || strncmp(dev->name, first->name, 3) < 0) + first = dev; + } ++ if (first) ++ dev_hold(first); + rcu_read_unlock(); + + return first; +-- +2.35.1 + diff --git a/queue-4.19/netdevsim-avoid-allocation-warnings-triggered-from-u.patch b/queue-4.19/netdevsim-avoid-allocation-warnings-triggered-from-u.patch new file mode 100644 index 00000000000..0c181730b80 --- /dev/null +++ b/queue-4.19/netdevsim-avoid-allocation-warnings-triggered-from-u.patch @@ -0,0 +1,54 @@ +From 045d23502d805ba1b25c02f57fa549125cd9d9bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Jul 2022 14:36:05 -0700 +Subject: netdevsim: Avoid allocation warnings triggered from user space + +From: Jakub Kicinski + +[ Upstream commit d0b80a9edb1a029ff913e81b47540e57ad034329 ] + +We need to suppress warnings from sily map sizes. Also switch +from GFP_USER to GFP_KERNEL_ACCOUNT, I'm pretty sure I misunderstood +the flags when writing this code. + +Fixes: 395cacb5f1a0 ("netdevsim: bpf: support fake map offload") +Reported-by: syzbot+ad24705d3fd6463b18c6@syzkaller.appspotmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20220726213605.154204-1-kuba@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/net/netdevsim/bpf.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/netdevsim/bpf.c b/drivers/net/netdevsim/bpf.c +index 12f100392ed1..ca9042ddb6d7 100644 +--- a/drivers/net/netdevsim/bpf.c ++++ b/drivers/net/netdevsim/bpf.c +@@ -330,10 +330,12 @@ nsim_map_alloc_elem(struct bpf_offloaded_map *offmap, unsigned int idx) + { + struct nsim_bpf_bound_map *nmap = offmap->dev_priv; + +- nmap->entry[idx].key = kmalloc(offmap->map.key_size, GFP_USER); ++ nmap->entry[idx].key = kmalloc(offmap->map.key_size, ++ GFP_KERNEL_ACCOUNT | __GFP_NOWARN); + if (!nmap->entry[idx].key) + return -ENOMEM; +- nmap->entry[idx].value = kmalloc(offmap->map.value_size, GFP_USER); ++ nmap->entry[idx].value = kmalloc(offmap->map.value_size, ++ GFP_KERNEL_ACCOUNT | __GFP_NOWARN); + if (!nmap->entry[idx].value) { + kfree(nmap->entry[idx].key); + nmap->entry[idx].key = NULL; +@@ -475,7 +477,7 @@ nsim_bpf_map_alloc(struct netdevsim *ns, struct bpf_offloaded_map *offmap) + if (offmap->map.map_flags) + return -EINVAL; + +- nmap = kzalloc(sizeof(*nmap), GFP_USER); ++ nmap = kzalloc(sizeof(*nmap), GFP_KERNEL_ACCOUNT); + if (!nmap) + return -ENOMEM; + +-- +2.35.1 + diff --git a/queue-4.19/netfilter-nf_tables-add-rescheduling-points-during-l.patch b/queue-4.19/netfilter-nf_tables-add-rescheduling-points-during-l.patch new file mode 100644 index 00000000000..235a7b53076 --- /dev/null +++ b/queue-4.19/netfilter-nf_tables-add-rescheduling-points-during-l.patch @@ -0,0 +1,53 @@ +From 4a32dc585d23095db5a157c744287d5f6bcef5ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Jul 2022 12:44:35 +0200 +Subject: netfilter: nf_tables: add rescheduling points during loop detection + walks + +From: Florian Westphal + +[ Upstream commit 81ea010667417ef3f218dfd99b69769fe66c2b67 ] + +Add explicit rescheduling points during ruleset walk. + +Switching to a faster algorithm is possible but this is a much +smaller change, suitable for nf tree. + +Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1460 +Signed-off-by: Florian Westphal +Acked-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 15cc05bc65f1..ac1cee5803ec 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -2551,6 +2551,8 @@ int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain) + if (err < 0) + return err; + } ++ ++ cond_resched(); + } + + return 0; +@@ -6910,9 +6912,13 @@ static int nf_tables_check_loops(const struct nft_ctx *ctx, + break; + } + } ++ ++ cond_resched(); + } + + list_for_each_entry(set, &ctx->table->sets, list) { ++ cond_resched(); ++ + if (!nft_is_active_next(ctx->net, set)) + continue; + if (!(set->flags & NFT_SET_MAP) || +-- +2.35.1 + diff --git a/queue-4.19/nohz-full-sched-rt-fix-missed-tick-reenabling-bug-in.patch b/queue-4.19/nohz-full-sched-rt-fix-missed-tick-reenabling-bug-in.patch new file mode 100644 index 00000000000..7b521c33f46 --- /dev/null +++ b/queue-4.19/nohz-full-sched-rt-fix-missed-tick-reenabling-bug-in.patch @@ -0,0 +1,118 @@ +From 2bb215c226a7174ab10d7fc43d2add28a2ecd250 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Jun 2022 11:22:59 +0200 +Subject: nohz/full, sched/rt: Fix missed tick-reenabling bug in + dequeue_task_rt() + +From: Nicolas Saenz Julienne + +[ Upstream commit 5c66d1b9b30f737fcef85a0b75bfe0590e16b62a ] + +dequeue_task_rt() only decrements 'rt_rq->rt_nr_running' after having +called sched_update_tick_dependency() preventing it from re-enabling the +tick on systems that no longer have pending SCHED_RT tasks but have +multiple runnable SCHED_OTHER tasks: + + dequeue_task_rt() + dequeue_rt_entity() + dequeue_rt_stack() + dequeue_top_rt_rq() + sub_nr_running() // decrements rq->nr_running + sched_update_tick_dependency() + sched_can_stop_tick() // checks rq->rt.rt_nr_running, + ... + __dequeue_rt_entity() + dec_rt_tasks() // decrements rq->rt.rt_nr_running + ... + +Every other scheduler class performs the operation in the opposite +order, and sched_update_tick_dependency() expects the values to be +updated as such. So avoid the misbehaviour by inverting the order in +which the above operations are performed in the RT scheduler. + +Fixes: 76d92ac305f2 ("sched: Migrate sched to use new tick dependency mask model") +Signed-off-by: Nicolas Saenz Julienne +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Valentin Schneider +Reviewed-by: Phil Auld +Link: https://lore.kernel.org/r/20220628092259.330171-1-nsaenzju@redhat.com +Signed-off-by: Sasha Levin +--- + kernel/sched/rt.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/kernel/sched/rt.c b/kernel/sched/rt.c +index 70e8cd395474..9c6c3572b131 100644 +--- a/kernel/sched/rt.c ++++ b/kernel/sched/rt.c +@@ -434,7 +434,7 @@ static inline void rt_queue_push_tasks(struct rq *rq) + #endif /* CONFIG_SMP */ + + static void enqueue_top_rt_rq(struct rt_rq *rt_rq); +-static void dequeue_top_rt_rq(struct rt_rq *rt_rq); ++static void dequeue_top_rt_rq(struct rt_rq *rt_rq, unsigned int count); + + static inline int on_rt_rq(struct sched_rt_entity *rt_se) + { +@@ -516,7 +516,7 @@ static void sched_rt_rq_dequeue(struct rt_rq *rt_rq) + rt_se = rt_rq->tg->rt_se[cpu]; + + if (!rt_se) { +- dequeue_top_rt_rq(rt_rq); ++ dequeue_top_rt_rq(rt_rq, rt_rq->rt_nr_running); + /* Kick cpufreq (see the comment in kernel/sched/sched.h). */ + cpufreq_update_util(rq_of_rt_rq(rt_rq), 0); + } +@@ -602,7 +602,7 @@ static inline void sched_rt_rq_enqueue(struct rt_rq *rt_rq) + + static inline void sched_rt_rq_dequeue(struct rt_rq *rt_rq) + { +- dequeue_top_rt_rq(rt_rq); ++ dequeue_top_rt_rq(rt_rq, rt_rq->rt_nr_running); + } + + static inline int rt_rq_throttled(struct rt_rq *rt_rq) +@@ -1001,7 +1001,7 @@ static void update_curr_rt(struct rq *rq) + } + + static void +-dequeue_top_rt_rq(struct rt_rq *rt_rq) ++dequeue_top_rt_rq(struct rt_rq *rt_rq, unsigned int count) + { + struct rq *rq = rq_of_rt_rq(rt_rq); + +@@ -1012,7 +1012,7 @@ dequeue_top_rt_rq(struct rt_rq *rt_rq) + + BUG_ON(!rq->nr_running); + +- sub_nr_running(rq, rt_rq->rt_nr_running); ++ sub_nr_running(rq, count); + rt_rq->rt_queued = 0; + + } +@@ -1291,18 +1291,21 @@ static void __dequeue_rt_entity(struct sched_rt_entity *rt_se, unsigned int flag + static void dequeue_rt_stack(struct sched_rt_entity *rt_se, unsigned int flags) + { + struct sched_rt_entity *back = NULL; ++ unsigned int rt_nr_running; + + for_each_sched_rt_entity(rt_se) { + rt_se->back = back; + back = rt_se; + } + +- dequeue_top_rt_rq(rt_rq_of_se(back)); ++ rt_nr_running = rt_rq_of_se(back)->rt_nr_running; + + for (rt_se = back; rt_se; rt_se = rt_se->back) { + if (on_rt_rq(rt_se)) + __dequeue_rt_entity(rt_se, flags); + } ++ ++ dequeue_top_rt_rq(rt_rq_of_se(back), rt_nr_running); + } + + static void enqueue_rt_entity(struct sched_rt_entity *rt_se, unsigned int flags) +-- +2.35.1 + diff --git a/queue-4.19/null_blk-fix-ida-error-handling-in-null_add_dev.patch b/queue-4.19/null_blk-fix-ida-error-handling-in-null_add_dev.patch new file mode 100644 index 00000000000..747bc888199 --- /dev/null +++ b/queue-4.19/null_blk-fix-ida-error-handling-in-null_add_dev.patch @@ -0,0 +1,62 @@ +From 401a85076f2f411d2c4bf7f8ae1ffdd302e5b807 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Jul 2022 11:12:14 +0300 +Subject: null_blk: fix ida error handling in null_add_dev() + +From: Dan Carpenter + +[ Upstream commit ee452a8d984f94fa8e894f003a52e776e4572881 ] + +There needs to be some error checking if ida_simple_get() fails. +Also call ida_free() if there are errors later. + +Fixes: 94bc02e30fb8 ("nullb: use ida to manage index") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/YtEhXsr6vJeoiYhd@kili +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/null_blk_main.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/drivers/block/null_blk_main.c b/drivers/block/null_blk_main.c +index 4fef1fb918ec..5553df736c72 100644 +--- a/drivers/block/null_blk_main.c ++++ b/drivers/block/null_blk_main.c +@@ -1819,8 +1819,13 @@ static int null_add_dev(struct nullb_device *dev) + blk_queue_flag_clear(QUEUE_FLAG_ADD_RANDOM, nullb->q); + + mutex_lock(&lock); +- nullb->index = ida_simple_get(&nullb_indexes, 0, 0, GFP_KERNEL); +- dev->index = nullb->index; ++ rv = ida_simple_get(&nullb_indexes, 0, 0, GFP_KERNEL); ++ if (rv < 0) { ++ mutex_unlock(&lock); ++ goto out_cleanup_zone; ++ } ++ nullb->index = rv; ++ dev->index = rv; + mutex_unlock(&lock); + + blk_queue_logical_block_size(nullb->q, dev->blocksize); +@@ -1832,13 +1837,16 @@ static int null_add_dev(struct nullb_device *dev) + + rv = null_gendisk_register(nullb); + if (rv) +- goto out_cleanup_zone; ++ goto out_ida_free; + + mutex_lock(&lock); + list_add_tail(&nullb->list, &nullb_list); + mutex_unlock(&lock); + + return 0; ++ ++out_ida_free: ++ ida_free(&nullb_indexes, nullb->index); + out_cleanup_zone: + if (dev->zoned) + null_zone_exit(dev); +-- +2.35.1 + diff --git a/queue-4.19/pci-portdrv-don-t-disable-aer-reporting-in-get_port_.patch b/queue-4.19/pci-portdrv-don-t-disable-aer-reporting-in-get_port_.patch new file mode 100644 index 00000000000..d9d0e2248e4 --- /dev/null +++ b/queue-4.19/pci-portdrv-don-t-disable-aer-reporting-in-get_port_.patch @@ -0,0 +1,106 @@ +From dc3cd91af19d69d02ecd896f08cc90833efdf7e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jan 2022 08:18:19 +0100 +Subject: PCI/portdrv: Don't disable AER reporting in + get_port_device_capability() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Stefan Roese + +[ Upstream commit 8795e182b02dc87e343c79e73af6b8b7f9c5e635 ] + +AER reporting is currently disabled in the DevCtl registers of all non Root +Port PCIe devices on systems using pcie_ports_native || host->native_aer, +disabling AER completely in such systems. This is because 2bd50dd800b5 +("PCI: PCIe: Disable PCIe port services during port initialization"), added +a call to pci_disable_pcie_error_reporting() *after* the AER setup was +completed for the PCIe device tree. + +Here a longer analysis about the current status of AER enabling / +disabling upon bootup provided by Bjorn: + + pcie_portdrv_probe + pcie_port_device_register + get_port_device_capability + pci_disable_pcie_error_reporting + clear CERE NFERE FERE URRE # <-- disable for RP USP DSP + pcie_device_init + device_register # new AER service device + aer_probe + aer_enable_rootport # RP only + set_downstream_devices_error_reporting + set_device_error_reporting # self (RP) + if (RP || USP || DSP) + pci_enable_pcie_error_reporting + set CERE NFERE FERE URRE # <-- enable for RP + pci_walk_bus + set_device_error_reporting + if (RP || USP || DSP) + pci_enable_pcie_error_reporting + set CERE NFERE FERE URRE # <-- enable for USP DSP + +In a typical Root Port -> Endpoint hierarchy, the above: + - Disables Error Reporting for the Root Port, + - Enables Error Reporting for the Root Port, + - Does NOT enable Error Reporting for the Endpoint because it is not a + Root Port or Switch Port. + +In a deeper Root Port -> Upstream Switch Port -> Downstream Switch +Port -> Endpoint hierarchy: + - Disables Error Reporting for the Root Port, + - Enables Error Reporting for the Root Port, + - Enables Error Reporting for both Switch Ports, + - Does NOT enable Error Reporting for the Endpoint because it is not a + Root Port or Switch Port, + - Disables Error Reporting for the Switch Ports when pcie_portdrv_probe() + claims them. AER does not re-enable it because these are not Root + Ports. + +Remove this call to pci_disable_pcie_error_reporting() from +get_port_device_capability(), leaving the already enabled AER configuration +intact. With this change, AER is enabled in the Root Port and the PCIe +switch upstream and downstream ports. Only the PCIe Endpoints don't have +AER enabled yet. A follow-up patch will take care of this Endpoint +enabling. + +Fixes: 2bd50dd800b5 ("PCI: PCIe: Disable PCIe port services during port initialization") +Link: https://lore.kernel.org/r/20220125071820.2247260-3-sr@denx.de +Signed-off-by: Stefan Roese +Signed-off-by: Bjorn Helgaas +Reviewed-by: Pali Rohár +Cc: Rafael J. Wysocki +Cc: Bharat Kumar Gogada +Cc: Michal Simek +Cc: Yao Hongbo +Cc: Naveen Naidu +Signed-off-by: Sasha Levin +--- + drivers/pci/pcie/portdrv_core.c | 9 +-------- + 1 file changed, 1 insertion(+), 8 deletions(-) + +diff --git a/drivers/pci/pcie/portdrv_core.c b/drivers/pci/pcie/portdrv_core.c +index 7c37d815229e..216dd6e61624 100644 +--- a/drivers/pci/pcie/portdrv_core.c ++++ b/drivers/pci/pcie/portdrv_core.c +@@ -218,15 +218,8 @@ static int get_port_device_capability(struct pci_dev *dev) + + #ifdef CONFIG_PCIEAER + if (dev->aer_cap && pci_aer_available() && +- (pcie_ports_native || host->native_aer)) { ++ (pcie_ports_native || host->native_aer)) + services |= PCIE_PORT_SERVICE_AER; +- +- /* +- * Disable AER on this port in case it's been enabled by the +- * BIOS (the AER service driver will enable it when necessary). +- */ +- pci_disable_pcie_error_reporting(dev); +- } + #endif + + /* +-- +2.35.1 + diff --git a/queue-4.19/platform-olpc-fix-uninitialized-data-in-debugfs-writ.patch b/queue-4.19/platform-olpc-fix-uninitialized-data-in-debugfs-writ.patch new file mode 100644 index 00000000000..4b494dbc393 --- /dev/null +++ b/queue-4.19/platform-olpc-fix-uninitialized-data-in-debugfs-writ.patch @@ -0,0 +1,50 @@ +From 722e7ac8a81085b8952a01927aad1383bc656450 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Jul 2022 21:23:38 +0300 +Subject: platform/olpc: Fix uninitialized data in debugfs write + +From: Dan Carpenter + +[ Upstream commit 40ec787e1adf302c11668d4cc69838f4d584187d ] + +The call to: + + size = simple_write_to_buffer(cmdbuf, sizeof(cmdbuf), ppos, buf, size); + +will succeed if at least one byte is written to the "cmdbuf" buffer. +The "*ppos" value controls which byte is written. Another problem is +that this code does not check for errors so it's possible for the entire +buffer to be uninitialized. + +Inintialize the struct to zero to prevent reading uninitialized stack +data. + +Debugfs is normally only writable by root so the impact of this bug is +very minimal. + +Fixes: 6cca83d498bd ("Platform: OLPC: move debugfs support from x86 EC driver") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/YthIKn+TfZSZMEcM@kili +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/olpc/olpc-ec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/olpc/olpc-ec.c b/drivers/platform/olpc/olpc-ec.c +index 374a8028fec7..b36a000ed969 100644 +--- a/drivers/platform/olpc/olpc-ec.c ++++ b/drivers/platform/olpc/olpc-ec.c +@@ -170,7 +170,7 @@ static ssize_t ec_dbgfs_cmd_write(struct file *file, const char __user *buf, + int i, m; + unsigned char ec_cmd[EC_MAX_CMD_ARGS]; + unsigned int ec_cmd_int[EC_MAX_CMD_ARGS]; +- char cmdbuf[64]; ++ char cmdbuf[64] = ""; + int ec_cmd_bytes; + + mutex_lock(&ec_dbgfs_lock); +-- +2.35.1 + diff --git a/queue-4.19/pm-hibernate-defer-device-probing-when-resuming-from.patch b/queue-4.19/pm-hibernate-defer-device-probing-when-resuming-from.patch new file mode 100644 index 00000000000..24252acbe30 --- /dev/null +++ b/queue-4.19/pm-hibernate-defer-device-probing-when-resuming-from.patch @@ -0,0 +1,106 @@ +From a5a08bb4632aff8067d803a96252cbfbc379b6f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Jul 2022 14:49:58 +0900 +Subject: PM: hibernate: defer device probing when resuming from hibernation + +From: Tetsuo Handa + +[ Upstream commit 8386c414e27caba8501119948e9551e52b527f59 ] + +syzbot is reporting hung task at misc_open() [1], for there is a race +window of AB-BA deadlock which involves probe_count variable. Currently +wait_for_device_probe() from snapshot_open() from misc_open() can sleep +forever with misc_mtx held if probe_count cannot become 0. + +When a device is probed by hub_event() work function, probe_count is +incremented before the probe function starts, and probe_count is +decremented after the probe function completed. + +There are three cases that can prevent probe_count from dropping to 0. + + (a) A device being probed stopped responding (i.e. broken/malicious + hardware). + + (b) A process emulating a USB device using /dev/raw-gadget interface + stopped responding for some reason. + + (c) New device probe requests keeps coming in before existing device + probe requests complete. + +The phenomenon syzbot is reporting is (b). A process which is holding +system_transition_mutex and misc_mtx is waiting for probe_count to become +0 inside wait_for_device_probe(), but the probe function which is called + from hub_event() work function is waiting for the processes which are +blocked at mutex_lock(&misc_mtx) to respond via /dev/raw-gadget interface. + +This patch mitigates (b) by deferring wait_for_device_probe() from +snapshot_open() to snapshot_write() and snapshot_ioctl(). Please note that +the possibility of (b) remains as long as any thread which is emulating a +USB device via /dev/raw-gadget interface can be blocked by uninterruptible +blocking operations (e.g. mutex_lock()). + +Please also note that (a) and (c) are not addressed. Regarding (c), we +should change the code to wait for only one device which contains the +image for resuming from hibernation. I don't know how to address (a), for +use of timeout for wait_for_device_probe() might result in loss of user +data in the image. Maybe we should require the userland to wait for the +image device before opening /dev/snapshot interface. + +Link: https://syzkaller.appspot.com/bug?extid=358c9ab4c93da7b7238c [1] +Reported-by: syzbot +Signed-off-by: Tetsuo Handa +Tested-by: syzbot +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + kernel/power/user.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/kernel/power/user.c b/kernel/power/user.c +index 2d8b60a3c86b..6a11154b3d52 100644 +--- a/kernel/power/user.c ++++ b/kernel/power/user.c +@@ -29,6 +29,7 @@ + + #include "power.h" + ++static bool need_wait; + + #define SNAPSHOT_MINOR 231 + +@@ -82,7 +83,7 @@ static int snapshot_open(struct inode *inode, struct file *filp) + * Resuming. We may need to wait for the image device to + * appear. + */ +- wait_for_device_probe(); ++ need_wait = true; + + data->swap = -1; + data->mode = O_WRONLY; +@@ -174,6 +175,11 @@ static ssize_t snapshot_write(struct file *filp, const char __user *buf, + ssize_t res; + loff_t pg_offp = *offp & ~PAGE_MASK; + ++ if (need_wait) { ++ wait_for_device_probe(); ++ need_wait = false; ++ } ++ + lock_system_sleep(); + + data = filp->private_data; +@@ -209,6 +215,11 @@ static long snapshot_ioctl(struct file *filp, unsigned int cmd, + loff_t size; + sector_t offset; + ++ if (need_wait) { ++ wait_for_device_probe(); ++ need_wait = false; ++ } ++ + if (_IOC_TYPE(cmd) != SNAPSHOT_IOC_MAGIC) + return -ENOTTY; + if (_IOC_NR(cmd) > SNAPSHOT_IOC_MAXNR) +-- +2.35.1 + diff --git a/queue-4.19/powerpc-32-do-not-allow-selection-of-e5500-or-e6500-.patch b/queue-4.19/powerpc-32-do-not-allow-selection-of-e5500-or-e6500-.patch new file mode 100644 index 00000000000..709207a1ef4 --- /dev/null +++ b/queue-4.19/powerpc-32-do-not-allow-selection-of-e5500-or-e6500-.patch @@ -0,0 +1,48 @@ +From 6a4ea50413ce62e0ad539b5184316c9af077b241 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Jul 2022 16:19:29 +0200 +Subject: powerpc/32: Do not allow selection of e5500 or e6500 CPUs on PPC32 + +From: Christophe Leroy + +[ Upstream commit 9be013b2a9ecb29b5168e4b9db0e48ed53acf37c ] + +Commit 0e00a8c9fd92 ("powerpc: Allow CPU selection also on PPC32") +enlarged the CPU selection logic to PPC32 by removing depend to +PPC64, and failed to restrict that depend to E5500_CPU and E6500_CPU. +Fortunately that got unnoticed because -mcpu=8540 will override the +-mcpu=e500mc64 or -mpcu=e6500 as they are ealier, but that's +fragile and may no be right in the future. + +Add back the depend PPC64 on E5500_CPU and E6500_CPU. + +Fixes: 0e00a8c9fd92 ("powerpc: Allow CPU selection also on PPC32") +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/8abab4888da69ff78b73a56f64d9678a7bf684e9.1657549153.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/Kconfig.cputype | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/platforms/Kconfig.cputype b/arch/powerpc/platforms/Kconfig.cputype +index ad0216c41d2c..67ad128a9a3d 100644 +--- a/arch/powerpc/platforms/Kconfig.cputype ++++ b/arch/powerpc/platforms/Kconfig.cputype +@@ -134,11 +134,11 @@ config POWER9_CPU + + config E5500_CPU + bool "Freescale e5500" +- depends on E500 ++ depends on PPC64 && E500 + + config E6500_CPU + bool "Freescale e6500" +- depends on E500 ++ depends on PPC64 && E500 + + config 860_CPU + bool "8xx family" +-- +2.35.1 + diff --git a/queue-4.19/powerpc-cell-axon_msi-fix-refcount-leak-in-setup_msi.patch b/queue-4.19/powerpc-cell-axon_msi-fix-refcount-leak-in-setup_msi.patch new file mode 100644 index 00000000000..c3d28e420e0 --- /dev/null +++ b/queue-4.19/powerpc-cell-axon_msi-fix-refcount-leak-in-setup_msi.patch @@ -0,0 +1,37 @@ +From 242178e2031edb846b2b5ab1929c3e5367ae6778 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Jun 2022 10:51:29 +0400 +Subject: powerpc/cell/axon_msi: Fix refcount leak in setup_msi_msg_address + +From: Miaoqian Lin + +[ Upstream commit df5d4b616ee76abc97e5bd348e22659c2b095b1c ] + +of_get_next_parent() returns a node pointer with refcount incremented, +we should use of_node_put() on it when not need anymore. +Add missing of_node_put() in the error path to avoid refcount leak. + +Fixes: ce21b3c9648a ("[CELL] add support for MSI on Axon-based Cell systems") +Signed-off-by: Miaoqian Lin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220605065129.63906-1-linmq006@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/cell/axon_msi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/platforms/cell/axon_msi.c b/arch/powerpc/platforms/cell/axon_msi.c +index 326d34e2aa02..946a09ae9fb2 100644 +--- a/arch/powerpc/platforms/cell/axon_msi.c ++++ b/arch/powerpc/platforms/cell/axon_msi.c +@@ -230,6 +230,7 @@ static int setup_msi_msg_address(struct pci_dev *dev, struct msi_msg *msg) + if (!prop) { + dev_dbg(&dev->dev, + "axon_msi: no msi-address-(32|64) properties found\n"); ++ of_node_put(dn); + return -ENOENT; + } + +-- +2.35.1 + diff --git a/queue-4.19/powerpc-pci-fix-phb-numbering-when-using-opal-phbid.patch b/queue-4.19/powerpc-pci-fix-phb-numbering-when-using-opal-phbid.patch new file mode 100644 index 00000000000..f4c75aec34a --- /dev/null +++ b/queue-4.19/powerpc-pci-fix-phb-numbering-when-using-opal-phbid.patch @@ -0,0 +1,61 @@ +From 19751572cb368e3aa54599ef8213dc29b5c9a8c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Aug 2022 20:38:32 +1000 +Subject: powerpc/pci: Fix PHB numbering when using opal-phbid +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michael Ellerman + +[ Upstream commit f4b39e88b42d13366b831270306326b5c20971ca ] + +The recent change to the PHB numbering logic has a logic error in the +handling of "ibm,opal-phbid". + +When an "ibm,opal-phbid" property is present, &prop is written to and +ret is set to zero. + +The following call to of_alias_get_id() is skipped because ret == 0. + +But then the if (ret >= 0) is true, and the body of that if statement +sets prop = ret which throws away the value that was just read from +"ibm,opal-phbid". + +Fix the logic by only doing the ret >= 0 check in the of_alias_get_id() +case. + +Fixes: 0fe1e96fef0a ("powerpc/pci: Prefer PCI domain assignment via DT 'linux,pci-domain' and alias") +Reviewed-by: Pali Rohár +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220802105723.1055178-1-mpe@ellerman.id.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/pci-common.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/arch/powerpc/kernel/pci-common.c b/arch/powerpc/kernel/pci-common.c +index b0bd55f2ce3a..740dcbdd56d8 100644 +--- a/arch/powerpc/kernel/pci-common.c ++++ b/arch/powerpc/kernel/pci-common.c +@@ -98,11 +98,13 @@ static int get_phb_number(struct device_node *dn) + } + if (ret) + ret = of_property_read_u64(dn, "ibm,opal-phbid", &prop); +- if (ret) ++ ++ if (ret) { + ret = of_alias_get_id(dn, "pci"); +- if (ret >= 0) { +- prop = ret; +- ret = 0; ++ if (ret >= 0) { ++ prop = ret; ++ ret = 0; ++ } + } + if (ret) { + u32 prop_32; +-- +2.35.1 + diff --git a/queue-4.19/powerpc-pci-prefer-pci-domain-assignment-via-dt-linu.patch b/queue-4.19/powerpc-pci-prefer-pci-domain-assignment-via-dt-linu.patch new file mode 100644 index 00000000000..cfc61a1f712 --- /dev/null +++ b/queue-4.19/powerpc-pci-prefer-pci-domain-assignment-via-dt-linu.patch @@ -0,0 +1,88 @@ +From 955e76e526dd7287f30b560b826f728a0406ea9f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Jul 2022 12:21:48 +0200 +Subject: powerpc/pci: Prefer PCI domain assignment via DT 'linux,pci-domain' + and alias +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit 0fe1e96fef0a5c53b4c0d1500d356f3906000f81 ] + +Other Linux architectures use DT property 'linux,pci-domain' for +specifying fixed PCI domain of PCI controller specified in Device-Tree. + +And lot of Freescale powerpc boards have defined numbered pci alias in +Device-Tree for every PCIe controller which number specify preferred PCI +domain. + +So prefer usage of DT property 'linux,pci-domain' (via function +of_get_pci_domain_nr()) and DT pci alias (via function +of_alias_get_id()) on powerpc architecture for assigning PCI domain to +PCI controller. + +Fixes: 63a72284b159 ("powerpc/pci: Assign fixed PHB number based on device-tree properties") +Signed-off-by: Pali Rohár +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220706102148.5060-2-pali@kernel.org +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/pci-common.c | 27 +++++++++++++++++++-------- + 1 file changed, 19 insertions(+), 8 deletions(-) + +diff --git a/arch/powerpc/kernel/pci-common.c b/arch/powerpc/kernel/pci-common.c +index 74628aca2bf1..b0bd55f2ce3a 100644 +--- a/arch/powerpc/kernel/pci-common.c ++++ b/arch/powerpc/kernel/pci-common.c +@@ -82,16 +82,30 @@ EXPORT_SYMBOL(get_pci_dma_ops); + static int get_phb_number(struct device_node *dn) + { + int ret, phb_id = -1; +- u32 prop_32; + u64 prop; + + /* + * Try fixed PHB numbering first, by checking archs and reading +- * the respective device-tree properties. Firstly, try powernv by +- * reading "ibm,opal-phbid", only present in OPAL environment. ++ * the respective device-tree properties. Firstly, try reading ++ * standard "linux,pci-domain", then try reading "ibm,opal-phbid" ++ * (only present in powernv OPAL environment), then try device-tree ++ * alias and as the last try to use lower bits of "reg" property. + */ +- ret = of_property_read_u64(dn, "ibm,opal-phbid", &prop); ++ ret = of_get_pci_domain_nr(dn); ++ if (ret >= 0) { ++ prop = ret; ++ ret = 0; ++ } ++ if (ret) ++ ret = of_property_read_u64(dn, "ibm,opal-phbid", &prop); ++ if (ret) ++ ret = of_alias_get_id(dn, "pci"); ++ if (ret >= 0) { ++ prop = ret; ++ ret = 0; ++ } + if (ret) { ++ u32 prop_32; + ret = of_property_read_u32_index(dn, "reg", 1, &prop_32); + prop = prop_32; + } +@@ -103,10 +117,7 @@ static int get_phb_number(struct device_node *dn) + if ((phb_id >= 0) && !test_and_set_bit(phb_id, phb_bitmap)) + return phb_id; + +- /* +- * If not pseries nor powernv, or if fixed PHB numbering tried to add +- * the same PHB number twice, then fallback to dynamic PHB numbering. +- */ ++ /* If everything fails then fallback to dynamic PHB numbering. */ + phb_id = find_first_zero_bit(phb_bitmap, MAX_PHBS); + BUG_ON(phb_id >= MAX_PHBS); + set_bit(phb_id, phb_bitmap); +-- +2.35.1 + diff --git a/queue-4.19/powerpc-spufs-fix-refcount-leak-in-spufs_init_isolat.patch b/queue-4.19/powerpc-spufs-fix-refcount-leak-in-spufs_init_isolat.patch new file mode 100644 index 00000000000..d92ce8c0d71 --- /dev/null +++ b/queue-4.19/powerpc-spufs-fix-refcount-leak-in-spufs_init_isolat.patch @@ -0,0 +1,38 @@ +From 8398fc9e1f8d60efed05c8375d7efd4ca4163259 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jun 2022 16:15:42 +0400 +Subject: powerpc/spufs: Fix refcount leak in spufs_init_isolated_loader + +From: Miaoqian Lin + +[ Upstream commit 6ac059dacffa8ab2f7798f20e4bd3333890c541c ] + +of_find_node_by_path() returns remote device nodepointer with +refcount incremented, we should use of_node_put() on it when done. +Add missing of_node_put() to avoid refcount leak. + +Fixes: 0afacde3df4c ("[POWERPC] spufs: allow isolated mode apps by starting the SPE loader") +Signed-off-by: Miaoqian Lin +Acked-by: Arnd Bergmann +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220603121543.22884-1-linmq006@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/cell/spufs/inode.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/platforms/cell/spufs/inode.c b/arch/powerpc/platforms/cell/spufs/inode.c +index db329d4bf1c3..8b664d9cfcd4 100644 +--- a/arch/powerpc/platforms/cell/spufs/inode.c ++++ b/arch/powerpc/platforms/cell/spufs/inode.c +@@ -684,6 +684,7 @@ spufs_init_isolated_loader(void) + return; + + loader = of_get_property(dn, "loader", &size); ++ of_node_put(dn); + if (!loader) + return; + +-- +2.35.1 + diff --git a/queue-4.19/powerpc-xive-fix-refcount-leak-in-xive_get_max_prio.patch b/queue-4.19/powerpc-xive-fix-refcount-leak-in-xive_get_max_prio.patch new file mode 100644 index 00000000000..6126562d90c --- /dev/null +++ b/queue-4.19/powerpc-xive-fix-refcount-leak-in-xive_get_max_prio.patch @@ -0,0 +1,37 @@ +From 3323d7db883ec62f59252e9147883d63d6b26170 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Jun 2022 09:32:23 +0400 +Subject: powerpc/xive: Fix refcount leak in xive_get_max_prio + +From: Miaoqian Lin + +[ Upstream commit 255b650cbec6849443ce2e0cdd187fd5e61c218c ] + +of_find_node_by_path() returns a node pointer with +refcount incremented, we should use of_node_put() on it when done. +Add missing of_node_put() to avoid refcount leak. + +Fixes: eac1e731b59e ("powerpc/xive: guest exploitation of the XIVE interrupt controller") +Signed-off-by: Miaoqian Lin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220605053225.56125-1-linmq006@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/sysdev/xive/spapr.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/sysdev/xive/spapr.c b/arch/powerpc/sysdev/xive/spapr.c +index 5566bbc86f4a..aa705732150c 100644 +--- a/arch/powerpc/sysdev/xive/spapr.c ++++ b/arch/powerpc/sysdev/xive/spapr.c +@@ -631,6 +631,7 @@ static bool xive_get_max_prio(u8 *max_prio) + } + + reg = of_get_property(rootdn, "ibm,plat-res-int-priorities", &len); ++ of_node_put(rootdn); + if (!reg) { + pr_err("Failed to read 'ibm,plat-res-int-priorities' property\n"); + return false; +-- +2.35.1 + diff --git a/queue-4.19/profiling-fix-shift-too-large-makes-kernel-panic.patch b/queue-4.19/profiling-fix-shift-too-large-makes-kernel-panic.patch new file mode 100644 index 00000000000..ec15837b55e --- /dev/null +++ b/queue-4.19/profiling-fix-shift-too-large-makes-kernel-panic.patch @@ -0,0 +1,91 @@ +From 44376a36c063d535bff61f0a57645b9a515373b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 May 2022 09:28:54 +0800 +Subject: profiling: fix shift too large makes kernel panic + +From: Chen Zhongjin + +[ Upstream commit 0fe6ee8f123a4dfb529a5aff07536bb481f34043 ] + +2d186afd04d6 ("profiling: fix shift-out-of-bounds bugs") limits shift +value by [0, BITS_PER_LONG -1], which means [0, 63]. + +However, syzbot found that the max shift value should be the bit number of +(_etext - _stext). If shift is outside of this, the "buffer_bytes" will +be zero and will cause kzalloc(0). Then the kernel panics due to +dereferencing the returned pointer 16. + +This can be easily reproduced by passing a large number like 60 to enable +profiling and then run readprofile. + +LOGS: + BUG: kernel NULL pointer dereference, address: 0000000000000010 + #PF: supervisor write access in kernel mode + #PF: error_code(0x0002) - not-present page + PGD 6148067 P4D 6148067 PUD 6142067 PMD 0 + PREEMPT SMP + CPU: 4 PID: 184 Comm: readprofile Not tainted 5.18.0+ #162 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 + RIP: 0010:read_profile+0x104/0x220 + RSP: 0018:ffffc900006fbe80 EFLAGS: 00000202 + RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 + RDX: ffff888006150000 RSI: 0000000000000001 RDI: ffffffff82aba4a0 + RBP: 000000000188bb60 R08: 0000000000000010 R09: ffff888006151000 + R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff82aba4a0 + R13: 0000000000000000 R14: ffffc900006fbf08 R15: 0000000000020c30 + FS: 000000000188a8c0(0000) GS:ffff88803ed00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000010 CR3: 0000000006144000 CR4: 00000000000006e0 + Call Trace: + + proc_reg_read+0x56/0x70 + vfs_read+0x9a/0x1b0 + ksys_read+0xa1/0xe0 + ? fpregs_assert_state_consistent+0x1e/0x40 + do_syscall_64+0x3a/0x80 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + RIP: 0033:0x4d4b4e + RSP: 002b:00007ffebb668d58 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 + RAX: ffffffffffffffda RBX: 000000000188a8a0 RCX: 00000000004d4b4e + RDX: 0000000000000400 RSI: 000000000188bb60 RDI: 0000000000000003 + RBP: 0000000000000003 R08: 000000000000006e R09: 0000000000000000 + R10: 0000000000000041 R11: 0000000000000246 R12: 000000000188bb60 + R13: 0000000000000400 R14: 0000000000000000 R15: 000000000188bb60 + + Modules linked in: + CR2: 0000000000000010 +Killed + ---[ end trace 0000000000000000 ]--- + +Check prof_len in profile_init() to prevent it be zero. + +Link: https://lkml.kernel.org/r/20220531012854.229439-1-chenzhongjin@huawei.com +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Chen Zhongjin +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + kernel/profile.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/kernel/profile.c b/kernel/profile.c +index efa58f63dc1b..7fc621404230 100644 +--- a/kernel/profile.c ++++ b/kernel/profile.c +@@ -108,6 +108,13 @@ int __ref profile_init(void) + + /* only text is profiled */ + prof_len = (_etext - _stext) >> prof_shift; ++ ++ if (!prof_len) { ++ pr_warn("profiling shift: %u too large\n", prof_shift); ++ prof_on = 0; ++ return -EINVAL; ++ } ++ + buffer_bytes = prof_len*sizeof(atomic_t); + + if (!alloc_cpumask_var(&prof_cpu_mask, GFP_KERNEL)) +-- +2.35.1 + diff --git a/queue-4.19/rdma-hfi1-fix-potential-memory-leak-in-setup_base_ct.patch b/queue-4.19/rdma-hfi1-fix-potential-memory-leak-in-setup_base_ct.patch new file mode 100644 index 00000000000..7c3e97f0799 --- /dev/null +++ b/queue-4.19/rdma-hfi1-fix-potential-memory-leak-in-setup_base_ct.patch @@ -0,0 +1,45 @@ +From 09d9cc52f555aee100913a32a0fe4671e9b10657 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Jul 2022 15:07:18 +0800 +Subject: RDMA/hfi1: fix potential memory leak in setup_base_ctxt() + +From: Jianglei Nie + +[ Upstream commit aa2a1df3a2c85f855af7d54466ac10bd48645d63 ] + +setup_base_ctxt() allocates a memory chunk for uctxt->groups with +hfi1_alloc_ctxt_rcv_groups(). When init_user_ctxt() fails, uctxt->groups +is not released, which will lead to a memory leak. + +We should release the uctxt->groups with hfi1_free_ctxt_rcv_groups() +when init_user_ctxt() fails. + +Fixes: e87473bc1b6c ("IB/hfi1: Only set fd pointer when base context is completely initialized") +Link: https://lore.kernel.org/r/20220711070718.2318320-1-niejianglei2021@163.com +Signed-off-by: Jianglei Nie +Acked-by: Dennis Dalessandro +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hfi1/file_ops.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/hfi1/file_ops.c b/drivers/infiniband/hw/hfi1/file_ops.c +index 64ee11542a56..be31faf6cc62 100644 +--- a/drivers/infiniband/hw/hfi1/file_ops.c ++++ b/drivers/infiniband/hw/hfi1/file_ops.c +@@ -1222,8 +1222,10 @@ static int setup_base_ctxt(struct hfi1_filedata *fd, + goto done; + + ret = init_user_ctxt(fd, uctxt); +- if (ret) ++ if (ret) { ++ hfi1_free_ctxt_rcv_groups(uctxt); + goto done; ++ } + + user_init(uctxt); + +-- +2.35.1 + diff --git a/queue-4.19/rdma-rxe-fix-error-unwind-in-rxe_create_qp.patch b/queue-4.19/rdma-rxe-fix-error-unwind-in-rxe_create_qp.patch new file mode 100644 index 00000000000..6b4370f500d --- /dev/null +++ b/queue-4.19/rdma-rxe-fix-error-unwind-in-rxe_create_qp.patch @@ -0,0 +1,69 @@ +From 3f70ecbdd048148bb599d873859eda72ace399ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Jul 2022 02:36:21 -0400 +Subject: RDMA/rxe: Fix error unwind in rxe_create_qp() + +From: Zhu Yanjun + +[ Upstream commit fd5382c5805c4bcb50fd25b7246247d3f7114733 ] + +In the function rxe_create_qp(), rxe_qp_from_init() is called to +initialize qp, internally things like the spin locks are not setup until +rxe_qp_init_req(). + +If an error occures before this point then the unwind will call +rxe_cleanup() and eventually to rxe_qp_do_cleanup()/rxe_cleanup_task() +which will oops when trying to access the uninitialized spinlock. + +Move the spinlock initializations earlier before any failures. + +Fixes: 8700e3e7c485 ("Soft RoCE driver") +Link: https://lore.kernel.org/r/20220731063621.298405-1-yanjun.zhu@linux.dev +Reported-by: syzbot+833061116fa28df97f3b@syzkaller.appspotmail.com +Signed-off-by: Zhu Yanjun +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_qp.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c +index 4798b718b085..a4b5374deac8 100644 +--- a/drivers/infiniband/sw/rxe/rxe_qp.c ++++ b/drivers/infiniband/sw/rxe/rxe_qp.c +@@ -210,6 +210,14 @@ static void rxe_qp_init_misc(struct rxe_dev *rxe, struct rxe_qp *qp, + spin_lock_init(&qp->grp_lock); + spin_lock_init(&qp->state_lock); + ++ spin_lock_init(&qp->req.task.state_lock); ++ spin_lock_init(&qp->resp.task.state_lock); ++ spin_lock_init(&qp->comp.task.state_lock); ++ ++ spin_lock_init(&qp->sq.sq_lock); ++ spin_lock_init(&qp->rq.producer_lock); ++ spin_lock_init(&qp->rq.consumer_lock); ++ + atomic_set(&qp->ssn, 0); + atomic_set(&qp->skb_out, 0); + } +@@ -258,7 +266,6 @@ static int rxe_qp_init_req(struct rxe_dev *rxe, struct rxe_qp *qp, + qp->req.opcode = -1; + qp->comp.opcode = -1; + +- spin_lock_init(&qp->sq.sq_lock); + skb_queue_head_init(&qp->req_pkts); + + rxe_init_task(rxe, &qp->req.task, qp, +@@ -308,9 +315,6 @@ static int rxe_qp_init_resp(struct rxe_dev *rxe, struct rxe_qp *qp, + } + } + +- spin_lock_init(&qp->rq.producer_lock); +- spin_lock_init(&qp->rq.consumer_lock); +- + skb_queue_head_init(&qp->resp_pkts); + + rxe_init_task(rxe, &qp->resp.task, qp, +-- +2.35.1 + diff --git a/queue-4.19/regulator-of-fix-refcount-leak-bug-in-of_get_regulat.patch b/queue-4.19/regulator-of-fix-refcount-leak-bug-in-of_get_regulat.patch new file mode 100644 index 00000000000..d461d0a63b4 --- /dev/null +++ b/queue-4.19/regulator-of-fix-refcount-leak-bug-in-of_get_regulat.patch @@ -0,0 +1,43 @@ +From 08d27c0cea2a44f955a05531f8693f3142a4bdbf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Jul 2022 19:10:27 +0800 +Subject: regulator: of: Fix refcount leak bug in + of_get_regulation_constraints() + +From: Liang He + +[ Upstream commit 66efb665cd5ad69b27dca8571bf89fc6b9c628a4 ] + +We should call the of_node_put() for the reference returned by +of_get_child_by_name() which has increased the refcount. + +Fixes: 40e20d68bb3f ("regulator: of: Add support for parsing regulator_state for suspend state") +Signed-off-by: Liang He +Link: https://lore.kernel.org/r/20220715111027.391032-1-windhl@126.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/of_regulator.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/regulator/of_regulator.c b/drivers/regulator/of_regulator.c +index b255590aef36..b2bd7ee46c45 100644 +--- a/drivers/regulator/of_regulator.c ++++ b/drivers/regulator/of_regulator.c +@@ -189,8 +189,12 @@ static void of_get_regulation_constraints(struct device_node *np, + } + + suspend_np = of_get_child_by_name(np, regulator_states[i]); +- if (!suspend_np || !suspend_state) ++ if (!suspend_np) + continue; ++ if (!suspend_state) { ++ of_node_put(suspend_np); ++ continue; ++ } + + if (!of_property_read_u32(suspend_np, "regulator-mode", + &pval)) { +-- +2.35.1 + diff --git a/queue-4.19/remoteproc-qcom-wcnss-fix-handling-of-irqs.patch b/queue-4.19/remoteproc-qcom-wcnss-fix-handling-of-irqs.patch new file mode 100644 index 00000000000..97380a0d7ad --- /dev/null +++ b/queue-4.19/remoteproc-qcom-wcnss-fix-handling-of-irqs.patch @@ -0,0 +1,60 @@ +From 73eb88cb07600e129036cacf02a10b08ae5816f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 May 2022 19:47:39 +0530 +Subject: remoteproc: qcom: wcnss: Fix handling of IRQs + +From: Sireesh Kodali + +[ Upstream commit bed0adac1ded4cb486ba19a3a7e730fbd9a1c9c6 ] + +The wcnss_get_irq function is expected to return a value > 0 in the +event that an IRQ is succssfully obtained, but it instead returns 0. +This causes the stop and ready IRQs to never actually be used despite +being defined in the device-tree. This patch fixes that. + +Fixes: aed361adca9f ("remoteproc: qcom: Introduce WCNSS peripheral image loader") +Signed-off-by: Sireesh Kodali +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220526141740.15834-2-sireeshkodali1@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/remoteproc/qcom_wcnss.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/remoteproc/qcom_wcnss.c b/drivers/remoteproc/qcom_wcnss.c +index 6cc0f9a5533e..63726d8fb332 100644 +--- a/drivers/remoteproc/qcom_wcnss.c ++++ b/drivers/remoteproc/qcom_wcnss.c +@@ -415,6 +415,7 @@ static int wcnss_request_irq(struct qcom_wcnss *wcnss, + irq_handler_t thread_fn) + { + int ret; ++ int irq_number; + + ret = platform_get_irq_byname(pdev, name); + if (ret < 0 && optional) { +@@ -425,14 +426,19 @@ static int wcnss_request_irq(struct qcom_wcnss *wcnss, + return ret; + } + ++ irq_number = ret; ++ + ret = devm_request_threaded_irq(&pdev->dev, ret, + NULL, thread_fn, + IRQF_TRIGGER_RISING | IRQF_ONESHOT, + "wcnss", wcnss); +- if (ret) ++ if (ret) { + dev_err(&pdev->dev, "request %s IRQ failed\n", name); ++ return ret; ++ } + +- return ret; ++ /* Return the IRQ number if the IRQ was successfully acquired */ ++ return irq_number; + } + + static int wcnss_alloc_memory_region(struct qcom_wcnss *wcnss) +-- +2.35.1 + diff --git a/queue-4.19/rpmsg-qcom_smd-fix-refcount-leak-in-qcom_smd_parse_e.patch b/queue-4.19/rpmsg-qcom_smd-fix-refcount-leak-in-qcom_smd_parse_e.patch new file mode 100644 index 00000000000..261ab53a97f --- /dev/null +++ b/queue-4.19/rpmsg-qcom_smd-fix-refcount-leak-in-qcom_smd_parse_e.patch @@ -0,0 +1,36 @@ +From 47c02dbb265aada112705c9df5e6f9598af51ab8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 May 2022 16:07:37 +0400 +Subject: rpmsg: qcom_smd: Fix refcount leak in qcom_smd_parse_edge + +From: Miaoqian Lin + +[ Upstream commit 65382585f067d4256ba087934f30f85c9b6984de ] + +of_parse_phandle() returns a node pointer with refcount +incremented, we should use of_node_put() on it when done. + +Fixes: 53e2822e56c7 ("rpmsg: Introduce Qualcomm SMD backend") +Signed-off-by: Miaoqian Lin +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220511120737.57374-1-linmq006@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/rpmsg/qcom_smd.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/rpmsg/qcom_smd.c b/drivers/rpmsg/qcom_smd.c +index f23f10887d93..f4f950c231d6 100644 +--- a/drivers/rpmsg/qcom_smd.c ++++ b/drivers/rpmsg/qcom_smd.c +@@ -1364,6 +1364,7 @@ static int qcom_smd_parse_edge(struct device *dev, + } + + edge->ipc_regmap = syscon_node_to_regmap(syscon_np); ++ of_node_put(syscon_np); + if (IS_ERR(edge->ipc_regmap)) { + ret = PTR_ERR(edge->ipc_regmap); + goto put_node; +-- +2.35.1 + diff --git a/queue-4.19/s390-zcore-fix-race-when-reading-from-hardware-syste.patch b/queue-4.19/s390-zcore-fix-race-when-reading-from-hardware-syste.patch new file mode 100644 index 00000000000..452c39d76c8 --- /dev/null +++ b/queue-4.19/s390-zcore-fix-race-when-reading-from-hardware-syste.patch @@ -0,0 +1,84 @@ +From 5b72a411437590cdccd676b026ed026371075f1a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Jul 2022 07:16:33 +0200 +Subject: s390/zcore: fix race when reading from hardware system area + +From: Alexander Gordeev + +[ Upstream commit 9ffed254d938c9e99eb7761c7f739294c84e0367 ] + +Memory buffer used for reading out data from hardware system +area is not protected against concurrent access. + +Reported-by: Matthew Wilcox +Fixes: 411ed3225733 ("[S390] zfcpdump support.") +Acked-by: Heiko Carstens +Tested-by: Alexander Egorenkov +Link: https://lore.kernel.org/r/e68137f0f9a0d2558f37becc20af18e2939934f6.1658206891.git.agordeev@linux.ibm.com +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + drivers/s390/char/zcore.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/s390/char/zcore.c b/drivers/s390/char/zcore.c +index 76d3c50bf078..ba8fc756264b 100644 +--- a/drivers/s390/char/zcore.c ++++ b/drivers/s390/char/zcore.c +@@ -53,6 +53,7 @@ static struct dentry *zcore_reipl_file; + static struct dentry *zcore_hsa_file; + static struct ipl_parameter_block *ipl_block; + ++static DEFINE_MUTEX(hsa_buf_mutex); + static char hsa_buf[PAGE_SIZE] __aligned(PAGE_SIZE); + + /* +@@ -69,19 +70,24 @@ int memcpy_hsa_user(void __user *dest, unsigned long src, size_t count) + if (!hsa_available) + return -ENODATA; + ++ mutex_lock(&hsa_buf_mutex); + while (count) { + if (sclp_sdias_copy(hsa_buf, src / PAGE_SIZE + 2, 1)) { + TRACE("sclp_sdias_copy() failed\n"); ++ mutex_unlock(&hsa_buf_mutex); + return -EIO; + } + offset = src % PAGE_SIZE; + bytes = min(PAGE_SIZE - offset, count); +- if (copy_to_user(dest, hsa_buf + offset, bytes)) ++ if (copy_to_user(dest, hsa_buf + offset, bytes)) { ++ mutex_unlock(&hsa_buf_mutex); + return -EFAULT; ++ } + src += bytes; + dest += bytes; + count -= bytes; + } ++ mutex_unlock(&hsa_buf_mutex); + return 0; + } + +@@ -99,9 +105,11 @@ int memcpy_hsa_kernel(void *dest, unsigned long src, size_t count) + if (!hsa_available) + return -ENODATA; + ++ mutex_lock(&hsa_buf_mutex); + while (count) { + if (sclp_sdias_copy(hsa_buf, src / PAGE_SIZE + 2, 1)) { + TRACE("sclp_sdias_copy() failed\n"); ++ mutex_unlock(&hsa_buf_mutex); + return -EIO; + } + offset = src % PAGE_SIZE; +@@ -111,6 +119,7 @@ int memcpy_hsa_kernel(void *dest, unsigned long src, size_t count) + dest += bytes; + count -= bytes; + } ++ mutex_unlock(&hsa_buf_mutex); + return 0; + } + +-- +2.35.1 + diff --git a/queue-4.19/scripts-faddr2line-fix-vmlinux-detection-on-arm64.patch b/queue-4.19/scripts-faddr2line-fix-vmlinux-detection-on-arm64.patch new file mode 100644 index 00000000000..56ad75592af --- /dev/null +++ b/queue-4.19/scripts-faddr2line-fix-vmlinux-detection-on-arm64.patch @@ -0,0 +1,47 @@ +From 18f4762a09b7a296deebb0eb60a9e22c0d040ee6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Jul 2022 11:01:23 -0700 +Subject: scripts/faddr2line: Fix vmlinux detection on arm64 + +From: Josh Poimboeuf + +[ Upstream commit b6a5068854cfe372da7dee3224dcf023ed5b00cb ] + +Since commit dcea997beed6 ("faddr2line: Fix overlapping text section +failures, the sequel"), faddr2line is completely broken on arm64. + +For some reason, on arm64, the vmlinux ELF object file type is ET_DYN +rather than ET_EXEC. Check for both when determining whether the object +is vmlinux. + +Modules and vmlinux.o have type ET_REL on all arches. + +Fixes: dcea997beed6 ("faddr2line: Fix overlapping text section failures, the sequel") +Reported-by: John Garry +Signed-off-by: Josh Poimboeuf +Signed-off-by: Ingo Molnar +Tested-by: John Garry +Link: https://lore.kernel.org/r/dad1999737471b06d6188ce4cdb11329aa41682c.1658426357.git.jpoimboe@kernel.org +Signed-off-by: Sasha Levin +--- + scripts/faddr2line | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/scripts/faddr2line b/scripts/faddr2line +index 2571caac3156..70f8c3ecd555 100755 +--- a/scripts/faddr2line ++++ b/scripts/faddr2line +@@ -112,7 +112,9 @@ __faddr2line() { + # section offsets. + local file_type=$(${READELF} --file-header $objfile | + ${AWK} '$1 == "Type:" { print $2; exit }') +- [[ $file_type = "EXEC" ]] && is_vmlinux=1 ++ if [[ $file_type = "EXEC" ]] || [[ $file_type == "DYN" ]]; then ++ is_vmlinux=1 ++ fi + + # Go through each of the object's symbols which match the func name. + # In rare cases there might be duplicates, in which case we print all +-- +2.35.1 + diff --git a/queue-4.19/scsi-smartpqi-fix-dma-direction-for-raid-requests.patch b/queue-4.19/scsi-smartpqi-fix-dma-direction-for-raid-requests.patch new file mode 100644 index 00000000000..3ec0ea574d5 --- /dev/null +++ b/queue-4.19/scsi-smartpqi-fix-dma-direction-for-raid-requests.patch @@ -0,0 +1,68 @@ +From 48740fd8f76f0766b52f28e8a9c5b8a9a603036e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Jul 2022 13:47:36 -0500 +Subject: scsi: smartpqi: Fix DMA direction for RAID requests + +From: Mahesh Rajashekhara + +[ Upstream commit 69695aeaa6621bc49cdd7a8e5a8d1042461e496e ] + +Correct a SOP READ and WRITE DMA flags for some requests. + +This update corrects DMA direction issues with SCSI commands removed from +the controller's internal lookup table. + +Currently, SCSI READ BLOCK LIMITS (0x5) was removed from the controller +lookup table and exposed a DMA direction flag issue. + +SCSI READ BLOCK LIMITS was recently removed from our controller lookup +table so the controller uses the respective IU flag field to set the DMA +data direction. Since the DMA direction is incorrect the FW never completes +the request causing a hang. + +Some SCSI commands which use SCSI READ BLOCK LIMITS + + * sg_map + * mt -f /dev/stX status + +After updating controller firmware, users may notice their tape units +failing. This patch resolves the issue. + +Also, the AIO path DMA direction is correct. + +The DMA direction flag is a day-one bug with no reported BZ. + +Fixes: 6c223761eb54 ("smartpqi: initial commit of Microsemi smartpqi driver") +Link: https://lore.kernel.org/r/165730605618.177165.9054223644512926624.stgit@brunhilda +Reviewed-by: Scott Benesh +Reviewed-by: Scott Teel +Reviewed-by: Mike McGowen +Reviewed-by: Kevin Barnett +Signed-off-by: Mahesh Rajashekhara +Signed-off-by: Don Brace +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/smartpqi/smartpqi_init.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/smartpqi/smartpqi_init.c b/drivers/scsi/smartpqi/smartpqi_init.c +index 98f2d076f938..b86cc0342ae3 100644 +--- a/drivers/scsi/smartpqi/smartpqi_init.c ++++ b/drivers/scsi/smartpqi/smartpqi_init.c +@@ -4638,10 +4638,10 @@ static int pqi_raid_submit_scsi_cmd_with_io_request( + } + + switch (scmd->sc_data_direction) { +- case DMA_TO_DEVICE: ++ case DMA_FROM_DEVICE: + request->data_direction = SOP_READ_FLAG; + break; +- case DMA_FROM_DEVICE: ++ case DMA_TO_DEVICE: + request->data_direction = SOP_WRITE_FLAG; + break; + case DMA_NONE: +-- +2.35.1 + diff --git a/queue-4.19/selftests-timers-clocksource-switch-fix-passing-erro.patch b/queue-4.19/selftests-timers-clocksource-switch-fix-passing-erro.patch new file mode 100644 index 00000000000..2432721c0c5 --- /dev/null +++ b/queue-4.19/selftests-timers-clocksource-switch-fix-passing-erro.patch @@ -0,0 +1,43 @@ +From 86f7c5e83acacc7823e7968280028f3e1f693e8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Jul 2022 22:46:17 +0200 +Subject: selftests: timers: clocksource-switch: fix passing errors from child + +From: Wolfram Sang + +[ Upstream commit 4d8f52ac5fa9eede7b7aa2f2d67c841d9eeb655f ] + +The return value from system() is a waitpid-style integer. Do not return +it directly because with the implicit masking in exit() it will always +return 0. Access it with appropriate macros to really pass on errors. + +Fixes: 7290ce1423c3 ("selftests/timers: Add clocksource-switch test from timetest suite") +Signed-off-by: Wolfram Sang +Acked-by: John Stultz +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/timers/clocksource-switch.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/tools/testing/selftests/timers/clocksource-switch.c b/tools/testing/selftests/timers/clocksource-switch.c +index bfc974b4572d..c18313a5f357 100644 +--- a/tools/testing/selftests/timers/clocksource-switch.c ++++ b/tools/testing/selftests/timers/clocksource-switch.c +@@ -110,10 +110,10 @@ int run_tests(int secs) + + sprintf(buf, "./inconsistency-check -t %i", secs); + ret = system(buf); +- if (ret) +- return ret; ++ if (WIFEXITED(ret) && WEXITSTATUS(ret)) ++ return WEXITSTATUS(ret); + ret = system("./nanosleep"); +- return ret; ++ return WIFEXITED(ret) ? WEXITSTATUS(ret) : 0; + } + + +-- +2.35.1 + diff --git a/queue-4.19/selftests-timers-valid-adjtimex-build-fix-for-newer-.patch b/queue-4.19/selftests-timers-valid-adjtimex-build-fix-for-newer-.patch new file mode 100644 index 00000000000..8fe14d87f3f --- /dev/null +++ b/queue-4.19/selftests-timers-valid-adjtimex-build-fix-for-newer-.patch @@ -0,0 +1,42 @@ +From d68283f9b3813e98a3f11a5af410370fdf7d6948 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Jul 2022 22:46:13 +0200 +Subject: selftests: timers: valid-adjtimex: build fix for newer toolchains +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Wolfram Sang + +[ Upstream commit 9a162977d20436be5678a8e21a8e58eb4616d86a ] + +Toolchains with an include file 'sys/timex.h' based on 3.18 will have a +'clock_adjtime' definition added, so it can't be static in the code: + +valid-adjtimex.c:43:12: error: static declaration of ‘clock_adjtime’ follows non-static declaration + +Fixes: e03a58c320e1 ("kselftests: timers: Add adjtimex SETOFFSET validity tests") +Signed-off-by: Wolfram Sang +Acked-by: John Stultz +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/timers/valid-adjtimex.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/timers/valid-adjtimex.c b/tools/testing/selftests/timers/valid-adjtimex.c +index 5397de708d3c..48b9a803235a 100644 +--- a/tools/testing/selftests/timers/valid-adjtimex.c ++++ b/tools/testing/selftests/timers/valid-adjtimex.c +@@ -40,7 +40,7 @@ + #define ADJ_SETOFFSET 0x0100 + + #include +-static int clock_adjtime(clockid_t id, struct timex *tx) ++int clock_adjtime(clockid_t id, struct timex *tx) + { + return syscall(__NR_clock_adjtime, id, tx); + } +-- +2.35.1 + diff --git a/queue-4.19/selinux-add-boundary-check-in-put_entry.patch b/queue-4.19/selinux-add-boundary-check-in-put_entry.patch new file mode 100644 index 00000000000..110ada7a2ed --- /dev/null +++ b/queue-4.19/selinux-add-boundary-check-in-put_entry.patch @@ -0,0 +1,35 @@ +From d3a6f822df66803e4bbc6b07b288d861ef3d9459 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Jun 2022 10:14:49 +0800 +Subject: selinux: Add boundary check in put_entry() + +From: Xiu Jianfeng + +[ Upstream commit 15ec76fb29be31df2bccb30fc09875274cba2776 ] + +Just like next_entry(), boundary check is necessary to prevent memory +out-of-bound access. + +Signed-off-by: Xiu Jianfeng +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + security/selinux/ss/policydb.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h +index 215f8f30ac5a..2a479785ebd4 100644 +--- a/security/selinux/ss/policydb.h ++++ b/security/selinux/ss/policydb.h +@@ -360,6 +360,8 @@ static inline int put_entry(const void *buf, size_t bytes, int num, struct polic + { + size_t len = bytes * num; + ++ if (len > fp->len) ++ return -EINVAL; + memcpy(fp->data, buf, len); + fp->data += len; + fp->len -= len; +-- +2.35.1 + diff --git a/queue-4.19/serial-8250_dw-store-lsr-into-lsr_saved_flags-in-dw8.patch b/queue-4.19/serial-8250_dw-store-lsr-into-lsr_saved_flags-in-dw8.patch new file mode 100644 index 00000000000..e8b23120f3b --- /dev/null +++ b/queue-4.19/serial-8250_dw-store-lsr-into-lsr_saved_flags-in-dw8.patch @@ -0,0 +1,54 @@ +From 960683d8ebeb3bf7498d4f64435f9b7c5ad91c0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jun 2022 12:54:31 +0300 +Subject: serial: 8250_dw: Store LSR into lsr_saved_flags in + dw8250_tx_wait_empty() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit af14f3007e2dca0d112f10f6717ba43093f74e81 ] + +Make sure LSR flags are preserved in dw8250_tx_wait_empty(). This +function is called from a low-level out function and therefore cannot +call serial_lsr_in() as it would lead to infinite recursion. + +It is borderline if the flags need to be saved here at all since this +code relates to writing LCR register which usually implies no important +characters should be arriving. + +Fixes: 914eaf935ec7 ("serial: 8250_dw: Allow TX FIFO to drain before writing to UART_LCR") +Reviewed-by: Andy Shevchenko +Signed-off-by: Ilpo Järvinen +Link: https://lore.kernel.org/r/20220608095431.18376-7-ilpo.jarvinen@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/8250/8250_dw.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/tty/serial/8250/8250_dw.c b/drivers/tty/serial/8250/8250_dw.c +index c73d0eddd9b8..cc9d1f416db8 100644 +--- a/drivers/tty/serial/8250/8250_dw.c ++++ b/drivers/tty/serial/8250/8250_dw.c +@@ -140,12 +140,15 @@ static void dw8250_check_lcr(struct uart_port *p, int value) + /* Returns once the transmitter is empty or we run out of retries */ + static void dw8250_tx_wait_empty(struct uart_port *p) + { ++ struct uart_8250_port *up = up_to_u8250p(p); + unsigned int tries = 20000; + unsigned int delay_threshold = tries - 1000; + unsigned int lsr; + + while (tries--) { + lsr = readb (p->membase + (UART_LSR << p->regshift)); ++ up->lsr_saved_flags |= lsr & LSR_SAVE_FLAGS; ++ + if (lsr & UART_LSR_TEMT) + break; + +-- +2.35.1 + diff --git a/queue-4.19/series b/queue-4.19/series index 25ed5ce9701..ace4bbfcf45 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -38,3 +38,152 @@ usb-hcd-fix-urb-giveback-issue-in-tasklet-function.patch usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch netfilter-nf_tables-do-not-allow-set_id-to-refer-to-another-table.patch netfilter-nf_tables-fix-null-deref-due-to-zeroed-list-head.patch +arm64-do-not-forget-syscall-when-starting-a-new-thre.patch +arm64-fix-oops-in-concurrently-setting-insn_emulatio.patch +ext2-add-more-validity-checks-for-inode-counts.patch +genirq-generic_irq_ipi-depends-on-smp.patch +arm-dts-imx6ul-add-missing-properties-for-sram.patch +arm-dts-imx6ul-change-operating-points-to-uint32-mat.patch +arm-dts-imx6ul-fix-lcdif-node-compatible.patch +arm-dts-imx6ul-fix-qspi-node-compatible.patch +arm-omap2-display-fix-refcount-leak-bug.patch +acpi-ec-remove-duplicate-thinkpad-x1-carbon-6th-entr.patch +acpi-pm-save-nvs-memory-for-lenovo-g40-45.patch +acpi-lpss-fix-missing-check-in-register_device_clock.patch +arm64-dts-qcom-ipq8074-fix-nand-node-name.patch +hwmon-sht15-fix-wrong-assumptions-in-device-remove-c.patch +pm-hibernate-defer-device-probing-when-resuming-from.patch +selinux-add-boundary-check-in-put_entry.patch +netfilter-nf_tables-add-rescheduling-points-during-l.patch +arm-findbit-fix-overflowing-offset.patch +meson-mx-socinfo-fix-refcount-leak-in-meson_mx_socin.patch +arm-bcm-fix-refcount-leak-in-bcm_kona_smc_init.patch +x86-pmem-fix-platform-device-leak-in-error-path.patch +arm-dts-ast2500-evb-fix-board-compatible.patch +soc-fsl-guts-machine-variable-might-be-unset.patch +arm-omap2-fix-refcount-leak-in-omap3xxx_prm_late_ini.patch +cpufreq-zynq-fix-refcount-leak-in-zynq_get_revision.patch +arm-dts-qcom-pm8841-add-required-thermal-sensor-cell.patch +bus-hisi_lpc-fix-missing-platform_device_put-in-hisi.patch +arm64-dts-qcom-msm8916-fix-typo-in-pronto-remoteproc.patch +regulator-of-fix-refcount-leak-bug-in-of_get_regulat.patch +nohz-full-sched-rt-fix-missed-tick-reenabling-bug-in.patch +thermal-tools-tmon-include-pthread-and-time-headers-.patch +dm-return-early-from-dm_pr_call-if-dm-device-is-susp.patch +ath10k-do-not-enforce-interrupt-trigger-type.patch +wifi-rtlwifi-fix-error-codes-in-rtl_debugfs_set_writ.patch +drm-radeon-fix-potential-buffer-overflow-in-ni_set_m.patch +drm-mediatek-add-pull-down-mipi-operation-in-mtk_dsi.patch +i2c-fix-a-potential-use-after-free.patch +media-tw686x-register-the-irq-at-the-end-of-probe.patch +ath9k-fix-use-after-free-in-ath9k_hif_usb_rx_cb.patch +wifi-iwlegacy-4965-fix-potential-off-by-one-overflow.patch +drm-bridge-adv7511-add-check-for-mipi_dsi_driver_reg.patch +media-hdpvr-fix-error-value-returns-in-hdpvr_read.patch +drm-vc4-dsi-correct-dsi-divider-calculations.patch +drm-rockchip-vop-don-t-crash-for-invalid-duplicate_s.patch +drm-mediatek-dpi-remove-output-format-of-yuv.patch +drm-msm-hdmi-enable-core-vcc-core-vdda-supply-for-89.patch +drm-bridge-sii8620-fix-possible-off-by-one.patch +drm-msm-mdp5-fix-global-state-lock-backoff.patch +crypto-hisilicon-kunpeng916-crypto-driver-don-t-slee.patch +media-platform-mtk-mdp-fix-mdp_ipi_comm-structure-al.patch +mediatek-mt76-mac80211-fix-missing-of_node_put-in-mt.patch +tcp-make-retransmitted-skb-fit-into-the-send-window.patch +libbpf-fix-the-name-of-a-reused-map.patch +selftests-timers-valid-adjtimex-build-fix-for-newer-.patch +selftests-timers-clocksource-switch-fix-passing-erro.patch +fs-check-fmode_lseek-to-control-internal-pipe-splici.patch +wifi-wil6210-debugfs-fix-info-leak-in-wil_write_file.patch +wifi-p54-fix-an-error-handling-path-in-p54spi_probe.patch +wifi-p54-add-missing-parentheses-in-p54_flush.patch +can-pch_can-do-not-report-txerr-and-rxerr-during-bus.patch +can-rcar_can-do-not-report-txerr-and-rxerr-during-bu.patch +can-sja1000-do-not-report-txerr-and-rxerr-during-bus.patch +can-hi311x-do-not-report-txerr-and-rxerr-during-bus-.patch +can-sun4i_can-do-not-report-txerr-and-rxerr-during-b.patch +can-kvaser_usb_hydra-do-not-report-txerr-and-rxerr-d.patch +can-kvaser_usb_leaf-do-not-report-txerr-and-rxerr-du.patch +can-usb_8dev-do-not-report-txerr-and-rxerr-during-bu.patch +can-error-specify-the-values-of-data-5.7-of-can-erro.patch +can-pch_can-pch_can_error-initialize-errc-before-usi.patch +bluetooth-hci_intel-add-check-for-platform_driver_re.patch +i2c-cadence-support-pec-for-smbus-block-read.patch +i2c-mux-gpmux-add-of_node_put-when-breaking-out-of-l.patch +wifi-wil6210-debugfs-fix-uninitialized-variable-use-.patch +wifi-libertas-fix-possible-refcount-leak-in-if_usb_p.patch +net-mlx5e-fix-the-value-of-mlx5e_max_rq_num_mtts.patch +netdevsim-avoid-allocation-warnings-triggered-from-u.patch +net-rose-fix-netdev-reference-changes.patch +dccp-put-dccp_qpolicy_full-and-dccp_qpolicy_push-in-.patch +clk-renesas-r9a06g032-fix-uart-clkgrp-bitsel.patch +mtd-maps-fix-refcount-leak-in-of_flash_probe_versati.patch +mtd-maps-fix-refcount-leak-in-ap_flash_init.patch +hid-cp2112-prevent-a-buffer-overflow-in-cp2112_xfer.patch +mtd-sm_ftl-fix-deadlock-caused-by-cancel_work_sync-i.patch +mtd-st_spi_fsm-add-a-clk_disable_unprepare-in-.probe.patch +fpga-altera-pr-ip-fix-unsigned-comparison-with-less-.patch +usb-host-fix-refcount-leak-in-ehci_hcd_ppc_of_probe.patch +usb-ohci-nxp-fix-refcount-leak-in-ohci_hcd_nxp_probe.patch +misc-rtsx-fix-an-error-handling-path-in-rtsx_pci_pro.patch +clk-qcom-ipq8074-fix-nss-port-frequency-tables.patch +clk-qcom-ipq8074-set-branch_halt_delay-flag-for-ubi-.patch +soundwire-bus_type-fix-remove-and-shutdown-support.patch +staging-rtl8192u-fix-sleep-in-atomic-context-bug-in-.patch +mmc-sdhci-of-esdhc-fix-refcount-leak-in-esdhc_signal.patch +memstick-ms_block-fix-some-incorrect-memory-allocati.patch +memstick-ms_block-fix-a-memory-leak.patch +mmc-sdhci-of-at91-fix-set_uhs_signaling-rewriting-of.patch +pci-portdrv-don-t-disable-aer-reporting-in-get_port_.patch +scsi-smartpqi-fix-dma-direction-for-raid-requests.patch +usb-gadget-udc-amd5536-depends-on-has_dma.patch +rdma-hfi1-fix-potential-memory-leak-in-setup_base_ct.patch +gpio-gpiolib-of-fix-refcount-bugs-in-of_mm_gpiochip_.patch +mmc-cavium-octeon-add-of_node_put-when-breaking-out-.patch +mmc-cavium-thunderx-add-of_node_put-when-breaking-ou.patch +hid-alps-declare-u1_unicorn_legacy-support.patch +usb-serial-fix-tty-port-initialized-comments.patch +platform-olpc-fix-uninitialized-data-in-debugfs-writ.patch +mm-mmap.c-fix-missing-call-to-vm_unacct_memory-in-mm.patch +rdma-rxe-fix-error-unwind-in-rxe_create_qp.patch +null_blk-fix-ida-error-handling-in-null_add_dev.patch +ext4-recover-csum-seed-of-tmp_inode-after-migrating-.patch +jbd2-fix-assertion-jh-b_frozen_data-null-failure-whe.patch +asoc-mediatek-mt8173-fix-refcount-leak-in-mt8173_rt5.patch +asoc-mt6797-mt6351-fix-refcount-leak-in-mt6797_mt635.patch +asoc-codecs-da7210-add-check-for-i2c_add_driver.patch +asoc-mediatek-mt8173-rt5650-fix-refcount-leak-in-mt8.patch +serial-8250_dw-store-lsr-into-lsr_saved_flags-in-dw8.patch +profiling-fix-shift-too-large-makes-kernel-panic.patch +tty-n_gsm-fix-non-flow-control-frames-during-mux-flo.patch +tty-n_gsm-fix-packet-re-transmission-without-open-co.patch +tty-n_gsm-fix-race-condition-in-gsmld_write.patch +remoteproc-qcom-wcnss-fix-handling-of-irqs.patch +vfio-ccw-do-not-change-fsm-state-in-subchannel-event.patch +tty-n_gsm-fix-wrong-t1-retry-count-handling.patch +tty-n_gsm-fix-dm-command.patch +tty-n_gsm-fix-missing-corner-cases-in-gsmld_poll.patch +iommu-exynos-handle-failed-iommu-device-registration.patch +rpmsg-qcom_smd-fix-refcount-leak-in-qcom_smd_parse_e.patch +kfifo-fix-kfifo_to_user-return-type.patch +mfd-t7l66xb-drop-platform-disable-callback.patch +iommu-arm-smmu-qcom_iommu-add-of_node_put-when-break.patch +s390-zcore-fix-race-when-reading-from-hardware-syste.patch +asoc-qcom-q6dsp-fix-an-off-by-one-in-q6adm_alloc_cop.patch +video-fbdev-amba-clcd-fix-refcount-leak-bugs.patch +video-fbdev-sis-fix-typos-in-sis_getmodeid.patch +powerpc-32-do-not-allow-selection-of-e5500-or-e6500-.patch +powerpc-pci-prefer-pci-domain-assignment-via-dt-linu.patch +powerpc-spufs-fix-refcount-leak-in-spufs_init_isolat.patch +powerpc-xive-fix-refcount-leak-in-xive_get_max_prio.patch +powerpc-cell-axon_msi-fix-refcount-leak-in-setup_msi.patch +kprobes-forbid-probing-on-trampoline-and-bpf-code-ar.patch +powerpc-pci-fix-phb-numbering-when-using-opal-phbid.patch +genelf-use-have_libcrypto_support-not-the-never-defi.patch +scripts-faddr2line-fix-vmlinux-detection-on-arm64.patch +x86-numa-use-cpumask_available-instead-of-hardcoded-.patch +video-fbdev-arkfb-fix-a-divide-by-zero-bug-in-ark_se.patch +tools-thermal-fix-possible-path-truncations.patch +video-fbdev-vt8623fb-check-the-size-of-screen-before.patch +video-fbdev-arkfb-check-the-size-of-screen-before-me.patch +video-fbdev-s3fb-check-the-size-of-screen-before-mem.patch diff --git a/queue-4.19/soc-fsl-guts-machine-variable-might-be-unset.patch b/queue-4.19/soc-fsl-guts-machine-variable-might-be-unset.patch new file mode 100644 index 00000000000..996909b4e69 --- /dev/null +++ b/queue-4.19/soc-fsl-guts-machine-variable-might-be-unset.patch @@ -0,0 +1,37 @@ +From 93f29dcd987a2ab7ac38aedbb97548131f9c2b0c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Apr 2022 11:56:03 +0200 +Subject: soc: fsl: guts: machine variable might be unset + +From: Michael Walle + +[ Upstream commit ab3f045774f704c4e7b6a878102f4e9d4ae7bc74 ] + +If both the model and the compatible properties are missing, then +machine will not be set. Initialize it with NULL. + +Fixes: 34c1c21e94ac ("soc: fsl: fix section mismatch build warnings") +Signed-off-by: Michael Walle +Acked-by: Arnd Bergmann +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + drivers/soc/fsl/guts.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soc/fsl/guts.c b/drivers/soc/fsl/guts.c +index 302e0c8d69d9..6693c32e7447 100644 +--- a/drivers/soc/fsl/guts.c ++++ b/drivers/soc/fsl/guts.c +@@ -136,7 +136,7 @@ static int fsl_guts_probe(struct platform_device *pdev) + struct device *dev = &pdev->dev; + struct resource *res; + const struct fsl_soc_die_attr *soc_die; +- const char *machine; ++ const char *machine = NULL; + u32 svr; + + /* Initialize guts */ +-- +2.35.1 + diff --git a/queue-4.19/soundwire-bus_type-fix-remove-and-shutdown-support.patch b/queue-4.19/soundwire-bus_type-fix-remove-and-shutdown-support.patch new file mode 100644 index 00000000000..1aa95a938b0 --- /dev/null +++ b/queue-4.19/soundwire-bus_type-fix-remove-and-shutdown-support.patch @@ -0,0 +1,54 @@ +From 2899df05e534f0c6b0ce1395cb9206eff315e805 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jun 2022 09:51:05 +0800 +Subject: soundwire: bus_type: fix remove and shutdown support + +From: Pierre-Louis Bossart + +[ Upstream commit df6407782964dc7e35ad84230abb38f46314b245 ] + +The bus sdw_drv_remove() and sdw_drv_shutdown() helpers are used +conditionally, if the driver provides these routines. + +These helpers already test if the driver provides a .remove or +.shutdown callback, so there's no harm in invoking the +sdw_drv_remove() and sdw_drv_shutdown() unconditionally. + +In addition, the current code is imbalanced with +dev_pm_domain_attach() called from sdw_drv_probe(), but +dev_pm_domain_detach() called from sdw_drv_remove() only if the driver +provides a .remove callback. + +Fixes: 9251345dca24b ("soundwire: Add SoundWire bus type") +Signed-off-by: Pierre-Louis Bossart +Reviewed-by: Rander Wang +Signed-off-by: Bard Liao +Link: https://lore.kernel.org/r/20220610015105.25987-1-yung-chuan.liao@linux.intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/soundwire/bus_type.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/drivers/soundwire/bus_type.c b/drivers/soundwire/bus_type.c +index 283b2832728e..414621f3c43c 100644 +--- a/drivers/soundwire/bus_type.c ++++ b/drivers/soundwire/bus_type.c +@@ -154,12 +154,8 @@ int __sdw_register_driver(struct sdw_driver *drv, struct module *owner) + + drv->driver.owner = owner; + drv->driver.probe = sdw_drv_probe; +- +- if (drv->remove) +- drv->driver.remove = sdw_drv_remove; +- +- if (drv->shutdown) +- drv->driver.shutdown = sdw_drv_shutdown; ++ drv->driver.remove = sdw_drv_remove; ++ drv->driver.shutdown = sdw_drv_shutdown; + + return driver_register(&drv->driver); + } +-- +2.35.1 + diff --git a/queue-4.19/staging-rtl8192u-fix-sleep-in-atomic-context-bug-in-.patch b/queue-4.19/staging-rtl8192u-fix-sleep-in-atomic-context-bug-in-.patch new file mode 100644 index 00000000000..e3ee89e63e9 --- /dev/null +++ b/queue-4.19/staging-rtl8192u-fix-sleep-in-atomic-context-bug-in-.patch @@ -0,0 +1,150 @@ +From 16ebfdba7d54034ecd6c8e7abb6e901d93d6a527 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Jul 2022 18:30:02 +0800 +Subject: staging: rtl8192u: Fix sleep in atomic context bug in + dm_fsync_timer_callback + +From: Duoming Zhou + +[ Upstream commit 6a0c054930d554ad8f8044ef1fc856d9da391c81 ] + +There are sleep in atomic context bugs when dm_fsync_timer_callback is +executing. The root cause is that the memory allocation functions with +GFP_KERNEL or GFP_NOIO parameters are called in dm_fsync_timer_callback +which is a timer handler. The call paths that could trigger bugs are +shown below: + + (interrupt context) +dm_fsync_timer_callback + write_nic_byte + kzalloc(sizeof(data), GFP_KERNEL); //may sleep + usb_control_msg + kmalloc(.., GFP_NOIO); //may sleep + write_nic_dword + kzalloc(sizeof(data), GFP_KERNEL); //may sleep + usb_control_msg + kmalloc(.., GFP_NOIO); //may sleep + +This patch uses delayed work to replace timer and moves the operations +that may sleep into the delayed work in order to mitigate bugs. + +Fixes: 8fc8598e61f6 ("Staging: Added Realtek rtl8192u driver to staging") +Signed-off-by: Duoming Zhou +Link: https://lore.kernel.org/r/20220710103002.63283-1-duoming@zju.edu.cn +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/rtl8192u/r8192U.h | 2 +- + drivers/staging/rtl8192u/r8192U_dm.c | 38 +++++++++++++--------------- + drivers/staging/rtl8192u/r8192U_dm.h | 2 +- + 3 files changed, 20 insertions(+), 22 deletions(-) + +diff --git a/drivers/staging/rtl8192u/r8192U.h b/drivers/staging/rtl8192u/r8192U.h +index 94a148994069..2c3b33304173 100644 +--- a/drivers/staging/rtl8192u/r8192U.h ++++ b/drivers/staging/rtl8192u/r8192U.h +@@ -1000,7 +1000,7 @@ typedef struct r8192_priv { + bool bis_any_nonbepkts; + bool bcurrent_turbo_EDCA; + bool bis_cur_rdlstate; +- struct timer_list fsync_timer; ++ struct delayed_work fsync_work; + bool bfsync_processing; /* 500ms Fsync timer is active or not */ + u32 rate_record; + u32 rateCountDiffRecord; +diff --git a/drivers/staging/rtl8192u/r8192U_dm.c b/drivers/staging/rtl8192u/r8192U_dm.c +index 5fb5f583f703..c24a29189545 100644 +--- a/drivers/staging/rtl8192u/r8192U_dm.c ++++ b/drivers/staging/rtl8192u/r8192U_dm.c +@@ -2627,19 +2627,20 @@ static void dm_init_fsync(struct net_device *dev) + priv->ieee80211->fsync_seconddiff_ratethreshold = 200; + priv->ieee80211->fsync_state = Default_Fsync; + priv->framesyncMonitor = 1; /* current default 0xc38 monitor on */ +- timer_setup(&priv->fsync_timer, dm_fsync_timer_callback, 0); ++ INIT_DELAYED_WORK(&priv->fsync_work, dm_fsync_work_callback); + } + + static void dm_deInit_fsync(struct net_device *dev) + { + struct r8192_priv *priv = ieee80211_priv(dev); + +- del_timer_sync(&priv->fsync_timer); ++ cancel_delayed_work_sync(&priv->fsync_work); + } + +-void dm_fsync_timer_callback(struct timer_list *t) ++void dm_fsync_work_callback(struct work_struct *work) + { +- struct r8192_priv *priv = from_timer(priv, t, fsync_timer); ++ struct r8192_priv *priv = ++ container_of(work, struct r8192_priv, fsync_work.work); + struct net_device *dev = priv->ieee80211->dev; + u32 rate_index, rate_count = 0, rate_count_diff = 0; + bool bSwitchFromCountDiff = false; +@@ -2706,17 +2707,16 @@ void dm_fsync_timer_callback(struct timer_list *t) + } + } + if (bDoubleTimeInterval) { +- if (timer_pending(&priv->fsync_timer)) +- del_timer_sync(&priv->fsync_timer); +- priv->fsync_timer.expires = jiffies + +- msecs_to_jiffies(priv->ieee80211->fsync_time_interval*priv->ieee80211->fsync_multiple_timeinterval); +- add_timer(&priv->fsync_timer); ++ cancel_delayed_work_sync(&priv->fsync_work); ++ schedule_delayed_work(&priv->fsync_work, ++ msecs_to_jiffies(priv ++ ->ieee80211->fsync_time_interval * ++ priv->ieee80211->fsync_multiple_timeinterval)); + } else { +- if (timer_pending(&priv->fsync_timer)) +- del_timer_sync(&priv->fsync_timer); +- priv->fsync_timer.expires = jiffies + +- msecs_to_jiffies(priv->ieee80211->fsync_time_interval); +- add_timer(&priv->fsync_timer); ++ cancel_delayed_work_sync(&priv->fsync_work); ++ schedule_delayed_work(&priv->fsync_work, ++ msecs_to_jiffies(priv ++ ->ieee80211->fsync_time_interval)); + } + } else { + /* Let Register return to default value; */ +@@ -2744,7 +2744,7 @@ static void dm_EndSWFsync(struct net_device *dev) + struct r8192_priv *priv = ieee80211_priv(dev); + + RT_TRACE(COMP_HALDM, "%s\n", __func__); +- del_timer_sync(&(priv->fsync_timer)); ++ cancel_delayed_work_sync(&priv->fsync_work); + + /* Let Register return to default value; */ + if (priv->bswitch_fsync) { +@@ -2786,11 +2786,9 @@ static void dm_StartSWFsync(struct net_device *dev) + if (priv->ieee80211->fsync_rate_bitmap & rateBitmap) + priv->rate_record += priv->stats.received_rate_histogram[1][rateIndex]; + } +- if (timer_pending(&priv->fsync_timer)) +- del_timer_sync(&priv->fsync_timer); +- priv->fsync_timer.expires = jiffies + +- msecs_to_jiffies(priv->ieee80211->fsync_time_interval); +- add_timer(&priv->fsync_timer); ++ cancel_delayed_work_sync(&priv->fsync_work); ++ schedule_delayed_work(&priv->fsync_work, ++ msecs_to_jiffies(priv->ieee80211->fsync_time_interval)); + + write_nic_dword(dev, rOFDM0_RxDetector2, 0x465c12cd); + +diff --git a/drivers/staging/rtl8192u/r8192U_dm.h b/drivers/staging/rtl8192u/r8192U_dm.h +index 0de0332906bd..eeb03130de15 100644 +--- a/drivers/staging/rtl8192u/r8192U_dm.h ++++ b/drivers/staging/rtl8192u/r8192U_dm.h +@@ -167,7 +167,7 @@ void dm_force_tx_fw_info(struct net_device *dev, + void dm_init_edca_turbo(struct net_device *dev); + void dm_rf_operation_test_callback(unsigned long data); + void dm_rf_pathcheck_workitemcallback(struct work_struct *work); +-void dm_fsync_timer_callback(struct timer_list *t); ++void dm_fsync_work_callback(struct work_struct *work); + void dm_cck_txpower_adjust(struct net_device *dev, bool binch14); + void dm_shadow_init(struct net_device *dev); + void dm_initialize_txpower_tracking(struct net_device *dev); +-- +2.35.1 + diff --git a/queue-4.19/tcp-make-retransmitted-skb-fit-into-the-send-window.patch b/queue-4.19/tcp-make-retransmitted-skb-fit-into-the-send-window.patch new file mode 100644 index 00000000000..d4711bee3a6 --- /dev/null +++ b/queue-4.19/tcp-make-retransmitted-skb-fit-into-the-send-window.patch @@ -0,0 +1,112 @@ +From 5a9cfee6744f1725aad44bdb336fe41c35c1ac95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Jul 2022 17:47:18 +0800 +Subject: tcp: make retransmitted SKB fit into the send window + +From: Yonglong Li + +[ Upstream commit 536a6c8e05f95e3d1118c40ae8b3022ee2d05d52 ] + +current code of __tcp_retransmit_skb only check TCP_SKB_CB(skb)->seq +in send window, and TCP_SKB_CB(skb)->seq_end maybe out of send window. +If receiver has shrunk his window, and skb is out of new window, it +should retransmit a smaller portion of the payload. + +test packetdrill script: + 0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3 + +0 fcntl(3, F_GETFL) = 0x2 (flags O_RDWR) + +0 fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0 + + +0 connect(3, ..., ...) = -1 EINPROGRESS (Operation now in progress) + +0 > S 0:0(0) win 65535 + +.05 < S. 0:0(0) ack 1 win 6000 + +0 > . 1:1(0) ack 1 + + +0 write(3, ..., 10000) = 10000 + + +0 > . 1:2001(2000) ack 1 win 65535 + +0 > . 2001:4001(2000) ack 1 win 65535 + +0 > . 4001:6001(2000) ack 1 win 65535 + + +.05 < . 1:1(0) ack 4001 win 1001 + +and tcpdump show: +192.168.226.67.55 > 192.0.2.1.8080: Flags [.], seq 1:2001, ack 1, win 65535, length 2000 +192.168.226.67.55 > 192.0.2.1.8080: Flags [.], seq 2001:4001, ack 1, win 65535, length 2000 +192.168.226.67.55 > 192.0.2.1.8080: Flags [P.], seq 4001:5001, ack 1, win 65535, length 1000 +192.168.226.67.55 > 192.0.2.1.8080: Flags [.], seq 5001:6001, ack 1, win 65535, length 1000 +192.0.2.1.8080 > 192.168.226.67.55: Flags [.], ack 4001, win 1001, length 0 +192.168.226.67.55 > 192.0.2.1.8080: Flags [.], seq 5001:6001, ack 1, win 65535, length 1000 +192.168.226.67.55 > 192.0.2.1.8080: Flags [P.], seq 4001:5001, ack 1, win 65535, length 1000 + +when cient retract window to 1001, send window is [4001,5002], +but TLP send 5001-6001 packet which is out of send window. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Yonglong Li +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/1657532838-20200-1-git-send-email-liyonglong@chinatelecom.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_output.c | 23 ++++++++++++++++------- + 1 file changed, 16 insertions(+), 7 deletions(-) + +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index 3090b61e4edd..995306dc458a 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -2856,7 +2856,7 @@ int __tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb, int segs) + struct tcp_sock *tp = tcp_sk(sk); + unsigned int cur_mss; + int diff, len, err; +- ++ int avail_wnd; + + /* Inconclusive MTU probe */ + if (icsk->icsk_mtup.probe_size) +@@ -2886,17 +2886,25 @@ int __tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb, int segs) + return -EHOSTUNREACH; /* Routing failure or similar. */ + + cur_mss = tcp_current_mss(sk); ++ avail_wnd = tcp_wnd_end(tp) - TCP_SKB_CB(skb)->seq; + + /* If receiver has shrunk his window, and skb is out of + * new window, do not retransmit it. The exception is the + * case, when window is shrunk to zero. In this case +- * our retransmit serves as a zero window probe. ++ * our retransmit of one segment serves as a zero window probe. + */ +- if (!before(TCP_SKB_CB(skb)->seq, tcp_wnd_end(tp)) && +- TCP_SKB_CB(skb)->seq != tp->snd_una) +- return -EAGAIN; ++ if (avail_wnd <= 0) { ++ if (TCP_SKB_CB(skb)->seq != tp->snd_una) ++ return -EAGAIN; ++ avail_wnd = cur_mss; ++ } + + len = cur_mss * segs; ++ if (len > avail_wnd) { ++ len = rounddown(avail_wnd, cur_mss); ++ if (!len) ++ len = avail_wnd; ++ } + if (skb->len > len) { + if (tcp_fragment(sk, TCP_FRAG_IN_RTX_QUEUE, skb, len, + cur_mss, GFP_ATOMIC)) +@@ -2910,8 +2918,9 @@ int __tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb, int segs) + diff -= tcp_skb_pcount(skb); + if (diff) + tcp_adjust_pcount(sk, skb, diff); +- if (skb->len < cur_mss) +- tcp_retrans_try_collapse(sk, skb, cur_mss); ++ avail_wnd = min_t(int, avail_wnd, cur_mss); ++ if (skb->len < avail_wnd) ++ tcp_retrans_try_collapse(sk, skb, avail_wnd); + } + + /* RFC3168, section 6.1.1.1. ECN fallback */ +-- +2.35.1 + diff --git a/queue-4.19/thermal-tools-tmon-include-pthread-and-time-headers-.patch b/queue-4.19/thermal-tools-tmon-include-pthread-and-time-headers-.patch new file mode 100644 index 00000000000..ce5907aa717 --- /dev/null +++ b/queue-4.19/thermal-tools-tmon-include-pthread-and-time-headers-.patch @@ -0,0 +1,62 @@ +From 2a19c98fef76dcd09b06ed07e7723aded17523d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Jul 2022 20:10:39 -0700 +Subject: thermal/tools/tmon: Include pthread and time headers in tmon.h +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Markus Mayer + +[ Upstream commit 0cf51bfe999524377fbb71becb583b4ca6d07cfc ] + +Include sys/time.h and pthread.h in tmon.h, so that types +"pthread_mutex_t" and "struct timeval tv" are known when tmon.h +references them. + +Without these headers, compiling tmon against musl-libc will fail with +these errors: + +In file included from sysfs.c:31:0: +tmon.h:47:8: error: unknown type name 'pthread_mutex_t' + extern pthread_mutex_t input_lock; + ^~~~~~~~~~~~~~~ +make[3]: *** [: sysfs.o] Error 1 +make[3]: *** Waiting for unfinished jobs.... +In file included from tui.c:31:0: +tmon.h:54:17: error: field 'tv' has incomplete type + struct timeval tv; + ^~ +make[3]: *** [: tui.o] Error 1 +make[2]: *** [Makefile:83: tmon] Error 2 + +Signed-off-by: Markus Mayer +Acked-by: Florian Fainelli +Reviewed-by: Sumeet Pawnikar +Acked-by: Alejandro González +Tested-by: Alejandro González +Fixes: 94f69966faf8 ("tools/thermal: Introduce tmon, a tool for thermal subsystem") +Link: https://lore.kernel.org/r/20220718031040.44714-1-f.fainelli@gmail.com +Signed-off-by: Daniel Lezcano +Signed-off-by: Sasha Levin +--- + tools/thermal/tmon/tmon.h | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/tools/thermal/tmon/tmon.h b/tools/thermal/tmon/tmon.h +index 9e3c49c547ac..7b090a6c95b6 100644 +--- a/tools/thermal/tmon/tmon.h ++++ b/tools/thermal/tmon/tmon.h +@@ -36,6 +36,9 @@ + #define NR_LINES_TZDATA 1 + #define TMON_LOG_FILE "/var/tmp/tmon.log" + ++#include ++#include ++ + extern unsigned long ticktime; + extern double time_elapsed; + extern unsigned long target_temp_user; +-- +2.35.1 + diff --git a/queue-4.19/tools-thermal-fix-possible-path-truncations.patch b/queue-4.19/tools-thermal-fix-possible-path-truncations.patch new file mode 100644 index 00000000000..67695051d6f --- /dev/null +++ b/queue-4.19/tools-thermal-fix-possible-path-truncations.patch @@ -0,0 +1,109 @@ +From 4f7701e0c8eabda84ec24e2486a72f1cb56bd4be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Jul 2022 10:37:54 -0700 +Subject: tools/thermal: Fix possible path truncations + +From: Florian Fainelli + +[ Upstream commit 6c58cf40e3a1d2f47c09d3489857e9476316788a ] + +A build with -D_FORTIFY_SOURCE=2 enabled will produce the following warnings: + +sysfs.c:63:30: warning: '%s' directive output may be truncated writing up to 255 bytes into a region of size between 0 and 255 [-Wformat-truncation=] + snprintf(filepath, 256, "%s/%s", path, filename); + ^~ +Bump up the buffer to PATH_MAX which is the limit and account for all of +the possible NUL and separators that could lead to exceeding the +allocated buffer sizes. + +Fixes: 94f69966faf8 ("tools/thermal: Introduce tmon, a tool for thermal subsystem") +Signed-off-by: Florian Fainelli +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + tools/thermal/tmon/sysfs.c | 24 +++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +diff --git a/tools/thermal/tmon/sysfs.c b/tools/thermal/tmon/sysfs.c +index 18f523557983..1b17cbc54c9d 100644 +--- a/tools/thermal/tmon/sysfs.c ++++ b/tools/thermal/tmon/sysfs.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -42,9 +43,9 @@ int sysfs_set_ulong(char *path, char *filename, unsigned long val) + { + FILE *fd; + int ret = -1; +- char filepath[256]; ++ char filepath[PATH_MAX + 2]; /* NUL and '/' */ + +- snprintf(filepath, 256, "%s/%s", path, filename); ++ snprintf(filepath, sizeof(filepath), "%s/%s", path, filename); + + fd = fopen(filepath, "w"); + if (!fd) { +@@ -66,9 +67,9 @@ static int sysfs_get_ulong(char *path, char *filename, unsigned long *p_ulong) + { + FILE *fd; + int ret = -1; +- char filepath[256]; ++ char filepath[PATH_MAX + 2]; /* NUL and '/' */ + +- snprintf(filepath, 256, "%s/%s", path, filename); ++ snprintf(filepath, sizeof(filepath), "%s/%s", path, filename); + + fd = fopen(filepath, "r"); + if (!fd) { +@@ -85,9 +86,9 @@ static int sysfs_get_string(char *path, char *filename, char *str) + { + FILE *fd; + int ret = -1; +- char filepath[256]; ++ char filepath[PATH_MAX + 2]; /* NUL and '/' */ + +- snprintf(filepath, 256, "%s/%s", path, filename); ++ snprintf(filepath, sizeof(filepath), "%s/%s", path, filename); + + fd = fopen(filepath, "r"); + if (!fd) { +@@ -208,8 +209,8 @@ static int find_tzone_cdev(struct dirent *nl, char *tz_name, + { + unsigned long trip_instance = 0; + char cdev_name_linked[256]; +- char cdev_name[256]; +- char cdev_trip_name[256]; ++ char cdev_name[PATH_MAX]; ++ char cdev_trip_name[PATH_MAX]; + int cdev_id; + + if (nl->d_type == DT_LNK) { +@@ -222,7 +223,8 @@ static int find_tzone_cdev(struct dirent *nl, char *tz_name, + return -EINVAL; + } + /* find the link to real cooling device record binding */ +- snprintf(cdev_name, 256, "%s/%s", tz_name, nl->d_name); ++ snprintf(cdev_name, sizeof(cdev_name) - 2, "%s/%s", ++ tz_name, nl->d_name); + memset(cdev_name_linked, 0, sizeof(cdev_name_linked)); + if (readlink(cdev_name, cdev_name_linked, + sizeof(cdev_name_linked) - 1) != -1) { +@@ -235,8 +237,8 @@ static int find_tzone_cdev(struct dirent *nl, char *tz_name, + /* find the trip point in which the cdev is binded to + * in this tzone + */ +- snprintf(cdev_trip_name, 256, "%s%s", nl->d_name, +- "_trip_point"); ++ snprintf(cdev_trip_name, sizeof(cdev_trip_name) - 1, ++ "%s%s", nl->d_name, "_trip_point"); + sysfs_get_ulong(tz_name, cdev_trip_name, + &trip_instance); + /* validate trip point range, e.g. trip could return -1 +-- +2.35.1 + diff --git a/queue-4.19/tty-n_gsm-fix-dm-command.patch b/queue-4.19/tty-n_gsm-fix-dm-command.patch new file mode 100644 index 00000000000..5bdb7a69764 --- /dev/null +++ b/queue-4.19/tty-n_gsm-fix-dm-command.patch @@ -0,0 +1,42 @@ +From f84b42f6ca383234d2d0cc07c14ac5a049ff6480 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Jul 2022 13:32:21 +0200 +Subject: tty: n_gsm: fix DM command + +From: Daniel Starke + +[ Upstream commit 18a948c7d90995d127785e308fa7b701df4c499f ] + +n_gsm is based on the 3GPP 07.010 and its newer version is the 3GPP 27.010. +See https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=1516 +The changes from 07.010 to 27.010 are non-functional. Therefore, I refer to +the newer 27.010 here. Chapter 5.3.3 defines the DM response. There exists +no DM command. However, the current implementation incorrectly sends DM as +command in case of unexpected UIH frames in gsm_queue(). +Correct this behavior by always sending DM as response. + +Fixes: e1eaea46bb40 ("tty: n_gsm line discipline") +Signed-off-by: Daniel Starke +Link: https://lore.kernel.org/r/20220707113223.3685-2-daniel.starke@siemens.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/n_gsm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c +index 43491df37a2d..727707e02551 100644 +--- a/drivers/tty/n_gsm.c ++++ b/drivers/tty/n_gsm.c +@@ -1892,7 +1892,7 @@ static void gsm_queue(struct gsm_mux *gsm) + goto invalid; + #endif + if (dlci == NULL || dlci->state != DLCI_OPEN) { +- gsm_command(gsm, address, DM|PF); ++ gsm_response(gsm, address, DM|PF); + return; + } + dlci->data(dlci, gsm->buf, gsm->len); +-- +2.35.1 + diff --git a/queue-4.19/tty-n_gsm-fix-missing-corner-cases-in-gsmld_poll.patch b/queue-4.19/tty-n_gsm-fix-missing-corner-cases-in-gsmld_poll.patch new file mode 100644 index 00000000000..f408e475da2 --- /dev/null +++ b/queue-4.19/tty-n_gsm-fix-missing-corner-cases-in-gsmld_poll.patch @@ -0,0 +1,49 @@ +From 821aed7da423c2523dac1a6217de3f35406e18ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Jul 2022 13:32:23 +0200 +Subject: tty: n_gsm: fix missing corner cases in gsmld_poll() + +From: Daniel Starke + +[ Upstream commit 7e5b4322cde067e1d0f1bf8f490e93f664a7c843 ] + +gsmld_poll() currently fails to handle the following corner cases correctly: +- remote party closed the associated tty + +Add the missing checks and map those to EPOLLHUP. +Reorder the checks to group them by their reaction. + +Fixes: e1eaea46bb40 ("tty: n_gsm line discipline") +Signed-off-by: Daniel Starke +Link: https://lore.kernel.org/r/20220707113223.3685-4-daniel.starke@siemens.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/n_gsm.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c +index 727707e02551..f6d2be13b32e 100644 +--- a/drivers/tty/n_gsm.c ++++ b/drivers/tty/n_gsm.c +@@ -2561,12 +2561,15 @@ static __poll_t gsmld_poll(struct tty_struct *tty, struct file *file, + + poll_wait(file, &tty->read_wait, wait); + poll_wait(file, &tty->write_wait, wait); ++ ++ if (gsm->dead) ++ mask |= EPOLLHUP; + if (tty_hung_up_p(file)) + mask |= EPOLLHUP; ++ if (test_bit(TTY_OTHER_CLOSED, &tty->flags)) ++ mask |= EPOLLHUP; + if (!tty_is_writelocked(tty) && tty_write_room(tty) > 0) + mask |= EPOLLOUT | EPOLLWRNORM; +- if (gsm->dead) +- mask |= EPOLLHUP; + return mask; + } + +-- +2.35.1 + diff --git a/queue-4.19/tty-n_gsm-fix-non-flow-control-frames-during-mux-flo.patch b/queue-4.19/tty-n_gsm-fix-non-flow-control-frames-during-mux-flo.patch new file mode 100644 index 00000000000..a3e0d0807e1 --- /dev/null +++ b/queue-4.19/tty-n_gsm-fix-non-flow-control-frames-during-mux-flo.patch @@ -0,0 +1,116 @@ +From cf37ad682b505b3e49d3410d40b5b1418e98b291 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Jul 2022 08:16:48 +0200 +Subject: tty: n_gsm: fix non flow control frames during mux flow off + +From: Daniel Starke + +[ Upstream commit bec0224816d19abe4fe503586d16d51890540615 ] + +n_gsm is based on the 3GPP 07.010 and its newer version is the 3GPP 27.010. +See https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=1516 +The changes from 07.010 to 27.010 are non-functional. Therefore, I refer to +the newer 27.010 here. Chapter 5.4.6.3.6 states that FCoff stops the +transmission on all channels except the control channel. This is already +implemented in gsm_data_kick(). However, chapter 5.4.8.1 explains that this +shall result in the same behavior as software flow control on the ldisc in +advanced option mode. That means only flow control frames shall be sent +during flow off. The current implementation does not consider this case. + +Change gsm_data_kick() to send only flow control frames if constipated to +abide the standard. gsm_read_ea_val() and gsm_is_flow_ctrl_msg() are +introduced as helper functions for this. +It is planned to use gsm_read_ea_val() in later code cleanups for other +functions, too. + +Fixes: c01af4fec2c8 ("n_gsm : Flow control handling in Mux driver") +Signed-off-by: Daniel Starke +Link: https://lore.kernel.org/r/20220701061652.39604-5-daniel.starke@siemens.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/n_gsm.c | 54 ++++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 53 insertions(+), 1 deletion(-) + +diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c +index 5d2bb4d95186..baadac224c8d 100644 +--- a/drivers/tty/n_gsm.c ++++ b/drivers/tty/n_gsm.c +@@ -410,6 +410,27 @@ static int gsm_read_ea(unsigned int *val, u8 c) + return c & EA; + } + ++/** ++ * gsm_read_ea_val - read a value until EA ++ * @val: variable holding value ++ * @data: buffer of data ++ * @dlen: length of data ++ * ++ * Processes an EA value. Updates the passed variable and ++ * returns the processed data length. ++ */ ++static unsigned int gsm_read_ea_val(unsigned int *val, const u8 *data, int dlen) ++{ ++ unsigned int len = 0; ++ ++ for (; dlen > 0; dlen--) { ++ len++; ++ if (gsm_read_ea(val, *data++)) ++ break; ++ } ++ return len; ++} ++ + /** + * gsm_encode_modem - encode modem data bits + * @dlci: DLCI to encode from +@@ -657,6 +678,37 @@ static struct gsm_msg *gsm_data_alloc(struct gsm_mux *gsm, u8 addr, int len, + return m; + } + ++/** ++ * gsm_is_flow_ctrl_msg - checks if flow control message ++ * @msg: message to check ++ * ++ * Returns true if the given message is a flow control command of the ++ * control channel. False is returned in any other case. ++ */ ++static bool gsm_is_flow_ctrl_msg(struct gsm_msg *msg) ++{ ++ unsigned int cmd; ++ ++ if (msg->addr > 0) ++ return false; ++ ++ switch (msg->ctrl & ~PF) { ++ case UI: ++ case UIH: ++ cmd = 0; ++ if (gsm_read_ea_val(&cmd, msg->data + 2, msg->len - 2) < 1) ++ break; ++ switch (cmd & ~PF) { ++ case CMD_FCOFF: ++ case CMD_FCON: ++ return true; ++ } ++ break; ++ } ++ ++ return false; ++} ++ + /** + * gsm_data_kick - poke the queue + * @gsm: GSM Mux +@@ -675,7 +727,7 @@ static void gsm_data_kick(struct gsm_mux *gsm, struct gsm_dlci *dlci) + int len; + + list_for_each_entry_safe(msg, nmsg, &gsm->tx_list, list) { +- if (gsm->constipated && msg->addr) ++ if (gsm->constipated && !gsm_is_flow_ctrl_msg(msg)) + continue; + if (gsm->encoding != 0) { + gsm->txframe[0] = GSM1_SOF; +-- +2.35.1 + diff --git a/queue-4.19/tty-n_gsm-fix-packet-re-transmission-without-open-co.patch b/queue-4.19/tty-n_gsm-fix-packet-re-transmission-without-open-co.patch new file mode 100644 index 00000000000..6b40caf4688 --- /dev/null +++ b/queue-4.19/tty-n_gsm-fix-packet-re-transmission-without-open-co.patch @@ -0,0 +1,40 @@ +From 9944c28584532edb15a04b1522414f009f48708d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Jul 2022 08:16:50 +0200 +Subject: tty: n_gsm: fix packet re-transmission without open control channel + +From: Daniel Starke + +[ Upstream commit 4fae831b3a71fc5a44cc5c7d0b8c1267ee7659f5 ] + +In the current implementation control packets are re-transmitted even if +the control channel closed down during T2. This is wrong. +Check whether the control channel is open before re-transmitting any +packets. Note that control channel open/close is handled by T1 and not T2 +and remains unaffected by this. + +Fixes: e1eaea46bb40 ("tty: n_gsm line discipline") +Signed-off-by: Daniel Starke +Link: https://lore.kernel.org/r/20220701061652.39604-7-daniel.starke@siemens.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/n_gsm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c +index baadac224c8d..2c34a024b75f 100644 +--- a/drivers/tty/n_gsm.c ++++ b/drivers/tty/n_gsm.c +@@ -1382,7 +1382,7 @@ static void gsm_control_retransmit(struct timer_list *t) + spin_lock_irqsave(&gsm->control_lock, flags); + ctrl = gsm->pending_cmd; + if (ctrl) { +- if (gsm->cretries == 0) { ++ if (gsm->cretries == 0 || !gsm->dlci[0] || gsm->dlci[0]->dead) { + gsm->pending_cmd = NULL; + ctrl->error = -ETIMEDOUT; + ctrl->done = 1; +-- +2.35.1 + diff --git a/queue-4.19/tty-n_gsm-fix-race-condition-in-gsmld_write.patch b/queue-4.19/tty-n_gsm-fix-race-condition-in-gsmld_write.patch new file mode 100644 index 00000000000..5a39bffd74b --- /dev/null +++ b/queue-4.19/tty-n_gsm-fix-race-condition-in-gsmld_write.patch @@ -0,0 +1,62 @@ +From d55d2720fc63d9316cec0b7bb8b553d549649f50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Jul 2022 08:16:52 +0200 +Subject: tty: n_gsm: fix race condition in gsmld_write() + +From: Daniel Starke + +[ Upstream commit 32dd59f96924f45e33bc79854f7a00679c0fa28e ] + +The function may be used by the user directly and also by the n_gsm +internal functions. They can lead into a race condition which results in +interleaved frames if both are writing at the same time. The receiving side +is not able to decode those interleaved frames correctly. + +Add a lock around the low side tty write to avoid race conditions and frame +interleaving between user originated writes and n_gsm writes. + +Fixes: e1eaea46bb40 ("tty: n_gsm line discipline") +Signed-off-by: Daniel Starke +Link: https://lore.kernel.org/r/20220701061652.39604-9-daniel.starke@siemens.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/n_gsm.c | 21 +++++++++++++++++---- + 1 file changed, 17 insertions(+), 4 deletions(-) + +diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c +index 2c34a024b75f..3d45999fad1b 100644 +--- a/drivers/tty/n_gsm.c ++++ b/drivers/tty/n_gsm.c +@@ -2519,11 +2519,24 @@ static ssize_t gsmld_read(struct tty_struct *tty, struct file *file, + static ssize_t gsmld_write(struct tty_struct *tty, struct file *file, + const unsigned char *buf, size_t nr) + { +- int space = tty_write_room(tty); ++ struct gsm_mux *gsm = tty->disc_data; ++ unsigned long flags; ++ int space; ++ int ret; ++ ++ if (!gsm) ++ return -ENODEV; ++ ++ ret = -ENOBUFS; ++ spin_lock_irqsave(&gsm->tx_lock, flags); ++ space = tty_write_room(tty); + if (space >= nr) +- return tty->ops->write(tty, buf, nr); +- set_bit(TTY_DO_WRITE_WAKEUP, &tty->flags); +- return -ENOBUFS; ++ ret = tty->ops->write(tty, buf, nr); ++ else ++ set_bit(TTY_DO_WRITE_WAKEUP, &tty->flags); ++ spin_unlock_irqrestore(&gsm->tx_lock, flags); ++ ++ return ret; + } + + /** +-- +2.35.1 + diff --git a/queue-4.19/tty-n_gsm-fix-wrong-t1-retry-count-handling.patch b/queue-4.19/tty-n_gsm-fix-wrong-t1-retry-count-handling.patch new file mode 100644 index 00000000000..3e6ac67b4da --- /dev/null +++ b/queue-4.19/tty-n_gsm-fix-wrong-t1-retry-count-handling.patch @@ -0,0 +1,55 @@ +From 1f93c2f3a950295e3695e2f0073ce9effe76d18a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Jul 2022 13:32:20 +0200 +Subject: tty: n_gsm: fix wrong T1 retry count handling + +From: Daniel Starke + +[ Upstream commit f30e10caa80aa1f35508bc17fc302dbbde9a833c ] + +n_gsm is based on the 3GPP 07.010 and its newer version is the 3GPP 27.010. +See https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=1516 +The changes from 07.010 to 27.010 are non-functional. Therefore, I refer to +the newer 27.010 here. Chapter 5.7.3 states that the valid range for the +maximum number of retransmissions (N2) is from 0 to 255 (both including). +gsm_dlci_t1() handles this number incorrectly by performing N2 - 1 +retransmission attempts. Setting N2 to zero results in more than 255 +retransmission attempts. +Fix gsm_dlci_t1() to comply with 3GPP 27.010. + +Fixes: e1eaea46bb40 ("tty: n_gsm line discipline") +Signed-off-by: Daniel Starke +Link: https://lore.kernel.org/r/20220707113223.3685-1-daniel.starke@siemens.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/n_gsm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c +index 3d45999fad1b..43491df37a2d 100644 +--- a/drivers/tty/n_gsm.c ++++ b/drivers/tty/n_gsm.c +@@ -1534,8 +1534,8 @@ static void gsm_dlci_t1(struct timer_list *t) + + switch (dlci->state) { + case DLCI_OPENING: +- dlci->retries--; + if (dlci->retries) { ++ dlci->retries--; + gsm_command(dlci->gsm, dlci->addr, SABM|PF); + mod_timer(&dlci->t1, jiffies + gsm->t1 * HZ / 100); + } else if (!dlci->addr && gsm->control == (DM | PF)) { +@@ -1550,8 +1550,8 @@ static void gsm_dlci_t1(struct timer_list *t) + + break; + case DLCI_CLOSING: +- dlci->retries--; + if (dlci->retries) { ++ dlci->retries--; + gsm_command(dlci->gsm, dlci->addr, DISC|PF); + mod_timer(&dlci->t1, jiffies + gsm->t1 * HZ / 100); + } else +-- +2.35.1 + diff --git a/queue-4.19/usb-gadget-udc-amd5536-depends-on-has_dma.patch b/queue-4.19/usb-gadget-udc-amd5536-depends-on-has_dma.patch new file mode 100644 index 00000000000..d8d29f5a855 --- /dev/null +++ b/queue-4.19/usb-gadget-udc-amd5536-depends-on-has_dma.patch @@ -0,0 +1,49 @@ +From 888df67804defb21487ac157a8180415fcb00735 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Jul 2022 18:36:01 -0700 +Subject: usb: gadget: udc: amd5536 depends on HAS_DMA + +From: Randy Dunlap + +[ Upstream commit 8097cf2fb3b2205257f1c76f4808e3398d66b6d9 ] + +USB_AMD5536UDC should depend on HAS_DMA since it selects USB_SNP_CORE, +which depends on HAS_DMA and since 'select' does not follow any +dependency chains. + +Fixes this kconfig warning: + +WARNING: unmet direct dependencies detected for USB_SNP_CORE + Depends on [n]: USB_SUPPORT [=y] && USB_GADGET [=y] && (USB_AMD5536UDC [=y] || USB_SNP_UDC_PLAT [=n]) && HAS_DMA [=n] + Selected by [y]: + - USB_AMD5536UDC [=y] && USB_SUPPORT [=y] && USB_GADGET [=y] && USB_PCI [=y] + +Fixes: 97b3ffa233b9 ("usb: gadget: udc: amd5536: split core and PCI layer") +Cc: Raviteja Garimella +Cc: Felipe Balbi +Cc: linux-usb@vger.kernel.org +Cc: Greg Kroah-Hartman +Signed-off-by: Randy Dunlap +Link: https://lore.kernel.org/r/20220709013601.7536-1-rdunlap@infradead.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/udc/Kconfig b/drivers/usb/gadget/udc/Kconfig +index d83d93c6ef9e..33b5648b2819 100644 +--- a/drivers/usb/gadget/udc/Kconfig ++++ b/drivers/usb/gadget/udc/Kconfig +@@ -309,7 +309,7 @@ source "drivers/usb/gadget/udc/bdc/Kconfig" + + config USB_AMD5536UDC + tristate "AMD5536 UDC" +- depends on USB_PCI ++ depends on USB_PCI && HAS_DMA + select USB_SNP_CORE + help + The AMD5536 UDC is part of the AMD Geode CS5536, an x86 southbridge. +-- +2.35.1 + diff --git a/queue-4.19/usb-host-fix-refcount-leak-in-ehci_hcd_ppc_of_probe.patch b/queue-4.19/usb-host-fix-refcount-leak-in-ehci_hcd_ppc_of_probe.patch new file mode 100644 index 00000000000..7acc55a54fb --- /dev/null +++ b/queue-4.19/usb-host-fix-refcount-leak-in-ehci_hcd_ppc_of_probe.patch @@ -0,0 +1,38 @@ +From 17b4f8278c455eb7dad4475e256660ad6eea3fd7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jun 2022 15:08:49 +0400 +Subject: usb: host: Fix refcount leak in ehci_hcd_ppc_of_probe + +From: Miaoqian Lin + +[ Upstream commit b5c5b13cb45e2c88181308186b0001992cb41954 ] + +of_find_compatible_node() returns a node pointer with refcount +incremented, we should use of_node_put() on it when done. +Add missing of_node_put() to avoid refcount leak. + +Fixes: 796bcae7361c ("USB: powerpc: Workaround for the PPC440EPX USBH_23 errata [take 3]") +Acked-by: Alan Stern +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220602110849.58549-1-linmq006@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/ehci-ppc-of.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/usb/host/ehci-ppc-of.c b/drivers/usb/host/ehci-ppc-of.c +index 576f7d79ad4e..d1dc644b215c 100644 +--- a/drivers/usb/host/ehci-ppc-of.c ++++ b/drivers/usb/host/ehci-ppc-of.c +@@ -148,6 +148,7 @@ static int ehci_hcd_ppc_of_probe(struct platform_device *op) + } else { + ehci->has_amcc_usb23 = 1; + } ++ of_node_put(np); + } + + if (of_get_property(dn, "big-endian", NULL)) { +-- +2.35.1 + diff --git a/queue-4.19/usb-ohci-nxp-fix-refcount-leak-in-ohci_hcd_nxp_probe.patch b/queue-4.19/usb-ohci-nxp-fix-refcount-leak-in-ohci_hcd_nxp_probe.patch new file mode 100644 index 00000000000..4a20c559041 --- /dev/null +++ b/queue-4.19/usb-ohci-nxp-fix-refcount-leak-in-ohci_hcd_nxp_probe.patch @@ -0,0 +1,38 @@ +From d3f842ddc7dd7f8c4bb2bc7a9249941acf2c5eca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jun 2022 18:12:30 +0400 +Subject: usb: ohci-nxp: Fix refcount leak in ohci_hcd_nxp_probe + +From: Miaoqian Lin + +[ Upstream commit 302970b4cad3ebfda2c05ce06c322ccdc447d17e ] + +of_parse_phandle() returns a node pointer with refcount +incremented, we should use of_node_put() on it when not need anymore. +Add missing of_node_put() to avoid refcount leak. + +Fixes: 73108aa90cbf ("USB: ohci-nxp: Use isp1301 driver") +Acked-by: Alan Stern +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220603141231.979-1-linmq006@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/ohci-nxp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/usb/host/ohci-nxp.c b/drivers/usb/host/ohci-nxp.c +index f5f532601092..a964a93ff35b 100644 +--- a/drivers/usb/host/ohci-nxp.c ++++ b/drivers/usb/host/ohci-nxp.c +@@ -153,6 +153,7 @@ static int ohci_hcd_nxp_probe(struct platform_device *pdev) + } + + isp1301_i2c_client = isp1301_get_client(isp1301_node); ++ of_node_put(isp1301_node); + if (!isp1301_i2c_client) + return -EPROBE_DEFER; + +-- +2.35.1 + diff --git a/queue-4.19/usb-serial-fix-tty-port-initialized-comments.patch b/queue-4.19/usb-serial-fix-tty-port-initialized-comments.patch new file mode 100644 index 00000000000..be7a5f1560e --- /dev/null +++ b/queue-4.19/usb-serial-fix-tty-port-initialized-comments.patch @@ -0,0 +1,66 @@ +From 6bd2c2063b7bc82d8d5275fa4ec1d45735cd74cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Jul 2022 10:44:57 +0200 +Subject: USB: serial: fix tty-port initialized comments + +From: Johan Hovold + +[ Upstream commit 688ee1d1785c1359f9040f615dd8e6054962bce2 ] + +Fix up the tty-port initialized comments which got truncated and +obfuscated when replacing the old ASYNCB_INITIALIZED flag. + +Fixes: d41861ca19c9 ("tty: Replace ASYNC_INITIALIZED bit and update atomically") +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Sasha Levin +--- + drivers/usb/serial/sierra.c | 3 ++- + drivers/usb/serial/usb-serial.c | 2 +- + drivers/usb/serial/usb_wwan.c | 3 ++- + 3 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/usb/serial/sierra.c b/drivers/usb/serial/sierra.c +index a43263a0edd8..891e52bc5002 100644 +--- a/drivers/usb/serial/sierra.c ++++ b/drivers/usb/serial/sierra.c +@@ -757,7 +757,8 @@ static void sierra_close(struct usb_serial_port *port) + + /* + * Need to take susp_lock to make sure port is not already being +- * resumed, but no need to hold it due to initialized ++ * resumed, but no need to hold it due to the tty-port initialized ++ * flag. + */ + spin_lock_irq(&intfdata->susp_lock); + if (--intfdata->open_ports == 0) +diff --git a/drivers/usb/serial/usb-serial.c b/drivers/usb/serial/usb-serial.c +index b1f0aa12ba39..eb4f20651186 100644 +--- a/drivers/usb/serial/usb-serial.c ++++ b/drivers/usb/serial/usb-serial.c +@@ -251,7 +251,7 @@ static int serial_open(struct tty_struct *tty, struct file *filp) + * + * Shut down a USB serial port. Serialized against activate by the + * tport mutex and kept to matching open/close pairs +- * of calls by the initialized flag. ++ * of calls by the tty-port initialized flag. + * + * Not called if tty is console. + */ +diff --git a/drivers/usb/serial/usb_wwan.c b/drivers/usb/serial/usb_wwan.c +index 997ff88ec04b..2ebf0842fa43 100644 +--- a/drivers/usb/serial/usb_wwan.c ++++ b/drivers/usb/serial/usb_wwan.c +@@ -463,7 +463,8 @@ void usb_wwan_close(struct usb_serial_port *port) + + /* + * Need to take susp_lock to make sure port is not already being +- * resumed, but no need to hold it due to initialized ++ * resumed, but no need to hold it due to the tty-port initialized ++ * flag. + */ + spin_lock_irq(&intfdata->susp_lock); + if (--intfdata->open_ports == 0) +-- +2.35.1 + diff --git a/queue-4.19/vfio-ccw-do-not-change-fsm-state-in-subchannel-event.patch b/queue-4.19/vfio-ccw-do-not-change-fsm-state-in-subchannel-event.patch new file mode 100644 index 00000000000..0a66b7a50b8 --- /dev/null +++ b/queue-4.19/vfio-ccw-do-not-change-fsm-state-in-subchannel-event.patch @@ -0,0 +1,61 @@ +From 626d5fbe1d3355bee75a624872bbfe4ae1a9f0fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Jul 2022 15:57:29 +0200 +Subject: vfio/ccw: Do not change FSM state in subchannel event + +From: Eric Farman + +[ Upstream commit cffcc109fd682075dee79bade3d60a07152a8fd1 ] + +The routine vfio_ccw_sch_event() is tasked with handling subchannel events, +specifically machine checks, on behalf of vfio-ccw. It correctly calls +cio_update_schib(), and if that fails (meaning the subchannel is gone) +it makes an FSM event call to mark the subchannel Not Operational. + +If that worked, however, then it decides that if the FSM state was already +Not Operational (implying the subchannel just came back), then it should +simply change the FSM to partially- or fully-open. + +Remove this trickery, since a subchannel returning will require more +probing than simply "oh all is well again" to ensure it works correctly. + +Fixes: bbe37e4cb8970 ("vfio: ccw: introduce a finite state machine") +Signed-off-by: Eric Farman +Reviewed-by: Matthew Rosato +Link: https://lore.kernel.org/r/20220707135737.720765-4-farman@linux.ibm.com +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/s390/cio/vfio_ccw_drv.c | 14 +++----------- + 1 file changed, 3 insertions(+), 11 deletions(-) + +diff --git a/drivers/s390/cio/vfio_ccw_drv.c b/drivers/s390/cio/vfio_ccw_drv.c +index 7a06cdff6572..862b0eb0fe6d 100644 +--- a/drivers/s390/cio/vfio_ccw_drv.c ++++ b/drivers/s390/cio/vfio_ccw_drv.c +@@ -205,19 +205,11 @@ static int vfio_ccw_sch_event(struct subchannel *sch, int process) + if (work_pending(&sch->todo_work)) + goto out_unlock; + +- if (cio_update_schib(sch)) { +- vfio_ccw_fsm_event(private, VFIO_CCW_EVENT_NOT_OPER); +- rc = 0; +- goto out_unlock; +- } +- +- private = dev_get_drvdata(&sch->dev); +- if (private->state == VFIO_CCW_STATE_NOT_OPER) { +- private->state = private->mdev ? VFIO_CCW_STATE_IDLE : +- VFIO_CCW_STATE_STANDBY; +- } + rc = 0; + ++ if (cio_update_schib(sch)) ++ vfio_ccw_fsm_event(private, VFIO_CCW_EVENT_NOT_OPER); ++ + out_unlock: + spin_unlock_irqrestore(sch->lock, flags); + +-- +2.35.1 + diff --git a/queue-4.19/video-fbdev-amba-clcd-fix-refcount-leak-bugs.patch b/queue-4.19/video-fbdev-amba-clcd-fix-refcount-leak-bugs.patch new file mode 100644 index 00000000000..8b694c07bd4 --- /dev/null +++ b/queue-4.19/video-fbdev-amba-clcd-fix-refcount-leak-bugs.patch @@ -0,0 +1,82 @@ +From e534ba43276f441148d0d801755d69686159c368 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Jul 2022 16:25:46 +0800 +Subject: video: fbdev: amba-clcd: Fix refcount leak bugs + +From: Liang He + +[ Upstream commit 26c2b7d9fac42eb8317f3ceefa4c1a9a9170ca69 ] + +In clcdfb_of_init_display(), we should call of_node_put() for the +references returned by of_graph_get_next_endpoint() and +of_graph_get_remote_port_parent() which have increased the refcount. + +Besides, we should call of_node_put() both in fail path or when +the references are not used anymore. + +Fixes: d10715be03bd ("video: ARM CLCD: Add DT support") +Signed-off-by: Liang He +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/amba-clcd.c | 24 ++++++++++++++++++------ + 1 file changed, 18 insertions(+), 6 deletions(-) + +diff --git a/drivers/video/fbdev/amba-clcd.c b/drivers/video/fbdev/amba-clcd.c +index 549f78e77255..81f64ef6fa4c 100644 +--- a/drivers/video/fbdev/amba-clcd.c ++++ b/drivers/video/fbdev/amba-clcd.c +@@ -772,8 +772,10 @@ static int clcdfb_of_init_display(struct clcd_fb *fb) + return -ENODEV; + + panel = of_graph_get_remote_port_parent(endpoint); +- if (!panel) +- return -ENODEV; ++ if (!panel) { ++ err = -ENODEV; ++ goto out_endpoint_put; ++ } + + if (fb->vendor->init_panel) { + err = fb->vendor->init_panel(fb, panel); +@@ -783,11 +785,11 @@ static int clcdfb_of_init_display(struct clcd_fb *fb) + + err = clcdfb_of_get_backlight(panel, fb->panel); + if (err) +- return err; ++ goto out_panel_put; + + err = clcdfb_of_get_mode(&fb->dev->dev, panel, fb->panel); + if (err) +- return err; ++ goto out_panel_put; + + err = of_property_read_u32(fb->dev->dev.of_node, "max-memory-bandwidth", + &max_bandwidth); +@@ -816,11 +818,21 @@ static int clcdfb_of_init_display(struct clcd_fb *fb) + + if (of_property_read_u32_array(endpoint, + "arm,pl11x,tft-r0g0b0-pads", +- tft_r0b0g0, ARRAY_SIZE(tft_r0b0g0)) != 0) +- return -ENOENT; ++ tft_r0b0g0, ARRAY_SIZE(tft_r0b0g0)) != 0) { ++ err = -ENOENT; ++ goto out_panel_put; ++ } ++ ++ of_node_put(panel); ++ of_node_put(endpoint); + + return clcdfb_of_init_tft_panel(fb, tft_r0b0g0[0], + tft_r0b0g0[1], tft_r0b0g0[2]); ++out_panel_put: ++ of_node_put(panel); ++out_endpoint_put: ++ of_node_put(endpoint); ++ return err; + } + + static int clcdfb_of_vram_setup(struct clcd_fb *fb) +-- +2.35.1 + diff --git a/queue-4.19/video-fbdev-arkfb-check-the-size-of-screen-before-me.patch b/queue-4.19/video-fbdev-arkfb-check-the-size-of-screen-before-me.patch new file mode 100644 index 00000000000..651ea2c96bb --- /dev/null +++ b/queue-4.19/video-fbdev-arkfb-check-the-size-of-screen-before-me.patch @@ -0,0 +1,50 @@ +From 7f13c97e77a59e4eec38f115b82e0b140fba3399 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Aug 2022 20:41:24 +0800 +Subject: video: fbdev: arkfb: Check the size of screen before memset_io() + +From: Zheyu Ma + +[ Upstream commit 96b550971c65d54d64728d8ba973487878a06454 ] + +In the function arkfb_set_par(), the value of 'screen_size' is +calculated by the user input. If the user provides the improper value, +the value of 'screen_size' may larger than 'info->screen_size', which +may cause the following bug: + +[ 659.399066] BUG: unable to handle page fault for address: ffffc90003000000 +[ 659.399077] #PF: supervisor write access in kernel mode +[ 659.399079] #PF: error_code(0x0002) - not-present page +[ 659.399094] RIP: 0010:memset_orig+0x33/0xb0 +[ 659.399116] Call Trace: +[ 659.399122] arkfb_set_par+0x143f/0x24c0 +[ 659.399130] fb_set_var+0x604/0xeb0 +[ 659.399161] do_fb_ioctl+0x234/0x670 +[ 659.399189] fb_ioctl+0xdd/0x130 + +Fix the this by checking the value of 'screen_size' before memset_io(). + +Fixes: 681e14730c73 ("arkfb: new framebuffer driver for ARK Logic cards") +Signed-off-by: Zheyu Ma +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/arkfb.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/video/fbdev/arkfb.c b/drivers/video/fbdev/arkfb.c +index bfa221b68d71..f7920987dd24 100644 +--- a/drivers/video/fbdev/arkfb.c ++++ b/drivers/video/fbdev/arkfb.c +@@ -794,6 +794,8 @@ static int arkfb_set_par(struct fb_info *info) + value = ((value * hmul / hdiv) / 8) - 5; + vga_wcrt(par->state.vgabase, 0x42, (value + 1) / 2); + ++ if (screen_size > info->screen_size) ++ screen_size = info->screen_size; + memset_io(info->screen_base, 0x00, screen_size); + /* Device and screen back on */ + svga_wcrt_mask(par->state.vgabase, 0x17, 0x80, 0x80); +-- +2.35.1 + diff --git a/queue-4.19/video-fbdev-arkfb-fix-a-divide-by-zero-bug-in-ark_se.patch b/queue-4.19/video-fbdev-arkfb-fix-a-divide-by-zero-bug-in-ark_se.patch new file mode 100644 index 00000000000..8185ff7baab --- /dev/null +++ b/queue-4.19/video-fbdev-arkfb-fix-a-divide-by-zero-bug-in-ark_se.patch @@ -0,0 +1,59 @@ +From b084bcc8a8be629fa2944ea96b091644754c7ead Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Aug 2022 17:23:12 +0800 +Subject: video: fbdev: arkfb: Fix a divide-by-zero bug in ark_set_pixclock() + +From: Zheyu Ma + +[ Upstream commit 2f1c4523f7a3aaabe7e53d3ebd378292947e95c8 ] + +Since the user can control the arguments of the ioctl() from the user +space, under special arguments that may result in a divide-by-zero bug +in: + drivers/video/fbdev/arkfb.c:784: ark_set_pixclock(info, (hdiv * info->var.pixclock) / hmul); +with hdiv=1, pixclock=1 and hmul=2 you end up with (1*1)/2 = (int) 0. +and then in: + drivers/video/fbdev/arkfb.c:504: rv = dac_set_freq(par->dac, 0, 1000000000 / pixclock); +we'll get a division-by-zero. + +The following log can reveal it: + +divide error: 0000 [#1] PREEMPT SMP KASAN PTI +RIP: 0010:ark_set_pixclock drivers/video/fbdev/arkfb.c:504 [inline] +RIP: 0010:arkfb_set_par+0x10fc/0x24c0 drivers/video/fbdev/arkfb.c:784 +Call Trace: + fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1034 + do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1110 + fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1189 + +Fix this by checking the argument of ark_set_pixclock() first. + +Fixes: 681e14730c73 ("arkfb: new framebuffer driver for ARK Logic cards") +Signed-off-by: Zheyu Ma +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/arkfb.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/arkfb.c b/drivers/video/fbdev/arkfb.c +index 13ba371e70aa..bfa221b68d71 100644 +--- a/drivers/video/fbdev/arkfb.c ++++ b/drivers/video/fbdev/arkfb.c +@@ -778,7 +778,12 @@ static int arkfb_set_par(struct fb_info *info) + return -EINVAL; + } + +- ark_set_pixclock(info, (hdiv * info->var.pixclock) / hmul); ++ value = (hdiv * info->var.pixclock) / hmul; ++ if (!value) { ++ fb_dbg(info, "invalid pixclock\n"); ++ value = 1; ++ } ++ ark_set_pixclock(info, value); + svga_set_timings(par->state.vgabase, &ark_timing_regs, &(info->var), hmul, hdiv, + (info->var.vmode & FB_VMODE_DOUBLE) ? 2 : 1, + (info->var.vmode & FB_VMODE_INTERLACED) ? 2 : 1, +-- +2.35.1 + diff --git a/queue-4.19/video-fbdev-s3fb-check-the-size-of-screen-before-mem.patch b/queue-4.19/video-fbdev-s3fb-check-the-size-of-screen-before-mem.patch new file mode 100644 index 00000000000..f9c37e44993 --- /dev/null +++ b/queue-4.19/video-fbdev-s3fb-check-the-size-of-screen-before-mem.patch @@ -0,0 +1,49 @@ +From 9e6805094113e84cbe125ade2ab560bd1f70a2e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Aug 2022 20:41:25 +0800 +Subject: video: fbdev: s3fb: Check the size of screen before memset_io() + +From: Zheyu Ma + +[ Upstream commit 6ba592fa014f21f35a8ee8da4ca7b95a018f13e8 ] + +In the function s3fb_set_par(), the value of 'screen_size' is +calculated by the user input. If the user provides the improper value, +the value of 'screen_size' may larger than 'info->screen_size', which +may cause the following bug: + +[ 54.083733] BUG: unable to handle page fault for address: ffffc90003000000 +[ 54.083742] #PF: supervisor write access in kernel mode +[ 54.083744] #PF: error_code(0x0002) - not-present page +[ 54.083760] RIP: 0010:memset_orig+0x33/0xb0 +[ 54.083782] Call Trace: +[ 54.083788] s3fb_set_par+0x1ec6/0x4040 +[ 54.083806] fb_set_var+0x604/0xeb0 +[ 54.083836] do_fb_ioctl+0x234/0x670 + +Fix the this by checking the value of 'screen_size' before memset_io(). + +Fixes: a268422de8bf ("fbdev driver for S3 Trio/Virge") +Signed-off-by: Zheyu Ma +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/s3fb.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/video/fbdev/s3fb.c b/drivers/video/fbdev/s3fb.c +index d63f23e26f7d..b17b806b4187 100644 +--- a/drivers/video/fbdev/s3fb.c ++++ b/drivers/video/fbdev/s3fb.c +@@ -902,6 +902,8 @@ static int s3fb_set_par(struct fb_info *info) + value = clamp((htotal + hsstart + 1) / 2 + 2, hsstart + 4, htotal + 1); + svga_wcrt_multi(par->state.vgabase, s3_dtpc_regs, value); + ++ if (screen_size > info->screen_size) ++ screen_size = info->screen_size; + memset_io(info->screen_base, 0x00, screen_size); + /* Device and screen back on */ + svga_wcrt_mask(par->state.vgabase, 0x17, 0x80, 0x80); +-- +2.35.1 + diff --git a/queue-4.19/video-fbdev-sis-fix-typos-in-sis_getmodeid.patch b/queue-4.19/video-fbdev-sis-fix-typos-in-sis_getmodeid.patch new file mode 100644 index 00000000000..927f1f61fde --- /dev/null +++ b/queue-4.19/video-fbdev-sis-fix-typos-in-sis_getmodeid.patch @@ -0,0 +1,47 @@ +From 126c307132eee7903b0a0fa24b55d74fb62ed600 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Jul 2022 15:43:43 +0300 +Subject: video: fbdev: sis: fix typos in SiS_GetModeID() + +From: Rustam Subkhankulov + +[ Upstream commit 3eb8fccc244bfb41a7961969e4db280d44911226 ] + +The second operand of a '&&' operator has no impact on expression +result for cases 400 and 512 in SiS_GetModeID(). + +Judging by the logic and the names of the variables, in both cases a +typo was made. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Signed-off-by: Rustam Subkhankulov +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/sis/init.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/video/fbdev/sis/init.c b/drivers/video/fbdev/sis/init.c +index fde27feae5d0..d6b2ce95a859 100644 +--- a/drivers/video/fbdev/sis/init.c ++++ b/drivers/video/fbdev/sis/init.c +@@ -355,12 +355,12 @@ SiS_GetModeID(int VGAEngine, unsigned int VBFlags, int HDisplay, int VDisplay, + } + break; + case 400: +- if((!(VBFlags & CRT1_LCDA)) || ((LCDwidth >= 800) && (LCDwidth >= 600))) { ++ if((!(VBFlags & CRT1_LCDA)) || ((LCDwidth >= 800) && (LCDheight >= 600))) { + if(VDisplay == 300) ModeIndex = ModeIndex_400x300[Depth]; + } + break; + case 512: +- if((!(VBFlags & CRT1_LCDA)) || ((LCDwidth >= 1024) && (LCDwidth >= 768))) { ++ if((!(VBFlags & CRT1_LCDA)) || ((LCDwidth >= 1024) && (LCDheight >= 768))) { + if(VDisplay == 384) ModeIndex = ModeIndex_512x384[Depth]; + } + break; +-- +2.35.1 + diff --git a/queue-4.19/video-fbdev-vt8623fb-check-the-size-of-screen-before.patch b/queue-4.19/video-fbdev-vt8623fb-check-the-size-of-screen-before.patch new file mode 100644 index 00000000000..d6173e06e82 --- /dev/null +++ b/queue-4.19/video-fbdev-vt8623fb-check-the-size-of-screen-before.patch @@ -0,0 +1,50 @@ +From a4b75d616af34a8d42504f8b0412e04729b0b509 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Aug 2022 20:41:23 +0800 +Subject: video: fbdev: vt8623fb: Check the size of screen before memset_io() + +From: Zheyu Ma + +[ Upstream commit ec0754c60217248fa77cc9005d66b2b55200ac06 ] + +In the function vt8623fb_set_par(), the value of 'screen_size' is +calculated by the user input. If the user provides the improper value, +the value of 'screen_size' may larger than 'info->screen_size', which +may cause the following bug: + +[ 583.339036] BUG: unable to handle page fault for address: ffffc90005000000 +[ 583.339049] #PF: supervisor write access in kernel mode +[ 583.339052] #PF: error_code(0x0002) - not-present page +[ 583.339074] RIP: 0010:memset_orig+0x33/0xb0 +[ 583.339110] Call Trace: +[ 583.339118] vt8623fb_set_par+0x11cd/0x21e0 +[ 583.339146] fb_set_var+0x604/0xeb0 +[ 583.339181] do_fb_ioctl+0x234/0x670 +[ 583.339209] fb_ioctl+0xdd/0x130 + +Fix the this by checking the value of 'screen_size' before memset_io(). + +Fixes: 558b7bd86c32 ("vt8623fb: new framebuffer driver for VIA VT8623") +Signed-off-by: Zheyu Ma +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/vt8623fb.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/video/fbdev/vt8623fb.c b/drivers/video/fbdev/vt8623fb.c +index 5cac871db3ee..cbae9c510092 100644 +--- a/drivers/video/fbdev/vt8623fb.c ++++ b/drivers/video/fbdev/vt8623fb.c +@@ -504,6 +504,8 @@ static int vt8623fb_set_par(struct fb_info *info) + (info->var.vmode & FB_VMODE_DOUBLE) ? 2 : 1, 1, + 1, info->node); + ++ if (screen_size > info->screen_size) ++ screen_size = info->screen_size; + memset_io(info->screen_base, 0x00, screen_size); + + /* Device and screen back on */ +-- +2.35.1 + diff --git a/queue-4.19/wifi-iwlegacy-4965-fix-potential-off-by-one-overflow.patch b/queue-4.19/wifi-iwlegacy-4965-fix-potential-off-by-one-overflow.patch new file mode 100644 index 00000000000..713bcd957ca --- /dev/null +++ b/queue-4.19/wifi-iwlegacy-4965-fix-potential-off-by-one-overflow.patch @@ -0,0 +1,64 @@ +From 5a0cf7aa1515b794486dbcbb60666b21eaf9b9f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jun 2022 20:16:14 +0300 +Subject: wifi: iwlegacy: 4965: fix potential off-by-one overflow in + il4965_rs_fill_link_cmd() + +From: Alexey Kodanev + +[ Upstream commit a8eb8e6f7159c7c20c0ddac428bde3d110890aa7 ] + +As a result of the execution of the inner while loop, the value +of 'idx' can be equal to LINK_QUAL_MAX_RETRY_NUM. However, this +is not checked after the loop and 'idx' is used to write the +LINK_QUAL_MAX_RETRY_NUM size array 'lq_cmd->rs_table[idx]' below +in the outer loop. + +The fix is to check the new value of 'idx' inside the nested loop, +and break both loops if index equals the size. Checking it at the +start is now pointless, so let's remove it. + +Detected using the static analysis tool - Svace. + +Fixes: be663ab67077 ("iwlwifi: split the drivers for agn and legacy devices 3945/4965") +Signed-off-by: Alexey Kodanev +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220608171614.28891-1-aleksei.kodanev@bell-sw.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlegacy/4965-rs.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlegacy/4965-rs.c b/drivers/net/wireless/intel/iwlegacy/4965-rs.c +index 54ff83829afb..f204e139e5f0 100644 +--- a/drivers/net/wireless/intel/iwlegacy/4965-rs.c ++++ b/drivers/net/wireless/intel/iwlegacy/4965-rs.c +@@ -2422,7 +2422,7 @@ il4965_rs_fill_link_cmd(struct il_priv *il, struct il_lq_sta *lq_sta, + /* Repeat initial/next rate. + * For legacy IL_NUMBER_TRY == 1, this loop will not execute. + * For HT IL_HT_NUMBER_TRY == 3, this executes twice. */ +- while (repeat_rate > 0 && idx < LINK_QUAL_MAX_RETRY_NUM) { ++ while (repeat_rate > 0) { + if (is_legacy(tbl_type.lq_type)) { + if (ant_toggle_cnt < NUM_TRY_BEFORE_ANT_TOGGLE) + ant_toggle_cnt++; +@@ -2441,6 +2441,8 @@ il4965_rs_fill_link_cmd(struct il_priv *il, struct il_lq_sta *lq_sta, + cpu_to_le32(new_rate); + repeat_rate--; + idx++; ++ if (idx >= LINK_QUAL_MAX_RETRY_NUM) ++ goto out; + } + + il4965_rs_get_tbl_info_from_mcs(new_rate, lq_sta->band, +@@ -2485,6 +2487,7 @@ il4965_rs_fill_link_cmd(struct il_priv *il, struct il_lq_sta *lq_sta, + repeat_rate--; + } + ++out: + lq_cmd->agg_params.agg_frame_cnt_limit = LINK_QUAL_AGG_FRAME_LIMIT_DEF; + lq_cmd->agg_params.agg_dis_start_th = LINK_QUAL_AGG_DISABLE_START_DEF; + +-- +2.35.1 + diff --git a/queue-4.19/wifi-libertas-fix-possible-refcount-leak-in-if_usb_p.patch b/queue-4.19/wifi-libertas-fix-possible-refcount-leak-in-if_usb_p.patch new file mode 100644 index 00000000000..5049a873032 --- /dev/null +++ b/queue-4.19/wifi-libertas-fix-possible-refcount-leak-in-if_usb_p.patch @@ -0,0 +1,37 @@ +From 11b1ed72ec696b51e99828ee585e6b85a91f271b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jun 2022 17:23:50 +0800 +Subject: wifi: libertas: Fix possible refcount leak in if_usb_probe() + +From: Hangyu Hua + +[ Upstream commit 6fd57e1d120bf13d4dc6c200a7cf914e6347a316 ] + +usb_get_dev will be called before lbs_get_firmware_async which means that +usb_put_dev need to be called when lbs_get_firmware_async fails. + +Fixes: ce84bb69f50e ("libertas USB: convert to asynchronous firmware loading") +Signed-off-by: Hangyu Hua +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220620092350.39960-1-hbh25y@gmail.com +Link: https://lore.kernel.org/r/20220622113402.16969-1-colin.i.king@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/libertas/if_usb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/marvell/libertas/if_usb.c b/drivers/net/wireless/marvell/libertas/if_usb.c +index f29a154d995c..d75763410cdc 100644 +--- a/drivers/net/wireless/marvell/libertas/if_usb.c ++++ b/drivers/net/wireless/marvell/libertas/if_usb.c +@@ -283,6 +283,7 @@ static int if_usb_probe(struct usb_interface *intf, + return 0; + + err_get_fw: ++ usb_put_dev(udev); + lbs_remove_card(priv); + err_add_card: + if_usb_reset_device(cardp); +-- +2.35.1 + diff --git a/queue-4.19/wifi-p54-add-missing-parentheses-in-p54_flush.patch b/queue-4.19/wifi-p54-add-missing-parentheses-in-p54_flush.patch new file mode 100644 index 00000000000..eaec39e80f8 --- /dev/null +++ b/queue-4.19/wifi-p54-add-missing-parentheses-in-p54_flush.patch @@ -0,0 +1,45 @@ +From 6fd20adc53217c35c6070a981f896ef2e9d376d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Jul 2022 16:48:31 +0300 +Subject: wifi: p54: add missing parentheses in p54_flush() + +From: Rustam Subkhankulov + +[ Upstream commit bcfd9d7f6840b06d5988c7141127795cf405805e ] + +The assignment of the value to the variable total in the loop +condition must be enclosed in additional parentheses, since otherwise, +in accordance with the precedence of the operators, the conjunction +will be performed first, and only then the assignment. + +Due to this error, a warning later in the function after the loop may +not occur in the situation when it should. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Signed-off-by: Rustam Subkhankulov +Fixes: 0d4171e2153b ("p54: implement flush callback") +Acked-by: Christian Lamparter +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220714134831.106004-1-subkhankulov@ispras.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intersil/p54/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intersil/p54/main.c b/drivers/net/wireless/intersil/p54/main.c +index 1c6d428515a4..b15a1b99f28f 100644 +--- a/drivers/net/wireless/intersil/p54/main.c ++++ b/drivers/net/wireless/intersil/p54/main.c +@@ -688,7 +688,7 @@ static void p54_flush(struct ieee80211_hw *dev, struct ieee80211_vif *vif, + * queues have already been stopped and no new frames can sneak + * up from behind. + */ +- while ((total = p54_flush_count(priv) && i--)) { ++ while ((total = p54_flush_count(priv)) && i--) { + /* waste time */ + msleep(20); + } +-- +2.35.1 + diff --git a/queue-4.19/wifi-p54-fix-an-error-handling-path-in-p54spi_probe.patch b/queue-4.19/wifi-p54-fix-an-error-handling-path-in-p54spi_probe.patch new file mode 100644 index 00000000000..4c7f6ca1df3 --- /dev/null +++ b/queue-4.19/wifi-p54-fix-an-error-handling-path-in-p54spi_probe.patch @@ -0,0 +1,52 @@ +From 4e6d018776e222cca9b6c605e1c6716019abffe1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Jun 2022 23:12:20 +0200 +Subject: wifi: p54: Fix an error handling path in p54spi_probe() + +From: Christophe JAILLET + +[ Upstream commit 83781f0162d080fec7dcb911afd1bc2f5ad04471 ] + +If an error occurs after a successful call to p54spi_request_firmware(), it +must be undone by a corresponding release_firmware() as already done in +the error handling path of p54spi_request_firmware() and in the .remove() +function. + +Add the missing call in the error handling path and remove it from +p54spi_request_firmware() now that it is the responsibility of the caller +to release the firmware + +Fixes: cd8d3d321285 ("p54spi: p54spi driver") +Signed-off-by: Christophe JAILLET +Acked-by: Christian Lamparter +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/297d2547ff2ee627731662abceeab9dbdaf23231.1655068321.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intersil/p54/p54spi.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intersil/p54/p54spi.c b/drivers/net/wireless/intersil/p54/p54spi.c +index e41bf042352e..3dcfad5b61ff 100644 +--- a/drivers/net/wireless/intersil/p54/p54spi.c ++++ b/drivers/net/wireless/intersil/p54/p54spi.c +@@ -177,7 +177,7 @@ static int p54spi_request_firmware(struct ieee80211_hw *dev) + + ret = p54_parse_firmware(dev, priv->firmware); + if (ret) { +- release_firmware(priv->firmware); ++ /* the firmware is released by the caller */ + return ret; + } + +@@ -672,6 +672,7 @@ static int p54spi_probe(struct spi_device *spi) + return 0; + + err_free_common: ++ release_firmware(priv->firmware); + free_irq(gpio_to_irq(p54spi_gpio_irq), spi); + err_free_gpio_irq: + gpio_free(p54spi_gpio_irq); +-- +2.35.1 + diff --git a/queue-4.19/wifi-rtlwifi-fix-error-codes-in-rtl_debugfs_set_writ.patch b/queue-4.19/wifi-rtlwifi-fix-error-codes-in-rtl_debugfs_set_writ.patch new file mode 100644 index 00000000000..2e793d99cc4 --- /dev/null +++ b/queue-4.19/wifi-rtlwifi-fix-error-codes-in-rtl_debugfs_set_writ.patch @@ -0,0 +1,57 @@ +From f8d8e557b81231e97179351bf77cd4ea0a924f5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 May 2022 14:48:44 +0300 +Subject: wifi: rtlwifi: fix error codes in rtl_debugfs_set_write_h2c() + +From: Dan Carpenter + +[ Upstream commit b88d28146c30a8e14f0f012d56ebf19b68a348f4 ] + +If the copy_from_user() fails or the user gives invalid date then the +correct thing to do is to return a negative error code. (Currently it +returns success). + +I made a copy additional related cleanups: +1) There is no need to check "buffer" for NULL. That's handled by +copy_from_user(). +2) The "h2c_len" variable cannot be negative because it is unsigned +and because sscanf() does not return negative error codes. + +Fixes: 610247f46feb ("rtlwifi: Improve debugging by using debugfs") +Signed-off-by: Dan Carpenter +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/YoOLnDkHgVltyXK7@kili +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/debug.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/debug.c b/drivers/net/wireless/realtek/rtlwifi/debug.c +index 498994041bbc..474439fc2da1 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/debug.c ++++ b/drivers/net/wireless/realtek/rtlwifi/debug.c +@@ -370,8 +370,8 @@ static ssize_t rtl_debugfs_set_write_h2c(struct file *filp, + + tmp_len = (count > sizeof(tmp) - 1 ? sizeof(tmp) - 1 : count); + +- if (!buffer || copy_from_user(tmp, buffer, tmp_len)) +- return count; ++ if (copy_from_user(tmp, buffer, tmp_len)) ++ return -EFAULT; + + tmp[tmp_len] = '\0'; + +@@ -381,8 +381,8 @@ static ssize_t rtl_debugfs_set_write_h2c(struct file *filp, + &h2c_data[4], &h2c_data[5], + &h2c_data[6], &h2c_data[7]); + +- if (h2c_len <= 0) +- return count; ++ if (h2c_len == 0) ++ return -EINVAL; + + for (i = 0; i < h2c_len; i++) + h2c_data_packed[i] = (u8)h2c_data[i]; +-- +2.35.1 + diff --git a/queue-4.19/wifi-wil6210-debugfs-fix-info-leak-in-wil_write_file.patch b/queue-4.19/wifi-wil6210-debugfs-fix-info-leak-in-wil_write_file.patch new file mode 100644 index 00000000000..5144eb6a02f --- /dev/null +++ b/queue-4.19/wifi-wil6210-debugfs-fix-info-leak-in-wil_write_file.patch @@ -0,0 +1,52 @@ +From 29f6d80aecb279597fc80ebee021d4556c4be453 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Jul 2022 13:35:18 +0300 +Subject: wifi: wil6210: debugfs: fix info leak in wil_write_file_wmi() + +From: Dan Carpenter + +[ Upstream commit 7a4836560a6198d245d5732e26f94898b12eb760 ] + +The simple_write_to_buffer() function will succeed if even a single +byte is initialized. However, we need to initialize the whole buffer +to prevent information leaks. Just use memdup_user(). + +Fixes: ff974e408334 ("wil6210: debugfs interface to send raw WMI command") +Signed-off-by: Dan Carpenter +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/Ysg14NdKAZF/hcNG@kili +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/wil6210/debugfs.c | 14 ++++---------- + 1 file changed, 4 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/wireless/ath/wil6210/debugfs.c b/drivers/net/wireless/ath/wil6210/debugfs.c +index 55a809cb3105..675b2829b4c7 100644 +--- a/drivers/net/wireless/ath/wil6210/debugfs.c ++++ b/drivers/net/wireless/ath/wil6210/debugfs.c +@@ -1004,18 +1004,12 @@ static ssize_t wil_write_file_wmi(struct file *file, const char __user *buf, + u16 cmdid; + int rc, rc1; + +- if (cmdlen < 0) ++ if (cmdlen < 0 || *ppos != 0) + return -EINVAL; + +- wmi = kmalloc(len, GFP_KERNEL); +- if (!wmi) +- return -ENOMEM; +- +- rc = simple_write_to_buffer(wmi, len, ppos, buf, len); +- if (rc < 0) { +- kfree(wmi); +- return rc; +- } ++ wmi = memdup_user(buf, len); ++ if (IS_ERR(wmi)) ++ return PTR_ERR(wmi); + + cmd = (cmdlen > 0) ? &wmi[1] : NULL; + cmdid = le16_to_cpu(wmi->command_id); +-- +2.35.1 + diff --git a/queue-4.19/wifi-wil6210-debugfs-fix-uninitialized-variable-use-.patch b/queue-4.19/wifi-wil6210-debugfs-fix-uninitialized-variable-use-.patch new file mode 100644 index 00000000000..11022a3ced7 --- /dev/null +++ b/queue-4.19/wifi-wil6210-debugfs-fix-uninitialized-variable-use-.patch @@ -0,0 +1,59 @@ +From 886e789c3cd75ad56fbc82ea6737b51bd3d1812a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Jul 2022 20:49:11 +0300 +Subject: wifi: wil6210: debugfs: fix uninitialized variable use in + `wil_write_file_wmi()` + +From: Ammar Faizi + +[ Upstream commit d578e0af3a003736f6c440188b156483d451b329 ] + +Commit 7a4836560a61 changes simple_write_to_buffer() with memdup_user() +but it forgets to change the value to be returned that came from +simple_write_to_buffer() call. It results in the following warning: + + warning: variable 'rc' is uninitialized when used here [-Wuninitialized] + return rc; + ^~ + +Remove rc variable and just return the passed in length if the +memdup_user() succeeds. + +Cc: Dan Carpenter +Reported-by: kernel test robot +Fixes: 7a4836560a6198d245d5732e26f94898b12eb760 ("wifi: wil6210: debugfs: fix info leak in wil_write_file_wmi()") +Fixes: ff974e4083341383d3dd4079e52ed30f57f376f0 ("wil6210: debugfs interface to send raw WMI command") +Signed-off-by: Ammar Faizi +Reviewed-by: Dan Carpenter +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220724202452.61846-1-ammar.faizi@intel.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/wil6210/debugfs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/ath/wil6210/debugfs.c b/drivers/net/wireless/ath/wil6210/debugfs.c +index 675b2829b4c7..3a46b319e9f1 100644 +--- a/drivers/net/wireless/ath/wil6210/debugfs.c ++++ b/drivers/net/wireless/ath/wil6210/debugfs.c +@@ -1002,7 +1002,7 @@ static ssize_t wil_write_file_wmi(struct file *file, const char __user *buf, + void *cmd; + int cmdlen = len - sizeof(struct wmi_cmd_hdr); + u16 cmdid; +- int rc, rc1; ++ int rc1; + + if (cmdlen < 0 || *ppos != 0) + return -EINVAL; +@@ -1019,7 +1019,7 @@ static ssize_t wil_write_file_wmi(struct file *file, const char __user *buf, + + wil_info(wil, "0x%04x[%d] -> %d\n", cmdid, cmdlen, rc1); + +- return rc; ++ return len; + } + + static const struct file_operations fops_wmi = { +-- +2.35.1 + diff --git a/queue-4.19/x86-numa-use-cpumask_available-instead-of-hardcoded-.patch b/queue-4.19/x86-numa-use-cpumask_available-instead-of-hardcoded-.patch new file mode 100644 index 00000000000..01c3bf9f3ba --- /dev/null +++ b/queue-4.19/x86-numa-use-cpumask_available-instead-of-hardcoded-.patch @@ -0,0 +1,76 @@ +From d7f40748a54c56a9acb8ab38d4b1fe1ff5b17899 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Jul 2022 21:39:13 +0530 +Subject: x86/numa: Use cpumask_available instead of hardcoded NULL check +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Siddh Raman Pant + +[ Upstream commit 625395c4a0f4775e0fe00f616888d2e6c1ba49db ] + +GCC-12 started triggering a new warning: + + arch/x86/mm/numa.c: In function ‘cpumask_of_node’: + arch/x86/mm/numa.c:916:39: warning: the comparison will always evaluate as ‘false’ for the address of ‘node_to_cpumask_map’ will never be NULL [-Waddress] + 916 | if (node_to_cpumask_map[node] == NULL) { + | ^~ + +node_to_cpumask_map is of type cpumask_var_t[]. + +When CONFIG_CPUMASK_OFFSTACK is set, cpumask_var_t is typedef'd to a +pointer for dynamic allocation, else to an array of one element. The +"wicked game" can be checked on line 700 of include/linux/cpumask.h. + +The original code in debug_cpumask_set_cpu() and cpumask_of_node() were +probably written by the original authors with CONFIG_CPUMASK_OFFSTACK=y +(i.e. dynamic allocation) in mind, checking if the cpumask was available +via a direct NULL check. + +When CONFIG_CPUMASK_OFFSTACK is not set, GCC gives the above warning +while compiling the kernel. + +Fix that by using cpumask_available(), which does the NULL check when +CONFIG_CPUMASK_OFFSTACK is set, otherwise returns true. Use it wherever +such checks are made. + +Conditional definitions of cpumask_available() can be found along with +the definition of cpumask_var_t. Check the cpumask.h reference mentioned +above. + +Fixes: c032ef60d1aa ("cpumask: convert node_to_cpumask_map[] to cpumask_var_t") +Fixes: de2d9445f162 ("x86: Unify node_to_cpumask_map handling between 32 and 64bit") +Signed-off-by: Siddh Raman Pant +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/20220731160913.632092-1-code@siddh.me +Signed-off-by: Sasha Levin +--- + arch/x86/mm/numa.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/mm/numa.c b/arch/x86/mm/numa.c +index fa150855647c..b4ff063a4371 100644 +--- a/arch/x86/mm/numa.c ++++ b/arch/x86/mm/numa.c +@@ -826,7 +826,7 @@ void debug_cpumask_set_cpu(int cpu, int node, bool enable) + return; + } + mask = node_to_cpumask_map[node]; +- if (!mask) { ++ if (!cpumask_available(mask)) { + pr_err("node_to_cpumask_map[%i] NULL\n", node); + dump_stack(); + return; +@@ -872,7 +872,7 @@ const struct cpumask *cpumask_of_node(int node) + dump_stack(); + return cpu_none_mask; + } +- if (node_to_cpumask_map[node] == NULL) { ++ if (!cpumask_available(node_to_cpumask_map[node])) { + printk(KERN_WARNING + "cpumask_of_node(%d): no node_to_cpumask_map!\n", + node); +-- +2.35.1 + diff --git a/queue-4.19/x86-pmem-fix-platform-device-leak-in-error-path.patch b/queue-4.19/x86-pmem-fix-platform-device-leak-in-error-path.patch new file mode 100644 index 00000000000..aff4be7cd14 --- /dev/null +++ b/queue-4.19/x86-pmem-fix-platform-device-leak-in-error-path.patch @@ -0,0 +1,41 @@ +From 0ea6630b87ba89b1a715f08298101e5801fdcaeb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jun 2022 16:07:23 +0200 +Subject: x86/pmem: Fix platform-device leak in error path + +From: Johan Hovold + +[ Upstream commit 229e73d46994f15314f58b2d39bf952111d89193 ] + +Make sure to free the platform device in the unlikely event that +registration fails. + +Fixes: 7a67832c7e44 ("libnvdimm, e820: make CONFIG_X86_PMEM_LEGACY a tristate option") +Signed-off-by: Johan Hovold +Signed-off-by: Borislav Petkov +Link: https://lore.kernel.org/r/20220620140723.9810-1-johan@kernel.org +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/pmem.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/pmem.c b/arch/x86/kernel/pmem.c +index 6b07faaa1579..23154d24b117 100644 +--- a/arch/x86/kernel/pmem.c ++++ b/arch/x86/kernel/pmem.c +@@ -27,6 +27,11 @@ static __init int register_e820_pmem(void) + * simply here to trigger the module to load on demand. + */ + pdev = platform_device_alloc("e820_pmem", -1); +- return platform_device_add(pdev); ++ ++ rc = platform_device_add(pdev); ++ if (rc) ++ platform_device_put(pdev); ++ ++ return rc; + } + device_initcall(register_e820_pmem); +-- +2.35.1 + -- 2.47.3